diff --git a/CMakeLists.txt b/CMakeLists.txt
index 6f174bb..a993d94 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -34,11 +34,7 @@ string(STRIP ${TLS_VERSION} TLS_VERSION)
 string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
 string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
-option(LIBRESSL_SKIP_INSTALL "Skip installation" ${LIBRESSL_SKIP_INSTALL})
-option(LIBRESSL_APPS "Build apps" ON)
-option(LIBRESSL_TESTS "Build tests" ON)
 option(ENABLE_ASM "Enable assembly" ON)
-option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
 option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
 set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)
@@ -47,11 +43,6 @@ if(USE_STATIC_MSVC_RUNTIMES)
 set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$:Debug>")
 endif()
-if(NOT LIBRESSL_SKIP_INSTALL)
- set( ENABLE_LIBRESSL_INSTALL ON )
-endif(NOT LIBRESSL_SKIP_INSTALL)
-
-
 set(BUILD_NC true)
 if(CMAKE_SYSTEM_NAME MATCHES "Darwin")
@@ -291,6 +282,11 @@ if(HAVE_ENDIAN_H)
 add_definitions(-DHAVE_ENDIAN_H)
 endif()
+check_include_files(machine/endian.h HAVE_MACHINE_ENDIAN_H)
+if(HAVE_MACHINE_ENDIAN_H)
+ add_definitions(-DHAVE_MACHINE_ENDIAN_H)
+endif()
+
 check_include_files(err.h HAVE_ERR_H)
 if(HAVE_ERR_H)
 add_definitions(-DHAVE_ERR_H)
@@ -301,6 +297,33 @@ if(HAVE_NETINET_IP_H)
 add_definitions(-DHAVE_NETINET_IP_H)
 endif()
+if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(aarch64|arm64)")
+ set(HOST_AARCH64 true)
+elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "arm")
+ set(HOST_ARM true)
+elseif("${CMAKE_SYSTEM_NAME}" STREQUAL "SunOS" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i386")
+ set(HOST_X86_64 true)
+elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64)")
+ set(HOST_X86_64 true)
+elseif("${CMAKE_SYSTEM_NAME}" MATCHES "[i?86|x86]")
+ set(ENABLE_ASM false)
+ set(HOST_I386 true)
+elseif("${CMAKE_SYSTEM_NAME}" MATCHES "mips64")
+ set(HOST_MIPS64 true)
+elseif("${CMAKE_SYSTEM_NAME}" MATCHES "mips")
+ set(HOST_MIPS true)
+elseif("${CMAKE_SYSTEM_NAME}" MATCHES "powerpc")
+ set(HOST_POWERPC true)
+elseif("${CMAKE_SYSTEM_NAME}" MATCHES "ppc64")
+ set(HOST_PPC64 true)
+elseif("${CMAKE_SYSTEM_NAME}" MATCHES "riscv64")
+ set(HOST_RISCV64 true)
+elseif("${CMAKE_SYSTEM_NAME}" MATCHES "sparc64")
+ set(HOST_SPARC64 true)
+else()
+ set(ENABLE_ASM false)
+endif()
+
 if(ENABLE_ASM)
 if("${CMAKE_C_COMPILER_ABI}" STREQUAL "ELF")
 if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64)")
@@ -356,10 +379,10 @@ else()
 set(LIBTLS_TEST_LIBS tls ${PLATFORM_LIBS})
 endif()
+add_subdirectory(include)
 add_subdirectory(crypto)
 add_subdirectory(ssl)
 add_subdirectory(tls)
-add_subdirectory(include)
 if (BUILD_APPLE_XCFRAMEWORK)
 # Create the super library from object libraries
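Review bot: From the `"[i?86|x86]"` branch onward the `elseif` chain tests `CMAKE_SYSTEM_NAME` (the OS name, e.g. `Linux`, `Darwin`, `Windows`) instead of `CMAKE_SYSTEM_PROCESSOR`, and `"[i?86|x86]"` is a bracket expression that matches any single one of those characters, so any OS name containing an `i` or an `x` sends every processor not caught by the earlier aarch64/arm/x86_64 checks (mips64, ppc64le, riscv64, sparc64, and `AMD64` as MSVC typically spells it, which the case-sensitive `(x86_64|amd64)` pattern also misses) into the `HOST_I386` branch, while the mips, powerpc, ppc64, riscv64 and sparc64 branches are unreachable. Whatever the HOST_* variables select in the subdirectories (not visible here, but presumably architecture-specific code) would then be built as if for 32-bit x86 on those 64-bit targets, and `ENABLE_ASM` is switched off as a side effect. Compare `CMAKE_SYSTEM_PROCESSOR` throughout, anchor the i386 pattern, e.g. `"^(i[3-6]86|x86|X86)$"`, consider a case-insensitive x86_64 match, and test ppc64 before powerpc so that `powerpc64` is not claimed by the substring match. The `if(ENABLE_ASM)` block that follows the chain continues past the end of the hunk.
```cmake
# … unchanged: aarch64, arm, SunOS and x86_64 branches …
elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "^(i[3-6]86|x86|X86)$")
	set(ENABLE_ASM false)
	set(HOST_I386 true)
elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "mips64")
	set(HOST_MIPS64 true)
elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "mips")
	set(HOST_MIPS true)
elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(ppc64|powerpc64)")
	set(HOST_PPC64 true)
elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(powerpc|ppc)")
	set(HOST_POWERPC true)
elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "riscv64")
	set(HOST_RISCV64 true)
elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "sparc64")
	set(HOST_SPARC64 true)
else()
	set(ENABLE_ASM false)
endif()
```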
@@ -367,42 +390,5 @@ if (BUILD_APPLE_XCFRAMEWORK)
 $ $ $)
 set_target_properties(LibreSSL_xcframework PROPERTIES OUTPUT_NAME ressl)
-
- if(ENABLE_LIBRESSL_INSTALL)
- install(TARGETS LibreSSL_xcframework
- LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
- endif(ENABLE_LIBRESSL_INSTALL)
 endif(BUILD_APPLE_XCFRAMEWORK)
-if(ENABLE_LIBRESSL_INSTALL)
- if(NOT MSVC)
- # Create pkgconfig files.
- set(prefix ${CMAKE_INSTALL_PREFIX})
- set(exec_prefix \${prefix})
- set(libdir \${exec_prefix}/${CMAKE_INSTALL_LIBDIR})
- set(includedir \${prefix}/include)
- if(PLATFORM_LIBS)
- string(REGEX REPLACE ";" " -l" PLATFORM_LDADD ";${PLATFORM_LIBS}")
- endif()
- file(STRINGS "VERSION" VERSION LIMIT_COUNT 1)
- file(GLOB OPENSSL_PKGCONFIGS "*.pc.in")
- foreach(file ${OPENSSL_PKGCONFIGS})
- get_filename_component(filename ${file} NAME)
- string(REPLACE ".in" "" new_file "$(unknown)")
- configure_file($(unknown) pkgconfig/${new_file} @ONLY)
- endforeach()
- install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/pkgconfig
- DESTINATION ${CMAKE_INSTALL_LIBDIR})
- endif()
-endif(ENABLE_LIBRESSL_INSTALL)
-
-if(NOT "${OPENSSLDIR}" STREQUAL "")
- set(CONF_DIR "${OPENSSLDIR}")
-else()
- set(CONF_DIR "${CMAKE_INSTALL_PREFIX}/etc/ssl")
-endif()
-
-if(ENABLE_LIBRESSL_INSTALL)
- install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
- install(DIRECTORY DESTINATION ${CONF_DIR}/certs)
-endif(ENABLE_LIBRESSL_INSTALL)
diff --git a/ChangeLog b/ChangeLog
index e4dc7ad..fc453d0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,31 +3,365 @@ Git, it can be confusing following all of the changes. Most of the libssl and libcrypto source code is is here in OpenBSD CVS: - http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/ + https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/ Some of the libcrypto and OS-compatibility files for entropy and random number generation are here: - http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/ + https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libcrypto/ A simplified TLS wrapper library is here: - http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/ + https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libtls/ The LibreSSL Portable project copies these portions of the OpenBSD tree, along with relevant portions of the C library, to a Git repository. This makes it easier to follow all of the relevant changes to the upstream project in a single place: - https://github.com/libressl-portable/openbsd + https://github.com/libressl/openbsd The portable bits of the project are largely maintained out-of-tree, and their history is also available from Git. - https://github.com/libressl-portable/portable + https://github.com/libressl/portable LibreSSL Portable Release Notes: +3.8.0 - Development release + + * Portable changes + - Extended the endian.h compat header with hto* and *toh macros. + - Adapted more tests to the portable framework. + * Internal improvements + - Improved sieve of Eratosthenes script used for generating a table + of small primes. + - Started cleaning up and rewriting SHA internals. + - Replace internal use of BN_copy() with bn_copy() for consistency. + - Rewrote and improved BN_exp() and BN_copy(). + - Add branch target information (BTI) support to arm64 assembly. + - Replaced BN_mod_sqrt() with a new implementation. + - Removed incomplete and dangerous BN_RECURSION code. + - Added endbr64 instructions to amd64 assembly. 
+ - Imported RFC 5280 policy checking code from BoringSSL and used it + to replace the old exponential time code. + - Converted more of libcrypto to use CBB/CBS. + - Cleaned up and simplified the code dealing with builtin curves. + * New features + - Added support for truncated SHA-2 and for SHA-3. + - The BPSW primality test performs additional Miller-Rabin rounds + with random bases to reduce the likelihood of composites passing. + - Allow testing of ciphers and digests using badly aligned buffers + in openssl speed. + - Added a workaround for a poorly thought-out change in OpenSSL 3 that + broke privilege separation support in libtls. + * Compatibility changes + - Support for GF2m was removed: BIGNUM no longer supports binary extension + field arithmetic and all binary elliptic builtin curves were removed. + - Removed dangerous, "fast" NIST prime and elliptic curve implementations. + In particular, EC_GFp_nist_method() is no longer available. + - Removed most public symbols that were deprecated in OpenSSL 0.9.8. + - Removed the public X9.31 API (RSA_X931_PADDING is still available). + - Removed Cipher Text Stealing mode. + - Removed SXNET and NETSCAPE_CERT_SEQUENCE support including the + openssl(1) nseq command. + - Dropped proxy certificate (RFC 3820) support. + - The POLICY_TREE and its related structures and API were removed. + - The explicitText user notice uses UTF8String instead of VisibleString + to reduce the risk of emitting certificates with invalid DER-encoding. + - Initial fixes for RSA-PSS support to make the TLSv1.3 stack more + compliant with RFC 8446. + * Bug fixes + - Correctly handle negative input to various BIGNUM functions. + - Ensure ERR_load_ERR_strings() does not set errno unexpectedly. + - Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign(). + - Fixed detection of extended operations (XOP) on AMD hardware. + - Ensure Montgomery exponentiation is used for the initial RSA blinding. + - Policy is always checked in X509 validation. 
Critical policy extensions + are no longer silently ignored. + - Fixed error handling in tls_check_common_name(). + - Add missing pointer invalidation in SSL_free(). + - Fixed X509err() and X509V3err() and their internal versions. + - Ensure that OBJ_obj2txt() always returns a C string again. + - In X509_VERIFY_PARAM_inherit() copy hostflags independently of the + host list. + * Documentation improvements + - Improved documentation of BIO_ctrl(3), BIO_set_info_callback(3), + BIO_get_info_callback(3), BIO_method_type(3), and BIO_method_name(3). + - Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as intentionally + undocumented. + * Testing and Proactive Security + - Significantly improved test coverage of BN_mod_sqrt() and GCD. + - As always, new test coverage is added as bugs are fixed and subsystems + are cleaned up. + +3.7.2 - Stable release + + * Portable changes + - Moved official Github project to https://github.com/libressl/. + - Build support for Apple Silicon. + - Installed opensslconf.h is now architecture-specific. + - Removed internal defines from opensslconf.h. + - Support reproducible builds on tagged commits in main branch. + +3.7.1 - Development release + + * Internal improvements + - Initial overhaul of the BIGNUM code: + - Added a new framework that allows architecture-dependent + replacement implementations for bignum primitives. + - Imported various s2n-bignum's constant time assembly primitives + and switched amd64 to them. + - Lots of cleanup, simplification and bug fixes. + - Changed Perl assembly generators to move constants into .rodata, + allowing code to run with execute-only permissions. + - Capped the number of iterations in DSA and ECDSA signing (avoiding + infinite loops), added additional sanity checks to DSA. + - ASN.1 parsing improvements. + - Made UI_destroy_method() NULL safe. + - Various improvements to nc(1). + - Always clear EC groups and points on free. + - Cleanup and improvements in EC code. 
+ - Various openssl(1) improvements. + * Bug fixes + - Fixed a memory leak, a double free and various other issues in + BIO_new_NDEF(). + - Fixed various crashes in the openssl(1) testing utility. + - Do not check policies by default in the new X.509 verifier. + - Added missing error checking in PKCS7. + - Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup(). + * New features + - Added UI_null() + - Added X509_STORE_*check_issued() + - Added X509_CRL_get0_tbs_sigalg() and X509_get0_uids() accessors. + - Added EVP_CIPHER_meth_*() setter API. + * Documentation improvements + - Marked BIO_s_log(3) BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3), + BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented. + - Document BIO_number_read(3), BIO_number_written(3), + BIO_set_retry_read(3), BIO_set_retry_write(3), + BIO_set_retry_special(3), BIO_clear_retry_flags(3), + BIO_get_retry_flags(3), BIO_dup_chain(3), BIO_set_flags(3), + BIO_clear_flags(3), BIO_test_flags(3), BIO_get_flags(3). + BIO_callback_fn_ex(3), BIO_set_callback_ex(3), BIO_get_callback_ex(3), + BIO_callback_fn(3), and the BIO_FLAGS_* constants + - Correct the prototypes of BIO_get_conn_ip(3) and BIO_get_conn_int_port(3). + - Document ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3). + - Document EVP_PKEY_new_raw_private_key(3), + EVP_PKEY_new_raw_public_key(3), EVP_PKEY_get_raw_private_key(3), and + EVP_PKEY_get_raw_public_key(3). + - Document ASN1_buf_print(3). + - Document DH_get0_*, DSA_get0_*, ECDSA_SIG_get0_{r,s}() and RSA_get0_*. + - Merged documentation of UI_null() from OpenSSL 1.1 + - Various spelling and other documentation improvements. + * Testing and Proactive Security + - As always, new test coverage is added as bugs are fixed and subsystems + are cleaned up. + - New Wycheproof tests added. + - OpenSSL 3.0 Interop tests added. + - Many old tests rewritten, cleaned up and extended. 
+ * Security fixes + - A malicious certificate revocation list or timestamp response token + would allow an attacker to read arbitrary memory. + +3.7.0 - Development release + + * Internal improvements + - Remove dependency on system timegm() and gmtime() by replacing + traditional Julian date conversion with POSIX epoch-seconds date + conversion from BoringSSL. + - Clean old and unused BN code dealing with primes. + - Start rewriting name constraints code using CBS. + - Remove support for the HMAC PRIVATE KEY. + - Rework DSA signing and verifying internals. + - First few passes on cleaning up the BN code. + - Internal headers coming from OpenSSL are all called *_local.h now. + - Rewrite TLSv1.2 key exporter. + - Cleaned up and refactored various aspects of the legacy TLS stack. + * Compatibility changes + - BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in + various corner cases. More work is needed here. + * Bug fixes + - Add EVP_chacha20_poly1305() to the list of all ciphers. + - Fix potential leaks of EVP_PKEY in various printing functions + - Fix potential leak in OBJ_NAME_add(). + - Avoid signed overflow in i2c_ASN1_BIT_STRING(). + - Clean up EVP_PKEY_ASN1_METHOD related tables and code. + - Fix long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod(). + - Fix segfaults in BN_{dec,hex}2bn(). + - Fix NULL dereference in x509_constraints_uri_host() reachable only + in the process of generating certificates. + - Fixed a variety of memory corruption issues in BIO chains coming + from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next(). + - Avoid potential divide by zero in BIO_dump_indent_cb() + * Documentation improvements + - Numerous improvements and additions for ASN.1, BIO, BN, and X.509. + - The BN documentation is now considered to be complete. + * Testing and Proactive Security + - As always, new test coverage is added as bugs are fixed and + subsystems are cleaned up. + - Many old tests rewritten, cleaned up and extended. 
+ * New features + - Added Ed25519 support both as a primitive and via OpenSSL's EVP + interfaces. + - X25519 is now also supported via EVP. + - The OpenSSL 1.1 raw public and private key API is available with + support for EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519. + Poly1305 is not currently supported via this interface. + +3.6.1 - Stable release + + * Bug fixes + - Custom verification callbacks could cause the X.509 verifier to + fail to store errors resulting from leaf certificate verification. + Reported by Ilya Shipitsin. + - Unbreak ASN.1 indefinite length encoding. + Reported by Niklas Hallqvist. + +3.6.0 - Development release + + * Internal improvements + - Avoid expensive RFC 3779 checks during cert verification. + - The templated ASN.1 decoder has been cleaned up, refactored, + modernized with parts rewritten using CBB and CBS. + - The ASN.1 time parser has been rewritten. + - Rewrite and fix ASN1_STRING_to_UTF8(). + - Use asn1_abs_set_unused_bits() rather than inlining it. + - Simplify ec_asn1_group2curve(). + - First pass at a clean up of ASN1_item_sign_ctx() + - ssl_txt.c was cleaned up. + - Internal function arguments and struct member have been changed + to size_t. + - Lots of missing error checks of EVP API were added. + - Clean up and clarify BN_kronecker(). + - Simplify ASN1_INTEGER_cmp() + - Rewrite ASN1_INTEGER_{get,set}() using CBS and CBB and reuse + the ASN1_INTEGER functions for ASN1_ENUMERATED. + - Use ASN1_INTEGER to parse and build {Z,}LONG_it + - Refactored and cleaned up group (elliptic curve) handling in + t1_lib.c. + - Simplify certificate list handling code in the legacy server. + - Make CBB_finish() fail if *out_data is not NULL. + - Remove tls_buffer_set_data() and remove/revise callers. + - Rewrite SSL{_CTX,}_set_alpn_protos() using CBS. + - Simplify tlsext_supported_groups_server_parse(). + - Remove redundant length checks in tlsext parse functions. + - Simplify tls13_server_encrypted_extensions_recv(). 
+ - Add read and write support to tls_buffer. + - Convert TLS transcript from BUF_MEM to tls_buffer. + - Clear key on exit in PKCS12_gen_mac(). + - Minor fixes in PKCS12_parse(). + - Provide and use a primitive clear function for BIGNUM_it. + - Use ASN1_INTEGER to encode/decode BIGNUM_it. + - Add stack frames to AES-NI x86_64 assembly. + - Use named initialisers for BIGNUMs. + - Tidy up some of BN_nist_mod_*. + - Expand BLOCK_CIPHER_* and related macros. + - Avoid shadowing the cbs function parameter in + tlsext_alpn_server_parse() + - Deduplicate peer certificate chain processing code. + - Make it possible to signal an error from an i2c_* function. + - Rewrite i2c_ASN1_INTEGER() using CBB/CBS. + - Remove UINT32_MAX limitation on ChaCha() and CRYPTO_chacha_20(). + - Remove bogus length checks from EVP_aead_chacha20_poly1305(). + - Reworked DSA_size() and ECDSA_size(). + - Stop using CBIGNUM_it internal to libcrypto. + - Provide c2i_ASN1_ENUMERATED_cbs() and call it from + asn1_c2i_primitive(). + - Ensure ASN.1 types are appropriately encoded. + - Avoid recycling ASN1_STRINGs when decoding ASN.1. + - Tidy up asn1_c2i_primitive() slightly. + - Mechanically expand IMPLEMENT_BLOCK_CIPHER, IMPLEMENT_CFBR, + BLOCK_CIPHER and the looney M_do_cipher macros. + - Use correct length for EVP CFB mode ciphers. + - Provide a version of ssl_msg_callback() that takes a CBS. + - Use CBS to parse TLS alerts in the legacy stack. + - Increment the input and output position for EVP AES CFB1. + - Ensure there is no trailing data for a CCS received by the + TLSv1.3 stack. + - Use CBS when procesing a CCS message in the legacy stack. + - Be stricter with middlebox compatibility mode in the TLSv1.3 + server. + * Compatibility changes + - The ASN.1 time parser has been refactored and rewritten using CBS. + It has been made stricter in that it now enforces the rules from + RFC 5280. + - ASN1_AFLG_BROKEN was removed. + - Error check tls_session_secret_cb() like OpenSSL. 
+ - Added ASN1_INTEGER_{get,set}_{u,}int64() + - Move leaf certificate checks to the last thing after chain + validation. + - Added -s option to openssl(1) ciphers that only shows the ciphers + supported by the specified protocol. + - Use TLS_client_method() instead of TLSv1_client_method() in + the openssl(1) ciphers command. + - Validate the protocols in SSL{_CTX,}_set_alpn_protos(). + - Made TS and PKCS12 opaque. + - Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF. + - Align PKCS12_key_gen_uni() with OpenSSL + - Various PKCS12 and TS accessors were added. In particular, the + TS_RESP_CTX_set_time_cb() function was added back. + - Allow a NULL header in PEM_write{,_bio}() + - Allow empty attribute sets in CSRs. + - Adjust signatures of BIO_ctrl functions. + - Provide additional defines for EVP AEAD. + - Provide OPENSSL_cleanup(). + - Make BIO_info_cb() identical to bio_info_cb(). + * Bug fixes + - Avoid use of uninitialized in BN_mod_exp_recp(). + - Fix X509_get_extension_flags() by ensuring that EXFLAG_INVALID is + set on X509_get_purpose() failure. + - Fix HMAC() with NULL key. + - Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings(). + - Avoid strict aliasing violations in BN_nist_mod_*(). + - Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca(). + No return value of X509_check_ca() indicates failure. Application + code should therefore issue a checked call to X509_check_purpose() + before calling X509_check_ca(). + - Rewrite and fix X509v3_asid_subset() to avoid segfaults on some + valid input. + - Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new(). + - Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly. + - Avoid use of uninitialized in ASN1_STRING_to_UTF8(). + - Do not pass uninitialized pointer to ASN1_STRING_to_UTF8(). + - Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy. + - Do not reject primes in trial divisions. 
+ - Error out on negative shifts in BN_{r,l}shift() instead of + accessing arrays out of bounds. + - Fix URI name constraints, allow for URI's with no host part. + - Fix the legacy verifier callback behaviour for untrusted certs. + - Correct serfver-side handling of TLSv1.3 key updates. + - Plug leak in PKCS12_setup_mac(). + - Plug leak in X509V3_add1_i2d(). + - Only print X.509 versions we know about. + - Avoid signed integer overflow due to unary negation + - Initialize readbytes in BIO_gets(). + - Plug memory leak in CMS_add_simple_smimecap(). + - Plug memory leak in X509_REQ_print_ex(). + - Check HMAC() return value to avoid a later use of uninitialized. + - Avoid potential NULL dereference in ssl_set_pkey(). + - Check return values in ssl_print_tmp_key(). + - Switch loop bounds from size_t to int in check_hosts(). + - Avoid division by zero if no connection was made in s_time.c. + - Check sk_SSL_CIPHER_push() return value + - Avoid out-of-bounds read in ssl_cipher_process_rulestr(). + - Use LONG_MAX as the limit for ciphers with long based APIs. + * New features + - EVP API for HKDF ported from OpenSSL and subsequently cleaned up. + - The security level API (SSL_{,CTX}_{get,set}_security_level()) is + now available. Callbacks and ex_data are not supported. Sane + software will not be using this. + - Experimental support for the BoringSSL QUIC API. + - Add initial support for TS ESSCertIDv2 verification. + - LibreSSL now uses the Baillie-PSW primality test instead of + Miller-Rabin . + +3.5.3 - Reliability fix + + * Fix d2i_ASN1_OBJECT(). A confusion of two CBS resulted in advancing + the passed *der_in pointer incorrectly. Thanks to Aram Sargsyan for + reporting the issue and testing the fix. + 3.5.2 - Stable release * Bug fixes 
@@ -2404,7 +2738,7 @@ LibreSSL Portable Release Notes: * Address POODLE attack by disabling SSLv3 by default * Fix Eliptical Curve cipher selection bug - (https://github.com/libressl-portable/portable/issues/35) + (https://github.com/libressl/portable/issues/35) 2.1.0 - First release from the OpenBSD 5.7 tree * Added support for automatic ephemeral EC keys diff --git a/INSTALL b/INSTALL deleted file mode 100644 index 2099840..0000000 --- a/INSTALL +++ /dev/null 
@@ -1,370 +0,0 @@ -Installation Instructions -************************* - -Copyright (C) 1994-1996, 1999-2002, 2004-2013 Free Software Foundation, -Inc. - - Copying and distribution of this file, with or without modification, -are permitted in any medium without royalty provided the copyright -notice and this notice are preserved. This file is offered as-is, -without warranty of any kind. - -Basic Installation -================== - - Briefly, the shell command `./configure && make && make install' -should configure, build, and install this package. The following -more-detailed instructions are generic; see the `README' file for -instructions specific to this package. Some packages provide this -`INSTALL' file but do not implement all of the features documented -below. The lack of an optional feature in a given package is not -necessarily a bug. More recommendations for GNU packages can be found -in *note Makefile Conventions: (standards)Makefile Conventions. - - The `configure' shell script attempts to guess correct values for -various system-dependent variables used during compilation. It uses -those values to create a `Makefile' in each directory of the package. -It may also create one or more `.h' files containing system-dependent -definitions. Finally, it creates a shell script `config.status' that -you can run in the future to recreate the current configuration, and a -file `config.log' containing compiler output (useful mainly for -debugging `configure'). - - It can also use an optional file (typically called `config.cache' -and enabled with `--cache-file=config.cache' or simply `-C') that saves -the results of its tests to speed up reconfiguring. Caching is -disabled by default to prevent problems with accidental use of stale -cache files. 
- - If you need to do unusual things to compile the package, please try -to figure out how `configure' could check whether to do them, and mail -diffs or instructions to the address given in the `README' so they can -be considered for the next release. If you are using the cache, and at -some point `config.cache' contains results you don't want to keep, you -may remove or edit it. - - The file `configure.ac' (or `configure.in') is used to create -`configure' by a program called `autoconf'. You need `configure.ac' if -you want to change it or regenerate `configure' using a newer version -of `autoconf'. - - The simplest way to compile this package is: - - 1. `cd' to the directory containing the package's source code and type - `./configure' to configure the package for your system. - - Running `configure' might take a while. While running, it prints - some messages telling which features it is checking for. - - 2. Type `make' to compile the package. - - 3. Optionally, type `make check' to run any self-tests that come with - the package, generally using the just-built uninstalled binaries. - - 4. Type `make install' to install the programs and any data files and - documentation. When installing into a prefix owned by root, it is - recommended that the package be configured and built as a regular - user, and only the `make install' phase executed with root - privileges. - - 5. Optionally, type `make installcheck' to repeat any self-tests, but - this time using the binaries in their final installed location. - This target does not install anything. Running this target as a - regular user, particularly if the prior `make install' required - root privileges, verifies that the installation completed - correctly. - - 6. You can remove the program binaries and object files from the - source code directory by typing `make clean'. To also remove the - files that `configure' created (so you can compile the package for - a different kind of computer), type `make distclean'. 
There is - also a `make maintainer-clean' target, but that is intended mainly - for the package's developers. If you use it, you may have to get - all sorts of other programs in order to regenerate files that came - with the distribution. - - 7. Often, you can also type `make uninstall' to remove the installed - files again. In practice, not all packages have tested that - uninstallation works correctly, even though it is required by the - GNU Coding Standards. - - 8. Some packages, particularly those that use Automake, provide `make - distcheck', which can by used by developers to test that all other - targets like `make install' and `make uninstall' work correctly. - This target is generally not run by end users. - -Compilers and Options -===================== - - Some systems require unusual options for compilation or linking that -the `configure' script does not know about. Run `./configure --help' -for details on some of the pertinent environment variables. - - You can give `configure' initial values for configuration parameters -by setting variables in the command line or in the environment. Here -is an example: - - ./configure CC=c99 CFLAGS=-g LIBS=-lposix - - *Note Defining Variables::, for more details. - -Compiling For Multiple Architectures -==================================== - - You can compile the package for more than one kind of computer at the -same time, by placing the object files for each architecture in their -own directory. To do this, you can use GNU `make'. `cd' to the -directory where you want the object files and executables to go and run -the `configure' script. `configure' automatically checks for the -source code in the directory that `configure' is in and in `..'. This -is known as a "VPATH" build. - - With a non-GNU `make', it is safer to compile the package for one -architecture at a time in the source code directory. 
After you have -installed the package for one architecture, use `make distclean' before -reconfiguring for another architecture. - - On MacOS X 10.5 and later systems, you can create libraries and -executables that work on multiple system types--known as "fat" or -"universal" binaries--by specifying multiple `-arch' options to the -compiler but only a single `-arch' option to the preprocessor. Like -this: - - ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ - CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ - CPP="gcc -E" CXXCPP="g++ -E" - - This is not guaranteed to produce working output in all cases, you -may have to build one architecture at a time and combine the results -using the `lipo' tool if you have problems. - -Installation Names -================== - - By default, `make install' installs the package's commands under -`/usr/local/bin', include files under `/usr/local/include', etc. You -can specify an installation prefix other than `/usr/local' by giving -`configure' the option `--prefix=PREFIX', where PREFIX must be an -absolute file name. - - You can specify separate installation prefixes for -architecture-specific files and architecture-independent files. If you -pass the option `--exec-prefix=PREFIX' to `configure', the package uses -PREFIX as the prefix for installing programs and libraries. -Documentation and other data files still use the regular prefix. - - In addition, if you use an unusual directory layout you can give -options like `--bindir=DIR' to specify different values for particular -kinds of files. Run `configure --help' for a list of the directories -you can set and what kinds of files go in them. In general, the -default for these options is expressed in terms of `${prefix}', so that -specifying just `--prefix' will affect all of the other directory -specifications that were not explicitly provided. 
- - The most portable way to affect installation locations is to pass the -correct locations to `configure'; however, many packages provide one or -both of the following shortcuts of passing variable assignments to the -`make install' command line to change installation locations without -having to reconfigure or recompile. - - The first method involves providing an override variable for each -affected directory. For example, `make install -prefix=/alternate/directory' will choose an alternate location for all -directory configuration variables that were expressed in terms of -`${prefix}'. Any directories that were specified during `configure', -but not in terms of `${prefix}', must each be overridden at install -time for the entire installation to be relocated. The approach of -makefile variable overrides for each directory variable is required by -the GNU Coding Standards, and ideally causes no recompilation. -However, some platforms have known limitations with the semantics of -shared libraries that end up requiring recompilation when using this -method, particularly noticeable in packages that use GNU Libtool. - - The second method involves providing the `DESTDIR' variable. For -example, `make install DESTDIR=/alternate/directory' will prepend -`/alternate/directory' before all installation names. The approach of -`DESTDIR' overrides is not required by the GNU Coding Standards, and -does not work on platforms that have drive letters. On the other hand, -it does better at avoiding recompilation issues, and works well even -when some directory options were not specified in terms of `${prefix}' -at `configure' time. - -Optional Features -================= - - If the package supports it, you can cause programs to be installed -with an extra prefix or suffix on their names by giving `configure' the -option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. 
- - Some packages pay attention to `--enable-FEATURE' options to -`configure', where FEATURE indicates an optional part of the package. -They may also pay attention to `--with-PACKAGE' options, where PACKAGE -is something like `gnu-as' or `x' (for the X Window System). The -`README' should mention any `--enable-' and `--with-' options that the -package recognizes. - - For packages that use the X Window System, `configure' can usually -find the X include and library files automatically, but if it doesn't, -you can use the `configure' options `--x-includes=DIR' and -`--x-libraries=DIR' to specify their locations. - - Some packages offer the ability to configure how verbose the -execution of `make' will be. For these packages, running `./configure ---enable-silent-rules' sets the default to minimal output, which can be -overridden with `make V=1'; while running `./configure ---disable-silent-rules' sets the default to verbose, which can be -overridden with `make V=0'. - -Particular systems -================== - - On HP-UX, the default C compiler is not ANSI C compatible. If GNU -CC is not installed, it is recommended to use the following options in -order to use an ANSI C compiler: - - ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" - -and if that doesn't work, install pre-built binaries of GCC for HP-UX. - - HP-UX `make' updates targets which have the same time stamps as -their prerequisites, which makes it generally unusable when shipped -generated files such as `configure' are involved. Use GNU `make' -instead. - - On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot -parse its `' header file. The option `-nodtk' can be used as -a workaround. If GNU CC is not installed, it is therefore recommended -to try - - ./configure CC="cc" - -and if that doesn't work, try - - ./configure CC="cc -nodtk" - - On Solaris, don't put `/usr/ucb' early in your `PATH'. 
This -directory contains several dysfunctional programs; working variants of -these programs are available in `/usr/bin'. So, if you need `/usr/ucb' -in your `PATH', put it _after_ `/usr/bin'. - - On Haiku, software installed for all users goes in `/boot/common', -not `/usr/local'. It is recommended to use the following options: - - ./configure --prefix=/boot/common - -Specifying the System Type -========================== - - There may be some features `configure' cannot figure out -automatically, but needs to determine by the type of machine the package -will run on. Usually, assuming the package is built to be run on the -_same_ architectures, `configure' can figure that out, but if it prints -a message saying it cannot guess the machine type, give it the -`--build=TYPE' option. TYPE can either be a short name for the system -type, such as `sun4', or a canonical name which has the form: - - CPU-COMPANY-SYSTEM - -where SYSTEM can have one of these forms: - - OS - KERNEL-OS - - See the file `config.sub' for the possible values of each field. If -`config.sub' isn't included in this package, then this package doesn't -need to know the machine type. - - If you are _building_ compiler tools for cross-compiling, you should -use the option `--target=TYPE' to select the type of system they will -produce code for. - - If you want to _use_ a cross compiler, that generates code for a -platform different from the build platform, you should specify the -"host" platform (i.e., that on which the generated programs will -eventually be run) with `--host=TYPE'. - -Sharing Defaults -================ - - If you want to set default values for `configure' scripts to share, -you can create a site shell script called `config.site' that gives -default values for variables like `CC', `cache_file', and `prefix'. -`configure' looks for `PREFIX/share/config.site' if it exists, then -`PREFIX/etc/config.site' if it exists. 
Or, you can set the -`CONFIG_SITE' environment variable to the location of the site script. -A warning: not all `configure' scripts look for a site script. - -Defining Variables -================== - - Variables not defined in a site shell script can be set in the -environment passed to `configure'. However, some packages may run -configure again during the build, and the customized values of these -variables may be lost. In order to avoid this problem, you should set -them in the `configure' command line, using `VAR=value'. For example: - - ./configure CC=/usr/local2/bin/gcc - -causes the specified `gcc' to be used as the C compiler (unless it is -overridden in the site shell script). - -Unfortunately, this technique does not work for `CONFIG_SHELL' due to -an Autoconf limitation. Until the limitation is lifted, you can use -this workaround: - - CONFIG_SHELL=/bin/bash ./configure CONFIG_SHELL=/bin/bash - -`configure' Invocation -====================== - - `configure' recognizes the following options to control how it -operates. - -`--help' -`-h' - Print a summary of all of the options to `configure', and exit. - -`--help=short' -`--help=recursive' - Print a summary of the options unique to this package's - `configure', and exit. The `short' variant lists options used - only in the top level, while the `recursive' variant lists options - also present in any nested packages. - -`--version' -`-V' - Print the version of Autoconf used to generate the `configure' - script, and exit. - -`--cache-file=FILE' - Enable the cache: use and save the results of the tests in FILE, - traditionally `config.cache'. FILE defaults to `/dev/null' to - disable caching. - -`--config-cache' -`-C' - Alias for `--cache-file=config.cache'. - -`--quiet' -`--silent' -`-q' - Do not print messages saying which checks are being made. To - suppress all normal output, redirect it to `/dev/null' (any error - messages will still be shown). 
- -`--srcdir=DIR' - Look for the package's source code in directory DIR. Usually - `configure' can determine that directory automatically. - -`--prefix=DIR' - Use DIR as the installation prefix. *note Installation Names:: - for more details, including other options available for fine-tuning - the installation locations. - -`--no-create' -`-n' - Run the configure checks, but stop before creating any output - files. - -`configure' also accepts some other, not widely useful, options. Run -`configure --help' for more details. diff --git a/README.md b/README.md index 26855e6..f1f8972 100644 --- a/README.md +++ b/README.md 
@@ -1,20 +1,20 @@ -Built from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.2.tar.gz +Built from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.8.0.tar.gz Modifications: -- Removed tests/mandocs/pkgconfig/scripts/apps/cmake_uninstall from both filesystem and CMakeLists.txt -- Removed m4 configuration files + make build scripts +* Removed targets for apps, tests, install, uninstall. +* Removed extra files like unneeded target sources, Makefiles, autoconf files. === ![LibreSSL image](https://www.libressl.org/images/libressl.jpg) ## Official portable version of [LibreSSL](https://www.libressl.org) ## -[![Linux Build Status](https://github.com/libressl-portable/portable/actions/workflows/linux_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/linux_test.yml) -[![macOS Build Status](https://github.com/libressl-portable/portable/actions/workflows/macos_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/macos_test.yml) -[![Android_Build Status](https://github.com/libressl-portable/portable/actions/workflows/android_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/android_test.yml) -[![Cross_Build Status](https://github.com/libressl-portable/portable/actions/workflows/cross_test.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/cross_test.yml) +[![Linux Build Status](https://github.com/libressl/portable/actions/workflows/linux_test.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/linux_test.yml) +[![macOS Build Status](https://github.com/libressl/portable/actions/workflows/macos_test.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/macos_test.yml) +[![Android_Build Status](https://github.com/libressl/portable/actions/workflows/android_test.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/android_test.yml) +[![Cross_Build 
Status](https://github.com/libressl/portable/actions/workflows/cross_test.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/cross_test.yml) [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/libressl.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:libressl) -[![ASan Status](https://github.com/libressl-portable/portable/actions/workflows/linux_test_asan.yml/badge.svg)](https://github.com/libressl-portable/portable/actions/workflows/linux_test_asan.yml) +[![ASan Status](https://github.com/libressl/portable/actions/workflows/linux_test_asan.yml/badge.svg)](https://github.com/libressl/portable/actions/workflows/linux_test_asan.yml) LibreSSL is a fork of [OpenSSL](https://www.openssl.org) 1.0.1g developed by the [OpenBSD](https://www.openbsd.org) project. Our goal is to modernize the codebase, @@ -22,9 +22,12 @@ improve security, and apply best practice development processes from OpenBSD. ## Compatibility with OpenSSL: ## -LibreSSL is API compatible with OpenSSL 1.0.1, but does not yet include all -new APIs from OpenSSL 1.0.2 and later. LibreSSL also includes APIs not yet -present in OpenSSL. The current common API subset is OpenSSL 1.0.1. +LibreSSL provides much of the OpenSSL 1.1 API. The OpenSSL 3 API is not currently +supported. Incompatibilities between the projects exist and are unavoidable since +both evolve with different goals and priorities. Important incompatibilities will +be addressed if possible and as long as they are not too detrimental to LibreSSL's +goals of simplicity, security and sanity. We do not add new features, ciphers and +API without a solid reason and require that new code be clean and of high quality. LibreSSL is not ABI compatible with any release of OpenSSL, or necessarily earlier releases of LibreSSL. You will need to relink your programs to 
@@ -60,11 +63,11 @@ OpenBSD mirror in directory although we suggest that you use a [mirror](https://www.openbsd.org/ftp.html). The LibreSSL portable build framework is also -[mirrored](https://github.com/libressl-portable/portable) in Github. +[mirrored](https://github.com/libressl/portable) on GitHub. Please report bugs either to the public libressl@openbsd.org mailing list, -or to the github -[issue tracker](https://github.com/libressl-portable/portable/issues) +or to the GitHub +[issue tracker](https://github.com/libressl/portable/issues) Severe vulnerabilities or bugs requiring coordination with OpenSSL can be sent to the core team at libressl-security@openbsd.org. @@ -155,12 +158,8 @@ into other projects or build by itself. | Option Name | Default | Description | ------------ | -----: | ------ -| LIBRESSL_SKIP_INSTALL | OFF | allows skipping install() rules. Can be specified from command line using
```-DLIBRESSL_SKIP_INSTALL=ON``` | -| LIBRESSL_APPS | ON | allows skipping application builds. Apps are required to run tests | -| LIBRESSL_TESTS | ON | allows skipping of tests. Tests are only available in static builds | | BUILD_SHARED_LIBS | OFF | CMake option for building shared libraries. | | ENABLE_ASM | ON | builds assembly optimized rules. | -| ENABLE_EXTRATESTS | OFF | Enable extra tests that may be unreliable on some platforms | | ENABLE_NC | OFF | Enable installing TLS-enabled nc(1) | | OPENSSLDIR | Blank | Set the default openssl directory. Can be specified from command line using
```-DOPENSSLDIR=``` | diff --git a/README.windows b/README.windows index a88ddc9..1a9b7b5 100644 --- a/README.windows +++ b/README.windows @@ -46,7 +46,7 @@ problem. A script for generating ready-to-use .DLL and static .LIB files is included in the source repository at -https://github.com/libressl-portable/portable/blob/master/dist-win.sh +https://github.com/libressl/portable/blob/master/dist-win.sh This script uses mingw-w64 to build LibreSSL and then uses Visual Studio tools to generate compatible library import files ready-to-use with Visual diff --git a/VERSION b/VERSION index 8b7c8d3..6641052 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -3.5.2 +3.8.0 diff --git a/cert.pem b/cert.pem index 0e50fe6..e5215f3 100644 --- a/cert.pem +++ b/cert.pem 
@@ -1,36 +1,36 @@ -# $OpenBSD: cert.pem,v 1.24 2021/09/30 18:16:11 deraadt Exp $ +# $OpenBSD: cert.pem,v 1.26 2023/05/06 17:55:38 tb Exp $ ### /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 === /C=ES/CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 Certificate: Data: Version: 3 (0x2) - Serial Number: 6047274297262753887 (0x53ec3beefbb2485f) - Signature Algorithm: sha1WithRSAEncryption + Serial Number: 1977337328857672817 (0x1b70e9d2ffae6c71) + Signature Algorithm: sha256WithRSAEncryption Validity - Not Before: May 20 08:38:15 2009 GMT - Not After : Dec 31 08:38:15 2030 GMT + Not Before: Sep 23 15:22:07 2014 GMT + Not After : May 5 15:22:07 2036 GMT Subject: C=ES, CN=Autoridad de Certificacion Firmaprofesional CIF A62634068 X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE, pathlen:1 - X509v3 Key Usage: critical - Certificate Sign, CRL Sign X509v3 Subject Key Identifier: 65:CD:EB:AB:35:1E:00:3E:7E:D5:74:C0:1C:B4:73:47:0E:1A:64:2F + X509v3 Basic Constraints: critical + CA:TRUE, pathlen:1 X509v3 Certificate Policies: Policy: X509v3 Any Policy CPS: http://www.firmaprofesional.com/cps User Notice: Explicit Text: -SHA1 Fingerprint=AE:C5:FB:3F:C8:E1:BF:C4:E5:4F:03:07:5A:9A:E8:00:B7:F7:B6:FA -SHA256 Fingerprint=04:04:80:28:BF:1F:28:64:D4:8F:9A:D4:D8:32:94:36:6A:82:88:56:55:3F:3B:14:30:3F:90:14:7F:5D:40:EF + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=0B:BE:C2:27:22:49:CB:39:AA:DB:35:5C:53:E3:8C:AE:78:FF:B6:FE +SHA256 Fingerprint=57:DE:05:83:EF:D2:B2:6E:03:61:DA:99:DA:9D:F4:64:8D:EF:7E:E8:44:1C:3B:72:8A:FA:9B:CD:E0:F9:B2:6A -----BEGIN CERTIFICATE----- -MIIGFDCCA/ygAwIBAgIIU+w77vuySF8wDQYJKoZIhvcNAQEFBQAwUTELMAkGA1UE +MIIGFDCCA/ygAwIBAgIIG3Dp0v+ubHEwDQYJKoZIhvcNAQELBQAwUTELMAkGA1UE BhMCRVMxQjBABgNVBAMMOUF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uIEZpcm1h -cHJvZmVzaW9uYWwgQ0lGIEE2MjYzNDA2ODAeFw0wOTA1MjAwODM4MTVaFw0zMDEy -MzEwODM4MTVaMFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUg 
+cHJvZmVzaW9uYWwgQ0lGIEE2MjYzNDA2ODAeFw0xNDA5MjMxNTIyMDdaFw0zNjA1 +MDUxNTIyMDdaMFExCzAJBgNVBAYTAkVTMUIwQAYDVQQDDDlBdXRvcmlkYWQgZGUg Q2VydGlmaWNhY2lvbiBGaXJtYXByb2Zlc2lvbmFsIENJRiBBNjI2MzQwNjgwggIi MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKlmuO6vj78aI14H9M2uDDUtd9 thDIAl6zQyrET2qyyhxdKJp4ERppWVevtSBC5IsP5t9bpgOSL/UR5GLXMnE42QQM 
@@ -43,23 +43,23 @@ Z/QYFpM6/EfY0XiWMR+6KwxfXZmtY4laJCB22N/9q06mIqqdXuYnin1oKaPnirja EbsXLZmdEyRG98Xi2J+Of8ePdG1asuhy9azuJBCtLxTa/y2aRnFHvkLfuwHb9H/T KI8xWVvTyQKmtFLKbpf7Q8UIJm+K9Lv9nyiqDdVF8xM6HdjAeI9BZzwelGSuewvF 6NkBiDkal4ZkQdU7hwxu+g/GvUgUvzlN1J5Bto+WHWOWk9mVBngxaJ43BjuAiUVh -OSPHG0SjFeUc+JIwuwIDAQABo4HvMIHsMBIGA1UdEwEB/wQIMAYBAf8CAQEwDgYD -VR0PAQH/BAQDAgEGMB0GA1UdDgQWBBRlzeurNR4APn7VdMActHNHDhpkLzCBpgYD -VR0gBIGeMIGbMIGYBgRVHSAAMIGPMC8GCCsGAQUFBwIBFiNodHRwOi8vd3d3LmZp -cm1hcHJvZmVzaW9uYWwuY29tL2NwczBcBggrBgEFBQcCAjBQHk4AUABhAHMAZQBv -ACAAZABlACAAbABhACAAQgBvAG4AYQBuAG8AdgBhACAANAA3ACAAQgBhAHIAYwBl -AGwAbwBuAGEAIAAwADgAMAAxADcwDQYJKoZIhvcNAQEFBQADggIBABd9oPm03cXF -661LJLWhAqvdpYhKsg9VSytXjDvlMd3+xDLx51tkljYyGOylMnfX40S2wBEqgLk9 -am58m9Ot/MPWo+ZkKXzR4Tgegiv/J2Wv+xYVxC5xhOW1//qkR71kMrv2JYSiJ0L1 -ILDCExARzRAVukKQKtJE4ZYm6zFIEv0q2skGz3QeqUvVhyj5eTSSPi5E6PaPT481 -PyWzOdxjKpBrIF/EUhJOlywqrJ2X3kjyo2bbwtKDlaZmp54lD+kLM5FlClrD2VQS -3a/DTg4fJl4N3LON7NWBcN7STyQF82xO9UxJZo3R/9ILJUFI/lGExkKvgATP0H5k -SeTy36LssUzAKh3ntLFlosS88Zj0qnAHY7S42jtM+kAiMFsRpvAFDsYCA0irhpuF -3dvd6qJ2gHN99ZwExEWN57kci57q13XRcrHedUTnQn3iV2t93Jm8PYMo6oCTjcVM -ZcFwgbg4/EMxsvYDNEeyrPsiBsse3RdHHF9mudMaotoRsaS8I8nkvof/uZS2+F0g -StRf571oe2XyFR7SOqkt6dhrJKyXWERHrVkY8SFlcN7ONGCoQPHzPKTDKCOM/icz -Q0CgFzzr6juwcqajuUpLXhZI9LK8yIySxZ2frHI2vDSANGupi5LAuBft7HZT9SQB -jLMi6Et8Vcad+qMUu2WFbm5PEn4KPJ2V +OSPHG0SjFeUc+JIwuwIDAQABo4HvMIHsMB0GA1UdDgQWBBRlzeurNR4APn7VdMAc +tHNHDhpkLzASBgNVHRMBAf8ECDAGAQH/AgEBMIGmBgNVHSAEgZ4wgZswgZgGBFUd +IAAwgY8wLwYIKwYBBQUHAgEWI2h0dHA6Ly93d3cuZmlybWFwcm9mZXNpb25hbC5j +b20vY3BzMFwGCCsGAQUFBwICMFAeTgBQAGEAcwBlAG8AIABkAGUAIABsAGEAIABC +AG8AbgBhAG4AbwB2AGEAIAA0ADcAIABCAGEAcgBjAGUAbABvAG4AYQAgADAAOAAw +ADEANzAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQELBQADggIBAHSHKAIrdx9m +iWTtj3QuRhy7qPj4Cx2Dtjqn6EWKB7fgPiDL4QjbEwj4KKE1soCzC1HA01aajTNF +Sa9J8OA9B3pFE1r/yJfY0xgsfZb43aJlQ3CTkBW6kN/oGbDbLIpgD7dvlAceHabJ +hfa9NPhAeGIQcDq+fUs5gakQ1JZBu/hfHAsdCPKxsIl68veg4MSPi3i1O1ilI45P 
+Vf42O+AMt8oqMEEgtIDNrvx2ZnOorm7hfNoD6JQg5iKj0B+QXSBTFCZX2lSX3xZE +EAEeiGaPcjiT3SC3NL7X8e5jjkd5KAb881lFJWAiMxujX6i6KtoaPc1A6ozuBRWV +1aUsIC+nmCjuRfzxuIgALI9C2lHVnOUTaHFFQ4ueCyE8S1wF3BqfmI7avSKecs2t +CsvMo2ebKHTEm9caPARYpoKdrcd7b/+Alun4jWq9GJAd/0kakFI3ky88Al2CdgtR +5xbHV/g4+afNmyJU72OwFW1TZQNKXkqgsqeOSQBZONXH9IBk9W6VULgRfhVwOEqw +f9DEMnDAGf/JOC0ULGb0QkTmVXYbgBVX/8Cnp6o5qtjTcNAuuuuUavpfNIbnYrX9 +ivAwhZTJryQCL2/W3Wf+47BVTwSYT6RBVuKT0Gro1vP7ZeDOdcQxWQzugsgMYDNK +GbqEZycPvEJdvSRUDewdcAZfpLz6IHxV -----END CERTIFICATE----- ### ACCV 
@@ -369,66 +369,63 @@ aobgxCd05DhT1wV/GzTjxi+zygk8N53X57hG8f2h4nECMEJZh0PUUd+60wkyWs6I flc9nF9Ca/UHLbXwgpP5WW+uZPpY5Yse42O+tYHNbwKMeQ== -----END CERTIFICATE----- -### Agencia Catalana de Certificacio (NIF Q-0801176-I) +### Agence Nationale de Certification Electronique -=== /C=ES/O=Agencia Catalana de Certificacio (NIF Q-0801176-I)/OU=Serveis Publics de Certificacio/OU=Vegeu https://www.catcert.net/verarrel (c)03/OU=Jerarquia Entitats de Certificacio Catalanes/CN=EC-ACC +=== /C=TN/O=Agence Nationale de Certification Electronique/CN=TunTrust Root CA Certificate: Data: Version: 3 (0x2) Serial Number: - (Negative)11:d4:c2:14:2b:de:21:eb:57:9d:53:fb:0c:22:3b:ff - Signature Algorithm: sha1WithRSAEncryption + 13:02:d5:e2:40:4c:92:46:86:16:67:5d:b4:bb:bb:b2:6b:3e:fc:13 + Signature Algorithm: sha256WithRSAEncryption Validity - Not Before: Jan 7 23:00:00 2003 GMT - Not After : Jan 7 22:59:59 2031 GMT - Subject: C=ES, O=Agencia Catalana de Certificacio (NIF Q-0801176-I), OU=Serveis Publics de Certificacio, OU=Vegeu https://www.catcert.net/verarrel (c)03, OU=Jerarquia Entitats de Certificacio Catalanes, CN=EC-ACC + Not Before: Apr 26 08:57:56 2019 GMT + Not After : Apr 26 08:57:56 2044 GMT + Subject: C=TN, O=Agence Nationale de Certification Electronique, CN=TunTrust Root CA X509v3 extensions: - X509v3 Subject Alternative Name: - email:ec_acc@catcert.net + X509v3 Subject Key Identifier: + 06:9A:9B:1F:53:7D:F1:F5:A4:C8:D3:86:3E:A1:73:59:B4:F7:44:21 X509v3 Basic Constraints: critical CA:TRUE + X509v3 Authority Key Identifier: + keyid:06:9A:9B:1F:53:7D:F1:F5:A4:C8:D3:86:3E:A1:73:59:B4:F7:44:21 + X509v3 Key Usage: critical Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - A0:C3:8B:44:AA:37:A5:45:BF:97:80:5A:D1:F1:78:A2:9B:E9:5D:8D - X509v3 Certificate Policies: - Policy: 1.3.6.1.4.1.15096.1.3.1.10 - CPS: https://www.catcert.net/verarrel - User Notice: - Explicit Text: Vegeu https://www.catcert.net/verarrel - -SHA1 
Fingerprint=28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8 -SHA256 Fingerprint=88:49:7F:01:60:2F:31:54:24:6A:E2:8C:4D:5A:EF:10:F1:D8:7E:BB:76:62:6F:4A:E0:B7:F9:5B:A7:96:87:99 +SHA1 Fingerprint=CF:E9:70:84:0F:E0:73:0F:9D:F6:0C:7F:2C:4B:EE:20:46:34:9C:BB +SHA256 Fingerprint=2E:44:10:2A:B5:8C:B8:54:19:45:1C:8E:19:D9:AC:F3:66:2C:AF:BC:61:4B:6A:53:96:0A:30:F7:D0:E2:EB:41 -----BEGIN CERTIFICATE----- -MIIFVjCCBD6gAwIBAgIQ7is969Qh3hSoYqwE893EATANBgkqhkiG9w0BAQUFADCB -8zELMAkGA1UEBhMCRVMxOzA5BgNVBAoTMkFnZW5jaWEgQ2F0YWxhbmEgZGUgQ2Vy -dGlmaWNhY2lvIChOSUYgUS0wODAxMTc2LUkpMSgwJgYDVQQLEx9TZXJ2ZWlzIFB1 -YmxpY3MgZGUgQ2VydGlmaWNhY2lvMTUwMwYDVQQLEyxWZWdldSBodHRwczovL3d3 -dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbCAoYykwMzE1MDMGA1UECxMsSmVyYXJxdWlh -IEVudGl0YXRzIGRlIENlcnRpZmljYWNpbyBDYXRhbGFuZXMxDzANBgNVBAMTBkVD -LUFDQzAeFw0wMzAxMDcyMzAwMDBaFw0zMTAxMDcyMjU5NTlaMIHzMQswCQYDVQQG -EwJFUzE7MDkGA1UEChMyQWdlbmNpYSBDYXRhbGFuYSBkZSBDZXJ0aWZpY2FjaW8g -KE5JRiBRLTA4MDExNzYtSSkxKDAmBgNVBAsTH1NlcnZlaXMgUHVibGljcyBkZSBD -ZXJ0aWZpY2FjaW8xNTAzBgNVBAsTLFZlZ2V1IGh0dHBzOi8vd3d3LmNhdGNlcnQu -bmV0L3ZlcmFycmVsIChjKTAzMTUwMwYDVQQLEyxKZXJhcnF1aWEgRW50aXRhdHMg -ZGUgQ2VydGlmaWNhY2lvIENhdGFsYW5lczEPMA0GA1UEAxMGRUMtQUNDMIIBIjAN -BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsyLHT+KXQpWIR4NA9h0X84NzJB5R -85iKw5K4/0CQBXCHYMkAqbWUZRkiFRfCQ2xmRJoNBD45b6VLeqpjt4pEndljkYRm -4CgPukLjbo73FCeTae6RDqNfDrHrZqJyTxIThmV6PttPB/SnCWDaOkKZx7J/sxaV -HMf5NLWUhdWZXqBIoH7nF2W4onW4HvPlQn2v7fOKSGRdghST2MDk/7NQcvJ29rNd -QlB50JQ+awwAvthrDk4q7D7SzIKiGGUzE3eeml0aE9jD2z3Il3rucO2n5nzbcc8t -lGLfbdb1OL4/pYUKGbio2Al1QnDE6u/LDsg0qBIimAy4E5S2S+zw0JDnJwIDAQAB -o4HjMIHgMB0GA1UdEQQWMBSBEmVjX2FjY0BjYXRjZXJ0Lm5ldDAPBgNVHRMBAf8E -BTADAQH/MA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUoMOLRKo3pUW/l4Ba0fF4 -opvpXY0wfwYDVR0gBHgwdjB0BgsrBgEEAfV4AQMBCjBlMCwGCCsGAQUFBwIBFiBo -dHRwczovL3d3dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbDA1BggrBgEFBQcCAjApGidW -ZWdldSBodHRwczovL3d3dy5jYXRjZXJ0Lm5ldC92ZXJhcnJlbCAwDQYJKoZIhvcN -AQEFBQADggEBAKBIW4IB9k1IuDlVNZyAelOZ1Vr/sXE7zDkJlF7W2u++AVtd0x7Y 
-/X1PzaBB4DSTv8vihpw3kpBWHNzrKQXlxJ7HNd+KDM3FIUPpqojlNcAZQmNaAl6k
-SBg6hW/cnbw/nZzBh7h6YQjpdwt/cKt63dmXLGQehb+8dJahw3oS7AwaboMMPOhy
-Rp/7SNVel+axofjk70YllJyJ22k4vuxcDlbHZVHlUIiIv0LVKz3l+bqeLrPK9HOS
-Agu+TGbrIP65y7WZf+a2E/rKS03Z7lNGBjvGTq2TWoF+bCpLagVFjPIhpDGQh2xl
-nJ2lYJU6Un/10asIbvPuW/mIPX64b24D5EI=
+MIIFszCCA5ugAwIBAgIUEwLV4kBMkkaGFmddtLu7sms+/BMwDQYJKoZIhvcNAQEL
+BQAwYTELMAkGA1UEBhMCVE4xNzA1BgNVBAoMLkFnZW5jZSBOYXRpb25hbGUgZGUg
+Q2VydGlmaWNhdGlvbiBFbGVjdHJvbmlxdWUxGTAXBgNVBAMMEFR1blRydXN0IFJv
+b3QgQ0EwHhcNMTkwNDI2MDg1NzU2WhcNNDQwNDI2MDg1NzU2WjBhMQswCQYDVQQG
+EwJUTjE3MDUGA1UECgwuQWdlbmNlIE5hdGlvbmFsZSBkZSBDZXJ0aWZpY2F0aW9u
+IEVsZWN0cm9uaXF1ZTEZMBcGA1UEAwwQVHVuVHJ1c3QgUm9vdCBDQTCCAiIwDQYJ
+KoZIhvcNAQEBBQADggIPADCCAgoCggIBAMPN0/y9BFPdDCA61YguBUtB9YOCfvdZ
+n56eY+hz2vYGqU8ftPkLHzmMmiDQfgbU7DTZhrx1W4eI8NLZ1KMKsmwb60ksPqxd
+2JQDoOw05TDENX37Jk0bbjBU2PWARZw5rZzJJQRNmpA+TkBuimvNKWfGzC3gdOgF
+VwpIUPp6Q9p+7FuaDmJ2/uqdHYVy7BG7NegfJ7/Boce7SBbdVtfMTqDhuazb1YMZ
+GoXRlJfXyqNlC/M4+QKu3fZnz8k/9YosRxqZbwUN/dAdgjH8KcwAWJeRTIAAHDOF
+li/LQcKLEITDCSSJH7UP2dl3RxiSlGBcx5kDPP73lad9UKGAwqmDrViWVSHbhlnU
+r8a83YFuB9tgYv7sEG7aaAH0gxupPqJbI9dkxt/con3YS7qC0lH4Zr8GRuR5KiY2
+eY8fTpkdso8MDhz/yV3A/ZAQprE38806JG60hZC/gLkMjNWb1sjxVj8agIl6qeIb
+MlEsPvLfe/ZdeikZjuXIvTZxi11Mwh0/rViizz1wTaZQmCXcI/m4WEEIcb9PuISg
+jwBUFfyRbVinljvrS5YnzWuioYasDXxU5mZMZl+QviGaAkYt5IPCgLnPSz7ofzwB
+7I9ezX/SKEIBlYrilz0QIX32nRzFNKHsLA4KUiwSVXAkPcvCFDVDXSdOvsC9qnyW
+5/yeYa1E0wCXAgMBAAGjYzBhMB0GA1UdDgQWBBQGmpsfU33x9aTI04Y+oXNZtPdE
+ITAPBgNVHRMBAf8EBTADAQH/MB8GA1UdIwQYMBaAFAaamx9TffH1pMjThj6hc1m0
+90QhMA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAqgVutt0Vyb+z
+xiD2BkewhpMl0425yAA/l/VSJ4hxyXT968pk21vvHl26v9Hr7lxpuhbI87mP0zYu
+QEkHDVneixCwSQXi/5E/S7fdAo74gShczNxtr18UnH1YeA32gAm56Q6XKRm4t+v4
+FstVEuTGfbvE7Pi1HE4+Z7/FXxttbUcoqgRYYdZ2vyJ/0Adqp2RT8JeNnYA/u8EH
+22Wv5psymsNUk8QcCMNE+3tjEUPRahphanltkE8pjkcFwRJpadbGNjHh/PqAulxP
+xOu3Mqz4dWEX1xAZufHSCe96Qp1bWgvUxpVOKs7/B9dPfhgGiPEZtdmYu65xxBzn
+dFlY7wyJz4sfdZMaBBSSSFCp61cpABbjNhzI+L/wM9VBD8TMPN3pM0MBkRArHtG5 +Xc0yGYuPjCB31yLEQtyEFpslbei0VXF/sHyz03FJuc9SpAQ/3D2gu68zngowYI7b +nV2UqL1g52KAdoGDDIzMMEZJ4gzSqK/rYXHv5yJiqfdcZGyfFoxnNidF9Ql7v/YQ +CvGwjVRDjAS6oz/v4jXH+XTgbzRB0L9zZVcg+ZtnemZoJE6AZb0QmQZZ8mWvuMZH +u/2QeItBcy6vVR/cO5JyboTT0GFMDcx2V+IthSIVNg3rAZ3r2OvEhJn7wAzMMujj +d9qDRIueVSjAi1jTkD5OGwDxFa2DK5o= -----END CERTIFICATE----- ### Amazon 
@@ -590,6 +587,156 @@ CkcO8DdZEv8tmZQoTipPNU0zWgIxAOp1AE47xDqUEpHJWEadIRNyp4iciuRMStuW 1KyLa2tJElMzrdfkviT8tQp21KW8EA== -----END CERTIFICATE----- +### ANF Autoridad de Certificacion + +=== /serialNumber=G63287510/C=ES/O=ANF Autoridad de Certificacion/OU=ANF CA Raiz/CN=ANF Secure Server Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 996390341000653745 (0xdd3e3bc6cf96bb1) + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Sep 4 10:00:38 2019 GMT + Not After : Aug 30 10:00:38 2039 GMT + Subject: serialNumber=G63287510, C=ES, O=ANF Autoridad de Certificacion, OU=ANF CA Raiz, CN=ANF Secure Server Root CA + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:9C:5F:D0:6C:63:A3:5F:93:CA:93:98:08:AD:8C:87:A5:2C:5C:C1:37 + + X509v3 Subject Key Identifier: + 9C:5F:D0:6C:63:A3:5F:93:CA:93:98:08:AD:8C:87:A5:2C:5C:C1:37 + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=5B:6E:68:D0:CC:15:B6:A0:5F:1E:C1:5F:AE:02:FC:6B:2F:5D:6F:74 +SHA256 Fingerprint=FB:8F:EC:75:91:69:B9:10:6B:1E:51:16:44:C6:18:C5:13:04:37:3F:6C:06:43:08:8D:8B:EF:FD:1B:99:75:99 +-----BEGIN CERTIFICATE----- +MIIF7zCCA9egAwIBAgIIDdPjvGz5a7EwDQYJKoZIhvcNAQELBQAwgYQxEjAQBgNV +BAUTCUc2MzI4NzUxMDELMAkGA1UEBhMCRVMxJzAlBgNVBAoTHkFORiBBdXRvcmlk +YWQgZGUgQ2VydGlmaWNhY2lvbjEUMBIGA1UECxMLQU5GIENBIFJhaXoxIjAgBgNV +BAMTGUFORiBTZWN1cmUgU2VydmVyIFJvb3QgQ0EwHhcNMTkwOTA0MTAwMDM4WhcN +MzkwODMwMTAwMDM4WjCBhDESMBAGA1UEBRMJRzYzMjg3NTEwMQswCQYDVQQGEwJF +UzEnMCUGA1UEChMeQU5GIEF1dG9yaWRhZCBkZSBDZXJ0aWZpY2FjaW9uMRQwEgYD +VQQLEwtBTkYgQ0EgUmFpejEiMCAGA1UEAxMZQU5GIFNlY3VyZSBTZXJ2ZXIgUm9v +dCBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANvrayvmZFSVgpCj +cqQZAZ2cC4Ffc0m6p6zzBE57lgvsEeBbphzOG9INgxwruJ4dfkUyYA8H6XdYfp9q +yGFOtibBTI3/TO80sh9l2Ll49a2pcbnvT1gdpd50IJeh7WhM3pIXS7yr/2WanvtH +2Vdy8wmhrnZEE26cLUQ5vPnHO6RYPUG9tMJJo8gN0pcvB2VSAKduyK9o7PQUlrZX 
+H1bDOZ8rbeTzPvY1ZNoMHKGESy9LS+IsJJ1tk0DrtSOOMspvRdOoiXsezx76W0OL
+zc2oD2rKDF65nkeP8Nm2CgtYZRczuSPkdxl9y0oukntPLxB3sY0vaJxizOBQ+OyR
+p1RMVwnVdmPF6GUe7m1qzwmd+nxPrWAI/VaZDxUse6mAq4xhj0oHdkLePfTdsiQz
+W7i1o0TJrH93PB0j7IKppuLIBkwC/qxcmZkLLxCKpvR/1Yd0DVlJRfbwcVw5Kda/
+SiOL9V8BY9KHcyi1Swr1+KuCLH5zJTIdC2MKF4EA/7Z2Xue0sUDKIbvVgFHlSFJn
+LNJhiQcND85Cd8BEc5xEUKDbEAotlRyBr+Qc5RQe8TZBAQIvfXOn3kLMTOmJDVb3
+n5HUA8ZsyY/b2BzgQJhdZpmYgG4t/wHFzstGH6wCxkPmrqKEPMVOHj1tyRRM4y5B
+u8o5vzY8KhmqQYdOpc5LMnndkEl/AgMBAAGjYzBhMB8GA1UdIwQYMBaAFJxf0Gxj
+o1+TypOYCK2Mh6UsXME3MB0GA1UdDgQWBBScX9BsY6Nfk8qTmAitjIelLFzBNzAO
+BgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOC
+AgEATh65isagmD9uw2nAalxJUqzLK114OMHVVISfk/CHGT0sZonrDUL8zPB1hT+L
+9IBdeeUXZ701guLyPI59WzbLWoAAKfLOKyzxj6ptBZNscsdW699QIyjlRRA96Gej
+rw5VD5AJYu9LWaL2U/HANeQvwSS9eS9OICI7/RogsKQOLHDtdD+4E5UGUcjohybK
+pFtqFiGS3XNgnhAY3jyB6ugYw3yJ8otQPr0R4hUDqDZ9MwFsSBXXiJCZBMXM5gf0
+vPSQ7RPi6ovDj6MzD8EpTBNO2hVWcXNyglD2mjN8orGoGjR0ZVzO0eurU+AagNjq
+OknkJjCb5RyKqKkVMoaZkgoQI1YS4PbOTOK7vtuNknMBZi9iPrJyJ0U27U1W45eZ
+/zo1PqVUSlJZS2Db7v54EX9K3BR5YLZrZAPbFYPhor72I5dQ8AkzNqdxliXzuUJ9
+2zg/LFis6ELhDtjTO0wugumDLmsx2d1Hhk9tl5EuT+IocTUW0fJz/iUrB0ckYyfI
++PbZa/wSMVYIwFNCr5zQM378BvAxRAMU8Vjq8moNqRGyg77FGr8H6lnco4g175x2
+MjxNBiLOFeXdntiP2t7SxDnlF4HPOEfrf4htWRvfn0IUrn7PqLBmZdo3r5+qPeoo
+tt7VMVgWglvquxl1AnMaykgaIZOQCo6ThKd9OyMYkomgjaw=
+-----END CERTIFICATE-----
+
+### Asseco Data Systems S.A.
+
+=== /C=PL/O=Asseco Data Systems S.A./OU=Certum Certification Authority/CN=Certum EC-384 CA
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 78:8f:27:5c:81:12:52:20:a5:04:d0:2d:dd:ba:73:f4
+ Signature Algorithm: ecdsa-with-SHA384
+ Validity
+ Not Before: Mar 26 07:24:54 2018 GMT
+ Not After : Mar 26 07:24:54 2043 GMT
+ Subject: C=PL, O=Asseco Data Systems S.A., OU=Certum Certification Authority, CN=Certum EC-384 CA
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 8D:06:66:74:24:76:3A:F3:89:F7:BC:D6:BD:47:7D:2F:BC:10:5F:4B
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+SHA1 Fingerprint=F3:3E:78:3C:AC:DF:F4:A2:CC:AC:67:55:69:56:D7:E5:16:3C:E1:ED
+SHA256 Fingerprint=6B:32:80:85:62:53:18:AA:50:D1:73:C9:8D:8B:DA:09:D5:7E:27:41:3D:11:4C:F7:87:A0:F5:D0:6C:03:0C:F6
+-----BEGIN CERTIFICATE-----
+MIICZTCCAeugAwIBAgIQeI8nXIESUiClBNAt3bpz9DAKBggqhkjOPQQDAzB0MQsw
+CQYDVQQGEwJQTDEhMB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEuMScw
+JQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGTAXBgNVBAMT
+EENlcnR1bSBFQy0zODQgQ0EwHhcNMTgwMzI2MDcyNDU0WhcNNDMwMzI2MDcyNDU0
+WjB0MQswCQYDVQQGEwJQTDEhMB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBT
+LkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxGTAX
+BgNVBAMTEENlcnR1bSBFQy0zODQgQ0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATE
+KI6rGFtqvm5kN2PkzeyrOvfMobgOgknXhimfoZTy42B4mIF4Bk3y7JoOV2CDn7Tm
+Fy8as10CW4kjPMIRBSqniBMY81CE1700LCeJVf/OTOffph8oxPBUw7l8t1Ot68Kj
+QjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFI0GZnQkdjrzife81r1HfS+8
+EF9LMA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNoADBlAjADVS2m5hjEfO/J
+UG7BJw+ch69u1RsIGL2SKcHvlJF40jocVYli5RsJHrpka/F2tNQCMQC0QoSZ/6vn
+nvuRlydd3LBbMHHOXjgaatkl5+r3YZJW+OraNsKHZZYuciUvf9/DE8k=
+-----END CERTIFICATE-----
+=== /C=PL/O=Asseco Data Systems S.A./OU=Certum Certification Authority/CN=Certum Trusted Root CA
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number:
+ 1e:bf:59:50:b8:c9:80:37:4c:06:f7:eb:55:4f:b5:ed
+ Signature Algorithm: 
sha512WithRSAEncryption
+ Validity
+ Not Before: Mar 16 12:10:13 2018 GMT
+ Not After : Mar 16 12:10:13 2043 GMT
+ Subject: C=PL, O=Asseco Data Systems S.A., OU=Certum Certification Authority, CN=Certum Trusted Root CA
+ X509v3 extensions:
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 8C:FB:1C:75:BC:02:D3:9F:4E:2E:48:D9:F9:60:54:AA:C4:B3:4F:FA
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+SHA1 Fingerprint=C8:83:44:C0:18:AE:9F:CC:F1:87:B7:8F:22:D1:C5:D7:45:84:BA:E5
+SHA256 Fingerprint=FE:76:96:57:38:55:77:3E:37:A9:5E:7A:D4:D9:CC:96:C3:01:57:C1:5D:31:76:5B:A9:B1:57:04:E1:AE:78:FD
+-----BEGIN CERTIFICATE-----
+MIIFwDCCA6igAwIBAgIQHr9ZULjJgDdMBvfrVU+17TANBgkqhkiG9w0BAQ0FADB6
+MQswCQYDVQQGEwJQTDEhMB8GA1UEChMYQXNzZWNvIERhdGEgU3lzdGVtcyBTLkEu
+MScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkxHzAdBgNV
+BAMTFkNlcnR1bSBUcnVzdGVkIFJvb3QgQ0EwHhcNMTgwMzE2MTIxMDEzWhcNNDMw
+MzE2MTIxMDEzWjB6MQswCQYDVQQGEwJQTDEhMB8GA1UEChMYQXNzZWNvIERhdGEg
+U3lzdGVtcyBTLkEuMScwJQYDVQQLEx5DZXJ0dW0gQ2VydGlmaWNhdGlvbiBBdXRo
+b3JpdHkxHzAdBgNVBAMTFkNlcnR1bSBUcnVzdGVkIFJvb3QgQ0EwggIiMA0GCSqG
+SIb3DQEBAQUAA4ICDwAwggIKAoICAQDRLY67tzbqbTeRn06TpwXkKQMlzhyC93yZ
+n0EGze2jusDbCSzBfN8pfktlL5On1AFrAygYo9idBcEq2EXxkd7fO9CAAozPOA/q
+p1x4EaTByIVcJdPTsuclzxFUl6s1wB52HO8AU5853BSlLCIls3Jy/I2z5T4IHhQq
+NwuIPMqw9MjCoa68wb4pZ1Xi/K1ZXP69VyywkI3C7Te2fJmItdUDmj0VDT06qKhF
+8JVOJVkdzZhpu9PMMsmN74H+rX2Ju7pgE8pllWeg8xn2A1bUatMn4qGtg/BKEiJ3
+HAVz4hlxQsDsdUaakFjgao4rpUYwBI4Zshfjvqm6f1bxJAPXsiEodg42MEx51UGa
+mqi4NboMOvJEGyCI98Ul1z3G4z5D3Yf+xOr1Uz5MZf87Sst4WmsXXw3Hw09Omiqi
+7VdNIuJGmj8PkTQkfVXjjJU30xrwCSss0smNtA0Aq2cpKNgB9RkEth2+dv5yXMSF
+ytKAQd8FqKPVhJBPC/PgP5sZ0jeJP/J7UhyM9uH3PAeXjA6iWYEMspA90+NZRu0P
+qafegGtaqge2Gcu8V/OXIXoMsSt0Puvap2ctTMSYnjYJdmZm/Bo/6khUHL4wvYBQ
+v3y1zgD2DGHZ5yQD4OMBgQ692IU0iL2yNqh7XAjlRICMb/gv1SHKHRzQ+8S1h9E6
+Tsd2tTVItQIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSM+xx1
+vALTn04uSNn5YFSqxLNP+jAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQENBQAD
+ggIBAEii1QALLtA/vBzVtVRJHlpr9OTy4EA34MwUe7nJ+jW1dReTagVphZzNTxl4 +WxmB82M+w85bj/UvXgF2Ez8sALnNllI5SW0ETsXpD4YN4fqzX4IS8TrOZgYkNCvo +zMrnadyHncI013nR03e4qllY/p0m+jiGPp2Kh2RX5Rc64vmNueMzeMGQ2Ljdt4NR +5MTMI9UGfOZR0800McD2RrsLrfw9EAUqO0qRJe6M1ISHgCq8CYyqOhNf6DR5UMEQ +GfnTKB7U0VEwKbOukGfWHwpjscWpxkIxYxeU72nLL/qMFH3EQxiJ2fAyQOaA4kZf +5ePBAFmo+eggvIksDkc0C+pXwlM2/KfUrzHN/gLldfq5Jwn58/U7yn2fqSLLiMmq +0Uc9NneoWWRrJ8/vJ8HjJLWG965+Mk2weWjROeiQWMODvA8s1pfrzgzhIMfatz7D +P78v3DSk+yshzWePS/Tj6tQ/50+6uaWTRRxmHyH6ZF5v4HaUMst19W7l9o/HuKTM +qJZ9ZPskWkoDbGs4xugDQ5r3V7mzKWmTOPQD8rv7gmsHINFSH5pkAnuYZttcTVoP +0ISVoDwUQwbKytu4QTbaakRnh6+v40URFWkIsr4WOZckbxJF0WddCajJFdr60qZf +E2Efv4WstK2tBZQIgx51F9NxO5NQI1mg7TyRVJ12AMXDuDjb +-----END CERTIFICATE----- + ### Atos === /CN=Atos TrustedRoot 2011/O=Atos/C=DE 
@@ -785,6 +932,93 @@ u79leNKGef9JOxqDDPDeeOzI8k1MGt6CKfjBWtrt7uYnXuhF0J0cUahoq0Tj0Itq 4/g7u9xN12TyUb7mqqta6THuBrxzvxNiCp/HuZc= -----END CERTIFICATE----- +### Certainly + +=== /C=US/O=Certainly/CN=Certainly Root E1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 06:25:33:b1:47:03:33:27:5c:f9:8d:9a:b9:bf:cc:f8 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Apr 1 00:00:00 2021 GMT + Not After : Apr 1 00:00:00 2046 GMT + Subject: C=US, O=Certainly, CN=Certainly Root E1 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + F3:28:18:CB:64:75:EE:29:2A:EB:ED:AE:23:58:38:85:EB:C8:22:07 +SHA1 Fingerprint=F9:E1:6D:DC:01:89:CF:D5:82:45:63:3E:C5:37:7D:C2:EB:93:6F:2B +SHA256 Fingerprint=B4:58:5F:22:E4:AC:75:6A:4E:86:12:A1:36:1C:5D:9D:03:1A:93:FD:84:FE:BB:77:8F:A3:06:8B:0F:C4:2D:C2 +-----BEGIN CERTIFICATE----- +MIIB9zCCAX2gAwIBAgIQBiUzsUcDMydc+Y2aub/M+DAKBggqhkjOPQQDAzA9MQsw +CQYDVQQGEwJVUzESMBAGA1UEChMJQ2VydGFpbmx5MRowGAYDVQQDExFDZXJ0YWlu +bHkgUm9vdCBFMTAeFw0yMTA0MDEwMDAwMDBaFw00NjA0MDEwMDAwMDBaMD0xCzAJ +BgNVBAYTAlVTMRIwEAYDVQQKEwlDZXJ0YWlubHkxGjAYBgNVBAMTEUNlcnRhaW5s +eSBSb290IEUxMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAE3m/4fxzf7flHh4axpMCK ++IKXgOqPyEpeKn2IaKcBYhSRJHpcnqMXfYqGITQYUBsQ3tA3SybHGWCA6TS9YBk2 +QNYphwk8kXr2vBMj3VlOBF7PyAIcGFPBMdjaIOlEjeR2o0IwQDAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU8ygYy2R17ikq6+2uI1g4 +hevIIgcwCgYIKoZIzj0EAwMDaAAwZQIxALGOWiDDshliTd6wT99u0nCK8Z9+aozm +ut6Dacpps6kFtZaSF4fC0urQe87YQVt8rgIwRt7qy12a7DLCZRawTDBcMPPaTnOG +BtjOiQRINzf43TNRnXCve1XYAS59BWQOhriR +-----END CERTIFICATE----- +=== /C=US/O=Certainly/CN=Certainly Root R1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 8e:0f:f9:4b:90:71:68:65:33:54:f4:d4:44:39:b7:e0 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Apr 1 00:00:00 2021 GMT + Not After : Apr 1 00:00:00 2046 GMT + Subject: C=US, O=Certainly, CN=Certainly 
Root R1
+ X509v3 extensions:
+ X509v3 Key Usage: critical
+ Certificate Sign, CRL Sign
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ E0:AA:3F:25:8D:9F:44:5C:C1:3A:E8:2E:AE:77:4C:84:3E:67:0C:F4
+SHA1 Fingerprint=A0:50:EE:0F:28:71:F4:27:B2:12:6D:6F:50:96:25:BA:CC:86:42:AF
+SHA256 Fingerprint=77:B8:2C:D8:64:4C:43:05:F7:AC:C5:CB:15:6B:45:67:50:04:03:3D:51:C6:0C:62:02:A8:E0:C3:34:67:D3:A0
+-----BEGIN CERTIFICATE-----
+MIIFRzCCAy+gAwIBAgIRAI4P+UuQcWhlM1T01EQ5t+AwDQYJKoZIhvcNAQELBQAw
+PTELMAkGA1UEBhMCVVMxEjAQBgNVBAoTCUNlcnRhaW5seTEaMBgGA1UEAxMRQ2Vy
+dGFpbmx5IFJvb3QgUjEwHhcNMjEwNDAxMDAwMDAwWhcNNDYwNDAxMDAwMDAwWjA9
+MQswCQYDVQQGEwJVUzESMBAGA1UEChMJQ2VydGFpbmx5MRowGAYDVQQDExFDZXJ0
+YWlubHkgUm9vdCBSMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANA2
+1B/q3avk0bbm+yLA3RMNansiExyXPGhjZjKcA7WNpIGD2ngwEc/csiu+kr+O5MQT
+vqRoTNoCaBZ0vrLdBORrKt03H2As2/X3oXyVtwxwhi7xOu9S98zTm/mLvg7fMbed
+aFySpvXl8wo0tf97ouSHocavFwDvA5HtqRxOcT3Si2yJ9HiG5mpJoM610rCrm/b0
+1C7jcvk2xusVtyWMOvwlDbMicyF0yEqWYZL1LwsYpfSt4u5BvQF5+paMjRcCMLT5
+r3gajLQ2EBAHBXDQ9DGQilHFhiZ5shGIXsXwClTNSaa/ApzSRKft43jvRl5tcdF5
+cBxGX1HpyTfcX35pe0HfNEXgO4T0oYoKNp43zGJS4YkNKPl6I7ENPT2a/Z2B7yyQ
+wHtETrtJ4A5KVpK8y7XdeReJkd5hiXSSqOMyhb5OhaRLWcsrxXiOcVTQAjeZjOVJ
+6uBUcqQRBi8LjMFbvrWhsFNunLhgkR9Za/kt9JQKl7XsxXYDVBtlUrpMklZRNaBA
+2CnbrlJ2Oy0wQJuK0EJWtLeIAaSHO1OWzaMWj/Nmqhexx2DgwUMFDO6bW2BvBlyH
+Wyf5QBGenDPBt+U1VwV/J84XIIwc/PH72jEpSe31C4SnT8H2TsIonPru4K8H+zMR
+eiFPCyEQtkA6qyI6BJyLm4SGcprSp6XEtHWRqSsjAgMBAAGjQjBAMA4GA1UdDwEB
+/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTgqj8ljZ9EXME66C6u
+d0yEPmcM9DANBgkqhkiG9w0BAQsFAAOCAgEAuVevuBLaV4OPaAszHQNTVfSVcOQr
+PbA56/qJYv331hgELyE03fFo8NWWWt7CgKPBjcZq91l3rhVkz1t5BXdm6ozTaw3d
+8VkswTOlMIAVRQdFGjEitpIAq5lNOo93r6kiyi9jyhXWx8bwPWz8HA2YEGGeEaIi
+1wrykXprOQ4vMMM2SZ/g6Q8CRFA3lFV96p/2O7qUpUzpvD5RtOjKkjZUbVwlKNrd
+rRT90+7iIgXr0PK3aBLXWopBGsaSpVo7Y0VPv+E6dyIvXL9G+VoDhRNCX8reU9di
+taY1BMJH/5n9hN9czulegChB8n3nHpDYT3Y+gjwN/KUD+nsa2UUeYNrEjvn8K8l7
+lcUq/6qJ34IxD3L/DCfXCh5WAFAeDJDBlrXYFIW7pw0WwfgHJBu6haEaBQmAupVj +yTrsJZ9/nbqkRxWbRHDxakvWOF5D8xh+UG7pWijmZeZ3Gzr9Hb4DJqPb1OG7fpYn +Kx3upPvaJVQTA945xsMfTZDsjxtK0hzthZU4UHlG1sGQUDGpXJpuHfUzVounmdLy +yCwzk5Iwx06MZTMQZBf9JBeW0Y3COmor6xOLRPIh80oat3df1+2IpHLlOR+Vnb5n +wXARPbv0+Em34yaXOp/SX3z7wJl8OSngex2/DaeP0ik0biQVy96QXr8axGbqwua6 +OV+KmalBWQewLK8= +-----END CERTIFICATE----- + ### certSIGN === /C=RO/O=certSIGN/OU=certSIGN ROOT CA 
@@ -940,6 +1174,57 @@ AAoACxGV2lZFA4gKn2fQ1XmxqI1AbQ3CekD6819kR5LLU7m7Wc5P/dAVUwHY3+vZ ### Chunghwa Telecom Co., Ltd. +=== /C=TW/O=Chunghwa Telecom Co., Ltd./CN=HiPKI Root CA - G1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 2d:dd:ac:ce:62:97:94:a1:43:e8:b0:cd:76:6a:5e:60 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 22 09:46:04 2019 GMT + Not After : Dec 31 15:59:59 2037 GMT + Subject: C=TW, O=Chunghwa Telecom Co., Ltd., CN=HiPKI Root CA - G1 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + F2:77:17:FA:5E:A8:FE:F6:3D:71:D5:68:BA:C9:46:0C:38:D8:AF:B0 + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=6A:92:E4:A8:EE:1B:EC:96:45:37:E3:29:57:49:CD:96:E3:E5:D2:60 +SHA256 Fingerprint=F0:15:CE:3C:C2:39:BF:EF:06:4B:E9:F1:D2:C4:17:E1:A0:26:4A:0A:94:BE:1F:0C:8D:12:18:64:EB:69:49:CC +-----BEGIN CERTIFICATE----- +MIIFajCCA1KgAwIBAgIQLd2szmKXlKFD6LDNdmpeYDANBgkqhkiG9w0BAQsFADBP +MQswCQYDVQQGEwJUVzEjMCEGA1UECgwaQ2h1bmdod2EgVGVsZWNvbSBDby4sIEx0 +ZC4xGzAZBgNVBAMMEkhpUEtJIFJvb3QgQ0EgLSBHMTAeFw0xOTAyMjIwOTQ2MDRa +Fw0zNzEyMzExNTU5NTlaME8xCzAJBgNVBAYTAlRXMSMwIQYDVQQKDBpDaHVuZ2h3 +YSBUZWxlY29tIENvLiwgTHRkLjEbMBkGA1UEAwwSSGlQS0kgUm9vdCBDQSAtIEcx +MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA9B5/UnMyDHPkvRN0o9Qw +qNCuS9i233VHZvR85zkEHmpwINJaR3JnVfSl6J3VHiGh8Ge6zCFovkRTv4354twv +Vcg3Px+kwJyz5HdcoEb+d/oaoDjq7Zpy3iu9lFc6uux55199QmQ5eiY29yTw1S+6 +lZgRZq2XNdZ1AYDgr/SEYYwNHl98h5ZeQa/rh+r4XfEuiAU+TCK72h8q3VJGZDnz +Qs7ZngyzsHeXZJzA9KMuH5UHsBffMNsAGJZMoYFL3QRtU6M9/Aes1MU3guvklQgZ +KILSQjqj2FPseYlgSGDIcpJQ3AOPgz+yQlda22rpEZfdhSi8MEyr48KxRURHH+CK +FgeW0iEPU8DtqX7UTuybCeyvQqww1r/REEXgphaypcXTT3OUM3ECoWqj1jOXTyFj +HluP2cFeRXF3D4FdXyGarYPM+l7WjSNfGz1BryB1ZlpK9p/7qxj3ccC2HTHsOyDr +y+K49a6SsvfhhEvyovKTmiKe0xRvNlS9H15ZFblzqMF8b3ti6RZsR1pl8w4Rm0bZ +/W3c1pzAtH2lsN0/Vm+h+fbkEkj9Bn8SV7apI09bA8PgcSojt/ewsTu8mL3WmKgM 
+a/aOEmem8rJY5AIJEzypuxC00jBF8ez3ABHfZfjcK0NVvxaXxA/VLGGEqnKG/uY6 +fsI/fe78LxQ+5oXdUG+3Se0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNV +HQ4EFgQU8ncX+l6o/vY9cdVouslGDDjYr7AwDgYDVR0PAQH/BAQDAgGGMA0GCSqG +SIb3DQEBCwUAA4ICAQBQUfB13HAE4/+qddRxosuej6ip0691x1TPOhwEmSKsxBHi +7zNKpiMdDg1H2DfHb680f0+BazVP6XKlMeJ45/dOlBhbQH3PayFUhuaVevvGyuqc +SE5XCV0vrPSltJczWNWseanMX/mF+lLFjfiRFOs6DRfQUsJ748JzjkZ4Bjgs6Fza +ZsT0pPBWGTMpWmWSBUdGSquEwx4noR8RkpkndZMPvDY7l1ePJlsMu5wP1G4wB9Tc +XzZoZjmDlicmisjEOf6aIW/Vcobpf2Lll07QJNBAsNB1CI69aO4I1258EHBGG3zg +iLKecoaZAeO/n0kZtCW+VmWuF2PlHt/o/0elv+EmBYTksMCv5wiZqAxeJoBF1Pho +L5aPruJKHJwWDBNvOIf2u8g0X5IDUXlwpt/L9ZlNec1OvFefQ05rLisY+GpzjLrF +Ne85akEez3GoorKGB1s6yeHvP2UEgEcyRHCVTjFnanRbEEV16rCf0OY1/k6fi8wr +kkVbbiVghUbN0aqwdmaTd5a+g744tiROJgvM7XpWGuDpWsZkrUx6AEhEL7lAuxM+ +vhV4nYWBSipX3tUZQ9rbyltHhoMLP7YNdnhzeSJesYAfz77RP1YQmCuVh6EfnWQU +YDksswBVLuT1sw5XxJFBAJw/6KXf6vb/yPCtbVKoF6ubYfwSUTXkJf2vqmqGOQ== +-----END CERTIFICATE----- === /C=TW/O=Chunghwa Telecom Co., Ltd./OU=ePKI Root Certification Authority Certificate: Data: 
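Review bot: The HiPKI Root CA - G1 entry carries SHA-1 and SHA-256 fingerprints, but nothing in the hunk records which upstream trust-store snapshot the root was taken from, so a reviewer cannot re-derive the fingerprints without fetching the certificate independently. If the commit description does not already say so, a line such as `regenerated from <UPSTREAM_TRUST_STORE> snapshot <SNAPSHOT_ID>; fingerprints recomputed with openssl x509 -fingerprint -sha256` would make this and the other added roots in the commit (Certainly Root R1, D-Trust, DigiCert G5, GLOBALTRUST 2020, E-Tugra v3) auditable. For this entry the printed serial `2d:dd:ac:ce:...:6a:5e:60` and the validity window do decode consistently from the PEM body, so the text header and the DER agree.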
@@ -1193,61 +1478,100 @@ QOhTsiedSrnAdyGN/4fy3ryM7xfft0kL0fJuMAsaDk527RH89elWsn2/x20Kk4yl NVOFBkpdn627G190 -----END CERTIFICATE----- -### Cybertrust, Inc +### D-Trust GmbH -=== /O=Cybertrust, Inc/CN=Cybertrust Global Root +=== /C=DE/O=D-Trust GmbH/CN=D-TRUST BR Root CA 1 2020 Certificate: Data: Version: 3 (0x2) Serial Number: - 04:00:00:00:00:01:0f:85:aa:2d:48 - Signature Algorithm: sha1WithRSAEncryption + 7c:c9:8f:2b:84:d7:df:ea:0f:c9:65:9a:d3:4b:4d:96 + Signature Algorithm: ecdsa-with-SHA384 Validity - Not Before: Dec 15 08:00:00 2006 GMT - Not After : Dec 15 08:00:00 2021 GMT - Subject: O=Cybertrust, Inc, CN=Cybertrust Global Root + Not Before: Feb 11 09:45:00 2020 GMT + Not After : Feb 11 09:44:59 2035 GMT + Subject: C=DE, O=D-Trust GmbH, CN=D-TRUST BR Root CA 1 2020 X509v3 extensions: - X509v3 Key Usage: critical - Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: - B6:08:7B:0D:7A:CC:AC:20:4C:86:56:32:5E:CF:AB:6E:85:2D:70:57 + 73:91:10:AB:FF:55:B3:5A:7C:09:25:D5:B2:BA:08:A0:6B:AB:1F:6D + X509v3 Key Usage: critical + Certificate Sign, CRL Sign X509v3 CRL Distribution Points: Full Name: - URI:http://www2.public-trust.com/crl/ct/ctroot.crl + URI:http://crl.d-trust.net/crl/d-trust_br_root_ca_1_2020.crl - X509v3 Authority Key Identifier: - keyid:B6:08:7B:0D:7A:CC:AC:20:4C:86:56:32:5E:CF:AB:6E:85:2D:70:57 + Full Name: + URI:ldap://directory.d-trust.net/CN=D-TRUST%20BR%20Root%20CA%201%202020,O=D-Trust%20GmbH,C=DE?certificaterevocationlist -SHA1 Fingerprint=5F:43:E5:B1:BF:F8:78:8C:AC:1C:C7:CA:4A:9A:C6:22:2B:CC:34:C6 -SHA256 Fingerprint=96:0A:DF:00:63:E9:63:56:75:0C:29:65:DD:0A:08:67:DA:0B:9C:BD:6E:77:71:4A:EA:FB:23:49:AB:39:3D:A3 +SHA1 Fingerprint=1F:5B:98:F0:E3:B5:F7:74:3C:ED:E6:B0:36:7D:32:CD:F4:09:41:67 +SHA256 Fingerprint=E5:9A:AA:81:60:09:C2:2B:FF:5B:25:BA:D3:7D:F3:06:F0:49:79:7C:1F:81:D8:5A:B0:89:E6:57:BD:8F:00:44 -----BEGIN CERTIFICATE----- -MIIDoTCCAomgAwIBAgILBAAAAAABD4WqLUgwDQYJKoZIhvcNAQEFBQAwOzEYMBYG 
-A1UEChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2Jh -bCBSb290MB4XDTA2MTIxNTA4MDAwMFoXDTIxMTIxNTA4MDAwMFowOzEYMBYGA1UE -ChMPQ3liZXJ0cnVzdCwgSW5jMR8wHQYDVQQDExZDeWJlcnRydXN0IEdsb2JhbCBS -b290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+Mi8vRRQZhP/8NN5 -7CPytxrHjoXxEnOmGaoQ25yiZXRadz5RfVb23CO21O1fWLE3TdVJDm71aofW0ozS -J8bi/zafmGWgE07GKmSb1ZASzxQG9Dvj1Ci+6A74q05IlG2OlTEQXO2iLb3VOm2y -HLtgwEZLAfVJrn5GitB0jaEMAs7u/OePuGtm839EAL9mJRQr3RAwHQeWP032a7iP -t3sMpTjr3kfb1V05/Iin89cqdPHoWqI7n1C6poxFNcJQZZXcY4Lv3b93TZxiyWNz -FtApD0mpSPCzqrdsxacwOUBdrsTiXSZT8M4cIwhhqJQZugRiQOwfOHB3EgZxpzAY -XSUnpQIDAQABo4GlMIGiMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/ -MB0GA1UdDgQWBBS2CHsNesysIEyGVjJez6tuhS1wVzA/BgNVHR8EODA2MDSgMqAw -hi5odHRwOi8vd3d3Mi5wdWJsaWMtdHJ1c3QuY29tL2NybC9jdC9jdHJvb3QuY3Js -MB8GA1UdIwQYMBaAFLYIew16zKwgTIZWMl7Pq26FLXBXMA0GCSqGSIb3DQEBBQUA -A4IBAQBW7wojoFROlZfJ+InaRcHUowAl9B8Tq7ejhVhpwjCt2BWKLePJzYFa+HMj -Wqd8BfP9IjsO0QbE2zZMcwSO5bAi5MXzLqXZI+O4Tkogp24CJJ8iYGd7ix1yCcUx -XOl5n4BHPa2hCwcUPUf/A2kaDAtE52Mlp3+yybh2hO0j9n0Hq0V+09+zv+mKts2o -omcrUtW3ZfA5TGOgkXmTUg9U3YO7n9GPp1Nzw8v/MOx8BLjYRB+TX3EJIrduPuoc -A06dGiBh+4E37F78CkWr1+cXVdCg6mCbpvbjjFspwgZgFJ0tl0ypkxWdYcQBX0jW -WL1WMRJOEcgh4LMRkWXbtKaIOM5V +MIIC2zCCAmCgAwIBAgIQfMmPK4TX3+oPyWWa00tNljAKBggqhkjOPQQDAzBIMQsw +CQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRS +VVNUIEJSIFJvb3QgQ0EgMSAyMDIwMB4XDTIwMDIxMTA5NDUwMFoXDTM1MDIxMTA5 +NDQ1OVowSDELMAkGA1UEBhMCREUxFTATBgNVBAoTDEQtVHJ1c3QgR21iSDEiMCAG +A1UEAxMZRC1UUlVTVCBCUiBSb290IENBIDEgMjAyMDB2MBAGByqGSM49AgEGBSuB +BAAiA2IABMbLxyjR+4T1mu9CFCDhQ2tuda38KwOE1HaTJddZO0Flax7mNCq7dPYS +zuht56vkPE4/RAiLzRZxy7+SmfSk1zxQVFKQhYN4lGdnoxwJGT11NIXe7WB9xwy0 +QVK5buXuQqOCAQ0wggEJMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFHOREKv/ +VbNafAkl1bK6CKBrqx9tMA4GA1UdDwEB/wQEAwIBBjCBxgYDVR0fBIG+MIG7MD6g +PKA6hjhodHRwOi8vY3JsLmQtdHJ1c3QubmV0L2NybC9kLXRydXN0X2JyX3Jvb3Rf +Y2FfMV8yMDIwLmNybDB5oHegdYZzbGRhcDovL2RpcmVjdG9yeS5kLXRydXN0Lm5l 
+dC9DTj1ELVRSVVNUJTIwQlIlMjBSb290JTIwQ0ElMjAxJTIwMjAyMCxPPUQtVHJ1 +c3QlMjBHbWJILEM9REU/Y2VydGlmaWNhdGVyZXZvY2F0aW9ubGlzdDAKBggqhkjO +PQQDAwNpADBmAjEAlJAtE/rhY/hhY+ithXhUkZy4kzg+GkHaQBZTQgjKL47xPoFW +wKrY7RjEsK70PvomAjEA8yjixtsrmfu3Ubgko6SUeho/5jbiA1czijDLgsfWFBHV +dWNbFJWcHwHP2NVypw87 -----END CERTIFICATE----- +=== /C=DE/O=D-Trust GmbH/CN=D-TRUST EV Root CA 1 2020 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 5f:02:41:d7:7a:87:7c:4c:03:a3:ac:96:8d:fb:ff:d0 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Feb 11 10:00:00 2020 GMT + Not After : Feb 11 09:59:59 2035 GMT + Subject: C=DE, O=D-Trust GmbH, CN=D-TRUST EV Root CA 1 2020 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 7F:10:01:16:37:3A:A4:28:E4:50:F8:A4:F7:EC:6B:32:B6:FE:E9:8B + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 CRL Distribution Points: -### D-Trust GmbH + Full Name: + URI:http://crl.d-trust.net/crl/d-trust_ev_root_ca_1_2020.crl + Full Name: + URI:ldap://directory.d-trust.net/CN=D-TRUST%20EV%20Root%20CA%201%202020,O=D-Trust%20GmbH,C=DE?certificaterevocationlist + +SHA1 Fingerprint=61:DB:8C:21:59:69:03:90:D8:7C:9C:12:86:54:CF:9D:3D:F4:DD:07 +SHA256 Fingerprint=08:17:0D:1A:A3:64:53:90:1A:2F:95:92:45:E3:47:DB:0C:8D:37:AB:AA:BC:56:B8:1A:A1:00:DC:95:89:70:DB +-----BEGIN CERTIFICATE----- +MIIC2zCCAmCgAwIBAgIQXwJB13qHfEwDo6yWjfv/0DAKBggqhkjOPQQDAzBIMQsw +CQYDVQQGEwJERTEVMBMGA1UEChMMRC1UcnVzdCBHbWJIMSIwIAYDVQQDExlELVRS +VVNUIEVWIFJvb3QgQ0EgMSAyMDIwMB4XDTIwMDIxMTEwMDAwMFoXDTM1MDIxMTA5 +NTk1OVowSDELMAkGA1UEBhMCREUxFTATBgNVBAoTDEQtVHJ1c3QgR21iSDEiMCAG +A1UEAxMZRC1UUlVTVCBFViBSb290IENBIDEgMjAyMDB2MBAGByqGSM49AgEGBSuB +BAAiA2IABPEL3YZDIBnfl4XoIkqbz52Yv7QFJsnL46bSj8WeeHsxiamJrSc8ZRCC +/N/DnU7wMyPE0jL1HLDfMxddxfCxivnvubcUyilKwg+pf3VlSSowZ/Rk99Yad9rD +wpdhQntJraOCAQ0wggEJMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFH8QARY3 +OqQo5FD4pPfsazK2/umLMA4GA1UdDwEB/wQEAwIBBjCBxgYDVR0fBIG+MIG7MD6g 
+PKA6hjhodHRwOi8vY3JsLmQtdHJ1c3QubmV0L2NybC9kLXRydXN0X2V2X3Jvb3Rf +Y2FfMV8yMDIwLmNybDB5oHegdYZzbGRhcDovL2RpcmVjdG9yeS5kLXRydXN0Lm5l +dC9DTj1ELVRSVVNUJTIwRVYlMjBSb290JTIwQ0ElMjAxJTIwMjAyMCxPPUQtVHJ1 +c3QlMjBHbWJILEM9REU/Y2VydGlmaWNhdGVyZXZvY2F0aW9ubGlzdDAKBggqhkjO +PQQDAwNpADBmAjEAyjzGKnXCXnViOTYAYFqLwZOZzNnbQTs7h5kXO9XMT8oi96CA +y/m0sRtW9XLS/BnRAjEAkfcwkz8QRitxpNA7RJvAKQIFskF3UfN5Wp6OFKBOQtJb +gfM0agPnIjhQW+0ZT0MW +-----END CERTIFICATE----- === /C=DE/O=D-Trust GmbH/CN=D-TRUST Root Class 3 CA 2 2009 Certificate: Data: 
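Review bot: The Cybertrust Global Root removed in this hunk prints `Not After : Dec 15 08:00:00 2021 GMT`, and the other roots dropped by the commit (E-Tugra Certification Authority at @@ -1875, `Not After : Mar 3 12:09:48 2023 GMT`; GlobalSign Root CA - R2 at @@ -2499, `Not After : Dec 15 08:00:00 2021 GMT`) carry similar dates, which makes the removals look expiry-driven; the diff itself cannot establish that, so the commit description should state whether each root was removed for expiry or for distrust, since a distrust removal is the kind of change downstream users need to be told about. Dropping a root also breaks verification for clients that still receive chains ending in it, so naming the removed roots explicitly in the description is worth the extra lines. The two D-Trust additions print serials and validity windows that decode consistently from their PEM bodies.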
@@ -1821,6 +2145,94 @@ r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1 gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+ -----END CERTIFICATE----- +### DigiCert, Inc. + +=== /C=US/O=DigiCert, Inc./CN=DigiCert TLS ECC P384 Root G5 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 09:e0:93:65:ac:f7:d9:c8:b9:3e:1c:0b:04:2a:2e:f3 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Jan 15 00:00:00 2021 GMT + Not After : Jan 14 23:59:59 2046 GMT + Subject: C=US, O=DigiCert, Inc., CN=DigiCert TLS ECC P384 Root G5 + X509v3 extensions: + X509v3 Subject Key Identifier: + C1:51:45:50:59:AB:3E:E7:2C:5A:FA:20:22:12:07:80:88:7C:11:6A + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=17:F3:DE:5E:9F:0F:19:E9:8E:F6:1F:32:26:6E:20:C4:07:AE:30:EE +SHA256 Fingerprint=01:8E:13:F0:77:25:32:CF:80:9B:D1:B1:72:81:86:72:83:FC:48:C6:E1:3B:E9:C6:98:12:85:4A:49:0C:1B:05 +-----BEGIN CERTIFICATE----- +MIICGTCCAZ+gAwIBAgIQCeCTZaz32ci5PhwLBCou8zAKBggqhkjOPQQDAzBOMQsw +CQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xJjAkBgNVBAMTHURp +Z2lDZXJ0IFRMUyBFQ0MgUDM4NCBSb290IEc1MB4XDTIxMDExNTAwMDAwMFoXDTQ2 +MDExNDIzNTk1OVowTjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJ +bmMuMSYwJAYDVQQDEx1EaWdpQ2VydCBUTFMgRUNDIFAzODQgUm9vdCBHNTB2MBAG +ByqGSM49AgEGBSuBBAAiA2IABMFEoc8Rl1Ca3iOCNQfN0MsYndLxf3c1TzvdlHJS +7cI7+Oz6e2tYIOyZrsn8aLN1udsJ7MgT9U7GCh1mMEy7H0cKPGEQQil8pQgO4CLp +0zVozptjn4S1mU1YoI71VOeVyaNCMEAwHQYDVR0OBBYEFMFRRVBZqz7nLFr6ICIS +B4CIfBFqMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49 +BAMDA2gAMGUCMQCJao1H5+z8blUD2WdsJk6Dxv3J+ysTvLd6jLRl0mlpYxNjOyZQ +LgGheQaRnUi/wr4CMEfDFXuxoJGZSZOoPHzoRgaLLPIxAJSdYsiJvRmEFOml+wG4 +DXZDjC5Ty3zfDBeWUA== +-----END CERTIFICATE----- +=== /C=US/O=DigiCert, Inc./CN=DigiCert TLS RSA4096 Root G5 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 08:f9:b4:78:a8:fa:7e:da:6a:33:37:89:de:7c:cf:8a + Signature Algorithm: 
sha384WithRSAEncryption + Validity + Not Before: Jan 15 00:00:00 2021 GMT + Not After : Jan 14 23:59:59 2046 GMT + Subject: C=US, O=DigiCert, Inc., CN=DigiCert TLS RSA4096 Root G5 + X509v3 extensions: + X509v3 Subject Key Identifier: + 51:33:1C:ED:36:40:AF:17:D3:25:CD:69:68:F2:AF:4E:23:3E:B3:41 + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=A7:88:49:DC:5D:7C:75:8C:8C:DE:39:98:56:B3:AA:D0:B2:A5:71:35 +SHA256 Fingerprint=37:1A:00:DC:05:33:B3:72:1A:7E:EB:40:E8:41:9E:70:79:9D:2B:0A:0F:2C:1D:80:69:31:65:F7:CE:C4:AD:75 +-----BEGIN CERTIFICATE----- +MIIFZjCCA06gAwIBAgIQCPm0eKj6ftpqMzeJ3nzPijANBgkqhkiG9w0BAQwFADBN +MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xJTAjBgNVBAMT +HERpZ2lDZXJ0IFRMUyBSU0E0MDk2IFJvb3QgRzUwHhcNMjEwMTE1MDAwMDAwWhcN +NDYwMTE0MjM1OTU5WjBNMQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQs +IEluYy4xJTAjBgNVBAMTHERpZ2lDZXJ0IFRMUyBSU0E0MDk2IFJvb3QgRzUwggIi +MA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCz0PTJeRGd/fxmgefM1eS87IE+ +ajWOLrfn3q/5B03PMJ3qCQuZvWxX2hhKuHisOjmopkisLnLlvevxGs3npAOpPxG0 +2C+JFvuUAT27L/gTBaF4HI4o4EXgg/RZG5Wzrn4DReW+wkL+7vI8toUTmDKdFqgp +wgscONyfMXdcvyej/Cestyu9dJsXLfKB2l2w4SMXPohKEiPQ6s+d3gMXsUJKoBZM +pG2T6T867jp8nVid9E6P/DsjyG244gXazOvswzH016cpVIDPRFtMbzCe88zdH5RD +nU1/cHAN1DrRN/BsnZvAFJNY781BOHW8EwOVfH/jXOnVDdXifBBiqmvwPXbzP6Po +sMH976pXTayGpxi0KcEsDr9kvimM2AItzVwv8n/vFfQMFawKsPHTDU9qTXeXAaDx +Zre3zu/O7Oyldcqs4+Fj97ihBMi8ez9dLRYiVu1ISf6nL3kwJZu6ay0/nTvEF+cd +Lvvyz6b84xQslpghjLSR6Rlgg/IwKwZzUNWYOwbpx4oMYIwo+FKbbuH2TbsGJJvX +KyY//SovcfXWJL5/MZ4PbeiPT02jP/816t9JXkGPhvnxd3lLG7SjXi/7RgLQZhNe +XoVPzthwiHvOAbWWl9fNff2C+MIkwcoBOU+NosEUQB+cZtUMCUbW8tDRSHZWOkPL +tgoRObqME2wGtZ7P6wIDAQABo0IwQDAdBgNVHQ4EFgQUUTMc7TZArxfTJc1paPKv +TiM+s0EwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcN +AQEMBQADggIBAGCmr1tfV9qJ20tQqcQjNSH/0GEwhJG3PxDPJY7Jv0Y02cEhJhxw +GXIeo8mH/qlDZJY6yFMECrZBu8RHANmfGBg7sg7zNOok992vIGCukihfNudd5N7H 
+PNtQOa27PShNlnx2xlv0wdsUpasZYgcYQF+Xkdycx6u1UQ3maVNVzDl92sURVXLF +O4uJ+DQtpBflF+aZfTCIITfNMBc9uPK8qHWgQ9w+iUuQrm0D4ByjoJYJu32jtyoQ +REtGBzRj7TG5BO6jm5qu5jF49OokYTurWGT/u4cnYiWB39yhL/btp/96j1EuMPik +AdKFOV8BmZZvWltwGUb+hmA+rYAQCd05JS9Yf7vSdPD3Rh9GOUrYU9DzLjtxpdRv +/PNn5AeP3SYZ4Y1b+qOTEZvpyDrDVWiakuFSdjjo4bq9+0/V77PnSIMx8IIh47a+ +p6tv75/fTM8BuGJqIz3nCU2AG3swpMPdB380vqQmsvZB6Akd4yCYqjdP//fx4ilw +MUc/dNAUFvohigLVigmUdy7yWSiLfFCSCmZ4OIN1xLVaqBHG5cGdZlXPU8Sv13WF +qUITVuwhd4GTWgzqltlJyqEI8pc7bZsEGCREjnwB8twl2F6GmrE52/WRMmrRpnCK +ovfepEWFJqgejF0pW8hL2JpqA15w8oVPbEtoL8pU9ozaMv7Da4M/OMZ+ +-----END CERTIFICATE----- + ### Disig a.s. === /C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2 
@@ -1875,65 +2287,162 @@ zMOl6W8KjptlwlCFtaOgUxLMVYdh84GuEEZhvUQhuMI9dM9+JDX6HAcOmz0iyu8x L4ysEr3vQCj8KWefshNPZiTEUxnpHikV7+ZtsH8tZ/3zbBt1RqPlShfppNcL -----END CERTIFICATE----- -### E-Tu\U011Fra EBG Bili\U015Fim Teknolojileri ve Hizmetleri A.\U015E. +### e-commerce monitoring GmbH -=== /C=TR/L=Ankara/O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E./OU=E-Tugra Sertifikasyon Merkezi/CN=E-Tugra Certification Authority +=== /C=AT/O=e-commerce monitoring GmbH/CN=GLOBALTRUST 2020 Certificate: Data: Version: 3 (0x2) - Serial Number: 7667447206703254355 (0x6a683e9c519bcb53) + Serial Number: + 5a:4b:bd:5a:fb:4f:8a:5b:fa:65:e5 Signature Algorithm: sha256WithRSAEncryption Validity - Not Before: Mar 5 12:09:48 2013 GMT - Not After : Mar 3 12:09:48 2023 GMT - Subject: C=TR, L=Ankara, O=E-Tu\xC4\x9Fra EBG Bili\xC5\x9Fim Teknolojileri ve Hizmetleri A.\xC5\x9E., OU=E-Tugra Sertifikasyon Merkezi, CN=E-Tugra Certification Authority + Not Before: Feb 10 00:00:00 2020 GMT + Not After : Jun 10 00:00:00 2040 GMT + Subject: C=AT, O=e-commerce monitoring GmbH, CN=GLOBALTRUST 2020 X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign X509v3 Subject Key Identifier: - 2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54 + DC:2E:1F:D1:61:37:79:E4:AB:D5:D5:B3:12:71:68:3D:6A:68:9C:22 + X509v3 Authority Key Identifier: + keyid:DC:2E:1F:D1:61:37:79:E4:AB:D5:D5:B3:12:71:68:3D:6A:68:9C:22 + +SHA1 Fingerprint=D0:67:C1:13:51:01:0C:AA:D0:C7:6A:65:37:31:16:26:4F:53:71:A2 +SHA256 Fingerprint=9A:29:6A:51:82:D1:D4:51:A2:E3:7F:43:9B:74:DA:AF:A2:67:52:33:29:F9:0F:9A:0D:20:07:C3:34:E2:3C:9A +-----BEGIN CERTIFICATE----- +MIIFgjCCA2qgAwIBAgILWku9WvtPilv6ZeUwDQYJKoZIhvcNAQELBQAwTTELMAkG +A1UEBhMCQVQxIzAhBgNVBAoTGmUtY29tbWVyY2UgbW9uaXRvcmluZyBHbWJIMRkw +FwYDVQQDExBHTE9CQUxUUlVTVCAyMDIwMB4XDTIwMDIxMDAwMDAwMFoXDTQwMDYx +MDAwMDAwMFowTTELMAkGA1UEBhMCQVQxIzAhBgNVBAoTGmUtY29tbWVyY2UgbW9u 
+aXRvcmluZyBHbWJIMRkwFwYDVQQDExBHTE9CQUxUUlVTVCAyMDIwMIICIjANBgkq +hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAri5WrRsc7/aVj6B3GyvTY4+ETUWiD59b +RatZe1E0+eyLinjF3WuvvcTfk0Uev5E4C64OFudBc/jbu9G4UeDLgztzOG53ig9Z +YybNpyrOVPu44sB8R85gfD+yc/LAGbaKkoc1DZAoouQVBGM+uq/ufF7MpotQsjj3 +QWPKzv9pj2gOlTblzLmMCcpL3TGQlsjMH/1WljTbjhzqLL6FLmPdqqmV0/0plRPw +yJiT2S0WR5ARg6I6IqIoV6Lr/sCMKKCmfecqQjuCgGOlYx8ZzHyyZqjC0203b+J+ +BlHZRYQfEs4kUmSFC0iAToexIiIwquuuvuAC4EDosEKAA1GqtH6qRNdDYfOiaxaJ +SaSjpCuKAsR49GiKweR6NrFvG5Ybd0mN1MkGco/PU+PcF4UgStyYJ9ORJitHHmkH +r96i5OTUawuzXnzUJIBHKWk7buis/UDr2O1xcSvy6Fgd60GXIsUf1DnQJ4+H4xj0 +4KlGDfV0OoIu0G4skaMxXDtG6nsEEFZegB31pWXogvziB4xiRfUg3kZwhqG8k9Me +dKZssCz3AwyIDMvUclOGvGBG85hqwvG/Q/lwIHfKN0F5VVJjjVsSn8VoxIidrPIw +q7ejMZdnrY8XD2zHc+0klGvIg5rQmjdJBKuxFshsSUktq6HQjJLyQUp5ISXbY9e2 +nKd+Qmn7OmMCAwEAAaNjMGEwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC +AQYwHQYDVR0OBBYEFNwuH9FhN3nkq9XVsxJxaD1qaJwiMB8GA1UdIwQYMBaAFNwu +H9FhN3nkq9XVsxJxaD1qaJwiMA0GCSqGSIb3DQEBCwUAA4ICAQCR8EICaEDuw2jA +VC/f7GLDw56KoDEoqoOOpFaWEhCGVrqXctJUMHytGdUdaG/7FELYjQ7ztdGl4wJC +XtzoRlgHNQIw4Lx0SsFDKv/bGtCwr2zD/cuz9X9tAy5ZVp0tLTWMstZDFyySCstd +6IwPS3BD0IL/qMy/pJTAvoe9iuOTe8aPmxadJ2W8esVCgmxcB9CpwYhgROmYhRZf ++I/KARDOJcP5YBugxZfD0yyIMaK9MOzQ0MAS8cE54+X1+NZK3TTN+2/BT+MAi1bi +kvcoskJ3ciNnxz8RFbLEAwW+uxF7Cr+obuf/WEPPm2eggAe2HcqtbepBEX4tdJP7 +wry+UUTF72glJ4DjyKDUEuzZpTcdN3y0kcra1LGWge9oXHYQSa9+pTeAsRxSvTOB +TI/53WXZFM2KJVj04sWDpQmQ1GwUY7VA3+vA/MRYfg0UFodUJ25W5HCEuGwyEn6C +MUO+1918oa2u1qsgEu8KwxCMSZY13At1XrFP1U80DhEgB3VDRemjEdqso5nCtnkn +4rnvyOL2NSl6dPrFf4IFYqYK6miyeUcGbvJXqBUzxvd4Sj1Ce2t+/vdG6tHrju+I +aFvowdlxfv1k7/9nR4hYJS8+hge9+6jlgqispdNpQ80xiEmEU5LAsTkbOYMBMMTy +qfrQA71yN2BWHzZ8vTmR9W0Nv3vXkg== +-----END CERTIFICATE----- + +### E-Tugra EBG A.S. 
+ +=== /C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA ECC v3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 26:46:19:77:31:e1:4f:6f:28:36:de:39:51:86:e6:d4:97:88:22:c1 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Mar 18 09:46:58 2020 GMT + Not After : Mar 12 09:46:58 2045 GMT + Subject: C=TR, L=Ankara, O=E-Tugra EBG A.S., OU=E-Tugra Trust Center, CN=E-Tugra Global Root CA ECC v3 + X509v3 extensions: X509v3 Basic Constraints: critical CA:TRUE X509v3 Authority Key Identifier: - keyid:2E:E3:DB:B2:49:D0:9C:54:79:5C:FA:27:2A:FE:CC:4E:D2:E8:4E:54 + keyid:FF:82:31:72:3E:F9:C4:66:6C:AD:38:9E:D1:B0:51:88:A5:90:CC:F5 + X509v3 Subject Key Identifier: + FF:82:31:72:3E:F9:C4:66:6C:AD:38:9E:D1:B0:51:88:A5:90:CC:F5 X509v3 Key Usage: critical Certificate Sign, CRL Sign -SHA1 Fingerprint=51:C6:E7:08:49:06:6E:F3:92:D4:5C:A0:0D:6D:A3:62:8F:C3:52:39 -SHA256 Fingerprint=B0:BF:D5:2B:B0:D7:D9:BD:92:BF:5D:4D:C1:3D:A2:55:C0:2C:54:2F:37:83:65:EA:89:39:11:F5:5E:55:F2:3C +SHA1 Fingerprint=8A:2F:AF:57:53:B1:B0:E6:A1:04:EC:5B:6A:69:71:6D:F6:1C:E2:84 +SHA256 Fingerprint=87:3F:46:85:FA:7F:56:36:25:25:2E:6D:36:BC:D7:F1:6F:C2:49:51:F2:64:E4:7E:1B:95:4F:49:08:CD:CA:13 -----BEGIN CERTIFICATE----- -MIIGSzCCBDOgAwIBAgIIamg+nFGby1MwDQYJKoZIhvcNAQELBQAwgbIxCzAJBgNV -BAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+BgNVBAoMN0UtVHXEn3JhIEVCRyBC -aWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhpem1ldGxlcmkgQS7Fni4xJjAkBgNV -BAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBNZXJrZXppMSgwJgYDVQQDDB9FLVR1 -Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTEzMDMwNTEyMDk0OFoXDTIz -MDMwMzEyMDk0OFowgbIxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHDAZBbmthcmExQDA+ -BgNVBAoMN0UtVHXEn3JhIEVCRyBCaWxpxZ9pbSBUZWtub2xvamlsZXJpIHZlIEhp -em1ldGxlcmkgQS7Fni4xJjAkBgNVBAsMHUUtVHVncmEgU2VydGlmaWthc3lvbiBN -ZXJrZXppMSgwJgYDVQQDDB9FLVR1Z3JhIENlcnRpZmljYXRpb24gQXV0aG9yaXR5 -MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4vU/kwVRHoViVF56C/UY -B4Oufq9899SKa6VjQzm5S/fDxmSJPZQuVIBSOTkHS0vdhQd2h8y/L5VMzH2nPbxH 
-D5hw+IyFHnSOkm0bQNGZDbt1bsipa5rAhDGvykPL6ys06I+XawGb1Q5KCKpbknSF -Q9OArqGIW66z6l7LFpp3RMih9lRozt6Plyu6W0ACDGQXwLWTzeHxE2bODHnv0ZEo -q1+gElIwcxmOj+GMB6LDu0rw6h8VqO4lzKRG+Bsi77MOQ7osJLjFLFzUHPhdZL3D -k14opz8n8Y4e0ypQBaNV2cvnOVPAmJ6MVGKLJrD3fY185MaeZkJVgkfnsliNZvcH -fC425lAcP9tDJMW/hkd5s3kc91r0E+xs+D/iWR+V7kI+ua2oMoVJl0b+SzGPWsut -dEcf6ZG33ygEIqDUD13ieU/qbIWGvaimzuT6w+Gzrt48Ue7LE3wBf4QOXVGUnhMM -ti6lTPk5cDZvlsouDERVxcr6XQKj39ZkjFqzAQqptQpHF//vkUAqjqFGOjGY5RH8 -zLtJVor8udBhmm9lbObDyz51Sf6Pp+KJxWfXnUYTTjF2OySznhFlhqt/7x3U+Lzn -rFpct1pHXFXOVbQicVtbC/DP3KBhZOqp12gKY6fgDT+gr9Oq0n7vUaDmUStVkhUX -U8u3Zg5mTPj5dUyQ5xJwx0UCAwEAAaNjMGEwHQYDVR0OBBYEFC7j27JJ0JxUeVz6 -Jyr+zE7S6E5UMA8GA1UdEwEB/wQFMAMBAf8wHwYDVR0jBBgwFoAULuPbsknQnFR5 -XPonKv7MTtLoTlQwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3DQEBCwUAA4ICAQAF -Nzr0TbdF4kV1JI+2d1LoHNgQk2Xz8lkGpD4eKexd0dCrfOAKkEh47U6YA5n+KGCR -HTAduGN8qOY1tfrTYXbm1gdLymmasoR6d5NFFxWfJNCYExL/u6Au/U5Mh/jOXKqY -GwXgAEZKgoClM4so3O0409/lPun++1ndYYRP0lSWE2ETPo+Aab6TR7U1Q9Jauz1c -77NCR807VRMGsAnb/WP2OogKmW9+4c4bU2pEZiNRCHu8W1Ki/QY3OEBhj0qWuJA3 -+GbHeJAAFS6LrVE1Uweoa2iu+U48BybNCAVwzDk/dr2l02cmAYamU9JgO3xDf1WK -vJUawSg5TB9D0pH0clmKuVb8P7Sd2nCcdlqMQ1DujjByTd//SffGqWfZbawCEeI6 -FiWnWAjLb1NBnEg4R2gz0dfHj9R0IdTDBZB6/86WiLEVKV0jq9BgoRJP3vQXzTLl -yb/IQ639Lo7xr+L0mPoSHyDYwKcMhcWQ9DstliaxLL5Mq+ux0orJ23gTDx4JnW2P -AJ8C2sH6H3p6CcRK5ogql5+Ji/03X186zjhZhkuvcQu02PJwT58yE+Owp1fl2tpD -y4Q08ijE6m30Ku/Ba3ba+367hTzSU8JNvnHhRdH9I2cNE3X7z2VnIp2usAnRCf8d -NL/+I5c30jn6PQ0GC7TbO6Orb1wdtn7os4I07QZcJA== +MIICpTCCAiqgAwIBAgIUJkYZdzHhT28oNt45UYbm1JeIIsEwCgYIKoZIzj0EAwMw +gYAxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHEwZBbmthcmExGTAXBgNVBAoTEEUtVHVn +cmEgRUJHIEEuUy4xHTAbBgNVBAsTFEUtVHVncmEgVHJ1c3QgQ2VudGVyMSYwJAYD +VQQDEx1FLVR1Z3JhIEdsb2JhbCBSb290IENBIEVDQyB2MzAeFw0yMDAzMTgwOTQ2 +NThaFw00NTAzMTIwOTQ2NThaMIGAMQswCQYDVQQGEwJUUjEPMA0GA1UEBxMGQW5r +YXJhMRkwFwYDVQQKExBFLVR1Z3JhIEVCRyBBLlMuMR0wGwYDVQQLExRFLVR1Z3Jh +IFRydXN0IENlbnRlcjEmMCQGA1UEAxMdRS1UdWdyYSBHbG9iYWwgUm9vdCBDQSBF 
+Q0MgdjMwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASOmCm/xxAeJ9urA8woLNheSBkQ +KczLWYHMjLiSF4mDKpL2w6QdTGLVn9agRtwcvHbB40fQWxPa56WzZkjnIZpKT4YK +fWzqTTKACrJ6CZtpS5iB4i7sAnCWH/31Rs7K3IKjYzBhMA8GA1UdEwEB/wQFMAMB +Af8wHwYDVR0jBBgwFoAU/4Ixcj75xGZsrTie0bBRiKWQzPUwHQYDVR0OBBYEFP+C +MXI++cRmbK04ntGwUYilkMz1MA4GA1UdDwEB/wQEAwIBBjAKBggqhkjOPQQDAwNp +ADBmAjEA5gVYaWHlLcoNy/EZCL3W/VGSGn5jVASQkZo1kTmZ+gepZpO6yGjUij/6 +7W4WAie3AjEA3VoXK3YdZUKWpqxdinlW2Iob35reX8dQj7FbcQwm32pAAOwzkSFx +vmjkI6TZraE3 +-----END CERTIFICATE----- +=== /C=TR/L=Ankara/O=E-Tugra EBG A.S./OU=E-Tugra Trust Center/CN=E-Tugra Global Root CA RSA v3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 0d:4d:c5:cd:16:22:95:96:08:7e:b8:0b:7f:15:06:34:fb:79:10:34 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Mar 18 09:07:17 2020 GMT + Not After : Mar 12 09:07:17 2045 GMT + Subject: C=TR, L=Ankara, O=E-Tugra EBG A.S., OU=E-Tugra Trust Center, CN=E-Tugra Global Root CA RSA v3 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Authority Key Identifier: + keyid:B2:B4:AE:E6:2D:F7:26:D5:AA:75:2D:76:4B:C0:1B:53:21:D0:48:EF + + X509v3 Subject Key Identifier: + B2:B4:AE:E6:2D:F7:26:D5:AA:75:2D:76:4B:C0:1B:53:21:D0:48:EF + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=E9:A8:5D:22:14:52:1C:5B:AA:0A:B4:BE:24:6A:23:8A:C9:BA:E2:A9 +SHA256 Fingerprint=EF:66:B0:B1:0A:3C:DB:9F:2E:36:48:C7:6B:D2:AF:18:EA:D2:BF:E6:F1:17:65:5E:28:C4:06:0D:A1:A3:F4:C2 +-----BEGIN CERTIFICATE----- +MIIF8zCCA9ugAwIBAgIUDU3FzRYilZYIfrgLfxUGNPt5EDQwDQYJKoZIhvcNAQEL +BQAwgYAxCzAJBgNVBAYTAlRSMQ8wDQYDVQQHEwZBbmthcmExGTAXBgNVBAoTEEUt +VHVncmEgRUJHIEEuUy4xHTAbBgNVBAsTFEUtVHVncmEgVHJ1c3QgQ2VudGVyMSYw +JAYDVQQDEx1FLVR1Z3JhIEdsb2JhbCBSb290IENBIFJTQSB2MzAeFw0yMDAzMTgw +OTA3MTdaFw00NTAzMTIwOTA3MTdaMIGAMQswCQYDVQQGEwJUUjEPMA0GA1UEBxMG +QW5rYXJhMRkwFwYDVQQKExBFLVR1Z3JhIEVCRyBBLlMuMR0wGwYDVQQLExRFLVR1 +Z3JhIFRydXN0IENlbnRlcjEmMCQGA1UEAxMdRS1UdWdyYSBHbG9iYWwgUm9vdCBD 
+QSBSU0EgdjMwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCiZvCJt3J7 +7gnJY9LTQ91ew6aEOErxjYG7FL1H6EAX8z3DeEVypi6Q3po61CBxyryfHUuXCscx +uj7X/iWpKo429NEvx7epXTPcMHD4QGxLsqYxYdE0PD0xesevxKenhOGXpOhL9hd8 +7jwH7eKKV9y2+/hDJVDqJ4GohryPUkqWOmAalrv9c/SF/YP9f4RtNGx/ardLAQO/ +rWm31zLZ9Vdq6YaCPqVmMbMWPcLzJmAy01IesGykNz709a/r4d+ABs8qQedmCeFL +l+d3vSFtKbZnwy1+7dZ5ZdHPOrbRsV5WYVB6Ws5OUDGAA5hH5+QYfERaxqSzO8bG +wzrwbMOLyKSRBfP12baqBqG3q+Sx6iEUXIOk/P+2UNOMEiaZdnDpwA+mdPy70Bt4 +znKS4iicvObpCdg604nmvi533wEKb5b25Y08TVJ2Glbhc34XrD2tbKNSEhhw5oBO +M/J+JjKsBY04pOZ2PJ8QaQ5tndLBeSBrW88zjdGUdjXnXVXHt6woq0bM5zshtQoK +5EpZ3IE1S0SVEgpnpaH/WwAH0sDM+T/8nzPyAPiMbIedBi3x7+PmBvrFZhNb/FAH +nnGGstpvdDDPk1Po3CLW3iAfYY2jLqN4MpBs3KwytQXk9TwzDdbgh3cXTJ2w2Amo +DVf3RIXwyAS+XF1a4xeOVGNpf0l0ZAWMowIDAQABo2MwYTAPBgNVHRMBAf8EBTAD +AQH/MB8GA1UdIwQYMBaAFLK0ruYt9ybVqnUtdkvAG1Mh0EjvMB0GA1UdDgQWBBSy +tK7mLfcm1ap1LXZLwBtTIdBI7zAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQEL +BQADggIBAImocn+M684uGMQQgC0QDP/7FM0E4BQ8Tpr7nym/Ip5XuYJzEmMmtcyQ +6dIqKe6cLcwsmb5FJ+Sxce3kOJUxQfJ9emN438o2Fi+CiJ+8EUdPdk3ILY7r3y18 +Tjvarvbj2l0Upq7ohUSdBm6O++96SmotKygY/r+QLHUWnw/qln0F7psTpURs+APQ +3SPh/QMSEgj0GDSz4DcLdxEBSL9htLX4GdnLTeqjjO/98Aa1bZL0SmFQhO3sSdPk +vmjmLuMxC1QLGpLWgti2omU8ZgT5Vdps+9u1FGZNlIM7zR6mK7L+d0CGq+ffCsn9 +9t2HVhjYsCxVYJb6CH5SkPVLpi6HfMsg2wY+oF0Dd32iPBMbKaITVaA9FCKvb7jQ +mhty3QUBjYZgv6Rn7rWlDdF/5horYmbDB7rnoEgcOMPpRfunf/ztAmgayncSd6YA +VSgU7NbHEqIbZULpkejLPoeJVF3Zr52XnGnnCv8PWniLYypMfUeUP95L6VPQMPHF +9p5J3zugkaOj/s1YzOrfr28oO6Bpm4/srK4rVJ2bBLFHIK+WEj5jlB0E5y67hscM +moi/dkfv97ALl2bSRM9gUgfh1SxKOidhd8rXj+eHDjD/DLsE4mHDosiXYY60MGo8 +bcIHX0pzLz/5FooBZu+6kcpSV3uu1OYP3Qt6f4ueJiDPO++BcYNZ -----END CERTIFICATE----- ### eMudhra Inc @@ -2437,7 +2946,7 @@ Certificate: Data: Version: 3 (0x2) Serial Number: - 2a:38:a4:1c:96:0a:04:de:42:b2:28:a5:0b:e8:34:98:02 + 02:03:e5:7e:f5:3f:93:fd:a5:09:21:b2:a6 Signature Algorithm: ecdsa-with-SHA256 Validity Not Before: Nov 13 00:00:00 2012 GMT 
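Review bot: The text header of E-Tugra Global Root CA ECC v3 prints `keyid:FF:82:31:...` immediately followed by `X509v3 Subject Key Identifier:`, whereas the RSA v3 entry directly below and GLOBALTRUST 2020 above print a blank line after their `keyid:` line; the three blocks therefore appear to come from different x509 text dumpers or versions. Regenerating every header in this hunk with the same tool would keep the bundle uniform and make future diffs of these entries attributable to certificate changes rather than formatter drift. The section title change from `E-Tu\U011Fra EBG ...` to the ASCII `E-Tugra EBG A.S.` matches the ASCII organisation name in the new certificates' subjects, so that part is consistent.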
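Review bot: The serial change for GlobalSign ECC Root CA - R4 (to `02:03:e5:7e:f5:3f:93:fd:a5:09:21:b2:a6`) together with @@ -2445 is a re-issue under an unchanged key: the Subject Key Identifier `54:B0:7B:AD:...` and the public-key bytes in the PEM body are identical in the old and new certificate, while both fingerprints change and Key Usage gains `Digital Signature`. The commit description should call this out, because consumers that pin the old SHA-256 fingerprint `BE:C9:49:11:...` stop matching even though SPKI-based pins keep working, and the new Key Usage bits are what a verifier will now see. The same pattern applies to GTS Root R1 at @@ -2826 and @@ -2834 (new serial `02:03:e5:93:6f:31:b0:13:49:88:6b:a2:17`, SKI `E4:AF:2B:26:...` unchanged, Key Usage gaining `Digital Signature`), so one sentence listing the re-issued roots would cover both.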
@@ -2445,25 +2954,24 @@ Certificate: Subject: OU=GlobalSign ECC Root CA - R4, O=GlobalSign, CN=GlobalSign X509v3 extensions: X509v3 Key Usage: critical - Certificate Sign, CRL Sign + Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: 54:B0:7B:AD:45:B8:E2:40:7F:FB:0A:6E:FB:BE:33:C9:3C:A3:84:D5 -SHA1 Fingerprint=69:69:56:2E:40:80:F4:24:A1:E7:19:9F:14:BA:F3:EE:58:AB:6A:BB -SHA256 Fingerprint=BE:C9:49:11:C2:95:56:76:DB:6C:0A:55:09:86:D7:6E:3B:A0:05:66:7C:44:2C:97:62:B4:FB:B7:73:DE:22:8C +SHA1 Fingerprint=6B:A0:B0:98:E1:71:EF:5A:AD:FE:48:15:80:77:10:F4:BD:6F:0B:28 +SHA256 Fingerprint=B0:85:D7:0B:96:4F:19:1A:73:E4:AF:0D:54:AE:7A:0E:07:AA:FD:AF:9B:71:DD:08:62:13:8A:B7:32:5A:24:A2 -----BEGIN CERTIFICATE----- -MIIB4TCCAYegAwIBAgIRKjikHJYKBN5CsiilC+g0mAIwCgYIKoZIzj0EAwIwUDEk -MCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBDQSAtIFI0MRMwEQYDVQQKEwpH -bG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTEyMTExMzAwMDAwMFoX -DTM4MDExOTAzMTQwN1owUDEkMCIGA1UECxMbR2xvYmFsU2lnbiBFQ0MgUm9vdCBD -QSAtIFI0MRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWdu -MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEuMZ5049sJQ6fLjkZHAOkrprlOQcJ -FspjsbmG+IpXwVfOQvpzofdlQv8ewQCybnMO/8ch5RikqtlxP6jUuc6MHaNCMEAw -DgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFFSwe61F -uOJAf/sKbvu+M8k8o4TVMAoGCCqGSM49BAMCA0gAMEUCIQDckqGgE6bPA7DmxCGX -kPoUVy0D7O48027KqGx2vKLeuwIgJ6iFJzWbVsaj8kfSt24bAgAXqmemFZHe+pTs -ewv4n4Q= +MIIB3DCCAYOgAwIBAgINAgPlfvU/k/2lCSGypjAKBggqhkjOPQQDAjBQMSQwIgYD +VQQLExtHbG9iYWxTaWduIEVDQyBSb290IENBIC0gUjQxEzARBgNVBAoTCkdsb2Jh +bFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMTIxMTEzMDAwMDAwWhcNMzgw +MTE5MDMxNDA3WjBQMSQwIgYDVQQLExtHbG9iYWxTaWduIEVDQyBSb290IENBIC0g +UjQxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wWTAT +BgcqhkjOPQIBBggqhkjOPQMBBwNCAAS4xnnTj2wlDp8uORkcA6SumuU5BwkWymOx +uYb4ilfBV85C+nOh92VC/x7BALJucw7/xyHlGKSq2XE/qNS5zowdo0IwQDAOBgNV +HQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUVLB7rUW44kB/ 
++wpu+74zyTyjhNUwCgYIKoZIzj0EAwIDRwAwRAIgIk90crlgr/HmnKAWBVBfw147 +bmF0774BxL4YSFlhgjICICadVGNA3jdgUM/I2O2dgq43mLyjj0xMqTQrbO/7lZsm -----END CERTIFICATE----- === /OU=GlobalSign ECC Root CA - R5/O=GlobalSign/CN=GlobalSign Certificate: 
@@ -2499,56 +3007,6 @@ KoZIzj0EAwMDaAAwZQIxAOVpEslu28YxuglB4Zf4+/2a4n0Sye18ZNPLBSWLVtmg 515dTguDnFt2KaAJJiFqYgIwcdK1j1zqO+F4CYWodZI7yFz9SO8NdCKoCOJuxUnO xwy8p2Fp8fc74SrL+SvzZpA3 -----END CERTIFICATE----- -=== /OU=GlobalSign Root CA - R2/O=GlobalSign/CN=GlobalSign -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 04:00:00:00:00:01:0f:86:26:e6:0d - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Dec 15 08:00:00 2006 GMT - Not After : Dec 15 08:00:00 2021 GMT - Subject: OU=GlobalSign Root CA - R2, O=GlobalSign, CN=GlobalSign - X509v3 extensions: - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Subject Key Identifier: - 9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E - X509v3 CRL Distribution Points: - - Full Name: - URI:http://crl.globalsign.net/root-r2.crl - - X509v3 Authority Key Identifier: - keyid:9B:E2:07:57:67:1C:1E:C0:6A:06:DE:59:B4:9A:2D:DF:DC:19:86:2E - -SHA1 Fingerprint=75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE -SHA256 Fingerprint=CA:42:DD:41:74:5F:D0:B8:1E:B9:02:36:2C:F9:D8:BF:71:9D:A1:BD:1B:1E:FC:94:6F:5B:4C:99:F4:2C:1B:9E ------BEGIN CERTIFICATE----- -MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G -A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp -Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1 -MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG -A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL -v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8 -eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq -tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd -C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa -zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB -mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH 
-V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n -bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG -3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs -J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO -291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS -ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd -AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7 -TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg== ------END CERTIFICATE----- === /OU=GlobalSign Root CA - R3/O=GlobalSign/CN=GlobalSign Certificate: Data: @@ -2826,7 +3284,7 @@ Certificate: Data: Version: 3 (0x2) Serial Number: - 6e:47:a9:c5:4b:47:0c:0d:ec:33:d0:89:b9:1c:f4:e1 + 02:03:e5:93:6f:31:b0:13:49:88:6b:a2:17 Signature Algorithm: sha384WithRSAEncryption Validity Not Before: Jun 22 00:00:00 2016 GMT 
@@ -2834,50 +3292,50 @@ Certificate: Subject: C=US, O=Google Trust Services LLC, CN=GTS Root R1 X509v3 extensions: X509v3 Key Usage: critical - Certificate Sign, CRL Sign + Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: E4:AF:2B:26:71:1A:2B:48:27:85:2F:52:66:2C:EF:F0:89:13:71:3E -SHA1 Fingerprint=E1:C9:50:E6:EF:22:F8:4C:56:45:72:8B:92:20:60:D7:D5:A7:A3:E8 -SHA256 Fingerprint=2A:57:54:71:E3:13:40:BC:21:58:1C:BD:2C:F1:3E:15:84:63:20:3E:CE:94:BC:F9:D3:CC:19:6B:F0:9A:54:72 +SHA1 Fingerprint=E5:8C:1C:C4:91:3B:38:63:4B:E9:10:6E:E3:AD:8E:6B:9D:D9:81:4A +SHA256 Fingerprint=D9:47:43:2A:BD:E7:B7:FA:90:FC:2E:6B:59:10:1B:12:80:E0:E1:C7:E4:E4:0F:A3:C6:88:7F:FF:57:A7:F4:CF -----BEGIN CERTIFICATE----- -MIIFWjCCA0KgAwIBAgIQbkepxUtHDA3sM9CJuRz04TANBgkqhkiG9w0BAQwFADBH -MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM -QzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIy -MDAwMDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNl -cnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaM -f/vo27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vX -mX7wCl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7 -zUjwTcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0P -fyblqAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtc -vfaHszVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4 -Zor8Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUsp -zBmkMiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOO -Rc92wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYW -k70paDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+ -DVrNVjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgF -lQIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV -HQ4EFgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBADiW 
-Cu49tJYeX++dnAsznyvgyv3SjgofQXSlfKqE1OXyHuY3UjKcC9FhHb8owbZEKTV1 -d5iyfNm9dKyKaOOpMQkpAWBz40d8U6iQSifvS9efk+eCNs6aaAyC58/UEBZvXw6Z -XPYfcX3v73svfuo21pdwCxXu11xWajOl40k4DLh9+42FpLFZXvRq4d2h9mREruZR -gyFmxhE+885H7pwoHyXa/6xmld01D1zvICxi/ZG6qcz8WpyTgYMpl0p8WnK0OdC3 -d8t5/Wk6kjftbjhlRn7pYL15iJdfOBL07q9bgsiG1eGZbYwE8na6SfZu6W0eX6Dv -J4J2QPim01hcDyxC2kLGe4g0x8HYRZvBPsVhHdljUEn2NIVq4BjFbkerQUIpm/Zg -DdIx02OYI5NaAIFItO/Nis3Jz5nu2Z6qNuFoS3FJFDYoOj0dzpqPJeaAcWErtXvM -+SUWgeExX6GjfhaknBZqlxi9dnKlC54dNuYvoS++cJEPqOba+MSSQGwlfnuzCdyy -F62ARPBopY+Udf90WuioAnwMCeKpSwughQtiue+hMZL77/ZRBIls6Kl0obsXs7X9 -SQ98POyDGCBDTtWTurQ0sR8WNh8M5mQ5Fkzc4P4dyKliPUDqysU0ArSuiYgzNdws -E3PYJ/HQcu51OyLemGhmW/HGY0dVHLqlCFF1pkgl +MIIFVzCCAz+gAwIBAgINAgPlk28xsBNJiGuiFzANBgkqhkiG9w0BAQwFADBHMQsw +CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU +MBIGA1UEAxMLR1RTIFJvb3QgUjEwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw +MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp +Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjEwggIiMA0GCSqGSIb3DQEBAQUA +A4ICDwAwggIKAoICAQC2EQKLHuOhd5s73L+UPreVp0A8of2C+X0yBoJx9vaMf/vo +27xqLpeXo4xL+Sv2sfnOhB2x+cWX3u+58qPpvBKJXqeqUqv4IyfLpLGcY9vXmX7w +Cl7raKb0xlpHDU0QM+NOsROjyBhsS+z8CZDfnWQpJSMHobTSPS5g4M/SCYe7zUjw +TcLCeoiKu7rPWRnWr4+wB7CeMfGCwcDfLqZtbBkOtdh+JhpFAz2weaSUKK0Pfybl +qAj+lug8aJRT7oM6iCsVlgmy4HqMLnXWnOunVmSPlk9orj2XwoSPwLxAwAtcvfaH +szVsrBhQf4TgTM2S0yDpM7xSma8ytSmzJSq0SPly4cpk9+aCEI3oncKKiPo4Zor8 +Y/kB+Xj9e1x3+naH+uzfsQ55lVe0vSbv1gHR6xYKu44LtcXFilWr06zqkUspzBmk +MiVOKvFlRNACzqrOSbTqn3yDsEB750Orp2yjj32JgfpMpf/VjsPOS+C12LOORc92 +wO1AK/1TD7Cn1TsNsYqiA94xrcx36m97PtbfkSIS5r762DL8EGMUUXLeXdYWk70p +aDPvOmbsB4om3xPXV2V4J95eSRQAogB/mqghtqmxlbCluQ0WEdrHbEg8QOB+DVrN +VjzRlwW5y0vtOUucxD/SVRNuJLDWcfr0wbrM7Rv1/oFB2ACYPTrIrnqYNxgFlQID +AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E +FgQU5K8rJnEaK0gnhS9SZizv8IkTcT4wDQYJKoZIhvcNAQEMBQADggIBAJ+qQibb +C5u+/x6Wki4+omVKapi6Ist9wTrYggoGxval3sBOh2Z5ofmmWJyq+bXmYOfg6LEe 
+QkEzCzc9zolwFcq1JKjPa7XSQCGYzyI0zzvFIoTgxQ6KfF2I5DUkzps+GlQebtuy +h6f88/qBVRRiClmpIgUxPoLW7ttXNLwzldMXG+gnoot7TiYaelpkttGsN/H9oPM4 +7HLwEXWdyzRSjeZ2axfG34arJ45JK3VmgRAhpuo+9K4l/3wV3s6MJT/KYnAK9y8J +ZgfIPxz88NtFMN9iiMG1D53Dn0reWVlHxYciNuaCp+0KueIHoI17eko8cdLiA6Ef +MgfdG+RCzgwARWGAtQsgWSl4vflVy2PFPEz0tv/bal8xa5meLMFrUKTX5hgUvYU/ +Z6tGn6D/Qqc6f1zLXbBwHSs09dR2CQzreExZBfMzQsNhFRAbd03OIozUhfJFfbdT +6u9AWpQKXCBfTkBdYiJ23//OYb2MI3jSNwLgjt7RETeJ9r/tSQdirpLsQBqvFAnZ +0E6yove+7u7Y/9waLd64NnHi/Hm3lCXRSHNboTXns5lndcEZOitHTtNCjv0xyBZm +2tIMPNuzjsmhDYAPexZ3FL//2wmUspO8IFgV6dtxQ/PeEMMA3KgqlbbC1j+Qa3bb +bP6MvPJwNQzcmRk13NfIRmPVNnGuV/u3gm3c -----END CERTIFICATE----- === /C=US/O=Google Trust Services LLC/CN=GTS Root R2 Certificate: Data: Version: 3 (0x2) Serial Number: - 6e:47:a9:c6:5a:b3:e7:20:c5:30:9a:3f:68:52:f2:6f + 02:03:e5:ae:c5:8d:04:25:1a:ab:11:25:aa Signature Algorithm: sha384WithRSAEncryption Validity Not Before: Jun 22 00:00:00 2016 GMT 
@@ -2885,50 +3343,50 @@ Certificate: Subject: C=US, O=Google Trust Services LLC, CN=GTS Root R2 X509v3 extensions: X509v3 Key Usage: critical - Certificate Sign, CRL Sign + Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: BB:FF:CA:8E:23:9F:4F:99:CA:DB:E2:68:A6:A5:15:27:17:1E:D9:0E -SHA1 Fingerprint=D2:73:96:2A:2A:5E:39:9F:73:3F:E1:C7:1E:64:3F:03:38:34:FC:4D -SHA256 Fingerprint=C4:5D:7B:B0:8E:6D:67:E6:2E:42:35:11:0B:56:4E:5F:78:FD:92:EF:05:8C:84:0A:EA:4E:64:55:D7:58:5C:60 +SHA1 Fingerprint=9A:44:49:76:32:DB:DE:FA:D0:BC:FB:5A:7B:17:BD:9E:56:09:24:94 +SHA256 Fingerprint=8D:25:CD:97:22:9D:BF:70:35:6B:DA:4E:B3:CC:73:40:31:E2:4C:F0:0F:AF:CF:D3:2D:C7:6E:B5:84:1C:7E:A8 -----BEGIN CERTIFICATE----- -MIIFWjCCA0KgAwIBAgIQbkepxlqz5yDFMJo/aFLybzANBgkqhkiG9w0BAQwFADBH -MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM -QzEUMBIGA1UEAxMLR1RTIFJvb3QgUjIwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIy -MDAwMDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNl -cnZpY2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjIwggIiMA0GCSqGSIb3DQEB -AQUAA4ICDwAwggIKAoICAQDO3v2m++zsFDQ8BwZabFn3GTXd98GdVarTzTukk3Lv -CvptnfbwhYBboUhSnznFt+4orO/LdmgUud+tAWyZH8QiHZ/+cnfgLFuv5AS/T3Kg -GjSY6Dlo7JUle3ah5mm5hRm9iYz+re026nO8/4Piy33B0s5Ks40FnotJk9/BW9Bu -XvAuMC6C/Pq8tBcKSOWIm8Wba96wyrQD8Nr0kLhlZPdcTK3ofmZemde4wj7I0BOd -re7kRXuJVfeKH2JShBKzwkCX44ofR5GmdFrS+LFjKBC4swm4VndAoiaYecb+3yXu -PuWgf9RhD1FLPD+M2uFwdNjCaKH5wQzpoeJ/u1U8dgbuak7MkogwTZq9TwtImoS1 -mKPV+3PBV2HdKFZ1E66HjucMUQkQdYhMvI35ezzUIkgfKtzra7tEscszcTJGr61K -8YzodDqs5xoic4DSMPclQsciOzsSrZYuxsN2B6ogtzVJV+mSSeh2FnIxZyuWfoqj -x5RWIr9qS34BIbIjMt/kmkRtWVtd9QCgHJvGeJeNkP+byKq0rxFROV7Z+2et1VsR -nTKaG73VululycslaVNVJ1zgyjbLiGH7HrfQy+4W+9OmTN6SpdTi3/UGVN4unUu0 -kzCqgc7dGtxRcw1PcOnlthYhGXmy5okLdWTK1au8CcEYof/UVKGFPP0UJAOyh9Ok -twIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV -HQ4EFgQUu//KjiOfT5nK2+JopqUVJxce2Q4wDQYJKoZIhvcNAQEMBQADggIBALZp 
-8KZ3/p7uC4Gt4cCpx/k1HUCCq+YEtN/L9x0Pg/B+E02NjO7jMyLDOfxA325BS0JT -vhaI8dI4XsRomRyYUpOM52jtG2pzegVATX9lO9ZY8c6DR2Dj/5epnGB3GFW1fgiT -z9D2PGcDFWEJ+YF59exTpJ/JjwGLc8R3dtyDovUMSRqodt6Sm2T4syzFJ9MHwAiA -pJiS4wGWAqoC7o87xdFtCjMwc3i5T1QWvwsHoaRc5svJXISPD+AVdyx+Jn7axEvb -pxZ3B7DNdehyQtaVhJ2Gg/LkkM0JR9SLA3DaWsYDQvTtN6LwG1BUSw7YhN4ZKJmB -R64JGz9I0cNv4rBgF/XuIwKl2gBbbZCr7qLpGzvpx0QnRY5rn/WkhLx3+WuXrD5R -RaIRpsyF7gpo8j5QOHokYh4XIDdtak23CZvJ/KRY9bb7nE4Yu5UC56GtmwfuNmsk -0jmGwZODUNKBRqhfYlcsu2xkiAhu7xNUX90txGdj08+JN7+dIPT7eoOboB6BAFDC -5AwiWVIQ7UNWhwD4FFKnHYuTjKJNRn8nxnGbJN7k2oaLDX5rIMHAnuFl2GqjpuiF -izoHCBy69Y9Vmhh1fuXsgWbRIXOhNUQLgD1bnF5vKheW0YMjiGZt5obicDIvUiLn -yOd/xCxgXS/Dr55FBcOEArf9LAhST4Ldo/DUhgkC +MIIFVzCCAz+gAwIBAgINAgPlrsWNBCUaqxElqjANBgkqhkiG9w0BAQwFADBHMQsw +CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU +MBIGA1UEAxMLR1RTIFJvb3QgUjIwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw +MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp +Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjIwggIiMA0GCSqGSIb3DQEBAQUA +A4ICDwAwggIKAoICAQDO3v2m++zsFDQ8BwZabFn3GTXd98GdVarTzTukk3LvCvpt +nfbwhYBboUhSnznFt+4orO/LdmgUud+tAWyZH8QiHZ/+cnfgLFuv5AS/T3KgGjSY +6Dlo7JUle3ah5mm5hRm9iYz+re026nO8/4Piy33B0s5Ks40FnotJk9/BW9BuXvAu +MC6C/Pq8tBcKSOWIm8Wba96wyrQD8Nr0kLhlZPdcTK3ofmZemde4wj7I0BOdre7k +RXuJVfeKH2JShBKzwkCX44ofR5GmdFrS+LFjKBC4swm4VndAoiaYecb+3yXuPuWg +f9RhD1FLPD+M2uFwdNjCaKH5wQzpoeJ/u1U8dgbuak7MkogwTZq9TwtImoS1mKPV ++3PBV2HdKFZ1E66HjucMUQkQdYhMvI35ezzUIkgfKtzra7tEscszcTJGr61K8Yzo +dDqs5xoic4DSMPclQsciOzsSrZYuxsN2B6ogtzVJV+mSSeh2FnIxZyuWfoqjx5RW +Ir9qS34BIbIjMt/kmkRtWVtd9QCgHJvGeJeNkP+byKq0rxFROV7Z+2et1VsRnTKa +G73VululycslaVNVJ1zgyjbLiGH7HrfQy+4W+9OmTN6SpdTi3/UGVN4unUu0kzCq +gc7dGtxRcw1PcOnlthYhGXmy5okLdWTK1au8CcEYof/UVKGFPP0UJAOyh9OktwID +AQABo0IwQDAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E +FgQUu//KjiOfT5nK2+JopqUVJxce2Q4wDQYJKoZIhvcNAQEMBQADggIBAB/Kzt3H +vqGf2SdMC9wXmBFqiN495nFWcrKeGk6c1SuYJF2ba3uwM4IJvd8lRuqYnrYb/oM8 
+0mJhwQTtzuDFycgTE1XnqGOtjHsB/ncw4c5omwX4Eu55MaBBRTUoCnGkJE+M3DyC +B19m3H0Q/gxhswWV7uGugQ+o+MePTagjAiZrHYNSVc61LwDKgEDg4XSsYPWHgJ2u +NmSRXbBoGOqKYcl3qJfEycel/FVL8/B/uWU9J2jQzGv6U53hkRrJXRqWbTKH7QMg +yALOWr7Z6v2yTcQvG99fevX4i8buMTolUVVnjWQye+mew4K6Ki3pHrTgSAai/Gev +HyICc/sgCq+dVEuhzf9gR7A/Xe8bVr2XIZYtCtFenTgCR2y59PYjJbigapordwj6 +xLEokCZYCDzifqrXPW+6MYgKBesntaFJ7qBFVHvmJ2WZICGoo7z7GJa7Um8M7YNR +TOlZ4iBgxcJlkoKM8xAfDoqXvneCbT+PHV28SSe9zE8P4c52hgQjxcCMElv924Sg +JPFI/2R80L5cFtHvma3AH/vLrrw4IgYmZNralw4/KBVEqE8AyvCazM90arQ+POuV +7LXTWtiBmelDGDfrs7vRWGJB82bSj6p4lVQgw1oudCvV0b4YacCs1aTPObpRhANl +6WLAYv7YTVWW4tAR+kg0Eeye7QUd5MjWHYbL -----END CERTIFICATE----- === /C=US/O=Google Trust Services LLC/CN=GTS Root R3 Certificate: Data: Version: 3 (0x2) Serial Number: - 6e:47:a9:c7:6c:a9:73:24:40:89:0f:03:55:dd:8d:1d + 02:03:e5:b8:82:eb:20:f8:25:27:6d:3d:66 Signature Algorithm: ecdsa-with-SHA384 Validity Not Before: Jun 22 00:00:00 2016 GMT 
@@ -2936,32 +3394,32 @@ Certificate: Subject: C=US, O=Google Trust Services LLC, CN=GTS Root R3 X509v3 extensions: X509v3 Key Usage: critical - Certificate Sign, CRL Sign + Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: C1:F1:26:BA:A0:2D:AE:85:81:CF:D3:F1:2A:12:BD:B8:0A:67:FD:BC -SHA1 Fingerprint=30:D4:24:6F:07:FF:DB:91:89:8A:0B:E9:49:66:11:EB:8C:5E:46:E5 -SHA256 Fingerprint=15:D5:B8:77:46:19:EA:7D:54:CE:1C:A6:D0:B0:C4:03:E0:37:A9:17:F1:31:E8:A0:4E:1E:6B:7A:71:BA:BC:E5 +SHA1 Fingerprint=ED:E5:71:80:2B:C8:92:B9:5B:83:3C:D2:32:68:3F:09:CD:A0:1E:46 +SHA256 Fingerprint=34:D8:A7:3E:E2:08:D9:BC:DB:0D:95:65:20:93:4B:4E:40:E6:94:82:59:6E:8B:6F:73:C8:42:6B:01:0A:6F:48 -----BEGIN CERTIFICATE----- -MIICDDCCAZGgAwIBAgIQbkepx2ypcyRAiQ8DVd2NHTAKBggqhkjOPQQDAzBHMQsw -CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU -MBIGA1UEAxMLR1RTIFJvb3QgUjMwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw -MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp -Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjMwdjAQBgcqhkjOPQIBBgUrgQQA -IgNiAAQfTzOHMymKoYTey8chWEGJ6ladK0uFxh1MJ7x/JlFyb+Kf1qPKzEUURout -736GjOyxfi//qXGdGIRFBEFVbivqJn+7kAHjSxm65FSWRQmx1WyRRK2EE46ajA2A -DDL24CejQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud -DgQWBBTB8Sa6oC2uhYHP0/EqEr24Cmf9vDAKBggqhkjOPQQDAwNpADBmAjEAgFuk -fCPAlaUs3L6JbyO5o91lAFJekazInXJ0glMLfalAvWhgxeG4VDvBNhcl2MG9AjEA -njWSdIUlUfUk7GRSJFClH9voy8l27OyCbvWFGFPouOOaKaqW04MjyaR7YbPMAuhd +MIICCTCCAY6gAwIBAgINAgPluILrIPglJ209ZjAKBggqhkjOPQQDAzBHMQswCQYD +VQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIG +A1UEAxMLR1RTIFJvb3QgUjMwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAw +WjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2Vz +IExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjMwdjAQBgcqhkjOPQIBBgUrgQQAIgNi +AAQfTzOHMymKoYTey8chWEGJ6ladK0uFxh1MJ7x/JlFyb+Kf1qPKzEUURout736G +jOyxfi//qXGdGIRFBEFVbivqJn+7kAHjSxm65FSWRQmx1WyRRK2EE46ajA2ADDL2 
+4CejQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW +BBTB8Sa6oC2uhYHP0/EqEr24Cmf9vDAKBggqhkjOPQQDAwNpADBmAjEA9uEglRR7 +VKOQFhG/hMjqb2sXnh5GmCCbn9MN2azTL818+FsuVbu/3ZL3pAzcMeGiAjEA/Jdm +ZuVDFhOD3cffL74UOO0BzrEXGhF16b0DjyZ+hOXJYKaV11RZt+cRLInUue4X -----END CERTIFICATE----- === /C=US/O=Google Trust Services LLC/CN=GTS Root R4 Certificate: Data: Version: 3 (0x2) Serial Number: - 6e:47:a9:c8:8b:94:b6:e8:bb:3b:2a:d8:a2:b2:c1:99 + 02:03:e5:c0:68:ef:63:1a:9c:72:90:50:52 Signature Algorithm: ecdsa-with-SHA384 Validity Not Before: Jun 22 00:00:00 2016 GMT 
@@ -2969,25 +3427,25 @@ Certificate: Subject: C=US, O=Google Trust Services LLC, CN=GTS Root R4 X509v3 extensions: X509v3 Key Usage: critical - Certificate Sign, CRL Sign + Digital Signature, Certificate Sign, CRL Sign X509v3 Basic Constraints: critical CA:TRUE X509v3 Subject Key Identifier: 80:4C:D6:EB:74:FF:49:36:A3:D5:D8:FC:B5:3E:C5:6A:F0:94:1D:8C -SHA1 Fingerprint=2A:1D:60:27:D9:4A:B1:0A:1C:4D:91:5C:CD:33:A0:CB:3E:2D:54:CB -SHA256 Fingerprint=71:CC:A5:39:1F:9E:79:4B:04:80:25:30:B3:63:E1:21:DA:8A:30:43:BB:26:66:2F:EA:4D:CA:7F:C9:51:A4:BD +SHA1 Fingerprint=77:D3:03:67:B5:E0:0C:15:F6:0C:38:61:DF:7C:E1:3B:92:46:4D:47 +SHA256 Fingerprint=34:9D:FA:40:58:C5:E2:63:12:3B:39:8A:E7:95:57:3C:4E:13:13:C8:3F:E6:8F:93:55:6C:D5:E8:03:1B:3C:7D -----BEGIN CERTIFICATE----- -MIICCjCCAZGgAwIBAgIQbkepyIuUtui7OyrYorLBmTAKBggqhkjOPQQDAzBHMQsw -CQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEU -MBIGA1UEAxMLR1RTIFJvb3QgUjQwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAw -MDAwWjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZp -Y2VzIExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjQwdjAQBgcqhkjOPQIBBgUrgQQA -IgNiAATzdHOnaItgrkO4NcWBMHtLSZ37wWHO5t5GvWvVYRg1rkDdc/eJkTBa6zzu -hXyiQHY7qca4R9gq55KRanPpsXI5nymfopjTX15YhmUPoYRlBtHci8nHc8iMai/l -xKvRHYqjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud -DgQWBBSATNbrdP9JNqPV2Py1PsVq8JQdjDAKBggqhkjOPQQDAwNnADBkAjBqUFJ0 -CMRw3J5QdCHojXohw0+WbhXRIjVhLfoIN+4Zba3bssx9BzT1YBkstTTZbyACMANx -sbqjYAuG7ZoIapVon+Kz4ZNkfF6Tpt95LY2F45TPI11xzPKwTdb+mciUqXWi4w== +MIICCTCCAY6gAwIBAgINAgPlwGjvYxqccpBQUjAKBggqhkjOPQQDAzBHMQswCQYD +VQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExMQzEUMBIG +A1UEAxMLR1RTIFJvb3QgUjQwHhcNMTYwNjIyMDAwMDAwWhcNMzYwNjIyMDAwMDAw +WjBHMQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2Vz +IExMQzEUMBIGA1UEAxMLR1RTIFJvb3QgUjQwdjAQBgcqhkjOPQIBBgUrgQQAIgNi +AATzdHOnaItgrkO4NcWBMHtLSZ37wWHO5t5GvWvVYRg1rkDdc/eJkTBa6zzuhXyi +QHY7qca4R9gq55KRanPpsXI5nymfopjTX15YhmUPoYRlBtHci8nHc8iMai/lxKvR 
+HYqjQjBAMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW +BBSATNbrdP9JNqPV2Py1PsVq8JQdjDAKBggqhkjOPQQDAwNpADBmAjEA6ED/g94D +9J+uHXqnLrmvT/aDHQ4thQEd0dlq7A/Cr8deVl5c1RxYIigL9zC2L7F8AjEA8GE8 +p/SgguMh1YQdc4acLa/KNJvxn7kjNuK8YAOdgLOaVsjh4rsUecrNIdSUtUlD -----END CERTIFICATE----- ### GUANG DONG CERTIFICATE AUTHORITY CO.,LTD. 
@@ -3044,6 +3502,97 @@ T8p+ck0LcIymSLumoRT2+1hEmRSuqguTaaApJUqlyyvdimYHFngVV3Eb7PVHhPOe MTd61X8kreS8/f3MboPoDKi3QWwH3b08hpcv0g== -----END CERTIFICATE----- +### Hellenic Academic and Research Institutions CA + +=== /C=GR/O=Hellenic Academic and Research Institutions CA/CN=HARICA TLS ECC Root CA 2021 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 67:74:9d:8d:77:d8:3b:6a:db:22:f4:ff:59:e2:bf:ce + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Feb 19 11:01:10 2021 GMT + Not After : Feb 13 11:01:09 2045 GMT + Subject: C=GR, O=Hellenic Academic and Research Institutions CA, CN=HARICA TLS ECC Root CA 2021 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + C9:1B:53:81:12:FE:04:D5:16:D1:AA:BC:9A:6F:B7:A0:95:19:6E:CA + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=BC:B0:C1:9D:E9:98:92:70:19:38:57:E9:8D:A7:B4:5D:6E:EE:01:48 +SHA256 Fingerprint=3F:99:CC:47:4A:CF:CE:4D:FE:D5:87:94:66:5E:47:8D:15:47:73:9F:2E:78:0F:1B:B4:CA:9B:13:30:97:D4:01 +-----BEGIN CERTIFICATE----- +MIICVDCCAdugAwIBAgIQZ3SdjXfYO2rbIvT/WeK/zjAKBggqhkjOPQQDAzBsMQsw +CQYDVQQGEwJHUjE3MDUGA1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJlc2Vh +cmNoIEluc3RpdHV0aW9ucyBDQTEkMCIGA1UEAwwbSEFSSUNBIFRMUyBFQ0MgUm9v +dCBDQSAyMDIxMB4XDTIxMDIxOTExMDExMFoXDTQ1MDIxMzExMDEwOVowbDELMAkG +A1UEBhMCR1IxNzA1BgNVBAoMLkhlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJj +aCBJbnN0aXR1dGlvbnMgQ0ExJDAiBgNVBAMMG0hBUklDQSBUTFMgRUNDIFJvb3Qg +Q0EgMjAyMTB2MBAGByqGSM49AgEGBSuBBAAiA2IABDgI/rGgltJ6rK9JOtDA4MM7 +KKrxcm1lAEeIhPyaJmuqS7psBAqIXhfyVYf8MLA04jRYVxqEU+kw2anylnTDUR9Y +STHMmE5gEYd103KUkE+bECUqqHgtvpBBWJAVcqeht6NCMEAwDwYDVR0TAQH/BAUw +AwEB/zAdBgNVHQ4EFgQUyRtTgRL+BNUW0aq8mm+3oJUZbsowDgYDVR0PAQH/BAQD +AgGGMAoGCCqGSM49BAMDA2cAMGQCMBHervjcToiwqfAircJRQO9gcS3ujwLEXQNw +SaSS6sUUiHCm0w2wqsosQJz76YJumgIwK0eaB8bRwoF8yguWGEEbo/QwCZ61IygN +nxS2PFOiTAZpffpskcYqSUXm7LcT4Tps +-----END CERTIFICATE----- +=== /C=GR/O=Hellenic Academic and Research 
Institutions CA/CN=HARICA TLS RSA Root CA 2021 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 39:ca:93:1c:ef:43:f3:c6:8e:93:c7:f4:64:89:38:7e + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Feb 19 10:55:38 2021 GMT + Not After : Feb 13 10:55:37 2045 GMT + Subject: C=GR, O=Hellenic Academic and Research Institutions CA, CN=HARICA TLS RSA Root CA 2021 + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 0A:48:23:A6:60:A4:92:0A:33:EA:93:5B:C5:57:EA:25:4D:BD:12:EE + X509v3 Key Usage: critical + Digital Signature, Certificate Sign, CRL Sign +SHA1 Fingerprint=02:2D:05:82:FA:88:CE:14:0C:06:79:DE:7F:14:10:E9:45:D7:A5:6D +SHA256 Fingerprint=D9:5D:0E:8E:DA:79:52:5B:F9:BE:B1:1B:14:D2:10:0D:32:94:98:5F:0C:62:D9:FA:BD:9C:D9:99:EC:CB:7B:1D +-----BEGIN CERTIFICATE----- +MIIFpDCCA4ygAwIBAgIQOcqTHO9D88aOk8f0ZIk4fjANBgkqhkiG9w0BAQsFADBs +MQswCQYDVQQGEwJHUjE3MDUGA1UECgwuSGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl +c2VhcmNoIEluc3RpdHV0aW9ucyBDQTEkMCIGA1UEAwwbSEFSSUNBIFRMUyBSU0Eg +Um9vdCBDQSAyMDIxMB4XDTIxMDIxOTEwNTUzOFoXDTQ1MDIxMzEwNTUzN1owbDEL +MAkGA1UEBhMCR1IxNzA1BgNVBAoMLkhlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNl +YXJjaCBJbnN0aXR1dGlvbnMgQ0ExJDAiBgNVBAMMG0hBUklDQSBUTFMgUlNBIFJv +b3QgQ0EgMjAyMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAIvC569l +mwVnlskNJLnQDmT8zuIkGCyEf3dRywQRNrhe7Wlxp57kJQmXZ8FHws+RFjZiPTgE +4VGC/6zStGndLuwRo0Xua2s7TL+MjaQenRG56Tj5eg4MmOIjHdFOY9TnuEFE+2uv +a9of08WRiFukiZLRgeaMOVig1mlDqa2YUlhu2wr7a89o+uOkXjpFc5gH6l8Cct4M +pbOfrqkdtx2z/IpZ525yZa31MJQjB/OCFks1mJxTuy/K5FrZx40d/JiZ+yykgmvw +Kh+OC19xXFyuQnspiYHLA6OZyoieC0AJQTPb5lh6/a6ZcMBaD9YThnEvdmn8kN3b +LW7R8pv1GmuebxWMevBLKKAiOIAkbDakO/IwkfN4E8/BPzWr8R0RI7VDIp4BkrcY +AuUR0YLbFQDMYTfBKnya4dC6s1BG7oKsnTH4+yPiAwBIcKMJJnkVU2DzOFytOOqB +AGMUuTNe3QvboEUHGjMJ+E20pwKmafTCWQWIZYVWrkvL4N48fS0ayOn7H6NhStYq +E613TBoYm5EPWNgGVMWX+Ko/IIqmhaZ39qb8HOLubpQzKoNQhArlT4b4UEV4AIHr +W2jjJo3Me1xR9BQsQL4aYB16cmEdH2MtiKrOokWQCPxrvrNQKlr9qEgYRtaQQJKQ 
+CoReaDH46+0N0x3GfZkYVVYnZS6NRcUk7M7jAgMBAAGjQjBAMA8GA1UdEwEB/wQF +MAMBAf8wHQYDVR0OBBYEFApII6ZgpJIKM+qTW8VX6iVNvRLuMA4GA1UdDwEB/wQE +AwIBhjANBgkqhkiG9w0BAQsFAAOCAgEAPpBIqm5iFSVmewzVjIuJndftTgfvnNAU +X15QvWiWkKQUEapobQk1OUAJ2vQJLDSle1mESSmXdMgHHkdt8s4cUCbjnj1AUz/3 +f5Z2EMVGpdAgS1D0NTsY9FVqQRtHBmg8uwkIYtlfVUKqrFOFrJVWNlar5AWMxaja +H6NpvVMPxP/cyuN+8kyIhkdGGvMA9YCRotxDQpSbIPDRzbLrLFPCU3hKTwSUQZqP +JzLB5UkZv/HywouoCjkxKLR9YjYsTewfM7Z+d21+UPCfDtcRj88YxeMn/ibvBZ3P +zzfF0HvaO7AWhAw6k9a+F9sPPg4ZeAnHqQJyIkv3N3a6dcSFA1pj1bF1BcK5vZSt +jBWZp5N99sXzqnTPBIWUmAD04vnKJGW/4GKvyMX6ssmeVkjaef2WdhW+o45WxLM0 +/L5H9MG0qPzVMIho7suuyWPEdr6sOBjhXlzPrjoiUevRi7PzKzMHVIf6tLITe7pT +BGIBnfHAT+7hOtSLIBD6Alfm78ELt5BGnBkpjNxvoEppaZS3JGWg/6w/zgH7IS79 +aPib8qXPMThcFarmlwDB31qlpzmq6YR/PFGoOtmUW4y/Twhx5duoXNTSpv4Ao8YW +xw/ogM4cKGR0GQjTQuPOAF1/sdwTsOEFy9EgqoZ0njnnkf3/W9b3raYvAwtt41dU +63ZTGI0RmLo= +-----END CERTIFICATE----- + ### Hellenic Academic and Research Institutions Cert. Authority === /C=GR/L=Athens/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions ECC RootCA 2015 
@@ -3136,61 +3685,6 @@ pcw72Hc3MKJP2W/R8kCtQXoXxdZKNYm3QdV8hn9VTYNKpXMgwDqvkPGaJI7ZjnHK e7iG2rKPmT4dEw0SEe7Uq/DpFXYC5ODfqiAeW2GFZECpkJcNrVPSWh2HagCXZWK0 vm9qp/UsQu0yrbYhnr68 -----END CERTIFICATE----- -=== /C=GR/O=Hellenic Academic and Research Institutions Cert. Authority/CN=Hellenic Academic and Research Institutions RootCA 2011 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 0 (0x0) - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Dec 6 13:49:52 2011 GMT - Not After : Dec 1 13:49:52 2031 GMT - Subject: C=GR, O=Hellenic Academic and Research Institutions Cert. Authority, CN=Hellenic Academic and Research Institutions RootCA 2011 - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - A6:91:42:FD:13:61:4A:23:9E:08:A4:29:E5:D8:13:04:23:EE:41:25 - X509v3 Name Constraints: - Permitted: - DNS:.gr - DNS:.eu - DNS:.edu - DNS:.org - email:.gr - email:.eu - email:.edu - email:.org - -SHA1 Fingerprint=FE:45:65:9B:79:03:5B:98:A1:61:B5:51:2E:AC:DA:58:09:48:22:4D -SHA256 Fingerprint=BC:10:4F:15:A4:8B:E7:09:DC:A5:42:A7:E1:D4:B9:DF:6F:05:45:27:E8:02:EA:A9:2D:59:54:44:25:8A:FE:71 ------BEGIN CERTIFICATE----- -MIIEMTCCAxmgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBlTELMAkGA1UEBhMCR1Ix -RDBCBgNVBAoTO0hlbGxlbmljIEFjYWRlbWljIGFuZCBSZXNlYXJjaCBJbnN0aXR1 -dGlvbnMgQ2VydC4gQXV0aG9yaXR5MUAwPgYDVQQDEzdIZWxsZW5pYyBBY2FkZW1p -YyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIFJvb3RDQSAyMDExMB4XDTExMTIw -NjEzNDk1MloXDTMxMTIwMTEzNDk1MlowgZUxCzAJBgNVBAYTAkdSMUQwQgYDVQQK -EztIZWxsZW5pYyBBY2FkZW1pYyBhbmQgUmVzZWFyY2ggSW5zdGl0dXRpb25zIENl -cnQuIEF1dGhvcml0eTFAMD4GA1UEAxM3SGVsbGVuaWMgQWNhZGVtaWMgYW5kIFJl -c2VhcmNoIEluc3RpdHV0aW9ucyBSb290Q0EgMjAxMTCCASIwDQYJKoZIhvcNAQEB -BQADggEPADCCAQoCggEBAKlTAOMupvaO+mDYLZU++CwqVE7NuYRhlFhPjz2L5EPz -dYmNUeTDN9KKiE15HrcS3UN4SoqS5tdI1Q+kOilENbgH9mgdVc04UfCMJDGFr4PJ -fel3r+0ae50X+bOdOFAPplp5kYCvN66m0zH7tSYJnTxa71HFK9+WXesyHgLacEns 
-bgzImjeN9/E2YEsmLIKe0HjzDQ9jpFEw4fkrJxIH2Oq9GGKYsFk3fb7u8yBRQlqD -75O6aRXxYp2fmTmCobd0LovUxQt7L/DICto9eQqakxylKHJzkUOap9FNhYS5qXSP -FEDH3N6sQWRstBmbAmNtJGSPRLIl6s5ddAxjMlyNh+UCAwEAAaOBiTCBhjAPBgNV -HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUppFC/RNhSiOeCKQp -5dgTBCPuQSUwRwYDVR0eBEAwPqA8MAWCAy5ncjAFggMuZXUwBoIELmVkdTAGggQu -b3JnMAWBAy5ncjAFgQMuZXUwBoEELmVkdTAGgQQub3JnMA0GCSqGSIb3DQEBBQUA -A4IBAQAf73lB4XtuP7KMhjdCSk4cNx6NZrokgclPEg8hwAOXhiVtXdMiKahsog2p -6z0GW5k6x8zDmjR/qw7IThzh+uTczQ2+vyT+bOdrwg3IBp5OjWEopmr95fZi6hg8 -TqBTnbI6nOulnJEWtk2C4AwFSKls9cz4y51JtPACpf1wA+2KIaWuE4ZJwzNzvoc7 -dIsXRSZMFpGD/md9zU1jZ/rzAxKWeAaNsWftjj++n08C9bMJL/NMh98qy5V8Acys -Nnq/onN694/BtZqhFLKPM58N7yLcZnuEvUUXBj08yrl3NI/K6s8/MT7jiOOASSXI -l7WdmplNsDz4SgCbZN2fOUvRJ9e4 ------END CERTIFICATE----- ### Hongkong Post 
@@ -3447,6 +3941,128 @@ oyi3B43njTOQ5yOf+1CceWxG1bQVs5ZufpsMljq4Ui0/1lvh+wjChP4kqKOJ2qxq mRGunUHBcnWEvgJBQl9nJEiU0Zsnvgc/ubhPgXRR4Xq37Z0j4r7g1SgEEzwxA57d emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc= -----END CERTIFICATE----- +=== /C=US/O=Internet Security Research Group/CN=ISRG Root X2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 41:d2:9d:d1:72:ea:ee:a7:80:c1:2c:6c:e9:2f:87:52 + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Sep 4 00:00:00 2020 GMT + Not After : Sep 17 16:00:00 2040 GMT + Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X2 + X509v3 extensions: + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Subject Key Identifier: + 7C:42:96:AE:DE:4B:48:3B:FA:92:F8:9E:8C:CF:6D:8B:A9:72:37:95 +SHA1 Fingerprint=BD:B1:B9:3C:D5:97:8D:45:C6:26:14:55:F8:DB:95:C7:5A:D1:53:AF +SHA256 Fingerprint=69:72:9B:8E:15:A8:6E:FC:17:7A:57:AF:B7:17:1D:FC:64:AD:D2:8C:2F:CA:8C:F1:50:7E:34:45:3C:CB:14:70 +-----BEGIN CERTIFICATE----- +MIICGzCCAaGgAwIBAgIQQdKd0XLq7qeAwSxs6S+HUjAKBggqhkjOPQQDAzBPMQsw +CQYDVQQGEwJVUzEpMCcGA1UEChMgSW50ZXJuZXQgU2VjdXJpdHkgUmVzZWFyY2gg +R3JvdXAxFTATBgNVBAMTDElTUkcgUm9vdCBYMjAeFw0yMDA5MDQwMDAwMDBaFw00 +MDA5MTcxNjAwMDBaME8xCzAJBgNVBAYTAlVTMSkwJwYDVQQKEyBJbnRlcm5ldCBT +ZWN1cml0eSBSZXNlYXJjaCBHcm91cDEVMBMGA1UEAxMMSVNSRyBSb290IFgyMHYw +EAYHKoZIzj0CAQYFK4EEACIDYgAEzZvVn4CDCuwJSvMWSj5cz3es3mcFDR0HttwW ++1qLFNvicWDEukWVEYmO6gbf9yoWHKS5xcUy4APgHoIYOIvXRdgKam7mAHf7AlF9 +ItgKbppbd9/w+kHsOdx1ymgHDB/qo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0T +AQH/BAUwAwEB/zAdBgNVHQ4EFgQUfEKWrt5LSDv6kviejM9ti6lyN5UwCgYIKoZI +zj0EAwMDaAAwZQIwe3lORlCEwkSHRhtFcP9Ymd70/aTSVaYgLXTWNLxBo1BfASdW +tL4ndQavEi51mI38AjEAi/V3bNTIZargCyzuFJ0nN6T5U6VR5CmD1/iQMVtCnwr1 +/q4AaOeMSQ+2b1tbFfLn +-----END CERTIFICATE----- + +### iTrusChina Co.,Ltd. 
+ +=== /C=CN/O=iTrusChina Co.,Ltd./CN=vTrus ECC Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 6e:6a:bc:59:aa:53:be:98:39:67:a2:d2:6b:a4:3b:e6:6d:1c:d6:da + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Jul 31 07:26:44 2018 GMT + Not After : Jul 31 07:26:44 2043 GMT + Subject: C=CN, O=iTrusChina Co.,Ltd., CN=vTrus ECC Root CA + X509v3 extensions: + X509v3 Subject Key Identifier: + 98:39:CD:BE:D8:B2:8C:F7:B2:AB:E1:AD:24:AF:7B:7C:A1:DB:1F:CF + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=F6:9C:DB:B0:FC:F6:02:13:B6:52:32:A6:A3:91:3F:16:70:DA:C3:E1 +SHA256 Fingerprint=30:FB:BA:2C:32:23:8E:2A:98:54:7A:F9:79:31:E5:50:42:8B:9B:3F:1C:8E:EB:66:33:DC:FA:86:C5:B2:7D:D3 +-----BEGIN CERTIFICATE----- +MIICDzCCAZWgAwIBAgIUbmq8WapTvpg5Z6LSa6Q75m0c1towCgYIKoZIzj0EAwMw +RzELMAkGA1UEBhMCQ04xHDAaBgNVBAoTE2lUcnVzQ2hpbmEgQ28uLEx0ZC4xGjAY +BgNVBAMTEXZUcnVzIEVDQyBSb290IENBMB4XDTE4MDczMTA3MjY0NFoXDTQzMDcz +MTA3MjY0NFowRzELMAkGA1UEBhMCQ04xHDAaBgNVBAoTE2lUcnVzQ2hpbmEgQ28u +LEx0ZC4xGjAYBgNVBAMTEXZUcnVzIEVDQyBSb290IENBMHYwEAYHKoZIzj0CAQYF +K4EEACIDYgAEZVBKrox5lkqqHAjDo6LN/llWQXf9JpRCux3NCNtzslt188+cToL0 +v/hhJoVs1oVbcnDS/dtitN9Ti72xRFhiQgnH+n9bEOf+QP3A2MMrMudwpremIFUd +e4BdS49nTPEQo0IwQDAdBgNVHQ4EFgQUmDnNvtiyjPeyq+GtJK97fKHbH88wDwYD +VR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwCgYIKoZIzj0EAwMDaAAwZQIw +V53dVvHH4+m4SVBrm2nDb+zDfSXkV5UTQJtS0zvzQBm8JsctBp61ezaf9SXUY2sA +AjEA6dPGnlaaKsyh2j/IZivTWJwghfqrkYpwcBE4YGQLYgmRWAD5Tfs0aNoJrSEG +GJTO +-----END CERTIFICATE----- +=== /C=CN/O=iTrusChina Co.,Ltd./CN=vTrus Root CA +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 43:e3:71:13:d8:b3:59:14:5d:b7:ce:8c:fd:35:fd:6f:bc:05:8d:45 + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Jul 31 07:24:05 2018 GMT + Not After : Jul 31 07:24:05 2043 GMT + Subject: C=CN, O=iTrusChina Co.,Ltd., CN=vTrus Root CA + X509v3 extensions: + X509v3 Subject Key Identifier: + 
54:62:70:63:F1:75:84:43:58:8E:D1:16:20:B1:C6:AC:1A:BC:F6:89 + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: critical + Certificate Sign, CRL Sign +SHA1 Fingerprint=84:1A:69:FB:F5:CD:1A:25:34:13:3D:E3:F8:FC:B8:99:D0:C9:14:B7 +SHA256 Fingerprint=8A:71:DE:65:59:33:6F:42:6C:26:E5:38:80:D0:0D:88:A1:8D:A4:C6:A9:1F:0D:CB:61:94:E2:06:C5:C9:63:87 +-----BEGIN CERTIFICATE----- +MIIFVjCCAz6gAwIBAgIUQ+NxE9izWRRdt86M/TX9b7wFjUUwDQYJKoZIhvcNAQEL +BQAwQzELMAkGA1UEBhMCQ04xHDAaBgNVBAoTE2lUcnVzQ2hpbmEgQ28uLEx0ZC4x +FjAUBgNVBAMTDXZUcnVzIFJvb3QgQ0EwHhcNMTgwNzMxMDcyNDA1WhcNNDMwNzMx +MDcyNDA1WjBDMQswCQYDVQQGEwJDTjEcMBoGA1UEChMTaVRydXNDaGluYSBDby4s +THRkLjEWMBQGA1UEAxMNdlRydXMgUm9vdCBDQTCCAiIwDQYJKoZIhvcNAQEBBQAD +ggIPADCCAgoCggIBAL1VfGHTuB0EYgWgrmy3cLRB6ksDXhA/kFocizuwZotsSKYc +IrrVQJLuM7IjWcmOvFjai57QGfIvWcaMY1q6n6MLsLOaXLoRuBLpDLvPbmyAhykU +AyyNJJrIZIO1aqwTLDPxn9wsYTwaP3BVm60AUn/PBLn+NvqcwBauYv6WTEN+VRS+ +GrPSbcKvdmaVayqwlHeFXgQPYh1jdfdr58tbmnDsPmcF8P4HCIDPKNsFxhQnL4Z9 +8Cfe/+Z+M0jnCx5Y0ScrUw5XSmXX+6KAYPxMvDVTAWqXcoKv8R1w6Jz1717CbMdH +flqUhSZNO7rrTOiwCcJlwp2dCZtOtZcFrPUGoPc2BX70kLJrxLT5ZOrpGgrIDajt +J8nU57O5q4IikCc9Kuh8kO+8T/3iCiSn3mUkpF3qwHYw03dQ+A0Em5Q2AXPKBlim +0zvc+gRGE1WKyURHuFE5Gi7oNOJ5y1lKCn+8pu8fA2dqWSslYpPZUxlmPCdiKYZN +pGvu/9ROutW04o5IWgAZCfEF2c6Rsffr6TlP9m8EQ5pV9T4FFL2/s1m02I4zhKOQ +UqqzApVg+QxMaPnu1RcN+HFXtSXkKe5lXa/R7jwXC1pDxaWG6iSe4gUH3DRCEpHW +OXSuTEGC2/KmSNGzm/MzqvOmwMVO9fSddmPmAsYiS8GVP1BkLFTltvA8Kc9XAgMB +AAGjQjBAMB0GA1UdDgQWBBRUYnBj8XWEQ1iO0RYgscasGrz2iTAPBgNVHRMBAf8E +BTADAQH/MA4GA1UdDwEB/wQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAgEAKbqSSaet +8PFww+SX8J+pJdVrnjT+5hpk9jprUrIQeBqfTNqK2uwcN1LgQkv7bHbKJAs5EhWd +nxEt/Hlk3ODg9d3gV8mlsnZwUKT+twpw1aA08XXXTUm6EdGz2OyC/+sOxL9kLX1j +bhd47F18iMjrjld22VkE+rxSH0Ws8HqA7Oxvdq6R2xCOBNyS36D25q5J08FsEhvM +Kar5CKXiNxTKsbhm7xqC5PD48acWabfbqWE8n/Uxy+QARsIvdLGx14HuqCaVvIiv +TDUHKgLKeBRtRytAVunLKmChZwOgzoy8sHJnxDHO2zTlJQNgJXtxmOTAGytfdELS +S8VZCAeHvsXDf+eW2eHcKJfWjwXj9ZtOyh1QRwVTsMo554WgicEFOwE30z9J4nfr 
+I8iIZjs9OXYhRvHsXyO466JmdXTBQPfYaJqT4i2pLr0cox7IdMakLXogqzu4sEb9 +b91fUlV1YvCXoHzXOP0l382gmxDPi7g4Xl7FtKYCNqEeXxzP4padKar9mK5S4fNB +UvupLnKWnyfjqnN9+BojZns7q2WwMgFLFT49ok8MKzWixtlnEjUwzXYuFrOZnk1P +Ti07NEPhmg4NpGaXutIcSkwsKouLgU9xGqndXHt7CMUADTdA43x7VF8vhV929ven +sBxXVsFy6K2ir40zSbofitzmdHxghm+Hl3s= +-----END CERTIFICATE----- ### IZENPE S.A. 
@@ -3881,57 +4497,6 @@ uLjbvrW5KfnaNwUASZQDhETnv0Mxz3WLJdH0pmT1kvarBes96aULNmLazAZfNou2 XjG4Kvte9nHfRCaexOYNkbQudZWAUWpLMKawYqGT8ZvYzsRjdT9ZR7E= -----END CERTIFICATE----- -### Network Solutions L.L.C. - -=== /C=US/O=Network Solutions L.L.C./CN=Network Solutions Certificate Authority -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 57:cb:33:6f:c2:5c:16:e6:47:16:17:e3:90:31:68:e0 - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Dec 1 00:00:00 2006 GMT - Not After : Dec 31 23:59:59 2029 GMT - Subject: C=US, O=Network Solutions L.L.C., CN=Network Solutions Certificate Authority - X509v3 extensions: - X509v3 Subject Key Identifier: - 21:30:C9:FB:00:D7:4E:98:DA:87:AA:2A:D0:A7:2E:B1:40:31:A7:4C - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 CRL Distribution Points: - - Full Name: - URI:http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl - -SHA1 Fingerprint=74:F8:A3:C3:EF:E7:B3:90:06:4B:83:90:3C:21:64:60:20:E5:DF:CE -SHA256 Fingerprint=15:F0:BA:00:A3:AC:7A:F3:AC:88:4C:07:2B:10:11:A0:77:BD:77:C0:97:F4:01:64:B2:F8:59:8A:BD:83:86:0C ------BEGIN CERTIFICATE----- -MIID5jCCAs6gAwIBAgIQV8szb8JcFuZHFhfjkDFo4DANBgkqhkiG9w0BAQUFADBi -MQswCQYDVQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMu -MTAwLgYDVQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3Jp -dHkwHhcNMDYxMjAxMDAwMDAwWhcNMjkxMjMxMjM1OTU5WjBiMQswCQYDVQQGEwJV -UzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYDVQQDEydO -ZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqG -SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDkvH6SMG3G2I4rC7xGzuAnlt7e+foS0zwz -c7MEL7xxjOWftiJgPl9dzgn/ggwbmlFQGiaJ3dVhXRncEg8tCqJDXRfQNJIg6nPP -OCwGJgl6cvf6UDL4wpPTaaIjzkGxzOTVHzbRijr4jGPiFFlp7Q3Tf2vouAPlT2rl -mGNpSAW+Lv8ztumXWWn4Zxmuk2GWRBXTcrA/vGp97Eh/jcOrqnErU2lBUzS1sLnF -BgrEsEX1QV1uiUV7PTsmjHTC5dLRfbIR1PtYMiKagMnc/Qzpf14Dl847ABSHJ3A4 -qY5usyd2mFHgBeMhqxrVhSI8KbWaFsWAqPS7azCPL0YCorEMIuDTAgMBAAGjgZcw 
-gZQwHQYDVR0OBBYEFCEwyfsA106Y2oeqKtCnLrFAMadMMA4GA1UdDwEB/wQEAwIB -BjAPBgNVHRMBAf8EBTADAQH/MFIGA1UdHwRLMEkwR6BFoEOGQWh0dHA6Ly9jcmwu -bmV0c29sc3NsLmNvbS9OZXR3b3JrU29sdXRpb25zQ2VydGlmaWNhdGVBdXRob3Jp -dHkuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQC7rkvnt1frf6ott3NHhWrB5KUd5Oc8 -6fRZZXe1eltajSU24HqXLjjAV2CDmAaDn7l2em5Q4LqILPxFzBiwmZVRDuwduIj/ -h1AcgsLj4DKAv6ALR8jDMe+ZZzKATxcheQxpXN5eNK4CtSbqUN9/GGUsyfJj4akH -/nxxH2szJGoeBfcFaMBqEssuXmHLrijTfsK0ZpEmXzwuJF/LWA/rKOyvEZbz3Htv -wKeI8lN3s2Berq4o2jUsbzRF0ybh3uxbTydrFny9RAQYgrOJeRcQcT16ohZO9QHN -pGxlaKFJdlxDydi8NmdspZS11My5vWo1ViHe2MPr+8ukYEywVaCge1ey ------END CERTIFICATE----- - ### QuoVadis Limited === /C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 1 G3 
@@ -4215,6 +4780,92 @@ ywaZWWDYWGWVjUTR939+J399roD1B0y2PpxxVJkES/1Y+Zj0 ### SECOM Trust Systems CO.,LTD. +=== /C=JP/O=SECOM Trust Systems CO.,LTD./CN=Security Communication ECC RootCA1 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + d6:5d:9b:b3:78:81:2e:eb + Signature Algorithm: ecdsa-with-SHA384 + Validity + Not Before: Jun 16 05:15:28 2016 GMT + Not After : Jan 18 05:15:28 2038 GMT + Subject: C=JP, O=SECOM Trust Systems CO.,LTD., CN=Security Communication ECC RootCA1 + X509v3 extensions: + X509v3 Subject Key Identifier: + 86:1C:E7:FE:2D:A5:4A:8B:08:FE:28:11:FA:BE:A3:66:F8:60:59:2F + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=B8:0E:26:A9:BF:D2:B2:3B:C0:EF:46:C9:BA:C7:BB:F6:1D:0D:41:41 +SHA256 Fingerprint=E7:4F:BD:A5:5B:D5:64:C4:73:A3:6B:44:1A:A7:99:C8:A6:8E:07:74:40:E8:28:8B:9F:A1:E5:0E:4B:BA:CA:11 +-----BEGIN CERTIFICATE----- +MIICODCCAb6gAwIBAgIJANZdm7N4gS7rMAoGCCqGSM49BAMDMGExCzAJBgNVBAYT +AkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMSswKQYD +VQQDEyJTZWN1cml0eSBDb21tdW5pY2F0aW9uIEVDQyBSb290Q0ExMB4XDTE2MDYx +NjA1MTUyOFoXDTM4MDExODA1MTUyOFowYTELMAkGA1UEBhMCSlAxJTAjBgNVBAoT +HFNFQ09NIFRydXN0IFN5c3RlbXMgQ08uLExURC4xKzApBgNVBAMTIlNlY3VyaXR5 +IENvbW11bmljYXRpb24gRUNDIFJvb3RDQTEwdjAQBgcqhkjOPQIBBgUrgQQAIgNi +AASkpW9gAwPDvTH00xecK4R1rOX9PVdu12O/5gSJko6BnOPpR27KkBLIE+Cnnfdl +dB9sELLo5OnvbYUymUSxXv3MdhDYW72ixvnWQuRXdtyQwjWpS4g8EkdtXP9JTxpK +ULGjQjBAMB0GA1UdDgQWBBSGHOf+LaVKiwj+KBH6vqNm+GBZLzAOBgNVHQ8BAf8E +BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjAVXUI9/Lbu +9zuxNuie9sRGKEkz0FhDKmMpzE2xtHqiuQ04pV1IKv3LsnNdo4gIxwwCMQDAqy0O +be0YottT6SXbVQjgUMzfRGEWgqtJsLKB7HOHeLRMsmIbEvoWTSVLY70eN9k= +-----END CERTIFICATE----- +=== /C=JP/O=SECOM Trust Systems CO.,LTD./CN=Security Communication RootCA3 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + e1:7c:37:40:fd:1b:fe:67 + Signature Algorithm: sha384WithRSAEncryption + Validity + Not Before: Jun 16 06:17:16 2016 
GMT + Not After : Jan 18 06:17:16 2038 GMT + Subject: C=JP, O=SECOM Trust Systems CO.,LTD., CN=Security Communication RootCA3 + X509v3 extensions: + X509v3 Subject Key Identifier: + 64:14:7C:FC:58:72:16:A6:0A:29:34:15:6F:2A:CB:BC:FC:AF:A8:AB + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=C3:03:C8:22:74:92:E5:61:A2:9C:5F:79:91:2B:1E:44:13:91:30:3A +SHA256 Fingerprint=24:A5:5C:2A:B0:51:44:2D:06:17:76:65:41:23:9A:4A:D0:32:D7:C5:51:75:AA:34:FF:DE:2F:BC:4F:5C:52:94 +-----BEGIN CERTIFICATE----- +MIIFfzCCA2egAwIBAgIJAOF8N0D9G/5nMA0GCSqGSIb3DQEBDAUAMF0xCzAJBgNV +BAYTAkpQMSUwIwYDVQQKExxTRUNPTSBUcnVzdCBTeXN0ZW1zIENPLixMVEQuMScw +JQYDVQQDEx5TZWN1cml0eSBDb21tdW5pY2F0aW9uIFJvb3RDQTMwHhcNMTYwNjE2 +MDYxNzE2WhcNMzgwMTE4MDYxNzE2WjBdMQswCQYDVQQGEwJKUDElMCMGA1UEChMc +U0VDT00gVHJ1c3QgU3lzdGVtcyBDTy4sTFRELjEnMCUGA1UEAxMeU2VjdXJpdHkg +Q29tbXVuaWNhdGlvbiBSb290Q0EzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC +CgKCAgEA48lySfcw3gl8qUCBWNO0Ot26YQ+TUG5pPDXC7ltzkBtnTCHsXzW7OT4r +CmDvu20rhvtxosis5FaU+cmvsXLUIKx00rgVrVH+hXShuRD+BYD5UpOzQD11EKzA +lrenfna84xtSGc4RHwsENPXY9Wk8d/Nk9A2qhd7gCVAEF5aEt8iKvE1y/By7z/MG +TfmfZPd+pmaGNXHIEYBMwXFAWB6+oHP2/D5Q4eAvJj1+XCO1eXDe+uDRpdYMQXF7 +9+qMHIjH7Iv10S9VlkZ8WjtYO/u62C21Jdp6Ts9EriGmnpjKIG58u4iFW/vAEGK7 +8vknR+/RiTlDxN/e4UG/VHMgly1s2vPUB6PmudhvrvyMGS7TZ2crldtYXLVqAvO4 +g160a75BflcJdURQVc1aEWEhCmHCqYj9E7wtiS/NYeCVvsq1e+F7NGcLH7YMx3we +GVPKp7FKFSBWFHA9K4IsD50VHUeAR/94mQ4xr28+j+2GaR57GIgUssL8gjMunEst ++3A7caoreyYn8xrC3PsXuKHqy6C0rtOUfnrQq8PsOC0RLoi/1D+tEjtCrI8Cbn3M +0V9hvqG8OmpI6iZVIhZdXw3/JzOfGAN0iltSIEdrRU0id4xVJ/CvHozJgyJUt5rQ +T9nO/NkuHJYosQLTA70lUhw0Zk8jq/R3gpYd0VcwCBEF/VfR2ccCAwEAAaNCMEAw +HQYDVR0OBBYEFGQUfPxYchamCik0FW8qy7z8r6irMA4GA1UdDwEB/wQEAwIBBjAP +BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDAUAA4ICAQDcAiMI4u8hOscNtybS +YpOnpSNyByCCYN8Y11StaSWSntkUz5m5UoHPrmyKO1o5yGwBQ8IibQLwYs1OY0PA +FNr0Y/Dq9HHuTofjcan0yVflLl8cebsjqodEV+m9NU1Bu0soo5iyG9kLFwfl9+qd 
+9XbXv8S2gVj/yP9kaWJ5rW4OH3/uHWnlt3Jxs/6lATWUVCvAUm2PVcTJ0rjLyjQI +UYWg9by0F1jqClx6vWPGOi//lkkZhOpn2ASxYfQAW0q3nHE3GYV5v4GwxxMOdnE+ +OoAGrgYWp421wsTL/0ClXI2lyTrtcoHKXJg80jQDdwj98ClZXSEIx2C/pHF7uNke +gr4Jr2VvKKu/S7XuPghHJ6APbw+LP6yVGPO5DtxnVW5inkYO0QR4ynKudtml+LLf +iAlhi+8kTtFZP1rUPcmTPCtk9YENFpb3ksP+MW/oKjJ0DvRMmEoYDjBU1cXrvMUV +nuiZIesnKwkK2/HmcBhWuwzkvvnoEKQTkrgc4NtnHVMDpCKn3F2SEDzq//wbEBrD +2NCcnWXL0CsnMQMeNuE9dnUM/0Umud1RvCPHX9jYhxBAEg09ODfnRDwYwFMJZI// +1ZqmfHAuc1Uh6N//g7kdPjIe1qZ9LPFm6Vwdp6POXiUyK+OVrCoHzrQoeIY8Laad +TdJ0MN1kURXbg4NR16/9M51NZg== +-----END CERTIFICATE----- === /C=JP/O=SECOM Trust Systems CO.,LTD./OU=Security Communication RootCA2 Certificate: Data: @@ -4403,9 +5054,6 @@ CPyI6a6Lf+Ew9Dd+/cYy2i2eRDAwbO4H3tI0/NL/QPZL9GZGBlSm8jIKYyYwa5vR 3ItHuuG51WLQoqD0ZwV4KWMabwTW+MZMo5qxN7SN5ShLHZ4swrhovO0C7jE= -----END CERTIFICATE----- -### Sonera - - ### SSL Corporation === /C=US/ST=Texas/L=Houston/O=SSL Corporation/CN=SSL.com EV Root Certification Authority ECC 
@@ -4597,60 +5245,6 @@ oYYitmUnDuy2n0Jg5GfCtdpBC8TTi2EbvPofkSvXRAdeuims2cXp71NIWuuA8ShY Ic2wBlX7Jz9TkHCpBB5XJ7k= -----END CERTIFICATE----- -### Staat der Nederlanden - -=== /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden EV Root CA -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 10000013 (0x98968d) - Signature Algorithm: sha256WithRSAEncryption - Validity - Not Before: Dec 8 11:19:29 2010 GMT - Not After : Dec 8 11:10:28 2022 GMT - Subject: C=NL, O=Staat der Nederlanden, CN=Staat der Nederlanden EV Root CA - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Certificate Sign, CRL Sign - X509v3 Subject Key Identifier: - FE:AB:00:90:98:9E:24:FC:A9:CC:1A:8A:FB:27:B8:BF:30:6E:A8:3B -SHA1 Fingerprint=76:E2:7E:C1:4F:DB:82:C1:C0:A6:75:B5:05:BE:3D:29:B4:ED:DB:BB -SHA256 Fingerprint=4D:24:91:41:4C:FE:95:67:46:EC:4C:EF:A6:CF:6F:72:E2:8A:13:29:43:2F:9D:8A:90:7A:C4:CB:5D:AD:C1:5A ------BEGIN CERTIFICATE----- -MIIFcDCCA1igAwIBAgIEAJiWjTANBgkqhkiG9w0BAQsFADBYMQswCQYDVQQGEwJO -TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSkwJwYDVQQDDCBTdGFh -dCBkZXIgTmVkZXJsYW5kZW4gRVYgUm9vdCBDQTAeFw0xMDEyMDgxMTE5MjlaFw0y -MjEyMDgxMTEwMjhaMFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIg -TmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBS -b290IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA48d+ifkkSzrS -M4M1LGns3Amk41GoJSt5uAg94JG6hIXGhaTK5skuU6TJJB79VWZxXSzFYGgEt9nC -UiY4iKTWO0Cmws0/zZiTs1QUWJZV1VD+hq2kY39ch/aO5ieSZxeSAgMs3NZmdO3d -Z//BYY1jTw+bbRcwJu+r0h8QoPnFfxZpgQNH7R5ojXKhTbImxrpsX23Wr9GxE46p -rfNeaXUmGD5BKyF/7otdBwadQ8QpCiv8Kj6GyzyDOvnJDdrFmeK8eEEzduG/L13l -pJhQDBXd4Pqcfzho0LKmeqfRMb1+ilgnQ7O6M5HTp5gVXJrm0w912fxBmJc+qiXb -j5IusHsMX/FjqTf5m3VpTCgmJdrV8hJwRVXj33NeN/UhbJCONVrJ0yPr08C+eKxC -KFhmpUZtcALXEPlLVPxdhkqHz3/KRawRWrUgUY0viEeXOcDPusBCAUCZSCELa6fS -/ZbV0b5GnUngC6agIk440ME8MLxwjyx1zNDFjFE7PZQIZCZhfbnDZY8UnCHQqv0X -cgOPvZuM5l5Tnrmd74K74bzickFbIZTTRTeU0d8JOV3nI6qaHcptqAqGhYqCvkIH 
-1vI4gnPah1vlPNOePqc7nvQDs/nxfRN0Av+7oeX6AHkcpmZBiFxgV6YuCcS6/ZrP -px9Aw7vMWgpVSzs4dlG4Y4uElBbmVvMCAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB -/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFP6rAJCYniT8qcwaivsnuL8wbqg7 -MA0GCSqGSIb3DQEBCwUAA4ICAQDPdyxuVr5Os7aEAJSrR8kN0nbHhp8dB9O2tLsI -eK9p0gtJ3jPFrK3CiAJ9Brc1AsFgyb/E6JTe1NOpEyVa/m6irn0F3H3zbPB+po3u -2dfOWBfoqSmuc0iH55vKbimhZF8ZE/euBhD/UcabTVUlT5OZEAFTdfETzsemQUHS -v4ilf0X8rLiltTMMgsT7B/Zq5SWEXwbKwYY5EdtYzXc7LMJMD16a4/CrPmEbUCTC -wPTxGfARKbalGAKb12NMcIxHowNDXLldRqANb/9Zjr7dn3LDWyvfjFvO5QxGbJKy -CqNMVEIYFRIYvdr8unRu/8G2oGTYqV9Vrp9canaW2HNnh/tNf1zuacpzEPuKqf2e -vTY4SUmH9A4U8OmHuD+nT3pajnnUk+S7aFKErGzp85hwVXIy+TSrK0m1zSBi5Dp6 -Z2Orltxtrpfs/J92VoguZs9btsmksNcFuuEnL5O7Jiqik7Ab846+HUCjuTaPPoIa -Gl6I6lD4WeKDRikL40Rc4ZW2aZCaFG+XroHPaO+Zmr615+F/+PoTRxZMzG0IQOeL -eG9QgkRQP2YGiqtDhFZKDyAthg710tvSeopLzaXoTvFeJiUBWSOgftL2fiFX1ye8 -FVdMpEbB4IMeDExNH08GGeL5qPQ6gqGyeUN51q1veieQA6TqJIc/2b3Z6fJfUEkc -7uzXLg== ------END CERTIFICATE----- - ### Starfield Technologies, Inc. === /C=US/O=Starfield Technologies, Inc./OU=Starfield Class 2 Certification Authority 
@@ -5085,6 +5679,64 @@ aspHYcN6+NOSBB+4IIThNlQWx0DeO4pz3N/GCUzf7Nr/1FNCocnyYh0igzyXxfkZ YiesZSLX0zzG5Y6yU8xJzrww/nsOM5D77dIUkR8Hrw== -----END CERTIFICATE----- +### Telia Finland Oyj + +=== /C=FI/O=Telia Finland Oyj/CN=Telia Root CA v2 +Certificate: + Data: + Version: 3 (0x2) + Serial Number: + 01:67:5f:27:d6:fe:7a:e3:e4:ac:be:09:5b:05:9e + Signature Algorithm: sha256WithRSAEncryption + Validity + Not Before: Nov 29 11:55:54 2018 GMT + Not After : Nov 29 11:55:54 2043 GMT + Subject: C=FI, O=Telia Finland Oyj, CN=Telia Root CA v2 + X509v3 extensions: + X509v3 Authority Key Identifier: + keyid:72:AC:E4:33:79:AA:45:87:F6:FD:AC:1D:9E:D6:C7:2F:86:D8:24:39 + + X509v3 Subject Key Identifier: + 72:AC:E4:33:79:AA:45:87:F6:FD:AC:1D:9E:D6:C7:2F:86:D8:24:39 + X509v3 Key Usage: critical + Certificate Sign, CRL Sign + X509v3 Basic Constraints: critical + CA:TRUE +SHA1 Fingerprint=B9:99:CD:D1:73:50:8A:C4:47:05:08:9C:8C:88:FB:BE:A0:2B:40:CD +SHA256 Fingerprint=24:2B:69:74:2F:CB:1E:5B:2A:BF:98:89:8B:94:57:21:87:54:4E:5B:4D:99:11:78:65:73:62:1F:6A:74:B8:2C +-----BEGIN CERTIFICATE----- +MIIFdDCCA1ygAwIBAgIPAWdfJ9b+euPkrL4JWwWeMA0GCSqGSIb3DQEBCwUAMEQx +CzAJBgNVBAYTAkZJMRowGAYDVQQKDBFUZWxpYSBGaW5sYW5kIE95ajEZMBcGA1UE +AwwQVGVsaWEgUm9vdCBDQSB2MjAeFw0xODExMjkxMTU1NTRaFw00MzExMjkxMTU1 +NTRaMEQxCzAJBgNVBAYTAkZJMRowGAYDVQQKDBFUZWxpYSBGaW5sYW5kIE95ajEZ +MBcGA1UEAwwQVGVsaWEgUm9vdCBDQSB2MjCCAiIwDQYJKoZIhvcNAQEBBQADggIP +ADCCAgoCggIBALLQPwe84nvQa5n44ndp586dpAO8gm2h/oFlH0wnrI4AuhZ76zBq +AMCzdGh+sq/H1WKzej9Qyow2RCRj0jbpDIX2Q3bVTKFgcmfiKDOlyzG4OiIjNLh9 +vVYiQJ3q9HsDrWj8soFPmNB06o3lfc1jw6P23pLCWBnglrvFxKk9pXSW/q/5iaq9 +lRdU2HhE8Qx3FZLgmEKnpNaqIJLNwaCzlrI6hEKNfdWV5Nbb6WLEWLN5xYzTNTOD +n3WhUidhOPFZPY5Q4L15POdslv5e2QJltI5c0BE0312/UqeBAMN/mUWZFdUXyApT +7GPzmX3MaRKGwhfwAZ6/hLzRUssbkmbOpFPlob/E2wnW5olWK8jjfN7j/4nlNW4o +6GwLI1GpJQXrSPjdscr6bAhR77cYbETKJuFzxokGgeWKrLDiKca5JLNrRBH0pUPC +TEPlcDaMtjNXepUugqD0XBCzYYP2AgWGLnwtbNwDRm41k9V6lS/eINhbfpSQBGq6 
+WT0EBXWdN6IOLj3rwaRSg/7Qa9RmjtzG6RJOHSpXqhC8fF6CfaamyfItufUXJ63R +DolUK5X6wK0dmBR4M0KGCqlztft0DbcbMBnEWg4cJ7faGND/isgFuvGqHKI3t+ZI +pEYslOqodmJHixBTB0hXbOKSTbauBcvcwUpej6w9GU7C7WB1K9vBykLVAgMBAAGj +YzBhMB8GA1UdIwQYMBaAFHKs5DN5qkWH9v2sHZ7Wxy+G2CQ5MB0GA1UdDgQWBBRy +rOQzeapFh/b9rB2e1scvhtgkOTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUw +AwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAoDtZpwmUPjaE0n4vOaWWl/oRrfxn83EJ +8rKJhGdEr7nv7ZbsnGTbMjBvZ5qsfl+yqwE2foH65IRe0qw24GtixX1LDoJt0nZi +0f6X+J8wfBj5tFJ3gh1229MdqfDBmgC9bXXYfef6xzijnHDoRnkDry5023X4blMM +A8iZGok1GTzTyVR8qPAs5m4HeW9q4ebqkYJpCh3DflminmtGFZhb069GHWLIzoBS +SRE/yQQSwxN8PzuKlts8oB4KtItUsiRnDe+Cy748fdHif64W1lZYudogsYMVoe+K +TTJvQS8TUoKU1xrBeKJR3Stwbbca+few4GeXVtt8YVMJAygCQMez2P2ccGrGKMOF +6eLtGpOg3kuYooQ+BXcBlj37tCAPnHICehIv1aO6UXivKitEZU61/Qrowc15h2Er +3oBXRb9n8ZuRXqWk7FlIEA04x7D6w0RtBPV4UBySllva9bguulvP5fBqnUsvWHMt +Ty3EHD70sz+rFQ47GUGKpMFXEmZxTPpT41frYpUJnlTd0cI8Vzy9OK2YZLe4A5pT +VmBds9hCG1xLEooc6+t9xnppxyd/pPiL8uSUZodL6ZQHCRJ5irLrdATczvREWeAW +ysUsWNc8e89ihmpQfTU2Zqf7N+cox9jQraVplI/owd8k+BsHMYeB2F326CjYSlKA +rBPuUBQemMc= +-----END CERTIFICATE----- + ### TeliaSonera === /O=TeliaSonera/CN=TeliaSonera Root CA v1 
@@ -5280,208 +5932,6 @@ L6KCq9NjRHDEjf8tM7qtj3u1cIiuPhnPQCjY/MiQu12ZIvVS5ljFH4gxQ+6IHdfG jjxDah2nGN59PRbxYvnKkKj9 -----END CERTIFICATE----- -### TrustCor Systems S. de R.L. - -=== /C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor ECA-1 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 84:82:2c:5f:1c:62:d0:40 - Signature Algorithm: sha256WithRSAEncryption - Validity - Not Before: Feb 4 12:32:33 2016 GMT - Not After : Dec 31 17:28:07 2029 GMT - Subject: C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor ECA-1 - X509v3 extensions: - X509v3 Subject Key Identifier: - 44:9E:48:F5:CC:6D:48:D4:A0:4B:7F:FE:59:24:2F:83:97:99:9A:86 - X509v3 Authority Key Identifier: - keyid:44:9E:48:F5:CC:6D:48:D4:A0:4B:7F:FE:59:24:2F:83:97:99:9A:86 - - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Digital Signature, Certificate Sign, CRL Sign -SHA1 Fingerprint=58:D1:DF:95:95:67:6B:63:C0:F0:5B:1C:17:4D:8B:84:0B:C8:78:BD -SHA256 Fingerprint=5A:88:5D:B1:9C:01:D9:12:C5:75:93:88:93:8C:AF:BB:DF:03:1A:B2:D4:8E:91:EE:15:58:9B:42:97:1D:03:9C ------BEGIN CERTIFICATE----- -MIIEIDCCAwigAwIBAgIJAISCLF8cYtBAMA0GCSqGSIb3DQEBCwUAMIGcMQswCQYD -VQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEk -MCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U -cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxFzAVBgNVBAMMDlRydXN0Q29y -IEVDQS0xMB4XDTE2MDIwNDEyMzIzM1oXDTI5MTIzMTE3MjgwN1owgZwxCzAJBgNV -BAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw -IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRy -dXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEXMBUGA1UEAwwOVHJ1c3RDb3Ig -RUNBLTEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPj+ARtZ+odnbb -3w9U73NjKYKtR8aja+3+XzP4Q1HpGjORMRegdMTUpwHmspI+ap3tDvl0mEDTPwOA -BoJA6LHip1GnHYMma6ve+heRK9jGrB6xnhkB1Zem6g23xFUfJ3zSCNV2HykVh0A5 -3ThFEXXQmqc04L/NyFIduUd+Dbi7xgz2c1cWWn5DkR9VOsZtRASqnKmcp0yJF4Ou 
-owReUoCLHhIlERnXDH19MURB6tuvsBzvgdAsxZohmz3tQjtQJvLsznFhBmIhVE5/ -wZ0+fyCMgMsq2JdiyIMzkX2woloPV+g7zPIlstR8L+xNxqE6FXrntl019fZISjZF -ZtS6mFjBAgMBAAGjYzBhMB0GA1UdDgQWBBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAf -BgNVHSMEGDAWgBREnkj1zG1I1KBLf/5ZJC+Dl5mahjAPBgNVHRMBAf8EBTADAQH/ -MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsFAAOCAQEABT41XBVwm8nHc2Fv -civUwo/yQ10CzsSUuZQRg2dd4mdsdXa/uwyqNsatR5Nj3B5+1t4u/ukZMjgDfxT2 -AHMsWbEhBuH7rBiVDKP/mZb3Kyeb1STMHd3BOuCYRLDE5D53sXOpZCz2HAF8P11F -hcCF5yWPldwX8zyfGm6wyuMdKulMY/okYWLW2n62HGz1Ah3UKt1VkOsqEUc8Ll50 -soIipX1TH0XsJ5F95yIW6MBoNtjG8U+ARDL54dHRHareqKucBK+tIA5kmE2la8BI -WJZpTdwHjFGTot+fDz2LYLSCjaoITmJF4PkL0uDgPFveXHEnJcLmA4GLEFPjx1Wi -tJ/X5g== ------END CERTIFICATE----- -=== /C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor RootCert CA-1 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - da:9b:ec:71:f3:03:b0:19 - Signature Algorithm: sha256WithRSAEncryption - Validity - Not Before: Feb 4 12:32:16 2016 GMT - Not After : Dec 31 17:23:16 2029 GMT - Subject: C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. 
de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-1 - X509v3 extensions: - X509v3 Subject Key Identifier: - EE:6B:49:3C:7A:3F:0D:E3:B1:09:B7:8A:C8:AB:19:9F:73:33:50:E7 - X509v3 Authority Key Identifier: - keyid:EE:6B:49:3C:7A:3F:0D:E3:B1:09:B7:8A:C8:AB:19:9F:73:33:50:E7 - - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Digital Signature, Certificate Sign, CRL Sign -SHA1 Fingerprint=FF:BD:CD:E7:82:C8:43:5E:3C:6F:26:86:5C:CA:A8:3A:45:5B:C3:0A -SHA256 Fingerprint=D4:0E:9C:86:CD:8F:E4:68:C1:77:69:59:F4:9E:A7:74:FA:54:86:84:B6:C4:06:F3:90:92:61:F4:DC:E2:57:5C ------BEGIN CERTIFICATE----- -MIIEMDCCAxigAwIBAgIJANqb7HHzA7AZMA0GCSqGSIb3DQEBCwUAMIGkMQswCQYD -VQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEgQ2l0eTEk -MCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYDVQQLDB5U -cnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRydXN0Q29y -IFJvb3RDZXJ0IENBLTEwHhcNMTYwMjA0MTIzMjE2WhcNMjkxMjMxMTcyMzE2WjCB -pDELMAkGA1UEBhMCUEExDzANBgNVBAgMBlBhbmFtYTEUMBIGA1UEBwwLUGFuYW1h -IENpdHkxJDAiBgNVBAoMG1RydXN0Q29yIFN5c3RlbXMgUy4gZGUgUi5MLjEnMCUG -A1UECwweVHJ1c3RDb3IgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYDVQQDDBZU -cnVzdENvciBSb290Q2VydCBDQS0xMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEAv463leLCJhJrMxnHQFgKq1mqjQCj/IDHUHuO1CAmujIS2CNUSSUQIpid -RtLByZ5OGy4sDjjzGiVoHKZaBeYei0i/mJZ0PmnK6bV4pQa81QBeCQryJ3pS/C3V -seq0iWEk8xoT26nPUu0MJLq5nux+AHT6k61sKZKuUbS701e/s/OojZz0JEsq1pme -9J7+wH5COucLlVPat2gOkEz7cD+PSiyU8ybdY2mplNgQTsVHCJCZGxdNuWxu72CV -EY4hgLW9oHPY0LJ3xEXqWib7ZnZ2+AYfYW0PVcWDtxBWcgYHpfOxGgMFZA6dWorW -hnAbJN7+KIor0Gqw/Hqi3LJ5DotlDwIDAQABo2MwYTAdBgNVHQ4EFgQU7mtJPHo/ -DeOxCbeKyKsZn3MzUOcwHwYDVR0jBBgwFoAU7mtJPHo/DeOxCbeKyKsZn3MzUOcw -DwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYwDQYJKoZIhvcNAQELBQAD -ggEBACUY1JGPE+6PHh0RU9otRCkZoB5rMZ5NDp6tPVxBb5UrJKF5mDo4Nvu7Zp5I -/5CQ7z3UuJu0h3U/IJvOcs+hVcFNZKIZBqEHMwwLKeXx6quj7LUKdJDHfXLy11yf -ke+Ri7fc7Waiz45mO7yfOgLgJ90WmMCV1Aqk5IGadZQ1nJBfiDcGrVmVCrDRZ9MZ 
-yonnMlo2HD6CqFqTvsbQZJG2z9m2GM/bftJlo6bEjhcxwft+dtvTheNYsnd6djts -L1Ac59v2Z3kf9YKVmgenFK+P3CghZwnS1k1aHBkcjndcw5QkPTJrS37UeJSDvjdN -zl/HHk484IkzlQsPpTLWPFp5LBk= ------END CERTIFICATE----- -=== /C=PA/ST=Panama/L=Panama City/O=TrustCor Systems S. de R.L./OU=TrustCor Certificate Authority/CN=TrustCor RootCert CA-2 -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 2711694510199101698 (0x25a1dfca33cb5902) - Signature Algorithm: sha256WithRSAEncryption - Validity - Not Before: Feb 4 12:32:23 2016 GMT - Not After : Dec 31 17:26:39 2034 GMT - Subject: C=PA, ST=Panama, L=Panama City, O=TrustCor Systems S. de R.L., OU=TrustCor Certificate Authority, CN=TrustCor RootCert CA-2 - X509v3 extensions: - X509v3 Subject Key Identifier: - D9:FE:21:40:6E:94:9E:BC:9B:3D:9C:7D:98:20:19:E5:8C:30:62:B2 - X509v3 Authority Key Identifier: - keyid:D9:FE:21:40:6E:94:9E:BC:9B:3D:9C:7D:98:20:19:E5:8C:30:62:B2 - - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Key Usage: critical - Digital Signature, Certificate Sign, CRL Sign -SHA1 Fingerprint=B8:BE:6D:CB:56:F1:55:B9:63:D4:12:CA:4E:06:34:C7:94:B2:1C:C0 -SHA256 Fingerprint=07:53:E9:40:37:8C:1B:D5:E3:83:6E:39:5D:AE:A5:CB:83:9E:50:46:F1:BD:0E:AE:19:51:CF:10:FE:C7:C9:65 ------BEGIN CERTIFICATE----- -MIIGLzCCBBegAwIBAgIIJaHfyjPLWQIwDQYJKoZIhvcNAQELBQAwgaQxCzAJBgNV -BAYTAlBBMQ8wDQYDVQQIDAZQYW5hbWExFDASBgNVBAcMC1BhbmFtYSBDaXR5MSQw -IgYDVQQKDBtUcnVzdENvciBTeXN0ZW1zIFMuIGRlIFIuTC4xJzAlBgNVBAsMHlRy -dXN0Q29yIENlcnRpZmljYXRlIEF1dGhvcml0eTEfMB0GA1UEAwwWVHJ1c3RDb3Ig -Um9vdENlcnQgQ0EtMjAeFw0xNjAyMDQxMjMyMjNaFw0zNDEyMzExNzI2MzlaMIGk -MQswCQYDVQQGEwJQQTEPMA0GA1UECAwGUGFuYW1hMRQwEgYDVQQHDAtQYW5hbWEg -Q2l0eTEkMCIGA1UECgwbVHJ1c3RDb3IgU3lzdGVtcyBTLiBkZSBSLkwuMScwJQYD -VQQLDB5UcnVzdENvciBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkxHzAdBgNVBAMMFlRy -dXN0Q29yIFJvb3RDZXJ0IENBLTIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIK -AoICAQCnIG7CKqJiJJWQdsg4foDSq8GbZQWU9MEKENUCrO2fk8eHyLAnK0IMPQo+ -QVqedd2NyuCb7GgypGmSaIwLgQ5WoD4a3SwlFIIvl9NkRvRUqdw6VC0xK5mC8tkq 
-1+9xALgxpL56JAfDQiDyitSSBBtlVkxs1Pu2YVpHI7TYabS3OtB0PAx1oYxOdqHp -2yqlO/rOsP9+aij9JxzIsekp8VduZLTQwRVtDr4uDkbIXvRR/u8OYzo7cbrPb1nK -DOObXUm4TOJXsZiKQlecdu/vvdFoqNL0Cbt3Nb4lggjEFixEIFapRBF37120Hape -az6LMvYHL1cEksr1/p3C6eizjkxLAjHZ5DxIgif3GIJ2SDpxsROhOdUuxTTCHWKF -3wP+TfSvPd9cW436cOGlfifHhi5qjxLGhF5DUVCcGZt45vz27Ud+ez1m7xMTiF88 -oWP7+ayHNZ/zgp6kPwqcMWmLmaSISo5uZk3vFsQPeSghYA2FFn3XVDjxklb9tTNM -g9zXEJ9L/cb4Qr26fHMC4P99zVvh1Kxhe1fVSntb1IVYJ12/+CtgrKAmrhQhJ8Z3 -mjOAPF5GP/fDsaOGM8boXg25NSyqRsGFAnWAoOsk+xWq5Gd/bnc/9ASKL3x74xdh -8N0JqSDIvgmk0H5Ew7IwSjiqqewYmgeCK9u4nBit2uBGF6zPXQIDAQABo2MwYTAd -BgNVHQ4EFgQU2f4hQG6UnrybPZx9mCAZ5YwwYrIwHwYDVR0jBBgwFoAU2f4hQG6U -nrybPZx9mCAZ5YwwYrIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAYYw -DQYJKoZIhvcNAQELBQADggIBAJ5Fngw7tu/hOsh80QA9z+LqBrWyOrsGS2h60COX -dKcs8AjYeVrXWoSK2BKaG9l9XE1wxaX5q+WjiYndAfrs3fnpkpfbsEZC89NiqpX+ -MWcUaViQCqoL7jcjx1BRtPV+nuN79+TMQjItSQzL/0kMmx40/W5ulop5A7Zv2wnL -/V9lFDfhOPXzYRZY5LVtDQsEGz9QLX+zx3oaFoBg+Iof6Rsqxvm6ARppv9JYx1RX -CI/hOWB3S6xZhBqI8d3LT3jX5+EzLfzuQfogsL7L9ziUwOHQhQ+77Sxzq+3+knYa -ZH9bDTMJBzN7Bj8RpFxwPIXAz+OQqIN3+tvmxYxoZxBnpVIt8MSZj3+/0WvitUfW -2dCFmU2Umw9Lje4AWkcdEQOsQRivh7dvDDqPys/cA8GiCcjl/YBeyGBCARsaU1q7 -N6a3vLqE6R5sGtRk2tRD/pOLS/IseRYQ1JMLiI+h2IYURpFHmygk71dSTlxCnKr3 -Sewn6EAes6aJInKc9Q0ztFijMDvd1GpUk74aTfOTlPf8hAs/hCBcNANExdqtvArB -As8e5ZTZ845b2EzwnexhF7sUMlQMAimTHpKG9n/v55IFDlndmQguLvqcAFLTxWYp -5KeXRKQOKIETNcX2b2TmQcTVL8w0RSXPQQCWPUouwpaYT05KnJe32x+SMsj/D1Fu -1uwJ ------END CERTIFICATE----- - -### Trustis Limited - -=== /C=GB/O=Trustis Limited/OU=Trustis FPS Root CA -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 1b:1f:ad:b6:20:f9:24:d3:36:6b:f7:c7:f1:8c:a0:59 - Signature Algorithm: sha1WithRSAEncryption - Validity - Not Before: Dec 23 12:14:06 2003 GMT - Not After : Jan 21 11:36:54 2024 GMT - Subject: C=GB, O=Trustis Limited, OU=Trustis FPS Root CA - X509v3 extensions: - X509v3 Basic Constraints: critical - CA:TRUE - X509v3 Authority Key Identifier: - 
keyid:BA:FA:71:25:79:8B:57:41:25:21:86:0B:71:EB:B2:64:0E:8B:21:67 - - X509v3 Subject Key Identifier: - BA:FA:71:25:79:8B:57:41:25:21:86:0B:71:EB:B2:64:0E:8B:21:67 -SHA1 Fingerprint=3B:C0:38:0B:33:C3:F6:A6:0C:86:15:22:93:D9:DF:F5:4B:81:C0:04 -SHA256 Fingerprint=C1:B4:82:99:AB:A5:20:8F:E9:63:0A:CE:55:CA:68:A0:3E:DA:5A:51:9C:88:02:A0:D3:A6:73:BE:8F:8E:55:7D ------BEGIN CERTIFICATE----- -MIIDZzCCAk+gAwIBAgIQGx+ttiD5JNM2a/fH8YygWTANBgkqhkiG9w0BAQUFADBF -MQswCQYDVQQGEwJHQjEYMBYGA1UEChMPVHJ1c3RpcyBMaW1pdGVkMRwwGgYDVQQL -ExNUcnVzdGlzIEZQUyBSb290IENBMB4XDTAzMTIyMzEyMTQwNloXDTI0MDEyMTEx -MzY1NFowRTELMAkGA1UEBhMCR0IxGDAWBgNVBAoTD1RydXN0aXMgTGltaXRlZDEc -MBoGA1UECxMTVHJ1c3RpcyBGUFMgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQAD -ggEPADCCAQoCggEBAMVQe547NdDfxIzNjpvto8A2mfRC6qc+gIMPpqdZh8mQRUN+ -AOqGeSoDvT03mYlmt+WKVoaTnGhLaASMk5MCPjDSNzoiYYkchU59j9WvezX2fihH -iTHcDnlkH5nSW7r+f2C/revnPDgpai/lkQtV/+xvWNUtyd5MZnGPDNcE2gfmHhjj -vSkCqPoc4Vu5g6hBSLwacY3nYuUtsuvffM/bq1rKMfFMIvMFE/eC+XN5DL7XSxzA -0RU8k0Fk0ea+IxciAIleH2ulrG6nS4zto3Lmr2NNL4XSFDWaLk6M6jKYKIahkQlB -OrTh4/L68MkKokHdqeMDx4gVOxzUGpTXn2RZEm0CAwEAAaNTMFEwDwYDVR0TAQH/ -BAUwAwEB/zAfBgNVHSMEGDAWgBS6+nEleYtXQSUhhgtx67JkDoshZzAdBgNVHQ4E -FgQUuvpxJXmLV0ElIYYLceuyZA6LIWcwDQYJKoZIhvcNAQEFBQADggEBAH5Y//01 -GX2cGE+esCu8jowU/yyg2kdbw++BLa8F6nRIW/M+TgfHbcWzk88iNVy2P3UnXwmW -zaD+vkAMXBJV+JOCyinpXj9WV4s4NvdFGkwozZ5BuO1WTISkQMi4sKUraXAEasP4 -1BIy+Q7DsdwyhEQsb8tGD+pmQQ9P8Vilpg0ND2HepZ5dfWWhPBfnqFVO76DH7cZE -f1T1o+CP8HxVIo8ptoGj4W1OLBuAZ+ytIJ8MYmHVl/9D7S3B2l0pKoU/rGXuhg8F -jZBf3+6f9L/uHfuY5H+QK4R4EA5sSVPvFVtlRkpdr7r7OnIdzfYliB6XzCGcKQEN -ZetX2fNXlrtIzYE= ------END CERTIFICATE----- - ### Trustwave Holdings, Inc. === /C=US/ST=Illinois/L=Chicago/O=Trustwave Holdings, Inc./CN=Trustwave Global Certification Authority diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt index 9b66d9f..cfcba62 100644 --- a/crypto/CMakeLists.txt +++ b/crypto/CMakeLists.txt 
@@ -4,7 +4,6 @@ if(HOST_ASM_ELF_ARMV4) set( ASM_ARMV4_ELF_SRC aes/aes-elf-armv4.S - bn/gf2m-elf-armv4.S bn/mont-elf-armv4.S sha/sha1-elf-armv4.S sha/sha512-elf-armv4.S @@ -15,7 +14,6 @@ if(HOST_ASM_ELF_ARMV4) ) add_definitions(-DAES_ASM) add_definitions(-DOPENSSL_BN_ASM_MONT) - add_definitions(-DOPENSSL_BN_ASM_GF2m) add_definitions(-DGHASH_ASM) add_definitions(-DSHA1_ASM) add_definitions(-DSHA256_ASM) @@ -36,7 +34,6 @@ if(HOST_ASM_ELF_X86_64) bn/modexp512-elf-x86_64.S bn/mont-elf-x86_64.S bn/mont5-elf-x86_64.S - bn/gf2m-elf-x86_64.S camellia/cmll-elf-x86_64.S md5/md5-elf-x86_64.S modes/ghash-elf-x86_64.S @@ -47,6 +44,19 @@ if(HOST_ASM_ELF_X86_64) sha/sha512-elf-x86_64.S whrlpool/wp-elf-x86_64.S cpuid-elf-x86_64.S + + bn/arch/amd64/bignum_add.S + bn/arch/amd64/bignum_cmadd.S + bn/arch/amd64/bignum_cmul.S + bn/arch/amd64/bignum_mul.S + bn/arch/amd64/bignum_mul_4_8_alt.S + bn/arch/amd64/bignum_mul_8_16_alt.S + bn/arch/amd64/bignum_sqr.S + bn/arch/amd64/bignum_sqr_4_8_alt.S + bn/arch/amd64/bignum_sqr_8_16_alt.S + bn/arch/amd64/bignum_sub.S + bn/arch/amd64/word_clz.S + bn/arch/amd64/bn_arch.c ) add_definitions(-DAES_ASM) add_definitions(-DBSAES_ASM) @@ -54,7 +64,6 @@ if(HOST_ASM_ELF_X86_64) add_definitions(-DOPENSSL_IA32_SSE2) add_definitions(-DOPENSSL_BN_ASM_MONT) add_definitions(-DOPENSSL_BN_ASM_MONT5) - add_definitions(-DOPENSSL_BN_ASM_GF2m) add_definitions(-DMD5_ASM) add_definitions(-DGHASH_ASM) add_definitions(-DRSA_ASM) @@ -78,7 +87,6 @@ if(HOST_ASM_MACOSX_X86_64) bn/modexp512-macosx-x86_64.S bn/mont-macosx-x86_64.S bn/mont5-macosx-x86_64.S - bn/gf2m-macosx-x86_64.S camellia/cmll-macosx-x86_64.S md5/md5-macosx-x86_64.S modes/ghash-macosx-x86_64.S 
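Review bot: The twelve `bn/arch/amd64/…` entries appended to the ELF x86_64 source list here are repeated verbatim for the macosx list in the `@@ -89,6 +97,19 @@` hunk; listing them once in a shared variable and appending it to both platform lists would stop the two copies drifting apart. `bn/arch/amd64/bn_arch.c` is a C translation unit placed in a list that otherwise holds only `.S` files, so a short comment above it saying why it belongs with the assembly sources would help the next reader. The MASM and MinGW x86_64 lists further down do not receive these files; if the amd64 `bn_arch.h` reached through the include directory added later in this diff assumes the assembly routines are present, those configurations would fail at link time — worth confirming.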
@@ -89,6 +97,19 @@ if(HOST_ASM_MACOSX_X86_64) sha/sha512-macosx-x86_64.S whrlpool/wp-macosx-x86_64.S cpuid-macosx-x86_64.S + + bn/arch/amd64/bignum_add.S + bn/arch/amd64/bignum_cmadd.S + bn/arch/amd64/bignum_cmul.S + bn/arch/amd64/bignum_mul.S + bn/arch/amd64/bignum_mul_4_8_alt.S + bn/arch/amd64/bignum_mul_8_16_alt.S + bn/arch/amd64/bignum_sqr.S + bn/arch/amd64/bignum_sqr_4_8_alt.S + bn/arch/amd64/bignum_sqr_8_16_alt.S + bn/arch/amd64/bignum_sub.S + bn/arch/amd64/word_clz.S + bn/arch/amd64/bn_arch.c ) add_definitions(-DAES_ASM) add_definitions(-DBSAES_ASM) @@ -96,7 +117,6 @@ if(HOST_ASM_MACOSX_X86_64) add_definitions(-DOPENSSL_IA32_SSE2) add_definitions(-DOPENSSL_BN_ASM_MONT) add_definitions(-DOPENSSL_BN_ASM_MONT5) - add_definitions(-DOPENSSL_BN_ASM_GF2m) add_definitions(-DMD5_ASM) add_definitions(-DGHASH_ASM) add_definitions(-DRSA_ASM) @@ -121,7 +141,6 @@ if(HOST_ASM_MASM_X86_64) #bn/modexp512-masm-x86_64.S #bn/mont-masm-x86_64.S #bn/mont5-masm-x86_64.S - #bn/gf2m-masm-x86_64.S camellia/cmll-masm-x86_64.S md5/md5-masm-x86_64.S modes/ghash-masm-x86_64.S @@ -139,7 +158,6 @@ if(HOST_ASM_MASM_X86_64) add_definitions(-DOPENSSL_IA32_SSE2) #add_definitions(-DOPENSSL_BN_ASM_MONT) #add_definitions(-DOPENSSL_BN_ASM_MONT5) - #add_definitions(-DOPENSSL_BN_ASM_GF2m) add_definitions(-DMD5_ASM) add_definitions(-DGHASH_ASM) add_definitions(-DRSA_ASM) @@ -163,7 +181,6 @@ if(HOST_ASM_MINGW64_X86_64) #bn/modexp512-mingw64-x86_64.S #bn/mont-mingw64-x86_64.S #bn/mont5-mingw64-x86_64.S - #bn/gf2m-mingw64-x86_64.S camellia/cmll-mingw64-x86_64.S md5/md5-mingw64-x86_64.S modes/ghash-mingw64-x86_64.S @@ -181,7 +198,6 @@ if(HOST_ASM_MINGW64_X86_64) add_definitions(-DOPENSSL_IA32_SSE2) #add_definitions(-DOPENSSL_BN_ASM_MONT) #add_definitions(-DOPENSSL_BN_ASM_MONT5) - #add_definitions(-DOPENSSL_BN_ASM_GF2m) add_definitions(-DMD5_ASM) add_definitions(-DGHASH_ASM) add_definitions(-DRSA_ASM) @@ -236,7 +252,6 @@ set( o_fips.c o_init.c o_str.c - o_time.c aes/aes_cfb.c aes/aes_ctr.c aes/aes_ecb.c 
@@ -257,6 +272,7 @@ set( asn1/a_string.c asn1/a_strnid.c asn1/a_time.c + asn1/a_time_posix.c asn1/a_time_tm.c asn1/a_type.c asn1/a_utf8.c @@ -273,7 +289,6 @@ set( asn1/asn_moid.c asn1/bio_asn1.c asn1/bio_ndef.c - asn1/nsseq.c asn1/p5_pbe.c asn1/p5_pbev2.c asn1/p8_pkey.c @@ -331,33 +346,29 @@ set( bio/bss_null.c bio/bss_sock.c bn/bn_add.c - bn/bn_asm.c bn/bn_blind.c + bn/bn_bpsw.c bn/bn_const.c + bn/bn_convert.c bn/bn_ctx.c - bn/bn_depr.c bn/bn_div.c bn/bn_err.c bn/bn_exp.c - bn/bn_exp2.c bn/bn_gcd.c - bn/bn_gf2m.c + bn/bn_isqrt.c bn/bn_kron.c bn/bn_lib.c bn/bn_mod.c + bn/bn_mod_sqrt.c bn/bn_mont.c - bn/bn_mpi.c bn/bn_mul.c - bn/bn_nist.c bn/bn_prime.c - bn/bn_print.c bn/bn_rand.c bn/bn_recp.c bn/bn_shift.c + bn/bn_small_primes.c bn/bn_sqr.c - bn/bn_sqrt.c bn/bn_word.c - bn/bn_x931p.c buffer/buf_err.c buffer/buf_str.c buffer/buffer.c @@ -440,16 +451,13 @@ set( dh/dh_ameth.c dh/dh_asn1.c dh/dh_check.c - dh/dh_depr.c dh/dh_err.c dh/dh_gen.c dh/dh_key.c dh/dh_lib.c dh/dh_pmeth.c - dh/dh_prn.c dsa/dsa_ameth.c dsa/dsa_asn1.c - dsa/dsa_depr.c dsa/dsa_err.c dsa/dsa_gen.c dsa/dsa_key.c @@ -458,16 +466,11 @@ set( dsa/dsa_ossl.c dsa/dsa_pmeth.c dsa/dsa_prn.c - dsa/dsa_sign.c - dsa/dsa_vrf.c dso/dso_dlfcn.c dso/dso_err.c dso/dso_lib.c dso/dso_null.c dso/dso_openssl.c - ec/ec2_mult.c - ec/ec2_oct.c - ec/ec2_smpl.c ec/ec_ameth.c ec/ec_asn1.c ec/ec_check.c @@ -483,9 +486,9 @@ set( ec/ec_print.c ec/eck_prn.c ec/ecp_mont.c - ec/ecp_nist.c ec/ecp_oct.c ec/ecp_smpl.c + ec/ecx_methods.c ecdh/ecdh_kdf.c ecdh/ech_err.c ecdh/ech_key.c @@ -494,8 +497,6 @@ set( ecdsa/ecs_err.c ecdsa/ecs_lib.c ecdsa/ecs_ossl.c - ecdsa/ecs_sign.c - ecdsa/ecs_vrf.c engine/eng_all.c engine/eng_cnf.c engine/eng_ctrl.c @@ -527,6 +528,7 @@ set( evp/bio_enc.c evp/bio_md.c evp/c_all.c + evp/cipher_method_lib.c evp/digest.c evp/e_aes.c evp/e_aes_cbc_hmac_sha1.c @@ -540,7 +542,6 @@ set( evp/e_gost2814789.c evp/e_idea.c evp/e_null.c - evp/e_old.c evp/e_rc2.c evp/e_rc4.c evp/e_rc4_hmac_md5.c 
@@ -562,6 +563,7 @@ set( evp/m_null.c evp/m_ripemd.c evp/m_sha1.c + evp/m_sha3.c evp/m_sigver.c evp/m_streebog.c evp/m_sm3.c @@ -602,6 +604,8 @@ set( idea/i_ecb.c idea/i_ofb64.c idea/i_skey.c + kdf/hkdf_evp.c + kdf/kdf_err.c lhash/lh_stats.c lhash/lhash.c md4/md4_dgst.c @@ -612,7 +616,6 @@ set( modes/ccm128.c modes/cfb128.c modes/ctr128.c - modes/cts128.c modes/gcm128.c modes/ofb128.c modes/xts128.c @@ -654,9 +657,9 @@ set( pkcs12/p12_npas.c pkcs12/p12_p8d.c pkcs12/p12_p8e.c + pkcs12/p12_sbag.c pkcs12/p12_utl.c pkcs12/pk12err.c - pkcs7/bio_pk7.c pkcs7/pk7_asn1.c pkcs7/pk7_attr.c pkcs7/pk7_doit.c @@ -679,7 +682,6 @@ set( rsa/rsa_asn1.c rsa/rsa_chk.c rsa/rsa_crpt.c - rsa/rsa_depr.c rsa/rsa_eay.c rsa/rsa_err.c rsa/rsa_gen.c @@ -694,9 +696,9 @@ set( rsa/rsa_saos.c rsa/rsa_sign.c rsa/rsa_x931.c - sha/sha1_one.c - sha/sha1dgst.c + sha/sha1.c sha/sha256.c + sha/sha3.c sha/sha512.c sm3/sm3.c sm4/sm4.c @@ -715,17 +717,12 @@ set( txt_db/txt_db.c ui/ui_err.c ui/ui_lib.c + ui/ui_null.c ui/ui_util.c whrlpool/wp_dgst.c x509/by_dir.c x509/by_file.c x509/by_mem.c - x509/pcy_cache.c - x509/pcy_data.c - x509/pcy_lib.c - x509/pcy_map.c - x509/pcy_node.c - x509/pcy_tree.c x509/x509_addr.c x509/x509_akey.c x509/x509_akeya.c @@ -741,7 +738,6 @@ set( x509/x509_crld.c x509/x509_d2.c x509/x509_def.c - x509/x509_enum.c x509/x509_err.c x509/x509_ext.c x509/x509_extku.c @@ -755,18 +751,16 @@ set( x509/x509_ncons.c x509/x509_obj.c x509/x509_ocsp.c - x509/x509_pci.c - x509/x509_pcia.c x509/x509_pcons.c x509/x509_pku.c x509/x509_pmaps.c + x509/x509_policy.c x509/x509_prn.c x509/x509_purp.c x509/x509_r2x.c x509/x509_req.c x509/x509_set.c x509/x509_skey.c - x509/x509_sxnet.c x509/x509_trs.c x509/x509_txt.c x509/x509_utl.c 
@@ -987,20 +981,44 @@ target_include_directories(crypto_obj bytestring dh dsa + curve25519 ec ecdh ecdsa evp + hidden hmac modes ocsp + pkcs12 rsa + sha x509 ../include/compat PUBLIC ../include) -add_library(crypto $) +if(HOST_AARCH64) + target_include_directories(crypto_obj PRIVATE bn/arch/aarch64/) +elseif(HOST_ARM) + target_include_directories(crypto_obj PRIVATE bn/arch/arm/) +elseif(HOST_I386) + target_include_directories(crypto_obj PRIVATE bn/arch/i386/) +elseif(HOST_MIPS64) + target_include_directories(crypto_obj PRIVATE bn/arch/mips64) +elseif(HOST_POWERPC) + target_include_directories(crypto_obj PRIVATE bn/arch/powerpc) +elseif(HOST_POWERPC64) + target_include_directories(crypto_obj PRIVATE bn/arch/powerpc64) +elseif(HOST_RISCV64) + target_include_directories(crypto_obj PRIVATE bn/arch/riscv64) +elseif(HOST_SPARC64) + target_include_directories(crypto_obj PRIVATE bn/arch/sparc64) +elseif(HOST_X86_64) + target_include_directories(crypto_obj PRIVATE bn/arch/amd64) +endif() + +add_library(crypto $ empty.c) export_symbol(crypto ${CMAKE_CURRENT_BINARY_DIR}/crypto_p.sym) target_link_libraries(crypto ${PLATFORM_LIBS}) @@ -1013,15 +1031,6 @@ set_target_properties(crypto PROPERTIES set_target_properties(crypto PROPERTIES VERSION ${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION}) -if(ENABLE_LIBRESSL_INSTALL) - install( - TARGETS crypto - ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR} - LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR} - RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} - ) -endif(ENABLE_LIBRESSL_INSTALL) - # build static library for regression test if(BUILD_SHARED_LIBS) add_library(crypto-static STATIC $) diff --git a/crypto/VERSION b/crypto/VERSION index 81abba8..439709c 100644 --- a/crypto/VERSION +++ b/crypto/VERSION @@ -1 +1 @@ -49:0:0 +51:0:0 diff --git a/crypto/aes/aes-elf-x86_64.S b/crypto/aes/aes-elf-x86_64.S index 83c0053..1f51a47 100644 --- a/crypto/aes/aes-elf-x86_64.S +++ b/crypto/aes/aes-elf-x86_64.S 
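Review bot: `elseif(HOST_POWERPC64)` tests a name that nothing visible in this diff sets; if the top-level processor probe uses a different spelling for ppc64, the `bn/arch/powerpc64` branch is unreachable — confirm the variable names agree. The chain has no `else()`: a host matched by none of the branches gets no `bn/arch/…` include directory, and since `bn/bn_asm.c` is dropped in an earlier hunk the arch directory appears to be the only place the word-level routines now come from, so such a host would fail with a missing-header error rather than a clear diagnostic; an `else()` with `message(FATAL_ERROR "no bn/arch support for ${CMAKE_SYSTEM_PROCESSOR}")` or a generic fallback directory would make that explicit. As a point of style, the paths mix a trailing slash (`bn/arch/aarch64/`, `bn/arch/arm/`, `bn/arch/i386/`) with none (`bn/arch/mips64` onwards); pick one form. The new `empty.c` source on the `add_library(crypto …)` line would also benefit from a one-line comment stating why it is needed.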
@@ -4,6 +4,7 @@ .type _x86_64_AES_encrypt,@function .align 16 _x86_64_AES_encrypt: + endbr64 xorl 0(%r15),%eax xorl 4(%r15),%ebx xorl 8(%r15),%ecx @@ -157,6 +158,7 @@ _x86_64_AES_encrypt: .type _x86_64_AES_encrypt_compact,@function .align 16 _x86_64_AES_encrypt_compact: + endbr64 leaq 128(%r14),%r8 movl 0-128(%r8),%edi movl 32-128(%r8),%ebp @@ -336,6 +338,7 @@ _x86_64_AES_encrypt_compact: .hidden asm_AES_encrypt asm_AES_encrypt: AES_encrypt: + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -399,6 +402,7 @@ AES_encrypt: .type _x86_64_AES_decrypt,@function .align 16 _x86_64_AES_decrypt: + endbr64 xorl 0(%r15),%eax xorl 4(%r15),%ebx xorl 8(%r15),%ecx @@ -554,6 +558,7 @@ _x86_64_AES_decrypt: .type _x86_64_AES_decrypt_compact,@function .align 16 _x86_64_AES_decrypt_compact: + endbr64 leaq 128(%r14),%r8 movl 0-128(%r8),%edi movl 32-128(%r8),%ebp @@ -784,6 +789,7 @@ _x86_64_AES_decrypt_compact: .hidden asm_AES_decrypt asm_AES_decrypt: AES_decrypt: + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -850,6 +856,7 @@ AES_decrypt: .type AES_set_encrypt_key,@function .align 16 AES_set_encrypt_key: + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -875,6 +882,7 @@ AES_set_encrypt_key: .type _x86_64_AES_set_encrypt_key,@function .align 16 _x86_64_AES_set_encrypt_key: + endbr64 movl %esi,%ecx movq %rdi,%rsi movq %rdx,%rdi @@ -1115,6 +1123,7 @@ _x86_64_AES_set_encrypt_key: .type AES_set_decrypt_key,@function .align 16 AES_set_decrypt_key: + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -1307,6 +1316,7 @@ AES_set_decrypt_key: .hidden asm_AES_cbc_encrypt asm_AES_cbc_encrypt: AES_cbc_encrypt: + endbr64 cmpq $0,%rdx je .Lcbc_epilogue pushfq @@ -1756,6 +1766,7 @@ AES_cbc_encrypt: .Lcbc_epilogue: retq .size AES_cbc_encrypt,.-AES_cbc_encrypt +.section .rodata .align 64 .LAES_Te: .long 0xa56363c6,0xa56363c6 
@@ -2540,8 +2551,8 @@ AES_cbc_encrypt: .byte 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d .long 0x80808080, 0x80808080, 0xfefefefe, 0xfefefefe .long 0x1b1b1b1b, 0x1b1b1b1b, 0, 0 -.byte 65,69,83,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 64 +.text #if defined(HAVE_GNU_STACK) .section .note.GNU-stack,"",%progbits #endif diff --git a/crypto/aes/aes-macosx-x86_64.S b/crypto/aes/aes-macosx-x86_64.S index 8a9c36e..1cfe21a 100644 --- a/crypto/aes/aes-macosx-x86_64.S +++ b/crypto/aes/aes-macosx-x86_64.S @@ -4,6 +4,7 @@ .p2align 4 _x86_64_AES_encrypt: + xorl 0(%r15),%eax xorl 4(%r15),%ebx xorl 8(%r15),%ecx @@ -157,6 +158,7 @@ L$enc_loop: .p2align 4 _x86_64_AES_encrypt_compact: + leaq 128(%r14),%r8 movl 0-128(%r8),%edi movl 32-128(%r8),%ebp @@ -336,6 +338,7 @@ L$enc_compact_done: .private_extern _asm_AES_encrypt _asm_AES_encrypt: _AES_encrypt: + pushq %rbx pushq %rbp pushq %r12 @@ -399,6 +402,7 @@ L$enc_epilogue: .p2align 4 _x86_64_AES_decrypt: + xorl 0(%r15),%eax xorl 4(%r15),%ebx xorl 8(%r15),%ecx @@ -554,6 +558,7 @@ L$dec_loop: .p2align 4 _x86_64_AES_decrypt_compact: + leaq 128(%r14),%r8 movl 0-128(%r8),%edi movl 32-128(%r8),%ebp @@ -784,6 +789,7 @@ L$dec_compact_done: .private_extern _asm_AES_decrypt _asm_AES_decrypt: _AES_decrypt: + pushq %rbx pushq %rbp pushq %r12 @@ -850,6 +856,7 @@ L$dec_epilogue: .p2align 4 _AES_set_encrypt_key: + pushq %rbx pushq %rbp pushq %r12 @@ -875,6 +882,7 @@ L$enc_key_epilogue: .p2align 4 _x86_64_AES_set_encrypt_key: + movl %esi,%ecx movq %rdi,%rsi movq %rdx,%rdi @@ -1115,6 +1123,7 @@ L$exit: .p2align 4 _AES_set_decrypt_key: + pushq %rbx pushq %rbp pushq %r12 @@ -1307,6 +1316,7 @@ L$dec_key_epilogue: .private_extern _asm_AES_cbc_encrypt _asm_AES_cbc_encrypt: _AES_cbc_encrypt: + cmpq $0,%rdx je L$cbc_epilogue pushfq 
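Review bot: The `endbr64` landing pads added throughout this file (hunks @@ -4 through @@ -1307) only take effect if the object also carries a `.note.gnu.property` section with the `GNU_PROPERTY_X86_FEATURE_1_IBT` bit set; the file trailer shown in this hunk emits only the `.note.GNU-stack` section, and GNU as does not synthesize the property note on its own for hand-written `.S` input. Without it the linker will not mark the resulting libcrypto as IBT-compatible and the dynamic loader will not enable indirect-branch tracking for it, so the new instructions are inert no-ops rather than the protection the change is presumably after. Unless the note is injected elsewhere in the build, the `#if defined(HAVE_GNU_STACK)` trailer is the natural place to add a matching `.note.gnu.property` block guarded by `__CET__` (defined by gcc/clang when `-fcf-protection` is in effect); it is roughly a dozen directives, so I have not quoted it here. If these files are generated from the perlasm sources, the emission belongs in the translator so every x86_64 ELF output gets it consistently.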
@@ -1756,6 +1766,7 @@ L$cbc_popfq: L$cbc_epilogue: retq +.section __DATA,__const .p2align 6 L$AES_Te: .long 0xa56363c6,0xa56363c6 @@ -2540,5 +2551,5 @@ L$AES_Td: .byte 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d .long 0x80808080, 0x80808080, 0xfefefefe, 0xfefefefe .long 0x1b1b1b1b, 0x1b1b1b1b, 0, 0 -.byte 65,69,83,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .p2align 6 +.text diff --git a/crypto/aes/aes-masm-x86_64.S b/crypto/aes/aes-masm-x86_64.S index e99ccf6..7875d42 100644 --- a/crypto/aes/aes-masm-x86_64.S +++ b/crypto/aes/aes-masm-x86_64.S @@ -72,6 +72,7 @@ OPTION DOTNAME ALIGN 16 _x86_64_AES_encrypt PROC PRIVATE + endbr64 xor eax,DWORD PTR[r15] xor ebx,DWORD PTR[4+r15] xor ecx,DWORD PTR[8+r15] @@ -225,6 +226,7 @@ _x86_64_AES_encrypt ENDP ALIGN 16 _x86_64_AES_encrypt_compact PROC PRIVATE + endbr64 lea r8,QWORD PTR[128+r14] mov edi,DWORD PTR[((0-128))+r8] mov ebp,DWORD PTR[((32-128))+r8] @@ -413,6 +415,7 @@ $L$SEH_begin_AES_encrypt:: mov rdx,r8 + endbr64 push rbx push rbp push r12 @@ -479,6 +482,7 @@ AES_encrypt ENDP ALIGN 16 _x86_64_AES_decrypt PROC PRIVATE + endbr64 xor eax,DWORD PTR[r15] xor ebx,DWORD PTR[4+r15] xor ecx,DWORD PTR[8+r15] @@ -634,6 +638,7 @@ _x86_64_AES_decrypt ENDP ALIGN 16 _x86_64_AES_decrypt_compact PROC PRIVATE + endbr64 lea r8,QWORD PTR[128+r14] mov edi,DWORD PTR[((0-128))+r8] mov ebp,DWORD PTR[((32-128))+r8] @@ -873,6 +878,7 @@ $L$SEH_begin_AES_decrypt:: mov rdx,r8 + endbr64 push rbx push rbp push r12 @@ -951,6 +957,7 @@ $L$SEH_begin_AES_set_encrypt_key:: mov rdx,r8 + endbr64 push rbx push rbp push r12 @@ -979,6 +986,7 @@ AES_set_encrypt_key ENDP ALIGN 16 _x86_64_AES_set_encrypt_key PROC PRIVATE + endbr64 mov ecx,esi mov rsi,rdi mov rdi,rdx @@ -1228,6 +1236,7 @@ $L$SEH_begin_AES_set_decrypt_key:: mov rdx,r8 + endbr64 push rbx push rbp push r12 
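Review bot: In the masm hunk @@ -413 the `endbr64` is inserted after the `mov rdx,r8` that finishes the Win64-to-SysV argument shuffle, i.e. several instructions past the function's entry label (which lies above the hunk), so an indirect call that lands on the exported entry never executes it and the landing pad is misplaced; the same placement appears in @@ -873, @@ -951, @@ -1228 and @@ -1435 of this file and in the mingw64 hunks @@ -344, @@ -802, @@ -878, @@ -1153 and @@ -1358. To my knowledge Windows does not currently enforce IBT, so nothing breaks today, but the instruction is dead where it sits and the pattern will be wrong the moment it matters; by contrast the placement directly after the `PROC PRIVATE` label for the internal `_x86_64_*` helpers is correct. If these files are generated from the perlasm sources, the fix belongs in the translator's handling of the Win64 prologue, so that `endbr64` is emitted as the first instruction after `PROC PUBLIC` (and after the corresponding global label in the mingw64 flavour) rather than after the register moves.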
@@ -1435,6 +1444,7 @@ $L$SEH_begin_AES_cbc_encrypt:: mov r9,QWORD PTR[48+rsp] + endbr64 cmp rdx,0 je $L$cbc_epilogue pushfq @@ -1887,6 +1897,8 @@ $L$cbc_epilogue:: DB 0F3h,0C3h ;repret $L$SEH_end_AES_cbc_encrypt:: AES_cbc_encrypt ENDP +.text$ ENDS +.rdata SEGMENT READONLY ALIGN(8) ALIGN 64 $L$AES_Te:: DD 0a56363c6h,0a56363c6h @@ -2671,15 +2683,14 @@ DB 017h,02bh,004h,07eh,0bah,077h,0d6h,026h DB 0e1h,069h,014h,063h,055h,021h,00ch,07dh DD 080808080h,080808080h,0fefefefeh,0fefefefeh DD 01b1b1b1bh,01b1b1b1bh,0,0 -DB 65,69,83,32,102,111,114,32,120,56,54,95,54,52,44,32 -DB 67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97 -DB 112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103 -DB 62,0 ALIGN 64 +.rdata ENDS +.text$ SEGMENT ALIGN(64) 'CODE' EXTERN __imp_RtlVirtualUnwind:NEAR ALIGN 16 block_se_handler PROC PRIVATE + endbr64 push rsi push rdi push rbx @@ -2738,6 +2749,7 @@ block_se_handler ENDP ALIGN 16 key_se_handler PROC PRIVATE + endbr64 push rsi push rdi push rbx @@ -2795,6 +2807,7 @@ key_se_handler ENDP ALIGN 16 cbc_se_handler PROC PRIVATE + endbr64 push rsi push rdi push rbx diff --git a/crypto/aes/aes-mingw64-x86_64.S b/crypto/aes/aes-mingw64-x86_64.S index ca2d60f..f491106 100644 --- a/crypto/aes/aes-mingw64-x86_64.S +++ b/crypto/aes/aes-mingw64-x86_64.S @@ -4,6 +4,7 @@ .def _x86_64_AES_encrypt; .scl 3; .type 32; .endef .p2align 4 _x86_64_AES_encrypt: + endbr64 xorl 0(%r15),%eax xorl 4(%r15),%ebx xorl 8(%r15),%ecx @@ -157,6 +158,7 @@ _x86_64_AES_encrypt: .def _x86_64_AES_encrypt_compact; .scl 3; .type 32; .endef .p2align 4 _x86_64_AES_encrypt_compact: + endbr64 leaq 128(%r14),%r8 movl 0-128(%r8),%edi movl 32-128(%r8),%ebp @@ -344,6 +346,7 @@ AES_encrypt: movq %rdx,%rsi movq %r8,%rdx + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -409,6 +412,7 @@ AES_encrypt: .def _x86_64_AES_decrypt; .scl 3; .type 32; .endef .p2align 4 _x86_64_AES_decrypt: + endbr64 xorl 0(%r15),%eax xorl 4(%r15),%ebx xorl 8(%r15),%ecx 
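Review bot: The read-only segment opened in hunk @@ -1887 is declared `.rdata SEGMENT READONLY ALIGN(8)` but is immediately followed by `ALIGN 64` for `$L$AES_Te`; if I recall ml64 correctly, an ALIGN larger than the enclosing segment's alignment is rejected (A2189, "invalid combination with segment alignment"), and even where it is accepted the cache-line alignment the tables had inside `.text$ SEGMENT ALIGN(64)` would be lost. Declaring the segment as `.rdata SEGMENT READONLY ALIGN(64)` keeps the alignment the tables were given before the move; the `.rdata ENDS` / `.text$ SEGMENT ALIGN(64) 'CODE'` pair in @@ -2671 is otherwise consistent with the surrounding code. As with the other variants this is presumably generator output, so the change belongs in the translator's `.rodata` mapping.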
@@ -564,6 +568,7 @@ _x86_64_AES_decrypt: .def _x86_64_AES_decrypt_compact; .scl 3; .type 32; .endef .p2align 4 _x86_64_AES_decrypt_compact: + endbr64 leaq 128(%r14),%r8 movl 0-128(%r8),%edi movl 32-128(%r8),%ebp @@ -802,6 +807,7 @@ AES_decrypt: movq %rdx,%rsi movq %r8,%rdx + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -878,6 +884,7 @@ AES_set_encrypt_key: movq %rdx,%rsi movq %r8,%rdx + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -905,6 +912,7 @@ AES_set_encrypt_key: .def _x86_64_AES_set_encrypt_key; .scl 3; .type 32; .endef .p2align 4 _x86_64_AES_set_encrypt_key: + endbr64 movl %esi,%ecx movq %rdi,%rsi movq %rdx,%rdi @@ -1153,6 +1161,7 @@ AES_set_decrypt_key: movq %rdx,%rsi movq %r8,%rdx + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -1358,6 +1367,7 @@ AES_cbc_encrypt: movq 40(%rsp),%r8 movq 48(%rsp),%r9 + endbr64 cmpq $0,%rdx je .Lcbc_epilogue pushfq @@ -1809,6 +1819,7 @@ AES_cbc_encrypt: movq 16(%rsp),%rsi retq .LSEH_end_AES_cbc_encrypt: +.section .rodata .p2align 6 .LAES_Te: .long 0xa56363c6,0xa56363c6 @@ -2593,12 +2604,13 @@ AES_cbc_encrypt: .byte 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d .long 0x80808080, 0x80808080, 0xfefefefe, 0xfefefefe .long 0x1b1b1b1b, 0x1b1b1b1b, 0, 0 -.byte 65,69,83,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .p2align 6 +.text .def block_se_handler; .scl 3; .type 32; .endef .p2align 4 block_se_handler: + endbr64 pushq %rsi pushq %rdi pushq %rbx @@ -2657,6 +2669,7 @@ block_se_handler: .def key_se_handler; .scl 3; .type 32; .endef .p2align 4 key_se_handler: + endbr64 pushq %rsi pushq %rdi pushq %rbx @@ -2714,6 +2727,7 @@ key_se_handler: .def cbc_se_handler; .scl 3; .type 32; .endef .p2align 4 cbc_se_handler: + endbr64 pushq %rsi pushq %rdi pushq %rbx diff --git a/crypto/aes/aes-mips.S b/crypto/aes/aes-mips.S new file mode 100644 index 0000000..2a8e3e4 --- /dev/null +++ b/crypto/aes/aes-mips.S 
@@ -0,0 +1,1336 @@ +.text +#if !defined(__vxworks) || defined(__pic__) +.option pic2 +#endif +.set noat +.align 5 +.ent _mips_AES_encrypt +_mips_AES_encrypt: + .frame $29,0,$31 + .set reorder + lw $12,0($6) + lw $13,4($6) + lw $14,8($6) + lw $15,12($6) + lw $30,240($6) + add $3,$6,16 + + xor $8,$12 + xor $9,$13 + xor $10,$14 + xor $11,$15 + + sub $30,1 + srl $1,$9,6 +.Loop_enc: + srl $2,$10,6 + srl $24,$11,6 + srl $25,$8,6 + and $1,0x3fc + and $2,0x3fc + and $24,0x3fc + and $25,0x3fc + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lwl $12,2($1) # Te1[s1>>16] + lwl $13,2($2) # Te1[s2>>16] + lwl $14,2($24) # Te1[s3>>16] + lwl $15,2($25) # Te1[s0>>16] + lwr $12,3($1) # Te1[s1>>16] + lwr $13,3($2) # Te1[s2>>16] + lwr $14,3($24) # Te1[s3>>16] + lwr $15,3($25) # Te1[s0>>16] + + srl $1,$10,14 + srl $2,$11,14 + srl $24,$8,14 + srl $25,$9,14 + and $1,0x3fc + and $2,0x3fc + and $24,0x3fc + and $25,0x3fc + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lwl $16,1($1) # Te2[s2>>8] + lwl $17,1($2) # Te2[s3>>8] + lwl $18,1($24) # Te2[s0>>8] + lwl $19,1($25) # Te2[s1>>8] + lwr $16,2($1) # Te2[s2>>8] + lwr $17,2($2) # Te2[s3>>8] + lwr $18,2($24) # Te2[s0>>8] + lwr $19,2($25) # Te2[s1>>8] + + srl $1,$11,22 + srl $2,$8,22 + srl $24,$9,22 + srl $25,$10,22 + and $1,0x3fc + and $2,0x3fc + and $24,0x3fc + and $25,0x3fc + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lwl $20,0($1) # Te3[s3] + lwl $21,0($2) # Te3[s0] + lwl $22,0($24) # Te3[s1] + lwl $23,0($25) # Te3[s2] + lwr $20,1($1) # Te3[s3] + lwr $21,1($2) # Te3[s0] + lwr $22,1($24) # Te3[s1] + lwr $23,1($25) # Te3[s2] + + sll $1,$8,2 + sll $2,$9,2 + sll $24,$10,2 + sll $25,$11,2 + and $1,0x3fc + and $2,0x3fc + and $24,0x3fc + and $25,0x3fc + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + xor $12,$16 + xor $13,$17 + xor $14,$18 + xor $15,$19 + lw $16,0($1) # Te0[s0>>24] + lw $17,0($2) # Te0[s1>>24] + lw $18,0($24) # Te0[s2>>24] + lw $19,0($25) # Te0[s3>>24] + + lw $8,0($3) + lw $9,4($3) + lw $10,8($3) + lw $11,12($3) + + 
xor $12,$20 + xor $13,$21 + xor $14,$22 + xor $15,$23 + + xor $12,$16 + xor $13,$17 + xor $14,$18 + xor $15,$19 + + sub $30,1 + add $3,16 + xor $8,$12 + xor $9,$13 + xor $10,$14 + xor $11,$15 + .set noreorder + bnez $30,.Loop_enc + srl $1,$9,6 + + .set reorder + srl $2,$10,6 + srl $24,$11,6 + srl $25,$8,6 + and $1,0x3fc + and $2,0x3fc + and $24,0x3fc + and $25,0x3fc + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lbu $12,2($1) # Te4[s1>>16] + lbu $13,2($2) # Te4[s2>>16] + lbu $14,2($24) # Te4[s3>>16] + lbu $15,2($25) # Te4[s0>>16] + + srl $1,$10,14 + srl $2,$11,14 + srl $24,$8,14 + srl $25,$9,14 + and $1,0x3fc + and $2,0x3fc + and $24,0x3fc + and $25,0x3fc + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lbu $16,2($1) # Te4[s2>>8] + lbu $17,2($2) # Te4[s3>>8] + lbu $18,2($24) # Te4[s0>>8] + lbu $19,2($25) # Te4[s1>>8] + + sll $1,$8,2 + sll $2,$9,2 + sll $24,$10,2 + sll $25,$11,2 + and $1,0x3fc + and $2,0x3fc + and $24,0x3fc + and $25,0x3fc + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lbu $20,2($1) # Te4[s0>>24] + lbu $21,2($2) # Te4[s1>>24] + lbu $22,2($24) # Te4[s2>>24] + lbu $23,2($25) # Te4[s3>>24] + + srl $1,$11,22 + srl $2,$8,22 + srl $24,$9,22 + srl $25,$10,22 + and $1,0x3fc + and $2,0x3fc + and $24,0x3fc + and $25,0x3fc + + sll $12,$12,8 + sll $13,$13,8 + sll $14,$14,8 + sll $15,$15,8 + + sll $16,$16,16 + sll $17,$17,16 + sll $18,$18,16 + sll $19,$19,16 + + xor $12,$16 + xor $13,$17 + xor $14,$18 + xor $15,$19 + + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lbu $16,2($1) # Te4[s3] + lbu $17,2($2) # Te4[s0] + lbu $18,2($24) # Te4[s1] + lbu $19,2($25) # Te4[s2] + + #sll $20,$20,0 + #sll $21,$21,0 + #sll $22,$22,0 + #sll $23,$23,0 + + lw $8,0($3) + lw $9,4($3) + lw $10,8($3) + lw $11,12($3) + + xor $12,$20 + xor $13,$21 + xor $14,$22 + xor $15,$23 + + sll $16,$16,24 + sll $17,$17,24 + sll $18,$18,24 + sll $19,$19,24 + + xor $12,$16 + xor $13,$17 + xor $14,$18 + xor $15,$19 + + xor $8,$12 + xor $9,$13 + xor $10,$14 + xor $11,$15 + + jr $31 
+.end _mips_AES_encrypt + +.align 5 +.globl AES_encrypt +.ent AES_encrypt +AES_encrypt: + .frame $29,64,$31 + .mask 3237937152,-4 + .set noreorder + .cpload $25 + sub $29,64 + sw $31,64-1*4($29) + sw $30,64-2*4($29) + sw $23,64-3*4($29) + sw $22,64-4*4($29) + sw $21,64-5*4($29) + sw $20,64-6*4($29) + sw $19,64-7*4($29) + sw $18,64-8*4($29) + sw $17,64-9*4($29) + sw $16,64-10*4($29) + .set reorder + la $7,AES_Te # PIC-ified 'load address' + + lwl $8,0+3($4) + lwl $9,4+3($4) + lwl $10,8+3($4) + lwl $11,12+3($4) + lwr $8,0+0($4) + lwr $9,4+0($4) + lwr $10,8+0($4) + lwr $11,12+0($4) + + bal _mips_AES_encrypt + + swr $8,0+0($5) + swr $9,4+0($5) + swr $10,8+0($5) + swr $11,12+0($5) + swl $8,0+3($5) + swl $9,4+3($5) + swl $10,8+3($5) + swl $11,12+3($5) + + .set noreorder + lw $31,64-1*4($29) + lw $30,64-2*4($29) + lw $23,64-3*4($29) + lw $22,64-4*4($29) + lw $21,64-5*4($29) + lw $20,64-6*4($29) + lw $19,64-7*4($29) + lw $18,64-8*4($29) + lw $17,64-9*4($29) + lw $16,64-10*4($29) + jr $31 + add $29,64 +.end AES_encrypt +.align 5 +.ent _mips_AES_decrypt +_mips_AES_decrypt: + .frame $29,0,$31 + .set reorder + lw $12,0($6) + lw $13,4($6) + lw $14,8($6) + lw $15,12($6) + lw $30,240($6) + add $3,$6,16 + + xor $8,$12 + xor $9,$13 + xor $10,$14 + xor $11,$15 + + sub $30,1 + srl $1,$11,6 +.Loop_dec: + srl $2,$8,6 + srl $24,$9,6 + srl $25,$10,6 + and $1,0x3fc + and $2,0x3fc + and $24,0x3fc + and $25,0x3fc + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lwl $12,2($1) # Td1[s3>>16] + lwl $13,2($2) # Td1[s0>>16] + lwl $14,2($24) # Td1[s1>>16] + lwl $15,2($25) # Td1[s2>>16] + lwr $12,3($1) # Td1[s3>>16] + lwr $13,3($2) # Td1[s0>>16] + lwr $14,3($24) # Td1[s1>>16] + lwr $15,3($25) # Td1[s2>>16] + + srl $1,$10,14 + srl $2,$11,14 + srl $24,$8,14 + srl $25,$9,14 + and $1,0x3fc + and $2,0x3fc + and $24,0x3fc + and $25,0x3fc + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lwl $16,1($1) # Td2[s2>>8] + lwl $17,1($2) # Td2[s3>>8] + lwl $18,1($24) # Td2[s0>>8] + lwl $19,1($25) # 
Td2[s1>>8] + lwr $16,2($1) # Td2[s2>>8] + lwr $17,2($2) # Td2[s3>>8] + lwr $18,2($24) # Td2[s0>>8] + lwr $19,2($25) # Td2[s1>>8] + + srl $1,$9,22 + srl $2,$10,22 + srl $24,$11,22 + srl $25,$8,22 + and $1,0x3fc + and $2,0x3fc + and $24,0x3fc + and $25,0x3fc + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lwl $20,0($1) # Td3[s1] + lwl $21,0($2) # Td3[s2] + lwl $22,0($24) # Td3[s3] + lwl $23,0($25) # Td3[s0] + lwr $20,1($1) # Td3[s1] + lwr $21,1($2) # Td3[s2] + lwr $22,1($24) # Td3[s3] + lwr $23,1($25) # Td3[s0] + + sll $1,$8,2 + sll $2,$9,2 + sll $24,$10,2 + sll $25,$11,2 + and $1,0x3fc + and $2,0x3fc + and $24,0x3fc + and $25,0x3fc + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + + xor $12,$16 + xor $13,$17 + xor $14,$18 + xor $15,$19 + + + lw $16,0($1) # Td0[s0>>24] + lw $17,0($2) # Td0[s1>>24] + lw $18,0($24) # Td0[s2>>24] + lw $19,0($25) # Td0[s3>>24] + + lw $8,0($3) + lw $9,4($3) + lw $10,8($3) + lw $11,12($3) + + xor $12,$20 + xor $13,$21 + xor $14,$22 + xor $15,$23 + + xor $12,$16 + xor $13,$17 + xor $14,$18 + xor $15,$19 + + sub $30,1 + add $3,16 + xor $8,$12 + xor $9,$13 + xor $10,$14 + xor $11,$15 + .set noreorder + bnez $30,.Loop_dec + srl $1,$11,6 + + .set reorder + lw $16,1024($7) # prefetch Td4 + lw $17,1024+32($7) + lw $18,1024+64($7) + lw $19,1024+96($7) + lw $20,1024+128($7) + lw $21,1024+160($7) + lw $22,1024+192($7) + lw $23,1024+224($7) + + srl $1,$11,8 + srl $2,$8,8 + srl $24,$9,8 + srl $25,$10,8 + and $1,0xff + and $2,0xff + and $24,0xff + and $25,0xff + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lbu $12,1024($1) # Td4[s3>>16] + lbu $13,1024($2) # Td4[s0>>16] + lbu $14,1024($24) # Td4[s1>>16] + lbu $15,1024($25) # Td4[s2>>16] + + srl $1,$10,16 + srl $2,$11,16 + srl $24,$8,16 + srl $25,$9,16 + and $1,0xff + and $2,0xff + and $24,0xff + and $25,0xff + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lbu $16,1024($1) # Td4[s2>>8] + lbu $17,1024($2) # Td4[s3>>8] + lbu $18,1024($24) # Td4[s0>>8] + lbu $19,1024($25) # Td4[s1>>8] + + and 
$1,$8,0xff + and $2,$9,0xff + and $24,$10,0xff + and $25,$11,0xff + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lbu $20,1024($1) # Td4[s0>>24] + lbu $21,1024($2) # Td4[s1>>24] + lbu $22,1024($24) # Td4[s2>>24] + lbu $23,1024($25) # Td4[s3>>24] + + srl $1,$9,24 + srl $2,$10,24 + srl $24,$11,24 + srl $25,$8,24 + + sll $12,$12,8 + sll $13,$13,8 + sll $14,$14,8 + sll $15,$15,8 + + sll $16,$16,16 + sll $17,$17,16 + sll $18,$18,16 + sll $19,$19,16 + + xor $12,$16 + xor $13,$17 + xor $14,$18 + xor $15,$19 + + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lbu $16,1024($1) # Td4[s1] + lbu $17,1024($2) # Td4[s2] + lbu $18,1024($24) # Td4[s3] + lbu $19,1024($25) # Td4[s0] + + #sll $20,$20,0 + #sll $21,$21,0 + #sll $22,$22,0 + #sll $23,$23,0 + + lw $8,0($3) + lw $9,4($3) + lw $10,8($3) + lw $11,12($3) + + sll $16,$16,24 + sll $17,$17,24 + sll $18,$18,24 + sll $19,$19,24 + + + xor $12,$20 + xor $13,$21 + xor $14,$22 + xor $15,$23 + + xor $12,$16 + xor $13,$17 + xor $14,$18 + xor $15,$19 + + xor $8,$12 + xor $9,$13 + xor $10,$14 + xor $11,$15 + + jr $31 +.end _mips_AES_decrypt + +.align 5 +.globl AES_decrypt +.ent AES_decrypt +AES_decrypt: + .frame $29,64,$31 + .mask 3237937152,-4 + .set noreorder + .cpload $25 + sub $29,64 + sw $31,64-1*4($29) + sw $30,64-2*4($29) + sw $23,64-3*4($29) + sw $22,64-4*4($29) + sw $21,64-5*4($29) + sw $20,64-6*4($29) + sw $19,64-7*4($29) + sw $18,64-8*4($29) + sw $17,64-9*4($29) + sw $16,64-10*4($29) + .set reorder + la $7,AES_Td # PIC-ified 'load address' + + lwl $8,0+3($4) + lwl $9,4+3($4) + lwl $10,8+3($4) + lwl $11,12+3($4) + lwr $8,0+0($4) + lwr $9,4+0($4) + lwr $10,8+0($4) + lwr $11,12+0($4) + + bal _mips_AES_decrypt + + swr $8,0+0($5) + swr $9,4+0($5) + swr $10,8+0($5) + swr $11,12+0($5) + swl $8,0+3($5) + swl $9,4+3($5) + swl $10,8+3($5) + swl $11,12+3($5) + + .set noreorder + lw $31,64-1*4($29) + lw $30,64-2*4($29) + lw $23,64-3*4($29) + lw $22,64-4*4($29) + lw $21,64-5*4($29) + lw $20,64-6*4($29) + lw $19,64-7*4($29) + lw 
$18,64-8*4($29) + lw $17,64-9*4($29) + lw $16,64-10*4($29) + jr $31 + add $29,64 +.end AES_decrypt +.align 5 +.ent _mips_AES_set_encrypt_key +_mips_AES_set_encrypt_key: + .frame $29,0,$31 + .set noreorder + beqz $4,.Lekey_done + li $2,-1 + beqz $6,.Lekey_done + add $3,$7,1024+256 + + .set reorder + lwl $8,0+3($4) # load 128 bits + lwl $9,4+3($4) + lwl $10,8+3($4) + lwl $11,12+3($4) + li $1,128 + lwr $8,0+0($4) + lwr $9,4+0($4) + lwr $10,8+0($4) + lwr $11,12+0($4) + .set noreorder + beq $5,$1,.L128bits + li $30,10 + + .set reorder + lwl $12,16+3($4) # load 192 bits + lwl $13,20+3($4) + li $1,192 + lwr $12,16+0($4) + lwr $13,20+0($4) + .set noreorder + beq $5,$1,.L192bits + li $30,8 + + .set reorder + lwl $14,24+3($4) # load 256 bits + lwl $15,28+3($4) + li $1,256 + lwr $14,24+0($4) + lwr $15,28+0($4) + .set noreorder + beq $5,$1,.L256bits + li $30,7 + + b .Lekey_done + li $2,-2 + +.align 4 +.L128bits: + .set reorder + srl $1,$11,16 + srl $2,$11,8 + and $1,0xff + and $2,0xff + and $24,$11,0xff + srl $25,$11,24 + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lbu $1,1024($1) + lbu $2,1024($2) + lbu $24,1024($24) + lbu $25,1024($25) + + sw $8,0($6) + sw $9,4($6) + sw $10,8($6) + sw $11,12($6) + sub $30,1 + add $6,16 + + sll $1,$1,8 + #sll $2,$2,0 + sll $24,$24,24 + sll $25,$25,16 + + xor $8,$1 + lw $1,0($3) + xor $8,$2 + xor $8,$24 + xor $8,$25 + xor $8,$1 + + xor $9,$8 + xor $10,$9 + xor $11,$10 + + .set noreorder + bnez $30,.L128bits + add $3,4 + + sw $8,0($6) + sw $9,4($6) + sw $10,8($6) + li $30,10 + sw $11,12($6) + li $2,0 + sw $30,80($6) + b .Lekey_done + sub $6,10*16 + +.align 4 +.L192bits: + .set reorder + srl $1,$13,16 + srl $2,$13,8 + and $1,0xff + and $2,0xff + and $24,$13,0xff + srl $25,$13,24 + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lbu $1,1024($1) + lbu $2,1024($2) + lbu $24,1024($24) + lbu $25,1024($25) + + sw $8,0($6) + sw $9,4($6) + sw $10,8($6) + sw $11,12($6) + sw $12,16($6) + sw $13,20($6) + sub $30,1 + add $6,24 + + sll $1,$1,8 + #sll 
$2,$2,0 + sll $24,$24,24 + sll $25,$25,16 + + xor $8,$1 + lw $1,0($3) + xor $8,$2 + xor $8,$24 + xor $8,$25 + xor $8,$1 + + xor $9,$8 + xor $10,$9 + xor $11,$10 + xor $12,$11 + xor $13,$12 + + .set noreorder + bnez $30,.L192bits + add $3,4 + + sw $8,0($6) + sw $9,4($6) + sw $10,8($6) + li $30,12 + sw $11,12($6) + li $2,0 + sw $30,48($6) + b .Lekey_done + sub $6,12*16 + +.align 4 +.L256bits: + .set reorder + srl $1,$15,16 + srl $2,$15,8 + and $1,0xff + and $2,0xff + and $24,$15,0xff + srl $25,$15,24 + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lbu $1,1024($1) + lbu $2,1024($2) + lbu $24,1024($24) + lbu $25,1024($25) + + sw $8,0($6) + sw $9,4($6) + sw $10,8($6) + sw $11,12($6) + sw $12,16($6) + sw $13,20($6) + sw $14,24($6) + sw $15,28($6) + sub $30,1 + + sll $1,$1,8 + #sll $2,$2,0 + sll $24,$24,24 + sll $25,$25,16 + + xor $8,$1 + lw $1,0($3) + xor $8,$2 + xor $8,$24 + xor $8,$25 + xor $8,$1 + + xor $9,$8 + xor $10,$9 + xor $11,$10 + beqz $30,.L256bits_done + + srl $1,$11,24 + srl $2,$11,16 + srl $24,$11,8 + and $25,$11,0xff + and $2,0xff + and $24,0xff + add $1,$7 + add $2,$7 + add $24,$7 + add $25,$7 + lbu $1,1024($1) + lbu $2,1024($2) + lbu $24,1024($24) + lbu $25,1024($25) + sll $1,24 + sll $2,16 + sll $24,8 + + xor $12,$1 + xor $12,$2 + xor $12,$24 + xor $12,$25 + + xor $13,$12 + xor $14,$13 + xor $15,$14 + + add $6,32 + .set noreorder + b .L256bits + add $3,4 + +.L256bits_done: + sw $8,32($6) + sw $9,36($6) + sw $10,40($6) + li $30,14 + sw $11,44($6) + li $2,0 + sw $30,48($6) + sub $6,12*16 + +.Lekey_done: + jr $31 + nop +.end _mips_AES_set_encrypt_key + +.globl AES_set_encrypt_key +.ent AES_set_encrypt_key +AES_set_encrypt_key: + .frame $29,32,$31 + .mask 3221225472,-4 + .set noreorder + .cpload $25 + sub $29,32 + sw $31,32-1*4($29) + sw $30,32-2*4($29) + .set reorder + la $7,AES_Te # PIC-ified 'load address' + + bal _mips_AES_set_encrypt_key + + .set noreorder + move $4,$2 + lw $31,32-1*4($29) + lw $30,32-2*4($29) + jr $31 + add $29,32 +.end 
AES_set_encrypt_key +.align 5 +.globl AES_set_decrypt_key +.ent AES_set_decrypt_key +AES_set_decrypt_key: + .frame $29,32,$31 + .mask 3221225472,-4 + .set noreorder + .cpload $25 + sub $29,32 + sw $31,32-1*4($29) + sw $30,32-2*4($29) + .set reorder + la $7,AES_Te # PIC-ified 'load address' + + bal _mips_AES_set_encrypt_key + + bltz $2,.Ldkey_done + + sll $1,$30,4 + add $4,$6,0 + add $5,$6,$1 +.align 4 +.Lswap: + lw $8,0($4) + lw $9,4($4) + lw $10,8($4) + lw $11,12($4) + lw $12,0($5) + lw $13,4($5) + lw $14,8($5) + lw $15,12($5) + sw $8,0($5) + sw $9,4($5) + sw $10,8($5) + sw $11,12($5) + add $4,16 + sub $5,16 + sw $12,-16($4) + sw $13,-12($4) + sw $14,-8($4) + sw $15,-4($4) + bne $4,$5,.Lswap + + lw $8,16($6) # modulo-scheduled + lui $2,0x8080 + sub $30,1 + or $2,0x8080 + sll $30,2 + add $6,16 + lui $25,0x1b1b + nor $24,$0,$2 + or $25,0x1b1b +.align 4 +.Lmix: + and $1,$8,$2 + and $9,$8,$24 + srl $10,$1,7 + addu $9,$9 # tp2<<1 + subu $1,$10 + and $1,$25 + xor $9,$1 + + and $1,$9,$2 + and $10,$9,$24 + srl $11,$1,7 + addu $10,$10 # tp4<<1 + subu $1,$11 + and $1,$25 + xor $10,$1 + + and $1,$10,$2 + and $11,$10,$24 + srl $12,$1,7 + addu $11,$11 # tp8<<1 + subu $1,$12 + and $1,$25 + xor $11,$1 + + xor $12,$11,$8 + xor $15,$11,$10 + xor $13,$12,$9 + xor $14,$12,$10 + + sll $8,$14,16 + xor $15,$9 + srl $9,$14,16 + xor $15,$8 + sll $8,$12,8 + xor $15,$9 + srl $9,$12,24 + xor $15,$8 + sll $8,$13,24 + xor $15,$9 + srl $9,$13,8 + xor $15,$8 + lw $8,4($6) # modulo-scheduled + xor $15,$9 + sub $30,1 + sw $15,0($6) + add $6,4 + bnez $30,.Lmix + + li $2,0 +.Ldkey_done: + .set noreorder + move $4,$2 + lw $31,32-1*4($29) + lw $30,32-2*4($29) + jr $31 + add $29,32 +.end AES_set_decrypt_key +.rdata +.align 6 +AES_Te: +.byte 0xc6,0x63,0x63,0xa5, 0xf8,0x7c,0x7c,0x84 # Te0 +.byte 0xee,0x77,0x77,0x99, 0xf6,0x7b,0x7b,0x8d +.byte 0xff,0xf2,0xf2,0x0d, 0xd6,0x6b,0x6b,0xbd +.byte 0xde,0x6f,0x6f,0xb1, 0x91,0xc5,0xc5,0x54 +.byte 0x60,0x30,0x30,0x50, 0x02,0x01,0x01,0x03 +.byte 
0xce,0x67,0x67,0xa9, 0x56,0x2b,0x2b,0x7d +.byte 0xe7,0xfe,0xfe,0x19, 0xb5,0xd7,0xd7,0x62 +.byte 0x4d,0xab,0xab,0xe6, 0xec,0x76,0x76,0x9a +.byte 0x8f,0xca,0xca,0x45, 0x1f,0x82,0x82,0x9d +.byte 0x89,0xc9,0xc9,0x40, 0xfa,0x7d,0x7d,0x87 +.byte 0xef,0xfa,0xfa,0x15, 0xb2,0x59,0x59,0xeb +.byte 0x8e,0x47,0x47,0xc9, 0xfb,0xf0,0xf0,0x0b +.byte 0x41,0xad,0xad,0xec, 0xb3,0xd4,0xd4,0x67 +.byte 0x5f,0xa2,0xa2,0xfd, 0x45,0xaf,0xaf,0xea +.byte 0x23,0x9c,0x9c,0xbf, 0x53,0xa4,0xa4,0xf7 +.byte 0xe4,0x72,0x72,0x96, 0x9b,0xc0,0xc0,0x5b +.byte 0x75,0xb7,0xb7,0xc2, 0xe1,0xfd,0xfd,0x1c +.byte 0x3d,0x93,0x93,0xae, 0x4c,0x26,0x26,0x6a +.byte 0x6c,0x36,0x36,0x5a, 0x7e,0x3f,0x3f,0x41 +.byte 0xf5,0xf7,0xf7,0x02, 0x83,0xcc,0xcc,0x4f +.byte 0x68,0x34,0x34,0x5c, 0x51,0xa5,0xa5,0xf4 +.byte 0xd1,0xe5,0xe5,0x34, 0xf9,0xf1,0xf1,0x08 +.byte 0xe2,0x71,0x71,0x93, 0xab,0xd8,0xd8,0x73 +.byte 0x62,0x31,0x31,0x53, 0x2a,0x15,0x15,0x3f +.byte 0x08,0x04,0x04,0x0c, 0x95,0xc7,0xc7,0x52 +.byte 0x46,0x23,0x23,0x65, 0x9d,0xc3,0xc3,0x5e +.byte 0x30,0x18,0x18,0x28, 0x37,0x96,0x96,0xa1 +.byte 0x0a,0x05,0x05,0x0f, 0x2f,0x9a,0x9a,0xb5 +.byte 0x0e,0x07,0x07,0x09, 0x24,0x12,0x12,0x36 +.byte 0x1b,0x80,0x80,0x9b, 0xdf,0xe2,0xe2,0x3d +.byte 0xcd,0xeb,0xeb,0x26, 0x4e,0x27,0x27,0x69 +.byte 0x7f,0xb2,0xb2,0xcd, 0xea,0x75,0x75,0x9f +.byte 0x12,0x09,0x09,0x1b, 0x1d,0x83,0x83,0x9e +.byte 0x58,0x2c,0x2c,0x74, 0x34,0x1a,0x1a,0x2e +.byte 0x36,0x1b,0x1b,0x2d, 0xdc,0x6e,0x6e,0xb2 +.byte 0xb4,0x5a,0x5a,0xee, 0x5b,0xa0,0xa0,0xfb +.byte 0xa4,0x52,0x52,0xf6, 0x76,0x3b,0x3b,0x4d +.byte 0xb7,0xd6,0xd6,0x61, 0x7d,0xb3,0xb3,0xce +.byte 0x52,0x29,0x29,0x7b, 0xdd,0xe3,0xe3,0x3e +.byte 0x5e,0x2f,0x2f,0x71, 0x13,0x84,0x84,0x97 +.byte 0xa6,0x53,0x53,0xf5, 0xb9,0xd1,0xd1,0x68 +.byte 0x00,0x00,0x00,0x00, 0xc1,0xed,0xed,0x2c +.byte 0x40,0x20,0x20,0x60, 0xe3,0xfc,0xfc,0x1f +.byte 0x79,0xb1,0xb1,0xc8, 0xb6,0x5b,0x5b,0xed +.byte 0xd4,0x6a,0x6a,0xbe, 0x8d,0xcb,0xcb,0x46 +.byte 0x67,0xbe,0xbe,0xd9, 0x72,0x39,0x39,0x4b +.byte 0x94,0x4a,0x4a,0xde, 
0x98,0x4c,0x4c,0xd4 +.byte 0xb0,0x58,0x58,0xe8, 0x85,0xcf,0xcf,0x4a +.byte 0xbb,0xd0,0xd0,0x6b, 0xc5,0xef,0xef,0x2a +.byte 0x4f,0xaa,0xaa,0xe5, 0xed,0xfb,0xfb,0x16 +.byte 0x86,0x43,0x43,0xc5, 0x9a,0x4d,0x4d,0xd7 +.byte 0x66,0x33,0x33,0x55, 0x11,0x85,0x85,0x94 +.byte 0x8a,0x45,0x45,0xcf, 0xe9,0xf9,0xf9,0x10 +.byte 0x04,0x02,0x02,0x06, 0xfe,0x7f,0x7f,0x81 +.byte 0xa0,0x50,0x50,0xf0, 0x78,0x3c,0x3c,0x44 +.byte 0x25,0x9f,0x9f,0xba, 0x4b,0xa8,0xa8,0xe3 +.byte 0xa2,0x51,0x51,0xf3, 0x5d,0xa3,0xa3,0xfe +.byte 0x80,0x40,0x40,0xc0, 0x05,0x8f,0x8f,0x8a +.byte 0x3f,0x92,0x92,0xad, 0x21,0x9d,0x9d,0xbc +.byte 0x70,0x38,0x38,0x48, 0xf1,0xf5,0xf5,0x04 +.byte 0x63,0xbc,0xbc,0xdf, 0x77,0xb6,0xb6,0xc1 +.byte 0xaf,0xda,0xda,0x75, 0x42,0x21,0x21,0x63 +.byte 0x20,0x10,0x10,0x30, 0xe5,0xff,0xff,0x1a +.byte 0xfd,0xf3,0xf3,0x0e, 0xbf,0xd2,0xd2,0x6d +.byte 0x81,0xcd,0xcd,0x4c, 0x18,0x0c,0x0c,0x14 +.byte 0x26,0x13,0x13,0x35, 0xc3,0xec,0xec,0x2f +.byte 0xbe,0x5f,0x5f,0xe1, 0x35,0x97,0x97,0xa2 +.byte 0x88,0x44,0x44,0xcc, 0x2e,0x17,0x17,0x39 +.byte 0x93,0xc4,0xc4,0x57, 0x55,0xa7,0xa7,0xf2 +.byte 0xfc,0x7e,0x7e,0x82, 0x7a,0x3d,0x3d,0x47 +.byte 0xc8,0x64,0x64,0xac, 0xba,0x5d,0x5d,0xe7 +.byte 0x32,0x19,0x19,0x2b, 0xe6,0x73,0x73,0x95 +.byte 0xc0,0x60,0x60,0xa0, 0x19,0x81,0x81,0x98 +.byte 0x9e,0x4f,0x4f,0xd1, 0xa3,0xdc,0xdc,0x7f +.byte 0x44,0x22,0x22,0x66, 0x54,0x2a,0x2a,0x7e +.byte 0x3b,0x90,0x90,0xab, 0x0b,0x88,0x88,0x83 +.byte 0x8c,0x46,0x46,0xca, 0xc7,0xee,0xee,0x29 +.byte 0x6b,0xb8,0xb8,0xd3, 0x28,0x14,0x14,0x3c +.byte 0xa7,0xde,0xde,0x79, 0xbc,0x5e,0x5e,0xe2 +.byte 0x16,0x0b,0x0b,0x1d, 0xad,0xdb,0xdb,0x76 +.byte 0xdb,0xe0,0xe0,0x3b, 0x64,0x32,0x32,0x56 +.byte 0x74,0x3a,0x3a,0x4e, 0x14,0x0a,0x0a,0x1e +.byte 0x92,0x49,0x49,0xdb, 0x0c,0x06,0x06,0x0a +.byte 0x48,0x24,0x24,0x6c, 0xb8,0x5c,0x5c,0xe4 +.byte 0x9f,0xc2,0xc2,0x5d, 0xbd,0xd3,0xd3,0x6e +.byte 0x43,0xac,0xac,0xef, 0xc4,0x62,0x62,0xa6 +.byte 0x39,0x91,0x91,0xa8, 0x31,0x95,0x95,0xa4 +.byte 0xd3,0xe4,0xe4,0x37, 0xf2,0x79,0x79,0x8b +.byte 
0xd5,0xe7,0xe7,0x32, 0x8b,0xc8,0xc8,0x43 +.byte 0x6e,0x37,0x37,0x59, 0xda,0x6d,0x6d,0xb7 +.byte 0x01,0x8d,0x8d,0x8c, 0xb1,0xd5,0xd5,0x64 +.byte 0x9c,0x4e,0x4e,0xd2, 0x49,0xa9,0xa9,0xe0 +.byte 0xd8,0x6c,0x6c,0xb4, 0xac,0x56,0x56,0xfa +.byte 0xf3,0xf4,0xf4,0x07, 0xcf,0xea,0xea,0x25 +.byte 0xca,0x65,0x65,0xaf, 0xf4,0x7a,0x7a,0x8e +.byte 0x47,0xae,0xae,0xe9, 0x10,0x08,0x08,0x18 +.byte 0x6f,0xba,0xba,0xd5, 0xf0,0x78,0x78,0x88 +.byte 0x4a,0x25,0x25,0x6f, 0x5c,0x2e,0x2e,0x72 +.byte 0x38,0x1c,0x1c,0x24, 0x57,0xa6,0xa6,0xf1 +.byte 0x73,0xb4,0xb4,0xc7, 0x97,0xc6,0xc6,0x51 +.byte 0xcb,0xe8,0xe8,0x23, 0xa1,0xdd,0xdd,0x7c +.byte 0xe8,0x74,0x74,0x9c, 0x3e,0x1f,0x1f,0x21 +.byte 0x96,0x4b,0x4b,0xdd, 0x61,0xbd,0xbd,0xdc +.byte 0x0d,0x8b,0x8b,0x86, 0x0f,0x8a,0x8a,0x85 +.byte 0xe0,0x70,0x70,0x90, 0x7c,0x3e,0x3e,0x42 +.byte 0x71,0xb5,0xb5,0xc4, 0xcc,0x66,0x66,0xaa +.byte 0x90,0x48,0x48,0xd8, 0x06,0x03,0x03,0x05 +.byte 0xf7,0xf6,0xf6,0x01, 0x1c,0x0e,0x0e,0x12 +.byte 0xc2,0x61,0x61,0xa3, 0x6a,0x35,0x35,0x5f +.byte 0xae,0x57,0x57,0xf9, 0x69,0xb9,0xb9,0xd0 +.byte 0x17,0x86,0x86,0x91, 0x99,0xc1,0xc1,0x58 +.byte 0x3a,0x1d,0x1d,0x27, 0x27,0x9e,0x9e,0xb9 +.byte 0xd9,0xe1,0xe1,0x38, 0xeb,0xf8,0xf8,0x13 +.byte 0x2b,0x98,0x98,0xb3, 0x22,0x11,0x11,0x33 +.byte 0xd2,0x69,0x69,0xbb, 0xa9,0xd9,0xd9,0x70 +.byte 0x07,0x8e,0x8e,0x89, 0x33,0x94,0x94,0xa7 +.byte 0x2d,0x9b,0x9b,0xb6, 0x3c,0x1e,0x1e,0x22 +.byte 0x15,0x87,0x87,0x92, 0xc9,0xe9,0xe9,0x20 +.byte 0x87,0xce,0xce,0x49, 0xaa,0x55,0x55,0xff +.byte 0x50,0x28,0x28,0x78, 0xa5,0xdf,0xdf,0x7a +.byte 0x03,0x8c,0x8c,0x8f, 0x59,0xa1,0xa1,0xf8 +.byte 0x09,0x89,0x89,0x80, 0x1a,0x0d,0x0d,0x17 +.byte 0x65,0xbf,0xbf,0xda, 0xd7,0xe6,0xe6,0x31 +.byte 0x84,0x42,0x42,0xc6, 0xd0,0x68,0x68,0xb8 +.byte 0x82,0x41,0x41,0xc3, 0x29,0x99,0x99,0xb0 +.byte 0x5a,0x2d,0x2d,0x77, 0x1e,0x0f,0x0f,0x11 +.byte 0x7b,0xb0,0xb0,0xcb, 0xa8,0x54,0x54,0xfc +.byte 0x6d,0xbb,0xbb,0xd6, 0x2c,0x16,0x16,0x3a + +.byte 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5 # Te4 +.byte 0x30, 0x01, 0x67, 
0x2b, 0xfe, 0xd7, 0xab, 0x76 +.byte 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0 +.byte 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0 +.byte 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc +.byte 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15 +.byte 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a +.byte 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75 +.byte 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0 +.byte 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84 +.byte 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b +.byte 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf +.byte 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85 +.byte 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8 +.byte 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5 +.byte 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2 +.byte 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17 +.byte 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73 +.byte 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88 +.byte 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb +.byte 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c +.byte 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79 +.byte 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9 +.byte 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08 +.byte 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6 +.byte 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a +.byte 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e +.byte 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e +.byte 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94 +.byte 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf +.byte 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68 +.byte 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 + +.byte 0x01,0x00,0x00,0x00, 0x02,0x00,0x00,0x00 # rcon +.byte 0x04,0x00,0x00,0x00, 0x08,0x00,0x00,0x00 +.byte 0x10,0x00,0x00,0x00, 0x20,0x00,0x00,0x00 +.byte 0x40,0x00,0x00,0x00, 0x80,0x00,0x00,0x00 +.byte 0x1B,0x00,0x00,0x00, 0x36,0x00,0x00,0x00 + +.align 6 +AES_Td: +.byte 0x51,0xf4,0xa7,0x50, 0x7e,0x41,0x65,0x53 # Td0 +.byte 
0x1a,0x17,0xa4,0xc3, 0x3a,0x27,0x5e,0x96 +.byte 0x3b,0xab,0x6b,0xcb, 0x1f,0x9d,0x45,0xf1 +.byte 0xac,0xfa,0x58,0xab, 0x4b,0xe3,0x03,0x93 +.byte 0x20,0x30,0xfa,0x55, 0xad,0x76,0x6d,0xf6 +.byte 0x88,0xcc,0x76,0x91, 0xf5,0x02,0x4c,0x25 +.byte 0x4f,0xe5,0xd7,0xfc, 0xc5,0x2a,0xcb,0xd7 +.byte 0x26,0x35,0x44,0x80, 0xb5,0x62,0xa3,0x8f +.byte 0xde,0xb1,0x5a,0x49, 0x25,0xba,0x1b,0x67 +.byte 0x45,0xea,0x0e,0x98, 0x5d,0xfe,0xc0,0xe1 +.byte 0xc3,0x2f,0x75,0x02, 0x81,0x4c,0xf0,0x12 +.byte 0x8d,0x46,0x97,0xa3, 0x6b,0xd3,0xf9,0xc6 +.byte 0x03,0x8f,0x5f,0xe7, 0x15,0x92,0x9c,0x95 +.byte 0xbf,0x6d,0x7a,0xeb, 0x95,0x52,0x59,0xda +.byte 0xd4,0xbe,0x83,0x2d, 0x58,0x74,0x21,0xd3 +.byte 0x49,0xe0,0x69,0x29, 0x8e,0xc9,0xc8,0x44 +.byte 0x75,0xc2,0x89,0x6a, 0xf4,0x8e,0x79,0x78 +.byte 0x99,0x58,0x3e,0x6b, 0x27,0xb9,0x71,0xdd +.byte 0xbe,0xe1,0x4f,0xb6, 0xf0,0x88,0xad,0x17 +.byte 0xc9,0x20,0xac,0x66, 0x7d,0xce,0x3a,0xb4 +.byte 0x63,0xdf,0x4a,0x18, 0xe5,0x1a,0x31,0x82 +.byte 0x97,0x51,0x33,0x60, 0x62,0x53,0x7f,0x45 +.byte 0xb1,0x64,0x77,0xe0, 0xbb,0x6b,0xae,0x84 +.byte 0xfe,0x81,0xa0,0x1c, 0xf9,0x08,0x2b,0x94 +.byte 0x70,0x48,0x68,0x58, 0x8f,0x45,0xfd,0x19 +.byte 0x94,0xde,0x6c,0x87, 0x52,0x7b,0xf8,0xb7 +.byte 0xab,0x73,0xd3,0x23, 0x72,0x4b,0x02,0xe2 +.byte 0xe3,0x1f,0x8f,0x57, 0x66,0x55,0xab,0x2a +.byte 0xb2,0xeb,0x28,0x07, 0x2f,0xb5,0xc2,0x03 +.byte 0x86,0xc5,0x7b,0x9a, 0xd3,0x37,0x08,0xa5 +.byte 0x30,0x28,0x87,0xf2, 0x23,0xbf,0xa5,0xb2 +.byte 0x02,0x03,0x6a,0xba, 0xed,0x16,0x82,0x5c +.byte 0x8a,0xcf,0x1c,0x2b, 0xa7,0x79,0xb4,0x92 +.byte 0xf3,0x07,0xf2,0xf0, 0x4e,0x69,0xe2,0xa1 +.byte 0x65,0xda,0xf4,0xcd, 0x06,0x05,0xbe,0xd5 +.byte 0xd1,0x34,0x62,0x1f, 0xc4,0xa6,0xfe,0x8a +.byte 0x34,0x2e,0x53,0x9d, 0xa2,0xf3,0x55,0xa0 +.byte 0x05,0x8a,0xe1,0x32, 0xa4,0xf6,0xeb,0x75 +.byte 0x0b,0x83,0xec,0x39, 0x40,0x60,0xef,0xaa +.byte 0x5e,0x71,0x9f,0x06, 0xbd,0x6e,0x10,0x51 +.byte 0x3e,0x21,0x8a,0xf9, 0x96,0xdd,0x06,0x3d +.byte 0xdd,0x3e,0x05,0xae, 0x4d,0xe6,0xbd,0x46 +.byte 0x91,0x54,0x8d,0xb5, 
0x71,0xc4,0x5d,0x05 +.byte 0x04,0x06,0xd4,0x6f, 0x60,0x50,0x15,0xff +.byte 0x19,0x98,0xfb,0x24, 0xd6,0xbd,0xe9,0x97 +.byte 0x89,0x40,0x43,0xcc, 0x67,0xd9,0x9e,0x77 +.byte 0xb0,0xe8,0x42,0xbd, 0x07,0x89,0x8b,0x88 +.byte 0xe7,0x19,0x5b,0x38, 0x79,0xc8,0xee,0xdb +.byte 0xa1,0x7c,0x0a,0x47, 0x7c,0x42,0x0f,0xe9 +.byte 0xf8,0x84,0x1e,0xc9, 0x00,0x00,0x00,0x00 +.byte 0x09,0x80,0x86,0x83, 0x32,0x2b,0xed,0x48 +.byte 0x1e,0x11,0x70,0xac, 0x6c,0x5a,0x72,0x4e +.byte 0xfd,0x0e,0xff,0xfb, 0x0f,0x85,0x38,0x56 +.byte 0x3d,0xae,0xd5,0x1e, 0x36,0x2d,0x39,0x27 +.byte 0x0a,0x0f,0xd9,0x64, 0x68,0x5c,0xa6,0x21 +.byte 0x9b,0x5b,0x54,0xd1, 0x24,0x36,0x2e,0x3a +.byte 0x0c,0x0a,0x67,0xb1, 0x93,0x57,0xe7,0x0f +.byte 0xb4,0xee,0x96,0xd2, 0x1b,0x9b,0x91,0x9e +.byte 0x80,0xc0,0xc5,0x4f, 0x61,0xdc,0x20,0xa2 +.byte 0x5a,0x77,0x4b,0x69, 0x1c,0x12,0x1a,0x16 +.byte 0xe2,0x93,0xba,0x0a, 0xc0,0xa0,0x2a,0xe5 +.byte 0x3c,0x22,0xe0,0x43, 0x12,0x1b,0x17,0x1d +.byte 0x0e,0x09,0x0d,0x0b, 0xf2,0x8b,0xc7,0xad +.byte 0x2d,0xb6,0xa8,0xb9, 0x14,0x1e,0xa9,0xc8 +.byte 0x57,0xf1,0x19,0x85, 0xaf,0x75,0x07,0x4c +.byte 0xee,0x99,0xdd,0xbb, 0xa3,0x7f,0x60,0xfd +.byte 0xf7,0x01,0x26,0x9f, 0x5c,0x72,0xf5,0xbc +.byte 0x44,0x66,0x3b,0xc5, 0x5b,0xfb,0x7e,0x34 +.byte 0x8b,0x43,0x29,0x76, 0xcb,0x23,0xc6,0xdc +.byte 0xb6,0xed,0xfc,0x68, 0xb8,0xe4,0xf1,0x63 +.byte 0xd7,0x31,0xdc,0xca, 0x42,0x63,0x85,0x10 +.byte 0x13,0x97,0x22,0x40, 0x84,0xc6,0x11,0x20 +.byte 0x85,0x4a,0x24,0x7d, 0xd2,0xbb,0x3d,0xf8 +.byte 0xae,0xf9,0x32,0x11, 0xc7,0x29,0xa1,0x6d +.byte 0x1d,0x9e,0x2f,0x4b, 0xdc,0xb2,0x30,0xf3 +.byte 0x0d,0x86,0x52,0xec, 0x77,0xc1,0xe3,0xd0 +.byte 0x2b,0xb3,0x16,0x6c, 0xa9,0x70,0xb9,0x99 +.byte 0x11,0x94,0x48,0xfa, 0x47,0xe9,0x64,0x22 +.byte 0xa8,0xfc,0x8c,0xc4, 0xa0,0xf0,0x3f,0x1a +.byte 0x56,0x7d,0x2c,0xd8, 0x22,0x33,0x90,0xef +.byte 0x87,0x49,0x4e,0xc7, 0xd9,0x38,0xd1,0xc1 +.byte 0x8c,0xca,0xa2,0xfe, 0x98,0xd4,0x0b,0x36 +.byte 0xa6,0xf5,0x81,0xcf, 0xa5,0x7a,0xde,0x28 +.byte 0xda,0xb7,0x8e,0x26, 0x3f,0xad,0xbf,0xa4 +.byte 
0x2c,0x3a,0x9d,0xe4, 0x50,0x78,0x92,0x0d +.byte 0x6a,0x5f,0xcc,0x9b, 0x54,0x7e,0x46,0x62 +.byte 0xf6,0x8d,0x13,0xc2, 0x90,0xd8,0xb8,0xe8 +.byte 0x2e,0x39,0xf7,0x5e, 0x82,0xc3,0xaf,0xf5 +.byte 0x9f,0x5d,0x80,0xbe, 0x69,0xd0,0x93,0x7c +.byte 0x6f,0xd5,0x2d,0xa9, 0xcf,0x25,0x12,0xb3 +.byte 0xc8,0xac,0x99,0x3b, 0x10,0x18,0x7d,0xa7 +.byte 0xe8,0x9c,0x63,0x6e, 0xdb,0x3b,0xbb,0x7b +.byte 0xcd,0x26,0x78,0x09, 0x6e,0x59,0x18,0xf4 +.byte 0xec,0x9a,0xb7,0x01, 0x83,0x4f,0x9a,0xa8 +.byte 0xe6,0x95,0x6e,0x65, 0xaa,0xff,0xe6,0x7e +.byte 0x21,0xbc,0xcf,0x08, 0xef,0x15,0xe8,0xe6 +.byte 0xba,0xe7,0x9b,0xd9, 0x4a,0x6f,0x36,0xce +.byte 0xea,0x9f,0x09,0xd4, 0x29,0xb0,0x7c,0xd6 +.byte 0x31,0xa4,0xb2,0xaf, 0x2a,0x3f,0x23,0x31 +.byte 0xc6,0xa5,0x94,0x30, 0x35,0xa2,0x66,0xc0 +.byte 0x74,0x4e,0xbc,0x37, 0xfc,0x82,0xca,0xa6 +.byte 0xe0,0x90,0xd0,0xb0, 0x33,0xa7,0xd8,0x15 +.byte 0xf1,0x04,0x98,0x4a, 0x41,0xec,0xda,0xf7 +.byte 0x7f,0xcd,0x50,0x0e, 0x17,0x91,0xf6,0x2f +.byte 0x76,0x4d,0xd6,0x8d, 0x43,0xef,0xb0,0x4d +.byte 0xcc,0xaa,0x4d,0x54, 0xe4,0x96,0x04,0xdf +.byte 0x9e,0xd1,0xb5,0xe3, 0x4c,0x6a,0x88,0x1b +.byte 0xc1,0x2c,0x1f,0xb8, 0x46,0x65,0x51,0x7f +.byte 0x9d,0x5e,0xea,0x04, 0x01,0x8c,0x35,0x5d +.byte 0xfa,0x87,0x74,0x73, 0xfb,0x0b,0x41,0x2e +.byte 0xb3,0x67,0x1d,0x5a, 0x92,0xdb,0xd2,0x52 +.byte 0xe9,0x10,0x56,0x33, 0x6d,0xd6,0x47,0x13 +.byte 0x9a,0xd7,0x61,0x8c, 0x37,0xa1,0x0c,0x7a +.byte 0x59,0xf8,0x14,0x8e, 0xeb,0x13,0x3c,0x89 +.byte 0xce,0xa9,0x27,0xee, 0xb7,0x61,0xc9,0x35 +.byte 0xe1,0x1c,0xe5,0xed, 0x7a,0x47,0xb1,0x3c +.byte 0x9c,0xd2,0xdf,0x59, 0x55,0xf2,0x73,0x3f +.byte 0x18,0x14,0xce,0x79, 0x73,0xc7,0x37,0xbf +.byte 0x53,0xf7,0xcd,0xea, 0x5f,0xfd,0xaa,0x5b +.byte 0xdf,0x3d,0x6f,0x14, 0x78,0x44,0xdb,0x86 +.byte 0xca,0xaf,0xf3,0x81, 0xb9,0x68,0xc4,0x3e +.byte 0x38,0x24,0x34,0x2c, 0xc2,0xa3,0x40,0x5f +.byte 0x16,0x1d,0xc3,0x72, 0xbc,0xe2,0x25,0x0c +.byte 0x28,0x3c,0x49,0x8b, 0xff,0x0d,0x95,0x41 +.byte 0x39,0xa8,0x01,0x71, 0x08,0x0c,0xb3,0xde +.byte 0xd8,0xb4,0xe4,0x9c, 
0x64,0x56,0xc1,0x90 +.byte 0x7b,0xcb,0x84,0x61, 0xd5,0x32,0xb6,0x70 +.byte 0x48,0x6c,0x5c,0x74, 0xd0,0xb8,0x57,0x42 + +.byte 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38 # Td4 +.byte 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb +.byte 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87 +.byte 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb +.byte 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d +.byte 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e +.byte 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2 +.byte 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25 +.byte 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16 +.byte 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92 +.byte 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda +.byte 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84 +.byte 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a +.byte 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06 +.byte 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02 +.byte 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b +.byte 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea +.byte 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73 +.byte 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85 +.byte 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e +.byte 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89 +.byte 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b +.byte 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20 +.byte 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4 +.byte 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31 +.byte 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f +.byte 0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d +.byte 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef +.byte 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0 +.byte 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61 +.byte 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26 +.byte 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d +#if defined(HAVE_GNU_STACK) +.section .note.GNU-stack,"",%progbits +#endif 
diff --git a/crypto/aes/aes_core.c b/crypto/aes/aes_core.c
index 1b8a24c..e3fdb4f 100644
--- a/crypto/aes/aes_core.c
+++ b/crypto/aes/aes_core.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_core.c,v 1.13 2015/11/05 21:59:13 miod Exp $ */
+/* $OpenBSD: aes_core.c,v 1.14 2022/11/26 16:08:50 tb Exp $ */
 /**
 * rijndael-alg-fst.c
 *
@@ -36,7 +36,7 @@
 #include
 #include
-#include "aes_locl.h"
+#include "aes_local.h"
 #ifndef AES_ASM
 /*
diff --git a/crypto/aes/aes_ecb.c b/crypto/aes/aes_ecb.c
index b05e539..e3bb40b 100644
--- a/crypto/aes/aes_ecb.c
+++ b/crypto/aes/aes_ecb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_ecb.c,v 1.6 2015/02/10 09:46:30 miod Exp $ */
+/* $OpenBSD: aes_ecb.c,v 1.7 2022/11/26 16:08:50 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved.
 *
@@ -56,7 +56,7 @@
 #endif
 #include
-#include "aes_locl.h"
+#include "aes_local.h"
 void
 AES_ecb_encrypt(const unsigned char *in, unsigned char *out,
diff --git a/crypto/aes/aes_ige.c b/crypto/aes/aes_ige.c
index 244a5a3..ef7d766 100644
--- a/crypto/aes/aes_ige.c
+++ b/crypto/aes/aes_ige.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: aes_ige.c,v 1.8 2022/01/22 00:43:41 inoguchi Exp $ */
+/* $OpenBSD: aes_ige.c,v 1.9 2022/11/26 16:08:50 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
 *
@@ -52,7 +52,7 @@
 #include
 #include
-#include "aes_locl.h"
+#include "aes_local.h"
 #define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))
 typedef struct {
diff --git a/crypto/aes/aes_locl.h b/crypto/aes/aes_local.h
similarity index 95%
rename from crypto/aes/aes_locl.h
rename to crypto/aes/aes_local.h
index c47f65d..ef74e71 100644
--- a/crypto/aes/aes_locl.h
+++ b/crypto/aes/aes_local.h
@@ -1,4 +1,4 @@ -/* $OpenBSD: aes_locl.h,v 1.11 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: aes_local.h,v 1.2 2022/11/26 17:23:17 tb Exp $ */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * @@ -49,8 +49,8 @@ * */ -#ifndef HEADER_AES_LOCL_H -#define HEADER_AES_LOCL_H +#ifndef HEADER_AES_LOCAL_H +#define HEADER_AES_LOCAL_H #include @@ -80,4 +80,4 @@ typedef unsigned char u8; __END_HIDDEN_DECLS -#endif /* !HEADER_AES_LOCL_H */ +#endif /* !HEADER_AES_LOCAL_H */ diff --git a/crypto/aes/aes_misc.c b/crypto/aes/aes_misc.c index 6c1506d..4ed55b1 100644 --- a/crypto/aes/aes_misc.c +++ b/crypto/aes/aes_misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: aes_misc.c,v 1.10 2014/07/09 11:10:50 bcook Exp $ */ +/* $OpenBSD: aes_misc.c,v 1.11 2022/11/26 16:08:50 tb Exp $ */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * @@ -52,7 +52,7 @@ #include #include #include -#include "aes_locl.h" +#include "aes_local.h" const char * AES_options(void) diff --git a/crypto/aes/aesni-elf-x86_64.S b/crypto/aes/aesni-elf-x86_64.S index 3b3dabf..ebcc6a3 100644 --- a/crypto/aes/aesni-elf-x86_64.S +++ b/crypto/aes/aesni-elf-x86_64.S @@ -4,6 +4,7 @@ .type aesni_encrypt,@function .align 16 aesni_encrypt: + endbr64 movups (%rdi),%xmm2 movl 240(%rdx),%eax movups (%rdx),%xmm0 @@ -25,6 +26,7 @@ aesni_encrypt: .type aesni_decrypt,@function .align 16 aesni_decrypt: + endbr64 movups (%rdi),%xmm2 movl 240(%rdx),%eax movups (%rdx),%xmm0 @@ -44,6 +46,7 @@ aesni_decrypt: .type _aesni_encrypt3,@function .align 16 _aesni_encrypt3: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -77,6 +80,7 @@ _aesni_encrypt3: .type _aesni_decrypt3,@function .align 16 _aesni_decrypt3: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 
@@ -110,6 +114,7 @@ _aesni_decrypt3: .type _aesni_encrypt4,@function .align 16 _aesni_encrypt4: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -148,6 +153,7 @@ _aesni_encrypt4: .type _aesni_decrypt4,@function .align 16 _aesni_decrypt4: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -186,6 +192,7 @@ _aesni_decrypt4: .type _aesni_encrypt6,@function .align 16 _aesni_encrypt6: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -243,6 +250,7 @@ _aesni_encrypt6: .type _aesni_decrypt6,@function .align 16 _aesni_decrypt6: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -300,6 +308,7 @@ _aesni_decrypt6: .type _aesni_encrypt8,@function .align 16 _aesni_encrypt8: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -370,6 +379,7 @@ _aesni_encrypt8: .type _aesni_decrypt8,@function .align 16 _aesni_decrypt8: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -441,6 +451,7 @@ _aesni_decrypt8: .type aesni_ecb_encrypt,@function .align 16 aesni_ecb_encrypt: + endbr64 andq $-16,%rdx jz .Lecb_ret @@ -743,6 +754,7 @@ aesni_ecb_encrypt: .type aesni_ccm64_encrypt_blocks,@function .align 16 aesni_ccm64_encrypt_blocks: + endbr64 movl 240(%rcx),%eax movdqu (%r8),%xmm9 movdqa .Lincrement64(%rip),%xmm6 @@ -887,6 +899,10 @@ aesni_ccm64_decrypt_blocks: .type aesni_ctr32_encrypt_blocks,@function .align 16 aesni_ctr32_encrypt_blocks: + leaq (%rsp),%rax + pushq %rbp + subq $32,%rsp + leaq -8(%rax),%rbp cmpq $1,%rdx je .Lctr32_one_shortcut @@ -911,9 +927,9 @@ aesni_ctr32_encrypt_blocks: .byte 102,69,15,58,34,226,2 incq %r11 .byte 102,69,15,58,34,235,2 - movdqa %xmm12,-40(%rsp) + movdqa %xmm12,0(%rsp) .byte 102,69,15,56,0,231 - movdqa %xmm13,-24(%rsp) + movdqa %xmm13,16(%rsp) .byte 102,69,15,56,0,239 pshufd $192,%xmm12,%xmm2 
@@ -953,7 +969,7 @@ aesni_ctr32_encrypt_blocks: movdqa .Lincrement32(%rip),%xmm13 pxor %xmm0,%xmm5 aesenc %xmm1,%xmm4 - movdqa -40(%rsp),%xmm12 + movdqa (%rsp),%xmm12 pxor %xmm0,%xmm6 aesenc %xmm1,%xmm5 pxor %xmm0,%xmm7 @@ -986,11 +1002,11 @@ aesni_ctr32_encrypt_blocks: aesenc %xmm1,%xmm2 paddd %xmm13,%xmm12 aesenc %xmm1,%xmm3 - paddd -24(%rsp),%xmm13 + paddd 16(%rsp),%xmm13 aesenc %xmm1,%xmm4 - movdqa %xmm12,-40(%rsp) + movdqa %xmm12,0(%rsp) aesenc %xmm1,%xmm5 - movdqa %xmm13,-24(%rsp) + movdqa %xmm13,16(%rsp) aesenc %xmm1,%xmm6 .byte 102,69,15,56,0,231 aesenc %xmm1,%xmm7 @@ -1129,13 +1145,19 @@ aesni_ctr32_encrypt_blocks: movups %xmm11,48(%rsi) .Lctr32_done: + leaq (%rbp),%rsp + popq %rbp +.Lctr32_ret: retq .size aesni_ctr32_encrypt_blocks,.-aesni_ctr32_encrypt_blocks .globl aesni_xts_encrypt .type aesni_xts_encrypt,@function .align 16 aesni_xts_encrypt: - leaq -104(%rsp),%rsp + leaq (%rsp),%rax + pushq %rbp + subq $96,%rsp + leaq -8(%rax),%rbp movups (%r9),%xmm15 movl 240(%r8),%eax movl 240(%rcx),%r10d @@ -1523,7 +1545,8 @@ aesni_xts_encrypt: movups %xmm2,-16(%rsi) .Lxts_enc_ret: - leaq 104(%rsp),%rsp + leaq (%rbp),%rsp + popq %rbp .Lxts_enc_epilogue: retq .size aesni_xts_encrypt,.-aesni_xts_encrypt @@ -1531,7 +1554,10 @@ aesni_xts_encrypt: .type aesni_xts_decrypt,@function .align 16 aesni_xts_decrypt: - leaq -104(%rsp),%rsp + leaq (%rsp),%rax + pushq %rbp + subq $96,%rsp + leaq -8(%rax),%rbp movups (%r9),%xmm15 movl 240(%r8),%eax movl 240(%rcx),%r10d @@ -1963,7 +1989,8 @@ aesni_xts_decrypt: movups %xmm2,(%rsi) .Lxts_dec_ret: - leaq 104(%rsp),%rsp + leaq (%rbp),%rsp + popq %rbp .Lxts_dec_epilogue: retq .size aesni_xts_decrypt,.-aesni_xts_decrypt @@ -2030,6 +2057,10 @@ aesni_cbc_encrypt: .align 16 .Lcbc_decrypt: + leaq (%rsp),%rax + pushq %rbp + subq $16,%rsp + leaq -8(%rax),%rbp movups (%r8),%xmm9 movl %r10d,%eax cmpq $112,%rdx 
@@ -2037,11 +2068,11 @@ aesni_cbc_encrypt: shrl $1,%r10d subq $112,%rdx movl %r10d,%eax - movaps %xmm9,-24(%rsp) + movaps %xmm9,(%rsp) jmp .Lcbc_dec_loop8_enter .align 16 .Lcbc_dec_loop8: - movaps %xmm0,-24(%rsp) + movaps %xmm0,(%rsp) movups %xmm9,(%rsi) leaq 16(%rsi),%rsi .Lcbc_dec_loop8_enter: @@ -2081,7 +2112,7 @@ aesni_cbc_encrypt: movups (%rdi),%xmm1 movups 16(%rdi),%xmm0 - xorps -24(%rsp),%xmm2 + xorps (%rsp),%xmm2 xorps %xmm1,%xmm3 movups 32(%rdi),%xmm1 xorps %xmm0,%xmm4 @@ -2145,11 +2176,11 @@ aesni_cbc_encrypt: jbe .Lcbc_dec_six movups 96(%rdi),%xmm8 - movaps %xmm9,-24(%rsp) + movaps %xmm9,(%rsp) call _aesni_decrypt8 movups (%rdi),%xmm1 movups 16(%rdi),%xmm0 - xorps -24(%rsp),%xmm2 + xorps (%rsp),%xmm2 xorps %xmm1,%xmm3 movups 32(%rdi),%xmm1 xorps %xmm0,%xmm4 @@ -2281,14 +2312,16 @@ aesni_cbc_encrypt: jmp .Lcbc_dec_ret .align 16 .Lcbc_dec_tail_partial: - movaps %xmm2,-24(%rsp) + movaps %xmm2,(%rsp) movq $16,%rcx movq %rsi,%rdi subq %rdx,%rcx - leaq -24(%rsp),%rsi + leaq (%rsp),%rsi .long 0x9066A4F3 .Lcbc_dec_ret: + leaq (%rbp),%rsp + popq %rbp .Lcbc_ret: retq .size aesni_cbc_encrypt,.-aesni_cbc_encrypt @@ -2296,6 +2329,7 @@ aesni_cbc_encrypt: .type aesni_set_decrypt_key,@function .align 16 aesni_set_decrypt_key: + endbr64 subq $8,%rsp call __aesni_set_encrypt_key shll $4,%esi @@ -2334,6 +2368,7 @@ aesni_set_decrypt_key: .type aesni_set_encrypt_key,@function .align 16 aesni_set_encrypt_key: + endbr64 __aesni_set_encrypt_key: subq $8,%rsp movq $-1,%rax @@ -2522,6 +2557,7 @@ __aesni_set_encrypt_key: retq .size aesni_set_encrypt_key,.-aesni_set_encrypt_key .size __aesni_set_encrypt_key,.-__aesni_set_encrypt_key +.section .rodata .align 64 .Lbswap_mask: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 
@@ -2531,9 +2567,8 @@ __aesni_set_encrypt_key: .long 1,0,0,0 .Lxts_magic: .long 0x87,0,1,0 - -.byte 65,69,83,32,102,111,114,32,73,110,116,101,108,32,65,69,83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 64 +.text #if defined(HAVE_GNU_STACK) .section .note.GNU-stack,"",%progbits #endif diff --git a/crypto/aes/aesni-macosx-x86_64.S b/crypto/aes/aesni-macosx-x86_64.S index 6b3216b..ba8b32e 100644 --- a/crypto/aes/aesni-macosx-x86_64.S +++ b/crypto/aes/aesni-macosx-x86_64.S @@ -4,6 +4,7 @@ .p2align 4 _aesni_encrypt: + movups (%rdi),%xmm2 movl 240(%rdx),%eax movups (%rdx),%xmm0 @@ -25,6 +26,7 @@ L$oop_enc1_1: .p2align 4 _aesni_decrypt: + movups (%rdi),%xmm2 movl 240(%rdx),%eax movups (%rdx),%xmm0 @@ -44,6 +46,7 @@ L$oop_dec1_2: .p2align 4 _aesni_encrypt3: + movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -77,6 +80,7 @@ L$enc_loop3: .p2align 4 _aesni_decrypt3: + movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -110,6 +114,7 @@ L$dec_loop3: .p2align 4 _aesni_encrypt4: + movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -148,6 +153,7 @@ L$enc_loop4: .p2align 4 _aesni_decrypt4: + movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -186,6 +192,7 @@ L$dec_loop4: .p2align 4 _aesni_encrypt6: + movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -243,6 +250,7 @@ L$enc_loop6_enter: .p2align 4 _aesni_decrypt6: + movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -300,6 +308,7 @@ L$dec_loop6_enter: .p2align 4 _aesni_encrypt8: + movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -370,6 +379,7 @@ L$enc_loop8_enter: .p2align 4 _aesni_decrypt8: + movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -441,6 +451,7 @@ L$dec_loop8_enter: .p2align 4 _aesni_ecb_encrypt: + andq $-16,%rdx jz L$ecb_ret @@ -743,6 +754,7 @@ L$ecb_ret: .p2align 4 _aesni_ccm64_encrypt_blocks: + movl 240(%rcx),%eax movdqu (%r8),%xmm9 movdqa L$increment64(%rip),%xmm6 
@@ -887,6 +899,10 @@ L$oop_enc1_6: .p2align 4 _aesni_ctr32_encrypt_blocks: + leaq (%rsp),%rax + pushq %rbp + subq $32,%rsp + leaq -8(%rax),%rbp cmpq $1,%rdx je L$ctr32_one_shortcut @@ -911,9 +927,9 @@ _aesni_ctr32_encrypt_blocks: .byte 102,69,15,58,34,226,2 incq %r11 .byte 102,69,15,58,34,235,2 - movdqa %xmm12,-40(%rsp) + movdqa %xmm12,0(%rsp) .byte 102,69,15,56,0,231 - movdqa %xmm13,-24(%rsp) + movdqa %xmm13,16(%rsp) .byte 102,69,15,56,0,239 pshufd $192,%xmm12,%xmm2 @@ -953,7 +969,7 @@ L$ctr32_loop6: movdqa L$increment32(%rip),%xmm13 pxor %xmm0,%xmm5 aesenc %xmm1,%xmm4 - movdqa -40(%rsp),%xmm12 + movdqa (%rsp),%xmm12 pxor %xmm0,%xmm6 aesenc %xmm1,%xmm5 pxor %xmm0,%xmm7 @@ -986,11 +1002,11 @@ L$ctr32_enc_loop6_enter: aesenc %xmm1,%xmm2 paddd %xmm13,%xmm12 aesenc %xmm1,%xmm3 - paddd -24(%rsp),%xmm13 + paddd 16(%rsp),%xmm13 aesenc %xmm1,%xmm4 - movdqa %xmm12,-40(%rsp) + movdqa %xmm12,0(%rsp) aesenc %xmm1,%xmm5 - movdqa %xmm13,-24(%rsp) + movdqa %xmm13,16(%rsp) aesenc %xmm1,%xmm6 .byte 102,69,15,56,0,231 aesenc %xmm1,%xmm7 @@ -1129,13 +1145,19 @@ L$ctr32_four: movups %xmm11,48(%rsi) L$ctr32_done: + leaq (%rbp),%rsp + popq %rbp +L$ctr32_ret: retq .globl _aesni_xts_encrypt .p2align 4 _aesni_xts_encrypt: - leaq -104(%rsp),%rsp + leaq (%rsp),%rax + pushq %rbp + subq $96,%rsp + leaq -8(%rax),%rbp movups (%r9),%xmm15 movl 240(%r8),%eax movl 240(%rcx),%r10d @@ -1523,7 +1545,8 @@ L$oop_enc1_10: movups %xmm2,-16(%rsi) L$xts_enc_ret: - leaq 104(%rsp),%rsp + leaq (%rbp),%rsp + popq %rbp L$xts_enc_epilogue: retq @@ -1531,7 +1554,10 @@ L$xts_enc_epilogue: .p2align 4 _aesni_xts_decrypt: - leaq -104(%rsp),%rsp + leaq (%rsp),%rax + pushq %rbp + subq $96,%rsp + leaq -8(%rax),%rbp movups (%r9),%xmm15 movl 240(%r8),%eax movl 240(%rcx),%r10d @@ -1963,7 +1989,8 @@ L$oop_dec1_14: movups %xmm2,(%rsi) L$xts_dec_ret: - leaq 104(%rsp),%rsp + leaq (%rbp),%rsp + popq %rbp L$xts_dec_epilogue: retq 
@@ -2030,6 +2057,10 @@ L$cbc_enc_tail: .p2align 4 L$cbc_decrypt: + leaq (%rsp),%rax + pushq %rbp + subq $16,%rsp + leaq -8(%rax),%rbp movups (%r8),%xmm9 movl %r10d,%eax cmpq $112,%rdx @@ -2037,11 +2068,11 @@ L$cbc_decrypt: shrl $1,%r10d subq $112,%rdx movl %r10d,%eax - movaps %xmm9,-24(%rsp) + movaps %xmm9,(%rsp) jmp L$cbc_dec_loop8_enter .p2align 4 L$cbc_dec_loop8: - movaps %xmm0,-24(%rsp) + movaps %xmm0,(%rsp) movups %xmm9,(%rsi) leaq 16(%rsi),%rsi L$cbc_dec_loop8_enter: @@ -2081,7 +2112,7 @@ L$cbc_dec_loop8_enter: movups (%rdi),%xmm1 movups 16(%rdi),%xmm0 - xorps -24(%rsp),%xmm2 + xorps (%rsp),%xmm2 xorps %xmm1,%xmm3 movups 32(%rdi),%xmm1 xorps %xmm0,%xmm4 @@ -2145,11 +2176,11 @@ L$cbc_dec_tail: jbe L$cbc_dec_six movups 96(%rdi),%xmm8 - movaps %xmm9,-24(%rsp) + movaps %xmm9,(%rsp) call _aesni_decrypt8 movups (%rdi),%xmm1 movups 16(%rdi),%xmm0 - xorps -24(%rsp),%xmm2 + xorps (%rsp),%xmm2 xorps %xmm1,%xmm3 movups 32(%rdi),%xmm1 xorps %xmm0,%xmm4 @@ -2281,14 +2312,16 @@ L$cbc_dec_tail_collected: jmp L$cbc_dec_ret .p2align 4 L$cbc_dec_tail_partial: - movaps %xmm2,-24(%rsp) + movaps %xmm2,(%rsp) movq $16,%rcx movq %rsi,%rdi subq %rdx,%rcx - leaq -24(%rsp),%rsi + leaq (%rsp),%rsi .long 0x9066A4F3 L$cbc_dec_ret: + leaq (%rbp),%rsp + popq %rbp L$cbc_ret: retq @@ -2296,6 +2329,7 @@ L$cbc_ret: .p2align 4 _aesni_set_decrypt_key: + subq $8,%rsp call __aesni_set_encrypt_key shll $4,%esi @@ -2334,6 +2368,7 @@ L$SEH_end_set_decrypt_key: .p2align 4 _aesni_set_encrypt_key: + __aesni_set_encrypt_key: subq $8,%rsp movq $-1,%rax @@ -2522,6 +2557,7 @@ L$key_expansion_256b: retq +.section __DATA,__const .p2align 6 L$bswap_mask: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 @@ -2531,6 +2567,5 @@ L$increment64: .long 1,0,0,0 L$xts_magic: .long 0x87,0,1,0 - -.byte 65,69,83,32,102,111,114,32,73,110,116,101,108,32,65,69,83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .p2align 6 +.text 
diff --git a/crypto/aes/aesni-masm-x86_64.S b/crypto/aes/aesni-masm-x86_64.S index 7c9224f..fa64d45 100644 --- a/crypto/aes/aesni-masm-x86_64.S +++ b/crypto/aes/aesni-masm-x86_64.S @@ -72,6 +72,7 @@ PUBLIC aesni_encrypt ALIGN 16 aesni_encrypt PROC PUBLIC + endbr64 movups xmm2,XMMWORD PTR[rcx] mov eax,DWORD PTR[240+r8] movups xmm0,XMMWORD PTR[r8] @@ -93,6 +94,7 @@ PUBLIC aesni_decrypt ALIGN 16 aesni_decrypt PROC PUBLIC + endbr64 movups xmm2,XMMWORD PTR[rcx] mov eax,DWORD PTR[240+r8] movups xmm0,XMMWORD PTR[r8] @@ -112,6 +114,7 @@ aesni_decrypt ENDP ALIGN 16 _aesni_encrypt3 PROC PRIVATE + endbr64 movups xmm0,XMMWORD PTR[rcx] shr eax,1 movups xmm1,XMMWORD PTR[16+rcx] @@ -145,6 +148,7 @@ _aesni_encrypt3 ENDP ALIGN 16 _aesni_decrypt3 PROC PRIVATE + endbr64 movups xmm0,XMMWORD PTR[rcx] shr eax,1 movups xmm1,XMMWORD PTR[16+rcx] @@ -178,6 +182,7 @@ _aesni_decrypt3 ENDP ALIGN 16 _aesni_encrypt4 PROC PRIVATE + endbr64 movups xmm0,XMMWORD PTR[rcx] shr eax,1 movups xmm1,XMMWORD PTR[16+rcx] @@ -216,6 +221,7 @@ _aesni_encrypt4 ENDP ALIGN 16 _aesni_decrypt4 PROC PRIVATE + endbr64 movups xmm0,XMMWORD PTR[rcx] shr eax,1 movups xmm1,XMMWORD PTR[16+rcx] @@ -254,6 +260,7 @@ _aesni_decrypt4 ENDP ALIGN 16 _aesni_encrypt6 PROC PRIVATE + endbr64 movups xmm0,XMMWORD PTR[rcx] shr eax,1 movups xmm1,XMMWORD PTR[16+rcx] @@ -311,6 +318,7 @@ _aesni_encrypt6 ENDP ALIGN 16 _aesni_decrypt6 PROC PRIVATE + endbr64 movups xmm0,XMMWORD PTR[rcx] shr eax,1 movups xmm1,XMMWORD PTR[16+rcx] @@ -368,6 +376,7 @@ _aesni_decrypt6 ENDP ALIGN 16 _aesni_encrypt8 PROC PRIVATE + endbr64 movups xmm0,XMMWORD PTR[rcx] shr eax,1 movups xmm1,XMMWORD PTR[16+rcx] @@ -438,6 +447,7 @@ _aesni_encrypt8 ENDP ALIGN 16 _aesni_decrypt8 PROC PRIVATE + endbr64 movups xmm0,XMMWORD PTR[rcx] shr eax,1 movups xmm1,XMMWORD PTR[16+rcx] @@ -520,6 +530,7 @@ $L$SEH_begin_aesni_ecb_encrypt:: mov r8,QWORD PTR[40+rsp] + endbr64 and rdx,-16 jz $L$ecb_ret 
@@ -837,6 +848,7 @@ $L$SEH_begin_aesni_ccm64_encrypt_blocks:: mov r9,QWORD PTR[48+rsp] + endbr64 lea rsp,QWORD PTR[((-88))+rsp] movaps XMMWORD PTR[rsp],xmm6 movaps XMMWORD PTR[16+rsp],xmm7 @@ -1034,7 +1046,9 @@ $L$SEH_begin_aesni_ctr32_encrypt_blocks:: mov r8,QWORD PTR[40+rsp] - lea rsp,QWORD PTR[((-200))+rsp] + lea rax,QWORD PTR[rsp] + push rbp + sub rsp,192 movaps XMMWORD PTR[32+rsp],xmm6 movaps XMMWORD PTR[48+rsp],xmm7 movaps XMMWORD PTR[64+rsp],xmm8 @@ -1046,6 +1060,7 @@ $L$SEH_begin_aesni_ctr32_encrypt_blocks:: movaps XMMWORD PTR[160+rsp],xmm14 movaps XMMWORD PTR[176+rsp],xmm15 $L$ctr32_body:: + lea rbp,QWORD PTR[((-8))+rax] cmp rdx,1 je $L$ctr32_one_shortcut @@ -1298,7 +1313,8 @@ $L$ctr32_done:: movaps xmm13,XMMWORD PTR[144+rsp] movaps xmm14,XMMWORD PTR[160+rsp] movaps xmm15,XMMWORD PTR[176+rsp] - lea rsp,QWORD PTR[200+rsp] + lea rsp,QWORD PTR[rbp] + pop rbp $L$ctr32_ret:: mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue mov rsi,QWORD PTR[16+rsp] @@ -1321,7 +1337,9 @@ $L$SEH_begin_aesni_xts_encrypt:: mov r9,QWORD PTR[48+rsp] - lea rsp,QWORD PTR[((-264))+rsp] + lea rax,QWORD PTR[rsp] + push rbp + sub rsp,256 movaps XMMWORD PTR[96+rsp],xmm6 movaps XMMWORD PTR[112+rsp],xmm7 movaps XMMWORD PTR[128+rsp],xmm8 @@ -1333,6 +1351,7 @@ $L$SEH_begin_aesni_xts_encrypt:: movaps XMMWORD PTR[224+rsp],xmm14 movaps XMMWORD PTR[240+rsp],xmm15 $L$xts_enc_body:: + lea rbp,QWORD PTR[((-8))+rax] movups xmm15,XMMWORD PTR[r9] mov eax,DWORD PTR[240+r8] mov r10d,DWORD PTR[240+rcx] @@ -1730,7 +1749,8 @@ $L$xts_enc_ret:: movaps xmm13,XMMWORD PTR[208+rsp] movaps xmm14,XMMWORD PTR[224+rsp] movaps xmm15,XMMWORD PTR[240+rsp] - lea rsp,QWORD PTR[264+rsp] + lea rsp,QWORD PTR[rbp] + pop rbp $L$xts_enc_epilogue:: mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue mov rsi,QWORD PTR[16+rsp] 
@@ -1753,7 +1773,9 @@ $L$SEH_begin_aesni_xts_decrypt:: mov r9,QWORD PTR[48+rsp] - lea rsp,QWORD PTR[((-264))+rsp] + lea rax,QWORD PTR[rsp] + push rbp + sub rsp,256 movaps XMMWORD PTR[96+rsp],xmm6 movaps XMMWORD PTR[112+rsp],xmm7 movaps XMMWORD PTR[128+rsp],xmm8 @@ -1765,6 +1787,7 @@ $L$SEH_begin_aesni_xts_decrypt:: movaps XMMWORD PTR[224+rsp],xmm14 movaps XMMWORD PTR[240+rsp],xmm15 $L$xts_dec_body:: + lea rbp,QWORD PTR[((-8))+rax] movups xmm15,XMMWORD PTR[r9] mov eax,DWORD PTR[240+r8] mov r10d,DWORD PTR[240+rcx] @@ -2206,7 +2229,8 @@ $L$xts_dec_ret:: movaps xmm13,XMMWORD PTR[208+rsp] movaps xmm14,XMMWORD PTR[224+rsp] movaps xmm15,XMMWORD PTR[240+rsp] - lea rsp,QWORD PTR[264+rsp] + lea rsp,QWORD PTR[rbp] + pop rbp $L$xts_dec_epilogue:: mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue mov rsi,QWORD PTR[16+rsp] @@ -2288,12 +2312,15 @@ $L$cbc_enc_tail:: ALIGN 16 $L$cbc_decrypt:: - lea rsp,QWORD PTR[((-88))+rsp] - movaps XMMWORD PTR[rsp],xmm6 - movaps XMMWORD PTR[16+rsp],xmm7 - movaps XMMWORD PTR[32+rsp],xmm8 - movaps XMMWORD PTR[48+rsp],xmm9 + lea rax,QWORD PTR[rsp] + push rbp + sub rsp,80 + movaps XMMWORD PTR[16+rsp],xmm6 + movaps XMMWORD PTR[32+rsp],xmm7 + movaps XMMWORD PTR[48+rsp],xmm8 + movaps XMMWORD PTR[64+rsp],xmm9 $L$cbc_decrypt_body:: + lea rbp,QWORD PTR[((-8))+rax] movups xmm9,XMMWORD PTR[r8] mov eax,r10d cmp rdx,070h @@ -2301,11 +2328,11 @@ $L$cbc_decrypt_body:: shr r10d,1 sub rdx,070h mov eax,r10d - movaps XMMWORD PTR[64+rsp],xmm9 + movaps XMMWORD PTR[rsp],xmm9 jmp $L$cbc_dec_loop8_enter ALIGN 16 $L$cbc_dec_loop8:: - movaps XMMWORD PTR[64+rsp],xmm0 + movaps XMMWORD PTR[rsp],xmm0 movups XMMWORD PTR[rsi],xmm9 lea rsi,QWORD PTR[16+rsi] $L$cbc_dec_loop8_enter:: @@ -2345,7 +2372,7 @@ $L$cbc_dec_loop8_enter:: movups xmm1,XMMWORD PTR[rdi] movups xmm0,XMMWORD PTR[16+rdi] - xorps xmm2,XMMWORD PTR[64+rsp] + xorps xmm2,XMMWORD PTR[rsp] xorps xmm3,xmm1 movups xmm1,XMMWORD PTR[32+rdi] xorps xmm4,xmm0 
@@ -2409,11 +2436,11 @@ $L$cbc_dec_tail:: jbe $L$cbc_dec_six movups xmm8,XMMWORD PTR[96+rdi] - movaps XMMWORD PTR[64+rsp],xmm9 + movaps XMMWORD PTR[rsp],xmm9 call _aesni_decrypt8 movups xmm1,XMMWORD PTR[rdi] movups xmm0,XMMWORD PTR[16+rdi] - xorps xmm2,XMMWORD PTR[64+rsp] + xorps xmm2,XMMWORD PTR[rsp] xorps xmm3,xmm1 movups xmm1,XMMWORD PTR[32+rdi] xorps xmm4,xmm0 @@ -2545,19 +2572,20 @@ $L$cbc_dec_tail_collected:: jmp $L$cbc_dec_ret ALIGN 16 $L$cbc_dec_tail_partial:: - movaps XMMWORD PTR[64+rsp],xmm2 + movaps XMMWORD PTR[rsp],xmm2 mov rcx,16 mov rdi,rsi sub rcx,rdx - lea rsi,QWORD PTR[64+rsp] + lea rsi,QWORD PTR[rsp] DD 09066A4F3h $L$cbc_dec_ret:: - movaps xmm6,XMMWORD PTR[rsp] - movaps xmm7,XMMWORD PTR[16+rsp] - movaps xmm8,XMMWORD PTR[32+rsp] - movaps xmm9,XMMWORD PTR[48+rsp] - lea rsp,QWORD PTR[88+rsp] + movaps xmm6,XMMWORD PTR[16+rsp] + movaps xmm7,XMMWORD PTR[32+rsp] + movaps xmm8,XMMWORD PTR[48+rsp] + movaps xmm9,XMMWORD PTR[64+rsp] + lea rsp,QWORD PTR[rbp] + pop rbp $L$cbc_ret:: mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue mov rsi,QWORD PTR[16+rsp] @@ -2568,6 +2596,7 @@ PUBLIC aesni_set_decrypt_key ALIGN 16 aesni_set_decrypt_key PROC PUBLIC + endbr64 sub rsp,8 call __aesni_set_encrypt_key shl edx,4 @@ -2606,6 +2635,7 @@ PUBLIC aesni_set_encrypt_key ALIGN 16 aesni_set_encrypt_key PROC PUBLIC + endbr64 __aesni_set_encrypt_key:: sub rsp,8 mov rax,-1 @@ -2794,6 +2824,8 @@ $L$key_expansion_256b:: DB 0F3h,0C3h ;repret aesni_set_encrypt_key ENDP +.text$ ENDS +.rdata SEGMENT READONLY ALIGN(8) ALIGN 64 $L$bswap_mask:: DB 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 
@@ -2803,16 +2835,14 @@ $L$increment64:: DD 1,0,0,0 $L$xts_magic:: DD 087h,0,1,0 - -DB 65,69,83,32,102,111,114,32,73,110,116,101,108,32,65,69 -DB 83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83 -DB 32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115 -DB 115,108,46,111,114,103,62,0 ALIGN 64 +.rdata ENDS +.text$ SEGMENT ALIGN(64) 'CODE' EXTERN __imp_RtlVirtualUnwind:NEAR ALIGN 16 ecb_se_handler PROC PRIVATE + endbr64 push rsi push rdi push rbx @@ -2832,6 +2862,7 @@ ecb_se_handler ENDP ALIGN 16 ccm64_se_handler PROC PRIVATE + endbr64 push rsi push rdi push rbx @@ -2873,6 +2904,7 @@ ccm64_se_handler ENDP ALIGN 16 ctr32_se_handler PROC PRIVATE + endbr64 push rsi push rdi push rbx @@ -2901,14 +2933,14 @@ ctr32_se_handler PROC PRIVATE lea rdi,QWORD PTR[512+r8] mov ecx,20 DD 0a548f3fch - lea rax,QWORD PTR[200+rax] - jmp $L$common_seh_tail + jmp $L$common_rbp_tail ctr32_se_handler ENDP ALIGN 16 xts_se_handler PROC PRIVATE + endbr64 push rsi push rdi push rbx @@ -2942,13 +2974,13 @@ xts_se_handler PROC PRIVATE lea rdi,QWORD PTR[512+r8] mov ecx,20 DD 0a548f3fch - lea rax,QWORD PTR[((104+160))+rax] - jmp $L$common_seh_tail + jmp $L$common_rbp_tail xts_se_handler ENDP ALIGN 16 cbc_se_handler PROC PRIVATE + endbr64 push rsi push rdi push rbx @@ -2975,11 +3007,16 @@ cbc_se_handler PROC PRIVATE cmp rbx,r10 jae $L$common_seh_tail - lea rsi,QWORD PTR[rax] + lea rsi,QWORD PTR[16+rax] lea rdi,QWORD PTR[512+r8] mov ecx,8 DD 0a548f3fch - lea rax,QWORD PTR[88+rax] + +$L$common_rbp_tail:: + mov rax,QWORD PTR[160+r8] + mov rbp,QWORD PTR[rax] + lea rax,QWORD PTR[8+rax] + mov QWORD PTR[160+r8],rbp jmp $L$common_seh_tail $L$restore_cbc_rax:: diff --git a/crypto/aes/aesni-mingw64-x86_64.S b/crypto/aes/aesni-mingw64-x86_64.S index 0a82a10..a302884 100644 --- a/crypto/aes/aesni-mingw64-x86_64.S +++ b/crypto/aes/aesni-mingw64-x86_64.S @@ -4,6 +4,7 @@ .def aesni_encrypt; .scl 2; .type 32; .endef .p2align 4 aesni_encrypt: + endbr64 movups (%rcx),%xmm2 movl 240(%r8),%eax movups (%r8),%xmm0 
@@ -25,6 +26,7 @@ aesni_encrypt: .def aesni_decrypt; .scl 2; .type 32; .endef .p2align 4 aesni_decrypt: + endbr64 movups (%rcx),%xmm2 movl 240(%r8),%eax movups (%r8),%xmm0 @@ -44,6 +46,7 @@ aesni_decrypt: .def _aesni_encrypt3; .scl 3; .type 32; .endef .p2align 4 _aesni_encrypt3: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -77,6 +80,7 @@ _aesni_encrypt3: .def _aesni_decrypt3; .scl 3; .type 32; .endef .p2align 4 _aesni_decrypt3: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -110,6 +114,7 @@ _aesni_decrypt3: .def _aesni_encrypt4; .scl 3; .type 32; .endef .p2align 4 _aesni_encrypt4: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -148,6 +153,7 @@ _aesni_encrypt4: .def _aesni_decrypt4; .scl 3; .type 32; .endef .p2align 4 _aesni_decrypt4: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -186,6 +192,7 @@ _aesni_decrypt4: .def _aesni_encrypt6; .scl 3; .type 32; .endef .p2align 4 _aesni_encrypt6: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -243,6 +250,7 @@ _aesni_encrypt6: .def _aesni_decrypt6; .scl 3; .type 32; .endef .p2align 4 _aesni_decrypt6: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -300,6 +308,7 @@ _aesni_decrypt6: .def _aesni_encrypt8; .scl 3; .type 32; .endef .p2align 4 _aesni_encrypt8: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -370,6 +379,7 @@ _aesni_encrypt8: .def _aesni_decrypt8; .scl 3; .type 32; .endef .p2align 4 _aesni_decrypt8: + endbr64 movups (%rcx),%xmm0 shrl $1,%eax movups 16(%rcx),%xmm1 @@ -451,6 +461,7 @@ aesni_ecb_encrypt: movq %r9,%rcx movq 40(%rsp),%r8 + endbr64 andq $-16,%rdx jz .Lecb_ret @@ -766,6 +777,7 @@ aesni_ccm64_encrypt_blocks: movq 40(%rsp),%r8 movq 48(%rsp),%r9 + endbr64 leaq -88(%rsp),%rsp movaps %xmm6,(%rsp) movaps %xmm7,16(%rsp) 
@@ -959,7 +971,9 @@ aesni_ctr32_encrypt_blocks: movq %r9,%rcx movq 40(%rsp),%r8 - leaq -200(%rsp),%rsp + leaq (%rsp),%rax + pushq %rbp + subq $192,%rsp movaps %xmm6,32(%rsp) movaps %xmm7,48(%rsp) movaps %xmm8,64(%rsp) @@ -971,6 +985,7 @@ aesni_ctr32_encrypt_blocks: movaps %xmm14,160(%rsp) movaps %xmm15,176(%rsp) .Lctr32_body: + leaq -8(%rax),%rbp cmpq $1,%rdx je .Lctr32_one_shortcut @@ -1037,7 +1052,7 @@ aesni_ctr32_encrypt_blocks: movdqa .Lincrement32(%rip),%xmm13 pxor %xmm0,%xmm5 aesenc %xmm1,%xmm4 - movdqa 0(%rsp),%xmm12 + movdqa (%rsp),%xmm12 pxor %xmm0,%xmm6 aesenc %xmm1,%xmm5 pxor %xmm0,%xmm7 @@ -1223,7 +1238,8 @@ aesni_ctr32_encrypt_blocks: movaps 144(%rsp),%xmm13 movaps 160(%rsp),%xmm14 movaps 176(%rsp),%xmm15 - leaq 200(%rsp),%rsp + leaq (%rbp),%rsp + popq %rbp .Lctr32_ret: movq 8(%rsp),%rdi movq 16(%rsp),%rsi @@ -1244,7 +1260,9 @@ aesni_xts_encrypt: movq 40(%rsp),%r8 movq 48(%rsp),%r9 - leaq -264(%rsp),%rsp + leaq (%rsp),%rax + pushq %rbp + subq $256,%rsp movaps %xmm6,96(%rsp) movaps %xmm7,112(%rsp) movaps %xmm8,128(%rsp) @@ -1256,6 +1274,7 @@ aesni_xts_encrypt: movaps %xmm14,224(%rsp) movaps %xmm15,240(%rsp) .Lxts_enc_body: + leaq -8(%rax),%rbp movups (%r9),%xmm15 movl 240(%r8),%eax movl 240(%rcx),%r10d @@ -1653,7 +1672,8 @@ aesni_xts_encrypt: movaps 208(%rsp),%xmm13 movaps 224(%rsp),%xmm14 movaps 240(%rsp),%xmm15 - leaq 264(%rsp),%rsp + leaq (%rbp),%rsp + popq %rbp .Lxts_enc_epilogue: movq 8(%rsp),%rdi movq 16(%rsp),%rsi @@ -1674,7 +1694,9 @@ aesni_xts_decrypt: movq 40(%rsp),%r8 movq 48(%rsp),%r9 - leaq -264(%rsp),%rsp + leaq (%rsp),%rax + pushq %rbp + subq $256,%rsp movaps %xmm6,96(%rsp) movaps %xmm7,112(%rsp) movaps %xmm8,128(%rsp) @@ -1686,6 +1708,7 @@ aesni_xts_decrypt: movaps %xmm14,224(%rsp) movaps %xmm15,240(%rsp) .Lxts_dec_body: + leaq -8(%rax),%rbp movups (%r9),%xmm15 movl 240(%r8),%eax movl 240(%rcx),%r10d 
@@ -2127,7 +2150,8 @@ aesni_xts_decrypt: movaps 208(%rsp),%xmm13 movaps 224(%rsp),%xmm14 movaps 240(%rsp),%xmm15 - leaq 264(%rsp),%rsp + leaq (%rbp),%rsp + popq %rbp .Lxts_dec_epilogue: movq 8(%rsp),%rdi movq 16(%rsp),%rsi @@ -2207,12 +2231,15 @@ aesni_cbc_encrypt: .p2align 4 .Lcbc_decrypt: - leaq -88(%rsp),%rsp - movaps %xmm6,(%rsp) - movaps %xmm7,16(%rsp) - movaps %xmm8,32(%rsp) - movaps %xmm9,48(%rsp) + leaq (%rsp),%rax + pushq %rbp + subq $80,%rsp + movaps %xmm6,16(%rsp) + movaps %xmm7,32(%rsp) + movaps %xmm8,48(%rsp) + movaps %xmm9,64(%rsp) .Lcbc_decrypt_body: + leaq -8(%rax),%rbp movups (%r8),%xmm9 movl %r10d,%eax cmpq $112,%rdx @@ -2220,11 +2247,11 @@ aesni_cbc_encrypt: shrl $1,%r10d subq $112,%rdx movl %r10d,%eax - movaps %xmm9,64(%rsp) + movaps %xmm9,(%rsp) jmp .Lcbc_dec_loop8_enter .p2align 4 .Lcbc_dec_loop8: - movaps %xmm0,64(%rsp) + movaps %xmm0,(%rsp) movups %xmm9,(%rsi) leaq 16(%rsi),%rsi .Lcbc_dec_loop8_enter: @@ -2264,7 +2291,7 @@ aesni_cbc_encrypt: movups (%rdi),%xmm1 movups 16(%rdi),%xmm0 - xorps 64(%rsp),%xmm2 + xorps (%rsp),%xmm2 xorps %xmm1,%xmm3 movups 32(%rdi),%xmm1 xorps %xmm0,%xmm4 @@ -2328,11 +2355,11 @@ aesni_cbc_encrypt: jbe .Lcbc_dec_six movups 96(%rdi),%xmm8 - movaps %xmm9,64(%rsp) + movaps %xmm9,(%rsp) call _aesni_decrypt8 movups (%rdi),%xmm1 movups 16(%rdi),%xmm0 - xorps 64(%rsp),%xmm2 + xorps (%rsp),%xmm2 xorps %xmm1,%xmm3 movups 32(%rdi),%xmm1 xorps %xmm0,%xmm4 @@ -2464,19 +2491,20 @@ aesni_cbc_encrypt: jmp .Lcbc_dec_ret .p2align 4 .Lcbc_dec_tail_partial: - movaps %xmm2,64(%rsp) + movaps %xmm2,(%rsp) movq $16,%rcx movq %rsi,%rdi subq %rdx,%rcx - leaq 64(%rsp),%rsi + leaq (%rsp),%rsi .long 0x9066A4F3 .Lcbc_dec_ret: - movaps (%rsp),%xmm6 - movaps 16(%rsp),%xmm7 - movaps 32(%rsp),%xmm8 - movaps 48(%rsp),%xmm9 - leaq 88(%rsp),%rsp + movaps 16(%rsp),%xmm6 + movaps 32(%rsp),%xmm7 + movaps 48(%rsp),%xmm8 + movaps 64(%rsp),%xmm9 + leaq (%rbp),%rsp + popq %rbp .Lcbc_ret: movq 8(%rsp),%rdi movq 16(%rsp),%rsi 
@@ -2486,6 +2514,7 @@ aesni_cbc_encrypt: .def aesni_set_decrypt_key; .scl 2; .type 32; .endef .p2align 4 aesni_set_decrypt_key: + endbr64 subq $8,%rsp call __aesni_set_encrypt_key shll $4,%edx @@ -2524,6 +2553,7 @@ aesni_set_decrypt_key: .def aesni_set_encrypt_key; .scl 2; .type 32; .endef .p2align 4 aesni_set_encrypt_key: + endbr64 __aesni_set_encrypt_key: subq $8,%rsp movq $-1,%rax @@ -2712,6 +2742,7 @@ __aesni_set_encrypt_key: retq +.section .rodata .p2align 6 .Lbswap_mask: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 @@ -2721,13 +2752,13 @@ __aesni_set_encrypt_key: .long 1,0,0,0 .Lxts_magic: .long 0x87,0,1,0 - -.byte 65,69,83,32,102,111,114,32,73,110,116,101,108,32,65,69,83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .p2align 6 +.text .def ecb_se_handler; .scl 3; .type 32; .endef .p2align 4 ecb_se_handler: + endbr64 pushq %rsi pushq %rdi pushq %rbx @@ -2747,6 +2778,7 @@ ecb_se_handler: .def ccm64_se_handler; .scl 3; .type 32; .endef .p2align 4 ccm64_se_handler: + endbr64 pushq %rsi pushq %rdi pushq %rbx @@ -2788,6 +2820,7 @@ ccm64_se_handler: .def ctr32_se_handler; .scl 3; .type 32; .endef .p2align 4 ctr32_se_handler: + endbr64 pushq %rsi pushq %rdi pushq %rbx @@ -2816,14 +2849,14 @@ ctr32_se_handler: leaq 512(%r8),%rdi movl $20,%ecx .long 0xa548f3fc - leaq 200(%rax),%rax - jmp .Lcommon_seh_tail + jmp .Lcommon_rbp_tail .def xts_se_handler; .scl 3; .type 32; .endef .p2align 4 xts_se_handler: + endbr64 pushq %rsi pushq %rdi pushq %rbx @@ -2857,13 +2890,13 @@ xts_se_handler: leaq 512(%r8),%rdi movl $20,%ecx .long 0xa548f3fc - leaq 104+160(%rax),%rax - jmp .Lcommon_seh_tail + jmp .Lcommon_rbp_tail .def cbc_se_handler; .scl 3; .type 32; .endef .p2align 4 cbc_se_handler: + endbr64 pushq %rsi pushq %rdi pushq %rbx 
@@ -2890,11 +2923,16 @@ cbc_se_handler: cmpq %r10,%rbx jae .Lcommon_seh_tail - leaq 0(%rax),%rsi + leaq 16(%rax),%rsi leaq 512(%r8),%rdi movl $8,%ecx .long 0xa548f3fc - leaq 88(%rax),%rax + +.Lcommon_rbp_tail: + movq 160(%r8),%rax + movq (%rax),%rbp + leaq 8(%rax),%rax + movq %rbp,160(%r8) jmp .Lcommon_seh_tail .Lrestore_cbc_rax: diff --git a/crypto/aes/aesni-sha1-elf-x86_64.S b/crypto/aes/aesni-sha1-elf-x86_64.S index c0b3e5f..0d7e94a 100644 --- a/crypto/aes/aesni-sha1-elf-x86_64.S +++ b/crypto/aes/aesni-sha1-elf-x86_64.S @@ -7,6 +7,7 @@ .type aesni_cbc_sha1_enc,@function .align 16 aesni_cbc_sha1_enc: + endbr64 movl OPENSSL_ia32cap_P+0(%rip),%r10d movl OPENSSL_ia32cap_P+4(%rip),%r11d @@ -16,6 +17,7 @@ aesni_cbc_sha1_enc: .type aesni_cbc_sha1_enc_ssse3,@function .align 16 aesni_cbc_sha1_enc_ssse3: + endbr64 movq 8(%rsp),%r10 @@ -1386,6 +1388,7 @@ aesni_cbc_sha1_enc_ssse3: .Lepilogue_ssse3: retq .size aesni_cbc_sha1_enc_ssse3,.-aesni_cbc_sha1_enc_ssse3 +.section .rodata .align 64 K_XX_XX: .long 0x5a827999,0x5a827999,0x5a827999,0x5a827999 @@ -1393,9 +1396,8 @@ K_XX_XX: .long 0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc .long 0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6 .long 0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f - -.byte 65,69,83,78,73,45,67,66,67,43,83,72,65,49,32,115,116,105,116,99,104,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 64 +.text #if defined(HAVE_GNU_STACK) .section .note.GNU-stack,"",%progbits #endif diff --git a/crypto/aes/aesni-sha1-macosx-x86_64.S b/crypto/aes/aesni-sha1-macosx-x86_64.S index 3e88b1a..6d839ac 100644 --- a/crypto/aes/aesni-sha1-macosx-x86_64.S +++ b/crypto/aes/aesni-sha1-macosx-x86_64.S @@ -7,6 +7,7 @@ .p2align 4 _aesni_cbc_sha1_enc: + movl _OPENSSL_ia32cap_P+0(%rip),%r10d movl _OPENSSL_ia32cap_P+4(%rip),%r11d @@ -16,6 +17,7 @@ _aesni_cbc_sha1_enc: .p2align 4 aesni_cbc_sha1_enc_ssse3: + movq 8(%rsp),%r10 
@@ -1386,6 +1388,7 @@ L$aesenclast5: L$epilogue_ssse3: retq +.section __DATA,__const .p2align 6 K_XX_XX: .long 0x5a827999,0x5a827999,0x5a827999,0x5a827999 @@ -1393,6 +1396,5 @@ K_XX_XX: .long 0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc .long 0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6 .long 0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f - -.byte 65,69,83,78,73,45,67,66,67,43,83,72,65,49,32,115,116,105,116,99,104,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .p2align 6 +.text diff --git a/crypto/aes/aesni-sha1-masm-x86_64.S b/crypto/aes/aesni-sha1-masm-x86_64.S index b87202a..9bd8642 100644 --- a/crypto/aes/aesni-sha1-masm-x86_64.S +++ b/crypto/aes/aesni-sha1-masm-x86_64.S @@ -75,6 +75,7 @@ PUBLIC aesni_cbc_sha1_enc ALIGN 16 aesni_cbc_sha1_enc PROC PUBLIC + endbr64 mov r10d,DWORD PTR[((OPENSSL_ia32cap_P+0))] mov r11d,DWORD PTR[((OPENSSL_ia32cap_P+4))] @@ -96,6 +97,7 @@ $L$SEH_begin_aesni_cbc_sha1_enc_ssse3:: mov r9,QWORD PTR[48+rsp] + endbr64 mov r10,QWORD PTR[56+rsp] @@ -1490,6 +1492,8 @@ $L$epilogue_ssse3:: DB 0F3h,0C3h ;repret $L$SEH_end_aesni_cbc_sha1_enc_ssse3:: aesni_cbc_sha1_enc_ssse3 ENDP +.text$ ENDS +.rdata SEGMENT READONLY ALIGN(8) ALIGN 64 K_XX_XX:: DD 05a827999h,05a827999h,05a827999h,05a827999h @@ -1497,17 +1501,14 @@ K_XX_XX:: DD 08f1bbcdch,08f1bbcdch,08f1bbcdch,08f1bbcdch DD 0ca62c1d6h,0ca62c1d6h,0ca62c1d6h,0ca62c1d6h DD 000010203h,004050607h,008090a0bh,00c0d0e0fh - -DB 65,69,83,78,73,45,67,66,67,43,83,72,65,49,32,115 -DB 116,105,116,99,104,32,102,111,114,32,120,56,54,95,54,52 -DB 44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32 -DB 60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111 -DB 114,103,62,0 ALIGN 64 +.rdata ENDS +.text$ SEGMENT ALIGN(64) 'CODE' EXTERN __imp_RtlVirtualUnwind:NEAR ALIGN 16 ssse3_handler PROC PRIVATE + endbr64 push rsi push rdi push rbx 
diff --git a/crypto/aes/aesni-sha1-mingw64-x86_64.S b/crypto/aes/aesni-sha1-mingw64-x86_64.S index c7a2d5c..8a53a50 100644 --- a/crypto/aes/aesni-sha1-mingw64-x86_64.S +++ b/crypto/aes/aesni-sha1-mingw64-x86_64.S @@ -7,6 +7,7 @@ .def aesni_cbc_sha1_enc; .scl 2; .type 32; .endef .p2align 4 aesni_cbc_sha1_enc: + endbr64 movl OPENSSL_ia32cap_P+0(%rip),%r10d movl OPENSSL_ia32cap_P+4(%rip),%r11d @@ -27,6 +28,7 @@ aesni_cbc_sha1_enc_ssse3: movq 40(%rsp),%r8 movq 48(%rsp),%r9 + endbr64 movq 56(%rsp),%r10 @@ -1420,6 +1422,7 @@ aesni_cbc_sha1_enc_ssse3: movq 16(%rsp),%rsi retq .LSEH_end_aesni_cbc_sha1_enc_ssse3: +.section .rodata .p2align 6 K_XX_XX: .long 0x5a827999,0x5a827999,0x5a827999,0x5a827999 @@ -1427,13 +1430,13 @@ K_XX_XX: .long 0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc .long 0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6 .long 0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f - -.byte 65,69,83,78,73,45,67,66,67,43,83,72,65,49,32,115,116,105,116,99,104,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .p2align 6 +.text .def ssse3_handler; .scl 3; .type 32; .endef .p2align 4 ssse3_handler: + endbr64 pushq %rsi pushq %rdi pushq %rbx diff --git a/crypto/aes/bsaes-elf-x86_64.S b/crypto/aes/bsaes-elf-x86_64.S index 903e374..602afd0 100644 --- a/crypto/aes/bsaes-elf-x86_64.S +++ b/crypto/aes/bsaes-elf-x86_64.S @@ -7,6 +7,7 @@ .type _bsaes_encrypt8,@function .align 64 _bsaes_encrypt8: + endbr64 leaq .LBS0(%rip),%r11 movdqa (%rax),%xmm8 @@ -479,6 +480,7 @@ _bsaes_encrypt8_bitslice: .type _bsaes_decrypt8,@function .align 64 _bsaes_decrypt8: + endbr64 leaq .LBS0(%rip),%r11 movdqa (%rax),%xmm8 @@ -984,6 +986,7 @@ _bsaes_decrypt8: .type _bsaes_key_convert,@function .align 16 _bsaes_key_convert: + endbr64 leaq .Lmasks(%rip),%r11 movdqu (%rcx),%xmm7 leaq 16(%rcx),%rcx 
@@ -1068,6 +1071,7 @@ _bsaes_key_convert: .type bsaes_cbc_encrypt,@function .align 16 bsaes_cbc_encrypt: + endbr64 cmpl $0,%r9d jne asm_AES_cbc_encrypt cmpq $128,%rdx @@ -1318,6 +1322,7 @@ bsaes_cbc_encrypt: .type bsaes_ctr32_encrypt_blocks,@function .align 16 bsaes_ctr32_encrypt_blocks: + endbr64 movq %rsp,%rax .Lctr_enc_prologue: pushq %rbp @@ -1517,6 +1522,7 @@ bsaes_ctr32_encrypt_blocks: .type bsaes_xts_encrypt,@function .align 16 bsaes_xts_encrypt: + endbr64 movq %rsp,%rax .Lxts_enc_prologue: pushq %rbp @@ -1969,6 +1975,7 @@ bsaes_xts_encrypt: .type bsaes_xts_decrypt,@function .align 16 bsaes_xts_decrypt: + endbr64 movq %rsp,%rax .Lxts_dec_prologue: pushq %rbp @@ -2442,6 +2449,7 @@ bsaes_xts_decrypt: .Lxts_dec_epilogue: retq .size bsaes_xts_decrypt,.-bsaes_xts_decrypt +.section .rodata .type _bsaes_const,@object .align 64 _bsaes_const: @@ -2494,9 +2502,9 @@ _bsaes_const: .quad 0x02060a0e03070b0f, 0x0004080c0105090d .L63: .quad 0x6363636363636363, 0x6363636363636363 -.byte 66,105,116,45,115,108,105,99,101,100,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,69,109,105,108,105,97,32,75,195,164,115,112,101,114,44,32,80,101,116,101,114,32,83,99,104,119,97,98,101,44,32,65,110,100,121,32,80,111,108,121,97,107,111,118,0 .align 64 .size _bsaes_const,.-_bsaes_const +.text #if defined(HAVE_GNU_STACK) .section .note.GNU-stack,"",%progbits #endif diff --git a/crypto/aes/bsaes-macosx-x86_64.S b/crypto/aes/bsaes-macosx-x86_64.S index 5f780f0..7669f3b 100644 --- a/crypto/aes/bsaes-macosx-x86_64.S +++ b/crypto/aes/bsaes-macosx-x86_64.S @@ -7,6 +7,7 @@ .p2align 6 _bsaes_encrypt8: + leaq L$BS0(%rip),%r11 movdqa (%rax),%xmm8 @@ -479,6 +480,7 @@ L$enc_done: .p2align 6 _bsaes_decrypt8: + leaq L$BS0(%rip),%r11 movdqa (%rax),%xmm8 @@ -984,6 +986,7 @@ L$dec_done: .p2align 4 _bsaes_key_convert: + leaq L$masks(%rip),%r11 movdqu (%rcx),%xmm7 leaq 16(%rcx),%rcx 
@@ -1068,6 +1071,7 @@ L$key_loop: .p2align 4 _bsaes_cbc_encrypt: + cmpl $0,%r9d jne _asm_AES_cbc_encrypt cmpq $128,%rdx @@ -1318,6 +1322,7 @@ L$cbc_dec_epilogue: .p2align 4 _bsaes_ctr32_encrypt_blocks: + movq %rsp,%rax L$ctr_enc_prologue: pushq %rbp @@ -1517,6 +1522,7 @@ L$ctr_enc_epilogue: .p2align 4 _bsaes_xts_encrypt: + movq %rsp,%rax L$xts_enc_prologue: pushq %rbp @@ -1969,6 +1975,7 @@ L$xts_enc_epilogue: .p2align 4 _bsaes_xts_decrypt: + movq %rsp,%rax L$xts_dec_prologue: pushq %rbp @@ -2442,6 +2449,7 @@ L$xts_dec_bzero: L$xts_dec_epilogue: retq +.section __DATA,__const .p2align 6 _bsaes_const: @@ -2494,6 +2502,6 @@ L$M0: .quad 0x02060a0e03070b0f, 0x0004080c0105090d L$63: .quad 0x6363636363636363, 0x6363636363636363 -.byte 66,105,116,45,115,108,105,99,101,100,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,69,109,105,108,105,97,32,75,195,164,115,112,101,114,44,32,80,101,116,101,114,32,83,99,104,119,97,98,101,44,32,65,110,100,121,32,80,111,108,121,97,107,111,118,0 .p2align 6 +.text diff --git a/crypto/aes/bsaes-masm-x86_64.S b/crypto/aes/bsaes-masm-x86_64.S index 7049860..7433bfa 100644 --- a/crypto/aes/bsaes-masm-x86_64.S +++ b/crypto/aes/bsaes-masm-x86_64.S @@ -75,6 +75,7 @@ EXTERN asm_AES_decrypt:NEAR ALIGN 64 _bsaes_encrypt8 PROC PRIVATE + endbr64 lea r11,QWORD PTR[$L$BS0] movdqa xmm8,XMMWORD PTR[rax] @@ -547,6 +548,7 @@ _bsaes_encrypt8 ENDP ALIGN 64 _bsaes_decrypt8 PROC PRIVATE + endbr64 lea r11,QWORD PTR[$L$BS0] movdqa xmm8,XMMWORD PTR[rax] @@ -1052,6 +1054,7 @@ _bsaes_decrypt8 ENDP ALIGN 16 _bsaes_key_convert PROC PRIVATE + endbr64 lea r11,QWORD PTR[$L$masks] movdqu xmm7,XMMWORD PTR[rcx] lea rcx,QWORD PTR[16+rcx] @@ -1136,6 +1139,7 @@ PUBLIC bsaes_cbc_encrypt ALIGN 16 bsaes_cbc_encrypt PROC PUBLIC + endbr64 mov r11d,DWORD PTR[48+rsp] cmp r11d,0 jne asm_AES_cbc_encrypt @@ -1411,6 +1415,7 @@ PUBLIC bsaes_ctr32_encrypt_blocks ALIGN 16 bsaes_ctr32_encrypt_blocks PROC PUBLIC + endbr64 mov rax,rsp $L$ctr_enc_prologue:: push rbp 
@@ -1634,6 +1639,7 @@ PUBLIC bsaes_xts_encrypt ALIGN 16 bsaes_xts_encrypt PROC PUBLIC + endbr64 mov rax,rsp $L$xts_enc_prologue:: push rbp @@ -2111,6 +2117,7 @@ PUBLIC bsaes_xts_decrypt ALIGN 16 bsaes_xts_decrypt PROC PUBLIC + endbr64 mov rax,rsp $L$xts_dec_prologue:: push rbp @@ -2609,6 +2616,8 @@ $L$xts_dec_bzero:: $L$xts_dec_epilogue:: DB 0F3h,0C3h ;repret bsaes_xts_decrypt ENDP +.text$ ENDS +.rdata SEGMENT READONLY ALIGN(8) ALIGN 64 _bsaes_const:: @@ -2661,17 +2670,15 @@ $L$M0:: DQ 002060a0e03070b0fh,00004080c0105090dh $L$63:: DQ 06363636363636363h,06363636363636363h -DB 66,105,116,45,115,108,105,99,101,100,32,65,69,83,32,102 -DB 111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44 -DB 32,69,109,105,108,105,97,32,75,195,164,115,112,101,114,44 -DB 32,80,101,116,101,114,32,83,99,104,119,97,98,101,44,32 -DB 65,110,100,121,32,80,111,108,121,97,107,111,118,0 ALIGN 64 +.rdata ENDS +.text$ SEGMENT ALIGN(64) 'CODE' EXTERN __imp_RtlVirtualUnwind:NEAR ALIGN 16 se_handler PROC PRIVATE + endbr64 push rsi push rdi push rbx diff --git a/crypto/aes/bsaes-mingw64-x86_64.S b/crypto/aes/bsaes-mingw64-x86_64.S index f0b07cb..cdab3c6 100644 --- a/crypto/aes/bsaes-mingw64-x86_64.S +++ b/crypto/aes/bsaes-mingw64-x86_64.S @@ -7,6 +7,7 @@ .def _bsaes_encrypt8; .scl 3; .type 32; .endef .p2align 6 _bsaes_encrypt8: + endbr64 leaq .LBS0(%rip),%r11 movdqa (%rax),%xmm8 @@ -479,6 +480,7 @@ _bsaes_encrypt8_bitslice: .def _bsaes_decrypt8; .scl 3; .type 32; .endef .p2align 6 _bsaes_decrypt8: + endbr64 leaq .LBS0(%rip),%r11 movdqa (%rax),%xmm8 @@ -984,6 +986,7 @@ _bsaes_decrypt8: .def _bsaes_key_convert; .scl 3; .type 32; .endef .p2align 4 _bsaes_key_convert: + endbr64 leaq .Lmasks(%rip),%r11 movdqu (%rcx),%xmm7 leaq 16(%rcx),%rcx @@ -1068,6 +1071,7 @@ _bsaes_key_convert: .def bsaes_cbc_encrypt; .scl 2; .type 32; .endef .p2align 4 bsaes_cbc_encrypt: + endbr64 movl 48(%rsp),%r11d cmpl $0,%r11d jne asm_AES_cbc_encrypt 
@@ -1343,6 +1347,7 @@ bsaes_cbc_encrypt: .def bsaes_ctr32_encrypt_blocks; .scl 2; .type 32; .endef .p2align 4 bsaes_ctr32_encrypt_blocks: + endbr64 movq %rsp,%rax .Lctr_enc_prologue: pushq %rbp @@ -1566,6 +1571,7 @@ bsaes_ctr32_encrypt_blocks: .def bsaes_xts_encrypt; .scl 2; .type 32; .endef .p2align 4 bsaes_xts_encrypt: + endbr64 movq %rsp,%rax .Lxts_enc_prologue: pushq %rbp @@ -2043,6 +2049,7 @@ bsaes_xts_encrypt: .def bsaes_xts_decrypt; .scl 2; .type 32; .endef .p2align 4 bsaes_xts_decrypt: + endbr64 movq %rsp,%rax .Lxts_dec_prologue: pushq %rbp @@ -2541,6 +2548,7 @@ bsaes_xts_decrypt: .Lxts_dec_epilogue: retq +.section .rodata .p2align 6 _bsaes_const: @@ -2593,13 +2601,14 @@ _bsaes_const: .quad 0x02060a0e03070b0f, 0x0004080c0105090d .L63: .quad 0x6363636363636363, 0x6363636363636363 -.byte 66,105,116,45,115,108,105,99,101,100,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,69,109,105,108,105,97,32,75,195,164,115,112,101,114,44,32,80,101,116,101,114,32,83,99,104,119,97,98,101,44,32,65,110,100,121,32,80,111,108,121,97,107,111,118,0 .p2align 6 +.text .def se_handler; .scl 3; .type 32; .endef .p2align 4 se_handler: + endbr64 pushq %rsi pushq %rdi pushq %rbx diff --git a/crypto/aes/vpaes-elf-x86_64.S b/crypto/aes/vpaes-elf-x86_64.S index 1e1a6e8..67ff646 100644 --- a/crypto/aes/vpaes-elf-x86_64.S +++ b/crypto/aes/vpaes-elf-x86_64.S @@ -19,6 +19,7 @@ .type _vpaes_encrypt_core,@function .align 16 _vpaes_encrypt_core: + endbr64 movq %rdx,%r9 movq $16,%r11 movl 240(%rdx),%eax @@ -109,6 +110,7 @@ _vpaes_encrypt_core: .type _vpaes_decrypt_core,@function .align 16 _vpaes_decrypt_core: + endbr64 movq %rdx,%r9 movl 240(%rdx),%eax movdqa %xmm9,%xmm1 @@ -216,6 +218,7 @@ _vpaes_decrypt_core: .type _vpaes_schedule_core,@function .align 16 _vpaes_schedule_core: + endbr64 
@@ -401,6 +404,7 @@ _vpaes_schedule_core: .type _vpaes_schedule_192_smear,@function .align 16 _vpaes_schedule_192_smear: + endbr64 pshufd $128,%xmm6,%xmm0 pxor %xmm0,%xmm6 pshufd $254,%xmm7,%xmm0 @@ -432,6 +436,7 @@ _vpaes_schedule_192_smear: .type _vpaes_schedule_round,@function .align 16 _vpaes_schedule_round: + endbr64 pxor %xmm1,%xmm1 .byte 102,65,15,58,15,200,15 @@ -499,6 +504,7 @@ _vpaes_schedule_low_round: .type _vpaes_schedule_transform,@function .align 16 _vpaes_schedule_transform: + endbr64 movdqa %xmm9,%xmm1 pandn %xmm0,%xmm1 psrld $4,%xmm1 @@ -537,6 +543,7 @@ _vpaes_schedule_transform: .type _vpaes_schedule_mangle,@function .align 16 _vpaes_schedule_mangle: + endbr64 movdqa %xmm0,%xmm4 movdqa .Lk_mc_forward(%rip),%xmm5 testq %rcx,%rcx @@ -610,6 +617,7 @@ _vpaes_schedule_mangle: .type vpaes_set_encrypt_key,@function .align 16 vpaes_set_encrypt_key: + endbr64 movl %esi,%eax shrl $5,%eax addl $5,%eax @@ -626,6 +634,7 @@ vpaes_set_encrypt_key: .type vpaes_set_decrypt_key,@function .align 16 vpaes_set_decrypt_key: + endbr64 movl %esi,%eax shrl $5,%eax addl $5,%eax @@ -647,6 +656,7 @@ vpaes_set_decrypt_key: .type vpaes_encrypt,@function .align 16 vpaes_encrypt: + endbr64 movdqu (%rdi),%xmm0 call _vpaes_preheat call _vpaes_encrypt_core @@ -658,6 +668,7 @@ vpaes_encrypt: .type vpaes_decrypt,@function .align 16 vpaes_decrypt: + endbr64 movdqu (%rdi),%xmm0 call _vpaes_preheat call _vpaes_decrypt_core @@ -668,6 +679,7 @@ vpaes_decrypt: .type vpaes_cbc_encrypt,@function .align 16 vpaes_cbc_encrypt: + endbr64 xchgq %rcx,%rdx subq $16,%rcx jc .Lcbc_abort @@ -713,6 +725,7 @@ vpaes_cbc_encrypt: .type _vpaes_preheat,@function .align 16 _vpaes_preheat: + endbr64 leaq .Lk_s0F(%rip),%r10 movdqa -32(%r10),%xmm10 movdqa -16(%r10),%xmm11 @@ -728,6 +741,7 @@ _vpaes_preheat: +.section .rodata .type _vpaes_consts,@object .align 64 _vpaes_consts: 
@@ -824,9 +838,9 @@ _vpaes_consts: .Lk_dsbo: .quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D .quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C -.byte 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0 .align 64 .size _vpaes_consts,.-_vpaes_consts +.text #if defined(HAVE_GNU_STACK) .section .note.GNU-stack,"",%progbits #endif diff --git a/crypto/aes/vpaes-macosx-x86_64.S b/crypto/aes/vpaes-macosx-x86_64.S index 0a892a9..d6bfae1 100644 --- a/crypto/aes/vpaes-macosx-x86_64.S +++ b/crypto/aes/vpaes-macosx-x86_64.S @@ -19,6 +19,7 @@ .p2align 4 _vpaes_encrypt_core: + movq %rdx,%r9 movq $16,%r11 movl 240(%rdx),%eax @@ -109,6 +110,7 @@ L$enc_entry: .p2align 4 _vpaes_decrypt_core: + movq %rdx,%r9 movl 240(%rdx),%eax movdqa %xmm9,%xmm1 @@ -216,6 +218,7 @@ L$dec_entry: .p2align 4 _vpaes_schedule_core: + @@ -401,6 +404,7 @@ L$schedule_mangle_last_dec: .p2align 4 _vpaes_schedule_192_smear: + pshufd $128,%xmm6,%xmm0 pxor %xmm0,%xmm6 pshufd $254,%xmm7,%xmm0 @@ -432,6 +436,7 @@ _vpaes_schedule_192_smear: .p2align 4 _vpaes_schedule_round: + pxor %xmm1,%xmm1 .byte 102,65,15,58,15,200,15 @@ -499,6 +504,7 @@ _vpaes_schedule_low_round: .p2align 4 _vpaes_schedule_transform: + movdqa %xmm9,%xmm1 pandn %xmm0,%xmm1 psrld $4,%xmm1 @@ -537,6 +543,7 @@ _vpaes_schedule_transform: .p2align 4 _vpaes_schedule_mangle: + movdqa %xmm0,%xmm4 movdqa L$k_mc_forward(%rip),%xmm5 testq %rcx,%rcx @@ -610,6 +617,7 @@ L$schedule_mangle_both: .p2align 4 _vpaes_set_encrypt_key: + movl %esi,%eax shrl $5,%eax addl $5,%eax @@ -626,6 +634,7 @@ _vpaes_set_encrypt_key: .p2align 4 _vpaes_set_decrypt_key: + movl %esi,%eax shrl $5,%eax addl $5,%eax @@ -647,6 +656,7 @@ _vpaes_set_decrypt_key: .p2align 4 _vpaes_encrypt: + movdqu (%rdi),%xmm0 call _vpaes_preheat call _vpaes_encrypt_core 
@@ -658,6 +668,7 @@ _vpaes_encrypt: .p2align 4 _vpaes_decrypt: + movdqu (%rdi),%xmm0 call _vpaes_preheat call _vpaes_decrypt_core @@ -668,6 +679,7 @@ _vpaes_decrypt: .p2align 4 _vpaes_cbc_encrypt: + xchgq %rcx,%rdx subq $16,%rcx jc L$cbc_abort @@ -713,6 +725,7 @@ L$cbc_abort: .p2align 4 _vpaes_preheat: + leaq L$k_s0F(%rip),%r10 movdqa -32(%r10),%xmm10 movdqa -16(%r10),%xmm11 @@ -728,6 +741,7 @@ _vpaes_preheat: +.section __DATA,__const .p2align 6 _vpaes_consts: @@ -824,6 +838,6 @@ L$k_dsbe: L$k_dsbo: .quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D .quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C -.byte 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0 .p2align 6 +.text diff --git a/crypto/aes/vpaes-masm-x86_64.S b/crypto/aes/vpaes-masm-x86_64.S index fa24314..2f1f6fe 100644 --- a/crypto/aes/vpaes-masm-x86_64.S +++ b/crypto/aes/vpaes-masm-x86_64.S @@ -87,6 +87,7 @@ OPTION DOTNAME ALIGN 16 _vpaes_encrypt_core PROC PRIVATE + endbr64 mov r9,rdx mov r11,16 mov eax,DWORD PTR[240+rdx] @@ -177,6 +178,7 @@ _vpaes_encrypt_core ENDP ALIGN 16 _vpaes_decrypt_core PROC PRIVATE + endbr64 mov r9,rdx mov eax,DWORD PTR[240+rdx] movdqa xmm1,xmm9 @@ -284,6 +286,7 @@ _vpaes_decrypt_core ENDP ALIGN 16 _vpaes_schedule_core PROC PRIVATE + endbr64 @@ -469,6 +472,7 @@ _vpaes_schedule_core ENDP ALIGN 16 _vpaes_schedule_192_smear PROC PRIVATE + endbr64 pshufd xmm0,xmm6,080h pxor xmm6,xmm0 pshufd xmm0,xmm7,0FEh @@ -500,6 +504,7 @@ _vpaes_schedule_192_smear ENDP ALIGN 16 _vpaes_schedule_round PROC PRIVATE + endbr64 pxor xmm1,xmm1 DB 102,65,15,58,15,200,15 @@ -567,6 +572,7 @@ _vpaes_schedule_round ENDP ALIGN 16 _vpaes_schedule_transform PROC PRIVATE + endbr64 movdqa xmm1,xmm9 pandn xmm1,xmm0 psrld xmm1,4 
@@ -605,6 +611,7 @@ _vpaes_schedule_transform ENDP ALIGN 16 _vpaes_schedule_mangle PROC PRIVATE + endbr64 movdqa xmm4,xmm0 movdqa xmm5,XMMWORD PTR[$L$k_mc_forward] test rcx,rcx @@ -687,6 +694,7 @@ $L$SEH_begin_vpaes_set_encrypt_key:: mov rdx,r8 + endbr64 lea rsp,QWORD PTR[((-184))+rsp] movaps XMMWORD PTR[16+rsp],xmm6 movaps XMMWORD PTR[32+rsp],xmm7 @@ -739,6 +747,7 @@ $L$SEH_begin_vpaes_set_decrypt_key:: mov rdx,r8 + endbr64 lea rsp,QWORD PTR[((-184))+rsp] movaps XMMWORD PTR[16+rsp],xmm6 movaps XMMWORD PTR[32+rsp],xmm7 @@ -796,6 +805,7 @@ $L$SEH_begin_vpaes_encrypt:: mov rdx,r8 + endbr64 lea rsp,QWORD PTR[((-184))+rsp] movaps XMMWORD PTR[16+rsp],xmm6 movaps XMMWORD PTR[32+rsp],xmm7 @@ -843,6 +853,7 @@ $L$SEH_begin_vpaes_decrypt:: mov rdx,r8 + endbr64 lea rsp,QWORD PTR[((-184))+rsp] movaps XMMWORD PTR[16+rsp],xmm6 movaps XMMWORD PTR[32+rsp],xmm7 @@ -892,6 +903,7 @@ $L$SEH_begin_vpaes_cbc_encrypt:: mov r9,QWORD PTR[48+rsp] + endbr64 xchg rdx,rcx sub rcx,16 jc $L$cbc_abort @@ -964,6 +976,7 @@ vpaes_cbc_encrypt ENDP ALIGN 16 _vpaes_preheat PROC PRIVATE + endbr64 lea r10,QWORD PTR[$L$k_s0F] movdqa xmm10,XMMWORD PTR[((-32))+r10] movdqa xmm11,XMMWORD PTR[((-16))+r10] @@ -979,6 +992,8 @@ _vpaes_preheat ENDP +.text$ ENDS +.rdata SEGMENT READONLY ALIGN(8) ALIGN 64 _vpaes_consts:: @@ -1075,17 +1090,15 @@ $L$k_dsbe:: $L$k_dsbo:: DQ 01387EA537EF94000h,0C7AA6DB9D4943E2Dh DQ 012D7560F93441D00h,0CA4B8159D8C58E9Ch -DB 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105 -DB 111,110,32,65,69,83,32,102,111,114,32,120,56,54,95,54 -DB 52,47,83,83,83,69,51,44,32,77,105,107,101,32,72,97 -DB 109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32 -DB 85,110,105,118,101,114,115,105,116,121,41,0 ALIGN 64 +.rdata ENDS +.text$ SEGMENT ALIGN(64) 'CODE' EXTERN __imp_RtlVirtualUnwind:NEAR ALIGN 16 se_handler PROC PRIVATE + endbr64 push rsi push rdi push rbx diff --git a/crypto/aes/vpaes-mingw64-x86_64.S b/crypto/aes/vpaes-mingw64-x86_64.S index d6cb860..77a362d 100644 
--- a/crypto/aes/vpaes-mingw64-x86_64.S +++ b/crypto/aes/vpaes-mingw64-x86_64.S @@ -19,6 +19,7 @@ .def _vpaes_encrypt_core; .scl 3; .type 32; .endef .p2align 4 _vpaes_encrypt_core: + endbr64 movq %rdx,%r9 movq $16,%r11 movl 240(%rdx),%eax @@ -109,6 +110,7 @@ _vpaes_encrypt_core: .def _vpaes_decrypt_core; .scl 3; .type 32; .endef .p2align 4 _vpaes_decrypt_core: + endbr64 movq %rdx,%r9 movl 240(%rdx),%eax movdqa %xmm9,%xmm1 @@ -216,6 +218,7 @@ _vpaes_decrypt_core: .def _vpaes_schedule_core; .scl 3; .type 32; .endef .p2align 4 _vpaes_schedule_core: + endbr64 @@ -401,6 +404,7 @@ _vpaes_schedule_core: .def _vpaes_schedule_192_smear; .scl 3; .type 32; .endef .p2align 4 _vpaes_schedule_192_smear: + endbr64 pshufd $128,%xmm6,%xmm0 pxor %xmm0,%xmm6 pshufd $254,%xmm7,%xmm0 @@ -432,6 +436,7 @@ _vpaes_schedule_192_smear: .def _vpaes_schedule_round; .scl 3; .type 32; .endef .p2align 4 _vpaes_schedule_round: + endbr64 pxor %xmm1,%xmm1 .byte 102,65,15,58,15,200,15 @@ -499,6 +504,7 @@ _vpaes_schedule_low_round: .def _vpaes_schedule_transform; .scl 3; .type 32; .endef .p2align 4 _vpaes_schedule_transform: + endbr64 movdqa %xmm9,%xmm1 pandn %xmm0,%xmm1 psrld $4,%xmm1 @@ -537,6 +543,7 @@ _vpaes_schedule_transform: .def _vpaes_schedule_mangle; .scl 3; .type 32; .endef .p2align 4 _vpaes_schedule_mangle: + endbr64 movdqa %xmm0,%xmm4 movdqa .Lk_mc_forward(%rip),%xmm5 testq %rcx,%rcx @@ -618,6 +625,7 @@ vpaes_set_encrypt_key: movq %rdx,%rsi movq %r8,%rdx + endbr64 leaq -184(%rsp),%rsp movaps %xmm6,16(%rsp) movaps %xmm7,32(%rsp) @@ -668,6 +676,7 @@ vpaes_set_decrypt_key: movq %rdx,%rsi movq %r8,%rdx + endbr64 leaq -184(%rsp),%rsp movaps %xmm6,16(%rsp) movaps %xmm7,32(%rsp) @@ -723,6 +732,7 @@ vpaes_encrypt: movq %rdx,%rsi movq %r8,%rdx + endbr64 leaq -184(%rsp),%rsp movaps %xmm6,16(%rsp) movaps %xmm7,32(%rsp) @@ -768,6 +778,7 @@ vpaes_decrypt: movq %rdx,%rsi movq %r8,%rdx + endbr64 leaq -184(%rsp),%rsp movaps %xmm6,16(%rsp) movaps %xmm7,32(%rsp) 
@@ -815,6 +826,7 @@ vpaes_cbc_encrypt: movq 40(%rsp),%r8 movq 48(%rsp),%r9 + endbr64 xchgq %rcx,%rdx subq $16,%rcx jc .Lcbc_abort @@ -886,6 +898,7 @@ vpaes_cbc_encrypt: .def _vpaes_preheat; .scl 3; .type 32; .endef .p2align 4 _vpaes_preheat: + endbr64 leaq .Lk_s0F(%rip),%r10 movdqa -32(%r10),%xmm10 movdqa -16(%r10),%xmm11 @@ -901,6 +914,7 @@ _vpaes_preheat: +.section .rodata .p2align 6 _vpaes_consts: @@ -997,13 +1011,14 @@ _vpaes_consts: .Lk_dsbo: .quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D .quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C -.byte 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0 .p2align 6 +.text .def se_handler; .scl 3; .type 32; .endef .p2align 4 se_handler: + endbr64 pushq %rsi pushq %rdi pushq %rbx diff --git a/crypto/armv4cpuid.S b/crypto/armv4cpuid.S index bb9abaf..db0b54e 100644 --- a/crypto/armv4cpuid.S +++ b/crypto/armv4cpuid.S @@ -9,43 +9,6 @@ #undef __thumb2__ #endif -.align 5 -.globl OPENSSL_atomic_add -.type OPENSSL_atomic_add,%function -OPENSSL_atomic_add: -#if __ARM_ARCH__>=6 -.Ladd: ldrex r2,[r0] - add r3,r2,r1 - strex r2,r3,[r0] - cmp r2,#0 - bne .Ladd - mov r0,r3 - bx lr -#else - stmdb sp!,{r4,r5,r6,lr} - ldr r2,.Lspinlock - adr r3,.Lspinlock - mov r4,r0 - mov r5,r1 - add r6,r3,r2 @ &spinlock - b .+8 -.Lspin: bl sched_yield - mov r0,#-1 - swp r0,r0,[r6] - cmp r0,#0 - bne .Lspin - - ldr r2,[r4] - add r2,r2,r5 - str r2,[r4] - str r0,[r6] @ release spinlock - ldmia sp!,{r4,r5,r6,lr} - tst lr,#1 - moveq pc,lr -.word 0xe12fff1e @ bx lr -#endif -.size OPENSSL_atomic_add,.-OPENSSL_atomic_add - #if __ARM_ARCH__>=7 .arch armv7-a .fpu neon 
@@ -102,64 +65,5 @@ _armv8_pmull_probe: .size _armv8_pmull_probe,.-_armv8_pmull_probe #endif -.globl OPENSSL_wipe_cpu -.type OPENSSL_wipe_cpu,%function -OPENSSL_wipe_cpu: -#if __ARM_ARCH__>=7 - ldr r0,.LOPENSSL_armcap - adr r1,.LOPENSSL_armcap - ldr r0,[r1,r0] -#ifdef __APPLE__ - ldr r0,[r0] -#endif -#endif - eor r2,r2,r2 - eor r3,r3,r3 - eor ip,ip,ip -#if __ARM_ARCH__>=7 - tst r0,#1 - beq .Lwipe_done - veor q0, q0, q0 - veor q1, q1, q1 - veor q2, q2, q2 - veor q3, q3, q3 - veor q8, q8, q8 - veor q9, q9, q9 - veor q10, q10, q10 - veor q11, q11, q11 - veor q12, q12, q12 - veor q13, q13, q13 - veor q14, q14, q14 - veor q15, q15, q15 -.Lwipe_done: -#endif - mov r0,sp -#if __ARM_ARCH__>=5 - bx lr -#else - tst lr,#1 - moveq pc,lr -.word 0xe12fff1e @ bx lr -#endif -.size OPENSSL_wipe_cpu,.-OPENSSL_wipe_cpu - -.align 5 -#if __ARM_ARCH__>=7 -.LOPENSSL_armcap: -.word OPENSSL_armcap_P-. -#endif -#if __ARM_ARCH__>=6 -.align 5 -#else -.Lspinlock: -.word atomic_add_spinlock-.Lspinlock -.align 5 - -.data -.align 2 -atomic_add_spinlock: -.word 0 -#endif - .comm OPENSSL_armcap_P,4,4 .hidden OPENSSL_armcap_P diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c index 4ffafd5..7670551 100644 --- a/crypto/asn1/a_bitstr.c +++ b/crypto/asn1/a_bitstr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_bitstr.c,v 1.33 2021/12/25 08:52:44 jsing Exp $ */ +/* $OpenBSD: a_bitstr.c,v 1.38 2023/01/13 14:46:08 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include #include #include @@ -65,6 +66,8 @@ #include #include +#include "bytestring.h" + const ASN1_ITEM ASN1_BIT_STRING_it = { .itype = ASN1_ITYPE_PRIMITIVE, .utype = V_ASN1_BIT_STRING, 
@@ -83,6 +86,25 @@ ASN1_BIT_STRING_free(ASN1_BIT_STRING *a) ASN1_item_free((ASN1_VALUE *)a, &ASN1_BIT_STRING_it); } +static void +asn1_abs_clear_unused_bits(ASN1_BIT_STRING *abs) +{ + abs->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); +} + +int +asn1_abs_set_unused_bits(ASN1_BIT_STRING *abs, uint8_t unused_bits) +{ + if (unused_bits > 7) + return 0; + + asn1_abs_clear_unused_bits(abs); + + abs->flags |= ASN1_STRING_FLAG_BITS_LEFT | unused_bits; + + return 1; +} + int ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, unsigned char *d, int len) { @@ -104,7 +126,7 @@ ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value) if (a == NULL) return 0; - a->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); /* clear, set on write */ + asn1_abs_clear_unused_bits(a); if ((a->length < (w + 1)) || (a->data == NULL)) { if (!value) @@ -219,17 +241,27 @@ i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp) if (a == NULL) return (0); + if (a->length == INT_MAX) + return (0); + + ret = a->length + 1; + + if (pp == NULL) + return (ret); + len = a->length; if (len > 0) { if (a->flags & ASN1_STRING_FLAG_BITS_LEFT) { bits = (int)a->flags & 0x07; } else { + j = 0; for (; len > 0; len--) { if (a->data[len - 1]) break; } - j = a->data[len - 1]; + if (len > 0) + j = a->data[len - 1]; if (j & 0x01) bits = 0; else if (j & 0x02) @@ -252,10 +284,6 @@ i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp) } else bits = 0; - ret = 1 + len; - if (pp == NULL) - return (ret); - p= *pp; *(p++) = (unsigned char)bits; 
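Review bot: The mask `0x07` in asn1_abs_clear_unused_bits and the `ASN1_STRING_FLAG_BITS_LEFT | unused_bits` in asn1_abs_set_unused_bits encode the convention that the low three flag bits carry the unused-bit count of the final octet, but neither helper says so; add above the first one: `/* The low three flag bits hold the number of unused bits in the last octet; ASN1_STRING_FLAG_BITS_LEFT marks that count as valid. */`. asn1_abs_set_unused_bits has external linkage, so it presumably gets a prototype in an internal header outside this diff; a one-line comment stating that it returns 0 for a count above 7 without touching the flags (the clear runs only after the range check) would help those callers.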
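Review bot: `ret = a->length + 1;` is now computed before the trailing-zero loop (`for (; len > 0; len--)` in the branch without ASN1_STRING_FLAG_BITS_LEFT) shortens `len`, so the length returned from the pp == NULL pass counts octets the trim may not emit; if the copy that follows this hunk still writes `len` bytes, the advertised length and the bytes actually written disagree. Either keep the loop only for choosing the last non-zero octet used in the `bits` computation and copy `a->length` bytes, or derive `ret` from the trimmed `len` as before. The write after `*(p++) = (unsigned char)bits;` is outside the hunk, so this is inferred from the visible part of i2c_ASN1_BIT_STRING. The `j = 0` initialisation and the `if (len > 0)` guard before `j = a->data[len - 1]` do fix the out-of-bounds read at `a->data[-1]` for an all-zero string.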
@@ -269,68 +297,90 @@ i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp) return (ret); } -ASN1_BIT_STRING * -c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, const unsigned char **pp, long len) +int +c2i_ASN1_BIT_STRING_cbs(ASN1_BIT_STRING **out_abs, CBS *cbs) { - ASN1_BIT_STRING *ret = NULL; - const unsigned char *p; - unsigned char *s; - int i; + ASN1_BIT_STRING *abs = NULL; + uint8_t *data = NULL; + size_t data_len = 0; + uint8_t unused_bits; + int ret = 0; - if (len < 1) { + if (out_abs == NULL) + goto err; + + if (*out_abs != NULL) { + ASN1_BIT_STRING_free(*out_abs); + *out_abs = NULL; + } + + if (!CBS_get_u8(cbs, &unused_bits)) { ASN1error(ASN1_R_STRING_TOO_SHORT); goto err; } - if (a == NULL || *a == NULL) { - if ((ret = ASN1_BIT_STRING_new()) == NULL) - return (NULL); - } else - ret = *a; - - p = *pp; - i = *(p++); - if (i > 7) { - ASN1error(ASN1_R_INVALID_BIT_STRING_BITS_LEFT); + if (!CBS_stow(cbs, &data, &data_len)) goto err; - } + if (data_len > INT_MAX) + goto err; + + if ((abs = ASN1_BIT_STRING_new()) == NULL) + goto err; + + abs->data = data; + abs->length = (int)data_len; + data = NULL; /* * We do this to preserve the settings. If we modify the settings, * via the _set_bit function, we will recalculate on output. 
*/ - ret->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); /* clear */ - ret->flags |= (ASN1_STRING_FLAG_BITS_LEFT | i); /* set */ + if (!asn1_abs_set_unused_bits(abs, unused_bits)) { + ASN1error(ASN1_R_INVALID_BIT_STRING_BITS_LEFT); + goto err; + } + if (abs->length > 0) + abs->data[abs->length - 1] &= 0xff << unused_bits; - /* using one because of the bits left byte */ - if (len-- > 1) { - if ((s = malloc(len)) == NULL) { - ASN1error(ERR_R_MALLOC_FAILURE); - goto err; - } - memcpy(s, p, len); - s[len - 1] &= (0xff << i); - p += len; - } else - s = NULL; + *out_abs = abs; + abs = NULL; - free(ret->data); - ret->data = s; - ret->length = (int)len; - ret->type = V_ASN1_BIT_STRING; - - if (a != NULL) - *a = ret; - - *pp = p; - - return (ret); + ret = 1; err: - if (a == NULL || *a != ret) - ASN1_BIT_STRING_free(ret); + ASN1_BIT_STRING_free(abs); + freezero(data, data_len); - return (NULL); + return ret; +} + +ASN1_BIT_STRING * +c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **out_abs, const unsigned char **pp, long len) +{ + ASN1_BIT_STRING *abs = NULL; + CBS content; + + if (out_abs != NULL) { + ASN1_BIT_STRING_free(*out_abs); + *out_abs = NULL; + } + + if (len < 0) { + ASN1error(ASN1_R_LENGTH_ERROR); + return NULL; + } + + CBS_init(&content, *pp, len); + + if (!c2i_ASN1_BIT_STRING_cbs(&abs, &content)) + return NULL; + + *pp = CBS_data(&content); + + if (out_abs != NULL) + *out_abs = abs; + + return abs; } int diff --git a/crypto/asn1/a_enum.c b/crypto/asn1/a_enum.c index 007a421..d7c8181 100644 --- a/crypto/asn1/a_enum.c +++ b/crypto/asn1/a_enum.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_enum.c,v 1.23 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: a_enum.c,v 1.28 2022/11/26 16:08:50 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include +#include #include #include 
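Review bot: The rewritten c2i_ASN1_BIT_STRING frees and NULLs `*out_abs` before any parsing, including on the `len < 0` and `c2i_ASN1_BIT_STRING_cbs` failure paths, whereas the removed code reused the caller's object and left it intact when decoding failed (`if (a == NULL || *a != ret) ASN1_BIT_STRING_free(ret)`). A caller that passes an existing object and expects to keep it after a failed decode now gets NULL, so that contract change deserves a comment above the function, e.g. `/* Any existing *out_abs is freed first; on failure *out_abs is left NULL. */`, plus a check of in-tree callers. The same pattern is introduced by c2i_ASN1_INTEGER_cbs in a_int.c and c2i_ASN1_OBJECT_cbs in a_object.c in this diff. It is also worth stating that the helper consumes every remaining byte of `cbs` through CBS_stow, which is why the wrapper's `*pp = CBS_data(&content)` ends up exactly `len` bytes past the input.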
@@ -65,6 +65,9 @@ #include #include +#include "asn1_local.h" +#include "bytestring.h" + /* * Code for ENUMERATED type: identical to INTEGER apart from a different tag. * for comments on encoding see a_int.c @@ -82,6 +85,16 @@ ASN1_ENUMERATED_new(void) return (ASN1_ENUMERATED *)ASN1_item_new(&ASN1_ENUMERATED_it); } +static void +asn1_aenum_clear(ASN1_ENUMERATED *aenum) +{ + freezero(aenum->data, aenum->length); + + memset(aenum, 0, sizeof(*aenum)); + + aenum->type = V_ASN1_ENUMERATED; +} + void ASN1_ENUMERATED_free(ASN1_ENUMERATED *a) { 
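Review bot: asn1_aenum_clear resets the whole structure with `memset(aenum, 0, sizeof(*aenum))`, so the `flags` field is discarded along with data, length and type; the ASN1_ENUMERATED_set it replaces in the next hunk only freed `data` and reassigned `type`, leaving flags untouched. If that is intended, a one-line comment makes it explicit, e.g. `/* Release the content and reset to an empty, non-negative ENUMERATED; flags are cleared as well. */`. asn1_aint_clear in the a_int.c `@@ -78,6 +80,16 @@` hunk has the identical shape and would take the same comment. `freezero(aenum->data, aenum->length)` also turns a malformed negative length into a huge size_t, so either a `length > 0` guard or a comment noting that negative lengths are treated as invalid would help readers.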
@@ -89,73 +102,65 @@ ASN1_ENUMERATED_free(ASN1_ENUMERATED *a) } int -ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v) +ASN1_ENUMERATED_get_int64(int64_t *out_val, const ASN1_ENUMERATED *aenum) { - int j, k; - unsigned int i; - unsigned char buf[sizeof(long) + 1]; - long d; + CBS cbs; - a->type = V_ASN1_ENUMERATED; - if (a->length < (int)(sizeof(long) + 1)) { - free(a->data); - a->data = calloc(1, sizeof(long) + 1); - } - if (a->data == NULL) { - ASN1error(ERR_R_MALLOC_FAILURE); - return (0); - } - d = v; - if (d < 0) { - d = -d; - a->type = V_ASN1_NEG_ENUMERATED; + *out_val = 0; + + if (aenum == NULL || aenum->length < 0) + return 0; + + if (aenum->type != V_ASN1_ENUMERATED && + aenum->type != V_ASN1_NEG_ENUMERATED) { + ASN1error(ASN1_R_WRONG_INTEGER_TYPE); + return 0; } - for (i = 0; i < sizeof(long); i++) { - if (d == 0) - break; - buf[i] = (int)d & 0xff; - d >>= 8; + CBS_init(&cbs, aenum->data, aenum->length); + + return asn1_aint_get_int64(&cbs, (aenum->type == V_ASN1_NEG_ENUMERATED), + out_val); +} + +int +ASN1_ENUMERATED_set_int64(ASN1_ENUMERATED *aenum, int64_t val) +{ + uint64_t uval; + + asn1_aenum_clear(aenum); + + uval = (uint64_t)val; + + if (val < 0) { + aenum->type = V_ASN1_NEG_ENUMERATED; + uval = -uval; } - j = 0; - for (k = i - 1; k >= 0; k--) - a->data[j++] = buf[k]; - a->length = j; - return (1); + + return asn1_aint_set_uint64(uval, &aenum->data, &aenum->length); } long -ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a) +ASN1_ENUMERATED_get(const ASN1_ENUMERATED *aenum) { - int neg = 0, i; - unsigned long r = 0; + int64_t val; - if (a == NULL) - return (0L); - i = a->type; - if (i == V_ASN1_NEG_ENUMERATED) - neg = 1; - else if (i != V_ASN1_ENUMERATED) - return -1; - - if (a->length > (int)sizeof(long)) { - /* hmm... 
a bit ugly */ - return -1; - } - if (a->data == NULL) + if (aenum == NULL) return 0; - - for (i = 0; i < a->length; i++) { - r <<= 8; - r |= (unsigned char)a->data[i]; + if (!ASN1_ENUMERATED_get_int64(&val, aenum)) + return -1; + if (val < LONG_MIN || val > LONG_MAX) { + /* hmm... a bit ugly, return all ones */ + return -1; } - if (r > LONG_MAX) - return -1; + return (long)val; +} - if (neg) - return -(long)r; - return (long)r; +int +ASN1_ENUMERATED_set(ASN1_ENUMERATED *aenum, long val) +{ + return ASN1_ENUMERATED_set_int64(aenum, val); } ASN1_ENUMERATED * @@ -340,6 +345,28 @@ a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size) return (ret); } +int +c2i_ASN1_ENUMERATED_cbs(ASN1_ENUMERATED **out_aenum, CBS *cbs) +{ + ASN1_ENUMERATED *aenum = NULL; + + if (out_aenum == NULL) + return 0; + + if (*out_aenum != NULL) { + ASN1_INTEGER_free(*out_aenum); + *out_aenum = NULL; + } + + if (!c2i_ASN1_INTEGER_cbs((ASN1_INTEGER **)&aenum, cbs)) + return 0; + + aenum->type = V_ASN1_ENUMERATED | (aenum->type & V_ASN1_NEG); + *out_aenum = aenum; + + return 1; +} + int i2d_ASN1_ENUMERATED(ASN1_ENUMERATED *a, unsigned char **out) { diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c index c4b40ff..1f47789 100644 --- a/crypto/asn1/a_int.c +++ b/crypto/asn1/a_int.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_int.c,v 1.38 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: a_int.c,v 1.46 2022/08/28 17:49:25 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,6 +66,8 @@ #include #include +#include "bytestring.h" + const ASN1_ITEM ASN1_INTEGER_it = { .itype = ASN1_ITYPE_PRIMITIVE, .utype = V_ASN1_INTEGER, @@ -78,6 +80,16 @@ ASN1_INTEGER_new(void) return (ASN1_INTEGER *)ASN1_item_new(&ASN1_INTEGER_it); } +static void +asn1_aint_clear(ASN1_INTEGER *aint) +{ + freezero(aint->data, aint->length); + + memset(aint, 0, sizeof(*aint)); + + aint->type = V_ASN1_INTEGER; +} + void ASN1_INTEGER_free(ASN1_INTEGER *a) { 
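Review bot: ASN1_ENUMERATED_get_int64 drops the `a->data == NULL` guard that the removed ASN1_ENUMERATED_get had and hands `aenum->data` straight to `CBS_init(&cbs, aenum->data, aenum->length)`; with a NULL data pointer and a positive length the following CBS_get_u8 reads through NULL. The existing `length < 0` test could be extended to `if (aenum == NULL || aenum->length < 0 || (aenum->data == NULL && aenum->length != 0)) return 0;`, matching the check i2c_ASN1_INTEGER_cbb makes in a_int.c. ASN1_INTEGER_get_uint64 and ASN1_INTEGER_get_int64 in the a_int.c `@@ -100,105 +112,211 @@` hunk have the same gap, and the removed ASN1_INTEGER_get had the same `a->data == NULL` guard.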
@@ -100,105 +112,211 @@ ASN1_INTEGER_dup(const ASN1_INTEGER *x) } int -ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y) +ASN1_INTEGER_cmp(const ASN1_INTEGER *a, const ASN1_INTEGER *b) { - int neg, ret; + int ret = 1; - /* Compare signs */ - neg = x->type & V_ASN1_NEG; - if (neg != (y->type & V_ASN1_NEG)) { - if (neg) - return -1; - else - return 1; - } + /* Compare sign, then content. */ + if ((a->type & V_ASN1_NEG) == (b->type & V_ASN1_NEG)) + ret = ASN1_STRING_cmp(a, b); - ret = ASN1_STRING_cmp(x, y); - - if (neg) + if ((a->type & V_ASN1_NEG) != 0) return -ret; - else - return ret; + + return ret; } int -ASN1_INTEGER_set(ASN1_INTEGER *a, long v) +asn1_aint_get_uint64(CBS *cbs, uint64_t *out_val) { - int j, k; - unsigned int i; - unsigned char buf[sizeof(long) + 1]; - long d; + uint64_t val = 0; + uint8_t u8; - a->type = V_ASN1_INTEGER; - /* XXX ssl/ssl_asn1.c:i2d_SSL_SESSION() depends upon this bound vae */ - if (a->length < (int)(sizeof(long) + 1)) { - free(a->data); - a->data = calloc(1, sizeof(long) + 1); - } - if (a->data == NULL) { - ASN1error(ERR_R_MALLOC_FAILURE); - return (0); - } - d = v; - if (d < 0) { - d = -d; - a->type = V_ASN1_NEG_INTEGER; + *out_val = 0; + + while (CBS_len(cbs) > 0) { + if (!CBS_get_u8(cbs, &u8)) + return 0; + if (val > (UINT64_MAX >> 8)) { + ASN1error(ASN1_R_TOO_LARGE); + return 0; + } + val = val << 8 | u8; } - for (i = 0; i < sizeof(long); i++) { - if (d == 0) - break; - buf[i] = (int)d & 0xff; - d >>= 8; - } - j = 0; - for (k = i - 1; k >= 0; k--) - a->data[j++] = buf[k]; - a->length = j; - return (1); + *out_val = val; + + return 1; } -/* - * XXX this particular API is a gibbering eidrich horror that makes it - * impossible to determine valid return cases from errors.. 
"a bit - * ugly" is preserved for posterity, unfortunately this is probably - * unfixable without changing public API - */ -long -ASN1_INTEGER_get(const ASN1_INTEGER *a) +int +asn1_aint_set_uint64(uint64_t val, uint8_t **out_data, int *out_len) { - int neg = 0, i; - unsigned long r = 0; + uint8_t *data = NULL; + size_t data_len = 0; + int started = 0; + uint8_t u8; + CBB cbb; + int i; + int ret = 0; - if (a == NULL) - return (0L); - i = a->type; - if (i == V_ASN1_NEG_INTEGER) - neg = 1; - else if (i != V_ASN1_INTEGER) + if (!CBB_init(&cbb, sizeof(long))) + goto err; + + if (out_data == NULL || out_len == NULL) + goto err; + if (*out_data != NULL || *out_len != 0) + goto err; + + for (i = sizeof(uint64_t) - 1; i >= 0; i--) { + u8 = (val >> (i * 8)) & 0xff; + if (!started && i != 0 && u8 == 0) + continue; + if (!CBB_add_u8(&cbb, u8)) + goto err; + started = 1; + } + + if (!CBB_finish(&cbb, &data, &data_len)) + goto err; + if (data_len > INT_MAX) + goto err; + + *out_data = data; + *out_len = (int)data_len; + data = NULL; + + ret = 1; + err: + CBB_cleanup(&cbb); + freezero(data, data_len); + + return ret; +} + +int +asn1_aint_get_int64(CBS *cbs, int negative, int64_t *out_val) +{ + uint64_t val; + + if (!asn1_aint_get_uint64(cbs, &val)) + return 0; + + if (negative) { + if (val > (uint64_t)INT64_MIN) { + ASN1error(ASN1_R_TOO_SMALL); + return 0; + } + *out_val = (int64_t)-val; + } else { + if (val > (uint64_t)INT64_MAX) { + ASN1error(ASN1_R_TOO_LARGE); + return 0; + } + *out_val = (int64_t)val; + } + + return 1; +} + +int +ASN1_INTEGER_get_uint64(uint64_t *out_val, const ASN1_INTEGER *aint) +{ + uint64_t val; + CBS cbs; + + *out_val = 0; + + if (aint == NULL || aint->length < 0) + return 0; + + if (aint->type == V_ASN1_NEG_INTEGER) { + ASN1error(ASN1_R_ILLEGAL_NEGATIVE_VALUE); + return 0; + } + if (aint->type != V_ASN1_INTEGER) { + ASN1error(ASN1_R_WRONG_INTEGER_TYPE); + return 0; + } + + CBS_init(&cbs, aint->data, aint->length); + + if (!asn1_aint_get_uint64(&cbs, 
&val)) + return 0; + + *out_val = val; + + return 1; +} + +int +ASN1_INTEGER_set_uint64(ASN1_INTEGER *aint, uint64_t val) +{ + asn1_aint_clear(aint); + + return asn1_aint_set_uint64(val, &aint->data, &aint->length); +} + +int +ASN1_INTEGER_get_int64(int64_t *out_val, const ASN1_INTEGER *aint) +{ + CBS cbs; + + *out_val = 0; + + if (aint == NULL || aint->length < 0) + return 0; + + if (aint->type != V_ASN1_INTEGER && + aint->type != V_ASN1_NEG_INTEGER) { + ASN1error(ASN1_R_WRONG_INTEGER_TYPE); + return 0; + } + + CBS_init(&cbs, aint->data, aint->length); + + return asn1_aint_get_int64(&cbs, (aint->type == V_ASN1_NEG_INTEGER), + out_val); +} + +int +ASN1_INTEGER_set_int64(ASN1_INTEGER *aint, int64_t val) +{ + uint64_t uval; + + asn1_aint_clear(aint); + + uval = (uint64_t)val; + + if (val < 0) { + aint->type = V_ASN1_NEG_INTEGER; + uval = -uval; + } + + return asn1_aint_set_uint64(uval, &aint->data, &aint->length); +} + +long +ASN1_INTEGER_get(const ASN1_INTEGER *aint) +{ + int64_t val; + + if (aint == NULL) + return 0; + if (!ASN1_INTEGER_get_int64(&val, aint)) return -1; - - if (!ASN1_INTEGER_valid(a)) - return -1; /* XXX best effort */ - - if (a->length > (int)sizeof(long)) { + if (val < LONG_MIN || val > LONG_MAX) { /* hmm... a bit ugly, return all ones */ return -1; } - if (a->data == NULL) - return 0; - for (i = 0; i < a->length; i++) { - r <<= 8; - r |= (unsigned char)a->data[i]; - } + return (long)val; +} - if (r > LONG_MAX) - return -1; - - if (neg) - return -(long)r; - return (long)r; +int +ASN1_INTEGER_set(ASN1_INTEGER *aint, long val) +{ + return ASN1_INTEGER_set_int64(aint, val); } ASN1_INTEGER * 
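Review bot: The removed comment above ASN1_INTEGER_get warned that its return value cannot separate errors from a legitimate value, and the rewritten function keeps that property: it returns -1 when ASN1_INTEGER_get_int64 fails or the value does not fit a long, and also returns -1 for a stored value of -1. Since the ambiguity is unchanged, a replacement comment should stay, e.g. `/* Returns -1 on error or out-of-range values, indistinguishable from a stored -1; prefer ASN1_INTEGER_get_int64(). */`. Separately, asn1_aint_set_uint64 calls `CBB_init(&cbb, sizeof(long))` before validating `out_data`/`out_len` so that every `goto err` reaches a valid CBB_cleanup; a short comment noting that the ordering is deliberate would stop a future reorder from passing an uninitialised CBB to CBB_cleanup.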
@@ -392,198 +510,246 @@ a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size) return (ret); } -/* - * This converts an ASN1 INTEGER into its content encoding. - * The internal representation is an ASN1_STRING whose data is a big endian - * representation of the value, ignoring the sign. The sign is determined by - * the type: V_ASN1_INTEGER for positive and V_ASN1_NEG_INTEGER for negative. - * - * Positive integers are no problem: they are almost the same as the DER - * encoding, except if the first byte is >= 0x80 we need to add a zero pad. - * - * Negative integers are a bit trickier... - * The DER representation of negative integers is in 2s complement form. - * The internal form is converted by complementing each octet and finally - * adding one to the result. This can be done less messily with a little trick. - * If the internal form has trailing zeroes then they will become FF by the - * complement and 0 by the add one (due to carry) so just copy as many trailing - * zeros to the destination as there are in the source. The carry will add one - * to the last none zero octet: so complement this octet and add one and finally - * complement any left over until you get to the start of the string. - * - * Padding is a little trickier too. If the first bytes is > 0x80 then we pad - * with 0xff. However if the first byte is 0x80 and one of the following bytes - * is non-zero we pad with 0xff. The reason for this distinction is that 0x80 - * followed by optional zeros isn't padded. 
- */ - -int -i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp) +static void +asn1_aint_twos_complement(uint8_t *data, size_t data_len) { - int pad = 0, ret, i, neg; - unsigned char *p, *n, pb = 0; + uint8_t carry = 1; + ssize_t i; - if (!ASN1_INTEGER_valid(a)) - return 0; - - neg = a->type & V_ASN1_NEG; - if (a->length == 0) - ret = 1; - else { - ret = a->length; - i = a->data[0]; - if (!neg && (i > 127)) { - pad = 1; - pb = 0; - } else if (neg) { - if (i > 128) { - pad = 1; - pb = 0xFF; - } else if (i == 128) { - /* - * Special case: if any other bytes non zero we pad: - * otherwise we don't. - */ - for (i = 1; i < a->length; i++) if (a->data[i]) { - pad = 1; - pb = 0xFF; - break; - } - } - } - ret += pad; + for (i = data_len - 1; i >= 0; i--) { + data[i] = (data[i] ^ 0xff) + carry; + if (data[i] != 0) + carry = 0; } - if (pp == NULL) - return (ret); - p= *pp; - - if (pad) - *(p++) = pb; - if (a->length == 0) - *(p++) = 0; - else if (!neg) - memcpy(p, a->data, a->length); - else { - /* Begin at the end of the encoding */ - n = a->data + a->length - 1; - p += a->length - 1; - i = a->length; - /* Copy zeros to destination as long as source is zero */ - while (!*n) { - *(p--) = 0; - n--; - i--; - } - /* Complement and increment next octet */ - *(p--) = ((*(n--)) ^ 0xff) + 1; - i--; - /* Complement any octets left */ - for (; i > 0; i--) - *(p--) = *(n--) ^ 0xff; - } - - *pp += ret; - return (ret); } -/* Convert just ASN1 INTEGER content octets to ASN1_INTEGER structure */ - -ASN1_INTEGER * -c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, long len) +static int +asn1_aint_keep_twos_padding(const uint8_t *data, size_t data_len) { - ASN1_INTEGER *ret = NULL; - const unsigned char *p, *pend; - unsigned char *to, *s; - int i; + size_t i; - if ((a == NULL) || ((*a) == NULL)) { - if ((ret = ASN1_INTEGER_new()) == NULL) - return (NULL); - } else - ret = (*a); + /* + * If a two's complement value has a padding byte (0xff) and the rest + * of the value is all 
zeros, the padding byte cannot be removed as when + * converted from two's complement this becomes 0x01 (in the place of + * the padding byte) followed by the same number of zero bytes. + */ + if (data_len <= 1 || data[0] != 0xff) + return 0; + for (i = 1; i < data_len; i++) { + if (data[i] != 0) + return 0; + } + return 1; +} - if (!ASN1_INTEGER_valid(ret)) { - /* - * XXX using i for an alert is confusing, - * we should call this al - */ - i = ERR_R_ASN1_LENGTH_MISMATCH; +static int +i2c_ASN1_INTEGER_cbb(ASN1_INTEGER *aint, CBB *cbb) +{ + uint8_t *data = NULL; + size_t data_len = 0; + uint8_t padding, val; + uint8_t msb; + CBS cbs; + int ret = 0; + + if (aint->length < 0) goto err; - } - - p = *pp; - pend = p + len; - - /* We must malloc stuff, even for 0 bytes otherwise it - * signifies a missing NULL parameter. */ - if (len < 0 || len > INT_MAX) { - i = ERR_R_ASN1_LENGTH_MISMATCH; + if (aint->data == NULL && aint->length != 0) goto err; - } - s = malloc(len + 1); - if (s == NULL) { - i = ERR_R_MALLOC_FAILURE; + + if ((aint->type & ~V_ASN1_NEG) != V_ASN1_ENUMERATED && + (aint->type & ~V_ASN1_NEG) != V_ASN1_INTEGER) goto err; - } - to = s; - if (!len) { - /* Strictly speaking this is an illegal INTEGER but we - * tolerate it. - */ - ret->type = V_ASN1_INTEGER; - } else if (*p & 0x80) /* a negative number */ { - ret->type = V_ASN1_NEG_INTEGER; - if ((*p == 0xff) && (len != 1)) { - p++; - len--; - } - i = len; - p += i - 1; - to += i - 1; - while((!*p) && i) { - *(to--) = 0; - i--; - p--; - } - /* Special case: if all zeros then the number will be of - * the form FF followed by n zero bytes: this corresponds to - * 1 followed by n zero bytes. We've already written n zeros - * so we just append an extra one and set the first byte to - * a 1. This is treated separately because it is the only case - * where the number of bytes is larger than len. 
- */ - if (!i) { - *s = 1; - s[len] = 0; - len++; - } else { - *(to--) = (*(p--) ^ 0xff) + 1; - i--; - for (; i > 0; i--) - *(to--) = *(p--) ^ 0xff; - } - } else { - ret->type = V_ASN1_INTEGER; - if ((*p == 0) && (len != 1)) { - p++; - len--; - } - memcpy(s, p, len); + + CBS_init(&cbs, aint->data, aint->length); + + /* Find the first non-zero byte. */ + while (CBS_len(&cbs) > 0) { + if (!CBS_peek_u8(&cbs, &val)) + goto err; + if (val != 0) + break; + if (!CBS_skip(&cbs, 1)) + goto err; } - free(ret->data); - ret->data = s; - ret->length = (int)len; - if (a != NULL) - (*a) = ret; - *pp = pend; - return (ret); + /* A zero value is encoded as a single octet. */ + if (CBS_len(&cbs) == 0) { + if (!CBB_add_u8(cbb, 0)) + goto err; + goto done; + } + + if (!CBS_stow(&cbs, &data, &data_len)) + goto err; + + if ((aint->type & V_ASN1_NEG) != 0) + asn1_aint_twos_complement(data, data_len); + + /* Topmost bit indicates sign, padding is all zeros or all ones. */ + msb = (data[0] >> 7); + padding = (msb - 1) & 0xff; + + /* See if we need a padding octet to avoid incorrect sign. 
*/ + if (((aint->type & V_ASN1_NEG) == 0 && msb == 1) || + ((aint->type & V_ASN1_NEG) != 0 && msb == 0)) { + if (!CBB_add_u8(cbb, padding)) + goto err; + } + if (!CBB_add_bytes(cbb, data, data_len)) + goto err; + + done: + ret = 1; err: - ASN1error(i); - if (a == NULL || *a != ret) - ASN1_INTEGER_free(ret); - return (NULL); + freezero(data, data_len); + + return ret; +} + +int +i2c_ASN1_INTEGER(ASN1_INTEGER *aint, unsigned char **pp) +{ + uint8_t *data = NULL; + size_t data_len = 0; + CBB cbb; + int ret = -3; + + if (!CBB_init(&cbb, 0)) + goto err; + if (!i2c_ASN1_INTEGER_cbb(aint, &cbb)) + goto err; + if (!CBB_finish(&cbb, &data, &data_len)) + goto err; + if (data_len > INT_MAX) + goto err; + + if (pp != NULL) { + if ((uintptr_t)*pp > UINTPTR_MAX - data_len) + goto err; + memcpy(*pp, data, data_len); + *pp += data_len; + } + + ret = data_len; + + err: + freezero(data, data_len); + CBB_cleanup(&cbb); + + return ret; +} + +int +c2i_ASN1_INTEGER_cbs(ASN1_INTEGER **out_aint, CBS *cbs) +{ + ASN1_INTEGER *aint = NULL; + uint8_t *data = NULL; + size_t data_len = 0; + uint8_t padding, val; + uint8_t negative; + int ret = 0; + + if (out_aint == NULL) + goto err; + + if (*out_aint != NULL) { + ASN1_INTEGER_free(*out_aint); + *out_aint = NULL; + } + + if (CBS_len(cbs) == 0) { + /* XXX INVALID ENCODING? */ + ASN1error(ERR_R_ASN1_LENGTH_MISMATCH); + goto err; + } + if (!CBS_peek_u8(cbs, &val)) + goto err; + + /* Topmost bit indicates sign, padding is all zeros or all ones. */ + negative = (val >> 7); + padding = ~(negative - 1) & 0xff; + + /* + * Ensure that the first 9 bits are not all zero or all one, as per + * X.690 section 8.3.2. Remove the padding octet if possible. + */ + if (CBS_len(cbs) > 1 && val == padding) { + if (!asn1_aint_keep_twos_padding(CBS_data(cbs), CBS_len(cbs))) { + if (!CBS_get_u8(cbs, &padding)) + goto err; + if (!CBS_peek_u8(cbs, &val)) + goto err; + if ((val >> 7) == (padding >> 7)) { + /* XXX INVALID ENCODING? 
*/ + ASN1error(ERR_R_ASN1_LENGTH_MISMATCH); + goto err; + } + } + } + + if (!CBS_stow(cbs, &data, &data_len)) + goto err; + if (data_len > INT_MAX) + goto err; + + if ((aint = ASN1_INTEGER_new()) == NULL) + goto err; + + /* + * Negative integers are handled as a separate type - convert from + * two's complement for internal representation. + */ + if (negative) { + aint->type = V_ASN1_NEG_INTEGER; + asn1_aint_twos_complement(data, data_len); + } + + aint->data = data; + aint->length = (int)data_len; + data = NULL; + + *out_aint = aint; + aint = NULL; + + ret = 1; + + err: + ASN1_INTEGER_free(aint); + freezero(data, data_len); + + return ret; +} + +ASN1_INTEGER * +c2i_ASN1_INTEGER(ASN1_INTEGER **out_aint, const unsigned char **pp, long len) +{ + ASN1_INTEGER *aint = NULL; + CBS content; + + if (out_aint != NULL) { + ASN1_INTEGER_free(*out_aint); + *out_aint = NULL; + } + + if (len < 0) { + ASN1error(ASN1_R_LENGTH_ERROR); + return NULL; + } + + CBS_init(&content, *pp, len); + + if (!c2i_ASN1_INTEGER_cbs(&aint, &content)) + return NULL; + + *pp = CBS_data(&content); + + if (out_aint != NULL) + *out_aint = aint; + + return aint; } int diff --git a/crypto/asn1/a_mbstr.c b/crypto/asn1/a_mbstr.c index 8cff3ae..32b39ad 100644 --- a/crypto/asn1/a_mbstr.c +++ b/crypto/asn1/a_mbstr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_mbstr.c,v 1.24 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: a_mbstr.c,v 1.26 2022/12/26 07:18:51 jmc Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -63,7 +63,7 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" static int traverse_string(const unsigned char *p, int len, int inform, int (*rfunc)(unsigned long value, void *in), void *arg); 
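Review bot: The explanatory header comment that this hunk removes (internal form is a big-endian magnitude with the sign carried in `type`, the two's-complement conversion trick, and the 0x80/0xff padding rules) is not carried over, so i2c_ASN1_INTEGER_cbb and c2i_ASN1_INTEGER_cbs now document the encoding only through scattered inline remarks. A block comment above i2c_ASN1_INTEGER_cbb stating the internal representation, that negative values pass through asn1_aint_twos_complement in both directions, and when a padding octet is emitted or stripped would restore that context. Separately, asn1_aint_twos_complement indexes with `ssize_t i = data_len - 1`, which for `data_len == 0` relies on an implementation-defined size_t to ssize_t conversion; both callers currently guarantee a non-empty buffer, but `for (i = data_len; i > 0; i--) { data[i - 1] = (data[i - 1] ^ 0xff) + carry; ... }` with a `size_t i` removes that dependence.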
@@ -276,7 +276,7 @@ traverse_string(const unsigned char *p, int len, int inform, case MBSTRING_BMP: value = *p++ << 8; value |= *p++; - /* BMP is explictly defined to not support surrogates */ + /* BMP is explicitly defined to not support surrogates */ if (UNICODE_IS_SURROGATE(value)) return -1; len -= 2; diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index c6e4c77..af19858 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_object.c,v 1.46 2022/04/10 12:42:33 inoguchi Exp $ */ +/* $OpenBSD: a_object.c,v 1.50 2023/05/23 11:51:12 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,7 +66,7 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" const ASN1_ITEM ASN1_OBJECT_it = { .itype = ASN1_ITYPE_PRIMITIVE, @@ -433,6 +433,9 @@ i2t_ASN1_OBJECT_internal(const ASN1_OBJECT *aobj, char *buf, int buf_len, int no if (buf_len > 0) buf[0] = '\0'; + if (aobj == NULL || aobj->data == NULL) + return 0; + if (!CBB_init(&cbb, 0)) goto err; if (!i2t_ASN1_OBJECT_cbb(aobj, &cbb, no_name)) @@ -529,9 +532,14 @@ c2i_ASN1_OBJECT_cbs(ASN1_OBJECT **out_aobj, CBS *content) size_t data_len; CBS cbs; - if (out_aobj == NULL || *out_aobj != NULL) + if (out_aobj == NULL) goto err; + if (*out_aobj != NULL) { + ASN1_OBJECT_free(*out_aobj); + *out_aobj = NULL; + } + /* Parse and validate OID encoding per X.690 8.19.2. */ CBS_dup(content, &cbs); if (CBS_len(&cbs) == 0) { @@ -651,7 +659,7 @@ d2i_ASN1_OBJECT(ASN1_OBJECT **out_aobj, const unsigned char **pp, long length) if (!c2i_ASN1_OBJECT_cbs(&aobj, &content)) return NULL; - *pp = CBS_data(&content); + *pp = CBS_data(&cbs); if (out_aobj != NULL) *out_aobj = aobj; diff --git a/crypto/asn1/a_pkey.c b/crypto/asn1/a_pkey.c index 3b8dea7..c440861 100644 --- a/crypto/asn1/a_pkey.c +++ b/crypto/asn1/a_pkey.c 
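Review bot: In the `@@ -651,7 +659,7 @@` hunk, d2i_ASN1_OBJECT now sets `*pp = CBS_data(&cbs)` instead of `CBS_data(&content)`; the `@@ -529,9 +532,14 @@` hunk shows c2i_ASN1_OBJECT_cbs working on a `CBS_dup(content, &cbs)` copy, so `content` itself is never advanced and the old assignment presumably left `*pp` at the start of the payload. The declaration and advancement of the outer `cbs` are outside the hunk, so a comment on the changed line, e.g. `/* content is a dup'd view and is not consumed; cbs has been advanced past the element. */`, would make the fix self-explanatory and guard against someone reverting it.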
@@ -1,4 +1,4 @@ -/* $OpenBSD: a_pkey.c,v 1.3 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: a_pkey.c,v 1.4 2022/11/26 16:08:50 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -71,8 +71,8 @@ #include #endif -#include "asn1_locl.h" -#include "evp_locl.h" +#include "asn1_local.h" +#include "evp_local.h" EVP_PKEY * d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) diff --git a/crypto/asn1/a_print.c b/crypto/asn1/a_print.c index ddcee54..979f5f4 100644 --- a/crypto/asn1/a_print.c +++ b/crypto/asn1/a_print.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_print.c,v 1.11 2014/07/11 08:44:47 jsing Exp $ */ +/* $OpenBSD: a_print.c,v 1.12 2023/03/12 11:49:02 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -72,7 +72,7 @@ ASN1_PRINTABLE_type(const unsigned char *s, int len) if (s == NULL) return (V_ASN1_PRINTABLESTRING); - while ((*s) && (len-- != 0)) { + while (len-- > 0 && *s != '\0') { c= *(s++); if (!(((c >= 'a') && (c <= 'z')) || ((c >= 'A') && (c <= 'Z')) || diff --git a/crypto/asn1/a_pubkey.c b/crypto/asn1/a_pubkey.c index f3bb5d8..5f5df10 100644 --- a/crypto/asn1/a_pubkey.c +++ b/crypto/asn1/a_pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_pubkey.c,v 1.3 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: a_pubkey.c,v 1.4 2022/11/26 16:08:50 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -76,7 +76,7 @@ #include #endif -#include "evp_locl.h" +#include "evp_local.h" EVP_PKEY * d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c index 848d1bf..91aa8d2 100644 --- a/crypto/asn1/a_strex.c +++ b/crypto/asn1/a_strex.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: a_strex.c,v 1.31 2021/12/25 12:11:57 jsing Exp $ */ +/* $OpenBSD: a_strex.c,v 1.32 2022/11/26 16:08:50 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -63,7 +63,7 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" #include "charmap.h" diff --git a/crypto/asn1/a_string.c b/crypto/asn1/a_string.c index 90e363e..d0e917b 100644 --- a/crypto/asn1/a_string.c +++ b/crypto/asn1/a_string.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_string.c,v 1.7 2022/03/17 17:17:58 jsing Exp $ */ +/* $OpenBSD: a_string.c,v 1.13 2022/11/28 07:50:47 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,7 +63,7 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" ASN1_STRING * ASN1_STRING_new(void) @@ -95,7 +95,7 @@ ASN1_STRING_clear(ASN1_STRING *astr) astr->data = NULL; astr->length = 0; } - + void ASN1_STRING_free(ASN1_STRING *astr) { @@ -199,12 +199,6 @@ ASN1_STRING_set0(ASN1_STRING *astr, void *data, int len) astr->length = len; } -void -asn1_add_error(const unsigned char *address, int offset) -{ - ERR_asprintf_error_data("offset=%d", offset); -} - int ASN1_STRING_length(const ASN1_STRING *astr) { 
@@ -276,25 +270,39 @@ ASN1_STRING_print(BIO *bp, const ASN1_STRING *astr) int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in) { - ASN1_STRING stmp, *str = &stmp; - int mbflag, ret; + ASN1_STRING *astr = NULL; + int mbflag; + int ret = -1; + + /* + * XXX We can't fail on *out != NULL here since things like haproxy and + * grpc pass in a pointer to an uninitialized pointer on the stack. + */ + if (out == NULL) + goto err; if (in == NULL) - return -1; + goto err; if ((mbflag = asn1_tag2charwidth(in->type)) == -1) - return -1; + goto err; mbflag |= MBSTRING_FLAG; - stmp.data = NULL; - stmp.length = 0; - ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, - B_ASN1_UTF8STRING); - if (ret < 0) - return ret; - *out = stmp.data; - return stmp.length; + if ((ret = ASN1_mbstring_copy(&astr, in->data, in->length, mbflag, + B_ASN1_UTF8STRING)) < 0) + goto err; + + *out = astr->data; + ret = astr->length; + + astr->data = NULL; + astr->length = 0; + + err: + ASN1_STRING_free(astr); + + return ret; } int diff --git a/crypto/asn1/a_time.c b/crypto/asn1/a_time.c index cd6a790..fda06d4 100644 --- a/crypto/asn1/a_time.c +++ b/crypto/asn1/a_time.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_time.c,v 1.33 2021/12/25 07:48:09 jsing Exp $ */ +/* $OpenBSD: a_time.c,v 1.36 2022/11/26 16:08:50 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * @@ -67,8 +67,7 @@ #include #include -#include "o_time.h" -#include "asn1_locl.h" +#include "asn1_local.h" const ASN1_ITEM ASN1_TIME_it = { .itype = ASN1_ITYPE_MSTRING, @@ -92,8 +91,7 @@ ASN1_TIME_free(ASN1_TIME *a) ASN1_item_free((ASN1_VALUE *)a, &ASN1_TIME_it); } -/* Public API in OpenSSL. Kept internal for now. */ -static int +int ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm) { time_t now; 
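Review bot: ASN1_STRING_to_UTF8 dereferences `astr` immediately after `ASN1_mbstring_copy(&astr, ...)` returns a non-negative value; whether ASN1_mbstring_copy can succeed without allocating `*astr` is not visible here, so if that is possible an `if (astr == NULL) goto err;` before `*out = astr->data` is needed, and otherwise a comment stating the guarantee would be useful. The new XXX comment explains why a non-NULL `*out` is tolerated but not that, on success, ownership of `astr->data` is transferred to the caller (the code NULLs `astr->data` and frees the container); a line such as `/* On success *out is a buffer the caller owns and must free. */` would complete the contract.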
@@ -104,7 +102,7 @@ ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm) time(&now); memset(tm, 0, sizeof(*tm)); - return gmtime_r(&now, tm) != NULL; + return asn1_time_time_t_to_tm(&now, tm); } int diff --git a/crypto/asn1/a_time_posix.c b/crypto/asn1/a_time_posix.c new file mode 100644 index 0000000..9327aa8 --- /dev/null +++ b/crypto/asn1/a_time_posix.c 
@@ -0,0 +1,274 @@ +/* $OpenBSD: a_time_posix.c,v 1.3 2023/01/01 16:58:23 miod Exp $ */ +/* + * Copyright (c) 2022, Google Inc. + * Copyright (c) 2022, Bob Beck + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * Time conversion to/from POSIX time_t and struct tm, with no support + * for time zones other than UTC + */ + +#include +#include +#include +#include + +#define SECS_PER_HOUR (int64_t)(60 * 60) +#define SECS_PER_DAY (int64_t)(24 * SECS_PER_HOUR) + +/* + * Is a year/month/day combination valid, in the range from year 0000 + * to 9999? + */ +static int +is_valid_date(int year, int month, int day) +{ + int days_in_month; + if (day < 1 || month < 1 || year < 0 || year > 9999) + return 0; + switch (month) { + case 1: + case 3: + case 5: + case 7: + case 8: + case 10: + case 12: + days_in_month = 31; + break; + case 4: + case 6: + case 9: + case 11: + days_in_month = 30; + break; + case 2: + if ((year % 4 == 0 && year % 100 != 0) || year % 400 == 0) + days_in_month = 29; + else + days_in_month = 28; + break; + default: + return 0; + } + return day <= days_in_month; +} + +/* + * Is a time valid? Leap seconds of 60 are not considered valid, as + * the POSIX time in seconds does not include them. 
+ */ +static int +is_valid_time(int hours, int minutes, int seconds) +{ + return hours >= 0 && minutes >= 0 && seconds >= 0 && hours <= 23 && + minutes <= 59 && seconds <= 59; +} + +/* Is a int64 time representing a time within our expected range? */ +static int +is_valid_epoch_time(int64_t time) +{ + /* 0000-01-01 00:00:00 UTC to 9999-12-31 23:59:59 UTC */ + return (int64_t)-62167219200LL <= time && + time <= (int64_t)253402300799LL; +} + +/* + * Inspired by algorithms presented in + * https://howardhinnant.github.io/date_algorithms.html + * (Public Domain) + */ +static int +posix_time_from_utc(int year, int month, int day, int hours, int minutes, + int seconds, int64_t *out_time) +{ + int64_t era, year_of_era, day_of_year, day_of_era, posix_days; + + if (!is_valid_date(year, month, day) || + !is_valid_time(hours, minutes, seconds)) + return 0; + if (month <= 2) + year--; /* Start years on Mar 1, so leap days end a year. */ + + /* At this point year will be in the range -1 and 9999.*/ + era = (year >= 0 ? year : year - 399) / 400; + year_of_era = year - era * 400; + day_of_year = (153 * (month > 2 ? 
month - 3 : month + 9) + 2) / + 5 + day - 1; + day_of_era = year_of_era * 365 + year_of_era / 4 - year_of_era / + 100 + day_of_year; + posix_days = era * 146097 + day_of_era - 719468; + *out_time = posix_days * SECS_PER_DAY + hours * SECS_PER_HOUR + + minutes * 60 + seconds; + + return 1; +} + +/* + * Inspired by algorithms presented in + * https://howardhinnant.github.io/date_algorithms.html + * (Public Domain) + */ +static int +utc_from_posix_time(int64_t time, int *out_year, int *out_month, int *out_day, + int *out_hours, int *out_minutes, int *out_seconds) +{ + int64_t days, leftover_seconds, era, day_of_era, year_of_era, + day_of_year, month_of_year; + + if (!is_valid_epoch_time(time)) + return 0; + + days = time / SECS_PER_DAY; + leftover_seconds = time % SECS_PER_DAY; + if (leftover_seconds < 0) { + days--; + leftover_seconds += SECS_PER_DAY; + } + days += 719468; /* Shift to starting epoch of Mar 1 0000. */ + + /* At this point, days will be in the range -61 and 3652364. */ + era = (days > 0 ? days : days - 146096) / 146097; + day_of_era = days - era * 146097; + year_of_era = (day_of_era - day_of_era / 1460 + day_of_era / 36524 - + day_of_era / 146096) / + 365; + *out_year = year_of_era + era * 400; /* Year starts on Mar 1 */ + day_of_year = day_of_era - (365 * year_of_era + year_of_era / 4 - + year_of_era / 100); + month_of_year = (5 * day_of_year + 2) / 153; + *out_month = (month_of_year < 10 ? month_of_year + 3 : + month_of_year - 9); + if (*out_month <= 2) + (*out_year)++; /* Adjust year back to Jan 1 start of year. 
*/ + + *out_day = day_of_year - (153 * month_of_year + 2) / 5 + 1; + *out_hours = leftover_seconds / SECS_PER_HOUR; + leftover_seconds %= SECS_PER_HOUR; + *out_minutes = leftover_seconds / 60; + *out_seconds = leftover_seconds % 60; + + return 1; +} + +static int +asn1_time_tm_to_posix(const struct tm *tm, int64_t *out) +{ + /* Ensure additions below do not overflow */ + if (tm->tm_year > 9999) + return 0; + if (tm->tm_mon > 12) + return 0; + + return posix_time_from_utc(tm->tm_year + 1900, tm->tm_mon + 1, + tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec, out); +} + +static int +asn1_time_posix_to_tm(int64_t time, struct tm *out_tm) +{ + memset(out_tm, 0, sizeof(struct tm)); + if (!utc_from_posix_time(time, &out_tm->tm_year, &out_tm->tm_mon, + &out_tm->tm_mday, &out_tm->tm_hour, &out_tm->tm_min, + &out_tm->tm_sec)) + return 0; + + out_tm->tm_year -= 1900; + out_tm->tm_mon -= 1; + + return 1; +} + +int +asn1_time_tm_to_time_t(const struct tm *tm, time_t *out) +{ + int64_t posix_time; + + if (!asn1_time_tm_to_posix(tm, &posix_time)) + return 0; + +#ifdef SMALL_TIME_T + /* For portable. 
*/ + if (sizeof(time_t) == sizeof(int32_t) && + (posix_time > INT32_MAX || posix_time < INT32_MIN)) + return 0; +#endif + + *out = posix_time; + return 1; +} + +int +asn1_time_time_t_to_tm(const time_t *time, struct tm *out_tm) +{ + int64_t posix_time = *time; + + return asn1_time_posix_to_tm(posix_time, out_tm); +} + +int +OPENSSL_gmtime_adj(struct tm *tm, int off_day, long offset_sec) +{ + int64_t posix_time; + + /* Ensure additions below do not overflow */ + if (tm->tm_year > 9999) + return 0; + if (tm->tm_mon > 12) + return 0; + + if (!posix_time_from_utc(tm->tm_year + 1900, tm->tm_mon + 1, + tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec, &posix_time)) + return 0; + + if (!utc_from_posix_time(posix_time + off_day * SECS_PER_DAY + + offset_sec, &tm->tm_year, &tm->tm_mon, &tm->tm_mday, &tm->tm_hour, + &tm->tm_min, &tm->tm_sec)) + return 0; + + tm->tm_year -= 1900; + tm->tm_mon -= 1; + + return 1; +} + +int +OPENSSL_gmtime_diff(int *out_days, int *out_secs, const struct tm *from, + const struct tm *to) +{ + int64_t time_to, time_from, timediff, daydiff; + + if (!posix_time_from_utc(to->tm_year + 1900, to->tm_mon + 1, + to->tm_mday, to->tm_hour, to->tm_min, to->tm_sec, &time_to)) + return 0; + + if (!posix_time_from_utc(from->tm_year + 1900, from->tm_mon + 1, + from->tm_mday, from->tm_hour, from->tm_min, + from->tm_sec, &time_from)) + return 0; + + timediff = time_to - time_from; + daydiff = timediff / SECS_PER_DAY; + timediff %= SECS_PER_DAY; + if (daydiff > INT_MAX || daydiff < INT_MIN) + return 0; + + *out_secs = timediff; + *out_days = daydiff; + + return 1; +} diff --git a/crypto/asn1/a_time_tm.c b/crypto/asn1/a_time_tm.c index 5be2ff0..c8b0172 100644 --- a/crypto/asn1/a_time_tm.c +++ b/crypto/asn1/a_time_tm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_time_tm.c,v 1.19 2022/03/31 13:04:47 tb Exp $ */ +/* $OpenBSD: a_time_tm.c,v 1.27 2022/11/26 16:08:50 tb Exp $ */ /* * Copyright (c) 2015 Bob Beck * 
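Review bot: asn1_time_posix_to_tm zeroes the whole struct tm and then fills only tm_year through tm_sec, so tm_wday and tm_yday always come back as 0 rather than the real weekday and day-of-year; asn1_time_time_t_to_tm and OPENSSL_gmtime_adj inherit that, and a caller that previously used gmtime_r would not expect it. Suggested comment above asn1_time_posix_to_tm: `/* Sets tm_year..tm_sec only; tm_wday, tm_yday and tm_isdst are left zero. */`. The days-in-month switch in is_valid_date is the same logic as is_valid_day in the a_time_tm.c hunk below, and one shared helper exported through asn1_local.h would keep the two from drifting apart. The SMALL_TIME_T range check in asn1_time_tm_to_time_t is compile-time conditional, so on a 32-bit time_t build without that define the `*out = posix_time` store silently narrows the value; a comment saying the define is required on such targets would help.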
@@ -14,6 +14,7 @@ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + #include #include #include @@ -23,7 +24,8 @@ #include #include -#include "o_time.h" +#include "bytestring.h" +#include "asn1_local.h" #define RFC5280 0 #define GENTIME_LENGTH 15 @@ -66,7 +68,7 @@ ASN1_time_tm_clamp_notafter(struct tm *tm) struct tm broken_os_epoch_tm; time_t broken_os_epoch_time = INT_MAX; - if (gmtime_r(&broken_os_epoch_time, &broken_os_epoch_tm) == NULL) + if (!asn1_time_time_t_to_tm(&broken_os_epoch_time, &broken_os_epoch_tm)) return 0; if (ASN1_time_tm_cmp(tm, &broken_os_epoch_tm) == 1) 
@@ -75,59 +77,232 @@ ASN1_time_tm_clamp_notafter(struct tm *tm) return 1; } -/* Format a time as an RFC 5280 format Generalized time */ -char * -gentime_string_from_tm(struct tm *tm) +/* Convert time to GeneralizedTime, X.690, 11.7. */ +ASN1_TIME * +tm_to_gentime(struct tm *tm, ASN1_TIME *atime) { - char *ret = NULL; + char *time_str = NULL; int year; year = tm->tm_year + 1900; - if (year < 0 || year > 9999) - return (NULL); + if (year < 0 || year > 9999) { + ASN1error(ASN1_R_ILLEGAL_TIME_VALUE); + goto err; + } - if (asprintf(&ret, "%04u%02u%02u%02u%02u%02uZ", year, + if (asprintf(&time_str, "%04u%02u%02u%02u%02u%02uZ", year, tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, tm->tm_min, - tm->tm_sec) == -1) - ret = NULL; + tm->tm_sec) == -1) { + time_str = NULL; + ASN1error(ERR_R_MALLOC_FAILURE); + goto err; + } - return (ret); + if (atime == NULL) + atime = ASN1_TIME_new(); + if (atime == NULL) { + ASN1error(ERR_R_MALLOC_FAILURE); + goto err; + } + + free(atime->data); + atime->data = time_str; + atime->length = GENTIME_LENGTH; + atime->type = V_ASN1_GENERALIZEDTIME; + + return (atime); + + err: + free(time_str); + + return (NULL); } -/* Format a time as an RFC 5280 format UTC time */ -char * -utctime_string_from_tm(struct tm *tm) +/* Convert time to UTCTime, X.690, 11.8. 
*/ +ASN1_TIME * +tm_to_utctime(struct tm *tm, ASN1_TIME *atime) { - char *ret = NULL; + char *time_str = NULL; - if (tm->tm_year >= 150 || tm->tm_year < 50) - return (NULL); + if (tm->tm_year >= 150 || tm->tm_year < 50) { + ASN1error(ASN1_R_ILLEGAL_TIME_VALUE); + goto err; + } - if (asprintf(&ret, "%02u%02u%02u%02u%02u%02uZ", + if (asprintf(&time_str, "%02u%02u%02u%02u%02u%02uZ", tm->tm_year % 100, tm->tm_mon + 1, tm->tm_mday, - tm->tm_hour, tm->tm_min, tm->tm_sec) == -1) - ret = NULL; + tm->tm_hour, tm->tm_min, tm->tm_sec) == -1) { + time_str = NULL; + ASN1error(ERR_R_MALLOC_FAILURE); + goto err; + } - return (ret); + if (atime == NULL) + atime = ASN1_TIME_new(); + if (atime == NULL) { + ASN1error(ERR_R_MALLOC_FAILURE); + goto err; + } + + free(atime->data); + atime->data = time_str; + atime->length = UTCTIME_LENGTH; + atime->type = V_ASN1_UTCTIME; + + return (atime); + + err: + free(time_str); + + return (NULL); } -/* Format a time correctly for an X509 object as per RFC 5280 */ -char * -rfc5280_string_from_tm(struct tm *tm) +ASN1_TIME * +tm_to_rfc5280_time(struct tm *tm, ASN1_TIME *atime) { - char *ret = NULL; int year; year = tm->tm_year + 1900; - if (year < 1950 || year > 9999) + if (year < 1950 || year > 9999) { + ASN1error(ASN1_R_ILLEGAL_TIME_VALUE); return (NULL); + } if (year < 2050) - ret = utctime_string_from_tm(tm); - else - ret = gentime_string_from_tm(tm); + return (tm_to_utctime(tm, atime)); - return (ret); + return (tm_to_gentime(tm, atime)); +} + + +static int +cbs_get_two_digit_value(CBS *cbs, int *out) +{ + uint8_t first_digit, second_digit; + + if (!CBS_get_u8(cbs, &first_digit)) + return 0; + if (!isdigit(first_digit)) + return 0; + if (!CBS_get_u8(cbs, &second_digit)) + return 0; + if (!isdigit(second_digit)) + return 0; + + *out = (first_digit - '0') * 10 + (second_digit - '0'); + + return 1; +} + +static int +is_valid_day(int year, int month, int day) +{ + if (day < 1) + return 0; + switch (month) { + case 1: + case 3: + case 5: + case 7: + 
case 8: + case 10: + case 12: + return day <= 31; + case 4: + case 6: + case 9: + case 11: + return day <= 30; + case 2: + if ((year % 4 == 0 && year % 100 != 0) || year % 400 == 0) + return day <= 29; + else + return day <= 28; + default: + return 0; + } +} + +/* + * asn1_time_parse_cbs returns one if |cbs| is a valid DER-encoded, ASN.1 Time + * body within the limitations imposed by RFC 5280, or zero otherwise. The time + * is expected to parse as a Generalized Time if is_gentime is true, and as a + * UTC Time otherwise. If |out_tm| is non-NULL, |*out_tm| will be zeroed, and + * then set to the corresponding time in UTC. This function does not compute + * |out_tm->tm_wday| or |out_tm->tm_yday|. |cbs| is not consumed. + */ +int +asn1_time_parse_cbs(const CBS *cbs, int is_gentime, struct tm *out_tm) +{ + int year, month, day, hour, min, sec, val; + CBS copy; + uint8_t tz; + + CBS_dup(cbs, ©); + + if (is_gentime) { + if (!cbs_get_two_digit_value(©, &val)) + return 0; + year = val * 100; + if (!cbs_get_two_digit_value(©, &val)) + return 0; + year += val; + } else { + year = 1900; + if (!cbs_get_two_digit_value(©, &val)) + return 0; + year += val; + if (year < 1950) + year += 100; + if (year >= 2050) + return 0; /* A Generalized time must be used. */ + } + + if (!cbs_get_two_digit_value(©, &month)) + return 0; + if (month < 1 || month > 12) + return 0; /* Reject invalid months. */ + + if (!cbs_get_two_digit_value(©, &day)) + return 0; + if (!is_valid_day(year, month, day)) + return 0; /* Reject invalid days. */ + + if (!cbs_get_two_digit_value(©, &hour)) + return 0; + if (hour > 23) + return 0; /* Reject invalid hours. */ + + if (!cbs_get_two_digit_value(©, &min)) + return 0; + if (min > 59) + return 0; /* Reject invalid minutes. */ + + if (!cbs_get_two_digit_value(©, &sec)) + return 0; + if (sec > 59) + return 0; /* Reject invalid seconds. Leap seconds are invalid. 
*/ + + if (!CBS_get_u8(©, &tz)) + return 0; + if (tz != 'Z') + return 0; /* Reject anything but Z on the end. */ + + if (CBS_len(©) != 0) + return 0; /* Reject invalid lengths. */ + + if (out_tm != NULL) { + memset(out_tm, 0, sizeof(*out_tm)); + /* Fill in the tm fields corresponding to what we validated. */ + out_tm->tm_year = year - 1900; + out_tm->tm_mon = month - 1; + out_tm->tm_mday = day; + out_tm->tm_hour = hour; + out_tm->tm_min = min; + out_tm->tm_sec = sec; + } + + return 1; } /* 
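Review bot: tm_to_gentime and tm_to_utctime store the constants GENTIME_LENGTH and UTCTIME_LENGTH into `atime->length` rather than the length asprintf actually produced, whereas the ASN1_TIME_adj_internal code removed further down checked `strlen(p)` against those constants and rejected anything else. Both functions validate only the year, so a struct tm with an out-of-range tm_mon, tm_mday, tm_hour, tm_min or tm_sec (or a negative field, which `%u` prints as a large unsigned value) produces a longer string and an ASN1_TIME whose length no longer matches its data. Checking the asprintf result restores the guard in one line per function: `if (asprintf(&time_str, "%04u%02u%02u%02u%02u%02uZ", year, ..., tm->tm_sec) != GENTIME_LENGTH) {` and the analogous `!= UTCTIME_LENGTH` test in tm_to_utctime, which also covers the existing `== -1` case. is_valid_day in this hunk duplicates is_valid_date in the new a_time_posix.c; a single shared helper would be preferable.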
@@ -145,83 +320,29 @@ rfc5280_string_from_tm(struct tm *tm) * * Fills in *tm with the corresponding time if tm is non NULL. */ -#define ATOI2(ar) ((ar) += 2, ((ar)[-2] - '0') * 10 + ((ar)[-1] - '0')) int ASN1_time_parse(const char *bytes, size_t len, struct tm *tm, int mode) { - size_t i; + struct tm tml, *tmp = tm ? tm : &tml; int type = 0; - struct tm ltm; - struct tm *lt; - const char *p; + CBS cbs; if (bytes == NULL) return (-1); - /* Constrain to valid lengths. */ - if (len != UTCTIME_LENGTH && len != GENTIME_LENGTH) - return (-1); + CBS_init(&cbs, bytes, len); - lt = tm; - if (lt == NULL) - lt = <m; - memset(lt, 0, sizeof(*lt)); - - /* Timezone is required and must be GMT (Zulu). */ - if (bytes[len - 1] != 'Z') - return (-1); - - /* Make sure everything else is digits. */ - for (i = 0; i < len - 1; i++) { - if (isdigit((unsigned char)bytes[i])) - continue; - return (-1); - } - - /* - * Validate and convert the time - */ - p = bytes; - switch (len) { - case GENTIME_LENGTH: - if (mode == V_ASN1_UTCTIME) - return (-1); - lt->tm_year = (ATOI2(p) * 100) - 1900; /* cc */ + if (CBS_len(&cbs) == UTCTIME_LENGTH) + type = V_ASN1_UTCTIME; + if (CBS_len(&cbs) == GENTIME_LENGTH) type = V_ASN1_GENERALIZEDTIME; - /* FALLTHROUGH */ - case UTCTIME_LENGTH: - if (type == 0) { - if (mode == V_ASN1_GENERALIZEDTIME) - return (-1); - type = V_ASN1_UTCTIME; - } - lt->tm_year += ATOI2(p); /* yy */ - if (type == V_ASN1_UTCTIME) { - if (lt->tm_year < 50) - lt->tm_year += 100; - } - lt->tm_mon = ATOI2(p) - 1; /* mm */ - if (lt->tm_mon < 0 || lt->tm_mon > 11) - return (-1); - lt->tm_mday = ATOI2(p); /* dd */ - if (lt->tm_mday < 1 || lt->tm_mday > 31) - return (-1); - lt->tm_hour = ATOI2(p); /* HH */ - if (lt->tm_hour < 0 || lt->tm_hour > 23) - return (-1); - lt->tm_min = ATOI2(p); /* MM */ - if (lt->tm_min < 0 || lt->tm_min > 59) - return (-1); - lt->tm_sec = ATOI2(p); /* SS */ - /* Leap second 60 is not accepted. Reconsider later? 
*/ - if (lt->tm_sec < 0 || lt->tm_sec > 59) - return (-1); - break; - default: - return (-1); + if (asn1_time_parse_cbs(&cbs, type == V_ASN1_GENERALIZEDTIME, tmp)) { + if (mode != 0 && mode != type) + return -1; + return type; } - return (type); + return -1; } /* @@ -256,63 +377,26 @@ static ASN1_TIME * ASN1_TIME_adj_internal(ASN1_TIME *s, time_t t, int offset_day, long offset_sec, int mode) { - int allocated = 0; struct tm tm; - size_t len; - char *p; - if (gmtime_r(&t, &tm) == NULL) + if (!asn1_time_time_t_to_tm(&t, &tm)) return (NULL); - if (offset_day || offset_sec) { + if (offset_day != 0 || offset_sec != 0) { if (!OPENSSL_gmtime_adj(&tm, offset_day, offset_sec)) return (NULL); } switch (mode) { case V_ASN1_UTCTIME: - p = utctime_string_from_tm(&tm); - break; + return (tm_to_utctime(&tm, s)); case V_ASN1_GENERALIZEDTIME: - p = gentime_string_from_tm(&tm); - break; + return (tm_to_gentime(&tm, s)); case RFC5280: - p = rfc5280_string_from_tm(&tm); - break; + return (tm_to_rfc5280_time(&tm, s)); default: return (NULL); } - if (p == NULL) { - ASN1error(ASN1_R_ILLEGAL_TIME_VALUE); - return (NULL); - } - - if (s == NULL) { - if ((s = ASN1_TIME_new()) == NULL) { - free(p); - return (NULL); - } - allocated = 1; - } - - len = strlen(p); - switch (len) { - case GENTIME_LENGTH: - s->type = V_ASN1_GENERALIZEDTIME; - break; - case UTCTIME_LENGTH: - s->type = V_ASN1_UTCTIME; - break; - default: - if (allocated) - ASN1_TIME_free(s); - free(p); - return (NULL); - } - free(s->data); - s->data = p; - s->length = len; - return (s); } ASN1_TIME * @@ -326,7 +410,7 @@ ASN1_TIME_set_tm(ASN1_TIME *s, struct tm *tm) { time_t t; - if ((t = timegm(tm)) == -1) + if (!asn1_time_tm_to_time_t(tm, &t)) return NULL; return (ASN1_TIME_adj(s, t, 0, 0)); } 
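Review bot: In ASN1_time_parse, when `len` is neither UTCTIME_LENGTH nor GENTIME_LENGTH `type` stays 0 and the bytes are still handed to asn1_time_parse_cbs as a UTCTime, relying on its trailing `CBS_len(&copy) != 0` check to fail; an explicit `if (type == 0) return -1;` after the two length tests would make the rejection local and easier to audit. The removed code also zeroed `*tm` before parsing, while asn1_time_parse_cbs writes `*out_tm` only on success, so on a -1 return the caller's struct tm is now left unchanged rather than zeroed — harmless for the callers in this diff, which bail out on -1, but a visible contract change worth a line in the "Fills in *tm" comment above the hunk. In ASN1_TIME_adj_internal the asn1_time_time_t_to_tm and OPENSSL_gmtime_adj failures return NULL without pushing an error while the tm_to_* conversions now do; pushing ASN1_R_ILLEGAL_TIME_VALUE there would keep the error queue consistent.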
@@ -348,31 +432,23 @@ ASN1_TIME_check(const ASN1_TIME *t) ASN1_GENERALIZEDTIME * ASN1_TIME_to_generalizedtime(const ASN1_TIME *t, ASN1_GENERALIZEDTIME **out) { - ASN1_GENERALIZEDTIME *tmp = NULL; + ASN1_GENERALIZEDTIME *agt = NULL; struct tm tm; - char *str; if (t->type != V_ASN1_GENERALIZEDTIME && t->type != V_ASN1_UTCTIME) return (NULL); if (t->type != ASN1_time_parse(t->data, t->length, &tm, t->type)) return (NULL); - if ((str = gentime_string_from_tm(&tm)) == NULL) - return (NULL); if (out != NULL) - tmp = *out; - if (tmp == NULL && (tmp = ASN1_GENERALIZEDTIME_new()) == NULL) { - free(str); + agt = *out; + if ((agt = tm_to_gentime(&tm, agt)) == NULL) return (NULL); - } if (out != NULL) - *out = tmp; + *out = agt; - free(tmp->data); - tmp->data = str; - tmp->length = strlen(str); - return (tmp); + return (agt); } int 
@@ -381,6 +457,61 @@ ASN1_TIME_set_string(ASN1_TIME *s, const char *str)
 return (ASN1_TIME_set_string_internal(s, str, 0));
 }
 
+static int
+ASN1_TIME_cmp_time_t_internal(const ASN1_TIME *s, time_t t2, int mode)
+{
+ struct tm tm1, tm2;
+
+ /*
+ * This function has never handled failure conditions properly
+ * The OpenSSL version used to simply follow NULL pointers on failure.
+ * BoringSSL and OpenSSL now make it return -2 on failure.
+ *
+ * The danger is that users of this function will not differentiate the
+ * -2 failure case from s < t2. Callers must be careful. Sadly this is
+ * one of those pervasive things from OpenSSL we must continue with.
+ */
+
+ if (ASN1_time_parse(s->data, s->length, &tm1, mode) == -1)
+ return -2;
+
+ if (!asn1_time_time_t_to_tm(&t2, &tm2))
+ return -2;
+
+ return ASN1_time_tm_cmp(&tm1, &tm2);
+}
+
+int
+ASN1_TIME_compare(const ASN1_TIME *t1, const ASN1_TIME *t2)
+{
+ struct tm tm1, tm2;
+
+ if (t1->type != V_ASN1_UTCTIME && t1->type != V_ASN1_GENERALIZEDTIME)
+ return -2;
+
+ if (t2->type != V_ASN1_UTCTIME && t2->type != V_ASN1_GENERALIZEDTIME)
+ return -2;
+
+ if (ASN1_time_parse(t1->data, t1->length, &tm1, t1->type) == -1)
+ return -2;
+
+ if (ASN1_time_parse(t1->data, t2->length, &tm2, t2->type) == -1)
+ return -2;
+
+ return ASN1_time_tm_cmp(&tm1, &tm2);
+}
+
+int
+ASN1_TIME_cmp_time_t(const ASN1_TIME *s, time_t t)
+{
+ if (s->type == V_ASN1_UTCTIME)
+ return ASN1_TIME_cmp_time_t_internal(s, t, V_ASN1_UTCTIME);
+ if (s->type == V_ASN1_GENERALIZEDTIME)
+ return ASN1_TIME_cmp_time_t_internal(s, t,
+ V_ASN1_GENERALIZEDTIME);
+ return -2;
+}
+
 /*
 * ASN1_UTCTIME wrappers
 */
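Review bot: ASN1_TIME_compare parses the second time from the wrong object: `if (ASN1_time_parse(t1->data, t2->length, &tm2, t2->type) == -1)` reads t1's bytes with t2's length and type, so whenever both inputs share an encoding the function compares t1 against itself and returns 0 for any pair of times, and when they differ it parses t1's bytes under the wrong rules. Any ordering or validity-window decision built on this result is wrong; the fix is `if (ASN1_time_parse(t2->data, t2->length, &tm2, t2->type) == -1)`. A regression test comparing two distinct same-type times would catch this.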
@@ -415,26 +546,11 @@ ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t, int offset_day, long offset_sec) } int -ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t2) +ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t) { - struct tm tm1, tm2; - - /* - * This function has never handled failure conditions properly - * and should be deprecated. The OpenSSL version used to - * simply follow NULL pointers on failure. BoringSSL and - * OpenSSL now make it return -2 on failure. - * - * The danger is that users of this function will not - * differentiate the -2 failure case from t1 < t2. - */ - if (ASN1_time_parse(s->data, s->length, &tm1, V_ASN1_UTCTIME) == -1) - return (-2); /* XXX */ - - if (gmtime_r(&t2, &tm2) == NULL) - return (-2); /* XXX */ - - return ASN1_time_tm_cmp(&tm1, &tm2); + if (s->type == V_ASN1_UTCTIME) + return ASN1_TIME_cmp_time_t_internal(s, t, V_ASN1_UTCTIME); + return -2; } /* @@ -470,3 +586,19 @@ ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s, time_t t, int offset_day, return (ASN1_TIME_adj_internal(s, t, offset_day, offset_sec, V_ASN1_GENERALIZEDTIME)); } + +int +ASN1_TIME_normalize(ASN1_TIME *t) +{ + struct tm tm; + + if (!ASN1_TIME_to_tm(t, &tm)) + return 0; + return tm_to_rfc5280_time(&tm, t) != NULL; +} + +int +ASN1_TIME_set_string_X509(ASN1_TIME *s, const char *str) +{ + return ASN1_TIME_set_string_internal(s, str, RFC5280); +} diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c index 61609c3..a382cd7 100644 --- a/crypto/asn1/a_type.c +++ b/crypto/asn1/a_type.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_type.c,v 1.23 2021/12/25 12:19:16 jsing Exp $ */ +/* $OpenBSD: a_type.c,v 1.25 2023/03/11 14:05:02 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
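Review bot: ASN1_TIME_normalize passes `t` straight through to tm_to_rfc5280_time, which (per the a_time_tm.c hunk above) allocates a fresh ASN1_TIME when its `atime` argument is NULL; if ASN1_TIME_to_tm accepts a NULL `t` (its NULL branch is not in this diff), a NULL argument makes the function return 1 and leak the allocated object. A guard at the top, `if (t == NULL) return 0;`, closes that path either way. It is also worth a comment that on conversion failure tm_to_utctime/tm_to_gentime leave `t` unmodified, since that is the property a normalize-in-place API should promise.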
@@ -104,10 +104,14 @@ ASN1_TYPE_free(ASN1_TYPE *a)
 int
 ASN1_TYPE_get(const ASN1_TYPE *a)
 {
- if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL))
- return (a->type);
- else
- return (0);
+ /* Special non-pointer types. */
+ if (a->type == V_ASN1_BOOLEAN || a->type == V_ASN1_NULL)
+ return a->type;
+
+ if (a->value.ptr != NULL)
+ return a->type;
+
+ return 0;
 }
 
 void
diff --git a/crypto/asn1/a_utf8.c b/crypto/asn1/a_utf8.c
index 113a3a2..51ab1bd 100644
--- a/crypto/asn1/a_utf8.c
+++ b/crypto/asn1/a_utf8.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_utf8.c,v 1.8 2014/07/11 08:44:47 jsing Exp $ */
+/* $OpenBSD: a_utf8.c,v 1.9 2022/11/26 16:08:50 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -60,7 +60,7 @@
 #include
-#include "asn1_locl.h"
+#include "asn1_local.h"
 /* UTF8 utilities */
diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c
index 8ff5a35..e9f9927 100644
--- a/crypto/asn1/ameth_lib.c
+++ b/crypto/asn1/ameth_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ameth_lib.c,v 1.25 2022/01/10 12:10:26 tb Exp $ */
+/* $OpenBSD: ameth_lib.c,v 1.30 2022/11/26 16:08:50 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -68,140 +68,106 @@ #include #endif -#include "asn1_locl.h" -#include "evp_locl.h" +#include "asn1_local.h" +#include "evp_local.h" +extern const EVP_PKEY_ASN1_METHOD cmac_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[]; +extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD gostimit_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD gostr01_asn1_meths[]; +extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth; extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[]; extern const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth; -extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[]; -extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth; -extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth; -extern const EVP_PKEY_ASN1_METHOD gostr01_asn1_meths[]; -extern const EVP_PKEY_ASN1_METHOD gostimit_asn1_meth; -extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth; -extern const EVP_PKEY_ASN1_METHOD cmac_asn1_meth; +extern const EVP_PKEY_ASN1_METHOD x25519_asn1_meth; -/* Keep this sorted in type order !! 
*/ -static const EVP_PKEY_ASN1_METHOD *standard_methods[] = { -#ifndef OPENSSL_NO_RSA - &rsa_asn1_meths[0], - &rsa_asn1_meths[1], -#endif -#ifndef OPENSSL_NO_DH +static const EVP_PKEY_ASN1_METHOD *asn1_methods[] = { + &cmac_asn1_meth, &dh_asn1_meth, -#endif -#ifndef OPENSSL_NO_DSA &dsa_asn1_meths[0], &dsa_asn1_meths[1], &dsa_asn1_meths[2], &dsa_asn1_meths[3], &dsa_asn1_meths[4], -#endif -#ifndef OPENSSL_NO_EC &eckey_asn1_meth, -#endif -#ifndef OPENSSL_NO_GOST - &gostr01_asn1_meths[0], + &ed25519_asn1_meth, &gostimit_asn1_meth, -#endif - &hmac_asn1_meth, - &cmac_asn1_meth, -#ifndef OPENSSL_NO_RSA - &rsa_pss_asn1_meth, -#endif -#ifndef OPENSSL_NO_GOST + &gostr01_asn1_meths[0], &gostr01_asn1_meths[1], &gostr01_asn1_meths[2], -#endif + &hmac_asn1_meth, + &rsa_asn1_meths[0], + &rsa_asn1_meths[1], + &rsa_pss_asn1_meth, + &x25519_asn1_meth, }; -typedef int sk_cmp_fn_type(const char * const *a, const char * const *b); +static const size_t asn1_methods_count = + sizeof(asn1_methods) / sizeof(asn1_methods[0]); + DECLARE_STACK_OF(EVP_PKEY_ASN1_METHOD) -static STACK_OF(EVP_PKEY_ASN1_METHOD) *app_methods = NULL; - -static int ameth_cmp_BSEARCH_CMP_FN(const void *, const void *); -static int ameth_cmp(const EVP_PKEY_ASN1_METHOD * const *, const EVP_PKEY_ASN1_METHOD * const *); -static const EVP_PKEY_ASN1_METHOD * *OBJ_bsearch_ameth(const EVP_PKEY_ASN1_METHOD * *key, const EVP_PKEY_ASN1_METHOD * const *base, int num); - -static int -ameth_cmp(const EVP_PKEY_ASN1_METHOD * const *a, - const EVP_PKEY_ASN1_METHOD * const *b) -{ - return ((*a)->pkey_id - (*b)->pkey_id); -} - - -static int -ameth_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_) -{ - const EVP_PKEY_ASN1_METHOD * const *a = a_; - const EVP_PKEY_ASN1_METHOD * const *b = b_; - return ameth_cmp(a, b); -} - -static const EVP_PKEY_ASN1_METHOD * * -OBJ_bsearch_ameth(const EVP_PKEY_ASN1_METHOD * *key, const EVP_PKEY_ASN1_METHOD * const *base, int num) -{ - return (const EVP_PKEY_ASN1_METHOD * *)OBJ_bsearch_(key, base, num, 
sizeof(const EVP_PKEY_ASN1_METHOD *), - ameth_cmp_BSEARCH_CMP_FN); -} +static STACK_OF(EVP_PKEY_ASN1_METHOD) *asn1_app_methods = NULL; int EVP_PKEY_asn1_get_count(void) { - int num = sizeof(standard_methods) / sizeof(EVP_PKEY_ASN1_METHOD *); - if (app_methods) - num += sk_EVP_PKEY_ASN1_METHOD_num(app_methods); + int num = asn1_methods_count; + + if (asn1_app_methods != NULL) + num += sk_EVP_PKEY_ASN1_METHOD_num(asn1_app_methods); + return num; } const EVP_PKEY_ASN1_METHOD * EVP_PKEY_asn1_get0(int idx) { - int num = sizeof(standard_methods) / sizeof(EVP_PKEY_ASN1_METHOD *); + int num = asn1_methods_count; + if (idx < 0) return NULL; if (idx < num) - return standard_methods[idx]; + return asn1_methods[idx]; + idx -= num; - return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx); + + return sk_EVP_PKEY_ASN1_METHOD_value(asn1_app_methods, idx); } static const EVP_PKEY_ASN1_METHOD * -pkey_asn1_find(int type) +pkey_asn1_find(int pkey_id) { - EVP_PKEY_ASN1_METHOD tmp; - const EVP_PKEY_ASN1_METHOD *t = &tmp, **ret; - tmp.pkey_id = type; - if (app_methods) { - int idx; - idx = sk_EVP_PKEY_ASN1_METHOD_find(app_methods, &tmp); - if (idx >= 0) - return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx); + const EVP_PKEY_ASN1_METHOD *ameth; + int i; + + for (i = EVP_PKEY_asn1_get_count() - 1; i >= 0; i--) { + ameth = EVP_PKEY_asn1_get0(i); + if (ameth->pkey_id == pkey_id) + return ameth; } - ret = OBJ_bsearch_ameth(&t, standard_methods, - sizeof(standard_methods) / sizeof(EVP_PKEY_ASN1_METHOD *)); - if (!ret || !*ret) - return NULL; - return *ret; + + return NULL; } -/* Find an implementation of an ASN1 algorithm. If 'pe' is not NULL +/* + * Find an implementation of an ASN1 algorithm. If 'pe' is not NULL * also search through engines and set *pe to a functional reference * to the engine implementing 'type' or NULL if no engine implements * it. 
*/ - const EVP_PKEY_ASN1_METHOD * EVP_PKEY_asn1_find(ENGINE **pe, int type) { - const EVP_PKEY_ASN1_METHOD *t; + const EVP_PKEY_ASN1_METHOD *mp; for (;;) { - t = pkey_asn1_find(type); - if (!t || !(t->pkey_flags & ASN1_PKEY_ALIAS)) + if ((mp = pkey_asn1_find(type)) == NULL) break; - type = t->pkey_base_id; + if ((mp->pkey_flags & ASN1_PKEY_ALIAS) == 0) + break; + type = mp->pkey_base_id; } if (pe) { #ifndef OPENSSL_NO_ENGINE @@ -215,14 +181,15 @@ EVP_PKEY_asn1_find(ENGINE **pe, int type) #endif *pe = NULL; } - return t; + return mp; } const EVP_PKEY_ASN1_METHOD * EVP_PKEY_asn1_find_str(ENGINE **pe, const char *str, int len) { - int i; const EVP_PKEY_ASN1_METHOD *ameth; + int i; + if (len == -1) len = strlen(str); if (pe) { @@ -242,7 +209,7 @@ EVP_PKEY_asn1_find_str(ENGINE **pe, const char *str, int len) #endif *pe = NULL; } - for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) { + for (i = EVP_PKEY_asn1_get_count() - 1; i >= 0; i--) { ameth = EVP_PKEY_asn1_get0(i); if (ameth->pkey_flags & ASN1_PKEY_ALIAS) continue; @@ -256,14 +223,15 @@ EVP_PKEY_asn1_find_str(ENGINE **pe, const char *str, int len) int EVP_PKEY_asn1_add0(const EVP_PKEY_ASN1_METHOD *ameth) { - if (app_methods == NULL) { - app_methods = sk_EVP_PKEY_ASN1_METHOD_new(ameth_cmp); - if (!app_methods) + if (asn1_app_methods == NULL) { + asn1_app_methods = sk_EVP_PKEY_ASN1_METHOD_new(NULL); + if (asn1_app_methods == NULL) return 0; } - if (!sk_EVP_PKEY_ASN1_METHOD_push(app_methods, ameth)) + + if (!sk_EVP_PKEY_ASN1_METHOD_push(asn1_app_methods, ameth)) return 0; - sk_EVP_PKEY_ASN1_METHOD_sort(app_methods); + return 1; } @@ -273,8 +241,9 @@ EVP_PKEY_asn1_add_alias(int to, int from) EVP_PKEY_ASN1_METHOD *ameth; ameth = EVP_PKEY_asn1_new(from, ASN1_PKEY_ALIAS, NULL, NULL); - if (!ameth) + if (ameth == NULL) return 0; + ameth->pkey_base_id = to; if (!EVP_PKEY_asn1_add0(ameth)) { EVP_PKEY_asn1_free(ameth); 
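Review bot: pkey_asn1_find and EVP_PKEY_asn1_find_str now walk the combined list from the highest index down, which means methods registered with EVP_PKEY_asn1_add0 shadow the built-in table and the most recently added one wins for a duplicated pkey_id; nothing in the hunk records that this is intentional, and since EVP_PKEY_asn1_add0 no longer sorts, insertion order has become semantically significant. Suggested comment above pkey_asn1_find: `/* Search app-registered methods (most recent first), then the built-in table, so a later registration overrides an earlier one. */`. A one-line note replacing the removed "Keep this sorted in type order" comment, saying the table order is now free because lookup is linear, would stop the next editor from re-sorting it. `int num = asn1_methods_count;` narrows a size_t to int in EVP_PKEY_asn1_get_count and EVP_PKEY_asn1_get0; an explicit `(int)` cast or an int-typed count makes the intent clear.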
@@ -430,6 +399,13 @@ EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth, ameth->pkey_ctrl = pkey_ctrl; } +void +EVP_PKEY_asn1_set_security_bits(EVP_PKEY_ASN1_METHOD *ameth, + int (*pkey_security_bits)(const EVP_PKEY *pkey)) +{ + ameth->pkey_security_bits = pkey_security_bits; +} + void EVP_PKEY_asn1_set_check(EVP_PKEY_ASN1_METHOD *ameth, int (*pkey_check)(const EVP_PKEY *pk)) diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index e2c56de..f67fa71 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_err.c,v 1.22 2020/12/08 15:06:42 tb Exp $ */ +/* $OpenBSD: asn1_err.c,v 1.25 2022/08/29 06:48:58 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_ASN1,func,0) @@ -118,6 +112,7 @@ static ERR_STRING_DATA ASN1_str_reasons[] = { {ERR_REASON(ASN1_R_ILLEGAL_HEX) , "illegal hex"}, {ERR_REASON(ASN1_R_ILLEGAL_IMPLICIT_TAG) , "illegal implicit tag"}, {ERR_REASON(ASN1_R_ILLEGAL_INTEGER) , "illegal integer"}, + {ERR_REASON(ASN1_R_ILLEGAL_NEGATIVE_VALUE), "illegal negative value"}, {ERR_REASON(ASN1_R_ILLEGAL_NESTED_TAGGING), "illegal nested tagging"}, {ERR_REASON(ASN1_R_ILLEGAL_NULL) , "illegal null"}, {ERR_REASON(ASN1_R_ILLEGAL_NULL_VALUE) , "illegal null value"}, 
@@ -177,8 +172,11 @@ static ERR_STRING_DATA ASN1_str_reasons[] = { {ERR_REASON(ASN1_R_TAG_VALUE_TOO_HIGH) , "tag value too high"}, {ERR_REASON(ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD), "the asn1 object identifier is not known for this md"}, {ERR_REASON(ASN1_R_TIME_NOT_ASCII_FORMAT), "time not ascii format"}, + {ERR_REASON(ASN1_R_TOO_LARGE) , "too large"}, {ERR_REASON(ASN1_R_TOO_LONG) , "too long"}, + {ERR_REASON(ASN1_R_TOO_SMALL) , "too small"}, {ERR_REASON(ASN1_R_TYPE_NOT_CONSTRUCTED) , "type not constructed"}, + {ERR_REASON(ASN1_R_TYPE_NOT_PRIMITIVE) , "type not primitive"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_KEY), "unable to decode rsa key"}, {ERR_REASON(ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY), "unable to decode rsa private key"}, {ERR_REASON(ASN1_R_UNEXPECTED_EOC) , "unexpected eoc"}, @@ -195,12 +193,12 @@ static ERR_STRING_DATA ASN1_str_reasons[] = { {ERR_REASON(ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM), "unsupported encryption algorithm"}, {ERR_REASON(ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE), "unsupported public key type"}, {ERR_REASON(ASN1_R_UNSUPPORTED_TYPE) , "unsupported type"}, + {ERR_REASON(ASN1_R_WRONG_INTEGER_TYPE) , "wrong integer type"}, {ERR_REASON(ASN1_R_WRONG_PUBLIC_KEY_TYPE), "wrong public key type"}, {ERR_REASON(ASN1_R_WRONG_TAG) , "wrong tag"}, {ERR_REASON(ASN1_R_WRONG_TYPE) , "wrong type"}, {0, NULL} }; - #endif void diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c index d800b77..b64aa89 100644 --- a/crypto/asn1/asn1_gen.c +++ b/crypto/asn1/asn1_gen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_gen.c,v 1.18 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: asn1_gen.c,v 1.20 2022/11/26 16:08:50 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2002. */ @@ -62,6 +62,8 @@ #include #include +#include "asn1_local.h" + #define ASN1_GEN_FLAG 0x10000 #define ASN1_GEN_FLAG_IMP (ASN1_GEN_FLAG|1) #define ASN1_GEN_FLAG_EXP (ASN1_GEN_FLAG|2) 
@@ -754,10 +756,9 @@ asn1_str2type(const char *str, int format, int utype) } if ((utype == V_ASN1_BIT_STRING) && no_unused) { - atmp->value.asn1_string->flags &= - ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); - atmp->value.asn1_string->flags |= - ASN1_STRING_FLAG_BITS_LEFT; + if (!asn1_abs_set_unused_bits(atmp->value.asn1_string, + 0)) + goto bad_str; } break; diff --git a/crypto/asn1/asn1_item.c b/crypto/asn1/asn1_item.c index 108f272..9e7f308 100644 --- a/crypto/asn1/asn1_item.c +++ b/crypto/asn1/asn1_item.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_item.c,v 1.4 2022/01/14 08:38:05 tb Exp $ */ +/* $OpenBSD: asn1_item.c,v 1.6 2022/11/26 16:08:50 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -116,8 +116,8 @@ #include #include -#include "asn1_locl.h" -#include "evp_locl.h" +#include "asn1_local.h" +#include "evp_local.h" /* * ASN1_ITEM version of dup: this follows the model above except we don't need @@ -234,9 +234,11 @@ ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, const EVP_MD *type; EVP_PKEY *pkey; unsigned char *buf_in = NULL, *buf_out = NULL; - size_t inl = 0, outl = 0, outll = 0; + size_t buf_out_len = 0; + int in_len = 0, out_len = 0; int signid, paramtype; - int rv; + int rv = 2; + int ret = 0; type = EVP_MD_CTX_md(ctx); pkey = EVP_PKEY_CTX_get0_pkey(ctx->pctx); @@ -250,7 +252,7 @@ ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, rv = pkey->ameth->item_sign(ctx, it, asn, algor1, algor2, signature); if (rv == 1) - outl = signature->length; + out_len = signature->length; /* Return value meanings: * <=0: error. * 1: method does everything. @@ -261,8 +263,7 @@ ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, ASN1error(ERR_R_EVP_LIB); if (rv <= 1) goto err; - } else - rv = 2; + } if (rv == 2) { if (!pkey->ameth || 
@@ -286,36 +287,48 @@ ASN1_item_sign_ctx(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2, } - inl = ASN1_item_i2d(asn, &buf_in, it); - outll = outl = EVP_PKEY_size(pkey); - buf_out = malloc(outl); - if ((buf_in == NULL) || (buf_out == NULL)) { - outl = 0; + if ((in_len = ASN1_item_i2d(asn, &buf_in, it)) <= 0) { + in_len = 0; + goto err; + } + + if ((out_len = EVP_PKEY_size(pkey)) <= 0) { + out_len = 0; + goto err; + } + + if ((buf_out = malloc(out_len)) == NULL) { ASN1error(ERR_R_MALLOC_FAILURE); goto err; } - if (!EVP_DigestSignUpdate(ctx, buf_in, inl) || - !EVP_DigestSignFinal(ctx, buf_out, &outl)) { - outl = 0; + buf_out_len = out_len; + if (!EVP_DigestSignUpdate(ctx, buf_in, in_len) || + !EVP_DigestSignFinal(ctx, buf_out, &buf_out_len)) { ASN1error(ERR_R_EVP_LIB); goto err; } - free(signature->data); - signature->data = buf_out; - buf_out = NULL; - signature->length = outl; - /* In the interests of compatibility, I'll make sure that - * the bit string has a 'not-used bits' value of 0 - */ - signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); - signature->flags |= ASN1_STRING_FLAG_BITS_LEFT; + if (buf_out_len > INT_MAX) { + ASN1error(ASN1_R_TOO_LONG); + goto err; + } + + ASN1_STRING_set0(signature, buf_out, (int)buf_out_len); + buf_out = NULL; + + if (!asn1_abs_set_unused_bits(signature, 0)) { + ASN1error(ERR_R_ASN1_LIB); + goto err; + } + + ret = (int)buf_out_len; err: EVP_MD_CTX_cleanup(ctx); - freezero((char *)buf_in, inl); - freezero((char *)buf_out, outll); - return (outl); + freezero(buf_in, in_len); + freezero(buf_out, out_len); + + return ret; } int diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 6a29c32..ac8da0e 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_lib.c,v 1.52 2022/03/26 14:47:58 jsing Exp $ */ +/* $OpenBSD: asn1_lib.c,v 1.54 2022/05/05 19:18:56 jsing Exp $ */ /* * Copyright (c) 2021 Joel Sing * 
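Review bot: The two new early exits on `ASN1_item_i2d()` and `EVP_PKEY_size()` return 0 to the caller without pushing an error, whereas the neighbouring `malloc()` failure does `ASN1error(ERR_R_MALLOC_FAILURE)`; if `EVP_PKEY_size()` can return 0 for a key type that lacks a size method, the caller gets a bare zero with an empty error queue. Adding `ASN1error(ERR_R_EVP_LIB);` before the `goto err` in the `EVP_PKEY_size()` branch keeps the reporting consistent (the i2d failure presumably pushes its own error, so that branch can stay as is). The `buf_out_len > INT_MAX` guard ahead of `ASN1_STRING_set0()` is the right place for the size_t-to-int narrowing check and is worth keeping even though `out_len` already fits an int. ASN1_item_sign_ctx() begins before this hunk.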
@@ -20,7 +20,7 @@ #include "bytestring.h" -static int +int asn1_get_identifier_cbs(CBS *cbs, int der_mode, uint8_t *out_class, int *out_constructed, uint32_t *out_tag_number) { @@ -76,12 +76,12 @@ asn1_get_identifier_cbs(CBS *cbs, int der_mode, uint8_t *out_class, return 1; } -static int +int asn1_get_length_cbs(CBS *cbs, int der_mode, int *out_indefinite, - uint32_t *out_length) + size_t *out_length) { uint8_t len_bytes; - uint32_t length; + size_t length; uint8_t val; /* @@ -127,7 +127,7 @@ asn1_get_length_cbs(CBS *cbs, int der_mode, int *out_indefinite, return 0; if (der_mode && length == 0 && val == 0) return 0; - if (length > (UINT32_MAX >> 8)) + if (length > (SIZE_MAX >> 8)) return 0; length = (length << 8) | val; } @@ -140,11 +140,12 @@ asn1_get_length_cbs(CBS *cbs, int der_mode, int *out_indefinite, int asn1_get_object_cbs(CBS *cbs, int der_mode, uint8_t *out_tag_class, int *out_constructed, uint32_t *out_tag_number, int *out_indefinite, - uint32_t *out_length) + size_t *out_length) { int constructed, indefinite; - uint32_t tag_number, length; + uint32_t tag_number; uint8_t tag_class; + size_t length; *out_tag_class = 0; *out_constructed = 0; @@ -176,8 +177,9 @@ asn1_get_primitive(CBS *cbs, int der_mode, uint32_t *out_tag_number, CBS *out_content) { int constructed, indefinite; - uint32_t tag_number, length; + uint32_t tag_number; uint8_t tag_class; + size_t length; *out_tag_number = 0; diff --git a/crypto/asn1/asn1_locl.h b/crypto/asn1/asn1_local.h similarity index 73% rename from crypto/asn1/asn1_locl.h rename to crypto/asn1/asn1_local.h index 756e407..52b8a46 100644 --- a/crypto/asn1/asn1_locl.h +++ b/crypto/asn1/asn1_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_locl.h,v 1.24 2022/03/26 14:47:58 jsing Exp $ */ +/* $OpenBSD: asn1_local.h,v 1.2 2023/04/25 19:08:30 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ 
@@ -112,6 +112,7 @@ struct evp_pkey_asn1_method_st { int (*pkey_size)(const EVP_PKEY *pk); int (*pkey_bits)(const EVP_PKEY *pk); + int (*pkey_security_bits)(const EVP_PKEY *pk); int (*param_decode)(EVP_PKEY *pkey, const unsigned char **pder, int derlen); @@ -141,6 +142,15 @@ struct evp_pkey_asn1_method_st { int (*pkey_check)(const EVP_PKEY *pk); int (*pkey_public_check)(const EVP_PKEY *pk); int (*pkey_param_check)(const EVP_PKEY *pk); + + int (*set_priv_key)(EVP_PKEY *pk, const unsigned char *private_key, + size_t len); + int (*set_pub_key)(EVP_PKEY *pk, const unsigned char *public_key, + size_t len); + int (*get_priv_key)(const EVP_PKEY *pk, unsigned char *out_private_key, + size_t *out_len); + int (*get_pub_key)(const EVP_PKEY *pk, unsigned char *out_public_key, + size_t *out_len); } /* EVP_PKEY_ASN1_METHOD */; /* Method to handle CRL access. @@ -171,9 +181,9 @@ const ASN1_TEMPLATE *asn1_do_adb(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt, int int asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it); void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it); -void asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it); +void asn1_enc_cleanup(ASN1_VALUE **pval, const ASN1_ITEM *it); +int asn1_enc_save(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it); int asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval, const ASN1_ITEM *it); -int asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen, const ASN1_ITEM *it); int i2d_ASN1_BOOLEAN(int a, unsigned char **pp); int d2i_ASN1_BOOLEAN(int *a, const unsigned char **pp, long length); 
@@ -193,16 +203,62 @@ int UTF8_putc(unsigned char *str, int len, unsigned long value); int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb); +int asn1_get_identifier_cbs(CBS *cbs, int der_mode, uint8_t *out_class, + int *out_constructed, uint32_t *out_tag_number); +int asn1_get_length_cbs(CBS *cbs, int der_mode, int *out_indefinite, + size_t *out_length); int asn1_get_object_cbs(CBS *cbs, int der_mode, uint8_t *out_class, int *out_constructed, uint32_t *out_tag_number, int *out_indefinite, - uint32_t *out_length); + size_t *out_length); int asn1_get_primitive(CBS *cbs, int der_mode, uint32_t *out_tag_number, CBS *out_content); +int asn1_must_be_constructed(int tag); +int asn1_must_be_primitive(int tag); int asn1_tag2charwidth(int tag); +int asn1_abs_set_unused_bits(ASN1_BIT_STRING *abs, uint8_t unused_bits); +int c2i_ASN1_BIT_STRING_cbs(ASN1_BIT_STRING **out_abs, CBS *cbs); + +int c2i_ASN1_ENUMERATED_cbs(ASN1_ENUMERATED **out_aenum, CBS *cbs); + +int asn1_aint_get_uint64(CBS *cbs, uint64_t *out_val); +int asn1_aint_set_uint64(uint64_t val, uint8_t **out_data, int *out_len); +int asn1_aint_get_int64(CBS *cbs, int negative, int64_t *out_val); +int c2i_ASN1_INTEGER_cbs(ASN1_INTEGER **out_aint, CBS *cbs); + +int c2i_ASN1_OBJECT_cbs(ASN1_OBJECT **out_aobj, CBS *content); int i2t_ASN1_OBJECT_internal(const ASN1_OBJECT *aobj, char *buf, int buf_len, int no_name); ASN1_OBJECT *t2i_ASN1_OBJECT_internal(const char *oid); +int asn1_time_parse_cbs(const CBS *cbs, int is_gentime, struct tm *out_tm); + +ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, + long length); +int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp); +ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, + const unsigned char **pp, long length); +int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp); +ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, + long length); +int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, long offset_sec); +int 
OPENSSL_gmtime_diff(int *pday, int *psec, const struct tm *from, + const struct tm *to); +int asn1_time_time_t_to_tm(const time_t *time, struct tm *out_tm); +int asn1_time_tm_to_time_t(const struct tm *tm, time_t *out); + +int ASN1_item_ndef_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it); + +BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it); + +int i2d_ASN1_bio_stream(BIO *out, ASN1_VALUE *val, BIO *in, int flags, + const ASN1_ITEM *it); +int PEM_write_bio_ASN1_stream(BIO *out, ASN1_VALUE *val, BIO *in, int flags, + const char *hdr, const ASN1_ITEM *it); +int SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, int flags, + int ctype_nid, int econt_nid, STACK_OF(X509_ALGOR) *mdalgs, + const ASN1_ITEM *it); +ASN1_VALUE *SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it); + __END_HIDDEN_DECLS diff --git a/crypto/asn1/asn1_old.c b/crypto/asn1/asn1_old.c index 59e9cdb..d7f0d96 100644 --- a/crypto/asn1/asn1_old.c +++ b/crypto/asn1/asn1_old.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_old.c,v 1.2 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: asn1_old.c,v 1.3 2022/11/26 16:08:50 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,7 +63,7 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" #ifndef NO_OLD_ASN1 diff --git a/crypto/asn1/asn1_old_lib.c b/crypto/asn1/asn1_old_lib.c index e41a5ea..f19cb1c 100644 --- a/crypto/asn1/asn1_old_lib.c +++ b/crypto/asn1/asn1_old_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_old_lib.c,v 1.3 2022/01/14 07:57:17 tb Exp $ */ +/* $OpenBSD: asn1_old_lib.c,v 1.5 2022/11/26 16:08:50 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,7 +63,7 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" static void asn1_put_length(unsigned char **pp, int length); 
@@ -72,8 +72,9 @@ ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, int *pclass, long omax) { int constructed, indefinite; - uint32_t tag_number, length; + uint32_t tag_number; uint8_t tag_class; + size_t length; CBS cbs; int ret = 0; @@ -99,7 +100,7 @@ ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, * signal an error by setting the 8th bit in the return value... but we * still provide all of the decoded data. */ - if (length > CBS_len(&cbs)) { + if (length > CBS_len(&cbs) || length > LONG_MAX) { ASN1error(ASN1_R_TOO_LONG); ret = 0x80; } diff --git a/crypto/asn1/asn1_types.c b/crypto/asn1/asn1_types.c index c8e6b23..d8b7c1e 100644 --- a/crypto/asn1/asn1_types.c +++ b/crypto/asn1/asn1_types.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_types.c,v 1.1 2021/12/14 17:35:21 jsing Exp $ */ +/* $OpenBSD: asn1_types.c,v 1.2 2022/09/03 18:52:18 jsing Exp $ */ /* * Copyright (c) 2021 Joel Sing * @@ -19,10 +19,14 @@ #include +#define ASN1_ENCODING_CONSTRUCTED_ONLY 1 +#define ASN1_ENCODING_PRIMITIVE_ONLY 2 + struct asn1_type { const char *name; uint32_t bit_value; int char_width; + int encoding; }; /* @@ -40,12 +44,14 @@ static const struct asn1_type asn1_types[31] = { .name = "BOOLEAN", .bit_value = 0, .char_width = -1, + .encoding = ASN1_ENCODING_PRIMITIVE_ONLY, }, [2] = { /* Tag 2 (0x02) - Integer */ .name = "INTEGER", .bit_value = 0, .char_width = -1, + .encoding = ASN1_ENCODING_PRIMITIVE_ONLY, }, [3] = { /* Tag 3 (0x03) - BitString */ @@ -64,12 +70,14 @@ static const struct asn1_type asn1_types[31] = { .name = "NULL", .bit_value = 0, .char_width = -1, + .encoding = ASN1_ENCODING_PRIMITIVE_ONLY, }, [6] = { /* Tag 6 (0x06) - Object Identifier */ .name = "OBJECT", .bit_value = 0, .char_width = -1, + .encoding = ASN1_ENCODING_PRIMITIVE_ONLY, }, [7] = { /* Tag 7 (0x07) - Object Descriptor */ 
@@ -88,12 +96,14 @@ static const struct asn1_type asn1_types[31] = { .name = "REAL", .bit_value = B_ASN1_UNKNOWN, .char_width = -1, + .encoding = ASN1_ENCODING_PRIMITIVE_ONLY, }, [10] = { /* Tag 10 (0x0a) - Enumerated */ .name = "ENUMERATED", .bit_value = B_ASN1_UNKNOWN, .char_width = -1, + .encoding = ASN1_ENCODING_PRIMITIVE_ONLY, }, [11] = { /* Tag 11 (0x0b) - Embedded PDV */ @@ -112,12 +122,14 @@ static const struct asn1_type asn1_types[31] = { .name = "", .bit_value = B_ASN1_UNKNOWN, .char_width = -1, + .encoding = ASN1_ENCODING_PRIMITIVE_ONLY, }, [14] = { /* Tag 14 (0x0e) - Time */ .name = "", .bit_value = B_ASN1_UNKNOWN, .char_width = -1, + .encoding = ASN1_ENCODING_PRIMITIVE_ONLY, }, [15] = { /* Tag 15 (0x0f) - Reserved */ @@ -130,12 +142,14 @@ static const struct asn1_type asn1_types[31] = { .name = "SEQUENCE", .bit_value = B_ASN1_SEQUENCE, .char_width = -1, + .encoding = ASN1_ENCODING_CONSTRUCTED_ONLY, }, [17] = { /* Tag 17 (0x11) - Set */ .name = "SET", .bit_value = 0, .char_width = -1, + .encoding = ASN1_ENCODING_CONSTRUCTED_ONLY, }, [18] = { /* Tag 18 (0x12) - NumericString */ @@ -226,6 +240,32 @@ asn1_type_by_tag(int tag) return &asn1_types[tag]; } +int +asn1_must_be_constructed(int tag) +{ + const struct asn1_type *at; + + if (tag == V_ASN1_NEG_INTEGER || tag == V_ASN1_NEG_ENUMERATED) + tag &= ~V_ASN1_NEG; + if ((at = asn1_type_by_tag(tag)) != NULL) + return at->encoding == ASN1_ENCODING_CONSTRUCTED_ONLY; + + return 0; +} + +int +asn1_must_be_primitive(int tag) +{ + const struct asn1_type *at; + + if (tag == V_ASN1_NEG_INTEGER || tag == V_ASN1_NEG_ENUMERATED) + tag &= ~V_ASN1_NEG; + if ((at = asn1_type_by_tag(tag)) != NULL) + return at->encoding == ASN1_ENCODING_PRIMITIVE_ONLY; + + return 0; +} + int asn1_tag2charwidth(int tag) { diff --git a/crypto/asn1/asn_mime.c b/crypto/asn1/asn_mime.c index 3150214..c433eb2 100644 --- a/crypto/asn1/asn_mime.c +++ b/crypto/asn1/asn_mime.c 
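Review bot: asn1_must_be_constructed() and asn1_must_be_primitive() repeat the negative-tag normalisation and the table lookup verbatim; a static helper returning the `encoding` field (0 for an unknown tag) reduces each public function to a single comparison with identical results, since neither ASN1_ENCODING_* constant is 0. A return of 0 from either function also means "no constraint", which is what every entry without an `.encoding` initialiser (BIT STRING, OCTET STRING, the string types) gets, presumably because BER permits constructed encodings of those, and the difference between "unknown tag" and "either encoding allowed" deserves a comment above the two functions, e.g. `/* 0 means the tag is unknown or both encodings are permitted. */`. Only the `return &asn1_types[tag];` line of asn1_type_by_tag() is visible here, so its range check is assumed.
```c
/* Encoding constraint for tag, or 0 when unknown or unconstrained. */
static int
asn1_type_encoding(int tag)
{
	const struct asn1_type *at;

	if (tag == V_ASN1_NEG_INTEGER || tag == V_ASN1_NEG_ENUMERATED)
		tag &= ~V_ASN1_NEG;
	if ((at = asn1_type_by_tag(tag)) == NULL)
		return 0;

	return at->encoding;
}

int
asn1_must_be_constructed(int tag)
{
	return asn1_type_encoding(tag) == ASN1_ENCODING_CONSTRUCTED_ONLY;
}

int
asn1_must_be_primitive(int tag)
{
	return asn1_type_encoding(tag) == ASN1_ENCODING_PRIMITIVE_ONLY;
}
```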
@@ -1,4 +1,4 @@ -/* $OpenBSD: asn_mime.c,v 1.29 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: asn_mime.c,v 1.31 2023/04/19 16:36:34 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -62,8 +62,8 @@ #include #include -#include "asn1_locl.h" -#include "evp_locl.h" +#include "asn1_local.h" +#include "evp_local.h" /* Generalised MIME like utilities for streaming ASN1. Although many * have a PKCS7/CMS like flavour others are more general purpose. @@ -663,9 +663,8 @@ multi_split(BIO *bio, char *bound, STACK_OF(BIO) **ret) #define MIME_QUOTE 5 #define MIME_COMMENT 6 - -static -STACK_OF(MIME_HEADER) *mime_parse_hdr(BIO *bio) +static STACK_OF(MIME_HEADER) * +mime_parse_hdr(BIO *bio) { char *p, *q, c; char *ntmp; diff --git a/crypto/asn1/asn_moid.c b/crypto/asn1/asn_moid.c index c672f0a..166ebae 100644 --- a/crypto/asn1/asn_moid.c +++ b/crypto/asn1/asn_moid.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn_moid.c,v 1.14 2022/01/07 11:13:54 tb Exp $ */ +/* $OpenBSD: asn_moid.c,v 1.15 2022/11/26 16:08:50 tb Exp $ */ /* Written by Stephen Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -65,7 +65,7 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" /* Simple ASN1 OID module: add all objects in a given section */ diff --git a/crypto/asn1/bio_asn1.c b/crypto/asn1/bio_asn1.c index 9017786..7e25a9c 100644 --- a/crypto/asn1/bio_asn1.c +++ b/crypto/asn1/bio_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_asn1.c,v 1.17 2022/01/14 08:40:57 tb Exp $ */ +/* $OpenBSD: bio_asn1.c,v 1.21 2023/03/25 10:45:20 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -163,7 +163,7 @@ asn1_bio_new(BIO *b) ctx->state = ASN1_STATE_START; b->init = 1; - b->ptr = (char *)ctx; + b->ptr = ctx; b->flags = 0; return 1; 
@@ -172,11 +172,16 @@ asn1_bio_new(BIO *b) static int asn1_bio_free(BIO *b) { - BIO_ASN1_BUF_CTX *ctx; + BIO_ASN1_BUF_CTX *ctx = b->ptr; - ctx = (BIO_ASN1_BUF_CTX *) b->ptr; if (ctx == NULL) return 0; + + if (ctx->prefix_free != NULL) + ctx->prefix_free(b, &ctx->ex_buf, &ctx->ex_len, &ctx->ex_arg); + if (ctx->suffix_free != NULL) + ctx->suffix_free(b, &ctx->ex_buf, &ctx->ex_len, &ctx->ex_arg); + free(ctx->buf); free(ctx); b->init = 0; @@ -194,8 +199,8 @@ asn1_bio_write(BIO *b, const char *in , int inl) if (!in || (inl < 0) || (b->next_bio == NULL)) return 0; - ctx = (BIO_ASN1_BUF_CTX *) b->ptr; - if (ctx == NULL) + + if ((ctx = b->ptr) == NULL) return 0; wrlen = 0; @@ -254,7 +259,7 @@ asn1_bio_write(BIO *b, const char *in , int inl) wrmax = inl; ret = BIO_write(b->next_bio, in, wrmax); if (ret <= 0) - break; + goto done; wrlen += ret; ctx->copylen -= ret; in += ret; @@ -360,8 +365,7 @@ asn1_bio_ctrl(BIO *b, int cmd, long arg1, void *arg2) BIO_ASN1_EX_FUNCS *ex_func; long ret = 1; - ctx = (BIO_ASN1_BUF_CTX *) b->ptr; - if (ctx == NULL) + if ((ctx = b->ptr) == NULL) return 0; switch (cmd) { @@ -452,11 +456,12 @@ asn1_bio_get_ex(BIO *b, int cmd, asn1_ps_func **ex_func, BIO_ASN1_EX_FUNCS extmp; int ret; - ret = BIO_ctrl(b, cmd, 0, &extmp); - if (ret > 0) { - *ex_func = extmp.ex_func; - *ex_free_func = extmp.ex_free_func; - } + if ((ret = BIO_ctrl(b, cmd, 0, &extmp)) <= 0) + return ret; + + *ex_func = extmp.ex_func; + *ex_free_func = extmp.ex_free_func; + return ret; } diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c index 88b204e..d0329ed 100644 --- a/crypto/asn1/bio_ndef.c +++ b/crypto/asn1/bio_ndef.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_ndef.c,v 1.11 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: bio_ndef.c,v 1.22 2023/04/25 19:08:30 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ 
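Review bot: asn1_bio_free() now runs the prefix free callback and then the suffix free callback on the same `&ctx->ex_arg`, and for the NDEF handlers in bio_ndef.c the suffix callback itself calls ndef_prefix_free() again, so the prefix callback executes twice and the destructor silently depends on it being idempotent (it is, because `derbuf` is reset to NULL and `free(NULL)` is a no-op). That contract should be recorded next to the two calls: `/* A callback may run more than once (the suffix free may call the prefix free); both must tolerate a NULL or already-released ex_arg. */`. The return values of both callbacks are discarded, which is acceptable in a destructor but belongs in the same comment. The `break` to `goto done` change in asn1_bio_write() jumps to a label outside this view, so I cannot confirm what `done` does with the partial `wrlen`.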
@@ -52,12 +52,14 @@ * */ +#include + #include #include #include #include -#include +#include "asn1_local.h" /* Experimental NDEF ASN1 BIO support routines */ 
@@ -101,32 +103,49 @@ BIO * BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) { NDEF_SUPPORT *ndef_aux = NULL; - BIO *asn_bio = NULL; + BIO *asn_bio = NULL, *pop_bio = NULL; const ASN1_AUX *aux = it->funcs; ASN1_STREAM_ARG sarg; - if (!aux || !aux->asn1_cb) { + if (aux == NULL || aux->asn1_cb == NULL) { ASN1error(ASN1_R_STREAMING_NOT_SUPPORTED); - return NULL; + goto err; } - ndef_aux = malloc(sizeof(NDEF_SUPPORT)); - asn_bio = BIO_new(BIO_f_asn1()); - /* ASN1 bio needs to be next to output BIO */ - - out = BIO_push(asn_bio, out); - - if (!ndef_aux || !asn_bio || !out) + if ((asn_bio = BIO_new(BIO_f_asn1())) == NULL) goto err; - BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free); - BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); + if (BIO_push(asn_bio, out) == NULL) + goto err; + pop_bio = asn_bio; - /* Now let callback prepend any digest, cipher etc BIOs - * ASN1 structure needs. + /* + * Set up prefix and suffix handlers first. This ensures that ndef_aux + * is freed as part of asn_bio once it is the asn_bio's ex_arg. + */ + if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0) + goto err; + if (BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0) + goto err; + + /* + * Allocate early to avoid the tricky cleanup after the asn1_cb(). + * Ownership of ndef_aux is transferred to asn_bio in BIO_ctrl(). + * Keep a reference to populate it after callback success. + */ + if ((ndef_aux = calloc(1, sizeof(*ndef_aux))) == NULL) + goto err; + if (BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0) { + free(ndef_aux); + goto err; + } + + /* + * The callback prepends BIOs to the chain starting at asn_bio for + * digest, cipher, etc. The resulting chain starts at sarg.ndef_bio. */ - sarg.out = out; + sarg.out = asn_bio; sarg.ndef_bio = NULL; sarg.boundary = NULL; 
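Review bot: `if (BIO_push(asn_bio, out) == NULL)` cannot fail once `asn_bio` has been checked, because BIO_push() returns its first argument whenever that is non-NULL (as far as I can tell from LibreSSL's bio_lib.c); if the intent is to reject a NULL `out`, test `out` explicitly at the top of the function instead, otherwise drop the branch. The reordering that installs the prefix/suffix handlers and transfers `ndef_aux` via `BIO_C_SET_EX_ARG` before the callback runs is the substantive improvement here, and the two comments explaining why are exactly what a reader needs. The `free(ndef_aux)` on `BIO_ctrl()` failure is correct only because ownership has not yet transferred at that point, which the preceding comment already states. BIO_new_NDEF() continues into the next hunk.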
@@ -137,15 +156,14 @@ BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) ndef_aux->it = it; ndef_aux->ndef_bio = sarg.ndef_bio; ndef_aux->boundary = sarg.boundary; - ndef_aux->out = out; - - BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux); + ndef_aux->out = asn_bio; return sarg.ndef_bio; err: + BIO_pop(pop_bio); BIO_free(asn_bio); - free(ndef_aux); + return NULL; } @@ -178,29 +196,34 @@ ndef_prefix(BIO *b, unsigned char **pbuf, int *plen, void *parg) static int ndef_prefix_free(BIO *b, unsigned char **pbuf, int *plen, void *parg) { - NDEF_SUPPORT *ndef_aux; + NDEF_SUPPORT **pndef_aux = parg; - if (!parg) + if (pndef_aux == NULL || *pndef_aux == NULL) return 0; - ndef_aux = *(NDEF_SUPPORT **)parg; + free((*pndef_aux)->derbuf); + (*pndef_aux)->derbuf = NULL; - free(ndef_aux->derbuf); - - ndef_aux->derbuf = NULL; *pbuf = NULL; *plen = 0; + return 1; } static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen, void *parg) { - NDEF_SUPPORT **pndef_aux = (NDEF_SUPPORT **)parg; + NDEF_SUPPORT **pndef_aux = parg; + + /* Ensure ndef_prefix_free() won't fail, so we won't leak *pndef_aux. */ + if (pndef_aux == NULL || *pndef_aux == NULL) + return 0; if (!ndef_prefix_free(b, pbuf, plen, parg)) return 0; + free(*pndef_aux); *pndef_aux = NULL; + return 1; } diff --git a/crypto/asn1/nsseq.c b/crypto/asn1/nsseq.c deleted file mode 100644 index 8b39278..0000000 --- a/crypto/asn1/nsseq.c +++ /dev/null 
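Review bot: The err path no longer frees `ndef_aux` and instead relies on `BIO_free(asn_bio)` reaching ndef_suffix_free() through asn1_bio_free() in bio_asn1.c, a cross-file dependency that is not mentioned at the point where it matters. A comment before `BIO_free(asn_bio);` such as `/* asn1_bio_free() runs ndef_suffix_free(), which frees ndef_aux once it is the ex_arg. */` makes the ownership transfer explicit. `BIO_pop(pop_bio)` is reached with `pop_bio == NULL` on the early exits, which is safe only because BIO_pop() accepts NULL, so that assumption is worth stating in the same comment. The NULL checks added to ndef_suffix_free() in the following hunk are what make the prefix-then-suffix ordering in asn1_bio_free() hold, so the two files should be read together.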
@@ -1,129 +0,0 @@ -/* $OpenBSD: nsseq.c,v 1.10 2015/02/11 04:00:39 jsing Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. 
Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). 
- * - */ - -#include -#include -#include -#include -#include - -static int -nsseq_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) -{ - if (operation == ASN1_OP_NEW_POST) { - NETSCAPE_CERT_SEQUENCE *nsseq; - nsseq = (NETSCAPE_CERT_SEQUENCE *)*pval; - nsseq->type = OBJ_nid2obj(NID_netscape_cert_sequence); - } - return 1; -} - -/* Netscape certificate sequence structure */ - -static const ASN1_AUX NETSCAPE_CERT_SEQUENCE_aux = { - .asn1_cb = nsseq_cb, -}; -static const ASN1_TEMPLATE NETSCAPE_CERT_SEQUENCE_seq_tt[] = { - { - .offset = offsetof(NETSCAPE_CERT_SEQUENCE, type), - .field_name = "type", - .item = &ASN1_OBJECT_it, - }, - { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL, - .offset = offsetof(NETSCAPE_CERT_SEQUENCE, certs), - .field_name = "certs", - .item = &X509_it, - }, -}; - -const ASN1_ITEM NETSCAPE_CERT_SEQUENCE_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = NETSCAPE_CERT_SEQUENCE_seq_tt, - .tcount = sizeof(NETSCAPE_CERT_SEQUENCE_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = &NETSCAPE_CERT_SEQUENCE_aux, - .size = sizeof(NETSCAPE_CERT_SEQUENCE), - .sname = "NETSCAPE_CERT_SEQUENCE", -}; - - -NETSCAPE_CERT_SEQUENCE * -d2i_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE **a, const unsigned char **in, long len) -{ - return (NETSCAPE_CERT_SEQUENCE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &NETSCAPE_CERT_SEQUENCE_it); -} - -int -i2d_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &NETSCAPE_CERT_SEQUENCE_it); -} - -NETSCAPE_CERT_SEQUENCE * -NETSCAPE_CERT_SEQUENCE_new(void) -{ - return (NETSCAPE_CERT_SEQUENCE *)ASN1_item_new(&NETSCAPE_CERT_SEQUENCE_it); -} - -void -NETSCAPE_CERT_SEQUENCE_free(NETSCAPE_CERT_SEQUENCE *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &NETSCAPE_CERT_SEQUENCE_it); -} diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c index d88a4df..85818a9 100644 --- a/crypto/asn1/p5_pbev2.c 
+++ b/crypto/asn1/p5_pbev2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p5_pbev2.c,v 1.27 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: p5_pbev2.c,v 1.28 2022/11/26 16:08:50 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999-2004. */ @@ -64,7 +64,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" /* PKCS#5 v2.0 password based encryption structures */ diff --git a/crypto/asn1/p8_pkey.c b/crypto/asn1/p8_pkey.c index 18659a6..24f1457 100644 --- a/crypto/asn1/p8_pkey.c +++ b/crypto/asn1/p8_pkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p8_pkey.c,v 1.20 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: p8_pkey.c,v 1.21 2022/11/26 16:08:50 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -62,7 +62,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" /* Minor tweak to operation: zero private key data */ static int diff --git a/crypto/asn1/t_crl.c b/crypto/asn1/t_crl.c index 3ded015..34c9200 100644 --- a/crypto/asn1/t_crl.c +++ b/crypto/asn1/t_crl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_crl.c,v 1.20 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: t_crl.c,v 1.21 2022/11/26 16:08:50 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -66,7 +66,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" int X509_CRL_print_fp(FILE *fp, X509_CRL *x) diff --git a/crypto/asn1/t_pkey.c b/crypto/asn1/t_pkey.c index a307381..0392dc4 100644 --- a/crypto/asn1/t_pkey.c +++ b/crypto/asn1/t_pkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_pkey.c,v 1.17 2021/12/04 16:08:32 tb Exp $ */ +/* $OpenBSD: t_pkey.c,v 1.19 2022/11/26 16:08:50 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,7 +62,7 @@ #include #include -#include "bn_lcl.h" +#include "bn_local.h" int ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num, 
@@ -114,3 +114,32 @@ ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num, } return (1); } + +#define ASN1_BUF_PRINT_WIDTH 15 +#define ASN1_BUF_PRINT_MAX_INDENT 64 + +int +ASN1_buf_print(BIO *bp, const unsigned char *buf, size_t buflen, int indent) +{ + size_t i; + + for (i = 0; i < buflen; i++) { + if ((i % ASN1_BUF_PRINT_WIDTH) == 0) { + if (i > 0 && BIO_puts(bp, "\n") <= 0) + return 0; + if (!BIO_indent(bp, indent, ASN1_BUF_PRINT_MAX_INDENT)) + return 0; + } + /* + * Use colon separators for each octet for compatibility as + * this function is used to print out key components. + */ + if (BIO_printf(bp, "%02x%s", buf[i], + (i == buflen - 1) ? "" : ":") <= 0) + return 0; + } + if (BIO_write(bp, "\n", 1) <= 0) + return 0; + + return 1; +} diff --git a/crypto/asn1/t_req.c b/crypto/asn1/t_req.c index cc9da46..0ede4ce 100644 --- a/crypto/asn1/t_req.c +++ b/crypto/asn1/t_req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_req.c,v 1.21 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: t_req.c,v 1.24 2022/11/26 16:08:50 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -74,7 +74,7 @@ #include #endif -#include "x509_lcl.h" +#include "x509_local.h" int X509_REQ_print_fp(FILE *fp, X509_REQ *x) @@ -102,7 +102,7 @@ X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, X509_REQ_INFO *ri; EVP_PKEY *pkey; STACK_OF(X509_ATTRIBUTE) *sk; - STACK_OF(X509_EXTENSION) *exts; + STACK_OF(X509_EXTENSION) *exts = NULL; char mlch = ' '; int nmindent = 0; @@ -176,7 +176,6 @@ X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, ASN1_TYPE *at; X509_ATTRIBUTE *a; ASN1_BIT_STRING *bs = NULL; - ASN1_TYPE *t; int j, type = 0, count = 1, ii = 0; a = sk_X509_ATTRIBUTE_value(sk, i); 
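Review bot: ASN1_buf_print() emits the row separator with `BIO_puts(bp, "\n")` but the final newline with `BIO_write(bp, "\n", 1)`; using one call for both, e.g. `if (BIO_puts(bp, "\n") <= 0)` at the end, keeps the function uniform. With `buflen == 0` the loop is skipped and the output is a bare newline with no indent, which is probably fine for the key-printing callers but should be stated together with the return contract in a header comment: `/* Print buf as colon-separated hex, ASN1_BUF_PRINT_WIDTH octets per row, each row indented by indent (capped at ASN1_BUF_PRINT_MAX_INDENT); returns 1 on success, 0 on write error. */`. The new function is complete within this hunk.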
@@ -186,20 +185,12 @@ X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, if (BIO_printf(bp, "%12s", "") <= 0) goto err; if ((j = i2a_ASN1_OBJECT(bp, a->object)) > 0) { - if (a->single) { - t = a->value.single; - type = t->type; - bs = t->value.bit_string; - } else { - ii = 0; - count = sk_ASN1_TYPE_num( - a->value.set); + ii = 0; + count = sk_ASN1_TYPE_num(a->set); get_next: - at = sk_ASN1_TYPE_value( - a->value.set, ii); - type = at->type; - bs = at->value.asn1_string; - } + at = sk_ASN1_TYPE_value(a->set, ii); + type = at->type; + bs = at->value.asn1_string; } for (j = 25 - j; j > 0; j--) if (BIO_write(bp, " ", 1) != 1) @@ -247,6 +238,7 @@ X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, goto err; } sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + exts = NULL; } } @@ -258,6 +250,7 @@ X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, return (1); err: + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); X509error(ERR_R_BUF_LIB); return (0); } diff --git a/crypto/asn1/t_spki.c b/crypto/asn1/t_spki.c index 56c0956..2da8717 100644 --- a/crypto/asn1/t_spki.c +++ b/crypto/asn1/t_spki.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_spki.c,v 1.13 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: t_spki.c,v 1.14 2022/11/26 16:08:50 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -71,7 +71,7 @@ #include #endif -#include "x509_lcl.h" +#include "x509_local.h" /* Print out an SPKI */ diff --git a/crypto/asn1/t_x509.c b/crypto/asn1/t_x509.c index 563edac..d0fbf90 100644 --- a/crypto/asn1/t_x509.c +++ b/crypto/asn1/t_x509.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_x509.c,v 1.37 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: t_x509.c,v 1.41 2022/11/26 16:08:50 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
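Review bot: `at = sk_ASN1_TYPE_value(a->set, ii)` is dereferenced on the next line without a NULL check; sk_ASN1_TYPE_value() returns NULL when `a->set` is NULL or `ii` is out of range, and `count` from `sk_ASN1_TYPE_num()` is 0 for an empty set and -1 for a NULL one, so a request whose attribute SET OF decoded empty (if the decoder admits that) would crash the printer while handling untrusted input. Guard it before the dereference: `if (count <= 0 || (at = sk_ASN1_TYPE_value(a->set, ii)) == NULL) goto err;`. The code that advances `ii` and jumps back to `get_next` lies outside this hunk, as does the start of X509_REQ_print_ex(). The `exts = NULL` reset and the added pop_free on the err path in the two following hunks close a leak of the extension stack when a write fails mid-way, which looks right.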
@@ -77,8 +77,8 @@ #include #endif -#include "asn1_locl.h" -#include "x509_lcl.h" +#include "asn1_local.h" +#include "x509_local.h" int X509_print_fp(FILE *fp, X509 *x) @@ -118,7 +118,6 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) X509_CINF *ci; ASN1_INTEGER *bs; EVP_PKEY *pkey = NULL; - const char *neg; if ((nmflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) { mlch = '\n'; @@ -137,9 +136,15 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) } if (!(cflag & X509_FLAG_NO_VERSION)) { l = X509_get_version(x); - if (BIO_printf(bp, "%8sVersion: %lu (0x%lx)\n", - "", l + 1, l) <= 0) - goto err; + if (l >= 0 && l <= 2) { + if (BIO_printf(bp, "%8sVersion: %ld (0x%lx)\n", + "", l + 1, l) <= 0) + goto err; + } else { + if (BIO_printf(bp, "%8sVersion: unknown (%ld)\n", + "", l) <= 0) + goto err; + } } if (!(cflag & X509_FLAG_NO_SERIAL)) { if (BIO_write(bp, " Serial Number:", 22) <= 0) @@ -149,18 +154,15 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) l = -1; if (bs->length <= (int)sizeof(long)) l = ASN1_INTEGER_get(bs); - if (l != -1) { - if (bs->type == V_ASN1_NEG_INTEGER) { - l = -l; - neg = "-"; - } else - neg = ""; - if (BIO_printf(bp, " %s%lu (%s0x%lx)\n", - neg, l, neg, l) <= 0) + if (l >= 0) { + if (BIO_printf(bp, " %ld (0x%lx)\n", l, l) <= 0) goto err; } else { - neg = (bs->type == V_ASN1_NEG_INTEGER) ? - " (Negative)" : ""; + const char *neg = ""; + + if (bs->type == V_ASN1_NEG_INTEGER) + neg = " (Negative)"; + if (BIO_printf(bp, "\n%12s%s", "", neg) <= 0) goto err; for (i = 0; i < bs->length; i++) { @@ -468,9 +470,8 @@ int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase) { char *s, *c, *b; - int ret = 0, l, i; - - l = 80 - 2 - obase; + int i; + int ret = 0; b = X509_NAME_oneline(name, NULL, 0); if (b == NULL) 
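Review bot: In the serial-number hunk the new `if (l >= 0)` test silently relies on `l` being -1 both when `bs->length` exceeds `sizeof(long)` and when ASN1_INTEGER_get() returns -1, and genuinely negative serials now also fall into the hex-dump branch; the old `l != -1` test at least made the sentinel visible, and nothing in the new code states it. Suggest a comment above the condition: `/* l stays -1 if the serial does not fit in a long or ASN1_INTEGER_get() failed; negative serials are dumped as bytes with a "(Negative)" marker. */`. The version hunk earlier in this line is clearer for the same reason, since its `l >= 0 && l <= 2` range is self-explanatory. X509_print_ex() continues outside the hunk.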
@@ -495,12 +496,10 @@ X509_NAME_print(BIO *bp, const X509_NAME *name, int obase) if (BIO_write(bp, ", ", 2) != 2) goto err; } - l--; } if (*s == '\0') break; s++; - l--; } ret = 1; diff --git a/crypto/asn1/t_x509a.c b/crypto/asn1/t_x509a.c index 6745318..09e5ecd 100644 --- a/crypto/asn1/t_x509a.c +++ b/crypto/asn1/t_x509a.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_x509a.c,v 1.10 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: t_x509a.c,v 1.11 2022/11/26 16:08:50 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -62,7 +62,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" /* X509_CERT_AUX and string set routines */ diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index d475c99..8964d46 100644 --- a/crypto/asn1/tasn_dec.c +++ b/crypto/asn1/tasn_dec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_dec.c,v 1.49 2022/03/13 14:58:14 jsing Exp $ */ +/* $OpenBSD: tasn_dec.c,v 1.86 2023/04/30 16:46:49 job Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ 
@@ -66,768 +66,235 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" #include "bytestring.h" -/* Constructed types with a recursive definition (such as can be found in PKCS7) +/* + * Constructed types with a recursive definition (such as can be found in PKCS7) * could eventually exceed the stack given malicious input with excessive * recursion. Therefore we limit the stack depth. */ #define ASN1_MAX_CONSTRUCTED_NEST 30 -static int asn1_check_eoc(const unsigned char **in, long len); -static int asn1_find_end(const unsigned char **in, long len, char inf); - -static int asn1_collect(CBB *cbb, const unsigned char **in, long len, - char inf, int tag, int aclass, int depth); - -static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, - char *inf, char *cst, const unsigned char **in, long len, int exptag, - int expclass, char opt, ASN1_TLC *ctx); - -static int asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, - long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx, - int depth); -static int asn1_template_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, - long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx, int depth); -static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, - long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx, int depth); -static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, - long len, const ASN1_ITEM *it, int tag, int aclass, char opt, - ASN1_TLC *ctx); -static int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *content, int len, - int utype, const ASN1_ITEM *it); - -static void -asn1_tlc_invalidate(ASN1_TLC *ctx) -{ - if (ctx != NULL) - ctx->valid = 0; -} - -ASN1_VALUE * -ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, - const ASN1_ITEM *it) -{ - ASN1_VALUE *ptmpval = NULL; - ASN1_TLC ctx; - - asn1_tlc_invalidate(&ctx); - - if (pval == NULL) - pval = &ptmpval; - if (asn1_item_ex_d2i(pval, in, 
len, it, -1, 0, 0, &ctx, 0) <= 0) - return NULL; - - return *pval; -} - -int -ASN1_template_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, - const ASN1_TEMPLATE *tt) -{ - ASN1_TLC ctx; - - asn1_tlc_invalidate(&ctx); - - return asn1_template_ex_d2i(pval, in, len, tt, 0, &ctx, 0); -} - -/* Decode an item, taking care of IMPLICIT tagging, if any. - * If 'opt' set and tag mismatch return -1 to handle OPTIONAL +#ifndef ASN1_MAX_STRING_NEST +/* + * This determines how many levels of recursion are permitted in ASN.1 string + * types. If it is not limited stack overflows can occur. If set to zero no + * recursion is allowed at all. */ +#define ASN1_MAX_STRING_NEST 5 +#endif + +static int asn1_template_d2i(ASN1_VALUE **pval, CBS *cbs, + const ASN1_TEMPLATE *at, int optional, int depth); static int -asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, - const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx, - int depth) +asn1_check_eoc(CBS *cbs) { - const ASN1_TEMPLATE *tt, *errtt = NULL; - const ASN1_EXTERN_FUNCS *ef; - const ASN1_AUX *aux = it->funcs; - ASN1_aux_cb *asn1_cb = NULL; - const unsigned char *p = NULL, *q; - unsigned char oclass; - char seq_eoc, seq_nolen, cst, isopt; - long tmplen; - int i; - int otag; - int ret = 0; - ASN1_VALUE **pchptr; - int combine; + uint16_t eoc; - combine = aclass & ASN1_TFLG_COMBINE; - aclass &= ~ASN1_TFLG_COMBINE; - - if (!pval) + if (!CBS_peek_u16(cbs, &eoc)) + return 0; + if (eoc != 0) return 0; - if (aux && aux->asn1_cb) - asn1_cb = aux->asn1_cb; + return CBS_skip(cbs, 2); +} - if (++depth > ASN1_MAX_CONSTRUCTED_NEST) { - ASN1error(ASN1_R_NESTED_TOO_DEEP); - goto err; +static int +asn1_check_tag(CBS *cbs, size_t *out_len, int *out_tag, uint8_t *out_class, + int *out_indefinite, int *out_constructed, int expected_tag, + int expected_class, int optional) +{ + int constructed, indefinite; + uint32_t tag_number; + uint8_t tag_class; + size_t length; + + if (out_len != NULL) + *out_len = 0; + 
if (out_tag != NULL) + *out_tag = 0; + if (out_class != NULL) + *out_class = 0; + if (out_indefinite != NULL) + *out_indefinite = 0; + if (out_constructed != NULL) + *out_constructed = 0; + + if (!asn1_get_identifier_cbs(cbs, 0, &tag_class, &constructed, + &tag_number)) { + ASN1error(ASN1_R_BAD_OBJECT_HEADER); + return 0; } - - switch (it->itype) { - case ASN1_ITYPE_PRIMITIVE: - if (it->templates) { - /* tagging or OPTIONAL is currently illegal on an item - * template because the flags can't get passed down. - * In practice this isn't a problem: we include the - * relevant flags from the item template in the - * template itself. - */ - if ((tag != -1) || opt) { - ASN1error(ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); - goto err; - } - return asn1_template_ex_d2i(pval, in, len, - it->templates, opt, ctx, depth); - } - return asn1_d2i_ex_primitive(pval, in, len, it, - tag, aclass, opt, ctx); - break; - - case ASN1_ITYPE_MSTRING: - /* - * It never makes sense for multi-strings to have implicit - * tagging, so if tag != -1, then this looks like an error in - * the template. - */ - if (tag != -1) { - ASN1error(ASN1_R_BAD_TEMPLATE); - goto err; - } - - p = *in; - /* Just read in tag and class */ - ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL, - &p, len, -1, 0, 1, ctx); - if (!ret) { - ASN1error(ERR_R_NESTED_ASN1_ERROR); - goto err; - } - - /* Must be UNIVERSAL class */ - if (oclass != V_ASN1_UNIVERSAL) { - /* If OPTIONAL, assume this is OK */ - if (opt) + if (expected_tag >= 0) { + if (expected_tag != tag_number || + expected_class != tag_class << 6) { + /* Indicate missing type if this is OPTIONAL. 
*/ + if (optional) return -1; - ASN1error(ASN1_R_MSTRING_NOT_UNIVERSAL); - goto err; - } - /* Check tag matches bit map */ - if (!(ASN1_tag2bit(otag) & it->utype)) { - /* If OPTIONAL, assume this is OK */ - if (opt) - return -1; - ASN1error(ASN1_R_MSTRING_WRONG_TAG); - goto err; - } - return asn1_d2i_ex_primitive(pval, in, len, - it, otag, 0, 0, ctx); - case ASN1_ITYPE_EXTERN: - /* Use new style d2i */ - ef = it->funcs; - return ef->asn1_ex_d2i(pval, in, len, - it, tag, aclass, opt, ctx); - - case ASN1_ITYPE_CHOICE: - /* - * It never makes sense for CHOICE types to have implicit - * tagging, so if tag != -1, then this looks like an error in - * the template. - */ - if (tag != -1) { - ASN1error(ASN1_R_BAD_TEMPLATE); - goto err; + ASN1error(ASN1_R_WRONG_TAG); + return 0; } - - if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) - goto auxerr; - - if (*pval) { - /* Free up and zero CHOICE value if initialised */ - i = asn1_get_choice_selector(pval, it); - if ((i >= 0) && (i < it->tcount)) { - tt = it->templates + i; - pchptr = asn1_get_field_ptr(pval, tt); - ASN1_template_free(pchptr, tt); - asn1_set_choice_selector(pval, -1, it); - } - } else if (!ASN1_item_ex_new(pval, it)) { - ASN1error(ERR_R_NESTED_ASN1_ERROR); - goto err; - } - /* CHOICE type, try each possibility in turn */ - p = *in; - for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { - pchptr = asn1_get_field_ptr(pval, tt); - /* We mark field as OPTIONAL so its absence - * can be recognised. - */ - ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, - depth); - /* If field not present, try the next one */ - if (ret == -1) - continue; - /* If positive return, read OK, break loop */ - if (ret > 0) - break; - /* Otherwise must be an ASN1 parsing error */ - errtt = tt; - ASN1error(ERR_R_NESTED_ASN1_ERROR); - goto err; - } - - /* Did we fall off the end without reading anything? 
*/ - if (i == it->tcount) { - /* If OPTIONAL, this is OK */ - if (opt) { - /* Free and zero it */ - ASN1_item_ex_free(pval, it); - return -1; - } - ASN1error(ASN1_R_NO_MATCHING_CHOICE_TYPE); - goto err; - } - - asn1_set_choice_selector(pval, i, it); - *in = p; - if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) - goto auxerr; - return 1; - - case ASN1_ITYPE_NDEF_SEQUENCE: - case ASN1_ITYPE_SEQUENCE: - p = *in; - tmplen = len; - - /* If no IMPLICIT tagging set to SEQUENCE, UNIVERSAL */ - if (tag == -1) { - tag = V_ASN1_SEQUENCE; - aclass = V_ASN1_UNIVERSAL; - } - /* Get SEQUENCE length and update len, p */ - ret = asn1_check_tlen(&len, NULL, NULL, &seq_eoc, &cst, - &p, len, tag, aclass, opt, ctx); - if (!ret) { - ASN1error(ERR_R_NESTED_ASN1_ERROR); - goto err; - } else if (ret == -1) - return -1; - if (aux && (aux->flags & ASN1_AFLG_BROKEN)) { - len = tmplen - (p - *in); - seq_nolen = 1; - } - /* If indefinite we don't do a length check */ - else - seq_nolen = seq_eoc; - if (!cst) { - ASN1error(ASN1_R_SEQUENCE_NOT_CONSTRUCTED); - goto err; - } - - if (!*pval && !ASN1_item_ex_new(pval, it)) { - ASN1error(ERR_R_NESTED_ASN1_ERROR); - goto err; - } - - if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL)) - goto auxerr; - - /* Free up and zero any ADB found */ - for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { - if (tt->flags & ASN1_TFLG_ADB_MASK) { - const ASN1_TEMPLATE *seqtt; - ASN1_VALUE **pseqval; - seqtt = asn1_do_adb(pval, tt, 1); - if (!seqtt) - goto err; - pseqval = asn1_get_field_ptr(pval, seqtt); - ASN1_template_free(pseqval, seqtt); - } - } - - /* Get each field entry */ - for (i = 0, tt = it->templates; i < it->tcount; i++, tt++) { - const ASN1_TEMPLATE *seqtt; - ASN1_VALUE **pseqval; - seqtt = asn1_do_adb(pval, tt, 1); - if (!seqtt) - goto err; - pseqval = asn1_get_field_ptr(pval, seqtt); - /* Have we ran out of data? 
*/ - if (!len) - break; - q = p; - if (asn1_check_eoc(&p, len)) { - if (!seq_eoc) { - ASN1error(ASN1_R_UNEXPECTED_EOC); - goto err; - } - len -= p - q; - seq_eoc = 0; - q = p; - break; - } - /* This determines the OPTIONAL flag value. The field - * cannot be omitted if it is the last of a SEQUENCE - * and there is still data to be read. This isn't - * strictly necessary but it increases efficiency in - * some cases. - */ - if (i == (it->tcount - 1)) - isopt = 0; - else - isopt = (char)(seqtt->flags & ASN1_TFLG_OPTIONAL); - /* attempt to read in field, allowing each to be - * OPTIONAL */ - - ret = asn1_template_ex_d2i(pseqval, &p, len, - seqtt, isopt, ctx, depth); - if (!ret) { - errtt = seqtt; - goto err; - } else if (ret == -1) { - /* OPTIONAL component absent. - * Free and zero the field. - */ - ASN1_template_free(pseqval, seqtt); - continue; - } - /* Update length */ - len -= p - q; - } - - /* Check for EOC if expecting one */ - if (seq_eoc && !asn1_check_eoc(&p, len)) { - ASN1error(ASN1_R_MISSING_EOC); - goto err; - } - /* Check all data read */ - if (!seq_nolen && len) { - ASN1error(ASN1_R_SEQUENCE_LENGTH_MISMATCH); - goto err; - } - - /* If we get here we've got no more data in the SEQUENCE, - * however we may not have read all fields so check all - * remaining are OPTIONAL and clear any that are. 
- */ - for (; i < it->tcount; tt++, i++) { - const ASN1_TEMPLATE *seqtt; - seqtt = asn1_do_adb(pval, tt, 1); - if (!seqtt) - goto err; - if (seqtt->flags & ASN1_TFLG_OPTIONAL) { - ASN1_VALUE **pseqval; - pseqval = asn1_get_field_ptr(pval, seqtt); - ASN1_template_free(pseqval, seqtt); - } else { - errtt = seqtt; - ASN1error(ASN1_R_FIELD_MISSING); - goto err; - } - } - /* Save encoding */ - if (!asn1_enc_save(pval, *in, p - *in, it)) { - ASN1error(ERR_R_MALLOC_FAILURE); - goto auxerr; - } - *in = p; - if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL)) - goto auxerr; - return 1; - - default: + } + if (!asn1_get_length_cbs(cbs, 0, &indefinite, &length)) { + ASN1error(ASN1_R_BAD_OBJECT_HEADER); return 0; } - auxerr: - ASN1error(ASN1_R_AUX_ERROR); - err: - if (combine == 0) - ASN1_item_ex_free(pval, it); - if (errtt) - ERR_asprintf_error_data("Field=%s, Type=%s", errtt->field_name, - it->sname); - else - ERR_asprintf_error_data("Type=%s", it->sname); - return 0; -} - -int -ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, - const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx) -{ - return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0); -} - -/* Templates are handled with two separate functions. - * One handles any EXPLICIT tag and the other handles the rest. - */ - -static int -asn1_template_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long inlen, - const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx, int depth) -{ - int flags, aclass; - int ret; - long len; - const unsigned char *p, *q; - char exp_eoc; - - if (!val) + /* Indefinite length can only be used with constructed encoding. 
*/ + if (indefinite && !constructed) { + ASN1error(ASN1_R_BAD_OBJECT_HEADER); return 0; - flags = tt->flags; - aclass = flags & ASN1_TFLG_TAG_CLASS; + } - p = *in; + if (!indefinite && CBS_len(cbs) < length) { + ASN1error(ASN1_R_TOO_LONG); + return 0; + } - /* Check if EXPLICIT tag expected */ - if (flags & ASN1_TFLG_EXPTAG) { - char cst; - /* Need to work out amount of data available to the inner - * content and where it starts: so read in EXPLICIT header to - * get the info. - */ - ret = asn1_check_tlen(&len, NULL, NULL, &exp_eoc, &cst, - &p, inlen, tt->tag, aclass, opt, ctx); - q = p; - if (!ret) { - ASN1error(ERR_R_NESTED_ASN1_ERROR); - return 0; - } else if (ret == -1) - return -1; - if (!cst) { - ASN1error(ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED); - return 0; - } - /* We've found the field so it can't be OPTIONAL now */ - ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth); - if (!ret) { - ASN1error(ERR_R_NESTED_ASN1_ERROR); - return 0; - } - /* We read the field in OK so update length */ - len -= p - q; - if (exp_eoc) { - /* If NDEF we must have an EOC here */ - if (!asn1_check_eoc(&p, len)) { - ASN1error(ASN1_R_MISSING_EOC); - goto err; - } - } else { - /* Otherwise we must hit the EXPLICIT tag end or its - * an error */ - if (len) { - ASN1error(ASN1_R_EXPLICIT_LENGTH_MISMATCH); - goto err; - } - } - } else - return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx, - depth); + if (tag_number > INT_MAX) { + ASN1error(ASN1_R_TOO_LONG); + return 0; + } + + if (indefinite) + length = CBS_len(cbs); + + if (out_len != NULL) + *out_len = length; + if (out_tag != NULL) + *out_tag = tag_number; + if (out_class != NULL) + *out_class = tag_class << 6; + if (out_indefinite != NULL) + *out_indefinite = indefinite; + if (out_constructed != NULL) + *out_constructed = constructed; - *in = p; return 1; - - err: - ASN1_template_free(val, tt); - return 0; } +/* Collect the contents from a constructed ASN.1 object. 
*/ static int -asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, - const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx, int depth) +asn1_collect(CBB *cbb, CBS *cbs, int indefinite, int expected_tag, + int expected_class, int depth) { - int flags, aclass; - int ret; - const unsigned char *p, *q; + int constructed; + size_t length; + CBS content; + int need_eoc; - if (!val) + if (depth > ASN1_MAX_STRING_NEST) { + ASN1error(ASN1_R_NESTED_ASN1_STRING); + return 0; + } + + need_eoc = indefinite; + + while (CBS_len(cbs) > 0) { + if (asn1_check_eoc(cbs)) { + if (!need_eoc) { + ASN1error(ASN1_R_UNEXPECTED_EOC); + return 0; + } + return 1; + } + if (!asn1_check_tag(cbs, &length, NULL, NULL, &indefinite, + &constructed, expected_tag, expected_class, 0)) { + ASN1error(ERR_R_NESTED_ASN1_ERROR); + return 0; + } + + if (constructed) { + if (!asn1_collect(cbb, cbs, indefinite, expected_tag, + expected_class, depth + 1)) + return 0; + continue; + } + + if (!CBS_get_bytes(cbs, &content, length)) { + ASN1error(ERR_R_NESTED_ASN1_ERROR); + return 0; + } + if (!CBB_add_bytes(cbb, CBS_data(&content), CBS_len(&content))) + return 0; + } + + if (need_eoc) { + ASN1error(ASN1_R_MISSING_EOC); return 0; - flags = tt->flags; - aclass = flags & ASN1_TFLG_TAG_CLASS; - - p = *in; - q = p; - - if (flags & ASN1_TFLG_SK_MASK) { - /* SET OF, SEQUENCE OF */ - int sktag, skaclass; - char sk_eoc; - /* First work out expected inner tag value */ - if (flags & ASN1_TFLG_IMPTAG) { - sktag = tt->tag; - skaclass = aclass; - } else { - skaclass = V_ASN1_UNIVERSAL; - if (flags & ASN1_TFLG_SET_OF) - sktag = V_ASN1_SET; - else - sktag = V_ASN1_SEQUENCE; - } - /* Get the tag */ - ret = asn1_check_tlen(&len, NULL, NULL, &sk_eoc, NULL, - &p, len, sktag, skaclass, opt, ctx); - if (!ret) { - ASN1error(ERR_R_NESTED_ASN1_ERROR); - return 0; - } else if (ret == -1) - return -1; - if (!*val) - *val = (ASN1_VALUE *)sk_new_null(); - else { - /* We've got a valid STACK: free up any items present */ - 
STACK_OF(ASN1_VALUE) *sktmp = - (STACK_OF(ASN1_VALUE) *)*val; - ASN1_VALUE *vtmp; - while (sk_ASN1_VALUE_num(sktmp) > 0) { - vtmp = sk_ASN1_VALUE_pop(sktmp); - ASN1_item_ex_free(&vtmp, - tt->item); - } - } - - if (!*val) { - ASN1error(ERR_R_MALLOC_FAILURE); - goto err; - } - - /* Read as many items as we can */ - while (len > 0) { - ASN1_VALUE *skfield; - q = p; - /* See if EOC found */ - if (asn1_check_eoc(&p, len)) { - if (!sk_eoc) { - ASN1error(ASN1_R_UNEXPECTED_EOC); - goto err; - } - len -= p - q; - sk_eoc = 0; - break; - } - skfield = NULL; - if (!asn1_item_ex_d2i(&skfield, &p, len, - tt->item, -1, 0, 0, ctx, depth)) { - ASN1error(ERR_R_NESTED_ASN1_ERROR); - goto err; - } - len -= p - q; - if (!sk_ASN1_VALUE_push((STACK_OF(ASN1_VALUE) *)*val, - skfield)) { - ASN1error(ERR_R_MALLOC_FAILURE); - goto err; - } - } - if (sk_eoc) { - ASN1error(ASN1_R_MISSING_EOC); - goto err; - } - } else if (flags & ASN1_TFLG_IMPTAG) { - /* IMPLICIT tagging */ - ret = asn1_item_ex_d2i(val, &p, len, - tt->item, tt->tag, aclass, opt, ctx, depth); - if (!ret) { - ASN1error(ERR_R_NESTED_ASN1_ERROR); - goto err; - } else if (ret == -1) - return -1; - } else { - /* Nothing special */ - ret = asn1_item_ex_d2i(val, &p, len, tt->item, - -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx, depth); - if (!ret) { - ASN1error(ERR_R_NESTED_ASN1_ERROR); - goto err; - } else if (ret == -1) - return -1; } - *in = p; return 1; - - err: - ASN1_template_free(val, tt); - return 0; } +/* Find the end of an ASN.1 object. 
*/ static int -asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, long inlen, - const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx) +asn1_find_end(CBS *cbs, size_t length, int indefinite) { - int ret = 0, utype; - long plen; - char cst, inf; - const unsigned char *p; - const unsigned char *content = NULL; - uint8_t *data = NULL; - size_t data_len = 0; - CBB cbb; - long len; + size_t eoc_count; - memset(&cbb, 0, sizeof(cbb)); - - if (!pval) { - ASN1error(ASN1_R_ILLEGAL_NULL); - return 0; /* Should never happen */ - } - - if (it->itype == ASN1_ITYPE_MSTRING) { - utype = tag; - tag = -1; - } else - utype = it->utype; - - if (utype == V_ASN1_ANY) { - /* If type is ANY need to figure out type from tag */ - unsigned char oclass; - if (tag >= 0) { - ASN1error(ASN1_R_ILLEGAL_TAGGED_ANY); - return 0; - } - if (opt) { - ASN1error(ASN1_R_ILLEGAL_OPTIONAL_ANY); - return 0; - } - p = *in; - ret = asn1_check_tlen(NULL, &utype, &oclass, NULL, NULL, - &p, inlen, -1, 0, 0, ctx); - if (!ret) { + if (!indefinite) { + if (!CBS_skip(cbs, length)) { ASN1error(ERR_R_NESTED_ASN1_ERROR); return 0; } - if (oclass != V_ASN1_UNIVERSAL) - utype = V_ASN1_OTHER; + return 1; } - if (tag == -1) { - tag = utype; - aclass = V_ASN1_UNIVERSAL; - } - p = *in; - /* Check header */ - ret = asn1_check_tlen(&plen, NULL, NULL, &inf, &cst, - &p, inlen, tag, aclass, opt, ctx); - if (!ret) { - ASN1error(ERR_R_NESTED_ASN1_ERROR); - return 0; - } else if (ret == -1) - return -1; - ret = 0; - /* SEQUENCE, SET and "OTHER" are left in encoded form */ - if ((utype == V_ASN1_SEQUENCE) || (utype == V_ASN1_SET) || - (utype == V_ASN1_OTHER)) { - /* Clear context cache for type OTHER because the auto clear - * when we have a exact match wont work - */ - if (utype == V_ASN1_OTHER) { - asn1_tlc_invalidate(ctx); - } else if (!cst) { - /* SEQUENCE and SET must be constructed */ - ASN1error(ASN1_R_TYPE_NOT_CONSTRUCTED); + + eoc_count = 1; + + while (CBS_len(cbs) > 0) { + if (asn1_check_eoc(cbs)) 
{ + if (--eoc_count == 0) + break; + continue; + } + if (!asn1_check_tag(cbs, &length, NULL, NULL, + &indefinite, NULL, -1, 0, 0)) { + ASN1error(ERR_R_NESTED_ASN1_ERROR); return 0; } - - content = *in; - /* If indefinite length constructed find the real end */ - if (inf) { - if (!asn1_find_end(&p, plen, inf)) - goto err; - len = p - content; - } else { - len = p - content + plen; - p += plen; + if (indefinite) { + eoc_count++; + continue; } - } else if (cst) { - /* - * Should really check the internal tags are correct but - * some things may get this wrong. The relevant specs - * say that constructed string types should be OCTET STRINGs - * internally irrespective of the type. So instead just check - * for UNIVERSAL class and ignore the tag. - */ - if (!CBB_init(&cbb, 0)) - goto err; - if (!asn1_collect(&cbb, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) - goto err; - if (!CBB_finish(&cbb, &data, &data_len)) - goto err; - - if (data_len > LONG_MAX) - goto err; - - content = data; - len = data_len; - } else { - content = p; - len = plen; - p += plen; + if (!CBS_skip(cbs, length)) + return 0; } - /* We now have content length and type: translate into a structure */ - if (!asn1_ex_c2i(pval, content, len, utype, it)) - goto err; + if (eoc_count > 0) { + ASN1error(ASN1_R_MISSING_EOC); + return 0; + } - *in = p; - ret = 1; - - err: - CBB_cleanup(&cbb); - freezero(data, data_len); - - return ret; + return 1; } -/* Translate ASN1 content octets into a structure */ - static int -asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *content, int len, int utype, - const ASN1_ITEM *it) +asn1_c2i_primitive(ASN1_VALUE **pval, CBS *content, int utype, const ASN1_ITEM *it) { - ASN1_VALUE **opval = NULL; - ASN1_STRING *stmp; - ASN1_TYPE *typ = NULL; - ASN1_INTEGER **tint; + ASN1_BOOLEAN *abool; + ASN1_STRING *astr; + uint8_t val; int ret = 0; - if (it->funcs != NULL) { - const ASN1_PRIMITIVE_FUNCS *pf = it->funcs; - char free_content = 0; + if (it->funcs != NULL) + goto err; - if 
(pf->prim_c2i == NULL) - return 0; - return pf->prim_c2i(pval, content, len, utype, &free_content, it); - } + if (CBS_len(content) > INT_MAX) + goto err; - /* If ANY type clear type and set pointer to internal value */ - if (it->utype == V_ASN1_ANY) { - if (!*pval) { - typ = ASN1_TYPE_new(); - if (typ == NULL) - goto err; - *pval = (ASN1_VALUE *)typ; - } else - typ = (ASN1_TYPE *)*pval; - - if (utype != typ->type) - ASN1_TYPE_set(typ, utype, NULL); - opval = pval; - pval = &typ->value.asn1_value; - } switch (utype) { case V_ASN1_OBJECT: - if (!c2i_ASN1_OBJECT((ASN1_OBJECT **)pval, &content, len)) + if (!c2i_ASN1_OBJECT_cbs((ASN1_OBJECT **)pval, content)) goto err; break; case V_ASN1_NULL: - if (len) { + if (CBS_len(content) != 0) { ASN1error(ASN1_R_NULL_IS_WRONG_LENGTH); goto err; } @@ -835,28 +302,29 @@ asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *content, int len, int utype, break; case V_ASN1_BOOLEAN: - if (len != 1) { + abool = (ASN1_BOOLEAN *)pval; + if (CBS_len(content) != 1) { ASN1error(ASN1_R_BOOLEAN_IS_WRONG_LENGTH); goto err; - } else { - ASN1_BOOLEAN *tbool; - tbool = (ASN1_BOOLEAN *)pval; - *tbool = *content; } + if (!CBS_get_u8(content, &val)) + goto err; + *abool = val; break; case V_ASN1_BIT_STRING: - if (!c2i_ASN1_BIT_STRING((ASN1_BIT_STRING **)pval, &content, len)) + if (!c2i_ASN1_BIT_STRING_cbs((ASN1_BIT_STRING **)pval, content)) + goto err; + break; + + case V_ASN1_ENUMERATED: + if (!c2i_ASN1_ENUMERATED_cbs((ASN1_ENUMERATED **)pval, content)) goto err; break; case V_ASN1_INTEGER: - case V_ASN1_ENUMERATED: - tint = (ASN1_INTEGER **)pval; - if (!c2i_ASN1_INTEGER(tint, &content, len)) + if (!c2i_ASN1_INTEGER_cbs((ASN1_INTEGER **)pval, content)) goto err; - /* Fixup type to match the expected form */ - (*tint)->type = utype | ((*tint)->type & V_ASN1_NEG); break; case V_ASN1_OCTET_STRING: 
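Review bot: asn1_collect() is invoked (in the later hunk of this file) with expected_tag -1 and expected_class V_ASN1_UNIVERSAL under a comment saying the code checks for UNIVERSAL class and ignores the tag, but asn1_check_tag() compares the class only inside `if (expected_tag >= 0)`, so with -1 neither the tag nor the class of the inner string elements is checked. If the class check is intended, asn1_collect() should pass an `out_class` to asn1_check_tag() and itself reject elements whose class differs from expected_class with `ASN1error(ASN1_R_WRONG_TAG); return 0;`; otherwise the comment at the call site should say that neither is enforced. Separately, asn1_find_end()'s `if (!CBS_skip(cbs, length)) return 0;` is the only failure path in the hunk that sets no error, and `ASN1error(ERR_R_NESTED_ASN1_ERROR);` before the return would match its siblings. In asn1_collect() the `indefinite` parameter is overwritten by asn1_check_tag() for each element once need_eoc has captured it; a separate local such as `int element_indefinite;` would make the two roles distinct.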
@@ -877,267 +345,931 @@ asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *content, int len, int utype, case V_ASN1_SET: case V_ASN1_SEQUENCE: default: - if (utype == V_ASN1_BMPSTRING && (len & 1)) { + if (utype == V_ASN1_BMPSTRING && (CBS_len(content) & 1)) { ASN1error(ASN1_R_BMPSTRING_IS_WRONG_LENGTH); goto err; } - if (utype == V_ASN1_UNIVERSALSTRING && (len & 3)) { + if (utype == V_ASN1_UNIVERSALSTRING && (CBS_len(content) & 3)) { ASN1error(ASN1_R_UNIVERSALSTRING_IS_WRONG_LENGTH); goto err; } - /* All based on ASN1_STRING and handled the same way. */ - if (*pval == NULL) { - if ((stmp = ASN1_STRING_type_new(utype)) == NULL) { - ASN1error(ERR_R_MALLOC_FAILURE); + if (utype == V_ASN1_UTCTIME || utype == V_ASN1_GENERALIZEDTIME) { + if (!asn1_time_parse_cbs(content, + utype == V_ASN1_GENERALIZEDTIME, NULL)) { + ASN1error(ASN1_R_INVALID_TIME_FORMAT); goto err; } - *pval = (ASN1_VALUE *)stmp; - } else { - stmp = (ASN1_STRING *)*pval; - stmp->type = utype; } - if (!ASN1_STRING_set(stmp, content, len)) { - ASN1_STRING_free(stmp); + /* All based on ASN1_STRING and handled the same way. */ + if (*pval != NULL) { + ASN1_STRING_free((ASN1_STRING *)*pval); *pval = NULL; + } + if ((astr = ASN1_STRING_type_new(utype)) == NULL) { + ASN1error(ERR_R_MALLOC_FAILURE); goto err; } + if (!ASN1_STRING_set(astr, CBS_data(content), CBS_len(content))) { + ASN1_STRING_free(astr); + goto err; + } + *pval = (ASN1_VALUE *)astr; break; } - /* If ASN1_ANY and NULL type fix up value */ - if (typ && (utype == V_ASN1_NULL)) - typ->value.ptr = NULL; ret = 1; err: - if (!ret) { - ASN1_TYPE_free(typ); - if (opval) - *opval = NULL; - } return ret; } -/* This function finds the end of an ASN1 structure when passed its maximum - * length, whether it is indefinite length and a pointer to the content. - * This is more efficient than calling asn1_collect because it does not - * recurse on each indefinite length header. 
- */ +static int +asn1_c2i_any(ASN1_VALUE **pval, CBS *content, int utype, const ASN1_ITEM *it) +{ + ASN1_TYPE *atype; + + if (it->utype != V_ASN1_ANY || it->funcs != NULL) + return 0; + + if (*pval != NULL) { + ASN1_TYPE_free((ASN1_TYPE *)*pval); + *pval = NULL; + } + + if ((atype = ASN1_TYPE_new()) == NULL) + return 0; + + if (!asn1_c2i_primitive(&atype->value.asn1_value, content, utype, it)) { + ASN1_TYPE_free(atype); + return 0; + } + atype->type = utype; + + /* Fix up value for ASN.1 NULL. */ + if (atype->type == V_ASN1_NULL) + atype->value.ptr = NULL; + + *pval = (ASN1_VALUE *)atype; + + return 1; +} static int -asn1_find_end(const unsigned char **in, long len, char inf) +asn1_c2i(ASN1_VALUE **pval, CBS *content, int utype, const ASN1_ITEM *it) { - int expected_eoc; - long plen; - const unsigned char *p = *in, *q; + if (CBS_len(content) > INT_MAX) + return 0; - /* If not indefinite length constructed just add length */ - if (inf == 0) { - *in += len; - return 1; + if (it->funcs != NULL) { + const ASN1_PRIMITIVE_FUNCS *pf = it->funcs; + char free_content = 0; + + if (pf->prim_c2i == NULL) + return 0; + + return pf->prim_c2i(pval, CBS_data(content), CBS_len(content), + utype, &free_content, it); } - expected_eoc = 1; - /* Indefinite length constructed form. Find the end when enough EOCs - * are found. If more indefinite length constructed headers - * are encountered increment the expected eoc count otherwise just - * skip to the end of the data. + + if (it->utype == V_ASN1_ANY) + return asn1_c2i_any(pval, content, utype, it); + + return asn1_c2i_primitive(pval, content, utype, it); +} + +/* + * Decode ASN.1 content into a primitive type. There are three possible forms - + * a SEQUENCE/SET/OTHER that is stored verbatim (including the ASN.1 tag and + * length octets), constructed objects and non-constructed objects. In the + * first two cases indefinite length is permitted, which we may need to handle. 
+ * When this function is called the *cbs should reference the start of the + * ASN.1 object (i.e. the tag/length header), while *cbs_object should + * reference the start of the object contents (i.e. after the tag/length + * header. Additionally, the *cbs_object offset should be relative to the + * ASN.1 object being parsed. On success the *cbs will point at the octet + * after the object. + */ +static int +asn1_d2i_primitive_content(ASN1_VALUE **pval, CBS *cbs, CBS *cbs_object, + int utype, int constructed, int indefinite, size_t length, + const ASN1_ITEM *it) +{ + CBS cbs_content, cbs_initial; + uint8_t *data = NULL; + size_t data_len = 0; + CBB cbb; + int ret = 0; + + memset(&cbb, 0, sizeof(cbb)); + + CBS_dup(cbs, &cbs_initial); + CBS_init(&cbs_content, NULL, 0); + + if (asn1_must_be_constructed(utype) && !constructed) { + ASN1error(ASN1_R_TYPE_NOT_CONSTRUCTED); + goto err; + } + if (asn1_must_be_primitive(utype) && constructed) { + ASN1error(ASN1_R_TYPE_NOT_PRIMITIVE); + goto err; + } + + /* SEQUENCE, SET and "OTHER" are left in encoded form. */ + if (utype == V_ASN1_SEQUENCE || utype == V_ASN1_SET || + utype == V_ASN1_OTHER) { + if (!asn1_find_end(cbs_object, length, indefinite)) + goto err; + if (!CBS_get_bytes(&cbs_initial, &cbs_content, + CBS_offset(cbs_object))) + goto err; + } else if (constructed) { + /* + * Should really check the internal tags are correct but + * some things may get this wrong. The relevant specs + * say that constructed string types should be OCTET STRINGs + * internally irrespective of the type. So instead just check + * for UNIVERSAL class and ignore the tag. 
+ */ + if (!CBB_init(&cbb, 0)) + goto err; + if (!asn1_collect(&cbb, cbs_object, indefinite, -1, + V_ASN1_UNIVERSAL, 0)) + goto err; + if (!CBB_finish(&cbb, &data, &data_len)) + goto err; + + CBS_init(&cbs_content, data, data_len); + } else { + if (!CBS_get_bytes(cbs_object, &cbs_content, length)) + goto err; + } + + if (!asn1_c2i(pval, &cbs_content, utype, it)) + goto err; + + if (!CBS_skip(cbs, CBS_offset(cbs_object))) + goto err; + + ret = 1; + + err: + CBB_cleanup(&cbb); + freezero(data, data_len); + + return ret; +} + +static int +asn1_d2i_any(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it, + int tag_number, int tag_class, int optional) +{ + int constructed, indefinite; + uint8_t object_class; + int object_type; + CBS cbs_object; + size_t length; + + CBS_init(&cbs_object, CBS_data(cbs), CBS_len(cbs)); + + if (it->utype != V_ASN1_ANY) + return 0; + + if (tag_number >= 0) { + ASN1error(ASN1_R_ILLEGAL_TAGGED_ANY); + return 0; + } + if (optional) { + ASN1error(ASN1_R_ILLEGAL_OPTIONAL_ANY); + return 0; + } + + /* Determine type from ASN.1 tag. */ + if (asn1_check_tag(&cbs_object, &length, &object_type, &object_class, + &indefinite, &constructed, -1, 0, 0) != 1) { + ASN1error(ERR_R_NESTED_ASN1_ERROR); + return 0; + } + if (object_class != V_ASN1_UNIVERSAL) + object_type = V_ASN1_OTHER; + + return asn1_d2i_primitive_content(pval, cbs, &cbs_object, object_type, + constructed, indefinite, length, it); +} + +static int +asn1_d2i_mstring(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it, + int tag_number, int tag_class, int optional) +{ + int constructed, indefinite; + uint8_t object_class; + int object_tag; + CBS cbs_object; + size_t length; + + CBS_init(&cbs_object, CBS_data(cbs), CBS_len(cbs)); + + /* + * It never makes sense for multi-strings to have implicit tagging, so + * if tag_number != -1, then this looks like an error in the template. 
*/ - while (len > 0) { - if (asn1_check_eoc(&p, len)) { - expected_eoc--; - if (expected_eoc == 0) - break; - len -= 2; + if (tag_number != -1) { + ASN1error(ASN1_R_BAD_TEMPLATE); + return 0; + } + + if (asn1_check_tag(&cbs_object, &length, &object_tag, &object_class, + &indefinite, &constructed, -1, 0, 1) != 1) { + ASN1error(ERR_R_NESTED_ASN1_ERROR); + return 0; + } + + /* Class must be UNIVERSAL. */ + if (object_class != V_ASN1_UNIVERSAL) { + if (optional) + return -1; + ASN1error(ASN1_R_MSTRING_NOT_UNIVERSAL); + return 0; + } + /* Check tag matches bit map. */ + if ((ASN1_tag2bit(object_tag) & it->utype) == 0) { + if (optional) + return -1; + ASN1error(ASN1_R_MSTRING_WRONG_TAG); + return 0; + } + + return asn1_d2i_primitive_content(pval, cbs, &cbs_object, + object_tag, constructed, indefinite, length, it); +} + +static int +asn1_d2i_primitive(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it, + int tag_number, int tag_class, int optional) +{ + CBS cbs_object; + int constructed, indefinite; + int utype = it->utype; + size_t length; + int ret; + + CBS_init(&cbs_object, CBS_data(cbs), CBS_len(cbs)); + + if (it->itype == ASN1_ITYPE_MSTRING) + return 0; + + if (it->utype == V_ASN1_ANY) + return asn1_d2i_any(pval, cbs, it, tag_number, tag_class, optional); + + if (tag_number == -1) { + tag_number = it->utype; + tag_class = V_ASN1_UNIVERSAL; + } + + ret = asn1_check_tag(&cbs_object, &length, NULL, NULL, &indefinite, + &constructed, tag_number, tag_class, optional); + if (ret == -1) + return -1; + if (ret != 1) { + ASN1error(ERR_R_NESTED_ASN1_ERROR); + return 0; + } + + return asn1_d2i_primitive_content(pval, cbs, &cbs_object, utype, + constructed, indefinite, length, it); +} + +static int +asn1_item_d2i_choice(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it, + int tag_number, int tag_class, int optional, int depth) +{ + const ASN1_TEMPLATE *at, *errat = NULL; + const ASN1_AUX *aux; + ASN1_aux_cb *asn1_cb = NULL; + ASN1_VALUE *achoice = NULL; + ASN1_VALUE **pchptr; + 
int i, ret; + + if ((aux = it->funcs) != NULL) + asn1_cb = aux->asn1_cb; + + if (it->itype != ASN1_ITYPE_CHOICE) + goto err; + + /* + * It never makes sense for CHOICE types to have implicit tagging, so + * if tag_number != -1, then this looks like an error in the template. + */ + if (tag_number != -1) { + ASN1error(ASN1_R_BAD_TEMPLATE); + goto err; + } + + if (*pval != NULL) { + ASN1_item_ex_free(pval, it); + *pval = NULL; + } + + if (!ASN1_item_ex_new(&achoice, it)) { + ASN1error(ERR_R_NESTED_ASN1_ERROR); + goto err; + } + + if (asn1_cb != NULL && !asn1_cb(ASN1_OP_D2I_PRE, &achoice, it, NULL)) { + ASN1error(ASN1_R_AUX_ERROR); + goto err; + } + + /* Try each possible CHOICE in turn. */ + for (i = 0; i < it->tcount; i++) { + at = &it->templates[i]; + + pchptr = asn1_get_field_ptr(&achoice, at); + + /* Mark field as OPTIONAL so its absence can be identified. */ + ret = asn1_template_d2i(pchptr, cbs, at, 1, depth); + if (ret == -1) continue; - } - q = p; - /* Just read in a header: only care about the length */ - if (!asn1_check_tlen(&plen, NULL, NULL, &inf, NULL, &p, len, - -1, 0, 0, NULL)) { + if (ret != 1) { ASN1error(ERR_R_NESTED_ASN1_ERROR); - return 0; + errat = at; + goto err; } - if (inf) - expected_eoc++; - else - p += plen; - len -= p - q; + + /* We've successfully decoded an ASN.1 object. */ + asn1_set_choice_selector(&achoice, i, it); + break; } - if (expected_eoc) { - ASN1error(ASN1_R_MISSING_EOC); - return 0; + + /* Did we fall off the end without reading anything? */ + if (i == it->tcount) { + if (optional) { + ASN1_item_ex_free(&achoice, it); + return -1; + } + ASN1error(ASN1_R_NO_MATCHING_CHOICE_TYPE); + goto err; } - *in = p; + + if (asn1_cb != NULL && !asn1_cb(ASN1_OP_D2I_POST, &achoice, it, NULL)) { + ASN1error(ASN1_R_AUX_ERROR); + goto err; + } + + *pval = achoice; + achoice = NULL; + return 1; -} -/* This function collects the asn1 data from a constructred string - * type into a buffer. 
The values of 'in' and 'len' should refer - * to the contents of the constructed type and 'inf' should be set - * if it is indefinite length. - */ -#ifndef ASN1_MAX_STRING_NEST -/* This determines how many levels of recursion are permitted in ASN1 - * string types. If it is not limited stack overflows can occur. If set - * to zero no recursion is allowed at all. Although zero should be adequate - * examples exist that require a value of 1. So 5 should be more than enough. - */ -#define ASN1_MAX_STRING_NEST 5 -#endif + err: + ASN1_item_ex_free(&achoice, it); -static int -asn1_collect(CBB *cbb, const unsigned char **in, long len, char inf, - int tag, int aclass, int depth) -{ - const unsigned char *p, *q; - long plen; - char cst, ininf; + if (errat != NULL) + ERR_asprintf_error_data("Field=%s, Type=%s", errat->field_name, + it->sname); + else + ERR_asprintf_error_data("Type=%s", it->sname); - if (depth > ASN1_MAX_STRING_NEST) { - ASN1error(ASN1_R_NESTED_ASN1_STRING); - return 0; - } - - p = *in; - inf &= 1; - - while (len > 0) { - q = p; - /* Check for EOC */ - if (asn1_check_eoc(&p, len)) { - /* EOC is illegal outside indefinite length - * constructed form */ - if (!inf) { - ASN1error(ASN1_R_UNEXPECTED_EOC); - return 0; - } - inf = 0; - break; - } - - if (!asn1_check_tlen(&plen, NULL, NULL, &ininf, &cst, &p, - len, tag, aclass, 0, NULL)) { - ASN1error(ERR_R_NESTED_ASN1_ERROR); - return 0; - } - - /* If indefinite length constructed update max length */ - if (cst) { - if (!asn1_collect(cbb, &p, plen, ininf, tag, aclass, - depth + 1)) - return 0; - } else if (plen > 0) { - if (!CBB_add_bytes(cbb, p, plen)) - return 0; - p += plen; - } - len -= p - q; - } - if (inf) { - ASN1error(ASN1_R_MISSING_EOC); - return 0; - } - *in = p; - return 1; -} - -/* Check for ASN1 EOC and swallow it if found */ - -static int -asn1_check_eoc(const unsigned char **in, long len) -{ - const unsigned char *p; - - if (len < 2) - return 0; - p = *in; - if (!p[0] && !p[1]) { - *in += 2; - return 
1; - } return 0; } -/* Check an ASN1 tag and length: a bit like ASN1_get_object - * but it sets the length for indefinite length constructed - * form, we don't know the exact length but we can set an - * upper bound to the amount of data available minus the - * header length just read. - */ +static int +asn1_item_d2i_sequence(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it, + int tag_number, int tag_class, int optional, int depth) +{ + CBS cbs_seq, cbs_seq_content, cbs_object; + int constructed, indefinite, optional_field; + const ASN1_TEMPLATE *errat = NULL; + const ASN1_TEMPLATE *seqat, *at; + ASN1_aux_cb *asn1_cb = NULL; + const ASN1_AUX *aux; + ASN1_VALUE *aseq = NULL; + ASN1_VALUE **pseqval; + int eoc_needed, i; + size_t length; + int ret = 0; + + CBS_init(&cbs_seq, CBS_data(cbs), CBS_len(cbs)); + + if ((aux = it->funcs) != NULL) + asn1_cb = aux->asn1_cb; + + if (it->itype != ASN1_ITYPE_NDEF_SEQUENCE && + it->itype != ASN1_ITYPE_SEQUENCE) + goto err; + + if (*pval != NULL) { + ASN1_item_ex_free(pval, it); + *pval = NULL; + } + + /* If no IMPLICIT tagging use UNIVERSAL/SEQUENCE. */ + if (tag_number == -1) { + tag_class = V_ASN1_UNIVERSAL; + tag_number = V_ASN1_SEQUENCE; + } + + /* Read ASN.1 SEQUENCE header. 
*/ + ret = asn1_check_tag(&cbs_seq, &length, NULL, NULL, &indefinite, + &constructed, tag_number, tag_class, optional); + if (ret == -1) + return -1; + if (ret != 1) { + ASN1error(ERR_R_NESTED_ASN1_ERROR); + goto err; + } + + if (!constructed) { + ASN1error(ASN1_R_SEQUENCE_NOT_CONSTRUCTED); + goto err; + } + + if (indefinite) { + eoc_needed = 1; + CBS_init(&cbs_seq_content, CBS_data(&cbs_seq), CBS_len(&cbs_seq)); + } else { + eoc_needed = 0; + if (!CBS_get_bytes(&cbs_seq, &cbs_seq_content, length)) + goto err; + } + + if (!ASN1_item_ex_new(&aseq, it)) { + ASN1error(ERR_R_NESTED_ASN1_ERROR); + goto err; + } + + if (asn1_cb != NULL && !asn1_cb(ASN1_OP_D2I_PRE, &aseq, it, NULL)) { + ASN1error(ASN1_R_AUX_ERROR); + goto err; + } + + for (i = 0; i < it->tcount; i++) { + at = &it->templates[i]; + + if (asn1_check_eoc(&cbs_seq_content)) { + if (!indefinite) { + ASN1error(ASN1_R_UNEXPECTED_EOC); + goto err; + } + eoc_needed = 0; + break; + } + if (CBS_len(&cbs_seq_content) == 0) + break; + + if ((seqat = asn1_do_adb(&aseq, at, 1)) == NULL) + goto err; + + pseqval = asn1_get_field_ptr(&aseq, seqat); + + /* + * This was originally implemented to "increase efficiency", + * however it currently needs to remain since it papers over + * the use of ASN.1 ANY with OPTIONAL in SEQUENCEs (which + * asn1_d2i_primitive() currently rejects). + */ + optional_field = (seqat->flags & ASN1_TFLG_OPTIONAL) != 0; + if (i == it->tcount - 1) + optional_field = 0; + + ret = asn1_template_d2i(pseqval, &cbs_seq_content, + seqat, optional_field, depth); + if (ret == -1) { + /* Absent OPTIONAL component. 
*/ + ASN1_template_free(pseqval, seqat); + continue; + } + if (ret != 1) { + errat = seqat; + goto err; + } + } + + if (eoc_needed && !asn1_check_eoc(&cbs_seq_content)) { + ASN1error(ASN1_R_MISSING_EOC); + goto err; + } + + if (indefinite) { + if (!CBS_skip(&cbs_seq, CBS_offset(&cbs_seq_content))) + goto err; + } else if (CBS_len(&cbs_seq_content) != 0) { + ASN1error(ASN1_R_SEQUENCE_LENGTH_MISMATCH); + goto err; + } + + /* + * There is no more data in the ASN.1 SEQUENCE, however we may not have + * populated all fields - check that any remaining are OPTIONAL. + */ + for (; i < it->tcount; i++) { + at = &it->templates[i]; + + if ((seqat = asn1_do_adb(&aseq, at, 1)) == NULL) + goto err; + + if ((seqat->flags & ASN1_TFLG_OPTIONAL) == 0) { + ASN1error(ASN1_R_FIELD_MISSING); + errat = seqat; + goto err; + } + + /* XXX - this is probably unnecessary with earlier free. */ + pseqval = asn1_get_field_ptr(&aseq, seqat); + ASN1_template_free(pseqval, seqat); + } + + if (!CBS_get_bytes(cbs, &cbs_object, CBS_offset(&cbs_seq))) + goto err; + + if (!asn1_enc_save(&aseq, &cbs_object, it)) { + ASN1error(ERR_R_MALLOC_FAILURE); + goto err; + } + + if (asn1_cb != NULL && !asn1_cb(ASN1_OP_D2I_POST, &aseq, it, NULL)) { + ASN1error(ASN1_R_AUX_ERROR); + goto err; + } + + *pval = aseq; + aseq = NULL; + + return 1; + + err: + ASN1_item_ex_free(&aseq, it); + + if (errat != NULL) + ERR_asprintf_error_data("Field=%s, Type=%s", errat->field_name, + it->sname); + else + ERR_asprintf_error_data("Type=%s", it->sname); + + return 0; +} static int -asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, char *inf, - char *cst, const unsigned char **in, long len, int exptag, int expclass, - char opt, ASN1_TLC *ctx) +asn1_item_d2i_extern(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it, + int tag_number, int tag_class, int optional) { - int i; - int ptag, pclass; - long plen; - const unsigned char *p, *q; + const ASN1_EXTERN_FUNCS *ef = it->funcs; + const unsigned char *p = NULL; + ASN1_TLC ctx 
= { 0 }; + int ret = 0; - p = *in; - q = p; + if (CBS_len(cbs) > LONG_MAX) + return 0; - if (ctx && ctx->valid) { - i = ctx->ret; - plen = ctx->plen; - pclass = ctx->pclass; - ptag = ctx->ptag; - p += ctx->hdrlen; - } else { - i = ASN1_get_object(&p, &plen, &ptag, &pclass, len); - if (ctx) { - ctx->ret = i; - ctx->plen = plen; - ctx->pclass = pclass; - ctx->ptag = ptag; - ctx->hdrlen = p - q; - ctx->valid = 1; - /* If definite length, and no error, length + - * header can't exceed total amount of data available. - */ - if (!(i & 0x81) && ((plen + ctx->hdrlen) > len)) { - ASN1error(ASN1_R_TOO_LONG); - asn1_tlc_invalidate(ctx); - return 0; - } - } + p = CBS_data(cbs); + + if ((ret = ef->asn1_ex_d2i(pval, &p, (long)CBS_len(cbs), it, + tag_number, tag_class, optional, &ctx)) == 1) { + if (!CBS_skip(cbs, p - CBS_data(cbs))) + goto err; + } + return ret; + + err: + ASN1_item_ex_free(pval, it); + + ERR_asprintf_error_data("Type=%s", it->sname); + + return 0; +} + +static int +asn1_item_d2i(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it, + int tag_number, int tag_class, int optional, int depth) +{ + if (pval == NULL) + return 0; + + if (++depth > ASN1_MAX_CONSTRUCTED_NEST) { + ASN1error(ASN1_R_NESTED_TOO_DEEP); + goto err; } - if (i & 0x80) { - ASN1error(ASN1_R_BAD_OBJECT_HEADER); - asn1_tlc_invalidate(ctx); + switch (it->itype) { + case ASN1_ITYPE_PRIMITIVE: + if (it->templates != NULL) { + /* + * Tagging or OPTIONAL is currently illegal on an item + * template because the flags can't get passed down. + * In practice this isn't a problem: we include the + * relevant flags from the item template in the + * template itself. 
+ */ + if (tag_number != -1 || optional) { + ASN1error(ASN1_R_ILLEGAL_OPTIONS_ON_ITEM_TEMPLATE); + goto err; + } + return asn1_template_d2i(pval, cbs, it->templates, + optional, depth); + } + return asn1_d2i_primitive(pval, cbs, it, tag_number, tag_class, + optional); + + case ASN1_ITYPE_MSTRING: + return asn1_d2i_mstring(pval, cbs, it, tag_number, tag_class, + optional); + + case ASN1_ITYPE_EXTERN: + return asn1_item_d2i_extern(pval, cbs, it, tag_number, + tag_class, optional); + + case ASN1_ITYPE_CHOICE: + return asn1_item_d2i_choice(pval, cbs, it, tag_number, + tag_class, optional, depth); + + case ASN1_ITYPE_NDEF_SEQUENCE: + case ASN1_ITYPE_SEQUENCE: + return asn1_item_d2i_sequence(pval, cbs, it, tag_number, + tag_class, optional, depth); + + default: return 0; } - if (exptag >= 0) { - if ((exptag != ptag) || (expclass != pclass)) { - /* If type is OPTIONAL, not an error: - * indicate missing type. - */ - if (opt) - return -1; - asn1_tlc_invalidate(ctx); - ASN1error(ASN1_R_WRONG_TAG); - return 0; - } - /* We have a tag and class match: - * assume we are going to do something with it */ - asn1_tlc_invalidate(ctx); + + err: + ASN1_item_ex_free(pval, it); + + ERR_asprintf_error_data("Type=%s", it->sname); + + return 0; +} + +static void +asn1_template_stack_of_free(STACK_OF(ASN1_VALUE) *avals, + const ASN1_TEMPLATE *at) +{ + ASN1_VALUE *aval; + + if (avals == NULL) + return; + + while (sk_ASN1_VALUE_num(avals) > 0) { + aval = sk_ASN1_VALUE_pop(avals); + ASN1_item_ex_free(&aval, at->item); + } + sk_ASN1_VALUE_free(avals); +} + +static int +asn1_template_stack_of_d2i(ASN1_VALUE **pval, CBS *cbs, const ASN1_TEMPLATE *at, + int optional, int depth) +{ + CBS cbs_object, cbs_object_content; + STACK_OF(ASN1_VALUE) *avals = NULL; + ASN1_VALUE *aval = NULL; + int tag_number, tag_class; + int eoc_needed; + int indefinite; + size_t length; + int ret; + + CBS_init(&cbs_object, CBS_data(cbs), CBS_len(cbs)); + + if (pval == NULL) + return 0; + + 
asn1_template_stack_of_free((STACK_OF(ASN1_VALUE) *)*pval, at); + *pval = NULL; + + tag_number = at->tag; + tag_class = at->flags & ASN1_TFLG_TAG_CLASS; + + /* Determine the inner tag value for SET OF or SEQUENCE OF. */ + if ((at->flags & ASN1_TFLG_IMPTAG) == 0) { + tag_number = V_ASN1_SEQUENCE; + tag_class = V_ASN1_UNIVERSAL; + if ((at->flags & ASN1_TFLG_SET_OF) != 0) + tag_number = V_ASN1_SET; } - if (i & 1) - plen = len - (p - q); - if (inf) - *inf = i & 1; - if (cst) - *cst = i & V_ASN1_CONSTRUCTED; - if (olen) - *olen = plen; - if (oclass) - *oclass = pclass; - if (otag) - *otag = ptag; + ret = asn1_check_tag(&cbs_object, &length, NULL, NULL, &indefinite, + NULL, tag_number, tag_class, optional); + if (ret == -1) + return -1; + if (ret != 1) { + ASN1error(ERR_R_NESTED_ASN1_ERROR); + return 0; + } + + if (indefinite) { + eoc_needed = 1; + CBS_init(&cbs_object_content, CBS_data(&cbs_object), + CBS_len(&cbs_object)); + } else { + eoc_needed = 0; + if (!CBS_get_bytes(&cbs_object, &cbs_object_content, + length)) + goto err; + } + + if ((avals = sk_ASN1_VALUE_new_null()) == NULL) { + ASN1error(ERR_R_MALLOC_FAILURE); + goto err; + } + + /* Read as many items as possible. 
*/ + while (CBS_len(&cbs_object_content) > 0) { + if (asn1_check_eoc(&cbs_object_content)) { + if (!eoc_needed) { + ASN1error(ASN1_R_UNEXPECTED_EOC); + goto err; + } + eoc_needed = 0; + break; + } + if (!asn1_item_d2i(&aval, &cbs_object_content, at->item, -1, 0, + 0, depth)) { + ASN1error(ERR_R_NESTED_ASN1_ERROR); + goto err; + } + if (!sk_ASN1_VALUE_push(avals, aval)) { + ASN1error(ERR_R_MALLOC_FAILURE); + goto err; + } + aval = NULL; + } + if (eoc_needed) { + ASN1error(ASN1_R_MISSING_EOC); + goto err; + } + + if (indefinite) { + if (!CBS_skip(&cbs_object, CBS_offset(&cbs_object_content))) + goto err; + } + + if (!CBS_skip(cbs, CBS_offset(&cbs_object))) + goto err; + + *pval = (ASN1_VALUE *)avals; + avals = NULL; - *in = p; return 1; + + err: + asn1_template_stack_of_free(avals, at); + ASN1_item_ex_free(&aval, at->item); + + return 0; +} + +static int +asn1_template_noexp_d2i(ASN1_VALUE **pval, CBS *cbs, const ASN1_TEMPLATE *at, + int optional, int depth) +{ + int tag_number, tag_class; + int ret; + + if (pval == NULL) + return 0; + + if ((at->flags & ASN1_TFLG_SK_MASK) != 0) + return asn1_template_stack_of_d2i(pval, cbs, at, optional, depth); + + tag_number = -1; + tag_class = V_ASN1_UNIVERSAL; + + /* See if we need to use IMPLICIT tagging. */ + if ((at->flags & ASN1_TFLG_IMPTAG) != 0) { + tag_number = at->tag; + tag_class = at->flags & ASN1_TFLG_TAG_CLASS; + } + + ret = asn1_item_d2i(pval, cbs, at->item, tag_number, tag_class, + optional, depth); + if (ret == -1) + return -1; + if (ret != 1) { + ASN1error(ERR_R_NESTED_ASN1_ERROR); + goto err; + } + + return 1; + + err: + /* XXX - The called function should have freed already. */ + ASN1_template_free(pval, at); + return 0; +} + +static int +asn1_template_d2i(ASN1_VALUE **pval, CBS *cbs, const ASN1_TEMPLATE *at, + int optional, int depth) +{ + CBS cbs_exp, cbs_exp_content; + int constructed, indefinite; + size_t length; + int ret; + + if (pval == NULL) + return 0; + + /* Check if EXPLICIT tag is expected. 
*/ + if ((at->flags & ASN1_TFLG_EXPTAG) == 0) + return asn1_template_noexp_d2i(pval, cbs, at, optional, depth); + + CBS_init(&cbs_exp, CBS_data(cbs), CBS_len(cbs)); + + /* Read ASN.1 header for EXPLICIT tagged object. */ + ret = asn1_check_tag(&cbs_exp, &length, NULL, NULL, &indefinite, + &constructed, at->tag, at->flags & ASN1_TFLG_TAG_CLASS, optional); + if (ret == -1) + return -1; + if (ret != 1) { + ASN1error(ERR_R_NESTED_ASN1_ERROR); + return 0; + } + + if (!constructed) { + ASN1error(ASN1_R_EXPLICIT_TAG_NOT_CONSTRUCTED); + return 0; + } + + if (indefinite) { + CBS_init(&cbs_exp_content, CBS_data(&cbs_exp), CBS_len(&cbs_exp)); + } else { + if (!CBS_get_bytes(&cbs_exp, &cbs_exp_content, length)) + goto err; + } + + if ((ret = asn1_template_noexp_d2i(pval, &cbs_exp_content, at, 0, + depth)) != 1) { + ASN1error(ERR_R_NESTED_ASN1_ERROR); + return 0; + } + + if (indefinite) { + if (!asn1_check_eoc(&cbs_exp_content)) { + ASN1error(ASN1_R_MISSING_EOC); + goto err; + } + if (!CBS_skip(&cbs_exp, CBS_offset(&cbs_exp_content))) + goto err; + } else if (CBS_len(&cbs_exp_content) != 0) { + ASN1error(ASN1_R_SEQUENCE_LENGTH_MISMATCH); + goto err; + } + + if (!CBS_skip(cbs, CBS_offset(&cbs_exp))) + goto err; + + return 1; + + err: + ASN1_template_free(pval, at); + return 0; +} + +ASN1_VALUE * +ASN1_item_d2i(ASN1_VALUE **pval, const unsigned char **in, long inlen, + const ASN1_ITEM *it) +{ + ASN1_VALUE *ptmpval = NULL; + + if (pval == NULL) + pval = &ptmpval; + if (ASN1_item_ex_d2i(pval, in, inlen, it, -1, 0, 0, NULL) <= 0) + return NULL; + + return *pval; +} + +int +ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long inlen, + const ASN1_ITEM *it, int tag_number, int tag_class, char optional, + ASN1_TLC *ctx) +{ + CBS cbs; + int ret; + + if (inlen < 0) + return 0; + + CBS_init(&cbs, *in, inlen); + if ((ret = asn1_item_d2i(pval, &cbs, it, tag_number, tag_class, + (int)optional, 0)) == 1) + *in = CBS_data(&cbs); + + return ret; +} + +int 
+ASN1_template_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, + const ASN1_TEMPLATE *at) +{ + CBS cbs; + int ret; + + if (len < 0) + return 0; + + CBS_init(&cbs, *in, len); + if ((ret = asn1_template_d2i(pval, &cbs, at, 0, 0)) == 1) + *in = CBS_data(&cbs); + + return ret; } diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c index ee2320f..bbe8a2e 100644 --- a/crypto/asn1/tasn_enc.c +++ b/crypto/asn1/tasn_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_enc.c,v 1.24 2022/01/07 11:13:54 tb Exp $ */ +/* $OpenBSD: tasn_enc.c,v 1.31 2023/04/30 16:46:49 job Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -64,7 +64,7 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass); @@ -106,22 +106,28 @@ static int asn1_item_flags_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it, int flags) { - if (out && !*out) { - unsigned char *p, *buf; - int len; - len = ASN1_item_ex_i2d(&val, NULL, it, -1, flags); - if (len <= 0) - return len; - buf = malloc(len); - if (!buf) - return -1; - p = buf; - ASN1_item_ex_i2d(&val, &p, it, -1, flags); - *out = buf; + unsigned char *p, *buf; + int len; + + if (out == NULL || *out != NULL) + return ASN1_item_ex_i2d(&val, out, it, -1, flags); + + if ((len = ASN1_item_ex_i2d(&val, NULL, it, -1, flags)) <= 0) return len; + + if ((buf = calloc(1, len)) == NULL) + return -1; + + p = buf; + if (ASN1_item_ex_i2d(&val, &p, it, -1, flags) != len) { + freezero(buf, len); + ASN1error(ASN1_R_LENGTH_ERROR); + return -1; } - return ASN1_item_ex_i2d(&val, out, it, -1, flags); + *out = buf; + + return len; } /* Encode an item, taking care of IMPLICIT tagging (if any). 
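Review bot: In the rewritten `asn1_item_flags_i2d` (`@@ -106` hunk of tasn_enc.c), the `!= len` comparison on the second `ASN1_item_ex_i2d(&val, &p, it, -1, flags)` call is evaluated only after that call has already written through `p`, so a second pass longer than the first would overrun the `len`-byte `buf` before the mismatch is detected; the check catches encoder inconsistency, it does not bound the write. That is inherent to the i2d interface, which takes no output length, but the limitation should be stated where a maintainer will look, e.g. `/* Two-pass encode: the second pass is unbounded, so a length mismatch is detected after the write, not prevented. */` above the `p = buf;` line. The `calloc`/`freezero` pairing and the `ASN1_R_LENGTH_ERROR` report are otherwise sound.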
@@ -494,7 +500,7 @@ static int asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, const ASN1_ITEM *it, int tag, int aclass) { - int len; + int olen, len; int utype; int usetag; int ndef = 0; @@ -505,7 +511,7 @@ asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, * out the underlying type. */ - len = asn1_ex_i2c(pval, NULL, &utype, it); + olen = len = asn1_ex_i2c(pval, NULL, &utype, it); /* If SEQUENCE, SET or OTHER then header is * included in pseudo content octets so don't @@ -529,6 +535,10 @@ asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, len = 0; } + /* Treat any other negative value as an error. */ + if (len < 0) + return -1; + /* If not implicitly tagged get tag from underlying type */ if (tag == -1) tag = utype; @@ -537,7 +547,8 @@ asn1_i2d_ex_primitive(ASN1_VALUE **pval, unsigned char **out, if (out) { if (usetag) ASN1_put_object(out, ndef, len, tag, aclass); - asn1_ex_i2c(pval, *out, &utype, it); + if (asn1_ex_i2c(pval, *out, &utype, it) != olen) + return -1; if (ndef) ASN1_put_eoc(out); else diff --git a/crypto/asn1/tasn_fre.c b/crypto/asn1/tasn_fre.c index 64d3856..38f3764 100644 --- a/crypto/asn1/tasn_fre.c +++ b/crypto/asn1/tasn_fre.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_fre.c,v 1.18 2022/01/07 12:24:17 tb Exp $ */ +/* $OpenBSD: tasn_fre.c,v 1.21 2022/11/26 16:08:50 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ 
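Review bot: In the `@@ -537` hunk, `if (asn1_ex_i2c(pval, *out, &utype, it) != olen) return -1;` runs after `ASN1_put_object()` has advanced `*out` past the header and after the content has been written, so on a mismatch the caller's output pointer is left mid-object and any overrun of a buffer sized by the first pass has already occurred; the comparison detects encoder inconsistency rather than preventing it, which deserves a comment since the i2d interface carries no output bound. Comparing against `olen` instead of `len` is correct because the preceding context zeroes `len` for the `-2` (NULL) case, and that is not obvious at the call site; suggest `/* Compare with the unadjusted length: len is reset to 0 for the -2 (NULL) case. */` above the check. `asn1_i2d_ex_primitive` starts and ends outside these hunks.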
@@ -62,27 +62,26 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" -static void asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, - int combine); +static void asn1_item_free(ASN1_VALUE **pval, const ASN1_ITEM *it); /* Free up an ASN1 structure */ void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it) { - asn1_item_combine_free(&val, it, 0); + asn1_item_free(&val, it); } void ASN1_item_ex_free(ASN1_VALUE **pval, const ASN1_ITEM *it) { - asn1_item_combine_free(pval, it, 0); + asn1_item_free(pval, it); } static void -asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine) +asn1_item_free(ASN1_VALUE **pval, const ASN1_ITEM *it) { const ASN1_TEMPLATE *tt = NULL, *seqtt; const ASN1_EXTERN_FUNCS *ef; @@ -126,10 +125,8 @@ asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine) } if (asn1_cb) asn1_cb(ASN1_OP_FREE_POST, pval, it, NULL); - if (!combine) { - free(*pval); - *pval = NULL; - } + free(*pval); + *pval = NULL; break; case ASN1_ITYPE_EXTERN: @@ -147,7 +144,7 @@ asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine) if (i == 2) return; } - asn1_enc_free(pval, it); + asn1_enc_cleanup(pval, it); /* If we free up as normal we will invalidate any * ANY DEFINED BY field and we wont be able to * determine the type of the field it defines. So @@ -164,10 +161,8 @@ asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine) } if (asn1_cb) asn1_cb(ASN1_OP_FREE_POST, pval, it, NULL); - if (!combine) { - free(*pval); - *pval = NULL; - } + free(*pval); + *pval = NULL; break; } } 
@@ -181,14 +176,12 @@ ASN1_template_free(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt) for (i = 0; i < sk_ASN1_VALUE_num(sk); i++) { ASN1_VALUE *vtmp; vtmp = sk_ASN1_VALUE_value(sk, i); - asn1_item_combine_free(&vtmp, tt->item, - 0); + asn1_item_free(&vtmp, tt->item); } sk_ASN1_VALUE_free(sk); *pval = NULL; } else - asn1_item_combine_free(pval, tt->item, - tt->flags & ASN1_TFLG_COMBINE); + asn1_item_free(pval, tt->item); } void diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c index 1f17f17..5d436cf 100644 --- a/crypto/asn1/tasn_new.c +++ b/crypto/asn1/tasn_new.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_new.c,v 1.21 2022/01/07 12:24:17 tb Exp $ */ +/* $OpenBSD: tasn_new.c,v 1.23 2022/11/26 16:08:50 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -64,10 +64,9 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" -static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, - int combine); +static int asn1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it); static void asn1_item_clear(ASN1_VALUE **pval, const ASN1_ITEM *it); static void asn1_template_clear(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt); static void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it); @@ -86,11 +85,11 @@ ASN1_item_new(const ASN1_ITEM *it) int ASN1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it) { - return asn1_item_ex_combine_new(pval, it, 0); + return asn1_item_ex_new(pval, it); } static int -asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine) +asn1_item_ex_new(ASN1_VALUE **pval, const ASN1_ITEM *it) { const ASN1_TEMPLATE *tt = NULL; const ASN1_EXTERN_FUNCS *ef; @@ -102,9 +101,7 @@ asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine) if (aux != NULL && aux->asn1_cb != NULL) asn1_cb = aux->asn1_cb; - if (!combine) - *pval = NULL; - + *pval = NULL; switch (it->itype) { case ASN1_ITYPE_EXTERN: 
@@ -137,11 +134,9 @@ asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine) return 1; } } - if (!combine) { - *pval = calloc(1, it->size); - if (!*pval) - goto memerr; - } + *pval = calloc(1, it->size); + if (!*pval) + goto memerr; asn1_set_choice_selector(pval, -1, it); if (asn1_cb && !asn1_cb(ASN1_OP_NEW_POST, pval, it, NULL)) goto auxerr; @@ -157,13 +152,11 @@ asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine) return 1; } } - if (!combine) { - *pval = calloc(1, it->size); - if (!*pval) - goto memerr; - asn1_do_lock(pval, 0, it); - asn1_enc_init(pval, it); - } + *pval = calloc(1, it->size); + if (!*pval) + goto memerr; + asn1_do_lock(pval, 0, it); + asn1_enc_init(pval, it); for (i = 0, tt = it->templates; i < it->tcount; tt++, i++) { pseqval = asn1_get_field_ptr(pval, tt); if (!ASN1_template_new(pseqval, tt)) @@ -249,7 +242,7 @@ ASN1_template_new(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt) goto done; } /* Otherwise pass it back to the item routine */ - ret = asn1_item_ex_combine_new(pval, it, tt->flags & ASN1_TFLG_COMBINE); + ret = asn1_item_ex_new(pval, it); done: return ret; } diff --git a/crypto/asn1/tasn_prn.c b/crypto/asn1/tasn_prn.c index 54ec56e..9652a97 100644 --- a/crypto/asn1/tasn_prn.c +++ b/crypto/asn1/tasn_prn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_prn.c,v 1.22 2021/12/03 17:10:49 jsing Exp $ */ +/* $OpenBSD: tasn_prn.c,v 1.24 2023/04/17 08:43:16 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -65,22 +65,17 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" /* Print routines. */ /* ASN1_PCTX routines */ -ASN1_PCTX default_pctx = { - ASN1_PCTX_FLAGS_SHOW_ABSENT, /* flags */ - 0, /* nm_flags */ - 0, /* cert_flags */ - 0, /* oid_flags */ - 0 /* str_flags */ +static const ASN1_PCTX default_pctx = { + .flags = ASN1_PCTX_FLAGS_SHOW_ABSENT, }; - ASN1_PCTX * ASN1_PCTX_new(void) { 
diff --git a/crypto/asn1/tasn_utl.c b/crypto/asn1/tasn_utl.c index e64bbe1..ae546ed 100644 --- a/crypto/asn1/tasn_utl.c +++ b/crypto/asn1/tasn_utl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_utl.c,v 1.13 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: tasn_utl.c,v 1.18 2022/12/26 07:18:51 jmc Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -56,13 +56,17 @@ * */ +#include #include #include + #include #include #include #include +#include "bytestring.h" + /* Utility functions for manipulating fields and offsets */ /* Add 'offset' to 'addr' */ @@ -96,7 +100,7 @@ asn1_set_choice_selector(ASN1_VALUE **pval, int value, const ASN1_ITEM *it) /* Do reference counting. The value 'op' decides what to do. * if it is +1 then the count is incremented. If op is 0 count is * set to 1. If op is -1 count is decremented and the return value - * is the current refrence count or 0 if no reference count exists. + * is the current reference count or 0 if no reference count exists. */ int 
@@ -123,79 +127,96 @@ asn1_do_lock(ASN1_VALUE **pval, int op, const ASN1_ITEM *it) static ASN1_ENCODING * asn1_get_enc_ptr(ASN1_VALUE **pval, const ASN1_ITEM *it) { - const ASN1_AUX *aux; + const ASN1_AUX *aux = it->funcs; - if (!pval || !*pval) + if (pval == NULL || *pval == NULL) return NULL; - aux = it->funcs; - if (!aux || !(aux->flags & ASN1_AFLG_ENCODING)) + + if (aux == NULL || (aux->flags & ASN1_AFLG_ENCODING) == 0) return NULL; + return offset2ptr(*pval, aux->enc_offset); } void asn1_enc_init(ASN1_VALUE **pval, const ASN1_ITEM *it) { - ASN1_ENCODING *enc; + ASN1_ENCODING *aenc; - enc = asn1_get_enc_ptr(pval, it); - if (enc) { - enc->enc = NULL; - enc->len = 0; - enc->modified = 1; - } + if ((aenc = asn1_get_enc_ptr(pval, it)) == NULL) + return; + + aenc->enc = NULL; + aenc->len = 0; + aenc->modified = 1; +} + +static void +asn1_enc_clear(ASN1_ENCODING *aenc) +{ + freezero(aenc->enc, aenc->len); + aenc->enc = NULL; + aenc->len = 0; + aenc->modified = 1; } void -asn1_enc_free(ASN1_VALUE **pval, const ASN1_ITEM *it) +asn1_enc_cleanup(ASN1_VALUE **pval, const ASN1_ITEM *it) { - ASN1_ENCODING *enc; + ASN1_ENCODING *aenc; - enc = asn1_get_enc_ptr(pval, it); - if (enc) { - free(enc->enc); - enc->enc = NULL; - enc->len = 0; - enc->modified = 1; - } + if ((aenc = asn1_get_enc_ptr(pval, it)) == NULL) + return; + + asn1_enc_clear(aenc); } int -asn1_enc_save(ASN1_VALUE **pval, const unsigned char *in, int inlen, - const ASN1_ITEM *it) +asn1_enc_save(ASN1_VALUE **pval, CBS *cbs, const ASN1_ITEM *it) { - ASN1_ENCODING *enc; + ASN1_ENCODING *aenc; + uint8_t *data = NULL; + size_t data_len = 0; - enc = asn1_get_enc_ptr(pval, it); - if (!enc) + if ((aenc = asn1_get_enc_ptr(pval, it)) == NULL) return 1; - free(enc->enc); - enc->enc = malloc(inlen); - if (!enc->enc) + asn1_enc_clear(aenc); + + if (!CBS_stow(cbs, &data, &data_len)) return 0; - memcpy(enc->enc, in, inlen); - enc->len = inlen; - enc->modified = 0; + if (data_len > LONG_MAX) { + freezero(data, data_len); + 
return 0; + } + + aenc->enc = data; + aenc->len = (long)data_len; + aenc->modified = 0; return 1; } int -asn1_enc_restore(int *len, unsigned char **out, ASN1_VALUE **pval, +asn1_enc_restore(int *out_len, unsigned char **out, ASN1_VALUE **pval, const ASN1_ITEM *it) { - ASN1_ENCODING *enc; + ASN1_ENCODING *aenc; - enc = asn1_get_enc_ptr(pval, it); - if (!enc || enc->modified) + if ((aenc = asn1_get_enc_ptr(pval, it)) == NULL) return 0; - if (out) { - memcpy(*out, enc->enc, enc->len); - *out += enc->len; + + if (aenc->modified) + return 0; + + if (out != NULL) { + memcpy(*out, aenc->enc, aenc->len); + *out += aenc->len; } - if (len) - *len = enc->len; + + if (out_len != NULL) + *out_len = aenc->len; + return 1; } @@ -205,8 +226,6 @@ asn1_get_field_ptr(ASN1_VALUE **pval, const ASN1_TEMPLATE *tt) { ASN1_VALUE **pvaltmp; - if (tt->flags & ASN1_TFLG_COMBINE) - return pval; pvaltmp = offset2ptr(*pval, tt->offset); /* NOTE for BOOLEAN types the field is just a plain * int so we can't return int **, so settle for diff --git a/crypto/asn1/x_attrib.c b/crypto/asn1/x_attrib.c index 47b5afd..d116094 100644 --- a/crypto/asn1/x_attrib.c +++ b/crypto/asn1/x_attrib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_attrib.c,v 1.16 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: x_attrib.c,v 1.18 2022/11/26 16:08:50 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
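Review bot: `asn1_enc_save` rejects only `data_len > LONG_MAX`, but `asn1_enc_restore` stores the saved length into `int *out_len` (`*out_len = aenc->len;`), so an encoding between INT_MAX and LONG_MAX bytes is accepted on save and silently truncated on restore; since the i2d path reports lengths as `int`, the narrower bound is the right one: `if (data_len > INT_MAX) {`. The hunk already adds a header that presumably is limits.h (the include name was stripped in this rendering), so the constant should be available. `asn1_enc_restore`'s `memcpy(*out, aenc->enc, aenc->len)` remains unbounded on the output side, which is inherent to the interface but worth a one-line comment at the memcpy.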
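Review bot: Dropping the `ASN1_TFLG_COMBINE` shortcut from `asn1_get_field_ptr` means any template still carrying that flag is now addressed through `offset2ptr(*pval, tt->offset)` like an ordinary field; the in-tree user (x_attrib.c) is converted in this commit, but if the flag is still defined in the public asn1t.h, an out-of-tree template that sets it would silently get a pointer into the wrong place in the structure. Either remove the flag definition in the same change or have the template code reject it with `ASN1_R_BAD_TEMPLATE`; at minimum add `/* ASN1_TFLG_COMBINE is no longer supported; every field is addressed by offset. */` above the `offset2ptr` call. The rest of `asn1_get_field_ptr` is outside the hunk.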
@@ -62,50 +62,16 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" -/* X509_ATTRIBUTE: this has the following form: - * - * typedef struct x509_attributes_st - * { - * ASN1_OBJECT *object; - * int single; - * union { - * char *ptr; - * STACK_OF(ASN1_TYPE) *set; - * ASN1_TYPE *single; - * } value; - * } X509_ATTRIBUTE; - * - * this needs some extra thought because the CHOICE type is - * merged with the main structure and because the value can - * be anything at all we *must* try the SET OF first because - * the ASN1_ANY type will swallow anything including the whole - * SET OF structure. +/* + * XXX - remove X509_ATTRIBUTE_SET_it with next major bump. */ - -static const ASN1_TEMPLATE X509_ATTRIBUTE_SET_ch_tt[] = { - { - .flags = ASN1_TFLG_SET_OF, - .tag = 0, - .offset = offsetof(X509_ATTRIBUTE, value.set), - .field_name = "value.set", - .item = &ASN1_ANY_it, - }, - { - .flags = 0, - .tag = 0, - .offset = offsetof(X509_ATTRIBUTE, value.single), - .field_name = "value.single", - .item = &ASN1_ANY_it, - }, -}; - const ASN1_ITEM X509_ATTRIBUTE_SET_it = { .itype = ASN1_ITYPE_CHOICE, - .utype = offsetof(X509_ATTRIBUTE, single), - .templates = X509_ATTRIBUTE_SET_ch_tt, - .tcount = sizeof(X509_ATTRIBUTE_SET_ch_tt) / sizeof(ASN1_TEMPLATE), + .utype = 0, + .templates = NULL, + .tcount = 0, .funcs = NULL, .size = sizeof(X509_ATTRIBUTE), .sname = "X509_ATTRIBUTE", @@ -119,13 +85,12 @@ static const ASN1_TEMPLATE X509_ATTRIBUTE_seq_tt[] = { .field_name = "object", .item = &ASN1_OBJECT_it, }, - /* CHOICE type merged with parent */ { - .flags = 0 | ASN1_TFLG_COMBINE, + .flags = ASN1_TFLG_SET_OF, .tag = 0, - .offset = 0, - .field_name = NULL, - .item = &X509_ATTRIBUTE_SET_it, + .offset = offsetof(X509_ATTRIBUTE, set), + .field_name = "set", + .item = &ASN1_ANY_it, }, }; 
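Review bot: The retained `X509_ATTRIBUTE_SET_it` is now a CHOICE item with `.templates = NULL`, `.tcount = 0` and `.utype = 0`; the removed line `.utype = offsetof(X509_ATTRIBUTE, single)` shows that for a CHOICE `utype` is the selector offset, so a selector offset of 0 now aliases the `object` pointer at the start of `X509_ATTRIBUTE`, and `ASN1_item_new()` through this stub would write the `-1` selector over that pointer. Since the item is kept only for ABI compatibility, the XXX comment should say it is inert and must not be passed to the `ASN1_item_*` API, e.g. `/* Kept for ABI compatibility only: an empty CHOICE whose selector offset overlaps 'object'. Do not use with ASN1_item_*(). */`. Alternatively point `.utype` at a harmless field so accidental use cannot corrupt `object`.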
@@ -183,12 +148,9 @@ X509_ATTRIBUTE_create(int nid, int atrtype, void *value) if ((ret = X509_ATTRIBUTE_new()) == NULL) return (NULL); ret->object = oid; - ret->single = 0; - if ((ret->value.set = sk_ASN1_TYPE_new_null()) == NULL) - goto err; if ((val = ASN1_TYPE_new()) == NULL) goto err; - if (!sk_ASN1_TYPE_push(ret->value.set, val)) + if (!sk_ASN1_TYPE_push(ret->set, val)) goto err; ASN1_TYPE_set(val, atrtype, value); diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c index fab8fc2..bfcf941 100644 --- a/crypto/asn1/x_bignum.c +++ b/crypto/asn1/x_bignum.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_bignum.c,v 1.10 2019/04/01 15:49:22 jsing Exp $ */ +/* $OpenBSD: x_bignum.c,v 1.13 2022/11/26 16:08:50 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -61,15 +61,16 @@ #include #include +#include "asn1_local.h" +#include "bytestring.h" + /* - * Custom primitive type for BIGNUM handling. This reads in an ASN1_INTEGER as a - * BIGNUM directly. Currently it ignores the sign which isn't a problem since - * all BIGNUMs used are non negative and anything that looks negative is - * normally due to an encoding error. + * Custom primitive type for that reads an ASN.1 INTEGER into a BIGNUM. */ static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it); static void bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it); +static void bn_clear(ASN1_VALUE **pval, const ASN1_ITEM *it); static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it); @@ -83,7 +84,7 @@ static ASN1_PRIMITIVE_FUNCS bignum_pf = { .flags = 0, .prim_new = bn_new, .prim_free = bn_free, - .prim_clear = NULL, /* XXX */ + .prim_clear = bn_clear, .prim_c2i = bn_c2i, .prim_i2c = bn_i2c, .prim_print = bn_print, 
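Review bot: X509_ATTRIBUTE_create now pushes onto `ret->set` without allocating it, so it relies on X509_ATTRIBUTE_new() having created the stack through the ASN1_TFLG_SET_OF template introduced in the earlier x_attrib.c hunk; that is presumably the case, but nothing in this function checks or states it. A short comment before the push, `/* ret->set is allocated by X509_ATTRIBUTE_new() via the SET OF template. */`, documents the dependency. The start of the function is outside the hunk.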
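Review bot: The rewritten header comment in x_bignum.c reads `Custom primitive type for that reads an ASN.1 INTEGER into a BIGNUM.`, which has a stray `for`; `Custom primitive type that reads an ASN.1 INTEGER into a BIGNUM.` is what is meant. The removed text also recorded that the sign was ignored, and since bn_i2c/bn_c2i now appear to go through BN_to_ASN1_INTEGER/ASN1_INTEGER_to_BN, a sentence saying that negative values are now carried through the ASN1_INTEGER sign would tell readers the behaviour changed rather than leaving them to diff the old comment.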
@@ -112,11 +113,17 @@ const ASN1_ITEM CBIGNUM_it = { static int bn_new(ASN1_VALUE **pval, const ASN1_ITEM *it) { - *pval = (ASN1_VALUE *)BN_new(); - if (*pval) - return 1; - else + if ((*pval = (ASN1_VALUE *)BN_new()) == NULL) return 0; + + return 1; +} + +static void +bn_clear(ASN1_VALUE **pval, const ASN1_ITEM *it) +{ + BN_free((BIGNUM *)*pval); + *pval = NULL; } static void 
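Review bot: bn_clear releases the value with `BN_free`, and bn_free now delegates to it in the next hunk, whereas the removed bn_free body called `BN_clear_free`; if BN_free in this tree does not zero the limbs before releasing them, any secret-carrying BIGNUM decoded through this item (for example private key components) would no longer be scrubbed on free. If BN_free already zeroizes here, a comment on bn_clear such as `/* BN_free zeroizes before releasing, so BN_clear_free is not needed. */` keeps the next reader from re-raising this; otherwise `BN_clear_free((BIGNUM *)*pval);` should be restored.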
@@ -124,56 +131,70 @@ bn_free(ASN1_VALUE **pval, const ASN1_ITEM *it) { if (*pval == NULL) return; - BN_clear_free((BIGNUM *)*pval); - *pval = NULL; + + bn_clear(pval, it); } static int -bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it) +bn_i2c(ASN1_VALUE **pval, unsigned char *content, int *putype, const ASN1_ITEM *it) { - BIGNUM *bn; - int pad, len; + ASN1_INTEGER *aint = NULL; + unsigned char **pp = NULL; + const BIGNUM *bn; + int ret; if (*pval == NULL) return -1; - bn = (BIGNUM *)*pval; - /* If MSB set in an octet we need a padding byte */ - if (BN_num_bits(bn) & 0x7) - pad = 0; - else - pad = 1; - if (cont) { - if (pad) - *cont++ = 0; - len = BN_bn2bin(bn, cont); - } else - len = BN_num_bytes(bn); - return pad + len; + + bn = (const BIGNUM *)*pval; + + if ((aint = BN_to_ASN1_INTEGER(bn, NULL)) == NULL) + return -1; + + if (content != NULL) + pp = &content; + + ret = i2c_ASN1_INTEGER(aint, pp); + + ASN1_INTEGER_free(aint); + + return ret; } static int -bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, - char *free_cont, const ASN1_ITEM *it) +bn_c2i(ASN1_VALUE **pval, const unsigned char *content, int len, int utype, + char *free_content, const ASN1_ITEM *it) { + ASN1_INTEGER *aint = NULL; BIGNUM *bn; + CBS cbs; + int ret = 0; - if (*pval == NULL) { - if (bn_new(pval, it) == 0) - return 0; - } - bn = (BIGNUM *)*pval; - if (!BN_bin2bn(cont, len, bn)) { - bn_free(pval, it); - return 0; - } - return 1; + bn_clear(pval, it); + + if (len < 0) + goto err; + CBS_init(&cbs, content, len); + if (!c2i_ASN1_INTEGER_cbs(&aint, &cbs)) + goto err; + + if ((bn = ASN1_INTEGER_to_BN(aint, NULL)) == NULL) + goto err; + *pval = (ASN1_VALUE *)bn; + + ret = 1; + + err: + ASN1_INTEGER_free(aint); + + return ret; } static int bn_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it, int indent, const ASN1_PCTX *pctx) { - BIGNUM *bn = (BIGNUM *)*pval; + const BIGNUM *bn = (BIGNUM *)*pval; if (!BN_print(out, bn)) return 0; 
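Review bot: bn_print casts away const with `const BIGNUM *bn = (BIGNUM *)*pval;`; the cast should be `(const BIGNUM *)*pval` as bn_i2c does, otherwise the const on the declaration is decorative. Separately, bn_c2i now starts with `bn_clear(pval, it)`, so an existing BIGNUM in `*pval` is always freed and replaced rather than filled in place as the old `BN_bin2bn(cont, len, bn)` did, and on any failure `*pval` is left NULL; a comment at the top of bn_c2i stating that replacement semantics would help any caller that still holds the previous pointer. The `free_content` parameter is unused, which is presumably intended by the callback signature. bn_print's tail is outside the hunk.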
diff --git a/crypto/asn1/x_crl.c b/crypto/asn1/x_crl.c index 35d9007..f637bdd 100644 --- a/crypto/asn1/x_crl.c +++ b/crypto/asn1/x_crl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_crl.c,v 1.37 2022/02/24 22:05:06 beck Exp $ */ +/* $OpenBSD: x_crl.c,v 1.39 2022/12/26 16:00:36 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -65,8 +65,8 @@ #include #include -#include "asn1_locl.h" -#include "x509_lcl.h" +#include "asn1_local.h" +#include "x509_local.h" static int X509_REVOKED_cmp(const X509_REVOKED * const *a, const X509_REVOKED * const *b); @@ -755,3 +755,9 @@ X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, if (palg != NULL) *palg = crl->sig_alg; } + +const X509_ALGOR * +X509_CRL_get0_tbs_sigalg(const X509_CRL *crl) +{ + return crl->crl->sig_alg; +} diff --git a/crypto/asn1/x_exten.c b/crypto/asn1/x_exten.c index aba8973..fc54b49 100644 --- a/crypto/asn1/x_exten.c +++ b/crypto/asn1/x_exten.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_exten.c,v 1.17 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x_exten.c,v 1.18 2022/11/26 16:08:50 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -61,7 +61,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" static const ASN1_TEMPLATE X509_EXTENSION_seq_tt[] = { { diff --git a/crypto/asn1/x_long.c b/crypto/asn1/x_long.c index ff72338..aafdb9c 100644 --- a/crypto/asn1/x_long.c +++ b/crypto/asn1/x_long.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_long.c,v 1.16 2019/04/20 11:13:15 jsing Exp $ */ +/* $OpenBSD: x_long.c,v 1.19 2022/11/26 16:08:50 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -56,13 +56,15 @@ * */ -#include +#include #include #include #include #include +#include "asn1_local.h" + /* * Custom primitive type for long handling. This converts between an * ASN1_INTEGER and a long directly. 
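Review bot: X509_CRL_get0_tbs_sigalg is exported without a comment; as a get0 accessor it returns `crl->crl->sig_alg`, the algorithm identifier inside the tbsCertList, still owned by the CRL, and it dereferences `crl` and `crl->crl` without a NULL check, consistent with X509_CRL_get0_signature above it. A comment such as `/* Return the signature algorithm of the tbsCertList; owned by crl, must not be freed. */` would state that contract. Presumably the accessor exists so verifiers can compare this field with the outer signatureAlgorithm, which RFC 5280 requires to be identical; if so, saying that in the comment tells callers why both are exposed.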
@@ -70,11 +72,12 @@ static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it); static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it); +static void long_clear(ASN1_VALUE **pval, const ASN1_ITEM *it); -static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, +static int long_i2c(ASN1_VALUE **pval, unsigned char *content, int *putype, const ASN1_ITEM *it); -static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, - int utype, char *free_cont, const ASN1_ITEM *it); +static int long_c2i(ASN1_VALUE **pval, const unsigned char *content, int len, + int utype, char *free_content, const ASN1_ITEM *it); static int long_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it, int indent, const ASN1_PCTX *pctx); @@ -83,7 +86,7 @@ static ASN1_PRIMITIVE_FUNCS long_pf = { .flags = 0, .prim_new = long_new, .prim_free = long_free, - .prim_clear = long_free, /* Clear should set to initial value */ + .prim_clear = long_clear, .prim_c2i = long_c2i, .prim_i2c = long_i2c, .prim_print = long_print, 
@@ -109,108 +112,127 @@ const ASN1_ITEM ZLONG_it = { .sname = "ZLONG", }; +static void +long_get(ASN1_VALUE **pval, long *out_val) +{ + memcpy(out_val, pval, sizeof(long)); +} + +static void +long_set(ASN1_VALUE **pval, long val) +{ + memcpy(pval, &val, sizeof(long)); +} + static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it) { - *(long *)pval = it->size; + long_clear(pval, it); + return 1; } static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it) { - *(long *)pval = it->size; + long_clear(pval, it); +} + +static void +long_clear(ASN1_VALUE **pval, const ASN1_ITEM *it) +{ + /* Zero value. */ + long_set(pval, it->size); } static int -long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, +long_i2c(ASN1_VALUE **pval, unsigned char *content, int *putype, const ASN1_ITEM *it) { - long ltmp; - unsigned long utmp; - int clen, pad, i; - /* this exists to bypass broken gcc optimization */ - char *cp = (char *)pval; + ASN1_INTEGER *aint; + uint8_t **pp = NULL; + long val; + int ret = 0; - /* use memcpy, because we may not be long aligned */ - memcpy(<mp, cp, sizeof(long)); + long_get(pval, &val); - if (ltmp == it->size) - return -1; - /* Convert the long to positive: we subtract one if negative so - * we can cleanly handle the padding if only the MSB of the leading - * octet is set. + /* + * The zero value for this type (stored in the overloaded it->size + * field) is considered to be invalid. */ - if (ltmp < 0) - utmp = -(ltmp + 1); - else - utmp = ltmp; - clen = BN_num_bits_word(utmp); - /* If MSB of leading octet set we need to pad */ - if (!(clen & 0x7)) - pad = 1; - else - pad = 0; + if (val == it->size) + return -1; - /* Convert number of bits to number of octets */ - clen = (clen + 7) >> 3; + if ((aint = ASN1_INTEGER_new()) == NULL) + goto err; + if (!ASN1_INTEGER_set_int64(aint, (int64_t)val)) + goto err; + if (content != NULL) + pp = &content; + ret = i2c_ASN1_INTEGER(aint, pp); - if (cont) { - if (pad) - *cont++ = (ltmp < 0) ? 
0xff : 0; - for (i = clen - 1; i >= 0; i--) { - cont[i] = (unsigned char)(utmp & 0xff); - if (ltmp < 0) - cont[i] ^= 0xff; - utmp >>= 8; - } - } - return clen + pad; + err: + ASN1_INTEGER_free(aint); + + return ret; } static int -long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, - char *free_cont, const ASN1_ITEM *it) +long_c2i(ASN1_VALUE **pval, const unsigned char *content, int len, int utype, + char *free_content, const ASN1_ITEM *it) { - int neg, i; - long ltmp; - unsigned long utmp = 0; - char *cp = (char *)pval; - if (len > (int)sizeof(long)) { + ASN1_INTEGER *aint = NULL; + const uint8_t **pp = NULL; + int64_t val = 0; + int ret = 0; + + /* + * The original long_i2c() mishandled 0 values and encoded them as + * content with zero length, rather than a single zero byte. Permit + * zero length content here for backwards compatibility. + */ + if (len != 0) { + if (content != NULL) + pp = &content; + if (!c2i_ASN1_INTEGER(&aint, pp, len)) + goto err; + if (!ASN1_INTEGER_get_int64(&val, aint)) + goto err; + } + + if (val < LONG_MIN || val > LONG_MAX) { ASN1error(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG); - return 0; + goto err; } - /* Is it negative? */ - if (len && (cont[0] & 0x80)) - neg = 1; - else - neg = 0; - utmp = 0; - for (i = 0; i < len; i++) { - utmp <<= 8; - if (neg) - utmp |= cont[i] ^ 0xff; - else - utmp |= cont[i]; - } - ltmp = (long)utmp; - if (neg) { - ltmp = -ltmp; - ltmp--; - } - if (ltmp == it->size) { + + /* + * The zero value for this type (stored in the overloaded it->size + * field) is considered to be invalid. 
+ */ + if (val == (int64_t)it->size) { ASN1error(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG); - return 0; + goto err; } - memcpy(cp, <mp, sizeof(long)); - return 1; + + long_set(pval, (long)val); + + ret = 1; + + err: + ASN1_INTEGER_free(aint); + + return ret; } static int long_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it, int indent, const ASN1_PCTX *pctx) { - if (BIO_printf(out, "%ld\n", *(long *)pval) <= 0) + long val; + + long_get(pval, &val); + + if (BIO_printf(out, "%ld\n", val) <= 0) return 0; return 1; diff --git a/crypto/asn1/x_name.c b/crypto/asn1/x_name.c index 4c698ac..ea3a3c8 100644 --- a/crypto/asn1/x_name.c +++ b/crypto/asn1/x_name.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_name.c,v 1.37 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: x_name.c,v 1.38 2022/11/26 16:08:50 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -64,8 +64,8 @@ #include #include -#include "asn1_locl.h" -#include "x509_lcl.h" +#include "asn1_local.h" +#include "x509_local.h" typedef STACK_OF(X509_NAME_ENTRY) STACK_OF_X509_NAME_ENTRY; DECLARE_STACK_OF(STACK_OF_X509_NAME_ENTRY) diff --git a/crypto/asn1/x_pubkey.c b/crypto/asn1/x_pubkey.c index 69be6ed..4c255d6 100644 --- a/crypto/asn1/x_pubkey.c +++ b/crypto/asn1/x_pubkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_pubkey.c,v 1.31 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: x_pubkey.c,v 1.33 2022/11/26 16:08:50 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -71,9 +71,9 @@ #include #endif -#include "asn1_locl.h" -#include "evp_locl.h" -#include "x509_lcl.h" +#include "asn1_local.h" +#include "evp_local.h" +#include "x509_local.h" /* Minor tweak to operation: free up EVP_PKEY */ static int 
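Review bot: In long_i2c, `int ret = 0;` is also what is returned when `ASN1_INTEGER_new()` or `ASN1_INTEGER_set_int64()` fails, and the return value of this callback is the content length, so 0 reads as a zero-length INTEGER; long_c2i in the same hunk deliberately accepts zero-length content as the value 0, which means an allocation failure during encoding would silently serialize as 0. The callback has no separate error value, but the hunk already uses -1 for the invalid `it->size` case, so `int ret = -1;` at least keeps a failed encode from looking like a valid integer. The x_long.c hunk spans three lines here, beginning at the tail of ZLONG_it.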
@@ -716,15 +716,13 @@ X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj, int ptype, { if (!X509_ALGOR_set0(pub->algor, aobj, ptype, pval)) return 0; - if (penc) { - free(pub->public_key->data); - pub->public_key->data = penc; - pub->public_key->length = penclen; - /* Set number of unused bits to zero */ - pub->public_key->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); - pub->public_key->flags |= ASN1_STRING_FLAG_BITS_LEFT; - } - return 1; + + if (penc == NULL) + return 1; + + ASN1_STRING_set0(pub->public_key, penc, penclen); + + return asn1_abs_set_unused_bits(pub->public_key, 0); } int diff --git a/crypto/asn1/x_req.c b/crypto/asn1/x_req.c index 38e3790..42b9173 100644 --- a/crypto/asn1/x_req.c +++ b/crypto/asn1/x_req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_req.c,v 1.18 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x_req.c,v 1.19 2022/11/26 16:08:50 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -61,7 +61,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" /* X509_REQ_INFO is handled in an unusual way to get round * invalid encodings. Some broken certificate requests don't diff --git a/crypto/asn1/x_sig.c b/crypto/asn1/x_sig.c index 6a842da..9406a2d 100644 --- a/crypto/asn1/x_sig.c +++ b/crypto/asn1/x_sig.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_sig.c,v 1.13 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x_sig.c,v 1.14 2022/11/26 16:08:50 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -61,7 +61,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" static const ASN1_TEMPLATE X509_SIG_seq_tt[] = { { diff --git a/crypto/asn1/x_x509.c b/crypto/asn1/x_x509.c index 7147069..0c10bec 100644 --- a/crypto/asn1/x_x509.c +++ b/crypto/asn1/x_x509.c 
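Review bot: X509_PUBKEY_set0_param hands `penc` to `ASN1_STRING_set0(pub->public_key, penc, penclen)` before calling `asn1_abs_set_unused_bits`, so when that last call returns 0 the function reports failure although `pub` already owns `penc` (and `pub->algor` already owns `aobj` and `pval` from X509_ALGOR_set0); a caller that frees its inputs on a 0 return would double free. The removed body could not fail once it had taken ownership. Either document this, e.g. `/* On return, aobj, pval and penc are owned by pub even when 0 is returned. */`, or restructure so the fallible step happens before ownership transfers.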
@@ -1,4 +1,4 @@ -/* $OpenBSD: x_x509.c,v 1.30 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: x_x509.c,v 1.35 2023/04/28 16:30:14 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -65,7 +65,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" static const ASN1_AUX X509_CINF_aux = { .flags = ASN1_AFLG_ENCODING, @@ -169,8 +169,6 @@ X509_CINF_free(X509_CINF *a) } /* X509 top level structure needs a bit of customisation */ -extern void policy_cache_free(X509_POLICY_CACHE *cache); - static int x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { @@ -205,7 +203,6 @@ x509_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) ASN1_OCTET_STRING_free(ret->skid); AUTHORITY_KEYID_free(ret->akid); CRL_DIST_POINTS_free(ret->crldp); - policy_cache_free(ret->policy_cache); GENERAL_NAMES_free(ret->altname); NAME_CONSTRAINTS_free(ret->nc); #ifndef OPENSSL_NO_RFC3779 diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c index 87dc045..a5e1f71 100644 --- a/crypto/asn1/x_x509a.c +++ b/crypto/asn1/x_x509a.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_x509a.c,v 1.18 2021/12/25 13:17:48 jsing Exp $ */ +/* $OpenBSD: x_x509a.c,v 1.19 2022/11/26 16:08:50 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -62,7 +62,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" /* X509_CERT_AUX routines. These are used to encode additional * user modifiable data about a certificate. This data is diff --git a/crypto/bf/bf_cfb64.c b/crypto/bf/bf_cfb64.c index 6cc0bb9..87dccae 100644 --- a/crypto/bf/bf_cfb64.c +++ b/crypto/bf/bf_cfb64.c 
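Review bot: Dropping `policy_cache_free(ret->policy_cache)` from the ASN1_OP_FREE_POST branch of x509_cb, together with the extern above it, leaves nothing in this file releasing the cache; that is only leak-free if the `policy_cache` member was removed from the X509 struct in the same series, which this diff does not show. If the member still exists the free must stay; if it is gone, a line in the commit message saying so would save the next reader the search. The x509_cb body continues outside the hunk.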
@@ -1,25 +1,25 @@ -/* $OpenBSD: bf_cfb64.c,v 1.5 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: bf_cfb64.c,v 1.8 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence 
@@ -57,65 +57,68 @@ */ #include -#include "bf_locl.h" -/* The input and output encrypted as though 64bit cfb mode is being +#include "bf_local.h" + +/* + * The input and output encrypted as though 64bit cfb mode is being * used. The extra state information to record how much of the * 64bit block we have used is contained in *num; */ -void BF_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length, - const BF_KEY *schedule, unsigned char *ivec, int *num, int encrypt) - { - BF_LONG v0,v1,t; +void +BF_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length, + const BF_KEY *schedule, unsigned char *ivec, int *num, int encrypt) +{ + BF_LONG v0, v1, t; int n= *num; - long l=length; + long l = length; BF_LONG ti[2]; - unsigned char *iv,c,cc; + unsigned char *iv, c, cc; - iv=(unsigned char *)ivec; - if (encrypt) - { - while (l--) - { - if (n == 0) - { - n2l(iv,v0); ti[0]=v0; - n2l(iv,v1); ti[1]=v1; - BF_encrypt((BF_LONG *)ti,schedule); - iv=(unsigned char *)ivec; - t=ti[0]; l2n(t,iv); - t=ti[1]; l2n(t,iv); - iv=(unsigned char *)ivec; - } + iv = (unsigned char *)ivec; + if (encrypt) { + while (l--) { + if (n == 0) { + n2l(iv, v0); + ti[0] = v0; + n2l(iv, v1); + ti[1] = v1; + BF_encrypt((BF_LONG *)ti, schedule); + iv = (unsigned char *)ivec; + t = ti[0]; + l2n(t, iv); + t = ti[1]; + l2n(t, iv); + iv = (unsigned char *)ivec; + } c= *(in++)^iv[n]; - *(out++)=c; - iv[n]=c; - n=(n+1)&0x07; - } + *(out++) = c; + iv[n] = c; + n = (n + 1)&0x07; } - else - { - while (l--) - { - if (n == 0) - { - n2l(iv,v0); ti[0]=v0; - n2l(iv,v1); ti[1]=v1; - BF_encrypt((BF_LONG *)ti,schedule); - iv=(unsigned char *)ivec; - t=ti[0]; l2n(t,iv); - t=ti[1]; l2n(t,iv); - iv=(unsigned char *)ivec; - } + } else { + while (l--) { + if (n == 0) { + n2l(iv, v0); + ti[0] = v0; + n2l(iv, v1); + ti[1] = v1; + BF_encrypt((BF_LONG *)ti, schedule); + iv = (unsigned char *)ivec; + t = ti[0]; + l2n(t, iv); + t = ti[1]; + l2n(t, iv); + iv = (unsigned char *)ivec; + } cc= *(in++); - 
c=iv[n]; - iv[n]=cc; - *(out++)=c^cc; - n=(n+1)&0x07; - } + c = iv[n]; + iv[n] = cc; + *(out++) = c^cc; + n = (n + 1)&0x07; } - v0=v1=ti[0]=ti[1]=t=c=cc=0; - *num=n; } - + v0 = v1 = ti[0] = ti[1] = t=c = cc = 0; + *num = n; +} diff --git a/crypto/bf/bf_ecb.c b/crypto/bf/bf_ecb.c index 305bd78..99e50b0 100644 --- a/crypto/bf/bf_ecb.c +++ b/crypto/bf/bf_ecb.c @@ -1,25 +1,25 @@ -/* $OpenBSD: bf_ecb.c,v 1.6 2014/07/09 11:10:50 bcook Exp $ */ +/* $OpenBSD: bf_ecb.c,v 1.9 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
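Review bot: The bf_cfb64.c reformat is incomplete: `c= *(in++)^iv[n];`, `cc= *(in++);`, `n = (n + 1)&0x07;` and `v0 = v1 = ti[0] = ti[1] = t=c = cc = 0;` keep the old spacing inside a hunk whose whole purpose is KNF layout, so the next style pass will touch these lines again. The same applies to the bf_enc.c hunk further down, where `BF_ENC(r, l,s, p[1]);`, `BF_LONG l, r,t, *k;` and `data[1] = l&0xffffffffL;` mix the two styles. Writing them as `c = *(in++) ^ iv[n];`, `n = (n + 1) & 0x07;` and `BF_ENC(r, l, s, p[1]);` finishes the job. The trailing zeroing of locals is pre-existing best-effort scrubbing that a compiler may treat as dead stores; it is unrelated to this reformat but worth knowing when reading it.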
@@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -57,16 +57,19 @@ */ #include -#include "bf_locl.h" #include -/* Blowfish as implemented from 'Blowfish: Springer-Verlag paper' +#include "bf_local.h" + +/* + * Blowfish as implemented from 'Blowfish: Springer-Verlag paper' * (From LECTURE NOTES IN COMPUTER SCIENCE 809, FAST SOFTWARE ENCRYPTION, * CAMBRIDGE SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993) */ -const char *BF_options(void) - { +const char * +BF_options(void) +{ #ifdef BF_PTR return("blowfish(ptr)"); #elif defined(BF_PTR2) 
@@ -74,21 +77,25 @@ const char *BF_options(void) #else return("blowfish(idx)"); #endif - } +} -void BF_ecb_encrypt(const unsigned char *in, unsigned char *out, - const BF_KEY *key, int encrypt) - { - BF_LONG l,d[2]; +void +BF_ecb_encrypt(const unsigned char *in, unsigned char *out, + const BF_KEY *key, int encrypt) +{ + BF_LONG l, d[2]; - n2l(in,l); d[0]=l; - n2l(in,l); d[1]=l; + n2l(in, l); + d[0] = l; + n2l(in, l); + d[1] = l; if (encrypt) - BF_encrypt(d,key); + BF_encrypt(d, key); else - BF_decrypt(d,key); - l=d[0]; l2n(l,out); - l=d[1]; l2n(l,out); - l=d[0]=d[1]=0; - } - + BF_decrypt(d, key); + l = d[0]; + l2n(l, out); + l = d[1]; + l2n(l, out); + l = d[0] = d[1] = 0; +} diff --git a/crypto/bf/bf_enc.c b/crypto/bf/bf_enc.c index 2cf1c86..bbefe7d 100644 --- a/crypto/bf/bf_enc.c +++ b/crypto/bf/bf_enc.c 
@@ -1,25 +1,25 @@ -/* $OpenBSD: bf_enc.c,v 1.6 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: bf_enc.c,v 1.9 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -57,9 +57,11 @@ */ #include -#include "bf_locl.h" -/* Blowfish as implemented from 'Blowfish: Springer-Verlag paper' +#include "bf_local.h" + +/* + * Blowfish as implemented from 'Blowfish: Springer-Verlag paper' * (From LECTURE NOTES IN COMPUTER SCIENCE 809, FAST SOFTWARE ENCRYPTION, * CAMBRIDGE SECURITY WORKSHOP, CAMBRIDGE, U.K., DECEMBER 9-11, 1993) */ 
@@ -69,238 +71,234 @@ to modify the code. #endif -void BF_encrypt(BF_LONG *data, const BF_KEY *key) - { +void +BF_encrypt(BF_LONG *data, const BF_KEY *key) +{ #ifndef BF_PTR2 - BF_LONG l,r; - const BF_LONG *p,*s; + BF_LONG l, r; + const BF_LONG *p, *s; - p=key->P; - s= &(key->S[0]); - l=data[0]; - r=data[1]; + p = key->P; + s = &(key->S[0]); + l = data[0]; + r = data[1]; - l^=p[0]; - BF_ENC(r,l,s,p[ 1]); - BF_ENC(l,r,s,p[ 2]); - BF_ENC(r,l,s,p[ 3]); - BF_ENC(l,r,s,p[ 4]); - BF_ENC(r,l,s,p[ 5]); - BF_ENC(l,r,s,p[ 6]); - BF_ENC(r,l,s,p[ 7]); - BF_ENC(l,r,s,p[ 8]); - BF_ENC(r,l,s,p[ 9]); - BF_ENC(l,r,s,p[10]); - BF_ENC(r,l,s,p[11]); - BF_ENC(l,r,s,p[12]); - BF_ENC(r,l,s,p[13]); - BF_ENC(l,r,s,p[14]); - BF_ENC(r,l,s,p[15]); - BF_ENC(l,r,s,p[16]); + l ^= p[0]; + BF_ENC(r, l,s, p[1]); + BF_ENC(l, r,s, p[2]); + BF_ENC(r, l,s, p[3]); + BF_ENC(l, r,s, p[4]); + BF_ENC(r, l,s, p[5]); + BF_ENC(l, r,s, p[6]); + BF_ENC(r, l,s, p[7]); + BF_ENC(l, r,s, p[8]); + BF_ENC(r, l,s, p[9]); + BF_ENC(l, r,s, p[10]); + BF_ENC(r, l,s, p[11]); + BF_ENC(l, r,s, p[12]); + BF_ENC(r, l,s, p[13]); + BF_ENC(l, r,s, p[14]); + BF_ENC(r, l,s, p[15]); + BF_ENC(l, r,s, p[16]); #if BF_ROUNDS == 20 - BF_ENC(r,l,s,p[17]); - BF_ENC(l,r,s,p[18]); - BF_ENC(r,l,s,p[19]); - BF_ENC(l,r,s,p[20]); + BF_ENC(r, l,s, p[17]); + BF_ENC(l, r,s, p[18]); + BF_ENC(r, l,s, p[19]); + BF_ENC(l, r,s, p[20]); #endif - r^=p[BF_ROUNDS+1]; + r ^= p[BF_ROUNDS + 1]; - data[1]=l&0xffffffffL; - data[0]=r&0xffffffffL; + data[1] = l&0xffffffffL; + data[0] = r&0xffffffffL; #else - BF_LONG l,r,t,*k; + BF_LONG l, r,t, *k; - l=data[0]; - r=data[1]; - k=(BF_LONG*)key; + l = data[0]; + r = data[1]; + k = (BF_LONG*)key; - l^=k[0]; - BF_ENC(r,l,k, 1); - BF_ENC(l,r,k, 2); - BF_ENC(r,l,k, 3); - BF_ENC(l,r,k, 4); - BF_ENC(r,l,k, 5); - BF_ENC(l,r,k, 6); - BF_ENC(r,l,k, 7); - BF_ENC(l,r,k, 8); - BF_ENC(r,l,k, 9); - BF_ENC(l,r,k,10); - BF_ENC(r,l,k,11); - BF_ENC(l,r,k,12); - BF_ENC(r,l,k,13); - BF_ENC(l,r,k,14); - BF_ENC(r,l,k,15); - 
BF_ENC(l,r,k,16); + l ^= k[0]; + BF_ENC(r, l, k, 1); + BF_ENC(l, r, k, 2); + BF_ENC(r, l, k, 3); + BF_ENC(l, r, k, 4); + BF_ENC(r, l, k, 5); + BF_ENC(l, r, k, 6); + BF_ENC(r, l, k, 7); + BF_ENC(l, r, k, 8); + BF_ENC(r, l, k, 9); + BF_ENC(l, r,k, 10); + BF_ENC(r, l,k, 11); + BF_ENC(l, r,k, 12); + BF_ENC(r, l,k, 13); + BF_ENC(l, r,k, 14); + BF_ENC(r, l,k, 15); + BF_ENC(l, r,k, 16); #if BF_ROUNDS == 20 - BF_ENC(r,l,k,17); - BF_ENC(l,r,k,18); - BF_ENC(r,l,k,19); - BF_ENC(l,r,k,20); + BF_ENC(r, l,k, 17); + BF_ENC(l, r,k, 18); + BF_ENC(r, l,k, 19); + BF_ENC(l, r,k, 20); #endif - r^=k[BF_ROUNDS+1]; + r ^= k[BF_ROUNDS + 1]; - data[1]=l&0xffffffffL; - data[0]=r&0xffffffffL; + data[1] = l&0xffffffffL; + data[0] = r&0xffffffffL; #endif - } +} #ifndef BF_DEFAULT_OPTIONS -void BF_decrypt(BF_LONG *data, const BF_KEY *key) - { +void +BF_decrypt(BF_LONG *data, const BF_KEY *key) +{ #ifndef BF_PTR2 - BF_LONG l,r; - const BF_LONG *p,*s; + BF_LONG l, r; + const BF_LONG *p, *s; - p=key->P; - s= &(key->S[0]); - l=data[0]; - r=data[1]; + p = key->P; + s = &(key->S[0]); + l = data[0]; + r = data[1]; - l^=p[BF_ROUNDS+1]; + l ^= p[BF_ROUNDS + 1]; #if BF_ROUNDS == 20 - BF_ENC(r,l,s,p[20]); - BF_ENC(l,r,s,p[19]); - BF_ENC(r,l,s,p[18]); - BF_ENC(l,r,s,p[17]); + BF_ENC(r, l,s, p[20]); + BF_ENC(l, r,s, p[19]); + BF_ENC(r, l,s, p[18]); + BF_ENC(l, r,s, p[17]); #endif - BF_ENC(r,l,s,p[16]); - BF_ENC(l,r,s,p[15]); - BF_ENC(r,l,s,p[14]); - BF_ENC(l,r,s,p[13]); - BF_ENC(r,l,s,p[12]); - BF_ENC(l,r,s,p[11]); - BF_ENC(r,l,s,p[10]); - BF_ENC(l,r,s,p[ 9]); - BF_ENC(r,l,s,p[ 8]); - BF_ENC(l,r,s,p[ 7]); - BF_ENC(r,l,s,p[ 6]); - BF_ENC(l,r,s,p[ 5]); - BF_ENC(r,l,s,p[ 4]); - BF_ENC(l,r,s,p[ 3]); - BF_ENC(r,l,s,p[ 2]); - BF_ENC(l,r,s,p[ 1]); - r^=p[0]; + BF_ENC(r, l,s, p[16]); + BF_ENC(l, r,s, p[15]); + BF_ENC(r, l,s, p[14]); + BF_ENC(l, r,s, p[13]); + BF_ENC(r, l,s, p[12]); + BF_ENC(l, r,s, p[11]); + BF_ENC(r, l,s, p[10]); + BF_ENC(l, r,s, p[9]); + BF_ENC(r, l,s, p[8]); + BF_ENC(l, r,s, p[7]); + BF_ENC(r, 
l,s, p[6]); + BF_ENC(l, r,s, p[5]); + BF_ENC(r, l,s, p[4]); + BF_ENC(l, r,s, p[3]); + BF_ENC(r, l,s, p[2]); + BF_ENC(l, r,s, p[1]); + r ^= p[0]; - data[1]=l&0xffffffffL; - data[0]=r&0xffffffffL; + data[1] = l&0xffffffffL; + data[0] = r&0xffffffffL; #else - BF_LONG l,r,t,*k; + BF_LONG l, r,t, *k; - l=data[0]; - r=data[1]; - k=(BF_LONG *)key; + l = data[0]; + r = data[1]; + k = (BF_LONG *)key; - l^=k[BF_ROUNDS+1]; + l ^= k[BF_ROUNDS + 1]; #if BF_ROUNDS == 20 - BF_ENC(r,l,k,20); - BF_ENC(l,r,k,19); - BF_ENC(r,l,k,18); - BF_ENC(l,r,k,17); + BF_ENC(r, l,k, 20); + BF_ENC(l, r,k, 19); + BF_ENC(r, l,k, 18); + BF_ENC(l, r,k, 17); #endif - BF_ENC(r,l,k,16); - BF_ENC(l,r,k,15); - BF_ENC(r,l,k,14); - BF_ENC(l,r,k,13); - BF_ENC(r,l,k,12); - BF_ENC(l,r,k,11); - BF_ENC(r,l,k,10); - BF_ENC(l,r,k, 9); - BF_ENC(r,l,k, 8); - BF_ENC(l,r,k, 7); - BF_ENC(r,l,k, 6); - BF_ENC(l,r,k, 5); - BF_ENC(r,l,k, 4); - BF_ENC(l,r,k, 3); - BF_ENC(r,l,k, 2); - BF_ENC(l,r,k, 1); - r^=k[0]; + BF_ENC(r, l,k, 16); + BF_ENC(l, r,k, 15); + BF_ENC(r, l,k, 14); + BF_ENC(l, r,k, 13); + BF_ENC(r, l,k, 12); + BF_ENC(l, r,k, 11); + BF_ENC(r, l,k, 10); + BF_ENC(l, r, k, 9); + BF_ENC(r, l, k, 8); + BF_ENC(l, r, k, 7); + BF_ENC(r, l, k, 6); + BF_ENC(l, r, k, 5); + BF_ENC(r, l, k, 4); + BF_ENC(l, r, k, 3); + BF_ENC(r, l, k, 2); + BF_ENC(l, r, k, 1); + r ^= k[0]; - data[1]=l&0xffffffffL; - data[0]=r&0xffffffffL; + data[1] = l&0xffffffffL; + data[0] = r&0xffffffffL; #endif - } +} -void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, long length, - const BF_KEY *schedule, unsigned char *ivec, int encrypt) - { - BF_LONG tin0,tin1; - BF_LONG tout0,tout1,xor0,xor1; - long l=length; +void +BF_cbc_encrypt(const unsigned char *in, unsigned char *out, long length, + const BF_KEY *schedule, unsigned char *ivec, int encrypt) +{ + BF_LONG tin0, tin1; + BF_LONG tout0, tout1, xor0, xor1; + long l = length; BF_LONG tin[2]; - if (encrypt) - { - n2l(ivec,tout0); - n2l(ivec,tout1); - ivec-=8; - for (l-=8; l>=0; l-=8) - { - 
n2l(in,tin0); - n2l(in,tin1); - tin0^=tout0; - tin1^=tout1; - tin[0]=tin0; - tin[1]=tin1; - BF_encrypt(tin,schedule); - tout0=tin[0]; - tout1=tin[1]; - l2n(tout0,out); - l2n(tout1,out); - } - if (l != -8) - { - n2ln(in,tin0,tin1,l+8); - tin0^=tout0; - tin1^=tout1; - tin[0]=tin0; - tin[1]=tin1; - BF_encrypt(tin,schedule); - tout0=tin[0]; - tout1=tin[1]; - l2n(tout0,out); - l2n(tout1,out); - } - l2n(tout0,ivec); - l2n(tout1,ivec); + if (encrypt) { + n2l(ivec, tout0); + n2l(ivec, tout1); + ivec -= 8; + for (l -= 8; l >= 0; l -= 8) { + n2l(in, tin0); + n2l(in, tin1); + tin0 ^= tout0; + tin1 ^= tout1; + tin[0] = tin0; + tin[1] = tin1; + BF_encrypt(tin, schedule); + tout0 = tin[0]; + tout1 = tin[1]; + l2n(tout0, out); + l2n(tout1, out); } - else - { - n2l(ivec,xor0); - n2l(ivec,xor1); - ivec-=8; - for (l-=8; l>=0; l-=8) - { - n2l(in,tin0); - n2l(in,tin1); - tin[0]=tin0; - tin[1]=tin1; - BF_decrypt(tin,schedule); - tout0=tin[0]^xor0; - tout1=tin[1]^xor1; - l2n(tout0,out); - l2n(tout1,out); - xor0=tin0; - xor1=tin1; - } - if (l != -8) - { - n2l(in,tin0); - n2l(in,tin1); - tin[0]=tin0; - tin[1]=tin1; - BF_decrypt(tin,schedule); - tout0=tin[0]^xor0; - tout1=tin[1]^xor1; - l2nn(tout0,tout1,out,l+8); - xor0=tin0; - xor1=tin1; - } - l2n(xor0,ivec); - l2n(xor1,ivec); + if (l != -8) { + n2ln(in, tin0, tin1, l + 8); + tin0 ^= tout0; + tin1 ^= tout1; + tin[0] = tin0; + tin[1] = tin1; + BF_encrypt(tin, schedule); + tout0 = tin[0]; + tout1 = tin[1]; + l2n(tout0, out); + l2n(tout1, out); } - tin0=tin1=tout0=tout1=xor0=xor1=0; - tin[0]=tin[1]=0; + l2n(tout0, ivec); + l2n(tout1, ivec); + } else { + n2l(ivec, xor0); + n2l(ivec, xor1); + ivec -= 8; + for (l -= 8; l >= 0; l -= 8) { + n2l(in, tin0); + n2l(in, tin1); + tin[0] = tin0; + tin[1] = tin1; + BF_decrypt(tin, schedule); + tout0 = tin[0]^xor0; + tout1 = tin[1]^xor1; + l2n(tout0, out); + l2n(tout1, out); + xor0 = tin0; + xor1 = tin1; + } + if (l != -8) { + n2l(in, tin0); + n2l(in, tin1); + tin[0] = tin0; + tin[1] = tin1; + 
BF_decrypt(tin, schedule); + tout0 = tin[0]^xor0; + tout1 = tin[1]^xor1; + l2nn(tout0, tout1, out, l + 8); + xor0 = tin0; + xor1 = tin1; + } + l2n(xor0, ivec); + l2n(xor1, ivec); } + tin0 = tin1 = tout0 = tout1 = xor0 = xor1 = 0; + tin[0] = tin[1] = 0; +} #endif diff --git a/crypto/bf/bf_locl.h b/crypto/bf/bf_local.h similarity index 98% rename from crypto/bf/bf_locl.h rename to crypto/bf/bf_local.h index 0b66362..1cc2952 100644 --- a/crypto/bf/bf_locl.h +++ b/crypto/bf/bf_local.h @@ -1,25 +1,25 @@ -/* $OpenBSD: bf_locl.h,v 1.3 2014/06/12 15:49:28 deraadt Exp $ */ +/* $OpenBSD: bf_local.h,v 1.1 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence diff --git a/crypto/bf/bf_ofb64.c b/crypto/bf/bf_ofb64.c index 9e33162..8fe2478 100644 --- a/crypto/bf/bf_ofb64.c +++ b/crypto/bf/bf_ofb64.c 
@@ -1,25 +1,25 @@ -/* $OpenBSD: bf_ofb64.c,v 1.5 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: bf_ofb64.c,v 1.8 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence 
@@ -57,54 +57,55 @@
 */
 #include
-#include "bf_locl.h"
-/* The input and output encrypted as though 64bit ofb mode is being
+#include "bf_local.h"
+
+/*
+ * The input and output encrypted as though 64bit ofb mode is being
 * used. The extra state information to record how much of the
 * 64bit block we have used is contained in *num;
 */
-void BF_ofb64_encrypt(const unsigned char *in, unsigned char *out, long length,
- const BF_KEY *schedule, unsigned char *ivec, int *num)
- {
- BF_LONG v0,v1,t;
+void
+BF_ofb64_encrypt(const unsigned char *in, unsigned char *out, long length,
+ const BF_KEY *schedule, unsigned char *ivec, int *num)
+{
+ BF_LONG v0, v1, t;
 int n= *num;
- long l=length;
+ long l = length;
 unsigned char d[8];
 char *dp;
 BF_LONG ti[2];
 unsigned char *iv;
- int save=0;
+ int save = 0;
- iv=(unsigned char *)ivec;
- n2l(iv,v0);
- n2l(iv,v1);
- ti[0]=v0;
- ti[1]=v1;
- dp=(char *)d;
- l2n(v0,dp);
- l2n(v1,dp);
- while (l--)
- {
- if (n == 0)
- {
- BF_encrypt((BF_LONG *)ti,schedule);
- dp=(char *)d;
- t=ti[0]; l2n(t,dp);
- t=ti[1]; l2n(t,dp);
+ iv = (unsigned char *)ivec;
+ n2l(iv, v0);
+ n2l(iv, v1);
+ ti[0] = v0;
+ ti[1] = v1;
+ dp = (char *)d;
+ l2n(v0, dp);
+ l2n(v1, dp);
+ while (l--) {
+ if (n == 0) {
+ BF_encrypt((BF_LONG *)ti, schedule);
+ dp = (char *)d;
+ t = ti[0];
+ l2n(t, dp);
+ t = ti[1];
+ l2n(t, dp);
 save++;
- }
+ }
 *(out++)= *(in++)^d[n];
- n=(n+1)&0x07;
- }
- if (save)
- {
- v0=ti[0];
- v1=ti[1];
- iv=(unsigned char *)ivec;
- l2n(v0,iv);
- l2n(v1,iv);
- }
- t=v0=v1=ti[0]=ti[1]=0;
- *num=n;
+ n = (n + 1)&0x07;
 }
-
+ if (save) {
+ v0 = ti[0];
+ v1 = ti[1];
+ iv = (unsigned char *)ivec;
+ l2n(v0, iv);
+ l2n(v1, iv);
+ }
+ t = v0 = v1 = ti[0] = ti[1] = 0;
+ *num = n;
+}
diff --git a/crypto/bf/bf_pi.h b/crypto/bf/bf_pi.h
deleted file mode 100644
index ce4843a..0000000
--- a/crypto/bf/bf_pi.h
+++ /dev/null
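Review bot: The closing `t = v0 = v1 = ti[0] = ti[1] = 0;` in the new BF_ofb64_encrypt is a store to locals that are dead afterwards, so an optimizer is free to drop it, and the keystream block `d[8]`, which holds the last Blowfish output derived from the key, is never cleared at all; `explicit_bzero(ti, sizeof(ti)); explicit_bzero(d, sizeof(d));` alongside the scalar resets would make the cleanup reliable, assuming `<string.h>` is among the includes this view truncates. The same plain-assignment clearing (`tin0 = tin1 = tout0 = ... = 0;`) is kept in the BF_cbc_encrypt hunk above, whose start lies outside this excerpt. As a matter of style, `int n= *num;`, `*(out++)= *(in++)^d[n];` and `n = (n + 1)&0x07;` keep the old spacing while the rest of the function was normalized to KNF; `int n = *num;`, `*(out++) = *(in++) ^ d[n];` and `n = (n + 1) & 0x07;` would finish the job.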
@@ -1,328 +0,0 @@ -/* $OpenBSD: bf_pi.h,v 1.4 2016/12/21 15:49:29 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). 
- * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -__BEGIN_HIDDEN_DECLS - -static const BF_KEY bf_init= { - { - 0x243f6a88L, 0x85a308d3L, 0x13198a2eL, 0x03707344L, - 0xa4093822L, 0x299f31d0L, 0x082efa98L, 0xec4e6c89L, - 0x452821e6L, 0x38d01377L, 0xbe5466cfL, 0x34e90c6cL, - 0xc0ac29b7L, 0xc97c50ddL, 0x3f84d5b5L, 0xb5470917L, - 0x9216d5d9L, 0x8979fb1b - },{ - 0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L, - 0xb8e1afedL, 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L, - 0x24a19947L, 0xb3916cf7L, 0x0801f2e2L, 0x858efc16L, - 0x636920d8L, 0x71574e69L, 0xa458fea3L, 0xf4933d7eL, - 0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL, - 0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L, - 0xc5d1b023L, 0x286085f0L, 0xca417918L, 0xb8db38efL, - 0x8e79dcb0L, 0x603a180eL, 0x6c9e0e8bL, 0xb01e8a3eL, - 0xd71577c1L, 0xbd314b27L, 0x78af2fdaL, 0x55605c60L, - 0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L, - 0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL, - 0xa15486afL, 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL, - 0x2ba9c55dL, 0x741831f6L, 0xce5c3e16L, 0x9b87931eL, - 0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L, 0x28958677L, - 0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L, - 0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L, - 0xef845d5dL, 0xe98575b1L, 0xdc262302L, 0xeb651b88L, - 0x23893e81L, 0xd396acc5L, 0x0f6d6ff3L, 0x83f44239L, - 0x2e0b4482L, 0xa4842004L, 0x69c8f04aL, 0x9e1f9b5eL, - 0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L, - 0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L, - 0x6eef0b6cL, 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L, - 0xa1f1651dL, 0x39af0176L, 0x66ca593eL, 0x82430e88L, - 0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L, 0x3b8b5ebeL, - 0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L, - 0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL, - 0x37d0d724L, 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL, - 0x075372c9L, 0x80991b7bL, 0x25d479d8L, 0xf6e8def7L, - 0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL, 0x04c006baL, - 0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L, - 0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL, - 
0x6dfc511fL, 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L, - 0xbee3d004L, 0xde334afdL, 0x660f2807L, 0x192e4bb3L, - 0xc0cba857L, 0x45c8740fL, 0xd20b5f39L, 0xb9d3fbdbL, - 0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L, - 0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L, - 0x3c7516dfL, 0xfd616b15L, 0x2f501ec8L, 0xad0552abL, - 0x323db5faL, 0xfd238760L, 0x53317b48L, 0x3e00df82L, - 0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL, 0xdf1769dbL, - 0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L, - 0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L, - 0x10fa3d98L, 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL, - 0x9a53e479L, 0xb6f84565L, 0xd28e49bcL, 0x4bfb9790L, - 0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L, 0xcee4c6e8L, - 0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L, - 0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L, - 0xd08ed1d0L, 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L, - 0x8ff6e2fbL, 0xf2122b64L, 0x8888b812L, 0x900df01cL, - 0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L, 0xb3a8c1adL, - 0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L, - 0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L, - 0xb4a84fe0L, 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L, - 0x165fa266L, 0x80957705L, 0x93cc7314L, 0x211a1477L, - 0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L, 0xfb9d35cfL, - 0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L, - 0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL, - 0x2464369bL, 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL, - 0x78c14389L, 0xd95a537fL, 0x207d5ba2L, 0x02e5b9c5L, - 0x83260376L, 0x6295cfa9L, 0x11c81968L, 0x4e734a41L, - 0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L, - 0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L, - 0x08ba6fb5L, 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L, - 0xb6636521L, 0xe7b9f9b6L, 0xff34052eL, 0xc5855664L, - 0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L, 0x6e85076aL, - 0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 0xc4192623L, - 0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L, - 0xecaa8c71L, 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L, - 0x193602a5L, 0x75094c29L, 0xa0591340L, 0xe4183a3eL, - 
0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L, 0x99f73fd6L, - 0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L, - 0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL, - 0x09686b3fL, 0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L, - 0x687f3584L, 0x52a0e286L, 0xb79c5305L, 0xaa500737L, - 0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL, 0x5716f2b8L, - 0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL, - 0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL, - 0xd19113f9L, 0x7ca92ff6L, 0x94324773L, 0x22f54701L, - 0x3ae5e581L, 0x37c2dadcL, 0xc8b57634L, 0x9af3dda7L, - 0xa9446146L, 0x0fd0030eL, 0xecc8c73eL, 0xa4751e41L, - 0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L, - 0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL, - 0x2cb81290L, 0x24977c79L, 0x5679b072L, 0xbcaf89afL, - 0xde9a771fL, 0xd9930810L, 0xb38bae12L, 0xdccf3f2eL, - 0x5512721fL, 0x2e6b7124L, 0x501adde6L, 0x9f84cd87L, - 0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL, - 0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L, - 0xef1c1847L, 0x3215d908L, 0xdd433b37L, 0x24c2ba16L, - 0x12a14d43L, 0x2a65c451L, 0x50940002L, 0x133ae4ddL, - 0x71dff89eL, 0x10314e55L, 0x81ac77d6L, 0x5f11199bL, - 0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L, - 0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL, - 0x86e34570L, 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L, - 0x771fe71cL, 0x4e3d06faL, 0x2965dcb9L, 0x99e71d0fL, - 0x803e89d6L, 0x5266c825L, 0x2e4cc978L, 0x9c10b36aL, - 0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L, - 0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L, - 0x5223a708L, 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L, - 0xe3bc4595L, 0xa67bc883L, 0xb17f37d1L, 0x018cff28L, - 0xc332ddefL, 0xbe6c5aa5L, 0x65582185L, 0x68ab9802L, - 0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L, - 0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L, - 0x13cca830L, 0xeb61bd96L, 0x0334fe1eL, 0xaa0363cfL, - 0xb5735c90L, 0x4c70a239L, 0xd59e9e0bL, 0xcbaade14L, - 0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL, 0xb2f3846eL, - 0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L, - 
0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L, - 0x9b540b19L, 0x875fa099L, 0x95f7997eL, 0x623d7da8L, - 0xf837889aL, 0x97e32d77L, 0x11ed935fL, 0x16681281L, - 0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L, 0x7858ba99L, - 0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L, - 0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L, - 0x58ebf2efL, 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L, - 0x5d4a14d9L, 0xe864b7e3L, 0x42105d14L, 0x203e13e0L, - 0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L, 0xfacb4fd0L, - 0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L, - 0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L, - 0xcf62a1f2L, 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L, - 0x7f1524c3L, 0x69cb7492L, 0x47848a0bL, 0x5692b285L, - 0x095bbf00L, 0xad19489dL, 0x1462b174L, 0x23820e00L, - 0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L, - 0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL, - 0x7cde3759L, 0xcbee7460L, 0x4085f2a7L, 0xce77326eL, - 0xa6078084L, 0x19f8509eL, 0xe8efd855L, 0x61d99735L, - 0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL, 0x800bcadcL, - 0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L, - 0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L, - 0xc5c43465L, 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L, - 0x153e21e7L, 0x8fb03d4aL, 0xe6e39f2bL, 0xdb83adf7L, - 0xe93d5a68L, 0x948140f7L, 0xf64c261cL, 0x94692934L, - 0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L, - 0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL, - 0x1e39f62eL, 0x97244546L, 0x14214f74L, 0xbf8b8840L, - 0x4d95fc1dL, 0x96b591afL, 0x70f4ddd3L, 0x66a02f45L, - 0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L, 0x31cb8504L, - 0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL, - 0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL, - 0x68dc1462L, 0xd7486900L, 0x680ec0a4L, 0x27a18deeL, - 0x4f3ffea2L, 0xe887ad8cL, 0xb58ce006L, 0x7af4d6b6L, - 0xaace1e7cL, 0xd3375fecL, 0xce78a399L, 0x406b2a42L, - 0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL, - 0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L, - 0x3a6efa74L, 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL, - 
0xfb0af54eL, 0xd8feb397L, 0x454056acL, 0xba489527L, - 0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L, 0xd096954bL, - 0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L, - 0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL, - 0xfdf8e802L, 0x04272f70L, 0x80bb155cL, 0x05282ce3L, - 0x95c11548L, 0xe4c66d22L, 0x48c1133fL, 0xc70f86dcL, - 0x07f9c9eeL, 0x41041f0fL, 0x404779a4L, 0x5d886e17L, - 0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L, - 0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL, - 0x0e12b4c2L, 0x02e1329eL, 0xaf664fd1L, 0xcad18115L, - 0x6b2395e0L, 0x333e92e1L, 0x3b240b62L, 0xeebeb922L, - 0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL, 0x2da2f728L, - 0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L, - 0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL, - 0x0a476341L, 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L, - 0xa812dc60L, 0xa1ebddf8L, 0x991be14cL, 0xdb6e6b0dL, - 0xc67b5510L, 0x6d672c37L, 0x2765d43bL, 0xdcd0e804L, - 0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL, - 0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L, - 0xbb132f88L, 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL, - 0x37392eb3L, 0xcc115979L, 0x8026e297L, 0xf42e312dL, - 0x6842ada7L, 0xc66a2b3bL, 0x12754cccL, 0x782ef11cL, - 0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L, - 0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L, - 0x44421659L, 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL, - 0x64af674eL, 0xda86a85fL, 0xbebfe988L, 0x64e4c3feL, - 0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L, 0x6003604dL, - 0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL, - 0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL, - 0x77a057beL, 0xbde8ae24L, 0x55464299L, 0xbf582e61L, - 0x4e58f48fL, 0xf2ddfda2L, 0xf474ef38L, 0x8789bdc2L, - 0x5366f9c3L, 0xc8b38e74L, 0xb475f255L, 0x46fcd9b9L, - 0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L, - 0x466e598eL, 0x20b45770L, 0x8cd55591L, 0xc902de4cL, - 0xb90bace1L, 0xbb8205d0L, 0x11a86248L, 0x7574a99eL, - 0xb77f19b6L, 0xe0a9dc09L, 0x662d09a1L, 0xc4324633L, - 0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L, 0x1d6efe10L, - 
0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L, - 0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L, - 0x50115e01L, 0xa70683faL, 0xa002b5c4L, 0x0de6d027L, - 0x9af88c27L, 0x773f8641L, 0xc3604c06L, 0x61a806b5L, - 0xf0177a28L, 0xc0f586e0L, 0x006058aaL, 0x30dc7d62L, - 0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L, - 0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L, - 0x6f05e409L, 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L, - 0x86e3725fL, 0x724d9db9L, 0x1ac15bb4L, 0xd39eb8fcL, - 0xed545578L, 0x08fca5b5L, 0xd83d7cd3L, 0x4dad0fc4L, - 0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL, - 0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L, - 0xd79a3234L, 0x92638212L, 0x670efa8eL, 0x406000e0L, - 0x3a39ce37L, 0xd3faf5cfL, 0xabc27737L, 0x5ac52d1bL, - 0x5cb0679eL, 0x4fa33742L, 0xd3822740L, 0x99bc9bbeL, - 0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL, - 0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L, - 0x5748ab2fL, 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L, - 0x530ff8eeL, 0x468dde7dL, 0xd5730a1dL, 0x4cd04dc6L, - 0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L, 0xbe5ee304L, - 0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L, - 0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L, - 0x83c061baL, 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L, - 0x2826a2f9L, 0xa73a3ae1L, 0x4ba99586L, 0xef5562e9L, - 0xc72fefd3L, 0xf752f7daL, 0x3f046f69L, 0x77fa0a59L, - 0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L, - 0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L, - 0x96d5ac3aL, 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L, - 0x1f9f25cfL, 0xadf2b89bL, 0x5ad6b472L, 0x5a88f54cL, - 0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL, 0xed93fa9bL, - 0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L, - 0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL, - 0x15056dd4L, 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL, - 0xc3eb9e15L, 0x3c9057a2L, 0x97271aecL, 0xa93a072aL, - 0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL, 0x26dcf319L, - 0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL, - 0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL, - 
0x4de81751L, 0x3830dc8eL, 0x379d5862L, 0x9320f991L, - 0xea7a90c2L, 0xfb3e7bceL, 0x5121ce64L, 0x774fbe32L, - 0xa8b6e37eL, 0xc3293d46L, 0x48de5369L, 0x6413e680L, - 0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L, - 0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL, - 0x5bbef7ddL, 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL, - 0xdda26a7eL, 0x3a59ff45L, 0x3e350a44L, 0xbcb4cdd5L, - 0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL, 0xbf3c6f47L, - 0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L, - 0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL, - 0x4040cb08L, 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L, - 0xe1b00428L, 0x95983a1dL, 0x06b89fb4L, 0xce6ea048L, - 0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL, 0x277227f8L, - 0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL, - 0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L, - 0xe01cc87eL, 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L, - 0x1a908749L, 0xd44fbd9aL, 0xd0dadecbL, 0xd50ada38L, - 0x0339c32aL, 0xc6913667L, 0x8df9317cL, 0xe0b12b4fL, - 0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL, - 0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L, - 0xfae59361L, 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L, - 0xb6c1075eL, 0xe3056a0cL, 0x10d25065L, 0xcb03a442L, - 0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL, 0x3278e964L, - 0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL, - 0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L, - 0xdf359f8dL, 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL, - 0xe54cda54L, 0x1edad891L, 0xce6279cfL, 0xcd3e7e6fL, - 0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L, 0xf6fb2299L, - 0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L, - 0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL, - 0xde966292L, 0x81b949d0L, 0x4c50901bL, 0x71c65614L, - 0xe6c6c7bdL, 0x327a140aL, 0x45e1d006L, 0xc3f27b9aL, - 0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L, 0x35bdd2f6L, - 0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 0xcd769c2bL, - 0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L, - 0xba38209cL, 0xf746ce76L, 0x77afa1c5L, 0x20756060L, - 0x85cbfe4eL, 0x8ae88dd8L, 0x7aaaf9b0L, 0x4cf9aa7eL, - 
0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L, 0xd6ebe1f9L, - 0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL, - 0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L, - } - }; - -__END_HIDDEN_DECLS diff --git a/crypto/bf/bf_skey.c b/crypto/bf/bf_skey.c index 8191d17..cc31034 100644 --- a/crypto/bf/bf_skey.c +++ b/crypto/bf/bf_skey.c @@ -1,25 +1,25 @@ -/* $OpenBSD: bf_skey.c,v 1.12 2014/06/12 15:49:28 deraadt Exp $ */ +/* $OpenBSD: bf_skey.c,v 1.17 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence 
@@ -58,60 +58,330 @@ #include #include + #include #include -#include "bf_locl.h" -#include "bf_pi.h" -void BF_set_key(BF_KEY *key, int len, const unsigned char *data) - { +#include "bf_local.h" + +static const BF_KEY bf_init = { + .P = { + 0x243f6a88L, 0x85a308d3L, 0x13198a2eL, 0x03707344L, + 0xa4093822L, 0x299f31d0L, 0x082efa98L, 0xec4e6c89L, + 0x452821e6L, 0x38d01377L, 0xbe5466cfL, 0x34e90c6cL, + 0xc0ac29b7L, 0xc97c50ddL, 0x3f84d5b5L, 0xb5470917L, + 0x9216d5d9L, 0x8979fb1b + }, + .S = { + 0xd1310ba6L, 0x98dfb5acL, 0x2ffd72dbL, 0xd01adfb7L, + 0xb8e1afedL, 0x6a267e96L, 0xba7c9045L, 0xf12c7f99L, + 0x24a19947L, 0xb3916cf7L, 0x0801f2e2L, 0x858efc16L, + 0x636920d8L, 0x71574e69L, 0xa458fea3L, 0xf4933d7eL, + 0x0d95748fL, 0x728eb658L, 0x718bcd58L, 0x82154aeeL, + 0x7b54a41dL, 0xc25a59b5L, 0x9c30d539L, 0x2af26013L, + 0xc5d1b023L, 0x286085f0L, 0xca417918L, 0xb8db38efL, + 0x8e79dcb0L, 0x603a180eL, 0x6c9e0e8bL, 0xb01e8a3eL, + 0xd71577c1L, 0xbd314b27L, 0x78af2fdaL, 0x55605c60L, + 0xe65525f3L, 0xaa55ab94L, 0x57489862L, 0x63e81440L, + 0x55ca396aL, 0x2aab10b6L, 0xb4cc5c34L, 0x1141e8ceL, + 0xa15486afL, 0x7c72e993L, 0xb3ee1411L, 0x636fbc2aL, + 0x2ba9c55dL, 0x741831f6L, 0xce5c3e16L, 0x9b87931eL, + 0xafd6ba33L, 0x6c24cf5cL, 0x7a325381L, 0x28958677L, + 0x3b8f4898L, 0x6b4bb9afL, 0xc4bfe81bL, 0x66282193L, + 0x61d809ccL, 0xfb21a991L, 0x487cac60L, 0x5dec8032L, + 0xef845d5dL, 0xe98575b1L, 0xdc262302L, 0xeb651b88L, + 0x23893e81L, 0xd396acc5L, 0x0f6d6ff3L, 0x83f44239L, + 0x2e0b4482L, 0xa4842004L, 0x69c8f04aL, 0x9e1f9b5eL, + 0x21c66842L, 0xf6e96c9aL, 0x670c9c61L, 0xabd388f0L, + 0x6a51a0d2L, 0xd8542f68L, 0x960fa728L, 0xab5133a3L, + 0x6eef0b6cL, 0x137a3be4L, 0xba3bf050L, 0x7efb2a98L, + 0xa1f1651dL, 0x39af0176L, 0x66ca593eL, 0x82430e88L, + 0x8cee8619L, 0x456f9fb4L, 0x7d84a5c3L, 0x3b8b5ebeL, + 0xe06f75d8L, 0x85c12073L, 0x401a449fL, 0x56c16aa6L, + 0x4ed3aa62L, 0x363f7706L, 0x1bfedf72L, 0x429b023dL, + 0x37d0d724L, 0xd00a1248L, 0xdb0fead3L, 0x49f1c09bL, + 0x075372c9L, 0x80991b7bL, 0x25d479d8L, 
0xf6e8def7L, + 0xe3fe501aL, 0xb6794c3bL, 0x976ce0bdL, 0x04c006baL, + 0xc1a94fb6L, 0x409f60c4L, 0x5e5c9ec2L, 0x196a2463L, + 0x68fb6fafL, 0x3e6c53b5L, 0x1339b2ebL, 0x3b52ec6fL, + 0x6dfc511fL, 0x9b30952cL, 0xcc814544L, 0xaf5ebd09L, + 0xbee3d004L, 0xde334afdL, 0x660f2807L, 0x192e4bb3L, + 0xc0cba857L, 0x45c8740fL, 0xd20b5f39L, 0xb9d3fbdbL, + 0x5579c0bdL, 0x1a60320aL, 0xd6a100c6L, 0x402c7279L, + 0x679f25feL, 0xfb1fa3ccL, 0x8ea5e9f8L, 0xdb3222f8L, + 0x3c7516dfL, 0xfd616b15L, 0x2f501ec8L, 0xad0552abL, + 0x323db5faL, 0xfd238760L, 0x53317b48L, 0x3e00df82L, + 0x9e5c57bbL, 0xca6f8ca0L, 0x1a87562eL, 0xdf1769dbL, + 0xd542a8f6L, 0x287effc3L, 0xac6732c6L, 0x8c4f5573L, + 0x695b27b0L, 0xbbca58c8L, 0xe1ffa35dL, 0xb8f011a0L, + 0x10fa3d98L, 0xfd2183b8L, 0x4afcb56cL, 0x2dd1d35bL, + 0x9a53e479L, 0xb6f84565L, 0xd28e49bcL, 0x4bfb9790L, + 0xe1ddf2daL, 0xa4cb7e33L, 0x62fb1341L, 0xcee4c6e8L, + 0xef20cadaL, 0x36774c01L, 0xd07e9efeL, 0x2bf11fb4L, + 0x95dbda4dL, 0xae909198L, 0xeaad8e71L, 0x6b93d5a0L, + 0xd08ed1d0L, 0xafc725e0L, 0x8e3c5b2fL, 0x8e7594b7L, + 0x8ff6e2fbL, 0xf2122b64L, 0x8888b812L, 0x900df01cL, + 0x4fad5ea0L, 0x688fc31cL, 0xd1cff191L, 0xb3a8c1adL, + 0x2f2f2218L, 0xbe0e1777L, 0xea752dfeL, 0x8b021fa1L, + 0xe5a0cc0fL, 0xb56f74e8L, 0x18acf3d6L, 0xce89e299L, + 0xb4a84fe0L, 0xfd13e0b7L, 0x7cc43b81L, 0xd2ada8d9L, + 0x165fa266L, 0x80957705L, 0x93cc7314L, 0x211a1477L, + 0xe6ad2065L, 0x77b5fa86L, 0xc75442f5L, 0xfb9d35cfL, + 0xebcdaf0cL, 0x7b3e89a0L, 0xd6411bd3L, 0xae1e7e49L, + 0x00250e2dL, 0x2071b35eL, 0x226800bbL, 0x57b8e0afL, + 0x2464369bL, 0xf009b91eL, 0x5563911dL, 0x59dfa6aaL, + 0x78c14389L, 0xd95a537fL, 0x207d5ba2L, 0x02e5b9c5L, + 0x83260376L, 0x6295cfa9L, 0x11c81968L, 0x4e734a41L, + 0xb3472dcaL, 0x7b14a94aL, 0x1b510052L, 0x9a532915L, + 0xd60f573fL, 0xbc9bc6e4L, 0x2b60a476L, 0x81e67400L, + 0x08ba6fb5L, 0x571be91fL, 0xf296ec6bL, 0x2a0dd915L, + 0xb6636521L, 0xe7b9f9b6L, 0xff34052eL, 0xc5855664L, + 0x53b02d5dL, 0xa99f8fa1L, 0x08ba4799L, 0x6e85076aL, + 0x4b7a70e9L, 0xb5b32944L, 0xdb75092eL, 
0xc4192623L, + 0xad6ea6b0L, 0x49a7df7dL, 0x9cee60b8L, 0x8fedb266L, + 0xecaa8c71L, 0x699a17ffL, 0x5664526cL, 0xc2b19ee1L, + 0x193602a5L, 0x75094c29L, 0xa0591340L, 0xe4183a3eL, + 0x3f54989aL, 0x5b429d65L, 0x6b8fe4d6L, 0x99f73fd6L, + 0xa1d29c07L, 0xefe830f5L, 0x4d2d38e6L, 0xf0255dc1L, + 0x4cdd2086L, 0x8470eb26L, 0x6382e9c6L, 0x021ecc5eL, + 0x09686b3fL, 0x3ebaefc9L, 0x3c971814L, 0x6b6a70a1L, + 0x687f3584L, 0x52a0e286L, 0xb79c5305L, 0xaa500737L, + 0x3e07841cL, 0x7fdeae5cL, 0x8e7d44ecL, 0x5716f2b8L, + 0xb03ada37L, 0xf0500c0dL, 0xf01c1f04L, 0x0200b3ffL, + 0xae0cf51aL, 0x3cb574b2L, 0x25837a58L, 0xdc0921bdL, + 0xd19113f9L, 0x7ca92ff6L, 0x94324773L, 0x22f54701L, + 0x3ae5e581L, 0x37c2dadcL, 0xc8b57634L, 0x9af3dda7L, + 0xa9446146L, 0x0fd0030eL, 0xecc8c73eL, 0xa4751e41L, + 0xe238cd99L, 0x3bea0e2fL, 0x3280bba1L, 0x183eb331L, + 0x4e548b38L, 0x4f6db908L, 0x6f420d03L, 0xf60a04bfL, + 0x2cb81290L, 0x24977c79L, 0x5679b072L, 0xbcaf89afL, + 0xde9a771fL, 0xd9930810L, 0xb38bae12L, 0xdccf3f2eL, + 0x5512721fL, 0x2e6b7124L, 0x501adde6L, 0x9f84cd87L, + 0x7a584718L, 0x7408da17L, 0xbc9f9abcL, 0xe94b7d8cL, + 0xec7aec3aL, 0xdb851dfaL, 0x63094366L, 0xc464c3d2L, + 0xef1c1847L, 0x3215d908L, 0xdd433b37L, 0x24c2ba16L, + 0x12a14d43L, 0x2a65c451L, 0x50940002L, 0x133ae4ddL, + 0x71dff89eL, 0x10314e55L, 0x81ac77d6L, 0x5f11199bL, + 0x043556f1L, 0xd7a3c76bL, 0x3c11183bL, 0x5924a509L, + 0xf28fe6edL, 0x97f1fbfaL, 0x9ebabf2cL, 0x1e153c6eL, + 0x86e34570L, 0xeae96fb1L, 0x860e5e0aL, 0x5a3e2ab3L, + 0x771fe71cL, 0x4e3d06faL, 0x2965dcb9L, 0x99e71d0fL, + 0x803e89d6L, 0x5266c825L, 0x2e4cc978L, 0x9c10b36aL, + 0xc6150ebaL, 0x94e2ea78L, 0xa5fc3c53L, 0x1e0a2df4L, + 0xf2f74ea7L, 0x361d2b3dL, 0x1939260fL, 0x19c27960L, + 0x5223a708L, 0xf71312b6L, 0xebadfe6eL, 0xeac31f66L, + 0xe3bc4595L, 0xa67bc883L, 0xb17f37d1L, 0x018cff28L, + 0xc332ddefL, 0xbe6c5aa5L, 0x65582185L, 0x68ab9802L, + 0xeecea50fL, 0xdb2f953bL, 0x2aef7dadL, 0x5b6e2f84L, + 0x1521b628L, 0x29076170L, 0xecdd4775L, 0x619f1510L, + 0x13cca830L, 0xeb61bd96L, 0x0334fe1eL, 
0xaa0363cfL, + 0xb5735c90L, 0x4c70a239L, 0xd59e9e0bL, 0xcbaade14L, + 0xeecc86bcL, 0x60622ca7L, 0x9cab5cabL, 0xb2f3846eL, + 0x648b1eafL, 0x19bdf0caL, 0xa02369b9L, 0x655abb50L, + 0x40685a32L, 0x3c2ab4b3L, 0x319ee9d5L, 0xc021b8f7L, + 0x9b540b19L, 0x875fa099L, 0x95f7997eL, 0x623d7da8L, + 0xf837889aL, 0x97e32d77L, 0x11ed935fL, 0x16681281L, + 0x0e358829L, 0xc7e61fd6L, 0x96dedfa1L, 0x7858ba99L, + 0x57f584a5L, 0x1b227263L, 0x9b83c3ffL, 0x1ac24696L, + 0xcdb30aebL, 0x532e3054L, 0x8fd948e4L, 0x6dbc3128L, + 0x58ebf2efL, 0x34c6ffeaL, 0xfe28ed61L, 0xee7c3c73L, + 0x5d4a14d9L, 0xe864b7e3L, 0x42105d14L, 0x203e13e0L, + 0x45eee2b6L, 0xa3aaabeaL, 0xdb6c4f15L, 0xfacb4fd0L, + 0xc742f442L, 0xef6abbb5L, 0x654f3b1dL, 0x41cd2105L, + 0xd81e799eL, 0x86854dc7L, 0xe44b476aL, 0x3d816250L, + 0xcf62a1f2L, 0x5b8d2646L, 0xfc8883a0L, 0xc1c7b6a3L, + 0x7f1524c3L, 0x69cb7492L, 0x47848a0bL, 0x5692b285L, + 0x095bbf00L, 0xad19489dL, 0x1462b174L, 0x23820e00L, + 0x58428d2aL, 0x0c55f5eaL, 0x1dadf43eL, 0x233f7061L, + 0x3372f092L, 0x8d937e41L, 0xd65fecf1L, 0x6c223bdbL, + 0x7cde3759L, 0xcbee7460L, 0x4085f2a7L, 0xce77326eL, + 0xa6078084L, 0x19f8509eL, 0xe8efd855L, 0x61d99735L, + 0xa969a7aaL, 0xc50c06c2L, 0x5a04abfcL, 0x800bcadcL, + 0x9e447a2eL, 0xc3453484L, 0xfdd56705L, 0x0e1e9ec9L, + 0xdb73dbd3L, 0x105588cdL, 0x675fda79L, 0xe3674340L, + 0xc5c43465L, 0x713e38d8L, 0x3d28f89eL, 0xf16dff20L, + 0x153e21e7L, 0x8fb03d4aL, 0xe6e39f2bL, 0xdb83adf7L, + 0xe93d5a68L, 0x948140f7L, 0xf64c261cL, 0x94692934L, + 0x411520f7L, 0x7602d4f7L, 0xbcf46b2eL, 0xd4a20068L, + 0xd4082471L, 0x3320f46aL, 0x43b7d4b7L, 0x500061afL, + 0x1e39f62eL, 0x97244546L, 0x14214f74L, 0xbf8b8840L, + 0x4d95fc1dL, 0x96b591afL, 0x70f4ddd3L, 0x66a02f45L, + 0xbfbc09ecL, 0x03bd9785L, 0x7fac6dd0L, 0x31cb8504L, + 0x96eb27b3L, 0x55fd3941L, 0xda2547e6L, 0xabca0a9aL, + 0x28507825L, 0x530429f4L, 0x0a2c86daL, 0xe9b66dfbL, + 0x68dc1462L, 0xd7486900L, 0x680ec0a4L, 0x27a18deeL, + 0x4f3ffea2L, 0xe887ad8cL, 0xb58ce006L, 0x7af4d6b6L, + 0xaace1e7cL, 0xd3375fecL, 0xce78a399L, 
0x406b2a42L, + 0x20fe9e35L, 0xd9f385b9L, 0xee39d7abL, 0x3b124e8bL, + 0x1dc9faf7L, 0x4b6d1856L, 0x26a36631L, 0xeae397b2L, + 0x3a6efa74L, 0xdd5b4332L, 0x6841e7f7L, 0xca7820fbL, + 0xfb0af54eL, 0xd8feb397L, 0x454056acL, 0xba489527L, + 0x55533a3aL, 0x20838d87L, 0xfe6ba9b7L, 0xd096954bL, + 0x55a867bcL, 0xa1159a58L, 0xcca92963L, 0x99e1db33L, + 0xa62a4a56L, 0x3f3125f9L, 0x5ef47e1cL, 0x9029317cL, + 0xfdf8e802L, 0x04272f70L, 0x80bb155cL, 0x05282ce3L, + 0x95c11548L, 0xe4c66d22L, 0x48c1133fL, 0xc70f86dcL, + 0x07f9c9eeL, 0x41041f0fL, 0x404779a4L, 0x5d886e17L, + 0x325f51ebL, 0xd59bc0d1L, 0xf2bcc18fL, 0x41113564L, + 0x257b7834L, 0x602a9c60L, 0xdff8e8a3L, 0x1f636c1bL, + 0x0e12b4c2L, 0x02e1329eL, 0xaf664fd1L, 0xcad18115L, + 0x6b2395e0L, 0x333e92e1L, 0x3b240b62L, 0xeebeb922L, + 0x85b2a20eL, 0xe6ba0d99L, 0xde720c8cL, 0x2da2f728L, + 0xd0127845L, 0x95b794fdL, 0x647d0862L, 0xe7ccf5f0L, + 0x5449a36fL, 0x877d48faL, 0xc39dfd27L, 0xf33e8d1eL, + 0x0a476341L, 0x992eff74L, 0x3a6f6eabL, 0xf4f8fd37L, + 0xa812dc60L, 0xa1ebddf8L, 0x991be14cL, 0xdb6e6b0dL, + 0xc67b5510L, 0x6d672c37L, 0x2765d43bL, 0xdcd0e804L, + 0xf1290dc7L, 0xcc00ffa3L, 0xb5390f92L, 0x690fed0bL, + 0x667b9ffbL, 0xcedb7d9cL, 0xa091cf0bL, 0xd9155ea3L, + 0xbb132f88L, 0x515bad24L, 0x7b9479bfL, 0x763bd6ebL, + 0x37392eb3L, 0xcc115979L, 0x8026e297L, 0xf42e312dL, + 0x6842ada7L, 0xc66a2b3bL, 0x12754cccL, 0x782ef11cL, + 0x6a124237L, 0xb79251e7L, 0x06a1bbe6L, 0x4bfb6350L, + 0x1a6b1018L, 0x11caedfaL, 0x3d25bdd8L, 0xe2e1c3c9L, + 0x44421659L, 0x0a121386L, 0xd90cec6eL, 0xd5abea2aL, + 0x64af674eL, 0xda86a85fL, 0xbebfe988L, 0x64e4c3feL, + 0x9dbc8057L, 0xf0f7c086L, 0x60787bf8L, 0x6003604dL, + 0xd1fd8346L, 0xf6381fb0L, 0x7745ae04L, 0xd736fcccL, + 0x83426b33L, 0xf01eab71L, 0xb0804187L, 0x3c005e5fL, + 0x77a057beL, 0xbde8ae24L, 0x55464299L, 0xbf582e61L, + 0x4e58f48fL, 0xf2ddfda2L, 0xf474ef38L, 0x8789bdc2L, + 0x5366f9c3L, 0xc8b38e74L, 0xb475f255L, 0x46fcd9b9L, + 0x7aeb2661L, 0x8b1ddf84L, 0x846a0e79L, 0x915f95e2L, + 0x466e598eL, 0x20b45770L, 0x8cd55591L, 
0xc902de4cL, + 0xb90bace1L, 0xbb8205d0L, 0x11a86248L, 0x7574a99eL, + 0xb77f19b6L, 0xe0a9dc09L, 0x662d09a1L, 0xc4324633L, + 0xe85a1f02L, 0x09f0be8cL, 0x4a99a025L, 0x1d6efe10L, + 0x1ab93d1dL, 0x0ba5a4dfL, 0xa186f20fL, 0x2868f169L, + 0xdcb7da83L, 0x573906feL, 0xa1e2ce9bL, 0x4fcd7f52L, + 0x50115e01L, 0xa70683faL, 0xa002b5c4L, 0x0de6d027L, + 0x9af88c27L, 0x773f8641L, 0xc3604c06L, 0x61a806b5L, + 0xf0177a28L, 0xc0f586e0L, 0x006058aaL, 0x30dc7d62L, + 0x11e69ed7L, 0x2338ea63L, 0x53c2dd94L, 0xc2c21634L, + 0xbbcbee56L, 0x90bcb6deL, 0xebfc7da1L, 0xce591d76L, + 0x6f05e409L, 0x4b7c0188L, 0x39720a3dL, 0x7c927c24L, + 0x86e3725fL, 0x724d9db9L, 0x1ac15bb4L, 0xd39eb8fcL, + 0xed545578L, 0x08fca5b5L, 0xd83d7cd3L, 0x4dad0fc4L, + 0x1e50ef5eL, 0xb161e6f8L, 0xa28514d9L, 0x6c51133cL, + 0x6fd5c7e7L, 0x56e14ec4L, 0x362abfceL, 0xddc6c837L, + 0xd79a3234L, 0x92638212L, 0x670efa8eL, 0x406000e0L, + 0x3a39ce37L, 0xd3faf5cfL, 0xabc27737L, 0x5ac52d1bL, + 0x5cb0679eL, 0x4fa33742L, 0xd3822740L, 0x99bc9bbeL, + 0xd5118e9dL, 0xbf0f7315L, 0xd62d1c7eL, 0xc700c47bL, + 0xb78c1b6bL, 0x21a19045L, 0xb26eb1beL, 0x6a366eb4L, + 0x5748ab2fL, 0xbc946e79L, 0xc6a376d2L, 0x6549c2c8L, + 0x530ff8eeL, 0x468dde7dL, 0xd5730a1dL, 0x4cd04dc6L, + 0x2939bbdbL, 0xa9ba4650L, 0xac9526e8L, 0xbe5ee304L, + 0xa1fad5f0L, 0x6a2d519aL, 0x63ef8ce2L, 0x9a86ee22L, + 0xc089c2b8L, 0x43242ef6L, 0xa51e03aaL, 0x9cf2d0a4L, + 0x83c061baL, 0x9be96a4dL, 0x8fe51550L, 0xba645bd6L, + 0x2826a2f9L, 0xa73a3ae1L, 0x4ba99586L, 0xef5562e9L, + 0xc72fefd3L, 0xf752f7daL, 0x3f046f69L, 0x77fa0a59L, + 0x80e4a915L, 0x87b08601L, 0x9b09e6adL, 0x3b3ee593L, + 0xe990fd5aL, 0x9e34d797L, 0x2cf0b7d9L, 0x022b8b51L, + 0x96d5ac3aL, 0x017da67dL, 0xd1cf3ed6L, 0x7c7d2d28L, + 0x1f9f25cfL, 0xadf2b89bL, 0x5ad6b472L, 0x5a88f54cL, + 0xe029ac71L, 0xe019a5e6L, 0x47b0acfdL, 0xed93fa9bL, + 0xe8d3c48dL, 0x283b57ccL, 0xf8d56629L, 0x79132e28L, + 0x785f0191L, 0xed756055L, 0xf7960e44L, 0xe3d35e8cL, + 0x15056dd4L, 0x88f46dbaL, 0x03a16125L, 0x0564f0bdL, + 0xc3eb9e15L, 0x3c9057a2L, 0x97271aecL, 
0xa93a072aL, + 0x1b3f6d9bL, 0x1e6321f5L, 0xf59c66fbL, 0x26dcf319L, + 0x7533d928L, 0xb155fdf5L, 0x03563482L, 0x8aba3cbbL, + 0x28517711L, 0xc20ad9f8L, 0xabcc5167L, 0xccad925fL, + 0x4de81751L, 0x3830dc8eL, 0x379d5862L, 0x9320f991L, + 0xea7a90c2L, 0xfb3e7bceL, 0x5121ce64L, 0x774fbe32L, + 0xa8b6e37eL, 0xc3293d46L, 0x48de5369L, 0x6413e680L, + 0xa2ae0810L, 0xdd6db224L, 0x69852dfdL, 0x09072166L, + 0xb39a460aL, 0x6445c0ddL, 0x586cdecfL, 0x1c20c8aeL, + 0x5bbef7ddL, 0x1b588d40L, 0xccd2017fL, 0x6bb4e3bbL, + 0xdda26a7eL, 0x3a59ff45L, 0x3e350a44L, 0xbcb4cdd5L, + 0x72eacea8L, 0xfa6484bbL, 0x8d6612aeL, 0xbf3c6f47L, + 0xd29be463L, 0x542f5d9eL, 0xaec2771bL, 0xf64e6370L, + 0x740e0d8dL, 0xe75b1357L, 0xf8721671L, 0xaf537d5dL, + 0x4040cb08L, 0x4eb4e2ccL, 0x34d2466aL, 0x0115af84L, + 0xe1b00428L, 0x95983a1dL, 0x06b89fb4L, 0xce6ea048L, + 0x6f3f3b82L, 0x3520ab82L, 0x011a1d4bL, 0x277227f8L, + 0x611560b1L, 0xe7933fdcL, 0xbb3a792bL, 0x344525bdL, + 0xa08839e1L, 0x51ce794bL, 0x2f32c9b7L, 0xa01fbac9L, + 0xe01cc87eL, 0xbcc7d1f6L, 0xcf0111c3L, 0xa1e8aac7L, + 0x1a908749L, 0xd44fbd9aL, 0xd0dadecbL, 0xd50ada38L, + 0x0339c32aL, 0xc6913667L, 0x8df9317cL, 0xe0b12b4fL, + 0xf79e59b7L, 0x43f5bb3aL, 0xf2d519ffL, 0x27d9459cL, + 0xbf97222cL, 0x15e6fc2aL, 0x0f91fc71L, 0x9b941525L, + 0xfae59361L, 0xceb69cebL, 0xc2a86459L, 0x12baa8d1L, + 0xb6c1075eL, 0xe3056a0cL, 0x10d25065L, 0xcb03a442L, + 0xe0ec6e0eL, 0x1698db3bL, 0x4c98a0beL, 0x3278e964L, + 0x9f1f9532L, 0xe0d392dfL, 0xd3a0342bL, 0x8971f21eL, + 0x1b0a7441L, 0x4ba3348cL, 0xc5be7120L, 0xc37632d8L, + 0xdf359f8dL, 0x9b992f2eL, 0xe60b6f47L, 0x0fe3f11dL, + 0xe54cda54L, 0x1edad891L, 0xce6279cfL, 0xcd3e7e6fL, + 0x1618b166L, 0xfd2c1d05L, 0x848fd2c5L, 0xf6fb2299L, + 0xf523f357L, 0xa6327623L, 0x93a83531L, 0x56cccd02L, + 0xacf08162L, 0x5a75ebb5L, 0x6e163697L, 0x88d273ccL, + 0xde966292L, 0x81b949d0L, 0x4c50901bL, 0x71c65614L, + 0xe6c6c7bdL, 0x327a140aL, 0x45e1d006L, 0xc3f27b9aL, + 0xc9aa53fdL, 0x62a80f00L, 0xbb25bfe2L, 0x35bdd2f6L, + 0x71126905L, 0xb2040222L, 0xb6cbcf7cL, 
0xcd769c2bL, + 0x53113ec0L, 0x1640e3d3L, 0x38abbd60L, 0x2547adf0L, + 0xba38209cL, 0xf746ce76L, 0x77afa1c5L, 0x20756060L, + 0x85cbfe4eL, 0x8ae88dd8L, 0x7aaaf9b0L, 0x4cf9aa7eL, + 0x1948c25cL, 0x02fb8a8cL, 0x01c36ae4L, 0xd6ebe1f9L, + 0x90d4f869L, 0xa65cdea0L, 0x3f09252dL, 0xc208e69fL, + 0xb74e6132L, 0xce77e25bL, 0x578fdfe3L, 0x3ac372e6L, + } +}; + +void +BF_set_key(BF_KEY *key, int len, const unsigned char *data) +{ int i; - BF_LONG *p,ri,in[2]; - const unsigned char *d,*end; + BF_LONG *p, ri, in[2]; + const unsigned char *d, *end; + memcpy(key, &bf_init, sizeof(BF_KEY)); + p = key->P; - memcpy(key,&bf_init,sizeof(BF_KEY)); - p=key->P; + if (len > ((BF_ROUNDS + 2)*4)) + len = (BF_ROUNDS + 2)*4; - if (len > ((BF_ROUNDS+2)*4)) len=(BF_ROUNDS+2)*4; - - d=data; - end= &(data[len]); - for (i=0; i<(BF_ROUNDS+2); i++) - { + d = data; + end = &(data[len]); + for (i = 0; i < (BF_ROUNDS + 2); i++) { ri= *(d++); - if (d >= end) d=data; + if (d >= end) + d = data; - ri<<=8; - ri|= *(d++); - if (d >= end) d=data; + ri <<= 8; + ri |= *(d++); + if (d >= end) + d = data; - ri<<=8; - ri|= *(d++); - if (d >= end) d=data; + ri <<= 8; + ri |= *(d++); + if (d >= end) + d = data; - ri<<=8; - ri|= *(d++); - if (d >= end) d=data; + ri <<= 8; + ri |= *(d++); + if (d >= end) + d = data; p[i]^=ri; - } - - in[0]=0L; - in[1]=0L; - for (i=0; i<(BF_ROUNDS+2); i+=2) - { - BF_encrypt(in,key); - p[i ]=in[0]; - p[i+1]=in[1]; - } - - p=key->S; - for (i=0; i<4*256; i+=2) - { - BF_encrypt(in,key); - p[i ]=in[0]; - p[i+1]=in[1]; - } } + in[0] = 0L; + in[1] = 0L; + for (i = 0; i < (BF_ROUNDS + 2); i += 2) { + BF_encrypt(in, key); + p[i ] = in[0]; + p[i + 1] = in[1]; + } + + p = key->S; + for (i = 0; i < 4*256; i += 2) { + BF_encrypt(in, key); + p[i ] = in[0]; + p[i + 1] = in[1]; + } +} diff --git a/crypto/bio/b_dump.c b/crypto/bio/b_dump.c index 7e1c2d7..61a83fc 100644 --- a/crypto/bio/b_dump.c +++ b/crypto/bio/b_dump.c 
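Review bot: `BF_set_key` still has no lower bound on `len`: the clamp only caps it at `(BF_ROUNDS + 2)*4`, so for `len == 0` `end` equals `data` and the first `ri= *(d++)` reads one byte past a zero-length key before the `d >= end` wrap check runs, and a negative `len` places `end` before `data` so every read precedes the wrap. This is carried over from the old body rather than introduced here, but the rewrite is the natural place to settle it; since the function returns void, either state the precondition above the definition (`/* len must be > 0 and data must hold at least len bytes. */`) or reject `len <= 0` explicitly, whichever matches the documented API. Separately, the two unchanged lines `ri= *(d++);` and `p[i]^=ri;` are now the only statements in the loop without the spacing the rest of the body was given; `ri = *(d++);` and `p[i] ^= ri;` would complete the reformat.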
@@ -1,4 +1,4 @@ -/* $OpenBSD: b_dump.c,v 1.22 2021/07/11 20:18:07 beck Exp $ */ +/* $OpenBSD: b_dump.c,v 1.23 2022/10/17 18:26:41 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -80,11 +80,11 @@ int BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u), void *u, const char *s, int len, int indent) { - int ret = 0; char buf[288 + 1], tmp[20], str[128 + 1]; int i, j, rows, trc, written; unsigned char ch; int dump_width; + int ret = 0; trc = 0; @@ -95,14 +95,13 @@ BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u), if (indent < 0) indent = 0; - if (indent) { - if (indent > 128) - indent = 128; - memset(str, ' ', indent); - } + if (indent > 64) + indent = 64; + memset(str, ' ', indent); str[indent] = '\0'; - dump_width = DUMP_WIDTH_LESS_INDENT(indent); + if ((dump_width = DUMP_WIDTH_LESS_INDENT(indent)) <= 0) + return -1; rows = (len / dump_width); if ((rows * dump_width) < len) rows++; diff --git a/crypto/bio/b_sock.c b/crypto/bio/b_sock.c index 152b080..301f739 100644 --- a/crypto/bio/b_sock.c +++ b/crypto/bio/b_sock.c @@ -1,4 +1,4 @@ -/* $OpenBSD: b_sock.c,v 1.69 2018/02/07 00:52:05 bluhm Exp $ */ +/* $OpenBSD: b_sock.c,v 1.70 2022/12/22 20:13:45 schwarze Exp $ */ /* * Copyright (c) 2017 Bob Beck * @@ -47,6 +47,7 @@ BIO_get_host_ip(const char *str, unsigned char *ip) int error; if (str == NULL) { + BIOerror(BIO_R_BAD_HOSTNAME_LOOKUP); ERR_asprintf_error_data("NULL host provided"); return (0); } @@ -79,6 +80,7 @@ BIO_get_port(const char *str, unsigned short *port_ptr) } if ((error = getaddrinfo(NULL, str, &hints, &res)) != 0) { + BIOerror(BIO_R_INVALID_ARGUMENT); ERR_asprintf_error_data("getaddrinfo: service='%s' : %s'", str, gai_strerror(error)); return (0); 
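Review bot: The new `return -1` when `DUMP_WIDTH_LESS_INDENT(indent)` is non-positive adds a failure return to `BIO_dump_indent_cb` that the hunk leaves undocumented; the macro is defined outside the hunk, so whether the clamp to 64 just above already rules the case out is not visible here, and the check reads as a guard against the `len / dump_width` division that follows. A short comment on it, `/* Guard the division below; -1 signals an unusable width. */`, would make that intent explicit, and the function's return-value documentation, wherever it lives, should mention the -1 case. The rest of `BIO_dump_indent_cb` is outside the hunk.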
@@ -129,8 +131,14 @@ BIO_get_accept_socket(char *host, int bind_mode) char *h, *p, *str = NULL; int error, ret = 0, s = -1; - if (host == NULL || (str = strdup(host)) == NULL) + if (host == NULL) { + BIOerror(BIO_R_NO_PORT_SPECIFIED); return (-1); + } + if ((str = strdup(host)) == NULL) { + BIOerror(ERR_R_MALLOC_FAILURE); + return (-1); + } p = NULL; h = str; if ((p = strrchr(str, ':')) == NULL) { @@ -148,6 +156,7 @@ BIO_get_accept_socket(char *host, int bind_mode) } if ((error = getaddrinfo(h, p, &hints, &res)) != 0) { + BIOerror(BIO_R_BAD_HOSTNAME_LOOKUP); ERR_asprintf_error_data("getaddrinfo: '%s:%s': %s'", h, p, gai_strerror(error)); goto err; @@ -203,9 +212,10 @@ BIO_accept(int sock, char **addr) socklen_t sin_len = sizeof(sin); int ret = -1; - if (addr == NULL) + if (addr == NULL) { + BIOerror(BIO_R_NULL_PARAMETER); goto end; - + } ret = accept(sock, (struct sockaddr *)&sin, &sin_len); if (ret == -1) { if (BIO_sock_should_retry(ret)) diff --git a/crypto/bio/bio_err.c b/crypto/bio/bio_err.c index cda693d..fa5d16a 100644 --- a/crypto/bio/bio_err.c +++ b/crypto/bio/bio_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_err.c,v 1.18 2022/01/14 08:40:57 tb Exp $ */ +/* $OpenBSD: bio_err.c,v 1.19 2022/07/12 14:42:48 kn Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_BIO,func,0) diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index 0b6c9ec..d145078 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c 
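Review bot: `BIOerror(BIO_R_NO_PORT_SPECIFIED)` is pushed when `host` itself is NULL, but a NULL argument is not a missing port, and `BIO_accept` in the hunk at line 203 of this file uses `BIO_R_NULL_PARAMETER` for the same condition; using that code here, `BIOerror(BIO_R_NULL_PARAMETER);`, keeps the diagnostics consistent and leaves `BIO_R_NO_PORT_SPECIFIED` for the `strrchr(str, ':')` path, presumably where a missing port is actually detected (that branch continues outside the hunk). If the choice deliberately mirrors an upstream decision, a one-line comment saying so would stop the next reader from "fixing" it.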
@@ -1,4 +1,4 @@ -/* $OpenBSD: bio_lib.c,v 1.35 2022/01/14 08:40:57 tb Exp $ */ +/* $OpenBSD: bio_lib.c,v 1.44 2023/03/15 06:14:02 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -323,11 +323,18 @@ BIO_read(BIO *b, void *out, int outl) size_t readbytes = 0; int ret; - if (b == NULL) + if (b == NULL) { + BIOerror(ERR_R_PASSED_NULL_PARAMETER); + return (-1); + } + + if (outl <= 0) return (0); - if (out == NULL || outl <= 0) - return (0); + if (out == NULL) { + BIOerror(ERR_R_PASSED_NULL_PARAMETER); + return (-1); + } if (b->method == NULL || b->method->bread == NULL) { BIOerror(BIO_R_UNSUPPORTED_METHOD); @@ -373,12 +380,18 @@ BIO_write(BIO *b, const void *in, int inl) size_t writebytes = 0; int ret; + /* Not an error. Things like SMIME_text() assume that this succeeds. */ if (b == NULL) return (0); - if (in == NULL || inl <= 0) + if (inl <= 0) return (0); + if (in == NULL) { + BIOerror(ERR_R_PASSED_NULL_PARAMETER); + return (-1); + } + if (b->method == NULL || b->method->bwrite == NULL) { BIOerror(BIO_R_UNSUPPORTED_METHOD); return (-2); @@ -464,7 +477,7 @@ BIO_puts(BIO *b, const char *in) int BIO_gets(BIO *b, char *in, int inl) { - size_t readbytes; + size_t readbytes = 0; int ret; if (b == NULL || b->method == NULL || b->method->bgets == NULL) { @@ -611,7 +624,11 @@ BIO_ctrl_wpending(BIO *bio) } -/* put the 'bio' on the end of b's list of operators */ +/* + * Append "bio" to the end of the chain containing "b": + * Two chains "b -> lb" and "oldhead -> bio" + * become two chains "b -> lb -> bio" and "oldhead". + */ BIO * BIO_push(BIO *b, BIO *bio) { @@ -623,8 +640,11 @@ BIO_push(BIO *b, BIO *bio) while (lb->next_bio != NULL) lb = lb->next_bio; lb->next_bio = bio; - if (bio != NULL) + if (bio != NULL) { + if (bio->prev_bio != NULL) + bio->prev_bio->next_bio = NULL; bio->prev_bio = lb; + } /* called to do internal processing */ BIO_ctrl(b, BIO_CTRL_PUSH, 0, lb); return (b); 
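Review bot: `BIO_read` now returns -1 and pushes `ERR_R_PASSED_NULL_PARAMETER` for a NULL `b`, while the same commit keeps `BIO_write`'s NULL-`b` path returning 0 and explains why in a comment (`Not an error. Things like SMIME_text() assume that this succeeds.`); the `BIO_read` side carries no matching comment, so the asymmetry looks accidental to a reader of that hunk alone. A line such as `/* Unlike BIO_write(), a NULL BIO is an error here. */` above the check would record the intent. The check order is also worth a word: `outl <= 0` is tested before `out == NULL`, so `BIO_read(b, NULL, 0)` returns 0 rather than -1, which is presumably deliberate and deserves a comment if so. The same applies to `BIO_write`, where `inl <= 0` precedes the `in == NULL` check.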
@@ -713,10 +733,25 @@ BIO_next(BIO *b) return b->next_bio; } +/* + * Two chains "bio -> oldtail" and "oldhead -> next" become + * three chains "oldtail", "bio -> next", and "oldhead". + */ void -BIO_set_next(BIO *b, BIO *next) +BIO_set_next(BIO *bio, BIO *next) { - b->next_bio = next; + /* Cut off the tail of the chain containing bio after bio. */ + if (bio->next_bio != NULL) + bio->next_bio->prev_bio = NULL; + + /* Cut off the head of the chain containing next before next. */ + if (next != NULL && next->prev_bio != NULL) + next->prev_bio->next_bio = NULL; + + /* Append the chain starting at next to the chain ending at bio. */ + bio->next_bio = next; + if (next != NULL) + next->prev_bio = bio; } void diff --git a/crypto/bio/bio_local.h b/crypto/bio/bio_local.h index 7e1885f..4eecf7e 100644 --- a/crypto/bio/bio_local.h +++ b/crypto/bio/bio_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_local.h,v 1.3 2022/01/14 08:40:57 tb Exp $ */ +/* $OpenBSD: bio_local.h,v 1.5 2022/12/02 19:44:04 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index fa6e2db..0d70daa 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bss_dgram.c,v 1.43 2022/01/07 09:02:17 tb Exp $ */ +/* $OpenBSD: bss_dgram.c,v 1.44 2022/12/26 07:18:51 jmc Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -214,7 +214,7 @@ dgram_adjust_rcv_timeout(BIO *b) timeleft.tv_usec = 1; } - /* Adjust socket timeout if next handhake message timer + /* Adjust socket timeout if next handshake message timer * will expire earlier. */ if ((data->socket_timeout.tv_sec == 0 && diff --git a/crypto/bn/arch/aarch64/bn_arch.h b/crypto/bn/arch/aarch64/bn_arch.h new file mode 100644 index 0000000..4e16597 --- /dev/null +++ b/crypto/bn/arch/aarch64/bn_arch.h 
@@ -0,0 +1,84 @@ +/* $OpenBSD: bn_arch.h,v 1.7 2023/04/17 12:51:09 jsing Exp $ */ +/* + * Copyright (c) 2023 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#ifndef HEADER_BN_ARCH_H +#define HEADER_BN_ARCH_H + +#ifndef OPENSSL_NO_ASM + +#if defined(__GNUC__) + +#define HAVE_BN_ADDW + +static inline void +bn_addw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) +{ + BN_ULONG carry, r0; + + __asm__ ( + "adds %[r0], %[a], %[b] \n" + "cset %[carry], cs \n" + : [carry]"=r"(carry), [r0]"=r"(r0) + : [a]"r"(a), [b]"r"(b) + : "cc"); + + *out_r1 = carry; + *out_r0 = r0; +} + +#define HAVE_BN_MULW + +static inline void +bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) +{ + BN_ULONG r1, r0; + + /* Unsigned multiplication using a umulh/mul pair. 
*/ + __asm__ ( + "umulh %[r1], %[a], %[b] \n" + "mul %[r0], %[a], %[b] \n" + : [r1]"=&r"(r1), [r0]"=r"(r0) + : [a]"r"(a), [b]"r"(b)); + + *out_r1 = r1; + *out_r0 = r0; +} + +#define HAVE_BN_SUBW + +static inline void +bn_subw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_borrow, BN_ULONG *out_r0) +{ + BN_ULONG borrow, r0; + + __asm__ ( + "subs %[r0], %[a], %[b] \n" + "cset %[borrow], cc \n" + : [borrow]"=r"(borrow), [r0]"=r"(r0) + : [a]"r"(a), [b]"r"(b) + : "cc"); + + *out_borrow = borrow; + *out_r0 = r0; +} + +#endif /* __GNUC__ */ + +#endif +#endif diff --git a/crypto/bn/arch/amd64/bignum_add.S b/crypto/bn/arch/amd64/bignum_add.S new file mode 100644 index 0000000..06298ca --- /dev/null +++ b/crypto/bn/arch/amd64/bignum_add.S 
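Review bot: The include guard `HEADER_BN_ARCH_H` in the new `bn_arch.h` opens after the `#include` line rather than before it, so the include is reprocessed on every inclusion and only the inline functions are guarded; the conventional order is the guard first, then includes. The two closing `#endif` lines at the end are unlabelled although they close different conditions, so `#endif /* !OPENSSL_NO_ASM */` and `#endif /* HEADER_BN_ARCH_H */` would make the nesting readable. The asm constraints themselves look right: `r1` in `bn_mulw` is early-clobbered because `umulh` writes it before `mul` reads `a` and `b`, and `bn_addw`/`bn_subw` declare the `"cc"` clobber for `adds`/`subs`.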
@@ -0,0 +1,165 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// +// Permission to use, copy, modify, and/or distribute this software for any +// purpose with or without fee is hereby granted, provided that the above +// copyright notice and this permission notice appear in all copies. +// +// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +// ---------------------------------------------------------------------------- +// Add, z := x + y +// Inputs x[m], y[n]; outputs function return (carry-out) and z[p] +// +// extern uint64_t bignum_add +// (uint64_t p, uint64_t *z, +// uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); +// +// Does the z := x + y operation, truncating modulo p words in general and +// returning a top carry (0 or 1) in the p'th place, only adding the input +// words below p (as well as m and n respectively) to get the sum and carry. 
+// +// Standard x86-64 ABI: RDI = p, RSI = z, RDX = m, RCX = x, R8 = n, R9 = y, returns RAX +// Microsoft x64 ABI: RCX = p, RDX = z, R8 = m, R9 = x, [RSP+40] = n, [RSP+48] = y, returns RAX +// ---------------------------------------------------------------------------- + +#include "s2n_bignum_internal.h" + + .intel_syntax noprefix + S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_add) + S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_add) + .text + +#define p rdi +#define z rsi +#define m rdx +#define x rcx +#define n r8 +#define y r9 +#define i r10 +#define a rax + +#define ashort eax + + + +S2N_BN_SYMBOL(bignum_add): + endbr64 + +#if WINDOWS_ABI + push rdi + push rsi + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + mov rcx, r9 + mov r8, [rsp+56] + mov r9, [rsp+64] +#endif + +// Zero the main index counter for both branches + + xor i, i + +// First clamp the two input sizes m := min(p,m) and n := min(p,n) since +// we'll never need words past the p'th. Can now assume m <= p and n <= p. +// Then compare the modified m and n and branch accordingly + + cmp p, m + cmovc m, p + cmp p, n + cmovc n, p + cmp m, n + jc ylonger + +// The case where x is longer or of the same size (p >= m >= n) + + sub p, m + sub m, n + inc m + test n, n + jz xtest +xmainloop: + mov a, [x+8*i] + adc a, [y+8*i] + mov [z+8*i],a + inc i + dec n + jnz xmainloop + jmp xtest +xtoploop: + mov a, [x+8*i] + adc a, 0 + mov [z+8*i],a + inc i +xtest: + dec m + jnz xtoploop + mov ashort, 0 + adc a, 0 + test p, p + jnz tails +#if WINDOWS_ABI + pop rsi + pop rdi +#endif + ret + +// The case where y is longer (p >= n > m) + +ylonger: + + sub p, n + sub n, m + test m, m + jz ytoploop +ymainloop: + mov a, [x+8*i] + adc a, [y+8*i] + mov [z+8*i],a + inc i + dec m + jnz ymainloop +ytoploop: + mov a, [y+8*i] + adc a, 0 + mov [z+8*i],a + inc i + dec n + jnz ytoploop + mov ashort, 0 + adc a, 0 + test p, p + jnz tails +#if WINDOWS_ABI + pop rsi + pop rdi +#endif + ret + +// Adding a non-trivial tail, when p > max(m,n) + +tails: + mov 
[z+8*i],a + xor a, a + jmp tail +tailloop: + mov [z+8*i],a +tail: + inc i + dec p + jnz tailloop +#if WINDOWS_ABI + pop rsi + pop rdi +#endif + ret + +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/bn/arch/amd64/bignum_cmadd.S b/crypto/bn/arch/amd64/bignum_cmadd.S new file mode 100644 index 0000000..5ad7127 --- /dev/null +++ b/crypto/bn/arch/amd64/bignum_cmadd.S 
@@ -0,0 +1,155 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// +// Permission to use, copy, modify, and/or distribute this software for any +// purpose with or without fee is hereby granted, provided that the above +// copyright notice and this permission notice appear in all copies. +// +// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +// ---------------------------------------------------------------------------- +// Multiply-add with single-word multiplier, z := z + c * y +// Inputs c, y[n]; outputs function return (carry-out) and z[k] +// +// extern uint64_t bignum_cmadd +// (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y); +// +// Does the "z := z + c * y" operation where y is n digits, result z is p. +// Truncates the result in general. +// +// The return value is a high/carry word that is meaningful when p = n + 1, or +// more generally when n <= p and the result fits in p + 1 digits. In these +// cases it gives the top digit of the (p + 1)-digit result. 
+// +// Standard x86-64 ABI: RDI = k, RSI = z, RDX = c, RCX = n, R8 = y, returns RAX +// Microsoft x64 ABI: RCX = k, RDX = z, R8 = c, R9 = n, [RSP+40] = y, returns RAX +// ---------------------------------------------------------------------------- + +#include "s2n_bignum_internal.h" + + .intel_syntax noprefix + S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_cmadd) + S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_cmadd) + .text + +#define p rdi +#define z rsi +#define c r9 +#define n rcx +#define x r8 + +#define i r10 +#define h r11 + +#define r rbx + +#define hshort r11d +#define ishort r10d + + + +S2N_BN_SYMBOL(bignum_cmadd): + endbr64 + +#if WINDOWS_ABI + push rdi + push rsi + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + mov rcx, r9 + mov r8, [rsp+56] +#endif + +// Seems hard to avoid one more register + + push rbx + +// First clamp the input size n := min(p,n) since we can never need to read +// past the p'th term of the input to generate p-digit output. +// Subtract p := p - min(n,p) so it holds the size of the extra tail needed + + cmp p, n + cmovc n, p + sub p, n + +// Initialize high part h = 0; if n = 0 do nothing but return that zero + + xor h, h + test n, n + jz end + +// Move c into a safer register as multiplies overwrite rdx + + mov c, rdx + +// Initialization of the loop: 2^64 * CF + [h,z_0'] = z_0 + c * x_0 + + mov rax, [x] + mul c + add [z], rax + mov h, rdx + mov ishort, 1 + dec n + jz hightail + +// Main loop, where we always have CF + previous high part h to add in + +loop: + adc h, [z+8*i] + sbb r, r + mov rax, [x+8*i] + mul c + sub rdx, r + add rax, h + mov [z+8*i], rax + mov h, rdx + inc i + dec n + jnz loop + +hightail: + adc h, 0 + +// Propagate the carry all the way to the end with h as extra carry word + +tail: + test p, p + jz end + + add [z+8*i], h + mov hshort, 0 + inc i + dec p + jz highend + +tloop: + adc [z+8*i], h + inc i + dec p + jnz tloop + +highend: + + adc h, 0 + +// Return the high/carry word + +end: + mov rax, h + + pop rbx +#if WINDOWS_ABI + 
pop rsi + pop rdi +#endif + ret + +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/bn/arch/amd64/bignum_cmul.S b/crypto/bn/arch/amd64/bignum_cmul.S new file mode 100644 index 0000000..9199c8f --- /dev/null +++ b/crypto/bn/arch/amd64/bignum_cmul.S 
@@ -0,0 +1,138 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// +// Permission to use, copy, modify, and/or distribute this software for any +// purpose with or without fee is hereby granted, provided that the above +// copyright notice and this permission notice appear in all copies. +// +// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +// ---------------------------------------------------------------------------- +// Multiply by a single word, z := c * y +// Inputs c, y[n]; outputs function return (carry-out) and z[k] +// +// extern uint64_t bignum_cmul +// (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y); +// +// Does the "z := c * y" operation where y is n digits, result z is p. +// Truncates the result in general unless p >= n + 1. +// +// The return value is a high/carry word that is meaningful when p >= n as +// giving the high part of the result. Since this is always zero if p > n, +// it is mainly of interest in the special case p = n, i.e. where the source +// and destination have the same nominal size, when it gives the extra word +// of the full result. 
+// +// Standard x86-64 ABI: RDI = k, RSI = z, RDX = c, RCX = n, R8 = y, returns RAX +// Microsoft x64 ABI: RCX = k, RDX = z, R8 = c, R9 = n, [RSP+40] = y, returns RAX +// ---------------------------------------------------------------------------- + +#include "s2n_bignum_internal.h" + + .intel_syntax noprefix + S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_cmul) + S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_cmul) + .text + +#define p rdi +#define z rsi +#define c r9 +#define n rcx +#define x r8 + +#define i r10 +#define h r11 + + + +S2N_BN_SYMBOL(bignum_cmul): + endbr64 + +#if WINDOWS_ABI + push rdi + push rsi + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + mov rcx, r9 + mov r8, [rsp+56] +#endif + +// First clamp the input size n := min(p,n) since we can never need to read +// past the p'th term of the input to generate p-digit output. Now we can +// assume that n <= p + + cmp p, n + cmovc n, p + +// Initialize current input/output pointer offset i and high part h. +// But then if n = 0 skip the multiplication and go to the tail part + + xor h, h + xor i, i + test n, n + jz tail + +// Move c into a safer register as multiplies overwrite rdx + + mov c, rdx + +// Initialization of the loop: [h,l] = c * x_0 + + mov rax, [x] + mul c + mov [z], rax + mov h, rdx + inc i + cmp i, n + jz tail + +// Main loop doing the multiplications + +loop: + mov rax, [x+8*i] + mul c + add rax, h + adc rdx, 0 + mov [z+8*i], rax + mov h, rdx + inc i + cmp i, n + jc loop + +// Add a tail when the destination is longer + +tail: + cmp i, p + jnc end + mov [z+8*i], h + xor h, h + inc i + cmp i, p + jnc end + +tloop: + mov [z+8*i], h + inc i + cmp i, p + jc tloop + +// Return the high/carry word + +end: + mov rax, h + +#if WINDOWS_ABI + pop rsi + pop rdi +#endif + ret + +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/bn/arch/amd64/bignum_mul.S b/crypto/bn/arch/amd64/bignum_mul.S new file mode 100644 index 0000000..2d7ed19 --- /dev/null 
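Review bot: The header comment names the size parameter `k` in the prototype but `p` in the prose (`result z is p`, `unless p >= n + 1`, `when p >= n`), and the code then adds a third name via `#define p rdi`, which makes the truncation rule hard to check against the prototype. Suggest the prose use the prototype's names, e.g. `// Does the "z := c * y" operation where y is n digits, result z is k.` and `// Truncates the result in general unless k >= n + 1.` The bignum_cmadd header earlier in this diff has the same k/p mismatch. As these files carry the s2n-bignum copyright header, the wording fix is presumably best applied upstream rather than diverging locally.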
+++ b/crypto/bn/arch/amd64/bignum_mul.S 
@@ -0,0 +1,167 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// +// Permission to use, copy, modify, and/or distribute this software for any +// purpose with or without fee is hereby granted, provided that the above +// copyright notice and this permission notice appear in all copies. +// +// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +// ---------------------------------------------------------------------------- +// Multiply z := x * y +// Inputs x[m], y[n]; output z[k] +// +// extern void bignum_mul +// (uint64_t k, uint64_t *z, +// uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); +// +// Does the "z := x * y" operation where x is m digits, y is n, result z is k. 
+// Truncates the result in general unless k >= m + n +// +// Standard x86-64 ABI: RDI = k, RSI = z, RDX = m, RCX = x, R8 = n, R9 = y +// Microsoft x64 ABI: RCX = k, RDX = z, R8 = m, R9 = x, [RSP+40] = n, [RSP+48] = y +// ---------------------------------------------------------------------------- + +#include "s2n_bignum_internal.h" + + .intel_syntax noprefix + S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_mul) + S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_mul) + .text + +// These are actually right + +#define p rdi +#define z rsi +#define n r8 + +// These are not + +#define c r15 +#define h r14 +#define l r13 +#define x r12 +#define y r11 +#define i rbx +#define k r10 +#define m rbp + +// These are always local scratch since multiplier result is in these + +#define a rax +#define d rdx + + + +S2N_BN_SYMBOL(bignum_mul): + endbr64 + +#if WINDOWS_ABI + push rdi + push rsi + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + mov rcx, r9 + mov r8, [rsp+56] + mov r9, [rsp+64] +#endif + +// We use too many registers, and also we need rax:rdx for multiplications + + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + mov m, rdx + +// If the result size is zero, do nothing +// Note that even if either or both inputs has size zero, we can't +// just give up because we at least need to zero the output array +// If we did a multiply-add variant, however, then we could + + test p, p + jz end + +// Set initial 2-part sum to zero (we zero c inside the body) + + xor h,h + xor l,l + +// Otherwise do outer loop k = 0 ... 
k = p - 1 + + xor k, k + +outerloop: + +// Zero our carry term first; we eventually want it and a zero is useful now +// Set a = max 0 (k + 1 - n), i = min (k + 1) m +// This defines the range a <= j < i for the inner summation +// Note that since k < p < 2^64 we can assume k + 1 doesn't overflow +// And since we want to increment it anyway, we might as well do it now + + xor c, c // c = 0 + inc k // k = k + 1 + + mov a, k // a = k + 1 + sub a, n // a = k + 1 - n + cmovc a, c // a = max 0 (k + 1 - n) + + mov i, m // i = m + cmp k, m // CF <=> k + 1 < m + cmovc i, k // i = min (k + 1) m + +// Turn i into a loop count, and skip things if it's <= 0 +// Otherwise set up initial pointers x -> x0[a] and y -> y0[k - a] +// and then launch into the main inner loop, postdecrementing i + + mov d, k + sub d, i + sub i, a + jbe innerend + lea x,[rcx+8*a] + lea y,[r9+8*d-8] + +innerloop: + mov rax, [y+8*i] + mul QWORD PTR [x] + add x, 8 + add l, rax + adc h, rdx + adc c, 0 + dec i + jnz innerloop + +innerend: + + mov [z], l + mov l, h + mov h, c + add z, 8 + + cmp k, p + jc outerloop + +end: + pop r15 + pop r14 + pop r13 + pop r12 + pop rbp + pop rbx +#if WINDOWS_ABI + pop rsi + pop rdi +#endif + ret + +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/bn/arch/amd64/bignum_mul_4_8_alt.S b/crypto/bn/arch/amd64/bignum_mul_4_8_alt.S new file mode 100644 index 0000000..f02b09b --- /dev/null +++ b/crypto/bn/arch/amd64/bignum_mul_4_8_alt.S 
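Review bot: bignum_mul stores each output word (`mov [z], l` then `add z, 8` at innerend) before later outer iterations re-read lower-indexed words of x and y, so z must not overlap x or y, and the header comment does not state that precondition. Suggest adding under the prototype `// z must not overlap x or y: output words are written before later input words are read.` The same holds for bignum_sqr.S later in this diff, which writes `[z+8*k]` while subsequent iterations read `[x+8*i]` for i <= k. Separately, the comment `set up initial pointers x -> x0[a] and y -> y0[k - a]` refers to x0/y0 that are never defined, while the code hardcodes `lea x,[rcx+8*a]` and `lea y,[r9+8*d-8]`; a `#define x0 rcx` / `#define y0 r9` next to the other register names (in place of the vague `// These are not` comment) would keep the register map in one place.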
@@ -0,0 +1,157 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// +// Permission to use, copy, modify, and/or distribute this software for any +// purpose with or without fee is hereby granted, provided that the above +// copyright notice and this permission notice appear in all copies. +// +// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +// ---------------------------------------------------------------------------- +// Multiply z := x * y +// Inputs x[4], y[4]; output z[8] +// +// extern void bignum_mul_4_8_alt +// (uint64_t z[static 8], uint64_t x[static 4], uint64_t y[static 4]); +// +// Standard x86-64 ABI: RDI = z, RSI = x, RDX = y +// Microsoft x64 ABI: RCX = z, RDX = x, R8 = y +// ---------------------------------------------------------------------------- + +#include "s2n_bignum_internal.h" + + .intel_syntax noprefix + S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_mul_4_8_alt) + S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_mul_4_8_alt) + .text + +// These are actually right + +#define z rdi +#define x rsi + +// This is moved from rdx to free it for muls + +#define y rcx + +// Other variables used as a rotating 3-word window to add terms to + +#define t0 r8 +#define t1 r9 +#define t2 r10 + +// Macro for the key "multiply and add to (c,h,l)" step + +#define combadd(c,h,l,numa,numb) \ + mov rax, numa; \ + mul QWORD PTR numb; \ + add l, rax; \ + adc h, rdx; \ + adc c, 0 + +// A minutely shorter form for when c = 0 initially + +#define combadz(c,h,l,numa,numb) \ + mov rax, numa; \ + mul 
QWORD PTR numb; \ + add l, rax; \ + adc h, rdx; \ + adc c, c + +// A short form where we don't expect a top carry + +#define combads(h,l,numa,numb) \ + mov rax, numa; \ + mul QWORD PTR numb; \ + add l, rax; \ + adc h, rdx + +S2N_BN_SYMBOL(bignum_mul_4_8_alt): + endbr64 + +#if WINDOWS_ABI + push rdi + push rsi + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 +#endif + +// Copy y into a safe register to start with + + mov y, rdx + +// Result term 0 + + mov rax, [x] + mul QWORD PTR [y] + + mov [z], rax + mov t0, rdx + xor t1, t1 + +// Result term 1 + + xor t2, t2 + combads(t1,t0,[x],[y+8]) + combadz(t2,t1,t0,[x+8],[y]) + mov [z+8], t0 + +// Result term 2 + + xor t0, t0 + combadz(t0,t2,t1,[x],[y+16]) + combadd(t0,t2,t1,[x+8],[y+8]) + combadd(t0,t2,t1,[x+16],[y]) + mov [z+16], t1 + +// Result term 3 + + xor t1, t1 + combadz(t1,t0,t2,[x],[y+24]) + combadd(t1,t0,t2,[x+8],[y+16]) + combadd(t1,t0,t2,[x+16],[y+8]) + combadd(t1,t0,t2,[x+24],[y]) + mov [z+24], t2 + +// Result term 4 + + xor t2, t2 + combadz(t2,t1,t0,[x+8],[y+24]) + combadd(t2,t1,t0,[x+16],[y+16]) + combadd(t2,t1,t0,[x+24],[y+8]) + mov [z+32], t0 + +// Result term 5 + + xor t0, t0 + combadz(t0,t2,t1,[x+16],[y+24]) + combadd(t0,t2,t1,[x+24],[y+16]) + mov [z+40], t1 + +// Result term 6 + + xor t1, t1 + combads(t0,t2,[x+24],[y+24]) + mov [z+48], t2 + +// Result term 7 + + mov [z+56], t0 + +// Return + +#if WINDOWS_ABI + pop rsi + pop rdi +#endif + ret + +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/bn/arch/amd64/bignum_mul_8_16_alt.S b/crypto/bn/arch/amd64/bignum_mul_8_16_alt.S new file mode 100644 index 0000000..97be83e --- /dev/null +++ b/crypto/bn/arch/amd64/bignum_mul_8_16_alt.S 
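Review bot: The `xor t1, t1` under `// Result term 6` is dead: that term uses `combads(t0,t2,[x+24],[y+24])`, which never touches t1, and term 7 only stores t0 before returning, so t1 is not read again. The 8-digit variant (bignum_mul_8_16_alt.S later in this diff) omits the corresponding clear in its term 14, and bignum_sqr_4_8_alt.S has the same dead `xor t1, t1` in its term 6. It is harmless, but since these files carry the s2n-bignum copyright header it is presumably better reported upstream than edited locally. It would also help reviewers if the header stated that the routine is straight-line code with fixed memory offsets and no data-dependent branches, which is presumably the property the bn_mul_comba4 caller relies on for constant-time arithmetic.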
@@ -0,0 +1,244 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// +// Permission to use, copy, modify, and/or distribute this software for any +// purpose with or without fee is hereby granted, provided that the above +// copyright notice and this permission notice appear in all copies. +// +// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +// ---------------------------------------------------------------------------- +// Multiply z := x * y +// Inputs x[8], y[8]; output z[16] +// +// extern void bignum_mul_8_16_alt +// (uint64_t z[static 16], uint64_t x[static 8], uint64_t y[static 8]); +// +// Standard x86-64 ABI: RDI = z, RSI = x, RDX = y +// Microsoft x64 ABI: RCX = z, RDX = x, R8 = y +// ---------------------------------------------------------------------------- + +#include "s2n_bignum_internal.h" + + .intel_syntax noprefix + S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_mul_8_16_alt) + S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_mul_8_16_alt) + .text + +// These are actually right + +#define z rdi +#define x rsi + +// This is moved from rdx to free it for muls + +#define y rcx + +// Other variables used as a rotating 3-word window to add terms to + +#define t0 r8 +#define t1 r9 +#define t2 r10 + +// Macro for the key "multiply and add to (c,h,l)" step + +#define combadd(c,h,l,numa,numb) \ + mov rax, numa; \ + mul QWORD PTR numb; \ + add l, rax; \ + adc h, rdx; \ + adc c, 0 + +// A minutely shorter form for when c = 0 initially + +#define combadz(c,h,l,numa,numb) \ + mov rax, numa; \ + mul 
QWORD PTR numb; \ + add l, rax; \ + adc h, rdx; \ + adc c, c + +// A short form where we don't expect a top carry + +#define combads(h,l,numa,numb) \ + mov rax, numa; \ + mul QWORD PTR numb; \ + add l, rax; \ + adc h, rdx + +S2N_BN_SYMBOL(bignum_mul_8_16_alt): + endbr64 + +#if WINDOWS_ABI + push rdi + push rsi + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 +#endif + +// Copy y into a safe register to start with + + mov y, rdx + +// Result term 0 + + mov rax, [x] + mul QWORD PTR [y] + + mov [z], rax + mov t0, rdx + xor t1, t1 + +// Result term 1 + + xor t2, t2 + combads(t1,t0,[x],[y+8]) + combadz(t2,t1,t0,[x+8],[y]) + mov [z+8], t0 + +// Result term 2 + + xor t0, t0 + combadz(t0,t2,t1,[x],[y+16]) + combadd(t0,t2,t1,[x+8],[y+8]) + combadd(t0,t2,t1,[x+16],[y]) + mov [z+16], t1 + +// Result term 3 + + xor t1, t1 + combadz(t1,t0,t2,[x],[y+24]) + combadd(t1,t0,t2,[x+8],[y+16]) + combadd(t1,t0,t2,[x+16],[y+8]) + combadd(t1,t0,t2,[x+24],[y]) + mov [z+24], t2 + +// Result term 4 + + xor t2, t2 + combadz(t2,t1,t0,[x],[y+32]) + combadd(t2,t1,t0,[x+8],[y+24]) + combadd(t2,t1,t0,[x+16],[y+16]) + combadd(t2,t1,t0,[x+24],[y+8]) + combadd(t2,t1,t0,[x+32],[y]) + mov [z+32], t0 + +// Result term 5 + + xor t0, t0 + combadz(t0,t2,t1,[x],[y+40]) + combadd(t0,t2,t1,[x+8],[y+32]) + combadd(t0,t2,t1,[x+16],[y+24]) + combadd(t0,t2,t1,[x+24],[y+16]) + combadd(t0,t2,t1,[x+32],[y+8]) + combadd(t0,t2,t1,[x+40],[y]) + mov [z+40], t1 + +// Result term 6 + + xor t1, t1 + combadz(t1,t0,t2,[x],[y+48]) + combadd(t1,t0,t2,[x+8],[y+40]) + combadd(t1,t0,t2,[x+16],[y+32]) + combadd(t1,t0,t2,[x+24],[y+24]) + combadd(t1,t0,t2,[x+32],[y+16]) + combadd(t1,t0,t2,[x+40],[y+8]) + combadd(t1,t0,t2,[x+48],[y]) + mov [z+48], t2 + +// Result term 7 + + xor t2, t2 + combadz(t2,t1,t0,[x],[y+56]) + combadd(t2,t1,t0,[x+8],[y+48]) + combadd(t2,t1,t0,[x+16],[y+40]) + combadd(t2,t1,t0,[x+24],[y+32]) + combadd(t2,t1,t0,[x+32],[y+24]) + combadd(t2,t1,t0,[x+40],[y+16]) + combadd(t2,t1,t0,[x+48],[y+8]) + 
combadd(t2,t1,t0,[x+56],[y]) + mov [z+56], t0 + +// Result term 8 + + xor t0, t0 + combadz(t0,t2,t1,[x+8],[y+56]) + combadd(t0,t2,t1,[x+16],[y+48]) + combadd(t0,t2,t1,[x+24],[y+40]) + combadd(t0,t2,t1,[x+32],[y+32]) + combadd(t0,t2,t1,[x+40],[y+24]) + combadd(t0,t2,t1,[x+48],[y+16]) + combadd(t0,t2,t1,[x+56],[y+8]) + mov [z+64], t1 + +// Result term 9 + + xor t1, t1 + combadz(t1,t0,t2,[x+16],[y+56]) + combadd(t1,t0,t2,[x+24],[y+48]) + combadd(t1,t0,t2,[x+32],[y+40]) + combadd(t1,t0,t2,[x+40],[y+32]) + combadd(t1,t0,t2,[x+48],[y+24]) + combadd(t1,t0,t2,[x+56],[y+16]) + mov [z+72], t2 + +// Result term 10 + + xor t2, t2 + combadz(t2,t1,t0,[x+24],[y+56]) + combadd(t2,t1,t0,[x+32],[y+48]) + combadd(t2,t1,t0,[x+40],[y+40]) + combadd(t2,t1,t0,[x+48],[y+32]) + combadd(t2,t1,t0,[x+56],[y+24]) + mov [z+80], t0 + +// Result term 11 + + xor t0, t0 + combadz(t0,t2,t1,[x+32],[y+56]) + combadd(t0,t2,t1,[x+40],[y+48]) + combadd(t0,t2,t1,[x+48],[y+40]) + combadd(t0,t2,t1,[x+56],[y+32]) + mov [z+88], t1 + +// Result term 12 + + xor t1, t1 + combadz(t1,t0,t2,[x+40],[y+56]) + combadd(t1,t0,t2,[x+48],[y+48]) + combadd(t1,t0,t2,[x+56],[y+40]) + mov [z+96], t2 + +// Result term 13 + + xor t2, t2 + combadz(t2,t1,t0,[x+48],[y+56]) + combadd(t2,t1,t0,[x+56],[y+48]) + mov [z+104], t0 + +// Result term 14 + + combads(t2,t1,[x+56],[y+56]) + mov [z+112], t1 + +// Result term 11 + + mov [z+120], t2 + +// Return + +#if WINDOWS_ABI + pop rsi + pop rdi +#endif + ret + +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/bn/arch/amd64/bignum_sqr.S b/crypto/bn/arch/amd64/bignum_sqr.S new file mode 100644 index 0000000..c4a0cab --- /dev/null +++ b/crypto/bn/arch/amd64/bignum_sqr.S 
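Review bot: The comment before the final store `mov [z+120], t2` reads `// Result term 11`, but `z+120` is word 15 of the 16-word result and term 11 already labels the `[z+88]` store above; it should read `// Result term 15`, matching the numbering bignum_mul_4_8_alt.S uses (`// Result term 7` for `[z+56]`). Presumably an upstream s2n-bignum typo, so best fixed there as well.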
@@ -0,0 +1,197 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// +// Permission to use, copy, modify, and/or distribute this software for any +// purpose with or without fee is hereby granted, provided that the above +// copyright notice and this permission notice appear in all copies. +// +// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +// ---------------------------------------------------------------------------- +// Square z := x^2 +// Input x[n]; output z[k] +// +// extern void bignum_sqr +// (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x); +// +// Does the "z := x^2" operation where x is n digits and result z is k. +// Truncates the result in general unless k >= 2 * n +// +// Standard x86-64 ABI: RDI = k, RSI = z, RDX = n, RCX = x +// Microsoft x64 ABI: RCX = k, RDX = z, R8 = n, R9 = x +// ---------------------------------------------------------------------------- + +#include "s2n_bignum_internal.h" + + .intel_syntax noprefix + S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sqr) + S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sqr) + .text + +// First three are where arguments come in, but n is moved. 
+ +#define p rdi +#define z rsi +#define x rcx +#define n r8 + +// These are always local scratch since multiplier result is in these + +#define a rax +#define d rdx + +// Other variables + +#define i rbx +#define ll rbp +#define hh r9 +#define k r10 +#define y r11 +#define htop r12 +#define l r13 +#define h r14 +#define c r15 + +// Short versions + +#define llshort ebp + +S2N_BN_SYMBOL(bignum_sqr): + endbr64 + +#if WINDOWS_ABI + push rdi + push rsi + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + mov rcx, r9 +#endif + +// We use too many registers, and also we need rax:rdx for multiplications + + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + mov n, rdx + +// If p = 0 the result is trivial and nothing needs doing + + test p, p + jz end + +// initialize (hh,ll) = 0 + + xor llshort, llshort + xor hh, hh + +// Iterate outer loop from k = 0 ... k = p - 1 producing result digits + + xor k, k + +outerloop: + +// First let bot = MAX 0 (k + 1 - n) and top = MIN (k + 1) n +// We want to accumulate all x[i] * x[k - i] for bot <= i < top +// For the optimization of squaring we avoid duplication and do +// 2 * x[i] * x[k - i] for i < htop, where htop = MIN ((k+1)/2) n +// Initialize i = bot; in fact just compute bot as i directly. 
+ + xor c, c + lea i, [k+1] + mov htop, i + shr htop, 1 + sub i, n + cmovc i, c + cmp htop, n + cmovnc htop, n + +// Initialize the three-part local sum (c,h,l); c was already done above + + xor l, l + xor h, h + +// If htop <= bot then main doubled part of the sum is empty + + cmp i, htop + jnc nosumming + +// Use a moving pointer for [y] = x[k-i] for the cofactor + + mov a, k + sub a, i + lea y, [x+8*a] + +// Do the main part of the sum x[i] * x[k - i] for 2 * i < k + +innerloop: + mov a, [x+8*i] + mul QWORD PTR [y] + add l, a + adc h, d + adc c, 0 + sub y, 8 + inc i + cmp i, htop + jc innerloop + +// Now double it + + add l, l + adc h, h + adc c, c + +// If k is even (which means 2 * i = k) and i < n add the extra x[i]^2 term + +nosumming: + test k, 1 + jnz innerend + cmp i, n + jnc innerend + + mov a, [x+8*i] + mul a + add l, a + adc h, d + adc c, 0 + +// Now add the local sum into the global sum, store and shift + +innerend: + add l, ll + mov [z+8*k], l + adc h, hh + mov ll, h + adc c, 0 + mov hh, c + + inc k + cmp k, p + jc outerloop + +// Restore registers and return + +end: + pop r15 + pop r14 + pop r13 + pop r12 + pop rbp + pop rbx +#if WINDOWS_ABI + pop rsi + pop rdi +#endif + ret + +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/bn/arch/amd64/bignum_sqr_4_8_alt.S b/crypto/bn/arch/amd64/bignum_sqr_4_8_alt.S new file mode 100644 index 0000000..b228414 --- /dev/null +++ b/crypto/bn/arch/amd64/bignum_sqr_4_8_alt.S 
@@ -0,0 +1,145 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// +// Permission to use, copy, modify, and/or distribute this software for any +// purpose with or without fee is hereby granted, provided that the above +// copyright notice and this permission notice appear in all copies. +// +// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +// ---------------------------------------------------------------------------- +// Square, z := x^2 +// Input x[4]; output z[8] +// +// extern void bignum_sqr_4_8_alt +// (uint64_t z[static 8], uint64_t x[static 4]); +// +// Standard x86-64 ABI: RDI = z, RSI = x +// Microsoft x64 ABI: RCX = z, RDX = x +// ---------------------------------------------------------------------------- + +#include "s2n_bignum_internal.h" + + .intel_syntax noprefix + S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sqr_4_8_alt) + S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sqr_4_8_alt) + .text + +// Input arguments + +#define z rdi +#define x rsi + +// Other variables used as a rotating 3-word window to add terms to + +#define t0 rcx +#define t1 r8 +#define t2 r9 + +// Macro for the key "multiply and add to (c,h,l)" step, for square term + +#define combadd1(c,h,l,numa) \ + mov rax, numa; \ + mul rax; \ + add l, rax; \ + adc h, rdx; \ + adc c, 0 + +// A short form where we don't expect a top carry + +#define combads(h,l,numa) \ + mov rax, numa; \ + mul rax; \ + add l, rax; \ + adc h, rdx + +// A version doubling before adding, for non-square terms + +#define combadd2(c,h,l,numa,numb) \ 
+ mov rax, numa; \ + mul QWORD PTR numb; \ + add rax, rax; \ + adc rdx, rdx; \ + adc c, 0; \ + add l, rax; \ + adc h, rdx; \ + adc c, 0 + +S2N_BN_SYMBOL(bignum_sqr_4_8_alt): + endbr64 + +#if WINDOWS_ABI + push rdi + push rsi + mov rdi, rcx + mov rsi, rdx +#endif + +// Result term 0 + + mov rax, [x] + mul rax + + mov [z], rax + mov t0, rdx + xor t1, t1 + +// Result term 1 + + xor t2, t2 + combadd2(t2,t1,t0,[x],[x+8]) + mov [z+8], t0 + +// Result term 2 + + xor t0, t0 + combadd1(t0,t2,t1,[x+8]) + combadd2(t0,t2,t1,[x],[x+16]) + mov [z+16], t1 + +// Result term 3 + + xor t1, t1 + combadd2(t1,t0,t2,[x],[x+24]) + combadd2(t1,t0,t2,[x+8],[x+16]) + mov [z+24], t2 + +// Result term 4 + + xor t2, t2 + combadd2(t2,t1,t0,[x+8],[x+24]) + combadd1(t2,t1,t0,[x+16]) + mov [z+32], t0 + +// Result term 5 + + xor t0, t0 + combadd2(t0,t2,t1,[x+16],[x+24]) + mov [z+40], t1 + +// Result term 6 + + xor t1, t1 + combads(t0,t2,[x+24]) + mov [z+48], t2 + +// Result term 7 + + mov [z+56], t0 + +// Return + +#if WINDOWS_ABI + pop rsi + pop rdi +#endif + ret + +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/bn/arch/amd64/bignum_sqr_8_16_alt.S b/crypto/bn/arch/amd64/bignum_sqr_8_16_alt.S new file mode 100644 index 0000000..04efeec --- /dev/null +++ b/crypto/bn/arch/amd64/bignum_sqr_8_16_alt.S 
@@ -0,0 +1,242 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// +// Permission to use, copy, modify, and/or distribute this software for any +// purpose with or without fee is hereby granted, provided that the above +// copyright notice and this permission notice appear in all copies. +// +// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +// ---------------------------------------------------------------------------- +// Square, z := x^2 +// Input x[8]; output z[16] +// +// extern void bignum_sqr_8_16_alt (uint64_t z[static 16], uint64_t x[static 8]); +// +// Standard x86-64 ABI: RDI = z, RSI = x +// Microsoft x64 ABI: RCX = z, RDX = x +// ---------------------------------------------------------------------------- + +#include "s2n_bignum_internal.h" + + .intel_syntax noprefix + S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sqr_8_16_alt) + S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sqr_8_16_alt) + .text + +// Input arguments + +#define z rdi +#define x rsi + +// Other variables used as a rotating 3-word window to add terms to + +#define t0 r8 +#define t1 r9 +#define t2 r10 + +// Additional temporaries for local windows to share doublings + +#define u0 rcx +#define u1 r11 + +// Macro for the key "multiply and add to (c,h,l)" step + +#define combadd(c,h,l,numa,numb) \ + mov rax, numa; \ + mul QWORD PTR numb; \ + add l, rax; \ + adc h, rdx; \ + adc c, 0 + +// Set up initial window (c,h,l) = numa * numb + +#define combaddz(c,h,l,numa,numb) \ + mov rax, numa; \ + mul QWORD PTR numb; \ + xor c, c; \ 
+ mov l, rax; \ + mov h, rdx + +// Doubling step (c,h,l) = 2 * (c,hh,ll) + (0,h,l) + +#define doubladd(c,h,l,hh,ll) \ + add ll, ll; \ + adc hh, hh; \ + adc c, c; \ + add l, ll; \ + adc h, hh; \ + adc c, 0 + +// Square term incorporation (c,h,l) += numba^2 + +#define combadd1(c,h,l,numa) \ + mov rax, numa; \ + mul rax; \ + add l, rax; \ + adc h, rdx; \ + adc c, 0 + +// A short form where we don't expect a top carry + +#define combads(h,l,numa) \ + mov rax, numa; \ + mul rax; \ + add l, rax; \ + adc h, rdx + +// A version doubling directly before adding, for single non-square terms + +#define combadd2(c,h,l,numa,numb) \ + mov rax, numa; \ + mul QWORD PTR numb; \ + add rax, rax; \ + adc rdx, rdx; \ + adc c, 0; \ + add l, rax; \ + adc h, rdx; \ + adc c, 0 + +S2N_BN_SYMBOL(bignum_sqr_8_16_alt): + endbr64 + +#if WINDOWS_ABI + push rdi + push rsi + mov rdi, rcx + mov rsi, rdx +#endif + +// Result term 0 + + mov rax, [x] + mul rax + + mov [z], rax + mov t0, rdx + xor t1, t1 + +// Result term 1 + + xor t2, t2 + combadd2(t2,t1,t0,[x],[x+8]) + mov [z+8], t0 + +// Result term 2 + + xor t0, t0 + combadd1(t0,t2,t1,[x+8]) + combadd2(t0,t2,t1,[x],[x+16]) + mov [z+16], t1 + +// Result term 3 + + combaddz(t1,u1,u0,[x],[x+24]) + combadd(t1,u1,u0,[x+8],[x+16]) + doubladd(t1,t0,t2,u1,u0) + mov [z+24], t2 + +// Result term 4 + + combaddz(t2,u1,u0,[x],[x+32]) + combadd(t2,u1,u0,[x+8],[x+24]) + doubladd(t2,t1,t0,u1,u0) + combadd1(t2,t1,t0,[x+16]) + mov [z+32], t0 + +// Result term 5 + + combaddz(t0,u1,u0,[x],[x+40]) + combadd(t0,u1,u0,[x+8],[x+32]) + combadd(t0,u1,u0,[x+16],[x+24]) + doubladd(t0,t2,t1,u1,u0) + mov [z+40], t1 + +// Result term 6 + + combaddz(t1,u1,u0,[x],[x+48]) + combadd(t1,u1,u0,[x+8],[x+40]) + combadd(t1,u1,u0,[x+16],[x+32]) + doubladd(t1,t0,t2,u1,u0) + combadd1(t1,t0,t2,[x+24]) + mov [z+48], t2 + +// Result term 7 + + combaddz(t2,u1,u0,[x],[x+56]) + combadd(t2,u1,u0,[x+8],[x+48]) + combadd(t2,u1,u0,[x+16],[x+40]) + combadd(t2,u1,u0,[x+24],[x+32]) + 
doubladd(t2,t1,t0,u1,u0) + mov [z+56], t0 + +// Result term 8 + + combaddz(t0,u1,u0,[x+8],[x+56]) + combadd(t0,u1,u0,[x+16],[x+48]) + combadd(t0,u1,u0,[x+24],[x+40]) + doubladd(t0,t2,t1,u1,u0) + combadd1(t0,t2,t1,[x+32]) + mov [z+64], t1 + +// Result term 9 + + combaddz(t1,u1,u0,[x+16],[x+56]) + combadd(t1,u1,u0,[x+24],[x+48]) + combadd(t1,u1,u0,[x+32],[x+40]) + doubladd(t1,t0,t2,u1,u0) + mov [z+72], t2 + +// Result term 10 + + combaddz(t2,u1,u0,[x+24],[x+56]) + combadd(t2,u1,u0,[x+32],[x+48]) + doubladd(t2,t1,t0,u1,u0) + combadd1(t2,t1,t0,[x+40]) + mov [z+80], t0 + +// Result term 11 + + combaddz(t0,u1,u0,[x+32],[x+56]) + combadd(t0,u1,u0,[x+40],[x+48]) + doubladd(t0,t2,t1,u1,u0) + mov [z+88], t1 + +// Result term 12 + + xor t1, t1 + combadd2(t1,t0,t2,[x+40],[x+56]) + combadd1(t1,t0,t2,[x+48]) + mov [z+96], t2 + +// Result term 13 + + xor t2, t2 + combadd2(t2,t1,t0,[x+48],[x+56]) + mov [z+104], t0 + +// Result term 14 + + combads(t2,t1,[x+56]) + mov [z+112], t1 + +// Result term 15 + + mov [z+120], t2 + +// Return + +#if WINDOWS_ABI + pop rsi + pop rdi +#endif + ret + +#if defined(__linux__) && defined(__ELF__) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/bn/arch/amd64/bignum_sub.S b/crypto/bn/arch/amd64/bignum_sub.S new file mode 100644 index 0000000..11a9bd7 --- /dev/null +++ b/crypto/bn/arch/amd64/bignum_sub.S 
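Review bot: The macro comment `// Square term incorporation (c,h,l) += numba^2` misspells the parameter: the macro is `combadd1(c,h,l,numa)` and squares `numa` (`mov rax, numa; mul rax`), so it should read `(c,h,l) += numa^2`. As with the other s2n-bignum files in this diff, the fix presumably belongs upstream.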
@@ -0,0 +1,153 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// +// Permission to use, copy, modify, and/or distribute this software for any +// purpose with or without fee is hereby granted, provided that the above +// copyright notice and this permission notice appear in all copies. +// +// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +// ---------------------------------------------------------------------------- +// Subtract, z := x - y +// Inputs x[m], y[n]; outputs function return (carry-out) and z[p] +// +// extern uint64_t bignum_sub +// (uint64_t p, uint64_t *z, +// uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); +// +// Does the z := x - y operation, truncating modulo p words in general and +// returning a top borrow (0 or 1) in the p'th place, only subtracting input +// words below p (as well as m and n respectively) to get the diff and borrow. 
+// +// Standard x86-64 ABI: RDI = p, RSI = z, RDX = m, RCX = x, R8 = n, R9 = y, returns RAX +// Microsoft x64 ABI: RCX = p, RDX = z, R8 = m, R9 = x, [RSP+40] = n, [RSP+48] = y, returns RAX +// ---------------------------------------------------------------------------- + +#include "s2n_bignum_internal.h" + + .intel_syntax noprefix + S2N_BN_SYM_VISIBILITY_DIRECTIVE(bignum_sub) + S2N_BN_SYM_PRIVACY_DIRECTIVE(bignum_sub) + .text + +#define p rdi +#define z rsi +#define m rdx +#define x rcx +#define n r8 +#define y r9 +#define i r10 +#define a rax + +#define ashort eax + + + +S2N_BN_SYMBOL(bignum_sub): + endbr64 + +#if WINDOWS_ABI + push rdi + push rsi + mov rdi, rcx + mov rsi, rdx + mov rdx, r8 + mov rcx, r9 + mov r8, [rsp+56] + mov r9, [rsp+64] +#endif + +// Zero the main index counter for both branches + + xor i, i + +// First clamp the two input sizes m := min(p,m) and n := min(p,n) since +// we'll never need words past the p'th. Can now assume m <= p and n <= p. +// Then compare the modified m and n and branch accordingly + + cmp p, m + cmovc m, p + cmp p, n + cmovc n, p + cmp m, n + jc ylonger + +// The case where x is longer or of the same size (p >= m >= n) + + sub p, m + sub m, n + inc m + test n, n + jz xtest +xmainloop: + mov a, [x+8*i] + sbb a, [y+8*i] + mov [z+8*i],a + inc i + dec n + jnz xmainloop + jmp xtest +xtoploop: + mov a, [x+8*i] + sbb a, 0 + mov [z+8*i],a + inc i +xtest: + dec m + jnz xtoploop + sbb a, a + test p, p + jz tailskip +tailloop: + mov [z+8*i],a + inc i + dec p + jnz tailloop +tailskip: + neg a +#if WINDOWS_ABI + pop rsi + pop rdi +#endif + ret + +// The case where y is longer (p >= n > m) + +ylonger: + + sub p, n + sub n, m + test m, m + jz ytoploop +ymainloop: + mov a, [x+8*i] + sbb a, [y+8*i] + mov [z+8*i],a + inc i + dec m + jnz ymainloop +ytoploop: + mov ashort, 0 + sbb a, [y+8*i] + mov [z+8*i],a + inc i + dec n + jnz ytoploop + sbb a, a + test p, p + jnz tailloop + neg a +#if WINDOWS_ABI + pop rsi + pop rdi +#endif + ret + +#if 
defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/crypto/bn/arch/amd64/bn_arch.c b/crypto/bn/arch/amd64/bn_arch.c
new file mode 100644
index 0000000..55275aa
--- /dev/null
+++ b/crypto/bn/arch/amd64/bn_arch.c
@@ -0,0 +1,131 @@
+/* $OpenBSD: bn_arch.c,v 1.6 2023/02/22 05:46:37 jsing Exp $ */
+/*
+ * Copyright (c) 2023 Joel Sing
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+
+#include "bn_arch.h"
+#include "bn_local.h"
+#include "s2n_bignum.h"
+
+#ifdef HAVE_BN_ADD
+BN_ULONG
+bn_add(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
+ int b_len)
+{
+ return bignum_add(r_len, (uint64_t *)r, a_len, (uint64_t *)a,
+ b_len, (uint64_t *)b);
+}
+#endif
+
+
+#ifdef HAVE_BN_ADD_WORDS
+BN_ULONG
+bn_add_words(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd, int n)
+{
+ return bignum_add(n, (uint64_t *)rd, n, (uint64_t *)ad, n,
+ (uint64_t *)bd);
+}
+#endif
+
+#ifdef HAVE_BN_SUB
+BN_ULONG
+bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b,
+ int b_len)
+{
+ return bignum_sub(r_len, (uint64_t *)r, a_len, (uint64_t *)a,
+ b_len, (uint64_t *)b);
+}
+#endif
+
+#ifdef HAVE_BN_SUB_WORDS
+BN_ULONG
+bn_sub_words(BN_ULONG *rd, const BN_ULONG *ad, const BN_ULONG *bd, int n)
+{
+ return bignum_sub(n, (uint64_t *)rd, n, (uint64_t *)ad, n,
+ (uint64_t *)bd);
+}
+#endif
+
+#ifdef HAVE_BN_MUL_ADD_WORDS
+BN_ULONG
+bn_mul_add_words(BN_ULONG *rd, const BN_ULONG *ad, int num, BN_ULONG w)
+{
+ return bignum_cmadd(num, (uint64_t *)rd, w, num,
(uint64_t *)ad);
+}
+#endif
+
+#ifdef HAVE_BN_MUL_WORDS
+BN_ULONG
+bn_mul_words(BN_ULONG *rd, const BN_ULONG *ad, int num, BN_ULONG w)
+{
+ return bignum_cmul(num, (uint64_t *)rd, w, num, (uint64_t *)ad);
+}
+#endif
+
+#ifdef HAVE_BN_MUL_COMBA4
+void
+bn_mul_comba4(BN_ULONG *rd, BN_ULONG *ad, BN_ULONG *bd)
+{
+ /* XXX - consider using non-alt on CPUs that have the ADX extension. */
+ bignum_mul_4_8_alt((uint64_t *)rd, (uint64_t *)ad, (uint64_t *)bd);
+}
+#endif
+
+#ifdef HAVE_BN_MUL_COMBA8
+void
+bn_mul_comba8(BN_ULONG *rd, BN_ULONG *ad, BN_ULONG *bd)
+{
+ /* XXX - consider using non-alt on CPUs that have the ADX extension. */
+ bignum_mul_8_16_alt((uint64_t *)rd, (uint64_t *)ad, (uint64_t *)bd);
+}
+#endif
+
+#ifdef HAVE_BN_SQR
+int
+bn_sqr(BIGNUM *r, const BIGNUM *a, int rn, BN_CTX *ctx)
+{
+ bignum_sqr(rn, (uint64_t *)r->d, a->top, (uint64_t *)a->d);
+
+ return 1;
+}
+#endif
+
+#ifdef HAVE_BN_SQR_COMBA4
+void
+bn_sqr_comba4(BN_ULONG *rd, const BN_ULONG *ad)
+{
+ /* XXX - consider using non-alt on CPUs that have the ADX extension. */
+ bignum_sqr_4_8_alt((uint64_t *)rd, (uint64_t *)ad);
+}
+#endif
+
+#ifdef HAVE_BN_SQR_COMBA8
+void
+bn_sqr_comba8(BN_ULONG *rd, const BN_ULONG *ad)
+{
+ /* XXX - consider using non-alt on CPUs that have the ADX extension. */
+ bignum_sqr_8_16_alt((uint64_t *)rd, (uint64_t *)ad);
+}
+#endif
+
+#ifdef HAVE_BN_WORD_CLZ
+int
+bn_word_clz(BN_ULONG w)
+{
+ return word_clz(w);
+}
+#endif
diff --git a/crypto/bn/arch/amd64/bn_arch.h b/crypto/bn/arch/amd64/bn_arch.h
new file mode 100644
index 0000000..9d491e2
--- /dev/null
+++ b/crypto/bn/arch/amd64/bn_arch.h
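Review bot: The `int` lengths taken by bn_add, bn_add_words, bn_sub, bn_sub_words, bn_mul_add_words, bn_mul_words and bn_sqr (`r_len`, `a_len`, `b_len`, `n`, `num`, `rn`, `a->top`) are handed straight to s2n-bignum routines that take `uint64_t` word counts, so a negative value would widen to a count near 2^64 and the assembly would read and write far beyond the buffers; the BIGNUM callers presumably never pass a negative length, but that precondition is written down nowhere in this file. A header comment such as `/* All length arguments are non-negative word counts; they widen to the uint64_t sizes s2n-bignum expects, so callers must validate them. */` would record it. The `(uint64_t *)` casts on the `const BN_ULONG *` inputs (`a`, `b`, `ad`, `bd`, `a->d`) discard const; if the s2n-bignum prototypes take `const uint64_t *` for their inputs, `(const uint64_t *)` keeps the compiler's check that the wrappers never write through them. `bn_sqr` ignores `ctx` and always returns 1, which is reasonable for an in-place squaring that needs no scratch space, but a one-line comment saying so would stop a reader from looking for a missing failure path.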
@@ -0,0 +1,95 @@
+/* $OpenBSD: bn_arch.h,v 1.13 2023/02/16 11:13:05 jsing Exp $ */
+/*
+ * Copyright (c) 2023 Joel Sing
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+
+#ifndef HEADER_BN_ARCH_H
+#define HEADER_BN_ARCH_H
+
+#ifdef _WIN32
+#define OPENSSL_NO_ASM
+#else
+
+#ifndef OPENSSL_NO_ASM
+
+#define HAVE_BN_ADD
+#define HAVE_BN_ADD_WORDS
+
+#define HAVE_BN_DIV_WORDS
+
+#define HAVE_BN_MUL_ADD_WORDS
+#define HAVE_BN_MUL_COMBA4
+#define HAVE_BN_MUL_COMBA8
+#define HAVE_BN_MUL_WORDS
+
+#define HAVE_BN_SQR
+#define HAVE_BN_SQR_COMBA4
+#define HAVE_BN_SQR_COMBA8
+
+#define HAVE_BN_SUB
+#define HAVE_BN_SUB_WORDS
+
+#define HAVE_BN_WORD_CLZ
+
+#if defined(__GNUC__)
+#define HAVE_BN_DIV_REM_WORDS_INLINE
+
+static inline void
+bn_div_rem_words_inline(BN_ULONG h, BN_ULONG l, BN_ULONG d, BN_ULONG *out_q,
+ BN_ULONG *out_r)
+{
+ BN_ULONG q, r;
+
+ /*
+ * Unsigned division of %rdx:%rax by d with quotient being stored in
+ * %rax and remainder in %rdx.
+ */
+ __asm__ volatile ("divq %4"
+ : "=a"(q), "=d"(r)
+ : "d"(h), "a"(l), "rm"(d)
+ : "cc");
+
+ *out_q = q;
+ *out_r = r;
+}
+#endif /* __GNUC__ */
+
+#if defined(__GNUC__)
+#define HAVE_BN_MULW
+
+static inline void
+bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0)
+{
+ BN_ULONG r1, r0;
+
+ /*
+ * Unsigned multiplication of %rax, with the double word result being
+ * stored in %rdx:%rax.
+ */
+ __asm__ ("mulq %3"
+ : "=d"(r1), "=a"(r0)
+ : "a"(a), "rm"(b)
+ : "cc");
+
+ *out_r1 = r1;
+ *out_r0 = r0;
+}
+#endif /* __GNUC__ */
+#endif /* _WIN32 */
+
+#endif
+#endif
diff --git a/crypto/bn/arch/amd64/word_clz.S b/crypto/bn/arch/amd64/word_clz.S
new file mode 100644
index 0000000..464a9d9
--- /dev/null
+++ b/crypto/bn/arch/amd64/word_clz.S
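Review bot: The closing-directive labels at the end of the header do not match what they close: `#endif /* _WIN32 */` actually closes `#ifndef OPENSSL_NO_ASM`, and the two bare `#endif`s close the `#ifdef _WIN32`/`#else` and the `HEADER_BN_ARCH_H` guard, so with four nested conditionals they should read `#endif /* OPENSSL_NO_ASM */`, `#endif /* _WIN32 */`, `#endif /* HEADER_BN_ARCH_H */`. The `divq` in bn_div_rem_words_inline raises #DE when `d == 0` or when the quotient does not fit in 64 bits (`h >= d`), and nothing states that precondition; a line `/* Requires d != 0 and h < d, otherwise divq faults. */` above the asm would do, and the i386 header in this diff has the same gap for `divl`. The unconditional `#define OPENSSL_NO_ASM` under `_WIN32` also deserves a one-line reason, since the assembly in this diff carries `WINDOWS_ABI` prologues, so this is presumably a toolchain rather than an ABI limitation. The system `#include` on the line before `#ifndef HEADER_BN_ARCH_H` sits outside the include guard here and in the i386 header; the conventional place is just after `#define HEADER_BN_ARCH_H`.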
@@ -0,0 +1,60 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+//
+// Permission to use, copy, modify, and/or distribute this software for any
+// purpose with or without fee is hereby granted, provided that the above
+// copyright notice and this permission notice appear in all copies.
+//
+// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+// ----------------------------------------------------------------------------
+// Count leading zero bits in a single word
+// Input a; output function return
+//
+// extern uint64_t word_clz (uint64_t a);
+//
+// Standard x86-64 ABI: RDI = a, returns RAX
+// Microsoft x64 ABI: RCX = a, returns RAX
+// ----------------------------------------------------------------------------
+
+#include "s2n_bignum_internal.h"
+
+ .intel_syntax noprefix
+ S2N_BN_SYM_VISIBILITY_DIRECTIVE(word_clz)
+ S2N_BN_SYM_PRIVACY_DIRECTIVE(word_clz)
+ .text
+
+S2N_BN_SYMBOL(word_clz):
+ endbr64
+
+#if WINDOWS_ABI
+ push rdi
+ push rsi
+ mov rdi, rcx
+#endif
+
+// First do rax = 63 - bsr(a), which is right except (maybe) for zero inputs
+
+ bsr rax, rdi
+ xor rax, 63
+
+// Force return of 64 in the zero-input case
+
+ mov edx, 64
+ test rdi, rdi
+ cmove rax, rdx
+
+#if WINDOWS_ABI
+ pop rsi
+ pop rdi
+#endif
+ ret
+
+#if defined(__linux__) && defined(__ELF__)
+.section .note.GNU-stack,"",%progbits
+#endif
diff --git a/crypto/bn/arch/arm/bn_arch.h b/crypto/bn/arch/arm/bn_arch.h
new file mode 100644
index 0000000..136adf0
--- /dev/null
+++ b/crypto/bn/arch/arm/bn_arch.h
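Review bot: Under `WINDOWS_ABI` the prologue pushes both rdi and rsi, but the routine only writes rdi (`mov rdi, rcx`), so the rsi save and restore are dead; if they are kept for uniformity with the other s2n-bignum entry points in this diff, a comment saying so would stop someone "fixing" it later. The `xor rax, 63` after `bsr` reads as an arbitrary constant and deserves its own why-comment, e.g. `// bsr yields an index in 0..63, so 63 - idx == idx ^ 63`. The zero-input case is handled by the `cmove`, as the existing comment says, and yields 64; stating that return value in the header block (`// Returns 64 for a == 0`) documents the contract the C wrapper sees.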
@@ -0,0 +1,24 @@
+/* $OpenBSD: bn_arch.h,v 1.1 2023/01/20 10:04:33 jsing Exp $ */
+/*
+ * Copyright (c) 2023 Joel Sing
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HEADER_BN_ARCH_H
+#define HEADER_BN_ARCH_H
+
+#ifndef OPENSSL_NO_ASM
+
+#endif
+#endif
diff --git a/crypto/bn/arch/i386/bn_arch.h b/crypto/bn/arch/i386/bn_arch.h
new file mode 100644
index 0000000..eef519f
--- /dev/null
+++ b/crypto/bn/arch/i386/bn_arch.h
@@ -0,0 +1,86 @@
+/* $OpenBSD: bn_arch.h,v 1.9 2023/02/16 10:41:03 jsing Exp $ */
+/*
+ * Copyright (c) 2023 Joel Sing
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+
+#ifndef HEADER_BN_ARCH_H
+#define HEADER_BN_ARCH_H
+
+#ifndef OPENSSL_NO_ASM
+
+#define HAVE_BN_ADD_WORDS
+
+#define HAVE_BN_DIV_WORDS
+
+#define HAVE_BN_MUL_ADD_WORDS
+#define HAVE_BN_MUL_COMBA4
+#define HAVE_BN_MUL_COMBA8
+#define HAVE_BN_MUL_WORDS
+
+#define HAVE_BN_SQR_COMBA4
+#define HAVE_BN_SQR_COMBA8
+#define HAVE_BN_SQR_WORDS
+
+#define HAVE_BN_SUB_WORDS
+
+#if defined(__GNUC__)
+#define HAVE_BN_DIV_REM_WORDS_INLINE
+
+static inline void
+bn_div_rem_words_inline(BN_ULONG h, BN_ULONG l, BN_ULONG d, BN_ULONG *out_q,
+ BN_ULONG *out_r)
+{
+ BN_ULONG q, r;
+
+ /*
+ * Unsigned division of %edx:%eax by d with quotient being stored in
+ * %eax and remainder in %edx.
+ */
+ __asm__ volatile ("divl %4"
+ : "=a"(q), "=d"(r)
+ : "a"(l), "d"(h), "rm"(d)
+ : "cc");
+
+ *out_q = q;
+ *out_r = r;
+}
+#endif /* __GNUC__ */
+
+#if defined(__GNUC__)
+#define HAVE_BN_MULW
+
+static inline void
+bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0)
+{
+ BN_ULONG r1, r0;
+
+ /*
+ * Unsigned multiplication of %eax, with the double word result being
+ * stored in %edx:%eax.
+ */
+ __asm__ ("mull %3"
+ : "=d"(r1), "=a"(r0)
+ : "a"(a), "rm"(b)
+ : "cc");
+
+ *out_r1 = r1;
+ *out_r0 = r0;
+}
+#endif /* __GNUC__ */
+
+#endif
+#endif
diff --git a/crypto/bn/arch/mips/bn_arch.h b/crypto/bn/arch/mips/bn_arch.h
new file mode 100644
index 0000000..4d6571f
--- /dev/null
+++ b/crypto/bn/arch/mips/bn_arch.h
@@ -0,0 +1,24 @@
+/* $OpenBSD: bn_arch.h,v 1.1 2023/01/20 10:04:34 jsing Exp $ */
+/*
+ * Copyright (c) 2023 Joel Sing
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HEADER_BN_ARCH_H
+#define HEADER_BN_ARCH_H
+
+#ifndef OPENSSL_NO_ASM
+
+#endif
+#endif
diff --git a/crypto/bn/arch/mips64/bn_arch.h b/crypto/bn/arch/mips64/bn_arch.h
new file mode 100644
index 0000000..53771bc
--- /dev/null
+++ b/crypto/bn/arch/mips64/bn_arch.h
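Review bot: The `HAVE_BN_*` block in this header switches on assembly implementations (`bn_mul_comba4/8`, `bn_sqr_comba4/8`, `bn_div_words`, `bn_mul_add_words`, ...) that are not defined in the header, and nothing says which object provides them; a comment above the list naming the assembly source those symbols come from would save the next reader a search, and the mips64 and powerpc headers in this diff have the same gap. The two inline helpers are the only code here, so the header otherwise reads cleanly; the `divl` precondition and the include placed outside the guard are the points already noted on the amd64 header.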
@@ -0,0 +1,40 @@
+/* $OpenBSD: bn_arch.h,v 1.7 2023/01/23 12:17:58 jsing Exp $ */
+/*
+ * Copyright (c) 2023 Joel Sing
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HEADER_BN_ARCH_H
+#define HEADER_BN_ARCH_H
+
+#ifndef OPENSSL_NO_ASM
+
+#define HAVE_BN_ADD_WORDS
+
+#define HAVE_BN_DIV_WORDS
+#define HAVE_BN_DIV_3_WORDS
+
+#define HAVE_BN_MUL_ADD_WORDS
+#define HAVE_BN_MUL_COMBA4
+#define HAVE_BN_MUL_COMBA8
+#define HAVE_BN_MUL_WORDS
+
+#define HAVE_BN_SQR_COMBA4
+#define HAVE_BN_SQR_COMBA8
+#define HAVE_BN_SQR_WORDS
+
+#define HAVE_BN_SUB_WORDS
+
+#endif
+#endif
diff --git a/crypto/bn/arch/powerpc/bn_arch.h b/crypto/bn/arch/powerpc/bn_arch.h
new file mode 100644
index 0000000..46e932a
--- /dev/null
+++ b/crypto/bn/arch/powerpc/bn_arch.h
@@ -0,0 +1,39 @@
+/* $OpenBSD: bn_arch.h,v 1.6 2023/01/23 12:17:58 jsing Exp $ */
+/*
+ * Copyright (c) 2023 Joel Sing
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HEADER_BN_ARCH_H
+#define HEADER_BN_ARCH_H
+
+#ifndef OPENSSL_NO_ASM
+
+#define HAVE_BN_ADD_WORDS
+
+#define HAVE_BN_DIV_WORDS
+
+#define HAVE_BN_MUL_ADD_WORDS
+#define HAVE_BN_MUL_COMBA4
+#define HAVE_BN_MUL_COMBA8
+#define HAVE_BN_MUL_WORDS
+
+#define HAVE_BN_SQR_COMBA4
+#define HAVE_BN_SQR_COMBA8
+#define HAVE_BN_SQR_WORDS
+
+#define HAVE_BN_SUB_WORDS
+
+#endif
+#endif
diff --git a/crypto/bn/arch/powerpc64/bn_arch.h b/crypto/bn/arch/powerpc64/bn_arch.h
new file mode 100644
index 0000000..18bac20
--- /dev/null
+++ b/crypto/bn/arch/powerpc64/bn_arch.h
@@ -0,0 +1,44 @@
+/* $OpenBSD: bn_arch.h,v 1.4 2023/02/16 10:41:03 jsing Exp $ */
+/*
+ * Copyright (c) 2023 Joel Sing
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HEADER_BN_ARCH_H
+#define HEADER_BN_ARCH_H
+
+#ifndef OPENSSL_NO_ASM
+
+#if 0 /* Needs testing and enabling. */
+#if defined(__GNUC__)
+#define HAVE_BN_MULW
+
+static inline void
+bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0)
+{
+ BN_ULONG r1, r0;
+
+ /* Unsigned multiplication using a mulhdu/mul pair. */
+ __asm__ ("mulhdu %0, %2, %3; mul %1, %2, %3"
+ : "=&r"(r1), "=r"(r0)
+ : "r"(a), "r"(b));
+
+ *out_r1 = r1;
+ *out_r0 = r0;
+}
+#endif /* __GNUC__ */
+#endif
+
+#endif
+#endif
diff --git a/crypto/bn/arch/riscv64/bn_arch.h b/crypto/bn/arch/riscv64/bn_arch.h
new file mode 100644
index 0000000..354774c
--- /dev/null
+++ b/crypto/bn/arch/riscv64/bn_arch.h
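Review bot: Inside the `#if 0` block the low half of the product is computed with `mul`, but the 64-bit PowerPC mnemonic for the low doubleword is `mulld`; as far as I can tell `mul` is the original POWER-era instruction, which the assembler only accepts in that dialect, so this is likely one reason the block is still disabled. If the block is kept, the line to test is `__asm__ ("mulhdu %0, %2, %3; mulld %1, %2, %3"` with the comment updated to say "mulhdu/mulld pair". Shipping inline asm under `#if 0` in an installed header is easy to lose track of; replacing `/* Needs testing and enabling. */` with the specific failure seen or a tracking reference would help, and the same applies to the riscv64 header in this diff.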
@@ -0,0 +1,48 @@
+/* $OpenBSD: bn_arch.h,v 1.4 2023/02/16 10:41:03 jsing Exp $ */
+/*
+ * Copyright (c) 2023 Joel Sing
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HEADER_BN_ARCH_H
+#define HEADER_BN_ARCH_H
+
+#ifndef OPENSSL_NO_ASM
+
+#if 0 /* Needs testing and enabling. */
+#if defined(__GNUC__)
+#define HAVE_BN_MULW
+
+static inline void
+bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0)
+{
+ BN_ULONG r1, r0;
+
+ /*
+ * Unsigned multiplication using a mulh/mul pair. Note that the order
+ * of these instructions is important, as they can potentially be fused
+ * into a single operation.
+ */
+ __asm__ ("mulh %0, %2, %3; mul %1, %2, %3"
+ : "=&r"(r1), "=r"(r0)
+ : "r"(a), "r"(b));
+
+ *out_r1 = r1;
+ *out_r0 = r0;
+}
+#endif /* __GNUC__ */
+#endif
+
+#endif
+#endif
diff --git a/crypto/bn/arch/sparc64/bn_arch.h b/crypto/bn/arch/sparc64/bn_arch.h
new file mode 100644
index 0000000..4d6571f
--- /dev/null
+++ b/crypto/bn/arch/sparc64/bn_arch.h
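Review bot: `mulh` returns the high word of the signed×signed product, so the disabled `bn_mulw` would yield a wrong `r1` whenever either operand has its top bit set; for the unsigned 64×64→128 product the comment describes, the upper half must come from `mulhu`: `__asm__ ("mulhu %0, %2, %3; mul %1, %2, %3"`, with the comment changed to "mulhu/mul pair". The high-then-low ordering the comment relies on for fusion still holds after that change. This is `#if 0` code, but a header that ships the wrong instruction under `/* Needs testing and enabling. */` is a trap for whoever enables it, and a BN_ULONG with the top bit set is the common case in bignum arithmetic, so the error would not show up on small test values.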
@@ -0,0 +1,24 @@
+/* $OpenBSD: bn_arch.h,v 1.1 2023/01/20 10:04:34 jsing Exp $ */
+/*
+ * Copyright (c) 2023 Joel Sing
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HEADER_BN_ARCH_H
+#define HEADER_BN_ARCH_H
+
+#ifndef OPENSSL_NO_ASM
+
+#endif
+#endif
diff --git a/crypto/bn/bn-mips.S b/crypto/bn/bn-mips.S
new file mode 100644
index 0000000..eb4ac9b
--- /dev/null
+++ b/crypto/bn/bn-mips.S
@@ -0,0 +1,2162 @@ +.set mips2 +.rdata +.asciiz "mips3.s, Version 1.2" +.asciiz "MIPS II/III/IV ISA artwork by Andy Polyakov " + +.text +.set noat + +.align 5 +.globl bn_mul_add_words +.ent bn_mul_add_words +bn_mul_add_words: + .set noreorder + bgtz $6,bn_mul_add_words_internal + move $2,$0 + jr $31 + move $4,$2 +.end bn_mul_add_words + +.align 5 +.ent bn_mul_add_words_internal +bn_mul_add_words_internal: + .set reorder + li $3,-4 + and $8,$6,$3 + beqz $8,.L_bn_mul_add_words_tail + +.L_bn_mul_add_words_loop: + lw $12,0($5) + multu $12,$7 + lw $13,0($4) + lw $14,4($5) + lw $15,4($4) + lw $8,2*4($5) + lw $9,2*4($4) + addu $13,$2 + sltu $2,$13,$2 # All manuals say it "compares 32-bit + # values", but it seems to work fine + # even on 64-bit registers. + mflo $1 + mfhi $12 + addu $13,$1 + addu $2,$12 + multu $14,$7 + sltu $1,$13,$1 + sw $13,0($4) + addu $2,$1 + + lw $10,3*4($5) + lw $11,3*4($4) + addu $15,$2 + sltu $2,$15,$2 + mflo $1 + mfhi $14 + addu $15,$1 + addu $2,$14 + multu $8,$7 + sltu $1,$15,$1 + sw $15,4($4) + addu $2,$1 + + subu $6,4 + addu $4,4*4 + addu $5,4*4 + addu $9,$2 + sltu $2,$9,$2 + mflo $1 + mfhi $8 + addu $9,$1 + addu $2,$8 + multu $10,$7 + sltu $1,$9,$1 + sw $9,-2*4($4) + addu $2,$1 + + + and $8,$6,$3 + addu $11,$2 + sltu $2,$11,$2 + mflo $1 + mfhi $10 + addu $11,$1 + addu $2,$10 + sltu $1,$11,$1 + sw $11,-4($4) + .set noreorder + bgtz $8,.L_bn_mul_add_words_loop + addu $2,$1 + + beqz $6,.L_bn_mul_add_words_return + nop + +.L_bn_mul_add_words_tail: + .set reorder + lw $12,0($5) + multu $12,$7 + lw $13,0($4) + subu $6,1 + addu $13,$2 + sltu $2,$13,$2 + mflo $1 + mfhi $12 + addu $13,$1 + addu $2,$12 + sltu $1,$13,$1 + sw $13,0($4) + addu $2,$1 + beqz $6,.L_bn_mul_add_words_return + + lw $12,4($5) + multu $12,$7 + lw $13,4($4) + subu $6,1 + addu $13,$2 + sltu $2,$13,$2 + mflo $1 + mfhi $12 + addu $13,$1 + addu $2,$12 + sltu $1,$13,$1 + sw $13,4($4) + addu $2,$1 + beqz $6,.L_bn_mul_add_words_return + + lw $12,2*4($5) + multu $12,$7 + lw $13,2*4($4) + 
addu $13,$2 + sltu $2,$13,$2 + mflo $1 + mfhi $12 + addu $13,$1 + addu $2,$12 + sltu $1,$13,$1 + sw $13,2*4($4) + addu $2,$1 + +.L_bn_mul_add_words_return: + .set noreorder + jr $31 + move $4,$2 +.end bn_mul_add_words_internal + +.align 5 +.globl bn_mul_words +.ent bn_mul_words +bn_mul_words: + .set noreorder + bgtz $6,bn_mul_words_internal + move $2,$0 + jr $31 + move $4,$2 +.end bn_mul_words + +.align 5 +.ent bn_mul_words_internal +bn_mul_words_internal: + .set reorder + li $3,-4 + and $8,$6,$3 + beqz $8,.L_bn_mul_words_tail + +.L_bn_mul_words_loop: + lw $12,0($5) + multu $12,$7 + lw $14,4($5) + lw $8,2*4($5) + lw $10,3*4($5) + mflo $1 + mfhi $12 + addu $2,$1 + sltu $13,$2,$1 + multu $14,$7 + sw $2,0($4) + addu $2,$13,$12 + + subu $6,4 + addu $4,4*4 + addu $5,4*4 + mflo $1 + mfhi $14 + addu $2,$1 + sltu $15,$2,$1 + multu $8,$7 + sw $2,-3*4($4) + addu $2,$15,$14 + + mflo $1 + mfhi $8 + addu $2,$1 + sltu $9,$2,$1 + multu $10,$7 + sw $2,-2*4($4) + addu $2,$9,$8 + + and $8,$6,$3 + mflo $1 + mfhi $10 + addu $2,$1 + sltu $11,$2,$1 + sw $2,-4($4) + .set noreorder + bgtz $8,.L_bn_mul_words_loop + addu $2,$11,$10 + + beqz $6,.L_bn_mul_words_return + nop + +.L_bn_mul_words_tail: + .set reorder + lw $12,0($5) + multu $12,$7 + subu $6,1 + mflo $1 + mfhi $12 + addu $2,$1 + sltu $13,$2,$1 + sw $2,0($4) + addu $2,$13,$12 + beqz $6,.L_bn_mul_words_return + + lw $12,4($5) + multu $12,$7 + subu $6,1 + mflo $1 + mfhi $12 + addu $2,$1 + sltu $13,$2,$1 + sw $2,4($4) + addu $2,$13,$12 + beqz $6,.L_bn_mul_words_return + + lw $12,2*4($5) + multu $12,$7 + mflo $1 + mfhi $12 + addu $2,$1 + sltu $13,$2,$1 + sw $2,2*4($4) + addu $2,$13,$12 + +.L_bn_mul_words_return: + .set noreorder + jr $31 + move $4,$2 +.end bn_mul_words_internal + +.align 5 +.globl bn_sqr_words +.ent bn_sqr_words +bn_sqr_words: + .set noreorder + bgtz $6,bn_sqr_words_internal + move $2,$0 + jr $31 + move $4,$2 +.end bn_sqr_words + +.align 5 +.ent bn_sqr_words_internal +bn_sqr_words_internal: + .set reorder + li $3,-4 + 
and $8,$6,$3 + beqz $8,.L_bn_sqr_words_tail + +.L_bn_sqr_words_loop: + lw $12,0($5) + multu $12,$12 + lw $14,4($5) + lw $8,2*4($5) + lw $10,3*4($5) + mflo $13 + mfhi $12 + sw $13,0($4) + sw $12,4($4) + + multu $14,$14 + subu $6,4 + addu $4,8*4 + addu $5,4*4 + mflo $15 + mfhi $14 + sw $15,-6*4($4) + sw $14,-5*4($4) + + multu $8,$8 + mflo $9 + mfhi $8 + sw $9,-4*4($4) + sw $8,-3*4($4) + + + multu $10,$10 + and $8,$6,$3 + mflo $11 + mfhi $10 + sw $11,-2*4($4) + + .set noreorder + bgtz $8,.L_bn_sqr_words_loop + sw $10,-4($4) + + beqz $6,.L_bn_sqr_words_return + nop + +.L_bn_sqr_words_tail: + .set reorder + lw $12,0($5) + multu $12,$12 + subu $6,1 + mflo $13 + mfhi $12 + sw $13,0($4) + sw $12,4($4) + beqz $6,.L_bn_sqr_words_return + + lw $12,4($5) + multu $12,$12 + subu $6,1 + mflo $13 + mfhi $12 + sw $13,2*4($4) + sw $12,3*4($4) + beqz $6,.L_bn_sqr_words_return + + lw $12,2*4($5) + multu $12,$12 + mflo $13 + mfhi $12 + sw $13,4*4($4) + sw $12,5*4($4) + +.L_bn_sqr_words_return: + .set noreorder + jr $31 + move $4,$2 + +.end bn_sqr_words_internal + +.align 5 +.globl bn_add_words +.ent bn_add_words +bn_add_words: + .set noreorder + bgtz $7,bn_add_words_internal + move $2,$0 + jr $31 + move $4,$2 +.end bn_add_words + +.align 5 +.ent bn_add_words_internal +bn_add_words_internal: + .set reorder + li $3,-4 + and $1,$7,$3 + beqz $1,.L_bn_add_words_tail + +.L_bn_add_words_loop: + lw $12,0($5) + lw $8,0($6) + subu $7,4 + lw $13,4($5) + and $1,$7,$3 + lw $14,2*4($5) + addu $6,4*4 + lw $15,3*4($5) + addu $4,4*4 + lw $9,-3*4($6) + addu $5,4*4 + lw $10,-2*4($6) + lw $11,-4($6) + addu $8,$12 + sltu $24,$8,$12 + addu $12,$8,$2 + sltu $2,$12,$8 + sw $12,-4*4($4) + addu $2,$24 + + addu $9,$13 + sltu $25,$9,$13 + addu $13,$9,$2 + sltu $2,$13,$9 + sw $13,-3*4($4) + addu $2,$25 + + addu $10,$14 + sltu $24,$10,$14 + addu $14,$10,$2 + sltu $2,$14,$10 + sw $14,-2*4($4) + addu $2,$24 + + addu $11,$15 + sltu $25,$11,$15 + addu $15,$11,$2 + sltu $2,$15,$11 + sw $15,-4($4) + + .set noreorder + 
bgtz $1,.L_bn_add_words_loop + addu $2,$25 + + beqz $7,.L_bn_add_words_return + nop + +.L_bn_add_words_tail: + .set reorder + lw $12,0($5) + lw $8,0($6) + addu $8,$12 + subu $7,1 + sltu $24,$8,$12 + addu $12,$8,$2 + sltu $2,$12,$8 + sw $12,0($4) + addu $2,$24 + beqz $7,.L_bn_add_words_return + + lw $13,4($5) + lw $9,4($6) + addu $9,$13 + subu $7,1 + sltu $25,$9,$13 + addu $13,$9,$2 + sltu $2,$13,$9 + sw $13,4($4) + addu $2,$25 + beqz $7,.L_bn_add_words_return + + lw $14,2*4($5) + lw $10,2*4($6) + addu $10,$14 + sltu $24,$10,$14 + addu $14,$10,$2 + sltu $2,$14,$10 + sw $14,2*4($4) + addu $2,$24 + +.L_bn_add_words_return: + .set noreorder + jr $31 + move $4,$2 + +.end bn_add_words_internal + +.align 5 +.globl bn_sub_words +.ent bn_sub_words +bn_sub_words: + .set noreorder + bgtz $7,bn_sub_words_internal + move $2,$0 + jr $31 + move $4,$0 +.end bn_sub_words + +.align 5 +.ent bn_sub_words_internal +bn_sub_words_internal: + .set reorder + li $3,-4 + and $1,$7,$3 + beqz $1,.L_bn_sub_words_tail + +.L_bn_sub_words_loop: + lw $12,0($5) + lw $8,0($6) + subu $7,4 + lw $13,4($5) + and $1,$7,$3 + lw $14,2*4($5) + addu $6,4*4 + lw $15,3*4($5) + addu $4,4*4 + lw $9,-3*4($6) + addu $5,4*4 + lw $10,-2*4($6) + lw $11,-4($6) + sltu $24,$12,$8 + subu $8,$12,$8 + subu $12,$8,$2 + sgtu $2,$12,$8 + sw $12,-4*4($4) + addu $2,$24 + + sltu $25,$13,$9 + subu $9,$13,$9 + subu $13,$9,$2 + sgtu $2,$13,$9 + sw $13,-3*4($4) + addu $2,$25 + + + sltu $24,$14,$10 + subu $10,$14,$10 + subu $14,$10,$2 + sgtu $2,$14,$10 + sw $14,-2*4($4) + addu $2,$24 + + sltu $25,$15,$11 + subu $11,$15,$11 + subu $15,$11,$2 + sgtu $2,$15,$11 + sw $15,-4($4) + + .set noreorder + bgtz $1,.L_bn_sub_words_loop + addu $2,$25 + + beqz $7,.L_bn_sub_words_return + nop + +.L_bn_sub_words_tail: + .set reorder + lw $12,0($5) + lw $8,0($6) + subu $7,1 + sltu $24,$12,$8 + subu $8,$12,$8 + subu $12,$8,$2 + sgtu $2,$12,$8 + sw $12,0($4) + addu $2,$24 + beqz $7,.L_bn_sub_words_return + + lw $13,4($5) + subu $7,1 + lw $9,4($6) + sltu 
$25,$13,$9 + subu $9,$13,$9 + subu $13,$9,$2 + sgtu $2,$13,$9 + sw $13,4($4) + addu $2,$25 + beqz $7,.L_bn_sub_words_return + + lw $14,2*4($5) + lw $10,2*4($6) + sltu $24,$14,$10 + subu $10,$14,$10 + subu $14,$10,$2 + sgtu $2,$14,$10 + sw $14,2*4($4) + addu $2,$24 + +.L_bn_sub_words_return: + .set noreorder + jr $31 + move $4,$2 +.end bn_sub_words_internal + +.align 5 +.globl bn_div_3_words +.ent bn_div_3_words +bn_div_3_words: + .set noreorder + move $7,$4 # we know that bn_div_words does not + # touch $7, $10, $11 and preserves $6 + # so that we can save two arguments + # and return address in registers + # instead of stack:-) + + lw $4,($7) + move $10,$5 + bne $4,$6,bn_div_3_words_internal + lw $5,-4($7) + li $2,-1 + jr $31 + move $4,$2 +.end bn_div_3_words + +.align 5 +.ent bn_div_3_words_internal +bn_div_3_words_internal: + .set reorder + move $11,$31 + bal bn_div_words_internal + move $31,$11 + multu $10,$2 + lw $14,-2*4($7) + move $8,$0 + mfhi $13 + mflo $12 + sltu $24,$13,$5 +.L_bn_div_3_words_inner_loop: + bnez $24,.L_bn_div_3_words_inner_loop_done + sgeu $1,$14,$12 + seq $25,$13,$5 + and $1,$25 + sltu $15,$12,$10 + addu $5,$6 + subu $13,$15 + subu $12,$10 + sltu $24,$13,$5 + sltu $8,$5,$6 + or $24,$8 + .set noreorder + beqz $1,.L_bn_div_3_words_inner_loop + subu $2,1 + addu $2,1 + .set reorder +.L_bn_div_3_words_inner_loop_done: + .set noreorder + jr $31 + move $4,$2 +.end bn_div_3_words_internal + +.align 5 +.globl bn_div_words +.ent bn_div_words +bn_div_words: + .set noreorder + bnez $6,bn_div_words_internal + li $2,-1 # I would rather signal div-by-zero + # which can be done with 'break 7' + jr $31 + move $4,$2 +.end bn_div_words + +.align 5 +.ent bn_div_words_internal +bn_div_words_internal: + move $3,$0 + bltz $6,.L_bn_div_words_body + move $25,$3 + sll $6,1 + bgtz $6,.-4 + addu $25,1 + + .set reorder + negu $13,$25 + li $14,-1 + sll $14,$13 + and $14,$4 + srl $1,$5,$13 + .set noreorder + beqz $14,.+12 + nop + break 6 # signal overflow + .set reorder 
+ sll $4,$25 + sll $5,$25 + or $4,$1 +.L_bn_div_words_body: + srl $3,$6,4*4 # bits + sgeu $1,$4,$6 + .set noreorder + beqz $1,.+12 + nop + subu $4,$6 + .set reorder + + li $8,-1 + srl $9,$4,4*4 # bits + srl $8,4*4 # q=0xffffffff + beq $3,$9,.L_bn_div_words_skip_div1 + divu $0,$4,$3 + mflo $8 +.L_bn_div_words_skip_div1: + multu $6,$8 + sll $15,$4,4*4 # bits + srl $1,$5,4*4 # bits + or $15,$1 + mflo $12 + mfhi $13 +.L_bn_div_words_inner_loop1: + sltu $14,$15,$12 + seq $24,$9,$13 + sltu $1,$9,$13 + and $14,$24 + sltu $2,$12,$6 + or $1,$14 + .set noreorder + beqz $1,.L_bn_div_words_inner_loop1_done + subu $13,$2 + subu $12,$6 + b .L_bn_div_words_inner_loop1 + subu $8,1 + .set reorder +.L_bn_div_words_inner_loop1_done: + + sll $5,4*4 # bits + subu $4,$15,$12 + sll $2,$8,4*4 # bits + + li $8,-1 + srl $9,$4,4*4 # bits + srl $8,4*4 # q=0xffffffff + beq $3,$9,.L_bn_div_words_skip_div2 + divu $0,$4,$3 + mflo $8 +.L_bn_div_words_skip_div2: + multu $6,$8 + sll $15,$4,4*4 # bits + srl $1,$5,4*4 # bits + or $15,$1 + mflo $12 + mfhi $13 +.L_bn_div_words_inner_loop2: + sltu $14,$15,$12 + seq $24,$9,$13 + sltu $1,$9,$13 + and $14,$24 + sltu $3,$12,$6 + or $1,$14 + .set noreorder + beqz $1,.L_bn_div_words_inner_loop2_done + subu $13,$3 + subu $12,$6 + b .L_bn_div_words_inner_loop2 + subu $8,1 + .set reorder +.L_bn_div_words_inner_loop2_done: + + subu $4,$15,$12 + or $2,$8 + srl $3,$4,$25 # $3 contains remainder if anybody wants it + srl $6,$25 # restore $6 + + .set noreorder + move $5,$3 + jr $31 + move $4,$2 +.end bn_div_words_internal + +.align 5 +.globl bn_mul_comba8 +.ent bn_mul_comba8 +bn_mul_comba8: + .set noreorder + .frame $29,6*4,$31 + .mask 0x003f0000,-4 + subu $29,6*4 + sw $21,5*4($29) + sw $20,4*4($29) + sw $19,3*4($29) + sw $18,2*4($29) + sw $17,1*4($29) + sw $16,0*4($29) + + .set reorder + lw $12,0($5) # If compiled with -mips3 option on + # R5000 box assembler barks on this + # 1ine with "should not have mult/div + # as last instruction in bb (R10K + # bug)" warning. 
If anybody out there + # has a clue about how to circumvent + # this do send me a note. + # + + lw $8,0($6) + lw $13,4($5) + lw $14,2*4($5) + multu $12,$8 # mul_add_c(a[0],b[0],c1,c2,c3); + lw $15,3*4($5) + lw $9,4($6) + lw $10,2*4($6) + lw $11,3*4($6) + mflo $2 + mfhi $3 + + lw $16,4*4($5) + lw $18,5*4($5) + multu $12,$9 # mul_add_c(a[0],b[1],c2,c3,c1); + lw $20,6*4($5) + lw $5,7*4($5) + lw $17,4*4($6) + lw $19,5*4($6) + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $13,$8 # mul_add_c(a[1],b[0],c2,c3,c1); + addu $7,$25,$1 + lw $21,6*4($6) + lw $6,7*4($6) + sw $2,0($4) # r[0]=c1; + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $14,$8 # mul_add_c(a[2],b[0],c3,c1,c2); + addu $25,$1 + addu $7,$25 + sltu $2,$7,$25 + sw $3,4($4) # r[1]=c2; + + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $13,$9 # mul_add_c(a[1],b[1],c3,c1,c2); + addu $25,$1 + addu $2,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $12,$10 # mul_add_c(a[0],b[2],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $3,$2,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $12,$11 # mul_add_c(a[0],b[3],c1,c2,c3); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + sw $7,2*4($4) # r[2]=c3; + + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $13,$10 # mul_add_c(a[1],b[2],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $7,$3,$25 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $14,$9 # mul_add_c(a[2],b[1],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $15,$8 # mul_add_c(a[3],b[0],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $16,$8 # mul_add_c(a[4],b[0],c2,c3,c1); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + sw $2,3*4($4) # r[3]=c1; + + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $15,$9 # mul_add_c(a[3],b[1],c2,c3,c1); + addu 
$25,$1 + addu $7,$25 + sltu $2,$7,$25 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $14,$10 # mul_add_c(a[2],b[2],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $13,$11 # mul_add_c(a[1],b[3],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $12,$17 # mul_add_c(a[0],b[4],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $12,$19 # mul_add_c(a[0],b[5],c3,c1,c2); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + sw $3,4*4($4) # r[4]=c2; + + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $13,$17 # mul_add_c(a[1],b[4],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $3,$2,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $14,$11 # mul_add_c(a[2],b[3],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $15,$10 # mul_add_c(a[3],b[2],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $16,$9 # mul_add_c(a[4],b[1],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $18,$8 # mul_add_c(a[5],b[0],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $20,$8 # mul_add_c(a[6],b[0],c1,c2,c3); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + sw $7,5*4($4) # r[5]=c3; + + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $18,$9 # mul_add_c(a[5],b[1],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $7,$3,$25 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $16,$10 # mul_add_c(a[4],b[2],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + mflo $24 + 
mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $15,$11 # mul_add_c(a[3],b[3],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $14,$17 # mul_add_c(a[2],b[4],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $13,$19 # mul_add_c(a[1],b[5],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $12,$21 # mul_add_c(a[0],b[6],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $12,$6 # mul_add_c(a[0],b[7],c2,c3,c1); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + sw $2,6*4($4) # r[6]=c1; + + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $13,$21 # mul_add_c(a[1],b[6],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $2,$7,$25 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $14,$19 # mul_add_c(a[2],b[5],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $15,$17 # mul_add_c(a[3],b[4],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $16,$11 # mul_add_c(a[4],b[3],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $18,$10 # mul_add_c(a[5],b[2],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $20,$9 # mul_add_c(a[6],b[1],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $5,$8 # mul_add_c(a[7],b[0],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $5,$9 # 
mul_add_c(a[7],b[1],c3,c1,c2); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + sw $3,7*4($4) # r[7]=c2; + + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $20,$10 # mul_add_c(a[6],b[2],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $3,$2,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $18,$11 # mul_add_c(a[5],b[3],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $16,$17 # mul_add_c(a[4],b[4],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $15,$19 # mul_add_c(a[3],b[5],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $14,$21 # mul_add_c(a[2],b[6],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $13,$6 # mul_add_c(a[1],b[7],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $14,$6 # mul_add_c(a[2],b[7],c1,c2,c3); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + sw $7,8*4($4) # r[8]=c3; + + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $15,$21 # mul_add_c(a[3],b[6],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $7,$3,$25 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $16,$19 # mul_add_c(a[4],b[5],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $18,$17 # mul_add_c(a[5],b[4],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $20,$11 # mul_add_c(a[6],b[3],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $5,$10 # mul_add_c(a[7],b[2],c1,c2,c3); + addu $25,$1 + 
addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $5,$11 # mul_add_c(a[7],b[3],c2,c3,c1); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + sw $2,9*4($4) # r[9]=c1; + + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $20,$17 # mul_add_c(a[6],b[4],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $2,$7,$25 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $18,$19 # mul_add_c(a[5],b[5],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $16,$21 # mul_add_c(a[4],b[6],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $15,$6 # mul_add_c(a[3],b[7],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $16,$6 # mul_add_c(a[4],b[7],c3,c1,c2); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + sw $3,10*4($4) # r[10]=c2; + + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $18,$21 # mul_add_c(a[5],b[6],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $3,$2,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $20,$19 # mul_add_c(a[6],b[5],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $5,$17 # mul_add_c(a[7],b[4],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $5,$19 # mul_add_c(a[7],b[5],c1,c2,c3); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + sw $7,11*4($4) # r[11]=c3; + + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $20,$21 # mul_add_c(a[6],b[6],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $7,$3,$25 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $18,$6 # mul_add_c(a[5],b[7],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + 
addu $7,$1 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $20,$6 # mul_add_c(a[6],b[7],c2,c3,c1); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + sw $2,12*4($4) # r[12]=c1; + + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $5,$21 # mul_add_c(a[7],b[6],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $2,$7,$25 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $5,$6 # mul_add_c(a[7],b[7],c3,c1,c2); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + sw $3,13*4($4) # r[13]=c2; + + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + addu $25,$1 + addu $2,$25 + sw $7,14*4($4) # r[14]=c3; + sw $2,15*4($4) # r[15]=c1; + + .set noreorder + lw $21,5*4($29) + lw $20,4*4($29) + lw $19,3*4($29) + lw $18,2*4($29) + lw $17,1*4($29) + lw $16,0*4($29) + jr $31 + addu $29,6*4 +.end bn_mul_comba8 + +.align 5 +.globl bn_mul_comba4 +.ent bn_mul_comba4 +bn_mul_comba4: + .set reorder + lw $12,0($5) + lw $8,0($6) + lw $13,4($5) + lw $14,2*4($5) + multu $12,$8 # mul_add_c(a[0],b[0],c1,c2,c3); + lw $15,3*4($5) + lw $9,4($6) + lw $10,2*4($6) + lw $11,3*4($6) + mflo $2 + mfhi $3 + sw $2,0($4) + + multu $12,$9 # mul_add_c(a[0],b[1],c2,c3,c1); + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $13,$8 # mul_add_c(a[1],b[0],c2,c3,c1); + addu $7,$25,$1 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $14,$8 # mul_add_c(a[2],b[0],c3,c1,c2); + addu $25,$1 + addu $7,$25 + sltu $2,$7,$25 + sw $3,4($4) + + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $13,$9 # mul_add_c(a[1],b[1],c3,c1,c2); + addu $25,$1 + addu $2,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $12,$10 # mul_add_c(a[0],b[2],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $3,$2,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $12,$11 # mul_add_c(a[0],b[3],c1,c2,c3); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + sw $7,2*4($4) + + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $13,$10 # 
mul_add_c(a[1],b[2],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $7,$3,$25 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $14,$9 # mul_add_c(a[2],b[1],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $15,$8 # mul_add_c(a[3],b[0],c1,c2,c3); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $15,$9 # mul_add_c(a[3],b[1],c2,c3,c1); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + sw $2,3*4($4) + + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $14,$10 # mul_add_c(a[2],b[2],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $2,$7,$25 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $13,$11 # mul_add_c(a[1],b[3],c2,c3,c1); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $14,$11 # mul_add_c(a[2],b[3],c3,c1,c2); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + sw $3,4*4($4) + + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $15,$10 # mul_add_c(a[3],b[2],c3,c1,c2); + addu $25,$1 + addu $2,$25 + sltu $3,$2,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $15,$11 # mul_add_c(a[3],b[3],c1,c2,c3); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + sw $7,5*4($4) + + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + addu $25,$1 + addu $3,$25 + sw $2,6*4($4) + sw $3,7*4($4) + + .set noreorder + jr $31 + nop +.end bn_mul_comba4 + +.align 5 +.globl bn_sqr_comba8 +.ent bn_sqr_comba8 +bn_sqr_comba8: + .set reorder + lw $12,0($5) + lw $13,4($5) + lw $14,2*4($5) + lw $15,3*4($5) + + multu $12,$12 # mul_add_c(a[0],b[0],c1,c2,c3); + lw $8,4*4($5) + lw $9,5*4($5) + lw $10,6*4($5) + lw $11,7*4($5) + mflo $2 + mfhi $3 + sw $2,0($4) + + multu $12,$13 # mul_add_c2(a[0],b[1],c2,c3,c1); + mflo $24 + mfhi $25 + slt $2,$25,$0 + sll $25,1 + multu $14,$12 # mul_add_c2(a[2],b[0],c3,c1,c2); 
+ slt $6,$24,$0 + addu $25,$6 + sll $24,1 + addu $3,$24 + sltu $1,$3,$24 + addu $7,$25,$1 + sw $3,4($4) + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $13,$13 # forward multiplication + addu $7,$24 + addu $1,$25 + sltu $24,$7,$24 + addu $2,$1 + addu $25,$24 + sltu $3,$2,$1 + addu $2,$25 + sltu $25,$2,$25 + addu $3,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $12,$15 # mul_add_c2(a[0],b[3],c1,c2,c3); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + sw $7,2*4($4) + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $13,$14 # forward multiplication + addu $2,$24 + addu $1,$25 + sltu $24,$2,$24 + addu $3,$1 + addu $25,$24 + sltu $7,$3,$1 + addu $3,$25 + sltu $25,$3,$25 + addu $7,$25 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $8,$12 # forward multiplication + addu $2,$24 + addu $1,$25 + sltu $24,$2,$24 + addu $3,$1 + addu $25,$24 + sltu $1,$3,$1 + addu $3,$25 + addu $7,$1 + sltu $25,$3,$25 + addu $7,$25 + sw $2,3*4($4) + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $15,$13 # forward multiplication + addu $3,$24 + addu $1,$25 + sltu $24,$3,$24 + addu $7,$1 + addu $25,$24 + sltu $2,$7,$1 + addu $7,$25 + sltu $25,$7,$25 + addu $2,$25 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $14,$14 # forward multiplication + addu $3,$24 + addu $1,$25 + sltu $24,$3,$24 + addu $7,$1 + addu $25,$24 + sltu $1,$7,$1 + addu $7,$25 + addu $2,$1 + sltu $25,$7,$25 + addu $2,$25 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $12,$9 # mul_add_c2(a[0],b[5],c3,c1,c2); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + sw $3,4*4($4) + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $13,$8 # forward multiplication + addu $7,$24 + addu $1,$25 + sltu $24,$7,$24 + addu $2,$1 + addu $25,$24 + sltu $3,$2,$1 + addu $2,$25 + sltu $25,$2,$25 + addu $3,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $14,$15 # forward multiplication + addu $7,$24 + addu $1,$25 
+ sltu $24,$7,$24 + addu $2,$1 + addu $25,$24 + sltu $1,$2,$1 + addu $2,$25 + addu $3,$1 + sltu $25,$2,$25 + addu $3,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $10,$12 # forward multiplication + addu $7,$24 + addu $1,$25 + sltu $24,$7,$24 + addu $2,$1 + addu $25,$24 + sltu $1,$2,$1 + addu $2,$25 + addu $3,$1 + sltu $25,$2,$25 + addu $3,$25 + sw $7,5*4($4) + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $9,$13 # forward multiplication + addu $2,$24 + addu $1,$25 + sltu $24,$2,$24 + addu $3,$1 + addu $25,$24 + sltu $7,$3,$1 + addu $3,$25 + sltu $25,$3,$25 + addu $7,$25 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $8,$14 # forward multiplication + addu $2,$24 + addu $1,$25 + sltu $24,$2,$24 + addu $3,$1 + addu $25,$24 + sltu $1,$3,$1 + addu $3,$25 + addu $7,$1 + sltu $25,$3,$25 + addu $7,$25 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $15,$15 # forward multiplication + addu $2,$24 + addu $1,$25 + sltu $24,$2,$24 + addu $3,$1 + addu $25,$24 + sltu $1,$3,$1 + addu $3,$25 + addu $7,$1 + sltu $25,$3,$25 + addu $7,$25 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $12,$11 # mul_add_c2(a[0],b[7],c2,c3,c1); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + sw $2,6*4($4) + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $13,$10 # forward multiplication + addu $3,$24 + addu $1,$25 + sltu $24,$3,$24 + addu $7,$1 + addu $25,$24 + sltu $2,$7,$1 + addu $7,$25 + sltu $25,$7,$25 + addu $2,$25 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $14,$9 # forward multiplication + addu $3,$24 + addu $1,$25 + sltu $24,$3,$24 + addu $7,$1 + addu $25,$24 + sltu $1,$7,$1 + addu $7,$25 + addu $2,$1 + sltu $25,$7,$25 + addu $2,$25 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $15,$8 # forward multiplication + addu $3,$24 + addu $1,$25 + sltu $24,$3,$24 + addu $7,$1 + addu $25,$24 + sltu $1,$7,$1 + addu $7,$25 + addu $2,$1 + sltu $25,$7,$25 + addu $2,$25 + mflo $24 + 
mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $11,$13 # forward multiplication + addu $3,$24 + addu $1,$25 + sltu $24,$3,$24 + addu $7,$1 + addu $25,$24 + sltu $1,$7,$1 + addu $7,$25 + addu $2,$1 + sltu $25,$7,$25 + addu $2,$25 + sw $3,7*4($4) + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $10,$14 # forward multiplication + addu $7,$24 + addu $1,$25 + sltu $24,$7,$24 + addu $2,$1 + addu $25,$24 + sltu $3,$2,$1 + addu $2,$25 + sltu $25,$2,$25 + addu $3,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $9,$15 # forward multiplication + addu $7,$24 + addu $1,$25 + sltu $24,$7,$24 + addu $2,$1 + addu $25,$24 + sltu $1,$2,$1 + addu $2,$25 + addu $3,$1 + sltu $25,$2,$25 + addu $3,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $8,$8 # forward multiplication + addu $7,$24 + addu $1,$25 + sltu $24,$7,$24 + addu $2,$1 + addu $25,$24 + sltu $1,$2,$1 + addu $2,$25 + addu $3,$1 + sltu $25,$2,$25 + addu $3,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $14,$11 # mul_add_c2(a[2],b[7],c1,c2,c3); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + sw $7,8*4($4) + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $15,$10 # forward multiplication + addu $2,$24 + addu $1,$25 + sltu $24,$2,$24 + addu $3,$1 + addu $25,$24 + sltu $7,$3,$1 + addu $3,$25 + sltu $25,$3,$25 + addu $7,$25 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $8,$9 # forward multiplication + addu $2,$24 + addu $1,$25 + sltu $24,$2,$24 + addu $3,$1 + addu $25,$24 + sltu $1,$3,$1 + addu $3,$25 + addu $7,$1 + sltu $25,$3,$25 + addu $7,$25 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $11,$15 # forward multiplication + addu $2,$24 + addu $1,$25 + sltu $24,$2,$24 + addu $3,$1 + addu $25,$24 + sltu $1,$3,$1 + addu $3,$25 + addu $7,$1 + sltu $25,$3,$25 + addu $7,$25 + sw $2,9*4($4) + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $10,$8 # forward multiplication + addu $3,$24 + addu $1,$25 + sltu 
$24,$3,$24 + addu $7,$1 + addu $25,$24 + sltu $2,$7,$1 + addu $7,$25 + sltu $25,$7,$25 + addu $2,$25 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $9,$9 # forward multiplication + addu $3,$24 + addu $1,$25 + sltu $24,$3,$24 + addu $7,$1 + addu $25,$24 + sltu $1,$7,$1 + addu $7,$25 + addu $2,$1 + sltu $25,$7,$25 + addu $2,$25 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $8,$11 # mul_add_c2(a[4],b[7],c3,c1,c2); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + sw $3,10*4($4) + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $9,$10 # forward multiplication + addu $7,$24 + addu $1,$25 + sltu $24,$7,$24 + addu $2,$1 + addu $25,$24 + sltu $3,$2,$1 + addu $2,$25 + sltu $25,$2,$25 + addu $3,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $11,$9 # forward multiplication + addu $7,$24 + addu $1,$25 + sltu $24,$7,$24 + addu $2,$1 + addu $25,$24 + sltu $1,$2,$1 + addu $2,$25 + addu $3,$1 + sltu $25,$2,$25 + addu $3,$25 + sw $7,11*4($4) + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $10,$10 # forward multiplication + addu $2,$24 + addu $1,$25 + sltu $24,$2,$24 + addu $3,$1 + addu $25,$24 + sltu $7,$3,$1 + addu $3,$25 + sltu $25,$3,$25 + addu $7,$25 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $10,$11 # mul_add_c2(a[6],b[7],c2,c3,c1); + addu $25,$1 + addu $3,$25 + sltu $1,$3,$25 + addu $7,$1 + sw $2,12*4($4) + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $11,$11 # forward multiplication + addu $3,$24 + addu $1,$25 + sltu $24,$3,$24 + addu $7,$1 + addu $25,$24 + sltu $2,$7,$1 + addu $7,$25 + sltu $25,$7,$25 + addu $2,$25 + sw $3,13*4($4) + + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + addu $25,$1 + addu $2,$25 + sw $7,14*4($4) + sw $2,15*4($4) + + .set noreorder + jr $31 + nop +.end bn_sqr_comba8 + +.align 5 +.globl bn_sqr_comba4 +.ent bn_sqr_comba4 +bn_sqr_comba4: + .set reorder + lw $12,0($5) + lw $13,4($5) + multu $12,$12 # mul_add_c(a[0],b[0],c1,c2,c3); + 
lw $14,2*4($5) + lw $15,3*4($5) + mflo $2 + mfhi $3 + sw $2,0($4) + + multu $12,$13 # mul_add_c2(a[0],b[1],c2,c3,c1); + mflo $24 + mfhi $25 + slt $2,$25,$0 + sll $25,1 + multu $14,$12 # mul_add_c2(a[2],b[0],c3,c1,c2); + slt $6,$24,$0 + addu $25,$6 + sll $24,1 + addu $3,$24 + sltu $1,$3,$24 + addu $7,$25,$1 + sw $3,4($4) + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $13,$13 # forward multiplication + addu $7,$24 + addu $1,$25 + sltu $24,$7,$24 + addu $2,$1 + addu $25,$24 + sltu $3,$2,$1 + addu $2,$25 + sltu $25,$2,$25 + addu $3,$25 + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $12,$15 # mul_add_c2(a[0],b[3],c1,c2,c3); + addu $25,$1 + addu $2,$25 + sltu $1,$2,$25 + addu $3,$1 + sw $7,2*4($4) + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $13,$14 # forward multiplication + addu $2,$24 + addu $1,$25 + sltu $24,$2,$24 + addu $3,$1 + addu $25,$24 + sltu $7,$3,$1 + addu $3,$25 + sltu $25,$3,$25 + addu $7,$25 + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + multu $15,$13 # forward multiplication + addu $2,$24 + addu $1,$25 + sltu $24,$2,$24 + addu $3,$1 + addu $25,$24 + sltu $1,$3,$1 + addu $3,$25 + addu $7,$1 + sltu $25,$3,$25 + addu $7,$25 + sw $2,3*4($4) + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $14,$14 # forward multiplication + addu $3,$24 + addu $1,$25 + sltu $24,$3,$24 + addu $7,$1 + addu $25,$24 + sltu $2,$7,$1 + addu $7,$25 + sltu $25,$7,$25 + addu $2,$25 + mflo $24 + mfhi $25 + addu $3,$24 + sltu $1,$3,$24 + multu $14,$15 # mul_add_c2(a[2],b[3],c3,c1,c2); + addu $25,$1 + addu $7,$25 + sltu $1,$7,$25 + addu $2,$1 + sw $3,4*4($4) + mflo $24 + mfhi $25 + addu $7,$24 + sltu $1,$7,$24 + multu $15,$15 # forward multiplication + addu $7,$24 + addu $1,$25 + sltu $24,$7,$24 + addu $2,$1 + addu $25,$24 + sltu $3,$2,$1 + addu $2,$25 + sltu $25,$2,$25 + addu $3,$25 + sw $7,5*4($4) + + mflo $24 + mfhi $25 + addu $2,$24 + sltu $1,$2,$24 + addu $25,$1 + addu $3,$25 + sw $2,6*4($4) + sw $3,7*4($4) + + .set 
noreorder + jr $31 + nop +.end bn_sqr_comba4 +#if defined(HAVE_GNU_STACK) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/bn/bn_add.c b/crypto/bn/bn_add.c index 048a136..92489b7 100644 --- a/crypto/bn/bn_add.c +++ b/crypto/bn/bn_add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_add.c,v 1.13 2018/07/23 18:07:21 tb Exp $ */ +/* $OpenBSD: bn_add.c,v 1.24 2023/02/22 05:46:37 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -56,20 +56,241 @@ * [including the GNU Public Licence.] */ +#include +#include #include #include -#include "bn_lcl.h" +#include "bn_arch.h" +#include "bn_local.h" +#include "bn_internal.h" + +/* + * bn_add_words() computes (carry:r[i]) = a[i] + b[i] + carry, where a and b + * are both arrays of words. Any carry resulting from the addition is returned. + */ +#ifndef HAVE_BN_ADD_WORDS +BN_ULONG +bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n) +{ + BN_ULONG carry = 0; + + assert(n >= 0); + if (n <= 0) + return 0; + +#ifndef OPENSSL_SMALL_FOOTPRINT + while (n & ~3) { + bn_addw_addw(a[0], b[0], carry, &carry, &r[0]); + bn_addw_addw(a[1], b[1], carry, &carry, &r[1]); + bn_addw_addw(a[2], b[2], carry, &carry, &r[2]); + bn_addw_addw(a[3], b[3], carry, &carry, &r[3]); + a += 4; + b += 4; + r += 4; + n -= 4; + } +#endif + while (n) { + bn_addw_addw(a[0], b[0], carry, &carry, &r[0]); + a++; + b++; + r++; + n--; + } + return carry; +} +#endif + +/* + * bn_add() computes (carry:r[i]) = a[i] + b[i] + carry, where a and b are both + * arrays of words (r may be the same as a or b). The length of a and b may + * differ, while r must be at least max(a_len, b_len) in length. Any carry + * resulting from the addition is returned. + */ +#ifndef HAVE_BN_ADD +BN_ULONG +bn_add(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b, + int b_len) +{ + int min_len, diff_len; + BN_ULONG carry = 0; + + if ((min_len = a_len) > b_len) + min_len = b_len; + + diff_len = a_len - b_len; + + carry = bn_add_words(r, a, b, min_len); + + a += min_len; + b += min_len; + r += min_len; + + /* XXX - consider doing four at a time to match bn_add_words(). */ + while (diff_len < 0) { + /* Compute r[0] = 0 + b[0] + carry. */ + bn_addw(b[0], carry, &carry, &r[0]); + diff_len++; + b++; + r++; + } + + /* XXX - consider doing four at a time to match bn_add_words(). */ + while (diff_len > 0) { + /* Compute r[0] = a[0] + 0 + carry. 
*/ + bn_addw(a[0], carry, &carry, &r[0]); + diff_len--; + a++; + r++; + } + + return carry; +} +#endif + +/* + * bn_sub_words() computes (borrow:r[i]) = a[i] - b[i] - borrow, where a and b + * are both arrays of words. Any borrow resulting from the subtraction is + * returned. + */ +#ifndef HAVE_BN_SUB_WORDS +BN_ULONG +bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n) +{ + BN_ULONG borrow = 0; + + assert(n >= 0); + if (n <= 0) + return 0; + +#ifndef OPENSSL_SMALL_FOOTPRINT + while (n & ~3) { + bn_subw_subw(a[0], b[0], borrow, &borrow, &r[0]); + bn_subw_subw(a[1], b[1], borrow, &borrow, &r[1]); + bn_subw_subw(a[2], b[2], borrow, &borrow, &r[2]); + bn_subw_subw(a[3], b[3], borrow, &borrow, &r[3]); + a += 4; + b += 4; + r += 4; + n -= 4; + } +#endif + while (n) { + bn_subw_subw(a[0], b[0], borrow, &borrow, &r[0]); + a++; + b++; + r++; + n--; + } + return borrow; +} +#endif + +/* + * bn_sub() computes (borrow:r[i]) = a[i] - b[i] - borrow, where a and b are both + * arrays of words (r may be the same as a or b). The length of a and b may + * differ, while r must be at least max(a_len, b_len) in length. Any borrow + * resulting from the subtraction is returned. + */ +#ifndef HAVE_BN_SUB +BN_ULONG +bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len, const BN_ULONG *b, + int b_len) +{ + int min_len, diff_len; + BN_ULONG borrow = 0; + + if ((min_len = a_len) > b_len) + min_len = b_len; + + diff_len = a_len - b_len; + + borrow = bn_sub_words(r, a, b, min_len); + + a += min_len; + b += min_len; + r += min_len; + + /* XXX - consider doing four at a time to match bn_sub_words. */ + while (diff_len < 0) { + /* Compute r[0] = 0 - b[0] - borrow. */ + bn_subw(0 - b[0], borrow, &borrow, &r[0]); + diff_len++; + b++; + r++; + } + + /* XXX - consider doing four at a time to match bn_sub_words. */ + while (diff_len > 0) { + /* Compute r[0] = a[0] - 0 - borrow. 
*/ + bn_subw(a[0], borrow, &borrow, &r[0]); + diff_len--; + a++; + r++; + } + + return borrow; +} +#endif + +int +BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) +{ + BN_ULONG carry; + int rn; + + if ((rn = a->top) < b->top) + rn = b->top; + if (rn == INT_MAX) + return 0; + if (!bn_wexpand(r, rn + 1)) + return 0; + + carry = bn_add(r->d, rn, a->d, a->top, b->d, b->top); + r->d[rn] = carry; + + r->top = rn + (carry & 1); + r->neg = 0; + + return 1; +} + +int +BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) +{ + BN_ULONG borrow; + int rn; + + if (a->top < b->top) { + BNerror(BN_R_ARG2_LT_ARG3); + return 0; + } + rn = a->top; + + if (!bn_wexpand(r, rn)) + return 0; + + borrow = bn_sub(r->d, rn, a->d, a->top, b->d, b->top); + if (borrow > 0) { + BNerror(BN_R_ARG2_LT_ARG3); + return 0; + } + + r->top = rn; + r->neg = 0; + + bn_correct_top(r); + + return 1; +} int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { int ret, r_neg; - bn_check_top(a); - bn_check_top(b); - if (a->neg == b->neg) { r_neg = a->neg; ret = BN_uadd(r, a, b); 
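Review bot: In bn_sub()'s `while (diff_len < 0)` loop the borrow produced by `0 - b[0]` itself is never captured: `bn_subw(0 - b[0], borrow, &borrow, &r[0])` can only report a borrow when the already-wrapped word is smaller than the incoming borrow, so for any non-zero b[0] the chained borrow into the next word and the value returned to the caller come out one short (this assumes bn_subw computes a - b and reports borrow only when a < b, as its name and its use beside bn_subw_subw suggest — please confirm). The subtraction should go through the two-operand helper the file already uses, `bn_subw_subw(0, b[0], borrow, &borrow, &r[0]);`, so both the word borrow and the chained borrow are accumulated. BN_usub() never reaches this path because it rejects a->top < b->top up front, but bn_sub() is a non-static function and any other caller with a_len < b_len would get a wrong result and a wrong borrow. Separately, `r_len` is accepted by both bn_add() and bn_sub() but never read, while the header comments promise r is at least max(a_len, b_len); an `assert(r_len >= a_len && r_len >= b_len);` beside the existing `assert(n >= 0)` style checks would make a violation fail loudly rather than write past r. The hunk ends inside BN_add(), whose body continues in the next hunk.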
@@ -89,115 +310,16 @@ BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) } } - r->neg = r_neg; - bn_check_top(r); + BN_set_negative(r, r_neg); + return ret; } -int -BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) -{ - int max, min, dif; - const BN_ULONG *ap, *bp; - BN_ULONG *rp, carry, t1, t2; - - bn_check_top(a); - bn_check_top(b); - - if (a->top < b->top) { - const BIGNUM *tmp; - - tmp = a; - a = b; - b = tmp; - } - max = a->top; - min = b->top; - dif = max - min; - - if (bn_wexpand(r, max + 1) == NULL) - return 0; - - r->top = max; - - ap = a->d; - bp = b->d; - rp = r->d; - - carry = bn_add_words(rp, ap, bp, min); - rp += min; - ap += min; - - while (dif) { - dif--; - t1 = *(ap++); - t2 = (t1 + carry) & BN_MASK2; - *(rp++) = t2; - carry &= (t2 == 0); - } - *rp = carry; - r->top += carry; - - r->neg = 0; - bn_check_top(r); - return 1; -} - -int -BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) -{ - int max, min, dif; - const BN_ULONG *ap, *bp; - BN_ULONG t1, t2, borrow, *rp; - - bn_check_top(a); - bn_check_top(b); - - max = a->top; - min = b->top; - dif = max - min; - - if (dif < 0) { - BNerror(BN_R_ARG2_LT_ARG3); - return 0; - } - - if (bn_wexpand(r, max) == NULL) - return 0; - - ap = a->d; - bp = b->d; - rp = r->d; - - borrow = bn_sub_words(rp, ap, bp, min); - ap += min; - rp += min; - - while (dif) { - dif--; - t1 = *(ap++); - t2 = (t1 - borrow) & BN_MASK2; - *(rp++) = t2; - borrow &= (t1 == 0); - } - - while (max > 0 && *--rp == 0) - max--; - - r->top = max; - r->neg = 0; - bn_correct_top(r); - return 1; -} - int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { int ret, r_neg; - bn_check_top(a); - bn_check_top(b); - if (a->neg != b->neg) { r_neg = a->neg; ret = BN_uadd(r, a, b); @@ -217,7 +339,7 @@ BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) } } - r->neg = r_neg; - bn_check_top(r); + BN_set_negative(r, r_neg); + return ret; } diff --git a/crypto/bn/bn_asm.c b/crypto/bn/bn_asm.c deleted file mode 100644 index 993fbb3..0000000 
--- a/crypto/bn/bn_asm.c
+++ /dev/null
@@ -1,1096 +0,0 @@ -/* $OpenBSD: bn_asm.c,v 1.15 2017/05/02 03:59:44 deraadt Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#ifndef BN_DEBUG -# undef NDEBUG /* avoid conflicting definitions */ -# define NDEBUG -#endif - -#include -#include - -#include - -#include "bn_lcl.h" - -#if defined(BN_LLONG) || defined(BN_UMULT_HIGH) - -BN_ULONG -bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w) -{ - BN_ULONG c1 = 0; - - assert(num >= 0); - if (num <= 0) - return (c1); - -#ifndef OPENSSL_SMALL_FOOTPRINT - while (num & ~3) { - mul_add(rp[0], ap[0], w, c1); - mul_add(rp[1], ap[1], w, c1); - mul_add(rp[2], ap[2], w, c1); - mul_add(rp[3], ap[3], w, c1); - ap += 4; - rp += 4; - num -= 4; - } -#endif - while (num) { - mul_add(rp[0], ap[0], w, c1); - ap++; - rp++; - num--; - } - - return (c1); -} - -BN_ULONG -bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w) -{ - BN_ULONG c1 = 0; - - assert(num >= 0); - if (num <= 0) - return (c1); - -#ifndef OPENSSL_SMALL_FOOTPRINT - while (num & ~3) { - mul(rp[0], ap[0], w, c1); - mul(rp[1], ap[1], w, c1); - mul(rp[2], ap[2], w, c1); - mul(rp[3], ap[3], w, c1); - ap += 4; - rp += 4; - num -= 4; - } -#endif - while (num) { - mul(rp[0], ap[0], w, c1); - ap++; - rp++; - num--; - } - return (c1); -} - -void -bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n) -{ - assert(n >= 0); - if (n <= 0) - return; - -#ifndef OPENSSL_SMALL_FOOTPRINT - while (n & ~3) { - sqr(r[0], r[1], a[0]); - sqr(r[2], r[3], a[1]); - sqr(r[4], r[5], a[2]); - sqr(r[6], r[7], a[3]); - a += 4; - r += 8; - n -= 4; - } -#endif - while (n) { - sqr(r[0], r[1], a[0]); - a++; - r += 2; - n--; - } -} - -#else /* !(defined(BN_LLONG) || defined(BN_UMULT_HIGH)) */ - -BN_ULONG -bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w) -{ - BN_ULONG c = 0; - BN_ULONG bl, bh; - - assert(num >= 0); - if (num <= 0) - return ((BN_ULONG)0); - - bl = LBITS(w); - bh = HBITS(w); - -#ifndef OPENSSL_SMALL_FOOTPRINT - while (num & ~3) { - mul_add(rp[0], ap[0], bl, bh, c); - mul_add(rp[1], ap[1], bl, bh, c); - mul_add(rp[2], ap[2], bl, bh, c); - mul_add(rp[3], 
ap[3], bl, bh, c); - ap += 4; - rp += 4; - num -= 4; - } -#endif - while (num) { - mul_add(rp[0], ap[0], bl, bh, c); - ap++; - rp++; - num--; - } - return (c); -} - -BN_ULONG -bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w) -{ - BN_ULONG carry = 0; - BN_ULONG bl, bh; - - assert(num >= 0); - if (num <= 0) - return ((BN_ULONG)0); - - bl = LBITS(w); - bh = HBITS(w); - -#ifndef OPENSSL_SMALL_FOOTPRINT - while (num & ~3) { - mul(rp[0], ap[0], bl, bh, carry); - mul(rp[1], ap[1], bl, bh, carry); - mul(rp[2], ap[2], bl, bh, carry); - mul(rp[3], ap[3], bl, bh, carry); - ap += 4; - rp += 4; - num -= 4; - } -#endif - while (num) { - mul(rp[0], ap[0], bl, bh, carry); - ap++; - rp++; - num--; - } - return (carry); -} - -void -bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n) -{ - assert(n >= 0); - if (n <= 0) - return; - -#ifndef OPENSSL_SMALL_FOOTPRINT - while (n & ~3) { - sqr64(r[0], r[1], a[0]); - sqr64(r[2], r[3], a[1]); - sqr64(r[4], r[5], a[2]); - sqr64(r[6], r[7], a[3]); - a += 4; - r += 8; - n -= 4; - } -#endif - while (n) { - sqr64(r[0], r[1], a[0]); - a++; - r += 2; - n--; - } -} - -#endif /* !(defined(BN_LLONG) || defined(BN_UMULT_HIGH)) */ - -#if defined(BN_LLONG) && defined(BN_DIV2W) - -BN_ULONG -bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) -{ - return ((BN_ULONG)(((((BN_ULLONG)h) << BN_BITS2)|l)/(BN_ULLONG)d)); -} - -#else - -/* Divide h,l by d and return the result. 
*/ -/* I need to test this some more :-( */ -BN_ULONG -bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) -{ - BN_ULONG dh, dl, q,ret = 0, th, tl, t; - int i, count = 2; - - if (d == 0) - return (BN_MASK2); - - i = BN_num_bits_word(d); - assert((i == BN_BITS2) || (h <= (BN_ULONG)1 << i)); - - i = BN_BITS2 - i; - if (h >= d) - h -= d; - - if (i) { - d <<= i; - h = (h << i) | (l >> (BN_BITS2 - i)); - l <<= i; - } - dh = (d & BN_MASK2h) >> BN_BITS4; - dl = (d & BN_MASK2l); - for (;;) { - if ((h >> BN_BITS4) == dh) - q = BN_MASK2l; - else - q = h / dh; - - th = q * dh; - tl = dl * q; - for (;;) { - t = h - th; - if ((t & BN_MASK2h) || - ((tl) <= ( - (t << BN_BITS4) | - ((l & BN_MASK2h) >> BN_BITS4)))) - break; - q--; - th -= dh; - tl -= dl; - } - t = (tl >> BN_BITS4); - tl = (tl << BN_BITS4) & BN_MASK2h; - th += t; - - if (l < tl) - th++; - l -= tl; - if (h < th) { - h += d; - q--; - } - h -= th; - - if (--count == 0) - break; - - ret = q << BN_BITS4; - h = ((h << BN_BITS4) | (l >> BN_BITS4)) & BN_MASK2; - l = (l & BN_MASK2l) << BN_BITS4; - } - ret |= q; - return (ret); -} -#endif /* !defined(BN_LLONG) && defined(BN_DIV2W) */ - -#ifdef BN_LLONG -BN_ULONG -bn_add_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n) -{ - BN_ULLONG ll = 0; - - assert(n >= 0); - if (n <= 0) - return ((BN_ULONG)0); - -#ifndef OPENSSL_SMALL_FOOTPRINT - while (n & ~3) { - ll += (BN_ULLONG)a[0] + b[0]; - r[0] = (BN_ULONG)ll & BN_MASK2; - ll >>= BN_BITS2; - ll += (BN_ULLONG)a[1] + b[1]; - r[1] = (BN_ULONG)ll & BN_MASK2; - ll >>= BN_BITS2; - ll += (BN_ULLONG)a[2] + b[2]; - r[2] = (BN_ULONG)ll & BN_MASK2; - ll >>= BN_BITS2; - ll += (BN_ULLONG)a[3] + b[3]; - r[3] = (BN_ULONG)ll & BN_MASK2; - ll >>= BN_BITS2; - a += 4; - b += 4; - r += 4; - n -= 4; - } -#endif - while (n) { - ll += (BN_ULLONG)a[0] + b[0]; - r[0] = (BN_ULONG)ll & BN_MASK2; - ll >>= BN_BITS2; - a++; - b++; - r++; - n--; - } - return ((BN_ULONG)ll); -} -#else /* !BN_LLONG */ -BN_ULONG -bn_add_words(BN_ULONG *r, const BN_ULONG 
*a, const BN_ULONG *b, int n) -{ - BN_ULONG c, l, t; - - assert(n >= 0); - if (n <= 0) - return ((BN_ULONG)0); - - c = 0; -#ifndef OPENSSL_SMALL_FOOTPRINT - while (n & ~3) { - t = a[0]; - t = (t + c) & BN_MASK2; - c = (t < c); - l = (t + b[0]) & BN_MASK2; - c += (l < t); - r[0] = l; - t = a[1]; - t = (t + c) & BN_MASK2; - c = (t < c); - l = (t + b[1]) & BN_MASK2; - c += (l < t); - r[1] = l; - t = a[2]; - t = (t + c) & BN_MASK2; - c = (t < c); - l = (t + b[2]) & BN_MASK2; - c += (l < t); - r[2] = l; - t = a[3]; - t = (t + c) & BN_MASK2; - c = (t < c); - l = (t + b[3]) & BN_MASK2; - c += (l < t); - r[3] = l; - a += 4; - b += 4; - r += 4; - n -= 4; - } -#endif - while (n) { - t = a[0]; - t = (t + c) & BN_MASK2; - c = (t < c); - l = (t + b[0]) & BN_MASK2; - c += (l < t); - r[0] = l; - a++; - b++; - r++; - n--; - } - return ((BN_ULONG)c); -} -#endif /* !BN_LLONG */ - -BN_ULONG -bn_sub_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int n) -{ - BN_ULONG t1, t2; - int c = 0; - - assert(n >= 0); - if (n <= 0) - return ((BN_ULONG)0); - -#ifndef OPENSSL_SMALL_FOOTPRINT - while (n&~3) { - t1 = a[0]; - t2 = b[0]; - r[0] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); - t1 = a[1]; - t2 = b[1]; - r[1] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); - t1 = a[2]; - t2 = b[2]; - r[2] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); - t1 = a[3]; - t2 = b[3]; - r[3] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); - a += 4; - b += 4; - r += 4; - n -= 4; - } -#endif - while (n) { - t1 = a[0]; - t2 = b[0]; - r[0] = (t1 - t2 - c) & BN_MASK2; - if (t1 != t2) - c = (t1 < t2); - a++; - b++; - r++; - n--; - } - return (c); -} - -#if defined(BN_MUL_COMBA) && !defined(OPENSSL_SMALL_FOOTPRINT) - -#undef bn_mul_comba8 -#undef bn_mul_comba4 -#undef bn_sqr_comba8 -#undef bn_sqr_comba4 - -/* mul_add_c(a,b,c0,c1,c2) -- c+=a*b for three word number c=(c2,c1,c0) */ -/* mul_add_c2(a,b,c0,c1,c2) -- c+=2*a*b for three word number c=(c2,c1,c0) */ 
-/* sqr_add_c(a,i,c0,c1,c2) -- c+=a[i]^2 for three word number c=(c2,c1,c0) */ -/* sqr_add_c2(a,i,c0,c1,c2) -- c+=2*a[i]*a[j] for three word number c=(c2,c1,c0) */ - -#ifdef BN_LLONG -/* - * Keep in mind that additions to multiplication result can not - * overflow, because its high half cannot be all-ones. - */ -#define mul_add_c(a,b,c0,c1,c2) do { \ - BN_ULONG hi; \ - BN_ULLONG t = (BN_ULLONG)(a)*(b); \ - t += c0; /* no carry */ \ - c0 = (BN_ULONG)Lw(t); \ - hi = (BN_ULONG)Hw(t); \ - c1 = (c1+hi)&BN_MASK2; if (c1= np[num - 1]) { - c0 = bn_sub_words(rp, tp, np, num); - if (tp[num] != 0 || c0 == 0) { - goto out; - } - } - memcpy(rp, tp, num * sizeof(BN_ULONG)); -out: - freezero(tp, (num + 2) * sizeof(BN_ULONG)); - return 1; -} -#else -/* - * Return value of 0 indicates that multiplication/convolution was not - * performed to signal the caller to fall down to alternative/original - * code-path. - */ -int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num) - { return 0; -} -#endif /* OPENSSL_BN_ASM_MONT */ -#endif - -#else /* !BN_MUL_COMBA */ - -/* hmm... is it faster just to do a multiply? 
*/ -#undef bn_sqr_comba4 -void -bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a) -{ - BN_ULONG t[8]; - bn_sqr_normal(r, a, 4, t); -} - -#undef bn_sqr_comba8 -void -bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a) -{ - BN_ULONG t[16]; - bn_sqr_normal(r, a, 8, t); -} - -void -bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) -{ - r[4] = bn_mul_words(&(r[0]), a, 4, b[0]); - r[5] = bn_mul_add_words(&(r[1]), a, 4, b[1]); - r[6] = bn_mul_add_words(&(r[2]), a, 4, b[2]); - r[7] = bn_mul_add_words(&(r[3]), a, 4, b[3]); -} - -void -bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) -{ - r[8] = bn_mul_words(&(r[0]), a, 8, b[0]); - r[9] = bn_mul_add_words(&(r[1]), a, 8, b[1]); - r[10] = bn_mul_add_words(&(r[2]), a, 8, b[2]); - r[11] = bn_mul_add_words(&(r[3]), a, 8, b[3]); - r[12] = bn_mul_add_words(&(r[4]), a, 8, b[4]); - r[13] = bn_mul_add_words(&(r[5]), a, 8, b[5]); - r[14] = bn_mul_add_words(&(r[6]), a, 8, b[6]); - r[15] = bn_mul_add_words(&(r[7]), a, 8, b[7]); -} - -#ifdef OPENSSL_NO_ASM -#ifdef OPENSSL_BN_ASM_MONT -int -bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0p, int num) -{ - BN_ULONG c0, c1, *tp, n0 = *n0p; - int i = 0, j; - - tp = calloc(NULL, num + 2, sizeof(BN_ULONG)); - if (tp == NULL) - return 0; - - for (i = 0; i < num; i++) { - c0 = bn_mul_add_words(tp, ap, num, bp[i]); - c1 = (tp[num] + c0) & BN_MASK2; - tp[num] = c1; - tp[num + 1] = (c1 < c0 ? 1 : 0); - - c0 = bn_mul_add_words(tp, np, num, tp[0] * n0); - c1 = (tp[num] + c0) & BN_MASK2; - tp[num] = c1; - tp[num + 1] += (c1 < c0 ? 
1 : 0); - for (j = 0; j <= num; j++) - tp[j] = tp[j + 1]; - } - - if (tp[num] != 0 || tp[num - 1] >= np[num - 1]) { - c0 = bn_sub_words(rp, tp, np, num); - if (tp[num] != 0 || c0 == 0) { - goto out; - } - } - memcpy(rp, tp, num * sizeof(BN_ULONG)); -out: - freezero(tp, (num + 2) * sizeof(BN_ULONG)); - return 1; -} -#else -int -bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, int num) -{ - return 0; -} -#endif /* OPENSSL_BN_ASM_MONT */ -#endif - -#endif /* !BN_MUL_COMBA */ diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c index ecd6718..77ba691 100644 --- a/crypto/bn/bn_blind.c +++ b/crypto/bn/bn_blind.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_blind.c,v 1.17 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bn_blind.c,v 1.22 2023/04/25 19:57:59 tb Exp $ */ /* ==================================================================== * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * @@ -115,7 +115,7 @@ #include -#include "bn_lcl.h" +#include "bn_local.h" #define BN_BLINDING_COUNTER 32 @@ -124,10 +124,6 @@ struct bn_blinding_st { BIGNUM *Ai; BIGNUM *e; BIGNUM *mod; /* just a reference */ -#ifndef OPENSSL_NO_DEPRECATED - unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b; - * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */ -#endif CRYPTO_THREADID tid; int counter; unsigned long flags; @@ -141,7 +137,6 @@ BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) { BN_BLINDING *ret = NULL; - bn_check_top(mod); if ((ret = calloc(1, sizeof(BN_BLINDING))) == NULL) { BNerror(ERR_R_MALLOC_FAILURE); @@ -181,10 +176,10 @@ BN_BLINDING_free(BN_BLINDING *r) if (r == NULL) return; - BN_clear_free(r->A); - BN_clear_free(r->Ai); - BN_clear_free(r->e); - BN_clear_free(r->mod); + BN_free(r->A); + BN_free(r->Ai); + BN_free(r->e); + BN_free(r->mod); free(r); } 
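Review bot: BN_BLINDING_free now releases A, Ai and e with `BN_free` instead of `BN_clear_free`; these hold the blinding factor and its inverse, which are derived from private-key material, so unless BN_free in this tree already zeroizes the limbs before releasing them (not visible in this diff) the explicit wipe of secret values is lost. If BN_free does clear, a comment such as `/* BN_free() zeroizes limbs; BN_clear_free() is no longer needed here. */` above the four calls would stop the next reader from re-raising the question. The enclosing function starts outside the hunk.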
@@ -232,7 +227,6 @@ BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) { int ret = 1; - bn_check_top(n); if ((b->A == NULL) || (b->Ai == NULL)) { BNerror(BN_R_NOT_INITIALIZED); @@ -246,7 +240,7 @@ BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) return (0); if (r != NULL) { - if (!BN_copy(r, b->Ai)) + if (!bn_copy(r, b->Ai)) ret = 0; } @@ -267,7 +261,6 @@ BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) { int ret; - bn_check_top(n); if (r != NULL) ret = BN_mod_mul(n, n, r, b->mod, ctx); @@ -279,24 +272,9 @@ BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *ctx) ret = BN_mod_mul(n, n, b->Ai, b->mod, ctx); } - bn_check_top(n); return (ret); } -#ifndef OPENSSL_NO_DEPRECATED -unsigned long -BN_BLINDING_get_thread_id(const BN_BLINDING *b) -{ - return b->thread_id; -} - -void -BN_BLINDING_set_thread_id(BN_BLINDING *b, unsigned long n) -{ - b->thread_id = n; -} -#endif - CRYPTO_THREADID * BN_BLINDING_thread_id(BN_BLINDING *b) { diff --git a/crypto/bn/bn_bpsw.c b/crypto/bn/bn_bpsw.c new file mode 100644 index 0000000..82a4e87 --- /dev/null +++ b/crypto/bn/bn_bpsw.c 
@@ -0,0 +1,539 @@ +/* $OpenBSD: bn_bpsw.c,v 1.10 2023/05/10 21:05:24 tb Exp $ */ +/* + * Copyright (c) 2022 Martin Grenouilloux + * Copyright (c) 2022 Theo Buehler + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include "bn_local.h" +#include "bn_prime.h" + +/* + * For an odd n compute a / 2 (mod n). If a is even, we can do a plain + * division, otherwise calculate (a + n) / 2. Then reduce (mod n). + */ + +static int +bn_div_by_two_mod_odd_n(BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) +{ + if (!BN_is_odd(n)) + return 0; + + if (BN_is_odd(a)) { + if (!BN_add(a, a, n)) + return 0; + } + if (!BN_rshift1(a, a)) + return 0; + if (!BN_mod_ct(a, a, n, ctx)) + return 0; + + return 1; +} + +/* + * Given the next binary digit of k and the current Lucas terms U and V, this + * helper computes the next terms in the Lucas sequence defined as follows: + * + * U' = U * V (mod n) + * V' = (V^2 + D * U^2) / 2 (mod n) + * + * If digit == 0, bn_lucas_step() returns U' and V'. If digit == 1, it returns + * + * U'' = (U' + V') / 2 (mod n) + * V'' = (V' + D * U') / 2 (mod n) + * + * Compare with FIPS 186-4, Appendix C.3.3, step 6. 
+ */ + +static int +bn_lucas_step(BIGNUM *U, BIGNUM *V, int digit, const BIGNUM *D, + const BIGNUM *n, BN_CTX *ctx) +{ + BIGNUM *tmp; + int ret = 0; + + BN_CTX_start(ctx); + + if ((tmp = BN_CTX_get(ctx)) == NULL) + goto err; + + /* Calculate D * U^2 before computing U'. */ + if (!BN_sqr(tmp, U, ctx)) + goto err; + if (!BN_mul(tmp, D, tmp, ctx)) + goto err; + + /* U' = U * V (mod n). */ + if (!BN_mod_mul(U, U, V, n, ctx)) + goto err; + + /* V' = (V^2 + D * U^2) / 2 (mod n). */ + if (!BN_sqr(V, V, ctx)) + goto err; + if (!BN_add(V, V, tmp)) + goto err; + if (!bn_div_by_two_mod_odd_n(V, n, ctx)) + goto err; + + if (digit == 1) { + /* Calculate D * U' before computing U''. */ + if (!BN_mul(tmp, D, U, ctx)) + goto err; + + /* U'' = (U' + V') / 2 (mod n). */ + if (!BN_add(U, U, V)) + goto err; + if (!bn_div_by_two_mod_odd_n(U, n, ctx)) + goto err; + + /* V'' = (V' + D * U') / 2 (mod n). */ + if (!BN_add(V, V, tmp)) + goto err; + if (!bn_div_by_two_mod_odd_n(V, n, ctx)) + goto err; + } + + ret = 1; + + err: + BN_CTX_end(ctx); + + return ret; +} + +/* + * Compute the Lucas terms U_k, V_k, see FIPS 186-4, Appendix C.3.3, steps 4-6. + */ + +static int +bn_lucas(BIGNUM *U, BIGNUM *V, const BIGNUM *k, const BIGNUM *D, + const BIGNUM *n, BN_CTX *ctx) +{ + int digit, i; + int ret = 0; + + if (!BN_one(U)) + goto err; + if (!BN_one(V)) + goto err; + + /* + * Iterate over the digits of k from MSB to LSB. Start at digit 2 + * since the first digit is dealt with by setting U = 1 and V = 1. + */ + + for (i = BN_num_bits(k) - 2; i >= 0; i--) { + digit = BN_is_bit_set(k, i); + + if (!bn_lucas_step(U, V, digit, D, n, ctx)) + goto err; + } + + ret = 1; + + err: + return ret; +} + +/* + * This is a stronger variant of the Lucas test in FIPS 186-4, Appendix C.3.3. + * Every strong Lucas pseudoprime n is also a Lucas pseudoprime since + * U_{n+1} == 0 follows from U_k == 0 or V_{k * 2^r} == 0 for 0 <= r < s. 
+ */ + +static int +bn_strong_lucas_test(int *is_pseudoprime, const BIGNUM *n, const BIGNUM *D, + BN_CTX *ctx) +{ + BIGNUM *k, *U, *V; + int r, s; + int ret = 0; + + BN_CTX_start(ctx); + + if ((k = BN_CTX_get(ctx)) == NULL) + goto err; + if ((U = BN_CTX_get(ctx)) == NULL) + goto err; + if ((V = BN_CTX_get(ctx)) == NULL) + goto err; + + /* + * Factorize n + 1 = k * 2^s with odd k: shift away the s trailing ones + * of n and set the lowest bit of the resulting number k. + */ + + s = 0; + while (BN_is_bit_set(n, s)) + s++; + if (!BN_rshift(k, n, s)) + goto err; + if (!BN_set_bit(k, 0)) + goto err; + + /* + * Calculate the Lucas terms U_k and V_k. If either of them is zero, + * then n is a strong Lucas pseudoprime. + */ + + if (!bn_lucas(U, V, k, D, n, ctx)) + goto err; + + if (BN_is_zero(U) || BN_is_zero(V)) { + *is_pseudoprime = 1; + goto done; + } + + /* + * Calculate the Lucas terms U_{k * 2^r}, V_{k * 2^r} for 1 <= r < s. + * If any V_{k * 2^r} is zero then n is a strong Lucas pseudoprime. + */ + + for (r = 1; r < s; r++) { + if (!bn_lucas_step(U, V, 0, D, n, ctx)) + goto err; + + if (BN_is_zero(V)) { + *is_pseudoprime = 1; + goto done; + } + } + + /* + * If we got here, n is definitely composite. + */ + + *is_pseudoprime = 0; + + done: + ret = 1; + + err: + BN_CTX_end(ctx); + + return ret; +} + +/* + * Test n for primality using the strong Lucas test with Selfridge's Method A. + * Returns 1 if n is prime or a strong Lucas-Selfridge pseudoprime. + * If it returns 0 then n is definitely composite. + */ + +static int +bn_strong_lucas_selfridge(int *is_pseudoprime, const BIGNUM *n, BN_CTX *ctx) +{ + BIGNUM *D, *two; + int is_perfect_square, jacobi_symbol, sign; + int ret = 0; + + BN_CTX_start(ctx); + + /* If n is a perfect square, it is composite. */ + if (!bn_is_perfect_square(&is_perfect_square, n, ctx)) + goto err; + if (is_perfect_square) { + *is_pseudoprime = 0; + goto done; + } + + /* + * Find the first D in the Selfridge sequence 5, -7, 9, -11, 13, ... 
+ * such that the Jacobi symbol (D/n) is -1. + */ + + if ((D = BN_CTX_get(ctx)) == NULL) + goto err; + if ((two = BN_CTX_get(ctx)) == NULL) + goto err; + + sign = 1; + if (!BN_set_word(D, 5)) + goto err; + if (!BN_set_word(two, 2)) + goto err; + + while (1) { + /* For odd n the Kronecker symbol computes the Jacobi symbol. */ + if ((jacobi_symbol = BN_kronecker(D, n, ctx)) == -2) + goto err; + + /* We found the value for D. */ + if (jacobi_symbol == -1) + break; + + /* n and D have prime factors in common. */ + if (jacobi_symbol == 0) { + *is_pseudoprime = 0; + goto done; + } + + sign = -sign; + if (!BN_uadd(D, D, two)) + goto err; + BN_set_negative(D, sign == -1); + } + + if (!bn_strong_lucas_test(is_pseudoprime, n, D, ctx)) + goto err; + + done: + ret = 1; + + err: + BN_CTX_end(ctx); + + return ret; +} + +/* + * Fermat criterion in Miller-Rabin test. + * + * Check whether 1 < base < n - 1 witnesses that n is composite. For prime n: + * + * * Fermat's little theorem: base^(n-1) = 1 (mod n). + * * The only square roots of 1 (mod n) are 1 and -1. + * + * Calculate base^((n-1)/2) by writing n - 1 = k * 2^s with odd k. Iteratively + * compute power = (base^k)^(2^(s-1)) by successive squaring of base^k. + * + * If power ever reaches -1, base^(n-1) is equal to 1 and n is a pseudoprime + * for base. If power reaches 1 before -1 during successive squaring, we have + * an unexpected square root of 1 and n is composite. Otherwise base^(n-1) != 1, + * and n is composite. + */ + +static int +bn_fermat(int *is_pseudoprime, const BIGNUM *n, const BIGNUM *n_minus_one, + const BIGNUM *k, int s, const BIGNUM *base, BN_CTX *ctx, BN_MONT_CTX *mctx) +{ + BIGNUM *power; + int ret = 0; + int i; + + BN_CTX_start(ctx); + + if ((power = BN_CTX_get(ctx)) == NULL) + goto err; + + /* Sanity check: ensure that 1 < base < n - 1. 
*/ + if (BN_cmp(base, BN_value_one()) <= 0 || BN_cmp(base, n_minus_one) >= 0) + goto err; + + if (!BN_mod_exp_mont_ct(power, base, k, n, ctx, mctx)) + goto err; + + if (BN_is_one(power) || BN_cmp(power, n_minus_one) == 0) { + *is_pseudoprime = 1; + goto done; + } + + /* Loop invariant: power is neither 1 nor -1 (mod n). */ + for (i = 1; i < s; i++) { + if (!BN_mod_sqr(power, power, n, ctx)) + goto err; + + /* n is a pseudoprime for base. */ + if (BN_cmp(power, n_minus_one) == 0) { + *is_pseudoprime = 1; + goto done; + } + + /* n is composite: there's a square root of unity != 1 or -1. */ + if (BN_is_one(power)) { + *is_pseudoprime = 0; + goto done; + } + } + + /* + * If we get here, n is definitely composite: base^(n-1) != 1. + */ + + *is_pseudoprime = 0; + + done: + ret = 1; + + err: + BN_CTX_end(ctx); + + return ret; +} + +/* + * Miller-Rabin primality test for base 2 and for |rounds| of random bases. + * On success: is_pseudoprime == 0 implies that n is composite. + */ + +static int +bn_miller_rabin(int *is_pseudoprime, const BIGNUM *n, BN_CTX *ctx, + size_t rounds) +{ + BN_MONT_CTX *mctx = NULL; + BIGNUM *base, *k, *n_minus_one, *three; + size_t i; + int s; + int ret = 0; + + BN_CTX_start(ctx); + + if ((base = BN_CTX_get(ctx)) == NULL) + goto err; + if ((k = BN_CTX_get(ctx)) == NULL) + goto err; + if ((n_minus_one = BN_CTX_get(ctx)) == NULL) + goto err; + if ((three = BN_CTX_get(ctx)) == NULL) + goto err; + + if (BN_is_word(n, 2) || BN_is_word(n, 3)) { + *is_pseudoprime = 1; + goto done; + } + + if (BN_cmp(n, BN_value_one()) <= 0 || !BN_is_odd(n)) { + *is_pseudoprime = 0; + goto done; + } + + if (!BN_sub(n_minus_one, n, BN_value_one())) + goto err; + + /* + * Factorize n - 1 = k * 2^s. + */ + + s = 0; + while (!BN_is_bit_set(n_minus_one, s)) + s++; + if (!BN_rshift(k, n_minus_one, s)) + goto err; + + /* + * Montgomery setup for n. 
+ */ + + if ((mctx = BN_MONT_CTX_new()) == NULL) + goto err; + + if (!BN_MONT_CTX_set(mctx, n, ctx)) + goto err; + + /* + * Perform a Miller-Rabin test for base 2 as required by BPSW. + */ + + if (!BN_set_word(base, 2)) + goto err; + + if (!bn_fermat(is_pseudoprime, n, n_minus_one, k, s, base, ctx, mctx)) + goto err; + if (!*is_pseudoprime) + goto done; + + /* + * Perform Miller-Rabin tests with random 3 <= base < n - 1 to reduce + * risk of false positives in BPSW. + */ + + if (!BN_set_word(three, 3)) + goto err; + + for (i = 0; i < rounds; i++) { + if (!bn_rand_interval(base, three, n_minus_one)) + goto err; + + if (!bn_fermat(is_pseudoprime, n, n_minus_one, k, s, base, ctx, + mctx)) + goto err; + if (!*is_pseudoprime) + goto done; + } + + /* + * If we got here, we have a Miller-Rabin pseudoprime. + */ + + *is_pseudoprime = 1; + + done: + ret = 1; + + err: + BN_MONT_CTX_free(mctx); + BN_CTX_end(ctx); + + return ret; +} + +/* + * The Baillie-Pomerance-Selfridge-Wagstaff algorithm combines a Miller-Rabin + * test for base 2 with a Strong Lucas pseudoprime test. + */ + +int +bn_is_prime_bpsw(int *is_pseudoprime, const BIGNUM *n, BN_CTX *in_ctx, + size_t rounds) +{ + BN_CTX *ctx = NULL; + BN_ULONG mod; + int i; + int ret = 0; + + if (BN_is_word(n, 2)) { + *is_pseudoprime = 1; + goto done; + } + + if (BN_cmp(n, BN_value_one()) <= 0 || !BN_is_odd(n)) { + *is_pseudoprime = 0; + goto done; + } + + /* Trial divisions with the first 2048 primes. 
*/ + for (i = 0; i < NUMPRIMES; i++) { + if ((mod = BN_mod_word(n, primes[i])) == (BN_ULONG)-1) + goto err; + if (mod == 0) { + *is_pseudoprime = BN_is_word(n, primes[i]); + goto done; + } + } + + if ((ctx = in_ctx) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + if (!bn_miller_rabin(is_pseudoprime, n, ctx, rounds)) + goto err; + if (!*is_pseudoprime) + goto done; + + if (!bn_strong_lucas_selfridge(is_pseudoprime, n, ctx)) + goto err; + + done: + ret = 1; + + err: + if (ctx != in_ctx) + BN_CTX_free(ctx); + + return ret; +} diff --git a/crypto/bn/bn_convert.c b/crypto/bn/bn_convert.c new file mode 100644 index 0000000..65834ff --- /dev/null +++ b/crypto/bn/bn_convert.c 
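Review bot: In bn_strong_lucas_selfridge the `while (1)` search for D has no iteration bound and terminates only because the perfect-square check a few lines earlier rejects the n for which no D with Jacobi symbol -1 exists, but nothing at the loop says so; a comment such as `/* Terminates: n is not a perfect square (rejected above), so some D in this sequence has (D/n) == -1. */` would tie the two together. bn_fermat pairs the constant-time `BN_mod_exp_mont_ct` with a plain `BN_mod_sqr` squaring loop, and the Lucas path uses `BN_mod_mul`, `BN_sqr` and `BN_kronecker`, so the running time of the test depends on n; the header comment above bn_is_prime_bpsw should state whether the routine is intended for public inputs only or also for secret candidates, since in the latter case those calls are a timing side channel to consider. The comment `/* Trial divisions with the first 2048 primes. */` hard-codes a count that the loop actually takes from NUMPRIMES; `/* Trial division by the NUMPRIMES small primes in primes[]. */` stays correct if the table changes.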
@@ -0,0 +1,656 @@ +/* $OpenBSD: bn_convert.c,v 1.8 2023/05/09 05:15:55 jsing Exp $ */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. 
All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] 
+ */ + +#include +#include +#include +#include + +#include + +#include +#include +#include + +#include "bn_local.h" +#include "bytestring.h" + +static const char hex_digits[] = "0123456789ABCDEF"; + +typedef enum { + big, + little, +} endianness_t; + +/* ignore negative */ +static int +bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, endianness_t endianness) +{ + int n; + size_t i, lasti, j, atop, mask; + BN_ULONG l; + + /* + * In case |a| is fixed-top, BN_num_bytes can return bogus length, + * but it's assumed that fixed-top inputs ought to be "nominated" + * even for padded output, so it works out... + */ + n = BN_num_bytes(a); + if (tolen == -1) + tolen = n; + else if (tolen < n) { /* uncommon/unlike case */ + BIGNUM temp = *a; + + bn_correct_top(&temp); + + n = BN_num_bytes(&temp); + if (tolen < n) + return -1; + } + + /* Swipe through whole available data and don't give away padded zero. */ + atop = a->dmax * BN_BYTES; + if (atop == 0) { + explicit_bzero(to, tolen); + return tolen; + } + + lasti = atop - 1; + atop = a->top * BN_BYTES; + + if (endianness == big) + to += tolen; /* start from the end of the buffer */ + + for (i = 0, j = 0; j < (size_t)tolen; j++) { + unsigned char val; + + l = a->d[i / BN_BYTES]; + mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1)); + val = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); + + if (endianness == big) + *--to = val; + else + *to++ = val; + + i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */ + } + + return tolen; +} + +int +BN_bn2bin(const BIGNUM *a, unsigned char *to) +{ + return bn2binpad(a, to, -1, big); +} + +int +BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) +{ + if (tolen < 0) + return -1; + return bn2binpad(a, to, tolen, big); +} + +BIGNUM * +BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) +{ + unsigned int i, m; + unsigned int n; + BN_ULONG l; + BIGNUM *bn = NULL; + + if (len < 0) + return (NULL); + if (ret == NULL) + ret = bn = BN_new(); + if (ret == NULL) + return 
(NULL); + l = 0; + n = len; + if (n == 0) { + ret->top = 0; + return (ret); + } + i = ((n - 1) / BN_BYTES) + 1; + m = ((n - 1) % (BN_BYTES)); + if (!bn_wexpand(ret, (int)i)) { + BN_free(bn); + return NULL; + } + ret->top = i; + ret->neg = 0; + while (n--) { + l = (l << 8L) | *(s++); + if (m-- == 0) { + ret->d[--i] = l; + l = 0; + m = BN_BYTES - 1; + } + } + /* need to call this due to clear byte at top if avoiding + * having the top bit set (-ve number) */ + bn_correct_top(ret); + return (ret); +} + +int +BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen) +{ + if (tolen < 0) + return -1; + + return bn2binpad(a, to, tolen, little); +} + +BIGNUM * +BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret) +{ + unsigned int i, m, n; + BN_ULONG l; + BIGNUM *bn = NULL; + + if (ret == NULL) + ret = bn = BN_new(); + if (ret == NULL) + return NULL; + + + s += len; + /* Skip trailing zeroes. */ + for (; len > 0 && s[-1] == 0; s--, len--) + continue; + + n = len; + if (n == 0) { + ret->top = 0; + return ret; + } + + i = ((n - 1) / BN_BYTES) + 1; + m = (n - 1) % BN_BYTES; + if (!bn_wexpand(ret, (int)i)) { + BN_free(bn); + return NULL; + } + + ret->top = i; + ret->neg = 0; + l = 0; + while (n-- > 0) { + s--; + l = (l << 8L) | *s; + if (m-- == 0) { + ret->d[--i] = l; + l = 0; + m = BN_BYTES - 1; + } + } + + /* + * need to call this due to clear byte at top if avoiding having the + * top bit set (-ve number) + */ + bn_correct_top(ret); + + return ret; +} + +int +BN_asc2bn(BIGNUM **bn, const char *a) +{ + const char *p = a; + if (*p == '-') + p++; + + if (p[0] == '0' && (p[1] == 'X' || p[1] == 'x')) { + if (!BN_hex2bn(bn, p + 2)) + return 0; + } else { + if (!BN_dec2bn(bn, p)) + return 0; + } + if (*a == '-') + BN_set_negative(*bn, 1); + return 1; +} + +char * +BN_bn2dec(const BIGNUM *bn) +{ + int started = 0; + BIGNUM *tmp = NULL; + uint8_t *data = NULL; + size_t data_len = 0; + uint8_t *s = NULL; + size_t s_len; + BN_ULONG v, w; + uint8_t c; + CBB cbb; + CBS cbs; + 
int i; + + if (!CBB_init(&cbb, 0)) + goto err; + + if ((tmp = BN_dup(bn)) == NULL) + goto err; + + /* + * Divide the BIGNUM by a large multiple of 10, then break the remainder + * into decimal digits. This produces a reversed string of digits, + * potentially with leading zeroes. + */ + while (!BN_is_zero(tmp)) { + if ((w = BN_div_word(tmp, BN_DEC_CONV)) == -1) + goto err; + for (i = 0; i < BN_DEC_NUM; i++) { + v = w % 10; + if (!CBB_add_u8(&cbb, '0' + v)) + goto err; + w /= 10; + } + } + if (!CBB_finish(&cbb, &data, &data_len)) + goto err; + + if (data_len > SIZE_MAX - 3) + goto err; + if (!CBB_init(&cbb, data_len + 3)) + goto err; + + if (BN_is_negative(bn)) { + if (!CBB_add_u8(&cbb, '-')) + goto err; + } + + /* Reverse digits and trim leading zeroes. */ + CBS_init(&cbs, data, data_len); + while (CBS_len(&cbs) > 0) { + if (!CBS_get_last_u8(&cbs, &c)) + goto err; + if (!started && c == '0') + continue; + if (!CBB_add_u8(&cbb, c)) + goto err; + started = 1; + } + + if (!started) { + if (!CBB_add_u8(&cbb, '0')) + goto err; + } + if (!CBB_add_u8(&cbb, '\0')) + goto err; + if (!CBB_finish(&cbb, &s, &s_len)) + goto err; + + err: + BN_free(tmp); + CBB_cleanup(&cbb); + freezero(data, data_len); + + return s; +} + +int +BN_dec2bn(BIGNUM **bn, const char *a) +{ + BIGNUM *ret = NULL; + BN_ULONG l = 0; + int neg = 0, i, j; + int num; + + if ((a == NULL) || (*a == '\0')) + return (0); + if (*a == '-') { + neg = 1; + a++; + } + + for (i = 0; i <= (INT_MAX / 4) && isdigit((unsigned char)a[i]); i++) + ; + if (i > INT_MAX / 4) + return (0); + + num = i + neg; + if (bn == NULL) + return (num); + + /* a is the start of the digits, and it is 'i' long. 
+ * We chop it into BN_DEC_NUM digits at a time */ + if (*bn == NULL) { + if ((ret = BN_new()) == NULL) + return (0); + } else { + ret = *bn; + BN_zero(ret); + } + + /* i is the number of digits, a bit of an over expand */ + if (!bn_expand(ret, i * 4)) + goto err; + + j = BN_DEC_NUM - (i % BN_DEC_NUM); + if (j == BN_DEC_NUM) + j = 0; + l = 0; + while (*a) { + l *= 10; + l += *a - '0'; + a++; + if (++j == BN_DEC_NUM) { + if (!BN_mul_word(ret, BN_DEC_CONV)) + goto err; + if (!BN_add_word(ret, l)) + goto err; + l = 0; + j = 0; + } + } + + bn_correct_top(ret); + + BN_set_negative(ret, neg); + + *bn = ret; + return (num); + +err: + if (*bn == NULL) + BN_free(ret); + return (0); +} + +char * +BN_bn2hex(const BIGNUM *bn) +{ + int started = 0; + uint8_t *s = NULL; + size_t s_len; + BN_ULONG v, w; + int i, j; + CBB cbb; + + if (!CBB_init(&cbb, 0)) + goto err; + + if (BN_is_negative(bn)) { + if (!CBB_add_u8(&cbb, '-')) + goto err; + } + if (BN_is_zero(bn)) { + if (!CBB_add_u8(&cbb, '0')) + goto err; + } + for (i = bn->top - 1; i >= 0; i--) { + w = bn->d[i]; + for (j = BN_BITS2 - 8; j >= 0; j -= 8) { + v = (w >> j) & 0xff; + if (!started && v == 0) + continue; + if (!CBB_add_u8(&cbb, hex_digits[v >> 4])) + goto err; + if (!CBB_add_u8(&cbb, hex_digits[v & 0xf])) + goto err; + started = 1; + } + } + if (!CBB_add_u8(&cbb, '\0')) + goto err; + if (!CBB_finish(&cbb, &s, &s_len)) + goto err; + + err: + CBB_cleanup(&cbb); + + return s; +} + +int +BN_hex2bn(BIGNUM **bn, const char *a) +{ + BIGNUM *ret = NULL; + BN_ULONG l = 0; + int neg = 0, h, m, i,j, k, c; + int num; + + if ((a == NULL) || (*a == '\0')) + return (0); + + if (*a == '-') { + neg = 1; + a++; + } + + for (i = 0; i <= (INT_MAX / 4) && isxdigit((unsigned char)a[i]); i++) + ; + if (i > INT_MAX / 4) + return (0); + + num = i + neg; + if (bn == NULL) + return (num); + + /* a is the start of the hex digits, and it is 'i' long */ + if (*bn == NULL) { + if ((ret = BN_new()) == NULL) + return (0); + } else { + ret = *bn; + 
BN_zero(ret); + } + + /* i is the number of hex digits */ + if (!bn_expand(ret, i * 4)) + goto err; + + j = i; /* least significant 'hex' */ + m = 0; + h = 0; + while (j > 0) { + m = ((BN_BYTES * 2) <= j) ? (BN_BYTES * 2) : j; + l = 0; + for (;;) { + c = a[j - m]; + if ((c >= '0') && (c <= '9')) + k = c - '0'; + else if ((c >= 'a') && (c <= 'f')) + k = c - 'a' + 10; + else if ((c >= 'A') && (c <= 'F')) + k = c - 'A' + 10; + else + k = 0; /* paranoia */ + l = (l << 4) | k; + + if (--m <= 0) { + ret->d[h++] = l; + break; + } + } + j -= (BN_BYTES * 2); + } + ret->top = h; + bn_correct_top(ret); + + BN_set_negative(ret, neg); + + *bn = ret; + return (num); + +err: + if (*bn == NULL) + BN_free(ret); + return (0); +} + +int +BN_bn2mpi(const BIGNUM *a, unsigned char *d) +{ + int bits; + int num = 0; + int ext = 0; + long l; + + bits = BN_num_bits(a); + num = (bits + 7) / 8; + if (bits > 0) { + ext = ((bits & 0x07) == 0); + } + if (d == NULL) + return (num + 4 + ext); + + l = num + ext; + d[0] = (unsigned char)(l >> 24) & 0xff; + d[1] = (unsigned char)(l >> 16) & 0xff; + d[2] = (unsigned char)(l >> 8) & 0xff; + d[3] = (unsigned char)(l) & 0xff; + if (ext) + d[4] = 0; + num = BN_bn2bin(a, &(d[4 + ext])); + if (a->neg) + d[4] |= 0x80; + return (num + 4 + ext); +} + +BIGNUM * +BN_mpi2bn(const unsigned char *d, int n, BIGNUM *ain) +{ + BIGNUM *a = ain; + long len; + int neg = 0; + + if (n < 4) { + BNerror(BN_R_INVALID_LENGTH); + return (NULL); + } + len = ((long)d[0] << 24) | ((long)d[1] << 16) | ((int)d[2] << 8) | + (int)d[3]; + if ((len + 4) != n) { + BNerror(BN_R_ENCODING_ERROR); + return (NULL); + } + + if (a == NULL) + a = BN_new(); + if (a == NULL) + return (NULL); + + if (len == 0) { + a->neg = 0; + a->top = 0; + return (a); + } + d += 4; + if ((*d) & 0x80) + neg = 1; + if (BN_bin2bn(d, (int)len, a) == NULL) { + if (ain == NULL) + BN_free(a); + return (NULL); + } + BN_set_negative(a, neg); + if (neg) { + BN_clear_bit(a, BN_num_bits(a) - 1); + } + return (a); +} + 
+#ifndef OPENSSL_NO_BIO +int +BN_print_fp(FILE *fp, const BIGNUM *a) +{ + BIO *b; + int ret; + + if ((b = BIO_new(BIO_s_file())) == NULL) + return (0); + BIO_set_fp(b, fp, BIO_NOCLOSE); + ret = BN_print(b, a); + BIO_free(b); + return (ret); +} + +int +BN_print(BIO *bp, const BIGNUM *a) +{ + int i, j, v, z = 0; + int ret = 0; + + if ((a->neg) && (BIO_write(bp, "-", 1) != 1)) + goto end; + if (BN_is_zero(a) && (BIO_write(bp, "0", 1) != 1)) + goto end; + for (i = a->top - 1; i >= 0; i--) { + for (j = BN_BITS2 - 4; j >= 0; j -= 4) { + /* strip leading zeros */ + v = ((int)(a->d[i] >> (long)j)) & 0x0f; + if (z || (v != 0)) { + if (BIO_write(bp, &hex_digits[v], 1) != 1) + goto end; + z = 1; + } + } + } + ret = 1; + +end: + return (ret); +} +#endif diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index 0d64cca..357eda1 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c 
@@ -1,481 +1,156 @@ -/* $OpenBSD: bn_ctx.c,v 1.16 2019/08/20 10:59:09 schwarze Exp $ */ -/* Written by Ulf Moeller for the OpenSSL project. */ -/* ==================================================================== - * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. +/* $OpenBSD: bn_ctx.c,v 1.21 2023/04/25 16:41:29 tb Exp $ */ +/* + * Copyright (c) 2023 Joel Sing * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. 
Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
*/ -#if !defined(BN_CTX_DEBUG) && !defined(BN_DEBUG) -#ifndef NDEBUG -#define NDEBUG -#endif -#endif - -#include +#include #include #include - #include -#include "bn_lcl.h" +#include "bn_local.h" -/* TODO list - * - * 1. Check a bunch of "(words+1)" type hacks in various bignum functions and - * check they can be safely removed. - * - Check +1 and other ugliness in BN_from_montgomery() - * - * 2. Consider allowing a BN_new_ex() that, at least, lets you specify an - * appropriate 'block' size that will be honoured by bn_expand_internal() to - * prevent piddly little reallocations. OTOH, profiling bignum expansions in - * BN_CTX doesn't show this to be a big issue. - */ +#define BN_CTX_INITIAL_LEN 8 -/* How many bignums are in each "pool item"; */ -#define BN_CTX_POOL_SIZE 16 -/* The stack frame info is resizing, set a first-time expansion size; */ -#define BN_CTX_START_FRAMES 32 - -/***********/ -/* BN_POOL */ -/***********/ - -/* A bundle of bignums that can be linked with other bundles */ -typedef struct bignum_pool_item { - /* The bignum values */ - BIGNUM vals[BN_CTX_POOL_SIZE]; - /* Linked-list admin */ - struct bignum_pool_item *prev, *next; -} BN_POOL_ITEM; - -/* A linked-list of bignums grouped in bundles */ -typedef struct bignum_pool { - /* Linked-list admin */ - BN_POOL_ITEM *head, *current, *tail; - /* Stack depth and allocation size */ - unsigned used, size; -} BN_POOL; - -static void BN_POOL_init(BN_POOL *); -static void BN_POOL_finish(BN_POOL *); -#ifndef OPENSSL_NO_DEPRECATED -static void BN_POOL_reset(BN_POOL *); -#endif -static BIGNUM * BN_POOL_get(BN_POOL *); -static void BN_POOL_release(BN_POOL *, unsigned int); - -/************/ -/* BN_STACK */ -/************/ - -/* A wrapper to manage the "stack frames" */ -typedef struct bignum_ctx_stack { - /* Array of indexes into the bignum stack */ - unsigned int *indexes; - /* Number of stack frames, and the size of the allocated array */ - unsigned int depth, size; -} BN_STACK; - -static void 
BN_STACK_init(BN_STACK *); -static void BN_STACK_finish(BN_STACK *); -#ifndef OPENSSL_NO_DEPRECATED -static void BN_STACK_reset(BN_STACK *); -#endif -static int BN_STACK_push(BN_STACK *, unsigned int); -static unsigned int BN_STACK_pop(BN_STACK *); - -/**********/ -/* BN_CTX */ -/**********/ - -/* The opaque BN_CTX type */ struct bignum_ctx { - /* The bignum bundles */ - BN_POOL pool; - /* The "stack frames", if you will */ - BN_STACK stack; - /* The number of bignums currently assigned */ - unsigned int used; - /* Depth of stack overflow */ - int err_stack; - /* Block "gets" until an "end" (compatibility behaviour) */ - int too_many; + BIGNUM **bignums; + uint8_t *groups; + uint8_t group; + size_t index; + size_t len; + + int error; }; -/* Enable this to find BN_CTX bugs */ -#ifdef BN_CTX_DEBUG -static const char *ctxdbg_cur = NULL; - -static void -ctxdbg(BN_CTX *ctx) +static int +bn_ctx_grow(BN_CTX *bctx) { - unsigned int bnidx = 0, fpidx = 0; - BN_POOL_ITEM *item = ctx->pool.head; - BN_STACK *stack = &ctx->stack; + BIGNUM **bignums = NULL; + uint8_t *groups = NULL; + size_t len; - fprintf(stderr, "(%08x): ", (unsigned int)ctx); - while (bnidx < ctx->used) { - fprintf(stderr, "%03x ", - item->vals[bnidx++ % BN_CTX_POOL_SIZE].dmax); - if (!(bnidx % BN_CTX_POOL_SIZE)) - item = item->next; + if ((len = bctx->len) == 0) { + len = BN_CTX_INITIAL_LEN; + } else { + if (SIZE_MAX - len < len) + return 0; + len *= 2; } - fprintf(stderr, "\n"); - bnidx = 0; - fprintf(stderr, " : "); - while (fpidx < stack->depth) { - while (bnidx++ < stack->indexes[fpidx]) - fprintf(stderr, " "); - fprintf(stderr, "^^^ "); - bnidx++; - fpidx++; - } - fprintf(stderr, "\n"); + + if ((bignums = recallocarray(bctx->bignums, bctx->len, len, + sizeof(bctx->bignums[0]))) == NULL) + return 0; + bctx->bignums = bignums; + + if ((groups = reallocarray(bctx->groups, len, + sizeof(bctx->groups[0]))) == NULL) + return 0; + bctx->groups = groups; + + bctx->len = len; + + return 1; } -#define 
CTXDBG_ENTRY(str, ctx) \ - do { \ - ctxdbg_cur = (str); \ - fprintf(stderr, "Starting %s\n", ctxdbg_cur); \ - ctxdbg(ctx); \ - } while(0) - -#define CTXDBG_EXIT(ctx) \ - do { \ - fprintf(stderr, "Ending %s\n", ctxdbg_cur); \ - ctxdbg(ctx); \ - } while(0) - -#define CTXDBG_RET(ctx,ret) -#else -#define CTXDBG_ENTRY(str, ctx) -#define CTXDBG_EXIT(ctx) -#define CTXDBG_RET(ctx,ret) -#endif - -/* This function is an evil legacy and should not be used. This implementation - * is WYSIWYG, though I've done my best. */ -#ifndef OPENSSL_NO_DEPRECATED -void -BN_CTX_init(BN_CTX *ctx) -{ - /* Assume the caller obtained the context via BN_CTX_new() and so is - * trying to reset it for use. Nothing else makes sense, least of all - * binary compatibility from a time when they could declare a static - * variable. */ - BN_POOL_reset(&ctx->pool); - BN_STACK_reset(&ctx->stack); - ctx->used = 0; - ctx->err_stack = 0; - ctx->too_many = 0; -} -#endif BN_CTX * BN_CTX_new(void) { - BN_CTX *ret = malloc(sizeof(BN_CTX)); - if (!ret) { - BNerror(ERR_R_MALLOC_FAILURE); - return NULL; - } - - /* Initialise the structure */ - BN_POOL_init(&ret->pool); - BN_STACK_init(&ret->stack); - ret->used = 0; - ret->err_stack = 0; - ret->too_many = 0; - return ret; + return calloc(1, sizeof(struct bignum_ctx)); } void -BN_CTX_free(BN_CTX *ctx) +BN_CTX_free(BN_CTX *bctx) { - if (ctx == NULL) + size_t i; + + if (bctx == NULL) return; -#ifdef BN_CTX_DEBUG - { - BN_POOL_ITEM *pool = ctx->pool.head; - fprintf(stderr, "BN_CTX_free, stack-size=%d, pool-bignums=%d\n", - ctx->stack.size, ctx->pool.size); - fprintf(stderr, "dmaxs: "); - while (pool) { - unsigned loop = 0; - while (loop < BN_CTX_POOL_SIZE) - fprintf(stderr, "%02x ", - pool->vals[loop++].dmax); - pool = pool->next; - } - fprintf(stderr, "\n"); + + for (i = 0; i < bctx->len; i++) { + BN_free(bctx->bignums[i]); + bctx->bignums[i] = NULL; } -#endif - BN_STACK_finish(&ctx->stack); - BN_POOL_finish(&ctx->pool); - free(ctx); + + free(bctx->bignums); + 
free(bctx->groups); + + freezero(bctx, sizeof(*bctx)); } void -BN_CTX_start(BN_CTX *ctx) +BN_CTX_start(BN_CTX *bctx) { - CTXDBG_ENTRY("BN_CTX_start", ctx); + bctx->group++; - /* If we're already overflowing ... */ - if (ctx->err_stack || ctx->too_many) - ctx->err_stack++; - /* (Try to) get a new frame pointer */ - else if (!BN_STACK_push(&ctx->stack, ctx->used)) { + if (bctx->group == 0) { BNerror(BN_R_TOO_MANY_TEMPORARY_VARIABLES); - ctx->err_stack++; - } - CTXDBG_EXIT(ctx); -} - -void -BN_CTX_end(BN_CTX *ctx) -{ - if (ctx == NULL) + bctx->error = 1; return; - - CTXDBG_ENTRY("BN_CTX_end", ctx); - - if (ctx->err_stack) - ctx->err_stack--; - else { - unsigned int fp = BN_STACK_pop(&ctx->stack); - /* Does this stack frame have anything to release? */ - if (fp < ctx->used) - BN_POOL_release(&ctx->pool, ctx->used - fp); - ctx->used = fp; - /* Unjam "too_many" in case "get" had failed */ - ctx->too_many = 0; } - CTXDBG_EXIT(ctx); } BIGNUM * -BN_CTX_get(BN_CTX *ctx) +BN_CTX_get(BN_CTX *bctx) { - BIGNUM *ret; + BIGNUM *bn = NULL; - CTXDBG_ENTRY("BN_CTX_get", ctx); - - if (ctx->err_stack || ctx->too_many) + if (bctx->error) return NULL; - if ((ret = BN_POOL_get(&ctx->pool)) == NULL) { - /* Setting too_many prevents repeated "get" attempts from - * cluttering the error stack. 
*/ - ctx->too_many = 1; - BNerror(BN_R_TOO_MANY_TEMPORARY_VARIABLES); + + if (bctx->group == 0) { + BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + bctx->error = 1; return NULL; } - /* OK, make sure the returned bignum is "zero" */ - BN_zero(ret); - ctx->used++; - CTXDBG_RET(ctx, ret); - return ret; -} -/************/ -/* BN_STACK */ -/************/ - -static void -BN_STACK_init(BN_STACK *st) -{ - st->indexes = NULL; - st->depth = st->size = 0; -} - -static void -BN_STACK_finish(BN_STACK *st) -{ - if (st->size) - free(st->indexes); -} - -#ifndef OPENSSL_NO_DEPRECATED -static void -BN_STACK_reset(BN_STACK *st) -{ - st->depth = 0; -} -#endif - -static int -BN_STACK_push(BN_STACK *st, unsigned int idx) -{ - if (st->depth == st->size) - /* Need to expand */ - { - unsigned int newsize = (st->size ? - (st->size * 3 / 2) : BN_CTX_START_FRAMES); - unsigned int *newitems = reallocarray(NULL, - newsize, sizeof(unsigned int)); - if (!newitems) - return 0; - if (st->depth) - memcpy(newitems, st->indexes, st->depth * - sizeof(unsigned int)); - if (st->size) - free(st->indexes); - st->indexes = newitems; - st->size = newsize; - } - st->indexes[(st->depth)++] = idx; - return 1; -} - -static unsigned int -BN_STACK_pop(BN_STACK *st) -{ - return st->indexes[--(st->depth)]; -} - -/***********/ -/* BN_POOL */ -/***********/ - -static void -BN_POOL_init(BN_POOL *p) -{ - p->head = p->current = p->tail = NULL; - p->used = p->size = 0; -} - -static void -BN_POOL_finish(BN_POOL *p) -{ - while (p->head) { - unsigned int loop = 0; - BIGNUM *bn = p->head->vals; - while (loop++ < BN_CTX_POOL_SIZE) { - if (bn->d) - BN_clear_free(bn); - bn++; - } - p->current = p->head->next; - free(p->head); - p->head = p->current; - } -} - -#ifndef OPENSSL_NO_DEPRECATED -static void -BN_POOL_reset(BN_POOL *p) -{ - BN_POOL_ITEM *item = p->head; - while (item) { - unsigned int loop = 0; - BIGNUM *bn = item->vals; - while (loop++ < BN_CTX_POOL_SIZE) { - if (bn->d) - BN_clear(bn); - bn++; - } - item = item->next; - 
} - p->current = p->head; - p->used = 0; -} -#endif - -static BIGNUM * -BN_POOL_get(BN_POOL *p) -{ - if (p->used == p->size) { - BIGNUM *bn; - unsigned int loop = 0; - BN_POOL_ITEM *item = malloc(sizeof(BN_POOL_ITEM)); - if (!item) + if (bctx->index == bctx->len) { + if (!bn_ctx_grow(bctx)) { + BNerror(BN_R_TOO_MANY_TEMPORARY_VARIABLES); + bctx->error = 1; return NULL; - /* Initialise the structure */ - bn = item->vals; - while (loop++ < BN_CTX_POOL_SIZE) - BN_init(bn++); - item->prev = p->tail; - item->next = NULL; - /* Link it in */ - if (!p->head) - p->head = p->current = p->tail = item; - else { - p->tail->next = item; - p->tail = item; - p->current = item; } - p->size += BN_CTX_POOL_SIZE; - p->used++; - /* Return the first bignum from the new pool */ - return item->vals; } - if (!p->used) - p->current = p->head; - else if ((p->used % BN_CTX_POOL_SIZE) == 0) - p->current = p->current->next; - return p->current->vals + ((p->used++) % BN_CTX_POOL_SIZE); + + if ((bn = bctx->bignums[bctx->index]) == NULL) { + if ((bn = BN_new()) == NULL) { + BNerror(BN_R_TOO_MANY_TEMPORARY_VARIABLES); + bctx->error = 1; + return NULL; + } + bctx->bignums[bctx->index] = bn; + } + bctx->groups[bctx->index] = bctx->group; + bctx->index++; + + BN_zero(bn); + + return bn; } -static void -BN_POOL_release(BN_POOL *p, unsigned int num) +void +BN_CTX_end(BN_CTX *bctx) { - unsigned int offset = (p->used - 1) % BN_CTX_POOL_SIZE; + if (bctx == NULL || bctx->error || bctx->group == 0) + return; - p->used -= num; - while (num--) { - bn_check_top(p->current->vals + offset); - if (!offset) { - offset = BN_CTX_POOL_SIZE - 1; - p->current = p->current->prev; - } else - offset--; + while (bctx->index > 0 && bctx->groups[bctx->index - 1] == bctx->group) { + BN_zero(bctx->bignums[bctx->index - 1]); + bctx->groups[bctx->index - 1] = 0; + bctx->index--; } + + bctx->group--; } diff --git a/crypto/bn/bn_depr.c b/crypto/bn/bn_depr.c deleted file mode 100644 index dc5c2ab..0000000 
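Review bot: The fields of the rewritten `struct bignum_ctx` carry no comments, and the contract that `error` is sticky — once BN_CTX_start or BN_CTX_get sets it, BN_CTX_end returns early and nothing in this file clears it, so the context stays unusable until BN_CTX_free — is stated nowhere. A comment block above the struct should say that `bignums` holds `len` slots reused across nesting groups, that `groups[i]` records the `group` depth at which `bignums[i]` was handed out (which is what BN_CTX_end walks back), that `group` is a `uint8_t` so nesting deeper than 255 BN_CTX_start calls trips the wrap-to-zero check, and that `error` is never cleared. Separately, BN_CTX_get reports a failed `BN_new()` as `BN_R_TOO_MANY_TEMPORARY_VARIABLES`; the `ERR_R_MALLOC_FAILURE` the removed BN_CTX_new used would describe that branch more accurately. BN_CTX_end also releases temporaries with `BN_zero`, which (if it only resets the value, as its name suggests) leaves limb contents in place until the context is freed; if intermediates are not meant to linger between groups, `BN_clear` would wipe them at the cost of a memset per temporary, and either way the choice deserves a one-line comment at the loop.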
--- a/crypto/bn/bn_depr.c +++ /dev/null 
@@ -1,115 +0,0 @@ -/* $OpenBSD: bn_depr.c,v 1.7 2014/10/18 17:20:40 jsing Exp $ */ -/* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* Support for deprecated functions goes here - static linkage will only slurp - * this code if applications are using them directly. */ - -#include -#include - -#include - -#include "bn_lcl.h" - -#ifndef OPENSSL_NO_DEPRECATED -BIGNUM * -BN_generate_prime(BIGNUM *ret, int bits, int safe, const BIGNUM *add, - const BIGNUM *rem, void (*callback)(int, int, void *), void *cb_arg) -{ - BN_GENCB cb; - BIGNUM *rnd = NULL; - int found = 0; - - BN_GENCB_set_old(&cb, callback, cb_arg); - - if (ret == NULL) { - if ((rnd = BN_new()) == NULL) - goto err; - } else - rnd = ret; - if (!BN_generate_prime_ex(rnd, bits, safe, add, rem, &cb)) - goto err; - - /* we have a prime :-) */ - found = 1; - -err: - if (!found && (ret == NULL) && (rnd != NULL)) - BN_free(rnd); - return (found ? 
rnd : NULL); -} - -int -BN_is_prime(const BIGNUM *a, int checks, void (*callback)(int, int, void *), - BN_CTX *ctx_passed, void *cb_arg) -{ - BN_GENCB cb; - - BN_GENCB_set_old(&cb, callback, cb_arg); - return BN_is_prime_ex(a, checks, ctx_passed, &cb); -} - -int -BN_is_prime_fasttest(const BIGNUM *a, int checks, - void (*callback)(int, int, void *), BN_CTX *ctx_passed, void *cb_arg, - int do_trial_division) -{ - BN_GENCB cb; - - BN_GENCB_set_old(&cb, callback, cb_arg); - return BN_is_prime_fasttest_ex(a, checks, ctx_passed, - do_trial_division, &cb); -} -#endif diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c index 1249a11..3225fa4 100644 --- a/crypto/bn/bn_div.c +++ b/crypto/bn/bn_div.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_div.c,v 1.25 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bn_div.c,v 1.40 2023/03/27 10:21:23 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include #include #include 
@@ -63,149 +64,264 @@ #include #include -#include "bn_lcl.h" +#include "bn_arch.h" +#include "bn_local.h" +#include "bn_internal.h" -#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) \ - && !defined(BN_DIV3W) -# if defined(__GNUC__) && __GNUC__>=2 -# if defined(__i386) || defined (__i386__) - /* - * There were two reasons for implementing this template: - * - GNU C generates a call to a function (__udivdi3 to be exact) - * in reply to ((((BN_ULLONG)n0)< - */ -#undef bn_div_words -# define bn_div_words(n0,n1,d0) \ - ({ asm volatile ( \ - "divl %4" \ - : "=a"(q), "=d"(rem) \ - : "a"(n1), "d"(n0), "g"(d0) \ - : "cc"); \ - q; \ - }) -# define REMAINDER_IS_ALREADY_CALCULATED -# elif defined(__x86_64) && defined(_LP64) - /* - * Same story here, but it's 128-bit by 64-bit division. Wow! - * - */ -# undef bn_div_words -# define bn_div_words(n0,n1,d0) \ - ({ asm volatile ( \ - "divq %4" \ - : "=a"(q), "=d"(rem) \ - : "a"(n1), "d"(n0), "g"(d0) \ - : "cc"); \ - q; \ - }) -# define REMAINDER_IS_ALREADY_CALCULATED -# endif /* __ */ -# endif /* __GNUC__ */ -#endif /* OPENSSL_NO_ASM */ +BN_ULONG bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0); +#ifndef HAVE_BN_DIV_WORDS +#if defined(BN_LLONG) && defined(BN_DIV2W) -/* BN_div computes dv := num / divisor, rounding towards - * zero, and sets up rm such that dv*divisor + rm = num holds. - * Thus: - * dv->neg == num->neg ^ divisor->neg (unless the result is zero) - * rm->neg == num->neg (unless the remainder is zero) - * If 'dv' or 'rm' is NULL, the respective value is not returned. +BN_ULONG +bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) +{ + return ((BN_ULONG)(((((BN_ULLONG)h) << BN_BITS2)|l)/(BN_ULLONG)d)); +} + +#else + +/* Divide h,l by d and return the result. 
*/ +/* I need to test this some more :-( */ +BN_ULONG +bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d) +{ + BN_ULONG dh, dl, q,ret = 0, th, tl, t; + int i, count = 2; + + if (d == 0) + return (BN_MASK2); + + i = BN_num_bits_word(d); + assert((i == BN_BITS2) || (h <= (BN_ULONG)1 << i)); + + i = BN_BITS2 - i; + if (h >= d) + h -= d; + + if (i) { + d <<= i; + h = (h << i) | (l >> (BN_BITS2 - i)); + l <<= i; + } + dh = (d & BN_MASK2h) >> BN_BITS4; + dl = (d & BN_MASK2l); + for (;;) { + if ((h >> BN_BITS4) == dh) + q = BN_MASK2l; + else + q = h / dh; + + th = q * dh; + tl = dl * q; + for (;;) { + t = h - th; + if ((t & BN_MASK2h) || + ((tl) <= ( + (t << BN_BITS4) | + ((l & BN_MASK2h) >> BN_BITS4)))) + break; + q--; + th -= dh; + tl -= dl; + } + t = (tl >> BN_BITS4); + tl = (tl << BN_BITS4) & BN_MASK2h; + th += t; + + if (l < tl) + th++; + l -= tl; + if (h < th) { + h += d; + q--; + } + h -= th; + + if (--count == 0) + break; + + ret = q << BN_BITS4; + h = ((h << BN_BITS4) | (l >> BN_BITS4)) & BN_MASK2; + l = (l & BN_MASK2l) << BN_BITS4; + } + ret |= q; + return (ret); +} +#endif /* !defined(BN_LLONG) && defined(BN_DIV2W) */ +#endif + +/* + * Divide a double word (h:l) by d, returning the quotient q and the remainder + * r, such that q * d + r is equal to the numerator. + */ +#ifndef HAVE_BN_DIV_REM_WORDS +#ifndef HAVE_BN_DIV_REM_WORDS_INLINE +static inline void +bn_div_rem_words_inline(BN_ULONG h, BN_ULONG l, BN_ULONG d, BN_ULONG *out_q, + BN_ULONG *out_r) +{ + BN_ULONG q, r; + + q = bn_div_words(h, l, d); + r = (l - q * d) & BN_MASK2; + + *out_q = q; + *out_r = r; +} +#endif + +void +bn_div_rem_words(BN_ULONG h, BN_ULONG l, BN_ULONG d, BN_ULONG *out_q, + BN_ULONG *out_r) +{ + bn_div_rem_words_inline(h, l, d, out_q, out_r); +} +#endif + +#ifndef HAVE_BN_DIV_3_WORDS + +/* + * Interface is somewhat quirky, |m| is pointer to most significant limb, + * and less significant limb is referred at |m[-1]|. 
This means that caller + * is responsible for ensuring that |m[-1]| is valid. Second condition that + * has to be met is that |d0|'s most significant bit has to be set. Or in + * other words divisor has to be "bit-aligned to the left." The subroutine + * considers four limbs, two of which are "overlapping," hence the name... + */ +BN_ULONG +bn_div_3_words(const BN_ULONG *m, BN_ULONG d1, BN_ULONG d0) +{ + BN_ULONG n0, n1, q, t2h, t2l; + BN_ULONG rem = 0; + + n0 = m[0]; + n1 = m[-1]; + + if (n0 == d0) + return BN_MASK2; + + /* n0 < d0 */ + bn_div_rem_words(n0, n1, d0, &q, &rem); + + bn_mulw(d1, q, &t2h, &t2l); + + for (;;) { + if (t2h < rem || (t2h == rem && t2l <= m[-2])) + break; + q--; + rem += d0; + if (rem < d0) + break; /* don't let rem overflow */ + if (t2l < d1) + t2h--; + t2l -= d1; + } + + return q; +} +#endif /* !HAVE_BN_DIV_3_WORDS */ + +/* + * BN_div_internal computes quotient := numerator / divisor, rounding towards + * zero and setting remainder such that quotient * divisor + remainder equals + * the numerator. Thus: + * + * quotient->neg == numerator->neg ^ divisor->neg (unless result is zero) + * remainder->neg == numerator->neg (unless the remainder is zero) + * + * If either the quotient or remainder is NULL, the respective value is not + * returned. 
*/ static int -BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, - BN_CTX *ctx, int ct) +BN_div_internal(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator, + const BIGNUM *divisor, BN_CTX *ctx, int ct) { - int norm_shift, i, loop; + int norm_shift, i, loop, r_neg; BIGNUM *tmp, wnum, *snum, *sdiv, *res; BN_ULONG *resp, *wnump; BN_ULONG d0, d1; int num_n, div_n; int no_branch = 0; + int ret = 0; - /* Invalid zero-padding would have particularly bad consequences - * in the case of 'num', so don't just rely on bn_check_top() for this one - * (bn_check_top() works only for BN_DEBUG builds) */ - if (num->top > 0 && num->d[num->top - 1] == 0) { + BN_CTX_start(ctx); + + /* Invalid zero-padding would have particularly bad consequences. */ + if (numerator->top > 0 && numerator->d[numerator->top - 1] == 0) { BNerror(BN_R_NOT_INITIALIZED); - return 0; + goto err; } - bn_check_top(num); - if (ct) no_branch = 1; - bn_check_top(dv); - bn_check_top(rm); - /* bn_check_top(num); */ /* 'num' has been checked already */ - bn_check_top(divisor); - if (BN_is_zero(divisor)) { BNerror(BN_R_DIV_BY_ZERO); - return (0); - } - - if (!no_branch && BN_ucmp(num, divisor) < 0) { - if (rm != NULL) { - if (BN_copy(rm, num) == NULL) - return (0); - } - if (dv != NULL) - BN_zero(dv); - return (1); - } - - BN_CTX_start(ctx); - tmp = BN_CTX_get(ctx); - snum = BN_CTX_get(ctx); - sdiv = BN_CTX_get(ctx); - if (dv == NULL) - res = BN_CTX_get(ctx); - else - res = dv; - if (tmp == NULL || snum == NULL || sdiv == NULL || res == NULL) goto err; + } - /* First we normalise the numbers */ - norm_shift = BN_BITS2 - ((BN_num_bits(divisor)) % BN_BITS2); - if (!(BN_lshift(sdiv, divisor, norm_shift))) + if (!no_branch) { + if (BN_ucmp(numerator, divisor) < 0) { + if (remainder != NULL) { + if (!bn_copy(remainder, numerator)) + goto err; + } + if (quotient != NULL) + BN_zero(quotient); + + goto done; + } + } + + if ((tmp = BN_CTX_get(ctx)) == NULL) + goto err; + if ((snum = 
BN_CTX_get(ctx)) == NULL) + goto err; + if ((sdiv = BN_CTX_get(ctx)) == NULL) + goto err; + if ((res = quotient) == NULL) { + if ((res = BN_CTX_get(ctx)) == NULL) + goto err; + } + + /* First we normalise the numbers. */ + norm_shift = BN_BITS2 - BN_num_bits(divisor) % BN_BITS2; + if (!BN_lshift(sdiv, divisor, norm_shift)) goto err; sdiv->neg = 0; norm_shift += BN_BITS2; - if (!(BN_lshift(snum, num, norm_shift))) + if (!BN_lshift(snum, numerator, norm_shift)) goto err; snum->neg = 0; if (no_branch) { - /* Since we don't know whether snum is larger than sdiv, - * we pad snum with enough zeroes without changing its - * value. + /* + * Since we don't know whether snum is larger than sdiv, we pad + * snum with enough zeroes without changing its value. */ if (snum->top <= sdiv->top + 1) { - if (bn_wexpand(snum, sdiv->top + 2) == NULL) + if (!bn_wexpand(snum, sdiv->top + 2)) goto err; for (i = snum->top; i < sdiv->top + 2; i++) snum->d[i] = 0; snum->top = sdiv->top + 2; } else { - if (bn_wexpand(snum, snum->top + 1) == NULL) + if (!bn_wexpand(snum, snum->top + 1)) goto err; snum->d[snum->top] = 0; - snum->top ++; + snum->top++; } } div_n = sdiv->top; num_n = snum->top; loop = num_n - div_n; - /* Lets setup a 'window' into snum - * This is the part that corresponds to the current - * 'area' being divided */ + + /* + * Setup a 'window' into snum - this is the part that corresponds to the + * current 'area' being divided. + */ wnum.neg = 0; wnum.d = &(snum->d[loop]); wnum.top = div_n; @@ -222,10 +338,10 @@ BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor wnump = &(snum->d[num_n - 1]); /* Setup to 'res' */ - res->neg = (num->neg ^ divisor->neg); if (!bn_wexpand(res, (loop + 1))) goto err; res->top = loop - no_branch; + r_neg = numerator->neg ^ divisor->neg; resp = &(res->d[loop - 1]); /* space for temp */ 
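Review bot: The comment above `bn_div_3_words` says the caller must keep `m[-1]` valid, but the body also reads `m[-2]` in the correction loop (`t2l <= m[-2]`), so the stated precondition is one limb short; it should read `the caller is responsible for ensuring that |m[-1]| and |m[-2]| are valid`. The "four limbs" remark in the same comment only makes sense once m[-2] is named. In the same hunk, the fallback `bn_div_words` returns `BN_MASK2` for `d == 0` and checks its input with `assert(...)`, which is compiled out under NDEBUG, so a zero or mis-normalised divisor is silently accepted in release builds; a comment at the `if (d == 0)` check such as `/* Callers must reject a zero divisor first (BN_div_internal does, with BN_R_DIV_BY_ZERO); this is not an error path. */` would make that reliance explicit. BN_div_internal continues past the end of this hunk.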
@@ -234,18 +350,16 @@ BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor if (!no_branch) { if (BN_ucmp(&wnum, sdiv) >= 0) { - /* If BN_DEBUG_RAND is defined BN_ucmp changes (via - * bn_pollute) the const bignum arguments => - * clean the values between top and max again */ - bn_clear_top2max(&wnum); bn_sub_words(wnum.d, wnum.d, sdiv->d, div_n); *resp = 1; } else res->top--; } - /* if res->top == 0 then clear the neg value otherwise decrease - * the resp pointer */ + /* + * If res->top == 0 then clear the neg value otherwise decrease the resp + * pointer. + */ if (res->top == 0) res->neg = 0; else 
@@ -253,151 +367,91 @@ BN_div_internal(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor for (i = 0; i < loop - 1; i++, wnump--, resp--) { BN_ULONG q, l0; - /* the first part of the loop uses the top two words of - * snum and sdiv to calculate a BN_ULONG q such that - * | wnum - sdiv * q | < sdiv */ -#if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM) - BN_ULONG bn_div_3_words(BN_ULONG*, BN_ULONG, BN_ULONG); + + /* + * The first part of the loop uses the top two words of snum and + * sdiv to calculate a BN_ULONG q such that: + * + * | wnum - sdiv * q | < sdiv + */ q = bn_div_3_words(wnump, d1, d0); -#else - BN_ULONG n0, n1, rem = 0; - - n0 = wnump[0]; - n1 = wnump[-1]; - if (n0 == d0) - q = BN_MASK2; - else /* n0 < d0 */ - { -#ifdef BN_LLONG - BN_ULLONG t2; - -#if defined(BN_DIV2W) && !defined(bn_div_words) - q = (BN_ULONG)(((((BN_ULLONG)n0) << BN_BITS2)|n1)/d0); -#else - q = bn_div_words(n0, n1, d0); -#endif - -#ifndef REMAINDER_IS_ALREADY_CALCULATED - /* - * rem doesn't have to be BN_ULLONG. The least we - * know it's less that d0, isn't it? 
- */ - rem = (n1 - q * d0) & BN_MASK2; -#endif - t2 = (BN_ULLONG)d1*q; - - for (;;) { - if (t2 <= ((((BN_ULLONG)rem) << BN_BITS2) | - wnump[-2])) - break; - q--; - rem += d0; - if (rem < d0) break; /* don't let rem overflow */ - t2 -= d1; - } -#else /* !BN_LLONG */ - BN_ULONG t2l, t2h; - - q = bn_div_words(n0, n1, d0); -#ifndef REMAINDER_IS_ALREADY_CALCULATED - rem = (n1 - q*d0)&BN_MASK2; -#endif - -#if defined(BN_UMULT_LOHI) - BN_UMULT_LOHI(t2l, t2h, d1, q); -#elif defined(BN_UMULT_HIGH) - t2l = d1 * q; - t2h = BN_UMULT_HIGH(d1, q); -#else - { - BN_ULONG ql, qh; - t2l = LBITS(d1); - t2h = HBITS(d1); - ql = LBITS(q); - qh = HBITS(q); - mul64(t2l, t2h, ql, qh); /* t2=(BN_ULLONG)d1*q; */ - } -#endif - - for (;;) { - if ((t2h < rem) || - ((t2h == rem) && (t2l <= wnump[-2]))) - break; - q--; - rem += d0; - if (rem < d0) - break; /* don't let rem overflow */ - if (t2l < d1) - t2h--; - t2l -= d1; - } -#endif /* !BN_LLONG */ - } -#endif /* !BN_DIV3W */ - l0 = bn_mul_words(tmp->d, sdiv->d, div_n, q); tmp->d[div_n] = l0; wnum.d--; - /* ingore top values of the bignums just sub the two - * BN_ULONG arrays with bn_sub_words */ + + /* + * Ignore top values of the bignums just sub the two BN_ULONG + * arrays with bn_sub_words. + */ if (bn_sub_words(wnum.d, wnum.d, tmp->d, div_n + 1)) { - /* Note: As we have considered only the leading - * two BN_ULONGs in the calculation of q, sdiv * q - * might be greater than wnum (but then (q-1) * sdiv - * is less or equal than wnum) + /* + * Note: As we have considered only the leading two + * BN_ULONGs in the calculation of q, sdiv * q might be + * greater than wnum (but then (q-1) * sdiv is less or + * equal than wnum). */ q--; - if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n)) - /* we can't have an overflow here (assuming + if (bn_add_words(wnum.d, wnum.d, sdiv->d, div_n)) { + /* + * We can't have an overflow here (assuming * that q != 0, but if q == 0 then tmp is - * zero anyway) */ + * zero anyway). 
+ */ (*wnump)++; + } } /* store part of the result */ *resp = q; } + bn_correct_top(snum); - if (rm != NULL) { - /* Keep a copy of the neg flag in num because if rm==num - * BN_rshift() will overwrite it. + + if (remainder != NULL) { + /* + * Keep a copy of the neg flag in numerator because if + * remainder == numerator, BN_rshift() will overwrite it. */ - int neg = num->neg; - BN_rshift(rm, snum, norm_shift); - if (!BN_is_zero(rm)) - rm->neg = neg; - bn_check_top(rm); + int neg = numerator->neg; + + BN_rshift(remainder, snum, norm_shift); + BN_set_negative(remainder, neg); } + if (no_branch) bn_correct_top(res); + + BN_set_negative(res, r_neg); + + done: + ret = 1; + err: BN_CTX_end(ctx); - return (1); -err: - bn_check_top(rm); - BN_CTX_end(ctx); - return (0); + return ret; } int -BN_div(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, - BN_CTX *ctx) +BN_div(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator, + const BIGNUM *divisor, BN_CTX *ctx) { - int ct = ((BN_get_flags(num, BN_FLG_CONSTTIME) != 0) || - (BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0)); + int ct; - return BN_div_internal(dv, rm, num, divisor, ctx, ct); + ct = BN_get_flags(numerator, BN_FLG_CONSTTIME) != 0 || + BN_get_flags(divisor, BN_FLG_CONSTTIME) != 0; + + return BN_div_internal(quotient, remainder, numerator, divisor, ctx, ct); } int -BN_div_nonct(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, - BN_CTX *ctx) +BN_div_nonct(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator, + const BIGNUM *divisor, BN_CTX *ctx) { - return BN_div_internal(dv, rm, num, divisor, ctx, 0); + return BN_div_internal(quotient, remainder, numerator, divisor, ctx, 0); } int -BN_div_ct(BIGNUM *dv, BIGNUM *rm, const BIGNUM *num, const BIGNUM *divisor, - BN_CTX *ctx) +BN_div_ct(BIGNUM *quotient, BIGNUM *remainder, const BIGNUM *numerator, + const BIGNUM *divisor, BN_CTX *ctx) { - return BN_div_internal(dv, rm, num, divisor, ctx, 1); + return BN_div_internal(quotient, 
remainder, numerator, divisor, ctx, 1); } diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c index a693a8c..592c509 100644 --- a/crypto/bn/bn_err.c +++ b/crypto/bn/bn_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_err.c,v 1.14 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bn_err.c,v 1.15 2022/07/12 14:42:48 kn Exp $ */ /* ==================================================================== * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * @@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_BN,func,0) diff --git a/crypto/bn/bn_exp.c b/crypto/bn/bn_exp.c index b778d5d..9e5d1fd 100644 --- a/crypto/bn/bn_exp.c +++ b/crypto/bn/bn_exp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_exp.c,v 1.31 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: bn_exp.c,v 1.46 2023/05/09 05:38:11 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
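Review bot: The return value of `BN_rshift(remainder, snum, norm_shift);` is still ignored in the rewritten remainder block, so a failure inside it leaves `remainder` stale while BN_div_internal falls through to `done:` and reports success. Now that the function has a single error exit the check is one line: `if (!BN_rshift(remainder, snum, norm_shift)) goto err;`. Separately, dropping the `#if defined(BN_DIV3W) && !defined(OPENSSL_NO_ASM)` fallback makes `q = bn_div_3_words(wnump, d1, d0);` unconditional, which assumes a portable implementation of that function is available on every target the library builds for; its declaration is not in this diff, so that is worth confirming. The body of BN_div_internal starts outside this hunk.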
@@ -114,152 +114,76 @@ #include -#include "bn_lcl.h" -#include "constant_time_locl.h" +#include "bn_local.h" +#include "constant_time.h" /* maximum precomputation table size for *variable* sliding windows */ #define TABLE_SIZE 32 -/* this one works - simple but works */ +/* Calculates r = a^p by successive squaring of a. Not constant time. */ int BN_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) { - int i, bits, ret = 0; - BIGNUM *v, *rr; + BIGNUM *rr, *v; + int i; + int ret = 0; if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { - /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */ BNerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return -1; } BN_CTX_start(ctx); - if ((r == a) || (r == p)) + + if ((v = BN_CTX_get(ctx)) == NULL) + goto err; + + rr = r; + if (r == a || r == p) rr = BN_CTX_get(ctx); - else - rr = r; - v = BN_CTX_get(ctx); - if (rr == NULL || v == NULL) + if (rr == NULL) goto err; - if (BN_copy(v, a) == NULL) + if (!BN_one(rr)) goto err; - bits = BN_num_bits(p); - if (BN_is_odd(p)) { - if (BN_copy(rr, a) == NULL) - goto err; - } else { - if (!BN_one(rr)) + if (!bn_copy(rr, a)) goto err; } - for (i = 1; i < bits; i++) { + if (!bn_copy(v, a)) + goto err; + + for (i = 1; i < BN_num_bits(p); i++) { if (!BN_sqr(v, v, ctx)) goto err; - if (BN_is_bit_set(p, i)) { - if (!BN_mul(rr, rr, v, ctx)) - goto err; - } + if (!BN_is_bit_set(p, i)) + continue; + if (!BN_mul(rr, rr, v, ctx)) + goto err; } + + if (!bn_copy(r, rr)) + goto err; + ret = 1; -err: - if (r != rr && rr != NULL) - BN_copy(r, rr); + err: BN_CTX_end(ctx); - bn_check_top(r); - return (ret); -} - -static int -BN_mod_exp_internal(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, int ct) -{ - int ret; - - bn_check_top(a); - bn_check_top(p); - bn_check_top(m); - - /* For even modulus m = 2^k*m_odd, it might make sense to compute - * a^p mod m_odd and a^p mod 2^k separately (with Montgomery - * exponentiation for the odd part), using appropriate exponent - * 
reductions, and combine the results using the CRT. - * - * For now, we use Montgomery only if the modulus is odd; otherwise, - * exponentiation using the reciprocal-based quick remaindering - * algorithm is used. - * - * (Timing obtained with expspeed.c [computations a^p mod m - * where a, p, m are of the same length: 256, 512, 1024, 2048, - * 4096, 8192 bits], compared to the running time of the - * standard algorithm: - * - * BN_mod_exp_mont 33 .. 40 % [AMD K6-2, Linux, debug configuration] - * 55 .. 77 % [UltraSparc processor, but - * debug-solaris-sparcv8-gcc conf.] - * - * BN_mod_exp_recp 50 .. 70 % [AMD K6-2, Linux, debug configuration] - * 62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc] - * - * On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont - * at 2048 and more bits, but at 512 and 1024 bits, it was - * slower even than the standard algorithm! - * - * "Real" timings [linux-elf, solaris-sparcv9-gcc configurations] - * should be obtained when the new Montgomery reduction code - * has been integrated into OpenSSL.) 
- */ - - if (BN_is_odd(m)) { - if (a->top == 1 && !a->neg && !ct) { - BN_ULONG A = a->d[0]; - ret = BN_mod_exp_mont_word(r, A,p, m,ctx, NULL); - } else - ret = BN_mod_exp_mont_ct(r, a,p, m,ctx, NULL); - } else { - ret = BN_mod_exp_recp(r, a,p, m, ctx); - } - - bn_check_top(r); - return (ret); + + return ret; } +/* The old fallback, simple version :-) */ int -BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx) -{ - return BN_mod_exp_internal(r, a, p, m, ctx, - (BN_get_flags(p, BN_FLG_CONSTTIME) != 0)); -} - -int -BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx) -{ - return BN_mod_exp_internal(r, a, p, m, ctx, 1); -} - - -int -BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx) -{ - return BN_mod_exp_internal(r, a, p, m, ctx, 0); -} - - -int -BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, +BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx) { int i, j, bits, ret = 0, wstart, wend, window, wvalue; int start = 1; - BIGNUM *aa; + BIGNUM *d; /* Table of variables obtained from 'ctx' */ BIGNUM *val[TABLE_SIZE]; - BN_RECP_CTX recp; if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */ @@ -270,7 +194,7 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, bits = BN_num_bits(p); if (bits == 0) { /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(r); } else 
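Review bot: In the rewritten BN_exp the loop header `for (i = 1; i < BN_num_bits(p); i++)` re-evaluates the bit length on every iteration, whereas the old code hoisted it into `bits`; `p` is const and, even when `r == p`, is not written until the final `bn_copy(r, rr)`, so hoisting is safe and `bits = BN_num_bits(p);` before the loop with `i < bits` in the condition matches how the other exponentiation routines in this file are written. The removed `/* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */` comment was the only place explaining why the flag is rejected with ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED; the new header comment says the function is not constant time, but a one-liner at the check itself, e.g. `/* Not constant time: callers that set BN_FLG_CONSTTIME must use the mont path. */`, keeps the reason next to the error. The BN_mod_exp_simple definition at the end of the hunk continues outside it.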
@@ -279,25 +203,12 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, } BN_CTX_start(ctx); - if ((aa = BN_CTX_get(ctx)) == NULL) + if ((d = BN_CTX_get(ctx)) == NULL) goto err; if ((val[0] = BN_CTX_get(ctx)) == NULL) goto err; - BN_RECP_CTX_init(&recp); - if (m->neg) { - /* ignore sign of 'm' */ - if (!BN_copy(aa, m)) - goto err; - aa->neg = 0; - if (BN_RECP_CTX_set(&recp, aa, ctx) <= 0) - goto err; - } else { - if (BN_RECP_CTX_set(&recp, m, ctx) <= 0) - goto err; - } - - if (!BN_nnmod(val[0], a, m, ctx)) + if (!BN_nnmod(val[0],a,m,ctx)) goto err; /* 1 */ if (BN_is_zero(val[0])) { BN_zero(r); @@ -307,13 +218,12 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, window = BN_window_bits_for_exponent_size(bits); if (window > 1) { - if (!BN_mod_mul_reciprocal(aa, val[0], val[0], &recp, ctx)) + if (!BN_mod_mul(d, val[0], val[0], m, ctx)) goto err; /* 2 */ j = 1 << (window - 1); for (i = 1; i < j; i++) { if (((val[i] = BN_CTX_get(ctx)) == NULL) || - !BN_mod_mul_reciprocal(val[i], val[i - 1], - aa, &recp, ctx)) + !BN_mod_mul(val[i], val[i - 1], d,m, ctx)) goto err; } } @@ -331,7 +241,7 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, for (;;) { if (BN_is_bit_set(p, wstart) == 0) { if (!start) - if (!BN_mod_mul_reciprocal(r, r,r, &recp, ctx)) + if (!BN_mod_mul(r, r, r, m, ctx)) goto err; if (wstart == 0) break; @@ -360,12 +270,12 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, /* add the 'bytes above' */ if (!start) for (i = 0; i < j; i++) { - if (!BN_mod_mul_reciprocal(r, r,r, &recp, ctx)) + if (!BN_mod_mul(r, r, r, m, ctx)) goto err; } /* wvalue will be an odd number < 2^window */ - if (!BN_mod_mul_reciprocal(r, r,val[wvalue >> 1], &recp, ctx)) + if (!BN_mod_mul(r, r, val[wvalue >> 1], m, ctx)) goto err; /* move the 'window' down further */ 
@@ -379,185 +289,9 @@ BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, err: BN_CTX_end(ctx); - BN_RECP_CTX_free(&recp); - bn_check_top(r); return (ret); } -static int -BN_mod_exp_mont_internal(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *in_mont, int ct) -{ - int i, j, bits, ret = 0, wstart, wend, window, wvalue; - int start = 1; - BIGNUM *d, *r; - const BIGNUM *aa; - /* Table of variables obtained from 'ctx' */ - BIGNUM *val[TABLE_SIZE]; - BN_MONT_CTX *mont = NULL; - - if (ct) { - return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont); - } - - bn_check_top(a); - bn_check_top(p); - bn_check_top(m); - - if (!BN_is_odd(m)) { - BNerror(BN_R_CALLED_WITH_EVEN_MODULUS); - return (0); - } - - bits = BN_num_bits(p); - if (bits == 0) { - /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { - ret = 1; - BN_zero(rr); - } else - ret = BN_one(rr); - return ret; - } - - BN_CTX_start(ctx); - if ((d = BN_CTX_get(ctx)) == NULL) - goto err; - if ((r = BN_CTX_get(ctx)) == NULL) - goto err; - if ((val[0] = BN_CTX_get(ctx)) == NULL) - goto err; - - /* If this is not done, things will break in the montgomery - * part */ - - if (in_mont != NULL) - mont = in_mont; - else { - if ((mont = BN_MONT_CTX_new()) == NULL) - goto err; - if (!BN_MONT_CTX_set(mont, m, ctx)) - goto err; - } - - if (a->neg || BN_ucmp(a, m) >= 0) { - if (!BN_nnmod(val[0], a,m, ctx)) - goto err; - aa = val[0]; - } else - aa = a; - if (BN_is_zero(aa)) { - BN_zero(rr); - ret = 1; - goto err; - } - if (!BN_to_montgomery(val[0], aa, mont, ctx)) - goto err; /* 1 */ - - window = BN_window_bits_for_exponent_size(bits); - if (window > 1) { - if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) - goto err; /* 2 */ - j = 1 << (window - 1); - for (i = 1; i < j; i++) { - if (((val[i] = BN_CTX_get(ctx)) == NULL) || - !BN_mod_mul_montgomery(val[i], val[i - 1], - d, mont, ctx)) - goto err; - } - } - - start = 1; /* This is used to avoid 
multiplication etc - * when there is only the value '1' in the - * buffer. */ - wvalue = 0; /* The 'value' of the window */ - wstart = bits - 1; /* The top bit of the window */ - wend = 0; /* The bottom bit of the window */ - - if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) - goto err; - for (;;) { - if (BN_is_bit_set(p, wstart) == 0) { - if (!start) { - if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) - goto err; - } - if (wstart == 0) - break; - wstart--; - continue; - } - /* We now have wstart on a 'set' bit, we now need to work out - * how bit a window to do. To do this we need to scan - * forward until the last set bit before the end of the - * window */ - j = wstart; - wvalue = 1; - wend = 0; - for (i = 1; i < window; i++) { - if (wstart - i < 0) - break; - if (BN_is_bit_set(p, wstart - i)) { - wvalue <<= (i - wend); - wvalue |= 1; - wend = i; - } - } - - /* wend is the size of the current window */ - j = wend + 1; - /* add the 'bytes above' */ - if (!start) - for (i = 0; i < j; i++) { - if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) - goto err; - } - - /* wvalue will be an odd number < 2^window */ - if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx)) - goto err; - - /* move the 'window' down further */ - wstart -= wend + 1; - wvalue = 0; - start = 0; - if (wstart < 0) - break; - } - if (!BN_from_montgomery(rr, r,mont, ctx)) - goto err; - ret = 1; - -err: - if ((in_mont == NULL) && (mont != NULL)) - BN_MONT_CTX_free(mont); - BN_CTX_end(ctx); - bn_check_top(rr); - return (ret); -} - -int -BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *in_mont) -{ - return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, - (BN_get_flags(p, BN_FLG_CONSTTIME) != 0)); -} - -int -BN_mod_exp_mont_ct(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *in_mont) -{ - return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, 1); -} - -int -BN_mod_exp_mont_nonct(BIGNUM 
*rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, - BN_CTX *ctx, BN_MONT_CTX *in_mont) -{ - return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, 0); -} - /* BN_mod_exp_mont_consttime() stores the precomputed powers in a specific layout * so that accessing any of these table values shows the same access pattern as far * as cache lines are concerned. The following functions are used to transfer a BIGNUM @@ -589,7 +323,7 @@ MOD_EXP_CTIME_COPY_FROM_PREBUF(BIGNUM *b, int top, unsigned char *buf, int idx, int width = 1 << window; volatile BN_ULONG *table = (volatile BN_ULONG *)buf; - if (bn_wexpand(b, top) == NULL) + if (!bn_wexpand(b, top)) return 0; if (window <= 3) { @@ -657,9 +391,6 @@ BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, unsigned char *powerbuf = NULL; BIGNUM tmp, am; - bn_check_top(a); - bn_check_top(p); - bn_check_top(m); if (!BN_is_odd(m)) { BNerror(BN_R_CALLED_WITH_EVEN_MODULUS); @@ -671,7 +402,7 @@ BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, bits = BN_num_bits(p); if (bits == 0) { /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(rr); } else @@ -681,9 +412,10 @@ BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, BN_CTX_start(ctx); - /* Allocate a montgomery context if it was not supplied by the caller. + /* + * Allocate a Montgomery context if it was not supplied by the caller. * If this is not done, things will break in the montgomery part. - */ + */ if (in_mont != NULL) mont = in_mont; else { 
@@ -731,12 +463,9 @@ BN_mod_exp_mont_consttime(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, #endif /* prepare a^1 in Montgomery domain */ - if (a->neg || BN_ucmp(a, m) >= 0) { - if (!BN_mod_ct(&am, a,m, ctx)) - goto err; - if (!BN_to_montgomery(&am, &am, mont, ctx)) - goto err; - } else if (!BN_to_montgomery(&am, a,mont, ctx)) + if (!BN_nnmod(&am, a, m, ctx)) + goto err; + if (!BN_to_montgomery(&am, &am, mont, ctx)) goto err; #if defined(OPENSSL_BN_ASM_MONT5) 
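Review bot: The base reduction in BN_mod_exp_mont_consttime now goes through `BN_nnmod(&am, a, m, ctx)` unconditionally, where the removed code used `BN_mod_ct` whenever `a->neg || BN_ucmp(a, m) >= 0`; unless BN_nnmod's underlying division honours BN_FLG_CONSTTIME (not visible in this diff), this puts a division whose timing depends on `a` back onto the constant-time path. That is acceptable if the base is always public at this call site, but the function's contract is the constant-time one, so either use the `_ct` variant here or state the assumption in a comment, e.g. `/* Base reduction is not constant time; only the exponent p is treated as secret. */`. The function's body starts and ends outside this hunk.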
@@ -904,6 +633,173 @@ err: return (ret); } +static int +BN_mod_exp_mont_internal(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *in_mont, int ct) +{ + int i, j, bits, ret = 0, wstart, wend, window, wvalue; + int start = 1; + BIGNUM *d, *r; + const BIGNUM *aa; + /* Table of variables obtained from 'ctx' */ + BIGNUM *val[TABLE_SIZE]; + BN_MONT_CTX *mont = NULL; + + if (ct) { + return BN_mod_exp_mont_consttime(rr, a, p, m, ctx, in_mont); + } + + + if (!BN_is_odd(m)) { + BNerror(BN_R_CALLED_WITH_EVEN_MODULUS); + return (0); + } + + bits = BN_num_bits(p); + if (bits == 0) { + /* x**0 mod 1 is still zero. */ + if (BN_abs_is_word(m, 1)) { + ret = 1; + BN_zero(rr); + } else + ret = BN_one(rr); + return ret; + } + + BN_CTX_start(ctx); + if ((d = BN_CTX_get(ctx)) == NULL) + goto err; + if ((r = BN_CTX_get(ctx)) == NULL) + goto err; + if ((val[0] = BN_CTX_get(ctx)) == NULL) + goto err; + + /* If this is not done, things will break in the montgomery + * part */ + + if (in_mont != NULL) + mont = in_mont; + else { + if ((mont = BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(mont, m, ctx)) + goto err; + } + + if (!BN_nnmod(val[0], a,m, ctx)) + goto err; + aa = val[0]; + if (BN_is_zero(aa)) { + BN_zero(rr); + ret = 1; + goto err; + } + if (!BN_to_montgomery(val[0], aa, mont, ctx)) + goto err; /* 1 */ + + window = BN_window_bits_for_exponent_size(bits); + if (window > 1) { + if (!BN_mod_mul_montgomery(d, val[0], val[0], mont, ctx)) + goto err; /* 2 */ + j = 1 << (window - 1); + for (i = 1; i < j; i++) { + if (((val[i] = BN_CTX_get(ctx)) == NULL) || + !BN_mod_mul_montgomery(val[i], val[i - 1], + d, mont, ctx)) + goto err; + } + } + + start = 1; /* This is used to avoid multiplication etc + * when there is only the value '1' in the + * buffer. 
*/ + wvalue = 0; /* The 'value' of the window */ + wstart = bits - 1; /* The top bit of the window */ + wend = 0; /* The bottom bit of the window */ + + if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) + goto err; + for (;;) { + if (BN_is_bit_set(p, wstart) == 0) { + if (!start) { + if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) + goto err; + } + if (wstart == 0) + break; + wstart--; + continue; + } + /* We now have wstart on a 'set' bit, we now need to work out + * how bit a window to do. To do this we need to scan + * forward until the last set bit before the end of the + * window */ + j = wstart; + wvalue = 1; + wend = 0; + for (i = 1; i < window; i++) { + if (wstart - i < 0) + break; + if (BN_is_bit_set(p, wstart - i)) { + wvalue <<= (i - wend); + wvalue |= 1; + wend = i; + } + } + + /* wend is the size of the current window */ + j = wend + 1; + /* add the 'bytes above' */ + if (!start) + for (i = 0; i < j; i++) { + if (!BN_mod_mul_montgomery(r, r, r, mont, ctx)) + goto err; + } + + /* wvalue will be an odd number < 2^window */ + if (!BN_mod_mul_montgomery(r, r, val[wvalue >> 1], mont, ctx)) + goto err; + + /* move the 'window' down further */ + wstart -= wend + 1; + wvalue = 0; + start = 0; + if (wstart < 0) + break; + } + if (!BN_from_montgomery(rr, r,mont, ctx)) + goto err; + ret = 1; + +err: + if ((in_mont == NULL) && (mont != NULL)) + BN_MONT_CTX_free(mont); + BN_CTX_end(ctx); + return (ret); +} + +int +BN_mod_exp_mont(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *in_mont) +{ + return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, + (BN_get_flags(p, BN_FLG_CONSTTIME) != 0)); +} + +int +BN_mod_exp_mont_ct(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *in_mont) +{ + return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, 1); +} + +int +BN_mod_exp_mont_nonct(BIGNUM *rr, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, BN_MONT_CTX *in_mont) +{ 
+ return BN_mod_exp_mont_internal(rr, a, p, m, ctx, in_mont, 0); +} + int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *in_mont) @@ -921,7 +817,7 @@ BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, const BIGNUM *m, (BN_mod_ct(t, r, m, ctx) && (swap_tmp = r, r = t, t = swap_tmp, 1)))) /* BN_MOD_MUL_WORD is only used with 'w' large, * so the BN_ucmp test is probably more overhead - * than always using BN_mod (which uses BN_copy if + * than always using BN_mod (which uses bn_copy if * a similar test returns true). */ /* We can use BN_mod and do not need BN_nnmod because our * accumulator is never negative (the result of BN_mod does @@ -936,8 +832,6 @@ BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, const BIGNUM *m, return -1; } - bn_check_top(p); - bn_check_top(m); if (!BN_is_odd(m)) { BNerror(BN_R_CALLED_WITH_EVEN_MODULUS); @@ -949,7 +843,7 @@ BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p, const BIGNUM *m, bits = BN_num_bits(p); if (bits == 0) { /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(rr); } else @@ -1051,21 +945,19 @@ err: if ((in_mont == NULL) && (mont != NULL)) BN_MONT_CTX_free(mont); BN_CTX_end(ctx); - bn_check_top(rr); return (ret); } - -/* The old fallback, simple version :-) */ int -BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, +BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx) { int i, j, bits, ret = 0, wstart, wend, window, wvalue; int start = 1; - BIGNUM *d; + BIGNUM *aa; /* Table of variables obtained from 'ctx' */ BIGNUM *val[TABLE_SIZE]; + BN_RECP_CTX recp; if (BN_get_flags(p, BN_FLG_CONSTTIME) != 0) { /* BN_FLG_CONSTTIME only supported by BN_mod_exp_mont() */ 
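Review bot: In the re-added BN_mod_exp_mont_internal the pointer `aa` is now always `val[0]` — the old branch that kept `aa = a` when no reduction was needed is gone — so `const BIGNUM *aa;` and `aa = val[0];` are dead indirection; use `val[0]` directly in `BN_is_zero(val[0])` and `BN_to_montgomery(val[0], val[0], mont, ctx)` and drop the variable. There is also a run of two empty lines between the `if (ct)` block and the `if (!BN_is_odd(m))` check, apparently where removed checks used to sit, which should collapse to one. The comment `/* If this is not done, things will break in the montgomery part */` is separated from the `if (in_mont != NULL)` it describes by a blank line; attach it directly to that code.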
@@ -1076,7 +968,7 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, bits = BN_num_bits(p); if (bits == 0) { /* x**0 mod 1 is still zero. */ - if (BN_is_one(m)) { + if (BN_abs_is_word(m, 1)) { ret = 1; BN_zero(r); } else @@ -1084,13 +976,27 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, return ret; } + BN_RECP_CTX_init(&recp); + BN_CTX_start(ctx); - if ((d = BN_CTX_get(ctx)) == NULL) + if ((aa = BN_CTX_get(ctx)) == NULL) goto err; if ((val[0] = BN_CTX_get(ctx)) == NULL) goto err; - if (!BN_nnmod(val[0],a,m,ctx)) + if (m->neg) { + /* ignore sign of 'm' */ + if (!bn_copy(aa, m)) + goto err; + aa->neg = 0; + if (BN_RECP_CTX_set(&recp, aa, ctx) <= 0) + goto err; + } else { + if (BN_RECP_CTX_set(&recp, m, ctx) <= 0) + goto err; + } + + if (!BN_nnmod(val[0], a, m, ctx)) goto err; /* 1 */ if (BN_is_zero(val[0])) { BN_zero(r); @@ -1100,12 +1006,13 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, window = BN_window_bits_for_exponent_size(bits); if (window > 1) { - if (!BN_mod_mul(d, val[0], val[0], m, ctx)) + if (!BN_mod_mul_reciprocal(aa, val[0], val[0], &recp, ctx)) goto err; /* 2 */ j = 1 << (window - 1); for (i = 1; i < j; i++) { if (((val[i] = BN_CTX_get(ctx)) == NULL) || - !BN_mod_mul(val[i], val[i - 1], d,m, ctx)) + !BN_mod_mul_reciprocal(val[i], val[i - 1], + aa, &recp, ctx)) goto err; } } @@ -1123,7 +1030,7 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, for (;;) { if (BN_is_bit_set(p, wstart) == 0) { if (!start) - if (!BN_mod_mul(r, r, r, m, ctx)) + if (!BN_mod_mul_reciprocal(r, r,r, &recp, ctx)) goto err; if (wstart == 0) break; 
@@ -1152,12 +1059,12 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, /* add the 'bytes above' */ if (!start) for (i = 0; i < j; i++) { - if (!BN_mod_mul(r, r, r, m, ctx)) + if (!BN_mod_mul_reciprocal(r, r,r, &recp, ctx)) goto err; } /* wvalue will be an odd number < 2^window */ - if (!BN_mod_mul(r, r, val[wvalue >> 1], m, ctx)) + if (!BN_mod_mul_reciprocal(r, r,val[wvalue >> 1], &recp, ctx)) goto err; /* move the 'window' down further */ 
@@ -1171,6 +1078,256 @@ BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, err: BN_CTX_end(ctx); - bn_check_top(r); + BN_RECP_CTX_free(&recp); + return (ret); +} + +static int +BN_mod_exp_internal(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx, int ct) +{ + int ret; + + + /* For even modulus m = 2^k*m_odd, it might make sense to compute + * a^p mod m_odd and a^p mod 2^k separately (with Montgomery + * exponentiation for the odd part), using appropriate exponent + * reductions, and combine the results using the CRT. + * + * For now, we use Montgomery only if the modulus is odd; otherwise, + * exponentiation using the reciprocal-based quick remaindering + * algorithm is used. + * + * (Timing obtained with expspeed.c [computations a^p mod m + * where a, p, m are of the same length: 256, 512, 1024, 2048, + * 4096, 8192 bits], compared to the running time of the + * standard algorithm: + * + * BN_mod_exp_mont 33 .. 40 % [AMD K6-2, Linux, debug configuration] + * 55 .. 77 % [UltraSparc processor, but + * debug-solaris-sparcv8-gcc conf.] + * + * BN_mod_exp_recp 50 .. 70 % [AMD K6-2, Linux, debug configuration] + * 62 .. 118 % [UltraSparc, debug-solaris-sparcv8-gcc] + * + * On the Sparc, BN_mod_exp_recp was faster than BN_mod_exp_mont + * at 2048 and more bits, but at 512 and 1024 bits, it was + * slower even than the standard algorithm! + * + * "Real" timings [linux-elf, solaris-sparcv9-gcc configurations] + * should be obtained when the new Montgomery reduction code + * has been integrated into OpenSSL.) 
+ */ + + if (BN_is_odd(m)) { + if (a->top == 1 && !a->neg && !ct) { + BN_ULONG A = a->d[0]; + ret = BN_mod_exp_mont_word(r, A,p, m,ctx, NULL); + } else + ret = BN_mod_exp_mont_ct(r, a,p, m,ctx, NULL); + } else { + ret = BN_mod_exp_recp(r, a,p, m, ctx); + } + + return (ret); +} + +int +BN_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx) +{ + return BN_mod_exp_internal(r, a, p, m, ctx, + (BN_get_flags(p, BN_FLG_CONSTTIME) != 0)); +} + +int +BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx) +{ + return BN_mod_exp_internal(r, a, p, m, ctx, 1); +} + +int +BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, + BN_CTX *ctx) +{ + return BN_mod_exp_internal(r, a, p, m, ctx, 0); +} + +int +BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1, + const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *in_mont) +{ + int i, j, bits, b, bits1, bits2, ret = 0, wpos1, wpos2, window1, window2, wvalue1, wvalue2; + int r_is_one = 1; + BIGNUM *d, *r; + const BIGNUM *a_mod_m; + /* Tables of variables obtained from 'ctx' */ + BIGNUM *val1[TABLE_SIZE], *val2[TABLE_SIZE]; + BN_MONT_CTX *mont = NULL; + + + if (!BN_is_odd(m)) { + BNerror(BN_R_CALLED_WITH_EVEN_MODULUS); + return (0); + } + bits1 = BN_num_bits(p1); + bits2 = BN_num_bits(p2); + if ((bits1 == 0) && (bits2 == 0)) { + ret = BN_one(rr); + return ret; + } + + bits = (bits1 > bits2) ? 
bits1 : bits2; + + BN_CTX_start(ctx); + if ((d = BN_CTX_get(ctx)) == NULL) + goto err; + if ((r = BN_CTX_get(ctx)) == NULL) + goto err; + if ((val1[0] = BN_CTX_get(ctx)) == NULL) + goto err; + if ((val2[0] = BN_CTX_get(ctx)) == NULL) + goto err; + + if (in_mont != NULL) + mont = in_mont; + else { + if ((mont = BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(mont, m, ctx)) + goto err; + } + + window1 = BN_window_bits_for_exponent_size(bits1); + window2 = BN_window_bits_for_exponent_size(bits2); + + /* + * Build table for a1: val1[i] := a1^(2*i + 1) mod m for i = 0 .. 2^(window1-1) + */ + if (!BN_nnmod(val1[0], a1, m, ctx)) + goto err; + a_mod_m = val1[0]; + if (BN_is_zero(a_mod_m)) { + BN_zero(rr); + ret = 1; + goto err; + } + + if (!BN_to_montgomery(val1[0], a_mod_m, mont, ctx)) + goto err; + if (window1 > 1) { + if (!BN_mod_mul_montgomery(d, val1[0], val1[0], mont, ctx)) + goto err; + + j = 1 << (window1 - 1); + for (i = 1; i < j; i++) { + if (((val1[i] = BN_CTX_get(ctx)) == NULL) || + !BN_mod_mul_montgomery(val1[i], val1[i - 1], + d, mont, ctx)) + goto err; + } + } + + + /* + * Build table for a2: val2[i] := a2^(2*i + 1) mod m for i = 0 .. 2^(window2-1) + */ + if (!BN_nnmod(val2[0], a2, m, ctx)) + goto err; + a_mod_m = val2[0]; + if (BN_is_zero(a_mod_m)) { + BN_zero(rr); + ret = 1; + goto err; + } + if (!BN_to_montgomery(val2[0], a_mod_m, mont, ctx)) + goto err; + if (window2 > 1) { + if (!BN_mod_mul_montgomery(d, val2[0], val2[0], mont, ctx)) + goto err; + + j = 1 << (window2 - 1); + for (i = 1; i < j; i++) { + if (((val2[i] = BN_CTX_get(ctx)) == NULL) || + !BN_mod_mul_montgomery(val2[i], val2[i - 1], + d, mont, ctx)) + goto err; + } + } + + + /* Now compute the power product, using independent windows. 
*/ + r_is_one = 1; + wvalue1 = 0; /* The 'value' of the first window */ + wvalue2 = 0; /* The 'value' of the second window */ + wpos1 = 0; /* If wvalue1 > 0, the bottom bit of the first window */ + wpos2 = 0; /* If wvalue2 > 0, the bottom bit of the second window */ + + if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) + goto err; + for (b = bits - 1; b >= 0; b--) { + if (!r_is_one) { + if (!BN_mod_mul_montgomery(r, r,r, mont, ctx)) + goto err; + } + + if (!wvalue1) + if (BN_is_bit_set(p1, b)) { + /* consider bits b-window1+1 .. b for this window */ + i = b - window1 + 1; + while (!BN_is_bit_set(p1, i)) /* works for i<0 */ + i++; + wpos1 = i; + wvalue1 = 1; + for (i = b - 1; i >= wpos1; i--) { + wvalue1 <<= 1; + if (BN_is_bit_set(p1, i)) + wvalue1++; + } + } + + if (!wvalue2) + if (BN_is_bit_set(p2, b)) { + /* consider bits b-window2+1 .. b for this window */ + i = b - window2 + 1; + while (!BN_is_bit_set(p2, i)) + i++; + wpos2 = i; + wvalue2 = 1; + for (i = b - 1; i >= wpos2; i--) { + wvalue2 <<= 1; + if (BN_is_bit_set(p2, i)) + wvalue2++; + } + } + + if (wvalue1 && b == wpos1) { + /* wvalue1 is odd and < 2^window1 */ + if (!BN_mod_mul_montgomery(r, r, val1[wvalue1 >> 1], + mont, ctx)) + goto err; + wvalue1 = 0; + r_is_one = 0; + } + + if (wvalue2 && b == wpos2) { + /* wvalue2 is odd and < 2^window2 */ + if (!BN_mod_mul_montgomery(r, r, val2[wvalue2 >> 1], + mont, ctx)) + goto err; + wvalue2 = 0; + r_is_one = 0; + } + } + if (!BN_from_montgomery(rr, r,mont, ctx)) + goto err; + ret = 1; + +err: + if ((in_mont == NULL) && (mont != NULL)) + BN_MONT_CTX_free(mont); + BN_CTX_end(ctx); return (ret); } diff --git a/crypto/bn/bn_exp2.c b/crypto/bn/bn_exp2.c deleted file mode 100644 index c63503f..0000000 --- a/crypto/bn/bn_exp2.c +++ /dev/null 
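Review bot: BN_mod_exp2_mont, now moved into this file, handles the all-zero-exponent case with `ret = BN_one(rr); return ret;` without looking at the modulus, while every other exponentiation in this diff was changed to return 0 via `BN_abs_is_word(m, 1)` when the modulus is ±1; so a1^0 * a2^0 mod 1 yields 1 here but 0 from BN_mod_exp_mont, an inconsistency the commit introduces by updating one and not the other. Mirroring the sibling pattern is one line before the `BN_one(rr)`: `if (BN_abs_is_word(m, 1)) { BN_zero(rr); return 1; }`. The moved BN_mod_exp_internal and BN_mod_exp2_mont also carry a double empty line after their declarations, presumably where removed sanity checks used to be, which should collapse to one. The tail of BN_mod_exp_recp at the top of this hunk begins outside it.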
@@ -1,308 +0,0 @@ -/* $OpenBSD: bn_exp2.c,v 1.13 2022/02/07 19:49:56 tb Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). 
- * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. 
All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). 
- * - */ - -#include - -#include - -#include "bn_lcl.h" - -#define TABLE_SIZE 32 - -int -BN_mod_exp2_mont(BIGNUM *rr, const BIGNUM *a1, const BIGNUM *p1, - const BIGNUM *a2, const BIGNUM *p2, const BIGNUM *m, BN_CTX *ctx, - BN_MONT_CTX *in_mont) -{ - int i, j, bits, b, bits1, bits2, ret = 0, wpos1, wpos2, window1, window2, wvalue1, wvalue2; - int r_is_one = 1; - BIGNUM *d, *r; - const BIGNUM *a_mod_m; - /* Tables of variables obtained from 'ctx' */ - BIGNUM *val1[TABLE_SIZE], *val2[TABLE_SIZE]; - BN_MONT_CTX *mont = NULL; - - bn_check_top(a1); - bn_check_top(p1); - bn_check_top(a2); - bn_check_top(p2); - bn_check_top(m); - - if (!BN_is_odd(m)) { - BNerror(BN_R_CALLED_WITH_EVEN_MODULUS); - return (0); - } - bits1 = BN_num_bits(p1); - bits2 = BN_num_bits(p2); - if ((bits1 == 0) && (bits2 == 0)) { - ret = BN_one(rr); - return ret; - } - - bits = (bits1 > bits2) ? bits1 : bits2; - - BN_CTX_start(ctx); - if ((d = BN_CTX_get(ctx)) == NULL) - goto err; - if ((r = BN_CTX_get(ctx)) == NULL) - goto err; - if ((val1[0] = BN_CTX_get(ctx)) == NULL) - goto err; - if ((val2[0] = BN_CTX_get(ctx)) == NULL) - goto err; - - if (in_mont != NULL) - mont = in_mont; - else { - if ((mont = BN_MONT_CTX_new()) == NULL) - goto err; - if (!BN_MONT_CTX_set(mont, m, ctx)) - goto err; - } - - window1 = BN_window_bits_for_exponent_size(bits1); - window2 = BN_window_bits_for_exponent_size(bits2); - - /* - * Build table for a1: val1[i] := a1^(2*i + 1) mod m for i = 0 .. 
2^(window1-1) - */ - if (a1->neg || BN_ucmp(a1, m) >= 0) { - if (!BN_mod_ct(val1[0], a1, m, ctx)) - goto err; - a_mod_m = val1[0]; - } else - a_mod_m = a1; - if (BN_is_zero(a_mod_m)) { - BN_zero(rr); - ret = 1; - goto err; - } - - if (!BN_to_montgomery(val1[0], a_mod_m, mont, ctx)) - goto err; - if (window1 > 1) { - if (!BN_mod_mul_montgomery(d, val1[0], val1[0], mont, ctx)) - goto err; - - j = 1 << (window1 - 1); - for (i = 1; i < j; i++) { - if (((val1[i] = BN_CTX_get(ctx)) == NULL) || - !BN_mod_mul_montgomery(val1[i], val1[i - 1], - d, mont, ctx)) - goto err; - } - } - - - /* - * Build table for a2: val2[i] := a2^(2*i + 1) mod m for i = 0 .. 2^(window2-1) - */ - if (a2->neg || BN_ucmp(a2, m) >= 0) { - if (!BN_mod_ct(val2[0], a2, m, ctx)) - goto err; - a_mod_m = val2[0]; - } else - a_mod_m = a2; - if (BN_is_zero(a_mod_m)) { - BN_zero(rr); - ret = 1; - goto err; - } - if (!BN_to_montgomery(val2[0], a_mod_m, mont, ctx)) - goto err; - if (window2 > 1) { - if (!BN_mod_mul_montgomery(d, val2[0], val2[0], mont, ctx)) - goto err; - - j = 1 << (window2 - 1); - for (i = 1; i < j; i++) { - if (((val2[i] = BN_CTX_get(ctx)) == NULL) || - !BN_mod_mul_montgomery(val2[i], val2[i - 1], - d, mont, ctx)) - goto err; - } - } - - - /* Now compute the power product, using independent windows. */ - r_is_one = 1; - wvalue1 = 0; /* The 'value' of the first window */ - wvalue2 = 0; /* The 'value' of the second window */ - wpos1 = 0; /* If wvalue1 > 0, the bottom bit of the first window */ - wpos2 = 0; /* If wvalue2 > 0, the bottom bit of the second window */ - - if (!BN_to_montgomery(r, BN_value_one(), mont, ctx)) - goto err; - for (b = bits - 1; b >= 0; b--) { - if (!r_is_one) { - if (!BN_mod_mul_montgomery(r, r,r, mont, ctx)) - goto err; - } - - if (!wvalue1) - if (BN_is_bit_set(p1, b)) { - /* consider bits b-window1+1 .. 
b for this window */ - i = b - window1 + 1; - while (!BN_is_bit_set(p1, i)) /* works for i<0 */ - i++; - wpos1 = i; - wvalue1 = 1; - for (i = b - 1; i >= wpos1; i--) { - wvalue1 <<= 1; - if (BN_is_bit_set(p1, i)) - wvalue1++; - } - } - - if (!wvalue2) - if (BN_is_bit_set(p2, b)) { - /* consider bits b-window2+1 .. b for this window */ - i = b - window2 + 1; - while (!BN_is_bit_set(p2, i)) - i++; - wpos2 = i; - wvalue2 = 1; - for (i = b - 1; i >= wpos2; i--) { - wvalue2 <<= 1; - if (BN_is_bit_set(p2, i)) - wvalue2++; - } - } - - if (wvalue1 && b == wpos1) { - /* wvalue1 is odd and < 2^window1 */ - if (!BN_mod_mul_montgomery(r, r, val1[wvalue1 >> 1], - mont, ctx)) - goto err; - wvalue1 = 0; - r_is_one = 0; - } - - if (wvalue2 && b == wpos2) { - /* wvalue2 is odd and < 2^window2 */ - if (!BN_mod_mul_montgomery(r, r, val2[wvalue2 >> 1], - mont, ctx)) - goto err; - wvalue2 = 0; - r_is_one = 0; - } - } - if (!BN_from_montgomery(rr, r,mont, ctx)) - goto err; - ret = 1; - -err: - if ((in_mont == NULL) && (mont != NULL)) - BN_MONT_CTX_free(mont); - BN_CTX_end(ctx); - bn_check_top(rr); - return (ret); -} diff --git a/crypto/bn/bn_gcd.c b/crypto/bn/bn_gcd.c index d756398..c44b933 100644 --- a/crypto/bn/bn_gcd.c +++ b/crypto/bn/bn_gcd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_gcd.c,v 1.16 2021/12/26 15:16:50 tb Exp $ */ +/* $OpenBSD: bn_gcd.c,v 1.27 2023/04/09 18:38:59 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -111,11 +111,53 @@ #include -#include "bn_lcl.h" +#include "bn_local.h" -static BIGNUM *euclid(BIGNUM *a, BIGNUM *b); -static BIGNUM *BN_gcd_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, - BN_CTX *ctx); +static BIGNUM * +euclid(BIGNUM *a, BIGNUM *b) +{ + BIGNUM *t; + int shifts = 0; + + /* Loop invariant: 0 <= b <= a. */ + while (!BN_is_zero(b)) { + if (BN_is_odd(a) && BN_is_odd(b)) { + if (!BN_sub(a, a, b)) + goto err; + if (!BN_rshift1(a, a)) + goto err; + } else if (BN_is_odd(a) && !BN_is_odd(b)) { + if (!BN_rshift1(b, b)) + goto err; + } else if (!BN_is_odd(a) && BN_is_odd(b)) { + if (!BN_rshift1(a, a)) + goto err; + } else { + if (!BN_rshift1(a, a)) + goto err; + if (!BN_rshift1(b, b)) + goto err; + shifts++; + continue; + } + + if (BN_cmp(a, b) < 0) { + t = a; + a = b; + b = t; + } + } + + if (shifts) { + if (!BN_lshift(a, a, shifts)) + goto err; + } + + return a; + + err: + return NULL; +} int BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) @@ -123,18 +165,15 @@ BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) BIGNUM *a, *b, *t; int ret = 0; - bn_check_top(in_a); - bn_check_top(in_b); - BN_CTX_start(ctx); if ((a = BN_CTX_get(ctx)) == NULL) goto err; if ((b = BN_CTX_get(ctx)) == NULL) goto err; - if (BN_copy(a, in_a) == NULL) + if (!bn_copy(a, in_a)) goto err; - if (BN_copy(b, in_b) == NULL) + if (!bn_copy(b, in_b)) goto err; a->neg = 0; b->neg = 0; 
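Review bot: The rewritten euclid() is a variable-time routine — it branches on `BN_is_odd(a)`, `BN_is_odd(b)` and `BN_cmp(a, b)`, and its iteration count follows the bit patterns of the operands — but nothing above the definition says so, while the same file carries BN_gcd_no_branch and BN_gcd_ct for the sensitive case. A short comment above `static BIGNUM *` / `euclid(BIGNUM *a, BIGNUM *b)` would pin the contract: `/* Variable-time binary GCD for non-secret operands; use BN_gcd_ct when a or b is sensitive. */`. The `Loop invariant: 0 <= b <= a.` remark also relies on the caller ordering the operands; if BN_gcd does that outside this hunk, adding `Caller ensures b <= a on entry.` would make the comment self-contained.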
@@ -148,13 +187,161 @@ BN_gcd(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) if (t == NULL) goto err; - if (BN_copy(r, t) == NULL) + if (!bn_copy(r, t)) goto err; ret = 1; -err: + err: + BN_CTX_end(ctx); + return (ret); +} + +int +BN_gcd_nonct(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) +{ + return BN_gcd(r, in_a, in_b, ctx); +} + +/* + * BN_gcd_no_branch is a special version of BN_mod_inverse_no_branch. + * that returns the GCD. + */ +static BIGNUM * +BN_gcd_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, + BN_CTX *ctx) +{ + BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; + BIGNUM local_A, local_B; + BIGNUM *pA, *pB; + BIGNUM *ret = NULL; + int sign; + + if (in == NULL) + goto err; + R = in; + + BN_init(&local_A); + BN_init(&local_B); + + BN_CTX_start(ctx); + if ((A = BN_CTX_get(ctx)) == NULL) + goto err; + if ((B = BN_CTX_get(ctx)) == NULL) + goto err; + if ((X = BN_CTX_get(ctx)) == NULL) + goto err; + if ((D = BN_CTX_get(ctx)) == NULL) + goto err; + if ((M = BN_CTX_get(ctx)) == NULL) + goto err; + if ((Y = BN_CTX_get(ctx)) == NULL) + goto err; + if ((T = BN_CTX_get(ctx)) == NULL) + goto err; + + if (!BN_one(X)) + goto err; + BN_zero(Y); + if (!bn_copy(B, a)) + goto err; + if (!bn_copy(A, n)) + goto err; + A->neg = 0; + + if (B->neg || (BN_ucmp(B, A) >= 0)) { + /* + * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, + * BN_div_no_branch will be called eventually. + */ + pB = &local_B; + /* BN_init() done at the top of the function. */ + BN_with_flags(pB, B, BN_FLG_CONSTTIME); + if (!BN_nnmod(B, pB, A, ctx)) + goto err; + } + sign = -1; + /* From B = a mod |n|, A = |n| it follows that + * + * 0 <= B < A, + * -sign*X*a == B (mod |n|), + * sign*Y*a == A (mod |n|). 
+ */ + + while (!BN_is_zero(B)) { + BIGNUM *tmp; + + /* + * 0 < B < A, + * (*) -sign*X*a == B (mod |n|), + * sign*Y*a == A (mod |n|) + */ + + /* + * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, + * BN_div_no_branch will be called eventually. + */ + pA = &local_A; + /* BN_init() done at the top of the function. */ + BN_with_flags(pA, A, BN_FLG_CONSTTIME); + + /* (D, M) := (A/B, A%B) ... */ + if (!BN_div_ct(D, M, pA, B, ctx)) + goto err; + + /* Now + * A = D*B + M; + * thus we have + * (**) sign*Y*a == D*B + M (mod |n|). + */ + tmp = A; /* keep the BIGNUM object, the value does not matter */ + + /* (A, B) := (B, A mod B) ... */ + A = B; + B = M; + /* ... so we have 0 <= B < A again */ + + /* Since the former M is now B and the former B is now A, + * (**) translates into + * sign*Y*a == D*A + B (mod |n|), + * i.e. + * sign*Y*a - D*A == B (mod |n|). + * Similarly, (*) translates into + * -sign*X*a == A (mod |n|). + * + * Thus, + * sign*Y*a + D*sign*X*a == B (mod |n|), + * i.e. + * sign*(Y + D*X)*a == B (mod |n|). + * + * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at + * -sign*X*a == B (mod |n|), + * sign*Y*a == A (mod |n|). + * Note that X and Y stay non-negative all the time. + */ + + if (!BN_mul(tmp, D, X, ctx)) + goto err; + if (!BN_add(tmp, tmp, Y)) + goto err; + + M = Y; /* keep the BIGNUM object, the value does not matter */ + Y = X; + X = tmp; + sign = -sign; + } + + /* + * The while loop (Euclid's algorithm) ends when + * A == gcd(a,n); + */ + + if (!bn_copy(R, A)) + goto err; + ret = R; + err: + if ((ret == NULL) && (in == NULL)) + BN_free(R); BN_CTX_end(ctx); - bn_check_top(r); return (ret); } 
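Review bot: In BN_gcd_no_branch the `if (in == NULL) goto err;` guard runs before `BN_CTX_start(ctx)`, yet the `err:` path unconditionally calls `BN_CTX_end(ctx)`, so a NULL `in` ends a context frame that was never started; the old definition at the bottom of the file had the same order, so the move preserves rather than fixes it. A direct `if (in == NULL) return NULL;` avoids the unbalanced end, after which the `(in == NULL)` test guarding `BN_free(R)` at `err:` is dead and can go. Whether BN_CTX_end tolerates a call without a matching start depends on bn_ctx.c, which is not in this diff, so the early return is the cheaper guarantee. As far as this hunk shows, `T` is also reserved from the context and never used.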
@@ -166,101 +353,21 @@ BN_gcd_ct(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) return 1; } -int -BN_gcd_nonct(BIGNUM *r, const BIGNUM *in_a, const BIGNUM *in_b, BN_CTX *ctx) -{ - return BN_gcd(r, in_a, in_b, ctx); -} - - +/* BN_mod_inverse_no_branch is a special version of BN_mod_inverse. + * It does not contain branches that may leak sensitive information. + */ static BIGNUM * -euclid(BIGNUM *a, BIGNUM *b) -{ - BIGNUM *t; - int shifts = 0; - - bn_check_top(a); - bn_check_top(b); - - /* 0 <= b <= a */ - while (!BN_is_zero(b)) { - /* 0 < b <= a */ - - if (BN_is_odd(a)) { - if (BN_is_odd(b)) { - if (!BN_sub(a, a, b)) - goto err; - if (!BN_rshift1(a, a)) - goto err; - if (BN_cmp(a, b) < 0) { - t = a; - a = b; - b = t; - } - } - else /* a odd - b even */ - { - if (!BN_rshift1(b, b)) - goto err; - if (BN_cmp(a, b) < 0) { - t = a; - a = b; - b = t; - } - } - } - else /* a is even */ - { - if (BN_is_odd(b)) { - if (!BN_rshift1(a, a)) - goto err; - if (BN_cmp(a, b) < 0) { - t = a; - a = b; - b = t; - } - } - else /* a even - b even */ - { - if (!BN_rshift1(a, a)) - goto err; - if (!BN_rshift1(b, b)) - goto err; - shifts++; - } - } - /* 0 <= b <= a */ - } - - if (shifts) { - if (!BN_lshift(a, a, shifts)) - goto err; - } - bn_check_top(a); - return (a); - -err: - return (NULL); -} - - -/* solves ax == 1 (mod n) */ -static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, - const BIGNUM *n, BN_CTX *ctx); - -static BIGNUM * -BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx, - int ct) +BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, + BN_CTX *ctx) { BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; + BIGNUM local_A, local_B; + BIGNUM *pA, *pB; BIGNUM *ret = NULL; int sign; - if (ct) - return BN_mod_inverse_no_branch(in, a, n, ctx); - - bn_check_top(a); - bn_check_top(n); + BN_init(&local_A); + BN_init(&local_B); BN_CTX_start(ctx); if ((A = BN_CTX_get(ctx)) == NULL) 
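Review bot: The header comment added here, `It does not contain branches that may leak sensitive information.`, promises more than the body delivers: the `while (!BN_is_zero(B))` trip count, the `if (sign < 0)` fix-up and the `if (!Y->neg && BN_ucmp(Y, n) < 0)` test in the following hunk all branch on values derived from `a` and `n`; what BN_FLG_CONSTTIME buys is that the `BN_div_ct`/`BN_nnmod` steps run constant-time. Suggest stating the actual property, e.g. `Sets BN_FLG_CONSTTIME so the divisions are constant-time; the iteration count and final reductions still depend on the inputs.`, so callers choosing BN_mod_inverse_ct know what is and is not covered. The function body continues into the next hunk.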
@@ -285,11 +392,174 @@ BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ct if (R == NULL) goto err; - BN_one(X); - BN_zero(Y); - if (BN_copy(B, a) == NULL) + if (!BN_one(X)) goto err; - if (BN_copy(A, n) == NULL) + BN_zero(Y); + if (!bn_copy(B, a)) + goto err; + if (!bn_copy(A, n)) + goto err; + A->neg = 0; + + if (B->neg || (BN_ucmp(B, A) >= 0)) { + /* + * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, + * BN_div_no_branch will be called eventually. + */ + pB = &local_B; + /* BN_init() done at the top of the function. */ + BN_with_flags(pB, B, BN_FLG_CONSTTIME); + if (!BN_nnmod(B, pB, A, ctx)) + goto err; + } + sign = -1; + /* From B = a mod |n|, A = |n| it follows that + * + * 0 <= B < A, + * -sign*X*a == B (mod |n|), + * sign*Y*a == A (mod |n|). + */ + + while (!BN_is_zero(B)) { + BIGNUM *tmp; + + /* + * 0 < B < A, + * (*) -sign*X*a == B (mod |n|), + * sign*Y*a == A (mod |n|) + */ + + /* + * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, + * BN_div_no_branch will be called eventually. + */ + pA = &local_A; + /* BN_init() done at the top of the function. */ + BN_with_flags(pA, A, BN_FLG_CONSTTIME); + + /* (D, M) := (A/B, A%B) ... */ + if (!BN_div_ct(D, M, pA, B, ctx)) + goto err; + + /* Now + * A = D*B + M; + * thus we have + * (**) sign*Y*a == D*B + M (mod |n|). + */ + tmp = A; /* keep the BIGNUM object, the value does not matter */ + + /* (A, B) := (B, A mod B) ... */ + A = B; + B = M; + /* ... so we have 0 <= B < A again */ + + /* Since the former M is now B and the former B is now A, + * (**) translates into + * sign*Y*a == D*A + B (mod |n|), + * i.e. + * sign*Y*a - D*A == B (mod |n|). + * Similarly, (*) translates into + * -sign*X*a == A (mod |n|). + * + * Thus, + * sign*Y*a + D*sign*X*a == B (mod |n|), + * i.e. + * sign*(Y + D*X)*a == B (mod |n|). + * + * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at + * -sign*X*a == B (mod |n|), + * sign*Y*a == A (mod |n|). 
+ * Note that X and Y stay non-negative all the time. + */ + + if (!BN_mul(tmp, D, X, ctx)) + goto err; + if (!BN_add(tmp, tmp, Y)) + goto err; + + M = Y; /* keep the BIGNUM object, the value does not matter */ + Y = X; + X = tmp; + sign = -sign; + } + + /* + * The while loop (Euclid's algorithm) ends when + * A == gcd(a,n); + * we have + * sign*Y*a == A (mod |n|), + * where Y is non-negative. + */ + + if (sign < 0) { + if (!BN_sub(Y, n, Y)) + goto err; + } + /* Now Y*a == A (mod |n|). */ + + if (BN_is_one(A)) { + /* Y*a == 1 (mod |n|) */ + if (!Y->neg && BN_ucmp(Y, n) < 0) { + if (!bn_copy(R, Y)) + goto err; + } else { + if (!BN_nnmod(R, Y, n, ctx)) + goto err; + } + } else { + BNerror(BN_R_NO_INVERSE); + goto err; + } + ret = R; + + err: + if ((ret == NULL) && (in == NULL)) + BN_free(R); + BN_CTX_end(ctx); + return (ret); +} + +/* solves ax == 1 (mod n) */ +static BIGNUM * +BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx, + int ct) +{ + BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; + BIGNUM *ret = NULL; + int sign; + + if (ct) + return BN_mod_inverse_no_branch(in, a, n, ctx); + + BN_CTX_start(ctx); + if ((A = BN_CTX_get(ctx)) == NULL) + goto err; + if ((B = BN_CTX_get(ctx)) == NULL) + goto err; + if ((X = BN_CTX_get(ctx)) == NULL) + goto err; + if ((D = BN_CTX_get(ctx)) == NULL) + goto err; + if ((M = BN_CTX_get(ctx)) == NULL) + goto err; + if ((Y = BN_CTX_get(ctx)) == NULL) + goto err; + if ((T = BN_CTX_get(ctx)) == NULL) + goto err; + + if (in == NULL) + R = BN_new(); + else + R = in; + if (R == NULL) + goto err; + + if (!BN_one(X)) + goto err; + BN_zero(Y); + if (!bn_copy(B, a)) + goto err; + if (!bn_copy(A, n)) goto err; A->neg = 0; if (B->neg || (BN_ucmp(B, A) >= 0)) { 
@@ -308,7 +578,7 @@ BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ct /* Binary inversion algorithm; requires odd modulus. * This is faster than the general algorithm if the modulus * is sufficiently small (about 400 .. 500 bits on 32-bit - * sytems, but much more on 64-bit systems) */ + * systems, but much more on 64-bit systems) */ int shift; while (!BN_is_zero(B)) { @@ -340,7 +610,6 @@ BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ct goto err; } - /* Same for A and Y. Afterwards, (2) still holds. */ shift = 0; while (!BN_is_bit_set(A, shift)) /* note that 0 < A */ @@ -360,7 +629,6 @@ BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ct goto err; } - /* We still have (1) and (2). * Both A and B are odd. * The following computations ensure that @@ -484,7 +752,7 @@ BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ct if (!BN_lshift(tmp, X, 2)) goto err; } else if (D->top == 1) { - if (!BN_copy(tmp, X)) + if (!bn_copy(tmp, X)) goto err; if (!BN_mul_word(tmp, D->d[0])) goto err; @@ -520,7 +788,7 @@ BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ct if (BN_is_one(A)) { /* Y*a == 1 (mod |n|) */ if (!Y->neg && BN_ucmp(Y, n) < 0) { - if (!BN_copy(R, Y)) + if (!bn_copy(R, Y)) goto err; } else { if (!BN_nnmod(R, Y,n, ctx)) @@ -532,11 +800,10 @@ BN_mod_inverse_internal(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ct } ret = R; -err: + err: if ((ret == NULL) && (in == NULL)) BN_free(R); BN_CTX_end(ctx); - bn_check_top(ret); return (ret); } 
@@ -559,318 +826,3 @@ BN_mod_inverse_ct(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx) { return BN_mod_inverse_internal(in, a, n, ctx, 1); } - -/* BN_mod_inverse_no_branch is a special version of BN_mod_inverse. - * It does not contain branches that may leak sensitive information. - */ -static BIGNUM * -BN_mod_inverse_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, - BN_CTX *ctx) -{ - BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; - BIGNUM local_A, local_B; - BIGNUM *pA, *pB; - BIGNUM *ret = NULL; - int sign; - - bn_check_top(a); - bn_check_top(n); - - BN_init(&local_A); - BN_init(&local_B); - - BN_CTX_start(ctx); - if ((A = BN_CTX_get(ctx)) == NULL) - goto err; - if ((B = BN_CTX_get(ctx)) == NULL) - goto err; - if ((X = BN_CTX_get(ctx)) == NULL) - goto err; - if ((D = BN_CTX_get(ctx)) == NULL) - goto err; - if ((M = BN_CTX_get(ctx)) == NULL) - goto err; - if ((Y = BN_CTX_get(ctx)) == NULL) - goto err; - if ((T = BN_CTX_get(ctx)) == NULL) - goto err; - - if (in == NULL) - R = BN_new(); - else - R = in; - if (R == NULL) - goto err; - - BN_one(X); - BN_zero(Y); - if (BN_copy(B, a) == NULL) - goto err; - if (BN_copy(A, n) == NULL) - goto err; - A->neg = 0; - - if (B->neg || (BN_ucmp(B, A) >= 0)) { - /* - * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, - * BN_div_no_branch will be called eventually. - */ - pB = &local_B; - /* BN_init() done at the top of the function. */ - BN_with_flags(pB, B, BN_FLG_CONSTTIME); - if (!BN_nnmod(B, pB, A, ctx)) - goto err; - } - sign = -1; - /* From B = a mod |n|, A = |n| it follows that - * - * 0 <= B < A, - * -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|). - */ - - while (!BN_is_zero(B)) { - BIGNUM *tmp; - - /* - * 0 < B < A, - * (*) -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|) - */ - - /* - * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, - * BN_div_no_branch will be called eventually. - */ - pA = &local_A; - /* BN_init() done at the top of the function. 
*/ - BN_with_flags(pA, A, BN_FLG_CONSTTIME); - - /* (D, M) := (A/B, A%B) ... */ - if (!BN_div_ct(D, M, pA, B, ctx)) - goto err; - - /* Now - * A = D*B + M; - * thus we have - * (**) sign*Y*a == D*B + M (mod |n|). - */ - tmp = A; /* keep the BIGNUM object, the value does not matter */ - - /* (A, B) := (B, A mod B) ... */ - A = B; - B = M; - /* ... so we have 0 <= B < A again */ - - /* Since the former M is now B and the former B is now A, - * (**) translates into - * sign*Y*a == D*A + B (mod |n|), - * i.e. - * sign*Y*a - D*A == B (mod |n|). - * Similarly, (*) translates into - * -sign*X*a == A (mod |n|). - * - * Thus, - * sign*Y*a + D*sign*X*a == B (mod |n|), - * i.e. - * sign*(Y + D*X)*a == B (mod |n|). - * - * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at - * -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|). - * Note that X and Y stay non-negative all the time. - */ - - if (!BN_mul(tmp, D, X, ctx)) - goto err; - if (!BN_add(tmp, tmp, Y)) - goto err; - - M = Y; /* keep the BIGNUM object, the value does not matter */ - Y = X; - X = tmp; - sign = -sign; - } - - /* - * The while loop (Euclid's algorithm) ends when - * A == gcd(a,n); - * we have - * sign*Y*a == A (mod |n|), - * where Y is non-negative. - */ - - if (sign < 0) { - if (!BN_sub(Y, n, Y)) - goto err; - } - /* Now Y*a == A (mod |n|). */ - - if (BN_is_one(A)) { - /* Y*a == 1 (mod |n|) */ - if (!Y->neg && BN_ucmp(Y, n) < 0) { - if (!BN_copy(R, Y)) - goto err; - } else { - if (!BN_nnmod(R, Y, n, ctx)) - goto err; - } - } else { - BNerror(BN_R_NO_INVERSE); - goto err; - } - ret = R; - -err: - if ((ret == NULL) && (in == NULL)) - BN_free(R); - BN_CTX_end(ctx); - bn_check_top(ret); - return (ret); -} - -/* - * BN_gcd_no_branch is a special version of BN_mod_inverse_no_branch. - * that returns the GCD. 
- */ -static BIGNUM * -BN_gcd_no_branch(BIGNUM *in, const BIGNUM *a, const BIGNUM *n, - BN_CTX *ctx) -{ - BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL; - BIGNUM local_A, local_B; - BIGNUM *pA, *pB; - BIGNUM *ret = NULL; - int sign; - - if (in == NULL) - goto err; - R = in; - - BN_init(&local_A); - BN_init(&local_B); - - bn_check_top(a); - bn_check_top(n); - - BN_CTX_start(ctx); - if ((A = BN_CTX_get(ctx)) == NULL) - goto err; - if ((B = BN_CTX_get(ctx)) == NULL) - goto err; - if ((X = BN_CTX_get(ctx)) == NULL) - goto err; - if ((D = BN_CTX_get(ctx)) == NULL) - goto err; - if ((M = BN_CTX_get(ctx)) == NULL) - goto err; - if ((Y = BN_CTX_get(ctx)) == NULL) - goto err; - if ((T = BN_CTX_get(ctx)) == NULL) - goto err; - - BN_one(X); - BN_zero(Y); - if (BN_copy(B, a) == NULL) - goto err; - if (BN_copy(A, n) == NULL) - goto err; - A->neg = 0; - - if (B->neg || (BN_ucmp(B, A) >= 0)) { - /* - * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, - * BN_div_no_branch will be called eventually. - */ - pB = &local_B; - /* BN_init() done at the top of the function. */ - BN_with_flags(pB, B, BN_FLG_CONSTTIME); - if (!BN_nnmod(B, pB, A, ctx)) - goto err; - } - sign = -1; - /* From B = a mod |n|, A = |n| it follows that - * - * 0 <= B < A, - * -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|). - */ - - while (!BN_is_zero(B)) { - BIGNUM *tmp; - - /* - * 0 < B < A, - * (*) -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|) - */ - - /* - * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked, - * BN_div_no_branch will be called eventually. - */ - pA = &local_A; - /* BN_init() done at the top of the function. */ - BN_with_flags(pA, A, BN_FLG_CONSTTIME); - - /* (D, M) := (A/B, A%B) ... */ - if (!BN_div_ct(D, M, pA, B, ctx)) - goto err; - - /* Now - * A = D*B + M; - * thus we have - * (**) sign*Y*a == D*B + M (mod |n|). - */ - tmp = A; /* keep the BIGNUM object, the value does not matter */ - - /* (A, B) := (B, A mod B) ... */ - A = B; - B = M; - /* ... 
so we have 0 <= B < A again */ - - /* Since the former M is now B and the former B is now A, - * (**) translates into - * sign*Y*a == D*A + B (mod |n|), - * i.e. - * sign*Y*a - D*A == B (mod |n|). - * Similarly, (*) translates into - * -sign*X*a == A (mod |n|). - * - * Thus, - * sign*Y*a + D*sign*X*a == B (mod |n|), - * i.e. - * sign*(Y + D*X)*a == B (mod |n|). - * - * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at - * -sign*X*a == B (mod |n|), - * sign*Y*a == A (mod |n|). - * Note that X and Y stay non-negative all the time. - */ - - if (!BN_mul(tmp, D, X, ctx)) - goto err; - if (!BN_add(tmp, tmp, Y)) - goto err; - - M = Y; /* keep the BIGNUM object, the value does not matter */ - Y = X; - X = tmp; - sign = -sign; - } - - /* - * The while loop (Euclid's algorithm) ends when - * A == gcd(a,n); - */ - - if (!BN_copy(R, A)) - goto err; - ret = R; -err: - if ((ret == NULL) && (in == NULL)) - BN_free(R); - BN_CTX_end(ctx); - bn_check_top(ret); - return (ret); -} diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c deleted file mode 100644 index 8562b3f..0000000 --- a/crypto/bn/bn_gf2m.c +++ /dev/null 
@@ -1,1321 +0,0 @@ -/* $OpenBSD: bn_gf2m.c,v 1.23 2017/01/29 17:49:22 beck Exp $ */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * The Elliptic Curve Public-Key Crypto Library (ECC Code) included - * herein is developed by SUN MICROSYSTEMS, INC., and is contributed - * to the OpenSSL project. - * - * The ECC Code is licensed pursuant to the OpenSSL open source - * license provided below. - * - * In addition, Sun covenants to all licensees who provide a reciprocal - * covenant with respect to their own patents if any, not to sue under - * current and future patent claims necessarily infringed by the making, - * using, practicing, selling, offering for sale and/or otherwise - * disposing of the ECC Code as delivered hereunder (or portions thereof), - * provided that such covenant shall not apply: - * 1) for code that a licensee deletes from the ECC Code; - * 2) separates from the ECC Code; or - * 3) for infringements caused by: - * i) the modification of the ECC Code or - * ii) the combination of the ECC Code with other software or - * devices where such combination causes the infringement. - * - * The software is originally written by Sheueling Chang Shantz and - * Douglas Stebila of Sun Microsystems Laboratories. - * - */ - -/* NOTE: This file is licensed pursuant to the OpenSSL license below - * and may be modified; but after modifications, the above covenant - * may no longer apply! In such cases, the corresponding paragraph - * ["In addition, Sun covenants ... causes the infringement."] and - * this note can be edited out; but please keep the Sun copyright - * notice and attribution. */ - -/* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. 
- * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include - -#include - -#include - -#include "bn_lcl.h" - -#ifndef OPENSSL_NO_EC2M - -/* Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should fail. */ -#define MAX_ITERATIONS 50 - -static const BN_ULONG SQR_tb[16] = - { 0, 1, 4, 5, 16, 17, 20, 21, -64, 65, 68, 69, 80, 81, 84, 85 }; -/* Platform-specific macros to accelerate squaring. 
*/ -#ifdef _LP64 -#define SQR1(w) \ - SQR_tb[(w) >> 60 & 0xF] << 56 | SQR_tb[(w) >> 56 & 0xF] << 48 | \ - SQR_tb[(w) >> 52 & 0xF] << 40 | SQR_tb[(w) >> 48 & 0xF] << 32 | \ - SQR_tb[(w) >> 44 & 0xF] << 24 | SQR_tb[(w) >> 40 & 0xF] << 16 | \ - SQR_tb[(w) >> 36 & 0xF] << 8 | SQR_tb[(w) >> 32 & 0xF] -#define SQR0(w) \ - SQR_tb[(w) >> 28 & 0xF] << 56 | SQR_tb[(w) >> 24 & 0xF] << 48 | \ - SQR_tb[(w) >> 20 & 0xF] << 40 | SQR_tb[(w) >> 16 & 0xF] << 32 | \ - SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \ - SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF] -#else -#define SQR1(w) \ - SQR_tb[(w) >> 28 & 0xF] << 24 | SQR_tb[(w) >> 24 & 0xF] << 16 | \ - SQR_tb[(w) >> 20 & 0xF] << 8 | SQR_tb[(w) >> 16 & 0xF] -#define SQR0(w) \ - SQR_tb[(w) >> 12 & 0xF] << 24 | SQR_tb[(w) >> 8 & 0xF] << 16 | \ - SQR_tb[(w) >> 4 & 0xF] << 8 | SQR_tb[(w) & 0xF] -#endif - -#if !defined(OPENSSL_BN_ASM_GF2m) -/* Product of two polynomials a, b each with degree < BN_BITS2 - 1, - * result is a polynomial r with degree < 2 * BN_BITS - 1 - * The caller MUST ensure that the variables have the right amount - * of space allocated. 
- */ -static void -bn_GF2m_mul_1x1(BN_ULONG *r1, BN_ULONG *r0, const BN_ULONG a, const BN_ULONG b) -{ -#ifndef _LP64 - BN_ULONG h, l, s; - BN_ULONG tab[8], top2b = a >> 30; - BN_ULONG a1, a2, a4; - - a1 = a & (0x3FFFFFFF); - a2 = a1 << 1; - a4 = a2 << 1; - - tab[0] = 0; - tab[1] = a1; - tab[2] = a2; - tab[3] = a1 ^ a2; - tab[4] = a4; - tab[5] = a1 ^ a4; - tab[6] = a2 ^ a4; - tab[7] = a1 ^ a2 ^ a4; - - s = tab[b & 0x7]; - l = s; - s = tab[b >> 3 & 0x7]; - l ^= s << 3; - h = s >> 29; - s = tab[b >> 6 & 0x7]; - l ^= s << 6; - h ^= s >> 26; - s = tab[b >> 9 & 0x7]; - l ^= s << 9; - h ^= s >> 23; - s = tab[b >> 12 & 0x7]; - l ^= s << 12; - h ^= s >> 20; - s = tab[b >> 15 & 0x7]; - l ^= s << 15; - h ^= s >> 17; - s = tab[b >> 18 & 0x7]; - l ^= s << 18; - h ^= s >> 14; - s = tab[b >> 21 & 0x7]; - l ^= s << 21; - h ^= s >> 11; - s = tab[b >> 24 & 0x7]; - l ^= s << 24; - h ^= s >> 8; - s = tab[b >> 27 & 0x7]; - l ^= s << 27; - h ^= s >> 5; - s = tab[b >> 30]; - l ^= s << 30; - h ^= s >> 2; - - /* compensate for the top two bits of a */ - if (top2b & 01) { - l ^= b << 30; - h ^= b >> 2; - } - if (top2b & 02) { - l ^= b << 31; - h ^= b >> 1; - } - - *r1 = h; - *r0 = l; -#else - BN_ULONG h, l, s; - BN_ULONG tab[16], top3b = a >> 61; - BN_ULONG a1, a2, a4, a8; - - a1 = a & (0x1FFFFFFFFFFFFFFFULL); - a2 = a1 << 1; - a4 = a2 << 1; - a8 = a4 << 1; - - tab[0] = 0; - tab[1] = a1; - tab[2] = a2; - tab[3] = a1 ^ a2; - tab[4] = a4; - tab[5] = a1 ^ a4; - tab[6] = a2 ^ a4; - tab[7] = a1 ^ a2 ^ a4; - tab[8] = a8; - tab[9] = a1 ^ a8; - tab[10] = a2 ^ a8; - tab[11] = a1 ^ a2 ^ a8; - tab[12] = a4 ^ a8; - tab[13] = a1 ^ a4 ^ a8; - tab[14] = a2 ^ a4 ^ a8; - tab[15] = a1 ^ a2 ^ a4 ^ a8; - - s = tab[b & 0xF]; - l = s; - s = tab[b >> 4 & 0xF]; - l ^= s << 4; - h = s >> 60; - s = tab[b >> 8 & 0xF]; - l ^= s << 8; - h ^= s >> 56; - s = tab[b >> 12 & 0xF]; - l ^= s << 12; - h ^= s >> 52; - s = tab[b >> 16 & 0xF]; - l ^= s << 16; - h ^= s >> 48; - s = tab[b >> 20 & 0xF]; - l ^= s << 20; - h ^= s >> 
44; - s = tab[b >> 24 & 0xF]; - l ^= s << 24; - h ^= s >> 40; - s = tab[b >> 28 & 0xF]; - l ^= s << 28; - h ^= s >> 36; - s = tab[b >> 32 & 0xF]; - l ^= s << 32; - h ^= s >> 32; - s = tab[b >> 36 & 0xF]; - l ^= s << 36; - h ^= s >> 28; - s = tab[b >> 40 & 0xF]; - l ^= s << 40; - h ^= s >> 24; - s = tab[b >> 44 & 0xF]; - l ^= s << 44; - h ^= s >> 20; - s = tab[b >> 48 & 0xF]; - l ^= s << 48; - h ^= s >> 16; - s = tab[b >> 52 & 0xF]; - l ^= s << 52; - h ^= s >> 12; - s = tab[b >> 56 & 0xF]; - l ^= s << 56; - h ^= s >> 8; - s = tab[b >> 60]; - l ^= s << 60; - h ^= s >> 4; - - /* compensate for the top three bits of a */ - if (top3b & 01) { - l ^= b << 61; - h ^= b >> 3; - } - if (top3b & 02) { - l ^= b << 62; - h ^= b >> 2; - } - if (top3b & 04) { - l ^= b << 63; - h ^= b >> 1; - } - - *r1 = h; - *r0 = l; -#endif -} - -/* Product of two polynomials a, b each with degree < 2 * BN_BITS2 - 1, - * result is a polynomial r with degree < 4 * BN_BITS2 - 1 - * The caller MUST ensure that the variables have the right amount - * of space allocated. - */ -static void -bn_GF2m_mul_2x2(BN_ULONG *r, const BN_ULONG a1, const BN_ULONG a0, - const BN_ULONG b1, const BN_ULONG b0) -{ - BN_ULONG m1, m0; - - /* r[3] = h1, r[2] = h0; r[1] = l1; r[0] = l0 */ - bn_GF2m_mul_1x1(r + 3, r + 2, a1, b1); - bn_GF2m_mul_1x1(r + 1, r, a0, b0); - bn_GF2m_mul_1x1(&m1, &m0, a0 ^ a1, b0 ^ b1); - /* Correction on m1 ^= l1 ^ h1; m0 ^= l0 ^ h0; */ - r[2] ^= m1 ^ r[1] ^ r[3]; /* h0 ^= m1 ^ l1 ^ h1; */ - r[1] = r[3] ^ r[2] ^ r[0] ^ m1 ^ m0; /* l1 ^= l0 ^ h0 ^ m0; */ -} -#else -void bn_GF2m_mul_2x2(BN_ULONG *r, BN_ULONG a1, BN_ULONG a0, BN_ULONG b1, - BN_ULONG b0); -#endif - -/* Add polynomials a and b and store result in r; r could be a or b, a and b - * could be equal; r is the bitwise XOR of a and b. 
- */ -int -BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) -{ - int i; - const BIGNUM *at, *bt; - - bn_check_top(a); - bn_check_top(b); - - if (a->top < b->top) { - at = b; - bt = a; - } else { - at = a; - bt = b; - } - - if (bn_wexpand(r, at->top) == NULL) - return 0; - - for (i = 0; i < bt->top; i++) { - r->d[i] = at->d[i] ^ bt->d[i]; - } - for (; i < at->top; i++) { - r->d[i] = at->d[i]; - } - - r->top = at->top; - bn_correct_top(r); - - return 1; -} - - -/* Some functions allow for representation of the irreducible polynomials - * as an int[], say p. The irreducible f(t) is then of the form: - * t^p[0] + t^p[1] + ... + t^p[k] - * where m = p[0] > p[1] > ... > p[k] = 0. - */ - - -/* Performs modular reduction of a and store result in r. r could be a. */ -int -BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[]) -{ - int j, k; - int n, dN, d0, d1; - BN_ULONG zz, *z; - - bn_check_top(a); - - if (!p[0]) { - /* reduction mod 1 => return 0 */ - BN_zero(r); - return 1; - } - - /* Since the algorithm does reduction in the r value, if a != r, copy - * the contents of a into r so we can do reduction in r. 
- */ - if (a != r) { - if (!bn_wexpand(r, a->top)) - return 0; - for (j = 0; j < a->top; j++) { - r->d[j] = a->d[j]; - } - r->top = a->top; - } - z = r->d; - - /* start reduction */ - dN = p[0] / BN_BITS2; - for (j = r->top - 1; j > dN; ) { - zz = z[j]; - if (z[j] == 0) { - j--; - continue; - } - z[j] = 0; - - for (k = 1; p[k] != 0; k++) { - /* reducing component t^p[k] */ - n = p[0] - p[k]; - d0 = n % BN_BITS2; - d1 = BN_BITS2 - d0; - n /= BN_BITS2; - z[j - n] ^= (zz >> d0); - if (d0) - z[j - n - 1] ^= (zz << d1); - } - - /* reducing component t^0 */ - n = dN; - d0 = p[0] % BN_BITS2; - d1 = BN_BITS2 - d0; - z[j - n] ^= (zz >> d0); - if (d0) - z[j - n - 1] ^= (zz << d1); - } - - /* final round of reduction */ - while (j == dN) { - - d0 = p[0] % BN_BITS2; - zz = z[dN] >> d0; - if (zz == 0) - break; - d1 = BN_BITS2 - d0; - - /* clear up the top d1 bits */ - if (d0) - z[dN] = (z[dN] << d1) >> d1; - else - z[dN] = 0; - z[0] ^= zz; /* reduction t^0 component */ - - for (k = 1; p[k] != 0; k++) { - BN_ULONG tmp_ulong; - - /* reducing component t^p[k]*/ - n = p[k] / BN_BITS2; - d0 = p[k] % BN_BITS2; - d1 = BN_BITS2 - d0; - z[n] ^= (zz << d0); - if (d0 && (tmp_ulong = zz >> d1)) - z[n + 1] ^= tmp_ulong; - } - - - } - - bn_correct_top(r); - return 1; -} - -/* Performs modular reduction of a by p and store result in r. r could be a. - * - * This function calls down to the BN_GF2m_mod_arr implementation; this wrapper - * function is only provided for convenience; for best performance, use the - * BN_GF2m_mod_arr function. 
- */ -int -BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p) -{ - int ret = 0; - int arr[6]; - - bn_check_top(a); - bn_check_top(p); - ret = BN_GF2m_poly2arr(p, arr, sizeof(arr) / sizeof(arr[0])); - if (!ret || ret > (int)(sizeof(arr) / sizeof(arr[0]))) { - BNerror(BN_R_INVALID_LENGTH); - return 0; - } - ret = BN_GF2m_mod_arr(r, a, arr); - bn_check_top(r); - return ret; -} - - -/* Compute the product of two polynomials a and b, reduce modulo p, and store - * the result in r. r could be a or b; a could be b. - */ -int -BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const int p[], - BN_CTX *ctx) -{ - int zlen, i, j, k, ret = 0; - BIGNUM *s; - BN_ULONG x1, x0, y1, y0, zz[4]; - - bn_check_top(a); - bn_check_top(b); - - if (a == b) { - return BN_GF2m_mod_sqr_arr(r, a, p, ctx); - } - - BN_CTX_start(ctx); - if ((s = BN_CTX_get(ctx)) == NULL) - goto err; - - zlen = a->top + b->top + 4; - if (!bn_wexpand(s, zlen)) - goto err; - s->top = zlen; - - for (i = 0; i < zlen; i++) - s->d[i] = 0; - - for (j = 0; j < b->top; j += 2) { - y0 = b->d[j]; - y1 = ((j + 1) == b->top) ? 0 : b->d[j + 1]; - for (i = 0; i < a->top; i += 2) { - x0 = a->d[i]; - x1 = ((i + 1) == a->top) ? 0 : a->d[i + 1]; - bn_GF2m_mul_2x2(zz, x1, x0, y1, y0); - for (k = 0; k < 4; k++) - s->d[i + j + k] ^= zz[k]; - } - } - - bn_correct_top(s); - if (BN_GF2m_mod_arr(r, s, p)) - ret = 1; - bn_check_top(r); - -err: - BN_CTX_end(ctx); - return ret; -} - -/* Compute the product of two polynomials a and b, reduce modulo p, and store - * the result in r. r could be a or b; a could equal b. - * - * This function calls down to the BN_GF2m_mod_mul_arr implementation; this wrapper - * function is only provided for convenience; for best performance, use the - * BN_GF2m_mod_mul_arr function. 
- */ -int -BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p, - BN_CTX *ctx) -{ - int ret = 0; - const int max = BN_num_bits(p) + 1; - int *arr = NULL; - - bn_check_top(a); - bn_check_top(b); - bn_check_top(p); - if ((arr = reallocarray(NULL, max, sizeof(int))) == NULL) - goto err; - ret = BN_GF2m_poly2arr(p, arr, max); - if (!ret || ret > max) { - BNerror(BN_R_INVALID_LENGTH); - goto err; - } - ret = BN_GF2m_mod_mul_arr(r, a, b, arr, ctx); - bn_check_top(r); - -err: - free(arr); - return ret; -} - - -/* Square a, reduce the result mod p, and store it in a. r could be a. */ -int -BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[], BN_CTX *ctx) -{ - int i, ret = 0; - BIGNUM *s; - - bn_check_top(a); - BN_CTX_start(ctx); - if ((s = BN_CTX_get(ctx)) == NULL) - goto err; - if (!bn_wexpand(s, 2 * a->top)) - goto err; - - for (i = a->top - 1; i >= 0; i--) { - s->d[2 * i + 1] = SQR1(a->d[i]); - s->d[2 * i] = SQR0(a->d[i]); - } - - s->top = 2 * a->top; - bn_correct_top(s); - if (!BN_GF2m_mod_arr(r, s, p)) - goto err; - bn_check_top(r); - ret = 1; - -err: - BN_CTX_end(ctx); - return ret; -} - -/* Square a, reduce the result mod p, and store it in a. r could be a. - * - * This function calls down to the BN_GF2m_mod_sqr_arr implementation; this wrapper - * function is only provided for convenience; for best performance, use the - * BN_GF2m_mod_sqr_arr function. - */ -int -BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) -{ - int ret = 0; - const int max = BN_num_bits(p) + 1; - int *arr = NULL; - - bn_check_top(a); - bn_check_top(p); - if ((arr = reallocarray(NULL, max, sizeof(int))) == NULL) - goto err; - ret = BN_GF2m_poly2arr(p, arr, max); - if (!ret || ret > max) { - BNerror(BN_R_INVALID_LENGTH); - goto err; - } - ret = BN_GF2m_mod_sqr_arr(r, a, arr, ctx); - bn_check_top(r); - -err: - free(arr); - return ret; -} - - -/* Invert a, reduce modulo p, and store the result in r. r could be a. 
- * Uses Modified Almost Inverse Algorithm (Algorithm 10) from - * Hankerson, D., Hernandez, J.L., and Menezes, A. "Software Implementation - * of Elliptic Curve Cryptography Over Binary Fields". - */ -int -BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) -{ - BIGNUM *b, *c = NULL, *u = NULL, *v = NULL, *tmp; - int ret = 0; - - bn_check_top(a); - bn_check_top(p); - - BN_CTX_start(ctx); - - if ((b = BN_CTX_get(ctx)) == NULL) - goto err; - if ((c = BN_CTX_get(ctx)) == NULL) - goto err; - if ((u = BN_CTX_get(ctx)) == NULL) - goto err; - if ((v = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_GF2m_mod(u, a, p)) - goto err; - if (BN_is_zero(u)) - goto err; - - if (!BN_copy(v, p)) - goto err; -#if 0 - if (!BN_one(b)) - goto err; - - while (1) { - while (!BN_is_odd(u)) { - if (BN_is_zero(u)) - goto err; - if (!BN_rshift1(u, u)) - goto err; - if (BN_is_odd(b)) { - if (!BN_GF2m_add(b, b, p)) - goto err; - } - if (!BN_rshift1(b, b)) - goto err; - } - - if (BN_abs_is_word(u, 1)) - break; - - if (BN_num_bits(u) < BN_num_bits(v)) { - tmp = u; - u = v; - v = tmp; - tmp = b; - b = c; - c = tmp; - } - - if (!BN_GF2m_add(u, u, v)) - goto err; - if (!BN_GF2m_add(b, b, c)) - goto err; - } -#else - { - int i, ubits = BN_num_bits(u), - vbits = BN_num_bits(v), /* v is copy of p */ - top = p->top; - BN_ULONG *udp, *bdp, *vdp, *cdp; - - if (!bn_wexpand(u, top)) - goto err; - udp = u->d; - for (i = u->top; i < top; i++) - udp[i] = 0; - u->top = top; - if (!bn_wexpand(b, top)) - goto err; - bdp = b->d; - bdp[0] = 1; - for (i = 1; i < top; i++) - bdp[i] = 0; - b->top = top; - if (!bn_wexpand(c, top)) - goto err; - cdp = c->d; - for (i = 0; i < top; i++) - cdp[i] = 0; - c->top = top; - vdp = v->d; /* It pays off to "cache" *->d pointers, because - * it allows optimizer to be more aggressive. - * But we don't have to "cache" p->d, because *p - * is declared 'const'... 
*/ - while (1) { - while (ubits && !(udp[0]&1)) { - BN_ULONG u0, u1, b0, b1, mask; - - u0 = udp[0]; - b0 = bdp[0]; - mask = (BN_ULONG)0 - (b0 & 1); - b0 ^= p->d[0] & mask; - for (i = 0; i < top - 1; i++) { - u1 = udp[i + 1]; - udp[i] = ((u0 >> 1) | - (u1 << (BN_BITS2 - 1))) & BN_MASK2; - u0 = u1; - b1 = bdp[i + 1] ^ (p->d[i + 1] & mask); - bdp[i] = ((b0 >> 1) | - (b1 << (BN_BITS2 - 1))) & BN_MASK2; - b0 = b1; - } - udp[i] = u0 >> 1; - bdp[i] = b0 >> 1; - ubits--; - } - - if (ubits <= BN_BITS2) { - /* See if poly was reducible. */ - if (udp[0] == 0) - goto err; - if (udp[0] == 1) - break; - } - - if (ubits < vbits) { - i = ubits; - ubits = vbits; - vbits = i; - tmp = u; - u = v; - v = tmp; - tmp = b; - b = c; - c = tmp; - udp = vdp; - vdp = v->d; - bdp = cdp; - cdp = c->d; - } - for (i = 0; i < top; i++) { - udp[i] ^= vdp[i]; - bdp[i] ^= cdp[i]; - } - if (ubits == vbits) { - BN_ULONG ul; - int utop = (ubits - 1) / BN_BITS2; - - while ((ul = udp[utop]) == 0 && utop) - utop--; - ubits = utop*BN_BITS2 + BN_num_bits_word(ul); - } - } - bn_correct_top(b); - } -#endif - - if (!BN_copy(r, b)) - goto err; - bn_check_top(r); - ret = 1; - -err: -#ifdef BN_DEBUG /* BN_CTX_end would complain about the expanded form */ - bn_correct_top(c); - bn_correct_top(u); - bn_correct_top(v); -#endif - BN_CTX_end(ctx); - return ret; -} - -/* Invert xx, reduce modulo p, and store the result in r. r could be xx. - * - * This function calls down to the BN_GF2m_mod_inv implementation; this wrapper - * function is only provided for convenience; for best performance, use the - * BN_GF2m_mod_inv function. 
- */ -int -BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *xx, const int p[], BN_CTX *ctx) -{ - BIGNUM *field; - int ret = 0; - - bn_check_top(xx); - BN_CTX_start(ctx); - if ((field = BN_CTX_get(ctx)) == NULL) - goto err; - if (!BN_GF2m_arr2poly(p, field)) - goto err; - - ret = BN_GF2m_mod_inv(r, xx, field, ctx); - bn_check_top(r); - -err: - BN_CTX_end(ctx); - return ret; -} - - -#ifndef OPENSSL_SUN_GF2M_DIV -/* Divide y by x, reduce modulo p, and store the result in r. r could be x - * or y, x could equal y. - */ -int -BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x, const BIGNUM *p, - BN_CTX *ctx) -{ - BIGNUM *xinv = NULL; - int ret = 0; - - bn_check_top(y); - bn_check_top(x); - bn_check_top(p); - - BN_CTX_start(ctx); - if ((xinv = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_GF2m_mod_inv(xinv, x, p, ctx)) - goto err; - if (!BN_GF2m_mod_mul(r, y, xinv, p, ctx)) - goto err; - bn_check_top(r); - ret = 1; - -err: - BN_CTX_end(ctx); - return ret; -} -#else -/* Divide y by x, reduce modulo p, and store the result in r. r could be x - * or y, x could equal y. - * Uses algorithm Modular_Division_GF(2^m) from - * Chang-Shantz, S. "From Euclid's GCD to Montgomery Multiplication to - * the Great Divide". 
- */ -int -BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *y, const BIGNUM *x, const BIGNUM *p, - BN_CTX *ctx) -{ - BIGNUM *a, *b, *u, *v; - int ret = 0; - - bn_check_top(y); - bn_check_top(x); - bn_check_top(p); - - BN_CTX_start(ctx); - - if ((a = BN_CTX_get(ctx)) == NULL) - goto err; - if ((b = BN_CTX_get(ctx)) == NULL) - goto err; - if ((u = BN_CTX_get(ctx)) == NULL) - goto err; - if ((v = BN_CTX_get(ctx)) == NULL) - goto err; - - /* reduce x and y mod p */ - if (!BN_GF2m_mod(u, y, p)) - goto err; - if (!BN_GF2m_mod(a, x, p)) - goto err; - if (!BN_copy(b, p)) - goto err; - - while (!BN_is_odd(a)) { - if (!BN_rshift1(a, a)) - goto err; - if (BN_is_odd(u)) - if (!BN_GF2m_add(u, u, p)) - goto err; - if (!BN_rshift1(u, u)) - goto err; - } - - do { - if (BN_GF2m_cmp(b, a) > 0) { - if (!BN_GF2m_add(b, b, a)) - goto err; - if (!BN_GF2m_add(v, v, u)) - goto err; - do { - if (!BN_rshift1(b, b)) - goto err; - if (BN_is_odd(v)) - if (!BN_GF2m_add(v, v, p)) - goto err; - if (!BN_rshift1(v, v)) - goto err; - } while (!BN_is_odd(b)); - } else if (BN_abs_is_word(a, 1)) - break; - else { - if (!BN_GF2m_add(a, a, b)) - goto err; - if (!BN_GF2m_add(u, u, v)) - goto err; - do { - if (!BN_rshift1(a, a)) - goto err; - if (BN_is_odd(u)) - if (!BN_GF2m_add(u, u, p)) - goto err; - if (!BN_rshift1(u, u)) - goto err; - } while (!BN_is_odd(a)); - } - } while (1); - - if (!BN_copy(r, u)) - goto err; - bn_check_top(r); - ret = 1; - -err: - BN_CTX_end(ctx); - return ret; -} -#endif - -/* Divide yy by xx, reduce modulo p, and store the result in r. r could be xx - * or yy, xx could equal yy. - * - * This function calls down to the BN_GF2m_mod_div implementation; this wrapper - * function is only provided for convenience; for best performance, use the - * BN_GF2m_mod_div function. 
- */ -int -BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *yy, const BIGNUM *xx, - const int p[], BN_CTX *ctx) -{ - BIGNUM *field; - int ret = 0; - - bn_check_top(yy); - bn_check_top(xx); - - BN_CTX_start(ctx); - if ((field = BN_CTX_get(ctx)) == NULL) - goto err; - if (!BN_GF2m_arr2poly(p, field)) - goto err; - - ret = BN_GF2m_mod_div(r, yy, xx, field, ctx); - bn_check_top(r); - -err: - BN_CTX_end(ctx); - return ret; -} - - -/* Compute the bth power of a, reduce modulo p, and store - * the result in r. r could be a. - * Uses simple square-and-multiply algorithm A.5.1 from IEEE P1363. - */ -int -BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const int p[], - BN_CTX *ctx) -{ - int ret = 0, i, n; - BIGNUM *u; - - bn_check_top(a); - bn_check_top(b); - - if (BN_is_zero(b)) - return (BN_one(r)); - - if (BN_abs_is_word(b, 1)) - return (BN_copy(r, a) != NULL); - - BN_CTX_start(ctx); - if ((u = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_GF2m_mod_arr(u, a, p)) - goto err; - - n = BN_num_bits(b) - 1; - for (i = n - 1; i >= 0; i--) { - if (!BN_GF2m_mod_sqr_arr(u, u, p, ctx)) - goto err; - if (BN_is_bit_set(b, i)) { - if (!BN_GF2m_mod_mul_arr(u, u, a, p, ctx)) - goto err; - } - } - if (!BN_copy(r, u)) - goto err; - bn_check_top(r); - ret = 1; - -err: - BN_CTX_end(ctx); - return ret; -} - -/* Compute the bth power of a, reduce modulo p, and store - * the result in r. r could be a. - * - * This function calls down to the BN_GF2m_mod_exp_arr implementation; this wrapper - * function is only provided for convenience; for best performance, use the - * BN_GF2m_mod_exp_arr function. 
- */ -int -BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *p, - BN_CTX *ctx) -{ - int ret = 0; - const int max = BN_num_bits(p) + 1; - int *arr = NULL; - - bn_check_top(a); - bn_check_top(b); - bn_check_top(p); - if ((arr = reallocarray(NULL, max, sizeof(int))) == NULL) - goto err; - ret = BN_GF2m_poly2arr(p, arr, max); - if (!ret || ret > max) { - BNerror(BN_R_INVALID_LENGTH); - goto err; - } - ret = BN_GF2m_mod_exp_arr(r, a, b, arr, ctx); - bn_check_top(r); - -err: - free(arr); - return ret; -} - -/* Compute the square root of a, reduce modulo p, and store - * the result in r. r could be a. - * Uses exponentiation as in algorithm A.4.1 from IEEE P1363. - */ -int -BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, const int p[], BN_CTX *ctx) -{ - int ret = 0; - BIGNUM *u; - - bn_check_top(a); - - if (!p[0]) { - /* reduction mod 1 => return 0 */ - BN_zero(r); - return 1; - } - - BN_CTX_start(ctx); - if ((u = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_set_bit(u, p[0] - 1)) - goto err; - ret = BN_GF2m_mod_exp_arr(r, a, u, p, ctx); - bn_check_top(r); - -err: - BN_CTX_end(ctx); - return ret; -} - -/* Compute the square root of a, reduce modulo p, and store - * the result in r. r could be a. - * - * This function calls down to the BN_GF2m_mod_sqrt_arr implementation; this wrapper - * function is only provided for convenience; for best performance, use the - * BN_GF2m_mod_sqrt_arr function. - */ -int -BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) -{ - int ret = 0; - const int max = BN_num_bits(p) + 1; - int *arr = NULL; - bn_check_top(a); - bn_check_top(p); - if ((arr = reallocarray(NULL, max, sizeof(int))) == NULL) - goto err; - ret = BN_GF2m_poly2arr(p, arr, max); - if (!ret || ret > max) { - BNerror(BN_R_INVALID_LENGTH); - goto err; - } - ret = BN_GF2m_mod_sqrt_arr(r, a, arr, ctx); - bn_check_top(r); - -err: - free(arr); - return ret; -} - -/* Find r such that r^2 + r = a mod p. r could be a. 
If no r exists returns 0. - * Uses algorithms A.4.7 and A.4.6 from IEEE P1363. - */ -int -BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a_, const int p[], - BN_CTX *ctx) -{ - int ret = 0, count = 0, j; - BIGNUM *a, *z, *rho, *w, *w2, *tmp; - - bn_check_top(a_); - - if (!p[0]) { - /* reduction mod 1 => return 0 */ - BN_zero(r); - return 1; - } - - BN_CTX_start(ctx); - if ((a = BN_CTX_get(ctx)) == NULL) - goto err; - if ((z = BN_CTX_get(ctx)) == NULL) - goto err; - if ((w = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_GF2m_mod_arr(a, a_, p)) - goto err; - - if (BN_is_zero(a)) { - BN_zero(r); - ret = 1; - goto err; - } - - if (p[0] & 0x1) /* m is odd */ - { - /* compute half-trace of a */ - if (!BN_copy(z, a)) - goto err; - for (j = 1; j <= (p[0] - 1) / 2; j++) { - if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx)) - goto err; - if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx)) - goto err; - if (!BN_GF2m_add(z, z, a)) - goto err; - } - - } - else /* m is even */ - { - if ((rho = BN_CTX_get(ctx)) == NULL) - goto err; - if ((w2 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((tmp = BN_CTX_get(ctx)) == NULL) - goto err; - do { - if (!BN_rand(rho, p[0], 0, 0)) - goto err; - if (!BN_GF2m_mod_arr(rho, rho, p)) - goto err; - BN_zero(z); - if (!BN_copy(w, rho)) - goto err; - for (j = 1; j <= p[0] - 1; j++) { - if (!BN_GF2m_mod_sqr_arr(z, z, p, ctx)) - goto err; - if (!BN_GF2m_mod_sqr_arr(w2, w, p, ctx)) - goto err; - if (!BN_GF2m_mod_mul_arr(tmp, w2, a, p, ctx)) - goto err; - if (!BN_GF2m_add(z, z, tmp)) - goto err; - if (!BN_GF2m_add(w, w2, rho)) - goto err; - } - count++; - } while (BN_is_zero(w) && (count < MAX_ITERATIONS)); - if (BN_is_zero(w)) { - BNerror(BN_R_TOO_MANY_ITERATIONS); - goto err; - } - } - - if (!BN_GF2m_mod_sqr_arr(w, z, p, ctx)) - goto err; - if (!BN_GF2m_add(w, z, w)) - goto err; - if (BN_GF2m_cmp(w, a)) { - BNerror(BN_R_NO_SOLUTION); - goto err; - } - - if (!BN_copy(r, z)) - goto err; - bn_check_top(r); - - ret = 1; - -err: - BN_CTX_end(ctx); - return ret; -} - -/* 
Find r such that r^2 + r = a mod p. r could be a. If no r exists returns 0. - * - * This function calls down to the BN_GF2m_mod_solve_quad_arr implementation; this wrapper - * function is only provided for convenience; for best performance, use the - * BN_GF2m_mod_solve_quad_arr function. - */ -int -BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) -{ - int ret = 0; - const int max = BN_num_bits(p) + 1; - int *arr = NULL; - - bn_check_top(a); - bn_check_top(p); - if ((arr = reallocarray(NULL, max, sizeof(int))) == NULL) - goto err; - ret = BN_GF2m_poly2arr(p, arr, max); - if (!ret || ret > max) { - BNerror(BN_R_INVALID_LENGTH); - goto err; - } - ret = BN_GF2m_mod_solve_quad_arr(r, a, arr, ctx); - bn_check_top(r); - -err: - free(arr); - return ret; -} - -/* Convert the bit-string representation of a polynomial - * ( \sum_{i=0}^n a_i * x^i) into an array of integers corresponding - * to the bits with non-zero coefficient. Array is terminated with -1. - * Up to max elements of the array will be filled. Return value is total - * number of array elements that would be filled if array was large enough. - */ -int -BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max) -{ - int i, j, k = 0; - BN_ULONG mask; - - if (BN_is_zero(a)) - return 0; - - for (i = a->top - 1; i >= 0; i--) { - if (!a->d[i]) - /* skip word if a->d[i] == 0 */ - continue; - mask = BN_TBIT; - for (j = BN_BITS2 - 1; j >= 0; j--) { - if (a->d[i] & mask) { - if (k < max) - p[k] = BN_BITS2 * i + j; - k++; - } - mask >>= 1; - } - } - - if (k < max) { - p[k] = -1; - k++; - } - - return k; -} - -/* Convert the coefficient array representation of a polynomial to a - * bit-string. The array must be terminated by -1. - */ -int -BN_GF2m_arr2poly(const int p[], BIGNUM *a) -{ - int i; - - bn_check_top(a); - BN_zero(a); - for (i = 0; p[i] != -1; i++) { - if (BN_set_bit(a, p[i]) == 0) - return 0; - } - bn_check_top(a); - - return 1; -} - -#endif 
diff --git a/crypto/bn/bn_internal.h b/crypto/bn/bn_internal.h
new file mode 100644
index 0000000..8a729b8
--- /dev/null
+++ b/crypto/bn/bn_internal.h
@@ -0,0 +1,390 @@ +/* $OpenBSD: bn_internal.h,v 1.11 2023/03/07 09:35:55 jsing Exp $ */ +/* + * Copyright (c) 2023 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include "bn_arch.h" + +#ifndef HEADER_BN_INTERNAL_H +#define HEADER_BN_INTERNAL_H + +#ifndef HAVE_BN_CT_NE_ZERO +static inline int +bn_ct_ne_zero(BN_ULONG w) +{ + return (w | ~(w - 1)) >> (BN_BITS2 - 1); +} +#endif + +#ifndef HAVE_BN_CT_NE_ZERO_MASK +static inline BN_ULONG +bn_ct_ne_zero_mask(BN_ULONG w) +{ + return 0 - bn_ct_ne_zero(w); +} +#endif + +#ifndef HAVE_BN_CT_EQ_ZERO +static inline int +bn_ct_eq_zero(BN_ULONG w) +{ + return 1 - bn_ct_ne_zero(w); +} +#endif + +#ifndef HAVE_BN_CT_EQ_ZERO_MASK +static inline BN_ULONG +bn_ct_eq_zero_mask(BN_ULONG w) +{ + return 0 - bn_ct_eq_zero(w); +} +#endif + +/* + * Big number primitives are named as the operation followed by a suffix + * that indicates the number of words that it operates on, where 'w' means + * single word, 'dw' means double word, 'tw' means triple word and 'qw' means + * quadruple word. Unless otherwise noted, the size of the output is implied + * based on its inputs, for example bn_mulw() takes two single word inputs + * and is going to produce a double word result. 
+ * + * Where a function implements multiple operations, these are listed in order. + * For example, a function that computes (r1:r0) = a * b + c is named + * bn_mulw_addw(), producing a double word result. + */ + +/* + * bn_addw() computes (r1:r0) = a + b, where both inputs are single words, + * producing a double word result. The value of r1 is the carry from the + * addition. + */ +#ifndef HAVE_BN_ADDW +#ifdef BN_LLONG +static inline void +bn_addw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) +{ + BN_ULLONG r; + + r = (BN_ULLONG)a + (BN_ULLONG)b; + + *out_r1 = r >> BN_BITS2; + *out_r0 = r & BN_MASK2; +} +#else + +static inline void +bn_addw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) +{ + BN_ULONG r1, r0, c1, c2; + + c1 = a | b; + c2 = a & b; + r0 = a + b; + r1 = ((c1 & ~r0) | c2) >> (BN_BITS2 - 1); /* carry */ + + *out_r1 = r1; + *out_r0 = r0; +} +#endif +#endif + +/* + * bn_addw_addw() computes (r1:r0) = a + b + c, where all inputs are single + * words, producing a double word result. + */ +#ifndef HAVE_BN_ADDW_ADDW +static inline void +bn_addw_addw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG *out_r1, + BN_ULONG *out_r0) +{ + BN_ULONG carry, r1, r0; + + bn_addw(a, b, &r1, &r0); + bn_addw(r0, c, &carry, &r0); + r1 += carry; + + *out_r1 = r1; + *out_r0 = r0; +} +#endif + +/* + * bn_subw() computes r0 = a - b, where both inputs are single words, + * producing a single word result and borrow. + */ +#ifndef HAVE_BN_SUBW +static inline void +bn_subw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_borrow, BN_ULONG *out_r0) +{ + BN_ULONG borrow, r0; + + r0 = a - b; + borrow = ((r0 | (b & ~a)) & (b | ~a)) >> (BN_BITS2 - 1); + + *out_borrow = borrow; + *out_r0 = r0; +} +#endif + +/* + * bn_subw_subw() computes r0 = a - b - c, where all inputs are single words, + * producing a single word result and borrow. 
+ */ +#ifndef HAVE_BN_SUBW_SUBW +static inline void +bn_subw_subw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG *out_borrow, + BN_ULONG *out_r0) +{ + BN_ULONG b1, b2, r0; + + bn_subw(a, b, &b1, &r0); + bn_subw(r0, c, &b2, &r0); + + *out_borrow = b1 + b2; + *out_r0 = r0; +} +#endif + +/* + * bn_mulw() computes (r1:r0) = a * b, where both inputs are single words, + * producing a double word result. + */ +#ifndef HAVE_BN_MULW +#ifdef BN_LLONG +static inline void +bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) +{ + BN_ULLONG r; + + r = (BN_ULLONG)a * (BN_ULLONG)b; + + *out_r1 = r >> BN_BITS2; + *out_r0 = r & BN_MASK2; +} + +#else /* !BN_LLONG */ +/* + * Multiply two words (a * b) producing a double word result (h:l). + * + * This can be rewritten as: + * + * a * b = (hi32(a) * 2^32 + lo32(a)) * (hi32(b) * 2^32 + lo32(b)) + * = hi32(a) * hi32(b) * 2^64 + + * hi32(a) * lo32(b) * 2^32 + + * hi32(b) * lo32(a) * 2^32 + + * lo32(a) * lo32(b) + * + * The multiplication for each part of a and b can be calculated for each of + * these four terms without overflowing a BN_ULONG, as the maximum value of a + * 32 bit x 32 bit multiplication is 32 + 32 = 64 bits. Once these + * multiplications have been performed the result can be partitioned and summed + * into a double word (h:l). The same applies on a 32 bit system, substituting + * 16 for 32 and 32 for 64. + */ +#if 1 +static inline void +bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) +{ + BN_ULONG a1, a0, b1, b0, r1, r0; + BN_ULONG carry, x; + + a1 = a >> BN_BITS4; + a0 = a & BN_MASK2l; + b1 = b >> BN_BITS4; + b0 = b & BN_MASK2l; + + r1 = a1 * b1; + r0 = a0 * b0; + + /* (a1 * b0) << BN_BITS4, partition the result across r1:r0 with carry. */ + x = a1 * b0; + r1 += x >> BN_BITS4; + bn_addw(r0, x << BN_BITS4, &carry, &r0); + r1 += carry; + + /* (b1 * a0) << BN_BITS4, partition the result across r1:r0 with carry. 
*/ + x = b1 * a0; + r1 += x >> BN_BITS4; + bn_addw(r0, x << BN_BITS4, &carry, &r0); + r1 += carry; + + *out_r1 = r1; + *out_r0 = r0; +} +#else + +/* + * XXX - this accumulator based version uses fewer instructions, however + * requires more variables/registers. It seems to be slower on at least amd64 + * and i386, however may be faster on other architectures that have more + * registers available. Further testing is required and one of the two + * implementations should eventually be removed. + */ +static inline void +bn_mulw(BN_ULONG a, BN_ULONG b, BN_ULONG *out_r1, BN_ULONG *out_r0) +{ + BN_ULONG a1, a0, b1, b0, r1, r0, x; + BN_ULONG acc0, acc1, acc2, acc3; + + a1 = a >> BN_BITS4; + b1 = b >> BN_BITS4; + a0 = a & BN_MASK2l; + b0 = b & BN_MASK2l; + + r1 = a1 * b1; + r0 = a0 * b0; + + acc0 = r0 & BN_MASK2l; + acc1 = r0 >> BN_BITS4; + acc2 = r1 & BN_MASK2l; + acc3 = r1 >> BN_BITS4; + + /* (a1 * b0) << BN_BITS4, partition the result across r1:r0. */ + x = a1 * b0; + acc1 += x & BN_MASK2l; + acc2 += (acc1 >> BN_BITS4) + (x >> BN_BITS4); + acc1 &= BN_MASK2l; + acc3 += acc2 >> BN_BITS4; + acc2 &= BN_MASK2l; + + /* (b1 * a0) << BN_BITS4, partition the result across r1:r0. */ + x = b1 * a0; + acc1 += x & BN_MASK2l; + acc2 += (acc1 >> BN_BITS4) + (x >> BN_BITS4); + acc1 &= BN_MASK2l; + acc3 += acc2 >> BN_BITS4; + acc2 &= BN_MASK2l; + + *out_r1 = (acc3 << BN_BITS4) | acc2; + *out_r0 = (acc1 << BN_BITS4) | acc0; +} +#endif +#endif /* !BN_LLONG */ +#endif + +#ifndef HAVE_BN_MULW_LO +static inline BN_ULONG +bn_mulw_lo(BN_ULONG a, BN_ULONG b) +{ + return a * b; +} +#endif + +#ifndef HAVE_BN_MULW_HI +static inline BN_ULONG +bn_mulw_hi(BN_ULONG a, BN_ULONG b) +{ + BN_ULONG h, l; + + bn_mulw(a, b, &h, &l); + + return h; +} +#endif + +/* + * bn_mulw_addw() computes (r1:r0) = a * b + c with all inputs being single + * words, producing a double word result. 
+ */ +#ifndef HAVE_BN_MULW_ADDW +static inline void +bn_mulw_addw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG *out_r1, + BN_ULONG *out_r0) +{ + BN_ULONG carry, r1, r0; + + bn_mulw(a, b, &r1, &r0); + bn_addw(r0, c, &carry, &r0); + r1 += carry; + + *out_r1 = r1; + *out_r0 = r0; +} +#endif + +/* + * bn_mulw_addw_addw() computes (r1:r0) = a * b + c + d with all inputs being + * single words, producing a double word result. + */ +#ifndef HAVE_BN_MULW_ADDW_ADDW +static inline void +bn_mulw_addw_addw(BN_ULONG a, BN_ULONG b, BN_ULONG c, BN_ULONG d, + BN_ULONG *out_r1, BN_ULONG *out_r0) +{ + BN_ULONG carry, r1, r0; + + bn_mulw_addw(a, b, c, &r1, &r0); + bn_addw(r0, d, &carry, &r0); + r1 += carry; + + *out_r1 = r1; + *out_r0 = r0; +} +#endif + +/* + * bn_mulw_addtw() computes (r2:r1:r0) = a * b + (c2:c1:c0), where a and b are + * single words and (c2:c1:c0) is a triple word, producing a triple word result. + * The caller must ensure that the inputs provided do not result in c2 + * overflowing. + */ +#ifndef HAVE_BN_MULW_ADDTW +static inline void +bn_mulw_addtw(BN_ULONG a, BN_ULONG b, BN_ULONG c2, BN_ULONG c1, BN_ULONG c0, + BN_ULONG *out_r2, BN_ULONG *out_r1, BN_ULONG *out_r0) +{ + BN_ULONG carry, r2, r1, r0, x1; + + bn_mulw_addw(a, b, c0, &x1, &r0); + bn_addw(c1, x1, &carry, &r1); + r2 = c2 + carry; + + *out_r2 = r2; + *out_r1 = r1; + *out_r0 = r0; +} +#endif + +/* + * bn_mul2_mulw_addtw() computes (r2:r1:r0) = 2 * a * b + (c2:c1:c0), where a + * and b are single words and (c2:c1:c0) is a triple word, producing a triple + * word result. The caller must ensure that the inputs provided do not result + * in c2 overflowing. 
+ */ +#ifndef HAVE_BN_MUL2_MULW_ADDTW +static inline void +bn_mul2_mulw_addtw(BN_ULONG a, BN_ULONG b, BN_ULONG c2, BN_ULONG c1, BN_ULONG c0, + BN_ULONG *out_r2, BN_ULONG *out_r1, BN_ULONG *out_r0) +{ + BN_ULONG r2, r1, r0, x1, x0; + BN_ULONG carry; + + bn_mulw(a, b, &x1, &x0); + bn_addw(c0, x0, &carry, &r0); + bn_addw(c1, x1 + carry, &r2, &r1); + bn_addw(c2, r2, &carry, &r2); + bn_addw(r0, x0, &carry, &r0); + bn_addw(r1, x1 + carry, &carry, &r1); + r2 += carry; + + *out_r2 = r2; + *out_r1 = r1; + *out_r0 = r0; +} +#endif + +#endif diff --git a/crypto/bn/bn_isqrt.c b/crypto/bn/bn_isqrt.c new file mode 100644 index 0000000..d24a4a4 --- /dev/null +++ b/crypto/bn/bn_isqrt.c 
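Review bot: The include guard `#ifndef HEADER_BN_INTERNAL_H` is opened only after the system include and `#include "bn_arch.h"`, so those two includes are re-processed on every inclusion of this header and the layout relies on `bn_arch.h` being idempotent; moving both includes below `#define HEADER_BN_INTERNAL_H` is the conventional form. Separately, `bn_subw_subw()` is documented as producing "a single word result and borrow", but its borrow is `b1 + b2`, which reaches 2 for inputs such as a = 0, b = BN_MASK2, c = 2 (the first subtraction wraps to 1 with a borrow, the second borrows again); if callers are expected to pass only a previous borrow of at most 1 as c, a comment such as `/* c is expected to be a borrow (0 or 1); out_borrow is then 0 or 1. */` would state that precondition, otherwise the comment should say the borrow may be 0..2. The disabled accumulator variant of `bn_mulw()` under `#if 1`/`#else` is already flagged by its XXX comment, but leaving a second full implementation in a crypto header increases the audit surface; a follow-up to pick one would be worthwhile.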
@@ -0,0 +1,236 @@ +/* $OpenBSD: bn_isqrt.c,v 1.9 2023/05/19 00:54:28 deraadt Exp $ */ +/* + * Copyright (c) 2022 Theo Buehler + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +#include +#include + +#include "bn_local.h" + +#define CTASSERT(x) extern char _ctassert[(x) ? 1 : -1 ] \ + __attribute__((__unused__)) + +/* + * Calculate integer square root of |n| using a variant of Newton's method. + * + * Returns the integer square root of |n| in the caller-provided |out_sqrt|; + * |*out_perfect| is set to 1 if and only if |n| is a perfect square. + * One of |out_sqrt| and |out_perfect| can be NULL; |in_ctx| can be NULL. + * + * Returns 0 on error, 1 on success. + * + * Adapted from pure Python describing cpython's math.isqrt(), without bothering + * with any of the optimizations in the C code. A correctness proof is here: + * https://github.com/mdickinson/snippets/blob/master/proofs/isqrt/src/isqrt.lean + * The comments in the Python code also give a rather detailed proof. 
+ */ + +int +bn_isqrt(BIGNUM *out_sqrt, int *out_perfect, const BIGNUM *n, BN_CTX *in_ctx) +{ + BN_CTX *ctx = NULL; + BIGNUM *a, *b; + int c, d, e, s; + int cmp, perfect; + int ret = 0; + + if (out_perfect == NULL && out_sqrt == NULL) { + BNerror(ERR_R_PASSED_NULL_PARAMETER); + goto err; + } + + if (BN_is_negative(n)) { + BNerror(BN_R_INVALID_RANGE); + goto err; + } + + if ((ctx = in_ctx) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + BN_CTX_start(ctx); + + if ((a = BN_CTX_get(ctx)) == NULL) + goto err; + if ((b = BN_CTX_get(ctx)) == NULL) + goto err; + + if (BN_is_zero(n)) { + perfect = 1; + BN_zero(a); + goto done; + } + + if (!BN_one(a)) + goto err; + + c = (BN_num_bits(n) - 1) / 2; + d = 0; + + /* Calculate s = floor(log(c)). */ + if (!BN_set_word(b, c)) + goto err; + s = BN_num_bits(b) - 1; + + /* + * By definition, the loop below is run <= floor(log(log(n))) times. + * Comments in the cpython code establish the loop invariant that + * + * (a - 1)^2 < n / 4^(c - d) < (a + 1)^2 + * + * holds true in every iteration. Once this is proved via induction, + * correctness of the algorithm is easy. + * + * Roughly speaking, A = (a << (d - e)) is used for one Newton step + * "a = (A >> 1) + (m >> 1) / A" approximating m = (n >> 2 * (c - d)). + */ + + for (; s >= 0; s--) { + e = d; + d = c >> s; + + if (!BN_rshift(b, n, 2 * c - d - e + 1)) + goto err; + + if (!BN_div_ct(b, NULL, b, a, ctx)) + goto err; + + if (!BN_lshift(a, a, d - e - 1)) + goto err; + + if (!BN_add(a, a, b)) + goto err; + } + + /* + * The loop invariant implies that either a or a - 1 is isqrt(n). + * Figure out which one it is. The invariant also implies that for + * a perfect square n, a must be the square root. + */ + + if (!BN_sqr(b, a, ctx)) + goto err; + + /* If a^2 > n, we must have isqrt(n) == a - 1. 
*/ + if ((cmp = BN_cmp(b, n)) > 0) { + if (!BN_sub_word(a, 1)) + goto err; + } + + perfect = cmp == 0; + + done: + if (out_perfect != NULL) + *out_perfect = perfect; + + if (out_sqrt != NULL) { + if (!bn_copy(out_sqrt, a)) + goto err; + } + + ret = 1; + + err: + BN_CTX_end(ctx); + + if (ctx != in_ctx) + BN_CTX_free(ctx); + + return ret; +} + +/* + * is_square_mod_N[r % N] indicates whether r % N has a square root modulo N. + * The tables are generated in regress/lib/libcrypto/bn/bn_isqrt.c. + */ + +const uint8_t is_square_mod_11[] = { + 1, 1, 0, 1, 1, 1, 0, 0, 0, 1, 0, +}; +CTASSERT(sizeof(is_square_mod_11) == 11); + +const uint8_t is_square_mod_63[] = { + 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 0, 0, 0, 0, + 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0, 1, 0, 0, 0, + 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 0, 0, 1, 0, + 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, +}; +CTASSERT(sizeof(is_square_mod_63) == 63); + +const uint8_t is_square_mod_64[] = { + 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, + 1, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, + 0, 1, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, + 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, +}; +CTASSERT(sizeof(is_square_mod_64) == 64); + +const uint8_t is_square_mod_65[] = { + 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 1, 0, + 1, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, + 0, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, + 0, 1, 0, 1, 0, 0, 0, 1, 1, 0, 0, 0, 0, 1, 0, 0, + 1, +}; +CTASSERT(sizeof(is_square_mod_65) == 65); + +/* + * Determine whether n is a perfect square or not. + * + * Returns 1 on success and 0 on error. In case of success, |*out_perfect| is + * set to 1 if and only if |n| is a perfect square. + */ + +int +bn_is_perfect_square(int *out_perfect, const BIGNUM *n, BN_CTX *ctx) +{ + BN_ULONG r; + + *out_perfect = 0; + + if (BN_is_negative(n)) + return 1; + + /* + * Before performing an expensive bn_isqrt() operation, weed out many + * obvious non-squares. See H. 
Cohen, "A course in computational + * algebraic number theory", Algorithm 1.7.3. + * + * The idea is that a square remains a square when reduced modulo any + * number. The moduli are chosen in such a way that a non-square has + * probability < 1% of passing the four table lookups. + */ + + /* n % 64 */ + r = BN_lsw(n) & 0x3f; + + if (!is_square_mod_64[r % 64]) + return 1; + + if ((r = BN_mod_word(n, 11 * 63 * 65)) == (BN_ULONG)-1) + return 0; + + if (!is_square_mod_63[r % 63] || + !is_square_mod_65[r % 65] || + !is_square_mod_11[r % 11]) + return 1; + + return bn_isqrt(NULL, out_perfect, n, ctx); +} diff --git a/crypto/bn/bn_kron.c b/crypto/bn/bn_kron.c index 274da5d..f48823a 100644 --- a/crypto/bn/bn_kron.c +++ b/crypto/bn/bn_kron.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_kron.c,v 1.6 2015/02/09 15:49:22 jsing Exp $ */ +/* $OpenBSD: bn_kron.c,v 1.14 2023/03/27 10:21:23 tb Exp $ */ /* ==================================================================== * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. * 
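Review bot: The two parameter checks at the top of bn_isqrt() (`out_perfect == NULL && out_sqrt == NULL` and `BN_is_negative(n)`) jump to `err` before `BN_CTX_start(ctx)` has run, so the `BN_CTX_end(ctx)` under `err` is unbalanced: with a caller-supplied `in_ctx` that already has an open frame it pops the caller's frame, and with `in_ctx == NULL` it is called on a NULL pointer (the same happens when `BN_CTX_new()` fails), which is only safe if BN_CTX_end() tolerates NULL — its definition is not in this diff, so I can't confirm that. Replacing each of those two early `goto err;` with `return 0;` keeps start/end paired; alternatively move the checks to after `BN_CTX_start()`. In bn_is_perfect_square(), the `r % 64` index into `is_square_mod_64[]` is already masked by `& 0x3f`, so the modulo is redundant but harmless; a short comment noting the mask makes the intent clear.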
@@ -53,133 +53,142 @@ * */ -#include "bn_lcl.h" +#include "bn_local.h" -/* least significant word */ -#define BN_lsw(n) (((n)->top == 0) ? (BN_ULONG) 0 : (n)->d[0]) +/* + * Kronecker symbol, implemented according to Henri Cohen, "A Course in + * Computational Algebraic Number Theory", Algorithm 1.4.10. + * + * Returns -1, 0, or 1 on success and -2 on error. + */ -/* Returns -2 for errors because both -1 and 0 are valid results. */ int -BN_kronecker(const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) +BN_kronecker(const BIGNUM *A, const BIGNUM *B, BN_CTX *ctx) { - int i; - int ret = -2; /* avoid 'uninitialized' warning */ - int err = 0; - BIGNUM *A, *B, *tmp; - - /* In 'tab', only odd-indexed entries are relevant: - * For any odd BIGNUM n, - * tab[BN_lsw(n) & 7] - * is $(-1)^{(n^2-1)/8}$ (using TeX notation). - * Note that the sign of n does not matter. - */ + /* tab[BN_lsw(n) & 7] = (-1)^((n^2 - 1)) / 8) for odd values of n. */ static const int tab[8] = {0, 1, 0, -1, 0, -1, 0, 1}; - - bn_check_top(a); - bn_check_top(b); + BIGNUM *a, *b, *tmp; + int k, v; + int ret = -2; BN_CTX_start(ctx); - if ((A = BN_CTX_get(ctx)) == NULL) + + if ((a = BN_CTX_get(ctx)) == NULL) goto end; - if ((B = BN_CTX_get(ctx)) == NULL) + if ((b = BN_CTX_get(ctx)) == NULL) goto end; - err = !BN_copy(A, a); - if (err) + if (!bn_copy(a, A)) goto end; - err = !BN_copy(B, b); - if (err) + if (!bn_copy(b, B)) goto end; /* - * Kronecker symbol, imlemented according to Henri Cohen, - * "A Course in Computational Algebraic Number Theory" - * (algorithm 1.4.10). + * Cohen's step 1: */ - /* Cohen's step 1: */ - - if (BN_is_zero(B)) { - ret = BN_abs_is_word(A, 1); + /* If b is zero, output 1 if |a| is 1, otherwise output 0. */ + if (BN_is_zero(b)) { + ret = BN_abs_is_word(a, 1); goto end; } - /* Cohen's step 2: */ + /* + * Cohen's step 2: + */ - if (!BN_is_odd(A) && !BN_is_odd(B)) { + /* If both are even, they have a factor in common, so output 0. 
*/ + if (!BN_is_odd(a) && !BN_is_odd(b)) { ret = 0; goto end; } - /* now B is non-zero */ - i = 0; - while (!BN_is_bit_set(B, i)) - i++; - err = !BN_rshift(B, B, i); - if (err) + /* Factorize b = 2^v * u with odd u and replace b with u. */ + v = 0; + while (!BN_is_bit_set(b, v)) + v++; + if (!BN_rshift(b, b, v)) goto end; - if (i & 1) { - /* i is odd */ - /* (thus B was even, thus A must be odd!) */ - /* set 'ret' to $(-1)^{(A^2-1)/8}$ */ - ret = tab[BN_lsw(A) & 7]; - } else { - /* i is even */ - ret = 1; + /* If v is even set k = 1, otherwise set it to (-1)^((a^2 - 1) / 8). */ + k = 1; + if (v % 2 != 0) + k = tab[BN_lsw(a) & 7]; + + /* + * If b is negative, replace it with -b and if a is also negative + * replace k with -k. + */ + if (BN_is_negative(b)) { + BN_set_negative(b, 0); + + if (BN_is_negative(a)) + k = -k; } - if (B->neg) { - B->neg = 0; - if (A->neg) - ret = -ret; - } - - /* now B is positive and odd, so what remains to be done is - * to compute the Jacobi symbol (A/B) and multiply it by 'ret' */ + /* + * Now b is positive and odd, so compute the Jacobi symbol (a/b) + * and multiply it by k. + */ while (1) { - /* Cohen's step 3: */ + /* + * Cohen's step 3: + */ - /* B is positive and odd */ + /* b is positive and odd. */ - if (BN_is_zero(A)) { - ret = BN_is_one(B) ? ret : 0; + /* If a is zero output k if b is one, otherwise output 0. */ + if (BN_is_zero(a)) { + ret = BN_is_one(b) ? k : 0; goto end; } - /* now A is non-zero */ - i = 0; - while (!BN_is_bit_set(A, i)) - i++; - err = !BN_rshift(A, A, i); - if (err) + /* Factorize a = 2^v * u with odd u and replace a with u. */ + v = 0; + while (!BN_is_bit_set(a, v)) + v++; + if (!BN_rshift(a, a, v)) goto end; - if (i & 1) { - /* i is odd */ - /* multiply 'ret' by $(-1)^{(B^2-1)/8}$ */ - ret = ret * tab[BN_lsw(B) & 7]; - } - /* Cohen's step 4: */ - /* multiply 'ret' by $(-1)^{(A-1)(B-1)/4}$ */ - if ((A->neg ? 
~BN_lsw(A) : BN_lsw(A)) & BN_lsw(B) & 2) - ret = -ret; + /* If v is odd, multiply k with (-1)^((b^2 - 1) / 8). */ + if (v % 2 != 0) + k *= tab[BN_lsw(b) & 7]; - /* (A, B) := (B mod |A|, |A|) */ - err = !BN_nnmod(B, B, A, ctx); - if (err) + /* + * Cohen's step 4: + */ + + /* + * Apply the reciprocity law: multiply k by (-1)^((a-1)(b-1)/4). + * + * This expression is -1 if and only if a and b are 3 (mod 4). + * In turn, this is the case if and only if their two's + * complement representations have the second bit set. + * a could be negative in the first iteration, b is positive. + */ + if ((BN_is_negative(a) ? ~BN_lsw(a) : BN_lsw(a)) & BN_lsw(b) & 2) + k = -k; + + /* + * (a, b) := (b mod |a|, |a|) + * + * Once this is done, we know that 0 < a < b at the start of the + * loop. Since b is strictly decreasing, the loop terminates. + */ + + if (!BN_nnmod(b, b, a, ctx)) goto end; - tmp = A; - A = B; - B = tmp; - tmp->neg = 0; + + tmp = a; + a = b; + b = tmp; + + BN_set_negative(b, 0); } -end: + end: BN_CTX_end(ctx); - if (err) - return -2; - else - return ret; + + return ret; } diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h deleted file mode 100644 index 5f16660..0000000 --- a/crypto/bn/bn_lcl.h +++ /dev/null 
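Review bot: The new comment above `tab` reads `(-1)^((n^2 - 1)) / 8)`, which has an unbalanced parenthesis; it should be `/* tab[BN_lsw(n) & 7] = (-1)^((n^2 - 1) / 8) for odd values of n. */`. The comment before the `BN_nnmod()` call states that `0 < a < b` holds at the start of the loop, but `BN_nnmod(b, b, a, ctx)` can yield a zero remainder, so after the swap a may be 0 — that is exactly the case the `BN_is_zero(a)` check in step 3 handles, so `0 <= a < b` is the accurate invariant. The body of BN_kronecker() is complete within this hunk.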
@@ -1,657 +0,0 @@ -/* $OpenBSD: bn_lcl.h,v 1.31 2022/01/14 08:01:47 tb Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). 
- * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. 
All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). 
- * - */ - -#ifndef HEADER_BN_LCL_H -#define HEADER_BN_LCL_H - -#include - -#include - -__BEGIN_HIDDEN_DECLS - -struct bignum_st { - BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit chunks. */ - int top; /* Index of last used d +1. */ - /* The next are internal book keeping for bn_expand. */ - int dmax; /* Size of the d array. */ - int neg; /* one if the number is negative */ - int flags; -}; - -/* Used for montgomery multiplication */ -struct bn_mont_ctx_st { - int ri; /* number of bits in R */ - BIGNUM RR; /* used to convert to montgomery form */ - BIGNUM N; /* The modulus */ - BIGNUM Ni; /* R*(1/R mod N) - N*Ni = 1 - * (Ni is only stored for bignum algorithm) */ - BN_ULONG n0[2];/* least significant word(s) of Ni; - (type changed with 0.9.9, was "BN_ULONG n0;" before) */ - int flags; -}; - -/* Used for reciprocal division/mod functions - * It cannot be shared between threads - */ -struct bn_recp_ctx_st { - BIGNUM N; /* the divisor */ - BIGNUM Nr; /* the reciprocal */ - int num_bits; - int shift; - int flags; -}; - -/* Used for slow "generation" functions. */ -struct bn_gencb_st { - unsigned int ver; /* To handle binary (in)compatibility */ - void *arg; /* callback-specific data */ - union { - /* if(ver==1) - handles old style callbacks */ - void (*cb_1)(int, int, void *); - /* if(ver==2) - new callback style */ - int (*cb_2)(int, int, BN_GENCB *); - } cb; -}; - -/* - * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions - * - * - * For window size 'w' (w >= 2) and a random 'b' bits exponent, - * the number of multiplications is a constant plus on average - * - * 2^(w-1) + (b-w)/(w+1); - * - * here 2^(w-1) is for precomputing the table (we actually need - * entries only for windows that have the lowest bit set), and - * (b-w)/(w+1) is an approximation for the expected number of - * w-bit windows, not counting the first one. 
- * - * Thus we should use - * - * w >= 6 if b > 671 - * w = 5 if 671 > b > 239 - * w = 4 if 239 > b > 79 - * w = 3 if 79 > b > 23 - * w <= 2 if 23 > b - * - * (with draws in between). Very small exponents are often selected - * with low Hamming weight, so we use w = 1 for b <= 23. - */ -#define BN_window_bits_for_exponent_size(b) \ - ((b) > 671 ? 6 : \ - (b) > 239 ? 5 : \ - (b) > 79 ? 4 : \ - (b) > 23 ? 3 : 1) - - -/* BN_mod_exp_mont_consttime is based on the assumption that the - * L1 data cache line width of the target processor is at least - * the following value. - */ -#define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH ( 64 ) -#define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1) - -/* Window sizes optimized for fixed window size modular exponentiation - * algorithm (BN_mod_exp_mont_consttime). - * - * To achieve the security goals of BN_mode_exp_mont_consttime, the - * maximum size of the window must not exceed - * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH). - * - * Window size thresholds are defined for cache line sizes of 32 and 64, - * cache line sizes where log_2(32)=5 and log_2(64)=6 respectively. A - * window size of 7 should only be used on processors that have a 128 - * byte or greater cache line size. - */ -#if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64 - -# define BN_window_bits_for_ctime_exponent_size(b) \ - ((b) > 937 ? 6 : \ - (b) > 306 ? 5 : \ - (b) > 89 ? 4 : \ - (b) > 22 ? 3 : 1) -# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (6) - -#elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32 - -# define BN_window_bits_for_ctime_exponent_size(b) \ - ((b) > 306 ? 5 : \ - (b) > 89 ? 4 : \ - (b) > 22 ? 
3 : 1) -# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (5) - -#endif - - -/* Pentium pro 16,16,16,32,64 */ -/* Alpha 16,16,16,16.64 */ -#define BN_MULL_SIZE_NORMAL (16) /* 32 */ -#define BN_MUL_RECURSIVE_SIZE_NORMAL (16) /* 32 less than */ -#define BN_SQR_RECURSIVE_SIZE_NORMAL (16) /* 32 */ -#define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL (32) /* 32 */ -#define BN_MONT_CTX_SET_SIZE_WORD (64) /* 32 */ - -#if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) -/* - * BN_UMULT_HIGH section. - * - * No, I'm not trying to overwhelm you when stating that the - * product of N-bit numbers is 2*N bits wide:-) No, I don't expect - * you to be impressed when I say that if the compiler doesn't - * support 2*N integer type, then you have to replace every N*N - * multiplication with 4 (N/2)*(N/2) accompanied by some shifts - * and additions which unavoidably results in severe performance - * penalties. Of course provided that the hardware is capable of - * producing 2*N result... That's when you normally start - * considering assembler implementation. However! It should be - * pointed out that some CPUs (most notably Alpha, PowerPC and - * upcoming IA-64 family:-) provide *separate* instruction - * calculating the upper half of the product placing the result - * into a general purpose register. Now *if* the compiler supports - * inline assembler, then it's not impossible to implement the - * "bignum" routines (and have the compiler optimize 'em) - * exhibiting "native" performance in C. 
That's what BN_UMULT_HIGH - * macro is about:-) - * - * - */ -# if defined(__alpha) -# if defined(__GNUC__) && __GNUC__>=2 -# define BN_UMULT_HIGH(a,b) ({ \ - BN_ULONG ret; \ - asm ("umulh %1,%2,%0" \ - : "=r"(ret) \ - : "r"(a), "r"(b)); \ - ret; }) -# endif /* compiler */ -# elif defined(_ARCH_PPC) && defined(_LP64) -# if defined(__GNUC__) && __GNUC__>=2 -# define BN_UMULT_HIGH(a,b) ({ \ - BN_ULONG ret; \ - asm ("mulhdu %0,%1,%2" \ - : "=r"(ret) \ - : "r"(a), "r"(b)); \ - ret; }) -# endif /* compiler */ -# elif (defined(__x86_64) || defined(__x86_64__)) && defined(_LP64) -# if defined(__GNUC__) && __GNUC__>=2 -# define BN_UMULT_HIGH(a,b) ({ \ - BN_ULONG ret,discard; \ - asm ("mulq %3" \ - : "=a"(discard),"=d"(ret) \ - : "a"(a), "g"(b) \ - : "cc"); \ - ret; }) -# define BN_UMULT_LOHI(low,high,a,b) \ - asm ("mulq %3" \ - : "=a"(low),"=d"(high) \ - : "a"(a),"g"(b) \ - : "cc"); -# endif -# elif defined(__mips) && defined(_LP64) -# if defined(__GNUC__) && __GNUC__>=2 -# if __GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 4) /* "h" constraint is no more since 4.4 */ -# define BN_UMULT_HIGH(a,b) (((__uint128_t)(a)*(b))>>64) -# define BN_UMULT_LOHI(low,high,a,b) ({ \ - __uint128_t ret=(__uint128_t)(a)*(b); \ - (high)=ret>>64; (low)=ret; }) -# else -# define BN_UMULT_HIGH(a,b) ({ \ - BN_ULONG ret; \ - asm ("dmultu %1,%2" \ - : "=h"(ret) \ - : "r"(a), "r"(b) : "l"); \ - ret; }) -# define BN_UMULT_LOHI(low,high,a,b)\ - asm ("dmultu %2,%3" \ - : "=l"(low),"=h"(high) \ - : "r"(a), "r"(b)); -# endif -# endif -# endif /* cpu */ -#endif /* OPENSSL_NO_ASM */ - -/************************************************************* - * Using the long long type - */ -#define Lw(t) (((BN_ULONG)(t))&BN_MASK2) -#define Hw(t) (((BN_ULONG)((t)>>BN_BITS2))&BN_MASK2) - -#ifdef BN_DEBUG_RAND -#define bn_clear_top2max(a) \ - { \ - int ind = (a)->dmax - (a)->top; \ - BN_ULONG *ftl = &(a)->d[(a)->top-1]; \ - for (; ind != 0; ind--) \ - *(++ftl) = 0x0; \ - } -#else -#define bn_clear_top2max(a) 
-#endif - -#ifdef BN_LLONG -#define mul_add(r,a,w,c) { \ - BN_ULLONG t; \ - t=(BN_ULLONG)w * (a) + (r) + (c); \ - (r)= Lw(t); \ - (c)= Hw(t); \ - } - -#define mul(r,a,w,c) { \ - BN_ULLONG t; \ - t=(BN_ULLONG)w * (a) + (c); \ - (r)= Lw(t); \ - (c)= Hw(t); \ - } - -#define sqr(r0,r1,a) { \ - BN_ULLONG t; \ - t=(BN_ULLONG)(a)*(a); \ - (r0)=Lw(t); \ - (r1)=Hw(t); \ - } - -#elif defined(BN_UMULT_LOHI) -#define mul_add(r,a,w,c) { \ - BN_ULONG high,low,ret,tmp=(a); \ - ret = (r); \ - BN_UMULT_LOHI(low,high,w,tmp); \ - ret += (c); \ - (c) = (ret<(c))?1:0; \ - (c) += high; \ - ret += low; \ - (c) += (ret>BN_BITS4)&BN_MASK2l) -#define L2HBITS(a) (((a)<>(BN_BITS4-1); \ - m =(m&BN_MASK2l)<<(BN_BITS4+1); \ - l=(l+m)&BN_MASK2; if (l < m) h++; \ - (lo)=l; \ - (ho)=h; \ - } - -#define mul_add(r,a,bl,bh,c) { \ - BN_ULONG l,h; \ - \ - h= (a); \ - l=LBITS(h); \ - h=HBITS(h); \ - mul64(l,h,(bl),(bh)); \ - \ - /* non-multiply part */ \ - l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ - (c)=(r); \ - l=(l+(c))&BN_MASK2; if (l < (c)) h++; \ - (c)=h&BN_MASK2; \ - (r)=l; \ - } - -#define mul(r,a,bl,bh,c) { \ - BN_ULONG l,h; \ - \ - h= (a); \ - l=LBITS(h); \ - h=HBITS(h); \ - mul64(l,h,(bl),(bh)); \ - \ - /* non-multiply part */ \ - l+=(c); if ((l&BN_MASK2) < (c)) h++; \ - (c)=h&BN_MASK2; \ - (r)=l&BN_MASK2; \ - } -#endif /* !BN_LLONG */ - -void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb); -void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b); -void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b); -void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp); -void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a); -void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a); -int bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n); -int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, - int cl, int dl); -void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, - int dna, int dnb, BN_ULONG *t); -void bn_mul_part_recursive(BN_ULONG *r, 
BN_ULONG *a, BN_ULONG *b, - int n, int tna, int tnb, BN_ULONG *t); -void bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t); -void bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n); -void bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, - BN_ULONG *t); -void bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2, - BN_ULONG *t); -BN_ULONG bn_add_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, - int cl, int dl); -BN_ULONG bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, - int cl, int dl); -int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, const BN_ULONG *np, const BN_ULONG *n0, int num); - -#define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words))) -BIGNUM *bn_expand2(BIGNUM *a, int words); -BIGNUM *bn_expand(BIGNUM *a, int bits); - -BIGNUM *bn_dup_expand(const BIGNUM *a, int words); /* unused */ - -/* Bignum consistency macros - * There is one "API" macro, bn_fix_top(), for stripping leading zeroes from - * bignum data after direct manipulations on the data. There is also an - * "internal" macro, bn_check_top(), for verifying that there are no leading - * zeroes. Unfortunately, some auditing is required due to the fact that - * bn_fix_top() has become an overabused duct-tape because bignum data is - * occasionally passed around in an inconsistent state. So the following - * changes have been made to sort this out; - * - bn_fix_top()s implementation has been moved to bn_correct_top() - * - if BN_DEBUG isn't defined, bn_fix_top() maps to bn_correct_top(), and - * bn_check_top() is as before. - * - if BN_DEBUG *is* defined; - * - bn_check_top() tries to pollute unused words even if the bignum 'top' is - * consistent. (ed: only if BN_DEBUG_RAND is defined) - * - bn_fix_top() maps to bn_check_top() rather than "fixing" anything. - * The idea is to have debug builds flag up inconsistent bignums when they - * occur. 
If that occurs in a bn_fix_top(), we examine the code in question; if - * the use of bn_fix_top() was appropriate (ie. it follows directly after code - * that manipulates the bignum) it is converted to bn_correct_top(), and if it - * was not appropriate, we convert it permanently to bn_check_top() and track - * down the cause of the bug. Eventually, no internal code should be using the - * bn_fix_top() macro. External applications and libraries should try this with - * their own code too, both in terms of building against the openssl headers - * with BN_DEBUG defined *and* linking with a version of OpenSSL built with it - * defined. This not only improves external code, it provides more test - * coverage for openssl's own code. - */ - -#ifdef BN_DEBUG - -/* We only need assert() when debugging */ -#include - -#ifdef BN_DEBUG_RAND -#define bn_pollute(a) \ - do { \ - const BIGNUM *_bnum1 = (a); \ - if(_bnum1->top < _bnum1->dmax) { \ - unsigned char _tmp_char; \ - /* We cast away const without the compiler knowing, any \ - * *genuinely* constant variables that aren't mutable \ - * wouldn't be constructed with top!=dmax. 
*/ \ - BN_ULONG *_not_const; \ - memcpy(&_not_const, &_bnum1->d, sizeof(BN_ULONG*)); \ - arc4random_buf(&_tmp_char, 1); \ - memset((unsigned char *)(_not_const + _bnum1->top), _tmp_char, \ - (_bnum1->dmax - _bnum1->top) * sizeof(BN_ULONG)); \ - } \ - } while(0) -#else -#define bn_pollute(a) -#endif - -#define bn_check_top(a) \ - do { \ - const BIGNUM *_bnum2 = (a); \ - if (_bnum2 != NULL) { \ - assert((_bnum2->top == 0) || \ - (_bnum2->d[_bnum2->top - 1] != 0)); \ - bn_pollute(_bnum2); \ - } \ - } while(0) - -#define bn_fix_top(a) bn_check_top(a) - -#define bn_check_size(bn, bits) bn_wcheck_size(bn, ((bits+BN_BITS2-1))/BN_BITS2) -#define bn_wcheck_size(bn, words) \ - do { \ - const BIGNUM *_bnum2 = (bn); \ - assert(words <= (_bnum2)->dmax && words >= (_bnum2)->top); \ - } while(0) - -#else /* !BN_DEBUG */ - -#define bn_pollute(a) -#define bn_check_top(a) -#define bn_fix_top(a) bn_correct_top(a) -#define bn_check_size(bn, bits) -#define bn_wcheck_size(bn, words) - -#endif - -#define bn_correct_top(a) \ - { \ - BN_ULONG *ftl; \ - int tmp_top = (a)->top; \ - if (tmp_top > 0) \ - { \ - for (ftl= &((a)->d[tmp_top-1]); tmp_top > 0; tmp_top--) \ - if (*(ftl--)) break; \ - (a)->top = tmp_top; \ - } \ - bn_pollute(a); \ - } - -BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w); -BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w); -void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num); -BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d); -BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int num); -BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int num); - -int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom); -int bn_rand_interval(BIGNUM *rnd, const BIGNUM *lower_inc, const BIGNUM *upper_exc); - -/* Explicitly const time / non-const time versions for internal use */ -int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const 
BIGNUM *m, BN_CTX *ctx); -int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx); -int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -int BN_div_nonct(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, - BN_CTX *ctx); -int BN_div_ct(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, const BIGNUM *d, - BN_CTX *ctx); -#define BN_mod_ct(rem,m,d,ctx) BN_div_ct(NULL,(rem),(m),(d),(ctx)) -#define BN_mod_nonct(rem,m,d,ctx) BN_div_nonct(NULL,(rem),(m),(d),(ctx)) -BIGNUM *BN_mod_inverse_ct(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n, - BN_CTX *ctx); -BIGNUM *BN_mod_inverse_nonct(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n, - BN_CTX *ctx); -int BN_gcd_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -int BN_gcd_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); - -int BN_swap_ct(BN_ULONG swap, BIGNUM *a, BIGNUM *b, size_t nwords); - -__END_HIDDEN_DECLS -#endif diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index 6e828f1..389dd3f 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_lib.c,v 1.53 2021/12/27 15:12:22 jsing Exp $ */ +/* $OpenBSD: bn_lib.c,v 1.86 2023/04/30 19:15:48 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,11 +56,6 @@ * [including the GNU Public Licence.] */ -#ifndef BN_DEBUG -# undef NDEBUG /* avoid conflicting definitions */ -# define NDEBUG -#endif - #include #include #include 
@@ -70,57 +65,32 @@ #include -#include "bn_lcl.h" - -/* This stuff appears to be completely unused, so is deprecated */ -#ifndef OPENSSL_NO_DEPRECATED -/* For a 32 bit machine - * 2 - 4 == 128 - * 3 - 8 == 256 - * 4 - 16 == 512 - * 5 - 32 == 1024 - * 6 - 64 == 2048 - * 7 - 128 == 4096 - * 8 - 256 == 8192 - */ -static int bn_limit_bits = 0; -static int bn_limit_num = 8; /* (1<flags = BN_FLG_MALLOCED; - ret->top = 0; - ret->neg = 0; - ret->dmax = 0; - ret->d = NULL; - bn_check_top(ret); - return (ret); + bn->flags = BN_FLG_MALLOCED; + + return bn; } void BN_init(BIGNUM *a) { memset(a, 0, sizeof(BIGNUM)); - bn_check_top(a); } void BN_clear(BIGNUM *a) { - bn_check_top(a); if (a->d != NULL) explicit_bzero(a->d, a->dmax * sizeof(a->d[0])); a->top = 0; 
@@ -128,72 +98,28 @@ BN_clear(BIGNUM *a) } void -BN_clear_free(BIGNUM *a) +BN_free(BIGNUM *bn) { - int i; - - if (a == NULL) + if (bn == NULL) return; - bn_check_top(a); - if (a->d != NULL && !(BN_get_flags(a, BN_FLG_STATIC_DATA))) - freezero(a->d, a->dmax * sizeof(a->d[0])); - i = BN_get_flags(a, BN_FLG_MALLOCED); - explicit_bzero(a, sizeof(BIGNUM)); - if (i) - free(a); + + if (!BN_get_flags(bn, BN_FLG_STATIC_DATA)) + freezero(bn->d, bn->dmax * sizeof(bn->d[0])); + + if (!BN_get_flags(bn, BN_FLG_MALLOCED)) { + explicit_bzero(bn, sizeof(*bn)); + return; + } + + freezero(bn, sizeof(*bn)); } void -BN_free(BIGNUM *a) +BN_clear_free(BIGNUM *bn) { - BN_clear_free(a); + BN_free(bn); } -void -BN_set_params(int mult, int high, int low, int mont) -{ - if (mult >= 0) { - if (mult > (int)(sizeof(int) * 8) - 1) - mult = sizeof(int) * 8 - 1; - bn_limit_bits = mult; - bn_limit_num = 1 << mult; - } - if (high >= 0) { - if (high > (int)(sizeof(int) * 8) - 1) - high = sizeof(int) * 8 - 1; - bn_limit_bits_high = high; - bn_limit_num_high = 1 << high; - } - if (low >= 0) { - if (low > (int)(sizeof(int) * 8) - 1) - low = sizeof(int) * 8 - 1; - bn_limit_bits_low = low; - bn_limit_num_low = 1 << low; - } - if (mont >= 0) { - if (mont > (int)(sizeof(int) * 8) - 1) - mont = sizeof(int) * 8 - 1; - bn_limit_bits_mont = mont; - bn_limit_num_mont = 1 << mont; - } -} - -int -BN_get_params(int which) -{ - if (which == 0) - return (bn_limit_bits); - else if (which == 1) - return (bn_limit_bits_high); - else if (which == 2) - return (bn_limit_bits_low); - else if (which == 3) - return (bn_limit_bits_mont); - else - return (0); -} -#endif - void BN_set_flags(BIGNUM *b, int n) { 
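Review bot: BN_free drops the `a->d != NULL` guard that the old BN_clear_free had, so a BN_init()ed BIGNUM with d == NULL and dmax == 0 now reaches `freezero(bn->d, 0)`. That is fine on OpenBSD, where freezero(3) documents a NULL pointer as a no-op, and the portable compat shim appears to behave the same, but the reliance deserves a comment: `/* freezero(NULL, 0) is a no-op, so an unallocated d is fine here. */`. The new BN_free also zeroes the words and the struct before freeing, which is what lets BN_clear_free become a plain alias; a one-line comment above it, `/* BN_free() always clears before freeing, so this is an alias. */`, would stop readers from assuming the alias lost the clearing.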
@@ -218,37 +144,46 @@ BN_with_flags(BIGNUM *dest, const BIGNUM *b, int flags) dest->flags = dest_flags; } +static const BN_ULONG bn_value_one_data = 1; +static const BIGNUM bn_value_one = { + .d = (BN_ULONG *)&bn_value_one_data, + .top = 1, + .dmax = 1, + .neg = 0, + .flags = BN_FLG_STATIC_DATA, +}; + const BIGNUM * BN_value_one(void) { - static const BN_ULONG data_one = 1L; - static const BIGNUM const_one = { - (BN_ULONG *)&data_one, 1, 1, 0, BN_FLG_STATIC_DATA - }; - - return (&const_one); + return &bn_value_one; } +#ifndef HAVE_BN_WORD_CLZ int -BN_num_bits_word(BN_ULONG l) +bn_word_clz(BN_ULONG w) { - BN_ULONG x, mask; - int bits; - unsigned int shift; + BN_ULONG bits, mask, shift; - /* Constant time calculation of floor(log2(l)) + 1. */ - bits = (l != 0); - shift = BN_BITS4; /* On _LP64 this is 32, otherwise 16. */ - do { - x = l >> shift; - /* If x is 0, set mask to 0, otherwise set it to all 1s. */ - mask = ((~x & (x - 1)) >> (BN_BITS2 - 1)) - 1; - bits += shift & mask; - /* If x is 0, leave l alone, otherwise set l = x. */ - l ^= (x ^ l) & mask; - } while ((shift /= 2) != 0); + bits = shift = BN_BITS2; + mask = 0; - return bits; + while ((shift >>= 1) != 0) { + bits += (shift & mask) - (shift & ~mask); + mask = bn_ct_ne_zero_mask(w >> bits); + } + bits += 1 & mask; + + bits -= bn_ct_eq_zero(w); + + return BN_BITS2 - bits; +} +#endif + +int +BN_num_bits_word(BN_ULONG w) +{ + return BN_BITS2 - bn_word_clz(w); } int 
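Review bot: bn_word_clz loses the constant-time comment the old BN_num_bits_word carried, and its structure is exactly what makes it constant-time: shift halves from BN_BITS2 every iteration, so the loop count is fixed at log2(BN_BITS2), and every word-dependent decision goes through bn_ct_ne_zero_mask()/bn_ct_eq_zero() instead of a branch. Suggest restoring that intent above the function, e.g. `/* Constant time: fixed iteration count, no data-dependent branches; relies on bn_ct_ne_zero_mask()/bn_ct_eq_zero() being branch-free. */`, since those helpers are defined outside this hunk and a later edit replacing them with a comparison would silently break the property. The `#ifndef HAVE_BN_WORD_CLZ` guard presumably allows an architecture-specific replacement; a note saying where that is expected to come from would help as well.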
@@ -256,174 +191,74 @@ BN_num_bits(const BIGNUM *a) { int i = a->top - 1; - bn_check_top(a); - if (BN_is_zero(a)) return 0; return ((i * BN_BITS2) + BN_num_bits_word(a->d[i])); } -/* This is used both by bn_expand2() and bn_dup_expand() */ -/* The caller MUST check that words > b->dmax before calling this */ -static BN_ULONG * -bn_expand_internal(const BIGNUM *b, int words) +void +bn_correct_top(BIGNUM *a) { - BN_ULONG *A, *a = NULL; - const BN_ULONG *B; - int i; + while (a->top > 0 && a->d[a->top - 1] == 0) + a->top--; +} - bn_check_top(b); +static int +bn_expand_internal(BIGNUM *bn, int words) +{ + BN_ULONG *d; - if (words > (INT_MAX/(4*BN_BITS2))) { + if (words < 0) { + BNerror(BN_R_BIGNUM_TOO_LONG); // XXX + return 0; + } + + if (words > INT_MAX / (4 * BN_BITS2)) { BNerror(BN_R_BIGNUM_TOO_LONG); - return NULL; + return 0; } - if (BN_get_flags(b, BN_FLG_STATIC_DATA)) { + if (BN_get_flags(bn, BN_FLG_STATIC_DATA)) { BNerror(BN_R_EXPAND_ON_STATIC_BIGNUM_DATA); - return (NULL); + return 0; } - a = A = reallocarray(NULL, words, sizeof(BN_ULONG)); - if (A == NULL) { + + d = recallocarray(bn->d, bn->dmax, words, sizeof(BN_ULONG)); + if (d == NULL) { BNerror(ERR_R_MALLOC_FAILURE); - return (NULL); - } -#if 1 - B = b->d; - /* Check if the previous number needs to be copied */ - if (B != NULL) { - for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) { - /* - * The fact that the loop is unrolled - * 4-wise is a tribute to Intel. It's - * the one that doesn't have enough - * registers to accommodate more data. 
- * I'd unroll it 8-wise otherwise:-) - * - * - */ - BN_ULONG a0, a1, a2, a3; - a0 = B[0]; - a1 = B[1]; - a2 = B[2]; - a3 = B[3]; - A[0] = a0; - A[1] = a1; - A[2] = a2; - A[3] = a3; - } - switch (b->top & 3) { - case 3: - A[2] = B[2]; - case 2: - A[1] = B[1]; - case 1: - A[0] = B[0]; - } + return 0; } + bn->d = d; + bn->dmax = words; -#else - memset(A, 0, sizeof(BN_ULONG) * words); - memcpy(A, b->d, sizeof(b->d[0]) * b->top); -#endif - - return (a); + return 1; } -/* This is an internal function that can be used instead of bn_expand2() - * when there is a need to copy BIGNUMs instead of only expanding the - * data part, while still expanding them. - * Especially useful when needing to expand BIGNUMs that are declared - * 'const' and should therefore not be changed. - * The reason to use this instead of a BN_dup() followed by a bn_expand2() - * is memory allocation overhead. A BN_dup() followed by a bn_expand2() - * will allocate new memory for the BIGNUM data twice, and free it once, - * while bn_dup_expand() makes sure allocation is made only once. - */ - -#ifndef OPENSSL_NO_DEPRECATED -BIGNUM * -bn_dup_expand(const BIGNUM *b, int words) +int +bn_expand(BIGNUM *bn, int bits) { - BIGNUM *r = NULL; + int words; - bn_check_top(b); + if (bits < 0) + return 0; - /* This function does not work if - * words <= b->dmax && top < words - * because BN_dup() does not preserve 'dmax'! - * (But bn_dup_expand() is not used anywhere yet.) 
- */ + if (bits > (INT_MAX - BN_BITS2 + 1)) + return 0; - if (words > b->dmax) { - BN_ULONG *a = bn_expand_internal(b, words); + words = (bits + BN_BITS2 - 1) / BN_BITS2; - if (a) { - r = BN_new(); - if (r) { - r->top = b->top; - r->dmax = words; - r->neg = b->neg; - r->d = a; - } else { - /* r == NULL, BN_new failure */ - free(a); - } - } - /* If a == NULL, there was an error in allocation in - bn_expand_internal(), and NULL should be returned */ - } else { - r = BN_dup(b); - } - - bn_check_top(r); - return r; + return bn_wexpand(bn, words); } -#endif -/* This is an internal function that should not be used in applications. - * It ensures that 'b' has enough room for a 'words' word number - * and initialises any unused part of b->d with leading zeros. - * It is mostly used by the various BIGNUM routines. If there is an error, - * NULL is returned. If not, 'b' is returned. */ - -BIGNUM * -bn_expand2(BIGNUM *b, int words) +int +bn_wexpand(BIGNUM *bn, int words) { - bn_check_top(b); + if (words < 0) + return 0; - if (words > b->dmax) { - BN_ULONG *a = bn_expand_internal(b, words); - if (!a) - return NULL; - if (b->d) - freezero(b->d, b->dmax * sizeof(b->d[0])); - b->d = a; - b->dmax = words; - } + if (words <= bn->dmax) + return 1; -/* None of this should be necessary because of what b->top means! */ -#if 0 - /* NB: bn_wexpand() calls this only if the BIGNUM really has to grow */ - if (b->top < b->dmax) { - int i; - BN_ULONG *A = &(b->d[b->top]); - for (i = (b->dmax - b->top) >> 3; i > 0; i--, A += 8) { - A[0] = 0; - A[1] = 0; - A[2] = 0; - A[3] = 0; - A[4] = 0; - A[5] = 0; - A[6] = 0; - A[7] = 0; - } - for (i = (b->dmax - b->top)&7; i > 0; i--, A++) - A[0] = 0; - assert(A == &(b->d[b->dmax])); - } -#endif - bn_check_top(b); - return b; + return bn_expand_internal(bn, words); } BIGNUM * 
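Review bot: The `words < 0` rejection in bn_expand_internal carries a bare `// XXX` that says nothing about what is questionable — presumably the reuse of BN_R_BIGNUM_TOO_LONG for a negative count — and it is the only C++-style comment in a file that otherwise uses `/* */`. Replace it with `/* XXX no dedicated error code for a negative count; reuse BN_R_BIGNUM_TOO_LONG. */` so the marker can actually be resolved later. The switch to recallocarray() is worth a line too, `/* recallocarray() zero-fills the added words. */`, because the `#if 0` zeroing loop that bn_expand2 used to carry is removed in this hunk and a reader may otherwise wonder whether newly added words are initialized.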
@@ -433,65 +268,54 @@ BN_dup(const BIGNUM *a) if (a == NULL) return NULL; - bn_check_top(a); t = BN_new(); if (t == NULL) return NULL; - if (!BN_copy(t, a)) { + if (!bn_copy(t, a)) { BN_free(t); return NULL; } - bn_check_top(t); return t; } +static inline void +bn_copy_words(BN_ULONG *ap, const BN_ULONG *bp, int n) +{ + while (n > 0) { + ap[0] = bp[0]; + ap++; + bp++; + n--; + } +} + BIGNUM * BN_copy(BIGNUM *a, const BIGNUM *b) { - int i; - BN_ULONG *A; - const BN_ULONG *B; - - bn_check_top(b); - if (a == b) return (a); - if (bn_wexpand(a, b->top) == NULL) + + if (!bn_wexpand(a, b->top)) return (NULL); -#if 1 - A = a->d; - B = b->d; - for (i = b->top >> 2; i > 0; i--, A += 4, B += 4) { - BN_ULONG a0, a1, a2, a3; - a0 = B[0]; - a1 = B[1]; - a2 = B[2]; - a3 = B[3]; - A[0] = a0; - A[1] = a1; - A[2] = a2; - A[3] = a3; - } - switch (b->top & 3) { - case 3: - A[2] = B[2]; - case 2: - A[1] = B[1]; - case 1: - A[0] = B[0]; - } -#else - memcpy(a->d, b->d, sizeof(b->d[0]) * b->top); -#endif + bn_copy_words(a->d, b->d, b->top); + + /* Copy constant time flag from b, but make it sticky on a. */ + a->flags |= b->flags & BN_FLG_CONSTTIME; a->top = b->top; a->neg = b->neg; - bn_check_top(a); + return (a); } +int +bn_copy(BIGNUM *dst, const BIGNUM *src) +{ + return BN_copy(dst, src) != NULL; +} + void BN_swap(BIGNUM *a, BIGNUM *b) { @@ -499,8 +323,6 @@ BN_swap(BIGNUM *a, BIGNUM *b) BN_ULONG *tmp_d; int tmp_top, tmp_dmax, tmp_neg; - bn_check_top(a); - bn_check_top(b); flags_old_a = a->flags; flags_old_b = b->flags; @@ -524,8 +346,6 @@ BN_swap(BIGNUM *a, BIGNUM *b) (flags_old_b & BN_FLG_STATIC_DATA); b->flags = (flags_old_b & BN_FLG_MALLOCED) | (flags_old_a & BN_FLG_STATIC_DATA); - bn_check_top(a); - bn_check_top(b); } BN_ULONG 
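Review bot: bn_copy_words is a hand-written word loop where memcpy() would be the obvious choice, and nothing says why. If the reason is that BN_copy can be called with `b->top == 0` and `b->d == NULL` (a BN_init()ed BIGNUM is memset to zero in this file), where memcpy() with a null source is undefined even for a zero length, a comment should say so: `/* Not memcpy(): n may be 0 with bp == NULL, which memcpy() does not allow. */`. The sticky BN_FLG_CONSTTIME handling below it is already commented, which is good; the `a == b` early return skips that line, which is harmless because the flag is then already on a.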
@@ -539,282 +359,53 @@ BN_get_word(const BIGNUM *a) return 0; } -BIGNUM * -bn_expand(BIGNUM *a, int bits) -{ - if (bits > (INT_MAX - BN_BITS2 + 1)) - return (NULL); - - if (((bits + BN_BITS2 - 1) / BN_BITS2) <= a->dmax) - return (a); - - return bn_expand2(a, (bits + BN_BITS2 - 1) / BN_BITS2); -} - int BN_set_word(BIGNUM *a, BN_ULONG w) { - bn_check_top(a); - if (bn_expand(a, (int)sizeof(BN_ULONG) * 8) == NULL) + if (!bn_wexpand(a, 1)) return (0); a->neg = 0; a->d[0] = w; a->top = (w ? 1 : 0); - bn_check_top(a); return (1); } -BIGNUM * -BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) -{ - unsigned int i, m; - unsigned int n; - BN_ULONG l; - BIGNUM *bn = NULL; - - if (len < 0) - return (NULL); - if (ret == NULL) - ret = bn = BN_new(); - if (ret == NULL) - return (NULL); - bn_check_top(ret); - l = 0; - n = len; - if (n == 0) { - ret->top = 0; - return (ret); - } - i = ((n - 1) / BN_BYTES) + 1; - m = ((n - 1) % (BN_BYTES)); - if (bn_wexpand(ret, (int)i) == NULL) { - BN_free(bn); - return NULL; - } - ret->top = i; - ret->neg = 0; - while (n--) { - l = (l << 8L) | *(s++); - if (m-- == 0) { - ret->d[--i] = l; - l = 0; - m = BN_BYTES - 1; - } - } - /* need to call this due to clear byte at top if avoiding - * having the top bit set (-ve number) */ - bn_correct_top(ret); - return (ret); -} - -typedef enum { - big, - little, -} endianness_t; - -/* ignore negative */ -static int -bn2binpad(const BIGNUM *a, unsigned char *to, int tolen, endianness_t endianness) -{ - int n; - size_t i, lasti, j, atop, mask; - BN_ULONG l; - - /* - * In case |a| is fixed-top, BN_num_bytes can return bogus length, - * but it's assumed that fixed-top inputs ought to be "nominated" - * even for padded output, so it works out... 
- */ - n = BN_num_bytes(a); - if (tolen == -1) - tolen = n; - else if (tolen < n) { /* uncommon/unlike case */ - BIGNUM temp = *a; - - bn_correct_top(&temp); - - n = BN_num_bytes(&temp); - if (tolen < n) - return -1; - } - - /* Swipe through whole available data and don't give away padded zero. */ - atop = a->dmax * BN_BYTES; - if (atop == 0) { - explicit_bzero(to, tolen); - return tolen; - } - - lasti = atop - 1; - atop = a->top * BN_BYTES; - - if (endianness == big) - to += tolen; /* start from the end of the buffer */ - - for (i = 0, j = 0; j < (size_t)tolen; j++) { - unsigned char val; - - l = a->d[i / BN_BYTES]; - mask = 0 - ((j - atop) >> (8 * sizeof(i) - 1)); - val = (unsigned char)(l >> (8 * (i % BN_BYTES)) & mask); - - if (endianness == big) - *--to = val; - else - *to++ = val; - - i += (i - lasti) >> (8 * sizeof(i) - 1); /* stay on last limb */ - } - - return tolen; -} - -int -BN_bn2binpad(const BIGNUM *a, unsigned char *to, int tolen) -{ - if (tolen < 0) - return -1; - return bn2binpad(a, to, tolen, big); -} - -int -BN_bn2bin(const BIGNUM *a, unsigned char *to) -{ - return bn2binpad(a, to, -1, big); -} - -BIGNUM * -BN_lebin2bn(const unsigned char *s, int len, BIGNUM *ret) -{ - unsigned int i, m, n; - BN_ULONG l; - BIGNUM *bn = NULL; - - if (ret == NULL) - ret = bn = BN_new(); - if (ret == NULL) - return NULL; - - bn_check_top(ret); - - s += len; - /* Skip trailing zeroes. 
*/ - for (; len > 0 && s[-1] == 0; s--, len--) - continue; - - n = len; - if (n == 0) { - ret->top = 0; - return ret; - } - - i = ((n - 1) / BN_BYTES) + 1; - m = (n - 1) % BN_BYTES; - if (bn_wexpand(ret, (int)i) == NULL) { - BN_free(bn); - return NULL; - } - - ret->top = i; - ret->neg = 0; - l = 0; - while (n-- > 0) { - s--; - l = (l << 8L) | *s; - if (m-- == 0) { - ret->d[--i] = l; - l = 0; - m = BN_BYTES - 1; - } - } - - /* - * need to call this due to clear byte at top if avoiding having the - * top bit set (-ve number) - */ - bn_correct_top(ret); - - return ret; -} - -int -BN_bn2lebinpad(const BIGNUM *a, unsigned char *to, int tolen) -{ - if (tolen < 0) - return -1; - - return bn2binpad(a, to, tolen, little); -} - int BN_ucmp(const BIGNUM *a, const BIGNUM *b) { int i; - BN_ULONG t1, t2, *ap, *bp; - bn_check_top(a); - bn_check_top(b); + if (a->top < b->top) + return -1; + if (a->top > b->top) + return 1; - i = a->top - b->top; - if (i != 0) - return (i); - ap = a->d; - bp = b->d; for (i = a->top - 1; i >= 0; i--) { - t1 = ap[i]; - t2 = bp[i]; - if (t1 != t2) - return ((t1 > t2) ? 1 : -1); + if (a->d[i] != b->d[i]) + return (a->d[i] > b->d[i] ? 
1 : -1); } - return (0); + + return 0; } int BN_cmp(const BIGNUM *a, const BIGNUM *b) { - int i; - int gt, lt; - BN_ULONG t1, t2; - - if ((a == NULL) || (b == NULL)) { + if (a == NULL || b == NULL) { if (a != NULL) - return (-1); - else if (b != NULL) - return (1); - else - return (0); + return -1; + if (b != NULL) + return 1; + return 0; } - bn_check_top(a); - bn_check_top(b); + if (a->neg != b->neg) + return b->neg - a->neg; - if (a->neg != b->neg) { - if (a->neg) - return (-1); - else - return (1); - } - if (a->neg == 0) { - gt = 1; - lt = -1; - } else { - gt = -1; - lt = 1; - } + if (a->neg) + return BN_ucmp(b, a); - if (a->top > b->top) - return (gt); - if (a->top < b->top) - return (lt); - for (i = a->top - 1; i >= 0; i--) { - t1 = a->d[i]; - t2 = b->d[i]; - if (t1 > t2) - return (gt); - if (t1 < t2) - return (lt); - } - return (0); + return BN_ucmp(a, b); } int @@ -828,7 +419,7 @@ BN_set_bit(BIGNUM *a, int n) i = n / BN_BITS2; j = n % BN_BITS2; if (a->top <= i) { - if (bn_wexpand(a, i + 1) == NULL) + if (!bn_wexpand(a, i + 1)) return (0); for (k = a->top; k < i + 1; k++) a->d[k] = 0; @@ -836,7 +427,6 @@ BN_set_bit(BIGNUM *a, int n) } a->d[i] |= (((BN_ULONG)1) << j); - bn_check_top(a); return (1); } @@ -845,7 +435,6 @@ BN_clear_bit(BIGNUM *a, int n) { int i, j; - bn_check_top(a); if (n < 0) return 0; @@ -864,7 +453,6 @@ BN_is_bit_set(const BIGNUM *a, int n) { int i, j; - bn_check_top(a); if (n < 0) return 0; i = n / BN_BITS2; @@ -879,7 +467,6 @@ BN_mask_bits(BIGNUM *a, int n) { int b, w; - bn_check_top(a); if (n < 0) return 0; 
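Review bot: BN_ucmp now decides by `a->top < b->top` before looking at any word, which is only correct if neither operand carries leading zero words, and the debug `bn_check_top(a)`/`bn_check_top(b)` assertions that used to catch that are removed in the same hunk. Add a comment at the top of BN_ucmp, `/* Requires normalized tops (see bn_correct_top()); a leading zero word would misorder the operands. */`, especially since BN_is_zero in this same commit is being made tolerant of unnormalized tops and readers may assume BN_ucmp is too. BN_cmp's `return b->neg - a->neg;` additionally assumes neg is only ever 0 or 1; that is worth stating in a comment there as well.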
@@ -898,60 +485,9 @@ BN_mask_bits(BIGNUM *a, int n) } void -BN_set_negative(BIGNUM *a, int b) +BN_set_negative(BIGNUM *bn, int neg) { - if (b && !BN_is_zero(a)) - a->neg = 1; - else - a->neg = 0; -} - -int -bn_cmp_words(const BN_ULONG *a, const BN_ULONG *b, int n) -{ - int i; - BN_ULONG aa, bb; - - aa = a[n - 1]; - bb = b[n - 1]; - if (aa != bb) - return ((aa > bb) ? 1 : -1); - for (i = n - 2; i >= 0; i--) { - aa = a[i]; - bb = b[i]; - if (aa != bb) - return ((aa > bb) ? 1 : -1); - } - return (0); -} - -/* Here follows a specialised variants of bn_cmp_words(). It has the - property of performing the operation on arrays of different sizes. - The sizes of those arrays is expressed through cl, which is the - common length ( basicall, min(len(a),len(b)) ), and dl, which is the - delta between the two lengths, calculated as len(a)-len(b). - All lengths are the number of BN_ULONGs... */ - -int -bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl) -{ - int n, i; - - n = cl - 1; - - if (dl < 0) { - for (i = dl; i < 0; i++) { - if (b[n - i] != 0) - return -1; /* a < b */ - } - } - if (dl > 0) { - for (i = dl; i > 0; i--) { - if (a[n + i] != 0) - return 1; /* a > b */ - } - } - return bn_cmp_words(a, b, cl); + bn->neg = ~BN_is_zero(bn) & bn_ct_ne_zero(neg); } /* @@ -969,9 +505,6 @@ BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) BN_ULONG t; int i; - bn_wcheck_size(a, nwords); - bn_wcheck_size(b, nwords); - assert(a != b); assert((condition & (condition - 1)) == 0); assert(sizeof(BN_ULONG) >= sizeof(int)); @@ -1026,7 +559,7 @@ BN_swap_ct(BN_ULONG condition, BIGNUM *a, BIGNUM *b, size_t nwords) if (nwords > INT_MAX) return 0; words = (int)nwords; - if (bn_wexpand(a, words) == NULL || bn_wexpand(b, words) == NULL) + if (!bn_wexpand(a, words) || !bn_wexpand(b, words)) return 0; if (a->top > words || b->top > words) { BNerror(BN_R_INVALID_LENGTH); 
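Review bot: The new BN_set_negative body, `bn->neg = ~BN_is_zero(bn) & bn_ct_ne_zero(neg);`, is correct only if bn_ct_ne_zero() returns 0 or 1 rather than an all-ones mask: `~BN_is_zero(bn)` is ~0 or ~1 (BN_is_zero returns `bits == 0`), so a mask-returning helper would leave neg as a nonzero negative value even when bn is zero. The naming contrast with bn_ct_ne_zero_mask() used in bn_word_clz suggests 0/1 is indeed the convention, but the helper is defined outside this hunk, so spell the reliance out: `/* Both operands are 0 or 1, so neg ends up 0 or 1, and 0 whenever bn is zero. */`. The comment should also say that bn_ct_ne_zero() stands in for the old `if (b && ...)` to avoid a branch on the caller's value.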
@@ -1062,11 +595,16 @@ BN_swap_ct(BN_ULONG condition, BIGNUM *a, BIGNUM *b, size_t nwords) } void -BN_zero_ex(BIGNUM *a) +BN_zero(BIGNUM *a) { a->neg = 0; a->top = 0; - /* XXX: a->flags &= ~BN_FIXED_TOP */ +} + +int +BN_one(BIGNUM *a) +{ + return BN_set_word(a, 1); } int @@ -1076,9 +614,15 @@ BN_abs_is_word(const BIGNUM *a, const BN_ULONG w) } int -BN_is_zero(const BIGNUM *a) +BN_is_zero(const BIGNUM *bn) { - return a->top == 0; + BN_ULONG bits = 0; + int i; + + for (i = 0; i < bn->top; i++) + bits |= bn->d[i]; + + return bits == 0; } int @@ -1105,6 +649,56 @@ BN_is_negative(const BIGNUM *a) return a->neg != 0; } +char * +BN_options(void) +{ + static int init = 0; + static char data[16]; + + if (!init) { + init++; +#ifdef BN_LLONG + snprintf(data,sizeof data, "bn(%d,%d)", + (int)sizeof(BN_ULLONG) * 8, (int)sizeof(BN_ULONG) * 8); +#else + snprintf(data,sizeof data, "bn(%d,%d)", + (int)sizeof(BN_ULONG) * 8, (int)sizeof(BN_ULONG) * 8); +#endif + } + return (data); +} + +/* + * Bits of security, see SP800-57, section 5.6.11, table 2. + */ +int +BN_security_bits(int L, int N) +{ + int secbits, bits; + + if (L >= 15360) + secbits = 256; + else if (L >= 7680) + secbits = 192; + else if (L >= 3072) + secbits = 128; + else if (L >= 2048) + secbits = 112; + else if (L >= 1024) + secbits = 80; + else + return 0; + + if (N == -1) + return secbits; + + bits = N / 2; + if (bits < 80) + return 0; + + return bits >= secbits ? secbits : bits; +} + BN_GENCB * BN_GENCB_new(void) { diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h new file mode 100644 index 0000000..78b4157 --- /dev/null +++ b/crypto/bn/bn_local.h 
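Review bot: BN_is_zero changes meaning as well as form: it now ORs every word below top instead of testing `top == 0`, so a BIGNUM whose words are all zero but whose top was never corrected is reported as zero, and there is no early exit, so the running time depends only on top. Both properties look intentional (the new BN_set_negative combines the result with constant-time masks) and should be documented above the function: `/* Zero is defined by the word values, not by top, so unnormalized inputs are handled; no early exit, so timing depends only on top. */`. Note that BN_ucmp in this commit still relies on normalized tops, so the two are not interchangeable tests for zero.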
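Review bot: BN_options fills a static buffer behind an unsynchronized `static int init` flag, so two threads making the first call concurrently both write `data`; every writer produces identical bytes, so the race is benign in practice, but it is still a data race and deserves a comment, e.g. `/* Lazy init is unsynchronized; concurrent first callers write identical bytes. */`. The two snprintf() branches differ only in the first sizeof operand, so the `#ifdef` could collapse to a single call with a conditional operand, and `snprintf(data,sizeof data, ...)` should be spaced like the rest of the file. BN_security_bits already cites SP800-57 table 2; the `N == -1` case, which presumably means no subgroup size is supplied and only the L-based value is returned, should be named in that comment too.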
@@ -0,0 +1,330 @@
+/* $OpenBSD: bn_local.h,v 1.22 2023/05/10 12:21:55 tb Exp $ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. 
All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#ifndef HEADER_BN_LOCAL_H
+#define HEADER_BN_LOCAL_H
+
+#include 
+
+#include 
+
+__BEGIN_HIDDEN_DECLS
+
+struct bignum_st {
+ BN_ULONG *d; /* Pointer to an array of 'BN_BITS2' bit chunks. */
+ int top; /* Index of last used d +1. */
+ /* The next are internal book keeping for bn_expand. */
+ int dmax; /* Size of the d array. */
+ int neg; /* one if the number is negative */
+ int flags;
+};
+
+struct bn_mont_ctx_st {
+ int ri; /* Number of bits in R */
+ BIGNUM RR; /* Used to convert to Montgomery form */
+ BIGNUM N; /* Modulus */
+
+ /* Least significant word(s) of Ni; R*(1/R mod N) - N*Ni = 1 */
+ BN_ULONG n0[2];
+
+ int flags;
+};
+
+/* Used for reciprocal division/mod functions
+ * It cannot be shared between threads
+ */
+typedef struct bn_recp_ctx_st {
+ BIGNUM N; /* the divisor */
+ BIGNUM Nr; /* the reciprocal */
+ int num_bits;
+ int shift;
+ int flags;
+} BN_RECP_CTX;
+
+/* Used for slow "generation" functions. */
+struct bn_gencb_st {
+ unsigned int ver; /* To handle binary (in)compatibility */
+ void *arg; /* callback-specific data */
+ union {
+ /* if(ver==1) - handles old style callbacks */
+ void (*cb_1)(int, int, void *);
+ /* if(ver==2) - new callback style */
+ int (*cb_2)(int, int, BN_GENCB *);
+ } cb;
+};
+
+/*
+ * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions
+ *
+ *
+ * For window size 'w' (w >= 2) and a random 'b' bits exponent,
+ * the number of multiplications is a constant plus on average
+ *
+ * 2^(w-1) + (b-w)/(w+1);
+ *
+ * here 2^(w-1) is for precomputing the table (we actually need
+ * entries only for windows that have the lowest bit set), and
+ * (b-w)/(w+1) is an approximation for the expected number of
+ * w-bit windows, not counting the first one.
+ *
+ * Thus we should use
+ *
+ * w >= 6 if b > 671
+ * w = 5 if 671 > b > 239
+ * w = 4 if 239 > b > 79
+ * w = 3 if 79 > b > 23
+ * w <= 2 if 23 > b
+ *
+ * (with draws in between). 
Very small exponents are often selected
+ * with low Hamming weight, so we use w = 1 for b <= 23.
+ */
+#define BN_window_bits_for_exponent_size(b) \
+ ((b) > 671 ? 6 : \
+ (b) > 239 ? 5 : \
+ (b) > 79 ? 4 : \
+ (b) > 23 ? 3 : 1)
+
+
+/* BN_mod_exp_mont_consttime is based on the assumption that the
+ * L1 data cache line width of the target processor is at least
+ * the following value.
+ */
+#define MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH ( 64 )
+#define MOD_EXP_CTIME_MIN_CACHE_LINE_MASK (MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH - 1)
+
+/* Window sizes optimized for fixed window size modular exponentiation
+ * algorithm (BN_mod_exp_mont_consttime).
+ *
+ * To achieve the security goals of BN_mode_exp_mont_consttime, the
+ * maximum size of the window must not exceed
+ * log_2(MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH).
+ *
+ * Window size thresholds are defined for cache line sizes of 32 and 64,
+ * cache line sizes where log_2(32)=5 and log_2(64)=6 respectively. A
+ * window size of 7 should only be used on processors that have a 128
+ * byte or greater cache line size.
+ */
+#if MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 64
+
+# define BN_window_bits_for_ctime_exponent_size(b) \
+ ((b) > 937 ? 6 : \
+ (b) > 306 ? 5 : \
+ (b) > 89 ? 4 : \
+ (b) > 22 ? 3 : 1)
+# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (6)
+
+#elif MOD_EXP_CTIME_MIN_CACHE_LINE_WIDTH == 32
+
+# define BN_window_bits_for_ctime_exponent_size(b) \
+ ((b) > 306 ? 5 : \
+ (b) > 89 ? 4 : \
+ (b) > 22 ? 3 : 1)
+# define BN_MAX_WINDOW_BITS_FOR_CTIME_EXPONENT_SIZE (5)
+
+#endif
+
+
+/* Pentium pro 16,16,16,32,64 */
+/* Alpha 16,16,16,16.64 */
+#define BN_MULL_SIZE_NORMAL (16) /* 32 */
+#define BN_MUL_RECURSIVE_SIZE_NORMAL (16) /* 32 less than */
+#define BN_SQR_RECURSIVE_SIZE_NORMAL (16) /* 32 */
+#define BN_MUL_LOW_RECURSIVE_SIZE_NORMAL (32) /* 32 */
+#define BN_MONT_CTX_SET_SIZE_WORD (64) /* 32 */
+
+/* The least significant word of a BIGNUM. */
+#define BN_lsw(n) (((n)->top == 0) ? 
(BN_ULONG) 0 : (n)->d[0])
+
+BN_ULONG bn_add(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len,
+ const BN_ULONG *b, int b_len);
+BN_ULONG bn_sub(BN_ULONG *r, int r_len, const BN_ULONG *a, int a_len,
+ const BN_ULONG *b, int b_len);
+
+void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb);
+void bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
+void bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b);
+
+void bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp);
+void bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a);
+void bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a);
+
+int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+ const BN_ULONG *np, const BN_ULONG *n0, int num);
+
+int bn_word_clz(BN_ULONG w);
+
+void bn_correct_top(BIGNUM *a);
+int bn_expand(BIGNUM *a, int bits);
+int bn_wexpand(BIGNUM *a, int words);
+
+BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+ int num);
+BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp,
+ int num);
+BN_ULONG bn_mul_add_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
+BN_ULONG bn_mul_words(BN_ULONG *rp, const BN_ULONG *ap, int num, BN_ULONG w);
+void bn_sqr_words(BN_ULONG *rp, const BN_ULONG *ap, int num);
+BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d);
+void bn_div_rem_words(BN_ULONG h, BN_ULONG l, BN_ULONG d, BN_ULONG *out_q,
+ BN_ULONG *out_r);
+
+int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom);
+int bn_rand_interval(BIGNUM *rnd, const BIGNUM *lower_inc, const BIGNUM *upper_exc);
+
+void BN_init(BIGNUM *);
+
+int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx);
+
+void BN_RECP_CTX_init(BN_RECP_CTX *recp);
+BN_RECP_CTX *BN_RECP_CTX_new(void);
+void BN_RECP_CTX_free(BN_RECP_CTX *recp);
+int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *rdiv, BN_CTX *ctx);
+int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y,
+ BN_RECP_CTX *recp, BN_CTX 
*ctx);
+int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx);
+int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m,
+ BN_RECP_CTX *recp, BN_CTX *ctx);
+
+/* Explicitly const time / non-const time versions for internal use */
+int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_exp_mont_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_mod_exp_mont_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx);
+int BN_div_nonct(BIGNUM *q, BIGNUM *r, const BIGNUM *n, const BIGNUM *d,
+ BN_CTX *ctx);
+int BN_div_ct(BIGNUM *q, BIGNUM *r, const BIGNUM *n, const BIGNUM *d,
+ BN_CTX *ctx);
+int BN_mod_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+int BN_mod_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx);
+
+BIGNUM *BN_mod_inverse_ct(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n,
+ BN_CTX *ctx);
+BIGNUM *BN_mod_inverse_nonct(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n,
+ BN_CTX *ctx);
+int BN_gcd_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+int BN_gcd_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx);
+
+int BN_swap_ct(BN_ULONG swap, BIGNUM *a, BIGNUM *b, size_t nwords);
+
+int bn_copy(BIGNUM *dst, const BIGNUM *src);
+
+int bn_isqrt(BIGNUM *out_sqrt, int *out_perfect, const BIGNUM *n, BN_CTX *ctx);
+int bn_is_perfect_square(int *out_perfect, const BIGNUM *n, BN_CTX *ctx);
+
+int bn_is_prime_bpsw(int *is_prime, const BIGNUM *n, BN_CTX *ctx, size_t rounds);
+
+__END_HIDDEN_DECLS
+#endif /* !HEADER_BN_LOCAL_H */
diff --git a/crypto/bn/bn_mod.c b/crypto/bn/bn_mod.c
index 897ff43..868ef5b 100644
--- a/crypto/bn/bn_mod.c
+++ b/crypto/bn/bn_mod.c
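Review bot: The comment above the constant-time window table misspells the function it refers to as `BN_mode_exp_mont_consttime`; it should read `BN_mod_exp_mont_consttime`, the name used two lines earlier in the same comment. Separately, the bn_mul_normal()/bn_mul_comba4()/bn_mul_comba8() prototypes take `BN_ULONG *a, BN_ULONG *b` while the bn_sqr_* counterparts take `const BN_ULONG *a`; const-qualifying the multiplicand inputs would document that they are read-only and let callers pass const words, though it needs matching changes in the definitions, which are not in this diff.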
@@ -1,4 +1,4 @@ -/* $OpenBSD: bn_mod.c,v 1.12 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bn_mod.c,v 1.20 2023/03/27 10:21:23 tb Exp $ */ /* Includes code written by Lenka Fibikova * for the OpenSSL project. */ /* ==================================================================== @@ -113,23 +113,34 @@ #include -#include "bn_lcl.h" +#include "bn_local.h" int -BN_nnmod(BIGNUM *r, const BIGNUM *m, const BIGNUM *d, BN_CTX *ctx) +BN_mod_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) { - /* like BN_mod, but returns non-negative remainder - * (i.e., 0 <= r < |d| always holds) */ + return BN_div_ct(NULL, r, a, m, ctx); +} - if (!(BN_mod_ct(r, m,d, ctx))) +int +BN_mod_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) +{ + return BN_div_nonct(NULL, r, a, m, ctx); +} + +/* + * BN_nnmod() is like BN_mod(), but always returns a non-negative remainder + * (that is 0 <= r < |m| always holds). If both a and m have the same sign then + * the result is already non-negative. Otherwise, -|m| < r < 0, which needs to + * be adjusted as r := r + |m|. This equates to r := |m| - |r|. + */ +int +BN_nnmod(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) +{ + if (!BN_mod_ct(r, a, m, ctx)) return 0; - if (!r->neg) - return 1; - /* now -|d| < r < 0, so we have to set r := r + |d| */ - if (d->neg) - return BN_sub(r, r, d); - else - return BN_add(r, r, d); + if (BN_is_negative(r)) + return BN_usub(r, m, r); + return 1; } int @@ -141,8 +152,10 @@ BN_mod_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, return BN_nnmod(r, r, m, ctx); } -/* BN_mod_add variant that may be used if both a and b are non-negative - * and less than m */ +/* + * BN_mod_add() variant that may only be used if both a and b are non-negative + * and have already been reduced (less than m). + */ int BN_mod_add_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m) { 
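Review bot: The new comment on BN_nnmod() says the remainder is already non-negative when a and m "have the same sign", but if BN_div_ct() gives the remainder the sign of the dividend, as the OpenSSL-derived BN_div does, then a = -7, m = -3 yields r = -1 despite equal signs. The code is right because it tests BN_is_negative(r) directly; only the prose is off. Suggest `If a is non-negative, the remainder is already non-negative. Otherwise -|m| < r <= 0, which needs to be adjusted as r := r + |m|.`, hedged since BN_div_ct()'s sign convention is not visible here.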
@@ -162,57 +175,57 @@ BN_mod_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, return BN_nnmod(r, r, m, ctx); } -/* BN_mod_sub variant that may be used if both a and b are non-negative - * and less than m */ +/* + * BN_mod_sub() variant that may only be used if both a and b are non-negative + * and have already been reduced (less than m). + */ int BN_mod_sub_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m) { - if (!BN_sub(r, a, b)) + if (BN_ucmp(a, b) >= 0) + return BN_usub(r, a, b); + if (!BN_usub(r, b, a)) return 0; - if (r->neg) - return BN_add(r, r, m); - return 1; + return BN_usub(r, m, r); } -/* slow but works */ int BN_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, const BIGNUM *m, BN_CTX *ctx) { - BIGNUM *t; + BIGNUM *rr; int ret = 0; - bn_check_top(a); - bn_check_top(b); - bn_check_top(m); - BN_CTX_start(ctx); - if ((t = BN_CTX_get(ctx)) == NULL) + + rr = r; + if (rr == a || rr == b) + rr = BN_CTX_get(ctx); + if (rr == NULL) goto err; + if (a == b) { - if (!BN_sqr(t, a, ctx)) + if (!BN_sqr(rr, a, ctx)) goto err; } else { - if (!BN_mul(t, a,b, ctx)) + if (!BN_mul(rr, a, b, ctx)) goto err; } - if (!BN_nnmod(r, t,m, ctx)) + if (!BN_nnmod(r, rr, m, ctx)) goto err; - bn_check_top(r); + ret = 1; -err: + err: BN_CTX_end(ctx); - return (ret); + + return ret; } int BN_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) { - if (!BN_sqr(r, a, ctx)) - return 0; - /* r->neg == 0, thus we don't need BN_nnmod */ - return BN_mod_ct(r, r, m, ctx); + return BN_mod_mul(r, a, a, m, ctx); } int 
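Review bot: BN_mod_mul() now multiplies directly into r unless r aliases a or b, but the guard does not consider r == m: in that case BN_mul(rr, a, b, ctx) overwrites the modulus before BN_nnmod(r, rr, m, ctx) reads it, whereas the old code always multiplied into a temporary first. Whether r == m was ever a supported call pattern depends on BN_div's own aliasing rules, which are outside this diff; either record the restriction above the function, e.g. `/* r must not alias m. */`, or, if BN_nnmod() tolerates r == m, extend the guard to `if (rr == a || rr == b || rr == m)`. BN_mod_sqr() inherits whichever choice is made since it now delegates to BN_mod_mul().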
@@ -220,89 +233,83 @@ BN_mod_lshift1(BIGNUM *r, const BIGNUM *a, const BIGNUM *m, BN_CTX *ctx) { if (!BN_lshift1(r, a)) return 0; - bn_check_top(r); return BN_nnmod(r, r, m, ctx); } -/* BN_mod_lshift1 variant that may be used if a is non-negative - * and less than m */ +/* + * BN_mod_lshift1() variant that may be used if a is non-negative + * and has already been reduced (less than m). + */ int BN_mod_lshift1_quick(BIGNUM *r, const BIGNUM *a, const BIGNUM *m) { if (!BN_lshift1(r, a)) return 0; - bn_check_top(r); - if (BN_cmp(r, m) >= 0) - return BN_sub(r, r, m); + if (BN_ucmp(r, m) >= 0) + return BN_usub(r, r, m); return 1; } int BN_mod_lshift(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m, BN_CTX *ctx) { - BIGNUM *abs_m = NULL; - int ret; + BIGNUM *abs_m; + int ret = 0; + + BN_CTX_start(ctx); if (!BN_nnmod(r, a, m, ctx)) - return 0; + goto err; - if (m->neg) { - abs_m = BN_dup(m); - if (abs_m == NULL) - return 0; - abs_m->neg = 0; + if (BN_is_negative(m)) { + if ((abs_m = BN_CTX_get(ctx)) == NULL) + goto err; + if (!bn_copy(abs_m, m)) + goto err; + BN_set_negative(abs_m, 0); + m = abs_m; } + if (!BN_mod_lshift_quick(r, r, n, m)) + goto err; - ret = BN_mod_lshift_quick(r, r, n, (abs_m ? abs_m : m)); - bn_check_top(r); + ret = 1; + err: + BN_CTX_end(ctx); - BN_free(abs_m); return ret; } -/* BN_mod_lshift variant that may be used if a is non-negative - * and less than m */ +/* + * BN_mod_lshift() variant that may be used if a is non-negative + * and has already been reduced (less than m). 
+ */ int BN_mod_lshift_quick(BIGNUM *r, const BIGNUM *a, int n, const BIGNUM *m) { - if (r != a) { - if (BN_copy(r, a) == NULL) - return 0; - } + int max_shift; + + if (!bn_copy(r, a)) + return 0; while (n > 0) { - int max_shift; - - /* 0 < r < m */ - max_shift = BN_num_bits(m) - BN_num_bits(r); - /* max_shift >= 0 */ - - if (max_shift < 0) { + if ((max_shift = BN_num_bits(m) - BN_num_bits(r)) < 0) { BNerror(BN_R_INPUT_NOT_REDUCED); return 0; } - + if (max_shift == 0) + max_shift = 1; if (max_shift > n) max_shift = n; - if (max_shift) { - if (!BN_lshift(r, r, max_shift)) - return 0; - n -= max_shift; - } else { - if (!BN_lshift1(r, r)) - return 0; - --n; - } + if (!BN_lshift(r, r, max_shift)) + return 0; + n -= max_shift; - /* BN_num_bits(r) <= BN_num_bits(m) */ - - if (BN_cmp(r, m) >= 0) { - if (!BN_sub(r, r, m)) + if (BN_ucmp(r, m) >= 0) { + if (!BN_usub(r, r, m)) return 0; } } - bn_check_top(r); return 1; } diff --git a/crypto/bn/bn_mod_sqrt.c b/crypto/bn/bn_mod_sqrt.c new file mode 100644 index 0000000..acca540 --- /dev/null +++ b/crypto/bn/bn_mod_sqrt.c 
@@ -0,0 +1,726 @@
+/* $OpenBSD: bn_mod_sqrt.c,v 1.1 2023/04/11 10:08:44 tb Exp $ */
+
+/*
+ * Copyright (c) 2022 Theo Buehler 
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include 
+
+#include "bn_local.h"
+
+/*
+ * Tonelli-Shanks according to H. Cohen "A Course in Computational Algebraic
+ * Number Theory", Section 1.5.1, Springer GTM volume 138, Berlin, 1996.
+ *
+ * Under the assumption that p is prime and a is a quadratic residue, we know:
+ *
+ * a^[(p-1)/2] = 1 (mod p). (*)
+ *
+ * To find a square root of a (mod p), we handle three cases of increasing
+ * complexity. In the first two cases, we can compute a square root using an
+ * explicit formula, thus avoiding the probabilistic nature of Tonelli-Shanks.
+ *
+ * 1. p = 3 (mod 4).
+ *
+ * Set n = (p+1)/4. Then 2n = 1 + (p-1)/2 and (*) shows that x = a^n (mod p)
+ * is a square root of a: x^2 = a^(2n) = a * a^[(p-1)/2] = a (mod p).
+ *
+ * 2. p = 5 (mod 8).
+ *
+ * This uses a simplification due to Atkin. By Theorem 1.4.7 and 1.4.9, the
+ * Kronecker symbol (2/p) evaluates to (-1)^[(p^2-1)/8]. From p = 5 (mod 8)
+ * we get (p^2-1)/8 = 1 (mod 2), so (2/p) = -1, and thus
+ *
+ * 2^[(p-1)/2] = -1 (mod p). (**)
+ *
+ * Set b = (2a)^[(p-5)/8]. 
With (p-1)/2 = 2 + (p-5)/2, (*) and (**) show
+ *
+ * i = 2 a b^2 is a square root of -1 (mod p).
+ *
+ * Indeed, i^2 = 2^2 a^2 b^4 = 2^[(p-1)/2] a^[(p-1)/2] = -1 (mod p). Because
+ * of (i-1)^2 = -2i (mod p) and i (-i) = 1 (mod p), a square root of a is
+ *
+ * x = a b (i-1)
+ *
+ * as x^2 = a^2 b^2 (-2i) = a (2 a b^2) (-i) = a (mod p).
+ *
+ * 3. p = 1 (mod 8).
+ *
+ * This is the Tonelli-Shanks algorithm. For a prime p, the multiplicative
+ * group of GF(p) is cyclic of order p - 1 = 2^s q, with odd q. Denote its
+ * 2-Sylow subgroup by S. It is cyclic of order 2^s. The squares in S have
+ * order dividing 2^(s-1). They are the even powers of any generator z of S.
+ * If a is a quadratic residue, 1 = a^[(p-1)/2] = (a^q)^[2^(s-1)], so b = a^q
+ * is a square in S. Therefore there is an integer k such that b z^(2k) = 1.
+ * Set x = a^[(q+1)/2] z^k, and find x^2 = a (mod p).
+ *
+ * The problem is thus reduced to finding a generator z of the 2-Sylow
+ * subgroup S of GF(p)* and finding k. An iterative constructions avoids
+ * the need for an explicit k, a generator is found by a randomized search.
+ *
+ * While we do not actually know that p is a prime number, we can still apply
+ * the formulas in cases 1 and 2 and verify that we have indeed found a square
+ * root of p. Similarly, in case 3, we can try to find a quadratic non-residue,
+ * which will fail for example if p is a square. The iterative construction
+ * may or may not find a candidate square root which we can then validate.
+ */
+
+/*
+ * Handle the cases where p is 2, p isn't odd or p is one. Since BN_mod_sqrt()
+ * can run on untrusted data, a primality check is too expensive. Also treat
+ * the obvious cases where a is 0 or 1. 
+ */
+
+static int
+bn_mod_sqrt_trivial_cases(int *done, BIGNUM *out_sqrt, const BIGNUM *a,
+ const BIGNUM *p, BN_CTX *ctx)
+{
+ *done = 1;
+
+ if (BN_abs_is_word(p, 2))
+ return BN_set_word(out_sqrt, BN_is_odd(a));
+
+ if (!BN_is_odd(p) || BN_abs_is_word(p, 1)) {
+ BNerror(BN_R_P_IS_NOT_PRIME);
+ return 0;
+ }
+
+ if (BN_is_zero(a) || BN_is_one(a))
+ return BN_set_word(out_sqrt, BN_is_one(a));
+
+ *done = 0;
+
+ return 1;
+}
+
+/*
+ * Case 1. We know that (a/p) = 1 and that p = 3 (mod 4).
+ */
+
+static int
+bn_mod_sqrt_p_is_3_mod_4(BIGNUM *out_sqrt, const BIGNUM *a, const BIGNUM *p,
+ BN_CTX *ctx)
+{
+ BIGNUM *n;
+ int ret = 0;
+
+ BN_CTX_start(ctx);
+
+ if ((n = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ /* Calculate n = (|p| + 1) / 4. */
+ if (!BN_uadd(n, p, BN_value_one()))
+ goto err;
+ if (!BN_rshift(n, n, 2))
+ goto err;
+
+ /* By case 1 above, out_sqrt = a^n is a square root of a (mod p). */
+ if (!BN_mod_exp_ct(out_sqrt, a, n, p, ctx))
+ goto err;
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+
+ return ret;
+}
+
+/*
+ * Case 2. We know that (a/p) = 1 and that p = 5 (mod 8).
+ */
+
+static int
+bn_mod_sqrt_p_is_5_mod_8(BIGNUM *out_sqrt, const BIGNUM *a, const BIGNUM *p,
+ BN_CTX *ctx)
+{
+ BIGNUM *b, *i, *n, *tmp;
+ int ret = 0;
+
+ BN_CTX_start(ctx);
+
+ if ((b = BN_CTX_get(ctx)) == NULL)
+ goto err;
+ if ((i = BN_CTX_get(ctx)) == NULL)
+ goto err;
+ if ((n = BN_CTX_get(ctx)) == NULL)
+ goto err;
+ if ((tmp = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ /* Calculate n = (|p| - 5) / 8. Since p = 5 (mod 8), simply shift. */
+ if (!BN_rshift(n, p, 3))
+ goto err;
+ BN_set_negative(n, 0);
+
+ /* Compute tmp = 2a (mod p) for later use. */
+ if (!BN_mod_lshift1(tmp, a, p, ctx))
+ goto err;
+
+ /* Calculate b = (2a)^n (mod p). */
+ if (!BN_mod_exp_ct(b, tmp, n, p, ctx))
+ goto err;
+
+ /* Calculate i = 2 a b^2 (mod p). */
+ if (!BN_mod_sqr(i, b, p, ctx))
+ goto err;
+ if (!BN_mod_mul(i, tmp, i, p, ctx))
+ goto err;
+
+ /* A square root is out_sqrt = a b (i-1) (mod p). 
*/
+ if (!BN_sub_word(i, 1))
+ goto err;
+ if (!BN_mod_mul(out_sqrt, a, b, p, ctx))
+ goto err;
+ if (!BN_mod_mul(out_sqrt, out_sqrt, i, p, ctx))
+ goto err;
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+
+ return ret;
+}
+
+/*
+ * Case 3. We know that (a/p) = 1 and that p = 1 (mod 8).
+ */
+
+/*
+ * Simple helper. To find a generator of the 2-Sylow subgroup of GF(p)*, we
+ * need to find a quadratic non-residue of p, i.e., n such that (n/p) = -1.
+ */
+
+static int
+bn_mod_sqrt_n_is_non_residue(int *is_non_residue, const BIGNUM *n,
+ const BIGNUM *p, BN_CTX *ctx)
+{
+ switch (BN_kronecker(n, p, ctx)) {
+ case -1:
+ *is_non_residue = 1;
+ return 1;
+ case 1:
+ *is_non_residue = 0;
+ return 1;
+ case 0:
+ /* n divides p, so ... */
+ BNerror(BN_R_P_IS_NOT_PRIME);
+ return 0;
+ default:
+ return 0;
+ }
+}
+
+/*
+ * The following is the only non-deterministic part preparing Tonelli-Shanks.
+ *
+ * If we find n such that (n/p) = -1, then n^q (mod p) is a generator of the
+ * 2-Sylow subgroup of GF(p)*. To find such n, first try some small numbers,
+ * then random ones. 
+ */
+
+static int
+bn_mod_sqrt_find_sylow_generator(BIGNUM *out_generator, const BIGNUM *p,
+ const BIGNUM *q, BN_CTX *ctx)
+{
+ BIGNUM *n, *p_abs, *thirty_two;
+ int i, is_non_residue;
+ int ret = 0;
+
+ BN_CTX_start(ctx);
+
+ if ((n = BN_CTX_get(ctx)) == NULL)
+ goto err;
+ if ((thirty_two = BN_CTX_get(ctx)) == NULL)
+ goto err;
+ if ((p_abs = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ for (i = 2; i < 32; i++) {
+ if (!BN_set_word(n, i))
+ goto err;
+ if (!bn_mod_sqrt_n_is_non_residue(&is_non_residue, n, p, ctx))
+ goto err;
+ if (is_non_residue)
+ goto found;
+ }
+
+ if (!BN_set_word(thirty_two, 32))
+ goto err;
+ if (!bn_copy(p_abs, p))
+ goto err;
+ BN_set_negative(p_abs, 0);
+
+ for (i = 0; i < 128; i++) {
+ if (!bn_rand_interval(n, thirty_two, p_abs))
+ goto err;
+ if (!bn_mod_sqrt_n_is_non_residue(&is_non_residue, n, p, ctx))
+ goto err;
+ if (is_non_residue)
+ goto found;
+ }
+
+ /*
+ * The probability to get here is < 2^(-128) for prime p. For squares
+ * it is easy: for p = 1369 = 37^2 this happens in ~3% of runs.
+ */
+
+ BNerror(BN_R_TOO_MANY_ITERATIONS);
+ goto err;
+
+ found:
+ /*
+ * If p is prime, n^q generates the 2-Sylow subgroup S of GF(p)*.
+ */
+
+ if (!BN_mod_exp_ct(out_generator, n, q, p, ctx))
+ goto err;
+
+ /* Sanity: p is not necessarily prime, so we could have found 0 or 1. */
+ if (BN_is_zero(out_generator) || BN_is_one(out_generator)) {
+ BNerror(BN_R_P_IS_NOT_PRIME);
+ goto err;
+ }
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+
+ return ret;
+}
+
+/*
+ * Initialization step for Tonelli-Shanks.
+ *
+ * In the end, b = a^q (mod p) and x = a^[(q+1)/2] (mod p). Cohen optimizes this
+ * to minimize taking powers of a. This is a bit confusing and distracting, so
+ * factor this into a separate function. 
+ */
+
+static int
+bn_mod_sqrt_tonelli_shanks_initialize(BIGNUM *b, BIGNUM *x, const BIGNUM *a,
+ const BIGNUM *p, const BIGNUM *q, BN_CTX *ctx)
+{
+ BIGNUM *k;
+ int ret = 0;
+
+ BN_CTX_start(ctx);
+
+ if ((k = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ /* k = (q-1)/2. Since q is odd, we can shift. */
+ if (!BN_rshift1(k, q))
+ goto err;
+
+ /* x = a^[(q-1)/2] (mod p). */
+ if (!BN_mod_exp_ct(x, a, k, p, ctx))
+ goto err;
+
+ /* b = ax^2 = a^q (mod p). */
+ if (!BN_mod_sqr(b, x, p, ctx))
+ goto err;
+ if (!BN_mod_mul(b, a, b, p, ctx))
+ goto err;
+
+ /* x = ax = a^[(q+1)/2] (mod p). */
+ if (!BN_mod_mul(x, a, x, p, ctx))
+ goto err;
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+
+ return ret;
+}
+
+/*
+ * Find smallest exponent m such that b^(2^m) = 1 (mod p). Assuming that a
+ * is a quadratic residue and p is a prime, we know that 1 <= m < r.
+ */
+
+static int
+bn_mod_sqrt_tonelli_shanks_find_exponent(int *out_exponent, const BIGNUM *b,
+ const BIGNUM *p, int r, BN_CTX *ctx)
+{
+ BIGNUM *x;
+ int m;
+ int ret = 0;
+
+ BN_CTX_start(ctx);
+
+ if ((x = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ /*
+ * If r <= 1, the Tonelli-Shanks iteration should have terminated as
+ * r == 1 implies b == 1.
+ */
+ if (r <= 1) {
+ BNerror(BN_R_P_IS_NOT_PRIME);
+ goto err;
+ }
+
+ /*
+ * Sanity check to ensure taking squares actually does something:
+ * If b is 1, the Tonelli-Shanks iteration should have terminated.
+ * If b is 0, something's very wrong, in particular p can't be prime.
+ */
+ if (BN_is_zero(b) || BN_is_one(b)) {
+ BNerror(BN_R_P_IS_NOT_PRIME);
+ goto err;
+ }
+
+ if (!bn_copy(x, b))
+ goto err;
+
+ for (m = 1; m < r; m++) {
+ if (!BN_mod_sqr(x, x, p, ctx))
+ goto err;
+ if (BN_is_one(x))
+ break;
+ }
+
+ if (m >= r) {
+ /* This means a is not a quadratic residue. As (a/p) = 1, ... */
+ BNerror(BN_R_P_IS_NOT_PRIME);
+ goto err;
+ }
+
+ *out_exponent = m;
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+
+ return ret;
+}
+
+/*
+ * The update step. 
With the minimal m such that b^(2^m) = 1 (mod m),
+ * set t = y^[2^(r-m-1)] (mod p) and update x = xt, y = t^2, b = by.
+ * This preserves the loop invariants a b = x^2, y^[2^(r-1)] = -1 and
+ * b^[2^(r-1)] = 1.
+ */
+
+static int
+bn_mod_sqrt_tonelli_shanks_update(BIGNUM *b, BIGNUM *x, BIGNUM *y,
+ const BIGNUM *p, int m, int r, BN_CTX *ctx)
+{
+ BIGNUM *t;
+ int ret = 0;
+
+ BN_CTX_start(ctx);
+
+ if ((t = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ /* t = y^[2^(r-m-1)] (mod p). */
+ if (!BN_set_bit(t, r - m - 1))
+ goto err;
+ if (!BN_mod_exp_ct(t, y, t, p, ctx))
+ goto err;
+
+ /* x = xt (mod p). */
+ if (!BN_mod_mul(x, x, t, p, ctx))
+ goto err;
+
+ /* y = t^2 = y^[2^(r-m)] (mod p). */
+ if (!BN_mod_sqr(y, t, p, ctx))
+ goto err;
+
+ /* b = by (mod p). */
+ if (!BN_mod_mul(b, b, y, p, ctx))
+ goto err;
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+
+ return ret;
+}
+
+static int
+bn_mod_sqrt_p_is_1_mod_8(BIGNUM *out_sqrt, const BIGNUM *a, const BIGNUM *p,
+ BN_CTX *ctx)
+{
+ BIGNUM *b, *q, *x, *y;
+ int e, m, r;
+ int ret = 0;
+
+ BN_CTX_start(ctx);
+
+ if ((b = BN_CTX_get(ctx)) == NULL)
+ goto err;
+ if ((q = BN_CTX_get(ctx)) == NULL)
+ goto err;
+ if ((x = BN_CTX_get(ctx)) == NULL)
+ goto err;
+ if ((y = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ /*
+ * Factor p - 1 = 2^e q with odd q. Since p = 1 (mod 8), we know e >= 3.
+ */
+
+ e = 1;
+ while (!BN_is_bit_set(p, e))
+ e++;
+ if (!BN_rshift(q, p, e))
+ goto err;
+
+ if (!bn_mod_sqrt_find_sylow_generator(y, p, q, ctx))
+ goto err;
+
+ /*
+ * Set b = a^q (mod p) and x = a^[(q+1)/2] (mod p).
+ */
+ if (!bn_mod_sqrt_tonelli_shanks_initialize(b, x, a, p, q, ctx))
+ goto err;
+
+ /*
+ * The Tonelli-Shanks iteration. Starting with r = e, the following loop
+ * invariants hold at the start of the loop.
+ *
+ * a b = x^2 (mod p)
+ * y^[2^(r-1)] = -1 (mod p)
+ * b^[2^(r-1)] = 1 (mod p)
+ *
+ * In particular, if b = 1 (mod p), x is a square root of a. 
+ * + * Since p - 1 = 2^e q, we have 2^(e-1) q = (p - 1) / 2, so in the first + * iteration this follows from (a/p) = 1, (n/p) = -1, y = n^q, b = a^q. + * + * In subsequent iterations, t = y^[2^(r-m-1)], where m is the smallest + * m such that b^(2^m) = 1. With x = xt (mod p) and b = bt^2 (mod p) the + * first invariant is preserved, the second and third follow from + * y = t^2 (mod p) and r = m as well as the choice of m. + * + * Finally, r is strictly decreasing in each iteration. If p is prime, + * let S be the 2-Sylow subgroup of GF(p)*. We can prove the algorithm + * stops: Let S_r be the subgroup of S consisting of elements of order + * dividing 2^r. Then S_r = and b is in S_(r-1). The S_r form a + * descending filtration of S and when r = 1, then b = 1. + */ + + for (r = e; r >= 1; r = m) { + /* + * Termination condition. If b == 1 then x is a square root. + */ + if (BN_is_one(b)) + goto done; + + /* Find smallest exponent 1 <= m < r such that b^(2^m) == 1. */ + if (!bn_mod_sqrt_tonelli_shanks_find_exponent(&m, b, p, r, ctx)) + goto err; + + /* + * With t = y^[2^(r-m-1)], update x = xt, y = t^2, b = by. + */ + if (!bn_mod_sqrt_tonelli_shanks_update(b, x, y, p, m, r, ctx)) + goto err; + + /* + * Sanity check to make sure we don't loop indefinitely. + * bn_mod_sqrt_tonelli_shanks_find_exponent() ensures m < r. + */ + if (r <= m) + goto err; + } + + /* + * If p is prime, we should not get here. + */ + + BNerror(BN_R_NOT_A_SQUARE); + goto err; + + done: + if (!bn_copy(out_sqrt, x)) + goto err; + + ret = 1; + + err: + BN_CTX_end(ctx); + + return ret; +} + +/* + * Choose the smaller of sqrt and |p| - sqrt. 
+ */
+
+static int
+bn_mod_sqrt_normalize(BIGNUM *sqrt, const BIGNUM *p, BN_CTX *ctx)
+{
+ BIGNUM *x;
+ int ret = 0;
+
+ BN_CTX_start(ctx);
+
+ if ((x = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ if (!BN_lshift1(x, sqrt))
+ goto err;
+
+ if (BN_ucmp(x, p) > 0) {
+ if (!BN_usub(sqrt, p, sqrt))
+ goto err;
+ }
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+
+ return ret;
+}
+
+/*
+ * Verify that a = (sqrt_a)^2 (mod p). Requires that a is reduced (mod p).
+ */
+
+static int
+bn_mod_sqrt_verify(const BIGNUM *a, const BIGNUM *sqrt_a, const BIGNUM *p,
+ BN_CTX *ctx)
+{
+ BIGNUM *x;
+ int ret = 0;
+
+ BN_CTX_start(ctx);
+
+ if ((x = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ if (!BN_mod_sqr(x, sqrt_a, p, ctx))
+ goto err;
+
+ if (BN_cmp(x, a) != 0) {
+ BNerror(BN_R_NOT_A_SQUARE);
+ goto err;
+ }
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+
+ return ret;
+}
+
+static int
+bn_mod_sqrt_internal(BIGNUM *out_sqrt, const BIGNUM *a, const BIGNUM *p,
+ BN_CTX *ctx)
+{
+ BIGNUM *a_mod_p, *sqrt;
+ BN_ULONG lsw;
+ int done;
+ int kronecker;
+ int ret = 0;
+
+ BN_CTX_start(ctx);
+
+ if ((a_mod_p = BN_CTX_get(ctx)) == NULL)
+ goto err;
+ if ((sqrt = BN_CTX_get(ctx)) == NULL)
+ goto err;
+
+ if (!BN_nnmod(a_mod_p, a, p, ctx))
+ goto err;
+
+ if (!bn_mod_sqrt_trivial_cases(&done, sqrt, a_mod_p, p, ctx))
+ goto err;
+ if (done)
+ goto verify;
+
+ /*
+ * Make sure that the Kronecker symbol (a/p) == 1. In case p is prime
+ * this is equivalent to a having a square root (mod p). The cost of
+ * BN_kronecker() is O(log^2(n)). This is small compared to the cost
+ * O(log^4(n)) of Tonelli-Shanks.
+ */
+
+ if ((kronecker = BN_kronecker(a_mod_p, p, ctx)) == -2)
+ goto err;
+ if (kronecker <= 0) {
+ /* This error is only accurate if p is known to be a prime.
*/ + BNerror(BN_R_NOT_A_SQUARE); + goto err; + } + + lsw = BN_lsw(p); + + if (lsw % 4 == 3) { + if (!bn_mod_sqrt_p_is_3_mod_4(sqrt, a_mod_p, p, ctx)) + goto err; + } else if (lsw % 8 == 5) { + if (!bn_mod_sqrt_p_is_5_mod_8(sqrt, a_mod_p, p, ctx)) + goto err; + } else if (lsw % 8 == 1) { + if (!bn_mod_sqrt_p_is_1_mod_8(sqrt, a_mod_p, p, ctx)) + goto err; + } else { + /* Impossible to hit since the trivial cases ensure p is odd. */ + BNerror(BN_R_P_IS_NOT_PRIME); + goto err; + } + + if (!bn_mod_sqrt_normalize(sqrt, p, ctx)) + goto err; + + verify: + if (!bn_mod_sqrt_verify(a_mod_p, sqrt, p, ctx)) + goto err; + + if (!bn_copy(out_sqrt, sqrt)) + goto err; + + ret = 1; + + err: + BN_CTX_end(ctx); + + return ret; +} + +BIGNUM * +BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) +{ + BIGNUM *out_sqrt; + + if ((out_sqrt = in) == NULL) + out_sqrt = BN_new(); + if (out_sqrt == NULL) + goto err; + + if (!bn_mod_sqrt_internal(out_sqrt, a, p, ctx)) + goto err; + + return out_sqrt; + + err: + if (out_sqrt != in) + BN_free(out_sqrt); + + return NULL; +} diff --git a/crypto/bn/bn_mont.c b/crypto/bn/bn_mont.c index e01af70..6194e09 100644 --- a/crypto/bn/bn_mont.c +++ b/crypto/bn/bn_mont.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_mont.c,v 1.28 2022/02/07 19:44:23 tb Exp $ */ +/* $OpenBSD: bn_mont.c,v 1.59 2023/04/30 05:21:20 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -118,430 +118,455 @@ #include #include +#include -#include "bn_lcl.h" - -#define MONT_WORD /* use the faster word-based algorithm */ - -#ifdef MONT_WORD -static int BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont); -#endif - -int -BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - BN_MONT_CTX *mont, BN_CTX *ctx) -{ - BIGNUM *tmp; - int ret = 0; -#if defined(OPENSSL_BN_ASM_MONT) && defined(MONT_WORD) - int num = mont->N.top; - - if (num > 1 && a->top == num && b->top == num) { - if (bn_wexpand(r, num) == NULL) - return (0); - if (bn_mul_mont(r->d, a->d, b->d, mont->N.d, mont->n0, num)) { - r->neg = a->neg^b->neg; - r->top = num; - bn_correct_top(r); - return (1); - } - } -#endif - - BN_CTX_start(ctx); - if ((tmp = BN_CTX_get(ctx)) == NULL) - goto err; - - bn_check_top(tmp); - if (a == b) { - if (!BN_sqr(tmp, a, ctx)) - goto err; - } else { - if (!BN_mul(tmp, a,b, ctx)) - goto err; - } - /* reduce from aRR to aR */ -#ifdef MONT_WORD - if (!BN_from_montgomery_word(r, tmp, mont)) - goto err; -#else - if (!BN_from_montgomery(r, tmp, mont, ctx)) - goto err; -#endif - bn_check_top(r); - ret = 1; -err: - BN_CTX_end(ctx); - return (ret); -} - -int -BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx) -{ - return BN_mod_mul_montgomery(r, a, &mont->RR, mont, ctx); -} - -#ifdef MONT_WORD -static int -BN_from_montgomery_word(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mont) -{ - BIGNUM *n; - BN_ULONG *ap, *np, *rp, n0, v, carry; - int nl, max, i; - - n = &(mont->N); - nl = n->top; - if (nl == 0) { - ret->top = 0; - return (1); - } - - max = (2 * nl); /* carry is stored separately */ - if (bn_wexpand(r, max) == NULL) - return (0); - - r->neg ^= n->neg; - np = n->d; - rp = r->d; - - /* clear the top words of T */ -#if 1 - for (i=r->top; itop]), 0, (max - r->top) * sizeof(BN_ULONG)); -#endif - - r->top = max; - n0 = mont->n0[0]; - -#ifdef BN_COUNT - fprintf(stderr, "word BN_from_montgomery_word %d * %d\n", nl, nl); -#endif - 
for (carry = 0, i = 0; i < nl; i++, rp++) { - v = bn_mul_add_words(rp, np, nl, (rp[0] * n0) & BN_MASK2); - v = (v + carry + rp[nl]) & BN_MASK2; - carry |= (v != rp[nl]); - carry &= (v <= rp[nl]); - rp[nl] = v; - } - - if (bn_wexpand(ret, nl) == NULL) - return (0); - ret->top = nl; - ret->neg = r->neg; - - rp = ret->d; - ap = &(r->d[nl]); - -#define BRANCH_FREE 1 -#if BRANCH_FREE - { - BN_ULONG *nrp; - size_t m; - - v = bn_sub_words(rp, ap, np, nl) - carry; - /* if subtraction result is real, then - * trick unconditional memcpy below to perform in-place - * "refresh" instead of actual copy. */ - m = (0 - (size_t)v); - nrp = (BN_ULONG *)(((uintptr_t)rp & ~m)|((uintptr_t)ap & m)); - - for (i = 0, nl -= 4; i < nl; i += 4) { - BN_ULONG t1, t2, t3, t4; - - t1 = nrp[i + 0]; - t2 = nrp[i + 1]; - t3 = nrp[i + 2]; - ap[i + 0] = 0; - t4 = nrp[i + 3]; - ap[i + 1] = 0; - rp[i + 0] = t1; - ap[i + 2] = 0; - rp[i + 1] = t2; - ap[i + 3] = 0; - rp[i + 2] = t3; - rp[i + 3] = t4; - } - for (nl += 4; i < nl; i++) - rp[i] = nrp[i], ap[i] = 0; - } -#else - if (bn_sub_words (rp, ap, np, nl) - carry) - memcpy(rp, ap, nl*sizeof(BN_ULONG)); -#endif - bn_correct_top(r); - bn_correct_top(ret); - bn_check_top(ret); - - return (1); -} -#endif /* MONT_WORD */ - -int -BN_from_montgomery(BIGNUM *ret, const BIGNUM *a, BN_MONT_CTX *mont, BN_CTX *ctx) -{ - int retn = 0; -#ifdef MONT_WORD - BIGNUM *t; - - BN_CTX_start(ctx); - if ((t = BN_CTX_get(ctx)) && BN_copy(t, a)) - retn = BN_from_montgomery_word(ret, t, mont); - BN_CTX_end(ctx); -#else /* !MONT_WORD */ - BIGNUM *t1, *t2; - - BN_CTX_start(ctx); - if ((t1 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((t2 = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_copy(t1, a)) - goto err; - BN_mask_bits(t1, mont->ri); - - if (!BN_mul(t2, t1, &mont->Ni, ctx)) - goto err; - BN_mask_bits(t2, mont->ri); - - if (!BN_mul(t1, t2, &mont->N, ctx)) - goto err; - if (!BN_add(t2, a, t1)) - goto err; - if (!BN_rshift(ret, t2, mont->ri)) - goto err; - - if (BN_ucmp(ret, 
&(mont->N)) >= 0) { - if (!BN_usub(ret, ret, &(mont->N))) - goto err; - } - retn = 1; - bn_check_top(ret); - -err: - BN_CTX_end(ctx); -#endif /* MONT_WORD */ - return (retn); -} +#include "bn_internal.h" +#include "bn_local.h" BN_MONT_CTX * BN_MONT_CTX_new(void) { - BN_MONT_CTX *ret; + BN_MONT_CTX *mctx; - if ((ret = malloc(sizeof(BN_MONT_CTX))) == NULL) - return (NULL); + if ((mctx = calloc(1, sizeof(BN_MONT_CTX))) == NULL) + return NULL; + mctx->flags = BN_FLG_MALLOCED; - BN_MONT_CTX_init(ret); - ret->flags = BN_FLG_MALLOCED; - return (ret); + BN_init(&mctx->RR); + BN_init(&mctx->N); + + return mctx; } void -BN_MONT_CTX_init(BN_MONT_CTX *ctx) +BN_MONT_CTX_free(BN_MONT_CTX *mctx) { - ctx->ri = 0; - BN_init(&(ctx->RR)); - BN_init(&(ctx->N)); - BN_init(&(ctx->Ni)); - ctx->n0[0] = ctx->n0[1] = 0; - ctx->flags = 0; -} - -void -BN_MONT_CTX_free(BN_MONT_CTX *mont) -{ - if (mont == NULL) + if (mctx == NULL) return; - BN_clear_free(&(mont->RR)); - BN_clear_free(&(mont->N)); - BN_clear_free(&(mont->Ni)); - if (mont->flags & BN_FLG_MALLOCED) - free(mont); + BN_free(&mctx->RR); + BN_free(&mctx->N); + + if (mctx->flags & BN_FLG_MALLOCED) + free(mctx); +} + +BN_MONT_CTX * +BN_MONT_CTX_copy(BN_MONT_CTX *dst, BN_MONT_CTX *src) +{ + if (dst == src) + return dst; + + if (!bn_copy(&dst->RR, &src->RR)) + return NULL; + if (!bn_copy(&dst->N, &src->N)) + return NULL; + + dst->ri = src->ri; + dst->n0[0] = src->n0[0]; + dst->n0[1] = src->n0[1]; + + return dst; } int BN_MONT_CTX_set(BN_MONT_CTX *mont, const BIGNUM *mod, BN_CTX *ctx) { + BIGNUM *N, *Ninv, *Rinv, *R; int ret = 0; - BIGNUM *Ri, *R; - - if (BN_is_zero(mod)) - return 0; BN_CTX_start(ctx); - if ((Ri = BN_CTX_get(ctx)) == NULL) + + if ((N = BN_CTX_get(ctx)) == NULL) goto err; - R = &(mont->RR); /* grab RR as a temp */ - if (!BN_copy(&(mont->N), mod)) - goto err; /* Set N */ + if ((Ninv = BN_CTX_get(ctx)) == NULL) + goto err; + if ((R = BN_CTX_get(ctx)) == NULL) + goto err; + if ((Rinv = BN_CTX_get(ctx)) == NULL) + goto err; + + 
/* Save modulus and determine length of R. */ + if (BN_is_zero(mod)) + goto err; + if (!bn_copy(&mont->N, mod)) + goto err; mont->N.neg = 0; - -#ifdef MONT_WORD - { - BIGNUM tmod; - BN_ULONG buf[2]; - - BN_init(&tmod); - tmod.d = buf; - tmod.dmax = 2; - tmod.neg = 0; - - mont->ri = (BN_num_bits(mod) + - (BN_BITS2 - 1)) / BN_BITS2 * BN_BITS2; - -#if defined(OPENSSL_BN_ASM_MONT) && (BN_BITS2<=32) - /* Only certain BN_BITS2<=32 platforms actually make use of - * n0[1], and we could use the #else case (with a shorter R - * value) for the others. However, currently only the assembler - * files do know which is which. */ - - BN_zero(R); - if (!(BN_set_bit(R, 2 * BN_BITS2))) - goto err; - - tmod.top = 0; - if ((buf[0] = mod->d[0])) - tmod.top = 1; - if ((buf[1] = mod->top > 1 ? mod->d[1] : 0)) - tmod.top = 2; - - if ((BN_mod_inverse_ct(Ri, R, &tmod, ctx)) == NULL) - goto err; - if (!BN_lshift(Ri, Ri, 2 * BN_BITS2)) - goto err; /* R*Ri */ - if (!BN_is_zero(Ri)) { - if (!BN_sub_word(Ri, 1)) - goto err; - } - else /* if N mod word size == 1 */ - { - if (bn_expand(Ri, (int)sizeof(BN_ULONG) * 2) == NULL) - goto err; - /* Ri-- (mod double word size) */ - Ri->neg = 0; - Ri->d[0] = BN_MASK2; - Ri->d[1] = BN_MASK2; - Ri->top = 2; - } - if (!BN_div_ct(Ri, NULL, Ri, &tmod, ctx)) - goto err; - /* Ni = (R*Ri-1)/N, - * keep only couple of least significant words: */ - mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0; - mont->n0[1] = (Ri->top > 1) ? Ri->d[1] : 0; -#else - BN_zero(R); - if (!(BN_set_bit(R, BN_BITS2))) - goto err; /* R */ - - buf[0] = mod->d[0]; /* tmod = N mod word size */ - buf[1] = 0; - tmod.top = buf[0] != 0 ? 
1 : 0; - /* Ri = R^-1 mod N*/ - if ((BN_mod_inverse_ct(Ri, R, &tmod, ctx)) == NULL) - goto err; - if (!BN_lshift(Ri, Ri, BN_BITS2)) - goto err; /* R*Ri */ - if (!BN_is_zero(Ri)) { - if (!BN_sub_word(Ri, 1)) - goto err; - } - else /* if N mod word size == 1 */ - { - if (!BN_set_word(Ri, BN_MASK2)) - goto err; /* Ri-- (mod word size) */ - } - if (!BN_div_ct(Ri, NULL, Ri, &tmod, ctx)) - goto err; - /* Ni = (R*Ri-1)/N, - * keep only least significant word: */ - mont->n0[0] = (Ri->top > 0) ? Ri->d[0] : 0; - mont->n0[1] = 0; -#endif - } -#else /* !MONT_WORD */ - { /* bignum version */ - mont->ri = BN_num_bits(&mont->N); - BN_zero(R); - if (!BN_set_bit(R, mont->ri)) - goto err; /* R = 2^ri */ - /* Ri = R^-1 mod N*/ - if ((BN_mod_inverse_ct(Ri, R, &mont->N, ctx)) == NULL) - goto err; - if (!BN_lshift(Ri, Ri, mont->ri)) - goto err; /* R*Ri */ - if (!BN_sub_word(Ri, 1)) - goto err; - /* Ni = (R*Ri-1) / N */ - if (!BN_div_ct(&(mont->Ni), NULL, Ri, &mont->N, ctx)) - goto err; - } -#endif - - /* setup RR for conversions */ - BN_zero(&(mont->RR)); - if (!BN_set_bit(&(mont->RR), mont->ri*2)) + mont->ri = ((BN_num_bits(mod) + BN_BITS2 - 1) / BN_BITS2) * BN_BITS2; + if (mont->ri * 2 < mont->ri) goto err; - if (!BN_mod_ct(&(mont->RR), &(mont->RR), &(mont->N), ctx)) + + /* + * Compute Ninv = (R * Rinv - 1)/N mod R, for R = 2^64. This provides + * a single or double word result (dependent on BN word size), that is + * later used to implement Montgomery reduction. + */ + BN_zero(R); + if (!BN_set_bit(R, 64)) + goto err; + + /* N = N mod R. 
*/ + if (!bn_wexpand(N, 2)) + goto err; + if (!BN_set_word(N, mod->d[0])) + goto err; +#if BN_BITS2 == 32 + if (mod->top > 1) { + N->d[1] = mod->d[1]; + N->top += bn_ct_ne_zero(N->d[1]); + } +#endif + + /* Rinv = R^-1 mod N */ + if ((BN_mod_inverse_ct(Rinv, R, N, ctx)) == NULL) + goto err; + + /* Ninv = (R * Rinv - 1) / N */ + if (!BN_lshift(Ninv, Rinv, 64)) + goto err; + if (BN_is_zero(Ninv)) { + /* R * Rinv == 0, set to R so that R * Rinv - 1 is mod R. */ + if (!BN_set_bit(Ninv, 64)) + goto err; + } + if (!BN_sub_word(Ninv, 1)) + goto err; + if (!BN_div_ct(Ninv, NULL, Ninv, N, ctx)) + goto err; + + /* Store least significant word(s) of Ninv. */ + mont->n0[0] = mont->n0[1] = 0; + if (Ninv->top > 0) + mont->n0[0] = Ninv->d[0]; +#if BN_BITS2 == 32 + /* Some BN_BITS2 == 32 platforms (namely parisc) use two words of Ninv. */ + if (Ninv->top > 1) + mont->n0[1] = Ninv->d[1]; +#endif + + /* Compute RR = R * R mod N, for use when converting to Montgomery form. */ + BN_zero(&mont->RR); + if (!BN_set_bit(&mont->RR, mont->ri * 2)) + goto err; + if (!BN_mod_ct(&mont->RR, &mont->RR, &mont->N, ctx)) goto err; ret = 1; - -err: + err: BN_CTX_end(ctx); + return ret; } BN_MONT_CTX * -BN_MONT_CTX_copy(BN_MONT_CTX *to, BN_MONT_CTX *from) -{ - if (to == from) - return (to); - - if (!BN_copy(&(to->RR), &(from->RR))) - return NULL; - if (!BN_copy(&(to->N), &(from->N))) - return NULL; - if (!BN_copy(&(to->Ni), &(from->Ni))) - return NULL; - to->ri = from->ri; - to->n0[0] = from->n0[0]; - to->n0[1] = from->n0[1]; - return (to); -} - -BN_MONT_CTX * -BN_MONT_CTX_set_locked(BN_MONT_CTX **pmont, int lock, const BIGNUM *mod, +BN_MONT_CTX_set_locked(BN_MONT_CTX **pmctx, int lock, const BIGNUM *mod, BN_CTX *ctx) { - int got_write_lock = 0; - BN_MONT_CTX *ret; + BN_MONT_CTX *mctx = NULL; CRYPTO_r_lock(lock); - if (!*pmont) { - CRYPTO_r_unlock(lock); - CRYPTO_w_lock(lock); - got_write_lock = 1; + mctx = *pmctx; + CRYPTO_r_unlock(lock); - if (!*pmont) { - ret = BN_MONT_CTX_new(); - if (ret && 
!BN_MONT_CTX_set(ret, mod, ctx)) - BN_MONT_CTX_free(ret); - else - *pmont = ret; - } + if (mctx != NULL) + goto done; + + if ((mctx = BN_MONT_CTX_new()) == NULL) + goto err; + if (!BN_MONT_CTX_set(mctx, mod, ctx)) + goto err; + + CRYPTO_w_lock(lock); + if (*pmctx != NULL) { + /* Someone else raced us... */ + BN_MONT_CTX_free(mctx); + mctx = *pmctx; + } else { + *pmctx = mctx; + } + CRYPTO_w_unlock(lock); + + goto done; + err: + BN_MONT_CTX_free(mctx); + mctx = NULL; + done: + return mctx; +} + +static int bn_montgomery_reduce(BIGNUM *ret, BIGNUM *r, BN_MONT_CTX *mctx); + +static int +bn_mod_mul_montgomery_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + BN_MONT_CTX *mctx, BN_CTX *ctx) +{ + BIGNUM *tmp; + int ret = 0; + + BN_CTX_start(ctx); + + if ((tmp = BN_CTX_get(ctx)) == NULL) + goto err; + + if (a == b) { + if (!BN_sqr(tmp, a, ctx)) + goto err; + } else { + if (!BN_mul(tmp, a, b, ctx)) + goto err; } - ret = *pmont; + /* Reduce from aRR to aR. */ + if (!bn_montgomery_reduce(r, tmp, mctx)) + goto err; - if (got_write_lock) - CRYPTO_w_unlock(lock); - else - CRYPTO_r_unlock(lock); + ret = 1; + err: + BN_CTX_end(ctx); + + return ret; +} + +/* + * bn_montgomery_multiply_words() computes r = aR * bR * R^-1 = abR for the + * given word arrays. The caller must ensure that rp, ap, bp and np are all + * n_len words in length, while tp must be n_len * 2 + 2 words in length. + */ +void +bn_montgomery_multiply_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, + const BN_ULONG *np, BN_ULONG *tp, BN_ULONG n0, int n_len) +{ + BN_ULONG a0, b, carry_a, carry_n, carry, mask, w, x; + int i, j; + + carry_a = carry_n = carry = 0; + + for (i = 0; i < n_len; i++) + tp[i] = 0; + + a0 = ap[0]; + + for (i = 0; i < n_len; i++) { + b = bp[i]; + + /* Compute new t[0] * n0, as we need it inside the loop. 
*/ + w = (a0 * b + tp[0]) * n0; + + for (j = 0; j < n_len; j++) { + bn_mulw_addw_addw(ap[j], b, tp[j], carry_a, &carry_a, &x); + bn_mulw_addw_addw(np[j], w, x, carry_n, &carry_n, &tp[j]); + } + bn_addw_addw(carry_a, carry_n, carry, &carry, &tp[n_len]); + carry_a = carry_n = 0; + + tp++; + } + tp[n_len] = carry; + + /* + * The output is now in the range of [0, 2N). Attempt to reduce once by + * subtracting the modulus. If the reduction was necessary then the + * result is already in r, otherwise copy the value prior to reduction + * from tp. + */ + mask = bn_ct_ne_zero(tp[n_len]) - bn_sub_words(rp, tp, np, n_len); + + for (i = 0; i < n_len; i++) { + *rp = (*rp & ~mask) | (*tp & mask); + rp++; + tp++; + } +} + +/* + * bn_montgomery_multiply() computes r = aR * bR * R^-1 = abR for the given + * BIGNUMs. The caller must ensure that the modulus is two or more words in + * length and that a and b have the same number of words as the modulus. + */ +int +bn_montgomery_multiply(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + BN_MONT_CTX *mctx, BN_CTX *ctx) +{ + BIGNUM *t; + int ret = 0; + + BN_CTX_start(ctx); + + if (mctx->N.top <= 1 || a->top != mctx->N.top || b->top != mctx->N.top) + goto err; + if (!bn_wexpand(r, mctx->N.top)) + goto err; + + if ((t = BN_CTX_get(ctx)) == NULL) + goto err; + if (!bn_wexpand(t, mctx->N.top * 2 + 2)) + goto err; + + bn_montgomery_multiply_words(r->d, a->d, b->d, mctx->N.d, t->d, + mctx->n0[0], mctx->N.top); + + r->top = mctx->N.top; + bn_correct_top(r); + + BN_set_negative(r, a->neg ^ b->neg); + + ret = 1; + err: + BN_CTX_end(ctx); + + return ret; +} + +#ifndef OPENSSL_BN_ASM_MONT +int +bn_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + BN_MONT_CTX *mctx, BN_CTX *ctx) +{ + if (mctx->N.top <= 1 || a->top != mctx->N.top || b->top != mctx->N.top) + return bn_mod_mul_montgomery_simple(r, a, b, mctx, ctx); + + return bn_montgomery_multiply(r, a, b, mctx, ctx); +} +#else + +int +bn_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, 
const BIGNUM *b, + BN_MONT_CTX *mctx, BN_CTX *ctx) +{ + if (mctx->N.top <= 1 || a->top != mctx->N.top || b->top != mctx->N.top) + return bn_mod_mul_montgomery_simple(r, a, b, mctx, ctx); + + /* + * Legacy bn_mul_mont() performs stack based allocation, without + * size limitation. Allowing a large size results in the stack + * being blown. + */ + if (mctx->N.top > (8 * 1024 / sizeof(BN_ULONG))) + return bn_montgomery_multiply(r, a, b, mctx, ctx); + + if (!bn_wexpand(r, mctx->N.top)) + return 0; + + /* + * Legacy bn_mul_mont() can indicate that we should "fallback" to + * another implementation. + */ + if (!bn_mul_mont(r->d, a->d, b->d, mctx->N.d, mctx->n0, mctx->N.top)) + return bn_montgomery_multiply(r, a, b, mctx, ctx); + + r->top = mctx->N.top; + bn_correct_top(r); + + BN_set_negative(r, a->neg ^ b->neg); + + return (1); +} +#endif + +int +BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, + BN_MONT_CTX *mctx, BN_CTX *ctx) +{ + /* Compute r = aR * bR * R^-1 mod N = abR mod N */ + return bn_mod_mul_montgomery(r, a, b, mctx, ctx); +} + +int +BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mctx, BN_CTX *ctx) +{ + /* Compute r = a * R * R * R^-1 mod N = aR mod N */ + return bn_mod_mul_montgomery(r, a, &mctx->RR, mctx, ctx); +} + +/* + * bn_montgomery_reduce() performs Montgomery reduction, reducing the input + * from its Montgomery form aR to a, returning the result in r. Note that the + * input is mutated in the process of performing the reduction, destroying its + * original value. + */ +static int +bn_montgomery_reduce(BIGNUM *r, BIGNUM *a, BN_MONT_CTX *mctx) +{ + BIGNUM *n; + BN_ULONG *ap, *rp, n0, v, carry, mask; + int i, max, n_len; + + n = &mctx->N; + n_len = mctx->N.top; + + if (n_len == 0) { + BN_zero(r); + return 1; + } + + if (!bn_wexpand(r, n_len)) + return 0; + + /* + * Expand a to twice the length of the modulus, zero if necessary. + * XXX - make this a requirement of the caller. 
+ */ + if ((max = 2 * n_len) < n_len) + return 0; + if (!bn_wexpand(a, max)) + return 0; + for (i = a->top; i < max; i++) + a->d[i] = 0; + + carry = 0; + n0 = mctx->n0[0]; + + /* Add multiples of the modulus, so that it becomes divisible by R. */ + for (i = 0; i < n_len; i++) { + v = bn_mul_add_words(&a->d[i], n->d, n_len, a->d[i] * n0); + bn_addw_addw(v, a->d[i + n_len], carry, &carry, + &a->d[i + n_len]); + } + + /* Divide by R (this is the equivalent of right shifting by n_len). */ + ap = &a->d[n_len]; + + /* + * The output is now in the range of [0, 2N). Attempt to reduce once by + * subtracting the modulus. If the reduction was necessary then the + * result is already in r, otherwise copy the value prior to reduction + * from the top half of a. + */ + mask = carry - bn_sub_words(r->d, ap, n->d, n_len); + + rp = r->d; + for (i = 0; i < n_len; i++) { + *rp = (*rp & ~mask) | (*ap & mask); + rp++; + ap++; + } + r->top = n_len; + + bn_correct_top(r); + + BN_set_negative(r, a->neg ^ n->neg); + + return 1; +} + +int +BN_from_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mctx, BN_CTX *ctx) +{ + BIGNUM *tmp; + int ret = 0; + + BN_CTX_start(ctx); + + if ((tmp = BN_CTX_get(ctx)) == NULL) + goto err; + if (!bn_copy(tmp, a)) + goto err; + if (!bn_montgomery_reduce(r, tmp, mctx)) + goto err; + + ret = 1; + err: + BN_CTX_end(ctx); return ret; } diff --git a/crypto/bn/bn_mpi.c b/crypto/bn/bn_mpi.c deleted file mode 100644 index 4801192..0000000 --- a/crypto/bn/bn_mpi.c +++ /dev/null 
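Review bot: The overflow guards in the new code are written as signed arithmetic checked after the fact — `if ((max = 2 * n_len) < n_len)` in bn_montgomery_reduce(), where n_len is declared `int`, and `if (mont->ri * 2 < mont->ri)` in BN_MONT_CTX_set() — so the multiplication overflows (undefined behaviour in C) before the comparison runs, and a compiler is entitled to delete the branch. Compare against the limit before multiplying instead: `if (n_len > INT_MAX / 2) return 0;` and `if (mont->ri > INT_MAX / 2) goto err;`, which needs `<limits.h>` in the include block at the top of the hunk. The type of ri is not visible in this hunk; if it is an int as n_len is, the same reasoning applies, and the guard is what protects the later `BN_set_bit(&mont->RR, mont->ri * 2)` call. Both sizes are far beyond any practical modulus, so this is a hardening/UB point rather than a reachable bug, but the current form gives no guarantee at all under optimisation.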
@@ -1,132 +0,0 @@ -/* $OpenBSD: bn_mpi.c,v 1.8 2017/01/29 17:49:22 beck Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). 
- * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#include - -#include - -#include "bn_lcl.h" - -int -BN_bn2mpi(const BIGNUM *a, unsigned char *d) -{ - int bits; - int num = 0; - int ext = 0; - long l; - - bits = BN_num_bits(a); - num = (bits + 7) / 8; - if (bits > 0) { - ext = ((bits & 0x07) == 0); - } - if (d == NULL) - return (num + 4 + ext); - - l = num + ext; - d[0] = (unsigned char)(l >> 24) & 0xff; - d[1] = (unsigned char)(l >> 16) & 0xff; - d[2] = (unsigned char)(l >> 8) & 0xff; - d[3] = (unsigned char)(l) & 0xff; - if (ext) - d[4] = 0; - num = BN_bn2bin(a, &(d[4 + ext])); - if (a->neg) - d[4] |= 0x80; - return (num + 4 + ext); -} - -BIGNUM * -BN_mpi2bn(const unsigned char *d, int n, BIGNUM *a) -{ - long len; - int neg = 0; - - if (n < 4) { - BNerror(BN_R_INVALID_LENGTH); - return (NULL); - } - len = ((long)d[0] << 24) | ((long)d[1] << 16) | ((int)d[2] << 8) | - (int)d[3]; - if ((len + 4) != n) { - BNerror(BN_R_ENCODING_ERROR); - return (NULL); - } - - if (a == NULL) - a = BN_new(); - if (a == NULL) - return (NULL); - - if (len == 0) { - a->neg = 0; - a->top = 0; - return (a); - } - d += 4; - if ((*d) & 0x80) - neg = 1; - if (BN_bin2bn(d, (int)len, a) == NULL) - return (NULL); - a->neg = neg; - if (neg) { - BN_clear_bit(a, BN_num_bits(a) - 1); - } - bn_check_top(a); - return (a); -} diff --git a/crypto/bn/bn_mul.c b/crypto/bn/bn_mul.c index 7794d59..118e8cd 100644 --- a/crypto/bn/bn_mul.c +++ b/crypto/bn/bn_mul.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_mul.c,v 1.20 2015/02/09 15:49:22 jsing Exp $ */ +/* $OpenBSD: bn_mul.c,v 1.37 2023/04/19 10:51:22 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -56,1055 +56,224 @@ * [including the GNU Public Licence.] */ -#ifndef BN_DEBUG -# undef NDEBUG /* avoid conflicting definitions */ -# define NDEBUG -#endif - #include #include #include #include -#include "bn_lcl.h" +#include "bn_arch.h" +#include "bn_internal.h" +#include "bn_local.h" -#if defined(OPENSSL_NO_ASM) || !defined(OPENSSL_BN_ASM_PART_WORDS) -/* Here follows specialised variants of bn_add_words() and - bn_sub_words(). They have the property performing operations on - arrays of different sizes. The sizes of those arrays is expressed through - cl, which is the common length ( basicall, min(len(a),len(b)) ), and dl, - which is the delta between the two lengths, calculated as len(a)-len(b). - All lengths are the number of BN_ULONGs... For the operations that require - a result array as parameter, it must have the length cl+abs(dl). - These functions should probably end up in bn_asm.c as soon as there are - assembler counterparts for the systems that use assembler files. */ +/* + * bn_mul_comba4() computes r[] = a[] * b[] using Comba multiplication + * (https://everything2.com/title/Comba+multiplication), where a and b are both + * four word arrays, producing an eight word array result. 
+ */ +#ifndef HAVE_BN_MUL_COMBA4 +void +bn_mul_comba4(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) +{ + BN_ULONG c0, c1, c2; + bn_mulw_addtw(a[0], b[0], 0, 0, 0, &c2, &c1, &r[0]); + + bn_mulw_addtw(a[0], b[1], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[1], b[0], c2, c1, c0, &c2, &c1, &r[1]); + + bn_mulw_addtw(a[2], b[0], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[1], b[1], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[0], b[2], c2, c1, c0, &c2, &c1, &r[2]); + + bn_mulw_addtw(a[0], b[3], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[1], b[2], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[2], b[1], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[3], b[0], c2, c1, c0, &c2, &c1, &r[3]); + + bn_mulw_addtw(a[3], b[1], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[2], b[2], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[1], b[3], c2, c1, c0, &c2, &c1, &r[4]); + + bn_mulw_addtw(a[2], b[3], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[3], b[2], c2, c1, c0, &c2, &c1, &r[5]); + + bn_mulw_addtw(a[3], b[3], 0, c2, c1, &c2, &r[7], &r[6]); +} +#endif + +/* + * bn_mul_comba8() computes r[] = a[] * b[] using Comba multiplication + * (https://everything2.com/title/Comba+multiplication), where a and b are both + * eight word arrays, producing a 16 word array result. 
+ */ +#ifndef HAVE_BN_MUL_COMBA8 +void +bn_mul_comba8(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b) +{ + BN_ULONG c0, c1, c2; + + bn_mulw_addtw(a[0], b[0], 0, 0, 0, &c2, &c1, &r[0]); + + bn_mulw_addtw(a[0], b[1], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[1], b[0], c2, c1, c0, &c2, &c1, &r[1]); + + bn_mulw_addtw(a[2], b[0], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[1], b[1], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[0], b[2], c2, c1, c0, &c2, &c1, &r[2]); + + bn_mulw_addtw(a[0], b[3], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[1], b[2], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[2], b[1], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[3], b[0], c2, c1, c0, &c2, &c1, &r[3]); + + bn_mulw_addtw(a[4], b[0], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[3], b[1], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[2], b[2], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[1], b[3], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[0], b[4], c2, c1, c0, &c2, &c1, &r[4]); + + bn_mulw_addtw(a[0], b[5], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[1], b[4], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[2], b[3], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[3], b[2], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[4], b[1], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[5], b[0], c2, c1, c0, &c2, &c1, &r[5]); + + bn_mulw_addtw(a[6], b[0], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[5], b[1], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[4], b[2], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[3], b[3], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[2], b[4], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[1], b[5], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[0], b[6], c2, c1, c0, &c2, &c1, &r[6]); + + bn_mulw_addtw(a[0], b[7], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[1], b[6], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[2], b[5], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[3], b[4], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[4], b[3], c2, c1, c0, &c2, &c1, &c0); + 
bn_mulw_addtw(a[5], b[2], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[6], b[1], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[7], b[0], c2, c1, c0, &c2, &c1, &r[7]); + + bn_mulw_addtw(a[7], b[1], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[6], b[2], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[5], b[3], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[4], b[4], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[3], b[5], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[2], b[6], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[1], b[7], c2, c1, c0, &c2, &c1, &r[8]); + + bn_mulw_addtw(a[2], b[7], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[3], b[6], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[4], b[5], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[5], b[4], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[6], b[3], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[7], b[2], c2, c1, c0, &c2, &c1, &r[9]); + + bn_mulw_addtw(a[7], b[3], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[6], b[4], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[5], b[5], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[4], b[6], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[3], b[7], c2, c1, c0, &c2, &c1, &r[10]); + + bn_mulw_addtw(a[4], b[7], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[5], b[6], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[6], b[5], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[7], b[4], c2, c1, c0, &c2, &c1, &r[11]); + + bn_mulw_addtw(a[7], b[5], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[6], b[6], c2, c1, c0, &c2, &c1, &c0); + bn_mulw_addtw(a[5], b[7], c2, c1, c0, &c2, &c1, &r[12]); + + bn_mulw_addtw(a[6], b[7], 0, c2, c1, &c2, &c1, &c0); + bn_mulw_addtw(a[7], b[6], c2, c1, c0, &c2, &c1, &r[13]); + + bn_mulw_addtw(a[7], b[7], 0, c2, c1, &c2, &r[15], &r[14]); +} +#endif + +/* + * bn_mul_words() computes (carry:r[i]) = a[i] * w + carry, where a is an array + * of words and w is a single word. This should really be called bn_mulw_words() + * since only one input is an array. 
This is used as a step in the multiplication + * of word arrays. + */ +#ifndef HAVE_BN_MUL_WORDS BN_ULONG -bn_sub_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int cl, - int dl) +bn_mul_words(BN_ULONG *r, const BN_ULONG *a, int num, BN_ULONG w) { - BN_ULONG c, t; + BN_ULONG carry = 0; - assert(cl >= 0); - c = bn_sub_words(r, a, b, cl); + assert(num >= 0); + if (num <= 0) + return 0; - if (dl == 0) - return c; - - r += cl; - a += cl; - b += cl; - - if (dl < 0) { -#ifdef BN_COUNT - fprintf(stderr, - " bn_sub_part_words %d + %d (dl < 0, c = %d)\n", - cl, dl, c); -#endif - for (;;) { - t = b[0]; - r[0] = (0 - t - c) & BN_MASK2; - if (t != 0) - c = 1; - if (++dl >= 0) - break; - - t = b[1]; - r[1] = (0 - t - c) & BN_MASK2; - if (t != 0) - c = 1; - if (++dl >= 0) - break; - - t = b[2]; - r[2] = (0 - t - c) & BN_MASK2; - if (t != 0) - c = 1; - if (++dl >= 0) - break; - - t = b[3]; - r[3] = (0 - t - c) & BN_MASK2; - if (t != 0) - c = 1; - if (++dl >= 0) - break; - - b += 4; - r += 4; - } - } else { - int save_dl = dl; -#ifdef BN_COUNT - fprintf(stderr, - " bn_sub_part_words %d + %d (dl > 0, c = %d)\n", - cl, dl, c); -#endif - while (c) { - t = a[0]; - r[0] = (t - c) & BN_MASK2; - if (t != 0) - c = 0; - if (--dl <= 0) - break; - - t = a[1]; - r[1] = (t - c) & BN_MASK2; - if (t != 0) - c = 0; - if (--dl <= 0) - break; - - t = a[2]; - r[2] = (t - c) & BN_MASK2; - if (t != 0) - c = 0; - if (--dl <= 0) - break; - - t = a[3]; - r[3] = (t - c) & BN_MASK2; - if (t != 0) - c = 0; - if (--dl <= 0) - break; - - save_dl = dl; - a += 4; - r += 4; - } - if (dl > 0) { -#ifdef BN_COUNT - fprintf(stderr, - " bn_sub_part_words %d + %d (dl > 0, c == 0)\n", - cl, dl); -#endif - if (save_dl > dl) { - switch (save_dl - dl) { - case 1: - r[1] = a[1]; - if (--dl <= 0) - break; - case 2: - r[2] = a[2]; - if (--dl <= 0) - break; - case 3: - r[3] = a[3]; - if (--dl <= 0) - break; - } - a += 4; - r += 4; - } - } - if (dl > 0) { -#ifdef BN_COUNT - fprintf(stderr, - " bn_sub_part_words 
%d + %d (dl > 0, copy)\n", - cl, dl); -#endif - for (;;) { - r[0] = a[0]; - if (--dl <= 0) - break; - r[1] = a[1]; - if (--dl <= 0) - break; - r[2] = a[2]; - if (--dl <= 0) - break; - r[3] = a[3]; - if (--dl <= 0) - break; - - a += 4; - r += 4; - } - } +#ifndef OPENSSL_SMALL_FOOTPRINT + while (num & ~3) { + bn_mulw_addw(a[0], w, carry, &carry, &r[0]); + bn_mulw_addw(a[1], w, carry, &carry, &r[1]); + bn_mulw_addw(a[2], w, carry, &carry, &r[2]); + bn_mulw_addw(a[3], w, carry, &carry, &r[3]); + a += 4; + r += 4; + num -= 4; } - return c; +#endif + while (num) { + bn_mulw_addw(a[0], w, carry, &carry, &r[0]); + a++; + r++; + num--; + } + return carry; } #endif +/* + * bn_mul_add_words() computes (carry:r[i]) = a[i] * w + r[i] + carry, where + * a is an array of words and w is a single word. This should really be called + * bn_mulw_add_words() since only one input is an array. This is used as a step + * in the multiplication of word arrays. + */ +#ifndef HAVE_BN_MUL_ADD_WORDS BN_ULONG -bn_add_part_words(BN_ULONG *r, const BN_ULONG *a, const BN_ULONG *b, int cl, - int dl) +bn_mul_add_words(BN_ULONG *r, const BN_ULONG *a, int num, BN_ULONG w) { - BN_ULONG c, l, t; + BN_ULONG carry = 0; - assert(cl >= 0); - c = bn_add_words(r, a, b, cl); + assert(num >= 0); + if (num <= 0) + return 0; - if (dl == 0) - return c; - - r += cl; - a += cl; - b += cl; - - if (dl < 0) { - int save_dl = dl; -#ifdef BN_COUNT - fprintf(stderr, - " bn_add_part_words %d + %d (dl < 0, c = %d)\n", - cl, dl, c); -#endif - while (c) { - l = (c + b[0]) & BN_MASK2; - c = (l < c); - r[0] = l; - if (++dl >= 0) - break; - - l = (c + b[1]) & BN_MASK2; - c = (l < c); - r[1] = l; - if (++dl >= 0) - break; - - l = (c + b[2]) & BN_MASK2; - c = (l < c); - r[2] = l; - if (++dl >= 0) - break; - - l = (c + b[3]) & BN_MASK2; - c = (l < c); - r[3] = l; - if (++dl >= 0) - break; - - save_dl = dl; - b += 4; - r += 4; - } - if (dl < 0) { -#ifdef BN_COUNT - fprintf(stderr, - " bn_add_part_words %d + %d (dl < 0, c == 0)\n", - 
cl, dl); -#endif - if (save_dl < dl) { - switch (dl - save_dl) { - case 1: - r[1] = b[1]; - if (++dl >= 0) - break; - case 2: - r[2] = b[2]; - if (++dl >= 0) - break; - case 3: - r[3] = b[3]; - if (++dl >= 0) - break; - } - b += 4; - r += 4; - } - } - if (dl < 0) { -#ifdef BN_COUNT - fprintf(stderr, - " bn_add_part_words %d + %d (dl < 0, copy)\n", - cl, dl); -#endif - for (;;) { - r[0] = b[0]; - if (++dl >= 0) - break; - r[1] = b[1]; - if (++dl >= 0) - break; - r[2] = b[2]; - if (++dl >= 0) - break; - r[3] = b[3]; - if (++dl >= 0) - break; - - b += 4; - r += 4; - } - } - } else { - int save_dl = dl; -#ifdef BN_COUNT - fprintf(stderr, - " bn_add_part_words %d + %d (dl > 0)\n", cl, dl); -#endif - while (c) { - t = (a[0] + c) & BN_MASK2; - c = (t < c); - r[0] = t; - if (--dl <= 0) - break; - - t = (a[1] + c) & BN_MASK2; - c = (t < c); - r[1] = t; - if (--dl <= 0) - break; - - t = (a[2] + c) & BN_MASK2; - c = (t < c); - r[2] = t; - if (--dl <= 0) - break; - - t = (a[3] + c) & BN_MASK2; - c = (t < c); - r[3] = t; - if (--dl <= 0) - break; - - save_dl = dl; - a += 4; - r += 4; - } -#ifdef BN_COUNT - fprintf(stderr, - " bn_add_part_words %d + %d (dl > 0, c == 0)\n", cl, dl); -#endif - if (dl > 0) { - if (save_dl > dl) { - switch (save_dl - dl) { - case 1: - r[1] = a[1]; - if (--dl <= 0) - break; - case 2: - r[2] = a[2]; - if (--dl <= 0) - break; - case 3: - r[3] = a[3]; - if (--dl <= 0) - break; - } - a += 4; - r += 4; - } - } - if (dl > 0) { -#ifdef BN_COUNT - fprintf(stderr, - " bn_add_part_words %d + %d (dl > 0, copy)\n", - cl, dl); -#endif - for (;;) { - r[0] = a[0]; - if (--dl <= 0) - break; - r[1] = a[1]; - if (--dl <= 0) - break; - r[2] = a[2]; - if (--dl <= 0) - break; - r[3] = a[3]; - if (--dl <= 0) - break; - - a += 4; - r += 4; - } - } +#ifndef OPENSSL_SMALL_FOOTPRINT + while (num & ~3) { + bn_mulw_addw_addw(a[0], w, r[0], carry, &carry, &r[0]); + bn_mulw_addw_addw(a[1], w, r[1], carry, &carry, &r[1]); + bn_mulw_addw_addw(a[2], w, r[2], carry, &carry, &r[2]); + 
bn_mulw_addw_addw(a[3], w, r[3], carry, &carry, &r[3]); + a += 4; + r += 4; + num -= 4; } - return c; +#endif + while (num) { + bn_mulw_addw_addw(a[0], w, r[0], carry, &carry, &r[0]); + a++; + r++; + num--; + } + + return carry; } - -#ifdef BN_RECURSION -/* Karatsuba recursive multiplication algorithm - * (cf. Knuth, The Art of Computer Programming, Vol. 2) */ - -/* r is 2*n2 words in size, - * a and b are both n2 words in size. - * n2 must be a power of 2. - * We multiply and return the result. - * t must be 2*n2 words in size - * We calculate - * a[0]*b[0] - * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0]) - * a[1]*b[1] - */ -/* dnX may not be positive, but n2/2+dnX has to be */ -void -bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, int dna, - int dnb, BN_ULONG *t) -{ - int n = n2 / 2, c1, c2; - int tna = n + dna, tnb = n + dnb; - unsigned int neg, zero; - BN_ULONG ln, lo, *p; - -# ifdef BN_COUNT - fprintf(stderr, " bn_mul_recursive %d%+d * %d%+d\n",n2,dna,n2,dnb); -# endif -# ifdef BN_MUL_COMBA -# if 0 - if (n2 == 4) { - bn_mul_comba4(r, a, b); - return; - } -# endif - /* Only call bn_mul_comba 8 if n2 == 8 and the - * two arrays are complete [steve] - */ - if (n2 == 8 && dna == 0 && dnb == 0) { - bn_mul_comba8(r, a, b); - return; - } -# endif /* BN_MUL_COMBA */ - /* Else do normal multiply */ - if (n2 < BN_MUL_RECURSIVE_SIZE_NORMAL) { - bn_mul_normal(r, a, n2 + dna, b, n2 + dnb); - if ((dna + dnb) < 0) - memset(&r[2*n2 + dna + dnb], 0, - sizeof(BN_ULONG) * -(dna + dnb)); - return; - } - /* r=(a[0]-a[1])*(b[1]-b[0]) */ - c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna); - c2 = bn_cmp_part_words(&(b[n]), b,tnb, tnb - n); - zero = neg = 0; - switch (c1 * 3 + c2) { - case -4: - bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */ - bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */ - break; - case -3: - zero = 1; - break; - case -2: - bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */ - bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb 
- n); /* + */ - neg = 1; - break; - case -1: - case 0: - case 1: - zero = 1; - break; - case 2: - bn_sub_part_words(t, a, &(a[n]), tna, n - tna); /* + */ - bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */ - neg = 1; - break; - case 3: - zero = 1; - break; - case 4: - bn_sub_part_words(t, a, &(a[n]), tna, n - tna); - bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); - break; - } - -# ifdef BN_MUL_COMBA - if (n == 4 && dna == 0 && dnb == 0) /* XXX: bn_mul_comba4 could take - extra args to do this well */ - { - if (!zero) - bn_mul_comba4(&(t[n2]), t, &(t[n])); - else - memset(&(t[n2]), 0, 8 * sizeof(BN_ULONG)); - - bn_mul_comba4(r, a, b); - bn_mul_comba4(&(r[n2]), &(a[n]), &(b[n])); - } else if (n == 8 && dna == 0 && dnb == 0) /* XXX: bn_mul_comba8 could - take extra args to do this - well */ - { - if (!zero) - bn_mul_comba8(&(t[n2]), t, &(t[n])); - else - memset(&(t[n2]), 0, 16 * sizeof(BN_ULONG)); - - bn_mul_comba8(r, a, b); - bn_mul_comba8(&(r[n2]), &(a[n]), &(b[n])); - } else -# endif /* BN_MUL_COMBA */ - { - p = &(t[n2 * 2]); - if (!zero) - bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p); - else - memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG)); - bn_mul_recursive(r, a, b, n, 0, 0, p); - bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), n, dna, dnb, p); - } - - /* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign - * r[10] holds (a[0]*b[0]) - * r[32] holds (b[1]*b[1]) - */ - - c1 = (int)(bn_add_words(t, r, &(r[n2]), n2)); - - if (neg) /* if t[32] is negative */ - { - c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2)); - } else { - /* Might have a carry */ - c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2)); - } - - /* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1]) - * r[10] holds (a[0]*b[0]) - * r[32] holds (b[1]*b[1]) - * c1 holds the carry bits - */ - c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2)); - if (c1) { - p = &(r[n + n2]); - lo= *p; - ln = (lo + c1) & BN_MASK2; - *p = ln; - - /* The overflow will stop before we 
over write - * words we should not overwrite */ - if (ln < (BN_ULONG)c1) { - do { - p++; - lo= *p; - ln = (lo + 1) & BN_MASK2; - *p = ln; - } while (ln == 0); - } - } -} - -/* n+tn is the word length - * t needs to be n*4 is size, as does r */ -/* tnX may not be negative but less than n */ -void -bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n, int tna, - int tnb, BN_ULONG *t) -{ - int i, j, n2 = n * 2; - int c1, c2, neg; - BN_ULONG ln, lo, *p; - -# ifdef BN_COUNT - fprintf(stderr, " bn_mul_part_recursive (%d%+d) * (%d%+d)\n", - n, tna, n, tnb); -# endif - if (n < 8) { - bn_mul_normal(r, a, n + tna, b, n + tnb); - return; - } - - /* r=(a[0]-a[1])*(b[1]-b[0]) */ - c1 = bn_cmp_part_words(a, &(a[n]), tna, n - tna); - c2 = bn_cmp_part_words(&(b[n]), b, tnb, tnb - n); - neg = 0; - switch (c1 * 3 + c2) { - case -4: - bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */ - bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */ - break; - case -3: - /* break; */ - case -2: - bn_sub_part_words(t, &(a[n]), a, tna, tna - n); /* - */ - bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); /* + */ - neg = 1; - break; - case -1: - case 0: - case 1: - /* break; */ - case 2: - bn_sub_part_words(t, a, &(a[n]), tna, n - tna); /* + */ - bn_sub_part_words(&(t[n]), b, &(b[n]), tnb, n - tnb); /* - */ - neg = 1; - break; - case 3: - /* break; */ - case 4: - bn_sub_part_words(t, a, &(a[n]), tna, n - tna); - bn_sub_part_words(&(t[n]), &(b[n]), b, tnb, tnb - n); - break; - } - /* The zero case isn't yet implemented here. The speedup - would probably be negligible. 
*/ -# if 0 - if (n == 4) { - bn_mul_comba4(&(t[n2]), t, &(t[n])); - bn_mul_comba4(r, a, b); - bn_mul_normal(&(r[n2]), &(a[n]), tn, &(b[n]), tn); - memset(&(r[n2 + tn * 2]), 0, sizeof(BN_ULONG) * (n2 - tn * 2)); - } else -# endif - if (n == 8) { - bn_mul_comba8(&(t[n2]), t, &(t[n])); - bn_mul_comba8(r, a, b); - bn_mul_normal(&(r[n2]), &(a[n]), tna, &(b[n]), tnb); - memset(&(r[n2 + tna + tnb]), 0, - sizeof(BN_ULONG) * (n2 - tna - tnb)); - } else { - p = &(t[n2*2]); - bn_mul_recursive(&(t[n2]), t, &(t[n]), n, 0, 0, p); - bn_mul_recursive(r, a, b, n, 0, 0, p); - i = n / 2; - /* If there is only a bottom half to the number, - * just do it */ - if (tna > tnb) - j = tna - i; - else - j = tnb - i; - if (j == 0) { - bn_mul_recursive(&(r[n2]), &(a[n]), &(b[n]), - i, tna - i, tnb - i, p); - memset(&(r[n2 + i * 2]), 0, - sizeof(BN_ULONG) * (n2 - i * 2)); - } - else if (j > 0) /* eg, n == 16, i == 8 and tn == 11 */ - { - bn_mul_part_recursive(&(r[n2]), &(a[n]), &(b[n]), - i, tna - i, tnb - i, p); - memset(&(r[n2 + tna + tnb]), 0, - sizeof(BN_ULONG) * (n2 - tna - tnb)); - } - else /* (j < 0) eg, n == 16, i == 8 and tn == 5 */ - { - memset(&(r[n2]), 0, sizeof(BN_ULONG) * n2); - if (tna < BN_MUL_RECURSIVE_SIZE_NORMAL && - tnb < BN_MUL_RECURSIVE_SIZE_NORMAL) { - bn_mul_normal(&(r[n2]), &(a[n]), tna, - &(b[n]), tnb); - } else { - for (;;) { - i /= 2; - /* these simplified conditions work - * exclusively because difference - * between tna and tnb is 1 or 0 */ - if (i < tna || i < tnb) { - bn_mul_part_recursive(&(r[n2]), - &(a[n]), &(b[n]), i, - tna - i, tnb - i, p); - break; - } else if (i == tna || i == tnb) { - bn_mul_recursive(&(r[n2]), - &(a[n]), &(b[n]), i, - tna - i, tnb - i, p); - break; - } - } - } - } - } - - /* t[32] holds (a[0]-a[1])*(b[1]-b[0]), c1 is the sign - * r[10] holds (a[0]*b[0]) - * r[32] holds (b[1]*b[1]) - */ - - c1 = (int)(bn_add_words(t, r,&(r[n2]), n2)); - - if (neg) /* if t[32] is negative */ - { - c1 -= (int)(bn_sub_words(&(t[n2]), t,&(t[n2]), n2)); - } 
else { - /* Might have a carry */ - c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), t, n2)); - } - - /* t[32] holds (a[0]-a[1])*(b[1]-b[0])+(a[0]*b[0])+(a[1]*b[1]) - * r[10] holds (a[0]*b[0]) - * r[32] holds (b[1]*b[1]) - * c1 holds the carry bits - */ - c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2)); - if (c1) { - p = &(r[n + n2]); - lo= *p; - ln = (lo + c1)&BN_MASK2; - *p = ln; - - /* The overflow will stop before we over write - * words we should not overwrite */ - if (ln < (BN_ULONG)c1) { - do { - p++; - lo= *p; - ln = (lo + 1) & BN_MASK2; - *p = ln; - } while (ln == 0); - } - } -} - -/* a and b must be the same size, which is n2. - * r needs to be n2 words and t needs to be n2*2 - */ -void -bn_mul_low_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2, BN_ULONG *t) -{ - int n = n2 / 2; - -# ifdef BN_COUNT - fprintf(stderr, " bn_mul_low_recursive %d * %d\n",n2,n2); -# endif - - bn_mul_recursive(r, a, b, n, 0, 0, &(t[0])); - if (n >= BN_MUL_LOW_RECURSIVE_SIZE_NORMAL) { - bn_mul_low_recursive(&(t[0]), &(a[0]), &(b[n]), n, &(t[n2])); - bn_add_words(&(r[n]), &(r[n]), &(t[0]), n); - bn_mul_low_recursive(&(t[0]), &(a[n]), &(b[0]), n, &(t[n2])); - bn_add_words(&(r[n]), &(r[n]), &(t[0]), n); - } else { - bn_mul_low_normal(&(t[0]), &(a[0]), &(b[n]), n); - bn_mul_low_normal(&(t[n]), &(a[n]), &(b[0]), n); - bn_add_words(&(r[n]), &(r[n]), &(t[0]), n); - bn_add_words(&(r[n]), &(r[n]), &(t[n]), n); - } -} - -/* a and b must be the same size, which is n2. - * r needs to be n2 words and t needs to be n2*2 - * l is the low words of the output. 
- * t needs to be n2*3 - */ -void -bn_mul_high(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, BN_ULONG *l, int n2, - BN_ULONG *t) -{ - int i, n; - int c1, c2; - int neg, oneg, zero; - BN_ULONG ll, lc, *lp, *mp; - -# ifdef BN_COUNT - fprintf(stderr, " bn_mul_high %d * %d\n",n2,n2); -# endif - n = n2 / 2; - - /* Calculate (al-ah)*(bh-bl) */ - neg = zero = 0; - c1 = bn_cmp_words(&(a[0]), &(a[n]), n); - c2 = bn_cmp_words(&(b[n]), &(b[0]), n); - switch (c1 * 3 + c2) { - case -4: - bn_sub_words(&(r[0]), &(a[n]), &(a[0]), n); - bn_sub_words(&(r[n]), &(b[0]), &(b[n]), n); - break; - case -3: - zero = 1; - break; - case -2: - bn_sub_words(&(r[0]), &(a[n]), &(a[0]), n); - bn_sub_words(&(r[n]), &(b[n]), &(b[0]), n); - neg = 1; - break; - case -1: - case 0: - case 1: - zero = 1; - break; - case 2: - bn_sub_words(&(r[0]), &(a[0]), &(a[n]), n); - bn_sub_words(&(r[n]), &(b[0]), &(b[n]), n); - neg = 1; - break; - case 3: - zero = 1; - break; - case 4: - bn_sub_words(&(r[0]), &(a[0]), &(a[n]), n); - bn_sub_words(&(r[n]), &(b[n]), &(b[0]), n); - break; - } - - oneg = neg; - /* t[10] = (a[0]-a[1])*(b[1]-b[0]) */ - /* r[10] = (a[1]*b[1]) */ -# ifdef BN_MUL_COMBA - if (n == 8) { - bn_mul_comba8(&(t[0]), &(r[0]), &(r[n])); - bn_mul_comba8(r, &(a[n]), &(b[n])); - } else -# endif - { - bn_mul_recursive(&(t[0]), &(r[0]), &(r[n]), n, 0, 0, &(t[n2])); - bn_mul_recursive(r, &(a[n]), &(b[n]), n, 0, 0, &(t[n2])); - } - - /* s0 == low(al*bl) - * s1 == low(ah*bh)+low((al-ah)*(bh-bl))+low(al*bl)+high(al*bl) - * We know s0 and s1 so the only unknown is high(al*bl) - * high(al*bl) == s1 - low(ah*bh+s0+(al-ah)*(bh-bl)) - * high(al*bl) == s1 - (r[0]+l[0]+t[0]) - */ - if (l != NULL) { - lp = &(t[n2 + n]); - c1 = (int)(bn_add_words(lp, &(r[0]), &(l[0]), n)); - } else { - c1 = 0; - lp = &(r[0]); - } - - if (neg) - neg = (int)(bn_sub_words(&(t[n2]), lp, &(t[0]), n)); - else { - bn_add_words(&(t[n2]), lp, &(t[0]), n); - neg = 0; - } - - if (l != NULL) { - bn_sub_words(&(t[n2 + n]), &(l[n]), &(t[n2]), n); - } else 
{ - lp = &(t[n2 + n]); - mp = &(t[n2]); - for (i = 0; i < n; i++) - lp[i] = ((~mp[i]) + 1) & BN_MASK2; - } - - /* s[0] = low(al*bl) - * t[3] = high(al*bl) - * t[10] = (a[0]-a[1])*(b[1]-b[0]) neg is the sign - * r[10] = (a[1]*b[1]) - */ - /* R[10] = al*bl - * R[21] = al*bl + ah*bh + (a[0]-a[1])*(b[1]-b[0]) - * R[32] = ah*bh - */ - /* R[1]=t[3]+l[0]+r[0](+-)t[0] (have carry/borrow) - * R[2]=r[0]+t[3]+r[1](+-)t[1] (have carry/borrow) - * R[3]=r[1]+(carry/borrow) - */ - if (l != NULL) { - lp = &(t[n2]); - c1 = (int)(bn_add_words(lp, &(t[n2 + n]), &(l[0]), n)); - } else { - lp = &(t[n2 + n]); - c1 = 0; - } - c1 += (int)(bn_add_words(&(t[n2]), lp, &(r[0]), n)); - if (oneg) - c1 -= (int)(bn_sub_words(&(t[n2]), &(t[n2]), &(t[0]), n)); - else - c1 += (int)(bn_add_words(&(t[n2]), &(t[n2]), &(t[0]), n)); - - c2 = (int)(bn_add_words(&(r[0]), &(r[0]), &(t[n2 + n]), n)); - c2 += (int)(bn_add_words(&(r[0]), &(r[0]), &(r[n]), n)); - if (oneg) - c2 -= (int)(bn_sub_words(&(r[0]), &(r[0]), &(t[n]), n)); - else - c2 += (int)(bn_add_words(&(r[0]), &(r[0]), &(t[n]), n)); - - if (c1 != 0) /* Add starting at r[0], could be +ve or -ve */ - { - i = 0; - if (c1 > 0) { - lc = c1; - do { - ll = (r[i] + lc) & BN_MASK2; - r[i++] = ll; - lc = (lc > ll); - } while (lc); - } else { - lc = -c1; - do { - ll = r[i]; - r[i++] = (ll - lc) & BN_MASK2; - lc = (lc > ll); - } while (lc); - } - } - if (c2 != 0) /* Add starting at r[1] */ - { - i = n; - if (c2 > 0) { - lc = c2; - do { - ll = (r[i] + lc) & BN_MASK2; - r[i++] = ll; - lc = (lc > ll); - } while (lc); - } else { - lc = -c2; - do { - ll = r[i]; - r[i++] = (ll - lc) & BN_MASK2; - lc = (lc > ll); - } while (lc); - } - } -} -#endif /* BN_RECURSION */ - -int -BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) -{ - int ret = 0; - int top, al, bl; - BIGNUM *rr; -#if defined(BN_MUL_COMBA) || defined(BN_RECURSION) - int i; #endif -#ifdef BN_RECURSION - BIGNUM *t = NULL; - int j = 0, k; -#endif - -#ifdef BN_COUNT - fprintf(stderr, "BN_mul %d * 
%d\n",a->top,b->top); -#endif - - bn_check_top(a); - bn_check_top(b); - bn_check_top(r); - - al = a->top; - bl = b->top; - - if ((al == 0) || (bl == 0)) { - BN_zero(r); - return (1); - } - top = al + bl; - - BN_CTX_start(ctx); - if ((r == a) || (r == b)) { - if ((rr = BN_CTX_get(ctx)) == NULL) - goto err; - } else - rr = r; - rr->neg = a->neg ^ b->neg; - -#if defined(BN_MUL_COMBA) || defined(BN_RECURSION) - i = al - bl; -#endif -#ifdef BN_MUL_COMBA - if (i == 0) { -# if 0 - if (al == 4) { - if (bn_wexpand(rr, 8) == NULL) - goto err; - rr->top = 8; - bn_mul_comba4(rr->d, a->d, b->d); - goto end; - } -# endif - if (al == 8) { - if (bn_wexpand(rr, 16) == NULL) - goto err; - rr->top = 16; - bn_mul_comba8(rr->d, a->d, b->d); - goto end; - } - } -#endif /* BN_MUL_COMBA */ -#ifdef BN_RECURSION - if ((al >= BN_MULL_SIZE_NORMAL) && (bl >= BN_MULL_SIZE_NORMAL)) { - if (i >= -1 && i <= 1) { - /* Find out the power of two lower or equal - to the longest of the two numbers */ - if (i >= 0) { - j = BN_num_bits_word((BN_ULONG)al); - } - if (i == -1) { - j = BN_num_bits_word((BN_ULONG)bl); - } - j = 1 << (j - 1); - assert(j <= al || j <= bl); - k = j + j; - if ((t = BN_CTX_get(ctx)) == NULL) - goto err; - if (al > j || bl > j) { - if (bn_wexpand(t, k * 4) == NULL) - goto err; - if (bn_wexpand(rr, k * 4) == NULL) - goto err; - bn_mul_part_recursive(rr->d, a->d, b->d, - j, al - j, bl - j, t->d); - } - else /* al <= j || bl <= j */ - { - if (bn_wexpand(t, k * 2) == NULL) - goto err; - if (bn_wexpand(rr, k * 2) == NULL) - goto err; - bn_mul_recursive(rr->d, a->d, b->d, - j, al - j, bl - j, t->d); - } - rr->top = top; - goto end; - } -#if 0 - if (i == 1 && !BN_get_flags(b, BN_FLG_STATIC_DATA)) { - BIGNUM *tmp_bn = (BIGNUM *)b; - if (bn_wexpand(tmp_bn, al) == NULL) - goto err; - tmp_bn->d[bl] = 0; - bl++; - i--; - } else if (i == -1 && !BN_get_flags(a, BN_FLG_STATIC_DATA)) { - BIGNUM *tmp_bn = (BIGNUM *)a; - if (bn_wexpand(tmp_bn, bl) == NULL) - goto err; - tmp_bn->d[al] = 0; - al++; - 
i++; - } - if (i == 0) { - /* symmetric and > 4 */ - /* 16 or larger */ - j = BN_num_bits_word((BN_ULONG)al); - j = 1 << (j - 1); - k = j + j; - if ((t = BN_CTX_get(ctx)) == NULL) - goto err; - if (al == j) /* exact multiple */ - { - if (bn_wexpand(t, k * 2) == NULL) - goto err; - if (bn_wexpand(rr, k * 2) == NULL) - goto err; - bn_mul_recursive(rr->d, a->d, b->d, al, t->d); - } else { - if (bn_wexpand(t, k * 4) == NULL) - goto err; - if (bn_wexpand(rr, k * 4) == NULL) - goto err; - bn_mul_part_recursive(rr->d, a->d, b->d, - al - j, j, t->d); - } - rr->top = top; - goto end; - } -#endif - } -#endif /* BN_RECURSION */ - if (bn_wexpand(rr, top) == NULL) - goto err; - rr->top = top; - bn_mul_normal(rr->d, a->d, al, b->d, bl); - -#if defined(BN_MUL_COMBA) || defined(BN_RECURSION) -end: -#endif - bn_correct_top(rr); - if (r != rr) - BN_copy(r, rr); - ret = 1; -err: - bn_check_top(r); - BN_CTX_end(ctx); - return (ret); -} void bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb) { BN_ULONG *rr; -#ifdef BN_COUNT - fprintf(stderr, " bn_mul_normal %d * %d\n", na, nb); -#endif if (na < nb) { int itmp; 
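Review bot: bn_mul_comba4() and bn_mul_comba8() store to r[0] in their very first bn_mulw_addtw() call and only afterwards read a[1..]/b[1..], so they silently compute garbage if r overlaps either input, yet the new code states that precondition nowhere; the replacement BN_mul() in the following hunk does route through a scratch BIGNUM when r aliases a or b, but nothing in these signatures protects any other caller. I would put `/* r must not overlap a or b: r[0] is written before the remaining input words are read. */` above each Comba routine and, since neither function ever stores through a or b, qualify them as `const BN_ULONG *a, const BN_ULONG *b` the way the neighbouring bn_mul_words() and bn_mul_add_words() already do, so the compiler enforces what the comment promises. The matching prototypes (presumably in bn_local.h or bn_arch.h, not visible here) and any assembly-backed HAVE_BN_MUL_COMBA4/8 variants would need the same qualification.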
@@ -1144,28 +313,64 @@ bn_mul_normal(BN_ULONG *r, BN_ULONG *a, int na, BN_ULONG *b, int nb) } } -void -bn_mul_low_normal(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n) -{ -#ifdef BN_COUNT - fprintf(stderr, " bn_mul_low_normal %d * %d\n", n, n); -#endif - bn_mul_words(r, a, n, b[0]); - for (;;) { - if (--n <= 0) - return; - bn_mul_add_words(&(r[1]), a, n, b[1]); - if (--n <= 0) - return; - bn_mul_add_words(&(r[2]), a, n, b[2]); - if (--n <= 0) - return; - bn_mul_add_words(&(r[3]), a, n, b[3]); - if (--n <= 0) - return; - bn_mul_add_words(&(r[4]), a, n, b[4]); - r += 4; - b += 4; - } +#ifndef HAVE_BN_MUL +int +bn_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, int rn, BN_CTX *ctx) +{ + bn_mul_normal(r->d, a->d, a->top, b->d, b->top); + + return 1; +} + +#endif /* HAVE_BN_MUL */ + +int +BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) +{ + BIGNUM *rr; + int rn; + int ret = 0; + + BN_CTX_start(ctx); + + if (BN_is_zero(a) || BN_is_zero(b)) { + BN_zero(r); + goto done; + } + + rr = r; + if (rr == a || rr == b) + rr = BN_CTX_get(ctx); + if (rr == NULL) + goto err; + + rn = a->top + b->top; + if (rn < a->top) + goto err; + if (!bn_wexpand(rr, rn)) + goto err; + + if (a->top == 4 && b->top == 4) { + bn_mul_comba4(rr->d, a->d, b->d); + } else if (a->top == 8 && b->top == 8) { + bn_mul_comba8(rr->d, a->d, b->d); + } else { + if (!bn_mul(rr, a, b, rn, ctx)) + goto err; + } + + rr->top = rn; + bn_correct_top(rr); + + BN_set_negative(rr, a->neg ^ b->neg); + + if (!bn_copy(r, rr)) + goto err; + done: + ret = 1; + err: + BN_CTX_end(ctx); + + return ret; } diff --git a/crypto/bn/bn_nist.c b/crypto/bn/bn_nist.c deleted file mode 100644 index 3a04c47..0000000 --- a/crypto/bn/bn_nist.c +++ /dev/null 
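Review bot: The overflow guard `if (rn < a->top) goto err;` in the new BN_mul() runs after `rn = a->top + b->top` has already been evaluated in signed int, so on overflow it depends on undefined behaviour, and an optimising compiler may legitimately fold `a->top + b->top < a->top` into `b->top < 0` and discard the check. Test before adding instead: `if (b->top > INT_MAX - a->top) goto err;` followed by `rn = a->top + b->top;`, which needs `<limits.h>` (the include list in the earlier hunk has its header names stripped, so I cannot tell whether it is already pulled in). It would also help to note in a comment above the generic bn_mul() that its `rn` and `ctx` parameters are deliberately unused here and exist so a HAVE_BN_MUL arch-specific replacement can take them, since the fallback body passes neither on to bn_mul_normal().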
@@ -1,1272 +0,0 @@ -/* $OpenBSD: bn_nist.c,v 1.19 2021/11/09 18:40:20 bcook Exp $ */ -/* - * Written by Nils Larsch for the OpenSSL project - */ -/* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include -#include - -#include "bn_lcl.h" - -#define BN_NIST_192_TOP (192+BN_BITS2-1)/BN_BITS2 -#define BN_NIST_224_TOP (224+BN_BITS2-1)/BN_BITS2 -#define BN_NIST_256_TOP (256+BN_BITS2-1)/BN_BITS2 -#define BN_NIST_384_TOP (384+BN_BITS2-1)/BN_BITS2 -#define BN_NIST_521_TOP (521+BN_BITS2-1)/BN_BITS2 - -/* pre-computed tables are "carry-less" values of modulus*(i+1) */ -#if BN_BITS2 == 64 -static const BN_ULONG _nist_p_192[][BN_NIST_192_TOP] = { - {0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFEULL, 0xFFFFFFFFFFFFFFFFULL}, - {0xFFFFFFFFFFFFFFFEULL, 0xFFFFFFFFFFFFFFFDULL, 0xFFFFFFFFFFFFFFFFULL}, - {0xFFFFFFFFFFFFFFFDULL, 0xFFFFFFFFFFFFFFFCULL, 0xFFFFFFFFFFFFFFFFULL} -}; -static const BN_ULONG _nist_p_192_sqr[] = { - 0x0000000000000001ULL, 0x0000000000000002ULL, 0x0000000000000001ULL, - 0xFFFFFFFFFFFFFFFEULL, 0xFFFFFFFFFFFFFFFDULL, 0xFFFFFFFFFFFFFFFFULL -}; -static const BN_ULONG _nist_p_224[][BN_NIST_224_TOP] = { - { - 0x0000000000000001ULL, 0xFFFFFFFF00000000ULL, - 0xFFFFFFFFFFFFFFFFULL, 0x00000000FFFFFFFFULL - }, - { - 0x0000000000000002ULL, 0xFFFFFFFE00000000ULL, - 0xFFFFFFFFFFFFFFFFULL, 0x00000001FFFFFFFFULL - } /* this one is "carry-full" */ -}; -static const 
BN_ULONG _nist_p_224_sqr[] = { - 0x0000000000000001ULL, 0xFFFFFFFE00000000ULL, - 0xFFFFFFFFFFFFFFFFULL, 0x0000000200000000ULL, - 0x0000000000000000ULL, 0xFFFFFFFFFFFFFFFEULL, - 0xFFFFFFFFFFFFFFFFULL -}; -static const BN_ULONG _nist_p_256[][BN_NIST_256_TOP] = { - { - 0xFFFFFFFFFFFFFFFFULL, 0x00000000FFFFFFFFULL, - 0x0000000000000000ULL, 0xFFFFFFFF00000001ULL - }, - { - 0xFFFFFFFFFFFFFFFEULL, 0x00000001FFFFFFFFULL, - 0x0000000000000000ULL, 0xFFFFFFFE00000002ULL - }, - { - 0xFFFFFFFFFFFFFFFDULL, 0x00000002FFFFFFFFULL, - 0x0000000000000000ULL, 0xFFFFFFFD00000003ULL - }, - { - 0xFFFFFFFFFFFFFFFCULL, 0x00000003FFFFFFFFULL, - 0x0000000000000000ULL, 0xFFFFFFFC00000004ULL - }, - { - 0xFFFFFFFFFFFFFFFBULL, 0x00000004FFFFFFFFULL, - 0x0000000000000000ULL, 0xFFFFFFFB00000005ULL - }, -}; -static const BN_ULONG _nist_p_256_sqr[] = { - 0x0000000000000001ULL, 0xFFFFFFFE00000000ULL, - 0xFFFFFFFFFFFFFFFFULL, 0x00000001FFFFFFFEULL, - 0x00000001FFFFFFFEULL, 0x00000001FFFFFFFEULL, - 0xFFFFFFFE00000001ULL, 0xFFFFFFFE00000002ULL -}; -static const BN_ULONG _nist_p_384[][BN_NIST_384_TOP] = { - { - 0x00000000FFFFFFFFULL, 0xFFFFFFFF00000000ULL, - 0xFFFFFFFFFFFFFFFEULL, 0xFFFFFFFFFFFFFFFFULL, - 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL - }, - { - 0x00000001FFFFFFFEULL, 0xFFFFFFFE00000000ULL, - 0xFFFFFFFFFFFFFFFDULL, 0xFFFFFFFFFFFFFFFFULL, - 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL - }, - { - 0x00000002FFFFFFFDULL, 0xFFFFFFFD00000000ULL, - 0xFFFFFFFFFFFFFFFCULL, 0xFFFFFFFFFFFFFFFFULL, - 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL - }, - { - 0x00000003FFFFFFFCULL, 0xFFFFFFFC00000000ULL, - 0xFFFFFFFFFFFFFFFBULL, 0xFFFFFFFFFFFFFFFFULL, - 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL - }, - { - 0x00000004FFFFFFFBULL, 0xFFFFFFFB00000000ULL, - 0xFFFFFFFFFFFFFFFAULL, 0xFFFFFFFFFFFFFFFFULL, - 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL - }, -}; -static const BN_ULONG _nist_p_384_sqr[] = { - 0xFFFFFFFE00000001ULL, 0x0000000200000000ULL, 0xFFFFFFFE00000000ULL, - 0x0000000200000000ULL, 
0x0000000000000001ULL, 0x0000000000000000ULL, - 0x00000001FFFFFFFEULL, 0xFFFFFFFE00000000ULL, 0xFFFFFFFFFFFFFFFDULL, - 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL -}; -static const BN_ULONG _nist_p_521[] = { - 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, - 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, - 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0x00000000000001FFULL -}; -static const BN_ULONG _nist_p_521_sqr[] = { - 0x0000000000000001ULL, 0x0000000000000000ULL, 0x0000000000000000ULL, - 0x0000000000000000ULL, 0x0000000000000000ULL, 0x0000000000000000ULL, - 0x0000000000000000ULL, 0x0000000000000000ULL, 0xFFFFFFFFFFFFFC00ULL, - 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, - 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, 0xFFFFFFFFFFFFFFFFULL, - 0xFFFFFFFFFFFFFFFFULL, 0x000000000003FFFFULL -}; -#elif BN_BITS2 == 32 -static const BN_ULONG _nist_p_192[][BN_NIST_192_TOP] = { - { - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF - }, - { - 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF - }, - { - 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFC, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF - } -}; -static const BN_ULONG _nist_p_192_sqr[] = { - 0x00000001, 0x00000000, 0x00000002, 0x00000000, 0x00000001, 0x00000000, - 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF -}; -static const BN_ULONG _nist_p_224[][BN_NIST_224_TOP] = { - { - 0x00000001, 0x00000000, 0x00000000, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF - }, - { - 0x00000002, 0x00000000, 0x00000000, 0xFFFFFFFE, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF - } -}; -static const BN_ULONG _nist_p_224_sqr[] = { - 0x00000001, 0x00000000, 0x00000000, 0xFFFFFFFE, - 0xFFFFFFFF, 0xFFFFFFFF, 0x00000000, 0x00000002, - 0x00000000, 0x00000000, 0xFFFFFFFE, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF -}; -static const BN_ULONG _nist_p_256[][BN_NIST_256_TOP] = { - { - 0xFFFFFFFF, 0xFFFFFFFF, 
0xFFFFFFFF, 0x00000000, - 0x00000000, 0x00000000, 0x00000001, 0xFFFFFFFF - }, - { - 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000001, - 0x00000000, 0x00000000, 0x00000002, 0xFFFFFFFE - }, - { - 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000002, - 0x00000000, 0x00000000, 0x00000003, 0xFFFFFFFD - }, - { - 0xFFFFFFFC, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000003, - 0x00000000, 0x00000000, 0x00000004, 0xFFFFFFFC - }, - { - 0xFFFFFFFB, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000004, - 0x00000000, 0x00000000, 0x00000005, 0xFFFFFFFB - }, -}; -static const BN_ULONG _nist_p_256_sqr[] = { - 0x00000001, 0x00000000, 0x00000000, 0xFFFFFFFE, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0x00000001, - 0xFFFFFFFE, 0x00000001, 0xFFFFFFFE, 0x00000001, - 0x00000001, 0xFFFFFFFE, 0x00000002, 0xFFFFFFFE -}; -static const BN_ULONG _nist_p_384[][BN_NIST_384_TOP] = { - { - 0xFFFFFFFF, 0x00000000, 0x00000000, 0xFFFFFFFF, - 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF - }, - { - 0xFFFFFFFE, 0x00000001, 0x00000000, 0xFFFFFFFE, - 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF - }, - { - 0xFFFFFFFD, 0x00000002, 0x00000000, 0xFFFFFFFD, - 0xFFFFFFFC, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF - }, - { - 0xFFFFFFFC, 0x00000003, 0x00000000, 0xFFFFFFFC, - 0xFFFFFFFB, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF - }, - { - 0xFFFFFFFB, 0x00000004, 0x00000000, 0xFFFFFFFB, - 0xFFFFFFFA, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF - }, -}; -static const BN_ULONG _nist_p_384_sqr[] = { - 0x00000001, 0xFFFFFFFE, 0x00000000, 0x00000002, 0x00000000, 0xFFFFFFFE, - 0x00000000, 0x00000002, 0x00000001, 0x00000000, 0x00000000, 0x00000000, - 0xFFFFFFFE, 0x00000001, 0x00000000, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF -}; -static const BN_ULONG _nist_p_521[] = { 
- 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, - 0xFFFFFFFF, 0x000001FF -}; -static const BN_ULONG _nist_p_521_sqr[] = { - 0x00000001, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, - 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000000, - 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0xFFFFFC00, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, - 0xFFFFFFFF, 0xFFFFFFFF, 0x0003FFFF -}; -#else -#error "unsupported BN_BITS2" -#endif - -static const BIGNUM _bignum_nist_p_192 = { - (BN_ULONG *)_nist_p_192[0], - BN_NIST_192_TOP, - BN_NIST_192_TOP, - 0, - BN_FLG_STATIC_DATA -}; - -static const BIGNUM _bignum_nist_p_224 = { - (BN_ULONG *)_nist_p_224[0], - BN_NIST_224_TOP, - BN_NIST_224_TOP, - 0, - BN_FLG_STATIC_DATA -}; - -static const BIGNUM _bignum_nist_p_256 = { - (BN_ULONG *)_nist_p_256[0], - BN_NIST_256_TOP, - BN_NIST_256_TOP, - 0, - BN_FLG_STATIC_DATA -}; - -static const BIGNUM _bignum_nist_p_384 = { - (BN_ULONG *)_nist_p_384[0], - BN_NIST_384_TOP, - BN_NIST_384_TOP, - 0, - BN_FLG_STATIC_DATA -}; - -static const BIGNUM _bignum_nist_p_521 = { - (BN_ULONG *)_nist_p_521, - BN_NIST_521_TOP, - BN_NIST_521_TOP, - 0, - BN_FLG_STATIC_DATA -}; - - -const BIGNUM * -BN_get0_nist_prime_192(void) -{ - return &_bignum_nist_p_192; -} - -const BIGNUM * -BN_get0_nist_prime_224(void) -{ - return &_bignum_nist_p_224; -} - -const BIGNUM * -BN_get0_nist_prime_256(void) -{ - return &_bignum_nist_p_256; -} - -const BIGNUM * -BN_get0_nist_prime_384(void) -{ - return &_bignum_nist_p_384; -} - -const BIGNUM * -BN_get0_nist_prime_521(void) -{ - return &_bignum_nist_p_521; -} - -static void -nist_cp_bn_0(BN_ULONG *dst, const BN_ULONG *src, int top, int max) -{ - int i; - -#ifdef BN_DEBUG - OPENSSL_assert(top <= max); 
-#endif - for (i = 0; i < top; i++) - dst[i] = src[i]; - for (; i < max; i++) - dst[i] = 0; -} - -static void nist_cp_bn(BN_ULONG *dst, const BN_ULONG *src, int top) -{ - int i; - - for (i = 0; i < top; i++) - dst[i] = src[i]; -} - -#if BN_BITS2 == 64 -#define bn_cp_64(to, n, from, m) (to)[n] = (m>=0)?((from)[m]):0; -#define bn_64_set_0(to, n) (to)[n] = (BN_ULONG)0; -/* - * two following macros are implemented under assumption that they - * are called in a sequence with *ascending* n, i.e. as they are... - */ -#define bn_cp_32_naked(to, n, from, m) (((n)&1)?(to[(n)/2]|=((m)&1)?(from[(m)/2]&BN_MASK2h):(from[(m)/2]<<32))\ - :(to[(n)/2] =((m)&1)?(from[(m)/2]>>32):(from[(m)/2]&BN_MASK2l))) -#define bn_32_set_0(to, n) (((n)&1)?(to[(n)/2]&=BN_MASK2l):(to[(n)/2]=0)); -#define bn_cp_32(to,n,from,m) ((m)>=0)?bn_cp_32_naked(to,n,from,m):bn_32_set_0(to,n) -# if BYTE_ORDER == LITTLE_ENDIAN -# if defined(_LP64) -# define NIST_INT64 long -# else -# define NIST_INT64 long long -# endif -# endif -#else -#define bn_cp_64(to, n, from, m) \ - { \ - bn_cp_32(to, (n)*2, from, (m)*2); \ - bn_cp_32(to, (n)*2+1, from, (m)*2+1); \ - } -#define bn_64_set_0(to, n) \ - { \ - bn_32_set_0(to, (n)*2); \ - bn_32_set_0(to, (n)*2+1); \ - } -#define bn_cp_32(to, n, from, m) (to)[n] = (m>=0)?((from)[m]):0; -#define bn_32_set_0(to, n) (to)[n] = (BN_ULONG)0; -# if defined(BN_LLONG) -# define NIST_INT64 long long -# endif -#endif /* BN_BITS2 != 64 */ - -#define nist_set_192(to, from, a1, a2, a3) \ - { \ - bn_cp_64(to, 0, from, (a3) - 3) \ - bn_cp_64(to, 1, from, (a2) - 3) \ - bn_cp_64(to, 2, from, (a1) - 3) \ - } - -int -BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) -{ - int top = a->top, i; - int carry; - BN_ULONG *r_d, *a_d = a->d; - union { - BN_ULONG bn[BN_NIST_192_TOP]; - unsigned int ui[BN_NIST_192_TOP * - sizeof(BN_ULONG) / sizeof(unsigned int)]; - } buf; - BN_ULONG c_d[BN_NIST_192_TOP], *res; - uintptr_t mask; - static const BIGNUM _bignum_nist_p_192_sqr = { - 
(BN_ULONG *)_nist_p_192_sqr, - sizeof(_nist_p_192_sqr) / sizeof(_nist_p_192_sqr[0]), - sizeof(_nist_p_192_sqr) / sizeof(_nist_p_192_sqr[0]), - 0, - BN_FLG_STATIC_DATA - }; - - field = &_bignum_nist_p_192; /* just to make sure */ - - if (BN_is_negative(a) || BN_ucmp(a, &_bignum_nist_p_192_sqr) >= 0) - return BN_nnmod(r, a, field, ctx); - - i = BN_ucmp(field, a); - if (i == 0) { - BN_zero(r); - return 1; - } else if (i > 0) - return (r == a) ? 1 : (BN_copy(r , a) != NULL); - - if (r != a) { - if (!bn_wexpand(r, BN_NIST_192_TOP)) - return 0; - r_d = r->d; - nist_cp_bn(r_d, a_d, BN_NIST_192_TOP); - } else - r_d = a_d; - - nist_cp_bn_0(buf.bn, a_d + BN_NIST_192_TOP, top - BN_NIST_192_TOP, - BN_NIST_192_TOP); - -#if defined(NIST_INT64) - { - NIST_INT64 acc; /* accumulator */ - unsigned int *rp = (unsigned int *)r_d; - const unsigned int *bp = (const unsigned int *)buf.ui; - - acc = rp[0]; - acc += bp[3 * 2 - 6]; - acc += bp[5 * 2 - 6]; - rp[0] = (unsigned int)acc; - acc >>= 32; - - acc += rp[1]; - acc += bp[3 * 2 - 5]; - acc += bp[5 * 2 - 5]; - rp[1] = (unsigned int)acc; - acc >>= 32; - - acc += rp[2]; - acc += bp[3 * 2 - 6]; - acc += bp[4 * 2 - 6]; - acc += bp[5 * 2 - 6]; - rp[2] = (unsigned int)acc; - acc >>= 32; - - acc += rp[3]; - acc += bp[3 * 2 - 5]; - acc += bp[4 * 2 - 5]; - acc += bp[5 * 2 - 5]; - rp[3] = (unsigned int)acc; - acc >>= 32; - - acc += rp[4]; - acc += bp[4 * 2 - 6]; - acc += bp[5 * 2 - 6]; - rp[4] = (unsigned int)acc; - acc >>= 32; - - acc += rp[5]; - acc += bp[4 * 2 - 5]; - acc += bp[5 * 2 - 5]; - rp[5] = (unsigned int)acc; - - carry = (int)(acc >> 32); - } -#else - { - BN_ULONG t_d[BN_NIST_192_TOP] = {0}; - - nist_set_192(t_d, buf.bn, 0, 3, 3); - carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP); - nist_set_192(t_d, buf.bn, 4, 4, 0); - carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP); - nist_set_192(t_d, buf.bn, 5, 5, 5) - carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_192_TOP); - } -#endif - if (carry > 0) - carry = 
(int)bn_sub_words(r_d, r_d, _nist_p_192[carry - 1], - BN_NIST_192_TOP); - else - carry = 1; - - /* - * we need 'if (carry==0 || result>=modulus) result-=modulus;' - * as comparison implies subtraction, we can write - * 'tmp=result-modulus; if (!carry || !borrow) result=tmp;' - * this is what happens below, but without explicit if:-) a. - */ - mask = 0 - (uintptr_t)bn_sub_words(c_d, r_d, _nist_p_192[0], - BN_NIST_192_TOP); - mask &= 0 - (uintptr_t)carry; - res = c_d; - res = (BN_ULONG *)(((uintptr_t)res & ~mask) | ((uintptr_t)r_d & mask)); - nist_cp_bn(r_d, res, BN_NIST_192_TOP); - r->top = BN_NIST_192_TOP; - bn_correct_top(r); - - return 1; -} - -typedef BN_ULONG (*bn_addsub_f)(BN_ULONG *, const BN_ULONG *, - const BN_ULONG *, int); - -#define nist_set_224(to, from, a1, a2, a3, a4, a5, a6, a7) \ - { \ - bn_cp_32(to, 0, from, (a7) - 7) \ - bn_cp_32(to, 1, from, (a6) - 7) \ - bn_cp_32(to, 2, from, (a5) - 7) \ - bn_cp_32(to, 3, from, (a4) - 7) \ - bn_cp_32(to, 4, from, (a3) - 7) \ - bn_cp_32(to, 5, from, (a2) - 7) \ - bn_cp_32(to, 6, from, (a1) - 7) \ - } - -int -BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) -{ - int top = a->top, i; - int carry; - BN_ULONG *r_d, *a_d = a->d; - union { - BN_ULONG bn[BN_NIST_224_TOP]; - unsigned int ui[BN_NIST_224_TOP * - sizeof(BN_ULONG) / sizeof(unsigned int)]; - } buf; - BN_ULONG c_d[BN_NIST_224_TOP], *res; - uintptr_t mask; - union { - bn_addsub_f f; - uintptr_t p; - } u; - static const BIGNUM _bignum_nist_p_224_sqr = { - (BN_ULONG *)_nist_p_224_sqr, - sizeof(_nist_p_224_sqr) / sizeof(_nist_p_224_sqr[0]), - sizeof(_nist_p_224_sqr) / sizeof(_nist_p_224_sqr[0]), - 0, - BN_FLG_STATIC_DATA - }; - - field = &_bignum_nist_p_224; /* just to make sure */ - - if (BN_is_negative(a) || BN_ucmp(a, &_bignum_nist_p_224_sqr) >= 0) - return BN_nnmod(r, a, field, ctx); - - i = BN_ucmp(field, a); - if (i == 0) { - BN_zero(r); - return 1; - } else if (i > 0) - return (r == a) ? 
1 : (BN_copy(r, a) != NULL); - - if (r != a) { - if (!bn_wexpand(r, BN_NIST_224_TOP)) - return 0; - r_d = r->d; - nist_cp_bn(r_d, a_d, BN_NIST_224_TOP); - } else - r_d = a_d; - - memset(&buf, 0, sizeof(buf)); - -#if BN_BITS2==64 - /* copy upper 256 bits of 448 bit number ... */ - nist_cp_bn_0(c_d, a_d + (BN_NIST_224_TOP - 1), - top - (BN_NIST_224_TOP - 1), BN_NIST_224_TOP); - /* ... and right shift by 32 to obtain upper 224 bits */ - nist_set_224(buf.bn, c_d, 14, 13, 12, 11, 10, 9, 8); - /* truncate lower part to 224 bits too */ - r_d[BN_NIST_224_TOP - 1] &= BN_MASK2l; -#else - nist_cp_bn_0(buf.bn, a_d + BN_NIST_224_TOP, - top - BN_NIST_224_TOP, BN_NIST_224_TOP); -#endif - -#if defined(NIST_INT64) && BN_BITS2!=64 - { - NIST_INT64 acc; /* accumulator */ - unsigned int *rp = (unsigned int *)r_d; - const unsigned int *bp = (const unsigned int *)buf.ui; - - acc = rp[0]; - acc -= bp[7 - 7]; - acc -= bp[11 - 7]; - rp[0] = (unsigned int)acc; - acc >>= 32; - - acc += rp[1]; - acc -= bp[8 - 7]; - acc -= bp[12 - 7]; - rp[1] = (unsigned int)acc; - acc >>= 32; - - acc += rp[2]; - acc -= bp[9 - 7]; - acc -= bp[13 - 7]; - rp[2] = (unsigned int)acc; - acc >>= 32; - - acc += rp[3]; - acc += bp[7 - 7]; - acc += bp[11 - 7]; - acc -= bp[10 - 7]; - rp[3] = (unsigned int)acc; - acc >>= 32; - - acc += rp[4]; - acc += bp[8 - 7]; - acc += bp[12 - 7]; - acc -= bp[11 - 7]; - rp[4] = (unsigned int)acc; - acc >>= 32; - - acc += rp[5]; - acc += bp[9 - 7]; - acc += bp[13 - 7]; - acc -= bp[12 - 7]; - rp[5] = (unsigned int)acc; - acc >>= 32; - - acc += rp[6]; - acc += bp[10 - 7]; - acc -= bp[13 - 7]; - rp[6] = (unsigned int)acc; - - carry = (int)(acc >> 32); -# if BN_BITS2==64 - rp[7] = carry; -# endif - } -#else - { - BN_ULONG t_d[BN_NIST_224_TOP] = {0}; - - nist_set_224(t_d, buf.bn, 10, 9, 8, 7, 0, 0, 0); - carry = (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP); - nist_set_224(t_d, buf.bn, 0, 13, 12, 11, 0, 0, 0); - carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_224_TOP); - 
nist_set_224(t_d, buf.bn, 13, 12, 11, 10, 9, 8, 7); - carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP); - nist_set_224(t_d, buf.bn, 0, 0, 0, 0, 13, 12, 11); - carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_224_TOP); - -#if BN_BITS2==64 - carry = (int)(r_d[BN_NIST_224_TOP - 1] >> 32); -#endif - } -#endif - u.f = bn_sub_words; - if (carry > 0) { - carry = (int)bn_sub_words(r_d, r_d, _nist_p_224[carry - 1], - BN_NIST_224_TOP); -#if BN_BITS2==64 - carry = (int)(~(r_d[BN_NIST_224_TOP - 1] >> 32)) & 1; -#endif - } else if (carry < 0) { - /* it's a bit more complicated logic in this case. - * if bn_add_words yields no carry, then result - * has to be adjusted by unconditionally *adding* - * the modulus. but if it does, then result has - * to be compared to the modulus and conditionally - * adjusted by *subtracting* the latter. */ - carry = (int)bn_add_words(r_d, r_d, _nist_p_224[-carry - 1], - BN_NIST_224_TOP); - mask = 0 - (uintptr_t)carry; - u.p = ((uintptr_t)bn_sub_words & mask) | - ((uintptr_t)bn_add_words & ~mask); - } else - carry = 1; - - /* otherwise it's effectively same as in BN_nist_mod_192... 
*/ - mask = 0 - (uintptr_t)(*u.f)(c_d, r_d, _nist_p_224[0], BN_NIST_224_TOP); - mask &= 0 - (uintptr_t)carry; - res = c_d; - res = (BN_ULONG *)(((uintptr_t)res & ~mask) | ((uintptr_t)r_d & mask)); - nist_cp_bn(r_d, res, BN_NIST_224_TOP); - r->top = BN_NIST_224_TOP; - bn_correct_top(r); - - return 1; -} - -#define nist_set_256(to, from, a1, a2, a3, a4, a5, a6, a7, a8) \ - { \ - bn_cp_32(to, 0, from, (a8) - 8) \ - bn_cp_32(to, 1, from, (a7) - 8) \ - bn_cp_32(to, 2, from, (a6) - 8) \ - bn_cp_32(to, 3, from, (a5) - 8) \ - bn_cp_32(to, 4, from, (a4) - 8) \ - bn_cp_32(to, 5, from, (a3) - 8) \ - bn_cp_32(to, 6, from, (a2) - 8) \ - bn_cp_32(to, 7, from, (a1) - 8) \ - } - -int -BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) -{ - int i, top = a->top; - int carry = 0; - BN_ULONG *a_d = a->d, *r_d; - union { - BN_ULONG bn[BN_NIST_256_TOP]; - unsigned int ui[BN_NIST_256_TOP * - sizeof(BN_ULONG) / sizeof(unsigned int)]; - } buf; - BN_ULONG c_d[BN_NIST_256_TOP] = {0}, *res; - uintptr_t mask; - union { - bn_addsub_f f; - uintptr_t p; - } u; - static const BIGNUM _bignum_nist_p_256_sqr = { - (BN_ULONG *)_nist_p_256_sqr, - sizeof(_nist_p_256_sqr) / sizeof(_nist_p_256_sqr[0]), - sizeof(_nist_p_256_sqr) / sizeof(_nist_p_256_sqr[0]), - 0, - BN_FLG_STATIC_DATA - }; - - field = &_bignum_nist_p_256; /* just to make sure */ - - if (BN_is_negative(a) || BN_ucmp(a, &_bignum_nist_p_256_sqr) >= 0) - return BN_nnmod(r, a, field, ctx); - - i = BN_ucmp(field, a); - if (i == 0) { - BN_zero(r); - return 1; - } else if (i > 0) - return (r == a) ? 
1 : (BN_copy(r, a) != NULL); - - if (r != a) { - if (!bn_wexpand(r, BN_NIST_256_TOP)) - return 0; - r_d = r->d; - nist_cp_bn(r_d, a_d, BN_NIST_256_TOP); - } else - r_d = a_d; - - nist_cp_bn_0(buf.bn, a_d + BN_NIST_256_TOP, - top - BN_NIST_256_TOP, BN_NIST_256_TOP); - -#if defined(NIST_INT64) - { - NIST_INT64 acc; /* accumulator */ - unsigned int *rp = (unsigned int *)r_d; - const unsigned int *bp = (const unsigned int *)buf.ui; - - acc = rp[0]; - acc += bp[8 - 8]; - acc += bp[9 - 8]; - acc -= bp[11 - 8]; - acc -= bp[12 - 8]; - acc -= bp[13 - 8]; - acc -= bp[14 - 8]; - rp[0] = (unsigned int)acc; - acc >>= 32; - - acc += rp[1]; - acc += bp[9 - 8]; - acc += bp[10 - 8]; - acc -= bp[12 - 8]; - acc -= bp[13 - 8]; - acc -= bp[14 - 8]; - acc -= bp[15 - 8]; - rp[1] = (unsigned int)acc; - acc >>= 32; - - acc += rp[2]; - acc += bp[10 - 8]; - acc += bp[11 - 8]; - acc -= bp[13 - 8]; - acc -= bp[14 - 8]; - acc -= bp[15 - 8]; - rp[2] = (unsigned int)acc; - acc >>= 32; - - acc += rp[3]; - acc += bp[11 - 8]; - acc += bp[11 - 8]; - acc += bp[12 - 8]; - acc += bp[12 - 8]; - acc += bp[13 - 8]; - acc -= bp[15 - 8]; - acc -= bp[8 - 8]; - acc -= bp[9 - 8]; - rp[3] = (unsigned int)acc; - acc >>= 32; - - acc += rp[4]; - acc += bp[12 - 8]; - acc += bp[12 - 8]; - acc += bp[13 - 8]; - acc += bp[13 - 8]; - acc += bp[14 - 8]; - acc -= bp[9 - 8]; - acc -= bp[10 - 8]; - rp[4] = (unsigned int)acc; - acc >>= 32; - - acc += rp[5]; - acc += bp[13 - 8]; - acc += bp[13 - 8]; - acc += bp[14 - 8]; - acc += bp[14 - 8]; - acc += bp[15 - 8]; - acc -= bp[10 - 8]; - acc -= bp[11 - 8]; - rp[5] = (unsigned int)acc; - acc >>= 32; - - acc += rp[6]; - acc += bp[14 - 8]; - acc += bp[14 - 8]; - acc += bp[15 - 8]; - acc += bp[15 - 8]; - acc += bp[14 - 8]; - acc += bp[13 - 8]; - acc -= bp[8 - 8]; - acc -= bp[9 - 8]; - rp[6] = (unsigned int)acc; - acc >>= 32; - - acc += rp[7]; - acc += bp[15 - 8]; - acc += bp[15 - 8]; - acc += bp[15 - 8]; - acc += bp[8 - 8]; - acc -= bp[10 - 8]; - acc -= bp[11 - 8]; - acc -= bp[12 - 
8]; - acc -= bp[13 - 8]; - rp[7] = (unsigned int)acc; - - carry = (int)(acc >> 32); - } -#else - { - BN_ULONG t_d[BN_NIST_256_TOP] = {0}; - - /*S1*/ - nist_set_256(t_d, buf.bn, 15, 14, 13, 12, 11, 0, 0, 0); - /*S2*/ - nist_set_256(c_d, buf.bn, 0, 15, 14, 13, 12, 0, 0, 0); - carry = (int)bn_add_words(t_d, t_d, c_d, BN_NIST_256_TOP); - /* left shift */ - { - BN_ULONG *ap, t, c; - ap = t_d; - c = 0; - for (i = BN_NIST_256_TOP; i != 0; --i) { - t = *ap; - *(ap++) = ((t << 1) | c) & BN_MASK2; - c = (t & BN_TBIT) ? 1 : 0; - } - carry <<= 1; - carry |= c; - } - carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP); - /*S3*/ - nist_set_256(t_d, buf.bn, 15, 14, 0, 0, 0, 10, 9, 8); - carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP); - /*S4*/ - nist_set_256(t_d, buf.bn, 8, 13, 15, 14, 13, 11, 10, 9); - carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_256_TOP); - /*D1*/ - nist_set_256(t_d, buf.bn, 10, 8, 0, 0, 0, 13, 12, 11); - carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP); - /*D2*/ - nist_set_256(t_d, buf.bn, 11, 9, 0, 0, 15, 14, 13, 12); - carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP); - /*D3*/ - nist_set_256(t_d, buf.bn, 12, 0, 10, 9, 8, 15, 14, 13); - carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP); - /*D4*/ - nist_set_256(t_d, buf.bn, 13, 0, 11, 10, 9, 0, 15, 14); - carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_256_TOP); - - } -#endif - /* see BN_nist_mod_224 for explanation */ - u.f = bn_sub_words; - if (carry > 0) - carry = (int)bn_sub_words(r_d, r_d, _nist_p_256[carry - 1], - BN_NIST_256_TOP); - else if (carry < 0) { - carry = (int)bn_add_words(r_d, r_d, _nist_p_256[-carry - 1], - BN_NIST_256_TOP); - mask = 0 - (uintptr_t)carry; - u.p = ((uintptr_t)bn_sub_words & mask) | - ((uintptr_t)bn_add_words & ~mask); - } else - carry = 1; - - mask = 0 - (uintptr_t)(*u.f)(c_d, r_d, _nist_p_256[0], BN_NIST_256_TOP); - mask &= 0 - (uintptr_t)carry; - res = c_d; - res = (BN_ULONG *)(((uintptr_t)res & ~mask) | ((uintptr_t)r_d & 
mask)); - nist_cp_bn(r_d, res, BN_NIST_256_TOP); - r->top = BN_NIST_256_TOP; - bn_correct_top(r); - - return 1; -} - -#define nist_set_384(to,from,a1,a2,a3,a4,a5,a6,a7,a8,a9,a10,a11,a12) \ - { \ - bn_cp_32(to, 0, from, (a12) - 12) \ - bn_cp_32(to, 1, from, (a11) - 12) \ - bn_cp_32(to, 2, from, (a10) - 12) \ - bn_cp_32(to, 3, from, (a9) - 12) \ - bn_cp_32(to, 4, from, (a8) - 12) \ - bn_cp_32(to, 5, from, (a7) - 12) \ - bn_cp_32(to, 6, from, (a6) - 12) \ - bn_cp_32(to, 7, from, (a5) - 12) \ - bn_cp_32(to, 8, from, (a4) - 12) \ - bn_cp_32(to, 9, from, (a3) - 12) \ - bn_cp_32(to, 10, from, (a2) - 12) \ - bn_cp_32(to, 11, from, (a1) - 12) \ - } - -int -BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) -{ - int i, top = a->top; - int carry = 0; - BN_ULONG *r_d, *a_d = a->d; - union { - BN_ULONG bn[BN_NIST_384_TOP]; - unsigned int ui[BN_NIST_384_TOP * - sizeof(BN_ULONG) / sizeof(unsigned int)]; - } buf; - BN_ULONG c_d[BN_NIST_384_TOP], *res; - uintptr_t mask; - union { - bn_addsub_f f; - uintptr_t p; - } u; - static const BIGNUM _bignum_nist_p_384_sqr = { - (BN_ULONG *)_nist_p_384_sqr, - sizeof(_nist_p_384_sqr) / sizeof(_nist_p_384_sqr[0]), - sizeof(_nist_p_384_sqr) / sizeof(_nist_p_384_sqr[0]), - 0, - BN_FLG_STATIC_DATA - }; - - field = &_bignum_nist_p_384; /* just to make sure */ - - if (BN_is_negative(a) || BN_ucmp(a, &_bignum_nist_p_384_sqr) >= 0) - return BN_nnmod(r, a, field, ctx); - - i = BN_ucmp(field, a); - if (i == 0) { - BN_zero(r); - return 1; - } else if (i > 0) - return (r == a) ? 
1 : (BN_copy(r, a) != NULL); - - if (r != a) { - if (!bn_wexpand(r, BN_NIST_384_TOP)) - return 0; - r_d = r->d; - nist_cp_bn(r_d, a_d, BN_NIST_384_TOP); - } else - r_d = a_d; - - nist_cp_bn_0(buf.bn, a_d + BN_NIST_384_TOP, - top - BN_NIST_384_TOP, BN_NIST_384_TOP); - -#if defined(NIST_INT64) - { - NIST_INT64 acc; /* accumulator */ - unsigned int *rp = (unsigned int *)r_d; - const unsigned int *bp = (const unsigned int *)buf.ui; - - acc = rp[0]; - acc += bp[12 - 12]; - acc += bp[21 - 12]; - acc += bp[20 - 12]; - acc -= bp[23 - 12]; - rp[0] = (unsigned int)acc; - acc >>= 32; - - acc += rp[1]; - acc += bp[13 - 12]; - acc += bp[22 - 12]; - acc += bp[23 - 12]; - acc -= bp[12 - 12]; - acc -= bp[20 - 12]; - rp[1] = (unsigned int)acc; - acc >>= 32; - - acc += rp[2]; - acc += bp[14 - 12]; - acc += bp[23 - 12]; - acc -= bp[13 - 12]; - acc -= bp[21 - 12]; - rp[2] = (unsigned int)acc; - acc >>= 32; - - acc += rp[3]; - acc += bp[15 - 12]; - acc += bp[12 - 12]; - acc += bp[20 - 12]; - acc += bp[21 - 12]; - acc -= bp[14 - 12]; - acc -= bp[22 - 12]; - acc -= bp[23 - 12]; - rp[3] = (unsigned int)acc; - acc >>= 32; - - acc += rp[4]; - acc += bp[21 - 12]; - acc += bp[21 - 12]; - acc += bp[16 - 12]; - acc += bp[13 - 12]; - acc += bp[12 - 12]; - acc += bp[20 - 12]; - acc += bp[22 - 12]; - acc -= bp[15 - 12]; - acc -= bp[23 - 12]; - acc -= bp[23 - 12]; - rp[4] = (unsigned int)acc; - acc >>= 32; - - acc += rp[5]; - acc += bp[22 - 12]; - acc += bp[22 - 12]; - acc += bp[17 - 12]; - acc += bp[14 - 12]; - acc += bp[13 - 12]; - acc += bp[21 - 12]; - acc += bp[23 - 12]; - acc -= bp[16 - 12]; - rp[5] = (unsigned int)acc; - acc >>= 32; - - acc += rp[6]; - acc += bp[23 - 12]; - acc += bp[23 - 12]; - acc += bp[18 - 12]; - acc += bp[15 - 12]; - acc += bp[14 - 12]; - acc += bp[22 - 12]; - acc -= bp[17 - 12]; - rp[6] = (unsigned int)acc; - acc >>= 32; - - acc += rp[7]; - acc += bp[19 - 12]; - acc += bp[16 - 12]; - acc += bp[15 - 12]; - acc += bp[23 - 12]; - acc -= bp[18 - 12]; - rp[7] = (unsigned 
int)acc; - acc >>= 32; - - acc += rp[8]; - acc += bp[20 - 12]; - acc += bp[17 - 12]; - acc += bp[16 - 12]; - acc -= bp[19 - 12]; - rp[8] = (unsigned int)acc; - acc >>= 32; - - acc += rp[9]; - acc += bp[21 - 12]; - acc += bp[18 - 12]; - acc += bp[17 - 12]; - acc -= bp[20 - 12]; - rp[9] = (unsigned int)acc; - acc >>= 32; - - acc += rp[10]; - acc += bp[22 - 12]; - acc += bp[19 - 12]; - acc += bp[18 - 12]; - acc -= bp[21 - 12]; - rp[10] = (unsigned int)acc; - acc >>= 32; - - acc += rp[11]; - acc += bp[23 - 12]; - acc += bp[20 - 12]; - acc += bp[19 - 12]; - acc -= bp[22 - 12]; - rp[11] = (unsigned int)acc; - - carry = (int)(acc >> 32); - } -#else - { - BN_ULONG t_d[BN_NIST_384_TOP] = {0}; - - /*S1*/ - nist_set_256(t_d, buf.bn, 0, 0, 0, 0, 0, 23 - 4, 22 - 4, - 21 - 4); - /* left shift */ - { - BN_ULONG *ap, t, c; - ap = t_d; - c = 0; - for (i = 3; i != 0; --i) { - t= *ap; - *(ap++) = ((t << 1)|c) & BN_MASK2; - c = (t & BN_TBIT) ? 1 : 0; - } - *ap = c; - } - carry = (int)bn_add_words(r_d + (128 / BN_BITS2), - r_d + (128 / BN_BITS2), t_d, BN_NIST_256_TOP); - /*S2 */ - carry += (int)bn_add_words(r_d, r_d, buf.bn, BN_NIST_384_TOP); - /*S3*/ - nist_set_384(t_d, buf.bn, 20, 19, 18, 17, 16, 15, 14, 13, 12, - 23, 22, 21); - carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP); - /*S4*/ - nist_set_384(t_d, buf.bn, 19, 18, 17, 16, 15, 14, 13, 12, 20, - 0, 23, 0); - carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP); - /*S5*/ - nist_set_384(t_d, buf.bn, 0,0, 0,0, 23, 22, 21, 20, 0,0, 0, 0); - carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP); - /*S6*/ - nist_set_384(t_d, buf.bn, 0,0, 0,0, 0,0, 23, 22, 21, 0,0, 20); - carry += (int)bn_add_words(r_d, r_d, t_d, BN_NIST_384_TOP); - /*D1*/ - nist_set_384(t_d, buf.bn, 22, 21, 20, 19, 18, 17, 16, 15, 14, - 13, 12, 23); - carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP); - /*D2*/ - nist_set_384(t_d, buf.bn, 0,0, 0,0, 0,0, 0,23, 22, 21, 20, 0); - carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP); - 
/*D3*/ - nist_set_384(t_d, buf.bn, 0,0, 0,0, 0,0, 0,23, 23, 0,0, 0); - carry -= (int)bn_sub_words(r_d, r_d, t_d, BN_NIST_384_TOP); - - } -#endif - /* see BN_nist_mod_224 for explanation */ - u.f = bn_sub_words; - if (carry > 0) - carry = (int)bn_sub_words(r_d, r_d, _nist_p_384[carry - 1], - BN_NIST_384_TOP); - else if (carry < 0) { - carry = (int)bn_add_words(r_d, r_d, _nist_p_384[-carry - 1], - BN_NIST_384_TOP); - mask = 0 - (uintptr_t)carry; - u.p = ((uintptr_t)bn_sub_words & mask) | - ((uintptr_t)bn_add_words & ~mask); - } else - carry = 1; - - mask = 0 - (uintptr_t)(*u.f)(c_d, r_d, _nist_p_384[0], BN_NIST_384_TOP); - mask &= 0 - (uintptr_t)carry; - res = c_d; - res = (BN_ULONG *)(((uintptr_t)res & ~mask) | ((uintptr_t)r_d & mask)); - nist_cp_bn(r_d, res, BN_NIST_384_TOP); - r->top = BN_NIST_384_TOP; - bn_correct_top(r); - - return 1; -} - -#define BN_NIST_521_RSHIFT (521%BN_BITS2) -#define BN_NIST_521_LSHIFT (BN_BITS2-BN_NIST_521_RSHIFT) -#define BN_NIST_521_TOP_MASK ((BN_ULONG)BN_MASK2>>BN_NIST_521_LSHIFT) - -int -BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *field, BN_CTX *ctx) -{ - int top = a->top, i; - BN_ULONG *r_d, *a_d = a->d, t_d[BN_NIST_521_TOP], val, tmp, *res; - uintptr_t mask; - static const BIGNUM _bignum_nist_p_521_sqr = { - (BN_ULONG *)_nist_p_521_sqr, - sizeof(_nist_p_521_sqr) / sizeof(_nist_p_521_sqr[0]), - sizeof(_nist_p_521_sqr) / sizeof(_nist_p_521_sqr[0]), - 0, - BN_FLG_STATIC_DATA - }; - - field = &_bignum_nist_p_521; /* just to make sure */ - - if (BN_is_negative(a) || BN_ucmp(a, &_bignum_nist_p_521_sqr) >= 0) - return BN_nnmod(r, a, field, ctx); - - i = BN_ucmp(field, a); - if (i == 0) { - BN_zero(r); - return 1; - } else if (i > 0) - return (r == a) ? 1 : (BN_copy(r, a) != NULL); - - if (r != a) { - if (!bn_wexpand(r, BN_NIST_521_TOP)) - return 0; - r_d = r->d; - nist_cp_bn(r_d, a_d, BN_NIST_521_TOP); - } else - r_d = a_d; - - /* upper 521 bits, copy ... 
*/ - nist_cp_bn_0(t_d, a_d + (BN_NIST_521_TOP - 1), - top - (BN_NIST_521_TOP - 1), BN_NIST_521_TOP); - /* ... and right shift */ - for (val = t_d[0], i = 0; i < BN_NIST_521_TOP - 1; i++) { - tmp = val >> BN_NIST_521_RSHIFT; - val = t_d[i + 1]; - t_d[i] = (tmp | val << BN_NIST_521_LSHIFT) & BN_MASK2; - } - t_d[i] = val >> BN_NIST_521_RSHIFT; - /* lower 521 bits */ - r_d[i] &= BN_NIST_521_TOP_MASK; - - bn_add_words(r_d, r_d, t_d, BN_NIST_521_TOP); - mask = 0 - (uintptr_t)bn_sub_words(t_d, r_d, _nist_p_521, - BN_NIST_521_TOP); - res = t_d; - res = (BN_ULONG *)(((uintptr_t)res & ~mask) | ((uintptr_t)r_d & mask)); - nist_cp_bn(r_d, res, BN_NIST_521_TOP); - r->top = BN_NIST_521_TOP; - bn_correct_top(r); - - return 1; -} diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c index e78c568..b8f0eb6 100644 --- a/crypto/bn/bn_prime.c +++ b/crypto/bn/bn_prime.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_prime.c,v 1.18 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bn_prime.c,v 1.32 2023/05/10 12:21:55 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -114,12 +114,7 @@ #include -#include "bn_lcl.h" - -/* NB: these functions have been "upgraded", the deprecated versions (which are - * compatibility wrappers using these functions) are in bn_depr.c. - * - Geoff - */ +#include "bn_local.h" /* The quick sieve algorithm approach to weeding out primes is * Philip Zimmermann's, as implemented in PGP. I have had a read of @@ -127,8 +122,6 @@ */ #include "bn_prime.h" -static int witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1, - const BIGNUM *a1_odd, int k, BN_CTX *ctx, BN_MONT_CTX *mont); static int probable_prime(BIGNUM *rnd, int bits); static int probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add, const BIGNUM *rem, BN_CTX *ctx); 
@@ -162,11 +155,11 @@ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb) { - BIGNUM *t; - int found = 0; - int i, j, c1 = 0; BN_CTX *ctx; - int checks; + BIGNUM *p; + int is_prime; + int loops = 0; + int found = 0; if (bits < 2 || (bits == 2 && safe)) { /* @@ -177,17 +170,14 @@ BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, return 0; } - ctx = BN_CTX_new(); - if (ctx == NULL) + if ((ctx = BN_CTX_new()) == NULL) goto err; BN_CTX_start(ctx); - if ((t = BN_CTX_get(ctx)) == NULL) + if ((p = BN_CTX_get(ctx)) == NULL) goto err; - checks = BN_prime_checks_for_size(bits); - -loop: - /* make a random number and set the top and bottom bits */ + loop: + /* Make a random number and set the top and bottom bits. */ if (add == NULL) { if (!probable_prime(ret, bits)) goto err; 
@@ -200,52 +190,44 @@ loop: goto err; } } - /* if (BN_mod_word(ret,(BN_ULONG)3) == 1) goto loop; */ - if (!BN_GENCB_call(cb, 0, c1++)) - /* aborted */ + + if (!BN_GENCB_call(cb, 0, loops++)) goto err; if (!safe) { - i = BN_is_prime_fasttest_ex(ret, checks, ctx, 0, cb); - if (i == -1) + if (!bn_is_prime_bpsw(&is_prime, ret, ctx, 1)) goto err; - if (i == 0) + if (!is_prime) goto loop; } else { - /* for "safe prime" generation, - * check that (p-1)/2 is prime. - * Since a prime is odd, We just - * need to divide by 2 */ - if (!BN_rshift1(t, ret)) + if (!bn_is_prime_bpsw(&is_prime, ret, ctx, 1)) + goto err; + if (!is_prime) + goto loop; + + /* + * For safe prime generation, check that p = (ret-1)/2 is prime. + * Since this prime has >= 3 bits, it is odd, and we can simply + * divide by 2. + */ + if (!BN_rshift1(p, ret)) goto err; - for (i = 0; i < checks; i++) { - j = BN_is_prime_fasttest_ex(ret, 1, ctx, 0, cb); - if (j == -1) - goto err; - if (j == 0) - goto loop; + if (!bn_is_prime_bpsw(&is_prime, p, ctx, 1)) + goto err; + if (!is_prime) + goto loop; - j = BN_is_prime_fasttest_ex(t, 1, ctx, 0, cb); - if (j == -1) - goto err; - if (j == 0) - goto loop; - - if (!BN_GENCB_call(cb, 2, c1 - 1)) - goto err; - /* We have a safe prime test pass */ - } + if (!BN_GENCB_call(cb, 2, loops - 1)) + goto err; } - /* we have a prime :-) */ + found = 1; -err: - if (ctx != NULL) { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } - bn_check_top(ret); + err: + BN_CTX_end(ctx); + BN_CTX_free(ctx); + return found; } 
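Review bot: The new `err:` label calls `BN_CTX_end(ctx)` unconditionally, but the `goto err` after `if ((ctx = BN_CTX_new()) == NULL)` in the preceding hunk reaches it with ctx == NULL, and the removed code guarded exactly this with `if (ctx != NULL)`. Unless BN_CTX_end() is documented to accept a NULL context, the allocation-failure path should keep the guard: `err:` / `if (ctx != NULL) BN_CTX_end(ctx);` / `BN_CTX_free(ctx);`. Separately, both arms of `if (!safe)` open with the identical `bn_is_prime_bpsw(&is_prime, ret, ctx, 1)` test on ret; hoisting that call above the branch leaves only the (ret-1)/2 test and the BN_GENCB_call(cb, 2, ...) inside the else arm and removes the duplicated error handling. BN_generate_prime_ex() begins outside this hunk.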
@@ -259,143 +241,26 @@ int BN_is_prime_fasttest_ex(const BIGNUM *a, int checks, BN_CTX *ctx_passed, int do_trial_division, BN_GENCB *cb) { - int i, j, ret = -1; - int k; - BN_CTX *ctx = NULL; - BIGNUM *A1, *A1_odd, *check; /* taken from ctx */ - BN_MONT_CTX *mont = NULL; - const BIGNUM *A = NULL; + int is_prime; - if (BN_cmp(a, BN_value_one()) <= 0) - return 0; + if (checks < 0) + return -1; if (checks == BN_prime_checks) checks = BN_prime_checks_for_size(BN_num_bits(a)); - /* first look for small factors */ - if (!BN_is_odd(a)) - /* a is even => a is prime if and only if a == 2 */ - return BN_is_word(a, 2); - if (do_trial_division) { - for (i = 1; i < NUMPRIMES; i++) { - BN_ULONG mod = BN_mod_word(a, primes[i]); - if (mod == (BN_ULONG)-1) - goto err; - if (mod == 0) - return 0; - } - if (!BN_GENCB_call(cb, 1, -1)) - goto err; - } - - if (ctx_passed != NULL) - ctx = ctx_passed; - else if ((ctx = BN_CTX_new()) == NULL) - goto err; - BN_CTX_start(ctx); - - /* A := abs(a) */ - if (a->neg) { - BIGNUM *t; - if ((t = BN_CTX_get(ctx)) == NULL) - goto err; - BN_copy(t, a); - t->neg = 0; - A = t; - } else - A = a; - if ((A1 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((A1_odd = BN_CTX_get(ctx)) == NULL) - goto err; - if ((check = BN_CTX_get(ctx)) == NULL) - goto err; - - /* compute A1 := A - 1 */ - if (!BN_copy(A1, A)) - goto err; - if (!BN_sub_word(A1, 1)) - goto err; - if (BN_is_zero(A1)) { - ret = 0; - goto err; - } - - /* write A1 as A1_odd * 2^k */ - k = 1; - while (!BN_is_bit_set(A1, k)) - k++; - if (!BN_rshift(A1_odd, A1, k)) - goto err; - - /* Montgomery setup for computations mod A */ - mont = BN_MONT_CTX_new(); - if (mont == NULL) - goto err; - if (!BN_MONT_CTX_set(mont, A, ctx)) - goto err; - - for (i = 0; i < checks; i++) { - if (!BN_pseudo_rand_range(check, A1)) - goto err; - if (!BN_add_word(check, 1)) - goto err; - /* now 1 <= check < A */ - - j = witness(check, A, A1, A1_odd, k, ctx, mont); - if (j == -1) - goto err; - if (j) { - ret = 0; - goto err; - } - 
if (!BN_GENCB_call(cb, 1, i)) - goto err; - } - ret = 1; - -err: - if (ctx != NULL) { - BN_CTX_end(ctx); - if (ctx_passed == NULL) - BN_CTX_free(ctx); - } - BN_MONT_CTX_free(mont); - - return (ret); -} - -static int -witness(BIGNUM *w, const BIGNUM *a, const BIGNUM *a1, const BIGNUM *a1_odd, - int k, BN_CTX *ctx, BN_MONT_CTX *mont) -{ - if (!BN_mod_exp_mont_ct(w, w, a1_odd, a, ctx, mont)) - /* w := w^a1_odd mod a */ + /* XXX - tickle BN_GENCB in bn_is_prime_bpsw(). */ + if (!bn_is_prime_bpsw(&is_prime, a, ctx_passed, checks)) return -1; - if (BN_is_one(w)) - return 0; /* probably prime */ - if (BN_cmp(w, a1) == 0) - return 0; /* w == -1 (mod a), 'a' is probably prime */ - while (--k) { - if (!BN_mod_mul(w, w, w, a, ctx)) /* w := w^2 mod a */ - return -1; - if (BN_is_one(w)) - return 1; /* 'a' is composite, otherwise a previous 'w' would - * have been == -1 (mod 'a') */ - if (BN_cmp(w, a1) == 0) - return 0; /* w == -1 (mod a), 'a' is probably prime */ - } - /* If we get here, 'w' is the (a-1)/2-th power of the original 'w', - * and it is neither -1 nor +1 -- so 'a' cannot be prime */ - bn_check_top(w); - return 1; + + return is_prime; } static int probable_prime(BIGNUM *rnd, int bits) { int i; - prime_t mods[NUMPRIMES]; + BN_ULONG mods[NUMPRIMES]; BN_ULONG delta, maxdelta; again: @@ -403,10 +268,10 @@ again: return (0); /* we now have a random number 'rand' to test. */ for (i = 1; i < NUMPRIMES; i++) { - BN_ULONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]); + BN_ULONG mod = BN_mod_word(rnd, primes[i]); if (mod == (BN_ULONG)-1) return (0); - mods[i] = (prime_t)mod; + mods[i] = mod; } maxdelta = BN_MASK2 - primes[NUMPRIMES - 1]; delta = 0; @@ -423,7 +288,6 @@ loop: } if (!BN_add_word(rnd, delta)) return (0); - bn_check_top(rnd); return (1); } 
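Review bot: BN_is_prime_fasttest_ex() now forwards only `checks` and `ctx_passed` to bn_is_prime_bpsw(), so the `do_trial_division` and `cb` parameters are silently ignored while the XXX comment mentions only the callback; the comment should state both, e.g. `/* XXX - do_trial_division and cb are currently ignored; bn_is_prime_bpsw() does not tickle BN_GENCB. */`. The removed code also allocated its own BN_CTX when ctx_passed was NULL and returned 0 for a <= 1 and for even a other than 2; whether bn_is_prime_bpsw() preserves those parts of the public contract is not visible in this diff and should be confirmed. In probable_prime(), replacing `prime_t mods[NUMPRIMES]` with `BN_ULONG mods[NUMPRIMES]` grows the stack frame from 4 KiB to 16 KiB on LP64 targets although every stored remainder is below 2^16 (the largest table entry is 17863); `uint16_t mods[NUMPRIMES];` with `mods[i] = (uint16_t)mod;` keeps the old footprint. probable_prime() continues past this hunk.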
@@ -460,7 +324,7 @@ probable_prime_dh(BIGNUM *rnd, int bits, const BIGNUM *add, const BIGNUM *rem, loop: for (i = 1; i < NUMPRIMES; i++) { /* check that rnd is a prime */ - BN_LONG mod = BN_mod_word(rnd, (BN_ULONG)primes[i]); + BN_LONG mod = BN_mod_word(rnd, primes[i]); if (mod == (BN_ULONG)-1) goto err; if (mod <= 1) { @@ -473,7 +337,6 @@ loop: err: BN_CTX_end(ctx); - bn_check_top(rnd); return (ret); } @@ -525,8 +388,8 @@ loop: /* check that p and q are prime */ /* check that for p and q * gcd(p-1,primes) == 1 (except for 2) */ - BN_ULONG pmod = BN_mod_word(p, (BN_ULONG)primes[i]); - BN_ULONG qmod = BN_mod_word(q, (BN_ULONG)primes[i]); + BN_ULONG pmod = BN_mod_word(p, primes[i]); + BN_ULONG qmod = BN_mod_word(q, primes[i]); if (pmod == (BN_ULONG)-1 || qmod == (BN_ULONG)-1) goto err; if (pmod == 0 || qmod == 0) { @@ -541,6 +404,5 @@ loop: err: BN_CTX_end(ctx); - bn_check_top(p); return (ret); } diff --git a/crypto/bn/bn_prime.h b/crypto/bn/bn_prime.h index d519900..4ea2d47 100644 --- a/crypto/bn/bn_prime.h +++ b/crypto/bn/bn_prime.h 
@@ -1,323 +1,14 @@ -/* $OpenBSD: bn_prime.h,v 1.7 2016/12/21 15:49:29 jsing Exp $ */ -/* Auto generated by bn_prime.pl */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] +/* $OpenBSD: bn_prime.h,v 1.9 2022/11/10 10:24:50 tb Exp $ */ +/* + * Public domain. 
*/ +#include + __BEGIN_HIDDEN_DECLS #define NUMPRIMES 2048 -typedef unsigned short prime_t; -static const prime_t primes[NUMPRIMES] = { - 2, 3, 5, 7, 11, 13, 17, 19, - 23, 29, 31, 37, 41, 43, 47, 53, - 59, 61, 67, 71, 73, 79, 83, 89, - 97, 101, 103, 107, 109, 113, 127, 131, - 137, 139, 149, 151, 157, 163, 167, 173, - 179, 181, 191, 193, 197, 199, 211, 223, - 227, 229, 233, 239, 241, 251, 257, 263, - 269, 271, 277, 281, 283, 293, 307, 311, - 313, 317, 331, 337, 347, 349, 353, 359, - 367, 373, 379, 383, 389, 397, 401, 409, - 419, 421, 431, 433, 439, 443, 449, 457, - 461, 463, 467, 479, 487, 491, 499, 503, - 509, 521, 523, 541, 547, 557, 563, 569, - 571, 577, 587, 593, 599, 601, 607, 613, - 617, 619, 631, 641, 643, 647, 653, 659, - 661, 673, 677, 683, 691, 701, 709, 719, - 727, 733, 739, 743, 751, 757, 761, 769, - 773, 787, 797, 809, 811, 821, 823, 827, - 829, 839, 853, 857, 859, 863, 877, 881, - 883, 887, 907, 911, 919, 929, 937, 941, - 947, 953, 967, 971, 977, 983, 991, 997, - 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, - 1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097, - 1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163, - 1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223, - 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, - 1289, 1291, 1297, 1301, 1303, 1307, 1319, 1321, - 1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423, - 1427, 1429, 1433, 1439, 1447, 1451, 1453, 1459, - 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, - 1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571, - 1579, 1583, 1597, 1601, 1607, 1609, 1613, 1619, - 1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693, - 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, - 1753, 1759, 1777, 1783, 1787, 1789, 1801, 1811, - 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877, - 1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949, - 1951, 1973, 1979, 1987, 1993, 1997, 1999, 2003, - 2011, 2017, 2027, 2029, 2039, 2053, 2063, 2069, - 2081, 2083, 2087, 2089, 2099, 2111, 2113, 2129, - 2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203, - 2207, 
2213, 2221, 2237, 2239, 2243, 2251, 2267, - 2269, 2273, 2281, 2287, 2293, 2297, 2309, 2311, - 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377, - 2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423, - 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, - 2521, 2531, 2539, 2543, 2549, 2551, 2557, 2579, - 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, - 2659, 2663, 2671, 2677, 2683, 2687, 2689, 2693, - 2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741, - 2749, 2753, 2767, 2777, 2789, 2791, 2797, 2801, - 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, - 2879, 2887, 2897, 2903, 2909, 2917, 2927, 2939, - 2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011, - 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079, - 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, - 3169, 3181, 3187, 3191, 3203, 3209, 3217, 3221, - 3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301, - 3307, 3313, 3319, 3323, 3329, 3331, 3343, 3347, - 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413, - 3433, 3449, 3457, 3461, 3463, 3467, 3469, 3491, - 3499, 3511, 3517, 3527, 3529, 3533, 3539, 3541, - 3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607, - 3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671, - 3673, 3677, 3691, 3697, 3701, 3709, 3719, 3727, - 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797, - 3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863, - 3877, 3881, 3889, 3907, 3911, 3917, 3919, 3923, - 3929, 3931, 3943, 3947, 3967, 3989, 4001, 4003, - 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, - 4073, 4079, 4091, 4093, 4099, 4111, 4127, 4129, - 4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211, - 4217, 4219, 4229, 4231, 4241, 4243, 4253, 4259, - 4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337, - 4339, 4349, 4357, 4363, 4373, 4391, 4397, 4409, - 4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481, - 4483, 4493, 4507, 4513, 4517, 4519, 4523, 4547, - 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621, - 4637, 4639, 4643, 4649, 4651, 4657, 4663, 4673, - 4679, 4691, 4703, 4721, 4723, 4729, 4733, 4751, - 4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813, - 4817, 
4831, 4861, 4871, 4877, 4889, 4903, 4909, - 4919, 4931, 4933, 4937, 4943, 4951, 4957, 4967, - 4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011, - 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087, - 5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167, - 5171, 5179, 5189, 5197, 5209, 5227, 5231, 5233, - 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309, - 5323, 5333, 5347, 5351, 5381, 5387, 5393, 5399, - 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443, - 5449, 5471, 5477, 5479, 5483, 5501, 5503, 5507, - 5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573, - 5581, 5591, 5623, 5639, 5641, 5647, 5651, 5653, - 5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711, - 5717, 5737, 5741, 5743, 5749, 5779, 5783, 5791, - 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, - 5851, 5857, 5861, 5867, 5869, 5879, 5881, 5897, - 5903, 5923, 5927, 5939, 5953, 5981, 5987, 6007, - 6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073, - 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, - 6143, 6151, 6163, 6173, 6197, 6199, 6203, 6211, - 6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271, - 6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329, - 6337, 6343, 6353, 6359, 6361, 6367, 6373, 6379, - 6389, 6397, 6421, 6427, 6449, 6451, 6469, 6473, - 6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563, - 6569, 6571, 6577, 6581, 6599, 6607, 6619, 6637, - 6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701, - 6703, 6709, 6719, 6733, 6737, 6761, 6763, 6779, - 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833, - 6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907, - 6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971, - 6977, 6983, 6991, 6997, 7001, 7013, 7019, 7027, - 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121, - 7127, 7129, 7151, 7159, 7177, 7187, 7193, 7207, - 7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253, - 7283, 7297, 7307, 7309, 7321, 7331, 7333, 7349, - 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, - 7459, 7477, 7481, 7487, 7489, 7499, 7507, 7517, - 7523, 7529, 7537, 7541, 7547, 7549, 7559, 7561, - 7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621, - 7639, 
7643, 7649, 7669, 7673, 7681, 7687, 7691, - 7699, 7703, 7717, 7723, 7727, 7741, 7753, 7757, - 7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853, - 7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919, - 7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009, - 8011, 8017, 8039, 8053, 8059, 8069, 8081, 8087, - 8089, 8093, 8101, 8111, 8117, 8123, 8147, 8161, - 8167, 8171, 8179, 8191, 8209, 8219, 8221, 8231, - 8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291, - 8293, 8297, 8311, 8317, 8329, 8353, 8363, 8369, - 8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443, - 8447, 8461, 8467, 8501, 8513, 8521, 8527, 8537, - 8539, 8543, 8563, 8573, 8581, 8597, 8599, 8609, - 8623, 8627, 8629, 8641, 8647, 8663, 8669, 8677, - 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, - 8737, 8741, 8747, 8753, 8761, 8779, 8783, 8803, - 8807, 8819, 8821, 8831, 8837, 8839, 8849, 8861, - 8863, 8867, 8887, 8893, 8923, 8929, 8933, 8941, - 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, - 9013, 9029, 9041, 9043, 9049, 9059, 9067, 9091, - 9103, 9109, 9127, 9133, 9137, 9151, 9157, 9161, - 9173, 9181, 9187, 9199, 9203, 9209, 9221, 9227, - 9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311, - 9319, 9323, 9337, 9341, 9343, 9349, 9371, 9377, - 9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433, - 9437, 9439, 9461, 9463, 9467, 9473, 9479, 9491, - 9497, 9511, 9521, 9533, 9539, 9547, 9551, 9587, - 9601, 9613, 9619, 9623, 9629, 9631, 9643, 9649, - 9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733, - 9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791, - 9803, 9811, 9817, 9829, 9833, 9839, 9851, 9857, - 9859, 9871, 9883, 9887, 9901, 9907, 9923, 9929, - 9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037, - 10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099, - 10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163, - 10169, 10177, 10181, 10193, 10211, 10223, 10243, 10247, - 10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303, - 10313, 10321, 10331, 10333, 10337, 10343, 10357, 10369, - 10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459, - 
10463, 10477, 10487, 10499, 10501, 10513, 10529, 10531, - 10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627, - 10631, 10639, 10651, 10657, 10663, 10667, 10687, 10691, - 10709, 10711, 10723, 10729, 10733, 10739, 10753, 10771, - 10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859, - 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, - 10939, 10949, 10957, 10973, 10979, 10987, 10993, 11003, - 11027, 11047, 11057, 11059, 11069, 11071, 11083, 11087, - 11093, 11113, 11117, 11119, 11131, 11149, 11159, 11161, - 11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251, - 11257, 11261, 11273, 11279, 11287, 11299, 11311, 11317, - 11321, 11329, 11351, 11353, 11369, 11383, 11393, 11399, - 11411, 11423, 11437, 11443, 11447, 11467, 11471, 11483, - 11489, 11491, 11497, 11503, 11519, 11527, 11549, 11551, - 11579, 11587, 11593, 11597, 11617, 11621, 11633, 11657, - 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731, - 11743, 11777, 11779, 11783, 11789, 11801, 11807, 11813, - 11821, 11827, 11831, 11833, 11839, 11863, 11867, 11887, - 11897, 11903, 11909, 11923, 11927, 11933, 11939, 11941, - 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, - 12037, 12041, 12043, 12049, 12071, 12073, 12097, 12101, - 12107, 12109, 12113, 12119, 12143, 12149, 12157, 12161, - 12163, 12197, 12203, 12211, 12227, 12239, 12241, 12251, - 12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323, - 12329, 12343, 12347, 12373, 12377, 12379, 12391, 12401, - 12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473, - 12479, 12487, 12491, 12497, 12503, 12511, 12517, 12527, - 12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589, - 12601, 12611, 12613, 12619, 12637, 12641, 12647, 12653, - 12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739, - 12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821, - 12823, 12829, 12841, 12853, 12889, 12893, 12899, 12907, - 12911, 12917, 12919, 12923, 12941, 12953, 12959, 12967, - 12973, 12979, 12983, 13001, 13003, 13007, 13009, 13033, - 13037, 13043, 13049, 13063, 
13093, 13099, 13103, 13109, - 13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177, - 13183, 13187, 13217, 13219, 13229, 13241, 13249, 13259, - 13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337, - 13339, 13367, 13381, 13397, 13399, 13411, 13417, 13421, - 13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499, - 13513, 13523, 13537, 13553, 13567, 13577, 13591, 13597, - 13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681, - 13687, 13691, 13693, 13697, 13709, 13711, 13721, 13723, - 13729, 13751, 13757, 13759, 13763, 13781, 13789, 13799, - 13807, 13829, 13831, 13841, 13859, 13873, 13877, 13879, - 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, - 13963, 13967, 13997, 13999, 14009, 14011, 14029, 14033, - 14051, 14057, 14071, 14081, 14083, 14087, 14107, 14143, - 14149, 14153, 14159, 14173, 14177, 14197, 14207, 14221, - 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, - 14327, 14341, 14347, 14369, 14387, 14389, 14401, 14407, - 14411, 14419, 14423, 14431, 14437, 14447, 14449, 14461, - 14479, 14489, 14503, 14519, 14533, 14537, 14543, 14549, - 14551, 14557, 14561, 14563, 14591, 14593, 14621, 14627, - 14629, 14633, 14639, 14653, 14657, 14669, 14683, 14699, - 14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753, - 14759, 14767, 14771, 14779, 14783, 14797, 14813, 14821, - 14827, 14831, 14843, 14851, 14867, 14869, 14879, 14887, - 14891, 14897, 14923, 14929, 14939, 14947, 14951, 14957, - 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073, - 15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137, - 15139, 15149, 15161, 15173, 15187, 15193, 15199, 15217, - 15227, 15233, 15241, 15259, 15263, 15269, 15271, 15277, - 15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331, - 15349, 15359, 15361, 15373, 15377, 15383, 15391, 15401, - 15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473, - 15493, 15497, 15511, 15527, 15541, 15551, 15559, 15569, - 15581, 15583, 15601, 15607, 15619, 15629, 15641, 15643, - 15647, 15649, 15661, 15667, 15671, 15679, 15683, 15727, 
- 15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773, - 15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859, - 15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919, - 15923, 15937, 15959, 15971, 15973, 15991, 16001, 16007, - 16033, 16057, 16061, 16063, 16067, 16069, 16073, 16087, - 16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183, - 16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249, - 16253, 16267, 16273, 16301, 16319, 16333, 16339, 16349, - 16361, 16363, 16369, 16381, 16411, 16417, 16421, 16427, - 16433, 16447, 16451, 16453, 16477, 16481, 16487, 16493, - 16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603, - 16607, 16619, 16631, 16633, 16649, 16651, 16657, 16661, - 16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747, - 16759, 16763, 16787, 16811, 16823, 16829, 16831, 16843, - 16871, 16879, 16883, 16889, 16901, 16903, 16921, 16927, - 16931, 16937, 16943, 16963, 16979, 16981, 16987, 16993, - 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, - 17077, 17093, 17099, 17107, 17117, 17123, 17137, 17159, - 17167, 17183, 17189, 17191, 17203, 17207, 17209, 17231, - 17239, 17257, 17291, 17293, 17299, 17317, 17321, 17327, - 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, - 17393, 17401, 17417, 17419, 17431, 17443, 17449, 17467, - 17471, 17477, 17483, 17489, 17491, 17497, 17509, 17519, - 17539, 17551, 17569, 17573, 17579, 17581, 17597, 17599, - 17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683, - 17707, 17713, 17729, 17737, 17747, 17749, 17761, 17783, - 17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863, -}; + +extern const uint16_t primes[NUMPRIMES]; __END_HIDDEN_DECLS diff --git a/crypto/bn/bn_print.c b/crypto/bn/bn_print.c deleted file mode 100644 index 9b5c753..0000000 --- a/crypto/bn/bn_print.c +++ /dev/null 
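Review bot: The new `extern const uint16_t primes[NUMPRIMES];` declaration carries no description of the table it replaces, and the removed header's `Auto generated by bn_prime.pl` provenance note disappears with it; callers in bn_prime.c start their loops at i = 1 to skip 2 and compute `maxdelta` from `primes[NUMPRIMES - 1]`, which only reads correctly if the ordering is documented at the declaration. A one-line comment suffices: `/* The first NUMPRIMES primes in increasing order; primes[0] == 2, primes[NUMPRIMES - 1] == 17863. */`, matching the removed table. Whether the definition that now lives elsewhere is still produced by the same generator script is not visible in this diff.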
@@ -1,413 +0,0 @@ -/* $OpenBSD: bn_print.c,v 1.33 2022/01/20 10:53:33 inoguchi Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#include -#include -#include - -#include - -#include -#include -#include - -#include "bn_lcl.h" - -static const char Hex[]="0123456789ABCDEF"; - -/* Must 'free' the returned data */ -char * -BN_bn2hex(const BIGNUM *a) -{ - int i, j, v, z = 0; - char *buf; - char *p; - - buf = malloc(BN_is_negative(a) + a->top * BN_BYTES * 2 + 2); - if (buf == NULL) { - BNerror(ERR_R_MALLOC_FAILURE); - goto err; - } - p = buf; - if (BN_is_negative(a)) - *p++ = '-'; - if (BN_is_zero(a)) - *p++ = '0'; - for (i = a->top - 1; i >=0; i--) { - for (j = BN_BITS2 - 8; j >= 0; j -= 8) { - /* strip leading zeros */ - v = ((int)(a->d[i] >> (long)j)) & 0xff; - if (z || (v != 0)) { - *p++ = Hex[v >> 4]; - *p++ = Hex[v & 0x0f]; - z = 1; - } - } - } - *p = '\0'; - -err: - return (buf); -} - -/* Must 'free' the returned data */ -char * -BN_bn2dec(const BIGNUM *a) -{ - int i = 0, num, bn_data_num, ok = 0; - char *buf = NULL; - char *p; - BIGNUM *t = NULL; - BN_ULONG *bn_data = NULL, *lp; - - if (BN_is_zero(a)) { - buf = malloc(BN_is_negative(a) + 2); - if (buf == NULL) { - BNerror(ERR_R_MALLOC_FAILURE); - goto err; - } - p = buf; - if (BN_is_negative(a)) - *p++ = '-'; - *p++ = '0'; - *p++ = '\0'; - return (buf); - } - - /* get an upper bound for the length of the decimal integer - * num <= (BN_num_bits(a) + 1) * log(2) - * <= 3 * BN_num_bits(a) * 0.1001 + log(2) + 1 (rounding error) - * <= BN_num_bits(a)/10 + BN_num_bits/1000 + 1 + 1 - */ - i = BN_num_bits(a) * 3; - num = (i / 10 + i / 1000 + 1) + 1; - bn_data_num = num / BN_DEC_NUM + 1; - bn_data = reallocarray(NULL, bn_data_num, sizeof(BN_ULONG)); - buf = malloc(num + 3); - if ((buf == NULL) || (bn_data == NULL)) { - BNerror(ERR_R_MALLOC_FAILURE); - goto err; - } - if ((t = BN_dup(a)) == NULL) - goto err; - -#define BUF_REMAIN (num+3 - (size_t)(p - buf)) - p = buf; - lp = bn_data; - if (BN_is_negative(t)) - *p++ = '-'; - - while (!BN_is_zero(t)) { - if (lp - bn_data >= bn_data_num) - goto err; - *lp = BN_div_word(t, BN_DEC_CONV); - if (*lp 
== (BN_ULONG)-1) - goto err; - lp++; - } - lp--; - /* We now have a series of blocks, BN_DEC_NUM chars - * in length, where the last one needs truncation. - * The blocks need to be reversed in order. */ - snprintf(p, BUF_REMAIN, BN_DEC_FMT1, *lp); - while (*p) - p++; - while (lp != bn_data) { - lp--; - snprintf(p, BUF_REMAIN, BN_DEC_FMT2, *lp); - while (*p) - p++; - } - ok = 1; - -err: - free(bn_data); - BN_free(t); - if (!ok && buf) { - free(buf); - buf = NULL; - } - - return (buf); -} - -int -BN_hex2bn(BIGNUM **bn, const char *a) -{ - BIGNUM *ret = NULL; - BN_ULONG l = 0; - int neg = 0, h, m, i,j, k, c; - int num; - - if ((a == NULL) || (*a == '\0')) - return (0); - - if (*a == '-') { - neg = 1; - a++; - } - - for (i = 0; i <= (INT_MAX / 4) && isxdigit((unsigned char)a[i]); i++) - ; - if (i > INT_MAX / 4) - goto err; - - num = i + neg; - if (bn == NULL) - return (num); - - /* a is the start of the hex digits, and it is 'i' long */ - if (*bn == NULL) { - if ((ret = BN_new()) == NULL) - return (0); - } else { - ret = *bn; - BN_zero(ret); - } - - /* i is the number of hex digits */ - if (bn_expand(ret, i * 4) == NULL) - goto err; - - j = i; /* least significant 'hex' */ - m = 0; - h = 0; - while (j > 0) { - m = ((BN_BYTES * 2) <= j) ? 
(BN_BYTES * 2) : j; - l = 0; - for (;;) { - c = a[j - m]; - if ((c >= '0') && (c <= '9')) - k = c - '0'; - else if ((c >= 'a') && (c <= 'f')) - k = c - 'a' + 10; - else if ((c >= 'A') && (c <= 'F')) - k = c - 'A' + 10; - else - k = 0; /* paranoia */ - l = (l << 4) | k; - - if (--m <= 0) { - ret->d[h++] = l; - break; - } - } - j -= (BN_BYTES * 2); - } - ret->top = h; - bn_correct_top(ret); - ret->neg = neg; - - *bn = ret; - bn_check_top(ret); - return (num); - -err: - if (*bn == NULL) - BN_free(ret); - return (0); -} - -int -BN_dec2bn(BIGNUM **bn, const char *a) -{ - BIGNUM *ret = NULL; - BN_ULONG l = 0; - int neg = 0, i, j; - int num; - - if ((a == NULL) || (*a == '\0')) - return (0); - if (*a == '-') { - neg = 1; - a++; - } - - for (i = 0; i <= (INT_MAX / 4) && isdigit((unsigned char)a[i]); i++) - ; - if (i > INT_MAX / 4) - goto err; - - num = i + neg; - if (bn == NULL) - return (num); - - /* a is the start of the digits, and it is 'i' long. - * We chop it into BN_DEC_NUM digits at a time */ - if (*bn == NULL) { - if ((ret = BN_new()) == NULL) - return (0); - } else { - ret = *bn; - BN_zero(ret); - } - - /* i is the number of digits, a bit of an over expand */ - if (bn_expand(ret, i * 4) == NULL) - goto err; - - j = BN_DEC_NUM - (i % BN_DEC_NUM); - if (j == BN_DEC_NUM) - j = 0; - l = 0; - while (*a) { - l *= 10; - l += *a - '0'; - a++; - if (++j == BN_DEC_NUM) { - if (!BN_mul_word(ret, BN_DEC_CONV)) - goto err; - if (!BN_add_word(ret, l)) - goto err; - l = 0; - j = 0; - } - } - ret->neg = neg; - - bn_correct_top(ret); - *bn = ret; - bn_check_top(ret); - return (num); - -err: - if (*bn == NULL) - BN_free(ret); - return (0); -} - -int -BN_asc2bn(BIGNUM **bn, const char *a) -{ - const char *p = a; - if (*p == '-') - p++; - - if (p[0] == '0' && (p[1] == 'X' || p[1] == 'x')) { - if (!BN_hex2bn(bn, p + 2)) - return 0; - } else { - if (!BN_dec2bn(bn, p)) - return 0; - } - if (*a == '-') - (*bn)->neg = 1; - return 1; -} - -#ifndef OPENSSL_NO_BIO -int -BN_print_fp(FILE 
*fp, const BIGNUM *a) -{ - BIO *b; - int ret; - - if ((b = BIO_new(BIO_s_file())) == NULL) - return (0); - BIO_set_fp(b, fp, BIO_NOCLOSE); - ret = BN_print(b, a); - BIO_free(b); - return (ret); -} - -int -BN_print(BIO *bp, const BIGNUM *a) -{ - int i, j, v, z = 0; - int ret = 0; - - if ((a->neg) && (BIO_write(bp, "-", 1) != 1)) - goto end; - if (BN_is_zero(a) && (BIO_write(bp, "0", 1) != 1)) - goto end; - for (i = a->top - 1; i >= 0; i--) { - for (j = BN_BITS2 - 4; j >= 0; j -= 4) { - /* strip leading zeros */ - v = ((int)(a->d[i] >> (long)j)) & 0x0f; - if (z || (v != 0)) { - if (BIO_write(bp, &(Hex[v]), 1) != 1) - goto end; - z = 1; - } - } - } - ret = 1; - -end: - return (ret); -} -#endif - -char * -BN_options(void) -{ - static int init = 0; - static char data[16]; - - if (!init) { - init++; -#ifdef BN_LLONG - snprintf(data,sizeof data, "bn(%d,%d)", - (int)sizeof(BN_ULLONG) * 8, (int)sizeof(BN_ULONG) * 8); -#else - snprintf(data,sizeof data, "bn(%d,%d)", - (int)sizeof(BN_ULONG) * 8, (int)sizeof(BN_ULONG) * 8); -#endif - } - return (data); -} diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index b21692c..a03d700 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_rand.c,v 1.25 2021/08/31 11:19:19 tb Exp $ */ +/* $OpenBSD: bn_rand.c,v 1.27 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -116,7 +116,7 @@ #include -#include "bn_lcl.h" +#include "bn_local.h" static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) @@ -190,7 +190,6 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) err: freezero(buf, bytes); - bn_check_top(rnd); return (ret); } @@ -272,7 +271,6 @@ bn_rand_range(int pseudo, BIGNUM *r, const BIGNUM *range) } while (BN_cmp(r, range) >= 0); } - bn_check_top(r); return 1; } diff --git a/crypto/bn/bn_recp.c b/crypto/bn/bn_recp.c index 6588d33..35390e3 100644 --- a/crypto/bn/bn_recp.c 
+++ b/crypto/bn/bn_recp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_recp.c,v 1.15 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bn_recp.c,v 1.19 2023/03/27 10:25:02 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -60,7 +60,7 @@ #include -#include "bn_lcl.h" +#include "bn_local.h" void BN_RECP_CTX_init(BN_RECP_CTX *recp) @@ -99,7 +99,7 @@ BN_RECP_CTX_free(BN_RECP_CTX *recp) int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *d, BN_CTX *ctx) { - if (!BN_copy(&(recp->N), d)) + if (!bn_copy(&(recp->N), d)) return 0; BN_zero(&(recp->Nr)); recp->num_bits = BN_num_bits(d); @@ -134,7 +134,6 @@ BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y, err: BN_CTX_end(ctx); - bn_check_top(r); return (ret); } @@ -161,7 +160,7 @@ BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, BN_RECP_CTX *recp, if (BN_ucmp(m, &(recp->N)) < 0) { BN_zero(d); - if (!BN_copy(r, m)) { + if (!bn_copy(r, m)) { BN_CTX_end(ctx); return 0; } @@ -222,14 +221,13 @@ BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, BN_RECP_CTX *recp, } #endif - r->neg = BN_is_zero(r) ? 0 : m->neg; - d->neg = m->neg^recp->N.neg; + BN_set_negative(r, m->neg); + BN_set_negative(d, m->neg ^ recp->N.neg); + ret = 1; err: BN_CTX_end(ctx); - bn_check_top(dv); - bn_check_top(rem); return (ret); } @@ -257,7 +255,6 @@ BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx) ret = len; err: - bn_check_top(r); BN_CTX_end(ctx); return (ret); } diff --git a/crypto/bn/bn_shift.c b/crypto/bn/bn_shift.c index 0e8211e..eee3436 100644 --- a/crypto/bn/bn_shift.c +++ b/crypto/bn/bn_shift.c 
@@ -1,218 +1,171 @@ -/* $OpenBSD: bn_shift.c,v 1.13 2014/10/28 07:35:58 jsg Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. +/* $OpenBSD: bn_shift.c,v 1.21 2023/02/13 04:25:37 jsing Exp $ */ +/* + * Copyright (c) 2022, 2023 Joel Sing * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include -#include +#include +#include -#include "bn_lcl.h" +#include "bn_local.h" + +static inline int +bn_lshift(BIGNUM *r, const BIGNUM *a, int n) +{ + size_t count, shift_bits, shift_words; + size_t lshift, rshift; + ssize_t rstride; + BN_ULONG *dst, *src; + + if (n < 0) { + BNerror(BN_R_INVALID_LENGTH); + return 0; + } + shift_bits = n; + + /* + * Left bit shift, potentially across word boundaries. + * + * When shift is not an exact multiple of BN_BITS2, the bottom bits of + * the previous word need to be right shifted and combined with the left + * shifted bits using bitwise OR. If shift is an exact multiple of + * BN_BITS2, the source for the left and right shifts are the same + * and the shifts become zero bits (which is effectively a memmove). + */ + shift_words = shift_bits / BN_BITS2; + lshift = shift_bits % BN_BITS2; + rshift = (BN_BITS2 - lshift) % BN_BITS2; + rstride = 0 - (lshift + rshift) / BN_BITS2; + + if (a->top < 1) { + BN_zero(r); + return 1; + } + + count = a->top + shift_words + 1; + + if (count < shift_words) + return 0; + + if (!bn_wexpand(r, count)) + return 0; + + src = a->d + a->top - 1; + dst = r->d + a->top + shift_words; + + /* Handle right shift for top most word. */ + *dst = (*src >> rshift) & rstride; + dst--; + + /* Handle left shift and right shift for remaining words. */ + while (src > a->d) { + *dst = *src << lshift | src[rstride] >> rshift; + src--; + dst--; + } + *dst = *src << lshift; + + /* Zero any additional words resulting from the left shift. 
*/ + while (dst > r->d) { + dst--; + *dst = 0; + } + + r->top = count; + bn_correct_top(r); + + BN_set_negative(r, a->neg); + + return 1; +} + +static inline int +bn_rshift(BIGNUM *r, const BIGNUM *a, int n) +{ + size_t count, shift_bits, shift_words; + size_t lshift, rshift; + ssize_t lstride; + BN_ULONG *dst, *src; + size_t i; + + if (n < 0) { + BNerror(BN_R_INVALID_LENGTH); + return 0; + } + shift_bits = n; + + /* + * Right bit shift, potentially across word boundaries. + * + * When shift is not an exact multiple of BN_BITS2, the top bits of + * the next word need to be left shifted and combined with the right + * shifted bits using bitwise OR. If shift is an exact multiple of + * BN_BITS2, the source for the left and right shifts are the same + * and the shifts become zero (which is effectively a memmove). + */ + shift_words = shift_bits / BN_BITS2; + rshift = shift_bits % BN_BITS2; + lshift = (BN_BITS2 - rshift) % BN_BITS2; + lstride = (lshift + rshift) / BN_BITS2; + + if (a->top <= shift_words) { + BN_zero(r); + return 1; + } + count = a->top - shift_words; + + if (!bn_wexpand(r, count)) + return 0; + + src = a->d + shift_words; + dst = r->d; + + for (i = 1; i < count; i++) { + *dst = src[lstride] << lshift | *src >> rshift; + src++; + dst++; + } + *dst = *src >> rshift; + + r->top = count; + bn_correct_top(r); + + BN_set_negative(r, a->neg); + + return 1; +} int BN_lshift1(BIGNUM *r, const BIGNUM *a) { - BN_ULONG *ap, *rp, t, c; - int i; - - bn_check_top(r); - bn_check_top(a); - - if (r != a) { - r->neg = a->neg; - if (bn_wexpand(r, a->top + 1) == NULL) - return (0); - r->top = a->top; - } else { - if (bn_wexpand(r, a->top + 1) == NULL) - return (0); - } - ap = a->d; - rp = r->d; - c = 0; - for (i = 0; i < a->top; i++) { - t= *(ap++); - *(rp++) = ((t << 1) | c) & BN_MASK2; - c = (t & BN_TBIT) ? 
1 : 0; - } - if (c) { - *rp = 1; - r->top++; - } - bn_check_top(r); - return (1); -} - -int -BN_rshift1(BIGNUM *r, const BIGNUM *a) -{ - BN_ULONG *ap, *rp, t, c; - int i, j; - - bn_check_top(r); - bn_check_top(a); - - if (BN_is_zero(a)) { - BN_zero(r); - return (1); - } - i = a->top; - ap = a->d; - j = i - (ap[i - 1]==1); - if (a != r) { - if (bn_wexpand(r, j) == NULL) - return (0); - r->neg = a->neg; - } - rp = r->d; - t = ap[--i]; - c = (t & 1) ? BN_TBIT : 0; - if (t >>= 1) - rp[i] = t; - while (i > 0) { - t = ap[--i]; - rp[i] = ((t >> 1) & BN_MASK2) | c; - c = (t & 1) ? BN_TBIT : 0; - } - r->top = j; - bn_check_top(r); - return (1); + return bn_lshift(r, a, 1); } int BN_lshift(BIGNUM *r, const BIGNUM *a, int n) { - int i, nw, lb, rb; - BN_ULONG *t, *f; - BN_ULONG l; + return bn_lshift(r, a, n); +} - bn_check_top(r); - bn_check_top(a); - - r->neg = a->neg; - nw = n / BN_BITS2; - if (bn_wexpand(r, a->top + nw + 1) == NULL) - return (0); - lb = n % BN_BITS2; - rb = BN_BITS2 - lb; - f = a->d; - t = r->d; - t[a->top + nw] = 0; - if (lb == 0) - for (i = a->top - 1; i >= 0; i--) - t[nw + i] = f[i]; - else - for (i = a->top - 1; i >= 0; i--) { - l = f[i]; - t[nw + i + 1] |= (l >> rb) & BN_MASK2; - t[nw + i] = (l << lb) & BN_MASK2; - } - memset(t, 0, nw * sizeof(t[0])); -/* for (i=0; itop = a->top + nw + 1; - bn_correct_top(r); - bn_check_top(r); - return (1); +int +BN_rshift1(BIGNUM *r, const BIGNUM *a) +{ + return bn_rshift(r, a, 1); } int BN_rshift(BIGNUM *r, const BIGNUM *a, int n) { - int i, j, nw, lb, rb; - BN_ULONG *t, *f; - BN_ULONG l, tmp; - - bn_check_top(r); - bn_check_top(a); - - nw = n / BN_BITS2; - rb = n % BN_BITS2; - lb = BN_BITS2 - rb; - if (nw >= a->top || a->top == 0) { - BN_zero(r); - return (1); - } - i = (BN_num_bits(a) - n + (BN_BITS2 - 1)) / BN_BITS2; - if (r != a) { - r->neg = a->neg; - if (bn_wexpand(r, i) == NULL) - return (0); - } else { - if (n == 0) - return 1; /* or the copying loop will go berserk */ - } - - f = &(a->d[nw]); - t = r->d; - 
j = a->top - nw;
- r->top = i;
-
- if (rb == 0) {
- for (i = j; i != 0; i--)
- *(t++) = *(f++);
- } else {
- l = *(f++);
- for (i = j - 1; i != 0; i--) {
- tmp = (l >> rb) & BN_MASK2;
- l = *(f++);
- *(t++) = (tmp|(l << lb)) & BN_MASK2;
- }
- if ((l = (l >> rb) & BN_MASK2))
- *(t) = l;
- }
- bn_check_top(r);
- return (1);
+ return bn_rshift(r, a, n);
 }
diff --git a/crypto/bn/bn_small_primes.c b/crypto/bn/bn_small_primes.c
new file mode 100644
index 0000000..bfb7903
--- /dev/null
+++ b/crypto/bn/bn_small_primes.c
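Review bot: In bn_lshift, `if (count < shift_words) return 0;` only catches size_t wrap-around; with `n` bounded by INT_MAX the sum `a->top + shift_words + 1` cannot wrap, but it can exceed INT_MAX, and `count` is then narrowed when handed to bn_wexpand(), which took an int word count in the removed code (`bn_wexpand(r, a->top + nw + 1)`), and this failure path sets no error unlike the `n < 0` branch. If that signature still holds I would make the check `if (count < shift_words || count > INT_MAX) { BNerror(BN_R_INVALID_LENGTH); return 0; }` (adding `#include <limits.h>` if it is not already among the includes). The sign trick on `rstride` also deserves a comment above `rstride = 0 - (lshift + rshift) / BN_BITS2;`, e.g. `/* -1 when the shift straddles words (src[rstride] is the word below, & rstride keeps the spill), 0 otherwise */`, with a matching note on `lstride` in bn_rshift.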
@@ -0,0 +1,265 @@ +/* $OpenBSD: bn_small_primes.c,v 1.1 2022/11/09 22:52:51 tb Exp $ */ +/* + * Public domain, generated by bn_prime.pl. + */ + +#include "bn_prime.h" + +const uint16_t primes[NUMPRIMES] = { + 2, 3, 5, 7, 11, 13, 17, 19, + 23, 29, 31, 37, 41, 43, 47, 53, + 59, 61, 67, 71, 73, 79, 83, 89, + 97, 101, 103, 107, 109, 113, 127, 131, + 137, 139, 149, 151, 157, 163, 167, 173, + 179, 181, 191, 193, 197, 199, 211, 223, + 227, 229, 233, 239, 241, 251, 257, 263, + 269, 271, 277, 281, 283, 293, 307, 311, + 313, 317, 331, 337, 347, 349, 353, 359, + 367, 373, 379, 383, 389, 397, 401, 409, + 419, 421, 431, 433, 439, 443, 449, 457, + 461, 463, 467, 479, 487, 491, 499, 503, + 509, 521, 523, 541, 547, 557, 563, 569, + 571, 577, 587, 593, 599, 601, 607, 613, + 617, 619, 631, 641, 643, 647, 653, 659, + 661, 673, 677, 683, 691, 701, 709, 719, + 727, 733, 739, 743, 751, 757, 761, 769, + 773, 787, 797, 809, 811, 821, 823, 827, + 829, 839, 853, 857, 859, 863, 877, 881, + 883, 887, 907, 911, 919, 929, 937, 941, + 947, 953, 967, 971, 977, 983, 991, 997, + 1009, 1013, 1019, 1021, 1031, 1033, 1039, 1049, + 1051, 1061, 1063, 1069, 1087, 1091, 1093, 1097, + 1103, 1109, 1117, 1123, 1129, 1151, 1153, 1163, + 1171, 1181, 1187, 1193, 1201, 1213, 1217, 1223, + 1229, 1231, 1237, 1249, 1259, 1277, 1279, 1283, + 1289, 1291, 1297, 1301, 1303, 1307, 1319, 1321, + 1327, 1361, 1367, 1373, 1381, 1399, 1409, 1423, + 1427, 1429, 1433, 1439, 1447, 1451, 1453, 1459, + 1471, 1481, 1483, 1487, 1489, 1493, 1499, 1511, + 1523, 1531, 1543, 1549, 1553, 1559, 1567, 1571, + 1579, 1583, 1597, 1601, 1607, 1609, 1613, 1619, + 1621, 1627, 1637, 1657, 1663, 1667, 1669, 1693, + 1697, 1699, 1709, 1721, 1723, 1733, 1741, 1747, + 1753, 1759, 1777, 1783, 1787, 1789, 1801, 1811, + 1823, 1831, 1847, 1861, 1867, 1871, 1873, 1877, + 1879, 1889, 1901, 1907, 1913, 1931, 1933, 1949, + 1951, 1973, 1979, 1987, 1993, 1997, 1999, 2003, + 2011, 2017, 2027, 2029, 2039, 2053, 2063, 2069, + 2081, 2083, 2087, 2089, 2099, 2111, 
2113, 2129, + 2131, 2137, 2141, 2143, 2153, 2161, 2179, 2203, + 2207, 2213, 2221, 2237, 2239, 2243, 2251, 2267, + 2269, 2273, 2281, 2287, 2293, 2297, 2309, 2311, + 2333, 2339, 2341, 2347, 2351, 2357, 2371, 2377, + 2381, 2383, 2389, 2393, 2399, 2411, 2417, 2423, + 2437, 2441, 2447, 2459, 2467, 2473, 2477, 2503, + 2521, 2531, 2539, 2543, 2549, 2551, 2557, 2579, + 2591, 2593, 2609, 2617, 2621, 2633, 2647, 2657, + 2659, 2663, 2671, 2677, 2683, 2687, 2689, 2693, + 2699, 2707, 2711, 2713, 2719, 2729, 2731, 2741, + 2749, 2753, 2767, 2777, 2789, 2791, 2797, 2801, + 2803, 2819, 2833, 2837, 2843, 2851, 2857, 2861, + 2879, 2887, 2897, 2903, 2909, 2917, 2927, 2939, + 2953, 2957, 2963, 2969, 2971, 2999, 3001, 3011, + 3019, 3023, 3037, 3041, 3049, 3061, 3067, 3079, + 3083, 3089, 3109, 3119, 3121, 3137, 3163, 3167, + 3169, 3181, 3187, 3191, 3203, 3209, 3217, 3221, + 3229, 3251, 3253, 3257, 3259, 3271, 3299, 3301, + 3307, 3313, 3319, 3323, 3329, 3331, 3343, 3347, + 3359, 3361, 3371, 3373, 3389, 3391, 3407, 3413, + 3433, 3449, 3457, 3461, 3463, 3467, 3469, 3491, + 3499, 3511, 3517, 3527, 3529, 3533, 3539, 3541, + 3547, 3557, 3559, 3571, 3581, 3583, 3593, 3607, + 3613, 3617, 3623, 3631, 3637, 3643, 3659, 3671, + 3673, 3677, 3691, 3697, 3701, 3709, 3719, 3727, + 3733, 3739, 3761, 3767, 3769, 3779, 3793, 3797, + 3803, 3821, 3823, 3833, 3847, 3851, 3853, 3863, + 3877, 3881, 3889, 3907, 3911, 3917, 3919, 3923, + 3929, 3931, 3943, 3947, 3967, 3989, 4001, 4003, + 4007, 4013, 4019, 4021, 4027, 4049, 4051, 4057, + 4073, 4079, 4091, 4093, 4099, 4111, 4127, 4129, + 4133, 4139, 4153, 4157, 4159, 4177, 4201, 4211, + 4217, 4219, 4229, 4231, 4241, 4243, 4253, 4259, + 4261, 4271, 4273, 4283, 4289, 4297, 4327, 4337, + 4339, 4349, 4357, 4363, 4373, 4391, 4397, 4409, + 4421, 4423, 4441, 4447, 4451, 4457, 4463, 4481, + 4483, 4493, 4507, 4513, 4517, 4519, 4523, 4547, + 4549, 4561, 4567, 4583, 4591, 4597, 4603, 4621, + 4637, 4639, 4643, 4649, 4651, 4657, 4663, 4673, + 4679, 4691, 4703, 4721, 4723, 4729, 
4733, 4751, + 4759, 4783, 4787, 4789, 4793, 4799, 4801, 4813, + 4817, 4831, 4861, 4871, 4877, 4889, 4903, 4909, + 4919, 4931, 4933, 4937, 4943, 4951, 4957, 4967, + 4969, 4973, 4987, 4993, 4999, 5003, 5009, 5011, + 5021, 5023, 5039, 5051, 5059, 5077, 5081, 5087, + 5099, 5101, 5107, 5113, 5119, 5147, 5153, 5167, + 5171, 5179, 5189, 5197, 5209, 5227, 5231, 5233, + 5237, 5261, 5273, 5279, 5281, 5297, 5303, 5309, + 5323, 5333, 5347, 5351, 5381, 5387, 5393, 5399, + 5407, 5413, 5417, 5419, 5431, 5437, 5441, 5443, + 5449, 5471, 5477, 5479, 5483, 5501, 5503, 5507, + 5519, 5521, 5527, 5531, 5557, 5563, 5569, 5573, + 5581, 5591, 5623, 5639, 5641, 5647, 5651, 5653, + 5657, 5659, 5669, 5683, 5689, 5693, 5701, 5711, + 5717, 5737, 5741, 5743, 5749, 5779, 5783, 5791, + 5801, 5807, 5813, 5821, 5827, 5839, 5843, 5849, + 5851, 5857, 5861, 5867, 5869, 5879, 5881, 5897, + 5903, 5923, 5927, 5939, 5953, 5981, 5987, 6007, + 6011, 6029, 6037, 6043, 6047, 6053, 6067, 6073, + 6079, 6089, 6091, 6101, 6113, 6121, 6131, 6133, + 6143, 6151, 6163, 6173, 6197, 6199, 6203, 6211, + 6217, 6221, 6229, 6247, 6257, 6263, 6269, 6271, + 6277, 6287, 6299, 6301, 6311, 6317, 6323, 6329, + 6337, 6343, 6353, 6359, 6361, 6367, 6373, 6379, + 6389, 6397, 6421, 6427, 6449, 6451, 6469, 6473, + 6481, 6491, 6521, 6529, 6547, 6551, 6553, 6563, + 6569, 6571, 6577, 6581, 6599, 6607, 6619, 6637, + 6653, 6659, 6661, 6673, 6679, 6689, 6691, 6701, + 6703, 6709, 6719, 6733, 6737, 6761, 6763, 6779, + 6781, 6791, 6793, 6803, 6823, 6827, 6829, 6833, + 6841, 6857, 6863, 6869, 6871, 6883, 6899, 6907, + 6911, 6917, 6947, 6949, 6959, 6961, 6967, 6971, + 6977, 6983, 6991, 6997, 7001, 7013, 7019, 7027, + 7039, 7043, 7057, 7069, 7079, 7103, 7109, 7121, + 7127, 7129, 7151, 7159, 7177, 7187, 7193, 7207, + 7211, 7213, 7219, 7229, 7237, 7243, 7247, 7253, + 7283, 7297, 7307, 7309, 7321, 7331, 7333, 7349, + 7351, 7369, 7393, 7411, 7417, 7433, 7451, 7457, + 7459, 7477, 7481, 7487, 7489, 7499, 7507, 7517, + 7523, 7529, 7537, 7541, 7547, 7549, 
7559, 7561, + 7573, 7577, 7583, 7589, 7591, 7603, 7607, 7621, + 7639, 7643, 7649, 7669, 7673, 7681, 7687, 7691, + 7699, 7703, 7717, 7723, 7727, 7741, 7753, 7757, + 7759, 7789, 7793, 7817, 7823, 7829, 7841, 7853, + 7867, 7873, 7877, 7879, 7883, 7901, 7907, 7919, + 7927, 7933, 7937, 7949, 7951, 7963, 7993, 8009, + 8011, 8017, 8039, 8053, 8059, 8069, 8081, 8087, + 8089, 8093, 8101, 8111, 8117, 8123, 8147, 8161, + 8167, 8171, 8179, 8191, 8209, 8219, 8221, 8231, + 8233, 8237, 8243, 8263, 8269, 8273, 8287, 8291, + 8293, 8297, 8311, 8317, 8329, 8353, 8363, 8369, + 8377, 8387, 8389, 8419, 8423, 8429, 8431, 8443, + 8447, 8461, 8467, 8501, 8513, 8521, 8527, 8537, + 8539, 8543, 8563, 8573, 8581, 8597, 8599, 8609, + 8623, 8627, 8629, 8641, 8647, 8663, 8669, 8677, + 8681, 8689, 8693, 8699, 8707, 8713, 8719, 8731, + 8737, 8741, 8747, 8753, 8761, 8779, 8783, 8803, + 8807, 8819, 8821, 8831, 8837, 8839, 8849, 8861, + 8863, 8867, 8887, 8893, 8923, 8929, 8933, 8941, + 8951, 8963, 8969, 8971, 8999, 9001, 9007, 9011, + 9013, 9029, 9041, 9043, 9049, 9059, 9067, 9091, + 9103, 9109, 9127, 9133, 9137, 9151, 9157, 9161, + 9173, 9181, 9187, 9199, 9203, 9209, 9221, 9227, + 9239, 9241, 9257, 9277, 9281, 9283, 9293, 9311, + 9319, 9323, 9337, 9341, 9343, 9349, 9371, 9377, + 9391, 9397, 9403, 9413, 9419, 9421, 9431, 9433, + 9437, 9439, 9461, 9463, 9467, 9473, 9479, 9491, + 9497, 9511, 9521, 9533, 9539, 9547, 9551, 9587, + 9601, 9613, 9619, 9623, 9629, 9631, 9643, 9649, + 9661, 9677, 9679, 9689, 9697, 9719, 9721, 9733, + 9739, 9743, 9749, 9767, 9769, 9781, 9787, 9791, + 9803, 9811, 9817, 9829, 9833, 9839, 9851, 9857, + 9859, 9871, 9883, 9887, 9901, 9907, 9923, 9929, + 9931, 9941, 9949, 9967, 9973, 10007, 10009, 10037, + 10039, 10061, 10067, 10069, 10079, 10091, 10093, 10099, + 10103, 10111, 10133, 10139, 10141, 10151, 10159, 10163, + 10169, 10177, 10181, 10193, 10211, 10223, 10243, 10247, + 10253, 10259, 10267, 10271, 10273, 10289, 10301, 10303, + 10313, 10321, 10331, 10333, 10337, 10343, 10357, 
10369, + 10391, 10399, 10427, 10429, 10433, 10453, 10457, 10459, + 10463, 10477, 10487, 10499, 10501, 10513, 10529, 10531, + 10559, 10567, 10589, 10597, 10601, 10607, 10613, 10627, + 10631, 10639, 10651, 10657, 10663, 10667, 10687, 10691, + 10709, 10711, 10723, 10729, 10733, 10739, 10753, 10771, + 10781, 10789, 10799, 10831, 10837, 10847, 10853, 10859, + 10861, 10867, 10883, 10889, 10891, 10903, 10909, 10937, + 10939, 10949, 10957, 10973, 10979, 10987, 10993, 11003, + 11027, 11047, 11057, 11059, 11069, 11071, 11083, 11087, + 11093, 11113, 11117, 11119, 11131, 11149, 11159, 11161, + 11171, 11173, 11177, 11197, 11213, 11239, 11243, 11251, + 11257, 11261, 11273, 11279, 11287, 11299, 11311, 11317, + 11321, 11329, 11351, 11353, 11369, 11383, 11393, 11399, + 11411, 11423, 11437, 11443, 11447, 11467, 11471, 11483, + 11489, 11491, 11497, 11503, 11519, 11527, 11549, 11551, + 11579, 11587, 11593, 11597, 11617, 11621, 11633, 11657, + 11677, 11681, 11689, 11699, 11701, 11717, 11719, 11731, + 11743, 11777, 11779, 11783, 11789, 11801, 11807, 11813, + 11821, 11827, 11831, 11833, 11839, 11863, 11867, 11887, + 11897, 11903, 11909, 11923, 11927, 11933, 11939, 11941, + 11953, 11959, 11969, 11971, 11981, 11987, 12007, 12011, + 12037, 12041, 12043, 12049, 12071, 12073, 12097, 12101, + 12107, 12109, 12113, 12119, 12143, 12149, 12157, 12161, + 12163, 12197, 12203, 12211, 12227, 12239, 12241, 12251, + 12253, 12263, 12269, 12277, 12281, 12289, 12301, 12323, + 12329, 12343, 12347, 12373, 12377, 12379, 12391, 12401, + 12409, 12413, 12421, 12433, 12437, 12451, 12457, 12473, + 12479, 12487, 12491, 12497, 12503, 12511, 12517, 12527, + 12539, 12541, 12547, 12553, 12569, 12577, 12583, 12589, + 12601, 12611, 12613, 12619, 12637, 12641, 12647, 12653, + 12659, 12671, 12689, 12697, 12703, 12713, 12721, 12739, + 12743, 12757, 12763, 12781, 12791, 12799, 12809, 12821, + 12823, 12829, 12841, 12853, 12889, 12893, 12899, 12907, + 12911, 12917, 12919, 12923, 12941, 12953, 12959, 12967, + 12973, 12979, 
12983, 13001, 13003, 13007, 13009, 13033, + 13037, 13043, 13049, 13063, 13093, 13099, 13103, 13109, + 13121, 13127, 13147, 13151, 13159, 13163, 13171, 13177, + 13183, 13187, 13217, 13219, 13229, 13241, 13249, 13259, + 13267, 13291, 13297, 13309, 13313, 13327, 13331, 13337, + 13339, 13367, 13381, 13397, 13399, 13411, 13417, 13421, + 13441, 13451, 13457, 13463, 13469, 13477, 13487, 13499, + 13513, 13523, 13537, 13553, 13567, 13577, 13591, 13597, + 13613, 13619, 13627, 13633, 13649, 13669, 13679, 13681, + 13687, 13691, 13693, 13697, 13709, 13711, 13721, 13723, + 13729, 13751, 13757, 13759, 13763, 13781, 13789, 13799, + 13807, 13829, 13831, 13841, 13859, 13873, 13877, 13879, + 13883, 13901, 13903, 13907, 13913, 13921, 13931, 13933, + 13963, 13967, 13997, 13999, 14009, 14011, 14029, 14033, + 14051, 14057, 14071, 14081, 14083, 14087, 14107, 14143, + 14149, 14153, 14159, 14173, 14177, 14197, 14207, 14221, + 14243, 14249, 14251, 14281, 14293, 14303, 14321, 14323, + 14327, 14341, 14347, 14369, 14387, 14389, 14401, 14407, + 14411, 14419, 14423, 14431, 14437, 14447, 14449, 14461, + 14479, 14489, 14503, 14519, 14533, 14537, 14543, 14549, + 14551, 14557, 14561, 14563, 14591, 14593, 14621, 14627, + 14629, 14633, 14639, 14653, 14657, 14669, 14683, 14699, + 14713, 14717, 14723, 14731, 14737, 14741, 14747, 14753, + 14759, 14767, 14771, 14779, 14783, 14797, 14813, 14821, + 14827, 14831, 14843, 14851, 14867, 14869, 14879, 14887, + 14891, 14897, 14923, 14929, 14939, 14947, 14951, 14957, + 14969, 14983, 15013, 15017, 15031, 15053, 15061, 15073, + 15077, 15083, 15091, 15101, 15107, 15121, 15131, 15137, + 15139, 15149, 15161, 15173, 15187, 15193, 15199, 15217, + 15227, 15233, 15241, 15259, 15263, 15269, 15271, 15277, + 15287, 15289, 15299, 15307, 15313, 15319, 15329, 15331, + 15349, 15359, 15361, 15373, 15377, 15383, 15391, 15401, + 15413, 15427, 15439, 15443, 15451, 15461, 15467, 15473, + 15493, 15497, 15511, 15527, 15541, 15551, 15559, 15569, + 15581, 15583, 15601, 15607, 15619, 15629, 
15641, 15643, + 15647, 15649, 15661, 15667, 15671, 15679, 15683, 15727, + 15731, 15733, 15737, 15739, 15749, 15761, 15767, 15773, + 15787, 15791, 15797, 15803, 15809, 15817, 15823, 15859, + 15877, 15881, 15887, 15889, 15901, 15907, 15913, 15919, + 15923, 15937, 15959, 15971, 15973, 15991, 16001, 16007, + 16033, 16057, 16061, 16063, 16067, 16069, 16073, 16087, + 16091, 16097, 16103, 16111, 16127, 16139, 16141, 16183, + 16187, 16189, 16193, 16217, 16223, 16229, 16231, 16249, + 16253, 16267, 16273, 16301, 16319, 16333, 16339, 16349, + 16361, 16363, 16369, 16381, 16411, 16417, 16421, 16427, + 16433, 16447, 16451, 16453, 16477, 16481, 16487, 16493, + 16519, 16529, 16547, 16553, 16561, 16567, 16573, 16603, + 16607, 16619, 16631, 16633, 16649, 16651, 16657, 16661, + 16673, 16691, 16693, 16699, 16703, 16729, 16741, 16747, + 16759, 16763, 16787, 16811, 16823, 16829, 16831, 16843, + 16871, 16879, 16883, 16889, 16901, 16903, 16921, 16927, + 16931, 16937, 16943, 16963, 16979, 16981, 16987, 16993, + 17011, 17021, 17027, 17029, 17033, 17041, 17047, 17053, + 17077, 17093, 17099, 17107, 17117, 17123, 17137, 17159, + 17167, 17183, 17189, 17191, 17203, 17207, 17209, 17231, + 17239, 17257, 17291, 17293, 17299, 17317, 17321, 17327, + 17333, 17341, 17351, 17359, 17377, 17383, 17387, 17389, + 17393, 17401, 17417, 17419, 17431, 17443, 17449, 17467, + 17471, 17477, 17483, 17489, 17491, 17497, 17509, 17519, + 17539, 17551, 17569, 17573, 17579, 17581, 17597, 17599, + 17609, 17623, 17627, 17657, 17659, 17669, 17681, 17683, + 17707, 17713, 17729, 17737, 17747, 17749, 17761, 17783, + 17789, 17791, 17807, 17827, 17837, 17839, 17851, 17863, +}; diff --git a/crypto/bn/bn_sqr.c b/crypto/bn/bn_sqr.c index a0dce6e..d414800 100644 --- a/crypto/bn/bn_sqr.c +++ b/crypto/bn/bn_sqr.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_sqr.c,v 1.12 2015/02/09 15:49:22 jsing Exp $ */
+/* $OpenBSD: bn_sqr.c,v 1.30 2023/04/19 10:51:22 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -56,101 +56,140 @@ * [including the GNU Public Licence.] */ +#include #include #include -#include "bn_lcl.h" +#include "bn_arch.h" +#include "bn_local.h" +#include "bn_internal.h" -/* r must not be a */ -/* I've just gone over this and it is now %20 faster on x86 - eay - 27 Jun 96 */ -int -BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) +int bn_sqr(BIGNUM *r, const BIGNUM *a, int max, BN_CTX *ctx); + +/* + * bn_sqr_comba4() computes r[] = a[] * a[] using Comba multiplication + * (https://everything2.com/title/Comba+multiplication), where a is a + * four word array, producing an eight word array result. + */ +#ifndef HAVE_BN_SQR_COMBA4 +void +bn_sqr_comba4(BN_ULONG *r, const BN_ULONG *a) { - int max, al; - int ret = 0; - BIGNUM *tmp, *rr; + BN_ULONG c2, c1, c0; -#ifdef BN_COUNT - fprintf(stderr, "BN_sqr %d * %d\n", a->top, a->top); -#endif - bn_check_top(a); + bn_mulw_addtw(a[0], a[0], 0, 0, 0, &c2, &c1, &r[0]); - al = a->top; - if (al <= 0) { - r->top = 0; - r->neg = 0; - return 1; - } + bn_mul2_mulw_addtw(a[1], a[0], 0, c2, c1, &c2, &c1, &r[1]); - BN_CTX_start(ctx); - rr = (a != r) ? 
r : BN_CTX_get(ctx); - tmp = BN_CTX_get(ctx); - if (rr == NULL || tmp == NULL) - goto err; + bn_mulw_addtw(a[1], a[1], 0, c2, c1, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[2], a[0], c2, c1, c0, &c2, &c1, &r[2]); - max = 2 * al; /* Non-zero (from above) */ - if (bn_wexpand(rr, max) == NULL) - goto err; + bn_mul2_mulw_addtw(a[3], a[0], 0, c2, c1, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[2], a[1], c2, c1, c0, &c2, &c1, &r[3]); - if (al == 4) { -#ifndef BN_SQR_COMBA - BN_ULONG t[8]; - bn_sqr_normal(rr->d, a->d, 4, t); -#else - bn_sqr_comba4(rr->d, a->d); -#endif - } else if (al == 8) { -#ifndef BN_SQR_COMBA - BN_ULONG t[16]; - bn_sqr_normal(rr->d, a->d, 8, t); -#else - bn_sqr_comba8(rr->d, a->d); -#endif - } else { -#if defined(BN_RECURSION) - if (al < BN_SQR_RECURSIVE_SIZE_NORMAL) { - BN_ULONG t[BN_SQR_RECURSIVE_SIZE_NORMAL*2]; - bn_sqr_normal(rr->d, a->d, al, t); - } else { - int j, k; + bn_mulw_addtw(a[2], a[2], 0, c2, c1, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[3], a[1], c2, c1, c0, &c2, &c1, &r[4]); - j = BN_num_bits_word((BN_ULONG)al); - j = 1 << (j - 1); - k = j + j; - if (al == j) { - if (bn_wexpand(tmp, k * 2) == NULL) - goto err; - bn_sqr_recursive(rr->d, a->d, al, tmp->d); - } else { - if (bn_wexpand(tmp, max) == NULL) - goto err; - bn_sqr_normal(rr->d, a->d, al, tmp->d); - } - } -#else - if (bn_wexpand(tmp, max) == NULL) - goto err; - bn_sqr_normal(rr->d, a->d, al, tmp->d); -#endif - } + bn_mul2_mulw_addtw(a[3], a[2], 0, c2, c1, &c2, &c1, &r[5]); - rr->neg = 0; - /* If the most-significant half of the top word of 'a' is zero, then - * the square of 'a' will max-1 words. 
*/ - if (a->d[al - 1] == (a->d[al - 1] & BN_MASK2l)) - rr->top = max - 1; - else - rr->top = max; - if (rr != r) - BN_copy(r, rr); - ret = 1; - -err: - bn_check_top(rr); - bn_check_top(tmp); - BN_CTX_end(ctx); - return (ret); + bn_mulw_addtw(a[3], a[3], 0, c2, c1, &c2, &r[7], &r[6]); } +#endif + +/* + * bn_sqr_comba8() computes r[] = a[] * a[] using Comba multiplication + * (https://everything2.com/title/Comba+multiplication), where a is an + * eight word array, producing an 16 word array result. + */ +#ifndef HAVE_BN_SQR_COMBA8 +void +bn_sqr_comba8(BN_ULONG *r, const BN_ULONG *a) +{ + BN_ULONG c2, c1, c0; + + bn_mulw_addtw(a[0], a[0], 0, 0, 0, &c2, &c1, &r[0]); + + bn_mul2_mulw_addtw(a[1], a[0], 0, c2, c1, &c2, &c1, &r[1]); + + bn_mulw_addtw(a[1], a[1], 0, c2, c1, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[2], a[0], c2, c1, c0, &c2, &c1, &r[2]); + + bn_mul2_mulw_addtw(a[3], a[0], 0, c2, c1, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[2], a[1], c2, c1, c0, &c2, &c1, &r[3]); + + bn_mulw_addtw(a[2], a[2], 0, c2, c1, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[3], a[1], c2, c1, c0, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[4], a[0], c2, c1, c0, &c2, &c1, &r[4]); + + bn_mul2_mulw_addtw(a[5], a[0], 0, c2, c1, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[4], a[1], c2, c1, c0, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[3], a[2], c2, c1, c0, &c2, &c1, &r[5]); + + bn_mulw_addtw(a[3], a[3], 0, c2, c1, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[4], a[2], c2, c1, c0, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[5], a[1], c2, c1, c0, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[6], a[0], c2, c1, c0, &c2, &c1, &r[6]); + + bn_mul2_mulw_addtw(a[7], a[0], 0, c2, c1, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[6], a[1], c2, c1, c0, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[5], a[2], c2, c1, c0, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[4], a[3], c2, c1, c0, &c2, &c1, &r[7]); + + bn_mulw_addtw(a[4], a[4], 0, c2, c1, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[5], a[3], c2, c1, c0, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[6], a[2], c2, c1, c0, 
&c2, &c1, &c0); + bn_mul2_mulw_addtw(a[7], a[1], c2, c1, c0, &c2, &c1, &r[8]); + + bn_mul2_mulw_addtw(a[7], a[2], 0, c2, c1, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[6], a[3], c2, c1, c0, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[5], a[4], c2, c1, c0, &c2, &c1, &r[9]); + + bn_mulw_addtw(a[5], a[5], 0, c2, c1, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[6], a[4], c2, c1, c0, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[7], a[3], c2, c1, c0, &c2, &c1, &r[10]); + + bn_mul2_mulw_addtw(a[7], a[4], 0, c2, c1, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[6], a[5], c2, c1, c0, &c2, &c1, &r[11]); + + bn_mulw_addtw(a[6], a[6], 0, c2, c1, &c2, &c1, &c0); + bn_mul2_mulw_addtw(a[7], a[5], c2, c1, c0, &c2, &c1, &r[12]); + + bn_mul2_mulw_addtw(a[7], a[6], 0, c2, c1, &c2, &c1, &r[13]); + + bn_mulw_addtw(a[7], a[7], 0, c2, c1, &c2, &r[15], &r[14]); +} +#endif + +#ifndef HAVE_BN_SQR_WORDS +/* + * bn_sqr_words() computes (r[i*2+1]:r[i*2]) = a[i] * a[i]. + */ +void +bn_sqr_words(BN_ULONG *r, const BN_ULONG *a, int n) +{ + assert(n >= 0); + if (n <= 0) + return; + +#ifndef OPENSSL_SMALL_FOOTPRINT + while (n & ~3) { + bn_mulw(a[0], a[0], &r[1], &r[0]); + bn_mulw(a[1], a[1], &r[3], &r[2]); + bn_mulw(a[2], a[2], &r[5], &r[4]); + bn_mulw(a[3], a[3], &r[7], &r[6]); + a += 4; + r += 8; + n -= 4; + } +#endif + while (n) { + bn_mulw(a[0], a[0], &r[1], &r[0]); + a++; + r += 2; + n--; + } +} +#endif /* tmp must have 2*n words */ void 
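Review bot: bn_sqr_comba4() and bn_sqr_comba8() write `r[0]` in their first call and read `a[0]` again afterwards (`bn_mul2_mulw_addtw(a[2], a[0], ...)`), so they silently compute garbage if r overlaps a, yet only the bn_sqr() comment states the no-aliasing requirement. I would add `r must not overlap a.` to each comba function's header comment, and the same note to bn_sqr_words(), which writes `r[1]:r[0]` before reading `a[1]`. The forward declaration `int bn_sqr(BIGNUM *r, const BIGNUM *a, int max, BN_CTX *ctx);` names the third parameter `max` while the definition calls it `rn`; `int rn` in the prototype would match. Also "producing an 16 word array result" in the bn_sqr_comba8 comment should read "a 16 word".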
@@ -189,98 +228,82 @@ bn_sqr_normal(BN_ULONG *r, const BN_ULONG *a, int n, BN_ULONG *tmp) bn_add_words(r, r, tmp, max); } -#ifdef BN_RECURSION -/* r is 2*n words in size, - * a and b are both n words in size. (There's not actually a 'b' here ...) - * n must be a power of 2. - * We multiply and return the result. - * t must be 2*n words in size - * We calculate - * a[0]*b[0] - * a[0]*b[0]+a[1]*b[1]+(a[0]-a[1])*(b[1]-b[0]) - * a[1]*b[1] + +/* + * bn_sqr() computes a * a, storing the result in r. The caller must ensure that + * r is not the same BIGNUM as a and that r has been expanded to rn = a->top * 2 + * words. */ -void -bn_sqr_recursive(BN_ULONG *r, const BN_ULONG *a, int n2, BN_ULONG *t) +#ifndef HAVE_BN_SQR +int +bn_sqr(BIGNUM *r, const BIGNUM *a, int rn, BN_CTX *ctx) { - int n = n2 / 2; - int zero, c1; - BN_ULONG ln, lo, *p; + BIGNUM *tmp; + int ret = 0; -#ifdef BN_COUNT - fprintf(stderr, " bn_sqr_recursive %d * %d\n", n2, n2); -#endif - if (n2 == 4) { -#ifndef BN_SQR_COMBA - bn_sqr_normal(r, a, 4, t); -#else - bn_sqr_comba4(r, a); -#endif - return; - } else if (n2 == 8) { -#ifndef BN_SQR_COMBA - bn_sqr_normal(r, a, 8, t); -#else - bn_sqr_comba8(r, a); -#endif - return; - } - if (n2 < BN_SQR_RECURSIVE_SIZE_NORMAL) { - bn_sqr_normal(r, a, n2, t); - return; - } - /* r=(a[0]-a[1])*(a[1]-a[0]) */ - c1 = bn_cmp_words(a, &(a[n]), n); - zero = 0; - if (c1 > 0) - bn_sub_words(t, a, &(a[n]), n); - else if (c1 < 0) - bn_sub_words(t, &(a[n]), a, n); - else - zero = 1; + BN_CTX_start(ctx); - /* The result will always be negative unless it is zero */ - p = &(t[n2*2]); + if ((tmp = BN_CTX_get(ctx)) == NULL) + goto err; - if (!zero) - bn_sqr_recursive(&(t[n2]), t, n, p); - else - memset(&(t[n2]), 0, n2 * sizeof(BN_ULONG)); - bn_sqr_recursive(r, a, n, p); - bn_sqr_recursive(&(r[n2]), &(a[n]), n, p); + if (!bn_wexpand(tmp, rn)) + goto err; + bn_sqr_normal(r->d, a->d, a->top, tmp->d); - /* t[32] holds (a[0]-a[1])*(a[1]-a[0]), it is negative or zero - * r[10] holds (a[0]*b[0]) - 
* r[32] holds (b[1]*b[1]) - */ + ret = 1; - c1 = (int)(bn_add_words(t, r, &(r[n2]), n2)); + err: + BN_CTX_end(ctx); - /* t[32] is negative */ - c1 -= (int)(bn_sub_words(&(t[n2]), t, &(t[n2]), n2)); - - /* t[32] holds (a[0]-a[1])*(a[1]-a[0])+(a[0]*a[0])+(a[1]*a[1]) - * r[10] holds (a[0]*a[0]) - * r[32] holds (a[1]*a[1]) - * c1 holds the carry bits - */ - c1 += (int)(bn_add_words(&(r[n]), &(r[n]), &(t[n2]), n2)); - if (c1) { - p = &(r[n + n2]); - lo= *p; - ln = (lo + c1) & BN_MASK2; - *p = ln; - - /* The overflow will stop before we over write - * words we should not overwrite */ - if (ln < (BN_ULONG)c1) { - do { - p++; - lo= *p; - ln = (lo + 1) & BN_MASK2; - *p = ln; - } while (ln == 0); - } - } + return ret; } #endif + +int +BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) +{ + BIGNUM *rr; + int rn; + int ret = 1; + + BN_CTX_start(ctx); + + if (BN_is_zero(a)) { + BN_zero(r); + goto done; + } + + if ((rr = r) == a) + rr = BN_CTX_get(ctx); + if (rr == NULL) + goto err; + + rn = a->top * 2; + if (rn < a->top) + goto err; + if (!bn_wexpand(rr, rn)) + goto err; + + if (a->top == 4) { + bn_sqr_comba4(rr->d, a->d); + } else if (a->top == 8) { + bn_sqr_comba8(rr->d, a->d); + } else { + if (!bn_sqr(rr, a, rn, ctx)) + goto err; + } + + rr->top = rn; + bn_correct_top(rr); + + rr->neg = 0; + + if (!bn_copy(r, rr)) + goto err; + done: + ret = 1; + err: + BN_CTX_end(ctx); + + return ret; +} diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c deleted file mode 100644 index 4b9638b..0000000 --- a/crypto/bn/bn_sqrt.c +++ /dev/null 
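Review bot: In the new BN_sqr() `ret` is initialised to 1 and never cleared on the failure paths, so every `goto err` (BN_CTX_get() returning NULL, the `rn < a->top` guard, bn_wexpand(), bn_sqr(), bn_copy()) returns success while `r` may be untouched or partially written, which a caller doing modular arithmetic on the result has no way to detect; `int ret = 0;` at the declaration fixes it, since the `done:` label already sets `ret = 1` on the success path. The guard `rn = a->top * 2; if (rn < a->top)` also tests for overflow only after the signed multiplication has already overflowed, so it relies on two's-complement wraparound that the C standard does not promise; checking `a->top > INT_MAX / 2` before the multiplication makes the check meaningful. Both points are in the added lines of this hunk; the `#ifndef HAVE_BN_SQR` bn_sqr() above it initialises `ret` to 0 and is fine.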
@@ -1,411 +0,0 @@ -/* $OpenBSD: bn_sqrt.c,v 1.10 2022/03/15 15:52:39 tb Exp $ */ -/* Written by Lenka Fibikova - * and Bodo Moeller for the OpenSSL project. */ -/* ==================================================================== - * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include - -#include "bn_lcl.h" - -BIGNUM * -BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) -/* Returns 'ret' such that - * ret^2 == a (mod p), - * using the Tonelli/Shanks algorithm (cf. Henri Cohen, "A Course - * in Algebraic Computational Number Theory", algorithm 1.5.1). - * 'p' must be prime! 
- */ -{ - BIGNUM *ret = in; - int err = 1; - int r; - BIGNUM *A, *b, *q, *t, *x, *y; - int e, i, j; - - if (!BN_is_odd(p) || BN_abs_is_word(p, 1)) { - if (BN_abs_is_word(p, 2)) { - if (ret == NULL) - ret = BN_new(); - if (ret == NULL) - goto end; - if (!BN_set_word(ret, BN_is_bit_set(a, 0))) { - if (ret != in) - BN_free(ret); - return NULL; - } - bn_check_top(ret); - return ret; - } - - BNerror(BN_R_P_IS_NOT_PRIME); - return (NULL); - } - - if (BN_is_zero(a) || BN_is_one(a)) { - if (ret == NULL) - ret = BN_new(); - if (ret == NULL) - goto end; - if (!BN_set_word(ret, BN_is_one(a))) { - if (ret != in) - BN_free(ret); - return NULL; - } - bn_check_top(ret); - return ret; - } - - BN_CTX_start(ctx); - if ((A = BN_CTX_get(ctx)) == NULL) - goto end; - if ((b = BN_CTX_get(ctx)) == NULL) - goto end; - if ((q = BN_CTX_get(ctx)) == NULL) - goto end; - if ((t = BN_CTX_get(ctx)) == NULL) - goto end; - if ((x = BN_CTX_get(ctx)) == NULL) - goto end; - if ((y = BN_CTX_get(ctx)) == NULL) - goto end; - - if (ret == NULL) - ret = BN_new(); - if (ret == NULL) - goto end; - - /* A = a mod p */ - if (!BN_nnmod(A, a, p, ctx)) - goto end; - - /* now write |p| - 1 as 2^e*q where q is odd */ - e = 1; - while (!BN_is_bit_set(p, e)) - e++; - /* we'll set q later (if needed) */ - - if (e == 1) { - /* The easy case: (|p|-1)/2 is odd, so 2 has an inverse - * modulo (|p|-1)/2, and square roots can be computed - * directly by modular exponentiation. - * We have - * 2 * (|p|+1)/4 == 1 (mod (|p|-1)/2), - * so we can use exponent (|p|+1)/4, i.e. (|p|-3)/4 + 1. - */ - if (!BN_rshift(q, p, 2)) - goto end; - q->neg = 0; - if (!BN_add_word(q, 1)) - goto end; - if (!BN_mod_exp_ct(ret, A, q, p, ctx)) - goto end; - err = 0; - goto vrfy; - } - - if (e == 2) { - /* |p| == 5 (mod 8) - * - * In this case 2 is always a non-square since - * Legendre(2,p) = (-1)^((p^2-1)/8) for any odd prime. - * So if a really is a square, then 2*a is a non-square. 
- * Thus for - * b := (2*a)^((|p|-5)/8), - * i := (2*a)*b^2 - * we have - * i^2 = (2*a)^((1 + (|p|-5)/4)*2) - * = (2*a)^((p-1)/2) - * = -1; - * so if we set - * x := a*b*(i-1), - * then - * x^2 = a^2 * b^2 * (i^2 - 2*i + 1) - * = a^2 * b^2 * (-2*i) - * = a*(-i)*(2*a*b^2) - * = a*(-i)*i - * = a. - * - * (This is due to A.O.L. Atkin, - * , - * November 1992.) - */ - - /* t := 2*a */ - if (!BN_mod_lshift1_quick(t, A, p)) - goto end; - - /* b := (2*a)^((|p|-5)/8) */ - if (!BN_rshift(q, p, 3)) - goto end; - q->neg = 0; - if (!BN_mod_exp_ct(b, t, q, p, ctx)) - goto end; - - /* y := b^2 */ - if (!BN_mod_sqr(y, b, p, ctx)) - goto end; - - /* t := (2*a)*b^2 - 1*/ - if (!BN_mod_mul(t, t, y, p, ctx)) - goto end; - if (!BN_sub_word(t, 1)) - goto end; - - /* x = a*b*t */ - if (!BN_mod_mul(x, A, b, p, ctx)) - goto end; - if (!BN_mod_mul(x, x, t, p, ctx)) - goto end; - - if (!BN_copy(ret, x)) - goto end; - err = 0; - goto vrfy; - } - - /* e > 2, so we really have to use the Tonelli/Shanks algorithm. - * First, find some y that is not a square. */ - if (!BN_copy(q, p)) goto end; /* use 'q' as temp */ - q->neg = 0; - i = 2; - do { - /* For efficiency, try small numbers first; - * if this fails, try random numbers. - */ - if (i < 22) { - if (!BN_set_word(y, i)) - goto end; - } else { - if (!BN_pseudo_rand(y, BN_num_bits(p), 0, 0)) - goto end; - if (BN_ucmp(y, p) >= 0) { - if (p->neg) { - if (!BN_add(y, y, p)) - goto end; - } else { - if (!BN_sub(y, y, p)) - goto end; - } - } - /* now 0 <= y < |p| */ - if (BN_is_zero(y)) - if (!BN_set_word(y, i)) - goto end; - } - - r = BN_kronecker(y, q, ctx); /* here 'q' is |p| */ - if (r < -1) - goto end; - if (r == 0) { - /* m divides p */ - BNerror(BN_R_P_IS_NOT_PRIME); - goto end; - } - } - while (r == 1 && ++i < 82); - - if (r != -1) { - /* Many rounds and still no non-square -- this is more likely - * a bug than just bad luck. - * Even if p is not prime, we should have found some y - * such that r == -1. 
- */ - BNerror(BN_R_TOO_MANY_ITERATIONS); - goto end; - } - - /* Here's our actual 'q': */ - if (!BN_rshift(q, q, e)) - goto end; - - /* Now that we have some non-square, we can find an element - * of order 2^e by computing its q'th power. */ - if (!BN_mod_exp_ct(y, y, q, p, ctx)) - goto end; - if (BN_is_one(y)) { - BNerror(BN_R_P_IS_NOT_PRIME); - goto end; - } - - /* Now we know that (if p is indeed prime) there is an integer - * k, 0 <= k < 2^e, such that - * - * a^q * y^k == 1 (mod p). - * - * As a^q is a square and y is not, k must be even. - * q+1 is even, too, so there is an element - * - * X := a^((q+1)/2) * y^(k/2), - * - * and it satisfies - * - * X^2 = a^q * a * y^k - * = a, - * - * so it is the square root that we are looking for. - */ - - /* t := (q-1)/2 (note that q is odd) */ - if (!BN_rshift1(t, q)) - goto end; - - /* x := a^((q-1)/2) */ - if (BN_is_zero(t)) /* special case: p = 2^e + 1 */ - { - if (!BN_nnmod(t, A, p, ctx)) - goto end; - if (BN_is_zero(t)) { - /* special case: a == 0 (mod p) */ - BN_zero(ret); - err = 0; - goto end; - } else if (!BN_one(x)) - goto end; - } else { - if (!BN_mod_exp_ct(x, A, t, p, ctx)) - goto end; - if (BN_is_zero(x)) { - /* special case: a == 0 (mod p) */ - BN_zero(ret); - err = 0; - goto end; - } - } - - /* b := a*x^2 (= a^q) */ - if (!BN_mod_sqr(b, x, p, ctx)) - goto end; - if (!BN_mod_mul(b, b, A, p, ctx)) - goto end; - - /* x := a*x (= a^((q+1)/2)) */ - if (!BN_mod_mul(x, x, A, p, ctx)) - goto end; - - while (1) { - /* Now b is a^q * y^k for some even k (0 <= k < 2^E - * where E refers to the original value of e, which we - * don't keep in a variable), and x is a^((q+1)/2) * y^(k/2). - * - * We have a*b = x^2, - * y^2^(e-1) = -1, - * b^2^(e-1) = 1. - */ - - if (BN_is_one(b)) { - if (!BN_copy(ret, x)) - goto end; - err = 0; - goto vrfy; - } - - /* Find the smallest i with 0 < i < e such that b^(2^i) = 1. 
*/ - for (i = 1; i < e; i++) { - if (i == 1) { - if (!BN_mod_sqr(t, b, p, ctx)) - goto end; - } else { - if (!BN_mod_sqr(t, t, p, ctx)) - goto end; - } - if (BN_is_one(t)) - break; - } - if (i >= e) { - BNerror(BN_R_NOT_A_SQUARE); - goto end; - } - - /* t := y^2^(e - i - 1) */ - if (!BN_copy(t, y)) - goto end; - for (j = e - i - 1; j > 0; j--) { - if (!BN_mod_sqr(t, t, p, ctx)) - goto end; - } - if (!BN_mod_mul(y, t, t, p, ctx)) - goto end; - if (!BN_mod_mul(x, x, t, p, ctx)) - goto end; - if (!BN_mod_mul(b, b, y, p, ctx)) - goto end; - e = i; - } - -vrfy: - if (!err) { - /* verify the result -- the input might have been not a square - * (test added in 0.9.8) */ - - if (!BN_mod_sqr(x, ret, p, ctx)) - err = 1; - - if (!err && 0 != BN_cmp(x, A)) { - BNerror(BN_R_NOT_A_SQUARE); - err = 1; - } - } - -end: - if (err) { - if (ret != NULL && ret != in) { - BN_clear_free(ret); - } - ret = NULL; - } - BN_CTX_end(ctx); - bn_check_top(ret); - return ret; -} diff --git a/crypto/bn/bn_word.c b/crypto/bn/bn_word.c index 7165458..68d5c2a 100644 --- a/crypto/bn/bn_word.c +++ b/crypto/bn/bn_word.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_word.c,v 1.13 2016/07/05 02:54:35 bcook Exp $ */ +/* $OpenBSD: bn_word.c,v 1.20 2023/03/11 14:14:54 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -58,7 +58,7 @@ #include -#include "bn_lcl.h" +#include "bn_local.h" BN_ULONG BN_mod_word(const BIGNUM *a, BN_ULONG w) @@ -87,7 +87,6 @@ BN_mod_word(const BIGNUM *a, BN_ULONG w) } #endif - bn_check_top(a); w &= BN_MASK2; for (i = a->top - 1; i >= 0; i--) { #ifndef BN_LLONG @@ -108,7 +107,6 @@ BN_div_word(BIGNUM *a, BN_ULONG w) BN_ULONG ret = 0; int i, j; - bn_check_top(a); w &= BN_MASK2; if (!w) 
@@ -127,14 +125,16 @@ BN_div_word(BIGNUM *a, BN_ULONG w) BN_ULONG l, d; l = a->d[i]; - d = bn_div_words(ret, l, w); - ret = (l - ((d*w)&BN_MASK2))&BN_MASK2; + bn_div_rem_words(ret, l, w, &d, &ret); a->d[i] = d; } if ((a->top > 0) && (a->d[a->top - 1] == 0)) a->top--; ret >>= j; - bn_check_top(a); + + /* Set negative again, to handle -0 case. */ + BN_set_negative(a, a->neg); + return (ret); } @@ -144,7 +144,6 @@ BN_add_word(BIGNUM *a, BN_ULONG w) BN_ULONG l; int i; - bn_check_top(a); w &= BN_MASK2; /* degenerate case: w is zero */ @@ -157,8 +156,7 @@ BN_add_word(BIGNUM *a, BN_ULONG w) if (a->neg) { a->neg = 0; i = BN_sub_word(a, w); - if (!BN_is_zero(a)) - a->neg=!(a->neg); + BN_set_negative(a, !a->neg); return (i); } for (i = 0; w != 0 && i < a->top; i++) { @@ -166,12 +164,11 @@ BN_add_word(BIGNUM *a, BN_ULONG w) w = (w > l) ? 1 : 0; } if (w && i == a->top) { - if (bn_wexpand(a, a->top + 1) == NULL) + if (!bn_wexpand(a, a->top + 1)) return 0; a->top++; a->d[i] = w; } - bn_check_top(a); return (1); } @@ -180,7 +177,6 @@ BN_sub_word(BIGNUM *a, BN_ULONG w) { int i; - bn_check_top(a); w &= BN_MASK2; /* degenerate case: w is zero */ @@ -197,13 +193,13 @@ BN_sub_word(BIGNUM *a, BN_ULONG w) if (a->neg) { a->neg = 0; i = BN_add_word(a, w); - a->neg = 1; + BN_set_negative(a, !a->neg); return (i); } if ((a->top == 1) && (a->d[0] < w)) { a->d[0] = w - a->d[0]; - a->neg = 1; + BN_set_negative(a, 1); return (1); } i = 0; @@ -219,7 +215,6 @@ BN_sub_word(BIGNUM *a, BN_ULONG w) } if ((a->d[i] == 0) && (i == (a->top - 1))) a->top--; - bn_check_top(a); return (1); } @@ -228,7 +223,6 @@ BN_mul_word(BIGNUM *a, BN_ULONG w) { BN_ULONG ll; - bn_check_top(a); w &= BN_MASK2; if (a->top) { if (w == 0) @@ -236,12 +230,11 @@ BN_mul_word(BIGNUM *a, BN_ULONG w) else { ll = bn_mul_words(a->d, a->d, a->top, w); if (ll) { - if (bn_wexpand(a, a->top + 1) == NULL) + if (!bn_wexpand(a, a->top + 1)) return (0); a->d[a->top++] = ll; } } } - bn_check_top(a); return (1); } 
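Review bot: In the BN_div_word() hunk `bn_div_rem_words(ret, l, w, &d, &ret);` passes `ret` both as the high input word and as the remainder output; that is only safe because the first argument is taken by value, so if bn_div_rem_words() is, or is later turned into, a macro, the store through `&ret` could happen before `ret` has finished being read. A short comment on that line, `/* ret is consumed as the high word before it is overwritten with the remainder */`, or a separate `rem` local passed as the output, would make the dependency explicit. The enclosing BN_div_word() starts outside the hunk.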
diff --git a/crypto/bn/bn_x931p.c b/crypto/bn/bn_x931p.c deleted file mode 100644 index 7fc3b5c..0000000 --- a/crypto/bn/bn_x931p.c +++ /dev/null 
@@ -1,292 +0,0 @@ -/* $OpenBSD: bn_x931p.c,v 1.13 2022/01/20 10:56:22 inoguchi Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2005. - */ -/* ==================================================================== - * Copyright (c) 2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. 
Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include - -#include "bn_lcl.h" - -/* X9.31 routines for prime derivation */ - -/* X9.31 prime derivation. This is used to generate the primes pi - * (p1, p2, q1, q2) from a parameter Xpi by checking successive odd - * integers. 
- */ - -static int -bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx, BN_GENCB *cb) -{ - int i = 0, is_prime; - - if (!BN_copy(pi, Xpi)) - return 0; - if (!BN_is_odd(pi) && !BN_add_word(pi, 1)) - return 0; - for (;;) { - i++; - BN_GENCB_call(cb, 0, i); - /* NB 27 MR is specificed in X9.31 */ - is_prime = BN_is_prime_fasttest_ex(pi, 27, ctx, 1, cb); - if (is_prime < 0) - return 0; - if (is_prime == 1) - break; - if (!BN_add_word(pi, 2)) - return 0; - } - BN_GENCB_call(cb, 2, i); - return 1; -} - -/* This is the main X9.31 prime derivation function. From parameters - * Xp1, Xp2 and Xp derive the prime p. If the parameters p1 or p2 are - * not NULL they will be returned too: this is needed for testing. - */ - -int -BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, const BIGNUM *Xp, - const BIGNUM *Xp1, const BIGNUM *Xp2, const BIGNUM *e, BN_CTX *ctx, - BN_GENCB *cb) -{ - int ret = 0; - - BIGNUM *t, *p1p2, *pm1; - - /* Only even e supported */ - if (!BN_is_odd(e)) - return 0; - - BN_CTX_start(ctx); - if (p1 == NULL) { - if ((p1 = BN_CTX_get(ctx)) == NULL) - goto err; - } - if (p2 == NULL) { - if ((p2 = BN_CTX_get(ctx)) == NULL) - goto err; - } - - if ((t = BN_CTX_get(ctx)) == NULL) - goto err; - if ((p1p2 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((pm1 = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!bn_x931_derive_pi(p1, Xp1, ctx, cb)) - goto err; - - if (!bn_x931_derive_pi(p2, Xp2, ctx, cb)) - goto err; - - if (!BN_mul(p1p2, p1, p2, ctx)) - goto err; - - /* First set p to value of Rp */ - - if (BN_mod_inverse_ct(p, p2, p1, ctx) == NULL) - goto err; - - if (!BN_mul(p, p, p2, ctx)) - goto err; - - if (BN_mod_inverse_ct(t, p1, p2, ctx) == NULL) - goto err; - - if (!BN_mul(t, t, p1, ctx)) - goto err; - - if (!BN_sub(p, p, t)) - goto err; - - if (BN_is_negative(p) && !BN_add(p, p, p1p2)) - goto err; - - /* p now equals Rp */ - - if (!BN_mod_sub(p, p, Xp, p1p2, ctx)) - goto err; - - if (!BN_add(p, p, Xp)) - goto err; - - /* p now equals Yp0 */ - - 
for (;;) { - int i = 1; - BN_GENCB_call(cb, 0, i++); - if (!BN_copy(pm1, p)) - goto err; - if (!BN_sub_word(pm1, 1)) - goto err; - if (!BN_gcd_ct(t, pm1, e, ctx)) - goto err; - if (BN_is_one(t)) { - int r; - - /* - * X9.31 specifies 8 MR and 1 Lucas test or any prime - * test offering similar or better guarantees 50 MR - * is considerably better. - */ - r = BN_is_prime_fasttest_ex(p, 50, ctx, 1, cb); - if (r < 0) - goto err; - if (r == 1) - break; - } - if (!BN_add(p, p, p1p2)) - goto err; - } - - BN_GENCB_call(cb, 3, 0); - - ret = 1; - -err: - - BN_CTX_end(ctx); - - return ret; -} - -/* Generate pair of paramters Xp, Xq for X9.31 prime generation. - * Note: nbits paramter is sum of number of bits in both. - */ - -int -BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx) -{ - BIGNUM *t; - int i; - int ret = 0; - - /* Number of bits for each prime is of the form - * 512+128s for s = 0, 1, ... - */ - if ((nbits < 1024) || (nbits & 0xff)) - return 0; - nbits >>= 1; - /* The random value Xp must be between sqrt(2) * 2^(nbits-1) and - * 2^nbits - 1. By setting the top two bits we ensure that the lower - * bound is exceeded. - */ - if (!BN_rand(Xp, nbits, 1, 0)) - return 0; - - BN_CTX_start(ctx); - if ((t = BN_CTX_get(ctx)) == NULL) - goto err; - - for (i = 0; i < 1000; i++) { - if (!BN_rand(Xq, nbits, 1, 0)) - goto err; - /* Check that |Xp - Xq| > 2^(nbits - 100) */ - if (!BN_sub(t, Xp, Xq)) - goto err; - if (BN_num_bits(t) > (nbits - 100)) - break; - } - - if (i < 1000) - ret = 1; - -err: - BN_CTX_end(ctx); - - return ret; -} - -/* Generate primes using X9.31 algorithm. Of the values p, p1, p2, Xp1 - * and Xp2 only 'p' needs to be non-NULL. If any of the others are not NULL - * the relevant parameter will be stored in it. - * - * Due to the fact that |Xp - Xq| > 2^(nbits - 100) must be satisfied Xp and Xq - * are generated using the previous function and supplied as input. 
- */ - -int -BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, BIGNUM *Xp1, - BIGNUM *Xp2, const BIGNUM *Xp, const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb) -{ - int ret = 0; - - BN_CTX_start(ctx); - if (Xp1 == NULL) { - if ((Xp1 = BN_CTX_get(ctx)) == NULL) - goto error; - } - if (Xp2 == NULL) { - if ((Xp2 = BN_CTX_get(ctx)) == NULL) - goto error; - } - - if (!BN_rand(Xp1, 101, 0, 0)) - goto error; - if (!BN_rand(Xp2, 101, 0, 0)) - goto error; - if (!BN_X931_derive_prime_ex(p, p1, p2, Xp, Xp1, Xp2, e, ctx, cb)) - goto error; - - ret = 1; - -error: - BN_CTX_end(ctx); - - return ret; -} diff --git a/crypto/bn/gf2m-elf-armv4.S b/crypto/bn/gf2m-elf-armv4.S deleted file mode 100644 index 8e214cc..0000000 --- a/crypto/bn/gf2m-elf-armv4.S +++ /dev/null 
@@ -1,216 +0,0 @@ -#include "arm_arch.h" - -.text -.code 32 - -#if __ARM_ARCH__>=7 -.fpu neon - -.type mul_1x1_neon,%function -.align 5 -mul_1x1_neon: - vshl.u64 d2,d16,#8 @ q1-q3 are slided - vmull.p8 q0,d16,d17 @ a·bb - vshl.u64 d4,d16,#16 - vmull.p8 q1,d2,d17 @ a<<8·bb - vshl.u64 d6,d16,#24 - vmull.p8 q2,d4,d17 @ a<<16·bb - vshr.u64 d2,#8 - vmull.p8 q3,d6,d17 @ a<<24·bb - vshl.u64 d3,#24 - veor d0,d2 - vshr.u64 d4,#16 - veor d0,d3 - vshl.u64 d5,#16 - veor d0,d4 - vshr.u64 d6,#24 - veor d0,d5 - vshl.u64 d7,#8 - veor d0,d6 - veor d0,d7 - .word 0xe12fff1e -.size mul_1x1_neon,.-mul_1x1_neon -#endif -.type mul_1x1_ialu,%function -.align 5 -mul_1x1_ialu: - mov r4,#0 - bic r5,r1,#3<<30 @ a1=a&0x3fffffff - str r4,[sp,#0] @ tab[0]=0 - add r6,r5,r5 @ a2=a1<<1 - str r5,[sp,#4] @ tab[1]=a1 - eor r7,r5,r6 @ a1^a2 - str r6,[sp,#8] @ tab[2]=a2 - mov r8,r5,lsl#2 @ a4=a1<<2 - str r7,[sp,#12] @ tab[3]=a1^a2 - eor r9,r5,r8 @ a1^a4 - str r8,[sp,#16] @ tab[4]=a4 - eor r4,r6,r8 @ a2^a4 - str r9,[sp,#20] @ tab[5]=a1^a4 - eor r7,r7,r8 @ a1^a2^a4 - str r4,[sp,#24] @ tab[6]=a2^a4 - and r8,r12,r0,lsl#2 - str r7,[sp,#28] @ tab[7]=a1^a2^a4 - - and r9,r12,r0,lsr#1 - ldr r5,[sp,r8] @ tab[b & 0x7] - and r8,r12,r0,lsr#4 - ldr r7,[sp,r9] @ tab[b >> 3 & 0x7] - and r9,r12,r0,lsr#7 - ldr r6,[sp,r8] @ tab[b >> 6 & 0x7] - eor r5,r5,r7,lsl#3 @ stall - mov r4,r7,lsr#29 - ldr r7,[sp,r9] @ tab[b >> 9 & 0x7] - - and r8,r12,r0,lsr#10 - eor r5,r5,r6,lsl#6 - eor r4,r4,r6,lsr#26 - ldr r6,[sp,r8] @ tab[b >> 12 & 0x7] - - and r9,r12,r0,lsr#13 - eor r5,r5,r7,lsl#9 - eor r4,r4,r7,lsr#23 - ldr r7,[sp,r9] @ tab[b >> 15 & 0x7] - - and r8,r12,r0,lsr#16 - eor r5,r5,r6,lsl#12 - eor r4,r4,r6,lsr#20 - ldr r6,[sp,r8] @ tab[b >> 18 & 0x7] - - and r9,r12,r0,lsr#19 - eor r5,r5,r7,lsl#15 - eor r4,r4,r7,lsr#17 - ldr r7,[sp,r9] @ tab[b >> 21 & 0x7] - - and r8,r12,r0,lsr#22 - eor r5,r5,r6,lsl#18 - eor r4,r4,r6,lsr#14 - ldr r6,[sp,r8] @ tab[b >> 24 & 0x7] - - and r9,r12,r0,lsr#25 - eor r5,r5,r7,lsl#21 - eor r4,r4,r7,lsr#11 - ldr 
r7,[sp,r9] @ tab[b >> 27 & 0x7] - - tst r1,#1<<30 - and r8,r12,r0,lsr#28 - eor r5,r5,r6,lsl#24 - eor r4,r4,r6,lsr#8 - ldr r6,[sp,r8] @ tab[b >> 30 ] - - eorne r5,r5,r0,lsl#30 - eorne r4,r4,r0,lsr#2 - tst r1,#1<<31 - eor r5,r5,r7,lsl#27 - eor r4,r4,r7,lsr#5 - eorne r5,r5,r0,lsl#31 - eorne r4,r4,r0,lsr#1 - eor r5,r5,r6,lsl#30 - eor r4,r4,r6,lsr#2 - - mov pc,lr -.size mul_1x1_ialu,.-mul_1x1_ialu -.global bn_GF2m_mul_2x2 -.type bn_GF2m_mul_2x2,%function -.align 5 -bn_GF2m_mul_2x2: -#if __ARM_ARCH__>=7 - ldr r12,.LOPENSSL_armcap -.Lpic: ldr r12,[pc,r12] - tst r12,#1 - beq .Lialu - - veor d18,d18 - vmov d19,r3,r3 @ two copies of b1 - vmov.32 d18[0],r1 @ a1 - - veor d20,d20 - vld1.32 d21[],[sp,:32] @ two copies of b0 - vmov.32 d20[0],r2 @ a0 - mov r12,lr - - vmov d16,d18 - vmov d17,d19 - bl mul_1x1_neon @ a1·b1 - vmov d22,d0 - - vmov d16,d20 - vmov d17,d21 - bl mul_1x1_neon @ a0·b0 - vmov d23,d0 - - veor d16,d20,d18 - veor d17,d21,d19 - veor d20,d23,d22 - bl mul_1x1_neon @ (a0+a1)·(b0+b1) - - veor d0,d20 @ (a0+a1)·(b0+b1)-a0·b0-a1·b1 - vshl.u64 d1,d0,#32 - vshr.u64 d0,d0,#32 - veor d23,d1 - veor d22,d0 - vst1.32 {d23[0]},[r0,:32]! - vst1.32 {d23[1]},[r0,:32]! - vst1.32 {d22[0]},[r0,:32]! 
- vst1.32 {d22[1]},[r0,:32] - bx r12 -.align 4 -.Lialu: -#endif - stmdb sp!,{r4-r10,lr} - mov r10,r0 @ reassign 1st argument - mov r0,r3 @ r0=b1 - ldr r3,[sp,#32] @ load b0 - mov r12,#7<<2 - sub sp,sp,#32 @ allocate tab[8] - - bl mul_1x1_ialu @ a1·b1 - str r5,[r10,#8] - str r4,[r10,#12] - - eor r0,r0,r3 @ flip b0 and b1 - eor r1,r1,r2 @ flip a0 and a1 - eor r3,r3,r0 - eor r2,r2,r1 - eor r0,r0,r3 - eor r1,r1,r2 - bl mul_1x1_ialu @ a0·b0 - str r5,[r10] - str r4,[r10,#4] - - eor r1,r1,r2 - eor r0,r0,r3 - bl mul_1x1_ialu @ (a1+a0)·(b1+b0) - ldmia r10,{r6-r9} - eor r5,r5,r4 - eor r4,r4,r7 - eor r5,r5,r6 - eor r4,r4,r8 - eor r5,r5,r9 - eor r4,r4,r9 - str r4,[r10,#8] - eor r5,r5,r4 - add sp,sp,#32 @ destroy tab[8] - str r5,[r10,#4] - -#if __ARM_ARCH__>=5 - ldmia sp!,{r4-r10,pc} -#else - ldmia sp!,{r4-r10,lr} - tst lr,#1 - moveq pc,lr @ be binary compatible with V4, yet - .word 0xe12fff1e @ interoperable with Thumb ISA:-) -#endif -.size bn_GF2m_mul_2x2,.-bn_GF2m_mul_2x2 -#if __ARM_ARCH__>=7 -.align 5 -.LOPENSSL_armcap: -.word OPENSSL_armcap_P-(.Lpic+8) -#endif -.asciz "GF(2^m) Multiplication for ARMv4/NEON, CRYPTOGAMS by " -.align 5 - -.comm OPENSSL_armcap_P,4,4 -#if defined(HAVE_GNU_STACK) -.section .note.GNU-stack,"",%progbits -#endif diff --git a/crypto/bn/gf2m-elf-x86_64.S b/crypto/bn/gf2m-elf-x86_64.S deleted file mode 100644 index c53a2c0..0000000 --- a/crypto/bn/gf2m-elf-x86_64.S +++ /dev/null 
@@ -1,296 +0,0 @@ -#include "x86_arch.h" -.text - -.type _mul_1x1,@function -.align 16 -_mul_1x1: - subq $128+8,%rsp - movq $-1,%r9 - leaq (%rax,%rax,1),%rsi - shrq $3,%r9 - leaq (,%rax,4),%rdi - andq %rax,%r9 - leaq (,%rax,8),%r12 - sarq $63,%rax - leaq (%r9,%r9,1),%r10 - sarq $63,%rsi - leaq (,%r9,4),%r11 - andq %rbp,%rax - sarq $63,%rdi - movq %rax,%rdx - shlq $63,%rax - andq %rbp,%rsi - shrq $1,%rdx - movq %rsi,%rcx - shlq $62,%rsi - andq %rbp,%rdi - shrq $2,%rcx - xorq %rsi,%rax - movq %rdi,%rbx - shlq $61,%rdi - xorq %rcx,%rdx - shrq $3,%rbx - xorq %rdi,%rax - xorq %rbx,%rdx - - movq %r9,%r13 - movq $0,0(%rsp) - xorq %r10,%r13 - movq %r9,8(%rsp) - movq %r11,%r14 - movq %r10,16(%rsp) - xorq %r12,%r14 - movq %r13,24(%rsp) - - xorq %r11,%r9 - movq %r11,32(%rsp) - xorq %r11,%r10 - movq %r9,40(%rsp) - xorq %r11,%r13 - movq %r10,48(%rsp) - xorq %r14,%r9 - movq %r13,56(%rsp) - xorq %r14,%r10 - - movq %r12,64(%rsp) - xorq %r14,%r13 - movq %r9,72(%rsp) - xorq %r11,%r9 - movq %r10,80(%rsp) - xorq %r11,%r10 - movq %r13,88(%rsp) - - xorq %r11,%r13 - movq %r14,96(%rsp) - movq %r8,%rsi - movq %r9,104(%rsp) - andq %rbp,%rsi - movq %r10,112(%rsp) - shrq $4,%rbp - movq %r13,120(%rsp) - movq %r8,%rdi - andq %rbp,%rdi - shrq $4,%rbp - - movq (%rsp,%rsi,8),%xmm0 - movq %r8,%rsi - andq %rbp,%rsi - shrq $4,%rbp - movq (%rsp,%rdi,8),%rcx - movq %r8,%rdi - movq %rcx,%rbx - shlq $4,%rcx - andq %rbp,%rdi - movq (%rsp,%rsi,8),%xmm1 - shrq $60,%rbx - xorq %rcx,%rax - pslldq $1,%xmm1 - movq %r8,%rsi - shrq $4,%rbp - xorq %rbx,%rdx - andq %rbp,%rsi - shrq $4,%rbp - pxor %xmm1,%xmm0 - movq (%rsp,%rdi,8),%rcx - movq %r8,%rdi - movq %rcx,%rbx - shlq $12,%rcx - andq %rbp,%rdi - movq (%rsp,%rsi,8),%xmm1 - shrq $52,%rbx - xorq %rcx,%rax - pslldq $2,%xmm1 - movq %r8,%rsi - shrq $4,%rbp - xorq %rbx,%rdx - andq %rbp,%rsi - shrq $4,%rbp - pxor %xmm1,%xmm0 - movq (%rsp,%rdi,8),%rcx - movq %r8,%rdi - movq %rcx,%rbx - shlq $20,%rcx - andq %rbp,%rdi - movq (%rsp,%rsi,8),%xmm1 - shrq $44,%rbx - xorq 
%rcx,%rax - pslldq $3,%xmm1 - movq %r8,%rsi - shrq $4,%rbp - xorq %rbx,%rdx - andq %rbp,%rsi - shrq $4,%rbp - pxor %xmm1,%xmm0 - movq (%rsp,%rdi,8),%rcx - movq %r8,%rdi - movq %rcx,%rbx - shlq $28,%rcx - andq %rbp,%rdi - movq (%rsp,%rsi,8),%xmm1 - shrq $36,%rbx - xorq %rcx,%rax - pslldq $4,%xmm1 - movq %r8,%rsi - shrq $4,%rbp - xorq %rbx,%rdx - andq %rbp,%rsi - shrq $4,%rbp - pxor %xmm1,%xmm0 - movq (%rsp,%rdi,8),%rcx - movq %r8,%rdi - movq %rcx,%rbx - shlq $36,%rcx - andq %rbp,%rdi - movq (%rsp,%rsi,8),%xmm1 - shrq $28,%rbx - xorq %rcx,%rax - pslldq $5,%xmm1 - movq %r8,%rsi - shrq $4,%rbp - xorq %rbx,%rdx - andq %rbp,%rsi - shrq $4,%rbp - pxor %xmm1,%xmm0 - movq (%rsp,%rdi,8),%rcx - movq %r8,%rdi - movq %rcx,%rbx - shlq $44,%rcx - andq %rbp,%rdi - movq (%rsp,%rsi,8),%xmm1 - shrq $20,%rbx - xorq %rcx,%rax - pslldq $6,%xmm1 - movq %r8,%rsi - shrq $4,%rbp - xorq %rbx,%rdx - andq %rbp,%rsi - shrq $4,%rbp - pxor %xmm1,%xmm0 - movq (%rsp,%rdi,8),%rcx - movq %r8,%rdi - movq %rcx,%rbx - shlq $52,%rcx - andq %rbp,%rdi - movq (%rsp,%rsi,8),%xmm1 - shrq $12,%rbx - xorq %rcx,%rax - pslldq $7,%xmm1 - movq %r8,%rsi - shrq $4,%rbp - xorq %rbx,%rdx - andq %rbp,%rsi - shrq $4,%rbp - pxor %xmm1,%xmm0 - movq (%rsp,%rdi,8),%rcx - movq %rcx,%rbx - shlq $60,%rcx - movd %xmm0,%rsi - shrq $4,%rbx - xorq %rcx,%rax - psrldq $8,%xmm0 - xorq %rbx,%rdx - movd %xmm0,%rdi - xorq %rsi,%rax - xorq %rdi,%rdx - - addq $128+8,%rsp - retq -.Lend_mul_1x1: -.size _mul_1x1,.-_mul_1x1 - -.hidden OPENSSL_ia32cap_P -.globl bn_GF2m_mul_2x2 -.type bn_GF2m_mul_2x2,@function -.align 16 -bn_GF2m_mul_2x2: - movl OPENSSL_ia32cap_P+4(%rip),%eax - btl $IA32CAP_BIT1_PCLMUL,%eax - jnc .Lvanilla_mul_2x2 - - movd %rsi,%xmm0 - movd %rcx,%xmm1 - movd %rdx,%xmm2 - movd %r8,%xmm3 - movdqa %xmm0,%xmm4 - movdqa %xmm1,%xmm5 -.byte 102,15,58,68,193,0 - pxor %xmm2,%xmm4 - pxor %xmm3,%xmm5 -.byte 102,15,58,68,211,0 -.byte 102,15,58,68,229,0 - xorps %xmm0,%xmm4 - xorps %xmm2,%xmm4 - movdqa %xmm4,%xmm5 - pslldq $8,%xmm4 - psrldq 
$8,%xmm5 - pxor %xmm4,%xmm2 - pxor %xmm5,%xmm0 - movdqu %xmm2,0(%rdi) - movdqu %xmm0,16(%rdi) - retq - -.align 16 -.Lvanilla_mul_2x2: - leaq -136(%rsp),%rsp - movq %r14,80(%rsp) - movq %r13,88(%rsp) - movq %r12,96(%rsp) - movq %rbp,104(%rsp) - movq %rbx,112(%rsp) -.Lbody_mul_2x2: - movq %rdi,32(%rsp) - movq %rsi,40(%rsp) - movq %rdx,48(%rsp) - movq %rcx,56(%rsp) - movq %r8,64(%rsp) - - movq $15,%r8 - movq %rsi,%rax - movq %rcx,%rbp - call _mul_1x1 - movq %rax,16(%rsp) - movq %rdx,24(%rsp) - - movq 48(%rsp),%rax - movq 64(%rsp),%rbp - call _mul_1x1 - movq %rax,0(%rsp) - movq %rdx,8(%rsp) - - movq 40(%rsp),%rax - movq 56(%rsp),%rbp - xorq 48(%rsp),%rax - xorq 64(%rsp),%rbp - call _mul_1x1 - movq 0(%rsp),%rbx - movq 8(%rsp),%rcx - movq 16(%rsp),%rdi - movq 24(%rsp),%rsi - movq 32(%rsp),%rbp - - xorq %rdx,%rax - xorq %rcx,%rdx - xorq %rbx,%rax - movq %rbx,0(%rbp) - xorq %rdi,%rdx - movq %rsi,24(%rbp) - xorq %rsi,%rax - xorq %rsi,%rdx - xorq %rdx,%rax - movq %rdx,16(%rbp) - movq %rax,8(%rbp) - - movq 80(%rsp),%r14 - movq 88(%rsp),%r13 - movq 96(%rsp),%r12 - movq 104(%rsp),%rbp - movq 112(%rsp),%rbx - leaq 136(%rsp),%rsp - retq -.Lend_mul_2x2: -.size bn_GF2m_mul_2x2,.-bn_GF2m_mul_2x2 -.byte 71,70,40,50,94,109,41,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -.align 16 -#if defined(HAVE_GNU_STACK) -.section .note.GNU-stack,"",%progbits -#endif diff --git a/crypto/bn/gf2m-macosx-x86_64.S b/crypto/bn/gf2m-macosx-x86_64.S deleted file mode 100644 index 693e159..0000000 --- a/crypto/bn/gf2m-macosx-x86_64.S +++ /dev/null 
@@ -1,293 +0,0 @@ -#include "x86_arch.h" -.text - - -.p2align 4 -_mul_1x1: - subq $128+8,%rsp - movq $-1,%r9 - leaq (%rax,%rax,1),%rsi - shrq $3,%r9 - leaq (,%rax,4),%rdi - andq %rax,%r9 - leaq (,%rax,8),%r12 - sarq $63,%rax - leaq (%r9,%r9,1),%r10 - sarq $63,%rsi - leaq (,%r9,4),%r11 - andq %rbp,%rax - sarq $63,%rdi - movq %rax,%rdx - shlq $63,%rax - andq %rbp,%rsi - shrq $1,%rdx - movq %rsi,%rcx - shlq $62,%rsi - andq %rbp,%rdi - shrq $2,%rcx - xorq %rsi,%rax - movq %rdi,%rbx - shlq $61,%rdi - xorq %rcx,%rdx - shrq $3,%rbx - xorq %rdi,%rax - xorq %rbx,%rdx - - movq %r9,%r13 - movq $0,0(%rsp) - xorq %r10,%r13 - movq %r9,8(%rsp) - movq %r11,%r14 - movq %r10,16(%rsp) - xorq %r12,%r14 - movq %r13,24(%rsp) - - xorq %r11,%r9 - movq %r11,32(%rsp) - xorq %r11,%r10 - movq %r9,40(%rsp) - xorq %r11,%r13 - movq %r10,48(%rsp) - xorq %r14,%r9 - movq %r13,56(%rsp) - xorq %r14,%r10 - - movq %r12,64(%rsp) - xorq %r14,%r13 - movq %r9,72(%rsp) - xorq %r11,%r9 - movq %r10,80(%rsp) - xorq %r11,%r10 - movq %r13,88(%rsp) - - xorq %r11,%r13 - movq %r14,96(%rsp) - movq %r8,%rsi - movq %r9,104(%rsp) - andq %rbp,%rsi - movq %r10,112(%rsp) - shrq $4,%rbp - movq %r13,120(%rsp) - movq %r8,%rdi - andq %rbp,%rdi - shrq $4,%rbp - - movq (%rsp,%rsi,8),%xmm0 - movq %r8,%rsi - andq %rbp,%rsi - shrq $4,%rbp - movq (%rsp,%rdi,8),%rcx - movq %r8,%rdi - movq %rcx,%rbx - shlq $4,%rcx - andq %rbp,%rdi - movq (%rsp,%rsi,8),%xmm1 - shrq $60,%rbx - xorq %rcx,%rax - pslldq $1,%xmm1 - movq %r8,%rsi - shrq $4,%rbp - xorq %rbx,%rdx - andq %rbp,%rsi - shrq $4,%rbp - pxor %xmm1,%xmm0 - movq (%rsp,%rdi,8),%rcx - movq %r8,%rdi - movq %rcx,%rbx - shlq $12,%rcx - andq %rbp,%rdi - movq (%rsp,%rsi,8),%xmm1 - shrq $52,%rbx - xorq %rcx,%rax - pslldq $2,%xmm1 - movq %r8,%rsi - shrq $4,%rbp - xorq %rbx,%rdx - andq %rbp,%rsi - shrq $4,%rbp - pxor %xmm1,%xmm0 - movq (%rsp,%rdi,8),%rcx - movq %r8,%rdi - movq %rcx,%rbx - shlq $20,%rcx - andq %rbp,%rdi - movq (%rsp,%rsi,8),%xmm1 - shrq $44,%rbx - xorq %rcx,%rax - pslldq 
$3,%xmm1 - movq %r8,%rsi - shrq $4,%rbp - xorq %rbx,%rdx - andq %rbp,%rsi - shrq $4,%rbp - pxor %xmm1,%xmm0 - movq (%rsp,%rdi,8),%rcx - movq %r8,%rdi - movq %rcx,%rbx - shlq $28,%rcx - andq %rbp,%rdi - movq (%rsp,%rsi,8),%xmm1 - shrq $36,%rbx - xorq %rcx,%rax - pslldq $4,%xmm1 - movq %r8,%rsi - shrq $4,%rbp - xorq %rbx,%rdx - andq %rbp,%rsi - shrq $4,%rbp - pxor %xmm1,%xmm0 - movq (%rsp,%rdi,8),%rcx - movq %r8,%rdi - movq %rcx,%rbx - shlq $36,%rcx - andq %rbp,%rdi - movq (%rsp,%rsi,8),%xmm1 - shrq $28,%rbx - xorq %rcx,%rax - pslldq $5,%xmm1 - movq %r8,%rsi - shrq $4,%rbp - xorq %rbx,%rdx - andq %rbp,%rsi - shrq $4,%rbp - pxor %xmm1,%xmm0 - movq (%rsp,%rdi,8),%rcx - movq %r8,%rdi - movq %rcx,%rbx - shlq $44,%rcx - andq %rbp,%rdi - movq (%rsp,%rsi,8),%xmm1 - shrq $20,%rbx - xorq %rcx,%rax - pslldq $6,%xmm1 - movq %r8,%rsi - shrq $4,%rbp - xorq %rbx,%rdx - andq %rbp,%rsi - shrq $4,%rbp - pxor %xmm1,%xmm0 - movq (%rsp,%rdi,8),%rcx - movq %r8,%rdi - movq %rcx,%rbx - shlq $52,%rcx - andq %rbp,%rdi - movq (%rsp,%rsi,8),%xmm1 - shrq $12,%rbx - xorq %rcx,%rax - pslldq $7,%xmm1 - movq %r8,%rsi - shrq $4,%rbp - xorq %rbx,%rdx - andq %rbp,%rsi - shrq $4,%rbp - pxor %xmm1,%xmm0 - movq (%rsp,%rdi,8),%rcx - movq %rcx,%rbx - shlq $60,%rcx - movd %xmm0,%rsi - shrq $4,%rbx - xorq %rcx,%rax - psrldq $8,%xmm0 - xorq %rbx,%rdx - movd %xmm0,%rdi - xorq %rsi,%rax - xorq %rdi,%rdx - - addq $128+8,%rsp - retq -L$end_mul_1x1: - - -.private_extern _OPENSSL_ia32cap_P -.globl _bn_GF2m_mul_2x2 - -.p2align 4 -_bn_GF2m_mul_2x2: - movl _OPENSSL_ia32cap_P+4(%rip),%eax - btl $IA32CAP_BIT1_PCLMUL,%eax - jnc L$vanilla_mul_2x2 - - movd %rsi,%xmm0 - movd %rcx,%xmm1 - movd %rdx,%xmm2 - movd %r8,%xmm3 - movdqa %xmm0,%xmm4 - movdqa %xmm1,%xmm5 -.byte 102,15,58,68,193,0 - pxor %xmm2,%xmm4 - pxor %xmm3,%xmm5 -.byte 102,15,58,68,211,0 -.byte 102,15,58,68,229,0 - xorps %xmm0,%xmm4 - xorps %xmm2,%xmm4 - movdqa %xmm4,%xmm5 - pslldq $8,%xmm4 - psrldq $8,%xmm5 - pxor %xmm4,%xmm2 - pxor %xmm5,%xmm0 - movdqu 
%xmm2,0(%rdi) - movdqu %xmm0,16(%rdi) - retq - -.p2align 4 -L$vanilla_mul_2x2: - leaq -136(%rsp),%rsp - movq %r14,80(%rsp) - movq %r13,88(%rsp) - movq %r12,96(%rsp) - movq %rbp,104(%rsp) - movq %rbx,112(%rsp) -L$body_mul_2x2: - movq %rdi,32(%rsp) - movq %rsi,40(%rsp) - movq %rdx,48(%rsp) - movq %rcx,56(%rsp) - movq %r8,64(%rsp) - - movq $15,%r8 - movq %rsi,%rax - movq %rcx,%rbp - call _mul_1x1 - movq %rax,16(%rsp) - movq %rdx,24(%rsp) - - movq 48(%rsp),%rax - movq 64(%rsp),%rbp - call _mul_1x1 - movq %rax,0(%rsp) - movq %rdx,8(%rsp) - - movq 40(%rsp),%rax - movq 56(%rsp),%rbp - xorq 48(%rsp),%rax - xorq 64(%rsp),%rbp - call _mul_1x1 - movq 0(%rsp),%rbx - movq 8(%rsp),%rcx - movq 16(%rsp),%rdi - movq 24(%rsp),%rsi - movq 32(%rsp),%rbp - - xorq %rdx,%rax - xorq %rcx,%rdx - xorq %rbx,%rax - movq %rbx,0(%rbp) - xorq %rdi,%rdx - movq %rsi,24(%rbp) - xorq %rsi,%rax - xorq %rsi,%rdx - xorq %rdx,%rax - movq %rdx,16(%rbp) - movq %rax,8(%rbp) - - movq 80(%rsp),%r14 - movq 88(%rsp),%r13 - movq 96(%rsp),%r12 - movq 104(%rsp),%rbp - movq 112(%rsp),%rbx - leaq 136(%rsp),%rsp - retq -L$end_mul_2x2: - -.byte 71,70,40,50,94,109,41,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -.p2align 4 diff --git a/crypto/bn/gf2m-masm-x86_64.S b/crypto/bn/gf2m-masm-x86_64.S deleted file mode 100644 index a3ce027..0000000 --- a/crypto/bn/gf2m-masm-x86_64.S +++ /dev/null 
@@ -1,469 +0,0 @@ -; 1 "crypto/bn/gf2m-masm-x86_64.S.tmp" -; 1 "" 1 -; 1 "" 3 -; 343 "" 3 -; 1 "" 1 -; 1 "" 2 -; 1 "crypto/bn/gf2m-masm-x86_64.S.tmp" 2 -OPTION DOTNAME - -; 1 "./crypto/x86_arch.h" 1 - - -; 16 "./crypto/x86_arch.h" - - - - - - - - - -; 40 "./crypto/x86_arch.h" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -; 3 "crypto/bn/gf2m-masm-x86_64.S.tmp" 2 -.text$ SEGMENT ALIGN(64) 'CODE' - - -ALIGN 16 -_mul_1x1 PROC PRIVATE - sub rsp,128+8 - mov r9,-1 - lea rsi,QWORD PTR[rax*1+rax] - shr r9,3 - lea rdi,QWORD PTR[rax*4] - and r9,rax - lea r12,QWORD PTR[rax*8] - sar rax,63 - lea r10,QWORD PTR[r9*1+r9] - sar rsi,63 - lea r11,QWORD PTR[r9*4] - and rax,rbp - sar rdi,63 - mov rdx,rax - shl rax,63 - and rsi,rbp - shr rdx,1 - mov rcx,rsi - shl rsi,62 - and rdi,rbp - shr rcx,2 - xor rax,rsi - mov rbx,rdi - shl rdi,61 - xor rdx,rcx - shr rbx,3 - xor rax,rdi - xor rdx,rbx - - mov r13,r9 - mov QWORD PTR[rsp],0 - xor r13,r10 - mov QWORD PTR[8+rsp],r9 - mov r14,r11 - mov QWORD PTR[16+rsp],r10 - xor r14,r12 - mov QWORD PTR[24+rsp],r13 - - xor r9,r11 - mov QWORD PTR[32+rsp],r11 - xor r10,r11 - mov QWORD PTR[40+rsp],r9 - xor r13,r11 - mov QWORD PTR[48+rsp],r10 - xor r9,r14 - mov QWORD PTR[56+rsp],r13 - xor r10,r14 - - mov QWORD PTR[64+rsp],r12 - xor r13,r14 - mov QWORD PTR[72+rsp],r9 - xor r9,r11 - mov QWORD PTR[80+rsp],r10 - xor r10,r11 - mov QWORD PTR[88+rsp],r13 - - xor r13,r11 - mov QWORD PTR[96+rsp],r14 - mov rsi,r8 - mov QWORD PTR[104+rsp],r9 - and rsi,rbp - mov QWORD PTR[112+rsp],r10 - shr rbp,4 - mov QWORD PTR[120+rsp],r13 - mov rdi,r8 - and rdi,rbp - shr rbp,4 - - movq xmm0,QWORD PTR[rsi*8+rsp] - mov rsi,r8 - and rsi,rbp - shr rbp,4 - mov rcx,QWORD PTR[rdi*8+rsp] - mov rdi,r8 - mov rbx,rcx - shl rcx,4 - and rdi,rbp - movq xmm1,QWORD PTR[rsi*8+rsp] - shr rbx,60 - xor rax,rcx - pslldq xmm1,1 - mov rsi,r8 - shr rbp,4 - xor rdx,rbx - and rsi,rbp - shr rbp,4 - pxor xmm0,xmm1 - mov rcx,QWORD PTR[rdi*8+rsp] - mov rdi,r8 - mov 
rbx,rcx - shl rcx,12 - and rdi,rbp - movq xmm1,QWORD PTR[rsi*8+rsp] - shr rbx,52 - xor rax,rcx - pslldq xmm1,2 - mov rsi,r8 - shr rbp,4 - xor rdx,rbx - and rsi,rbp - shr rbp,4 - pxor xmm0,xmm1 - mov rcx,QWORD PTR[rdi*8+rsp] - mov rdi,r8 - mov rbx,rcx - shl rcx,20 - and rdi,rbp - movq xmm1,QWORD PTR[rsi*8+rsp] - shr rbx,44 - xor rax,rcx - pslldq xmm1,3 - mov rsi,r8 - shr rbp,4 - xor rdx,rbx - and rsi,rbp - shr rbp,4 - pxor xmm0,xmm1 - mov rcx,QWORD PTR[rdi*8+rsp] - mov rdi,r8 - mov rbx,rcx - shl rcx,28 - and rdi,rbp - movq xmm1,QWORD PTR[rsi*8+rsp] - shr rbx,36 - xor rax,rcx - pslldq xmm1,4 - mov rsi,r8 - shr rbp,4 - xor rdx,rbx - and rsi,rbp - shr rbp,4 - pxor xmm0,xmm1 - mov rcx,QWORD PTR[rdi*8+rsp] - mov rdi,r8 - mov rbx,rcx - shl rcx,36 - and rdi,rbp - movq xmm1,QWORD PTR[rsi*8+rsp] - shr rbx,28 - xor rax,rcx - pslldq xmm1,5 - mov rsi,r8 - shr rbp,4 - xor rdx,rbx - and rsi,rbp - shr rbp,4 - pxor xmm0,xmm1 - mov rcx,QWORD PTR[rdi*8+rsp] - mov rdi,r8 - mov rbx,rcx - shl rcx,44 - and rdi,rbp - movq xmm1,QWORD PTR[rsi*8+rsp] - shr rbx,20 - xor rax,rcx - pslldq xmm1,6 - mov rsi,r8 - shr rbp,4 - xor rdx,rbx - and rsi,rbp - shr rbp,4 - pxor xmm0,xmm1 - mov rcx,QWORD PTR[rdi*8+rsp] - mov rdi,r8 - mov rbx,rcx - shl rcx,52 - and rdi,rbp - movq xmm1,QWORD PTR[rsi*8+rsp] - shr rbx,12 - xor rax,rcx - pslldq xmm1,7 - mov rsi,r8 - shr rbp,4 - xor rdx,rbx - and rsi,rbp - shr rbp,4 - pxor xmm0,xmm1 - mov rcx,QWORD PTR[rdi*8+rsp] - mov rbx,rcx - shl rcx,60 - movd rsi,xmm0 - shr rbx,4 - xor rax,rcx - psrldq xmm0,8 - xor rdx,rbx - movd rdi,xmm0 - xor rax,rsi - xor rdx,rdi - - add rsp,128+8 - DB 0F3h,0C3h ;repret -$L$end_mul_1x1:: -_mul_1x1 ENDP -EXTERN OPENSSL_ia32cap_P:NEAR - -PUBLIC bn_GF2m_mul_2x2 - -ALIGN 16 -bn_GF2m_mul_2x2 PROC PUBLIC - mov eax,DWORD PTR[((OPENSSL_ia32cap_P+4))] - bt eax,1 - jnc $L$vanilla_mul_2x2 - - movd xmm0,rdx - movd xmm1,r9 - movd xmm2,r8 - movq xmm3,QWORD PTR[40+rsp] - movdqa xmm4,xmm0 - movdqa xmm5,xmm1 -DB 102,15,58,68,193,0 - pxor xmm4,xmm2 - pxor 
xmm5,xmm3 -DB 102,15,58,68,211,0 -DB 102,15,58,68,229,0 - xorps xmm4,xmm0 - xorps xmm4,xmm2 - movdqa xmm5,xmm4 - pslldq xmm4,8 - psrldq xmm5,8 - pxor xmm2,xmm4 - pxor xmm0,xmm5 - movdqu XMMWORD PTR[rcx],xmm2 - movdqu XMMWORD PTR[16+rcx],xmm0 - DB 0F3h,0C3h ;repret - -ALIGN 16 -$L$vanilla_mul_2x2:: - lea rsp,QWORD PTR[((-136))+rsp] - mov r10,QWORD PTR[176+rsp] - mov QWORD PTR[120+rsp],rdi - mov QWORD PTR[128+rsp],rsi - mov QWORD PTR[80+rsp],r14 - mov QWORD PTR[88+rsp],r13 - mov QWORD PTR[96+rsp],r12 - mov QWORD PTR[104+rsp],rbp - mov QWORD PTR[112+rsp],rbx -$L$body_mul_2x2:: - mov QWORD PTR[32+rsp],rcx - mov QWORD PTR[40+rsp],rdx - mov QWORD PTR[48+rsp],r8 - mov QWORD PTR[56+rsp],r9 - mov QWORD PTR[64+rsp],r10 - - mov r8,0fh - mov rax,rdx - mov rbp,r9 - call _mul_1x1 - mov QWORD PTR[16+rsp],rax - mov QWORD PTR[24+rsp],rdx - - mov rax,QWORD PTR[48+rsp] - mov rbp,QWORD PTR[64+rsp] - call _mul_1x1 - mov QWORD PTR[rsp],rax - mov QWORD PTR[8+rsp],rdx - - mov rax,QWORD PTR[40+rsp] - mov rbp,QWORD PTR[56+rsp] - xor rax,QWORD PTR[48+rsp] - xor rbp,QWORD PTR[64+rsp] - call _mul_1x1 - mov rbx,QWORD PTR[rsp] - mov rcx,QWORD PTR[8+rsp] - mov rdi,QWORD PTR[16+rsp] - mov rsi,QWORD PTR[24+rsp] - mov rbp,QWORD PTR[32+rsp] - - xor rax,rdx - xor rdx,rcx - xor rax,rbx - mov QWORD PTR[rbp],rbx - xor rdx,rdi - mov QWORD PTR[24+rbp],rsi - xor rax,rsi - xor rdx,rsi - xor rax,rdx - mov QWORD PTR[16+rbp],rdx - mov QWORD PTR[8+rbp],rax - - mov r14,QWORD PTR[80+rsp] - mov r13,QWORD PTR[88+rsp] - mov r12,QWORD PTR[96+rsp] - mov rbp,QWORD PTR[104+rsp] - mov rbx,QWORD PTR[112+rsp] - mov rdi,QWORD PTR[120+rsp] - mov rsi,QWORD PTR[128+rsp] - lea rsp,QWORD PTR[136+rsp] - DB 0F3h,0C3h ;repret -$L$end_mul_2x2:: -bn_GF2m_mul_2x2 ENDP -DB 71,70,40,50,94,109,41,32,77,117,108,116,105,112,108,105 -DB 99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54 -DB 52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121 -DB 32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46 -DB 111,114,103,62,0 -ALIGN 16 
-EXTERN __imp_RtlVirtualUnwind:NEAR - - -ALIGN 16 -se_handler PROC PRIVATE - push rsi - push rdi - push rbx - push rbp - push r12 - push r13 - push r14 - push r15 - pushfq - sub rsp,64 - - mov rax,QWORD PTR[152+r8] - mov rbx,QWORD PTR[248+r8] - - lea r10,QWORD PTR[$L$body_mul_2x2] - cmp rbx,r10 - jb $L$in_prologue - - mov r14,QWORD PTR[80+rax] - mov r13,QWORD PTR[88+rax] - mov r12,QWORD PTR[96+rax] - mov rbp,QWORD PTR[104+rax] - mov rbx,QWORD PTR[112+rax] - mov rdi,QWORD PTR[120+rax] - mov rsi,QWORD PTR[128+rax] - - mov QWORD PTR[144+r8],rbx - mov QWORD PTR[160+r8],rbp - mov QWORD PTR[168+r8],rsi - mov QWORD PTR[176+r8],rdi - mov QWORD PTR[216+r8],r12 - mov QWORD PTR[224+r8],r13 - mov QWORD PTR[232+r8],r14 - -$L$in_prologue:: - lea rax,QWORD PTR[136+rax] - mov QWORD PTR[152+r8],rax - - mov rdi,QWORD PTR[40+r9] - mov rsi,r8 - mov ecx,154 - DD 0a548f3fch - - mov rsi,r9 - xor rcx,rcx - mov rdx,QWORD PTR[8+rsi] - mov r8,QWORD PTR[rsi] - mov r9,QWORD PTR[16+rsi] - mov r10,QWORD PTR[40+rsi] - lea r11,QWORD PTR[56+rsi] - lea r12,QWORD PTR[24+rsi] - mov QWORD PTR[32+rsp],r10 - mov QWORD PTR[40+rsp],r11 - mov QWORD PTR[48+rsp],r12 - mov QWORD PTR[56+rsp],rcx - call QWORD PTR[__imp_RtlVirtualUnwind] - - mov eax,1 - add rsp,64 - popfq - pop r15 - pop r14 - pop r13 - pop r12 - pop rbp - pop rbx - pop rdi - pop rsi - DB 0F3h,0C3h ;repret -se_handler ENDP - -.text$ ENDS -.pdata SEGMENT READONLY ALIGN(4) -ALIGN 4 - DD imagerel _mul_1x1 - DD imagerel $L$end_mul_1x1 - DD imagerel $L$SEH_info_1x1 - - DD imagerel $L$vanilla_mul_2x2 - DD imagerel $L$end_mul_2x2 - DD imagerel $L$SEH_info_2x2 -.pdata ENDS -.xdata SEGMENT READONLY ALIGN(8) -ALIGN 8 -$L$SEH_info_1x1:: -DB 001h,007h,002h,000h -DB 007h,001h,011h,000h -$L$SEH_info_2x2:: -DB 9,0,0,0 - DD imagerel se_handler - -.xdata ENDS -END - diff --git a/crypto/bn/modexp512-elf-x86_64.S b/crypto/bn/modexp512-elf-x86_64.S index 76baefe..87fc026 100644 --- a/crypto/bn/modexp512-elf-x86_64.S +++ b/crypto/bn/modexp512-elf-x86_64.S 
@@ -4,6 +4,7 @@ .type MULADD_128x512,@function .align 16 MULADD_128x512: + endbr64 movq 0(%rsi),%rax mulq %rbp addq %rax,%r8 @@ -134,6 +135,7 @@ MULADD_128x512: .type mont_reduce,@function .align 16 mont_reduce: + endbr64 leaq 192(%rsp),%rdi movq 32(%rsp),%rsi addq $576,%rsi @@ -577,6 +579,7 @@ mont_reduce: .type mont_mul_a3b,@function .align 16 mont_mul_a3b: + endbr64 @@ -1083,6 +1086,7 @@ mont_mul_a3b: .type sqr_reduce,@function .align 16 sqr_reduce: + endbr64 movq 16(%rsp),%rcx @@ -1466,6 +1470,7 @@ sqr_reduce: .globl mod_exp_512 .type mod_exp_512,@function mod_exp_512: + endbr64 pushq %rbp pushq %rbx pushq %r12 diff --git a/crypto/bn/modexp512-macosx-x86_64.S b/crypto/bn/modexp512-macosx-x86_64.S index 4d7b0b8..84c8ccb 100644 --- a/crypto/bn/modexp512-macosx-x86_64.S +++ b/crypto/bn/modexp512-macosx-x86_64.S @@ -4,6 +4,7 @@ .p2align 4 MULADD_128x512: + movq 0(%rsi),%rax mulq %rbp addq %rax,%r8 @@ -134,6 +135,7 @@ MULADD_128x512: .p2align 4 mont_reduce: + leaq 192(%rsp),%rdi movq 32(%rsp),%rsi addq $576,%rsi @@ -577,6 +579,7 @@ mont_reduce: .p2align 4 mont_mul_a3b: + @@ -1083,6 +1086,7 @@ mont_mul_a3b: .p2align 4 sqr_reduce: + movq 16(%rsp),%rcx @@ -1466,6 +1470,7 @@ sqr_reduce: .globl _mod_exp_512 _mod_exp_512: + pushq %rbp pushq %rbx pushq %r12 diff --git a/crypto/bn/modexp512-masm-x86_64.S b/crypto/bn/modexp512-masm-x86_64.S index 9626fe3..6ddecdb 100644 --- a/crypto/bn/modexp512-masm-x86_64.S +++ b/crypto/bn/modexp512-masm-x86_64.S @@ -72,6 +72,7 @@ OPTION DOTNAME ALIGN 16 MULADD_128x512 PROC PRIVATE + endbr64 mov rax,QWORD PTR[rsi] mul rbp add r8,rax @@ -202,6 +203,7 @@ MULADD_128x512 ENDP ALIGN 16 mont_reduce PROC PRIVATE + endbr64 lea rdi,QWORD PTR[192+rsp] mov rsi,QWORD PTR[32+rsp] add rsi,576 @@ -645,6 +647,7 @@ mont_reduce ENDP ALIGN 16 mont_mul_a3b PROC PRIVATE + endbr64 @@ -1151,6 +1154,7 @@ mont_mul_a3b ENDP ALIGN 16 sqr_reduce PROC PRIVATE + endbr64 mov rcx,QWORD PTR[16+rsp] 
@@ -1544,6 +1548,7 @@ $L$SEH_begin_mod_exp_512:: mov rcx,r9 + endbr64 push rbp push rbx push r12 diff --git a/crypto/bn/mont-elf-x86_64.S b/crypto/bn/mont-elf-x86_64.S index 3576545..7847a19 100644 --- a/crypto/bn/mont-elf-x86_64.S +++ b/crypto/bn/mont-elf-x86_64.S @@ -5,6 +5,7 @@ .type bn_mul_mont,@function .align 16 bn_mul_mont: + endbr64 testl $3,%r9d jnz .Lmul_enter cmpl $8,%r9d @@ -212,6 +213,7 @@ bn_mul_mont: .align 16 bn_mul4x_mont: .Lmul4x_enter: + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -610,6 +612,7 @@ bn_mul4x_mont: .align 16 bn_sqr4x_mont: .Lsqr4x_enter: + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -1371,8 +1374,6 @@ bn_sqr4x_mont: .Lsqr4x_epilogue: retq .size bn_sqr4x_mont,.-bn_sqr4x_mont -.byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -.align 16 #if defined(HAVE_GNU_STACK) .section .note.GNU-stack,"",%progbits #endif diff --git a/crypto/bn/mont-macosx-x86_64.S b/crypto/bn/mont-macosx-x86_64.S index 7de69d9..dfcdbb1 100644 --- a/crypto/bn/mont-macosx-x86_64.S +++ b/crypto/bn/mont-macosx-x86_64.S @@ -5,6 +5,7 @@ .p2align 4 _bn_mul_mont: + testl $3,%r9d jnz L$mul_enter cmpl $8,%r9d @@ -212,6 +213,7 @@ L$mul_epilogue: .p2align 4 bn_mul4x_mont: L$mul4x_enter: + pushq %rbx pushq %rbp pushq %r12 @@ -610,6 +612,7 @@ L$mul4x_epilogue: .p2align 4 bn_sqr4x_mont: L$sqr4x_enter: + pushq %rbx pushq %rbp pushq %r12 @@ -1371,5 +1374,3 @@ L$sqr4x_copy: L$sqr4x_epilogue: retq -.byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 -.p2align 4 diff --git a/crypto/bn/mont-masm-x86_64.S b/crypto/bn/mont-masm-x86_64.S index 4896acd..d50022b 100644 
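Review bot: The `endbr64` added to the masm mod_exp_512 sits after `mov rcx,r9`, at the end of the Win64-to-SysV argument shuffle that follows `$L$SEH_begin_mod_exp_512::`, so it is not the first instruction at the public symbol an indirect call would target, whereas the ELF hunk for the same function places it directly after the `mod_exp_512:` label. An IBT landing pad only counts at the branch target itself, so if Windows CET/IBT coverage is intended the instruction belongs at the `PROC PUBLIC` entry (outside this hunk), ahead of the home-slot stores and register moves; if it is not intended, the instruction is inert and a short generator comment would stop readers assuming the masm build is covered. The mont-masm and mont5-masm hunks later in this diff show the same placement after the argument loads. The body of mod_exp_512 continues beyond the hunk on both sides.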
--- a/crypto/bn/mont-masm-x86_64.S +++ b/crypto/bn/mont-masm-x86_64.S @@ -85,6 +85,7 @@ $L$SEH_begin_bn_mul_mont:: mov r9,QWORD PTR[48+rsp] + endbr64 test r9d,3 jnz $L$mul_enter cmp r9d,8 @@ -307,6 +308,7 @@ $L$SEH_begin_bn_mul4x_mont:: $L$mul4x_enter:: + endbr64 push rbx push rbp push r12 @@ -720,6 +722,7 @@ $L$SEH_begin_bn_sqr4x_mont:: $L$sqr4x_enter:: + endbr64 push rbx push rbp push r12 @@ -1484,12 +1487,6 @@ $L$sqr4x_epilogue:: DB 0F3h,0C3h ;repret $L$SEH_end_bn_sqr4x_mont:: bn_sqr4x_mont ENDP -DB 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105 -DB 112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56 -DB 54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83 -DB 32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115 -DB 115,108,46,111,114,103,62,0 -ALIGN 16 .text$ ENDS END diff --git a/crypto/bn/mont-mips.S b/crypto/bn/mont-mips.S new file mode 100644 index 0000000..65f7b22 --- /dev/null +++ b/crypto/bn/mont-mips.S 
@@ -0,0 +1,287 @@ +.text + +.set noat +.set noreorder + +.align 5 +.globl bn_mul_mont +.ent bn_mul_mont +bn_mul_mont: + lw $8,16($29) + lw $9,20($29) + slt $1,$9,4 + bnez $1,1f + li $2,0 + slt $1,$9,17 # on in-order CPU + bnez $1,bn_mul_mont_internal + nop +1: jr $31 + li $4,0 +.end bn_mul_mont + +.align 5 +.ent bn_mul_mont_internal +bn_mul_mont_internal: + .frame $30,14*4,$31 + .mask 0x40000000|16711680,-4 + sub $29,14*4 + sw $30,(14-1)*4($29) + sw $23,(14-2)*4($29) + sw $22,(14-3)*4($29) + sw $21,(14-4)*4($29) + sw $20,(14-5)*4($29) + sw $19,(14-6)*4($29) + sw $18,(14-7)*4($29) + sw $17,(14-8)*4($29) + sw $16,(14-9)*4($29) + move $30,$29 + + .set reorder + lw $8,0($8) + lw $13,0($6) # bp[0] + lw $12,0($5) # ap[0] + lw $14,0($7) # np[0] + + sub $29,2*4 # place for two extra words + sll $9,2 + li $1,-4096 + sub $29,$9 + and $29,$1 + + multu $12,$13 + lw $16,4($5) + lw $18,4($7) + mflo $10 + mfhi $11 + multu $10,$8 + mflo $23 + + multu $16,$13 + mflo $16 + mfhi $17 + + multu $14,$23 + mflo $24 + mfhi $25 + multu $18,$23 + addu $24,$10 + sltu $1,$24,$10 + addu $25,$1 + mflo $18 + mfhi $19 + + move $15,$29 + li $22,2*4 +.align 4 +.L1st: + .set noreorder + add $12,$5,$22 + add $14,$7,$22 + lw $12,($12) + lw $14,($14) + + multu $12,$13 + addu $10,$16,$11 + addu $24,$18,$25 + sltu $1,$10,$11 + sltu $2,$24,$25 + addu $11,$17,$1 + addu $25,$19,$2 + mflo $16 + mfhi $17 + + addu $24,$10 + sltu $1,$24,$10 + multu $14,$23 + addu $25,$1 + addu $22,4 + sw $24,($15) + sltu $2,$22,$9 + mflo $18 + mfhi $19 + + bnez $2,.L1st + add $15,4 + .set reorder + + addu $10,$16,$11 + sltu $1,$10,$11 + addu $11,$17,$1 + + addu $24,$18,$25 + sltu $2,$24,$25 + addu $25,$19,$2 + addu $24,$10 + sltu $1,$24,$10 + addu $25,$1 + + sw $24,($15) + + addu $25,$11 + sltu $1,$25,$11 + sw $25,4($15) + sw $1,2*4($15) + + li $21,4 +.align 4 +.Louter: + add $13,$6,$21 + lw $13,($13) + lw $12,($5) + lw $16,4($5) + lw $20,($29) + + multu $12,$13 + lw $14,($7) + lw $18,4($7) + mflo $10 + mfhi $11 + addu $10,$20 
+ multu $10,$8 + sltu $1,$10,$20 + addu $11,$1 + mflo $23 + + multu $16,$13 + mflo $16 + mfhi $17 + + multu $14,$23 + mflo $24 + mfhi $25 + + multu $18,$23 + addu $24,$10 + sltu $1,$24,$10 + addu $25,$1 + mflo $18 + mfhi $19 + + move $15,$29 + li $22,2*4 + lw $20,4($15) +.align 4 +.Linner: + .set noreorder + add $12,$5,$22 + add $14,$7,$22 + lw $12,($12) + lw $14,($14) + + multu $12,$13 + addu $10,$16,$11 + addu $24,$18,$25 + sltu $1,$10,$11 + sltu $2,$24,$25 + addu $11,$17,$1 + addu $25,$19,$2 + mflo $16 + mfhi $17 + + addu $10,$20 + addu $22,4 + multu $14,$23 + sltu $1,$10,$20 + addu $24,$10 + addu $11,$1 + sltu $2,$24,$10 + lw $20,2*4($15) + addu $25,$2 + sltu $1,$22,$9 + mflo $18 + mfhi $19 + sw $24,($15) + bnez $1,.Linner + add $15,4 + .set reorder + + addu $10,$16,$11 + sltu $1,$10,$11 + addu $11,$17,$1 + addu $10,$20 + sltu $2,$10,$20 + addu $11,$2 + + lw $20,2*4($15) + addu $24,$18,$25 + sltu $1,$24,$25 + addu $25,$19,$1 + addu $24,$10 + sltu $2,$24,$10 + addu $25,$2 + sw $24,($15) + + addu $24,$25,$11 + sltu $25,$24,$11 + addu $24,$20 + sltu $1,$24,$20 + addu $25,$1 + sw $24,4($15) + sw $25,2*4($15) + + addu $21,4 + sltu $2,$21,$9 + bnez $2,.Louter + + .set noreorder + add $20,$29,$9 # &tp[num] + move $15,$29 + move $5,$29 + li $11,0 # clear borrow bit + +.align 4 +.Lsub: lw $10,($15) + lw $24,($7) + add $15,4 + add $7,4 + subu $24,$10,$24 # tp[i]-np[i] + sgtu $1,$24,$10 + subu $10,$24,$11 + sgtu $11,$10,$24 + sw $10,($4) + or $11,$1 + sltu $1,$15,$20 + bnez $1,.Lsub + add $4,4 + + subu $11,$25,$11 # handle upmost overflow bit + move $15,$29 + sub $4,$9 # restore rp + not $25,$11 + + and $5,$11,$29 + and $6,$25,$4 + or $5,$5,$6 # ap=borrow?tp:rp + +.align 4 +.Lcopy: lw $12,($5) + add $5,4 + sw $0,($15) + add $15,4 + sltu $1,$15,$20 + sw $12,($4) + bnez $1,.Lcopy + add $4,4 + + li $4,1 + li $2,1 + + .set noreorder + move $29,$30 + lw $30,(14-1)*4($29) + lw $23,(14-2)*4($29) + lw $22,(14-3)*4($29) + lw $21,(14-4)*4($29) + lw $20,(14-5)*4($29) + lw 
$19,(14-6)*4($29) + lw $18,(14-7)*4($29) + lw $17,(14-8)*4($29) + lw $16,(14-9)*4($29) + jr $31 + add $29,14*4 +.end bn_mul_mont_internal +.rdata +.asciiz "Montgomery Multiplication for MIPS, CRYPTOGAMS by " +#if defined(HAVE_GNU_STACK) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/bn/mont5-elf-x86_64.S b/crypto/bn/mont5-elf-x86_64.S index 48cc771..a3dbbca 100644 --- a/crypto/bn/mont5-elf-x86_64.S +++ b/crypto/bn/mont5-elf-x86_64.S @@ -5,6 +5,7 @@ .type bn_mul_mont_gather5,@function .align 64 bn_mul_mont_gather5: + endbr64 testl $3,%r9d jnz .Lmul_enter cmpl $8,%r9d @@ -400,6 +401,7 @@ bn_mul_mont_gather5: .type bn_mul4x_mont_gather5,@function .align 16 bn_mul4x_mont_gather5: + endbr64 .Lmul4x_enter: movl %r9d,%r9d movd 8(%rsp),%xmm5 @@ -990,6 +992,7 @@ bn_mul4x_mont_gather5: .type bn_scatter5,@function .align 16 bn_scatter5: + endbr64 cmpq $0,%rsi jz .Lscatter_epilogue leaq (%rdx,%rcx,8),%rdx @@ -1008,6 +1011,7 @@ bn_scatter5: .type bn_gather5,@function .align 16 bn_gather5: + endbr64 .LSEH_begin_bn_gather5: .byte 0x4c,0x8d,0x14,0x24 @@ -1167,11 +1171,12 @@ bn_gather5: retq .LSEH_end_bn_gather5: .size bn_gather5,.-bn_gather5 +.section .rodata .align 64 .Linc: .long 0,0, 1,1 .long 2,2, 2,2 -.byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,119,105,116,104,32,115,99,97,116,116,101,114,47,103,97,116,104,101,114,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.text #if defined(HAVE_GNU_STACK) .section .note.GNU-stack,"",%progbits #endif diff --git a/crypto/bn/mont5-macosx-x86_64.S b/crypto/bn/mont5-macosx-x86_64.S index 039229f..5d7a1fe 100644 --- a/crypto/bn/mont5-macosx-x86_64.S +++ b/crypto/bn/mont5-macosx-x86_64.S @@ -5,6 +5,7 @@ .p2align 6 _bn_mul_mont_gather5: + testl $3,%r9d jnz L$mul_enter cmpl $8,%r9d 
@@ -400,6 +401,7 @@ L$mul_epilogue: .p2align 4 bn_mul4x_mont_gather5: + L$mul4x_enter: movl %r9d,%r9d movd 8(%rsp),%xmm5 @@ -990,6 +992,7 @@ L$mul4x_epilogue: .p2align 4 _bn_scatter5: + cmpq $0,%rsi jz L$scatter_epilogue leaq (%rdx,%rcx,8),%rdx @@ -1008,6 +1011,7 @@ L$scatter_epilogue: .p2align 4 _bn_gather5: + L$SEH_begin_bn_gather5: .byte 0x4c,0x8d,0x14,0x24 @@ -1167,8 +1171,9 @@ L$gather: retq L$SEH_end_bn_gather5: +.section __DATA,__const .p2align 6 L$inc: .long 0,0, 1,1 .long 2,2, 2,2 -.byte 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105,112,108,105,99,97,116,105,111,110,32,119,105,116,104,32,115,99,97,116,116,101,114,47,103,97,116,104,101,114,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.text diff --git a/crypto/bn/mont5-masm-x86_64.S b/crypto/bn/mont5-masm-x86_64.S index cc709e6..8dc4984 100644 --- a/crypto/bn/mont5-masm-x86_64.S +++ b/crypto/bn/mont5-masm-x86_64.S @@ -85,6 +85,7 @@ $L$SEH_begin_bn_mul_mont_gather5:: mov r9,QWORD PTR[48+rsp] + endbr64 test r9d,3 jnz $L$mul_enter cmp r9d,8 @@ -495,6 +496,7 @@ $L$SEH_begin_bn_mul4x_mont_gather5:: mov r9,QWORD PTR[48+rsp] + endbr64 $L$mul4x_enter:: mov r9d,r9d movd xmm5,DWORD PTR[56+rsp] @@ -1088,6 +1090,7 @@ PUBLIC bn_scatter5 ALIGN 16 bn_scatter5 PROC PUBLIC + endbr64 cmp rdx,0 jz $L$scatter_epilogue lea r8,QWORD PTR[r9*8+r8] @@ -1106,6 +1109,7 @@ PUBLIC bn_gather5 ALIGN 16 bn_gather5 PROC PUBLIC + endbr64 $L$SEH_begin_bn_gather5:: DB 04ch,08dh,014h,024h 
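Review bot: Where the ELF and masm hunks for the same functions insert `endbr64`, these macosx hunks insert only an empty line after `bn_mul4x_mont_gather5:`, `_bn_scatter5:` and `_bn_gather5:`, so the x86_64 macOS build of mont5 gains no IBT landing pads from this change. If macOS x86_64 is deliberately out of scope for CET, the blank lines are generator noise that could be suppressed; if it is meant to be covered, the macosx flavour of the translator needs to emit the instruction as well, either as `endbr64` or, for toolchains lacking the mnemonic, as `.byte 0xf3,0x0f,0x1e,0xfa`. Moving `L$inc` into `.section __DATA,__const` and switching back to `.text` in the last hunk is the right direction, since it keeps a constant table out of executable text.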
@@ -1265,20 +1269,19 @@ $L$gather:: DB 0F3h,0C3h ;repret $L$SEH_end_bn_gather5:: bn_gather5 ENDP +.text$ ENDS +.rdata SEGMENT READONLY ALIGN(8) ALIGN 64 $L$inc:: DD 0,0,1,1 DD 2,2,2,2 -DB 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105 -DB 112,108,105,99,97,116,105,111,110,32,119,105,116,104,32,115 -DB 99,97,116,116,101,114,47,103,97,116,104,101,114,32,102,111 -DB 114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79 -DB 71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111 -DB 112,101,110,115,115,108,46,111,114,103,62,0 +.rdata ENDS +.text$ SEGMENT ALIGN(64) 'CODE' EXTERN __imp_RtlVirtualUnwind:NEAR ALIGN 16 mul_handler PROC PRIVATE + endbr64 push rsi push rdi push rbx diff --git a/crypto/bn/s2n_bignum.h b/crypto/bn/s2n_bignum.h new file mode 100644 index 0000000..ce6e8cd --- /dev/null +++ b/crypto/bn/s2n_bignum.h 
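Review bot: The new `.rdata SEGMENT READONLY ALIGN(8)` opens a section with 8-byte alignment, yet the `$L$inc` table placed inside it is declared with `ALIGN 64`; the object section's alignment is what the linker honours, so the 64-byte alignment the gather code is presumably written against is not guaranteed at link time, and ml64 may also reject an ALIGN larger than the enclosing segment's alignment. Opening the segment at least as strictly as anything inside it, `.rdata SEGMENT READONLY ALIGN(64)`, addresses both concerns. Moving the table out of `.text$` into read-only data is otherwise a welcome change. The `mul_handler` whose `endbr64` is added at the end of this hunk continues beyond it.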
@@ -0,0 +1,856 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// +// Permission to use, copy, modify, and/or distribute this software for any +// purpose with or without fee is hereby granted, provided that the above +// copyright notice and this permission notice appear in all copies. +// +// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +// ---------------------------------------------------------------------------- +// C prototypes for s2n-bignum functions, so you can use them in C programs via +// +// #include "s2n-bignum.h" +// +// The functions are listed in alphabetical order with a brief description +// in comments for each one. For more detailed documentation see the comment +// banner at the top of the corresponding assembly (.S) file, and +// for the last word in what properties it satisfies see the spec in the +// formal proof (the .ml file in the architecture-specific directory). +// +// For some functions there are additional variants with names ending in +// "_alt". These have the same core mathematical functionality as their +// non-"alt" versions, but can be better suited to some microarchitectures: +// +// - On x86, the "_alt" forms avoid BMI and ADX instruction set +// extensions, so will run on any x86_64 machine, even older ones +// +// - On ARM, the "_alt" forms target machines with higher multiplier +// throughput, generally offering higher performance there. 
+// ---------------------------------------------------------------------------- + +// Add, z := x + y +// Inputs x[m], y[n]; outputs function return (carry-out) and z[p] +extern uint64_t bignum_add (uint64_t p, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y); + +// Add modulo p_25519, z := (x + y) mod p_25519, assuming x and y reduced +// Inputs x[4], y[4]; output z[4] +extern void bignum_add_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); + +// Add modulo p_256, z := (x + y) mod p_256, assuming x and y reduced +// Inputs x[4], y[4]; output z[4] +extern void bignum_add_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); + +// Add modulo p_256k1, z := (x + y) mod p_256k1, assuming x and y reduced +// Inputs x[4], y[4]; output z[4] +extern void bignum_add_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]); + +// Add modulo p_384, z := (x + y) mod p_384, assuming x and y reduced +// Inputs x[6], y[6]; output z[6] +extern void bignum_add_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]); + +// Add modulo p_521, z := (x + y) mod p_521, assuming x and y reduced +// Inputs x[9], y[9]; output z[9] +extern void bignum_add_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]); + +// Compute "amontification" constant z :== 2^{128k} (congruent mod m) +// Input m[k]; output z[k]; temporary buffer t[>=k] +extern void bignum_amontifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t); + +// Almost-Montgomery multiply, z :== (x * y / 2^{64k}) (congruent mod m) +// Inputs x[k], y[k], m[k]; output z[k] +extern void bignum_amontmul (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m); + +// Almost-Montgomery reduce, z :== (x' / 2^{64p}) (congruent mod m) +// Inputs x[n], m[k], p; output z[k] +extern void bignum_amontredc (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t *m, uint64_t p); + +// Almost-Montgomery square, z :== (x^2 / 
2^{64k}) (congruent mod m) +// Inputs x[k], m[k]; output z[k] +extern void bignum_amontsqr (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m); + +// Convert 4-digit (256-bit) bignum to/from big-endian form +// Input x[4]; output z[4] +extern void bignum_bigendian_4 (uint64_t z[static 4], uint64_t x[static 4]); + +// Convert 6-digit (384-bit) bignum to/from big-endian form +// Input x[6]; output z[6] +extern void bignum_bigendian_6 (uint64_t z[static 6], uint64_t x[static 6]); + +// Select bitfield starting at bit n with length l <= 64 +// Inputs x[k], n, l; output function return +extern uint64_t bignum_bitfield (uint64_t k, uint64_t *x, uint64_t n, uint64_t l); + +// Return size of bignum in bits +// Input x[k]; output function return +extern uint64_t bignum_bitsize (uint64_t k, uint64_t *x); + +// Divide by a single (nonzero) word, z := x / m and return x mod m +// Inputs x[n], m; outputs function return (remainder) and z[k] +extern uint64_t bignum_cdiv (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t m); + +// Divide by a single word, z := x / m when known to be exact +// Inputs x[n], m; output z[k] +extern void bignum_cdiv_exact (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t m); + +// Count leading zero digits (64-bit words) +// Input x[k]; output function return +extern uint64_t bignum_cld (uint64_t k, uint64_t *x); + +// Count leading zero bits +// Input x[k]; output function return +extern uint64_t bignum_clz (uint64_t k, uint64_t *x); + +// Multiply-add with single-word multiplier, z := z + c * y +// Inputs c, y[n]; outputs function return (carry-out) and z[k] +extern uint64_t bignum_cmadd (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y); + +// Negated multiply-add with single-word multiplier, z := z - c * y +// Inputs c, y[n]; outputs function return (negative carry-out) and z[k] +extern uint64_t bignum_cmnegadd (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y); + +// Find modulus of bignum w.r.t. 
single nonzero word m, returning x mod m
+// Input x[k], m; output function return
+extern uint64_t bignum_cmod (uint64_t k, uint64_t *x, uint64_t m);
+
+// Multiply by a single word, z := c * y
+// Inputs c, y[n]; outputs function return (carry-out) and z[k]
+extern uint64_t bignum_cmul (uint64_t k, uint64_t *z, uint64_t c, uint64_t n, uint64_t *y);
+
+// Multiply by a single word modulo p_25519, z := (c * x) mod p_25519, assuming x reduced
+// Inputs c, x[4]; output z[4]
+extern void bignum_cmul_p25519 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+extern void bignum_cmul_p25519_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+
+// Multiply by a single word modulo p_256, z := (c * x) mod p_256, assuming x reduced
+// Inputs c, x[4]; output z[4]
+extern void bignum_cmul_p256 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+extern void bignum_cmul_p256_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+
+// Multiply by a single word modulo p_256k1, z := (c * x) mod p_256k1, assuming x reduced
+// Inputs c, x[4]; output z[4]
+extern void bignum_cmul_p256k1 (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+extern void bignum_cmul_p256k1_alt (uint64_t z[static 4], uint64_t c, uint64_t x[static 4]);
+
+// Multiply by a single word modulo p_384, z := (c * x) mod p_384, assuming x reduced
+// Inputs c, x[6]; output z[6]
+extern void bignum_cmul_p384 (uint64_t z[static 6], uint64_t c, uint64_t x[static 6]);
+extern void bignum_cmul_p384_alt (uint64_t z[static 6], uint64_t c, uint64_t x[static 6]);
+
+// Multiply by a single word modulo p_521, z := (c * x) mod p_521, assuming x reduced
+// Inputs c, x[9]; output z[9]
+extern void bignum_cmul_p521 (uint64_t z[static 9], uint64_t c, uint64_t x[static 9]);
+extern void bignum_cmul_p521_alt (uint64_t z[static 9], uint64_t c, uint64_t x[static 9]);
+
+// Test bignums for coprimality, gcd(x,y) = 1
+// Inputs x[m], y[n]; output function return; temporary buffer 
t[>=2*max(m,n)]
+extern uint64_t bignum_coprime (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y, uint64_t *t);
+
+// Copy bignum with zero-extension or truncation, z := x
+// Input x[n]; output z[k]
+extern void bignum_copy (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x);
+
+// Count trailing zero digits (64-bit words)
+// Input x[k]; output function return
+extern uint64_t bignum_ctd (uint64_t k, uint64_t *x);
+
+// Count trailing zero bits
+// Input x[k]; output function return
+extern uint64_t bignum_ctz (uint64_t k, uint64_t *x);
+
+// Convert from almost-Montgomery form, z := (x / 2^256) mod p_256
+// Input x[4]; output z[4]
+extern void bignum_deamont_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_deamont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Convert from almost-Montgomery form, z := (x / 2^256) mod p_256k1
+// Input x[4]; output z[4]
+extern void bignum_deamont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Convert from almost-Montgomery form, z := (x / 2^384) mod p_384
+// Input x[6]; output z[6]
+extern void bignum_deamont_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_deamont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+
+// Convert from almost-Montgomery form z := (x / 2^576) mod p_521
+// Input x[9]; output z[9]
+extern void bignum_deamont_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+
+// Convert from (almost-)Montgomery form z := (x / 2^{64k}) mod m
+// Inputs x[k], m[k]; output z[k]
+extern void bignum_demont (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
+
+// Convert from Montgomery form z := (x / 2^256) mod p_256, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_demont_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_demont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Convert from Montgomery form z := (x / 2^256) mod p_256k1, assuming x reduced
+// Input x[4]; output z[4]
+extern 
void bignum_demont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Convert from Montgomery form z := (x / 2^384) mod p_384, assuming x reduced
+// Input x[6]; output z[6]
+extern void bignum_demont_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_demont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+
+// Convert from Montgomery form z := (x / 2^576) mod p_521, assuming x reduced
+// Input x[9]; output z[9]
+extern void bignum_demont_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+
+// Select digit x[n]
+// Inputs x[k], n; output function return
+extern uint64_t bignum_digit (uint64_t k, uint64_t *x, uint64_t n);
+
+// Return size of bignum in digits (64-bit word)
+// Input x[k]; output function return
+extern uint64_t bignum_digitsize (uint64_t k, uint64_t *x);
+
+// Divide bignum by 10: z' := z div 10, returning remainder z mod 10
+// Inputs z[k]; outputs function return (remainder) and z[k]
+extern uint64_t bignum_divmod10 (uint64_t k, uint64_t *z);
+
+// Double modulo p_25519, z := (2 * x) mod p_25519, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_double_p25519 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Double modulo p_256, z := (2 * x) mod p_256, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_double_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Double modulo p_256k1, z := (2 * x) mod p_256k1, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_double_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Double modulo p_384, z := (2 * x) mod p_384, assuming x reduced
+// Input x[6]; output z[6]
+extern void bignum_double_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+
+// Double modulo p_521, z := (2 * x) mod p_521, assuming x reduced
+// Input x[9]; output z[9]
+extern void bignum_double_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+
+// Extended Montgomery reduce, returning results in input-output buffer
+// Inputs z[2*k], 
m[k], w; outputs function return (extra result bit) and z[2*k]
+extern uint64_t bignum_emontredc (uint64_t k, uint64_t *z, uint64_t *m, uint64_t w);
+
+// Extended Montgomery reduce in 8-digit blocks, results in input-output buffer
+// Inputs z[2*k], m[k], w; outputs function return (extra result bit) and z[2*k]
+extern uint64_t bignum_emontredc_8n (uint64_t k, uint64_t *z, uint64_t *m, uint64_t w);
+
+// Test bignums for equality, x = y
+// Inputs x[m], y[n]; output function return
+extern uint64_t bignum_eq (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+
+// Test bignum for even-ness
+// Input x[k]; output function return
+extern uint64_t bignum_even (uint64_t k, uint64_t *x);
+
+// Convert 4-digit (256-bit) bignum from big-endian bytes
+// Input x[32] (bytes); output z[4]
+extern void bignum_frombebytes_4 (uint64_t z[static 4], uint8_t x[static 32]);
+
+// Convert 6-digit (384-bit) bignum from big-endian bytes
+// Input x[48] (bytes); output z[6]
+extern void bignum_frombebytes_6 (uint64_t z[static 6], uint8_t x[static 48]);
+
+// Convert 4-digit (256-bit) bignum from little-endian bytes
+// Input x[32] (bytes); output z[4]
+extern void bignum_fromlebytes_4 (uint64_t z[static 4], uint8_t x[static 32]);
+
+// Convert 6-digit (384-bit) bignum from little-endian bytes
+// Input x[48] (bytes); output z[6]
+extern void bignum_fromlebytes_6 (uint64_t z[static 6], uint8_t x[static 48]);
+
+// Convert little-endian bytes to 9-digit 528-bit bignum
+// Input x[66] (bytes); output z[9]
+extern void bignum_fromlebytes_p521 (uint64_t z[static 9],uint8_t x[static 66]);
+
+// Compare bignums, x >= y
+// Inputs x[m], y[n]; output function return
+extern uint64_t bignum_ge (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+
+// Compare bignums, x > y
+// Inputs x[m], y[n]; output function return
+extern uint64_t bignum_gt (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+
+// Halve modulo p_256, z := (x / 2) mod p_256, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_half_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Halve modulo p_256k1, z := (x / 2) mod p_256k1, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_half_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Halve modulo p_384, z := (x / 2) mod p_384, assuming x reduced
+// Input x[6]; output z[6]
+extern void bignum_half_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+
+// Halve modulo p_521, z := (x / 2) mod p_521, assuming x reduced
+// Input x[9]; output z[9]
+extern void bignum_half_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+
+// Test bignum for zero-ness, x = 0
+// Input x[k]; output function return
+extern uint64_t bignum_iszero (uint64_t k, uint64_t *x);
+
+// Multiply z := x * y
+// Inputs x[16], y[16]; output z[32]; temporary buffer t[>=32]
+extern void bignum_kmul_16_32 (uint64_t z[static 32], uint64_t x[static 16], uint64_t y[static 16], uint64_t t[static 32]);
+
+// Multiply z := x * y
+// Inputs x[32], y[32]; output z[64]; temporary buffer t[>=96]
+extern void bignum_kmul_32_64 (uint64_t z[static 64], uint64_t x[static 32], uint64_t y[static 32], uint64_t t[static 96]);
+
+// Square, z := x^2
+// Input x[16]; output z[32]; temporary buffer t[>=24]
+extern void bignum_ksqr_16_32 (uint64_t z[static 32], uint64_t x[static 16], uint64_t t[static 24]);
+
+// Square, z := x^2
+// Input x[32]; output z[64]; temporary buffer t[>=72]
+extern void bignum_ksqr_32_64 (uint64_t z[static 64], uint64_t x[static 32], uint64_t t[static 72]);
+
+// Compare bignums, x <= y
+// Inputs x[m], y[n]; output function return
+extern uint64_t bignum_le (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+
+// Convert 4-digit (256-bit) bignum to/from little-endian form
+// Input x[4]; output z[4]
+extern void bignum_littleendian_4 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Convert 6-digit (384-bit) bignum to/from little-endian form
+// Input x[6]; output z[6]
+extern void bignum_littleendian_6 (uint64_t 
z[static 6], uint64_t x[static 6]);
+
+// Compare bignums, x < y
+// Inputs x[m], y[n]; output function return
+extern uint64_t bignum_lt (uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+
+// Multiply-add, z := z + x * y
+// Inputs x[m], y[n]; outputs function return (carry-out) and z[k]
+extern uint64_t bignum_madd (uint64_t k, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+
+// Reduce modulo group order, z := x mod n_256
+// Input x[k]; output z[4]
+extern void bignum_mod_n256 (uint64_t z[static 4], uint64_t k, uint64_t *x);
+extern void bignum_mod_n256_alt (uint64_t z[static 4], uint64_t k, uint64_t *x);
+
+// Reduce modulo group order, z := x mod n_256
+// Input x[4]; output z[4]
+extern void bignum_mod_n256_4 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Reduce modulo group order, z := x mod n_256k1
+// Input x[4]; output z[4]
+extern void bignum_mod_n256k1_4 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Reduce modulo group order, z := x mod n_384
+// Input x[k]; output z[6]
+extern void bignum_mod_n384 (uint64_t z[static 6], uint64_t k, uint64_t *x);
+extern void bignum_mod_n384_alt (uint64_t z[static 6], uint64_t k, uint64_t *x);
+
+// Reduce modulo group order, z := x mod n_384
+// Input x[6]; output z[6]
+extern void bignum_mod_n384_6 (uint64_t z[static 6], uint64_t x[static 6]);
+
+// Reduce modulo group order, z := x mod n_521
+// Input x[9]; output z[9]
+extern void bignum_mod_n521_9 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_mod_n521_9_alt (uint64_t z[static 9], uint64_t x[static 9]);
+
+// Reduce modulo field characteristic, z := x mod p_25519
+// Input x[4]; output z[4]
+extern void bignum_mod_p25519_4 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Reduce modulo field characteristic, z := x mod p_256
+// Input x[k]; output z[4]
+extern void bignum_mod_p256 (uint64_t z[static 4], uint64_t k, uint64_t *x);
+extern void bignum_mod_p256_alt (uint64_t z[static 4], uint64_t k, uint64_t *x);
+
+// Reduce modulo field characteristic, z := x mod p_256
+// Input x[4]; output z[4]
+extern void bignum_mod_p256_4 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Reduce modulo field characteristic, z := x mod p_256k1
+// Input x[4]; output z[4]
+extern void bignum_mod_p256k1_4 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Reduce modulo field characteristic, z := x mod p_384
+// Input x[k]; output z[6]
+extern void bignum_mod_p384 (uint64_t z[static 6], uint64_t k, uint64_t *x);
+extern void bignum_mod_p384_alt (uint64_t z[static 6], uint64_t k, uint64_t *x);
+
+// Reduce modulo field characteristic, z := x mod p_384
+// Input x[6]; output z[6]
+extern void bignum_mod_p384_6 (uint64_t z[static 6], uint64_t x[static 6]);
+
+// Reduce modulo field characteristic, z := x mod p_521
+// Input x[9]; output z[9]
+extern void bignum_mod_p521_9 (uint64_t z[static 9], uint64_t x[static 9]);
+
+// Add modulo m, z := (x + y) mod m, assuming x and y reduced
+// Inputs x[k], y[k], m[k]; output z[k]
+extern void bignum_modadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
+
+// Double modulo m, z := (2 * x) mod m, assuming x reduced
+// Inputs x[k], m[k]; output z[k]
+extern void bignum_moddouble (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
+
+// Compute "modification" constant z := 2^{64k} mod m
+// Input m[k]; output z[k]; temporary buffer t[>=k]
+extern void bignum_modifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t);
+
+// Invert modulo m, z = (1/a) mod b, assuming b is an odd number > 1, a coprime to b
+// Inputs a[k], b[k]; output z[k]; temporary buffer t[>=3*k]
+extern void bignum_modinv (uint64_t k, uint64_t *z, uint64_t *a, uint64_t *b, uint64_t *t);
+
+// Optionally negate modulo m, z := (-x) mod m (if p nonzero) or z := x (if p zero), assuming x reduced
+// Inputs p, x[k], m[k]; output z[k]
+extern void bignum_modoptneg (uint64_t k, uint64_t *z, uint64_t p, uint64_t *x, uint64_t *m);
+
+// Subtract modulo m, z := (x - y) 
mod m, assuming x and y reduced
+// Inputs x[k], y[k], m[k]; output z[k]
+extern void bignum_modsub (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
+
+// Compute "montification" constant z := 2^{128k} mod m
+// Input m[k]; output z[k]; temporary buffer t[>=k]
+extern void bignum_montifier (uint64_t k, uint64_t *z, uint64_t *m, uint64_t *t);
+
+// Montgomery multiply, z := (x * y / 2^{64k}) mod m
+// Inputs x[k], y[k], m[k]; output z[k]
+extern void bignum_montmul (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y, uint64_t *m);
+
+// Montgomery multiply, z := (x * y / 2^256) mod p_256
+// Inputs x[4], y[4]; output z[4]
+extern void bignum_montmul_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_montmul_p256_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+
+// Montgomery multiply, z := (x * y / 2^256) mod p_256k1
+// Inputs x[4], y[4]; output z[4]
+extern void bignum_montmul_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_montmul_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+
+// Montgomery multiply, z := (x * y / 2^384) mod p_384
+// Inputs x[6], y[6]; output z[6]
+extern void bignum_montmul_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
+extern void bignum_montmul_p384_alt (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
+
+// Montgomery multiply, z := (x * y / 2^576) mod p_521
+// Inputs x[9], y[9]; output z[9]
+extern void bignum_montmul_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+extern void bignum_montmul_p521_alt (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+
+// Montgomery reduce, z := (x' / 2^{64p}) MOD m
+// Inputs x[n], m[k], p; output z[k]
+extern void bignum_montredc (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t *m, uint64_t p);
+
+// Montgomery square, z := (x^2 / 2^{64k}) mod 
m
+// Inputs x[k], m[k]; output z[k]
+extern void bignum_montsqr (uint64_t k, uint64_t *z, uint64_t *x, uint64_t *m);
+
+// Montgomery square, z := (x^2 / 2^256) mod p_256
+// Input x[4]; output z[4]
+extern void bignum_montsqr_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_montsqr_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Montgomery square, z := (x^2 / 2^256) mod p_256k1
+// Input x[4]; output z[4]
+extern void bignum_montsqr_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_montsqr_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Montgomery square, z := (x^2 / 2^384) mod p_384
+// Input x[6]; output z[6]
+extern void bignum_montsqr_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_montsqr_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+
+// Montgomery square, z := (x^2 / 2^576) mod p_521
+// Input x[9]; output z[9]
+extern void bignum_montsqr_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void bignum_montsqr_p521_alt (uint64_t z[static 9], uint64_t x[static 9]);
+
+// Multiply z := x * y
+// Inputs x[m], y[n]; output z[k]
+extern void bignum_mul (uint64_t k, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+
+// Multiply z := x * y
+// Inputs x[4], y[4]; output z[8]
+extern void bignum_mul_4_8 (uint64_t z[static 8], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_mul_4_8_alt (uint64_t z[static 8], uint64_t x[static 4], uint64_t y[static 4]);
+
+// Multiply z := x * y
+// Inputs x[6], y[6]; output z[12]
+extern void bignum_mul_6_12 (uint64_t z[static 12], uint64_t x[static 6], uint64_t y[static 6]);
+extern void bignum_mul_6_12_alt (uint64_t z[static 12], uint64_t x[static 6], uint64_t y[static 6]);
+
+// Multiply z := x * y
+// Inputs x[8], y[8]; output z[16]
+extern void bignum_mul_8_16 (uint64_t z[static 16], uint64_t x[static 8], uint64_t y[static 8]);
+extern void bignum_mul_8_16_alt (uint64_t z[static 16], 
uint64_t x[static 8], uint64_t y[static 8]);
+
+// Multiply modulo p_25519, z := (x * y) mod p_25519
+// Inputs x[4], y[4]; output z[4]
+extern void bignum_mul_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_mul_p25519_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+
+// Multiply modulo p_256k1, z := (x * y) mod p_256k1
+// Inputs x[4], y[4]; output z[4]
+extern void bignum_mul_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+extern void bignum_mul_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+
+// Multiply modulo p_521, z := (x * y) mod p_521, assuming x and y reduced
+// Inputs x[9], y[9]; output z[9]
+extern void bignum_mul_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+extern void bignum_mul_p521_alt (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+
+// Multiply bignum by 10 and add word: z := 10 * z + d
+// Inputs z[k], d; outputs function return (carry) and z[k]
+extern uint64_t bignum_muladd10 (uint64_t k, uint64_t *z, uint64_t d);
+
+// Multiplex/select z := x (if p nonzero) or z := y (if p zero)
+// Inputs p, x[k], y[k]; output z[k]
+extern void bignum_mux (uint64_t p, uint64_t k, uint64_t *z, uint64_t *x, uint64_t *y);
+
+// 256-bit multiplex/select z := x (if p nonzero) or z := y (if p zero)
+// Inputs p, x[4], y[4]; output z[4]
+extern void bignum_mux_4 (uint64_t p, uint64_t z[static 4],uint64_t x[static 4], uint64_t y[static 4]);
+
+// 384-bit multiplex/select z := x (if p nonzero) or z := y (if p zero)
+// Inputs p, x[6], y[6]; output z[6]
+extern void bignum_mux_6 (uint64_t p, uint64_t z[static 6],uint64_t x[static 6], uint64_t y[static 6]);
+
+// Select element from 16-element table, z := xs[k*i]
+// Inputs xs[16*k], i; output z[k]
+extern void bignum_mux16 (uint64_t k, uint64_t *z, uint64_t *xs, uint64_t i);
+
+// Negate modulo p_25519, z := (-x) mod p_25519, assuming x 
reduced
+// Input x[4]; output z[4]
+extern void bignum_neg_p25519 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Negate modulo p_256, z := (-x) mod p_256, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_neg_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Negate modulo p_256k1, z := (-x) mod p_256k1, assuming x reduced
+// Input x[4]; output z[4]
+extern void bignum_neg_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Negate modulo p_384, z := (-x) mod p_384, assuming x reduced
+// Input x[6]; output z[6]
+extern void bignum_neg_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+
+// Negate modulo p_521, z := (-x) mod p_521, assuming x reduced
+// Input x[9]; output z[9]
+extern void bignum_neg_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+
+// Negated modular inverse, z := (-1/x) mod 2^{64k}
+// Input x[k]; output z[k]
+extern void bignum_negmodinv (uint64_t k, uint64_t *z, uint64_t *x);
+
+// Test bignum for nonzero-ness x =/= 0
+// Input x[k]; output function return
+extern uint64_t bignum_nonzero (uint64_t k, uint64_t *x);
+
+// Test 256-bit bignum for nonzero-ness x =/= 0
+// Input x[4]; output function return
+extern uint64_t bignum_nonzero_4(uint64_t x[static 4]);
+
+// Test 384-bit bignum for nonzero-ness x =/= 0
+// Input x[6]; output function return
+extern uint64_t bignum_nonzero_6(uint64_t x[static 6]);
+
+// Normalize bignum in-place by shifting left till top bit is 1
+// Input z[k]; outputs function return (bits shifted left) and z[k]
+extern uint64_t bignum_normalize (uint64_t k, uint64_t *z);
+
+// Test bignum for odd-ness
+// Input x[k]; output function return
+extern uint64_t bignum_odd (uint64_t k, uint64_t *x);
+
+// Convert single digit to bignum, z := n
+// Input n; output z[k]
+extern void bignum_of_word (uint64_t k, uint64_t *z, uint64_t n);
+
+// Optionally add, z := x + y (if p nonzero) or z := x (if p zero)
+// Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k]
+extern 
uint64_t bignum_optadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y);
+
+// Optionally negate, z := -x (if p nonzero) or z := x (if p zero)
+// Inputs p, x[k]; outputs function return (nonzero input) and z[k]
+extern uint64_t bignum_optneg (uint64_t k, uint64_t *z, uint64_t p, uint64_t *x);
+
+// Optionally negate modulo p_25519, z := (-x) mod p_25519 (if p nonzero) or z := x (if p zero), assuming x reduced
+// Inputs p, x[4]; output z[4]
+extern void bignum_optneg_p25519 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]);
+
+// Optionally negate modulo p_256, z := (-x) mod p_256 (if p nonzero) or z := x (if p zero), assuming x reduced
+// Inputs p, x[4]; output z[4]
+extern void bignum_optneg_p256 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]);
+
+// Optionally negate modulo p_256k1, z := (-x) mod p_256k1 (if p nonzero) or z := x (if p zero), assuming x reduced
+// Inputs p, x[4]; output z[4]
+extern void bignum_optneg_p256k1 (uint64_t z[static 4], uint64_t p, uint64_t x[static 4]);
+
+// Optionally negate modulo p_384, z := (-x) mod p_384 (if p nonzero) or z := x (if p zero), assuming x reduced
+// Inputs p, x[6]; output z[6]
+extern void bignum_optneg_p384 (uint64_t z[static 6], uint64_t p, uint64_t x[static 6]);
+
+// Optionally negate modulo p_521, z := (-x) mod p_521 (if p nonzero) or z := x (if p zero), assuming x reduced
+// Inputs p, x[9]; output z[9]
+extern void bignum_optneg_p521 (uint64_t z[static 9], uint64_t p, uint64_t x[static 9]);
+
+// Optionally subtract, z := x - y (if p nonzero) or z := x (if p zero)
+// Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k]
+extern uint64_t bignum_optsub (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y);
+
+// Optionally subtract or add, z := x + sgn(p) * y interpreting p as signed
+// Inputs x[k], p, y[k]; outputs function return (carry-out) and z[k]
+extern uint64_t bignum_optsubadd (uint64_t k, uint64_t *z, uint64_t *x, uint64_t p, uint64_t *y);
+
+// Return bignum of power of 2, z := 2^n
+// Input n; output z[k]
+extern void bignum_pow2 (uint64_t k, uint64_t *z, uint64_t n);
+
+// Shift bignum left by c < 64 bits z := x * 2^c
+// Inputs x[n], c; outputs function return (carry-out) and z[k]
+extern uint64_t bignum_shl_small (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t c);
+
+// Shift bignum right by c < 64 bits z := floor(x / 2^c)
+// Inputs x[n], c; outputs function return (bits shifted out) and z[k]
+extern uint64_t bignum_shr_small (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x, uint64_t c);
+
+// Square, z := x^2
+// Input x[n]; output z[k]
+extern void bignum_sqr (uint64_t k, uint64_t *z, uint64_t n, uint64_t *x);
+
+// Square, z := x^2
+// Input x[4]; output z[8]
+extern void bignum_sqr_4_8 (uint64_t z[static 8], uint64_t x[static 4]);
+extern void bignum_sqr_4_8_alt (uint64_t z[static 8], uint64_t x[static 4]);
+
+// Square, z := x^2
+// Input x[6]; output z[12]
+extern void bignum_sqr_6_12 (uint64_t z[static 12], uint64_t x[static 6]);
+extern void bignum_sqr_6_12_alt (uint64_t z[static 12], uint64_t x[static 6]);
+
+// Square, z := x^2
+// Input x[8]; output z[16]
+extern void bignum_sqr_8_16 (uint64_t z[static 16], uint64_t x[static 8]);
+extern void bignum_sqr_8_16_alt (uint64_t z[static 16], uint64_t x[static 8]);
+
+// Square modulo p_25519, z := (x^2) mod p_25519
+// Input x[4]; output z[4]
+extern void bignum_sqr_p25519 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_sqr_p25519_alt (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Square modulo p_256k1, z := (x^2) mod p_256k1
+// Input x[4]; output z[4]
+extern void bignum_sqr_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_sqr_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Square modulo p_521, z := (x^2) mod p_521, assuming x reduced
+// Input x[9]; output z[9]
+extern void bignum_sqr_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+extern void 
bignum_sqr_p521_alt (uint64_t z[static 9], uint64_t x[static 9]);
+
+// Subtract, z := x - y
+// Inputs x[m], y[n]; outputs function return (carry-out) and z[p]
+extern uint64_t bignum_sub (uint64_t p, uint64_t *z, uint64_t m, uint64_t *x, uint64_t n, uint64_t *y);
+
+// Subtract modulo p_25519, z := (x - y) mod p_25519, assuming x and y reduced
+// Inputs x[4], y[4]; output z[4]
+extern void bignum_sub_p25519 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+
+// Subtract modulo p_256, z := (x - y) mod p_256, assuming x and y reduced
+// Inputs x[4], y[4]; output z[4]
+extern void bignum_sub_p256 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+
+// Subtract modulo p_256k1, z := (x - y) mod p_256k1, assuming x and y reduced
+// Inputs x[4], y[4]; output z[4]
+extern void bignum_sub_p256k1 (uint64_t z[static 4], uint64_t x[static 4], uint64_t y[static 4]);
+
+// Subtract modulo p_384, z := (x - y) mod p_384, assuming x and y reduced
+// Inputs x[6], y[6]; output z[6]
+extern void bignum_sub_p384 (uint64_t z[static 6], uint64_t x[static 6], uint64_t y[static 6]);
+
+// Subtract modulo p_521, z := (x - y) mod p_521, assuming x and y reduced
+// Inputs x[9], y[9]; output z[9]
+extern void bignum_sub_p521 (uint64_t z[static 9], uint64_t x[static 9], uint64_t y[static 9]);
+
+// Convert 4-digit (256-bit) bignum to big-endian bytes
+// Input x[4]; output z[32] (bytes)
+extern void bignum_tobebytes_4 (uint8_t z[static 32], uint64_t x[static 4]);
+
+// Convert 6-digit (384-bit) bignum to big-endian bytes
+// Input x[6]; output z[48] (bytes)
+extern void bignum_tobebytes_6 (uint8_t z[static 48], uint64_t x[static 6]);
+
+// Convert 4-digit (256-bit) bignum to little-endian bytes
+// Input x[4]; output z[32] (bytes)
+extern void bignum_tolebytes_4 (uint8_t z[static 32], uint64_t x[static 4]);
+
+// Convert 6-digit (384-bit) bignum to little-endian bytes
+// Input x[6]; output z[48] (bytes)
+extern void bignum_tolebytes_6 (uint8_t 
z[static 48], uint64_t x[static 6]);
+
+// Convert 9-digit 528-bit bignum to little-endian bytes
+// Input x[6]; output z[66] (bytes)
+extern void bignum_tolebytes_p521 (uint8_t z[static 66], uint64_t x[static 9]);
+
+// Convert to Montgomery form z := (2^256 * x) mod p_256
+// Input x[4]; output z[4]
+extern void bignum_tomont_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_tomont_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Convert to Montgomery form z := (2^256 * x) mod p_256k1
+// Input x[4]; output z[4]
+extern void bignum_tomont_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_tomont_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Convert to Montgomery form z := (2^384 * x) mod p_384
+// Input x[6]; output z[6]
+extern void bignum_tomont_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_tomont_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+
+// Convert to Montgomery form z := (2^576 * x) mod p_521
+// Input x[9]; output z[9]
+extern void bignum_tomont_p521 (uint64_t z[static 9], uint64_t x[static 9]);
+
+// Triple modulo p_256, z := (3 * x) mod p_256
+// Input x[4]; output z[4]
+extern void bignum_triple_p256 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_triple_p256_alt (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Triple modulo p_256k1, z := (3 * x) mod p_256k1
+// Input x[4]; output z[4]
+extern void bignum_triple_p256k1 (uint64_t z[static 4], uint64_t x[static 4]);
+extern void bignum_triple_p256k1_alt (uint64_t z[static 4], uint64_t x[static 4]);
+
+// Triple modulo p_384, z := (3 * x) mod p_384
+// Input x[6]; output z[6]
+extern void bignum_triple_p384 (uint64_t z[static 6], uint64_t x[static 6]);
+extern void bignum_triple_p384_alt (uint64_t z[static 6], uint64_t x[static 6]);
+
+// Triple modulo p_521, z := (3 * x) mod p_521, assuming x reduced
+// Input x[9]; output z[9]
+extern void bignum_triple_p521 (uint64_t 
z[static 9], uint64_t x[static 9]);
+extern void bignum_triple_p521_alt (uint64_t z[static 9], uint64_t x[static 9]);
+
+// Montgomery ladder step for curve25519
+// Inputs point[8], pp[16], b; output rr[16]
+extern void curve25519_ladderstep(uint64_t rr[16],uint64_t point[8],uint64_t pp[16],uint64_t b);
+extern void curve25519_ladderstep_alt(uint64_t rr[16],uint64_t point[8],uint64_t pp[16],uint64_t b);
+
+// Projective scalar multiplication, x coordinate only, for curve25519
+// Inputs scalar[4], point[4]; output res[8]
+extern void curve25519_pxscalarmul(uint64_t res[static 8],uint64_t scalar[static 4],uint64_t point[static 4]);
+extern void curve25519_pxscalarmul_alt(uint64_t res[static 8],uint64_t scalar[static 4],uint64_t point[static 4]);
+
+// x25519 function for curve25519
+// Inputs scalar[4], point[4]; output res[4]
+extern void curve25519_x25519(uint64_t res[static 4],uint64_t scalar[static 4],uint64_t point[static 4]);
+extern void curve25519_x25519_alt(uint64_t res[static 4],uint64_t scalar[static 4],uint64_t point[static 4]);
+
+// x25519 function for curve25519 on base element 9
+// Input scalar[4]; output res[4]
+extern void curve25519_x25519base(uint64_t res[static 4],uint64_t scalar[static 4]);
+extern void curve25519_x25519base_alt(uint64_t res[static 4],uint64_t scalar[static 4]);
+
+// Extended projective addition for edwards25519
+// Inputs p1[16], p2[16]; output p3[16]
+extern void edwards25519_epadd(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 16]);
+extern void edwards25519_epadd_alt(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 16]);
+
+// Extended projective doubling for edwards25519
+// Inputs p1[12]; output p3[16]
+extern void edwards25519_epdouble(uint64_t p3[static 16],uint64_t p1[static 12]);
+extern void edwards25519_epdouble_alt(uint64_t p3[static 16],uint64_t p1[static 12]);
+
+// Projective doubling for edwards25519
+// Inputs p1[12]; output p3[12]
+extern void edwards25519_pdouble(uint64_t 
p3[static 12],uint64_t p1[static 12]);
+extern void edwards25519_pdouble_alt(uint64_t p3[static 12],uint64_t p1[static 12]);
+
+// Extended projective + precomputed mixed addition for edwards25519
+// Inputs p1[16], p2[12]; output p3[16]
+extern void edwards25519_pepadd(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 12]);
+extern void edwards25519_pepadd_alt(uint64_t p3[static 16],uint64_t p1[static 16],uint64_t p2[static 12]);
+
+// Point addition on NIST curve P-256 in Montgomery-Jacobian coordinates
+// Inputs p1[12], p2[12]; output p3[12]
+extern void p256_montjadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 12]);
+
+// Point doubling on NIST curve P-256 in Montgomery-Jacobian coordinates
+// Inputs p1[12]; output p3[12]
+extern void p256_montjdouble(uint64_t p3[static 12],uint64_t p1[static 12]);
+
+// Point mixed addition on NIST curve P-256 in Montgomery-Jacobian coordinates
+// Inputs p1[12], p2[8]; output p3[12]
+extern void p256_montjmixadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 8]);
+
+// Point addition on NIST curve P-384 in Montgomery-Jacobian coordinates
+// Inputs p1[18], p2[18]; output p3[18]
+extern void p384_montjadd(uint64_t p3[static 18],uint64_t p1[static 18],uint64_t p2[static 18]);
+
+// Point doubling on NIST curve P-384 in Montgomery-Jacobian coordinates
+// Inputs p1[18]; output p3[18]
+extern void p384_montjdouble(uint64_t p3[static 18],uint64_t p1[static 18]);
+
+// Point mixed addition on NIST curve P-384 in Montgomery-Jacobian coordinates
+// Inputs p1[18], p2[12]; output p3[18]
+extern void p384_montjmixadd(uint64_t p3[static 18],uint64_t p1[static 18],uint64_t p2[static 12]);
+
+// Point addition on NIST curve P-521 in Jacobian coordinates
+// Inputs p1[27], p2[27]; output p3[27]
+extern void p521_jadd(uint64_t p3[static 27],uint64_t p1[static 27],uint64_t p2[static 27]);
+
+// Point doubling on NIST curve P-521 in Jacobian coordinates
+// Input p1[27]; output p3[27]
+extern void p521_jdouble(uint64_t p3[static 27],uint64_t p1[static 27]); + +// Point mixed addition on NIST curve P-521 in Jacobian coordinates +// Inputs p1[27], p2[18]; output p3[27] +extern void p521_jmixadd(uint64_t p3[static 27],uint64_t p1[static 27],uint64_t p2[static 18]); + +// Point addition on SECG curve secp256k1 in Jacobian coordinates +// Inputs p1[12], p2[12]; output p3[12] +extern void secp256k1_jadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 12]); + +// Point doubling on SECG curve secp256k1 in Jacobian coordinates +// Input p1[12]; output p3[12] +extern void secp256k1_jdouble(uint64_t p3[static 12],uint64_t p1[static 12]); + +// Point mixed addition on SECG curve secp256k1 in Jacobian coordinates +// Inputs p1[12], p2[8]; output p3[12] +extern void secp256k1_jmixadd(uint64_t p3[static 12],uint64_t p1[static 12],uint64_t p2[static 8]); + +// Reverse the bytes in a single word +// Input a; output function return +extern uint64_t word_bytereverse (uint64_t a); + +// Count leading zero bits in a single word +// Input a; output function return +extern uint64_t word_clz (uint64_t a); + +// Count trailing zero bits in a single word +// Input a; output function return +extern uint64_t word_ctz (uint64_t a); + +// Return maximum of two unsigned 64-bit words +// Inputs a, b; output function return +extern uint64_t word_max (uint64_t a, uint64_t b); + +// Return minimum of two unsigned 64-bit words +// Inputs a, b; output function return +extern uint64_t word_min (uint64_t a, uint64_t b); + +// Single-word negated modular inverse (-1/a) mod 2^64 +// Input a; output function return +extern uint64_t word_negmodinv (uint64_t a); + +// Single-word reciprocal, 2^64 + ret = ceil(2^128/a) - 1 if MSB of "a" is set +// Input a; output function return +extern uint64_t word_recip (uint64_t a); diff --git a/crypto/bn/s2n_bignum_internal.h b/crypto/bn/s2n_bignum_internal.h new file mode 100644 index 0000000..f413688 --- /dev/null 
+++ b/crypto/bn/s2n_bignum_internal.h @@ -0,0 +1,30 @@ +// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. +// +// Permission to use, copy, modify, and/or distribute this software for any +// purpose with or without fee is hereby granted, provided that the above +// copyright notice and this permission notice appear in all copies. +// +// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +#ifdef __APPLE__ +# define S2N_BN_SYMBOL(NAME) _##NAME +#else +# define S2N_BN_SYMBOL(name) name +#endif + +#define S2N_BN_SYM_VISIBILITY_DIRECTIVE(name) .globl S2N_BN_SYMBOL(name) +#ifdef S2N_BN_HIDE_SYMBOLS +# ifdef __APPLE__ +# define S2N_BN_SYM_PRIVACY_DIRECTIVE(name) .private_extern S2N_BN_SYMBOL(name) +# else +# define S2N_BN_SYM_PRIVACY_DIRECTIVE(name) .hidden S2N_BN_SYMBOL(name) +# endif +#else +# define S2N_BN_SYM_PRIVACY_DIRECTIVE(name) /* NO-OP: S2N_BN_SYM_PRIVACY_DIRECTIVE */ +#endif diff --git a/crypto/buffer/buf_err.c b/crypto/buffer/buf_err.c index dd5cc5e..4dc1dca 100644 --- a/crypto/buffer/buf_err.c +++ b/crypto/buffer/buf_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: buf_err.c,v 1.11 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: buf_err.c,v 1.12 2022/07/12 14:42:48 kn Exp $ */ /* ==================================================================== * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. * 
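Review bot: The new header has no include guard; it is macro-only, so a second inclusion merely redefines each macro identically, but an `#ifndef S2N_BIGNUM_INTERNAL_H` / `#define S2N_BIGNUM_INTERNAL_H` / `#endif` wrapper costs nothing and matches the `HEADER_*_LOCAL_H` guards the rest of this commit renames. The non-Apple branch of `S2N_BN_SYM_PRIVACY_DIRECTIVE` emits `.hidden`, an ELF directive; if these sources are ever assembled for a COFF target that branch would need an `__ELF__` test rather than `!__APPLE__`, which I cannot tell from the diff. The two `S2N_BN_SYMBOL` definitions name their parameter `NAME` and `name` respectively; pick one. A short header comment would also help, e.g. `// Symbol naming and visibility directives shared by the s2n-bignum assembly sources: Mach-O needs a leading underscore, and S2N_BN_HIDE_SYMBOLS keeps the symbols library-private.`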
@@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_BUF,func,0) diff --git a/crypto/bytestring/bs_cbb.c b/crypto/bytestring/bs_cbb.c index 1300931..c8b6f48 100644 --- a/crypto/bytestring/bs_cbb.c +++ b/crypto/bytestring/bs_cbb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bs_cbb.c,v 1.3 2022/01/06 14:32:55 jsing Exp $ */ +/* $OpenBSD: bs_cbb.c,v 1.4 2022/07/07 17:16:05 tb Exp $ */ /* * Copyright (c) 2014, Google Inc. * @@ -163,6 +163,9 @@ CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len) */ return 0; + if (out_data != NULL && *out_data != NULL) + return 0; + if (out_data != NULL) *out_data = cbb->base->buf; diff --git a/crypto/bytestring/bytestring.h b/crypto/bytestring/bytestring.h index d8ef8ff..d80e89c 100644 --- a/crypto/bytestring/bytestring.h +++ b/crypto/bytestring/bytestring.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bytestring.h,v 1.3 2022/01/06 14:32:55 jsing Exp $ */ +/* $OpenBSD: bytestring.h,v 1.4 2022/11/09 19:05:42 jsing Exp $ */ /* * Copyright (c) 2014, Google Inc. * 
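Review bot: The added `if (out_data != NULL && *out_data != NULL) return 0;` turns a previously tolerated call pattern — passing an uninitialized or reused `*out_data` — into a silent failure, with no comment saying why and no matching update to the CBB_finish contract in bytestring.h (this commit only touches the CBS_strdup comment there). Add `/* Refuse to overwrite a pointer the caller may still own; *out_data must be NULL on entry. */` above the check and state the same requirement in the header. On this path the CBB is left untouched, so callers still need CBB_cleanup(); CBB_finish begins and ends outside the hunk, so I cannot see whether an earlier exit path already documents that.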
@@ -80,11 +80,9 @@ int CBS_stow(const CBS *cbs, uint8_t **out_ptr, size_t *out_len); /* * CBS_strdup copies the current contents of |cbs| into |*out_ptr| as a * NUL-terminated C string. If |*out_ptr| is not NULL, the contents are freed - * with free. It returns one on success and zero on allocation - * failure. On success, |*out_ptr| should be freed with free. - * - * NOTE: If |cbs| contains NUL bytes, the string will be truncated. Call - * |CBS_contains_zero_byte(cbs)| to check for NUL bytes. + * with free. It returns one on success and zero on failure. On success, + * |*out_ptr| should be freed with free. If |cbs| contains NUL bytes, + * CBS_strdup will fail. */ int CBS_strdup(const CBS *cbs, char **out_ptr); diff --git a/crypto/camellia/camellia.c b/crypto/camellia/camellia.c index 5f754ff..336074a 100644 --- a/crypto/camellia/camellia.c +++ b/crypto/camellia/camellia.c @@ -1,4 +1,4 @@ -/* $OpenBSD: camellia.c,v 1.11 2016/09/04 14:31:29 jsing Exp $ */ +/* $OpenBSD: camellia.c,v 1.12 2022/11/26 16:08:51 tb Exp $ */ /* ==================================================================== * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) . * ALL RIGHTS RESERVED. @@ -87,7 +87,7 @@ #include #include -#include "cmll_locl.h" +#include "cmll_local.h" /* 32-bit rotations */ #if !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) diff --git a/crypto/camellia/cmll-elf-x86_64.S b/crypto/camellia/cmll-elf-x86_64.S index 64a1af0..ab4a184 100644 --- a/crypto/camellia/cmll-elf-x86_64.S +++ b/crypto/camellia/cmll-elf-x86_64.S @@ -6,6 +6,7 @@ .type Camellia_EncryptBlock,@function .align 16 Camellia_EncryptBlock: + endbr64 movl $128,%eax subl %edi,%eax movl $3,%edi @@ -18,6 +19,7 @@ Camellia_EncryptBlock: .align 16 .Lenc_rounds: Camellia_EncryptBlock_Rounds: + endbr64 pushq %rbx pushq %rbp pushq %r13 
@@ -66,6 +68,7 @@ Camellia_EncryptBlock_Rounds: .type _x86_64_Camellia_encrypt,@function .align 16 _x86_64_Camellia_encrypt: + endbr64 xorl 0(%r14),%r9d xorl 4(%r14),%r8d xorl 8(%r14),%r11d @@ -275,6 +278,7 @@ _x86_64_Camellia_encrypt: .type Camellia_DecryptBlock,@function .align 16 Camellia_DecryptBlock: + endbr64 movl $128,%eax subl %edi,%eax movl $3,%edi @@ -287,6 +291,7 @@ Camellia_DecryptBlock: .align 16 .Ldec_rounds: Camellia_DecryptBlock_Rounds: + endbr64 pushq %rbx pushq %rbp pushq %r13 @@ -335,6 +340,7 @@ Camellia_DecryptBlock_Rounds: .type _x86_64_Camellia_decrypt,@function .align 16 _x86_64_Camellia_decrypt: + endbr64 xorl 0(%r14),%r9d xorl 4(%r14),%r8d xorl 8(%r14),%r11d @@ -543,6 +549,7 @@ _x86_64_Camellia_decrypt: .type Camellia_Ekeygen,@function .align 16 Camellia_Ekeygen: + endbr64 pushq %rbx pushq %rbp pushq %r13 @@ -1083,6 +1090,7 @@ Camellia_Ekeygen: .Lkey_epilogue: retq .size Camellia_Ekeygen,.-Camellia_Ekeygen +.section .rodata .align 64 .LCamellia_SIGMA: .long 0x3bcc908b, 0xa09e667f, 0x4caa73b2, 0xb67ae858 @@ -1602,10 +1610,12 @@ Camellia_Ekeygen: .long 0x008f8f8f,0xe300e3e3 .long 0x00010101,0x40004040 .long 0x003d3d3d,0x4f004f4f +.text .globl Camellia_cbc_encrypt .type Camellia_cbc_encrypt,@function .align 16 Camellia_cbc_encrypt: + endbr64 cmpq $0,%rdx je .Lcbc_abort pushq %rbx @@ -1835,8 +1845,6 @@ Camellia_cbc_encrypt: .Lcbc_abort: retq .size Camellia_cbc_encrypt,.-Camellia_cbc_encrypt - -.byte 67,97,109,101,108,108,105,97,32,102,111,114,32,120,56,54,95,54,52,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 #if defined(HAVE_GNU_STACK) .section .note.GNU-stack,"",%progbits #endif diff --git a/crypto/camellia/cmll-macosx-x86_64.S b/crypto/camellia/cmll-macosx-x86_64.S index 5e7a1b7..4c5d8cb 100644 --- a/crypto/camellia/cmll-macosx-x86_64.S +++ b/crypto/camellia/cmll-macosx-x86_64.S @@ -6,6 +6,7 @@ .p2align 4 _Camellia_EncryptBlock: + movl $128,%eax subl %edi,%eax movl $3,%edi 
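Review bot: The `endbr64` instructions only have an effect if the object is also marked IBT-capable; the hunk at -1835 shows the file trailer still emits only the `.note.GNU-stack` section, and unless a `.note.gnu.property` note carrying GNU_PROPERTY_X86_FEATURE_1_IBT is produced elsewhere (a shared include or the build), the linker will not set the property on the output and IBT stays off for the whole library. Moving the SIGMA/SBOX tables under `.section .rodata` and switching back with `.text` before Camellia_cbc_encrypt is the right call, since those tables no longer live in an executable mapping. Dropping the trailing `.byte` banner string is fine.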
@@ -18,6 +19,7 @@ _Camellia_EncryptBlock: .p2align 4 L$enc_rounds: _Camellia_EncryptBlock_Rounds: + pushq %rbx pushq %rbp pushq %r13 @@ -66,6 +68,7 @@ L$enc_epilogue: .p2align 4 _x86_64_Camellia_encrypt: + xorl 0(%r14),%r9d xorl 4(%r14),%r8d xorl 8(%r14),%r11d @@ -275,6 +278,7 @@ L$edone: .p2align 4 _Camellia_DecryptBlock: + movl $128,%eax subl %edi,%eax movl $3,%edi @@ -287,6 +291,7 @@ _Camellia_DecryptBlock: .p2align 4 L$dec_rounds: _Camellia_DecryptBlock_Rounds: + pushq %rbx pushq %rbp pushq %r13 @@ -335,6 +340,7 @@ L$dec_epilogue: .p2align 4 _x86_64_Camellia_decrypt: + xorl 0(%r14),%r9d xorl 4(%r14),%r8d xorl 8(%r14),%r11d @@ -543,6 +549,7 @@ L$ddone: .p2align 4 _Camellia_Ekeygen: + pushq %rbx pushq %rbp pushq %r13 @@ -1083,6 +1090,7 @@ L$done: L$key_epilogue: retq +.section __DATA,__const .p2align 6 L$Camellia_SIGMA: .long 0x3bcc908b, 0xa09e667f, 0x4caa73b2, 0xb67ae858 @@ -1602,10 +1610,12 @@ L$Camellia_SBOX: .long 0x008f8f8f,0xe300e3e3 .long 0x00010101,0x40004040 .long 0x003d3d3d,0x4f004f4f +.text .globl _Camellia_cbc_encrypt .p2align 4 _Camellia_cbc_encrypt: + cmpq $0,%rdx je L$cbc_abort pushq %rbx @@ -1835,5 +1845,3 @@ L$cbc_done: L$cbc_abort: retq - -.byte 67,97,109,101,108,108,105,97,32,102,111,114,32,120,56,54,95,54,52,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 diff --git a/crypto/camellia/cmll-masm-x86_64.S b/crypto/camellia/cmll-masm-x86_64.S index e1871b5..820a4fa 100644 --- a/crypto/camellia/cmll-masm-x86_64.S +++ b/crypto/camellia/cmll-masm-x86_64.S @@ -74,6 +74,7 @@ PUBLIC Camellia_EncryptBlock ALIGN 16 Camellia_EncryptBlock PROC PUBLIC + endbr64 mov eax,128 sub eax,edi mov edi,3 @@ -96,6 +97,7 @@ $L$SEH_begin_Camellia_EncryptBlock_Rounds:: mov rcx,r9 + endbr64 push rbx push rbp push r13 @@ -147,6 +149,7 @@ Camellia_EncryptBlock_Rounds ENDP ALIGN 16 _x86_64_Camellia_encrypt PROC PRIVATE + endbr64 xor r9d,DWORD PTR[r14] xor r8d,DWORD PTR[4+r14] xor r11d,DWORD PTR[8+r14] 
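Review bot: Every added line in cmll-macosx-x86_64.S appears empty in the diff as rendered (e.g. directly after `_Camellia_EncryptBlock:`), where the ELF variant adds `endbr64`; if the generator's CET macro expands to nothing for Mach-O that is harmless, but the regenerated file now carries eight blank lines inside function entries and a reader comparing the two variants has nothing to see. Either emit `endbr64` here as well (it decodes as a NOP on CPUs without CET) or drop the empty lines. The `.section __DATA,__const` move for the tables mirrors the ELF change and looks right.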
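Review bot: In cmll-masm-x86_64.S the `endbr64` for Camellia_EncryptBlock_Rounds is placed after the Win64 argument shuffle (`mov rcx,r9` is the line right before it) rather than at the instruction an indirect call would land on, so under IBT enforcement the call reaches the prologue, not the `endbr64`, and faults; the same placement appears in the -378 (Camellia_DecryptBlock_Rounds), -646 (Camellia_Ekeygen) and -1724 (Camellia_cbc_encrypt) hunks of this file and in the -27, -307, -573 and -1649 hunks of cmll-mingw64-x86_64.S, where `movq %r9,%rcx` / `movq %r8,%rdx` precede it. The entry labels sit above each hunk so I cannot see them, but `endbr64` needs to be the first instruction at the label that external callers target, ahead of whatever register spills the prologue does. The PROC PUBLIC / plain-label entries where the label is visible (Camellia_EncryptBlock, _x86_64_Camellia_encrypt, and their decrypt counterparts) have it in the right place.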
@@ -356,6 +359,7 @@ PUBLIC Camellia_DecryptBlock ALIGN 16 Camellia_DecryptBlock PROC PUBLIC + endbr64 mov eax,128 sub eax,edi mov edi,3 @@ -378,6 +382,7 @@ $L$SEH_begin_Camellia_DecryptBlock_Rounds:: mov rcx,r9 + endbr64 push rbx push rbp push r13 @@ -429,6 +434,7 @@ Camellia_DecryptBlock_Rounds ENDP ALIGN 16 _x86_64_Camellia_decrypt PROC PRIVATE + endbr64 xor r9d,DWORD PTR[r14] xor r8d,DWORD PTR[4+r14] xor r11d,DWORD PTR[8+r14] @@ -646,6 +652,7 @@ $L$SEH_begin_Camellia_Ekeygen:: mov rdx,r8 + endbr64 push rbx push rbp push r13 @@ -1189,6 +1196,8 @@ $L$key_epilogue:: DB 0F3h,0C3h ;repret $L$SEH_end_Camellia_Ekeygen:: Camellia_Ekeygen ENDP +.text$ ENDS +.rdata SEGMENT READONLY ALIGN(8) ALIGN 64 $L$Camellia_SIGMA:: DD 03bcc908bh,0a09e667fh,04caa73b2h,0b67ae858h @@ -1708,6 +1717,8 @@ $L$Camellia_SBOX:: DD 0008f8f8fh,0e300e3e3h DD 000010101h,040004040h DD 0003d3d3dh,04f004f4fh +.rdata ENDS +.text$ SEGMENT ALIGN(64) 'CODE' PUBLIC Camellia_cbc_encrypt ALIGN 16 @@ -1724,6 +1735,7 @@ $L$SEH_begin_Camellia_cbc_encrypt:: mov r9,QWORD PTR[48+rsp] + endbr64 cmp rdx,0 je $L$cbc_abort push rbx @@ -1957,10 +1969,6 @@ $L$cbc_abort:: $L$SEH_end_Camellia_cbc_encrypt:: Camellia_cbc_encrypt ENDP -DB 67,97,109,101,108,108,105,97,32,102,111,114,32,120,56,54 -DB 95,54,52,32,98,121,32,60,97,112,112,114,111,64,111,112 -DB 101,110,115,115,108,46,111,114,103,62,0 - .text$ ENDS END diff --git a/crypto/camellia/cmll-mingw64-x86_64.S b/crypto/camellia/cmll-mingw64-x86_64.S index 75966f4..2f144e2 100644 --- a/crypto/camellia/cmll-mingw64-x86_64.S +++ b/crypto/camellia/cmll-mingw64-x86_64.S @@ -6,6 +6,7 @@ .def Camellia_EncryptBlock; .scl 2; .type 32; .endef .p2align 4 Camellia_EncryptBlock: + endbr64 movl $128,%eax subl %edi,%eax movl $3,%edi @@ -27,6 +28,7 @@ Camellia_EncryptBlock_Rounds: movq %r8,%rdx movq %r9,%rcx + endbr64 pushq %rbx pushq %rbp pushq %r13 
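Review bot: The new `.rdata SEGMENT READONLY ALIGN(8)` at -1189 is immediately followed by the existing `ALIGN 64` for `$L$Camellia_SIGMA`; MASM documents ALIGN as not exceeding the enclosing segment's alignment, so this is worth checking with ml64 before merge, and even if it assembles the 64-byte alignment the tables had in the code segment is no longer guaranteed — `.rdata SEGMENT READONLY ALIGN(64)` would preserve it. Closing with `.text$ ENDS` and reopening `.text$ SEGMENT ALIGN(64) 'CODE'` before Camellia_cbc_encrypt is consistent, assuming it matches the file's opening segment declaration, which is outside the hunk.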
@@ -77,6 +79,7 @@ Camellia_EncryptBlock_Rounds: .def _x86_64_Camellia_encrypt; .scl 3; .type 32; .endef .p2align 4 _x86_64_Camellia_encrypt: + endbr64 xorl 0(%r14),%r9d xorl 4(%r14),%r8d xorl 8(%r14),%r11d @@ -286,6 +289,7 @@ _x86_64_Camellia_encrypt: .def Camellia_DecryptBlock; .scl 2; .type 32; .endef .p2align 4 Camellia_DecryptBlock: + endbr64 movl $128,%eax subl %edi,%eax movl $3,%edi @@ -307,6 +311,7 @@ Camellia_DecryptBlock_Rounds: movq %r8,%rdx movq %r9,%rcx + endbr64 pushq %rbx pushq %rbp pushq %r13 @@ -357,6 +362,7 @@ Camellia_DecryptBlock_Rounds: .def _x86_64_Camellia_decrypt; .scl 3; .type 32; .endef .p2align 4 _x86_64_Camellia_decrypt: + endbr64 xorl 0(%r14),%r9d xorl 4(%r14),%r8d xorl 8(%r14),%r11d @@ -573,6 +579,7 @@ Camellia_Ekeygen: movq %rdx,%rsi movq %r8,%rdx + endbr64 pushq %rbx pushq %rbp pushq %r13 @@ -1115,6 +1122,7 @@ Camellia_Ekeygen: movq 16(%rsp),%rsi retq .LSEH_end_Camellia_Ekeygen: +.section .rodata .p2align 6 .LCamellia_SIGMA: .long 0x3bcc908b, 0xa09e667f, 0x4caa73b2, 0xb67ae858 @@ -1634,6 +1642,7 @@ Camellia_Ekeygen: .long 0x008f8f8f,0xe300e3e3 .long 0x00010101,0x40004040 .long 0x003d3d3d,0x4f004f4f +.text .globl Camellia_cbc_encrypt .def Camellia_cbc_encrypt; .scl 2; .type 32; .endef .p2align 4 @@ -1649,6 +1658,7 @@ Camellia_cbc_encrypt: movq 40(%rsp),%r8 movq 48(%rsp),%r9 + endbr64 cmpq $0,%rdx je .Lcbc_abort pushq %rbx @@ -1880,5 +1890,3 @@ Camellia_cbc_encrypt: movq 16(%rsp),%rsi retq .LSEH_end_Camellia_cbc_encrypt: - -.byte 67,97,109,101,108,108,105,97,32,102,111,114,32,120,56,54,95,54,52,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 diff --git a/crypto/camellia/cmll_ecb.c b/crypto/camellia/cmll_ecb.c index 1a65445..b47ece7 100644 --- a/crypto/camellia/cmll_ecb.c +++ b/crypto/camellia/cmll_ecb.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: cmll_ecb.c,v 1.4 2014/11/13 20:01:58 miod Exp $ */ +/* $OpenBSD: cmll_ecb.c,v 1.5 2022/11/26 16:08:51 tb Exp $ */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * @@ -50,7 +50,7 @@ */ #include -#include "cmll_locl.h" +#include "cmll_local.h" void Camellia_ecb_encrypt(const unsigned char *in, unsigned char *out, diff --git a/crypto/camellia/cmll_locl.h b/crypto/camellia/cmll_local.h similarity index 95% rename from crypto/camellia/cmll_locl.h rename to crypto/camellia/cmll_local.h index 325b6e2..ed9807c 100644 --- a/crypto/camellia/cmll_locl.h +++ b/crypto/camellia/cmll_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cmll_locl.h,v 1.6 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: cmll_local.h,v 1.2 2022/11/26 17:23:17 tb Exp $ */ /* ==================================================================== * Copyright 2006 NTT (Nippon Telegraph and Telephone Corporation) . * ALL RIGHTS RESERVED. @@ -65,8 +65,8 @@ * ==================================================================== */ -#ifndef HEADER_CAMELLIA_LOCL_H -#define HEADER_CAMELLIA_LOCL_H +#ifndef HEADER_CAMELLIA_LOCAL_H +#define HEADER_CAMELLIA_LOCAL_H __BEGIN_HIDDEN_DECLS @@ -86,4 +86,4 @@ void Camellia_DecryptBlock(int keyBitLength, const u8 ciphertext[], __END_HIDDEN_DECLS -#endif /* #ifndef HEADER_CAMELLIA_LOCL_H */ +#endif /* !HEADER_CAMELLIA_LOCAL_H */ diff --git a/crypto/camellia/cmll_misc.c b/crypto/camellia/cmll_misc.c index 2fa61dc..9fce92d 100644 --- a/crypto/camellia/cmll_misc.c +++ b/crypto/camellia/cmll_misc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cmll_misc.c,v 1.6 2014/11/13 20:01:58 miod Exp $ */ +/* $OpenBSD: cmll_misc.c,v 1.7 2022/11/26 16:08:51 tb Exp $ */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * 
@@ -52,7 +52,7 @@ #include #include #include -#include "cmll_locl.h" +#include "cmll_local.h" int Camellia_set_key(const unsigned char *userKey, const int bits, diff --git a/crypto/cast/c_cfb64.c b/crypto/cast/c_cfb64.c index 726d19e..9586f93 100644 --- a/crypto/cast/c_cfb64.c +++ b/crypto/cast/c_cfb64.c @@ -1,4 +1,4 @@ -/* $OpenBSD: c_cfb64.c,v 1.5 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: c_cfb64.c,v 1.6 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "cast_lcl.h" +#include "cast_local.h" /* The input and output encrypted as though 64bit cfb mode is being * used. The extra state information to record how much of the diff --git a/crypto/cast/c_ecb.c b/crypto/cast/c_ecb.c index c3a01b7..e4ad05c 100644 --- a/crypto/cast/c_ecb.c +++ b/crypto/cast/c_ecb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: c_ecb.c,v 1.7 2014/07/09 11:10:50 bcook Exp $ */ +/* $OpenBSD: c_ecb.c,v 1.8 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "cast_lcl.h" +#include "cast_local.h" #include void CAST_ecb_encrypt(const unsigned char *in, unsigned char *out, diff --git a/crypto/cast/c_enc.c b/crypto/cast/c_enc.c index 5999a59..cc28991 100644 --- a/crypto/cast/c_enc.c +++ b/crypto/cast/c_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: c_enc.c,v 1.7 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: c_enc.c,v 1.8 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "cast_lcl.h" +#include "cast_local.h" #ifndef OPENBSD_CAST_ASM void CAST_encrypt(CAST_LONG *data, const CAST_KEY *key) diff --git a/crypto/cast/c_ofb64.c b/crypto/cast/c_ofb64.c index 611425a..d585915 100644 --- a/crypto/cast/c_ofb64.c +++ b/crypto/cast/c_ofb64.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: c_ofb64.c,v 1.5 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: c_ofb64.c,v 1.6 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "cast_lcl.h" +#include "cast_local.h" /* The input and output encrypted as though 64bit ofb mode is being * used. The extra state information to record how much of the diff --git a/crypto/cast/c_skey.c b/crypto/cast/c_skey.c index 1cea8c8..5f86eff 100644 --- a/crypto/cast/c_skey.c +++ b/crypto/cast/c_skey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: c_skey.c,v 1.11 2014/06/12 15:49:28 deraadt Exp $ */ +/* $OpenBSD: c_skey.c,v 1.12 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -58,7 +58,7 @@ #include #include -#include "cast_lcl.h" +#include "cast_local.h" #include "cast_s.h" #define CAST_exp(l,A,a,n) \ diff --git a/crypto/cast/cast_lcl.h b/crypto/cast/cast_local.h similarity index 99% rename from crypto/cast/cast_lcl.h rename to crypto/cast/cast_local.h index 100ff1f..2ee72a9 100644 --- a/crypto/cast/cast_lcl.h +++ b/crypto/cast/cast_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: cast_lcl.h,v 1.12 2020/01/26 11:49:21 inoguchi Exp $ */ +/* $OpenBSD: cast_local.h,v 1.1 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * diff --git a/crypto/chacha/chacha.c b/crypto/chacha/chacha.c index 6a2dddf..0ce4545 100644 --- a/crypto/chacha/chacha.c +++ b/crypto/chacha/chacha.c @@ -1,4 +1,4 @@ -/* $OpenBSD: chacha.c,v 1.8 2019/01/22 00:59:21 dlg Exp $ */ +/* $OpenBSD: chacha.c,v 1.9 2022/08/20 18:44:58 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -40,6 +40,7 @@ void ChaCha(ChaCha_ctx *ctx, unsigned char *out, const unsigned char *in, size_t len) { unsigned char *k; + uint64_t n; int i, l; /* Consume remaining keystream, if any exists. */ 
@@ -52,7 +53,16 @@ ChaCha(ChaCha_ctx *ctx, unsigned char *out, const unsigned char *in, size_t len) len -= l; } - chacha_encrypt_bytes((chacha_ctx *)ctx, in, out, (uint32_t)len); + while (len > 0) { + if ((n = len) > UINT32_MAX) + n = UINT32_MAX; + + chacha_encrypt_bytes((chacha_ctx *)ctx, in, out, (uint32_t)n); + + in += n; + out += n; + len -= n; + } } void @@ -60,6 +70,7 @@ CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len, const unsigned char key[32], const unsigned char iv[8], uint64_t counter) { struct chacha_ctx ctx; + uint64_t n; /* * chacha_ivsetup expects the counter to be in u8. Rather than @@ -73,7 +84,16 @@ CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len, ctx.input[13] = (uint32_t)(counter >> 32); } - chacha_encrypt_bytes(&ctx, in, out, (uint32_t)len); + while (len > 0) { + if ((n = len) > UINT32_MAX) + n = UINT32_MAX; + + chacha_encrypt_bytes(&ctx, in, out, (uint32_t)n); + + in += n; + out += n; + len -= n; + } } void diff --git a/crypto/cmac/cm_ameth.c b/crypto/cmac/cm_ameth.c index 2695646..04e0eb8 100644 --- a/crypto/cmac/cm_ameth.c +++ b/crypto/cmac/cm_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cm_ameth.c,v 1.8 2021/12/12 21:30:13 tb Exp $ */ +/* $OpenBSD: cm_ameth.c,v 1.10 2022/11/26 16:08:51 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2010. */ @@ -56,8 +56,8 @@ #include #include -#include "asn1_locl.h" -#include "evp_locl.h" +#include "asn1_local.h" +#include "evp_local.h" /* CMAC "ASN1" method. This is just here to indicate the * maximum CMAC output length and to free up a CMAC @@ -73,9 +73,7 @@ cmac_size(const EVP_PKEY *pkey) static void cmac_key_free(EVP_PKEY *pkey) { - CMAC_CTX *cmctx = (CMAC_CTX *)pkey->pkey.ptr; - - CMAC_CTX_free(cmctx); + CMAC_CTX_free(pkey->pkey.ptr); } const EVP_PKEY_ASN1_METHOD cmac_asn1_meth = { diff --git a/crypto/cmac/cm_pmeth.c b/crypto/cmac/cm_pmeth.c index d9059ca..d47cfb7 100644 --- a/crypto/cmac/cm_pmeth.c 
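Review bot: Splitting a long input into UINT32_MAX-byte calls changes the keystream at the chunk boundary unless the chunk size is a multiple of the 64-byte block: UINT32_MAX is 63 mod 64, so the first call ends with a partial block, and if chacha_encrypt_bytes advances the block counter after a partial block (as the merged reference implementation does, and as the "consume remaining keystream" preamble of ChaCha() suggests, since leftover keystream is carried in the context rather than inside chacha_encrypt_bytes) the second call starts on the next block and one keystream byte is skipped, producing output no other ChaCha20 implementation would give for the same key, nonce and counter. Clamp to a block-aligned chunk instead, `if ((n = len) > UINT32_MAX) n = UINT32_MAX - 63;`, both in this ChaCha() loop and in the identical loop added to CRYPTO_chacha_20 in the -73 hunk. This only affects inputs of 4 GiB and more, and chacha_encrypt_bytes is not in the diff, so please confirm against its partial-block handling.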
+++ b/crypto/cmac/cm_pmeth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cm_pmeth.c,v 1.8 2014/07/11 08:44:48 jsing Exp $ */ +/* $OpenBSD: cm_pmeth.c,v 1.10 2022/11/26 16:08:51 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2010. */ @@ -59,7 +59,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" /* The context structure and "key" is simply a CMAC_CTX */ @@ -148,8 +148,7 @@ pkey_cmac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) break; case EVP_PKEY_CTRL_MD: - if (ctx->pkey && !CMAC_CTX_copy(ctx->data, - (CMAC_CTX *)ctx->pkey->pkey.ptr)) + if (ctx->pkey && !CMAC_CTX_copy(ctx->data, ctx->pkey->pkey.ptr)) return 0; if (!CMAC_Init(cmctx, NULL, 0, NULL, NULL)) return 0; diff --git a/crypto/cmac/cmac.c b/crypto/cmac/cmac.c index cd286f8..7135f53 100644 --- a/crypto/cmac/cmac.c +++ b/crypto/cmac/cmac.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cmac.c,v 1.11 2021/12/12 21:30:13 tb Exp $ */ +/* $OpenBSD: cmac.c,v 1.13 2022/12/26 07:18:51 jmc Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -57,7 +57,7 @@ #include -#include "evp_locl.h" +#include "evp_local.h" struct CMAC_CTX_st { /* Cipher context to use */ @@ -167,7 +167,7 @@ CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen, ctx->nlast_block = 0; return 1; } - /* Initialiase context */ + /* Initialise context */ if (cipher && !EVP_EncryptInit_ex(&ctx->cctx, cipher, impl, NULL, NULL)) return 0; /* Non-NULL key means initialisation complete */ diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c index cc00aef..7948a3c 100644 --- a/crypto/cms/cms_asn1.c +++ b/crypto/cms/cms_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms_asn1.c,v 1.19 2022/01/14 08:16:13 tb Exp $ */ +/* $OpenBSD: cms_asn1.c,v 1.22 2023/05/23 06:55:31 tb Exp $ */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. 
@@ -56,7 +56,7 @@ #include #include #include -#include "cms_lcl.h" +#include "cms_local.h" static const ASN1_TEMPLATE CMS_IssuerAndSerialNumber_seq_tt[] = { @@ -1250,7 +1250,6 @@ static const ASN1_ADB_TABLE CMS_ContentInfo_adbtbl[] = { .field_name = "d.data", .item = &ASN1_OCTET_STRING_NDEF_it, }, - }, { .value = NID_pkcs7_signed, @@ -1261,7 +1260,6 @@ static const ASN1_ADB_TABLE CMS_ContentInfo_adbtbl[] = { .field_name = "d.signedData", .item = &CMS_SignedData_it, }, - }, { .value = NID_pkcs7_enveloped, @@ -1272,7 +1270,6 @@ static const ASN1_ADB_TABLE CMS_ContentInfo_adbtbl[] = { .field_name = "d.envelopedData", .item = &CMS_EnvelopedData_it, }, - }, { .value = NID_pkcs7_digest, @@ -1283,7 +1280,6 @@ static const ASN1_ADB_TABLE CMS_ContentInfo_adbtbl[] = { .field_name = "d.digestedData", .item = &CMS_DigestedData_it, }, - }, { .value = NID_pkcs7_encrypted, @@ -1294,7 +1290,6 @@ static const ASN1_ADB_TABLE CMS_ContentInfo_adbtbl[] = { .field_name = "d.encryptedData", .item = &CMS_EncryptedData_it, }, - }, { .value = NID_id_smime_ct_authData, @@ -1305,7 +1300,6 @@ static const ASN1_ADB_TABLE CMS_ContentInfo_adbtbl[] = { .field_name = "d.authenticatedData", .item = &CMS_AuthenticatedData_it, }, - }, { .value = NID_id_smime_ct_compressedData, @@ -1316,7 +1310,6 @@ static const ASN1_ADB_TABLE CMS_ContentInfo_adbtbl[] = { .field_name = "d.compressedData", .item = &CMS_CompressedData_it, }, - }, }; @@ -1335,16 +1328,18 @@ cms_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) { ASN1_STREAM_ARG *sarg = exarg; CMS_ContentInfo *cms = NULL; + if (pval) cms = (CMS_ContentInfo *)*pval; else return 1; - switch (operation) { + switch (operation) { case ASN1_OP_STREAM_PRE: if (CMS_stream(&sarg->boundary, cms) <= 0) return 0; - /* fall thru */ + /* FALLTHROUGH */ + case ASN1_OP_DETACHED_PRE: sarg->ndef_bio = CMS_dataInit(cms, sarg->out); if (!sarg->ndef_bio) 
@@ -1356,8 +1351,8 @@ cms_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) if (CMS_dataFinal(cms, sarg->ndef_bio) <= 0) return 0; break; - } + return 1; } diff --git a/crypto/cms/cms_att.c b/crypto/cms/cms_att.c index b03c743..0fb077f 100644 --- a/crypto/cms/cms_att.c +++ b/crypto/cms/cms_att.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms_att.c,v 1.9 2019/08/10 18:15:52 jsing Exp $ */ +/* $OpenBSD: cms_att.c,v 1.10 2022/11/26 16:08:51 tb Exp $ */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. @@ -57,7 +57,7 @@ #include #include #include -#include "cms_lcl.h" +#include "cms_local.h" /* CMS SignedData Attribute utilities */ diff --git a/crypto/cms/cms_cd.c b/crypto/cms/cms_cd.c index ec67cf1..3ecf801 100644 --- a/crypto/cms/cms_cd.c +++ b/crypto/cms/cms_cd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms_cd.c,v 1.15 2019/08/11 11:04:18 jsing Exp $ */ +/* $OpenBSD: cms_cd.c,v 1.16 2022/11/26 16:08:51 tb Exp $ */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. @@ -60,7 +60,7 @@ #include #include #include -#include "cms_lcl.h" +#include "cms_local.h" #ifdef ZLIB diff --git a/crypto/cms/cms_dd.c b/crypto/cms/cms_dd.c index f1aafe3..a08fccc 100644 --- a/crypto/cms/cms_dd.c +++ b/crypto/cms/cms_dd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms_dd.c,v 1.14 2019/08/11 11:04:18 jsing Exp $ */ +/* $OpenBSD: cms_dd.c,v 1.15 2022/11/26 16:08:51 tb Exp $ */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. @@ -60,7 +60,7 @@ #include #include #include -#include "cms_lcl.h" +#include "cms_local.h" /* CMS DigestedData Utilities */ diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c index ccbb6a5..06dffcb 100644 --- a/crypto/cms/cms_enc.c +++ b/crypto/cms/cms_enc.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: cms_enc.c,v 1.21 2022/01/20 10:58:35 inoguchi Exp $ */ +/* $OpenBSD: cms_enc.c,v 1.22 2022/11/26 16:08:51 tb Exp $ */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. @@ -61,7 +61,7 @@ #include #include #include -#include "cms_lcl.h" +#include "cms_local.h" /* CMS EncryptedData Utilities */ diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c index a88ea63..1d534e3 100644 --- a/crypto/cms/cms_env.c +++ b/crypto/cms/cms_env.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms_env.c,v 1.24 2021/09/08 14:33:02 tb Exp $ */ +/* $OpenBSD: cms_env.c,v 1.25 2022/11/26 16:08:51 tb Exp $ */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. @@ -61,9 +61,9 @@ #include #include #include -#include "cms_lcl.h" -#include "asn1/asn1_locl.h" -#include "evp/evp_locl.h" +#include "cms_local.h" +#include "asn1/asn1_local.h" +#include "evp/evp_local.h" /* CMS EnvelopedData Utilities */ diff --git a/crypto/cms/cms_err.c b/crypto/cms/cms_err.c index 2fd550c..07869ff 100644 --- a/crypto/cms/cms_err.c +++ b/crypto/cms/cms_err.c @@ -1,6 +1,5 @@ -/* $OpenBSD: cms_err.c,v 1.12 2020/06/05 16:51:12 jsing Exp $ */ +/* $OpenBSD: cms_err.c,v 1.13 2022/07/12 14:42:48 kn Exp $ */ /* - * Generated by util/mkerr.pl DO NOT EDIT * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c index 9420405..88ea6e9 100644 --- a/crypto/cms/cms_ess.c +++ b/crypto/cms/cms_ess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms_ess.c,v 1.21 2019/08/11 14:19:09 jsing Exp $ */ +/* $OpenBSD: cms_ess.c,v 1.22 2022/11/26 16:08:51 tb Exp $ */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. @@ -61,7 +61,7 @@ #include #include #include -#include "cms_lcl.h" +#include "cms_local.h" CMS_ReceiptRequest * 
diff --git a/crypto/cms/cms_io.c b/crypto/cms/cms_io.c index 4466d6a..38e76e0 100644 --- a/crypto/cms/cms_io.c +++ b/crypto/cms/cms_io.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms_io.c,v 1.11 2019/08/11 10:38:27 jsing Exp $ */ +/* $OpenBSD: cms_io.c,v 1.19 2023/04/26 14:23:18 tb Exp $ */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. @@ -53,30 +53,34 @@ */ #include -#include +#include #include #include -#include -#include "cms_lcl.h" +#include + +#include "asn1_local.h" +#include "cms_local.h" int CMS_stream(unsigned char ***boundary, CMS_ContentInfo *cms) { ASN1_OCTET_STRING **pos; - pos = CMS_get0_content(cms); - if (pos == NULL) + if ((pos = CMS_get0_content(cms)) == NULL) return 0; + if (*pos == NULL) *pos = ASN1_OCTET_STRING_new(); - if (*pos != NULL) { - (*pos)->flags |= ASN1_STRING_FLAG_NDEF; - (*pos)->flags &= ~ASN1_STRING_FLAG_CONT; - *boundary = &(*pos)->data; - return 1; + if (*pos == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; } - CMSerror(ERR_R_MALLOC_FAILURE); - return 0; + + (*pos)->flags |= ASN1_STRING_FLAG_NDEF; + (*pos)->flags &= ~ASN1_STRING_FLAG_CONT; + *boundary = &(*pos)->data; + + return 1; } CMS_ContentInfo * 
@@ -95,44 +99,44 @@ i2d_CMS_bio(BIO *bp, CMS_ContentInfo *cms) CMS_ContentInfo * PEM_read_bio_CMS(BIO *bp, CMS_ContentInfo **x, pem_password_cb *cb, void *u) { - return PEM_ASN1_read_bio((d2i_of_void *)d2i_CMS_ContentInfo, PEM_STRING_CMS, bp, - (void **)x, cb, u); + return PEM_ASN1_read_bio((d2i_of_void *)d2i_CMS_ContentInfo, + PEM_STRING_CMS, bp, (void **)x, cb, u); } CMS_ContentInfo * PEM_read_CMS(FILE *fp, CMS_ContentInfo **x, pem_password_cb *cb, void *u) { - return PEM_ASN1_read((d2i_of_void *)d2i_CMS_ContentInfo, PEM_STRING_CMS, fp, - (void **)x, cb, u); + return PEM_ASN1_read((d2i_of_void *)d2i_CMS_ContentInfo, + PEM_STRING_CMS, fp, (void **)x, cb, u); } int PEM_write_bio_CMS(BIO *bp, const CMS_ContentInfo *x) { - return PEM_ASN1_write_bio((i2d_of_void *)i2d_CMS_ContentInfo, PEM_STRING_CMS, bp, - (void *)x, NULL, NULL, 0, NULL, NULL); + return PEM_ASN1_write_bio((i2d_of_void *)i2d_CMS_ContentInfo, + PEM_STRING_CMS, bp, (void *)x, NULL, NULL, 0, NULL, NULL); } int PEM_write_CMS(FILE *fp, const CMS_ContentInfo *x) { - return PEM_ASN1_write((i2d_of_void *)i2d_CMS_ContentInfo, PEM_STRING_CMS, fp, - (void *)x, NULL, NULL, 0, NULL, NULL); + return PEM_ASN1_write((i2d_of_void *)i2d_CMS_ContentInfo, + PEM_STRING_CMS, fp, (void *)x, NULL, NULL, 0, NULL, NULL); } BIO * BIO_new_CMS(BIO *out, CMS_ContentInfo *cms) { - return BIO_new_NDEF(out, (ASN1_VALUE *)cms, - &CMS_ContentInfo_it); + return BIO_new_NDEF(out, (ASN1_VALUE *)cms, &CMS_ContentInfo_it); } /* CMS wrappers round generalised stream and MIME routines */ -int i2d_CMS_bio_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, int flags) +int +i2d_CMS_bio_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, int flags) { return i2d_ASN1_bio_stream(out, (ASN1_VALUE *)cms, in, flags, - &CMS_ContentInfo_it); + &CMS_ContentInfo_it); } int 
@@ -145,14 +149,12 @@ PEM_write_bio_CMS_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, int flags)
 int
 SMIME_write_CMS(BIO *bio, CMS_ContentInfo *cms, BIO *data, int flags)
 {
-	STACK_OF(X509_ALGOR) *mdalgs;
+	STACK_OF(X509_ALGOR) *mdalgs = NULL;
 	int ctype_nid = OBJ_obj2nid(cms->contentType);
 	int econt_nid = OBJ_obj2nid(CMS_get0_eContentType(cms));
 	if (ctype_nid == NID_pkcs7_signed)
 		mdalgs = cms->d.signedData->digestAlgorithms;
-	else
-		mdalgs = NULL;
 	return SMIME_write_ASN1(bio, (ASN1_VALUE *)cms, data, flags, ctype_nid, econt_nid, mdalgs, &CMS_ContentInfo_it);
diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c
index 21e3ce8..0294007 100644
--- a/crypto/cms/cms_kari.c
+++ b/crypto/cms/cms_kari.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_kari.c,v 1.13 2019/08/11 14:27:01 jsing Exp $ */
+/* $OpenBSD: cms_kari.c,v 1.14 2022/11/26 16:08:51 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -61,8 +61,8 @@
 #include
 #include
 #include
-#include "cms_lcl.h"
-#include "asn1/asn1_locl.h"
+#include "cms_local.h"
+#include "asn1/asn1_local.h"
 /* Key Agreement Recipient Info (KARI) routines */
diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c
index 21adef7..ee93859 100644
--- a/crypto/cms/cms_lib.c
+++ b/crypto/cms/cms_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_lib.c,v 1.15 2021/11/01 20:53:08 tb Exp $ */
+/* $OpenBSD: cms_lib.c,v 1.16 2022/11/26 16:08:51 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -60,8 +60,8 @@
 #include
 #include
-#include "cms_lcl.h"
-#include "x509_lcl.h"
+#include "cms_local.h"
+#include "x509_local.h"
 CMS_ContentInfo *
 d2i_CMS_ContentInfo(CMS_ContentInfo **a, const unsigned char **in, long len)
diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_local.h
similarity index 99%
rename from crypto/cms/cms_lcl.h
rename to crypto/cms/cms_local.h
index 8083e55..65a684e 100644
--- a/crypto/cms/cms_lcl.h
+++ b/crypto/cms/cms_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_lcl.h,v 1.12 2019/10/04 18:03:56 tb Exp $ */
+/* $OpenBSD: cms_local.h,v 1.2 2022/11/26 17:23:17 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -52,8 +52,8 @@
  * ====================================================================
  */
-#ifndef HEADER_CMS_LCL_H
-#define HEADER_CMS_LCL_H
+#ifndef HEADER_CMS_LOCAL_H
+#define HEADER_CMS_LOCAL_H
 #include
@@ -481,4 +481,4 @@ extern const ASN1_ITEM CMS_RevocationInfoChoice_it;
 extern const ASN1_ITEM CMS_SignedData_it;
 extern const ASN1_ITEM CMS_CompressedData_it;
-#endif
+#endif /* !HEADER_CMS_LOCAL_H */
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
index eb241a6..3348b60 100644
--- a/crypto/cms/cms_pwri.c
+++ b/crypto/cms/cms_pwri.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_pwri.c,v 1.27 2022/01/19 13:47:44 inoguchi Exp $ */
+/* $OpenBSD: cms_pwri.c,v 1.28 2022/11/26 16:08:51 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -62,8 +62,8 @@
 #include
 #include
 #include
-#include "cms_lcl.h"
-#include "asn1/asn1_locl.h"
+#include "cms_local.h"
+#include "asn1/asn1_local.h"
 int
 CMS_RecipientInfo_set0_password(CMS_RecipientInfo *ri, unsigned char *pass,
diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c
index 95343d0..8df78fe 100644
--- a/crypto/cms/cms_sd.c
+++ b/crypto/cms/cms_sd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_sd.c,v 1.23 2019/08/11 14:35:57 jsing Exp $ */
+/* $OpenBSD: cms_sd.c,v 1.25 2022/11/26 16:08:51 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -61,9 +61,9 @@
 #include
 #include
 #include
-#include "cms_lcl.h"
-#include "asn1/asn1_locl.h"
-#include "evp/evp_locl.h"
+#include "cms_local.h"
+#include "asn1/asn1_local.h"
+#include "evp/evp_local.h"
 /* CMS SignedData Utilities */
@@ -955,9 +955,12 @@ CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **algs, int algnid, int keysize)
 	ASN1_INTEGER *key = NULL;
 	if (keysize > 0) {
-		key = ASN1_INTEGER_new();
-		if (key == NULL || !ASN1_INTEGER_set(key, keysize))
+		if ((key = ASN1_INTEGER_new()) == NULL)
 			return 0;
+		if (!ASN1_INTEGER_set(key, keysize)) {
+			ASN1_INTEGER_free(key);
+			return 0;
+		}
 	}
 	alg = X509_ALGOR_new();
 	if (alg == NULL) {
diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c
index 367810f..d21ff12 100644
--- a/crypto/cms/cms_smime.c
+++ b/crypto/cms/cms_smime.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_smime.c,v 1.24 2019/10/04 18:03:56 tb Exp $ */
+/* $OpenBSD: cms_smime.c,v 1.25 2022/11/26 16:08:51 tb Exp $ */
 /*
  * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project.
@@ -58,8 +58,8 @@
 #include
 #include
 #include
-#include "cms_lcl.h"
-#include "asn1/asn1_locl.h"
+#include "cms_local.h"
+#include "asn1/asn1_local.h"
 static BIO *
 cms_get_text_bio(BIO *out, unsigned int flags)
diff --git a/crypto/comp/c_rle.c b/crypto/comp/c_rle.c
index 93b2f3c..c2c279d 100644
--- a/crypto/comp/c_rle.c
+++ b/crypto/comp/c_rle.c
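Review bot: The new `ASN1_INTEGER_set` failure branch in CMS_add_simple_smimecap now frees `key`, but the `if (alg == NULL) {` branch that immediately follows begins outside the hunk, so this diff does not show whether `key` is also released when `X509_ALGOR_new()` fails. If that pre-existing path returns without `ASN1_INTEGER_free(key)` (or without jumping to a common `err:` label that does), the leak is only half fixed and the same allocation still escapes on the second failure point. Worth checking the lines right after the hunk, and, if they already free it, a one-line comment such as `/* key is released by the alg == NULL path below */` would make the ownership hand-off visible. CMS_add_simple_smimecap continues past the end of the hunk.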
@@ -1,7 +1,121 @@ -/* $OpenBSD: c_rle.c,v 1.9 2022/01/09 23:50:10 tb Exp $ */ +/* $OpenBSD: c_rle.c,v 1.11 2022/12/24 07:12:09 tb Exp $ */ +/* + * --------------------------------------------------------------------------- + * Patches to this file were contributed by + * Ulf Moeller and Bodo Moeller . + * --------------------------------------------------------------------------- + * Copyright (c) 1999, 2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + * --------------------------------------------------------------------------- + * Parts of this file are derived from SSLeay code + * which is covered by the following Copyright and license: + * --------------------------------------------------------------------------- + * Copyright (c) 1998 Eric Young + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young . + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson . 
+ * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given + * attribution as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young " + * The word 'cryptographic' can be left out if the rouines from the + * library being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) + * from the apps directory (application code) you must include an + * acknowledgement: "This product includes software written + * by Tim Hudson " + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version + * or derivative of this code cannot be changed. i.e. this code cannot + * simply be copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + #include #include #include + #include #include diff --git a/crypto/comp/c_zlib.c b/crypto/comp/c_zlib.c index bdcd7e0..009737d 100644 --- a/crypto/comp/c_zlib.c +++ b/crypto/comp/c_zlib.c 
@@ -1,11 +1,128 @@ -/* $OpenBSD: c_zlib.c,v 1.22 2022/01/14 08:40:57 tb Exp $ */ +/* $OpenBSD: c_zlib.c,v 1.26 2023/04/17 13:18:00 tb Exp $ */ +/* + * --------------------------------------------------------------------------- + * Major patches to this file were contributed by + * Richard Levitte , Nils Larsch , + * and Dr. Stephen Henson . + * --------------------------------------------------------------------------- + * Copyright (c) 2002, 2003, 2007, 2008, 2010 The OpenSSL Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + * --------------------------------------------------------------------------- + * Parts of this file are derived from SSLeay code + * which is covered by the following Copyright and license: + * --------------------------------------------------------------------------- + * Copyright (c) 1998 Eric Young + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young . + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson . 
+ * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given + * attribution as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young " + * The word 'cryptographic' can be left out if the rouines from the + * library being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) + * from the apps directory (application code) you must include an + * acknowledgement: "This product includes software written + * by Tim Hudson " + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version
+ * or derivative of this code cannot be changed. i.e. this code cannot
+ * simply be copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
 #include
 #include
 #include
+
 #include
 #include
 #include
+#include "bio_local.h"
 #include "comp_local.h"
 COMP_METHOD *COMP_zlib(void );
@@ -27,7 +144,7 @@ static int zlib_stateful_expand_block(COMP_CTX *ctx, unsigned char *out, unsigned int olen, unsigned char *in, unsigned int ilen);
-/* memory allocations functions for zlib intialization */
+/* memory allocations functions for zlib initialization */
 static void* zlib_zalloc(void* opaque, unsigned int no, unsigned int size)
 {
@@ -181,7 +298,7 @@ COMP_zlib(void)
 #ifdef ZLIB
 {
 	/* init zlib_stateful_ex_idx here so that in a multi-process
-	 * application it's enough to intialize openssl before forking
+	 * application it's enough to initialize openssl before forking
 	 * (idx will be inherited in all the children) */
 	if (zlib_stateful_ex_idx == -1) {
 		CRYPTO_w_lock(CRYPTO_LOCK_COMP);
diff --git a/crypto/comp/comp_err.c b/crypto/comp/comp_err.c
index ccc7a28..5ec5039 100644
--- a/crypto/comp/comp_err.c
+++ b/crypto/comp/comp_err.c
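Review bot: The added `#include "bio_local.h"` is the only substantive code change in the c_zlib.c header hunk, yet none of the visible hunks in this file use a BIO internal, so the reason for pulling in the private BIO header is not recorded anywhere in the diff. If a later, unshown part of the file now reaches into BIO struct members, a short comment beside the include, e.g. `/* for <name the BIO internal used> */`, or a line in the commit message would document that coupling, since `_local.h` headers tie this compilation unit to the BIO struct layout rather than the public API. The remaining edits in the hunk are the license header and two comment typo fixes and need nothing further.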
@@ -1,6 +1,7 @@
-/* $OpenBSD: comp_err.c,v 1.11 2022/01/09 23:50:10 tb Exp $ */
+/* $OpenBSD: comp_err.c,v 1.13 2022/12/23 23:23:02 schwarze Exp $ */
 /* ====================================================================
- * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
+ * This file was written by Dr. Stephen Henson .
+ * Copyright (c) 1999, 2005, 2008 The OpenSSL Project. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -62,7 +63,6 @@
 #include "comp_local.h"
-/* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_COMP,func,0)
diff --git a/crypto/comp/comp_lib.c b/crypto/comp/comp_lib.c
index 3f914a7..5cb2335 100644
--- a/crypto/comp/comp_lib.c
+++ b/crypto/comp/comp_lib.c
@@ -1,7 +1,121 @@ -/* $OpenBSD: comp_lib.c,v 1.9 2022/01/09 23:50:10 tb Exp $ */ +/* $OpenBSD: comp_lib.c,v 1.11 2022/12/24 07:12:09 tb Exp $ */ +/* + * --------------------------------------------------------------------------- + * Patches to this file were contributed by + * Ben Laurie and Ulf Moeller . + * --------------------------------------------------------------------------- + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + * --------------------------------------------------------------------------- + * Parts of this file are derived from SSLeay code + * which is covered by the following Copyright and license: + * --------------------------------------------------------------------------- + * Copyright (c) 1998 Eric Young + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young . + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson . 
+ * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given + * attribution as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young " + * The word 'cryptographic' can be left out if the rouines from the + * library being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) + * from the apps directory (application code) you must include an + * acknowledgement: "This product includes software written + * by Tim Hudson " + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version + * or derivative of this code cannot be changed. i.e. this code cannot + * simply be copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + #include #include #include + #include #include diff --git a/crypto/comp/comp_local.h b/crypto/comp/comp_local.h index fc18887..e26a800 100644 --- a/crypto/comp/comp_local.h +++ b/crypto/comp/comp_local.h 
@@ -1,4 +1,116 @@ -/* $OpenBSD: comp_local.h,v 1.2 2022/01/14 08:21:12 tb Exp $ */ +/* $OpenBSD: comp_local.h,v 1.4 2022/12/24 07:12:09 tb Exp $ */ +/* + * --------------------------------------------------------------------------- + * Patches to this file were contributed by + * Richard Levitte . + * --------------------------------------------------------------------------- + * Copyright (c) 1999, 2000, 2003 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + * --------------------------------------------------------------------------- + * Parts of this file are derived from SSLeay code + * which is covered by the following Copyright and license: + * --------------------------------------------------------------------------- + * Copyright (c) 1998 Eric Young + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young . + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson . 
+ * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given + * attribution as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young " + * The word 'cryptographic' can be left out if the rouines from the + * library being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) + * from the apps directory (application code) you must include an + * acknowledgement: "This product includes software written + * by Tim Hudson " + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version
+ * or derivative of this code cannot be changed. i.e. this code cannot
+ * simply be copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
 #ifndef HEADER_COMP_LOCAL_H
 #define HEADER_COMP_LOCAL_H
diff --git a/crypto/compat/arc4random.c b/crypto/compat/arc4random.c
index 6f95d57..1ec8e1e 100644
--- a/crypto/compat/arc4random.c
+++ b/crypto/compat/arc4random.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: arc4random.c,v 1.56 2022/02/28 21:56:29 dtucker Exp $ */
+/* $OpenBSD: arc4random.c,v 1.58 2022/07/31 13:41:45 tb Exp $ */
 /*
  * Copyright (c) 1996, David Mazieres
@@ -49,6 +49,8 @@
 #define BLOCKSZ 64
 #define RSBUFSZ (16*BLOCKSZ)
+#define REKEY_BASE (1024*1024) /* NB. should be a power of 2 */
+
 /* Marked MAP_INHERIT_ZERO, so zero'd out in fork children. */
 static struct _rs {
 	size_t rs_have; /* valid bytes at end of rs_buf */
@@ -86,6 +88,7 @@ static void
 _rs_stir(void)
 {
 	u_char rnd[KEYSZ + IVSZ];
+	uint32_t rekey_fuzz = 0;
 	if (getentropy(rnd, sizeof rnd) == -1)
 		_getentropy_fail();
@@ -100,7 +103,10 @@ _rs_stir(void)
 	rs->rs_have = 0;
 	memset(rsx->rs_buf, 0, sizeof(rsx->rs_buf));
-	rs->rs_count = 1600000;
+	/* rekey interval should not be predictable */
+	chacha_encrypt_bytes(&rsx->rs_chacha, (uint8_t *)&rekey_fuzz,
+	    (uint8_t *)&rekey_fuzz, sizeof(rekey_fuzz));
+	rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE);
 }
 static inline void
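Review bot: `rs->rs_count = REKEY_BASE + (rekey_fuzz % REKEY_BASE);` in the last arc4random.c hunk is bias-free only because REKEY_BASE is a power of two, and that precondition is recorded solely as `/* NB. should be a power of 2 */` on the `#define` two hunks earlier, while the comment at the use site (`/* rekey interval should not be predictable */`) says neither where the fuzz comes from nor why the modulo is safe. Suggest expanding the use-site comment to something like `/* Encrypting a zero buffer yields raw ChaCha keystream; use it to place the rekey interval uniformly in [REKEY_BASE, 2*REKEY_BASE) — uniform only because REKEY_BASE is a power of two */`, so a future change to REKEY_BASE cannot silently introduce modulo bias. `rekey_fuzz` is declared in a separate hunk of the same function and `_rs_stir` as a whole extends beyond what is shown; the keystream bytes consumed here presumably advance the cipher state before the first output block is produced, which is fine but worth a word if the comment is rewritten.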
diff --git a/crypto/compat/getentropy_aix.c b/crypto/compat/getentropy_aix.c
index 7fb857e..9d085cf 100644
--- a/crypto/compat/getentropy_aix.c
+++ b/crypto/compat/getentropy_aix.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_aix.c,v 1.8 2021/10/24 21:24:20 deraadt Exp $ */
+/* $OpenBSD: getentropy_aix.c,v 1.9 2022/12/26 07:18:50 jmc Exp $ */
 /*
  * Copyright (c) 2015 Michael Felt
@@ -21,7 +21,7 @@
  * http://man.openbsd.org/getentropy.2
  */
 /*
- * -lperfstat is needed for the psuedo entropy data
+ * -lperfstat is needed for the pseudo entropy data
  */
 #include
diff --git a/crypto/conf/conf_err.c b/crypto/conf/conf_err.c
index 1e5eaff..e6c707a 100644
--- a/crypto/conf/conf_err.c
+++ b/crypto/conf/conf_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf_err.c,v 1.14 2020/02/17 12:51:48 inoguchi Exp $ */
+/* $OpenBSD: conf_err.c,v 1.15 2022/07/12 14:42:48 kn Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved.
  *
@@ -53,11 +53,6 @@
  *
  */
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
 #include
 #include
@@ -65,7 +60,6 @@
 #include
 #include
-/* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_CONF,func,0)
diff --git a/crypto/constant_time_locl.h b/crypto/constant_time.h
similarity index 97%
rename from crypto/constant_time_locl.h
rename to crypto/constant_time.h
index 2d511cc..ea7dede 100644
--- a/crypto/constant_time_locl.h
+++ b/crypto/constant_time.h
@@ -1,4 +1,4 @@
-/* crypto/constant_time_locl.h */
+/* $OpenBSD: constant_time.h,v 1.3 2023/04/06 18:43:47 tb Exp $ */
 /*-
  * Utilities for constant-time cryptography.
  *
@@ -44,8 +44,8 @@
  * [including the GNU Public Licence.]
  */
-#ifndef HEADER_CONSTANT_TIME_LOCL_H
-# define HEADER_CONSTANT_TIME_LOCL_H
+#ifndef HEADER_CONSTANT_TIME_H
+#define HEADER_CONSTANT_TIME_H
 __BEGIN_HIDDEN_DECLS
@@ -204,4 +204,4 @@ void err_clear_last_constant_time(int clear);
 __END_HIDDEN_DECLS
-#endif /* HEADER_CONSTANT_TIME_LOCL_H */
+#endif /* !HEADER_CONSTANT_TIME_H */
diff --git a/crypto/cpt_err.c b/crypto/cpt_err.c
index 4ac32a2..718c726 100644
--- a/crypto/cpt_err.c
+++ b/crypto/cpt_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cpt_err.c,v 1.13 2014/07/10 22:45:56 jsing Exp $ */
+/* $OpenBSD: cpt_err.c,v 1.14 2022/07/12 14:42:48 kn Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
  *
@@ -53,11 +53,6 @@
  *
  */
 
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
 #include
 #include
@@ -65,7 +60,6 @@
 #include
 #include
 
-/* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_CRYPTO,func,0)
diff --git a/crypto/cpuid-elf-x86_64.S b/crypto/cpuid-elf-x86_64.S
index c0e1366..6dc8e58 100644
--- a/crypto/cpuid-elf-x86_64.S
+++ b/crypto/cpuid-elf-x86_64.S
@@ -2,6 +2,7 @@
 .hidden OPENSSL_cpuid_setup
 .section .init
+ endbr64
 call OPENSSL_cpuid_setup
@@ -9,24 +10,11 @@
 .text
-.globl OPENSSL_atomic_add
-.type OPENSSL_atomic_add,@function
-.align 16
-OPENSSL_atomic_add:
- movl (%rdi),%eax
-.Lspin: leaq (%rsi,%rax,1),%r8
-.byte 0xf0
- cmpxchgl %r8d,(%rdi)
- jne .Lspin
- movl %r8d,%eax
-.byte 0x48,0x98
- retq
-.size OPENSSL_atomic_add,.-OPENSSL_atomic_add
-
 .globl OPENSSL_ia32_cpuid
 .type OPENSSL_ia32_cpuid,@function
 .align 16
 OPENSSL_ia32_cpuid:
+ endbr64
 movq %rbx,%r8
 xorl %eax,%eax
@@ -64,6 +52,7 @@ OPENSSL_ia32_cpuid:
 movl %eax,%r10d
 movl $2147483649,%eax
 cpuid
+ orl %ecx,%r9d
 andl $IA32CAP_MASK1_AMD_XOP,%r9d
 orl $1,%r9d
@@ -147,37 +136,6 @@ OPENSSL_ia32_cpuid:
 orq %r9,%rax
 retq
 .size OPENSSL_ia32_cpuid,.-OPENSSL_ia32_cpuid
-.globl OPENSSL_wipe_cpu
-.type OPENSSL_wipe_cpu,@function
-.align 16
-OPENSSL_wipe_cpu:
- pxor %xmm0,%xmm0
- pxor %xmm1,%xmm1
- pxor %xmm2,%xmm2
- pxor %xmm3,%xmm3
- pxor %xmm4,%xmm4
- pxor %xmm5,%xmm5
- pxor %xmm6,%xmm6
- pxor %xmm7,%xmm7
- pxor %xmm8,%xmm8
- pxor %xmm9,%xmm9
- pxor %xmm10,%xmm10
- pxor %xmm11,%xmm11
- pxor %xmm12,%xmm12
- pxor %xmm13,%xmm13
- pxor %xmm14,%xmm14
- pxor %xmm15,%xmm15
- xorq %rcx,%rcx
- xorq %rdx,%rdx
- xorq %rsi,%rsi
- xorq %rdi,%rdi
- xorq %r8,%r8
- xorq %r9,%r9
- xorq %r10,%r10
- xorq %r11,%r11
- leaq 8(%rsp),%rax
- retq
-.size OPENSSL_wipe_cpu,.-OPENSSL_wipe_cpu
 #if defined(HAVE_GNU_STACK)
 .section .note.GNU-stack,"",%progbits
 #endif
diff --git a/crypto/cpuid-macosx-x86_64.S b/crypto/cpuid-macosx-x86_64.S
index 7531770..1c612e4 100644
--- a/crypto/cpuid-macosx-x86_64.S
+++ b/crypto/cpuid-macosx-x86_64.S
@@ -2,6 +2,7 @@
 .private_extern _OPENSSL_cpuid_setup
 .mod_init_func
+ .p2align 3
 .quad _OPENSSL_cpuid_setup
@@ -10,24 +11,11 @@
 .text
-.globl _OPENSSL_atomic_add
-
-.p2align 4
-_OPENSSL_atomic_add:
- movl (%rdi),%eax
-L$spin: leaq (%rsi,%rax,1),%r8
-.byte 0xf0
- cmpxchgl %r8d,(%rdi)
- jne L$spin
- movl %r8d,%eax
-.byte 0x48,0x98
- retq
-
-
 .globl _OPENSSL_ia32_cpuid
 .p2align 4
 _OPENSSL_ia32_cpuid:
+
 movq %rbx,%r8
 xorl %eax,%eax
@@ -65,6 +53,7 @@ _OPENSSL_ia32_cpuid:
 movl %eax,%r10d
 movl $2147483649,%eax
 cpuid
+ orl %ecx,%r9d
 andl $IA32CAP_MASK1_AMD_XOP,%r9d
 orl $1,%r9d
@@ -148,34 +137,3 @@ L$done:
 orq %r9,%rax
 retq
-.globl _OPENSSL_wipe_cpu
-
-.p2align 4
-_OPENSSL_wipe_cpu:
- pxor %xmm0,%xmm0
- pxor %xmm1,%xmm1
- pxor %xmm2,%xmm2
- pxor %xmm3,%xmm3
- pxor %xmm4,%xmm4
- pxor %xmm5,%xmm5
- pxor %xmm6,%xmm6
- pxor %xmm7,%xmm7
- pxor %xmm8,%xmm8
- pxor %xmm9,%xmm9
- pxor %xmm10,%xmm10
- pxor %xmm11,%xmm11
- pxor %xmm12,%xmm12
- pxor %xmm13,%xmm13
- pxor %xmm14,%xmm14
- pxor %xmm15,%xmm15
- xorq %rcx,%rcx
- xorq %rdx,%rdx
- xorq %rsi,%rsi
- xorq %rdi,%rdi
- xorq %r8,%r8
- xorq %r9,%r9
- xorq %r10,%r10
- xorq %r11,%r11
- leaq 8(%rsp),%rax
- retq
-
diff --git a/crypto/cpuid-masm-x86_64.S b/crypto/cpuid-masm-x86_64.S
index 0dd7baf..b3a8423 100644
--- a/crypto/cpuid-masm-x86_64.S
+++ b/crypto/cpuid-masm-x86_64.S
@@ -70,6 +70,7 @@ OPTION DOTNAME
 EXTERN OPENSSL_cpuid_setup:NEAR
 .CRT$XCU SEGMENT READONLY ALIGN(8)
+ endbr64
 DQ OPENSSL_cpuid_setup
 EXTERN OPENSSL_ia32cap_P:NEAR
@@ -78,24 +79,11 @@ EXTERN OPENSSL_ia32cap_P:NEAR
 .CRT$XCU ENDS
 .text$ SEGMENT ALIGN(64) 'CODE'
-PUBLIC OPENSSL_atomic_add
-
-ALIGN 16
-OPENSSL_atomic_add PROC PUBLIC
- mov eax,DWORD PTR[rdi]
-$L$spin:: lea r8,QWORD PTR[rax*1+rsi]
-DB 0f0h
- cmpxchg DWORD PTR[rdi],r8d
- jne $L$spin
- mov eax,r8d
-DB 048h,098h
- DB 0F3h,0C3h ;repret
-OPENSSL_atomic_add ENDP
-
 PUBLIC OPENSSL_ia32_cpuid
 ALIGN 16
 OPENSSL_ia32_cpuid PROC PUBLIC
+ endbr64
 mov r8,rbx
 xor eax,eax
@@ -133,6 +121,7 @@ OPENSSL_ia32_cpuid PROC PUBLIC
 mov r10d,eax
 mov eax,080000001h
 cpuid
+ or r9d,ecx
 and r9d,(1 SHL 11)
 or r9d,1
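Review bot: The `endbr64` added inside `.CRT$XCU SEGMENT READONLY ALIGN(8)` is emitted into a data segment, not code: that segment holds the 8-byte `DQ OPENSSL_cpuid_setup` initializer pointer the CRT walks at startup, so a 4-byte instruction encoding in front of it shifts and corrupts the pointer table instead of providing a landing pad. Drop the `endbr64` line from this hunk; a CET landing pad belongs at the entry of `OPENSSL_cpuid_setup` itself, and the ELF variant's placement before the `call` is fine only because `.init` there is code. This file appears to be generated output, so the fix presumably belongs in the generator as well as the checked-in `.S`.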
@@ -216,37 +205,6 @@ $L$done::
 or rax,r9
 DB 0F3h,0C3h ;repret
 OPENSSL_ia32_cpuid ENDP
-PUBLIC OPENSSL_wipe_cpu
-
-ALIGN 16
-OPENSSL_wipe_cpu PROC PUBLIC
- pxor xmm0,xmm0
- pxor xmm1,xmm1
- pxor xmm2,xmm2
- pxor xmm3,xmm3
- pxor xmm4,xmm4
- pxor xmm5,xmm5
- pxor xmm6,xmm6
- pxor xmm7,xmm7
- pxor xmm8,xmm8
- pxor xmm9,xmm9
- pxor xmm10,xmm10
- pxor xmm11,xmm11
- pxor xmm12,xmm12
- pxor xmm13,xmm13
- pxor xmm14,xmm14
- pxor xmm15,xmm15
- xor rcx,rcx
- xor rdx,rdx
- xor rsi,rsi
- xor rdi,rdi
- xor r8,r8
- xor r9,r9
- xor r10,r10
- xor r11,r11
- lea rax,QWORD PTR[8+rsp]
- DB 0F3h,0C3h ;repret
-OPENSSL_wipe_cpu ENDP
 .text$ ENDS
 END
diff --git a/crypto/cpuid-mingw64-x86_64.S b/crypto/cpuid-mingw64-x86_64.S
index db9578c..a5b63ca 100644
--- a/crypto/cpuid-mingw64-x86_64.S
+++ b/crypto/cpuid-mingw64-x86_64.S
@@ -2,6 +2,7 @@
 .section .ctors
+ endbr64
 .p2align 3
 .quad OPENSSL_cpuid_setup
@@ -10,24 +11,11 @@
 .text
-.globl OPENSSL_atomic_add
-.def OPENSSL_atomic_add; .scl 2; .type 32; .endef
-.p2align 4
-OPENSSL_atomic_add:
- movl (%rdi),%eax
-.Lspin: leaq (%rsi,%rax,1),%r8
-.byte 0xf0
- cmpxchgl %r8d,(%rdi)
- jne .Lspin
- movl %r8d,%eax
-.byte 0x48,0x98
- retq
-
-
 .globl OPENSSL_ia32_cpuid
 .def OPENSSL_ia32_cpuid; .scl 2; .type 32; .endef
 .p2align 4
 OPENSSL_ia32_cpuid:
+ endbr64
 movq %rbx,%r8
 xorl %eax,%eax
@@ -65,6 +53,7 @@ OPENSSL_ia32_cpuid:
 movl %eax,%r10d
 movl $2147483649,%eax
 cpuid
+ orl %ecx,%r9d
 andl $IA32CAP_MASK1_AMD_XOP,%r9d
 orl $1,%r9d
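Review bot: In the `.ctors` hunk the `endbr64` lands in a data section: after this change `.section .ctors` holds the 4-byte instruction encoding, padding from the following `.p2align 3`, and only then the real `.quad OPENSSL_cpuid_setup`, so the constructor walker sees a bogus 8-byte entry ahead of the genuine function pointer and will presumably try to call it. Remove the `endbr64` line from this section; the landing pad belongs at the start of the function that is called indirectly, not beside the pointer that references it (the `.mod_init_func` hunk in the macOS variant, which only adds `.p2align 3`, is the right shape). Like the other `cpuid-*.S` files this looks generated, so the generator is presumably where the fix has to live.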
@@ -148,34 +137,3 @@ OPENSSL_ia32_cpuid: orq %r9,%rax retq -.globl OPENSSL_wipe_cpu -.def OPENSSL_wipe_cpu; .scl 2; .type 32; .endef -.p2align 4 -OPENSSL_wipe_cpu: - pxor %xmm0,%xmm0 - pxor %xmm1,%xmm1 - pxor %xmm2,%xmm2 - pxor %xmm3,%xmm3 - pxor %xmm4,%xmm4 - pxor %xmm5,%xmm5 - pxor %xmm6,%xmm6 - pxor %xmm7,%xmm7 - pxor %xmm8,%xmm8 - pxor %xmm9,%xmm9 - pxor %xmm10,%xmm10 - pxor %xmm11,%xmm11 - pxor %xmm12,%xmm12 - pxor %xmm13,%xmm13 - pxor %xmm14,%xmm14 - pxor %xmm15,%xmm15 - xorq %rcx,%rcx - xorq %rdx,%rdx - xorq %rsi,%rsi - xorq %rdi,%rdi - xorq %r8,%r8 - xorq %r9,%r9 - xorq %r10,%r10 - xorq %r11,%r11 - leaq 8(%rsp),%rax - retq - diff --git a/crypto/crypto.sym b/crypto/crypto.sym index a2dfa72..5976919 100644 --- a/crypto/crypto.sym +++ b/crypto/crypto.sym @@ -41,9 +41,11 @@ ASN1_BMPSTRING_it ASN1_BMPSTRING_new ASN1_ENUMERATED_free ASN1_ENUMERATED_get +ASN1_ENUMERATED_get_int64 ASN1_ENUMERATED_it ASN1_ENUMERATED_new ASN1_ENUMERATED_set +ASN1_ENUMERATED_set_int64 ASN1_ENUMERATED_to_BN ASN1_GENERALIZEDTIME_adj ASN1_GENERALIZEDTIME_check @@ -63,9 +65,13 @@ ASN1_INTEGER_cmp ASN1_INTEGER_dup ASN1_INTEGER_free ASN1_INTEGER_get +ASN1_INTEGER_get_int64 +ASN1_INTEGER_get_uint64 ASN1_INTEGER_it ASN1_INTEGER_new ASN1_INTEGER_set +ASN1_INTEGER_set_int64 +ASN1_INTEGER_set_uint64 ASN1_INTEGER_to_BN ASN1_NULL_free ASN1_NULL_it @@ -74,7 +80,6 @@ ASN1_OBJECT_create ASN1_OBJECT_free ASN1_OBJECT_it ASN1_OBJECT_new -ASN1_OCTET_STRING_NDEF_it ASN1_OCTET_STRING_cmp ASN1_OCTET_STRING_dup ASN1_OCTET_STRING_free @@ -132,15 +137,20 @@ ASN1_T61STRING_it ASN1_T61STRING_new ASN1_TIME_adj ASN1_TIME_check +ASN1_TIME_cmp_time_t +ASN1_TIME_compare ASN1_TIME_diff ASN1_TIME_free ASN1_TIME_it ASN1_TIME_new +ASN1_TIME_normalize ASN1_TIME_print ASN1_TIME_set ASN1_TIME_set_string +ASN1_TIME_set_string_X509 ASN1_TIME_set_tm ASN1_TIME_to_generalizedtime +ASN1_TIME_to_tm ASN1_TYPE_cmp ASN1_TYPE_free ASN1_TYPE_get 
@@ -172,6 +182,7 @@ ASN1_VISIBLESTRING_it ASN1_VISIBLESTRING_new ASN1_add_oid_module ASN1_bn_print +ASN1_buf_print ASN1_d2i_bio ASN1_d2i_fp ASN1_dup @@ -193,7 +204,6 @@ ASN1_item_free ASN1_item_i2d ASN1_item_i2d_bio ASN1_item_i2d_fp -ASN1_item_ndef_i2d ASN1_item_new ASN1_item_pack ASN1_item_print @@ -317,7 +327,6 @@ BIO_method_name BIO_method_type BIO_new BIO_new_CMS -BIO_new_NDEF BIO_new_PKCS7 BIO_new_accept BIO_new_bio_pair @@ -383,18 +392,15 @@ BN_BLINDING_convert_ex BN_BLINDING_create_param BN_BLINDING_free BN_BLINDING_get_flags -BN_BLINDING_get_thread_id BN_BLINDING_invert BN_BLINDING_invert_ex BN_BLINDING_new BN_BLINDING_set_flags -BN_BLINDING_set_thread_id BN_BLINDING_thread_id BN_BLINDING_update BN_CTX_end BN_CTX_free BN_CTX_get -BN_CTX_init BN_CTX_new BN_CTX_start BN_GENCB_call @@ -403,38 +409,11 @@ BN_GENCB_get_arg BN_GENCB_new BN_GENCB_set BN_GENCB_set_old -BN_GF2m_add -BN_GF2m_arr2poly -BN_GF2m_mod -BN_GF2m_mod_arr -BN_GF2m_mod_div -BN_GF2m_mod_div_arr -BN_GF2m_mod_exp -BN_GF2m_mod_exp_arr -BN_GF2m_mod_inv -BN_GF2m_mod_inv_arr -BN_GF2m_mod_mul -BN_GF2m_mod_mul_arr -BN_GF2m_mod_solve_quad -BN_GF2m_mod_solve_quad_arr -BN_GF2m_mod_sqr -BN_GF2m_mod_sqr_arr -BN_GF2m_mod_sqrt -BN_GF2m_mod_sqrt_arr -BN_GF2m_poly2arr BN_MONT_CTX_copy BN_MONT_CTX_free -BN_MONT_CTX_init BN_MONT_CTX_new BN_MONT_CTX_set BN_MONT_CTX_set_locked -BN_RECP_CTX_free -BN_RECP_CTX_init -BN_RECP_CTX_new -BN_RECP_CTX_set -BN_X931_derive_prime_ex -BN_X931_generate_Xpq -BN_X931_generate_prime_ex BN_abs_is_word BN_add BN_add_word @@ -454,22 +433,14 @@ BN_consttime_swap BN_copy BN_dec2bn BN_div -BN_div_recp BN_div_word BN_dup BN_exp BN_free BN_from_montgomery BN_gcd -BN_generate_prime BN_generate_prime_ex -BN_get0_nist_prime_192 -BN_get0_nist_prime_224 -BN_get0_nist_prime_256 -BN_get0_nist_prime_384 -BN_get0_nist_prime_521 BN_get_flags -BN_get_params BN_get_rfc2409_prime_1024 BN_get_rfc2409_prime_768 BN_get_rfc3526_prime_1536 
@@ -480,14 +451,11 @@ BN_get_rfc3526_prime_6144 BN_get_rfc3526_prime_8192 BN_get_word BN_hex2bn -BN_init BN_is_bit_set BN_is_negative BN_is_odd BN_is_one -BN_is_prime BN_is_prime_ex -BN_is_prime_fasttest BN_is_prime_fasttest_ex BN_is_word BN_is_zero @@ -503,7 +471,6 @@ BN_mod_exp2_mont BN_mod_exp_mont BN_mod_exp_mont_consttime BN_mod_exp_mont_word -BN_mod_exp_recp BN_mod_exp_simple BN_mod_inverse BN_mod_lshift @@ -512,7 +479,6 @@ BN_mod_lshift1_quick BN_mod_lshift_quick BN_mod_mul BN_mod_mul_montgomery -BN_mod_mul_reciprocal BN_mod_sqr BN_mod_sqrt BN_mod_sub @@ -522,14 +488,10 @@ BN_mpi2bn BN_mul BN_mul_word BN_new -BN_nist_mod_192 -BN_nist_mod_224 -BN_nist_mod_256 -BN_nist_mod_384 -BN_nist_mod_521 BN_nnmod BN_num_bits BN_num_bits_word +BN_one BN_options BN_print BN_print_fp @@ -537,13 +499,12 @@ BN_pseudo_rand BN_pseudo_rand_range BN_rand BN_rand_range -BN_reciprocal BN_rshift BN_rshift1 +BN_security_bits BN_set_bit BN_set_flags BN_set_negative -BN_set_params BN_set_word BN_sqr BN_sub @@ -557,7 +518,7 @@ BN_ucmp BN_usub BN_value_one BN_with_flags -BN_zero_ex +BN_zero BUF_MEM_free BUF_MEM_grow BUF_MEM_grow_clean @@ -764,10 +725,6 @@ CRYPTO_chacha_20 CRYPTO_cleanup_all_ex_data CRYPTO_ctr128_encrypt CRYPTO_ctr128_encrypt_ctr32 -CRYPTO_cts128_decrypt -CRYPTO_cts128_decrypt_block -CRYPTO_cts128_encrypt -CRYPTO_cts128_encrypt_block CRYPTO_dbg_free CRYPTO_dbg_get_options CRYPTO_dbg_malloc @@ -820,10 +777,6 @@ CRYPTO_mem_leaks_cb CRYPTO_mem_leaks_fp CRYPTO_memcmp CRYPTO_new_ex_data -CRYPTO_nistcts128_decrypt -CRYPTO_nistcts128_decrypt_block -CRYPTO_nistcts128_encrypt -CRYPTO_nistcts128_encrypt_block CRYPTO_num_locks CRYPTO_ofb128_encrypt CRYPTO_poly1305_finish @@ -949,6 +902,7 @@ DH_get_ex_new_index DH_get_length DH_new DH_new_method +DH_security_bits DH_set0_key DH_set0_pqg DH_set_default_method 
@@ -1006,13 +960,16 @@ DSA_get_ex_data DSA_get_ex_new_index DSA_meth_dup DSA_meth_free +DSA_meth_get0_name DSA_meth_new +DSA_meth_set1_name DSA_meth_set_finish DSA_meth_set_sign DSA_new DSA_new_method DSA_print DSA_print_fp +DSA_security_bits DSA_set0_key DSA_set0_pqg DSA_set_default_method @@ -1095,9 +1052,7 @@ ECPKParameters_print_fp ECParameters_dup ECParameters_print ECParameters_print_fp -EC_GF2m_simple_method EC_GFp_mont_method -EC_GFp_nist_method EC_GFp_simple_method EC_GROUP_check EC_GROUP_check_discriminant @@ -1112,26 +1067,21 @@ EC_GROUP_get_asn1_flag EC_GROUP_get_basis_type EC_GROUP_get_cofactor EC_GROUP_get_curve -EC_GROUP_get_curve_GF2m EC_GROUP_get_curve_GFp EC_GROUP_get_curve_name EC_GROUP_get_degree EC_GROUP_get_order -EC_GROUP_get_pentanomial_basis EC_GROUP_get_point_conversion_form EC_GROUP_get_seed_len -EC_GROUP_get_trinomial_basis EC_GROUP_have_precompute_mult EC_GROUP_method_of EC_GROUP_new EC_GROUP_new_by_curve_name -EC_GROUP_new_curve_GF2m EC_GROUP_new_curve_GFp EC_GROUP_order_bits EC_GROUP_precompute_mult EC_GROUP_set_asn1_flag EC_GROUP_set_curve -EC_GROUP_set_curve_GF2m EC_GROUP_set_curve_GFp EC_GROUP_set_curve_name EC_GROUP_set_generator @@ -1164,9 +1114,7 @@ EC_KEY_get_default_method EC_KEY_get_enc_flags EC_KEY_get_ex_data EC_KEY_get_flags -EC_KEY_get_key_method_data EC_KEY_get_method -EC_KEY_insert_key_method_data EC_KEY_new EC_KEY_new_by_curve_name EC_KEY_new_method @@ -1196,7 +1144,6 @@ EC_POINT_dup EC_POINT_free EC_POINT_get_Jprojective_coordinates_GFp EC_POINT_get_affine_coordinates -EC_POINT_get_affine_coordinates_GF2m EC_POINT_get_affine_coordinates_GFp EC_POINT_hex2point EC_POINT_invert 
@@ -1212,10 +1159,8 @@ EC_POINT_point2hex EC_POINT_point2oct EC_POINT_set_Jprojective_coordinates_GFp EC_POINT_set_affine_coordinates -EC_POINT_set_affine_coordinates_GF2m EC_POINT_set_affine_coordinates_GFp EC_POINT_set_compressed_coordinates -EC_POINT_set_compressed_coordinates_GF2m EC_POINT_set_compressed_coordinates_GFp EC_POINT_set_to_infinity EC_POINTs_make_affine @@ -1226,6 +1171,9 @@ EC_PRIVATEKEY_new EC_curve_nid2nist EC_curve_nist2nid EC_get_builtin_curves +ED25519_keypair +ED25519_sign +ED25519_verify EDIPARTYNAME_free EDIPARTYNAME_it EDIPARTYNAME_new @@ -1498,6 +1446,18 @@ EVP_CIPHER_flags EVP_CIPHER_get_asn1_iv EVP_CIPHER_iv_length EVP_CIPHER_key_length +EVP_CIPHER_meth_dup +EVP_CIPHER_meth_free +EVP_CIPHER_meth_new +EVP_CIPHER_meth_set_cleanup +EVP_CIPHER_meth_set_ctrl +EVP_CIPHER_meth_set_do_cipher +EVP_CIPHER_meth_set_flags +EVP_CIPHER_meth_set_get_asn1_params +EVP_CIPHER_meth_set_impl_ctx_size +EVP_CIPHER_meth_set_init +EVP_CIPHER_meth_set_iv_length +EVP_CIPHER_meth_set_set_asn1_params EVP_CIPHER_nid EVP_CIPHER_param_to_asn1 EVP_CIPHER_set_asn1_iv @@ -1625,6 +1585,7 @@ EVP_PKEY_asn1_set_param_check EVP_PKEY_asn1_set_private EVP_PKEY_asn1_set_public EVP_PKEY_asn1_set_public_check +EVP_PKEY_asn1_set_security_bits EVP_PKEY_assign EVP_PKEY_base_id EVP_PKEY_bits @@ -1659,6 +1620,8 @@ EVP_PKEY_get_attr_by_NID EVP_PKEY_get_attr_by_OBJ EVP_PKEY_get_attr_count EVP_PKEY_get_default_digest_nid +EVP_PKEY_get_raw_private_key +EVP_PKEY_get_raw_public_key EVP_PKEY_id EVP_PKEY_keygen EVP_PKEY_keygen_init @@ -1689,6 +1652,8 @@ EVP_PKEY_missing_parameters EVP_PKEY_new EVP_PKEY_new_CMAC_key EVP_PKEY_new_mac_key +EVP_PKEY_new_raw_private_key +EVP_PKEY_new_raw_public_key EVP_PKEY_param_check EVP_PKEY_paramgen EVP_PKEY_paramgen_init @@ -1697,6 +1662,7 @@ EVP_PKEY_print_private EVP_PKEY_print_public EVP_PKEY_public_check EVP_PKEY_save_parameters +EVP_PKEY_security_bits EVP_PKEY_set1_DH EVP_PKEY_set1_DSA EVP_PKEY_set1_EC_KEY 
@@ -1725,7 +1691,6 @@ EVP_aead_xchacha20_poly1305 EVP_aes_128_cbc EVP_aes_128_cbc_hmac_sha1 EVP_aes_128_ccm -EVP_aes_128_cfb EVP_aes_128_cfb1 EVP_aes_128_cfb128 EVP_aes_128_cfb8 @@ -1737,7 +1702,6 @@ EVP_aes_128_wrap EVP_aes_128_xts EVP_aes_192_cbc EVP_aes_192_ccm -EVP_aes_192_cfb EVP_aes_192_cfb1 EVP_aes_192_cfb128 EVP_aes_192_cfb8 @@ -1749,7 +1713,6 @@ EVP_aes_192_wrap EVP_aes_256_cbc EVP_aes_256_cbc_hmac_sha1 EVP_aes_256_ccm -EVP_aes_256_cfb EVP_aes_256_cfb1 EVP_aes_256_cfb128 EVP_aes_256_cfb8 @@ -1760,7 +1723,6 @@ EVP_aes_256_ofb EVP_aes_256_wrap EVP_aes_256_xts EVP_bf_cbc -EVP_bf_cfb EVP_bf_cfb64 EVP_bf_ecb EVP_bf_ofb @@ -1783,14 +1745,13 @@ EVP_camellia_256_cfb8 EVP_camellia_256_ecb EVP_camellia_256_ofb EVP_cast5_cbc -EVP_cast5_cfb EVP_cast5_cfb64 EVP_cast5_ecb EVP_cast5_ofb EVP_chacha20 +EVP_chacha20_poly1305 EVP_cleanup EVP_des_cbc -EVP_des_cfb EVP_des_cfb1 EVP_des_cfb64 EVP_des_cfb8 @@ -1798,14 +1759,12 @@ EVP_des_ecb EVP_des_ede EVP_des_ede3 EVP_des_ede3_cbc -EVP_des_ede3_cfb EVP_des_ede3_cfb1 EVP_des_ede3_cfb64 EVP_des_ede3_cfb8 EVP_des_ede3_ecb EVP_des_ede3_ofb EVP_des_ede_cbc -EVP_des_ede_cfb EVP_des_ede_cfb64 EVP_des_ede_ecb EVP_des_ede_ofb @@ -1821,7 +1780,6 @@ EVP_gost2814789_ecb EVP_gost2814789imit EVP_gostr341194 EVP_idea_cbc -EVP_idea_cfb EVP_idea_cfb64 EVP_idea_ecb EVP_idea_ofb @@ -1832,7 +1790,6 @@ EVP_md_null EVP_rc2_40_cbc EVP_rc2_64_cbc EVP_rc2_cbc -EVP_rc2_cfb EVP_rc2_cfb64 EVP_rc2_ecb EVP_rc2_ofb @@ -1847,7 +1804,13 @@ EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 +EVP_sha3_224 +EVP_sha3_256 +EVP_sha3_384 +EVP_sha3_512 EVP_sha512 +EVP_sha512_224 +EVP_sha512_256 EVP_sm3 EVP_sm4_cbc EVP_sm4_cfb128 @@ -1966,9 +1929,6 @@ NCONF_load NCONF_load_bio NCONF_load_fp NCONF_new -NETSCAPE_CERT_SEQUENCE_free -NETSCAPE_CERT_SEQUENCE_it -NETSCAPE_CERT_SEQUENCE_new NETSCAPE_SPKAC_free NETSCAPE_SPKAC_it NETSCAPE_SPKAC_new 
@@ -2157,6 +2117,7 @@ OPENSSL_add_all_algorithms_conf OPENSSL_add_all_algorithms_noconf OPENSSL_asc2uni OPENSSL_cleanse +OPENSSL_cleanup OPENSSL_config OPENSSL_cpu_caps OPENSSL_cpuid_setup @@ -2210,7 +2171,6 @@ PEM_read_DSAparams PEM_read_ECPKParameters PEM_read_ECPrivateKey PEM_read_EC_PUBKEY -PEM_read_NETSCAPE_CERT_SEQUENCE PEM_read_PKCS7 PEM_read_PKCS8 PEM_read_PKCS8_PRIV_KEY_INFO @@ -2232,7 +2192,6 @@ PEM_read_bio_DSAparams PEM_read_bio_ECPKParameters PEM_read_bio_ECPrivateKey PEM_read_bio_EC_PUBKEY -PEM_read_bio_NETSCAPE_CERT_SEQUENCE PEM_read_bio_PKCS7 PEM_read_bio_PKCS8 PEM_read_bio_PKCS8_PRIV_KEY_INFO @@ -2255,7 +2214,6 @@ PEM_write_DSAparams PEM_write_ECPKParameters PEM_write_ECPrivateKey PEM_write_EC_PUBKEY -PEM_write_NETSCAPE_CERT_SEQUENCE PEM_write_PKCS7 PEM_write_PKCS8 PEM_write_PKCS8PrivateKey @@ -2272,7 +2230,6 @@ PEM_write_X509_CRL PEM_write_X509_REQ PEM_write_X509_REQ_NEW PEM_write_bio -PEM_write_bio_ASN1_stream PEM_write_bio_CMS PEM_write_bio_CMS_stream PEM_write_bio_DHparams @@ -2282,7 +2239,6 @@ PEM_write_bio_DSAparams PEM_write_bio_ECPKParameters PEM_write_bio_ECPrivateKey PEM_write_bio_EC_PUBKEY -PEM_write_bio_NETSCAPE_CERT_SEQUENCE PEM_write_bio_PKCS7 PEM_write_bio_PKCS7_stream PEM_write_bio_PKCS8 @@ -2308,12 +2264,25 @@ PKCS12_BAGS_new PKCS12_MAC_DATA_free PKCS12_MAC_DATA_it PKCS12_MAC_DATA_new -PKCS12_MAKE_KEYBAG -PKCS12_MAKE_SHKEYBAG PKCS12_PBE_add PKCS12_PBE_keyivgen PKCS12_SAFEBAGS_it +PKCS12_SAFEBAG_create0_p8inf +PKCS12_SAFEBAG_create0_pkcs8 +PKCS12_SAFEBAG_create_cert +PKCS12_SAFEBAG_create_crl +PKCS12_SAFEBAG_create_pkcs8_encrypt PKCS12_SAFEBAG_free +PKCS12_SAFEBAG_get0_attr +PKCS12_SAFEBAG_get0_attrs +PKCS12_SAFEBAG_get0_p8inf +PKCS12_SAFEBAG_get0_pkcs8 +PKCS12_SAFEBAG_get0_safes +PKCS12_SAFEBAG_get0_type +PKCS12_SAFEBAG_get1_cert +PKCS12_SAFEBAG_get1_crl +PKCS12_SAFEBAG_get_bag_nid +PKCS12_SAFEBAG_get_nid PKCS12_SAFEBAG_it PKCS12_SAFEBAG_new PKCS12_add_CSPName_asc 
@@ -2324,12 +2293,11 @@ PKCS12_add_key PKCS12_add_localkeyid PKCS12_add_safe PKCS12_add_safes -PKCS12_certbag2x509 -PKCS12_certbag2x509crl PKCS12_create PKCS12_decrypt_skey PKCS12_free PKCS12_gen_mac +PKCS12_get0_mac PKCS12_get_attr_gen PKCS12_get_friendlyname PKCS12_init @@ -2339,6 +2307,7 @@ PKCS12_item_i2d_encrypt PKCS12_item_pack_safebag PKCS12_key_gen_asc PKCS12_key_gen_uni +PKCS12_mac_present PKCS12_new PKCS12_newpass PKCS12_pack_authsafes @@ -2352,8 +2321,6 @@ PKCS12_unpack_authsafes PKCS12_unpack_p7data PKCS12_unpack_p7encdata PKCS12_verify_mac -PKCS12_x5092certbag -PKCS12_x509crl2certbag PKCS1_MGF1 PKCS5_PBE_add PKCS5_PBE_keyivgen @@ -2454,6 +2421,7 @@ PKCS8_PRIV_KEY_INFO_new PKCS8_add_keyusage PKCS8_decrypt PKCS8_encrypt +PKCS8_get_attr PKCS8_pkey_add1_attr_by_NID PKCS8_pkey_get0 PKCS8_pkey_get0_attrs @@ -2474,12 +2442,6 @@ POLICY_MAPPINGS_it POLICY_MAPPING_free POLICY_MAPPING_it POLICY_MAPPING_new -PROXY_CERT_INFO_EXTENSION_free -PROXY_CERT_INFO_EXTENSION_it -PROXY_CERT_INFO_EXTENSION_new -PROXY_POLICY_free -PROXY_POLICY_it -PROXY_POLICY_new RAND_SSLeay RAND_add RAND_bytes @@ -2521,7 +2483,6 @@ RSA_PKCS1_SSLeay RSA_PSS_PARAMS_free RSA_PSS_PARAMS_it RSA_PSS_PARAMS_new -RSA_X931_hash_id RSA_bits RSA_blinding_off RSA_blinding_on @@ -2586,13 +2547,11 @@ RSA_padding_add_PKCS1_PSS RSA_padding_add_PKCS1_PSS_mgf1 RSA_padding_add_PKCS1_type_1 RSA_padding_add_PKCS1_type_2 -RSA_padding_add_X931 RSA_padding_add_none RSA_padding_check_PKCS1_OAEP RSA_padding_check_PKCS1_OAEP_mgf1 RSA_padding_check_PKCS1_type_1 RSA_padding_check_PKCS1_type_2 -RSA_padding_check_X931 RSA_padding_check_none RSA_pkey_ctx_ctrl RSA_print @@ -2601,6 +2560,7 @@ RSA_private_decrypt RSA_private_encrypt RSA_public_decrypt RSA_public_encrypt +RSA_security_bits RSA_set0_crt_params RSA_set0_factors RSA_set0_key 
@@ -2677,11 +2637,9 @@ SM4_decrypt SM4_encrypt SM4_set_key SMIME_crlf_copy -SMIME_read_ASN1 SMIME_read_CMS SMIME_read_PKCS7 SMIME_text -SMIME_write_ASN1 SMIME_write_CMS SMIME_write_PKCS7 SSLeay @@ -2695,18 +2653,6 @@ STREEBOG512_Final STREEBOG512_Init STREEBOG512_Transform STREEBOG512_Update -SXNETID_free -SXNETID_it -SXNETID_new -SXNET_add_id_INTEGER -SXNET_add_id_asc -SXNET_add_id_ulong -SXNET_free -SXNET_get_id_INTEGER -SXNET_get_id_asc -SXNET_get_id_ulong -SXNET_it -SXNET_new TS_ACCURACY_dup TS_ACCURACY_free TS_ACCURACY_get_micros @@ -2790,6 +2736,7 @@ TS_RESP_CTX_set_signer_cert TS_RESP_CTX_set_signer_key TS_RESP_CTX_set_status_info TS_RESP_CTX_set_status_info_cond +TS_RESP_CTX_set_time_cb TS_RESP_create_response TS_RESP_dup TS_RESP_free @@ -2806,9 +2753,13 @@ TS_RESP_verify_signature TS_RESP_verify_token TS_STATUS_INFO_dup TS_STATUS_INFO_free +TS_STATUS_INFO_get0_failure_info +TS_STATUS_INFO_get0_status +TS_STATUS_INFO_get0_text TS_STATUS_INFO_it TS_STATUS_INFO_new TS_STATUS_INFO_print_bio +TS_STATUS_INFO_set_status TS_TST_INFO_add_ext TS_TST_INFO_delete_ext TS_TST_INFO_dup @@ -2842,10 +2793,15 @@ TS_TST_INFO_set_serial TS_TST_INFO_set_time TS_TST_INFO_set_tsa TS_TST_INFO_set_version +TS_VERIFY_CTX_add_flags TS_VERIFY_CTX_cleanup TS_VERIFY_CTX_free -TS_VERIFY_CTX_init TS_VERIFY_CTX_new +TS_VERIFY_CTX_set_certs +TS_VERIFY_CTX_set_data +TS_VERIFY_CTX_set_flags +TS_VERIFY_CTX_set_imprint +TS_VERIFY_CTX_set_store TS_X509_ALGOR_print_bio TS_ext_print_bio TXT_DB_create_index @@ -2901,6 +2857,7 @@ UI_method_set_reader UI_method_set_writer UI_new UI_new_method +UI_null UI_process UI_set_default_method UI_set_ex_data @@ -2968,7 +2925,6 @@ X509_ALGOR_it X509_ALGOR_new X509_ALGOR_set0 X509_ALGOR_set_md -X509_ATTRIBUTE_SET_it X509_ATTRIBUTE_count X509_ATTRIBUTE_create X509_ATTRIBUTE_create_by_NID 
@@ -3009,6 +2965,7 @@ X509_CRL_get0_extensions X509_CRL_get0_lastUpdate X509_CRL_get0_nextUpdate X509_CRL_get0_signature +X509_CRL_get0_tbs_sigalg X509_CRL_get_REVOKED X509_CRL_get_ext X509_CRL_get_ext_by_NID @@ -3117,7 +3074,6 @@ X509_OBJECT_retrieve_match X509_OBJECT_up_ref_count X509_PKEY_free X509_PKEY_new -X509_POLICY_NODE_print X509_PUBKEY_free X509_PUBKEY_get X509_PUBKEY_get0 @@ -3209,19 +3165,20 @@ X509_STORE_CTX_get0_current_crl X509_STORE_CTX_get0_current_issuer X509_STORE_CTX_get0_param X509_STORE_CTX_get0_parent_ctx -X509_STORE_CTX_get0_policy_tree X509_STORE_CTX_get0_store X509_STORE_CTX_get0_untrusted +X509_STORE_CTX_get1_certs X509_STORE_CTX_get1_chain +X509_STORE_CTX_get1_crls X509_STORE_CTX_get1_issuer X509_STORE_CTX_get_by_subject X509_STORE_CTX_get_chain +X509_STORE_CTX_get_check_issued X509_STORE_CTX_get_current_cert X509_STORE_CTX_get_error X509_STORE_CTX_get_error_depth X509_STORE_CTX_get_ex_data X509_STORE_CTX_get_ex_new_index -X509_STORE_CTX_get_explicit_policy X509_STORE_CTX_get_num_untrusted X509_STORE_CTX_get_obj_by_subject X509_STORE_CTX_get_verify @@ -3255,8 +3212,7 @@ X509_STORE_add_lookup X509_STORE_free X509_STORE_get0_objects X509_STORE_get0_param -X509_STORE_get1_certs -X509_STORE_get1_crls +X509_STORE_get_check_issued X509_STORE_get_ex_data X509_STORE_get_verify X509_STORE_get_verify_cb @@ -3264,6 +3220,7 @@ X509_STORE_load_locations X509_STORE_load_mem X509_STORE_new X509_STORE_set1_param +X509_STORE_set_check_issued X509_STORE_set_default_paths X509_STORE_set_depth X509_STORE_set_ex_data @@ -3297,6 +3254,7 @@ X509_VERIFY_PARAM_get0_peername X509_VERIFY_PARAM_get_count X509_VERIFY_PARAM_get_depth X509_VERIFY_PARAM_get_flags +X509_VERIFY_PARAM_get_time X509_VERIFY_PARAM_inherit X509_VERIFY_PARAM_lookup X509_VERIFY_PARAM_new 
@@ -3307,6 +3265,7 @@ X509_VERIFY_PARAM_set1_ip X509_VERIFY_PARAM_set1_ip_asc X509_VERIFY_PARAM_set1_name X509_VERIFY_PARAM_set1_policies +X509_VERIFY_PARAM_set_auth_level X509_VERIFY_PARAM_set_depth X509_VERIFY_PARAM_set_flags X509_VERIFY_PARAM_set_hostflags @@ -3350,6 +3309,7 @@ X509_get0_pubkey_bitstr X509_get0_serialNumber X509_get0_signature X509_get0_tbs_sigalg +X509_get0_uids X509_get1_email X509_get1_ocsp X509_get_X509_PUBKEY @@ -3394,17 +3354,6 @@ X509_load_cert_file X509_load_crl_file X509_new X509_ocspid_print -X509_policy_check -X509_policy_level_get0_node -X509_policy_level_node_count -X509_policy_node_get0_parent -X509_policy_node_get0_policy -X509_policy_node_get0_qualifiers -X509_policy_tree_free -X509_policy_tree_get0_level -X509_policy_tree_get0_policies -X509_policy_tree_get0_user_policies -X509_policy_tree_level_count X509_print X509_print_ex X509_print_ex_fp @@ -3502,9 +3451,6 @@ b2i_PrivateKey b2i_PrivateKey_bio b2i_PublicKey b2i_PublicKey_bio -c2i_ASN1_BIT_STRING -c2i_ASN1_INTEGER -c2i_ASN1_OBJECT d2i_ACCESS_DESCRIPTION d2i_ASIdOrRange d2i_ASIdentifierChoice @@ -3583,7 +3529,6 @@ d2i_IPAddressFamily d2i_IPAddressOrRange d2i_IPAddressRange d2i_ISSUING_DIST_POINT -d2i_NETSCAPE_CERT_SEQUENCE d2i_NETSCAPE_SPKAC d2i_NETSCAPE_SPKI d2i_NOTICEREF @@ -3636,8 +3581,6 @@ d2i_PKCS8_fp d2i_PKEY_USAGE_PERIOD d2i_POLICYINFO d2i_POLICYQUALINFO -d2i_PROXY_CERT_INFO_EXTENSION -d2i_PROXY_POLICY d2i_PUBKEY d2i_PUBKEY_bio d2i_PUBKEY_fp @@ -3657,8 +3600,6 @@ d2i_RSA_PUBKEY d2i_RSA_PUBKEY_bio d2i_RSA_PUBKEY_fp d2i_SCT_LIST -d2i_SXNET -d2i_SXNETID d2i_TS_ACCURACY d2i_TS_MSG_IMPRINT d2i_TS_MSG_IMPRINT_bio @@ -3716,8 +3657,6 @@ i2a_ASN1_STRING i2b_PVK_bio i2b_PrivateKey_bio i2b_PublicKey_bio -i2c_ASN1_BIT_STRING -i2c_ASN1_INTEGER i2d_ACCESS_DESCRIPTION i2d_ASIdOrRange i2d_ASIdentifierChoice 
@@ -3743,7 +3682,6 @@ i2d_ASN1_UNIVERSALSTRING
 i2d_ASN1_UTCTIME
 i2d_ASN1_UTF8STRING
 i2d_ASN1_VISIBLESTRING
-i2d_ASN1_bio_stream
 i2d_ASRange
 i2d_AUTHORITY_INFO_ACCESS
 i2d_AUTHORITY_KEYID
@@ -3796,7 +3734,6 @@ i2d_IPAddressFamily
 i2d_IPAddressOrRange
 i2d_IPAddressRange
 i2d_ISSUING_DIST_POINT
-i2d_NETSCAPE_CERT_SEQUENCE
 i2d_NETSCAPE_SPKAC
 i2d_NETSCAPE_SPKI
 i2d_NOTICEREF
@@ -3833,7 +3770,6 @@ i2d_PKCS7_ENCRYPT
 i2d_PKCS7_ENC_CONTENT
 i2d_PKCS7_ENVELOPE
 i2d_PKCS7_ISSUER_AND_SERIAL
-i2d_PKCS7_NDEF
 i2d_PKCS7_RECIP_INFO
 i2d_PKCS7_SIGNED
 i2d_PKCS7_SIGNER_INFO
@@ -3855,8 +3791,6 @@ i2d_PKCS8_fp
 i2d_PKEY_USAGE_PERIOD
 i2d_POLICYINFO
 i2d_POLICYQUALINFO
-i2d_PROXY_CERT_INFO_EXTENSION
-i2d_PROXY_POLICY
 i2d_PUBKEY
 i2d_PUBKEY_bio
 i2d_PUBKEY_fp
@@ -3876,8 +3810,6 @@ i2d_RSA_PUBKEY
 i2d_RSA_PUBKEY_bio
 i2d_RSA_PUBKEY_fp
 i2d_SCT_LIST
-i2d_SXNET
-i2d_SXNETID
 i2d_TS_ACCURACY
 i2d_TS_MSG_IMPRINT
 i2d_TS_MSG_IMPRINT_bio
diff --git a/crypto/crypto_init.c b/crypto/crypto_init.c
index 67e7920..ccf6022 100644
--- a/crypto/crypto_init.c
+++ b/crypto/crypto_init.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: crypto_init.c,v 1.8 2023/05/08 13:53:26 tb Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck
  *
@@ -19,17 +20,21 @@
 #include
 #include
-#include
 #include
-#include
 #include
+#include
+#include
 #include "cryptlib.h"
+#include "x509_issuer_cache.h"
 int OpenSSL_config(const char *);
 int OpenSSL_no_config(void);
+static pthread_once_t crypto_init_once = PTHREAD_ONCE_INIT;
 static pthread_t crypto_init_thread;
+static int crypto_init_cleaned_up;
 static void
 OPENSSL_init_crypto_internal(void)
@@ -45,12 +50,15 @@ OPENSSL_init_crypto_internal(void)
 int
 OPENSSL_init_crypto(uint64_t opts, const void *settings)
 {
- static pthread_once_t once = PTHREAD_ONCE_INIT;
+ if (crypto_init_cleaned_up) {
+ CRYPTOerror(ERR_R_INIT_FAIL);
+ return 0;
+ }
 
 if (pthread_equal(pthread_self(), crypto_init_thread))
 return 1; /* don't recurse */
 
- if (pthread_once(&once, OPENSSL_init_crypto_internal) != 0)
+ if (pthread_once(&crypto_init_once, OPENSSL_init_crypto_internal) != 0)
 return 0;
 
 if ((opts & OPENSSL_INIT_NO_LOAD_CONFIG) &&
@@ -63,3 +71,17 @@ OPENSSL_init_crypto(uint64_t opts, const void *settings)
 return 1;
 }
+
+void
+OPENSSL_cleanup(void)
+{
+ /* This currently calls init... */
+ ERR_free_strings();
+
+ CRYPTO_cleanup_all_ex_data();
+ ENGINE_cleanup();
+ EVP_cleanup();
+ x509_issuer_cache_free();
+
+ crypto_init_cleaned_up = 1;
+}
diff --git a/crypto/crypto_internal.h b/crypto/crypto_internal.h
new file mode 100644
index 0000000..db3e995
--- /dev/null
+++ b/crypto/crypto_internal.h
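Review bot: `OPENSSL_cleanup()` is neither idempotent nor ordered against `OPENSSL_init_crypto()`: `crypto_init_cleaned_up` is a plain `static int` stored at the end of cleanup and read with no lock or barrier at the top of `OPENSSL_init_crypto()`, and a second `OPENSSL_cleanup()` call re-runs every teardown function and, via the `ERR_free_strings()` path the comment says re-enters init, now trips the new `ERR_R_INIT_FAIL` branch and pushes an error onto state that was just released (whether those teardown functions tolerate a repeat call is not visible here). Add `if (crypto_init_cleaned_up) return;` as the first statement of `OPENSSL_cleanup()`, and replace the terse comment with one that states the dependency the function relies on: `/* ERR_free_strings() re-enters OPENSSL_init_crypto(), so it must run before crypto_init_cleaned_up is set. */`. If concurrent init/cleanup is simply unsupported, say so in that comment rather than leaving the unsynchronised flag to imply otherwise.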
@@ -0,0 +1,85 @@
+/* $OpenBSD: crypto_internal.h,v 1.5 2023/05/19 00:54:27 deraadt Exp $ */
+/*
+ * Copyright (c) 2023 Joel Sing
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+#include
+#include
+
+#ifndef HEADER_CRYPTO_INTERNAL_H
+#define HEADER_CRYPTO_INTERNAL_H
+
+/*
+ * crypto_store_htobe32() stores a 32 bit unsigned host endian value
+ * as a 32 bit unsigned big endian value, at the specified location in
+ * memory. The memory location may have any alignment.
+ */
+#ifndef HAVE_CRYPTO_STORE_HTOBE32
+static inline void
+crypto_store_htobe32(uint8_t *dst, uint32_t v)
+{
+ v = htobe32(v);
+ memcpy(dst, &v, sizeof(v));
+}
+#endif
+
+/*
+ * crypto_store_htobe64() stores a 64 bit unsigned host endian value
+ * as a 64 bit unsigned big endian value, at the specified location in
+ * memory. The memory location may have any alignment.
+ */
+#ifndef HAVE_CRYPTO_STORE_HTOBE64
+static inline void
+crypto_store_htobe64(uint8_t *dst, uint64_t v)
+{
+ v = htobe64(v);
+ memcpy(dst, &v, sizeof(v));
+}
+#endif
+
+#ifndef HAVE_CRYPTO_ROL_U32
+static inline uint32_t
+crypto_rol_u32(uint32_t v, size_t shift)
+{
+ return (v << shift) | (v >> (32 - shift));
+}
+#endif
+
+#ifndef HAVE_CRYPTO_ROR_U32
+static inline uint32_t
+crypto_ror_u32(uint32_t v, size_t shift)
+{
+ return (v << (32 - shift)) | (v >> shift);
+}
+#endif
+
+#ifndef HAVE_CRYPTO_ROL_U64
+static inline uint64_t
+crypto_rol_u64(uint64_t v, size_t shift)
+{
+ return (v << shift) | (v >> (64 - shift));
+}
+#endif
+
+#ifndef HAVE_CRYPTO_ROR_U64
+static inline uint64_t
+crypto_ror_u64(uint64_t v, size_t shift)
+{
+ return (v << (64 - shift)) | (v >> shift);
+}
+#endif
+
+#endif
diff --git a/crypto/crypto_lock.c b/crypto/crypto_lock.c
index 5d317a8..bd8315c 100644
--- a/crypto/crypto_lock.c
+++ b/crypto/crypto_lock.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto_lock.c,v 1.2 2018/11/28 15:51:32 jsing Exp $ */
+/* $OpenBSD: crypto_lock.c,v 1.4 2023/05/19 00:54:27 deraadt Exp $ */
 /*
  * Copyright (c) 2018 Brent Cook
  *
diff --git a/crypto/ct/ct_err.c b/crypto/ct/ct_err.c
index fc9ca0c..2597874 100644
--- a/crypto/ct/ct_err.c
+++ b/crypto/ct/ct_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ct_err.c,v 1.5 2021/12/18 16:50:40 tb Exp $ */
+/* $OpenBSD: ct_err.c,v 1.7 2022/07/12 14:42:48 kn Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
  *
@@ -53,13 +53,8 @@
  *
  */
 
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
+#include
 #include
-#include
 #ifndef OPENSSL_NO_ERR
diff --git a/crypto/ct/ct_sct_ctx.c b/crypto/ct/ct_sct_ctx.c
index 1863058..b2b6d4e 100644
--- a/crypto/ct/ct_sct_ctx.c
+++ b/crypto/ct/ct_sct_ctx.c
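Review bot: The four rotate helpers are undefined behaviour at the boundaries: `crypto_rol_u32()` evaluates `v >> (32 - shift)`, which is a shift by the full width when `shift` is 0, and because `shift` is `size_t` the subtraction wraps for any `shift > 32`; the `ror` and 64-bit variants have the mirror-image problem. Either state the precondition on each helper (`/* shift must satisfy 0 < shift < 32 */`, and `< 64` for the wide ones) or use the masked form compilers still recognise as a single rotate, `return (v << (shift & 31)) | (v >> ((32 - shift) & 31));`, with `& 63` in the 64-bit helpers, which is well defined for every `shift` including 0. The three `#include` lines also sit before the `HEADER_CRYPTO_INTERNAL_H` guard; moving them inside lets the guard cover the whole header.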
@@ -1,4 +1,4 @@ -/* $OpenBSD: ct_sct_ctx.c,v 1.5 2021/12/18 16:34:52 tb Exp $ */ +/* $OpenBSD: ct_sct_ctx.c,v 1.6 2022/06/30 11:14:47 tb Exp $ */ /* * Written by Rob Stradling (rob@comodo.com) and Stephen Henson * (steve@openssl.org) for the OpenSSL project 2014. @@ -65,7 +65,7 @@ #include #include -#include +#include #include #include "ct_local.h" diff --git a/crypto/curve25519/curve25519.c b/crypto/curve25519/curve25519.c index 6df03a3..4f85a81 100644 --- a/crypto/curve25519/curve25519.c +++ b/crypto/curve25519/curve25519.c @@ -1,4 +1,4 @@ -/* $OpenBSD: curve25519.c,v 1.6 2022/02/08 16:44:23 tb Exp $ */ +/* $OpenBSD: curve25519.c,v 1.15 2023/04/02 15:36:53 tb Exp $ */ /* * Copyright (c) 2015, Google Inc. * @@ -24,14 +24,12 @@ * The field functions are shared by Ed25519 and X25519 where possible. */ +#include #include #include #include - -#ifdef ED25519 #include -#endif #include "curve25519_internal.h" @@ -644,9 +642,6 @@ static void fe_invert(fe out, const fe z) { int i; fe_sq(t0, z); - for (i = 1; i < 1; ++i) { - fe_sq(t0, t0); - } fe_sq(t1, t0); for (i = 1; i < 2; ++i) { fe_sq(t1, t1); @@ -654,9 +649,6 @@ static void fe_invert(fe out, const fe z) { fe_mul(t1, z, t1); fe_mul(t0, t0, t1); fe_sq(t2, t0); - for (i = 1; i < 1; ++i) { - fe_sq(t2, t2); - } fe_mul(t1, t1, t2); fe_sq(t2, t1); for (i = 1; i < 5; ++i) { @@ -911,9 +903,6 @@ static void fe_pow22523(fe out, const fe z) { int i; fe_sq(t0, z); - for (i = 1; i < 1; ++i) { - fe_sq(t0, t0); - } fe_sq(t1, t0); for (i = 1; i < 2; ++i) { fe_sq(t1, t1); @@ -921,9 +910,6 @@ static void fe_pow22523(fe out, const fe z) { fe_mul(t1, z, t1); fe_mul(t0, t0, t1); fe_sq(t0, t0); - for (i = 1; i < 1; ++i) { - fe_sq(t0, t0); - } fe_mul(t0, t1, t0); fe_sq(t1, t0); for (i = 1; i < 5; ++i) { @@ -979,7 +965,6 @@ void x25519_ge_tobytes(uint8_t *s, const ge_p2 *h) { s[31] ^= fe_isnegative(x) << 7; } -#ifdef ED25519 static void ge_p3_tobytes(uint8_t *s, const ge_p3 *h) { fe recip; fe x; 
@@ -991,7 +976,6 @@ static void ge_p3_tobytes(uint8_t *s, const ge_p3 *h) { fe_tobytes(s, y); s[31] ^= fe_isnegative(x) << 7; } -#endif static const fe d = {-10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116}; @@ -1146,7 +1130,6 @@ static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) { fe_sub(r->T, t0, r->T); } -#ifdef ED25519 /* r = p - q */ static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) { fe t0; @@ -1162,7 +1145,6 @@ static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) { fe_sub(r->Z, t0, r->T); fe_add(r->T, t0, r->T); } -#endif /* r = p + q */ void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) { @@ -3624,7 +3606,6 @@ void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, const ge_p3 *A) { } } -#ifdef ED25519 static void slide(signed char *r, const uint8_t *a) { int i; int b; @@ -3799,7 +3780,6 @@ ge_double_scalarmult_vartime(ge_p2 *r, const uint8_t *a, x25519_ge_p1p1_to_p2(r, &t); } } -#endif /* The set of scalars is \Z/l * where l = 2^252 + 27742317777372353535851937790883648493. */ @@ -4145,7 +4125,6 @@ x25519_sc_reduce(uint8_t *s) { s[31] = s11 >> 17; } -#ifdef ED25519 /* Input: * a[0]+256*a[1]+...+256^31*a[31] = a * b[0]+256*b[1]+...+256^31*b[31] = b @@ -4636,15 +4615,11 @@ sc_muladd(uint8_t *s, const uint8_t *a, const uint8_t *b, s[30] = s11 >> 9; s[31] = s11 >> 17; } -#endif - -#ifdef ED25519 -void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) { - uint8_t seed[32]; - arc4random_buf(seed, 32); +void ED25519_public_from_private(uint8_t out_public_key[ED25519_PUBLIC_KEY_LENGTH], + const uint8_t private_key[ED25519_PRIVATE_KEY_LENGTH]) { uint8_t az[SHA512_DIGEST_LENGTH]; - SHA512(seed, 32, az); + SHA512(private_key, 32, az); az[0] &= 248; az[31] &= 63; 
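Review bot: In the new ED25519_public_from_private, `SHA512(private_key, 32, az)` hashes a literal 32 bytes although the parameter is declared with ED25519_PRIVATE_KEY_LENGTH; if that constant is 32, as `arc4random_buf(out_private_key, 32)` in the following hunk suggests, `SHA512(private_key, ED25519_PRIVATE_KEY_LENGTH, az);` keeps the two from drifting, and the same applies to the arc4random_buf call. The function's body continues past the end of this hunk.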
@@ -4653,13 +4628,18 @@ void ED25519_keypair(uint8_t out_public_key[32], uint8_t out_private_key[64]) { ge_p3 A; x25519_ge_scalarmult_base(&A, az); ge_p3_tobytes(out_public_key, &A); +} - memcpy(out_private_key, seed, 32); - memmove(out_private_key + 32, out_public_key, 32); +void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LENGTH], + uint8_t out_private_key[ED25519_PRIVATE_KEY_LENGTH]) { + arc4random_buf(out_private_key, 32); + + ED25519_public_from_private(out_public_key, out_private_key); } int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, - const uint8_t private_key[64]) { + const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH], + const uint8_t private_key[ED25519_PRIVATE_KEY_LENGTH]) { uint8_t az[SHA512_DIGEST_LENGTH]; SHA512(private_key, 32, az); @@ -4681,7 +4661,7 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, SHA512_Init(&hash_ctx); SHA512_Update(&hash_ctx, out_sig, 32); - SHA512_Update(&hash_ctx, private_key + 32, 32); + SHA512_Update(&hash_ctx, public_key, 32); SHA512_Update(&hash_ctx, message, message_len); uint8_t hram[SHA512_DIGEST_LENGTH]; SHA512_Final(hram, &hash_ctx); 
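Review bot: ED25519_sign now feeds a caller-supplied `public_key` into the hram hash (`SHA512_Update(&hash_ctx, public_key, 32)`) in place of the public half that used to live next to the seed, so the function no longer guarantees that the key bound into the signature is the one derived from `private_key`, and the new signature gives callers no hint of that requirement. Signing with a public key that does not belong to the private key undermines the scheme's security, so the mismatch should be either rejected or clearly documented. Rejecting it costs one base-point multiplication: `uint8_t pk[ED25519_PUBLIC_KEY_LENGTH]; ED25519_public_from_private(pk, private_key); if (timingsafe_memcmp(pk, public_key, sizeof(pk)) != 0) return 0;` at the top of the function; the cheaper alternative is a comment above the prototype stating that `public_key` must be the value produced by ED25519_keypair or ED25519_public_from_private for this `private_key`. ED25519_sign begins and ends outside this hunk.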
@@ -4692,9 +4672,22 @@ int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len, return 1; } +/* + * Little endian representation of the order of edwards25519, + * see https://www.rfc-editor.org/rfc/rfc7748#section-4.1 + */ +static const uint8_t order[] = { + 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, + 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, +}; + int ED25519_verify(const uint8_t *message, size_t message_len, - const uint8_t signature[64], const uint8_t public_key[32]) { + const uint8_t signature[ED25519_SIGNATURE_LENGTH], + const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]) { ge_p3 A; + int i; if ((signature[63] & 224) != 0 || x25519_ge_frombytes_vartime(&A, public_key) != 0) { return 0; @@ -4710,6 +4703,20 @@ int ED25519_verify(const uint8_t *message, size_t message_len, uint8_t scopy[32]; memcpy(scopy, signature + 32, 32); + /* + * https://tools.ietf.org/html/rfc8032#section-5.1.7 requires that scopy be + * in the range [0, order) to prevent signature malleability. This value is + * public, so there is no need to make this constant time. + */ + for (i = 31; i >= 0; i--) { + if (scopy[i] > order[i]) + return 0; + if (scopy[i] < order[i]) + break; + if (i == 0) + return 0; + } + SHA512_CTX hash_ctx; SHA512_Init(&hash_ctx); SHA512_Update(&hash_ctx, signature, 32); @@ -4728,7 +4735,6 @@ int ED25519_verify(const uint8_t *message, size_t message_len, return timingsafe_memcmp(rcheck, rcopy, sizeof(rcheck)) == 0; } -#endif /* Replace (f,g) with (g,f) if b == 1; * replace (f,g) with (f,g) if b == 0. @@ -4862,7 +4868,7 @@ x25519_scalar_mult_generic(uint8_t out[32], const uint8_t scalar[32], #ifdef unused void -x25519_public_from_private_generic(uint8_t out_public_value[32], +x25519_public_from_private_generic(uint8_t out_public_key[32], const uint8_t private_key[32]) { uint8_t e[32]; 
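Review bot: With the new byte-wise range check of `scopy` against `order`, the pre-existing `(signature[63] & 224) != 0` test just above it is implied rather than independent (order[31] is 0x10, so any S below the order has the top three bits of byte 63 clear), and a reader will wonder which of the two is the authoritative check. It is fine as a cheap early exit, but a comment on that `if`, `/* Cheap pre-check only; the S < order comparison below is the RFC 8032 requirement. */`, would say so. The loop itself looks right: it rejects S > order from the most significant byte down, stops at the first smaller byte, and returns 0 at `i == 0` when S equals the order.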
@@ -4882,21 +4888,21 @@ x25519_public_from_private_generic(uint8_t out_public_value[32], fe_sub(zminusy, A.Z, A.Y); fe_invert(zminusy_inv, zminusy); fe_mul(zplusy, zplusy, zminusy_inv); - fe_tobytes(out_public_value, zplusy); + fe_tobytes(out_public_key, zplusy); } #endif void -x25519_public_from_private(uint8_t out_public_value[32], - const uint8_t private_key[32]) +X25519_public_from_private(uint8_t out_public_key[X25519_KEY_LENGTH], + const uint8_t private_key[X25519_KEY_LENGTH]) { static const uint8_t kMongomeryBasePoint[32] = {9}; - x25519_scalar_mult(out_public_value, private_key, kMongomeryBasePoint); + x25519_scalar_mult(out_public_key, private_key, kMongomeryBasePoint); } void -X25519_keypair(uint8_t out_public_value[X25519_KEY_LENGTH], +X25519_keypair(uint8_t out_public_key[X25519_KEY_LENGTH], uint8_t out_private_key[X25519_KEY_LENGTH]) { /* All X25519 implementations should decode scalars correctly (see @@ -4918,17 +4924,17 @@ X25519_keypair(uint8_t out_public_value[X25519_KEY_LENGTH], out_private_key[31] &= 63; out_private_key[31] |= 128; - x25519_public_from_private(out_public_value, out_private_key); + X25519_public_from_private(out_public_key, out_private_key); } int X25519(uint8_t out_shared_key[X25519_KEY_LENGTH], const uint8_t private_key[X25519_KEY_LENGTH], - const uint8_t peer_public_value[X25519_KEY_LENGTH]) + const uint8_t peer_public_key[X25519_KEY_LENGTH]) { static const uint8_t kZeros[32] = {0}; - x25519_scalar_mult(out_shared_key, private_key, peer_public_value); + x25519_scalar_mult(out_shared_key, private_key, peer_public_key); /* The all-zero output results when the input is a point of small order. */ return timingsafe_memcmp(kZeros, out_shared_key, 32) != 0; diff --git a/crypto/curve25519/curve25519_internal.h b/crypto/curve25519/curve25519_internal.h index 09d20a4..abfaaaf 100644 --- a/crypto/curve25519/curve25519_internal.h +++ b/crypto/curve25519/curve25519_internal.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: curve25519_internal.h,v 1.3 2019/05/11 15:55:52 tb Exp $ */ +/* $OpenBSD: curve25519_internal.h,v 1.6 2022/11/09 17:45:55 jsing Exp $ */ /* * Copyright (c) 2015, Google Inc. * @@ -94,6 +94,12 @@ void x25519_scalar_mult(uint8_t out[32], const uint8_t scalar[32], void x25519_scalar_mult_generic(uint8_t out[32], const uint8_t scalar[32], const uint8_t point[32]); +void ED25519_public_from_private(uint8_t out_public_key[32], + const uint8_t private_key[32]); + +void X25519_public_from_private(uint8_t out_public_key[32], + const uint8_t private_key[32]); + __END_HIDDEN_DECLS #endif /* HEADER_CURVE25519_INTERNAL_H */ diff --git a/crypto/des/cbc_cksm.c b/crypto/des/cbc_cksm.c index 20553ef..2c1c4aa 100644 --- a/crypto/des/cbc_cksm.c +++ b/crypto/des/cbc_cksm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cbc_cksm.c,v 1.7 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: cbc_cksm.c,v 1.8 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ -#include "des_locl.h" +#include "des_local.h" DES_LONG DES_cbc_cksum(const unsigned char *in, DES_cblock *output, long length, DES_key_schedule *schedule, diff --git a/crypto/des/cfb64ede.c b/crypto/des/cfb64ede.c index 6d4d287..f2b2fe2 100644 --- a/crypto/des/cfb64ede.c +++ b/crypto/des/cfb64ede.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cfb64ede.c,v 1.9 2015/02/07 13:19:15 doug Exp $ */ +/* $OpenBSD: cfb64ede.c,v 1.10 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ -#include "des_locl.h" +#include "des_local.h" /* The input and output encrypted as though 64bit cfb mode is being * used. The extra state information to record how much of the diff --git a/crypto/des/cfb64enc.c b/crypto/des/cfb64enc.c index 6c8f99e..4e92845 100644 --- a/crypto/des/cfb64enc.c +++ b/crypto/des/cfb64enc.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: cfb64enc.c,v 1.6 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: cfb64enc.c,v 1.7 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ -#include "des_locl.h" +#include "des_local.h" /* The input and output encrypted as though 64bit cfb mode is being * used. The extra state information to record how much of the diff --git a/crypto/des/cfb_enc.c b/crypto/des/cfb_enc.c index 4231f46..9ba31f4 100644 --- a/crypto/des/cfb_enc.c +++ b/crypto/des/cfb_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cfb_enc.c,v 1.14 2021/11/09 18:40:21 bcook Exp $ */ +/* $OpenBSD: cfb_enc.c,v 1.15 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ -#include "des_locl.h" +#include "des_local.h" #include /* The input and output are loaded in multiples of 8 bits. diff --git a/crypto/des/des_enc.c b/crypto/des/des_enc.c index 1de35e1..8d6232b 100644 --- a/crypto/des/des_enc.c +++ b/crypto/des/des_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: des_enc.c,v 1.12 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: des_enc.c,v 1.13 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ -#include "des_locl.h" +#include "des_local.h" #include "spr.h" #ifndef OPENBSD_DES_ASM diff --git a/crypto/des/des_locl.h b/crypto/des/des_local.h similarity index 99% rename from crypto/des/des_locl.h rename to crypto/des/des_local.h index 34a7609..a058ac2 100644 --- a/crypto/des/des_locl.h +++ b/crypto/des/des_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: des_locl.h,v 1.19 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: des_local.h,v 1.1 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
diff --git a/crypto/des/ecb3_enc.c b/crypto/des/ecb3_enc.c index 97de804..c2d8329 100644 --- a/crypto/des/ecb3_enc.c +++ b/crypto/des/ecb3_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecb3_enc.c,v 1.7 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: ecb3_enc.c,v 1.8 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ -#include "des_locl.h" +#include "des_local.h" void DES_ecb3_encrypt(const_DES_cblock *input, DES_cblock *output, DES_key_schedule *ks1, DES_key_schedule *ks2, diff --git a/crypto/des/ecb_enc.c b/crypto/des/ecb_enc.c index dac37de..35ce711 100644 --- a/crypto/des/ecb_enc.c +++ b/crypto/des/ecb_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecb_enc.c,v 1.16 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: ecb_enc.c,v 1.17 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ -#include "des_locl.h" +#include "des_local.h" #include #include diff --git a/crypto/des/ede_cbcm_enc.c b/crypto/des/ede_cbcm_enc.c index 9a9f51e..3f1609d 100644 --- a/crypto/des/ede_cbcm_enc.c +++ b/crypto/des/ede_cbcm_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ede_cbcm_enc.c,v 1.6 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: ede_cbcm_enc.c,v 1.7 2022/11/26 16:08:51 tb Exp $ */ /* Written by Ben Laurie for the OpenSSL * project 13 Feb 1999. */ @@ -71,7 +71,7 @@ http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1998/CS/CS0928.ps.gz #include /* To see if OPENSSL_NO_DESCBCM is defined */ #ifndef OPENSSL_NO_DESCBCM -#include "des_locl.h" +#include "des_local.h" void DES_ede3_cbcm_encrypt(const unsigned char *in, unsigned char *out, long length, DES_key_schedule *ks1, DES_key_schedule *ks2, diff --git a/crypto/des/enc_read.c b/crypto/des/enc_read.c index f565915..a9010f6 100644 --- a/crypto/des/enc_read.c +++ b/crypto/des/enc_read.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: enc_read.c,v 1.15 2015/02/12 03:54:07 jsing Exp $ */ +/* $OpenBSD: enc_read.c,v 1.16 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -61,7 +61,7 @@ #include -#include "des_locl.h" +#include "des_local.h" /* This has some uglies in it but it works - even over sockets. */ /*extern int errno;*/ diff --git a/crypto/des/enc_writ.c b/crypto/des/enc_writ.c index 59f3878..65fa720 100644 --- a/crypto/des/enc_writ.c +++ b/crypto/des/enc_writ.c @@ -1,4 +1,4 @@ -/* $OpenBSD: enc_writ.c,v 1.14 2015/02/12 03:54:07 jsing Exp $ */ +/* $OpenBSD: enc_writ.c,v 1.15 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,7 +63,7 @@ #include -#include "des_locl.h" +#include "des_local.h" /* * WARNINGS: diff --git a/crypto/des/fcrypt.c b/crypto/des/fcrypt.c index f8c9935..537562c 100644 --- a/crypto/des/fcrypt.c +++ b/crypto/des/fcrypt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: fcrypt.c,v 1.12 2016/12/26 21:30:10 jca Exp $ */ +/* $OpenBSD: fcrypt.c,v 1.13 2022/11/26 16:08:51 tb Exp $ */ #include @@ -15,7 +15,7 @@ * defined 24. */ -#include "des_locl.h" +#include "des_local.h" /* Added more values to handle illegal salt values the way normal * crypt() implementations do. The patch was sent by diff --git a/crypto/des/fcrypt_b.c b/crypto/des/fcrypt_b.c index ad11a47..903c6de 100644 --- a/crypto/des/fcrypt_b.c +++ b/crypto/des/fcrypt_b.c @@ -1,4 +1,4 @@ -/* $OpenBSD: fcrypt_b.c,v 1.9 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: fcrypt_b.c,v 1.10 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -65,7 +65,7 @@ */ #define DES_FCRYPT -#include "des_locl.h" +#include "des_local.h" #undef DES_FCRYPT #ifndef OPENBSD_DES_ASM diff --git a/crypto/des/ncbc_enc.c b/crypto/des/ncbc_enc.c index 2127962..f2e1274 100644 --- a/crypto/des/ncbc_enc.c +++ b/crypto/des/ncbc_enc.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ncbc_enc.c,v 1.7 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: ncbc_enc.c,v 1.8 2022/11/26 16:08:51 tb Exp $ */ /* * #included by: * cbc_enc.c (DES_cbc_encrypt) @@ -61,7 +61,7 @@ * [including the GNU Public Licence.] */ -#include "des_locl.h" +#include "des_local.h" #ifdef CBC_ENC_C__DONT_UPDATE_IV void DES_cbc_encrypt(const unsigned char *in, unsigned char *out, long length, diff --git a/crypto/des/ofb64ede.c b/crypto/des/ofb64ede.c index 474d38c..6596931 100644 --- a/crypto/des/ofb64ede.c +++ b/crypto/des/ofb64ede.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ofb64ede.c,v 1.6 2015/02/07 13:19:15 doug Exp $ */ +/* $OpenBSD: ofb64ede.c,v 1.7 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ -#include "des_locl.h" +#include "des_local.h" /* The input and output encrypted as though 64bit ofb mode is being * used. The extra state information to record how much of the diff --git a/crypto/des/ofb64enc.c b/crypto/des/ofb64enc.c index de1a26b..10deca0 100644 --- a/crypto/des/ofb64enc.c +++ b/crypto/des/ofb64enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ofb64enc.c,v 1.6 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: ofb64enc.c,v 1.7 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ -#include "des_locl.h" +#include "des_local.h" /* The input and output encrypted as though 64bit ofb mode is being * used. The extra state information to record how much of the diff --git a/crypto/des/ofb_enc.c b/crypto/des/ofb_enc.c index 8cc5bbc..25abb6d 100644 --- a/crypto/des/ofb_enc.c +++ b/crypto/des/ofb_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ofb_enc.c,v 1.6 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: ofb_enc.c,v 1.7 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ -#include "des_locl.h" +#include "des_local.h" /* The input and output are loaded in multiples of 8 bits. * What this means is that if you hame numbits=12 and length=2 diff --git a/crypto/des/pcbc_enc.c b/crypto/des/pcbc_enc.c index fda18ba..1f8688d 100644 --- a/crypto/des/pcbc_enc.c +++ b/crypto/des/pcbc_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcbc_enc.c,v 1.6 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: pcbc_enc.c,v 1.7 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ -#include "des_locl.h" +#include "des_local.h" void DES_pcbc_encrypt(const unsigned char *input, unsigned char *output, long length, DES_key_schedule *schedule, diff --git a/crypto/des/qud_cksm.c b/crypto/des/qud_cksm.c index e2409d8..7ff4362 100644 --- a/crypto/des/qud_cksm.c +++ b/crypto/des/qud_cksm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: qud_cksm.c,v 1.7 2014/06/12 15:49:28 deraadt Exp $ */ +/* $OpenBSD: qud_cksm.c,v 1.8 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -61,7 +61,7 @@ * This module in only based on the code in this paper and is * almost definitely not the same as the MIT implementation. */ -#include "des_locl.h" +#include "des_local.h" /* bug fix for dos - 7/6/91 - Larry hughes@logos.ucs.indiana.edu */ #define Q_B0(a) (((DES_LONG)(a))) diff --git a/crypto/des/set_key.c b/crypto/des/set_key.c index 7d2c6b4..5196a64 100644 --- a/crypto/des/set_key.c +++ b/crypto/des/set_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: set_key.c,v 1.20 2017/02/09 03:43:05 dtucker Exp $ */ +/* $OpenBSD: set_key.c,v 1.21 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -64,7 +64,7 @@ * 1.0 First working version */ #include -#include "des_locl.h" +#include "des_local.h" int DES_check_key = 0; /* defaults to false */ diff --git a/crypto/des/str2key.c b/crypto/des/str2key.c index ce17e26..316e803 100644 --- a/crypto/des/str2key.c +++ b/crypto/des/str2key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: str2key.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */ +/* $OpenBSD: str2key.c,v 1.11 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "des_locl.h" +#include "des_local.h" void DES_string_to_key(const char *str, DES_cblock *key) { diff --git a/crypto/des/xcbc_enc.c b/crypto/des/xcbc_enc.c index 4f7a070..0152f3e 100644 --- a/crypto/des/xcbc_enc.c +++ b/crypto/des/xcbc_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: xcbc_enc.c,v 1.9 2015/02/07 13:19:15 doug Exp $ */ +/* $OpenBSD: xcbc_enc.c,v 1.10 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,7 +56,7 @@ * [including the GNU Public Licence.] */ -#include "des_locl.h" +#include "des_local.h" /* RSA's DESX */ diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 0df7fbc..3de0bb9 100644 --- a/crypto/dh/dh_ameth.c +++ b/crypto/dh/dh_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_ameth.c,v 1.23 2022/01/20 11:00:34 inoguchi Exp $ */ +/* $OpenBSD: dh_ameth.c,v 1.28 2023/04/17 05:57:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -64,9 +64,9 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" #include "dh_local.h" -#include "evp_locl.h" +#include "evp_local.h" static void int_dh_free(EVP_PKEY *pkey) 
@@ -177,7 +177,7 @@ err: /* * PKCS#8 DH is defined in PKCS#11 of all places. It is similar to DH in - * that the AlgorithmIdentifier contains the paramaters, the private key + * that the AlgorithmIdentifier contains the parameters, the private key * is explcitly included and the pubkey must be recalculated. */ @@ -397,6 +397,12 @@ dh_bits(const EVP_PKEY *pkey) return BN_num_bits(pkey->pkey.dh->p); } +static int +dh_security_bits(const EVP_PKEY *pkey) +{ + return DH_security_bits(pkey->pkey.dh); +} + static int dh_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b) { @@ -468,6 +474,24 @@ DHparams_print(BIO *bp, const DH *x) return do_dh_print(bp, x, 4, NULL, 0); } +int +DHparams_print_fp(FILE *fp, const DH *x) +{ + BIO *b; + int ret; + + if ((b = BIO_new(BIO_s_file())) == NULL) { + DHerror(ERR_R_BUF_LIB); + return 0; + } + + BIO_set_fp(b, fp, BIO_NOCLOSE); + ret = DHparams_print(b, x); + BIO_free(b); + + return ret; +} + static int dh_pkey_public_check(const EVP_PKEY *pkey) { @@ -512,6 +536,7 @@ const EVP_PKEY_ASN1_METHOD dh_asn1_meth = { .pkey_size = int_dh_size, .pkey_bits = dh_bits, + .pkey_security_bits = dh_security_bits, .param_decode = dh_param_decode, .param_encode = dh_param_encode, diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c index 1d20952..9bbbd55 100644 --- a/crypto/dh/dh_check.c +++ b/crypto/dh/dh_check.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_check.c,v 1.24 2022/01/10 12:00:52 tb Exp $ */ +/* $OpenBSD: dh_check.c,v 1.26 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,7 +62,7 @@ #include #include -#include "bn_lcl.h" +#include "bn_local.h" #include "dh_local.h" #define DH_NUMBER_ITERATIONS_FOR_PRIME 64 
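Review bot: The new DHparams_print_fp ignores the result of `BIO_set_fp(b, fp, BIO_NOCLOSE)`, so if attaching the FILE fails DHparams_print runs on a file BIO with nothing behind it and the caller only sees a generic failure. Mirroring the error path already used for BIO_new, `if (BIO_set_fp(b, fp, BIO_NOCLOSE) <= 0) { BIO_free(b); return 0; }`, keeps the two failure modes consistent. If the other *_print_fp helpers in this tree deliberately leave the call unchecked for symmetry, a short comment saying so would do instead.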
@@ -269,9 +269,7 @@ DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *flags) *flags |= DH_CHECK_PUBKEY_TOO_SMALL; /* max_pub_key = dh->p - 1 */ - if (BN_copy(max_pub_key, dh->p) == NULL) - goto err; - if (!BN_sub_word(max_pub_key, 1)) + if (!BN_sub(max_pub_key, dh->p, BN_value_one())) goto err; if (BN_cmp(pub_key, max_pub_key) >= 0) diff --git a/crypto/dh/dh_depr.c b/crypto/dh/dh_depr.c deleted file mode 100644 index 717482c..0000000 --- a/crypto/dh/dh_depr.c +++ /dev/null 
@@ -1,85 +0,0 @@ -/* $OpenBSD: dh_depr.c,v 1.7 2021/12/04 16:08:32 tb Exp $ */ -/* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* This file contains deprecated functions as wrappers to the new ones */ - -#include - -#include - -#include -#include - -#include "bn_lcl.h" - -#ifndef OPENSSL_NO_DEPRECATED -DH * -DH_generate_parameters(int prime_len, int generator, - void (*callback)(int, int, void *), void *cb_arg) -{ - BN_GENCB cb; - DH *ret = NULL; - - if ((ret = DH_new()) == NULL) - return NULL; - - BN_GENCB_set_old(&cb, callback, cb_arg); - - if (DH_generate_parameters_ex(ret, prime_len, generator, &cb)) - return ret; - DH_free(ret); - return NULL; -} -#endif diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c index a387c37..db66d68 100644 --- a/crypto/dh/dh_err.c +++ b/crypto/dh/dh_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_err.c,v 1.17 2022/01/10 12:00:52 tb Exp $ */ +/* $OpenBSD: dh_err.c,v 1.18 2022/07/12 14:42:49 kn Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * 
@@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_DH,func,0) diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c index 6b49a28..d51d10d 100644 --- a/crypto/dh/dh_gen.c +++ b/crypto/dh/dh_gen.c @@ -1,25 +1,25 @@ -/* $OpenBSD: dh_gen.c,v 1.17 2022/01/07 09:27:13 tb Exp $ */ +/* $OpenBSD: dh_gen.c,v 1.20 2023/04/13 15:18:29 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,24 +49,20 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ -/* NB: These functions have been upgraded - the previous prototypes are in - * dh_depr.c as wrappers to these ones. - * - Geoff - */ - #include #include #include #include +#include "bn_local.h" #include "dh_local.h" static int dh_builtin_genparams(DH *ret, int prime_len, int generator, @@ -127,7 +123,7 @@ dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb) goto err; if (!ret->g && ((ret->g = BN_new()) == NULL)) goto err; - + if (generator <= 1) { DHerror(DH_R_BAD_GENERATOR); goto err; @@ -159,7 +155,7 @@ dh_builtin_genparams(DH *ret, int prime_len, int generator, BN_GENCB *cb) goto err; g = generator; } - + if (!BN_generate_prime_ex(ret->p, prime_len, 1, t1, t2, cb)) goto err; if (!BN_GENCB_call(cb, 3, 0)) 
@@ -179,3 +175,21 @@ err: } return ok; } + +DH * +DH_generate_parameters(int prime_len, int generator, + void (*callback)(int, int, void *), void *cb_arg) +{ + BN_GENCB cb; + DH *ret = NULL; + + if ((ret = DH_new()) == NULL) + return NULL; + + BN_GENCB_set_old(&cb, callback, cb_arg); + + if (DH_generate_parameters_ex(ret, prime_len, generator, &cb)) + return ret; + DH_free(ret); + return NULL; +} diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index 9242931..89ae5f0 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_key.c,v 1.37 2022/01/07 09:27:13 tb Exp $ */ +/* $OpenBSD: dh_key.c,v 1.38 2022/11/26 16:08:51 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,7 +62,7 @@ #include #include -#include "bn_lcl.h" +#include "bn_local.h" #include "dh_local.h" static int generate_key(DH *dh); diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index d4d0c9d..e5cb464 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_lib.c,v 1.36 2022/01/07 09:27:13 tb Exp $ */ +/* $OpenBSD: dh_lib.c,v 1.38 2023/03/07 09:27:10 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -194,14 +194,14 @@ DH_free(DH *r) CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, r, &r->ex_data); - BN_clear_free(r->p); - BN_clear_free(r->g); - BN_clear_free(r->q); - BN_clear_free(r->j); + BN_free(r->p); + BN_free(r->g); + BN_free(r->q); + BN_free(r->j); free(r->seed); - BN_clear_free(r->counter); - BN_clear_free(r->pub_key); - BN_clear_free(r->priv_key); + BN_free(r->counter); + BN_free(r->pub_key); + BN_free(r->priv_key); free(r); } @@ -245,6 +245,19 @@ DH_bits(const DH *dh) return BN_num_bits(dh->p); } +int +DH_security_bits(const DH *dh) +{ + int N = -1; + + if (dh->q != NULL) + N = BN_num_bits(dh->q); + else if (dh->length > 0) + N = dh->length; + + return BN_security_bits(BN_num_bits(dh->p), N); +} + ENGINE * DH_get0_engine(DH *dh) { 
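Review bot: Replacing BN_clear_free() with BN_free() on r->priv_key in DH_free() drops the explicit zeroing of private key material, and the same substitution appears in DSA_SIG_set0() and in DSA_free() (priv_key, kinv, r) later in this diff. This is only safe if BN_free() in this tree already scrubs the limbs before releasing them, which nothing in the diff shows. If that is the case, a one-line comment at the first replaced call, `/* BN_free() zeroes before freeing, so BN_clear_free() is not needed. */`, would record the assumption for later readers; if it is not, the priv_key, kinv and r calls should keep BN_clear_free().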
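Review bot: DH_security_bits() passes dh->p to BN_num_bits() without a NULL check, whereas DSA_security_bits() added in this same diff returns -1 when p or q is missing. On a DH whose parameters have not been set this dereferences NULL; a guard before the computation, `if (dh->p == NULL) return -1;`, would match the DSA side. The pre-existing DH_bits() directly above has the same pattern, but the new function is the one to get right here.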
diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c index d2052a8..7a598da 100644 --- a/crypto/dh/dh_pmeth.c +++ b/crypto/dh/dh_pmeth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_pmeth.c,v 1.12 2022/01/07 09:27:13 tb Exp $ */ +/* $OpenBSD: dh_pmeth.c,v 1.13 2022/11/26 16:08:51 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -67,9 +67,9 @@ #include #include -#include "bn_lcl.h" +#include "bn_local.h" #include "dh_local.h" -#include "evp_locl.h" +#include "evp_local.h" /* DH pkey context structure */ diff --git a/crypto/dh/dh_prn.c b/crypto/dh/dh_prn.c deleted file mode 100644 index 56a96f8..0000000 --- a/crypto/dh/dh_prn.c +++ /dev/null 
@@ -1,79 +0,0 @@ -/* $OpenBSD: dh_prn.c,v 1.6 2017/01/29 17:49:22 beck Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). 
- * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include - -#include -#include -#include - -int -DHparams_print_fp(FILE *fp, const DH *x) -{ - BIO *b; - int ret; - - if ((b = BIO_new(BIO_s_file())) == NULL) { - DHerror(ERR_R_BUF_LIB); - return 0; - } - BIO_set_fp(b,fp,BIO_NOCLOSE); - ret = DHparams_print(b, x); - BIO_free(b); - return ret; -} diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index 9b8f09d..f282caa 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_ameth.c,v 1.35 2022/04/07 17:38:24 tb Exp $ */ +/* $OpenBSD: dsa_ameth.c,v 1.42 2023/03/04 21:42:49 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ 
@@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -67,10 +67,10 @@ #include #include -#include "asn1_locl.h" -#include "bn_lcl.h" -#include "dsa_locl.h" -#include "evp_locl.h" +#include "asn1_local.h" +#include "bn_local.h" +#include "dsa_local.h" +#include "evp_local.h" static int dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) @@ -90,7 +90,7 @@ dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) X509_ALGOR_get0(NULL, &ptype, &pval, palg); if (ptype == V_ASN1_SEQUENCE) { - pstr = pval; + pstr = pval; pm = pstr->data; pmlen = pstr->length; @@ -102,13 +102,13 @@ dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) if (!(dsa = DSA_new())) { DSAerror(ERR_R_MALLOC_FAILURE); goto err; - } + } } else { DSAerror(DSA_R_PARAMETER_ENCODING_ERROR); goto err; } - if (!(public_key=d2i_ASN1_INTEGER(NULL, &p, pklen))) { + if (!(public_key = d2i_ASN1_INTEGER(NULL, &p, pklen))) { DSAerror(DSA_R_DECODE_ERROR); goto err; } @@ -118,6 +118,12 @@ dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) goto err; } + /* We can only check for key consistency if we have parameters. */ + if (ptype == V_ASN1_SEQUENCE) { + if (!dsa_check_key(dsa)) + goto err; + } + ASN1_INTEGER_free(public_key); EVP_PKEY_assign_DSA(pkey, dsa); return 1; @@ -192,7 +198,6 @@ dsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) ASN1_INTEGER *privkey = NULL; BN_CTX *ctx = NULL; DSA *dsa = NULL; - int ret = 0; if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) 
@@ -216,16 +221,24 @@ dsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) DSAerror(DSA_R_BN_ERROR); goto dsaerr; } + + /* Check the key for basic consistency before doing expensive things. */ + if (!dsa_check_key(dsa)) + goto dsaerr; + /* Calculate public key */ if (!(dsa->pub_key = BN_new())) { DSAerror(ERR_R_MALLOC_FAILURE); goto dsaerr; } - if (!(ctx = BN_CTX_new())) { + + if ((ctx = BN_CTX_new()) == NULL) { DSAerror(ERR_R_MALLOC_FAILURE); goto dsaerr; } + BN_CTX_start(ctx); + if (!BN_mod_exp_ct(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) { DSAerror(DSA_R_BN_ERROR); goto dsaerr; @@ -242,8 +255,10 @@ decerr: dsaerr: DSA_free(dsa); done: + BN_CTX_end(ctx); BN_CTX_free(ctx); ASN1_INTEGER_free(privkey); + return ret; } @@ -305,6 +320,12 @@ dsa_bits(const EVP_PKEY *pkey) return BN_num_bits(pkey->pkey.dsa->p); } +static int +dsa_security_bits(const EVP_PKEY *pkey) +{ + return DSA_security_bits(pkey->pkey.dsa); +} + static int dsa_missing_parameters(const EVP_PKEY *pkey) { @@ -434,7 +455,7 @@ do_dsa_print(BIO *bp, const DSA *x, int off, int ptype) ret = 1; err: free(m); - return(ret); + return ret; } static int @@ -446,6 +467,10 @@ dsa_param_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) DSAerror(ERR_R_DSA_LIB); return 0; } + if (!dsa_check_key(dsa)) { + DSA_free(dsa); + return 0; + } EVP_PKEY_assign_DSA(pkey, dsa); return 1; } 
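Review bot: The `BN_CTX_end(ctx);` added at `done:` in the -242 hunk runs on every exit, including the `goto decerr`/`goto dsaerr` jumps taken before `BN_CTX_new()` in this hunk, so ctx is NULL on those paths; the `err:` label of old_dsa_priv_decode() further down gets the same shape. The dsa_gen.c hunk in this diff removes an `if (ctx)` guard around BN_CTX_end(), which suggests the tree's BN_CTX_end() accepts NULL, but nothing here states it. A short comment at `done:`, `/* ctx may be NULL on early-error paths; BN_CTX_end() and BN_CTX_free() tolerate that. */`, would make the dependency explicit. Separately, `return ret;` is added at `done:` while the -192 hunk removes `int ret = 0;`; presumably the declaration survives elsewhere in the function, whose start is outside this hunk, but it is worth confirming.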
@@ -479,56 +504,34 @@ old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) { DSA *dsa; BN_CTX *ctx = NULL; - BIGNUM *j, *p1, *newp1, *powg; - int qbits; + BIGNUM *result; - if (!(dsa = d2i_DSAPrivateKey(NULL, pder, derlen))) { + if ((dsa = d2i_DSAPrivateKey(NULL, pder, derlen)) == NULL) { DSAerror(ERR_R_DSA_LIB); - return 0; - } - - /* FIPS 186-3 allows only three different sizes for q. */ - qbits = BN_num_bits(dsa->q); - if (qbits != 160 && qbits != 224 && qbits != 256) { - DSAerror(DSA_R_BAD_Q_VALUE); - goto err; - } - if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) { - DSAerror(DSA_R_MODULUS_TOO_LARGE); goto err; } - /* Check that 1 < g < p. */ - if (BN_cmp(dsa->g, BN_value_one()) <= 0 || - BN_cmp(dsa->g, dsa->p) >= 0) { - DSAerror(DSA_R_PARAMETER_ENCODING_ERROR); /* XXX */ + if (!dsa_check_key(dsa)) goto err; - } - ctx = BN_CTX_new(); - if (ctx == NULL) + if ((ctx = BN_CTX_new()) == NULL) + goto err; + + BN_CTX_start(ctx); + + if ((result = BN_CTX_get(ctx)) == NULL) goto err; /* - * Check that p and q are consistent with each other. + * Check that p and q are consistent with each other. dsa_check_key() + * ensures that 1 < q < p. Now check that q divides p - 1. */ - j = BN_CTX_get(ctx); - p1 = BN_CTX_get(ctx); - newp1 = BN_CTX_get(ctx); - powg = BN_CTX_get(ctx); - if (j == NULL || p1 == NULL || newp1 == NULL || powg == NULL) + if (!BN_sub(result, dsa->p, BN_value_one())) goto err; - /* p1 = p - 1 */ - if (BN_sub(p1, dsa->p, BN_value_one()) == 0) + if (!BN_mod_ct(result, result, dsa->q, ctx)) goto err; - /* j = (p - 1) / q */ - if (BN_div_ct(j, NULL, p1, dsa->q, ctx) == 0) - goto err; - /* q * j should == p - 1 */ - if (BN_mul(newp1, dsa->q, j, ctx) == 0) - goto err; - if (BN_cmp(newp1, p1) != 0) { + if (!BN_is_zero(result)) { DSAerror(DSA_R_BAD_Q_VALUE); goto err; } 
@@ -539,10 +542,10 @@ old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) * Once we know that q is prime, this is enough. */ - if (!BN_mod_exp_ct(powg, dsa->g, dsa->q, dsa->p, ctx)) + if (!BN_mod_exp_ct(result, dsa->g, dsa->q, dsa->p, ctx)) goto err; - if (BN_cmp(powg, BN_value_one()) != 0) { - DSAerror(DSA_R_PARAMETER_ENCODING_ERROR); /* XXX */ + if (BN_cmp(result, BN_value_one()) != 0) { + DSAerror(DSA_R_INVALID_PARAMETERS); goto err; } @@ -555,12 +558,14 @@ old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) goto err; } + BN_CTX_end(ctx); BN_CTX_free(ctx); EVP_PKEY_assign_DSA(pkey, dsa); return 1; err: + BN_CTX_end(ctx); BN_CTX_free(ctx); DSA_free(dsa); return 0; @@ -633,7 +638,7 @@ dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) return -1; if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) - return -1; + return -1; X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); } @@ -716,6 +721,7 @@ const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[] = { .pkey_size = int_dsa_size, .pkey_bits = dsa_bits, + .pkey_security_bits = dsa_security_bits, .param_decode = dsa_param_decode, .param_encode = dsa_param_encode, diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c index daa970e..70a826c 100644 --- a/crypto/dsa/dsa_asn1.c +++ b/crypto/dsa/dsa_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_asn1.c,v 1.24 2022/01/14 08:29:06 tb Exp $ */ +/* $OpenBSD: dsa_asn1.c,v 1.30 2023/03/25 09:09:28 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in 
@@ -61,10 +61,11 @@ #include #include +#include #include #include -#include "dsa_locl.h" +#include "dsa_local.h" /* Override the default new methods */ static int @@ -97,14 +98,14 @@ static const ASN1_TEMPLATE DSA_SIG_seq_tt[] = { .tag = 0, .offset = offsetof(DSA_SIG, r), .field_name = "r", - .item = &CBIGNUM_it, + .item = &BIGNUM_it, }, { .flags = 0, .tag = 0, .offset = offsetof(DSA_SIG, s), .field_name = "s", - .item = &CBIGNUM_it, + .item = &BIGNUM_it, }, }; @@ -147,9 +148,9 @@ DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) if (r == NULL || s == NULL) return 0; - BN_clear_free(sig->r); + BN_free(sig->r); sig->r = r; - BN_clear_free(sig->s); + BN_free(sig->s); sig->s = s; return 1; @@ -399,18 +400,27 @@ DSAparams_dup(DSA *dsa) int DSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, - unsigned int *siglen, DSA *dsa) + unsigned int *out_siglen, DSA *dsa) { DSA_SIG *s; + int siglen; + int ret = 0; - s = DSA_do_sign(dgst, dlen, dsa); - if (s == NULL) { - *siglen = 0; - return 0; - } - *siglen = i2d_DSA_SIG(s,&sig); + *out_siglen = 0; + + if ((s = DSA_do_sign(dgst, dlen, dsa)) == NULL) + goto err; + + if ((siglen = i2d_DSA_SIG(s, &sig)) < 0) + goto err; + + *out_siglen = siglen; + + ret = 1; + err: DSA_SIG_free(s); - return 1; + + return ret; } /* 
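Review bot: In DSA_sign() the rewritten `i2d_DSA_SIG(s, &sig)` hands i2d the local copy of the caller's sig pointer, so a NULL sig makes i2d allocate a buffer that is neither returned nor freed, and a non-NULL sig is written with no length bound; neither contract is stated. If NULL is unsupported, reject it up front with `if (sig == NULL) goto err;` and document that sig must provide at least DSA_size(dsa) bytes (DSA_size() is itself reworked later in this diff). The success path otherwise reads correctly: *out_siglen is cleared first and only set once i2d has succeeded.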
@@ -424,24 +434,26 @@ int DSA_verify(int type, const unsigned char *dgst, int dgst_len, const unsigned char *sigbuf, int siglen, DSA *dsa) { - DSA_SIG *s; + DSA_SIG *s = NULL; unsigned char *der = NULL; - const unsigned char *p = sigbuf; - int derlen = -1; + const unsigned char *p; int ret = -1; - s = DSA_SIG_new(); - if (s == NULL) - return ret; - if (d2i_DSA_SIG(&s, &p, siglen) == NULL) + p = sigbuf; + if ((s = d2i_DSA_SIG(NULL, &p, siglen)) == NULL) goto err; + /* Ensure signature uses DER and doesn't have trailing garbage */ - derlen = i2d_DSA_SIG(s, &der); - if (derlen != siglen || memcmp(sigbuf, der, derlen)) + if (i2d_DSA_SIG(s, &der) != siglen) goto err; + + if (memcmp(der, sigbuf, siglen) != 0) + goto err; + ret = DSA_do_verify(dgst, dgst_len, s, dsa); -err: - freezero(der, derlen); + err: + free(der); DSA_SIG_free(s); + return ret; } diff --git a/crypto/dsa/dsa_depr.c b/crypto/dsa/dsa_depr.c deleted file mode 100644 index 673e700..0000000 --- a/crypto/dsa/dsa_depr.c +++ /dev/null 
@@ -1,94 +0,0 @@ -/* $OpenBSD: dsa_depr.c,v 1.8 2021/12/04 16:08:32 tb Exp $ */ -/* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* This file contains deprecated function(s) that are now wrappers to the new - * version(s). */ - -#include -#include - -#include - -#ifndef OPENSSL_NO_SHA - -#include -#include -#include -#include - -#include "bn_lcl.h" - -#ifndef OPENSSL_NO_DEPRECATED -DSA * -DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, - int *counter_ret, unsigned long *h_ret, void (*callback)(int, int, void *), - void *cb_arg) -{ - BN_GENCB cb; - DSA *ret; - - if ((ret = DSA_new()) == NULL) - return NULL; - - BN_GENCB_set_old(&cb, callback, cb_arg); - - if (DSA_generate_parameters_ex(ret, bits, seed_in, seed_len, - counter_ret, h_ret, &cb)) - return ret; - DSA_free(ret); - return NULL; -} -#endif -#endif diff --git a/crypto/dsa/dsa_err.c b/crypto/dsa/dsa_err.c index 2dcddcb..8f105a8 100644 --- a/crypto/dsa/dsa_err.c +++ b/crypto/dsa/dsa_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_err.c,v 1.15 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: dsa_err.c,v 1.18 2023/03/04 20:47:04 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * 
@@ -7,7 +7,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSA,func,0) @@ -84,6 +78,7 @@ static ERR_STRING_DATA DSA_str_reasons[]= {ERR_REASON(DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE),"data too large for key size"}, {ERR_REASON(DSA_R_DECODE_ERROR) ,"decode error"}, {ERR_REASON(DSA_R_INVALID_DIGEST_TYPE) ,"invalid digest type"}, +{ERR_REASON(DSA_R_INVALID_PARAMETERS) ,"invalid parameters"}, {ERR_REASON(DSA_R_MISSING_PARAMETERS) ,"missing parameters"}, {ERR_REASON(DSA_R_MODULUS_TOO_LARGE) ,"modulus too large"}, {ERR_REASON(DSA_R_NEED_NEW_SETUP_VALUES) ,"need new setup values"}, diff --git a/crypto/dsa/dsa_gen.c b/crypto/dsa/dsa_gen.c index b6bbb8a..4a16278 100644 --- a/crypto/dsa/dsa_gen.c +++ b/crypto/dsa/dsa_gen.c 
@@ -1,25 +1,25 @@ -/* $OpenBSD: dsa_gen.c,v 1.24 2017/01/21 10:38:29 beck Exp $ */ +/* $OpenBSD: dsa_gen.c,v 1.29 2023/04/13 14:58:27 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -68,8 +68,8 @@ #include #include -#include "bn_lcl.h" -#include "dsa_locl.h" +#include "bn_local.h" +#include "dsa_local.h" int DSA_generate_parameters_ex(DSA *ret, int bits, const unsigned char *seed_in, @@ -135,18 +135,19 @@ dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd, * App. 2.2 of FIPS PUB 186 allows larger SEED, * but our internal buffers are restricted to 160 bits */ - if (seed_len > (size_t)qsize) + if (seed_len > (size_t)qsize) seed_len = qsize; if (seed_in != NULL) memcpy(seed, seed_in, seed_len); else if (seed_len != 0) goto err; - if ((mont=BN_MONT_CTX_new()) == NULL) + if ((mont = BN_MONT_CTX_new()) == NULL) goto err; - if ((ctx=BN_CTX_new()) == NULL) + if ((ctx = BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); if ((r0 = BN_CTX_get(ctx)) == NULL) 
@@ -263,7 +264,7 @@ dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, const EVP_MD *evpmd, /* more of step 8 */ if (!BN_mask_bits(W, bits - 1)) goto err; - if (!BN_copy(X, W)) + if (!bn_copy(X, W)) goto err; if (!BN_add(X, X, test)) goto err; @@ -348,11 +349,31 @@ err: if (seed_out != NULL) memcpy(seed_out, seed, qsize); } - if (ctx) { - BN_CTX_end(ctx); - BN_CTX_free(ctx); - } + BN_CTX_end(ctx); + BN_CTX_free(ctx); BN_MONT_CTX_free(mont); + return ok; } + +DSA * +DSA_generate_parameters(int bits, unsigned char *seed_in, int seed_len, + int *counter_ret, unsigned long *h_ret, void (*callback)(int, int, void *), + void *cb_arg) +{ + BN_GENCB cb; + DSA *ret; + + if ((ret = DSA_new()) == NULL) + return NULL; + + BN_GENCB_set_old(&cb, callback, cb_arg); + + if (DSA_generate_parameters_ex(ret, bits, seed_in, seed_len, + counter_ret, h_ret, &cb)) + return ret; + DSA_free(ret); + return NULL; +} + #endif diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index a5053ec..890f991 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c 
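Review bot: DSA_generate_parameters() is re-added here as an unconditional definition, whereas the copy deleted from dsa_depr.c earlier in this diff sat under `#ifndef OPENSSL_NO_DEPRECATED`; the `#endif` following it is pre-existing context, not a deprecation guard. If dropping the guard is intended, a comment above the function, `/* Deprecated: wrapper around DSA_generate_parameters_ex(). */`, would explain why a deprecated entry point now lives next to the builtin generator. The same applies to DH_generate_parameters() added to dh_gen.c in this diff.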
@@ -1,25 +1,25 @@ -/* $OpenBSD: dsa_key.c,v 1.30 2022/01/07 09:35:36 tb Exp $ */ +/* $OpenBSD: dsa_key.c,v 1.33 2023/01/11 04:35:26 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -66,8 +66,8 @@ #include #include -#include "bn_lcl.h" -#include "dsa_locl.h" +#include "bn_local.h" +#include "dsa_local.h" static int dsa_builtin_keygen(DSA *dsa); 
@@ -82,39 +82,38 @@ DSA_generate_key(DSA *dsa) static int dsa_builtin_keygen(DSA *dsa) { - int ok = 0; - BN_CTX *ctx = NULL; BIGNUM *pub_key = NULL, *priv_key = NULL; + BN_CTX *ctx = NULL; + int ok = 0; + + if ((priv_key = BN_new()) == NULL) + goto err; + if ((pub_key = BN_new()) == NULL) + goto err; if ((ctx = BN_CTX_new()) == NULL) goto err; - if ((priv_key = dsa->priv_key) == NULL) { - if ((priv_key = BN_new()) == NULL) - goto err; - } - if (!bn_rand_interval(priv_key, BN_value_one(), dsa->q)) goto err; - - if ((pub_key = dsa->pub_key) == NULL) { - if ((pub_key = BN_new()) == NULL) - goto err; - } - if (!BN_mod_exp_ct(pub_key, dsa->g, priv_key, dsa->p, ctx)) goto err; + BN_free(dsa->priv_key); dsa->priv_key = priv_key; + priv_key = NULL; + + BN_free(dsa->pub_key); dsa->pub_key = pub_key; + pub_key = NULL; + ok = 1; err: - if (dsa->pub_key == NULL) - BN_free(pub_key); - if (dsa->priv_key == NULL) - BN_free(priv_key); + BN_free(pub_key); + BN_free(priv_key); BN_CTX_free(ctx); + return ok; } #endif diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index 1369c6f..6986f9a 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c 
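Review bot: dsa_builtin_keygen() uses dsa->q in bn_rand_interval() and dsa->g/dsa->p in BN_mod_exp_ct() without checking they are set, while the decoders in this diff now run dsa_check_key() before touching parameters. Unless DSA_generate_key(), whose body is outside this hunk, validates them, a missing parameter dereferences NULL; a guard after the allocations, `if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) goto err;` (raising DSAerror(DSA_R_MISSING_PARAMETERS) as dsa_check_key() does), would close that. The new ownership handling, freeing the old keys only after both new values are computed and nulling the locals before `err:`, reads correctly.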
@@ -1,25 +1,25 @@ -/* $OpenBSD: dsa_lib.c,v 1.34 2022/01/14 08:29:06 tb Exp $ */ +/* $OpenBSD: dsa_lib.c,v 1.42 2023/03/11 15:29:03 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -75,7 +75,7 @@ #endif #include "dh_local.h" -#include "dsa_locl.h" +#include "dsa_local.h" static const DSA_METHOD *default_DSA_method = NULL; @@ -106,18 +106,18 @@ DSA_set_method(DSA *dsa, const DSA_METHOD *meth) * NB: The caller is specifically setting a method, so it's not up to us * to deal with which ENGINE it comes from. */ - const DSA_METHOD *mtmp; - mtmp = dsa->meth; - if (mtmp->finish) + const DSA_METHOD *mtmp; + mtmp = dsa->meth; + if (mtmp->finish) mtmp->finish(dsa); #ifndef OPENSSL_NO_ENGINE ENGINE_finish(dsa->engine); dsa->engine = NULL; #endif - dsa->meth = meth; - if (meth->init) + dsa->meth = meth; + if (meth->init) meth->init(dsa); - return 1; + return 1; } DSA * 
@@ -200,13 +200,13 @@ DSA_free(DSA *r) CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, r, &r->ex_data); - BN_clear_free(r->p); - BN_clear_free(r->q); - BN_clear_free(r->g); - BN_clear_free(r->pub_key); - BN_clear_free(r->priv_key); - BN_clear_free(r->kinv); - BN_clear_free(r->r); + BN_free(r->p); + BN_free(r->q); + BN_free(r->g); + BN_free(r->pub_key); + BN_free(r->priv_key); + BN_free(r->kinv); + BN_free(r->r); free(r); } @@ -220,23 +220,15 @@ DSA_up_ref(DSA *r) int DSA_size(const DSA *r) { - int ret, i; - ASN1_INTEGER bs; - unsigned char buf[4]; /* 4 bytes looks really small. - However, i2d_ASN1_INTEGER() will not look - beyond the first byte, as long as the second - parameter is NULL. */ + DSA_SIG signature; + int ret = 0; - i = BN_num_bits(r->q); - bs.length = (i + 7) / 8; - bs.data = buf; - bs.type = V_ASN1_INTEGER; - /* If the top bit is set the asn1 encoding is 1 larger. */ - buf[0] = 0xff; + signature.r = r->q; + signature.s = r->q; + + if ((ret = i2d_DSA_SIG(&signature, NULL)) < 0) + ret = 0; - i = i2d_ASN1_INTEGER(&bs, NULL); - i += i; /* r and s */ - ret = ASN1_object_size(1, i, V_ASN1_SEQUENCE); return ret; } @@ -260,6 +252,15 @@ DSA_get_ex_data(DSA *d, int idx) return CRYPTO_get_ex_data(&d->ex_data, idx); } +int +DSA_security_bits(const DSA *d) +{ + if (d->p == NULL || d->q == NULL) + return -1; + + return BN_security_bits(BN_num_bits(d->p), BN_num_bits(d->q)); +} + #ifndef OPENSSL_NO_DH DH * DSA_dup_DH(const DSA *r) @@ -268,7 +269,7 @@ DSA_dup_DH(const DSA *r) * DSA has p, q, g, optional pub_key, optional priv_key. * DH has p, optional length, g, optional pub_key, optional priv_key, * optional q. - */ + */ DH *ret = NULL; if (r == NULL) @@ -276,7 +277,7 @@ DSA_dup_DH(const DSA *r) ret = DH_new(); if (ret == NULL) goto err; - if (r->p != NULL) + if (r->p != NULL) if ((ret->p = BN_dup(r->p)) == NULL) goto err; if (r->q != NULL) { 
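Review bot: DSA_free now releases priv_key and kinv with BN_free instead of BN_clear_free, so the secret scalar and the cached k^-1 are scrubbed only if this tree's BN_free zeroes the limbs before freeing; if it does not, they remain in freed heap memory. The same substitution is made for kinv in dsa_sign_setup (L780) and for the temporaries of dsa_do_sign (L778), which now come from a BN_CTX. Worth stating the invariant where it is relied on, e.g. `/* BN_free() zeroes the BIGNUM before freeing, so BN_clear_free() is not needed for priv_key/kinv. */`, or restoring BN_clear_free for the two secret fields if that is not guaranteed. Separately, DSA_size now sizes the signature by encoding q twice; a comment saying that r, s < q makes this an upper bound would help the next reader.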
@@ -422,3 +423,76 @@ DSA_bits(const DSA *dsa)
 {
 return BN_num_bits(dsa->p);
 }
+
+int
+dsa_check_key(const DSA *dsa)
+{
+ int p_bits, q_bits;
+
+ if (dsa->p == NULL || dsa->q == NULL || dsa->g == NULL) {
+ DSAerror(DSA_R_MISSING_PARAMETERS);
+ return 0;
+ }
+
+ /* Checking that p and q are primes is expensive. Check they are odd. */
+ if (!BN_is_odd(dsa->p) || !BN_is_odd(dsa->q)) {
+ DSAerror(DSA_R_INVALID_PARAMETERS);
+ return 0;
+ }
+
+ /* FIPS 186-4: 1 < g < p. */
+ if (BN_cmp(dsa->g, BN_value_one()) <= 0 ||
+ BN_cmp(dsa->g, dsa->p) >= 0) {
+ DSAerror(DSA_R_INVALID_PARAMETERS);
+ return 0;
+ }
+
+ /* We know p and g are positive. The next two checks imply q > 0. */
+ if (BN_is_negative(dsa->q)) {
+ DSAerror(DSA_R_BAD_Q_VALUE);
+ return 0;
+ }
+
+ /* FIPS 186-4 only allows three sizes for q. */
+ q_bits = BN_num_bits(dsa->q);
+ if (q_bits != 160 && q_bits != 224 && q_bits != 256) {
+ DSAerror(DSA_R_BAD_Q_VALUE);
+ return 0;
+ }
+
+ /*
+ * XXX - FIPS 186-4 only allows 1024, 2048, and 3072 bits for p.
+ * Cap the size to reduce DoS risks. Poor defaults make keys with
+ * incorrect p sizes >= 512 bits common, so only enforce a weak
+ * lower bound.
+ */
+ p_bits = BN_num_bits(dsa->p);
+ if (p_bits > OPENSSL_DSA_MAX_MODULUS_BITS) {
+ DSAerror(DSA_R_MODULUS_TOO_LARGE);
+ return 0;
+ }
+ if (p_bits < 512) {
+ DSAerror(DSA_R_INVALID_PARAMETERS);
+ return 0;
+ }
+
+ /* The public key must be in the multiplicative group (mod p). */
+ if (dsa->pub_key != NULL) {
+ if (BN_cmp(dsa->pub_key, BN_value_one()) <= 0 ||
+ BN_cmp(dsa->pub_key, dsa->p) >= 0) {
+ DSAerror(DSA_R_INVALID_PARAMETERS);
+ return 0;
+ }
+ }
+
+ /* The private key must be nonzero and in GF(q). */
+ if (dsa->priv_key != NULL) {
+ if (BN_cmp(dsa->priv_key, BN_value_one()) < 0 ||
+ BN_cmp(dsa->priv_key, dsa->q) >= 0) {
+ DSAerror(DSA_R_INVALID_PARAMETERS);
+ return 0;
+ }
+ }
+
+ return 1;
+}
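Review bot: dsa_check_key has no header comment stating what it deliberately leaves unchecked, and since it now gates every sign and verify (L777, L779, L781) a return of 1 reads as "the parameters are valid". It does not check that q divides p - 1, that g has order q, or that pub_key equals g^priv_key mod p, and p is only bounded below at 512 bits rather than the FIPS sizes; a parameter set that passes these cheap checks is exactly what the DSA_MAX_SIGN_ITERATIONS cap in dsa_do_sign (L777) guards against. Suggest above the function: `/* Cheap structural checks only: presence, parity, sizes and ranges of p, q, g, pub_key and priv_key. Does not check primality, q | p - 1, the order of g, or that pub_key matches priv_key. */`. The comment on the q sign check could also say that p and g are known positive because of the preceding 1 < g < p test.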
diff --git a/crypto/dsa/dsa_locl.h b/crypto/dsa/dsa_local.h similarity index 97% rename from crypto/dsa/dsa_locl.h rename to crypto/dsa/dsa_local.h index 299c67a..a413db9 100644 --- a/crypto/dsa/dsa_locl.h +++ b/crypto/dsa/dsa_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_locl.h,v 1.5 2022/01/14 08:29:06 tb Exp $ */ +/* $OpenBSD: dsa_local.h,v 1.2 2023/03/04 20:54:52 tb Exp $ */ /* ==================================================================== * Copyright (c) 2007 The OpenSSL Project. All rights reserved. * @@ -63,7 +63,7 @@ struct DSA_SIG_st { } /* DSA_SIG */; struct dsa_method { - const char *name; + char *name; DSA_SIG *(*dsa_do_sign)(const unsigned char *dgst, int dlen, DSA *dsa); int (*dsa_sign_setup)(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); @@ -115,4 +115,6 @@ int dsa_builtin_paramgen(DSA *ret, size_t bits, size_t qbits, unsigned char *seed_out, int *counter_ret, unsigned long *h_ret, BN_GENCB *cb); +int dsa_check_key(const DSA *dsa); + __END_HIDDEN_DECLS diff --git a/crypto/dsa/dsa_meth.c b/crypto/dsa/dsa_meth.c index f8ed035..392afb8 100644 --- a/crypto/dsa/dsa_meth.c +++ b/crypto/dsa/dsa_meth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_meth.c,v 1.2 2022/01/07 09:35:36 tb Exp $ */ +/* $OpenBSD: dsa_meth.c,v 1.6 2022/11/26 16:08:52 tb Exp $ */ /* * Copyright (c) 2018 Theo Buehler * @@ -21,7 +21,7 @@ #include #include -#include "dsa_locl.h" +#include "dsa_local.h" DSA_METHOD * DSA_meth_new(const char *name, int flags) @@ -42,10 +42,11 @@ DSA_meth_new(const char *name, int flags) void DSA_meth_free(DSA_METHOD *meth) { - if (meth != NULL) { - free((char *)meth->name); - free(meth); - } + if (meth == NULL) + return; + + free(meth->name); + free(meth); } DSA_METHOD * 
@@ -60,10 +61,32 @@ DSA_meth_dup(const DSA_METHOD *meth) free(copy); return NULL; } - + return copy; } +const char * +DSA_meth_get0_name(const DSA_METHOD *meth) +{ + return meth->name; +} + +int +DSA_meth_set1_name(DSA_METHOD *meth, const char *name) +{ + char *new_name; + + if ((new_name = strdup(name)) == NULL) { + DSAerror(ERR_R_MALLOC_FAILURE); + return 0; + } + + free(meth->name); + meth->name = new_name; + + return 1; +} + int DSA_meth_set_sign(DSA_METHOD *meth, DSA_SIG *(*sign)(const unsigned char *, int, DSA *)) diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index c306fc2..b69cf1a 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c 
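Review bot: DSA_meth_set1_name passes name straight to strdup, so a NULL name is undefined behaviour rather than a failure return; a public setter is a likely place to receive NULL, and the error path only covers allocation failure. A guard before the copy, `if (name == NULL) return 0;`, or a comment stating that name must be non-NULL, would make the contract explicit; DSA_meth_new (outside this hunk) presumably has the same expectation and should match. DSA_meth_get0_name likewise dereferences meth unconditionally, which is fine if that matches the other DSA_meth_* accessors but is worth one line of documentation.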
@@ -1,25 +1,25 @@ -/* $OpenBSD: dsa_ossl.c,v 1.44 2022/02/24 08:35:45 tb Exp $ */ +/* $OpenBSD: dsa_ossl.c,v 1.51 2023/03/27 10:25:02 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -66,8 +66,8 @@ #include #include -#include "bn_lcl.h" -#include "dsa_locl.h" +#include "bn_local.h" +#include "dsa_local.h" static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, 
@@ -92,31 +92,49 @@ DSA_OpenSSL(void) return &openssl_dsa_meth; } +/* + * Since DSA parameters are entirely arbitrary and checking them to be + * consistent is very expensive, we cannot do so on every sign operation. + * Instead, cap the number of retries so we do not loop indefinitely if + * the generator of the multiplicative group happens to be nilpotent. + * The probability of needing a retry with valid parameters is negligible, + * so trying 32 times is amply enough. + */ +#define DSA_MAX_SIGN_ITERATIONS 32 + static DSA_SIG * dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { - BIGNUM b, bm, bxr, binv, m, *kinv = NULL, *r = NULL, *s = NULL; + BIGNUM *b = NULL, *bm = NULL, *bxr = NULL, *binv = NULL, *m = NULL; + BIGNUM *kinv = NULL, *r = NULL, *s = NULL; BN_CTX *ctx = NULL; int reason = ERR_R_BN_LIB; DSA_SIG *ret = NULL; + int attempts = 0; int noredo = 0; - BN_init(&b); - BN_init(&binv); - BN_init(&bm); - BN_init(&bxr); - BN_init(&m); - - if (!dsa->p || !dsa->q || !dsa->g) { - reason = DSA_R_MISSING_PARAMETERS; + if (!dsa_check_key(dsa)) { + reason = DSA_R_INVALID_PARAMETERS; goto err; } - s = BN_new(); - if (s == NULL) + if ((s = BN_new()) == NULL) goto err; - ctx = BN_CTX_new(); - if (ctx == NULL) + + if ((ctx = BN_CTX_new()) == NULL) + goto err; + + BN_CTX_start(ctx); + + if ((b = BN_CTX_get(ctx)) == NULL) + goto err; + if ((binv = BN_CTX_get(ctx)) == NULL) + goto err; + if ((bm = BN_CTX_get(ctx)) == NULL) + goto err; + if ((bxr = BN_CTX_get(ctx)) == NULL) + goto err; + if ((m = BN_CTX_get(ctx)) == NULL) goto err; /* @@ -126,7 +144,7 @@ dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) */ if (dlen > BN_num_bytes(dsa->q)) dlen = BN_num_bytes(dsa->q); - if (BN_bin2bn(dgst, dlen, &m) == NULL) + if (BN_bin2bn(dgst, dlen, m) == NULL) goto err; redo: 
@@ -153,22 +171,22 @@ dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) * * Where b is a random value in the range [1, q). */ - if (!bn_rand_interval(&b, BN_value_one(), dsa->q)) + if (!bn_rand_interval(b, BN_value_one(), dsa->q)) goto err; - if (BN_mod_inverse_ct(&binv, &b, dsa->q, ctx) == NULL) + if (BN_mod_inverse_ct(binv, b, dsa->q, ctx) == NULL) goto err; - if (!BN_mod_mul(&bxr, &b, dsa->priv_key, dsa->q, ctx)) /* bx */ + if (!BN_mod_mul(bxr, b, dsa->priv_key, dsa->q, ctx)) /* bx */ goto err; - if (!BN_mod_mul(&bxr, &bxr, r, dsa->q, ctx)) /* bxr */ + if (!BN_mod_mul(bxr, bxr, r, dsa->q, ctx)) /* bxr */ goto err; - if (!BN_mod_mul(&bm, &b, &m, dsa->q, ctx)) /* bm */ + if (!BN_mod_mul(bm, b, m, dsa->q, ctx)) /* bm */ goto err; - if (!BN_mod_add(s, &bxr, &bm, dsa->q, ctx)) /* s = bm + bxr */ + if (!BN_mod_add(s, bxr, bm, dsa->q, ctx)) /* s = bm + bxr */ goto err; if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) /* s = b(m + xr)k^-1 */ goto err; - if (!BN_mod_mul(s, s, &binv, dsa->q, ctx)) /* s = (m + xr)k^-1 */ + if (!BN_mod_mul(s, s, binv, dsa->q, ctx)) /* s = (m + xr)k^-1 */ goto err; /* @@ -180,6 +198,10 @@ dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) reason = DSA_R_NEED_NEW_SETUP_VALUES; goto err; } + if (++attempts > DSA_MAX_SIGN_ITERATIONS) { + reason = DSA_R_INVALID_PARAMETERS; + goto err; + } goto redo; } @@ -189,20 +211,16 @@ dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) } ret->r = r; ret->s = s; - + err: if (!ret) { DSAerror(reason); BN_free(r); BN_free(s); } + BN_CTX_end(ctx); BN_CTX_free(ctx); - BN_clear_free(&b); - BN_clear_free(&bm); - BN_clear_free(&bxr); - BN_clear_free(&binv); - BN_clear_free(&m); - BN_clear_free(kinv); + BN_free(kinv); return ret; } 
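Review bot: The err label now calls BN_CTX_end(ctx) unconditionally, but ctx is still NULL on the early failures earlier in dsa_do_sign (dsa_check_key rejecting the key, BN_new for s, or BN_CTX_new itself failing, all in the hunk at L777), so this is safe only if BN_CTX_end tolerates a NULL argument — confirm against the BN_CTX implementation, or guard it with `if (ctx != NULL) BN_CTX_end(ctx);`. The same pattern is in dsa_sign_setup (L780) and dsa_do_verify (L782). A smaller point: when dsa_check_key fails it has already pushed a specific DSA_R_* reason, and the err path then pushes DSA_R_INVALID_PARAMETERS here (ERR_R_BN_LIB in L780 and L782) on top of it, so the informative reason is no longer at the top of the error stack; skipping the second push when the key check failed would keep it visible.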
@@ -210,39 +228,42 @@ dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { - BN_CTX *ctx; - BIGNUM k, l, m, *kinv = NULL, *r = NULL; - int q_bits, ret = 0; + BIGNUM *k = NULL, *l = NULL, *m = NULL, *kinv = NULL, *r = NULL; + BN_CTX *ctx = NULL; + int q_bits; + int ret = 0; - if (!dsa->p || !dsa->q || !dsa->g) { - DSAerror(DSA_R_MISSING_PARAMETERS); - return 0; - } - - BN_init(&k); - BN_init(&l); - BN_init(&m); - - if (ctx_in == NULL) { - if ((ctx = BN_CTX_new()) == NULL) - goto err; - } else - ctx = ctx_in; + if (!dsa_check_key(dsa)) + goto err; if ((r = BN_new()) == NULL) goto err; + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + BN_CTX_start(ctx); + + if ((k = BN_CTX_get(ctx)) == NULL) + goto err; + if ((l = BN_CTX_get(ctx)) == NULL) + goto err; + if ((m = BN_CTX_get(ctx)) == NULL) + goto err; + /* Preallocate space */ q_bits = BN_num_bits(dsa->q); - if (!BN_set_bit(&k, q_bits) || - !BN_set_bit(&l, q_bits) || - !BN_set_bit(&m, q_bits)) + if (!BN_set_bit(k, q_bits) || + !BN_set_bit(l, q_bits) || + !BN_set_bit(m, q_bits)) goto err; - if (!bn_rand_interval(&k, BN_value_one(), dsa->q)) + if (!bn_rand_interval(k, BN_value_one(), dsa->q)) goto err; - BN_set_flags(&k, BN_FLG_CONSTTIME); + BN_set_flags(k, BN_FLG_CONSTTIME); if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { if (!BN_MONT_CTX_set_locked(&dsa->method_mont_p, 
@@ -261,21 +282,21 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) * small timing information leakage. We then choose the sum that is * one bit longer than the modulus. * - * TODO: revisit the BN_copy aiming for a memory access agnostic + * TODO: revisit the bn_copy aiming for a memory access agnostic * conditional copy. */ - if (!BN_add(&l, &k, dsa->q) || - !BN_add(&m, &l, dsa->q) || - !BN_copy(&k, BN_num_bits(&l) > q_bits ? &l : &m)) + if (!BN_add(l, k, dsa->q) || + !BN_add(m, l, dsa->q) || + !bn_copy(k, BN_num_bits(l) > q_bits ? l : m)) goto err; if (dsa->meth->bn_mod_exp != NULL) { - if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, &k, dsa->p, ctx, + if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, k, dsa->p, ctx, dsa->method_mont_p)) goto err; } else { - if (!BN_mod_exp_mont_ct(r, dsa->g, &k, dsa->p, ctx, + if (!BN_mod_exp_mont_ct(r, dsa->g, k, dsa->p, ctx, dsa->method_mont_p)) goto err; } @@ -284,13 +305,14 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) goto err; /* Compute part of 's = inv(k) (m + xr) mod q' */ - if ((kinv = BN_mod_inverse_ct(NULL, &k, dsa->q, ctx)) == NULL) + if ((kinv = BN_mod_inverse_ct(NULL, k, dsa->q, ctx)) == NULL) goto err; - BN_clear_free(*kinvp); + BN_free(*kinvp); *kinvp = kinv; kinv = NULL; - BN_clear_free(*rp); + + BN_free(*rp); *rp = r; ret = 1; @@ -298,13 +320,11 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) err: if (!ret) { DSAerror(ERR_R_BN_LIB); - BN_clear_free(r); + BN_free(r); } - if (ctx_in == NULL) + BN_CTX_end(ctx); + if (ctx != ctx_in) BN_CTX_free(ctx); - BN_clear_free(&k); - BN_clear_free(&l); - BN_clear_free(&m); return ret; } 
@@ -312,35 +332,27 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) { - BN_CTX *ctx; - BIGNUM u1, u2, t1; + BIGNUM *u1 = NULL, *u2 = NULL, *t1 = NULL; + BN_CTX *ctx = NULL; BN_MONT_CTX *mont = NULL; int qbits; int ret = -1; - if (!dsa->p || !dsa->q || !dsa->g) { - DSAerror(DSA_R_MISSING_PARAMETERS); - return -1; - } - - /* FIPS 186-3 allows only three different sizes for q. */ - qbits = BN_num_bits(dsa->q); - if (qbits != 160 && qbits != 224 && qbits != 256) { - DSAerror(DSA_R_BAD_Q_VALUE); - return -1; - } - if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) { - DSAerror(DSA_R_MODULUS_TOO_LARGE); - return -1; - } - - BN_init(&u1); - BN_init(&u2); - BN_init(&t1); + if (!dsa_check_key(dsa)) + goto err; if ((ctx = BN_CTX_new()) == NULL) goto err; + BN_CTX_start(ctx); + + if ((u1 = BN_CTX_get(ctx)) == NULL) + goto err; + if ((u2 = BN_CTX_get(ctx)) == NULL) + goto err; + if ((t1 = BN_CTX_get(ctx)) == NULL) + goto err; + if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || BN_ucmp(sig->r, dsa->q) >= 0) { ret = 0; 
@@ -353,26 +365,27 @@ dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) } /* Calculate w = inv(s) mod q, saving w in u2. */ - if ((BN_mod_inverse_ct(&u2, sig->s, dsa->q, ctx)) == NULL) + if ((BN_mod_inverse_ct(u2, sig->s, dsa->q, ctx)) == NULL) goto err; /* * If the digest length is greater than the size of q use the - * BN_num_bits(dsa->q) leftmost bits of the digest, see FIPS 186-3, 4.2. + * BN_num_bits(dsa->q) leftmost bits of the digest, see FIPS 186-4, 4.2. */ + qbits = BN_num_bits(dsa->q); if (dgst_len > (qbits >> 3)) dgst_len = (qbits >> 3); /* Save m in u1. */ - if (BN_bin2bn(dgst, dgst_len, &u1) == NULL) + if (BN_bin2bn(dgst, dgst_len, u1) == NULL) goto err; /* u1 = m * w mod q */ - if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx)) + if (!BN_mod_mul(u1, u1, u2, dsa->q, ctx)) goto err; /* u2 = r * w mod q */ - if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx)) + if (!BN_mod_mul(u2, sig->r, u2, dsa->q, ctx)) goto err; if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { @@ -383,30 +396,27 @@ dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) } if (dsa->meth->dsa_mod_exp != NULL) { - if (!dsa->meth->dsa_mod_exp(dsa, &t1, dsa->g, &u1, dsa->pub_key, - &u2, dsa->p, ctx, mont)) + if (!dsa->meth->dsa_mod_exp(dsa, t1, dsa->g, u1, dsa->pub_key, + u2, dsa->p, ctx, mont)) goto err; } else { - if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, + if (!BN_mod_exp2_mont(t1, dsa->g, u1, dsa->pub_key, u2, dsa->p, ctx, mont)) goto err; } - /* BN_copy(&u1,&t1); */ /* let u1 = u1 mod q */ - if (!BN_mod_ct(&u1, &t1, dsa->q, ctx)) + if (!BN_mod_ct(u1, t1, dsa->q, ctx)) goto err; /* v is in u1 - if the signature is correct, it will be equal to r. */ - ret = BN_ucmp(&u1, sig->r) == 0; + ret = BN_ucmp(u1, sig->r) == 0; err: if (ret < 0) DSAerror(ERR_R_BN_LIB); + BN_CTX_end(ctx); BN_CTX_free(ctx); - BN_free(&u1); - BN_free(&u2); - BN_free(&t1); return ret; } 
@@ -425,3 +435,37 @@ dsa_finish(DSA *dsa) return 1; } +DSA_SIG * +DSA_SIG_new(void) +{ + return calloc(1, sizeof(DSA_SIG)); +} + +void +DSA_SIG_free(DSA_SIG *sig) +{ + if (sig == NULL) + return; + + BN_free(sig->r); + BN_free(sig->s); + free(sig); +} + +int +DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) +{ + return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); +} + +DSA_SIG * +DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) +{ + return dsa->meth->dsa_do_sign(dgst, dlen, dsa); +} + +int +DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) +{ + return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa); +} diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c index ef89e2b..9b03a2f 100644 --- a/crypto/dsa/dsa_pmeth.c +++ b/crypto/dsa/dsa_pmeth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_pmeth.c,v 1.13 2021/12/04 16:08:32 tb Exp $ */ +/* $OpenBSD: dsa_pmeth.c,v 1.17 2023/04/25 15:48:48 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -66,9 +66,9 @@ #include #include -#include "bn_lcl.h" -#include "dsa_locl.h" -#include "evp_locl.h" +#include "bn_local.h" +#include "dsa_local.h" +#include "evp_local.h" /* DSA pkey context structure */ @@ -99,7 +99,7 @@ pkey_dsa_init(EVP_PKEY_CTX *ctx) ctx->data = dctx; ctx->keygen_info = dctx->gentmp; ctx->keygen_info_count = 2; - + return 1; } 
@@ -110,7 +110,7 @@ pkey_dsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) if (!pkey_dsa_init(dst)) return 0; - sctx = src->data; + sctx = src->data; dctx = dst->data; dctx->nbits = sctx->nbits; dctx->qbits = sctx->qbits; @@ -128,24 +128,28 @@ pkey_dsa_cleanup(EVP_PKEY_CTX *ctx) } static int -pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, +pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *out_siglen, const unsigned char *tbs, size_t tbslen) { - int ret, type; - unsigned int sltmp; - DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; + DSA_PKEY_CTX *dctx = ctx->data; + unsigned int siglen; - if (dctx->md) - type = EVP_MD_type(dctx->md); - else - type = NID_sha1; + *out_siglen = 0; - ret = DSA_sign(type, tbs, tbslen, sig, &sltmp, dsa); + if (tbslen > INT_MAX) + return 0; + + if (dctx->md != NULL) { + if (tbslen != EVP_MD_size(dctx->md)) + return 0; + } + + if (!DSA_sign(0, tbs, tbslen, sig, &siglen, dsa)) + return 0; + + *out_siglen = siglen; - if (ret <= 0) - return ret; - *siglen = sltmp; return 1; } @@ -153,18 +157,18 @@ static int pkey_dsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen, const unsigned char *tbs, size_t tbslen) { - int ret, type; - DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; + DSA_PKEY_CTX *dctx = ctx->data; - if (dctx->md) - type = EVP_MD_type(dctx->md); - else - type = NID_sha1; + if (tbslen > INT_MAX || siglen > INT_MAX) + return 0; - ret = DSA_verify(type, tbs, tbslen, sig, siglen, dsa); + if (dctx->md != NULL) { + if (tbslen != EVP_MD_size(dctx->md)) + return 0; + } - return ret; + return DSA_verify(0, tbs, tbslen, sig, siglen, dsa); } static int @@ -199,6 +203,7 @@ pkey_dsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) return 1; case EVP_PKEY_CTRL_MD: + /* ANSI X9.57 and NIST CSOR. */ switch (EVP_MD_type((const EVP_MD *)p2)) { case NID_sha1: case NID_dsa: 
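Review bot: Both pkey_dsa_sign and pkey_dsa_verify now pass 0 as the digest type to DSA_sign/DSA_verify without saying why, and the `tbslen != EVP_MD_size(dctx->md)` comparison mixes size_t and int; it is correct as written (a negative size converts to a value no tbslen can equal and is rejected) but the intent is not obvious. A comment above the call, `/* The type argument is unused by DSA_sign(); the digest length was checked against dctx->md above. */`, and an explicit cast, `if (tbslen != (size_t)EVP_MD_size(dctx->md))`, would make both explicit. Note that when no md has been set, tbslen is not checked beyond INT_MAX and DSA_sign presumably truncates the digest to the size of q, which appears to match the previous behaviour.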
@@ -207,6 +212,10 @@ pkey_dsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) case NID_sha256: case NID_sha384: case NID_sha512: + case NID_sha3_224: + case NID_sha3_256: + case NID_sha3_384: + case NID_sha3_512: break; default: DSAerror(DSA_R_INVALID_DIGEST_TYPE); @@ -223,19 +232,19 @@ pkey_dsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) case EVP_PKEY_CTRL_PKCS7_SIGN: case EVP_PKEY_CTRL_CMS_SIGN: return 1; - + case EVP_PKEY_CTRL_PEER_KEY: DSAerror(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); - return -2; + return -2; default: return -2; } } - + static int pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value) { - long lval; + long lval; char *ep; if (!strcmp(type, "dsa_paramgen_bits")) { @@ -268,7 +277,7 @@ pkey_dsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value) qbits, NULL); } else if (!strcmp(type, "dsa_paramgen_md")) { return EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_DSA, - EVP_PKEY_OP_PARAMGEN, EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0, + EVP_PKEY_OP_PARAMGEN, EVP_PKEY_CTRL_DSA_PARAMGEN_MD, 0, (void *)EVP_get_digestbyname(value)); } not_a_number: diff --git a/crypto/dsa/dsa_prn.c b/crypto/dsa/dsa_prn.c index fb5e35f..4ed656a 100644 --- a/crypto/dsa/dsa_prn.c +++ b/crypto/dsa/dsa_prn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_prn.c,v 1.6 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: dsa_prn.c,v 1.9 2022/11/19 06:33:00 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in 
@@ -98,12 +98,16 @@ int DSA_print(BIO *bp, const DSA *x, int off) { EVP_PKEY *pk; - int ret; + int ret = 0; + + if ((pk = EVP_PKEY_new()) == NULL) + goto err; + + if (!EVP_PKEY_set1_DSA(pk, (DSA *)x)) + goto err; - pk = EVP_PKEY_new(); - if (!pk || !EVP_PKEY_set1_DSA(pk, (DSA *)x)) - return 0; ret = EVP_PKEY_print_private(bp, pk, off, NULL); + err: EVP_PKEY_free(pk); return ret; } @@ -112,12 +116,16 @@ int DSAparams_print(BIO *bp, const DSA *x) { EVP_PKEY *pk; - int ret; + int ret = 0; + + if ((pk = EVP_PKEY_new()) == NULL) + goto err; + + if (!EVP_PKEY_set1_DSA(pk, (DSA *)x)) + goto err; - pk = EVP_PKEY_new(); - if (!pk || !EVP_PKEY_set1_DSA(pk, (DSA *)x)) - return 0; ret = EVP_PKEY_print_params(bp, pk, 4, NULL); + err: EVP_PKEY_free(pk); return ret; } diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c deleted file mode 100644 index b1fc1db..0000000 --- a/crypto/dsa/dsa_sign.c +++ /dev/null 
@@ -1,92 +0,0 @@ -/* $OpenBSD: dsa_sign.c,v 1.21 2022/01/07 09:35:36 tb Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). 
- * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* Original version from Steven Schoch */ - -#include -#include - -#include "dsa_locl.h" - -DSA_SIG * -DSA_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) -{ - return dsa->meth->dsa_do_sign(dgst, dlen, dsa); -} - -int -DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) -{ - return dsa->meth->dsa_sign_setup(dsa, ctx_in, kinvp, rp); -} - -DSA_SIG * -DSA_SIG_new(void) -{ - return calloc(1, sizeof(DSA_SIG)); -} - -void -DSA_SIG_free(DSA_SIG *sig) -{ - if (sig != NULL) { - BN_free(sig->r); - BN_free(sig->s); - free(sig); - } -} diff --git a/crypto/dsa/dsa_vrf.c b/crypto/dsa/dsa_vrf.c deleted file mode 100644 index 38f8450..0000000 --- a/crypto/dsa/dsa_vrf.c +++ /dev/null 
@@ -1,69 +0,0 @@ -/* $OpenBSD: dsa_vrf.c,v 1.17 2022/01/07 09:35:36 tb Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). 
- * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* Original version from Steven Schoch */ - -#include - -#include "dsa_locl.h" - -int -DSA_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) -{ - return dsa->meth->dsa_do_verify(dgst, dgst_len, sig, dsa); -} diff --git a/crypto/dso/dso_err.c b/crypto/dso/dso_err.c index be6375a..2eee155 100644 --- a/crypto/dso/dso_err.c +++ b/crypto/dso/dso_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dso_err.c,v 1.9 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: dso_err.c,v 1.10 2022/07/12 14:42:49 kn Exp $ */ /* ==================================================================== * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. * 
@@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSO,func,0) diff --git a/crypto/ec/ec2_mult.c b/crypto/ec/ec2_mult.c deleted file mode 100644 index 3e5d1dc..0000000 --- a/crypto/ec/ec2_mult.c +++ /dev/null 
@@ -1,455 +0,0 @@ -/* $OpenBSD: ec2_mult.c,v 1.13 2018/07/23 18:24:22 tb Exp $ */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * The Elliptic Curve Public-Key Crypto Library (ECC Code) included - * herein is developed by SUN MICROSYSTEMS, INC., and is contributed - * to the OpenSSL project. - * - * The ECC Code is licensed pursuant to the OpenSSL open source - * license provided below. - * - * The software is originally written by Sheueling Chang Shantz and - * Douglas Stebila of Sun Microsystems Laboratories. - * - */ -/* ==================================================================== - * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. 
Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include - -#include - -#include "bn_lcl.h" -#include "ec_lcl.h" - -#ifndef OPENSSL_NO_EC2M - - -/* Compute the x-coordinate x/z for the point 2*(x/z) in Montgomery projective - * coordinates. - * Uses algorithm Mdouble in appendix of - * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over - * GF(2^m) without precomputation" (CHES '99, LNCS 1717). - * modified to not require precomputation of c=b^{2^{m-1}}. - */ -static int -gf2m_Mdouble(const EC_GROUP *group, BIGNUM *x, BIGNUM *z, BN_CTX *ctx) -{ - BIGNUM *t1; - int ret = 0; - - /* Since Mdouble is static we can guarantee that ctx != NULL. 
*/ - BN_CTX_start(ctx); - if ((t1 = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!group->meth->field_sqr(group, x, x, ctx)) - goto err; - if (!group->meth->field_sqr(group, t1, z, ctx)) - goto err; - if (!group->meth->field_mul(group, z, x, t1, ctx)) - goto err; - if (!group->meth->field_sqr(group, x, x, ctx)) - goto err; - if (!group->meth->field_sqr(group, t1, t1, ctx)) - goto err; - if (!group->meth->field_mul(group, t1, &group->b, t1, ctx)) - goto err; - if (!BN_GF2m_add(x, x, t1)) - goto err; - - ret = 1; - - err: - BN_CTX_end(ctx); - return ret; -} - -/* Compute the x-coordinate x1/z1 for the point (x1/z1)+(x2/x2) in Montgomery - * projective coordinates. - * Uses algorithm Madd in appendix of - * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over - * GF(2^m) without precomputation" (CHES '99, LNCS 1717). - */ -static int -gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM *z1, - const BIGNUM *x2, const BIGNUM *z2, BN_CTX *ctx) -{ - BIGNUM *t1, *t2; - int ret = 0; - - /* Since Madd is static we can guarantee that ctx != NULL. */ - BN_CTX_start(ctx); - if ((t1 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((t2 = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_copy(t1, x)) - goto err; - if (!group->meth->field_mul(group, x1, x1, z2, ctx)) - goto err; - if (!group->meth->field_mul(group, z1, z1, x2, ctx)) - goto err; - if (!group->meth->field_mul(group, t2, x1, z1, ctx)) - goto err; - if (!BN_GF2m_add(z1, z1, x1)) - goto err; - if (!group->meth->field_sqr(group, z1, z1, ctx)) - goto err; - if (!group->meth->field_mul(group, x1, z1, t1, ctx)) - goto err; - if (!BN_GF2m_add(x1, x1, t2)) - goto err; - - ret = 1; - - err: - BN_CTX_end(ctx); - return ret; -} - -/* Compute the x, y affine coordinates from the point (x1, z1) (x2, z2) - * using Montgomery point multiplication algorithm Mxy() in appendix of - * Lopez, J. and Dahab, R. 
"Fast multiplication on elliptic curves over - * GF(2^m) without precomputation" (CHES '99, LNCS 1717). - * Returns: - * 0 on error - * 1 if return value should be the point at infinity - * 2 otherwise - */ -static int -gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIGNUM *x1, - BIGNUM *z1, BIGNUM *x2, BIGNUM *z2, BN_CTX *ctx) -{ - BIGNUM *t3, *t4, *t5; - int ret = 0; - - if (BN_is_zero(z1)) { - BN_zero(x2); - BN_zero(z2); - return 1; - } - if (BN_is_zero(z2)) { - if (!BN_copy(x2, x)) - return 0; - if (!BN_GF2m_add(z2, x, y)) - return 0; - return 2; - } - /* Since Mxy is static we can guarantee that ctx != NULL. */ - BN_CTX_start(ctx); - if ((t3 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((t4 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((t5 = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_one(t5)) - goto err; - - if (!group->meth->field_mul(group, t3, z1, z2, ctx)) - goto err; - - if (!group->meth->field_mul(group, z1, z1, x, ctx)) - goto err; - if (!BN_GF2m_add(z1, z1, x1)) - goto err; - if (!group->meth->field_mul(group, z2, z2, x, ctx)) - goto err; - if (!group->meth->field_mul(group, x1, z2, x1, ctx)) - goto err; - if (!BN_GF2m_add(z2, z2, x2)) - goto err; - - if (!group->meth->field_mul(group, z2, z2, z1, ctx)) - goto err; - if (!group->meth->field_sqr(group, t4, x, ctx)) - goto err; - if (!BN_GF2m_add(t4, t4, y)) - goto err; - if (!group->meth->field_mul(group, t4, t4, t3, ctx)) - goto err; - if (!BN_GF2m_add(t4, t4, z2)) - goto err; - - if (!group->meth->field_mul(group, t3, t3, x, ctx)) - goto err; - if (!group->meth->field_div(group, t3, t5, t3, ctx)) - goto err; - if (!group->meth->field_mul(group, t4, t3, t4, ctx)) - goto err; - if (!group->meth->field_mul(group, x2, x1, t3, ctx)) - goto err; - if (!BN_GF2m_add(z2, x2, x)) - goto err; - - if (!group->meth->field_mul(group, z2, z2, t4, ctx)) - goto err; - if (!BN_GF2m_add(z2, z2, y)) - goto err; - - ret = 2; - - err: - BN_CTX_end(ctx); - return ret; -} - - -/* Computes 
scalar*point and stores the result in r. - * point can not equal r. - * Uses a modified algorithm 2P of - * Lopez, J. and Dahab, R. "Fast multiplication on elliptic curves over - * GF(2^m) without precomputation" (CHES '99, LNCS 1717). - * - * To protect against side-channel attack the function uses constant time swap, - * avoiding conditional branches. - */ -static int -ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx) -{ - BIGNUM *x1, *x2, *z1, *z2; - int ret = 0, i; - BN_ULONG mask, word; - - if (r == point) { - ECerror(EC_R_INVALID_ARGUMENT); - return 0; - } - /* if result should be point at infinity */ - if ((scalar == NULL) || BN_is_zero(scalar) || (point == NULL) || - EC_POINT_is_at_infinity(group, point) > 0) { - return EC_POINT_set_to_infinity(group, r); - } - /* only support affine coordinates */ - if (!point->Z_is_one) - return 0; - - /* Since point_multiply is static we can guarantee that ctx != NULL. 
*/ - BN_CTX_start(ctx); - if ((x1 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((z1 = BN_CTX_get(ctx)) == NULL) - goto err; - - x2 = &r->X; - z2 = &r->Y; - - if (!bn_wexpand(x1, group->field.top)) - goto err; - if (!bn_wexpand(z1, group->field.top)) - goto err; - if (!bn_wexpand(x2, group->field.top)) - goto err; - if (!bn_wexpand(z2, group->field.top)) - goto err; - - if (!BN_GF2m_mod_arr(x1, &point->X, group->poly)) - goto err; /* x1 = x */ - if (!BN_one(z1)) - goto err; /* z1 = 1 */ - if (!group->meth->field_sqr(group, z2, x1, ctx)) - goto err; /* z2 = x1^2 = x^2 */ - if (!group->meth->field_sqr(group, x2, z2, ctx)) - goto err; - if (!BN_GF2m_add(x2, x2, &group->b)) - goto err; /* x2 = x^4 + b */ - - /* find top most bit and go one past it */ - i = scalar->top - 1; - mask = BN_TBIT; - word = scalar->d[i]; - while (!(word & mask)) - mask >>= 1; - mask >>= 1; - /* if top most bit was at word break, go to next word */ - if (!mask) { - i--; - mask = BN_TBIT; - } - for (; i >= 0; i--) { - word = scalar->d[i]; - while (mask) { - if (!BN_swap_ct(word & mask, x1, x2, group->field.top)) - goto err; - if (!BN_swap_ct(word & mask, z1, z2, group->field.top)) - goto err; - if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) - goto err; - if (!gf2m_Mdouble(group, x1, z1, ctx)) - goto err; - if (!BN_swap_ct(word & mask, x1, x2, group->field.top)) - goto err; - if (!BN_swap_ct(word & mask, z1, z2, group->field.top)) - goto err; - mask >>= 1; - } - mask = BN_TBIT; - } - - /* convert out of "projective" coordinates */ - i = gf2m_Mxy(group, &point->X, &point->Y, x1, z1, x2, z2, ctx); - if (i == 0) - goto err; - else if (i == 1) { - if (!EC_POINT_set_to_infinity(group, r)) - goto err; - } else { - if (!BN_one(&r->Z)) - goto err; - r->Z_is_one = 1; - } - - /* GF(2^m) field elements should always have BIGNUM::neg = 0 */ - BN_set_negative(&r->X, 0); - BN_set_negative(&r->Y, 0); - - ret = 1; - - err: - BN_CTX_end(ctx); - return ret; -} - - -/* Computes the sum - * 
scalar*group->generator + scalars[0]*points[0] + ... + scalars[num-1]*points[num-1] - * gracefully ignoring NULL scalar values. - */ -int -ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, - size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) -{ - BN_CTX *new_ctx = NULL; - int ret = 0; - size_t i; - EC_POINT *p = NULL; - EC_POINT *acc = NULL; - - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } - /* - * This implementation is more efficient than the wNAF implementation - * for 2 or fewer points. Use the ec_wNAF_mul implementation for 3 - * or more points, or if we can perform a fast multiplication based - * on precomputation. - */ - if ((scalar && (num > 1)) || (num > 2) || - (num == 0 && EC_GROUP_have_precompute_mult(group))) { - ret = ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); - goto err; - } - if ((p = EC_POINT_new(group)) == NULL) - goto err; - if ((acc = EC_POINT_new(group)) == NULL) - goto err; - - if (!EC_POINT_set_to_infinity(group, acc)) - goto err; - - if (scalar) { - if (!ec_GF2m_montgomery_point_multiply(group, p, scalar, group->generator, ctx)) - goto err; - if (BN_is_negative(scalar)) - if (!group->meth->invert(group, p, ctx)) - goto err; - if (!group->meth->add(group, acc, acc, p, ctx)) - goto err; - } - for (i = 0; i < num; i++) { - if (!ec_GF2m_montgomery_point_multiply(group, p, scalars[i], points[i], ctx)) - goto err; - if (BN_is_negative(scalars[i])) - if (!group->meth->invert(group, p, ctx)) - goto err; - if (!group->meth->add(group, acc, acc, p, ctx)) - goto err; - } - - if (!EC_POINT_copy(r, acc)) - goto err; - - ret = 1; - - err: - EC_POINT_free(p); - EC_POINT_free(acc); - BN_CTX_free(new_ctx); - return ret; -} - - -/* Precomputation for point multiplication: fall back to wNAF methods - * because ec_GF2m_simple_mul() uses ec_wNAF_mul() if appropriate */ - -int -ec_GF2m_precompute_mult(EC_GROUP * group, BN_CTX * ctx) -{ - return 
ec_wNAF_precompute_mult(group, ctx); -} - -int -ec_GF2m_have_precompute_mult(const EC_GROUP * group) -{ - return ec_wNAF_have_precompute_mult(group); -} - -#endif diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c deleted file mode 100644 index 832083c..0000000 --- a/crypto/ec/ec2_oct.c +++ /dev/null 
@@ -1,421 +0,0 @@ -/* $OpenBSD: ec2_oct.c,v 1.16 2021/05/03 14:42:45 tb Exp $ */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * The Elliptic Curve Public-Key Crypto Library (ECC Code) included - * herein is developed by SUN MICROSYSTEMS, INC., and is contributed - * to the OpenSSL project. - * - * The ECC Code is licensed pursuant to the OpenSSL open source - * license provided below. - * - * The software is originally written by Sheueling Chang Shantz and - * Douglas Stebila of Sun Microsystems Laboratories. - * - */ -/* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. 
Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include - -#include - -#include "ec_lcl.h" - -#ifndef OPENSSL_NO_EC2M - -/* Calculates and sets the affine coordinates of an EC_POINT from the given - * compressed coordinates. Uses algorithm 2.3.4 of SEC 1. - * Note that the simple implementation only uses affine coordinates. 
- * - * The method is from the following publication: - * - * Harper, Menezes, Vanstone: - * "Public-Key Cryptosystems with Very Small Key Lengths", - * EUROCRYPT '92, Springer-Verlag LNCS 658, - * published February 1993 - * - * US Patents 6,141,420 and 6,618,483 (Vanstone, Mullin, Agnew) describe - * the same method, but claim no priority date earlier than July 29, 1994 - * (and additionally fail to cite the EUROCRYPT '92 publication as prior art). - */ -int -ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point, - const BIGNUM *x_, int y_bit, BN_CTX *ctx) -{ - BN_CTX *new_ctx = NULL; - BIGNUM *tmp, *x, *y, *z; - int ret = 0, z0; - - /* clear error queue */ - ERR_clear_error(); - - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } - y_bit = (y_bit != 0) ? 1 : 0; - - BN_CTX_start(ctx); - if ((tmp = BN_CTX_get(ctx)) == NULL) - goto err; - if ((x = BN_CTX_get(ctx)) == NULL) - goto err; - if ((y = BN_CTX_get(ctx)) == NULL) - goto err; - if ((z = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_GF2m_mod_arr(x, x_, group->poly)) - goto err; - if (BN_is_zero(x)) { - if (y_bit != 0) { - ECerror(EC_R_INVALID_COMPRESSED_POINT); - goto err; - } - if (!BN_GF2m_mod_sqrt_arr(y, &group->b, group->poly, ctx)) - goto err; - } else { - if (!group->meth->field_sqr(group, tmp, x, ctx)) - goto err; - if (!group->meth->field_div(group, tmp, &group->b, tmp, ctx)) - goto err; - if (!BN_GF2m_add(tmp, &group->a, tmp)) - goto err; - if (!BN_GF2m_add(tmp, x, tmp)) - goto err; - if (!BN_GF2m_mod_solve_quad_arr(z, tmp, group->poly, ctx)) { - unsigned long err = ERR_peek_last_error(); - - if (ERR_GET_LIB(err) == ERR_LIB_BN && - ERR_GET_REASON(err) == BN_R_NO_SOLUTION) { - ERR_clear_error(); - ECerror(EC_R_INVALID_COMPRESSED_POINT); - } else - ECerror(ERR_R_BN_LIB); - goto err; - } - z0 = (BN_is_odd(z)) ? 
1 : 0; - if (!group->meth->field_mul(group, y, x, z, ctx)) - goto err; - if (z0 != y_bit) { - if (!BN_GF2m_add(y, y, x)) - goto err; - } - } - - if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx)) - goto err; - - ret = 1; - - err: - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return ret; -} - - -/* Converts an EC_POINT to an octet string. - * If buf is NULL, the encoded length will be returned. - * If the length len of buf is smaller than required an error will be returned. - */ -size_t -ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, - point_conversion_form_t form, - unsigned char *buf, size_t len, BN_CTX * ctx) -{ - size_t ret; - BN_CTX *new_ctx = NULL; - int used_ctx = 0; - BIGNUM *x, *y, *yxi; - size_t field_len, i, skip; - - if ((form != POINT_CONVERSION_COMPRESSED) - && (form != POINT_CONVERSION_UNCOMPRESSED) - && (form != POINT_CONVERSION_HYBRID)) { - ECerror(EC_R_INVALID_FORM); - goto err; - } - if (EC_POINT_is_at_infinity(group, point) > 0) { - /* encodes to a single 0 octet */ - if (buf != NULL) { - if (len < 1) { - ECerror(EC_R_BUFFER_TOO_SMALL); - return 0; - } - buf[0] = 0; - } - return 1; - } - /* ret := required output buffer length */ - field_len = (EC_GROUP_get_degree(group) + 7) / 8; - ret = (form == POINT_CONVERSION_COMPRESSED) ? 
1 + field_len : - 1 + 2 * field_len; - - /* if 'buf' is NULL, just return required length */ - if (buf != NULL) { - if (len < ret) { - ECerror(EC_R_BUFFER_TOO_SMALL); - goto err; - } - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } - BN_CTX_start(ctx); - used_ctx = 1; - if ((x = BN_CTX_get(ctx)) == NULL) - goto err; - if ((y = BN_CTX_get(ctx)) == NULL) - goto err; - if ((yxi = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx)) - goto err; - - buf[0] = form; - if ((form != POINT_CONVERSION_UNCOMPRESSED) && !BN_is_zero(x)) { - if (!group->meth->field_div(group, yxi, y, x, ctx)) - goto err; - if (BN_is_odd(yxi)) - buf[0]++; - } - i = 1; - - skip = field_len - BN_num_bytes(x); - if (skip > field_len) { - ECerror(ERR_R_INTERNAL_ERROR); - goto err; - } - while (skip > 0) { - buf[i++] = 0; - skip--; - } - skip = BN_bn2bin(x, buf + i); - i += skip; - if (i != 1 + field_len) { - ECerror(ERR_R_INTERNAL_ERROR); - goto err; - } - if (form == POINT_CONVERSION_UNCOMPRESSED || - form == POINT_CONVERSION_HYBRID) { - skip = field_len - BN_num_bytes(y); - if (skip > field_len) { - ECerror(ERR_R_INTERNAL_ERROR); - goto err; - } - while (skip > 0) { - buf[i++] = 0; - skip--; - } - skip = BN_bn2bin(y, buf + i); - i += skip; - } - if (i != ret) { - ECerror(ERR_R_INTERNAL_ERROR); - goto err; - } - } - if (used_ctx) - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return ret; - - err: - if (used_ctx) - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return 0; -} - - -/* - * Converts an octet string representation to an EC_POINT. - * Note that the simple implementation only uses affine coordinates. 
- */ -int -ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, - const unsigned char *buf, size_t len, BN_CTX *ctx) -{ - point_conversion_form_t form; - int y_bit; - BN_CTX *new_ctx = NULL; - BIGNUM *x, *y, *yxi; - size_t field_len, enc_len; - int ret = 0; - - if (len == 0) { - ECerror(EC_R_BUFFER_TOO_SMALL); - return 0; - } - - /* - * The first octet is the point conversion octet PC, see X9.62, page 4 - * and section 4.4.2. It must be: - * 0x00 for the point at infinity - * 0x02 or 0x03 for compressed form - * 0x04 for uncompressed form - * 0x06 or 0x07 for hybrid form. - * For compressed or hybrid forms, we store the last bit of buf[0] as - * y_bit and clear it from buf[0] so as to obtain a POINT_CONVERSION_*. - * We error if buf[0] contains any but the above values. - */ - y_bit = buf[0] & 1; - form = buf[0] & ~1U; - - if (form != 0 && form != POINT_CONVERSION_COMPRESSED && - form != POINT_CONVERSION_UNCOMPRESSED && - form != POINT_CONVERSION_HYBRID) { - ECerror(EC_R_INVALID_ENCODING); - return 0; - } - if (form == 0 || form == POINT_CONVERSION_UNCOMPRESSED) { - if (y_bit != 0) { - ECerror(EC_R_INVALID_ENCODING); - return 0; - } - } - - /* The point at infinity is represented by a single zero octet. */ - if (form == 0) { - if (len != 1) { - ECerror(EC_R_INVALID_ENCODING); - return 0; - } - return EC_POINT_set_to_infinity(group, point); - } - - field_len = (EC_GROUP_get_degree(group) + 7) / 8; - enc_len = (form == POINT_CONVERSION_COMPRESSED) ? 
1 + field_len : - 1 + 2 * field_len; - - if (len != enc_len) { - ECerror(EC_R_INVALID_ENCODING); - return 0; - } - - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } - BN_CTX_start(ctx); - if ((x = BN_CTX_get(ctx)) == NULL) - goto err; - if ((y = BN_CTX_get(ctx)) == NULL) - goto err; - if ((yxi = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_bin2bn(buf + 1, field_len, x)) - goto err; - if (BN_ucmp(x, &group->field) >= 0) { - ECerror(EC_R_INVALID_ENCODING); - goto err; - } - if (form == POINT_CONVERSION_COMPRESSED) { - /* - * EC_POINT_set_compressed_coordinates checks that the - * point is on the curve as required by X9.62. - */ - if (!EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx)) - goto err; - } else { - if (!BN_bin2bn(buf + 1 + field_len, field_len, y)) - goto err; - if (BN_ucmp(y, &group->field) >= 0) { - ECerror(EC_R_INVALID_ENCODING); - goto err; - } - if (form == POINT_CONVERSION_HYBRID) { - /* - * Check that the form in the encoding was set - * correctly according to X9.62 4.4.2.a, 4(c), - * see also first paragraph of X9.62 4.4.1.b. - */ - if (BN_is_zero(x)) { - if (y_bit != 0) { - ECerror(EC_R_INVALID_ENCODING); - goto err; - } - } else { - if (!group->meth->field_div(group, yxi, y, x, - ctx)) - goto err; - if (y_bit != BN_is_odd(yxi)) { - ECerror(EC_R_INVALID_ENCODING); - goto err; - } - } - } - /* - * EC_POINT_set_affine_coordinates checks that the - * point is on the curve as required by X9.62. - */ - if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx)) - goto err; - } - - ret = 1; - - err: - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return ret; -} -#endif diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c deleted file mode 100644 index 9f3b380..0000000 --- a/crypto/ec/ec2_smpl.c +++ /dev/null 
@@ -1,785 +0,0 @@ -/* $OpenBSD: ec2_smpl.c,v 1.23 2021/09/08 17:29:21 tb Exp $ */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * - * The Elliptic Curve Public-Key Crypto Library (ECC Code) included - * herein is developed by SUN MICROSYSTEMS, INC., and is contributed - * to the OpenSSL project. - * - * The ECC Code is licensed pursuant to the OpenSSL open source - * license provided below. - * - * The software is originally written by Sheueling Chang Shantz and - * Douglas Stebila of Sun Microsystems Laboratories. - * - */ -/* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. 
Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). 
- * - */ - -#include - -#include - -#include "ec_lcl.h" - -#ifndef OPENSSL_NO_EC2M - -const EC_METHOD * -EC_GF2m_simple_method(void) -{ - static const EC_METHOD ret = { - .flags = EC_FLAGS_DEFAULT_OCT, - .field_type = NID_X9_62_characteristic_two_field, - .group_init = ec_GF2m_simple_group_init, - .group_finish = ec_GF2m_simple_group_finish, - .group_clear_finish = ec_GF2m_simple_group_clear_finish, - .group_copy = ec_GF2m_simple_group_copy, - .group_set_curve = ec_GF2m_simple_group_set_curve, - .group_get_curve = ec_GF2m_simple_group_get_curve, - .group_get_degree = ec_GF2m_simple_group_get_degree, - .group_order_bits = ec_group_simple_order_bits, - .group_check_discriminant = - ec_GF2m_simple_group_check_discriminant, - .point_init = ec_GF2m_simple_point_init, - .point_finish = ec_GF2m_simple_point_finish, - .point_clear_finish = ec_GF2m_simple_point_clear_finish, - .point_copy = ec_GF2m_simple_point_copy, - .point_set_to_infinity = ec_GF2m_simple_point_set_to_infinity, - .point_set_affine_coordinates = - ec_GF2m_simple_point_set_affine_coordinates, - .point_get_affine_coordinates = - ec_GF2m_simple_point_get_affine_coordinates, - .add = ec_GF2m_simple_add, - .dbl = ec_GF2m_simple_dbl, - .invert = ec_GF2m_simple_invert, - .is_at_infinity = ec_GF2m_simple_is_at_infinity, - .is_on_curve = ec_GF2m_simple_is_on_curve, - .point_cmp = ec_GF2m_simple_cmp, - .make_affine = ec_GF2m_simple_make_affine, - .points_make_affine = ec_GF2m_simple_points_make_affine, - .mul_generator_ct = ec_GFp_simple_mul_generator_ct, - .mul_single_ct = ec_GFp_simple_mul_single_ct, - .mul_double_nonct = ec_GFp_simple_mul_double_nonct, - .precompute_mult = ec_GF2m_precompute_mult, - .have_precompute_mult = ec_GF2m_have_precompute_mult, - .field_mul = ec_GF2m_simple_field_mul, - .field_sqr = ec_GF2m_simple_field_sqr, - .field_div = ec_GF2m_simple_field_div, - .blind_coordinates = NULL, - }; - - return &ret; -} - - -/* Initialize a GF(2^m)-based EC_GROUP structure. 
- * Note that all other members are handled by EC_GROUP_new. - */ -int -ec_GF2m_simple_group_init(EC_GROUP * group) -{ - BN_init(&group->field); - BN_init(&group->a); - BN_init(&group->b); - return 1; -} - - -/* Free a GF(2^m)-based EC_GROUP structure. - * Note that all other members are handled by EC_GROUP_free. - */ -void -ec_GF2m_simple_group_finish(EC_GROUP * group) -{ - BN_free(&group->field); - BN_free(&group->a); - BN_free(&group->b); -} - - -/* Clear and free a GF(2^m)-based EC_GROUP structure. - * Note that all other members are handled by EC_GROUP_clear_free. - */ -void -ec_GF2m_simple_group_clear_finish(EC_GROUP * group) -{ - BN_clear_free(&group->field); - BN_clear_free(&group->a); - BN_clear_free(&group->b); - group->poly[0] = 0; - group->poly[1] = 0; - group->poly[2] = 0; - group->poly[3] = 0; - group->poly[4] = 0; - group->poly[5] = -1; -} - - -/* Copy a GF(2^m)-based EC_GROUP structure. - * Note that all other members are handled by EC_GROUP_copy. - */ -int -ec_GF2m_simple_group_copy(EC_GROUP * dest, const EC_GROUP * src) -{ - int i; - - if (!BN_copy(&dest->field, &src->field)) - return 0; - if (!BN_copy(&dest->a, &src->a)) - return 0; - if (!BN_copy(&dest->b, &src->b)) - return 0; - dest->poly[0] = src->poly[0]; - dest->poly[1] = src->poly[1]; - dest->poly[2] = src->poly[2]; - dest->poly[3] = src->poly[3]; - dest->poly[4] = src->poly[4]; - dest->poly[5] = src->poly[5]; - if (bn_wexpand(&dest->a, (int) (dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) - return 0; - if (bn_wexpand(&dest->b, (int) (dest->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) - return 0; - for (i = dest->a.top; i < dest->a.dmax; i++) - dest->a.d[i] = 0; - for (i = dest->b.top; i < dest->b.dmax; i++) - dest->b.d[i] = 0; - return 1; -} - - -/* Set the curve parameters of an EC_GROUP structure. 
*/ -int -ec_GF2m_simple_group_set_curve(EC_GROUP * group, - const BIGNUM * p, const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx) -{ - int ret = 0, i; - - /* group->field */ - if (!BN_copy(&group->field, p)) - goto err; - i = BN_GF2m_poly2arr(&group->field, group->poly, 6) - 1; - if ((i != 5) && (i != 3)) { - ECerror(EC_R_UNSUPPORTED_FIELD); - goto err; - } - /* group->a */ - if (!BN_GF2m_mod_arr(&group->a, a, group->poly)) - goto err; - if (bn_wexpand(&group->a, (int) (group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) - goto err; - for (i = group->a.top; i < group->a.dmax; i++) - group->a.d[i] = 0; - - /* group->b */ - if (!BN_GF2m_mod_arr(&group->b, b, group->poly)) - goto err; - if (bn_wexpand(&group->b, (int) (group->poly[0] + BN_BITS2 - 1) / BN_BITS2) == NULL) - goto err; - for (i = group->b.top; i < group->b.dmax; i++) - group->b.d[i] = 0; - - ret = 1; - err: - return ret; -} - - -/* Get the curve parameters of an EC_GROUP structure. - * If p, a, or b are NULL then there values will not be set but the method will return with success. - */ -int -ec_GF2m_simple_group_get_curve(const EC_GROUP *group, - BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx) -{ - int ret = 0; - - if (p != NULL) { - if (!BN_copy(p, &group->field)) - return 0; - } - if (a != NULL) { - if (!BN_copy(a, &group->a)) - goto err; - } - if (b != NULL) { - if (!BN_copy(b, &group->b)) - goto err; - } - ret = 1; - - err: - return ret; -} - - -/* Gets the degree of the field. For a curve over GF(2^m) this is the value m. */ -int -ec_GF2m_simple_group_get_degree(const EC_GROUP * group) -{ - return BN_num_bits(&group->field) - 1; -} - - -/* Checks the discriminant of the curve. 
- * y^2 + x*y = x^3 + a*x^2 + b is an elliptic curve <=> b != 0 (mod p) - */ -int -ec_GF2m_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx) -{ - int ret = 0; - BIGNUM *b; - BN_CTX *new_ctx = NULL; - - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) { - ECerror(ERR_R_MALLOC_FAILURE); - goto err; - } - } - BN_CTX_start(ctx); - if ((b = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!BN_GF2m_mod_arr(b, &group->b, group->poly)) - goto err; - - /* - * check the discriminant: y^2 + x*y = x^3 + a*x^2 + b is an elliptic - * curve <=> b != 0 (mod p) - */ - if (BN_is_zero(b)) - goto err; - - ret = 1; - - err: - if (ctx != NULL) - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return ret; -} - - -/* Initializes an EC_POINT. */ -int -ec_GF2m_simple_point_init(EC_POINT * point) -{ - BN_init(&point->X); - BN_init(&point->Y); - BN_init(&point->Z); - return 1; -} - - -/* Frees an EC_POINT. */ -void -ec_GF2m_simple_point_finish(EC_POINT * point) -{ - BN_free(&point->X); - BN_free(&point->Y); - BN_free(&point->Z); -} - - -/* Clears and frees an EC_POINT. */ -void -ec_GF2m_simple_point_clear_finish(EC_POINT * point) -{ - BN_clear_free(&point->X); - BN_clear_free(&point->Y); - BN_clear_free(&point->Z); - point->Z_is_one = 0; -} - - -/* Copy the contents of one EC_POINT into another. Assumes dest is initialized. */ -int -ec_GF2m_simple_point_copy(EC_POINT * dest, const EC_POINT * src) -{ - if (!BN_copy(&dest->X, &src->X)) - return 0; - if (!BN_copy(&dest->Y, &src->Y)) - return 0; - if (!BN_copy(&dest->Z, &src->Z)) - return 0; - dest->Z_is_one = src->Z_is_one; - - return 1; -} - - -/* Set an EC_POINT to the point at infinity. - * A point at infinity is represented by having Z=0. - */ -int -ec_GF2m_simple_point_set_to_infinity(const EC_GROUP * group, EC_POINT * point) -{ - point->Z_is_one = 0; - BN_zero(&point->Z); - return 1; -} - - -/* Set the coordinates of an EC_POINT using affine coordinates. 
- * Note that the simple implementation only uses affine coordinates. - */ -int -ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP * group, EC_POINT * point, - const BIGNUM * x, const BIGNUM * y, BN_CTX * ctx) -{ - int ret = 0; - if (x == NULL || y == NULL) { - ECerror(ERR_R_PASSED_NULL_PARAMETER); - return 0; - } - if (!BN_copy(&point->X, x)) - goto err; - BN_set_negative(&point->X, 0); - if (!BN_copy(&point->Y, y)) - goto err; - BN_set_negative(&point->Y, 0); - if (!BN_copy(&point->Z, BN_value_one())) - goto err; - BN_set_negative(&point->Z, 0); - point->Z_is_one = 1; - ret = 1; - - err: - return ret; -} - - -/* Gets the affine coordinates of an EC_POINT. - * Note that the simple implementation only uses affine coordinates. - */ -int -ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group, - const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx) -{ - int ret = 0; - - if (EC_POINT_is_at_infinity(group, point) > 0) { - ECerror(EC_R_POINT_AT_INFINITY); - return 0; - } - if (BN_cmp(&point->Z, BN_value_one())) { - ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } - if (x != NULL) { - if (!BN_copy(x, &point->X)) - goto err; - BN_set_negative(x, 0); - } - if (y != NULL) { - if (!BN_copy(y, &point->Y)) - goto err; - BN_set_negative(y, 0); - } - ret = 1; - - err: - return ret; -} - -/* Computes a + b and stores the result in r. r could be a or b, a could be b. - * Uses algorithm A.10.2 of IEEE P1363. 
- */ -int -ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, - const EC_POINT *b, BN_CTX *ctx) -{ - BN_CTX *new_ctx = NULL; - BIGNUM *x0, *y0, *x1, *y1, *x2, *y2, *s, *t; - int ret = 0; - - if (EC_POINT_is_at_infinity(group, a) > 0) { - if (!EC_POINT_copy(r, b)) - return 0; - return 1; - } - if (EC_POINT_is_at_infinity(group, b) > 0) { - if (!EC_POINT_copy(r, a)) - return 0; - return 1; - } - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } - BN_CTX_start(ctx); - if ((x0 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((y0 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((x1 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((y1 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((x2 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((y2 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((s = BN_CTX_get(ctx)) == NULL) - goto err; - if ((t = BN_CTX_get(ctx)) == NULL) - goto err; - - if (a->Z_is_one) { - if (!BN_copy(x0, &a->X)) - goto err; - if (!BN_copy(y0, &a->Y)) - goto err; - } else { - if (!EC_POINT_get_affine_coordinates(group, a, x0, y0, ctx)) - goto err; - } - if (b->Z_is_one) { - if (!BN_copy(x1, &b->X)) - goto err; - if (!BN_copy(y1, &b->Y)) - goto err; - } else { - if (!EC_POINT_get_affine_coordinates(group, b, x1, y1, ctx)) - goto err; - } - - - if (BN_GF2m_cmp(x0, x1)) { - if (!BN_GF2m_add(t, x0, x1)) - goto err; - if (!BN_GF2m_add(s, y0, y1)) - goto err; - if (!group->meth->field_div(group, s, s, t, ctx)) - goto err; - if (!group->meth->field_sqr(group, x2, s, ctx)) - goto err; - if (!BN_GF2m_add(x2, x2, &group->a)) - goto err; - if (!BN_GF2m_add(x2, x2, s)) - goto err; - if (!BN_GF2m_add(x2, x2, t)) - goto err; - } else { - if (BN_GF2m_cmp(y0, y1) || BN_is_zero(x1)) { - if (!EC_POINT_set_to_infinity(group, r)) - goto err; - ret = 1; - goto err; - } - if (!group->meth->field_div(group, s, y1, x1, ctx)) - goto err; - if (!BN_GF2m_add(s, s, x1)) - goto err; - - if (!group->meth->field_sqr(group, x2, s, ctx)) - goto err; 
- if (!BN_GF2m_add(x2, x2, s)) - goto err; - if (!BN_GF2m_add(x2, x2, &group->a)) - goto err; - } - - if (!BN_GF2m_add(y2, x1, x2)) - goto err; - if (!group->meth->field_mul(group, y2, y2, s, ctx)) - goto err; - if (!BN_GF2m_add(y2, y2, x2)) - goto err; - if (!BN_GF2m_add(y2, y2, y1)) - goto err; - - if (!EC_POINT_set_affine_coordinates(group, r, x2, y2, ctx)) - goto err; - - ret = 1; - - err: - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return ret; -} - - -/* Computes 2 * a and stores the result in r. r could be a. - * Uses algorithm A.10.2 of IEEE P1363. - */ -int -ec_GF2m_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, - BN_CTX *ctx) -{ - return ec_GF2m_simple_add(group, r, a, a, ctx); -} - -int -ec_GF2m_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) -{ - if (EC_POINT_is_at_infinity(group, point) > 0 || BN_is_zero(&point->Y)) - /* point is its own inverse */ - return 1; - - if (!EC_POINT_make_affine(group, point, ctx)) - return 0; - return BN_GF2m_add(&point->Y, &point->X, &point->Y); -} - - -/* Indicates whether the given point is the point at infinity. */ -int -ec_GF2m_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) -{ - return BN_is_zero(&point->Z); -} - - -/* Determines whether the given EC_POINT is an actual point on the curve defined - * in the EC_GROUP. A point is valid if it satisfies the Weierstrass equation: - * y^2 + x*y = x^3 + a*x^2 + b. 
- */ -int -ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx) -{ - int ret = -1; - BN_CTX *new_ctx = NULL; - BIGNUM *lh, *y2; - int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); - int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); - - if (EC_POINT_is_at_infinity(group, point) > 0) - return 1; - - field_mul = group->meth->field_mul; - field_sqr = group->meth->field_sqr; - - /* only support affine coordinates */ - if (!point->Z_is_one) - return -1; - - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return -1; - } - BN_CTX_start(ctx); - if ((y2 = BN_CTX_get(ctx)) == NULL) - goto err; - if ((lh = BN_CTX_get(ctx)) == NULL) - goto err; - - /* - * We have a curve defined by a Weierstrass equation y^2 + x*y = x^3 - * + a*x^2 + b. <=> x^3 + a*x^2 + x*y + b + y^2 = 0 <=> ((x + a) * x - * + y ) * x + b + y^2 = 0 - */ - if (!BN_GF2m_add(lh, &point->X, &group->a)) - goto err; - if (!field_mul(group, lh, lh, &point->X, ctx)) - goto err; - if (!BN_GF2m_add(lh, lh, &point->Y)) - goto err; - if (!field_mul(group, lh, lh, &point->X, ctx)) - goto err; - if (!BN_GF2m_add(lh, lh, &group->b)) - goto err; - if (!field_sqr(group, y2, &point->Y, ctx)) - goto err; - if (!BN_GF2m_add(lh, lh, y2)) - goto err; - ret = BN_is_zero(lh); - err: - if (ctx) - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return ret; -} - - -/* Indicates whether two points are equal. - * Return values: - * -1 error - * 0 equal (in affine coordinates) - * 1 not equal - */ -int -ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a, - const EC_POINT *b, BN_CTX *ctx) -{ - BIGNUM *aX, *aY, *bX, *bY; - BN_CTX *new_ctx = NULL; - int ret = -1; - - if (EC_POINT_is_at_infinity(group, a) > 0) { - return EC_POINT_is_at_infinity(group, b) > 0 ? 
0 : 1; - } - if (EC_POINT_is_at_infinity(group, b) > 0) - return 1; - - if (a->Z_is_one && b->Z_is_one) { - return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1; - } - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return -1; - } - BN_CTX_start(ctx); - if ((aX = BN_CTX_get(ctx)) == NULL) - goto err; - if ((aY = BN_CTX_get(ctx)) == NULL) - goto err; - if ((bX = BN_CTX_get(ctx)) == NULL) - goto err; - if ((bY = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!EC_POINT_get_affine_coordinates(group, a, aX, aY, ctx)) - goto err; - if (!EC_POINT_get_affine_coordinates(group, b, bX, bY, ctx)) - goto err; - ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1; - - err: - if (ctx) - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return ret; -} - - -/* Forces the given EC_POINT to internally use affine coordinates. */ -int -ec_GF2m_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx) -{ - BN_CTX *new_ctx = NULL; - BIGNUM *x, *y; - int ret = 0; - - if (point->Z_is_one || EC_POINT_is_at_infinity(group, point) > 0) - return 1; - - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } - BN_CTX_start(ctx); - if ((x = BN_CTX_get(ctx)) == NULL) - goto err; - if ((y = BN_CTX_get(ctx)) == NULL) - goto err; - - if (!EC_POINT_get_affine_coordinates(group, point, x, y, ctx)) - goto err; - if (!BN_copy(&point->X, x)) - goto err; - if (!BN_copy(&point->Y, y)) - goto err; - if (!BN_one(&point->Z)) - goto err; - - ret = 1; - - err: - if (ctx) - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return ret; -} - - -/* Forces each of the EC_POINTs in the given array to use affine coordinates. 
*/ -int -ec_GF2m_simple_points_make_affine(const EC_GROUP *group, size_t num, - EC_POINT *points[], BN_CTX *ctx) -{ - size_t i; - - for (i = 0; i < num; i++) { - if (!group->meth->make_affine(group, points[i], ctx)) - return 0; - } - - return 1; -} - - -/* Wrapper to simple binary polynomial field multiplication implementation. */ -int -ec_GF2m_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, - const BIGNUM *b, BN_CTX *ctx) -{ - return BN_GF2m_mod_mul_arr(r, a, b, group->poly, ctx); -} - - -/* Wrapper to simple binary polynomial field squaring implementation. */ -int -ec_GF2m_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, - BN_CTX *ctx) -{ - return BN_GF2m_mod_sqr_arr(r, a, group->poly, ctx); -} - - -/* Wrapper to simple binary polynomial field division implementation. */ -int -ec_GF2m_simple_field_div(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, - const BIGNUM *b, BN_CTX *ctx) -{ - return BN_GF2m_mod_div(r, a, b, &group->field, ctx); -} - -#endif diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index 86f509b..e47dcbc 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_ameth.c,v 1.31 2022/01/10 12:10:26 tb Exp $ */ +/* $OpenBSD: ec_ameth.c,v 1.38 2023/03/07 07:01:35 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -66,17 +66,17 @@ #include #include -#include "asn1_locl.h" -#include "ec_lcl.h" -#include "evp_locl.h" +#include "asn1_local.h" +#include "ec_local.h" +#include "evp_local.h" #ifndef OPENSSL_NO_CMS static int ecdh_cms_decrypt(CMS_RecipientInfo *ri); static int ecdh_cms_encrypt(CMS_RecipientInfo *ri); #endif -static int -eckey_param2type(int *pptype, void **ppval, EC_KEY * ec_key) +static int +eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key) { const EC_GROUP *group; int nid; 
@@ -107,8 +107,8 @@ eckey_param2type(int *pptype, void **ppval, EC_KEY * ec_key) return 1; } -static int -eckey_pub_encode(X509_PUBKEY * pk, const EVP_PKEY * pkey) +static int +eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) { EC_KEY *ec_key = pkey->pkey.ec; void *pval = NULL; @@ -190,8 +190,8 @@ eckey_type2param(int ptype, const void *pval) return NULL; } -static int -eckey_pub_decode(EVP_PKEY * pkey, X509_PUBKEY * pubkey) +static int +eckey_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) { const unsigned char *p = NULL; const void *pval; @@ -223,8 +223,8 @@ eckey_pub_decode(EVP_PKEY * pkey, X509_PUBKEY * pubkey) return 0; } -static int -eckey_pub_cmp(const EVP_PKEY * a, const EVP_PKEY * b) +static int +eckey_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) { int r; const EC_GROUP *group = EC_KEY_get0_group(b->pkey.ec); @@ -238,8 +238,8 @@ eckey_pub_cmp(const EVP_PKEY * a, const EVP_PKEY * b) return -2; } -static int -eckey_priv_decode(EVP_PKEY * pkey, const PKCS8_PRIV_KEY_INFO * p8) +static int +eckey_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) { const unsigned char *p = NULL; const void *pval; @@ -305,8 +305,8 @@ eckey_priv_decode(EVP_PKEY * pkey, const PKCS8_PRIV_KEY_INFO * p8) return 0; } -static int -eckey_priv_encode(PKCS8_PRIV_KEY_INFO * p8, const EVP_PKEY * pkey) +static int +eckey_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) { EC_KEY *ec_key; unsigned char *ep, *p; @@ -358,14 +358,14 @@ eckey_priv_encode(PKCS8_PRIV_KEY_INFO * p8, const EVP_PKEY * pkey) return 1; } -static int -int_ec_size(const EVP_PKEY * pkey) +static int +int_ec_size(const EVP_PKEY *pkey) { return ECDSA_size(pkey->pkey.ec); } -static int -ec_bits(const EVP_PKEY * pkey) +static int +ec_bits(const EVP_PKEY *pkey) { BIGNUM *order = BN_new(); const EC_GROUP *group; 
@@ -386,22 +386,41 @@ ec_bits(const EVP_PKEY * pkey)
 return ret;
 }
-static int
-ec_missing_parameters(const EVP_PKEY * pkey)
+static int
+ec_security_bits(const EVP_PKEY *pkey)
+{
+ int ecbits = ec_bits(pkey);
+
+ if (ecbits >= 512)
+ return 256;
+ if (ecbits >= 384)
+ return 192;
+ if (ecbits >= 256)
+ return 128;
+ if (ecbits >= 224)
+ return 112;
+ if (ecbits >= 160)
+ return 80;
+
+ return ecbits / 2;
+}
+
+static int
+ec_missing_parameters(const EVP_PKEY *pkey)
 {
 if (EC_KEY_get0_group(pkey->pkey.ec) == NULL)
 return 1;
 return 0;
 }
-static int
-ec_copy_parameters(EVP_PKEY * to, const EVP_PKEY * from)
+static int
+ec_copy_parameters(EVP_PKEY *to, const EVP_PKEY *from)
 {
 return EC_KEY_set_group(to->pkey.ec, EC_KEY_get0_group(from->pkey.ec));
 }
-static int
-ec_cmp_parameters(const EVP_PKEY * a, const EVP_PKEY * b)
+static int
+ec_cmp_parameters(const EVP_PKEY *a, const EVP_PKEY *b)
 {
 const EC_GROUP *group_a = EC_KEY_get0_group(a->pkey.ec), *group_b = EC_KEY_get0_group(b->pkey.ec);
 if (EC_GROUP_cmp(group_a, group_b, NULL))
@@ -410,14 +429,14 @@ ec_cmp_parameters(const EVP_PKEY * a, const EVP_PKEY * b)
 return 1;
 }
-static void
-int_ec_free(EVP_PKEY * pkey)
+static void
+int_ec_free(EVP_PKEY *pkey)
 {
 EC_KEY_free(pkey->pkey.ec);
 }
-static int
-do_EC_KEY_print(BIO * bp, const EC_KEY * x, int off, int ktype)
+static int
+do_EC_KEY_print(BIO *bp, const EC_KEY *x, int off, int ktype)
 {
 unsigned char *buffer = NULL;
 const char *ecstr;
@@ -500,8 +519,8 @@ do_EC_KEY_print(BIO * bp, const EC_KEY * x, int off, int ktype)
 return (ret);
 }
-static int
-eckey_param_decode(EVP_PKEY * pkey,
+static int
+eckey_param_decode(EVP_PKEY *pkey,
 const unsigned char **pder, int derlen)
 {
 EC_KEY *eckey;
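Review bot: ec_security_bits() in the @@ -386 hunk has no comment, so its five thresholds read as magic numbers; a header such as `/* Security strength in bits for an EC key: the NIST SP 800-57 tiers for the usual curve sizes (P-521 lands in the >= 512 tier), otherwise half the order size. */` would make the table self-explaining. If ec_bits() reports failure as 0 (its body is mostly above this hunk), the fallthrough `return ecbits / 2;` yields 0 security bits, which is the sensible failure value but worth saying in that comment. The remaining changes in the hunk are pointer-spacing only.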
@@ -513,36 +532,36 @@ eckey_param_decode(EVP_PKEY * pkey, return 1; } -static int -eckey_param_encode(const EVP_PKEY * pkey, unsigned char **pder) +static int +eckey_param_encode(const EVP_PKEY *pkey, unsigned char **pder) { return i2d_ECParameters(pkey->pkey.ec, pder); } -static int -eckey_param_print(BIO * bp, const EVP_PKEY * pkey, int indent, - ASN1_PCTX * ctx) +static int +eckey_param_print(BIO *bp, const EVP_PKEY *pkey, int indent, + ASN1_PCTX *ctx) { return do_EC_KEY_print(bp, pkey->pkey.ec, indent, 0); } -static int -eckey_pub_print(BIO * bp, const EVP_PKEY * pkey, int indent, - ASN1_PCTX * ctx) +static int +eckey_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, + ASN1_PCTX *ctx) { return do_EC_KEY_print(bp, pkey->pkey.ec, indent, 1); } -static int -eckey_priv_print(BIO * bp, const EVP_PKEY * pkey, int indent, - ASN1_PCTX * ctx) +static int +eckey_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, + ASN1_PCTX *ctx) { return do_EC_KEY_print(bp, pkey->pkey.ec, indent, 2); } -static int -old_ec_priv_decode(EVP_PKEY * pkey, +static int +old_ec_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) { EC_KEY *ec; @@ -554,14 +573,14 @@ old_ec_priv_decode(EVP_PKEY * pkey, return 1; } -static int -old_ec_priv_encode(const EVP_PKEY * pkey, unsigned char **pder) +static int +old_ec_priv_encode(const EVP_PKEY *pkey, unsigned char **pder) { return i2d_ECPrivateKey(pkey->pkey.ec, pder); } -static int -ec_pkey_ctrl(EVP_PKEY * pkey, int op, long arg1, void *arg2) +static int +ec_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) { switch (op) { case ASN1_PKEY_CTRL_PKCS7_SIGN: @@ -795,7 +814,7 @@ ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) goto err; plen = CMS_SharedInfo_encode(&der, kekalg, ukm, keylen); - if (!plen) + if (plen <= 0) goto err; if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, der, plen) <= 0) 
@@ -888,8 +907,8 @@ ecdh_cms_encrypt(CMS_RecipientInfo *ri) if (penclen <= 0) goto err; ASN1_STRING_set0(pubkey, penc, penclen); - pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); - pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT; + if (!asn1_abs_set_unused_bits(pubkey, 0)) + goto err; penc = NULL; X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), @@ -957,7 +976,7 @@ ecdh_cms_encrypt(CMS_RecipientInfo *ri) goto err; penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen); - if (!penclen) + if (penclen <= 0) goto err; if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0) @@ -969,7 +988,7 @@ ecdh_cms_encrypt(CMS_RecipientInfo *ri) * of another AlgorithmIdentifier. */ penclen = i2d_X509_ALGOR(wrap_alg, &penc); - if (!penc || !penclen) + if (penclen <= 0) goto err; wrap_str = ASN1_STRING_new(); if (wrap_str == NULL) @@ -1006,6 +1025,7 @@ const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = { .pkey_size = int_ec_size, .pkey_bits = ec_bits, + .pkey_security_bits = ec_security_bits, .param_decode = eckey_param_decode, .param_encode = eckey_param_encode, diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 4cf0bf5..36a413a 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_asn1.c,v 1.36 2022/03/31 13:00:58 tb Exp $ */ +/* $OpenBSD: ec_asn1.c,v 1.45 2023/05/04 05:59:38 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -60,13 +60,15 @@ #include -#include "ec_lcl.h" #include #include #include -int -EC_GROUP_get_basis_type(const EC_GROUP * group) +#include "asn1_local.h" +#include "ec_local.h" + +int +EC_GROUP_get_basis_type(const EC_GROUP *group) { int i = 0; 
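Review bot: In the @@ -888 hunk the new failure path can double free penc: `ASN1_STRING_set0(pubkey, penc, penclen)` hands the buffer to pubkey, but `penc = NULL;` is only reached after `asn1_abs_set_unused_bits()` succeeds, so on its failure the code jumps to err with penc still pointing at memory pubkey now owns. If the err label frees penc (it lies outside this hunk) that is a double free; either way the ownership hand-off and the clearing of the local should be adjacent. Reorder to `ASN1_STRING_set0(pubkey, penc, penclen);` `penc = NULL;` `if (!asn1_abs_set_unused_bits(pubkey, 0)) goto err;`. The enclosing ecdh_cms_encrypt() starts and ends outside the hunk.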
@@ -87,49 +89,6 @@ EC_GROUP_get_basis_type(const EC_GROUP * group) return 0; } -#ifndef OPENSSL_NO_EC2M -int -EC_GROUP_get_trinomial_basis(const EC_GROUP * group, unsigned int *k) -{ - if (group == NULL) - return 0; - - if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != - NID_X9_62_characteristic_two_field - || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] == 0))) { - ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } - if (k) - *k = group->poly[1]; - - return 1; -} - -int -EC_GROUP_get_pentanomial_basis(const EC_GROUP * group, unsigned int *k1, - unsigned int *k2, unsigned int *k3) -{ - if (group == NULL) - return 0; - - if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) != - NID_X9_62_characteristic_two_field - || !((group->poly[0] != 0) && (group->poly[1] != 0) && (group->poly[2] != 0) && (group->poly[3] != 0) && (group->poly[4] == 0))) { - ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; - } - if (k1) - *k1 = group->poly[3]; - if (k2) - *k2 = group->poly[2]; - if (k3) - *k3 = group->poly[1]; - - return 1; -} -#endif - /* some structures needed for the asn1 encoding */ typedef struct x9_62_pentanomial_st { long k1; @@ -266,7 +225,6 @@ static const ASN1_ADB_TABLE X9_62_CHARACTERISTIC_TWO_adbtbl[] = { .field_name = "p.onBasis", .item = &ASN1_NULL_it, }, - }, { .value = NID_X9_62_tpBasis, @@ -277,7 +235,6 @@ static const ASN1_ADB_TABLE X9_62_CHARACTERISTIC_TWO_adbtbl[] = { .field_name = "p.tpBasis", .item = &ASN1_INTEGER_it, }, - }, { .value = NID_X9_62_ppBasis, @@ -288,7 +245,7 @@ static const ASN1_ADB_TABLE X9_62_CHARACTERISTIC_TWO_adbtbl[] = { .field_name = "p.ppBasis", .item = &X9_62_PENTANOMIAL_it, }, - + }, }; @@ -368,7 +325,6 @@ static const ASN1_ADB_TABLE X9_62_FIELDID_adbtbl[] = { .field_name = "p.prime", .item = &ASN1_INTEGER_it, }, - }, { .value = NID_X9_62_characteristic_two_field, 
@@ -379,7 +335,6 @@ static const ASN1_ADB_TABLE X9_62_FIELDID_adbtbl[] = { .field_name = "p.char_two", .item = &X9_62_CHARACTERISTIC_TWO_it, }, - }, }; @@ -660,7 +615,7 @@ EC_PRIVATEKEY_free(EC_PRIVATEKEY *a) /* some declarations of internal function */ -/* ec_asn1_group2field() sets the values in a X9_62_FIELDID object */ +/* ec_asn1_group2fieldid() sets the values in a X9_62_FIELDID object */ static int ec_asn1_group2fieldid(const EC_GROUP *, X9_62_FIELDID *); /* ec_asn1_group2curve() sets the values in a X9_62_CURVE object */ static int ec_asn1_group2curve(const EC_GROUP *, X9_62_CURVE *); @@ -681,7 +636,7 @@ static ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *, /* the function definitions */ static int -ec_asn1_group2fieldid(const EC_GROUP * group, X9_62_FIELDID * field) +ec_asn1_group2fieldid(const EC_GROUP *group, X9_62_FIELDID *field) { int ok = 0, nid; BIGNUM *tmp = NULL; 
@@ -717,77 +672,10 @@ ec_asn1_group2fieldid(const EC_GROUP * group, X9_62_FIELDID * field) ECerror(ERR_R_ASN1_LIB); goto err; } - } else /* nid == NID_X9_62_characteristic_two_field */ -#ifdef OPENSSL_NO_EC2M - { + } else { ECerror(EC_R_GF2M_NOT_SUPPORTED); goto err; } -#else - { - int field_type; - X9_62_CHARACTERISTIC_TWO *char_two; - - field->p.char_two = X9_62_CHARACTERISTIC_TWO_new(); - char_two = field->p.char_two; - - if (char_two == NULL) { - ECerror(ERR_R_MALLOC_FAILURE); - goto err; - } - char_two->m = (long) EC_GROUP_get_degree(group); - - field_type = EC_GROUP_get_basis_type(group); - - if (field_type == 0) { - ECerror(ERR_R_EC_LIB); - goto err; - } - /* set base type OID */ - if ((char_two->type = OBJ_nid2obj(field_type)) == NULL) { - ECerror(ERR_R_OBJ_LIB); - goto err; - } - if (field_type == NID_X9_62_tpBasis) { - unsigned int k; - - if (!EC_GROUP_get_trinomial_basis(group, &k)) - goto err; - - char_two->p.tpBasis = ASN1_INTEGER_new(); - if (!char_two->p.tpBasis) { - ECerror(ERR_R_MALLOC_FAILURE); - goto err; - } - if (!ASN1_INTEGER_set(char_two->p.tpBasis, (long) k)) { - ECerror(ERR_R_ASN1_LIB); - goto err; - } - } else if (field_type == NID_X9_62_ppBasis) { - unsigned int k1, k2, k3; - - if (!EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3)) - goto err; - - char_two->p.ppBasis = X9_62_PENTANOMIAL_new(); - if (!char_two->p.ppBasis) { - ECerror(ERR_R_MALLOC_FAILURE); - goto err; - } - /* set k? values */ - char_two->p.ppBasis->k1 = (long) k1; - char_two->p.ppBasis->k2 = (long) k2; - char_two->p.ppBasis->k3 = (long) k3; - } else { /* field_type == NID_X9_62_onBasis */ - /* for ONB the parameters are (asn1) NULL */ - char_two->p.onBasis = ASN1_NULL_new(); - if (!char_two->p.onBasis) { - ECerror(ERR_R_MALLOC_FAILURE); - goto err; - } - } - } -#endif ok = 1; 
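Review bot: The @@ -717 hunk collapses the characteristic-two branch of ec_asn1_group2fieldid() into a bare `} else {` and drops the comment `/* nid == NID_X9_62_characteristic_two_field */` that said which field type reaches the EC_R_GF2M_NOT_SUPPORTED error. Keeping it on the new line, `} else { /* nid == NID_X9_62_characteristic_two_field */`, records that the else is not a catch-all for unknown field types; if nid can take other values (its computation is above the hunk), that deserves its own check rather than this error. The function starts and ends outside the hunk.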
@@ -796,8 +684,8 @@ ec_asn1_group2fieldid(const EC_GROUP * group, X9_62_FIELDID * field) return (ok); } -static int -ec_asn1_group2curve(const EC_GROUP * group, X9_62_CURVE * curve) +static int +ec_asn1_group2curve(const EC_GROUP *group, X9_62_CURVE *curve) { BIGNUM *tmp_1 = NULL, *tmp_2 = NULL; unsigned char *buffer_1 = NULL, *buffer_2 = NULL, *a_buf = NULL, @@ -860,24 +748,24 @@ ec_asn1_group2curve(const EC_GROUP * group, X9_62_CURVE * curve) ECerror(ERR_R_ASN1_LIB); goto err; } + + ASN1_BIT_STRING_free(curve->seed); + curve->seed = NULL; + /* set the seed (optional) */ - if (group->seed) { - if (!curve->seed) - if ((curve->seed = ASN1_BIT_STRING_new()) == NULL) { - ECerror(ERR_R_MALLOC_FAILURE); - goto err; - } - curve->seed->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); - curve->seed->flags |= ASN1_STRING_FLAG_BITS_LEFT; + if (group->seed != NULL) { + if ((curve->seed = ASN1_BIT_STRING_new()) == NULL) { + ECerror(ERR_R_MALLOC_FAILURE); + goto err; + } if (!ASN1_BIT_STRING_set(curve->seed, group->seed, (int) group->seed_len)) { ECerror(ERR_R_ASN1_LIB); goto err; } - } else { - if (curve->seed) { - ASN1_BIT_STRING_free(curve->seed); - curve->seed = NULL; + if (!asn1_abs_set_unused_bits(curve->seed, 0)) { + ECerror(ERR_R_ASN1_LIB); + goto err; } } @@ -892,7 +780,7 @@ ec_asn1_group2curve(const EC_GROUP * group, X9_62_CURVE * curve) } static ECPARAMETERS * -ec_asn1_group2parameters(const EC_GROUP * group, ECPARAMETERS * param) +ec_asn1_group2parameters(const EC_GROUP *group, ECPARAMETERS *param) { int ok = 0; size_t len = 0; @@ -987,7 +875,7 @@ ec_asn1_group2parameters(const EC_GROUP * group, ECPARAMETERS * param) } ECPKPARAMETERS * -ec_asn1_group2pkparameters(const EC_GROUP * group, ECPKPARAMETERS * params) +ec_asn1_group2pkparameters(const EC_GROUP *group, ECPKPARAMETERS *params) { int ok = 1, tmp; ECPKPARAMETERS *ret = params; 
@@ -1020,8 +908,8 @@ ec_asn1_group2pkparameters(const EC_GROUP * group, ECPKPARAMETERS * params) } else { /* use the ECPARAMETERS structure */ ret->type = 1; - if ((ret->value.parameters = ec_asn1_group2parameters( - group, NULL)) == NULL) + if ((ret->value.parameters = ec_asn1_group2parameters(group, + NULL)) == NULL) ok = 0; } @@ -1033,7 +921,7 @@ ec_asn1_group2pkparameters(const EC_GROUP * group, ECPKPARAMETERS * params) } static EC_GROUP * -ec_asn1_parameters2group(const ECPARAMETERS * params) +ec_asn1_parameters2group(const ECPARAMETERS *params) { int ok = 0, tmp; EC_GROUP *ret = NULL; 
@@ -1065,86 +953,10 @@ ec_asn1_parameters2group(const ECPARAMETERS * params) } /* get the field parameters */ tmp = OBJ_obj2nid(params->fieldID->fieldType); - if (tmp == NID_X9_62_characteristic_two_field) -#ifdef OPENSSL_NO_EC2M - { + if (tmp == NID_X9_62_characteristic_two_field) { ECerror(EC_R_GF2M_NOT_SUPPORTED); goto err; - } -#else - { - X9_62_CHARACTERISTIC_TWO *char_two; - - char_two = params->fieldID->p.char_two; - - field_bits = char_two->m; - if (field_bits > OPENSSL_ECC_MAX_FIELD_BITS) { - ECerror(EC_R_FIELD_TOO_LARGE); - goto err; - } - if ((p = BN_new()) == NULL) { - ECerror(ERR_R_MALLOC_FAILURE); - goto err; - } - /* get the base type */ - tmp = OBJ_obj2nid(char_two->type); - - if (tmp == NID_X9_62_tpBasis) { - long tmp_long; - - if (!char_two->p.tpBasis) { - ECerror(EC_R_ASN1_ERROR); - goto err; - } - tmp_long = ASN1_INTEGER_get(char_two->p.tpBasis); - - if (!(char_two->m > tmp_long && tmp_long > 0)) { - ECerror(EC_R_INVALID_TRINOMIAL_BASIS); - goto err; - } - /* create the polynomial */ - if (!BN_set_bit(p, (int) char_two->m)) - goto err; - if (!BN_set_bit(p, (int) tmp_long)) - goto err; - if (!BN_set_bit(p, 0)) - goto err; - } else if (tmp == NID_X9_62_ppBasis) { - X9_62_PENTANOMIAL *penta; - - penta = char_two->p.ppBasis; - if (!penta) { - ECerror(EC_R_ASN1_ERROR); - goto err; - } - if (!(char_two->m > penta->k3 && penta->k3 > penta->k2 && penta->k2 > penta->k1 && penta->k1 > 0)) { - ECerror(EC_R_INVALID_PENTANOMIAL_BASIS); - goto err; - } - /* create the polynomial */ - if (!BN_set_bit(p, (int) char_two->m)) - goto err; - if (!BN_set_bit(p, (int) penta->k1)) - goto err; - if (!BN_set_bit(p, (int) penta->k2)) - goto err; - if (!BN_set_bit(p, (int) penta->k3)) - goto err; - if (!BN_set_bit(p, 0)) - goto err; - } else if (tmp == NID_X9_62_onBasis) { - ECerror(EC_R_NOT_IMPLEMENTED); - goto err; - } else { /* error */ - ECerror(EC_R_ASN1_ERROR); - goto err; - } - - /* create the EC_GROUP structure */ - ret = EC_GROUP_new_curve_GF2m(p, a, b, NULL); - 
} -#endif - else if (tmp == NID_X9_62_prime_field) { + } else if (tmp == NID_X9_62_prime_field) { /* we have a curve over a prime field */ /* extract the prime number */ if (!params->fieldID->p.prime) { @@ -1234,7 +1046,7 @@ ec_asn1_parameters2group(const ECPARAMETERS * params) err: if (!ok) { - EC_GROUP_clear_free(ret); + EC_GROUP_free(ret); ret = NULL; } BN_free(p); @@ -1245,7 +1057,7 @@ ec_asn1_parameters2group(const ECPARAMETERS * params) } EC_GROUP * -ec_asn1_pkparameters2group(const ECPKPARAMETERS * params) +ec_asn1_pkparameters2group(const ECPKPARAMETERS *params) { EC_GROUP *ret = NULL; int tmp = 0; @@ -1282,7 +1094,7 @@ ec_asn1_pkparameters2group(const ECPKPARAMETERS * params) /* EC_GROUP <-> DER encoding of ECPKPARAMETERS */ EC_GROUP * -d2i_ECPKParameters(EC_GROUP ** a, const unsigned char **in, long len) +d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len) { EC_GROUP *group = NULL; ECPKPARAMETERS *params; @@ -1297,7 +1109,7 @@ d2i_ECPKParameters(EC_GROUP ** a, const unsigned char **in, long len) } if (a != NULL) { - EC_GROUP_clear_free(*a); + EC_GROUP_free(*a); *a = group; } @@ -1306,8 +1118,8 @@ d2i_ECPKParameters(EC_GROUP ** a, const unsigned char **in, long len) return (group); } -int -i2d_ECPKParameters(const EC_GROUP * a, unsigned char **out) +int +i2d_ECPKParameters(const EC_GROUP *a, unsigned char **out) { int ret = 0; ECPKPARAMETERS *tmp = ec_asn1_group2pkparameters(a, NULL); @@ -1327,7 +1139,7 @@ i2d_ECPKParameters(const EC_GROUP * a, unsigned char **out) /* some EC_KEY functions */ EC_KEY * -d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len) +d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) { EC_KEY *ret = NULL; EC_PRIVATEKEY *priv_key = NULL; 
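Review bot: The @@ -1234 hunk's switch from EC_GROUP_clear_free() to EC_GROUP_free() on the error path of ec_asn1_parameters2group() is behaviour-neutral only if EC_GROUP_free() already scrubs the group's field and curve BIGNUMs and its seed before releasing them, and nothing in this diff shows that. The same replacement appears in the @@ -1297 hunk (d2i_ECPKParameters) and, for EC_GROUP_free and EC_POINT_free, in the @@ -1345 and @@ -1369 hunks of d2i_ECPrivateKey, where the freed objects sit next to a private key. A one-line comment at the first site, `/* EC_GROUP_free() zeroes the group; clear_free is no longer distinct */`, would record that assumption, or the clear_free calls should stay until it is confirmed.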
@@ -1345,7 +1157,7 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len) ret = *a; if (priv_key->parameters) { - EC_GROUP_clear_free(ret->group); + EC_GROUP_free(ret->group); ret->group = ec_asn1_pkparameters2group(priv_key->parameters); } if (ret->group == NULL) { @@ -1369,7 +1181,7 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len) } if (ret->pub_key) - EC_POINT_clear_free(ret->pub_key); + EC_POINT_free(ret->pub_key); ret->pub_key = EC_POINT_new(ret->group); if (ret->pub_key == NULL) { ECerror(ERR_R_EC_LIB); @@ -1418,8 +1230,8 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len) return (NULL); } -int -i2d_ECPrivateKey(EC_KEY * a, unsigned char **out) +int +i2d_ECPrivateKey(EC_KEY *a, unsigned char **out) { int ret = 0, ok = 0; unsigned char *buffer = NULL; @@ -1481,10 +1293,11 @@ i2d_ECPrivateKey(EC_KEY * a, unsigned char **out) ECerror(ERR_R_EC_LIB); goto err; } - priv_key->publicKey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); - priv_key->publicKey->flags |= ASN1_STRING_FLAG_BITS_LEFT; - if (!ASN1_STRING_set(priv_key->publicKey, buffer, - buf_len)) { + if (!ASN1_STRING_set(priv_key->publicKey, buffer, buf_len)) { + ECerror(ERR_R_ASN1_LIB); + goto err; + } + if (!asn1_abs_set_unused_bits(priv_key->publicKey, 0)) { ECerror(ERR_R_ASN1_LIB); goto err; } @@ -1501,8 +1314,8 @@ i2d_ECPrivateKey(EC_KEY * a, unsigned char **out) return (ok ? ret : 0); } -int -i2d_ECParameters(EC_KEY * a, unsigned char **out) +int +i2d_ECParameters(EC_KEY *a, unsigned char **out) { if (a == NULL) { ECerror(ERR_R_PASSED_NULL_PARAMETER); @@ -1512,7 +1325,7 @@ i2d_ECParameters(EC_KEY * a, unsigned char **out) } EC_KEY * -d2i_ECParameters(EC_KEY ** a, const unsigned char **in, long len) +d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len) { EC_KEY *ret; 
@@ -1541,7 +1354,7 @@ d2i_ECParameters(EC_KEY ** a, const unsigned char **in, long len) } EC_KEY * -o2i_ECPublicKey(EC_KEY ** a, const unsigned char **in, long len) +o2i_ECPublicKey(EC_KEY **a, const unsigned char **in, long len) { EC_KEY *ret = NULL; @@ -1566,8 +1379,8 @@ o2i_ECPublicKey(EC_KEY ** a, const unsigned char **in, long len) return ret; } -int -i2o_ECPublicKey(const EC_KEY * a, unsigned char **out) +int +i2o_ECPublicKey(const EC_KEY *a, unsigned char **out) { size_t buf_len = 0; int new_buffer = 0; diff --git a/crypto/ec/ec_check.c b/crypto/ec/ec_check.c index dcca661..4e065c7 100644 --- a/crypto/ec/ec_check.c +++ b/crypto/ec/ec_check.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_check.c,v 1.9 2018/07/15 16:27:39 tb Exp $ */ +/* $OpenBSD: ec_check.c,v 1.13 2023/04/11 18:58:20 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * @@ -53,25 +53,24 @@ * */ -#include "ec_lcl.h" +#include "ec_local.h" #include -int -EC_GROUP_check(const EC_GROUP * group, BN_CTX * ctx) +int +EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx_in) { - int ret = 0; + BN_CTX *ctx; BIGNUM *order; - BN_CTX *new_ctx = NULL; EC_POINT *point = NULL; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) { - ECerror(ERR_R_MALLOC_FAILURE); - goto err; - } - } BN_CTX_start(ctx); + if ((order = BN_CTX_get(ctx)) == NULL) goto err; @@ -104,12 +103,16 @@ EC_GROUP_check(const EC_GROUP * group, BN_CTX * ctx) ECerror(EC_R_INVALID_GROUP_ORDER); goto err; } + ret = 1; err: - if (ctx != NULL) - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); + BN_CTX_end(ctx); + + if (ctx != ctx_in) + BN_CTX_free(ctx); + EC_POINT_free(point); + return ret; } diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c index b575f7b..a8a1e4d 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c 
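Review bot: When BN_CTX_new() fails in the new guard `if ((ctx = ctx_in) == NULL) ctx = BN_CTX_new(); if (ctx == NULL) goto err;` of the `@@ -53,25 +53,24 @@` hunk in ec_check.c, control reaches the `err:` label in the next hunk (`@@ -104,12 +103,16 @@`) with `ctx` NULL, where `BN_CTX_end(ctx)` is now called unconditionally; the old code kept that call behind `if (ctx != NULL)`. Unless BN_CTX_end() is known to accept NULL, the guard should stay: `if (ctx != NULL) BN_CTX_end(ctx);`. The same path also drops the `ECerror(ERR_R_MALLOC_FAILURE)` the old code pushed, so a caller now gets 0 with an empty error queue unless BN_CTX_new() reports the failure itself; restoring `ECerror(ERR_R_MALLOC_FAILURE);` before the `goto err` would keep the diagnostics. The `ctx != ctx_in` test before BN_CTX_free() is correct on that path, since both are NULL. The middle of EC_GROUP_check, between the two hunks, is not shown.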
@@ -1,4 +1,4 @@ -/* $OpenBSD: ec_curve.c,v 1.21 2021/04/20 17:16:37 tb Exp $ */ +/* $OpenBSD: ec_curve.c,v 1.41 2023/05/02 13:01:57 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ 
@@ -73,2831 +73,1906 @@ #include -#include "ec_lcl.h" #include -#include +#include -typedef struct { - int field_type, /* either NID_X9_62_prime_field or - * NID_X9_62_characteristic_two_field */ - seed_len, param_len; - unsigned int cofactor; /* promoted to BN_ULONG */ -} EC_CURVE_DATA; +#include "ec_local.h" /* the nist prime curves */ static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 24 * 6]; -} - _EC_NIST_PRIME_192 = { - { - NID_X9_62_prime_field, 20, 24, 1 + uint8_t seed[20]; + uint8_t p[24]; + uint8_t a[24]; + uint8_t b[24]; + uint8_t x[24]; + uint8_t y[24]; + uint8_t order[24]; +} _EC_NIST_PRIME_192 = { + .seed = { + 0x30, 0x45, 0xae, 0x6f, 0xc8, 0x42, 0x2f, 0x64, 0xed, 0x57, + 0x95, 0x28, 0xd3, 0x81, 0x20, 0xea, 0xe1, 0x21, 0x96, 0xd5, }, - { - 0x30, 0x45, 0xAE, 0x6F, 0xC8, 0x42, 0x2F, 0x64, 0xED, 0x57, /* seed */ - 0x95, 0x28, 0xD3, 0x81, 0x20, 0xEA, 0xE1, 0x21, 0x96, 0xD5, - - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFC, - 0x64, 0x21, 0x05, 0x19, 0xE5, 0x9C, 0x80, 0xE7, 0x0F, 0xA7, /* b */ - 0xE9, 0xAB, 0x72, 0x24, 0x30, 0x49, 0xFE, 0xB8, 0xDE, 0xEC, - 0xC1, 0x46, 0xB9, 0xB1, - 0x18, 0x8D, 0xA8, 0x0E, 0xB0, 0x30, 0x90, 0xF6, 0x7C, 0xBF, /* x */ - 0x20, 0xEB, 0x43, 0xA1, 0x88, 0x00, 0xF4, 0xFF, 0x0A, 0xFD, - 0x82, 0xFF, 0x10, 0x12, - 0x07, 0x19, 0x2b, 0x95, 0xff, 0xc8, 0xda, 0x78, 0x63, 0x10, /* y */ + .p = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, + }, + .a = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xfc, + }, + .b = { + 0x64, 0x21, 0x05, 0x19, 0xe5, 0x9c, 0x80, 
0xe7, 0x0f, 0xa7, + 0xe9, 0xab, 0x72, 0x24, 0x30, 0x49, 0xfe, 0xb8, 0xde, 0xec, + 0xc1, 0x46, 0xb9, 0xb1, + }, + .x = { + 0x18, 0x8d, 0xa8, 0x0e, 0xb0, 0x30, 0x90, 0xf6, 0x7c, 0xbf, + 0x20, 0xeb, 0x43, 0xa1, 0x88, 0x00, 0xf4, 0xff, 0x0a, 0xfd, + 0x82, 0xff, 0x10, 0x12, + }, + .y = { + 0x07, 0x19, 0x2b, 0x95, 0xff, 0xc8, 0xda, 0x78, 0x63, 0x10, 0x11, 0xed, 0x6b, 0x24, 0xcd, 0xd5, 0x73, 0xf9, 0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0x99, 0xDE, 0xF8, 0x36, 0x14, 0x6B, 0xC9, 0xB1, - 0xB4, 0xD2, 0x28, 0x31 - } + }, + .order = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0x99, 0xde, 0xf8, 0x36, 0x14, 0x6b, 0xc9, 0xb1, + 0xb4, 0xd2, 0x28, 0x31, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 28 * 6]; -} - _EC_NIST_PRIME_224 = { - { - NID_X9_62_prime_field, 20, 28, 1 + uint8_t seed[20]; + uint8_t p[28]; + uint8_t a[28]; + uint8_t b[28]; + uint8_t x[28]; + uint8_t y[28]; + uint8_t order[28]; +} _EC_NIST_PRIME_224 = { + .seed = { + 0xbd, 0x71, 0x34, 0x47, 0x99, 0xd5, 0xc7, 0xfc, 0xdc, 0x45, + 0xb5, 0x9f, 0xa3, 0xb9, 0xab, 0x8f, 0x6a, 0x94, 0x8b, 0xc5, }, - { - 0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, /* seed */ - 0xB5, 0x9F, 0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5, - - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, + .p = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, - 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, /* b */ - 0x32, 0x56, 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, - 0x27, 0x0B, 0x39, 0x43, 
0x23, 0x55, 0xFF, 0xB4, - 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, /* x */ - 0x90, 0xB9, 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, - 0x34, 0x32, 0x80, 0xD6, 0x11, 0x5C, 0x1D, 0x21, - 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, /* y */ + }, + .a = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, + }, + .b = { + 0xb4, 0x05, 0x0a, 0x85, 0x0c, 0x04, 0xb3, 0xab, 0xf5, 0x41, + 0x32, 0x56, 0x50, 0x44, 0xb0, 0xb7, 0xd7, 0xbf, 0xd8, 0xba, + 0x27, 0x0b, 0x39, 0x43, 0x23, 0x55, 0xff, 0xb4, + }, + .x = { + 0xb7, 0x0e, 0x0c, 0xbd, 0x6b, 0xb4, 0xbf, 0x7f, 0x32, 0x13, + 0x90, 0xb9, 0x4a, 0x03, 0xc1, 0xd3, 0x56, 0xc2, 0x11, 0x22, + 0x34, 0x32, 0x80, 0xd6, 0x11, 0x5c, 0x1d, 0x21, + }, + .y = { + 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6, 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, 0x85, 0x00, 0x7e, 0x34, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, - 0x13, 0xDD, 0x29, 0x45, 0x5C, 0x5C, 0x2A, 0x3D - } + }, + .order = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0x16, 0xa2, 0xe0, 0xb8, 0xf0, 0x3e, + 0x13, 0xdd, 0x29, 0x45, 0x5c, 0x5c, 0x2a, 0x3d, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 48 * 6]; -} - _EC_NIST_PRIME_384 = { - { - NID_X9_62_prime_field, 20, 48, 1 + uint8_t seed[20]; + uint8_t p[48]; + uint8_t a[48]; + uint8_t b[48]; + uint8_t x[48]; + uint8_t y[48]; + uint8_t order[48]; +} _EC_NIST_PRIME_384 = { + .seed = { + 0xa3, 0x35, 0x92, 0x6a, 0xa3, 0x19, 0xa2, 0x7a, 0x1d, 0x00, + 0x89, 0x6a, 0x67, 0x73, 0xa4, 0x82, 0x7a, 0xcd, 0xac, 0x73, }, - { - 0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, /* seed */ - 0x89, 0x6A, 0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73, - - 0xFF, 
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC, - 0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, /* b */ - 0x05, 0x6B, 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, - 0xFE, 0x81, 0x41, 0x12, 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, - 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D, 0x8A, 0x2E, 0xD1, 0x9D, - 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF, - 0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, /* x */ - 0xC7, 0x1E, 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, - 0x8B, 0xA7, 0x9B, 0x98, 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, - 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D, 0xBF, 0x55, 0x29, 0x6C, - 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7, - 0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, /* y */ + .p = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, + }, + .a = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xfc, + }, + .b = { + 0xb3, 0x31, 0x2f, 0xa7, 0xe2, 0x3e, 0xe7, 0xe4, 0x98, 0x8e, + 0x05, 0x6b, 
0xe3, 0xf8, 0x2d, 0x19, 0x18, 0x1d, 0x9c, 0x6e, + 0xfe, 0x81, 0x41, 0x12, 0x03, 0x14, 0x08, 0x8f, 0x50, 0x13, + 0x87, 0x5a, 0xc6, 0x56, 0x39, 0x8d, 0x8a, 0x2e, 0xd1, 0x9d, + 0x2a, 0x85, 0xc8, 0xed, 0xd3, 0xec, 0x2a, 0xef, + }, + .x = { + 0xaa, 0x87, 0xca, 0x22, 0xbe, 0x8b, 0x05, 0x37, 0x8e, 0xb1, + 0xc7, 0x1e, 0xf3, 0x20, 0xad, 0x74, 0x6e, 0x1d, 0x3b, 0x62, + 0x8b, 0xa7, 0x9b, 0x98, 0x59, 0xf7, 0x41, 0xe0, 0x82, 0x54, + 0x2a, 0x38, 0x55, 0x02, 0xf2, 0x5d, 0xbf, 0x55, 0x29, 0x6c, + 0x3a, 0x54, 0x5e, 0x38, 0x72, 0x76, 0x0a, 0xb7, + }, + .y = { + 0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf, 0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c, 0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce, 0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, - 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2, 0x48, 0xB0, 0xA7, 0x7A, - 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73 - } + }, + .order = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xc7, 0x63, 0x4d, 0x81, 0xf4, 0x37, + 0x2d, 0xdf, 0x58, 0x1a, 0x0d, 0xb2, 0x48, 0xb0, 0xa7, 0x7a, + 0xec, 0xec, 0x19, 0x6a, 0xcc, 0xc5, 0x29, 0x73, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 66 * 6]; -} - _EC_NIST_PRIME_521 = { - { - NID_X9_62_prime_field, 20, 66, 1 + uint8_t seed[20]; + uint8_t p[66]; + uint8_t a[66]; + uint8_t b[66]; + uint8_t x[66]; + uint8_t y[66]; + uint8_t order[66]; +} _EC_NIST_PRIME_521 = { + .seed = { + 0xd0, 0x9e, 0x88, 0x00, 0x29, 0x1c, 0xb8, 0x53, 0x96, 0xcc, + 0x67, 0x17, 0x39, 0x32, 0x84, 0xaa, 0xa0, 0xda, 0x64, 0xba, }, - { - 0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, /* seed */ - 0x67, 0x17, 
0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA, - - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, - 0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, /* b */ - 0x92, 0x9A, 0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, - 0x72, 0x5B, 0x99, 0xB3, 0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, - 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19, 0x39, 0x51, 0xEC, 0x7E, - 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1, 0xBF, 0x07, - 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45, - 0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00, - 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, /* x */ - 0x9E, 0x3E, 0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, - 0x81, 0x39, 0x05, 0x3F, 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, - 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B, 0x5E, 0x77, 0xEF, 0xE7, - 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF, 0xA8, 0xDE, - 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E, - 0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66, - 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, /* y */ + .p = { + 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + }, + .a = { + 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc, + }, + .b = { + 0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a, 0x1f, + 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, + 0x72, 0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, + 0x8e, 0xf1, 0x09, 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, + 0x93, 0x7b, 0x16, 0x52, 0xc0, 0xbd, 0x3b, 0xb1, 0xbf, 0x07, + 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34, 0xf1, 0xef, 0x45, + 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x00, + }, + .x = { + 0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, 0xe9, 0xcd, + 0x9e, 0x3e, 0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, + 0x81, 0x39, 0x05, 0x3f, 0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, + 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b, 0x5e, 0x77, 0xef, 0xe7, + 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff, 0xa8, 0xde, + 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e, + 0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66, + }, + .y = { + 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50, - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86, 0x87, 0x83, 0xBF, 0x2F, - 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09, 0xA5, 0xD0, - 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F, - 0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09 - } + }, + .order = { + 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xfa, 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, + 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48, 0xf7, 0x09, 0xa5, 0xd0, + 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae, 0xbb, 0x6f, + 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, + }, }; /* the x9.62 prime curves (minus the nist prime curves) */ static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 24 * 6]; -} - _EC_X9_62_PRIME_192V2 = { - { - NID_X9_62_prime_field, 20, 24, 1 + uint8_t seed[20]; + uint8_t p[24]; + uint8_t a[24]; + uint8_t b[24]; + uint8_t x[24]; + uint8_t y[24]; + uint8_t order[24]; +} _EC_X9_62_PRIME_192V2 = { + .seed = { + 0x31, 0xa9, 0x2e, 0xe2, 0x02, 0x9f, 0xd1, 0x0d, 0x90, 0x1b, + 0x11, 0x3e, 0x99, 0x07, 0x10, 0xf0, 0xd2, 0x1a, 0xc6, 0xb6, }, - { - 0x31, 0xA9, 0x2E, 0xE2, 0x02, 0x9F, 0xD1, 0x0D, 0x90, 0x1B, /* seed */ - 0x11, 0x3E, 0x99, 0x07, 0x10, 0xF0, 0xD2, 0x1A, 0xC6, 0xB6, - - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFC, - 0xCC, 0x22, 0xD6, 0xDF, 0xB9, 0x5C, 0x6B, 0x25, 0xE4, 0x9C, /* b */ - 0x0D, 0x63, 0x64, 0xA4, 0xE5, 0x98, 0x0C, 0x39, 0x3A, 0xA2, - 0x16, 0x68, 0xD9, 0x53, - 0xEE, 0xA2, 0xBA, 0xE7, 0xE1, 0x49, 0x78, 0x42, 0xF2, 0xDE, /* x */ - 0x77, 0x69, 0xCF, 0xE9, 0xC9, 0x89, 0xC0, 0x72, 
0xAD, 0x69, - 0x6F, 0x48, 0x03, 0x4A, - 0x65, 0x74, 0xd1, 0x1d, 0x69, 0xb6, 0xec, 0x7a, 0x67, 0x2b, /* y */ + .p = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, + }, + .a = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xfc, + }, + .b = { + 0xcc, 0x22, 0xd6, 0xdf, 0xb9, 0x5c, 0x6b, 0x25, 0xe4, 0x9c, + 0x0d, 0x63, 0x64, 0xa4, 0xe5, 0x98, 0x0c, 0x39, 0x3a, 0xa2, + 0x16, 0x68, 0xd9, 0x53, + }, + .x = { + 0xee, 0xa2, 0xba, 0xe7, 0xe1, 0x49, 0x78, 0x42, 0xf2, 0xde, + 0x77, 0x69, 0xcf, 0xe9, 0xc9, 0x89, 0xc0, 0x72, 0xad, 0x69, + 0x6f, 0x48, 0x03, 0x4a, + }, + .y = { + 0x65, 0x74, 0xd1, 0x1d, 0x69, 0xb6, 0xec, 0x7a, 0x67, 0x2b, 0xb8, 0x2a, 0x08, 0x3d, 0xf2, 0xf2, 0xb0, 0x84, 0x7d, 0xe9, 0x70, 0xb2, 0xde, 0x15, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFE, 0x5F, 0xB1, 0xA7, 0x24, 0xDC, 0x80, 0x41, 0x86, - 0x48, 0xD8, 0xDD, 0x31 - } + }, + .order = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xfe, 0x5f, 0xb1, 0xa7, 0x24, 0xdc, 0x80, 0x41, 0x86, + 0x48, 0xd8, 0xdd, 0x31, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 24 * 6]; -} - _EC_X9_62_PRIME_192V3 = { - { - NID_X9_62_prime_field, 20, 24, 1 + uint8_t seed[20]; + uint8_t p[24]; + uint8_t a[24]; + uint8_t b[24]; + uint8_t x[24]; + uint8_t y[24]; + uint8_t order[24]; +} _EC_X9_62_PRIME_192V3 = { + .seed = { + 0xc4, 0x69, 0x68, 0x44, 0x35, 0xde, 0xb3, 0x78, 0xc4, 0xb6, + 0x5c, 0xa9, 0x59, 0x1e, 0x2a, 0x57, 0x63, 0x05, 0x9a, 0x2e, }, - { - 0xC4, 0x69, 0x68, 0x44, 0x35, 0xDE, 0xB3, 0x78, 0xC4, 0xB6, /* seed */ - 0x5C, 0xA9, 0x59, 0x1E, 0x2A, 0x57, 0x63, 0x05, 0x9A, 0x2E, - - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 
- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFC, - 0x22, 0x12, 0x3D, 0xC2, 0x39, 0x5A, 0x05, 0xCA, 0xA7, 0x42, /* b */ - 0x3D, 0xAE, 0xCC, 0xC9, 0x47, 0x60, 0xA7, 0xD4, 0x62, 0x25, - 0x6B, 0xD5, 0x69, 0x16, - 0x7D, 0x29, 0x77, 0x81, 0x00, 0xC6, 0x5A, 0x1D, 0xA1, 0x78, /* x */ - 0x37, 0x16, 0x58, 0x8D, 0xCE, 0x2B, 0x8B, 0x4A, 0xEE, 0x8E, - 0x22, 0x8F, 0x18, 0x96, - 0x38, 0xa9, 0x0f, 0x22, 0x63, 0x73, 0x37, 0x33, 0x4b, 0x49, /* y */ + .p = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, + }, + .a = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xfc, + }, + .b = { + 0x22, 0x12, 0x3d, 0xc2, 0x39, 0x5a, 0x05, 0xca, 0xa7, 0x42, + 0x3d, 0xae, 0xcc, 0xc9, 0x47, 0x60, 0xa7, 0xd4, 0x62, 0x25, + 0x6b, 0xd5, 0x69, 0x16, + }, + .x = { + 0x7d, 0x29, 0x77, 0x81, 0x00, 0xc6, 0x5a, 0x1d, 0xa1, 0x78, + 0x37, 0x16, 0x58, 0x8d, 0xce, 0x2b, 0x8b, 0x4a, 0xee, 0x8e, + 0x22, 0x8f, 0x18, 0x96, + }, + .y = { + 0x38, 0xa9, 0x0f, 0x22, 0x63, 0x73, 0x37, 0x33, 0x4b, 0x49, 0xdc, 0xb6, 0x6a, 0x6d, 0xc8, 0xf9, 0x97, 0x8a, 0xca, 0x76, 0x48, 0xa9, 0x43, 0xb0, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0x7A, 0x62, 0xD0, 0x31, 0xC8, 0x3F, 0x42, 0x94, - 0xF6, 0x40, 0xEC, 0x13 - } + }, + .order = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0x7a, 0x62, 0xd0, 0x31, 0xc8, 0x3f, 0x42, 0x94, + 0xf6, 0x40, 0xec, 0x13, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 30 * 6]; -} - _EC_X9_62_PRIME_239V1 = { - { - NID_X9_62_prime_field, 20, 30, 1 + uint8_t seed[20]; + uint8_t p[30]; + uint8_t a[30]; + uint8_t b[30]; + uint8_t x[30]; + uint8_t y[30]; + uint8_t order[30]; +} _EC_X9_62_PRIME_239V1 = { + 
.seed = { + 0xe4, 0x3b, 0xb4, 0x60, 0xf0, 0xb8, 0x0c, 0xc0, 0xc0, 0xb0, + 0x75, 0x79, 0x8e, 0x94, 0x80, 0x60, 0xf8, 0x32, 0x1b, 0x7d, }, - { - 0xE4, 0x3B, 0xB4, 0x60, 0xF0, 0xB8, 0x0C, 0xC0, 0xC0, 0xB0, /* seed */ - 0x75, 0x79, 0x8E, 0x94, 0x80, 0x60, 0xF8, 0x32, 0x1B, 0x7D, - - 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - - 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */ - 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, - - 0x6B, 0x01, 0x6C, 0x3B, 0xDC, 0xF1, 0x89, 0x41, 0xD0, 0xD6, /* b */ - 0x54, 0x92, 0x14, 0x75, 0xCA, 0x71, 0xA9, 0xDB, 0x2F, 0xB2, - 0x7D, 0x1D, 0x37, 0x79, 0x61, 0x85, 0xC2, 0x94, 0x2C, 0x0A, - - 0x0F, 0xFA, 0x96, 0x3C, 0xDC, 0xA8, 0x81, 0x6C, 0xCC, 0x33, /* x */ - 0xB8, 0x64, 0x2B, 0xED, 0xF9, 0x05, 0xC3, 0xD3, 0x58, 0x57, - 0x3D, 0x3F, 0x27, 0xFB, 0xBD, 0x3B, 0x3C, 0xB9, 0xAA, 0xAF, - - 0x7d, 0xeb, 0xe8, 0xe4, 0xe9, 0x0a, 0x5d, 0xae, 0x6e, 0x40, /* y */ + .p = { + 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, + }, + .a = { + 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xfc, + }, + .b = { + 0x6b, 0x01, 0x6c, 0x3b, 0xdc, 0xf1, 0x89, 0x41, 0xd0, 0xd6, + 0x54, 0x92, 0x14, 0x75, 0xca, 0x71, 0xa9, 0xdb, 0x2f, 0xb2, + 0x7d, 0x1d, 0x37, 0x79, 0x61, 0x85, 0xc2, 0x94, 0x2c, 0x0a, + }, + .x = { + 0x0f, 0xfa, 0x96, 0x3c, 0xdc, 0xa8, 0x81, 0x6c, 0xcc, 0x33, + 0xb8, 0x64, 0x2b, 0xed, 0xf9, 0x05, 0xc3, 0xd3, 0x58, 0x57, + 0x3d, 0x3f, 0x27, 0xfb, 0xbd, 0x3b, 0x3c, 0xb9, 0xaa, 0xaf, + }, + .y = { + 0x7d, 0xeb, 0xe8, 0xe4, 0xe9, 0x0a, 0x5d, 0xae, 0x6e, 
0x40, 0x54, 0xca, 0x53, 0x0b, 0xa0, 0x46, 0x54, 0xb3, 0x68, 0x18, 0xce, 0x22, 0x6b, 0x39, 0xfc, 0xcb, 0x7b, 0x02, 0xf1, 0xae, - - 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0x9E, 0x5E, 0x9A, 0x9F, 0x5D, - 0x90, 0x71, 0xFB, 0xD1, 0x52, 0x26, 0x88, 0x90, 0x9D, 0x0B - } + }, + .order = { + 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0x7f, 0xff, 0xff, 0x9e, 0x5e, 0x9a, 0x9f, 0x5d, + 0x90, 0x71, 0xfb, 0xd1, 0x52, 0x26, 0x88, 0x90, 0x9d, 0x0b, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 30 * 6]; -} - _EC_X9_62_PRIME_239V2 = { - { - NID_X9_62_prime_field, 20, 30, 1 + uint8_t seed[20]; + uint8_t p[30]; + uint8_t a[30]; + uint8_t b[30]; + uint8_t x[30]; + uint8_t y[30]; + uint8_t order[30]; +} _EC_X9_62_PRIME_239V2 = { + .seed = { + 0xe8, 0xb4, 0x01, 0x16, 0x04, 0x09, 0x53, 0x03, 0xca, 0x3b, + 0x80, 0x99, 0x98, 0x2b, 0xe0, 0x9f, 0xcb, 0x9a, 0xe6, 0x16, }, - { - 0xE8, 0xB4, 0x01, 0x16, 0x04, 0x09, 0x53, 0x03, 0xCA, 0x3B, /* seed */ - 0x80, 0x99, 0x98, 0x2B, 0xE0, 0x9F, 0xCB, 0x9A, 0xE6, 0x16, - - 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - - 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */ - 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, - - 0x61, 0x7F, 0xAB, 0x68, 0x32, 0x57, 0x6C, 0xBB, 0xFE, 0xD5, /* b */ - 0x0D, 0x99, 0xF0, 0x24, 0x9C, 0x3F, 0xEE, 0x58, 0xB9, 0x4B, - 0xA0, 0x03, 0x8C, 0x7A, 0xE8, 0x4C, 0x8C, 0x83, 0x2F, 0x2C, - - 0x38, 0xAF, 0x09, 0xD9, 0x87, 0x27, 0x70, 0x51, 0x20, 0xC9, /* x */ - 0x21, 0xBB, 0x5E, 0x9E, 0x26, 0x29, 0x6A, 0x3C, 0xDC, 0xF2, - 0xF3, 0x57, 0x57, 0xA0, 0xEA, 0xFD, 0x87, 0xB8, 0x30, 0xE7, - - 0x5b, 0x01, 0x25, 0xe4, 0xdb, 0xea, 0x0e, 0xc7, 0x20, 0x6d, /* y */ + .p = { + 0x7f, 0xff, 
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, + }, + .a = { + 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xfc, + }, + .b = { + 0x61, 0x7f, 0xab, 0x68, 0x32, 0x57, 0x6c, 0xbb, 0xfe, 0xd5, + 0x0d, 0x99, 0xf0, 0x24, 0x9c, 0x3f, 0xee, 0x58, 0xb9, 0x4b, + 0xa0, 0x03, 0x8c, 0x7a, 0xe8, 0x4c, 0x8c, 0x83, 0x2f, 0x2c, + }, + .x = { + 0x38, 0xaf, 0x09, 0xd9, 0x87, 0x27, 0x70, 0x51, 0x20, 0xc9, + 0x21, 0xbb, 0x5e, 0x9e, 0x26, 0x29, 0x6a, 0x3c, 0xdc, 0xf2, + 0xf3, 0x57, 0x57, 0xa0, 0xea, 0xfd, 0x87, 0xb8, 0x30, 0xe7, + }, + .y = { + 0x5b, 0x01, 0x25, 0xe4, 0xdb, 0xea, 0x0e, 0xc7, 0x20, 0x6d, 0xa0, 0xfc, 0x01, 0xd9, 0xb0, 0x81, 0x32, 0x9f, 0xb5, 0x55, 0xde, 0x6e, 0xf4, 0x60, 0x23, 0x7d, 0xff, 0x8b, 0xe4, 0xba, - - 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0x80, 0x00, 0x00, 0xCF, 0xA7, 0xE8, 0x59, 0x43, - 0x77, 0xD4, 0x14, 0xC0, 0x38, 0x21, 0xBC, 0x58, 0x20, 0x63 - } + }, + .order = { + 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0x80, 0x00, 0x00, 0xcf, 0xa7, 0xe8, 0x59, 0x43, + 0x77, 0xd4, 0x14, 0xc0, 0x38, 0x21, 0xbc, 0x58, 0x20, 0x63, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 30 * 6]; -} - _EC_X9_62_PRIME_239V3 = { - { - NID_X9_62_prime_field, 20, 30, 1 + uint8_t seed[20]; + uint8_t p[30]; + uint8_t a[30]; + uint8_t b[30]; + uint8_t x[30]; + uint8_t y[30]; + uint8_t order[30]; +} _EC_X9_62_PRIME_239V3 = { + .seed = { + 0x7d, 0x73, 0x74, 0x16, 0x8f, 0xfe, 0x34, 0x71, 0xb6, 0x0a, + 0x85, 0x76, 0x86, 0xa1, 0x94, 0x75, 0xd3, 0xbf, 0xa2, 0xff, }, - { - 0x7D, 0x73, 0x74, 0x16, 0x8F, 0xFE, 0x34, 0x71, 0xB6, 0x0A, /* seed */ - 0x85, 0x76, 0x86, 0xA1, 0x94, 0x75, 0xD3, 0xBF, 0xA2, 0xFF, - - 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - - 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */ - 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, - - 0x25, 0x57, 0x05, 0xFA, 0x2A, 0x30, 0x66, 0x54, 0xB1, 0xF4, /* b */ - 0xCB, 0x03, 0xD6, 0xA7, 0x50, 0xA3, 0x0C, 0x25, 0x01, 0x02, - 0xD4, 0x98, 0x87, 0x17, 0xD9, 0xBA, 0x15, 0xAB, 0x6D, 0x3E, - - 0x67, 0x68, 0xAE, 0x8E, 0x18, 0xBB, 0x92, 0xCF, 0xCF, 0x00, /* x */ - 0x5C, 0x94, 0x9A, 0xA2, 0xC6, 0xD9, 0x48, 0x53, 0xD0, 0xE6, - 0x60, 0xBB, 0xF8, 0x54, 0xB1, 0xC9, 0x50, 0x5F, 0xE9, 0x5A, - - 0x16, 0x07, 0xe6, 0x89, 0x8f, 0x39, 0x0c, 0x06, 0xbc, 0x1d, /* y */ + .p = { + 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, + }, + .a = { + 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0x80, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff, 0xff, 0xfc, + }, + .b = { + 0x25, 0x57, 0x05, 0xfa, 0x2a, 0x30, 0x66, 0x54, 0xb1, 0xf4, + 0xcb, 0x03, 0xd6, 0xa7, 0x50, 0xa3, 0x0c, 0x25, 0x01, 0x02, + 0xd4, 0x98, 0x87, 0x17, 0xd9, 0xba, 0x15, 0xab, 0x6d, 0x3e, + }, + .x = { + 0x67, 0x68, 0xae, 0x8e, 0x18, 0xbb, 0x92, 0xcf, 0xcf, 0x00, + 0x5c, 0x94, 0x9a, 0xa2, 0xc6, 0xd9, 0x48, 0x53, 0xd0, 0xe6, + 0x60, 0xbb, 0xf8, 0x54, 0xb1, 0xc9, 0x50, 0x5f, 0xe9, 0x5a, + }, + .y = { + 0x16, 0x07, 0xe6, 0x89, 0x8f, 0x39, 0x0c, 0x06, 0xbc, 0x1d, 0x55, 0x2b, 0xad, 0x22, 0x6f, 0x3b, 0x6f, 0xcf, 0xe4, 0x8b, 0x6e, 0x81, 0x84, 0x99, 0xaf, 0x18, 0xe3, 0xed, 0x6c, 0xf3, - - 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0x97, 0x5D, 0xEB, 0x41, 0xB3, - 0xA6, 0x05, 0x7C, 0x3C, 0x43, 0x21, 0x46, 
0x52, 0x65, 0x51 - } + }, + .order = { + 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0x7f, 0xff, 0xff, 0x97, 0x5d, 0xeb, 0x41, 0xb3, + 0xa6, 0x05, 0x7c, 0x3c, 0x43, 0x21, 0x46, 0x52, 0x65, 0x51, + }, }; - static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 32 * 6]; -} - _EC_X9_62_PRIME_256V1 = { - { - NID_X9_62_prime_field, 20, 32, 1 + uint8_t seed[20]; + uint8_t p[32]; + uint8_t a[32]; + uint8_t b[32]; + uint8_t x[32]; + uint8_t y[32]; + uint8_t order[32]; +} _EC_X9_62_PRIME_256V1 = { + .seed = { + 0xc4, 0x9d, 0x36, 0x08, 0x86, 0xe7, 0x04, 0x93, 0x6a, 0x66, + 0x78, 0xe1, 0x13, 0x9d, 0x26, 0xb7, 0x81, 0x9f, 0x7e, 0x90, }, - { - 0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, /* seed */ - 0x78, 0xE1, 0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90, - - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, /* p */ + .p = { + 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, /* a */ + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, + }, + .a = { + 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFC, - 0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, /* b */ - 0xBD, 0x55, 0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, - 0xCC, 0x53, 0xB0, 0xF6, 0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, - 0x60, 0x4B, - 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, /* x */ - 0xE6, 0xE5, 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, - 0x2D, 0xEB, 0x33, 0xA0, 0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, - 0xC2, 0x96, - 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, /* y */ + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 
+ 0xff, 0xfc, + }, + .b = { + 0x5a, 0xc6, 0x35, 0xd8, 0xaa, 0x3a, 0x93, 0xe7, 0xb3, 0xeb, + 0xbd, 0x55, 0x76, 0x98, 0x86, 0xbc, 0x65, 0x1d, 0x06, 0xb0, + 0xcc, 0x53, 0xb0, 0xf6, 0x3b, 0xce, 0x3c, 0x3e, 0x27, 0xd2, + 0x60, 0x4b, + }, + .x = { + 0x6b, 0x17, 0xd1, 0xf2, 0xe1, 0x2c, 0x42, 0x47, 0xf8, 0xbc, + 0xe6, 0xe5, 0x63, 0xa4, 0x40, 0xf2, 0x77, 0x03, 0x7d, 0x81, + 0x2d, 0xeb, 0x33, 0xa0, 0xf4, 0xa1, 0x39, 0x45, 0xd8, 0x98, + 0xc2, 0x96, + }, + .y = { + 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5, - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, - 0xA7, 0x17, 0x9E, 0x84, 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, - 0x25, 0x51 - } + }, + .order = { + 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xbc, 0xe6, 0xfa, 0xad, + 0xa7, 0x17, 0x9e, 0x84, 0xf3, 0xb9, 0xca, 0xc2, 0xfc, 0x63, + 0x25, 0x51, + }, }; /* the secg prime curves (minus the nist and x9.62 prime curves) */ static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 14 * 6]; -} - _EC_SECG_PRIME_112R1 = { - { - NID_X9_62_prime_field, 20, 14, 1 + uint8_t seed[20]; + uint8_t p[14]; + uint8_t a[14]; + uint8_t b[14]; + uint8_t x[14]; + uint8_t y[14]; + uint8_t order[14]; +} _EC_SECG_PRIME_112R1 = { + .seed = { + 0x00, 0xf5, 0x0b, 0x02, 0x8e, 0x4d, 0x69, 0x6e, 0x67, 0x68, + 0x75, 0x61, 0x51, 0x75, 0x29, 0x04, 0x72, 0x78, 0x3f, 0xb1, }, - { - 0x00, 0xF5, 0x0B, 0x02, 0x8E, 0x4D, 0x69, 0x6E, 0x67, 0x68, /* seed */ - 0x75, 0x61, 0x51, 0x75, 0x29, 0x04, 0x72, 0x78, 0x3F, 0xB1, - - 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, /* p */ - 0xBE, 0xAD, 0x20, 0x8B, - 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, /* a */ - 0xBE, 0xAD, 0x20, 0x88, - 0x65, 0x9E, 0xF8, 0xBA, 0x04, 0x39, 0x16, 0xEE, 0xDE, 0x89, /* b */ 
- 0x11, 0x70, 0x2B, 0x22, - 0x09, 0x48, 0x72, 0x39, 0x99, 0x5A, 0x5E, 0xE7, 0x6B, 0x55, /* x */ - 0xF9, 0xC2, 0xF0, 0x98, - 0xa8, 0x9c, 0xe5, 0xaf, 0x87, 0x24, 0xc0, 0xa2, 0x3e, 0x0e, /* y */ + .p = { + 0xdb, 0x7c, 0x2a, 0xbf, 0x62, 0xe3, 0x5e, 0x66, 0x80, 0x76, + 0xbe, 0xad, 0x20, 0x8b, + }, + .a = { + 0xdb, 0x7c, 0x2a, 0xbf, 0x62, 0xe3, 0x5e, 0x66, 0x80, 0x76, + 0xbe, 0xad, 0x20, 0x88, + }, + .b = { + 0x65, 0x9e, 0xf8, 0xba, 0x04, 0x39, 0x16, 0xee, 0xde, 0x89, + 0x11, 0x70, 0x2b, 0x22, + }, + .x = { + 0x09, 0x48, 0x72, 0x39, 0x99, 0x5a, 0x5e, 0xe7, 0x6b, 0x55, + 0xf9, 0xc2, 0xf0, 0x98, + }, + .y = { + 0xa8, 0x9c, 0xe5, 0xaf, 0x87, 0x24, 0xc0, 0xa2, 0x3e, 0x0e, 0x0f, 0xf7, 0x75, 0x00, - 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x76, 0x28, 0xDF, /* order */ - 0xAC, 0x65, 0x61, 0xC5 - } + }, + .order = { + 0xdb, 0x7c, 0x2a, 0xbf, 0x62, 0xe3, 0x5e, 0x76, 0x28, 0xdf, + 0xac, 0x65, 0x61, 0xc5, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 14 * 6]; -} - _EC_SECG_PRIME_112R2 = { - { - NID_X9_62_prime_field, 20, 14, 4 + uint8_t seed[20]; + uint8_t p[14]; + uint8_t a[14]; + uint8_t b[14]; + uint8_t x[14]; + uint8_t y[14]; + uint8_t order[14]; +} _EC_SECG_PRIME_112R2 = { + .seed = { + 0x00, 0x27, 0x57, 0xa1, 0x11, 0x4d, 0x69, 0x6e, 0x67, 0x68, + 0x75, 0x61, 0x51, 0x75, 0x53, 0x16, 0xc0, 0x5e, 0x0b, 0xd4, }, - { - 0x00, 0x27, 0x57, 0xA1, 0x11, 0x4D, 0x69, 0x6E, 0x67, 0x68, /* seed */ - 0x75, 0x61, 0x51, 0x75, 0x53, 0x16, 0xC0, 0x5E, 0x0B, 0xD4, - - 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, /* p */ - 0xBE, 0xAD, 0x20, 0x8B, - 0x61, 0x27, 0xC2, 0x4C, 0x05, 0xF3, 0x8A, 0x0A, 0xAA, 0xF6, /* a */ - 0x5C, 0x0E, 0xF0, 0x2C, - 0x51, 0xDE, 0xF1, 0x81, 0x5D, 0xB5, 0xED, 0x74, 0xFC, 0xC3, /* b */ - 0x4C, 0x85, 0xD7, 0x09, - 0x4B, 0xA3, 0x0A, 0xB5, 0xE8, 0x92, 0xB4, 0xE1, 0x64, 0x9D, /* x */ - 0xD0, 0x92, 0x86, 0x43, - 0xad, 0xcd, 0x46, 0xf5, 0x88, 0x2e, 0x37, 0x47, 0xde, 0xf3, /* y */ + .p = { + 0xdb, 0x7c, 0x2a, 0xbf, 0x62, 0xe3, 0x5e, 
0x66, 0x80, 0x76, + 0xbe, 0xad, 0x20, 0x8b, + }, + .a = { + 0x61, 0x27, 0xc2, 0x4c, 0x05, 0xf3, 0x8a, 0x0a, 0xaa, 0xf6, + 0x5c, 0x0e, 0xf0, 0x2c, + }, + .b = { + 0x51, 0xde, 0xf1, 0x81, 0x5d, 0xb5, 0xed, 0x74, 0xfc, 0xc3, + 0x4c, 0x85, 0xd7, 0x09, + }, + .x = { + 0x4b, 0xa3, 0x0a, 0xb5, 0xe8, 0x92, 0xb4, 0xe1, 0x64, 0x9d, + 0xd0, 0x92, 0x86, 0x43, + }, + .y = { + 0xad, 0xcd, 0x46, 0xf5, 0x88, 0x2e, 0x37, 0x47, 0xde, 0xf3, 0x6e, 0x95, 0x6e, 0x97, - 0x36, 0xDF, 0x0A, 0xAF, 0xD8, 0xB8, 0xD7, 0x59, 0x7C, 0xA1, /* order */ - 0x05, 0x20, 0xD0, 0x4B - } + }, + .order = { + 0x36, 0xdf, 0x0a, 0xaf, 0xd8, 0xb8, 0xd7, 0x59, 0x7c, 0xa1, + 0x05, 0x20, 0xd0, 0x4b, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 16 * 6]; -} - _EC_SECG_PRIME_128R1 = { - { - NID_X9_62_prime_field, 20, 16, 1 + uint8_t seed[20]; + uint8_t p[16]; + uint8_t a[16]; + uint8_t b[16]; + uint8_t x[16]; + uint8_t y[16]; + uint8_t order[16]; +} _EC_SECG_PRIME_128R1 = { + .seed = { + 0x00, 0x0e, 0x0d, 0x4d, 0x69, 0x6e, 0x67, 0x68, 0x75, 0x61, + 0x51, 0x75, 0x0c, 0xc0, 0x3a, 0x44, 0x73, 0xd0, 0x36, 0x79, }, - { - 0x00, 0x0E, 0x0D, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, /* seed */ - 0x51, 0x75, 0x0C, 0xC0, 0x3A, 0x44, 0x73, 0xD0, 0x36, 0x79, - - 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, - 0xE8, 0x75, 0x79, 0xC1, 0x10, 0x79, 0xF4, 0x3D, 0xD8, 0x24, /* b */ - 0x99, 0x3C, 0x2C, 0xEE, 0x5E, 0xD3, - 0x16, 0x1F, 0xF7, 0x52, 0x8B, 0x89, 0x9B, 0x2D, 0x0C, 0x28, /* x */ - 0x60, 0x7C, 0xA5, 0x2C, 0x5B, 0x86, - 0xcf, 0x5a, 0xc8, 0x39, 0x5b, 0xaf, 0xeb, 0x13, 0xc0, 0x2d, /* y */ + .p = { + 0xff, 0xff, 0xff, 0xfd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + }, + .a = { + 0xff, 0xff, 0xff, 0xfd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc, + }, + .b = { + 0xe8, 0x75, 
0x79, 0xc1, 0x10, 0x79, 0xf4, 0x3d, 0xd8, 0x24, + 0x99, 0x3c, 0x2c, 0xee, 0x5e, 0xd3, + }, + .x = { + 0x16, 0x1f, 0xf7, 0x52, 0x8b, 0x89, 0x9b, 0x2d, 0x0c, 0x28, + 0x60, 0x7c, 0xa5, 0x2c, 0x5b, 0x86, + }, + .y = { + 0xcf, 0x5a, 0xc8, 0x39, 0x5b, 0xaf, 0xeb, 0x13, 0xc0, 0x2d, 0xa2, 0x92, 0xdd, 0xed, 0x7a, 0x83, - 0xFF, 0xFF, 0xFF, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x75, 0xA3, /* order */ - 0x0D, 0x1B, 0x90, 0x38, 0xA1, 0x15 - } + }, + .order = { + 0xff, 0xff, 0xff, 0xfe, 0x00, 0x00, 0x00, 0x00, 0x75, 0xa3, + 0x0d, 0x1b, 0x90, 0x38, 0xa1, 0x15, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 16 * 6]; -} - _EC_SECG_PRIME_128R2 = { - { - NID_X9_62_prime_field, 20, 16, 4 + uint8_t seed[20]; + uint8_t p[16]; + uint8_t a[16]; + uint8_t b[16]; + uint8_t x[16]; + uint8_t y[16]; + uint8_t order[16]; +} _EC_SECG_PRIME_128R2 = { + .seed = { + 0x00, 0x4d, 0x69, 0x6e, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, + 0x12, 0xd8, 0xf0, 0x34, 0x31, 0xfc, 0xe6, 0x3b, 0x88, 0xf4, }, - { - 0x00, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, /* seed */ - 0x12, 0xD8, 0xF0, 0x34, 0x31, 0xFC, 0xE6, 0x3B, 0x88, 0xF4, - - 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xD6, 0x03, 0x19, 0x98, 0xD1, 0xB3, 0xBB, 0xFE, 0xBF, 0x59, /* a */ - 0xCC, 0x9B, 0xBF, 0xF9, 0xAE, 0xE1, - 0x5E, 0xEE, 0xFC, 0xA3, 0x80, 0xD0, 0x29, 0x19, 0xDC, 0x2C, /* b */ - 0x65, 0x58, 0xBB, 0x6D, 0x8A, 0x5D, - 0x7B, 0x6A, 0xA5, 0xD8, 0x5E, 0x57, 0x29, 0x83, 0xE6, 0xFB, /* x */ - 0x32, 0xA7, 0xCD, 0xEB, 0xC1, 0x40, - 0x27, 0xb6, 0x91, 0x6a, 0x89, 0x4d, 0x3a, 0xee, 0x71, 0x06, /* y */ + .p = { + 0xff, 0xff, 0xff, 0xfd, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + }, + .a = { + 0xd6, 0x03, 0x19, 0x98, 0xd1, 0xb3, 0xbb, 0xfe, 0xbf, 0x59, + 0xcc, 0x9b, 0xbf, 0xf9, 0xae, 0xe1, + }, + .b = { + 0x5e, 0xee, 0xfc, 0xa3, 0x80, 0xd0, 0x29, 0x19, 0xdc, 0x2c, + 0x65, 0x58, 0xbb, 0x6d, 0x8a, 0x5d, + }, + .x = { + 0x7b, 0x6a, 
0xa5, 0xd8, 0x5e, 0x57, 0x29, 0x83, 0xe6, 0xfb, + 0x32, 0xa7, 0xcd, 0xeb, 0xc1, 0x40, + }, + .y = { + 0x27, 0xb6, 0x91, 0x6a, 0x89, 0x4d, 0x3a, 0xee, 0x71, 0x06, 0xfe, 0x80, 0x5f, 0xc3, 0x4b, 0x44, - 0x3F, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xBE, 0x00, /* order */ - 0x24, 0x72, 0x06, 0x13, 0xB5, 0xA3 - } + }, + .order = { + 0x3f, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xbe, 0x00, + 0x24, 0x72, 0x06, 0x13, 0xb5, 0xa3, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 21 * 6]; -} - _EC_SECG_PRIME_160K1 = { - { - NID_X9_62_prime_field, 0, 21, 1 - }, - { /* no seed */ - 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, + uint8_t p[21]; + uint8_t a[21]; + uint8_t b[21]; + uint8_t x[21]; + uint8_t y[21]; + uint8_t order[21]; +} _EC_SECG_PRIME_160K1 = { + .p = { + 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xac, 0x73, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ + }, + .a = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ + }, + .b = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, - 0x00, 0x3B, 0x4C, 0x38, 0x2C, 0xE3, 0x7A, 0xA1, 0x92, 0xA4, /* x */ - 0x01, 0x9E, 0x76, 0x30, 0x36, 0xF4, 0xF5, 0xDD, 0x4D, 0x7E, - 0xBB, - 0x00, 0x93, 0x8c, 0xf9, 0x35, 0x31, 0x8f, 0xdc, 0xed, 0x6b, /* y */ + }, + .x = { + 0x00, 0x3b, 0x4c, 0x38, 0x2c, 0xe3, 0x7a, 0xa1, 0x92, 0xa4, + 0x01, 0x9e, 0x76, 0x30, 0x36, 0xf4, 0xf5, 0xdd, 0x4d, 0x7e, + 0xbb, + }, + .y = { + 0x00, 0x93, 0x8c, 0xf9, 0x35, 0x31, 0x8f, 0xdc, 0xed, 0x6b, 0xc2, 0x82, 0x86, 0x53, 0x17, 0x33, 0xc3, 0xf0, 0x3c, 0x4f, 0xee, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 
order */ - 0x01, 0xB8, 0xFA, 0x16, 0xDF, 0xAB, 0x9A, 0xCA, 0x16, 0xB6, - 0xB3 - } + }, + .order = { + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0xb8, 0xfa, 0x16, 0xdf, 0xab, 0x9a, 0xca, 0x16, 0xb6, + 0xb3, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 21 * 6]; -} - _EC_SECG_PRIME_160R1 = { - { - NID_X9_62_prime_field, 20, 21, 1 + uint8_t seed[20]; + uint8_t p[21]; + uint8_t a[21]; + uint8_t b[21]; + uint8_t x[21]; + uint8_t y[21]; + uint8_t order[21]; +} _EC_SECG_PRIME_160R1 = { + .seed = { + 0x10, 0x53, 0xcd, 0xe4, 0x2c, 0x14, 0xd6, 0x96, 0xe6, 0x76, + 0x87, 0x56, 0x15, 0x17, 0x53, 0x3b, 0xf3, 0xf8, 0x33, 0x45, }, - { - 0x10, 0x53, 0xCD, 0xE4, 0x2C, 0x14, 0xD6, 0x96, 0xE6, 0x76, /* seed */ - 0x87, 0x56, 0x15, 0x17, 0x53, 0x3B, 0xF3, 0xF8, 0x33, 0x45, - - 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, - 0xFF, - 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, - 0xFC, - 0x00, 0x1C, 0x97, 0xBE, 0xFC, 0x54, 0xBD, 0x7A, 0x8B, 0x65, /* b */ - 0xAC, 0xF8, 0x9F, 0x81, 0xD4, 0xD4, 0xAD, 0xC5, 0x65, 0xFA, + .p = { + 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, + 0xff, + }, + .a = { + 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, + 0xfc, + }, + .b = { + 0x00, 0x1c, 0x97, 0xbe, 0xfc, 0x54, 0xbd, 0x7a, 0x8b, 0x65, + 0xac, 0xf8, 0x9f, 0x81, 0xd4, 0xd4, 0xad, 0xc5, 0x65, 0xfa, 0x45, - 0x00, 0x4A, 0x96, 0xB5, 0x68, 0x8E, 0xF5, 0x73, 0x28, 0x46, /* x */ - 0x64, 0x69, 0x89, 0x68, 0xC3, 0x8B, 0xB9, 0x13, 0xCB, 0xFC, + }, + .x = { + 0x00, 0x4a, 0x96, 0xb5, 0x68, 0x8e, 0xf5, 0x73, 0x28, 0x46, + 0x64, 0x69, 0x89, 0x68, 0xc3, 0x8b, 0xb9, 0x13, 0xcb, 0xfc, 0x82, - 0x00, 0x23, 0xa6, 0x28, 0x55, 0x31, 0x68, 0x94, 0x7d, 0x59, 
/* y */ + }, + .y = { + 0x00, 0x23, 0xa6, 0x28, 0x55, 0x31, 0x68, 0x94, 0x7d, 0x59, 0xdc, 0xc9, 0x12, 0x04, 0x23, 0x51, 0x37, 0x7a, 0xc5, 0xfb, 0x32, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x01, 0xF4, 0xC8, 0xF9, 0x27, 0xAE, 0xD3, 0xCA, 0x75, 0x22, - 0x57 - } + }, + .order = { + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0xf4, 0xc8, 0xf9, 0x27, 0xae, 0xd3, 0xca, 0x75, 0x22, + 0x57, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 21 * 6]; -} - _EC_SECG_PRIME_160R2 = { - { - NID_X9_62_prime_field, 20, 21, 1 + uint8_t seed[20]; + uint8_t p[21]; + uint8_t a[21]; + uint8_t b[21]; + uint8_t x[21]; + uint8_t y[21]; + uint8_t order[21]; +} _EC_SECG_PRIME_160R2 = { + .seed = { + 0xb9, 0x9b, 0x99, 0xb0, 0x99, 0xb3, 0x23, 0xe0, 0x27, 0x09, + 0xa4, 0xd6, 0x96, 0xe6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x51, }, - { - 0xB9, 0x9B, 0x99, 0xB0, 0x99, 0xB3, 0x23, 0xE0, 0x27, 0x09, /* seed */ - 0xA4, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x51, - - 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, + .p = { + 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xac, 0x73, - 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, + }, + .a = { + 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xac, 0x70, - 0x00, 0xB4, 0xE1, 0x34, 0xD3, 0xFB, 0x59, 0xEB, 0x8B, 0xAB, /* b */ - 0x57, 0x27, 0x49, 0x04, 0x66, 0x4D, 0x5A, 0xF5, 0x03, 0x88, - 0xBA, - 0x00, 0x52, 0xDC, 0xB0, 0x34, 0x29, 0x3A, 0x11, 0x7E, 0x1F, /* x */ - 0x4F, 0xF1, 0x1B, 0x30, 0xF7, 0x19, 0x9D, 0x31, 0x44, 0xCE, - 0x6D, - 0x00, 0xfe, 0xaf, 0xfe, 0xf2, 0xe3, 0x31, 0xf2, 0x96, 0xe0, /* y */ + }, + .b = { + 0x00, 0xb4, 0xe1, 0x34, 0xd3, 0xfb, 0x59, 0xeb, 
0x8b, 0xab, + 0x57, 0x27, 0x49, 0x04, 0x66, 0x4d, 0x5a, 0xf5, 0x03, 0x88, + 0xba, + }, + .x = { + 0x00, 0x52, 0xdc, 0xb0, 0x34, 0x29, 0x3a, 0x11, 0x7e, 0x1f, + 0x4f, 0xf1, 0x1b, 0x30, 0xf7, 0x19, 0x9d, 0x31, 0x44, 0xce, + 0x6d, + }, + .y = { + 0x00, 0xfe, 0xaf, 0xfe, 0xf2, 0xe3, 0x31, 0xf2, 0x96, 0xe0, 0x71, 0xfa, 0x0d, 0xf9, 0x98, 0x2c, 0xfe, 0xa7, 0xd4, 0x3f, 0x2e, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x00, 0x35, 0x1E, 0xE7, 0x86, 0xA8, 0x18, 0xF3, 0xA1, 0xA1, - 0x6B - } + }, + .order = { + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x35, 0x1e, 0xe7, 0x86, 0xa8, 0x18, 0xf3, 0xa1, 0xa1, + 0x6b, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 24 * 6]; -} - _EC_SECG_PRIME_192K1 = { - { - NID_X9_62_prime_field, 0, 24, 1 + uint8_t p[24]; + uint8_t a[24]; + uint8_t b[24]; + uint8_t x[24]; + uint8_t y[24]; + uint8_t order[24]; +} _EC_SECG_PRIME_192K1 = { + .p = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, + 0xff, 0xff, 0xee, 0x37, }, - { /* no seed */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, - 0xFF, 0xFF, 0xEE, 0x37, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ + .a = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ + }, + .b = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, - 0xDB, 0x4F, 0xF1, 0x0E, 0xC0, 0x57, 0xE9, 0xAE, 0x26, 0xB0, /* x */ - 0x7D, 0x02, 0x80, 0xB7, 0xF4, 0x34, 0x1D, 0xA5, 0xD1, 0xB1, - 0xEA, 0xE0, 0x6C, 0x7D, - 0x9b, 0x2f, 0x2f, 0x6d, 0x9c, 0x56, 0x28, 0xa7, 0x84, 0x41, /* y */ + }, + .x = { + 0xdb, 
0x4f, 0xf1, 0x0e, 0xc0, 0x57, 0xe9, 0xae, 0x26, 0xb0, + 0x7d, 0x02, 0x80, 0xb7, 0xf4, 0x34, 0x1d, 0xa5, 0xd1, 0xb1, + 0xea, 0xe0, 0x6c, 0x7d, + }, + .y = { + 0x9b, 0x2f, 0x2f, 0x6d, 0x9c, 0x56, 0x28, 0xa7, 0x84, 0x41, 0x63, 0xd0, 0x15, 0xbe, 0x86, 0x34, 0x40, 0x82, 0xaa, 0x88, 0xd9, 0x5e, 0x2f, 0x9d, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFE, 0x26, 0xF2, 0xFC, 0x17, 0x0F, 0x69, 0x46, 0x6A, - 0x74, 0xDE, 0xFD, 0x8D - } + }, + .order = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xfe, 0x26, 0xf2, 0xfc, 0x17, 0x0f, 0x69, 0x46, 0x6a, + 0x74, 0xde, 0xfd, 0x8d, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 29 * 6]; -} - _EC_SECG_PRIME_224K1 = { - { - NID_X9_62_prime_field, 0, 29, 1 + uint8_t p[29]; + uint8_t a[29]; + uint8_t b[29]; + uint8_t x[29]; + uint8_t y[29]; + uint8_t order[29]; +} _EC_SECG_PRIME_224K1 = { + .p = { + 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xe5, 0x6d, }, - { /* no seed */ - 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xE5, 0x6D, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ + .a = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ + }, + .b = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, - 0x00, 0xA1, 0x45, 0x5B, 0x33, 0x4D, 0xF0, 0x99, 0xDF, 0x30, /* x */ - 0xFC, 0x28, 0xA1, 0x69, 0xA4, 0x67, 0xE9, 0xE4, 0x70, 0x75, - 0xA9, 0x0F, 0x7E, 0x65, 0x0E, 
0xB6, 0xB7, 0xA4, 0x5C, - 0x00, 0x7e, 0x08, 0x9f, 0xed, 0x7f, 0xba, 0x34, 0x42, 0x82, /* y */ + }, + .x = { + 0x00, 0xa1, 0x45, 0x5b, 0x33, 0x4d, 0xf0, 0x99, 0xdf, 0x30, + 0xfc, 0x28, 0xa1, 0x69, 0xa4, 0x67, 0xe9, 0xe4, 0x70, 0x75, + 0xa9, 0x0f, 0x7e, 0x65, 0x0e, 0xb6, 0xb7, 0xa4, 0x5c, + }, + .y = { + 0x00, 0x7e, 0x08, 0x9f, 0xed, 0x7f, 0xba, 0x34, 0x42, 0x82, 0xca, 0xfb, 0xd6, 0xf7, 0xe3, 0x19, 0xf7, 0xc0, 0xb0, 0xbd, 0x59, 0xe2, 0xca, 0x4b, 0xdb, 0x55, 0x6d, 0x61, 0xa5, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x00, 0x00, 0x00, 0x00, 0x01, 0xDC, 0xE8, 0xD2, 0xEC, 0x61, - 0x84, 0xCA, 0xF0, 0xA9, 0x71, 0x76, 0x9F, 0xB1, 0xF7 - } + }, + .order = { + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0xdc, 0xe8, 0xd2, 0xec, 0x61, + 0x84, 0xca, 0xf0, 0xa9, 0x71, 0x76, 0x9f, 0xb1, 0xf7, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 32 * 6]; -} - _EC_SECG_PRIME_256K1 = { - { - NID_X9_62_prime_field, 0, 32, 1 + uint8_t p[32]; + uint8_t a[32]; + uint8_t b[32]; + uint8_t x[32]; + uint8_t y[32]; + uint8_t order[32]; +} _EC_SECG_PRIME_256K1 = { + .p = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, + 0xfc, 0x2f, }, - { /* no seed */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, - 0xFC, 0x2F, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ + .a = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ + }, + .b = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, - 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, /* x */ - 0x62, 0x95, 0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, - 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, + }, + .x = { + 0x79, 0xbe, 0x66, 0x7e, 0xf9, 0xdc, 0xbb, 0xac, 0x55, 0xa0, + 0x62, 0x95, 0xce, 0x87, 0x0b, 0x07, 0x02, 0x9b, 0xfc, 0xdb, + 0x2d, 0xce, 0x28, 0xd9, 0x59, 0xf2, 0x81, 0x5b, 0x16, 0xf8, 0x17, 0x98, - 0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, /* y */ + }, + .y = { + 0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc, 0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19, 0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, - 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, - 0x41, 0x41 - } + }, + .order = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xba, 0xae, 0xdc, 0xe6, + 0xaf, 0x48, 0xa0, 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, + 0x41, 0x41, + }, }; /* some wap/wtls curves */ static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 15 * 6]; -} - _EC_WTLS_8 = { - { - NID_X9_62_prime_field, 0, 15, 1 + uint8_t p[15]; + uint8_t a[15]; + uint8_t b[15]; + uint8_t x[15]; + uint8_t y[15]; + uint8_t order[15]; +} _EC_WTLS_8 = { + .p = { + 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xfd, 0xe7, }, - { /* no seed */ - 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFD, 0xE7, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ + .a = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, /* b */ + }, + .b = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */ + }, + .x = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* y */ + }, + .y = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xEC, 0xEA, /* order */ - 0x55, 0x1A, 0xD8, 0x37, 0xE9 - } + }, + .order = { + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xec, 0xea, + 0x55, 0x1a, 0xd8, 0x37, 0xe9, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 21 * 6]; -} - _EC_WTLS_9 = { - { - NID_X9_62_prime_field, 0, 21, 1 + uint8_t p[21]; + uint8_t a[21]; + uint8_t b[21]; + uint8_t x[21]; + uint8_t y[21]; + uint8_t order[21]; +} _EC_WTLS_9 = { + .p = { + 0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfc, 0x80, + 0x8f, }, - { /* no seed */ - 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, 0x80, - 0x8F, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ + .a = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ + }, + .b = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */ + }, + .x = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* y */ + }, + .y = { + 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x01, 0xCD, 0xC9, 0x8A, 0xE0, 0xE2, 0xDE, 0x57, 0x4A, 0xBF, - 0x33 - } + }, + .order = { + 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0xcd, 0xc9, 0x8a, 0xe0, 0xe2, 0xde, 0x57, 0x4a, 0xbf, + 0x33, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 28 * 6]; -} - _EC_WTLS_12 = { - { - NID_X9_62_prime_field, 0, 28, 1 - }, - { /* no seed */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, + uint8_t p[28]; + uint8_t a[28]; + uint8_t b[28]; + uint8_t x[28]; + uint8_t y[28]; + uint8_t order[28]; +} _EC_WTLS_12 = { + .p = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, - 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, /* b */ - 0x32, 0x56, 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, - 0x27, 0x0B, 0x39, 0x43, 0x23, 0x55, 0xFF, 0xB4, - 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, /* x */ - 0x90, 0xB9, 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, - 0x34, 0x32, 0x80, 0xD6, 0x11, 0x5C, 0x1D, 0x21, - 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, /* y */ + }, + .a = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, + }, + .b = { + 0xb4, 0x05, 0x0a, 0x85, 0x0c, 0x04, 0xb3, 0xab, 0xf5, 0x41, + 0x32, 0x56, 0x50, 0x44, 0xb0, 0xb7, 0xd7, 0xbf, 0xd8, 0xba, + 0x27, 0x0b, 0x39, 0x43, 0x23, 0x55, 
0xff, 0xb4, + }, + .x = { + 0xb7, 0x0e, 0x0c, 0xbd, 0x6b, 0xb4, 0xbf, 0x7f, 0x32, 0x13, + 0x90, 0xb9, 0x4a, 0x03, 0xc1, 0xd3, 0x56, 0xc2, 0x11, 0x22, + 0x34, 0x32, 0x80, 0xd6, 0x11, 0x5c, 0x1d, 0x21, + }, + .y = { + 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6, 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, 0x85, 0x00, 0x7e, 0x34, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, - 0x13, 0xDD, 0x29, 0x45, 0x5C, 0x5C, 0x2A, 0x3D - } -}; - -#ifndef OPENSSL_NO_EC2M - -/* characteristic two curves */ -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 15 * 6]; -} - _EC_SECG_CHAR2_113R1 = { - { - NID_X9_62_characteristic_two_field, 20, 15, 2 }, - { - 0x10, 0xE7, 0x23, 0xAB, 0x14, 0xD6, 0x96, 0xE6, 0x76, 0x87, /* seed */ - 0x56, 0x15, 0x17, 0x56, 0xFE, 0xBF, 0x8F, 0xCB, 0x49, 0xA9, - - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x02, 0x01, - 0x00, 0x30, 0x88, 0x25, 0x0C, 0xA6, 0xE7, 0xC7, 0xFE, 0x64, /* a */ - 0x9C, 0xE8, 0x58, 0x20, 0xF7, - 0x00, 0xE8, 0xBE, 0xE4, 0xD3, 0xE2, 0x26, 0x07, 0x44, 0x18, /* b */ - 0x8B, 0xE0, 0xE9, 0xC7, 0x23, - 0x00, 0x9D, 0x73, 0x61, 0x6F, 0x35, 0xF4, 0xAB, 0x14, 0x07, /* x */ - 0xD7, 0x35, 0x62, 0xC1, 0x0F, - 0x00, 0xA5, 0x28, 0x30, 0x27, 0x79, 0x58, 0xEE, 0x84, 0xD1, /* y */ - 0x31, 0x5E, 0xD3, 0x18, 0x86, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD9, 0xCC, /* order */ - 0xEC, 0x8A, 0x39, 0xE5, 0x6F - } + .order = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0x16, 0xa2, 0xe0, 0xb8, 0xf0, 0x3e, + 0x13, 0xdd, 0x29, 0x45, 0x5c, 0x5c, 0x2a, 0x3d, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 15 * 6]; -} - _EC_SECG_CHAR2_113R2 = { - { - NID_X9_62_characteristic_two_field, 20, 15, 2 + uint8_t p[20]; + uint8_t a[20]; + uint8_t b[20]; + uint8_t x[20]; + uint8_t y[20]; 
+ uint8_t order[20]; +} _EC_brainpoolP160r1 = { + .p = { + 0xe9, 0x5e, 0x4a, 0x5f, 0x73, 0x70, 0x59, 0xdc, 0x60, 0xdf, + 0xc7, 0xad, 0x95, 0xb3, 0xd8, 0x13, 0x95, 0x15, 0x62, 0x0f, + }, + .a = { + 0x34, 0x0e, 0x7b, 0xe2, 0xa2, 0x80, 0xeb, 0x74, 0xe2, 0xbe, + 0x61, 0xba, 0xda, 0x74, 0x5d, 0x97, 0xe8, 0xf7, 0xc3, 0x00, + }, + .b = { + 0x1e, 0x58, 0x9a, 0x85, 0x95, 0x42, 0x34, 0x12, 0x13, 0x4f, + 0xaa, 0x2d, 0xbd, 0xec, 0x95, 0xc8, 0xd8, 0x67, 0x5e, 0x58, + }, + .x = { + 0xbe, 0xd5, 0xaf, 0x16, 0xea, 0x3f, 0x6a, 0x4f, 0x62, 0x93, + 0x8c, 0x46, 0x31, 0xeb, 0x5a, 0xf7, 0xbd, 0xbc, 0xdb, 0xc3, + }, + .y = { + 0x16, 0x67, 0xcb, 0x47, 0x7a, 0x1a, 0x8e, 0xc3, 0x38, 0xf9, + 0x47, 0x41, 0x66, 0x9c, 0x97, 0x63, 0x16, 0xda, 0x63, 0x21, + }, + .order = { + 0xe9, 0x5e, 0x4a, 0x5f, 0x73, 0x70, 0x59, 0xdc, 0x60, 0xdf, + 0x59, 0x91, 0xd4, 0x50, 0x29, 0x40, 0x9e, 0x60, 0xfc, 0x09, }, - { - 0x10, 0xC0, 0xFB, 0x15, 0x76, 0x08, 0x60, 0xDE, 0xF1, 0xEE, /* seed */ - 0xF4, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x5D, - - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x02, 0x01, - 0x00, 0x68, 0x99, 0x18, 0xDB, 0xEC, 0x7E, 0x5A, 0x0D, 0xD6, /* a */ - 0xDF, 0xC0, 0xAA, 0x55, 0xC7, - 0x00, 0x95, 0xE9, 0xA9, 0xEC, 0x9B, 0x29, 0x7B, 0xD4, 0xBF, /* b */ - 0x36, 0xE0, 0x59, 0x18, 0x4F, - 0x01, 0xA5, 0x7A, 0x6A, 0x7B, 0x26, 0xCA, 0x5E, 0xF5, 0x2F, /* x */ - 0xCD, 0xB8, 0x16, 0x47, 0x97, - 0x00, 0xB3, 0xAD, 0xC9, 0x4E, 0xD1, 0xFE, 0x67, 0x4C, 0x06, /* y */ - 0xE6, 0x95, 0xBA, 0xBA, 0x1D, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x08, 0x78, /* order */ - 0x9B, 0x24, 0x96, 0xAF, 0x93 - } }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 17 * 6]; -} - _EC_SECG_CHAR2_131R1 = { - { - NID_X9_62_characteristic_two_field, 20, 17, 2 + uint8_t p[20]; + uint8_t a[20]; + uint8_t b[20]; + uint8_t x[20]; + uint8_t y[20]; + uint8_t order[20]; +} _EC_brainpoolP160t1 = { + .p = { + 0xe9, 0x5e, 0x4a, 0x5f, 0x73, 0x70, 0x59, 0xdc, 0x60, 
0xdf, + 0xc7, 0xad, 0x95, 0xb3, 0xd8, 0x13, 0x95, 0x15, 0x62, 0x0f, + }, + .a = { + 0xe9, 0x5e, 0x4a, 0x5f, 0x73, 0x70, 0x59, 0xdc, 0x60, 0xdf, + 0xc7, 0xad, 0x95, 0xb3, 0xd8, 0x13, 0x95, 0x15, 0x62, 0x0c, + }, + .b = { + 0x7a, 0x55, 0x6b, 0x6d, 0xae, 0x53, 0x5b, 0x7b, 0x51, 0xed, + 0x2c, 0x4d, 0x7d, 0xaa, 0x7a, 0x0b, 0x5c, 0x55, 0xf3, 0x80, + }, + .x = { + 0xb1, 0x99, 0xb1, 0x3b, 0x9b, 0x34, 0xef, 0xc1, 0x39, 0x7e, + 0x64, 0xba, 0xeb, 0x05, 0xac, 0xc2, 0x65, 0xff, 0x23, 0x78, + }, + .y = { + 0xad, 0xd6, 0x71, 0x8b, 0x7c, 0x7c, 0x19, 0x61, 0xf0, 0x99, + 0x1b, 0x84, 0x24, 0x43, 0x77, 0x21, 0x52, 0xc9, 0xe0, 0xad, + }, + .order = { + 0xe9, 0x5e, 0x4a, 0x5f, 0x73, 0x70, 0x59, 0xdc, 0x60, 0xdf, + 0x59, 0x91, 0xd4, 0x50, 0x29, 0x40, 0x9e, 0x60, 0xfc, 0x09, }, - { - 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, 0x98, /* seed */ - 0x5B, 0xD3, 0xAD, 0xBA, 0xDA, 0x21, 0xB4, 0x3A, 0x97, 0xE2, - - 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x0D, - 0x07, 0xA1, 0x1B, 0x09, 0xA7, 0x6B, 0x56, 0x21, 0x44, 0x41, /* a */ - 0x8F, 0xF3, 0xFF, 0x8C, 0x25, 0x70, 0xB8, - 0x02, 0x17, 0xC0, 0x56, 0x10, 0x88, 0x4B, 0x63, 0xB9, 0xC6, /* b */ - 0xC7, 0x29, 0x16, 0x78, 0xF9, 0xD3, 0x41, - 0x00, 0x81, 0xBA, 0xF9, 0x1F, 0xDF, 0x98, 0x33, 0xC4, 0x0F, /* x */ - 0x9C, 0x18, 0x13, 0x43, 0x63, 0x83, 0x99, - 0x07, 0x8C, 0x6E, 0x7E, 0xA3, 0x8C, 0x00, 0x1F, 0x73, 0xC8, /* y */ - 0x13, 0x4B, 0x1B, 0x4E, 0xF9, 0xE1, 0x50, - 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x31, /* order */ - 0x23, 0x95, 0x3A, 0x94, 0x64, 0xB5, 0x4D - } }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 17 * 6]; -} - _EC_SECG_CHAR2_131R2 = { - { - NID_X9_62_characteristic_two_field, 20, 17, 2 + uint8_t p[24]; + uint8_t a[24]; + uint8_t b[24]; + uint8_t x[24]; + uint8_t y[24]; + uint8_t order[24]; +} _EC_brainpoolP192r1 = { + .p = { + 0xc3, 0x02, 0xf4, 0x1d, 0x93, 0x2a, 0x36, 0xcd, 0xa7, 0xa3, + 0x46, 0x30, 0x93, 0xd1, 0x8d, 0xb7, 
0x8f, 0xce, 0x47, 0x6d,
+ 0xe1, 0xa8, 0x62, 0x97,
+ },
+ .a = {
+ 0x6a, 0x91, 0x17, 0x40, 0x76, 0xb1, 0xe0, 0xe1, 0x9c, 0x39,
+ 0xc0, 0x31, 0xfe, 0x86, 0x85, 0xc1, 0xca, 0xe0, 0x40, 0xe5,
+ 0xc6, 0x9a, 0x28, 0xef,
+ },
+ .b = {
+ 0x46, 0x9a, 0x28, 0xef, 0x7c, 0x28, 0xcc, 0xa3, 0xdc, 0x72,
+ 0x1d, 0x04, 0x4f, 0x44, 0x96, 0xbc, 0xca, 0x7e, 0xf4, 0x14,
+ 0x6f, 0xbf, 0x25, 0xc9,
+ },
+ .x = {
+ 0xc0, 0xa0, 0x64, 0x7e, 0xaa, 0xb6, 0xa4, 0x87, 0x53, 0xb0,
+ 0x33, 0xc5, 0x6c, 0xb0, 0xf0, 0x90, 0x0a, 0x2f, 0x5c, 0x48,
+ 0x53, 0x37, 0x5f, 0xd6,
+ },
+ .y = {
+ 0x14, 0xb6, 0x90, 0x86, 0x6a, 0xbd, 0x5b, 0xb8, 0x8b, 0x5f,
+ 0x48, 0x28, 0xc1, 0x49, 0x00, 0x02, 0xe6, 0x77, 0x3f, 0xa2,
+ 0xfa, 0x29, 0x9b, 0x8f,
+ },
+ .order = {
+ 0xc3, 0x02, 0xf4, 0x1d, 0x93, 0x2a, 0x36, 0xcd, 0xa7, 0xa3,
+ 0x46, 0x2f, 0x9e, 0x9e, 0x91, 0x6b, 0x5b, 0xe8, 0xf1, 0x02,
+ 0x9a, 0xc4, 0xac, 0xc1,
 },
- {
- 0x98, 0x5B, 0xD3, 0xAD, 0xBA, 0xD4, 0xD6, 0x96, 0xE6, 0x76, /* seed */
- 0x87, 0x56, 0x15, 0x17, 0x5A, 0x21, 0xB4, 0x3A, 0x97, 0xE3,
-
- 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x0D,
- 0x03, 0xE5, 0xA8, 0x89, 0x19, 0xD7, 0xCA, 0xFC, 0xBF, 0x41, /* a */
- 0x5F, 0x07, 0xC2, 0x17, 0x65, 0x73, 0xB2,
- 0x04, 0xB8, 0x26, 0x6A, 0x46, 0xC5, 0x56, 0x57, 0xAC, 0x73, /* b */
- 0x4C, 0xE3, 0x8F, 0x01, 0x8F, 0x21, 0x92,
- 0x03, 0x56, 0xDC, 0xD8, 0xF2, 0xF9, 0x50, 0x31, 0xAD, 0x65, /* x */
- 0x2D, 0x23, 0x95, 0x1B, 0xB3, 0x66, 0xA8,
- 0x06, 0x48, 0xF0, 0x6D, 0x86, 0x79, 0x40, 0xA5, 0x36, 0x6D, /* y */
- 0x9E, 0x26, 0x5D, 0xE9, 0xEB, 0x24, 0x0F,
- 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x69, /* order */
- 0x54, 0xA2, 0x33, 0x04, 0x9B, 0xA9, 0x8F
- }
 };
 static const struct {
- EC_CURVE_DATA h;
- unsigned char data[0 + 21 * 6];
-}
- _EC_NIST_CHAR2_163K = {
- {
- NID_X9_62_characteristic_two_field, 0, 21, 2
+ uint8_t p[24];
+ uint8_t a[24];
+ uint8_t b[24];
+ uint8_t x[24];
+ uint8_t y[24];
+ uint8_t order[24];
+} _EC_brainpoolP192t1 = {
+ .p = {
+ 0xc3, 0x02, 0xf4, 0x1d, 0x93, 0x2a, 0x36, 0xcd, 0xa7, 0xa3,
+ 0x46, 0x30, 0x93, 0xd1, 0x8d, 0xb7, 0x8f, 0xce, 0x47, 0x6d,
+ 0xe1, 0xa8, 0x62, 0x97,
+ },
+ .a = {
+ 0xc3, 0x02, 0xf4, 0x1d, 0x93, 0x2a, 0x36, 0xcd, 0xa7, 0xa3,
+ 0x46, 0x30, 0x93, 0xd1, 0x8d, 0xb7, 0x8f, 0xce, 0x47, 0x6d,
+ 0xe1, 0xa8, 0x62, 0x94,
+ },
+ .b = {
+ 0x13, 0xd5, 0x6f, 0xfa, 0xec, 0x78, 0x68, 0x1e, 0x68, 0xf9,
+ 0xde, 0xb4, 0x3b, 0x35, 0xbe, 0xc2, 0xfb, 0x68, 0x54, 0x2e,
+ 0x27, 0x89, 0x7b, 0x79,
+ },
+ .x = {
+ 0x3a, 0xe9, 0xe5, 0x8c, 0x82, 0xf6, 0x3c, 0x30, 0x28, 0x2e,
+ 0x1f, 0xe7, 0xbb, 0xf4, 0x3f, 0xa7, 0x2c, 0x44, 0x6a, 0xf6,
+ 0xf4, 0x61, 0x81, 0x29,
+ },
+ .y = {
+ 0x09, 0x7e, 0x2c, 0x56, 0x67, 0xc2, 0x22, 0x3a, 0x90, 0x2a,
+ 0xb5, 0xca, 0x44, 0x9d, 0x00, 0x84, 0xb7, 0xe5, 0xb3, 0xde,
+ 0x7c, 0xcc, 0x01, 0xc9,
+ },
+ .order = {
+ 0xc3, 0x02, 0xf4, 0x1d, 0x93, 0x2a, 0x36, 0xcd, 0xa7, 0xa3,
+ 0x46, 0x2f, 0x9e, 0x9e, 0x91, 0x6b, 0x5b, 0xe8, 0xf1, 0x02,
+ 0x9a, 0xc4, 0xac, 0xc1,
 },
- { /* no seed */
- 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0xC9,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x01,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x01,
- 0x02, 0xFE, 0x13, 0xC0, 0x53, 0x7B, 0xBC, 0x11, 0xAC, 0xAA, /* x */
- 0x07, 0xD7, 0x93, 0xDE, 0x4E, 0x6D, 0x5E, 0x5C, 0x94, 0xEE,
- 0xE8,
- 0x02, 0x89, 0x07, 0x0F, 0xB0, 0x5D, 0x38, 0xFF, 0x58, 0x32, /* y */
- 0x1F, 0x2E, 0x80, 0x05, 0x36, 0xD5, 0x38, 0xCC, 0xDA, 0xA3,
- 0xD9,
- 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */
- 0x02, 0x01, 0x08, 0xA2, 0xE0, 0xCC, 0x0D, 0x99, 0xF8, 0xA5,
- 0xEF
- }
 };
 static const struct {
- EC_CURVE_DATA h;
- unsigned char data[0 + 21 * 6];
-}
- _EC_SECG_CHAR2_163R1 = {
- {
- NID_X9_62_characteristic_two_field, 0, 21, 2
+ uint8_t p[28];
+ uint8_t a[28];
+ uint8_t b[28];
+ uint8_t x[28];
+ uint8_t y[28];
+ uint8_t order[28];
+} _EC_brainpoolP224r1 = {
+ .p = {
+ 0xd7, 0xc1, 0x34, 0xaa, 0x26, 0x43, 0x66, 0x86, 0x2a, 0x18,
+ 0x30, 0x25, 0x75, 0xd1, 0xd7, 0x87, 0xb0, 0x9f, 0x07, 0x57,
+ 0x97, 0xda, 0x89, 0xf5, 0x7e, 0xc8, 0xc0, 0xff,
+ },
+ .a = {
+ 0x68, 0xa5, 0xe6, 0x2c, 0xa9, 0xce, 0x6c, 0x1c, 0x29, 0x98,
+ 0x03, 0xa6, 0xc1, 0x53, 0x0b, 0x51, 0x4e, 0x18, 0x2a, 0xd8,
+ 0xb0, 0x04, 0x2a, 0x59, 0xca, 0xd2, 0x9f, 0x43,
+ },
+ .b = {
+ 0x25, 0x80, 0xf6, 0x3c, 0xcf, 0xe4, 0x41, 0x38, 0x87, 0x07,
+ 0x13, 0xb1, 0xa9, 0x23, 0x69, 0xe3, 0x3e, 0x21, 0x35, 0xd2,
+ 0x66, 0xdb, 0xb3, 0x72, 0x38, 0x6c, 0x40, 0x0b,
+ },
+ .x = {
+ 0x0d, 0x90, 0x29, 0xad, 0x2c, 0x7e, 0x5c, 0xf4, 0x34, 0x08,
+ 0x23, 0xb2, 0xa8, 0x7d, 0xc6, 0x8c, 0x9e, 0x4c, 0xe3, 0x17,
+ 0x4c, 0x1e, 0x6e, 0xfd, 0xee, 0x12, 0xc0, 0x7d,
+ },
+ .y = {
+ 0x58, 0xaa, 0x56, 0xf7, 0x72, 0xc0, 0x72, 0x6f, 0x24, 0xc6,
+ 0xb8, 0x9e, 0x4e, 0xcd, 0xac, 0x24, 0x35, 0x4b, 0x9e, 0x99,
+ 0xca, 0xa3, 0xf6, 0xd3, 0x76, 0x14, 0x02, 0xcd,
+ },
+ .order = {
+ 0xd7, 0xc1, 0x34, 0xaa, 0x26, 0x43, 0x66, 0x86, 0x2a, 0x18,
+ 0x30, 0x25, 0x75, 0xd0, 0xfb, 0x98, 0xd1, 0x16, 0xbc, 0x4b,
+ 0x6d, 0xde, 0xbc, 0xa3, 0xa5, 0xa7, 0x93, 0x9f,
 },
- { /* no seed */
- 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0xC9,
- 0x07, 0xB6, 0x88, 0x2C, 0xAA, 0xEF, 0xA8, 0x4F, 0x95, 0x54, /* a */
- 0xFF, 0x84, 0x28, 0xBD, 0x88, 0xE2, 0x46, 0xD2, 0x78, 0x2A,
- 0xE2,
- 0x07, 0x13, 0x61, 0x2D, 0xCD, 0xDC, 0xB4, 0x0A, 0xAB, 0x94, /* b */
- 0x6B, 0xDA, 0x29, 0xCA, 0x91, 0xF7, 0x3A, 0xF9, 0x58, 0xAF,
- 0xD9,
- 0x03, 0x69, 0x97, 0x96, 0x97, 0xAB, 0x43, 0x89, 0x77, 0x89, /* x */
- 0x56, 0x67, 0x89, 0x56, 0x7F, 0x78, 0x7A, 0x78, 0x76, 0xA6,
- 0x54,
- 0x00, 0x43, 0x5E, 0xDB, 0x42, 0xEF, 0xAF, 0xB2, 0x98, 0x9D, /* y */
- 0x51, 0xFE, 0xFC, 0xE3, 0xC8, 0x09, 0x88, 0xF4, 0x1F, 0xF8,
- 0x83,
- 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */
- 0xFF, 0x48, 0xAA, 0xB6, 0x89, 0xC2, 0x9C, 0xA7, 0x10, 0x27,
- 0x9B
- }
 };
 static const struct {
- EC_CURVE_DATA h;
- unsigned char data[0 + 21 * 6];
-}
- _EC_NIST_CHAR2_163B = {
- {
- NID_X9_62_characteristic_two_field, 0, 21, 2
+ uint8_t p[28];
+ uint8_t a[28];
+ uint8_t b[28];
+ uint8_t x[28];
+ uint8_t y[28];
+ uint8_t order[28];
+} _EC_brainpoolP224t1 = {
+ .p = {
+ 0xd7, 0xc1, 0x34, 0xaa, 0x26, 0x43, 0x66, 0x86, 0x2a, 0x18,
+ 0x30, 0x25, 0x75, 0xd1, 0xd7, 0x87, 0xb0, 0x9f, 0x07, 0x57,
+ 0x97, 0xda, 0x89, 0xf5, 0x7e, 0xc8, 0xc0, 0xff,
+ },
+ .a = {
+ 0xd7, 0xc1, 0x34, 0xaa, 0x26, 0x43, 0x66, 0x86, 0x2a, 0x18,
+ 0x30, 0x25, 0x75, 0xd1, 0xd7, 0x87, 0xb0, 0x9f, 0x07, 0x57,
+ 0x97, 0xda, 0x89, 0xf5, 0x7e, 0xc8, 0xc0, 0xfc,
+ },
+ .b = {
+ 0x4b, 0x33, 0x7d, 0x93, 0x41, 0x04, 0xcd, 0x7b, 0xef, 0x27,
+ 0x1b, 0xf6, 0x0c, 0xed, 0x1e, 0xd2, 0x0d, 0xa1, 0x4c, 0x08,
+ 0xb3, 0xbb, 0x64, 0xf1, 0x8a, 0x60, 0x88, 0x8d,
+ },
+ .x = {
+ 0x6a, 0xb1, 0xe3, 0x44, 0xce, 0x25, 0xff, 0x38, 0x96, 0x42,
+ 0x4e, 0x7f, 0xfe, 0x14, 0x76, 0x2e, 0xcb, 0x49, 0xf8, 0x92,
+ 0x8a, 0xc0, 0xc7, 0x60, 0x29, 0xb4, 0xd5, 0x80,
+ },
+ .y = {
+ 0x03, 0x74, 0xe9, 0xf5, 0x14, 0x3e, 0x56, 0x8c, 0xd2, 0x3f,
+ 0x3f, 0x4d, 0x7c, 0x0d, 0x4b, 0x1e, 0x41, 0xc8, 0xcc, 0x0d,
+ 0x1c, 0x6a, 0xbd, 0x5f, 0x1a, 0x46, 0xdb, 0x4c,
+ },
+ .order = {
+ 0xd7, 0xc1, 0x34, 0xaa, 0x26, 0x43, 0x66, 0x86, 0x2a, 0x18,
+ 0x30, 0x25, 0x75, 0xd0, 0xfb, 0x98, 0xd1, 0x16, 0xbc, 0x4b,
+ 0x6d, 0xde, 0xbc, 0xa3, 0xa5, 0xa7, 0x93, 0x9f,
 },
- { /* no seed */
- 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0xC9,
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */
- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
- 0x01,
- 0x02, 0x0A, 0x60, 0x19, 0x07, 0xB8, 0xC9, 0x53, 0xCA, 0x14, /* b */
- 0x81, 0xEB, 0x10, 0x51, 0x2F, 0x78,
0x74, 0x4A, 0x32, 0x05, - 0xFD, - 0x03, 0xF0, 0xEB, 0xA1, 0x62, 0x86, 0xA2, 0xD5, 0x7E, 0xA0, /* x */ - 0x99, 0x11, 0x68, 0xD4, 0x99, 0x46, 0x37, 0xE8, 0x34, 0x3E, - 0x36, - 0x00, 0xD5, 0x1F, 0xBC, 0x6C, 0x71, 0xA0, 0x09, 0x4F, 0xA2, /* y */ - 0xCD, 0xD5, 0x45, 0xB1, 0x1C, 0x5C, 0x0C, 0x79, 0x73, 0x24, - 0xF1, - 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x02, 0x92, 0xFE, 0x77, 0xE7, 0x0C, 0x12, 0xA4, 0x23, 0x4C, - 0x33 - } }; static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 25 * 6]; -} - _EC_SECG_CHAR2_193R1 = { - { - NID_X9_62_characteristic_two_field, 20, 25, 2 - }, - { - 0x10, 0x3F, 0xAE, 0xC7, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, /* seed */ - 0x61, 0x51, 0x75, 0x77, 0x7F, 0xC5, 0xB1, 0x91, 0xEF, 0x30, - - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x80, 0x01, - 0x00, 0x17, 0x85, 0x8F, 0xEB, 0x7A, 0x98, 0x97, 0x51, 0x69, /* a */ - 0xE1, 0x71, 0xF7, 0x7B, 0x40, 0x87, 0xDE, 0x09, 0x8A, 0xC8, - 0xA9, 0x11, 0xDF, 0x7B, 0x01, - 0x00, 0xFD, 0xFB, 0x49, 0xBF, 0xE6, 0xC3, 0xA8, 0x9F, 0xAC, /* b */ - 0xAD, 0xAA, 0x7A, 0x1E, 0x5B, 0xBC, 0x7C, 0xC1, 0xC2, 0xE5, - 0xD8, 0x31, 0x47, 0x88, 0x14, - 0x01, 0xF4, 0x81, 0xBC, 0x5F, 0x0F, 0xF8, 0x4A, 0x74, 0xAD, /* x */ - 0x6C, 0xDF, 0x6F, 0xDE, 0xF4, 0xBF, 0x61, 0x79, 0x62, 0x53, - 0x72, 0xD8, 0xC0, 0xC5, 0xE1, - 0x00, 0x25, 0xE3, 0x99, 0xF2, 0x90, 0x37, 0x12, 0xCC, 0xF3, /* y */ - 0xEA, 0x9E, 0x3A, 0x1A, 0xD1, 0x7F, 0xB0, 0xB3, 0x20, 0x1B, - 0x6A, 0xF7, 0xCE, 0x1B, 0x05, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x00, 0x00, 0x00, 0xC7, 0xF3, 0x4A, 0x77, 0x8F, 0x44, 0x3A, - 0xCC, 0x92, 0x0E, 0xBA, 0x49 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 25 * 6]; -} - _EC_SECG_CHAR2_193R2 = { - { - NID_X9_62_characteristic_two_field, 20, 25, 2 - }, - { - 0x10, 0xB7, 0xB4, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, /* 
seed */ - 0x17, 0x51, 0x37, 0xC8, 0xA1, 0x6F, 0xD0, 0xDA, 0x22, 0x11, - - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x80, 0x01, - 0x01, 0x63, 0xF3, 0x5A, 0x51, 0x37, 0xC2, 0xCE, 0x3E, 0xA6, /* a */ - 0xED, 0x86, 0x67, 0x19, 0x0B, 0x0B, 0xC4, 0x3E, 0xCD, 0x69, - 0x97, 0x77, 0x02, 0x70, 0x9B, - 0x00, 0xC9, 0xBB, 0x9E, 0x89, 0x27, 0xD4, 0xD6, 0x4C, 0x37, /* b */ - 0x7E, 0x2A, 0xB2, 0x85, 0x6A, 0x5B, 0x16, 0xE3, 0xEF, 0xB7, - 0xF6, 0x1D, 0x43, 0x16, 0xAE, - 0x00, 0xD9, 0xB6, 0x7D, 0x19, 0x2E, 0x03, 0x67, 0xC8, 0x03, /* x */ - 0xF3, 0x9E, 0x1A, 0x7E, 0x82, 0xCA, 0x14, 0xA6, 0x51, 0x35, - 0x0A, 0xAE, 0x61, 0x7E, 0x8F, - 0x01, 0xCE, 0x94, 0x33, 0x56, 0x07, 0xC3, 0x04, 0xAC, 0x29, /* y */ - 0xE7, 0xDE, 0xFB, 0xD9, 0xCA, 0x01, 0xF5, 0x96, 0xF9, 0x27, - 0x22, 0x4C, 0xDE, 0xCF, 0x6C, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x00, 0x00, 0x01, 0x5A, 0xAB, 0x56, 0x1B, 0x00, 0x54, 0x13, - 0xCC, 0xD4, 0xEE, 0x99, 0xD5 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 30 * 6]; -} - _EC_NIST_CHAR2_233K = { - { - NID_X9_62_characteristic_two_field, 0, 30, 4 - }, - { /* no seed */ - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - - 0x01, 0x72, 0x32, 0xBA, 0x85, 0x3A, 0x7E, 0x73, 0x1A, 0xF1, /* x */ - 0x29, 0xF2, 0x2F, 0xF4, 0x14, 0x95, 0x63, 0xA4, 0x19, 0xC2, - 0x6B, 0xF5, 0x0A, 0x4C, 0x9D, 0x6E, 
0xEF, 0xAD, 0x61, 0x26, - - 0x01, 0xDB, 0x53, 0x7D, 0xEC, 0xE8, 0x19, 0xB7, 0xF7, 0x0F, /* y */ - 0x55, 0x5A, 0x67, 0xC4, 0x27, 0xA8, 0xCD, 0x9B, 0xF1, 0x8A, - 0xEB, 0x9B, 0x56, 0xE0, 0xC1, 0x10, 0x56, 0xFA, 0xE6, 0xA3, - - 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x9D, 0x5B, 0xB9, 0x15, - 0xBC, 0xD4, 0x6E, 0xFB, 0x1A, 0xD5, 0xF1, 0x73, 0xAB, 0xDF - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 30 * 6]; -} - _EC_NIST_CHAR2_233B = { - { - NID_X9_62_characteristic_two_field, 20, 30, 2 - }, - { - 0x74, 0xD5, 0x9F, 0xF0, 0x7F, 0x6B, 0x41, 0x3D, 0x0E, 0xA1, /* seed */ - 0x4B, 0x34, 0x4B, 0x20, 0xA2, 0xDB, 0x04, 0x9B, 0x50, 0xC3, - - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - - 0x00, 0x66, 0x64, 0x7E, 0xDE, 0x6C, 0x33, 0x2C, 0x7F, 0x8C, /* b */ - 0x09, 0x23, 0xBB, 0x58, 0x21, 0x3B, 0x33, 0x3B, 0x20, 0xE9, - 0xCE, 0x42, 0x81, 0xFE, 0x11, 0x5F, 0x7D, 0x8F, 0x90, 0xAD, - - 0x00, 0xFA, 0xC9, 0xDF, 0xCB, 0xAC, 0x83, 0x13, 0xBB, 0x21, /* x */ - 0x39, 0xF1, 0xBB, 0x75, 0x5F, 0xEF, 0x65, 0xBC, 0x39, 0x1F, - 0x8B, 0x36, 0xF8, 0xF8, 0xEB, 0x73, 0x71, 0xFD, 0x55, 0x8B, - - 0x01, 0x00, 0x6A, 0x08, 0xA4, 0x19, 0x03, 0x35, 0x06, 0x78, /* y */ - 0xE5, 0x85, 0x28, 0xBE, 0xBF, 0x8A, 0x0B, 0xEF, 0xF8, 0x67, - 0xA7, 0xCA, 0x36, 0x71, 0x6F, 0x7E, 0x01, 0xF8, 0x10, 0x52, - - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0xE9, 0x74, 0xE7, 0x2F, - 0x8A, 0x69, 0x22, 0x03, 0x1D, 0x26, 0x03, 0xCF, 0xE0, 0xD7 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 30 * 6]; -} 
- _EC_SECG_CHAR2_239K1 = { - { - NID_X9_62_characteristic_two_field, 0, 30, 4 - }, - { /* no seed */ - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - - 0x29, 0xA0, 0xB6, 0xA8, 0x87, 0xA9, 0x83, 0xE9, 0x73, 0x09, /* x */ - 0x88, 0xA6, 0x87, 0x27, 0xA8, 0xB2, 0xD1, 0x26, 0xC4, 0x4C, - 0xC2, 0xCC, 0x7B, 0x2A, 0x65, 0x55, 0x19, 0x30, 0x35, 0xDC, - - 0x76, 0x31, 0x08, 0x04, 0xF1, 0x2E, 0x54, 0x9B, 0xDB, 0x01, /* y */ - 0x1C, 0x10, 0x30, 0x89, 0xE7, 0x35, 0x10, 0xAC, 0xB2, 0x75, - 0xFC, 0x31, 0x2A, 0x5D, 0xC6, 0xB7, 0x65, 0x53, 0xF0, 0xCA, - - 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x5A, 0x79, 0xFE, 0xC6, 0x7C, - 0xB6, 0xE9, 0x1F, 0x1C, 0x1D, 0xA8, 0x00, 0xE4, 0x78, 0xA5 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 36 * 6]; -} - _EC_NIST_CHAR2_283K = { - { - NID_X9_62_characteristic_two_field, 0, 36, 4 - }, - { /* no seed */ - 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x10, 0xA1, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ - 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x05, 0x03, 0x21, 0x3F, 0x78, 0xCA, 0x44, 0x88, 0x3F, 0x1A, /* x */ - 0x3B, 0x81, 0x62, 0xF1, 0x88, 0xE5, 0x53, 0xCD, 0x26, 0x5F, - 0x23, 0xC1, 0x56, 0x7A, 0x16, 0x87, 0x69, 0x13, 0xB0, 0xC2, - 0xAC, 0x24, 0x58, 0x49, 0x28, 0x36, - 0x01, 0xCC, 0xDA, 0x38, 0x0F, 0x1C, 0x9E, 0x31, 0x8D, 0x90, /* y */ - 0xF9, 0x5D, 0x07, 0xE5, 0x42, 0x6F, 0xE8, 0x7E, 0x45, 0xC0, - 0xE8, 0x18, 0x46, 0x98, 0xE4, 0x59, 0x62, 0x36, 0x4E, 0x34, - 0x11, 0x61, 0x77, 0xDD, 0x22, 0x59, - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xE9, 0xAE, - 0x2E, 0xD0, 0x75, 0x77, 0x26, 0x5D, 0xFF, 0x7F, 0x94, 0x45, - 0x1E, 0x06, 0x1E, 0x16, 0x3C, 0x61 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 36 * 6]; -} - _EC_NIST_CHAR2_283B = { - { - NID_X9_62_characteristic_two_field, 20, 36, 2 - }, - { - 0x77, 0xE2, 0xB0, 0x73, 0x70, 0xEB, 0x0F, 0x83, 0x2A, 0x6D, /* no seed */ - 0xD5, 0xB6, 0x2D, 0xFC, 0x88, 0xCD, 0x06, 0xBB, 0x84, 0xBE, - - 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x10, 0xA1, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x02, 0x7B, 0x68, 0x0A, 0xC8, 0xB8, 0x59, 0x6D, 0xA5, 0xA4, /* b */ - 0xAF, 0x8A, 0x19, 0xA0, 0x30, 0x3F, 0xCA, 0x97, 0xFD, 0x76, - 0x45, 0x30, 0x9F, 0xA2, 0xA5, 0x81, 0x48, 0x5A, 0xF6, 0x26, - 0x3E, 0x31, 0x3B, 0x79, 0xA2, 0xF5, - 0x05, 0xF9, 0x39, 0x25, 0x8D, 0xB7, 0xDD, 0x90, 0xE1, 0x93, /* x */ - 0x4F, 0x8C, 0x70, 0xB0, 0xDF, 0xEC, 0x2E, 0xED, 0x25, 0xB8, - 0x55, 
0x7E, 0xAC, 0x9C, 0x80, 0xE2, 0xE1, 0x98, 0xF8, 0xCD, - 0xBE, 0xCD, 0x86, 0xB1, 0x20, 0x53, - 0x03, 0x67, 0x68, 0x54, 0xFE, 0x24, 0x14, 0x1C, 0xB9, 0x8F, /* y */ - 0xE6, 0xD4, 0xB2, 0x0D, 0x02, 0xB4, 0x51, 0x6F, 0xF7, 0x02, - 0x35, 0x0E, 0xDD, 0xB0, 0x82, 0x67, 0x79, 0xC8, 0x13, 0xF0, - 0xDF, 0x45, 0xBE, 0x81, 0x12, 0xF4, - 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xEF, 0x90, - 0x39, 0x96, 0x60, 0xFC, 0x93, 0x8A, 0x90, 0x16, 0x5B, 0x04, - 0x2A, 0x7C, 0xEF, 0xAD, 0xB3, 0x07 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 52 * 6]; -} - _EC_NIST_CHAR2_409K = { - { - NID_X9_62_characteristic_two_field, 0, 52, 4 - }, - { /* no seed */ - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x01, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x01, - 0x00, 0x60, 0xF0, 0x5F, 0x65, 0x8F, 0x49, 0xC1, 0xAD, 0x3A, /* x */ - 0xB1, 0x89, 0x0F, 0x71, 0x84, 0x21, 0x0E, 0xFD, 0x09, 0x87, - 0xE3, 0x07, 0xC8, 0x4C, 0x27, 0xAC, 0xCF, 0xB8, 0xF9, 0xF6, - 0x7C, 0xC2, 0xC4, 0x60, 0x18, 0x9E, 0xB5, 0xAA, 0xAA, 0x62, 
- 0xEE, 0x22, 0x2E, 0xB1, 0xB3, 0x55, 0x40, 0xCF, 0xE9, 0x02, - 0x37, 0x46, - 0x01, 0xE3, 0x69, 0x05, 0x0B, 0x7C, 0x4E, 0x42, 0xAC, 0xBA, /* y */ - 0x1D, 0xAC, 0xBF, 0x04, 0x29, 0x9C, 0x34, 0x60, 0x78, 0x2F, - 0x91, 0x8E, 0xA4, 0x27, 0xE6, 0x32, 0x51, 0x65, 0xE9, 0xEA, - 0x10, 0xE3, 0xDA, 0x5F, 0x6C, 0x42, 0xE9, 0xC5, 0x52, 0x15, - 0xAA, 0x9C, 0xA2, 0x7A, 0x58, 0x63, 0xEC, 0x48, 0xD8, 0xE0, - 0x28, 0x6B, - 0x00, 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0x5F, 0x83, 0xB2, - 0xD4, 0xEA, 0x20, 0x40, 0x0E, 0xC4, 0x55, 0x7D, 0x5E, 0xD3, - 0xE3, 0xE7, 0xCA, 0x5B, 0x4B, 0x5C, 0x83, 0xB8, 0xE0, 0x1E, - 0x5F, 0xCF - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 52 * 6]; -} - _EC_NIST_CHAR2_409B = { - { - NID_X9_62_characteristic_two_field, 20, 52, 2 - }, - { - 0x40, 0x99, 0xB5, 0xA4, 0x57, 0xF9, 0xD6, 0x9F, 0x79, 0x21, /* seed */ - 0x3D, 0x09, 0x4C, 0x4B, 0xCD, 0x4D, 0x42, 0x62, 0x21, 0x0B, - - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x01, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x01, - 0x00, 0x21, 0xA5, 0xC2, 0xC8, 0xEE, 0x9F, 0xEB, 0x5C, 0x4B, /* b */ - 0x9A, 0x75, 0x3B, 0x7B, 0x47, 0x6B, 0x7F, 0xD6, 0x42, 0x2E, - 0xF1, 0xF3, 0xDD, 0x67, 0x47, 0x61, 0xFA, 0x99, 0xD6, 0xAC, - 0x27, 0xC8, 0xA9, 0xA1, 0x97, 0xB2, 0x72, 0x82, 0x2F, 0x6C, - 0xD5, 0x7A, 0x55, 
0xAA, 0x4F, 0x50, 0xAE, 0x31, 0x7B, 0x13, - 0x54, 0x5F, - 0x01, 0x5D, 0x48, 0x60, 0xD0, 0x88, 0xDD, 0xB3, 0x49, 0x6B, /* x */ - 0x0C, 0x60, 0x64, 0x75, 0x62, 0x60, 0x44, 0x1C, 0xDE, 0x4A, - 0xF1, 0x77, 0x1D, 0x4D, 0xB0, 0x1F, 0xFE, 0x5B, 0x34, 0xE5, - 0x97, 0x03, 0xDC, 0x25, 0x5A, 0x86, 0x8A, 0x11, 0x80, 0x51, - 0x56, 0x03, 0xAE, 0xAB, 0x60, 0x79, 0x4E, 0x54, 0xBB, 0x79, - 0x96, 0xA7, - 0x00, 0x61, 0xB1, 0xCF, 0xAB, 0x6B, 0xE5, 0xF3, 0x2B, 0xBF, /* y */ - 0xA7, 0x83, 0x24, 0xED, 0x10, 0x6A, 0x76, 0x36, 0xB9, 0xC5, - 0xA7, 0xBD, 0x19, 0x8D, 0x01, 0x58, 0xAA, 0x4F, 0x54, 0x88, - 0xD0, 0x8F, 0x38, 0x51, 0x4F, 0x1F, 0xDF, 0x4B, 0x4F, 0x40, - 0xD2, 0x18, 0x1B, 0x36, 0x81, 0xC3, 0x64, 0xBA, 0x02, 0x73, - 0xC7, 0x06, - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xE2, 0xAA, 0xD6, - 0xA6, 0x12, 0xF3, 0x33, 0x07, 0xBE, 0x5F, 0xA4, 0x7C, 0x3C, - 0x9E, 0x05, 0x2F, 0x83, 0x81, 0x64, 0xCD, 0x37, 0xD9, 0xA2, - 0x11, 0x73 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 72 * 6]; -} - _EC_NIST_CHAR2_571K = { - { - NID_X9_62_characteristic_two_field, 0, 72, 4 - }, - { /* no seed */ - 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x25, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x01, - 0x02, 0x6E, 0xB7, 0xA8, 0x59, 0x92, 0x3F, 0xBC, 0x82, 0x18, /* x */ - 0x96, 0x31, 0xF8, 0x10, 0x3F, 0xE4, 0xAC, 0x9C, 0xA2, 0x97, - 0x00, 0x12, 0xD5, 0xD4, 0x60, 0x24, 0x80, 0x48, 0x01, 0x84, - 0x1C, 0xA4, 0x43, 0x70, 0x95, 0x84, 0x93, 0xB2, 0x05, 0xE6, - 0x47, 0xDA, 0x30, 0x4D, 0xB4, 0xCE, 0xB0, 0x8C, 0xBB, 0xD1, - 0xBA, 0x39, 0x49, 0x47, 0x76, 0xFB, 0x98, 0x8B, 0x47, 0x17, - 0x4D, 0xCA, 0x88, 0xC7, 0xE2, 0x94, 0x52, 0x83, 0xA0, 0x1C, - 0x89, 0x72, - 0x03, 0x49, 0xDC, 0x80, 0x7F, 0x4F, 0xBF, 0x37, 0x4F, 0x4A, /* y */ - 0xEA, 0xDE, 0x3B, 0xCA, 0x95, 0x31, 0x4D, 0xD5, 0x8C, 0xEC, - 0x9F, 0x30, 0x7A, 0x54, 0xFF, 0xC6, 0x1E, 0xFC, 0x00, 0x6D, - 0x8A, 0x2C, 0x9D, 0x49, 0x79, 0xC0, 0xAC, 0x44, 0xAE, 0xA7, - 0x4F, 0xBE, 0xBB, 0xB9, 0xF7, 0x72, 0xAE, 0xDC, 0xB6, 0x20, - 0xB0, 0x1A, 0x7B, 0xA7, 0xAF, 0x1B, 0x32, 0x04, 0x30, 0xC8, - 0x59, 0x19, 0x84, 0xF6, 0x01, 0xCD, 0x4C, 0x14, 0x3E, 0xF1, - 0xC7, 0xA3, - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x13, 0x18, 0x50, 0xE1, - 0xF1, 0x9A, 0x63, 0xE4, 0xB3, 0x91, 0xA8, 0xDB, 0x91, 0x7F, - 0x41, 0x38, 0xB6, 0x30, 0xD8, 0x4B, 0xE5, 0xD6, 0x39, 0x38, - 0x1E, 0x91, 0xDE, 0xB4, 0x5C, 0xFE, 0x77, 0x8F, 0x63, 0x7C, - 0x10, 0x01 - } -}; - 
-static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 72 * 6]; -} - _EC_NIST_CHAR2_571B = { - { - NID_X9_62_characteristic_two_field, 20, 72, 2 - }, - { - 0x2A, 0xA0, 0x58, 0xF7, 0x3A, 0x0E, 0x33, 0xAB, 0x48, 0x6B, /* seed */ - 0x0F, 0x61, 0x04, 0x10, 0xC5, 0x3A, 0x7F, 0x13, 0x23, 0x10, - - 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x04, 0x25, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x01, - 0x02, 0xF4, 0x0E, 0x7E, 0x22, 0x21, 0xF2, 0x95, 0xDE, 0x29, /* b */ - 0x71, 0x17, 0xB7, 0xF3, 0xD6, 0x2F, 0x5C, 0x6A, 0x97, 0xFF, - 0xCB, 0x8C, 0xEF, 0xF1, 0xCD, 0x6B, 0xA8, 0xCE, 0x4A, 0x9A, - 0x18, 0xAD, 0x84, 0xFF, 0xAB, 0xBD, 0x8E, 0xFA, 0x59, 0x33, - 0x2B, 0xE7, 0xAD, 0x67, 0x56, 0xA6, 0x6E, 0x29, 0x4A, 0xFD, - 0x18, 0x5A, 0x78, 0xFF, 0x12, 0xAA, 0x52, 0x0E, 0x4D, 0xE7, - 0x39, 0xBA, 0xCA, 0x0C, 0x7F, 0xFE, 0xFF, 0x7F, 0x29, 0x55, - 0x72, 0x7A, - 0x03, 0x03, 0x00, 0x1D, 0x34, 0xB8, 0x56, 0x29, 0x6C, 0x16, /* x */ - 0xC0, 0xD4, 0x0D, 0x3C, 0xD7, 0x75, 0x0A, 0x93, 0xD1, 0xD2, - 0x95, 0x5F, 0xA8, 0x0A, 0xA5, 0xF4, 0x0F, 0xC8, 0xDB, 0x7B, - 0x2A, 0xBD, 0xBD, 0xE5, 0x39, 0x50, 0xF4, 0xC0, 0xD2, 0x93, - 0xCD, 0xD7, 0x11, 0xA3, 0x5B, 0x67, 0xFB, 0x14, 0x99, 0xAE, - 0x60, 
0x03, 0x86, 0x14, 0xF1, 0x39, 0x4A, 0xBF, 0xA3, 0xB4, - 0xC8, 0x50, 0xD9, 0x27, 0xE1, 0xE7, 0x76, 0x9C, 0x8E, 0xEC, - 0x2D, 0x19, - 0x03, 0x7B, 0xF2, 0x73, 0x42, 0xDA, 0x63, 0x9B, 0x6D, 0xCC, /* y */ - 0xFF, 0xFE, 0xB7, 0x3D, 0x69, 0xD7, 0x8C, 0x6C, 0x27, 0xA6, - 0x00, 0x9C, 0xBB, 0xCA, 0x19, 0x80, 0xF8, 0x53, 0x39, 0x21, - 0xE8, 0xA6, 0x84, 0x42, 0x3E, 0x43, 0xBA, 0xB0, 0x8A, 0x57, - 0x62, 0x91, 0xAF, 0x8F, 0x46, 0x1B, 0xB2, 0xA8, 0xB3, 0x53, - 0x1D, 0x2F, 0x04, 0x85, 0xC1, 0x9B, 0x16, 0xE2, 0xF1, 0x51, - 0x6E, 0x23, 0xDD, 0x3C, 0x1A, 0x48, 0x27, 0xAF, 0x1B, 0x8A, - 0xC1, 0x5B, - 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xE6, 0x61, 0xCE, 0x18, - 0xFF, 0x55, 0x98, 0x73, 0x08, 0x05, 0x9B, 0x18, 0x68, 0x23, - 0x85, 0x1E, 0xC7, 0xDD, 0x9C, 0xA1, 0x16, 0x1D, 0xE9, 0x3D, - 0x51, 0x74, 0xD6, 0x6E, 0x83, 0x82, 0xE9, 0xBB, 0x2F, 0xE8, - 0x4E, 0x47 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 21 * 6]; -} - _EC_X9_62_CHAR2_163V1 = { - { - NID_X9_62_characteristic_two_field, 20, 21, 2 - }, - { - 0xD2, 0xC0, 0xFB, 0x15, 0x76, 0x08, 0x60, 0xDE, 0xF1, 0xEE, - 0xF4, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x54, /* seed */ - - 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x07, - 0x07, 0x25, 0x46, 0xB5, 0x43, 0x52, 0x34, 0xA4, 0x22, 0xE0, /* a */ - 0x78, 0x96, 0x75, 0xF4, 0x32, 0xC8, 0x94, 0x35, 0xDE, 0x52, - 0x42, - 0x00, 0xC9, 0x51, 0x7D, 0x06, 0xD5, 0x24, 0x0D, 0x3C, 0xFF, /* b */ - 0x38, 0xC7, 0x4B, 0x20, 0xB6, 0xCD, 0x4D, 0x6F, 0x9D, 0xD4, - 0xD9, - 0x07, 0xAF, 0x69, 0x98, 0x95, 0x46, 0x10, 0x3D, 0x79, 0x32, /* x */ - 0x9F, 0xCC, 0x3D, 0x74, 0x88, 0x0F, 0x33, 0xBB, 0xE8, 0x03, - 0xCB, - 0x01, 0xEC, 0x23, 0x21, 0x1B, 0x59, 0x66, 0xAD, 0xEA, 0x1D, /* y */ - 0x3F, 
0x87, 0xF7, 0xEA, 0x58, 0x48, 0xAE, 0xF0, 0xB7, 0xCA, - 0x9F, - 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x01, 0xE6, 0x0F, 0xC8, 0x82, 0x1C, 0xC7, 0x4D, 0xAE, 0xAF, - 0xC1 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 21 * 6]; -} - _EC_X9_62_CHAR2_163V2 = { - { - NID_X9_62_characteristic_two_field, 20, 21, 2 - }, - { - 0x53, 0x81, 0x4C, 0x05, 0x0D, 0x44, 0xD6, 0x96, 0xE6, 0x76, /* seed */ - 0x87, 0x56, 0x15, 0x17, 0x58, 0x0C, 0xA4, 0xE2, 0x9F, 0xFD, - - 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x07, - 0x01, 0x08, 0xB3, 0x9E, 0x77, 0xC4, 0xB1, 0x08, 0xBE, 0xD9, /* a */ - 0x81, 0xED, 0x0E, 0x89, 0x0E, 0x11, 0x7C, 0x51, 0x1C, 0xF0, - 0x72, - 0x06, 0x67, 0xAC, 0xEB, 0x38, 0xAF, 0x4E, 0x48, 0x8C, 0x40, /* b */ - 0x74, 0x33, 0xFF, 0xAE, 0x4F, 0x1C, 0x81, 0x16, 0x38, 0xDF, - 0x20, - 0x00, 0x24, 0x26, 0x6E, 0x4E, 0xB5, 0x10, 0x6D, 0x0A, 0x96, /* x */ - 0x4D, 0x92, 0xC4, 0x86, 0x0E, 0x26, 0x71, 0xDB, 0x9B, 0x6C, - 0xC5, - 0x07, 0x9F, 0x68, 0x4D, 0xDF, 0x66, 0x84, 0xC5, 0xCD, 0x25, /* y */ - 0x8B, 0x38, 0x90, 0x02, 0x1B, 0x23, 0x86, 0xDF, 0xD1, 0x9F, - 0xC5, - 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFD, 0xF6, 0x4D, 0xE1, 0x15, 0x1A, 0xDB, 0xB7, 0x8F, 0x10, - 0xA7 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 21 * 6]; -} - _EC_X9_62_CHAR2_163V3 = { - { - NID_X9_62_characteristic_two_field, 20, 21, 2 - }, - { - 0x50, 0xCB, 0xF1, 0xD9, 0x5C, 0xA9, 0x4D, 0x69, 0x6E, 0x67, /* seed */ - 0x68, 0x75, 0x61, 0x51, 0x75, 0xF1, 0x6A, 0x36, 0xA3, 0xB8, - - 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x07, - 0x07, 0xA5, 0x26, 0xC6, 0x3D, 0x3E, 0x25, 0xA2, 0x56, 0xA0, /* a */ - 0x07, 0x69, 0x9F, 0x54, 0x47, 0xE3, 0x2A, 0xE4, 0x56, 0xB5, - 0x0E, - 0x03, 0xF7, 0x06, 0x17, 0x98, 0xEB, 
0x99, 0xE2, 0x38, 0xFD, /* b */ - 0x6F, 0x1B, 0xF9, 0x5B, 0x48, 0xFE, 0xEB, 0x48, 0x54, 0x25, - 0x2B, - 0x02, 0xF9, 0xF8, 0x7B, 0x7C, 0x57, 0x4D, 0x0B, 0xDE, 0xCF, /* x */ - 0x8A, 0x22, 0xE6, 0x52, 0x47, 0x75, 0xF9, 0x8C, 0xDE, 0xBD, - 0xCB, - 0x05, 0xB9, 0x35, 0x59, 0x0C, 0x15, 0x5E, 0x17, 0xEA, 0x48, /* y */ - 0xEB, 0x3F, 0xF3, 0x71, 0x8B, 0x89, 0x3D, 0xF5, 0x9A, 0x05, - 0xD0, - 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFE, 0x1A, 0xEE, 0x14, 0x0F, 0x11, 0x0A, 0xFF, 0x96, 0x13, - 0x09 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 23 * 6]; -} - _EC_X9_62_CHAR2_176V1 = { - { - NID_X9_62_characteristic_two_field, 0, 23, 0xFF6E - }, - { /* no seed */ - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, - 0x00, 0x00, 0x07, - 0x00, 0xE4, 0xE6, 0xDB, 0x29, 0x95, 0x06, 0x5C, 0x40, 0x7D, /* a */ - 0x9D, 0x39, 0xB8, 0xD0, 0x96, 0x7B, 0x96, 0x70, 0x4B, 0xA8, - 0xE9, 0xC9, 0x0B, - 0x00, 0x5D, 0xDA, 0x47, 0x0A, 0xBE, 0x64, 0x14, 0xDE, 0x8E, /* b */ - 0xC1, 0x33, 0xAE, 0x28, 0xE9, 0xBB, 0xD7, 0xFC, 0xEC, 0x0A, - 0xE0, 0xFF, 0xF2, - 0x00, 0x8D, 0x16, 0xC2, 0x86, 0x67, 0x98, 0xB6, 0x00, 0xF9, /* x */ - 0xF0, 0x8B, 0xB4, 0xA8, 0xE8, 0x60, 0xF3, 0x29, 0x8C, 0xE0, - 0x4A, 0x57, 0x98, - 0x00, 0x6F, 0xA4, 0x53, 0x9C, 0x2D, 0xAD, 0xDD, 0xD6, 0xBA, /* y */ - 0xB5, 0x16, 0x7D, 0x61, 0xB4, 0x36, 0xE1, 0xD9, 0x2B, 0xB1, - 0x6A, 0x56, 0x2C, - 0x00, 0x00, 0x01, 0x00, 0x92, 0x53, 0x73, 0x97, 0xEC, 0xA4, /* order */ - 0xF6, 0x14, 0x57, 0x99, 0xD6, 0x2B, 0x0A, 0x19, 0xCE, 0x06, - 0xFE, 0x26, 0xAD - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 24 * 6]; -} - _EC_X9_62_CHAR2_191V1 = { - { - NID_X9_62_characteristic_two_field, 20, 24, 2 - }, - { - 0x4E, 0x13, 0xCA, 0x54, 0x27, 0x44, 0xD6, 0x96, 0xE6, 0x76, /* seed */ - 0x87, 0x56, 0x15, 0x17, 0x55, 0x2F, 0x27, 0x9A, 0x8C, 0x84, - - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x02, 0x01, - 0x28, 0x66, 0x53, 0x7B, 0x67, 0x67, 0x52, 0x63, 0x6A, 0x68, /* a */ - 0xF5, 0x65, 0x54, 0xE1, 0x26, 0x40, 0x27, 0x6B, 0x64, 0x9E, - 0xF7, 0x52, 0x62, 0x67, - 0x2E, 0x45, 0xEF, 0x57, 0x1F, 0x00, 0x78, 0x6F, 0x67, 0xB0, /* b */ - 0x08, 0x1B, 0x94, 0x95, 0xA3, 0xD9, 0x54, 0x62, 0xF5, 0xDE, - 0x0A, 0xA1, 0x85, 0xEC, - 0x36, 0xB3, 0xDA, 0xF8, 0xA2, 0x32, 0x06, 0xF9, 0xC4, 0xF2, /* x */ - 0x99, 0xD7, 0xB2, 0x1A, 0x9C, 0x36, 0x91, 0x37, 0xF2, 0xC8, - 0x4A, 0xE1, 0xAA, 0x0D, - 0x76, 0x5B, 0xE7, 0x34, 0x33, 0xB3, 0xF9, 0x5E, 0x33, 0x29, /* y */ - 0x32, 0xE7, 0x0E, 0xA2, 0x45, 0xCA, 0x24, 0x18, 0xEA, 0x0E, - 0xF9, 0x80, 0x18, 0xFB, - 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x00, 0x00, 0x04, 0xA2, 0x0E, 0x90, 0xC3, 0x90, 0x67, 0xC8, - 0x93, 0xBB, 0xB9, 0xA5 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 24 * 6]; -} - _EC_X9_62_CHAR2_191V2 = { - { - NID_X9_62_characteristic_two_field, 20, 24, 4 - }, - { - 0x08, 0x71, 0xEF, 0x2F, 0xEF, 0x24, 0xD6, 0x96, 0xE6, 0x76, /* seed */ - 0x87, 0x56, 0x15, 0x17, 0x58, 0xBE, 0xE0, 0xD9, 0x5C, 0x15, - - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x02, 0x01, - 0x40, 0x10, 0x28, 0x77, 0x4D, 0x77, 0x77, 0xC7, 0xB7, 0x66, /* a */ - 0x6D, 0x13, 0x66, 0xEA, 0x43, 0x20, 0x71, 0x27, 0x4F, 0x89, - 0xFF, 0x01, 0xE7, 0x18, - 0x06, 0x20, 0x04, 0x8D, 0x28, 0xBC, 0xBD, 0x03, 0xB6, 0x24, /* b */ - 0x9C, 0x99, 0x18, 0x2B, 0x7C, 0x8C, 0xD1, 0x97, 0x00, 0xC3, - 0x62, 0xC4, 0x6A, 0x01, - 0x38, 0x09, 0xB2, 0xB7, 0xCC, 0x1B, 0x28, 0xCC, 0x5A, 0x87, /* x */ - 0x92, 0x6A, 0xAD, 0x83, 0xFD, 0x28, 0x78, 0x9E, 0x81, 0xE2, - 0xC9, 0xE3, 0xBF, 0x10, - 0x17, 0x43, 0x43, 0x86, 0x62, 0x6D, 0x14, 0xF3, 0xDB, 0xF0, /* y */ - 0x17, 0x60, 0xD9, 0x21, 0x3A, 0x3E, 0x1C, 0xF3, 0x7A, 0xEC, - 0x43, 
0x7D, 0x66, 0x8A, - 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x00, 0x00, 0x50, 0x50, 0x8C, 0xB8, 0x9F, 0x65, 0x28, 0x24, - 0xE0, 0x6B, 0x81, 0x73 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 24 * 6]; -} - _EC_X9_62_CHAR2_191V3 = { - { - NID_X9_62_characteristic_two_field, 20, 24, 6 - }, - { - 0xE0, 0x53, 0x51, 0x2D, 0xC6, 0x84, 0xD6, 0x96, 0xE6, 0x76, /* seed */ - 0x87, 0x56, 0x15, 0x17, 0x50, 0x67, 0xAE, 0x78, 0x6D, 0x1F, - - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x02, 0x01, - 0x6C, 0x01, 0x07, 0x47, 0x56, 0x09, 0x91, 0x22, 0x22, 0x10, /* a */ - 0x56, 0x91, 0x1C, 0x77, 0xD7, 0x7E, 0x77, 0xA7, 0x77, 0xE7, - 0xE7, 0xE7, 0x7F, 0xCB, - 0x71, 0xFE, 0x1A, 0xF9, 0x26, 0xCF, 0x84, 0x79, 0x89, 0xEF, /* b */ - 0xEF, 0x8D, 0xB4, 0x59, 0xF6, 0x63, 0x94, 0xD9, 0x0F, 0x32, - 0xAD, 0x3F, 0x15, 0xE8, - 0x37, 0x5D, 0x4C, 0xE2, 0x4F, 0xDE, 0x43, 0x44, 0x89, 0xDE, /* x */ - 0x87, 0x46, 0xE7, 0x17, 0x86, 0x01, 0x50, 0x09, 0xE6, 0x6E, - 0x38, 0xA9, 0x26, 0xDD, - 0x54, 0x5A, 0x39, 0x17, 0x61, 0x96, 0x57, 0x5D, 0x98, 0x59, /* y */ - 0x99, 0x36, 0x6E, 0x6A, 0xD3, 0x4C, 0xE0, 0xA7, 0x7C, 0xD7, - 0x12, 0x7B, 0x06, 0xBE, - 0x15, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, /* order */ - 0x55, 0x55, 0x61, 0x0C, 0x0B, 0x19, 0x68, 0x12, 0xBF, 0xB6, - 0x28, 0x8A, 0x3E, 0xA3 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 27 * 6]; -} - _EC_X9_62_CHAR2_208W1 = { - { - NID_X9_62_characteristic_two_field, 0, 27, 0xFE48 - }, - { /* no seed */ - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 
0x00, 0xC8, 0x61, 0x9E, 0xD4, 0x5A, 0x62, 0xE6, 0x21, 0x2E, /* b */ - 0x11, 0x60, 0x34, 0x9E, 0x2B, 0xFA, 0x84, 0x44, 0x39, 0xFA, - 0xFC, 0x2A, 0x3F, 0xD1, 0x63, 0x8F, 0x9E, - 0x00, 0x89, 0xFD, 0xFB, 0xE4, 0xAB, 0xE1, 0x93, 0xDF, 0x95, /* x */ - 0x59, 0xEC, 0xF0, 0x7A, 0xC0, 0xCE, 0x78, 0x55, 0x4E, 0x27, - 0x84, 0xEB, 0x8C, 0x1E, 0xD1, 0xA5, 0x7A, - 0x00, 0x0F, 0x55, 0xB5, 0x1A, 0x06, 0xE7, 0x8E, 0x9A, 0xC3, /* y */ - 0x8A, 0x03, 0x5F, 0xF5, 0x20, 0xD8, 0xB0, 0x17, 0x81, 0xBE, - 0xB1, 0xA6, 0xBB, 0x08, 0x61, 0x7D, 0xE3, - 0x00, 0x00, 0x01, 0x01, 0xBA, 0xF9, 0x5C, 0x97, 0x23, 0xC5, /* order */ - 0x7B, 0x6C, 0x21, 0xDA, 0x2E, 0xFF, 0x2D, 0x5E, 0xD5, 0x88, - 0xBD, 0xD5, 0x71, 0x7E, 0x21, 0x2F, 0x9D - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 30 * 6]; -} - _EC_X9_62_CHAR2_239V1 = { - { - NID_X9_62_characteristic_two_field, 20, 30, 4 - }, - { - 0xD3, 0x4B, 0x9A, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, /* seed */ - 0x51, 0x75, 0xCA, 0x71, 0xB9, 0x20, 0xBF, 0xEF, 0xB0, 0x5D, - - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01, - - 0x32, 0x01, 0x08, 0x57, 0x07, 0x7C, 0x54, 0x31, 0x12, 0x3A, /* a */ - 0x46, 0xB8, 0x08, 0x90, 0x67, 0x56, 0xF5, 0x43, 0x42, 0x3E, - 0x8D, 0x27, 0x87, 0x75, 0x78, 0x12, 0x57, 0x78, 0xAC, 0x76, - - 0x79, 0x04, 0x08, 0xF2, 0xEE, 0xDA, 0xF3, 0x92, 0xB0, 0x12, /* b */ - 0xED, 0xEF, 0xB3, 0x39, 0x2F, 0x30, 0xF4, 0x32, 0x7C, 0x0C, - 0xA3, 0xF3, 0x1F, 0xC3, 0x83, 0xC4, 0x22, 0xAA, 0x8C, 0x16, - - 0x57, 0x92, 0x70, 0x98, 0xFA, 0x93, 0x2E, 0x7C, 0x0A, 0x96, /* x */ - 0xD3, 0xFD, 0x5B, 0x70, 0x6E, 0xF7, 0xE5, 0xF5, 0xC1, 0x56, - 0xE1, 0x6B, 0x7E, 0x7C, 0x86, 0x03, 0x85, 0x52, 0xE9, 0x1D, - - 0x61, 0xD8, 0xEE, 0x50, 0x77, 0xC3, 0x3F, 0xEC, 0xF6, 0xF1, /* y */ - 0xA1, 0x6B, 0x26, 0x8D, 0xE4, 0x69, 0xC3, 0xC7, 0x74, 0x4E, - 0xA9, 0xA9, 0x71, 0x64, 0x9F, 0xC7, 0xA9, 0x61, 0x63, 0x05, 
- - 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x4D, 0x42, 0xFF, 0xE1, - 0x49, 0x2A, 0x49, 0x93, 0xF1, 0xCA, 0xD6, 0x66, 0xE4, 0x47 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 30 * 6]; -} - _EC_X9_62_CHAR2_239V2 = { - { - NID_X9_62_characteristic_two_field, 20, 30, 6 - }, - { - 0x2A, 0xA6, 0x98, 0x2F, 0xDF, 0xA4, 0xD6, 0x96, 0xE6, 0x76, /* seed */ - 0x87, 0x56, 0x15, 0x17, 0x5D, 0x26, 0x67, 0x27, 0x27, 0x7D, - - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01, - - 0x42, 0x30, 0x01, 0x77, 0x57, 0xA7, 0x67, 0xFA, 0xE4, 0x23, /* a */ - 0x98, 0x56, 0x9B, 0x74, 0x63, 0x25, 0xD4, 0x53, 0x13, 0xAF, - 0x07, 0x66, 0x26, 0x64, 0x79, 0xB7, 0x56, 0x54, 0xE6, 0x5F, - - 0x50, 0x37, 0xEA, 0x65, 0x41, 0x96, 0xCF, 0xF0, 0xCD, 0x82, /* b */ - 0xB2, 0xC1, 0x4A, 0x2F, 0xCF, 0x2E, 0x3F, 0xF8, 0x77, 0x52, - 0x85, 0xB5, 0x45, 0x72, 0x2F, 0x03, 0xEA, 0xCD, 0xB7, 0x4B, - - 0x28, 0xF9, 0xD0, 0x4E, 0x90, 0x00, 0x69, 0xC8, 0xDC, 0x47, /* x */ - 0xA0, 0x85, 0x34, 0xFE, 0x76, 0xD2, 0xB9, 0x00, 0xB7, 0xD7, - 0xEF, 0x31, 0xF5, 0x70, 0x9F, 0x20, 0x0C, 0x4C, 0xA2, 0x05, - - 0x56, 0x67, 0x33, 0x4C, 0x45, 0xAF, 0xF3, 0xB5, 0xA0, 0x3B, /* y */ - 0xAD, 0x9D, 0xD7, 0x5E, 0x2C, 0x71, 0xA9, 0x93, 0x62, 0x56, - 0x7D, 0x54, 0x53, 0xF7, 0xFA, 0x6E, 0x22, 0x7E, 0xC8, 0x33, - - 0x15, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, /* order */ - 0x55, 0x55, 0x55, 0x55, 0x55, 0x3C, 0x6F, 0x28, 0x85, 0x25, - 0x9C, 0x31, 0xE3, 0xFC, 0xDF, 0x15, 0x46, 0x24, 0x52, 0x2D - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 30 * 6]; -} - _EC_X9_62_CHAR2_239V3 = { - { - NID_X9_62_characteristic_two_field, 20, 30, 0xA - }, - { - 0x9E, 0x07, 0x6F, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, /* seed */ - 0x51, 0x75, 0xE1, 0x1E, 0x9F, 0xDD, 0x77, 0xF9, 
0x20, 0x41, - - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x01, - - 0x01, 0x23, 0x87, 0x74, 0x66, 0x6A, 0x67, 0x76, 0x6D, 0x66, /* a */ - 0x76, 0xF7, 0x78, 0xE6, 0x76, 0xB6, 0x69, 0x99, 0x17, 0x66, - 0x66, 0xE6, 0x87, 0x66, 0x6D, 0x87, 0x66, 0xC6, 0x6A, 0x9F, - - 0x6A, 0x94, 0x19, 0x77, 0xBA, 0x9F, 0x6A, 0x43, 0x51, 0x99, /* b */ - 0xAC, 0xFC, 0x51, 0x06, 0x7E, 0xD5, 0x87, 0xF5, 0x19, 0xC5, - 0xEC, 0xB5, 0x41, 0xB8, 0xE4, 0x41, 0x11, 0xDE, 0x1D, 0x40, - - 0x70, 0xF6, 0xE9, 0xD0, 0x4D, 0x28, 0x9C, 0x4E, 0x89, 0x91, /* x */ - 0x3C, 0xE3, 0x53, 0x0B, 0xFD, 0xE9, 0x03, 0x97, 0x7D, 0x42, - 0xB1, 0x46, 0xD5, 0x39, 0xBF, 0x1B, 0xDE, 0x4E, 0x9C, 0x92, - - 0x2E, 0x5A, 0x0E, 0xAF, 0x6E, 0x5E, 0x13, 0x05, 0xB9, 0x00, /* y */ - 0x4D, 0xCE, 0x5C, 0x0E, 0xD7, 0xFE, 0x59, 0xA3, 0x56, 0x08, - 0xF3, 0x38, 0x37, 0xC8, 0x16, 0xD8, 0x0B, 0x79, 0xF4, 0x61, - - 0x0C, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, /* order */ - 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xAC, 0x49, 0x12, 0xD2, 0xD9, - 0xDF, 0x90, 0x3E, 0xF9, 0x88, 0x8B, 0x8A, 0x0E, 0x4C, 0xFF - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 35 * 6]; -} - _EC_X9_62_CHAR2_272W1 = { - { - NID_X9_62_characteristic_two_field, 0, 35, 0xFF06 - }, - { /* no seed */ - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x0B, - 0x00, 0x91, 0xA0, 0x91, 0xF0, 0x3B, 0x5F, 0xBA, 0x4A, 0xB2, /* a */ - 0xCC, 0xF4, 0x9C, 0x4E, 0xDD, 0x22, 0x0F, 0xB0, 0x28, 0x71, - 0x2D, 0x42, 0xBE, 0x75, 0x2B, 0x2C, 0x40, 0x09, 0x4D, 0xBA, - 0xCD, 0xB5, 0x86, 0xFB, 0x20, - 0x00, 0x71, 0x67, 0xEF, 0xC9, 0x2B, 0xB2, 0xE3, 0xCE, 0x7C, /* b */ - 0x8A, 0xAA, 0xFF, 0x34, 0xE1, 0x2A, 0x9C, 0x55, 0x70, 0x03, - 0xD7, 0xC7, 0x3A, 0x6F, 
0xAF, 0x00, 0x3F, 0x99, 0xF6, 0xCC, - 0x84, 0x82, 0xE5, 0x40, 0xF7, - 0x00, 0x61, 0x08, 0xBA, 0xBB, 0x2C, 0xEE, 0xBC, 0xF7, 0x87, /* x */ - 0x05, 0x8A, 0x05, 0x6C, 0xBE, 0x0C, 0xFE, 0x62, 0x2D, 0x77, - 0x23, 0xA2, 0x89, 0xE0, 0x8A, 0x07, 0xAE, 0x13, 0xEF, 0x0D, - 0x10, 0xD1, 0x71, 0xDD, 0x8D, - 0x00, 0x10, 0xC7, 0x69, 0x57, 0x16, 0x85, 0x1E, 0xEF, 0x6B, /* y */ - 0xA7, 0xF6, 0x87, 0x2E, 0x61, 0x42, 0xFB, 0xD2, 0x41, 0xB8, - 0x30, 0xFF, 0x5E, 0xFC, 0xAC, 0xEC, 0xCA, 0xB0, 0x5E, 0x02, - 0x00, 0x5D, 0xDE, 0x9D, 0x23, - 0x00, 0x00, 0x01, 0x00, 0xFA, 0xF5, 0x13, 0x54, 0xE0, 0xE3, /* order */ - 0x9E, 0x48, 0x92, 0xDF, 0x6E, 0x31, 0x9C, 0x72, 0xC8, 0x16, - 0x16, 0x03, 0xFA, 0x45, 0xAA, 0x7B, 0x99, 0x8A, 0x16, 0x7B, - 0x8F, 0x1E, 0x62, 0x95, 0x21 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 39 * 6]; -} - _EC_X9_62_CHAR2_304W1 = { - { - NID_X9_62_characteristic_two_field, 0, 39, 0xFE2E - }, - { /* no seed */ - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, 0x07, - 0x00, 0xFD, 0x0D, 0x69, 0x31, 0x49, 0xA1, 0x18, 0xF6, 0x51, /* a */ - 0xE6, 0xDC, 0xE6, 0x80, 0x20, 0x85, 0x37, 0x7E, 0x5F, 0x88, - 0x2D, 0x1B, 0x51, 0x0B, 0x44, 0x16, 0x00, 0x74, 0xC1, 0x28, - 0x80, 0x78, 0x36, 0x5A, 0x03, 0x96, 0xC8, 0xE6, 0x81, - 0x00, 0xBD, 0xDB, 0x97, 0xE5, 0x55, 0xA5, 0x0A, 0x90, 0x8E, /* b */ - 0x43, 0xB0, 0x1C, 0x79, 0x8E, 0xA5, 0xDA, 0xA6, 0x78, 0x8F, - 0x1E, 0xA2, 0x79, 0x4E, 0xFC, 0xF5, 0x71, 0x66, 0xB8, 0xC1, - 0x40, 0x39, 0x60, 0x1E, 0x55, 0x82, 0x73, 0x40, 0xBE, - 0x00, 0x19, 0x7B, 0x07, 0x84, 0x5E, 0x9B, 0xE2, 0xD9, 0x6A, /* x */ - 0xDB, 0x0F, 0x5F, 0x3C, 0x7F, 0x2C, 0xFF, 0xBD, 0x7A, 0x3E, - 0xB8, 0xB6, 0xFE, 0xC3, 0x5C, 0x7F, 0xD6, 0x7F, 0x26, 0xDD, - 0xF6, 0x28, 0x5A, 0x64, 0x4F, 0x74, 0x0A, 0x26, 0x14, - 0x00, 0xE1, 0x9F, 0xBE, 0xB7, 0x6E, 0x0D, 0xA1, 
0x71, 0x51, /* y */ - 0x7E, 0xCF, 0x40, 0x1B, 0x50, 0x28, 0x9B, 0xF0, 0x14, 0x10, - 0x32, 0x88, 0x52, 0x7A, 0x9B, 0x41, 0x6A, 0x10, 0x5E, 0x80, - 0x26, 0x0B, 0x54, 0x9F, 0xDC, 0x1B, 0x92, 0xC0, 0x3B, - 0x00, 0x00, 0x01, 0x01, 0xD5, 0x56, 0x57, 0x2A, 0xAB, 0xAC, /* order */ - 0x80, 0x01, 0x01, 0xD5, 0x56, 0x57, 0x2A, 0xAB, 0xAC, 0x80, - 0x01, 0x02, 0x2D, 0x5C, 0x91, 0xDD, 0x17, 0x3F, 0x8F, 0xB5, - 0x61, 0xDA, 0x68, 0x99, 0x16, 0x44, 0x43, 0x05, 0x1D - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 45 * 6]; -} - _EC_X9_62_CHAR2_359V1 = { - { - NID_X9_62_characteristic_two_field, 20, 45, 0x4C - }, - { - 0x2B, 0x35, 0x49, 0x20, 0xB7, 0x24, 0xD6, 0x96, 0xE6, 0x76, /* seed */ - 0x87, 0x56, 0x15, 0x17, 0x58, 0x5B, 0xA1, 0x33, 0x2D, 0xC6, - - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x01, - 0x56, 0x67, 0x67, 0x6A, 0x65, 0x4B, 0x20, 0x75, 0x4F, 0x35, /* a */ - 0x6E, 0xA9, 0x20, 0x17, 0xD9, 0x46, 0x56, 0x7C, 0x46, 0x67, - 0x55, 0x56, 0xF1, 0x95, 0x56, 0xA0, 0x46, 0x16, 0xB5, 0x67, - 0xD2, 0x23, 0xA5, 0xE0, 0x56, 0x56, 0xFB, 0x54, 0x90, 0x16, - 0xA9, 0x66, 0x56, 0xA5, 0x57, - 0x24, 0x72, 0xE2, 0xD0, 0x19, 0x7C, 0x49, 0x36, 0x3F, 0x1F, /* b */ - 0xE7, 0xF5, 0xB6, 0xDB, 0x07, 0x5D, 0x52, 0xB6, 0x94, 0x7D, - 0x13, 0x5D, 0x8C, 0xA4, 0x45, 0x80, 0x5D, 0x39, 0xBC, 0x34, - 0x56, 0x26, 0x08, 0x96, 0x87, 0x74, 0x2B, 0x63, 0x29, 0xE7, - 0x06, 0x80, 0x23, 0x19, 0x88, - 0x3C, 0x25, 0x8E, 0xF3, 0x04, 0x77, 0x67, 0xE7, 0xED, 0xE0, /* x */ - 0xF1, 0xFD, 0xAA, 0x79, 0xDA, 0xEE, 0x38, 0x41, 0x36, 0x6A, - 0x13, 0x2E, 0x16, 0x3A, 0xCE, 0xD4, 0xED, 0x24, 0x01, 0xDF, - 0x9C, 0x6B, 0xDC, 0xDE, 0x98, 0xE8, 0xE7, 0x07, 0xC0, 0x7A, - 0x22, 0x39, 0xB1, 0xB0, 0x97, - 0x53, 0xD7, 0xE0, 0x85, 0x29, 0x54, 0x70, 0x48, 0x12, 0x1E, /* y */ - 
0x9C, 0x95, 0xF3, 0x79, 0x1D, 0xD8, 0x04, 0x96, 0x39, 0x48, - 0xF3, 0x4F, 0xAE, 0x7B, 0xF4, 0x4E, 0xA8, 0x23, 0x65, 0xDC, - 0x78, 0x68, 0xFE, 0x57, 0xE4, 0xAE, 0x2D, 0xE2, 0x11, 0x30, - 0x5A, 0x40, 0x71, 0x04, 0xBD, - 0x01, 0xAF, 0x28, 0x6B, 0xCA, 0x1A, 0xF2, 0x86, 0xBC, 0xA1, /* order */ - 0xAF, 0x28, 0x6B, 0xCA, 0x1A, 0xF2, 0x86, 0xBC, 0xA1, 0xAF, - 0x28, 0x6B, 0xC9, 0xFB, 0x8F, 0x6B, 0x85, 0xC5, 0x56, 0x89, - 0x2C, 0x20, 0xA7, 0xEB, 0x96, 0x4F, 0xE7, 0x71, 0x9E, 0x74, - 0xF4, 0x90, 0x75, 0x8D, 0x3B - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 47 * 6]; -} - _EC_X9_62_CHAR2_368W1 = { - { - NID_X9_62_characteristic_two_field, 0, 47, 0xFF70 - }, - { /* no seed */ - 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, - 0x00, 0xE0, 0xD2, 0xEE, 0x25, 0x09, 0x52, 0x06, 0xF5, 0xE2, /* a */ - 0xA4, 0xF9, 0xED, 0x22, 0x9F, 0x1F, 0x25, 0x6E, 0x79, 0xA0, - 0xE2, 0xB4, 0x55, 0x97, 0x0D, 0x8D, 0x0D, 0x86, 0x5B, 0xD9, - 0x47, 0x78, 0xC5, 0x76, 0xD6, 0x2F, 0x0A, 0xB7, 0x51, 0x9C, - 0xCD, 0x2A, 0x1A, 0x90, 0x6A, 0xE3, 0x0D, - 0x00, 0xFC, 0x12, 0x17, 0xD4, 0x32, 0x0A, 0x90, 0x45, 0x2C, /* b */ - 0x76, 0x0A, 0x58, 0xED, 0xCD, 0x30, 0xC8, 0xDD, 0x06, 0x9B, - 0x3C, 0x34, 0x45, 0x38, 0x37, 0xA3, 0x4E, 0xD5, 0x0C, 0xB5, - 0x49, 0x17, 0xE1, 0xC2, 0x11, 0x2D, 0x84, 0xD1, 0x64, 0xF4, - 0x44, 0xF8, 0xF7, 0x47, 0x86, 0x04, 0x6A, - 0x00, 0x10, 0x85, 0xE2, 0x75, 0x53, 0x81, 0xDC, 0xCC, 0xE3, /* x */ - 0xC1, 0x55, 0x7A, 0xFA, 0x10, 0xC2, 0xF0, 0xC0, 0xC2, 0x82, - 0x56, 0x46, 0xC5, 0xB3, 0x4A, 0x39, 0x4C, 0xBC, 0xFA, 0x8B, - 0xC1, 0x6B, 0x22, 0xE7, 0xE7, 0x89, 0xE9, 0x27, 0xBE, 0x21, - 0x6F, 0x02, 0xE1, 0xFB, 0x13, 0x6A, 0x5F, - 0x00, 0x7B, 0x3E, 0xB1, 0xBD, 0xDC, 0xBA, 0x62, 0xD5, 0xD8, /* y */ - 0xB2, 0x05, 0x9B, 0x52, 
0x57, 0x97, 0xFC, 0x73, 0x82, 0x2C, - 0x59, 0x05, 0x9C, 0x62, 0x3A, 0x45, 0xFF, 0x38, 0x43, 0xCE, - 0xE8, 0xF8, 0x7C, 0xD1, 0x85, 0x5A, 0xDA, 0xA8, 0x1E, 0x2A, - 0x07, 0x50, 0xB8, 0x0F, 0xDA, 0x23, 0x10, - 0x00, 0x00, 0x01, 0x00, 0x90, 0x51, 0x2D, 0xA9, 0xAF, 0x72, /* order */ - 0xB0, 0x83, 0x49, 0xD9, 0x8A, 0x5D, 0xD4, 0xC7, 0xB0, 0x53, - 0x2E, 0xCA, 0x51, 0xCE, 0x03, 0xE2, 0xD1, 0x0F, 0x3B, 0x7A, - 0xC5, 0x79, 0xBD, 0x87, 0xE9, 0x09, 0xAE, 0x40, 0xA6, 0xF1, - 0x31, 0xE9, 0xCF, 0xCE, 0x5B, 0xD9, 0x67 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 54 * 6]; -} - _EC_X9_62_CHAR2_431R1 = { - { - NID_X9_62_characteristic_two_field, 0, 54, 0x2760 - }, - { /* no seed */ - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x01, - 0x1A, 0x82, 0x7E, 0xF0, 0x0D, 0xD6, 0xFC, 0x0E, 0x23, 0x4C, /* a */ - 0xAF, 0x04, 0x6C, 0x6A, 0x5D, 0x8A, 0x85, 0x39, 0x5B, 0x23, - 0x6C, 0xC4, 0xAD, 0x2C, 0xF3, 0x2A, 0x0C, 0xAD, 0xBD, 0xC9, - 0xDD, 0xF6, 0x20, 0xB0, 0xEB, 0x99, 0x06, 0xD0, 0x95, 0x7F, - 0x6C, 0x6F, 0xEA, 0xCD, 0x61, 0x54, 0x68, 0xDF, 0x10, 0x4D, - 0xE2, 0x96, 0xCD, 0x8F, - 0x10, 0xD9, 0xB4, 0xA3, 0xD9, 0x04, 0x7D, 0x8B, 0x15, 0x43, /* b */ - 0x59, 0xAB, 0xFB, 0x1B, 0x7F, 0x54, 0x85, 0xB0, 0x4C, 0xEB, - 0x86, 0x82, 0x37, 0xDD, 0xC9, 0xDE, 0xDA, 0x98, 0x2A, 0x67, - 0x9A, 0x5A, 0x91, 0x9B, 0x62, 0x6D, 0x4E, 0x50, 0xA8, 0xDD, - 0x73, 0x1B, 0x10, 0x7A, 0x99, 0x62, 0x38, 0x1F, 0xB5, 0xD8, - 0x07, 0xBF, 0x26, 0x18, - 0x12, 0x0F, 0xC0, 0x5D, 0x3C, 0x67, 0xA9, 0x9D, 0xE1, 0x61, /* x */ - 0xD2, 0xF4, 0x09, 0x26, 0x22, 0xFE, 0xCA, 0x70, 0x1B, 0xE4, - 0xF5, 0x0F, 0x47, 0x58, 0x71, 0x4E, 0x8A, 0x87, 0xBB, 0xF2, - 0xA6, 0x58, 0xEF, 0x8C, 0x21, 0xE7, 0xC5, 0xEF, 0xE9, 0x65, - 0x36, 
0x1F, 0x6C, 0x29, 0x99, 0xC0, 0xC2, 0x47, 0xB0, 0xDB, - 0xD7, 0x0C, 0xE6, 0xB7, - 0x20, 0xD0, 0xAF, 0x89, 0x03, 0xA9, 0x6F, 0x8D, 0x5F, 0xA2, /* y */ - 0xC2, 0x55, 0x74, 0x5D, 0x3C, 0x45, 0x1B, 0x30, 0x2C, 0x93, - 0x46, 0xD9, 0xB7, 0xE4, 0x85, 0xE7, 0xBC, 0xE4, 0x1F, 0x6B, - 0x59, 0x1F, 0x3E, 0x8F, 0x6A, 0xDD, 0xCB, 0xB0, 0xBC, 0x4C, - 0x2F, 0x94, 0x7A, 0x7D, 0xE1, 0xA8, 0x9B, 0x62, 0x5D, 0x6A, - 0x59, 0x8B, 0x37, 0x60, - 0x00, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, /* order */ - 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, - 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x40, 0x34, 0x03, 0x23, - 0xC3, 0x13, 0xFA, 0xB5, 0x05, 0x89, 0x70, 0x3B, 0x5E, 0xC6, - 0x8D, 0x35, 0x87, 0xFE, 0xC6, 0x0D, 0x16, 0x1C, 0xC1, 0x49, - 0xC1, 0xAD, 0x4A, 0x91 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 15 * 6]; -} - _EC_WTLS_1 = { - { - NID_X9_62_characteristic_two_field, 0, 15, 2 - }, - { /* no seed */ - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x02, 0x01, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ - 0x00, 0x00, 0x00, 0x00, 0x01, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ - 0x00, 0x00, 0x00, 0x00, 0x01, - 0x01, 0x66, 0x79, 0x79, 0xA4, 0x0B, 0xA4, 0x97, 0xE5, 0xD5, /* x */ - 0xC2, 0x70, 0x78, 0x06, 0x17, - 0x00, 0xF4, 0x4B, 0x4A, 0xF1, 0xEC, 0xC2, 0x63, 0x0E, 0x08, /* y */ - 0x78, 0x5C, 0xEB, 0xCC, 0x15, - 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFD, 0xBF, /* order */ - 0x91, 0xAF, 0x6D, 0xEA, 0x73 - } -}; - -/* IPsec curves */ -/* NOTE: The of curves over a extension field of non prime degree - * is not recommended (Weil-descent). - * As the group order is not a prime this curve is not suitable - * for ECDSA. 
- */ -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 20 * 6]; -} - _EC_IPSEC_155_ID3 = { - { - NID_X9_62_characteristic_two_field, 0, 20, 3 - }, - { /* no seed */ - 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x33, 0x8f, - - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7b, - - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* y */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc8, - - 0x02, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, /* order */ - 0xC7, 0xF3, 0xC7, 0x88, 0x1B, 0xD0, 0x86, 0x8F, 0xA8, 0x6C - } -}; - -/* NOTE: The of curves over a extension field of non prime degree - * is not recommended (Weil-descent). - * As the group order is not a prime this curve is not suitable - * for ECDSA. 
- */ -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 24 * 6]; -} - _EC_IPSEC_185_ID4 = { - { - NID_X9_62_characteristic_two_field, 0, 24, 2 - }, - { /* no seed */ - 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x01, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x1e, 0xe9, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x18, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* y */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x0d, - 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0xED, 0xF9, 0x7C, 0x44, 0xDB, 0x9F, 0x24, 0x20, - 0xBA, 0xFC, 0xA7, 0x5E - } -}; - -#endif - -/* These curves were added by Annie Yousar - * For the definition of RFC 5639 curves see - * https://www.ietf.org/rfc/rfc5639.txt - * These curves are generated verifiable at random, nevertheless the seed is - * omitted as parameter because the generation mechanism is different from - * those defined in ANSI X9.62. 
- */ - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 20 * 6]; -} - _EC_brainpoolP160r1 = { - { - NID_X9_62_prime_field, 0, 20, 1 - }, - { /* no seed */ - 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, /* p */ - 0xC7, 0xAD, 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F, - 0x34, 0x0E, 0x7B, 0xE2, 0xA2, 0x80, 0xEB, 0x74, 0xE2, 0xBE, /* a */ - 0x61, 0xBA, 0xDA, 0x74, 0x5D, 0x97, 0xE8, 0xF7, 0xC3, 0x00, - 0x1E, 0x58, 0x9A, 0x85, 0x95, 0x42, 0x34, 0x12, 0x13, 0x4F, /* b */ - 0xAA, 0x2D, 0xBD, 0xEC, 0x95, 0xC8, 0xD8, 0x67, 0x5E, 0x58, - 0xBE, 0xD5, 0xAF, 0x16, 0xEA, 0x3F, 0x6A, 0x4F, 0x62, 0x93, /* x */ - 0x8C, 0x46, 0x31, 0xEB, 0x5A, 0xF7, 0xBD, 0xBC, 0xDB, 0xC3, - 0x16, 0x67, 0xCB, 0x47, 0x7A, 0x1A, 0x8E, 0xC3, 0x38, 0xF9, /* y */ - 0x47, 0x41, 0x66, 0x9C, 0x97, 0x63, 0x16, 0xDA, 0x63, 0x21, - 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, /* order */ - 0x59, 0x91, 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 20 * 6]; -} - _EC_brainpoolP160t1 = { - { - NID_X9_62_prime_field, 0, 20, 1 - }, - { /* no seed */ - 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, /* p */ - 0xC7, 0xAD, 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F, - 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, /* a */ - 0xC7, 0xAD, 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0C, - 0x7A, 0x55, 0x6B, 0x6D, 0xAE, 0x53, 0x5B, 0x7B, 0x51, 0xED, /* b */ - 0x2C, 0x4D, 0x7D, 0xAA, 0x7A, 0x0B, 0x5C, 0x55, 0xF3, 0x80, - 0xB1, 0x99, 0xB1, 0x3B, 0x9B, 0x34, 0xEF, 0xC1, 0x39, 0x7E, /* x */ - 0x64, 0xBA, 0xEB, 0x05, 0xAC, 0xC2, 0x65, 0xFF, 0x23, 0x78, - 0xAD, 0xD6, 0x71, 0x8B, 0x7C, 0x7C, 0x19, 0x61, 0xF0, 0x99, /* y */ - 0x1B, 0x84, 0x24, 0x43, 0x77, 0x21, 0x52, 0xC9, 0xE0, 0xAD, - 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, /* order */ - 0x59, 0x91, 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 - } -}; - -static const struct { - EC_CURVE_DATA h; - 
unsigned char data[0 + 24 * 6]; -} - _EC_brainpoolP192r1 = { - { - NID_X9_62_prime_field, 0, 24, 1 - }, - { /* no seed */ - 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, /* p */ - 0x46, 0x30, 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, - 0xE1, 0xA8, 0x62, 0x97, - 0x6A, 0x91, 0x17, 0x40, 0x76, 0xB1, 0xE0, 0xE1, 0x9C, 0x39, /* a */ - 0xC0, 0x31, 0xFE, 0x86, 0x85, 0xC1, 0xCA, 0xE0, 0x40, 0xE5, - 0xC6, 0x9A, 0x28, 0xEF, - 0x46, 0x9A, 0x28, 0xEF, 0x7C, 0x28, 0xCC, 0xA3, 0xDC, 0x72, /* b */ - 0x1D, 0x04, 0x4F, 0x44, 0x96, 0xBC, 0xCA, 0x7E, 0xF4, 0x14, - 0x6F, 0xBF, 0x25, 0xC9, - 0xC0, 0xA0, 0x64, 0x7E, 0xAA, 0xB6, 0xA4, 0x87, 0x53, 0xB0, /* x */ - 0x33, 0xC5, 0x6C, 0xB0, 0xF0, 0x90, 0x0A, 0x2F, 0x5C, 0x48, - 0x53, 0x37, 0x5F, 0xD6, - 0x14, 0xB6, 0x90, 0x86, 0x6A, 0xBD, 0x5B, 0xB8, 0x8B, 0x5F, /* y */ - 0x48, 0x28, 0xC1, 0x49, 0x00, 0x02, 0xE6, 0x77, 0x3F, 0xA2, - 0xFA, 0x29, 0x9B, 0x8F, - 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, /* order */ - 0x46, 0x2F, 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, - 0x9A, 0xC4, 0xAC, 0xC1 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 24 * 6]; -} - _EC_brainpoolP192t1 = { - { - NID_X9_62_prime_field, 0, 24, 1 - }, - { /* no seed */ - 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, /* p */ - 0x46, 0x30, 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, - 0xE1, 0xA8, 0x62, 0x97, - 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, /* a */ - 0x46, 0x30, 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, - 0xE1, 0xA8, 0x62, 0x94, - 0x13, 0xD5, 0x6F, 0xFA, 0xEC, 0x78, 0x68, 0x1E, 0x68, 0xF9, /* b */ - 0xDE, 0xB4, 0x3B, 0x35, 0xBE, 0xC2, 0xFB, 0x68, 0x54, 0x2E, - 0x27, 0x89, 0x7B, 0x79, - 0x3A, 0xE9, 0xE5, 0x8C, 0x82, 0xF6, 0x3C, 0x30, 0x28, 0x2E, /* x */ - 0x1F, 0xE7, 0xBB, 0xF4, 0x3F, 0xA7, 0x2C, 0x44, 0x6A, 0xF6, - 0xF4, 0x61, 0x81, 0x29, - 0x09, 0x7E, 0x2C, 0x56, 0x67, 0xC2, 0x22, 0x3A, 0x90, 0x2A, /* y */ - 0xB5, 0xCA, 0x44, 0x9D, 0x00, 0x84, 0xB7, 
0xE5, 0xB3, 0xDE, - 0x7C, 0xCC, 0x01, 0xC9, - 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, /* order */ - 0x46, 0x2F, 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, - 0x9A, 0xC4, 0xAC, 0xC1 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 28 * 6]; -} - _EC_brainpoolP224r1 = { - { - NID_X9_62_prime_field, 0, 28, 1 - }, - { /* no seed */ - 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, /* p */ - 0x30, 0x25, 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, - 0x97, 0xDA, 0x89, 0xF5, 0x7E, 0xC8, 0xC0, 0xFF, - 0x68, 0xA5, 0xE6, 0x2C, 0xA9, 0xCE, 0x6C, 0x1C, 0x29, 0x98, /* a */ - 0x03, 0xA6, 0xC1, 0x53, 0x0B, 0x51, 0x4E, 0x18, 0x2A, 0xD8, - 0xB0, 0x04, 0x2A, 0x59, 0xCA, 0xD2, 0x9F, 0x43, - 0x25, 0x80, 0xF6, 0x3C, 0xCF, 0xE4, 0x41, 0x38, 0x87, 0x07, /* b */ - 0x13, 0xB1, 0xA9, 0x23, 0x69, 0xE3, 0x3E, 0x21, 0x35, 0xD2, - 0x66, 0xDB, 0xB3, 0x72, 0x38, 0x6C, 0x40, 0x0B, - 0x0D, 0x90, 0x29, 0xAD, 0x2C, 0x7E, 0x5C, 0xF4, 0x34, 0x08, /* x */ - 0x23, 0xB2, 0xA8, 0x7D, 0xC6, 0x8C, 0x9E, 0x4C, 0xE3, 0x17, - 0x4C, 0x1E, 0x6E, 0xFD, 0xEE, 0x12, 0xC0, 0x7D, - 0x58, 0xAA, 0x56, 0xF7, 0x72, 0xC0, 0x72, 0x6F, 0x24, 0xC6, /* y */ - 0xB8, 0x9E, 0x4E, 0xCD, 0xAC, 0x24, 0x35, 0x4B, 0x9E, 0x99, - 0xCA, 0xA3, 0xF6, 0xD3, 0x76, 0x14, 0x02, 0xCD, - 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, /* order */ - 0x30, 0x25, 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, - 0x6D, 0xDE, 0xBC, 0xA3, 0xA5, 0xA7, 0x93, 0x9F - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 28 * 6]; -} - _EC_brainpoolP224t1 = { - { - NID_X9_62_prime_field, 0, 28, 1 - }, - { /* no seed */ - 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, /* p */ - 0x30, 0x25, 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, - 0x97, 0xDA, 0x89, 0xF5, 0x7E, 0xC8, 0xC0, 0xFF, - 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, /* a */ - 0x30, 0x25, 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, - 0x97, 0xDA, 0x89, 0xF5, 0x7E, 
0xC8, 0xC0, 0xFC, - 0x4B, 0x33, 0x7D, 0x93, 0x41, 0x04, 0xCD, 0x7B, 0xEF, 0x27, /* b */ - 0x1B, 0xF6, 0x0C, 0xED, 0x1E, 0xD2, 0x0D, 0xA1, 0x4C, 0x08, - 0xB3, 0xBB, 0x64, 0xF1, 0x8A, 0x60, 0x88, 0x8D, - 0x6A, 0xB1, 0xE3, 0x44, 0xCE, 0x25, 0xFF, 0x38, 0x96, 0x42, /* x */ - 0x4E, 0x7F, 0xFE, 0x14, 0x76, 0x2E, 0xCB, 0x49, 0xF8, 0x92, - 0x8A, 0xC0, 0xC7, 0x60, 0x29, 0xB4, 0xD5, 0x80, - 0x03, 0x74, 0xE9, 0xF5, 0x14, 0x3E, 0x56, 0x8C, 0xD2, 0x3F, /* y */ - 0x3F, 0x4D, 0x7C, 0x0D, 0x4B, 0x1E, 0x41, 0xC8, 0xCC, 0x0D, - 0x1C, 0x6A, 0xBD, 0x5F, 0x1A, 0x46, 0xDB, 0x4C, - 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, /* order */ - 0x30, 0x25, 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, - 0x6D, 0xDE, 0xBC, 0xA3, 0xA5, 0xA7, 0x93, 0x9F - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 32 * 6]; -} - _EC_brainpoolP256r1 = { - { - NID_X9_62_prime_field, 0, 32, 1 - }, - { /* no seed */ - 0xA9, 0xFB, 0x57, 0xDB, 0xA1, 0xEE, 0xA9, 0xBC, 0x3E, 0x66, /* p */ - 0x0A, 0x90, 0x9D, 0x83, 0x8D, 0x72, 0x6E, 0x3B, 0xF6, 0x23, - 0xD5, 0x26, 0x20, 0x28, 0x20, 0x13, 0x48, 0x1D, 0x1F, 0x6E, + uint8_t p[32]; + uint8_t a[32]; + uint8_t b[32]; + uint8_t x[32]; + uint8_t y[32]; + uint8_t order[32]; +} _EC_brainpoolP256r1 = { + .p = { + 0xa9, 0xfb, 0x57, 0xdb, 0xa1, 0xee, 0xa9, 0xbc, 0x3e, 0x66, + 0x0a, 0x90, 0x9d, 0x83, 0x8d, 0x72, 0x6e, 0x3b, 0xf6, 0x23, + 0xd5, 0x26, 0x20, 0x28, 0x20, 0x13, 0x48, 0x1d, 0x1f, 0x6e, 0x53, 0x77, - 0x7D, 0x5A, 0x09, 0x75, 0xFC, 0x2C, 0x30, 0x57, 0xEE, 0xF6, /* a */ - 0x75, 0x30, 0x41, 0x7A, 0xFF, 0xE7, 0xFB, 0x80, 0x55, 0xC1, - 0x26, 0xDC, 0x5C, 0x6C, 0xE9, 0x4A, 0x4B, 0x44, 0xF3, 0x30, - 0xB5, 0xD9, - 0x26, 0xDC, 0x5C, 0x6C, 0xE9, 0x4A, 0x4B, 0x44, 0xF3, 0x30, /* b */ - 0xB5, 0xD9, 0xBB, 0xD7, 0x7C, 0xBF, 0x95, 0x84, 0x16, 0x29, - 0x5C, 0xF7, 0xE1, 0xCE, 0x6B, 0xCC, 0xDC, 0x18, 0xFF, 0x8C, - 0x07, 0xB6, - 0x8B, 0xD2, 0xAE, 0xB9, 0xCB, 0x7E, 0x57, 0xCB, 0x2C, 0x4B, /* x */ - 0x48, 0x2F, 0xFC, 0x81, 0xB7, 0xAF, 0xB9, 0xDE, 
0x27, 0xE1, - 0xE3, 0xBD, 0x23, 0xC2, 0x3A, 0x44, 0x53, 0xBD, 0x9A, 0xCE, + }, + .a = { + 0x7d, 0x5a, 0x09, 0x75, 0xfc, 0x2c, 0x30, 0x57, 0xee, 0xf6, + 0x75, 0x30, 0x41, 0x7a, 0xff, 0xe7, 0xfb, 0x80, 0x55, 0xc1, + 0x26, 0xdc, 0x5c, 0x6c, 0xe9, 0x4a, 0x4b, 0x44, 0xf3, 0x30, + 0xb5, 0xd9, + }, + .b = { + 0x26, 0xdc, 0x5c, 0x6c, 0xe9, 0x4a, 0x4b, 0x44, 0xf3, 0x30, + 0xb5, 0xd9, 0xbb, 0xd7, 0x7c, 0xbf, 0x95, 0x84, 0x16, 0x29, + 0x5c, 0xf7, 0xe1, 0xce, 0x6b, 0xcc, 0xdc, 0x18, 0xff, 0x8c, + 0x07, 0xb6, + }, + .x = { + 0x8b, 0xd2, 0xae, 0xb9, 0xcb, 0x7e, 0x57, 0xcb, 0x2c, 0x4b, + 0x48, 0x2f, 0xfc, 0x81, 0xb7, 0xaf, 0xb9, 0xde, 0x27, 0xe1, + 0xe3, 0xbd, 0x23, 0xc2, 0x3a, 0x44, 0x53, 0xbd, 0x9a, 0xce, 0x32, 0x62, - 0x54, 0x7E, 0xF8, 0x35, 0xC3, 0xDA, 0xC4, 0xFD, 0x97, 0xF8, /* y */ - 0x46, 0x1A, 0x14, 0x61, 0x1D, 0xC9, 0xC2, 0x77, 0x45, 0x13, - 0x2D, 0xED, 0x8E, 0x54, 0x5C, 0x1D, 0x54, 0xC7, 0x2F, 0x04, + }, + .y = { + 0x54, 0x7e, 0xf8, 0x35, 0xc3, 0xda, 0xc4, 0xfd, 0x97, 0xf8, + 0x46, 0x1a, 0x14, 0x61, 0x1d, 0xc9, 0xc2, 0x77, 0x45, 0x13, + 0x2d, 0xed, 0x8e, 0x54, 0x5c, 0x1d, 0x54, 0xc7, 0x2f, 0x04, 0x69, 0x97, - 0xA9, 0xFB, 0x57, 0xDB, 0xA1, 0xEE, 0xA9, 0xBC, 0x3E, 0x66, /* order */ - 0x0A, 0x90, 0x9D, 0x83, 0x8D, 0x71, 0x8C, 0x39, 0x7A, 0xA3, - 0xB5, 0x61, 0xA6, 0xF7, 0x90, 0x1E, 0x0E, 0x82, 0x97, 0x48, - 0x56, 0xA7 - } + }, + .order = { + 0xa9, 0xfb, 0x57, 0xdb, 0xa1, 0xee, 0xa9, 0xbc, 0x3e, 0x66, + 0x0a, 0x90, 0x9d, 0x83, 0x8d, 0x71, 0x8c, 0x39, 0x7a, 0xa3, + 0xb5, 0x61, 0xa6, 0xf7, 0x90, 0x1e, 0x0e, 0x82, 0x97, 0x48, + 0x56, 0xa7, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 32 * 6]; -} - _EC_brainpoolP256t1 = { - { - NID_X9_62_prime_field, 0, 32, 1 - }, - { /* no seed */ - 0xA9, 0xFB, 0x57, 0xDB, 0xA1, 0xEE, 0xA9, 0xBC, 0x3E, 0x66, /* p */ - 0x0A, 0x90, 0x9D, 0x83, 0x8D, 0x72, 0x6E, 0x3B, 0xF6, 0x23, - 0xD5, 0x26, 0x20, 0x28, 0x20, 0x13, 0x48, 0x1D, 0x1F, 0x6E, + uint8_t p[32]; + uint8_t a[32]; + uint8_t b[32]; + uint8_t x[32]; + uint8_t 
y[32]; + uint8_t order[32]; +} _EC_brainpoolP256t1 = { + .p = { + 0xa9, 0xfb, 0x57, 0xdb, 0xa1, 0xee, 0xa9, 0xbc, 0x3e, 0x66, + 0x0a, 0x90, 0x9d, 0x83, 0x8d, 0x72, 0x6e, 0x3b, 0xf6, 0x23, + 0xd5, 0x26, 0x20, 0x28, 0x20, 0x13, 0x48, 0x1d, 0x1f, 0x6e, 0x53, 0x77, - 0xA9, 0xFB, 0x57, 0xDB, 0xA1, 0xEE, 0xA9, 0xBC, 0x3E, 0x66, /* a */ - 0x0A, 0x90, 0x9D, 0x83, 0x8D, 0x72, 0x6E, 0x3B, 0xF6, 0x23, - 0xD5, 0x26, 0x20, 0x28, 0x20, 0x13, 0x48, 0x1D, 0x1F, 0x6E, + }, + .a = { + 0xa9, 0xfb, 0x57, 0xdb, 0xa1, 0xee, 0xa9, 0xbc, 0x3e, 0x66, + 0x0a, 0x90, 0x9d, 0x83, 0x8d, 0x72, 0x6e, 0x3b, 0xf6, 0x23, + 0xd5, 0x26, 0x20, 0x28, 0x20, 0x13, 0x48, 0x1d, 0x1f, 0x6e, 0x53, 0x74, - 0x66, 0x2C, 0x61, 0xC4, 0x30, 0xD8, 0x4E, 0xA4, 0xFE, 0x66, /* b */ - 0xA7, 0x73, 0x3D, 0x0B, 0x76, 0xB7, 0xBF, 0x93, 0xEB, 0xC4, - 0xAF, 0x2F, 0x49, 0x25, 0x6A, 0xE5, 0x81, 0x01, 0xFE, 0xE9, - 0x2B, 0x04, - 0xA3, 0xE8, 0xEB, 0x3C, 0xC1, 0xCF, 0xE7, 0xB7, 0x73, 0x22, /* x */ - 0x13, 0xB2, 0x3A, 0x65, 0x61, 0x49, 0xAF, 0xA1, 0x42, 0xC4, - 0x7A, 0xAF, 0xBC, 0x2B, 0x79, 0xA1, 0x91, 0x56, 0x2E, 0x13, - 0x05, 0xF4, - 0x2D, 0x99, 0x6C, 0x82, 0x34, 0x39, 0xC5, 0x6D, 0x7F, 0x7B, /* y */ - 0x22, 0xE1, 0x46, 0x44, 0x41, 0x7E, 0x69, 0xBC, 0xB6, 0xDE, - 0x39, 0xD0, 0x27, 0x00, 0x1D, 0xAB, 0xE8, 0xF3, 0x5B, 0x25, - 0xC9, 0xBE, - 0xA9, 0xFB, 0x57, 0xDB, 0xA1, 0xEE, 0xA9, 0xBC, 0x3E, 0x66, /* order */ - 0x0A, 0x90, 0x9D, 0x83, 0x8D, 0x71, 0x8C, 0x39, 0x7A, 0xA3, - 0xB5, 0x61, 0xA6, 0xF7, 0x90, 0x1E, 0x0E, 0x82, 0x97, 0x48, - 0x56, 0xA7 - } + }, + .b = { + 0x66, 0x2c, 0x61, 0xc4, 0x30, 0xd8, 0x4e, 0xa4, 0xfe, 0x66, + 0xa7, 0x73, 0x3d, 0x0b, 0x76, 0xb7, 0xbf, 0x93, 0xeb, 0xc4, + 0xaf, 0x2f, 0x49, 0x25, 0x6a, 0xe5, 0x81, 0x01, 0xfe, 0xe9, + 0x2b, 0x04, + }, + .x = { + 0xa3, 0xe8, 0xeb, 0x3c, 0xc1, 0xcf, 0xe7, 0xb7, 0x73, 0x22, + 0x13, 0xb2, 0x3a, 0x65, 0x61, 0x49, 0xaf, 0xa1, 0x42, 0xc4, + 0x7a, 0xaf, 0xbc, 0x2b, 0x79, 0xa1, 0x91, 0x56, 0x2e, 0x13, + 0x05, 0xf4, + }, + .y = { + 0x2d, 0x99, 0x6c, 0x82, 0x34, 0x39, 0xc5, 0x6d, 
0x7f, 0x7b, + 0x22, 0xe1, 0x46, 0x44, 0x41, 0x7e, 0x69, 0xbc, 0xb6, 0xde, + 0x39, 0xd0, 0x27, 0x00, 0x1d, 0xab, 0xe8, 0xf3, 0x5b, 0x25, + 0xc9, 0xbe, + }, + .order = { + 0xa9, 0xfb, 0x57, 0xdb, 0xa1, 0xee, 0xa9, 0xbc, 0x3e, 0x66, + 0x0a, 0x90, 0x9d, 0x83, 0x8d, 0x71, 0x8c, 0x39, 0x7a, 0xa3, + 0xb5, 0x61, 0xa6, 0xf7, 0x90, 0x1e, 0x0e, 0x82, 0x97, 0x48, + 0x56, 0xa7, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 40 * 6]; -} - _EC_brainpoolP320r1 = { - { - NID_X9_62_prime_field, 0, 40, 1 + uint8_t p[40]; + uint8_t a[40]; + uint8_t b[40]; + uint8_t x[40]; + uint8_t y[40]; + uint8_t order[40]; +} _EC_brainpoolP320r1 = { + .p = { + 0xd3, 0x5e, 0x47, 0x20, 0x36, 0xbc, 0x4f, 0xb7, 0xe1, 0x3c, + 0x78, 0x5e, 0xd2, 0x01, 0xe0, 0x65, 0xf9, 0x8f, 0xcf, 0xa6, + 0xf6, 0xf4, 0x0d, 0xef, 0x4f, 0x92, 0xb9, 0xec, 0x78, 0x93, + 0xec, 0x28, 0xfc, 0xd4, 0x12, 0xb1, 0xf1, 0xb3, 0x2e, 0x27, + }, + .a = { + 0x3e, 0xe3, 0x0b, 0x56, 0x8f, 0xba, 0xb0, 0xf8, 0x83, 0xcc, + 0xeb, 0xd4, 0x6d, 0x3f, 0x3b, 0xb8, 0xa2, 0xa7, 0x35, 0x13, + 0xf5, 0xeb, 0x79, 0xda, 0x66, 0x19, 0x0e, 0xb0, 0x85, 0xff, + 0xa9, 0xf4, 0x92, 0xf3, 0x75, 0xa9, 0x7d, 0x86, 0x0e, 0xb4, + }, + .b = { + 0x52, 0x08, 0x83, 0x94, 0x9d, 0xfd, 0xbc, 0x42, 0xd3, 0xad, + 0x19, 0x86, 0x40, 0x68, 0x8a, 0x6f, 0xe1, 0x3f, 0x41, 0x34, + 0x95, 0x54, 0xb4, 0x9a, 0xcc, 0x31, 0xdc, 0xcd, 0x88, 0x45, + 0x39, 0x81, 0x6f, 0x5e, 0xb4, 0xac, 0x8f, 0xb1, 0xf1, 0xa6, + }, + .x = { + 0x43, 0xbd, 0x7e, 0x9a, 0xfb, 0x53, 0xd8, 0xb8, 0x52, 0x89, + 0xbc, 0xc4, 0x8e, 0xe5, 0xbf, 0xe6, 0xf2, 0x01, 0x37, 0xd1, + 0x0a, 0x08, 0x7e, 0xb6, 0xe7, 0x87, 0x1e, 0x2a, 0x10, 0xa5, + 0x99, 0xc7, 0x10, 0xaf, 0x8d, 0x0d, 0x39, 0xe2, 0x06, 0x11, + }, + .y = { + 0x14, 0xfd, 0xd0, 0x55, 0x45, 0xec, 0x1c, 0xc8, 0xab, 0x40, + 0x93, 0x24, 0x7f, 0x77, 0x27, 0x5e, 0x07, 0x43, 0xff, 0xed, + 0x11, 0x71, 0x82, 0xea, 0xa9, 0xc7, 0x78, 0x77, 0xaa, 0xac, + 0x6a, 0xc7, 0xd3, 0x52, 0x45, 0xd1, 0x69, 0x2e, 0x8e, 0xe1, + }, + .order = { + 0xd3, 0x5e, 0x47, 0x20, 
0x36, 0xbc, 0x4f, 0xb7, 0xe1, 0x3c, + 0x78, 0x5e, 0xd2, 0x01, 0xe0, 0x65, 0xf9, 0x8f, 0xcf, 0xa5, + 0xb6, 0x8f, 0x12, 0xa3, 0x2d, 0x48, 0x2e, 0xc7, 0xee, 0x86, + 0x58, 0xe9, 0x86, 0x91, 0x55, 0x5b, 0x44, 0xc5, 0x93, 0x11, }, - { /* no seed */ - 0xD3, 0x5E, 0x47, 0x20, 0x36, 0xBC, 0x4F, 0xB7, 0xE1, 0x3C, /* p */ - 0x78, 0x5E, 0xD2, 0x01, 0xE0, 0x65, 0xF9, 0x8F, 0xCF, 0xA6, - 0xF6, 0xF4, 0x0D, 0xEF, 0x4F, 0x92, 0xB9, 0xEC, 0x78, 0x93, - 0xEC, 0x28, 0xFC, 0xD4, 0x12, 0xB1, 0xF1, 0xB3, 0x2E, 0x27, - 0x3E, 0xE3, 0x0B, 0x56, 0x8F, 0xBA, 0xB0, 0xF8, 0x83, 0xCC, /* a */ - 0xEB, 0xD4, 0x6D, 0x3F, 0x3B, 0xB8, 0xA2, 0xA7, 0x35, 0x13, - 0xF5, 0xEB, 0x79, 0xDA, 0x66, 0x19, 0x0E, 0xB0, 0x85, 0xFF, - 0xA9, 0xF4, 0x92, 0xF3, 0x75, 0xA9, 0x7D, 0x86, 0x0E, 0xB4, - 0x52, 0x08, 0x83, 0x94, 0x9D, 0xFD, 0xBC, 0x42, 0xD3, 0xAD, /* b */ - 0x19, 0x86, 0x40, 0x68, 0x8A, 0x6F, 0xE1, 0x3F, 0x41, 0x34, - 0x95, 0x54, 0xB4, 0x9A, 0xCC, 0x31, 0xDC, 0xCD, 0x88, 0x45, - 0x39, 0x81, 0x6F, 0x5E, 0xB4, 0xAC, 0x8F, 0xB1, 0xF1, 0xA6, - 0x43, 0xBD, 0x7E, 0x9A, 0xFB, 0x53, 0xD8, 0xB8, 0x52, 0x89, /* x */ - 0xBC, 0xC4, 0x8E, 0xE5, 0xBF, 0xE6, 0xF2, 0x01, 0x37, 0xD1, - 0x0A, 0x08, 0x7E, 0xB6, 0xE7, 0x87, 0x1E, 0x2A, 0x10, 0xA5, - 0x99, 0xC7, 0x10, 0xAF, 0x8D, 0x0D, 0x39, 0xE2, 0x06, 0x11, - 0x14, 0xFD, 0xD0, 0x55, 0x45, 0xEC, 0x1C, 0xC8, 0xAB, 0x40, /* y */ - 0x93, 0x24, 0x7F, 0x77, 0x27, 0x5E, 0x07, 0x43, 0xFF, 0xED, - 0x11, 0x71, 0x82, 0xEA, 0xA9, 0xC7, 0x78, 0x77, 0xAA, 0xAC, - 0x6A, 0xC7, 0xD3, 0x52, 0x45, 0xD1, 0x69, 0x2E, 0x8E, 0xE1, - 0xD3, 0x5E, 0x47, 0x20, 0x36, 0xBC, 0x4F, 0xB7, 0xE1, 0x3C, /* order */ - 0x78, 0x5E, 0xD2, 0x01, 0xE0, 0x65, 0xF9, 0x8F, 0xCF, 0xA5, - 0xB6, 0x8F, 0x12, 0xA3, 0x2D, 0x48, 0x2E, 0xC7, 0xEE, 0x86, - 0x58, 0xE9, 0x86, 0x91, 0x55, 0x5B, 0x44, 0xC5, 0x93, 0x11 - } }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 40 * 6]; -} - _EC_brainpoolP320t1 = { - { - NID_X9_62_prime_field, 0, 40, 1 + uint8_t p[40]; + uint8_t a[40]; + uint8_t b[40]; + uint8_t x[40]; 
+ uint8_t y[40]; + uint8_t order[40]; +} _EC_brainpoolP320t1 = { + .p = { + 0xd3, 0x5e, 0x47, 0x20, 0x36, 0xbc, 0x4f, 0xb7, 0xe1, 0x3c, + 0x78, 0x5e, 0xd2, 0x01, 0xe0, 0x65, 0xf9, 0x8f, 0xcf, 0xa6, + 0xf6, 0xf4, 0x0d, 0xef, 0x4f, 0x92, 0xb9, 0xec, 0x78, 0x93, + 0xec, 0x28, 0xfc, 0xd4, 0x12, 0xb1, 0xf1, 0xb3, 0x2e, 0x27, + }, + .a = { + 0xd3, 0x5e, 0x47, 0x20, 0x36, 0xbc, 0x4f, 0xb7, 0xe1, 0x3c, + 0x78, 0x5e, 0xd2, 0x01, 0xe0, 0x65, 0xf9, 0x8f, 0xcf, 0xa6, + 0xf6, 0xf4, 0x0d, 0xef, 0x4f, 0x92, 0xb9, 0xec, 0x78, 0x93, + 0xec, 0x28, 0xfc, 0xd4, 0x12, 0xb1, 0xf1, 0xb3, 0x2e, 0x24, + }, + .b = { + 0xa7, 0xf5, 0x61, 0xe0, 0x38, 0xeb, 0x1e, 0xd5, 0x60, 0xb3, + 0xd1, 0x47, 0xdb, 0x78, 0x20, 0x13, 0x06, 0x4c, 0x19, 0xf2, + 0x7e, 0xd2, 0x7c, 0x67, 0x80, 0xaa, 0xf7, 0x7f, 0xb8, 0xa5, + 0x47, 0xce, 0xb5, 0xb4, 0xfe, 0xf4, 0x22, 0x34, 0x03, 0x53, + }, + .x = { + 0x92, 0x5b, 0xe9, 0xfb, 0x01, 0xaf, 0xc6, 0xfb, 0x4d, 0x3e, + 0x7d, 0x49, 0x90, 0x01, 0x0f, 0x81, 0x34, 0x08, 0xab, 0x10, + 0x6c, 0x4f, 0x09, 0xcb, 0x7e, 0xe0, 0x78, 0x68, 0xcc, 0x13, + 0x6f, 0xff, 0x33, 0x57, 0xf6, 0x24, 0xa2, 0x1b, 0xed, 0x52, + }, + .y = { + 0x63, 0xba, 0x3a, 0x7a, 0x27, 0x48, 0x3e, 0xbf, 0x66, 0x71, + 0xdb, 0xef, 0x7a, 0xbb, 0x30, 0xeb, 0xee, 0x08, 0x4e, 0x58, + 0xa0, 0xb0, 0x77, 0xad, 0x42, 0xa5, 0xa0, 0x98, 0x9d, 0x1e, + 0xe7, 0x1b, 0x1b, 0x9b, 0xc0, 0x45, 0x5f, 0xb0, 0xd2, 0xc3, + }, + .order = { + 0xd3, 0x5e, 0x47, 0x20, 0x36, 0xbc, 0x4f, 0xb7, 0xe1, 0x3c, + 0x78, 0x5e, 0xd2, 0x01, 0xe0, 0x65, 0xf9, 0x8f, 0xcf, 0xa5, + 0xb6, 0x8f, 0x12, 0xa3, 0x2d, 0x48, 0x2e, 0xc7, 0xee, 0x86, + 0x58, 0xe9, 0x86, 0x91, 0x55, 0x5b, 0x44, 0xc5, 0x93, 0x11, }, - { /* no seed */ - 0xD3, 0x5E, 0x47, 0x20, 0x36, 0xBC, 0x4F, 0xB7, 0xE1, 0x3C, /* p */ - 0x78, 0x5E, 0xD2, 0x01, 0xE0, 0x65, 0xF9, 0x8F, 0xCF, 0xA6, - 0xF6, 0xF4, 0x0D, 0xEF, 0x4F, 0x92, 0xB9, 0xEC, 0x78, 0x93, - 0xEC, 0x28, 0xFC, 0xD4, 0x12, 0xB1, 0xF1, 0xB3, 0x2E, 0x27, - 0xD3, 0x5E, 0x47, 0x20, 0x36, 0xBC, 0x4F, 0xB7, 0xE1, 0x3C, /* a */ - 0x78, 0x5E, 
0xD2, 0x01, 0xE0, 0x65, 0xF9, 0x8F, 0xCF, 0xA6, - 0xF6, 0xF4, 0x0D, 0xEF, 0x4F, 0x92, 0xB9, 0xEC, 0x78, 0x93, - 0xEC, 0x28, 0xFC, 0xD4, 0x12, 0xB1, 0xF1, 0xB3, 0x2E, 0x24, - 0xA7, 0xF5, 0x61, 0xE0, 0x38, 0xEB, 0x1E, 0xD5, 0x60, 0xB3, /* b */ - 0xD1, 0x47, 0xDB, 0x78, 0x20, 0x13, 0x06, 0x4C, 0x19, 0xF2, - 0x7E, 0xD2, 0x7C, 0x67, 0x80, 0xAA, 0xF7, 0x7F, 0xB8, 0xA5, - 0x47, 0xCE, 0xB5, 0xB4, 0xFE, 0xF4, 0x22, 0x34, 0x03, 0x53, - 0x92, 0x5B, 0xE9, 0xFB, 0x01, 0xAF, 0xC6, 0xFB, 0x4D, 0x3E, /* x */ - 0x7D, 0x49, 0x90, 0x01, 0x0F, 0x81, 0x34, 0x08, 0xAB, 0x10, - 0x6C, 0x4F, 0x09, 0xCB, 0x7E, 0xE0, 0x78, 0x68, 0xCC, 0x13, - 0x6F, 0xFF, 0x33, 0x57, 0xF6, 0x24, 0xA2, 0x1B, 0xED, 0x52, - 0x63, 0xBA, 0x3A, 0x7A, 0x27, 0x48, 0x3E, 0xBF, 0x66, 0x71, /* y */ - 0xDB, 0xEF, 0x7A, 0xBB, 0x30, 0xEB, 0xEE, 0x08, 0x4E, 0x58, - 0xA0, 0xB0, 0x77, 0xAD, 0x42, 0xA5, 0xA0, 0x98, 0x9D, 0x1E, - 0xE7, 0x1B, 0x1B, 0x9B, 0xC0, 0x45, 0x5F, 0xB0, 0xD2, 0xC3, - 0xD3, 0x5E, 0x47, 0x20, 0x36, 0xBC, 0x4F, 0xB7, 0xE1, 0x3C, /* order */ - 0x78, 0x5E, 0xD2, 0x01, 0xE0, 0x65, 0xF9, 0x8F, 0xCF, 0xA5, - 0xB6, 0x8F, 0x12, 0xA3, 0x2D, 0x48, 0x2E, 0xC7, 0xEE, 0x86, - 0x58, 0xE9, 0x86, 0x91, 0x55, 0x5B, 0x44, 0xC5, 0x93, 0x11 - } }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 48 * 6]; -} - _EC_brainpoolP384r1 = { - { - NID_X9_62_prime_field, 0, 48, 1 + uint8_t p[48]; + uint8_t a[48]; + uint8_t b[48]; + uint8_t x[48]; + uint8_t y[48]; + uint8_t order[48]; +} _EC_brainpoolP384r1 = { + .p = { + 0x8c, 0xb9, 0x1e, 0x82, 0xa3, 0x38, 0x6d, 0x28, 0x0f, 0x5d, + 0x6f, 0x7e, 0x50, 0xe6, 0x41, 0xdf, 0x15, 0x2f, 0x71, 0x09, + 0xed, 0x54, 0x56, 0xb4, 0x12, 0xb1, 0xda, 0x19, 0x7f, 0xb7, + 0x11, 0x23, 0xac, 0xd3, 0xa7, 0x29, 0x90, 0x1d, 0x1a, 0x71, + 0x87, 0x47, 0x00, 0x13, 0x31, 0x07, 0xec, 0x53, + }, + .a = { + 0x7b, 0xc3, 0x82, 0xc6, 0x3d, 0x8c, 0x15, 0x0c, 0x3c, 0x72, + 0x08, 0x0a, 0xce, 0x05, 0xaf, 0xa0, 0xc2, 0xbe, 0xa2, 0x8e, + 0x4f, 0xb2, 0x27, 0x87, 0x13, 0x91, 0x65, 0xef, 0xba, 0x91, + 0xf9, 
0x0f, 0x8a, 0xa5, 0x81, 0x4a, 0x50, 0x3a, 0xd4, 0xeb, + 0x04, 0xa8, 0xc7, 0xdd, 0x22, 0xce, 0x28, 0x26, + }, + .b = { + 0x04, 0xa8, 0xc7, 0xdd, 0x22, 0xce, 0x28, 0x26, 0x8b, 0x39, + 0xb5, 0x54, 0x16, 0xf0, 0x44, 0x7c, 0x2f, 0xb7, 0x7d, 0xe1, + 0x07, 0xdc, 0xd2, 0xa6, 0x2e, 0x88, 0x0e, 0xa5, 0x3e, 0xeb, + 0x62, 0xd5, 0x7c, 0xb4, 0x39, 0x02, 0x95, 0xdb, 0xc9, 0x94, + 0x3a, 0xb7, 0x86, 0x96, 0xfa, 0x50, 0x4c, 0x11, + }, + .x = { + 0x1d, 0x1c, 0x64, 0xf0, 0x68, 0xcf, 0x45, 0xff, 0xa2, 0xa6, + 0x3a, 0x81, 0xb7, 0xc1, 0x3f, 0x6b, 0x88, 0x47, 0xa3, 0xe7, + 0x7e, 0xf1, 0x4f, 0xe3, 0xdb, 0x7f, 0xca, 0xfe, 0x0c, 0xbd, + 0x10, 0xe8, 0xe8, 0x26, 0xe0, 0x34, 0x36, 0xd6, 0x46, 0xaa, + 0xef, 0x87, 0xb2, 0xe2, 0x47, 0xd4, 0xaf, 0x1e, + }, + .y = { + 0x8a, 0xbe, 0x1d, 0x75, 0x20, 0xf9, 0xc2, 0xa4, 0x5c, 0xb1, + 0xeb, 0x8e, 0x95, 0xcf, 0xd5, 0x52, 0x62, 0xb7, 0x0b, 0x29, + 0xfe, 0xec, 0x58, 0x64, 0xe1, 0x9c, 0x05, 0x4f, 0xf9, 0x91, + 0x29, 0x28, 0x0e, 0x46, 0x46, 0x21, 0x77, 0x91, 0x81, 0x11, + 0x42, 0x82, 0x03, 0x41, 0x26, 0x3c, 0x53, 0x15, + }, + .order = { + 0x8c, 0xb9, 0x1e, 0x82, 0xa3, 0x38, 0x6d, 0x28, 0x0f, 0x5d, + 0x6f, 0x7e, 0x50, 0xe6, 0x41, 0xdf, 0x15, 0x2f, 0x71, 0x09, + 0xed, 0x54, 0x56, 0xb3, 0x1f, 0x16, 0x6e, 0x6c, 0xac, 0x04, + 0x25, 0xa7, 0xcf, 0x3a, 0xb6, 0xaf, 0x6b, 0x7f, 0xc3, 0x10, + 0x3b, 0x88, 0x32, 0x02, 0xe9, 0x04, 0x65, 0x65, }, - { /* no seed */ - 0x8C, 0xB9, 0x1E, 0x82, 0xA3, 0x38, 0x6D, 0x28, 0x0F, 0x5D, /* p */ - 0x6F, 0x7E, 0x50, 0xE6, 0x41, 0xDF, 0x15, 0x2F, 0x71, 0x09, - 0xED, 0x54, 0x56, 0xB4, 0x12, 0xB1, 0xDA, 0x19, 0x7F, 0xB7, - 0x11, 0x23, 0xAC, 0xD3, 0xA7, 0x29, 0x90, 0x1D, 0x1A, 0x71, - 0x87, 0x47, 0x00, 0x13, 0x31, 0x07, 0xEC, 0x53, - 0x7B, 0xC3, 0x82, 0xC6, 0x3D, 0x8C, 0x15, 0x0C, 0x3C, 0x72, /* a */ - 0x08, 0x0A, 0xCE, 0x05, 0xAF, 0xA0, 0xC2, 0xBE, 0xA2, 0x8E, - 0x4F, 0xB2, 0x27, 0x87, 0x13, 0x91, 0x65, 0xEF, 0xBA, 0x91, - 0xF9, 0x0F, 0x8A, 0xA5, 0x81, 0x4A, 0x50, 0x3A, 0xD4, 0xEB, - 0x04, 0xA8, 0xC7, 0xDD, 0x22, 0xCE, 0x28, 0x26, - 0x04, 
0xA8, 0xC7, 0xDD, 0x22, 0xCE, 0x28, 0x26, 0x8B, 0x39, /* b */ - 0xB5, 0x54, 0x16, 0xF0, 0x44, 0x7C, 0x2F, 0xB7, 0x7D, 0xE1, - 0x07, 0xDC, 0xD2, 0xA6, 0x2E, 0x88, 0x0E, 0xA5, 0x3E, 0xEB, - 0x62, 0xD5, 0x7C, 0xB4, 0x39, 0x02, 0x95, 0xDB, 0xC9, 0x94, - 0x3A, 0xB7, 0x86, 0x96, 0xFA, 0x50, 0x4C, 0x11, - 0x1D, 0x1C, 0x64, 0xF0, 0x68, 0xCF, 0x45, 0xFF, 0xA2, 0xA6, /* x */ - 0x3A, 0x81, 0xB7, 0xC1, 0x3F, 0x6B, 0x88, 0x47, 0xA3, 0xE7, - 0x7E, 0xF1, 0x4F, 0xE3, 0xDB, 0x7F, 0xCA, 0xFE, 0x0C, 0xBD, - 0x10, 0xE8, 0xE8, 0x26, 0xE0, 0x34, 0x36, 0xD6, 0x46, 0xAA, - 0xEF, 0x87, 0xB2, 0xE2, 0x47, 0xD4, 0xAF, 0x1E, - 0x8A, 0xBE, 0x1D, 0x75, 0x20, 0xF9, 0xC2, 0xA4, 0x5C, 0xB1, /* y */ - 0xEB, 0x8E, 0x95, 0xCF, 0xD5, 0x52, 0x62, 0xB7, 0x0B, 0x29, - 0xFE, 0xEC, 0x58, 0x64, 0xE1, 0x9C, 0x05, 0x4F, 0xF9, 0x91, - 0x29, 0x28, 0x0E, 0x46, 0x46, 0x21, 0x77, 0x91, 0x81, 0x11, - 0x42, 0x82, 0x03, 0x41, 0x26, 0x3C, 0x53, 0x15, - 0x8C, 0xB9, 0x1E, 0x82, 0xA3, 0x38, 0x6D, 0x28, 0x0F, 0x5D, /* order */ - 0x6F, 0x7E, 0x50, 0xE6, 0x41, 0xDF, 0x15, 0x2F, 0x71, 0x09, - 0xED, 0x54, 0x56, 0xB3, 0x1F, 0x16, 0x6E, 0x6C, 0xAC, 0x04, - 0x25, 0xA7, 0xCF, 0x3A, 0xB6, 0xAF, 0x6B, 0x7F, 0xC3, 0x10, - 0x3B, 0x88, 0x32, 0x02, 0xE9, 0x04, 0x65, 0x65 - } }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 48 * 6]; -} - _EC_brainpoolP384t1 = { - { - NID_X9_62_prime_field, 0, 48, 1 + uint8_t p[48]; + uint8_t a[48]; + uint8_t b[48]; + uint8_t x[48]; + uint8_t y[48]; + uint8_t order[48]; +} _EC_brainpoolP384t1 = { + .p = { + 0x8c, 0xb9, 0x1e, 0x82, 0xa3, 0x38, 0x6d, 0x28, 0x0f, 0x5d, + 0x6f, 0x7e, 0x50, 0xe6, 0x41, 0xdf, 0x15, 0x2f, 0x71, 0x09, + 0xed, 0x54, 0x56, 0xb4, 0x12, 0xb1, 0xda, 0x19, 0x7f, 0xb7, + 0x11, 0x23, 0xac, 0xd3, 0xa7, 0x29, 0x90, 0x1d, 0x1a, 0x71, + 0x87, 0x47, 0x00, 0x13, 0x31, 0x07, 0xec, 0x53, + }, + .a = { + 0x8c, 0xb9, 0x1e, 0x82, 0xa3, 0x38, 0x6d, 0x28, 0x0f, 0x5d, + 0x6f, 0x7e, 0x50, 0xe6, 0x41, 0xdf, 0x15, 0x2f, 0x71, 0x09, + 0xed, 0x54, 0x56, 0xb4, 0x12, 0xb1, 0xda, 0x19, 
0x7f, 0xb7, + 0x11, 0x23, 0xac, 0xd3, 0xa7, 0x29, 0x90, 0x1d, 0x1a, 0x71, + 0x87, 0x47, 0x00, 0x13, 0x31, 0x07, 0xec, 0x50, + }, + .b = { + 0x7f, 0x51, 0x9e, 0xad, 0xa7, 0xbd, 0xa8, 0x1b, 0xd8, 0x26, + 0xdb, 0xa6, 0x47, 0x91, 0x0f, 0x8c, 0x4b, 0x93, 0x46, 0xed, + 0x8c, 0xcd, 0xc6, 0x4e, 0x4b, 0x1a, 0xbd, 0x11, 0x75, 0x6d, + 0xce, 0x1d, 0x20, 0x74, 0xaa, 0x26, 0x3b, 0x88, 0x80, 0x5c, + 0xed, 0x70, 0x35, 0x5a, 0x33, 0xb4, 0x71, 0xee, + }, + .x = { + 0x18, 0xde, 0x98, 0xb0, 0x2d, 0xb9, 0xa3, 0x06, 0xf2, 0xaf, + 0xcd, 0x72, 0x35, 0xf7, 0x2a, 0x81, 0x9b, 0x80, 0xab, 0x12, + 0xeb, 0xd6, 0x53, 0x17, 0x24, 0x76, 0xfe, 0xcd, 0x46, 0x2a, + 0xab, 0xff, 0xc4, 0xff, 0x19, 0x1b, 0x94, 0x6a, 0x5f, 0x54, + 0xd8, 0xd0, 0xaa, 0x2f, 0x41, 0x88, 0x08, 0xcc, + }, + .y = { + 0x25, 0xab, 0x05, 0x69, 0x62, 0xd3, 0x06, 0x51, 0xa1, 0x14, + 0xaf, 0xd2, 0x75, 0x5a, 0xd3, 0x36, 0x74, 0x7f, 0x93, 0x47, + 0x5b, 0x7a, 0x1f, 0xca, 0x3b, 0x88, 0xf2, 0xb6, 0xa2, 0x08, + 0xcc, 0xfe, 0x46, 0x94, 0x08, 0x58, 0x4d, 0xc2, 0xb2, 0x91, + 0x26, 0x75, 0xbf, 0x5b, 0x9e, 0x58, 0x29, 0x28, + }, + .order = { + 0x8c, 0xb9, 0x1e, 0x82, 0xa3, 0x38, 0x6d, 0x28, 0x0f, 0x5d, + 0x6f, 0x7e, 0x50, 0xe6, 0x41, 0xdf, 0x15, 0x2f, 0x71, 0x09, + 0xed, 0x54, 0x56, 0xb3, 0x1f, 0x16, 0x6e, 0x6c, 0xac, 0x04, + 0x25, 0xa7, 0xcf, 0x3a, 0xb6, 0xaf, 0x6b, 0x7f, 0xc3, 0x10, + 0x3b, 0x88, 0x32, 0x02, 0xe9, 0x04, 0x65, 0x65, }, - { /* no seed */ - 0x8C, 0xB9, 0x1E, 0x82, 0xA3, 0x38, 0x6D, 0x28, 0x0F, 0x5D, /* p */ - 0x6F, 0x7E, 0x50, 0xE6, 0x41, 0xDF, 0x15, 0x2F, 0x71, 0x09, - 0xED, 0x54, 0x56, 0xB4, 0x12, 0xB1, 0xDA, 0x19, 0x7F, 0xB7, - 0x11, 0x23, 0xAC, 0xD3, 0xA7, 0x29, 0x90, 0x1D, 0x1A, 0x71, - 0x87, 0x47, 0x00, 0x13, 0x31, 0x07, 0xEC, 0x53, - 0x8C, 0xB9, 0x1E, 0x82, 0xA3, 0x38, 0x6D, 0x28, 0x0F, 0x5D, /* a */ - 0x6F, 0x7E, 0x50, 0xE6, 0x41, 0xDF, 0x15, 0x2F, 0x71, 0x09, - 0xED, 0x54, 0x56, 0xB4, 0x12, 0xB1, 0xDA, 0x19, 0x7F, 0xB7, - 0x11, 0x23, 0xAC, 0xD3, 0xA7, 0x29, 0x90, 0x1D, 0x1A, 0x71, - 0x87, 0x47, 0x00, 0x13, 0x31, 0x07, 
0xEC, 0x50, - 0x7F, 0x51, 0x9E, 0xAD, 0xA7, 0xBD, 0xA8, 0x1B, 0xD8, 0x26, /* b */ - 0xDB, 0xA6, 0x47, 0x91, 0x0F, 0x8C, 0x4B, 0x93, 0x46, 0xED, - 0x8C, 0xCD, 0xC6, 0x4E, 0x4B, 0x1A, 0xBD, 0x11, 0x75, 0x6D, - 0xCE, 0x1D, 0x20, 0x74, 0xAA, 0x26, 0x3B, 0x88, 0x80, 0x5C, - 0xED, 0x70, 0x35, 0x5A, 0x33, 0xB4, 0x71, 0xEE, - 0x18, 0xDE, 0x98, 0xB0, 0x2D, 0xB9, 0xA3, 0x06, 0xF2, 0xAF, /* x */ - 0xCD, 0x72, 0x35, 0xF7, 0x2A, 0x81, 0x9B, 0x80, 0xAB, 0x12, - 0xEB, 0xD6, 0x53, 0x17, 0x24, 0x76, 0xFE, 0xCD, 0x46, 0x2A, - 0xAB, 0xFF, 0xC4, 0xFF, 0x19, 0x1B, 0x94, 0x6A, 0x5F, 0x54, - 0xD8, 0xD0, 0xAA, 0x2F, 0x41, 0x88, 0x08, 0xCC, - 0x25, 0xAB, 0x05, 0x69, 0x62, 0xD3, 0x06, 0x51, 0xA1, 0x14, /* y */ - 0xAF, 0xD2, 0x75, 0x5A, 0xD3, 0x36, 0x74, 0x7F, 0x93, 0x47, - 0x5B, 0x7A, 0x1F, 0xCA, 0x3B, 0x88, 0xF2, 0xB6, 0xA2, 0x08, - 0xCC, 0xFE, 0x46, 0x94, 0x08, 0x58, 0x4D, 0xC2, 0xB2, 0x91, - 0x26, 0x75, 0xBF, 0x5B, 0x9E, 0x58, 0x29, 0x28, - 0x8C, 0xB9, 0x1E, 0x82, 0xA3, 0x38, 0x6D, 0x28, 0x0F, 0x5D, /* order */ - 0x6F, 0x7E, 0x50, 0xE6, 0x41, 0xDF, 0x15, 0x2F, 0x71, 0x09, - 0xED, 0x54, 0x56, 0xB3, 0x1F, 0x16, 0x6E, 0x6C, 0xAC, 0x04, - 0x25, 0xA7, 0xCF, 0x3A, 0xB6, 0xAF, 0x6B, 0x7F, 0xC3, 0x10, - 0x3B, 0x88, 0x32, 0x02, 0xE9, 0x04, 0x65, 0x65 - } }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 64 * 6]; -} - _EC_brainpoolP512r1 = { - { - NID_X9_62_prime_field, 0, 64, 1 + uint8_t p[64]; + uint8_t a[64]; + uint8_t b[64]; + uint8_t x[64]; + uint8_t y[64]; + uint8_t order[64]; +} _EC_brainpoolP512r1 = { + .p = { + 0xaa, 0xdd, 0x9d, 0xb8, 0xdb, 0xe9, 0xc4, 0x8b, 0x3f, 0xd4, + 0xe6, 0xae, 0x33, 0xc9, 0xfc, 0x07, 0xcb, 0x30, 0x8d, 0xb3, + 0xb3, 0xc9, 0xd2, 0x0e, 0xd6, 0x63, 0x9c, 0xca, 0x70, 0x33, + 0x08, 0x71, 0x7d, 0x4d, 0x9b, 0x00, 0x9b, 0xc6, 0x68, 0x42, + 0xae, 0xcd, 0xa1, 0x2a, 0xe6, 0xa3, 0x80, 0xe6, 0x28, 0x81, + 0xff, 0x2f, 0x2d, 0x82, 0xc6, 0x85, 0x28, 0xaa, 0x60, 0x56, + 0x58, 0x3a, 0x48, 0xf3, + }, + .a = { + 0x78, 0x30, 0xa3, 0x31, 0x8b, 0x60, 0x3b, 0x89, 0xe2, 
0x32, + 0x71, 0x45, 0xac, 0x23, 0x4c, 0xc5, 0x94, 0xcb, 0xdd, 0x8d, + 0x3d, 0xf9, 0x16, 0x10, 0xa8, 0x34, 0x41, 0xca, 0xea, 0x98, + 0x63, 0xbc, 0x2d, 0xed, 0x5d, 0x5a, 0xa8, 0x25, 0x3a, 0xa1, + 0x0a, 0x2e, 0xf1, 0xc9, 0x8b, 0x9a, 0xc8, 0xb5, 0x7f, 0x11, + 0x17, 0xa7, 0x2b, 0xf2, 0xc7, 0xb9, 0xe7, 0xc1, 0xac, 0x4d, + 0x77, 0xfc, 0x94, 0xca, + }, + .b = { + 0x3d, 0xf9, 0x16, 0x10, 0xa8, 0x34, 0x41, 0xca, 0xea, 0x98, + 0x63, 0xbc, 0x2d, 0xed, 0x5d, 0x5a, 0xa8, 0x25, 0x3a, 0xa1, + 0x0a, 0x2e, 0xf1, 0xc9, 0x8b, 0x9a, 0xc8, 0xb5, 0x7f, 0x11, + 0x17, 0xa7, 0x2b, 0xf2, 0xc7, 0xb9, 0xe7, 0xc1, 0xac, 0x4d, + 0x77, 0xfc, 0x94, 0xca, 0xdc, 0x08, 0x3e, 0x67, 0x98, 0x40, + 0x50, 0xb7, 0x5e, 0xba, 0xe5, 0xdd, 0x28, 0x09, 0xbd, 0x63, + 0x80, 0x16, 0xf7, 0x23, + }, + .x = { + 0x81, 0xae, 0xe4, 0xbd, 0xd8, 0x2e, 0xd9, 0x64, 0x5a, 0x21, + 0x32, 0x2e, 0x9c, 0x4c, 0x6a, 0x93, 0x85, 0xed, 0x9f, 0x70, + 0xb5, 0xd9, 0x16, 0xc1, 0xb4, 0x3b, 0x62, 0xee, 0xf4, 0xd0, + 0x09, 0x8e, 0xff, 0x3b, 0x1f, 0x78, 0xe2, 0xd0, 0xd4, 0x8d, + 0x50, 0xd1, 0x68, 0x7b, 0x93, 0xb9, 0x7d, 0x5f, 0x7c, 0x6d, + 0x50, 0x47, 0x40, 0x6a, 0x5e, 0x68, 0x8b, 0x35, 0x22, 0x09, + 0xbc, 0xb9, 0xf8, 0x22, + }, + .y = { + 0x7d, 0xde, 0x38, 0x5d, 0x56, 0x63, 0x32, 0xec, 0xc0, 0xea, + 0xbf, 0xa9, 0xcf, 0x78, 0x22, 0xfd, 0xf2, 0x09, 0xf7, 0x00, + 0x24, 0xa5, 0x7b, 0x1a, 0xa0, 0x00, 0xc5, 0x5b, 0x88, 0x1f, + 0x81, 0x11, 0xb2, 0xdc, 0xde, 0x49, 0x4a, 0x5f, 0x48, 0x5e, + 0x5b, 0xca, 0x4b, 0xd8, 0x8a, 0x27, 0x63, 0xae, 0xd1, 0xca, + 0x2b, 0x2f, 0xa8, 0xf0, 0x54, 0x06, 0x78, 0xcd, 0x1e, 0x0f, + 0x3a, 0xd8, 0x08, 0x92, + }, + .order = { + 0xaa, 0xdd, 0x9d, 0xb8, 0xdb, 0xe9, 0xc4, 0x8b, 0x3f, 0xd4, + 0xe6, 0xae, 0x33, 0xc9, 0xfc, 0x07, 0xcb, 0x30, 0x8d, 0xb3, + 0xb3, 0xc9, 0xd2, 0x0e, 0xd6, 0x63, 0x9c, 0xca, 0x70, 0x33, + 0x08, 0x70, 0x55, 0x3e, 0x5c, 0x41, 0x4c, 0xa9, 0x26, 0x19, + 0x41, 0x86, 0x61, 0x19, 0x7f, 0xac, 0x10, 0x47, 0x1d, 0xb1, + 0xd3, 0x81, 0x08, 0x5d, 0xda, 0xdd, 0xb5, 0x87, 0x96, 0x82, + 0x9c, 0xa9, 0x00, 0x69, }, - 
{ /* no seed */ - 0xAA, 0xDD, 0x9D, 0xB8, 0xDB, 0xE9, 0xC4, 0x8B, 0x3F, 0xD4, /* p */ - 0xE6, 0xAE, 0x33, 0xC9, 0xFC, 0x07, 0xCB, 0x30, 0x8D, 0xB3, - 0xB3, 0xC9, 0xD2, 0x0E, 0xD6, 0x63, 0x9C, 0xCA, 0x70, 0x33, - 0x08, 0x71, 0x7D, 0x4D, 0x9B, 0x00, 0x9B, 0xC6, 0x68, 0x42, - 0xAE, 0xCD, 0xA1, 0x2A, 0xE6, 0xA3, 0x80, 0xE6, 0x28, 0x81, - 0xFF, 0x2F, 0x2D, 0x82, 0xC6, 0x85, 0x28, 0xAA, 0x60, 0x56, - 0x58, 0x3A, 0x48, 0xF3, - 0x78, 0x30, 0xA3, 0x31, 0x8B, 0x60, 0x3B, 0x89, 0xE2, 0x32, /* a */ - 0x71, 0x45, 0xAC, 0x23, 0x4C, 0xC5, 0x94, 0xCB, 0xDD, 0x8D, - 0x3D, 0xF9, 0x16, 0x10, 0xA8, 0x34, 0x41, 0xCA, 0xEA, 0x98, - 0x63, 0xBC, 0x2D, 0xED, 0x5D, 0x5A, 0xA8, 0x25, 0x3A, 0xA1, - 0x0A, 0x2E, 0xF1, 0xC9, 0x8B, 0x9A, 0xC8, 0xB5, 0x7F, 0x11, - 0x17, 0xA7, 0x2B, 0xF2, 0xC7, 0xB9, 0xE7, 0xC1, 0xAC, 0x4D, - 0x77, 0xFC, 0x94, 0xCA, - 0x3D, 0xF9, 0x16, 0x10, 0xA8, 0x34, 0x41, 0xCA, 0xEA, 0x98, /* b */ - 0x63, 0xBC, 0x2D, 0xED, 0x5D, 0x5A, 0xA8, 0x25, 0x3A, 0xA1, - 0x0A, 0x2E, 0xF1, 0xC9, 0x8B, 0x9A, 0xC8, 0xB5, 0x7F, 0x11, - 0x17, 0xA7, 0x2B, 0xF2, 0xC7, 0xB9, 0xE7, 0xC1, 0xAC, 0x4D, - 0x77, 0xFC, 0x94, 0xCA, 0xDC, 0x08, 0x3E, 0x67, 0x98, 0x40, - 0x50, 0xB7, 0x5E, 0xBA, 0xE5, 0xDD, 0x28, 0x09, 0xBD, 0x63, - 0x80, 0x16, 0xF7, 0x23, - 0x81, 0xAE, 0xE4, 0xBD, 0xD8, 0x2E, 0xD9, 0x64, 0x5A, 0x21, /* x */ - 0x32, 0x2E, 0x9C, 0x4C, 0x6A, 0x93, 0x85, 0xED, 0x9F, 0x70, - 0xB5, 0xD9, 0x16, 0xC1, 0xB4, 0x3B, 0x62, 0xEE, 0xF4, 0xD0, - 0x09, 0x8E, 0xFF, 0x3B, 0x1F, 0x78, 0xE2, 0xD0, 0xD4, 0x8D, - 0x50, 0xD1, 0x68, 0x7B, 0x93, 0xB9, 0x7D, 0x5F, 0x7C, 0x6D, - 0x50, 0x47, 0x40, 0x6A, 0x5E, 0x68, 0x8B, 0x35, 0x22, 0x09, - 0xBC, 0xB9, 0xF8, 0x22, - 0x7D, 0xDE, 0x38, 0x5D, 0x56, 0x63, 0x32, 0xEC, 0xC0, 0xEA, /* y */ - 0xBF, 0xA9, 0xCF, 0x78, 0x22, 0xFD, 0xF2, 0x09, 0xF7, 0x00, - 0x24, 0xA5, 0x7B, 0x1A, 0xA0, 0x00, 0xC5, 0x5B, 0x88, 0x1F, - 0x81, 0x11, 0xB2, 0xDC, 0xDE, 0x49, 0x4A, 0x5F, 0x48, 0x5E, - 0x5B, 0xCA, 0x4B, 0xD8, 0x8A, 0x27, 0x63, 0xAE, 0xD1, 0xCA, - 0x2B, 0x2F, 0xA8, 0xF0, 0x54, 0x06, 
0x78, 0xCD, 0x1E, 0x0F, - 0x3A, 0xD8, 0x08, 0x92, - 0xAA, 0xDD, 0x9D, 0xB8, 0xDB, 0xE9, 0xC4, 0x8B, 0x3F, 0xD4, /* order */ - 0xE6, 0xAE, 0x33, 0xC9, 0xFC, 0x07, 0xCB, 0x30, 0x8D, 0xB3, - 0xB3, 0xC9, 0xD2, 0x0E, 0xD6, 0x63, 0x9C, 0xCA, 0x70, 0x33, - 0x08, 0x70, 0x55, 0x3E, 0x5C, 0x41, 0x4C, 0xA9, 0x26, 0x19, - 0x41, 0x86, 0x61, 0x19, 0x7F, 0xAC, 0x10, 0x47, 0x1D, 0xB1, - 0xD3, 0x81, 0x08, 0x5D, 0xDA, 0xDD, 0xB5, 0x87, 0x96, 0x82, - 0x9C, 0xA9, 0x00, 0x69 - } }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 64 * 6]; -} - _EC_brainpoolP512t1 = { - { - NID_X9_62_prime_field, 0, 64, 1 + uint8_t p[64]; + uint8_t a[64]; + uint8_t b[64]; + uint8_t x[64]; + uint8_t y[64]; + uint8_t order[64]; +} _EC_brainpoolP512t1 = { + .p = { + 0xaa, 0xdd, 0x9d, 0xb8, 0xdb, 0xe9, 0xc4, 0x8b, 0x3f, 0xd4, + 0xe6, 0xae, 0x33, 0xc9, 0xfc, 0x07, 0xcb, 0x30, 0x8d, 0xb3, + 0xb3, 0xc9, 0xd2, 0x0e, 0xd6, 0x63, 0x9c, 0xca, 0x70, 0x33, + 0x08, 0x71, 0x7d, 0x4d, 0x9b, 0x00, 0x9b, 0xc6, 0x68, 0x42, + 0xae, 0xcd, 0xa1, 0x2a, 0xe6, 0xa3, 0x80, 0xe6, 0x28, 0x81, + 0xff, 0x2f, 0x2d, 0x82, 0xc6, 0x85, 0x28, 0xaa, 0x60, 0x56, + 0x58, 0x3a, 0x48, 0xf3, + }, + .a = { + 0xaa, 0xdd, 0x9d, 0xb8, 0xdb, 0xe9, 0xc4, 0x8b, 0x3f, 0xd4, + 0xe6, 0xae, 0x33, 0xc9, 0xfc, 0x07, 0xcb, 0x30, 0x8d, 0xb3, + 0xb3, 0xc9, 0xd2, 0x0e, 0xd6, 0x63, 0x9c, 0xca, 0x70, 0x33, + 0x08, 0x71, 0x7d, 0x4d, 0x9b, 0x00, 0x9b, 0xc6, 0x68, 0x42, + 0xae, 0xcd, 0xa1, 0x2a, 0xe6, 0xa3, 0x80, 0xe6, 0x28, 0x81, + 0xff, 0x2f, 0x2d, 0x82, 0xc6, 0x85, 0x28, 0xaa, 0x60, 0x56, + 0x58, 0x3a, 0x48, 0xf0, + }, + .b = { + 0x7c, 0xbb, 0xbc, 0xf9, 0x44, 0x1c, 0xfa, 0xb7, 0x6e, 0x18, + 0x90, 0xe4, 0x68, 0x84, 0xea, 0xe3, 0x21, 0xf7, 0x0c, 0x0b, + 0xcb, 0x49, 0x81, 0x52, 0x78, 0x97, 0x50, 0x4b, 0xec, 0x3e, + 0x36, 0xa6, 0x2b, 0xcd, 0xfa, 0x23, 0x04, 0x97, 0x65, 0x40, + 0xf6, 0x45, 0x00, 0x85, 0xf2, 0xda, 0xe1, 0x45, 0xc2, 0x25, + 0x53, 0xb4, 0x65, 0x76, 0x36, 0x89, 0x18, 0x0e, 0xa2, 0x57, + 0x18, 0x67, 0x42, 0x3e, + }, + .x = { + 0x64, 0x0e, 
0xce, 0x5c, 0x12, 0x78, 0x87, 0x17, 0xb9, 0xc1, + 0xba, 0x06, 0xcb, 0xc2, 0xa6, 0xfe, 0xba, 0x85, 0x84, 0x24, + 0x58, 0xc5, 0x6d, 0xde, 0x9d, 0xb1, 0x75, 0x8d, 0x39, 0xc0, + 0x31, 0x3d, 0x82, 0xba, 0x51, 0x73, 0x5c, 0xdb, 0x3e, 0xa4, + 0x99, 0xaa, 0x77, 0xa7, 0xd6, 0x94, 0x3a, 0x64, 0xf7, 0xa3, + 0xf2, 0x5f, 0xe2, 0x6f, 0x06, 0xb5, 0x1b, 0xaa, 0x26, 0x96, + 0xfa, 0x90, 0x35, 0xda, + }, + .y = { + 0x5b, 0x53, 0x4b, 0xd5, 0x95, 0xf5, 0xaf, 0x0f, 0xa2, 0xc8, + 0x92, 0x37, 0x6c, 0x84, 0xac, 0xe1, 0xbb, 0x4e, 0x30, 0x19, + 0xb7, 0x16, 0x34, 0xc0, 0x11, 0x31, 0x15, 0x9c, 0xae, 0x03, + 0xce, 0xe9, 0xd9, 0x93, 0x21, 0x84, 0xbe, 0xef, 0x21, 0x6b, + 0xd7, 0x1d, 0xf2, 0xda, 0xdf, 0x86, 0xa6, 0x27, 0x30, 0x6e, + 0xcf, 0xf9, 0x6d, 0xbb, 0x8b, 0xac, 0xe1, 0x98, 0xb6, 0x1e, + 0x00, 0xf8, 0xb3, 0x32, + }, + .order = { + 0xaa, 0xdd, 0x9d, 0xb8, 0xdb, 0xe9, 0xc4, 0x8b, 0x3f, 0xd4, + 0xe6, 0xae, 0x33, 0xc9, 0xfc, 0x07, 0xcb, 0x30, 0x8d, 0xb3, + 0xb3, 0xc9, 0xd2, 0x0e, 0xd6, 0x63, 0x9c, 0xca, 0x70, 0x33, + 0x08, 0x70, 0x55, 0x3e, 0x5c, 0x41, 0x4c, 0xa9, 0x26, 0x19, + 0x41, 0x86, 0x61, 0x19, 0x7f, 0xac, 0x10, 0x47, 0x1d, 0xb1, + 0xd3, 0x81, 0x08, 0x5d, 0xda, 0xdd, 0xb5, 0x87, 0x96, 0x82, + 0x9c, 0xa9, 0x00, 0x69, }, - { /* no seed */ - 0xAA, 0xDD, 0x9D, 0xB8, 0xDB, 0xE9, 0xC4, 0x8B, 0x3F, 0xD4, /* p */ - 0xE6, 0xAE, 0x33, 0xC9, 0xFC, 0x07, 0xCB, 0x30, 0x8D, 0xB3, - 0xB3, 0xC9, 0xD2, 0x0E, 0xD6, 0x63, 0x9C, 0xCA, 0x70, 0x33, - 0x08, 0x71, 0x7D, 0x4D, 0x9B, 0x00, 0x9B, 0xC6, 0x68, 0x42, - 0xAE, 0xCD, 0xA1, 0x2A, 0xE6, 0xA3, 0x80, 0xE6, 0x28, 0x81, - 0xFF, 0x2F, 0x2D, 0x82, 0xC6, 0x85, 0x28, 0xAA, 0x60, 0x56, - 0x58, 0x3A, 0x48, 0xF3, - 0xAA, 0xDD, 0x9D, 0xB8, 0xDB, 0xE9, 0xC4, 0x8B, 0x3F, 0xD4, /* a */ - 0xE6, 0xAE, 0x33, 0xC9, 0xFC, 0x07, 0xCB, 0x30, 0x8D, 0xB3, - 0xB3, 0xC9, 0xD2, 0x0E, 0xD6, 0x63, 0x9C, 0xCA, 0x70, 0x33, - 0x08, 0x71, 0x7D, 0x4D, 0x9B, 0x00, 0x9B, 0xC6, 0x68, 0x42, - 0xAE, 0xCD, 0xA1, 0x2A, 0xE6, 0xA3, 0x80, 0xE6, 0x28, 0x81, - 0xFF, 0x2F, 0x2D, 0x82, 0xC6, 0x85, 
0x28, 0xAA, 0x60, 0x56, - 0x58, 0x3A, 0x48, 0xF0, - 0x7C, 0xBB, 0xBC, 0xF9, 0x44, 0x1C, 0xFA, 0xB7, 0x6E, 0x18, /* b */ - 0x90, 0xE4, 0x68, 0x84, 0xEA, 0xE3, 0x21, 0xF7, 0x0C, 0x0B, - 0xCB, 0x49, 0x81, 0x52, 0x78, 0x97, 0x50, 0x4B, 0xEC, 0x3E, - 0x36, 0xA6, 0x2B, 0xCD, 0xFA, 0x23, 0x04, 0x97, 0x65, 0x40, - 0xF6, 0x45, 0x00, 0x85, 0xF2, 0xDA, 0xE1, 0x45, 0xC2, 0x25, - 0x53, 0xB4, 0x65, 0x76, 0x36, 0x89, 0x18, 0x0E, 0xA2, 0x57, - 0x18, 0x67, 0x42, 0x3E, - 0x64, 0x0E, 0xCE, 0x5C, 0x12, 0x78, 0x87, 0x17, 0xB9, 0xC1, /* x */ - 0xBA, 0x06, 0xCB, 0xC2, 0xA6, 0xFE, 0xBA, 0x85, 0x84, 0x24, - 0x58, 0xC5, 0x6D, 0xDE, 0x9D, 0xB1, 0x75, 0x8D, 0x39, 0xC0, - 0x31, 0x3D, 0x82, 0xBA, 0x51, 0x73, 0x5C, 0xDB, 0x3E, 0xA4, - 0x99, 0xAA, 0x77, 0xA7, 0xD6, 0x94, 0x3A, 0x64, 0xF7, 0xA3, - 0xF2, 0x5F, 0xE2, 0x6F, 0x06, 0xB5, 0x1B, 0xAA, 0x26, 0x96, - 0xFA, 0x90, 0x35, 0xDA, - 0x5B, 0x53, 0x4B, 0xD5, 0x95, 0xF5, 0xAF, 0x0F, 0xA2, 0xC8, /* y */ - 0x92, 0x37, 0x6C, 0x84, 0xAC, 0xE1, 0xBB, 0x4E, 0x30, 0x19, - 0xB7, 0x16, 0x34, 0xC0, 0x11, 0x31, 0x15, 0x9C, 0xAE, 0x03, - 0xCE, 0xE9, 0xD9, 0x93, 0x21, 0x84, 0xBE, 0xEF, 0x21, 0x6B, - 0xD7, 0x1D, 0xF2, 0xDA, 0xDF, 0x86, 0xA6, 0x27, 0x30, 0x6E, - 0xCF, 0xF9, 0x6D, 0xBB, 0x8B, 0xAC, 0xE1, 0x98, 0xB6, 0x1E, - 0x00, 0xF8, 0xB3, 0x32, - 0xAA, 0xDD, 0x9D, 0xB8, 0xDB, 0xE9, 0xC4, 0x8B, 0x3F, 0xD4, /* order */ - 0xE6, 0xAE, 0x33, 0xC9, 0xFC, 0x07, 0xCB, 0x30, 0x8D, 0xB3, - 0xB3, 0xC9, 0xD2, 0x0E, 0xD6, 0x63, 0x9C, 0xCA, 0x70, 0x33, - 0x08, 0x70, 0x55, 0x3E, 0x5C, 0x41, 0x4C, 0xA9, 0x26, 0x19, - 0x41, 0x86, 0x61, 0x19, 0x7F, 0xAC, 0x10, 0x47, 0x1D, 0xB1, - 0xD3, 0x81, 0x08, 0x5D, 0xDA, 0xDD, 0xB5, 0x87, 0x96, 0x82, - 0x9C, 0xA9, 0x00, 0x69 - } }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 32 * 6]; -} - _EC_FRP256v1 = { - { - NID_X9_62_prime_field, 0, 32, 1 + uint8_t p[32]; + uint8_t a[32]; + uint8_t b[32]; + uint8_t x[32]; + uint8_t y[32]; + uint8_t order[32]; +} _EC_FRP256v1 = { + .p = { + 0xf1, 0xfd, 0x17, 0x8c, 0x0b, 0x3a, 0xd5, 
0x8f, 0x10, 0x12, + 0x6d, 0xe8, 0xce, 0x42, 0x43, 0x5b, 0x39, 0x61, 0xad, 0xbc, + 0xab, 0xc8, 0xca, 0x6d, 0xe8, 0xfc, 0xf3, 0x53, 0xd8, 0x6e, + 0x9c, 0x03, + }, + .a = { + 0xf1, 0xfd, 0x17, 0x8c, 0x0b, 0x3a, 0xd5, 0x8f, 0x10, 0x12, + 0x6d, 0xe8, 0xce, 0x42, 0x43, 0x5b, 0x39, 0x61, 0xad, 0xbc, + 0xab, 0xc8, 0xca, 0x6d, 0xe8, 0xfc, 0xf3, 0x53, 0xd8, 0x6e, + 0x9c, 0x00, + }, + .b = { + 0xee, 0x35, 0x3f, 0xca, 0x54, 0x28, 0xa9, 0x30, 0x0d, 0x4a, + 0xba, 0x75, 0x4a, 0x44, 0xc0, 0x0f, 0xdf, 0xec, 0x0c, 0x9a, + 0xe4, 0xb1, 0xa1, 0x80, 0x30, 0x75, 0xed, 0x96, 0x7b, 0x7b, + 0xb7, 0x3f, + }, + .x = { + 0xb6, 0xb3, 0xd4, 0xc3, 0x56, 0xc1, 0x39, 0xeb, 0x31, 0x18, + 0x3d, 0x47, 0x49, 0xd4, 0x23, 0x95, 0x8c, 0x27, 0xd2, 0xdc, + 0xaf, 0x98, 0xb7, 0x01, 0x64, 0xc9, 0x7a, 0x2d, 0xd9, 0x8f, + 0x5c, 0xff, + }, + .y = { + 0x61, 0x42, 0xe0, 0xf7, 0xc8, 0xb2, 0x04, 0x91, 0x1f, 0x92, + 0x71, 0xf0, 0xf3, 0xec, 0xef, 0x8c, 0x27, 0x01, 0xc3, 0x07, + 0xe8, 0xe4, 0xc9, 0xe1, 0x83, 0x11, 0x5a, 0x15, 0x54, 0x06, + 0x2c, 0xfb, + }, + .order = { + 0xf1, 0xfd, 0x17, 0x8c, 0x0b, 0x3a, 0xd5, 0x8f, 0x10, 0x12, + 0x6d, 0xe8, 0xce, 0x42, 0x43, 0x5b, 0x53, 0xdc, 0x67, 0xe1, + 0x40, 0xd2, 0xbf, 0x94, 0x1f, 0xfd, 0xd4, 0x59, 0xc6, 0xd6, + 0x55, 0xe1, }, - { /* no seed */ - 0xF1, 0xFD, 0x17, 0x8C, 0x0B, 0x3A, 0xD5, 0x8F, 0x10, 0x12, /* p */ - 0x6D, 0xE8, 0xCE, 0x42, 0x43, 0x5B, 0x39, 0x61, 0xAD, 0xBC, - 0xAB, 0xC8, 0xCA, 0x6D, 0xE8, 0xFC, 0xF3, 0x53, 0xD8, 0x6E, - 0x9C, 0x03, - 0xF1, 0xFD, 0x17, 0x8C, 0x0B, 0x3A, 0xD5, 0x8F, 0x10, 0x12, /* a */ - 0x6D, 0xE8, 0xCE, 0x42, 0x43, 0x5B, 0x39, 0x61, 0xAD, 0xBC, - 0xAB, 0xC8, 0xCA, 0x6D, 0xE8, 0xFC, 0xF3, 0x53, 0xD8, 0x6E, - 0x9C, 0x00, - 0xEE, 0x35, 0x3F, 0xCA, 0x54, 0x28, 0xA9, 0x30, 0x0D, 0x4A, /* b */ - 0xBA, 0x75, 0x4A, 0x44, 0xC0, 0x0F, 0xDF, 0xEC, 0x0C, 0x9A, - 0xE4, 0xB1, 0xA1, 0x80, 0x30, 0x75, 0xED, 0x96, 0x7B, 0x7B, - 0xB7, 0x3F, - 0xB6, 0xB3, 0xD4, 0xC3, 0x56, 0xC1, 0x39, 0xEB, 0x31, 0x18, /* x */ - 0x3D, 0x47, 0x49, 0xD4, 0x23, 0x95, 0x8C, 0x27, 
0xD2, 0xDC, - 0xAF, 0x98, 0xB7, 0x01, 0x64, 0xC9, 0x7A, 0x2D, 0xD9, 0x8F, - 0x5C, 0xFF, - 0x61, 0x42, 0xE0, 0xF7, 0xC8, 0xB2, 0x04, 0x91, 0x1F, 0x92, /* y */ - 0x71, 0xF0, 0xF3, 0xEC, 0xEF, 0x8C, 0x27, 0x01, 0xC3, 0x07, - 0xE8, 0xE4, 0xC9, 0xE1, 0x83, 0x11, 0x5A, 0x15, 0x54, 0x06, - 0x2C, 0xFB, - 0xF1, 0xFD, 0x17, 0x8C, 0x0B, 0x3A, 0xD5, 0x8F, 0x10, 0x12, /* order */ - 0x6D, 0xE8, 0xCE, 0x42, 0x43, 0x5B, 0x53, 0xDC, 0x67, 0xE1, - 0x40, 0xD2, 0xBF, 0x94, 0x1F, 0xFD, 0xD4, 0x59, 0xC6, 0xD6, - 0x55, 0xE1 - } }; #ifndef OPENSSL_NO_GOST static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 32 * 6]; -} - _EC_GOST_2001_Test = { - { - NID_X9_62_prime_field, 0, 32, 1 - }, - { /* no seed */ - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ + uint8_t p[32]; + uint8_t a[32]; + uint8_t b[32]; + uint8_t x[32]; + uint8_t y[32]; + uint8_t order[32]; +} _EC_GOST_2001_Test = { + .p = { + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x31, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ + }, + .a = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, - 0x5F, 0xBF, 0xF4, 0x98, 0xAA, 0x93, 0x8C, 0xE7, 0x39, 0xB8, /* b */ - 0xE0, 0x22, 0xFB, 0xAF, 0xEF, 0x40, 0x56, 0x3F, 0x6E, 0x6A, - 0x34, 0x72, 0xFC, 0x2A, 0x51, 0x4C, 0x0C, 0xE9, 0xDA, 0xE2, - 0x3B, 0x7E, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */ + }, + .b = { + 0x5f, 0xbf, 0xf4, 0x98, 0xaa, 0x93, 0x8c, 0xe7, 0x39, 0xb8, + 0xe0, 0x22, 0xfb, 0xaf, 0xef, 0x40, 0x56, 0x3f, 0x6e, 0x6a, + 0x34, 0x72, 0xfc, 0x2a, 0x51, 0x4c, 0x0c, 0xe9, 0xda, 0xe2, + 0x3b, 0x7e, + }, + .x = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, - 0x08, 0xE2, 0xA8, 0xA0, 0xE6, 0x51, 0x47, 0xD4, 0xBD, 0x63, /* y */ - 0x16, 0x03, 0x0E, 0x16, 0xD1, 0x9C, 0x85, 0xC9, 0x7F, 0x0A, - 0x9C, 0xA2, 0x67, 0x12, 0x2B, 0x96, 0xAB, 0xBC, 0xEA, 0x7E, - 0x8F, 0xC8, - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x50, 0xFE, 0x8A, 0x18, - 0x92, 0x97, 0x61, 0x54, 0xC5, 0x9C, 0xFC, 0x19, 0x3A, 0xCC, - 0xF5, 0xB3, - } + }, + .y = { + 0x08, 0xe2, 0xa8, 0xa0, 0xe6, 0x51, 0x47, 0xd4, 0xbd, 0x63, + 0x16, 0x03, 0x0e, 0x16, 0xd1, 0x9c, 0x85, 0xc9, 0x7f, 0x0a, + 0x9c, 0xa2, 0x67, 0x12, 0x2b, 0x96, 0xab, 0xbc, 0xea, 0x7e, + 0x8f, 0xc8, + }, + .order = { + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x50, 0xfe, 0x8a, 0x18, + 0x92, 0x97, 0x61, 0x54, 0xc5, 0x9c, 0xfc, 0x19, 0x3a, 0xcc, + 0xf5, 0xb3, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 32 * 6]; -} - _EC_GOST_2001_CryptoPro_A = { - { - NID_X9_62_prime_field, 0, 32, 1 + uint8_t p[32]; + uint8_t a[32]; + uint8_t b[32]; + uint8_t x[32]; + uint8_t y[32]; + uint8_t order[32]; +} _EC_GOST_2001_CryptoPro_A = { + .p = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xfd, 0x97, }, - { /* no seed */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFD, 0x97, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFD, 0x94, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ + .a = { + 0xff, 0xff, 0xff, 0xff, 0xff, 
0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xfd, 0x94, + }, + .b = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0xA6, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0xa6, + }, + .x = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x8D, 0x91, 0xE4, 0x71, 0xE0, 0x98, 0x9C, 0xDA, 0x27, 0xDF, /* y */ - 0x50, 0x5A, 0x45, 0x3F, 0x2B, 0x76, 0x35, 0x29, 0x4F, 0x2D, - 0xDF, 0x23, 0xE3, 0xB1, 0x22, 0xAC, 0xC9, 0x9C, 0x9E, 0x9F, - 0x1E, 0x14, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x6C, 0x61, 0x10, 0x70, - 0x99, 0x5A, 0xD1, 0x00, 0x45, 0x84, 0x1B, 0x09, 0xB7, 0x61, - 0xB8, 0x93, - } + }, + .y = { + 0x8d, 0x91, 0xe4, 0x71, 0xe0, 0x98, 0x9c, 0xda, 0x27, 0xdf, + 0x50, 0x5a, 0x45, 0x3f, 0x2b, 0x76, 0x35, 0x29, 0x4f, 0x2d, + 0xdf, 0x23, 0xe3, 0xb1, 0x22, 0xac, 0xc9, 0x9c, 0x9e, 0x9f, + 0x1e, 0x14, + }, + .order = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x6c, 0x61, 0x10, 0x70, + 0x99, 0x5a, 0xd1, 0x00, 0x45, 0x84, 0x1b, 0x09, 0xb7, 0x61, + 0xb8, 0x93, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 32 * 6]; -} - _EC_GOST_2001_CryptoPro_B = { - { - NID_X9_62_prime_field, 0, 32, 1 + uint8_t p[32]; + uint8_t a[32]; + uint8_t b[32]; + uint8_t x[32]; + uint8_t y[32]; + uint8_t order[32]; +} _EC_GOST_2001_CryptoPro_B = { + .p = { + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, + 0x0c, 0x99, }, - { /* no seed */ - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ + .a = { + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x0C, 0x99, - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ + 0x0c, 0x96, + }, + .b = { + 0x3e, 0x1a, 0xf4, 0x19, 0xa2, 0x69, 0xa5, 0xf8, 0x66, 0xa7, + 0xd3, 0xc2, 0x5c, 0x3d, 0xf8, 0x0a, 0xe9, 0x79, 0x25, 0x93, + 0x73, 0xff, 0x2b, 0x18, 0x2f, 0x49, 0xd4, 0xce, 0x7e, 0x1b, + 0xbc, 0x8b, + }, + .x = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x0C, 0x96, - 0x3E, 0x1A, 0xF4, 0x19, 0xA2, 0x69, 0xA5, 0xF8, 0x66, 0xA7, /* b */ - 0xD3, 0xC2, 0x5C, 0x3D, 0xF8, 0x0A, 0xE9, 0x79, 0x25, 0x93, - 0x73, 0xFF, 0x2B, 0x18, 0x2F, 0x49, 0xD4, 0xCE, 0x7E, 0x1B, - 0xBC, 0x8B, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, - 0x3F, 0xA8, 0x12, 0x43, 0x59, 0xF9, 0x66, 0x80, 0xB8, 0x3D, /* y */ - 0x1C, 0x3E, 0xB2, 0xC0, 0x70, 0xE5, 0xC5, 0x45, 0xC9, 0x85, - 0x8D, 0x03, 0xEC, 0xFB, 0x74, 0x4B, 0xF8, 0xD7, 0x17, 0x71, - 0x7E, 0xFC, - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x5F, 0x70, 0x0C, 0xFF, - 0xF1, 0xA6, 0x24, 0xE5, 0xE4, 0x97, 0x16, 0x1B, 0xCC, 0x8A, - 0x19, 0x8F, - } + }, + .y = { + 0x3f, 0xa8, 0x12, 0x43, 0x59, 0xf9, 0x66, 0x80, 0xb8, 0x3d, + 0x1c, 0x3e, 0xb2, 0xc0, 0x70, 0xe5, 0xc5, 0x45, 0xc9, 0x85, + 0x8d, 0x03, 0xec, 0xfb, 0x74, 0x4b, 0xf8, 0xd7, 0x17, 0x71, + 0x7e, 0xfc, + }, + .order = { + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x5f, 0x70, 0x0c, 0xff, + 0xf1, 0xa6, 0x24, 0xe5, 0xe4, 
0x97, 0x16, 0x1b, 0xcc, 0x8a, + 0x19, 0x8f, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 32 * 6]; -} - _EC_GOST_2001_CryptoPro_C = { - { - NID_X9_62_prime_field, 0, 32, 1 + uint8_t p[32]; + uint8_t a[32]; + uint8_t b[32]; + uint8_t x[32]; + uint8_t y[32]; + uint8_t order[32]; +} _EC_GOST_2001_CryptoPro_C = { + .p = { + 0x9b, 0x9f, 0x60, 0x5f, 0x5a, 0x85, 0x81, 0x07, 0xab, 0x1e, + 0xc8, 0x5e, 0x6b, 0x41, 0xc8, 0xaa, 0xcf, 0x84, 0x6e, 0x86, + 0x78, 0x90, 0x51, 0xd3, 0x79, 0x98, 0xf7, 0xb9, 0x02, 0x2d, + 0x75, 0x9b, }, - { /* no seed */ - 0x9B, 0x9F, 0x60, 0x5F, 0x5A, 0x85, 0x81, 0x07, 0xAB, 0x1E, /* p */ - 0xC8, 0x5E, 0x6B, 0x41, 0xC8, 0xAA, 0xCF, 0x84, 0x6E, 0x86, - 0x78, 0x90, 0x51, 0xD3, 0x79, 0x98, 0xF7, 0xB9, 0x02, 0x2D, - 0x75, 0x9B, - 0x9B, 0x9F, 0x60, 0x5F, 0x5A, 0x85, 0x81, 0x07, 0xAB, 0x1E, /* a */ - 0xC8, 0x5E, 0x6B, 0x41, 0xC8, 0xAA, 0xCF, 0x84, 0x6E, 0x86, - 0x78, 0x90, 0x51, 0xD3, 0x79, 0x98, 0xF7, 0xB9, 0x02, 0x2D, + .a = { + 0x9b, 0x9f, 0x60, 0x5f, 0x5a, 0x85, 0x81, 0x07, 0xab, 0x1e, + 0xc8, 0x5e, 0x6b, 0x41, 0xc8, 0xaa, 0xcf, 0x84, 0x6e, 0x86, + 0x78, 0x90, 0x51, 0xd3, 0x79, 0x98, 0xf7, 0xb9, 0x02, 0x2d, 0x75, 0x98, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* b */ + }, + .b = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x80, 0x5A, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x80, 0x5a, + }, + .x = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x41, 0xEC, 0xE5, 0x57, 0x43, 0x71, 0x1A, 0x8C, 0x3C, 0xBF, /* y */ - 0x37, 0x83, 0xCD, 0x08, 0xC0, 0xEE, 0x4D, 0x4D, 0xC4, 0x40, - 0xD4, 0x64, 0x1A, 0x8F, 0x36, 0x6E, 0x55, 0x0D, 0xFD, 0xB3, - 0xBB, 0x67, - 0x9B, 0x9F, 0x60, 0x5F, 0x5A, 0x85, 
0x81, 0x07, 0xAB, 0x1E, /* order */ - 0xC8, 0x5E, 0x6B, 0x41, 0xC8, 0xAA, 0x58, 0x2C, 0xA3, 0x51, - 0x1E, 0xDD, 0xFB, 0x74, 0xF0, 0x2F, 0x3A, 0x65, 0x98, 0x98, - 0x0B, 0xB9, - } + }, + .y = { + 0x41, 0xec, 0xe5, 0x57, 0x43, 0x71, 0x1a, 0x8c, 0x3c, 0xbf, + 0x37, 0x83, 0xcd, 0x08, 0xc0, 0xee, 0x4d, 0x4d, 0xc4, 0x40, + 0xd4, 0x64, 0x1a, 0x8f, 0x36, 0x6e, 0x55, 0x0d, 0xfd, 0xb3, + 0xbb, 0x67, + }, + .order = { + 0x9b, 0x9f, 0x60, 0x5f, 0x5a, 0x85, 0x81, 0x07, 0xab, 0x1e, + 0xc8, 0x5e, 0x6b, 0x41, 0xc8, 0xaa, 0x58, 0x2c, 0xa3, 0x51, + 0x1e, 0xdd, 0xfb, 0x74, 0xf0, 0x2f, 0x3a, 0x65, 0x98, 0x98, + 0x0b, 0xb9, + }, }; /* 
@@ -2905,201 +1980,241 @@ static const struct { * Edwards. We do calculations in canonical (Weierstrass) form. */ static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 32 * 6]; -} - _EC_GOST_2012_256_TC26_A = { - { - NID_X9_62_prime_field, 0, 32, 4 + uint8_t p[32]; + uint8_t a[32]; + uint8_t b[32]; + uint8_t x[32]; + uint8_t y[32]; + uint8_t order[32]; +} _EC_GOST_2012_256_TC26_A = { + .p = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xfd, 0x97, }, - { /* no seed */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFD, 0x97, - 0xc2, 0x17, 0x3f, 0x15, 0x13, 0x98, 0x16, 0x73, 0xaf, 0x48, /* a */ + .a = { + 0xc2, 0x17, 0x3f, 0x15, 0x13, 0x98, 0x16, 0x73, 0xaf, 0x48, 0x92, 0xc2, 0x30, 0x35, 0xa2, 0x7c, 0xe2, 0x5e, 0x20, 0x13, 0xbf, 0x95, 0xaa, 0x33, 0xb2, 0x2c, 0x65, 0x6f, 0x27, 0x7e, 0x73, 0x35, - 0x29, 0x5f, 0x9b, 0xae, 0x74, 0x28, 0xed, 0x9c, 0xcc, 0x20, /* b */ + }, + .b = { + 0x29, 0x5f, 0x9b, 0xae, 0x74, 0x28, 0xed, 0x9c, 0xcc, 0x20, 0xe7, 0xc3, 0x59, 0xa9, 0xd4, 0x1a, 0x22, 0xfc, 0xcd, 0x91, 0x08, 0xe1, 0x7b, 0xf7, 0xba, 0x93, 0x37, 0xa6, 0xf8, 0xae, 0x95, 0x13, - 0x91, 0xe3, 0x84, 0x43, 0xa5, 0xe8, 0x2c, 0x0d, 0x88, 0x09, /* x */ + }, + .x = { + 0x91, 0xe3, 0x84, 0x43, 0xa5, 0xe8, 0x2c, 0x0d, 0x88, 0x09, 0x23, 0x42, 0x57, 0x12, 0xb2, 0xbb, 0x65, 0x8b, 0x91, 0x96, 0x93, 0x2e, 0x02, 0xc7, 0x8b, 0x25, 0x82, 0xfe, 0x74, 0x2d, 0xaa, 0x28, - 0x32, 0x87, 0x94, 0x23, 0xab, 0x1a, 0x03, 0x75, 0x89, 0x57, /* y */ + }, + .y = { + 0x32, 0x87, 0x94, 0x23, 0xab, 0x1a, 0x03, 0x75, 0x89, 0x57, 0x86, 0xc4, 0xbb, 0x46, 0xe9, 0x56, 0x5f, 0xde, 0x0b, 0x53, 0x44, 0x76, 0x67, 0x40, 0xaf, 0x26, 0x8a, 0xdb, 0x32, 0x32, 0x2e, 0x5c, - 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, /* order */ + }, + .order = { + 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0xd8, 0xcd, 0xdf, 0xc8, 0x7b, 0x66, 0x35, 0xc1, 0x15, 0xaf, 0x55, 0x6c, 0x36, 0x0c, 0x67, - } + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 64 * 6]; -} - _EC_GOST_2012_512_Test = { - { - NID_X9_62_prime_field, 0, 64, 1 - }, - { /* no seed */ - 0x45, 0x31, 0xac, 0xd1, 0xfe, 0x00, 0x23, 0xc7, 0x55, 0x0d, /* p */ + uint8_t p[64]; + uint8_t a[64]; + uint8_t b[64]; + uint8_t x[64]; + uint8_t y[64]; + uint8_t order[64]; +} _EC_GOST_2012_512_Test = { + .p = { + 0x45, 0x31, 0xac, 0xd1, 0xfe, 0x00, 0x23, 0xc7, 0x55, 0x0d, 0x26, 0x7b, 0x6b, 0x2f, 0xee, 0x80, 0x92, 0x2b, 0x14, 0xb2, 0xff, 0xb9, 0x0f, 0x04, 0xd4, 0xeb, 0x7c, 0x09, 0xb5, 0xd2, 0xd1, 0x5d, 0xf1, 0xd8, 0x52, 0x74, 0x1a, 0xf4, 0x70, 0x4a, 0x04, 0x58, 0x04, 0x7e, 0x80, 0xe4, 0x54, 0x6d, 0x35, 0xb8, 0x33, 0x6f, 0xac, 0x22, 0x4d, 0xd8, 0x16, 0x64, 0xbb, 0xf5, 0x28, 0xbe, 0x63, 0x73, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ + }, + .a = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, - 0x1c, 0xff, 0x08, 0x06, 0xa3, 0x11, 0x16, 0xda, 0x29, 0xd8, /* b */ + }, + .b = { + 0x1c, 0xff, 0x08, 0x06, 0xa3, 0x11, 0x16, 0xda, 0x29, 0xd8, 0xcf, 0xa5, 0x4e, 0x57, 0xeb, 0x74, 0x8b, 0xc5, 0xf3, 0x77, 0xe4, 0x94, 0x00, 0xfd, 0xd7, 0x88, 0xb6, 0x49, 0xec, 0xa1, 0xac, 0x43, 0x61, 0x83, 0x40, 0x13, 0xb2, 0xad, 0x73, 0x22, 0x48, 0x0a, 0x89, 0xca, 0x58, 0xe0, 0xcf, 0x74, 0xbc, 0x9e, 0x54, 0x0c, 0x2a, 0xdd, 0x68, 0x97, 0xfa, 0xd0, 0xa3, 0x08, 0x4f, 0x30, 0x2a, 0xdc, - 0x24, 0xd1, 0x9c, 0xc6, 0x45, 0x72, 0xee, 
0x30, 0xf3, 0x96, /* x */ + }, + .x = { + 0x24, 0xd1, 0x9c, 0xc6, 0x45, 0x72, 0xee, 0x30, 0xf3, 0x96, 0xbf, 0x6e, 0xbb, 0xfd, 0x7a, 0x6c, 0x52, 0x13, 0xb3, 0xb3, 0xd7, 0x05, 0x7c, 0xc8, 0x25, 0xf9, 0x10, 0x93, 0xa6, 0x8c, 0xd7, 0x62, 0xfd, 0x60, 0x61, 0x12, 0x62, 0xcd, 0x83, 0x8d, 0xc6, 0xb6, 0x0a, 0xa7, 0xee, 0xe8, 0x04, 0xe2, 0x8b, 0xc8, 0x49, 0x97, 0x7f, 0xac, 0x33, 0xb4, 0xb5, 0x30, 0xf1, 0xb1, 0x20, 0x24, 0x8a, 0x9a, - 0x2b, 0xb3, 0x12, 0xa4, 0x3b, 0xd2, 0xce, 0x6e, 0x0d, 0x02, /* y */ + }, + .y = { + 0x2b, 0xb3, 0x12, 0xa4, 0x3b, 0xd2, 0xce, 0x6e, 0x0d, 0x02, 0x06, 0x13, 0xc8, 0x57, 0xac, 0xdd, 0xcf, 0xbf, 0x06, 0x1e, 0x91, 0xe5, 0xf2, 0xc3, 0xf3, 0x24, 0x47, 0xc2, 0x59, 0xf3, 0x9b, 0x2c, 0x83, 0xab, 0x15, 0x6d, 0x77, 0xf1, 0x49, 0x6b, 0xf7, 0xeb, 0x33, 0x51, 0xe1, 0xee, 0x4e, 0x43, 0xdc, 0x1a, 0x18, 0xb9, 0x1b, 0x24, 0x64, 0x0b, 0x6d, 0xbb, 0x92, 0xcb, 0x1a, 0xdd, 0x37, 0x1e, - 0x45, 0x31, 0xac, 0xd1, 0xfe, 0x00, 0x23, 0xc7, 0x55, 0x0d, /* order */ + }, + .order = { + 0x45, 0x31, 0xac, 0xd1, 0xfe, 0x00, 0x23, 0xc7, 0x55, 0x0d, 0x26, 0x7b, 0x6b, 0x2f, 0xee, 0x80, 0x92, 0x2b, 0x14, 0xb2, 0xff, 0xb9, 0x0f, 0x04, 0xd4, 0xeb, 0x7c, 0x09, 0xb5, 0xd2, 0xd1, 0x5d, 0xa8, 0x2f, 0x2d, 0x7e, 0xcb, 0x1d, 0xba, 0xc7, 0x19, 0x90, 0x5c, 0x5e, 0xec, 0xc4, 0x23, 0xf1, 0xd8, 0x6e, 0x25, 0xed, 0xbe, 0x23, 0xc5, 0x95, 0xd6, 0x44, 0xaa, 0xf1, 0x87, 0xe6, 0xe6, 0xdf, - } + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 64 * 6]; -} - _EC_GOST_2012_512_TC26_A = { - { - NID_X9_62_prime_field, 0, 64, 1 - }, - { /* no seed */ - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* p */ + uint8_t p[64]; + uint8_t a[64]; + uint8_t b[64]; + uint8_t x[64]; + uint8_t y[64]; + uint8_t order[64]; +} _EC_GOST_2012_512_TC26_A = { + .p = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfd, 0xc7, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* a */ + }, + .a = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfd, 0xc4, - 0xe8, 0xc2, 0x50, 0x5d, 0xed, 0xfc, 0x86, 0xdd, 0xc1, 0xbd, /* b */ + }, + .b = { + 0xe8, 0xc2, 0x50, 0x5d, 0xed, 0xfc, 0x86, 0xdd, 0xc1, 0xbd, 0x0b, 0x2b, 0x66, 0x67, 0xf1, 0xda, 0x34, 0xb8, 0x25, 0x74, 0x76, 0x1c, 0xb0, 0xe8, 0x79, 0xbd, 0x08, 0x1c, 0xfd, 0x0b, 0x62, 0x65, 0xee, 0x3c, 0xb0, 0x90, 0xf3, 0x0d, 0x27, 0x61, 0x4c, 0xb4, 0x57, 0x40, 0x10, 0xda, 0x90, 0xdd, 0x86, 0x2e, 0xf9, 0xd4, 0xeb, 0xee, 0x47, 0x61, 0x50, 0x31, 0x90, 0x78, 0x5a, 0x71, 0xc7, 0x60, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */ + }, + .x = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, - 0x75, 0x03, 0xcf, 0xe8, 0x7a, 0x83, 0x6a, 0xe3, 0xa6, 0x1b, /* y */ + }, + .y = { + 0x75, 0x03, 0xcf, 0xe8, 0x7a, 0x83, 0x6a, 0xe3, 0xa6, 0x1b, 0x88, 0x16, 0xe2, 0x54, 0x50, 0xe6, 0xce, 0x5e, 0x1c, 0x93, 0xac, 0xf1, 0xab, 0xc1, 0x77, 0x80, 0x64, 0xfd, 0xcb, 0xef, 0xa9, 0x21, 0xdf, 0x16, 0x26, 0xbe, 0x4f, 0xd0, 0x36, 0xe9, 0x3d, 0x75, 0xe6, 0xa5, 0x0e, 0x3a, 0x41, 0xe9, 0x80, 0x28, 0xfe, 0x5f, 0xc2, 0x35, 0xf5, 0xb8, 0x89, 
0xa5, 0x89, 0xcb, 0x52, 0x15, 0xf2, 0xa4, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* order */ + }, + .order = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x27, 0xe6, 0x95, 0x32, 0xf4, 0x8d, 0x89, 0x11, 0x6f, 0xf2, 0x2b, 0x8d, 0x4e, 0x05, 0x60, 0x60, 0x9b, 0x4b, 0x38, 0xab, 0xfa, 0xd2, 0xb8, 0x5d, 0xca, 0xcd, 0xb1, 0x41, - 0x1f, 0x10, 0xb2, 0x75 - } + 0x1f, 0x10, 0xb2, 0x75, + }, }; static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 64 * 6]; -} - _EC_GOST_2012_512_TC26_B = { - { - NID_X9_62_prime_field, 0, 64, 1 - }, - { /* no seed */ - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* p */ + uint8_t p[64]; + uint8_t a[64]; + uint8_t b[64]; + uint8_t x[64]; + uint8_t y[64]; + uint8_t order[64]; +} _EC_GOST_2012_512_TC26_B = { + .p = { + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6f, - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ + }, + .a = { + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6c, - 0x68, 0x7d, 0x1b, 0x45, 0x9d, 0xc8, 0x41, 0x45, 0x7e, 0x3e, /* b */ + }, + .b = { + 0x68, 0x7d, 0x1b, 0x45, 0x9d, 0xc8, 0x41, 0x45, 0x7e, 0x3e, 0x06, 0xcf, 0x6f, 0x5e, 0x25, 0x17, 0xb9, 0x7c, 
0x7d, 0x61, 0x4a, 0xf1, 0x38, 0xbc, 0xbf, 0x85, 0xdc, 0x80, 0x6c, 0x4b, 0x28, 0x9f, 0x3e, 0x96, 0x5d, 0x2d, 0xb1, 0x41, 0x6d, 0x21, 0x7f, 0x8b, 0x27, 0x6f, 0xad, 0x1a, 0xb6, 0x9c, 0x50, 0xf7, 0x8b, 0xee, 0x1f, 0xa3, 0x10, 0x6e, 0xfb, 0x8c, 0xcb, 0xc7, 0xc5, 0x14, 0x01, 0x16, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* x */ + }, + .x = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, - 0x1a, 0x8f, 0x7e, 0xda, 0x38, 0x9b, 0x09, 0x4c, 0x2c, 0x07, /* y */ + }, + .y = { + 0x1a, 0x8f, 0x7e, 0xda, 0x38, 0x9b, 0x09, 0x4c, 0x2c, 0x07, 0x1e, 0x36, 0x47, 0xa8, 0x94, 0x0f, 0x3c, 0x12, 0x3b, 0x69, 0x75, 0x78, 0xc2, 0x13, 0xbe, 0x6d, 0xd9, 0xe6, 0xc8, 0xec, 0x73, 0x35, 0xdc, 0xb2, 0x28, 0xfd, 0x1e, 0xdf, 0x4a, 0x39, 0x15, 0x2c, 0xbc, 0xaa, 0xf8, 0xc0, 0x39, 0x88, 0x28, 0x04, 0x10, 0x55, 0xf9, 0x4c, 0xee, 0xec, 0x7e, 0x21, 0x34, 0x07, 0x80, 0xfe, 0x41, 0xbd, - 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ + }, + .order = { + 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x49, 0xa1, 0xec, 0x14, 0x25, 0x65, 0xa5, 0x45, 0xac, 0xfd, 0xb7, 0x7b, 0xd9, 0xd4, 0x0c, 0xfa, 0x8b, 0x99, 0x67, 0x12, 0x10, 0x1b, 0xea, 0x0e, 0xc6, 0x34, 0x6c, 0x54, - 0x37, 0x4f, 0x25, 0xbd - } + 0x37, 0x4f, 0x25, 0xbd, + }, }; /* 
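Review bot: The removed header `NID_X9_62_prime_field, 0, 32, 4` carried cofactor 4 for `_EC_GOST_2012_256_TC26_A` (the three 512-bit structs in this hunk had 1), and the replacement struct holds only the six parameter arrays, so the cofactor now lives solely in the matching `curve_list` entry, which is outside this hunk. Please confirm that entry sets `.cofactor = 4` rather than the `1` every visible entry uses, because nothing in the parameter arrays would flag the mismatch. A short comment on the struct would keep the coupling visible, e.g. `/* cofactor 4; must agree with the curve_list entry */`. The new layout also depends on every array in a struct having the same length as `.p`, since `curve_list` derives `param_len` from `sizeof(X.p)` and applies it to a, b, x, y and order; a compile-time size check where the entries are consumed would make a mis-sized declaration fail loudly instead of silently.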
@@ -3107,359 +2222,929 @@ static const struct { * Edwards. We do calculations in canonical (Weierstrass) form. */ static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 64 * 6]; -} - _EC_GOST_2012_512_TC26_C = { - { - NID_X9_62_prime_field, 0, 64, 4 - }, - { /* no seed */ - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* p */ + uint8_t p[64]; + uint8_t a[64]; + uint8_t b[64]; + uint8_t x[64]; + uint8_t y[64]; + uint8_t order[64]; +} _EC_GOST_2012_512_TC26_C = { + .p = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfd, 0xc7, - 0xdc, 0x92, 0x03, 0xe5, 0x14, 0xa7, 0x21, 0x87, 0x54, 0x85, /* a */ + }, + .a = { + 0xdc, 0x92, 0x03, 0xe5, 0x14, 0xa7, 0x21, 0x87, 0x54, 0x85, 0xa5, 0x29, 0xd2, 0xc7, 0x22, 0xfb, 0x18, 0x7b, 0xc8, 0x98, 0x0e, 0xb8, 0x66, 0x64, 0x4d, 0xe4, 0x1c, 0x68, 0xe1, 0x43, 0x06, 0x45, 0x46, 0xe8, 0x61, 0xc0, 0xe2, 0xc9, 0xed, 0xd9, 0x2a, 0xde, 0x71, 0xf4, 0x6f, 0xcf, 0x50, 0xff, 0x2a, 0xd9, 0x7f, 0x95, 0x1f, 0xda, 0x9f, 0x2a, 0x2e, 0xb6, 0x54, 0x6f, 0x39, 0x68, 0x9b, 0xd3, - 0xb4, 0xc4, 0xee, 0x28, 0xce, 0xbc, 0x6c, 0x2c, 0x8a, 0xc1, /* b */ + }, + .b = { + 0xb4, 0xc4, 0xee, 0x28, 0xce, 0xbc, 0x6c, 0x2c, 0x8a, 0xc1, 0x29, 0x52, 0xcf, 0x37, 0xf1, 0x6a, 0xc7, 0xef, 0xb6, 0xa9, 0xf6, 0x9f, 0x4b, 0x57, 0xff, 0xda, 0x2e, 0x4f, 0x0d, 0xe5, 0xad, 0xe0, 0x38, 0xcb, 0xc2, 0xff, 0xf7, 0x19, 0xd2, 0xc1, 0x8d, 0xe0, 0x28, 0x4b, 0x8b, 0xfe, 0xf3, 0xb5, 0x2b, 0x8c, 0xc7, 0xa5, 0xf5, 0xbf, 0x0a, 0x3c, 0x8d, 0x23, 0x19, 0xa5, 0x31, 0x25, 0x57, 0xe1, - 0xe2, 0xe3, 0x1e, 0xdf, 0xc2, 0x3d, 0xe7, 0xbd, 0xeb, 0xe2, /* x */ + }, + .x = { + 0xe2, 0xe3, 0x1e, 0xdf, 0xc2, 0x3d, 0xe7, 0xbd, 0xeb, 0xe2, 0x41, 0xce, 0x59, 0x3e, 
0xf5, 0xde, 0x22, 0x95, 0xb7, 0xa9, 0xcb, 0xae, 0xf0, 0x21, 0xd3, 0x85, 0xf7, 0x07, 0x4c, 0xea, 0x04, 0x3a, 0xa2, 0x72, 0x72, 0xa7, 0xae, 0x60, 0x2b, 0xf2, 0xa7, 0xb9, 0x03, 0x3d, 0xb9, 0xed, 0x36, 0x10, 0xc6, 0xfb, 0x85, 0x48, 0x7e, 0xae, 0x97, 0xaa, 0xc5, 0xbc, 0x79, 0x28, 0xc1, 0x95, 0x01, 0x48, - 0xf5, 0xce, 0x40, 0xd9, 0x5b, 0x5e, 0xb8, 0x99, 0xab, 0xbc, /* y */ + }, + .y = { + 0xf5, 0xce, 0x40, 0xd9, 0x5b, 0x5e, 0xb8, 0x99, 0xab, 0xbc, 0xcf, 0xf5, 0x91, 0x1c, 0xb8, 0x57, 0x79, 0x39, 0x80, 0x4d, 0x65, 0x27, 0x37, 0x8b, 0x8c, 0x10, 0x8c, 0x3d, 0x20, 0x90, 0xff, 0x9b, 0xe1, 0x8e, 0x2d, 0x33, 0xe3, 0x02, 0x1e, 0xd2, 0xef, 0x32, 0xd8, 0x58, 0x22, 0x42, 0x3b, 0x63, 0x04, 0xf7, 0x26, 0xaa, 0x85, 0x4b, 0xae, 0x07, 0xd0, 0x39, 0x6e, 0x9a, 0x9a, 0xdd, 0xc4, 0x0f, - 0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* order */ + }, + .order = { + 0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x8c, 0xdb, 0xa4, 0x65, 0x06, 0xab, 0x00, 0x4c, 0x33, 0xa9, 0xff, 0x51, 0x47, 0x50, 0x2c, 0xc8, 0xed, 0xa9, 0xe7, 0xa7, 0x69, 0xa1, 0x26, 0x94, 0x62, 0x3c, 0xef, 0x47, 0xf0, 0x23, 0xed, - } + }, }; - #endif -typedef struct _ec_list_element_st { - int nid; - const EC_CURVE_DATA *data; - const EC_METHOD *(*meth) (void); +static const struct ec_list_element { const char *comment; -} ec_list_element; - -static const ec_list_element curve_list[] = { - /* prime field curves */ + int nid; + int seed_len; + int param_len; + unsigned int cofactor; + const uint8_t *seed; + const uint8_t *p; + const uint8_t *a; + const uint8_t *b; + const uint8_t *x; + const uint8_t *y; + const uint8_t *order; +} curve_list[] = { /* secg curves */ - {NID_secp112r1, &_EC_SECG_PRIME_112R1.h, 0, "SECG/WTLS curve over a 112 bit prime field"}, - {NID_secp112r2, &_EC_SECG_PRIME_112R2.h, 0, "SECG curve over a 112 bit prime field"}, - {NID_secp128r1, 
&_EC_SECG_PRIME_128R1.h, 0, "SECG curve over a 128 bit prime field"},
- {NID_secp128r2, &_EC_SECG_PRIME_128R2.h, 0, "SECG curve over a 128 bit prime field"},
- {NID_secp160k1, &_EC_SECG_PRIME_160K1.h, 0, "SECG curve over a 160 bit prime field"},
- {NID_secp160r1, &_EC_SECG_PRIME_160R1.h, 0, "SECG curve over a 160 bit prime field"},
- {NID_secp160r2, &_EC_SECG_PRIME_160R2.h, 0, "SECG/WTLS curve over a 160 bit prime field"},
+ {
+ .comment = "SECG/WTLS curve over a 112 bit prime field",
+ .nid = NID_secp112r1,
+ .seed_len = sizeof(_EC_SECG_PRIME_112R1.seed),
+ .param_len = sizeof(_EC_SECG_PRIME_112R1.p),
+ .seed = _EC_SECG_PRIME_112R1.seed,
+ .p = _EC_SECG_PRIME_112R1.p,
+ .a = _EC_SECG_PRIME_112R1.a,
+ .b = _EC_SECG_PRIME_112R1.b,
+ .x = _EC_SECG_PRIME_112R1.x,
+ .y = _EC_SECG_PRIME_112R1.y,
+ .order = _EC_SECG_PRIME_112R1.order,
+ .cofactor = 1,
+ },
+ {
+ .comment = "SECG curve over a 112 bit prime field",
+ .nid = NID_secp112r2,
+ .seed_len = sizeof(_EC_SECG_PRIME_112R2.seed),
+ .param_len = sizeof(_EC_SECG_PRIME_112R2.p),
+ .seed = _EC_SECG_PRIME_112R2.seed,
+ .p = _EC_SECG_PRIME_112R2.p,
+ .a = _EC_SECG_PRIME_112R2.a,
+ .b = _EC_SECG_PRIME_112R2.b,
+ .x = _EC_SECG_PRIME_112R2.x,
+ .y = _EC_SECG_PRIME_112R2.y,
+ .order = _EC_SECG_PRIME_112R2.order,
+ .cofactor = 4,
+ },
+ {
+ .comment = "SECG curve over a 128 bit prime field",
+ .nid = NID_secp128r1,
+ .seed_len = sizeof(_EC_SECG_PRIME_128R1.seed),
+ .param_len = sizeof(_EC_SECG_PRIME_128R1.p),
+ .seed = _EC_SECG_PRIME_128R1.seed,
+ .p = _EC_SECG_PRIME_128R1.p,
+ .a = _EC_SECG_PRIME_128R1.a,
+ .b = _EC_SECG_PRIME_128R1.b,
+ .x = _EC_SECG_PRIME_128R1.x,
+ .y = _EC_SECG_PRIME_128R1.y,
+ .order = _EC_SECG_PRIME_128R1.order,
+ .cofactor = 1,
+ },
+ {
+ .comment = "SECG curve over a 128 bit prime field",
+ .nid = NID_secp128r2,
+ .seed_len = sizeof(_EC_SECG_PRIME_128R2.seed),
+ .param_len = sizeof(_EC_SECG_PRIME_128R2.p),
+ .seed = _EC_SECG_PRIME_128R2.seed,
+ .p = _EC_SECG_PRIME_128R2.p,
+ .a = 
_EC_SECG_PRIME_128R2.a,
+ .b = _EC_SECG_PRIME_128R2.b,
+ .x = _EC_SECG_PRIME_128R2.x,
+ .y = _EC_SECG_PRIME_128R2.y,
+ .order = _EC_SECG_PRIME_128R2.order,
+ .cofactor = 4,
+ },
+ {
+ .comment = "SECG curve over a 160 bit prime field",
+ .nid = NID_secp160k1,
+ .param_len = sizeof(_EC_SECG_PRIME_160K1.p),
+ .p = _EC_SECG_PRIME_160K1.p,
+ .a = _EC_SECG_PRIME_160K1.a,
+ .b = _EC_SECG_PRIME_160K1.b,
+ .x = _EC_SECG_PRIME_160K1.x,
+ .y = _EC_SECG_PRIME_160K1.y,
+ .order = _EC_SECG_PRIME_160K1.order,
+ .cofactor = 1,
+ },
+ {
+ .comment = "SECG curve over a 160 bit prime field",
+ .nid = NID_secp160r1,
+ .seed_len = sizeof(_EC_SECG_PRIME_160R1.seed),
+ .param_len = sizeof(_EC_SECG_PRIME_160R1.p),
+ .seed = _EC_SECG_PRIME_160R1.seed,
+ .p = _EC_SECG_PRIME_160R1.p,
+ .a = _EC_SECG_PRIME_160R1.a,
+ .b = _EC_SECG_PRIME_160R1.b,
+ .x = _EC_SECG_PRIME_160R1.x,
+ .y = _EC_SECG_PRIME_160R1.y,
+ .order = _EC_SECG_PRIME_160R1.order,
+ .cofactor = 1,
+ },
+ {
+ .comment = "SECG/WTLS curve over a 160 bit prime field",
+ .nid = NID_secp160r2,
+ .seed_len = sizeof(_EC_SECG_PRIME_160R2.seed),
+ .param_len = sizeof(_EC_SECG_PRIME_160R2.p),
+ .seed = _EC_SECG_PRIME_160R2.seed,
+ .p = _EC_SECG_PRIME_160R2.p,
+ .a = _EC_SECG_PRIME_160R2.a,
+ .b = _EC_SECG_PRIME_160R2.b,
+ .x = _EC_SECG_PRIME_160R2.x,
+ .y = _EC_SECG_PRIME_160R2.y,
+ .order = _EC_SECG_PRIME_160R2.order,
+ .cofactor = 1,
+ },
 /* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */
- {NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0, "SECG curve over a 192 bit prime field"},
- {NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0, "SECG curve over a 224 bit prime field"},
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, "NIST/SECG curve over a 224 bit prime field"},
-#else
- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, "NIST/SECG curve over a 224 bit prime field"},
-#endif
- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, "SECG curve over a 256 bit prime field"},
+ {
+ .comment = 
"SECG curve over a 192 bit prime field",
+ .nid = NID_secp192k1,
+ .param_len = sizeof(_EC_SECG_PRIME_192K1.p),
+ .p = _EC_SECG_PRIME_192K1.p,
+ .a = _EC_SECG_PRIME_192K1.a,
+ .b = _EC_SECG_PRIME_192K1.b,
+ .x = _EC_SECG_PRIME_192K1.x,
+ .y = _EC_SECG_PRIME_192K1.y,
+ .order = _EC_SECG_PRIME_192K1.order,
+ .cofactor = 1,
+ },
+ {
+ .comment = "SECG curve over a 224 bit prime field",
+ .nid = NID_secp224k1,
+ .param_len = sizeof(_EC_SECG_PRIME_224K1.p),
+ .p = _EC_SECG_PRIME_224K1.p,
+ .a = _EC_SECG_PRIME_224K1.a,
+ .b = _EC_SECG_PRIME_224K1.b,
+ .x = _EC_SECG_PRIME_224K1.x,
+ .y = _EC_SECG_PRIME_224K1.y,
+ .order = _EC_SECG_PRIME_224K1.order,
+ .cofactor = 1,
+ },
+ {
+ .comment = "NIST/SECG curve over a 224 bit prime field",
+ .nid = NID_secp224r1,
+ .seed_len = sizeof(_EC_NIST_PRIME_224.seed),
+ .param_len = sizeof(_EC_NIST_PRIME_224.p),
+ .seed = _EC_NIST_PRIME_224.seed,
+ .p = _EC_NIST_PRIME_224.p,
+ .a = _EC_NIST_PRIME_224.a,
+ .b = _EC_NIST_PRIME_224.b,
+ .x = _EC_NIST_PRIME_224.x,
+ .y = _EC_NIST_PRIME_224.y,
+ .order = _EC_NIST_PRIME_224.order,
+ .cofactor = 1,
+ },
+ {
+ .comment = "SECG curve over a 256 bit prime field",
+ .nid = NID_secp256k1,
+ .param_len = sizeof(_EC_SECG_PRIME_256K1.p),
+ .p = _EC_SECG_PRIME_256K1.p,
+ .a = _EC_SECG_PRIME_256K1.a,
+ .b = _EC_SECG_PRIME_256K1.b,
+ .x = _EC_SECG_PRIME_256K1.x,
+ .y = _EC_SECG_PRIME_256K1.y,
+ .order = _EC_SECG_PRIME_256K1.order,
+ .cofactor = 1,
+ },
 /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */
- {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, "NIST/SECG curve over a 384 bit prime field"},
-#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- {NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method, "NIST/SECG curve over a 521 bit prime field"},
-#else
- {NID_secp521r1, &_EC_NIST_PRIME_521.h, 0, "NIST/SECG curve over a 521 bit prime field"},
-#endif
+ {
+ .comment = "NIST/SECG curve over a 384 bit prime field",
+ .nid = NID_secp384r1,
+ .seed_len = sizeof(_EC_NIST_PRIME_384.seed),
+ 
.param_len = sizeof(_EC_NIST_PRIME_384.p),
+ .seed = _EC_NIST_PRIME_384.seed,
+ .p = _EC_NIST_PRIME_384.p,
+ .a = _EC_NIST_PRIME_384.a,
+ .b = _EC_NIST_PRIME_384.b,
+ .x = _EC_NIST_PRIME_384.x,
+ .y = _EC_NIST_PRIME_384.y,
+ .order = _EC_NIST_PRIME_384.order,
+ .cofactor = 1,
+ },
+ {
+ .comment = "NIST/SECG curve over a 521 bit prime field",
+ .nid = NID_secp521r1,
+ .seed_len = sizeof(_EC_NIST_PRIME_521.seed),
+ .param_len = sizeof(_EC_NIST_PRIME_521.p),
+ .seed = _EC_NIST_PRIME_521.seed,
+ .p = _EC_NIST_PRIME_521.p,
+ .a = _EC_NIST_PRIME_521.a,
+ .b = _EC_NIST_PRIME_521.b,
+ .x = _EC_NIST_PRIME_521.x,
+ .y = _EC_NIST_PRIME_521.y,
+ .order = _EC_NIST_PRIME_521.order,
+ .cofactor = 1,
+ },
 /* X9.62 curves */
- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, "NIST/X9.62/SECG curve over a 192 bit prime field"},
- {NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2.h, 0, "X9.62 curve over a 192 bit prime field"},
- {NID_X9_62_prime192v3, &_EC_X9_62_PRIME_192V3.h, 0, "X9.62 curve over a 192 bit prime field"},
- {NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1.h, 0, "X9.62 curve over a 239 bit prime field"},
- {NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, "X9.62 curve over a 239 bit prime field"},
- {NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, "X9.62 curve over a 239 bit prime field"},
- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h,
-#if defined(ECP_NISTZ256_ASM)
- EC_GFp_nistz256_method,
-#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128)
- EC_GFp_nistp256_method,
-#else
- 0,
-#endif
- "X9.62/SECG curve over a 256 bit prime field"},
-#ifndef OPENSSL_NO_EC2M
- /* characteristic two field curves */
- /* NIST/SECG curves */
- {NID_sect113r1, &_EC_SECG_CHAR2_113R1.h, 0, "SECG curve over a 113 bit binary field"},
- {NID_sect113r2, &_EC_SECG_CHAR2_113R2.h, 0, "SECG curve over a 113 bit binary field"},
- {NID_sect131r1, &_EC_SECG_CHAR2_131R1.h, 0, "SECG/WTLS curve over a 131 bit binary field"},
- {NID_sect131r2, &_EC_SECG_CHAR2_131R2.h, 0, "SECG curve over a 131 bit 
binary field"},
- {NID_sect163k1, &_EC_NIST_CHAR2_163K.h, 0, "NIST/SECG/WTLS curve over a 163 bit binary field"},
- {NID_sect163r1, &_EC_SECG_CHAR2_163R1.h, 0, "SECG curve over a 163 bit binary field"},
- {NID_sect163r2, &_EC_NIST_CHAR2_163B.h, 0, "NIST/SECG curve over a 163 bit binary field"},
- {NID_sect193r1, &_EC_SECG_CHAR2_193R1.h, 0, "SECG curve over a 193 bit binary field"},
- {NID_sect193r2, &_EC_SECG_CHAR2_193R2.h, 0, "SECG curve over a 193 bit binary field"},
- {NID_sect233k1, &_EC_NIST_CHAR2_233K.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
- {NID_sect233r1, &_EC_NIST_CHAR2_233B.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
- {NID_sect239k1, &_EC_SECG_CHAR2_239K1.h, 0, "SECG curve over a 239 bit binary field"},
- {NID_sect283k1, &_EC_NIST_CHAR2_283K.h, 0, "NIST/SECG curve over a 283 bit binary field"},
- {NID_sect283r1, &_EC_NIST_CHAR2_283B.h, 0, "NIST/SECG curve over a 283 bit binary field"},
- {NID_sect409k1, &_EC_NIST_CHAR2_409K.h, 0, "NIST/SECG curve over a 409 bit binary field"},
- {NID_sect409r1, &_EC_NIST_CHAR2_409B.h, 0, "NIST/SECG curve over a 409 bit binary field"},
- {NID_sect571k1, &_EC_NIST_CHAR2_571K.h, 0, "NIST/SECG curve over a 571 bit binary field"},
- {NID_sect571r1, &_EC_NIST_CHAR2_571B.h, 0, "NIST/SECG curve over a 571 bit binary field"},
- /* X9.62 curves */
- {NID_X9_62_c2pnb163v1, &_EC_X9_62_CHAR2_163V1.h, 0, "X9.62 curve over a 163 bit binary field"},
- {NID_X9_62_c2pnb163v2, &_EC_X9_62_CHAR2_163V2.h, 0, "X9.62 curve over a 163 bit binary field"},
- {NID_X9_62_c2pnb163v3, &_EC_X9_62_CHAR2_163V3.h, 0, "X9.62 curve over a 163 bit binary field"},
- {NID_X9_62_c2pnb176v1, &_EC_X9_62_CHAR2_176V1.h, 0, "X9.62 curve over a 176 bit binary field"},
- {NID_X9_62_c2tnb191v1, &_EC_X9_62_CHAR2_191V1.h, 0, "X9.62 curve over a 191 bit binary field"},
- {NID_X9_62_c2tnb191v2, &_EC_X9_62_CHAR2_191V2.h, 0, "X9.62 curve over a 191 bit binary field"},
- {NID_X9_62_c2tnb191v3, &_EC_X9_62_CHAR2_191V3.h, 0, "X9.62 curve over a 
191 bit binary field"},
- {NID_X9_62_c2pnb208w1, &_EC_X9_62_CHAR2_208W1.h, 0, "X9.62 curve over a 208 bit binary field"},
- {NID_X9_62_c2tnb239v1, &_EC_X9_62_CHAR2_239V1.h, 0, "X9.62 curve over a 239 bit binary field"},
- {NID_X9_62_c2tnb239v2, &_EC_X9_62_CHAR2_239V2.h, 0, "X9.62 curve over a 239 bit binary field"},
- {NID_X9_62_c2tnb239v3, &_EC_X9_62_CHAR2_239V3.h, 0, "X9.62 curve over a 239 bit binary field"},
- {NID_X9_62_c2pnb272w1, &_EC_X9_62_CHAR2_272W1.h, 0, "X9.62 curve over a 272 bit binary field"},
- {NID_X9_62_c2pnb304w1, &_EC_X9_62_CHAR2_304W1.h, 0, "X9.62 curve over a 304 bit binary field"},
- {NID_X9_62_c2tnb359v1, &_EC_X9_62_CHAR2_359V1.h, 0, "X9.62 curve over a 359 bit binary field"},
- {NID_X9_62_c2pnb368w1, &_EC_X9_62_CHAR2_368W1.h, 0, "X9.62 curve over a 368 bit binary field"},
- {NID_X9_62_c2tnb431r1, &_EC_X9_62_CHAR2_431R1.h, 0, "X9.62 curve over a 431 bit binary field"},
- /*
- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
- * from X9.62]
- */
- {NID_wap_wsg_idm_ecid_wtls1, &_EC_WTLS_1.h, 0, "WTLS curve over a 113 bit binary field"},
- {NID_wap_wsg_idm_ecid_wtls3, &_EC_NIST_CHAR2_163K.h, 0, "NIST/SECG/WTLS curve over a 163 bit binary field"},
- {NID_wap_wsg_idm_ecid_wtls4, &_EC_SECG_CHAR2_113R1.h, 0, "SECG curve over a 113 bit binary field"},
- {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0, "X9.62 curve over a 163 bit binary field"},
-#endif
- {NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0, "SECG/WTLS curve over a 112 bit prime field"},
- {NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0, "SECG/WTLS curve over a 160 bit prime field"},
- {NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0, "WTLS curve over a 112 bit prime field"},
- {NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0, "WTLS curve over a 160 bit prime field"},
-#ifndef OPENSSL_NO_EC2M
- {NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
- {NID_wap_wsg_idm_ecid_wtls11, 
&_EC_NIST_CHAR2_233B.h, 0, "NIST/SECG/WTLS curve over a 233 bit binary field"},
-#endif
- {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, "WTLS curve over a 224 bit prime field"},
-#ifndef OPENSSL_NO_EC2M
- /* IPSec curves */
- {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, "\n\tIPSec/IKE/Oakley curve #3 over a 155 bit binary field.\n"
- "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
- {NID_ipsec4, &_EC_IPSEC_185_ID4.h, 0, "\n\tIPSec/IKE/Oakley curve #4 over a 185 bit binary field.\n"
- "\tNot suitable for ECDSA.\n\tQuestionable extension field!"},
-#endif
+ {
+ .comment = "NIST/X9.62/SECG curve over a 192 bit prime field",
+ .nid = NID_X9_62_prime192v1,
+ .seed_len = sizeof(_EC_NIST_PRIME_192.seed),
+ .param_len = sizeof(_EC_NIST_PRIME_192.p),
+ .seed = _EC_NIST_PRIME_192.seed,
+ .p = _EC_NIST_PRIME_192.p,
+ .a = _EC_NIST_PRIME_192.a,
+ .b = _EC_NIST_PRIME_192.b,
+ .x = _EC_NIST_PRIME_192.x,
+ .y = _EC_NIST_PRIME_192.y,
+ .order = _EC_NIST_PRIME_192.order,
+ .cofactor = 1,
+ },
+ {
+ .comment = "X9.62 curve over a 192 bit prime field",
+ .nid = NID_X9_62_prime192v2,
+ .seed_len = sizeof(_EC_X9_62_PRIME_192V2.seed),
+ .param_len = sizeof(_EC_X9_62_PRIME_192V2.p),
+ .seed = _EC_X9_62_PRIME_192V2.seed,
+ .p = _EC_X9_62_PRIME_192V2.p,
+ .a = _EC_X9_62_PRIME_192V2.a,
+ .b = _EC_X9_62_PRIME_192V2.b,
+ .x = _EC_X9_62_PRIME_192V2.x,
+ .y = _EC_X9_62_PRIME_192V2.y,
+ .order = _EC_X9_62_PRIME_192V2.order,
+ .cofactor = 1,
+ },
+ {
+ .comment = "X9.62 curve over a 192 bit prime field",
+ .nid = NID_X9_62_prime192v3,
+ .seed_len = sizeof(_EC_X9_62_PRIME_192V3.seed),
+ .param_len = sizeof(_EC_X9_62_PRIME_192V3.p),
+ .seed = _EC_X9_62_PRIME_192V3.seed,
+ .p = _EC_X9_62_PRIME_192V3.p,
+ .a = _EC_X9_62_PRIME_192V3.a,
+ .b = _EC_X9_62_PRIME_192V3.b,
+ .x = _EC_X9_62_PRIME_192V3.x,
+ .y = _EC_X9_62_PRIME_192V3.y,
+ .order = _EC_X9_62_PRIME_192V3.order,
+ .cofactor = 1,
+ },
+ {
+ .comment = "X9.62 curve over a 239 bit prime field",
+ .nid = NID_X9_62_prime239v1,
+ .seed_len 
= sizeof(_EC_X9_62_PRIME_239V1.seed), + .param_len = sizeof(_EC_X9_62_PRIME_239V1.p), + .seed = _EC_X9_62_PRIME_239V1.seed, + .p = _EC_X9_62_PRIME_239V1.p, + .a = _EC_X9_62_PRIME_239V1.a, + .b = _EC_X9_62_PRIME_239V1.b, + .x = _EC_X9_62_PRIME_239V1.x, + .y = _EC_X9_62_PRIME_239V1.y, + .order = _EC_X9_62_PRIME_239V1.order, + .cofactor = 1, + }, + { + .comment = "X9.62 curve over a 239 bit prime field", + .nid = NID_X9_62_prime239v2, + .seed_len = sizeof(_EC_X9_62_PRIME_239V2.seed), + .param_len = sizeof(_EC_X9_62_PRIME_239V2.p), + .seed = _EC_X9_62_PRIME_239V2.seed, + .p = _EC_X9_62_PRIME_239V2.p, + .a = _EC_X9_62_PRIME_239V2.a, + .b = _EC_X9_62_PRIME_239V2.b, + .x = _EC_X9_62_PRIME_239V2.x, + .y = _EC_X9_62_PRIME_239V2.y, + .order = _EC_X9_62_PRIME_239V2.order, + .cofactor = 1, + }, + { + .comment = "X9.62 curve over a 239 bit prime field", + .nid = NID_X9_62_prime239v3, + .seed_len = sizeof(_EC_X9_62_PRIME_239V3.seed), + .param_len = sizeof(_EC_X9_62_PRIME_239V3.p), + .seed = _EC_X9_62_PRIME_239V3.seed, + .p = _EC_X9_62_PRIME_239V3.p, + .a = _EC_X9_62_PRIME_239V3.a, + .b = _EC_X9_62_PRIME_239V3.b, + .x = _EC_X9_62_PRIME_239V3.x, + .y = _EC_X9_62_PRIME_239V3.y, + .order = _EC_X9_62_PRIME_239V3.order, + .cofactor = 1, + }, + { + .comment = "X9.62/SECG curve over a 256 bit prime field", + .nid = NID_X9_62_prime256v1, + .seed_len = sizeof(_EC_X9_62_PRIME_256V1.seed), + .param_len = sizeof(_EC_X9_62_PRIME_256V1.p), + .seed = _EC_X9_62_PRIME_256V1.seed, + .p = _EC_X9_62_PRIME_256V1.p, + .a = _EC_X9_62_PRIME_256V1.a, + .b = _EC_X9_62_PRIME_256V1.b, + .x = _EC_X9_62_PRIME_256V1.x, + .y = _EC_X9_62_PRIME_256V1.y, + .order = _EC_X9_62_PRIME_256V1.order, + .cofactor = 1, + }, + { + .comment = "SECG/WTLS curve over a 112 bit prime field", + .nid = NID_wap_wsg_idm_ecid_wtls6, + .seed_len = sizeof(_EC_SECG_PRIME_112R1.seed), + .param_len = sizeof(_EC_SECG_PRIME_112R1.p), + .seed = _EC_SECG_PRIME_112R1.seed, + .p = _EC_SECG_PRIME_112R1.p, + .a = _EC_SECG_PRIME_112R1.a, + .b = 
_EC_SECG_PRIME_112R1.b, + .x = _EC_SECG_PRIME_112R1.x, + .y = _EC_SECG_PRIME_112R1.y, + .order = _EC_SECG_PRIME_112R1.order, + .cofactor = 1, + }, + { + .comment = "SECG/WTLS curve over a 160 bit prime field", + .nid = NID_wap_wsg_idm_ecid_wtls7, + .seed_len = sizeof(_EC_SECG_PRIME_160R2.seed), + .param_len = sizeof(_EC_SECG_PRIME_160R2.p), + .seed = _EC_SECG_PRIME_160R2.seed, + .p = _EC_SECG_PRIME_160R2.p, + .a = _EC_SECG_PRIME_160R2.a, + .b = _EC_SECG_PRIME_160R2.b, + .x = _EC_SECG_PRIME_160R2.x, + .y = _EC_SECG_PRIME_160R2.y, + .order = _EC_SECG_PRIME_160R2.order, + .cofactor = 1, + }, + { + .comment = "WTLS curve over a 112 bit prime field", + .nid = NID_wap_wsg_idm_ecid_wtls8, + .param_len = sizeof(_EC_WTLS_8.p), + .p = _EC_WTLS_8.p, + .a = _EC_WTLS_8.a, + .b = _EC_WTLS_8.b, + .x = _EC_WTLS_8.x, + .y = _EC_WTLS_8.y, + .order = _EC_WTLS_8.order, + .cofactor = 1, + }, + { + .comment = "WTLS curve over a 160 bit prime field", + .nid = NID_wap_wsg_idm_ecid_wtls9, + .param_len = sizeof(_EC_WTLS_9.p), + .p = _EC_WTLS_9.p, + .a = _EC_WTLS_9.a, + .b = _EC_WTLS_9.b, + .x = _EC_WTLS_9.x, + .y = _EC_WTLS_9.y, + .order = _EC_WTLS_9.order, + .cofactor = 1, + }, + { + .comment = "WTLS curve over a 224 bit prime field", + .nid = NID_wap_wsg_idm_ecid_wtls12, + .param_len = sizeof(_EC_WTLS_12.p), + .p = _EC_WTLS_12.p, + .a = _EC_WTLS_12.a, + .b = _EC_WTLS_12.b, + .x = _EC_WTLS_12.x, + .y = _EC_WTLS_12.y, + .order = _EC_WTLS_12.order, + .cofactor = 1, + }, /* RFC 5639 curves */ - {NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0, "RFC 5639 curve over a 160 bit prime field"}, - {NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0, "RFC 5639 curve over a 160 bit prime field"}, - {NID_brainpoolP192r1, &_EC_brainpoolP192r1.h, 0, "RFC 5639 curve over a 192 bit prime field"}, - {NID_brainpoolP192t1, &_EC_brainpoolP192t1.h, 0, "RFC 5639 curve over a 192 bit prime field"}, - {NID_brainpoolP224r1, &_EC_brainpoolP224r1.h, 0, "RFC 5639 curve over a 224 bit prime field"}, - {NID_brainpoolP224t1, 
&_EC_brainpoolP224t1.h, 0, "RFC 5639 curve over a 224 bit prime field"}, - {NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0, "RFC 5639 curve over a 256 bit prime field"}, - {NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0, "RFC 5639 curve over a 256 bit prime field"}, - {NID_brainpoolP320r1, &_EC_brainpoolP320r1.h, 0, "RFC 5639 curve over a 320 bit prime field"}, - {NID_brainpoolP320t1, &_EC_brainpoolP320t1.h, 0, "RFC 5639 curve over a 320 bit prime field"}, - {NID_brainpoolP384r1, &_EC_brainpoolP384r1.h, 0, "RFC 5639 curve over a 384 bit prime field"}, - {NID_brainpoolP384t1, &_EC_brainpoolP384t1.h, 0, "RFC 5639 curve over a 384 bit prime field"}, - {NID_brainpoolP512r1, &_EC_brainpoolP512r1.h, 0, "RFC 5639 curve over a 512 bit prime field"}, - {NID_brainpoolP512t1, &_EC_brainpoolP512t1.h, 0, "RFC 5639 curve over a 512 bit prime field"}, + { + .comment = "RFC 5639 curve over a 160 bit prime field", + .nid = NID_brainpoolP160r1, + .param_len = sizeof(_EC_brainpoolP160r1.p), + .p = _EC_brainpoolP160r1.p, + .a = _EC_brainpoolP160r1.a, + .b = _EC_brainpoolP160r1.b, + .x = _EC_brainpoolP160r1.x, + .y = _EC_brainpoolP160r1.y, + .order = _EC_brainpoolP160r1.order, + .cofactor = 1, + }, + { + .comment = "RFC 5639 curve over a 160 bit prime field", + .nid = NID_brainpoolP160t1, + .param_len = sizeof(_EC_brainpoolP160t1.p), + .p = _EC_brainpoolP160t1.p, + .a = _EC_brainpoolP160t1.a, + .b = _EC_brainpoolP160t1.b, + .x = _EC_brainpoolP160t1.x, + .y = _EC_brainpoolP160t1.y, + .order = _EC_brainpoolP160t1.order, + .cofactor = 1, + }, + { + .comment = "RFC 5639 curve over a 192 bit prime field", + .nid = NID_brainpoolP192r1, + .param_len = sizeof(_EC_brainpoolP192r1.p), + .p = _EC_brainpoolP192r1.p, + .a = _EC_brainpoolP192r1.a, + .b = _EC_brainpoolP192r1.b, + .x = _EC_brainpoolP192r1.x, + .y = _EC_brainpoolP192r1.y, + .order = _EC_brainpoolP192r1.order, + .cofactor = 1, + }, + { + .comment = "RFC 5639 curve over a 192 bit prime field", + .nid = NID_brainpoolP192t1, + .param_len = 
sizeof(_EC_brainpoolP192t1.p), + .p = _EC_brainpoolP192t1.p, + .a = _EC_brainpoolP192t1.a, + .b = _EC_brainpoolP192t1.b, + .x = _EC_brainpoolP192t1.x, + .y = _EC_brainpoolP192t1.y, + .order = _EC_brainpoolP192t1.order, + .cofactor = 1, + }, + { + .comment = "RFC 5639 curve over a 224 bit prime field", + .nid = NID_brainpoolP224r1, + .param_len = sizeof(_EC_brainpoolP224r1.p), + .p = _EC_brainpoolP224r1.p, + .a = _EC_brainpoolP224r1.a, + .b = _EC_brainpoolP224r1.b, + .x = _EC_brainpoolP224r1.x, + .y = _EC_brainpoolP224r1.y, + .order = _EC_brainpoolP224r1.order, + .cofactor = 1, + }, + { + .comment = "RFC 5639 curve over a 224 bit prime field", + .nid = NID_brainpoolP224t1, + .param_len = sizeof(_EC_brainpoolP224t1.p), + .p = _EC_brainpoolP224t1.p, + .a = _EC_brainpoolP224t1.a, + .b = _EC_brainpoolP224t1.b, + .x = _EC_brainpoolP224t1.x, + .y = _EC_brainpoolP224t1.y, + .order = _EC_brainpoolP224t1.order, + .cofactor = 1, + }, + { + .comment = "RFC 5639 curve over a 256 bit prime field", + .nid = NID_brainpoolP256r1, + .param_len = sizeof(_EC_brainpoolP256r1.p), + .p = _EC_brainpoolP256r1.p, + .a = _EC_brainpoolP256r1.a, + .b = _EC_brainpoolP256r1.b, + .x = _EC_brainpoolP256r1.x, + .y = _EC_brainpoolP256r1.y, + .order = _EC_brainpoolP256r1.order, + .cofactor = 1, + }, + { + .comment = "RFC 5639 curve over a 256 bit prime field", + .nid = NID_brainpoolP256t1, + .param_len = sizeof(_EC_brainpoolP256t1.p), + .p = _EC_brainpoolP256t1.p, + .a = _EC_brainpoolP256t1.a, + .b = _EC_brainpoolP256t1.b, + .x = _EC_brainpoolP256t1.x, + .y = _EC_brainpoolP256t1.y, + .order = _EC_brainpoolP256t1.order, + .cofactor = 1, + }, + { + .comment = "RFC 5639 curve over a 320 bit prime field", + .nid = NID_brainpoolP320r1, + .param_len = sizeof(_EC_brainpoolP320r1.p), + .p = _EC_brainpoolP320r1.p, + .a = _EC_brainpoolP320r1.a, + .b = _EC_brainpoolP320r1.b, + .x = _EC_brainpoolP320r1.x, + .y = _EC_brainpoolP320r1.y, + .order = _EC_brainpoolP320r1.order, + .cofactor = 1, + }, + { + .comment = 
"RFC 5639 curve over a 320 bit prime field", + .nid = NID_brainpoolP320t1, + .param_len = sizeof(_EC_brainpoolP320t1.p), + .p = _EC_brainpoolP320t1.p, + .a = _EC_brainpoolP320t1.a, + .b = _EC_brainpoolP320t1.b, + .x = _EC_brainpoolP320t1.x, + .y = _EC_brainpoolP320t1.y, + .order = _EC_brainpoolP320t1.order, + .cofactor = 1, + }, + { + .comment = "RFC 5639 curve over a 384 bit prime field", + .nid = NID_brainpoolP384r1, + .param_len = sizeof(_EC_brainpoolP384r1.p), + .p = _EC_brainpoolP384r1.p, + .a = _EC_brainpoolP384r1.a, + .b = _EC_brainpoolP384r1.b, + .x = _EC_brainpoolP384r1.x, + .y = _EC_brainpoolP384r1.y, + .order = _EC_brainpoolP384r1.order, + .cofactor = 1, + }, + { + .comment = "RFC 5639 curve over a 384 bit prime field", + .nid = NID_brainpoolP384t1, + .param_len = sizeof(_EC_brainpoolP384t1.p), + .p = _EC_brainpoolP384t1.p, + .a = _EC_brainpoolP384t1.a, + .b = _EC_brainpoolP384t1.b, + .x = _EC_brainpoolP384t1.x, + .y = _EC_brainpoolP384t1.y, + .order = _EC_brainpoolP384t1.order, + .cofactor = 1, + }, + { + .comment = "RFC 5639 curve over a 512 bit prime field", + .nid = NID_brainpoolP512r1, + .param_len = sizeof(_EC_brainpoolP512r1.p), + .p = _EC_brainpoolP512r1.p, + .a = _EC_brainpoolP512r1.a, + .b = _EC_brainpoolP512r1.b, + .x = _EC_brainpoolP512r1.x, + .y = _EC_brainpoolP512r1.y, + .order = _EC_brainpoolP512r1.order, + .cofactor = 1, + }, + { + .comment = "RFC 5639 curve over a 512 bit prime field", + .nid = NID_brainpoolP512t1, + .param_len = sizeof(_EC_brainpoolP512t1.p), + .p = _EC_brainpoolP512t1.p, + .a = _EC_brainpoolP512t1.a, + .b = _EC_brainpoolP512t1.b, + .x = _EC_brainpoolP512t1.x, + .y = _EC_brainpoolP512t1.y, + .order = _EC_brainpoolP512t1.order, + .cofactor = 1, + }, /* ANSSI */ - {NID_FRP256v1, &_EC_FRP256v1.h, 0, "FRP256v1"}, + { + .comment = "FRP256v1", + .nid = NID_FRP256v1, + .param_len = sizeof(_EC_FRP256v1.p), + .p = _EC_FRP256v1.p, + .a = _EC_FRP256v1.a, + .b = _EC_FRP256v1.b, + .x = _EC_FRP256v1.x, + .y = _EC_FRP256v1.y, + .order 
= _EC_FRP256v1.order, + .cofactor = 1, + }, #ifndef OPENSSL_NO_GOST /* GOST R 34.10-2001 */ - {NID_id_GostR3410_2001_TestParamSet, &_EC_GOST_2001_Test.h, 0, "GOST R 34.10-2001 Test Curve"}, - {NID_id_GostR3410_2001_CryptoPro_A_ParamSet, &_EC_GOST_2001_CryptoPro_A.h, 0, "GOST R 34.10-2001 CryptoPro-A"}, - {NID_id_GostR3410_2001_CryptoPro_B_ParamSet, &_EC_GOST_2001_CryptoPro_B.h, 0, "GOST R 34.10-2001 CryptoPro-B"}, - {NID_id_GostR3410_2001_CryptoPro_C_ParamSet, &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2001 CryptoPro-C"}, - {NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet, &_EC_GOST_2001_CryptoPro_A.h, 0, "GOST R 34.10-2001 CryptoPro-XchA"}, - {NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet, &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2001 CryptoPro-XchB"}, - {NID_id_tc26_gost_3410_12_256_paramSetA, &_EC_GOST_2012_256_TC26_A.h, 0, "GOST R 34.10-2012 256 TC26-A"}, - {NID_id_tc26_gost_3410_12_256_paramSetB, &_EC_GOST_2001_CryptoPro_A.h, 0, "GOST R 34.10-2012 256 TC26-B"}, - {NID_id_tc26_gost_3410_12_256_paramSetC, &_EC_GOST_2001_CryptoPro_B.h, 0, "GOST R 34.10-2012 256 TC26-C"}, - {NID_id_tc26_gost_3410_12_256_paramSetD, &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2012 256 TC26-D"}, - {NID_id_tc26_gost_3410_12_512_paramSetTest, &_EC_GOST_2012_512_Test.h, 0, "GOST R 34.10-2012 512 Test Curve"}, - {NID_id_tc26_gost_3410_12_512_paramSetA, &_EC_GOST_2012_512_TC26_A.h, 0, "GOST R 34.10-2012 512 TC26-A"}, - {NID_id_tc26_gost_3410_12_512_paramSetB, &_EC_GOST_2012_512_TC26_B.h, 0, "GOST R 34.10-2012 512 TC26-B"}, - {NID_id_tc26_gost_3410_12_512_paramSetC, &_EC_GOST_2012_512_TC26_C.h, 0, "GOST R 34.10-2012 512 TC26-C"}, + { + .comment = "GOST R 34.10-2001 Test Curve", + .nid = NID_id_GostR3410_2001_TestParamSet, + .param_len = sizeof(_EC_GOST_2001_Test.p), + .p = _EC_GOST_2001_Test.p, + .a = _EC_GOST_2001_Test.a, + .b = _EC_GOST_2001_Test.b, + .x = _EC_GOST_2001_Test.x, + .y = _EC_GOST_2001_Test.y, + .order = _EC_GOST_2001_Test.order, + .cofactor = 1, + }, + { + 
.comment = "GOST R 34.10-2001 CryptoPro-A", + .nid = NID_id_GostR3410_2001_CryptoPro_A_ParamSet, + .param_len = sizeof(_EC_GOST_2001_CryptoPro_A.p), + .p = _EC_GOST_2001_CryptoPro_A.p, + .a = _EC_GOST_2001_CryptoPro_A.a, + .b = _EC_GOST_2001_CryptoPro_A.b, + .x = _EC_GOST_2001_CryptoPro_A.x, + .y = _EC_GOST_2001_CryptoPro_A.y, + .order = _EC_GOST_2001_CryptoPro_A.order, + .cofactor = 1, + }, + { + .comment = "GOST R 34.10-2001 CryptoPro-B", + .nid = NID_id_GostR3410_2001_CryptoPro_B_ParamSet, + .param_len = sizeof(_EC_GOST_2001_CryptoPro_B.p), + .p = _EC_GOST_2001_CryptoPro_B.p, + .a = _EC_GOST_2001_CryptoPro_B.a, + .b = _EC_GOST_2001_CryptoPro_B.b, + .x = _EC_GOST_2001_CryptoPro_B.x, + .y = _EC_GOST_2001_CryptoPro_B.y, + .order = _EC_GOST_2001_CryptoPro_B.order, + .cofactor = 1, + }, + { + .comment = "GOST R 34.10-2001 CryptoPro-C", + .nid = NID_id_GostR3410_2001_CryptoPro_C_ParamSet, + .param_len = sizeof(_EC_GOST_2001_CryptoPro_C.p), + .p = _EC_GOST_2001_CryptoPro_C.p, + .a = _EC_GOST_2001_CryptoPro_C.a, + .b = _EC_GOST_2001_CryptoPro_C.b, + .x = _EC_GOST_2001_CryptoPro_C.x, + .y = _EC_GOST_2001_CryptoPro_C.y, + .order = _EC_GOST_2001_CryptoPro_C.order, + .cofactor = 1, + }, + { + .comment = "GOST R 34.10-2001 CryptoPro-XchA", + .nid = NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet, + .param_len = sizeof(_EC_GOST_2001_CryptoPro_A.p), + .p = _EC_GOST_2001_CryptoPro_A.p, + .a = _EC_GOST_2001_CryptoPro_A.a, + .b = _EC_GOST_2001_CryptoPro_A.b, + .x = _EC_GOST_2001_CryptoPro_A.x, + .y = _EC_GOST_2001_CryptoPro_A.y, + .order = _EC_GOST_2001_CryptoPro_A.order, + .cofactor = 1, + }, + { + .comment = "GOST R 34.10-2001 CryptoPro-XchB", + .nid = NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet, + .param_len = sizeof(_EC_GOST_2001_CryptoPro_C.p), + .p = _EC_GOST_2001_CryptoPro_C.p, + .a = _EC_GOST_2001_CryptoPro_C.a, + .b = _EC_GOST_2001_CryptoPro_C.b, + .x = _EC_GOST_2001_CryptoPro_C.x, + .y = _EC_GOST_2001_CryptoPro_C.y, + .order = _EC_GOST_2001_CryptoPro_C.order, + 
.cofactor = 1, + }, + { + .comment = "GOST R 34.10-2012 256 TC26-A", + .nid = NID_id_tc26_gost_3410_12_256_paramSetA, + .param_len = sizeof(_EC_GOST_2012_256_TC26_A.p), + .p = _EC_GOST_2012_256_TC26_A.p, + .a = _EC_GOST_2012_256_TC26_A.a, + .b = _EC_GOST_2012_256_TC26_A.b, + .x = _EC_GOST_2012_256_TC26_A.x, + .y = _EC_GOST_2012_256_TC26_A.y, + .order = _EC_GOST_2012_256_TC26_A.order, + .cofactor = 4, + }, + { + .comment = "GOST R 34.10-2012 256 TC26-B", + .nid = NID_id_tc26_gost_3410_12_256_paramSetB, + .param_len = sizeof(_EC_GOST_2001_CryptoPro_A.p), + .p = _EC_GOST_2001_CryptoPro_A.p, + .a = _EC_GOST_2001_CryptoPro_A.a, + .b = _EC_GOST_2001_CryptoPro_A.b, + .x = _EC_GOST_2001_CryptoPro_A.x, + .y = _EC_GOST_2001_CryptoPro_A.y, + .order = _EC_GOST_2001_CryptoPro_A.order, + .cofactor = 1, + }, + { + .comment = "GOST R 34.10-2012 256 TC26-C", + .nid = NID_id_tc26_gost_3410_12_256_paramSetC, + .param_len = sizeof(_EC_GOST_2001_CryptoPro_B.p), + .p = _EC_GOST_2001_CryptoPro_B.p, + .a = _EC_GOST_2001_CryptoPro_B.a, + .b = _EC_GOST_2001_CryptoPro_B.b, + .x = _EC_GOST_2001_CryptoPro_B.x, + .y = _EC_GOST_2001_CryptoPro_B.y, + .order = _EC_GOST_2001_CryptoPro_B.order, + .cofactor = 1, + }, + { + .comment = "GOST R 34.10-2012 256 TC26-D", + .nid = NID_id_tc26_gost_3410_12_256_paramSetD, + .param_len = sizeof(_EC_GOST_2001_CryptoPro_C.p), + .p = _EC_GOST_2001_CryptoPro_C.p, + .a = _EC_GOST_2001_CryptoPro_C.a, + .b = _EC_GOST_2001_CryptoPro_C.b, + .x = _EC_GOST_2001_CryptoPro_C.x, + .y = _EC_GOST_2001_CryptoPro_C.y, + .order = _EC_GOST_2001_CryptoPro_C.order, + .cofactor = 1, + }, + { + .comment = "GOST R 34.10-2012 512 Test Curve", + .nid = NID_id_tc26_gost_3410_12_512_paramSetTest, + .param_len = sizeof(_EC_GOST_2012_512_Test.p), + .p = _EC_GOST_2012_512_Test.p, + .a = _EC_GOST_2012_512_Test.a, + .b = _EC_GOST_2012_512_Test.b, + .x = _EC_GOST_2012_512_Test.x, + .y = _EC_GOST_2012_512_Test.y, + .order = _EC_GOST_2012_512_Test.order, + .cofactor = 1, + }, + { + .comment = 
"GOST R 34.10-2012 512 TC26-A", + .nid = NID_id_tc26_gost_3410_12_512_paramSetA, + .param_len = sizeof(_EC_GOST_2012_512_TC26_A.p), + .p = _EC_GOST_2012_512_TC26_A.p, + .a = _EC_GOST_2012_512_TC26_A.a, + .b = _EC_GOST_2012_512_TC26_A.b, + .x = _EC_GOST_2012_512_TC26_A.x, + .y = _EC_GOST_2012_512_TC26_A.y, + .order = _EC_GOST_2012_512_TC26_A.order, + .cofactor = 1, + }, + { + .comment = "GOST R 34.10-2012 512 TC26-B", + .nid = NID_id_tc26_gost_3410_12_512_paramSetB, + .param_len = sizeof(_EC_GOST_2012_512_TC26_B.p), + .p = _EC_GOST_2012_512_TC26_B.p, + .a = _EC_GOST_2012_512_TC26_B.a, + .b = _EC_GOST_2012_512_TC26_B.b, + .x = _EC_GOST_2012_512_TC26_B.x, + .y = _EC_GOST_2012_512_TC26_B.y, + .order = _EC_GOST_2012_512_TC26_B.order, + .cofactor = 1, + }, + { + .comment = "GOST R 34.10-2012 512 TC26-C", + .nid = NID_id_tc26_gost_3410_12_512_paramSetC, + .param_len = sizeof(_EC_GOST_2012_512_TC26_C.p), + .p = _EC_GOST_2012_512_TC26_C.p, + .a = _EC_GOST_2012_512_TC26_C.a, + .b = _EC_GOST_2012_512_TC26_C.b, + .x = _EC_GOST_2012_512_TC26_C.x, + .y = _EC_GOST_2012_512_TC26_C.y, + .order = _EC_GOST_2012_512_TC26_C.order, + .cofactor = 4, + }, #endif }; -#define curve_list_length (sizeof(curve_list)/sizeof(ec_list_element)) +#define CURVE_LIST_LENGTH (sizeof(curve_list) / sizeof(curve_list[0])) static EC_GROUP * -ec_group_new_from_data(const ec_list_element curve) +ec_group_new_from_data(const struct ec_list_element *curve) { - EC_GROUP *group = NULL; - EC_POINT *P = NULL; + EC_GROUP *group = NULL, *ret = NULL; + EC_POINT *generator = NULL; BN_CTX *ctx = NULL; - BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order = NULL; - int ok = 0; - int seed_len, param_len; - const EC_METHOD *meth; - const EC_CURVE_DATA *data; - const unsigned char *params; + BIGNUM *p, *a, *b, *x, *y, *order, *cofactor; if ((ctx = BN_CTX_new()) == NULL) { ECerror(ERR_R_MALLOC_FAILURE); goto err; } - data = curve.data; - seed_len = data->seed_len; - param_len = data->param_len; - params = 
(const unsigned char *) (data + 1); /* skip header */ - params += seed_len; /* skip seed */ + BN_CTX_start(ctx); - if (!(p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) || - !(a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) || - !(b = BN_bin2bn(params + 2 * param_len, param_len, NULL))) { + if ((p = BN_CTX_get(ctx)) == NULL) { ECerror(ERR_R_BN_LIB); goto err; } - if (curve.meth != 0) { - meth = curve.meth(); - if (((group = EC_GROUP_new(meth)) == NULL) || - (!(group->meth->group_set_curve(group, p, a, b, ctx)))) { - ECerror(ERR_R_EC_LIB); - goto err; - } - } else if (data->field_type == NID_X9_62_prime_field) { - if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) { - ECerror(ERR_R_EC_LIB); - goto err; - } + if ((a = BN_CTX_get(ctx)) == NULL) { + ECerror(ERR_R_BN_LIB); + goto err; } -#ifndef OPENSSL_NO_EC2M - else { /* field_type == - * NID_X9_62_characteristic_two_field */ - if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) { - ECerror(ERR_R_EC_LIB); - goto err; - } + if ((b = BN_CTX_get(ctx)) == NULL) { + ECerror(ERR_R_BN_LIB); + goto err; + } + if ((x = BN_CTX_get(ctx)) == NULL) { + ECerror(ERR_R_BN_LIB); + goto err; + } + if ((y = BN_CTX_get(ctx)) == NULL) { + ECerror(ERR_R_BN_LIB); + goto err; + } + if ((order = BN_CTX_get(ctx)) == NULL) { + ECerror(ERR_R_BN_LIB); + goto err; + } + if ((cofactor = BN_CTX_get(ctx)) == NULL) { + ECerror(ERR_R_BN_LIB); + goto err; } -#endif - if ((P = EC_POINT_new(group)) == NULL) { - ECerror(ERR_R_EC_LIB); - goto err; - } - if (!(x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) - || !(y = BN_bin2bn(params + 4 * param_len, param_len, NULL))) { + if (BN_bin2bn(curve->p, curve->param_len, p) == NULL) { ECerror(ERR_R_BN_LIB); goto err; } - if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) { - ECerror(ERR_R_EC_LIB); - goto err; - } - if (!(order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) - || !BN_set_word(x, (BN_ULONG) data->cofactor)) { + if (BN_bin2bn(curve->a, 
curve->param_len, a) == NULL) { ECerror(ERR_R_BN_LIB); goto err; } - if (!EC_GROUP_set_generator(group, P, order, x)) { + if (BN_bin2bn(curve->b, curve->param_len, b) == NULL) { + ECerror(ERR_R_BN_LIB); + goto err; + } + if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) { ECerror(ERR_R_EC_LIB); goto err; } - if (seed_len) { - if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) { + EC_GROUP_set_curve_name(group, curve->nid); + + if ((generator = EC_POINT_new(group)) == NULL) { + ECerror(ERR_R_EC_LIB); + goto err; + } + if (BN_bin2bn(curve->x, curve->param_len, x) == NULL) { + ECerror(ERR_R_BN_LIB); + goto err; + } + if (BN_bin2bn(curve->y, curve->param_len, y) == NULL) { + ECerror(ERR_R_BN_LIB); + goto err; + } + if (!EC_POINT_set_affine_coordinates(group, generator, x, y, ctx)) { + ECerror(ERR_R_EC_LIB); + goto err; + } + if (BN_bin2bn(curve->order, curve->param_len, order) == NULL) { + ECerror(ERR_R_EC_LIB); + goto err; + } + if (!BN_set_word(cofactor, curve->cofactor)) { + ECerror(ERR_R_BN_LIB); + goto err; + } + if (!EC_GROUP_set_generator(group, generator, order, cofactor)) { + ECerror(ERR_R_EC_LIB); + goto err; + } + + if (curve->seed != NULL) { + if (!EC_GROUP_set_seed(group, curve->seed, curve->seed_len)) { ECerror(ERR_R_EC_LIB); goto err; } } - ok = 1; + + ret = group; + group = NULL; + err: - if (!ok) { - EC_GROUP_free(group); - group = NULL; - } - EC_POINT_free(P); + EC_GROUP_free(group); + EC_POINT_free(generator); + BN_CTX_end(ctx); BN_CTX_free(ctx); - BN_free(p); - BN_free(a); - BN_free(b); - BN_free(order); - BN_free(x); - BN_free(y); - return group; + + return ret; } EC_GROUP * EC_GROUP_new_by_curve_name(int nid) { size_t i; - EC_GROUP *ret = NULL; if (nid <= 0) return NULL; - for (i = 0; i < curve_list_length; i++) - if (curve_list[i].nid == nid) { - ret = ec_group_new_from_data(curve_list[i]); - break; - } - if (ret == NULL) { - ECerror(EC_R_UNKNOWN_GROUP); - return NULL; + for (i = 0; i < CURVE_LIST_LENGTH; i++) { + if 
(curve_list[i].nid == nid) + return ec_group_new_from_data(&curve_list[i]); } - EC_GROUP_set_curve_name(ret, nid); - return ret; + ECerror(EC_R_UNKNOWN_GROUP); + return NULL; } -size_t -EC_get_builtin_curves(EC_builtin_curve * r, size_t nitems) +size_t +EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems) { size_t i, min; if (r == NULL || nitems == 0) - return curve_list_length; + return CURVE_LIST_LENGTH; - min = nitems < curve_list_length ? nitems : curve_list_length; + min = nitems < CURVE_LIST_LENGTH ? nitems : CURVE_LIST_LENGTH; for (i = 0; i < min; i++) { r[i].nid = curve_list[i].nid; r[i].comment = curve_list[i].comment; } - return curve_list_length; + return CURVE_LIST_LENGTH; } -/* - * Functions to translate between common NIST curve names and NIDs. - */ - -typedef struct { - const char *name; /* NIST Name of curve */ - int nid; /* Curve NID */ -} EC_NIST_NAME; - -static EC_NIST_NAME nist_curves[] = { +static const struct { + const char *name; + int nid; +} nist_curves[] = { { "B-163", NID_sect163r2 }, { "B-233", NID_sect233r1 }, { "B-283", NID_sect283r1 }, @@ -3482,11 +3167,12 @@ EC_curve_nid2nist(int nid) { size_t i; - for (i = 0; i < sizeof(nist_curves) / sizeof(EC_NIST_NAME); i++) { + for (i = 0; i < sizeof(nist_curves) / sizeof(nist_curves[0]); i++) { if (nist_curves[i].nid == nid) - return (nist_curves[i].name); + return nist_curves[i].name; } - return (NULL); + + return NULL; } int @@ -3494,9 +3180,10 @@ EC_curve_nist2nid(const char *name) { size_t i; - for (i = 0; i < sizeof(nist_curves) / sizeof(EC_NIST_NAME); i++) { - if (!strcmp(nist_curves[i].name, name)) - return (nist_curves[i].nid); + for (i = 0; i < sizeof(nist_curves) / sizeof(nist_curves[0]); i++) { + if (strcmp(nist_curves[i].name, name) == 0) + return nist_curves[i].nid; } - return (NID_undef); + + return NID_undef; } diff --git a/crypto/ec/ec_cvt.c b/crypto/ec/ec_cvt.c index 05c7dd1..90e7400 100644 --- a/crypto/ec/ec_cvt.c +++ b/crypto/ec/ec_cvt.c 
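Review bot: EC_curve_nist2nid still resolves the binary-field names (the `B-163`, `B-233`, `B-283` rows visible in the nist_curves context, and presumably the rest of that table) to NIDs such as NID_sect163r2, while the earlier hunk in this file drops every sect*/c2* entry from curve_list, so a caller that maps a NIST name and then calls EC_GROUP_new_by_curve_name now gets EC_R_UNKNOWN_GROUP instead of a group. Either prune those rows in the same change or document the asymmetry above the table with `/* Binary-field names are kept for nid<->name lookup only; their groups are no longer built. */`. The rewritten loop also still hands `name` straight to strcmp, so a NULL argument dereferences; `if (name == NULL) return NID_undef;` before the loop would mirror the `nid <= 0` guard EC_GROUP_new_by_curve_name has. EC_curve_nist2nid's signature is in the hunk header, outside the hunk.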
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_cvt.c,v 1.7 2021/04/20 17:04:13 tb Exp $ */
+/* $OpenBSD: ec_cvt.c,v 1.11 2023/04/25 19:53:30 tb Exp $ */
 /*
  * Originally written by Bodo Moeller for the OpenSSL project.
  */
@@ -72,96 +72,31 @@ #include #include -#include "ec_lcl.h" +#include "ec_local.h" + +static EC_GROUP * +ec_group_new_curve(const EC_METHOD *method, const BIGNUM *p, const BIGNUM *a, + const BIGNUM *b, BN_CTX *ctx) +{ + EC_GROUP *group; + + if ((group = EC_GROUP_new(method)) == NULL) + goto err; + + if (!EC_GROUP_set_curve(group, p, a, b, ctx)) + goto err; + + return group; + + err: + EC_GROUP_free(group); + + return NULL; +} EC_GROUP * EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { - const EC_METHOD *meth; - EC_GROUP *ret; - -#if defined(OPENSSL_BN_ASM_MONT) - /* - * This might appear controversial, but the fact is that generic - * prime method was observed to deliver better performance even - * for NIST primes on a range of platforms, e.g.: 60%-15% - * improvement on IA-64, ~25% on ARM, 30%-90% on P4, 20%-25% - * in 32-bit build and 35%--12% in 64-bit build on Core2... - * Coefficients are relative to optimized bn_nist.c for most - * intensive ECDSA verify and ECDH operations for 192- and 521- - * bit keys respectively. Choice of these boundary values is - * arguable, because the dependency of improvement coefficient - * from key length is not a "monotone" curve. For example while - * 571-bit result is 23% on ARM, 384-bit one is -1%. But it's - * generally faster, sometimes "respectfully" faster, sometimes - * "tolerably" slower... What effectively happens is that loop - * with bn_mul_add_words is put against bn_mul_mont, and the - * latter "wins" on short vectors. Correct solution should be - * implementing dedicated NxN multiplication subroutines for - * small N. But till it materializes, let's stick to generic - * prime method... 
- * - */ - meth = EC_GFp_mont_method(); -#else - meth = EC_GFp_nist_method(); -#endif - - ret = EC_GROUP_new(meth); - if (ret == NULL) - return NULL; - - if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) { - unsigned long err; - - err = ERR_peek_last_error(); - - if (!(ERR_GET_LIB(err) == ERR_LIB_EC && - ((ERR_GET_REASON(err) == EC_R_NOT_A_NIST_PRIME) || - (ERR_GET_REASON(err) == EC_R_NOT_A_SUPPORTED_NIST_PRIME)))) { - /* real error */ - - EC_GROUP_clear_free(ret); - return NULL; - } - /* not an actual error, we just cannot use EC_GFp_nist_method */ - - ERR_clear_error(); - - EC_GROUP_clear_free(ret); - meth = EC_GFp_mont_method(); - - ret = EC_GROUP_new(meth); - if (ret == NULL) - return NULL; - - if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) { - EC_GROUP_clear_free(ret); - return NULL; - } - } - return ret; + return ec_group_new_curve(EC_GFp_mont_method(), p, a, b, ctx); } - -#ifndef OPENSSL_NO_EC2M -EC_GROUP * -EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, - BN_CTX *ctx) -{ - const EC_METHOD *meth; - EC_GROUP *ret; - - meth = EC_GF2m_simple_method(); - - ret = EC_GROUP_new(meth); - if (ret == NULL) - return NULL; - - if (!EC_GROUP_set_curve(ret, p, a, b, ctx)) { - EC_GROUP_clear_free(ret); - return NULL; - } - return ret; -} -#endif diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c index 95c15a1..be6a284 100644 --- a/crypto/ec/ec_err.c +++ b/crypto/ec/ec_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_err.c,v 1.12 2019/09/29 10:09:09 tb Exp $ */ +/* $OpenBSD: ec_err.c,v 1.15 2022/11/19 07:00:57 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include 
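Review bot: ec_group_new_curve carries no comment, and with the GF2m constructor and the NIST-method fallback removed in this hunk it is now the single construction path, so its contract deserves one line: `/* Allocate a group for method, set the curve p/a/b; NULL on failure with the error left by EC_GROUP_new()/EC_GROUP_set_curve(). */`. The err label runs `EC_GROUP_free(group)` when EC_GROUP_new itself failed, i.e. with group == NULL; that is fine only if EC_GROUP_free tolerates NULL, which OpenSSL-derived free functions normally do but is not visible here. The removed code released a half-built group with EC_GROUP_clear_free while the helper uses EC_GROUP_free; if the two are equivalent in this tree a word to that effect in the comment would save the next reader the same question.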
@@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_EC,func,0) @@ -102,6 +96,8 @@ static ERR_STRING_DATA EC_str_reasons[] = {ERR_REASON(EC_R_INVALID_FIELD), "invalid field"}, {ERR_REASON(EC_R_INVALID_FORM), "invalid form"}, {ERR_REASON(EC_R_INVALID_GROUP_ORDER), "invalid group order"}, + {ERR_REASON(EC_R_INVALID_KEY), "invalid key"}, + {ERR_REASON(EC_R_INVALID_PEER_KEY), "invalid peer key"}, {ERR_REASON(EC_R_INVALID_PENTANOMIAL_BASIS), "invalid pentanomial basis"}, {ERR_REASON(EC_R_INVALID_PRIVATE_KEY), "invalid private key"}, {ERR_REASON(EC_R_INVALID_TRINOMIAL_BASIS), "invalid trinomial basis"}, @@ -135,7 +131,7 @@ static ERR_STRING_DATA EC_str_reasons[] = #endif -void +void ERR_load_EC_strings(void) { #ifndef OPENSSL_NO_ERR diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index 27b8f26..2f9f05c 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_key.c,v 1.26 2021/04/20 17:23:37 tb Exp $ */ +/* $OpenBSD: ec_key.c,v 1.32 2023/03/27 10:25:02 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -70,8 +70,8 @@ #endif #include -#include "bn_lcl.h" -#include "ec_lcl.h" +#include "bn_local.h" +#include "ec_local.h" EC_KEY * EC_KEY_new(void) @@ -98,8 +98,8 @@ EC_KEY_new_by_curve_name(int nid) return ret; } -void -EC_KEY_free(EC_KEY * r) +void +EC_KEY_free(EC_KEY *r) { int i; @@ -120,7 +120,7 @@ EC_KEY_free(EC_KEY * r) EC_GROUP_free(r->group); EC_POINT_free(r->pub_key); - BN_clear_free(r->priv_key); + BN_free(r->priv_key); EC_EX_DATA_free_all_data(&r->method_data); @@ -128,7 +128,7 @@ EC_KEY_free(EC_KEY * r) } EC_KEY * -EC_KEY_copy(EC_KEY * dest, const EC_KEY * src) +EC_KEY_copy(EC_KEY *dest, const EC_KEY *src) { EC_EXTRA_DATA *d; 
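Review bot: The two added entries in EC_str_reasons reference EC_R_INVALID_KEY and EC_R_INVALID_PEER_KEY, whose numeric definitions are not in this chunk; the table only compiles if the matching `#define` lines in the public ec.h header land in the same change, and their values must not collide with existing EC_R_* numbers because ERR_REASON() keys the lookup on the value. Since the hunk above removed the "auto generated by the mkerr.pl script" note, this table is now hand-maintained, so a short comment above EC_str_reasons such as `/* Hand-maintained: keep sorted by reason name, values live in the public ec.h. */` would help keep table and header in step.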
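Review bot: Replacing BN_clear_free with BN_free on r->priv_key in EC_KEY_free removes the explicit zeroization of the private scalar at the point a reader would look for it; the change is only safe if BN_free in this tree wipes the limbs before releasing them (LibreSSL's does, as far as I know, but nothing in the hunk says so). A trailing comment, `BN_free(r->priv_key); /* BN_free() zeroizes; BN_clear_free() not needed */`, would record that dependency so a later change to BN_free cannot silently leave key material in freed memory. The ossl_ec_key_gen hunk further down makes the same substitution when it frees the old eckey->priv_key before installing the new one, and relies on the same property.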
@@ -172,7 +172,7 @@ EC_KEY_copy(EC_KEY * dest, const EC_KEY * src) if (dest->priv_key == NULL) return NULL; } - if (!BN_copy(dest->priv_key, src->priv_key)) + if (!bn_copy(dest->priv_key, src->priv_key)) return NULL; } /* copy method/extra data */ @@ -215,7 +215,7 @@ EC_KEY_copy(EC_KEY * dest, const EC_KEY * src) } EC_KEY * -EC_KEY_dup(const EC_KEY * ec_key) +EC_KEY_dup(const EC_KEY *ec_key) { EC_KEY *ret; @@ -228,8 +228,8 @@ EC_KEY_dup(const EC_KEY * ec_key) return ret; } -int -EC_KEY_up_ref(EC_KEY * r) +int +EC_KEY_up_ref(EC_KEY *r) { int i = CRYPTO_add(&r->references, 1, CRYPTO_LOCK_EC); return ((i > 1) ? 1 : 0); 
@@ -259,84 +259,93 @@ EC_KEY_generate_key(EC_KEY *eckey) int ossl_ec_key_gen(EC_KEY *eckey) { - int ok = 0; BN_CTX *ctx = NULL; - BIGNUM *priv_key = NULL, *order = NULL; + BIGNUM *priv_key = NULL; EC_POINT *pub_key = NULL; + BIGNUM *order; + int ret = 0; - if (!eckey || !eckey->group) { + if (eckey == NULL || eckey->group == NULL) { ECerror(ERR_R_PASSED_NULL_PARAMETER); - return 0; + goto err; } - if ((order = BN_new()) == NULL) + if ((priv_key = BN_new()) == NULL) goto err; + if ((pub_key = EC_POINT_new(eckey->group)) == NULL) + goto err; + if ((ctx = BN_CTX_new()) == NULL) goto err; - if ((priv_key = eckey->priv_key) == NULL) { - if ((priv_key = BN_new()) == NULL) - goto err; - } + BN_CTX_start(ctx); + + if ((order = BN_CTX_get(ctx)) == NULL) + goto err; if (!EC_GROUP_get_order(eckey->group, order, ctx)) goto err; - if (!bn_rand_interval(priv_key, BN_value_one(), order)) goto err; - - if ((pub_key = eckey->pub_key) == NULL) { - if ((pub_key = EC_POINT_new(eckey->group)) == NULL) - goto err; - } - if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx)) goto err; + BN_free(eckey->priv_key); eckey->priv_key = priv_key; - eckey->pub_key = pub_key; + priv_key = NULL; - ok = 1; + EC_POINT_free(eckey->pub_key); + eckey->pub_key = pub_key; + pub_key = NULL; + + ret = 1; err: - BN_free(order); - if (eckey->pub_key == NULL) - EC_POINT_free(pub_key); - if (eckey->priv_key == NULL) - BN_free(priv_key); + EC_POINT_free(pub_key); + BN_free(priv_key); + BN_CTX_end(ctx); BN_CTX_free(ctx); - return (ok); + + return ret; } -int -EC_KEY_check_key(const EC_KEY * eckey) +int +EC_KEY_check_key(const EC_KEY *eckey) { - int ok = 0; BN_CTX *ctx = NULL; - const BIGNUM *order = NULL; EC_POINT *point = NULL; + BIGNUM *order; + int ret = 0; - if (!eckey || !eckey->group || !eckey->pub_key) { + if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) { ECerror(ERR_R_PASSED_NULL_PARAMETER); - return 0; + goto err; } + if (EC_POINT_is_at_infinity(eckey->group, 
eckey->pub_key) > 0) { ECerror(EC_R_POINT_AT_INFINITY); goto err; } + if ((ctx = BN_CTX_new()) == NULL) goto err; + + BN_CTX_start(ctx); + + if ((order = BN_CTX_get(ctx)) == NULL) + goto err; + if ((point = EC_POINT_new(eckey->group)) == NULL) goto err; - /* testing whether the pub_key is on the elliptic curve */ + /* Ensure public key is on the elliptic curve. */ if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) { ECerror(EC_R_POINT_IS_NOT_ON_CURVE); goto err; } - /* testing whether pub_key * order is the point at infinity */ - order = &eckey->group->order; - if (BN_is_zero(order)) { + + /* Ensure public key multiplied by the order is the point at infinity. */ + if (!EC_GROUP_get_order(eckey->group, order, ctx)) { ECerror(EC_R_INVALID_GROUP_ORDER); goto err; } 
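Review bot: In `ossl_ec_key_gen` the `ERR_R_PASSED_NULL_PARAMETER` branch now jumps to `err` before `ctx` is created, so the cleanup runs `BN_CTX_end(ctx)` with `ctx == NULL`; the same early `goto err` is introduced in `EC_KEY_check_key` here and in `EC_KEY_set_public_key_affine_coordinates` in the following hunk. That is only safe if `BN_CTX_end` tolerates a NULL context, which is not visible on this page. If it does not, keep the original `return 0;` in the NULL-parameter branch, or guard the cleanup with `if (ctx != NULL) BN_CTX_end(ctx);`. The body of `EC_KEY_check_key` and its `err` label continue in the next hunk.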
@@ -348,94 +357,100 @@ EC_KEY_check_key(const EC_KEY * eckey) ECerror(EC_R_WRONG_ORDER); goto err; } + /* - * in case the priv_key is present : check if generator * priv_key == - * pub_key + * If the private key is present, ensure that the private key multiplied + * by the generator matches the public key. */ - if (eckey->priv_key) { + if (eckey->priv_key != NULL) { if (BN_cmp(eckey->priv_key, order) >= 0) { ECerror(EC_R_WRONG_ORDER); goto err; } - if (!EC_POINT_mul(eckey->group, point, eckey->priv_key, - NULL, NULL, ctx)) { + if (!EC_POINT_mul(eckey->group, point, eckey->priv_key, NULL, + NULL, ctx)) { ECerror(ERR_R_EC_LIB); goto err; } if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, - ctx) != 0) { + ctx) != 0) { ECerror(EC_R_INVALID_PRIVATE_KEY); goto err; } } - ok = 1; + + ret = 1; + err: + BN_CTX_end(ctx); BN_CTX_free(ctx); EC_POINT_free(point); - return (ok); + + return ret; } -int -EC_KEY_set_public_key_affine_coordinates(EC_KEY * key, BIGNUM * x, BIGNUM * y) +int +EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y) { BN_CTX *ctx = NULL; - BIGNUM *tx, *ty; EC_POINT *point = NULL; - int ok = 0; + BIGNUM *tx, *ty; + int ret = 0; - if (!key || !key->group || !x || !y) { + if (key == NULL || key->group == NULL || x == NULL || y == NULL) { ECerror(ERR_R_PASSED_NULL_PARAMETER); - return 0; + goto err; } - ctx = BN_CTX_new(); - if (!ctx) + + if ((ctx = BN_CTX_new()) == NULL) goto err; - point = EC_POINT_new(key->group); - - if (!point) - goto err; + BN_CTX_start(ctx); if ((tx = BN_CTX_get(ctx)) == NULL) goto err; if ((ty = BN_CTX_get(ctx)) == NULL) goto err; + if ((point = EC_POINT_new(key->group)) == NULL) + goto err; + if (!EC_POINT_set_affine_coordinates(key->group, point, x, y, ctx)) goto err; if (!EC_POINT_get_affine_coordinates(key->group, point, tx, ty, ctx)) goto err; + /* * Check if retrieved coordinates match originals: if not values are * out of range. 
*/ - if (BN_cmp(x, tx) || BN_cmp(y, ty)) { + if (BN_cmp(x, tx) != 0 || BN_cmp(y, ty) != 0) { ECerror(EC_R_COORDINATES_OUT_OF_RANGE); goto err; } if (!EC_KEY_set_public_key(key, point)) goto err; - if (EC_KEY_check_key(key) == 0) goto err; - ok = 1; + ret = 1; err: + BN_CTX_end(ctx); BN_CTX_free(ctx); EC_POINT_free(point); - return ok; + return ret; } const EC_GROUP * -EC_KEY_get0_group(const EC_KEY * key) +EC_KEY_get0_group(const EC_KEY *key) { return key->group; } -int -EC_KEY_set_group(EC_KEY * key, const EC_GROUP * group) +int +EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group) { if (key->meth->set_group != NULL && key->meth->set_group(key, group) == 0) 
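Review bot: The private-key range check in `EC_KEY_check_key` still tests only `BN_cmp(eckey->priv_key, order) >= 0`, so a negative scalar passes the upper bound and is handed to `EC_POINT_mul`, and a zero scalar is rejected only indirectly when the resulting point at infinity fails the later `EC_POINT_cmp`. Rejecting both explicitly makes the key contract clear and keeps the error path independent of how `EC_POINT_mul` treats a negative input: `if (BN_is_negative(eckey->priv_key) || BN_is_zero(eckey->priv_key) || BN_cmp(eckey->priv_key, order) >= 0) {` followed by the existing `ECerror(EC_R_WRONG_ORDER); goto err;`. The enclosing function begins in the previous hunk.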
@@ -446,59 +461,65 @@ EC_KEY_set_group(EC_KEY * key, const EC_GROUP * group) } const BIGNUM * -EC_KEY_get0_private_key(const EC_KEY * key) +EC_KEY_get0_private_key(const EC_KEY *key) { return key->priv_key; } -int -EC_KEY_set_private_key(EC_KEY * key, const BIGNUM * priv_key) +int +EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key) { if (key->meth->set_private != NULL && key->meth->set_private(key, priv_key) == 0) return 0; - BN_clear_free(key->priv_key); - key->priv_key = BN_dup(priv_key); - return (key->priv_key == NULL) ? 0 : 1; + + BN_free(key->priv_key); + if ((key->priv_key = BN_dup(priv_key)) == NULL) + return 0; + + return 1; } const EC_POINT * -EC_KEY_get0_public_key(const EC_KEY * key) +EC_KEY_get0_public_key(const EC_KEY *key) { return key->pub_key; } -int -EC_KEY_set_public_key(EC_KEY * key, const EC_POINT * pub_key) +int +EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub_key) { if (key->meth->set_public != NULL && key->meth->set_public(key, pub_key) == 0) return 0; + EC_POINT_free(key->pub_key); - key->pub_key = EC_POINT_dup(pub_key, key->group); - return (key->pub_key == NULL) ? 0 : 1; + if ((key->pub_key = EC_POINT_dup(pub_key, key->group)) == NULL) + return 0; + + return 1; } -unsigned int -EC_KEY_get_enc_flags(const EC_KEY * key) +unsigned int +EC_KEY_get_enc_flags(const EC_KEY *key) { return key->enc_flag; } -void -EC_KEY_set_enc_flags(EC_KEY * key, unsigned int flags) +void +EC_KEY_set_enc_flags(EC_KEY *key, unsigned int flags) { key->enc_flag = flags; } -point_conversion_form_t -EC_KEY_get_conv_form(const EC_KEY * key) +point_conversion_form_t +EC_KEY_get_conv_form(const EC_KEY *key) { return key->conv_form; } -void -EC_KEY_set_conv_form(EC_KEY * key, point_conversion_form_t cform) +void +EC_KEY_set_conv_form(EC_KEY *key, point_conversion_form_t cform) { key->conv_form = cform; if (key->group != NULL) 
@@ -521,7 +542,7 @@ EC_KEY_get_key_method_data(EC_KEY *key, } void * -EC_KEY_insert_key_method_data(EC_KEY * key, void *data, +EC_KEY_insert_key_method_data(EC_KEY *key, void *data, void *(*dup_func) (void *), void (*free_func) (void *), void (*clear_free_func) (void *)) @@ -537,35 +558,35 @@ EC_KEY_insert_key_method_data(EC_KEY * key, void *data, return ex_data; } -void -EC_KEY_set_asn1_flag(EC_KEY * key, int flag) +void +EC_KEY_set_asn1_flag(EC_KEY *key, int flag) { if (key->group != NULL) EC_GROUP_set_asn1_flag(key->group, flag); } -int -EC_KEY_precompute_mult(EC_KEY * key, BN_CTX * ctx) +int +EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx) { if (key->group == NULL) return 0; return EC_GROUP_precompute_mult(key->group, ctx); } -int -EC_KEY_get_flags(const EC_KEY * key) +int +EC_KEY_get_flags(const EC_KEY *key) { return key->flags; } -void -EC_KEY_set_flags(EC_KEY * key, int flags) +void +EC_KEY_set_flags(EC_KEY *key, int flags) { key->flags |= flags; } -void -EC_KEY_clear_flags(EC_KEY * key, int flags) +void +EC_KEY_clear_flags(EC_KEY *key, int flags) { key->flags &= ~flags; } diff --git a/crypto/ec/ec_kmeth.c b/crypto/ec/ec_kmeth.c index 4203dff..56fb437 100644 --- a/crypto/ec/ec_kmeth.c +++ b/crypto/ec/ec_kmeth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_kmeth.c,v 1.6 2021/12/04 16:08:32 tb Exp $ */ +/* $OpenBSD: ec_kmeth.c,v 1.7 2022/11/26 16:08:52 tb Exp $ */ /* * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. @@ -58,9 +58,9 @@ #endif #include -#include "bn_lcl.h" -#include "ec_lcl.h" -#include "ecs_locl.h" +#include "bn_local.h" +#include "ec_local.h" +#include "ecs_local.h" static const EC_KEY_METHOD openssl_ec_key_method = { .name = "OpenSSL EC_KEY method", diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 4ec17d5..308a0f0 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ec_lib.c,v 1.45 2022/04/07 17:37:25 tb Exp $ */ +/* $OpenBSD: ec_lib.c,v 1.57 2023/05/04 13:51:59 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ @@ -68,13 +68,13 @@ #include #include -#include "bn_lcl.h" -#include "ec_lcl.h" +#include "bn_local.h" +#include "ec_local.h" /* functions for EC_GROUP objects */ EC_GROUP * -EC_GROUP_new(const EC_METHOD * meth) +EC_GROUP_new(const EC_METHOD *meth) { EC_GROUP *ret; @@ -82,7 +82,7 @@ EC_GROUP_new(const EC_METHOD * meth) ECerror(EC_R_SLOT_FULL); return NULL; } - if (meth->group_init == 0) { + if (meth->group_init == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return NULL; } 
@@ -115,54 +115,36 @@ EC_GROUP_new(const EC_METHOD * meth) void -EC_GROUP_free(EC_GROUP * group) +EC_GROUP_free(EC_GROUP *group) { - if (!group) + if (group == NULL) return; - if (group->meth->group_finish != 0) + if (group->meth->group_finish != NULL) group->meth->group_finish(group); - EC_EX_DATA_free_all_data(&group->extra_data); + EC_EX_DATA_clear_free_all_data(&group->extra_data); EC_POINT_free(group->generator); BN_free(&group->order); BN_free(&group->cofactor); - free(group->seed); - - free(group); -} - - -void -EC_GROUP_clear_free(EC_GROUP * group) -{ - if (!group) - return; - - if (group->meth->group_clear_finish != 0) - group->meth->group_clear_finish(group); - else if (group->meth->group_finish != 0) - group->meth->group_finish(group); - - EC_EX_DATA_clear_free_all_data(&group->extra_data); - - EC_POINT_clear_free(group->generator); - BN_clear_free(&group->order); - BN_clear_free(&group->cofactor); - freezero(group->seed, group->seed_len); freezero(group, sizeof *group); } +void +EC_GROUP_clear_free(EC_GROUP *group) +{ + EC_GROUP_free(group); +} int -EC_GROUP_copy(EC_GROUP * dest, const EC_GROUP * src) +EC_GROUP_copy(EC_GROUP *dest, const EC_GROUP *src) { EC_EXTRA_DATA *d; - if (dest->meth->group_copy == 0) { + if (dest->meth->group_copy == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } @@ -195,13 +177,13 @@ EC_GROUP_copy(EC_GROUP * dest, const EC_GROUP * src) return 0; } else { /* src->generator == NULL */ - EC_POINT_clear_free(dest->generator); + EC_POINT_free(dest->generator); dest->generator = NULL; } - if (!BN_copy(&dest->order, &src->order)) + if (!bn_copy(&dest->order, &src->order)) return 0; - if (!BN_copy(&dest->cofactor, &src->cofactor)) + if (!bn_copy(&dest->cofactor, &src->cofactor)) return 0; dest->curve_name = src->curve_name; @@ -227,7 +209,7 @@ EC_GROUP_copy(EC_GROUP * dest, const EC_GROUP * src) EC_GROUP * -EC_GROUP_dup(const EC_GROUP * a) +EC_GROUP_dup(const EC_GROUP *a) { EC_GROUP *t = NULL; 
@@ -297,7 +279,7 @@ ec_guess_cofactor(EC_GROUP *group) if (!BN_set_bit(q, BN_num_bits(&group->field) - 1)) goto err; } else { - if (!BN_copy(q, &group->field)) + if (!bn_copy(q, &group->field)) goto err; } @@ -375,12 +357,12 @@ EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, if (!EC_POINT_copy(group->generator, generator)) return 0; - if (!BN_copy(&group->order, order)) + if (!bn_copy(&group->order, order)) return 0; /* Either take the provided positive cofactor, or try to compute it. */ if (cofactor != NULL && !BN_is_zero(cofactor)) { - if (!BN_copy(&group->cofactor, cofactor)) + if (!bn_copy(&group->cofactor, cofactor)) return 0; } else if (!ec_guess_cofactor(group)) return 0; @@ -405,7 +387,7 @@ EC_GROUP_get0_generator(const EC_GROUP *group) int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx) { - if (!BN_copy(order, &group->order)) + if (!bn_copy(order, &group->order)) return 0; return !BN_is_zero(order); @@ -420,7 +402,7 @@ EC_GROUP_order_bits(const EC_GROUP *group) int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx) { - if (!BN_copy(cofactor, &group->cofactor)) + if (!bn_copy(cofactor, &group->cofactor)) return 0; return !BN_is_zero(&group->cofactor); 
@@ -428,35 +410,35 @@ EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx)
 void
-EC_GROUP_set_curve_name(EC_GROUP * group, int nid)
+EC_GROUP_set_curve_name(EC_GROUP *group, int nid)
 {
 group->curve_name = nid;
 }
 int
-EC_GROUP_get_curve_name(const EC_GROUP * group)
+EC_GROUP_get_curve_name(const EC_GROUP *group)
 {
 return group->curve_name;
 }
 void
-EC_GROUP_set_asn1_flag(EC_GROUP * group, int flag)
+EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag)
 {
 group->asn1_flag = flag;
 }
 int
-EC_GROUP_get_asn1_flag(const EC_GROUP * group)
+EC_GROUP_get_asn1_flag(const EC_GROUP *group)
 {
 return group->asn1_flag;
 }
 void
-EC_GROUP_set_point_conversion_form(EC_GROUP * group,
+EC_GROUP_set_point_conversion_form(EC_GROUP *group,
 point_conversion_form_t form)
 {
 group->asn1_form = form;
@@ -464,14 +446,14 @@ EC_GROUP_set_point_conversion_form(EC_GROUP * group,
 point_conversion_form_t
-EC_GROUP_get_point_conversion_form(const EC_GROUP * group)
+EC_GROUP_get_point_conversion_form(const EC_GROUP *group)
 {
 return group->asn1_form;
 }
 size_t
-EC_GROUP_set_seed(EC_GROUP * group, const unsigned char *p, size_t len)
+EC_GROUP_set_seed(EC_GROUP *group, const unsigned char *p, size_t len)
 {
 if (group->seed) {
 free(group->seed);
@@ -491,38 +473,66 @@ EC_GROUP_set_seed(EC_GROUP * group, const unsigned char *p, size_t len) unsigned char * -EC_GROUP_get0_seed(const EC_GROUP * group) +EC_GROUP_get0_seed(const EC_GROUP *group) { return group->seed; } size_t -EC_GROUP_get_seed_len(const EC_GROUP * group) +EC_GROUP_get_seed_len(const EC_GROUP *group) { return group->seed_len; } int EC_GROUP_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, - const BIGNUM *b, BN_CTX *ctx) + const BIGNUM *b, BN_CTX *ctx_in) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + if (group->meth->group_set_curve == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } - return group->meth->group_set_curve(group, p, a, b, ctx); + ret = group->meth->group_set_curve(group, p, a, b, ctx); + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, - BN_CTX *ctx) + BN_CTX *ctx_in) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + if (group->meth->group_get_curve == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } - return group->meth->group_get_curve(group, p, a, b, ctx); + ret = group->meth->group_get_curve(group, p, a, b, ctx); + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } int 
@@ -539,26 +549,10 @@ EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, return EC_GROUP_get_curve(group, p, a, b, ctx); } -#ifndef OPENSSL_NO_EC2M int -EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, - const BIGNUM *b, BN_CTX *ctx) +EC_GROUP_get_degree(const EC_GROUP *group) { - return EC_GROUP_set_curve(group, p, a, b, ctx); -} - -int -EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, - BIGNUM *b, BN_CTX *ctx) -{ - return EC_GROUP_get_curve(group, p, a, b, ctx); -} -#endif - -int -EC_GROUP_get_degree(const EC_GROUP * group) -{ - if (group->meth->group_get_degree == 0) { + if (group->meth->group_get_degree == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } @@ -567,18 +561,32 @@ EC_GROUP_get_degree(const EC_GROUP * group) int -EC_GROUP_check_discriminant(const EC_GROUP * group, BN_CTX * ctx) +EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx_in) { - if (group->meth->group_check_discriminant == 0) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + if (group->meth->group_check_discriminant == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } - return group->meth->group_check_discriminant(group, ctx); + ret = group->meth->group_check_discriminant(group, ctx); + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } int -EC_GROUP_cmp(const EC_GROUP * a, const EC_GROUP * b, BN_CTX * ctx) +EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx) { int r = 0; BIGNUM *a1, *a2, *a3, *b1, *b2, *b3; @@ -710,7 +718,7 @@ EC_EX_DATA_set_data(EC_EXTRA_DATA ** ex_data, void *data, /* this has 'package' visibility */ void * -EC_EX_DATA_get_data(const EC_EXTRA_DATA * ex_data, +EC_EX_DATA_get_data(const EC_EXTRA_DATA *ex_data, void *(*dup_func) (void *), void (*free_func) (void *), void (*clear_free_func) (void *)) 
@@ -821,11 +829,8 @@ EC_EX_DATA_clear_free_all_data(EC_EXTRA_DATA ** ex_data) *ex_data = NULL; } - -/* functions for EC_POINT objects */ - EC_POINT * -EC_POINT_new(const EC_GROUP * group) +EC_POINT_new(const EC_GROUP *group) { EC_POINT *ret; @@ -833,7 +838,7 @@ EC_POINT_new(const EC_GROUP * group) ECerror(ERR_R_PASSED_NULL_PARAMETER); return NULL; } - if (group->meth->point_init == 0) { + if (group->meth->point_init == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return NULL; } @@ -851,37 +856,28 @@ EC_POINT_new(const EC_GROUP * group) return ret; } - void -EC_POINT_free(EC_POINT * point) +EC_POINT_free(EC_POINT *point) { - if (!point) + if (point == NULL) return; - if (point->meth->point_finish != 0) + if (point->meth->point_finish != NULL) point->meth->point_finish(point); - free(point); -} - -void -EC_POINT_clear_free(EC_POINT * point) -{ - if (!point) - return; - - if (point->meth->point_clear_finish != 0) - point->meth->point_clear_finish(point); - else if (point->meth->point_finish != 0) - point->meth->point_finish(point); freezero(point, sizeof *point); } +void +EC_POINT_clear_free(EC_POINT *point) +{ + EC_POINT_free(point); +} int -EC_POINT_copy(EC_POINT * dest, const EC_POINT * src) +EC_POINT_copy(EC_POINT *dest, const EC_POINT *src) { - if (dest->meth->point_copy == 0) { + if (dest->meth->point_copy == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } @@ -894,9 +890,8 @@ EC_POINT_copy(EC_POINT * dest, const EC_POINT * src) return dest->meth->point_copy(dest, src); } - EC_POINT * -EC_POINT_dup(const EC_POINT * a, const EC_GROUP * group) +EC_POINT_dup(const EC_POINT *a, const EC_GROUP *group) { EC_POINT *t; int r; 
@@ -915,18 +910,16 @@ EC_POINT_dup(const EC_POINT * a, const EC_GROUP * group)
 return t;
 }
-
 const EC_METHOD *
-EC_POINT_method_of(const EC_POINT * point)
+EC_POINT_method_of(const EC_POINT *point)
 {
 return point->meth;
 }
-
 int
-EC_POINT_set_to_infinity(const EC_GROUP * group, EC_POINT * point)
+EC_POINT_set_to_infinity(const EC_GROUP *group, EC_POINT *point)
 {
- if (group->meth->point_set_to_infinity == 0) {
+ if (group->meth->point_set_to_infinity == NULL) {
 ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
 return 0;
 }
@@ -939,34 +932,70 @@ EC_POINT_set_to_infinity(const EC_GROUP * group, EC_POINT * point) int EC_POINT_set_Jprojective_coordinates(const EC_GROUP *group, EC_POINT *point, - const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx) + const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx_in) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + if (group->meth->point_set_Jprojective_coordinates == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } if (group->meth != point->meth) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; + goto err; } - return group->meth->point_set_Jprojective_coordinates(group, point, - x, y, z, ctx); + if (!group->meth->point_set_Jprojective_coordinates(group, point, + x, y, z, ctx)) + goto err; + + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { + ECerror(EC_R_POINT_IS_NOT_ON_CURVE); + goto err; + } + + ret = 1; + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } int EC_POINT_get_Jprojective_coordinates(const EC_GROUP *group, - const EC_POINT *point, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx) + const EC_POINT *point, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx_in) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + if (group->meth->point_get_Jprojective_coordinates == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } if (group->meth != point->meth) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; + goto err; } - return group->meth->point_get_Jprojective_coordinates(group, point, + ret = group->meth->point_get_Jprojective_coordinates(group, point, x, y, z, ctx); + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } int 
@@ -985,23 +1014,39 @@ EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, int EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point, - const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) + const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx_in) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + if (group->meth->point_set_affine_coordinates == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } if (group->meth != point->meth) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; + goto err; } if (!group->meth->point_set_affine_coordinates(group, point, x, y, ctx)) - return 0; + goto err; + if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { ECerror(EC_R_POINT_IS_NOT_ON_CURVE); - return 0; + goto err; } - return 1; + + ret = 1; + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } int 
@@ -1011,28 +1056,33 @@ EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, return EC_POINT_set_affine_coordinates(group, point, x, y, ctx); } -#ifndef OPENSSL_NO_EC2M -int -EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point, - const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) -{ - return EC_POINT_set_affine_coordinates(group, point, x, y, ctx); -} -#endif - int EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, - BIGNUM *x, BIGNUM *y, BN_CTX *ctx) + BIGNUM *x, BIGNUM *y, BN_CTX *ctx_in) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + if (group->meth->point_get_affine_coordinates == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } if (group->meth != point->meth) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; + goto err; } - return group->meth->point_get_affine_coordinates(group, point, x, y, ctx); + ret = group->meth->point_get_affine_coordinates(group, point, x, y, ctx); + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } int 
@@ -1042,65 +1092,97 @@ EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, const EC_POINT *point return EC_POINT_get_affine_coordinates(group, point, x, y, ctx); } -#ifndef OPENSSL_NO_EC2M -int -EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, const EC_POINT *point, - BIGNUM *x, BIGNUM *y, BN_CTX *ctx) -{ - return EC_POINT_get_affine_coordinates(group, point, x, y, ctx); -} -#endif - int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, - const EC_POINT *b, BN_CTX *ctx) + const EC_POINT *b, BN_CTX *ctx_in) { - if (group->meth->add == 0) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + if (group->meth->add == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } - if ((group->meth != r->meth) || (r->meth != a->meth) || (a->meth != b->meth)) { + if (group->meth != r->meth || group->meth != a->meth || + group->meth != b->meth) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; + goto err; } - return group->meth->add(group, r, a, b, ctx); + ret = group->meth->add(group, r, a, b, ctx); + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } - int -EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx) +EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, + BN_CTX *ctx_in) { - if (group->meth->dbl == 0) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + if (group->meth->dbl == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } - if ((group->meth != r->meth) || (r->meth != a->meth)) { + if (group->meth != r->meth || r->meth != a->meth) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; + goto err; } - return group->meth->dbl(group, r, a, ctx); + ret = group->meth->dbl(group, r, a, ctx); + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } - int -EC_POINT_invert(const EC_GROUP 
*group, EC_POINT *a, BN_CTX *ctx) +EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx_in) { - if (group->meth->invert == 0) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + if (group->meth->invert == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } if (group->meth != a->meth) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; + goto err; } - return group->meth->invert(group, a, ctx); -} + ret = group->meth->invert(group, a, ctx); + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; +} int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) { - if (group->meth->is_at_infinity == 0) { + if (group->meth->is_at_infinity == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); return 0; } 
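Review bot: The method-compatibility checks in this hunk are written two different ways: `EC_POINT_add` now compares every point against `group->meth`, while `EC_POINT_dbl` keeps the chained form `group->meth != r->meth || r->meth != a->meth`. The two are equivalent, but since the commit is already normalising these conditions it would read better to use one shape throughout, e.g. `if (group->meth != r->meth || group->meth != a->meth) {` in `EC_POINT_dbl`. The hunk's opening lines (the removal of the GF2m wrappers and the start of `EC_POINT_add`) are on the previous page line.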
@@ -1111,114 +1193,184 @@ EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) return group->meth->is_at_infinity(group, point); } - int -EC_POINT_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX * ctx) +EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, + BN_CTX *ctx_in) { - if (group->meth->is_on_curve == 0) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + if (group->meth->is_on_curve == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } if (group->meth != point->meth) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; + goto err; } - return group->meth->is_on_curve(group, point, ctx); -} + ret = group->meth->is_on_curve(group, point, ctx); + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; +} int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, - BN_CTX * ctx) + BN_CTX *ctx_in) { - if (group->meth->point_cmp == 0) { + BN_CTX *ctx; + int ret = -1; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + if (group->meth->point_cmp == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return -1; + goto err; } - if ((group->meth != a->meth) || (a->meth != b->meth)) { + if (group->meth != a->meth || a->meth != b->meth) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return -1; + goto err; } - return group->meth->point_cmp(group, a, b, ctx); + ret = group->meth->point_cmp(group, a, b, ctx); + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } - int -EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) +EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx_in) { - if (group->meth->make_affine == 0) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + if (group->meth->make_affine == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - 
return 0; + goto err; } if (group->meth != point->meth) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; + goto err; } - return group->meth->make_affine(group, point, ctx); -} + ret = group->meth->make_affine(group, point, ctx); + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; +} int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], - BN_CTX *ctx) + BN_CTX *ctx_in) { + BN_CTX *ctx; size_t i; + int ret = 0; - if (group->meth->points_make_affine == 0) { + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + if (group->meth->points_make_affine == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } for (i = 0; i < num; i++) { if (group->meth != points[i]->meth) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; + goto err; } } - return group->meth->points_make_affine(group, num, points, ctx); + ret = group->meth->points_make_affine(group, num, points, ctx); + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } - -/* Functions for point multiplication */ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, - size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) + size_t num, const EC_POINT *points[], const BIGNUM *scalars[], + BN_CTX *ctx_in) { - /* - * The function pointers must be set, and only support num == 0 and - * num == 1. - */ + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + /* Only num == 0 and num == 1 is supported. */ if (group->meth->mul_generator_ct == NULL || group->meth->mul_single_ct == NULL || group->meth->mul_double_nonct == NULL || num > 1) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } - /* Either bP or aG + bP, this is sane. 
*/ - if (num == 1 && points != NULL && scalars != NULL) - return EC_POINT_mul(group, r, scalar, points[0], scalars[0], - ctx); + if (num == 1 && points != NULL && scalars != NULL) { + /* Either bP or aG + bP, this is sane. */ + ret = EC_POINT_mul(group, r, scalar, points[0], scalars[0], ctx); + } else if (scalar != NULL && points == NULL && scalars == NULL) { + /* aG, this is sane */ + ret = EC_POINT_mul(group, r, scalar, NULL, NULL, ctx); + } else { + /* anything else is an error */ + ECerror(ERR_R_EC_LIB); + goto err; + } - /* aG, this is sane */ - if (scalar != NULL && points == NULL && scalars == NULL) - return EC_POINT_mul(group, r, scalar, NULL, NULL, ctx); + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); - /* anything else is an error */ - ECerror(ERR_R_EC_LIB); - return 0; + return ret; } int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, - const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx) + const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx_in) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + if (group->meth->mul_generator_ct == NULL || group->meth->mul_single_ct == NULL || group->meth->mul_double_nonct == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } + if (g_scalar != NULL && point == NULL && p_scalar == NULL) { /* * In this case we want to compute g_scalar * GeneratorPoint: 
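Review bot: `EC_POINT_is_on_curve` now starts with `ret = 0` and jumps to `err` on a failed `BN_CTX_new`, a missing method or incompatible objects, so an internal failure and "point is not on the curve" both come back as 0; `EC_POINT_cmp` in the same hunk initialises `ret = -1` precisely so callers can tell the two apart. The in-tree callers shown on this page test `<= 0`, so behaviour is unchanged for them, but if the public contract is meant to be 1/0/-1 as the `EC_POINT_cmp` convention suggests, `int ret = -1;` would be the consistent choice — worth confirming against the header documentation. `EC_POINT_mul`, started at the end of this hunk, continues in the next one.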
@@ -1228,52 +1380,69 @@ EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, * secret. This is why we ignore if BN_FLG_CONSTTIME is actually * set and we always call the constant time version. */ - return group->meth->mul_generator_ct(group, r, g_scalar, ctx); - } - if (g_scalar == NULL && point != NULL && p_scalar != NULL) { - /* In this case we want to compute p_scalar * GenericPoint: + ret = group->meth->mul_generator_ct(group, r, g_scalar, ctx); + } else if (g_scalar == NULL && point != NULL && p_scalar != NULL) { + /* + * In this case we want to compute p_scalar * GenericPoint: * this codepath is reached most prominently by the second half * of ECDH, where the secret scalar is multiplied by the peer's * public point. To protect the secret scalar, we ignore if * BN_FLG_CONSTTIME is actually set and we always call the * constant time version. */ - return group->meth->mul_single_ct(group, r, p_scalar, point, - ctx); - } - if (g_scalar != NULL && point != NULL && p_scalar != NULL) { + ret = group->meth->mul_single_ct(group, r, p_scalar, point, ctx); + } else if (g_scalar != NULL && point != NULL && p_scalar != NULL) { /* * In this case we want to compute * g_scalar * GeneratorPoint + p_scalar * GenericPoint: * this codepath is reached most prominently by ECDSA signature * verification. So we call the non-ct version. */ - return group->meth->mul_double_nonct(group, r, g_scalar, + ret = group->meth->mul_double_nonct(group, r, g_scalar, p_scalar, point, ctx); + } else { + /* Anything else is an error. */ + ECerror(ERR_R_EC_LIB); + goto err; } - /* Anything else is an error. 
*/ - ECerror(ERR_R_EC_LIB); - return 0; + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } int -EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx) +EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx_in) { - if (group->meth->precompute_mult != 0) - return group->meth->precompute_mult(group, ctx); - else - return 1; /* nothing to do, so report success */ + BN_CTX *ctx; + int ret = 0; + + if (group->meth->precompute_mult == NULL) + return 1; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + ret = group->meth->precompute_mult(group, ctx); + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } int -EC_GROUP_have_precompute_mult(const EC_GROUP * group) +EC_GROUP_have_precompute_mult(const EC_GROUP *group) { - if (group->meth->have_precompute_mult != 0) - return group->meth->have_precompute_mult(group); - else - return 0; /* cannot tell whether precomputation has - * been performed */ + if (group->meth->have_precompute_mult == NULL) + return 0; + + return group->meth->have_precompute_mult(group); } int @@ -1290,15 +1459,20 @@ ec_group_simple_order_bits(const EC_GROUP *group) EC_KEY * ECParameters_dup(EC_KEY *key) { - unsigned char *p = NULL; - EC_KEY *k = NULL; + const unsigned char *p; + unsigned char *der = NULL; + EC_KEY *dup = NULL; int len; if (key == NULL) - return (NULL); + return NULL; - if ((len = i2d_ECParameters(key, &p)) > 0) - k = d2i_ECParameters(NULL, (const unsigned char **)&p, len); + if ((len = i2d_ECParameters(key, &der)) <= 0) + return NULL; - return (k); + p = der; + dup = d2i_ECParameters(NULL, &p, len); + freezero(der, len); + + return dup; } diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_local.h similarity index 51% rename from crypto/ec/ec_lcl.h rename to crypto/ec/ec_local.h index 7a74699..6e79913 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_local.h 
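Review bot: EC_POINT_mul hands `r` and `point` to the method functions without checking that their `meth` matches `group->meth`; nothing in the visible body compares them, while EC_POINTs_make_affine and EC_POINT_set_compressed_coordinates in this same patch reject mismatched objects with EC_R_INCOMPATIBLE_OBJECTS. A point created for another group reaching mul_single_ct/mul_double_nonct would be interpreted with the wrong field arithmetic, so the same guard belongs here, before the first `g_scalar != NULL && point == NULL` dispatch: `if (group->meth != r->meth || (point != NULL && group->meth != point->meth)) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); goto err; }`. That dispatch and the function's opening lines are in the preceding hunk, outside this one.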
@@ -1,4 +1,4 @@ -/* $OpenBSD: ec_lcl.h,v 1.19 2021/12/04 16:08:32 tb Exp $ */ +/* $OpenBSD: ec_local.h,v 1.13 2023/04/27 07:10:05 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -58,25 +58,25 @@ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * - * Portions of the attached software ("Contribution") are developed by + * Portions of the attached software ("Contribution") are developed by * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. * * The Contribution is licensed pursuant to the OpenSSL open source * license provided above. * - * The elliptic curve binary polynomial software is originally written by + * The elliptic curve binary polynomial software is originally written by * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. * */ #include -#include +#include #include #include -#include +#include -#include "bn_lcl.h" +#include "bn_local.h" __BEGIN_HIDDEN_DECLS 
@@ -86,107 +86,93 @@ __BEGIN_HIDDEN_DECLS # endif #endif -#define bn_wexpand(a,words) (((words) <= (a)->dmax)?(a):bn_expand2((a),(words))) -BIGNUM *bn_expand2(BIGNUM *a, int words); - -/* Use default functions for poin2oct, oct2point and compressed coordinates */ -#define EC_FLAGS_DEFAULT_OCT 0x1 - -/* Structure details are not part of the exported interface, - * so all this may change in future versions. */ - struct ec_method_st { - /* Various method flags */ - int flags; - /* used by EC_METHOD_get_field_type: */ - int field_type; /* a NID */ + int field_type; - /* used by EC_GROUP_new, EC_GROUP_free, EC_GROUP_clear_free, EC_GROUP_copy: */ int (*group_init)(EC_GROUP *); void (*group_finish)(EC_GROUP *); - void (*group_clear_finish)(EC_GROUP *); int (*group_copy)(EC_GROUP *, const EC_GROUP *); - /* used by EC_GROUP_{get,set}_curve */ - int (*group_set_curve)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); - int (*group_get_curve)(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *); + int (*group_set_curve)(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, + const BIGNUM *b, BN_CTX *); + int (*group_get_curve)(const EC_GROUP *, BIGNUM *p, BIGNUM *a, + BIGNUM *b, BN_CTX *); - /* used by EC_GROUP_get_degree: */ int (*group_get_degree)(const EC_GROUP *); - /* used by EC_GROUP_order_bits: */ int (*group_order_bits)(const EC_GROUP *); - /* used by EC_GROUP_check: */ int (*group_check_discriminant)(const EC_GROUP *, BN_CTX *); - /* used by EC_POINT_new, EC_POINT_free, EC_POINT_clear_free, EC_POINT_copy: */ int (*point_init)(EC_POINT *); void (*point_finish)(EC_POINT *); - void (*point_clear_finish)(EC_POINT *); int (*point_copy)(EC_POINT *, const EC_POINT *); - /* - * used by EC_POINT_set_to_infinity, - * EC_POINT_set_Jprojective_coordinates, - * EC_POINT_get_Jprojective_coordinates, - * EC_POINT_set_affine_coordinates, - * EC_POINT_get_affine_coordinates, - * EC_POINT_set_compressed_coordinates: - */ int (*point_set_to_infinity)(const 
EC_GROUP *, EC_POINT *); int (*point_set_Jprojective_coordinates)(const EC_GROUP *, EC_POINT *, - const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *); - int (*point_get_Jprojective_coordinates)(const EC_GROUP *, const EC_POINT *, - BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *); + const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *); + int (*point_get_Jprojective_coordinates)(const EC_GROUP *, + const EC_POINT *, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *); int (*point_set_affine_coordinates)(const EC_GROUP *, EC_POINT *, - const BIGNUM *x, const BIGNUM *y, BN_CTX *); + const BIGNUM *x, const BIGNUM *y, BN_CTX *); int (*point_get_affine_coordinates)(const EC_GROUP *, const EC_POINT *, - BIGNUM *x, BIGNUM *y, BN_CTX *); + BIGNUM *x, BIGNUM *y, BN_CTX *); int (*point_set_compressed_coordinates)(const EC_GROUP *, EC_POINT *, - const BIGNUM *x, int y_bit, BN_CTX *); + const BIGNUM *x, int y_bit, BN_CTX *); - /* used by EC_POINT_point2oct, EC_POINT_oct2point: */ - size_t (*point2oct)(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form, - unsigned char *buf, size_t len, BN_CTX *); - int (*oct2point)(const EC_GROUP *, EC_POINT *, - const unsigned char *buf, size_t len, BN_CTX *); + size_t (*point2oct)(const EC_GROUP *, const EC_POINT *, + point_conversion_form_t form, unsigned char *buf, size_t len, + BN_CTX *); + int (*oct2point)(const EC_GROUP *, EC_POINT *, const unsigned char *buf, + size_t len, BN_CTX *); - /* used by EC_POINT_add, EC_POINT_dbl, ECP_POINT_invert: */ - int (*add)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *); + int (*add)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, + const EC_POINT *b, BN_CTX *); int (*dbl)(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *); int (*invert)(const EC_GROUP *, EC_POINT *, BN_CTX *); - /* used by EC_POINT_is_at_infinity, EC_POINT_is_on_curve, EC_POINT_cmp: */ int (*is_at_infinity)(const EC_GROUP *, const EC_POINT *); int (*is_on_curve)(const EC_GROUP 
*, const EC_POINT *, BN_CTX *); - int (*point_cmp)(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, BN_CTX *); + int (*point_cmp)(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, + BN_CTX *); - /* used by EC_POINT_make_affine, EC_POINTs_make_affine: */ int (*make_affine)(const EC_GROUP *, EC_POINT *, BN_CTX *); - int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *); + int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT *[], + BN_CTX *); - /* used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult, EC_POINT_have_precompute_mult */ - int (*mul_generator_ct)(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar, BN_CTX *); - int (*mul_single_ct)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, - const EC_POINT *point, BN_CTX *); - int (*mul_double_nonct)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, - const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *); + int (*mul_generator_ct)(const EC_GROUP *, EC_POINT *r, + const BIGNUM *scalar, BN_CTX *); + int (*mul_single_ct)(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, const EC_POINT *point, BN_CTX *); + int (*mul_double_nonct)(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *g_scalar, const BIGNUM *p_scalar, + const EC_POINT *point, BN_CTX *); int (*precompute_mult)(EC_GROUP *group, BN_CTX *); int (*have_precompute_mult)(const EC_GROUP *group); + /* + * Internal methods. + */ - /* internal functions */ + /* + * These can be used by 'add' and 'dbl' so that the same implementations + * of point operations can be used with different optimized versions of + * expensive field operations. 
+ */ + int (*field_mul)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + const BIGNUM *b, BN_CTX *); + int (*field_sqr)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + BN_CTX *); + int (*field_div)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + const BIGNUM *b, BN_CTX *); - /* 'field_mul', 'field_sqr', and 'field_div' can be used by 'add' and 'dbl' so that - * the same implementations of point operations can be used with different - * optimized implementations of expensive field operations: */ - int (*field_mul)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *); - int (*field_sqr)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); - int (*field_div)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *); + /* Encode to and decode from other forms (e.g. Montgomery). */ + int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + BN_CTX *); + int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, + BN_CTX *); - int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. to Montgomery */ - int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. from Montgomery */ int (*field_set_to_one)(const EC_GROUP *, BIGNUM *r, BN_CTX *); - int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); + int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, + BN_CTX *ctx); } /* EC_METHOD */; typedef struct ec_extra_data_st { 
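Review bot: Stripping the per-member comments from ec_method_st also removed the only place that said which scalar multiplication entry points are constant time; the `_ct`/`_nonct` suffixes now carry that contract alone. Since ec_lib.c in this same patch relies on the split to protect secret scalars (ECDH goes through mul_single_ct, verification through mul_double_nonct), I would state it on the struct, above `mul_generator_ct`: `/* mul_generator_ct and mul_single_ct must not leak the scalar through timing; mul_double_nonct may, and is only used with public inputs (e.g. ECDSA verification). */`. The struct definition lies entirely within the hunk.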
@@ -198,54 +184,67 @@ typedef struct ec_extra_data_st { } EC_EXTRA_DATA; /* used in EC_GROUP */ struct ec_group_st { + /* + * Methods and members exposed via the public API. + */ + const EC_METHOD *meth; - EC_POINT *generator; /* optional */ - BIGNUM order, cofactor; + EC_POINT *generator; /* Optional */ + BIGNUM order; + BIGNUM cofactor; - int curve_name;/* optional NID for named curve */ - int asn1_flag; /* flag to control the asn1 encoding */ + int curve_name; /* Optional NID for named curve. */ + + /* ASN.1 encoding controls. */ + int asn1_flag; point_conversion_form_t asn1_form; - unsigned char *seed; /* optional seed for parameters (appears in ASN1) */ + /* Optional seed for parameters (appears in ASN.1). */ + unsigned char *seed; size_t seed_len; - EC_EXTRA_DATA *extra_data; /* linked list */ + /* + * Internal methods and members. Handled by the method functions, even + * if they appear to be generic. + */ - /* The following members are handled by the method functions, - * even if they appear generic */ - - BIGNUM field; /* Field specification. - * For curves over GF(p), this is the modulus; - * for curves over GF(2^m), this is the - * irreducible polynomial defining the field. - */ + EC_EXTRA_DATA *extra_data; - int poly[6]; /* Field specification for curves over GF(2^m). - * The irreducible f(t) is then of the form: - * t^poly[0] + t^poly[1] + ... + t^poly[k] - * where m = poly[0] > poly[1] > ... > poly[k] = 0. - * The array is terminated with poly[k+1]=-1. - * All elliptic curve irreducibles have at most 5 - * non-zero terms. - */ + /* + * Field specification. For GF(p) this is the modulus; for GF(2^m), + * this is the irreducible polynomial defining the field. + */ + BIGNUM field; - BIGNUM a, b; /* Curve coefficients. - * (Here the assumption is that BIGNUMs can be used - * or abused for all kinds of fields, not just GF(p).) - * For characteristic > 3, the curve is defined - * by a Weierstrass equation of the form - * y^2 = x^3 + a*x + b. 
- * For characteristic 2, the curve is defined by - * an equation of the form - * y^2 + x*y = x^3 + a*x^2 + b. - */ + /* + * Field specification for GF(2^m). The irreducible polynomial is + * f(t) = t^poly[0] + t^poly[1] + ... + t^poly[k], + * where + * m = poly[0] > poly[1] > ... > poly[k] = 0, + * and the array is terminated with poly[k+1] = -1. All elliptic curve + * irreducibles have at most 5 non-zero terms. + */ + int poly[6]; - int a_is_minus3; /* enable optimized point arithmetics for special case */ + /* + * Curve coefficients. In characteristic > 3, the curve is defined by a + * Weierstrass equation of the form + * y^2 = x^3 + a*x + b. + * For characteristic 2, the curve is defined by an equation of the form + * y^2 + x*y = x^3 + a*x^2 + b. + */ + BIGNUM a, b; - void *field_data1; /* method-specific (e.g., Montgomery structure) */ - void *field_data2; /* method-specific */ - int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); /* method-specific */ + /* Enables optimized point arithmetics for special case. */ + int a_is_minus3; + + /* Montgomery context and values used by EC_GFp_mont_method. */ + BN_MONT_CTX *mont_ctx; + BIGNUM *mont_one; + + int (*field_mod_func)(BIGNUM *, const BIGNUM *, const BIGNUM *, + BN_CTX *); } /* EC_GROUP */; struct ec_key_st { @@ -262,7 +261,7 @@ struct ec_key_st { unsigned int enc_flag; point_conversion_form_t conv_form; - int references; + int references; int flags; EC_EXTRA_DATA *method_data; 
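Review bot: The typed `mont_ctx`/`mont_one` members replacing `field_data1`/`field_data2` are an improvement, but the new comment says only who uses them, not who owns them or what other methods should find there. Assuming ecp_mont.c allocates, duplicates and frees them from its group_init/group_copy/group_finish (not visible here), I would extend the comment to `/* Montgomery context and values used by EC_GFp_mont_method; owned by the group and managed by that method's init/copy/finish, NULL for other methods. */` so a later group_copy or finish implementation knows it must handle them.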
@@ -290,13 +289,18 @@ int ec_group_simple_order_bits(const EC_GROUP *group); struct ec_point_st { const EC_METHOD *meth; - /* All members except 'meth' are handled by the method functions, - * even if they appear generic */ + /* + * All members except 'meth' are handled by the method functions, + * even if they appear generic. + */ + /* + * Jacobian projective coordinates: (X, Y, Z) represents (X/Z^2, Y/Z^3) + * if Z != 0 + */ BIGNUM X; BIGNUM Y; - BIGNUM Z; /* Jacobian projective coordinates: - * (X, Y, Z) represents (X/Z^2, Y/Z^3) if Z != 0 */ + BIGNUM Z; int Z_is_one; /* enable optimized point arithmetics for special case */ } /* EC_POINT */; @@ -311,7 +315,6 @@ int ec_wNAF_have_precompute_mult(const EC_GROUP *group); /* method functions in ecp_smpl.c */ int ec_GFp_simple_group_init(EC_GROUP *); void ec_GFp_simple_group_finish(EC_GROUP *); -void ec_GFp_simple_group_clear_finish(EC_GROUP *); int ec_GFp_simple_group_copy(EC_GROUP *, const EC_GROUP *); int ec_GFp_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); int ec_GFp_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *); @@ -319,7 +322,6 @@ int ec_GFp_simple_group_get_degree(const EC_GROUP *); int ec_GFp_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *); int ec_GFp_simple_point_init(EC_POINT *); void ec_GFp_simple_point_finish(EC_POINT *); -void ec_GFp_simple_point_clear_finish(EC_POINT *); int ec_GFp_simple_point_copy(EC_POINT *, const EC_POINT *); int ec_GFp_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); int ec_GFp_simple_set_Jprojective_coordinates(const EC_GROUP *, EC_POINT *, 
@@ -353,100 +355,20 @@ int ec_GFp_simple_mul_single_ct(const EC_GROUP *, EC_POINT *r, const BIGNUM *sca int ec_GFp_simple_mul_double_nonct(const EC_GROUP *, EC_POINT *r, const BIGNUM *g_scalar, const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *); - -/* method functions in ecp_mont.c */ -int ec_GFp_mont_group_init(EC_GROUP *); -int ec_GFp_mont_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); -void ec_GFp_mont_group_finish(EC_GROUP *); -void ec_GFp_mont_group_clear_finish(EC_GROUP *); -int ec_GFp_mont_group_copy(EC_GROUP *, const EC_GROUP *); -int ec_GFp_mont_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *); -int ec_GFp_mont_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); -int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); -int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); -int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *); - int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); -/* method functions in ecp_nist.c */ -int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src); -int ec_GFp_nist_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); -int ec_GFp_nist_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *); -int ec_GFp_nist_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); - - -/* method functions in ec2_smpl.c */ -int ec_GF2m_simple_group_init(EC_GROUP *); -void ec_GF2m_simple_group_finish(EC_GROUP *); -void ec_GF2m_simple_group_clear_finish(EC_GROUP *); -int ec_GF2m_simple_group_copy(EC_GROUP *, const EC_GROUP *); -int ec_GF2m_simple_group_set_curve(EC_GROUP *, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *); -int ec_GF2m_simple_group_get_curve(const EC_GROUP *, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *); -int 
ec_GF2m_simple_group_get_degree(const EC_GROUP *); -int ec_GF2m_simple_group_check_discriminant(const EC_GROUP *, BN_CTX *); -int ec_GF2m_simple_point_init(EC_POINT *); -void ec_GF2m_simple_point_finish(EC_POINT *); -void ec_GF2m_simple_point_clear_finish(EC_POINT *); -int ec_GF2m_simple_point_copy(EC_POINT *, const EC_POINT *); -int ec_GF2m_simple_point_set_to_infinity(const EC_GROUP *, EC_POINT *); -int ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP *, EC_POINT *, - const BIGNUM *x, const BIGNUM *y, BN_CTX *); -int ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *, const EC_POINT *, - BIGNUM *x, BIGNUM *y, BN_CTX *); int ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *, EC_POINT *, const BIGNUM *x, int y_bit, BN_CTX *); size_t ec_GF2m_simple_point2oct(const EC_GROUP *, const EC_POINT *, point_conversion_form_t form, unsigned char *buf, size_t len, BN_CTX *); int ec_GF2m_simple_oct2point(const EC_GROUP *, EC_POINT *, const unsigned char *buf, size_t len, BN_CTX *); -int ec_GF2m_simple_add(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *); -int ec_GF2m_simple_dbl(const EC_GROUP *, EC_POINT *r, const EC_POINT *a, BN_CTX *); -int ec_GF2m_simple_invert(const EC_GROUP *, EC_POINT *, BN_CTX *); -int ec_GF2m_simple_is_at_infinity(const EC_GROUP *, const EC_POINT *); -int ec_GF2m_simple_is_on_curve(const EC_GROUP *, const EC_POINT *, BN_CTX *); -int ec_GF2m_simple_cmp(const EC_GROUP *, const EC_POINT *a, const EC_POINT *b, BN_CTX *); -int ec_GF2m_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); -int ec_GF2m_simple_points_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *); -int ec_GF2m_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *); -int ec_GF2m_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); -int ec_GF2m_simple_field_div(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *); - -/* method functions 
in ec2_mult.c */ int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *); int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx); int ec_GF2m_have_precompute_mult(const EC_GROUP *group); -/* method functions in ec2_mult.c */ -int ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, - size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *); -int ec_GF2m_precompute_mult(EC_GROUP *group, BN_CTX *ctx); -int ec_GF2m_have_precompute_mult(const EC_GROUP *group); - -#ifndef OPENSSL_EC_NISTP_64_GCC_128 -/* method functions in ecp_nistp224.c */ -int ec_GFp_nistp224_group_init(EC_GROUP *group); -int ec_GFp_nistp224_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *n, BN_CTX *); -int ec_GFp_nistp224_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); -int ec_GFp_nistp224_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *); -int ec_GFp_nistp224_points_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx); -int ec_GFp_nistp224_precompute_mult(EC_GROUP *group, BN_CTX *ctx); -int ec_GFp_nistp224_have_precompute_mult(const EC_GROUP *group); - -/* method functions in ecp_nistp256.c */ -int ec_GFp_nistp256_group_init(EC_GROUP *group); -int ec_GFp_nistp256_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *n, BN_CTX *); -int ec_GFp_nistp256_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); -int ec_GFp_nistp256_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *); -int ec_GFp_nistp256_points_mul(const EC_GROUP *group, 
EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx); -int ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx); -int ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group); - -#ifdef ECP_NISTZ256_ASM -const EC_METHOD *EC_GFp_nistz256_method(void); -#endif - /* EC_METHOD definitions */ struct ec_key_method_st { 
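Review bot: The hunk deletes the GF(2^m) method prototypes (group_init, point ops, add/dbl, field ops) but leaves `ec_GF2m_simple_set_compressed_coordinates`, `ec_GF2m_simple_point2oct`, `ec_GF2m_simple_oct2point`, `ec_GF2m_simple_mul`, `ec_GF2m_precompute_mult` and `ec_GF2m_have_precompute_mult` declared as context lines. If ec2_smpl.c/ec2_mult.c are being removed with this change (consistent with dropping EC_POINT_set_compressed_coordinates_GF2m and the OPENSSL_NO_EC2M branches in ec_oct.c in this same patch), these six are dead declarations without definitions and should go too; if the files stay, the removal is incomplete. Either way the header should not keep half a method table.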
@@ -485,27 +407,16 @@ int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey); -/* method functions in ecp_nistp521.c */ -int ec_GFp_nistp521_group_init(EC_GROUP *group); -int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *n, BN_CTX *); -int ec_GFp_nistp521_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); -int ec_GFp_nistp521_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *); -int ec_GFp_nistp521_points_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx); -int ec_GFp_nistp521_precompute_mult(EC_GROUP *group, BN_CTX *ctx); -int ec_GFp_nistp521_have_precompute_mult(const EC_GROUP *group); +void *EC_KEY_get_key_method_data(EC_KEY *key, + void *(*dup_func)(void *), void (*free_func)(void *), + void (*clear_free_func)(void *)); +void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data, + void *(*dup_func)(void *), void (*free_func)(void *), + void (*clear_free_func)(void *)); -/* utility functions in ecp_nistputil.c */ -void ec_GFp_nistp_points_make_affine_internal(size_t num, void *point_array, - size_t felem_size, void *tmp_felems, - void (*felem_one)(void *out), - int (*felem_is_zero)(const void *in), - void (*felem_assign)(void *out, const void *in), - void (*felem_square)(void *out, const void *in), - void (*felem_mul)(void *out, const void *in1, const void *in2), - void (*felem_inv)(void *out, const void *in), - void (*felem_contract)(void *out, const void *in)); -void ec_GFp_nistp_recode_scalar_bits(unsigned char *sign, unsigned char *digit, unsigned char in); - -#endif +int EC_POINT_set_Jprojective_coordinates(const EC_GROUP *group, EC_POINT *p, + const BIGNUM 
*x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx); +int EC_POINT_get_Jprojective_coordinates(const EC_GROUP *group, + const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx); __END_HIDDEN_DECLS diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index 05f89a5..b70e60a 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_mult.c,v 1.24 2018/07/15 16:27:39 tb Exp $ */ +/* $OpenBSD: ec_mult.c,v 1.29 2023/04/11 18:58:20 jsing Exp $ */ /* * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. */ @@ -65,7 +65,7 @@ #include -#include "ec_lcl.h" +#include "ec_local.h" /* @@ -98,7 +98,7 @@ static void ec_pre_comp_free(void *); static void ec_pre_comp_clear_free(void *); static EC_PRE_COMP * -ec_pre_comp_new(const EC_GROUP * group) +ec_pre_comp_new(const EC_GROUP *group) { EC_PRE_COMP *ret = NULL; @@ -132,7 +132,7 @@ ec_pre_comp_dup(void *src_) return src_; } -static void +static void ec_pre_comp_free(void *pre_) { int i; @@ -155,7 +155,7 @@ ec_pre_comp_free(void *pre_) free(pre); } -static void +static void ec_pre_comp_clear_free(void *pre_) { int i; @@ -172,7 +172,7 @@ ec_pre_comp_clear_free(void *pre_) EC_POINT **p; for (p = pre->points; *p != NULL; p++) { - EC_POINT_clear_free(*p); + EC_POINT_free(*p); explicit_bzero(p, sizeof *p); } free(pre->points); @@ -192,7 +192,7 @@ ec_pre_comp_clear_free(void *pre_) * w-1 zeros away from that next non-zero digit. */ static signed char * -compute_wNAF(const BIGNUM * scalar, int w, size_t * ret_len) +compute_wNAF(const BIGNUM *scalar, int w, size_t *ret_len) { int window_val; int ok = 0; 
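Review bot: ec_pre_comp_clear_free now calls `EC_POINT_free(*p)` in its scrub loop, so this "clear" variant only zeroes the point's coordinates if EC_POINT_free itself does — which dropping `point_clear_finish` from EC_METHOD in this patch suggests, but which is not visible here. The stored points are multiples of the public generator, so nothing secret is at stake, but the intent should be recorded where a reader will look: `/* EC_POINT_free is expected to zero the coordinates before freeing; no separate clear_free remains. */`. Note that the following `explicit_bzero(p, sizeof *p)` only clears the pointer slot, not the point. The function's opening lines are outside the hunk.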
@@ -331,11 +331,10 @@ compute_wNAF(const BIGNUM * scalar, int w, size_t * ret_len) * scalar*generator * in the addition if scalar != NULL */ -int -ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar, - size_t num, const EC_POINT * points[], const BIGNUM * scalars[], BN_CTX * ctx) +int +ec_wNAF_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, + size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) { - BN_CTX *new_ctx = NULL; const EC_POINT *generator = NULL; EC_POINT *tmp = NULL; size_t totalnum; @@ -375,11 +374,6 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar, } } - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; - } if (scalar != NULL) { generator = EC_GROUP_get0_generator(group); if (generator == NULL) { @@ -679,7 +673,6 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar, ret = 1; err: - BN_CTX_free(new_ctx); EC_POINT_free(tmp); free(wsize); free(wNAF_len); @@ -694,7 +687,7 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar, } if (val != NULL) { for (v = val; *v != NULL; v++) - EC_POINT_clear_free(*v); + EC_POINT_free(*v); free(val); } free(val_sub); @@ -721,12 +714,11 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar, * points[2^(w-1)*numblocks-1] = (2^(w-1)) * 2^(blocksize*(numblocks-1)) * generator * points[2^(w-1)*numblocks] = NULL */ -int -ec_wNAF_precompute_mult(EC_GROUP * group, BN_CTX * ctx) +int +ec_wNAF_precompute_mult(EC_GROUP *group, BN_CTX *ctx) { const EC_POINT *generator; EC_POINT *tmp_point = NULL, *base = NULL, **var; - BN_CTX *new_ctx = NULL; BIGNUM *order; size_t i, bits, w, pre_points_per_block, blocksize, numblocks, num; 
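Review bot: ec_wNAF_mul no longer allocates a BN_CTX when `ctx == NULL`, so a NULL context presumably now reaches the BN_CTX_start/BN_CTX_get calls further down (outside the hunk) instead of failing cleanly via `goto err`. That is fine as long as every caller guarantees a context — EC_POINT_mul and EC_POINTs_mul in this patch do allocate one — but the function is reached through the method table, so the precondition should be stated where the allocation used to be: `/* ctx must be non-NULL; the EC_POINT_mul wrappers allocate one when the caller passes none. */`, or kept as a cheap `if (ctx == NULL) goto err;`. The function body continues past the hunk.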
@@ -745,12 +737,9 @@ ec_wNAF_precompute_mult(EC_GROUP * group, BN_CTX * ctx) ECerror(EC_R_UNDEFINED_GENERATOR); goto err; } - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; - } + BN_CTX_start(ctx); + if ((order = BN_CTX_get(ctx)) == NULL) goto err; @@ -764,7 +753,7 @@ ec_wNAF_precompute_mult(EC_GROUP * group, BN_CTX * ctx) /* * The following parameters mean we precompute (approximately) one * point per bit. - * + * * TBD: The combination 8, 4 is perfect for 160 bits; for other bit * lengths, other parameter combinations might provide better * efficiency. @@ -857,10 +846,9 @@ ec_wNAF_precompute_mult(EC_GROUP * group, BN_CTX * ctx) pre_comp = NULL; ret = 1; + err: - if (ctx != NULL) - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); + BN_CTX_end(ctx); ec_pre_comp_free(pre_comp); if (points) { EC_POINT **p; @@ -875,8 +863,8 @@ ec_wNAF_precompute_mult(EC_GROUP * group, BN_CTX * ctx) } -int -ec_wNAF_have_precompute_mult(const EC_GROUP * group) +int +ec_wNAF_have_precompute_mult(const EC_GROUP *group) { if (EC_EX_DATA_get_data(group->extra_data, ec_pre_comp_dup, ec_pre_comp_free, ec_pre_comp_clear_free) != NULL) return 1; diff --git a/crypto/ec/ec_oct.c b/crypto/ec/ec_oct.c index 4596821..f9de2f1 100644 --- a/crypto/ec/ec_oct.c +++ b/crypto/ec/ec_oct.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_oct.c,v 1.8 2021/04/20 17:34:33 tb Exp $ */ +/* $OpenBSD: ec_oct.c,v 1.14 2023/05/04 06:45:51 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ 
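Review bot: In ec_wNAF_precompute_mult the `goto err` after `ECerror(EC_R_UNDEFINED_GENERATOR)` jumps past the new unconditional `BN_CTX_start(ctx)`, yet the `err:` label now calls `BN_CTX_end(ctx)` unconditionally, so that path ends a frame it never started. Whether this is benign depends on BN_CTX_end tolerating an empty frame stack, which is not visible here; the old code had the same imbalance whenever a non-NULL ctx was passed, so it is not new, but the patch rewrites exactly these lines. Moving `BN_CTX_start(ctx);` above the generator lookup (so every `goto err` is preceded by a start), or guarding the end with a local flag, removes the dependency. The function starts outside this hunk.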
@@ -68,44 +68,36 @@ #include #include -#include "ec_lcl.h" +#include "ec_local.h" int EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point, - const BIGNUM *x, int y_bit, BN_CTX *ctx) + const BIGNUM *x, int y_bit, BN_CTX *ctx_in) { - if (group->meth->point_set_compressed_coordinates == NULL && - !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + if (group->meth->point_set_compressed_coordinates == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } if (group->meth != point->meth) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; + goto err; } - if (group->meth->flags & EC_FLAGS_DEFAULT_OCT) { - if (group->meth->field_type == NID_X9_62_prime_field) - return ec_GFp_simple_set_compressed_coordinates( - group, point, x, y_bit, ctx); - else -#ifdef OPENSSL_NO_EC2M - { - ECerror(EC_R_GF2M_NOT_SUPPORTED); - return 0; - } -#else - return ec_GF2m_simple_set_compressed_coordinates( - group, point, x, y_bit, ctx); -#endif - } - if (!group->meth->point_set_compressed_coordinates(group, point, x, - y_bit, ctx)) - return 0; - if (EC_POINT_is_on_curve(group, point, ctx) <= 0) { - ECerror(EC_R_POINT_IS_NOT_ON_CURVE); - return 0; - } - return 1; + ret = group->meth->point_set_compressed_coordinates(group, point, + x, y_bit, ctx); + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } int 
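Review bot: The on-curve check that followed `point_set_compressed_coordinates` is gone; the wrapper now returns whatever the method returns and never calls EC_POINT_is_on_curve. The x coordinate here typically comes from untrusted encodings (this is the decompression path behind oct2point), so if the method implementation — not visible in this hunk — does not validate the decompressed point itself, e.g. by going through EC_POINT_set_affine_coordinates, a point off the curve can now be accepted. In that case restore the check before `err:`: `if (ret && EC_POINT_is_on_curve(group, point, ctx) <= 0) { ECerror(EC_R_POINT_IS_NOT_ON_CURVE); ret = 0; }`; if the method does validate, a one-line comment saying so at the dispatch would stop the next reader from re-adding it.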
@@ -115,74 +107,61 @@ EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *point, return EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx); } -#ifndef OPENSSL_NO_EC2M -int -EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *point, - const BIGNUM *x, int y_bit, BN_CTX *ctx) -{ - return EC_POINT_set_compressed_coordinates(group, point, x, y_bit, ctx); -} -#endif - size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *point, - point_conversion_form_t form, - unsigned char *buf, size_t len, BN_CTX *ctx) + point_conversion_form_t form, unsigned char *buf, size_t len, + BN_CTX *ctx_in) { - if (group->meth->point2oct == 0 - && !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) { + BN_CTX *ctx; + size_t ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; + + if (group->meth->point2oct == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } if (group->meth != point->meth) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; + goto err; } - if (group->meth->flags & EC_FLAGS_DEFAULT_OCT) { - if (group->meth->field_type == NID_X9_62_prime_field) - return ec_GFp_simple_point2oct(group, point, - form, buf, len, ctx); - else -#ifdef OPENSSL_NO_EC2M - { - ECerror(EC_R_GF2M_NOT_SUPPORTED); - return 0; - } -#else - return ec_GF2m_simple_point2oct(group, point, - form, buf, len, ctx); -#endif - } - return group->meth->point2oct(group, point, form, buf, len, ctx); + ret = group->meth->point2oct(group, point, form, buf, len, ctx); + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *point, - const unsigned char *buf, size_t len, BN_CTX *ctx) + const unsigned char *buf, size_t len, BN_CTX *ctx_in) { - if (group->meth->oct2point == 0 && - !(group->meth->flags & EC_FLAGS_DEFAULT_OCT)) { + BN_CTX *ctx; + int ret = 0; + + if ((ctx = ctx_in) == NULL) + ctx = BN_CTX_new(); + if (ctx == NULL) + 
goto err; + + if (group->meth->oct2point == NULL) { ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - return 0; + goto err; } if (group->meth != point->meth) { ECerror(EC_R_INCOMPATIBLE_OBJECTS); - return 0; + goto err; } - if (group->meth->flags & EC_FLAGS_DEFAULT_OCT) { - if (group->meth->field_type == NID_X9_62_prime_field) - return ec_GFp_simple_oct2point(group, point, - buf, len, ctx); - else -#ifdef OPENSSL_NO_EC2M - { - ECerror(EC_R_GF2M_NOT_SUPPORTED); - return 0; - } -#else - return ec_GF2m_simple_oct2point(group, point, - buf, len, ctx); -#endif - } - return group->meth->oct2point(group, point, buf, len, ctx); + ret = group->meth->oct2point(group, point, buf, len, ctx); + + err: + if (ctx != ctx_in) + BN_CTX_free(ctx); + + return ret; } diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c index 63e6359..d1bb52d 100644 --- a/crypto/ec/ec_pmeth.c +++ b/crypto/ec/ec_pmeth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_pmeth.c,v 1.13 2021/12/04 16:08:32 tb Exp $ */ +/* $OpenBSD: ec_pmeth.c,v 1.17 2023/04/25 15:48:48 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -66,10 +66,10 @@ #include #include -#include "bn_lcl.h" -#include "ec_lcl.h" -#include "ech_locl.h" -#include "evp_locl.h" +#include "bn_local.h" +#include "ec_local.h" +#include "ech_local.h" +#include "evp_local.h" /* EC pkey context structure */ @@ -93,8 +93,8 @@ typedef struct { size_t kdf_outlen; } EC_PKEY_CTX; -static int -pkey_ec_init(EVP_PKEY_CTX * ctx) +static int +pkey_ec_init(EVP_PKEY_CTX *ctx) { EC_PKEY_CTX *dctx; @@ -111,8 +111,8 @@ pkey_ec_init(EVP_PKEY_CTX * ctx) return 1; } -static int -pkey_ec_copy(EVP_PKEY_CTX * dst, EVP_PKEY_CTX * src) +static int +pkey_ec_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) { EC_PKEY_CTX *dctx, *sctx; if (!pkey_ec_init(dst)) 
@@ -146,8 +146,8 @@ pkey_ec_copy(EVP_PKEY_CTX * dst, EVP_PKEY_CTX * src) return 1; } -static void -pkey_ec_cleanup(EVP_PKEY_CTX * ctx) +static void +pkey_ec_cleanup(EVP_PKEY_CTX *ctx) { EC_PKEY_CTX *dctx = ctx->data; @@ -160,8 +160,8 @@ pkey_ec_cleanup(EVP_PKEY_CTX * ctx) } } -static int -pkey_ec_sign(EVP_PKEY_CTX * ctx, unsigned char *sig, size_t * siglen, +static int +pkey_ec_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, const unsigned char *tbs, size_t tbslen) { int ret, type; @@ -188,8 +188,8 @@ pkey_ec_sign(EVP_PKEY_CTX * ctx, unsigned char *sig, size_t * siglen, return 1; } -static int -pkey_ec_verify(EVP_PKEY_CTX * ctx, +static int +pkey_ec_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen, const unsigned char *tbs, size_t tbslen) { @@ -207,8 +207,8 @@ pkey_ec_verify(EVP_PKEY_CTX * ctx, return ret; } -static int -pkey_ec_derive(EVP_PKEY_CTX * ctx, unsigned char *key, size_t * keylen) +static int +pkey_ec_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) { int ret; size_t outlen; @@ -283,8 +283,8 @@ pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) return rv; } -static int -pkey_ec_ctrl(EVP_PKEY_CTX * ctx, int type, int p1, void *p2) +static int +pkey_ec_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) { EC_PKEY_CTX *dctx = ctx->data; EC_GROUP *group; 
@@ -381,12 +381,17 @@ pkey_ec_ctrl(EVP_PKEY_CTX * ctx, int type, int p1, void *p2) return dctx->kdf_ukmlen; case EVP_PKEY_CTRL_MD: + /* RFC 3279, RFC 5758 and NIST CSOR. */ if (EVP_MD_type((const EVP_MD *) p2) != NID_sha1 && EVP_MD_type((const EVP_MD *) p2) != NID_ecdsa_with_SHA1 && EVP_MD_type((const EVP_MD *) p2) != NID_sha224 && EVP_MD_type((const EVP_MD *) p2) != NID_sha256 && EVP_MD_type((const EVP_MD *) p2) != NID_sha384 && - EVP_MD_type((const EVP_MD *) p2) != NID_sha512) { + EVP_MD_type((const EVP_MD *) p2) != NID_sha512 && + EVP_MD_type((const EVP_MD *) p2) != NID_sha3_224 && + EVP_MD_type((const EVP_MD *) p2) != NID_sha3_256 && + EVP_MD_type((const EVP_MD *) p2) != NID_sha3_384 && + EVP_MD_type((const EVP_MD *) p2) != NID_sha3_512) { ECerror(EC_R_INVALID_DIGEST_TYPE); return 0; } @@ -410,8 +415,8 @@ pkey_ec_ctrl(EVP_PKEY_CTX * ctx, int type, int p1, void *p2) } } -static int -pkey_ec_ctrl_str(EVP_PKEY_CTX * ctx, const char *type, const char *value) +static int +pkey_ec_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value) { if (!strcmp(type, "ec_paramgen_curve")) { int nid; @@ -449,8 +454,8 @@ pkey_ec_ctrl_str(EVP_PKEY_CTX * ctx, const char *type, const char *value) return -2; } -static int -pkey_ec_paramgen(EVP_PKEY_CTX * ctx, EVP_PKEY * pkey) +static int +pkey_ec_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { EC_KEY *ec = NULL; EC_PKEY_CTX *dctx = ctx->data; @@ -470,8 +475,8 @@ pkey_ec_paramgen(EVP_PKEY_CTX * ctx, EVP_PKEY * pkey) return ret; } -static int -pkey_ec_keygen(EVP_PKEY_CTX * ctx, EVP_PKEY * pkey) +static int +pkey_ec_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { EC_KEY *ec = NULL; EC_PKEY_CTX *dctx = ctx->data; diff --git a/crypto/ec/ec_print.c b/crypto/ec/ec_print.c index af4d199..2aa0aa6 100644 --- a/crypto/ec/ec_print.c +++ b/crypto/ec/ec_print.c 
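Review bot: The EVP_PKEY_CTRL_MD allow-list in `pkey_ec_ctrl` now re-evaluates `EVP_MD_type((const EVP_MD *) p2)` ten times in one condition, which is hard to scan and easy to get wrong on the next addition. A `switch` on the digest NID computed once, as below, expresses the same list as data and keeps the RFC 3279 / RFC 5758 / CSOR comment attached to it. The list also still admits NID_sha1 and NID_ecdsa_with_SHA1; that is pre-existing, but a comment such as `/* SHA-1 kept for interoperability with legacy signatures. */` would make the choice explicit. The rest of `pkey_ec_ctrl` lies outside this hunk.
```c
	case EVP_PKEY_CTRL_MD:
		/* RFC 3279, RFC 5758 and NIST CSOR. */
		switch (EVP_MD_type((const EVP_MD *) p2)) {
		case NID_sha1:
		case NID_ecdsa_with_SHA1:
		case NID_sha224:
		case NID_sha256:
		case NID_sha384:
		case NID_sha512:
		case NID_sha3_224:
		case NID_sha3_256:
		case NID_sha3_384:
		case NID_sha3_512:
			break;
		default:
			ECerror(EC_R_INVALID_DIGEST_TYPE);
			return 0;
		}
		/* … unchanged: remainder of the EVP_PKEY_CTRL_MD case … */
```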
@@ -1,4 +1,4 @@ -/* $OpenBSD: ec_print.c,v 1.7 2014/12/03 19:53:20 deraadt Exp $ */ +/* $OpenBSD: ec_print.c,v 1.11 2023/03/08 05:45:31 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * @@ -54,11 +54,11 @@ */ #include -#include "ec_lcl.h" +#include "ec_local.h" BIGNUM * -EC_POINT_point2bn(const EC_GROUP * group, const EC_POINT * point, - point_conversion_form_t form, BIGNUM * ret, BN_CTX * ctx) +EC_POINT_point2bn(const EC_GROUP *group, const EC_POINT *point, + point_conversion_form_t form, BIGNUM *ret, BN_CTX *ctx) { size_t buf_len = 0; unsigned char *buf; @@ -83,8 +83,8 @@ EC_POINT_point2bn(const EC_GROUP * group, const EC_POINT * point, } EC_POINT * -EC_POINT_bn2point(const EC_GROUP * group, - const BIGNUM * bn, EC_POINT * point, BN_CTX * ctx) +EC_POINT_bn2point(const EC_GROUP *group, + const BIGNUM *bn, EC_POINT *point, BN_CTX *ctx) { size_t buf_len = 0; unsigned char *buf; @@ -110,7 +110,7 @@ EC_POINT_bn2point(const EC_GROUP * group, if (!EC_POINT_oct2point(group, ret, buf, buf_len, ctx)) { if (point == NULL) - EC_POINT_clear_free(ret); + EC_POINT_free(ret); free(buf); return NULL; } @@ -122,8 +122,8 @@ static const char *HEX_DIGITS = "0123456789ABCDEF"; /* the return value must be freed (using free()) */ char * -EC_POINT_point2hex(const EC_GROUP * group, const EC_POINT * point, - point_conversion_form_t form, BN_CTX * ctx) +EC_POINT_point2hex(const EC_GROUP *group, const EC_POINT *point, + point_conversion_form_t form, BN_CTX *ctx) { char *ret, *p; size_t buf_len = 0, i; @@ -161,8 +161,8 @@ EC_POINT_point2hex(const EC_GROUP * group, const EC_POINT * point, } EC_POINT * -EC_POINT_hex2point(const EC_GROUP * group, const char *buf, - EC_POINT * point, BN_CTX * ctx) +EC_POINT_hex2point(const EC_GROUP *group, const char *buf, + EC_POINT *point, BN_CTX *ctx) { EC_POINT *ret = NULL; BIGNUM *tmp_bn = NULL; 
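Review bot: The failure path of `EC_POINT_bn2point` switches from `EC_POINT_clear_free(ret)` to `EC_POINT_free(ret)`, and the -172 hunk on the next line makes the same change for `tmp_bn` in `EC_POINT_hex2point`. Both objects hold an encoded curve point, which is public data, so nothing secret is left unscrubbed; unless `EC_POINT_free`/`BN_free` clear memory anyway (not visible here), the only difference is that the memory is no longer zeroed. A one-line comment at the `EC_POINT_free(ret)` call, `/* public point data, no scrubbing needed */`, would keep a later reader from reinstating the clearing variant. `EC_POINT_bn2point` starts and ends outside the hunk.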
@@ -172,7 +172,7 @@ EC_POINT_hex2point(const EC_GROUP * group, const char *buf, ret = EC_POINT_bn2point(group, tmp_bn, point, ctx); - BN_clear_free(tmp_bn); + BN_free(tmp_bn); return ret; } diff --git a/crypto/ec/eck_prn.c b/crypto/ec/eck_prn.c index c2fd2eb..f7ce8de 100644 --- a/crypto/ec/eck_prn.c +++ b/crypto/ec/eck_prn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eck_prn.c,v 1.17 2021/04/20 17:12:43 tb Exp $ */ +/* $OpenBSD: eck_prn.c,v 1.20 2022/11/19 07:29:29 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -69,8 +69,8 @@ #include #include -int -ECPKParameters_print_fp(FILE * fp, const EC_GROUP * x, int off) +int +ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off) { BIO *b; int ret; @@ -85,8 +85,8 @@ ECPKParameters_print_fp(FILE * fp, const EC_GROUP * x, int off) return (ret); } -int -EC_KEY_print_fp(FILE * fp, const EC_KEY * x, int off) +int +EC_KEY_print_fp(FILE *fp, const EC_KEY *x, int off) { BIO *b; int ret; @@ -101,8 +101,8 @@ EC_KEY_print_fp(FILE * fp, const EC_KEY * x, int off) return (ret); } -int -ECParameters_print_fp(FILE * fp, const EC_KEY * x) +int +ECParameters_print_fp(FILE *fp, const EC_KEY *x) { BIO *b; int ret; 
@@ -117,38 +117,48 @@ ECParameters_print_fp(FILE * fp, const EC_KEY * x) return (ret); } -int -EC_KEY_print(BIO * bp, const EC_KEY * x, int off) +int +EC_KEY_print(BIO *bp, const EC_KEY *x, int off) { EVP_PKEY *pk; - int ret; - pk = EVP_PKEY_new(); - if (!pk || !EVP_PKEY_set1_EC_KEY(pk, (EC_KEY *) x)) - return 0; + int ret = 0; + + if ((pk = EVP_PKEY_new()) == NULL) + goto err; + + if (!EVP_PKEY_set1_EC_KEY(pk, (EC_KEY *) x)) + goto err; + ret = EVP_PKEY_print_private(bp, pk, off, NULL); + err: EVP_PKEY_free(pk); return ret; } -int -ECParameters_print(BIO * bp, const EC_KEY * x) +int +ECParameters_print(BIO *bp, const EC_KEY *x) { EVP_PKEY *pk; - int ret; - pk = EVP_PKEY_new(); - if (!pk || !EVP_PKEY_set1_EC_KEY(pk, (EC_KEY *) x)) - return 0; + int ret = 0; + + if ((pk = EVP_PKEY_new()) == NULL) + goto err; + + if (!EVP_PKEY_set1_EC_KEY(pk, (EC_KEY *) x)) + goto err; + ret = EVP_PKEY_print_params(bp, pk, 4, NULL); + err: EVP_PKEY_free(pk); return ret; } -static int -print_bin(BIO * fp, const char *str, const unsigned char *num, +static int +print_bin(BIO *fp, const char *str, const unsigned char *num, size_t len, int off); -int -ECPKParameters_print(BIO * bp, const EC_GROUP * x, int off) +int +ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off) { unsigned char *buffer = NULL; size_t buf_len = 0, i; @@ -323,8 +333,8 @@ ECPKParameters_print(BIO * bp, const EC_GROUP * x, int off) return (ret); } -static int -print_bin(BIO * fp, const char *name, const unsigned char *buf, +static int +print_bin(BIO *fp, const char *name, const unsigned char *buf, size_t len, int off) { size_t i; diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c index 0da3083..b113855 100644 --- a/crypto/ec/ecp_mont.c +++ b/crypto/ec/ecp_mont.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecp_mont.c,v 1.20 2021/09/08 17:29:21 tb Exp $ */ +/* $OpenBSD: ecp_mont.c,v 1.29 2023/04/11 18:58:20 jsing Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ 
@@ -63,147 +63,76 @@ #include -#include "ec_lcl.h" +#include "ec_local.h" - -const EC_METHOD * -EC_GFp_mont_method(void) +static void +ec_GFp_mont_group_clear(EC_GROUP *group) { - static const EC_METHOD ret = { - .flags = EC_FLAGS_DEFAULT_OCT, - .field_type = NID_X9_62_prime_field, - .group_init = ec_GFp_mont_group_init, - .group_finish = ec_GFp_mont_group_finish, - .group_clear_finish = ec_GFp_mont_group_clear_finish, - .group_copy = ec_GFp_mont_group_copy, - .group_set_curve = ec_GFp_mont_group_set_curve, - .group_get_curve = ec_GFp_simple_group_get_curve, - .group_get_degree = ec_GFp_simple_group_get_degree, - .group_order_bits = ec_group_simple_order_bits, - .group_check_discriminant = - ec_GFp_simple_group_check_discriminant, - .point_init = ec_GFp_simple_point_init, - .point_finish = ec_GFp_simple_point_finish, - .point_clear_finish = ec_GFp_simple_point_clear_finish, - .point_copy = ec_GFp_simple_point_copy, - .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity, - .point_set_Jprojective_coordinates = - ec_GFp_simple_set_Jprojective_coordinates, - .point_get_Jprojective_coordinates = - ec_GFp_simple_get_Jprojective_coordinates, - .point_set_affine_coordinates = - ec_GFp_simple_point_set_affine_coordinates, - .point_get_affine_coordinates = - ec_GFp_simple_point_get_affine_coordinates, - .add = ec_GFp_simple_add, - .dbl = ec_GFp_simple_dbl, - .invert = ec_GFp_simple_invert, - .is_at_infinity = ec_GFp_simple_is_at_infinity, - .is_on_curve = ec_GFp_simple_is_on_curve, - .point_cmp = ec_GFp_simple_cmp, - .make_affine = ec_GFp_simple_make_affine, - .points_make_affine = ec_GFp_simple_points_make_affine, - .mul_generator_ct = ec_GFp_simple_mul_generator_ct, - .mul_single_ct = ec_GFp_simple_mul_single_ct, - .mul_double_nonct = ec_GFp_simple_mul_double_nonct, - .field_mul = ec_GFp_mont_field_mul, - .field_sqr = ec_GFp_mont_field_sqr, - .field_encode = ec_GFp_mont_field_encode, - .field_decode = ec_GFp_mont_field_decode, - .field_set_to_one = 
ec_GFp_mont_field_set_to_one, - .blind_coordinates = ec_GFp_simple_blind_coordinates, - }; + BN_MONT_CTX_free(group->mont_ctx); + group->mont_ctx = NULL; - return &ret; + BN_free(group->mont_one); + group->mont_one = NULL; } - -int -ec_GFp_mont_group_init(EC_GROUP * group) +static int +ec_GFp_mont_group_init(EC_GROUP *group) { int ok; ok = ec_GFp_simple_group_init(group); - group->field_data1 = NULL; - group->field_data2 = NULL; + group->mont_ctx = NULL; + group->mont_one = NULL; return ok; } - -void -ec_GFp_mont_group_finish(EC_GROUP * group) +static void +ec_GFp_mont_group_finish(EC_GROUP *group) { - BN_MONT_CTX_free(group->field_data1); - group->field_data1 = NULL; - BN_free(group->field_data2); - group->field_data2 = NULL; + ec_GFp_mont_group_clear(group); ec_GFp_simple_group_finish(group); } - -void -ec_GFp_mont_group_clear_finish(EC_GROUP * group) +static int +ec_GFp_mont_group_copy(EC_GROUP *dest, const EC_GROUP *src) { - BN_MONT_CTX_free(group->field_data1); - group->field_data1 = NULL; - BN_clear_free(group->field_data2); - group->field_data2 = NULL; - ec_GFp_simple_group_clear_finish(group); -} - - -int -ec_GFp_mont_group_copy(EC_GROUP * dest, const EC_GROUP * src) -{ - BN_MONT_CTX_free(dest->field_data1); - dest->field_data1 = NULL; - BN_clear_free(dest->field_data2); - dest->field_data2 = NULL; + ec_GFp_mont_group_clear(dest); if (!ec_GFp_simple_group_copy(dest, src)) return 0; - if (src->field_data1 != NULL) { - dest->field_data1 = BN_MONT_CTX_new(); - if (dest->field_data1 == NULL) + if (src->mont_ctx != NULL) { + dest->mont_ctx = BN_MONT_CTX_new(); + if (dest->mont_ctx == NULL) return 0; - if (!BN_MONT_CTX_copy(dest->field_data1, src->field_data1)) + if (!BN_MONT_CTX_copy(dest->mont_ctx, src->mont_ctx)) goto err; } - if (src->field_data2 != NULL) { - dest->field_data2 = BN_dup(src->field_data2); - if (dest->field_data2 == NULL) + if (src->mont_one != NULL) { + dest->mont_one = BN_dup(src->mont_one); + if (dest->mont_one == NULL) goto err; } return 1; 
err: - if (dest->field_data1 != NULL) { - BN_MONT_CTX_free(dest->field_data1); - dest->field_data1 = NULL; + if (dest->mont_ctx != NULL) { + BN_MONT_CTX_free(dest->mont_ctx); + dest->mont_ctx = NULL; } return 0; } - -int +static int ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { - BN_CTX *new_ctx = NULL; BN_MONT_CTX *mont = NULL; BIGNUM *one = NULL; int ret = 0; - BN_MONT_CTX_free(group->field_data1); - group->field_data1 = NULL; - BN_free(group->field_data2); - group->field_data2 = NULL; - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } + ec_GFp_mont_group_clear(group); + mont = BN_MONT_CTX_new(); if (mont == NULL) goto err; 
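Review bot: The `err:` path of `ec_GFp_mont_group_copy` still hand-frees `dest->mont_ctx` behind a NULL guard, while the hunk introduces `ec_GFp_mont_group_clear()` for exactly that job and already calls it at the top of the same function. Replacing the four lines with `err: ec_GFp_mont_group_clear(dest); return 0;` also resets `mont_one`, which the manual path leaves alone (harmless today because a failed `BN_dup` leaves it NULL, but fragile if another step is added between the two). `ec_GFp_mont_group_set_curve`, whose body begins at the end of this hunk, continues outside it.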
@@ -217,83 +146,126 @@ ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, if (!BN_to_montgomery(one, BN_value_one(), mont, ctx)) goto err; - group->field_data1 = mont; + group->mont_ctx = mont; mont = NULL; - group->field_data2 = one; + group->mont_one = one; one = NULL; ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); + if (!ret) + ec_GFp_mont_group_clear(group); - if (!ret) { - BN_MONT_CTX_free(group->field_data1); - group->field_data1 = NULL; - BN_free(group->field_data2); - group->field_data2 = NULL; - } err: - BN_CTX_free(new_ctx); BN_MONT_CTX_free(mont); BN_free(one); + return ret; } - -int +static int ec_GFp_mont_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { - if (group->field_data1 == NULL) { + if (group->mont_ctx == NULL) { ECerror(EC_R_NOT_INITIALIZED); return 0; } - return BN_mod_mul_montgomery(r, a, b, group->field_data1, ctx); + return BN_mod_mul_montgomery(r, a, b, group->mont_ctx, ctx); } - -int +static int ec_GFp_mont_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) { - if (group->field_data1 == NULL) { + if (group->mont_ctx == NULL) { ECerror(EC_R_NOT_INITIALIZED); return 0; } - return BN_mod_mul_montgomery(r, a, a, group->field_data1, ctx); + return BN_mod_mul_montgomery(r, a, a, group->mont_ctx, ctx); } - -int +static int ec_GFp_mont_field_encode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) { - if (group->field_data1 == NULL) { + if (group->mont_ctx == NULL) { ECerror(EC_R_NOT_INITIALIZED); return 0; } - return BN_to_montgomery(r, a, (BN_MONT_CTX *) group->field_data1, ctx); + return BN_to_montgomery(r, a, group->mont_ctx, ctx); } - -int +static int ec_GFp_mont_field_decode(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) { - if (group->field_data1 == NULL) { + if (group->mont_ctx == NULL) { ECerror(EC_R_NOT_INITIALIZED); return 0; } - return BN_from_montgomery(r, a, group->field_data1, ctx); + return 
BN_from_montgomery(r, a, group->mont_ctx, ctx); } - -int +static int ec_GFp_mont_field_set_to_one(const EC_GROUP *group, BIGNUM *r, BN_CTX *ctx) { - if (group->field_data2 == NULL) { + if (group->mont_one == NULL) { ECerror(EC_R_NOT_INITIALIZED); return 0; } - if (!BN_copy(r, group->field_data2)) + if (!bn_copy(r, group->mont_one)) return 0; + return 1; } + +static const EC_METHOD ec_GFp_mont_method = { + .field_type = NID_X9_62_prime_field, + .group_init = ec_GFp_mont_group_init, + .group_finish = ec_GFp_mont_group_finish, + .group_copy = ec_GFp_mont_group_copy, + .group_set_curve = ec_GFp_mont_group_set_curve, + .group_get_curve = ec_GFp_simple_group_get_curve, + .group_get_degree = ec_GFp_simple_group_get_degree, + .group_order_bits = ec_group_simple_order_bits, + .group_check_discriminant = ec_GFp_simple_group_check_discriminant, + .point_init = ec_GFp_simple_point_init, + .point_finish = ec_GFp_simple_point_finish, + .point_copy = ec_GFp_simple_point_copy, + .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity, + .point_set_Jprojective_coordinates = + ec_GFp_simple_set_Jprojective_coordinates, + .point_get_Jprojective_coordinates = + ec_GFp_simple_get_Jprojective_coordinates, + .point_set_affine_coordinates = + ec_GFp_simple_point_set_affine_coordinates, + .point_get_affine_coordinates = + ec_GFp_simple_point_get_affine_coordinates, + .point_set_compressed_coordinates = + ec_GFp_simple_set_compressed_coordinates, + .point2oct = ec_GFp_simple_point2oct, + .oct2point = ec_GFp_simple_oct2point, + .add = ec_GFp_simple_add, + .dbl = ec_GFp_simple_dbl, + .invert = ec_GFp_simple_invert, + .is_at_infinity = ec_GFp_simple_is_at_infinity, + .is_on_curve = ec_GFp_simple_is_on_curve, + .point_cmp = ec_GFp_simple_cmp, + .make_affine = ec_GFp_simple_make_affine, + .points_make_affine = ec_GFp_simple_points_make_affine, + .mul_generator_ct = ec_GFp_simple_mul_generator_ct, + .mul_single_ct = ec_GFp_simple_mul_single_ct, + .mul_double_nonct = 
ec_GFp_simple_mul_double_nonct, + .field_mul = ec_GFp_mont_field_mul, + .field_sqr = ec_GFp_mont_field_sqr, + .field_encode = ec_GFp_mont_field_encode, + .field_decode = ec_GFp_mont_field_decode, + .field_set_to_one = ec_GFp_mont_field_set_to_one, + .blind_coordinates = ec_GFp_simple_blind_coordinates, +}; + +const EC_METHOD * +EC_GFp_mont_method(void) +{ + return &ec_GFp_mont_method; +} diff --git a/crypto/ec/ecp_nist.c b/crypto/ec/ecp_nist.c deleted file mode 100644 index f7dae16..0000000 --- a/crypto/ec/ecp_nist.c +++ /dev/null 
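Review bot: `ec_GFp_mont_field_set_to_one` copies `group->mont_one` without saying what that value is, and the EC_R_NOT_INITIALIZED checks in the four field functions only make sense once a reader knows both fields are produced by `ec_GFp_mont_group_set_curve`, which converts `BN_value_one()` with `BN_to_montgomery` and stores it as `mont_one`. A comment above `ec_GFp_mont_field_set_to_one`, e.g. `/* mont_one is BN_value_one() in Montgomery form, set by ec_GFp_mont_group_set_curve(). */`, would make that explicit. The new static `ec_GFp_mont_method` also omits the `.flags`, `.group_clear_finish` and `.point_clear_finish` members of the removed initializer and adds explicit `point_set_compressed_coordinates`/`point2oct`/`oct2point` hooks; that matches ec_oct.c now treating a NULL hook as an error, but it presumably implies an EC_METHOD layout change in ec_local.h that is worth a note.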
@@ -1,217 +0,0 @@ -/* $OpenBSD: ecp_nist.c,v 1.18 2021/09/08 17:29:21 tb Exp $ */ -/* - * Written by Nils Larsch for the OpenSSL project. - */ -/* ==================================================================== - * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* ==================================================================== - * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * Portions of this software developed by SUN MICROSYSTEMS, INC., - * and contributed to the OpenSSL project. 
- */ - -#include - -#include -#include -#include "ec_lcl.h" - -const EC_METHOD * -EC_GFp_nist_method(void) -{ - static const EC_METHOD ret = { - .flags = EC_FLAGS_DEFAULT_OCT, - .field_type = NID_X9_62_prime_field, - .group_init = ec_GFp_simple_group_init, - .group_finish = ec_GFp_simple_group_finish, - .group_clear_finish = ec_GFp_simple_group_clear_finish, - .group_copy = ec_GFp_nist_group_copy, - .group_set_curve = ec_GFp_nist_group_set_curve, - .group_get_curve = ec_GFp_simple_group_get_curve, - .group_get_degree = ec_GFp_simple_group_get_degree, - .group_order_bits = ec_group_simple_order_bits, - .group_check_discriminant = - ec_GFp_simple_group_check_discriminant, - .point_init = ec_GFp_simple_point_init, - .point_finish = ec_GFp_simple_point_finish, - .point_clear_finish = ec_GFp_simple_point_clear_finish, - .point_copy = ec_GFp_simple_point_copy, - .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity, - .point_set_Jprojective_coordinates = - ec_GFp_simple_set_Jprojective_coordinates, - .point_get_Jprojective_coordinates = - ec_GFp_simple_get_Jprojective_coordinates, - .point_set_affine_coordinates = - ec_GFp_simple_point_set_affine_coordinates, - .point_get_affine_coordinates = - ec_GFp_simple_point_get_affine_coordinates, - .add = ec_GFp_simple_add, - .dbl = ec_GFp_simple_dbl, - .invert = ec_GFp_simple_invert, - .is_at_infinity = ec_GFp_simple_is_at_infinity, - .is_on_curve = ec_GFp_simple_is_on_curve, - .point_cmp = ec_GFp_simple_cmp, - .make_affine = ec_GFp_simple_make_affine, - .points_make_affine = ec_GFp_simple_points_make_affine, - .mul_generator_ct = ec_GFp_simple_mul_generator_ct, - .mul_single_ct = ec_GFp_simple_mul_single_ct, - .mul_double_nonct = ec_GFp_simple_mul_double_nonct, - .field_mul = ec_GFp_nist_field_mul, - .field_sqr = ec_GFp_nist_field_sqr, - .blind_coordinates = ec_GFp_simple_blind_coordinates, - }; - - return &ret; -} - -int -ec_GFp_nist_group_copy(EC_GROUP * dest, const EC_GROUP * src) -{ - dest->field_mod_func = 
src->field_mod_func; - - return ec_GFp_simple_group_copy(dest, src); -} - -int -ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p, - const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) -{ - int ret = 0; - BN_CTX *new_ctx = NULL; - BIGNUM *tmp_bn; - - if (ctx == NULL) - if ((ctx = new_ctx = BN_CTX_new()) == NULL) - return 0; - - BN_CTX_start(ctx); - if ((tmp_bn = BN_CTX_get(ctx)) == NULL) - goto err; - - if (BN_ucmp(BN_get0_nist_prime_192(), p) == 0) - group->field_mod_func = BN_nist_mod_192; - else if (BN_ucmp(BN_get0_nist_prime_224(), p) == 0) - group->field_mod_func = BN_nist_mod_224; - else if (BN_ucmp(BN_get0_nist_prime_256(), p) == 0) - group->field_mod_func = BN_nist_mod_256; - else if (BN_ucmp(BN_get0_nist_prime_384(), p) == 0) - group->field_mod_func = BN_nist_mod_384; - else if (BN_ucmp(BN_get0_nist_prime_521(), p) == 0) - group->field_mod_func = BN_nist_mod_521; - else { - ECerror(EC_R_NOT_A_NIST_PRIME); - goto err; - } - - ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); - - err: - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return ret; -} - - -int -ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, - const BIGNUM *b, BN_CTX *ctx) -{ - int ret = 0; - BN_CTX *ctx_new = NULL; - - if (!group || !r || !a || !b) { - ECerror(ERR_R_PASSED_NULL_PARAMETER); - goto err; - } - if (!ctx) - if ((ctx_new = ctx = BN_CTX_new()) == NULL) - goto err; - - if (!BN_mul(r, a, b, ctx)) - goto err; - if (!group->field_mod_func(r, r, &group->field, ctx)) - goto err; - - ret = 1; - err: - BN_CTX_free(ctx_new); - return ret; -} - - -int -ec_GFp_nist_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, - BN_CTX * ctx) -{ - int ret = 0; - BN_CTX *ctx_new = NULL; - - if (!group || !r || !a) { - ECerror(EC_R_PASSED_NULL_PARAMETER); - goto err; - } - if (!ctx) - if ((ctx_new = ctx = BN_CTX_new()) == NULL) - goto err; - - if (!BN_sqr(r, a, ctx)) - goto err; - if (!group->field_mod_func(r, r, &group->field, ctx)) - goto err; - - ret = 1; - 
err: - BN_CTX_free(ctx_new); - return ret; -} diff --git a/crypto/ec/ecp_oct.c b/crypto/ec/ecp_oct.c index 177bbe1..b3cf441 100644 --- a/crypto/ec/ecp_oct.c +++ b/crypto/ec/ecp_oct.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecp_oct.c,v 1.14 2021/04/20 17:32:57 tb Exp $ */ +/* $OpenBSD: ecp_oct.c,v 1.21 2023/04/18 18:29:32 tb Exp $ */ /* Includes code written by Lenka Fibikova * for the OpenSSL project. * Includes code written by Bodo Moeller for the OpenSSL project. @@ -64,27 +64,22 @@ #include -#include "ec_lcl.h" +#include "ec_local.h" -int -ec_GFp_simple_set_compressed_coordinates(const EC_GROUP * group, - EC_POINT * point, const BIGNUM * x_, int y_bit, BN_CTX * ctx) +int +ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, + EC_POINT *point, const BIGNUM *x_, int y_bit, BN_CTX *ctx) { - BN_CTX *new_ctx = NULL; BIGNUM *tmp1, *tmp2, *x, *y; int ret = 0; /* clear error queue */ ERR_clear_error(); - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } y_bit = (y_bit != 0); BN_CTX_start(ctx); + if ((tmp1 = BN_CTX_get(ctx)) == NULL) goto err; if ((tmp2 = BN_CTX_get(ctx)) == NULL) @@ -102,7 +97,7 @@ ec_GFp_simple_set_compressed_coordinates(const EC_GROUP * group, /* tmp1 := x^3 */ if (!BN_nnmod(x, x_, &group->field, ctx)) goto err; - if (group->meth->field_decode == 0) { + if (group->meth->field_decode == NULL) { /* field_{sqr,mul} work on standard representation */ if (!group->meth->field_sqr(group, tmp2, x_, ctx)) goto err; @@ -140,7 +135,7 @@ ec_GFp_simple_set_compressed_coordinates(const EC_GROUP * group, } /* tmp1 := tmp1 + b */ - if (group->meth->field_decode) { + if (group->meth->field_decode != NULL) { if (!group->meth->field_decode(group, tmp2, &group->b, ctx)) goto err; if (!BN_mod_add_quick(tmp1, tmp1, tmp2, &group->field)) 
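Review bot: `ec_GFp_simple_set_compressed_coordinates` now calls `BN_CTX_start(ctx)` without the former NULL-ctx fallback, so a NULL `ctx` is no longer tolerated; the public wrapper in ec_oct.c allocates one when its caller passes NULL, but nothing here states that contract. A comment at the `BN_CTX_start(ctx)` line such as `/* ctx is never NULL here: EC_POINT_set_compressed_coordinates() supplies one. */` would document it, and the same applies to `ec_GFp_simple_point2oct` and `ec_GFp_simple_oct2point` in the following hunks. The function continues past the end of the -64 hunk.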
@@ -162,28 +157,15 @@ ec_GFp_simple_set_compressed_coordinates(const EC_GROUP * group, } if (y_bit != BN_is_odd(y)) { if (BN_is_zero(y)) { - int kron; - - kron = BN_kronecker(x, &group->field, ctx); - if (kron == -2) - goto err; - - if (kron == 1) - ECerror(EC_R_INVALID_COMPRESSION_BIT); - else - /* - * BN_mod_sqrt() should have cought this - * error (not a square) - */ - ECerror(EC_R_INVALID_COMPRESSED_POINT); + ECerror(EC_R_INVALID_COMPRESSION_BIT); goto err; } if (!BN_usub(y, &group->field, y)) goto err; - } - if (y_bit != BN_is_odd(y)) { - ECerror(ERR_R_INTERNAL_ERROR); - goto err; + if (y_bit != BN_is_odd(y)) { + ECerror(ERR_R_INTERNAL_ERROR); + goto err; + } } if (!EC_POINT_set_affine_coordinates(group, point, x, y, ctx)) goto err; @@ -192,27 +174,25 @@ ec_GFp_simple_set_compressed_coordinates(const EC_GROUP * group, err: BN_CTX_end(ctx); - BN_CTX_free(new_ctx); + return ret; } - -size_t -ec_GFp_simple_point2oct(const EC_GROUP * group, const EC_POINT * point, point_conversion_form_t form, - unsigned char *buf, size_t len, BN_CTX * ctx) +size_t +ec_GFp_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, + point_conversion_form_t form, unsigned char *buf, size_t len, BN_CTX *ctx) { - size_t ret; - BN_CTX *new_ctx = NULL; - int used_ctx = 0; BIGNUM *x, *y; size_t field_len, i, skip; + size_t ret = 0; - if ((form != POINT_CONVERSION_COMPRESSED) - && (form != POINT_CONVERSION_UNCOMPRESSED) - && (form != POINT_CONVERSION_HYBRID)) { + if (form != POINT_CONVERSION_COMPRESSED && + form != POINT_CONVERSION_UNCOMPRESSED && + form != POINT_CONVERSION_HYBRID) { ECerror(EC_R_INVALID_FORM); - goto err; + return 0; } + if (EC_POINT_is_at_infinity(group, point) > 0) { /* encodes to a single 0 octet */ if (buf != NULL) { 
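Review bot: With the `BN_kronecker` branch gone, the `y == 0` case in `ec_GFp_simple_set_compressed_coordinates` reports EC_R_INVALID_COMPRESSION_BIT unconditionally, and the reason is no longer visible at the call site. A short comment above the `BN_is_zero(y)` test, `/* y == 0 is its own negation, so an odd y_bit cannot be satisfied. */`, would explain why this is a bad compression bit rather than an off-curve point; the non-square case is presumably rejected where the square root is computed, outside this hunk, and that is worth confirming. Moving the ERR_R_INTERNAL_ERROR re-check inside the block is correct, since the parity only changes after the `BN_usub`.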
@@ -224,23 +204,20 @@ ec_GFp_simple_point2oct(const EC_GROUP * group, const EC_POINT * point, point_co } return 1; } + /* ret := required output buffer length */ field_len = BN_num_bytes(&group->field); ret = (form == POINT_CONVERSION_COMPRESSED) ? 1 + field_len : 1 + 2 * field_len; + BN_CTX_start(ctx); + /* if 'buf' is NULL, just return required length */ if (buf != NULL) { if (len < ret) { ECerror(EC_R_BUFFER_TOO_SMALL); goto err; } - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } - BN_CTX_start(ctx); - used_ctx = 1; + if ((x = BN_CTX_get(ctx)) == NULL) goto err; if ((y = BN_CTX_get(ctx)) == NULL) @@ -289,26 +266,19 @@ ec_GFp_simple_point2oct(const EC_GROUP * group, const EC_POINT * point, point_co goto err; } } - if (used_ctx) - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return ret; err: - if (used_ctx) - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); - return 0; + BN_CTX_end(ctx); + + return ret; } - -int -ec_GFp_simple_oct2point(const EC_GROUP * group, EC_POINT * point, - const unsigned char *buf, size_t len, BN_CTX * ctx) +int +ec_GFp_simple_oct2point(const EC_GROUP *group, EC_POINT *point, + const unsigned char *buf, size_t len, BN_CTX *ctx) { point_conversion_form_t form; int y_bit; - BN_CTX *new_ctx = NULL; BIGNUM *x, *y; size_t field_len, enc_len; int ret = 0; @@ -344,12 +314,9 @@ ec_GFp_simple_oct2point(const EC_GROUP * group, EC_POINT * point, ECerror(EC_R_INVALID_ENCODING); return 0; } - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } + BN_CTX_start(ctx); + if ((x = BN_CTX_get(ctx)) == NULL) goto err; if ((y = BN_CTX_get(ctx)) == NULL) @@ -393,6 +360,6 @@ ec_GFp_simple_oct2point(const EC_GROUP * group, EC_POINT * point, err: BN_CTX_end(ctx); - BN_CTX_free(new_ctx); + return ret; } diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c index 6f5280b..1162d89 100644 --- a/crypto/ec/ecp_smpl.c +++ b/crypto/ec/ecp_smpl.c 
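Review bot: `ec_GFp_simple_point2oct` now returns a non-zero length on failure: `ret` is set to the required buffer length before `BN_CTX_start(ctx)` in the -224 hunk, and the -289 hunk collapses both exits into `err: BN_CTX_end(ctx); return ret;`, so the EC_R_BUFFER_TOO_SMALL path, a failed `BN_CTX_get`, and every later `goto err` in the encoding code hand the caller a length that looks like success while the buffer was not (fully) written. Callers that treat a zero return as the only failure signal (the ec_print.c helpers appear to be such callers) would then consume unwritten output. Keep the success and failure exits separate, as below, or assign `ret = 0` before each jump to `err`. The function starts in the -192 hunk on the previous line.
```c
	/* … unchanged: form check, infinity case, ret := required length … */

	BN_CTX_start(ctx);

	/* if 'buf' is NULL, just return required length */
	if (buf != NULL) {
		/* … unchanged: length check, BN_CTX_get, encoding of x (and y) … */
	}

	BN_CTX_end(ctx);
	return ret;

 err:
	BN_CTX_end(ctx);
	return 0;
}
```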
@@ -1,4 +1,4 @@ -/* $OpenBSD: ecp_smpl.c,v 1.34 2022/01/20 11:02:44 inoguchi Exp $ */ +/* $OpenBSD: ecp_smpl.c,v 1.44 2023/04/11 18:58:20 jsing Exp $ */ /* Includes code written by Lenka Fibikova * for the OpenSSL project. * Includes code written by Bodo Moeller for the OpenSSL project. 
@@ -64,74 +64,25 @@ #include -#include "bn_lcl.h" -#include "ec_lcl.h" +#include "bn_local.h" +#include "ec_local.h" -const EC_METHOD * -EC_GFp_simple_method(void) -{ - static const EC_METHOD ret = { - .flags = EC_FLAGS_DEFAULT_OCT, - .field_type = NID_X9_62_prime_field, - .group_init = ec_GFp_simple_group_init, - .group_finish = ec_GFp_simple_group_finish, - .group_clear_finish = ec_GFp_simple_group_clear_finish, - .group_copy = ec_GFp_simple_group_copy, - .group_set_curve = ec_GFp_simple_group_set_curve, - .group_get_curve = ec_GFp_simple_group_get_curve, - .group_get_degree = ec_GFp_simple_group_get_degree, - .group_order_bits = ec_group_simple_order_bits, - .group_check_discriminant = - ec_GFp_simple_group_check_discriminant, - .point_init = ec_GFp_simple_point_init, - .point_finish = ec_GFp_simple_point_finish, - .point_clear_finish = ec_GFp_simple_point_clear_finish, - .point_copy = ec_GFp_simple_point_copy, - .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity, - .point_set_Jprojective_coordinates = - ec_GFp_simple_set_Jprojective_coordinates, - .point_get_Jprojective_coordinates = - ec_GFp_simple_get_Jprojective_coordinates, - .point_set_affine_coordinates = - ec_GFp_simple_point_set_affine_coordinates, - .point_get_affine_coordinates = - ec_GFp_simple_point_get_affine_coordinates, - .add = ec_GFp_simple_add, - .dbl = ec_GFp_simple_dbl, - .invert = ec_GFp_simple_invert, - .is_at_infinity = ec_GFp_simple_is_at_infinity, - .is_on_curve = ec_GFp_simple_is_on_curve, - .point_cmp = ec_GFp_simple_cmp, - .make_affine = ec_GFp_simple_make_affine, - .points_make_affine = ec_GFp_simple_points_make_affine, - .mul_generator_ct = ec_GFp_simple_mul_generator_ct, - .mul_single_ct = ec_GFp_simple_mul_single_ct, - .mul_double_nonct = ec_GFp_simple_mul_double_nonct, - .field_mul = ec_GFp_simple_field_mul, - .field_sqr = ec_GFp_simple_field_sqr, - .blind_coordinates = ec_GFp_simple_blind_coordinates, - }; - - return &ret; -} - - -/* Most method functions in this file 
are designed to work with +/* + * Most method functions in this file are designed to work with * non-trivial representations of field elements if necessary * (see ecp_mont.c): while standard modular addition and subtraction * are used, the field_mul and field_sqr methods will be used for * multiplication, and field_encode and field_decode (if defined) * will be used for converting between representations. - + * * Functions ec_GFp_simple_points_make_affine() and * ec_GFp_simple_point_get_affine_coordinates() specifically assume * that if a non-trivial representation is used, it is a Montgomery * representation (i.e. 'encoding' means multiplying by some factor R). */ - int -ec_GFp_simple_group_init(EC_GROUP * group) +ec_GFp_simple_group_init(EC_GROUP *group) { BN_init(&group->field); BN_init(&group->a); @@ -140,33 +91,22 @@ ec_GFp_simple_group_init(EC_GROUP * group) return 1; } - void -ec_GFp_simple_group_finish(EC_GROUP * group) +ec_GFp_simple_group_finish(EC_GROUP *group) { BN_free(&group->field); BN_free(&group->a); BN_free(&group->b); } - -void -ec_GFp_simple_group_clear_finish(EC_GROUP * group) -{ - BN_clear_free(&group->field); - BN_clear_free(&group->a); - BN_clear_free(&group->b); -} - - int -ec_GFp_simple_group_copy(EC_GROUP * dest, const EC_GROUP * src) +ec_GFp_simple_group_copy(EC_GROUP *dest, const EC_GROUP *src) { - if (!BN_copy(&dest->field, &src->field)) + if (!bn_copy(&dest->field, &src->field)) return 0; - if (!BN_copy(&dest->a, &src->a)) + if (!bn_copy(&dest->a, &src->a)) return 0; - if (!BN_copy(&dest->b, &src->b)) + if (!bn_copy(&dest->b, &src->b)) return 0; dest->a_is_minus3 = src->a_is_minus3; 
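Review bot: Dropping ec_GFp_simple_group_clear_finish() here (and ec_GFp_simple_point_clear_finish() in `@@ -370`, plus `BN_clear_free` → `BN_free` on the heap entries in `@@ -1386`) means the curve parameters and point coordinates are now released with `BN_free()` only. That is equivalent only if `BN_free()` zeroes the limbs before freeing — I believe LibreSSL's does, but the new method table in `@@ -1723` no longer offers any `*_clear_finish` hook, so the assumption should be written down next to ec_GFp_simple_group_finish(), e.g. `/* BN_free() clears before freeing, so no separate clear_finish is needed. */`. The `.group_clear_finish`/`.point_clear_finish` members are also absent from the new table, which presumably tracks an EC_METHOD change not shown in this diff.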
@@ -174,31 +114,26 @@ ec_GFp_simple_group_copy(EC_GROUP * dest, const EC_GROUP * src) return 1; } - int -ec_GFp_simple_group_set_curve(EC_GROUP * group, - const BIGNUM * p, const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx) +ec_GFp_simple_group_set_curve(EC_GROUP *group, + const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { - int ret = 0; - BN_CTX *new_ctx = NULL; BIGNUM *tmp_a; + int ret = 0; /* p must be a prime > 3 */ if (BN_num_bits(p) <= 2 || !BN_is_odd(p)) { ECerror(EC_R_INVALID_FIELD); return 0; } - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } + BN_CTX_start(ctx); + if ((tmp_a = BN_CTX_get(ctx)) == NULL) goto err; /* group->field */ - if (!BN_copy(&group->field, p)) + if (!bn_copy(&group->field, p)) goto err; BN_set_negative(&group->field, 0); @@ -208,7 +143,7 @@ ec_GFp_simple_group_set_curve(EC_GROUP * group, if (group->meth->field_encode) { if (!group->meth->field_encode(group, &group->a, tmp_a, ctx)) goto err; - } else if (!BN_copy(&group->a, tmp_a)) + } else if (!bn_copy(&group->a, tmp_a)) goto err; /* group->b */ 
@@ -227,78 +162,55 @@ ec_GFp_simple_group_set_curve(EC_GROUP * group, err: BN_CTX_end(ctx); - BN_CTX_free(new_ctx); + return ret; } - int -ec_GFp_simple_group_get_curve(const EC_GROUP * group, BIGNUM * p, BIGNUM * a, BIGNUM * b, BN_CTX * ctx) +ec_GFp_simple_group_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx) { - int ret = 0; - BN_CTX *new_ctx = NULL; - if (p != NULL) { - if (!BN_copy(p, &group->field)) + if (!bn_copy(p, &group->field)) return 0; } - if (a != NULL || b != NULL) { - if (group->meth->field_decode) { - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } - if (a != NULL) { - if (!group->meth->field_decode(group, a, &group->a, ctx)) - goto err; - } - if (b != NULL) { - if (!group->meth->field_decode(group, b, &group->b, ctx)) - goto err; - } - } else { - if (a != NULL) { - if (!BN_copy(a, &group->a)) - goto err; - } - if (b != NULL) { - if (!BN_copy(b, &group->b)) - goto err; - } + if (group->meth->field_decode != NULL) { + if (a != NULL) { + if (!group->meth->field_decode(group, a, &group->a, ctx)) + return 0; + } + if (b != NULL) { + if (!group->meth->field_decode(group, b, &group->b, ctx)) + return 0; + } + } else { + if (a != NULL) { + if (!bn_copy(a, &group->a)) + return 0; + } + if (b != NULL) { + if (!bn_copy(b, &group->b)) + return 0; } } - ret = 1; - err: - BN_CTX_free(new_ctx); - return ret; + return 1; } - int -ec_GFp_simple_group_get_degree(const EC_GROUP * group) +ec_GFp_simple_group_get_degree(const EC_GROUP *group) { return BN_num_bits(&group->field); } - int -ec_GFp_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx) +ec_GFp_simple_group_check_discriminant(const EC_GROUP *group, BN_CTX *ctx) { - int ret = 0; BIGNUM *a, *b, *order, *tmp_1, *tmp_2; const BIGNUM *p = &group->field; - BN_CTX *new_ctx = NULL; + int ret = 0; - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) { - ECerror(ERR_R_MALLOC_FAILURE); - goto err; - } - } 
BN_CTX_start(ctx); + if ((a = BN_CTX_get(ctx)) == NULL) goto err; if ((b = BN_CTX_get(ctx)) == NULL) @@ -316,9 +228,9 @@ ec_GFp_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx) if (!group->meth->field_decode(group, b, &group->b, ctx)) goto err; } else { - if (!BN_copy(a, &group->a)) + if (!bn_copy(a, &group->a)) goto err; - if (!BN_copy(b, &group->b)) + if (!bn_copy(b, &group->b)) goto err; } @@ -352,13 +264,11 @@ ec_GFp_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx) ret = 1; err: - if (ctx != NULL) - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); + BN_CTX_end(ctx); + return ret; } - int ec_GFp_simple_point_init(EC_POINT * point) { 
@@ -370,67 +280,48 @@ ec_GFp_simple_point_init(EC_POINT * point) return 1; } - void -ec_GFp_simple_point_finish(EC_POINT * point) +ec_GFp_simple_point_finish(EC_POINT *point) { BN_free(&point->X); BN_free(&point->Y); BN_free(&point->Z); -} - - -void -ec_GFp_simple_point_clear_finish(EC_POINT * point) -{ - BN_clear_free(&point->X); - BN_clear_free(&point->Y); - BN_clear_free(&point->Z); point->Z_is_one = 0; } - int -ec_GFp_simple_point_copy(EC_POINT * dest, const EC_POINT * src) +ec_GFp_simple_point_copy(EC_POINT *dest, const EC_POINT *src) { - if (!BN_copy(&dest->X, &src->X)) + if (!bn_copy(&dest->X, &src->X)) return 0; - if (!BN_copy(&dest->Y, &src->Y)) + if (!bn_copy(&dest->Y, &src->Y)) return 0; - if (!BN_copy(&dest->Z, &src->Z)) + if (!bn_copy(&dest->Z, &src->Z)) return 0; dest->Z_is_one = src->Z_is_one; return 1; } - int -ec_GFp_simple_point_set_to_infinity(const EC_GROUP * group, EC_POINT * point) +ec_GFp_simple_point_set_to_infinity(const EC_GROUP *group, EC_POINT *point) { point->Z_is_one = 0; BN_zero(&point->Z); return 1; } - int ec_GFp_simple_set_Jprojective_coordinates(const EC_GROUP *group, EC_POINT *point, const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx) { - BN_CTX *new_ctx = NULL; int ret = 0; - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } if (x != NULL) { if (!BN_nnmod(&point->X, x, &group->field, ctx)) goto err; - if (group->meth->field_encode) { + if (group->meth->field_encode != NULL) { if (!group->meth->field_encode(group, &point->X, &point->X, ctx)) goto err; } @@ -438,7 +329,7 @@ ec_GFp_simple_set_Jprojective_coordinates(const EC_GROUP *group, if (y != NULL) { if (!BN_nnmod(&point->Y, y, &group->field, ctx)) goto err; - if (group->meth->field_encode) { + if (group->meth->field_encode != NULL) { if (!group->meth->field_encode(group, &point->Y, &point->Y, ctx)) goto err; } 
@@ -449,7 +340,7 @@ ec_GFp_simple_set_Jprojective_coordinates(const EC_GROUP *group, if (!BN_nnmod(&point->Z, z, &group->field, ctx)) goto err; Z_is_one = BN_is_one(&point->Z); - if (group->meth->field_encode) { + if (group->meth->field_encode != NULL) { if (Z_is_one && (group->meth->field_set_to_one != 0)) { if (!group->meth->field_set_to_one(group, &point->Z, ctx)) goto err; @@ -463,7 +354,6 @@ ec_GFp_simple_set_Jprojective_coordinates(const EC_GROUP *group, ret = 1; err: - BN_CTX_free(new_ctx); return ret; } @@ -471,15 +361,9 @@ int ec_GFp_simple_get_Jprojective_coordinates(const EC_GROUP *group, const EC_POINT *point, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx) { - BN_CTX *new_ctx = NULL; int ret = 0; - if (group->meth->field_decode != 0) { - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } + if (group->meth->field_decode != NULL) { if (x != NULL) { if (!group->meth->field_decode(group, x, &point->X, ctx)) goto err; @@ -494,15 +378,15 @@ ec_GFp_simple_get_Jprojective_coordinates(const EC_GROUP *group, } } else { if (x != NULL) { - if (!BN_copy(x, &point->X)) + if (!bn_copy(x, &point->X)) goto err; } if (y != NULL) { - if (!BN_copy(y, &point->Y)) + if (!bn_copy(y, &point->Y)) goto err; } if (z != NULL) { - if (!BN_copy(z, &point->Z)) + if (!bn_copy(z, &point->Z)) goto err; } } @@ -510,13 +394,12 @@ ec_GFp_simple_get_Jprojective_coordinates(const EC_GROUP *group, ret = 1; err: - BN_CTX_free(new_ctx); return ret; } int -ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP * group, EC_POINT * point, - const BIGNUM * x, const BIGNUM * y, BN_CTX * ctx) +ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP *group, EC_POINT *point, + const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx) { if (x == NULL || y == NULL) { /* unlike for projective coordinates, we do not tolerate this */ 
@@ -528,10 +411,9 @@ ec_GFp_simple_point_set_affine_coordinates(const EC_GROUP * group, EC_POINT * po } int -ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POINT * point, - BIGNUM * x, BIGNUM * y, BN_CTX * ctx) +ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *point, + BIGNUM *x, BIGNUM *y, BN_CTX *ctx) { - BN_CTX *new_ctx = NULL; BIGNUM *Z, *Z_1, *Z_2, *Z_3; const BIGNUM *Z_; int ret = 0; @@ -540,12 +422,9 @@ ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POIN ECerror(EC_R_POINT_AT_INFINITY); return 0; } - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } + BN_CTX_start(ctx); + if ((Z = BN_CTX_get(ctx)) == NULL) goto err; if ((Z_1 = BN_CTX_get(ctx)) == NULL) @@ -577,11 +456,11 @@ ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POIN } } else { if (x != NULL) { - if (!BN_copy(x, &point->X)) + if (!bn_copy(x, &point->X)) goto err; } if (y != NULL) { - if (!BN_copy(y, &point->Y)) + if (!bn_copy(y, &point->Y)) goto err; } } @@ -630,18 +509,17 @@ ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POIN err: BN_CTX_end(ctx); - BN_CTX_free(new_ctx); + return ret; } int -ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, const EC_POINT * b, BN_CTX * ctx) +ec_GFp_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) { int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); - const BIGNUM *p; - BN_CTX *new_ctx = NULL; BIGNUM *n0, *n1, *n2, *n3, *n4, *n5, *n6; + const BIGNUM *p; int ret = 0; if (a == b) 
@@ -655,12 +533,8 @@ ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, cons field_sqr = group->meth->field_sqr; p = &group->field; - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } BN_CTX_start(ctx); + if ((n0 = BN_CTX_get(ctx)) == NULL) goto end; if ((n1 = BN_CTX_get(ctx)) == NULL) @@ -684,9 +558,9 @@ ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, cons /* n1, n2 */ if (b->Z_is_one) { - if (!BN_copy(n1, &a->X)) + if (!bn_copy(n1, &a->X)) goto end; - if (!BN_copy(n2, &a->Y)) + if (!bn_copy(n2, &a->Y)) goto end; /* n1 = X_a */ /* n2 = Y_a */ @@ -706,9 +580,9 @@ ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, cons /* n3, n4 */ if (a->Z_is_one) { - if (!BN_copy(n3, &b->X)) + if (!bn_copy(n3, &b->X)) goto end; - if (!BN_copy(n4, &b->Y)) + if (!bn_copy(n4, &b->Y)) goto end; /* n3 = X_b */ /* n4 = Y_b */ @@ -759,14 +633,14 @@ ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, cons /* Z_r */ if (a->Z_is_one && b->Z_is_one) { - if (!BN_copy(&r->Z, n5)) + if (!bn_copy(&r->Z, n5)) goto end; } else { if (a->Z_is_one) { - if (!BN_copy(n0, &b->Z)) + if (!bn_copy(n0, &b->Z)) goto end; } else if (b->Z_is_one) { - if (!BN_copy(n0, &a->Z)) + if (!bn_copy(n0, &a->Z)) goto end; } else { if (!field_mul(group, n0, &a->Z, &b->Z, ctx)) 
@@ -816,20 +690,17 @@ ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, cons ret = 1; end: - if (ctx) /* otherwise we already called BN_CTX_end */ - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); + BN_CTX_end(ctx); + return ret; } - int -ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_CTX * ctx) +ec_GFp_simple_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx) { int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); const BIGNUM *p; - BN_CTX *new_ctx = NULL; BIGNUM *n0, *n1, *n2, *n3; int ret = 0; @@ -842,12 +713,8 @@ ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_C field_sqr = group->meth->field_sqr; p = &group->field; - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } BN_CTX_start(ctx); + if ((n0 = BN_CTX_get(ctx)) == NULL) goto err; if ((n1 = BN_CTX_get(ctx)) == NULL) @@ -911,7 +778,7 @@ ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_C /* Z_r */ if (a->Z_is_one) { - if (!BN_copy(n0, &a->Y)) + if (!bn_copy(n0, &a->Y)) goto err; } else { if (!field_mul(group, n0, &a->Y, &a->Z, ctx)) @@ -960,13 +827,12 @@ ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_C err: BN_CTX_end(ctx); - BN_CTX_free(new_ctx); + return ret; } - int -ec_GFp_simple_invert(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx) +ec_GFp_simple_invert(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) { if (EC_POINT_is_at_infinity(group, point) > 0 || BN_is_zero(&point->Y)) /* point is its own inverse */ 
@@ -975,21 +841,18 @@ ec_GFp_simple_invert(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx) return BN_usub(&point->Y, &group->field, &point->Y); } - int -ec_GFp_simple_is_at_infinity(const EC_GROUP * group, const EC_POINT * point) +ec_GFp_simple_is_at_infinity(const EC_GROUP *group, const EC_POINT *point) { return BN_is_zero(&point->Z); } - int -ec_GFp_simple_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX * ctx) +ec_GFp_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx) { int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); const BIGNUM *p; - BN_CTX *new_ctx = NULL; BIGNUM *rh, *tmp, *Z4, *Z6; int ret = -1; @@ -1000,12 +863,8 @@ ec_GFp_simple_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX field_sqr = group->meth->field_sqr; p = &group->field; - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return -1; - } BN_CTX_start(ctx); + if ((rh = BN_CTX_get(ctx)) == NULL) goto err; if ((tmp = BN_CTX_get(ctx)) == NULL) @@ -1081,13 +940,12 @@ ec_GFp_simple_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX err: BN_CTX_end(ctx); - BN_CTX_free(new_ctx); + return ret; } - int -ec_GFp_simple_cmp(const EC_GROUP * group, const EC_POINT * a, const EC_POINT * b, BN_CTX * ctx) +ec_GFp_simple_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx) { /* * return values: -1 error 0 equal (in affine coordinates) 1 
@@ -1096,29 +954,24 @@ ec_GFp_simple_cmp(const EC_GROUP * group, const EC_POINT * a, const EC_POINT * b int (*field_mul) (const EC_GROUP *, BIGNUM *, const BIGNUM *, const BIGNUM *, BN_CTX *); int (*field_sqr) (const EC_GROUP *, BIGNUM *, const BIGNUM *, BN_CTX *); - BN_CTX *new_ctx = NULL; BIGNUM *tmp1, *tmp2, *Za23, *Zb23; const BIGNUM *tmp1_, *tmp2_; int ret = -1; - if (EC_POINT_is_at_infinity(group, a) > 0) { + if (EC_POINT_is_at_infinity(group, a) > 0) return EC_POINT_is_at_infinity(group, b) > 0 ? 0 : 1; - } + if (EC_POINT_is_at_infinity(group, b) > 0) return 1; - if (a->Z_is_one && b->Z_is_one) { + if (a->Z_is_one && b->Z_is_one) return ((BN_cmp(&a->X, &b->X) == 0) && BN_cmp(&a->Y, &b->Y) == 0) ? 0 : 1; - } + field_mul = group->meth->field_mul; field_sqr = group->meth->field_sqr; - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return -1; - } BN_CTX_start(ctx); + if ((tmp1 = BN_CTX_get(ctx)) == NULL) goto end; if ((tmp2 = BN_CTX_get(ctx)) == NULL) @@ -1183,27 +1036,21 @@ ec_GFp_simple_cmp(const EC_GROUP * group, const EC_POINT * a, const EC_POINT * b end: BN_CTX_end(ctx); - BN_CTX_free(new_ctx); + return ret; } - int -ec_GFp_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx) +ec_GFp_simple_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx) { - BN_CTX *new_ctx = NULL; BIGNUM *x, *y; int ret = 0; if (point->Z_is_one || EC_POINT_is_at_infinity(group, point) > 0) return 1; - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } BN_CTX_start(ctx); + if ((x = BN_CTX_get(ctx)) == NULL) goto err; if ((y = BN_CTX_get(ctx)) == NULL) 
@@ -1221,15 +1068,13 @@ ec_GFp_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx err: BN_CTX_end(ctx); - BN_CTX_free(new_ctx); + return ret; } - int -ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT * points[], BN_CTX * ctx) +ec_GFp_simple_points_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx) { - BN_CTX *new_ctx = NULL; BIGNUM *tmp0, *tmp1; size_t pow2 = 0; BIGNUM **heap = NULL; @@ -1239,12 +1084,8 @@ ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT * if (num == 0) return 1; - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) - return 0; - } BN_CTX_start(ctx); + if ((tmp0 = BN_CTX_get(ctx)) == NULL) goto err; if ((tmp1 = BN_CTX_get(ctx)) == NULL) @@ -1299,11 +1140,11 @@ ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT * if (heap[2 * i] != NULL) { if ((heap[2 * i + 1] == NULL) || BN_is_zero(heap[2 * i + 1])) { - if (!BN_copy(heap[i], heap[2 * i])) + if (!bn_copy(heap[i], heap[2 * i])) goto err; } else { if (BN_is_zero(heap[2 * i])) { - if (!BN_copy(heap[i], heap[2 * i + 1])) + if (!bn_copy(heap[i], heap[2 * i + 1])) goto err; } else { if (!group->meth->field_mul(group, heap[i], @@ -1341,12 +1182,12 @@ ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT * goto err; if (!group->meth->field_mul(group, tmp1, heap[i / 2], heap[i], ctx)) goto err; - if (!BN_copy(heap[i], tmp0)) + if (!bn_copy(heap[i], tmp0)) goto err; - if (!BN_copy(heap[i + 1], tmp1)) + if (!bn_copy(heap[i + 1], tmp1)) goto err; } else { - if (!BN_copy(heap[i], heap[i / 2])) + if (!bn_copy(heap[i], heap[i / 2])) goto err; } } 
@@ -1386,29 +1227,28 @@ ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT * err: BN_CTX_end(ctx); - BN_CTX_free(new_ctx); + if (heap != NULL) { /* * heap[pow2/2] .. heap[pow2-1] have not been allocated * locally! */ for (i = pow2 / 2 - 1; i > 0; i--) { - BN_clear_free(heap[i]); + BN_free(heap[i]); } free(heap); } return ret; } - int -ec_GFp_simple_field_mul(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, const BIGNUM * b, BN_CTX * ctx) +ec_GFp_simple_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx) { return BN_mod_mul(r, a, b, &group->field, ctx); } int -ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN_CTX * ctx) +ec_GFp_simple_field_sqr(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, BN_CTX *ctx) { return BN_mod_sqr(r, a, &group->field, ctx); } @@ -1416,7 +1256,7 @@ ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN /* * Apply randomization of EC point projective coordinates: * - * (X, Y, Z) = (lambda^2 * X, lambda^3 * Y, lambda * Z) + * (X, Y, Z) = (lambda^2 * X, lambda^3 * Y, lambda * Z) * * where lambda is in the interval [1, group->field). */ @@ -1471,16 +1311,15 @@ ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx) return ret; } - #define EC_POINT_BN_set_flags(P, flags) do { \ - BN_set_flags(&(P)->X, (flags)); \ - BN_set_flags(&(P)->Y, (flags)); \ - BN_set_flags(&(P)->Z, (flags)); \ + BN_set_flags(&(P)->X, (flags)); \ + BN_set_flags(&(P)->Y, (flags)); \ + BN_set_flags(&(P)->Z, (flags)); \ } while(0) -#define EC_POINT_CSWAP(c, a, b, w, t) do { \ +#define EC_POINT_CSWAP(c, a, b, w, t) do { \ if (!BN_swap_ct(c, &(a)->X, &(b)->X, w) || \ - !BN_swap_ct(c, &(a)->Y, &(b)->Y, w) || \ + !BN_swap_ct(c, &(a)->Y, &(b)->Y, w) || \ !BN_swap_ct(c, &(a)->Z, &(b)->Z, w)) \ goto err; \ t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \ 
@@ -1518,12 +1357,8 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, BIGNUM *k = NULL; BIGNUM *lambda = NULL; BIGNUM *cardinality = NULL; - BN_CTX *new_ctx = NULL; int ret = 0; - if (ctx == NULL && (ctx = new_ctx = BN_CTX_new()) == NULL) - return 0; - BN_CTX_start(ctx); if ((s = EC_POINT_new(group)) == NULL) @@ -1556,11 +1391,11 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, */ cardinality_bits = BN_num_bits(cardinality); group_top = cardinality->top; - if ((bn_wexpand(k, group_top + 2) == NULL) || - (bn_wexpand(lambda, group_top + 2) == NULL)) + if (!bn_wexpand(k, group_top + 2) || + !bn_wexpand(lambda, group_top + 2)) goto err; - if (!BN_copy(k, scalar)) + if (!bn_copy(k, scalar)) goto err; BN_set_flags(k, BN_FLG_CONSTTIME); @@ -1588,12 +1423,12 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, goto err; group_top = group->field.top; - if ((bn_wexpand(&s->X, group_top) == NULL) || - (bn_wexpand(&s->Y, group_top) == NULL) || - (bn_wexpand(&s->Z, group_top) == NULL) || - (bn_wexpand(&r->X, group_top) == NULL) || - (bn_wexpand(&r->Y, group_top) == NULL) || - (bn_wexpand(&r->Z, group_top) == NULL)) + if (!bn_wexpand(&s->X, group_top) || + !bn_wexpand(&s->Y, group_top) || + !bn_wexpand(&s->Z, group_top) || + !bn_wexpand(&r->X, group_top) || + !bn_wexpand(&r->Y, group_top) || + !bn_wexpand(&r->Z, group_top)) goto err; /* @@ -1692,9 +1527,7 @@ ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, err: EC_POINT_free(s); - if (ctx != NULL) - BN_CTX_end(ctx); - BN_CTX_free(new_ctx); + BN_CTX_end(ctx); return ret; } 
@@ -1723,3 +1556,51 @@ ec_GFp_simple_mul_double_nonct(const EC_GROUP *group, EC_POINT *r, { return ec_wNAF_mul(group, r, g_scalar, 1, &point, &p_scalar, ctx); } + +static const EC_METHOD ec_GFp_simple_method = { + .field_type = NID_X9_62_prime_field, + .group_init = ec_GFp_simple_group_init, + .group_finish = ec_GFp_simple_group_finish, + .group_copy = ec_GFp_simple_group_copy, + .group_set_curve = ec_GFp_simple_group_set_curve, + .group_get_curve = ec_GFp_simple_group_get_curve, + .group_get_degree = ec_GFp_simple_group_get_degree, + .group_order_bits = ec_group_simple_order_bits, + .group_check_discriminant = ec_GFp_simple_group_check_discriminant, + .point_init = ec_GFp_simple_point_init, + .point_finish = ec_GFp_simple_point_finish, + .point_copy = ec_GFp_simple_point_copy, + .point_set_to_infinity = ec_GFp_simple_point_set_to_infinity, + .point_set_Jprojective_coordinates = + ec_GFp_simple_set_Jprojective_coordinates, + .point_get_Jprojective_coordinates = + ec_GFp_simple_get_Jprojective_coordinates, + .point_set_affine_coordinates = + ec_GFp_simple_point_set_affine_coordinates, + .point_get_affine_coordinates = + ec_GFp_simple_point_get_affine_coordinates, + .point_set_compressed_coordinates = + ec_GFp_simple_set_compressed_coordinates, + .point2oct = ec_GFp_simple_point2oct, + .oct2point = ec_GFp_simple_oct2point, + .add = ec_GFp_simple_add, + .dbl = ec_GFp_simple_dbl, + .invert = ec_GFp_simple_invert, + .is_at_infinity = ec_GFp_simple_is_at_infinity, + .is_on_curve = ec_GFp_simple_is_on_curve, + .point_cmp = ec_GFp_simple_cmp, + .make_affine = ec_GFp_simple_make_affine, + .points_make_affine = ec_GFp_simple_points_make_affine, + .mul_generator_ct = ec_GFp_simple_mul_generator_ct, + .mul_single_ct = ec_GFp_simple_mul_single_ct, + .mul_double_nonct = ec_GFp_simple_mul_double_nonct, + .field_mul = ec_GFp_simple_field_mul, + .field_sqr = ec_GFp_simple_field_sqr, + .blind_coordinates = ec_GFp_simple_blind_coordinates, +}; + +const EC_METHOD * 
+EC_GFp_simple_method(void) +{ + return &ec_GFp_simple_method; +} diff --git a/crypto/ec/ecx_methods.c b/crypto/ec/ecx_methods.c new file mode 100644 index 0000000..8510d1a --- /dev/null +++ b/crypto/ec/ecx_methods.c 
@@ -0,0 +1,864 @@ +/* $OpenBSD: ecx_methods.c,v 1.5 2023/03/15 06:34:07 tb Exp $ */ +/* + * Copyright (c) 2022 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include +#include +#include +#include +#include + +#include "asn1_local.h" +#include "bytestring.h" +#include "curve25519_internal.h" +#include "evp_local.h" + +/* + * EVP PKEY and PKEY ASN.1 methods Ed25519 and X25519. + * + * RFC 7748 - Elliptic Curves for Security. + * RFC 8032 - Edwards-Curve Digital Signature Algorithm (EdDSA). 
+ */ + +#define ED25519_BITS 253 +#define ED25519_SECURITY_BITS 128 +#define ED25519_SIG_SIZE 64 + +#define X25519_BITS 253 +#define X25519_SECURITY_BITS 128 + +static int +ecx_key_len(int nid) +{ + switch (nid) { + case NID_ED25519: + return ED25519_KEYLEN; + case NID_X25519: + return X25519_KEYLEN; + } + + return 0; +} + +static struct ecx_key_st * +ecx_key_new(int nid) +{ + struct ecx_key_st *ecx_key; + int key_len; + + if ((key_len = ecx_key_len(nid)) == 0) + return NULL; + + if ((ecx_key = calloc(1, sizeof(*ecx_key))) == NULL) + return NULL; + + ecx_key->nid = nid; + ecx_key->key_len = key_len; + + return ecx_key; +} + +static void +ecx_key_clear(struct ecx_key_st *ecx_key) +{ + freezero(ecx_key->priv_key, ecx_key->priv_key_len); + ecx_key->priv_key = NULL; + ecx_key->priv_key_len = 0; + + freezero(ecx_key->pub_key, ecx_key->pub_key_len); + ecx_key->pub_key = NULL; + ecx_key->pub_key_len = 0; +} + +static void +ecx_key_free(struct ecx_key_st *ecx_key) +{ + if (ecx_key == NULL) + return; + + ecx_key_clear(ecx_key); + + freezero(ecx_key, sizeof(*ecx_key)); +} + +static int +ecx_key_generate(struct ecx_key_st *ecx_key) +{ + uint8_t *pub_key = NULL, *priv_key = NULL; + int ret = 0; + + ecx_key_clear(ecx_key); + + if ((pub_key = calloc(1, ecx_key->key_len)) == NULL) + goto err; + if ((priv_key = calloc(1, ecx_key->key_len)) == NULL) + goto err; + + switch (ecx_key->nid) { + case NID_ED25519: + ED25519_keypair(pub_key, priv_key); + break; + case NID_X25519: + X25519_keypair(pub_key, priv_key); + break; + default: + goto err; + } + + ecx_key->priv_key = priv_key; + ecx_key->priv_key_len = ecx_key->key_len; + priv_key = NULL; + + ecx_key->pub_key = pub_key; + ecx_key->pub_key_len = ecx_key->key_len; + pub_key = NULL; + + ret = 1; + + err: + freezero(pub_key, ecx_key->key_len); + freezero(priv_key, ecx_key->key_len); + + return ret; +} + +static int +ecx_key_set_priv(struct ecx_key_st *ecx_key, const uint8_t *priv_key, + size_t priv_key_len) +{ + uint8_t *pub_key = 
NULL; + CBS cbs; + + ecx_key_clear(ecx_key); + + if (priv_key_len != ecx_key->key_len) + goto err; + + if ((pub_key = calloc(1, ecx_key->key_len)) == NULL) + goto err; + + switch (ecx_key->nid) { + case NID_ED25519: + ED25519_public_from_private(pub_key, priv_key); + break; + case NID_X25519: + X25519_public_from_private(pub_key, priv_key); + break; + default: + goto err; + } + + CBS_init(&cbs, priv_key, priv_key_len); + if (!CBS_stow(&cbs, &ecx_key->priv_key, &ecx_key->priv_key_len)) + goto err; + + ecx_key->pub_key = pub_key; + ecx_key->pub_key_len = ecx_key->key_len; + pub_key = NULL; + + err: + freezero(pub_key, ecx_key->key_len); + + return 1; +} + +static int +ecx_key_set_pub(struct ecx_key_st *ecx_key, const uint8_t *pub_key, + size_t pub_key_len) +{ + CBS cbs; + + ecx_key_clear(ecx_key); + + if (pub_key_len != ecx_key->key_len) + return 0; + + CBS_init(&cbs, pub_key, pub_key_len); + if (!CBS_stow(&cbs, &ecx_key->pub_key, &ecx_key->pub_key_len)) + return 0; + + return 1; +} + +static int +ecx_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *xpubkey) +{ + struct ecx_key_st *ecx_key = NULL; + X509_ALGOR *algor; + int algor_type; + const uint8_t *param; + int param_len; + int ret = 0; + + if (!X509_PUBKEY_get0_param(NULL, ¶m, ¶m_len, &algor, xpubkey)) + goto err; + + /* Ensure that parameters have not been specified in the encoding. 
*/ + if (algor != NULL) { + X509_ALGOR_get0(NULL, &algor_type, NULL, algor); + if (algor_type != V_ASN1_UNDEF) { + ECerror(EC_R_INVALID_ENCODING); + goto err; + } + } + + if (param == NULL || param_len != ecx_key_len(pkey->ameth->pkey_id)) { + ECerror(EC_R_INVALID_ENCODING); + goto err; + } + + if ((ecx_key = ecx_key_new(pkey->ameth->pkey_id)) == NULL) + goto err; + if (!ecx_key_set_pub(ecx_key, param, param_len)) + goto err; + if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, ecx_key)) + goto err; + ecx_key = NULL; + + ret = 1; + + err: + ecx_key_free(ecx_key); + + return ret; +} + +static int +ecx_pub_encode(X509_PUBKEY *xpubkey, const EVP_PKEY *pkey) +{ + const struct ecx_key_st *ecx_key = pkey->pkey.ecx; + uint8_t *pub_key = NULL; + size_t pub_key_len = 0; + ASN1_OBJECT *aobj; + CBS cbs; + int ret = 0; + + if (ecx_key == NULL) { + ECerror(EC_R_INVALID_KEY); + goto err; + } + + if (ecx_key->pub_key_len != ecx_key->key_len) + goto err; + + if ((aobj = OBJ_nid2obj(pkey->ameth->pkey_id)) == NULL) + goto err; + + CBS_init(&cbs, ecx_key->pub_key, ecx_key->pub_key_len); + if (!CBS_stow(&cbs, &pub_key, &pub_key_len)) + goto err; + + if (!X509_PUBKEY_set0_param(xpubkey, aobj, V_ASN1_UNDEF, NULL, + pub_key, pub_key_len)) + goto err; + + pub_key = NULL; + pub_key_len = 0; + + ret = 1; + + err: + free(pub_key); + + return ret; +} + +static int +ecx_pub_cmp(const EVP_PKEY *pkey1, const EVP_PKEY *pkey2) +{ + if (pkey1->pkey.ecx == NULL || pkey1->pkey.ecx->pub_key == NULL) + return -2; + if (pkey2->pkey.ecx == NULL || pkey2->pkey.ecx->pub_key == NULL) + return -2; + if (pkey1->pkey.ecx->pub_key_len != pkey2->pkey.ecx->pub_key_len) + return -2; + + return timingsafe_memcmp(pkey1->pkey.ecx->pub_key, pkey2->pkey.ecx->pub_key, + pkey1->pkey.ecx->pub_key_len) == 0; +} + +static int +ecx_pub_print(BIO *bio, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) +{ + struct ecx_key_st *ecx_key = pkey->pkey.ecx; + const char *name; + + if ((name = OBJ_nid2ln(pkey->ameth->pkey_id)) == NULL) 
+ return 0; + + if (ecx_key == NULL || ecx_key->pub_key == NULL) + return BIO_printf(bio, "%*s\n", + indent, "") > 0; + + if (BIO_printf(bio, "%*s%s Public-Key:\n", indent, "", name) <= 0) + return 0; + if (BIO_printf(bio, "%*spub:\n", indent, "") <= 0) + return 0; + if (ASN1_buf_print(bio, ecx_key->pub_key, ecx_key->pub_key_len, + indent + 4) == 0) + return 0; + + return 1; +} + +static int +ecx_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8pki) +{ + struct ecx_key_st *ecx_key = NULL; + ASN1_OCTET_STRING *aos = NULL; + const X509_ALGOR *algor; + int algor_type; + const uint8_t *param; + int param_len; + int ret = 0; + + if (!PKCS8_pkey_get0(NULL, ¶m, ¶m_len, &algor, p8pki)) + goto err; + if ((aos = d2i_ASN1_OCTET_STRING(NULL, ¶m, param_len)) == NULL) + goto err; + + /* Ensure that parameters have not been specified in the encoding. */ + if (algor != NULL) { + X509_ALGOR_get0(NULL, &algor_type, NULL, algor); + if (algor_type != V_ASN1_UNDEF) { + ECerror(EC_R_INVALID_ENCODING); + goto err; + } + } + + if (ASN1_STRING_get0_data(aos) == NULL || + ASN1_STRING_length(aos) != ecx_key_len(pkey->ameth->pkey_id)) { + ECerror(EC_R_INVALID_ENCODING); + goto err; + } + + if ((ecx_key = ecx_key_new(pkey->ameth->pkey_id)) == NULL) + goto err; + if (!ecx_key_set_priv(ecx_key, ASN1_STRING_get0_data(aos), + ASN1_STRING_length(aos))) + goto err; + if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, ecx_key)) + goto err; + ecx_key = NULL; + + ret = 1; + + err: + ASN1_OCTET_STRING_free(aos); + ecx_key_free(ecx_key); + + return ret; +} + +static int +ecx_priv_encode(PKCS8_PRIV_KEY_INFO *p8pki, const EVP_PKEY *pkey) +{ + struct ecx_key_st *ecx_key = pkey->pkey.ecx; + ASN1_OCTET_STRING *aos = NULL; + ASN1_OBJECT *aobj; + uint8_t *der = NULL; + int der_len = 0; + int ret = 0; + + if (ecx_key == NULL || ecx_key->priv_key == NULL) { + ECerror(EC_R_INVALID_PRIVATE_KEY); + goto err; + } + + if ((aobj = OBJ_nid2obj(pkey->ameth->pkey_id)) == NULL) + goto err; + + if ((aos = 
ASN1_OCTET_STRING_new()) == NULL) + goto err; + if (!ASN1_OCTET_STRING_set(aos, ecx_key->priv_key, + ecx_key->priv_key_len)) + goto err; + if ((der_len = i2d_ASN1_OCTET_STRING(aos, &der)) < 0) + goto err; + if (!PKCS8_pkey_set0(p8pki, aobj, 0, V_ASN1_UNDEF, NULL, der, der_len)) + goto err; + + der = NULL; + der_len = 0; + + ret = 1; + + err: + freezero(der, der_len); + ASN1_OCTET_STRING_free(aos); + + return ret; +} + +static int +ecx_priv_print(BIO *bio, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) +{ + struct ecx_key_st *ecx_key = pkey->pkey.ecx; + const char *name; + + if ((name = OBJ_nid2ln(pkey->ameth->pkey_id)) == NULL) + return 0; + + if (ecx_key == NULL || ecx_key->priv_key == NULL) + return BIO_printf(bio, "%*s\n", + indent, "") > 0; + + if (BIO_printf(bio, "%*s%s Private-Key:\n", indent, "", name) <= 0) + return 0; + if (BIO_printf(bio, "%*spriv:\n", indent, "") <= 0) + return 0; + if (ASN1_buf_print(bio, ecx_key->priv_key, ecx_key->priv_key_len, + indent + 4) == 0) + return 0; + if (BIO_printf(bio, "%*spub:\n", indent, "") <= 0) + return 0; + if (ASN1_buf_print(bio, ecx_key->pub_key, ecx_key->pub_key_len, + indent + 4) == 0) + return 0; + + return 1; +} + +static int +ecx_size(const EVP_PKEY *pkey) +{ + return ecx_key_len(pkey->ameth->pkey_id); +} + +static int +ecx_sig_size(const EVP_PKEY *pkey) +{ + switch (pkey->ameth->pkey_id) { + case EVP_PKEY_ED25519: + return ED25519_SIG_SIZE; + } + return 0; +} + +static int +ecx_bits(const EVP_PKEY *pkey) +{ + switch (pkey->ameth->pkey_id) { + case EVP_PKEY_ED25519: + return ED25519_BITS; + case EVP_PKEY_X25519: + return X25519_BITS; + } + return 0; +} + +static int +ecx_security_bits(const EVP_PKEY *pkey) +{ + switch (pkey->ameth->pkey_id) { + case EVP_PKEY_ED25519: + return ED25519_SECURITY_BITS; + case EVP_PKEY_X25519: + return X25519_SECURITY_BITS; + } + return 0; +} + +static int +ecx_param_cmp(const EVP_PKEY *pkey1, const EVP_PKEY *pkey2) +{ + /* No parameters, so always equivalent. 
*/ + return 1; +} + +static void +ecx_free(EVP_PKEY *pkey) +{ + struct ecx_key_st *ecx_key = pkey->pkey.ecx; + + return ecx_key_free(ecx_key); +} + +static int +ecx_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) +{ + /* Not supported. */ + return -2; +} + +static int +ecx_sign_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) +{ + switch (op) { + case ASN1_PKEY_CTRL_DEFAULT_MD_NID: + /* PureEdDSA does its own hashing. */ + *(int *)arg2 = NID_undef; + return 2; + } + return -2; +} + +static int +ecx_set_priv_key(EVP_PKEY *pkey, const uint8_t *priv, size_t len) +{ + struct ecx_key_st *ecx_key = NULL; + int ret = 0; + + if (priv == NULL || len != ecx_key_len(pkey->ameth->pkey_id)) { + ECerror(EC_R_INVALID_ENCODING); + goto err; + } + + if ((ecx_key = ecx_key_new(pkey->ameth->pkey_id)) == NULL) + goto err; + if (!ecx_key_set_priv(ecx_key, priv, len)) + goto err; + if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, ecx_key)) + goto err; + ecx_key = NULL; + + ret = 1; + + err: + ecx_key_free(ecx_key); + + return ret; +} + +static int +ecx_set_pub_key(EVP_PKEY *pkey, const uint8_t *pub, size_t len) +{ + struct ecx_key_st *ecx_key = NULL; + int ret = 0; + + if (pub == NULL || len != ecx_key_len(pkey->ameth->pkey_id)) { + ECerror(EC_R_INVALID_ENCODING); + goto err; + } + + if ((ecx_key = ecx_key_new(pkey->ameth->pkey_id)) == NULL) + goto err; + if (!ecx_key_set_pub(ecx_key, pub, len)) + goto err; + if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, ecx_key)) + goto err; + ecx_key = NULL; + + ret = 1; + + err: + ecx_key_free(ecx_key); + + return ret; +} + +static int +ecx_get_priv_key(const EVP_PKEY *pkey, unsigned char *out_priv, size_t *out_len) +{ + struct ecx_key_st *ecx_key = pkey->pkey.ecx; + CBS cbs; + + if (out_priv == NULL) { + *out_len = ecx_key_len(pkey->ameth->pkey_id); + return 1; + } + + if (ecx_key == NULL || ecx_key->priv_key == NULL) + return 0; + + CBS_init(&cbs, ecx_key->priv_key, ecx_key->priv_key_len); + if (!CBS_write_bytes(&cbs, out_priv, *out_len, 
out_len)) + return 0; + + return 1; +} + +static int +ecx_get_pub_key(const EVP_PKEY *pkey, unsigned char *out_pub, size_t *out_len) +{ + struct ecx_key_st *ecx_key = pkey->pkey.ecx; + CBS cbs; + + if (out_pub == NULL) { + *out_len = ecx_key_len(pkey->ameth->pkey_id); + return 1; + } + + if (ecx_key == NULL || ecx_key->pub_key == NULL) + return 0; + + CBS_init(&cbs, ecx_key->pub_key, ecx_key->pub_key_len); + if (!CBS_write_bytes(&cbs, out_pub, *out_len, out_len)) + return 0; + + return 1; +} + +static int +pkey_ecx_keygen(EVP_PKEY_CTX *pkey_ctx, EVP_PKEY *pkey) +{ + struct ecx_key_st *ecx_key = NULL; + int ret = 0; + + if ((ecx_key = ecx_key_new(pkey_ctx->pmeth->pkey_id)) == NULL) + goto err; + if (!ecx_key_generate(ecx_key)) + goto err; + if (!EVP_PKEY_assign(pkey, pkey_ctx->pmeth->pkey_id, ecx_key)) + goto err; + ecx_key = NULL; + + ret = 1; + + err: + ecx_key_free(ecx_key); + + return ret; +} + +static int +pkey_ecx_derive(EVP_PKEY_CTX *pkey_ctx, unsigned char *out_key, + size_t *out_key_len) +{ + struct ecx_key_st *ecx_key, *ecx_peer_key; + + if (pkey_ctx->pkey == NULL || pkey_ctx->peerkey == NULL) { + ECerror(EC_R_KEYS_NOT_SET); + return 0; + } + + if ((ecx_key = pkey_ctx->pkey->pkey.ecx) == NULL) { + ECerror(EC_R_INVALID_PRIVATE_KEY); + return 0; + } + if (ecx_key->priv_key == NULL) { + ECerror(EC_R_INVALID_PRIVATE_KEY); + return 0; + } + + if ((ecx_peer_key = pkey_ctx->peerkey->pkey.ecx) == NULL) { + ECerror(EC_R_INVALID_PEER_KEY); + return 0; + } + + if (out_key != NULL) { + if (!X25519(out_key, ecx_key->priv_key, ecx_peer_key->pub_key)) + return 0; + } + + *out_key_len = X25519_KEYLEN; + + return 1; +} + +static int +pkey_ecx_ctrl(EVP_PKEY_CTX *pkey_ctx, int op, int arg1, void *arg2) +{ + if (op == EVP_PKEY_CTRL_PEER_KEY) + return 1; + + return -2; +} + +static int +ecx_item_verify(EVP_MD_CTX *md_ctx, const ASN1_ITEM *it, void *asn, + X509_ALGOR *algor, ASN1_BIT_STRING *abs, EVP_PKEY *pkey) +{ + const ASN1_OBJECT *aobj; + int nid, param_type; + + 
X509_ALGOR_get0(&aobj, ¶m_type, NULL, algor); + + nid = OBJ_obj2nid(aobj); + + if (nid != NID_ED25519 || param_type != V_ASN1_UNDEF) { + ECerror(EC_R_INVALID_ENCODING); + return 0; + } + + if (!EVP_DigestVerifyInit(md_ctx, NULL, NULL, NULL, pkey)) + return 0; + + return 2; +} + +static int +ecx_item_sign(EVP_MD_CTX *md_ctx, const ASN1_ITEM *it, void *asn, + X509_ALGOR *algor1, X509_ALGOR *algor2, ASN1_BIT_STRING *abs) +{ + ASN1_OBJECT *aobj; + + if ((aobj = OBJ_nid2obj(NID_ED25519)) == NULL) + return 0; + + if (!X509_ALGOR_set0(algor1, aobj, V_ASN1_UNDEF, NULL)) + return 0; + + if (algor2 != NULL) { + if (!X509_ALGOR_set0(algor2, aobj, V_ASN1_UNDEF, NULL)) + return 0; + } + + /* Tell ASN1_item_sign_ctx() that identifiers are set and it needs to sign. */ + return 3; +} + +static int +pkey_ecx_digestsign(EVP_MD_CTX *md_ctx, unsigned char *out_sig, + size_t *out_sig_len, const unsigned char *message, size_t message_len) +{ + struct ecx_key_st *ecx_key; + EVP_PKEY_CTX *pkey_ctx; + + pkey_ctx = EVP_MD_CTX_pkey_ctx(md_ctx); + ecx_key = pkey_ctx->pkey->pkey.ecx; + + if (out_sig == NULL) { + *out_sig_len = ecx_sig_size(pkey_ctx->pkey); + return 1; + } + if (*out_sig_len < ecx_sig_size(pkey_ctx->pkey)) { + ECerror(EC_R_BUFFER_TOO_SMALL); + return 0; + } + + if (ecx_key == NULL) + return 0; + if (ecx_key->priv_key == NULL || ecx_key->pub_key == NULL) + return 0; + + if (!ED25519_sign(out_sig, message, message_len, ecx_key->pub_key, + ecx_key->priv_key)) + return 0; + + *out_sig_len = ecx_sig_size(pkey_ctx->pkey); + + return 1; +} + +static int +pkey_ecx_digestverify(EVP_MD_CTX *md_ctx, const unsigned char *sig, + size_t sig_len, const unsigned char *message, size_t message_len) +{ + struct ecx_key_st *ecx_key; + EVP_PKEY_CTX *pkey_ctx; + + pkey_ctx = EVP_MD_CTX_pkey_ctx(md_ctx); + ecx_key = pkey_ctx->pkey->pkey.ecx; + + if (ecx_key == NULL || ecx_key->pub_key == NULL) + return 0; + if (sig_len != ecx_sig_size(pkey_ctx->pkey)) + return 0; + + return ED25519_verify(message, 
message_len, sig, ecx_key->pub_key); +} + +static int +pkey_ecx_ed_ctrl(EVP_PKEY_CTX *pkey_ctx, int op, int arg1, void *arg2) +{ + switch (op) { + case EVP_PKEY_CTRL_MD: + /* PureEdDSA does its own hashing. */ + if (arg2 != NULL && (const EVP_MD *)arg2 != EVP_md_null()) { + ECerror(EC_R_INVALID_DIGEST_TYPE); + return 0; + } + return 1; + + case EVP_PKEY_CTRL_DIGESTINIT: + return 1; + } + return -2; +} + +const EVP_PKEY_ASN1_METHOD x25519_asn1_meth = { + .pkey_id = EVP_PKEY_X25519, + .pkey_base_id = EVP_PKEY_X25519, + .pkey_flags = 0, + .pem_str = "X25519", + .info = "OpenSSL X25519 algorithm", + + .pub_decode = ecx_pub_decode, + .pub_encode = ecx_pub_encode, + .pub_cmp = ecx_pub_cmp, + .pub_print = ecx_pub_print, + + .priv_decode = ecx_priv_decode, + .priv_encode = ecx_priv_encode, + .priv_print = ecx_priv_print, + + .pkey_size = ecx_size, + .pkey_bits = ecx_bits, + .pkey_security_bits = ecx_security_bits, + + .param_cmp = ecx_param_cmp, + + .pkey_free = ecx_free, + .pkey_ctrl = ecx_ctrl, + + .set_priv_key = ecx_set_priv_key, + .set_pub_key = ecx_set_pub_key, + .get_priv_key = ecx_get_priv_key, + .get_pub_key = ecx_get_pub_key, +}; + +const EVP_PKEY_METHOD x25519_pkey_meth = { + .pkey_id = EVP_PKEY_X25519, + .keygen = pkey_ecx_keygen, + .derive = pkey_ecx_derive, + .ctrl = pkey_ecx_ctrl, +}; + +const EVP_PKEY_ASN1_METHOD ed25519_asn1_meth = { + .pkey_id = EVP_PKEY_ED25519, + .pkey_base_id = EVP_PKEY_ED25519, + .pkey_flags = 0, + .pem_str = "ED25519", + .info = "OpenSSL ED25519 algorithm", + + .pub_decode = ecx_pub_decode, + .pub_encode = ecx_pub_encode, + .pub_cmp = ecx_pub_cmp, + .pub_print = ecx_pub_print, + + .priv_decode = ecx_priv_decode, + .priv_encode = ecx_priv_encode, + .priv_print = ecx_priv_print, + + .pkey_size = ecx_sig_size, + .pkey_bits = ecx_bits, + .pkey_security_bits = ecx_security_bits, + + .param_cmp = ecx_param_cmp, + + .pkey_free = ecx_free, + .pkey_ctrl = ecx_sign_ctrl, + + .item_verify = ecx_item_verify, + .item_sign = ecx_item_sign, + + 
.set_priv_key = ecx_set_priv_key, + .set_pub_key = ecx_set_pub_key, + .get_priv_key = ecx_get_priv_key, + .get_pub_key = ecx_get_pub_key, +}; + +const EVP_PKEY_METHOD ed25519_pkey_meth = { + .pkey_id = EVP_PKEY_ED25519, + .flags = EVP_PKEY_FLAG_SIGCTX_CUSTOM, + .keygen = pkey_ecx_keygen, + .ctrl = pkey_ecx_ed_ctrl, + .digestsign = pkey_ecx_digestsign, + .digestverify = pkey_ecx_digestverify, +}; diff --git a/crypto/ecdh/ecdh_kdf.c b/crypto/ecdh/ecdh_kdf.c index 2539862..5c22e9c 100644 --- a/crypto/ecdh/ecdh_kdf.c +++ b/crypto/ecdh/ecdh_kdf.c @@ -55,7 +55,7 @@ #include #include -#include "ech_locl.h" +#include "ech_local.h" /* * Key derivation function from X9.63/SECG. diff --git a/crypto/ecdh/ech_err.c b/crypto/ecdh/ech_err.c index 149c2a8..e0cfddf 100644 --- a/crypto/ecdh/ech_err.c +++ b/crypto/ecdh/ech_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ech_err.c,v 1.6 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ech_err.c,v 1.7 2022/07/12 14:42:49 kn Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_ECDH,func,0) diff --git a/crypto/ecdh/ech_key.c b/crypto/ecdh/ech_key.c index 797cb01..a5c6371 100644 --- a/crypto/ecdh/ech_key.c +++ b/crypto/ecdh/ech_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ech_key.c,v 1.12 2021/12/04 16:08:32 tb Exp $ */ +/* $OpenBSD: ech_key.c,v 1.14 2022/11/26 16:08:52 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * 
@@ -74,12 +74,12 @@ #include #include -#include +#include #include -#include "bn_lcl.h" -#include "ech_locl.h" -#include "ec_lcl.h" +#include "bn_local.h" +#include "ech_local.h" +#include "ec_local.h" static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key, EC_KEY *ecdh, diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c index cc8edaf..15d7737 100644 --- a/crypto/ecdh/ech_lib.c +++ b/crypto/ecdh/ech_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ech_lib.c,v 1.14 2018/04/14 07:09:21 tb Exp $ */ +/* $OpenBSD: ech_lib.c,v 1.16 2023/04/25 19:26:45 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -71,12 +71,14 @@ #include -#include "ech_locl.h" #ifndef OPENSSL_NO_ENGINE #include #endif #include +#include "ec_local.h" +#include "ech_local.h" + static const ECDH_METHOD *default_ECDH_method = NULL; static void *ecdh_data_new(void); diff --git a/crypto/ecdh/ech_locl.h b/crypto/ecdh/ech_local.h similarity index 96% rename from crypto/ecdh/ech_locl.h rename to crypto/ecdh/ech_local.h index b04d325..3c2a267 100644 --- a/crypto/ecdh/ech_locl.h +++ b/crypto/ecdh/ech_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ech_locl.h,v 1.6 2019/09/05 16:12:36 jsing Exp $ */ +/* $OpenBSD: ech_local.h,v 1.2 2022/11/26 17:23:17 tb Exp $ */ /* ==================================================================== * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. * @@ -53,8 +53,8 @@ * */ -#ifndef HEADER_ECH_LOCL_H -#define HEADER_ECH_LOCL_H +#ifndef HEADER_ECH_LOCAL_H +#define HEADER_ECH_LOCAL_H #include @@ -96,4 +96,4 @@ int ecdh_KDF_X9_63(unsigned char *out, size_t outlen, const unsigned char *Z, __END_HIDDEN_DECLS -#endif /* HEADER_ECH_LOCL_H */ +#endif /* !HEADER_ECH_LOCAL_H */ diff --git a/crypto/ecdsa/ecs_asn1.c b/crypto/ecdsa/ecs_asn1.c index 9a7a044..916220f 100644 --- a/crypto/ecdsa/ecs_asn1.c +++ b/crypto/ecdsa/ecs_asn1.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ecs_asn1.c,v 1.10 2022/01/05 20:39:04 tb Exp $ */ +/* $OpenBSD: ecs_asn1.c,v 1.14 2023/03/25 09:09:28 tb Exp $ */ /* ==================================================================== * Copyright (c) 2000-2002 The OpenSSL Project. All rights reserved. * @@ -53,9 +53,11 @@ * */ -#include "ecs_locl.h" -#include #include +#include +#include + +#include "ecs_local.h" static const ASN1_TEMPLATE ECDSA_SIG_seq_tt[] = { { @@ -63,14 +65,14 @@ static const ASN1_TEMPLATE ECDSA_SIG_seq_tt[] = { .tag = 0, .offset = offsetof(ECDSA_SIG, r), .field_name = "r", - .item = &CBIGNUM_it, + .item = &BIGNUM_it, }, { .flags = 0, .tag = 0, .offset = offsetof(ECDSA_SIG, s), .field_name = "s", - .item = &CBIGNUM_it, + .item = &BIGNUM_it, }, }; @@ -141,8 +143,8 @@ ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) if (r == NULL || s == NULL) return 0; - BN_clear_free(sig->r); - BN_clear_free(sig->s); + BN_free(sig->r); + BN_free(sig->s); sig->r = r; sig->s = s; return 1; diff --git a/crypto/ecdsa/ecs_err.c b/crypto/ecdsa/ecs_err.c index ac8850d..c839c35 100644 --- a/crypto/ecdsa/ecs_err.c +++ b/crypto/ecdsa/ecs_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecs_err.c,v 1.6 2022/01/27 20:31:21 tb Exp $ */ +/* $OpenBSD: ecs_err.c,v 1.7 2022/07/12 14:42:49 kn Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_ECDSA,func,0) diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c index c688a95..9a35a03 100644 --- a/crypto/ecdsa/ecs_lib.c +++ b/crypto/ecdsa/ecs_lib.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ecs_lib.c,v 1.13 2018/04/14 07:09:21 tb Exp $ */ +/* $OpenBSD: ecs_lib.c,v 1.17 2023/04/25 19:26:45 tb Exp $ */ /* ==================================================================== * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. * @@ -57,13 +57,15 @@ #include -#include "ecs_locl.h" #ifndef OPENSSL_NO_ENGINE #include #endif #include #include +#include "ec_local.h" +#include "ecs_local.h" + static const ECDSA_METHOD *default_ECDSA_method = NULL; static void *ecdsa_data_new(void); @@ -197,36 +199,33 @@ ecdsa_check(EC_KEY *key) int ECDSA_size(const EC_KEY *r) { - int ret, i; - ASN1_INTEGER bs; - BIGNUM *order = NULL; - unsigned char buf[4]; + BIGNUM *order = NULL; const EC_GROUP *group; + ECDSA_SIG signature; + int ret = 0; if (r == NULL) - return 0; - group = EC_KEY_get0_group(r); - if (group == NULL) - return 0; + goto err; + + if ((group = EC_KEY_get0_group(r)) == NULL) + goto err; if ((order = BN_new()) == NULL) - return 0; - if (!EC_GROUP_get_order(group, order, NULL)) { - BN_clear_free(order); - return 0; - } - i = BN_num_bits(order); - bs.length = (i + 7) / 8; - bs.data = buf; - bs.type = V_ASN1_INTEGER; - /* If the top bit is set the asn1 encoding is 1 larger. */ - buf[0] = 0xff; + goto err; - i = i2d_ASN1_INTEGER(&bs, NULL); - i += i; /* r and s */ - ret = ASN1_object_size(1, i, V_ASN1_SEQUENCE); - BN_clear_free(order); - return (ret); + if (!EC_GROUP_get_order(group, order, NULL)) + goto err; + + signature.r = order; + signature.s = order; + + if ((ret = i2d_ECDSA_SIG(&signature, NULL)) < 0) + ret = 0; + + err: + BN_free(order); + + return ret; } int diff --git a/crypto/ecdsa/ecs_locl.h b/crypto/ecdsa/ecs_local.h similarity index 96% rename from crypto/ecdsa/ecs_locl.h rename to crypto/ecdsa/ecs_local.h index a53ec37..5cdf264 100644 --- a/crypto/ecdsa/ecs_locl.h +++ b/crypto/ecdsa/ecs_local.h 
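Review bot: The rewritten ECDSA_size() returns an upper bound, and nothing in the hunk says why placing the group order in both slots of the stack `ECDSA_SIG signature` is a valid stand-in for r and s, so a reader may take the result for the exact encoded length. Both r and s lie in [1, order-1], so their DER integer encodings can never be longer than the encoding of order, which is what makes i2d_ECDSA_SIG(&signature, NULL) a safe maximum. I'd add above the two assignments: `/* r and s are both < order, so encoding order in both slots yields the maximum DER length. */`. It is also worth saying there that i2d_ECDSA_SIG reads only r and s, which is why the partially built stack struct is sufficient.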
@@ -1,4 +1,4 @@ -/* $OpenBSD: ecs_locl.h,v 1.7 2022/01/14 08:31:03 tb Exp $ */ +/* $OpenBSD: ecs_local.h,v 1.2 2022/11/26 17:23:17 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project */ @@ -56,8 +56,8 @@ * */ -#ifndef HEADER_ECS_LOCL_H -#define HEADER_ECS_LOCL_H +#ifndef HEADER_ECS_LOCAL_H +#define HEADER_ECS_LOCAL_H #include @@ -96,4 +96,4 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, __END_HIDDEN_DECLS -#endif /* HEADER_ECS_LOCL_H */ +#endif /* !HEADER_ECS_LOCAL_H */ diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c index 0203b01..9702cd6 100644 --- a/crypto/ecdsa/ecs_ossl.c +++ b/crypto/ecdsa/ecs_ossl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecs_ossl.c,v 1.24 2022/04/07 17:37:25 tb Exp $ */ +/* $OpenBSD: ecs_ossl.c,v 1.33 2023/04/13 15:00:24 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project */ @@ -60,12 +60,14 @@ #include -#include -#include #include +#include +#include +#include -#include "bn_lcl.h" -#include "ecs_locl.h" +#include "bn_local.h" +#include "ec_local.h" +#include "ecs_local.h" static int ecdsa_prepare_digest(const unsigned char *dgst, int dgst_len, BIGNUM *order, BIGNUM *ret); @@ -118,14 +120,23 @@ ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, unsigned char *si unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) { ECDSA_SIG *s; + int outlen = 0; + int ret = 0; if ((s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey)) == NULL) { - *siglen = 0; - return 0; + goto err; } - *siglen = i2d_ECDSA_SIG(s, &sig); + if ((outlen = i2d_ECDSA_SIG(s, &sig)) < 0) { + outlen = 0; + goto err; + } + + ret = 1; + + err: + *siglen = outlen; ECDSA_SIG_free(s); - return 1; + return ret; } static int 
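Review bot: The new `if ((s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey)) == NULL) { goto err; }` in ossl_ecdsa_sign keeps braces around a single statement, while every other single-statement branch in this hunk and the rest of the diff is written unbraced in KNF style; I'd drop them: `if ((s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey)) == NULL) goto err;`. Separately, `*siglen = outlen;` narrows an int into the caller's unsigned int; it is correct because outlen is reset to 0 on the i2d failure path and i2d_ECDSA_SIG otherwise returns a non-negative length, but a short comment on the err label, `/* outlen is 0 on failure, the encoded length otherwise. */`, would save the next reader that check.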
@@ -168,8 +179,13 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) goto err; } + /* Reject curves with an order that is smaller than 80 bits. */ + if ((order_bits = BN_num_bits(order)) < 80) { + ECDSAerror(EC_R_INVALID_GROUP_ORDER); + goto err; + } + /* Preallocate space. */ - order_bits = BN_num_bits(order); if (!BN_set_bit(k, order_bits) || !BN_set_bit(r, order_bits) || !BN_set_bit(X, order_bits)) @@ -195,12 +211,12 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) * code path used in the constant time implementations * elsewhere. * - * TODO: revisit the BN_copy aiming for a memory access agnostic + * TODO: revisit the bn_copy aiming for a memory access agnostic * conditional copy. */ if (!BN_add(r, k, order) || !BN_add(X, r, order) || - !BN_copy(k, BN_num_bits(r) > order_bits ? r : X)) + !bn_copy(k, BN_num_bits(r) > order_bits ? r : X)) goto err; BN_set_flags(k, BN_FLG_CONSTTIME); @@ -225,22 +241,22 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) ECDSAerror(ERR_R_BN_LIB); goto err; } - BN_clear_free(*rp); - BN_clear_free(*kinvp); + BN_free(*rp); + BN_free(*kinvp); *rp = r; *kinvp = k; ret = 1; err: if (ret == 0) { - BN_clear_free(k); - BN_clear_free(r); + BN_free(k); + BN_free(r); } if (ctx_in == NULL) BN_CTX_free(ctx); BN_free(order); EC_POINT_free(point); - BN_clear_free(X); + BN_free(X); return (ret); } @@ -255,6 +271,14 @@ ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp); } + +/* + * It is too expensive to check curve parameters on every sign operation. + * Instead, cap the number of retries. A single retry is very unlikely, so + * allowing 32 retries is amply enough. + */ +#define ECDSA_MAX_SIGN_ITERATIONS 32 + static ECDSA_SIG * ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey) 
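Review bot: The new order check in ecdsa_sign_setup reports an EC-library reason through the ECDSA error macro, `ECDSAerror(EC_R_INVALID_GROUP_ORDER)`, and the retry cap added to ecdsa_do_sign in the next hunk does the same with EC_R_WRONG_CURVE_PARAMETERS. Unless ECDSAerror already records ERR_LIB_EC or the reason table in ecs_err.c carries these EC_R_ codes (neither is visible in this diff), ERR_reason_error_string() will print an unknown reason for both failures, which makes the new rejection hard to diagnose from logs. If the tables have not been merged, either add the two codes to the ECDSA reason table or use the matching ECDSA_R_ reason. The enclosing function starts before this hunk.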
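Review bot: Dropping BN_clear_free for k, r and X in ecdsa_sign_setup's error and cleanup paths leaves the zeroing of the nonce, its inverse and the intermediate point coordinate dependent on BN_free doing it, an invariant the hunk relies on but nowhere states. Presumably BN_free in the bundled bn code now clears before releasing (the replacement is tree-wide, including ECDSA_SIG_set0 in ecs_asn1.c where r and s are public values anyway), but a comment at the first such call, `/* BN_free clears the limbs before freeing; k and kinv are secret. */`, would record what the secrets depend on for anyone later swapping in a different bn implementation. The same applies to the BN_free calls at the end of ecdsa_do_sign in the following hunks.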
@@ -266,6 +290,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const EC_GROUP *group; ECDSA_SIG *ret; ECDSA_DATA *ecdsa; + int attempts = 0; int ok = 0; ecdsa = ecdsa_check(eckey); @@ -308,7 +333,7 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, ckinv = kinv; } else { ckinv = in_kinv; - if (BN_copy(ret->r, in_r) == NULL) { + if (!bn_copy(ret->r, in_r)) { ECDSAerror(ERR_R_MALLOC_FAILURE); goto err; } @@ -380,6 +405,11 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, ECDSAerror(ECDSA_R_NEED_NEW_SETUP_VALUES); goto err; } + + if (++attempts > ECDSA_MAX_SIGN_ITERATIONS) { + ECDSAerror(EC_R_WRONG_CURVE_PARAMETERS); + goto err; + } } else /* s != 0 => we have a valid signature */ break; @@ -393,12 +423,12 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, ret = NULL; } BN_CTX_free(ctx); - BN_clear_free(b); - BN_clear_free(binv); - BN_clear_free(bm); - BN_clear_free(bxr); - BN_clear_free(kinv); - BN_clear_free(m); + BN_free(b); + BN_free(binv); + BN_free(bm); + BN_free(bxr); + BN_free(kinv); + BN_free(m); BN_free(order); BN_free(range); return ret; 
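Review bot: The retry cap `++attempts > ECDSA_MAX_SIGN_ITERATIONS` in ecdsa_do_sign only bounds the s == 0 retries; the r == 0 case is retried inside ecdsa_sign_setup, whose nonce loop lies outside these hunks and, as far as this diff shows, receives no matching bound. If that loop can also spin on a malformed group, the comment above ECDSA_MAX_SIGN_ITERATIONS ("cap the number of retries") promises more than the code delivers; either bound that loop too or qualify the comment, e.g. `/* Bounds only the s == 0 retries; r == 0 is retried within ecdsa_sign_setup. */`. The loop containing this check starts and ends outside the hunk.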
@@ -544,3 +574,66 @@ ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, return 0; return ecdsa->meth->ecdsa_do_verify(dgst, dgst_len, sig, eckey); } + +ECDSA_SIG * +ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) +{ + return ECDSA_do_sign_ex(dgst, dlen, NULL, NULL, eckey); +} + +ECDSA_SIG * +ECDSA_do_sign_ex(const unsigned char *dgst, int dlen, const BIGNUM *kinv, + const BIGNUM *rp, EC_KEY *eckey) +{ + if (eckey->meth->sign_sig != NULL) + return eckey->meth->sign_sig(dgst, dlen, kinv, rp, eckey); + ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED); + return 0; +} + +int +ECDSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, + unsigned int *siglen, EC_KEY *eckey) +{ + return ECDSA_sign_ex(type, dgst, dlen, sig, siglen, NULL, NULL, eckey); +} + +int +ECDSA_sign_ex(int type, const unsigned char *dgst, int dlen, unsigned char *sig, + unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) +{ + if (eckey->meth->sign != NULL) + return eckey->meth->sign(type, dgst, dlen, sig, siglen, kinv, r, eckey); + ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED); + return 0; +} + +int +ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) +{ + if (eckey->meth->sign_setup != NULL) + return eckey->meth->sign_setup(eckey, ctx_in, kinvp, rp); + ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED); + return 0; +} + +int +ECDSA_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, + EC_KEY *eckey) +{ + if (eckey->meth->verify_sig != NULL) + return eckey->meth->verify_sig(dgst, dgst_len, sig, eckey); + ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED); + return 0; +} + +int +ECDSA_verify(int type, const unsigned char *dgst, int dgst_len, + const unsigned char *sigbuf, int sig_len, EC_KEY *eckey) +{ + if (eckey->meth->verify != NULL) + return eckey->meth->verify(type, dgst, dgst_len, + sigbuf, sig_len, eckey); + ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED); + return 0; +} 
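Review bot: The ECDSA_do_verify and ECDSA_verify wrappers moved into ecs_ossl.c lost the return-value comment they carried in ecs_vrf.c (1: correct signature, 0: incorrect signature, -1: error), and nothing at the new location documents the tri-state result, so a caller has no reminder that success must be tested with `== 1` rather than by non-zero. I'd restore it above each of the two verify wrappers: `/* Returns 1 for a correct signature, 0 for an incorrect one, -1 on error. */`. The wrappers also dereference eckey->meth with no NULL check on eckey; that is carried over verbatim from the deleted files rather than introduced here, but the move is a natural place to state the non-NULL precondition in the same comment.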
diff --git a/crypto/ecdsa/ecs_sign.c b/crypto/ecdsa/ecs_sign.c
deleted file mode 100644
index 6424a3c..0000000
--- a/crypto/ecdsa/ecs_sign.c
+++ /dev/null
@@ -1,108 +0,0 @@ -/* $OpenBSD: ecs_sign.c,v 1.9 2022/01/27 20:30:29 tb Exp $ */ -/* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include - -#ifndef OPENSSL_NO_ENGINE -#include -#endif -#include -#include - -#include "bn_lcl.h" -#include "ecs_locl.h" -#include "ec_lcl.h" - -ECDSA_SIG * -ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) -{ - return ECDSA_do_sign_ex(dgst, dlen, NULL, NULL, eckey); -} - -ECDSA_SIG * -ECDSA_do_sign_ex(const unsigned char *dgst, int dlen, const BIGNUM *kinv, - const BIGNUM *rp, EC_KEY *eckey) -{ - if (eckey->meth->sign_sig != NULL) - return eckey->meth->sign_sig(dgst, dlen, kinv, rp, eckey); - ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED); - return 0; -} - -int -ECDSA_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, - unsigned int *siglen, EC_KEY *eckey) -{ - return ECDSA_sign_ex(type, dgst, dlen, sig, siglen, NULL, NULL, eckey); -} - -int -ECDSA_sign_ex(int type, const unsigned char *dgst, int dlen, unsigned char *sig, - unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) -{ - if (eckey->meth->sign != NULL) - return eckey->meth->sign(type, dgst, dlen, sig, siglen, kinv, r, eckey); - ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED); - return 0; -} - -int -ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, 
BIGNUM **rp)
-{
- if (eckey->meth->sign_setup != NULL)
- return eckey->meth->sign_setup(eckey, ctx_in, kinvp, rp);
- ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED);
- return 0;
-}
diff --git a/crypto/ecdsa/ecs_vrf.c b/crypto/ecdsa/ecs_vrf.c
deleted file mode 100644
index 7db5a93..0000000
--- a/crypto/ecdsa/ecs_vrf.c
+++ /dev/null
@@ -1,100 +0,0 @@ -/* $OpenBSD: ecs_vrf.c,v 1.9 2022/01/27 20:30:29 tb Exp $ */ -/* - * Written by Nils Larsch for the OpenSSL project - */ -/* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include - -#ifndef OPENSSL_NO_ENGINE -#include -#endif -#include -#include - -#include "bn_lcl.h" -#include "ecs_locl.h" -#include "ec_lcl.h" - -/* returns - * 1: correct signature - * 0: incorrect signature - * -1: error - */ -int -ECDSA_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, - EC_KEY *eckey) -{ - if (eckey->meth->verify_sig != NULL) - return eckey->meth->verify_sig(dgst, dgst_len, sig, eckey); - ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED); - return 0; -} - -/* returns - * 1: correct signature - * 0: incorrect signature - * -1: error - */ -int -ECDSA_verify(int type, const unsigned char *dgst, int dgst_len, - const unsigned char *sigbuf, int sig_len, EC_KEY *eckey) -{ - if (eckey->meth->verify != NULL) - return eckey->meth->verify(type, dgst, dgst_len, - sigbuf, sig_len, eckey); - ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED); - return 0; -} diff --git a/crypto/empty.c b/crypto/empty.c new file mode 100644 index 0000000..e69de29 diff --git a/crypto/engine/eng_err.c b/crypto/engine/eng_err.c index b604cbb..5f86a41 100644 --- a/crypto/engine/eng_err.c +++ b/crypto/engine/eng_err.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: eng_err.c,v 1.11 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: eng_err.c,v 1.12 2022/07/12 14:42:49 kn Exp $ */
 /* ====================================================================
 * Copyright (c) 1999-2010 The OpenSSL Project. All rights reserved.
 *
@@ -53,11 +53,6 @@
 *
 */
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
 #include
 #include
@@ -65,7 +60,6 @@
 #include
 #include
-/* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_ENGINE,func,0)
diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c
index b29b410..451c861 100644
--- a/crypto/engine/eng_list.c
+++ b/crypto/engine/eng_list.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: eng_list.c,v 1.24 2019/01/19 01:07:00 tb Exp $ */
+/* $OpenBSD: eng_list.c,v 1.25 2022/12/26 07:18:51 jmc Exp $ */
 /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
 * project 2000.
 */
@@ -223,7 +223,7 @@ ENGINE_get_next(ENGINE *e)
 CRYPTO_w_lock(CRYPTO_LOCK_ENGINE);
 ret = e->next;
 if (ret) {
- /* Return a valid structural refernce to the next ENGINE */
+ /* Return a valid structural reference to the next ENGINE */
 ret->struct_ref++;
 engine_ref_debug(ret, 0, 1)
 }
diff --git a/crypto/engine/eng_openssl.c b/crypto/engine/eng_openssl.c
index 1a6113b..c632279 100644
--- a/crypto/engine/eng_openssl.c
+++ b/crypto/engine/eng_openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: eng_openssl.c,v 1.15 2022/01/09 23:55:31 tb Exp $ */
+/* $OpenBSD: eng_openssl.c,v 1.16 2022/11/26 16:08:52 tb Exp $ */
 /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL
 * project 2000.
 */
@@ -84,7 +84,7 @@
 #include
 #endif
-#include "evp_locl.h"
+#include "evp_local.h"
 /* This testing gunk is implemented (and explained) lower down. It also assumes
 * the application explicitly calls "ENGINE_load_openssl()" because this is no
diff --git a/crypto/engine/eng_table.c b/crypto/engine/eng_table.c
index a8aded5..0e7ea3b 100644
--- a/crypto/engine/eng_table.c
+++ b/crypto/engine/eng_table.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: eng_table.c,v 1.9 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: eng_table.c,v 1.10 2022/12/26 07:18:52 jmc Exp $ */
 /* ====================================================================
 * Copyright (c) 2001 The OpenSSL Project. All rights reserved.
 *
@@ -163,7 +163,7 @@ engine_table_register(ENGINE_TABLE **table, ENGINE_CLEANUP_CB *cleanup,
 fnd->funct = NULL;
 (void)lh_ENGINE_PILE_insert(&(*table)->piles, fnd);
 }
- /* A registration shouldn't add duplciate entries */
+ /* A registration shouldn't add duplicate entries */
 (void)sk_ENGINE_delete_ptr(fnd->sk, e);
 /* if 'setdefault', this ENGINE goes to the head of the list */
 if (!sk_ENGINE_push(fnd->sk, e))
@@ -193,7 +193,7 @@ int_unregister_cb_doall_arg(ENGINE_PILE *pile, ENGINE *e)
 {
 int n;
- /* Iterate the 'c->sk' stack removing any occurance of 'e' */
+ /* Iterate the 'c->sk' stack removing any occurrence of 'e' */
 while ((n = sk_ENGINE_find(pile->sk, e)) >= 0) {
 (void)sk_ENGINE_delete(pile->sk, n);
 pile->uptodate = 0;
diff --git a/crypto/engine/tb_asnmth.c b/crypto/engine/tb_asnmth.c
index 51e5198..913230f 100644
--- a/crypto/engine/tb_asnmth.c
+++ b/crypto/engine/tb_asnmth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tb_asnmth.c,v 1.6 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: tb_asnmth.c,v 1.7 2022/11/26 16:08:52 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project. All rights reserved.
 *
@@ -58,7 +58,7 @@
 #include
 #include "eng_int.h"
-#include "asn1_locl.h"
+#include "asn1_local.h"
 #include
 /* If this symbol is defined then ENGINE_get_pkey_asn1_meth_engine(), the
diff --git a/crypto/err/err.c b/crypto/err/err.c
index f05567e..365eae0 100644
--- a/crypto/err/err.c
+++ b/crypto/err/err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: err.c,v 1.48 2019/10/17 14:28:53 jsing Exp $ */
+/* $OpenBSD: err.c,v 1.52 2023/04/09 19:10:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -215,6 +215,7 @@ static ERR_STRING_DATA ERR_str_reasons[] = {
 {ERR_R_PASSED_NULL_PARAMETER, "passed a null parameter"},
 {ERR_R_INTERNAL_ERROR, "internal error"},
 {ERR_R_DISABLED , "called a function that was disabled at compile-time"},
+ {ERR_R_INIT_FAIL, "initialization failure"},
 {0, NULL},
 };
@@ -579,6 +580,7 @@ build_SYS_str_reasons(void)
 static char strerror_tab[NUM_SYS_STR_REASONS][LEN_SYS_STR_REASON];
 int i;
 static int init = 1;
+ int save_errno;
 CRYPTO_r_lock(CRYPTO_LOCK_ERR);
 if (!init) {
@@ -593,6 +595,8 @@ build_SYS_str_reasons(void)
 return;
 }
+ /* strerror(3) will set errno to EINVAL when i is an unknown errno. */
+ save_errno = errno;
 for (i = 1; i <= NUM_SYS_STR_REASONS; i++) {
 ERR_STRING_DATA *str = &SYS_str_reasons[i - 1];
@@ -609,6 +613,7 @@ build_SYS_str_reasons(void)
 if (str->string == NULL)
 str->string = "unknown";
 }
+ errno = save_errno;
 /* Now we still have SYS_str_reasons[NUM_SYS_STR_REASONS] = {0, NULL},
 * as required by ERR_load_strings. */
@@ -1035,13 +1040,11 @@ ERR_remove_thread_state(const CRYPTO_THREADID *id)
 ERRFN(thread_del_item)(&tmp);
 }
-#ifndef OPENSSL_NO_DEPRECATED
 void
 ERR_remove_state(unsigned long pid)
 {
 ERR_remove_thread_state(NULL);
 }
-#endif
 ERR_STATE *
 ERR_get_state(void)
@@ -1074,7 +1077,7 @@ ERR_get_state(void)
 ERR_STATE_free(ret); /* could not insert it */
 return (&fallback);
 }
- /* If a race occured in this function and we came second, tmpp
+ /* If a race occurred in this function and we came second, tmpp
 * is the first one that we just replaced. */
 if (tmpp)
 ERR_STATE_free(tmpp);
diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c
index e641238..74d39d3 100644
--- a/crypto/err/err_all.c
+++ b/crypto/err/err_all.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: err_all.c,v 1.25 2019/09/09 17:56:21 jsing Exp $ */
+/* $OpenBSD: err_all.c,v 1.27 2022/05/07 17:20:41 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -65,11 +65,14 @@
 #include
 #include
 #include
-#include
 #include
+#include
+#include
+#include
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -112,52 +115,59 @@ ERR_load_crypto_strings_internal(void)
 {
 #ifndef OPENSSL_NO_ERR
 ERR_load_ERR_strings_internal(); /* include error strings for SYSerr */
+
+ ERR_load_ASN1_strings();
+ ERR_load_BIO_strings();
 ERR_load_BN_strings();
-#ifndef OPENSSL_NO_RSA
- ERR_load_RSA_strings();
+ ERR_load_BUF_strings();
+#ifndef OPENSSL_NO_CMS
+ ERR_load_CMS_strings();
+#endif
+#ifdef ZLIB
+ ERR_load_COMP_strings();
+#endif
+ ERR_load_CONF_strings();
+ ERR_load_CRYPTO_strings();
+#ifndef OPENSSL_NO_CT
+ ERR_load_CT_strings();
 #endif
 #ifndef OPENSSL_NO_DH
 ERR_load_DH_strings();
 #endif
- ERR_load_EVP_strings();
- ERR_load_BUF_strings();
- ERR_load_OBJ_strings();
- ERR_load_PEM_strings();
 #ifndef OPENSSL_NO_DSA
 ERR_load_DSA_strings();
 #endif
- ERR_load_X509_strings();
- ERR_load_ASN1_strings();
- ERR_load_CONF_strings();
- ERR_load_CRYPTO_strings();
-#ifndef OPENSSL_NO_EC
- ERR_load_EC_strings();
+ ERR_load_DSO_strings();
+#ifndef OPENSSL_NO_ECDH
+ ERR_load_ECDH_strings();
 #endif
 #ifndef OPENSSL_NO_ECDSA
 ERR_load_ECDSA_strings();
 #endif
-#ifndef OPENSSL_NO_ECDH
- ERR_load_ECDH_strings();
+#ifndef OPENSSL_NO_EC
+ ERR_load_EC_strings();
 #endif
- /* skip ERR_load_SSL_strings() because it is not in this library */
- ERR_load_BIO_strings();
- ERR_load_PKCS7_strings();
- ERR_load_X509V3_strings();
- ERR_load_PKCS12_strings();
- ERR_load_RAND_strings();
- ERR_load_DSO_strings();
- ERR_load_TS_strings();
 #ifndef OPENSSL_NO_ENGINE
 ERR_load_ENGINE_strings();
 #endif
- ERR_load_OCSP_strings();
- ERR_load_UI_strings();
+ ERR_load_EVP_strings();
 #ifndef OPENSSL_NO_GOST
 ERR_load_GOST_strings();
 #endif
-#ifndef OPENSSL_NO_CMS
- ERR_load_CMS_strings();
+ ERR_load_KDF_strings();
+ ERR_load_OBJ_strings();
+ ERR_load_OCSP_strings();
+ ERR_load_PEM_strings();
+ ERR_load_PKCS12_strings();
+ ERR_load_PKCS7_strings();
+ ERR_load_RAND_strings();
+#ifndef OPENSSL_NO_RSA
+ ERR_load_RSA_strings();
 #endif
+ ERR_load_TS_strings();
+ ERR_load_UI_strings();
+ ERR_load_X509V3_strings();
+
 ERR_load_X509_strings();
 #endif
 }
diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c
index b61a342..8880a28 100644
--- a/crypto/evp/bio_b64.c
+++ b/crypto/evp/bio_b64.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_b64.c,v 1.25 2022/01/14 08:40:57 tb Exp $ */
+/* $OpenBSD: bio_b64.c,v 1.26 2022/11/26 16:08:52 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -64,7 +64,7 @@
 #include
 #include "bio_local.h"
-#include "evp_locl.h"
+#include "evp_local.h"
 static int b64_write(BIO *h, const char *buf, int num);
 static int b64_read(BIO *h, char *buf, int size);
diff --git a/crypto/evp/bio_enc.c b/crypto/evp/bio_enc.c
index 2a0f76f..098b1ea 100644
--- a/crypto/evp/bio_enc.c
+++ b/crypto/evp/bio_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_enc.c,v 1.26 2022/01/14 08:40:57 tb Exp $ */
+/* $OpenBSD: bio_enc.c,v 1.27 2022/11/26 16:08:52 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -64,7 +64,7 @@
 #include
 #include "bio_local.h"
-#include "evp_locl.h"
+#include "evp_local.h"
 static int enc_write(BIO *h, const char *buf, int num);
 static int enc_read(BIO *h, char *buf, int size);
diff --git a/crypto/evp/bio_md.c b/crypto/evp/bio_md.c
index 4ae5f1f..4b7ca44 100644
--- a/crypto/evp/bio_md.c
+++ b/crypto/evp/bio_md.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_md.c,v 1.18 2022/01/14 08:40:57 tb Exp $ */
+/* $OpenBSD: bio_md.c,v 1.19 2022/11/26 16:08:52 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,7 +63,7 @@
 #include
 #include "bio_local.h"
-#include "evp_locl.h"
+#include "evp_local.h"
 /* BIO_put and BIO_get both add to the digest,
 * BIO_gets returns the digest */
diff --git a/crypto/evp/c_all.c b/crypto/evp/c_all.c
index 690215c..936d7e8 100644
--- a/crypto/evp/c_all.c
+++ b/crypto/evp/c_all.c
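Review bot: ERR_load_COMP_strings() is the only loader in ERR_load_crypto_strings_internal() gated on a library-presence macro (`#ifdef ZLIB`) while every other optional component is gated on an `OPENSSL_NO_*` opt-out, so a reader cannot tell whether COMP error strings are deliberately absent or merely unregistered when zlib support is not configured. A one-line comment above that guard would settle it, e.g. `/* COMP only exists when the build enables zlib (ZLIB); there is no OPENSSL_NO_COMP switch here */`, or the guard could follow the OPENSSL_NO_COMP convention if the build defines such a macro — I cannot see from this hunk which macro the build system sets. The removed `/* skip ERR_load_SSL_strings() because it is not in this library */` note was also the only hint in this function that libssl registers its own strings; it is worth keeping in some form so nobody "fixes" the apparent omission.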
@@ -1,4 +1,4 @@
-/* $OpenBSD: c_all.c,v 1.27 2022/01/14 08:38:05 tb Exp $ */
+/* $OpenBSD: c_all.c,v 1.29 2023/04/25 15:48:48 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -224,6 +224,9 @@ OpenSSL_add_all_ciphers_internal(void)
 #ifndef OPENSSL_NO_CHACHA
 EVP_add_cipher(EVP_chacha20());
 #endif
+#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+ EVP_add_cipher(EVP_chacha20_poly1305());
+#endif
 #ifndef OPENSSL_NO_GOST
 EVP_add_cipher(EVP_gost2814789_ecb());
@@ -287,6 +290,14 @@ OpenSSL_add_all_digests_internal(void)
 #ifndef OPENSSL_NO_SHA512
 EVP_add_digest(EVP_sha384());
 EVP_add_digest(EVP_sha512());
+ EVP_add_digest(EVP_sha512_224());
+ EVP_add_digest(EVP_sha512_256());
+#endif
+#ifndef OPENSSL_NO_SHA3
+ EVP_add_digest(EVP_sha3_224());
+ EVP_add_digest(EVP_sha3_256());
+ EVP_add_digest(EVP_sha3_384());
+ EVP_add_digest(EVP_sha3_512());
 #endif
 #ifndef OPENSSL_NO_SM3
 EVP_add_digest(EVP_sm3());
diff --git a/crypto/x509/pcy_lib.c b/crypto/evp/cipher_method_lib.c
similarity index 55%
rename from crypto/x509/pcy_lib.c
rename to crypto/evp/cipher_method_lib.c
index 3d5c58d..55dc6b7 100644
--- a/crypto/x509/pcy_lib.c
+++ b/crypto/evp/cipher_method_lib.c
@@ -1,9 +1,10 @@
-/* $OpenBSD: pcy_lib.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
+/* $OpenBSD: cipher_method_lib.c,v 1.8 2023/03/01 11:27:37 tb Exp $ */
+/*
+ * Written by Richard Levitte (levitte@openssl.org) for the OpenSSL project
+ * 2015.
 */
 /* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2015 The OpenSSL Project. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -56,102 +57,122 @@
 *
 */
-#include
-#include
+#include
-#include "pcy_int.h"
+#include
-/* accessor functions */
+#include "evp_local.h"
-/* X509_POLICY_TREE stuff */
+EVP_CIPHER *
+EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len)
+{
+ EVP_CIPHER *cipher;
+
+ if ((cipher = calloc(1, sizeof(*cipher))) == NULL)
+ return NULL;
+
+ cipher->nid = cipher_type;
+ cipher->block_size = block_size;
+ cipher->key_len = key_len;
+
+ return cipher;
+}
+
+EVP_CIPHER *
+EVP_CIPHER_meth_dup(const EVP_CIPHER *cipher)
+{
+ EVP_CIPHER *copy;
+
+ if ((copy = calloc(1, sizeof(*copy))) == NULL)
+ return NULL;
+
+ *copy = *cipher;
+
+ return copy;
+}
+
+void
+EVP_CIPHER_meth_free(EVP_CIPHER *cipher)
+{
+ free(cipher);
+}
 int
-X509_policy_tree_level_count(const X509_POLICY_TREE *tree)
+EVP_CIPHER_meth_set_iv_length(EVP_CIPHER *cipher, int iv_len)
 {
- if (!tree)
- return 0;
- return tree->nlevel;
-}
+ cipher->iv_len = iv_len;
-X509_POLICY_LEVEL *
-X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i)
-{
- if (!tree || (i < 0) || (i >= tree->nlevel))
- return NULL;
- return tree->levels + i;
+ return 1;
 }
-STACK_OF(X509_POLICY_NODE) *
-X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree)
-{
- if (!tree)
- return NULL;
- return tree->auth_policies;
-}
-
-STACK_OF(X509_POLICY_NODE) *
-X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree)
-{
- if (!tree)
- return NULL;
- if (tree->flags & POLICY_FLAG_ANY_POLICY)
- return tree->auth_policies;
- else
- return tree->user_policies;
-}
-
-/* X509_POLICY_LEVEL stuff */
-
 int
-X509_policy_level_node_count(X509_POLICY_LEVEL *level)
+EVP_CIPHER_meth_set_flags(EVP_CIPHER *cipher, unsigned long flags)
 {
- int n;
- if (!level)
- return 0;
- if (level->anyPolicy)
- n = 1;
- else
- n = 0;
- if (level->nodes)
- n += sk_X509_POLICY_NODE_num(level->nodes);
- return n;
+ cipher->flags = flags;
+
+ return 1;
 }
-X509_POLICY_NODE *
-X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i)
+int
+EVP_CIPHER_meth_set_impl_ctx_size(EVP_CIPHER *cipher, int ctx_size)
 {
- if (!level)
- return NULL;
- if (level->anyPolicy) {
- if (i == 0)
- return level->anyPolicy;
- i--;
- }
- return sk_X509_POLICY_NODE_value(level->nodes, i);
+ cipher->ctx_size = ctx_size;
+
+ return 1;
 }
-/* X509_POLICY_NODE stuff */
-
-const ASN1_OBJECT *
-X509_policy_node_get0_policy(const X509_POLICY_NODE *node)
+int
+EVP_CIPHER_meth_set_init(EVP_CIPHER *cipher,
+ int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+ const unsigned char *iv, int enc))
 {
- if (!node)
- return NULL;
- return node->data->valid_policy;
+ cipher->init = init;
+
+ return 1;
 }
-STACK_OF(POLICYQUALINFO) *
-X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node)
+int
+EVP_CIPHER_meth_set_do_cipher(EVP_CIPHER *cipher,
+ int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out,
+ const unsigned char *in, size_t inl))
 {
- if (!node)
- return NULL;
- return node->data->qualifier_set;
+ cipher->do_cipher = do_cipher;
+
+ return 1;
 }
-const X509_POLICY_NODE *
-X509_policy_node_get0_parent(const X509_POLICY_NODE *node)
+int
+EVP_CIPHER_meth_set_cleanup(EVP_CIPHER *cipher,
+ int (*cleanup)(EVP_CIPHER_CTX *))
 {
- if (!node)
- return NULL;
- return node->parent;
+ cipher->cleanup = cleanup;
+
+ return 1;
+}
+
+int
+EVP_CIPHER_meth_set_set_asn1_params(EVP_CIPHER *cipher,
+ int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *))
+{
+ cipher->set_asn1_parameters = set_asn1_parameters;
+
+ return 1;
+}
+
+int
+EVP_CIPHER_meth_set_get_asn1_params(EVP_CIPHER *cipher,
+ int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *))
+{
+ cipher->get_asn1_parameters = get_asn1_parameters;
+
+ return 1;
+}
+
+int
+EVP_CIPHER_meth_set_ctrl(EVP_CIPHER *cipher,
+ int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr))
+{
+ cipher->ctrl = ctrl;
+
+ return 1;
 }
diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c
index ecb5292..7c129f0 100644
--- a/crypto/evp/digest.c
+++ b/crypto/evp/digest.c
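Review bot: EVP_CIPHER_meth_set_iv_length() stores iv_len without any bound check, and EVP_CIPHER_meth_new() likewise accepts any block_size and key_len; a custom cipher whose iv_len exceeds EVP_MAX_IV_LENGTH would have its IV copied into the fixed-size IV buffers of EVP_CIPHER_CTX by the init path unless that path re-validates the length, which I cannot see from this hunk. Rejecting bad values at the setter is cheap and matches the 1/0 return contract these functions already advertise: `if (iv_len < 0 || iv_len > EVP_MAX_IV_LENGTH) return 0;` (a similar non-negative check on block_size and key_len in EVP_CIPHER_meth_new() would catch the other two). EVP_CIPHER_meth_free() hands whatever it is given straight to free(3), so the function should carry a comment that it must only receive a cipher from EVP_CIPHER_meth_new() or EVP_CIPHER_meth_dup(), never a built-in such as the pointer returned by EVP_aes_128_cbc(). None of the setters guard against a NULL cipher either; if that is intentional (matching the upstream API), a one-line note at the top of the file saying so would stop reviewers from re-raising it.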
@@ -1,4 +1,4 @@
-/* $OpenBSD: digest.c,v 1.34 2022/01/10 10:51:31 tb Exp $ */
+/* $OpenBSD: digest.c,v 1.36 2022/12/26 07:18:52 jmc Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -122,7 +122,7 @@
 #include
 #endif
-#include "evp_locl.h"
+#include "evp_local.h"
 int
 EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type)
@@ -140,7 +140,7 @@ EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl)
 /* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
 * so this context may already have an ENGINE! Try to avoid releasing
 * the previous handle, re-querying for an ENGINE, and having a
- * reinitialisation, when it may all be unecessary. */
+ * reinitialisation, when it may all be unnecessary. */
 if (ctx->engine && ctx->digest && (!type || (type && (type->type == ctx->digest->type))))
 goto skip_to_init;
diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c
index 05ed002..790b263 100644
--- a/crypto/evp/e_aes.c
+++ b/crypto/evp/e_aes.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_aes.c,v 1.42 2020/06/05 18:44:42 tb Exp $ */
+/* $OpenBSD: e_aes.c,v 1.51 2023/03/01 11:16:06 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved.
 *
@@ -60,8 +60,8 @@
 #include
 #include
-#include "evp_locl.h"
-#include "modes_lcl.h"
+#include "evp_local.h"
+#include "modes_local.h"
 typedef struct {
 AES_KEY ks;
@@ -257,26 +257,6 @@ aesni_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return 1; } -#define aesni_ofb_cipher aes_ofb_cipher -static int aesni_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t len); - -#define aesni_cfb_cipher aes_cfb_cipher -static int aesni_cfb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t len); - -#define aesni_cfb8_cipher aes_cfb8_cipher -static int aesni_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t len); - -#define aesni_cfb1_cipher aes_cfb1_cipher -static int aesni_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t len); - -#define aesni_ctr_cipher aes_ctr_cipher -static int aesni_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t len); - static int aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) @@ -312,10 +292,6 @@ aesni_gcm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, return 1; } -#define aesni_gcm_cipher aes_gcm_cipher -static int aesni_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t len); - static int aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) @@ -354,10 +330,6 @@ aesni_xts_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, return 1; } -#define aesni_xts_cipher aes_xts_cipher -static int aesni_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t len); - static int aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) 
@@ -381,125 +353,8 @@ aesni_ccm_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, return 1; } -#define aesni_ccm_cipher aes_ccm_cipher -static int aesni_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t len); - -#define BLOCK_CIPHER_generic(n,keylen,blocksize,ivlen,nmode,mode,MODE,fl) \ -static const EVP_CIPHER aesni_##keylen##_##mode = { \ - .nid = n##_##keylen##_##nmode, \ - .block_size = blocksize, \ - .key_len = keylen / 8, \ - .iv_len = ivlen, \ - .flags = fl | EVP_CIPH_##MODE##_MODE, \ - .init = aesni_init_key, \ - .do_cipher = aesni_##mode##_cipher, \ - .ctx_size = sizeof(EVP_AES_KEY) \ -}; \ -static const EVP_CIPHER aes_##keylen##_##mode = { \ - .nid = n##_##keylen##_##nmode, \ - .block_size = blocksize, \ - .key_len = keylen / 8, \ - .iv_len = ivlen, \ - .flags = fl | EVP_CIPH_##MODE##_MODE, \ - .init = aes_init_key, \ - .do_cipher = aes_##mode##_cipher, \ - .ctx_size = sizeof(EVP_AES_KEY) \ -}; \ -const EVP_CIPHER * \ -EVP_aes_##keylen##_##mode(void) \ -{ \ - return AESNI_CAPABLE ? \ - &aesni_##keylen##_##mode : &aes_##keylen##_##mode; \ -} - -#define BLOCK_CIPHER_custom(n,keylen,blocksize,ivlen,mode,MODE,fl) \ -static const EVP_CIPHER aesni_##keylen##_##mode = { \ - .nid = n##_##keylen##_##mode, \ - .block_size = blocksize, \ - .key_len = \ - (EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 2 : 1) * \ - keylen / 8, \ - .iv_len = ivlen, \ - .flags = fl | EVP_CIPH_##MODE##_MODE, \ - .init = aesni_##mode##_init_key, \ - .do_cipher = aesni_##mode##_cipher, \ - .cleanup = aes_##mode##_cleanup, \ - .ctx_size = sizeof(EVP_AES_##MODE##_CTX), \ - .ctrl = aes_##mode##_ctrl \ -}; \ -static const EVP_CIPHER aes_##keylen##_##mode = { \ - .nid = n##_##keylen##_##mode, \ - .block_size = blocksize, \ - .key_len = \ - (EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 
2 : 1) * \ - keylen / 8, \ - .iv_len = ivlen, \ - .flags = fl | EVP_CIPH_##MODE##_MODE, \ - .init = aes_##mode##_init_key, \ - .do_cipher = aes_##mode##_cipher, \ - .cleanup = aes_##mode##_cleanup, \ - .ctx_size = sizeof(EVP_AES_##MODE##_CTX), \ - .ctrl = aes_##mode##_ctrl \ -}; \ -const EVP_CIPHER * \ -EVP_aes_##keylen##_##mode(void) \ -{ \ - return AESNI_CAPABLE ? \ - &aesni_##keylen##_##mode : &aes_##keylen##_##mode; \ -} - -#else - -#define BLOCK_CIPHER_generic(n,keylen,blocksize,ivlen,nmode,mode,MODE,fl) \ -static const EVP_CIPHER aes_##keylen##_##mode = { \ - .nid = n##_##keylen##_##nmode, \ - .block_size = blocksize, \ - .key_len = keylen / 8, \ - .iv_len = ivlen, \ - .flags = fl | EVP_CIPH_##MODE##_MODE, \ - .init = aes_init_key, \ - .do_cipher = aes_##mode##_cipher, \ - .ctx_size = sizeof(EVP_AES_KEY) \ -}; \ -const EVP_CIPHER * \ -EVP_aes_##keylen##_##mode(void) \ -{ \ - return &aes_##keylen##_##mode; \ -} - -#define BLOCK_CIPHER_custom(n,keylen,blocksize,ivlen,mode,MODE,fl) \ -static const EVP_CIPHER aes_##keylen##_##mode = { \ - .nid = n##_##keylen##_##mode, \ - .block_size = blocksize, \ - .key_len = \ - (EVP_CIPH_##MODE##_MODE == EVP_CIPH_XTS_MODE ? 
2 : 1) * \
- keylen / 8, \
- .iv_len = ivlen, \
- .flags = fl | EVP_CIPH_##MODE##_MODE, \
- .init = aes_##mode##_init_key, \
- .do_cipher = aes_##mode##_cipher, \
- .cleanup = aes_##mode##_cleanup, \
- .ctx_size = sizeof(EVP_AES_##MODE##_CTX), \
- .ctrl = aes_##mode##_ctrl \
-}; \
-const EVP_CIPHER * \
-EVP_aes_##keylen##_##mode(void) \
-{ \
- return &aes_##keylen##_##mode; \
-}
-
 #endif
-#define BLOCK_CIPHER_generic_pack(nid,keylen,flags) \
- BLOCK_CIPHER_generic(nid,keylen,16,16,cbc,cbc,CBC,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
- BLOCK_CIPHER_generic(nid,keylen,16,0,ecb,ecb,ECB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
- BLOCK_CIPHER_generic(nid,keylen,1,16,ofb128,ofb,OFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
- BLOCK_CIPHER_generic(nid,keylen,1,16,cfb128,cfb,CFB,flags|EVP_CIPH_FLAG_DEFAULT_ASN1) \
- BLOCK_CIPHER_generic(nid,keylen,1,16,cfb1,cfb1,CFB,flags) \
- BLOCK_CIPHER_generic(nid,keylen,1,16,cfb8,cfb8,CFB,flags) \
- BLOCK_CIPHER_generic(nid,keylen,1,16,ctr,ctr,CTR,flags)
-
 static int
 aes_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
 const unsigned char *iv, int enc)
@@ -656,6 +511,8 @@ aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 CRYPTO_cfb128_1_encrypt(in, out, MAXBITCHUNK*8, &dat->ks,
 ctx->iv, &ctx->num, ctx->encrypt, dat->block);
 len -= MAXBITCHUNK;
+ in += MAXBITCHUNK;
+ out += MAXBITCHUNK;
 }
 if (len)
 CRYPTO_cfb128_1_encrypt(in, out, len*8, &dat->ks,
@@ -664,7 +521,8 @@ aes_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 return 1;
 }
-static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out,
+static int
+aes_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
 const unsigned char *in, size_t len)
 {
 unsigned int num = ctx->num;
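Review bot: The two added lines `in += MAXBITCHUNK;` and `out += MAXBITCHUNK;` in aes_cfb1_cipher() are a genuine correctness fix — the visible loop body previously passed the same in/out pointers to CRYPTO_cfb128_1_encrypt() on every iteration while only decrementing len, so any input longer than MAXBITCHUNK bytes re-encrypted its first chunk and the tail landed at the wrong offset — but nothing in the hunk records why the input is chunked at all, so a later reader may well collapse the loop back into one call. A short comment above the loop would preserve the intent, e.g. `/* Split into MAXBITCHUNK pieces so the bit count (len*8) passed to CRYPTO_cfb128_1_encrypt cannot overflow — TODO confirm against MAXBITCHUNK's definition */`; the loop header and the MAXBITCHUNK definition sit outside this hunk, as does the rest of aes_cfb1_cipher(). Since the old behaviour was silently wrong rather than crashing, a regression test that runs CFB1 over a buffer larger than MAXBITCHUNK and compares against a single-call reference would be the one thing that pins this fix.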
@@ -680,9 +538,722 @@ static int aes_ctr_cipher (EVP_CIPHER_CTX *ctx, unsigned char *out, return 1; } -BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS) -BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS) -BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS) + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_128_cbc = { + .nid = NID_aes_128_cbc, + .block_size = 16, + .key_len = 16, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, + .init = aesni_init_key, + .do_cipher = aesni_cbc_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_128_cbc = { + .nid = NID_aes_128_cbc, + .block_size = 16, + .key_len = 16, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, + .init = aes_init_key, + .do_cipher = aes_cbc_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_128_cbc(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_128_cbc : &aes_128_cbc; +#else + return &aes_128_cbc; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_128_ecb = { + .nid = NID_aes_128_ecb, + .block_size = 16, + .key_len = 16, + .iv_len = 0, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, + .init = aesni_init_key, + .do_cipher = aesni_ecb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_128_ecb = { + .nid = NID_aes_128_ecb, + .block_size = 16, + .key_len = 16, + .iv_len = 0, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, + .init = aes_init_key, + .do_cipher = aes_ecb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_128_ecb(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? 
&aesni_128_ecb : &aes_128_ecb; +#else + return &aes_128_ecb; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_128_ofb = { + .nid = NID_aes_128_ofb128, + .block_size = 1, + .key_len = 16, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, + .init = aesni_init_key, + .do_cipher = aes_ofb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_128_ofb = { + .nid = NID_aes_128_ofb128, + .block_size = 1, + .key_len = 16, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, + .init = aes_init_key, + .do_cipher = aes_ofb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_128_ofb(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_128_ofb : &aes_128_ofb; +#else + return &aes_128_ofb; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_128_cfb = { + .nid = NID_aes_128_cfb128, + .block_size = 1, + .key_len = 16, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, + .init = aesni_init_key, + .do_cipher = aes_cfb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_128_cfb = { + .nid = NID_aes_128_cfb128, + .block_size = 1, + .key_len = 16, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, + .init = aes_init_key, + .do_cipher = aes_cfb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_128_cfb(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? 
&aesni_128_cfb : &aes_128_cfb; +#else + return &aes_128_cfb; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_128_cfb1 = { + .nid = NID_aes_128_cfb1, + .block_size = 1, + .key_len = 16, + .iv_len = 16, + .flags = EVP_CIPH_CFB_MODE, + .init = aesni_init_key, + .do_cipher = aes_cfb1_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_128_cfb1 = { + .nid = NID_aes_128_cfb1, + .block_size = 1, + .key_len = 16, + .iv_len = 16, + .flags = EVP_CIPH_CFB_MODE, + .init = aes_init_key, + .do_cipher = aes_cfb1_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_128_cfb1(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_128_cfb1 : &aes_128_cfb1; +#else + return &aes_128_cfb1; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_128_cfb8 = { + .nid = NID_aes_128_cfb8, + .block_size = 1, + .key_len = 16, + .iv_len = 16, + .flags = EVP_CIPH_CFB_MODE, + .init = aesni_init_key, + .do_cipher = aes_cfb8_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_128_cfb8 = { + .nid = NID_aes_128_cfb8, + .block_size = 1, + .key_len = 16, + .iv_len = 16, + .flags = EVP_CIPH_CFB_MODE, + .init = aes_init_key, + .do_cipher = aes_cfb8_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_128_cfb8(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? 
&aesni_128_cfb8 : &aes_128_cfb8; +#else + return &aes_128_cfb8; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_128_ctr = { + .nid = NID_aes_128_ctr, + .block_size = 1, + .key_len = 16, + .iv_len = 16, + .flags = EVP_CIPH_CTR_MODE, + .init = aesni_init_key, + .do_cipher = aes_ctr_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_128_ctr = { + .nid = NID_aes_128_ctr, + .block_size = 1, + .key_len = 16, + .iv_len = 16, + .flags = EVP_CIPH_CTR_MODE, + .init = aes_init_key, + .do_cipher = aes_ctr_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_128_ctr(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_128_ctr : &aes_128_ctr; +#else + return &aes_128_ctr; +#endif +} + + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_192_cbc = { + .nid = NID_aes_192_cbc, + .block_size = 16, + .key_len = 24, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, + .init = aesni_init_key, + .do_cipher = aesni_cbc_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_192_cbc = { + .nid = NID_aes_192_cbc, + .block_size = 16, + .key_len = 24, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, + .init = aes_init_key, + .do_cipher = aes_cbc_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_192_cbc(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? 
&aesni_192_cbc : &aes_192_cbc; +#else + return &aes_192_cbc; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_192_ecb = { + .nid = NID_aes_192_ecb, + .block_size = 16, + .key_len = 24, + .iv_len = 0, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, + .init = aesni_init_key, + .do_cipher = aesni_ecb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_192_ecb = { + .nid = NID_aes_192_ecb, + .block_size = 16, + .key_len = 24, + .iv_len = 0, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, + .init = aes_init_key, + .do_cipher = aes_ecb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_192_ecb(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_192_ecb : &aes_192_ecb; +#else + return &aes_192_ecb; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_192_ofb = { + .nid = NID_aes_192_ofb128, + .block_size = 1, + .key_len = 24, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, + .init = aesni_init_key, + .do_cipher = aes_ofb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_192_ofb = { + .nid = NID_aes_192_ofb128, + .block_size = 1, + .key_len = 24, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, + .init = aes_init_key, + .do_cipher = aes_ofb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_192_ofb(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? 
&aesni_192_ofb : &aes_192_ofb; +#else + return &aes_192_ofb; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_192_cfb = { + .nid = NID_aes_192_cfb128, + .block_size = 1, + .key_len = 24, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, + .init = aesni_init_key, + .do_cipher = aes_cfb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_192_cfb = { + .nid = NID_aes_192_cfb128, + .block_size = 1, + .key_len = 24, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, + .init = aes_init_key, + .do_cipher = aes_cfb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_192_cfb(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_192_cfb : &aes_192_cfb; +#else + return &aes_192_cfb; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_192_cfb1 = { + .nid = NID_aes_192_cfb1, + .block_size = 1, + .key_len = 24, + .iv_len = 16, + .flags = EVP_CIPH_CFB_MODE, + .init = aesni_init_key, + .do_cipher = aes_cfb1_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_192_cfb1 = { + .nid = NID_aes_192_cfb1, + .block_size = 1, + .key_len = 24, + .iv_len = 16, + .flags = EVP_CIPH_CFB_MODE, + .init = aes_init_key, + .do_cipher = aes_cfb1_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_192_cfb1(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? 
&aesni_192_cfb1 : &aes_192_cfb1; +#else + return &aes_192_cfb1; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_192_cfb8 = { + .nid = NID_aes_192_cfb8, + .block_size = 1, + .key_len = 24, + .iv_len = 16, + .flags = EVP_CIPH_CFB_MODE, + .init = aesni_init_key, + .do_cipher = aes_cfb8_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_192_cfb8 = { + .nid = NID_aes_192_cfb8, + .block_size = 1, + .key_len = 24, + .iv_len = 16, + .flags = EVP_CIPH_CFB_MODE, + .init = aes_init_key, + .do_cipher = aes_cfb8_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_192_cfb8(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_192_cfb8 : &aes_192_cfb8; +#else + return &aes_192_cfb8; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_192_ctr = { + .nid = NID_aes_192_ctr, + .block_size = 1, + .key_len = 24, + .iv_len = 16, + .flags = EVP_CIPH_CTR_MODE, + .init = aesni_init_key, + .do_cipher = aes_ctr_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_192_ctr = { + .nid = NID_aes_192_ctr, + .block_size = 1, + .key_len = 24, + .iv_len = 16, + .flags = EVP_CIPH_CTR_MODE, + .init = aes_init_key, + .do_cipher = aes_ctr_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_192_ctr(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? 
&aesni_192_ctr : &aes_192_ctr; +#else + return &aes_192_ctr; +#endif +} + + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_256_cbc = { + .nid = NID_aes_256_cbc, + .block_size = 16, + .key_len = 32, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, + .init = aesni_init_key, + .do_cipher = aesni_cbc_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_256_cbc = { + .nid = NID_aes_256_cbc, + .block_size = 16, + .key_len = 32, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE, + .init = aes_init_key, + .do_cipher = aes_cbc_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_256_cbc(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_256_cbc : &aes_256_cbc; +#else + return &aes_256_cbc; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_256_ecb = { + .nid = NID_aes_256_ecb, + .block_size = 16, + .key_len = 32, + .iv_len = 0, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, + .init = aesni_init_key, + .do_cipher = aesni_ecb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_256_ecb = { + .nid = NID_aes_256_ecb, + .block_size = 16, + .key_len = 32, + .iv_len = 0, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE, + .init = aes_init_key, + .do_cipher = aes_ecb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_256_ecb(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? 
&aesni_256_ecb : &aes_256_ecb; +#else + return &aes_256_ecb; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_256_ofb = { + .nid = NID_aes_256_ofb128, + .block_size = 1, + .key_len = 32, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, + .init = aesni_init_key, + .do_cipher = aes_ofb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_256_ofb = { + .nid = NID_aes_256_ofb128, + .block_size = 1, + .key_len = 32, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE, + .init = aes_init_key, + .do_cipher = aes_ofb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_256_ofb(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_256_ofb : &aes_256_ofb; +#else + return &aes_256_ofb; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_256_cfb = { + .nid = NID_aes_256_cfb128, + .block_size = 1, + .key_len = 32, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, + .init = aesni_init_key, + .do_cipher = aes_cfb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_256_cfb = { + .nid = NID_aes_256_cfb128, + .block_size = 1, + .key_len = 32, + .iv_len = 16, + .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE, + .init = aes_init_key, + .do_cipher = aes_cfb_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_256_cfb(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? 
&aesni_256_cfb : &aes_256_cfb; +#else + return &aes_256_cfb; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_256_cfb1 = { + .nid = NID_aes_256_cfb1, + .block_size = 1, + .key_len = 32, + .iv_len = 16, + .flags = EVP_CIPH_CFB_MODE, + .init = aesni_init_key, + .do_cipher = aes_cfb1_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_256_cfb1 = { + .nid = NID_aes_256_cfb1, + .block_size = 1, + .key_len = 32, + .iv_len = 16, + .flags = EVP_CIPH_CFB_MODE, + .init = aes_init_key, + .do_cipher = aes_cfb1_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_256_cfb1(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_256_cfb1 : &aes_256_cfb1; +#else + return &aes_256_cfb1; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_256_cfb8 = { + .nid = NID_aes_256_cfb8, + .block_size = 1, + .key_len = 32, + .iv_len = 16, + .flags = EVP_CIPH_CFB_MODE, + .init = aesni_init_key, + .do_cipher = aes_cfb8_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_256_cfb8 = { + .nid = NID_aes_256_cfb8, + .block_size = 1, + .key_len = 32, + .iv_len = 16, + .flags = EVP_CIPH_CFB_MODE, + .init = aes_init_key, + .do_cipher = aes_cfb8_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_256_cfb8(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? 
&aesni_256_cfb8 : &aes_256_cfb8; +#else + return &aes_256_cfb8; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_256_ctr = { + .nid = NID_aes_256_ctr, + .block_size = 1, + .key_len = 32, + .iv_len = 16, + .flags = EVP_CIPH_CTR_MODE, + .init = aesni_init_key, + .do_cipher = aes_ctr_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; +#endif + +static const EVP_CIPHER aes_256_ctr = { + .nid = NID_aes_256_ctr, + .block_size = 1, + .key_len = 32, + .iv_len = 16, + .flags = EVP_CIPH_CTR_MODE, + .init = aes_init_key, + .do_cipher = aes_ctr_cipher, + .ctx_size = sizeof(EVP_AES_KEY), +}; + +const EVP_CIPHER * +EVP_aes_256_ctr(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_256_ctr : &aes_256_ctr; +#else + return &aes_256_ctr; +#endif +} static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) @@ -691,7 +1262,9 @@ aes_gcm_cleanup(EVP_CIPHER_CTX *c) if (gctx->iv != c->iv) free(gctx->iv); + explicit_bzero(gctx, sizeof(*gctx)); + return 1; } 
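Review bot: With `BLOCK_CIPHER_generic_pack` gone, nothing in the new tables records the invariant they depend on: each `aesni_*` definition must match its `aes_*` twin in every field except `.init` and `.do_cipher`, and a slip in one twin (`.key_len`, `.nid`, `.flags`) would now change behaviour only on AES-NI hardware, where `EVP_aes_*()` picks the `aesni_*` table at run time. I compared the 42 visible tables and found no mismatch, but I would pin this with a comment above `aesni_128_cbc`: `/* Each aesni_* table must agree with its aes_* twin in all fields but .init/.do_cipher; EVP_aes_*() chooses between them via AESNI_CAPABLE at run time. */` and, if the EVP regression tests do not already, have them assert `EVP_CIPHER_nid()`, `EVP_CIPHER_key_length()` and `EVP_CIPHER_iv_length()` for every `EVP_aes_*()` on both an AES-NI and a non-AES-NI run. Note also that `EVP_CIPH_FLAG_FIPS`, which the removed `BLOCK_CIPHER_generic_pack` calls OR'ed in, is absent from every new `.flags`; presumably intentional, but it is an observable `EVP_CIPHER_flags()` change worth stating in the commit message.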
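Review bot: The new `explicit_bzero(gctx, sizeof(*gctx))` sits after `free(gctx->iv)`, which is the right order, and it has a second effect worth a comment: it leaves `gctx->iv` NULL, so a repeated cleanup of the same context reaches `free(NULL)` instead of a double free (assuming `c->iv` is the inline array it appears to be, so `NULL != c->iv` holds). I would say so inline: `/* Wipe the rest of the GCM context; this also nulls gctx->iv, so a second cleanup is harmless. */`. The XTS and CCM tables later in this diff keep `.cleanup = NULL`, so whether their key schedules are wiped depends on the generic `EVP_CIPHER_CTX_cleanup()` zeroing `cipher_data`, which is not visible here; if it does not, they deserve the same treatment. The enclosing `aes_gcm_cleanup` begins before the hunk.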
@@ -1061,12 +1634,120 @@ aes_gcm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | \ EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) -BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, - EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) -BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM, - EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) -BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM, - EVP_CIPH_FLAG_FIPS|EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS) + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_128_gcm = { + .nid = NID_aes_128_gcm, + .block_size = 1, + .key_len = 16, + .iv_len = 12, + .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, + .init = aesni_gcm_init_key, + .do_cipher = aes_gcm_cipher, + .cleanup = aes_gcm_cleanup, + .ctx_size = sizeof(EVP_AES_GCM_CTX), + .ctrl = aes_gcm_ctrl, +}; +#endif + +static const EVP_CIPHER aes_128_gcm = { + .nid = NID_aes_128_gcm, + .block_size = 1, + .key_len = 16, + .iv_len = 12, + .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, + .init = aes_gcm_init_key, + .do_cipher = aes_gcm_cipher, + .cleanup = aes_gcm_cleanup, + .ctx_size = sizeof(EVP_AES_GCM_CTX), + .ctrl = aes_gcm_ctrl, +}; + +const EVP_CIPHER * +EVP_aes_128_gcm(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? 
&aesni_128_gcm : &aes_128_gcm; +#else + return &aes_128_gcm; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_192_gcm = { + .nid = NID_aes_192_gcm, + .block_size = 1, + .key_len = 24, + .iv_len = 12, + .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, + .init = aesni_gcm_init_key, + .do_cipher = aes_gcm_cipher, + .cleanup = aes_gcm_cleanup, + .ctx_size = sizeof(EVP_AES_GCM_CTX), + .ctrl = aes_gcm_ctrl, +}; +#endif + +static const EVP_CIPHER aes_192_gcm = { + .nid = NID_aes_192_gcm, + .block_size = 1, + .key_len = 24, + .iv_len = 12, + .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, + .init = aes_gcm_init_key, + .do_cipher = aes_gcm_cipher, + .cleanup = aes_gcm_cleanup, + .ctx_size = sizeof(EVP_AES_GCM_CTX), + .ctrl = aes_gcm_ctrl, +}; + +const EVP_CIPHER * +EVP_aes_192_gcm(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_192_gcm : &aes_192_gcm; +#else + return &aes_192_gcm; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_256_gcm = { + .nid = NID_aes_256_gcm, + .block_size = 1, + .key_len = 32, + .iv_len = 12, + .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, + .init = aesni_gcm_init_key, + .do_cipher = aes_gcm_cipher, + .cleanup = aes_gcm_cleanup, + .ctx_size = sizeof(EVP_AES_GCM_CTX), + .ctrl = aes_gcm_ctrl, +}; +#endif + +static const EVP_CIPHER aes_256_gcm = { + .nid = NID_aes_256_gcm, + .block_size = 1, + .key_len = 32, + .iv_len = 12, + .flags = EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE, + .init = aes_gcm_init_key, + .do_cipher = aes_gcm_cipher, + .cleanup = aes_gcm_cleanup, + .ctx_size = sizeof(EVP_AES_GCM_CTX), + .ctrl = aes_gcm_ctrl, +}; + +const EVP_CIPHER * +EVP_aes_256_gcm(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_256_gcm : &aes_256_gcm; +#else + return &aes_256_gcm; +#endif +} static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 
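Review bot: The `.flags` initialisers in the six GCM tables mix spacing styles, `EVP_CIPH_FLAG_AEAD_CIPHER|CUSTOM_FLAGS | EVP_CIPH_GCM_MODE`, a leftover of the macro-argument text; now that each table is written out it should read `EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS | EVP_CIPH_GCM_MODE` like the other tables in this file. As in the generic tables, `EVP_CIPH_FLAG_FIPS` from the removed `BLOCK_CIPHER_custom` calls is dropped; fine if intentional, but it changes what `EVP_CIPHER_flags()` reports for GCM and should be called out rather than slip in silently.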
@@ -1191,14 +1872,86 @@ aes_xts_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return 1; } -#define aes_xts_cleanup NULL - #define XTS_FLAGS \ ( EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CUSTOM_IV | \ EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | EVP_CIPH_CUSTOM_COPY ) -BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS) -BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, EVP_CIPH_FLAG_FIPS|XTS_FLAGS) + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_128_xts = { + .nid = NID_aes_128_xts, + .block_size = 1, + .key_len = 2 * 16, + .iv_len = 16, + .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, + .init = aesni_xts_init_key, + .do_cipher = aes_xts_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_AES_XTS_CTX), + .ctrl = aes_xts_ctrl, +}; +#endif + +static const EVP_CIPHER aes_128_xts = { + .nid = NID_aes_128_xts, + .block_size = 1, + .key_len = 2 * 16, + .iv_len = 16, + .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, + .init = aes_xts_init_key, + .do_cipher = aes_xts_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_AES_XTS_CTX), + .ctrl = aes_xts_ctrl, +}; + +const EVP_CIPHER * +EVP_aes_128_xts(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? 
&aesni_128_xts : &aes_128_xts; +#else + return &aes_128_xts; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_256_xts = { + .nid = NID_aes_256_xts, + .block_size = 1, + .key_len = 2 * 32, + .iv_len = 16, + .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, + .init = aesni_xts_init_key, + .do_cipher = aes_xts_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_AES_XTS_CTX), + .ctrl = aes_xts_ctrl, +}; +#endif + +static const EVP_CIPHER aes_256_xts = { + .nid = NID_aes_256_xts, + .block_size = 1, + .key_len = 2 * 32, + .iv_len = 16, + .flags = XTS_FLAGS | EVP_CIPH_XTS_MODE, + .init = aes_xts_init_key, + .do_cipher = aes_xts_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_AES_XTS_CTX), + .ctrl = aes_xts_ctrl, +}; + +const EVP_CIPHER * +EVP_aes_256_xts(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_256_xts : &aes_256_xts; +#else + return &aes_256_xts; +#endif +} static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) 
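Review bot: The four XTS tables set `.cleanup = NULL` although `EVP_AES_XTS_CTX` carries two expanded key schedules (the `.key_len = 2 * 16` / `2 * 32` shows two AES keys), so unlike GCM in this same diff nothing here wipes them; that is only safe if the generic `EVP_CIPHER_CTX_cleanup()` zeroes `cipher_data`, which is outside this view. If it does not, give XTS a cleanup that does `explicit_bzero(c->cipher_data, sizeof(EVP_AES_XTS_CTX))`. Two documentation points as well: `.key_len = 2 * 16` deserves `/* XTS: two AES keys (data and tweak) */` since the doubled length is otherwise surprising, and `aes_xts_init_key` (outside the hunk) should reject `key1 == key2`, since IEEE 1619 / SP 800-38E require distinct keys; if it already does, a comment on the table pointing at that check would help the next reader.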
@@ -1358,14 +2111,119 @@ aes_ccm_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, } -#define aes_ccm_cleanup NULL +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_128_ccm = { + .nid = NID_aes_128_ccm, + .block_size = 1, + .key_len = 16, + .iv_len = 12, + .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, + .init = aesni_ccm_init_key, + .do_cipher = aes_ccm_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_AES_CCM_CTX), + .ctrl = aes_ccm_ctrl, +}; +#endif -BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, - EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) -BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM, - EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) -BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM, - EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS) +static const EVP_CIPHER aes_128_ccm = { + .nid = NID_aes_128_ccm, + .block_size = 1, + .key_len = 16, + .iv_len = 12, + .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, + .init = aes_ccm_init_key, + .do_cipher = aes_ccm_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_AES_CCM_CTX), + .ctrl = aes_ccm_ctrl, +}; + +const EVP_CIPHER * +EVP_aes_128_ccm(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_128_ccm : &aes_128_ccm; +#else + return &aes_128_ccm; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_192_ccm = { + .nid = NID_aes_192_ccm, + .block_size = 1, + .key_len = 24, + .iv_len = 12, + .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, + .init = aesni_ccm_init_key, + .do_cipher = aes_ccm_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_AES_CCM_CTX), + .ctrl = aes_ccm_ctrl, +}; +#endif + +static const EVP_CIPHER aes_192_ccm = { + .nid = NID_aes_192_ccm, + .block_size = 1, + .key_len = 24, + .iv_len = 12, + .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, + .init = aes_ccm_init_key, + .do_cipher = aes_ccm_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_AES_CCM_CTX), + .ctrl = aes_ccm_ctrl, +}; + +const EVP_CIPHER * +EVP_aes_192_ccm(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? 
&aesni_192_ccm : &aes_192_ccm; +#else + return &aes_192_ccm; +#endif +} + +#ifdef AESNI_CAPABLE +static const EVP_CIPHER aesni_256_ccm = { + .nid = NID_aes_256_ccm, + .block_size = 1, + .key_len = 32, + .iv_len = 12, + .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, + .init = aesni_ccm_init_key, + .do_cipher = aes_ccm_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_AES_CCM_CTX), + .ctrl = aes_ccm_ctrl, +}; +#endif + +static const EVP_CIPHER aes_256_ccm = { + .nid = NID_aes_256_ccm, + .block_size = 1, + .key_len = 32, + .iv_len = 12, + .flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE, + .init = aes_ccm_init_key, + .do_cipher = aes_ccm_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_AES_CCM_CTX), + .ctrl = aes_ccm_ctrl, +}; + +const EVP_CIPHER * +EVP_aes_256_ccm(void) +{ +#ifdef AESNI_CAPABLE + return AESNI_CAPABLE ? &aesni_256_ccm : &aes_256_ccm; +#else + return &aes_256_ccm; +#endif +} #define EVP_AEAD_AES_GCM_TAG_LEN 16 diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c index eef9c28..9cde386 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.16 2021/12/12 21:30:13 tb Exp $ */ +/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.17 2022/11/26 16:08:52 tb Exp $ */ /* ==================================================================== * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved. * @@ -60,8 +60,8 @@ #include #include -#include "constant_time_locl.h" -#include "evp_locl.h" +#include "constant_time.h" +#include "evp_local.h" #define TLS1_1_VERSION 0x0302 diff --git a/crypto/evp/e_bf.c b/crypto/evp/e_bf.c index 615c9bd..c2ab317 100644 --- a/crypto/evp/e_bf.c +++ b/crypto/evp/e_bf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_bf.c,v 1.8 2014/07/11 08:44:48 jsing Exp $ */ +/* $OpenBSD: e_bf.c,v 1.15 2022/11/26 16:08:52 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
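Review bot: The six CCM tables set `.flags = CUSTOM_FLAGS | EVP_CIPH_CCM_MODE` without `EVP_CIPH_FLAG_AEAD_CIPHER`, while the GCM tables in this diff carry it; any caller that keys on that flag to route AEAD ciphers (e.g. to refuse them in plain-cipher paths such as the `enc` utility) will treat CCM as an ordinary cipher. The removed `BLOCK_CIPHER_custom(NID_aes, ..., ccm, CCM, EVP_CIPH_FLAG_FIPS|CUSTOM_FLAGS)` calls had the same omission, so this is pre-existing, but now that every table spells out its flags this is the place to decide: either add it, `.flags = EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS | EVP_CIPH_CCM_MODE,`, or put a comment on the tables saying why CCM is deliberately not advertised as AEAD. Also, unlike GCM, these tables use `.cleanup = NULL`, so the key schedule in `EVP_AES_CCM_CTX` is wiped only if the generic context cleanup zeroes `cipher_data`, which I cannot confirm from here.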
@@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include #include #include @@ -66,20 +67,13 @@ #include #include -#include "evp_locl.h" - -static int bf_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc); +#include "evp_local.h" typedef struct { BF_KEY ks; } EVP_BF_KEY; -#define data(ctx) EVP_C_DATA(EVP_BF_KEY,ctx) - -IMPLEMENT_BLOCK_CIPHER(bf, ks, BF, EVP_BF_KEY, NID_bf, 8, 16, 8, 64, - EVP_CIPH_VARIABLE_LENGTH, bf_init_key, NULL, - EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) +#define data(ctx) ((EVP_BF_KEY *)(ctx)->cipher_data) static int bf_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 
@@ -88,4 +82,166 @@ bf_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, BF_set_key(&data(ctx)->ks, EVP_CIPHER_CTX_key_length(ctx), key); return 1; } + +static int +bf_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = LONG_MAX & ~0xff; + + while (inl >= chunk) { + BF_cbc_encrypt(in, out, (long)chunk, &((EVP_BF_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + } + + if (inl) + BF_cbc_encrypt(in, out, (long)inl, &((EVP_BF_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt); + + return 1; +} + +static int +bf_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = LONG_MAX & ~0xff; + + if (inl < chunk) + chunk = inl; + + while (inl && inl >= chunk) { + BF_cfb64_encrypt(in, out, (long)chunk, &((EVP_BF_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + if (inl < chunk) + chunk = inl; + } + + return 1; +} + +static int +bf_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t i, bl; + + bl = ctx->cipher->block_size; + + if (inl < bl) + return 1; + + inl -= bl; + + for (i = 0; i <= inl; i += bl) + BF_ecb_encrypt(in + i, out + i, &((EVP_BF_KEY *)ctx->cipher_data)->ks, ctx->encrypt); + + return 1; +} + +static int +bf_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = LONG_MAX & ~0xff; + + while (inl >= chunk) { + BF_ofb64_encrypt(in, out, (long)chunk, &((EVP_BF_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num); + inl -= chunk; + in += chunk; + out += chunk; + } + + if (inl) + BF_ofb64_encrypt(in, out, (long)inl, &((EVP_BF_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num); + + return 1; +} + +static const EVP_CIPHER bf_cbc = { + .nid = NID_bf_cbc, + .block_size = 8, + .key_len = 16, + .iv_len = 8, + .flags = EVP_CIPH_VARIABLE_LENGTH | 
EVP_CIPH_CBC_MODE, + .init = bf_init_key, + .do_cipher = bf_cbc_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_BF_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_bf_cbc(void) +{ + return &bf_cbc; +} + +static const EVP_CIPHER bf_cfb64 = { + .nid = NID_bf_cfb64, + .block_size = 1, + .key_len = 16, + .iv_len = 8, + .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CFB_MODE, + .init = bf_init_key, + .do_cipher = bf_cfb64_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_BF_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_bf_cfb64(void) +{ + return &bf_cfb64; +} + +static const EVP_CIPHER bf_ofb = { + .nid = NID_bf_ofb64, + .block_size = 1, + .key_len = 16, + .iv_len = 8, + .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_OFB_MODE, + .init = bf_init_key, + .do_cipher = bf_ofb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_BF_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_bf_ofb(void) +{ + return &bf_ofb; +} + +static const EVP_CIPHER bf_ecb = { + .nid = NID_bf_ecb, + .block_size = 8, + .key_len = 16, + .iv_len = 0, + .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_ECB_MODE, + .init = bf_init_key, + .do_cipher = bf_ecb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_BF_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_bf_ecb(void) +{ + return &bf_ecb; +} #endif diff --git a/crypto/evp/e_camellia.c b/crypto/evp/e_camellia.c index 70dad7e..884f8ce 100644 --- a/crypto/evp/e_camellia.c +++ b/crypto/evp/e_camellia.c 
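Review bot: The new `bf_cbc_cipher`/`bf_cfb64_cipher`/`bf_ecb_cipher`/`bf_ofb_cipher` spell out `&((EVP_BF_KEY *)ctx->cipher_data)->ks` on every call even though the same file keeps `#define data(ctx) ((EVP_BF_KEY *)(ctx)->cipher_data)` and `bf_init_key` uses `data(ctx)->ks`; pick one, preferably `&data(ctx)->ks`, which also brings these 130-column lines back within the file's existing wrapping. The non-obvious chunking deserves a comment, since the `(long)chunk` casts show why it exists: `/* BF_*_encrypt take a long length; split inl into LONG_MAX-sized chunks rounded down to a multiple of the block size */` above `size_t chunk = LONG_MAX & ~0xff;`. The `bf_ecb_cipher` early return on `inl < bl` silently drops a partial block, which matches the old macro and relies on the EVP layer only passing whole blocks for ECB; a one-line comment saying so would spare the next reader a worry.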
@@ -1,4 +1,4 @@ -/* $OpenBSD: e_camellia.c,v 1.9 2021/12/12 21:30:13 tb Exp $ */ +/* $OpenBSD: e_camellia.c,v 1.16 2022/11/26 16:08:52 tb Exp $ */ /* ==================================================================== * Copyright (c) 2006 The OpenSSL Project. All rights reserved. * @@ -62,10 +62,7 @@ #include #include -#include "evp_locl.h" - -static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc); +#include "evp_local.h" /* Camellia subkey Structure */ typedef struct { @@ -73,39 +70,8 @@ typedef struct { } EVP_CAMELLIA_KEY; /* Attribute operation for Camellia */ -#define data(ctx) EVP_C_DATA(EVP_CAMELLIA_KEY,ctx) +#define data(ctx) ((EVP_CAMELLIA_KEY *)(ctx)->cipher_data) -IMPLEMENT_BLOCK_CIPHER(camellia_128, ks, Camellia, EVP_CAMELLIA_KEY, - NID_camellia_128, 16, 16, 16, 128, - 0, camellia_init_key, NULL, - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, - NULL) -IMPLEMENT_BLOCK_CIPHER(camellia_192, ks, Camellia, EVP_CAMELLIA_KEY, - NID_camellia_192, 16, 24, 16, 128, - 0, camellia_init_key, NULL, - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, - NULL) -IMPLEMENT_BLOCK_CIPHER(camellia_256, ks, Camellia, EVP_CAMELLIA_KEY, - NID_camellia_256, 16, 32, 16, 128, - 0, camellia_init_key, NULL, - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, - NULL) - -#define IMPLEMENT_CAMELLIA_CFBR(ksize,cbits) IMPLEMENT_CFBR(camellia,Camellia,EVP_CAMELLIA_KEY,ks,ksize,cbits,16) - -IMPLEMENT_CAMELLIA_CFBR(128, 1) -IMPLEMENT_CAMELLIA_CFBR(192, 1) -IMPLEMENT_CAMELLIA_CFBR(256, 1) - -IMPLEMENT_CAMELLIA_CFBR(128, 8) -IMPLEMENT_CAMELLIA_CFBR(192, 8) -IMPLEMENT_CAMELLIA_CFBR(256, 8) - - -/* The subkey for Camellia is generated. */ static int camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) 
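Review bot: The hunk keeps `#define data(ctx) ((EVP_CAMELLIA_KEY *)(ctx)->cipher_data)` but the per-mode functions introduced right after it (visible below, in a hunk truncated here) use `&((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks` instead, presumably leaving `camellia_init_key` as the macro's only user; either write the new functions as `&data(ctx)->ks` or drop the macro. Since this file and e_bf.c now carry the same hand-expanded code shape, keeping the accessor consistent between them matters more than it did under `IMPLEMENT_BLOCK_CIPHER`.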
@@ -121,4 +87,737 @@ camellia_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, return 1; } + +static int +camellia_128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + while (inl >= EVP_MAXCHUNK) { + Camellia_cbc_encrypt(in, out, EVP_MAXCHUNK, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt); + inl -= EVP_MAXCHUNK; + in += EVP_MAXCHUNK; + out += EVP_MAXCHUNK; + } + + if (inl) + Camellia_cbc_encrypt(in, out, inl, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt); + + return 1; +} + +static int +camellia_128_cfb128_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = EVP_MAXCHUNK; + + if (inl < chunk) + chunk = inl; + + while (inl && inl >= chunk) { + Camellia_cfb128_encrypt(in, out, chunk, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + if (inl < chunk) + chunk = inl; + } + + return 1; +} + +static int +camellia_128_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t i, bl; + + bl = ctx->cipher->block_size; + + if (inl < bl) + return 1; + + inl -= bl; + + for (i = 0; i <= inl; i += bl) + Camellia_ecb_encrypt(in + i, out + i, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->encrypt); + + return 1; +} + +static int +camellia_128_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + while (inl >= EVP_MAXCHUNK) { + Camellia_ofb128_encrypt(in, out, EVP_MAXCHUNK, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num); + inl -= EVP_MAXCHUNK; + in += EVP_MAXCHUNK; + out += EVP_MAXCHUNK; + } + + if (inl) + Camellia_ofb128_encrypt(in, out, inl, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num); + + return 1; +} + +static const EVP_CIPHER camellia_128_cbc = { + .nid = NID_camellia_128_cbc, + .block_size = 16, + .key_len = 16, + .iv_len = 16, + 
.flags = 0 | EVP_CIPH_CBC_MODE, + .init = camellia_init_key, + .do_cipher = camellia_128_cbc_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_128_cbc(void) +{ + return &camellia_128_cbc; +} + +static const EVP_CIPHER camellia_128_cfb128 = { + .nid = NID_camellia_128_cfb128, + .block_size = 1, + .key_len = 16, + .iv_len = 16, + .flags = 0 | EVP_CIPH_CFB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_128_cfb128_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_128_cfb128(void) +{ + return &camellia_128_cfb128; +} + +static const EVP_CIPHER camellia_128_ofb = { + .nid = NID_camellia_128_ofb128, + .block_size = 1, + .key_len = 16, + .iv_len = 16, + .flags = 0 | EVP_CIPH_OFB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_128_ofb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_128_ofb(void) +{ + return &camellia_128_ofb; +} + +static const EVP_CIPHER camellia_128_ecb = { + .nid = NID_camellia_128_ecb, + .block_size = 16, + .key_len = 16, + .iv_len = 0, + .flags = 0 | EVP_CIPH_ECB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_128_ecb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_128_ecb(void) +{ + return &camellia_128_ecb; +} + +static int +camellia_192_cbc_cipher(EVP_CIPHER_CTX 
*ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + while (inl >= EVP_MAXCHUNK) { + Camellia_cbc_encrypt(in, out, EVP_MAXCHUNK, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt); + inl -= EVP_MAXCHUNK; + in += EVP_MAXCHUNK; + out += EVP_MAXCHUNK; + } + + if (inl) + Camellia_cbc_encrypt(in, out, inl, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt); + + return 1; +} + +static int +camellia_192_cfb128_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = EVP_MAXCHUNK; + + if (inl < chunk) + chunk = inl; + + while (inl && inl >= chunk) { + Camellia_cfb128_encrypt(in, out, chunk, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + if (inl < chunk) + chunk = inl; + } + + return 1; +} + +static int +camellia_192_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t i, bl; + + bl = ctx->cipher->block_size; + + if (inl < bl) + return 1; + + inl -= bl; + + for (i = 0; i <= inl; i += bl) + Camellia_ecb_encrypt(in + i, out + i, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->encrypt); + + return 1; +} + +static int +camellia_192_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + while (inl >= EVP_MAXCHUNK) { + Camellia_ofb128_encrypt(in, out, EVP_MAXCHUNK, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num); + inl -= EVP_MAXCHUNK; + in += EVP_MAXCHUNK; + out += EVP_MAXCHUNK; + } + + if (inl) + Camellia_ofb128_encrypt(in, out, inl, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num); + + return 1; +} + +static const EVP_CIPHER camellia_192_cbc = { + .nid = NID_camellia_192_cbc, + .block_size = 16, + .key_len = 24, + .iv_len = 16, + .flags = 0 | EVP_CIPH_CBC_MODE, + .init = camellia_init_key, + .do_cipher = camellia_192_cbc_cipher, + .cleanup = NULL, + .ctx_size = 
sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_192_cbc(void) +{ + return &camellia_192_cbc; +} + +static const EVP_CIPHER camellia_192_cfb128 = { + .nid = NID_camellia_192_cfb128, + .block_size = 1, + .key_len = 24, + .iv_len = 16, + .flags = 0 | EVP_CIPH_CFB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_192_cfb128_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_192_cfb128(void) +{ + return &camellia_192_cfb128; +} + +static const EVP_CIPHER camellia_192_ofb = { + .nid = NID_camellia_192_ofb128, + .block_size = 1, + .key_len = 24, + .iv_len = 16, + .flags = 0 | EVP_CIPH_OFB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_192_ofb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_192_ofb(void) +{ + return &camellia_192_ofb; +} + +static const EVP_CIPHER camellia_192_ecb = { + .nid = NID_camellia_192_ecb, + .block_size = 16, + .key_len = 24, + .iv_len = 0, + .flags = 0 | EVP_CIPH_ECB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_192_ecb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_192_ecb(void) +{ + return &camellia_192_ecb; +} + +static int +camellia_256_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + while (inl >= EVP_MAXCHUNK) { + Camellia_cbc_encrypt(in, out, 
EVP_MAXCHUNK, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt); + inl -= EVP_MAXCHUNK; + in += EVP_MAXCHUNK; + out += EVP_MAXCHUNK; + } + + if (inl) + Camellia_cbc_encrypt(in, out, inl, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt); + + return 1; +} + +static int +camellia_256_cfb128_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = EVP_MAXCHUNK; + + if (inl < chunk) + chunk = inl; + + while (inl && inl >= chunk) { + Camellia_cfb128_encrypt(in, out, chunk, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + if (inl < chunk) + chunk = inl; + } + + return 1; +} + +static int +camellia_256_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t i, bl; + + bl = ctx->cipher->block_size; + + if (inl < bl) + return 1; + + inl -= bl; + + for (i = 0; i <= inl; i += bl) + Camellia_ecb_encrypt(in + i, out + i, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->encrypt); + + return 1; +} + +static int +camellia_256_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + while (inl >= EVP_MAXCHUNK) { + Camellia_ofb128_encrypt(in, out, EVP_MAXCHUNK, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num); + inl -= EVP_MAXCHUNK; + in += EVP_MAXCHUNK; + out += EVP_MAXCHUNK; + } + + if (inl) + Camellia_ofb128_encrypt(in, out, inl, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num); + + return 1; +} + +static const EVP_CIPHER camellia_256_cbc = { + .nid = NID_camellia_256_cbc, + .block_size = 16, + .key_len = 32, + .iv_len = 16, + .flags = 0 | EVP_CIPH_CBC_MODE, + .init = camellia_init_key, + .do_cipher = camellia_256_cbc_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + 
.app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_256_cbc(void) +{ + return &camellia_256_cbc; +} + +static const EVP_CIPHER camellia_256_cfb128 = { + .nid = NID_camellia_256_cfb128, + .block_size = 1, + .key_len = 32, + .iv_len = 16, + .flags = 0 | EVP_CIPH_CFB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_256_cfb128_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_256_cfb128(void) +{ + return &camellia_256_cfb128; +} + +static const EVP_CIPHER camellia_256_ofb = { + .nid = NID_camellia_256_ofb128, + .block_size = 1, + .key_len = 32, + .iv_len = 16, + .flags = 0 | EVP_CIPH_OFB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_256_ofb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_256_ofb(void) +{ + return &camellia_256_ofb; +} + +static const EVP_CIPHER camellia_256_ecb = { + .nid = NID_camellia_256_ecb, + .block_size = 16, + .key_len = 32, + .iv_len = 0, + .flags = 0 | EVP_CIPH_ECB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_256_ecb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_256_ecb(void) +{ + return &camellia_256_ecb; +} + +static int +camellia_128_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = EVP_MAXCHUNK; + + chunk >>= 3; + + if (inl < chunk) + chunk = inl; + + while (inl && inl >= chunk) { + Camellia_cfb1_encrypt(in, out, ((1 == 1) && !(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) ? 
chunk * 8 : chunk), &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + if (inl < chunk) + chunk = inl; + } + + return 1; +} + +static const EVP_CIPHER camellia_128_cfb1 = { + .nid = NID_camellia_128_cfb1, + .block_size = 1, + .key_len = 128/8, + .iv_len = 16, + .flags = 0 | EVP_CIPH_CFB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_128_cfb1_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_128_cfb1(void) +{ + return &camellia_128_cfb1; +} + +static int +camellia_192_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = EVP_MAXCHUNK; + + chunk >>= 3; + + if (inl < chunk) + chunk = inl; + + while (inl && inl >= chunk) { + Camellia_cfb1_encrypt(in, out, ((1 == 1) && !(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) ? 
chunk * 8 : chunk), &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + if (inl < chunk) + chunk = inl; + } + + return 1; +} + +static const EVP_CIPHER camellia_192_cfb1 = { + .nid = NID_camellia_192_cfb1, + .block_size = 1, + .key_len = 192/8, + .iv_len = 16, + .flags = 0 | EVP_CIPH_CFB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_192_cfb1_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_192_cfb1(void) +{ + return &camellia_192_cfb1; +} + +static int +camellia_256_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = EVP_MAXCHUNK; + + chunk >>= 3; + + if (inl < chunk) + chunk = inl; + + while (inl && inl >= chunk) { + Camellia_cfb1_encrypt(in, out, ((1 == 1) && !(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) ? 
chunk * 8 : chunk), &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + if (inl < chunk) + chunk = inl; + } + + return 1; +} + +static const EVP_CIPHER camellia_256_cfb1 = { + .nid = NID_camellia_256_cfb1, + .block_size = 1, + .key_len = 256/8, + .iv_len = 16, + .flags = 0 | EVP_CIPH_CFB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_256_cfb1_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_256_cfb1(void) +{ + return &camellia_256_cfb1; +} + + +static int +camellia_128_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = EVP_MAXCHUNK; + + if (inl < chunk) + chunk = inl; + + while (inl && inl >= chunk) { + Camellia_cfb8_encrypt(in, out, chunk, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + if (inl < chunk) + chunk = inl; + } + + return 1; +} + +static const EVP_CIPHER camellia_128_cfb8 = { + .nid = NID_camellia_128_cfb8, + .block_size = 1, + .key_len = 128/8, + .iv_len = 16, + .flags = 0 | EVP_CIPH_CFB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_128_cfb8_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_128_cfb8(void) +{ + return &camellia_128_cfb8; +} + +static int +camellia_192_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = EVP_MAXCHUNK; + + if (inl < chunk) + chunk = inl; + + while (inl && inl >= chunk) { + Camellia_cfb8_encrypt(in, out, chunk, &((EVP_CAMELLIA_KEY 
*)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + if (inl < chunk) + chunk = inl; + } + + return 1; +} + +static const EVP_CIPHER camellia_192_cfb8 = { + .nid = NID_camellia_192_cfb8, + .block_size = 1, + .key_len = 192/8, + .iv_len = 16, + .flags = 0 | EVP_CIPH_CFB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_192_cfb8_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_192_cfb8(void) +{ + return &camellia_192_cfb8; +} + +static int +camellia_256_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = EVP_MAXCHUNK; + + if (inl < chunk) + chunk = inl; + + while (inl && inl >= chunk) { + Camellia_cfb8_encrypt(in, out, chunk, &((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + if (inl < chunk) + chunk = inl; + } + + return 1; +} + +static const EVP_CIPHER camellia_256_cfb8 = { + .nid = NID_camellia_256_cfb8, + .block_size = 1, + .key_len = 256/8, + .iv_len = 16, + .flags = 0 | EVP_CIPH_CFB_MODE, + .init = camellia_init_key, + .do_cipher = camellia_256_cfb8_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAMELLIA_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_camellia_256_cfb8(void) +{ + return &camellia_256_cfb8; +} #endif diff --git a/crypto/evp/e_cast.c b/crypto/evp/e_cast.c index 707daa9..98683e1 100644 --- a/crypto/evp/e_cast.c +++ b/crypto/evp/e_cast.c 
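Review bot: The per-key-size cipher functions in this hunk are identical across 128/192/256 — camellia_128_cbc_cipher, camellia_192_cbc_cipher and camellia_256_cbc_cipher differ only in name, and the same holds for the cfb128, ecb, ofb, cfb1 and cfb8 variants — because the key size lives in the Camellia key schedule, so one static function per mode referenced from all three EVP_CIPHER tables would remove most of the duplicated lines. The cfb1 functions also carry macro residue, `((1 == 1) && !(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) ? chunk * 8 : chunk)`, which reads more plainly as `(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) ? chunk : chunk * 8`, and the `.flags = 0 | EVP_CIPH_CBC_MODE` initialisers can drop the `0 |`. The `data()` macro retained by the previous hunk is not used by any of the new functions, which spell out `&((EVP_CAMELLIA_KEY *)ctx->cipher_data)->ks` instead; pick one form. The ecb functions silently skip a trailing partial block (`if (inl < bl) return 1;` and the `i <= inl` loop), which relies on the EVP layer for alignment and deserves a one-line comment saying so.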
@@ -1,4 +1,4 @@ -/* $OpenBSD: e_cast.c,v 1.7 2014/07/11 08:44:48 jsing Exp $ */ +/* $OpenBSD: e_cast.c,v 1.14 2022/11/26 16:08:52 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include #include #include @@ -66,21 +67,13 @@ #include #include -#include "evp_locl.h" - -static int cast_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc); +#include "evp_local.h" typedef struct { CAST_KEY ks; } EVP_CAST_KEY; -#define data(ctx) EVP_C_DATA(EVP_CAST_KEY,ctx) - -IMPLEMENT_BLOCK_CIPHER(cast5, ks, CAST, EVP_CAST_KEY, - NID_cast5, 8, CAST_KEY_LENGTH, 8, 64, - EVP_CIPH_VARIABLE_LENGTH, cast_init_key, NULL, - EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) +#define data(ctx) ((EVP_CAST_KEY *)(ctx)->cipher_data) static int cast_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, 
@@ -89,4 +82,166 @@ cast_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, CAST_set_key(&data(ctx)->ks, EVP_CIPHER_CTX_key_length(ctx), key); return 1; } + +static int +cast5_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = LONG_MAX & ~0xff; + + while (inl >= chunk) { + CAST_cbc_encrypt(in, out, (long)chunk, &((EVP_CAST_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + } + + if (inl) + CAST_cbc_encrypt(in, out, (long)inl, &((EVP_CAST_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt); + + return 1; +} + +static int +cast5_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = LONG_MAX & ~0xff; + + if (inl < chunk) + chunk = inl; + + while (inl && inl >= chunk) { + CAST_cfb64_encrypt(in, out, (long)chunk, &((EVP_CAST_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + if (inl < chunk) + chunk = inl; + } + + return 1; +} + +static int +cast5_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t i, bl; + + bl = ctx->cipher->block_size; + + if (inl < bl) + return 1; + + inl -= bl; + + for (i = 0; i <= inl; i += bl) + CAST_ecb_encrypt(in + i, out + i, &((EVP_CAST_KEY *)ctx->cipher_data)->ks, ctx->encrypt); + + return 1; +} + +static int +cast5_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = LONG_MAX & ~0xff; + + while (inl >= chunk) { + CAST_ofb64_encrypt(in, out, (long)chunk, &((EVP_CAST_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num); + inl -= chunk; + in += chunk; + out += chunk; + } + + if (inl) + CAST_ofb64_encrypt(in, out, (long)inl, &((EVP_CAST_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num); + + return 1; +} + +static const EVP_CIPHER cast5_cbc = { + .nid = NID_cast5_cbc, + .block_size = 8, + .key_len = CAST_KEY_LENGTH, + 
.iv_len = 8, + .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CBC_MODE, + .init = cast_init_key, + .do_cipher = cast5_cbc_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAST_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_cast5_cbc(void) +{ + return &cast5_cbc; +} + +static const EVP_CIPHER cast5_cfb64 = { + .nid = NID_cast5_cfb64, + .block_size = 1, + .key_len = CAST_KEY_LENGTH, + .iv_len = 8, + .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CFB_MODE, + .init = cast_init_key, + .do_cipher = cast5_cfb64_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAST_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_cast5_cfb64(void) +{ + return &cast5_cfb64; +} + +static const EVP_CIPHER cast5_ofb = { + .nid = NID_cast5_ofb64, + .block_size = 1, + .key_len = CAST_KEY_LENGTH, + .iv_len = 8, + .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_OFB_MODE, + .init = cast_init_key, + .do_cipher = cast5_ofb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAST_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_cast5_ofb(void) +{ + return &cast5_ofb; +} + +static const EVP_CIPHER cast5_ecb = { + .nid = NID_cast5_ecb, + .block_size = 8, + .key_len = CAST_KEY_LENGTH, + .iv_len = 0, + .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_ECB_MODE, + .init = cast_init_key, + .do_cipher = cast5_ecb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_CAST_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_cast5_ecb(void) +{ + return &cast5_ecb; +} #endif 
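Review bot: `size_t chunk = LONG_MAX & ~0xff;` appears three times in this hunk with no explanation; as far as I can tell the reason is that the CAST_* primitives take a `long` byte count and the mask keeps the chunk a multiple of the 8-byte block, so a comment such as `/* CAST_* take a long length; keep chunks block-aligned and below LONG_MAX */` — or a single file-level constant shared by cast5_cbc_cipher, cast5_cfb64_cipher and cast5_ofb_cipher — would stop the next reader re-deriving it. cast5_ecb_cipher silently ignores a trailing partial block (`if (inl < bl) return 1;` followed by the `i <= inl` loop); that matches the BLOCK_CIPHER_ecb_loop expansion this commit inlines elsewhere and relies on the EVP layer for alignment, which is worth stating in a comment too.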
diff --git a/crypto/evp/e_chacha.c b/crypto/evp/e_chacha.c
index a27a3c6..f27ed1d 100644
--- a/crypto/evp/e_chacha.c
+++ b/crypto/evp/e_chacha.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_chacha.c,v 1.8 2020/01/26 07:47:26 tb Exp $ */
+/* $OpenBSD: e_chacha.c,v 1.10 2022/11/26 16:08:52 tb Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -23,12 +23,31 @@
 #include
 #include
-#include "evp_locl.h"
+#include "evp_local.h"
-static int chacha_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
- const unsigned char *in, size_t len);
-static int chacha_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *iv, int enc);
+static int
+chacha_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
+ const unsigned char *openssl_iv, int enc)
+{
+ if (key != NULL)
+ ChaCha_set_key((ChaCha_ctx *)ctx->cipher_data, key,
+ EVP_CIPHER_CTX_key_length(ctx) * 8);
+ if (openssl_iv != NULL) {
+ const unsigned char *iv = openssl_iv + 8;
+ const unsigned char *counter = openssl_iv;
+
+ ChaCha_set_iv((ChaCha_ctx *)ctx->cipher_data, iv, counter);
+ }
+ return 1;
+}
+
+static int
+chacha_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
+ size_t len)
+{
+ ChaCha((ChaCha_ctx *)ctx->cipher_data, out, in, len);
+ return 1;
+}
 static const EVP_CIPHER chacha20_cipher = {
 .nid = NID_chacha20,
@@ -56,28 +75,4 @@ EVP_chacha20(void)
 return (&chacha20_cipher);
 }
-static int
-chacha_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
- const unsigned char *openssl_iv, int enc)
-{
- if (key != NULL)
- ChaCha_set_key((ChaCha_ctx *)ctx->cipher_data, key,
- EVP_CIPHER_CTX_key_length(ctx) * 8);
- if (openssl_iv != NULL) {
- const unsigned char *iv = openssl_iv + 8;
- const unsigned char *counter = openssl_iv;
-
- ChaCha_set_iv((ChaCha_ctx *)ctx->cipher_data, iv, counter);
- }
- return 1;
-}
-
-static int
-chacha_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
- size_t len)
-{
- ChaCha((ChaCha_ctx *)ctx->cipher_data, out, in, len);
- return 1;
-}
-
 #endif
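Review bot: chacha_init splits the EVP IV positionally — `openssl_iv + 8` becomes the ChaCha nonce and `openssl_iv` the counter — with nothing saying what layout callers of EVP_chacha20() must supply. A comment above the split, e.g. `/* EVP IV layout: 8-byte block counter followed by the 8-byte ChaCha nonce; byte order is whatever ChaCha_set_iv expects */`, would make the contract explicit (the ChaCha_set_iv contract itself is not visible here, so I have hedged the byte-order part). The function was moved rather than changed, so this is purely a documentation request.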
diff --git a/crypto/evp/e_chacha20poly1305.c b/crypto/evp/e_chacha20poly1305.c index 4fd92eb..1bd04c1 100644 --- a/crypto/evp/e_chacha20poly1305.c +++ b/crypto/evp/e_chacha20poly1305.c @@ -1,6 +1,7 @@ -/* $OpenBSD: e_chacha20poly1305.c,v 1.21 2019/03/27 15:34:01 jsing Exp $ */ +/* $OpenBSD: e_chacha20poly1305.c,v 1.28 2023/03/01 11:16:06 tb Exp $ */ /* + * Copyright (c) 2022 Joel Sing * Copyright (c) 2015 Reyk Floter * Copyright (c) 2014, Google Inc. * @@ -29,7 +30,8 @@ #include #include -#include "evp_locl.h" +#include "bytestring.h" +#include "evp_local.h" #define POLY1305_TAG_LEN 16 @@ -99,14 +101,11 @@ poly1305_update_with_length(poly1305_state *poly1305, } static void -poly1305_update_with_pad16(poly1305_state *poly1305, - const unsigned char *data, size_t data_len) +poly1305_pad16(poly1305_state *poly1305, size_t data_len) { static const unsigned char zero_pad16[16]; size_t pad_len; - CRYPTO_poly1305_update(poly1305, data, data_len); - /* pad16() is defined in RFC 7539 2.8.1. */ if ((pad_len = data_len % 16) == 0) return; @@ -114,6 +113,14 @@ poly1305_update_with_pad16(poly1305_state *poly1305, CRYPTO_poly1305_update(poly1305, zero_pad16, 16 - pad_len); } +static void +poly1305_update_with_pad16(poly1305_state *poly1305, + const unsigned char *data, size_t data_len) +{ + CRYPTO_poly1305_update(poly1305, data, data_len); + poly1305_pad16(poly1305, data_len); +} + static int aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, size_t max_out_len, const unsigned char *nonce, 
@@ -124,21 +131,8 @@ aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, unsigned char *out,
 unsigned char poly1305_key[32];
 poly1305_state poly1305;
 const unsigned char *iv;
- const uint64_t in_len_64 = in_len;
 uint64_t ctr;
- /* The underlying ChaCha implementation may not overflow the block
- * counter into the second counter word. Therefore we disallow
- * individual operations that work on more than 2TB at a time.
- * in_len_64 is needed because, on 32-bit platforms, size_t is only
- * 32-bits and this produces a warning because it's always false.
- * Casting to uint64_t inside the conditional is not sufficient to stop
- * the warning. */
- if (in_len_64 >= (1ULL << 32) * 64 - 64) {
- EVPerror(EVP_R_TOO_LARGE);
- return 0;
- }
-
 if (max_out_len < in_len + c20_ctx->tag_len) {
 EVPerror(EVP_R_BUFFER_TOO_SMALL);
 return 0;
@@ -188,7 +182,6 @@ aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out,
 unsigned char poly1305_key[32];
 const unsigned char *iv = nonce;
 poly1305_state poly1305;
- const uint64_t in_len_64 = in_len;
 size_t plaintext_len;
 uint64_t ctr = 0;
@@ -197,18 +190,6 @@ aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out,
 return 0;
 }
- /* The underlying ChaCha implementation may not overflow the block
- * counter into the second counter word. Therefore we disallow
- * individual operations that work on more than 2TB at a time.
- * in_len_64 is needed because, on 32-bit platforms, size_t is only
- * 32-bits and this produces a warning because it's always false.
- * Casting to uint64_t inside the conditional is not sufficient to stop
- * the warning. */
- if (in_len_64 >= (1ULL << 32) * 64 - 64) {
- EVPerror(EVP_R_TOO_LARGE);
- return 0;
- }
-
 if (nonce_len != ctx->aead->nonce_len) {
 EVPerror(EVP_R_IV_TOO_LARGE);
 return 0;
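Review bot: Dropping the `in_len_64 >= (1ULL << 32) * 64 - 64` guard from aead_chacha20_poly1305_seal (and, in the third hunk here, from aead_chacha20_poly1305_open) makes very large single-shot operations depend on ChaCha() carrying the block counter into the second counter word, which the removed comment says the implementation previously did not do; without that carry a wrapped counter would repeat keystream within one message. If the ChaCha core was changed elsewhere in this commit to handle the carry, a one-line comment at the former check site, `/* ChaCha() carries the block counter into the next word, so no per-call size limit is needed. */`, would record why the limit went away; if it was not, the check should stay. Both function bodies continue outside these hunks, so I cannot see whether an equivalent limit was introduced lower down.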
@@ -386,4 +367,244 @@ EVP_aead_xchacha20_poly1305() return &aead_xchacha20_poly1305; } +struct chacha20_poly1305_ctx { + ChaCha_ctx chacha; + poly1305_state poly1305; + + unsigned char key[32]; + unsigned char nonce[CHACHA20_NONCE_LEN]; + size_t nonce_len; + unsigned char tag[POLY1305_TAG_LEN]; + size_t tag_len; + + size_t ad_len; + size_t in_len; + + int in_ad; + int started; +}; + +static int +chacha20_poly1305_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int encrypt) +{ + struct chacha20_poly1305_ctx *cpx = ctx->cipher_data; + uint8_t *data; + CBB cbb; + int ret = 0; + + memset(&cbb, 0, sizeof(cbb)); + + if (key == NULL && iv == NULL) + goto done; + + cpx->started = 0; + + if (key != NULL) + memcpy(cpx->key, key, sizeof(cpx->key)); + + if (iv != NULL) { + /* + * Left zero pad if configured nonce length is less than ChaCha + * nonce length. + */ + if (!CBB_init_fixed(&cbb, cpx->nonce, sizeof(cpx->nonce))) + goto err; + if (!CBB_add_space(&cbb, &data, sizeof(cpx->nonce) - cpx->nonce_len)) + goto err; + if (!CBB_add_bytes(&cbb, iv, cpx->nonce_len)) + goto err; + if (!CBB_finish(&cbb, NULL, NULL)) + goto err; + } + + done: + ret = 1; + + err: + CBB_cleanup(&cbb); + + return ret; +} + +static int +chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t len) +{ + struct chacha20_poly1305_ctx *cpx = ctx->cipher_data; + + /* + * Since we're making AEAD work within the constraints of EVP_CIPHER... + * If in is non-NULL then this is an update, while if in is NULL then + * this is a final. If in is non-NULL but out is NULL, then the input + * being provided is associated data. Plus we have to handle encryption + * (sealing) and decryption (opening) in the same function. 
+ */ + + if (!cpx->started) { + unsigned char poly1305_key[32]; + const unsigned char *iv; + uint64_t ctr; + + ctr = (uint64_t)((uint32_t)(cpx->nonce[0]) | + (uint32_t)(cpx->nonce[1]) << 8 | + (uint32_t)(cpx->nonce[2]) << 16 | + (uint32_t)(cpx->nonce[3]) << 24) << 32; + iv = cpx->nonce + CHACHA20_CONSTANT_LEN; + + ChaCha_set_key(&cpx->chacha, cpx->key, 8 * sizeof(cpx->key)); + ChaCha_set_iv(&cpx->chacha, iv, NULL); + + /* See chacha.c for details re handling of counter. */ + cpx->chacha.input[12] = (uint32_t)ctr; + cpx->chacha.input[13] = (uint32_t)(ctr >> 32); + + memset(poly1305_key, 0, sizeof(poly1305_key)); + ChaCha(&cpx->chacha, poly1305_key, poly1305_key, + sizeof(poly1305_key)); + CRYPTO_poly1305_init(&cpx->poly1305, poly1305_key); + + /* Mark remaining key block as used. */ + cpx->chacha.unused = 0; + + cpx->ad_len = 0; + cpx->in_len = 0; + cpx->in_ad = 0; + + cpx->started = 1; + } + + if (len > SIZE_MAX - cpx->in_len) { + EVPerror(EVP_R_TOO_LARGE); + return 0; + } + + /* Disallow authenticated data after plaintext/ciphertext. */ + if (cpx->in_len > 0 && in != NULL && out == NULL) + return -1; + + if (cpx->in_ad && (in == NULL || out != NULL)) { + poly1305_pad16(&cpx->poly1305, cpx->ad_len); + cpx->in_ad = 0; + } + + /* Update with AD or plaintext/ciphertext. */ + if (in != NULL) { + if (out == NULL) { + cpx->ad_len += len; + cpx->in_ad = 1; + } else { + ChaCha(&cpx->chacha, out, in, len); + cpx->in_len += len; + } + if (ctx->encrypt && out != NULL) + CRYPTO_poly1305_update(&cpx->poly1305, out, len); + else + CRYPTO_poly1305_update(&cpx->poly1305, in, len); + + return len; + } + + /* Final. 
*/ + poly1305_pad16(&cpx->poly1305, cpx->in_len); + poly1305_update_with_length(&cpx->poly1305, NULL, cpx->ad_len); + poly1305_update_with_length(&cpx->poly1305, NULL, cpx->in_len); + + if (ctx->encrypt) { + CRYPTO_poly1305_finish(&cpx->poly1305, cpx->tag); + cpx->tag_len = sizeof(cpx->tag); + } else { + unsigned char tag[POLY1305_TAG_LEN]; + + /* Ensure that a tag has been provided. */ + if (cpx->tag_len <= 0) + return -1; + + CRYPTO_poly1305_finish(&cpx->poly1305, tag); + if (timingsafe_memcmp(tag, cpx->tag, cpx->tag_len) != 0) + return -1; + } + + cpx->started = 0; + + return len; +} + +static int +chacha20_poly1305_cleanup(EVP_CIPHER_CTX *ctx) +{ + struct chacha20_poly1305_ctx *cpx = ctx->cipher_data; + + explicit_bzero(cpx, sizeof(*cpx)); + + return 1; +} + +static int +chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) +{ + struct chacha20_poly1305_ctx *cpx = ctx->cipher_data; + + switch (type) { + case EVP_CTRL_INIT: + memset(cpx, 0, sizeof(*cpx)); + cpx->nonce_len = sizeof(cpx->nonce); + return 1; + + case EVP_CTRL_AEAD_SET_IVLEN: + if (arg <= 0 || arg > sizeof(cpx->nonce)) + return 0; + cpx->nonce_len = arg; + return 1; + + case EVP_CTRL_AEAD_SET_TAG: + if (ctx->encrypt) + return 0; + if (arg <= 0 || arg > sizeof(cpx->tag)) + return 0; + if (ptr != NULL) { + memcpy(cpx->tag, ptr, arg); + cpx->tag_len = arg; + } + return 1; + + case EVP_CTRL_AEAD_GET_TAG: + if (!ctx->encrypt) + return 0; + if (arg <= 0 || arg > cpx->tag_len) + return 0; + memcpy(ptr, cpx->tag, arg); + return 1; + + case EVP_CTRL_AEAD_SET_IV_FIXED: + if (arg != sizeof(cpx->nonce)) + return 0; + memcpy(cpx->nonce, ptr, arg); + return 1; + } + + return 0; +} + +static const EVP_CIPHER cipher_chacha20_poly1305 = { + .nid = NID_chacha20_poly1305, + .block_size = 1, + .key_len = 32, + .iv_len = 12, + .flags = EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT | + EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_AEAD_CIPHER | + EVP_CIPH_FLAG_CUSTOM_CIPHER | EVP_CIPH_FLAG_DEFAULT_ASN1, + .init 
= chacha20_poly1305_init, + .do_cipher = chacha20_poly1305_cipher, + .cleanup = chacha20_poly1305_cleanup, + .ctx_size = sizeof(struct chacha20_poly1305_ctx), + .ctrl = chacha20_poly1305_ctrl, +}; + +const EVP_CIPHER * +EVP_chacha20_poly1305(void) +{ + return &cipher_chacha20_poly1305; +} + #endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */ diff --git a/crypto/evp/e_des.c b/crypto/evp/e_des.c index ad91720..dffabc8 100644 --- a/crypto/evp/e_des.c +++ b/crypto/evp/e_des.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_des.c,v 1.14 2015/10/12 06:05:52 guenther Exp $ */ +/* $OpenBSD: e_des.c,v 1.20 2022/11/26 16:08:52 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include #include #include @@ -66,21 +67,49 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" -static int des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc); -static int des_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr); +static int +des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) +{ + DES_cblock *deskey = (DES_cblock *)key; -/* Because of various casts and different names can't use IMPLEMENT_BLOCK_CIPHER */ + DES_set_key_unchecked(deskey, ctx->cipher_data); + return 1; +} + +static int +des_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) +{ + switch (type) { + case EVP_CTRL_RAND_KEY: + if (DES_random_key((DES_cblock *)ptr) == 0) + return 0; + return 1; + + default: + return -1; + } +} static int des_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) { - BLOCK_CIPHER_ecb_loop() + size_t i, bl; + + bl = ctx->cipher->block_size; + + if (inl < bl) + return 1; + + inl -= bl; + + for (i = 0; i <= inl; i += bl) DES_ecb_encrypt((DES_cblock *)(in + i), (DES_cblock *)(out + i), ctx->cipher_data, ctx->encrypt); + return 1; } 
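Review bot: The "Left zero pad" comment in chacha20_poly1305_init is only true when the leading bytes of cpx->nonce are already zero: CBB_init_fixed writes in place, CBB_add_space reserves `sizeof(cpx->nonce) - cpx->nonce_len` bytes and, as far as I can tell, does not clear them, and the `data` pointer it returns is never written. They are zero after the memset in EVP_CTRL_INIT, but once EVP_CTRL_AEAD_SET_IV_FIXED has copied a full 12-byte nonce, a later init with a shorter nonce_len keeps the stale leading bytes, so the effective nonce silently differs from what the caller supplied. `memset(data, 0, sizeof(cpx->nonce) - cpx->nonce_len);` directly after the CBB_add_space call makes the comment unconditionally true. Separately, in the decrypt final path `if (cpx->tag_len <= 0)` compares a size_t against 0, so `== 0` says what is meant.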
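Review bot: des_init_key drops const with `DES_cblock *deskey = (DES_cblock *)key;` and then calls DES_set_key_unchecked, so no parity or weak-key check happens at the EVP level; the body appears as new lines but presumably moved from further down the file, so if this is long-standing behaviour a one-line comment on the call, `/* key is used as-is: no parity or weak-key check at this layer */`, would keep it from being "fixed" later. Whether `const DES_cblock *` would let the cast go depends on the DES_set_key_unchecked prototype, which is not visible here.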
@@ -88,12 +117,14 @@ static int des_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) { - while (inl >= EVP_MAXCHUNK) { - DES_ofb64_encrypt(in, out, (long)EVP_MAXCHUNK, ctx->cipher_data, + size_t chunk = LONG_MAX & ~0xff; + + while (inl >= chunk) { + DES_ofb64_encrypt(in, out, (long)chunk, ctx->cipher_data, (DES_cblock *)ctx->iv, &ctx->num); - inl -= EVP_MAXCHUNK; - in += EVP_MAXCHUNK; - out += EVP_MAXCHUNK; + inl -= chunk; + in += chunk; + out += chunk; } if (inl) DES_ofb64_encrypt(in, out, (long)inl, ctx->cipher_data, @@ -105,12 +136,14 @@ static int des_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) { - while (inl >= EVP_MAXCHUNK) { - DES_ncbc_encrypt(in, out, (long)EVP_MAXCHUNK, ctx->cipher_data, + size_t chunk = LONG_MAX & ~0xff; + + while (inl >= chunk) { + DES_ncbc_encrypt(in, out, (long)chunk, ctx->cipher_data, (DES_cblock *)ctx->iv, ctx->encrypt); - inl -= EVP_MAXCHUNK; - in += EVP_MAXCHUNK; - out += EVP_MAXCHUNK; + inl -= chunk; + in += chunk; + out += chunk; } if (inl) DES_ncbc_encrypt(in, out, (long)inl, ctx->cipher_data, @@ -122,12 +155,14 @@ static int des_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) { - while (inl >= EVP_MAXCHUNK) { - DES_cfb64_encrypt(in, out, (long)EVP_MAXCHUNK, ctx->cipher_data, + size_t chunk = LONG_MAX & ~0xff; + + while (inl >= chunk) { + DES_cfb64_encrypt(in, out, (long)chunk, ctx->cipher_data, (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt); - inl -= EVP_MAXCHUNK; - in += EVP_MAXCHUNK; - out += EVP_MAXCHUNK; + inl -= chunk; + in += chunk; + out += chunk; } if (inl) DES_cfb64_encrypt(in, out, (long)inl, ctx->cipher_data, @@ -141,8 +176,9 @@ static int des_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) { - size_t n, chunk = EVP_MAXCHUNK/8; unsigned char c[1], d[1]; + size_t chunk = LONG_MAX / 8; + size_t n; if (inl < chunk) chunk = inl; 
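Review bot: The bound `size_t chunk = LONG_MAX & ~0xff;` is spelled out again in des_ofb_cipher, des_cbc_cipher and des_cfb64_cipher in these hunks (and in des_cfb8_cipher in the next one) with no explanation of the value. It exists so that the `(long)chunk` and `(long)inl` casts handed to the DES_* routines cannot overflow and so that each chunk stays a whole number of 8-byte blocks, which the CBC path relies on; a single file-local definition such as `#define DES_EVP_MAXCHUNK (LONG_MAX & ~0xff) /* fits in a long; multiple of the 8-byte block */` would document that once and stop the four copies drifting apart. des_cfb1_cipher's `LONG_MAX / 8` is a different quantity (a bit count is passed on) and is fine as is, but a short comment there would help for the same reason.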
@@ -170,12 +206,14 @@ static int des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) { - while (inl >= EVP_MAXCHUNK) { - DES_cfb_encrypt(in, out, 8, (long)EVP_MAXCHUNK, + size_t chunk = LONG_MAX & ~0xff; + + while (inl >= chunk) { + DES_cfb_encrypt(in, out, 8, (long)chunk, ctx->cipher_data, (DES_cblock *)ctx->iv, ctx->encrypt); - inl -= EVP_MAXCHUNK; - in += EVP_MAXCHUNK; - out += EVP_MAXCHUNK; + inl -= chunk; + in += chunk; + out += chunk; } if (inl) DES_cfb_encrypt(in, out, 8, (long)inl, ctx->cipher_data, 
@@ -183,44 +221,135 @@ des_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, return 1; } -BLOCK_CIPHER_defs(des, DES_key_schedule, NID_des, 8, 8, 8, 64, - EVP_CIPH_RAND_KEY, des_init_key, NULL, - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, - des_ctrl) +static const EVP_CIPHER des_cbc = { + .nid = NID_des_cbc, + .block_size = 8, + .key_len = 8, + .iv_len = 8, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE, + .init = des_init_key, + .do_cipher = des_cbc_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_key_schedule), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des_ctrl, + .app_data = NULL, +}; -BLOCK_CIPHER_def_cfb(des, DES_key_schedule, NID_des, 8, 8, 1, - EVP_CIPH_RAND_KEY, des_init_key, NULL, - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, des_ctrl) - -BLOCK_CIPHER_def_cfb(des, DES_key_schedule, NID_des, 8, 8, 8, - EVP_CIPH_RAND_KEY, des_init_key, NULL, - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, des_ctrl) - -static int -des_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) +const EVP_CIPHER * +EVP_des_cbc(void) { - DES_cblock *deskey = (DES_cblock *)key; - - DES_set_key_unchecked(deskey, ctx->cipher_data); - return 1; + return &des_cbc; } -static int -des_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) -{ - switch (type) { - case EVP_CTRL_RAND_KEY: - if (DES_random_key((DES_cblock *)ptr) == 0) - return 0; - return 1; +static const EVP_CIPHER des_cfb64 = { + .nid = NID_des_cfb64, + .block_size = 1, + .key_len = 8, + .iv_len = 8, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE, + .init = des_init_key, + .do_cipher = des_cfb64_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_key_schedule), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des_ctrl, + .app_data = NULL, +}; - default: - return -1; - } +const EVP_CIPHER * +EVP_des_cfb64(void) +{ + return &des_cfb64; } 
+static const EVP_CIPHER des_ofb = { + .nid = NID_des_ofb64, + .block_size = 1, + .key_len = 8, + .iv_len = 8, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_OFB_MODE, + .init = des_init_key, + .do_cipher = des_ofb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_key_schedule), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_des_ofb(void) +{ + return &des_ofb; +} + +static const EVP_CIPHER des_ecb = { + .nid = NID_des_ecb, + .block_size = 8, + .key_len = 8, + .iv_len = 0, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE, + .init = des_init_key, + .do_cipher = des_ecb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_key_schedule), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_des_ecb(void) +{ + return &des_ecb; +} + +static const EVP_CIPHER des_cfb1 = { + .nid = NID_des_cfb1, + .block_size = 1, + .key_len = 8, + .iv_len = 8, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE, + .init = des_init_key, + .do_cipher = des_cfb1_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_key_schedule), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_des_cfb1(void) +{ + return &des_cfb1; +} + +static const EVP_CIPHER des_cfb8 = { + .nid = NID_des_cfb8, + .block_size = 1, + .key_len = 8, + .iv_len = 8, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE, + .init = des_init_key, + .do_cipher = des_cfb8_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_key_schedule), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_des_cfb8(void) +{ + return &des_cfb8; +} #endif 
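Review bot: All six EVP_CIPHER tables in this hunk set `.cleanup = NULL` with `.ctx_size = sizeof(DES_key_schedule)`, so nothing in this file wipes the expanded key schedule held in cipher_data; presumably the generic EVP_CIPHER_CTX cleanup zeroes cipher_data before freeing it (chacha20_poly1305_cleanup earlier in this diff does its own explicit_bzero instead), but for key material that should be confirmed rather than assumed. Whichever way it turns out, one comment above the first table, e.g. `/* No cleanup callback: cipher_data holds only the key schedule, which the generic EVP_CIPHER_CTX cleanup is expected to zero — verify. */`, stops the next reader from wondering. The old macro-generated definitions carried no such note either, but now that the tables are written out by hand this is the place for it.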
diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index 0138839..d6c7537 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_des3.c,v 1.20 2019/05/14 15:40:44 beck Exp $ */ +/* $OpenBSD: e_des3.c,v 1.26 2022/11/26 16:08:52 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include #include #include @@ -67,15 +68,7 @@ #include #include -#include "evp_locl.h" - -static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc); - -static int des_ede3_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc); - -static int des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr); +#include "evp_local.h" typedef struct { DES_key_schedule ks1;/* key schedule */ 
@@ -85,147 +78,6 @@ typedef struct { #define data(ctx) ((DES_EDE_KEY *)(ctx)->cipher_data) -/* Because of various casts and different args can't use IMPLEMENT_BLOCK_CIPHER */ - -static int -des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t inl) -{ - BLOCK_CIPHER_ecb_loop() - DES_ecb3_encrypt((const_DES_cblock *)(in + i), (DES_cblock *)(out + i), - &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, ctx->encrypt); - return 1; -} - -static int -des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t inl) -{ - while (inl >= EVP_MAXCHUNK) { - DES_ede3_ofb64_encrypt(in, out, (long)EVP_MAXCHUNK, - &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, - (DES_cblock *)ctx->iv, &ctx->num); - inl -= EVP_MAXCHUNK; - in += EVP_MAXCHUNK; - out += EVP_MAXCHUNK; - } - if (inl) - DES_ede3_ofb64_encrypt(in, out, (long)inl, - &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, - (DES_cblock *)ctx->iv, &ctx->num); - - return 1; -} - -static int -des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t inl) -{ - while (inl >= EVP_MAXCHUNK) { - DES_ede3_cbc_encrypt(in, out, (long)EVP_MAXCHUNK, - &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, - (DES_cblock *)ctx->iv, ctx->encrypt); - inl -= EVP_MAXCHUNK; - in += EVP_MAXCHUNK; - out += EVP_MAXCHUNK; - } - if (inl) - DES_ede3_cbc_encrypt(in, out, (long)inl, - &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, - (DES_cblock *)ctx->iv, ctx->encrypt); - return 1; -} - -static int -des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t inl) -{ - while (inl >= EVP_MAXCHUNK) { - DES_ede3_cfb64_encrypt(in, out, (long)EVP_MAXCHUNK, - &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, - (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt); - inl -= EVP_MAXCHUNK; - in += EVP_MAXCHUNK; - out += EVP_MAXCHUNK; - } - if (inl) - DES_ede3_cfb64_encrypt(in, out, (long)inl, - &data(ctx)->ks1, 
&data(ctx)->ks2, &data(ctx)->ks3, - (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt); - return 1; -} - -/* Although we have a CFB-r implementation for 3-DES, it doesn't pack the right - way, so wrap it here */ -static int -des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t inl) -{ - size_t n; - unsigned char c[1], d[1]; - if (!(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS)) - inl *= 8; - - for (n = 0; n < inl; ++n) { - c[0] = (in[n/8]&(1 << (7 - n % 8))) ? 0x80 : 0; - DES_ede3_cfb_encrypt(c, d, 1, 1, - &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, - (DES_cblock *)ctx->iv, ctx->encrypt); - out[n / 8] = (out[n / 8] & ~(0x80 >> (unsigned int)(n % 8))) | - ((d[0] & 0x80) >> (unsigned int)(n % 8)); - } - - return 1; -} - -static int -des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t inl) -{ - while (inl >= EVP_MAXCHUNK) { - DES_ede3_cfb_encrypt(in, out, 8, (long)EVP_MAXCHUNK, - &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, - (DES_cblock *)ctx->iv, ctx->encrypt); - inl -= EVP_MAXCHUNK; - in += EVP_MAXCHUNK; - out += EVP_MAXCHUNK; - } - if (inl) - DES_ede3_cfb_encrypt(in, out, 8, (long)inl, - &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, - (DES_cblock *)ctx->iv, ctx->encrypt); - return 1; -} - -BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, NID_des_ede, 8, 16, 8, 64, - EVP_CIPH_RAND_KEY, des_ede_init_key, NULL, - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, - des3_ctrl) - -#define des_ede3_cfb64_cipher des_ede_cfb64_cipher -#define des_ede3_ofb_cipher des_ede_ofb_cipher -#define des_ede3_cbc_cipher des_ede_cbc_cipher -#define des_ede3_ecb_cipher des_ede_ecb_cipher - -BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, - EVP_CIPH_RAND_KEY, des_ede3_init_key, NULL, - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, - des3_ctrl) - -BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1, - EVP_CIPH_RAND_KEY, des_ede3_init_key, NULL, - 
EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, - des3_ctrl) - -BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8, - EVP_CIPH_RAND_KEY, des_ede3_init_key, NULL, - EVP_CIPHER_set_asn1_iv, - EVP_CIPHER_get_asn1_iv, - des3_ctrl) - static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) 
@@ -272,6 +124,363 @@ des3_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) } } +static int +des_ede_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl) +{ + size_t i, bl; + + bl = ctx->cipher->block_size; + + if (inl < bl) + return 1; + + inl -= bl; + + for (i = 0; i <= inl; i += bl) + DES_ecb3_encrypt((const_DES_cblock *)(in + i), (DES_cblock *)(out + i), + &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, ctx->encrypt); + + return 1; +} + +static int +des_ede_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl) +{ + size_t chunk = LONG_MAX & ~0xff; + + while (inl >= chunk) { + DES_ede3_ofb64_encrypt(in, out, (long)chunk, + &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, + (DES_cblock *)ctx->iv, &ctx->num); + inl -= chunk; + in += chunk; + out += chunk; + } + if (inl) + DES_ede3_ofb64_encrypt(in, out, (long)inl, + &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, + (DES_cblock *)ctx->iv, &ctx->num); + + return 1; +} + +static int +des_ede_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl) +{ + size_t chunk = LONG_MAX & ~0xff; + + while (inl >= chunk) { + DES_ede3_cbc_encrypt(in, out, (long)chunk, + &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, + (DES_cblock *)ctx->iv, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + } + if (inl) + DES_ede3_cbc_encrypt(in, out, (long)inl, + &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, + (DES_cblock *)ctx->iv, ctx->encrypt); + return 1; +} + +static int +des_ede_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl) +{ + size_t chunk = LONG_MAX & ~0xff; + + while (inl >= chunk) { + DES_ede3_cfb64_encrypt(in, out, (long)chunk, + &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, + (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + } + if (inl) + DES_ede3_cfb64_encrypt(in, out, (long)inl, + 
&data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, + (DES_cblock *)ctx->iv, &ctx->num, ctx->encrypt); + return 1; +} + +/* Although we have a CFB-r implementation for 3-DES, it doesn't pack the right + way, so wrap it here */ +static int +des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl) +{ + unsigned char c[1], d[1]; + size_t n; + + if (!(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS)) + inl *= 8; + + for (n = 0; n < inl; ++n) { + c[0] = (in[n/8]&(1 << (7 - n % 8))) ? 0x80 : 0; + DES_ede3_cfb_encrypt(c, d, 1, 1, + &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, + (DES_cblock *)ctx->iv, ctx->encrypt); + out[n / 8] = (out[n / 8] & ~(0x80 >> (unsigned int)(n % 8))) | + ((d[0] & 0x80) >> (unsigned int)(n % 8)); + } + + return 1; +} + +static int +des_ede3_cfb8_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl) +{ + size_t chunk = LONG_MAX & ~0xff; + + while (inl >= chunk) { + DES_ede3_cfb_encrypt(in, out, 8, (long)chunk, + &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, + (DES_cblock *)ctx->iv, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + } + if (inl) + DES_ede3_cfb_encrypt(in, out, 8, (long)inl, + &data(ctx)->ks1, &data(ctx)->ks2, &data(ctx)->ks3, + (DES_cblock *)ctx->iv, ctx->encrypt); + return 1; +} + +static const EVP_CIPHER des_ede_cbc = { + .nid = NID_des_ede_cbc, + .block_size = 8, + .key_len = 16, + .iv_len = 8, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE, + .init = des_ede_init_key, + .do_cipher = des_ede_cbc_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_EDE_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des3_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_des_ede_cbc(void) +{ + return &des_ede_cbc; +} + +static const EVP_CIPHER des_ede_cfb64 = { + .nid = NID_des_ede_cfb64, + .block_size = 1, + .key_len = 16, + .iv_len = 8, + .flags = EVP_CIPH_RAND_KEY | 
EVP_CIPH_CFB_MODE, + .init = des_ede_init_key, + .do_cipher = des_ede_cfb64_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_EDE_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des3_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_des_ede_cfb64(void) +{ + return &des_ede_cfb64; +} + +static const EVP_CIPHER des_ede_ofb = { + .nid = NID_des_ede_ofb64, + .block_size = 1, + .key_len = 16, + .iv_len = 8, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_OFB_MODE, + .init = des_ede_init_key, + .do_cipher = des_ede_ofb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_EDE_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des3_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_des_ede_ofb(void) +{ + return &des_ede_ofb; +} + +static const EVP_CIPHER des_ede_ecb = { + .nid = NID_des_ede_ecb, + .block_size = 8, + .key_len = 16, + .iv_len = 0, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE, + .init = des_ede_init_key, + .do_cipher = des_ede_ecb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_EDE_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des3_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_des_ede_ecb(void) +{ + return &des_ede_ecb; +} + + +#define des_ede3_cfb64_cipher des_ede_cfb64_cipher +#define des_ede3_ofb_cipher des_ede_ofb_cipher +#define des_ede3_cbc_cipher des_ede_cbc_cipher +#define des_ede3_ecb_cipher des_ede_ecb_cipher + +static const EVP_CIPHER des_ede3_cbc = { + .nid = NID_des_ede3_cbc, + .block_size = 8, + .key_len = 24, + .iv_len = 8, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CBC_MODE, + .init = des_ede3_init_key, + .do_cipher = des_ede3_cbc_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_EDE_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des3_ctrl, + .app_data = NULL, 
+}; + +const EVP_CIPHER * +EVP_des_ede3_cbc(void) +{ + return &des_ede3_cbc; +} + +static const EVP_CIPHER des_ede3_cfb64 = { + .nid = NID_des_ede3_cfb64, + .block_size = 1, + .key_len = 24, + .iv_len = 8, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE, + .init = des_ede3_init_key, + .do_cipher = des_ede3_cfb64_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_EDE_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des3_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_des_ede3_cfb64(void) +{ + return &des_ede3_cfb64; +} + +static const EVP_CIPHER des_ede3_ofb = { + .nid = NID_des_ede3_ofb64, + .block_size = 1, + .key_len = 24, + .iv_len = 8, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_OFB_MODE, + .init = des_ede3_init_key, + .do_cipher = des_ede3_ofb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_EDE_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des3_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_des_ede3_ofb(void) +{ + return &des_ede3_ofb; +} + +static const EVP_CIPHER des_ede3_ecb = { + .nid = NID_des_ede3_ecb, + .block_size = 8, + .key_len = 24, + .iv_len = 0, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_ECB_MODE, + .init = des_ede3_init_key, + .do_cipher = des_ede3_ecb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_EDE_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des3_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_des_ede3_ecb(void) +{ + return &des_ede3_ecb; +} + + +static const EVP_CIPHER des_ede3_cfb1 = { + .nid = NID_des_ede3_cfb1, + .block_size = 1, + .key_len = 24, + .iv_len = 8, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE, + .init = des_ede3_init_key, + .do_cipher = des_ede3_cfb1_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_EDE_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = 
EVP_CIPHER_get_asn1_iv, + .ctrl = des3_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_des_ede3_cfb1(void) +{ + return &des_ede3_cfb1; +} + + +static const EVP_CIPHER des_ede3_cfb8 = { + .nid = NID_des_ede3_cfb8, + .block_size = 1, + .key_len = 24, + .iv_len = 8, + .flags = EVP_CIPH_RAND_KEY | EVP_CIPH_CFB_MODE, + .init = des_ede3_init_key, + .do_cipher = des_ede3_cfb8_cipher, + .cleanup = NULL, + .ctx_size = sizeof(DES_EDE_KEY), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = des3_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_des_ede3_cfb8(void) +{ + return &des_ede3_cfb8; +} + const EVP_CIPHER * EVP_des_ede(void) { diff --git a/crypto/evp/e_gost2814789.c b/crypto/evp/e_gost2814789.c index 7803d95..6344a11 100644 --- a/crypto/evp/e_gost2814789.c +++ b/crypto/evp/e_gost2814789.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_gost2814789.c,v 1.5 2021/12/12 21:30:13 tb Exp $ */ +/* $OpenBSD: e_gost2814789.c,v 1.11 2022/11/26 16:08:52 tb Exp $ */ /* * Copyright (c) 2014 Dmitry Eremin-Solenikov * Copyright (c) 2005-2006 Cryptocom LTD @@ -58,13 +58,22 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" typedef struct { GOST2814789_KEY ks; int param_nid; } EVP_GOST2814789_CTX; +static int +gost2814789_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) +{ + EVP_GOST2814789_CTX *c = ctx->cipher_data; + + return Gost2814789_set_key(&c->ks, key, ctx->key_len * 8); +} + static int gost2814789_ctl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) { @@ -89,15 +98,6 @@ gost2814789_ctl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) } } -static int -gost2814789_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) -{ - EVP_GOST2814789_CTX *c = ctx->cipher_data; - - return Gost2814789_set_key(&c->ks, key, ctx->key_len * 8); -} - int gost2814789_set_asn1_params(EVP_CIPHER_CTX *ctx, ASN1_TYPE *params) { 
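Review bot: The four `#define des_ede3_*_cipher des_ede_*_cipher` aliases in this hunk are leftovers from the macro-generated definitions; now that each table is written out, `.do_cipher = des_ede3_cbc_cipher` hides the fact that the 2-key and 3-key tables share one function, and a reader has to go back to the defines to see it. Binding `des_ede_cbc_cipher`, `des_ede_cfb64_cipher`, `des_ede_ofb_cipher` and `des_ede_ecb_cipher` directly in the des_ede3_* tables and deleting the defines would be clearer. Separately, des_ede3_cfb1_cipher does `inl *= 8` with no upper bound, unlike its single-DES counterpart which caps the chunk at `LONG_MAX / 8`; the wrap needs an inl above SIZE_MAX/8, which no real buffer reaches, but a one-line comment saying so would pre-empt the question.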
@@ -186,8 +186,43 @@ gost2814789_get_asn1_params(EVP_CIPHER_CTX *ctx, ASN1_TYPE *params) return 1; } -BLOCK_CIPHER_func_ecb(gost2814789, Gost2814789, EVP_GOST2814789_CTX, ks) -BLOCK_CIPHER_func_cfb(gost2814789, Gost2814789, 64, EVP_GOST2814789_CTX, ks) +static int +gost2814789_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t i, bl; + + bl = ctx->cipher->block_size; + + if (inl < bl) + return 1; + + inl -= bl; + + for (i = 0; i <= inl; i += bl) + Gost2814789_ecb_encrypt(in + i, out + i, &((EVP_GOST2814789_CTX *)ctx->cipher_data)->ks, ctx->encrypt); + + return 1; +} + +static int +gost2814789_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = EVP_MAXCHUNK; + + if (inl < chunk) + chunk = inl; + + while (inl && inl >= chunk) { + Gost2814789_cfb64_encrypt(in, out, chunk, &((EVP_GOST2814789_CTX *)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + if (inl < chunk) + chunk = inl; + } + + return 1; +} static int gost2814789_cnt_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, @@ -196,7 +231,7 @@ gost2814789_cnt_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, EVP_GOST2814789_CTX *c = ctx->cipher_data; while (inl >= EVP_MAXCHUNK) { - Gost2814789_cnt_encrypt(in, out, (long)EVP_MAXCHUNK, &c->ks, + Gost2814789_cnt_encrypt(in, out, EVP_MAXCHUNK, &c->ks, ctx->iv, ctx->buf, &ctx->num); inl -= EVP_MAXCHUNK; in += EVP_MAXCHUNK; 
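Review bot: gost2814789_cfb64_cipher's loop, `if (inl < chunk) chunk = inl; while (inl && inl >= chunk) { ...; if (inl < chunk) chunk = inl; }`, is correct but a roundabout way of saying "full chunks, then the remainder", and it differs from the `while (inl >= chunk) … if (inl) …` shape this same commit uses for every DES mode. Writing it the same way makes termination obvious and keeps the cipher files consistent; the same applies to idea_cfb64_cipher in e_idea.c further down. gost2814789_ecb_cipher in this hunk also inherits the BLOCK_CIPHER_ecb_loop behaviour of silently ignoring a trailing partial block, which with EVP_CIPH_NO_PADDING is only safe if callers always pass a multiple of 8; a comment stating that expectation would help.
```c
static int
gost2814789_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl)
{
	EVP_GOST2814789_CTX *c = ctx->cipher_data;

	while (inl >= EVP_MAXCHUNK) {
		Gost2814789_cfb64_encrypt(in, out, EVP_MAXCHUNK, &c->ks, ctx->iv, &ctx->num, ctx->encrypt);
		inl -= EVP_MAXCHUNK;
		in += EVP_MAXCHUNK;
		out += EVP_MAXCHUNK;
	}
	if (inl)
		Gost2814789_cfb64_encrypt(in, out, inl, &c->ks, ctx->iv, &ctx->num, ctx->encrypt);

	return 1;
}
```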
@@ -212,16 +247,69 @@ gost2814789_cnt_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, /* gost89 is CFB-64 */ #define NID_gost89_cfb64 NID_id_Gost28147_89 -BLOCK_CIPHER_def_ecb(gost2814789, EVP_GOST2814789_CTX, NID_gost89, 8, 32, - EVP_CIPH_NO_PADDING | EVP_CIPH_CTRL_INIT, - gost2814789_init_key, NULL, gost2814789_set_asn1_params, - gost2814789_get_asn1_params, gost2814789_ctl) -BLOCK_CIPHER_def_cfb(gost2814789, EVP_GOST2814789_CTX, NID_gost89, 32, 8, 64, - EVP_CIPH_NO_PADDING | EVP_CIPH_CTRL_INIT, - gost2814789_init_key, NULL, gost2814789_set_asn1_params, - gost2814789_get_asn1_params, gost2814789_ctl) -BLOCK_CIPHER_def1(gost2814789, cnt, cnt, OFB, EVP_GOST2814789_CTX, NID_gost89, - 1, 32, 8, EVP_CIPH_NO_PADDING | EVP_CIPH_CTRL_INIT, - gost2814789_init_key, NULL, gost2814789_set_asn1_params, - gost2814789_get_asn1_params, gost2814789_ctl) +static const EVP_CIPHER gost2814789_ecb = { + .nid = NID_gost89_ecb, + .block_size = 8, + .key_len = 32, + .iv_len = 0, + .flags = EVP_CIPH_NO_PADDING | EVP_CIPH_CTRL_INIT | EVP_CIPH_ECB_MODE, + .init = gost2814789_init_key, + .do_cipher = gost2814789_ecb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_GOST2814789_CTX), + .set_asn1_parameters = gost2814789_set_asn1_params, + .get_asn1_parameters = gost2814789_get_asn1_params, + .ctrl = gost2814789_ctl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_gost2814789_ecb(void) +{ + return &gost2814789_ecb; +} + +static const EVP_CIPHER gost2814789_cfb64 = { + .nid = NID_gost89_cfb64, + .block_size = 1, + .key_len = 32, + .iv_len = 8, + .flags = EVP_CIPH_NO_PADDING | EVP_CIPH_CTRL_INIT | EVP_CIPH_CFB_MODE, + .init = gost2814789_init_key, + .do_cipher = gost2814789_cfb64_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_GOST2814789_CTX), + .set_asn1_parameters = gost2814789_set_asn1_params, + .get_asn1_parameters = gost2814789_get_asn1_params, + .ctrl = gost2814789_ctl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_gost2814789_cfb64(void) +{ + return &gost2814789_cfb64; +} 
+ +static const EVP_CIPHER gost2814789_cnt = { + .nid = NID_gost89_cnt, + .block_size = 1, + .key_len = 32, + .iv_len = 8, + .flags = EVP_CIPH_NO_PADDING | EVP_CIPH_CTRL_INIT | EVP_CIPH_OFB_MODE, + .init = gost2814789_init_key, + .do_cipher = gost2814789_cnt_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_GOST2814789_CTX), + .set_asn1_parameters = gost2814789_set_asn1_params, + .get_asn1_parameters = gost2814789_get_asn1_params, + .ctrl = gost2814789_ctl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_gost2814789_cnt(void) +{ + return &gost2814789_cnt; +} #endif diff --git a/crypto/evp/e_idea.c b/crypto/evp/e_idea.c index 454ad4e..b8349ee 100644 --- a/crypto/evp/e_idea.c +++ b/crypto/evp/e_idea.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_idea.c,v 1.10 2015/09/10 15:56:25 jsing Exp $ */ +/* $OpenBSD: e_idea.c,v 1.18 2022/11/26 16:08:52 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include #include #include 
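Review bot: gost2814789_cnt carries `EVP_CIPH_OFB_MODE` although its do_cipher is gost2814789_cnt_cipher, i.e. the GOST counter ("gamma") mode; the removed BLOCK_CIPHER_def1(..., cnt, cnt, OFB, ...) did the same, so behaviour is unchanged, but with the flag now spelled out in the table it reads like a copy-paste slip. A comment on that line, e.g. `/* counter (gamma) mode; tagged OFB as the macro-generated definition was, since the mode flag is what EVP_CIPHER_CTX_mode() reports to callers */`, would make it clear the tag is intentional.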
@@ -67,38 +68,12 @@ #include #include -#include "evp_locl.h" - -static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc); +#include "evp_local.h" /* NB idea_ecb_encrypt doesn't take an 'encrypt' argument so we treat it as a special * case */ -static int -idea_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t inl) -{ - BLOCK_CIPHER_ecb_loop() - idea_ecb_encrypt(in + i, out + i, ctx->cipher_data); - return 1; -} - -/* Can't use IMPLEMENT_BLOCK_CIPHER because idea_ecb_encrypt is different */ - -typedef struct { - IDEA_KEY_SCHEDULE ks; -} EVP_IDEA_KEY; - -BLOCK_CIPHER_func_cbc(idea, idea, EVP_IDEA_KEY, ks) -BLOCK_CIPHER_func_ofb(idea, idea, 64, EVP_IDEA_KEY, ks) -BLOCK_CIPHER_func_cfb(idea, idea, 64, EVP_IDEA_KEY, ks) - -BLOCK_CIPHER_defs(idea, IDEA_KEY_SCHEDULE, NID_idea, 8, 16, 8, 64, - 0, idea_init_key, NULL, - EVP_CIPHER_set_asn1_iv, EVP_CIPHER_get_asn1_iv, NULL) - static int idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc) 
@@ -122,4 +97,170 @@ idea_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, return 1; } +static int +idea_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl) +{ + size_t i, bl; + + bl = ctx->cipher->block_size; + + if (inl < bl) + return 1; + + inl -= bl; + + for (i = 0; i <= inl; i += bl) + idea_ecb_encrypt(in + i, out + i, ctx->cipher_data); + + return 1; +} + +typedef struct { + IDEA_KEY_SCHEDULE ks; +} EVP_IDEA_KEY; + +static int +idea_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = LONG_MAX & ~0xff; + + while (inl >= chunk) { + idea_cbc_encrypt(in, out, (long)chunk, &((EVP_IDEA_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + } + + if (inl) + idea_cbc_encrypt(in, out, (long)inl, &((EVP_IDEA_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt); + + return 1; +} + +static int +idea_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = LONG_MAX & ~0xff; + + while (inl >= chunk) { + idea_ofb64_encrypt(in, out, (long)chunk, &((EVP_IDEA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num); + inl -= chunk; + in += chunk; + out += chunk; + } + + if (inl) + idea_ofb64_encrypt(in, out, (long)inl, &((EVP_IDEA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num); + + return 1; +} + +static int +idea_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) +{ + size_t chunk = LONG_MAX & ~0xff; + + if (inl < chunk) + chunk = inl; + + while (inl && inl >= chunk) { + idea_cfb64_encrypt(in, out, (long)chunk, &((EVP_IDEA_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt); + inl -= chunk; + in += chunk; + out += chunk; + if (inl < chunk) + chunk = inl; + } + + return 1; +} + +static const EVP_CIPHER idea_cbc = { + .nid = NID_idea_cbc, + .block_size = 8, + .key_len = 16, + .iv_len = 8, + .flags = 0 | EVP_CIPH_CBC_MODE, + .init = 
idea_init_key, + .do_cipher = idea_cbc_cipher, + .cleanup = NULL, + .ctx_size = sizeof(IDEA_KEY_SCHEDULE), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_idea_cbc(void) +{ + return &idea_cbc; +} + +static const EVP_CIPHER idea_cfb64 = { + .nid = NID_idea_cfb64, + .block_size = 1, + .key_len = 16, + .iv_len = 8, + .flags = 0 | EVP_CIPH_CFB_MODE, + .init = idea_init_key, + .do_cipher = idea_cfb64_cipher, + .cleanup = NULL, + .ctx_size = sizeof(IDEA_KEY_SCHEDULE), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_idea_cfb64(void) +{ + return &idea_cfb64; +} + +static const EVP_CIPHER idea_ofb = { + .nid = NID_idea_ofb64, + .block_size = 1, + .key_len = 16, + .iv_len = 8, + .flags = 0 | EVP_CIPH_OFB_MODE, + .init = idea_init_key, + .do_cipher = idea_ofb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(IDEA_KEY_SCHEDULE), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_idea_ofb(void) +{ + return &idea_ofb; +} + +static const EVP_CIPHER idea_ecb = { + .nid = NID_idea_ecb, + .block_size = 8, + .key_len = 16, + .iv_len = 0, + .flags = 0 | EVP_CIPH_ECB_MODE, + .init = idea_init_key, + .do_cipher = idea_ecb_cipher, + .cleanup = NULL, + .ctx_size = sizeof(IDEA_KEY_SCHEDULE), + .set_asn1_parameters = EVP_CIPHER_set_asn1_iv, + .get_asn1_parameters = EVP_CIPHER_get_asn1_iv, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_idea_ecb(void) +{ + return &idea_ecb; +} #endif diff --git a/crypto/evp/e_null.c b/crypto/evp/e_null.c index db79e1e..ddd633d 100644 --- a/crypto/evp/e_null.c +++ b/crypto/evp/e_null.c 
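Review bot: The idea tables use `.ctx_size = sizeof(IDEA_KEY_SCHEDULE)` while idea_cbc_cipher, idea_ofb_cipher and idea_cfb64_cipher cast `ctx->cipher_data` to `EVP_IDEA_KEY *`, and idea_ecb_cipher passes it as a bare schedule; that only works because EVP_IDEA_KEY wraps exactly one IDEA_KEY_SCHEDULE, which nothing states. Either drop the wrapper and pass `ctx->cipher_data` straight to the idea_* routines as idea_ecb_cipher already does, or set `.ctx_size = sizeof(EVP_IDEA_KEY)` so the allocation and the casts name the same type. The `.flags = 0 | EVP_CIPH_CBC_MODE` form in all four tables is macro residue and should be just `EVP_CIPH_CBC_MODE`, and idea_cfb64_cipher has the `if (inl < chunk) chunk = inl; while (inl && inl >= chunk)` loop shape that the DES modes in this commit write more plainly as `while (inl >= chunk) … if (inl) …`.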
@@ -1,4 +1,4 @@ -/* $OpenBSD: e_null.c,v 1.15 2021/12/12 21:30:13 tb Exp $ */ +/* $OpenBSD: e_null.c,v 1.16 2022/11/26 16:08:52 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,7 +62,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" static int null_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc); diff --git a/crypto/evp/e_old.c b/crypto/evp/e_old.c deleted file mode 100644 index 7116665..0000000 --- a/crypto/evp/e_old.c +++ /dev/null 
@@ -1,159 +0,0 @@ -/* $OpenBSD: e_old.c,v 1.8 2015/02/10 11:45:09 jsing Exp $ */ -/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL - * project 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include - -#ifndef OPENSSL_NO_DEPRECATED - -#include - -/* Define some deprecated functions, so older programs - don't crash and burn too quickly. On Windows and VMS, - these will never be used, since functions and variables - in shared libraries are selected by entry point location, - not by name. 
*/ - -#ifndef OPENSSL_NO_BF -#undef EVP_bf_cfb -const EVP_CIPHER *EVP_bf_cfb(void); -const EVP_CIPHER * -EVP_bf_cfb(void) -{ - return EVP_bf_cfb64(); -} -#endif - -#ifndef OPENSSL_NO_DES -#undef EVP_des_cfb -const EVP_CIPHER *EVP_des_cfb(void); -const EVP_CIPHER * -EVP_des_cfb(void) -{ - return EVP_des_cfb64(); -} -#undef EVP_des_ede3_cfb -const EVP_CIPHER *EVP_des_ede3_cfb(void); -const EVP_CIPHER * -EVP_des_ede3_cfb(void) -{ - return EVP_des_ede3_cfb64(); -} -#undef EVP_des_ede_cfb -const EVP_CIPHER *EVP_des_ede_cfb(void); -const EVP_CIPHER * -EVP_des_ede_cfb(void) -{ - return EVP_des_ede_cfb64(); -} -#endif - -#ifndef OPENSSL_NO_IDEA -#undef EVP_idea_cfb -const EVP_CIPHER *EVP_idea_cfb(void); -const EVP_CIPHER * -EVP_idea_cfb(void) -{ - return EVP_idea_cfb64(); -} -#endif - -#ifndef OPENSSL_NO_RC2 -#undef EVP_rc2_cfb -const EVP_CIPHER *EVP_rc2_cfb(void); -const EVP_CIPHER * -EVP_rc2_cfb(void) -{ - return EVP_rc2_cfb64(); -} -#endif - -#ifndef OPENSSL_NO_CAST -#undef EVP_cast5_cfb -const EVP_CIPHER *EVP_cast5_cfb(void); -const EVP_CIPHER * -EVP_cast5_cfb(void) -{ - return EVP_cast5_cfb64(); -} -#endif - -#ifndef OPENSSL_NO_AES -#undef EVP_aes_128_cfb -const EVP_CIPHER *EVP_aes_128_cfb(void); -const EVP_CIPHER * -EVP_aes_128_cfb(void) -{ - return EVP_aes_128_cfb128(); -} -#undef EVP_aes_192_cfb -const EVP_CIPHER *EVP_aes_192_cfb(void); -const EVP_CIPHER * -EVP_aes_192_cfb(void) -{ - return EVP_aes_192_cfb128(); -} -#undef EVP_aes_256_cfb -const EVP_CIPHER *EVP_aes_256_cfb(void); -const EVP_CIPHER * -EVP_aes_256_cfb(void) -{ - return EVP_aes_256_cfb128(); -} -#endif - -#endif diff --git a/crypto/evp/e_rc2.c b/crypto/evp/e_rc2.c index b07fafd..78697d0 100644 --- a/crypto/evp/e_rc2.c +++ b/crypto/evp/e_rc2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_rc2.c,v 1.14 2022/01/20 11:31:37 inoguchi Exp $ */ +/* $OpenBSD: e_rc2.c,v 1.20 2022/11/26 16:08:52 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -56,6 +56,7 @@
 * [including the GNU Public Licence.]
 */
+#include
#include
#include
@@ -67,7 +68,7 @@
#include
#include
-#include "evp_locl.h"
+#include "evp_local.h"
static int rc2_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc);
@@ -84,13 +85,167 @@ typedef struct {
#define data(ctx) ((EVP_RC2_KEY *)(ctx)->cipher_data)
-IMPLEMENT_BLOCK_CIPHER(rc2, ks, RC2, EVP_RC2_KEY, NID_rc2,
- 8,
- RC2_KEY_LENGTH, 8, 64,
- EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT,
- rc2_init_key, NULL,
- rc2_set_asn1_type_and_iv, rc2_get_asn1_type_and_iv,
- rc2_ctrl)
+static int
+rc2_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl)
+{
+ size_t chunk = LONG_MAX & ~0xff;
+
+ while (inl >= chunk) {
+ RC2_cbc_encrypt(in, out, (long)chunk, &((EVP_RC2_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt);
+ inl -= chunk;
+ in += chunk;
+ out += chunk;
+ }
+
+ if (inl)
+ RC2_cbc_encrypt(in, out, (long)inl, &((EVP_RC2_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt);
+
+ return 1;
+}
+
+static int
+rc2_cfb64_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl)
+{
+ size_t chunk = LONG_MAX & ~0xff;
+
+ if (inl < chunk)
+ chunk = inl;
+
+ while (inl && inl >= chunk) {
+ RC2_cfb64_encrypt(in, out, (long)chunk, &((EVP_RC2_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt);
+ inl -= chunk;
+ in += chunk;
+ out += chunk;
+ if (inl < chunk)
+ chunk = inl;
+ }
+
+ return 1;
+}
+
+static int
+rc2_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl)
+{
+ size_t i, bl;
+
+ bl = ctx->cipher->block_size;
+
+ if (inl < bl)
+ return 1;
+
+ inl -= bl;
+
+ for (i = 0; i <= inl; i += bl)
+ RC2_ecb_encrypt(in + i, out + i, &((EVP_RC2_KEY *)ctx->cipher_data)->ks, ctx->encrypt);
+
+ return 1;
+}
+
+static int
+rc2_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl)
+{
+ size_t chunk = LONG_MAX & ~0xff;
+
+ while (inl >= chunk) {
+ RC2_ofb64_encrypt(in, out, (long)chunk, &((EVP_RC2_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num);
+ inl -= chunk;
+ in += chunk;
+ out += chunk;
+ }
+
+ if (inl)
+ RC2_ofb64_encrypt(in, out, (long)inl, &((EVP_RC2_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num);
+
+ return 1;
+}
+
+static const EVP_CIPHER rc2_cbc = {
+ .nid = NID_rc2_cbc,
+ .block_size = 8,
+ .key_len = RC2_KEY_LENGTH,
+ .iv_len = 8,
+ .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT | EVP_CIPH_CBC_MODE,
+ .init = rc2_init_key,
+ .do_cipher = rc2_cbc_cipher,
+ .cleanup = NULL,
+ .ctx_size = sizeof(EVP_RC2_KEY),
+ .set_asn1_parameters = rc2_set_asn1_type_and_iv,
+ .get_asn1_parameters = rc2_get_asn1_type_and_iv,
+ .ctrl = rc2_ctrl,
+ .app_data = NULL,
+};
+
+const EVP_CIPHER *
+EVP_rc2_cbc(void)
+{
+ return &rc2_cbc;
+}
+
+static const EVP_CIPHER rc2_cfb64 = {
+ .nid = NID_rc2_cfb64,
+ .block_size = 1,
+ .key_len = RC2_KEY_LENGTH,
+ .iv_len = 8,
+ .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT | EVP_CIPH_CFB_MODE,
+ .init = rc2_init_key,
+ .do_cipher = rc2_cfb64_cipher,
+ .cleanup = NULL,
+ .ctx_size = sizeof(EVP_RC2_KEY),
+ .set_asn1_parameters = rc2_set_asn1_type_and_iv,
+ .get_asn1_parameters = rc2_get_asn1_type_and_iv,
+ .ctrl = rc2_ctrl,
+ .app_data = NULL,
+};
+
+const EVP_CIPHER *
+EVP_rc2_cfb64(void)
+{
+ return &rc2_cfb64;
+}
+
+static const EVP_CIPHER rc2_ofb = {
+ .nid = NID_rc2_ofb64,
+ .block_size = 1,
+ .key_len = RC2_KEY_LENGTH,
+ .iv_len = 8,
+ .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT | EVP_CIPH_OFB_MODE,
+ .init = rc2_init_key,
+ .do_cipher = rc2_ofb_cipher,
+ .cleanup = NULL,
+ .ctx_size = sizeof(EVP_RC2_KEY),
+ .set_asn1_parameters = rc2_set_asn1_type_and_iv,
+ .get_asn1_parameters = rc2_get_asn1_type_and_iv,
+ .ctrl = rc2_ctrl,
+ .app_data = NULL,
+};
+
+const EVP_CIPHER *
+EVP_rc2_ofb(void)
+{
+ return &rc2_ofb;
+}
+
+static const EVP_CIPHER rc2_ecb = {
+ .nid = NID_rc2_ecb,
+ .block_size = 8,
+ .key_len = RC2_KEY_LENGTH,
+ .iv_len = 0,
+ .flags = EVP_CIPH_VARIABLE_LENGTH | EVP_CIPH_CTRL_INIT | EVP_CIPH_ECB_MODE,
+ .init = rc2_init_key,
+ .do_cipher = rc2_ecb_cipher,
+ .cleanup = NULL,
+ .ctx_size = sizeof(EVP_RC2_KEY),
+ .set_asn1_parameters = rc2_set_asn1_type_and_iv,
+ .get_asn1_parameters = rc2_get_asn1_type_and_iv,
+ .ctrl = rc2_ctrl,
+ .app_data = NULL,
+};
+
+const EVP_CIPHER *
+EVP_rc2_ecb(void)
+{
+ return &rc2_ecb;
+}
#define RC2_40_MAGIC 0xa0
#define RC2_64_MAGIC 0x78
diff --git a/crypto/evp/e_rc4.c b/crypto/evp/e_rc4.c
index e77a293..7afc6af 100644
--- a/crypto/evp/e_rc4.c
+++ b/crypto/evp/e_rc4.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_rc4.c,v 1.14 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: e_rc4.c,v 1.15 2022/11/26 16:08:52 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -66,7 +66,7 @@
#include
#include
-#include "evp_locl.h"
+#include "evp_local.h"
/* FIXME: surely this is available elsewhere? */
#define EVP_RC4_KEY_SIZE 16
diff --git a/crypto/evp/e_rc4_hmac_md5.c b/crypto/evp/e_rc4_hmac_md5.c
index b8a6b44..b3be57d 100644
--- a/crypto/evp/e_rc4_hmac_md5.c
+++ b/crypto/evp/e_rc4_hmac_md5.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_rc4_hmac_md5.c,v 1.9 2021/12/12 21:30:13 tb Exp $ */
+/* $OpenBSD: e_rc4_hmac_md5.c,v 1.10 2022/11/26 16:08:52 tb Exp $ */
/* ====================================================================
 * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
 *
@@ -60,7 +60,7 @@
#include
#include
-#include "evp_locl.h"
+#include "evp_local.h"
/* FIXME: surely this is available elsewhere? */
#define EVP_RC4_KEY_SIZE 16
diff --git a/crypto/evp/e_sm4.c b/crypto/evp/e_sm4.c
index 554915b..0d37448 100644
--- a/crypto/evp/e_sm4.c
+++ b/crypto/evp/e_sm4.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_sm4.c,v 1.1 2019/03/17 17:42:37 tb Exp $ */
+/* $OpenBSD: e_sm4.c,v 1.7 2022/11/26 16:08:52 tb Exp $ */
/*
 * Copyright (c) 2017, 2019 Ribose Inc
 *
@@ -22,7 +22,7 @@
#include
#include
-#include "evp_locl.h"
+#include "evp_local.h"
typedef struct {
SM4_KEY ks;
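Review bot: The `(long)chunk` and `(long)inl` casts in rc2_cbc_cipher, rc2_cfb64_cipher and rc2_ofb_cipher are only safe because `chunk` starts at `LONG_MAX & ~0xff`, and nothing in the hunk says so; a comment at the first definition, `/* RC2_*_encrypt() take a long length; cap each call at LONG_MAX & ~0xff */`, would stop a later edit from swapping in EVP_MAXCHUNK (which the sm4 hunk uses, without casts, since its primitives take size_t) and silently changing the chunking. rc2_ecb_cipher drops any trailing partial block without reporting it (`if (inl < bl) return 1;` plus the `i <= inl` loop), exactly as the removed BLOCK_CIPHER_ecb_loop did; that is presumably fine because EVP_EncryptUpdate only hands it whole blocks, but a one-line comment stating that precondition would make the silent return look deliberate. The header name of the `#include` added in this file's -56 hunk has been stripped in this rendering; presumably it is the one that provides LONG_MAX, which is what the new code depends on.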
@@ -74,14 +74,169 @@ sm4_ofb128_encrypt(const unsigned char *in, unsigned char *out, size_t length,
(block128_f)SM4_encrypt);
}
-IMPLEMENT_BLOCK_CIPHER(sm4, ks, sm4, EVP_SM4_KEY, NID_sm4, 16, 16, 16, 128,
- EVP_CIPH_FLAG_DEFAULT_ASN1, sm4_init_key, NULL, 0, 0, 0)
+static int
+sm4_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl)
+{
+ while (inl >= EVP_MAXCHUNK) {
+ sm4_cbc_encrypt(in, out, EVP_MAXCHUNK, &((EVP_SM4_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt);
+ inl -= EVP_MAXCHUNK;
+ in += EVP_MAXCHUNK;
+ out += EVP_MAXCHUNK;
+ }
+
+ if (inl)
+ sm4_cbc_encrypt(in, out, inl, &((EVP_SM4_KEY *)ctx->cipher_data)->ks, ctx->iv, ctx->encrypt);
+
+ return 1;
+}
+
+static int
+sm4_cfb128_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl)
+{
+ size_t chunk = EVP_MAXCHUNK;
+
+ if (inl < chunk)
+ chunk = inl;
+
+ while (inl && inl >= chunk) {
+ sm4_cfb128_encrypt(in, out, chunk, &((EVP_SM4_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num, ctx->encrypt);
+ inl -= chunk;
+ in += chunk;
+ out += chunk;
+ if (inl < chunk)
+ chunk = inl;
+ }
+
+ return 1;
+}
+
+static int
+sm4_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl)
+{
+ size_t i, bl;
+
+ bl = ctx->cipher->block_size;
+
+ if (inl < bl)
+ return 1;
+
+ inl -= bl;
+
+ for (i = 0; i <= inl; i += bl)
+ sm4_ecb_encrypt(in + i, out + i, &((EVP_SM4_KEY *)ctx->cipher_data)->ks, ctx->encrypt);
+
+ return 1;
+}
+
+static int
+sm4_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl)
+{
+ while (inl >= EVP_MAXCHUNK) {
+ sm4_ofb128_encrypt(in, out, EVP_MAXCHUNK, &((EVP_SM4_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num);
+ inl -= EVP_MAXCHUNK;
+ in += EVP_MAXCHUNK;
+ out += EVP_MAXCHUNK;
+ }
+
+ if (inl)
+ sm4_ofb128_encrypt(in, out, inl, &((EVP_SM4_KEY *)ctx->cipher_data)->ks, ctx->iv, &ctx->num);
+
+ return 1;
+}
+
+static const EVP_CIPHER sm4_cbc = {
+ .nid = NID_sm4_cbc,
+ .block_size = 16,
+ .key_len = 16,
+ .iv_len = 16,
+ .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CBC_MODE,
+ .init = sm4_init_key,
+ .do_cipher = sm4_cbc_cipher,
+ .cleanup = NULL,
+ .ctx_size = sizeof(EVP_SM4_KEY),
+ .set_asn1_parameters = 0,
+ .get_asn1_parameters = 0,
+ .ctrl = 0,
+ .app_data = NULL,
+};
+
+const EVP_CIPHER *
+EVP_sm4_cbc(void)
+{
+ return &sm4_cbc;
+}
+
+static const EVP_CIPHER sm4_cfb128 = {
+ .nid = NID_sm4_cfb128,
+ .block_size = 1,
+ .key_len = 16,
+ .iv_len = 16,
+ .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_CFB_MODE,
+ .init = sm4_init_key,
+ .do_cipher = sm4_cfb128_cipher,
+ .cleanup = NULL,
+ .ctx_size = sizeof(EVP_SM4_KEY),
+ .set_asn1_parameters = 0,
+ .get_asn1_parameters = 0,
+ .ctrl = 0,
+ .app_data = NULL,
+};
+
+const EVP_CIPHER *
+EVP_sm4_cfb128(void)
+{
+ return &sm4_cfb128;
+}
+
+static const EVP_CIPHER sm4_ofb = {
+ .nid = NID_sm4_ofb128,
+ .block_size = 1,
+ .key_len = 16,
+ .iv_len = 16,
+ .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_OFB_MODE,
+ .init = sm4_init_key,
+ .do_cipher = sm4_ofb_cipher,
+ .cleanup = NULL,
+ .ctx_size = sizeof(EVP_SM4_KEY),
+ .set_asn1_parameters = 0,
+ .get_asn1_parameters = 0,
+ .ctrl = 0,
+ .app_data = NULL,
+};
+
+const EVP_CIPHER *
+EVP_sm4_ofb(void)
+{
+ return &sm4_ofb;
+}
+
+static const EVP_CIPHER sm4_ecb = {
+ .nid = NID_sm4_ecb,
+ .block_size = 16,
+ .key_len = 16,
+ .iv_len = 0,
+ .flags = EVP_CIPH_FLAG_DEFAULT_ASN1 | EVP_CIPH_ECB_MODE,
+ .init = sm4_init_key,
+ .do_cipher = sm4_ecb_cipher,
+ .cleanup = NULL,
+ .ctx_size = sizeof(EVP_SM4_KEY),
+ .set_asn1_parameters = 0,
+ .get_asn1_parameters = 0,
+ .ctrl = 0,
+ .app_data = NULL,
+};
+
+const EVP_CIPHER *
+EVP_sm4_ecb(void)
+{
+ return &sm4_ecb;
+}
static int
sm4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t len)
{
- EVP_SM4_KEY *key = EVP_C_DATA(EVP_SM4_KEY, ctx);
+ EVP_SM4_KEY *key = ((EVP_SM4_KEY *)(ctx)->cipher_data);
CRYPTO_ctr128_encrypt(in, out, len, &key->ks, ctx->iv, ctx->buf, &ctx->num, (block128_f)SM4_encrypt);
@@ -109,5 +264,4 @@ EVP_sm4_ctr(void)
{
return &sm4_ctr_mode;
}
-
#endif
diff --git a/crypto/evp/e_xcbc_d.c b/crypto/evp/e_xcbc_d.c
index 2aae0a9..bbbc3a1 100644
--- a/crypto/evp/e_xcbc_d.c
+++ b/crypto/evp/e_xcbc_d.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_xcbc_d.c,v 1.12 2014/07/11 08:44:48 jsing Exp $ */
+/* $OpenBSD: e_xcbc_d.c,v 1.13 2022/11/26 16:08:52 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -67,7 +67,7 @@
#include
#include
-#include "evp_locl.h"
+#include "evp_local.h"
static int desx_cbc_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, const unsigned char *iv, int enc);
diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c
index 30fcd85..718bdb5 100644
--- a/crypto/evp/encode.c
+++ b/crypto/evp/encode.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: encode.c,v 1.29 2021/12/12 21:30:13 tb Exp $ */
+/* $OpenBSD: encode.c,v 1.30 2022/11/26 16:08:52 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -62,7 +62,7 @@
#include
-#include "evp_locl.h"
+#include "evp_local.h"
static unsigned char conv_ascii2bin(unsigned char a);
#define conv_bin2ascii(a) (data_bin2ascii[(a)&0x3f])
diff --git a/crypto/evp/evp_aead.c b/crypto/evp/evp_aead.c
index 93d523a..58f1c87 100644
--- a/crypto/evp/evp_aead.c
+++ b/crypto/evp/evp_aead.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_aead.c,v 1.7 2022/01/07 21:58:17 tb Exp $ */
+/* $OpenBSD: evp_aead.c,v 1.8 2022/11/26 16:08:52 tb Exp $ */
/*
 * Copyright (c) 2014, Google Inc.
 *
@@ -21,7 +21,7 @@
#include
#include
-#include "evp_locl.h"
+#include "evp_local.h"
size_t
EVP_AEAD_key_length(const EVP_AEAD *aead)
diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 896b9e1..df818e3 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
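Review bot: The four EVP_CIPHER initialisers in the sm4 hunk set `.set_asn1_parameters = 0`, `.get_asn1_parameters = 0` and `.ctrl = 0` while `.cleanup` and `.app_data` in the same initialisers, and the rc2 and idea tables earlier in this diff, use NULL for pointer members; the function pointers should read `.set_asn1_parameters = NULL, .get_asn1_parameters = NULL, .ctrl = NULL,` so the tables are uniform. The one-line change in sm4_ctr_cipher expands EVP_C_DATA by hand but keeps the macro's redundant parentheses around ctx; `EVP_SM4_KEY *key = (EVP_SM4_KEY *)ctx->cipher_data;` matches the cast style of the new sm4_*_cipher functions directly above it. sm4_ctr_cipher's body continues outside the hunk.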
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_enc.c,v 1.44 2021/02/18 19:12:29 tb Exp $ */
+/* $OpenBSD: evp_enc.c,v 1.50 2023/03/01 11:16:06 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -72,9 +72,7 @@
#include
#endif
-#include "evp_locl.h"
-
-#define M_do_cipher(ctx, out, in, inl) ctx->cipher->do_cipher(ctx, out, in, inl)
+#include "evp_local.h"
int
EVP_CipherInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
@@ -100,7 +98,7 @@ EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl,
/* Whether it's nice or not, "Inits" can be used on "Final"'d contexts
 * so this context may already have an ENGINE! Try to avoid releasing
 * the previous handle, re-querying for an ENGINE, and having a
- * reinitialisation, when it may all be unecessary. */
+ * reinitialisation, when it may all be unnecessary. */
if (ctx->engine && ctx->cipher && (!cipher || (cipher && (cipher->nid == ctx->cipher->nid))))
goto skip_to_init;
@@ -300,8 +298,16 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
{
int i, j, bl;
+ *outl = 0;
+
+ if (inl < 0)
+ return 0;
+
+ if (inl == 0 && EVP_CIPHER_mode(ctx->cipher) != EVP_CIPH_CCM_MODE)
+ return 1;
+
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
- i = M_do_cipher(ctx, out, in, inl);
+ i = ctx->cipher->do_cipher(ctx, out, in, inl);
if (i < 0)
return 0;
else
@@ -309,13 +315,8 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
return 1;
}
- if (inl <= 0) {
- *outl = 0;
- return inl == 0;
- }
-
if (ctx->buf_len == 0 && (inl&(ctx->block_mask)) == 0) {
- if (M_do_cipher(ctx, out, in, inl)) {
+ if (ctx->cipher->do_cipher(ctx, out, in, inl)) {
*outl = inl;
return 1;
} else {
@@ -350,7 +351,7 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
return 0;
}
memcpy(&(ctx->buf[i]), in, j);
- if (!M_do_cipher(ctx, out, ctx->buf, bl))
+ if (!ctx->cipher->do_cipher(ctx, out, ctx->buf, bl))
return 0;
inl -= j;
in += j;
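Review bot: The new argument checks at the top of EVP_EncryptUpdate (-300,8) give no reason for exempting EVP_CIPH_CCM_MODE from the `inl == 0` shortcut, and the same eight lines are repeated verbatim at the top of EVP_DecryptUpdate (-438,8); a comment such as `/* CCM is presumably handed a zero-length update to announce the total length, so it alone must see inl == 0 */` — confirm against the CCM ctrl handling, which is not in this diff — would document it, and hoisting the pair into one static helper would keep the two copies from drifting. Note also that the zero-length return now precedes the EVP_CIPH_FLAG_CUSTOM_CIPHER dispatch, whereas the removed `inl <= 0` test came after it, so custom ciphers other than CCM are no longer invoked with inl == 0; that looks intended but deserves a sentence in the commit description. EVP_EncryptUpdate's body continues outside the hunk.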
@@ -362,7 +363,7 @@ EVP_EncryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
i = inl&(bl - 1);
inl -= i;
if (inl > 0) {
- if (!M_do_cipher(ctx, out, in, inl))
+ if (!ctx->cipher->do_cipher(ctx, out, in, inl))
return 0;
*outl += inl;
}
@@ -392,7 +393,7 @@ EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
unsigned int i, b, bl;
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
- ret = M_do_cipher(ctx, out, NULL, 0);
+ ret = ctx->cipher->do_cipher(ctx, out, NULL, 0);
if (ret < 0)
return 0;
else
@@ -422,7 +423,7 @@ EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
n = b - bl;
for (i = bl; i < b; i++)
ctx->buf[i] = n;
- ret = M_do_cipher(ctx, out, ctx->buf, b);
+ ret = ctx->cipher->do_cipher(ctx, out, ctx->buf, b);
if (ret)
@@ -438,8 +439,16 @@ EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
int fix_len;
unsigned int b;
+ *outl = 0;
+
+ if (inl < 0)
+ return 0;
+
+ if (inl == 0 && EVP_CIPHER_mode(ctx->cipher) != EVP_CIPH_CCM_MODE)
+ return 1;
+
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
- fix_len = M_do_cipher(ctx, out, in, inl);
+ fix_len = ctx->cipher->do_cipher(ctx, out, in, inl);
if (fix_len < 0) {
*outl = 0;
return 0;
@@ -448,11 +457,6 @@ EVP_DecryptUpdate(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl,
return 1;
}
- if (inl <= 0) {
- *outl = 0;
- return inl == 0;
- }
-
if (ctx->flags & EVP_CIPH_NO_PADDING)
return EVP_EncryptUpdate(ctx, out, outl, in, inl);
@@ -518,7 +522,7 @@ EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl)
*outl = 0;
if (ctx->cipher->flags & EVP_CIPH_FLAG_CUSTOM_CIPHER) {
- i = M_do_cipher(ctx, out, NULL, 0);
+ i = ctx->cipher->do_cipher(ctx, out, NULL, 0);
if (i < 0)
return 0;
else
@@ -597,18 +601,22 @@ int
EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c)
{
if (c->cipher != NULL) {
- if (c->cipher->cleanup && !c->cipher->cleanup(c))
- return 0;
- /* Cleanse cipher context data */
- if (c->cipher_data)
+ /* XXX - Avoid leaks, so ignore return value of cleanup()... */
+ if (c->cipher->cleanup != NULL)
+ c->cipher->cleanup(c);
+ if (c->cipher_data != NULL)
explicit_bzero(c->cipher_data, c->cipher->ctx_size);
}
+ /* XXX - store size of cipher_data so we can always freezero(). */
free(c->cipher_data);
+
#ifndef OPENSSL_NO_ENGINE
ENGINE_finish(c->engine);
#endif
+ explicit_bzero(c, sizeof(EVP_CIPHER_CTX));
+
return 1;
}
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index 07ece82..9cf89f4 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_err.c,v 1.27 2021/03/29 15:57:23 tb Exp $ */
+/* $OpenBSD: evp_err.c,v 1.30 2022/11/10 15:17:30 jsing Exp $ */
/* ====================================================================
 * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
 *
@@ -53,11 +53,6 @@
 *
 */
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
#include
#include
@@ -65,7 +60,6 @@
#include
#include
-/* BEGIN ERROR CODES */
#ifndef OPENSSL_NO_ERR
#define ERR_FUNC(func) ERR_PACK(ERR_LIB_EVP,func,0)
@@ -107,6 +101,7 @@ static ERR_STRING_DATA EVP_str_reasons[] = {
{ERR_REASON(EVP_R_EXPECTING_A_ECDSA_KEY) , "expecting a ecdsa key"},
{ERR_REASON(EVP_R_EXPECTING_A_EC_KEY) , "expecting a ec key"},
{ERR_REASON(EVP_R_FIPS_MODE_NOT_SUPPORTED), "fips mode not supported"},
+ {ERR_REASON(EVP_R_GET_RAW_KEY_FAILED) , "get raw key failed"},
{ERR_REASON(EVP_R_INITIALIZATION_ERROR) , "initialization error"},
{ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) , "input not initialized"},
{ERR_REASON(EVP_R_INVALID_DIGEST) , "invalid digest"},
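Review bot: The comment `/* XXX - Avoid leaks, so ignore return value of cleanup()... */` in EVP_CIPHER_CTX_cleanup does not say what leaked; the removed `return 0` skipped both `free(c->cipher_data)` and `ENGINE_finish(c->engine)`, so `/* XXX - ignore cleanup() failures: returning early here used to leak cipher_data and the engine reference */` records the actual reason. A consequence worth a line in the same comment is that the function now always returns 1, so any caller that checked this return to detect a failed cipher-specific cleanup now has a dead error path. The trailing `explicit_bzero(c, sizeof(EVP_CIPHER_CTX))` is a good hardening step; if the old body ended with a plain memset of the context, which this rendering does not show, the commit could mention that it replaces it.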
@@ -128,6 +123,7 @@ static ERR_STRING_DATA EVP_str_reasons[] = {
{ERR_REASON(EVP_R_NO_OPERATION_SET) , "no operation set"},
{ERR_REASON(EVP_R_NO_SIGN_FUNCTION_CONFIGURED), "no sign function configured"},
{ERR_REASON(EVP_R_NO_VERIFY_FUNCTION_CONFIGURED), "no verify function configured"},
+ {ERR_REASON(EVP_R_ONLY_ONESHOT_SUPPORTED), "only oneshot supported"},
{ERR_REASON(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "operation not supported for this keytype"},
{ERR_REASON(EVP_R_OPERATON_NOT_INITIALIZED), "operaton not initialized"},
{ERR_REASON(EVP_R_OUTPUT_ALIASES_INPUT) , "output aliases input"},
diff --git a/crypto/evp/evp_key.c b/crypto/evp/evp_key.c
index dcfb94e..6fc8588 100644
--- a/crypto/evp/evp_key.c
+++ b/crypto/evp/evp_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_key.c,v 1.27 2021/12/12 21:30:13 tb Exp $ */
+/* $OpenBSD: evp_key.c,v 1.28 2022/11/26 16:08:52 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -65,7 +65,7 @@
#include
#include
-#include "evp_locl.h"
+#include "evp_local.h"
/* should be init to zeros. */
static char prompt_string[80];
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index 0e354d6..f64842b 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_lib.c,v 1.24 2022/01/10 13:42:28 tb Exp $ */
+/* $OpenBSD: evp_lib.c,v 1.25 2022/11/26 16:08:52 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,8 +63,8 @@
#include
#include
-#include "asn1_locl.h"
-#include "evp_locl.h"
+#include "asn1_local.h"
+#include "evp_local.h"
int
EVP_CIPHER_param_to_asn1(EVP_CIPHER_CTX *c, ASN1_TYPE *type)
diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_local.h
similarity index 58%
rename from crypto/evp/evp_locl.h
rename to crypto/evp/evp_local.h
index c3d9a6a..9905b82 100644
--- a/crypto/evp/evp_locl.h
+++ b/crypto/evp/evp_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_locl.h,v 1.22 2022/01/14 08:38:05 tb Exp $ */
+/* $OpenBSD: evp_local.h,v 1.3 2023/03/01 11:16:06 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2000. */
@@ -56,8 +56,8 @@
 *
 */
-#ifndef HEADER_EVP_LOCL_H
-#define HEADER_EVP_LOCL_H
+#ifndef HEADER_EVP_LOCAL_H
+#define HEADER_EVP_LOCAL_H
__BEGIN_HIDDEN_DECLS
@@ -74,6 +74,15 @@ typedef int evp_verify_method(int type, const unsigned char *m,
unsigned int m_length, const unsigned char *sigbuf, unsigned int siglen, void *key);
+struct ecx_key_st {
+ int nid;
+ int key_len;
+ uint8_t *priv_key;
+ size_t priv_key_len;
+ uint8_t *pub_key;
+ size_t pub_key_len;
+};
+
/* Type needs to be a bit field
 * Sub-type needs to be for variations on the method, as in, can it do
 * arbitrary encryption.... */
@@ -84,7 +93,7 @@ struct evp_pkey_st {
const EVP_PKEY_ASN1_METHOD *ameth;
ENGINE *engine;
union {
- char *ptr;
+ void *ptr;
#ifndef OPENSSL_NO_RSA
struct rsa_st *rsa; /* RSA */
#endif
@@ -96,6 +105,7 @@ struct evp_pkey_st {
#endif
#ifndef OPENSSL_NO_EC
struct ec_key_st *ec; /* ECC */
+ struct ecx_key_st *ecx; /* ECX */
#endif
#ifndef OPENSSL_NO_GOST
struct gost_key_st *gost; /* GOST */
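Review bot: `struct ecx_key_st` (-74,6) is introduced without a comment on what its members hold, and since priv_key and pub_key are bare uint8_t buffers with separate lengths, a reader of the new `ecx` union member has nothing to go on; a short block above the struct stating that nid identifies the key type, that priv_key/pub_key are raw encodings of priv_key_len/pub_key_len bytes, and whether the struct owns those buffers (so that the private one is wiped rather than merely freed) would settle it. Those semantics are inferred from the field names only, so confirm them against the allocation and free routines, which are not in this diff. The `char *ptr` to `void *ptr` change in the same file (-84,7) is reasonable but unexplained, and a reader will wonder whether any caller relied on pointer arithmetic through ptr; a line in the commit description would answer that.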
@@ -184,213 +194,8 @@ struct evp_Encode_Ctx_st { int expect_nl; } /* EVP_ENCODE_CTX */; -/* Macros to code block cipher wrappers */ - -/* Wrapper functions for each cipher mode */ - -#define BLOCK_CIPHER_ecb_loop() \ - size_t i, bl; \ - bl = ctx->cipher->block_size;\ - if(inl < bl) return 1;\ - inl -= bl; \ - for(i=0; i <= inl; i+=bl) - -#define BLOCK_CIPHER_func_ecb(cname, cprefix, kstruct, ksched) \ -static int cname##_ecb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \ -{\ - BLOCK_CIPHER_ecb_loop() \ - cprefix##_ecb_encrypt(in + i, out + i, &((kstruct *)ctx->cipher_data)->ksched, ctx->encrypt);\ - return 1;\ -} - #define EVP_MAXCHUNK ((size_t)1<<(sizeof(long)*8-2)) -#define BLOCK_CIPHER_func_ofb(cname, cprefix, cbits, kstruct, ksched) \ -static int cname##_ofb_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \ -{\ - while(inl>=EVP_MAXCHUNK)\ - {\ - cprefix##_ofb##cbits##_encrypt(in, out, (long)EVP_MAXCHUNK, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num);\ - inl-=EVP_MAXCHUNK;\ - in +=EVP_MAXCHUNK;\ - out+=EVP_MAXCHUNK;\ - }\ - if (inl)\ - cprefix##_ofb##cbits##_encrypt(in, out, (long)inl, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num);\ - return 1;\ -} - -#define BLOCK_CIPHER_func_cbc(cname, cprefix, kstruct, ksched) \ -static int cname##_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, size_t inl) \ -{\ - while(inl>=EVP_MAXCHUNK) \ - {\ - cprefix##_cbc_encrypt(in, out, (long)EVP_MAXCHUNK, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, ctx->encrypt);\ - inl-=EVP_MAXCHUNK;\ - in +=EVP_MAXCHUNK;\ - out+=EVP_MAXCHUNK;\ - }\ - if (inl)\ - cprefix##_cbc_encrypt(in, out, (long)inl, &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, ctx->encrypt);\ - return 1;\ -} - -#define BLOCK_CIPHER_func_cfb(cname, cprefix, cbits, kstruct, ksched) \ -static int cname##_cfb##cbits##_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, 
size_t inl) \ -{\ - size_t chunk=EVP_MAXCHUNK;\ - if (cbits==1) chunk>>=3;\ - if (inl=chunk)\ - {\ - cprefix##_cfb##cbits##_encrypt(in, out, (long)((cbits==1) && !(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS) ?inl*8:inl), &((kstruct *)ctx->cipher_data)->ksched, ctx->iv, &ctx->num, ctx->encrypt);\ - inl-=chunk;\ - in +=chunk;\ - out+=chunk;\ - if(inlc))+\ - sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\ - set_asn1, get_asn1,\ - ctrl, \ - NULL \ -};\ -const EVP_CIPHER *EVP_##cname##_cbc(void) { return &cname##_cbc; }\ -static const EVP_CIPHER cname##_cfb = {\ - nid##_cfb64, 1, key_len, iv_len, \ - flags | EVP_CIPH_CFB_MODE,\ - init_key,\ - cname##_cfb_cipher,\ - cleanup,\ - sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\ - sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\ - set_asn1, get_asn1,\ - ctrl,\ - NULL \ -};\ -const EVP_CIPHER *EVP_##cname##_cfb(void) { return &cname##_cfb; }\ -static const EVP_CIPHER cname##_ofb = {\ - nid##_ofb64, 1, key_len, iv_len, \ - flags | EVP_CIPH_OFB_MODE,\ - init_key,\ - cname##_ofb_cipher,\ - cleanup,\ - sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\ - sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\ - set_asn1, get_asn1,\ - ctrl,\ - NULL \ -};\ -const EVP_CIPHER *EVP_##cname##_ofb(void) { return &cname##_ofb; }\ -static const EVP_CIPHER cname##_ecb = {\ - nid##_ecb, block_size, key_len, iv_len, \ - flags | EVP_CIPH_ECB_MODE,\ - init_key,\ - cname##_ecb_cipher,\ - cleanup,\ - sizeof(EVP_CIPHER_CTX)-sizeof((((EVP_CIPHER_CTX *)NULL)->c))+\ - sizeof((((EVP_CIPHER_CTX *)NULL)->c.kstruct)),\ - set_asn1, get_asn1,\ - ctrl,\ - NULL \ -};\ -const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; } -*/ - -#define IMPLEMENT_BLOCK_CIPHER(cname, ksched, cprefix, kstruct, nid, \ - block_size, key_len, iv_len, cbits, \ - flags, init_key, \ - cleanup, set_asn1, get_asn1, ctrl) \ - BLOCK_CIPHER_all_funcs(cname, cprefix, cbits, kstruct, ksched) \ - BLOCK_CIPHER_defs(cname, kstruct, nid, block_size, key_len, iv_len, 
\ - cbits, flags, init_key, cleanup, set_asn1, \ - get_asn1, ctrl) - -#define EVP_C_DATA(kstruct, ctx) ((kstruct *)(ctx)->cipher_data) - -#define IMPLEMENT_CFBR(cipher,cprefix,kstruct,ksched,keysize,cbits,iv_len) \ - BLOCK_CIPHER_func_cfb(cipher##_##keysize,cprefix,cbits,kstruct,ksched) \ - BLOCK_CIPHER_def_cfb(cipher##_##keysize,kstruct, \ - NID_##cipher##_##keysize, keysize/8, iv_len, cbits, \ - 0, cipher##_init_key, NULL, \ - EVP_CIPHER_set_asn1_iv, \ - EVP_CIPHER_get_asn1_iv, \ - NULL) - struct evp_pkey_ctx_st { /* Method associated with this operation */ const EVP_PKEY_METHOD *pmeth; @@ -465,6 +270,11 @@ struct evp_pkey_method_st { int (*ctrl)(EVP_PKEY_CTX *ctx, int type, int p1, void *p2); int (*ctrl_str)(EVP_PKEY_CTX *ctx, const char *type, const char *value); + int (*digestsign)(EVP_MD_CTX *ctx, unsigned char *sig, size_t *siglen, + const unsigned char *tbs, size_t tbslen); + int (*digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig, + size_t siglen, const unsigned char *tbs, size_t tbslen); + int (*check)(EVP_PKEY *pkey); int (*public_check)(EVP_PKEY *pkey); int (*param_check)(EVP_PKEY *pkey); @@ -505,8 +315,10 @@ struct evp_aead_ctx_st { void *aead_state; }; +int EVP_PKEY_CTX_str2ctrl(EVP_PKEY_CTX *ctx, int cmd, const char *str); +int EVP_PKEY_CTX_hex2ctrl(EVP_PKEY_CTX *ctx, int cmd, const char *hex); int EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md_name); __END_HIDDEN_DECLS -#endif /* !HEADER_EVP_LOCL_H */ +#endif /* !HEADER_EVP_LOCAL_H */ diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c index 65e9e45..5659555 100644 --- a/crypto/evp/evp_pbe.c +++ b/crypto/evp/evp_pbe.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_pbe.c,v 1.26 2020/06/05 17:30:41 jsing Exp $ */ +/* $OpenBSD: evp_pbe.c,v 1.27 2022/11/26 16:08:52 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
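Review bot: `int (*digestverify) (EVP_MD_CTX *ctx, const unsigned char *sig,` in the evp_pkey_method_st hunk (-465,6) has a space between the declarator and its parameter list while the neighbouring `digestsign`, `ctrl` and `check` members do not; it should read `int (*digestverify)(EVP_MD_CTX *ctx, const unsigned char *sig,`. The two new members also carry no comment on how they relate to the existing per-operation sign/verify callbacks; a line such as `/* One-shot sign/verify over tbs; presumably preferred over sign/verify when set */` above them would help, with the wording checked against the dispatch code, which is not in this diff. Inserting members in the middle of the struct changes its layout, which is fine only because the header is under __BEGIN_HIDDEN_DECLS; that is worth a sentence in the commit description.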
@@ -66,7 +66,7 @@
#include
#include
-#include "evp_locl.h"
+#include "evp_local.h"
/* Password based encryption (PBE) functions */
diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c
index 3ba0e1d..d2fbdee 100644
--- a/crypto/evp/evp_pkey.c
+++ b/crypto/evp/evp_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_pkey.c,v 1.24 2021/12/12 21:30:13 tb Exp $ */
+/* $OpenBSD: evp_pkey.c,v 1.25 2022/11/26 16:08:52 tb Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999. */
@@ -62,8 +62,8 @@
#include
#include
-#include "asn1_locl.h"
-#include "evp_locl.h"
+#include "asn1_local.h"
+#include "evp_local.h"
/* Extract a private key from a PKCS8 structure */
diff --git a/crypto/evp/m_gost2814789.c b/crypto/evp/m_gost2814789.c
index 7d11ec8..ca303da 100644
--- a/crypto/evp/m_gost2814789.c
+++ b/crypto/evp/m_gost2814789.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: m_gost2814789.c,v 1.3 2021/12/12 21:30:13 tb Exp $ */
+/* $OpenBSD: m_gost2814789.c,v 1.4 2022/11/26 16:08:52 tb Exp $ */
/*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -57,7 +57,7 @@
#include
#include
-#include "evp_locl.h"
+#include "evp_local.h"
static int
gost2814789_init(EVP_MD_CTX *ctx)
diff --git a/crypto/evp/m_gostr341194.c b/crypto/evp/m_gostr341194.c
index f479675..33e96a5 100644
--- a/crypto/evp/m_gostr341194.c
+++ b/crypto/evp/m_gostr341194.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: m_gostr341194.c,v 1.4 2022/01/14 08:38:05 tb Exp $ */
+/* $OpenBSD: m_gostr341194.c,v 1.5 2022/11/26 16:08:52 tb Exp $ */
/*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -59,7 +59,7 @@
#include
#include
-#include "evp_locl.h"
+#include "evp_local.h"
static int
gostr341194_init(EVP_MD_CTX *ctx)
diff --git a/crypto/evp/m_md4.c b/crypto/evp/m_md4.c
index 9775652..c1e0256 100644
--- a/crypto/evp/m_md4.c
+++ b/crypto/evp/m_md4.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: m_md4.c,v 1.18 2022/01/14 08:38:05 tb Exp $ */ +/* $OpenBSD: m_md4.c,v 1.19 2022/11/26 16:08:52 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -71,7 +71,7 @@ #include #endif -#include "evp_locl.h" +#include "evp_local.h" static int init(EVP_MD_CTX *ctx) diff --git a/crypto/evp/m_md5.c b/crypto/evp/m_md5.c index daa7aee..b66b25b 100644 --- a/crypto/evp/m_md5.c +++ b/crypto/evp/m_md5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: m_md5.c,v 1.17 2022/01/14 08:38:06 tb Exp $ */ +/* $OpenBSD: m_md5.c,v 1.18 2022/11/26 16:08:52 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -71,7 +71,7 @@ #include #endif -#include "evp_locl.h" +#include "evp_local.h" static int init(EVP_MD_CTX *ctx) diff --git a/crypto/evp/m_md5_sha1.c b/crypto/evp/m_md5_sha1.c index f8bec10..b1944b8 100644 --- a/crypto/evp/m_md5_sha1.c +++ b/crypto/evp/m_md5_sha1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: m_md5_sha1.c,v 1.4 2022/01/14 08:38:06 tb Exp $ */ +/* $OpenBSD: m_md5_sha1.c,v 1.5 2022/11/26 16:08:52 tb Exp $ */ /* * Copyright (c) 2017 Joel Sing * @@ -24,7 +24,7 @@ #include #endif -#include "evp_locl.h" +#include "evp_local.h" struct md5_sha1_ctx { MD5_CTX md5; diff --git a/crypto/evp/m_null.c b/crypto/evp/m_null.c index 4334dec..d09c000 100644 --- a/crypto/evp/m_null.c +++ b/crypto/evp/m_null.c @@ -1,4 +1,4 @@ -/* $OpenBSD: m_null.c,v 1.11 2022/01/14 08:38:06 tb Exp $ */ +/* $OpenBSD: m_null.c,v 1.12 2022/11/26 16:08:52 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,7 +62,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" static int init(EVP_MD_CTX *ctx) diff --git a/crypto/evp/m_ripemd.c b/crypto/evp/m_ripemd.c index 4739783..896de59 100644 --- a/crypto/evp/m_ripemd.c +++ b/crypto/evp/m_ripemd.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: m_ripemd.c,v 1.14 2022/01/14 08:38:06 tb Exp $ */ +/* $OpenBSD: m_ripemd.c,v 1.15 2022/11/26 16:08:52 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -71,7 +71,7 @@ #include #endif -#include "evp_locl.h" +#include "evp_local.h" static int init(EVP_MD_CTX *ctx) diff --git a/crypto/evp/m_sha1.c b/crypto/evp/m_sha1.c index a6fb536..b7f4705 100644 --- a/crypto/evp/m_sha1.c +++ b/crypto/evp/m_sha1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: m_sha1.c,v 1.19 2022/01/14 08:38:06 tb Exp $ */ +/* $OpenBSD: m_sha1.c,v 1.23 2023/04/16 16:42:06 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -70,22 +70,23 @@ #include #endif -#include "evp_locl.h" +#include "evp_local.h" +#include "sha_internal.h" static int -init(EVP_MD_CTX *ctx) +sha1_init(EVP_MD_CTX *ctx) { return SHA1_Init(ctx->md_data); } static int -update(EVP_MD_CTX *ctx, const void *data, size_t count) +sha1_update(EVP_MD_CTX *ctx, const void *data, size_t count) { return SHA1_Update(ctx->md_data, data, count); } static int -final(EVP_MD_CTX *ctx, unsigned char *md) +sha1_final(EVP_MD_CTX *ctx, unsigned char *md) { return SHA1_Final(md, ctx->md_data); } @@ -95,9 +96,9 @@ static const EVP_MD sha1_md = { .pkey_type = NID_sha1WithRSAEncryption, .md_size = SHA_DIGEST_LENGTH, .flags = EVP_MD_FLAG_DIGALGID_ABSENT, - .init = init, - .update = update, - .final = final, + .init = sha1_init, + .update = sha1_update, + .final = sha1_final, .copy = NULL, .cleanup = NULL, .block_size = SHA_CBLOCK, 
@@ -107,37 +108,32 @@ static const EVP_MD sha1_md = { const EVP_MD * EVP_sha1(void) { - return (&sha1_md); + return &sha1_md; } #endif #ifndef OPENSSL_NO_SHA256 static int -init224(EVP_MD_CTX *ctx) +sha224_init(EVP_MD_CTX *ctx) { return SHA224_Init(ctx->md_data); } static int -init256(EVP_MD_CTX *ctx) -{ - return SHA256_Init(ctx->md_data); -} -/* - * Even though there're separate SHA224_[Update|Final], we call - * SHA256 functions even in SHA224 context. This is what happens - * there anyway, so we can spare few CPU cycles:-) - */ -static int -update256(EVP_MD_CTX *ctx, const void *data, size_t count) +sha224_update(EVP_MD_CTX *ctx, const void *data, size_t count) { + /* + * Even though there're separate SHA224_[Update|Final], we call + * SHA256 functions even in SHA224 context. This is what happens + * there anyway, so we can spare few CPU cycles:-) + */ return SHA256_Update(ctx->md_data, data, count); } static int -final256(EVP_MD_CTX *ctx, unsigned char *md) +sha224_final(EVP_MD_CTX *ctx, unsigned char *md) { - return SHA256_Final(md, ctx->md_data); + return SHA224_Final(md, ctx->md_data); } static const EVP_MD sha224_md = { @@ -145,9 +141,9 @@ static const EVP_MD sha224_md = { .pkey_type = NID_sha224WithRSAEncryption, .md_size = SHA224_DIGEST_LENGTH, .flags = EVP_MD_FLAG_DIGALGID_ABSENT, - .init = init224, - .update = update256, - .final = final256, + .init = sha224_init, + .update = sha224_update, + .final = sha224_final, .copy = NULL, .cleanup = NULL, .block_size = SHA256_CBLOCK, 
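Review bot: The comment moved into sha224_update() is now partly stale: it still says SHA256 functions are called even in SHA224 context and names `SHA224_[Update|Final]`, but the same hunk changes sha224_final() to call SHA224_Final(), so only the Update half remains true. Rewording it to `/* SHA224_Update() is SHA256_Update() underneath, so call the latter directly and spare a few cycles. */` keeps the rationale accurate. The sha384 hunk on the next line has the same problem: sha384_update() keeps `/* See comment in SHA224/256 section */` while sha384_final() now calls SHA384_Final().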
@@ -157,7 +153,25 @@ static const EVP_MD sha224_md = { const EVP_MD * EVP_sha224(void) { - return (&sha224_md); + return &sha224_md; +} + +static int +sha256_init(EVP_MD_CTX *ctx) +{ + return SHA256_Init(ctx->md_data); +} + +static int +sha256_update(EVP_MD_CTX *ctx, const void *data, size_t count) +{ + return SHA256_Update(ctx->md_data, data, count); +} + +static int +sha256_final(EVP_MD_CTX *ctx, unsigned char *md) +{ + return SHA256_Final(md, ctx->md_data); } static const EVP_MD sha256_md = { @@ -165,9 +179,9 @@ static const EVP_MD sha256_md = { .pkey_type = NID_sha256WithRSAEncryption, .md_size = SHA256_DIGEST_LENGTH, .flags = EVP_MD_FLAG_DIGALGID_ABSENT, - .init = init256, - .update = update256, - .final = final256, + .init = sha256_init, + .update = sha256_update, + .final = sha256_final, .copy = NULL, .cleanup = NULL, .block_size = SHA256_CBLOCK, @@ -177,33 +191,28 @@ static const EVP_MD sha256_md = { const EVP_MD * EVP_sha256(void) { - return (&sha256_md); + return &sha256_md; } #endif /* ifndef OPENSSL_NO_SHA256 */ #ifndef OPENSSL_NO_SHA512 static int -init384(EVP_MD_CTX *ctx) +sha384_init(EVP_MD_CTX *ctx) { return SHA384_Init(ctx->md_data); } static int -init512(EVP_MD_CTX *ctx) -{ - return SHA512_Init(ctx->md_data); -} -/* See comment in SHA224/256 section */ -static int -update512(EVP_MD_CTX *ctx, const void *data, size_t count) +sha384_update(EVP_MD_CTX *ctx, const void *data, size_t count) { + /* See comment in SHA224/256 section */ return SHA512_Update(ctx->md_data, data, count); } static int -final512(EVP_MD_CTX *ctx, unsigned char *md) +sha384_final(EVP_MD_CTX *ctx, unsigned char *md) { - return SHA512_Final(md, ctx->md_data); + return SHA384_Final(md, ctx->md_data); } static const EVP_MD sha384_md = { 
@@ -211,9 +220,9 @@ static const EVP_MD sha384_md = { .pkey_type = NID_sha384WithRSAEncryption, .md_size = SHA384_DIGEST_LENGTH, .flags = EVP_MD_FLAG_DIGALGID_ABSENT, - .init = init384, - .update = update512, - .final = final512, + .init = sha384_init, + .update = sha384_update, + .final = sha384_final, .copy = NULL, .cleanup = NULL, .block_size = SHA512_CBLOCK, @@ -223,7 +232,25 @@ static const EVP_MD sha384_md = { const EVP_MD * EVP_sha384(void) { - return (&sha384_md); + return &sha384_md; +} + +static int +sha512_init(EVP_MD_CTX *ctx) +{ + return SHA512_Init(ctx->md_data); +} + +static int +sha512_update(EVP_MD_CTX *ctx, const void *data, size_t count) +{ + return SHA512_Update(ctx->md_data, data, count); +} + +static int +sha512_final(EVP_MD_CTX *ctx, unsigned char *md) +{ + return SHA512_Final(md, ctx->md_data); } static const EVP_MD sha512_md = { @@ -231,9 +258,9 @@ static const EVP_MD sha512_md = { .pkey_type = NID_sha512WithRSAEncryption, .md_size = SHA512_DIGEST_LENGTH, .flags = EVP_MD_FLAG_DIGALGID_ABSENT, - .init = init512, - .update = update512, - .final = final512, + .init = sha512_init, + .update = sha512_update, + .final = sha512_final, .copy = NULL, .cleanup = NULL, .block_size = SHA512_CBLOCK, 
@@ -243,6 +270,82 @@ static const EVP_MD sha512_md = { const EVP_MD * EVP_sha512(void) { - return (&sha512_md); + return &sha512_md; +} + +static int +sha512_224_init(EVP_MD_CTX *ctx) +{ + return SHA512_224_Init(ctx->md_data); +} + +static int +sha512_224_update(EVP_MD_CTX *ctx, const void *data, size_t count) +{ + return SHA512_224_Update(ctx->md_data, data, count); +} + +static int +sha512_224_final(EVP_MD_CTX *ctx, unsigned char *md) +{ + return SHA512_224_Final(md, ctx->md_data); +} + +static const EVP_MD sha512_224_md = { + .type = NID_sha512_224, + .pkey_type = NID_sha512_224WithRSAEncryption, + .md_size = SHA512_224_DIGEST_LENGTH, + .flags = EVP_MD_FLAG_DIGALGID_ABSENT, + .init = sha512_224_init, + .update = sha512_224_update, + .final = sha512_224_final, + .copy = NULL, + .cleanup = NULL, + .block_size = SHA512_CBLOCK, + .ctx_size = sizeof(EVP_MD *) + sizeof(SHA512_CTX), +}; + +const EVP_MD * +EVP_sha512_224(void) +{ + return &sha512_224_md; +} + +static int +sha512_256_init(EVP_MD_CTX *ctx) +{ + return SHA512_256_Init(ctx->md_data); +} + +static int +sha512_256_update(EVP_MD_CTX *ctx, const void *data, size_t count) +{ + return SHA512_256_Update(ctx->md_data, data, count); +} + +static int +sha512_256_final(EVP_MD_CTX *ctx, unsigned char *md) +{ + return SHA512_256_Final(md, ctx->md_data); +} + +static const EVP_MD sha512_256_md = { + .type = NID_sha512_256, + .pkey_type = NID_sha512_256WithRSAEncryption, + .md_size = SHA512_256_DIGEST_LENGTH, + .flags = EVP_MD_FLAG_DIGALGID_ABSENT, + .init = sha512_256_init, + .update = sha512_256_update, + .final = sha512_256_final, + .copy = NULL, + .cleanup = NULL, + .block_size = SHA512_CBLOCK, + .ctx_size = sizeof(EVP_MD *) + sizeof(SHA512_CTX), +}; + +const EVP_MD * +EVP_sha512_256(void) +{ + return &sha512_256_md; } #endif /* ifndef OPENSSL_NO_SHA512 */ diff --git a/crypto/evp/m_sha3.c b/crypto/evp/m_sha3.c new file mode 100644 index 0000000..9944ec9 --- /dev/null +++ b/crypto/evp/m_sha3.c 
@@ -0,0 +1,173 @@
+/* $OpenBSD: m_sha3.c,v 1.1 2023/04/16 17:06:19 jsing Exp $ */
+/*
+ * Copyright (c) 2023 Joel Sing
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+
+#include "evp_local.h"
+#include "sha3_internal.h"
+
+static int
+sha3_224_init(EVP_MD_CTX *ctx)
+{
+ return sha3_init(ctx->md_data, SHA3_224_DIGEST_LENGTH);
+}
+
+static int
+sha3_224_update(EVP_MD_CTX *ctx, const void *data, size_t count)
+{
+ return sha3_update(ctx->md_data, data, count);
+}
+
+static int
+sha3_224_final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+ return sha3_final(md, ctx->md_data);
+}
+
+static const EVP_MD sha3_224_md = {
+ .type = NID_sha3_224,
+ .pkey_type = NID_RSA_SHA3_224,
+ .md_size = SHA3_224_DIGEST_LENGTH,
+ .flags = EVP_MD_FLAG_DIGALGID_ABSENT,
+ .init = sha3_224_init,
+ .update = sha3_224_update,
+ .final = sha3_224_final,
+ .copy = NULL,
+ .cleanup = NULL,
+ .block_size = SHA3_224_BLOCK_SIZE,
+ .ctx_size = sizeof(EVP_MD *) + sizeof(sha3_ctx),
+};
+
+const EVP_MD *
+EVP_sha3_224(void)
+{
+ return &sha3_224_md;
+}
+
+static int
+sha3_256_init(EVP_MD_CTX *ctx)
+{
+ return sha3_init(ctx->md_data, SHA3_256_DIGEST_LENGTH);
+}
+
+static int
+sha3_256_update(EVP_MD_CTX *ctx, const void *data, size_t count)
+{
+ return sha3_update(ctx->md_data, data, count);
+}
+
+static int
+sha3_256_final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+ return sha3_final(md, ctx->md_data);
+}
+
+static const EVP_MD sha3_256_md = {
+ .type = NID_sha3_256,
+ .pkey_type = NID_RSA_SHA3_256,
+ .md_size = SHA3_256_DIGEST_LENGTH,
+ .flags = EVP_MD_FLAG_DIGALGID_ABSENT,
+ .init = sha3_256_init,
+ .update = sha3_256_update,
+ .final = sha3_256_final,
+ .copy = NULL,
+ .cleanup = NULL,
+ .block_size = SHA3_256_BLOCK_SIZE,
+ .ctx_size = sizeof(EVP_MD *) + sizeof(sha3_ctx),
+};
+
+const EVP_MD *
+EVP_sha3_256(void)
+{
+ return &sha3_256_md;
+}
+
+static int
+sha3_384_init(EVP_MD_CTX *ctx)
+{
+ return sha3_init(ctx->md_data, SHA3_384_DIGEST_LENGTH);
+}
+
+static int
+sha3_384_update(EVP_MD_CTX *ctx, const void *data, size_t count)
+{
+ return sha3_update(ctx->md_data, data, count);
+}
+
+static int
+sha3_384_final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+ return sha3_final(md, ctx->md_data);
+}
+
+static const EVP_MD sha3_384_md = {
+ .type = NID_sha3_384,
+ .pkey_type = NID_RSA_SHA3_384,
+ .md_size = SHA3_384_DIGEST_LENGTH,
+ .flags = EVP_MD_FLAG_DIGALGID_ABSENT,
+ .init = sha3_384_init,
+ .update = sha3_384_update,
+ .final = sha3_384_final,
+ .copy = NULL,
+ .cleanup = NULL,
+ .block_size = SHA3_384_BLOCK_SIZE,
+ .ctx_size = sizeof(EVP_MD *) + sizeof(sha3_ctx),
+};
+
+const EVP_MD *
+EVP_sha3_384(void)
+{
+ return &sha3_384_md;
+}
+
+static int
+sha3_512_init(EVP_MD_CTX *ctx)
+{
+ return sha3_init(ctx->md_data, SHA3_512_DIGEST_LENGTH);
+}
+
+static int
+sha3_512_update(EVP_MD_CTX *ctx, const void *data, size_t count)
+{
+ return sha3_update(ctx->md_data, data, count);
+}
+
+static int
+sha3_512_final(EVP_MD_CTX *ctx, unsigned char *md)
+{
+ return sha3_final(md, ctx->md_data);
+}
+
+static const EVP_MD sha3_512_md = {
+ .type = NID_sha3_512,
+ .pkey_type = NID_RSA_SHA3_512,
+ .md_size = SHA3_512_DIGEST_LENGTH,
+ .flags = EVP_MD_FLAG_DIGALGID_ABSENT,
+ .init = sha3_512_init,
+ .update = sha3_512_update,
+ .final = sha3_512_final,
+ .copy = NULL,
+ .cleanup = NULL,
+ 
.block_size = SHA3_512_BLOCK_SIZE, + .ctx_size = sizeof(EVP_MD *) + sizeof(sha3_ctx), +}; + +const EVP_MD * +EVP_sha3_512(void) +{ + return &sha3_512_md; +} diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index bd93746..49b1ce2 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c @@ -1,4 +1,4 @@ -/* $OpenBSD: m_sigver.c,v 1.9 2021/05/09 14:25:40 tb Exp $ */ +/* $OpenBSD: m_sigver.c,v 1.11 2022/11/26 16:08:52 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -63,7 +63,14 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" + +static int +update_oneshot_only(EVP_MD_CTX *ctx, const void *data, size_t datalen) +{ + EVPerror(EVP_R_ONLY_ONESHOT_SUPPORTED); + return 0; +} static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, @@ -93,6 +100,9 @@ do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ctx) <=0) return 0; ctx->pctx->operation = EVP_PKEY_OP_VERIFYCTX; + } else if (ctx->pctx->pmeth->digestverify != NULL) { + ctx->pctx->operation = EVP_PKEY_OP_VERIFY; + ctx->update = update_oneshot_only; } else if (EVP_PKEY_verify_init(ctx->pctx) <= 0) return 0; } else { @@ -100,6 +110,9 @@ do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, if (ctx->pctx->pmeth->signctx_init(ctx->pctx, ctx) <= 0) return 0; ctx->pctx->operation = EVP_PKEY_OP_SIGNCTX; + } else if (ctx->pctx->pmeth->digestsign != NULL) { + ctx->pctx->operation = EVP_PKEY_OP_SIGN; + ctx->update = update_oneshot_only; } else if (EVP_PKEY_sign_init(ctx->pctx) <= 0) return 0; } @@ -190,6 +203,10 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, const unsigned char *tbs, size_t tbslen) { + if (ctx->pctx->pmeth->digestsign != NULL) + return ctx->pctx->pmeth->digestsign(ctx, sigret, siglen, + tbs, tbslen); + if (sigret != NULL) { if (EVP_DigestSignUpdate(ctx, tbs, tbslen) <= 0) return 0; 
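Review bot: Nothing in the new m_sha3.c states the contract between the value passed to sha3_init() and the `.block_size` constants: each init passes a `SHA3_*_DIGEST_LENGTH` while the matching EVP_MD uses a separate `SHA3_*_BLOCK_SIZE`, and a reader of this file alone cannot tell that the two must describe the same variant. A one-line comment above sha3_224_init(), e.g. `/* sha3_init() takes the digest length in bytes; the block size in each EVP_MD below is expected to be that variant's sponge rate — see sha3_internal.h. */`, would make the pairing explicit (the definitions are outside this diff, so that expectation should be confirmed there). The `.ctx_size = sizeof(EVP_MD *) + sizeof(sha3_ctx)` expression copies the convention used by m_sha1.c earlier in this diff; if the leading `sizeof(EVP_MD *)` slack is intentional it deserves a short note once rather than being repeated silently in all four tables.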
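Review bot: The fast path added at the top of EVP_DigestSign() dereferences `ctx->pctx->pmeth->digestsign` before anything checks that `ctx->pctx` is set, so a context that never went through EVP_DigestSignInit() now crashes here rather than failing later in the update/final path; the EVP_DigestVerify() hunk on the next line has the same shape. If the rest of this file already assumes a non-NULL pctx (EVP_DigestSignFinal() is outside the hunk, so I cannot confirm that), a guard such as `if (ctx->pctx != NULL && ctx->pctx->pmeth->digestsign != NULL)` keeps the new path no less defensive than the old one. In do_sigver_init() the digestsign/digestverify branches set `operation` directly and skip EVP_PKEY_sign_init()/EVP_PKEY_verify_init(), so a method's sign_init/verify_init callback is never run for the one-shot path; that looks deliberate, but a comment saying so would stop someone "fixing" it later.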
@@ -229,6 +246,10 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, size_t siglen, const unsigned char *tbs, size_t tbslen) { + if (ctx->pctx->pmeth->digestverify != NULL) + return ctx->pctx->pmeth->digestverify(ctx, sigret, siglen, + tbs, tbslen); + if (EVP_DigestVerifyUpdate(ctx, tbs, tbslen) <= 0) return -1; diff --git a/crypto/evp/m_sm3.c b/crypto/evp/m_sm3.c index ae8b342..bf0ef52 100644 --- a/crypto/evp/m_sm3.c +++ b/crypto/evp/m_sm3.c @@ -1,4 +1,4 @@ -/* $OpenBSD: m_sm3.c,v 1.3 2022/01/14 08:38:06 tb Exp $ */ +/* $OpenBSD: m_sm3.c,v 1.4 2022/11/26 16:08:52 tb Exp $ */ /* * Copyright (c) 2018, Ribose Inc * @@ -25,7 +25,7 @@ #include #endif -#include "evp_locl.h" +#include "evp_local.h" static int sm3_init(EVP_MD_CTX *ctx) diff --git a/crypto/evp/m_streebog.c b/crypto/evp/m_streebog.c index 3f825e3..5a0dece 100644 --- a/crypto/evp/m_streebog.c +++ b/crypto/evp/m_streebog.c @@ -1,4 +1,4 @@ -/* $OpenBSD: m_streebog.c,v 1.4 2022/01/14 08:38:06 tb Exp $ */ +/* $OpenBSD: m_streebog.c,v 1.5 2022/11/26 16:08:52 tb Exp $ */ /* * Copyright (c) 2014 Dmitry Eremin-Solenikov * Copyright (c) 2005-2006 Cryptocom LTD @@ -57,7 +57,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" static int streebog_init256(EVP_MD_CTX *ctx) diff --git a/crypto/evp/m_wp.c b/crypto/evp/m_wp.c index 07ae7ca..2e0b46d 100644 --- a/crypto/evp/m_wp.c +++ b/crypto/evp/m_wp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: m_wp.c,v 1.10 2022/01/14 08:38:06 tb Exp $ */ +/* $OpenBSD: m_wp.c,v 1.11 2022/11/26 16:08:52 tb Exp $ */ #include @@ -11,7 +11,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" static int init(EVP_MD_CTX *ctx) diff --git a/crypto/evp/names.c b/crypto/evp/names.c index 02529ee..a27a187 100644 --- a/crypto/evp/names.c +++ b/crypto/evp/names.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: names.c,v 1.15 2021/12/12 21:30:13 tb Exp $ */ +/* $OpenBSD: names.c,v 1.16 2022/11/26 16:08:52 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,7 +62,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" int EVP_add_cipher(const EVP_CIPHER *c) diff --git a/crypto/evp/p5_crpt.c b/crypto/evp/p5_crpt.c index b9482e0..e85a60f 100644 --- a/crypto/evp/p5_crpt.c +++ b/crypto/evp/p5_crpt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p5_crpt.c,v 1.20 2021/12/12 21:30:13 tb Exp $ */ +/* $OpenBSD: p5_crpt.c,v 1.21 2022/11/26 16:08:52 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -64,7 +64,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" /* Doesn't do anything now: Builtin PBE algorithms in static table. */ diff --git a/crypto/evp/p5_crpt2.c b/crypto/evp/p5_crpt2.c index f3585ff..6c0cf52 100644 --- a/crypto/evp/p5_crpt2.c +++ b/crypto/evp/p5_crpt2.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p5_crpt2.c,v 1.24 2021/12/12 21:27:37 tb Exp $ */ +/* $OpenBSD: p5_crpt2.c,v 1.25 2022/11/26 16:08:52 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -69,7 +69,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" #include "hmac_local.h" /* This is an implementation of PKCS#5 v2.0 password based encryption key diff --git a/crypto/evp/p_dec.c b/crypto/evp/p_dec.c index c19cc65..33dd301 100644 --- a/crypto/evp/p_dec.c +++ b/crypto/evp/p_dec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p_dec.c,v 1.12 2021/12/12 21:30:13 tb Exp $ */ +/* $OpenBSD: p_dec.c,v 1.13 2022/11/26 16:08:52 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -69,7 +69,7 @@ #include #endif -#include "evp_locl.h" +#include "evp_local.h" int EVP_PKEY_decrypt_old(unsigned char *key, const unsigned char *ek, int ekl, 
diff --git a/crypto/evp/p_enc.c b/crypto/evp/p_enc.c index 5553429..4685f55 100644 --- a/crypto/evp/p_enc.c +++ b/crypto/evp/p_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p_enc.c,v 1.12 2021/12/12 21:30:13 tb Exp $ */ +/* $OpenBSD: p_enc.c,v 1.13 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -69,7 +69,7 @@ #include #endif -#include "evp_locl.h" +#include "evp_local.h" int EVP_PKEY_encrypt_old(unsigned char *ek, const unsigned char *key, int key_len, diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index cdd38e4..e176012 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p_lib.c,v 1.28 2022/01/20 11:06:24 inoguchi Exp $ */ +/* $OpenBSD: p_lib.c,v 1.32 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -81,8 +81,8 @@ #include #endif -#include "asn1_locl.h" -#include "evp_locl.h" +#include "asn1_local.h" +#include "evp_local.h" static void EVP_PKEY_free_it(EVP_PKEY *x); @@ -94,6 +94,17 @@ EVP_PKEY_bits(const EVP_PKEY *pkey) return 0; } +int +EVP_PKEY_security_bits(const EVP_PKEY *pkey) +{ + if (pkey == NULL) + return 0; + if (pkey->ameth == NULL || pkey->ameth->pkey_security_bits == NULL) + return -2; + + return pkey->ameth->pkey_security_bits(pkey); +} + int EVP_PKEY_size(const EVP_PKEY *pkey) { 
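Review bot: EVP_PKEY_security_bits() returns 0 for a NULL key but -2 when the key type has no pkey_security_bits callback, and nothing documents the distinction, so a caller testing `<= 0` silently merges "no key" with "unsupported". A comment above the function such as `/* Returns the security strength in bits; 0 if pkey is NULL, -2 if the key type does not implement the query. */` would pin the contract. Whether the per-type callbacks can themselves return negative values is not visible from this hunk.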
@@ -267,6 +278,96 @@ EVP_PKEY_set_type(EVP_PKEY *pkey, int type) return pkey_set_type(pkey, NULL, type, NULL, -1); } +EVP_PKEY * +EVP_PKEY_new_raw_private_key(int type, ENGINE *engine, + const unsigned char *private_key, size_t len) +{ + EVP_PKEY *ret; + + if ((ret = EVP_PKEY_new()) == NULL) + goto err; + + if (!pkey_set_type(ret, engine, type, NULL, -1)) + goto err; + + if (ret->ameth->set_priv_key == NULL) { + EVPerror(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + goto err; + } + if (!ret->ameth->set_priv_key(ret, private_key, len)) { + EVPerror(EVP_R_KEY_SETUP_FAILED); + goto err; + } + + return ret; + + err: + EVP_PKEY_free(ret); + + return NULL; +} + +EVP_PKEY * +EVP_PKEY_new_raw_public_key(int type, ENGINE *engine, + const unsigned char *public_key, size_t len) +{ + EVP_PKEY *ret; + + if ((ret = EVP_PKEY_new()) == NULL) + goto err; + + if (!pkey_set_type(ret, engine, type, NULL, -1)) + goto err; + + if (ret->ameth->set_pub_key == NULL) { + EVPerror(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + goto err; + } + if (!ret->ameth->set_pub_key(ret, public_key, len)) { + EVPerror(EVP_R_KEY_SETUP_FAILED); + goto err; + } + + return ret; + + err: + EVP_PKEY_free(ret); + + return NULL; +} + +int +EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, + unsigned char *out_private_key, size_t *out_len) +{ + if (pkey->ameth->get_priv_key == NULL) { + EVPerror(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + return 0; + } + if (!pkey->ameth->get_priv_key(pkey, out_private_key, out_len)) { + EVPerror(EVP_R_GET_RAW_KEY_FAILED); + return 0; + } + + return 1; +} + +int +EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, + unsigned char *out_public_key, size_t *out_len) +{ + if (pkey->ameth->get_pub_key == NULL) { + EVPerror(EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); + return 0; + } + if (!pkey->ameth->get_pub_key(pkey, out_public_key, out_len)) { + EVPerror(EVP_R_GET_RAW_KEY_FAILED); + return 0; + } + + return 1; +} + EVP_PKEY * EVP_PKEY_new_CMAC_key(ENGINE *e, 
const unsigned char *priv, size_t len, const EVP_CIPHER *cipher) @@ -287,7 +388,7 @@ EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, size_t len, goto err; } - ret->pkey.ptr = (char *)cmctx; + ret->pkey.ptr = cmctx; return ret; @@ -570,4 +671,3 @@ EVP_PKEY_get_default_digest_nid(EVP_PKEY *pkey, int *pnid) return pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_DEFAULT_MD_NID, 0, pnid); } - diff --git a/crypto/evp/p_open.c b/crypto/evp/p_open.c index e4c59e6..bce900b 100644 --- a/crypto/evp/p_open.c +++ b/crypto/evp/p_open.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p_open.c,v 1.20 2021/12/12 21:30:13 tb Exp $ */ +/* $OpenBSD: p_open.c,v 1.21 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -69,7 +69,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, diff --git a/crypto/evp/p_sign.c b/crypto/evp/p_sign.c index 1e33cfb..1f78d1e 100644 --- a/crypto/evp/p_sign.c +++ b/crypto/evp/p_sign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p_sign.c,v 1.16 2022/01/14 08:38:06 tb Exp $ */ +/* $OpenBSD: p_sign.c,v 1.17 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,7 +63,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen, diff --git a/crypto/evp/p_verify.c b/crypto/evp/p_verify.c index d51d1b4..5457153 100644 --- a/crypto/evp/p_verify.c +++ b/crypto/evp/p_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p_verify.c,v 1.15 2022/01/14 08:38:06 tb Exp $ */ +/* $OpenBSD: p_verify.c,v 1.16 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,7 +63,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" int EVP_VerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sigbuf, 
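Review bot: EVP_PKEY_get_raw_private_key() and EVP_PKEY_get_raw_public_key() dereference `pkey->ameth` unconditionally, while EVP_PKEY_security_bits() added in the previous hunk of this same file checks `pkey->ameth == NULL` first, so an EVP_PKEY that was allocated but never had a type set would crash in the getters yet fail cleanly in the bits query. Widening each guard to `if (pkey->ameth == NULL || pkey->ameth->get_priv_key == NULL) {` (and the get_pub_key counterpart) makes the four new functions consistent; the two constructors are fine because pkey_set_type() precedes the ameth access. Whether a NULL ameth is actually reachable depends on EVP_PKEY_new() and pkey_set_type(), both outside the hunk.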
diff --git a/crypto/evp/pmeth_fn.c b/crypto/evp/pmeth_fn.c index c9117ee..cab1dfa 100644 --- a/crypto/evp/pmeth_fn.c +++ b/crypto/evp/pmeth_fn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pmeth_fn.c,v 1.6 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: pmeth_fn.c,v 1.7 2022/11/26 16:08:53 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -63,7 +63,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" #define M_check_autoarg(ctx, arg, arglen, err) \ if (ctx->pmeth->flags & EVP_PKEY_FLAG_AUTOARGLEN) \ diff --git a/crypto/evp/pmeth_gn.c b/crypto/evp/pmeth_gn.c index 7d921d2..d31bb7c 100644 --- a/crypto/evp/pmeth_gn.c +++ b/crypto/evp/pmeth_gn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pmeth_gn.c,v 1.10 2022/01/10 12:10:26 tb Exp $ */ +/* $OpenBSD: pmeth_gn.c,v 1.11 2022/11/26 16:08:53 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -64,9 +64,9 @@ #include #include -#include "asn1_locl.h" -#include "bn_lcl.h" -#include "evp_locl.h" +#include "asn1_local.h" +#include "bn_local.h" +#include "evp_local.h" int EVP_PKEY_paramgen_init(EVP_PKEY_CTX *ctx) diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index d265e2a..bec899c 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pmeth_lib.c,v 1.20 2022/01/10 12:10:26 tb Exp $ */ +/* $OpenBSD: pmeth_lib.c,v 1.27 2022/12/26 07:18:52 jmc Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -56,6 +56,7 @@ * */ +#include #include #include #include 
@@ -65,92 +66,88 @@ #include #include #include +#include #ifndef OPENSSL_NO_ENGINE #include #endif -#include "asn1_locl.h" -#include "evp_locl.h" - -typedef int sk_cmp_fn_type(const char * const *a, const char * const *b); +#include "asn1_local.h" +#include "evp_local.h" DECLARE_STACK_OF(EVP_PKEY_METHOD) -STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL; +STACK_OF(EVP_PKEY_METHOD) *pkey_app_methods = NULL; -extern const EVP_PKEY_METHOD rsa_pkey_meth, rsa_pss_pkey_meth; -extern const EVP_PKEY_METHOD dh_pkey_meth, dsa_pkey_meth; -extern const EVP_PKEY_METHOD ec_pkey_meth, hmac_pkey_meth, cmac_pkey_meth; -extern const EVP_PKEY_METHOD gostimit_pkey_meth, gostr01_pkey_meth; +extern const EVP_PKEY_METHOD cmac_pkey_meth; +extern const EVP_PKEY_METHOD dh_pkey_meth; +extern const EVP_PKEY_METHOD dsa_pkey_meth; +extern const EVP_PKEY_METHOD ec_pkey_meth; +extern const EVP_PKEY_METHOD ed25519_pkey_meth; +extern const EVP_PKEY_METHOD gostimit_pkey_meth; +extern const EVP_PKEY_METHOD gostr01_pkey_meth; +extern const EVP_PKEY_METHOD hkdf_pkey_meth; +extern const EVP_PKEY_METHOD hmac_pkey_meth; +extern const EVP_PKEY_METHOD rsa_pkey_meth; +extern const EVP_PKEY_METHOD rsa_pss_pkey_meth; +extern const EVP_PKEY_METHOD x25519_pkey_meth; -static const EVP_PKEY_METHOD *standard_methods[] = { -#ifndef OPENSSL_NO_RSA - &rsa_pkey_meth, -#endif -#ifndef OPENSSL_NO_DH - &dh_pkey_meth, -#endif -#ifndef OPENSSL_NO_DSA - &dsa_pkey_meth, -#endif -#ifndef OPENSSL_NO_EC - &ec_pkey_meth, -#endif -#ifndef OPENSSL_NO_GOST - &gostr01_pkey_meth, - &gostimit_pkey_meth, -#endif - &hmac_pkey_meth, +static const EVP_PKEY_METHOD *pkey_methods[] = { &cmac_pkey_meth, -#ifndef OPENSSL_NO_RSA + &dh_pkey_meth, + &dsa_pkey_meth, + &ec_pkey_meth, + &ed25519_pkey_meth, + &gostimit_pkey_meth, + &gostr01_pkey_meth, + &hkdf_pkey_meth, + &hmac_pkey_meth, + &rsa_pkey_meth, &rsa_pss_pkey_meth, -#endif + &x25519_pkey_meth, }; -static int pmeth_cmp_BSEARCH_CMP_FN(const void *, const void *); -static int pmeth_cmp(const 
EVP_PKEY_METHOD * const *, const EVP_PKEY_METHOD * const *); -static const EVP_PKEY_METHOD * *OBJ_bsearch_pmeth(const EVP_PKEY_METHOD * *key, const EVP_PKEY_METHOD * const *base, int num); +static const size_t pkey_methods_count = + sizeof(pkey_methods) / sizeof(pkey_methods[0]); -static int -pmeth_cmp(const EVP_PKEY_METHOD * const *a, const EVP_PKEY_METHOD * const *b) +int +evp_pkey_meth_get_count(void) { - return ((*a)->pkey_id - (*b)->pkey_id); + int num = pkey_methods_count; + + if (pkey_app_methods != NULL) + num += sk_EVP_PKEY_METHOD_num(pkey_app_methods); + + return num; } - -static int -pmeth_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_) +const EVP_PKEY_METHOD * +evp_pkey_meth_get0(int idx) { - const EVP_PKEY_METHOD * const *a = a_; - const EVP_PKEY_METHOD * const *b = b_; - return pmeth_cmp(a, b); -} + int num = pkey_methods_count; -static const EVP_PKEY_METHOD * * -OBJ_bsearch_pmeth(const EVP_PKEY_METHOD * *key, const EVP_PKEY_METHOD * const *base, int num) -{ - return (const EVP_PKEY_METHOD * *)OBJ_bsearch_(key, base, num, sizeof(const EVP_PKEY_METHOD *), - pmeth_cmp_BSEARCH_CMP_FN); + if (idx < 0) + return NULL; + if (idx < num) + return pkey_methods[idx]; + + idx -= num; + + return sk_EVP_PKEY_METHOD_value(pkey_app_methods, idx); } const EVP_PKEY_METHOD * EVP_PKEY_meth_find(int type) { - EVP_PKEY_METHOD tmp; - const EVP_PKEY_METHOD *t = &tmp, **ret; + const EVP_PKEY_METHOD *pmeth; + int i; - tmp.pkey_id = type; - if (app_pkey_methods) { - int idx; - idx = sk_EVP_PKEY_METHOD_find(app_pkey_methods, &tmp); - if (idx >= 0) - return sk_EVP_PKEY_METHOD_value(app_pkey_methods, idx); + for (i = evp_pkey_meth_get_count() - 1; i >= 0; i--) { + pmeth = evp_pkey_meth_get0(i); + if (pmeth->pkey_id == type) + return pmeth; } - ret = OBJ_bsearch_pmeth(&t, standard_methods, - sizeof(standard_methods)/sizeof(EVP_PKEY_METHOD *)); - if (!ret || !*ret) - return NULL; - return *ret; + + return NULL; } static EVP_PKEY_CTX * 
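Review bot: EVP_PKEY_meth_find() walks from `evp_pkey_meth_get_count() - 1` down to 0 without saying why; since evp_pkey_meth_get0() places the application-registered stack after the built-in table, the reverse order makes an application method with a duplicate pkey_id shadow the built-in one, and that precedence deserves a comment such as `/* Walk backwards so application-added methods take precedence over the built-in table. */`. The rewrite also drops the `#ifndef OPENSSL_NO_RSA`/`OPENSSL_NO_DH`/`OPENSSL_NO_DSA`/`OPENSSL_NO_EC`/`OPENSSL_NO_GOST` guards around the table entries; if any of those macros can still be defined in this build, the now-unconditional references to the corresponding `*_pkey_meth` symbols will fail to link. With EVP_PKEY_meth_add0() no longer sorting the stack (next line), registering the same id twice now resolves to the most recently added method, which agrees with the reverse scan but is equally undocumented.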
@@ -176,7 +173,7 @@ int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) } else e = ENGINE_get_pkey_meth_engine(id); - /* If an ENGINE handled this method look it up. Othewise + /* If an ENGINE handled this method look it up. Otherwise * use internal tables. */ @@ -322,14 +319,15 @@ EVP_PKEY_CTX_dup(EVP_PKEY_CTX *pctx) int EVP_PKEY_meth_add0(const EVP_PKEY_METHOD *pmeth) { - if (app_pkey_methods == NULL) { - app_pkey_methods = sk_EVP_PKEY_METHOD_new(pmeth_cmp); - if (!app_pkey_methods) + if (pkey_app_methods == NULL) { + pkey_app_methods = sk_EVP_PKEY_METHOD_new(NULL); + if (pkey_app_methods == NULL) return 0; } - if (!sk_EVP_PKEY_METHOD_push(app_pkey_methods, pmeth)) + + if (!sk_EVP_PKEY_METHOD_push(pkey_app_methods, pmeth)) return 0; - sk_EVP_PKEY_METHOD_sort(app_pkey_methods); + return 1; } @@ -394,6 +392,38 @@ EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *name, const char *value) return ctx->pmeth->ctrl_str(ctx, name, value); } +int +EVP_PKEY_CTX_str2ctrl(EVP_PKEY_CTX *ctx, int cmd, const char *str) +{ + size_t len; + + if ((len = strlen(str)) > INT_MAX) + return -1; + + return ctx->pmeth->ctrl(ctx, cmd, len, (void *)str); +} + +int +EVP_PKEY_CTX_hex2ctrl(EVP_PKEY_CTX *ctx, int cmd, const char *hexstr) +{ + unsigned char *hex = NULL; + long length; + int ret = 0; + + if ((hex = string_to_hex(hexstr, &length)) == NULL) + goto err; + if (length < 0 || length > INT_MAX) { + ret = -1; + goto err; + } + + ret = ctx->pmeth->ctrl(ctx, cmd, length, hex); + + err: + free(hex); + return ret; +} + int EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md_name) { diff --git a/crypto/gost/gost2814789.c b/crypto/gost/gost2814789.c index 0841a03..1e0f17d 100644 --- a/crypto/gost/gost2814789.c +++ b/crypto/gost/gost2814789.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gost2814789.c,v 1.7 2021/11/09 18:40:21 bcook Exp $ */ +/* $OpenBSD: gost2814789.c,v 1.8 2022/11/26 16:08:53 tb Exp $ */ /* * Copyright (c) 2014 Dmitry Eremin-Solenikov * Copyright (c) 2005-2006 Cryptocom LTD 
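Review bot: EVP_PKEY_CTX_str2ctrl() calls `strlen(str)` without a NULL check, so a missing value reaching it crashes instead of returning an error; `if (str == NULL) return -1;` ahead of the strlen keeps it in line with the `-1` the function already returns for an over-long string. The return convention is mixed and undocumented: EVP_PKEY_CTX_hex2ctrl() yields 0 when string_to_hex() fails, -1 when the length is out of range, and otherwise whatever the method's ctrl returns, so a comment like `/* Returns the ctrl result, 0 on allocation/parse failure, -1 if the input is not representable as an int. */` above each helper would let callers tell these apart. The `(void *)str` cast discards const because ctrl takes `void *p2`; a comment noting that the method is expected not to modify the buffer would record that assumption.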
@@ -58,7 +58,7 @@
 #include
 #include
-#include "gost_locl.h"
+#include "gost_local.h"
 static inline unsigned int
 f(const GOST2814789_KEY *c, unsigned int x)
diff --git a/crypto/gost/gost89_keywrap.c b/crypto/gost/gost89_keywrap.c
index a754c4d..9bfc5b4 100644
--- a/crypto/gost/gost89_keywrap.c
+++ b/crypto/gost/gost89_keywrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gost89_keywrap.c,v 1.3 2014/11/09 19:28:44 miod Exp $ */
+/* $OpenBSD: gost89_keywrap.c,v 1.4 2022/11/26 16:08:53 tb Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -57,7 +57,7 @@
 #include
-#include "gost_locl.h"
+#include "gost_local.h"
 static void
 key_diversify_crypto_pro(GOST2814789_KEY *ctx, const unsigned char *inputKey,
diff --git a/crypto/gost/gost89_params.c b/crypto/gost/gost89_params.c
index 35d8f62..9c4a97e 100644
--- a/crypto/gost/gost89_params.c
+++ b/crypto/gost/gost89_params.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gost89_params.c,v 1.2 2014/11/09 23:06:52 miod Exp $ */
+/* $OpenBSD: gost89_params.c,v 1.3 2022/11/26 16:08:53 tb Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -57,7 +57,7 @@
 #include
 #include
-#include "gost_locl.h"
+#include "gost_local.h"
 /* Substitution blocks from test examples for GOST R 34.11-94*/
 static const gost_subst_block GostR3411_94_TestParamSet = {
diff --git a/crypto/gost/gost89imit_ameth.c b/crypto/gost/gost89imit_ameth.c
index 3fdfa3e..e300b52 100644
--- a/crypto/gost/gost89imit_ameth.c
+++ b/crypto/gost/gost89imit_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gost89imit_ameth.c,v 1.3 2021/12/12 21:30:14 tb Exp $ */
+/* $OpenBSD: gost89imit_ameth.c,v 1.4 2022/11/26 16:08:53 tb Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -54,8 +54,8 @@
 #ifndef OPENSSL_NO_GOST
 #include
-#include "asn1_locl.h"
-#include "evp_locl.h"
+#include "asn1_local.h"
+#include "evp_local.h"
 static void
 mackey_free_gost(EVP_PKEY *pk)
diff --git a/crypto/gost/gost89imit_pmeth.c b/crypto/gost/gost89imit_pmeth.c
index 1959b36..63b7ef5 100644
--- a/crypto/gost/gost89imit_pmeth.c
+++ b/crypto/gost/gost89imit_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gost89imit_pmeth.c,v 1.4 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: gost89imit_pmeth.c,v 1.5 2022/11/26 16:08:53 tb Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -59,8 +59,8 @@
 #include
 #include /* For string_to_hex */
-#include "evp_locl.h"
-#include "gost_locl.h"
+#include "evp_local.h"
+#include "gost_local.h"
 struct gost_mac_pmeth_data {
 EVP_MD *md;
diff --git a/crypto/gost/gost_asn1.c b/crypto/gost/gost_asn1.c
index 2652162..d83ded5 100644
--- a/crypto/gost/gost_asn1.c
+++ b/crypto/gost/gost_asn1.c
@@ -14,7 +14,7 @@
 #include
 #include
-#include "gost_locl.h"
+#include "gost_local.h"
 #include "gost_asn1.h"
 static const ASN1_TEMPLATE GOST_KEY_TRANSPORT_seq_tt[] = {
diff --git a/crypto/gost/gost_err.c b/crypto/gost/gost_err.c
index e7111dd..0c46dbc 100644
--- a/crypto/gost/gost_err.c
+++ b/crypto/gost/gost_err.c
@@ -53,16 +53,10 @@
 *
 */
-/* NOTE: this file was auto generated by the mkerr.pl script: any changes
- * made to it will be overwritten when the script next updates this file,
- * only reason strings will be preserved.
- */
-
 #include
 #include
 #include
-/* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_GOST,func,0)
diff --git a/crypto/gost/gost_locl.h b/crypto/gost/gost_local.h
similarity index 96%
rename from crypto/gost/gost_locl.h
rename to crypto/gost/gost_local.h
index b2e2c13..830f141 100644
--- a/crypto/gost/gost_locl.h
+++ b/crypto/gost/gost_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: gost_locl.h,v 1.4 2016/12/21 15:49:29 jsing Exp $ */
+/* $OpenBSD: gost_local.h,v 1.2 2022/11/26 17:23:18 tb Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -49,8 +49,8 @@
 * ====================================================================
 */
-#ifndef HEADER_GOST_LOCL_H
-#define HEADER_GOST_LOCL_H
+#ifndef HEADER_GOST_LOCAL_H
+#define HEADER_GOST_LOCAL_H
 #include
 #include
@@ -114,4 +114,4 @@ extern int GostR3410_512_param_id(const char *value);
 __END_HIDDEN_DECLS
-#endif
+#endif /* !HEADER_GOST_LOCAL_H */
diff --git a/crypto/gost/gostr341001.c b/crypto/gost/gostr341001.c
index a608256..79fddb1 100644
--- a/crypto/gost/gostr341001.c
+++ b/crypto/gost/gostr341001.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341001.c,v 1.9 2022/01/07 09:40:03 tb Exp $ */
+/* $OpenBSD: gostr341001.c,v 1.11 2022/12/01 02:58:31 jsing Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -58,9 +58,9 @@
 #include
 #include
-#include "bn_lcl.h"
-#include "ecs_locl.h"
-#include "gost_locl.h"
+#include "bn_local.h"
+#include "ecs_local.h"
+#include "gost_local.h"
 /* Convert little-endian byte array into bignum */
 BIGNUM *
@@ -178,8 +178,10 @@ gost2001_do_sign(BIGNUM *md, GOST_KEY *eckey)
 goto err;
 if (BN_mod_ct(e, md, order, ctx) == 0)
 goto err;
- if (BN_is_zero(e))
- BN_one(e);
+ if (BN_is_zero(e)) {
+ if (!BN_one(e))
+ goto err;
+ }
 if ((k = BN_CTX_get(ctx)) == NULL)
 goto err;
 if ((X = BN_CTX_get(ctx)) == NULL)
@@ -289,8 +291,10 @@ gost2001_do_verify(BIGNUM *md, ECDSA_SIG *sig, GOST_KEY *ec)
 if (BN_mod_ct(e, md, order, ctx) == 0)
 goto err;
- if (BN_is_zero(e))
- BN_one(e);
+ if (BN_is_zero(e)) {
+ if (!BN_one(e))
+ goto err;
+ }
 if ((v = BN_mod_inverse_ct(v, e, order, ctx)) == NULL)
 goto err;
 if (BN_mod_mul(z1, sig->s, v, order, ctx) == 0)
diff --git a/crypto/gost/gostr341001_ameth.c b/crypto/gost/gostr341001_ameth.c
index ce203a6..9ef7cdf 100644
--- a/crypto/gost/gostr341001_ameth.c
+++ b/crypto/gost/gostr341001_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341001_ameth.c,v 1.19 2021/12/26 15:38:49 tb Exp $ */
+/* $OpenBSD: gostr341001_ameth.c,v 1.20 2022/11/26 16:08:53 tb Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -62,9 +62,9 @@
 #include
-#include "asn1_locl.h"
-#include "evp_locl.h"
-#include "gost_locl.h"
+#include "asn1_local.h"
+#include "evp_local.h"
+#include "gost_local.h"
 #include "gost_asn1.h"
 static void
diff --git a/crypto/gost/gostr341001_key.c b/crypto/gost/gostr341001_key.c
index d5d885c..6269431 100644
--- a/crypto/gost/gostr341001_key.c
+++ b/crypto/gost/gostr341001_key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341001_key.c,v 1.9 2021/04/20 17:16:38 tb Exp $ */
+/* $OpenBSD: gostr341001_key.c,v 1.12 2023/03/07 09:27:10 jsing Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -58,7 +58,7 @@
 #include
 #include
 #include
-#include "gost_locl.h"
+#include "gost_local.h"
 struct gost_key_st {
 EC_GROUP *group;
@@ -103,7 +103,7 @@ GOST_KEY_free(GOST_KEY *r)
 EC_GROUP_free(r->group);
 EC_POINT_free(r->pub_key);
- BN_clear_free(r->priv_key);
+ BN_free(r->priv_key);
 freezero(r, sizeof(GOST_KEY));
 }
@@ -193,6 +193,8 @@ GOST_KEY_set_public_key_affine_coordinates(GOST_KEY *key, BIGNUM *x, BIGNUM *y)
 if (ctx == NULL)
 goto err;
+ BN_CTX_start(ctx);
+
 point = EC_POINT_new(key->group);
 if (point == NULL)
 goto err;
@@ -225,6 +227,7 @@ GOST_KEY_set_public_key_affine_coordinates(GOST_KEY *key, BIGNUM *x, BIGNUM *y)
 err:
 EC_POINT_free(point);
+ BN_CTX_end(ctx);
 BN_CTX_free(ctx);
 return ok;
@@ -253,7 +256,7 @@ GOST_KEY_get0_private_key(const GOST_KEY *key)
 int
 GOST_KEY_set_private_key(GOST_KEY *key, const BIGNUM *priv_key)
 {
- BN_clear_free(key->priv_key);
+ BN_free(key->priv_key);
 key->priv_key = BN_dup(priv_key);
 return (key->priv_key == NULL) ? 0 : 1;
 }
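Review bot: Swapping BN_clear_free() for BN_free() on `r->priv_key` in GOST_KEY_free() (and on `key->priv_key` in the GOST_KEY_set_private_key() hunk further down) is only safe if this tree's BN_free() already wipes the limbs before releasing them; the bn_lib change that makes that true is not part of this hunk, and without it the private scalar would be left behind in freed memory. A comment at the first site, e.g. `/* BN_free() clears the limbs; BN_clear_free() is no longer needed. */`, or a pointer to the bn_lib commit in the update, would make the dependency explicit for anyone backporting this file alone. The matching BN_free() swaps on `order` in GOST_KEY_get_size() need no such care since the group order is public.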
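Review bot: The new `BN_CTX_end(ctx);` under the err: label in GOST_KEY_set_public_key_affine_coordinates() is reached with ctx == NULL on the `if (ctx == NULL) goto err;` path, which jumps before BN_CTX_start() ever runs; that is fine only if BN_CTX_end() tolerates a NULL argument the way BN_CTX_free() is already relied on to, otherwise the allocation-failure path dereferences NULL. Either a comment noting that BN_CTX_end(NULL) is a no-op or a guarded `if (ctx != NULL) BN_CTX_end(ctx);` would remove the doubt. The function's body between the two hunks is outside view.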
@@ -307,12 +310,12 @@ GOST_KEY_get_size(const GOST_KEY *r)
 return 0;
 if (EC_GROUP_get_order(group, order, NULL) == 0) {
- BN_clear_free(order);
+ BN_free(order);
 return 0;
 }
 i = BN_num_bytes(order);
- BN_clear_free(order);
+ BN_free(order);
 return (i);
 }
 #endif
diff --git a/crypto/gost/gostr341001_params.c b/crypto/gost/gostr341001_params.c
index 282a210..ca8a27d 100644
--- a/crypto/gost/gostr341001_params.c
+++ b/crypto/gost/gostr341001_params.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341001_params.c,v 1.4 2020/06/05 17:12:09 jsing Exp $ */
+/* $OpenBSD: gostr341001_params.c,v 1.5 2022/11/26 16:08:53 tb Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -57,7 +57,7 @@
 #include
 #include
-#include "gost_locl.h"
+#include "gost_local.h"
 int
 GostR3410_get_md_digest(int nid)
diff --git a/crypto/gost/gostr341001_pmeth.c b/crypto/gost/gostr341001_pmeth.c
index ae39b05..38f94ec 100644
--- a/crypto/gost/gostr341001_pmeth.c
+++ b/crypto/gost/gostr341001_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341001_pmeth.c,v 1.16 2022/03/30 07:17:48 tb Exp $ */
+/* $OpenBSD: gostr341001_pmeth.c,v 1.17 2022/11/26 16:08:53 tb Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -62,9 +62,9 @@
 #include
 #include
-#include "ecs_locl.h"
-#include "evp_locl.h"
-#include "gost_locl.h"
+#include "ecs_local.h"
+#include "evp_local.h"
+#include "gost_local.h"
 #include "gost_asn1.h"
 static ECDSA_SIG *
diff --git a/crypto/gost/gostr341194.c b/crypto/gost/gostr341194.c
index 2a46218..6305830 100644
--- a/crypto/gost/gostr341194.c
+++ b/crypto/gost/gostr341194.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gostr341194.c,v 1.5 2015/09/10 15:56:25 jsing Exp $ */
+/* $OpenBSD: gostr341194.c,v 1.6 2022/11/26 16:08:53 tb Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -58,7 +58,7 @@
 #include
 #include
-#include "gost_locl.h"
+#include "gost_local.h"
 /* Following functions are various bit meshing routines used in
 * GOST R 34.11-94 algorithms */
diff --git a/crypto/gost/streebog.c b/crypto/gost/streebog.c
index b237a2c..2785fca 100644
--- a/crypto/gost/streebog.c
+++ b/crypto/gost/streebog.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: streebog.c,v 1.7 2021/11/09 18:40:21 bcook Exp $ */
+/* $OpenBSD: streebog.c,v 1.8 2022/11/26 16:08:53 tb Exp $ */
 /*
 * Copyright (c) 2014 Dmitry Eremin-Solenikov
 * Copyright (c) 2005-2006 Cryptocom LTD
@@ -60,7 +60,7 @@
 #include
 #include
-#include "gost_locl.h"
+#include "gost_local.h"
 static const STREEBOG_LONG64 A_PI_table[8][256] = {
 { /* 0 */
diff --git a/crypto/hidden/crypto_namespace.h b/crypto/hidden/crypto_namespace.h
new file mode 100644
index 0000000..85e62ba
--- /dev/null
+++ b/crypto/hidden/crypto_namespace.h
@@ -0,0 +1,51 @@
+/* $OpenBSD: crypto_namespace.h,v 1.2 2023/02/16 08:38:17 tb Exp $ */
+/*
+ * Copyright (c) 2016 Philip Guenther
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _LIBCRYPTO_CRYPTO_NAMESPACE_H_
+#define _LIBCRYPTO_CRYPTO_NAMESPACE_H_
+
+/*
+ * If marked as 'used', then internal calls use the name with prefix "_lcry_"
+ * and we alias that to the normal name *and* the name with prefix "_libre_";
+ * external calls use the latter name.
+ */
+
+#ifdef _MSC_VER
+# define LCRYPTO_UNUSED(x)
+# define LCRYPTO_USED(x)
+# define LCRYPTO_ALIAS1(pre, x)
+# define LCRYPTO_ALIAS(x)
+#else
+#ifdef LIBRESSL_NAMESPACE
+# define LCRYPTO_UNUSED(x) typeof(x) x __attribute__((deprecated))
+#ifdef LIBRESSL_CRYPTO_NAMESPACE
+# define LCRYPTO_USED(x) __attribute__((visibility("hidden"))) \
+ typeof(x) x asm("_lcry_"#x)
+# define LCRYPTO_ALIAS1(pre,x) asm(".global "#pre#x"; "#pre#x" = _lcry_"#x)
+# define LCRYPTO_ALIAS(x) LCRYPTO_ALIAS1(,x); LCRYPTO_ALIAS1(_libre_,x)
+#else
+# define LCRYPTO_USED(x) typeof(x) x asm("_libre_"#x)
+#endif
+#else
+# define LCRYPTO_UNUSED(x)
+# define LCRYPTO_USED(x)
+# define LCRYPTO_ALIAS1(pre,x)
+# define LCRYPTO_ALIAS(x) asm("")
+#endif
+#endif /* _MSC_VER */
+
+#endif /* _LIBCRYPTO_CRYPTO_NAMESPACE_H_ */
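Review bot: The LIBRESSL_NAMESPACE branch without LIBRESSL_CRYPTO_NAMESPACE defines only LCRYPTO_UNUSED and LCRYPTO_USED and leaves LCRYPTO_ALIAS1/LCRYPTO_ALIAS undefined, while the _MSC_VER branch defines LCRYPTO_ALIAS(x) as empty (so `LCRYPTO_ALIAS(foo);` expands to a bare `;` at file scope) where the non-namespace branch deliberately uses `asm("")`. Both presumably are intended — the middle branch looks aimed at consumers such as libssl that only declare these symbols and never define them, and MSVC has no asm labels — but the header comment explains only the 'used' case, so a comment such as `/* Consumers of libcrypto need only the _libre_ declarations; LCRYPTO_ALIAS is for libcrypto's own definitions. */` above the inner #else, and a matching one in the MSVC stub, would stop a later reader from "completing" either branch. It would also help to note that the deprecated attribute on LCRYPTO_UNUSED is what turns an accidental internal call to a symbol not on the used list into a compile-time warning, since that is the main check this scheme provides.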
diff --git a/crypto/hidden/openssl/hmac.h b/crypto/hidden/openssl/hmac.h
new file mode 100644
index 0000000..c387d1d
--- /dev/null
+++ b/crypto/hidden/openssl/hmac.h
@@ -0,0 +1,40 @@
+/* $OpenBSD: hmac.h,v 1.1 2022/11/11 11:25:18 beck Exp $ */
+/*
+ * Copyright (c) 2016 Philip Guenther
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _LIBCRYPTO_HMAC_H_
+#define _LIBCRYPTO_HMAC_H_
+
+#ifdef _MSC_VER
+#include <../include/openssl/hmac.h>
+#else
+#include_next
+#endif
+#include "crypto_namespace.h"
+
+LCRYPTO_USED(HMAC_CTX_new);
+LCRYPTO_USED(HMAC_CTX_free);
+LCRYPTO_UNUSED(HMAC_CTX_reset);
+LCRYPTO_UNUSED(HMAC_Init);
+LCRYPTO_USED(HMAC_Init_ex);
+LCRYPTO_USED(HMAC_Update);
+LCRYPTO_USED(HMAC_Final);
+LCRYPTO_USED(HMAC);
+LCRYPTO_USED(HMAC_CTX_copy);
+LCRYPTO_USED(HMAC_CTX_set_flags);
+LCRYPTO_USED(HMAC_CTX_get_md);
+
+#endif /* _LIBCRYPTO_HMAC_H_ */
diff --git a/crypto/hidden/openssl/pkcs12.h b/crypto/hidden/openssl/pkcs12.h
new file mode 100644
index 0000000..9407843
--- /dev/null
+++ b/crypto/hidden/openssl/pkcs12.h
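Review bot: HMAC_CTX_reset and HMAC_Init are the only entries declared with LCRYPTO_UNUSED, which under LIBRESSL_NAMESPACE marks them deprecated for internal callers, yet nothing in the header says why they differ from the rest; a comment such as `/* UNUSED: public API not called from inside libcrypto; an internal call will warn. */` would help whoever adds the next symbol. The `#include <../include/openssl/hmac.h>` in the _MSC_VER branch resolves relative to whichever -I directory is searched first, so it silently depends on the build placing a sibling of include/ on the path; a comment naming the directory it is meant to resolve against would make that assumption visible. The same two points apply to the pkcs12.h, pkcs7.h, stack.h, ui.h and x509.h hidden headers that follow.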
@@ -0,0 +1,106 @@
+/* $OpenBSD: pkcs12.h,v 1.1 2022/11/12 13:03:28 beck Exp $ */
+/*
+ * Copyright (c) 2022 Bob Beck
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _LIBCRYPTO_PKCS12_H
+#define _LIBCRYPTO_PKCS12_H
+
+#ifdef _MSC_VER
+#include <../include/openssl/pkcs12.h>
+#else
+#include_next
+#endif
+#include "crypto_namespace.h"
+
+LCRYPTO_USED(PKCS12_SAFEBAG_get0_attr);
+LCRYPTO_USED(PKCS12_SAFEBAG_get0_attrs);
+LCRYPTO_USED(PKCS12_SAFEBAG_get_nid);
+LCRYPTO_USED(PKCS12_SAFEBAG_get_bag_nid);
+LCRYPTO_USED(PKCS12_SAFEBAG_get1_cert);
+LCRYPTO_USED(PKCS12_SAFEBAG_get1_crl);
+LCRYPTO_USED(PKCS8_get_attr);
+LCRYPTO_USED(PKCS12_mac_present);
+LCRYPTO_USED(PKCS12_get0_mac);
+LCRYPTO_USED(PKCS12_SAFEBAG_create_cert);
+LCRYPTO_USED(PKCS12_SAFEBAG_create_crl);
+LCRYPTO_USED(PKCS12_SAFEBAG_create0_p8inf);
+LCRYPTO_USED(PKCS12_SAFEBAG_create0_pkcs8);
+LCRYPTO_USED(PKCS12_SAFEBAG_create_pkcs8_encrypt);
+LCRYPTO_USED(PKCS12_SAFEBAG_get0_p8inf);
+LCRYPTO_USED(PKCS12_SAFEBAG_get0_pkcs8);
+LCRYPTO_USED(PKCS12_SAFEBAG_get0_safes);
+LCRYPTO_USED(PKCS12_SAFEBAG_get0_type);
+LCRYPTO_USED(PKCS12_item_pack_safebag);
+LCRYPTO_USED(PKCS8_decrypt);
+LCRYPTO_USED(PKCS12_decrypt_skey);
+LCRYPTO_USED(PKCS8_encrypt);
+LCRYPTO_USED(PKCS12_pack_p7data);
+LCRYPTO_USED(PKCS12_unpack_p7data);
+LCRYPTO_USED(PKCS12_pack_p7encdata);
+LCRYPTO_USED(PKCS12_unpack_p7encdata);
+LCRYPTO_USED(PKCS12_pack_authsafes);
+LCRYPTO_USED(PKCS12_unpack_authsafes);
+LCRYPTO_USED(PKCS12_add_localkeyid);
+LCRYPTO_USED(PKCS12_add_friendlyname_asc);
+LCRYPTO_USED(PKCS12_add_CSPName_asc);
+LCRYPTO_USED(PKCS12_add_friendlyname_uni);
+LCRYPTO_USED(PKCS8_add_keyusage);
+LCRYPTO_USED(PKCS12_get_attr_gen);
+LCRYPTO_USED(PKCS12_get_friendlyname);
+LCRYPTO_USED(PKCS12_pbe_crypt);
+LCRYPTO_USED(PKCS12_item_decrypt_d2i);
+LCRYPTO_USED(PKCS12_item_i2d_encrypt);
+LCRYPTO_USED(PKCS12_init);
+LCRYPTO_USED(PKCS12_key_gen_asc);
+LCRYPTO_USED(PKCS12_key_gen_uni);
+LCRYPTO_USED(PKCS12_PBE_keyivgen);
+LCRYPTO_USED(PKCS12_gen_mac);
+LCRYPTO_USED(PKCS12_verify_mac);
+LCRYPTO_USED(PKCS12_set_mac);
+LCRYPTO_USED(PKCS12_setup_mac);
+LCRYPTO_USED(OPENSSL_asc2uni);
+LCRYPTO_USED(OPENSSL_uni2asc);
+LCRYPTO_USED(PKCS12_new);
+LCRYPTO_USED(PKCS12_free);
+LCRYPTO_USED(d2i_PKCS12);
+LCRYPTO_USED(i2d_PKCS12);
+LCRYPTO_USED(PKCS12_MAC_DATA_new);
+LCRYPTO_USED(PKCS12_MAC_DATA_free);
+LCRYPTO_USED(d2i_PKCS12_MAC_DATA);
+LCRYPTO_USED(i2d_PKCS12_MAC_DATA);
+LCRYPTO_USED(PKCS12_SAFEBAG_new);
+LCRYPTO_USED(PKCS12_SAFEBAG_free);
+LCRYPTO_USED(d2i_PKCS12_SAFEBAG);
+LCRYPTO_USED(i2d_PKCS12_SAFEBAG);
+LCRYPTO_USED(PKCS12_BAGS_new);
+LCRYPTO_USED(PKCS12_BAGS_free);
+LCRYPTO_USED(d2i_PKCS12_BAGS);
+LCRYPTO_USED(i2d_PKCS12_BAGS);
+LCRYPTO_USED(PKCS12_PBE_add);
+LCRYPTO_USED(PKCS12_parse);
+LCRYPTO_USED(PKCS12_create);
+LCRYPTO_USED(PKCS12_add_cert);
+LCRYPTO_USED(PKCS12_add_key);
+LCRYPTO_USED(PKCS12_add_safe);
+LCRYPTO_USED(PKCS12_add_safes);
+LCRYPTO_USED(i2d_PKCS12_bio);
+LCRYPTO_USED(i2d_PKCS12_fp);
+LCRYPTO_USED(d2i_PKCS12_bio);
+LCRYPTO_USED(d2i_PKCS12_fp);
+LCRYPTO_USED(PKCS12_newpass);
+LCRYPTO_USED(ERR_load_PKCS12_strings);
+
+#endif /* _LIBCRYPTO_PKCS12_H */
diff --git a/crypto/hidden/openssl/pkcs7.h b/crypto/hidden/openssl/pkcs7.h
new file mode 100644
index 0000000..de9f85a
--- /dev/null
+++ b/crypto/hidden/openssl/pkcs7.h 
@@ -0,0 +1,129 @@
+/* $OpenBSD: pkcs7.h,v 1.2 2023/04/25 18:13:25 tb Exp $ */
+/*
+ * Copyright (c) 2022 Bob Beck
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _LIBCRYPTO_PKCS7_H
+#define _LIBCRYPTO_PKCS7_H
+
+#ifdef _MSC_VER
+#include <../include/openssl/pkcs7.h>
+#else
+#include_next
+#endif
+#include "crypto_namespace.h"
+
+LCRYPTO_USED(PKCS7_ISSUER_AND_SERIAL_new);
+LCRYPTO_USED(PKCS7_ISSUER_AND_SERIAL_free);
+LCRYPTO_USED(d2i_PKCS7_ISSUER_AND_SERIAL);
+LCRYPTO_USED(i2d_PKCS7_ISSUER_AND_SERIAL);
+LCRYPTO_USED(PKCS7_ISSUER_AND_SERIAL_digest);
+LCRYPTO_USED(d2i_PKCS7_fp);
+LCRYPTO_USED(i2d_PKCS7_fp);
+LCRYPTO_USED(PKCS7_dup);
+LCRYPTO_USED(d2i_PKCS7_bio);
+LCRYPTO_USED(i2d_PKCS7_bio);
+LCRYPTO_USED(i2d_PKCS7_bio_stream);
+LCRYPTO_USED(PEM_write_bio_PKCS7_stream);
+LCRYPTO_USED(PKCS7_SIGNER_INFO_new);
+LCRYPTO_USED(PKCS7_SIGNER_INFO_free);
+LCRYPTO_USED(d2i_PKCS7_SIGNER_INFO);
+LCRYPTO_USED(i2d_PKCS7_SIGNER_INFO);
+LCRYPTO_USED(PKCS7_RECIP_INFO_new);
+LCRYPTO_USED(PKCS7_RECIP_INFO_free);
+LCRYPTO_USED(d2i_PKCS7_RECIP_INFO);
+LCRYPTO_USED(i2d_PKCS7_RECIP_INFO);
+LCRYPTO_USED(PKCS7_SIGNED_new);
+LCRYPTO_USED(PKCS7_SIGNED_free);
+LCRYPTO_USED(d2i_PKCS7_SIGNED);
+LCRYPTO_USED(i2d_PKCS7_SIGNED);
+LCRYPTO_USED(PKCS7_ENC_CONTENT_new);
+LCRYPTO_USED(PKCS7_ENC_CONTENT_free);
+LCRYPTO_USED(d2i_PKCS7_ENC_CONTENT);
+LCRYPTO_USED(i2d_PKCS7_ENC_CONTENT);
+LCRYPTO_USED(PKCS7_ENVELOPE_new);
+LCRYPTO_USED(PKCS7_ENVELOPE_free);
+LCRYPTO_USED(d2i_PKCS7_ENVELOPE);
+LCRYPTO_USED(i2d_PKCS7_ENVELOPE);
+LCRYPTO_USED(PKCS7_SIGN_ENVELOPE_new);
+LCRYPTO_USED(PKCS7_SIGN_ENVELOPE_free);
+LCRYPTO_USED(d2i_PKCS7_SIGN_ENVELOPE);
+LCRYPTO_USED(i2d_PKCS7_SIGN_ENVELOPE);
+LCRYPTO_USED(PKCS7_DIGEST_new);
+LCRYPTO_USED(PKCS7_DIGEST_free);
+LCRYPTO_USED(d2i_PKCS7_DIGEST);
+LCRYPTO_USED(i2d_PKCS7_DIGEST);
+LCRYPTO_USED(PKCS7_ENCRYPT_new);
+LCRYPTO_USED(PKCS7_ENCRYPT_free);
+LCRYPTO_USED(d2i_PKCS7_ENCRYPT);
+LCRYPTO_USED(i2d_PKCS7_ENCRYPT);
+LCRYPTO_USED(PKCS7_new);
+LCRYPTO_USED(PKCS7_free);
+LCRYPTO_USED(d2i_PKCS7);
+LCRYPTO_USED(i2d_PKCS7);
+LCRYPTO_USED(PKCS7_print_ctx);
+LCRYPTO_USED(PKCS7_ctrl);
+LCRYPTO_USED(PKCS7_set_type);
+LCRYPTO_USED(PKCS7_set0_type_other);
+LCRYPTO_USED(PKCS7_set_content);
+LCRYPTO_USED(PKCS7_SIGNER_INFO_set);
+LCRYPTO_USED(PKCS7_SIGNER_INFO_sign);
+LCRYPTO_USED(PKCS7_add_signer);
+LCRYPTO_USED(PKCS7_add_certificate);
+LCRYPTO_USED(PKCS7_add_crl);
+LCRYPTO_USED(PKCS7_content_new);
+LCRYPTO_USED(PKCS7_dataVerify);
+LCRYPTO_USED(PKCS7_signatureVerify);
+LCRYPTO_USED(PKCS7_dataInit);
+LCRYPTO_USED(PKCS7_dataFinal);
+LCRYPTO_USED(PKCS7_dataDecode);
+LCRYPTO_USED(PKCS7_add_signature);
+LCRYPTO_USED(PKCS7_cert_from_signer_info);
+LCRYPTO_USED(PKCS7_set_digest);
+LCRYPTO_USED(PKCS7_get_signer_info);
+LCRYPTO_USED(PKCS7_add_recipient);
+LCRYPTO_USED(PKCS7_SIGNER_INFO_get0_algs);
+LCRYPTO_USED(PKCS7_RECIP_INFO_get0_alg);
+LCRYPTO_USED(PKCS7_add_recipient_info);
+LCRYPTO_USED(PKCS7_RECIP_INFO_set);
+LCRYPTO_USED(PKCS7_set_cipher);
+LCRYPTO_USED(PKCS7_stream);
+LCRYPTO_USED(PKCS7_get_issuer_and_serial);
+LCRYPTO_USED(PKCS7_digest_from_attributes);
+LCRYPTO_USED(PKCS7_add_signed_attribute);
+LCRYPTO_USED(PKCS7_add_attribute);
+LCRYPTO_USED(PKCS7_get_attribute);
+LCRYPTO_USED(PKCS7_get_signed_attribute);
+LCRYPTO_USED(PKCS7_set_signed_attributes);
+LCRYPTO_USED(PKCS7_set_attributes);
+LCRYPTO_USED(PKCS7_sign);
+LCRYPTO_USED(PKCS7_sign_add_signer);
+LCRYPTO_USED(PKCS7_final);
+LCRYPTO_USED(PKCS7_verify);
+LCRYPTO_USED(PKCS7_get0_signers);
+LCRYPTO_USED(PKCS7_encrypt);
+LCRYPTO_USED(PKCS7_decrypt);
+LCRYPTO_USED(PKCS7_add_attrib_smimecap);
+LCRYPTO_USED(PKCS7_get_smimecap);
+LCRYPTO_USED(PKCS7_simple_smimecap);
+LCRYPTO_USED(PKCS7_add_attrib_content_type);
+LCRYPTO_USED(PKCS7_add0_attrib_signing_time);
+LCRYPTO_USED(PKCS7_add1_attrib_digest);
+LCRYPTO_USED(SMIME_write_PKCS7);
+LCRYPTO_USED(SMIME_read_PKCS7);
+LCRYPTO_USED(BIO_new_PKCS7);
+LCRYPTO_USED(ERR_load_PKCS7_strings);
+
+#endif /* _LIBCRYPTO_PKCS7_H */
diff --git a/crypto/hidden/openssl/stack.h b/crypto/hidden/openssl/stack.h
new file mode 100644
index 0000000..a1674fe
--- /dev/null
+++ b/crypto/hidden/openssl/stack.h
@@ -0,0 +1,50 @@
+/* $OpenBSD: stack.h,v 1.1 2022/11/11 19:18:55 beck Exp $ */
+/*
+ * Copyright (c) 2022 Bob Beck
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _LIBCRYPTO_STACK_H
+#define _LIBCRYPTO_STACK_H
+
+#ifdef _MSC_VER
+#include <../include/openssl/stack.h>
+#else
+#include_next
+#endif
+#include "crypto_namespace.h"
+
+LCRYPTO_USED(sk_num);
+LCRYPTO_USED(sk_value);
+LCRYPTO_USED(sk_set);
+LCRYPTO_USED(sk_new);
+LCRYPTO_USED(sk_new_null);
+LCRYPTO_USED(sk_free);
+LCRYPTO_USED(sk_pop_free);
+LCRYPTO_USED(sk_insert);
+LCRYPTO_USED(sk_delete);
+LCRYPTO_USED(sk_delete_ptr);
+LCRYPTO_USED(sk_find);
+LCRYPTO_USED(sk_find_ex);
+LCRYPTO_USED(sk_push);
+LCRYPTO_USED(sk_unshift);
+LCRYPTO_USED(sk_shift);
+LCRYPTO_USED(sk_pop);
+LCRYPTO_USED(sk_zero);
+LCRYPTO_USED(sk_set_cmp_func);
+LCRYPTO_USED(sk_dup);
+LCRYPTO_USED(sk_sort);
+LCRYPTO_USED(sk_is_sorted);
+
+#endif /* _LIBCRYPTO_STACK_H */
diff --git a/crypto/hidden/openssl/ui.h b/crypto/hidden/openssl/ui.h
new file mode 100644
index 0000000..ee13b0a
--- /dev/null
+++ b/crypto/hidden/openssl/ui.h
@@ -0,0 +1,83 @@
+/* $OpenBSD: ui.h,v 1.2 2022/12/17 21:59:39 tb Exp $ */
+/*
+ * Copyright (c) 2022 Bob Beck
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _LIBCRYPTO_UI_H
+#define _LIBCRYPTO_UI_H
+
+#ifdef _MSC_VER
+#include <../include/openssl/ui.h>
+#else
+#include_next
+#endif
+#include "crypto_namespace.h"
+
+LCRYPTO_USED(UI_new);
+LCRYPTO_USED(UI_new_method);
+LCRYPTO_USED(UI_free);
+LCRYPTO_USED(UI_add_input_string);
+LCRYPTO_USED(UI_dup_input_string);
+LCRYPTO_USED(UI_add_verify_string);
+LCRYPTO_USED(UI_dup_verify_string);
+LCRYPTO_USED(UI_add_input_boolean);
+LCRYPTO_USED(UI_dup_input_boolean);
+LCRYPTO_USED(UI_add_info_string);
+LCRYPTO_USED(UI_dup_info_string);
+LCRYPTO_USED(UI_add_error_string);
+LCRYPTO_USED(UI_dup_error_string);
+LCRYPTO_USED(UI_construct_prompt);
+LCRYPTO_USED(UI_add_user_data);
+LCRYPTO_USED(UI_get0_user_data);
+LCRYPTO_USED(UI_get0_result);
+LCRYPTO_USED(UI_process);
+LCRYPTO_USED(UI_ctrl);
+LCRYPTO_USED(UI_get_ex_new_index);
+LCRYPTO_USED(UI_set_ex_data);
+LCRYPTO_USED(UI_get_ex_data);
+LCRYPTO_USED(UI_set_default_method);
+LCRYPTO_USED(UI_get_default_method);
+LCRYPTO_USED(UI_get_method);
+LCRYPTO_USED(UI_set_method);
+LCRYPTO_USED(UI_OpenSSL);
+LCRYPTO_USED(UI_null);
+LCRYPTO_USED(UI_create_method);
+LCRYPTO_USED(UI_destroy_method);
+LCRYPTO_USED(UI_method_set_opener);
+LCRYPTO_USED(UI_method_set_writer);
+LCRYPTO_USED(UI_method_set_flusher);
+LCRYPTO_USED(UI_method_set_reader);
+LCRYPTO_USED(UI_method_set_closer);
+LCRYPTO_USED(UI_method_set_prompt_constructor);
+LCRYPTO_USED(UI_method_get_opener);
+LCRYPTO_USED(UI_method_get_writer);
+LCRYPTO_USED(UI_method_get_flusher);
+LCRYPTO_USED(UI_method_get_reader);
+LCRYPTO_USED(UI_method_get_closer);
+LCRYPTO_USED(UI_get_string_type);
+LCRYPTO_USED(UI_get_input_flags);
+LCRYPTO_USED(UI_get0_output_string);
+LCRYPTO_USED(UI_get0_action_string);
+LCRYPTO_USED(UI_get0_result_string);
+LCRYPTO_USED(UI_get0_test_string);
+LCRYPTO_USED(UI_get_result_minsize);
+LCRYPTO_USED(UI_get_result_maxsize);
+LCRYPTO_USED(UI_set_result);
+LCRYPTO_USED(UI_UTIL_read_pw_string);
+LCRYPTO_USED(UI_UTIL_read_pw);
+LCRYPTO_USED(ERR_load_UI_strings);
+LCRYPTO_USED(UI_method_get_prompt_constructor);
+
+#endif /* _LIBCRYPTO_UI_H */
diff --git a/crypto/hidden/openssl/x509.h b/crypto/hidden/openssl/x509.h
new file mode 100644
index 0000000..bbc28af
--- /dev/null
+++ b/crypto/hidden/openssl/x509.h
@@ -0,0 +1,283 @@ +/* $OpenBSD: x509.h,v 1.2 2023/02/23 18:12:32 job Exp $ */ +/* + * Copyright (c) 2022 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _LIBCRYPTO_X509_H +#define _LIBCRYPTO_X509_H + +#ifdef _MSC_VER +#include <../include/openssl/x509.h> +#else +#include_next +#endif +#include "crypto_namespace.h" + +LCRYPTO_USED(X509_CRL_up_ref); +LCRYPTO_USED(i2d_re_X509_CRL_tbs); +LCRYPTO_USED(X509_get_X509_PUBKEY); +LCRYPTO_USED(X509_verify_cert_error_string); +LCRYPTO_USED(X509_verify); +LCRYPTO_USED(X509_REQ_verify); +LCRYPTO_USED(NETSCAPE_SPKI_verify); +LCRYPTO_USED(NETSCAPE_SPKI_b64_decode); +LCRYPTO_USED(NETSCAPE_SPKI_b64_encode); +LCRYPTO_USED(NETSCAPE_SPKI_get_pubkey); +LCRYPTO_USED(NETSCAPE_SPKI_set_pubkey); +LCRYPTO_USED(X509_sign); +LCRYPTO_USED(X509_sign_ctx); +LCRYPTO_USED(X509_REQ_sign); +LCRYPTO_USED(X509_REQ_sign_ctx); +LCRYPTO_USED(X509_CRL_sign); +LCRYPTO_USED(X509_CRL_sign_ctx); +LCRYPTO_USED(NETSCAPE_SPKI_sign); +LCRYPTO_USED(X509_pubkey_digest); +LCRYPTO_USED(X509_digest); +LCRYPTO_USED(X509_CRL_digest); +LCRYPTO_USED(X509_REQ_digest); +LCRYPTO_USED(X509_NAME_digest); +LCRYPTO_USED(d2i_X509_fp); +LCRYPTO_USED(i2d_X509_fp); +LCRYPTO_USED(d2i_X509_CRL_fp); +LCRYPTO_USED(i2d_X509_CRL_fp); +LCRYPTO_USED(d2i_X509_REQ_fp); 
+LCRYPTO_USED(i2d_X509_REQ_fp); +LCRYPTO_USED(d2i_RSAPrivateKey_fp); +LCRYPTO_USED(i2d_RSAPrivateKey_fp); +LCRYPTO_USED(d2i_RSAPublicKey_fp); +LCRYPTO_USED(i2d_RSAPublicKey_fp); +LCRYPTO_USED(d2i_DSAPrivateKey_fp); +LCRYPTO_USED(i2d_DSAPrivateKey_fp); +LCRYPTO_USED(d2i_ECPrivateKey_fp); +LCRYPTO_USED(i2d_ECPrivateKey_fp); +LCRYPTO_USED(d2i_PKCS8_fp); +LCRYPTO_USED(i2d_PKCS8_fp); +LCRYPTO_USED(d2i_PKCS8_PRIV_KEY_INFO_fp); +LCRYPTO_USED(i2d_PKCS8_PRIV_KEY_INFO_fp); +LCRYPTO_USED(i2d_PKCS8PrivateKeyInfo_fp); +LCRYPTO_USED(i2d_PrivateKey_fp); +LCRYPTO_USED(d2i_PrivateKey_fp); +LCRYPTO_USED(d2i_X509_bio); +LCRYPTO_USED(i2d_X509_bio); +LCRYPTO_USED(d2i_X509_CRL_bio); +LCRYPTO_USED(i2d_X509_CRL_bio); +LCRYPTO_USED(d2i_X509_REQ_bio); +LCRYPTO_USED(i2d_X509_REQ_bio); +LCRYPTO_USED(d2i_RSAPrivateKey_bio); +LCRYPTO_USED(i2d_RSAPrivateKey_bio); +LCRYPTO_USED(d2i_RSAPublicKey_bio); +LCRYPTO_USED(i2d_RSAPublicKey_bio); +LCRYPTO_USED(d2i_DSAPrivateKey_bio); +LCRYPTO_USED(i2d_DSAPrivateKey_bio); +LCRYPTO_USED(d2i_ECPrivateKey_bio); +LCRYPTO_USED(i2d_ECPrivateKey_bio); +LCRYPTO_USED(d2i_PKCS8_bio); +LCRYPTO_USED(i2d_PKCS8_bio); +LCRYPTO_USED(d2i_PKCS8_PRIV_KEY_INFO_bio); +LCRYPTO_USED(i2d_PKCS8_PRIV_KEY_INFO_bio); +LCRYPTO_USED(i2d_PKCS8PrivateKeyInfo_bio); +LCRYPTO_USED(i2d_PrivateKey_bio); +LCRYPTO_USED(d2i_PrivateKey_bio); +LCRYPTO_USED(X509_cmp_time); +LCRYPTO_USED(X509_cmp_current_time); +LCRYPTO_USED(X509_time_adj); +LCRYPTO_USED(X509_time_adj_ex); +LCRYPTO_USED(X509_gmtime_adj); +LCRYPTO_USED(X509_get_default_cert_area); +LCRYPTO_USED(X509_get_default_cert_dir); +LCRYPTO_USED(X509_get_default_cert_file); +LCRYPTO_USED(X509_get_default_cert_dir_env); +LCRYPTO_USED(X509_get_default_cert_file_env); +LCRYPTO_USED(X509_get_default_private_dir); +LCRYPTO_USED(X509_to_X509_REQ); +LCRYPTO_USED(X509_REQ_to_X509); +LCRYPTO_USED(X509_get_pubkey_parameters); +LCRYPTO_USED(X509_TRUST_set_default); +LCRYPTO_USED(X509_TRUST_set); +LCRYPTO_USED(X509_NAME_oneline); 
+LCRYPTO_USED(X509_get0_extensions); +LCRYPTO_USED(X509_get0_tbs_sigalg); +LCRYPTO_USED(X509_get0_uids); +LCRYPTO_USED(X509_set_version); +LCRYPTO_USED(X509_get_version); +LCRYPTO_USED(X509_set_serialNumber); +LCRYPTO_USED(X509_get_serialNumber); +LCRYPTO_USED(X509_get0_serialNumber); +LCRYPTO_USED(X509_set_issuer_name); +LCRYPTO_USED(X509_get_issuer_name); +LCRYPTO_USED(X509_set_subject_name); +LCRYPTO_USED(X509_get_subject_name); +LCRYPTO_USED(X509_set_notBefore); +LCRYPTO_USED(X509_set1_notBefore); +LCRYPTO_USED(X509_set_notAfter); +LCRYPTO_USED(X509_set1_notAfter); +LCRYPTO_USED(X509_get0_notBefore); +LCRYPTO_USED(X509_getm_notBefore); +LCRYPTO_USED(X509_get0_notAfter); +LCRYPTO_USED(X509_getm_notAfter); +LCRYPTO_USED(X509_set_pubkey); +LCRYPTO_USED(X509_get_pubkey); +LCRYPTO_USED(X509_get0_pubkey); +LCRYPTO_USED(X509_get0_pubkey_bitstr); +LCRYPTO_USED(X509_certificate_type); +LCRYPTO_USED(X509_get_signature_type); +LCRYPTO_USED(X509_REQ_set_version); +LCRYPTO_USED(X509_REQ_get_version); +LCRYPTO_USED(X509_REQ_set_subject_name); +LCRYPTO_USED(X509_REQ_get_subject_name); +LCRYPTO_USED(X509_REQ_set_pubkey); +LCRYPTO_USED(X509_REQ_get_pubkey); +LCRYPTO_USED(i2d_re_X509_REQ_tbs); +LCRYPTO_USED(X509_REQ_get0_pubkey); +LCRYPTO_USED(X509_REQ_extension_nid); +LCRYPTO_USED(X509_REQ_get_extension_nids); +LCRYPTO_USED(X509_REQ_set_extension_nids); +LCRYPTO_USED(X509_REQ_get_extensions); +LCRYPTO_USED(X509_REQ_add_extensions_nid); +LCRYPTO_USED(X509_REQ_add_extensions); +LCRYPTO_USED(X509_REQ_get_attr_count); +LCRYPTO_USED(X509_REQ_get_attr_by_NID); +LCRYPTO_USED(X509_REQ_get_attr_by_OBJ); +LCRYPTO_USED(X509_REQ_get_attr); +LCRYPTO_USED(X509_REQ_delete_attr); +LCRYPTO_USED(X509_REQ_add1_attr); +LCRYPTO_USED(X509_REQ_add1_attr_by_OBJ); +LCRYPTO_USED(X509_REQ_add1_attr_by_NID); +LCRYPTO_USED(X509_REQ_add1_attr_by_txt); +LCRYPTO_USED(X509_CRL_set_version); +LCRYPTO_USED(X509_CRL_set_issuer_name); +LCRYPTO_USED(X509_CRL_set_lastUpdate); +LCRYPTO_USED(X509_CRL_set1_lastUpdate); 
+LCRYPTO_USED(X509_CRL_set_nextUpdate); +LCRYPTO_USED(X509_CRL_set1_nextUpdate); +LCRYPTO_USED(X509_CRL_sort); +LCRYPTO_USED(X509_REVOKED_get0_extensions); +LCRYPTO_USED(X509_REVOKED_get0_revocationDate); +LCRYPTO_USED(X509_REVOKED_get0_serialNumber); +LCRYPTO_USED(X509_REVOKED_set_revocationDate); +LCRYPTO_USED(X509_REVOKED_set_serialNumber); +LCRYPTO_USED(X509_REQ_check_private_key); +LCRYPTO_USED(X509_check_private_key); +LCRYPTO_USED(X509_issuer_and_serial_cmp); +LCRYPTO_USED(X509_issuer_and_serial_hash); +LCRYPTO_USED(X509_issuer_name_cmp); +LCRYPTO_USED(X509_issuer_name_hash); +LCRYPTO_USED(X509_subject_name_cmp); +LCRYPTO_USED(X509_subject_name_hash); +LCRYPTO_USED(X509_issuer_name_hash_old); +LCRYPTO_USED(X509_subject_name_hash_old); +LCRYPTO_USED(X509_cmp); +LCRYPTO_USED(X509_NAME_cmp); +LCRYPTO_USED(X509_NAME_hash); +LCRYPTO_USED(X509_NAME_hash_old); +LCRYPTO_USED(X509_CRL_cmp); +LCRYPTO_USED(X509_CRL_match); +LCRYPTO_USED(X509_NAME_entry_count); +LCRYPTO_USED(X509_NAME_get_text_by_NID); +LCRYPTO_USED(X509_NAME_get_text_by_OBJ); +LCRYPTO_USED(X509_NAME_get_index_by_NID); +LCRYPTO_USED(X509_NAME_get_index_by_OBJ); +LCRYPTO_USED(X509_NAME_get_entry); +LCRYPTO_USED(X509_NAME_delete_entry); +LCRYPTO_USED(X509_NAME_add_entry); +LCRYPTO_USED(X509_NAME_add_entry_by_OBJ); +LCRYPTO_USED(X509_NAME_add_entry_by_NID); +LCRYPTO_USED(X509_NAME_ENTRY_create_by_txt); +LCRYPTO_USED(X509_NAME_ENTRY_create_by_NID); +LCRYPTO_USED(X509_NAME_add_entry_by_txt); +LCRYPTO_USED(X509_NAME_ENTRY_create_by_OBJ); +LCRYPTO_USED(X509_NAME_ENTRY_set_object); +LCRYPTO_USED(X509_NAME_ENTRY_set_data); +LCRYPTO_USED(X509_NAME_ENTRY_get_object); +LCRYPTO_USED(X509_NAME_ENTRY_get_data); +LCRYPTO_USED(X509_NAME_ENTRY_set); +LCRYPTO_USED(X509v3_get_ext_count); +LCRYPTO_USED(X509v3_get_ext_by_NID); +LCRYPTO_USED(X509v3_get_ext_by_OBJ); +LCRYPTO_USED(X509v3_get_ext_by_critical); +LCRYPTO_USED(X509v3_get_ext); +LCRYPTO_USED(X509v3_delete_ext); +LCRYPTO_USED(X509v3_add_ext); 
+LCRYPTO_USED(X509_get_ext_count); +LCRYPTO_USED(X509_get_ext_by_NID); +LCRYPTO_USED(X509_get_ext_by_OBJ); +LCRYPTO_USED(X509_get_ext_by_critical); +LCRYPTO_USED(X509_get_ext); +LCRYPTO_USED(X509_delete_ext); +LCRYPTO_USED(X509_add_ext); +LCRYPTO_USED(X509_get_ext_d2i); +LCRYPTO_USED(X509_add1_ext_i2d); +LCRYPTO_USED(X509_CRL_get_ext_count); +LCRYPTO_USED(X509_CRL_get_ext_by_NID); +LCRYPTO_USED(X509_CRL_get_ext_by_OBJ); +LCRYPTO_USED(X509_CRL_get_ext_by_critical); +LCRYPTO_USED(X509_CRL_get_ext); +LCRYPTO_USED(X509_CRL_delete_ext); +LCRYPTO_USED(X509_CRL_add_ext); +LCRYPTO_USED(X509_CRL_get_ext_d2i); +LCRYPTO_USED(X509_CRL_add1_ext_i2d); +LCRYPTO_USED(X509_REVOKED_get_ext_count); +LCRYPTO_USED(X509_REVOKED_get_ext_by_NID); +LCRYPTO_USED(X509_REVOKED_get_ext_by_OBJ); +LCRYPTO_USED(X509_REVOKED_get_ext_by_critical); +LCRYPTO_USED(X509_REVOKED_get_ext); +LCRYPTO_USED(X509_REVOKED_delete_ext); +LCRYPTO_USED(X509_REVOKED_add_ext); +LCRYPTO_USED(X509_REVOKED_get_ext_d2i); +LCRYPTO_USED(X509_REVOKED_add1_ext_i2d); +LCRYPTO_USED(X509_EXTENSION_create_by_NID); +LCRYPTO_USED(X509_EXTENSION_create_by_OBJ); +LCRYPTO_USED(X509_EXTENSION_set_object); +LCRYPTO_USED(X509_EXTENSION_set_critical); +LCRYPTO_USED(X509_EXTENSION_set_data); +LCRYPTO_USED(X509_EXTENSION_get_object); +LCRYPTO_USED(X509_EXTENSION_get_data); +LCRYPTO_USED(X509_EXTENSION_get_critical); +LCRYPTO_USED(X509at_get_attr_count); +LCRYPTO_USED(X509at_get_attr_by_NID); +LCRYPTO_USED(X509at_get_attr_by_OBJ); +LCRYPTO_USED(X509at_get_attr); +LCRYPTO_USED(X509at_delete_attr); +LCRYPTO_USED(X509at_add1_attr); +LCRYPTO_USED(X509at_add1_attr_by_OBJ); +LCRYPTO_USED(X509at_add1_attr_by_NID); +LCRYPTO_USED(X509at_add1_attr_by_txt); +LCRYPTO_USED(X509at_get0_data_by_OBJ); +LCRYPTO_USED(X509_ATTRIBUTE_create_by_NID); +LCRYPTO_USED(X509_ATTRIBUTE_create_by_OBJ); +LCRYPTO_USED(X509_ATTRIBUTE_create_by_txt); +LCRYPTO_USED(X509_ATTRIBUTE_set1_object); +LCRYPTO_USED(X509_ATTRIBUTE_set1_data); 
+LCRYPTO_USED(X509_ATTRIBUTE_get0_data); +LCRYPTO_USED(X509_ATTRIBUTE_count); +LCRYPTO_USED(X509_ATTRIBUTE_get0_object); +LCRYPTO_USED(X509_ATTRIBUTE_get0_type); +LCRYPTO_USED(X509_verify_cert); +LCRYPTO_USED(X509_find_by_issuer_and_serial); +LCRYPTO_USED(X509_find_by_subject); +LCRYPTO_USED(X509_check_trust); +LCRYPTO_USED(X509_TRUST_get_count); +LCRYPTO_USED(X509_TRUST_get0); +LCRYPTO_USED(X509_TRUST_get_by_id); +LCRYPTO_USED(X509_TRUST_add); +LCRYPTO_USED(X509_TRUST_cleanup); +LCRYPTO_USED(X509_TRUST_get_flags); +LCRYPTO_USED(X509_TRUST_get0_name); +LCRYPTO_USED(X509_TRUST_get_trust); +LCRYPTO_USED(X509_up_ref); +LCRYPTO_USED(X509_chain_up_ref); +LCRYPTO_USED(ERR_load_X509_strings); + +#endif /* _LIBCRYPTO_X509_H */ diff --git a/crypto/hidden/openssl/x509_vfy.h b/crypto/hidden/openssl/x509_vfy.h new file mode 100644 index 0000000..8e2f3e5 --- /dev/null +++ b/crypto/hidden/openssl/x509_vfy.h 
@@ -0,0 +1,167 @@ +/* $OpenBSD: x509_vfy.h,v 1.4 2023/04/25 18:32:42 tb Exp $ */ +/* + * Copyright (c) 2022 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _LIBCRYPTO_X509_VFY_H +#define _LIBCRYPTO_X509_VFY_H + +#ifdef _MSC_VER +#include <../include/openssl/x509_vfy.h> +#else +#include_next +#endif +#include "crypto_namespace.h" + +LCRYPTO_USED(X509_STORE_set_depth); +LCRYPTO_USED(X509_STORE_CTX_set_depth); +LCRYPTO_USED(X509_OBJECT_new); +LCRYPTO_USED(X509_OBJECT_free); +LCRYPTO_USED(X509_OBJECT_idx_by_subject); +LCRYPTO_USED(X509_OBJECT_retrieve_by_subject); +LCRYPTO_USED(X509_OBJECT_retrieve_match); +LCRYPTO_USED(X509_OBJECT_up_ref_count); +LCRYPTO_USED(X509_OBJECT_get_type); +LCRYPTO_USED(X509_OBJECT_get0_X509); +LCRYPTO_USED(X509_OBJECT_get0_X509_CRL); +LCRYPTO_USED(X509_STORE_new); +LCRYPTO_USED(X509_STORE_free); +LCRYPTO_USED(X509_STORE_up_ref); +LCRYPTO_USED(X509_STORE_get0_objects); +LCRYPTO_USED(X509_STORE_get_ex_data); +LCRYPTO_USED(X509_STORE_set_ex_data); +LCRYPTO_USED(X509_STORE_set_flags); +LCRYPTO_USED(X509_STORE_set_purpose); +LCRYPTO_USED(X509_STORE_set_trust); +LCRYPTO_USED(X509_STORE_set1_param); +LCRYPTO_USED(X509_STORE_get0_param); +LCRYPTO_USED(X509_STORE_get_verify_cb); +LCRYPTO_USED(X509_STORE_set_verify_cb); 
+LCRYPTO_USED(X509_STORE_get_check_issued); +LCRYPTO_USED(X509_STORE_set_check_issued); +LCRYPTO_USED(X509_STORE_CTX_get_check_issued); +LCRYPTO_USED(X509_STORE_CTX_new); +LCRYPTO_USED(X509_STORE_CTX_get1_issuer); +LCRYPTO_USED(X509_STORE_CTX_free); +LCRYPTO_USED(X509_STORE_CTX_init); +LCRYPTO_USED(X509_STORE_CTX_get0_cert); +LCRYPTO_USED(X509_STORE_CTX_get0_chain); +LCRYPTO_USED(X509_STORE_CTX_get0_store); +LCRYPTO_USED(X509_STORE_CTX_get0_untrusted); +LCRYPTO_USED(X509_STORE_CTX_set0_untrusted); +LCRYPTO_USED(X509_STORE_CTX_get1_certs); +LCRYPTO_USED(X509_STORE_CTX_get1_crls); +LCRYPTO_USED(X509_STORE_CTX_trusted_stack); +LCRYPTO_USED(X509_STORE_CTX_set0_trusted_stack); +LCRYPTO_USED(X509_STORE_CTX_cleanup); +LCRYPTO_USED(X509_STORE_add_lookup); +LCRYPTO_USED(X509_LOOKUP_hash_dir); +LCRYPTO_USED(X509_LOOKUP_file); +LCRYPTO_USED(X509_LOOKUP_mem); +LCRYPTO_USED(X509_STORE_add_cert); +LCRYPTO_USED(X509_STORE_add_crl); +LCRYPTO_USED(X509_STORE_CTX_get_by_subject); +LCRYPTO_USED(X509_STORE_CTX_get_obj_by_subject); +LCRYPTO_USED(X509_LOOKUP_ctrl); +LCRYPTO_USED(X509_load_cert_file); +LCRYPTO_USED(X509_load_crl_file); +LCRYPTO_USED(X509_load_cert_crl_file); +LCRYPTO_USED(X509_LOOKUP_new); +LCRYPTO_USED(X509_LOOKUP_free); +LCRYPTO_USED(X509_LOOKUP_init); +LCRYPTO_USED(X509_LOOKUP_by_subject); +LCRYPTO_USED(X509_LOOKUP_by_issuer_serial); +LCRYPTO_USED(X509_LOOKUP_by_fingerprint); +LCRYPTO_USED(X509_LOOKUP_by_alias); +LCRYPTO_USED(X509_LOOKUP_shutdown); +LCRYPTO_USED(X509_STORE_load_locations); +LCRYPTO_USED(X509_STORE_load_mem); +LCRYPTO_USED(X509_STORE_set_default_paths); +LCRYPTO_USED(X509_STORE_CTX_get_ex_new_index); +LCRYPTO_USED(X509_STORE_CTX_set_ex_data); +LCRYPTO_USED(X509_STORE_CTX_get_ex_data); +LCRYPTO_USED(X509_STORE_CTX_get_error); +LCRYPTO_USED(X509_STORE_CTX_set_error); +LCRYPTO_USED(X509_STORE_CTX_get_error_depth); +LCRYPTO_USED(X509_STORE_CTX_set_error_depth); +LCRYPTO_USED(X509_STORE_CTX_get_current_cert); +LCRYPTO_USED(X509_STORE_CTX_set_current_cert); 
+LCRYPTO_USED(X509_STORE_CTX_get0_current_issuer); +LCRYPTO_USED(X509_STORE_CTX_get0_current_crl); +LCRYPTO_USED(X509_STORE_CTX_get0_parent_ctx); +LCRYPTO_USED(X509_STORE_CTX_get_chain); +LCRYPTO_USED(X509_STORE_CTX_get1_chain); +LCRYPTO_USED(X509_STORE_CTX_set_cert); +LCRYPTO_USED(X509_STORE_CTX_set_chain); +LCRYPTO_USED(X509_STORE_CTX_set0_crls); +LCRYPTO_USED(X509_STORE_CTX_set_purpose); +LCRYPTO_USED(X509_STORE_CTX_set_trust); +LCRYPTO_USED(X509_STORE_CTX_purpose_inherit); +LCRYPTO_USED(X509_STORE_CTX_set_flags); +LCRYPTO_USED(X509_STORE_CTX_set_time); +LCRYPTO_USED(X509_STORE_CTX_set0_verified_chain); +LCRYPTO_USED(X509_STORE_CTX_get_verify); +LCRYPTO_USED(X509_STORE_CTX_set_verify); +LCRYPTO_USED(X509_STORE_CTX_get_verify_cb); +LCRYPTO_USED(X509_STORE_CTX_set_verify_cb); +LCRYPTO_USED(X509_STORE_set_verify); +LCRYPTO_USED(X509_STORE_get_verify); +LCRYPTO_USED(X509_STORE_CTX_get_num_untrusted); +LCRYPTO_USED(X509_STORE_CTX_get0_param); +LCRYPTO_USED(X509_STORE_CTX_set0_param); +LCRYPTO_USED(X509_STORE_CTX_set_default); +LCRYPTO_USED(X509_VERIFY_PARAM_new); +LCRYPTO_USED(X509_VERIFY_PARAM_free); +LCRYPTO_USED(X509_VERIFY_PARAM_inherit); +LCRYPTO_USED(X509_VERIFY_PARAM_set1); +LCRYPTO_USED(X509_VERIFY_PARAM_set1_name); +LCRYPTO_USED(X509_VERIFY_PARAM_set_flags); +LCRYPTO_USED(X509_VERIFY_PARAM_clear_flags); +LCRYPTO_USED(X509_VERIFY_PARAM_get_flags); +LCRYPTO_USED(X509_VERIFY_PARAM_set_purpose); +LCRYPTO_USED(X509_VERIFY_PARAM_set_trust); +LCRYPTO_USED(X509_VERIFY_PARAM_set_depth); +LCRYPTO_USED(X509_VERIFY_PARAM_set_auth_level); +LCRYPTO_USED(X509_VERIFY_PARAM_get_time); +LCRYPTO_USED(X509_VERIFY_PARAM_set_time); +LCRYPTO_USED(X509_VERIFY_PARAM_add0_policy); +LCRYPTO_USED(X509_VERIFY_PARAM_set1_policies); +LCRYPTO_USED(X509_VERIFY_PARAM_get_depth); +LCRYPTO_USED(X509_VERIFY_PARAM_set1_host); +LCRYPTO_USED(X509_VERIFY_PARAM_add1_host); +LCRYPTO_USED(X509_VERIFY_PARAM_set_hostflags); +LCRYPTO_USED(X509_VERIFY_PARAM_get0_peername); 
+LCRYPTO_USED(X509_VERIFY_PARAM_set1_email); +LCRYPTO_USED(X509_VERIFY_PARAM_set1_ip); +LCRYPTO_USED(X509_VERIFY_PARAM_set1_ip_asc); +LCRYPTO_USED(X509_VERIFY_PARAM_get0_name); +LCRYPTO_USED(X509_VERIFY_PARAM_get0); +LCRYPTO_USED(X509_VERIFY_PARAM_get_count); +LCRYPTO_USED(X509_VERIFY_PARAM_add0_table); +LCRYPTO_USED(X509_VERIFY_PARAM_lookup); +LCRYPTO_USED(X509_VERIFY_PARAM_table_cleanup); +LCRYPTO_USED(X509_policy_check); +LCRYPTO_USED(X509_policy_tree_free); +LCRYPTO_USED(X509_policy_tree_level_count); +LCRYPTO_USED(X509_policy_tree_get0_level); +LCRYPTO_USED(X509_policy_tree_get0_policies); +LCRYPTO_USED(X509_policy_tree_get0_user_policies); +LCRYPTO_USED(X509_policy_level_node_count); +LCRYPTO_USED(X509_policy_level_get0_node); +LCRYPTO_USED(X509_policy_node_get0_policy); +LCRYPTO_USED(X509_policy_node_get0_qualifiers); +LCRYPTO_USED(X509_policy_node_get0_parent); + +#endif /* _LIBCRYPTO_X509_VFY_H */ diff --git a/crypto/hidden/openssl/x509v3.h b/crypto/hidden/openssl/x509v3.h new file mode 100644 index 0000000..92fab9b --- /dev/null +++ b/crypto/hidden/openssl/x509v3.h 
@@ -0,0 +1,265 @@ +/* $OpenBSD: x509v3.h,v 1.4 2023/04/30 19:31:05 tb Exp $ */ +/* + * Copyright (c) 2022 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef _LIBCRYPTO_X509V3_H +#define _LIBCRYPTO_X509V3_H + +#ifdef _MSC_VER +#include <../include/openssl/x509v3.h> +#else +#include_next +#endif +#include "crypto_namespace.h" + +LCRYPTO_USED(BASIC_CONSTRAINTS_new); +LCRYPTO_USED(BASIC_CONSTRAINTS_free); +LCRYPTO_USED(d2i_BASIC_CONSTRAINTS); +LCRYPTO_USED(i2d_BASIC_CONSTRAINTS); +LCRYPTO_USED(AUTHORITY_KEYID_new); +LCRYPTO_USED(AUTHORITY_KEYID_free); +LCRYPTO_USED(d2i_AUTHORITY_KEYID); +LCRYPTO_USED(i2d_AUTHORITY_KEYID); +LCRYPTO_USED(PKEY_USAGE_PERIOD_new); +LCRYPTO_USED(PKEY_USAGE_PERIOD_free); +LCRYPTO_USED(d2i_PKEY_USAGE_PERIOD); +LCRYPTO_USED(i2d_PKEY_USAGE_PERIOD); +LCRYPTO_USED(GENERAL_NAME_new); +LCRYPTO_USED(GENERAL_NAME_free); +LCRYPTO_USED(d2i_GENERAL_NAME); +LCRYPTO_USED(i2d_GENERAL_NAME); +LCRYPTO_USED(GENERAL_NAME_dup); +LCRYPTO_USED(GENERAL_NAME_cmp); +LCRYPTO_USED(v2i_ASN1_BIT_STRING); +LCRYPTO_USED(i2v_ASN1_BIT_STRING); +LCRYPTO_USED(i2v_GENERAL_NAME); +LCRYPTO_USED(GENERAL_NAME_print); +LCRYPTO_USED(GENERAL_NAMES_new); +LCRYPTO_USED(GENERAL_NAMES_free); +LCRYPTO_USED(d2i_GENERAL_NAMES); +LCRYPTO_USED(i2d_GENERAL_NAMES); 
+LCRYPTO_USED(i2v_GENERAL_NAMES); +LCRYPTO_USED(v2i_GENERAL_NAMES); +LCRYPTO_USED(OTHERNAME_new); +LCRYPTO_USED(OTHERNAME_free); +LCRYPTO_USED(d2i_OTHERNAME); +LCRYPTO_USED(i2d_OTHERNAME); +LCRYPTO_USED(EDIPARTYNAME_new); +LCRYPTO_USED(EDIPARTYNAME_free); +LCRYPTO_USED(d2i_EDIPARTYNAME); +LCRYPTO_USED(i2d_EDIPARTYNAME); +LCRYPTO_USED(OTHERNAME_cmp); +LCRYPTO_USED(GENERAL_NAME_set0_value); +LCRYPTO_USED(GENERAL_NAME_get0_value); +LCRYPTO_USED(GENERAL_NAME_set0_othername); +LCRYPTO_USED(GENERAL_NAME_get0_otherName); +LCRYPTO_USED(i2s_ASN1_OCTET_STRING); +LCRYPTO_USED(s2i_ASN1_OCTET_STRING); +LCRYPTO_USED(EXTENDED_KEY_USAGE_new); +LCRYPTO_USED(EXTENDED_KEY_USAGE_free); +LCRYPTO_USED(d2i_EXTENDED_KEY_USAGE); +LCRYPTO_USED(i2d_EXTENDED_KEY_USAGE); +LCRYPTO_USED(i2a_ACCESS_DESCRIPTION); +LCRYPTO_USED(CERTIFICATEPOLICIES_new); +LCRYPTO_USED(CERTIFICATEPOLICIES_free); +LCRYPTO_USED(d2i_CERTIFICATEPOLICIES); +LCRYPTO_USED(i2d_CERTIFICATEPOLICIES); +LCRYPTO_USED(POLICYINFO_new); +LCRYPTO_USED(POLICYINFO_free); +LCRYPTO_USED(d2i_POLICYINFO); +LCRYPTO_USED(i2d_POLICYINFO); +LCRYPTO_USED(POLICYQUALINFO_new); +LCRYPTO_USED(POLICYQUALINFO_free); +LCRYPTO_USED(d2i_POLICYQUALINFO); +LCRYPTO_USED(i2d_POLICYQUALINFO); +LCRYPTO_USED(USERNOTICE_new); +LCRYPTO_USED(USERNOTICE_free); +LCRYPTO_USED(d2i_USERNOTICE); +LCRYPTO_USED(i2d_USERNOTICE); +LCRYPTO_USED(NOTICEREF_new); +LCRYPTO_USED(NOTICEREF_free); +LCRYPTO_USED(d2i_NOTICEREF); +LCRYPTO_USED(i2d_NOTICEREF); +LCRYPTO_USED(CRL_DIST_POINTS_new); +LCRYPTO_USED(CRL_DIST_POINTS_free); +LCRYPTO_USED(d2i_CRL_DIST_POINTS); +LCRYPTO_USED(i2d_CRL_DIST_POINTS); +LCRYPTO_USED(DIST_POINT_new); +LCRYPTO_USED(DIST_POINT_free); +LCRYPTO_USED(d2i_DIST_POINT); +LCRYPTO_USED(i2d_DIST_POINT); +LCRYPTO_USED(DIST_POINT_NAME_new); +LCRYPTO_USED(DIST_POINT_NAME_free); +LCRYPTO_USED(d2i_DIST_POINT_NAME); +LCRYPTO_USED(i2d_DIST_POINT_NAME); +LCRYPTO_USED(ISSUING_DIST_POINT_new); +LCRYPTO_USED(ISSUING_DIST_POINT_free); +LCRYPTO_USED(d2i_ISSUING_DIST_POINT); 
+LCRYPTO_USED(i2d_ISSUING_DIST_POINT); +LCRYPTO_USED(DIST_POINT_set_dpname); +LCRYPTO_USED(NAME_CONSTRAINTS_check); +LCRYPTO_USED(ACCESS_DESCRIPTION_new); +LCRYPTO_USED(ACCESS_DESCRIPTION_free); +LCRYPTO_USED(d2i_ACCESS_DESCRIPTION); +LCRYPTO_USED(i2d_ACCESS_DESCRIPTION); +LCRYPTO_USED(AUTHORITY_INFO_ACCESS_new); +LCRYPTO_USED(AUTHORITY_INFO_ACCESS_free); +LCRYPTO_USED(d2i_AUTHORITY_INFO_ACCESS); +LCRYPTO_USED(i2d_AUTHORITY_INFO_ACCESS); +LCRYPTO_USED(POLICY_MAPPING_new); +LCRYPTO_USED(POLICY_MAPPING_free); +LCRYPTO_USED(GENERAL_SUBTREE_new); +LCRYPTO_USED(GENERAL_SUBTREE_free); +LCRYPTO_USED(NAME_CONSTRAINTS_new); +LCRYPTO_USED(NAME_CONSTRAINTS_free); +LCRYPTO_USED(POLICY_CONSTRAINTS_new); +LCRYPTO_USED(POLICY_CONSTRAINTS_free); +LCRYPTO_USED(a2i_GENERAL_NAME); +LCRYPTO_USED(v2i_GENERAL_NAME); +LCRYPTO_USED(v2i_GENERAL_NAME_ex); +LCRYPTO_USED(X509V3_conf_free); +LCRYPTO_USED(X509V3_EXT_nconf_nid); +LCRYPTO_USED(X509V3_EXT_nconf); +LCRYPTO_USED(X509V3_EXT_add_nconf_sk); +LCRYPTO_USED(X509V3_EXT_add_nconf); +LCRYPTO_USED(X509V3_EXT_REQ_add_nconf); +LCRYPTO_USED(X509V3_EXT_CRL_add_nconf); +LCRYPTO_USED(X509V3_EXT_conf_nid); +LCRYPTO_USED(X509V3_EXT_conf); +LCRYPTO_USED(X509V3_EXT_add_conf); +LCRYPTO_USED(X509V3_EXT_REQ_add_conf); +LCRYPTO_USED(X509V3_EXT_CRL_add_conf); +LCRYPTO_USED(X509V3_add_value_bool_nf); +LCRYPTO_USED(X509V3_get_value_bool); +LCRYPTO_USED(X509V3_get_value_int); +LCRYPTO_USED(X509V3_set_nconf); +LCRYPTO_USED(X509V3_set_conf_lhash); +LCRYPTO_USED(X509V3_get_string); +LCRYPTO_USED(X509V3_get_section); +LCRYPTO_USED(X509V3_string_free); +LCRYPTO_USED(X509V3_section_free); +LCRYPTO_USED(X509V3_set_ctx); +LCRYPTO_USED(X509V3_add_value); +LCRYPTO_USED(X509V3_add_value_uchar); +LCRYPTO_USED(X509V3_add_value_bool); +LCRYPTO_USED(X509V3_add_value_int); +LCRYPTO_USED(i2s_ASN1_INTEGER); +LCRYPTO_USED(s2i_ASN1_INTEGER); +LCRYPTO_USED(i2s_ASN1_ENUMERATED); +LCRYPTO_USED(i2s_ASN1_ENUMERATED_TABLE); +LCRYPTO_USED(X509V3_EXT_add); 
+LCRYPTO_USED(X509V3_EXT_add_list); +LCRYPTO_USED(X509V3_EXT_add_alias); +LCRYPTO_USED(X509V3_EXT_cleanup); +LCRYPTO_USED(X509V3_EXT_get); +LCRYPTO_USED(X509V3_EXT_get_nid); +LCRYPTO_USED(X509V3_add_standard_extensions); +LCRYPTO_USED(X509V3_parse_list); +LCRYPTO_USED(X509V3_EXT_d2i); +LCRYPTO_USED(X509V3_get_d2i); +LCRYPTO_USED(X509V3_EXT_i2d); +LCRYPTO_USED(X509V3_add1_i2d); +LCRYPTO_USED(hex_to_string); +LCRYPTO_USED(string_to_hex); +LCRYPTO_USED(X509V3_EXT_val_prn); +LCRYPTO_USED(X509V3_EXT_print); +LCRYPTO_USED(X509V3_EXT_print_fp); +LCRYPTO_USED(X509V3_extensions_print); +LCRYPTO_USED(X509_check_ca); +LCRYPTO_USED(X509_check_purpose); +LCRYPTO_USED(X509_supported_extension); +LCRYPTO_USED(X509_PURPOSE_set); +LCRYPTO_USED(X509_check_issued); +LCRYPTO_USED(X509_check_akid); +LCRYPTO_USED(X509_PURPOSE_get_count); +LCRYPTO_USED(X509_PURPOSE_get0); +LCRYPTO_USED(X509_PURPOSE_get_by_sname); +LCRYPTO_USED(X509_PURPOSE_get_by_id); +LCRYPTO_USED(X509_PURPOSE_add); +LCRYPTO_USED(X509_PURPOSE_get0_name); +LCRYPTO_USED(X509_PURPOSE_get0_sname); +LCRYPTO_USED(X509_PURPOSE_get_trust); +LCRYPTO_USED(X509_PURPOSE_cleanup); +LCRYPTO_USED(X509_PURPOSE_get_id); +LCRYPTO_USED(X509_get_extension_flags); +LCRYPTO_USED(X509_get_key_usage); +LCRYPTO_USED(X509_get_extended_key_usage); +LCRYPTO_USED(X509_get1_email); +LCRYPTO_USED(X509_REQ_get1_email); +LCRYPTO_USED(X509_email_free); +LCRYPTO_USED(X509_get1_ocsp); +LCRYPTO_USED(X509_check_host); +LCRYPTO_USED(X509_check_email); +LCRYPTO_USED(X509_check_ip); +LCRYPTO_USED(X509_check_ip_asc); +LCRYPTO_USED(a2i_IPADDRESS); +LCRYPTO_USED(a2i_IPADDRESS_NC); +LCRYPTO_USED(a2i_ipadd); +LCRYPTO_USED(X509V3_NAME_from_section); +LCRYPTO_USED(ASRange_new); +LCRYPTO_USED(ASRange_free); +LCRYPTO_USED(d2i_ASRange); +LCRYPTO_USED(i2d_ASRange); +LCRYPTO_USED(ASIdOrRange_new); +LCRYPTO_USED(ASIdOrRange_free); +LCRYPTO_USED(d2i_ASIdOrRange); +LCRYPTO_USED(i2d_ASIdOrRange); +LCRYPTO_USED(ASIdentifierChoice_new); +LCRYPTO_USED(ASIdentifierChoice_free); 
+LCRYPTO_USED(d2i_ASIdentifierChoice); +LCRYPTO_USED(i2d_ASIdentifierChoice); +LCRYPTO_USED(ASIdentifiers_new); +LCRYPTO_USED(ASIdentifiers_free); +LCRYPTO_USED(d2i_ASIdentifiers); +LCRYPTO_USED(i2d_ASIdentifiers); +LCRYPTO_USED(IPAddressRange_new); +LCRYPTO_USED(IPAddressRange_free); +LCRYPTO_USED(d2i_IPAddressRange); +LCRYPTO_USED(i2d_IPAddressRange); +LCRYPTO_USED(IPAddressOrRange_new); +LCRYPTO_USED(IPAddressOrRange_free); +LCRYPTO_USED(d2i_IPAddressOrRange); +LCRYPTO_USED(i2d_IPAddressOrRange); +LCRYPTO_USED(IPAddressChoice_new); +LCRYPTO_USED(IPAddressChoice_free); +LCRYPTO_USED(d2i_IPAddressChoice); +LCRYPTO_USED(i2d_IPAddressChoice); +LCRYPTO_USED(IPAddressFamily_new); +LCRYPTO_USED(IPAddressFamily_free); +LCRYPTO_USED(d2i_IPAddressFamily); +LCRYPTO_USED(i2d_IPAddressFamily); +LCRYPTO_USED(X509v3_asid_add_inherit); +LCRYPTO_USED(X509v3_asid_add_id_or_range); +LCRYPTO_USED(X509v3_addr_add_inherit); +LCRYPTO_USED(X509v3_addr_add_prefix); +LCRYPTO_USED(X509v3_addr_add_range); +LCRYPTO_USED(X509v3_addr_get_afi); +LCRYPTO_USED(X509v3_addr_get_range); +LCRYPTO_USED(X509v3_asid_is_canonical); +LCRYPTO_USED(X509v3_addr_is_canonical); +LCRYPTO_USED(X509v3_asid_canonize); +LCRYPTO_USED(X509v3_addr_canonize); +LCRYPTO_USED(X509v3_asid_inherits); +LCRYPTO_USED(X509v3_addr_inherits); +LCRYPTO_USED(X509v3_asid_subset); +LCRYPTO_USED(X509v3_addr_subset); +LCRYPTO_USED(X509v3_asid_validate_path); +LCRYPTO_USED(X509v3_addr_validate_path); +LCRYPTO_USED(X509v3_asid_validate_resource_set); +LCRYPTO_USED(X509v3_addr_validate_resource_set); +LCRYPTO_USED(ERR_load_X509V3_strings); + +#endif /* _LIBCRYPTO_X509V3_H */ diff --git a/crypto/hkdf/hkdf.c b/crypto/hkdf/hkdf.c index 9adf126..47ad4ec 100644 --- a/crypto/hkdf/hkdf.c +++ b/crypto/hkdf/hkdf.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: hkdf.c,v 1.7 2021/12/12 21:30:14 tb Exp $ */
+/* $OpenBSD: hkdf.c,v 1.8 2022/11/26 16:08:53 tb Exp $ */
 /* Copyright (c) 2014, Google Inc.
 *
 * Permission to use, copy, modify, and/or distribute this software for any
@@ -21,7 +21,7 @@
 #include
 #include
-#include "evp_locl.h"
+#include "evp_local.h"
 #include "hmac_local.h"
 /* https://tools.ietf.org/html/rfc5869#section-2 */
diff --git a/crypto/hmac/hm_ameth.c b/crypto/hmac/hm_ameth.c
index 84bb5f0..7e6ad6d 100644
--- a/crypto/hmac/hm_ameth.c
+++ b/crypto/hmac/hm_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hm_ameth.c,v 1.12 2021/12/12 21:30:14 tb Exp $ */
+/* $OpenBSD: hm_ameth.c,v 1.19 2022/11/26 16:08:53 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2007.
 */
@@ -56,22 +56,24 @@
 *
 */
+#include
 #include
 #include
 #include
 #include
-#include "asn1_locl.h"
-#include "evp_locl.h"
+#include "asn1_local.h"
+#include "bytestring.h"
+#include "evp_local.h"
 #include "hmac_local.h"
-#define HMAC_TEST_PRIVATE_KEY_FORMAT
-
-/* HMAC "ASN1" method. This is just here to indicate the
- * maximum HMAC output length and to free up an HMAC
- * key.
- */
+static int
+hmac_pkey_public_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
+{
+ /* The ameth pub_cmp must return 1 on match, 0 on mismatch. */
+ return ASN1_OCTET_STRING_cmp(a->pkey.ptr, b->pkey.ptr) == 0;
+}
 static int
 hmac_size(const EVP_PKEY *pkey)
@@ -82,13 +84,15 @@ hmac_size(const EVP_PKEY *pkey)
 static void
 hmac_key_free(EVP_PKEY *pkey)
 {
- ASN1_OCTET_STRING *os = (ASN1_OCTET_STRING *)pkey->pkey.ptr;
+ ASN1_OCTET_STRING *os;
- if (os) {
- if (os->data)
- explicit_bzero(os->data, os->length);
- ASN1_OCTET_STRING_free(os);
- }
+ if ((os = pkey->pkey.ptr) == NULL)
+ return;
+
+ if (os->data != NULL)
+ explicit_bzero(os->data, os->length);
+
+ ASN1_OCTET_STRING_free(os);
 }
 static int
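Review bot: hmac_pkey_public_cmp passes `a->pkey.ptr` and `b->pkey.ptr` straight to ASN1_OCTET_STRING_cmp(), yet the same commit treats a NULL `pkey.ptr` as a legitimate state of an HMAC EVP_PKEY (hmac_key_free returns early on it, hmac_get_priv_key reports 0 on it), so an EVP_PKEY_cmp() involving a keyless HMAC key would presumably dereference NULL here. The bytes being compared are also the HMAC secret rather than a public value, and ASN1_OCTET_STRING_cmp() is a length-then-memcmp comparison that stops at the first differing byte; whether that timing matters depends on whether an attacker can drive repeated comparisons, but a constant-time compare costs nothing. A NULL guard plus a length check and timingsafe_memcmp() keeps the "1 on match, 0 on mismatch" contract stated in the comment.
```c
static int
hmac_pkey_public_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
{
	const ASN1_OCTET_STRING *os_a = a->pkey.ptr;
	const ASN1_OCTET_STRING *os_b = b->pkey.ptr;

	/* The ameth pub_cmp must return 1 on match, 0 on mismatch. */
	if (os_a == NULL || os_b == NULL)
		return os_a == os_b;
	if (os_a->length != os_b->length)
		return 0;

	/* This is secret key material: compare without leaking where it differs. */
	return timingsafe_memcmp(os_a->data, os_b->data, os_a->length) == 0;
}
```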
@@ -103,57 +107,51 @@ hmac_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2)
 }
 }
-#ifdef HMAC_TEST_PRIVATE_KEY_FORMAT
-/* A bogus private key format for test purposes. This is simply the
- * HMAC key with "HMAC PRIVATE KEY" in the headers. When enabled the
- * genpkey utility can be used to "generate" HMAC keys.
- */
-
 static int
-old_hmac_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
+hmac_set_priv_key(EVP_PKEY *pkey, const unsigned char *priv, size_t len)
 {
- ASN1_OCTET_STRING *os;
+ ASN1_OCTET_STRING *os = NULL;
- os = ASN1_OCTET_STRING_new();
- if (os == NULL)
+ if (pkey->pkey.ptr != NULL)
 goto err;
- if (ASN1_OCTET_STRING_set(os, *pder, derlen) == 0)
+
+ if (len > INT_MAX)
 goto err;
- if (EVP_PKEY_assign(pkey, EVP_PKEY_HMAC, os) == 0)
+
+ if ((os = ASN1_OCTET_STRING_new()) == NULL)
 goto err;
+
+ if (!ASN1_OCTET_STRING_set(os, priv, len))
+ goto err;
+
+ pkey->pkey.ptr = os;
+
 return 1;
-err:
+ err:
 ASN1_OCTET_STRING_free(os);
+
 return 0;
 }
 static int
-old_hmac_encode(const EVP_PKEY *pkey, unsigned char **pder)
+hmac_get_priv_key(const EVP_PKEY *pkey, unsigned char *priv, size_t *len)
 {
- int inc;
- ASN1_OCTET_STRING *os = (ASN1_OCTET_STRING *)pkey->pkey.ptr;
+ ASN1_OCTET_STRING *os;
+ CBS cbs;
- if (pder) {
- if (!*pder) {
- *pder = malloc(os->length);
- if (*pder == NULL)
- return -1;
- inc = 0;
- } else
- inc = 1;
+ if ((os = pkey->pkey.ptr) == NULL)
+ return 0;
- memcpy(*pder, os->data, os->length);
-
- if (inc)
- *pder += os->length;
+ if (priv == NULL) {
+ *len = os->length;
+ return 1;
 }
- return os->length;
+ CBS_init(&cbs, os->data, os->length);
+ return CBS_write_bytes(&cbs, priv, *len, len);
 }
-#endif
-
 const EVP_PKEY_ASN1_METHOD hmac_asn1_meth = {
 .pkey_id = EVP_PKEY_HMAC,
 .pkey_base_id = EVP_PKEY_HMAC,
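Review bot: hmac_get_priv_key's `len` is an in/out parameter and nothing in the hunk says so: on the `priv == NULL` query path it is written with the key length, while on the copy path `*len` is passed to CBS_write_bytes() as the destination capacity and, presumably, rewritten with the number of bytes copied. A two-line comment above the function stating that contract would stop a caller from passing an uninitialised length. In hmac_set_priv_key the `len > INT_MAX` guard is there because ASN1_OCTET_STRING_set() takes an int length, and `if (pkey->pkey.ptr != NULL) goto err;` deliberately refuses to replace an existing key rather than freeing it; both are worth a one-liner, e.g. `/* ASN1_OCTET_STRING_set() takes an int length. */` and `/* Refuse to overwrite an already-set key. */`, since a failure return otherwise reads as an allocation error.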
@@ -161,12 +159,13 @@ const EVP_PKEY_ASN1_METHOD hmac_asn1_meth = {
 .pem_str = "HMAC",
 .info = "OpenSSL HMAC method",
+ .pub_cmp = hmac_pkey_public_cmp,
+
 .pkey_size = hmac_size,
 .pkey_free = hmac_key_free,
 .pkey_ctrl = hmac_pkey_ctrl,
-#ifdef HMAC_TEST_PRIVATE_KEY_FORMAT
- .old_priv_decode = old_hmac_decode,
- .old_priv_encode = old_hmac_encode
-#endif
+
+ .set_priv_key = hmac_set_priv_key,
+ .get_priv_key = hmac_get_priv_key,
 };
diff --git a/crypto/hmac/hm_pmeth.c b/crypto/hmac/hm_pmeth.c
index 4017f57..bb043d1 100644
--- a/crypto/hmac/hm_pmeth.c
+++ b/crypto/hmac/hm_pmeth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hm_pmeth.c,v 1.13 2022/03/30 07:17:48 tb Exp $ */
+/* $OpenBSD: hm_pmeth.c,v 1.15 2022/11/26 16:08:53 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2007.
 */
@@ -64,7 +64,7 @@
 #include
 #include
-#include "evp_locl.h"
+#include "evp_local.h"
 #include "hmac_local.h"
 /* HMAC pkey context structure */
@@ -202,7 +202,7 @@ pkey_hmac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 break;
 case EVP_PKEY_CTRL_DIGESTINIT:
- key = (ASN1_OCTET_STRING *)ctx->pkey->pkey.ptr;
+ key = ctx->pkey->pkey.ptr;
 if (!HMAC_Init_ex(&hctx->ctx, key->data, key->length, hctx->md, ctx->engine))
 return 0;
diff --git a/crypto/hmac/hmac.c b/crypto/hmac/hmac.c
index 5598998..ea3a1b4 100644
--- a/crypto/hmac/hmac.c
+++ b/crypto/hmac/hmac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hmac.c,v 1.27 2021/12/12 21:30:14 tb Exp $ */
+/* $OpenBSD: hmac.c,v 1.31 2023/02/16 08:38:17 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -63,7 +63,7 @@
 #include
 #include
-#include "evp_locl.h"
+#include "evp_local.h"
 #include "hmac_local.h"
 int
@@ -134,6 +134,7 @@ HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md,
 err:
 return 0;
 }
+LCRYPTO_ALIAS(HMAC_Init_ex);
 int
 HMAC_Init(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md)
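Review bot: In hm_pmeth.c the rewritten `key = ctx->pkey->pkey.ptr;` in the EVP_PKEY_CTRL_DIGESTINIT case is still followed by `key->data` and `key->length` with no NULL check, while the ameth side of this same commit (hmac_key_free, hmac_get_priv_key) treats a NULL `pkey.ptr` as a legitimate state of an HMAC EVP_PKEY. If an HMAC key can reach digest init before set_priv_key has populated it, this is a NULL dereference; `if ((key = ctx->pkey->pkey.ptr) == NULL) return 0;` closes it and matches the style of the new ameth code. pkey_hmac_ctrl begins and ends outside the hunk.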
@@ -151,6 +152,7 @@ HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len) return EVP_DigestUpdate(&ctx->md_ctx, data, len); } +LCRYPTO_ALIAS(HMAC_Update); int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) @@ -173,6 +175,7 @@ HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) err: return 0; } +LCRYPTO_ALIAS(HMAC_Final); HMAC_CTX * HMAC_CTX_new(void) @@ -186,6 +189,7 @@ HMAC_CTX_new(void) return ctx; } +LCRYPTO_ALIAS(HMAC_CTX_new); void HMAC_CTX_free(HMAC_CTX *ctx) @@ -197,6 +201,7 @@ HMAC_CTX_free(HMAC_CTX *ctx) free(ctx); } +LCRYPTO_ALIAS(HMAC_CTX_free); int HMAC_CTX_reset(HMAC_CTX *ctx) @@ -231,6 +236,7 @@ HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx) err: return 0; } +LCRYPTO_ALIAS(HMAC_CTX_copy); void HMAC_CTX_cleanup(HMAC_CTX *ctx) @@ -248,12 +254,14 @@ HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags) EVP_MD_CTX_set_flags(&ctx->o_ctx, flags); EVP_MD_CTX_set_flags(&ctx->md_ctx, flags); } +LCRYPTO_ALIAS(HMAC_CTX_set_flags); const EVP_MD * HMAC_CTX_get_md(const HMAC_CTX *ctx) { return ctx->md; } +LCRYPTO_ALIAS(HMAC_CTX_get_md); unsigned char * HMAC(const EVP_MD *evp_md, const void *key, int key_len, const unsigned char *d, @@ -261,11 +269,16 @@ HMAC(const EVP_MD *evp_md, const void *key, int key_len, const unsigned char *d, { HMAC_CTX c; static unsigned char m[EVP_MAX_MD_SIZE]; + const unsigned char dummy_key[1] = { 0 }; if (md == NULL) md = m; + if (key == NULL) { + key = dummy_key; + key_len = 0; + } HMAC_CTX_init(&c); - if (!HMAC_Init(&c, key, key_len, evp_md)) + if (!HMAC_Init_ex(&c, key, key_len, evp_md, NULL)) goto err; if (!HMAC_Update(&c, d, n)) goto err; @@ -277,3 +290,4 @@ err: HMAC_CTX_cleanup(&c); return NULL; } +LCRYPTO_ALIAS(HMAC); diff --git a/crypto/hmac/hmac_local.h b/crypto/hmac/hmac_local.h index 5900bc1..e06cd6a 100644 --- a/crypto/hmac/hmac_local.h +++ b/crypto/hmac/hmac_local.h 
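Review bot: The new `key == NULL` branch in HMAC() silently turns a missing key into a zero-length key, so a caller that passes NULL by mistake gets a MAC under a predictable empty key rather than a failure; since this is evidently deliberate (HMAC_Init_ex() treats NULL as "reuse the key already set", which a freshly initialised context cannot do), the code should say so: `/* NULL means an empty key here, unlike HMAC_Init_ex() where it means reuse the existing key; point at a zero-length buffer so HMAC_Init_ex() accepts it. */`. The pre-existing `static unsigned char m[EVP_MAX_MD_SIZE]` returned when `md == NULL` is shared by every caller, which the function's documentation should state as not thread-safe. HMAC()'s body continues outside this hunk; the `err:` label is in the following hunk.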
@@ -1,4 +1,4 @@ -/* $OpenBSD: hmac_local.h,v 1.3 2022/01/14 08:06:03 tb Exp $ */ +/* $OpenBSD: hmac_local.h,v 1.4 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,7 +62,7 @@ #include -#include "evp_locl.h" +#include "evp_local.h" __BEGIN_HIDDEN_DECLS diff --git a/crypto/idea/i_cbc.c b/crypto/idea/i_cbc.c index 5bb9640..e382a0a 100644 --- a/crypto/idea/i_cbc.c +++ b/crypto/idea/i_cbc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: i_cbc.c,v 1.3 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: i_cbc.c,v 1.4 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "idea_lcl.h" +#include "idea_local.h" void idea_cbc_encrypt(const unsigned char *in, unsigned char *out, long length, IDEA_KEY_SCHEDULE *ks, unsigned char *iv, int encrypt) diff --git a/crypto/idea/i_cfb64.c b/crypto/idea/i_cfb64.c index b979aae..d6b6411 100644 --- a/crypto/idea/i_cfb64.c +++ b/crypto/idea/i_cfb64.c @@ -1,4 +1,4 @@ -/* $OpenBSD: i_cfb64.c,v 1.3 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: i_cfb64.c,v 1.4 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "idea_lcl.h" +#include "idea_local.h" /* The input and output encrypted as though 64bit cfb mode is being * used. The extra state information to record how much of the diff --git a/crypto/idea/i_ecb.c b/crypto/idea/i_ecb.c index dac456c..6fada76 100644 --- a/crypto/idea/i_ecb.c +++ b/crypto/idea/i_ecb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: i_ecb.c,v 1.3 2014/07/09 11:10:51 bcook Exp $ */ +/* $OpenBSD: i_ecb.c,v 1.4 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "idea_lcl.h" +#include "idea_local.h" #include const char *idea_options(void) 
diff --git a/crypto/idea/i_ofb64.c b/crypto/idea/i_ofb64.c index 376dad9..b63144b 100644 --- a/crypto/idea/i_ofb64.c +++ b/crypto/idea/i_ofb64.c @@ -1,4 +1,4 @@ -/* $OpenBSD: i_ofb64.c,v 1.3 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: i_ofb64.c,v 1.4 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "idea_lcl.h" +#include "idea_local.h" /* The input and output encrypted as though 64bit ofb mode is being * used. The extra state information to record how much of the diff --git a/crypto/idea/i_skey.c b/crypto/idea/i_skey.c index 2824d26..4338165 100644 --- a/crypto/idea/i_skey.c +++ b/crypto/idea/i_skey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: i_skey.c,v 1.4 2014/10/28 07:35:58 jsg Exp $ */ +/* $OpenBSD: i_skey.c,v 1.5 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -58,7 +58,7 @@ #include #include -#include "idea_lcl.h" +#include "idea_local.h" static IDEA_INT inverse(unsigned int xin); void idea_set_encrypt_key(const unsigned char *key, IDEA_KEY_SCHEDULE *ks) diff --git a/crypto/idea/idea_lcl.h b/crypto/idea/idea_local.h similarity index 98% rename from crypto/idea/idea_lcl.h rename to crypto/idea/idea_local.h index e46c960..2663516 100644 --- a/crypto/idea/idea_lcl.h +++ b/crypto/idea/idea_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: idea_lcl.h,v 1.3 2015/02/07 13:19:15 doug Exp $ */ +/* $OpenBSD: idea_local.h,v 1.1 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * diff --git a/crypto/kdf/hkdf_evp.c b/crypto/kdf/hkdf_evp.c new file mode 100644 index 0000000..992c66a --- /dev/null +++ b/crypto/kdf/hkdf_evp.c 
@@ -0,0 +1,269 @@ +/* $OpenBSD: hkdf_evp.c,v 1.19 2022/11/26 16:08:53 tb Exp $ */ +/* ==================================================================== + * Copyright (c) 2016-2018 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include + +#include +#include +#include +#include +#include + +#include "evp_local.h" + +#define HKDF_MAXBUF 1024 + +typedef struct { + int mode; + const EVP_MD *md; + unsigned char *salt; + size_t salt_len; + unsigned char *key; + size_t key_len; + unsigned char info[HKDF_MAXBUF]; + size_t info_len; +} HKDF_PKEY_CTX; + +static int +pkey_hkdf_init(EVP_PKEY_CTX *ctx) +{ + HKDF_PKEY_CTX *kctx; + + if ((kctx = calloc(1, sizeof(*kctx))) == NULL) { + KDFerror(ERR_R_MALLOC_FAILURE); + return 0; + } + + ctx->data = kctx; + + return 1; +} + +static void +pkey_hkdf_cleanup(EVP_PKEY_CTX *ctx) +{ + HKDF_PKEY_CTX *kctx = ctx->data; + + freezero(kctx->salt, kctx->salt_len); + freezero(kctx->key, kctx->key_len); + freezero(kctx, sizeof(*kctx)); +} + +static int +pkey_hkdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) +{ + HKDF_PKEY_CTX *kctx = ctx->data; + + switch (type) { + case EVP_PKEY_CTRL_HKDF_MD: + if (p2 == NULL) + return 0; + + kctx->md = p2; + return 1; + + case EVP_PKEY_CTRL_HKDF_MODE: + kctx->mode = p1; + return 1; + + case EVP_PKEY_CTRL_HKDF_SALT: + if (p1 == 0 || p2 == NULL) + return 1; + + if (p1 < 0) + return 0; + + freezero(kctx->salt, kctx->salt_len); + if ((kctx->salt = malloc(p1)) == NULL) + return 0; + memcpy(kctx->salt, p2, p1); + + kctx->salt_len = p1; + return 1; + + case EVP_PKEY_CTRL_HKDF_KEY: + if (p1 <= 0) + return 0; + + freezero(kctx->key, kctx->key_len); + if ((kctx->key = malloc(p1)) 
== NULL) + return 0; + memcpy(kctx->key, p2, p1); + + kctx->key_len = p1; + return 1; + + case EVP_PKEY_CTRL_HKDF_INFO: + if (p1 == 0 || p2 == NULL) + return 1; + + if (p1 < 0 || p1 > (int)(HKDF_MAXBUF - kctx->info_len)) + return 0; + + memcpy(kctx->info + kctx->info_len, p2, p1); + kctx->info_len += p1; + return 1; + + default: + return -2; + } +} + +static int +pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, + const char *value) +{ + if (strcmp(type, "mode") == 0) { + int mode; + + if (strcmp(value, "EXTRACT_AND_EXPAND") == 0) + mode = EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND; + else if (strcmp(value, "EXTRACT_ONLY") == 0) + mode = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY; + else if (strcmp(value, "EXPAND_ONLY") == 0) + mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY; + else + return 0; + + return EVP_PKEY_CTX_hkdf_mode(ctx, mode); + } + + if (strcmp(type, "md") == 0) + return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_HKDF_MD, value); + + if (strcmp(type, "salt") == 0) + return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, + value); + + if (strcmp(type, "hexsalt") == 0) + return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, + value); + + if (strcmp(type, "key") == 0) + return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value); + + if (strcmp(type, "hexkey") == 0) + return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value); + + if (strcmp(type, "info") == 0) + return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, + value); + + if (strcmp(type, "hexinfo") == 0) + return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, + value); + + KDFerror(KDF_R_UNKNOWN_PARAMETER_TYPE); + return -2; +} + +static int +pkey_hkdf_derive_init(EVP_PKEY_CTX *ctx) +{ + HKDF_PKEY_CTX *kctx = ctx->data; + + freezero(kctx->key, kctx->key_len); + freezero(kctx->salt, kctx->salt_len); + explicit_bzero(kctx, sizeof(*kctx)); + + return 1; +} + +static int +pkey_hkdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, + size_t *keylen) +{ + HKDF_PKEY_CTX *kctx = 
ctx->data; + + if (kctx->md == NULL) { + KDFerror(KDF_R_MISSING_MESSAGE_DIGEST); + return 0; + } + if (kctx->key == NULL) { + KDFerror(KDF_R_MISSING_KEY); + return 0; + } + + switch (kctx->mode) { + case EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND: + return HKDF(key, *keylen, kctx->md, kctx->key, kctx->key_len, + kctx->salt, kctx->salt_len, kctx->info, kctx->info_len); + + case EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY: + if (key == NULL) { + *keylen = EVP_MD_size(kctx->md); + return 1; + } + return HKDF_extract(key, keylen, kctx->md, kctx->key, + kctx->key_len, kctx->salt, kctx->salt_len); + + case EVP_PKEY_HKDEF_MODE_EXPAND_ONLY: + return HKDF_expand(key, *keylen, kctx->md, kctx->key, + kctx->key_len, kctx->info, kctx->info_len); + + default: + return 0; + } +} + +const EVP_PKEY_METHOD hkdf_pkey_meth = { + .pkey_id = EVP_PKEY_HKDF, + .flags = 0, + + .init = pkey_hkdf_init, + .copy = NULL, + .cleanup = pkey_hkdf_cleanup, + + .derive_init = pkey_hkdf_derive_init, + .derive = pkey_hkdf_derive, + .ctrl = pkey_hkdf_ctrl, + .ctrl_str = pkey_hkdf_ctrl_str, +}; diff --git a/crypto/o_time.h b/crypto/kdf/kdf_err.c similarity index 71% rename from crypto/o_time.h rename to crypto/kdf/kdf_err.c index 064f2cc..4dd3237 100644 --- a/crypto/o_time.h +++ b/crypto/kdf/kdf_err.c @@ -1,9 +1,6 @@ -/* $OpenBSD: o_time.h,v 1.8 2021/10/27 09:50:56 beck Exp $ */ -/* Written by Richard Levitte (richard@levitte.org) for the OpenSSL - * project 2001. - */ +/* $OpenBSD: kdf_err.c,v 1.9 2022/07/12 14:42:49 kn Exp $ */ /* ==================================================================== - * Copyright (c) 2001 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999-2018 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
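Review bot: In pkey_hkdf_ctrl() the EVP_PKEY_CTRL_HKDF_KEY case checks only `p1 <= 0` and then memcpy()s `p1` bytes from `p2`, whereas the SALT and INFO cases both guard `p2 == NULL`; make the key case consistent with `if (p1 <= 0 || p2 == NULL) return 0;`. The derive path already rejects a missing key with KDF_R_MISSING_KEY, so this only closes the direct-ctrl path, but a NULL memcpy source is undefined behaviour rather than an error return. Separately, pkey_hkdf_derive() answers a `key == NULL` length query only in EXTRACT_ONLY mode; whether HKDF() and HKDF_expand() tolerate a NULL output buffer in the other two modes is not visible here and is worth confirming. The file is new in its entirety in this hunk, so nothing is cut off.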
@@ -25,7 +22,7 @@ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. + * openssl-core@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written @@ -56,16 +53,37 @@ * */ -#ifndef HEADER_O_TIME_H -#define HEADER_O_TIME_H +#include +#include -#include +#ifndef OPENSSL_NO_ERR -__BEGIN_HIDDEN_DECLS +static ERR_STRING_DATA KDF_str_functs[] = { + {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_CTRL_STR, 0), "pkey_hkdf_ctrl_str"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_DERIVE, 0), "pkey_hkdf_derive"}, + {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_INIT, 0), "pkey_hkdf_init"}, + {0, NULL}, +}; -int OPENSSL_gmtime_adj(struct tm *tm, int offset_day, long offset_sec); -int OPENSSL_gmtime_diff(int *pday, int *psec, const struct tm *from, - const struct tm *to); +static ERR_STRING_DATA KDF_str_reasons[] = { + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_KEY), "missing key"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_MESSAGE_DIGEST), + "missing message digest"}, + {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_UNKNOWN_PARAMETER_TYPE), + "unknown parameter type"}, + {0, NULL}, +}; -__END_HIDDEN_DECLS #endif + +int +ERR_load_KDF_strings(void) +{ +#ifndef OPENSSL_NO_ERR + if (ERR_func_error_string(KDF_str_functs[0].error) == NULL) { + ERR_load_strings(0, KDF_str_functs); + ERR_load_strings(0, KDF_str_reasons); + } +#endif + return 1; +} diff --git a/crypto/md32_common.h b/crypto/md32_common.h index 0dca617..cce4cfb 100644 --- a/crypto/md32_common.h +++ b/crypto/md32_common.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: md32_common.h,v 1.22 2016/11/04 13:56:04 miod Exp $ */ +/* $OpenBSD: md32_common.h,v 1.24 2023/04/12 04:54:15 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * @@ -111,6 +111,8 @@ #include +#include "crypto_internal.h" + #if !defined(DATA_ORDER_IS_BIG_ENDIAN) && !defined(DATA_ORDER_IS_LITTLE_ENDIAN) #error "DATA_ORDER must be defined!" #endif @@ -139,15 +141,7 @@ #error "HASH_BLOCK_DATA_ORDER must be defined!" #endif -/* - * This common idiom is recognized by the compiler and turned into a - * CPU-specific intrinsic as appropriate. - * e.g. GCC optimizes to roll on amd64 at -O0 - */ -static inline uint32_t ROTATE(uint32_t a, uint32_t n) -{ - return (a<>(32-n)); -} +#define ROTATE(a, n) crypto_rol_u32(a, n) #if defined(DATA_ORDER_IS_BIG_ENDIAN) @@ -316,7 +310,7 @@ int HASH_FINAL (unsigned char *md, HASH_CTX *c) #if defined(__alpha) || defined(__sparcv9) || defined(__mips) #define MD32_REG_T long /* - * This comment was originaly written for MD5, which is why it + * This comment was originally written for MD5, which is why it * discusses A-D. But it basically applies to all 32-bit digests, * which is why it was moved to common header file. * diff --git a/crypto/md4/md4_dgst.c b/crypto/md4/md4_dgst.c index 4d3801f..aa7b7f7 100644 --- a/crypto/md4/md4_dgst.c +++ b/crypto/md4/md4_dgst.c @@ -1,4 +1,4 @@ -/* $OpenBSD: md4_dgst.c,v 1.16 2015/09/14 01:45:03 doug Exp $ */ +/* $OpenBSD: md4_dgst.c,v 1.17 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -59,7 +59,7 @@ #include #include #include -#include "md4_locl.h" +#include "md4_local.h" /* Implemented from RFC1186 The MD4 Message-Digest Algorithm */ 
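Review bot: The new `#define ROTATE(a, n) crypto_rol_u32(a, n)` in md32_common.h drops the explanatory comment the inline function carried and leaves no pointer to where the rotate now lives; I would add `/* 32-bit rotate left; crypto_rol_u32() is provided by crypto_internal.h, included above. */` directly above the macro. Because the macro only forwards both arguments to a single function call, each argument is still evaluated once, so existing call sites keep their meaning; the comment could state that too, since macros named like functions invite that question.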
diff --git a/crypto/md4/md4_locl.h b/crypto/md4/md4_local.h similarity index 98% rename from crypto/md4/md4_locl.h rename to crypto/md4/md4_local.h index 6cf69de..a5aa123 100644 --- a/crypto/md4/md4_locl.h +++ b/crypto/md4/md4_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: md4_locl.h,v 1.10 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: md4_local.h,v 1.1 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * diff --git a/crypto/md5/md5-elf-x86_64.S b/crypto/md5/md5-elf-x86_64.S index 2b73d72..8fc10c9 100644 --- a/crypto/md5/md5-elf-x86_64.S +++ b/crypto/md5/md5-elf-x86_64.S @@ -5,6 +5,7 @@ .globl md5_block_asm_data_order .type md5_block_asm_data_order,@function md5_block_asm_data_order: + endbr64 pushq %rbp pushq %rbx pushq %r12 diff --git a/crypto/md5/md5-macosx-x86_64.S b/crypto/md5/md5-macosx-x86_64.S index b4fcd18..0640eec 100644 --- a/crypto/md5/md5-macosx-x86_64.S +++ b/crypto/md5/md5-macosx-x86_64.S @@ -5,6 +5,7 @@ .globl _md5_block_asm_data_order _md5_block_asm_data_order: + pushq %rbp pushq %rbx pushq %r12 diff --git a/crypto/md5/md5-masm-x86_64.S b/crypto/md5/md5-masm-x86_64.S index 85d0bcb..d4de90b 100644 --- a/crypto/md5/md5-masm-x86_64.S +++ b/crypto/md5/md5-masm-x86_64.S @@ -82,6 +82,7 @@ $L$SEH_begin_md5_block_asm_data_order:: mov rdx,r8 + endbr64 push rbp push rbx push r12 diff --git a/crypto/md5/md5-mingw64-x86_64.S b/crypto/md5/md5-mingw64-x86_64.S index 5a611f5..7f9a722 100644 --- a/crypto/md5/md5-mingw64-x86_64.S +++ b/crypto/md5/md5-mingw64-x86_64.S @@ -13,6 +13,7 @@ md5_block_asm_data_order: movq %rdx,%rsi movq %r8,%rdx + endbr64 pushq %rbp pushq %rbx pushq %r12 diff --git a/crypto/md5/md5_dgst.c b/crypto/md5/md5_dgst.c index f551137..5acdcd2 100644 --- a/crypto/md5/md5_dgst.c +++ b/crypto/md5/md5_dgst.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: md5_dgst.c,v 1.14 2014/10/28 07:35:59 jsg Exp $ */ +/* $OpenBSD: md5_dgst.c,v 1.15 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "md5_locl.h" +#include "md5_local.h" #include #include diff --git a/crypto/md5/md5_locl.h b/crypto/md5/md5_local.h similarity index 98% rename from crypto/md5/md5_locl.h rename to crypto/md5/md5_local.h index 325c531..6026733 100644 --- a/crypto/md5/md5_locl.h +++ b/crypto/md5/md5_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: md5_locl.h,v 1.14 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: md5_local.h,v 1.1 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * diff --git a/crypto/modes/cbc128.c b/crypto/modes/cbc128.c index c5cf5a6..f2eebc6 100644 --- a/crypto/modes/cbc128.c +++ b/crypto/modes/cbc128.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cbc128.c,v 1.5 2022/01/22 00:45:17 inoguchi Exp $ */ +/* $OpenBSD: cbc128.c,v 1.6 2022/11/26 16:08:53 tb Exp $ */ /* ==================================================================== * Copyright (c) 2008 The OpenSSL Project. All rights reserved. * @@ -50,7 +50,7 @@ */ #include -#include "modes_lcl.h" +#include "modes_local.h" #include #ifndef MODES_DEBUG diff --git a/crypto/modes/ccm128.c b/crypto/modes/ccm128.c index 12c6e61..978259e 100644 --- a/crypto/modes/ccm128.c +++ b/crypto/modes/ccm128.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ccm128.c,v 1.5 2019/05/08 14:18:25 tb Exp $ */ +/* $OpenBSD: ccm128.c,v 1.6 2022/11/26 16:08:53 tb Exp $ */ /* ==================================================================== * Copyright (c) 2011 The OpenSSL Project. All rights reserved. * @@ -49,7 +49,7 @@ */ #include -#include "modes_lcl.h" +#include "modes_local.h" #include #ifndef MODES_DEBUG diff --git a/crypto/modes/cfb128.c b/crypto/modes/cfb128.c index 8399f0c..8555ce0 100644 --- a/crypto/modes/cfb128.c +++ b/crypto/modes/cfb128.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: cfb128.c,v 1.4 2015/02/10 09:46:30 miod Exp $ */ +/* $OpenBSD: cfb128.c,v 1.5 2022/11/26 16:08:53 tb Exp $ */ /* ==================================================================== * Copyright (c) 2008 The OpenSSL Project. All rights reserved. * @@ -50,7 +50,7 @@ */ #include -#include "modes_lcl.h" +#include "modes_local.h" #include #ifndef MODES_DEBUG diff --git a/crypto/modes/ctr128.c b/crypto/modes/ctr128.c index 23979d6..eadb804 100644 --- a/crypto/modes/ctr128.c +++ b/crypto/modes/ctr128.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ctr128.c,v 1.7 2017/08/13 17:46:24 bcook Exp $ */ +/* $OpenBSD: ctr128.c,v 1.9 2022/12/26 07:18:52 jmc Exp $ */ /* ==================================================================== * Copyright (c) 2008 The OpenSSL Project. All rights reserved. * @@ -50,7 +50,7 @@ */ #include -#include "modes_lcl.h" +#include "modes_local.h" #include #ifndef MODES_DEBUG @@ -109,7 +109,7 @@ ctr128_inc_aligned(unsigned char *counter) * This algorithm assumes that the counter is in the x lower bits * of the IV (ivec), and that the application has full control over * overflow and the rest of the IV. This implementation takes NO - * responsability for checking that the counter doesn't overflow + * responsibility for checking that the counter doesn't overflow * into the rest of the IV when incremented. */ void CRYPTO_ctr128_encrypt(const unsigned char *in, unsigned char *out, @@ -228,7 +228,7 @@ void CRYPTO_ctr128_encrypt_ctr32(const unsigned char *in, unsigned char *out, (*func)(in,out,blocks,key,ivec); /* (*ctr) does not update ivec, caller does: */ PUTU32(ivec+12,ctr32); - /* ... overflow was detected, propogate carry. */ + /* ... overflow was detected, propagate carry. */ if (ctr32 == 0) ctr96_inc(ivec); blocks *= 16; len -= blocks; diff --git a/crypto/modes/cts128.c b/crypto/modes/cts128.c deleted file mode 100644 index 802aa77..0000000 --- a/crypto/modes/cts128.c +++ /dev/null 
@@ -1,267 +0,0 @@ -/* $OpenBSD: cts128.c,v 1.5 2015/07/19 18:27:26 miod Exp $ */ -/* ==================================================================== - * Copyright (c) 2008 The OpenSSL Project. All rights reserved. - * - * Rights for redistribution and usage in source and binary - * forms are granted according to the OpenSSL license. - */ - -#include -#include "modes_lcl.h" -#include - -#ifndef MODES_DEBUG -# ifndef NDEBUG -# define NDEBUG -# endif -#endif - -/* - * Trouble with Ciphertext Stealing, CTS, mode is that there is no - * common official specification, but couple of cipher/application - * specific ones: RFC2040 and RFC3962. Then there is 'Proposal to - * Extend CBC Mode By "Ciphertext Stealing"' at NIST site, which - * deviates from mentioned RFCs. Most notably it allows input to be - * of block length and it doesn't flip the order of the last two - * blocks. CTS is being discussed even in ECB context, but it's not - * adopted for any known application. This implementation provides - * two interfaces: one compliant with above mentioned RFCs and one - * compliant with the NIST proposal, both extending CBC mode. - */ - -size_t CRYPTO_cts128_encrypt_block(const unsigned char *in, unsigned char *out, - size_t len, const void *key, - unsigned char ivec[16], block128_f block) -{ size_t residue, n; - - if (len <= 16) return 0; - - if ((residue=len%16) == 0) residue = 16; - - len -= residue; - - CRYPTO_cbc128_encrypt(in,out,len,key,ivec,block); - - in += len; - out += len; - - for (n=0; n -#include "modes_lcl.h" +#include "modes_local.h" #include #ifndef MODES_DEBUG diff --git a/crypto/modes/ghash-elf-x86_64.S b/crypto/modes/ghash-elf-x86_64.S index 5f31626..039cd49 100644 --- a/crypto/modes/ghash-elf-x86_64.S +++ b/crypto/modes/ghash-elf-x86_64.S @@ -659,6 +659,7 @@ gcm_ghash_4bit: .type gcm_init_clmul,@function .align 16 gcm_init_clmul: + endbr64 movdqu (%rsi),%xmm2 pshufd $78,%xmm2,%xmm2 
@@ -724,6 +725,7 @@ gcm_init_clmul: .type gcm_gmult_clmul,@function .align 16 gcm_gmult_clmul: + endbr64 movdqu (%rdi),%xmm0 movdqa .Lbswap_mask(%rip),%xmm5 movdqu (%rsi),%xmm2 @@ -774,6 +776,7 @@ gcm_gmult_clmul: .type gcm_ghash_clmul,@function .align 16 gcm_ghash_clmul: + endbr64 movdqa .Lbswap_mask(%rip),%xmm5 movdqu (%rdi),%xmm0 @@ -976,6 +979,7 @@ gcm_ghash_clmul: retq .LSEH_end_gcm_ghash_clmul: .size gcm_ghash_clmul,.-gcm_ghash_clmul +.section .rodata .align 64 .Lbswap_mask: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 @@ -1022,9 +1026,8 @@ gcm_ghash_clmul: .value 0xA7D0,0xA612,0xA454,0xA596,0xA0D8,0xA11A,0xA35C,0xA29E .value 0xB5E0,0xB422,0xB664,0xB7A6,0xB2E8,0xB32A,0xB16C,0xB0AE .value 0xBBF0,0xBA32,0xB874,0xB9B6,0xBCF8,0xBD3A,0xBF7C,0xBEBE - -.byte 71,72,65,83,72,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 64 +.text #if defined(HAVE_GNU_STACK) .section .note.GNU-stack,"",%progbits #endif diff --git a/crypto/modes/ghash-macosx-x86_64.S b/crypto/modes/ghash-macosx-x86_64.S index e6840a7..e557c8f 100644 --- a/crypto/modes/ghash-macosx-x86_64.S +++ b/crypto/modes/ghash-macosx-x86_64.S @@ -659,6 +659,7 @@ L$ghash_epilogue: .p2align 4 _gcm_init_clmul: + movdqu (%rsi),%xmm2 pshufd $78,%xmm2,%xmm2 @@ -724,6 +725,7 @@ _gcm_init_clmul: .p2align 4 _gcm_gmult_clmul: + movdqu (%rdi),%xmm0 movdqa L$bswap_mask(%rip),%xmm5 movdqu (%rsi),%xmm2 @@ -774,6 +776,7 @@ _gcm_gmult_clmul: .p2align 4 _gcm_ghash_clmul: + movdqa L$bswap_mask(%rip),%xmm5 movdqu (%rdi),%xmm0 @@ -976,6 +979,7 @@ L$done: retq L$SEH_end_gcm_ghash_clmul: +.section __DATA,__const .p2align 6 L$bswap_mask: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 
@@ -1022,6 +1026,5 @@ L$rem_8bit: .value 0xA7D0,0xA612,0xA454,0xA596,0xA0D8,0xA11A,0xA35C,0xA29E .value 0xB5E0,0xB422,0xB664,0xB7A6,0xB2E8,0xB32A,0xB16C,0xB0AE .value 0xBBF0,0xBA32,0xB874,0xB9B6,0xBCF8,0xBD3A,0xBF7C,0xBEBE - -.byte 71,72,65,83,72,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .p2align 6 +.text diff --git a/crypto/modes/ghash-masm-x86_64.S b/crypto/modes/ghash-masm-x86_64.S index 09ee8e0..d93a5fe 100644 --- a/crypto/modes/ghash-masm-x86_64.S +++ b/crypto/modes/ghash-masm-x86_64.S @@ -751,6 +751,7 @@ PUBLIC gcm_init_clmul ALIGN 16 gcm_init_clmul PROC PUBLIC + endbr64 movdqu xmm2,XMMWORD PTR[rdx] pshufd xmm2,xmm2,78 @@ -816,6 +817,7 @@ PUBLIC gcm_gmult_clmul ALIGN 16 gcm_gmult_clmul PROC PUBLIC + endbr64 movdqu xmm0,XMMWORD PTR[rcx] movdqa xmm5,XMMWORD PTR[$L$bswap_mask] movdqu xmm2,XMMWORD PTR[rdx] @@ -866,6 +868,7 @@ PUBLIC gcm_ghash_clmul ALIGN 16 gcm_ghash_clmul PROC PUBLIC + endbr64 $L$SEH_begin_gcm_ghash_clmul:: DB 048h,083h,0ech,058h @@ -1082,6 +1085,8 @@ DB 102,15,56,0,197 DB 0F3h,0C3h ;repret $L$SEH_end_gcm_ghash_clmul:: gcm_ghash_clmul ENDP +.text$ ENDS +.rdata SEGMENT READONLY ALIGN(8) ALIGN 64 $L$bswap_mask:: DB 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 @@ -1128,16 +1133,14 @@ $L$rem_8bit:: DW 0A7D0h,0A612h,0A454h,0A596h,0A0D8h,0A11Ah,0A35Ch,0A29Eh DW 0B5E0h,0B422h,0B664h,0B7A6h,0B2E8h,0B32Ah,0B16Ch,0B0AEh DW 0BBF0h,0BA32h,0B874h,0B9B6h,0BCF8h,0BD3Ah,0BF7Ch,0BEBEh - -DB 71,72,65,83,72,32,102,111,114,32,120,56,54,95,54,52 -DB 44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32 -DB 60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111 -DB 114,103,62,0 ALIGN 64 +.rdata ENDS +.text$ SEGMENT ALIGN(64) 'CODE' EXTERN __imp_RtlVirtualUnwind:NEAR ALIGN 16 se_handler PROC PRIVATE + endbr64 push rsi push rdi push rbx diff --git a/crypto/modes/ghash-mingw64-x86_64.S b/crypto/modes/ghash-mingw64-x86_64.S index cd0823b..be8a60a 100644 
--- a/crypto/modes/ghash-mingw64-x86_64.S +++ b/crypto/modes/ghash-mingw64-x86_64.S @@ -679,6 +679,7 @@ gcm_ghash_4bit: .def gcm_init_clmul; .scl 2; .type 32; .endef .p2align 4 gcm_init_clmul: + endbr64 movdqu (%rdx),%xmm2 pshufd $78,%xmm2,%xmm2 @@ -744,6 +745,7 @@ gcm_init_clmul: .def gcm_gmult_clmul; .scl 2; .type 32; .endef .p2align 4 gcm_gmult_clmul: + endbr64 movdqu (%rcx),%xmm0 movdqa .Lbswap_mask(%rip),%xmm5 movdqu (%rdx),%xmm2 @@ -794,6 +796,7 @@ gcm_gmult_clmul: .def gcm_ghash_clmul; .scl 2; .type 32; .endef .p2align 4 gcm_ghash_clmul: + endbr64 .LSEH_begin_gcm_ghash_clmul: .byte 0x48,0x83,0xec,0x58 @@ -1010,6 +1013,7 @@ gcm_ghash_clmul: retq .LSEH_end_gcm_ghash_clmul: +.section .rodata .p2align 6 .Lbswap_mask: .byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 @@ -1056,13 +1060,13 @@ gcm_ghash_clmul: .value 0xA7D0,0xA612,0xA454,0xA596,0xA0D8,0xA11A,0xA35C,0xA29E .value 0xB5E0,0xB422,0xB664,0xB7A6,0xB2E8,0xB32A,0xB16C,0xB0AE .value 0xBBF0,0xBA32,0xB874,0xB9B6,0xBCF8,0xBD3A,0xBF7C,0xBEBE - -.byte 71,72,65,83,72,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .p2align 6 +.text .def se_handler; .scl 3; .type 32; .endef .p2align 4 se_handler: + endbr64 pushq %rsi pushq %rdi pushq %rbx diff --git a/crypto/modes/modes_lcl.h b/crypto/modes/modes_local.h similarity index 97% rename from crypto/modes/modes_lcl.h rename to crypto/modes/modes_local.h index d0126e8..11efc5a 100644 --- a/crypto/modes/modes_lcl.h +++ b/crypto/modes/modes_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: modes_lcl.h,v 1.11 2021/11/09 18:40:21 bcook Exp $ */ +/* $OpenBSD: modes_local.h,v 1.1 2022/11/26 16:08:53 tb Exp $ */ /* ==================================================================== * Copyright (c) 2010 The OpenSSL Project. All rights reserved. * diff --git a/crypto/modes/ofb128.c b/crypto/modes/ofb128.c index 1b8a6fd..3cf5d98 100644 --- a/crypto/modes/ofb128.c 
+++ b/crypto/modes/ofb128.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ofb128.c,v 1.4 2015/02/10 09:46:30 miod Exp $ */ +/* $OpenBSD: ofb128.c,v 1.5 2022/11/26 16:08:53 tb Exp $ */ /* ==================================================================== * Copyright (c) 2008 The OpenSSL Project. All rights reserved. * @@ -50,7 +50,7 @@ */ #include -#include "modes_lcl.h" +#include "modes_local.h" #include #ifndef MODES_DEBUG diff --git a/crypto/modes/xts128.c b/crypto/modes/xts128.c index 2084892..7188122 100644 --- a/crypto/modes/xts128.c +++ b/crypto/modes/xts128.c @@ -1,4 +1,4 @@ -/* $OpenBSD: xts128.c,v 1.8 2021/11/09 18:40:21 bcook Exp $ */ +/* $OpenBSD: xts128.c,v 1.10 2023/05/07 14:38:04 tb Exp $ */ /* ==================================================================== * Copyright (c) 2011 The OpenSSL Project. All rights reserved. * @@ -49,7 +49,7 @@ */ #include -#include "modes_lcl.h" +#include "modes_local.h" #include #include 
@@ -120,9 +120,9 @@ int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16], } if (enc) { for (i=0;i - -#include "o_time.h" - -/* Take a tm structure and add an offset to it. This avoids any OS issues - * with restricted date types and overflows which cause the year 2038 - * problem. - */ - -#define SECS_PER_DAY (24 * 60 * 60) - -static long date_to_julian(int y, int m, int d); -static void julian_to_date(long jd, int *y, int *m, int *d); -static int julian_adj(const struct tm *tm, int off_day, long offset_sec, - long *pday, int *psec); - -int -OPENSSL_gmtime_adj(struct tm *tm, int off_day, long offset_sec) -{ - int offset_hms, offset_day; - long time_jd; - int time_year, time_month, time_day; - /* split offset into days and day seconds */ - offset_day = offset_sec / SECS_PER_DAY; - /* Avoid sign issues with % operator */ - offset_hms = offset_sec - (offset_day * SECS_PER_DAY); - offset_day += off_day; - /* Add current time seconds to offset */ - offset_hms += tm->tm_hour * 3600 + tm->tm_min * 60 + tm->tm_sec; - /* Adjust day seconds if overflow */ - if (offset_hms >= SECS_PER_DAY) { - offset_day++; - offset_hms -= SECS_PER_DAY; - } else if (offset_hms < 0) { - offset_day--; - offset_hms += SECS_PER_DAY; - } - - /* Convert date of time structure into a Julian day number. 
- */ - - time_year = tm->tm_year + 1900; - time_month = tm->tm_mon + 1; - time_day = tm->tm_mday; - - time_jd = date_to_julian(time_year, time_month, time_day); - - /* Work out Julian day of new date */ - time_jd += offset_day; - - if (time_jd < 0) - return 0; - - /* Convert Julian day back to date */ - - julian_to_date(time_jd, &time_year, &time_month, &time_day); - - if (time_year < 1900 || time_year > 9999) - return 0; - - /* Update tm structure */ - - tm->tm_year = time_year - 1900; - tm->tm_mon = time_month - 1; - tm->tm_mday = time_day; - - tm->tm_hour = offset_hms / 3600; - tm->tm_min = (offset_hms / 60) % 60; - tm->tm_sec = offset_hms % 60; - - return 1; - -} - -int -OPENSSL_gmtime_diff(int *pday, int *psec, const struct tm *from, - const struct tm *to) -{ - int from_sec, to_sec, diff_sec; - long from_jd, to_jd, diff_day; - - if (!julian_adj(from, 0, 0, &from_jd, &from_sec)) - return 0; - if (!julian_adj(to, 0, 0, &to_jd, &to_sec)) - return 0; - diff_day = to_jd - from_jd; - diff_sec = to_sec - from_sec; - /* Adjust differences so both positive or both negative */ - if (diff_day > 0 && diff_sec < 0) { - diff_day--; - diff_sec += SECS_PER_DAY; - } - if (diff_day < 0 && diff_sec > 0) { - diff_day++; - diff_sec -= SECS_PER_DAY; - } - - if (pday) - *pday = (int)diff_day; - if (psec) - *psec = diff_sec; - - return 1; - -} - -/* Convert tm structure and offset into julian day and seconds */ -static int -julian_adj(const struct tm *tm, int off_day, long offset_sec, long *pday, - int *psec) -{ - int time_year, time_month, time_day; - long offset_day, time_jd; - int offset_hms; - - /* split offset into days and day seconds */ - offset_day = offset_sec / SECS_PER_DAY; - /* Avoid sign issues with % operator */ - offset_hms = offset_sec - (offset_day * SECS_PER_DAY); - offset_day += off_day; - /* Add current time seconds to offset */ - offset_hms += tm->tm_hour * 3600 + tm->tm_min * 60 + tm->tm_sec; - /* Adjust day seconds if overflow */ - if (offset_hms >= 
SECS_PER_DAY) { - offset_day++; - offset_hms -= SECS_PER_DAY; - } else if (offset_hms < 0) { - offset_day--; - offset_hms += SECS_PER_DAY; - } - - /* - * Convert date of time structure into a Julian day number. - */ - - time_year = tm->tm_year + 1900; - time_month = tm->tm_mon + 1; - time_day = tm->tm_mday; - - time_jd = date_to_julian(time_year, time_month, time_day); - - /* Work out Julian day of new date */ - time_jd += offset_day; - - if (time_jd < 0) - return 0; - - *pday = time_jd; - *psec = offset_hms; - - return 1; -} - -/* Convert date to and from julian day - * Uses Fliegel & Van Flandern algorithm - */ -static long -date_to_julian(int y, int m, int d) -{ - return (1461 * (y + 4800 + (m - 14) / 12)) / 4 + - (367 * (m - 2 - 12 * ((m - 14) / 12))) / 12 - - (3 * ((y + 4900 + (m - 14) / 12) / 100)) / 4 + - d - 32075; -} - -static void -julian_to_date(long jd, int *y, int *m, int *d) -{ - long L = jd + 68569; - long n = (4 * L) / 146097; - long i, j; - - L = L - (146097 * n + 3) / 4; - i = (4000 * (L + 1)) / 1461001; - L = L - (1461 * i) / 4 + 31; - j = (80 * L) / 2447; - *d = L - (2447 * j) / 80; - L = j / 11; - *m = j + 2 - (12 * L); - *y = 100 * (n - 49) + i + L; -} diff --git a/crypto/objects/o_names.c b/crypto/objects/o_names.c index a9e5f85..2cdd2f3 100644 --- a/crypto/objects/o_names.c +++ b/crypto/objects/o_names.c @@ -1,4 +1,4 @@ -/* $OpenBSD: o_names.c,v 1.22 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: o_names.c,v 1.23 2022/11/08 23:19:09 mbuhl Exp $ */ #include #include #include @@ -197,6 +197,7 @@ OBJ_NAME_add(const char *name, int type, const char *data) free(ret); } else { if (lh_OBJ_NAME_error(names_lh)) { + free(onp); /* ERROR */ return (0); } diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c index bcb7ee2..7516a6d 100644 --- a/crypto/objects/obj_dat.c +++ b/crypto/objects/obj_dat.c 
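Review bot: The new `free(onp);` on the `lh_OBJ_NAME_error(names_lh)` path in OBJ_NAME_add stops the leak but still leaves the failure silent: the function returns 0 with only the `/* ERROR */` comment and nothing is pushed onto the error stack, so a caller cannot tell an allocation failure inside the hash table from any other 0 return. I would replace the bare comment with a why-comment, `/* insert failed, so onp was never stored: it is still ours to free */`, and, if the file follows the library's usual convention, report the failure with OBJerror(ERR_R_MALLOC_FAILURE) before returning. OBJ_NAME_add starts and ends outside this hunk, so I cannot see whether `onp` owns anything beyond itself; that should be checked against the allocation above before treating the single free as complete.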
@@ -1,4 +1,4 @@ -/* $OpenBSD: obj_dat.c,v 1.49 2022/03/19 17:49:32 jsing Exp $ */ +/* $OpenBSD: obj_dat.c,v 1.53 2023/05/23 11:51:12 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -69,7 +69,7 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" /* obj_dat.h is generated from objects.h by obj_dat.pl */ #include "obj_dat.h" @@ -251,7 +251,7 @@ static IMPLEMENT_LHASH_DOALL_FN(cleanup2, ADDED_OBJ) static IMPLEMENT_LHASH_DOALL_FN(cleanup3, ADDED_OBJ) /* The purpose of obj_cleanup_defer is to avoid EVP_cleanup() attempting - * to use freed up OIDs. If neccessary the actual freeing up of OIDs is + * to use freed up OIDs. If necessary the actual freeing up of OIDs is * delayed. */ @@ -320,7 +320,7 @@ OBJ_add_object(const ASN1_OBJECT *obj) ao[i]->type = i; ao[i]->obj = o; aop = lh_ADDED_OBJ_insert(added, ao[i]); - /* memory leak, buit should not normally matter */ + /* memory leak, but should not normally matter */ free(aop); } } @@ -499,9 +499,6 @@ OBJ_txt2obj(const char *s, int no_name) int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *aobj, int no_name) { - if (aobj == NULL || aobj->data == NULL) - return 0; - return i2t_ASN1_OBJECT_internal(aobj, buf, buf_len, no_name); } diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index 4bfb480..578725a 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 1022 -#define NUM_SN 1015 -#define NUM_LN 1015 -#define NUM_OBJ 945 +#define NUM_NID 1053 +#define NUM_SN 1046 +#define NUM_LN 1046 +#define NUM_OBJ 975 -static const unsigned char lvalues[6677]={ +static const unsigned char lvalues[6949]={ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ 
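Review bot: Removing the `aobj == NULL || aobj->data == NULL` guard from OBJ_obj2txt makes the function's NULL handling depend entirely on i2t_ASN1_OBJECT_internal, which is not part of this diff; if that helper touches `aobj` before checking it, a caller passing a NULL or empty object now dereferences NULL where it previously got 0. Please confirm the helper covers both cases and record the contract at the call, e.g. `/* NULL/empty aobj is handled by i2t_ASN1_OBJECT_internal(); see its return contract */`, adjusting the wording to what the helper actually guarantees. Since this is a public entry point that takes attacker-influenced objects from parsed certificates, a one-line test with a NULL and a zero-length object would pin the behaviour the commit relies on.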
@@ -1007,6 +1007,36 @@ static const unsigned char lvalues[6677]={ 0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x03,/* [6646] OBJ_ct_precert_poison */ 0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x04,/* [6656] OBJ_ct_precert_signer */ 0x2B,0x06,0x01,0x04,0x01,0xD6,0x79,0x02,0x04,0x05,/* [6666] OBJ_ct_cert_scts */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x02,0x2F,/* [6676] OBJ_id_smime_aa_signingCertificateV2 */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x09,0x10,0x01,0x32,/* [6687] OBJ_id_ct_signedTAL */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x0F,/* [6698] OBJ_sha512_224WithRSAEncryption */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x10,/* [6707] OBJ_sha512_256WithRSAEncryption */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0C, /* [6716] OBJ_hmacWithSHA512_224 */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [6724] OBJ_hmacWithSHA512_256 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x05,/* [6732] OBJ_sha512_224 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x06,/* [6741] OBJ_sha512_256 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x07,/* [6750] OBJ_sha3_224 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x08,/* [6759] OBJ_sha3_256 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x09,/* [6768] OBJ_sha3_384 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x0A,/* [6777] OBJ_sha3_512 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x0D,/* [6786] OBJ_hmac_sha3_224 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x0E,/* [6795] OBJ_hmac_sha3_256 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x0F,/* [6804] OBJ_hmac_sha3_384 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x02,0x10,/* [6813] OBJ_hmac_sha3_512 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x03,/* [6822] OBJ_dsa_with_SHA384 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x04,/* [6831] OBJ_dsa_with_SHA512 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x05,/* [6840] OBJ_dsa_with_SHA3_224 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x06,/* [6849] OBJ_dsa_with_SHA3_256 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x07,/* [6858] OBJ_dsa_with_SHA3_384 */ 
+0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x08,/* [6867] OBJ_dsa_with_SHA3_512 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x09,/* [6876] OBJ_ecdsa_with_SHA3_224 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x0A,/* [6885] OBJ_ecdsa_with_SHA3_256 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x0B,/* [6894] OBJ_ecdsa_with_SHA3_384 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x0C,/* [6903] OBJ_ecdsa_with_SHA3_512 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x0D,/* [6912] OBJ_RSA_SHA3_224 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x0E,/* [6921] OBJ_RSA_SHA3_256 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x0F,/* [6930] OBJ_RSA_SHA3_384 */ +0x60,0x86,0x48,0x01,0x65,0x03,0x04,0x03,0x10,/* [6939] OBJ_RSA_SHA3_512 */ }; static const ASN1_OBJECT nid_objs[NUM_NID]={ @@ -2258,9 +2288,9 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ &(lvalues[5321]),0}, {"hmacWithSHA512","hmacWithSHA512",NID_hmacWithSHA512,8, &(lvalues[5329]),0}, -{"dsa_with_SHA224","dsa_with_SHA224",NID_dsa_with_SHA224,9, +{"id-dsa-with-sha224","dsa_with_SHA224",NID_dsa_with_SHA224,9, &(lvalues[5337]),0}, -{"dsa_with_SHA256","dsa_with_SHA256",NID_dsa_with_SHA256,9, +{"id-dsa-with-sha256","dsa_with_SHA256",NID_dsa_with_SHA256,9, &(lvalues[5346]),0}, {"whirlpool","whirlpool",NID_whirlpool,6,&(lvalues[5355]),0}, {"cryptopro","cryptopro",NID_cryptopro,5,&(lvalues[5361]),0}, 
@@ -2669,6 +2699,62 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ 10,&(lvalues[6656]),0}, {"ct_cert_scts","CT Certificate SCTs",NID_ct_cert_scts,10, &(lvalues[6666]),0}, +{"HKDF","hkdf",NID_hkdf,0,NULL,0}, +{"id-smime-aa-signingCertificateV2", + "id-smime-aa-signingCertificateV2", + NID_id_smime_aa_signingCertificateV2,11,&(lvalues[6676]),0}, +{"id-ct-signedTAL","id-ct-signedTAL",NID_id_ct_signedTAL,11, + &(lvalues[6687]),0}, +{"RSA-SHA512/224","sha512-224WithRSAEncryption", + NID_sha512_224WithRSAEncryption,9,&(lvalues[6698]),0}, +{"RSA-SHA512/256","sha512-256WithRSAEncryption", + NID_sha512_256WithRSAEncryption,9,&(lvalues[6707]),0}, +{"hmacWithSHA512-224","hmacWithSHA512-224",NID_hmacWithSHA512_224,8, + &(lvalues[6716]),0}, +{"hmacWithSHA512-256","hmacWithSHA512-256",NID_hmacWithSHA512_256,8, + &(lvalues[6724]),0}, +{"SHA512-224","sha512-224",NID_sha512_224,9,&(lvalues[6732]),0}, +{"SHA512-256","sha512-256",NID_sha512_256,9,&(lvalues[6741]),0}, +{"SHA3-224","sha3-224",NID_sha3_224,9,&(lvalues[6750]),0}, +{"SHA3-256","sha3-256",NID_sha3_256,9,&(lvalues[6759]),0}, +{"SHA3-384","sha3-384",NID_sha3_384,9,&(lvalues[6768]),0}, +{"SHA3-512","sha3-512",NID_sha3_512,9,&(lvalues[6777]),0}, +{"id-hmacWithSHA3-224","hmac-sha3-224",NID_hmac_sha3_224,9, + &(lvalues[6786]),0}, +{"id-hmacWithSHA3-256","hmac-sha3-256",NID_hmac_sha3_256,9, + &(lvalues[6795]),0}, +{"id-hmacWithSHA3-384","hmac-sha3-384",NID_hmac_sha3_384,9, + &(lvalues[6804]),0}, +{"id-hmacWithSHA3-512","hmac-sha3-512",NID_hmac_sha3_512,9, + &(lvalues[6813]),0}, +{"id-dsa-with-sha384","dsa_with_SHA384",NID_dsa_with_SHA384,9, + &(lvalues[6822]),0}, +{"id-dsa-with-sha512","dsa_with_SHA512",NID_dsa_with_SHA512,9, + &(lvalues[6831]),0}, +{"id-dsa-with-sha3-224","dsa_with_SHA3-224",NID_dsa_with_SHA3_224,9, + &(lvalues[6840]),0}, +{"id-dsa-with-sha3-256","dsa_with_SHA3-256",NID_dsa_with_SHA3_256,9, + &(lvalues[6849]),0}, +{"id-dsa-with-sha3-384","dsa_with_SHA3-384",NID_dsa_with_SHA3_384,9, + &(lvalues[6858]),0}, 
+{"id-dsa-with-sha3-512","dsa_with_SHA3-512",NID_dsa_with_SHA3_512,9, + &(lvalues[6867]),0}, +{"id-ecdsa-with-sha3-224","ecdsa_with_SHA3-224", + NID_ecdsa_with_SHA3_224,9,&(lvalues[6876]),0}, +{"id-ecdsa-with-sha3-256","ecdsa_with_SHA3-256", + NID_ecdsa_with_SHA3_256,9,&(lvalues[6885]),0}, +{"id-ecdsa-with-sha3-384","ecdsa_with_SHA3-384", + NID_ecdsa_with_SHA3_384,9,&(lvalues[6894]),0}, +{"id-ecdsa-with-sha3-512","ecdsa_with_SHA3-512", + NID_ecdsa_with_SHA3_512,9,&(lvalues[6903]),0}, +{"id-rsassa-pkcs1-v1_5-with-sha3-224","RSA-SHA3-224",NID_RSA_SHA3_224, + 9,&(lvalues[6912]),0}, +{"id-rsassa-pkcs1-v1_5-with-sha3-256","RSA-SHA3-256",NID_RSA_SHA3_256, + 9,&(lvalues[6921]),0}, +{"id-rsassa-pkcs1-v1_5-with-sha3-384","RSA-SHA3-384",NID_RSA_SHA3_384, + 9,&(lvalues[6930]),0}, +{"id-rsassa-pkcs1-v1_5-with-sha3-512","RSA-SHA3-512",NID_RSA_SHA3_512, + 9,&(lvalues[6939]),0}, }; static const unsigned int sn_objs[NUM_SN]={ @@ -2769,6 +2855,7 @@ static const unsigned int sn_objs[NUM_SN]={ 955, /* "Ed448ph" */ 936, /* "FRP256v1" */ 99, /* "GN" */ +1022, /* "HKDF" */ 855, /* "HMAC" */ 780, /* "HMAC-MD5" */ 781, /* "HMAC-SHA1" */ @@ -2853,6 +2940,8 @@ static const unsigned int sn_objs[NUM_SN]={ 668, /* "RSA-SHA256" */ 669, /* "RSA-SHA384" */ 670, /* "RSA-SHA512" */ +1025, /* "RSA-SHA512/224" */ +1026, /* "RSA-SHA512/256" */ 969, /* "RSA-SM3" */ 919, /* "RSAES-OAEP" */ 912, /* "RSASSA-PSS" */ @@ -2864,8 +2953,14 @@ static const unsigned int sn_objs[NUM_SN]={ 64, /* "SHA1" */ 675, /* "SHA224" */ 672, /* "SHA256" */ +1031, /* "SHA3-224" */ +1032, /* "SHA3-256" */ +1033, /* "SHA3-384" */ +1034, /* "SHA3-512" */ 673, /* "SHA384" */ 674, /* "SHA512" */ +1029, /* "SHA512-224" */ +1030, /* "SHA512-256" */ 968, /* "SM3" */ 974, /* "SM4-CBC" */ 976, /* "SM4-CFB" */ 
@@ -3011,8 +3106,6 @@ static const unsigned int sn_objs[NUM_SN]={ 470, /* "documentVersion" */ 392, /* "domain" */ 452, /* "domainRelatedObject" */ -802, /* "dsa_with_SHA224" */ -803, /* "dsa_with_SHA256" */ 791, /* "ecdsa-with-Recommended" */ 416, /* "ecdsa-with-SHA1" */ 793, /* "ecdsa-with-SHA224" */ @@ -3051,6 +3144,8 @@ static const unsigned int sn_objs[NUM_SN]={ 799, /* "hmacWithSHA256" */ 800, /* "hmacWithSHA384" */ 801, /* "hmacWithSHA512" */ +1027, /* "hmacWithSHA512-224" */ +1028, /* "hmacWithSHA512-256" */ 432, /* "holdInstructionCallIssuer" */ 430, /* "holdInstructionCode" */ 431, /* "holdInstructionNone" */ @@ -3166,9 +3261,26 @@ static const unsigned int sn_objs[NUM_SN]={ 1003, /* "id-ct-rpkiGhostbusters" */ 1002, /* "id-ct-rpkiManifest" */ 1014, /* "id-ct-signedChecklist" */ +1024, /* "id-ct-signedTAL" */ +802, /* "id-dsa-with-sha224" */ +803, /* "id-dsa-with-sha256" */ +1041, /* "id-dsa-with-sha3-224" */ +1042, /* "id-dsa-with-sha3-256" */ +1043, /* "id-dsa-with-sha3-384" */ +1044, /* "id-dsa-with-sha3-512" */ +1039, /* "id-dsa-with-sha384" */ +1040, /* "id-dsa-with-sha512" */ 408, /* "id-ecPublicKey" */ +1045, /* "id-ecdsa-with-sha3-224" */ +1046, /* "id-ecdsa-with-sha3-256" */ +1047, /* "id-ecdsa-with-sha3-384" */ +1048, /* "id-ecdsa-with-sha3-512" */ 508, /* "id-hex-multipart-message" */ 507, /* "id-hex-partial-message" */ +1035, /* "id-hmacWithSHA3-224" */ +1036, /* "id-hmacWithSHA3-256" */ +1037, /* "id-hmacWithSHA3-384" */ +1038, /* "id-hmacWithSHA3-512" */ 260, /* "id-it" */ 302, /* "id-it-caKeyUpdateInfo" */ 298, /* "id-it-caProtEncCert" */ 
@@ -3235,6 +3347,10 @@ static const unsigned int sn_objs[NUM_SN]={ 314, /* "id-regInfo" */ 322, /* "id-regInfo-certReq" */ 321, /* "id-regInfo-utf8Pairs" */ +1049, /* "id-rsassa-pkcs1-v1_5-with-sha3-224" */ +1050, /* "id-rsassa-pkcs1-v1_5-with-sha3-256" */ +1051, /* "id-rsassa-pkcs1-v1_5-with-sha3-384" */ +1052, /* "id-rsassa-pkcs1-v1_5-with-sha3-512" */ 512, /* "id-set" */ 191, /* "id-smime-aa" */ 215, /* "id-smime-aa-contentHint" */ @@ -3264,6 +3380,7 @@ static const unsigned int sn_objs[NUM_SN]={ 213, /* "id-smime-aa-securityLabel" */ 239, /* "id-smime-aa-signatureType" */ 223, /* "id-smime-aa-signingCertificate" */ +1023, /* "id-smime-aa-signingCertificateV2" */ 224, /* "id-smime-aa-smimeEncryptCerts" */ 225, /* "id-smime-aa-timeStampToken" */ 192, /* "id-smime-alg" */ @@ -3815,6 +3932,10 @@ static const unsigned int ln_objs[NUM_LN]={ 1012, /* "RPKI Notify" */ 1, /* "RSA Data Security, Inc." */ 2, /* "RSA Data Security, Inc. PKCS" */ +1049, /* "RSA-SHA3-224" */ +1050, /* "RSA-SHA3-256" */ +1051, /* "RSA-SHA3-384" */ +1052, /* "RSA-SHA3-512" */ 188, /* "S/MIME" */ 167, /* "S/MIME Capabilities" */ 387, /* "SNMPv2" */ @@ -4055,6 +4176,12 @@ static const unsigned int ln_objs[NUM_LN]={ 70, /* "dsaWithSHA1-old" */ 802, /* "dsa_with_SHA224" */ 803, /* "dsa_with_SHA256" */ +1041, /* "dsa_with_SHA3-224" */ +1042, /* "dsa_with_SHA3-256" */ +1043, /* "dsa_with_SHA3-384" */ +1044, /* "dsa_with_SHA3-512" */ +1039, /* "dsa_with_SHA384" */ +1040, /* "dsa_with_SHA512" */ 297, /* "dvcs" */ 791, /* "ecdsa-with-Recommended" */ 416, /* "ecdsa-with-SHA1" */ @@ -4063,6 +4190,10 @@ static const unsigned int ln_objs[NUM_LN]={ 795, /* "ecdsa-with-SHA384" */ 796, /* "ecdsa-with-SHA512" */ 792, /* "ecdsa-with-Specified" */ +1045, /* "ecdsa_with_SHA3-224" */ +1046, /* "ecdsa_with_SHA3-256" */ +1047, /* "ecdsa_with_SHA3-384" */ +1048, /* "ecdsa_with_SHA3-512" */ 48, /* "emailAddress" */ 632, /* "encrypted track 2" */ 885, /* "enhancedSearchGuide" */ 
@@ -4079,15 +4210,22 @@ static const unsigned int ln_objs[NUM_LN]={ 939, /* "gost89-cbc" */ 814, /* "gost89-cnt" */ 938, /* "gost89-ecb" */ +1022, /* "hkdf" */ 855, /* "hmac" */ 780, /* "hmac-md5" */ 781, /* "hmac-sha1" */ +1035, /* "hmac-sha3-224" */ +1036, /* "hmac-sha3-256" */ +1037, /* "hmac-sha3-384" */ +1038, /* "hmac-sha3-512" */ 797, /* "hmacWithMD5" */ 163, /* "hmacWithSHA1" */ 798, /* "hmacWithSHA224" */ 799, /* "hmacWithSHA256" */ 800, /* "hmacWithSHA384" */ 801, /* "hmacWithSHA512" */ +1027, /* "hmacWithSHA512-224" */ +1028, /* "hmacWithSHA512-256" */ 486, /* "homePostalAddress" */ 473, /* "homeTelephoneNumber" */ 466, /* "host" */ @@ -4183,6 +4321,7 @@ static const unsigned int ln_objs[NUM_LN]={ 1003, /* "id-ct-rpkiGhostbusters" */ 1002, /* "id-ct-rpkiManifest" */ 1014, /* "id-ct-signedChecklist" */ +1024, /* "id-ct-signedTAL" */ 408, /* "id-ecPublicKey" */ 508, /* "id-hex-multipart-message" */ 507, /* "id-hex-partial-message" */ @@ -4273,6 +4412,7 @@ static const unsigned int ln_objs[NUM_LN]={ 213, /* "id-smime-aa-securityLabel" */ 239, /* "id-smime-aa-signatureType" */ 223, /* "id-smime-aa-signingCertificate" */ +1023, /* "id-smime-aa-signingCertificateV2" */ 224, /* "id-smime-aa-smimeEncryptCerts" */ 225, /* "id-smime-aa-timeStampToken" */ 192, /* "id-smime-alg" */ @@ -4642,9 +4782,17 @@ static const unsigned int ln_objs[NUM_LN]={ 671, /* "sha224WithRSAEncryption" */ 672, /* "sha256" */ 668, /* "sha256WithRSAEncryption" */ +1031, /* "sha3-224" */ +1032, /* "sha3-256" */ +1033, /* "sha3-384" */ +1034, /* "sha3-512" */ 673, /* "sha384" */ 669, /* "sha384WithRSAEncryption" */ 674, /* "sha512" */ +1029, /* "sha512-224" */ +1025, /* "sha512-224WithRSAEncryption" */ +1030, /* "sha512-256" */ +1026, /* "sha512-256WithRSAEncryption" */ 670, /* "sha512WithRSAEncryption" */ 42, /* "shaWithRSAEncryption" */ 52, /* "signingTime" */ 
@@ -5172,6 +5320,8 @@ static const unsigned int obj_objs[NUM_OBJ]={ 799, /* OBJ_hmacWithSHA256 1 2 840 113549 2 9 */ 800, /* OBJ_hmacWithSHA384 1 2 840 113549 2 10 */ 801, /* OBJ_hmacWithSHA512 1 2 840 113549 2 11 */ +1027, /* OBJ_hmacWithSHA512_224 1 2 840 113549 2 12 */ +1028, /* OBJ_hmacWithSHA512_256 1 2 840 113549 2 13 */ 37, /* OBJ_rc2_cbc 1 2 840 113549 3 2 */ 5, /* OBJ_rc4 1 2 840 113549 3 4 */ 44, /* OBJ_des_ede3_cbc 1 2 840 113549 3 7 */ @@ -5361,6 +5511,8 @@ static const unsigned int obj_objs[NUM_OBJ]={ 669, /* OBJ_sha384WithRSAEncryption 1 2 840 113549 1 1 12 */ 670, /* OBJ_sha512WithRSAEncryption 1 2 840 113549 1 1 13 */ 671, /* OBJ_sha224WithRSAEncryption 1 2 840 113549 1 1 14 */ +1025, /* OBJ_sha512_224WithRSAEncryption 1 2 840 113549 1 1 15 */ +1026, /* OBJ_sha512_256WithRSAEncryption 1 2 840 113549 1 1 16 */ 28, /* OBJ_dhKeyAgreement 1 2 840 113549 1 3 1 */ 9, /* OBJ_pbeWithMD2AndDES_CBC 1 2 840 113549 1 5 1 */ 10, /* OBJ_pbeWithMD5AndDES_CBC 1 2 840 113549 1 5 3 */ 
@@ -5461,8 +5613,32 @@ static const unsigned int obj_objs[NUM_OBJ]={ 673, /* OBJ_sha384 2 16 840 1 101 3 4 2 2 */ 674, /* OBJ_sha512 2 16 840 1 101 3 4 2 3 */ 675, /* OBJ_sha224 2 16 840 1 101 3 4 2 4 */ +1029, /* OBJ_sha512_224 2 16 840 1 101 3 4 2 5 */ +1030, /* OBJ_sha512_256 2 16 840 1 101 3 4 2 6 */ +1031, /* OBJ_sha3_224 2 16 840 1 101 3 4 2 7 */ +1032, /* OBJ_sha3_256 2 16 840 1 101 3 4 2 8 */ +1033, /* OBJ_sha3_384 2 16 840 1 101 3 4 2 9 */ +1034, /* OBJ_sha3_512 2 16 840 1 101 3 4 2 10 */ +1035, /* OBJ_hmac_sha3_224 2 16 840 1 101 3 4 2 13 */ +1036, /* OBJ_hmac_sha3_256 2 16 840 1 101 3 4 2 14 */ +1037, /* OBJ_hmac_sha3_384 2 16 840 1 101 3 4 2 15 */ +1038, /* OBJ_hmac_sha3_512 2 16 840 1 101 3 4 2 16 */ 802, /* OBJ_dsa_with_SHA224 2 16 840 1 101 3 4 3 1 */ 803, /* OBJ_dsa_with_SHA256 2 16 840 1 101 3 4 3 2 */ +1039, /* OBJ_dsa_with_SHA384 2 16 840 1 101 3 4 3 3 */ +1040, /* OBJ_dsa_with_SHA512 2 16 840 1 101 3 4 3 4 */ +1041, /* OBJ_dsa_with_SHA3_224 2 16 840 1 101 3 4 3 5 */ +1042, /* OBJ_dsa_with_SHA3_256 2 16 840 1 101 3 4 3 6 */ +1043, /* OBJ_dsa_with_SHA3_384 2 16 840 1 101 3 4 3 7 */ +1044, /* OBJ_dsa_with_SHA3_512 2 16 840 1 101 3 4 3 8 */ +1045, /* OBJ_ecdsa_with_SHA3_224 2 16 840 1 101 3 4 3 9 */ +1046, /* OBJ_ecdsa_with_SHA3_256 2 16 840 1 101 3 4 3 10 */ +1047, /* OBJ_ecdsa_with_SHA3_384 2 16 840 1 101 3 4 3 11 */ +1048, /* OBJ_ecdsa_with_SHA3_512 2 16 840 1 101 3 4 3 12 */ +1049, /* OBJ_RSA_SHA3_224 2 16 840 1 101 3 4 3 13 */ +1050, /* OBJ_RSA_SHA3_256 2 16 840 1 101 3 4 3 14 */ +1051, /* OBJ_RSA_SHA3_384 2 16 840 1 101 3 4 3 15 */ +1052, /* OBJ_RSA_SHA3_512 2 16 840 1 101 3 4 3 16 */ 71, /* OBJ_netscape_cert_type 2 16 840 1 113730 1 1 */ 72, /* OBJ_netscape_base_url 2 16 840 1 113730 1 2 */ 73, /* OBJ_netscape_revocation_url 2 16 840 1 113730 1 3 */ 
@@ -5596,6 +5772,7 @@ static const unsigned int obj_objs[NUM_OBJ]={ 1013, /* OBJ_id_ct_geofeedCSVwithCRLF 1 2 840 113549 1 9 16 1 47 */ 1014, /* OBJ_id_ct_signedChecklist 1 2 840 113549 1 9 16 1 48 */ 1017, /* OBJ_id_ct_ASPA 1 2 840 113549 1 9 16 1 49 */ +1024, /* OBJ_id_ct_signedTAL 1 2 840 113549 1 9 16 1 50 */ 212, /* OBJ_id_smime_aa_receiptRequest 1 2 840 113549 1 9 16 2 1 */ 213, /* OBJ_id_smime_aa_securityLabel 1 2 840 113549 1 9 16 2 2 */ 214, /* OBJ_id_smime_aa_mlExpandHistory 1 2 840 113549 1 9 16 2 3 */ @@ -5625,6 +5802,7 @@ static const unsigned int obj_objs[NUM_OBJ]={ 238, /* OBJ_id_smime_aa_ets_archiveTimeStamp 1 2 840 113549 1 9 16 2 27 */ 239, /* OBJ_id_smime_aa_signatureType 1 2 840 113549 1 9 16 2 28 */ 240, /* OBJ_id_smime_aa_dvcs_dvc 1 2 840 113549 1 9 16 2 29 */ +1023, /* OBJ_id_smime_aa_signingCertificateV2 1 2 840 113549 1 9 16 2 47 */ 241, /* OBJ_id_smime_alg_ESDHwith3DES 1 2 840 113549 1 9 16 3 1 */ 242, /* OBJ_id_smime_alg_ESDHwithRC2 1 2 840 113549 1 9 16 3 2 */ 243, /* OBJ_id_smime_alg_3DESwrap 1 2 840 113549 1 9 16 3 3 */ diff --git a/crypto/objects/obj_err.c b/crypto/objects/obj_err.c index e141319..50e2a0e 100644 --- a/crypto/objects/obj_err.c +++ b/crypto/objects/obj_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: obj_err.c,v 1.12 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: obj_err.c,v 1.13 2022/07/12 14:42:49 kn Exp $ */ /* ==================================================================== * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. * @@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_OBJ,func,0) diff --git a/crypto/objects/obj_lib.c b/crypto/objects/obj_lib.c index 39cd412..eb06adf 100644 
--- a/crypto/objects/obj_lib.c +++ b/crypto/objects/obj_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: obj_lib.c,v 1.16 2022/01/07 11:13:54 tb Exp $ */ +/* $OpenBSD: obj_lib.c,v 1.17 2022/11/26 16:08:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -64,7 +64,7 @@ #include #include -#include "asn1_locl.h" +#include "asn1_local.h" ASN1_OBJECT * OBJ_dup(const ASN1_OBJECT *o) diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c index bcc484c..7747020 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_cl.c,v 1.21 2022/01/07 09:45:52 tb Exp $ */ +/* $OpenBSD: ocsp_cl.c,v 1.22 2022/12/26 07:18:52 jmc Exp $ */ /* Written by Tom Titchener for the OpenSSL * project. */ @@ -215,7 +215,7 @@ OCSP_response_get1_basic(OCSP_RESPONSE *resp) return ASN1_item_unpack(rb->response, &OCSP_BASICRESP_it); } -/* Return number of OCSP_SINGLERESP reponses present in +/* Return number of OCSP_SINGLERESP responses present in * a basic response. */ int diff --git a/crypto/ocsp/ocsp_err.c b/crypto/ocsp/ocsp_err.c index 9e3237f..7cf5b7e 100644 --- a/crypto/ocsp/ocsp_err.c +++ b/crypto/ocsp/ocsp_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_err.c,v 1.8 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ocsp_err.c,v 1.9 2022/07/12 14:42:49 kn Exp $ */ /* ==================================================================== * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. * @@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_OCSP,func,0) diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c index 1400ad7..9605d85 100644 --- a/crypto/ocsp/ocsp_ext.c +++ b/crypto/ocsp/ocsp_ext.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_ext.c,v 1.20 2022/01/07 09:45:52 tb Exp $ */ +/* $OpenBSD: ocsp_ext.c,v 1.22 2022/12/26 07:18:52 jmc Exp $ */ /* Written by Tom Titchener for the OpenSSL * project. */ @@ -71,7 +71,7 @@ #include #include "ocsp_local.h" -#include "x509_lcl.h" +#include "x509_local.h" /* Standard wrapper functions for extensions */ @@ -321,7 +321,7 @@ OCSP_SINGLERESP_add_ext(OCSP_SINGLERESP *x, X509_EXTENSION *ex, int loc) /* Nonce handling functions */ -/* Add a nonce to an extension stack. A nonce can be specificed or if NULL +/* Add a nonce to an extension stack. A nonce can be specified or if NULL * a random nonce will be generated. * Note: OpenSSL 0.9.7d and later create an OCTET STRING containing the * nonce, previous versions used the raw nonce. diff --git a/crypto/ocsp/ocsp_vfy.c b/crypto/ocsp/ocsp_vfy.c index 0da402f..3c12318 100644 --- a/crypto/ocsp/ocsp_vfy.c +++ b/crypto/ocsp/ocsp_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_vfy.c,v 1.21 2022/01/22 00:33:02 inoguchi Exp $ */ +/* $OpenBSD: ocsp_vfy.c,v 1.22 2022/11/26 16:08:53 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -61,7 +61,7 @@ #include #include "ocsp_local.h" -#include "x509_lcl.h" +#include "x509_local.h" static int ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags); diff --git a/crypto/pem/pem_all.c b/crypto/pem/pem_all.c index f5211f2..9fa5184 100644 --- a/crypto/pem/pem_all.c +++ b/crypto/pem/pem_all.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pem_all.c,v 1.17 2016/09/04 16:10:38 jsing Exp $ */ +/* $OpenBSD: pem_all.c,v 1.20 2023/04/25 17:51:36 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -239,34 +239,6 @@ PEM_write_bio_PKCS7(BIO *bp, PKCS7 *x) x, NULL, NULL, 0, NULL, NULL); } -int -PEM_write_NETSCAPE_CERT_SEQUENCE(FILE *fp, NETSCAPE_CERT_SEQUENCE *x) -{ - return PEM_ASN1_write((i2d_of_void *)i2d_NETSCAPE_CERT_SEQUENCE, PEM_STRING_X509, fp, - x, NULL, NULL, 0, NULL, NULL); -} - -NETSCAPE_CERT_SEQUENCE * -PEM_read_NETSCAPE_CERT_SEQUENCE(FILE *fp, NETSCAPE_CERT_SEQUENCE **x, pem_password_cb *cb, void *u) -{ - return PEM_ASN1_read((d2i_of_void *)d2i_NETSCAPE_CERT_SEQUENCE, PEM_STRING_X509, fp, - (void **)x, cb, u); -} - -NETSCAPE_CERT_SEQUENCE * -PEM_read_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp, NETSCAPE_CERT_SEQUENCE **x, pem_password_cb *cb, void *u) -{ - return PEM_ASN1_read_bio((d2i_of_void *)d2i_NETSCAPE_CERT_SEQUENCE, PEM_STRING_X509, bp, - (void **)x, cb, u); -} - -int -PEM_write_bio_NETSCAPE_CERT_SEQUENCE(BIO *bp, NETSCAPE_CERT_SEQUENCE *x) -{ - return PEM_ASN1_write_bio((i2d_of_void *)i2d_NETSCAPE_CERT_SEQUENCE, PEM_STRING_X509, bp, - x, NULL, NULL, 0, NULL, NULL); -} - #ifndef OPENSSL_NO_RSA /* We treat RSA or DSA private keys as a special case. diff --git a/crypto/pem/pem_err.c b/crypto/pem/pem_err.c index 8d3c278..d817caf 100644 --- a/crypto/pem/pem_err.c +++ b/crypto/pem/pem_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pem_err.c,v 1.12 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: pem_err.c,v 1.13 2022/07/12 14:42:50 kn Exp $ */ /* ==================================================================== * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * @@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_PEM,func,0) diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c index aecdbb2..3cca828 100644 
--- a/crypto/pem/pem_info.c
+++ b/crypto/pem/pem_info.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_info.c,v 1.25 2021/12/12 21:30:14 tb Exp $ */
+/* $OpenBSD: pem_info.c,v 1.26 2022/11/26 16:08:53 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -75,7 +75,7 @@
 #include
 #endif
-#include "evp_locl.h"
+#include "evp_local.h"
 STACK_OF(X509_INFO) *
 PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb,
diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
index 7b7f810..72cdd41 100644
--- a/crypto/pem/pem_lib.c
+++ b/crypto/pem/pem_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_lib.c,v 1.50 2021/12/12 21:30:14 tb Exp $ */
+/* $OpenBSD: pem_lib.c,v 1.52 2022/11/26 16:08:53 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -78,8 +78,8 @@
 #include
 #endif
-#include "asn1_locl.h"
-#include "evp_locl.h"
+#include "asn1_local.h"
+#include "evp_local.h"
 #define MIN_LENGTH 4
@@ -608,8 +608,7 @@ PEM_write_bio(BIO *bp, const char *name, const char *header,
 (BIO_write(bp, "-----\n", 6) != 6))
 goto err;
- i = strlen(header);
- if (i > 0) {
+ if (header != NULL && (i = strlen(header)) > 0) {
 if ((BIO_write(bp, header, i) != i) ||
 (BIO_write(bp, "\n", 1) != 1))
 goto err;
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index 2e58003..fa2d38f 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_pkey.c,v 1.25 2021/12/24 12:59:18 tb Exp $ */
+/* $OpenBSD: pem_pkey.c,v 1.26 2022/11/26 16:08:53 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -73,8 +73,8 @@
 #include
 #endif
-#include "asn1_locl.h"
-#include "evp_locl.h"
+#include "asn1_local.h"
+#include "evp_local.h"
 int pem_check_suffix(const char *pem_str, const char *suffix);
diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c
index dffe1a3..1417a7b 100644
--- a/crypto/pem/pvkfmt.c
+++ b/crypto/pem/pvkfmt.c
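Review bot: Folding the assignment into the condition, `if (header != NULL && (i = strlen(header)) > 0) {`, makes the NULL-tolerance fix harder to read and leaves `i` holding whatever it held before whenever header is NULL; PEM_write_bio starts and ends outside this hunk, so I cannot rule out a later use of `i` that now sees a stale value. I would keep the assignment as its own statement, `i = header != NULL ? strlen(header) : 0;` followed by the original `if (i > 0) {`, which is the same behaviour with `i` always defined. If `i` is an int, as its comparison with BIO_write's return suggests, the strlen result is also narrowed on assignment; that is pre-existing, but a short comment stating that headers are library-built and bounded would document why it is acceptable.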
@@ -1,4 +1,4 @@ -/* $OpenBSD: pvkfmt.c,v 1.25 2022/01/07 09:55:31 tb Exp $ */ +/* $OpenBSD: pvkfmt.c,v 1.26 2022/11/26 16:08:53 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2005. */ @@ -73,10 +73,10 @@ #include #include -#include "bn_lcl.h" -#include "dsa_locl.h" -#include "evp_locl.h" -#include "rsa_locl.h" +#include "bn_local.h" +#include "dsa_local.h" +#include "evp_local.h" +#include "rsa_local.h" /* Utility function: read a DWORD (4 byte unsigned integer) in little endian * format diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c index 08bb75d..93c7c72 100644 --- a/crypto/pkcs12/p12_add.c +++ b/crypto/pkcs12/p12_add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_add.c,v 1.17 2018/05/13 14:24:07 tb Exp $ */ +/* $OpenBSD: p12_add.c,v 1.22 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -61,6 +61,8 @@ #include #include +#include "pkcs12_local.h" + /* Pack an object into an OCTET STRING and turn into a safebag */ PKCS12_SAFEBAG * 
@@ -88,54 +90,7 @@ PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1, int nid2) safebag->type = OBJ_nid2obj(nid2); return safebag; } - -/* Turn PKCS8 object into a keybag */ - -PKCS12_SAFEBAG * -PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8) -{ - PKCS12_SAFEBAG *bag; - - if (!(bag = PKCS12_SAFEBAG_new())) { - PKCS12error(ERR_R_MALLOC_FAILURE); - return NULL; - } - bag->type = OBJ_nid2obj(NID_keyBag); - bag->value.keybag = p8; - return bag; -} - -/* Turn PKCS8 object into a shrouded keybag */ - -PKCS12_SAFEBAG * -PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass, int passlen, - unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8) -{ - PKCS12_SAFEBAG *bag; - const EVP_CIPHER *pbe_ciph; - - /* Set up the safe bag */ - if (!(bag = PKCS12_SAFEBAG_new())) { - PKCS12error(ERR_R_MALLOC_FAILURE); - return NULL; - } - - bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag); - - pbe_ciph = EVP_get_cipherbynid(pbe_nid); - - if (pbe_ciph) - pbe_nid = -1; - - if (!(bag->value.shkeybag = PKCS8_encrypt(pbe_nid, pbe_ciph, pass, - passlen, salt, saltlen, iter, p8))) { - PKCS12error(ERR_R_MALLOC_FAILURE); - PKCS12_SAFEBAG_free(bag); - return NULL; - } - - return bag; -} +LCRYPTO_ALIAS(PKCS12_item_pack_safebag); /* Turn a stack of SAFEBAGS into a PKCS#7 data Contentinfo */ PKCS7 * @@ -163,6 +118,7 @@ err: PKCS7_free(p7); return NULL; } +LCRYPTO_ALIAS(PKCS12_pack_p7data); /* Unpack SAFEBAGS from PKCS#7 data ContentInfo */ STACK_OF(PKCS12_SAFEBAG) * @@ -174,6 +130,7 @@ PKCS12_unpack_p7data(PKCS7 *p7) } return ASN1_item_unpack(p7->d.data, &PKCS12_SAFEBAGS_it); } +LCRYPTO_ALIAS(PKCS12_unpack_p7data); /* Turn a stack of SAFEBAGS into a PKCS#7 encrypted data ContentInfo */ @@ -220,6 +177,7 @@ err: PKCS7_free(p7); return NULL; } +LCRYPTO_ALIAS(PKCS12_pack_p7encdata); STACK_OF(PKCS12_SAFEBAG) * PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, int passlen) 
@@ -230,12 +188,14 @@ PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, int passlen) &PKCS12_SAFEBAGS_it, pass, passlen, p7->d.encrypted->enc_data->enc_data, 1); } +LCRYPTO_ALIAS(PKCS12_unpack_p7encdata); PKCS8_PRIV_KEY_INFO * PKCS12_decrypt_skey(const PKCS12_SAFEBAG *bag, const char *pass, int passlen) { return PKCS8_decrypt(bag->value.shkeybag, pass, passlen); } +LCRYPTO_ALIAS(PKCS12_decrypt_skey); int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes) @@ -245,6 +205,7 @@ PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes) return 1; return 0; } +LCRYPTO_ALIAS(PKCS12_pack_authsafes); STACK_OF(PKCS7) * PKCS12_unpack_authsafes(const PKCS12 *p12) @@ -256,3 +217,4 @@ PKCS12_unpack_authsafes(const PKCS12 *p12) return ASN1_item_unpack(p12->authsafes->d.data, &PKCS12_AUTHSAFES_it); } +LCRYPTO_ALIAS(PKCS12_unpack_authsafes); diff --git a/crypto/pkcs12/p12_asn.c b/crypto/pkcs12/p12_asn.c index d152063..a9deccc 100644 --- a/crypto/pkcs12/p12_asn.c +++ b/crypto/pkcs12/p12_asn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_asn.c,v 1.10 2022/01/14 08:16:13 tb Exp $ */ +/* $OpenBSD: p12_asn.c,v 1.14 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -61,6 +61,8 @@ #include #include +#include "pkcs12_local.h" + /* PKCS#12 ASN1 module */ static const ASN1_TEMPLATE PKCS12_seq_tt[] = { @@ -104,24 +106,28 @@ d2i_PKCS12(PKCS12 **a, const unsigned char **in, long len) return (PKCS12 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKCS12_it); } +LCRYPTO_ALIAS(d2i_PKCS12); int i2d_PKCS12(PKCS12 *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS12_it); } +LCRYPTO_ALIAS(i2d_PKCS12); PKCS12 * PKCS12_new(void) { return (PKCS12 *)ASN1_item_new(&PKCS12_it); } +LCRYPTO_ALIAS(PKCS12_new); void PKCS12_free(PKCS12 *a) { ASN1_item_free((ASN1_VALUE *)a, &PKCS12_it); } +LCRYPTO_ALIAS(PKCS12_free); static const ASN1_TEMPLATE PKCS12_MAC_DATA_seq_tt[] = { { 
@@ -164,24 +170,28 @@ d2i_PKCS12_MAC_DATA(PKCS12_MAC_DATA **a, const unsigned char **in, long len) return (PKCS12_MAC_DATA *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKCS12_MAC_DATA_it); } +LCRYPTO_ALIAS(d2i_PKCS12_MAC_DATA); int i2d_PKCS12_MAC_DATA(PKCS12_MAC_DATA *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS12_MAC_DATA_it); } +LCRYPTO_ALIAS(i2d_PKCS12_MAC_DATA); PKCS12_MAC_DATA * PKCS12_MAC_DATA_new(void) { return (PKCS12_MAC_DATA *)ASN1_item_new(&PKCS12_MAC_DATA_it); } +LCRYPTO_ALIAS(PKCS12_MAC_DATA_new); void PKCS12_MAC_DATA_free(PKCS12_MAC_DATA *a) { ASN1_item_free((ASN1_VALUE *)a, &PKCS12_MAC_DATA_it); } +LCRYPTO_ALIAS(PKCS12_MAC_DATA_free); static const ASN1_TEMPLATE bag_default_tt = { .flags = ASN1_TFLG_EXPLICIT, @@ -270,24 +280,28 @@ d2i_PKCS12_BAGS(PKCS12_BAGS **a, const unsigned char **in, long len) return (PKCS12_BAGS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKCS12_BAGS_it); } +LCRYPTO_ALIAS(d2i_PKCS12_BAGS); int i2d_PKCS12_BAGS(PKCS12_BAGS *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS12_BAGS_it); } +LCRYPTO_ALIAS(i2d_PKCS12_BAGS); PKCS12_BAGS * PKCS12_BAGS_new(void) { return (PKCS12_BAGS *)ASN1_item_new(&PKCS12_BAGS_it); } +LCRYPTO_ALIAS(PKCS12_BAGS_new); void PKCS12_BAGS_free(PKCS12_BAGS *a) { ASN1_item_free((ASN1_VALUE *)a, &PKCS12_BAGS_it); } +LCRYPTO_ALIAS(PKCS12_BAGS_free); static const ASN1_TEMPLATE safebag_default_tt = { .flags = ASN1_TFLG_EXPLICIT, @@ -323,7 +337,7 @@ static const ASN1_ADB_TABLE PKCS12_SAFEBAG_adbtbl[] = { { .value = NID_safeContentsBag, .tt = { - .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SET_OF, + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_SEQUENCE_OF, .tag = 0, .offset = offsetof(PKCS12_SAFEBAG, value.safes), .field_name = "value.safes", 
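Review bot: The flag change on the `NID_safeContentsBag` ADB entry (`ASN1_TFLG_SET_OF` to `ASN1_TFLG_SEQUENCE_OF`) alters both the tag the encoder emits and the tag the decoder accepts for nested SafeContents, and nothing in the hunk records why. RFC 7292 defines SafeContents as SEQUENCE OF SafeBag, so the new value is the conformant one, but files produced by earlier releases of this code would presumably carry a SET tag and now fail to decode; that is worth a comment on the template, e.g. `/* SafeContents is SEQUENCE OF SafeBag (RFC 7292); earlier releases wrongly encoded a SET */`, and a release-note line. The ADB table this entry belongs to starts outside the hunk.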
@@ -415,24 +429,28 @@ d2i_PKCS12_SAFEBAG(PKCS12_SAFEBAG **a, const unsigned char **in, long len) return (PKCS12_SAFEBAG *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKCS12_SAFEBAG_it); } +LCRYPTO_ALIAS(d2i_PKCS12_SAFEBAG); int i2d_PKCS12_SAFEBAG(PKCS12_SAFEBAG *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS12_SAFEBAG_it); } +LCRYPTO_ALIAS(i2d_PKCS12_SAFEBAG); PKCS12_SAFEBAG * PKCS12_SAFEBAG_new(void) { return (PKCS12_SAFEBAG *)ASN1_item_new(&PKCS12_SAFEBAG_it); } +LCRYPTO_ALIAS(PKCS12_SAFEBAG_new); void PKCS12_SAFEBAG_free(PKCS12_SAFEBAG *a) { ASN1_item_free((ASN1_VALUE *)a, &PKCS12_SAFEBAG_it); } +LCRYPTO_ALIAS(PKCS12_SAFEBAG_free); /* SEQUENCE OF SafeBag */ static const ASN1_TEMPLATE PKCS12_SAFEBAGS_item_tt = { @@ -471,4 +489,3 @@ const ASN1_ITEM PKCS12_AUTHSAFES_it = { .size = 0, .sname = "PKCS12_AUTHSAFES", }; - diff --git a/crypto/pkcs12/p12_attr.c b/crypto/pkcs12/p12_attr.c index dc38b7c..d43b205 100644 --- a/crypto/pkcs12/p12_attr.c +++ b/crypto/pkcs12/p12_attr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_attr.c,v 1.14 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: p12_attr.c,v 1.20 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -60,7 +60,8 @@ #include -#include "x509_lcl.h" +#include "pkcs12_local.h" +#include "x509_local.h" /* Add a local keyid to a safebag */ @@ -73,6 +74,7 @@ PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen) else return 0; } +LCRYPTO_ALIAS(PKCS12_add_localkeyid); /* Add key usage to PKCS#8 structure */ @@ -84,6 +86,7 @@ PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage) return PKCS8_pkey_add1_attr_by_NID(p8, NID_key_usage, V_ASN1_BIT_STRING, &us_val, 1); } +LCRYPTO_ALIAS(PKCS8_add_keyusage); /* Add a friendlyname to a safebag */ @@ -96,6 +99,7 @@ PKCS12_add_friendlyname_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen) else return 0; } +LCRYPTO_ALIAS(PKCS12_add_friendlyname_asc); int 
@@ -108,6 +112,7 @@ PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name, else return 0; } +LCRYPTO_ALIAS(PKCS12_add_friendlyname_uni); int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen) @@ -118,6 +123,7 @@ PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen) else return 0; } +LCRYPTO_ALIAS(PKCS12_add_CSPName_asc); ASN1_TYPE * PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid) @@ -129,25 +135,30 @@ PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid) return NULL; for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) { attrib = sk_X509_ATTRIBUTE_value(attrs, i); - if (OBJ_obj2nid(attrib->object) == attr_nid) { - if (sk_ASN1_TYPE_num(attrib->value.set)) - return sk_ASN1_TYPE_value(attrib->value.set, 0); - else - return NULL; - } + if (OBJ_obj2nid(attrib->object) == attr_nid) + return sk_ASN1_TYPE_value(attrib->set, 0); } return NULL; } +LCRYPTO_ALIAS(PKCS12_get_attr_gen); char * PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag) { - ASN1_TYPE *atype; + const ASN1_TYPE *atype; - if (!(atype = PKCS12_get_attr(bag, NID_friendlyName))) + if (!(atype = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) return NULL; if (atype->type != V_ASN1_BMPSTRING) return NULL; return OPENSSL_uni2asc(atype->value.bmpstring->data, atype->value.bmpstring->length); } +LCRYPTO_ALIAS(PKCS12_get_friendlyname); + +const STACK_OF(X509_ATTRIBUTE) * +PKCS12_SAFEBAG_get0_attrs(const PKCS12_SAFEBAG *bag) +{ + return bag->attrib; +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_get0_attrs); diff --git a/crypto/pkcs12/p12_crpt.c b/crypto/pkcs12/p12_crpt.c index d21c9c1..e7d3010 100644 --- a/crypto/pkcs12/p12_crpt.c +++ b/crypto/pkcs12/p12_crpt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_crpt.c,v 1.15 2021/07/09 14:07:59 tb Exp $ */ +/* $OpenBSD: p12_crpt.c,v 1.17 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
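Review bot: In `PKCS12_get_attr_gen` the explicit empty-set check was dropped and the function now returns `sk_ASN1_TYPE_value(attrib->set, 0)` directly, so its NULL result for an attribute with no values depends on the stack accessor returning NULL for an out-of-range index; a one-line comment would keep that from being "fixed" back later, e.g. `/* sk_value() returns NULL for an empty set, matching the old behaviour */`. The same hunk's `PKCS12_get_friendlyname` now goes through `PKCS12_SAFEBAG_get0_attr`, which is consistent with the new const accessor, but the `bag` parameter itself is still non-const while the returned pointer is const; if the signature is fixed by the public header that is fine, otherwise `const PKCS12_SAFEBAG *bag` would match the rest of the new API.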
@@ -68,6 +68,7 @@ void PKCS12_PBE_add(void) { } +LCRYPTO_ALIAS(PKCS12_PBE_add); int PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, @@ -119,3 +120,4 @@ PKCS12_PBE_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen, explicit_bzero(iv, EVP_MAX_IV_LENGTH); return ret; } +LCRYPTO_ALIAS(PKCS12_PBE_keyivgen); diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index f8ba335..90a0cbe 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_crt.c,v 1.18 2018/05/13 13:46:55 tb Exp $ */ +/* $OpenBSD: p12_crt.c,v 1.23 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -61,6 +61,8 @@ #include #include +#include "pkcs12_local.h" + static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag); @@ -111,7 +113,8 @@ PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 *cert, if (pkey && cert) { if (!X509_check_private_key(cert, pkey)) return NULL; - X509_digest(cert, EVP_sha1(), keyid, &keyidlen); + if (!X509_digest(cert, EVP_sha1(), keyid, &keyidlen)) + return NULL; } if (cert) { @@ -181,6 +184,7 @@ err: sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free); return NULL; } +LCRYPTO_ALIAS(PKCS12_create); PKCS12_SAFEBAG * PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert) @@ -218,6 +222,7 @@ err: return NULL; } +LCRYPTO_ALIAS(PKCS12_add_cert); PKCS12_SAFEBAG * PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, int key_usage, 
@@ -232,12 +237,12 @@ PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, int key_usage, if (key_usage && !PKCS8_add_keyusage(p8, key_usage)) goto err; if (nid_key != -1) { - bag = PKCS12_MAKE_SHKEYBAG(nid_key, pass, -1, NULL, 0, - iter, p8); + bag = PKCS12_SAFEBAG_create_pkcs8_encrypt(nid_key, pass, -1, + NULL, 0, iter, p8); PKCS8_PRIV_KEY_INFO_free(p8); p8 = NULL; } else { - bag = PKCS12_MAKE_KEYBAG(p8); + bag = PKCS12_SAFEBAG_create0_p8inf(p8); if (bag != NULL) p8 = NULL; } @@ -258,6 +263,7 @@ err: return NULL; } +LCRYPTO_ALIAS(PKCS12_add_key); int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, @@ -301,6 +307,7 @@ err: return 0; } +LCRYPTO_ALIAS(PKCS12_add_safe); static int pkcs12_add_bag(STACK_OF(PKCS12_SAFEBAG) **pbags, PKCS12_SAFEBAG *bag) @@ -347,3 +354,4 @@ PKCS12_add_safes(STACK_OF(PKCS7) *safes, int nid_p7) return p12; } +LCRYPTO_ALIAS(PKCS12_add_safes); diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c index c352ba5..ea7f6a5 100644 --- a/crypto/pkcs12/p12_decr.c +++ b/crypto/pkcs12/p12_decr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_decr.c,v 1.21 2021/12/12 21:30:14 tb Exp $ */ +/* $OpenBSD: p12_decr.c,v 1.24 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -62,7 +62,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" /* Encrypt/Decrypt a buffer based on password and algor, result in a * malloc'ed buffer @@ -116,6 +116,7 @@ err: return out; } +LCRYPTO_ALIAS(PKCS12_pbe_crypt); /* Decrypt an OCTET STRING and decode ASN1 structure * if zbuf set zero buffer after use. @@ -144,6 +145,7 @@ PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it, free(out); return ret; } +LCRYPTO_ALIAS(PKCS12_item_decrypt_d2i); /* Encode ASN1 structure and encrypt, return OCTET STRING * if zbuf set zero encoding. 
@@ -182,5 +184,6 @@ err: ASN1_OCTET_STRING_free(oct); return NULL; } +LCRYPTO_ALIAS(PKCS12_item_i2d_encrypt); IMPLEMENT_PKCS12_STACK_OF(PKCS7) diff --git a/crypto/pkcs12/p12_init.c b/crypto/pkcs12/p12_init.c index 13dbe36..09ff0d5 100644 --- a/crypto/pkcs12/p12_init.c +++ b/crypto/pkcs12/p12_init.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_init.c,v 1.13 2022/01/20 11:18:49 inoguchi Exp $ */ +/* $OpenBSD: p12_init.c,v 1.16 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -61,6 +61,8 @@ #include #include +#include "pkcs12_local.h" + /* Initialise a PKCS12 structure to take data */ PKCS12 * @@ -96,3 +98,4 @@ err: PKCS12_free(pkcs12); return NULL; } +LCRYPTO_ALIAS(PKCS12_init); diff --git a/crypto/pkcs12/p12_key.c b/crypto/pkcs12/p12_key.c index 38d25d2..8812f1c 100644 --- a/crypto/pkcs12/p12_key.c +++ b/crypto/pkcs12/p12_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_key.c,v 1.28 2021/12/12 21:30:14 tb Exp $ */ +/* $OpenBSD: p12_key.c,v 1.34 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -63,7 +63,7 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" /* PKCS12 compatible key/IV generation */ #ifndef min 
@@ -93,56 +93,70 @@ PKCS12_key_gen_asc(const char *pass, int passlen, unsigned char *salt, freezero(unipass, uniplen); return ret; } +LCRYPTO_ALIAS(PKCS12_key_gen_asc); int PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, int saltlen, int id, int iter, int n, unsigned char *out, const EVP_MD *md_type) { - unsigned char *B, *D, *I, *p, *Ai; - int Slen, Plen, Ilen, Ijlen; + EVP_MD_CTX *ctx = NULL; + unsigned char *B = NULL, *D = NULL, *I = NULL, *Ai = NULL; + unsigned char *p; + int Slen, Plen, Ilen; int i, j, u, v; int ret = 0; - BIGNUM *Ij, *Bpl1; /* These hold Ij and B + 1 */ - EVP_MD_CTX ctx; - v = EVP_MD_block_size(md_type); - u = EVP_MD_size(md_type); - if (u < 0) - return 0; - - EVP_MD_CTX_init(&ctx); - D = malloc(v); - Ai = malloc(u); - B = malloc(v + 1); - Slen = v * ((saltlen + v - 1) / v); - if (passlen) - Plen = v * ((passlen + v - 1)/v); - else - Plen = 0; - Ilen = Slen + Plen; - I = malloc(Ilen); - Ij = BN_new(); - Bpl1 = BN_new(); - if (!D || !Ai || !B || !I || !Ij || !Bpl1) + if ((ctx = EVP_MD_CTX_new()) == NULL) goto err; + + if ((v = EVP_MD_block_size(md_type)) <= 0) + goto err; + if ((u = EVP_MD_size(md_type)) <= 0) + goto err; + + if ((D = malloc(v)) == NULL) + goto err; + if ((Ai = malloc(u)) == NULL) + goto err; + if ((B = malloc(v + 1)) == NULL) + goto err; + + Slen = v * ((saltlen + v - 1) / v); + + Plen = 0; + if (passlen) + Plen = v * ((passlen + v - 1) / v); + + Ilen = Slen + Plen; + + if ((I = malloc(Ilen)) == NULL) + goto err; + for (i = 0; i < v; i++) D[i] = id; + p = I; for (i = 0; i < Slen; i++) *p++ = salt[i % saltlen]; for (i = 0; i < Plen; i++) *p++ = pass[i % passlen]; + for (;;) { - if (!EVP_DigestInit_ex(&ctx, md_type, NULL) || - !EVP_DigestUpdate(&ctx, D, v) || - !EVP_DigestUpdate(&ctx, I, Ilen) || - !EVP_DigestFinal_ex(&ctx, Ai, NULL)) + if (!EVP_DigestInit_ex(ctx, md_type, NULL)) + goto err; + if (!EVP_DigestUpdate(ctx, D, v)) + goto err; + if (!EVP_DigestUpdate(ctx, I, Ilen)) + goto err; + if 
(!EVP_DigestFinal_ex(ctx, Ai, NULL)) goto err; for (j = 1; j < iter; j++) { - if (!EVP_DigestInit_ex(&ctx, md_type, NULL) || - !EVP_DigestUpdate(&ctx, Ai, u) || - !EVP_DigestFinal_ex(&ctx, Ai, NULL)) + if (!EVP_DigestInit_ex(ctx, md_type, NULL)) + goto err; + if (!EVP_DigestUpdate(ctx, Ai, u)) + goto err; + if (!EVP_DigestFinal_ex(ctx, Ai, NULL)) goto err; } memcpy(out, Ai, min(n, u)); @@ -154,46 +168,30 @@ PKCS12_key_gen_uni(unsigned char *pass, int passlen, unsigned char *salt, out += u; for (j = 0; j < v; j++) B[j] = Ai[j % u]; - /* Work out B + 1 first then can use B as tmp space */ - if (!BN_bin2bn(B, v, Bpl1)) - goto err; - if (!BN_add_word(Bpl1, 1)) - goto err; + for (j = 0; j < Ilen; j += v) { - if (!BN_bin2bn(I + j, v, Ij)) - goto err; - if (!BN_add(Ij, Ij, Bpl1)) - goto err; - if (!BN_bn2bin(Ij, B)) - goto err; - Ijlen = BN_num_bytes(Ij); - /* If more than 2^(v*8) - 1 cut off MSB */ - if (Ijlen > v) { - if (!BN_bn2bin(Ij, B)) - goto err; - memcpy(I + j, B + 1, v); -#ifndef PKCS12_BROKEN_KEYGEN - /* If less than v bytes pad with zeroes */ - } else if (Ijlen < v) { - memset(I + j, 0, v - Ijlen); - if (!BN_bn2bin(Ij, I + j + v - Ijlen)) - goto err; -#endif - } else if (!BN_bn2bin(Ij, I + j)) - goto err; + uint16_t c = 1; + int k; + + /* Work out I[j] = I[j] + B + 1. */ + for (k = v - 1; k >= 0; k--) { + c += I[j + k] + B[k]; + I[j + k] = (unsigned char)c; + c >>= 8; + } } } -err: + err: PKCS12error(ERR_R_MALLOC_FAILURE); -end: + end: free(Ai); free(B); free(D); free(I); - BN_free(Ij); - BN_free(Bpl1); - EVP_MD_CTX_cleanup(&ctx); + EVP_MD_CTX_free(ctx); + return ret; } +LCRYPTO_ALIAS(PKCS12_key_gen_uni); diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c index 54a8092..48bbd13 100644 --- a/crypto/pkcs12/p12_kiss.c +++ b/crypto/pkcs12/p12_kiss.c 
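Review bot: The cleanup at the `end:` label in `PKCS12_key_gen_uni` still releases the working buffers with plain `free()`, although `I` holds the padded password bytes copied from `pass`, and `Ai` and `B` hold the derived key blocks that are copied to `out`; the sibling `PKCS12_key_gen_asc` in the preceding hunk already scrubs its password copy with `freezero(unipass, uniplen)`. I would change the three lines to `freezero(Ai, u); freezero(B, v + 1); freezero(I, Ilen);` and give `u`, `v` and `Ilen` a zero initialiser in the declarations, since the early `goto err` paths (for example a failed `EVP_MD_CTX_new()`) reach the label before those lengths are assigned. The ripple-carry replacement for the BIGNUM arithmetic looks right: `c` never exceeds 1 + 255 + 255 between iterations, so the `uint16_t` accumulator cannot wrap. The function's declarations and the start of its body are in the previous hunk.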
@@ -1,4 +1,4 @@ -/* $OpenBSD: p12_kiss.c,v 1.21 2021/07/09 14:08:00 tb Exp $ */ +/* $OpenBSD: p12_kiss.c,v 1.27 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -61,6 +61,8 @@ #include #include +#include "pkcs12_local.h" + /* Simplified PKCS#12 routines */ static int parse_pk12( PKCS12 *p12, const char *pass, int passlen, @@ -84,18 +86,17 @@ PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, { STACK_OF(X509) *ocerts = NULL; X509 *x = NULL; - /* Check for NULL PKCS12 structure */ - if (!p12) { - PKCS12error(PKCS12_R_INVALID_NULL_PKCS12_POINTER); - return 0; - } - - if (pkey) + if (pkey != NULL) *pkey = NULL; - if (cert) + if (cert != NULL) *cert = NULL; + if (p12 == NULL) { + PKCS12error(PKCS12_R_INVALID_NULL_PKCS12_POINTER); + goto err; + } + /* Check the mac */ /* If password is zero length or NULL then try verifying both cases @@ -104,7 +105,7 @@ PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, * password are two different things... */ - if (!pass || !*pass) { + if (pass == NULL || *pass == '\0') { if (PKCS12_verify_mac(p12, NULL, 0)) pass = NULL; else if (PKCS12_verify_mac(p12, "", 0)) @@ -119,10 +120,9 @@ PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, } /* Allocate stack for other certificates */ - ocerts = sk_X509_new_null(); - if (!ocerts) { + if ((ocerts = sk_X509_new_null()) == NULL) { PKCS12error(ERR_R_MALLOC_FAILURE); - return 0; + goto err; } if (!parse_pk12(p12, pass, -1, pkey, ocerts)) { @@ -130,8 +130,9 @@ PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, goto err; } - while ((x = sk_X509_pop(ocerts))) { - if (pkey && *pkey && cert && !*cert) { + while ((x = sk_X509_pop(ocerts)) != NULL) { + if (pkey != NULL && *pkey != NULL && + cert != NULL && *cert == NULL) { ERR_set_mark(); if (X509_check_private_key(x, *pkey)) { *cert = x; 
@@ -140,33 +141,34 @@ PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, ERR_pop_to_mark(); } - if (ca && x) { - if (!*ca) + if (ca != NULL && x != NULL) { + if (*ca == NULL) *ca = sk_X509_new_null(); - if (!*ca) + if (*ca == NULL) goto err; if (!sk_X509_push(*ca, x)) goto err; x = NULL; } X509_free(x); + x = NULL; } - if (ocerts) - sk_X509_pop_free(ocerts, X509_free); + sk_X509_pop_free(ocerts, X509_free); return 1; err: - if (pkey && *pkey) + if (pkey != NULL) EVP_PKEY_free(*pkey); - if (cert) + if (cert != NULL) X509_free(*cert); X509_free(x); - if (ocerts) - sk_X509_pop_free(ocerts, X509_free); + sk_X509_pop_free(ocerts, X509_free); + return 0; } +LCRYPTO_ALIAS(PKCS12_parse); /* Parse the outer PKCS#12 structure */ @@ -225,14 +227,14 @@ parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, EVP_PKEY **pkey, { PKCS8_PRIV_KEY_INFO *p8; X509 *x509; - ASN1_TYPE *attrib; + const ASN1_TYPE *attrib; ASN1_BMPSTRING *fname = NULL; ASN1_OCTET_STRING *lkid = NULL; - if ((attrib = PKCS12_get_attr(bag, NID_friendlyName))) + if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName))) fname = attrib->value.bmpstring; - if ((attrib = PKCS12_get_attr(bag, NID_localKeyID))) + if ((attrib = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID))) lkid = attrib->value.octet_string; switch (OBJ_obj2nid(bag->type)) { @@ -265,7 +267,7 @@ parse_bag(PKCS12_SAFEBAG *bag, const char *pass, int passlen, EVP_PKEY **pkey, } if (fname) { int len, r; - unsigned char *data; + unsigned char *data = NULL; len = ASN1_STRING_to_UTF8(&data, fname); if (len >= 0) { r = X509_alias_set1(x509, data, len); diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c index f3a6ea3..f0e6df9 100644 --- a/crypto/pkcs12/p12_mutl.c +++ b/crypto/pkcs12/p12_mutl.c 
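Review bot: The rewritten `err:` path in `PKCS12_parse` frees `*pkey` and `*cert` but leaves the caller's out-parameters pointing at the freed objects, so a caller that cleans up its own `pkey`/`cert` after a 0 return would double-free; the function already nulls both at entry, so finishing the job on failure is cheap: `EVP_PKEY_free(*pkey); *pkey = NULL;` and `X509_free(*cert); *cert = NULL;` inside the respective `if` bodies. The added `x = NULL;` after `X509_free(x)` at the end of the loop body is a good change for the same reason. Whether `x` is cleared after `*cert = x;` is not visible in this hunk; the head of the function is in the earlier hunk.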
@@ -1,4 +1,4 @@ -/* $OpenBSD: p12_mutl.c,v 1.27 2021/12/12 21:30:14 tb Exp $ */ +/* $OpenBSD: p12_mutl.c,v 1.35 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -68,9 +68,45 @@ #include #include -#include "evp_locl.h" +#include "evp_local.h" #include "hmac_local.h" -#include "x509_lcl.h" +#include "pkcs12_local.h" +#include "x509_local.h" + +int +PKCS12_mac_present(const PKCS12 *p12) +{ + return p12->mac != NULL; +} +LCRYPTO_ALIAS(PKCS12_mac_present); + +void +PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac, const X509_ALGOR **pmacalg, + const ASN1_OCTET_STRING **psalt, const ASN1_INTEGER **piter, + const PKCS12 *p12) +{ + if (p12->mac == NULL) { + if (pmac != NULL) + *pmac = NULL; + if (pmacalg != NULL) + *pmacalg = NULL; + if (psalt != NULL) + *psalt = NULL; + if (piter != NULL) + *piter = NULL; + return; + } + + if (pmac != NULL) + *pmac = p12->mac->dinfo->digest; + if (pmacalg != NULL) + *pmacalg = p12->mac->dinfo->algor; + if (psalt != NULL) + *psalt = p12->mac->salt; + if (piter != NULL) + *piter = p12->mac->iter; +} +LCRYPTO_ALIAS(PKCS12_get0_mac); /* Generate a MAC */ int 
@@ -78,48 +114,62 @@ PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, unsigned char *mac, unsigned int *maclen) { const EVP_MD *md_type; - HMAC_CTX hmac; + HMAC_CTX *hmac = NULL; unsigned char key[EVP_MAX_MD_SIZE], *salt; int saltlen, iter; int md_size; + int ret = 0; if (!PKCS7_type_is_data(p12->authsafes)) { PKCS12error(PKCS12_R_CONTENT_TYPE_NOT_DATA); - return 0; + goto err; } salt = p12->mac->salt->data; saltlen = p12->mac->salt->length; - if (!p12->mac->iter) - iter = 1; - else if ((iter = ASN1_INTEGER_get(p12->mac->iter)) <= 0) { - PKCS12error(PKCS12_R_DECODE_ERROR); - return 0; + + iter = 1; + if (p12->mac->iter != NULL) { + if ((iter = ASN1_INTEGER_get(p12->mac->iter)) <= 0) { + PKCS12error(PKCS12_R_DECODE_ERROR); + goto err; + } } - if (!(md_type = EVP_get_digestbyobj( - p12->mac->dinfo->algor->algorithm))) { + + md_type = EVP_get_digestbyobj(p12->mac->dinfo->algor->algorithm); + if (md_type == NULL) { PKCS12error(PKCS12_R_UNKNOWN_DIGEST_ALGORITHM); - return 0; + goto err; } - md_size = EVP_MD_size(md_type); - if (md_size < 0) - return 0; + + if ((md_size = EVP_MD_size(md_type)) < 0) + goto err; + if (!PKCS12_key_gen(pass, passlen, salt, saltlen, PKCS12_MAC_ID, iter, md_size, key, md_type)) { PKCS12error(PKCS12_R_KEY_GEN_ERROR); - return 0; + goto err; } - HMAC_CTX_init(&hmac); - if (!HMAC_Init_ex(&hmac, key, md_size, md_type, NULL) || - !HMAC_Update(&hmac, p12->authsafes->d.data->data, - p12->authsafes->d.data->length) || - !HMAC_Final(&hmac, mac, maclen)) { - HMAC_CTX_cleanup(&hmac); - return 0; - } - HMAC_CTX_cleanup(&hmac); - return 1; + + if ((hmac = HMAC_CTX_new()) == NULL) + goto err; + if (!HMAC_Init_ex(hmac, key, md_size, md_type, NULL)) + goto err; + if (!HMAC_Update(hmac, p12->authsafes->d.data->data, + p12->authsafes->d.data->length)) + goto err; + if (!HMAC_Final(hmac, mac, maclen)) + goto err; + + ret = 1; + + err: + explicit_bzero(key, sizeof(key)); + HMAC_CTX_free(hmac); + + return ret; } +LCRYPTO_ALIAS(PKCS12_gen_mac); /* Verify 
the mac */ int @@ -141,6 +191,7 @@ PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) return 0; return 1; } +LCRYPTO_ALIAS(PKCS12_verify_mac); /* Set a mac */ @@ -168,13 +219,15 @@ PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, unsigned char *salt, } return 1; } +LCRYPTO_ALIAS(PKCS12_set_mac); /* Set up a mac structure */ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, const EVP_MD *md_type) { - if (!(p12->mac = PKCS12_MAC_DATA_new())) + PKCS12_MAC_DATA_free(p12->mac); + if ((p12->mac = PKCS12_MAC_DATA_new()) == NULL) return PKCS12_ERROR; if (iter > 1) { if (!(p12->mac->iter = ASN1_INTEGER_new())) { @@ -206,4 +259,5 @@ PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, return 1; } +LCRYPTO_ALIAS(PKCS12_setup_mac); #endif diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c index 62ec368..30dd2ef 100644 --- a/crypto/pkcs12/p12_npas.c +++ b/crypto/pkcs12/p12_npas.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_npas.c,v 1.14 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: p12_npas.c,v 1.18 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -63,7 +63,8 @@ #include #include -#include "x509_lcl.h" +#include "pkcs12_local.h" +#include "x509_local.h" /* PKCS#12 password change routine */ @@ -102,6 +103,7 @@ PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass) return 1; } +LCRYPTO_ALIAS(PKCS12_newpass); /* Parse the outer PKCS#12 structure */ diff --git a/crypto/pkcs12/p12_p8d.c b/crypto/pkcs12/p12_p8d.c index ce1b28b..dd5e8d9 100644 --- a/crypto/pkcs12/p12_p8d.c +++ b/crypto/pkcs12/p12_p8d.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_p8d.c,v 1.8 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: p12_p8d.c,v 1.11 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ 
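Review bot: `PKCS12_gen_mac` still takes the MacData iteration count straight from the file with only a lower-bound check (`if ((iter = ASN1_INTEGER_get(p12->mac->iter)) <= 0)`), so a crafted PKCS#12 can make `PKCS12_key_gen` spin for an arbitrarily large count before the MAC is ever verified; an upper bound chosen by the project, checked in the same `if`, would cap that cost. `ASN1_INTEGER_get` returns a `long` and `iter` is declared `int saltlen, iter;`, so on LP64 the value is also narrowed before the check; comparing the `long` first (or declaring `iter` as `long`) avoids that. The new `explicit_bzero(key, sizeof(key))` on the shared `err:` path is a welcome change, and `PKCS12_get0_mac` in the preceding hunk correctly handles a missing `p12->mac`, but this function dereferences `p12->mac->salt` without that check, so it relies on every caller testing `PKCS12_mac_present` first — worth a comment above the function.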
@@ -60,7 +60,7 @@ #include -#include "x509_lcl.h" +#include "x509_local.h" PKCS8_PRIV_KEY_INFO * PKCS8_decrypt(const X509_SIG *p8, const char *pass, int passlen) @@ -68,3 +68,4 @@ PKCS8_decrypt(const X509_SIG *p8, const char *pass, int passlen) return PKCS12_item_decrypt_d2i(p8->algor, &PKCS8_PRIV_KEY_INFO_it, pass, passlen, p8->digest, 1); } +LCRYPTO_ALIAS(PKCS8_decrypt); diff --git a/crypto/pkcs12/p12_p8e.c b/crypto/pkcs12/p12_p8e.c index 7f5f61d..87c4be5 100644 --- a/crypto/pkcs12/p12_p8e.c +++ b/crypto/pkcs12/p12_p8e.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_p8e.c,v 1.9 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: p12_p8e.c,v 1.12 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -61,7 +61,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" X509_SIG * PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass, @@ -100,3 +100,4 @@ err: X509_SIG_free(p8); return NULL; } +LCRYPTO_ALIAS(PKCS8_encrypt); diff --git a/crypto/pkcs12/p12_sbag.c b/crypto/pkcs12/p12_sbag.c new file mode 100644 index 0000000..b7772b6 --- /dev/null +++ b/crypto/pkcs12/p12_sbag.c 
@@ -0,0 +1,240 @@ +/* $OpenBSD: p12_sbag.c,v 1.8 2023/02/16 08:38:17 tb Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project + * 1999-2018. + */ +/* ==================================================================== + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). 
+ * + */ + +#include + +#include +#include + +#include "pkcs12_local.h" +#include "x509_local.h" + +const ASN1_TYPE * +PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag, int attr_nid) +{ + return PKCS12_get_attr_gen(bag->attrib, attr_nid); +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_get0_attr); + +ASN1_TYPE * +PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid) +{ + return PKCS12_get_attr_gen(p8->attributes, attr_nid); +} +LCRYPTO_ALIAS(PKCS8_get_attr); + +const PKCS8_PRIV_KEY_INFO * +PKCS12_SAFEBAG_get0_p8inf(const PKCS12_SAFEBAG *bag) +{ + if (PKCS12_SAFEBAG_get_nid(bag) != NID_keyBag) + return NULL; + + return bag->value.keybag; +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_get0_p8inf); + +const X509_SIG * +PKCS12_SAFEBAG_get0_pkcs8(const PKCS12_SAFEBAG *bag) +{ + if (PKCS12_SAFEBAG_get_nid(bag) != NID_pkcs8ShroudedKeyBag) + return NULL; + + return bag->value.shkeybag; +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_get0_pkcs8); + +const STACK_OF(PKCS12_SAFEBAG) * +PKCS12_SAFEBAG_get0_safes(const PKCS12_SAFEBAG *bag) +{ + if (PKCS12_SAFEBAG_get_nid(bag) != NID_safeContentsBag) + return NULL; + + return bag->value.safes; +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_get0_safes); + +const ASN1_OBJECT * +PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag) +{ + return bag->type; +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_get0_type); + +int +PKCS12_SAFEBAG_get_nid(const PKCS12_SAFEBAG *bag) +{ + return OBJ_obj2nid(bag->type); +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_get_nid); + +int +PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag) +{ + int bag_type; + + bag_type = PKCS12_SAFEBAG_get_nid(bag); + + if (bag_type == NID_certBag || bag_type == NID_crlBag || + bag_type == NID_secretBag) + return OBJ_obj2nid(bag->value.bag->type); + + return -1; +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_get_bag_nid); + +X509 * +PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag) +{ + if (OBJ_obj2nid(bag->type) != NID_certBag) + return NULL; + if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Certificate) + return NULL; + return 
ASN1_item_unpack(bag->value.bag->value.octet, &X509_it); +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_get1_cert); + +X509_CRL * +PKCS12_SAFEBAG_get1_crl(const PKCS12_SAFEBAG *bag) +{ + if (OBJ_obj2nid(bag->type) != NID_crlBag) + return NULL; + if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Crl) + return NULL; + return ASN1_item_unpack(bag->value.bag->value.octet, &X509_CRL_it); +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_get1_crl); + +PKCS12_SAFEBAG * +PKCS12_SAFEBAG_create_cert(X509 *x509) +{ + return PKCS12_item_pack_safebag(x509, &X509_it, + NID_x509Certificate, NID_certBag); +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_create_cert); + +PKCS12_SAFEBAG * +PKCS12_SAFEBAG_create_crl(X509_CRL *crl) +{ + return PKCS12_item_pack_safebag(crl, &X509_CRL_it, + NID_x509Crl, NID_crlBag); +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_create_crl); + +/* Turn PKCS8 object into a keybag */ + +PKCS12_SAFEBAG * +PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8) +{ + PKCS12_SAFEBAG *bag; + + if ((bag = PKCS12_SAFEBAG_new()) == NULL) { + PKCS12error(ERR_R_MALLOC_FAILURE); + return NULL; + } + + bag->type = OBJ_nid2obj(NID_keyBag); + bag->value.keybag = p8; + + return bag; +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_create0_p8inf); + +/* Turn PKCS8 object into a shrouded keybag */ + +PKCS12_SAFEBAG * +PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8) +{ + PKCS12_SAFEBAG *bag; + + /* Set up the safe bag */ + if ((bag = PKCS12_SAFEBAG_new()) == NULL) { + PKCS12error(ERR_R_MALLOC_FAILURE); + return NULL; + } + + bag->type = OBJ_nid2obj(NID_pkcs8ShroudedKeyBag); + bag->value.shkeybag = p8; + + return bag; +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_create0_pkcs8); + +PKCS12_SAFEBAG * +PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid, const char *pass, int passlen, + unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8info) +{ + const EVP_CIPHER *pbe_ciph; + X509_SIG *p8; + PKCS12_SAFEBAG *bag; + + if ((pbe_ciph = EVP_get_cipherbynid(pbe_nid)) != NULL) + pbe_nid = -1; + + if ((p8 = PKCS8_encrypt(pbe_nid, pbe_ciph, pass, passlen, salt, 
saltlen, + iter, p8info)) == NULL) + return NULL; + + if ((bag = PKCS12_SAFEBAG_create0_pkcs8(p8)) == NULL) { + X509_SIG_free(p8); + return NULL; + } + + return bag; +} +LCRYPTO_ALIAS(PKCS12_SAFEBAG_create_pkcs8_encrypt); diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c index ff3a035..72692a9 100644 --- a/crypto/pkcs12/p12_utl.c +++ b/crypto/pkcs12/p12_utl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_utl.c,v 1.16 2018/05/30 15:32:11 tb Exp $ */ +/* $OpenBSD: p12_utl.c,v 1.21 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -62,6 +62,8 @@ #include +#include "pkcs12_local.h" + /* Cheap and nasty Unicode stuff */ unsigned char * @@ -98,6 +100,7 @@ OPENSSL_asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen) *uni = unitmp; return unitmp; } +LCRYPTO_ALIAS(OPENSSL_asc2uni); char * OPENSSL_uni2asc(const unsigned char *uni, int unilen) 
@@ -123,63 +126,32 @@ OPENSSL_uni2asc(const unsigned char *uni, int unilen) asctmp[asclen - 1] = '\0'; return asctmp; } +LCRYPTO_ALIAS(OPENSSL_uni2asc); int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12) { return ASN1_item_i2d_bio(&PKCS12_it, bp, p12); } +LCRYPTO_ALIAS(i2d_PKCS12_bio); int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12) { return ASN1_item_i2d_fp(&PKCS12_it, fp, p12); } +LCRYPTO_ALIAS(i2d_PKCS12_fp); PKCS12 * d2i_PKCS12_bio(BIO *bp, PKCS12 **p12) { return ASN1_item_d2i_bio(&PKCS12_it, bp, p12); } +LCRYPTO_ALIAS(d2i_PKCS12_bio); PKCS12 * d2i_PKCS12_fp(FILE *fp, PKCS12 **p12) { return ASN1_item_d2i_fp(&PKCS12_it, fp, p12); } - -PKCS12_SAFEBAG * -PKCS12_x5092certbag(X509 *x509) -{ - return PKCS12_item_pack_safebag(x509, &X509_it, - NID_x509Certificate, NID_certBag); -} - -PKCS12_SAFEBAG * -PKCS12_x509crl2certbag(X509_CRL *crl) -{ - return PKCS12_item_pack_safebag(crl, &X509_CRL_it, - NID_x509Crl, NID_crlBag); -} - -X509 * -PKCS12_certbag2x509(PKCS12_SAFEBAG *bag) -{ - if (OBJ_obj2nid(bag->type) != NID_certBag) - return NULL; - if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Certificate) - return NULL; - return ASN1_item_unpack(bag->value.bag->value.octet, - &X509_it); -} - -X509_CRL * -PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag) -{ - if (OBJ_obj2nid(bag->type) != NID_crlBag) - return NULL; - if (OBJ_obj2nid(bag->value.bag->type) != NID_x509Crl) - return NULL; - return ASN1_item_unpack(bag->value.bag->value.octet, - &X509_CRL_it); -} +LCRYPTO_ALIAS(d2i_PKCS12_fp); diff --git a/crypto/pkcs12/pk12err.c b/crypto/pkcs12/pk12err.c index c1d075a..3af0352 100644 --- a/crypto/pkcs12/pk12err.c +++ b/crypto/pkcs12/pk12err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pk12err.c,v 1.11 2020/06/05 16:51:12 jsing Exp $ */ +/* $OpenBSD: pk12err.c,v 1.14 2023/02/16 08:38:17 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. * 
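Review bot: The hunk deletes the exported functions PKCS12_x5092certbag(), PKCS12_x509crl2certbag(), PKCS12_certbag2x509() and PKCS12_certbag2x509crl() from p12_utl.c, which removes four symbols from libcrypto's ABI while only adding LCRYPTO_ALIAS markers for the remaining ones. Unless pkcs12.h now maps the old names onto the PKCS12_SAFEBAG_create_cert()/PKCS12_SAFEBAG_get1_cert() family (not visible in this diff), existing callers will fail to link, so the removal should be paired with compatibility defines such as `#define PKCS12_x5092certbag PKCS12_SAFEBAG_create_cert` or an explicit shared-library major bump. The replacements take a `const PKCS12_SAFEBAG *`, so a macro alias would remain source-compatible with old callers.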
@@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS12,func,0) @@ -114,3 +108,4 @@ ERR_load_PKCS12_strings(void) } #endif } +LCRYPTO_ALIAS(ERR_load_PKCS12_strings); diff --git a/crypto/x509/vpm_int.h b/crypto/pkcs12/pkcs12_local.h similarity index 71% rename from crypto/x509/vpm_int.h rename to crypto/pkcs12/pkcs12_local.h index 7fc9fef..1d6f055 100644 --- a/crypto/x509/vpm_int.h +++ b/crypto/pkcs12/pkcs12_local.h @@ -1,10 +1,9 @@ -/* $OpenBSD: vpm_int.h,v 1.4 2018/04/06 07:08:20 beck Exp $ */ -/* - * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project - * 2013. +/* $OpenBSD: pkcs12_local.h,v 1.3 2022/11/26 17:23:18 tb Exp $ */ +/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project 1999. */ /* ==================================================================== - * Copyright (c) 2013 The OpenSSL Project. All rights reserved. + * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
@@ -57,19 +56,46 @@ * */ +#ifndef HEADER_PKCS12_LOCAL_H +#define HEADER_PKCS12_LOCAL_H + __BEGIN_HIDDEN_DECLS -/* internal only structure to hold additional X509_VERIFY_PARAM data */ +struct PKCS12_MAC_DATA_st { + X509_SIG *dinfo; + ASN1_OCTET_STRING *salt; + ASN1_INTEGER *iter; /* defaults to 1 */ +}; -struct X509_VERIFY_PARAM_ID_st { - STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */ - unsigned int hostflags; /* Flags to control matching features */ - char *peername; /* Matching hostname in peer certificate */ - char *email; /* If not NULL email address to match */ - size_t emaillen; - unsigned char *ip; /* If not NULL IP address to match */ - size_t iplen; /* Length of IP address */ - int poisoned; +struct PKCS12_st { + ASN1_INTEGER *version; + PKCS12_MAC_DATA *mac; + PKCS7 *authsafes; +}; + +struct PKCS12_SAFEBAG_st { + ASN1_OBJECT *type; + union { + struct pkcs12_bag_st *bag; /* secret, crl and certbag */ + struct pkcs8_priv_key_info_st *keybag; /* keybag */ + X509_SIG *shkeybag; /* shrouded key bag */ + STACK_OF(PKCS12_SAFEBAG) *safes; + ASN1_TYPE *other; + } value; + STACK_OF(X509_ATTRIBUTE) *attrib; +}; + +struct pkcs12_bag_st { + ASN1_OBJECT *type; + union { + ASN1_OCTET_STRING *x509cert; + ASN1_OCTET_STRING *x509crl; + ASN1_OCTET_STRING *octet; + ASN1_IA5STRING *sdsicert; + ASN1_TYPE *other; /* Secret or other bag */ + } value; }; __END_HIDDEN_DECLS + +#endif /* !HEADER_PKCS12_LOCAL_H */ diff --git a/crypto/pkcs7/bio_pk7.c b/crypto/pkcs7/bio_pk7.c deleted file mode 100644 index ad3c5e2..0000000 --- a/crypto/pkcs7/bio_pk7.c +++ /dev/null 
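Review bot: The `value` union in the new struct PKCS12_SAFEBAG_st is discriminated by `type`, but the header never says which member is live for which bag OID, so a reader has to reverse that from the accessor functions. A comment above the union would make the contract explicit, e.g. `/* Active member is selected by OBJ_obj2nid(type): certBag/crlBag/secretBag -> bag, keyBag -> keybag, pkcs8ShroudedKeyBag -> shkeybag, safeContentsBag -> safes, anything else -> other. Check type before reading value. */` The same applies to the `value` union in struct pkcs12_bag_st, where `other` stands in for secret and unknown bags. The mapping above is the one the accessors in p12_sbag.c appear to use; confirm it against them before committing the comment.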
@@ -1,66 +0,0 @@ -/* $OpenBSD: bio_pk7.c,v 1.5 2016/12/30 15:38:13 jsing Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project. - */ -/* ==================================================================== - * Copyright (c) 2008 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - */ - -#include -#include -#include - -#include - -/* Streaming encode support for PKCS#7 */ -BIO * -BIO_new_PKCS7(BIO *out, PKCS7 *p7) -{ - return BIO_new_NDEF(out, (ASN1_VALUE *)p7, &PKCS7_it); -} diff --git a/crypto/pkcs7/pk7_asn1.c b/crypto/pkcs7/pk7_asn1.c index 6665905..27f4103 100644 --- a/crypto/pkcs7/pk7_asn1.c +++ b/crypto/pkcs7/pk7_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pk7_asn1.c,v 1.13 2022/01/14 08:16:13 tb Exp $ */ +/* $OpenBSD: pk7_asn1.c,v 1.17 2023/04/25 18:04:03 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -163,6 +163,7 @@ pk7_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) case ASN1_OP_STREAM_PRE: if (PKCS7_stream(&sarg->boundary, *pp7) <= 0) return 0; + /* FALLTHROUGH */ case ASN1_OP_DETACHED_PRE: sarg->ndef_bio = PKCS7_dataInit(*pp7, sarg->out); 
@@ -221,36 +222,35 @@ d2i_PKCS7(PKCS7 **a, const unsigned char **in, long len) return (PKCS7 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKCS7_it); } +LCRYPTO_ALIAS(d2i_PKCS7); int i2d_PKCS7(PKCS7 *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS7_it); } +LCRYPTO_ALIAS(i2d_PKCS7); PKCS7 * PKCS7_new(void) { return (PKCS7 *)ASN1_item_new(&PKCS7_it); } +LCRYPTO_ALIAS(PKCS7_new); void PKCS7_free(PKCS7 *a) { ASN1_item_free((ASN1_VALUE *)a, &PKCS7_it); } - -int -i2d_PKCS7_NDEF(PKCS7 *a, unsigned char **out) -{ - return ASN1_item_ndef_i2d((ASN1_VALUE *)a, out, &PKCS7_it); -} +LCRYPTO_ALIAS(PKCS7_free); PKCS7 * PKCS7_dup(PKCS7 *x) { return ASN1_item_dup(&PKCS7_it, x); } +LCRYPTO_ALIAS(PKCS7_dup); static const ASN1_TEMPLATE PKCS7_SIGNED_seq_tt[] = { { @@ -314,24 +314,28 @@ d2i_PKCS7_SIGNED(PKCS7_SIGNED **a, const unsigned char **in, long len) return (PKCS7_SIGNED *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKCS7_SIGNED_it); } +LCRYPTO_ALIAS(d2i_PKCS7_SIGNED); int i2d_PKCS7_SIGNED(PKCS7_SIGNED *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS7_SIGNED_it); } +LCRYPTO_ALIAS(i2d_PKCS7_SIGNED); PKCS7_SIGNED * PKCS7_SIGNED_new(void) { return (PKCS7_SIGNED *)ASN1_item_new(&PKCS7_SIGNED_it); } +LCRYPTO_ALIAS(PKCS7_SIGNED_new); void PKCS7_SIGNED_free(PKCS7_SIGNED *a) { ASN1_item_free((ASN1_VALUE *)a, &PKCS7_SIGNED_it); } +LCRYPTO_ALIAS(PKCS7_SIGNED_free); /* Minor tweak to operation: free up EVP_PKEY */ static int 
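Review bot: The first hunk removes the exported i2d_PKCS7_NDEF() while adding LCRYPTO_ALIAS markers to its neighbours, so this is an ABI-visible symbol removal rather than a pure alias change. If nothing in the tree still references it that is fine for the build, but external consumers linked against the previous libcrypto will break unless the shared-library major version is bumped or a compatibility wrapper is kept, e.g. `int i2d_PKCS7_NDEF(PKCS7 *a, unsigned char **out) { return ASN1_item_ndef_i2d((ASN1_VALUE *)a, out, &PKCS7_it); }`. Whether the version was bumped is not visible in this diff.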
@@ -426,24 +430,28 @@ d2i_PKCS7_SIGNER_INFO(PKCS7_SIGNER_INFO **a, const unsigned char **in, long len) return (PKCS7_SIGNER_INFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKCS7_SIGNER_INFO_it); } +LCRYPTO_ALIAS(d2i_PKCS7_SIGNER_INFO); int i2d_PKCS7_SIGNER_INFO(PKCS7_SIGNER_INFO *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS7_SIGNER_INFO_it); } +LCRYPTO_ALIAS(i2d_PKCS7_SIGNER_INFO); PKCS7_SIGNER_INFO * PKCS7_SIGNER_INFO_new(void) { return (PKCS7_SIGNER_INFO *)ASN1_item_new(&PKCS7_SIGNER_INFO_it); } +LCRYPTO_ALIAS(PKCS7_SIGNER_INFO_new); void PKCS7_SIGNER_INFO_free(PKCS7_SIGNER_INFO *a) { ASN1_item_free((ASN1_VALUE *)a, &PKCS7_SIGNER_INFO_it); } +LCRYPTO_ALIAS(PKCS7_SIGNER_INFO_free); static const ASN1_TEMPLATE PKCS7_ISSUER_AND_SERIAL_seq_tt[] = { { @@ -479,24 +487,28 @@ d2i_PKCS7_ISSUER_AND_SERIAL(PKCS7_ISSUER_AND_SERIAL **a, const unsigned char **i return (PKCS7_ISSUER_AND_SERIAL *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKCS7_ISSUER_AND_SERIAL_it); } +LCRYPTO_ALIAS(d2i_PKCS7_ISSUER_AND_SERIAL); int i2d_PKCS7_ISSUER_AND_SERIAL(PKCS7_ISSUER_AND_SERIAL *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS7_ISSUER_AND_SERIAL_it); } +LCRYPTO_ALIAS(i2d_PKCS7_ISSUER_AND_SERIAL); PKCS7_ISSUER_AND_SERIAL * PKCS7_ISSUER_AND_SERIAL_new(void) { return (PKCS7_ISSUER_AND_SERIAL *)ASN1_item_new(&PKCS7_ISSUER_AND_SERIAL_it); } +LCRYPTO_ALIAS(PKCS7_ISSUER_AND_SERIAL_new); void PKCS7_ISSUER_AND_SERIAL_free(PKCS7_ISSUER_AND_SERIAL *a) { ASN1_item_free((ASN1_VALUE *)a, &PKCS7_ISSUER_AND_SERIAL_it); } +LCRYPTO_ALIAS(PKCS7_ISSUER_AND_SERIAL_free); static const ASN1_TEMPLATE PKCS7_ENVELOPE_seq_tt[] = { { 
@@ -539,24 +551,28 @@ d2i_PKCS7_ENVELOPE(PKCS7_ENVELOPE **a, const unsigned char **in, long len) return (PKCS7_ENVELOPE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKCS7_ENVELOPE_it); } +LCRYPTO_ALIAS(d2i_PKCS7_ENVELOPE); int i2d_PKCS7_ENVELOPE(PKCS7_ENVELOPE *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS7_ENVELOPE_it); } +LCRYPTO_ALIAS(i2d_PKCS7_ENVELOPE); PKCS7_ENVELOPE * PKCS7_ENVELOPE_new(void) { return (PKCS7_ENVELOPE *)ASN1_item_new(&PKCS7_ENVELOPE_it); } +LCRYPTO_ALIAS(PKCS7_ENVELOPE_new); void PKCS7_ENVELOPE_free(PKCS7_ENVELOPE *a) { ASN1_item_free((ASN1_VALUE *)a, &PKCS7_ENVELOPE_it); } +LCRYPTO_ALIAS(PKCS7_ENVELOPE_free); /* Minor tweak to operation: free up X509 */ static int @@ -625,24 +641,28 @@ d2i_PKCS7_RECIP_INFO(PKCS7_RECIP_INFO **a, const unsigned char **in, long len) return (PKCS7_RECIP_INFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKCS7_RECIP_INFO_it); } +LCRYPTO_ALIAS(d2i_PKCS7_RECIP_INFO); int i2d_PKCS7_RECIP_INFO(PKCS7_RECIP_INFO *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS7_RECIP_INFO_it); } +LCRYPTO_ALIAS(i2d_PKCS7_RECIP_INFO); PKCS7_RECIP_INFO * PKCS7_RECIP_INFO_new(void) { return (PKCS7_RECIP_INFO *)ASN1_item_new(&PKCS7_RECIP_INFO_it); } +LCRYPTO_ALIAS(PKCS7_RECIP_INFO_new); void PKCS7_RECIP_INFO_free(PKCS7_RECIP_INFO *a) { ASN1_item_free((ASN1_VALUE *)a, &PKCS7_RECIP_INFO_it); } +LCRYPTO_ALIAS(PKCS7_RECIP_INFO_free); static const ASN1_TEMPLATE PKCS7_ENC_CONTENT_seq_tt[] = { { 
@@ -685,24 +705,28 @@ d2i_PKCS7_ENC_CONTENT(PKCS7_ENC_CONTENT **a, const unsigned char **in, long len) return (PKCS7_ENC_CONTENT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKCS7_ENC_CONTENT_it); } +LCRYPTO_ALIAS(d2i_PKCS7_ENC_CONTENT); int i2d_PKCS7_ENC_CONTENT(PKCS7_ENC_CONTENT *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS7_ENC_CONTENT_it); } +LCRYPTO_ALIAS(i2d_PKCS7_ENC_CONTENT); PKCS7_ENC_CONTENT * PKCS7_ENC_CONTENT_new(void) { return (PKCS7_ENC_CONTENT *)ASN1_item_new(&PKCS7_ENC_CONTENT_it); } +LCRYPTO_ALIAS(PKCS7_ENC_CONTENT_new); void PKCS7_ENC_CONTENT_free(PKCS7_ENC_CONTENT *a) { ASN1_item_free((ASN1_VALUE *)a, &PKCS7_ENC_CONTENT_it); } +LCRYPTO_ALIAS(PKCS7_ENC_CONTENT_free); static const ASN1_TEMPLATE PKCS7_SIGN_ENVELOPE_seq_tt[] = { { @@ -773,24 +797,28 @@ d2i_PKCS7_SIGN_ENVELOPE(PKCS7_SIGN_ENVELOPE **a, const unsigned char **in, long return (PKCS7_SIGN_ENVELOPE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKCS7_SIGN_ENVELOPE_it); } +LCRYPTO_ALIAS(d2i_PKCS7_SIGN_ENVELOPE); int i2d_PKCS7_SIGN_ENVELOPE(PKCS7_SIGN_ENVELOPE *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS7_SIGN_ENVELOPE_it); } +LCRYPTO_ALIAS(i2d_PKCS7_SIGN_ENVELOPE); PKCS7_SIGN_ENVELOPE * PKCS7_SIGN_ENVELOPE_new(void) { return (PKCS7_SIGN_ENVELOPE *)ASN1_item_new(&PKCS7_SIGN_ENVELOPE_it); } +LCRYPTO_ALIAS(PKCS7_SIGN_ENVELOPE_new); void PKCS7_SIGN_ENVELOPE_free(PKCS7_SIGN_ENVELOPE *a) { ASN1_item_free((ASN1_VALUE *)a, &PKCS7_SIGN_ENVELOPE_it); } +LCRYPTO_ALIAS(PKCS7_SIGN_ENVELOPE_free); static const ASN1_TEMPLATE PKCS7_ENCRYPT_seq_tt[] = { { 
@@ -826,24 +854,28 @@ d2i_PKCS7_ENCRYPT(PKCS7_ENCRYPT **a, const unsigned char **in, long len) return (PKCS7_ENCRYPT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKCS7_ENCRYPT_it); } +LCRYPTO_ALIAS(d2i_PKCS7_ENCRYPT); int i2d_PKCS7_ENCRYPT(PKCS7_ENCRYPT *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS7_ENCRYPT_it); } +LCRYPTO_ALIAS(i2d_PKCS7_ENCRYPT); PKCS7_ENCRYPT * PKCS7_ENCRYPT_new(void) { return (PKCS7_ENCRYPT *)ASN1_item_new(&PKCS7_ENCRYPT_it); } +LCRYPTO_ALIAS(PKCS7_ENCRYPT_new); void PKCS7_ENCRYPT_free(PKCS7_ENCRYPT *a) { ASN1_item_free((ASN1_VALUE *)a, &PKCS7_ENCRYPT_it); } +LCRYPTO_ALIAS(PKCS7_ENCRYPT_free); static const ASN1_TEMPLATE PKCS7_DIGEST_seq_tt[] = { { @@ -893,24 +925,28 @@ d2i_PKCS7_DIGEST(PKCS7_DIGEST **a, const unsigned char **in, long len) return (PKCS7_DIGEST *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKCS7_DIGEST_it); } +LCRYPTO_ALIAS(d2i_PKCS7_DIGEST); int i2d_PKCS7_DIGEST(PKCS7_DIGEST *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKCS7_DIGEST_it); } +LCRYPTO_ALIAS(i2d_PKCS7_DIGEST); PKCS7_DIGEST * PKCS7_DIGEST_new(void) { return (PKCS7_DIGEST *)ASN1_item_new(&PKCS7_DIGEST_it); } +LCRYPTO_ALIAS(PKCS7_DIGEST_new); void PKCS7_DIGEST_free(PKCS7_DIGEST *a) { ASN1_item_free((ASN1_VALUE *)a, &PKCS7_DIGEST_it); } +LCRYPTO_ALIAS(PKCS7_DIGEST_free); /* Specials for authenticated attributes */ 
@@ -965,3 +1001,41 @@ PKCS7_print_ctx(BIO *out, PKCS7 *x, int indent, const ASN1_PCTX *pctx) return ASN1_item_print(out, (ASN1_VALUE *)x, indent, &PKCS7_it, pctx); } +LCRYPTO_ALIAS(PKCS7_print_ctx); + +PKCS7 * +d2i_PKCS7_bio(BIO *bp, PKCS7 **p7) +{ + return ASN1_item_d2i_bio(&PKCS7_it, bp, p7); +} +LCRYPTO_ALIAS(d2i_PKCS7_bio); + +int +i2d_PKCS7_bio(BIO *bp, PKCS7 *p7) +{ + return ASN1_item_i2d_bio(&PKCS7_it, bp, p7); +} +LCRYPTO_ALIAS(i2d_PKCS7_bio); + +PKCS7 * +d2i_PKCS7_fp(FILE *fp, PKCS7 **p7) +{ + return ASN1_item_d2i_fp(&PKCS7_it, fp, p7); +} +LCRYPTO_ALIAS(d2i_PKCS7_fp); + +int +i2d_PKCS7_fp(FILE *fp, PKCS7 *p7) +{ + return ASN1_item_i2d_fp(&PKCS7_it, fp, p7); +} +LCRYPTO_ALIAS(i2d_PKCS7_fp); + +int +PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, + const EVP_MD *type, unsigned char *md, unsigned int *len) +{ + return(ASN1_item_digest(&PKCS7_ISSUER_AND_SERIAL_it, type, + (char *)data, md, len)); +} +LCRYPTO_ALIAS(PKCS7_ISSUER_AND_SERIAL_digest); diff --git a/crypto/pkcs7/pk7_attr.c b/crypto/pkcs7/pk7_attr.c index f882ba7..5eff524 100644 --- a/crypto/pkcs7/pk7_attr.c +++ b/crypto/pkcs7/pk7_attr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pk7_attr.c,v 1.12 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: pk7_attr.c,v 1.14 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -79,6 +79,7 @@ PKCS7_add_attrib_smimecap(PKCS7_SIGNER_INFO *si, STACK_OF(X509_ALGOR) *cap) return PKCS7_add_signed_attribute(si, NID_SMIMECapabilities, V_ASN1_SEQUENCE, seq); } +LCRYPTO_ALIAS(PKCS7_add_attrib_smimecap); STACK_OF(X509_ALGOR) * PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si) @@ -94,6 +95,7 @@ PKCS7_get_smimecap(PKCS7_SIGNER_INFO *si) ASN1_item_d2i(NULL, &p, cap->value.sequence->length, &X509_ALGORS_it); } +LCRYPTO_ALIAS(PKCS7_get_smimecap); /* Basic smime-capabilities OID and optional integer arg */ int 
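Review bot: PKCS7_ISSUER_AND_SERIAL_digest() at the end of the hunk casts `data` to `char *` and wraps the call in redundant parentheses; ASN1_item_digest() accepts a `void *`, so the cast adds nothing and would mask a future signature change. Suggest `return ASN1_item_digest(&PKCS7_ISSUER_AND_SERIAL_it, type, data, md, len);`, matching the style of the four d2i/i2d BIO and FILE wrappers added just above it. A one-line comment stating that `md` must be large enough for the digest of `type` (presumably EVP_MAX_MD_SIZE, as for other ASN1_item_digest users) would also help callers of this newly placed function.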
@@ -130,6 +132,7 @@ err: X509_ALGOR_free(alg); return 0; } +LCRYPTO_ALIAS(PKCS7_simple_smimecap); int PKCS7_add_attrib_content_type(PKCS7_SIGNER_INFO *si, ASN1_OBJECT *coid) @@ -141,6 +144,7 @@ PKCS7_add_attrib_content_type(PKCS7_SIGNER_INFO *si, ASN1_OBJECT *coid) return PKCS7_add_signed_attribute(si, NID_pkcs9_contentType, V_ASN1_OBJECT, coid); } +LCRYPTO_ALIAS(PKCS7_add_attrib_content_type); int PKCS7_add0_attrib_signing_time(PKCS7_SIGNER_INFO *si, ASN1_TIME *t) @@ -152,6 +156,7 @@ PKCS7_add0_attrib_signing_time(PKCS7_SIGNER_INFO *si, ASN1_TIME *t) return PKCS7_add_signed_attribute(si, NID_pkcs9_signingTime, V_ASN1_UTCTIME, t); } +LCRYPTO_ALIAS(PKCS7_add0_attrib_signing_time); int PKCS7_add1_attrib_digest(PKCS7_SIGNER_INFO *si, const unsigned char *md, @@ -170,3 +175,4 @@ PKCS7_add1_attrib_digest(PKCS7_SIGNER_INFO *si, const unsigned char *md, } return 1; } +LCRYPTO_ALIAS(PKCS7_add1_attrib_digest); diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index c9d64bc..d5edaed 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pk7_doit.c,v 1.46 2021/12/12 21:30:14 tb Exp $ */ +/* $OpenBSD: pk7_doit.c,v 1.52 2023/03/09 18:20:10 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -65,8 +65,8 @@ #include #include -#include "evp_locl.h" -#include "x509_lcl.h" +#include "evp_local.h" +#include "x509_local.h" static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value); @@ -112,6 +112,7 @@ PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg) { BIO *btmp; const EVP_MD *md; + if ((btmp = BIO_new(BIO_f_md())) == NULL) { PKCS7error(ERR_R_BIO_LIB); goto err; @@ -123,7 +124,11 @@ PKCS7_bio_add_digest(BIO **pbio, X509_ALGOR *alg) goto err; } - BIO_set_md(btmp, md); + if (BIO_set_md(btmp, md) <= 0) { + PKCS7error(ERR_R_BIO_LIB); + goto err; + } + if (*pbio == NULL) *pbio = btmp; else if (!BIO_push(*pbio, btmp)) { 
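Review bot: The new `BIO_set_md()` failure check in PKCS7_bio_add_digest() jumps to `err:` at a point where `btmp` has been allocated but not yet stored in `*pbio` or pushed onto it. That is only leak-free if the `err:` label, which lies outside the hunk, frees `btmp`; if it does not, add `BIO_free(btmp);` before the `goto err` or fold the free into the label. The `<= 0` comparison is the right one, since BIO_ctrl()-based setters can return a negative value for an unsupported control as well as 0 on failure.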
@@ -404,6 +409,7 @@ err: } return (out); } +LCRYPTO_ALIAS(PKCS7_dataInit); static int pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert) @@ -496,7 +502,10 @@ PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) goto err; } - BIO_set_md(btmp, evp_md); + if (BIO_set_md(btmp, evp_md) <= 0) { + PKCS7error(ERR_R_BIO_LIB); + goto err; + } if (out == NULL) out = btmp; else @@ -533,7 +542,7 @@ PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) /* If we haven't got a certificate try each ri in turn */ if (pcert == NULL) { /* Always attempt to decrypt all rinfo even - * after sucess as a defence against MMA timing + * after success as a defence against MMA timing * attacks. */ for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { @@ -629,6 +638,7 @@ err: } return (out); } +LCRYPTO_ALIAS(PKCS7_dataDecode); static BIO * PKCS7_find_digest(EVP_MD_CTX **pmd, BIO *bio, int nid) @@ -857,6 +867,7 @@ err: EVP_MD_CTX_cleanup(&ctx_tmp); return (ret); } +LCRYPTO_ALIAS(PKCS7_dataFinal); int PKCS7_SIGNER_INFO_sign(PKCS7_SIGNER_INFO *si) @@ -915,6 +926,7 @@ err: EVP_MD_CTX_cleanup(&mctx); return 0; } +LCRYPTO_ALIAS(PKCS7_SIGNER_INFO_sign); int PKCS7_dataVerify(X509_STORE *cert_store, X509_STORE_CTX *ctx, BIO *bio, @@ -976,6 +988,7 @@ err: return ret; } +LCRYPTO_ALIAS(PKCS7_dataVerify); int PKCS7_signatureVerify(BIO *bio, PKCS7 *p7, PKCS7_SIGNER_INFO *si, X509 *x509) @@ -1082,6 +1095,7 @@ err: EVP_MD_CTX_cleanup(&mdc_tmp); return (ret); } +LCRYPTO_ALIAS(PKCS7_signatureVerify); PKCS7_ISSUER_AND_SERIAL * PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) 
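Review bot: In the PKCS7_dataDecode() hunk, the added `BIO_set_md()` check takes the shared `err:` path with `btmp` allocated but not yet attached to `out`, so whether this new early exit leaks depends on the cleanup code outside the hunk freeing `btmp` separately from `out`. Please confirm the label does `BIO_free_all(btmp)` (or equivalent) when `btmp` is non-NULL; if it only frees `out`, the fix is to free `btmp` before `goto err` in this branch. The rest of PKCS7_dataDecode(), including its error path, is outside the hunk.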
@@ -1104,18 +1118,21 @@ PKCS7_get_issuer_and_serial(PKCS7 *p7, int idx) ri = sk_PKCS7_RECIP_INFO_value(rsk, idx); return (ri->issuer_and_serial); } +LCRYPTO_ALIAS(PKCS7_get_issuer_and_serial); ASN1_TYPE * PKCS7_get_signed_attribute(PKCS7_SIGNER_INFO *si, int nid) { return (get_attribute(si->auth_attr, nid)); } +LCRYPTO_ALIAS(PKCS7_get_signed_attribute); ASN1_TYPE * PKCS7_get_attribute(PKCS7_SIGNER_INFO *si, int nid) { return (get_attribute(si->unauth_attr, nid)); } +LCRYPTO_ALIAS(PKCS7_get_attribute); static ASN1_TYPE * get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid) @@ -1129,12 +1146,8 @@ get_attribute(STACK_OF(X509_ATTRIBUTE) *sk, int nid) return (NULL); for (i = 0; i < sk_X509_ATTRIBUTE_num(sk); i++) { xa = sk_X509_ATTRIBUTE_value(sk, i); - if (OBJ_cmp(xa->object, o) == 0) { - if (!xa->single && sk_ASN1_TYPE_num(xa->value.set)) - return (sk_ASN1_TYPE_value(xa->value.set, 0)); - else - return (NULL); - } + if (OBJ_cmp(xa->object, o) == 0) + return (sk_ASN1_TYPE_value(xa->set, 0)); } return (NULL); } @@ -1150,6 +1163,7 @@ PKCS7_digest_from_attributes(STACK_OF(X509_ATTRIBUTE) *sk) return NULL; return astype->value.octet_string; } +LCRYPTO_ALIAS(PKCS7_digest_from_attributes); int PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, @@ -1171,6 +1185,7 @@ PKCS7_set_signed_attributes(PKCS7_SIGNER_INFO *p7si, } return (1); } +LCRYPTO_ALIAS(PKCS7_set_signed_attributes); int PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk) @@ -1191,6 +1206,7 @@ PKCS7_set_attributes(PKCS7_SIGNER_INFO *p7si, STACK_OF(X509_ATTRIBUTE) *sk) } return (1); } +LCRYPTO_ALIAS(PKCS7_set_attributes); int PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, 
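Review bot: The simplified get_attribute() now returns `sk_ASN1_TYPE_value(xa->set, 0)` unconditionally where the old code first checked that the value set was non-empty, so the NULL result for an attribute with no values now rests on the stack accessor's bounds check rather than on anything visible here. That is correct if sk_value() returns NULL for an out-of-range index (as the OpenSSL-derived stack code does), but the dependency deserves a comment, e.g. `/* sk_ASN1_TYPE_value() yields NULL for an empty set. */` above the return. If `set` can be NULL after the X509_ATTRIBUTE layout change, confirm the accessor tolerates a NULL stack too; x509_local.h is not in this diff.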
@@ -1198,12 +1214,14 @@ PKCS7_add_signed_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, { return (add_attribute(&(p7si->auth_attr), nid, atrtype, value)); } +LCRYPTO_ALIAS(PKCS7_add_signed_attribute); int PKCS7_add_attribute(PKCS7_SIGNER_INFO *p7si, int nid, int atrtype, void *value) { return (add_attribute(&(p7si->unauth_attr), nid, atrtype, value)); } +LCRYPTO_ALIAS(PKCS7_add_attribute); static int add_attribute(STACK_OF(X509_ATTRIBUTE) **sk, int nid, int atrtype, void *value) diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index 7e92df1..6eda698 100644 --- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pk7_lib.c,v 1.23 2021/12/12 21:30:14 tb Exp $ */ +/* $OpenBSD: pk7_lib.c,v 1.26 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,9 +62,9 @@ #include #include -#include "asn1_locl.h" -#include "evp_locl.h" -#include "x509_lcl.h" +#include "asn1_local.h" +#include "evp_local.h" +#include "x509_local.h" long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg) @@ -109,6 +109,7 @@ PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg) } return (ret); } +LCRYPTO_ALIAS(PKCS7_ctrl); int PKCS7_content_new(PKCS7 *p7, int type) @@ -128,6 +129,7 @@ err: PKCS7_free(ret); return (0); } +LCRYPTO_ALIAS(PKCS7_content_new); int PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data) @@ -158,6 +160,7 @@ PKCS7_set_content(PKCS7 *p7, PKCS7 *p7_data) err: return (0); } +LCRYPTO_ALIAS(PKCS7_set_content); int PKCS7_set_type(PKCS7 *p7, int type) @@ -227,6 +230,7 @@ PKCS7_set_type(PKCS7 *p7, int type) err: return (0); } +LCRYPTO_ALIAS(PKCS7_set_type); int PKCS7_set0_type_other(PKCS7 *p7, int type, ASN1_TYPE *other) @@ -235,6 +239,7 @@ PKCS7_set0_type_other(PKCS7 *p7, int type, ASN1_TYPE *other) p7->d.other = other; return 1; } +LCRYPTO_ALIAS(PKCS7_set0_type_other); int PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi) 
@@ -290,6 +295,7 @@ PKCS7_add_signer(PKCS7 *p7, PKCS7_SIGNER_INFO *psi) return 0; return (1); } +LCRYPTO_ALIAS(PKCS7_add_signer); int PKCS7_add_certificate(PKCS7 *p7, X509 *x509) @@ -323,6 +329,7 @@ PKCS7_add_certificate(PKCS7 *p7, X509 *x509) } return (1); } +LCRYPTO_ALIAS(PKCS7_add_certificate); int PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl) @@ -357,6 +364,7 @@ PKCS7_add_crl(PKCS7 *p7, X509_CRL *crl) } return (1); } +LCRYPTO_ALIAS(PKCS7_add_crl); int PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, @@ -401,6 +409,7 @@ PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, err: return 0; } +LCRYPTO_ALIAS(PKCS7_SIGNER_INFO_set); PKCS7_SIGNER_INFO * PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey, const EVP_MD *dgst) @@ -430,6 +439,7 @@ err: PKCS7_SIGNER_INFO_free(si); return (NULL); } +LCRYPTO_ALIAS(PKCS7_add_signature); int PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md) @@ -447,6 +457,7 @@ PKCS7_set_digest(PKCS7 *p7, const EVP_MD *md) PKCS7error(PKCS7_R_WRONG_CONTENT_TYPE); return 1; } +LCRYPTO_ALIAS(PKCS7_set_digest); STACK_OF(PKCS7_SIGNER_INFO) * PKCS7_get_signer_info(PKCS7 *p7) @@ -460,6 +471,7 @@ PKCS7_get_signer_info(PKCS7 *p7) } else return (NULL); } +LCRYPTO_ALIAS(PKCS7_get_signer_info); void PKCS7_SIGNER_INFO_get0_algs(PKCS7_SIGNER_INFO *si, EVP_PKEY **pk, @@ -472,6 +484,7 @@ PKCS7_SIGNER_INFO_get0_algs(PKCS7_SIGNER_INFO *si, EVP_PKEY **pk, if (psig) *psig = si->digest_enc_alg; } +LCRYPTO_ALIAS(PKCS7_SIGNER_INFO_get0_algs); void PKCS7_RECIP_INFO_get0_alg(PKCS7_RECIP_INFO *ri, X509_ALGOR **penc) @@ -479,6 +492,7 @@ PKCS7_RECIP_INFO_get0_alg(PKCS7_RECIP_INFO *ri, X509_ALGOR **penc) if (penc) *penc = ri->key_enc_algor; } +LCRYPTO_ALIAS(PKCS7_RECIP_INFO_get0_alg); PKCS7_RECIP_INFO * PKCS7_add_recipient(PKCS7 *p7, X509 *x509) @@ -497,6 +511,7 @@ err: PKCS7_RECIP_INFO_free(ri); return NULL; } +LCRYPTO_ALIAS(PKCS7_add_recipient); int PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri) 
@@ -521,6 +536,7 @@ PKCS7_add_recipient_info(PKCS7 *p7, PKCS7_RECIP_INFO *ri) return 0; return (1); } +LCRYPTO_ALIAS(PKCS7_add_recipient_info); int PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509) @@ -567,6 +583,7 @@ err: EVP_PKEY_free(pkey); return 0; } +LCRYPTO_ALIAS(PKCS7_RECIP_INFO_set); X509 * PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si) @@ -578,6 +595,7 @@ PKCS7_cert_from_signer_info(PKCS7 *p7, PKCS7_SIGNER_INFO *si) else return (NULL); } +LCRYPTO_ALIAS(PKCS7_cert_from_signer_info); int PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher) @@ -608,6 +626,7 @@ PKCS7_set_cipher(PKCS7 *p7, const EVP_CIPHER *cipher) ec->cipher = cipher; return 1; } +LCRYPTO_ALIAS(PKCS7_set_cipher); int PKCS7_stream(unsigned char ***boundary, PKCS7 *p7) @@ -652,3 +671,4 @@ PKCS7_stream(unsigned char ***boundary, PKCS7 *p7) return 1; } +LCRYPTO_ALIAS(PKCS7_stream); diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c index fad331b..f00e18c 100644 --- a/crypto/pkcs7/pk7_mime.c +++ b/crypto/pkcs7/pk7_mime.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pk7_mime.c,v 1.13 2016/12/30 15:38:13 jsing Exp $ */ +/* $OpenBSD: pk7_mime.c,v 1.19 2023/05/02 09:56:12 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -58,14 +58,22 @@ #include #include +#include "asn1_local.h" + /* PKCS#7 wrappers round generalised stream and MIME routines */ +BIO * +BIO_new_PKCS7(BIO *out, PKCS7 *p7) +{ + return BIO_new_NDEF(out, (ASN1_VALUE *)p7, &PKCS7_it); +} +LCRYPTO_ALIAS(BIO_new_PKCS7); int i2d_PKCS7_bio_stream(BIO *out, PKCS7 *p7, BIO *in, int flags) { - return i2d_ASN1_bio_stream(out, (ASN1_VALUE *)p7, in, flags, - &PKCS7_it); + return i2d_ASN1_bio_stream(out, (ASN1_VALUE *)p7, in, flags, &PKCS7_it); } +LCRYPTO_ALIAS(i2d_PKCS7_bio_stream); int PEM_write_bio_PKCS7_stream(BIO *out, PKCS7 *p7, BIO *in, int flags) 
@@ -73,26 +81,27 @@ PEM_write_bio_PKCS7_stream(BIO *out, PKCS7 *p7, BIO *in, int flags) return PEM_write_bio_ASN1_stream(out, (ASN1_VALUE *) p7, in, flags, "PKCS7", &PKCS7_it); } +LCRYPTO_ALIAS(PEM_write_bio_PKCS7_stream); int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) { - STACK_OF(X509_ALGOR) *mdalgs; - int ctype_nid = OBJ_obj2nid(p7->type); - if (ctype_nid == NID_pkcs7_signed) + STACK_OF(X509_ALGOR) *mdalgs = NULL; + int ctype_nid; + + if ((ctype_nid = OBJ_obj2nid(p7->type)) == NID_pkcs7_signed) mdalgs = p7->d.sign->md_algs; - else - mdalgs = NULL; flags ^= SMIME_OLDMIME; - return SMIME_write_ASN1(bio, (ASN1_VALUE *)p7, data, flags, ctype_nid, NID_undef, mdalgs, &PKCS7_it); } +LCRYPTO_ALIAS(SMIME_write_PKCS7); PKCS7 * SMIME_read_PKCS7(BIO *bio, BIO **bcont) { return (PKCS7 *)SMIME_read_ASN1(bio, bcont, &PKCS7_it); } +LCRYPTO_ALIAS(SMIME_read_PKCS7); diff --git a/crypto/pkcs7/pk7_smime.c b/crypto/pkcs7/pk7_smime.c index f11d23e..c113ac3 100644 --- a/crypto/pkcs7/pk7_smime.c +++ b/crypto/pkcs7/pk7_smime.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pk7_smime.c,v 1.23 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: pk7_smime.c,v 1.26 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -64,7 +64,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" static int pkcs7_copy_existing_digest(PKCS7 *p7, PKCS7_SIGNER_INFO *si); @@ -111,6 +111,7 @@ err: PKCS7_free(p7); return NULL; } +LCRYPTO_ALIAS(PKCS7_sign); int PKCS7_final(PKCS7 *p7, BIO *data, int flags) @@ -139,6 +140,7 @@ err: return ret; } +LCRYPTO_ALIAS(PKCS7_final); /* Check to see if a cipher exists and if so add S/MIME capabilities */ @@ -221,6 +223,7 @@ err: sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free); return NULL; } +LCRYPTO_ALIAS(PKCS7_sign_add_signer); /* Search for a digest matching SignerInfo digest type and if found * copy across. 
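Review bot: `flags ^= SMIME_OLDMIME;` in the rewritten SMIME_write_PKCS7() toggles the bit rather than setting it, so if SMIME_write_ASN1() interprets the flag the way OpenSSL's does, the meaning is inverted for PKCS#7 callers: omitting SMIME_OLDMIME selects the legacy `x-pkcs7` content type and passing it selects the modern one. The rewrite preserves that behaviour but still leaves the XOR uncommented, and it reads like a typo for `|=`; suggest `/* PKCS#7 defaults to the legacy x-pkcs7 MIME type: SMIME_OLDMIME is toggled, not set, so passing it selects the plain pkcs7 type. */` The new `ctype_nid` initialiser also dereferences `p7->type` before any NULL check on `p7`, as the old code did; if NULL is a possible input, a guard belongs before it.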
@@ -423,6 +426,7 @@ err: return ret; } +LCRYPTO_ALIAS(PKCS7_verify); STACK_OF(X509) * PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags) @@ -481,6 +485,7 @@ PKCS7_get0_signers(PKCS7 *p7, STACK_OF(X509) *certs, int flags) } return signers; } +LCRYPTO_ALIAS(PKCS7_get0_signers); /* Build a complete PKCS#7 enveloped data */ @@ -524,6 +529,7 @@ err: PKCS7_free(p7); return NULL; } +LCRYPTO_ALIAS(PKCS7_encrypt); int PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags) @@ -590,3 +596,4 @@ PKCS7_decrypt(PKCS7 *p7, EVP_PKEY *pkey, X509 *cert, BIO *data, int flags) return ret; } } +LCRYPTO_ALIAS(PKCS7_decrypt); diff --git a/crypto/pkcs7/pkcs7err.c b/crypto/pkcs7/pkcs7err.c index 251e781..d3ca0ec 100644 --- a/crypto/pkcs7/pkcs7err.c +++ b/crypto/pkcs7/pkcs7err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs7err.c,v 1.12 2020/06/05 16:51:12 jsing Exp $ */ +/* $OpenBSD: pkcs7err.c,v 1.15 2023/02/16 08:38:17 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * @@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS7,func,0) @@ -146,3 +140,4 @@ ERR_load_PKCS7_strings(void) } #endif } +LCRYPTO_ALIAS(ERR_load_PKCS7_strings); diff --git a/crypto/rand/rand_err.c b/crypto/rand/rand_err.c index 1ac00be..c57b9a8 100644 --- a/crypto/rand/rand_err.c +++ b/crypto/rand/rand_err.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: rand_err.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: rand_err.c,v 1.16 2022/07/12 14:42:50 kn Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_RAND,func,0) diff --git a/crypto/rc2/rc2_cbc.c b/crypto/rc2/rc2_cbc.c index a947f1d..44204af 100644 --- a/crypto/rc2/rc2_cbc.c +++ b/crypto/rc2/rc2_cbc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rc2_cbc.c,v 1.5 2014/10/28 07:35:59 jsg Exp $ */ +/* $OpenBSD: rc2_cbc.c,v 1.6 2022/11/26 16:08:54 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "rc2_locl.h" +#include "rc2_local.h" void RC2_cbc_encrypt(const unsigned char *in, unsigned char *out, long length, RC2_KEY *ks, unsigned char *iv, int encrypt) diff --git a/crypto/rc2/rc2_ecb.c b/crypto/rc2/rc2_ecb.c index 7687375..84a671a 100644 --- a/crypto/rc2/rc2_ecb.c +++ b/crypto/rc2/rc2_ecb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rc2_ecb.c,v 1.6 2014/07/09 11:10:51 bcook Exp $ */ +/* $OpenBSD: rc2_ecb.c,v 1.7 2022/11/26 16:08:54 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "rc2_locl.h" +#include "rc2_local.h" #include /* RC2 as implemented frm a posting from diff --git a/crypto/rc2/rc2_locl.h b/crypto/rc2/rc2_local.h similarity index 99% rename from crypto/rc2/rc2_locl.h rename to crypto/rc2/rc2_local.h index 73d8c68..c8bb468 100644 --- a/crypto/rc2/rc2_locl.h +++ b/crypto/rc2/rc2_local.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: rc2_locl.h,v 1.2 2014/06/12 15:49:30 deraadt Exp $ */ +/* $OpenBSD: rc2_local.h,v 1.1 2022/11/26 16:08:54 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * diff --git a/crypto/rc2/rc2_skey.c b/crypto/rc2/rc2_skey.c index 964db09..82161b1 100644 --- a/crypto/rc2/rc2_skey.c +++ b/crypto/rc2/rc2_skey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rc2_skey.c,v 1.12 2014/06/12 15:49:30 deraadt Exp $ */ +/* $OpenBSD: rc2_skey.c,v 1.13 2022/11/26 16:08:54 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -58,7 +58,7 @@ #include #include -#include "rc2_locl.h" +#include "rc2_local.h" static const unsigned char key_table[256]={ 0xd9,0x78,0xf9,0xc4,0x19,0xdd,0xb5,0xed,0x28,0xe9,0xfd,0x79, diff --git a/crypto/rc2/rc2cfb64.c b/crypto/rc2/rc2cfb64.c index 9536644..ebdeb9b 100644 --- a/crypto/rc2/rc2cfb64.c +++ b/crypto/rc2/rc2cfb64.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rc2cfb64.c,v 1.5 2014/10/28 07:35:59 jsg Exp $ */ +/* $OpenBSD: rc2cfb64.c,v 1.6 2022/11/26 16:08:54 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "rc2_locl.h" +#include "rc2_local.h" /* The input and output encrypted as though 64bit cfb mode is being * used. The extra state information to record how much of the diff --git a/crypto/rc2/rc2ofb64.c b/crypto/rc2/rc2ofb64.c index c47b413..2aa2413 100644 --- a/crypto/rc2/rc2ofb64.c +++ b/crypto/rc2/rc2ofb64.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rc2ofb64.c,v 1.5 2014/10/28 07:35:59 jsg Exp $ */ +/* $OpenBSD: rc2ofb64.c,v 1.6 2022/11/26 16:08:54 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "rc2_locl.h" +#include "rc2_local.h" /* The input and output encrypted as though 64bit ofb mode is being * used. The extra state information to record how much of the 
diff --git a/crypto/rc4/rc4-elf-x86_64.S b/crypto/rc4/rc4-elf-x86_64.S index 4f90dd5..1a0f618 100644 --- a/crypto/rc4/rc4-elf-x86_64.S +++ b/crypto/rc4/rc4-elf-x86_64.S @@ -6,7 +6,9 @@ .globl RC4 .type RC4,@function .align 16 -RC4: orq %rsi,%rsi +RC4: + endbr64 + orq %rsi,%rsi jne .Lentry retq .Lentry: @@ -523,6 +525,7 @@ RC4: orq %rsi,%rsi .type RC4_set_key,@function .align 16 RC4_set_key: + endbr64 leaq 8(%rdi),%rdi leaq (%rdx,%rsi,1),%rdx negq %rsi @@ -595,6 +598,7 @@ RC4_set_key: .type RC4_options,@function .align 16 RC4_options: + endbr64 leaq .Lopts(%rip),%rax movl OPENSSL_ia32cap_P(%rip),%edx btl $IA32CAP_BIT0_INTELP4,%edx @@ -607,13 +611,14 @@ RC4_options: addq $12,%rax .Ldone: retq +.section .rodata .align 64 .Lopts: .byte 114,99,52,40,56,120,44,105,110,116,41,0 .byte 114,99,52,40,56,120,44,99,104,97,114,41,0 .byte 114,99,52,40,49,54,120,44,105,110,116,41,0 -.byte 82,67,52,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .align 64 +.text .size RC4_options,.-RC4_options #if defined(HAVE_GNU_STACK) .section .note.GNU-stack,"",%progbits diff --git a/crypto/rc4/rc4-macosx-x86_64.S b/crypto/rc4/rc4-macosx-x86_64.S index ce58e4a..0c078f4 100644 --- a/crypto/rc4/rc4-macosx-x86_64.S +++ b/crypto/rc4/rc4-macosx-x86_64.S @@ -6,7 +6,9 @@ .globl _RC4 .p2align 4 -_RC4: orq %rsi,%rsi +_RC4: + + orq %rsi,%rsi jne L$entry retq L$entry: @@ -523,6 +525,7 @@ L$epilogue: .p2align 4 _RC4_set_key: + leaq 8(%rdi),%rdi leaq (%rdx,%rsi,1),%rdx negq %rsi @@ -595,6 +598,7 @@ L$exit_key: .p2align 4 _RC4_options: + leaq L$opts(%rip),%rax movl _OPENSSL_ia32cap_P(%rip),%edx btl $IA32CAP_BIT0_INTELP4,%edx 
@@ -607,11 +611,12 @@ L$8xchar: addq $12,%rax L$done: retq +.section __DATA,__const .p2align 6 L$opts: .byte 114,99,52,40,56,120,44,105,110,116,41,0 .byte 114,99,52,40,56,120,44,99,104,97,114,41,0 .byte 114,99,52,40,49,54,120,44,105,110,116,41,0 -.byte 82,67,52,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .p2align 6 +.text diff --git a/crypto/rc4/rc4-masm-x86_64.S b/crypto/rc4/rc4-masm-x86_64.S index a15566e..0b4afe8 100644 --- a/crypto/rc4/rc4-masm-x86_64.S +++ b/crypto/rc4/rc4-masm-x86_64.S @@ -84,6 +84,8 @@ $L$SEH_begin_RC4:: mov rdx,r8 mov rcx,r9 + + endbr64 or rsi,rsi jne $L$entry mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue @@ -615,6 +617,7 @@ $L$SEH_begin_RC4_set_key:: mov rdx,r8 + endbr64 lea rdi,QWORD PTR[8+rdi] lea rdx,QWORD PTR[rsi*1+rdx] neg rsi @@ -690,6 +693,7 @@ PUBLIC RC4_options ALIGN 16 RC4_options PROC PUBLIC + endbr64 lea rax,QWORD PTR[$L$opts] mov edx,DWORD PTR[OPENSSL_ia32cap_P] bt edx,20 @@ -702,16 +706,16 @@ $L$8xchar:: add rax,12 $L$done:: DB 0F3h,0C3h ;repret +.text$ ENDS +.rdata SEGMENT READONLY ALIGN(8) ALIGN 64 $L$opts:: DB 114,99,52,40,56,120,44,105,110,116,41,0 DB 114,99,52,40,56,120,44,99,104,97,114,41,0 DB 114,99,52,40,49,54,120,44,105,110,116,41,0 -DB 82,67,52,32,102,111,114,32,120,56,54,95,54,52,44,32 -DB 67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97 -DB 112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103 -DB 62,0 ALIGN 64 +.rdata ENDS +.text$ SEGMENT ALIGN(64) 'CODE' RC4_options ENDP .text$ ENDS diff --git a/crypto/rc4/rc4-md5-elf-x86_64.S b/crypto/rc4/rc4-md5-elf-x86_64.S index 52b50fe..9381ff7 100644 --- a/crypto/rc4/rc4-md5-elf-x86_64.S +++ b/crypto/rc4/rc4-md5-elf-x86_64.S @@ -5,6 +5,7 @@ .globl rc4_md5_enc .type rc4_md5_enc,@function rc4_md5_enc: + endbr64 cmpq $0,%r9 je .Labort pushq %rbx diff --git a/crypto/rc4/rc4-md5-macosx-x86_64.S b/crypto/rc4/rc4-md5-macosx-x86_64.S index a8f6955..a0edc59 100644 
--- a/crypto/rc4/rc4-md5-macosx-x86_64.S +++ b/crypto/rc4/rc4-md5-macosx-x86_64.S @@ -5,6 +5,7 @@ .globl _rc4_md5_enc _rc4_md5_enc: + cmpq $0,%r9 je L$abort pushq %rbx diff --git a/crypto/rc4/rc4-md5-masm-x86_64.S b/crypto/rc4/rc4-md5-masm-x86_64.S index 0d2e8d5..6129c96 100644 --- a/crypto/rc4/rc4-md5-masm-x86_64.S +++ b/crypto/rc4/rc4-md5-masm-x86_64.S @@ -85,6 +85,7 @@ $L$SEH_begin_rc4_md5_enc:: mov r9,QWORD PTR[48+rsp] + endbr64 cmp r9,0 je $L$abort push rbx diff --git a/crypto/rc4/rc4-md5-mingw64-x86_64.S b/crypto/rc4/rc4-md5-mingw64-x86_64.S index e11d314..bc24618 100644 --- a/crypto/rc4/rc4-md5-mingw64-x86_64.S +++ b/crypto/rc4/rc4-md5-mingw64-x86_64.S @@ -16,6 +16,7 @@ rc4_md5_enc: movq 40(%rsp),%r8 movq 48(%rsp),%r9 + endbr64 cmpq $0,%r9 je .Labort pushq %rbx diff --git a/crypto/rc4/rc4-mingw64-x86_64.S b/crypto/rc4/rc4-mingw64-x86_64.S index c149d7e..c0178a8 100644 --- a/crypto/rc4/rc4-mingw64-x86_64.S +++ b/crypto/rc4/rc4-mingw64-x86_64.S @@ -15,6 +15,8 @@ RC4: movq %rdx,%rsi movq %r8,%rdx movq %r9,%rcx + + endbr64 orq %rsi,%rsi jne .Lentry movq 8(%rsp),%rdi @@ -544,6 +546,7 @@ RC4_set_key: movq %rdx,%rsi movq %r8,%rdx + endbr64 leaq 8(%rdi),%rdi leaq (%rdx,%rsi,1),%rdx negq %rsi @@ -618,6 +621,7 @@ RC4_set_key: .def RC4_options; .scl 2; .type 32; .endef .p2align 4 RC4_options: + endbr64 leaq .Lopts(%rip),%rax movl OPENSSL_ia32cap_P(%rip),%edx btl $IA32CAP_BIT0_INTELP4,%edx @@ -630,11 +634,12 @@ RC4_options: addq $12,%rax .Ldone: retq +.section .rodata .p2align 6 .Lopts: .byte 114,99,52,40,56,120,44,105,110,116,41,0 .byte 114,99,52,40,56,120,44,99,104,97,114,41,0 .byte 114,99,52,40,49,54,120,44,105,110,116,41,0 -.byte 82,67,52,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 .p2align 6 +.text diff --git a/crypto/rc4/rc4_enc.c b/crypto/rc4/rc4_enc.c index aa2766a..3763bfa 100644 --- a/crypto/rc4/rc4_enc.c +++ b/crypto/rc4/rc4_enc.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: rc4_enc.c,v 1.17 2021/11/09 18:40:21 bcook Exp $ */ +/* $OpenBSD: rc4_enc.c,v 1.18 2022/11/26 16:08:54 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -59,7 +59,7 @@ #include #include -#include "rc4_locl.h" +#include "rc4_local.h" /* RC4 as implemented from a posting from * Newsgroups: sci.crypt diff --git a/crypto/rc4/rc4_local.h b/crypto/rc4/rc4_local.h new file mode 100644 index 0000000..61d08a4 --- /dev/null +++ b/crypto/rc4/rc4_local.h @@ -0,0 +1,5 @@ +/* $OpenBSD: rc4_local.h,v 1.1 2022/11/26 16:08:54 tb Exp $ */ + +#ifndef HEADER_RC4_LOCL_H +#define HEADER_RC4_LOCL_H +#endif diff --git a/crypto/rc4/rc4_locl.h b/crypto/rc4/rc4_locl.h deleted file mode 100644 index d2b0806..0000000 --- a/crypto/rc4/rc4_locl.h +++ /dev/null @@ -1,5 +0,0 @@ -/* $OpenBSD: rc4_locl.h,v 1.4 2014/07/11 08:44:49 jsing Exp $ */ - -#ifndef HEADER_RC4_LOCL_H -#define HEADER_RC4_LOCL_H -#endif diff --git a/crypto/rc4/rc4_skey.c b/crypto/rc4/rc4_skey.c index 861941f..e32a6e8 100644 --- a/crypto/rc4/rc4_skey.c +++ b/crypto/rc4/rc4_skey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rc4_skey.c,v 1.14 2015/10/20 15:50:13 jsing Exp $ */ +/* $OpenBSD: rc4_skey.c,v 1.15 2022/11/26 16:08:54 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "rc4_locl.h" +#include "rc4_local.h" #include const char * diff --git a/crypto/ripemd/rmd_dgst.c b/crypto/ripemd/rmd_dgst.c index 458968d..d794a7c 100644 --- a/crypto/ripemd/rmd_dgst.c +++ b/crypto/ripemd/rmd_dgst.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rmd_dgst.c,v 1.17 2014/10/28 07:35:59 jsg Exp $ */ +/* $OpenBSD: rmd_dgst.c,v 1.18 2022/11/26 16:08:54 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -57,7 +57,7 @@ */ #include -#include "rmd_locl.h" +#include "rmd_local.h" #include #include 
diff --git a/crypto/ripemd/rmd_locl.h b/crypto/ripemd/rmd_local.h similarity index 98% rename from crypto/ripemd/rmd_locl.h rename to crypto/ripemd/rmd_local.h index f38b101..1e46816 100644 --- a/crypto/ripemd/rmd_locl.h +++ b/crypto/ripemd/rmd_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rmd_locl.h,v 1.13 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: rmd_local.h,v 1.1 2022/11/26 16:08:54 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index 57fe46a..1cf2069 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_ameth.c,v 1.25 2022/01/10 11:52:43 tb Exp $ */ +/* $OpenBSD: rsa_ameth.c,v 1.29 2023/05/19 17:31:20 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -64,12 +64,13 @@ #include #include #include +#include #include -#include "asn1_locl.h" +#include "asn1_local.h" #include "cryptlib.h" -#include "evp_locl.h" -#include "rsa_locl.h" +#include "evp_local.h" +#include "rsa_local.h" #ifndef OPENSSL_NO_CMS static int rsa_cms_sign(CMS_SignerInfo *si); @@ -271,6 +272,12 @@ rsa_bits(const EVP_PKEY *pkey) return BN_num_bits(pkey->pkey.rsa->n); } +static int +rsa_security_bits(const EVP_PKEY *pkey) +{ + return RSA_security_bits(pkey->pkey.rsa); +} + static void int_rsa_free(EVP_PKEY *pkey) { @@ -1103,6 +1110,7 @@ const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = { .pkey_size = int_rsa_size, .pkey_bits = rsa_bits, + .pkey_security_bits = rsa_security_bits, .sig_print = rsa_sig_print, @@ -1144,6 +1152,7 @@ const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = { .pkey_size = int_rsa_size, .pkey_bits = rsa_bits, + .pkey_security_bits = rsa_security_bits, .sig_print = rsa_sig_print, diff --git a/crypto/rsa/rsa_asn1.c b/crypto/rsa/rsa_asn1.c index 4b8eda2..63c3637 100644 --- a/crypto/rsa/rsa_asn1.c +++ b/crypto/rsa/rsa_asn1.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_asn1.c,v 1.15 2019/10/25 14:40:18 jsing Exp $ */ +/* $OpenBSD: rsa_asn1.c,v 1.16 2022/11/26 16:08:54 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -63,7 +63,7 @@ #include #include -#include "rsa_locl.h" +#include "rsa_local.h" /* Override the default free and new methods */ static int diff --git a/crypto/rsa/rsa_chk.c b/crypto/rsa/rsa_chk.c index ac9dbf7..5d7f7b3 100644 --- a/crypto/rsa/rsa_chk.c +++ b/crypto/rsa/rsa_chk.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_chk.c,v 1.16 2022/01/20 11:08:12 inoguchi Exp $ */ +/* $OpenBSD: rsa_chk.c,v 1.17 2022/11/26 16:08:54 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * @@ -52,8 +52,8 @@ #include #include -#include "bn_lcl.h" -#include "rsa_locl.h" +#include "bn_local.h" +#include "rsa_local.h" int RSA_check_key(const RSA *key) diff --git a/crypto/rsa/rsa_crpt.c b/crypto/rsa/rsa_crpt.c index 4fd21cd..a1b2eec 100644 --- a/crypto/rsa/rsa_crpt.c +++ b/crypto/rsa/rsa_crpt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_crpt.c,v 1.20 2022/01/07 09:55:32 tb Exp $ */ +/* $OpenBSD: rsa_crpt.c,v 1.21 2022/11/26 16:08:54 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,8 +66,8 @@ #include #include -#include "bn_lcl.h" -#include "rsa_locl.h" +#include "bn_local.h" +#include "rsa_local.h" #ifndef OPENSSL_NO_ENGINE #include diff --git a/crypto/rsa/rsa_depr.c b/crypto/rsa/rsa_depr.c deleted file mode 100644 index 54a669c..0000000 --- a/crypto/rsa/rsa_depr.c +++ /dev/null 
@@ -1,103 +0,0 @@ -/* $OpenBSD: rsa_depr.c,v 1.9 2021/12/04 16:08:32 tb Exp $ */ -/* ==================================================================== - * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* NB: This file contains deprecated functions (compatibility wrappers to the - * "new" versions). */ - -#include -#include - -#include - -#include -#include - -#include "bn_lcl.h" - -#ifndef OPENSSL_NO_DEPRECATED - -RSA * -RSA_generate_key(int bits, unsigned long e_value, - void (*callback)(int, int, void *), void *cb_arg) -{ - BN_GENCB cb; - int i; - RSA *rsa = RSA_new(); - BIGNUM *e = BN_new(); - - if (!rsa || !e) - goto err; - - /* The problem is when building with 8, 16, or 32 BN_ULONG, - * unsigned long can be larger */ - for (i = 0; i < (int)sizeof(unsigned long) * 8; i++) { - if (e_value & (1UL << i)) - if (BN_set_bit(e, i) == 0) - goto err; - } - - BN_GENCB_set_old(&cb, callback, cb_arg); - - if (RSA_generate_key_ex(rsa, bits, e, &cb)) { - BN_free(e); - return rsa; - } -err: - BN_free(e); - RSA_free(rsa); - - return 0; -} -#endif diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 0f8c324..6db563f 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_eay.c,v 1.54 2022/01/20 11:10:11 inoguchi Exp $ */ +/* $OpenBSD: rsa_eay.c,v 1.60 2023/05/05 12:21:44 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -118,8 +118,8 @@ #include #include -#include "bn_lcl.h" -#include "rsa_locl.h" +#include "bn_local.h" +#include "rsa_local.h" static int RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding); @@ -226,10 +226,11 @@ RSA_eay_public_encrypt(int flen, const unsigned char *from, unsigned char *to, goto err; } - if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) + if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) goto err; + } if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, rsa->_method_mod_n)) @@ -403,6 +404,12 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, goto err; } + if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, + CRYPTO_LOCK_RSA, rsa->n, ctx)) + goto err; + } + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { blinding = rsa_get_blinding(rsa, &local_blinding, ctx); if (blinding == NULL) { @@ -431,11 +438,6 @@ RSA_eay_private_encrypt(int flen, const unsigned char *from, unsigned char *to, BN_init(&d); BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); - if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, - CRYPTO_LOCK_RSA, rsa->n, ctx)) - goto err; - if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, rsa->_method_mod_n)) { goto err; @@ -521,6 +523,12 @@ RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, goto err; } + if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { + if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, + CRYPTO_LOCK_RSA, rsa->n, ctx)) + goto err; + } + if (!(rsa->flags & RSA_FLAG_NO_BLINDING)) { blinding = rsa_get_blinding(rsa, &local_blinding, ctx); if (blinding == NULL) { 
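Review bot: In the `@@ -403,6 +404,12 @@` hunk the `RSA_FLAG_CACHE_PUBLIC` Montgomery setup for `rsa->n` is moved ahead of the blinding call in RSA_eay_private_encrypt, but nothing records why the order matters, so a later cleanup could move it back. Presumably `rsa_get_blinding()` reads `rsa->_method_mod_n` when it is populated, so the cached context has to exist before blinding is set up — confirm against rsa_get_blinding()/RSA_setup_blinding(). I would add `/* Set up _method_mod_n before blinding; rsa_get_blinding() may rely on it. */` above the new block. The same applies to the `@@ -521,6 +523,12 @@` hunk for RSA_eay_private_decrypt and to the matching removals in the two `-431`/`-550` hunks. Both enclosing functions start and end outside their hunks.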
@@ -550,11 +558,6 @@ RSA_eay_private_decrypt(int flen, const unsigned char *from, unsigned char *to, BN_init(&d); BN_with_flags(&d, rsa->d, BN_FLG_CONSTTIME); - if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) - if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, - CRYPTO_LOCK_RSA, rsa->n, ctx)) - goto err; - if (!rsa->meth->bn_mod_exp(ret, f, &d, rsa->n, ctx, rsa->_method_mod_n)) { goto err; @@ -654,10 +657,11 @@ RSA_eay_public_decrypt(int flen, const unsigned char *from, unsigned char *to, goto err; } - if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) + if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) goto err; + } if (!rsa->meth->bn_mod_exp(ret, f, rsa->e, rsa->n, ctx, rsa->_method_mod_n)) @@ -716,7 +720,7 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) BIGNUM p, q; /* - * Make sure BN_mod_inverse in Montgomery intialization uses the + * Make sure BN_mod_inverse in Montgomery initialization uses the * BN_FLG_CONSTTIME flag */ BN_init(&p); @@ -734,10 +738,11 @@ RSA_eay_mod_exp(BIGNUM *r0, const BIGNUM *I, RSA *rsa, BN_CTX *ctx) } } - if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) + if (rsa->flags & RSA_FLAG_CACHE_PUBLIC) { if (!BN_MONT_CTX_set_locked(&rsa->_method_mod_n, CRYPTO_LOCK_RSA, rsa->n, ctx)) goto err; + } /* compute I mod q */ BN_init(&c); diff --git a/crypto/rsa/rsa_err.c b/crypto/rsa/rsa_err.c index 4614937..79425c0 100644 --- a/crypto/rsa/rsa_err.c +++ b/crypto/rsa/rsa_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_err.c,v 1.20 2019/11/01 15:13:05 jsing Exp $ */ +/* $OpenBSD: rsa_err.c,v 1.21 2022/07/12 14:42:50 kn Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * 
@@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_RSA,func,0) diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c index 5f062a7..9db8eca 100644 --- a/crypto/rsa/rsa_gen.c +++ b/crypto/rsa/rsa_gen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_gen.c,v 1.25 2022/01/20 11:11:17 inoguchi Exp $ */ +/* $OpenBSD: rsa_gen.c,v 1.29 2023/04/13 15:18:29 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,12 +56,6 @@ * [including the GNU Public Licence.] */ - -/* NB: these functions have been "upgraded", the deprecated versions (which are - * compatibility wrappers using these functions) are in rsa_depr.c. - * - Geoff - */ - #include #include @@ -69,18 +63,11 @@ #include #include -#include "bn_lcl.h" -#include "rsa_locl.h" +#include "bn_local.h" +#include "rsa_local.h" static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb); -/* - * NB: this wrapper would normally be placed in rsa_lib.c and the static - * implementation would probably be in rsa_eay.c. Nonetheless, is kept here so - * that we don't introduce a new linker dependency. Eg. any application that - * wasn't previously linking object code related to key-generation won't have to - * now just because key-generation is part of RSA_METHOD. - */ int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) { @@ -131,7 +118,8 @@ rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) if (!rsa->iqmp && ((rsa->iqmp = BN_new()) == NULL)) goto err; - BN_copy(rsa->e, e_value); + if (!bn_copy(rsa->e, e_value)) + goto err; /* generate p and q */ for (;;) { 
@@ -232,3 +220,36 @@ err: return ok; } + +RSA * +RSA_generate_key(int bits, unsigned long e_value, + void (*callback)(int, int, void *), void *cb_arg) +{ + BN_GENCB cb; + int i; + RSA *rsa = RSA_new(); + BIGNUM *e = BN_new(); + + if (!rsa || !e) + goto err; + + /* The problem is when building with 8, 16, or 32 BN_ULONG, + * unsigned long can be larger */ + for (i = 0; i < (int)sizeof(unsigned long) * 8; i++) { + if (e_value & (1UL << i)) + if (BN_set_bit(e, i) == 0) + goto err; + } + + BN_GENCB_set_old(&cb, callback, cb_arg); + + if (RSA_generate_key_ex(rsa, bits, e, &cb)) { + BN_free(e); + return rsa; + } +err: + BN_free(e); + RSA_free(rsa); + + return 0; +} diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index ddf3f1b..9656252 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_lib.c,v 1.42 2022/01/07 09:55:32 tb Exp $ */ +/* $OpenBSD: rsa_lib.c,v 1.46 2023/03/11 21:14:26 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -67,8 +67,8 @@ #include #include -#include "evp_locl.h" -#include "rsa_locl.h" +#include "evp_local.h" +#include "rsa_local.h" #ifndef OPENSSL_NO_ENGINE #include @@ -200,14 +200,14 @@ RSA_free(RSA *r) CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data); - BN_clear_free(r->n); - BN_clear_free(r->e); - BN_clear_free(r->d); - BN_clear_free(r->p); - BN_clear_free(r->q); - BN_clear_free(r->dmp1); - BN_clear_free(r->dmq1); - BN_clear_free(r->iqmp); + BN_free(r->n); + BN_free(r->e); + BN_free(r->d); + BN_free(r->p); + BN_free(r->q); + BN_free(r->dmp1); + BN_free(r->dmq1); + BN_free(r->iqmp); BN_BLINDING_free(r->blinding); BN_BLINDING_free(r->mt_blinding); RSA_PSS_PARAMS_free(r->pss); 
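Review bot: RSA_generate_key ends with `return 0;` although its return type is `RSA *`; `return NULL;` states the contract and matches the surrounding RSA code. The body is moved verbatim from the deleted rsa_depr.c, but the `#ifndef OPENSSL_NO_DEPRECATED` guard that wrapped it there is not carried over, so this deprecated entry point is now compiled unconditionally — confirm that is intended. Since the old "NB: This file contains deprecated functions" note is gone too, a header comment such as `/* Deprecated compatibility wrapper around RSA_generate_key_ex(). */` would tell the next reader why the function still exists.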
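Review bot: RSA_free switches the private components (`r->d`, `r->p`, `r->q`, `r->dmp1`, `r->dmq1`, `r->iqmp`) from `BN_clear_free()` to `BN_free()`, so whether key material is still zeroed before the memory is released now depends on `BN_free()` itself clearing the limbs. That holds where `BN_free()` is an alias for `BN_clear_free()`, as I believe it is in this tree, but the hunk does not show it — confirm in bn_lib.c, and keep `BN_clear_free()` for the private values if it is not guaranteed. A one-line comment would save the next reader the same check: `/* BN_free() clears the limbs, so private components need no BN_clear_free(). */`. RSA_free continues outside the hunk.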
@@ -241,6 +241,12 @@ RSA_get_ex_data(const RSA *r, int idx) return CRYPTO_get_ex_data(&r->ex_data, idx); } +int +RSA_security_bits(const RSA *rsa) +{ + return BN_security_bits(RSA_bits(rsa), -1); +} + void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) { @@ -292,7 +298,7 @@ RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) if ((r->dmp1 == NULL && dmp1 == NULL) || (r->dmq1 == NULL && dmq1 == NULL) || (r->iqmp == NULL && iqmp == NULL)) - return 0; + return 0; if (dmp1 != NULL) { BN_free(r->dmp1); diff --git a/crypto/rsa/rsa_locl.h b/crypto/rsa/rsa_local.h similarity index 91% rename from crypto/rsa/rsa_locl.h rename to crypto/rsa/rsa_local.h index 9eae2b3..4bc2cee 100644 --- a/crypto/rsa/rsa_locl.h +++ b/crypto/rsa/rsa_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_locl.h,v 1.12 2022/01/14 08:34:39 tb Exp $ */ +/* $OpenBSD: rsa_local.h,v 1.2 2023/05/05 12:21:44 tb Exp $ */ __BEGIN_HIDDEN_DECLS @@ -9,7 +9,7 @@ __BEGIN_HIDDEN_DECLS #define pkey_ctx_is_pss(ctx) (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) struct rsa_meth_st { - const char *name; + char *name; int (*rsa_pub_enc)(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding); int (*rsa_pub_dec)(int flen, const unsigned char *from, @@ -91,4 +91,10 @@ extern int int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len, unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf, size_t siglen, RSA *rsa); +int RSA_padding_add_X931(unsigned char *to, int tlen, + const unsigned char *f, int fl); +int RSA_padding_check_X931(unsigned char *to, int tlen, + const unsigned char *f, int fl, int rsa_len); +int RSA_X931_hash_id(int nid); + __END_HIDDEN_DECLS diff --git a/crypto/rsa/rsa_meth.c b/crypto/rsa/rsa_meth.c index 8ae929d..a011927 100644 --- a/crypto/rsa/rsa_meth.c +++ b/crypto/rsa/rsa_meth.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_meth.c,v 1.4 2022/01/07 09:55:32 tb Exp $ */ +/* $OpenBSD: rsa_meth.c,v 1.6 2022/11/26 16:08:54 tb Exp $ */ /* * Copyright (c) 2018 Theo Buehler * @@ -21,7 +21,7 @@ #include #include -#include "rsa_locl.h" +#include "rsa_local.h" RSA_METHOD * RSA_meth_new(const char *name, int flags) @@ -42,10 +42,11 @@ RSA_meth_new(const char *name, int flags) void RSA_meth_free(RSA_METHOD *meth) { - if (meth != NULL) { - free((char *)meth->name); - free(meth); - } + if (meth == NULL) + return; + + free(meth->name); + free(meth); } RSA_METHOD * @@ -67,12 +68,12 @@ RSA_meth_dup(const RSA_METHOD *meth) int RSA_meth_set1_name(RSA_METHOD *meth, const char *name) { - char *copy; + char *new_name; - if ((copy = strdup(name)) == NULL) + if ((new_name = strdup(name)) == NULL) return 0; - free((char *)meth->name); - meth->name = copy; + free(meth->name); + meth->name = new_name; return 1; } diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index 9326950..083f4a6 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_oaep.c,v 1.35 2022/02/20 19:16:34 tb Exp $ */ +/* $OpenBSD: rsa_oaep.c,v 1.36 2022/11/26 16:08:54 tb Exp $ */ /* * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. * @@ -79,9 +79,9 @@ #include #include -#include "constant_time_locl.h" -#include "evp_locl.h" -#include "rsa_locl.h" +#include "constant_time.h" +#include "evp_local.h" +#include "rsa_local.h" int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index 36a2a27..429524d 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_pmeth.c,v 1.33 2021/12/04 16:08:32 tb Exp $ */ +/* $OpenBSD: rsa_pmeth.c,v 1.38 2023/05/05 12:21:44 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ 
@@ -70,9 +70,9 @@ #include #include -#include "bn_lcl.h" -#include "evp_locl.h" -#include "rsa_locl.h" +#include "bn_local.h" +#include "evp_local.h" +#include "rsa_local.h" /* RSA pkey context structure */ @@ -326,12 +326,16 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen, return -1; } } else { + int ret; + if (!setup_tbuf(rctx, ctx)) return -1; - rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa, - rctx->pad_mode); - if (rslen == 0) + + if ((ret = RSA_public_decrypt(siglen, sig, rctx->tbuf, rsa, + rctx->pad_mode)) <= 0) return 0; + + rslen = ret; } if (rslen != tbslen || timingsafe_bcmp(tbs, rctx->tbuf, rslen)) @@ -412,12 +416,19 @@ check_padding_md(const EVP_MD *md, int padding) } } else { /* List of all supported RSA digests. */ + /* RFC 8017 and NIST CSOR. */ switch(EVP_MD_type(md)) { case NID_sha1: case NID_sha224: case NID_sha256: case NID_sha384: case NID_sha512: + case NID_sha512_224: + case NID_sha512_256: + case NID_sha3_224: + case NID_sha3_256: + case NID_sha3_384: + case NID_sha3_512: case NID_md5: case NID_md5_sha1: case NID_md4: diff --git a/crypto/rsa/rsa_prn.c b/crypto/rsa/rsa_prn.c index c46b08c..12f600d 100644 --- a/crypto/rsa/rsa_prn.c +++ b/crypto/rsa/rsa_prn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_prn.c,v 1.7 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: rsa_prn.c,v 1.9 2022/11/08 19:19:08 tobhe Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -82,12 +82,16 @@ int RSA_print(BIO *bp, const RSA *x, int off) { EVP_PKEY *pk; - int ret; + int ret = 0; + + if ((pk = EVP_PKEY_new()) == NULL) + goto err; + + if (!EVP_PKEY_set1_RSA(pk, (RSA *)x)) + goto err; - pk = EVP_PKEY_new(); - if (!pk || !EVP_PKEY_set1_RSA(pk, (RSA *)x)) - return 0; ret = EVP_PKEY_print_private(bp, pk, off, NULL); + err: EVP_PKEY_free(pk); return ret; } diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c index cce38ef..72c79e3 100644 --- a/crypto/rsa/rsa_pss.c +++ b/crypto/rsa/rsa_pss.c 
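Review bot: The `<= 0` check on `RSA_public_decrypt()` in pkey_rsa_verify fixes the real problem that the old `== 0` test let a -1 error return reach `rslen`, but the hunk leaves the reason implicit. If `rslen` is unsigned, as the comparison with `tbslen` suggests, the old code would have wrapped -1 to a huge length before the `timingsafe_bcmp()`; confirm the type, then record it: `/* RSA_public_decrypt() returns -1 on error; check before assigning to the unsigned rslen. */` above the new `if`. pkey_rsa_verify starts and ends outside the hunk.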
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_pss.c,v 1.15 2022/01/07 09:55:32 tb Exp $ */
+/* $OpenBSD: rsa_pss.c,v 1.16 2022/11/26 16:08:54 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
@@ -66,8 +66,8 @@
 #include
 #include
-#include "evp_locl.h"
-#include "rsa_locl.h"
+#include "evp_local.h"
+#include "rsa_local.h"
 static const unsigned char zeroes[] = { 0, 0, 0, 0, 0, 0, 0, 0 };
diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c
index bd45a95..d517fcb 100644
--- a/crypto/rsa/rsa_sign.c
+++ b/crypto/rsa/rsa_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_sign.c,v 1.34 2022/01/07 11:13:55 tb Exp $ */
+/* $OpenBSD: rsa_sign.c,v 1.35 2022/11/26 16:08:54 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -65,9 +65,9 @@
 #include
 #include
-#include "asn1_locl.h"
-#include "rsa_locl.h"
-#include "x509_lcl.h"
+#include "asn1_local.h"
+#include "rsa_local.h"
+#include "x509_local.h"
 /* Size of an SSL signature: MD5+SHA1 */
 #define SSL_SIG_LENGTH 36
diff --git a/crypto/rsa/rsa_x931.c b/crypto/rsa/rsa_x931.c
index 3579735..52f3f80 100644
--- a/crypto/rsa/rsa_x931.c
+++ b/crypto/rsa/rsa_x931.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_x931.c,v 1.10 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: rsa_x931.c,v 1.12 2023/05/05 12:19:37 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2005.
 */
diff --git a/crypto/sha/sha1-elf-x86_64.S b/crypto/sha/sha1-elf-x86_64.S
index 5a37019..3240e9e 100644
--- a/crypto/sha/sha1-elf-x86_64.S
+++ b/crypto/sha/sha1-elf-x86_64.S
@@ -7,6 +7,7 @@
 .type sha1_block_data_order,@function
 .align 16
 sha1_block_data_order:
+ endbr64
 movl OPENSSL_ia32cap_P+0(%rip),%r9d
 movl OPENSSL_ia32cap_P+4(%rip),%r8d
 testl $IA32CAP_MASK1_SSSE3,%r8d
@@ -1294,6 +1295,7 @@ sha1_block_data_order:
 .align 16
 sha1_block_data_order_ssse3:
 _ssse3_shortcut:
+ endbr64
 pushq %rbx
 pushq %rbp
 pushq %r12
@@ -2477,6 +2479,7 @@ _ssse3_shortcut: .Lepilogue_ssse3: retq .size sha1_block_data_order_ssse3,.-sha1_block_data_order_ssse3 +.section .rodata .align 64 K_XX_XX: .long 0x5a827999,0x5a827999,0x5a827999,0x5a827999 @@ -2484,7 +2487,7 @@ K_XX_XX: .long 0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc .long 0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6 .long 0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f -.byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.text .align 64 #if defined(HAVE_GNU_STACK) .section .note.GNU-stack,"",%progbits diff --git a/crypto/sha/sha1-macosx-x86_64.S b/crypto/sha/sha1-macosx-x86_64.S index 04a8aff..960b765 100644 --- a/crypto/sha/sha1-macosx-x86_64.S +++ b/crypto/sha/sha1-macosx-x86_64.S @@ -7,6 +7,7 @@ .p2align 4 _sha1_block_data_order: + movl _OPENSSL_ia32cap_P+0(%rip),%r9d movl _OPENSSL_ia32cap_P+4(%rip),%r8d testl $IA32CAP_MASK1_SSSE3,%r8d @@ -1294,6 +1295,7 @@ L$epilogue: .p2align 4 sha1_block_data_order_ssse3: _ssse3_shortcut: + pushq %rbx pushq %rbp pushq %r12 @@ -2477,6 +2479,7 @@ L$done_ssse3: L$epilogue_ssse3: retq +.section __DATA,__const .p2align 6 K_XX_XX: .long 0x5a827999,0x5a827999,0x5a827999,0x5a827999 @@ -2484,5 +2487,5 @@ K_XX_XX: .long 0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc .long 0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6 .long 0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f -.byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.text .p2align 6 diff --git a/crypto/sha/sha1-masm-x86_64.S b/crypto/sha/sha1-masm-x86_64.S index f520b5a..1d121fd 100644 --- a/crypto/sha/sha1-masm-x86_64.S +++ b/crypto/sha/sha1-masm-x86_64.S 
@@ -84,6 +84,7 @@ $L$SEH_begin_sha1_block_data_order:: mov rdx,r8 + endbr64 mov r9d,DWORD PTR[((OPENSSL_ia32cap_P+0))] mov r8d,DWORD PTR[((OPENSSL_ia32cap_P+4))] test r8d,(1 SHL 9) @@ -1383,6 +1384,7 @@ $L$SEH_begin_sha1_block_data_order_ssse3:: _ssse3_shortcut:: + endbr64 push rbx push rbp push r12 @@ -2580,6 +2582,8 @@ $L$epilogue_ssse3:: DB 0F3h,0C3h ;repret $L$SEH_end_sha1_block_data_order_ssse3:: sha1_block_data_order_ssse3 ENDP +.text$ ENDS +.rdata SEGMENT READONLY ALIGN(8) ALIGN 64 K_XX_XX:: DD 05a827999h,05a827999h,05a827999h,05a827999h @@ -2587,16 +2591,14 @@ K_XX_XX:: DD 08f1bbcdch,08f1bbcdch,08f1bbcdch,08f1bbcdch DD 0ca62c1d6h,0ca62c1d6h,0ca62c1d6h,0ca62c1d6h DD 000010203h,004050607h,008090a0bh,00c0d0e0fh -DB 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115 -DB 102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44 -DB 32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60 -DB 97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114 -DB 103,62,0 +.rdata ENDS +.text$ SEGMENT ALIGN(64) 'CODE' ALIGN 64 EXTERN __imp_RtlVirtualUnwind:NEAR ALIGN 16 se_handler PROC PRIVATE + endbr64 push rsi push rdi push rbx diff --git a/crypto/sha/sha1-mingw64-x86_64.S b/crypto/sha/sha1-mingw64-x86_64.S index 3ce9fc9..e11b8c7 100644 --- a/crypto/sha/sha1-mingw64-x86_64.S +++ b/crypto/sha/sha1-mingw64-x86_64.S @@ -15,6 +15,7 @@ sha1_block_data_order: movq %rdx,%rsi movq %r8,%rdx + endbr64 movl OPENSSL_ia32cap_P+0(%rip),%r9d movl OPENSSL_ia32cap_P+4(%rip),%r8d testl $IA32CAP_MASK1_SSSE3,%r8d @@ -1312,6 +1313,7 @@ sha1_block_data_order_ssse3: movq %r8,%rdx _ssse3_shortcut: + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -2508,6 +2510,7 @@ _ssse3_shortcut: movq 16(%rsp),%rsi retq .LSEH_end_sha1_block_data_order_ssse3: +.section .rodata .p2align 6 K_XX_XX: .long 0x5a827999,0x5a827999,0x5a827999,0x5a827999 
@@ -2515,12 +2518,13 @@ K_XX_XX: .long 0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc .long 0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6 .long 0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f -.byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.text .p2align 6 .def se_handler; .scl 3; .type 32; .endef .p2align 4 se_handler: + endbr64 pushq %rsi pushq %rdi pushq %rbx diff --git a/crypto/sha/sha1-mips.S b/crypto/sha/sha1-mips.S new file mode 100644 index 0000000..dddb578 --- /dev/null +++ b/crypto/sha/sha1-mips.S 
@@ -0,0 +1,1663 @@ +.text + +.set noat +.set noreorder +.align 5 +.globl sha1_block_data_order +.ent sha1_block_data_order +sha1_block_data_order: + .frame $29,16*4,$31 + .mask 3237937152,-4 + .set noreorder + sub $29,16*4 + sw $31,(16-1)*4($29) + sw $30,(16-2)*4($29) + sw $23,(16-3)*4($29) + sw $22,(16-4)*4($29) + sw $21,(16-5)*4($29) + sw $20,(16-6)*4($29) + sw $19,(16-7)*4($29) + sw $18,(16-8)*4($29) + sw $17,(16-9)*4($29) + sw $16,(16-10)*4($29) + sll $6,6 + add $6,$5 + sw $6,0($29) + lw $1,0($4) + lw $2,4($4) + lw $3,8($4) + lw $7,12($4) + b .Loop + lw $24,16($4) +.align 4 +.Loop: + .set reorder + lwl $8,3($5) + lui $31,0x5a82 + lwr $8,0($5) + ori $31,0x7999 # K_00_19 + srl $25,$8,24 # byte swap(0) + srl $6,$8,8 + andi $30,$8,0xFF00 + sll $8,$8,24 + andi $6,0xFF00 + sll $30,$30,8 + or $8,$25 + or $6,$30 + or $8,$6 + lwl $9,1*4+3($5) + sll $25,$1,5 # 0 + addu $24,$31 + lwr $9,1*4+0($5) + srl $6,$1,27 + addu $24,$25 + xor $25,$3,$7 + addu $24,$6 + sll $30,$2,30 + and $25,$2 + srl $2,$2,2 + xor $25,$7 + addu $24,$8 + or $2,$30 + addu $24,$25 + srl $25,$9,24 # byte swap(1) + srl $6,$9,8 + andi $30,$9,0xFF00 + sll $9,$9,24 + andi $6,0xFF00 + sll $30,$30,8 + or $9,$25 + or $6,$30 + or $9,$6 + lwl $10,2*4+3($5) + sll $25,$24,5 # 1 + addu $7,$31 + lwr $10,2*4+0($5) + srl $6,$24,27 + addu $7,$25 + xor $25,$2,$3 + addu $7,$6 + sll $30,$1,30 + and $25,$1 + srl $1,$1,2 + xor $25,$3 + addu $7,$9 + or $1,$30 + addu $7,$25 + srl $25,$10,24 # byte swap(2) + srl $6,$10,8 + andi $30,$10,0xFF00 + sll $10,$10,24 + andi $6,0xFF00 + sll $30,$30,8 + or $10,$25 + or $6,$30 + or $10,$6 + lwl $11,3*4+3($5) + sll $25,$7,5 # 2 + addu $3,$31 + lwr $11,3*4+0($5) + srl $6,$7,27 + addu $3,$25 + xor $25,$1,$2 + addu $3,$6 + sll $30,$24,30 + and $25,$24 + srl $24,$24,2 + xor $25,$2 + addu $3,$10 + or $24,$30 + addu $3,$25 + srl $25,$11,24 # byte swap(3) + srl $6,$11,8 + andi $30,$11,0xFF00 + sll $11,$11,24 + andi $6,0xFF00 + sll $30,$30,8 + or $11,$25 + or $6,$30 + or $11,$6 + lwl 
$12,4*4+3($5) + sll $25,$3,5 # 3 + addu $2,$31 + lwr $12,4*4+0($5) + srl $6,$3,27 + addu $2,$25 + xor $25,$24,$1 + addu $2,$6 + sll $30,$7,30 + and $25,$7 + srl $7,$7,2 + xor $25,$1 + addu $2,$11 + or $7,$30 + addu $2,$25 + srl $25,$12,24 # byte swap(4) + srl $6,$12,8 + andi $30,$12,0xFF00 + sll $12,$12,24 + andi $6,0xFF00 + sll $30,$30,8 + or $12,$25 + or $6,$30 + or $12,$6 + lwl $13,5*4+3($5) + sll $25,$2,5 # 4 + addu $1,$31 + lwr $13,5*4+0($5) + srl $6,$2,27 + addu $1,$25 + xor $25,$7,$24 + addu $1,$6 + sll $30,$3,30 + and $25,$3 + srl $3,$3,2 + xor $25,$24 + addu $1,$12 + or $3,$30 + addu $1,$25 + srl $25,$13,24 # byte swap(5) + srl $6,$13,8 + andi $30,$13,0xFF00 + sll $13,$13,24 + andi $6,0xFF00 + sll $30,$30,8 + or $13,$25 + or $6,$30 + or $13,$6 + lwl $14,6*4+3($5) + sll $25,$1,5 # 5 + addu $24,$31 + lwr $14,6*4+0($5) + srl $6,$1,27 + addu $24,$25 + xor $25,$3,$7 + addu $24,$6 + sll $30,$2,30 + and $25,$2 + srl $2,$2,2 + xor $25,$7 + addu $24,$13 + or $2,$30 + addu $24,$25 + srl $25,$14,24 # byte swap(6) + srl $6,$14,8 + andi $30,$14,0xFF00 + sll $14,$14,24 + andi $6,0xFF00 + sll $30,$30,8 + or $14,$25 + or $6,$30 + or $14,$6 + lwl $15,7*4+3($5) + sll $25,$24,5 # 6 + addu $7,$31 + lwr $15,7*4+0($5) + srl $6,$24,27 + addu $7,$25 + xor $25,$2,$3 + addu $7,$6 + sll $30,$1,30 + and $25,$1 + srl $1,$1,2 + xor $25,$3 + addu $7,$14 + or $1,$30 + addu $7,$25 + srl $25,$15,24 # byte swap(7) + srl $6,$15,8 + andi $30,$15,0xFF00 + sll $15,$15,24 + andi $6,0xFF00 + sll $30,$30,8 + or $15,$25 + or $6,$30 + or $15,$6 + lwl $16,8*4+3($5) + sll $25,$7,5 # 7 + addu $3,$31 + lwr $16,8*4+0($5) + srl $6,$7,27 + addu $3,$25 + xor $25,$1,$2 + addu $3,$6 + sll $30,$24,30 + and $25,$24 + srl $24,$24,2 + xor $25,$2 + addu $3,$15 + or $24,$30 + addu $3,$25 + srl $25,$16,24 # byte swap(8) + srl $6,$16,8 + andi $30,$16,0xFF00 + sll $16,$16,24 + andi $6,0xFF00 + sll $30,$30,8 + or $16,$25 + or $6,$30 + or $16,$6 + lwl $17,9*4+3($5) + sll $25,$3,5 # 8 + addu $2,$31 + lwr $17,9*4+0($5) + 
srl $6,$3,27 + addu $2,$25 + xor $25,$24,$1 + addu $2,$6 + sll $30,$7,30 + and $25,$7 + srl $7,$7,2 + xor $25,$1 + addu $2,$16 + or $7,$30 + addu $2,$25 + srl $25,$17,24 # byte swap(9) + srl $6,$17,8 + andi $30,$17,0xFF00 + sll $17,$17,24 + andi $6,0xFF00 + sll $30,$30,8 + or $17,$25 + or $6,$30 + or $17,$6 + lwl $18,10*4+3($5) + sll $25,$2,5 # 9 + addu $1,$31 + lwr $18,10*4+0($5) + srl $6,$2,27 + addu $1,$25 + xor $25,$7,$24 + addu $1,$6 + sll $30,$3,30 + and $25,$3 + srl $3,$3,2 + xor $25,$24 + addu $1,$17 + or $3,$30 + addu $1,$25 + srl $25,$18,24 # byte swap(10) + srl $6,$18,8 + andi $30,$18,0xFF00 + sll $18,$18,24 + andi $6,0xFF00 + sll $30,$30,8 + or $18,$25 + or $6,$30 + or $18,$6 + lwl $19,11*4+3($5) + sll $25,$1,5 # 10 + addu $24,$31 + lwr $19,11*4+0($5) + srl $6,$1,27 + addu $24,$25 + xor $25,$3,$7 + addu $24,$6 + sll $30,$2,30 + and $25,$2 + srl $2,$2,2 + xor $25,$7 + addu $24,$18 + or $2,$30 + addu $24,$25 + srl $25,$19,24 # byte swap(11) + srl $6,$19,8 + andi $30,$19,0xFF00 + sll $19,$19,24 + andi $6,0xFF00 + sll $30,$30,8 + or $19,$25 + or $6,$30 + or $19,$6 + lwl $20,12*4+3($5) + sll $25,$24,5 # 11 + addu $7,$31 + lwr $20,12*4+0($5) + srl $6,$24,27 + addu $7,$25 + xor $25,$2,$3 + addu $7,$6 + sll $30,$1,30 + and $25,$1 + srl $1,$1,2 + xor $25,$3 + addu $7,$19 + or $1,$30 + addu $7,$25 + srl $25,$20,24 # byte swap(12) + srl $6,$20,8 + andi $30,$20,0xFF00 + sll $20,$20,24 + andi $6,0xFF00 + sll $30,$30,8 + or $20,$25 + or $6,$30 + or $20,$6 + lwl $21,13*4+3($5) + sll $25,$7,5 # 12 + addu $3,$31 + lwr $21,13*4+0($5) + srl $6,$7,27 + addu $3,$25 + xor $25,$1,$2 + addu $3,$6 + sll $30,$24,30 + and $25,$24 + srl $24,$24,2 + xor $25,$2 + addu $3,$20 + or $24,$30 + addu $3,$25 + srl $25,$21,24 # byte swap(13) + srl $6,$21,8 + andi $30,$21,0xFF00 + sll $21,$21,24 + andi $6,0xFF00 + sll $30,$30,8 + or $21,$25 + or $6,$30 + or $21,$6 + lwl $22,14*4+3($5) + sll $25,$3,5 # 13 + addu $2,$31 + lwr $22,14*4+0($5) + srl $6,$3,27 + addu $2,$25 + xor $25,$24,$1 + addu 
$2,$6 + sll $30,$7,30 + and $25,$7 + srl $7,$7,2 + xor $25,$1 + addu $2,$21 + or $7,$30 + addu $2,$25 + srl $25,$22,24 # byte swap(14) + srl $6,$22,8 + andi $30,$22,0xFF00 + sll $22,$22,24 + andi $6,0xFF00 + sll $30,$30,8 + or $22,$25 + or $6,$30 + or $22,$6 + lwl $23,15*4+3($5) + sll $25,$2,5 # 14 + addu $1,$31 + lwr $23,15*4+0($5) + srl $6,$2,27 + addu $1,$25 + xor $25,$7,$24 + addu $1,$6 + sll $30,$3,30 + and $25,$3 + srl $3,$3,2 + xor $25,$24 + addu $1,$22 + or $3,$30 + addu $1,$25 + srl $25,$23,24 # byte swap(15) + srl $6,$23,8 + andi $30,$23,0xFF00 + sll $23,$23,24 + andi $6,0xFF00 + sll $30,$30,8 + or $23,$25 + or $23,$6 + or $23,$30 + xor $8,$10 + sll $25,$1,5 # 15 + addu $24,$31 + srl $6,$1,27 + addu $24,$25 + xor $8,$16 + xor $25,$3,$7 + addu $24,$6 + xor $8,$21 + sll $30,$2,30 + and $25,$2 + srl $6,$8,31 + addu $8,$8 + srl $2,$2,2 + xor $25,$7 + or $8,$6 + addu $24,$23 + or $2,$30 + addu $24,$25 + xor $9,$11 + sll $25,$24,5 # 16 + addu $7,$31 + srl $6,$24,27 + addu $7,$25 + xor $9,$17 + xor $25,$2,$3 + addu $7,$6 + xor $9,$22 + sll $30,$1,30 + and $25,$1 + srl $6,$9,31 + addu $9,$9 + srl $1,$1,2 + xor $25,$3 + or $9,$6 + addu $7,$8 + or $1,$30 + addu $7,$25 + xor $10,$12 + sll $25,$7,5 # 17 + addu $3,$31 + srl $6,$7,27 + addu $3,$25 + xor $10,$18 + xor $25,$1,$2 + addu $3,$6 + xor $10,$23 + sll $30,$24,30 + and $25,$24 + srl $6,$10,31 + addu $10,$10 + srl $24,$24,2 + xor $25,$2 + or $10,$6 + addu $3,$9 + or $24,$30 + addu $3,$25 + xor $11,$13 + sll $25,$3,5 # 18 + addu $2,$31 + srl $6,$3,27 + addu $2,$25 + xor $11,$19 + xor $25,$24,$1 + addu $2,$6 + xor $11,$8 + sll $30,$7,30 + and $25,$7 + srl $6,$11,31 + addu $11,$11 + srl $7,$7,2 + xor $25,$1 + or $11,$6 + addu $2,$10 + or $7,$30 + addu $2,$25 + xor $12,$14 + sll $25,$2,5 # 19 + addu $1,$31 + srl $6,$2,27 + addu $1,$25 + xor $12,$20 + xor $25,$7,$24 + addu $1,$6 + xor $12,$9 + sll $30,$3,30 + and $25,$3 + srl $6,$12,31 + addu $12,$12 + srl $3,$3,2 + xor $25,$24 + or $12,$6 + addu $1,$11 + or $3,$30 + 
addu $1,$25 + lui $31,0x6ed9 + ori $31,0xeba1 # K_20_39 + xor $13,$15 + sll $25,$1,5 # 20 + addu $24,$31 + srl $6,$1,27 + addu $24,$25 + xor $13,$21 + xor $25,$3,$7 + addu $24,$6 + xor $13,$10 + sll $30,$2,30 + xor $25,$2 + srl $6,$13,31 + addu $13,$13 + srl $2,$2,2 + addu $24,$12 + or $13,$6 + or $2,$30 + addu $24,$25 + xor $14,$16 + sll $25,$24,5 # 21 + addu $7,$31 + srl $6,$24,27 + addu $7,$25 + xor $14,$22 + xor $25,$2,$3 + addu $7,$6 + xor $14,$11 + sll $30,$1,30 + xor $25,$1 + srl $6,$14,31 + addu $14,$14 + srl $1,$1,2 + addu $7,$13 + or $14,$6 + or $1,$30 + addu $7,$25 + xor $15,$17 + sll $25,$7,5 # 22 + addu $3,$31 + srl $6,$7,27 + addu $3,$25 + xor $15,$23 + xor $25,$1,$2 + addu $3,$6 + xor $15,$12 + sll $30,$24,30 + xor $25,$24 + srl $6,$15,31 + addu $15,$15 + srl $24,$24,2 + addu $3,$14 + or $15,$6 + or $24,$30 + addu $3,$25 + xor $16,$18 + sll $25,$3,5 # 23 + addu $2,$31 + srl $6,$3,27 + addu $2,$25 + xor $16,$8 + xor $25,$24,$1 + addu $2,$6 + xor $16,$13 + sll $30,$7,30 + xor $25,$7 + srl $6,$16,31 + addu $16,$16 + srl $7,$7,2 + addu $2,$15 + or $16,$6 + or $7,$30 + addu $2,$25 + xor $17,$19 + sll $25,$2,5 # 24 + addu $1,$31 + srl $6,$2,27 + addu $1,$25 + xor $17,$9 + xor $25,$7,$24 + addu $1,$6 + xor $17,$14 + sll $30,$3,30 + xor $25,$3 + srl $6,$17,31 + addu $17,$17 + srl $3,$3,2 + addu $1,$16 + or $17,$6 + or $3,$30 + addu $1,$25 + xor $18,$20 + sll $25,$1,5 # 25 + addu $24,$31 + srl $6,$1,27 + addu $24,$25 + xor $18,$10 + xor $25,$3,$7 + addu $24,$6 + xor $18,$15 + sll $30,$2,30 + xor $25,$2 + srl $6,$18,31 + addu $18,$18 + srl $2,$2,2 + addu $24,$17 + or $18,$6 + or $2,$30 + addu $24,$25 + xor $19,$21 + sll $25,$24,5 # 26 + addu $7,$31 + srl $6,$24,27 + addu $7,$25 + xor $19,$11 + xor $25,$2,$3 + addu $7,$6 + xor $19,$16 + sll $30,$1,30 + xor $25,$1 + srl $6,$19,31 + addu $19,$19 + srl $1,$1,2 + addu $7,$18 + or $19,$6 + or $1,$30 + addu $7,$25 + xor $20,$22 + sll $25,$7,5 # 27 + addu $3,$31 + srl $6,$7,27 + addu $3,$25 + xor $20,$12 + xor 
$25,$1,$2 + addu $3,$6 + xor $20,$17 + sll $30,$24,30 + xor $25,$24 + srl $6,$20,31 + addu $20,$20 + srl $24,$24,2 + addu $3,$19 + or $20,$6 + or $24,$30 + addu $3,$25 + xor $21,$23 + sll $25,$3,5 # 28 + addu $2,$31 + srl $6,$3,27 + addu $2,$25 + xor $21,$13 + xor $25,$24,$1 + addu $2,$6 + xor $21,$18 + sll $30,$7,30 + xor $25,$7 + srl $6,$21,31 + addu $21,$21 + srl $7,$7,2 + addu $2,$20 + or $21,$6 + or $7,$30 + addu $2,$25 + xor $22,$8 + sll $25,$2,5 # 29 + addu $1,$31 + srl $6,$2,27 + addu $1,$25 + xor $22,$14 + xor $25,$7,$24 + addu $1,$6 + xor $22,$19 + sll $30,$3,30 + xor $25,$3 + srl $6,$22,31 + addu $22,$22 + srl $3,$3,2 + addu $1,$21 + or $22,$6 + or $3,$30 + addu $1,$25 + xor $23,$9 + sll $25,$1,5 # 30 + addu $24,$31 + srl $6,$1,27 + addu $24,$25 + xor $23,$15 + xor $25,$3,$7 + addu $24,$6 + xor $23,$20 + sll $30,$2,30 + xor $25,$2 + srl $6,$23,31 + addu $23,$23 + srl $2,$2,2 + addu $24,$22 + or $23,$6 + or $2,$30 + addu $24,$25 + xor $8,$10 + sll $25,$24,5 # 31 + addu $7,$31 + srl $6,$24,27 + addu $7,$25 + xor $8,$16 + xor $25,$2,$3 + addu $7,$6 + xor $8,$21 + sll $30,$1,30 + xor $25,$1 + srl $6,$8,31 + addu $8,$8 + srl $1,$1,2 + addu $7,$23 + or $8,$6 + or $1,$30 + addu $7,$25 + xor $9,$11 + sll $25,$7,5 # 32 + addu $3,$31 + srl $6,$7,27 + addu $3,$25 + xor $9,$17 + xor $25,$1,$2 + addu $3,$6 + xor $9,$22 + sll $30,$24,30 + xor $25,$24 + srl $6,$9,31 + addu $9,$9 + srl $24,$24,2 + addu $3,$8 + or $9,$6 + or $24,$30 + addu $3,$25 + xor $10,$12 + sll $25,$3,5 # 33 + addu $2,$31 + srl $6,$3,27 + addu $2,$25 + xor $10,$18 + xor $25,$24,$1 + addu $2,$6 + xor $10,$23 + sll $30,$7,30 + xor $25,$7 + srl $6,$10,31 + addu $10,$10 + srl $7,$7,2 + addu $2,$9 + or $10,$6 + or $7,$30 + addu $2,$25 + xor $11,$13 + sll $25,$2,5 # 34 + addu $1,$31 + srl $6,$2,27 + addu $1,$25 + xor $11,$19 + xor $25,$7,$24 + addu $1,$6 + xor $11,$8 + sll $30,$3,30 + xor $25,$3 + srl $6,$11,31 + addu $11,$11 + srl $3,$3,2 + addu $1,$10 + or $11,$6 + or $3,$30 + addu $1,$25 + xor $12,$14 
+ sll $25,$1,5 # 35 + addu $24,$31 + srl $6,$1,27 + addu $24,$25 + xor $12,$20 + xor $25,$3,$7 + addu $24,$6 + xor $12,$9 + sll $30,$2,30 + xor $25,$2 + srl $6,$12,31 + addu $12,$12 + srl $2,$2,2 + addu $24,$11 + or $12,$6 + or $2,$30 + addu $24,$25 + xor $13,$15 + sll $25,$24,5 # 36 + addu $7,$31 + srl $6,$24,27 + addu $7,$25 + xor $13,$21 + xor $25,$2,$3 + addu $7,$6 + xor $13,$10 + sll $30,$1,30 + xor $25,$1 + srl $6,$13,31 + addu $13,$13 + srl $1,$1,2 + addu $7,$12 + or $13,$6 + or $1,$30 + addu $7,$25 + xor $14,$16 + sll $25,$7,5 # 37 + addu $3,$31 + srl $6,$7,27 + addu $3,$25 + xor $14,$22 + xor $25,$1,$2 + addu $3,$6 + xor $14,$11 + sll $30,$24,30 + xor $25,$24 + srl $6,$14,31 + addu $14,$14 + srl $24,$24,2 + addu $3,$13 + or $14,$6 + or $24,$30 + addu $3,$25 + xor $15,$17 + sll $25,$3,5 # 38 + addu $2,$31 + srl $6,$3,27 + addu $2,$25 + xor $15,$23 + xor $25,$24,$1 + addu $2,$6 + xor $15,$12 + sll $30,$7,30 + xor $25,$7 + srl $6,$15,31 + addu $15,$15 + srl $7,$7,2 + addu $2,$14 + or $15,$6 + or $7,$30 + addu $2,$25 + xor $16,$18 + sll $25,$2,5 # 39 + addu $1,$31 + srl $6,$2,27 + addu $1,$25 + xor $16,$8 + xor $25,$7,$24 + addu $1,$6 + xor $16,$13 + sll $30,$3,30 + xor $25,$3 + srl $6,$16,31 + addu $16,$16 + srl $3,$3,2 + addu $1,$15 + or $16,$6 + or $3,$30 + addu $1,$25 + lui $31,0x8f1b + ori $31,0xbcdc # K_40_59 + xor $17,$19 + sll $25,$1,5 # 40 + addu $24,$31 + srl $6,$1,27 + addu $24,$25 + xor $17,$9 + and $25,$3,$7 + addu $24,$6 + xor $17,$14 + sll $30,$2,30 + addu $24,$25 + srl $6,$17,31 + xor $25,$3,$7 + addu $17,$17 + and $25,$2 + srl $2,$2,2 + or $17,$6 + addu $24,$16 + or $2,$30 + addu $24,$25 + xor $18,$20 + sll $25,$24,5 # 41 + addu $7,$31 + srl $6,$24,27 + addu $7,$25 + xor $18,$10 + and $25,$2,$3 + addu $7,$6 + xor $18,$15 + sll $30,$1,30 + addu $7,$25 + srl $6,$18,31 + xor $25,$2,$3 + addu $18,$18 + and $25,$1 + srl $1,$1,2 + or $18,$6 + addu $7,$17 + or $1,$30 + addu $7,$25 + xor $19,$21 + sll $25,$7,5 # 42 + addu $3,$31 + srl $6,$7,27 + addu 
$3,$25 + xor $19,$11 + and $25,$1,$2 + addu $3,$6 + xor $19,$16 + sll $30,$24,30 + addu $3,$25 + srl $6,$19,31 + xor $25,$1,$2 + addu $19,$19 + and $25,$24 + srl $24,$24,2 + or $19,$6 + addu $3,$18 + or $24,$30 + addu $3,$25 + xor $20,$22 + sll $25,$3,5 # 43 + addu $2,$31 + srl $6,$3,27 + addu $2,$25 + xor $20,$12 + and $25,$24,$1 + addu $2,$6 + xor $20,$17 + sll $30,$7,30 + addu $2,$25 + srl $6,$20,31 + xor $25,$24,$1 + addu $20,$20 + and $25,$7 + srl $7,$7,2 + or $20,$6 + addu $2,$19 + or $7,$30 + addu $2,$25 + xor $21,$23 + sll $25,$2,5 # 44 + addu $1,$31 + srl $6,$2,27 + addu $1,$25 + xor $21,$13 + and $25,$7,$24 + addu $1,$6 + xor $21,$18 + sll $30,$3,30 + addu $1,$25 + srl $6,$21,31 + xor $25,$7,$24 + addu $21,$21 + and $25,$3 + srl $3,$3,2 + or $21,$6 + addu $1,$20 + or $3,$30 + addu $1,$25 + xor $22,$8 + sll $25,$1,5 # 45 + addu $24,$31 + srl $6,$1,27 + addu $24,$25 + xor $22,$14 + and $25,$3,$7 + addu $24,$6 + xor $22,$19 + sll $30,$2,30 + addu $24,$25 + srl $6,$22,31 + xor $25,$3,$7 + addu $22,$22 + and $25,$2 + srl $2,$2,2 + or $22,$6 + addu $24,$21 + or $2,$30 + addu $24,$25 + xor $23,$9 + sll $25,$24,5 # 46 + addu $7,$31 + srl $6,$24,27 + addu $7,$25 + xor $23,$15 + and $25,$2,$3 + addu $7,$6 + xor $23,$20 + sll $30,$1,30 + addu $7,$25 + srl $6,$23,31 + xor $25,$2,$3 + addu $23,$23 + and $25,$1 + srl $1,$1,2 + or $23,$6 + addu $7,$22 + or $1,$30 + addu $7,$25 + xor $8,$10 + sll $25,$7,5 # 47 + addu $3,$31 + srl $6,$7,27 + addu $3,$25 + xor $8,$16 + and $25,$1,$2 + addu $3,$6 + xor $8,$21 + sll $30,$24,30 + addu $3,$25 + srl $6,$8,31 + xor $25,$1,$2 + addu $8,$8 + and $25,$24 + srl $24,$24,2 + or $8,$6 + addu $3,$23 + or $24,$30 + addu $3,$25 + xor $9,$11 + sll $25,$3,5 # 48 + addu $2,$31 + srl $6,$3,27 + addu $2,$25 + xor $9,$17 + and $25,$24,$1 + addu $2,$6 + xor $9,$22 + sll $30,$7,30 + addu $2,$25 + srl $6,$9,31 + xor $25,$24,$1 + addu $9,$9 + and $25,$7 + srl $7,$7,2 + or $9,$6 + addu $2,$8 + or $7,$30 + addu $2,$25 + xor $10,$12 + sll $25,$2,5 # 
49 + addu $1,$31 + srl $6,$2,27 + addu $1,$25 + xor $10,$18 + and $25,$7,$24 + addu $1,$6 + xor $10,$23 + sll $30,$3,30 + addu $1,$25 + srl $6,$10,31 + xor $25,$7,$24 + addu $10,$10 + and $25,$3 + srl $3,$3,2 + or $10,$6 + addu $1,$9 + or $3,$30 + addu $1,$25 + xor $11,$13 + sll $25,$1,5 # 50 + addu $24,$31 + srl $6,$1,27 + addu $24,$25 + xor $11,$19 + and $25,$3,$7 + addu $24,$6 + xor $11,$8 + sll $30,$2,30 + addu $24,$25 + srl $6,$11,31 + xor $25,$3,$7 + addu $11,$11 + and $25,$2 + srl $2,$2,2 + or $11,$6 + addu $24,$10 + or $2,$30 + addu $24,$25 + xor $12,$14 + sll $25,$24,5 # 51 + addu $7,$31 + srl $6,$24,27 + addu $7,$25 + xor $12,$20 + and $25,$2,$3 + addu $7,$6 + xor $12,$9 + sll $30,$1,30 + addu $7,$25 + srl $6,$12,31 + xor $25,$2,$3 + addu $12,$12 + and $25,$1 + srl $1,$1,2 + or $12,$6 + addu $7,$11 + or $1,$30 + addu $7,$25 + xor $13,$15 + sll $25,$7,5 # 52 + addu $3,$31 + srl $6,$7,27 + addu $3,$25 + xor $13,$21 + and $25,$1,$2 + addu $3,$6 + xor $13,$10 + sll $30,$24,30 + addu $3,$25 + srl $6,$13,31 + xor $25,$1,$2 + addu $13,$13 + and $25,$24 + srl $24,$24,2 + or $13,$6 + addu $3,$12 + or $24,$30 + addu $3,$25 + xor $14,$16 + sll $25,$3,5 # 53 + addu $2,$31 + srl $6,$3,27 + addu $2,$25 + xor $14,$22 + and $25,$24,$1 + addu $2,$6 + xor $14,$11 + sll $30,$7,30 + addu $2,$25 + srl $6,$14,31 + xor $25,$24,$1 + addu $14,$14 + and $25,$7 + srl $7,$7,2 + or $14,$6 + addu $2,$13 + or $7,$30 + addu $2,$25 + xor $15,$17 + sll $25,$2,5 # 54 + addu $1,$31 + srl $6,$2,27 + addu $1,$25 + xor $15,$23 + and $25,$7,$24 + addu $1,$6 + xor $15,$12 + sll $30,$3,30 + addu $1,$25 + srl $6,$15,31 + xor $25,$7,$24 + addu $15,$15 + and $25,$3 + srl $3,$3,2 + or $15,$6 + addu $1,$14 + or $3,$30 + addu $1,$25 + xor $16,$18 + sll $25,$1,5 # 55 + addu $24,$31 + srl $6,$1,27 + addu $24,$25 + xor $16,$8 + and $25,$3,$7 + addu $24,$6 + xor $16,$13 + sll $30,$2,30 + addu $24,$25 + srl $6,$16,31 + xor $25,$3,$7 + addu $16,$16 + and $25,$2 + srl $2,$2,2 + or $16,$6 + addu $24,$15 + or 
$2,$30 + addu $24,$25 + xor $17,$19 + sll $25,$24,5 # 56 + addu $7,$31 + srl $6,$24,27 + addu $7,$25 + xor $17,$9 + and $25,$2,$3 + addu $7,$6 + xor $17,$14 + sll $30,$1,30 + addu $7,$25 + srl $6,$17,31 + xor $25,$2,$3 + addu $17,$17 + and $25,$1 + srl $1,$1,2 + or $17,$6 + addu $7,$16 + or $1,$30 + addu $7,$25 + xor $18,$20 + sll $25,$7,5 # 57 + addu $3,$31 + srl $6,$7,27 + addu $3,$25 + xor $18,$10 + and $25,$1,$2 + addu $3,$6 + xor $18,$15 + sll $30,$24,30 + addu $3,$25 + srl $6,$18,31 + xor $25,$1,$2 + addu $18,$18 + and $25,$24 + srl $24,$24,2 + or $18,$6 + addu $3,$17 + or $24,$30 + addu $3,$25 + xor $19,$21 + sll $25,$3,5 # 58 + addu $2,$31 + srl $6,$3,27 + addu $2,$25 + xor $19,$11 + and $25,$24,$1 + addu $2,$6 + xor $19,$16 + sll $30,$7,30 + addu $2,$25 + srl $6,$19,31 + xor $25,$24,$1 + addu $19,$19 + and $25,$7 + srl $7,$7,2 + or $19,$6 + addu $2,$18 + or $7,$30 + addu $2,$25 + xor $20,$22 + sll $25,$2,5 # 59 + addu $1,$31 + srl $6,$2,27 + addu $1,$25 + xor $20,$12 + and $25,$7,$24 + addu $1,$6 + xor $20,$17 + sll $30,$3,30 + addu $1,$25 + srl $6,$20,31 + xor $25,$7,$24 + addu $20,$20 + and $25,$3 + srl $3,$3,2 + or $20,$6 + addu $1,$19 + or $3,$30 + addu $1,$25 + lui $31,0xca62 + ori $31,0xc1d6 # K_60_79 + xor $21,$23 + sll $25,$1,5 # 60 + addu $24,$31 + srl $6,$1,27 + addu $24,$25 + xor $21,$13 + xor $25,$3,$7 + addu $24,$6 + xor $21,$18 + sll $30,$2,30 + xor $25,$2 + srl $6,$21,31 + addu $21,$21 + srl $2,$2,2 + addu $24,$20 + or $21,$6 + or $2,$30 + addu $24,$25 + xor $22,$8 + sll $25,$24,5 # 61 + addu $7,$31 + srl $6,$24,27 + addu $7,$25 + xor $22,$14 + xor $25,$2,$3 + addu $7,$6 + xor $22,$19 + sll $30,$1,30 + xor $25,$1 + srl $6,$22,31 + addu $22,$22 + srl $1,$1,2 + addu $7,$21 + or $22,$6 + or $1,$30 + addu $7,$25 + xor $23,$9 + sll $25,$7,5 # 62 + addu $3,$31 + srl $6,$7,27 + addu $3,$25 + xor $23,$15 + xor $25,$1,$2 + addu $3,$6 + xor $23,$20 + sll $30,$24,30 + xor $25,$24 + srl $6,$23,31 + addu $23,$23 + srl $24,$24,2 + addu $3,$22 + or $23,$6 
+ or $24,$30 + addu $3,$25 + xor $8,$10 + sll $25,$3,5 # 63 + addu $2,$31 + srl $6,$3,27 + addu $2,$25 + xor $8,$16 + xor $25,$24,$1 + addu $2,$6 + xor $8,$21 + sll $30,$7,30 + xor $25,$7 + srl $6,$8,31 + addu $8,$8 + srl $7,$7,2 + addu $2,$23 + or $8,$6 + or $7,$30 + addu $2,$25 + xor $9,$11 + sll $25,$2,5 # 64 + addu $1,$31 + srl $6,$2,27 + addu $1,$25 + xor $9,$17 + xor $25,$7,$24 + addu $1,$6 + xor $9,$22 + sll $30,$3,30 + xor $25,$3 + srl $6,$9,31 + addu $9,$9 + srl $3,$3,2 + addu $1,$8 + or $9,$6 + or $3,$30 + addu $1,$25 + xor $10,$12 + sll $25,$1,5 # 65 + addu $24,$31 + srl $6,$1,27 + addu $24,$25 + xor $10,$18 + xor $25,$3,$7 + addu $24,$6 + xor $10,$23 + sll $30,$2,30 + xor $25,$2 + srl $6,$10,31 + addu $10,$10 + srl $2,$2,2 + addu $24,$9 + or $10,$6 + or $2,$30 + addu $24,$25 + xor $11,$13 + sll $25,$24,5 # 66 + addu $7,$31 + srl $6,$24,27 + addu $7,$25 + xor $11,$19 + xor $25,$2,$3 + addu $7,$6 + xor $11,$8 + sll $30,$1,30 + xor $25,$1 + srl $6,$11,31 + addu $11,$11 + srl $1,$1,2 + addu $7,$10 + or $11,$6 + or $1,$30 + addu $7,$25 + xor $12,$14 + sll $25,$7,5 # 67 + addu $3,$31 + srl $6,$7,27 + addu $3,$25 + xor $12,$20 + xor $25,$1,$2 + addu $3,$6 + xor $12,$9 + sll $30,$24,30 + xor $25,$24 + srl $6,$12,31 + addu $12,$12 + srl $24,$24,2 + addu $3,$11 + or $12,$6 + or $24,$30 + addu $3,$25 + xor $13,$15 + sll $25,$3,5 # 68 + addu $2,$31 + srl $6,$3,27 + addu $2,$25 + xor $13,$21 + xor $25,$24,$1 + addu $2,$6 + xor $13,$10 + sll $30,$7,30 + xor $25,$7 + srl $6,$13,31 + addu $13,$13 + srl $7,$7,2 + addu $2,$12 + or $13,$6 + or $7,$30 + addu $2,$25 + xor $14,$16 + sll $25,$2,5 # 69 + addu $1,$31 + srl $6,$2,27 + addu $1,$25 + xor $14,$22 + xor $25,$7,$24 + addu $1,$6 + xor $14,$11 + sll $30,$3,30 + xor $25,$3 + srl $6,$14,31 + addu $14,$14 + srl $3,$3,2 + addu $1,$13 + or $14,$6 + or $3,$30 + addu $1,$25 + xor $15,$17 + sll $25,$1,5 # 70 + addu $24,$31 + srl $6,$1,27 + addu $24,$25 + xor $15,$23 + xor $25,$3,$7 + addu $24,$6 + xor $15,$12 + sll $30,$2,30 + 
xor $25,$2 + srl $6,$15,31 + addu $15,$15 + srl $2,$2,2 + addu $24,$14 + or $15,$6 + or $2,$30 + addu $24,$25 + xor $16,$18 + sll $25,$24,5 # 71 + addu $7,$31 + srl $6,$24,27 + addu $7,$25 + xor $16,$8 + xor $25,$2,$3 + addu $7,$6 + xor $16,$13 + sll $30,$1,30 + xor $25,$1 + srl $6,$16,31 + addu $16,$16 + srl $1,$1,2 + addu $7,$15 + or $16,$6 + or $1,$30 + addu $7,$25 + xor $17,$19 + sll $25,$7,5 # 72 + addu $3,$31 + srl $6,$7,27 + addu $3,$25 + xor $17,$9 + xor $25,$1,$2 + addu $3,$6 + xor $17,$14 + sll $30,$24,30 + xor $25,$24 + srl $6,$17,31 + addu $17,$17 + srl $24,$24,2 + addu $3,$16 + or $17,$6 + or $24,$30 + addu $3,$25 + xor $18,$20 + sll $25,$3,5 # 73 + addu $2,$31 + srl $6,$3,27 + addu $2,$25 + xor $18,$10 + xor $25,$24,$1 + addu $2,$6 + xor $18,$15 + sll $30,$7,30 + xor $25,$7 + srl $6,$18,31 + addu $18,$18 + srl $7,$7,2 + addu $2,$17 + or $18,$6 + or $7,$30 + addu $2,$25 + xor $19,$21 + sll $25,$2,5 # 74 + addu $1,$31 + srl $6,$2,27 + addu $1,$25 + xor $19,$11 + xor $25,$7,$24 + addu $1,$6 + xor $19,$16 + sll $30,$3,30 + xor $25,$3 + srl $6,$19,31 + addu $19,$19 + srl $3,$3,2 + addu $1,$18 + or $19,$6 + or $3,$30 + addu $1,$25 + xor $20,$22 + sll $25,$1,5 # 75 + addu $24,$31 + srl $6,$1,27 + addu $24,$25 + xor $20,$12 + xor $25,$3,$7 + addu $24,$6 + xor $20,$17 + sll $30,$2,30 + xor $25,$2 + srl $6,$20,31 + addu $20,$20 + srl $2,$2,2 + addu $24,$19 + or $20,$6 + or $2,$30 + addu $24,$25 + xor $21,$23 + sll $25,$24,5 # 76 + addu $7,$31 + srl $6,$24,27 + addu $7,$25 + xor $21,$13 + xor $25,$2,$3 + addu $7,$6 + xor $21,$18 + sll $30,$1,30 + xor $25,$1 + srl $6,$21,31 + addu $21,$21 + srl $1,$1,2 + addu $7,$20 + or $21,$6 + or $1,$30 + addu $7,$25 + xor $22,$8 + sll $25,$7,5 # 77 + addu $3,$31 + srl $6,$7,27 + addu $3,$25 + xor $22,$14 + xor $25,$1,$2 + addu $3,$6 + xor $22,$19 + sll $30,$24,30 + xor $25,$24 + srl $6,$22,31 + addu $22,$22 + srl $24,$24,2 + addu $3,$21 + or $22,$6 + or $24,$30 + addu $3,$25 + xor $23,$9 + sll $25,$3,5 # 78 + addu $2,$31 + 
srl $6,$3,27 + addu $2,$25 + xor $23,$15 + xor $25,$24,$1 + addu $2,$6 + xor $23,$20 + sll $30,$7,30 + xor $25,$7 + srl $6,$23,31 + addu $23,$23 + srl $7,$7,2 + addu $2,$22 + or $23,$6 + or $7,$30 + addu $2,$25 + lw $8,0($4) + sll $25,$2,5 # 79 + addu $1,$31 + lw $9,4($4) + srl $6,$2,27 + addu $1,$25 + lw $10,8($4) + xor $25,$7,$24 + addu $1,$6 + lw $11,12($4) + sll $30,$3,30 + xor $25,$3 + lw $12,16($4) + srl $3,$3,2 + addu $1,$23 + or $3,$30 + addu $1,$25 + add $5,64 + lw $6,0($29) + + addu $1,$8 + addu $2,$9 + sw $1,0($4) + addu $3,$10 + addu $7,$11 + sw $2,4($4) + addu $24,$12 + sw $3,8($4) + sw $7,12($4) + sw $24,16($4) + .set noreorder + bne $5,$6,.Loop + nop + + .set noreorder + lw $31,(16-1)*4($29) + lw $30,(16-2)*4($29) + lw $23,(16-3)*4($29) + lw $22,(16-4)*4($29) + lw $21,(16-5)*4($29) + lw $20,(16-6)*4($29) + lw $19,(16-7)*4($29) + lw $18,(16-8)*4($29) + lw $17,(16-9)*4($29) + lw $16,(16-10)*4($29) + jr $31 + add $29,16*4 +.end sha1_block_data_order +.rdata +.asciiz "SHA1 for MIPS, CRYPTOGAMS by " +#if defined(HAVE_GNU_STACK) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/sha/sha1.c b/crypto/sha/sha1.c new file mode 100644 index 0000000..25c87e9 --- /dev/null +++ b/crypto/sha/sha1.c 
@@ -0,0 +1,460 @@
+/* $OpenBSD: sha1.c,v 1.5 2023/04/11 10:39:50 jsing Exp $ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to. The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code. The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * "This product includes cryptographic software written by
+ * Eric Young (eay@cryptsoft.com)"
+ * The word 'cryptographic' can be left out if the rouines from the library
+ * being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ * the apps directory (application code) you must include an acknowledgement:
+ * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed. i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+#include
+#include
+
+#include
+
+#include
+#include
+
+#if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA)
+
+#define DATA_ORDER_IS_BIG_ENDIAN
+
+#define HASH_LONG SHA_LONG
+#define HASH_CTX SHA_CTX
+#define HASH_CBLOCK SHA_CBLOCK
+#define HASH_MAKE_STRING(c, s) do { \
+ unsigned long ll; \
+ ll=(c)->h0; HOST_l2c(ll,(s)); \
+ ll=(c)->h1; HOST_l2c(ll,(s)); \
+ ll=(c)->h2; HOST_l2c(ll,(s)); \
+ ll=(c)->h3; HOST_l2c(ll,(s)); \
+ ll=(c)->h4; HOST_l2c(ll,(s)); \
+ } while (0)
+
+#define HASH_UPDATE SHA1_Update
+#define HASH_TRANSFORM SHA1_Transform
+#define HASH_FINAL SHA1_Final
+#define HASH_INIT SHA1_Init
+#define HASH_BLOCK_DATA_ORDER sha1_block_data_order
+#define Xupdate(a, ix, ia, ib, ic, id) ( (a)=(ia^ib^ic^id), \
+ ix=(a)=ROTATE((a),1) \
+ )
+
+#ifndef SHA1_ASM
+static
+#endif
+void sha1_block_data_order(SHA_CTX *c, const void *p, size_t num);
+
+#include "md32_common.h"
+
+int
+SHA1_Init(SHA_CTX *c)
+{
+ memset(c, 0, sizeof(*c));
+
+ c->h0 = 0x67452301UL;
+ c->h1 = 0xefcdab89UL;
+ c->h2 = 0x98badcfeUL;
+ c->h3 = 0x10325476UL;
+ c->h4 = 0xc3d2e1f0UL;
+
+ return 1;
+}
+
+#define K_00_19 0x5a827999UL
+#define K_20_39 0x6ed9eba1UL
+#define K_40_59 0x8f1bbcdcUL
+#define K_60_79 0xca62c1d6UL
+
+/* As pointed out by Wei Dai , F() below can be
+ * simplified to the code in F_00_19. Wei attributes these optimisations
+ * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel.
+ * #define F(x,y,z) (((x) & (y)) | ((~(x)) & (z)))
+ * I've just become aware of another tweak to be made, again from Wei Dai,
+ * in F_40_59, (x&a)|(y&a) -> (x|y)&a
+ */
+#define F_00_19(b, c, d) ((((c) ^ (d)) & (b)) ^ (d))
+#define F_20_39(b, c, d) ((b) ^ (c) ^ (d))
+#define F_40_59(b, c, d) (((b) & (c)) | (((b)|(c)) & (d)))
+#define F_60_79(b, c, d) F_20_39(b, c, d)
+
+#ifndef OPENSSL_SMALL_FOOTPRINT
+
+#define BODY_00_15(i, a, b, c, d, e, f, xi) \
+ (f)=xi+(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \
+ (b)=ROTATE((b),30);
+
+#define BODY_16_19(i, a, b, c, d, e, f, xi, xa, xb, xc, xd) \
+ Xupdate(f, xi, xa, xb, xc, xd); \
+ (f)+=(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \
+ (b)=ROTATE((b),30);
+
+#define BODY_20_31(i, a, b, c, d, e, f, xi, xa, xb, xc, xd) \
+ Xupdate(f, xi, xa, xb, xc, xd); \
+ (f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \
+ (b)=ROTATE((b),30);
+
+#define BODY_32_39(i, a, b, c, d, e, f, xa, xb, xc, xd) \
+ Xupdate(f, xa, xa, xb, xc, xd); \
+ (f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \
+ (b)=ROTATE((b),30);
+
+#define BODY_40_59(i, a, b, c, d, e, f, xa, xb, xc, xd) \
+ Xupdate(f, xa, xa, xb, xc, xd); \
+ (f)+=(e)+K_40_59+ROTATE((a),5)+F_40_59((b),(c),(d)); \
+ (b)=ROTATE((b),30);
+
+#define BODY_60_79(i, a, b, c, d, e, f, xa, xb, xc, xd) \
+ Xupdate(f, xa, xa, xb, xc, xd); \
+ (f)=xa+(e)+K_60_79+ROTATE((a),5)+F_60_79((b),(c),(d)); \
+ (b)=ROTATE((b),30);
+
+#if !defined(SHA1_ASM)
+#include
+static void
+sha1_block_data_order(SHA_CTX *c, const void *p, size_t num)
+{
+ const unsigned char *data = p;
+ unsigned MD32_REG_T A, B, C, D, E, T, l;
+ unsigned MD32_REG_T X0, X1, X2, X3, X4, X5, X6, X7,
+ X8, X9, X10, X11, X12, X13, X14, X15;
+
+ A = c->h0;
+ B = c->h1;
+ C = c->h2;
+ D = c->h3;
+ E = c->h4;
+
+ for (;;) {
+
+ if (BYTE_ORDER != LITTLE_ENDIAN &&
+ sizeof(SHA_LONG) == 4 && ((size_t)p % 4) == 0) {
+ const SHA_LONG *W = (const SHA_LONG *)data;
+
+ X0 = W[0];
+ X1 = W[1];
+ BODY_00_15( 0, A, B, C, D, E, T, X0);
+ X2 = W[2];
+ BODY_00_15( 1, T, A, B, C, D, E, X1);
+ X3 = W[3];
+ BODY_00_15( 2, E, T, A, B, C, D, X2);
+ X4 = W[4];
+ BODY_00_15( 3, D, E, T, A, B, C, X3);
+ X5 = W[5];
+ BODY_00_15( 4, C, D, E, T, A, B, X4);
+ X6 = W[6];
+ BODY_00_15( 5, B, C, D, E, T, A, X5);
+ X7 = W[7];
+ BODY_00_15( 6, A, B, C, D, E, T, X6);
+ X8 = W[8];
+ BODY_00_15( 7, T, A, B, C, D, E, X7);
+ X9 = W[9];
+ BODY_00_15( 8, E, T, A, B, C, D, X8);
+ X10 = W[10];
+ BODY_00_15( 9, D, E, T, A, B, C, X9);
+ X11 = W[11];
+ BODY_00_15(10, C, D, E, T, A, B, X10);
+ X12 = W[12];
+ BODY_00_15(11, B, C, D, E, T, A, X11);
+ X13 = W[13];
+ BODY_00_15(12, A, B, C, D, E, T, X12);
+ X14 = W[14];
+ BODY_00_15(13, T, A, B, C, D, E, X13);
+ X15 = W[15];
+ BODY_00_15(14, E, T, A, B, C, D, X14);
+ BODY_00_15(15, D, E, T, A, B, C, X15);
+
+ data += SHA_CBLOCK;
+ } else {
+ HOST_c2l(data, l);
+ X0 = l;
+ HOST_c2l(data, l);
+ X1 = l;
+ BODY_00_15( 0, A, B, C, D, E, T, X0);
+ HOST_c2l(data, l);
+ X2 = l;
+ BODY_00_15( 1, T, A, B, C, D, E, X1);
+ HOST_c2l(data, l);
+ X3 = l;
+ BODY_00_15( 2, E, T, A, B, C, D, X2);
+ HOST_c2l(data, l);
+ X4 = l;
+ BODY_00_15( 3, D, E, T, A, B, C, X3);
+ HOST_c2l(data, l);
+ X5 = l;
+ BODY_00_15( 4, C, D, E, T, A, B, X4);
+ HOST_c2l(data, l);
+ X6 = l;
+ BODY_00_15( 5, B, C, D, E, T, A, X5);
+ HOST_c2l(data, l);
+ X7 = l;
+ BODY_00_15( 6, A, B, C, D, E, T, X6);
+ HOST_c2l(data, l);
+ X8 = l;
+ BODY_00_15( 7, T, A, B, C, D, E, X7);
+ HOST_c2l(data, l);
+ X9 = l;
+ BODY_00_15( 8, E, T, A, B, C, D, X8);
+ HOST_c2l(data, l);
+ X10 = l;
+ BODY_00_15( 9, D, E, T, A, B, C, X9);
+ HOST_c2l(data, l);
+ X11 = l;
+ BODY_00_15(10, C, D, E, T, A, B, X10);
+ HOST_c2l(data, l);
+ X12 = l;
+ BODY_00_15(11, B, C, D, E, T, A, X11);
+ HOST_c2l(data, l);
+ X13 = l;
+ BODY_00_15(12, A, B, C, D, E, T, X12);
+ HOST_c2l(data, l);
+ X14 = l;
+ BODY_00_15(13, T, A, B, C, D, E, X13);
+ HOST_c2l(data, l);
+ X15 = l;
+ BODY_00_15(14, E, T, A, B, C, D, X14);
+ BODY_00_15(15, D, E, T, A, B, C, X15);
+ }
+
+ BODY_16_19(16, C, D, E, T, A, B, X0, X0, X2, X8, X13);
+ BODY_16_19(17, B, C, D, E, T, A, X1, X1, X3, X9, X14);
+ BODY_16_19(18, A, B, C, D, E, T, X2, X2, X4, X10, X15);
+ BODY_16_19(19, T, A, B, C, D, E, X3, X3, X5, X11, X0);
+
+ BODY_20_31(20, E, T, A, B, C, D, X4, X4, X6, X12, X1);
+ BODY_20_31(21, D, E, T, A, B, C, X5, X5, X7, X13, X2);
+ BODY_20_31(22, C, D, E, T, A, B, X6, X6, X8, X14, X3);
+ BODY_20_31(23, B, C, D, E, T, A, X7, X7, X9, X15, X4);
+ BODY_20_31(24, A, B, C, D, E, T, X8, X8, X10, X0, X5);
+ BODY_20_31(25, T, A, B, C, D, E, X9, X9, X11, X1, X6);
+ BODY_20_31(26, E, T, A, B, C, D, X10, X10, X12, X2, X7);
+ BODY_20_31(27, D, E, T, A, B, C, X11, X11, X13, X3, X8);
+ BODY_20_31(28, C, D, E, T, A, B, X12, X12, X14, X4, X9);
+ BODY_20_31(29, B, C, D, E, T, A, X13, X13, X15, X5, X10);
+ BODY_20_31(30, A, B, C, D, E, T, X14, X14, X0, X6, X11);
+ BODY_20_31(31, T, A, B, C, D, E, X15, X15, X1, X7, X12);
+
+ BODY_32_39(32, E, T, A, B, C, D, X0, X2, X8, X13);
+ BODY_32_39(33, D, E, T, A, B, C, X1, X3, X9, X14);
+ BODY_32_39(34, C, D, E, T, A, B, X2, X4, X10, X15);
+ BODY_32_39(35, B, C, D, E, T, A, X3, X5, X11, X0);
+ BODY_32_39(36, A, B, C, D, E, T, X4, X6, X12, X1);
+ BODY_32_39(37, T, A, B, C, D, E, X5, X7, X13, X2);
+ BODY_32_39(38, E, T, A, B, C, D, X6, X8, X14, X3);
+ BODY_32_39(39, D, E, T, A, B, C, X7, X9, X15, X4);
+
+ BODY_40_59(40, C, D, E, T, A, B, X8, X10, X0, X5);
+ BODY_40_59(41, B, C, D, E, T, A, X9, X11, X1, X6);
+ BODY_40_59(42, A, B, C, D, E, T, X10, X12, X2, X7);
+ BODY_40_59(43, T, A, B, C, D, E, X11, X13, X3, X8);
+ BODY_40_59(44, E, T, A, B, C, D, X12, X14, X4, X9);
+ BODY_40_59(45, D, E, T, A, B, C, X13, X15, X5, X10);
+ BODY_40_59(46, C, D, E, T, A, B, X14, X0, X6, X11);
+ BODY_40_59(47, B, C, D, E, T, A, X15, X1, X7, X12);
+ BODY_40_59(48, A, B, C, D, E, T, X0, X2, X8, X13);
+ BODY_40_59(49, T, A, B, C, D, E, X1, X3, X9, X14);
+ BODY_40_59(50, E, T, A, B, C, D, X2, X4, X10, X15);
+ BODY_40_59(51, D, E, T, A, B, C, X3, X5, X11, X0);
+ BODY_40_59(52, C, D, E, T, A, B, X4, X6, X12, X1);
+ BODY_40_59(53, B, C, D, E, T, A, X5, X7, X13, X2);
+ BODY_40_59(54, A, B, C, D, E, T, X6, X8, X14, X3);
+ BODY_40_59(55, T, A, B, C, D, E, X7, X9, X15, X4);
+ BODY_40_59(56, E, T, A, B, C, D, X8, X10, X0, X5);
+ BODY_40_59(57, D, E, T, A, B, C, X9, X11, X1, X6);
+ BODY_40_59(58, C, D, E, T, A, B, X10, X12, X2, X7);
+ BODY_40_59(59, B, C, D, E, T, A, X11, X13, X3, X8);
+
+ BODY_60_79(60, A, B, C, D, E, T, X12, X14, X4, X9);
+ BODY_60_79(61, T, A, B, C, D, E, X13, X15, X5, X10);
+ BODY_60_79(62, E, T, A, B, C, D, X14, X0, X6, X11);
+ BODY_60_79(63, D, E, T, A, B, C, X15, X1, X7, X12);
+ BODY_60_79(64, C, D, E, T, A, B, X0, X2, X8, X13);
+ BODY_60_79(65, B, C, D, E, T, A, X1, X3, X9, X14);
+ BODY_60_79(66, A, B, C, D, E, T, X2, X4, X10, X15);
+ BODY_60_79(67, T, A, B, C, D, E, X3, X5, X11, X0);
+ BODY_60_79(68, E, T, A, B, C, D, X4, X6, X12, X1);
+ BODY_60_79(69, D, E, T, A, B, C, X5, X7, X13, X2);
+ BODY_60_79(70, C, D, E, T, A, B, X6, X8, X14, X3);
+ BODY_60_79(71, B, C, D, E, T, A, X7, X9, X15, X4);
+ BODY_60_79(72, A, B, C, D, E, T, X8, X10, X0, X5);
+ BODY_60_79(73, T, A, B, C, D, E, X9, X11, X1, X6);
+ BODY_60_79(74, E, T, A, B, C, D, X10, X12, X2, X7);
+ BODY_60_79(75, D, E, T, A, B, C, X11, X13, X3, X8);
+ BODY_60_79(76, C, D, E, T, A, B, X12, X14, X4, X9);
+ BODY_60_79(77, B, C, D, E, T, A, X13, X15, X5, X10);
+ BODY_60_79(78, A, B, C, D, E, T, X14, X0, X6, X11);
+ BODY_60_79(79, T, A, B, C, D, E, X15, X1, X7, X12);
+
+ c->h0 = (c->h0 + E)&0xffffffffL;
+ c->h1 = (c->h1 + T)&0xffffffffL;
+ c->h2 = (c->h2 + A)&0xffffffffL;
+ c->h3 = (c->h3 + B)&0xffffffffL;
+ c->h4 = (c->h4 + C)&0xffffffffL;
+
+ if (--num == 0)
+ break;
+
+ A = c->h0;
+ B = c->h1;
+ C = c->h2;
+ D = c->h3;
+ E = c->h4;
+
+ }
+}
+#endif
+
+#else /* OPENSSL_SMALL_FOOTPRINT */
+
+#define BODY_00_15(xi) do { \
+ T=E+K_00_19+F_00_19(B, C, D); \
+ E=D, D=C, C=ROTATE(B,30), B=A; \
+ A=ROTATE(A,5)+T+xi; } while(0)
+
+#define BODY_16_19(xa, xb, xc, xd) do { \
+ Xupdate(T, xa, xa, xb, xc, xd); \
+ T+=E+K_00_19+F_00_19(B, C, D); \
+ E=D, D=C, C=ROTATE(B,30), B=A; \
+ A=ROTATE(A,5)+T; } while(0)
+
+#define BODY_20_39(xa, xb, xc, xd) do { \
+ Xupdate(T, xa, xa, xb, xc, xd); \
+ T+=E+K_20_39+F_20_39(B, C, D); \
+ E=D, D=C, C=ROTATE(B,30), B=A; \
+ A=ROTATE(A,5)+T; } while(0)
+
+#define BODY_40_59(xa, xb, xc, xd) do { \
+ Xupdate(T, xa, xa, xb, xc, xd); \
+ T+=E+K_40_59+F_40_59(B, C, D); \
+ E=D, D=C, C=ROTATE(B,30), B=A; \
+ A=ROTATE(A,5)+T; } while(0)
+
+#define BODY_60_79(xa, xb, xc, xd) do { \
+ Xupdate(T, xa, xa, xb, xc, xd); \
+ T=E+K_60_79+F_60_79(B, C, D); \
+ E=D, D=C, C=ROTATE(B,30), B=A; \
+ A=ROTATE(A,5)+T+xa; } while(0)
+
+#if !defined(SHA1_ASM)
+static void
+sha1_block_data_order(SHA_CTX *c, const void *p, size_t num)
+{
+ const unsigned char *data = p;
+ unsigned MD32_REG_T A, B, C, D, E, T, l;
+ int i;
+ SHA_LONG X[16];
+
+ A = c->h0;
+ B = c->h1;
+ C = c->h2;
+ D = c->h3;
+ E = c->h4;
+
+ for (;;) {
+ for (i = 0; i < 16; i++) {
+ HOST_c2l(data, l);
+ X[i] = l;
+ BODY_00_15(X[i]);
+ }
+ for (i = 0; i < 4; i++) {
+ BODY_16_19(X[i], X[i + 2], X[i + 8], X[(i + 13)&15]);
+ }
+ for (; i < 24; i++) {
+ BODY_20_39(X[i&15], X[(i + 2)&15], X[(i + 8)&15], X[(i + 13)&15]);
+ }
+ for (i = 0; i < 20; i++) {
+ BODY_40_59(X[(i + 8)&15], X[(i + 10)&15], X[i&15], X[(i + 5)&15]);
+ }
+ for (i = 4; i < 24; i++) {
+ BODY_60_79(X[(i + 8)&15], X[(i + 10)&15], X[i&15], X[(i + 5)&15]);
+ }
+
+ c->h0 = (c->h0 + A)&0xffffffffL;
+ c->h1 = (c->h1 + B)&0xffffffffL;
+ c->h2 = (c->h2 + C)&0xffffffffL;
+ c->h3 = (c->h3 + D)&0xffffffffL;
+ c->h4 = (c->h4 + E)&0xffffffffL;
+
+ if (--num == 0)
+ break;
+
+ A = c->h0;
+ B = c->h1;
+ C = c->h2;
+ D = c->h3;
+ E = c->h4;
+
+ }
+}
+#endif
+#endif
+
+unsigned char *
+SHA1(const unsigned char *d, size_t n, unsigned char *md)
+{
+ SHA_CTX c;
+ static unsigned char m[SHA_DIGEST_LENGTH];
+
+ if (md == NULL)
+ md = m;
+
+ if (!SHA1_Init(&c))
+ return NULL;
+ SHA1_Update(&c, d, n);
+ SHA1_Final(md, &c);
+
+ explicit_bzero(&c, sizeof(c));
+
+ return (md);
+}
+
+#endif
diff --git a/crypto/sha/sha1_one.c b/crypto/sha/sha1_one.c
deleted file mode 100644
index 91602ee..0000000
--- a/crypto/sha/sha1_one.c
+++ /dev/null
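Review bot: `SHA1()` at the end of the hunk returns a function-local `static unsigned char m[SHA_DIGEST_LENGTH]` whenever the caller passes `md == NULL`, so every caller that relies on that convenience shares one output buffer and a concurrent call can overwrite the digest before it is read; the behaviour is carried over unchanged from the deleted `sha1_one.c`, but the new file says nothing about it. I would add above the definition: `/* When md is NULL the digest is written to a static buffer shared by all callers; not thread-safe, so prefer a caller-owned buffer. */`. The result of `SHA1_Update(&c, d, n)` is also dropped while `SHA1_Init` is checked; if `SHA1_Update` can fail in this tree the call should be checked the same way, otherwise a one-line comment saying it cannot would spare the next reader the question.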
@@ -1,81 +0,0 @@
-/* $OpenBSD: sha1_one.c,v 1.12 2015/09/10 15:56:26 jsing Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include
-#include
-
-#include
-
-#include
-#include
-
-#ifndef OPENSSL_NO_SHA1
-unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
- {
- SHA_CTX c;
- static unsigned char m[SHA_DIGEST_LENGTH];
-
- if (md == NULL) md=m;
- if (!SHA1_Init(&c))
- return NULL;
- SHA1_Update(&c,d,n);
- SHA1_Final(md,&c);
- explicit_bzero(&c,sizeof(c));
- return(md);
- }
-#endif
diff --git a/crypto/sha/sha1dgst.c b/crypto/sha/sha1dgst.c
deleted file mode 100644
index 583d106..0000000
--- a/crypto/sha/sha1dgst.c
+++ /dev/null
@@ -1,72 +0,0 @@
-/* $OpenBSD: sha1dgst.c,v 1.14 2015/09/13 21:09:56 doug Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include
-
-#include
-
-#if !defined(OPENSSL_NO_SHA1) && !defined(OPENSSL_NO_SHA)
-
-#include
-
-/* The implementation is in ../md32_common.h */
-
-#include "sha_locl.h"
-
-#endif
-
diff --git a/crypto/sha/sha256-elf-x86_64.S b/crypto/sha/sha256-elf-x86_64.S
index 9eea6a7..b976181 100644
--- a/crypto/sha/sha256-elf-x86_64.S
+++ b/crypto/sha/sha256-elf-x86_64.S
@@ -5,6 +5,7 @@ .type sha256_block_data_order,@function .align 16 sha256_block_data_order: + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -1758,6 +1759,7 @@ sha256_block_data_order: .Lepilogue: retq .size sha256_block_data_order,.-sha256_block_data_order +.section .rodata .align 64 .type K256,@object K256: @@ -1777,6 +1779,7 @@ K256: .long 0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3 .long 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208 .long 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 +.text #if defined(HAVE_GNU_STACK) .section .note.GNU-stack,"",%progbits #endif diff --git a/crypto/sha/sha256-macosx-x86_64.S b/crypto/sha/sha256-macosx-x86_64.S index 4b468b7..1feaf63 100644 --- a/crypto/sha/sha256-macosx-x86_64.S +++ b/crypto/sha/sha256-macosx-x86_64.S @@ -5,6 +5,7 @@ .p2align 4 _sha256_block_data_order: + pushq %rbx pushq %rbp pushq %r12 @@ -1758,6 +1759,7 @@ L$rounds_16_xx: L$epilogue: retq +.section __DATA,__const .p2align 6 K256: @@ -1777,3 +1779,4 @@ K256: .long 0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3 .long 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208 .long 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 +.text diff --git a/crypto/sha/sha256-masm-x86_64.S b/crypto/sha/sha256-masm-x86_64.S index 7c182f9..9b9d92d 100644 --- a/crypto/sha/sha256-masm-x86_64.S +++ b/crypto/sha/sha256-masm-x86_64.S @@ -83,6 +83,7 @@ $L$SEH_begin_sha256_block_data_order:: mov rcx,r9 + endbr64 push rbx push rbp push r12 @@ -1839,6 +1840,8 @@ $L$epilogue:: DB 0F3h,0C3h ;repret $L$SEH_end_sha256_block_data_order:: sha256_block_data_order ENDP +.text$ ENDS +.rdata SEGMENT READONLY ALIGN(8) ALIGN 64 K256:: @@ -1858,6 +1861,8 @@ K256:: DD 0391c0cb3h,04ed8aa4ah,05b9cca4fh,0682e6ff3h DD 0748f82eeh,078a5636fh,084c87814h,08cc70208h DD 090befffah,0a4506cebh,0bef9a3f7h,0c67178f2h +.rdata ENDS +.text$ SEGMENT ALIGN(64) 'CODE' .text$ ENDS END diff --git a/crypto/sha/sha256-mingw64-x86_64.S b/crypto/sha/sha256-mingw64-x86_64.S index 3de981b..8001f7a 100644 --- a/crypto/sha/sha256-mingw64-x86_64.S 
+++ b/crypto/sha/sha256-mingw64-x86_64.S @@ -14,6 +14,7 @@ sha256_block_data_order: movq %r8,%rdx movq %r9,%rcx + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -1769,6 +1770,7 @@ sha256_block_data_order: movq 16(%rsp),%rsi retq .LSEH_end_sha256_block_data_order: +.section .rodata .p2align 6 K256: @@ -1788,3 +1790,4 @@ K256: .long 0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3 .long 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208 .long 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 +.text diff --git a/crypto/sha/sha256-mips.S b/crypto/sha/sha256-mips.S new file mode 100644 index 0000000..3070f55 --- /dev/null +++ b/crypto/sha/sha256-mips.S 
@@ -0,0 +1,1997 @@ +.text +.set noat +#if !defined(__vxworks) || defined(__pic__) +.option pic2 +#endif + +.align 5 +.globl sha256_block_data_order +.ent sha256_block_data_order +sha256_block_data_order: + .frame $29,128,$31 + .mask 3237937152,-4 + .set noreorder + .cpload $25 + sub $29,128 + sw $31,128-1*4($29) + sw $30,128-2*4($29) + sw $23,128-3*4($29) + sw $22,128-4*4($29) + sw $21,128-5*4($29) + sw $20,128-6*4($29) + sw $19,128-7*4($29) + sw $18,128-8*4($29) + sw $17,128-9*4($29) + sw $16,128-10*4($29) + sll $23,$6,6 + .set reorder + la $6,K256 # PIC-ified 'load address' + + lw $1,0*4($4) # load context + lw $2,1*4($4) + lw $3,2*4($4) + lw $7,3*4($4) + lw $24,4*4($4) + lw $25,5*4($4) + lw $30,6*4($4) + lw $31,7*4($4) + + add $23,$5 # pointer to the end of input + sw $23,16*4($29) + b .Loop + +.align 5 +.Loop: + lwl $8,3($5) + lwr $8,0($5) + lwl $9,7($5) + lwr $9,4($5) + srl $13,$8,24 # byte swap(0) + srl $14,$8,8 + andi $15,$8,0xFF00 + sll $8,$8,24 + andi $14,0xFF00 + sll $15,$15,8 + or $8,$13 + or $14,$15 + or $8,$14 + addu $12,$8,$31 # 0 + srl $31,$24,6 + xor $15,$25,$30 + sll $14,$24,7 + and $15,$24 + srl $13,$24,11 + xor $31,$14 + sll $14,$24,21 + xor $31,$13 + srl $13,$24,25 + xor $31,$14 + sll $14,$24,26 + xor $31,$13 + xor $15,$30 # Ch(e,f,g) + xor $13,$14,$31 # Sigma1(e) + + srl $31,$1,2 + addu $12,$15 + lw $15,0($6) # K[0] + sll $14,$1,10 + addu $12,$13 + srl $13,$1,13 + xor $31,$14 + sll $14,$1,19 + xor $31,$13 + srl $13,$1,22 + xor $31,$14 + sll $14,$1,30 + xor $31,$13 + sw $8,0($29) # offload to ring buffer + xor $31,$14 # Sigma0(a) + + or $13,$1,$2 + and $14,$1,$2 + and $13,$3 + or $14,$13 # Maj(a,b,c) + addu $12,$15 # +=K[0] + addu $31,$14 + + addu $7,$12 + addu $31,$12 + lwl $10,11($5) + lwr $10,8($5) + srl $14,$9,24 # byte swap(1) + srl $15,$9,8 + andi $16,$9,0xFF00 + sll $9,$9,24 + andi $15,0xFF00 + sll $16,$16,8 + or $9,$14 + or $15,$16 + or $9,$15 + addu $13,$9,$30 # 1 + srl $30,$7,6 + xor $16,$24,$25 + sll $15,$7,7 + and $16,$7 + srl 
$14,$7,11 + xor $30,$15 + sll $15,$7,21 + xor $30,$14 + srl $14,$7,25 + xor $30,$15 + sll $15,$7,26 + xor $30,$14 + xor $16,$25 # Ch(e,f,g) + xor $14,$15,$30 # Sigma1(e) + + srl $30,$31,2 + addu $13,$16 + lw $16,4($6) # K[1] + sll $15,$31,10 + addu $13,$14 + srl $14,$31,13 + xor $30,$15 + sll $15,$31,19 + xor $30,$14 + srl $14,$31,22 + xor $30,$15 + sll $15,$31,30 + xor $30,$14 + sw $9,4($29) # offload to ring buffer + xor $30,$15 # Sigma0(a) + + or $14,$31,$1 + and $15,$31,$1 + and $14,$2 + or $15,$14 # Maj(a,b,c) + addu $13,$16 # +=K[1] + addu $30,$15 + + addu $3,$13 + addu $30,$13 + lwl $11,15($5) + lwr $11,12($5) + srl $15,$10,24 # byte swap(2) + srl $16,$10,8 + andi $17,$10,0xFF00 + sll $10,$10,24 + andi $16,0xFF00 + sll $17,$17,8 + or $10,$15 + or $16,$17 + or $10,$16 + addu $14,$10,$25 # 2 + srl $25,$3,6 + xor $17,$7,$24 + sll $16,$3,7 + and $17,$3 + srl $15,$3,11 + xor $25,$16 + sll $16,$3,21 + xor $25,$15 + srl $15,$3,25 + xor $25,$16 + sll $16,$3,26 + xor $25,$15 + xor $17,$24 # Ch(e,f,g) + xor $15,$16,$25 # Sigma1(e) + + srl $25,$30,2 + addu $14,$17 + lw $17,8($6) # K[2] + sll $16,$30,10 + addu $14,$15 + srl $15,$30,13 + xor $25,$16 + sll $16,$30,19 + xor $25,$15 + srl $15,$30,22 + xor $25,$16 + sll $16,$30,30 + xor $25,$15 + sw $10,8($29) # offload to ring buffer + xor $25,$16 # Sigma0(a) + + or $15,$30,$31 + and $16,$30,$31 + and $15,$1 + or $16,$15 # Maj(a,b,c) + addu $14,$17 # +=K[2] + addu $25,$16 + + addu $2,$14 + addu $25,$14 + lwl $12,19($5) + lwr $12,16($5) + srl $16,$11,24 # byte swap(3) + srl $17,$11,8 + andi $18,$11,0xFF00 + sll $11,$11,24 + andi $17,0xFF00 + sll $18,$18,8 + or $11,$16 + or $17,$18 + or $11,$17 + addu $15,$11,$24 # 3 + srl $24,$2,6 + xor $18,$3,$7 + sll $17,$2,7 + and $18,$2 + srl $16,$2,11 + xor $24,$17 + sll $17,$2,21 + xor $24,$16 + srl $16,$2,25 + xor $24,$17 + sll $17,$2,26 + xor $24,$16 + xor $18,$7 # Ch(e,f,g) + xor $16,$17,$24 # Sigma1(e) + + srl $24,$25,2 + addu $15,$18 + lw $18,12($6) # K[3] + sll $17,$25,10 + addu 
$15,$16 + srl $16,$25,13 + xor $24,$17 + sll $17,$25,19 + xor $24,$16 + srl $16,$25,22 + xor $24,$17 + sll $17,$25,30 + xor $24,$16 + sw $11,12($29) # offload to ring buffer + xor $24,$17 # Sigma0(a) + + or $16,$25,$30 + and $17,$25,$30 + and $16,$31 + or $17,$16 # Maj(a,b,c) + addu $15,$18 # +=K[3] + addu $24,$17 + + addu $1,$15 + addu $24,$15 + lwl $13,23($5) + lwr $13,20($5) + srl $17,$12,24 # byte swap(4) + srl $18,$12,8 + andi $19,$12,0xFF00 + sll $12,$12,24 + andi $18,0xFF00 + sll $19,$19,8 + or $12,$17 + or $18,$19 + or $12,$18 + addu $16,$12,$7 # 4 + srl $7,$1,6 + xor $19,$2,$3 + sll $18,$1,7 + and $19,$1 + srl $17,$1,11 + xor $7,$18 + sll $18,$1,21 + xor $7,$17 + srl $17,$1,25 + xor $7,$18 + sll $18,$1,26 + xor $7,$17 + xor $19,$3 # Ch(e,f,g) + xor $17,$18,$7 # Sigma1(e) + + srl $7,$24,2 + addu $16,$19 + lw $19,16($6) # K[4] + sll $18,$24,10 + addu $16,$17 + srl $17,$24,13 + xor $7,$18 + sll $18,$24,19 + xor $7,$17 + srl $17,$24,22 + xor $7,$18 + sll $18,$24,30 + xor $7,$17 + sw $12,16($29) # offload to ring buffer + xor $7,$18 # Sigma0(a) + + or $17,$24,$25 + and $18,$24,$25 + and $17,$30 + or $18,$17 # Maj(a,b,c) + addu $16,$19 # +=K[4] + addu $7,$18 + + addu $31,$16 + addu $7,$16 + lwl $14,27($5) + lwr $14,24($5) + srl $18,$13,24 # byte swap(5) + srl $19,$13,8 + andi $20,$13,0xFF00 + sll $13,$13,24 + andi $19,0xFF00 + sll $20,$20,8 + or $13,$18 + or $19,$20 + or $13,$19 + addu $17,$13,$3 # 5 + srl $3,$31,6 + xor $20,$1,$2 + sll $19,$31,7 + and $20,$31 + srl $18,$31,11 + xor $3,$19 + sll $19,$31,21 + xor $3,$18 + srl $18,$31,25 + xor $3,$19 + sll $19,$31,26 + xor $3,$18 + xor $20,$2 # Ch(e,f,g) + xor $18,$19,$3 # Sigma1(e) + + srl $3,$7,2 + addu $17,$20 + lw $20,20($6) # K[5] + sll $19,$7,10 + addu $17,$18 + srl $18,$7,13 + xor $3,$19 + sll $19,$7,19 + xor $3,$18 + srl $18,$7,22 + xor $3,$19 + sll $19,$7,30 + xor $3,$18 + sw $13,20($29) # offload to ring buffer + xor $3,$19 # Sigma0(a) + + or $18,$7,$24 + and $19,$7,$24 + and $18,$25 + or $19,$18 # 
Maj(a,b,c) + addu $17,$20 # +=K[5] + addu $3,$19 + + addu $30,$17 + addu $3,$17 + lwl $15,31($5) + lwr $15,28($5) + srl $19,$14,24 # byte swap(6) + srl $20,$14,8 + andi $21,$14,0xFF00 + sll $14,$14,24 + andi $20,0xFF00 + sll $21,$21,8 + or $14,$19 + or $20,$21 + or $14,$20 + addu $18,$14,$2 # 6 + srl $2,$30,6 + xor $21,$31,$1 + sll $20,$30,7 + and $21,$30 + srl $19,$30,11 + xor $2,$20 + sll $20,$30,21 + xor $2,$19 + srl $19,$30,25 + xor $2,$20 + sll $20,$30,26 + xor $2,$19 + xor $21,$1 # Ch(e,f,g) + xor $19,$20,$2 # Sigma1(e) + + srl $2,$3,2 + addu $18,$21 + lw $21,24($6) # K[6] + sll $20,$3,10 + addu $18,$19 + srl $19,$3,13 + xor $2,$20 + sll $20,$3,19 + xor $2,$19 + srl $19,$3,22 + xor $2,$20 + sll $20,$3,30 + xor $2,$19 + sw $14,24($29) # offload to ring buffer + xor $2,$20 # Sigma0(a) + + or $19,$3,$7 + and $20,$3,$7 + and $19,$24 + or $20,$19 # Maj(a,b,c) + addu $18,$21 # +=K[6] + addu $2,$20 + + addu $25,$18 + addu $2,$18 + lwl $16,35($5) + lwr $16,32($5) + srl $20,$15,24 # byte swap(7) + srl $21,$15,8 + andi $22,$15,0xFF00 + sll $15,$15,24 + andi $21,0xFF00 + sll $22,$22,8 + or $15,$20 + or $21,$22 + or $15,$21 + addu $19,$15,$1 # 7 + srl $1,$25,6 + xor $22,$30,$31 + sll $21,$25,7 + and $22,$25 + srl $20,$25,11 + xor $1,$21 + sll $21,$25,21 + xor $1,$20 + srl $20,$25,25 + xor $1,$21 + sll $21,$25,26 + xor $1,$20 + xor $22,$31 # Ch(e,f,g) + xor $20,$21,$1 # Sigma1(e) + + srl $1,$2,2 + addu $19,$22 + lw $22,28($6) # K[7] + sll $21,$2,10 + addu $19,$20 + srl $20,$2,13 + xor $1,$21 + sll $21,$2,19 + xor $1,$20 + srl $20,$2,22 + xor $1,$21 + sll $21,$2,30 + xor $1,$20 + sw $15,28($29) # offload to ring buffer + xor $1,$21 # Sigma0(a) + + or $20,$2,$3 + and $21,$2,$3 + and $20,$7 + or $21,$20 # Maj(a,b,c) + addu $19,$22 # +=K[7] + addu $1,$21 + + addu $24,$19 + addu $1,$19 + lwl $17,39($5) + lwr $17,36($5) + srl $21,$16,24 # byte swap(8) + srl $22,$16,8 + andi $23,$16,0xFF00 + sll $16,$16,24 + andi $22,0xFF00 + sll $23,$23,8 + or $16,$21 + or $22,$23 + or $16,$22 
+ addu $20,$16,$31 # 8 + srl $31,$24,6 + xor $23,$25,$30 + sll $22,$24,7 + and $23,$24 + srl $21,$24,11 + xor $31,$22 + sll $22,$24,21 + xor $31,$21 + srl $21,$24,25 + xor $31,$22 + sll $22,$24,26 + xor $31,$21 + xor $23,$30 # Ch(e,f,g) + xor $21,$22,$31 # Sigma1(e) + + srl $31,$1,2 + addu $20,$23 + lw $23,32($6) # K[8] + sll $22,$1,10 + addu $20,$21 + srl $21,$1,13 + xor $31,$22 + sll $22,$1,19 + xor $31,$21 + srl $21,$1,22 + xor $31,$22 + sll $22,$1,30 + xor $31,$21 + sw $16,32($29) # offload to ring buffer + xor $31,$22 # Sigma0(a) + + or $21,$1,$2 + and $22,$1,$2 + and $21,$3 + or $22,$21 # Maj(a,b,c) + addu $20,$23 # +=K[8] + addu $31,$22 + + addu $7,$20 + addu $31,$20 + lwl $18,43($5) + lwr $18,40($5) + srl $22,$17,24 # byte swap(9) + srl $23,$17,8 + andi $8,$17,0xFF00 + sll $17,$17,24 + andi $23,0xFF00 + sll $8,$8,8 + or $17,$22 + or $23,$8 + or $17,$23 + addu $21,$17,$30 # 9 + srl $30,$7,6 + xor $8,$24,$25 + sll $23,$7,7 + and $8,$7 + srl $22,$7,11 + xor $30,$23 + sll $23,$7,21 + xor $30,$22 + srl $22,$7,25 + xor $30,$23 + sll $23,$7,26 + xor $30,$22 + xor $8,$25 # Ch(e,f,g) + xor $22,$23,$30 # Sigma1(e) + + srl $30,$31,2 + addu $21,$8 + lw $8,36($6) # K[9] + sll $23,$31,10 + addu $21,$22 + srl $22,$31,13 + xor $30,$23 + sll $23,$31,19 + xor $30,$22 + srl $22,$31,22 + xor $30,$23 + sll $23,$31,30 + xor $30,$22 + sw $17,36($29) # offload to ring buffer + xor $30,$23 # Sigma0(a) + + or $22,$31,$1 + and $23,$31,$1 + and $22,$2 + or $23,$22 # Maj(a,b,c) + addu $21,$8 # +=K[9] + addu $30,$23 + + addu $3,$21 + addu $30,$21 + lwl $19,47($5) + lwr $19,44($5) + srl $23,$18,24 # byte swap(10) + srl $8,$18,8 + andi $9,$18,0xFF00 + sll $18,$18,24 + andi $8,0xFF00 + sll $9,$9,8 + or $18,$23 + or $8,$9 + or $18,$8 + addu $22,$18,$25 # 10 + srl $25,$3,6 + xor $9,$7,$24 + sll $8,$3,7 + and $9,$3 + srl $23,$3,11 + xor $25,$8 + sll $8,$3,21 + xor $25,$23 + srl $23,$3,25 + xor $25,$8 + sll $8,$3,26 + xor $25,$23 + xor $9,$24 # Ch(e,f,g) + xor $23,$8,$25 # Sigma1(e) + + srl 
$25,$30,2 + addu $22,$9 + lw $9,40($6) # K[10] + sll $8,$30,10 + addu $22,$23 + srl $23,$30,13 + xor $25,$8 + sll $8,$30,19 + xor $25,$23 + srl $23,$30,22 + xor $25,$8 + sll $8,$30,30 + xor $25,$23 + sw $18,40($29) # offload to ring buffer + xor $25,$8 # Sigma0(a) + + or $23,$30,$31 + and $8,$30,$31 + and $23,$1 + or $8,$23 # Maj(a,b,c) + addu $22,$9 # +=K[10] + addu $25,$8 + + addu $2,$22 + addu $25,$22 + lwl $20,51($5) + lwr $20,48($5) + srl $8,$19,24 # byte swap(11) + srl $9,$19,8 + andi $10,$19,0xFF00 + sll $19,$19,24 + andi $9,0xFF00 + sll $10,$10,8 + or $19,$8 + or $9,$10 + or $19,$9 + addu $23,$19,$24 # 11 + srl $24,$2,6 + xor $10,$3,$7 + sll $9,$2,7 + and $10,$2 + srl $8,$2,11 + xor $24,$9 + sll $9,$2,21 + xor $24,$8 + srl $8,$2,25 + xor $24,$9 + sll $9,$2,26 + xor $24,$8 + xor $10,$7 # Ch(e,f,g) + xor $8,$9,$24 # Sigma1(e) + + srl $24,$25,2 + addu $23,$10 + lw $10,44($6) # K[11] + sll $9,$25,10 + addu $23,$8 + srl $8,$25,13 + xor $24,$9 + sll $9,$25,19 + xor $24,$8 + srl $8,$25,22 + xor $24,$9 + sll $9,$25,30 + xor $24,$8 + sw $19,44($29) # offload to ring buffer + xor $24,$9 # Sigma0(a) + + or $8,$25,$30 + and $9,$25,$30 + and $8,$31 + or $9,$8 # Maj(a,b,c) + addu $23,$10 # +=K[11] + addu $24,$9 + + addu $1,$23 + addu $24,$23 + lwl $21,55($5) + lwr $21,52($5) + srl $9,$20,24 # byte swap(12) + srl $10,$20,8 + andi $11,$20,0xFF00 + sll $20,$20,24 + andi $10,0xFF00 + sll $11,$11,8 + or $20,$9 + or $10,$11 + or $20,$10 + addu $8,$20,$7 # 12 + srl $7,$1,6 + xor $11,$2,$3 + sll $10,$1,7 + and $11,$1 + srl $9,$1,11 + xor $7,$10 + sll $10,$1,21 + xor $7,$9 + srl $9,$1,25 + xor $7,$10 + sll $10,$1,26 + xor $7,$9 + xor $11,$3 # Ch(e,f,g) + xor $9,$10,$7 # Sigma1(e) + + srl $7,$24,2 + addu $8,$11 + lw $11,48($6) # K[12] + sll $10,$24,10 + addu $8,$9 + srl $9,$24,13 + xor $7,$10 + sll $10,$24,19 + xor $7,$9 + srl $9,$24,22 + xor $7,$10 + sll $10,$24,30 + xor $7,$9 + sw $20,48($29) # offload to ring buffer + xor $7,$10 # Sigma0(a) + + or $9,$24,$25 + and $10,$24,$25 + 
and $9,$30 + or $10,$9 # Maj(a,b,c) + addu $8,$11 # +=K[12] + addu $7,$10 + + addu $31,$8 + addu $7,$8 + lwl $22,59($5) + lwr $22,56($5) + srl $10,$21,24 # byte swap(13) + srl $11,$21,8 + andi $12,$21,0xFF00 + sll $21,$21,24 + andi $11,0xFF00 + sll $12,$12,8 + or $21,$10 + or $11,$12 + or $21,$11 + addu $9,$21,$3 # 13 + srl $3,$31,6 + xor $12,$1,$2 + sll $11,$31,7 + and $12,$31 + srl $10,$31,11 + xor $3,$11 + sll $11,$31,21 + xor $3,$10 + srl $10,$31,25 + xor $3,$11 + sll $11,$31,26 + xor $3,$10 + xor $12,$2 # Ch(e,f,g) + xor $10,$11,$3 # Sigma1(e) + + srl $3,$7,2 + addu $9,$12 + lw $12,52($6) # K[13] + sll $11,$7,10 + addu $9,$10 + srl $10,$7,13 + xor $3,$11 + sll $11,$7,19 + xor $3,$10 + srl $10,$7,22 + xor $3,$11 + sll $11,$7,30 + xor $3,$10 + sw $21,52($29) # offload to ring buffer + xor $3,$11 # Sigma0(a) + + or $10,$7,$24 + and $11,$7,$24 + and $10,$25 + or $11,$10 # Maj(a,b,c) + addu $9,$12 # +=K[13] + addu $3,$11 + + addu $30,$9 + addu $3,$9 + lw $8,0($29) # prefetch from ring buffer + lwl $23,63($5) + lwr $23,60($5) + srl $11,$22,24 # byte swap(14) + srl $12,$22,8 + andi $13,$22,0xFF00 + sll $22,$22,24 + andi $12,0xFF00 + sll $13,$13,8 + or $22,$11 + or $12,$13 + or $22,$12 + addu $10,$22,$2 # 14 + srl $2,$30,6 + xor $13,$31,$1 + sll $12,$30,7 + and $13,$30 + srl $11,$30,11 + xor $2,$12 + sll $12,$30,21 + xor $2,$11 + srl $11,$30,25 + xor $2,$12 + sll $12,$30,26 + xor $2,$11 + xor $13,$1 # Ch(e,f,g) + xor $11,$12,$2 # Sigma1(e) + + srl $2,$3,2 + addu $10,$13 + lw $13,56($6) # K[14] + sll $12,$3,10 + addu $10,$11 + srl $11,$3,13 + xor $2,$12 + sll $12,$3,19 + xor $2,$11 + srl $11,$3,22 + xor $2,$12 + sll $12,$3,30 + xor $2,$11 + sw $22,56($29) # offload to ring buffer + xor $2,$12 # Sigma0(a) + + or $11,$3,$7 + and $12,$3,$7 + and $11,$24 + or $12,$11 # Maj(a,b,c) + addu $10,$13 # +=K[14] + addu $2,$12 + + addu $25,$10 + addu $2,$10 + lw $9,4($29) # prefetch from ring buffer + srl $12,$23,24 # byte swap(15) + srl $13,$23,8 + andi $14,$23,0xFF00 + sll 
$23,$23,24 + andi $13,0xFF00 + sll $14,$14,8 + or $23,$12 + or $13,$14 + or $23,$13 + addu $11,$23,$1 # 15 + srl $1,$25,6 + xor $14,$30,$31 + sll $13,$25,7 + and $14,$25 + srl $12,$25,11 + xor $1,$13 + sll $13,$25,21 + xor $1,$12 + srl $12,$25,25 + xor $1,$13 + sll $13,$25,26 + xor $1,$12 + xor $14,$31 # Ch(e,f,g) + xor $12,$13,$1 # Sigma1(e) + + srl $1,$2,2 + addu $11,$14 + lw $14,60($6) # K[15] + sll $13,$2,10 + addu $11,$12 + srl $12,$2,13 + xor $1,$13 + sll $13,$2,19 + xor $1,$12 + srl $12,$2,22 + xor $1,$13 + sll $13,$2,30 + xor $1,$12 + sw $23,60($29) # offload to ring buffer + xor $1,$13 # Sigma0(a) + + or $12,$2,$3 + and $13,$2,$3 + and $12,$7 + or $13,$12 # Maj(a,b,c) + addu $11,$14 # +=K[15] + addu $1,$13 + + addu $24,$11 + addu $1,$11 + lw $10,8($29) # prefetch from ring buffer + b .L16_xx +.align 4 +.L16_xx: + srl $14,$9,3 # Xupdate(16) + addu $8,$17 # +=X[i+9] + sll $13,$9,14 + srl $12,$9,7 + xor $14,$13 + sll $13,11 + xor $14,$12 + srl $12,$9,18 + xor $14,$13 + + srl $15,$22,10 + xor $14,$12 # sigma0(X[i+1]) + sll $13,$22,13 + addu $8,$14 + srl $12,$22,17 + xor $15,$13 + sll $13,2 + xor $15,$12 + srl $12,$22,19 + xor $15,$13 + + xor $15,$12 # sigma1(X[i+14]) + addu $8,$15 + addu $12,$8,$31 # 16 + srl $31,$24,6 + xor $15,$25,$30 + sll $14,$24,7 + and $15,$24 + srl $13,$24,11 + xor $31,$14 + sll $14,$24,21 + xor $31,$13 + srl $13,$24,25 + xor $31,$14 + sll $14,$24,26 + xor $31,$13 + xor $15,$30 # Ch(e,f,g) + xor $13,$14,$31 # Sigma1(e) + + srl $31,$1,2 + addu $12,$15 + lw $15,64($6) # K[16] + sll $14,$1,10 + addu $12,$13 + srl $13,$1,13 + xor $31,$14 + sll $14,$1,19 + xor $31,$13 + srl $13,$1,22 + xor $31,$14 + sll $14,$1,30 + xor $31,$13 + sw $8,0($29) # offload to ring buffer + xor $31,$14 # Sigma0(a) + + or $13,$1,$2 + and $14,$1,$2 + and $13,$3 + or $14,$13 # Maj(a,b,c) + addu $12,$15 # +=K[16] + addu $31,$14 + + addu $7,$12 + addu $31,$12 + lw $11,12($29) # prefetch from ring buffer + srl $15,$10,3 # Xupdate(17) + addu $9,$18 # +=X[i+9] + sll 
$14,$10,14 + srl $13,$10,7 + xor $15,$14 + sll $14,11 + xor $15,$13 + srl $13,$10,18 + xor $15,$14 + + srl $16,$23,10 + xor $15,$13 # sigma0(X[i+1]) + sll $14,$23,13 + addu $9,$15 + srl $13,$23,17 + xor $16,$14 + sll $14,2 + xor $16,$13 + srl $13,$23,19 + xor $16,$14 + + xor $16,$13 # sigma1(X[i+14]) + addu $9,$16 + addu $13,$9,$30 # 17 + srl $30,$7,6 + xor $16,$24,$25 + sll $15,$7,7 + and $16,$7 + srl $14,$7,11 + xor $30,$15 + sll $15,$7,21 + xor $30,$14 + srl $14,$7,25 + xor $30,$15 + sll $15,$7,26 + xor $30,$14 + xor $16,$25 # Ch(e,f,g) + xor $14,$15,$30 # Sigma1(e) + + srl $30,$31,2 + addu $13,$16 + lw $16,68($6) # K[17] + sll $15,$31,10 + addu $13,$14 + srl $14,$31,13 + xor $30,$15 + sll $15,$31,19 + xor $30,$14 + srl $14,$31,22 + xor $30,$15 + sll $15,$31,30 + xor $30,$14 + sw $9,4($29) # offload to ring buffer + xor $30,$15 # Sigma0(a) + + or $14,$31,$1 + and $15,$31,$1 + and $14,$2 + or $15,$14 # Maj(a,b,c) + addu $13,$16 # +=K[17] + addu $30,$15 + + addu $3,$13 + addu $30,$13 + lw $12,16($29) # prefetch from ring buffer + srl $16,$11,3 # Xupdate(18) + addu $10,$19 # +=X[i+9] + sll $15,$11,14 + srl $14,$11,7 + xor $16,$15 + sll $15,11 + xor $16,$14 + srl $14,$11,18 + xor $16,$15 + + srl $17,$8,10 + xor $16,$14 # sigma0(X[i+1]) + sll $15,$8,13 + addu $10,$16 + srl $14,$8,17 + xor $17,$15 + sll $15,2 + xor $17,$14 + srl $14,$8,19 + xor $17,$15 + + xor $17,$14 # sigma1(X[i+14]) + addu $10,$17 + addu $14,$10,$25 # 18 + srl $25,$3,6 + xor $17,$7,$24 + sll $16,$3,7 + and $17,$3 + srl $15,$3,11 + xor $25,$16 + sll $16,$3,21 + xor $25,$15 + srl $15,$3,25 + xor $25,$16 + sll $16,$3,26 + xor $25,$15 + xor $17,$24 # Ch(e,f,g) + xor $15,$16,$25 # Sigma1(e) + + srl $25,$30,2 + addu $14,$17 + lw $17,72($6) # K[18] + sll $16,$30,10 + addu $14,$15 + srl $15,$30,13 + xor $25,$16 + sll $16,$30,19 + xor $25,$15 + srl $15,$30,22 + xor $25,$16 + sll $16,$30,30 + xor $25,$15 + sw $10,8($29) # offload to ring buffer + xor $25,$16 # Sigma0(a) + + or $15,$30,$31 + and $16,$30,$31 + 
and $15,$1 + or $16,$15 # Maj(a,b,c) + addu $14,$17 # +=K[18] + addu $25,$16 + + addu $2,$14 + addu $25,$14 + lw $13,20($29) # prefetch from ring buffer + srl $17,$12,3 # Xupdate(19) + addu $11,$20 # +=X[i+9] + sll $16,$12,14 + srl $15,$12,7 + xor $17,$16 + sll $16,11 + xor $17,$15 + srl $15,$12,18 + xor $17,$16 + + srl $18,$9,10 + xor $17,$15 # sigma0(X[i+1]) + sll $16,$9,13 + addu $11,$17 + srl $15,$9,17 + xor $18,$16 + sll $16,2 + xor $18,$15 + srl $15,$9,19 + xor $18,$16 + + xor $18,$15 # sigma1(X[i+14]) + addu $11,$18 + addu $15,$11,$24 # 19 + srl $24,$2,6 + xor $18,$3,$7 + sll $17,$2,7 + and $18,$2 + srl $16,$2,11 + xor $24,$17 + sll $17,$2,21 + xor $24,$16 + srl $16,$2,25 + xor $24,$17 + sll $17,$2,26 + xor $24,$16 + xor $18,$7 # Ch(e,f,g) + xor $16,$17,$24 # Sigma1(e) + + srl $24,$25,2 + addu $15,$18 + lw $18,76($6) # K[19] + sll $17,$25,10 + addu $15,$16 + srl $16,$25,13 + xor $24,$17 + sll $17,$25,19 + xor $24,$16 + srl $16,$25,22 + xor $24,$17 + sll $17,$25,30 + xor $24,$16 + sw $11,12($29) # offload to ring buffer + xor $24,$17 # Sigma0(a) + + or $16,$25,$30 + and $17,$25,$30 + and $16,$31 + or $17,$16 # Maj(a,b,c) + addu $15,$18 # +=K[19] + addu $24,$17 + + addu $1,$15 + addu $24,$15 + lw $14,24($29) # prefetch from ring buffer + srl $18,$13,3 # Xupdate(20) + addu $12,$21 # +=X[i+9] + sll $17,$13,14 + srl $16,$13,7 + xor $18,$17 + sll $17,11 + xor $18,$16 + srl $16,$13,18 + xor $18,$17 + + srl $19,$10,10 + xor $18,$16 # sigma0(X[i+1]) + sll $17,$10,13 + addu $12,$18 + srl $16,$10,17 + xor $19,$17 + sll $17,2 + xor $19,$16 + srl $16,$10,19 + xor $19,$17 + + xor $19,$16 # sigma1(X[i+14]) + addu $12,$19 + addu $16,$12,$7 # 20 + srl $7,$1,6 + xor $19,$2,$3 + sll $18,$1,7 + and $19,$1 + srl $17,$1,11 + xor $7,$18 + sll $18,$1,21 + xor $7,$17 + srl $17,$1,25 + xor $7,$18 + sll $18,$1,26 + xor $7,$17 + xor $19,$3 # Ch(e,f,g) + xor $17,$18,$7 # Sigma1(e) + + srl $7,$24,2 + addu $16,$19 + lw $19,80($6) # K[20] + sll $18,$24,10 + addu $16,$17 + srl $17,$24,13 + 
xor $7,$18 + sll $18,$24,19 + xor $7,$17 + srl $17,$24,22 + xor $7,$18 + sll $18,$24,30 + xor $7,$17 + sw $12,16($29) # offload to ring buffer + xor $7,$18 # Sigma0(a) + + or $17,$24,$25 + and $18,$24,$25 + and $17,$30 + or $18,$17 # Maj(a,b,c) + addu $16,$19 # +=K[20] + addu $7,$18 + + addu $31,$16 + addu $7,$16 + lw $15,28($29) # prefetch from ring buffer + srl $19,$14,3 # Xupdate(21) + addu $13,$22 # +=X[i+9] + sll $18,$14,14 + srl $17,$14,7 + xor $19,$18 + sll $18,11 + xor $19,$17 + srl $17,$14,18 + xor $19,$18 + + srl $20,$11,10 + xor $19,$17 # sigma0(X[i+1]) + sll $18,$11,13 + addu $13,$19 + srl $17,$11,17 + xor $20,$18 + sll $18,2 + xor $20,$17 + srl $17,$11,19 + xor $20,$18 + + xor $20,$17 # sigma1(X[i+14]) + addu $13,$20 + addu $17,$13,$3 # 21 + srl $3,$31,6 + xor $20,$1,$2 + sll $19,$31,7 + and $20,$31 + srl $18,$31,11 + xor $3,$19 + sll $19,$31,21 + xor $3,$18 + srl $18,$31,25 + xor $3,$19 + sll $19,$31,26 + xor $3,$18 + xor $20,$2 # Ch(e,f,g) + xor $18,$19,$3 # Sigma1(e) + + srl $3,$7,2 + addu $17,$20 + lw $20,84($6) # K[21] + sll $19,$7,10 + addu $17,$18 + srl $18,$7,13 + xor $3,$19 + sll $19,$7,19 + xor $3,$18 + srl $18,$7,22 + xor $3,$19 + sll $19,$7,30 + xor $3,$18 + sw $13,20($29) # offload to ring buffer + xor $3,$19 # Sigma0(a) + + or $18,$7,$24 + and $19,$7,$24 + and $18,$25 + or $19,$18 # Maj(a,b,c) + addu $17,$20 # +=K[21] + addu $3,$19 + + addu $30,$17 + addu $3,$17 + lw $16,32($29) # prefetch from ring buffer + srl $20,$15,3 # Xupdate(22) + addu $14,$23 # +=X[i+9] + sll $19,$15,14 + srl $18,$15,7 + xor $20,$19 + sll $19,11 + xor $20,$18 + srl $18,$15,18 + xor $20,$19 + + srl $21,$12,10 + xor $20,$18 # sigma0(X[i+1]) + sll $19,$12,13 + addu $14,$20 + srl $18,$12,17 + xor $21,$19 + sll $19,2 + xor $21,$18 + srl $18,$12,19 + xor $21,$19 + + xor $21,$18 # sigma1(X[i+14]) + addu $14,$21 + addu $18,$14,$2 # 22 + srl $2,$30,6 + xor $21,$31,$1 + sll $20,$30,7 + and $21,$30 + srl $19,$30,11 + xor $2,$20 + sll $20,$30,21 + xor $2,$19 + srl $19,$30,25 
+ xor $2,$20 + sll $20,$30,26 + xor $2,$19 + xor $21,$1 # Ch(e,f,g) + xor $19,$20,$2 # Sigma1(e) + + srl $2,$3,2 + addu $18,$21 + lw $21,88($6) # K[22] + sll $20,$3,10 + addu $18,$19 + srl $19,$3,13 + xor $2,$20 + sll $20,$3,19 + xor $2,$19 + srl $19,$3,22 + xor $2,$20 + sll $20,$3,30 + xor $2,$19 + sw $14,24($29) # offload to ring buffer + xor $2,$20 # Sigma0(a) + + or $19,$3,$7 + and $20,$3,$7 + and $19,$24 + or $20,$19 # Maj(a,b,c) + addu $18,$21 # +=K[22] + addu $2,$20 + + addu $25,$18 + addu $2,$18 + lw $17,36($29) # prefetch from ring buffer + srl $21,$16,3 # Xupdate(23) + addu $15,$8 # +=X[i+9] + sll $20,$16,14 + srl $19,$16,7 + xor $21,$20 + sll $20,11 + xor $21,$19 + srl $19,$16,18 + xor $21,$20 + + srl $22,$13,10 + xor $21,$19 # sigma0(X[i+1]) + sll $20,$13,13 + addu $15,$21 + srl $19,$13,17 + xor $22,$20 + sll $20,2 + xor $22,$19 + srl $19,$13,19 + xor $22,$20 + + xor $22,$19 # sigma1(X[i+14]) + addu $15,$22 + addu $19,$15,$1 # 23 + srl $1,$25,6 + xor $22,$30,$31 + sll $21,$25,7 + and $22,$25 + srl $20,$25,11 + xor $1,$21 + sll $21,$25,21 + xor $1,$20 + srl $20,$25,25 + xor $1,$21 + sll $21,$25,26 + xor $1,$20 + xor $22,$31 # Ch(e,f,g) + xor $20,$21,$1 # Sigma1(e) + + srl $1,$2,2 + addu $19,$22 + lw $22,92($6) # K[23] + sll $21,$2,10 + addu $19,$20 + srl $20,$2,13 + xor $1,$21 + sll $21,$2,19 + xor $1,$20 + srl $20,$2,22 + xor $1,$21 + sll $21,$2,30 + xor $1,$20 + sw $15,28($29) # offload to ring buffer + xor $1,$21 # Sigma0(a) + + or $20,$2,$3 + and $21,$2,$3 + and $20,$7 + or $21,$20 # Maj(a,b,c) + addu $19,$22 # +=K[23] + addu $1,$21 + + addu $24,$19 + addu $1,$19 + lw $18,40($29) # prefetch from ring buffer + srl $22,$17,3 # Xupdate(24) + addu $16,$9 # +=X[i+9] + sll $21,$17,14 + srl $20,$17,7 + xor $22,$21 + sll $21,11 + xor $22,$20 + srl $20,$17,18 + xor $22,$21 + + srl $23,$14,10 + xor $22,$20 # sigma0(X[i+1]) + sll $21,$14,13 + addu $16,$22 + srl $20,$14,17 + xor $23,$21 + sll $21,2 + xor $23,$20 + srl $20,$14,19 + xor $23,$21 + + xor $23,$20 # 
sigma1(X[i+14]) + addu $16,$23 + addu $20,$16,$31 # 24 + srl $31,$24,6 + xor $23,$25,$30 + sll $22,$24,7 + and $23,$24 + srl $21,$24,11 + xor $31,$22 + sll $22,$24,21 + xor $31,$21 + srl $21,$24,25 + xor $31,$22 + sll $22,$24,26 + xor $31,$21 + xor $23,$30 # Ch(e,f,g) + xor $21,$22,$31 # Sigma1(e) + + srl $31,$1,2 + addu $20,$23 + lw $23,96($6) # K[24] + sll $22,$1,10 + addu $20,$21 + srl $21,$1,13 + xor $31,$22 + sll $22,$1,19 + xor $31,$21 + srl $21,$1,22 + xor $31,$22 + sll $22,$1,30 + xor $31,$21 + sw $16,32($29) # offload to ring buffer + xor $31,$22 # Sigma0(a) + + or $21,$1,$2 + and $22,$1,$2 + and $21,$3 + or $22,$21 # Maj(a,b,c) + addu $20,$23 # +=K[24] + addu $31,$22 + + addu $7,$20 + addu $31,$20 + lw $19,44($29) # prefetch from ring buffer + srl $23,$18,3 # Xupdate(25) + addu $17,$10 # +=X[i+9] + sll $22,$18,14 + srl $21,$18,7 + xor $23,$22 + sll $22,11 + xor $23,$21 + srl $21,$18,18 + xor $23,$22 + + srl $8,$15,10 + xor $23,$21 # sigma0(X[i+1]) + sll $22,$15,13 + addu $17,$23 + srl $21,$15,17 + xor $8,$22 + sll $22,2 + xor $8,$21 + srl $21,$15,19 + xor $8,$22 + + xor $8,$21 # sigma1(X[i+14]) + addu $17,$8 + addu $21,$17,$30 # 25 + srl $30,$7,6 + xor $8,$24,$25 + sll $23,$7,7 + and $8,$7 + srl $22,$7,11 + xor $30,$23 + sll $23,$7,21 + xor $30,$22 + srl $22,$7,25 + xor $30,$23 + sll $23,$7,26 + xor $30,$22 + xor $8,$25 # Ch(e,f,g) + xor $22,$23,$30 # Sigma1(e) + + srl $30,$31,2 + addu $21,$8 + lw $8,100($6) # K[25] + sll $23,$31,10 + addu $21,$22 + srl $22,$31,13 + xor $30,$23 + sll $23,$31,19 + xor $30,$22 + srl $22,$31,22 + xor $30,$23 + sll $23,$31,30 + xor $30,$22 + sw $17,36($29) # offload to ring buffer + xor $30,$23 # Sigma0(a) + + or $22,$31,$1 + and $23,$31,$1 + and $22,$2 + or $23,$22 # Maj(a,b,c) + addu $21,$8 # +=K[25] + addu $30,$23 + + addu $3,$21 + addu $30,$21 + lw $20,48($29) # prefetch from ring buffer + srl $8,$19,3 # Xupdate(26) + addu $18,$11 # +=X[i+9] + sll $23,$19,14 + srl $22,$19,7 + xor $8,$23 + sll $23,11 + xor $8,$22 + srl 
$22,$19,18 + xor $8,$23 + + srl $9,$16,10 + xor $8,$22 # sigma0(X[i+1]) + sll $23,$16,13 + addu $18,$8 + srl $22,$16,17 + xor $9,$23 + sll $23,2 + xor $9,$22 + srl $22,$16,19 + xor $9,$23 + + xor $9,$22 # sigma1(X[i+14]) + addu $18,$9 + addu $22,$18,$25 # 26 + srl $25,$3,6 + xor $9,$7,$24 + sll $8,$3,7 + and $9,$3 + srl $23,$3,11 + xor $25,$8 + sll $8,$3,21 + xor $25,$23 + srl $23,$3,25 + xor $25,$8 + sll $8,$3,26 + xor $25,$23 + xor $9,$24 # Ch(e,f,g) + xor $23,$8,$25 # Sigma1(e) + + srl $25,$30,2 + addu $22,$9 + lw $9,104($6) # K[26] + sll $8,$30,10 + addu $22,$23 + srl $23,$30,13 + xor $25,$8 + sll $8,$30,19 + xor $25,$23 + srl $23,$30,22 + xor $25,$8 + sll $8,$30,30 + xor $25,$23 + sw $18,40($29) # offload to ring buffer + xor $25,$8 # Sigma0(a) + + or $23,$30,$31 + and $8,$30,$31 + and $23,$1 + or $8,$23 # Maj(a,b,c) + addu $22,$9 # +=K[26] + addu $25,$8 + + addu $2,$22 + addu $25,$22 + lw $21,52($29) # prefetch from ring buffer + srl $9,$20,3 # Xupdate(27) + addu $19,$12 # +=X[i+9] + sll $8,$20,14 + srl $23,$20,7 + xor $9,$8 + sll $8,11 + xor $9,$23 + srl $23,$20,18 + xor $9,$8 + + srl $10,$17,10 + xor $9,$23 # sigma0(X[i+1]) + sll $8,$17,13 + addu $19,$9 + srl $23,$17,17 + xor $10,$8 + sll $8,2 + xor $10,$23 + srl $23,$17,19 + xor $10,$8 + + xor $10,$23 # sigma1(X[i+14]) + addu $19,$10 + addu $23,$19,$24 # 27 + srl $24,$2,6 + xor $10,$3,$7 + sll $9,$2,7 + and $10,$2 + srl $8,$2,11 + xor $24,$9 + sll $9,$2,21 + xor $24,$8 + srl $8,$2,25 + xor $24,$9 + sll $9,$2,26 + xor $24,$8 + xor $10,$7 # Ch(e,f,g) + xor $8,$9,$24 # Sigma1(e) + + srl $24,$25,2 + addu $23,$10 + lw $10,108($6) # K[27] + sll $9,$25,10 + addu $23,$8 + srl $8,$25,13 + xor $24,$9 + sll $9,$25,19 + xor $24,$8 + srl $8,$25,22 + xor $24,$9 + sll $9,$25,30 + xor $24,$8 + sw $19,44($29) # offload to ring buffer + xor $24,$9 # Sigma0(a) + + or $8,$25,$30 + and $9,$25,$30 + and $8,$31 + or $9,$8 # Maj(a,b,c) + addu $23,$10 # +=K[27] + addu $24,$9 + + addu $1,$23 + addu $24,$23 + lw $22,56($29) # 
prefetch from ring buffer + srl $10,$21,3 # Xupdate(28) + addu $20,$13 # +=X[i+9] + sll $9,$21,14 + srl $8,$21,7 + xor $10,$9 + sll $9,11 + xor $10,$8 + srl $8,$21,18 + xor $10,$9 + + srl $11,$18,10 + xor $10,$8 # sigma0(X[i+1]) + sll $9,$18,13 + addu $20,$10 + srl $8,$18,17 + xor $11,$9 + sll $9,2 + xor $11,$8 + srl $8,$18,19 + xor $11,$9 + + xor $11,$8 # sigma1(X[i+14]) + addu $20,$11 + addu $8,$20,$7 # 28 + srl $7,$1,6 + xor $11,$2,$3 + sll $10,$1,7 + and $11,$1 + srl $9,$1,11 + xor $7,$10 + sll $10,$1,21 + xor $7,$9 + srl $9,$1,25 + xor $7,$10 + sll $10,$1,26 + xor $7,$9 + xor $11,$3 # Ch(e,f,g) + xor $9,$10,$7 # Sigma1(e) + + srl $7,$24,2 + addu $8,$11 + lw $11,112($6) # K[28] + sll $10,$24,10 + addu $8,$9 + srl $9,$24,13 + xor $7,$10 + sll $10,$24,19 + xor $7,$9 + srl $9,$24,22 + xor $7,$10 + sll $10,$24,30 + xor $7,$9 + sw $20,48($29) # offload to ring buffer + xor $7,$10 # Sigma0(a) + + or $9,$24,$25 + and $10,$24,$25 + and $9,$30 + or $10,$9 # Maj(a,b,c) + addu $8,$11 # +=K[28] + addu $7,$10 + + addu $31,$8 + addu $7,$8 + lw $23,60($29) # prefetch from ring buffer + srl $11,$22,3 # Xupdate(29) + addu $21,$14 # +=X[i+9] + sll $10,$22,14 + srl $9,$22,7 + xor $11,$10 + sll $10,11 + xor $11,$9 + srl $9,$22,18 + xor $11,$10 + + srl $12,$19,10 + xor $11,$9 # sigma0(X[i+1]) + sll $10,$19,13 + addu $21,$11 + srl $9,$19,17 + xor $12,$10 + sll $10,2 + xor $12,$9 + srl $9,$19,19 + xor $12,$10 + + xor $12,$9 # sigma1(X[i+14]) + addu $21,$12 + addu $9,$21,$3 # 29 + srl $3,$31,6 + xor $12,$1,$2 + sll $11,$31,7 + and $12,$31 + srl $10,$31,11 + xor $3,$11 + sll $11,$31,21 + xor $3,$10 + srl $10,$31,25 + xor $3,$11 + sll $11,$31,26 + xor $3,$10 + xor $12,$2 # Ch(e,f,g) + xor $10,$11,$3 # Sigma1(e) + + srl $3,$7,2 + addu $9,$12 + lw $12,116($6) # K[29] + sll $11,$7,10 + addu $9,$10 + srl $10,$7,13 + xor $3,$11 + sll $11,$7,19 + xor $3,$10 + srl $10,$7,22 + xor $3,$11 + sll $11,$7,30 + xor $3,$10 + sw $21,52($29) # offload to ring buffer + xor $3,$11 # Sigma0(a) + + or 
$10,$7,$24 + and $11,$7,$24 + and $10,$25 + or $11,$10 # Maj(a,b,c) + addu $9,$12 # +=K[29] + addu $3,$11 + + addu $30,$9 + addu $3,$9 + lw $8,0($29) # prefetch from ring buffer + srl $12,$23,3 # Xupdate(30) + addu $22,$15 # +=X[i+9] + sll $11,$23,14 + srl $10,$23,7 + xor $12,$11 + sll $11,11 + xor $12,$10 + srl $10,$23,18 + xor $12,$11 + + srl $13,$20,10 + xor $12,$10 # sigma0(X[i+1]) + sll $11,$20,13 + addu $22,$12 + srl $10,$20,17 + xor $13,$11 + sll $11,2 + xor $13,$10 + srl $10,$20,19 + xor $13,$11 + + xor $13,$10 # sigma1(X[i+14]) + addu $22,$13 + addu $10,$22,$2 # 30 + srl $2,$30,6 + xor $13,$31,$1 + sll $12,$30,7 + and $13,$30 + srl $11,$30,11 + xor $2,$12 + sll $12,$30,21 + xor $2,$11 + srl $11,$30,25 + xor $2,$12 + sll $12,$30,26 + xor $2,$11 + xor $13,$1 # Ch(e,f,g) + xor $11,$12,$2 # Sigma1(e) + + srl $2,$3,2 + addu $10,$13 + lw $13,120($6) # K[30] + sll $12,$3,10 + addu $10,$11 + srl $11,$3,13 + xor $2,$12 + sll $12,$3,19 + xor $2,$11 + srl $11,$3,22 + xor $2,$12 + sll $12,$3,30 + xor $2,$11 + sw $22,56($29) # offload to ring buffer + xor $2,$12 # Sigma0(a) + + or $11,$3,$7 + and $12,$3,$7 + and $11,$24 + or $12,$11 # Maj(a,b,c) + addu $10,$13 # +=K[30] + addu $2,$12 + + addu $25,$10 + addu $2,$10 + lw $9,4($29) # prefetch from ring buffer + srl $13,$8,3 # Xupdate(31) + addu $23,$16 # +=X[i+9] + sll $12,$8,14 + srl $11,$8,7 + xor $13,$12 + sll $12,11 + xor $13,$11 + srl $11,$8,18 + xor $13,$12 + + srl $14,$21,10 + xor $13,$11 # sigma0(X[i+1]) + sll $12,$21,13 + addu $23,$13 + srl $11,$21,17 + xor $14,$12 + sll $12,2 + xor $14,$11 + srl $11,$21,19 + xor $14,$12 + + xor $14,$11 # sigma1(X[i+14]) + addu $23,$14 + addu $11,$23,$1 # 31 + srl $1,$25,6 + xor $14,$30,$31 + sll $13,$25,7 + and $14,$25 + srl $12,$25,11 + xor $1,$13 + sll $13,$25,21 + xor $1,$12 + srl $12,$25,25 + xor $1,$13 + sll $13,$25,26 + xor $1,$12 + xor $14,$31 # Ch(e,f,g) + xor $12,$13,$1 # Sigma1(e) + + srl $1,$2,2 + addu $11,$14 + lw $14,124($6) # K[31] + sll $13,$2,10 + addu $11,$12 + 
srl $12,$2,13 + xor $1,$13 + sll $13,$2,19 + xor $1,$12 + srl $12,$2,22 + xor $1,$13 + sll $13,$2,30 + xor $1,$12 + sw $23,60($29) # offload to ring buffer + xor $1,$13 # Sigma0(a) + + or $12,$2,$3 + and $13,$2,$3 + and $12,$7 + or $13,$12 # Maj(a,b,c) + addu $11,$14 # +=K[31] + addu $1,$13 + + addu $24,$11 + addu $1,$11 + lw $10,8($29) # prefetch from ring buffer + and $14,0xfff + li $15,2290 + .set noreorder + bne $14,$15,.L16_xx + add $6,16*4 # Ktbl+=16 + + lw $23,16*4($29) # restore pointer to the end of input + lw $8,0*4($4) + lw $9,1*4($4) + lw $10,2*4($4) + add $5,16*4 + lw $11,3*4($4) + addu $1,$8 + lw $12,4*4($4) + addu $2,$9 + lw $13,5*4($4) + addu $3,$10 + lw $14,6*4($4) + addu $7,$11 + lw $15,7*4($4) + addu $24,$12 + sw $1,0*4($4) + addu $25,$13 + sw $2,1*4($4) + addu $30,$14 + sw $3,2*4($4) + addu $31,$15 + sw $7,3*4($4) + sw $24,4*4($4) + sw $25,5*4($4) + sw $30,6*4($4) + sw $31,7*4($4) + + bne $5,$23,.Loop + sub $6,192 # rewind $6 + + lw $31,128-1*4($29) + lw $30,128-2*4($29) + lw $23,128-3*4($29) + lw $22,128-4*4($29) + lw $21,128-5*4($29) + lw $20,128-6*4($29) + lw $19,128-7*4($29) + lw $18,128-8*4($29) + lw $17,128-9*4($29) + lw $16,128-10*4($29) + jr $31 + add $29,128 +.end sha256_block_data_order + +.rdata +.align 5 +K256: + .word 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5 + .word 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5 + .word 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3 + .word 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174 + .word 0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc + .word 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da + .word 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7 + .word 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967 + .word 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13 + .word 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85 + .word 0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3 + .word 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070 + .word 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5 + .word 0x391c0cb3, 
0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3 + .word 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208 + .word 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2 +.asciiz "SHA256 for MIPS, CRYPTOGAMS by " +.align 5 + +#if defined(HAVE_GNU_STACK) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/sha/sha256.c b/crypto/sha/sha256.c index e826ca9..6c58321 100644 --- a/crypto/sha/sha256.c +++ b/crypto/sha/sha256.c 
@@ -1,8 +1,55 @@ -/* $OpenBSD: sha256.c,v 1.11 2021/11/09 18:40:21 bcook Exp $ */ +/* $OpenBSD: sha256.c,v 1.15 2023/03/29 05:34:01 jsing Exp $ */ /* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved - * according to the OpenSSL license [found in ../../LICENSE]. + * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). */ #include 
@@ -17,58 +64,91 @@ #include #include -int SHA224_Init(SHA256_CTX *c) - { - memset (c,0,sizeof(*c)); - c->h[0]=0xc1059ed8UL; c->h[1]=0x367cd507UL; - c->h[2]=0x3070dd17UL; c->h[3]=0xf70e5939UL; - c->h[4]=0xffc00b31UL; c->h[5]=0x68581511UL; - c->h[6]=0x64f98fa7UL; c->h[7]=0xbefa4fa4UL; - c->md_len=SHA224_DIGEST_LENGTH; - return 1; - } +int +SHA224_Init(SHA256_CTX *c) +{ + memset (c, 0, sizeof(*c)); -int SHA256_Init(SHA256_CTX *c) - { - memset (c,0,sizeof(*c)); - c->h[0]=0x6a09e667UL; c->h[1]=0xbb67ae85UL; - c->h[2]=0x3c6ef372UL; c->h[3]=0xa54ff53aUL; - c->h[4]=0x510e527fUL; c->h[5]=0x9b05688cUL; - c->h[6]=0x1f83d9abUL; c->h[7]=0x5be0cd19UL; - c->md_len=SHA256_DIGEST_LENGTH; - return 1; - } + c->h[0] = 0xc1059ed8UL; + c->h[1] = 0x367cd507UL; + c->h[2] = 0x3070dd17UL; + c->h[3] = 0xf70e5939UL; + c->h[4] = 0xffc00b31UL; + c->h[5] = 0x68581511UL; + c->h[6] = 0x64f98fa7UL; + c->h[7] = 0xbefa4fa4UL; -unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md) - { + c->md_len = SHA224_DIGEST_LENGTH; + + return 1; +} + +int +SHA256_Init(SHA256_CTX *c) +{ + memset (c, 0, sizeof(*c)); + + c->h[0] = 0x6a09e667UL; + c->h[1] = 0xbb67ae85UL; + c->h[2] = 0x3c6ef372UL; + c->h[3] = 0xa54ff53aUL; + c->h[4] = 0x510e527fUL; + c->h[5] = 0x9b05688cUL; + c->h[6] = 0x1f83d9abUL; + c->h[7] = 0x5be0cd19UL; + + c->md_len = SHA256_DIGEST_LENGTH; + + return 1; +} + +unsigned char * +SHA224(const unsigned char *d, size_t n, unsigned char *md) +{ SHA256_CTX c; static unsigned char m[SHA224_DIGEST_LENGTH]; - if (md == NULL) md=m; - SHA224_Init(&c); - SHA256_Update(&c,d,n); - SHA256_Final(md,&c); - explicit_bzero(&c,sizeof(c)); - return(md); - } + if (md == NULL) + md = m; -unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md) - { + SHA224_Init(&c); + SHA256_Update(&c, d, n); + SHA256_Final(md, &c); + + explicit_bzero(&c, sizeof(c)); + + return (md); +} + +unsigned char * +SHA256(const unsigned char *d, size_t n, unsigned char *md) +{ SHA256_CTX c; static unsigned 
char m[SHA256_DIGEST_LENGTH]; - if (md == NULL) md=m; - SHA256_Init(&c); - SHA256_Update(&c,d,n); - SHA256_Final(md,&c); - explicit_bzero(&c,sizeof(c)); - return(md); - } + if (md == NULL) + md = m; -int SHA224_Update(SHA256_CTX *c, const void *data, size_t len) -{ return SHA256_Update (c,data,len); } -int SHA224_Final (unsigned char *md, SHA256_CTX *c) -{ return SHA256_Final (md,c); } + SHA256_Init(&c); + SHA256_Update(&c, d, n); + SHA256_Final(md, &c); + + explicit_bzero(&c, sizeof(c)); + + return (md); +} + +int +SHA224_Update(SHA256_CTX *c, const void *data, size_t len) +{ + return SHA256_Update(c, data, len); +} + +int +SHA224_Final(unsigned char *md, SHA256_CTX *c) +{ + return SHA256_Final(md, c); +} #define DATA_ORDER_IS_BIG_ENDIAN @@ -83,7 +163,7 @@ int SHA224_Final (unsigned char *md, SHA256_CTX *c) * Idea behind separate cases for pre-defined lengths is to let the * compiler decide if it's appropriate to unroll small loops. */ -#define HASH_MAKE_STRING(c,s) do { \ +#define HASH_MAKE_STRING(c, s) do { \ unsigned long ll; \ unsigned int nn; \ switch ((c)->md_len) \ 
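Review bot: In the restyled SHA224() and SHA256(), the `md == NULL` fallback still hands back a pointer into a function-scope `static unsigned char m[...]`, so concurrent callers that omit an output buffer share one digest buffer and can read each other's result or a partially written one; the reformat carries this over without documenting it. Because the NULL-md return-static-buffer contract is inherited API that callers may depend on, the appropriate change here is documentation rather than code: above each `static unsigned char m[...]` add a comment such as `/* Shared fallback buffer: callers passing md == NULL are not thread-safe. */`. The `explicit_bzero(&c, sizeof(c))` after `SHA256_Final()` is the correct scrub of the context and should stay exactly as written. All six functions touched by this hunk are complete within it.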
@@ -117,22 +197,23 @@ void sha256_block_data_order (SHA256_CTX *ctx, const void *in, size_t num); #ifndef SHA256_ASM static const SHA_LONG K256[64] = { - 0x428a2f98UL,0x71374491UL,0xb5c0fbcfUL,0xe9b5dba5UL, - 0x3956c25bUL,0x59f111f1UL,0x923f82a4UL,0xab1c5ed5UL, - 0xd807aa98UL,0x12835b01UL,0x243185beUL,0x550c7dc3UL, - 0x72be5d74UL,0x80deb1feUL,0x9bdc06a7UL,0xc19bf174UL, - 0xe49b69c1UL,0xefbe4786UL,0x0fc19dc6UL,0x240ca1ccUL, - 0x2de92c6fUL,0x4a7484aaUL,0x5cb0a9dcUL,0x76f988daUL, - 0x983e5152UL,0xa831c66dUL,0xb00327c8UL,0xbf597fc7UL, - 0xc6e00bf3UL,0xd5a79147UL,0x06ca6351UL,0x14292967UL, - 0x27b70a85UL,0x2e1b2138UL,0x4d2c6dfcUL,0x53380d13UL, - 0x650a7354UL,0x766a0abbUL,0x81c2c92eUL,0x92722c85UL, - 0xa2bfe8a1UL,0xa81a664bUL,0xc24b8b70UL,0xc76c51a3UL, - 0xd192e819UL,0xd6990624UL,0xf40e3585UL,0x106aa070UL, - 0x19a4c116UL,0x1e376c08UL,0x2748774cUL,0x34b0bcb5UL, - 0x391c0cb3UL,0x4ed8aa4aUL,0x5b9cca4fUL,0x682e6ff3UL, - 0x748f82eeUL,0x78a5636fUL,0x84c87814UL,0x8cc70208UL, - 0x90befffaUL,0xa4506cebUL,0xbef9a3f7UL,0xc67178f2UL }; + 0x428a2f98UL, 0x71374491UL, 0xb5c0fbcfUL, 0xe9b5dba5UL, + 0x3956c25bUL, 0x59f111f1UL, 0x923f82a4UL, 0xab1c5ed5UL, + 0xd807aa98UL, 0x12835b01UL, 0x243185beUL, 0x550c7dc3UL, + 0x72be5d74UL, 0x80deb1feUL, 0x9bdc06a7UL, 0xc19bf174UL, + 0xe49b69c1UL, 0xefbe4786UL, 0x0fc19dc6UL, 0x240ca1ccUL, + 0x2de92c6fUL, 0x4a7484aaUL, 0x5cb0a9dcUL, 0x76f988daUL, + 0x983e5152UL, 0xa831c66dUL, 0xb00327c8UL, 0xbf597fc7UL, + 0xc6e00bf3UL, 0xd5a79147UL, 0x06ca6351UL, 0x14292967UL, + 0x27b70a85UL, 0x2e1b2138UL, 0x4d2c6dfcUL, 0x53380d13UL, + 0x650a7354UL, 0x766a0abbUL, 0x81c2c92eUL, 0x92722c85UL, + 0xa2bfe8a1UL, 0xa81a664bUL, 0xc24b8b70UL, 0xc76c51a3UL, + 0xd192e819UL, 0xd6990624UL, 0xf40e3585UL, 0x106aa070UL, + 0x19a4c116UL, 0x1e376c08UL, 0x2748774cUL, 0x34b0bcb5UL, + 0x391c0cb3UL, 0x4ed8aa4aUL, 0x5b9cca4fUL, 0x682e6ff3UL, + 0x748f82eeUL, 0x78a5636fUL, 0x84c87814UL, 0x8cc70208UL, + 0x90befffaUL, 0xa4506cebUL, 0xbef9a3f7UL, 0xc67178f2UL, +}; /* * FIPS specification refers to 
right rotations, while our ROTATE macro 
@@ -144,138 +225,219 @@ static const SHA_LONG K256[64] = { #define sigma0(x) (ROTATE((x),25) ^ ROTATE((x),14) ^ ((x)>>3)) #define sigma1(x) (ROTATE((x),15) ^ ROTATE((x),13) ^ ((x)>>10)) -#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) -#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) +#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z))) +#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) #ifdef OPENSSL_SMALL_FOOTPRINT -static void sha256_block_data_order (SHA256_CTX *ctx, const void *in, size_t num) - { - unsigned MD32_REG_T a,b,c,d,e,f,g,h,s0,s1,T1,T2; - SHA_LONG X[16],l; +static void +sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num) +{ + unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1, T2; + SHA_LONG X[16], l; int i; - const unsigned char *data=in; + const unsigned char *data = in; - while (num--) { + while (num--) { - a = ctx->h[0]; b = ctx->h[1]; c = ctx->h[2]; d = ctx->h[3]; - e = ctx->h[4]; f = ctx->h[5]; g = ctx->h[6]; h = ctx->h[7]; + a = ctx->h[0]; + b = ctx->h[1]; + c = ctx->h[2]; + d = ctx->h[3]; + e = ctx->h[4]; + f = ctx->h[5]; + g = ctx->h[6]; + h = ctx->h[7]; - for (i=0;i<16;i++) - { - HOST_c2l(data,l); T1 = X[i] = l; - T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; - T2 = Sigma0(a) + Maj(a,b,c); - h = g; g = f; f = e; e = d + T1; - d = c; c = b; b = a; a = T1 + T2; + for (i = 0; i < 16; i++) { + HOST_c2l(data, l); + T1 = X[i] = l; + T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; + T2 = Sigma0(a) + Maj(a, b, c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; } - for (;i<64;i++) - { - s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); - s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); + for (; i < 64; i++) { + s0 = X[(i + 1)&0x0f]; + s0 = sigma0(s0); + s1 = X[(i + 14)&0x0f]; + s1 = sigma1(s1); - T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf]; - T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; - T2 = Sigma0(a) + Maj(a,b,c); - h = g; g = f; f = e; e = d + T1; - d = c; c = b; b = a; a = T1 + T2; + T1 = X[i&0xf] 
+= s0 + s1 + X[(i + 9)&0xf]; + T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; + T2 = Sigma0(a) + Maj(a, b, c); + h = g; + g = f; + f = e; + e = d + T1; + d = c; + c = b; + b = a; + a = T1 + T2; } - ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d; - ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h; - - } + ctx->h[0] += a; + ctx->h[1] += b; + ctx->h[2] += c; + ctx->h[3] += d; + ctx->h[4] += e; + ctx->h[5] += f; + ctx->h[6] += g; + ctx->h[7] += h; + } } #else -#define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \ - T1 += h + Sigma1(e) + Ch(e,f,g) + K256[i]; \ - h = Sigma0(a) + Maj(a,b,c); \ +#define ROUND_00_15(i, a, b, c, d, e, f, g, h) do { \ + T1 += h + Sigma1(e) + Ch(e, f, g) + K256[i]; \ + h = Sigma0(a) + Maj(a, b, c); \ d += T1; h += T1; } while (0) -#define ROUND_16_63(i,a,b,c,d,e,f,g,h,X) do { \ +#define ROUND_16_63(i, a, b, c, d, e, f, g, h, X) do { \ s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); \ s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); \ T1 = X[(i)&0x0f] += s0 + s1 + X[(i+9)&0x0f]; \ - ROUND_00_15(i,a,b,c,d,e,f,g,h); } while (0) + ROUND_00_15(i, a, b, c, d, e, f, g, h); } while (0) -static void sha256_block_data_order (SHA256_CTX *ctx, const void *in, size_t num) - { - unsigned MD32_REG_T a,b,c,d,e,f,g,h,s0,s1,T1; +static void +sha256_block_data_order(SHA256_CTX *ctx, const void *in, size_t num) +{ + unsigned MD32_REG_T a, b, c, d, e, f, g, h, s0, s1, T1; SHA_LONG X[16]; int i; - const unsigned char *data=in; + const unsigned char *data = in; - while (num--) { + while (num--) { - a = ctx->h[0]; b = ctx->h[1]; c = ctx->h[2]; d = ctx->h[3]; - e = ctx->h[4]; f = ctx->h[5]; g = ctx->h[6]; h = ctx->h[7]; + a = ctx->h[0]; + b = ctx->h[1]; + c = ctx->h[2]; + d = ctx->h[3]; + e = ctx->h[4]; + f = ctx->h[5]; + g = ctx->h[6]; + h = ctx->h[7]; - if (BYTE_ORDER != LITTLE_ENDIAN && - sizeof(SHA_LONG)==4 && ((size_t)in%4)==0) - { - const SHA_LONG *W=(const SHA_LONG *)data; + if (BYTE_ORDER != LITTLE_ENDIAN && + sizeof(SHA_LONG) == 4 && ((size_t)in % 4) == 0) { + 
const SHA_LONG *W = (const SHA_LONG *)data; - T1 = X[0] = W[0]; ROUND_00_15(0,a,b,c,d,e,f,g,h); - T1 = X[1] = W[1]; ROUND_00_15(1,h,a,b,c,d,e,f,g); - T1 = X[2] = W[2]; ROUND_00_15(2,g,h,a,b,c,d,e,f); - T1 = X[3] = W[3]; ROUND_00_15(3,f,g,h,a,b,c,d,e); - T1 = X[4] = W[4]; ROUND_00_15(4,e,f,g,h,a,b,c,d); - T1 = X[5] = W[5]; ROUND_00_15(5,d,e,f,g,h,a,b,c); - T1 = X[6] = W[6]; ROUND_00_15(6,c,d,e,f,g,h,a,b); - T1 = X[7] = W[7]; ROUND_00_15(7,b,c,d,e,f,g,h,a); - T1 = X[8] = W[8]; ROUND_00_15(8,a,b,c,d,e,f,g,h); - T1 = X[9] = W[9]; ROUND_00_15(9,h,a,b,c,d,e,f,g); - T1 = X[10] = W[10]; ROUND_00_15(10,g,h,a,b,c,d,e,f); - T1 = X[11] = W[11]; ROUND_00_15(11,f,g,h,a,b,c,d,e); - T1 = X[12] = W[12]; ROUND_00_15(12,e,f,g,h,a,b,c,d); - T1 = X[13] = W[13]; ROUND_00_15(13,d,e,f,g,h,a,b,c); - T1 = X[14] = W[14]; ROUND_00_15(14,c,d,e,f,g,h,a,b); - T1 = X[15] = W[15]; ROUND_00_15(15,b,c,d,e,f,g,h,a); + T1 = X[0] = W[0]; + ROUND_00_15(0, a, b, c, d, e, f, g, h); + T1 = X[1] = W[1]; + ROUND_00_15(1, h, a, b, c, d, e, f, g); + T1 = X[2] = W[2]; + ROUND_00_15(2, g, h, a, b, c, d, e, f); + T1 = X[3] = W[3]; + ROUND_00_15(3, f, g, h, a, b, c, d, e); + T1 = X[4] = W[4]; + ROUND_00_15(4, e, f, g, h, a, b, c, d); + T1 = X[5] = W[5]; + ROUND_00_15(5, d, e, f, g, h, a, b, c); + T1 = X[6] = W[6]; + ROUND_00_15(6, c, d, e, f, g, h, a, b); + T1 = X[7] = W[7]; + ROUND_00_15(7, b, c, d, e, f, g, h, a); + T1 = X[8] = W[8]; + ROUND_00_15(8, a, b, c, d, e, f, g, h); + T1 = X[9] = W[9]; + ROUND_00_15(9, h, a, b, c, d, e, f, g); + T1 = X[10] = W[10]; + ROUND_00_15(10, g, h, a, b, c, d, e, f); + T1 = X[11] = W[11]; + ROUND_00_15(11, f, g, h, a, b, c, d, e); + T1 = X[12] = W[12]; + ROUND_00_15(12, e, f, g, h, a, b, c, d); + T1 = X[13] = W[13]; + ROUND_00_15(13, d, e, f, g, h, a, b, c); + T1 = X[14] = W[14]; + ROUND_00_15(14, c, d, e, f, g, h, a, b); + T1 = X[15] = W[15]; + ROUND_00_15(15, b, c, d, e, f, g, h, a); - data += SHA256_CBLOCK; - } - else - { - SHA_LONG l; + data += SHA256_CBLOCK; + } else { + 
SHA_LONG l; - HOST_c2l(data,l); T1 = X[0] = l; ROUND_00_15(0,a,b,c,d,e,f,g,h); - HOST_c2l(data,l); T1 = X[1] = l; ROUND_00_15(1,h,a,b,c,d,e,f,g); - HOST_c2l(data,l); T1 = X[2] = l; ROUND_00_15(2,g,h,a,b,c,d,e,f); - HOST_c2l(data,l); T1 = X[3] = l; ROUND_00_15(3,f,g,h,a,b,c,d,e); - HOST_c2l(data,l); T1 = X[4] = l; ROUND_00_15(4,e,f,g,h,a,b,c,d); - HOST_c2l(data,l); T1 = X[5] = l; ROUND_00_15(5,d,e,f,g,h,a,b,c); - HOST_c2l(data,l); T1 = X[6] = l; ROUND_00_15(6,c,d,e,f,g,h,a,b); - HOST_c2l(data,l); T1 = X[7] = l; ROUND_00_15(7,b,c,d,e,f,g,h,a); - HOST_c2l(data,l); T1 = X[8] = l; ROUND_00_15(8,a,b,c,d,e,f,g,h); - HOST_c2l(data,l); T1 = X[9] = l; ROUND_00_15(9,h,a,b,c,d,e,f,g); - HOST_c2l(data,l); T1 = X[10] = l; ROUND_00_15(10,g,h,a,b,c,d,e,f); - HOST_c2l(data,l); T1 = X[11] = l; ROUND_00_15(11,f,g,h,a,b,c,d,e); - HOST_c2l(data,l); T1 = X[12] = l; ROUND_00_15(12,e,f,g,h,a,b,c,d); - HOST_c2l(data,l); T1 = X[13] = l; ROUND_00_15(13,d,e,f,g,h,a,b,c); - HOST_c2l(data,l); T1 = X[14] = l; ROUND_00_15(14,c,d,e,f,g,h,a,b); - HOST_c2l(data,l); T1 = X[15] = l; ROUND_00_15(15,b,c,d,e,f,g,h,a); + HOST_c2l(data, l); + T1 = X[0] = l; + ROUND_00_15(0, a, b, c, d, e, f, g, h); + HOST_c2l(data, l); + T1 = X[1] = l; + ROUND_00_15(1, h, a, b, c, d, e, f, g); + HOST_c2l(data, l); + T1 = X[2] = l; + ROUND_00_15(2, g, h, a, b, c, d, e, f); + HOST_c2l(data, l); + T1 = X[3] = l; + ROUND_00_15(3, f, g, h, a, b, c, d, e); + HOST_c2l(data, l); + T1 = X[4] = l; + ROUND_00_15(4, e, f, g, h, a, b, c, d); + HOST_c2l(data, l); + T1 = X[5] = l; + ROUND_00_15(5, d, e, f, g, h, a, b, c); + HOST_c2l(data, l); + T1 = X[6] = l; + ROUND_00_15(6, c, d, e, f, g, h, a, b); + HOST_c2l(data, l); + T1 = X[7] = l; + ROUND_00_15(7, b, c, d, e, f, g, h, a); + HOST_c2l(data, l); + T1 = X[8] = l; + ROUND_00_15(8, a, b, c, d, e, f, g, h); + HOST_c2l(data, l); + T1 = X[9] = l; + ROUND_00_15(9, h, a, b, c, d, e, f, g); + HOST_c2l(data, l); + T1 = X[10] = l; + ROUND_00_15(10, g, h, a, b, c, d, e, f); + HOST_c2l(data, l); 
+ T1 = X[11] = l; + ROUND_00_15(11, f, g, h, a, b, c, d, e); + HOST_c2l(data, l); + T1 = X[12] = l; + ROUND_00_15(12, e, f, g, h, a, b, c, d); + HOST_c2l(data, l); + T1 = X[13] = l; + ROUND_00_15(13, d, e, f, g, h, a, b, c); + HOST_c2l(data, l); + T1 = X[14] = l; + ROUND_00_15(14, c, d, e, f, g, h, a, b); + HOST_c2l(data, l); + T1 = X[15] = l; + ROUND_00_15(15, b, c, d, e, f, g, h, a); } - for (i=16;i<64;i+=8) - { - ROUND_16_63(i+0,a,b,c,d,e,f,g,h,X); - ROUND_16_63(i+1,h,a,b,c,d,e,f,g,X); - ROUND_16_63(i+2,g,h,a,b,c,d,e,f,X); - ROUND_16_63(i+3,f,g,h,a,b,c,d,e,X); - ROUND_16_63(i+4,e,f,g,h,a,b,c,d,X); - ROUND_16_63(i+5,d,e,f,g,h,a,b,c,X); - ROUND_16_63(i+6,c,d,e,f,g,h,a,b,X); - ROUND_16_63(i+7,b,c,d,e,f,g,h,a,X); + for (i = 16; i < 64; i += 8) { + ROUND_16_63(i + 0, a, b, c, d, e, f, g, h, X); + ROUND_16_63(i + 1, h, a, b, c, d, e, f, g, X); + ROUND_16_63(i + 2, g, h, a, b, c, d, e, f, X); + ROUND_16_63(i + 3, f, g, h, a, b, c, d, e, X); + ROUND_16_63(i + 4, e, f, g, h, a, b, c, d, X); + ROUND_16_63(i + 5, d, e, f, g, h, a, b, c, X); + ROUND_16_63(i + 6, c, d, e, f, g, h, a, b, X); + ROUND_16_63(i + 7, b, c, d, e, f, g, h, a, X); } - ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d; - ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h; - - } + ctx->h[0] += a; + ctx->h[1] += b; + ctx->h[2] += c; + ctx->h[3] += d; + ctx->h[4] += e; + ctx->h[5] += f; + ctx->h[6] += g; + ctx->h[7] += h; } +} #endif #endif /* SHA256_ASM */ diff --git a/crypto/sha/sha3.c b/crypto/sha/sha3.c new file mode 100644 index 0000000..b070d71 --- /dev/null +++ b/crypto/sha/sha3.c 
@@ -0,0 +1,193 @@
+/* $OpenBSD: sha3.c,v 1.15 2023/04/16 15:32:16 jsing Exp $ */
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2015 Markku-Juhani O. Saarinen
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include
+#include
+
+#include "sha3_internal.h"
+
+#define KECCAKF_ROUNDS 24
+
+#define ROTL64(x, y) (((x) << (y)) | ((x) >> (64 - (y))))
+
+static const uint64_t sha3_keccakf_rndc[24] = {
+ 0x0000000000000001, 0x0000000000008082, 0x800000000000808a,
+ 0x8000000080008000, 0x000000000000808b, 0x0000000080000001,
+ 0x8000000080008081, 0x8000000000008009, 0x000000000000008a,
+ 0x0000000000000088, 0x0000000080008009, 0x000000008000000a,
+ 0x000000008000808b, 0x800000000000008b, 0x8000000000008089,
+ 0x8000000000008003, 0x8000000000008002, 0x8000000000000080,
+ 0x000000000000800a, 0x800000008000000a, 0x8000000080008081,
+ 0x8000000000008080, 0x0000000080000001, 0x8000000080008008
+};
+static const int sha3_keccakf_rotc[24] = {
+ 1, 3, 6, 10, 15, 21, 28, 36, 45, 55, 2, 14,
+ 27, 41, 56, 8, 25, 43, 62, 18, 39, 61, 20, 44
+};
+static const int sha3_keccakf_piln[24] = {
+ 10, 7, 11, 17, 18, 3, 5, 16, 8, 21, 24, 4,
+ 15, 23, 19, 13, 12, 2, 20, 14, 22, 9, 6, 1
+};
+
+static void
+sha3_keccakf(uint64_t st[25])
+{
+ uint64_t t, bc[5];
+ int i, j, r;
+
+#if BYTE_ORDER != LITTLE_ENDIAN
+ uint8_t *v;
+
+ for (i = 0; i < 25; i++) {
+ v = (uint8_t *) &st[i];
+ st[i] = ((uint64_t) v[0]) | (((uint64_t) v[1]) << 8) |
+ (((uint64_t) v[2]) << 16) | (((uint64_t) v[3]) << 24) |
+ (((uint64_t) v[4]) << 32) | (((uint64_t) v[5]) << 40) |
+ (((uint64_t) v[6]) << 48) | (((uint64_t) v[7]) << 56);
+ }
+#endif
+
+ for (r = 0; r < KECCAKF_ROUNDS; r++) {
+
+ /* Theta */
+ for (i = 0; i < 5; i++)
+ bc[i] = st[i] ^ st[i + 5] ^ st[i + 10] ^ st[i + 15] ^ st[i + 20];
+
+ for (i = 0; i < 5; i++) {
+ t = bc[(i + 4) % 5] ^ ROTL64(bc[(i + 1) % 5], 1);
+ for (j = 0; j < 25; j += 5)
+ st[j + i] ^= t;
+ }
+
+ /* Rho Pi */
+ t = st[1];
+ for (i = 0; i < 24; i++) {
+ j = sha3_keccakf_piln[i];
+ bc[0] = st[j];
+ st[j] = ROTL64(t, sha3_keccakf_rotc[i]);
+ t = bc[0];
+ }
+
+ /* Chi */
+ for (j = 0; j < 25; j += 5) {
+ for (i = 0; i < 5; i++)
+ bc[i] = st[j + i];
+ for (i = 0; i < 5; i++)
+ st[j + i] ^= (~bc[(i + 1) % 5]) & bc[(i + 2) % 5];
+ }
+
+ /* Iota */
+ st[0] ^= sha3_keccakf_rndc[r];
+ }
+
+#if BYTE_ORDER != LITTLE_ENDIAN
+ for (i = 0; i < 25; i++) {
+ v = (uint8_t *) &st[i];
+ t = st[i];
+ v[0] = t & 0xFF;
+ v[1] = (t >> 8) & 0xFF;
+ v[2] = (t >> 16) & 0xFF;
+ v[3] = (t >> 24) & 0xFF;
+ v[4] = (t >> 32) & 0xFF;
+ v[5] = (t >> 40) & 0xFF;
+ v[6] = (t >> 48) & 0xFF;
+ v[7] = (t >> 56) & 0xFF;
+ }
+#endif
+}
+
+int
+sha3_init(sha3_ctx *c, int mdlen)
+{
+ if (mdlen < 0 || mdlen >= KECCAK_BYTE_WIDTH / 2)
+ return 0;
+
+ memset(c, 0, sizeof(*c));
+
+ c->mdlen = mdlen;
+ c->rsize = KECCAK_BYTE_WIDTH - 2 * mdlen;
+
+ return 1;
+}
+
+int
+sha3_update(sha3_ctx *c, const void *data, size_t len)
+{
+ size_t i, j;
+
+ j = c->pt;
+ for (i = 0; i < len; i++) {
+ c->state.b[j++] ^= ((const uint8_t *) data)[i];
+ if (j >= c->rsize) {
+ sha3_keccakf(c->state.q);
+ j = 0;
+ }
+ }
+ c->pt = j;
+
+ return 1;
+}
+
+int
+sha3_final(void *md, sha3_ctx *c)
+{
+ int i;
+
+ c->state.b[c->pt] ^= 0x06;
+ c->state.b[c->rsize - 1] ^= 0x80;
+ sha3_keccakf(c->state.q);
+
+ for (i = 0; i < c->mdlen; i++) {
+ ((uint8_t *) md)[i] = c->state.b[i];
+ }
+
+ return 1;
+}
+
+/* SHAKE128 and SHAKE256 extensible-output functionality. */
+void
+shake_xof(sha3_ctx *c)
+{
+ c->state.b[c->pt] ^= 0x1F;
+ c->state.b[c->rsize - 1] ^= 0x80;
+ sha3_keccakf(c->state.q);
+ c->pt = 0;
+}
+
+void
+shake_out(sha3_ctx *c, void *out, size_t len)
+{
+ size_t i, j;
+
+ j = c->pt;
+ for (i = 0; i < len; i++) {
+ if (j >= c->rsize) {
+ sha3_keccakf(c->state.q);
+ j = 0;
+ }
+ ((uint8_t *) out)[i] = c->state.b[j++];
+ }
+ c->pt = j;
+}
diff --git a/crypto/sha/sha3_internal.h b/crypto/sha/sha3_internal.h
new file mode 100644
index 0000000..53a4980
--- /dev/null
+++ b/crypto/sha/sha3_internal.h
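Review bot: sha3_final copies the digest out and returns while the full 200-byte sponge state, which is a function of everything absorbed, stays in the caller's sha3_ctx; the SHA224()/SHA256() one-shots in this same commit explicit_bzero their context, but nothing here does the equivalent. If sha3_ctx is only ever reached through the EVP layer its cleanup presumably wipes md_data, but direct callers of sha3_final get no wipe, so adding `explicit_bzero(c, sizeof(*c));` before the `return 1;` in sha3_final (and documenting that shake_out callers must wipe the context themselves, since a XOF cannot know when it is finished) would close that gap. Separately, sha3_final loops with `int i` against `c->mdlen`, a size_t, and sha3_init takes `int mdlen` while the struct stores size_t; the `mdlen < 0` check keeps it safe, but `size_t i;` in sha3_final avoids the signed/unsigned comparison. sha3_update absorbs one byte at a time with a rate check per byte, which is correct but worth a one-line comment that it is the unoptimised reference path.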
@@ -0,0 +1,81 @@
+/* $OpenBSD: sha3_internal.h,v 1.15 2023/04/25 19:32:19 tb Exp $ */
+/*
+ * The MIT License (MIT)
+ *
+ * Copyright (c) 2015 Markku-Juhani O. Saarinen
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+#include
+#include
+
+#ifndef HEADER_SHA3_INTERNAL_H
+#define HEADER_SHA3_INTERNAL_H
+
+#define KECCAK_BIT_WIDTH 1600
+#define KECCAK_BYTE_WIDTH (KECCAK_BIT_WIDTH / 8)
+
+#define SHA3_224_BIT_LENGTH 224
+#define SHA3_224_BITRATE (2 * SHA3_224_BIT_LENGTH)
+#define SHA3_224_CAPACITY (KECCAK_BIT_WIDTH - SHA3_224_BITRATE)
+#define SHA3_224_BLOCK_SIZE (SHA3_224_CAPACITY / 8)
+#define SHA3_224_DIGEST_LENGTH (SHA3_224_BIT_LENGTH / 8)
+
+#define SHA3_256_BIT_LENGTH 256
+#define SHA3_256_BITRATE (2 * SHA3_256_BIT_LENGTH)
+#define SHA3_256_CAPACITY (KECCAK_BIT_WIDTH - SHA3_256_BITRATE)
+#define SHA3_256_BLOCK_SIZE (SHA3_256_CAPACITY / 8)
+#define SHA3_256_DIGEST_LENGTH (SHA3_256_BIT_LENGTH / 8)
+
+#define SHA3_384_BIT_LENGTH 384
+#define SHA3_384_BITRATE (2 * SHA3_384_BIT_LENGTH)
+#define SHA3_384_CAPACITY (KECCAK_BIT_WIDTH - SHA3_384_BITRATE)
+#define SHA3_384_BLOCK_SIZE (SHA3_384_CAPACITY / 8)
+#define SHA3_384_DIGEST_LENGTH (SHA3_384_BIT_LENGTH / 8)
+
+#define SHA3_512_BIT_LENGTH 512
+#define SHA3_512_BITRATE (2 * SHA3_512_BIT_LENGTH)
+#define SHA3_512_CAPACITY (KECCAK_BIT_WIDTH - SHA3_512_BITRATE)
+#define SHA3_512_BLOCK_SIZE (SHA3_512_CAPACITY / 8)
+#define SHA3_512_DIGEST_LENGTH (SHA3_512_BIT_LENGTH / 8)
+
+typedef struct sha3_ctx_st {
+ union {
+ uint8_t b[200]; /* State as 8 bit bytes. */
+ uint64_t q[25]; /* State as 64 bit words. */
+ } state;
+ size_t pt;
+ size_t rsize;
+ size_t mdlen;
+} sha3_ctx;
+
+int sha3_init(sha3_ctx *c, int mdlen);
+int sha3_update(sha3_ctx *c, const void *data, size_t len);
+int sha3_final(void *md, sha3_ctx *c);
+
+/* SHAKE128 and SHAKE256 extensible-output functions. */
+#define shake128_init(c) sha3_init(c, 16)
+#define shake256_init(c) sha3_init(c, 32)
+#define shake_update sha3_update
+
+void shake_xof(sha3_ctx *c);
+void shake_out(sha3_ctx *c, void *out, size_t len);
+
+#endif
diff --git a/crypto/sha/sha512-elf-x86_64.S b/crypto/sha/sha512-elf-x86_64.S
index 1173407..0581c7c 100644
--- a/crypto/sha/sha512-elf-x86_64.S
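Review bot: The SHA3_*_BITRATE and SHA3_*_CAPACITY names are swapped relative to FIPS 202: for SHA3-224 the capacity is c = 2d = 448 bits and the rate is r = 1600 - c = 1152, yet here `SHA3_224_BITRATE` is `(2 * SHA3_224_BIT_LENGTH)` and `SHA3_224_CAPACITY` is `(KECCAK_BIT_WIDTH - SHA3_224_BITRATE)`. SHA3_224_BLOCK_SIZE still comes out as the correct 144 bytes (136, 104 and 72 for the others) only because it is derived from the mis-named CAPACITY macro, so anyone later using BITRATE or CAPACITY on its own, e.g. to place the padding byte or size a buffer, will pick up the wrong constant. Either swap the two names or add `/* NOTE: BITRATE here is the FIPS 202 capacity c = 2d; CAPACITY is the rate r = b - c. */` above the first group. The `uint8_t b[200]` in sha3_ctx also hard-codes what `KECCAK_BYTE_WIDTH` already names and could use it.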
+++ b/crypto/sha/sha512-elf-x86_64.S @@ -5,6 +5,7 @@ .type sha512_block_data_order,@function .align 16 sha512_block_data_order: + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -1758,6 +1759,7 @@ sha512_block_data_order: .Lepilogue: retq .size sha512_block_data_order,.-sha512_block_data_order +.section .rodata .align 64 .type K512,@object K512: @@ -1801,6 +1803,7 @@ K512: .quad 0x3c9ebe0a15c9bebc,0x431d67c49c100d4c .quad 0x4cc5d4becb3e42b6,0x597f299cfc657e2a .quad 0x5fcb6fab3ad6faec,0x6c44198c4a475817 +.text #if defined(HAVE_GNU_STACK) .section .note.GNU-stack,"",%progbits #endif diff --git a/crypto/sha/sha512-macosx-x86_64.S b/crypto/sha/sha512-macosx-x86_64.S index 7581da4..a18d51a 100644 --- a/crypto/sha/sha512-macosx-x86_64.S +++ b/crypto/sha/sha512-macosx-x86_64.S @@ -5,6 +5,7 @@ .p2align 4 _sha512_block_data_order: + pushq %rbx pushq %rbp pushq %r12 @@ -1758,6 +1759,7 @@ L$rounds_16_xx: L$epilogue: retq +.section __DATA,__const .p2align 6 K512: @@ -1801,3 +1803,4 @@ K512: .quad 0x3c9ebe0a15c9bebc,0x431d67c49c100d4c .quad 0x4cc5d4becb3e42b6,0x597f299cfc657e2a .quad 0x5fcb6fab3ad6faec,0x6c44198c4a475817 +.text diff --git a/crypto/sha/sha512-masm-x86_64.S b/crypto/sha/sha512-masm-x86_64.S index e964d9c..0e1c01d 100644 --- a/crypto/sha/sha512-masm-x86_64.S +++ b/crypto/sha/sha512-masm-x86_64.S @@ -83,6 +83,7 @@ $L$SEH_begin_sha512_block_data_order:: mov rcx,r9 + endbr64 push rbx push rbp push r12 @@ -1839,6 +1840,8 @@ $L$epilogue:: DB 0F3h,0C3h ;repret $L$SEH_end_sha512_block_data_order:: sha512_block_data_order ENDP +.text$ ENDS +.rdata SEGMENT READONLY ALIGN(8) ALIGN 64 K512:: @@ -1882,6 +1885,8 @@ K512:: DQ 03c9ebe0a15c9bebch,0431d67c49c100d4ch DQ 04cc5d4becb3e42b6h,0597f299cfc657e2ah DQ 05fcb6fab3ad6faech,06c44198c4a475817h +.rdata ENDS +.text$ SEGMENT ALIGN(64) 'CODE' .text$ ENDS END diff --git a/crypto/sha/sha512-mingw64-x86_64.S b/crypto/sha/sha512-mingw64-x86_64.S index 5153952..70b7223 100644 --- a/crypto/sha/sha512-mingw64-x86_64.S 
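Review bot: In sha512-macosx-x86_64.S the only line added at `_sha512_block_data_order:` is an empty one, whereas the ELF, MASM and MinGW variants in the same commit gain `endbr64` at that spot, so the Mach-O build of this routine ends up with no IBT landing pad. If that is deliberate (the generator presumably emits the CET marker only for ELF and PE flavours), a comment to that effect in the generator would spare the next reader the cross-file comparison; otherwise the blank line should be `endbr64` as in the other three. Moving K512 into `__DATA,__const` is the right call and needs no change. The function body itself lies outside the hunk.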
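Review bot: In sha512-masm-x86_64.S the new `endbr64` is inserted after `mov rcx,r9`, several instructions past the function's entry label, but an ENDBR only acts as an indirect-branch landing pad when it is the first instruction at the branch target; placed here it decodes as a NOP and gives no protection should IBT ever be enforced for this code. Windows presumably does not enforce user-mode IBT today and the shadow-stack half of CET does not depend on it, so this is latent rather than exploitable, but emitting `endbr64` immediately at the entry point, before the `$L$SEH_begin_sha512_block_data_order::` argument-shuffling sequence, is what makes it meaningful. The entry label and the start of that sequence lie above the hunk.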
+++ b/crypto/sha/sha512-mingw64-x86_64.S @@ -14,6 +14,7 @@ sha512_block_data_order: movq %r8,%rdx movq %r9,%rcx + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -1769,6 +1770,7 @@ sha512_block_data_order: movq 16(%rsp),%rsi retq .LSEH_end_sha512_block_data_order: +.section .rodata .p2align 6 K512: @@ -1812,3 +1814,4 @@ K512: .quad 0x3c9ebe0a15c9bebc,0x431d67c49c100d4c .quad 0x4cc5d4becb3e42b6,0x597f299cfc657e2a .quad 0x5fcb6fab3ad6faec,0x6c44198c4a475817 +.text diff --git a/crypto/sha/sha512-mips.S b/crypto/sha/sha512-mips.S new file mode 100644 index 0000000..da903b6 --- /dev/null +++ b/crypto/sha/sha512-mips.S 
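Review bot: In sha512-mingw64-x86_64.S the `endbr64` is placed after `movq %r9,%rcx`, i.e. after the Win64-to-SysV register shuffling rather than at the `sha512_block_data_order:` label named in the hunk header, so it is not the first instruction at the indirect-branch target and would not satisfy an IBT check; it currently only costs a NOP. The fix is to move `endbr64` to directly follow the entry label, which sits above the hunk, and the same ordering issue presumably exists in every MinGW .S file produced by this generator run, so it is better fixed in the generator than per file. The `.section .rodata` / `.text` bracketing around K512 is correct.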
@@ -0,0 +1,2165 @@ +.text +.set noat +#if !defined(__vxworks) || defined(__pic__) +.option pic2 +#endif + +.align 5 +.globl sha512_block_data_order +.ent sha512_block_data_order +sha512_block_data_order: + .frame $29,192,$31 + .mask 3237937152,-4 + .set noreorder + .cpload $25 + sub $29,192 + sw $31,192-1*4($29) + sw $30,192-2*4($29) + sw $23,192-3*4($29) + sw $22,192-4*4($29) + sw $21,192-5*4($29) + sw $20,192-6*4($29) + sw $19,192-7*4($29) + sw $18,192-8*4($29) + sw $17,192-9*4($29) + sw $16,192-10*4($29) + sll $23,$6,7 + .set reorder + la $6,K512 # PIC-ified 'load address' + + ld $1,0*8($4) # load context + ld $2,1*8($4) + ld $3,2*8($4) + ld $7,3*8($4) + ld $24,4*8($4) + ld $25,5*8($4) + ld $30,6*8($4) + ld $31,7*8($4) + + add $23,$5 # pointer to the end of input + sw $23,16*8($29) + b .Loop + +.align 5 +.Loop: + ldl $8,7($5) + ldr $8,0($5) + ldl $9,15($5) + ldr $9,8($5) + ori $13,$0,0xFF + dsll $15,$13,32 + or $13,$15 # 0x000000FF000000FF + and $14,$8,$13 # byte swap(0) + dsrl $15,$8,24 + dsll $14,24 + and $15,$13 + dsll $13,8 # 0x0000FF000000FF00 + or $14,$15 + and $15,$8,$13 + dsrl $8,8 + dsll $15,8 + and $8,$13 + or $14,$15 + or $8,$14 + dsrl $14,$8,32 + dsll $8,32 + or $8,$14 + daddu $12,$8,$31 # 0 + dsrl $31,$24,14 + xor $15,$25,$30 + dsll $14,$24,23 + and $15,$24 + dsrl $13,$24,18 + xor $31,$14 + dsll $14,$24,46 + xor $31,$13 + dsrl $13,$24,41 + xor $31,$14 + dsll $14,$24,50 + xor $31,$13 + xor $15,$30 # Ch(e,f,g) + xor $13,$14,$31 # Sigma1(e) + + dsrl $31,$1,28 + daddu $12,$15 + ld $15,0($6) # K[0] + dsll $14,$1,25 + daddu $12,$13 + dsrl $13,$1,34 + xor $31,$14 + dsll $14,$1,30 + xor $31,$13 + dsrl $13,$1,39 + xor $31,$14 + dsll $14,$1,36 + xor $31,$13 + sd $8,0($29) # offload to ring buffer + xor $31,$14 # Sigma0(a) + + or $13,$1,$2 + and $14,$1,$2 + and $13,$3 + or $14,$13 # Maj(a,b,c) + daddu $12,$15 # +=K[0] + daddu $31,$14 + + daddu $7,$12 + daddu $31,$12 + ldl $10,23($5) + ldr $10,16($5) + ori $14,$0,0xFF + dsll $16,$14,32 + or $14,$16 # 
0x000000FF000000FF + and $15,$9,$14 # byte swap(1) + dsrl $16,$9,24 + dsll $15,24 + and $16,$14 + dsll $14,8 # 0x0000FF000000FF00 + or $15,$16 + and $16,$9,$14 + dsrl $9,8 + dsll $16,8 + and $9,$14 + or $15,$16 + or $9,$15 + dsrl $15,$9,32 + dsll $9,32 + or $9,$15 + daddu $13,$9,$30 # 1 + dsrl $30,$7,14 + xor $16,$24,$25 + dsll $15,$7,23 + and $16,$7 + dsrl $14,$7,18 + xor $30,$15 + dsll $15,$7,46 + xor $30,$14 + dsrl $14,$7,41 + xor $30,$15 + dsll $15,$7,50 + xor $30,$14 + xor $16,$25 # Ch(e,f,g) + xor $14,$15,$30 # Sigma1(e) + + dsrl $30,$31,28 + daddu $13,$16 + ld $16,8($6) # K[1] + dsll $15,$31,25 + daddu $13,$14 + dsrl $14,$31,34 + xor $30,$15 + dsll $15,$31,30 + xor $30,$14 + dsrl $14,$31,39 + xor $30,$15 + dsll $15,$31,36 + xor $30,$14 + sd $9,8($29) # offload to ring buffer + xor $30,$15 # Sigma0(a) + + or $14,$31,$1 + and $15,$31,$1 + and $14,$2 + or $15,$14 # Maj(a,b,c) + daddu $13,$16 # +=K[1] + daddu $30,$15 + + daddu $3,$13 + daddu $30,$13 + ldl $11,31($5) + ldr $11,24($5) + ori $15,$0,0xFF + dsll $17,$15,32 + or $15,$17 # 0x000000FF000000FF + and $16,$10,$15 # byte swap(2) + dsrl $17,$10,24 + dsll $16,24 + and $17,$15 + dsll $15,8 # 0x0000FF000000FF00 + or $16,$17 + and $17,$10,$15 + dsrl $10,8 + dsll $17,8 + and $10,$15 + or $16,$17 + or $10,$16 + dsrl $16,$10,32 + dsll $10,32 + or $10,$16 + daddu $14,$10,$25 # 2 + dsrl $25,$3,14 + xor $17,$7,$24 + dsll $16,$3,23 + and $17,$3 + dsrl $15,$3,18 + xor $25,$16 + dsll $16,$3,46 + xor $25,$15 + dsrl $15,$3,41 + xor $25,$16 + dsll $16,$3,50 + xor $25,$15 + xor $17,$24 # Ch(e,f,g) + xor $15,$16,$25 # Sigma1(e) + + dsrl $25,$30,28 + daddu $14,$17 + ld $17,16($6) # K[2] + dsll $16,$30,25 + daddu $14,$15 + dsrl $15,$30,34 + xor $25,$16 + dsll $16,$30,30 + xor $25,$15 + dsrl $15,$30,39 + xor $25,$16 + dsll $16,$30,36 + xor $25,$15 + sd $10,16($29) # offload to ring buffer + xor $25,$16 # Sigma0(a) + + or $15,$30,$31 + and $16,$30,$31 + and $15,$1 + or $16,$15 # Maj(a,b,c) + daddu $14,$17 # +=K[2] + daddu $25,$16 
+ + daddu $2,$14 + daddu $25,$14 + ldl $12,39($5) + ldr $12,32($5) + ori $16,$0,0xFF + dsll $18,$16,32 + or $16,$18 # 0x000000FF000000FF + and $17,$11,$16 # byte swap(3) + dsrl $18,$11,24 + dsll $17,24 + and $18,$16 + dsll $16,8 # 0x0000FF000000FF00 + or $17,$18 + and $18,$11,$16 + dsrl $11,8 + dsll $18,8 + and $11,$16 + or $17,$18 + or $11,$17 + dsrl $17,$11,32 + dsll $11,32 + or $11,$17 + daddu $15,$11,$24 # 3 + dsrl $24,$2,14 + xor $18,$3,$7 + dsll $17,$2,23 + and $18,$2 + dsrl $16,$2,18 + xor $24,$17 + dsll $17,$2,46 + xor $24,$16 + dsrl $16,$2,41 + xor $24,$17 + dsll $17,$2,50 + xor $24,$16 + xor $18,$7 # Ch(e,f,g) + xor $16,$17,$24 # Sigma1(e) + + dsrl $24,$25,28 + daddu $15,$18 + ld $18,24($6) # K[3] + dsll $17,$25,25 + daddu $15,$16 + dsrl $16,$25,34 + xor $24,$17 + dsll $17,$25,30 + xor $24,$16 + dsrl $16,$25,39 + xor $24,$17 + dsll $17,$25,36 + xor $24,$16 + sd $11,24($29) # offload to ring buffer + xor $24,$17 # Sigma0(a) + + or $16,$25,$30 + and $17,$25,$30 + and $16,$31 + or $17,$16 # Maj(a,b,c) + daddu $15,$18 # +=K[3] + daddu $24,$17 + + daddu $1,$15 + daddu $24,$15 + ldl $13,47($5) + ldr $13,40($5) + ori $17,$0,0xFF + dsll $19,$17,32 + or $17,$19 # 0x000000FF000000FF + and $18,$12,$17 # byte swap(4) + dsrl $19,$12,24 + dsll $18,24 + and $19,$17 + dsll $17,8 # 0x0000FF000000FF00 + or $18,$19 + and $19,$12,$17 + dsrl $12,8 + dsll $19,8 + and $12,$17 + or $18,$19 + or $12,$18 + dsrl $18,$12,32 + dsll $12,32 + or $12,$18 + daddu $16,$12,$7 # 4 + dsrl $7,$1,14 + xor $19,$2,$3 + dsll $18,$1,23 + and $19,$1 + dsrl $17,$1,18 + xor $7,$18 + dsll $18,$1,46 + xor $7,$17 + dsrl $17,$1,41 + xor $7,$18 + dsll $18,$1,50 + xor $7,$17 + xor $19,$3 # Ch(e,f,g) + xor $17,$18,$7 # Sigma1(e) + + dsrl $7,$24,28 + daddu $16,$19 + ld $19,32($6) # K[4] + dsll $18,$24,25 + daddu $16,$17 + dsrl $17,$24,34 + xor $7,$18 + dsll $18,$24,30 + xor $7,$17 + dsrl $17,$24,39 + xor $7,$18 + dsll $18,$24,36 + xor $7,$17 + sd $12,32($29) # offload to ring buffer + xor $7,$18 # Sigma0(a) 
+ + or $17,$24,$25 + and $18,$24,$25 + and $17,$30 + or $18,$17 # Maj(a,b,c) + daddu $16,$19 # +=K[4] + daddu $7,$18 + + daddu $31,$16 + daddu $7,$16 + ldl $14,55($5) + ldr $14,48($5) + ori $18,$0,0xFF + dsll $20,$18,32 + or $18,$20 # 0x000000FF000000FF + and $19,$13,$18 # byte swap(5) + dsrl $20,$13,24 + dsll $19,24 + and $20,$18 + dsll $18,8 # 0x0000FF000000FF00 + or $19,$20 + and $20,$13,$18 + dsrl $13,8 + dsll $20,8 + and $13,$18 + or $19,$20 + or $13,$19 + dsrl $19,$13,32 + dsll $13,32 + or $13,$19 + daddu $17,$13,$3 # 5 + dsrl $3,$31,14 + xor $20,$1,$2 + dsll $19,$31,23 + and $20,$31 + dsrl $18,$31,18 + xor $3,$19 + dsll $19,$31,46 + xor $3,$18 + dsrl $18,$31,41 + xor $3,$19 + dsll $19,$31,50 + xor $3,$18 + xor $20,$2 # Ch(e,f,g) + xor $18,$19,$3 # Sigma1(e) + + dsrl $3,$7,28 + daddu $17,$20 + ld $20,40($6) # K[5] + dsll $19,$7,25 + daddu $17,$18 + dsrl $18,$7,34 + xor $3,$19 + dsll $19,$7,30 + xor $3,$18 + dsrl $18,$7,39 + xor $3,$19 + dsll $19,$7,36 + xor $3,$18 + sd $13,40($29) # offload to ring buffer + xor $3,$19 # Sigma0(a) + + or $18,$7,$24 + and $19,$7,$24 + and $18,$25 + or $19,$18 # Maj(a,b,c) + daddu $17,$20 # +=K[5] + daddu $3,$19 + + daddu $30,$17 + daddu $3,$17 + ldl $15,63($5) + ldr $15,56($5) + ori $19,$0,0xFF + dsll $21,$19,32 + or $19,$21 # 0x000000FF000000FF + and $20,$14,$19 # byte swap(6) + dsrl $21,$14,24 + dsll $20,24 + and $21,$19 + dsll $19,8 # 0x0000FF000000FF00 + or $20,$21 + and $21,$14,$19 + dsrl $14,8 + dsll $21,8 + and $14,$19 + or $20,$21 + or $14,$20 + dsrl $20,$14,32 + dsll $14,32 + or $14,$20 + daddu $18,$14,$2 # 6 + dsrl $2,$30,14 + xor $21,$31,$1 + dsll $20,$30,23 + and $21,$30 + dsrl $19,$30,18 + xor $2,$20 + dsll $20,$30,46 + xor $2,$19 + dsrl $19,$30,41 + xor $2,$20 + dsll $20,$30,50 + xor $2,$19 + xor $21,$1 # Ch(e,f,g) + xor $19,$20,$2 # Sigma1(e) + + dsrl $2,$3,28 + daddu $18,$21 + ld $21,48($6) # K[6] + dsll $20,$3,25 + daddu $18,$19 + dsrl $19,$3,34 + xor $2,$20 + dsll $20,$3,30 + xor $2,$19 + dsrl $19,$3,39 + xor 
$2,$20 + dsll $20,$3,36 + xor $2,$19 + sd $14,48($29) # offload to ring buffer + xor $2,$20 # Sigma0(a) + + or $19,$3,$7 + and $20,$3,$7 + and $19,$24 + or $20,$19 # Maj(a,b,c) + daddu $18,$21 # +=K[6] + daddu $2,$20 + + daddu $25,$18 + daddu $2,$18 + ldl $16,71($5) + ldr $16,64($5) + ori $20,$0,0xFF + dsll $22,$20,32 + or $20,$22 # 0x000000FF000000FF + and $21,$15,$20 # byte swap(7) + dsrl $22,$15,24 + dsll $21,24 + and $22,$20 + dsll $20,8 # 0x0000FF000000FF00 + or $21,$22 + and $22,$15,$20 + dsrl $15,8 + dsll $22,8 + and $15,$20 + or $21,$22 + or $15,$21 + dsrl $21,$15,32 + dsll $15,32 + or $15,$21 + daddu $19,$15,$1 # 7 + dsrl $1,$25,14 + xor $22,$30,$31 + dsll $21,$25,23 + and $22,$25 + dsrl $20,$25,18 + xor $1,$21 + dsll $21,$25,46 + xor $1,$20 + dsrl $20,$25,41 + xor $1,$21 + dsll $21,$25,50 + xor $1,$20 + xor $22,$31 # Ch(e,f,g) + xor $20,$21,$1 # Sigma1(e) + + dsrl $1,$2,28 + daddu $19,$22 + ld $22,56($6) # K[7] + dsll $21,$2,25 + daddu $19,$20 + dsrl $20,$2,34 + xor $1,$21 + dsll $21,$2,30 + xor $1,$20 + dsrl $20,$2,39 + xor $1,$21 + dsll $21,$2,36 + xor $1,$20 + sd $15,56($29) # offload to ring buffer + xor $1,$21 # Sigma0(a) + + or $20,$2,$3 + and $21,$2,$3 + and $20,$7 + or $21,$20 # Maj(a,b,c) + daddu $19,$22 # +=K[7] + daddu $1,$21 + + daddu $24,$19 + daddu $1,$19 + ldl $17,79($5) + ldr $17,72($5) + ori $21,$0,0xFF + dsll $23,$21,32 + or $21,$23 # 0x000000FF000000FF + and $22,$16,$21 # byte swap(8) + dsrl $23,$16,24 + dsll $22,24 + and $23,$21 + dsll $21,8 # 0x0000FF000000FF00 + or $22,$23 + and $23,$16,$21 + dsrl $16,8 + dsll $23,8 + and $16,$21 + or $22,$23 + or $16,$22 + dsrl $22,$16,32 + dsll $16,32 + or $16,$22 + daddu $20,$16,$31 # 8 + dsrl $31,$24,14 + xor $23,$25,$30 + dsll $22,$24,23 + and $23,$24 + dsrl $21,$24,18 + xor $31,$22 + dsll $22,$24,46 + xor $31,$21 + dsrl $21,$24,41 + xor $31,$22 + dsll $22,$24,50 + xor $31,$21 + xor $23,$30 # Ch(e,f,g) + xor $21,$22,$31 # Sigma1(e) + + dsrl $31,$1,28 + daddu $20,$23 + ld $23,64($6) # K[8] + dsll 
$22,$1,25 + daddu $20,$21 + dsrl $21,$1,34 + xor $31,$22 + dsll $22,$1,30 + xor $31,$21 + dsrl $21,$1,39 + xor $31,$22 + dsll $22,$1,36 + xor $31,$21 + sd $16,64($29) # offload to ring buffer + xor $31,$22 # Sigma0(a) + + or $21,$1,$2 + and $22,$1,$2 + and $21,$3 + or $22,$21 # Maj(a,b,c) + daddu $20,$23 # +=K[8] + daddu $31,$22 + + daddu $7,$20 + daddu $31,$20 + ldl $18,87($5) + ldr $18,80($5) + ori $22,$0,0xFF + dsll $8,$22,32 + or $22,$8 # 0x000000FF000000FF + and $23,$17,$22 # byte swap(9) + dsrl $8,$17,24 + dsll $23,24 + and $8,$22 + dsll $22,8 # 0x0000FF000000FF00 + or $23,$8 + and $8,$17,$22 + dsrl $17,8 + dsll $8,8 + and $17,$22 + or $23,$8 + or $17,$23 + dsrl $23,$17,32 + dsll $17,32 + or $17,$23 + daddu $21,$17,$30 # 9 + dsrl $30,$7,14 + xor $8,$24,$25 + dsll $23,$7,23 + and $8,$7 + dsrl $22,$7,18 + xor $30,$23 + dsll $23,$7,46 + xor $30,$22 + dsrl $22,$7,41 + xor $30,$23 + dsll $23,$7,50 + xor $30,$22 + xor $8,$25 # Ch(e,f,g) + xor $22,$23,$30 # Sigma1(e) + + dsrl $30,$31,28 + daddu $21,$8 + ld $8,72($6) # K[9] + dsll $23,$31,25 + daddu $21,$22 + dsrl $22,$31,34 + xor $30,$23 + dsll $23,$31,30 + xor $30,$22 + dsrl $22,$31,39 + xor $30,$23 + dsll $23,$31,36 + xor $30,$22 + sd $17,72($29) # offload to ring buffer + xor $30,$23 # Sigma0(a) + + or $22,$31,$1 + and $23,$31,$1 + and $22,$2 + or $23,$22 # Maj(a,b,c) + daddu $21,$8 # +=K[9] + daddu $30,$23 + + daddu $3,$21 + daddu $30,$21 + ldl $19,95($5) + ldr $19,88($5) + ori $23,$0,0xFF + dsll $9,$23,32 + or $23,$9 # 0x000000FF000000FF + and $8,$18,$23 # byte swap(10) + dsrl $9,$18,24 + dsll $8,24 + and $9,$23 + dsll $23,8 # 0x0000FF000000FF00 + or $8,$9 + and $9,$18,$23 + dsrl $18,8 + dsll $9,8 + and $18,$23 + or $8,$9 + or $18,$8 + dsrl $8,$18,32 + dsll $18,32 + or $18,$8 + daddu $22,$18,$25 # 10 + dsrl $25,$3,14 + xor $9,$7,$24 + dsll $8,$3,23 + and $9,$3 + dsrl $23,$3,18 + xor $25,$8 + dsll $8,$3,46 + xor $25,$23 + dsrl $23,$3,41 + xor $25,$8 + dsll $8,$3,50 + xor $25,$23 + xor $9,$24 # Ch(e,f,g) + xor 
$23,$8,$25 # Sigma1(e) + + dsrl $25,$30,28 + daddu $22,$9 + ld $9,80($6) # K[10] + dsll $8,$30,25 + daddu $22,$23 + dsrl $23,$30,34 + xor $25,$8 + dsll $8,$30,30 + xor $25,$23 + dsrl $23,$30,39 + xor $25,$8 + dsll $8,$30,36 + xor $25,$23 + sd $18,80($29) # offload to ring buffer + xor $25,$8 # Sigma0(a) + + or $23,$30,$31 + and $8,$30,$31 + and $23,$1 + or $8,$23 # Maj(a,b,c) + daddu $22,$9 # +=K[10] + daddu $25,$8 + + daddu $2,$22 + daddu $25,$22 + ldl $20,103($5) + ldr $20,96($5) + ori $8,$0,0xFF + dsll $10,$8,32 + or $8,$10 # 0x000000FF000000FF + and $9,$19,$8 # byte swap(11) + dsrl $10,$19,24 + dsll $9,24 + and $10,$8 + dsll $8,8 # 0x0000FF000000FF00 + or $9,$10 + and $10,$19,$8 + dsrl $19,8 + dsll $10,8 + and $19,$8 + or $9,$10 + or $19,$9 + dsrl $9,$19,32 + dsll $19,32 + or $19,$9 + daddu $23,$19,$24 # 11 + dsrl $24,$2,14 + xor $10,$3,$7 + dsll $9,$2,23 + and $10,$2 + dsrl $8,$2,18 + xor $24,$9 + dsll $9,$2,46 + xor $24,$8 + dsrl $8,$2,41 + xor $24,$9 + dsll $9,$2,50 + xor $24,$8 + xor $10,$7 # Ch(e,f,g) + xor $8,$9,$24 # Sigma1(e) + + dsrl $24,$25,28 + daddu $23,$10 + ld $10,88($6) # K[11] + dsll $9,$25,25 + daddu $23,$8 + dsrl $8,$25,34 + xor $24,$9 + dsll $9,$25,30 + xor $24,$8 + dsrl $8,$25,39 + xor $24,$9 + dsll $9,$25,36 + xor $24,$8 + sd $19,88($29) # offload to ring buffer + xor $24,$9 # Sigma0(a) + + or $8,$25,$30 + and $9,$25,$30 + and $8,$31 + or $9,$8 # Maj(a,b,c) + daddu $23,$10 # +=K[11] + daddu $24,$9 + + daddu $1,$23 + daddu $24,$23 + ldl $21,111($5) + ldr $21,104($5) + ori $9,$0,0xFF + dsll $11,$9,32 + or $9,$11 # 0x000000FF000000FF + and $10,$20,$9 # byte swap(12) + dsrl $11,$20,24 + dsll $10,24 + and $11,$9 + dsll $9,8 # 0x0000FF000000FF00 + or $10,$11 + and $11,$20,$9 + dsrl $20,8 + dsll $11,8 + and $20,$9 + or $10,$11 + or $20,$10 + dsrl $10,$20,32 + dsll $20,32 + or $20,$10 + daddu $8,$20,$7 # 12 + dsrl $7,$1,14 + xor $11,$2,$3 + dsll $10,$1,23 + and $11,$1 + dsrl $9,$1,18 + xor $7,$10 + dsll $10,$1,46 + xor $7,$9 + dsrl $9,$1,41 + xor 
$7,$10 + dsll $10,$1,50 + xor $7,$9 + xor $11,$3 # Ch(e,f,g) + xor $9,$10,$7 # Sigma1(e) + + dsrl $7,$24,28 + daddu $8,$11 + ld $11,96($6) # K[12] + dsll $10,$24,25 + daddu $8,$9 + dsrl $9,$24,34 + xor $7,$10 + dsll $10,$24,30 + xor $7,$9 + dsrl $9,$24,39 + xor $7,$10 + dsll $10,$24,36 + xor $7,$9 + sd $20,96($29) # offload to ring buffer + xor $7,$10 # Sigma0(a) + + or $9,$24,$25 + and $10,$24,$25 + and $9,$30 + or $10,$9 # Maj(a,b,c) + daddu $8,$11 # +=K[12] + daddu $7,$10 + + daddu $31,$8 + daddu $7,$8 + ldl $22,119($5) + ldr $22,112($5) + ori $10,$0,0xFF + dsll $12,$10,32 + or $10,$12 # 0x000000FF000000FF + and $11,$21,$10 # byte swap(13) + dsrl $12,$21,24 + dsll $11,24 + and $12,$10 + dsll $10,8 # 0x0000FF000000FF00 + or $11,$12 + and $12,$21,$10 + dsrl $21,8 + dsll $12,8 + and $21,$10 + or $11,$12 + or $21,$11 + dsrl $11,$21,32 + dsll $21,32 + or $21,$11 + daddu $9,$21,$3 # 13 + dsrl $3,$31,14 + xor $12,$1,$2 + dsll $11,$31,23 + and $12,$31 + dsrl $10,$31,18 + xor $3,$11 + dsll $11,$31,46 + xor $3,$10 + dsrl $10,$31,41 + xor $3,$11 + dsll $11,$31,50 + xor $3,$10 + xor $12,$2 # Ch(e,f,g) + xor $10,$11,$3 # Sigma1(e) + + dsrl $3,$7,28 + daddu $9,$12 + ld $12,104($6) # K[13] + dsll $11,$7,25 + daddu $9,$10 + dsrl $10,$7,34 + xor $3,$11 + dsll $11,$7,30 + xor $3,$10 + dsrl $10,$7,39 + xor $3,$11 + dsll $11,$7,36 + xor $3,$10 + sd $21,104($29) # offload to ring buffer + xor $3,$11 # Sigma0(a) + + or $10,$7,$24 + and $11,$7,$24 + and $10,$25 + or $11,$10 # Maj(a,b,c) + daddu $9,$12 # +=K[13] + daddu $3,$11 + + daddu $30,$9 + daddu $3,$9 + ld $8,0($29) # prefetch from ring buffer + ldl $23,127($5) + ldr $23,120($5) + ori $11,$0,0xFF + dsll $13,$11,32 + or $11,$13 # 0x000000FF000000FF + and $12,$22,$11 # byte swap(14) + dsrl $13,$22,24 + dsll $12,24 + and $13,$11 + dsll $11,8 # 0x0000FF000000FF00 + or $12,$13 + and $13,$22,$11 + dsrl $22,8 + dsll $13,8 + and $22,$11 + or $12,$13 + or $22,$12 + dsrl $12,$22,32 + dsll $22,32 + or $22,$12 + daddu $10,$22,$2 # 14 + dsrl 
$2,$30,14 + xor $13,$31,$1 + dsll $12,$30,23 + and $13,$30 + dsrl $11,$30,18 + xor $2,$12 + dsll $12,$30,46 + xor $2,$11 + dsrl $11,$30,41 + xor $2,$12 + dsll $12,$30,50 + xor $2,$11 + xor $13,$1 # Ch(e,f,g) + xor $11,$12,$2 # Sigma1(e) + + dsrl $2,$3,28 + daddu $10,$13 + ld $13,112($6) # K[14] + dsll $12,$3,25 + daddu $10,$11 + dsrl $11,$3,34 + xor $2,$12 + dsll $12,$3,30 + xor $2,$11 + dsrl $11,$3,39 + xor $2,$12 + dsll $12,$3,36 + xor $2,$11 + sd $22,112($29) # offload to ring buffer + xor $2,$12 # Sigma0(a) + + or $11,$3,$7 + and $12,$3,$7 + and $11,$24 + or $12,$11 # Maj(a,b,c) + daddu $10,$13 # +=K[14] + daddu $2,$12 + + daddu $25,$10 + daddu $2,$10 + ld $9,8($29) # prefetch from ring buffer + ori $12,$0,0xFF + dsll $14,$12,32 + or $12,$14 # 0x000000FF000000FF + and $13,$23,$12 # byte swap(15) + dsrl $14,$23,24 + dsll $13,24 + and $14,$12 + dsll $12,8 # 0x0000FF000000FF00 + or $13,$14 + and $14,$23,$12 + dsrl $23,8 + dsll $14,8 + and $23,$12 + or $13,$14 + or $23,$13 + dsrl $13,$23,32 + dsll $23,32 + or $23,$13 + daddu $11,$23,$1 # 15 + dsrl $1,$25,14 + xor $14,$30,$31 + dsll $13,$25,23 + and $14,$25 + dsrl $12,$25,18 + xor $1,$13 + dsll $13,$25,46 + xor $1,$12 + dsrl $12,$25,41 + xor $1,$13 + dsll $13,$25,50 + xor $1,$12 + xor $14,$31 # Ch(e,f,g) + xor $12,$13,$1 # Sigma1(e) + + dsrl $1,$2,28 + daddu $11,$14 + ld $14,120($6) # K[15] + dsll $13,$2,25 + daddu $11,$12 + dsrl $12,$2,34 + xor $1,$13 + dsll $13,$2,30 + xor $1,$12 + dsrl $12,$2,39 + xor $1,$13 + dsll $13,$2,36 + xor $1,$12 + sd $23,120($29) # offload to ring buffer + xor $1,$13 # Sigma0(a) + + or $12,$2,$3 + and $13,$2,$3 + and $12,$7 + or $13,$12 # Maj(a,b,c) + daddu $11,$14 # +=K[15] + daddu $1,$13 + + daddu $24,$11 + daddu $1,$11 + ld $10,16($29) # prefetch from ring buffer + b .L16_xx +.align 4 +.L16_xx: + dsrl $14,$9,7 # Xupdate(16) + daddu $8,$17 # +=X[i+9] + dsll $13,$9,56 + dsrl $12,$9,1 + xor $14,$13 + dsll $13,7 + xor $14,$12 + dsrl $12,$9,8 + xor $14,$13 + + dsrl $15,$22,6 + xor $14,$12 
# sigma0(X[i+1]) + dsll $13,$22,3 + daddu $8,$14 + dsrl $12,$22,19 + xor $15,$13 + dsll $13,42 + xor $15,$12 + dsrl $12,$22,61 + xor $15,$13 + + xor $15,$12 # sigma1(X[i+14]) + daddu $8,$15 + daddu $12,$8,$31 # 16 + dsrl $31,$24,14 + xor $15,$25,$30 + dsll $14,$24,23 + and $15,$24 + dsrl $13,$24,18 + xor $31,$14 + dsll $14,$24,46 + xor $31,$13 + dsrl $13,$24,41 + xor $31,$14 + dsll $14,$24,50 + xor $31,$13 + xor $15,$30 # Ch(e,f,g) + xor $13,$14,$31 # Sigma1(e) + + dsrl $31,$1,28 + daddu $12,$15 + ld $15,128($6) # K[16] + dsll $14,$1,25 + daddu $12,$13 + dsrl $13,$1,34 + xor $31,$14 + dsll $14,$1,30 + xor $31,$13 + dsrl $13,$1,39 + xor $31,$14 + dsll $14,$1,36 + xor $31,$13 + sd $8,0($29) # offload to ring buffer + xor $31,$14 # Sigma0(a) + + or $13,$1,$2 + and $14,$1,$2 + and $13,$3 + or $14,$13 # Maj(a,b,c) + daddu $12,$15 # +=K[16] + daddu $31,$14 + + daddu $7,$12 + daddu $31,$12 + ld $11,24($29) # prefetch from ring buffer + dsrl $15,$10,7 # Xupdate(17) + daddu $9,$18 # +=X[i+9] + dsll $14,$10,56 + dsrl $13,$10,1 + xor $15,$14 + dsll $14,7 + xor $15,$13 + dsrl $13,$10,8 + xor $15,$14 + + dsrl $16,$23,6 + xor $15,$13 # sigma0(X[i+1]) + dsll $14,$23,3 + daddu $9,$15 + dsrl $13,$23,19 + xor $16,$14 + dsll $14,42 + xor $16,$13 + dsrl $13,$23,61 + xor $16,$14 + + xor $16,$13 # sigma1(X[i+14]) + daddu $9,$16 + daddu $13,$9,$30 # 17 + dsrl $30,$7,14 + xor $16,$24,$25 + dsll $15,$7,23 + and $16,$7 + dsrl $14,$7,18 + xor $30,$15 + dsll $15,$7,46 + xor $30,$14 + dsrl $14,$7,41 + xor $30,$15 + dsll $15,$7,50 + xor $30,$14 + xor $16,$25 # Ch(e,f,g) + xor $14,$15,$30 # Sigma1(e) + + dsrl $30,$31,28 + daddu $13,$16 + ld $16,136($6) # K[17] + dsll $15,$31,25 + daddu $13,$14 + dsrl $14,$31,34 + xor $30,$15 + dsll $15,$31,30 + xor $30,$14 + dsrl $14,$31,39 + xor $30,$15 + dsll $15,$31,36 + xor $30,$14 + sd $9,8($29) # offload to ring buffer + xor $30,$15 # Sigma0(a) + + or $14,$31,$1 + and $15,$31,$1 + and $14,$2 + or $15,$14 # Maj(a,b,c) + daddu $13,$16 # +=K[17] + daddu 
$30,$15 + + daddu $3,$13 + daddu $30,$13 + ld $12,32($29) # prefetch from ring buffer + dsrl $16,$11,7 # Xupdate(18) + daddu $10,$19 # +=X[i+9] + dsll $15,$11,56 + dsrl $14,$11,1 + xor $16,$15 + dsll $15,7 + xor $16,$14 + dsrl $14,$11,8 + xor $16,$15 + + dsrl $17,$8,6 + xor $16,$14 # sigma0(X[i+1]) + dsll $15,$8,3 + daddu $10,$16 + dsrl $14,$8,19 + xor $17,$15 + dsll $15,42 + xor $17,$14 + dsrl $14,$8,61 + xor $17,$15 + + xor $17,$14 # sigma1(X[i+14]) + daddu $10,$17 + daddu $14,$10,$25 # 18 + dsrl $25,$3,14 + xor $17,$7,$24 + dsll $16,$3,23 + and $17,$3 + dsrl $15,$3,18 + xor $25,$16 + dsll $16,$3,46 + xor $25,$15 + dsrl $15,$3,41 + xor $25,$16 + dsll $16,$3,50 + xor $25,$15 + xor $17,$24 # Ch(e,f,g) + xor $15,$16,$25 # Sigma1(e) + + dsrl $25,$30,28 + daddu $14,$17 + ld $17,144($6) # K[18] + dsll $16,$30,25 + daddu $14,$15 + dsrl $15,$30,34 + xor $25,$16 + dsll $16,$30,30 + xor $25,$15 + dsrl $15,$30,39 + xor $25,$16 + dsll $16,$30,36 + xor $25,$15 + sd $10,16($29) # offload to ring buffer + xor $25,$16 # Sigma0(a) + + or $15,$30,$31 + and $16,$30,$31 + and $15,$1 + or $16,$15 # Maj(a,b,c) + daddu $14,$17 # +=K[18] + daddu $25,$16 + + daddu $2,$14 + daddu $25,$14 + ld $13,40($29) # prefetch from ring buffer + dsrl $17,$12,7 # Xupdate(19) + daddu $11,$20 # +=X[i+9] + dsll $16,$12,56 + dsrl $15,$12,1 + xor $17,$16 + dsll $16,7 + xor $17,$15 + dsrl $15,$12,8 + xor $17,$16 + + dsrl $18,$9,6 + xor $17,$15 # sigma0(X[i+1]) + dsll $16,$9,3 + daddu $11,$17 + dsrl $15,$9,19 + xor $18,$16 + dsll $16,42 + xor $18,$15 + dsrl $15,$9,61 + xor $18,$16 + + xor $18,$15 # sigma1(X[i+14]) + daddu $11,$18 + daddu $15,$11,$24 # 19 + dsrl $24,$2,14 + xor $18,$3,$7 + dsll $17,$2,23 + and $18,$2 + dsrl $16,$2,18 + xor $24,$17 + dsll $17,$2,46 + xor $24,$16 + dsrl $16,$2,41 + xor $24,$17 + dsll $17,$2,50 + xor $24,$16 + xor $18,$7 # Ch(e,f,g) + xor $16,$17,$24 # Sigma1(e) + + dsrl $24,$25,28 + daddu $15,$18 + ld $18,152($6) # K[19] + dsll $17,$25,25 + daddu $15,$16 + dsrl $16,$25,34 + xor 
$24,$17 + dsll $17,$25,30 + xor $24,$16 + dsrl $16,$25,39 + xor $24,$17 + dsll $17,$25,36 + xor $24,$16 + sd $11,24($29) # offload to ring buffer + xor $24,$17 # Sigma0(a) + + or $16,$25,$30 + and $17,$25,$30 + and $16,$31 + or $17,$16 # Maj(a,b,c) + daddu $15,$18 # +=K[19] + daddu $24,$17 + + daddu $1,$15 + daddu $24,$15 + ld $14,48($29) # prefetch from ring buffer + dsrl $18,$13,7 # Xupdate(20) + daddu $12,$21 # +=X[i+9] + dsll $17,$13,56 + dsrl $16,$13,1 + xor $18,$17 + dsll $17,7 + xor $18,$16 + dsrl $16,$13,8 + xor $18,$17 + + dsrl $19,$10,6 + xor $18,$16 # sigma0(X[i+1]) + dsll $17,$10,3 + daddu $12,$18 + dsrl $16,$10,19 + xor $19,$17 + dsll $17,42 + xor $19,$16 + dsrl $16,$10,61 + xor $19,$17 + + xor $19,$16 # sigma1(X[i+14]) + daddu $12,$19 + daddu $16,$12,$7 # 20 + dsrl $7,$1,14 + xor $19,$2,$3 + dsll $18,$1,23 + and $19,$1 + dsrl $17,$1,18 + xor $7,$18 + dsll $18,$1,46 + xor $7,$17 + dsrl $17,$1,41 + xor $7,$18 + dsll $18,$1,50 + xor $7,$17 + xor $19,$3 # Ch(e,f,g) + xor $17,$18,$7 # Sigma1(e) + + dsrl $7,$24,28 + daddu $16,$19 + ld $19,160($6) # K[20] + dsll $18,$24,25 + daddu $16,$17 + dsrl $17,$24,34 + xor $7,$18 + dsll $18,$24,30 + xor $7,$17 + dsrl $17,$24,39 + xor $7,$18 + dsll $18,$24,36 + xor $7,$17 + sd $12,32($29) # offload to ring buffer + xor $7,$18 # Sigma0(a) + + or $17,$24,$25 + and $18,$24,$25 + and $17,$30 + or $18,$17 # Maj(a,b,c) + daddu $16,$19 # +=K[20] + daddu $7,$18 + + daddu $31,$16 + daddu $7,$16 + ld $15,56($29) # prefetch from ring buffer + dsrl $19,$14,7 # Xupdate(21) + daddu $13,$22 # +=X[i+9] + dsll $18,$14,56 + dsrl $17,$14,1 + xor $19,$18 + dsll $18,7 + xor $19,$17 + dsrl $17,$14,8 + xor $19,$18 + + dsrl $20,$11,6 + xor $19,$17 # sigma0(X[i+1]) + dsll $18,$11,3 + daddu $13,$19 + dsrl $17,$11,19 + xor $20,$18 + dsll $18,42 + xor $20,$17 + dsrl $17,$11,61 + xor $20,$18 + + xor $20,$17 # sigma1(X[i+14]) + daddu $13,$20 + daddu $17,$13,$3 # 21 + dsrl $3,$31,14 + xor $20,$1,$2 + dsll $19,$31,23 + and $20,$31 + dsrl $18,$31,18 + 
xor $3,$19 + dsll $19,$31,46 + xor $3,$18 + dsrl $18,$31,41 + xor $3,$19 + dsll $19,$31,50 + xor $3,$18 + xor $20,$2 # Ch(e,f,g) + xor $18,$19,$3 # Sigma1(e) + + dsrl $3,$7,28 + daddu $17,$20 + ld $20,168($6) # K[21] + dsll $19,$7,25 + daddu $17,$18 + dsrl $18,$7,34 + xor $3,$19 + dsll $19,$7,30 + xor $3,$18 + dsrl $18,$7,39 + xor $3,$19 + dsll $19,$7,36 + xor $3,$18 + sd $13,40($29) # offload to ring buffer + xor $3,$19 # Sigma0(a) + + or $18,$7,$24 + and $19,$7,$24 + and $18,$25 + or $19,$18 # Maj(a,b,c) + daddu $17,$20 # +=K[21] + daddu $3,$19 + + daddu $30,$17 + daddu $3,$17 + ld $16,64($29) # prefetch from ring buffer + dsrl $20,$15,7 # Xupdate(22) + daddu $14,$23 # +=X[i+9] + dsll $19,$15,56 + dsrl $18,$15,1 + xor $20,$19 + dsll $19,7 + xor $20,$18 + dsrl $18,$15,8 + xor $20,$19 + + dsrl $21,$12,6 + xor $20,$18 # sigma0(X[i+1]) + dsll $19,$12,3 + daddu $14,$20 + dsrl $18,$12,19 + xor $21,$19 + dsll $19,42 + xor $21,$18 + dsrl $18,$12,61 + xor $21,$19 + + xor $21,$18 # sigma1(X[i+14]) + daddu $14,$21 + daddu $18,$14,$2 # 22 + dsrl $2,$30,14 + xor $21,$31,$1 + dsll $20,$30,23 + and $21,$30 + dsrl $19,$30,18 + xor $2,$20 + dsll $20,$30,46 + xor $2,$19 + dsrl $19,$30,41 + xor $2,$20 + dsll $20,$30,50 + xor $2,$19 + xor $21,$1 # Ch(e,f,g) + xor $19,$20,$2 # Sigma1(e) + + dsrl $2,$3,28 + daddu $18,$21 + ld $21,176($6) # K[22] + dsll $20,$3,25 + daddu $18,$19 + dsrl $19,$3,34 + xor $2,$20 + dsll $20,$3,30 + xor $2,$19 + dsrl $19,$3,39 + xor $2,$20 + dsll $20,$3,36 + xor $2,$19 + sd $14,48($29) # offload to ring buffer + xor $2,$20 # Sigma0(a) + + or $19,$3,$7 + and $20,$3,$7 + and $19,$24 + or $20,$19 # Maj(a,b,c) + daddu $18,$21 # +=K[22] + daddu $2,$20 + + daddu $25,$18 + daddu $2,$18 + ld $17,72($29) # prefetch from ring buffer + dsrl $21,$16,7 # Xupdate(23) + daddu $15,$8 # +=X[i+9] + dsll $20,$16,56 + dsrl $19,$16,1 + xor $21,$20 + dsll $20,7 + xor $21,$19 + dsrl $19,$16,8 + xor $21,$20 + + dsrl $22,$13,6 + xor $21,$19 # sigma0(X[i+1]) + dsll $20,$13,3 + daddu 
$15,$21 + dsrl $19,$13,19 + xor $22,$20 + dsll $20,42 + xor $22,$19 + dsrl $19,$13,61 + xor $22,$20 + + xor $22,$19 # sigma1(X[i+14]) + daddu $15,$22 + daddu $19,$15,$1 # 23 + dsrl $1,$25,14 + xor $22,$30,$31 + dsll $21,$25,23 + and $22,$25 + dsrl $20,$25,18 + xor $1,$21 + dsll $21,$25,46 + xor $1,$20 + dsrl $20,$25,41 + xor $1,$21 + dsll $21,$25,50 + xor $1,$20 + xor $22,$31 # Ch(e,f,g) + xor $20,$21,$1 # Sigma1(e) + + dsrl $1,$2,28 + daddu $19,$22 + ld $22,184($6) # K[23] + dsll $21,$2,25 + daddu $19,$20 + dsrl $20,$2,34 + xor $1,$21 + dsll $21,$2,30 + xor $1,$20 + dsrl $20,$2,39 + xor $1,$21 + dsll $21,$2,36 + xor $1,$20 + sd $15,56($29) # offload to ring buffer + xor $1,$21 # Sigma0(a) + + or $20,$2,$3 + and $21,$2,$3 + and $20,$7 + or $21,$20 # Maj(a,b,c) + daddu $19,$22 # +=K[23] + daddu $1,$21 + + daddu $24,$19 + daddu $1,$19 + ld $18,80($29) # prefetch from ring buffer + dsrl $22,$17,7 # Xupdate(24) + daddu $16,$9 # +=X[i+9] + dsll $21,$17,56 + dsrl $20,$17,1 + xor $22,$21 + dsll $21,7 + xor $22,$20 + dsrl $20,$17,8 + xor $22,$21 + + dsrl $23,$14,6 + xor $22,$20 # sigma0(X[i+1]) + dsll $21,$14,3 + daddu $16,$22 + dsrl $20,$14,19 + xor $23,$21 + dsll $21,42 + xor $23,$20 + dsrl $20,$14,61 + xor $23,$21 + + xor $23,$20 # sigma1(X[i+14]) + daddu $16,$23 + daddu $20,$16,$31 # 24 + dsrl $31,$24,14 + xor $23,$25,$30 + dsll $22,$24,23 + and $23,$24 + dsrl $21,$24,18 + xor $31,$22 + dsll $22,$24,46 + xor $31,$21 + dsrl $21,$24,41 + xor $31,$22 + dsll $22,$24,50 + xor $31,$21 + xor $23,$30 # Ch(e,f,g) + xor $21,$22,$31 # Sigma1(e) + + dsrl $31,$1,28 + daddu $20,$23 + ld $23,192($6) # K[24] + dsll $22,$1,25 + daddu $20,$21 + dsrl $21,$1,34 + xor $31,$22 + dsll $22,$1,30 + xor $31,$21 + dsrl $21,$1,39 + xor $31,$22 + dsll $22,$1,36 + xor $31,$21 + sd $16,64($29) # offload to ring buffer + xor $31,$22 # Sigma0(a) + + or $21,$1,$2 + and $22,$1,$2 + and $21,$3 + or $22,$21 # Maj(a,b,c) + daddu $20,$23 # +=K[24] + daddu $31,$22 + + daddu $7,$20 + daddu $31,$20 + ld 
$19,88($29) # prefetch from ring buffer + dsrl $23,$18,7 # Xupdate(25) + daddu $17,$10 # +=X[i+9] + dsll $22,$18,56 + dsrl $21,$18,1 + xor $23,$22 + dsll $22,7 + xor $23,$21 + dsrl $21,$18,8 + xor $23,$22 + + dsrl $8,$15,6 + xor $23,$21 # sigma0(X[i+1]) + dsll $22,$15,3 + daddu $17,$23 + dsrl $21,$15,19 + xor $8,$22 + dsll $22,42 + xor $8,$21 + dsrl $21,$15,61 + xor $8,$22 + + xor $8,$21 # sigma1(X[i+14]) + daddu $17,$8 + daddu $21,$17,$30 # 25 + dsrl $30,$7,14 + xor $8,$24,$25 + dsll $23,$7,23 + and $8,$7 + dsrl $22,$7,18 + xor $30,$23 + dsll $23,$7,46 + xor $30,$22 + dsrl $22,$7,41 + xor $30,$23 + dsll $23,$7,50 + xor $30,$22 + xor $8,$25 # Ch(e,f,g) + xor $22,$23,$30 # Sigma1(e) + + dsrl $30,$31,28 + daddu $21,$8 + ld $8,200($6) # K[25] + dsll $23,$31,25 + daddu $21,$22 + dsrl $22,$31,34 + xor $30,$23 + dsll $23,$31,30 + xor $30,$22 + dsrl $22,$31,39 + xor $30,$23 + dsll $23,$31,36 + xor $30,$22 + sd $17,72($29) # offload to ring buffer + xor $30,$23 # Sigma0(a) + + or $22,$31,$1 + and $23,$31,$1 + and $22,$2 + or $23,$22 # Maj(a,b,c) + daddu $21,$8 # +=K[25] + daddu $30,$23 + + daddu $3,$21 + daddu $30,$21 + ld $20,96($29) # prefetch from ring buffer + dsrl $8,$19,7 # Xupdate(26) + daddu $18,$11 # +=X[i+9] + dsll $23,$19,56 + dsrl $22,$19,1 + xor $8,$23 + dsll $23,7 + xor $8,$22 + dsrl $22,$19,8 + xor $8,$23 + + dsrl $9,$16,6 + xor $8,$22 # sigma0(X[i+1]) + dsll $23,$16,3 + daddu $18,$8 + dsrl $22,$16,19 + xor $9,$23 + dsll $23,42 + xor $9,$22 + dsrl $22,$16,61 + xor $9,$23 + + xor $9,$22 # sigma1(X[i+14]) + daddu $18,$9 + daddu $22,$18,$25 # 26 + dsrl $25,$3,14 + xor $9,$7,$24 + dsll $8,$3,23 + and $9,$3 + dsrl $23,$3,18 + xor $25,$8 + dsll $8,$3,46 + xor $25,$23 + dsrl $23,$3,41 + xor $25,$8 + dsll $8,$3,50 + xor $25,$23 + xor $9,$24 # Ch(e,f,g) + xor $23,$8,$25 # Sigma1(e) + + dsrl $25,$30,28 + daddu $22,$9 + ld $9,208($6) # K[26] + dsll $8,$30,25 + daddu $22,$23 + dsrl $23,$30,34 + xor $25,$8 + dsll $8,$30,30 + xor $25,$23 + dsrl $23,$30,39 + xor $25,$8 + 
dsll $8,$30,36 + xor $25,$23 + sd $18,80($29) # offload to ring buffer + xor $25,$8 # Sigma0(a) + + or $23,$30,$31 + and $8,$30,$31 + and $23,$1 + or $8,$23 # Maj(a,b,c) + daddu $22,$9 # +=K[26] + daddu $25,$8 + + daddu $2,$22 + daddu $25,$22 + ld $21,104($29) # prefetch from ring buffer + dsrl $9,$20,7 # Xupdate(27) + daddu $19,$12 # +=X[i+9] + dsll $8,$20,56 + dsrl $23,$20,1 + xor $9,$8 + dsll $8,7 + xor $9,$23 + dsrl $23,$20,8 + xor $9,$8 + + dsrl $10,$17,6 + xor $9,$23 # sigma0(X[i+1]) + dsll $8,$17,3 + daddu $19,$9 + dsrl $23,$17,19 + xor $10,$8 + dsll $8,42 + xor $10,$23 + dsrl $23,$17,61 + xor $10,$8 + + xor $10,$23 # sigma1(X[i+14]) + daddu $19,$10 + daddu $23,$19,$24 # 27 + dsrl $24,$2,14 + xor $10,$3,$7 + dsll $9,$2,23 + and $10,$2 + dsrl $8,$2,18 + xor $24,$9 + dsll $9,$2,46 + xor $24,$8 + dsrl $8,$2,41 + xor $24,$9 + dsll $9,$2,50 + xor $24,$8 + xor $10,$7 # Ch(e,f,g) + xor $8,$9,$24 # Sigma1(e) + + dsrl $24,$25,28 + daddu $23,$10 + ld $10,216($6) # K[27] + dsll $9,$25,25 + daddu $23,$8 + dsrl $8,$25,34 + xor $24,$9 + dsll $9,$25,30 + xor $24,$8 + dsrl $8,$25,39 + xor $24,$9 + dsll $9,$25,36 + xor $24,$8 + sd $19,88($29) # offload to ring buffer + xor $24,$9 # Sigma0(a) + + or $8,$25,$30 + and $9,$25,$30 + and $8,$31 + or $9,$8 # Maj(a,b,c) + daddu $23,$10 # +=K[27] + daddu $24,$9 + + daddu $1,$23 + daddu $24,$23 + ld $22,112($29) # prefetch from ring buffer + dsrl $10,$21,7 # Xupdate(28) + daddu $20,$13 # +=X[i+9] + dsll $9,$21,56 + dsrl $8,$21,1 + xor $10,$9 + dsll $9,7 + xor $10,$8 + dsrl $8,$21,8 + xor $10,$9 + + dsrl $11,$18,6 + xor $10,$8 # sigma0(X[i+1]) + dsll $9,$18,3 + daddu $20,$10 + dsrl $8,$18,19 + xor $11,$9 + dsll $9,42 + xor $11,$8 + dsrl $8,$18,61 + xor $11,$9 + + xor $11,$8 # sigma1(X[i+14]) + daddu $20,$11 + daddu $8,$20,$7 # 28 + dsrl $7,$1,14 + xor $11,$2,$3 + dsll $10,$1,23 + and $11,$1 + dsrl $9,$1,18 + xor $7,$10 + dsll $10,$1,46 + xor $7,$9 + dsrl $9,$1,41 + xor $7,$10 + dsll $10,$1,50 + xor $7,$9 + xor $11,$3 # Ch(e,f,g) + xor 
$9,$10,$7 # Sigma1(e) + + dsrl $7,$24,28 + daddu $8,$11 + ld $11,224($6) # K[28] + dsll $10,$24,25 + daddu $8,$9 + dsrl $9,$24,34 + xor $7,$10 + dsll $10,$24,30 + xor $7,$9 + dsrl $9,$24,39 + xor $7,$10 + dsll $10,$24,36 + xor $7,$9 + sd $20,96($29) # offload to ring buffer + xor $7,$10 # Sigma0(a) + + or $9,$24,$25 + and $10,$24,$25 + and $9,$30 + or $10,$9 # Maj(a,b,c) + daddu $8,$11 # +=K[28] + daddu $7,$10 + + daddu $31,$8 + daddu $7,$8 + ld $23,120($29) # prefetch from ring buffer + dsrl $11,$22,7 # Xupdate(29) + daddu $21,$14 # +=X[i+9] + dsll $10,$22,56 + dsrl $9,$22,1 + xor $11,$10 + dsll $10,7 + xor $11,$9 + dsrl $9,$22,8 + xor $11,$10 + + dsrl $12,$19,6 + xor $11,$9 # sigma0(X[i+1]) + dsll $10,$19,3 + daddu $21,$11 + dsrl $9,$19,19 + xor $12,$10 + dsll $10,42 + xor $12,$9 + dsrl $9,$19,61 + xor $12,$10 + + xor $12,$9 # sigma1(X[i+14]) + daddu $21,$12 + daddu $9,$21,$3 # 29 + dsrl $3,$31,14 + xor $12,$1,$2 + dsll $11,$31,23 + and $12,$31 + dsrl $10,$31,18 + xor $3,$11 + dsll $11,$31,46 + xor $3,$10 + dsrl $10,$31,41 + xor $3,$11 + dsll $11,$31,50 + xor $3,$10 + xor $12,$2 # Ch(e,f,g) + xor $10,$11,$3 # Sigma1(e) + + dsrl $3,$7,28 + daddu $9,$12 + ld $12,232($6) # K[29] + dsll $11,$7,25 + daddu $9,$10 + dsrl $10,$7,34 + xor $3,$11 + dsll $11,$7,30 + xor $3,$10 + dsrl $10,$7,39 + xor $3,$11 + dsll $11,$7,36 + xor $3,$10 + sd $21,104($29) # offload to ring buffer + xor $3,$11 # Sigma0(a) + + or $10,$7,$24 + and $11,$7,$24 + and $10,$25 + or $11,$10 # Maj(a,b,c) + daddu $9,$12 # +=K[29] + daddu $3,$11 + + daddu $30,$9 + daddu $3,$9 + ld $8,0($29) # prefetch from ring buffer + dsrl $12,$23,7 # Xupdate(30) + daddu $22,$15 # +=X[i+9] + dsll $11,$23,56 + dsrl $10,$23,1 + xor $12,$11 + dsll $11,7 + xor $12,$10 + dsrl $10,$23,8 + xor $12,$11 + + dsrl $13,$20,6 + xor $12,$10 # sigma0(X[i+1]) + dsll $11,$20,3 + daddu $22,$12 + dsrl $10,$20,19 + xor $13,$11 + dsll $11,42 + xor $13,$10 + dsrl $10,$20,61 + xor $13,$11 + + xor $13,$10 # sigma1(X[i+14]) + daddu $22,$13 + 
daddu $10,$22,$2 # 30 + dsrl $2,$30,14 + xor $13,$31,$1 + dsll $12,$30,23 + and $13,$30 + dsrl $11,$30,18 + xor $2,$12 + dsll $12,$30,46 + xor $2,$11 + dsrl $11,$30,41 + xor $2,$12 + dsll $12,$30,50 + xor $2,$11 + xor $13,$1 # Ch(e,f,g) + xor $11,$12,$2 # Sigma1(e) + + dsrl $2,$3,28 + daddu $10,$13 + ld $13,240($6) # K[30] + dsll $12,$3,25 + daddu $10,$11 + dsrl $11,$3,34 + xor $2,$12 + dsll $12,$3,30 + xor $2,$11 + dsrl $11,$3,39 + xor $2,$12 + dsll $12,$3,36 + xor $2,$11 + sd $22,112($29) # offload to ring buffer + xor $2,$12 # Sigma0(a) + + or $11,$3,$7 + and $12,$3,$7 + and $11,$24 + or $12,$11 # Maj(a,b,c) + daddu $10,$13 # +=K[30] + daddu $2,$12 + + daddu $25,$10 + daddu $2,$10 + ld $9,8($29) # prefetch from ring buffer + dsrl $13,$8,7 # Xupdate(31) + daddu $23,$16 # +=X[i+9] + dsll $12,$8,56 + dsrl $11,$8,1 + xor $13,$12 + dsll $12,7 + xor $13,$11 + dsrl $11,$8,8 + xor $13,$12 + + dsrl $14,$21,6 + xor $13,$11 # sigma0(X[i+1]) + dsll $12,$21,3 + daddu $23,$13 + dsrl $11,$21,19 + xor $14,$12 + dsll $12,42 + xor $14,$11 + dsrl $11,$21,61 + xor $14,$12 + + xor $14,$11 # sigma1(X[i+14]) + daddu $23,$14 + daddu $11,$23,$1 # 31 + dsrl $1,$25,14 + xor $14,$30,$31 + dsll $13,$25,23 + and $14,$25 + dsrl $12,$25,18 + xor $1,$13 + dsll $13,$25,46 + xor $1,$12 + dsrl $12,$25,41 + xor $1,$13 + dsll $13,$25,50 + xor $1,$12 + xor $14,$31 # Ch(e,f,g) + xor $12,$13,$1 # Sigma1(e) + + dsrl $1,$2,28 + daddu $11,$14 + ld $14,248($6) # K[31] + dsll $13,$2,25 + daddu $11,$12 + dsrl $12,$2,34 + xor $1,$13 + dsll $13,$2,30 + xor $1,$12 + dsrl $12,$2,39 + xor $1,$13 + dsll $13,$2,36 + xor $1,$12 + sd $23,120($29) # offload to ring buffer + xor $1,$13 # Sigma0(a) + + or $12,$2,$3 + and $13,$2,$3 + and $12,$7 + or $13,$12 # Maj(a,b,c) + daddu $11,$14 # +=K[31] + daddu $1,$13 + + daddu $24,$11 + daddu $1,$11 + ld $10,16($29) # prefetch from ring buffer + and $14,0xfff + li $15,2071 + .set noreorder + bne $14,$15,.L16_xx + add $6,16*8 # Ktbl+=16 + + lw $23,16*8($29) # restore pointer to 
the end of input + ld $8,0*8($4) + ld $9,1*8($4) + ld $10,2*8($4) + add $5,16*8 + ld $11,3*8($4) + daddu $1,$8 + ld $12,4*8($4) + daddu $2,$9 + ld $13,5*8($4) + daddu $3,$10 + ld $14,6*8($4) + daddu $7,$11 + ld $15,7*8($4) + daddu $24,$12 + sd $1,0*8($4) + daddu $25,$13 + sd $2,1*8($4) + daddu $30,$14 + sd $3,2*8($4) + daddu $31,$15 + sd $7,3*8($4) + sd $24,4*8($4) + sd $25,5*8($4) + sd $30,6*8($4) + sd $31,7*8($4) + + bne $5,$23,.Loop + sub $6,512 # rewind $6 + + lw $31,192-1*4($29) + lw $30,192-2*4($29) + lw $23,192-3*4($29) + lw $22,192-4*4($29) + lw $21,192-5*4($29) + lw $20,192-6*4($29) + lw $19,192-7*4($29) + lw $18,192-8*4($29) + lw $17,192-9*4($29) + lw $16,192-10*4($29) + jr $31 + add $29,192 +.end sha512_block_data_order + +.rdata +.align 5 +K512: + .dword 0x428a2f98d728ae22, 0x7137449123ef65cd + .dword 0xb5c0fbcfec4d3b2f, 0xe9b5dba58189dbbc + .dword 0x3956c25bf348b538, 0x59f111f1b605d019 + .dword 0x923f82a4af194f9b, 0xab1c5ed5da6d8118 + .dword 0xd807aa98a3030242, 0x12835b0145706fbe + .dword 0x243185be4ee4b28c, 0x550c7dc3d5ffb4e2 + .dword 0x72be5d74f27b896f, 0x80deb1fe3b1696b1 + .dword 0x9bdc06a725c71235, 0xc19bf174cf692694 + .dword 0xe49b69c19ef14ad2, 0xefbe4786384f25e3 + .dword 0x0fc19dc68b8cd5b5, 0x240ca1cc77ac9c65 + .dword 0x2de92c6f592b0275, 0x4a7484aa6ea6e483 + .dword 0x5cb0a9dcbd41fbd4, 0x76f988da831153b5 + .dword 0x983e5152ee66dfab, 0xa831c66d2db43210 + .dword 0xb00327c898fb213f, 0xbf597fc7beef0ee4 + .dword 0xc6e00bf33da88fc2, 0xd5a79147930aa725 + .dword 0x06ca6351e003826f, 0x142929670a0e6e70 + .dword 0x27b70a8546d22ffc, 0x2e1b21385c26c926 + .dword 0x4d2c6dfc5ac42aed, 0x53380d139d95b3df + .dword 0x650a73548baf63de, 0x766a0abb3c77b2a8 + .dword 0x81c2c92e47edaee6, 0x92722c851482353b + .dword 0xa2bfe8a14cf10364, 0xa81a664bbc423001 + .dword 0xc24b8b70d0f89791, 0xc76c51a30654be30 + .dword 0xd192e819d6ef5218, 0xd69906245565a910 + .dword 0xf40e35855771202a, 0x106aa07032bbd1b8 + .dword 0x19a4c116b8d2d0c8, 0x1e376c085141ab53 + .dword 0x2748774cdf8eeb99, 
0x34b0bcb5e19b48a8 + .dword 0x391c0cb3c5c95a63, 0x4ed8aa4ae3418acb + .dword 0x5b9cca4f7763e373, 0x682e6ff3d6b2b8a3 + .dword 0x748f82ee5defb2fc, 0x78a5636f43172f60 + .dword 0x84c87814a1f0ab72, 0x8cc702081a6439ec + .dword 0x90befffa23631e28, 0xa4506cebde82bde9 + .dword 0xbef9a3f7b2c67915, 0xc67178f2e372532b + .dword 0xca273eceea26619c, 0xd186b8c721c0c207 + .dword 0xeada7dd6cde0eb1e, 0xf57d4f7fee6ed178 + .dword 0x06f067aa72176fba, 0x0a637dc5a2c898a6 + .dword 0x113f9804bef90dae, 0x1b710b35131c471b + .dword 0x28db77f523047d84, 0x32caab7b40c72493 + .dword 0x3c9ebe0a15c9bebc, 0x431d67c49c100d4c + .dword 0x4cc5d4becb3e42b6, 0x597f299cfc657e2a + .dword 0x5fcb6fab3ad6faec, 0x6c44198c4a475817 +.asciiz "SHA512 for MIPS, CRYPTOGAMS by " +.align 5 + +#if defined(HAVE_GNU_STACK) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/sha/sha512.c b/crypto/sha/sha512.c index 56a207f..94e55a3 100644 --- a/crypto/sha/sha512.c +++ b/crypto/sha/sha512.c 
@@ -1,8 +1,55 @@
-/* $OpenBSD: sha512.c,v 1.16 2021/11/09 18:40:21 bcook Exp $ */
+/* $OpenBSD: sha512.c,v 1.38 2023/05/19 00:54:28 deraadt Exp $ */
 /* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved
- * according to the OpenSSL license [found in ../../LICENSE].
+ * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ * software must display the following acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ * endorse or promote products derived from this software without
+ * prior written permission. For written permission, please contact
+ * openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ * nor may "OpenSSL" appear in their names without prior written
+ * permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ * acknowledgment:
+ * "This product includes software developed by the OpenSSL Project
+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
  * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com). This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
  */
 
 #include
@@ -11,309 +58,68 @@ #include -#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512) -/* - * IMPLEMENTATION NOTES. - * - * As you might have noticed 32-bit hash algorithms: - * - * - permit SHA_LONG to be wider than 32-bit (case on CRAY); - * - optimized versions implement two transform functions: one operating - * on [aligned] data in host byte order and one - on data in input - * stream byte order; - * - share common byte-order neutral collector and padding function - * implementations, ../md32_common.h; - * - * Neither of the above applies to this SHA-512 implementations. Reasons - * [in reverse order] are: - * - * - it's the only 64-bit hash algorithm for the moment of this writing, - * there is no need for common collector/padding implementation [yet]; - * - by supporting only one transform function [which operates on - * *aligned* data in input stream byte order, big-endian in this case] - * we minimize burden of maintenance in two ways: a) collector/padding - * function is simpler; b) only one transform function to stare at; - * - SHA_LONG64 is required to be exactly 64-bit in order to be able to - * apply a number of optimizations to mitigate potential performance - * penalties caused by previous design decision; - * - * Caveat lector. - * - * Implementation relies on the fact that "long long" is 64-bit on - * both 32- and 64-bit platforms. If some compiler vendor comes up - * with 128-bit long long, adjustment to sha.h would be required. - * As this implementation relies on 64-bit integer type, it's totally - * inappropriate for platforms which don't support it, most notably - * 16-bit platforms. 
- * - */ - #include -#include #include +#include "crypto_internal.h" +#include "sha_internal.h" + +#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA512) + #if !defined(__STRICT_ALIGNMENT) || defined(SHA512_ASM) #define SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA #endif -int SHA384_Init(SHA512_CTX *c) - { - c->h[0]=U64(0xcbbb9d5dc1059ed8); - c->h[1]=U64(0x629a292a367cd507); - c->h[2]=U64(0x9159015a3070dd17); - c->h[3]=U64(0x152fecd8f70e5939); - c->h[4]=U64(0x67332667ffc00b31); - c->h[5]=U64(0x8eb44a8768581511); - c->h[6]=U64(0xdb0c2e0d64f98fa7); - c->h[7]=U64(0x47b5481dbefa4fa4); - - c->Nl=0; c->Nh=0; - c->num=0; c->md_len=SHA384_DIGEST_LENGTH; - return 1; - } - -int SHA512_Init(SHA512_CTX *c) - { - c->h[0]=U64(0x6a09e667f3bcc908); - c->h[1]=U64(0xbb67ae8584caa73b); - c->h[2]=U64(0x3c6ef372fe94f82b); - c->h[3]=U64(0xa54ff53a5f1d36f1); - c->h[4]=U64(0x510e527fade682d1); - c->h[5]=U64(0x9b05688c2b3e6c1f); - c->h[6]=U64(0x1f83d9abfb41bd6b); - c->h[7]=U64(0x5be0cd19137e2179); - - c->Nl=0; c->Nh=0; - c->num=0; c->md_len=SHA512_DIGEST_LENGTH; - return 1; - } - -#ifndef SHA512_ASM -static +#ifdef SHA512_ASM +void sha512_block_data_order(SHA512_CTX *ctx, const void *in, size_t num); #endif -void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num); - -int SHA512_Final (unsigned char *md, SHA512_CTX *c) - { - unsigned char *p=(unsigned char *)c->u.p; - size_t n=c->num; - - p[n]=0x80; /* There always is a room for one */ - n++; - if (n > (sizeof(c->u)-16)) - memset (p+n,0,sizeof(c->u)-n), n=0, - sha512_block_data_order (c,p,1); - - memset (p+n,0,sizeof(c->u)-16-n); -#if BYTE_ORDER == BIG_ENDIAN - c->u.d[SHA_LBLOCK-2] = c->Nh; - c->u.d[SHA_LBLOCK-1] = c->Nl; -#else - p[sizeof(c->u)-1] = (unsigned char)(c->Nl); - p[sizeof(c->u)-2] = (unsigned char)(c->Nl>>8); - p[sizeof(c->u)-3] = (unsigned char)(c->Nl>>16); - p[sizeof(c->u)-4] = (unsigned char)(c->Nl>>24); - p[sizeof(c->u)-5] = (unsigned char)(c->Nl>>32); - p[sizeof(c->u)-6] = (unsigned char)(c->Nl>>40); - 
p[sizeof(c->u)-7] = (unsigned char)(c->Nl>>48); - p[sizeof(c->u)-8] = (unsigned char)(c->Nl>>56); - p[sizeof(c->u)-9] = (unsigned char)(c->Nh); - p[sizeof(c->u)-10] = (unsigned char)(c->Nh>>8); - p[sizeof(c->u)-11] = (unsigned char)(c->Nh>>16); - p[sizeof(c->u)-12] = (unsigned char)(c->Nh>>24); - p[sizeof(c->u)-13] = (unsigned char)(c->Nh>>32); - p[sizeof(c->u)-14] = (unsigned char)(c->Nh>>40); - p[sizeof(c->u)-15] = (unsigned char)(c->Nh>>48); - p[sizeof(c->u)-16] = (unsigned char)(c->Nh>>56); -#endif - - sha512_block_data_order (c,p,1); - - if (md==0) return 0; - - switch (c->md_len) - { - /* Let compiler decide if it's appropriate to unroll... */ - case SHA384_DIGEST_LENGTH: - for (n=0;nh[n]; - - *(md++) = (unsigned char)(t>>56); - *(md++) = (unsigned char)(t>>48); - *(md++) = (unsigned char)(t>>40); - *(md++) = (unsigned char)(t>>32); - *(md++) = (unsigned char)(t>>24); - *(md++) = (unsigned char)(t>>16); - *(md++) = (unsigned char)(t>>8); - *(md++) = (unsigned char)(t); - } - break; - case SHA512_DIGEST_LENGTH: - for (n=0;nh[n]; - - *(md++) = (unsigned char)(t>>56); - *(md++) = (unsigned char)(t>>48); - *(md++) = (unsigned char)(t>>40); - *(md++) = (unsigned char)(t>>32); - *(md++) = (unsigned char)(t>>24); - *(md++) = (unsigned char)(t>>16); - *(md++) = (unsigned char)(t>>8); - *(md++) = (unsigned char)(t); - } - break; - /* ... as well as make sure md_len is not abused. 
*/ - default: return 0; - } - - return 1; - } - -int SHA384_Final (unsigned char *md,SHA512_CTX *c) -{ return SHA512_Final (md,c); } - -int SHA512_Update (SHA512_CTX *c, const void *_data, size_t len) - { - SHA_LONG64 l; - unsigned char *p=c->u.p; - const unsigned char *data=(const unsigned char *)_data; - - if (len==0) return 1; - - l = (c->Nl+(((SHA_LONG64)len)<<3))&U64(0xffffffffffffffff); - if (l < c->Nl) c->Nh++; - if (sizeof(len)>=8) c->Nh+=(((SHA_LONG64)len)>>61); - c->Nl=l; - - if (c->num != 0) - { - size_t n = sizeof(c->u) - c->num; - - if (len < n) - { - memcpy (p+c->num,data,len), c->num += (unsigned int)len; - return 1; - } - else { - memcpy (p+c->num,data,n), c->num = 0; - len-=n, data+=n; - sha512_block_data_order (c,p,1); - } - } - - if (len >= sizeof(c->u)) - { -#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA - if ((size_t)data%sizeof(c->u.d[0]) != 0) - while (len >= sizeof(c->u)) - memcpy (p,data,sizeof(c->u)), - sha512_block_data_order (c,p,1), - len -= sizeof(c->u), - data += sizeof(c->u); - else -#endif - sha512_block_data_order (c,data,len/sizeof(c->u)), - data += len, - len %= sizeof(c->u), - data -= len; - } - - if (len != 0) memcpy (p,data,len), c->num = (int)len; - - return 1; - } - -int SHA384_Update (SHA512_CTX *c, const void *data, size_t len) -{ return SHA512_Update (c,data,len); } - -void SHA512_Transform (SHA512_CTX *c, const unsigned char *data) - { -#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA - if ((size_t)data%sizeof(c->u.d[0]) != 0) - memcpy(c->u.p,data,sizeof(c->u.p)), - data = c->u.p; -#endif - sha512_block_data_order (c,data,1); - } - -unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md) - { - SHA512_CTX c; - static unsigned char m[SHA384_DIGEST_LENGTH]; - - if (md == NULL) md=m; - SHA384_Init(&c); - SHA512_Update(&c,d,n); - SHA512_Final(md,&c); - explicit_bzero(&c,sizeof(c)); - return(md); - } - -unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md) - { - SHA512_CTX c; - static 
unsigned char m[SHA512_DIGEST_LENGTH]; - - if (md == NULL) md=m; - SHA512_Init(&c); - SHA512_Update(&c,d,n); - SHA512_Final(md,&c); - explicit_bzero(&c,sizeof(c)); - return(md); - } #ifndef SHA512_ASM static const SHA_LONG64 K512[80] = { - U64(0x428a2f98d728ae22),U64(0x7137449123ef65cd), - U64(0xb5c0fbcfec4d3b2f),U64(0xe9b5dba58189dbbc), - U64(0x3956c25bf348b538),U64(0x59f111f1b605d019), - U64(0x923f82a4af194f9b),U64(0xab1c5ed5da6d8118), - U64(0xd807aa98a3030242),U64(0x12835b0145706fbe), - U64(0x243185be4ee4b28c),U64(0x550c7dc3d5ffb4e2), - U64(0x72be5d74f27b896f),U64(0x80deb1fe3b1696b1), - U64(0x9bdc06a725c71235),U64(0xc19bf174cf692694), - U64(0xe49b69c19ef14ad2),U64(0xefbe4786384f25e3), - U64(0x0fc19dc68b8cd5b5),U64(0x240ca1cc77ac9c65), - U64(0x2de92c6f592b0275),U64(0x4a7484aa6ea6e483), - U64(0x5cb0a9dcbd41fbd4),U64(0x76f988da831153b5), - U64(0x983e5152ee66dfab),U64(0xa831c66d2db43210), - U64(0xb00327c898fb213f),U64(0xbf597fc7beef0ee4), - U64(0xc6e00bf33da88fc2),U64(0xd5a79147930aa725), - U64(0x06ca6351e003826f),U64(0x142929670a0e6e70), - U64(0x27b70a8546d22ffc),U64(0x2e1b21385c26c926), - U64(0x4d2c6dfc5ac42aed),U64(0x53380d139d95b3df), - U64(0x650a73548baf63de),U64(0x766a0abb3c77b2a8), - U64(0x81c2c92e47edaee6),U64(0x92722c851482353b), - U64(0xa2bfe8a14cf10364),U64(0xa81a664bbc423001), - U64(0xc24b8b70d0f89791),U64(0xc76c51a30654be30), - U64(0xd192e819d6ef5218),U64(0xd69906245565a910), - U64(0xf40e35855771202a),U64(0x106aa07032bbd1b8), - U64(0x19a4c116b8d2d0c8),U64(0x1e376c085141ab53), - U64(0x2748774cdf8eeb99),U64(0x34b0bcb5e19b48a8), - U64(0x391c0cb3c5c95a63),U64(0x4ed8aa4ae3418acb), - U64(0x5b9cca4f7763e373),U64(0x682e6ff3d6b2b8a3), - U64(0x748f82ee5defb2fc),U64(0x78a5636f43172f60), - U64(0x84c87814a1f0ab72),U64(0x8cc702081a6439ec), - U64(0x90befffa23631e28),U64(0xa4506cebde82bde9), - U64(0xbef9a3f7b2c67915),U64(0xc67178f2e372532b), - U64(0xca273eceea26619c),U64(0xd186b8c721c0c207), - U64(0xeada7dd6cde0eb1e),U64(0xf57d4f7fee6ed178), - 
U64(0x06f067aa72176fba),U64(0x0a637dc5a2c898a6), - U64(0x113f9804bef90dae),U64(0x1b710b35131c471b), - U64(0x28db77f523047d84),U64(0x32caab7b40c72493), - U64(0x3c9ebe0a15c9bebc),U64(0x431d67c49c100d4c), - U64(0x4cc5d4becb3e42b6),U64(0x597f299cfc657e2a), - U64(0x5fcb6fab3ad6faec),U64(0x6c44198c4a475817) }; + U64(0x428a2f98d728ae22), U64(0x7137449123ef65cd), + U64(0xb5c0fbcfec4d3b2f), U64(0xe9b5dba58189dbbc), + U64(0x3956c25bf348b538), U64(0x59f111f1b605d019), + U64(0x923f82a4af194f9b), U64(0xab1c5ed5da6d8118), + U64(0xd807aa98a3030242), U64(0x12835b0145706fbe), + U64(0x243185be4ee4b28c), U64(0x550c7dc3d5ffb4e2), + U64(0x72be5d74f27b896f), U64(0x80deb1fe3b1696b1), + U64(0x9bdc06a725c71235), U64(0xc19bf174cf692694), + U64(0xe49b69c19ef14ad2), U64(0xefbe4786384f25e3), + U64(0x0fc19dc68b8cd5b5), U64(0x240ca1cc77ac9c65), + U64(0x2de92c6f592b0275), U64(0x4a7484aa6ea6e483), + U64(0x5cb0a9dcbd41fbd4), U64(0x76f988da831153b5), + U64(0x983e5152ee66dfab), U64(0xa831c66d2db43210), + U64(0xb00327c898fb213f), U64(0xbf597fc7beef0ee4), + U64(0xc6e00bf33da88fc2), U64(0xd5a79147930aa725), + U64(0x06ca6351e003826f), U64(0x142929670a0e6e70), + U64(0x27b70a8546d22ffc), U64(0x2e1b21385c26c926), + U64(0x4d2c6dfc5ac42aed), U64(0x53380d139d95b3df), + U64(0x650a73548baf63de), U64(0x766a0abb3c77b2a8), + U64(0x81c2c92e47edaee6), U64(0x92722c851482353b), + U64(0xa2bfe8a14cf10364), U64(0xa81a664bbc423001), + U64(0xc24b8b70d0f89791), U64(0xc76c51a30654be30), + U64(0xd192e819d6ef5218), U64(0xd69906245565a910), + U64(0xf40e35855771202a), U64(0x106aa07032bbd1b8), + U64(0x19a4c116b8d2d0c8), U64(0x1e376c085141ab53), + U64(0x2748774cdf8eeb99), U64(0x34b0bcb5e19b48a8), + U64(0x391c0cb3c5c95a63), U64(0x4ed8aa4ae3418acb), + U64(0x5b9cca4f7763e373), U64(0x682e6ff3d6b2b8a3), + U64(0x748f82ee5defb2fc), U64(0x78a5636f43172f60), + U64(0x84c87814a1f0ab72), U64(0x8cc702081a6439ec), + U64(0x90befffa23631e28), U64(0xa4506cebde82bde9), + U64(0xbef9a3f7b2c67915), U64(0xc67178f2e372532b), + U64(0xca273eceea26619c), 
U64(0xd186b8c721c0c207), + U64(0xeada7dd6cde0eb1e), U64(0xf57d4f7fee6ed178), + U64(0x06f067aa72176fba), U64(0x0a637dc5a2c898a6), + U64(0x113f9804bef90dae), U64(0x1b710b35131c471b), + U64(0x28db77f523047d84), U64(0x32caab7b40c72493), + U64(0x3c9ebe0a15c9bebc), U64(0x431d67c49c100d4c), + U64(0x4cc5d4becb3e42b6), U64(0x597f299cfc657e2a), + U64(0x5fcb6fab3ad6faec), U64(0x6c44198c4a475817), +}; #if defined(__GNUC__) && __GNUC__>=2 && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM) # if defined(__x86_64) || defined(__x86_64__) -# define ROTR(a,n) ({ SHA_LONG64 ret; \ - asm ("rorq %1,%0" \ - : "=r"(ret) \ - : "J"(n),"0"(a) \ - : "cc"); ret; }) # define PULL64(x) ({ SHA_LONG64 ret=*((const SHA_LONG64 *)(&(x))); \ asm ("bswapq %0" \ : "=r"(ret) \ 
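Review bot: The `SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA` definition near the top of this hunk is now the only statement of the alignment contract, because the commit removes the old IMPLEMENTATION NOTES that explained the transform works on aligned big-endian words; a one-line comment on the `#if !defined(__STRICT_ALIGNMENT) || defined(SHA512_ASM)` block would keep that knowledge next to the code. Something like `/* When set, SHA512_Update/SHA512_Transform may hand an unaligned caller buffer straight to sha512_block_data_order; otherwise they copy through c->u.p first. */`. It is also worth recording in that comment that the retained x86_64 inline-asm `PULL64` still performs a full 64-bit load via `*((const SHA_LONG64 *)(&(x)))`, so on that path the macro relies on the hardware tolerating unaligned loads rather than on well-defined C; the portable byte-wise `B(x, j)` definition below it has no such dependency.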
@@ -325,222 +131,404 @@ static const SHA_LONG64 K512[80] = { : "=r"(lo),"=r"(hi) \ : "0"(lo),"1"(hi)); \ ((SHA_LONG64)hi)<<32|lo; }) -# elif (defined(_ARCH_PPC) && defined(__64BIT__)) || defined(_ARCH_PPC64) -# define ROTR(a,n) ({ SHA_LONG64 ret; \ - asm ("rotrdi %0,%1,%2" \ - : "=r"(ret) \ - : "r"(a),"K"(n)); ret; }) # endif #endif #ifndef PULL64 -#define B(x,j) (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8)) -#define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7)) +#if BYTE_ORDER == BIG_ENDIAN +#define PULL64(x) (x) +#else +#define B(x, j) (((SHA_LONG64)(*(((const unsigned char *)(&x))+j)))<<((7-j)*8)) +#define PULL64(x) (B(x,0)|B(x,1)|B(x,2)|B(x,3)|B(x,4)|B(x,5)|B(x,6)|B(x,7)) +#endif #endif -#ifndef ROTR -#define ROTR(x,s) (((x)>>s) | (x)<<(64-s)) -#endif +#define ROTR(x, s) crypto_ror_u64(x, s) #define Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39)) #define Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41)) #define sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7)) #define sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6)) -#define Ch(x,y,z) (((x) & (y)) ^ ((~(x)) & (z))) -#define Maj(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) +#define Ch(x, y, z) (((x) & (y)) ^ ((~(x)) & (z))) +#define Maj(x, y, z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z))) +#define ROUND_00_15(i, a, b, c, d, e, f, g, h, Wt) do { \ + T1 = h + Sigma1(e) + Ch(e, f, g) + K512[i] + Wt; \ + T2 = Sigma0(a) + Maj(a, b, c); \ + d += T1; \ + h = T1 + T2; \ + } while (0) -#if defined(__i386) || defined(__i386__) || defined(_M_IX86) -/* - * This code should give better results on 32-bit CPU with less than - * ~24 registers, both size and performance wise... 
- */ -static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num) - { - const SHA_LONG64 *W=in; - SHA_LONG64 A,E,T; - SHA_LONG64 X[9+80],*F; +#define ROUND_16_80(i, j, a, b, c, d, e, f, g, h, X) do { \ + s0 = sigma0(X[(j + 1) & 0x0f]); \ + s1 = sigma1(X[(j + 14) & 0x0f]); \ + X[(j) & 0x0f] += s0 + s1 + X[(j + 9) & 0x0f]; \ + ROUND_00_15(i + j, a, b, c, d, e, f, g, h, X[(j) & 0x0f]); \ + } while (0) + +static void +sha512_block_data_order(SHA512_CTX *ctx, const void *_in, size_t num) +{ + const SHA_LONG64 *in = _in; + SHA_LONG64 a, b, c, d, e, f, g, h, s0, s1, T1, T2; + SHA_LONG64 X[16]; int i; - while (num--) { + while (num--) { + a = ctx->h[0]; + b = ctx->h[1]; + c = ctx->h[2]; + d = ctx->h[3]; + e = ctx->h[4]; + f = ctx->h[5]; + g = ctx->h[6]; + h = ctx->h[7]; - F = X+80; - A = ctx->h[0]; F[1] = ctx->h[1]; - F[2] = ctx->h[2]; F[3] = ctx->h[3]; - E = ctx->h[4]; F[5] = ctx->h[5]; - F[6] = ctx->h[6]; F[7] = ctx->h[7]; + X[0] = PULL64(in[0]); + ROUND_00_15(0, a, b, c, d, e, f, g, h, X[0]); + X[1] = PULL64(in[1]); + ROUND_00_15(1, h, a, b, c, d, e, f, g, X[1]); + X[2] = PULL64(in[2]); + ROUND_00_15(2, g, h, a, b, c, d, e, f, X[2]); + X[3] = PULL64(in[3]); + ROUND_00_15(3, f, g, h, a, b, c, d, e, X[3]); + X[4] = PULL64(in[4]); + ROUND_00_15(4, e, f, g, h, a, b, c, d, X[4]); + X[5] = PULL64(in[5]); + ROUND_00_15(5, d, e, f, g, h, a, b, c, X[5]); + X[6] = PULL64(in[6]); + ROUND_00_15(6, c, d, e, f, g, h, a, b, X[6]); + X[7] = PULL64(in[7]); + ROUND_00_15(7, b, c, d, e, f, g, h, a, X[7]); + X[8] = PULL64(in[8]); + ROUND_00_15(8, a, b, c, d, e, f, g, h, X[8]); + X[9] = PULL64(in[9]); + ROUND_00_15(9, h, a, b, c, d, e, f, g, X[9]); + X[10] = PULL64(in[10]); + ROUND_00_15(10, g, h, a, b, c, d, e, f, X[10]); + X[11] = PULL64(in[11]); + ROUND_00_15(11, f, g, h, a, b, c, d, e, X[11]); + X[12] = PULL64(in[12]); + ROUND_00_15(12, e, f, g, h, a, b, c, d, X[12]); + X[13] = PULL64(in[13]); + ROUND_00_15(13, d, e, f, g, h, a, b, c, X[13]); + X[14] = 
PULL64(in[14]); + ROUND_00_15(14, c, d, e, f, g, h, a, b, X[14]); + X[15] = PULL64(in[15]); + ROUND_00_15(15, b, c, d, e, f, g, h, a, X[15]); - for (i=0;i<16;i++,F--) - { - T = PULL64(W[i]); - F[0] = A; - F[4] = E; - F[8] = T; - T += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i]; - E = F[3] + T; - A = T + Sigma0(A) + Maj(A,F[1],F[2]); + for (i = 16; i < 80; i += 16) { + ROUND_16_80(i, 0, a, b, c, d, e, f, g, h, X); + ROUND_16_80(i, 1, h, a, b, c, d, e, f, g, X); + ROUND_16_80(i, 2, g, h, a, b, c, d, e, f, X); + ROUND_16_80(i, 3, f, g, h, a, b, c, d, e, X); + ROUND_16_80(i, 4, e, f, g, h, a, b, c, d, X); + ROUND_16_80(i, 5, d, e, f, g, h, a, b, c, X); + ROUND_16_80(i, 6, c, d, e, f, g, h, a, b, X); + ROUND_16_80(i, 7, b, c, d, e, f, g, h, a, X); + ROUND_16_80(i, 8, a, b, c, d, e, f, g, h, X); + ROUND_16_80(i, 9, h, a, b, c, d, e, f, g, X); + ROUND_16_80(i, 10, g, h, a, b, c, d, e, f, X); + ROUND_16_80(i, 11, f, g, h, a, b, c, d, e, X); + ROUND_16_80(i, 12, e, f, g, h, a, b, c, d, X); + ROUND_16_80(i, 13, d, e, f, g, h, a, b, c, X); + ROUND_16_80(i, 14, c, d, e, f, g, h, a, b, X); + ROUND_16_80(i, 15, b, c, d, e, f, g, h, a, X); } - for (;i<80;i++,F--) - { - T = sigma0(F[8+16-1]); - T += sigma1(F[8+16-14]); - T += F[8+16] + F[8+16-9]; + ctx->h[0] += a; + ctx->h[1] += b; + ctx->h[2] += c; + ctx->h[3] += d; + ctx->h[4] += e; + ctx->h[5] += f; + ctx->h[6] += g; + ctx->h[7] += h; - F[0] = A; - F[4] = E; - F[8] = T; - T += F[7] + Sigma1(E) + Ch(E,F[5],F[6]) + K512[i]; - E = F[3] + T; - A = T + Sigma0(A) + Maj(A,F[1],F[2]); - } - - ctx->h[0] += A; ctx->h[1] += F[1]; - ctx->h[2] += F[2]; ctx->h[3] += F[3]; - ctx->h[4] += E; ctx->h[5] += F[5]; - ctx->h[6] += F[6]; ctx->h[7] += F[7]; - - W+=SHA_LBLOCK; - } + in += SHA_LBLOCK; } - -#elif defined(OPENSSL_SMALL_FOOTPRINT) - -static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num) - { - const SHA_LONG64 *W=in; - SHA_LONG64 a,b,c,d,e,f,g,h,s0,s1,T1,T2; - SHA_LONG64 X[16]; - int i; - - while (num--) { - - a 
= ctx->h[0]; b = ctx->h[1]; c = ctx->h[2]; d = ctx->h[3]; - e = ctx->h[4]; f = ctx->h[5]; g = ctx->h[6]; h = ctx->h[7]; - - for (i=0;i<16;i++) - { -#if BYTE_ORDER == BIG_ENDIAN - T1 = X[i] = W[i]; -#else - T1 = X[i] = PULL64(W[i]); -#endif - T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i]; - T2 = Sigma0(a) + Maj(a,b,c); - h = g; g = f; f = e; e = d + T1; - d = c; c = b; b = a; a = T1 + T2; - } - - for (;i<80;i++) - { - s0 = X[(i+1)&0x0f]; s0 = sigma0(s0); - s1 = X[(i+14)&0x0f]; s1 = sigma1(s1); - - T1 = X[i&0xf] += s0 + s1 + X[(i+9)&0xf]; - T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i]; - T2 = Sigma0(a) + Maj(a,b,c); - h = g; g = f; f = e; e = d + T1; - d = c; c = b; b = a; a = T1 + T2; - } - - ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d; - ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h; - - W+=SHA_LBLOCK; - } - } - -#else - -#define ROUND_00_15(i,a,b,c,d,e,f,g,h) do { \ - T1 += h + Sigma1(e) + Ch(e,f,g) + K512[i]; \ - h = Sigma0(a) + Maj(a,b,c); \ - d += T1; h += T1; } while (0) - -#define ROUND_16_80(i,j,a,b,c,d,e,f,g,h,X) do { \ - s0 = X[(j+1)&0x0f]; s0 = sigma0(s0); \ - s1 = X[(j+14)&0x0f]; s1 = sigma1(s1); \ - T1 = X[(j)&0x0f] += s0 + s1 + X[(j+9)&0x0f]; \ - ROUND_00_15(i+j,a,b,c,d,e,f,g,h); } while (0) - -static void sha512_block_data_order (SHA512_CTX *ctx, const void *in, size_t num) - { - const SHA_LONG64 *W=in; - SHA_LONG64 a,b,c,d,e,f,g,h,s0,s1,T1; - SHA_LONG64 X[16]; - int i; - - while (num--) { - - a = ctx->h[0]; b = ctx->h[1]; c = ctx->h[2]; d = ctx->h[3]; - e = ctx->h[4]; f = ctx->h[5]; g = ctx->h[6]; h = ctx->h[7]; - -#if BYTE_ORDER == BIG_ENDIAN - T1 = X[0] = W[0]; ROUND_00_15(0,a,b,c,d,e,f,g,h); - T1 = X[1] = W[1]; ROUND_00_15(1,h,a,b,c,d,e,f,g); - T1 = X[2] = W[2]; ROUND_00_15(2,g,h,a,b,c,d,e,f); - T1 = X[3] = W[3]; ROUND_00_15(3,f,g,h,a,b,c,d,e); - T1 = X[4] = W[4]; ROUND_00_15(4,e,f,g,h,a,b,c,d); - T1 = X[5] = W[5]; ROUND_00_15(5,d,e,f,g,h,a,b,c); - T1 = X[6] = W[6]; ROUND_00_15(6,c,d,e,f,g,h,a,b); - T1 = X[7] = W[7]; 
ROUND_00_15(7,b,c,d,e,f,g,h,a); - T1 = X[8] = W[8]; ROUND_00_15(8,a,b,c,d,e,f,g,h); - T1 = X[9] = W[9]; ROUND_00_15(9,h,a,b,c,d,e,f,g); - T1 = X[10] = W[10]; ROUND_00_15(10,g,h,a,b,c,d,e,f); - T1 = X[11] = W[11]; ROUND_00_15(11,f,g,h,a,b,c,d,e); - T1 = X[12] = W[12]; ROUND_00_15(12,e,f,g,h,a,b,c,d); - T1 = X[13] = W[13]; ROUND_00_15(13,d,e,f,g,h,a,b,c); - T1 = X[14] = W[14]; ROUND_00_15(14,c,d,e,f,g,h,a,b); - T1 = X[15] = W[15]; ROUND_00_15(15,b,c,d,e,f,g,h,a); -#else - T1 = X[0] = PULL64(W[0]); ROUND_00_15(0,a,b,c,d,e,f,g,h); - T1 = X[1] = PULL64(W[1]); ROUND_00_15(1,h,a,b,c,d,e,f,g); - T1 = X[2] = PULL64(W[2]); ROUND_00_15(2,g,h,a,b,c,d,e,f); - T1 = X[3] = PULL64(W[3]); ROUND_00_15(3,f,g,h,a,b,c,d,e); - T1 = X[4] = PULL64(W[4]); ROUND_00_15(4,e,f,g,h,a,b,c,d); - T1 = X[5] = PULL64(W[5]); ROUND_00_15(5,d,e,f,g,h,a,b,c); - T1 = X[6] = PULL64(W[6]); ROUND_00_15(6,c,d,e,f,g,h,a,b); - T1 = X[7] = PULL64(W[7]); ROUND_00_15(7,b,c,d,e,f,g,h,a); - T1 = X[8] = PULL64(W[8]); ROUND_00_15(8,a,b,c,d,e,f,g,h); - T1 = X[9] = PULL64(W[9]); ROUND_00_15(9,h,a,b,c,d,e,f,g); - T1 = X[10] = PULL64(W[10]); ROUND_00_15(10,g,h,a,b,c,d,e,f); - T1 = X[11] = PULL64(W[11]); ROUND_00_15(11,f,g,h,a,b,c,d,e); - T1 = X[12] = PULL64(W[12]); ROUND_00_15(12,e,f,g,h,a,b,c,d); - T1 = X[13] = PULL64(W[13]); ROUND_00_15(13,d,e,f,g,h,a,b,c); - T1 = X[14] = PULL64(W[14]); ROUND_00_15(14,c,d,e,f,g,h,a,b); - T1 = X[15] = PULL64(W[15]); ROUND_00_15(15,b,c,d,e,f,g,h,a); -#endif - - for (i=16;i<80;i+=16) - { - ROUND_16_80(i, 0,a,b,c,d,e,f,g,h,X); - ROUND_16_80(i, 1,h,a,b,c,d,e,f,g,X); - ROUND_16_80(i, 2,g,h,a,b,c,d,e,f,X); - ROUND_16_80(i, 3,f,g,h,a,b,c,d,e,X); - ROUND_16_80(i, 4,e,f,g,h,a,b,c,d,X); - ROUND_16_80(i, 5,d,e,f,g,h,a,b,c,X); - ROUND_16_80(i, 6,c,d,e,f,g,h,a,b,X); - ROUND_16_80(i, 7,b,c,d,e,f,g,h,a,X); - ROUND_16_80(i, 8,a,b,c,d,e,f,g,h,X); - ROUND_16_80(i, 9,h,a,b,c,d,e,f,g,X); - ROUND_16_80(i,10,g,h,a,b,c,d,e,f,X); - ROUND_16_80(i,11,f,g,h,a,b,c,d,e,X); - ROUND_16_80(i,12,e,f,g,h,a,b,c,d,X); - 
ROUND_16_80(i,13,d,e,f,g,h,a,b,c,X); - ROUND_16_80(i,14,c,d,e,f,g,h,a,b,X); - ROUND_16_80(i,15,b,c,d,e,f,g,h,a,X); - } - - ctx->h[0] += a; ctx->h[1] += b; ctx->h[2] += c; ctx->h[3] += d; - ctx->h[4] += e; ctx->h[5] += f; ctx->h[6] += g; ctx->h[7] += h; - - W+=SHA_LBLOCK; - } - } - -#endif +} #endif /* SHA512_ASM */ +int +SHA384_Init(SHA512_CTX *c) +{ + memset(c, 0, sizeof(*c)); + + c->h[0] = U64(0xcbbb9d5dc1059ed8); + c->h[1] = U64(0x629a292a367cd507); + c->h[2] = U64(0x9159015a3070dd17); + c->h[3] = U64(0x152fecd8f70e5939); + c->h[4] = U64(0x67332667ffc00b31); + c->h[5] = U64(0x8eb44a8768581511); + c->h[6] = U64(0xdb0c2e0d64f98fa7); + c->h[7] = U64(0x47b5481dbefa4fa4); + + c->md_len = SHA384_DIGEST_LENGTH; + + return 1; +} + +int +SHA384_Update(SHA512_CTX *c, const void *data, size_t len) +{ + return SHA512_Update(c, data, len); +} + +int +SHA384_Final(unsigned char *md, SHA512_CTX *c) +{ + return SHA512_Final(md, c); +} + +unsigned char * +SHA384(const unsigned char *d, size_t n, unsigned char *md) +{ + SHA512_CTX c; + static unsigned char m[SHA384_DIGEST_LENGTH]; + + if (md == NULL) + md = m; + + SHA384_Init(&c); + SHA512_Update(&c, d, n); + SHA512_Final(md, &c); + + explicit_bzero(&c, sizeof(c)); + + return (md); +} + +int +SHA512_Init(SHA512_CTX *c) +{ + memset(c, 0, sizeof(*c)); + + c->h[0] = U64(0x6a09e667f3bcc908); + c->h[1] = U64(0xbb67ae8584caa73b); + c->h[2] = U64(0x3c6ef372fe94f82b); + c->h[3] = U64(0xa54ff53a5f1d36f1); + c->h[4] = U64(0x510e527fade682d1); + c->h[5] = U64(0x9b05688c2b3e6c1f); + c->h[6] = U64(0x1f83d9abfb41bd6b); + c->h[7] = U64(0x5be0cd19137e2179); + + c->md_len = SHA512_DIGEST_LENGTH; + + return 1; +} + +void +SHA512_Transform(SHA512_CTX *c, const unsigned char *data) +{ +#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA + if ((size_t)data % sizeof(c->u.d[0]) != 0) { + memcpy(c->u.p, data, sizeof(c->u.p)); + data = c->u.p; + } +#endif + sha512_block_data_order(c, data, 1); +} + +int +SHA512_Update(SHA512_CTX *c, const void *_data, size_t 
len) +{ + SHA_LONG64 l; + unsigned char *p = c->u.p; + const unsigned char *data = (const unsigned char *)_data; + + if (len == 0) + return 1; + + l = (c->Nl + (((SHA_LONG64)len) << 3))&U64(0xffffffffffffffff); + if (l < c->Nl) + c->Nh++; + if (sizeof(len) >= 8) + c->Nh += (((SHA_LONG64)len) >> 61); + c->Nl = l; + + if (c->num != 0) { + size_t n = sizeof(c->u) - c->num; + + if (len < n) { + memcpy(p + c->num, data, len); + c->num += (unsigned int)len; + return 1; + } else{ + memcpy(p + c->num, data, n); + c->num = 0; + len -= n; + data += n; + sha512_block_data_order(c, p, 1); + } + } + + if (len >= sizeof(c->u)) { +#ifndef SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA + if ((size_t)data % sizeof(c->u.d[0]) != 0) { + while (len >= sizeof(c->u)) { + memcpy(p, data, sizeof(c->u)); + sha512_block_data_order(c, p, 1); + len -= sizeof(c->u); + data += sizeof(c->u); + } + } else +#endif + { + sha512_block_data_order(c, data, len/sizeof(c->u)); + data += len; + len %= sizeof(c->u); + data -= len; + } + } + + if (len != 0) { + memcpy(p, data, len); + c->num = (int)len; + } + + return 1; +} + +int +SHA512_Final(unsigned char *md, SHA512_CTX *c) +{ + unsigned char *p = (unsigned char *)c->u.p; + size_t n = c->num; + + p[n]=0x80; /* There always is a room for one */ + n++; + if (n > (sizeof(c->u) - 16)) { + memset(p + n, 0, sizeof(c->u) - n); + n = 0; + sha512_block_data_order(c, p, 1); + } + + memset(p + n, 0, sizeof(c->u) - 16 - n); + c->u.d[SHA_LBLOCK - 2] = htobe64(c->Nh); + c->u.d[SHA_LBLOCK - 1] = htobe64(c->Nl); + + sha512_block_data_order(c, p, 1); + + if (md == NULL) + return 0; + + /* Let compiler decide if it's appropriate to unroll... 
*/ + switch (c->md_len) { + case SHA512_224_DIGEST_LENGTH: + for (n = 0; n < SHA512_224_DIGEST_LENGTH/8; n++) { + crypto_store_htobe64(md, c->h[n]); + md += 8; + } + crypto_store_htobe32(md, c->h[n] >> 32); + break; + case SHA512_256_DIGEST_LENGTH: + for (n = 0; n < SHA512_256_DIGEST_LENGTH/8; n++) { + crypto_store_htobe64(md, c->h[n]); + md += 8; + } + break; + case SHA384_DIGEST_LENGTH: + for (n = 0; n < SHA384_DIGEST_LENGTH/8; n++) { + crypto_store_htobe64(md, c->h[n]); + md += 8; + } + break; + case SHA512_DIGEST_LENGTH: + for (n = 0; n < SHA512_DIGEST_LENGTH/8; n++) { + crypto_store_htobe64(md, c->h[n]); + md += 8; + } + break; + default: + return 0; + } + + return 1; +} + +unsigned char * +SHA512(const unsigned char *d, size_t n, unsigned char *md) +{ + SHA512_CTX c; + static unsigned char m[SHA512_DIGEST_LENGTH]; + + if (md == NULL) + md = m; + + SHA512_Init(&c); + SHA512_Update(&c, d, n); + SHA512_Final(md, &c); + + explicit_bzero(&c, sizeof(c)); + + return (md); +} + +int +SHA512_224_Init(SHA512_CTX *c) +{ + memset(c, 0, sizeof(*c)); + + /* FIPS 180-4 section 5.3.6.1. */ + c->h[0] = U64(0x8c3d37c819544da2); + c->h[1] = U64(0x73e1996689dcd4d6); + c->h[2] = U64(0x1dfab7ae32ff9c82); + c->h[3] = U64(0x679dd514582f9fcf); + c->h[4] = U64(0x0f6d2b697bd44da8); + c->h[5] = U64(0x77e36f7304c48942); + c->h[6] = U64(0x3f9d85a86a1d36c8); + c->h[7] = U64(0x1112e6ad91d692a1); + + c->md_len = SHA512_224_DIGEST_LENGTH; + + return 1; +} + +int +SHA512_224_Update(SHA512_CTX *c, const void *data, size_t len) +{ + return SHA512_Update(c, data, len); +} + +int +SHA512_224_Final(unsigned char *md, SHA512_CTX *c) +{ + return SHA512_Final(md, c); +} + +int +SHA512_256_Init(SHA512_CTX *c) +{ + memset(c, 0, sizeof(*c)); + + /* FIPS 180-4 section 5.3.6.2. 
*/ + c->h[0] = U64(0x22312194fc2bf72c); + c->h[1] = U64(0x9f555fa3c84c64c2); + c->h[2] = U64(0x2393b86b6f53b151); + c->h[3] = U64(0x963877195940eabd); + c->h[4] = U64(0x96283ee2a88effe3); + c->h[5] = U64(0xbe5e1e2553863992); + c->h[6] = U64(0x2b0199fc2c85b8aa); + c->h[7] = U64(0x0eb72ddc81c52ca2); + + c->md_len = SHA512_256_DIGEST_LENGTH; + + return 1; +} + +int +SHA512_256_Update(SHA512_CTX *c, const void *data, size_t len) +{ + return SHA512_Update(c, data, len); +} + +int +SHA512_256_Final(unsigned char *md, SHA512_CTX *c) +{ + return SHA512_Final(md, c); +} + #endif /* !OPENSSL_NO_SHA512 */ diff --git a/crypto/sha/sha_internal.h b/crypto/sha/sha_internal.h new file mode 100644 index 0000000..63cae3d --- /dev/null +++ b/crypto/sha/sha_internal.h 
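Review bot: In `sha512_block_data_order` the input is rebound as `const SHA_LONG64 *in = _in;` and read with `PULL64(in[0])` through `PULL64(in[15])`, while `SHA512_Update` further down in the same hunk passes the caller's `data` pointer straight through whenever `SHA512_BLOCK_CAN_MANAGE_UNALIGNED_DATA` is defined, i.e. on every non-`SHA512_ASM` build without `__STRICT_ALIGNMENT`. That dereferences an arbitrary `unsigned char *` through a 64-bit lvalue, which is undefined in C (alignment and effective type) even where the hardware tolerates it; with the big-endian `PULL64(x) (x)` form or the x86_64 inline-asm form it is a genuine wide load that UBSan's alignment check will report. Keeping the buffer as bytes and doing a `memcpy`-based load lets the compiler emit the same `bswap` without the UB; `be64toh` is the inverse of the `htobe64` this hunk already uses in `SHA512_Final`, and if crypto_internal.h has a load counterpart to `crypto_store_htobe64`, prefer that over the local helper sketched below. The same pattern applies to the `sizeof(c->u.d[0])` modulus test in `SHA512_Transform`, which becomes unnecessary once the block function no longer needs alignment.
```c
static inline SHA_LONG64
sha512_load_be64(const unsigned char *p)
{
	SHA_LONG64 v;

	memcpy(&v, p, sizeof(v));
	return be64toh(v);
}

static void
sha512_block_data_order(SHA512_CTX *ctx, const void *_in, size_t num)
{
	const unsigned char *in = _in;
	/* … unchanged: working-variable and X[16] declarations … */

	while (num--) {
		/* … unchanged: load a..h from ctx->h[] … */

		X[0] = sha512_load_be64(in + 0 * 8);
		ROUND_00_15(0, a, b, c, d, e, f, g, h, X[0]);
		X[1] = sha512_load_be64(in + 1 * 8);
		ROUND_00_15(1, h, a, b, c, d, e, f, g, X[1]);
		/* … same replacement of PULL64(in[i]) for X[2] .. X[15] … */

		/* … unchanged: rounds 16..79 and the ctx->h[] += update … */

		in += SHA_LBLOCK * sizeof(SHA_LONG64);
	}
}
```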
@@ -0,0 +1,36 @@ +/* $OpenBSD: sha_internal.h,v 1.3 2023/04/25 15:47:29 tb Exp $ */ +/* + * Copyright (c) 2023 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#ifndef HEADER_SHA_INTERNAL_H +#define HEADER_SHA_INTERNAL_H + +#define SHA512_224_DIGEST_LENGTH 28 +#define SHA512_256_DIGEST_LENGTH 32 + +int SHA512_224_Init(SHA512_CTX *c); +int SHA512_224_Update(SHA512_CTX *c, const void *data, size_t len) + __attribute__ ((__bounded__(__buffer__,2,3))); +int SHA512_224_Final(unsigned char *md, SHA512_CTX *c); + +int SHA512_256_Init(SHA512_CTX *c); +int SHA512_256_Update(SHA512_CTX *c, const void *data, size_t len) + __attribute__ ((__bounded__(__buffer__,2,3))); +int SHA512_256_Final(unsigned char *md, SHA512_CTX *c); + +#endif diff --git a/crypto/sha/sha_locl.h b/crypto/sha/sha_locl.h deleted file mode 100644 index 5daab29..0000000 --- a/crypto/sha/sha_locl.h +++ /dev/null 
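Review bot: The `__attribute__ ((__bounded__(__buffer__,2,3)))` annotations on `SHA512_224_Update` and `SHA512_256_Update` are an OpenBSD compiler extension; other compilers will at best warn about an unknown attribute, so the portable build depends on `__bounded__` being defined away in a compat header before this file is included — nothing in the header itself provides that, so confirm it holds for every consumer of sha_internal.h. The `#include` at the top (its argument does not survive in this rendering) also sits above the `HEADER_SHA_INTERNAL_H` guard; placing it inside the guard is the usual layout and avoids reprocessing on repeated inclusion. A brief header comment would help readers who only see the declarations, e.g. `/* SHA-512/224 and SHA-512/256 (FIPS 180-4 section 5.3.6): internal-only truncated variants that share SHA512_CTX and SHA512_Update. */`.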
@@ -1,419 +0,0 @@ -/* $OpenBSD: sha_locl.h,v 1.24 2021/11/09 18:40:21 bcook Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#include -#include - -#include -#include - -#define DATA_ORDER_IS_BIG_ENDIAN - -#define HASH_LONG SHA_LONG -#define HASH_CTX SHA_CTX -#define HASH_CBLOCK SHA_CBLOCK -#define HASH_MAKE_STRING(c,s) do { \ - unsigned long ll; \ - ll=(c)->h0; HOST_l2c(ll,(s)); \ - ll=(c)->h1; HOST_l2c(ll,(s)); \ - ll=(c)->h2; HOST_l2c(ll,(s)); \ - ll=(c)->h3; HOST_l2c(ll,(s)); \ - ll=(c)->h4; HOST_l2c(ll,(s)); \ - } while (0) - -# define HASH_UPDATE SHA1_Update -# define HASH_TRANSFORM SHA1_Transform -# define HASH_FINAL SHA1_Final -# define HASH_INIT SHA1_Init -# define HASH_BLOCK_DATA_ORDER sha1_block_data_order -# define Xupdate(a,ix,ia,ib,ic,id) ( (a)=(ia^ib^ic^id), \ - ix=(a)=ROTATE((a),1) \ - ) - -__BEGIN_HIDDEN_DECLS - -#ifndef SHA1_ASM -static -#endif - -void sha1_block_data_order (SHA_CTX *c, const void *p,size_t num); - -__END_HIDDEN_DECLS - -#include "md32_common.h" - -#define INIT_DATA_h0 0x67452301UL -#define INIT_DATA_h1 0xefcdab89UL -#define INIT_DATA_h2 0x98badcfeUL -#define INIT_DATA_h3 0x10325476UL -#define INIT_DATA_h4 0xc3d2e1f0UL - -int SHA1_Init(SHA_CTX *c) - { - memset (c,0,sizeof(*c)); - c->h0=INIT_DATA_h0; - c->h1=INIT_DATA_h1; - c->h2=INIT_DATA_h2; - c->h3=INIT_DATA_h3; - c->h4=INIT_DATA_h4; - return 1; - } - -#define K_00_19 0x5a827999UL -#define K_20_39 0x6ed9eba1UL -#define K_40_59 0x8f1bbcdcUL -#define K_60_79 0xca62c1d6UL - -/* As pointed out by Wei Dai , F() below can be - * simplified to the code in F_00_19. Wei attributes these optimisations - * to Peter Gutmann's SHS code, and he attributes it to Rich Schroeppel. 
- * #define F(x,y,z) (((x) & (y)) | ((~(x)) & (z))) - * I've just become aware of another tweak to be made, again from Wei Dai, - * in F_40_59, (x&a)|(y&a) -> (x|y)&a - */ -#define F_00_19(b,c,d) ((((c) ^ (d)) & (b)) ^ (d)) -#define F_20_39(b,c,d) ((b) ^ (c) ^ (d)) -#define F_40_59(b,c,d) (((b) & (c)) | (((b)|(c)) & (d))) -#define F_60_79(b,c,d) F_20_39(b,c,d) - -#ifndef OPENSSL_SMALL_FOOTPRINT - -#define BODY_00_15(i,a,b,c,d,e,f,xi) \ - (f)=xi+(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \ - (b)=ROTATE((b),30); - -#define BODY_16_19(i,a,b,c,d,e,f,xi,xa,xb,xc,xd) \ - Xupdate(f,xi,xa,xb,xc,xd); \ - (f)+=(e)+K_00_19+ROTATE((a),5)+F_00_19((b),(c),(d)); \ - (b)=ROTATE((b),30); - -#define BODY_20_31(i,a,b,c,d,e,f,xi,xa,xb,xc,xd) \ - Xupdate(f,xi,xa,xb,xc,xd); \ - (f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \ - (b)=ROTATE((b),30); - -#define BODY_32_39(i,a,b,c,d,e,f,xa,xb,xc,xd) \ - Xupdate(f,xa,xa,xb,xc,xd); \ - (f)+=(e)+K_20_39+ROTATE((a),5)+F_20_39((b),(c),(d)); \ - (b)=ROTATE((b),30); - -#define BODY_40_59(i,a,b,c,d,e,f,xa,xb,xc,xd) \ - Xupdate(f,xa,xa,xb,xc,xd); \ - (f)+=(e)+K_40_59+ROTATE((a),5)+F_40_59((b),(c),(d)); \ - (b)=ROTATE((b),30); - -#define BODY_60_79(i,a,b,c,d,e,f,xa,xb,xc,xd) \ - Xupdate(f,xa,xa,xb,xc,xd); \ - (f)=xa+(e)+K_60_79+ROTATE((a),5)+F_60_79((b),(c),(d)); \ - (b)=ROTATE((b),30); - -#ifdef X -#undef X -#endif -#ifndef MD32_XARRAY - /* - * Originally X was an array. As it's automatic it's natural - * to expect RISC compiler to accommodate at least part of it in - * the register bank, isn't it? Unfortunately not all compilers - * "find" this expectation reasonable:-( On order to make such - * compilers generate better code I replace X[] with a bunch of - * X0, X1, etc. See the function body below... - * - */ -# define X(i) XX##i -#else - /* - * However! Some compilers (most notably HP C) get overwhelmed by - * that many local variables so that we have to have the way to - * fall down to the original behavior. 
- */ -# define X(i) XX[i] -#endif - -#if !defined(SHA1_ASM) -#include -static void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, size_t num) - { - const unsigned char *data=p; - unsigned MD32_REG_T A,B,C,D,E,T,l; -#ifndef MD32_XARRAY - unsigned MD32_REG_T XX0, XX1, XX2, XX3, XX4, XX5, XX6, XX7, - XX8, XX9,XX10,XX11,XX12,XX13,XX14,XX15; -#else - SHA_LONG XX[16]; -#endif - - A=c->h0; - B=c->h1; - C=c->h2; - D=c->h3; - E=c->h4; - - for (;;) - { - - if (BYTE_ORDER != LITTLE_ENDIAN && - sizeof(SHA_LONG)==4 && ((size_t)p%4)==0) - { - const SHA_LONG *W=(const SHA_LONG *)data; - - X( 0) = W[0]; X( 1) = W[ 1]; - BODY_00_15( 0,A,B,C,D,E,T,X( 0)); X( 2) = W[ 2]; - BODY_00_15( 1,T,A,B,C,D,E,X( 1)); X( 3) = W[ 3]; - BODY_00_15( 2,E,T,A,B,C,D,X( 2)); X( 4) = W[ 4]; - BODY_00_15( 3,D,E,T,A,B,C,X( 3)); X( 5) = W[ 5]; - BODY_00_15( 4,C,D,E,T,A,B,X( 4)); X( 6) = W[ 6]; - BODY_00_15( 5,B,C,D,E,T,A,X( 5)); X( 7) = W[ 7]; - BODY_00_15( 6,A,B,C,D,E,T,X( 6)); X( 8) = W[ 8]; - BODY_00_15( 7,T,A,B,C,D,E,X( 7)); X( 9) = W[ 9]; - BODY_00_15( 8,E,T,A,B,C,D,X( 8)); X(10) = W[10]; - BODY_00_15( 9,D,E,T,A,B,C,X( 9)); X(11) = W[11]; - BODY_00_15(10,C,D,E,T,A,B,X(10)); X(12) = W[12]; - BODY_00_15(11,B,C,D,E,T,A,X(11)); X(13) = W[13]; - BODY_00_15(12,A,B,C,D,E,T,X(12)); X(14) = W[14]; - BODY_00_15(13,T,A,B,C,D,E,X(13)); X(15) = W[15]; - BODY_00_15(14,E,T,A,B,C,D,X(14)); - BODY_00_15(15,D,E,T,A,B,C,X(15)); - - data += SHA_CBLOCK; - } - else - { - HOST_c2l(data,l); X( 0)=l; HOST_c2l(data,l); X( 1)=l; - BODY_00_15( 0,A,B,C,D,E,T,X( 0)); HOST_c2l(data,l); X( 2)=l; - BODY_00_15( 1,T,A,B,C,D,E,X( 1)); HOST_c2l(data,l); X( 3)=l; - BODY_00_15( 2,E,T,A,B,C,D,X( 2)); HOST_c2l(data,l); X( 4)=l; - BODY_00_15( 3,D,E,T,A,B,C,X( 3)); HOST_c2l(data,l); X( 5)=l; - BODY_00_15( 4,C,D,E,T,A,B,X( 4)); HOST_c2l(data,l); X( 6)=l; - BODY_00_15( 5,B,C,D,E,T,A,X( 5)); HOST_c2l(data,l); X( 7)=l; - BODY_00_15( 6,A,B,C,D,E,T,X( 6)); HOST_c2l(data,l); X( 8)=l; - BODY_00_15( 7,T,A,B,C,D,E,X( 7)); HOST_c2l(data,l); X( 9)=l; - 
BODY_00_15( 8,E,T,A,B,C,D,X( 8)); HOST_c2l(data,l); X(10)=l; - BODY_00_15( 9,D,E,T,A,B,C,X( 9)); HOST_c2l(data,l); X(11)=l; - BODY_00_15(10,C,D,E,T,A,B,X(10)); HOST_c2l(data,l); X(12)=l; - BODY_00_15(11,B,C,D,E,T,A,X(11)); HOST_c2l(data,l); X(13)=l; - BODY_00_15(12,A,B,C,D,E,T,X(12)); HOST_c2l(data,l); X(14)=l; - BODY_00_15(13,T,A,B,C,D,E,X(13)); HOST_c2l(data,l); X(15)=l; - BODY_00_15(14,E,T,A,B,C,D,X(14)); - BODY_00_15(15,D,E,T,A,B,C,X(15)); - } - - BODY_16_19(16,C,D,E,T,A,B,X( 0),X( 0),X( 2),X( 8),X(13)); - BODY_16_19(17,B,C,D,E,T,A,X( 1),X( 1),X( 3),X( 9),X(14)); - BODY_16_19(18,A,B,C,D,E,T,X( 2),X( 2),X( 4),X(10),X(15)); - BODY_16_19(19,T,A,B,C,D,E,X( 3),X( 3),X( 5),X(11),X( 0)); - - BODY_20_31(20,E,T,A,B,C,D,X( 4),X( 4),X( 6),X(12),X( 1)); - BODY_20_31(21,D,E,T,A,B,C,X( 5),X( 5),X( 7),X(13),X( 2)); - BODY_20_31(22,C,D,E,T,A,B,X( 6),X( 6),X( 8),X(14),X( 3)); - BODY_20_31(23,B,C,D,E,T,A,X( 7),X( 7),X( 9),X(15),X( 4)); - BODY_20_31(24,A,B,C,D,E,T,X( 8),X( 8),X(10),X( 0),X( 5)); - BODY_20_31(25,T,A,B,C,D,E,X( 9),X( 9),X(11),X( 1),X( 6)); - BODY_20_31(26,E,T,A,B,C,D,X(10),X(10),X(12),X( 2),X( 7)); - BODY_20_31(27,D,E,T,A,B,C,X(11),X(11),X(13),X( 3),X( 8)); - BODY_20_31(28,C,D,E,T,A,B,X(12),X(12),X(14),X( 4),X( 9)); - BODY_20_31(29,B,C,D,E,T,A,X(13),X(13),X(15),X( 5),X(10)); - BODY_20_31(30,A,B,C,D,E,T,X(14),X(14),X( 0),X( 6),X(11)); - BODY_20_31(31,T,A,B,C,D,E,X(15),X(15),X( 1),X( 7),X(12)); - - BODY_32_39(32,E,T,A,B,C,D,X( 0),X( 2),X( 8),X(13)); - BODY_32_39(33,D,E,T,A,B,C,X( 1),X( 3),X( 9),X(14)); - BODY_32_39(34,C,D,E,T,A,B,X( 2),X( 4),X(10),X(15)); - BODY_32_39(35,B,C,D,E,T,A,X( 3),X( 5),X(11),X( 0)); - BODY_32_39(36,A,B,C,D,E,T,X( 4),X( 6),X(12),X( 1)); - BODY_32_39(37,T,A,B,C,D,E,X( 5),X( 7),X(13),X( 2)); - BODY_32_39(38,E,T,A,B,C,D,X( 6),X( 8),X(14),X( 3)); - BODY_32_39(39,D,E,T,A,B,C,X( 7),X( 9),X(15),X( 4)); - - BODY_40_59(40,C,D,E,T,A,B,X( 8),X(10),X( 0),X( 5)); - BODY_40_59(41,B,C,D,E,T,A,X( 9),X(11),X( 1),X( 6)); - 
BODY_40_59(42,A,B,C,D,E,T,X(10),X(12),X( 2),X( 7)); - BODY_40_59(43,T,A,B,C,D,E,X(11),X(13),X( 3),X( 8)); - BODY_40_59(44,E,T,A,B,C,D,X(12),X(14),X( 4),X( 9)); - BODY_40_59(45,D,E,T,A,B,C,X(13),X(15),X( 5),X(10)); - BODY_40_59(46,C,D,E,T,A,B,X(14),X( 0),X( 6),X(11)); - BODY_40_59(47,B,C,D,E,T,A,X(15),X( 1),X( 7),X(12)); - BODY_40_59(48,A,B,C,D,E,T,X( 0),X( 2),X( 8),X(13)); - BODY_40_59(49,T,A,B,C,D,E,X( 1),X( 3),X( 9),X(14)); - BODY_40_59(50,E,T,A,B,C,D,X( 2),X( 4),X(10),X(15)); - BODY_40_59(51,D,E,T,A,B,C,X( 3),X( 5),X(11),X( 0)); - BODY_40_59(52,C,D,E,T,A,B,X( 4),X( 6),X(12),X( 1)); - BODY_40_59(53,B,C,D,E,T,A,X( 5),X( 7),X(13),X( 2)); - BODY_40_59(54,A,B,C,D,E,T,X( 6),X( 8),X(14),X( 3)); - BODY_40_59(55,T,A,B,C,D,E,X( 7),X( 9),X(15),X( 4)); - BODY_40_59(56,E,T,A,B,C,D,X( 8),X(10),X( 0),X( 5)); - BODY_40_59(57,D,E,T,A,B,C,X( 9),X(11),X( 1),X( 6)); - BODY_40_59(58,C,D,E,T,A,B,X(10),X(12),X( 2),X( 7)); - BODY_40_59(59,B,C,D,E,T,A,X(11),X(13),X( 3),X( 8)); - - BODY_60_79(60,A,B,C,D,E,T,X(12),X(14),X( 4),X( 9)); - BODY_60_79(61,T,A,B,C,D,E,X(13),X(15),X( 5),X(10)); - BODY_60_79(62,E,T,A,B,C,D,X(14),X( 0),X( 6),X(11)); - BODY_60_79(63,D,E,T,A,B,C,X(15),X( 1),X( 7),X(12)); - BODY_60_79(64,C,D,E,T,A,B,X( 0),X( 2),X( 8),X(13)); - BODY_60_79(65,B,C,D,E,T,A,X( 1),X( 3),X( 9),X(14)); - BODY_60_79(66,A,B,C,D,E,T,X( 2),X( 4),X(10),X(15)); - BODY_60_79(67,T,A,B,C,D,E,X( 3),X( 5),X(11),X( 0)); - BODY_60_79(68,E,T,A,B,C,D,X( 4),X( 6),X(12),X( 1)); - BODY_60_79(69,D,E,T,A,B,C,X( 5),X( 7),X(13),X( 2)); - BODY_60_79(70,C,D,E,T,A,B,X( 6),X( 8),X(14),X( 3)); - BODY_60_79(71,B,C,D,E,T,A,X( 7),X( 9),X(15),X( 4)); - BODY_60_79(72,A,B,C,D,E,T,X( 8),X(10),X( 0),X( 5)); - BODY_60_79(73,T,A,B,C,D,E,X( 9),X(11),X( 1),X( 6)); - BODY_60_79(74,E,T,A,B,C,D,X(10),X(12),X( 2),X( 7)); - BODY_60_79(75,D,E,T,A,B,C,X(11),X(13),X( 3),X( 8)); - BODY_60_79(76,C,D,E,T,A,B,X(12),X(14),X( 4),X( 9)); - BODY_60_79(77,B,C,D,E,T,A,X(13),X(15),X( 5),X(10)); - BODY_60_79(78,A,B,C,D,E,T,X(14),X( 0),X( 6),X(11)); - 
BODY_60_79(79,T,A,B,C,D,E,X(15),X( 1),X( 7),X(12)); - - c->h0=(c->h0+E)&0xffffffffL; - c->h1=(c->h1+T)&0xffffffffL; - c->h2=(c->h2+A)&0xffffffffL; - c->h3=(c->h3+B)&0xffffffffL; - c->h4=(c->h4+C)&0xffffffffL; - - if (--num == 0) break; - - A=c->h0; - B=c->h1; - C=c->h2; - D=c->h3; - E=c->h4; - - } - } -#endif - -#else /* OPENSSL_SMALL_FOOTPRINT */ - -#define BODY_00_15(xi) do { \ - T=E+K_00_19+F_00_19(B,C,D); \ - E=D, D=C, C=ROTATE(B,30), B=A; \ - A=ROTATE(A,5)+T+xi; } while(0) - -#define BODY_16_19(xa,xb,xc,xd) do { \ - Xupdate(T,xa,xa,xb,xc,xd); \ - T+=E+K_00_19+F_00_19(B,C,D); \ - E=D, D=C, C=ROTATE(B,30), B=A; \ - A=ROTATE(A,5)+T; } while(0) - -#define BODY_20_39(xa,xb,xc,xd) do { \ - Xupdate(T,xa,xa,xb,xc,xd); \ - T+=E+K_20_39+F_20_39(B,C,D); \ - E=D, D=C, C=ROTATE(B,30), B=A; \ - A=ROTATE(A,5)+T; } while(0) - -#define BODY_40_59(xa,xb,xc,xd) do { \ - Xupdate(T,xa,xa,xb,xc,xd); \ - T+=E+K_40_59+F_40_59(B,C,D); \ - E=D, D=C, C=ROTATE(B,30), B=A; \ - A=ROTATE(A,5)+T; } while(0) - -#define BODY_60_79(xa,xb,xc,xd) do { \ - Xupdate(T,xa,xa,xb,xc,xd); \ - T=E+K_60_79+F_60_79(B,C,D); \ - E=D, D=C, C=ROTATE(B,30), B=A; \ - A=ROTATE(A,5)+T+xa; } while(0) - -#if !defined(SHA1_ASM) -static void HASH_BLOCK_DATA_ORDER (SHA_CTX *c, const void *p, size_t num) - { - const unsigned char *data=p; - unsigned MD32_REG_T A,B,C,D,E,T,l; - int i; - SHA_LONG X[16]; - - A=c->h0; - B=c->h1; - C=c->h2; - D=c->h3; - E=c->h4; - - for (;;) - { - for (i=0;i<16;i++) - { HOST_c2l(data,l); X[i]=l; BODY_00_15(X[i]); } - for (i=0;i<4;i++) - { BODY_16_19(X[i], X[i+2], X[i+8], X[(i+13)&15]); } - for (;i<24;i++) - { BODY_20_39(X[i&15], X[(i+2)&15], X[(i+8)&15],X[(i+13)&15]); } - for (i=0;i<20;i++) - { BODY_40_59(X[(i+8)&15],X[(i+10)&15],X[i&15], X[(i+5)&15]); } - for (i=4;i<24;i++) - { BODY_60_79(X[(i+8)&15],X[(i+10)&15],X[i&15], X[(i+5)&15]); } - - c->h0=(c->h0+A)&0xffffffffL; - c->h1=(c->h1+B)&0xffffffffL; - c->h2=(c->h2+C)&0xffffffffL; - c->h3=(c->h3+D)&0xffffffffL; - 
c->h4=(c->h4+E)&0xffffffffL; - - if (--num == 0) break; - - A=c->h0; - B=c->h1; - C=c->h2; - D=c->h3; - E=c->h4; - - } - } -#endif - -#endif diff --git a/crypto/sm3/sm3.c b/crypto/sm3/sm3.c index ff6240a..1a96146 100644 --- a/crypto/sm3/sm3.c +++ b/crypto/sm3/sm3.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sm3.c,v 1.1 2018/11/11 06:53:31 tb Exp $ */ +/* $OpenBSD: sm3.c,v 1.2 2022/11/26 16:08:54 tb Exp $ */ /* * Copyright (c) 2018, Ribose Inc * @@ -19,7 +19,7 @@ #include -#include "sm3_locl.h" +#include "sm3_local.h" int SM3_Init(SM3_CTX *c) diff --git a/crypto/sm3/sm3_locl.h b/crypto/sm3/sm3_local.h similarity index 97% rename from crypto/sm3/sm3_locl.h rename to crypto/sm3/sm3_local.h index 6ecf809..a941e59 100644 --- a/crypto/sm3/sm3_locl.h +++ b/crypto/sm3/sm3_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sm3_locl.h,v 1.1 2018/11/11 06:53:31 tb Exp $ */ +/* $OpenBSD: sm3_local.h,v 1.1 2022/11/26 16:08:54 tb Exp $ */ /* * Copyright (c) 2018, Ribose Inc * diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c index b76a0d7..65bd321 100644 --- a/crypto/stack/stack.c +++ b/crypto/stack/stack.c @@ -1,4 +1,4 @@ -/* $OpenBSD: stack.c,v 1.20 2018/04/01 00:36:28 schwarze Exp $ */ +/* $OpenBSD: stack.c,v 1.23 2023/04/24 15:35:22 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -79,6 +79,7 @@ int return old; } +LCRYPTO_ALIAS(sk_set_cmp_func); _STACK * sk_dup(_STACK *sk) @@ -105,12 +106,14 @@ err: sk_free(ret); return (NULL); } +LCRYPTO_ALIAS(sk_dup); _STACK * sk_new_null(void) { return sk_new((int (*)(const void *, const void *))0); } +LCRYPTO_ALIAS(sk_new_null); _STACK * sk_new(int (*c)(const void *, const void *)) @@ -134,6 +137,7 @@ err: free(ret); return (NULL); } +LCRYPTO_ALIAS(sk_new); int sk_insert(_STACK *st, void *data, int loc) @@ -160,6 +164,7 @@ sk_insert(_STACK *st, void *data, int loc) st->sorted = 0; return (st->num); } +LCRYPTO_ALIAS(sk_insert); void * sk_delete_ptr(_STACK *st, void *p) 
@@ -171,6 +176,7 @@ sk_delete_ptr(_STACK *st, void *p) return (sk_delete(st, i)); return (NULL); } +LCRYPTO_ALIAS(sk_delete_ptr); void * sk_delete(_STACK *st, int loc) @@ -188,6 +194,7 @@ sk_delete(_STACK *st, int loc) st->num--; return (ret); } +LCRYPTO_ALIAS(sk_delete); static int internal_find(_STACK *st, void *data, int ret_val_options) @@ -219,24 +226,28 @@ sk_find(_STACK *st, void *data) { return internal_find(st, data, OBJ_BSEARCH_FIRST_VALUE_ON_MATCH); } +LCRYPTO_ALIAS(sk_find); int sk_find_ex(_STACK *st, void *data) { return internal_find(st, data, OBJ_BSEARCH_VALUE_ON_NOMATCH); } +LCRYPTO_ALIAS(sk_find_ex); int sk_push(_STACK *st, void *data) { return (sk_insert(st, data, st->num)); } +LCRYPTO_ALIAS(sk_push); int sk_unshift(_STACK *st, void *data) { return (sk_insert(st, data, 0)); } +LCRYPTO_ALIAS(sk_unshift); void * sk_shift(_STACK *st) @@ -247,6 +258,7 @@ sk_shift(_STACK *st) return (NULL); return (sk_delete(st, 0)); } +LCRYPTO_ALIAS(sk_shift); void * sk_pop(_STACK *st) @@ -257,6 +269,7 @@ sk_pop(_STACK *st) return (NULL); return (sk_delete(st, st->num - 1)); } +LCRYPTO_ALIAS(sk_pop); void sk_zero(_STACK *st) @@ -268,6 +281,7 @@ sk_zero(_STACK *st) memset(st->data, 0, sizeof(st->data)*st->num); st->num = 0; } +LCRYPTO_ALIAS(sk_zero); void sk_pop_free(_STACK *st, void (*func)(void *)) @@ -281,6 +295,7 @@ sk_pop_free(_STACK *st, void (*func)(void *)) func(st->data[i]); sk_free(st); } +LCRYPTO_ALIAS(sk_pop_free); void sk_free(_STACK *st) @@ -290,6 +305,7 @@ sk_free(_STACK *st) free(st->data); free(st); } +LCRYPTO_ALIAS(sk_free); int sk_num(const _STACK *st) @@ -298,6 +314,7 @@ sk_num(const _STACK *st) return -1; return st->num; } +LCRYPTO_ALIAS(sk_num); void * sk_value(const _STACK *st, int i) @@ -306,6 +323,7 @@ sk_value(const _STACK *st, int i) return NULL; return st->data[i]; } +LCRYPTO_ALIAS(sk_value); void * sk_set(_STACK *st, int i, void *value) 
@@ -315,6 +333,7 @@ sk_set(_STACK *st, int i, void *value) st->sorted = 0; return (st->data[i] = value); } +LCRYPTO_ALIAS(sk_set); void sk_sort(_STACK *st) @@ -332,11 +351,22 @@ sk_sort(_STACK *st) st->sorted = 1; } } +LCRYPTO_ALIAS(sk_sort); int sk_is_sorted(const _STACK *st) { - if (!st) + if (st == NULL) return 1; - return st->sorted; + + if (st->sorted) + return 1; + + /* If there is no comparison function we cannot sort. */ + if (st->comp == NULL) + return 0; + + /* Lists with zero or one elements are always sorted. */ + return st->num <= 1; } +LCRYPTO_ALIAS(sk_is_sorted); diff --git a/crypto/ts/ts_asn1.c b/crypto/ts/ts_asn1.c index bc89f13..6537f1c 100644 --- a/crypto/ts/ts_asn1.c +++ b/crypto/ts/ts_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_asn1.c,v 1.11 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ts_asn1.c,v 1.13 2022/07/24 08:16:47 tb Exp $ */ /* Written by Nils Larsch for the OpenSSL project 2004. */ /* ==================================================================== @@ -61,6 +61,8 @@ #include #include +#include "ts_local.h" + static const ASN1_TEMPLATE TS_MSG_IMPRINT_seq_tt[] = { { .flags = 0, 
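Review bot: sk_is_sorted now reports 1 for an empty or single-element stack that has a comparison function even though `st->sorted` is still 0, so callers that previously saw 0 for a freshly created list get a different answer; the function has no header comment stating this contract and should get one, e.g. `/* Returns 1 if st is NULL, flagged sorted, or has a comparator and at most one element; 0 if it has no comparator or is unsorted. */`. Checking `st->comp == NULL` before the size test is the right order, since a stack without a comparator can neither be sorted nor searched, and the `== NULL` spelling matches the new-side style elsewhere in this file. Leaving `st->sorted` untouched is consistent with the `const` parameter.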
@@ -846,6 +848,129 @@ ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *x)
 return ASN1_item_dup(&ESS_SIGNING_CERT_it, x);
 }
+static const ASN1_TEMPLATE ESS_CERT_ID_V2_seq_tt[] = {
+ {
+ .flags = ASN1_TFLG_OPTIONAL,
+ .tag = 0,
+ .offset = offsetof(ESS_CERT_ID_V2, hash_alg),
+ .field_name = "hash_alg",
+ .item = &X509_ALGOR_it,
+ },
+ {
+ .flags = 0,
+ .tag = 0,
+ .offset = offsetof(ESS_CERT_ID_V2, hash),
+ .field_name = "hash",
+ .item = &ASN1_OCTET_STRING_it,
+ },
+ {
+ .flags = ASN1_TFLG_OPTIONAL,
+ .tag = 0,
+ .offset = offsetof(ESS_CERT_ID_V2, issuer_serial),
+ .field_name = "issuer_serial",
+ .item = &ESS_ISSUER_SERIAL_it,
+ },
+};
+
+static const ASN1_ITEM ESS_CERT_ID_V2_it = {
+ .itype = ASN1_ITYPE_SEQUENCE,
+ .utype = V_ASN1_SEQUENCE,
+ .templates = ESS_CERT_ID_V2_seq_tt,
+ .tcount = sizeof(ESS_CERT_ID_V2_seq_tt) / sizeof(ASN1_TEMPLATE),
+ .funcs = NULL,
+ .size = sizeof(ESS_CERT_ID_V2),
+ .sname = "ESS_CERT_ID_V2",
+};
+
+ESS_CERT_ID_V2 *
+d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, const unsigned char **in, long len)
+{
+ return (ESS_CERT_ID_V2 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len,
+ &ESS_CERT_ID_V2_it);
+}
+
+int
+i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **out)
+{
+ return ASN1_item_i2d((ASN1_VALUE *)a, out, &ESS_CERT_ID_V2_it);
+}
+
+ESS_CERT_ID_V2 *
+ESS_CERT_ID_V2_new(void)
+{
+ return (ESS_CERT_ID_V2 *)ASN1_item_new(&ESS_CERT_ID_V2_it);
+}
+
+void
+ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a)
+{
+ ASN1_item_free((ASN1_VALUE *)a, &ESS_CERT_ID_V2_it);
+}
+
+ESS_CERT_ID_V2 *
+ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *x)
+{
+ return ASN1_item_dup(&ESS_CERT_ID_V2_it, x);
+}
+
+static const ASN1_TEMPLATE ESS_SIGNING_CERT_V2_seq_tt[] = {
+ {
+ .flags = ASN1_TFLG_SEQUENCE_OF,
+ .tag = 0,
+ .offset = offsetof(ESS_SIGNING_CERT_V2, cert_ids),
+ .field_name = "cert_ids",
+ .item = &ESS_CERT_ID_V2_it,
+ },
+ {
+ .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_OPTIONAL,
+ .tag = 0,
+ .offset = offsetof(ESS_SIGNING_CERT_V2, policy_info),
+ .field_name = "policy_info",
+ .item
= &POLICYINFO_it, + }, +}; + +static const ASN1_ITEM ESS_SIGNING_CERT_V2_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = ESS_SIGNING_CERT_V2_seq_tt, + .tcount = sizeof(ESS_SIGNING_CERT_V2_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(ESS_SIGNING_CERT_V2), + .sname = "ESS_SIGNING_CERT_V2", +}; + +ESS_SIGNING_CERT_V2 * +d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a, const unsigned char **in, long len) +{ + return (ESS_SIGNING_CERT_V2 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &ESS_SIGNING_CERT_V2_it); +} + +int +i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &ESS_SIGNING_CERT_V2_it); +} + +ESS_SIGNING_CERT_V2 * +ESS_SIGNING_CERT_V2_new(void) +{ + return (ESS_SIGNING_CERT_V2 *)ASN1_item_new(&ESS_SIGNING_CERT_V2_it); +} + +void +ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a) +{ + ASN1_item_free((ASN1_VALUE *)a, &ESS_SIGNING_CERT_V2_it); +} + +ESS_SIGNING_CERT_V2 * +ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *x) +{ + return ASN1_item_dup(&ESS_SIGNING_CERT_V2_it, x); +} + /* Getting encapsulated TS_TST_INFO object from PKCS7. */ TS_TST_INFO * PKCS7_to_TS_TST_INFO(PKCS7 *token) diff --git a/crypto/ts/ts_err.c b/crypto/ts/ts_err.c index 4b89909..ddd532a 100644 --- a/crypto/ts/ts_err.c +++ b/crypto/ts/ts_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_err.c,v 1.5 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ts_err.c,v 1.6 2022/07/12 14:42:50 kn Exp $ */ /* ==================================================================== * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * @@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include 
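Review bot: The `hash_alg` entry of ESS_CERT_ID_V2_seq_tt is flagged ASN1_TFLG_OPTIONAL, while the ASN.1 it models (quoted in ts_local.h on this page) says `hashAlgorithm AlgorithmIdentifier DEFAULT {algorithm id-sha256}`; DER omits DEFAULT values, so a decoded `hash_alg == NULL` means SHA-256 and every consumer must substitute that default rather than treat the algorithm as absent. A comment on the template entry, `/* DEFAULT id-sha256: omitted in DER, so NULL here means SHA-256. */`, records that at the place the decision is made. Consumers should also confirm that `hash` has the digest length of the (possibly defaulted) algorithm before comparing it to a certificate hash; that check is not in this hunk and I cannot see whether the verify code performs it.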
@@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_TS,func,0) diff --git a/crypto/ts/ts_lib.c b/crypto/ts/ts_lib.c index b6d50a3..ae715fb 100644 --- a/crypto/ts/ts_lib.c +++ b/crypto/ts/ts_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_lib.c,v 1.12 2021/12/04 16:08:32 tb Exp $ */ +/* $OpenBSD: ts_lib.c,v 1.13 2022/11/26 16:08:54 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -64,8 +64,8 @@ #include #include -#include "bn_lcl.h" -#include "x509_lcl.h" +#include "bn_local.h" +#include "x509_local.h" /* Local function declarations. */ diff --git a/crypto/ts/ts_local.h b/crypto/ts/ts_local.h new file mode 100644 index 0000000..07c9861 --- /dev/null +++ b/crypto/ts/ts_local.h 
@@ -0,0 +1,316 @@ +/* $OpenBSD: ts_local.h,v 1.3 2022/11/26 17:23:18 tb Exp $ */ +/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL + * project 2002, 2003, 2004. + */ +/* ==================================================================== + * Copyright (c) 2006 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). 
+ * + */ + +#ifndef HEADER_TS_LOCAL_H +#define HEADER_TS_LOCAL_H + +__BEGIN_HIDDEN_DECLS + +/* + * MessageImprint ::= SEQUENCE { + * hashAlgorithm AlgorithmIdentifier, + * hashedMessage OCTET STRING } + */ + +struct TS_msg_imprint_st { + X509_ALGOR *hash_algo; + ASN1_OCTET_STRING *hashed_msg; +}; + +/* + * TimeStampReq ::= SEQUENCE { + * version INTEGER { v1(1) }, + * messageImprint MessageImprint, + * --a hash algorithm OID and the hash value of the data to be + * --time-stamped + * reqPolicy TSAPolicyId OPTIONAL, + * nonce INTEGER OPTIONAL, + * certReq BOOLEAN DEFAULT FALSE, + * extensions [0] IMPLICIT Extensions OPTIONAL } + */ + +struct TS_req_st { + ASN1_INTEGER *version; + TS_MSG_IMPRINT *msg_imprint; + ASN1_OBJECT *policy_id; /* OPTIONAL */ + ASN1_INTEGER *nonce; /* OPTIONAL */ + ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */ + STACK_OF(X509_EXTENSION) *extensions; /* [0] OPTIONAL */ +}; + +/* + * Accuracy ::= SEQUENCE { + * seconds INTEGER OPTIONAL, + * millis [0] INTEGER (1..999) OPTIONAL, + * micros [1] INTEGER (1..999) OPTIONAL } + */ + +struct TS_accuracy_st { + ASN1_INTEGER *seconds; + ASN1_INTEGER *millis; + ASN1_INTEGER *micros; +}; + +/* + * TSTInfo ::= SEQUENCE { + * version INTEGER { v1(1) }, + * policy TSAPolicyId, + * messageImprint MessageImprint, + * -- MUST have the same value as the similar field in + * -- TimeStampReq + * serialNumber INTEGER, + * -- Time-Stamping users MUST be ready to accommodate integers + * -- up to 160 bits. + * genTime GeneralizedTime, + * accuracy Accuracy OPTIONAL, + * ordering BOOLEAN DEFAULT FALSE, + * nonce INTEGER OPTIONAL, + * -- MUST be present if the similar field was present + * -- in TimeStampReq. In that case it MUST have the same value. 
+ * tsa [0] GeneralName OPTIONAL, + * extensions [1] IMPLICIT Extensions OPTIONAL } + */ + +struct TS_tst_info_st { + ASN1_INTEGER *version; + ASN1_OBJECT *policy_id; + TS_MSG_IMPRINT *msg_imprint; + ASN1_INTEGER *serial; + ASN1_GENERALIZEDTIME *time; + TS_ACCURACY *accuracy; + ASN1_BOOLEAN ordering; + ASN1_INTEGER *nonce; + GENERAL_NAME *tsa; + STACK_OF(X509_EXTENSION) *extensions; +}; + +/* + * PKIStatusInfo ::= SEQUENCE { + * status PKIStatus, + * statusString PKIFreeText OPTIONAL, + * failInfo PKIFailureInfo OPTIONAL } + * + * From RFC 1510 - section 3.1.1: + * PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String + * -- text encoded as UTF-8 String (note: each UTF8String SHOULD + * -- include an RFC 1766 language tag to indicate the language + * -- of the contained text) + */ + +struct TS_status_info_st { + ASN1_INTEGER *status; + STACK_OF(ASN1_UTF8STRING) *text; + ASN1_BIT_STRING *failure_info; +}; + +/* + * TimeStampResp ::= SEQUENCE { + * status PKIStatusInfo, + * timeStampToken TimeStampToken OPTIONAL } + */ + +struct TS_resp_st { + TS_STATUS_INFO *status_info; + PKCS7 *token; + TS_TST_INFO *tst_info; +}; + +/* The structure below would belong to the ESS component. */ + +/* + * IssuerSerial ::= SEQUENCE { + * issuer GeneralNames, + * serialNumber CertificateSerialNumber + * } + */ + +struct ESS_issuer_serial { + STACK_OF(GENERAL_NAME) *issuer; + ASN1_INTEGER *serial; +}; + +/* + * ESSCertID ::= SEQUENCE { + * certHash Hash, + * issuerSerial IssuerSerial OPTIONAL + * } + */ + +struct ESS_cert_id { + ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. 
*/ + ESS_ISSUER_SERIAL *issuer_serial; +}; + +/* + * SigningCertificate ::= SEQUENCE { + * certs SEQUENCE OF ESSCertID, + * policies SEQUENCE OF PolicyInformation OPTIONAL + * } + */ + +struct ESS_signing_cert { + STACK_OF(ESS_CERT_ID) *cert_ids; + STACK_OF(POLICYINFO) *policy_info; +}; + +/* + * ESSCertIDv2 ::= SEQUENCE { + * hashAlgorithm AlgorithmIdentifier + * DEFAULT {algorithm id-sha256}, + * certHash Hash, + * issuerSerial IssuerSerial OPTIONAL } + */ + +struct ESS_cert_id_v2 { + X509_ALGOR *hash_alg; /* Default SHA-256. */ + ASN1_OCTET_STRING *hash; + ESS_ISSUER_SERIAL *issuer_serial; +}; + +/* + * SigningCertificateV2 ::= SEQUENCE { + * certs SEQUENCE OF ESSCertIDv2, + * policies SEQUENCE OF PolicyInformation OPTIONAL } + */ + +struct ESS_signing_cert_v2 { + STACK_OF(ESS_CERT_ID_V2) *cert_ids; + STACK_OF(POLICYINFO) *policy_info; +}; + +struct TS_resp_ctx { + X509 *signer_cert; + EVP_PKEY *signer_key; + STACK_OF(X509) *certs; /* Certs to include in signed data. */ + STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */ + ASN1_OBJECT *default_policy; /* It may appear in policies, too. */ + STACK_OF(EVP_MD) *mds; /* Acceptable message digests. */ + ASN1_INTEGER *seconds; /* accuracy, 0 means not specified. */ + ASN1_INTEGER *millis; /* accuracy, 0 means not specified. */ + ASN1_INTEGER *micros; /* accuracy, 0 means not specified. */ + unsigned clock_precision_digits; /* fraction of seconds in + time stamp token. */ + unsigned flags; /* Optional info, see values above. */ + + /* Callback functions. */ + TS_serial_cb serial_cb; + void *serial_cb_data; /* User data for serial_cb. */ + + TS_time_cb time_cb; + void *time_cb_data; /* User data for time_cb. */ + + TS_extension_cb extension_cb; + void *extension_cb_data; /* User data for extension_cb. */ + + /* These members are used only while creating the response. */ + TS_REQ *request; + TS_RESP *response; + TS_TST_INFO *tst_info; +}; + +/* Context structure for the generic verify method. 
*/ + +struct TS_verify_ctx { + /* Set this to the union of TS_VFY_... flags you want to carry out. */ + unsigned flags; + + /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */ + X509_STORE *store; + STACK_OF(X509) *certs; + + /* Must be set only with TS_VFY_POLICY. */ + ASN1_OBJECT *policy; + + /* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL, + the algorithm from the response is used. */ + X509_ALGOR *md_alg; + unsigned char *imprint; + unsigned imprint_len; + + /* Must be set only with TS_VFY_DATA. */ + BIO *data; + + /* Must be set only with TS_VFY_TSA_NAME. */ + ASN1_INTEGER *nonce; + + /* Must be set only with TS_VFY_TSA_NAME. */ + GENERAL_NAME *tsa_name; +}; + +/* + * Public OpenSSL API that we do not currently want to expose. + */ + +ESS_CERT_ID_V2 *ESS_CERT_ID_V2_new(void); +void ESS_CERT_ID_V2_free(ESS_CERT_ID_V2 *a); +int i2d_ESS_CERT_ID_V2(const ESS_CERT_ID_V2 *a, unsigned char **pp); +ESS_CERT_ID_V2 *d2i_ESS_CERT_ID_V2(ESS_CERT_ID_V2 **a, const unsigned char **pp, + long length); +ESS_CERT_ID_V2 *ESS_CERT_ID_V2_dup(ESS_CERT_ID_V2 *a); + +ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_new(void); +void ESS_SIGNING_CERT_V2_free(ESS_SIGNING_CERT_V2 *a); +int i2d_ESS_SIGNING_CERT_V2(const ESS_SIGNING_CERT_V2 *a, + unsigned char **pp); +ESS_SIGNING_CERT_V2 *d2i_ESS_SIGNING_CERT_V2(ESS_SIGNING_CERT_V2 **a, + const unsigned char **pp, long length); +ESS_SIGNING_CERT_V2 *ESS_SIGNING_CERT_V2_dup(ESS_SIGNING_CERT_V2 *a); + +__END_HIDDEN_DECLS + +#endif /* !HEADER_TS_LOCAL_H */ diff --git a/crypto/ts/ts_req_utils.c b/crypto/ts/ts_req_utils.c index 6b9c13f..8d9d6f3 100644 --- a/crypto/ts/ts_req_utils.c +++ b/crypto/ts/ts_req_utils.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_req_utils.c,v 1.6 2018/05/13 15:04:05 tb Exp $ */ +/* $OpenBSD: ts_req_utils.c,v 1.7 2022/07/24 08:16:47 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ 
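Review bot: In `struct TS_verify_ctx` the comment above `ASN1_INTEGER *nonce;` reads `/* Must be set only with TS_VFY_TSA_NAME. */`, duplicating the line above `tsa_name`; the nonce belongs to the nonce check, so it should read `/* Must be set only with TS_VFY_NONCE. */`. In `struct TS_resp_ctx`, `unsigned flags; /* Optional info, see values above. */` refers to flag values that are not in this header, so "above" should name where they are defined (the public ts.h, presumably). Both are comment-only fixes to the new file.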
@@ -63,6 +63,8 @@ #include #include +#include "ts_local.h" + int TS_REQ_set_version(TS_REQ *a, long version) { diff --git a/crypto/ts/ts_rsp_print.c b/crypto/ts/ts_rsp_print.c index c442b71..cfff955 100644 --- a/crypto/ts/ts_rsp_print.c +++ b/crypto/ts/ts_rsp_print.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_rsp_print.c,v 1.5 2014/07/11 08:44:49 jsing Exp $ */ +/* $OpenBSD: ts_rsp_print.c,v 1.6 2022/07/24 08:16:47 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -63,6 +63,8 @@ #include #include +#include "ts_local.h" + struct status_map_st { int bit; const char *text; diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index 470cbfb..7ebadb1 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_rsp_sign.c,v 1.26 2021/12/12 21:30:14 tb Exp $ */ +/* $OpenBSD: ts_rsp_sign.c,v 1.30 2022/11/26 16:08:54 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -65,8 +65,9 @@ #include #include -#include "evp_locl.h" -#include "x509_lcl.h" +#include "evp_local.h" +#include "ts_local.h" +#include "x509_local.h" /* Private function declarations. */ @@ -142,6 +143,13 @@ def_extension_cb(struct TS_resp_ctx *ctx, X509_EXTENSION *ext, void *data) return 0; } +void +TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data) +{ + ctx->time_cb = cb; + ctx->time_cb_data = data; +} + /* TS_RESP_CTX management functions. */ TS_RESP_CTX * @@ -654,7 +662,7 @@ TS_RESP_create_tst_info(TS_RESP_CTX *ctx, ASN1_OBJECT *policy) goto end; tsa_name->type = GEN_DIRNAME; tsa_name->d.dirn = - X509_NAME_dup(ctx->signer_cert->cert_info->subject); + X509_NAME_dup(X509_get_subject_name(ctx->signer_cert)); if (!tsa_name->d.dirn) goto end; if (!TS_TST_INFO_set_tsa(tst_info, tsa_name)) 
@@ -874,7 +882,7 @@ ESS_CERT_ID_new_init(X509 *cert, int issuer_needed) if (!(name = GENERAL_NAME_new())) goto err; name->type = GEN_DIRNAME; - if (!(name->d.dirn = X509_NAME_dup(cert->cert_info->issuer))) + if ((name->d.dirn = X509_NAME_dup(X509_get_issuer_name(cert))) == NULL) goto err; if (!sk_GENERAL_NAME_push(cid->issuer_serial->issuer, name)) goto err; @@ -882,7 +890,7 @@ ESS_CERT_ID_new_init(X509 *cert, int issuer_needed) /* Setting the serial number. */ ASN1_INTEGER_free(cid->issuer_serial->serial); if (!(cid->issuer_serial->serial = - ASN1_INTEGER_dup(cert->cert_info->serialNumber))) + ASN1_INTEGER_dup(X509_get_serialNumber(cert)))) goto err; } diff --git a/crypto/ts/ts_rsp_utils.c b/crypto/ts/ts_rsp_utils.c index 233df86..2e37f26 100644 --- a/crypto/ts/ts_rsp_utils.c +++ b/crypto/ts/ts_rsp_utils.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_rsp_utils.c,v 1.7 2018/05/13 15:35:46 tb Exp $ */ +/* $OpenBSD: ts_rsp_utils.c,v 1.9 2022/07/24 19:25:36 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -63,6 +63,8 @@ #include #include +#include "ts_local.h" + /* Function definitions. */ int @@ -89,6 +91,30 @@ TS_RESP_get_status_info(TS_RESP *a) return a->status_info; } +const ASN1_UTF8STRING * +TS_STATUS_INFO_get0_failure_info(const TS_STATUS_INFO *si) +{ + return si->failure_info; +} + +const STACK_OF(ASN1_UTF8STRING) * +TS_STATUS_INFO_get0_text(const TS_STATUS_INFO *si) +{ + return si->text; +} + +const ASN1_INTEGER * +TS_STATUS_INFO_get0_status(const TS_STATUS_INFO *si) +{ + return si->status; +} + +int +TS_STATUS_INFO_set_status(TS_STATUS_INFO *si, int i) +{ + return ASN1_INTEGER_set(si->status, i); +} + /* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */ void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info) diff --git a/crypto/ts/ts_rsp_verify.c b/crypto/ts/ts_rsp_verify.c index 8b15760..dc467d8 100644 --- a/crypto/ts/ts_rsp_verify.c +++ b/crypto/ts/ts_rsp_verify.c 
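Review bot: TS_STATUS_INFO_get0_failure_info returns `const ASN1_UTF8STRING *`, but PKIStatusInfo.failInfo is a PKIFailureInfo BIT STRING (RFC 3161 §2.4.2), so if the `failure_info` member in ts_local.h is an `ASN1_BIT_STRING *` as that suggests, the accessor should return `const ASN1_BIT_STRING *`. Both names are typedefs of ASN1_STRING, so the compiler will not flag the mismatch; the struct definition is outside this chunk, so confirm it there before changing the prototype. None of the four new accessors check `si` for NULL, which matches the neighbouring TS_RESP_get_status_info, so a one-line comment above them such as `/* si must not be NULL. */` would make the contract explicit.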
@@ -1,4 +1,4 @@ -/* $OpenBSD: ts_rsp_verify.c,v 1.24 2021/12/12 21:30:14 tb Exp $ */ +/* $OpenBSD: ts_rsp_verify.c,v 1.29 2022/11/26 16:08:54 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -64,8 +64,9 @@ #include #include -#include "evp_locl.h" -#include "x509_lcl.h" +#include "evp_local.h" +#include "ts_local.h" +#include "x509_local.h" /* Private function declarations. */ @@ -74,7 +75,9 @@ static int TS_verify_cert(X509_STORE *store, STACK_OF(X509) *untrusted, static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain); static ESS_SIGNING_CERT *ESS_get_signing_cert(PKCS7_SIGNER_INFO *si); static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert); -static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo); +static ESS_SIGNING_CERT_V2 *ESS_get_signing_cert_v2(PKCS7_SIGNER_INFO *si); +static int TS_find_cert_v2(STACK_OF(ESS_CERT_ID_V2) *cert_ids, X509 *cert); +static int TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert); static int int_TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token, TS_TST_INFO *tst_info); static int TS_check_status_info(TS_RESP *response); 
@@ -272,36 +275,67 @@ err: static int TS_check_signing_certs(PKCS7_SIGNER_INFO *si, STACK_OF(X509) *chain) { - ESS_SIGNING_CERT *ss = ESS_get_signing_cert(si); - STACK_OF(ESS_CERT_ID) *cert_ids = NULL; + ESS_SIGNING_CERT *ss = NULL; + STACK_OF(ESS_CERT_ID) *cert_ids; + ESS_SIGNING_CERT_V2 *ssv2 = NULL; + STACK_OF(ESS_CERT_ID_V2) *cert_ids_v2; X509 *cert; int i = 0; int ret = 0; - if (!ss) - goto err; - cert_ids = ss->cert_ids; - /* The signer certificate must be the first in cert_ids. */ - cert = sk_X509_value(chain, 0); - if (TS_find_cert(cert_ids, cert) != 0) - goto err; + if ((ss = ESS_get_signing_cert(si)) != NULL) { + cert_ids = ss->cert_ids; + /* The signer certificate must be the first in cert_ids. */ + cert = sk_X509_value(chain, 0); - /* Check the other certificates of the chain if there are more - than one certificate ids in cert_ids. */ - if (sk_ESS_CERT_ID_num(cert_ids) > 1) { - /* All the certificates of the chain must be in cert_ids. */ - for (i = 1; i < sk_X509_num(chain); ++i) { - cert = sk_X509_value(chain, i); - if (TS_find_cert(cert_ids, cert) < 0) - goto err; + if (TS_find_cert(cert_ids, cert) != 0) + goto err; + + /* + * Check the other certificates of the chain if there are more + * than one certificate ids in cert_ids. + */ + if (sk_ESS_CERT_ID_num(cert_ids) > 1) { + /* All the certificates of the chain must be in cert_ids. */ + for (i = 1; i < sk_X509_num(chain); i++) { + cert = sk_X509_value(chain, i); + + if (TS_find_cert(cert_ids, cert) < 0) + goto err; + } } } + + if ((ssv2 = ESS_get_signing_cert_v2(si)) != NULL) { + cert_ids_v2 = ssv2->cert_ids; + /* The signer certificate must be the first in cert_ids_v2. */ + cert = sk_X509_value(chain, 0); + + if (TS_find_cert_v2(cert_ids_v2, cert) != 0) + goto err; + + /* + * Check the other certificates of the chain if there are more + * than one certificate ids in cert_ids_v2. + */ + if (sk_ESS_CERT_ID_V2_num(cert_ids_v2) > 1) { + /* All the certificates of the chain must be in cert_ids_v2. 
*/ + for (i = 1; i < sk_X509_num(chain); i++) { + cert = sk_X509_value(chain, i); + + if (TS_find_cert_v2(cert_ids_v2, cert) < 0) + goto err; + } + } + } + ret = 1; err: if (!ret) TSerror(TS_R_ESS_SIGNING_CERTIFICATE_ERROR); ESS_SIGNING_CERT_free(ss); + ESS_SIGNING_CERT_V2_free(ssv2); return ret; } @@ -321,6 +355,19 @@ ESS_get_signing_cert(PKCS7_SIGNER_INFO *si) return d2i_ESS_SIGNING_CERT(NULL, &p, attr->value.sequence->length); } +static ESS_SIGNING_CERT_V2 * +ESS_get_signing_cert_v2(PKCS7_SIGNER_INFO *si) +{ + ASN1_TYPE *attr; + const unsigned char *p; + + attr = PKCS7_get_signed_attribute(si, NID_id_smime_aa_signingCertificateV2); + if (attr == NULL) + return NULL; + p = attr->value.sequence->data; + return d2i_ESS_SIGNING_CERT_V2(NULL, &p, attr->value.sequence->length); +} + /* Returns < 0 if certificate is not found, certificate index otherwise. */ static int TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) @@ -335,7 +382,8 @@ TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) return -1; /* Recompute SHA1 hash of certificate if necessary (side effect). */ - X509_check_purpose(cert, -1, 0); + if (X509_check_purpose(cert, -1, 0) == -1) + return -1; /* Look for cert in the cert_ids vector. */ for (i = 0; i < sk_ESS_CERT_ID_num(cert_ids); ++i) { 
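Review bot: TS_check_signing_certs now reaches `ret = 1;` when neither an ESS signingCertificate nor a signingCertificateV2 attribute is present, because the removed `if (!ss) goto err;` has no replacement and both new blocks are skipped when their getter returns NULL; a token with no signing-certificate binding at all (or one whose attribute fails to decode, since the getters return NULL in both cases) now passes this check. RFC 3161 §2.4.2 requires one of these attributes (RFC 5816 adds the V2 form), so add `if (ss == NULL && ssv2 == NULL) goto err;` immediately before `ret = 1;`. When both attributes are present the new code checks both, which is the stricter and correct choice.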
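Review bot: ESS_get_signing_cert_v2 dereferences `attr->value.sequence` without confirming that `attr->type` is `V_ASN1_SEQUENCE`; PKCS7_get_signed_attribute returns whatever ASN1_TYPE the signer placed under that OID, so a differently typed value selects the wrong union member, and for V_ASN1_NULL or V_ASN1_BOOLEAN there is no pointer there to follow. Change the guard to `if (attr == NULL || attr->type != V_ASN1_SEQUENCE) return NULL;`. The pre-existing ESS_get_signing_cert directly above has the same shape and should get the same check in a follow-up.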
@@ -346,7 +394,43 @@ TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) cert_hash, TS_HASH_LEN)) { /* Check the issuer/serial as well if specified. */ ESS_ISSUER_SERIAL *is = cid->issuer_serial; - if (!is || !TS_issuer_serial_cmp(is, cert->cert_info)) + + if (is == NULL || TS_issuer_serial_cmp(is, cert) == 0) + return i; + } + } + + return -1; +} + +/* Returns < 0 if certificate is not found, certificate index otherwise. */ +static int +TS_find_cert_v2(STACK_OF(ESS_CERT_ID_V2) *cert_ids, X509 *cert) +{ + int i; + unsigned char cert_digest[EVP_MAX_MD_SIZE]; + unsigned int len; + + /* Look for cert in the cert_ids vector. */ + for (i = 0; i < sk_ESS_CERT_ID_V2_num(cert_ids); ++i) { + ESS_CERT_ID_V2 *cid = sk_ESS_CERT_ID_V2_value(cert_ids, i); + const EVP_MD *md = EVP_sha256(); + + if (cid->hash_alg != NULL) + md = EVP_get_digestbyobj(cid->hash_alg->algorithm); + if (md == NULL) + return -1; + + if (!X509_digest(cert, md, cert_digest, &len)) + return -1; + + if ((unsigned int)cid->hash->length != len) + return -1; + + if (memcmp(cid->hash->data, cert_digest, cid->hash->length) == 0) { + ESS_ISSUER_SERIAL *is = cid->issuer_serial; + + if (is == NULL || TS_issuer_serial_cmp(is, cert) == 0) return i; } } 
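Review bot: TS_find_cert_v2 lets each ESSCertIDv2 pick the digest used to bind the chain certificate (`md = EVP_get_digestbyobj(cid->hash_alg->algorithm)`), so any digest libcrypto can look up, however weak, is accepted for the identity check, whereas the v1 path is pinned to `TS_HASH_LEN`-sized SHA-1 hashes. Consider rejecting digests shorter than the SHA-256 default the code already assumes, or at least say in the header comment that digest strength is not enforced here. The `Returns < 0 if certificate is not found` comment is also now incomplete: an unknown algorithm, a failed X509_digest or a length mismatch on any single id returns -1 and ends the whole search instead of moving to the next id, which may be intended but should be documented, e.g. `/* Returns -1 if the certificate is not found or any id is malformed. */`.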
@@ -355,21 +439,21 @@ TS_find_cert(STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert) } static int -TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509_CINF *cinfo) +TS_issuer_serial_cmp(ESS_ISSUER_SERIAL *is, X509 *cert) { GENERAL_NAME *issuer; - if (!is || !cinfo || sk_GENERAL_NAME_num(is->issuer) != 1) + if (is == NULL || cert == NULL || sk_GENERAL_NAME_num(is->issuer) != 1) return -1; /* Check the issuer first. It must be a directory name. */ issuer = sk_GENERAL_NAME_value(is->issuer, 0); if (issuer->type != GEN_DIRNAME || - X509_NAME_cmp(issuer->d.dirn, cinfo->issuer)) + X509_NAME_cmp(issuer->d.dirn, X509_get_issuer_name(cert))) return -1; /* Check the serial number, too. */ - if (ASN1_INTEGER_cmp(is->serial, cinfo->serialNumber)) + if (ASN1_INTEGER_cmp(is->serial, X509_get_serialNumber(cert))) return -1; return 0; @@ -726,7 +810,7 @@ TS_check_signer_name(GENERAL_NAME *tsa_name, X509 *signer) /* Check the subject name first. */ if (tsa_name->type == GEN_DIRNAME && - X509_NAME_cmp(tsa_name->d.dirn, signer->cert_info->subject) == 0) + X509_name_cmp(tsa_name->d.dirn, X509_get_subject_name(signer)) == 0) return 1; /* Check all the alternative names. */ diff --git a/crypto/ts/ts_verify_ctx.c b/crypto/ts/ts_verify_ctx.c index 7608a7d..a7b90f9 100644 --- a/crypto/ts/ts_verify_ctx.c +++ b/crypto/ts/ts_verify_ctx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_verify_ctx.c,v 1.9 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ts_verify_ctx.c,v 1.13 2023/04/25 17:52:54 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2003. */ @@ -62,6 +62,8 @@ #include #include +#include "ts_local.h" + TS_VERIFY_CTX * TS_VERIFY_CTX_new(void) { @@ -73,12 +75,6 @@ TS_VERIFY_CTX_new(void) return ctx; } -void -TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx) -{ - memset(ctx, 0, sizeof(TS_VERIFY_CTX)); -} - void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx) { 
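Review bot: The replacement line in TS_check_signer_name uses `X509_name_cmp`, while TS_issuer_serial_cmp in the hunk above uses `X509_NAME_cmp` for the same kind of comparison; `X509_name_cmp` appears to be a lower-case compatibility alias, and mixing the two spellings in one file reads like a typo to the next reader. Prefer `X509_NAME_cmp(tsa_name->d.dirn, X509_get_subject_name(signer)) == 0` for consistency.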
@@ -109,7 +105,71 @@ TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx) GENERAL_NAME_free(ctx->tsa_name); - TS_VERIFY_CTX_init(ctx); + memset(ctx, 0, sizeof(*ctx)); +} + +/* + * XXX: The following accessors demonstrate the amount of care and thought that + * went into OpenSSL 1.1 API design and the review thereof: for whatever reason + * these functions return what was passed in. Correct memory management is left + * as an exercise for the reader... Unfortunately, careful consumers like + * openssl-ruby assume this behavior, so we're stuck with this insanity. The + * cherry on top is the TS_VERIFY_CTS_set_certs() [sic!] function that made it + * into the public API. + * + * Outstanding job, R$ and tjh, A+. + */ + +int +TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags) +{ + ctx->flags |= flags; + + return ctx->flags; +} + +int +TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags) +{ + ctx->flags = flags; + + return ctx->flags; +} + +BIO * +TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *bio) +{ + ctx->data = bio; + + return ctx->data; +} + +X509_STORE * +TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *store) +{ + ctx->store = store; + + return ctx->store; +} + +STACK_OF(X509) * +TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs) +{ + ctx->certs = certs; + + return ctx->certs; +} + +unsigned char * +TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, unsigned char *imprint, + long imprint_len) +{ + free(ctx->imprint); + + ctx->imprint = imprint; + ctx->imprint_len = imprint_len; + + return ctx->imprint; } TS_VERIFY_CTX * diff --git a/crypto/ui/ui_err.c b/crypto/ui/ui_err.c index 8451d63..3f875da 100644 --- a/crypto/ui/ui_err.c +++ b/crypto/ui/ui_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ui_err.c,v 1.9 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ui_err.c,v 1.12 2023/02/16 08:38:17 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. * 
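Review bot: TS_VERIFY_CTX_set_imprint stores its `long imprint_len` into the `unsigned imprint_len` member declared in ts_local.h earlier in this diff, so a negative length silently becomes a very large unsigned value that later imprint comparisons would trust; reject it with `if (imprint_len < 0) return NULL;` before the `free(ctx->imprint)`. Ownership is also inconsistent across the new setters: set_imprint frees the previous buffer, while set_data, set_store and set_certs overwrite the previous pointer without freeing it, so a caller that replaces one of those presumably leaks whatever TS_VERIFY_CTX_cleanup would otherwise have released. The block comment explains the odd return values but not which setters take ownership; add one line per setter, e.g. `/* Takes ownership of imprint and frees any previous imprint. */` and `/* Takes ownership of bio; a previous BIO is not freed. */`.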
@@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -65,7 +60,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_UI,func,0) @@ -99,3 +93,4 @@ ERR_load_UI_strings(void) } #endif } +LCRYPTO_ALIAS(ERR_load_UI_strings); diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c index 09522e7..73d899a 100644 --- a/crypto/ui/ui_lib.c +++ b/crypto/ui/ui_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ui_lib.c,v 1.44 2020/09/25 11:25:31 tb Exp $ */ +/* $OpenBSD: ui_lib.c,v 1.51 2023/02/16 08:38:17 tb Exp $ */ /* Written by Richard Levitte (richard@levitte.org) for the OpenSSL * project 2001. */ @@ -64,7 +64,7 @@ #include #include -#include "ui_locl.h" +#include "ui_local.h" static const UI_METHOD *default_UI_meth = NULL; @@ -73,6 +73,7 @@ UI_new(void) { return (UI_new_method(NULL)); } +LCRYPTO_ALIAS(UI_new); UI * UI_new_method(const UI_METHOD *method) @@ -89,6 +90,7 @@ UI_new_method(const UI_METHOD *method) return ret; } +LCRYPTO_ALIAS(UI_new_method); static void free_string(UI_STRING *uis) @@ -115,10 +117,12 @@ UI_free(UI *ui) { if (ui == NULL) return; + sk_UI_STRING_pop_free(ui->strings, free_string); CRYPTO_free_ex_data(CRYPTO_EX_INDEX_UI, ui, &ui->ex_data); free(ui); } +LCRYPTO_ALIAS(UI_free); static int allocate_string_stack(UI *ui) @@ -265,6 +269,7 @@ UI_add_input_string(UI *ui, const char *prompt, int flags, char *result_buf, return general_allocate_string(ui, prompt, 0, UIT_PROMPT, flags, result_buf, minsize, maxsize, NULL); } +LCRYPTO_ALIAS(UI_add_input_string); /* Same as UI_add_input_string(), excepts it takes a copy of the prompt. */ int 
@@ -274,6 +279,7 @@ UI_dup_input_string(UI *ui, const char *prompt, int flags, char *result_buf, return general_allocate_string(ui, prompt, 1, UIT_PROMPT, flags, result_buf, minsize, maxsize, NULL); } +LCRYPTO_ALIAS(UI_dup_input_string); int UI_add_verify_string(UI *ui, const char *prompt, int flags, char *result_buf, @@ -282,6 +288,7 @@ UI_add_verify_string(UI *ui, const char *prompt, int flags, char *result_buf, return general_allocate_string(ui, prompt, 0, UIT_VERIFY, flags, result_buf, minsize, maxsize, test_buf); } +LCRYPTO_ALIAS(UI_add_verify_string); int UI_dup_verify_string(UI *ui, const char *prompt, int flags, @@ -290,6 +297,7 @@ UI_dup_verify_string(UI *ui, const char *prompt, int flags, return general_allocate_string(ui, prompt, 1, UIT_VERIFY, flags, result_buf, minsize, maxsize, test_buf); } +LCRYPTO_ALIAS(UI_dup_verify_string); int UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc, @@ -298,6 +306,7 @@ UI_add_input_boolean(UI *ui, const char *prompt, const char *action_desc, return general_allocate_boolean(ui, prompt, action_desc, ok_chars, cancel_chars, 0, UIT_BOOLEAN, flags, result_buf); } +LCRYPTO_ALIAS(UI_add_input_boolean); int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc, @@ -306,6 +315,7 @@ UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc, return general_allocate_boolean(ui, prompt, action_desc, ok_chars, cancel_chars, 1, UIT_BOOLEAN, flags, result_buf); } +LCRYPTO_ALIAS(UI_dup_input_boolean); int UI_add_info_string(UI *ui, const char *text) @@ -313,6 +323,7 @@ UI_add_info_string(UI *ui, const char *text) return general_allocate_string(ui, text, 0, UIT_INFO, 0, NULL, 0, 0, NULL); } +LCRYPTO_ALIAS(UI_add_info_string); int UI_dup_info_string(UI *ui, const char *text) 
@@ -320,6 +331,7 @@ UI_dup_info_string(UI *ui, const char *text) return general_allocate_string(ui, text, 1, UIT_INFO, 0, NULL, 0, 0, NULL); } +LCRYPTO_ALIAS(UI_dup_info_string); int UI_add_error_string(UI *ui, const char *text) @@ -327,6 +339,7 @@ UI_add_error_string(UI *ui, const char *text) return general_allocate_string(ui, text, 0, UIT_ERROR, 0, NULL, 0, 0, NULL); } +LCRYPTO_ALIAS(UI_add_error_string); int UI_dup_error_string(UI *ui, const char *text) @@ -334,6 +347,7 @@ UI_dup_error_string(UI *ui, const char *text) return general_allocate_string(ui, text, 1, UIT_ERROR, 0, NULL, 0, 0, NULL); } +LCRYPTO_ALIAS(UI_dup_error_string); char * UI_construct_prompt(UI *ui, const char *object_desc, const char *object_name) @@ -358,6 +372,7 @@ UI_construct_prompt(UI *ui, const char *object_desc, const char *object_name) return prompt; } +LCRYPTO_ALIAS(UI_construct_prompt); void * UI_add_user_data(UI *ui, void *user_data) @@ -365,14 +380,17 @@ UI_add_user_data(UI *ui, void *user_data) void *old_data = ui->user_data; ui->user_data = user_data; + return old_data; } +LCRYPTO_ALIAS(UI_add_user_data); void * UI_get0_user_data(UI *ui) { return ui->user_data; } +LCRYPTO_ALIAS(UI_get0_user_data); const char * UI_get0_result(UI *ui, int i) @@ -387,6 +405,7 @@ UI_get0_result(UI *ui, int i) } return UI_get0_result_string(sk_UI_STRING_value(ui->strings, i)); } +LCRYPTO_ALIAS(UI_get0_result); static int print_error(const char *str, size_t len, void *arg) @@ -460,6 +479,7 @@ UI_process(UI *ui) return -1; return ok; } +LCRYPTO_ALIAS(UI_process); int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f) (void)) @@ -468,6 +488,7 @@ UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f) (void)) UIerror(ERR_R_PASSED_NULL_PARAMETER); return -1; } + switch (cmd) { case UI_CTRL_PRINT_ERRORS: { 
@@ -486,6 +507,7 @@ UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f) (void)) UIerror(UI_R_UNKNOWN_CONTROL_COMMAND); return -1; } +LCRYPTO_ALIAS(UI_ctrl); int UI_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 
@@ -494,212 +516,259 @@ UI_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_UI, argl, argp, new_func, dup_func, free_func); } +LCRYPTO_ALIAS(UI_get_ex_new_index); int UI_set_ex_data(UI *r, int idx, void *arg) { return (CRYPTO_set_ex_data(&r->ex_data, idx, arg)); } +LCRYPTO_ALIAS(UI_set_ex_data); void * UI_get_ex_data(UI *r, int idx) { return (CRYPTO_get_ex_data(&r->ex_data, idx)); } +LCRYPTO_ALIAS(UI_get_ex_data); void -UI_set_default_method(const UI_METHOD *meth) +UI_set_default_method(const UI_METHOD *method) { - default_UI_meth = meth; + default_UI_meth = method; } +LCRYPTO_ALIAS(UI_set_default_method); const UI_METHOD * UI_get_default_method(void) { - if (default_UI_meth == NULL) { + if (default_UI_meth == NULL) default_UI_meth = UI_OpenSSL(); - } + return default_UI_meth; } +LCRYPTO_ALIAS(UI_get_default_method); const UI_METHOD * UI_get_method(UI *ui) { return ui->meth; } +LCRYPTO_ALIAS(UI_get_method); const UI_METHOD * -UI_set_method(UI *ui, const UI_METHOD *meth) +UI_set_method(UI *ui, const UI_METHOD *method) { - ui->meth = meth; + ui->meth = method; + return ui->meth; } - +LCRYPTO_ALIAS(UI_set_method); UI_METHOD * UI_create_method(const char *name) { - UI_METHOD *ui_method = calloc(1, sizeof(UI_METHOD)); + UI_METHOD *method = NULL; - if (ui_method && name) - ui_method->name = strdup(name); + if ((method = calloc(1, sizeof(UI_METHOD))) == NULL) + goto err; - return ui_method; + if (name != NULL) { + if ((method->name = strdup(name)) == NULL) + goto err; + } + + return method; + + err: + UI_destroy_method(method); + + return NULL; } +LCRYPTO_ALIAS(UI_create_method); -/* - * BIG FSCKING WARNING!!!! If you use this on a statically allocated method - * (that is, it hasn't been allocated using UI_create_method(), you deserve - * anything Murphy can throw at you and more! You have been warned. 
- */ void -UI_destroy_method(UI_METHOD *ui_method) +UI_destroy_method(UI_METHOD *method) { - free(ui_method->name); - ui_method->name = NULL; - free(ui_method); + if (method == NULL) + return; + + free(method->name); + free(method); } +LCRYPTO_ALIAS(UI_destroy_method); int UI_method_set_opener(UI_METHOD *method, int (*opener)(UI *ui)) { - if (method) { - method->ui_open_session = opener; - return 0; - } - return -1; + if (method == NULL) + return -1; + + method->ui_open_session = opener; + + return 0; } +LCRYPTO_ALIAS(UI_method_set_opener); int UI_method_set_writer(UI_METHOD *method, int (*writer)(UI *ui, UI_STRING *uis)) { - if (method) { - method->ui_write_string = writer; - return 0; - } - return -1; + if (method == NULL) + return -1; + + method->ui_write_string = writer; + + return 0; } +LCRYPTO_ALIAS(UI_method_set_writer); int UI_method_set_flusher(UI_METHOD *method, int (*flusher)(UI *ui)) { - if (method) { - method->ui_flush = flusher; - return 0; - } - return -1; + if (method == NULL) + return -1; + + method->ui_flush = flusher; + + return 0; } +LCRYPTO_ALIAS(UI_method_set_flusher); int UI_method_set_reader(UI_METHOD *method, int (*reader)(UI *ui, UI_STRING *uis)) { - if (method) { - method->ui_read_string = reader; - return 0; - } - return -1; + if (method == NULL) + return -1; + + method->ui_read_string = reader; + + return 0; } +LCRYPTO_ALIAS(UI_method_set_reader); int UI_method_set_closer(UI_METHOD *method, int (*closer)(UI *ui)) { - if (method) { - method->ui_close_session = closer; - return 0; - } - return -1; + if (method == NULL) + return -1; + + method->ui_close_session = closer; + + return 0; } +LCRYPTO_ALIAS(UI_method_set_closer); int UI_method_set_prompt_constructor(UI_METHOD *method, char *(*prompt_constructor)(UI *ui, const char *object_desc, const char *object_name)) { - if (method) { - method->ui_construct_prompt = prompt_constructor; - return 0; - } - return -1; + if (method == NULL) + return -1; + + method->ui_construct_prompt = 
prompt_constructor; + + return 0; } +LCRYPTO_ALIAS(UI_method_set_prompt_constructor); int (*UI_method_get_opener(const UI_METHOD * method))(UI *) { - if (method) - return method->ui_open_session; - return NULL; + if (method == NULL) + return NULL; + + return method->ui_open_session; } +LCRYPTO_ALIAS(UI_method_get_opener); int (*UI_method_get_writer(const UI_METHOD *method))(UI *, UI_STRING *) { - if (method) - return method->ui_write_string; - return NULL; + if (method == NULL) + return NULL; + + return method->ui_write_string; } +LCRYPTO_ALIAS(UI_method_get_writer); int (*UI_method_get_flusher(const UI_METHOD *method)) (UI *) { - if (method) - return method->ui_flush; - return NULL; + if (method == NULL) + return NULL; + + return method->ui_flush; } +LCRYPTO_ALIAS(UI_method_get_flusher); int (*UI_method_get_reader(const UI_METHOD *method))(UI *, UI_STRING *) { - if (method) - return method->ui_read_string; - return NULL; + if (method == NULL) + return NULL; + + return method->ui_read_string; } +LCRYPTO_ALIAS(UI_method_get_reader); int (*UI_method_get_closer(const UI_METHOD *method))(UI *) { - if (method) - return method->ui_close_session; - return NULL; + if (method == NULL) + return NULL; + + return method->ui_close_session; } +LCRYPTO_ALIAS(UI_method_get_closer); char * (*UI_method_get_prompt_constructor(const UI_METHOD *method))(UI *, const char *, const char *) { - if (method) - return method->ui_construct_prompt; - return NULL; + if (method == NULL) + return NULL; + + return method->ui_construct_prompt; } +LCRYPTO_ALIAS(UI_method_get_prompt_constructor); enum UI_string_types UI_get_string_type(UI_STRING *uis) { - if (!uis) + if (uis == NULL) return UIT_NONE; + return uis->type; } +LCRYPTO_ALIAS(UI_get_string_type); int UI_get_input_flags(UI_STRING *uis) { - if (!uis) + if (uis == NULL) return 0; + return uis->input_flags; } +LCRYPTO_ALIAS(UI_get_input_flags); const char * UI_get0_output_string(UI_STRING *uis) { - if (!uis) + if (uis == NULL) return NULL; + 
return uis->out_string; } +LCRYPTO_ALIAS(UI_get0_output_string); const char * UI_get0_action_string(UI_STRING *uis) { - if (!uis) + if (uis == NULL) return NULL; + switch (uis->type) { case UIT_PROMPT: case UIT_BOOLEAN: @@ -708,12 +777,14 @@ UI_get0_action_string(UI_STRING *uis) return NULL; } } +LCRYPTO_ALIAS(UI_get0_action_string); const char * UI_get0_result_string(UI_STRING *uis) { - if (!uis) + if (uis == NULL) return NULL; + switch (uis->type) { case UIT_PROMPT: case UIT_VERIFY: @@ -722,12 +793,14 @@ UI_get0_result_string(UI_STRING *uis) return NULL; } } +LCRYPTO_ALIAS(UI_get0_result_string); const char * UI_get0_test_string(UI_STRING *uis) { - if (!uis) + if (uis == NULL) return NULL; + switch (uis->type) { case UIT_VERIFY: return uis->_.string_data.test_buf; @@ -735,12 +808,14 @@ UI_get0_test_string(UI_STRING *uis) return NULL; } } +LCRYPTO_ALIAS(UI_get0_test_string); int UI_get_result_minsize(UI_STRING *uis) { - if (!uis) + if (uis == NULL) return -1; + switch (uis->type) { case UIT_PROMPT: case UIT_VERIFY: @@ -749,12 +824,14 @@ UI_get_result_minsize(UI_STRING *uis) return -1; } } +LCRYPTO_ALIAS(UI_get_result_minsize); int UI_get_result_maxsize(UI_STRING *uis) { - if (!uis) + if (uis == NULL) return -1; + switch (uis->type) { case UIT_PROMPT: case UIT_VERIFY: @@ -763,6 +840,7 @@ UI_get_result_maxsize(UI_STRING *uis) return -1; } } +LCRYPTO_ALIAS(UI_get_result_maxsize); int UI_set_result(UI *ui, UI_STRING *uis, const char *result) @@ -772,8 +850,9 @@ UI_set_result(UI *ui, UI_STRING *uis, const char *result) ui->flags &= ~UI_FLAG_REDOABLE; - if (!uis) + if (uis == NULL) return -1; + switch (uis->type) { case UIT_PROMPT: case UIT_VERIFY: @@ -825,3 +904,4 @@ UI_set_result(UI *ui, UI_STRING *uis, const char *result) } return 0; } +LCRYPTO_ALIAS(UI_set_result); diff --git a/crypto/ui/ui_locl.h b/crypto/ui/ui_local.h similarity index 97% rename from crypto/ui/ui_locl.h rename to crypto/ui/ui_local.h index c424be6..460b560 100644 --- a/crypto/ui/ui_locl.h 
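Review bot: The warning comment above UI_destroy_method is dropped, but the function still calls `free(method->name)` and `free(method)`, so passing a statically allocated UI_METHOD (for instance the `ui_null` object introduced in ui_null.c later in this diff) remains undefined behaviour; the new NULL check does not change that constraint, it only removes the documentation of it. Keep a short comment on the function, e.g. `/* Only for UI_METHODs allocated with UI_create_method(); frees the name and the method. */`. The error path in UI_create_method now depends on UI_destroy_method accepting NULL, which it does after this change, so that pairing is fine.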
+++ b/crypto/ui/ui_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ui_locl.h,v 1.7 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: ui_local.h,v 1.2 2022/11/26 17:23:18 tb Exp $ */ /* Written by Richard Levitte (richard@levitte.org) for the OpenSSL * project 2001. @@ -57,8 +57,8 @@ * */ -#ifndef HEADER_UI_LOCL_H -#define HEADER_UI_LOCL_H +#ifndef HEADER_UI_LOCAL_H +#define HEADER_UI_LOCAL_H #include #include @@ -149,4 +149,4 @@ struct ui_st { __END_HIDDEN_DECLS -#endif +#endif /* !HEADER_UI_LOCAL_H */ diff --git a/crypto/ui/ui_null.c b/crypto/ui/ui_null.c new file mode 100644 index 0000000..cbc9a50 --- /dev/null +++ b/crypto/ui/ui_null.c @@ -0,0 +1,18 @@ +/* $OpenBSD: ui_null.c,v 1.2 2023/02/16 08:38:17 tb Exp $ */ + +/* + * Written by Theo Buehler. Public domain. + */ + +#include "ui_local.h" + +static const UI_METHOD ui_null = { + .name = "OpenSSL NULL UI", +}; + +const UI_METHOD * +UI_null(void) +{ + return &ui_null; +} +LCRYPTO_ALIAS(UI_null); diff --git a/crypto/ui/ui_openssl.c b/crypto/ui/ui_openssl.c index 9562c2c..0b91700 100644 --- a/crypto/ui/ui_openssl.c +++ b/crypto/ui/ui_openssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ui_openssl.c,v 1.25 2015/09/10 15:56:26 jsing Exp $ */ +/* $OpenBSD: ui_openssl.c,v 1.28 2023/02/16 08:38:17 tb Exp $ */ /* Written by Richard Levitte (richard@levitte.org) and others * for the OpenSSL project 2001. */ @@ -125,7 +125,7 @@ #include #include -#include "ui_locl.h" +#include "ui_local.h" #ifndef NX509_SIG #define NX509_SIG 32 @@ -167,6 +167,7 @@ UI_OpenSSL(void) { return &ui_openssl; } +LCRYPTO_ALIAS(UI_OpenSSL); /* The following function makes sure that info and error strings are printed before any prompt. */ diff --git a/crypto/ui/ui_openssl_win.c b/crypto/ui/ui_openssl_win.c index ad9e915..c245111 100644 --- a/crypto/ui/ui_openssl_win.c +++ b/crypto/ui/ui_openssl_win.c @@ -124,7 +124,7 @@ #include #include -#include "ui_locl.h" +#include "ui_local.h" #ifndef NX509_SIG #define NX509_SIG 32 
diff --git a/crypto/ui/ui_util.c b/crypto/ui/ui_util.c index d1040c9..4fa4058 100644 --- a/crypto/ui/ui_util.c +++ b/crypto/ui/ui_util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ui_util.c,v 1.10 2015/09/10 15:56:26 jsing Exp $ */ +/* $OpenBSD: ui_util.c,v 1.14 2023/02/16 08:38:17 tb Exp $ */ /* ==================================================================== * Copyright (c) 2001-2002 The OpenSSL Project. All rights reserved. * @@ -57,7 +57,7 @@ #include -#include "ui_locl.h" +#include "ui_local.h" int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt, int verify) @@ -70,6 +70,7 @@ UI_UTIL_read_pw_string(char *buf, int length, const char *prompt, int verify) explicit_bzero(buff, BUFSIZ); return (ret); } +LCRYPTO_ALIAS(UI_UTIL_read_pw_string); int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, int verify) @@ -94,18 +95,4 @@ UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, int verify) ok = 0; return (ok); } - -/* - * Old compatibility glue - see comment in ui_compat.h. - */ -int -_ossl_old_des_read_pw_string(char *buf, int length, const char *prompt, int verify) -{ - return UI_UTIL_read_pw_string(buf, length, prompt, verify); -} - -int -_ossl_old_des_read_pw(char *buf, char *buff, int size, const char *prompt, int verify) -{ - return UI_UTIL_read_pw(buf, buff, size, prompt, verify); -} +LCRYPTO_ALIAS(UI_UTIL_read_pw); diff --git a/crypto/whrlpool/wp-elf-x86_64.S b/crypto/whrlpool/wp-elf-x86_64.S index 2b37a98..aba96ef 100644 --- a/crypto/whrlpool/wp-elf-x86_64.S +++ b/crypto/whrlpool/wp-elf-x86_64.S @@ -5,6 +5,7 @@ .type whirlpool_block,@function .align 16 whirlpool_block: + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -588,6 +589,7 @@ whirlpool_block: retq .size whirlpool_block,.-whirlpool_block +.section .rodata .align 64 .type .Ltable,@object .Ltable: diff --git a/crypto/whrlpool/wp-macosx-x86_64.S b/crypto/whrlpool/wp-macosx-x86_64.S index 6df325a..efeab6e 100644 --- a/crypto/whrlpool/wp-macosx-x86_64.S 
+++ b/crypto/whrlpool/wp-macosx-x86_64.S @@ -5,6 +5,7 @@ .p2align 4 _whirlpool_block: + pushq %rbx pushq %rbp pushq %r12 @@ -588,6 +589,7 @@ L$epilogue: retq +.section __DATA,__const .p2align 6 L$table: diff --git a/crypto/whrlpool/wp-masm-x86_64.S b/crypto/whrlpool/wp-masm-x86_64.S index 71f0c01..266424f 100644 --- a/crypto/whrlpool/wp-masm-x86_64.S +++ b/crypto/whrlpool/wp-masm-x86_64.S @@ -82,6 +82,7 @@ $L$SEH_begin_whirlpool_block:: mov rdx,r8 + endbr64 push rbx push rbp push r12 @@ -668,6 +669,8 @@ $L$epilogue:: $L$SEH_end_whirlpool_block:: whirlpool_block ENDP +.text$ ENDS +.rdata SEGMENT READONLY ALIGN(8) ALIGN 64 $L$table:: @@ -938,6 +941,6 @@ DB 228,39,65,139,167,125,149,216 DB 251,238,124,102,221,23,71,158 DB 202,45,191,7,173,90,131,51 -.text$ ENDS +.rdata ENDS END diff --git a/crypto/whrlpool/wp-mingw64-x86_64.S b/crypto/whrlpool/wp-mingw64-x86_64.S index ea9f6cf..d4ec636 100644 --- a/crypto/whrlpool/wp-mingw64-x86_64.S +++ b/crypto/whrlpool/wp-mingw64-x86_64.S @@ -13,6 +13,7 @@ whirlpool_block: movq %rdx,%rsi movq %r8,%rdx + endbr64 pushq %rbx pushq %rbp pushq %r12 @@ -598,6 +599,7 @@ whirlpool_block: retq .LSEH_end_whirlpool_block: +.section .rodata .p2align 6 .Ltable: diff --git a/crypto/whrlpool/wp_block.c b/crypto/whrlpool/wp_block.c index b2137d6..ad814a3 100644 --- a/crypto/whrlpool/wp_block.c +++ b/crypto/whrlpool/wp_block.c @@ -1,4 +1,4 @@ -/* $OpenBSD: wp_block.c,v 1.14 2021/11/09 18:40:21 bcook Exp $ */ +/* $OpenBSD: wp_block.c,v 1.15 2022/11/26 16:08:54 tb Exp $ */ /** * The Whirlpool hashing function. * @@ -40,7 +40,7 @@ #include #include -#include "wp_locl.h" +#include "wp_local.h" typedef unsigned char u8; #if defined(_LP64) diff --git a/crypto/whrlpool/wp_dgst.c b/crypto/whrlpool/wp_dgst.c index 663f2ef..fd074c1 100644 --- a/crypto/whrlpool/wp_dgst.c +++ b/crypto/whrlpool/wp_dgst.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: wp_dgst.c,v 1.4 2014/07/12 11:25:25 miod Exp $ */ +/* $OpenBSD: wp_dgst.c,v 1.5 2022/11/26 16:08:54 tb Exp $ */ /** * The Whirlpool hashing function. * @@ -52,7 +52,7 @@ * input. This is done for performance. */ -#include "wp_locl.h" +#include "wp_local.h" #include #include diff --git a/crypto/whrlpool/wp_locl.h b/crypto/whrlpool/wp_local.h similarity index 67% rename from crypto/whrlpool/wp_locl.h rename to crypto/whrlpool/wp_local.h index 771c65e..2d3bc9c 100644 --- a/crypto/whrlpool/wp_locl.h +++ b/crypto/whrlpool/wp_local.h @@ -1,4 +1,4 @@ -/* $OpenBSD: wp_locl.h,v 1.3 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: wp_local.h,v 1.1 2022/11/26 16:08:54 tb Exp $ */ #include diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c index fa05f55..9fa6a10 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c @@ -1,4 +1,4 @@ -/* $OpenBSD: by_dir.c,v 1.41 2021/11/10 14:34:21 schwarze Exp $ */ +/* $OpenBSD: by_dir.c,v 1.44 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -70,7 +70,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" typedef struct lookup_dir_hashes_st { unsigned long hash; @@ -117,6 +117,7 @@ X509_LOOKUP_hash_dir(void) { return &x509_dir_lookup; } +LCRYPTO_ALIAS(X509_LOOKUP_hash_dir); static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c index 3116b7c..606f4c8 100644 --- a/crypto/x509/by_file.c +++ b/crypto/x509/by_file.c @@ -1,4 +1,4 @@ -/* $OpenBSD: by_file.c,v 1.25 2021/11/10 13:57:42 schwarze Exp $ */ +/* $OpenBSD: by_file.c,v 1.28 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,7 +66,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, char **ret); 
@@ -89,6 +89,7 @@ X509_LOOKUP_file(void) { return &x509_file_lookup; } +LCRYPTO_ALIAS(X509_LOOKUP_file); static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl, @@ -173,6 +174,7 @@ err: BIO_free(in); return ret; } +LCRYPTO_ALIAS(X509_load_cert_file); int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type) @@ -229,6 +231,7 @@ err: BIO_free(in); return ret; } +LCRYPTO_ALIAS(X509_load_crl_file); int X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type) @@ -267,4 +270,4 @@ X509_load_cert_crl_file(X509_LOOKUP *ctx, const char *file, int type) sk_X509_INFO_pop_free(inf, X509_INFO_free); return count; } - +LCRYPTO_ALIAS(X509_load_cert_crl_file); diff --git a/crypto/x509/by_mem.c b/crypto/x509/by_mem.c index 272877f..579eecd 100644 --- a/crypto/x509/by_mem.c +++ b/crypto/x509/by_mem.c @@ -1,4 +1,4 @@ -/* $OpenBSD: by_mem.c,v 1.5 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: by_mem.c,v 1.8 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -68,7 +68,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" static int by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **); @@ -90,6 +90,7 @@ X509_LOOKUP_mem(void) { return (&x509_mem_lookup); } +LCRYPTO_ALIAS(X509_LOOKUP_mem); static int by_mem_ctrl(X509_LOOKUP *lu, int cmd, const char *buf, diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h deleted file mode 100644 index 59815c9..0000000 --- a/crypto/x509/ext_dat.h +++ /dev/null 
@@ -1,143 +0,0 @@ -/* $OpenBSD: ext_dat.h,v 1.4 2021/11/24 19:22:14 tb Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999-2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include - -__BEGIN_HIDDEN_DECLS - -/* This file contains a table of "standard" extensions */ - -extern X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; -extern X509V3_EXT_METHOD v3_pkey_usage_period, v3_sxnet, v3_info, v3_sinfo; -extern X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; -extern X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate; -extern X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl; -extern X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; -extern X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; -extern X509V3_EXT_METHOD v3_crl_hold, v3_pci; -extern X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; -extern X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp; -extern const X509V3_EXT_METHOD v3_addr, v3_asid; -extern const X509V3_EXT_METHOD v3_ct_scts[3]; - -/* This table will be searched using OBJ_bsearch so it *must* kept in - * order of the ext_nid values. 
- */ - -static const X509V3_EXT_METHOD *standard_exts[] = { - &v3_nscert, - &v3_ns_ia5_list[0], - &v3_ns_ia5_list[1], - &v3_ns_ia5_list[2], - &v3_ns_ia5_list[3], - &v3_ns_ia5_list[4], - &v3_ns_ia5_list[5], - &v3_ns_ia5_list[6], - &v3_skey_id, - &v3_key_usage, - &v3_pkey_usage_period, - &v3_alt[0], - &v3_alt[1], - &v3_bcons, - &v3_crl_num, - &v3_cpols, - &v3_akey_id, - &v3_crld, - &v3_ext_ku, - &v3_delta_crl, - &v3_crl_reason, -#ifndef OPENSSL_NO_OCSP - &v3_crl_invdate, -#endif - &v3_sxnet, - &v3_info, -#ifndef OPENSSL_NO_RFC3779 - &v3_addr, - &v3_asid, -#endif -#ifndef OPENSSL_NO_OCSP - &v3_ocsp_nonce, - &v3_ocsp_crlid, - &v3_ocsp_accresp, - &v3_ocsp_nocheck, - &v3_ocsp_acutoff, - &v3_ocsp_serviceloc, -#endif - &v3_sinfo, - &v3_policy_constraints, -#ifndef OPENSSL_NO_OCSP - &v3_crl_hold, -#endif - &v3_pci, - &v3_name_constraints, - &v3_policy_mappings, - &v3_inhibit_anyp, - &v3_idp, - &v3_alt[2], - &v3_freshest_crl, -#ifndef OPENSSL_NO_CT - &v3_ct_scts[0], - &v3_ct_scts[1], - &v3_ct_scts[2], -#endif -}; - -/* Number of standard extensions */ -#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts)/sizeof(X509V3_EXT_METHOD *)) - -__END_HIDDEN_DECLS diff --git a/crypto/x509/pcy_cache.c b/crypto/x509/pcy_cache.c deleted file mode 100644 index debca30..0000000 --- a/crypto/x509/pcy_cache.c +++ /dev/null 
@@ -1,272 +0,0 @@ -/* $OpenBSD: pcy_cache.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include - -#include "pcy_int.h" -#include "x509_lcl.h" - -static int policy_data_cmp(const X509_POLICY_DATA * const *a, - const X509_POLICY_DATA * const *b); -static int policy_cache_set_int(long *out, ASN1_INTEGER *value); - -/* Set cache entry according to CertificatePolicies extension. - * Note: this destroys the passed CERTIFICATEPOLICIES structure. - */ - -static int -policy_cache_create(X509 *x, CERTIFICATEPOLICIES *policies, int crit) -{ - int i; - int ret = 0; - X509_POLICY_CACHE *cache = x->policy_cache; - X509_POLICY_DATA *data = NULL; - POLICYINFO *policy; - - if (sk_POLICYINFO_num(policies) == 0) - goto bad_policy; - cache->data = sk_X509_POLICY_DATA_new(policy_data_cmp); - if (!cache->data) - goto bad_policy; - for (i = 0; i < sk_POLICYINFO_num(policies); i++) { - policy = sk_POLICYINFO_value(policies, i); - data = policy_data_new(policy, NULL, crit); - if (!data) - goto bad_policy; - /* Duplicate policy OIDs are illegal: reject if matches - * found. 
- */ - if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { - if (cache->anyPolicy) { - ret = -1; - goto bad_policy; - } - cache->anyPolicy = data; - } else if (sk_X509_POLICY_DATA_find(cache->data, data) != -1) { - ret = -1; - goto bad_policy; - } else if (!sk_X509_POLICY_DATA_push(cache->data, data)) - goto bad_policy; - data = NULL; - } - ret = 1; - -bad_policy: - if (ret == -1) - x->ex_flags |= EXFLAG_INVALID_POLICY; - if (data) - policy_data_free(data); - sk_POLICYINFO_pop_free(policies, POLICYINFO_free); - if (ret <= 0) { - sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free); - cache->data = NULL; - } - return ret; -} - -static int -policy_cache_new(X509 *x) -{ - X509_POLICY_CACHE *cache; - ASN1_INTEGER *ext_any = NULL; - POLICY_CONSTRAINTS *ext_pcons = NULL; - CERTIFICATEPOLICIES *ext_cpols = NULL; - POLICY_MAPPINGS *ext_pmaps = NULL; - int i; - - cache = malloc(sizeof(X509_POLICY_CACHE)); - if (!cache) - return 0; - cache->anyPolicy = NULL; - cache->data = NULL; - cache->any_skip = -1; - cache->explicit_skip = -1; - cache->map_skip = -1; - - x->policy_cache = cache; - - /* Handle requireExplicitPolicy *first*. Need to process this - * even if we don't have any policies. - */ - ext_pcons = X509_get_ext_d2i(x, NID_policy_constraints, &i, NULL); - - if (!ext_pcons) { - if (i != -1) - goto bad_cache; - } else { - if (!ext_pcons->requireExplicitPolicy && - !ext_pcons->inhibitPolicyMapping) - goto bad_cache; - if (!policy_cache_set_int(&cache->explicit_skip, - ext_pcons->requireExplicitPolicy)) - goto bad_cache; - if (!policy_cache_set_int(&cache->map_skip, - ext_pcons->inhibitPolicyMapping)) - goto bad_cache; - } - - /* Process CertificatePolicies */ - - ext_cpols = X509_get_ext_d2i(x, NID_certificate_policies, &i, NULL); - /* If no CertificatePolicies extension or problem decoding then - * there is no point continuing because the valid policies will be - * NULL. 
- */ - if (!ext_cpols) { - /* If not absent some problem with extension */ - if (i != -1) - goto bad_cache; - return 1; - } - - i = policy_cache_create(x, ext_cpols, i); - - /* NB: ext_cpols freed by policy_cache_set_policies */ - - if (i <= 0) - return i; - - ext_pmaps = X509_get_ext_d2i(x, NID_policy_mappings, &i, NULL); - - if (!ext_pmaps) { - /* If not absent some problem with extension */ - if (i != -1) - goto bad_cache; - } else { - i = policy_cache_set_mapping(x, ext_pmaps); - if (i <= 0) - goto bad_cache; - } - - ext_any = X509_get_ext_d2i(x, NID_inhibit_any_policy, &i, NULL); - - if (!ext_any) { - if (i != -1) - goto bad_cache; - } else if (!policy_cache_set_int(&cache->any_skip, ext_any)) - goto bad_cache; - - if (0) { -bad_cache: - x->ex_flags |= EXFLAG_INVALID_POLICY; - } - - if (ext_pcons) - POLICY_CONSTRAINTS_free(ext_pcons); - - if (ext_any) - ASN1_INTEGER_free(ext_any); - - return 1; -} - -void -policy_cache_free(X509_POLICY_CACHE *cache) -{ - if (!cache) - return; - if (cache->anyPolicy) - policy_data_free(cache->anyPolicy); - if (cache->data) - sk_X509_POLICY_DATA_pop_free(cache->data, policy_data_free); - free(cache); -} - -const X509_POLICY_CACHE * -policy_cache_set(X509 *x) -{ - if (x->policy_cache == NULL) { - CRYPTO_w_lock(CRYPTO_LOCK_X509); - policy_cache_new(x); - CRYPTO_w_unlock(CRYPTO_LOCK_X509); - } - - return x->policy_cache; -} - -X509_POLICY_DATA * -policy_cache_find_data(const X509_POLICY_CACHE *cache, const ASN1_OBJECT *id) -{ - int idx; - X509_POLICY_DATA tmp; - - tmp.valid_policy = (ASN1_OBJECT *)id; - idx = sk_X509_POLICY_DATA_find(cache->data, &tmp); - if (idx == -1) - return NULL; - return sk_X509_POLICY_DATA_value(cache->data, idx); -} - -static int -policy_data_cmp(const X509_POLICY_DATA * const *a, - const X509_POLICY_DATA * const *b) -{ - return OBJ_cmp((*a)->valid_policy, (*b)->valid_policy); -} - -static int -policy_cache_set_int(long *out, ASN1_INTEGER *value) -{ - if (value == NULL) - return 1; - if (value->type == 
V_ASN1_NEG_INTEGER) - return 0; - *out = ASN1_INTEGER_get(value); - return 1; -} diff --git a/crypto/x509/pcy_int.h b/crypto/x509/pcy_int.h deleted file mode 100644 index 6632b78..0000000 --- a/crypto/x509/pcy_int.h +++ /dev/null 
@@ -1,209 +0,0 @@ -/* $OpenBSD: pcy_int.h,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -__BEGIN_HIDDEN_DECLS - -typedef struct X509_POLICY_DATA_st X509_POLICY_DATA; - -DECLARE_STACK_OF(X509_POLICY_DATA) - -/* Internal structures */ - -/* This structure and the field names correspond to the Policy 'node' of - * RFC3280. NB this structure contains no pointers to parent or child - * data: X509_POLICY_NODE contains that. This means that the main policy data - * can be kept static and cached with the certificate. - */ - -struct X509_POLICY_DATA_st { - unsigned int flags; - /* Policy OID and qualifiers for this data */ - ASN1_OBJECT *valid_policy; - STACK_OF(POLICYQUALINFO) *qualifier_set; - STACK_OF(ASN1_OBJECT) *expected_policy_set; -}; - -/* X509_POLICY_DATA flags values */ - -/* This flag indicates the structure has been mapped using a policy mapping - * extension. If policy mapping is not active its references get deleted. - */ - -#define POLICY_DATA_FLAG_MAPPED 0x1 - -/* This flag indicates the data doesn't correspond to a policy in Certificate - * Policies: it has been mapped to any policy. 
- */ - -#define POLICY_DATA_FLAG_MAPPED_ANY 0x2 - -/* AND with flags to see if any mapping has occurred */ - -#define POLICY_DATA_FLAG_MAP_MASK 0x3 - -/* qualifiers are shared and shouldn't be freed */ - -#define POLICY_DATA_FLAG_SHARED_QUALIFIERS 0x4 - -/* Parent node is an extra node and should be freed */ - -#define POLICY_DATA_FLAG_EXTRA_NODE 0x8 - -/* Corresponding CertificatePolicies is critical */ - -#define POLICY_DATA_FLAG_CRITICAL 0x10 - -/* This structure is cached with a certificate */ - -struct X509_POLICY_CACHE_st { - /* anyPolicy data or NULL if no anyPolicy */ - X509_POLICY_DATA *anyPolicy; - /* other policy data */ - STACK_OF(X509_POLICY_DATA) *data; - /* If InhibitAnyPolicy present this is its value or -1 if absent. */ - long any_skip; - /* If policyConstraints and requireExplicitPolicy present this is its - * value or -1 if absent. - */ - long explicit_skip; - /* If policyConstraints and policyMapping present this is its - * value or -1 if absent. - */ - long map_skip; -}; - -/*#define POLICY_CACHE_FLAG_CRITICAL POLICY_DATA_FLAG_CRITICAL*/ - -/* This structure represents the relationship between nodes */ - -struct X509_POLICY_NODE_st { - /* node data this refers to */ - const X509_POLICY_DATA *data; - /* Parent node */ - X509_POLICY_NODE *parent; - /* Number of child nodes */ - int nchild; -}; - -struct X509_POLICY_LEVEL_st { - /* Cert for this level */ - X509 *cert; - /* nodes at this level */ - STACK_OF(X509_POLICY_NODE) *nodes; - /* anyPolicy node */ - X509_POLICY_NODE *anyPolicy; - /* Extra data */ - /*STACK_OF(X509_POLICY_DATA) *extra_data;*/ - unsigned int flags; -}; - -struct X509_POLICY_TREE_st { - /* This is the tree 'level' data */ - X509_POLICY_LEVEL *levels; - int nlevel; - /* Extra policy data when additional nodes (not from the certificate) - * are required. 
- */ - STACK_OF(X509_POLICY_DATA) *extra_data; - /* This is the authority constained policy set */ - STACK_OF(X509_POLICY_NODE) *auth_policies; - STACK_OF(X509_POLICY_NODE) *user_policies; - unsigned int flags; -}; - -/* Set if anyPolicy present in user policies */ -#define POLICY_FLAG_ANY_POLICY 0x2 - -/* Useful macros */ - -#define node_data_critical(data) (data->flags & POLICY_DATA_FLAG_CRITICAL) -#define node_critical(node) node_data_critical(node->data) - -/* Internal functions */ - -X509_POLICY_DATA *policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *id, - int crit); -void policy_data_free(X509_POLICY_DATA *data); - -X509_POLICY_DATA *policy_cache_find_data(const X509_POLICY_CACHE *cache, - const ASN1_OBJECT *id); -int policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps); - - -STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void); - -void policy_cache_init(void); - -void policy_cache_free(X509_POLICY_CACHE *cache); - -X509_POLICY_NODE *level_find_node(const X509_POLICY_LEVEL *level, - const X509_POLICY_NODE *parent, const ASN1_OBJECT *id); - -X509_POLICY_NODE *tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, - const ASN1_OBJECT *id); - -int level_add_node(X509_POLICY_LEVEL *level, - const X509_POLICY_DATA *data, X509_POLICY_NODE *parent, - X509_POLICY_TREE *tree, X509_POLICY_NODE **nodep); -void policy_node_free(X509_POLICY_NODE *node); -int policy_node_match(const X509_POLICY_LEVEL *lvl, - const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); - -const X509_POLICY_CACHE *policy_cache_set(X509 *x); - -__END_HIDDEN_DECLS diff --git a/crypto/x509/pcy_map.c b/crypto/x509/pcy_map.c deleted file mode 100644 index f2e5d32..0000000 --- a/crypto/x509/pcy_map.c +++ /dev/null 
@@ -1,127 +0,0 @@ -/* $OpenBSD: pcy_map.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include - -#include "pcy_int.h" -#include "x509_lcl.h" - -/* Set policy mapping entries in cache. - * Note: this modifies the passed POLICY_MAPPINGS structure - */ - -int -policy_cache_set_mapping(X509 *x, POLICY_MAPPINGS *maps) -{ - POLICY_MAPPING *map; - X509_POLICY_DATA *data; - X509_POLICY_CACHE *cache = x->policy_cache; - int i; - int ret = 0; - - if (sk_POLICY_MAPPING_num(maps) == 0) { - ret = -1; - goto bad_mapping; - } - for (i = 0; i < sk_POLICY_MAPPING_num(maps); i++) { - map = sk_POLICY_MAPPING_value(maps, i); - /* Reject if map to or from anyPolicy */ - if ((OBJ_obj2nid(map->subjectDomainPolicy) == NID_any_policy) || - (OBJ_obj2nid(map->issuerDomainPolicy) == NID_any_policy)) { - ret = -1; - goto bad_mapping; - } - - /* Attempt to find matching policy data */ - data = policy_cache_find_data(cache, map->issuerDomainPolicy); - /* If we don't have anyPolicy can't map */ - if (!data && !cache->anyPolicy) - continue; - - /* Create a NODE from anyPolicy */ - if (!data) { - data = policy_data_new(NULL, map->issuerDomainPolicy, - cache->anyPolicy->flags & - POLICY_DATA_FLAG_CRITICAL); - if (!data) - goto bad_mapping; - data->qualifier_set = 
cache->anyPolicy->qualifier_set; - /*map->issuerDomainPolicy = NULL;*/ - data->flags |= POLICY_DATA_FLAG_MAPPED_ANY; - data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; - if (!sk_X509_POLICY_DATA_push(cache->data, data)) { - policy_data_free(data); - goto bad_mapping; - } - } else - data->flags |= POLICY_DATA_FLAG_MAPPED; - if (!sk_ASN1_OBJECT_push(data->expected_policy_set, - map->subjectDomainPolicy)) - goto bad_mapping; - map->subjectDomainPolicy = NULL; - } - - ret = 1; - -bad_mapping: - if (ret == -1) - x->ex_flags |= EXFLAG_INVALID_POLICY; - sk_POLICY_MAPPING_pop_free(maps, POLICY_MAPPING_free); - return ret; -} diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c deleted file mode 100644 index 3a0f230..0000000 --- a/crypto/x509/pcy_node.c +++ /dev/null 
@@ -1,200 +0,0 @@ -/* $OpenBSD: pcy_node.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include -#include - -#include "pcy_int.h" - -static int -node_cmp(const X509_POLICY_NODE * const *a, const X509_POLICY_NODE * const *b) -{ - return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy); -} - -STACK_OF(X509_POLICY_NODE) * -policy_node_cmp_new(void) -{ - return sk_X509_POLICY_NODE_new(node_cmp); -} - -X509_POLICY_NODE * -tree_find_sk(STACK_OF(X509_POLICY_NODE) *nodes, const ASN1_OBJECT *id) -{ - X509_POLICY_DATA n; - X509_POLICY_NODE l; - int idx; - - n.valid_policy = (ASN1_OBJECT *)id; - l.data = &n; - - idx = sk_X509_POLICY_NODE_find(nodes, &l); - if (idx == -1) - return NULL; - - return sk_X509_POLICY_NODE_value(nodes, idx); -} - -X509_POLICY_NODE * -level_find_node(const X509_POLICY_LEVEL *level, const X509_POLICY_NODE *parent, - const ASN1_OBJECT *id) -{ - X509_POLICY_NODE *node; - int i; - - for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { - node = sk_X509_POLICY_NODE_value(level->nodes, i); - if (node->parent == parent) { - if (!OBJ_cmp(node->data->valid_policy, id)) - return node; - } - } - return NULL; -} - - -int -level_add_node(X509_POLICY_LEVEL *level, const X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, 
X509_POLICY_TREE *tree, X509_POLICY_NODE **nodep) -{ - X509_POLICY_NODE *node = NULL; - - if (level) { - node = malloc(sizeof(X509_POLICY_NODE)); - if (!node) - goto node_error; - node->data = data; - node->parent = parent; - node->nchild = 0; - if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { - if (level->anyPolicy) - goto node_error; - level->anyPolicy = node; - if (parent) - parent->nchild++; - } else { - - if (!level->nodes) - level->nodes = policy_node_cmp_new(); - if (!level->nodes) - goto node_error; - if (!sk_X509_POLICY_NODE_push(level->nodes, node)) - goto node_error; - if (parent) - parent->nchild++; - } - } - - if (tree) { - if (!tree->extra_data) - tree->extra_data = sk_X509_POLICY_DATA_new_null(); - if (!tree->extra_data) - goto node_error_cond; - if (!sk_X509_POLICY_DATA_push(tree->extra_data, data)) - goto node_error_cond; - } - - if (nodep) - *nodep = node; - - return 1; - -node_error_cond: - if (level) - node = NULL; -node_error: - policy_node_free(node); - node = NULL; - if (nodep) - *nodep = node; - return 0; -} - -void -policy_node_free(X509_POLICY_NODE *node) -{ - free(node); -} - -/* See if a policy node matches a policy OID. If mapping enabled look through - * expected policy set otherwise just valid policy. - */ - -int -policy_node_match(const X509_POLICY_LEVEL *lvl, const X509_POLICY_NODE *node, - const ASN1_OBJECT *oid) -{ - int i; - ASN1_OBJECT *policy_oid; - const X509_POLICY_DATA *x = node->data; - - if ((lvl->flags & X509_V_FLAG_INHIBIT_MAP) || - !(x->flags & POLICY_DATA_FLAG_MAP_MASK)) { - if (!OBJ_cmp(x->valid_policy, oid)) - return 1; - return 0; - } - - for (i = 0; i < sk_ASN1_OBJECT_num(x->expected_policy_set); i++) { - policy_oid = sk_ASN1_OBJECT_value(x->expected_policy_set, i); - if (!OBJ_cmp(policy_oid, oid)) - return 1; - } - return 0; -} diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c deleted file mode 100644 index 284c08e..0000000 --- a/crypto/x509/pcy_tree.c +++ /dev/null 
@@ -1,771 +0,0 @@ -/* $OpenBSD: pcy_tree.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2004. - */ -/* ==================================================================== - * Copyright (c) 2004 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include - -#include "pcy_int.h" -#include "x509_lcl.h" - -/* Enable this to print out the complete policy tree at various point during - * evaluation. - */ - -/*#define OPENSSL_POLICY_DEBUG*/ - -#ifdef OPENSSL_POLICY_DEBUG - -static void -expected_print(BIO *err, X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, - int indent) -{ - if ((lev->flags & X509_V_FLAG_INHIBIT_MAP) || - !(node->data->flags & POLICY_DATA_FLAG_MAP_MASK)) - BIO_puts(err, " Not Mapped\n"); - else { - int i; - STACK_OF(ASN1_OBJECT) *pset = node->data->expected_policy_set; - ASN1_OBJECT *oid; - BIO_puts(err, " Expected: "); - for (i = 0; i < sk_ASN1_OBJECT_num(pset); i++) { - oid = sk_ASN1_OBJECT_value(pset, i); - if (i) - BIO_puts(err, ", "); - i2a_ASN1_OBJECT(err, oid); - } - BIO_puts(err, "\n"); - } -} - -static void -tree_print(char *str, X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr) -{ - X509_POLICY_LEVEL *plev; - X509_POLICY_NODE *node; - int i; - BIO *err; - - if ((err = BIO_new_fp(stderr, BIO_NOCLOSE)) == NULL) - return; - - if (!curr) - curr = tree->levels + tree->nlevel; - else - curr++; - BIO_printf(err, "Level print after %s\n", str); - BIO_printf(err, "Printing Up to Level 
%ld\n", curr - tree->levels); - for (plev = tree->levels; plev != curr; plev++) { - BIO_printf(err, "Level %ld, flags = %x\n", - plev - tree->levels, plev->flags); - for (i = 0; i < sk_X509_POLICY_NODE_num(plev->nodes); i++) { - node = sk_X509_POLICY_NODE_value(plev->nodes, i); - X509_POLICY_NODE_print(err, node, 2); - expected_print(err, plev, node, 2); - BIO_printf(err, " Flags: %x\n", node->data->flags); - } - if (plev->anyPolicy) - X509_POLICY_NODE_print(err, plev->anyPolicy, 2); - } - - BIO_free(err); -} -#else - -#define tree_print(a,b,c) /* */ - -#endif - -/* Initialize policy tree. Return values: - * 0 Some internal error occured. - * -1 Inconsistent or invalid extensions in certificates. - * 1 Tree initialized OK. - * 2 Policy tree is empty. - * 5 Tree OK and requireExplicitPolicy true. - * 6 Tree empty and requireExplicitPolicy true. - */ - -static int -tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, unsigned int flags) -{ - X509_POLICY_TREE *tree; - X509_POLICY_LEVEL *level; - const X509_POLICY_CACHE *cache; - X509_POLICY_DATA *data = NULL; - X509 *x; - int ret = 1; - int i, n; - int explicit_policy; - int any_skip; - int map_skip; - - *ptree = NULL; - n = sk_X509_num(certs); - - if (flags & X509_V_FLAG_EXPLICIT_POLICY) - explicit_policy = 0; - else - explicit_policy = n + 1; - - if (flags & X509_V_FLAG_INHIBIT_ANY) - any_skip = 0; - else - any_skip = n + 1; - - if (flags & X509_V_FLAG_INHIBIT_MAP) - map_skip = 0; - else - map_skip = n + 1; - - /* Can't do anything with just a trust anchor */ - if (n == 1) - return 1; - /* First setup policy cache in all certificates apart from the - * trust anchor. Note any bad cache results on the way. Also can - * calculate explicit_policy value at this point. 
- */ - for (i = n - 2; i >= 0; i--) { - x = sk_X509_value(certs, i); - X509_check_purpose(x, -1, -1); - cache = policy_cache_set(x); - /* If cache NULL something bad happened: return immediately */ - if (cache == NULL) - return 0; - /* If inconsistent extensions keep a note of it but continue */ - if (x->ex_flags & EXFLAG_INVALID_POLICY) - ret = -1; - /* Otherwise if we have no data (hence no CertificatePolicies) - * and haven't already set an inconsistent code note it. - */ - else if ((ret == 1) && !cache->data) - ret = 2; - if (explicit_policy > 0) { - if (!(x->ex_flags & EXFLAG_SI)) - explicit_policy--; - if ((cache->explicit_skip != -1) && - (cache->explicit_skip < explicit_policy)) - explicit_policy = cache->explicit_skip; - } - } - - if (ret != 1) { - if (ret == 2 && !explicit_policy) - return 6; - return ret; - } - - - /* If we get this far initialize the tree */ - - tree = malloc(sizeof(X509_POLICY_TREE)); - - if (!tree) - return 0; - - tree->flags = 0; - tree->levels = calloc(n, sizeof(X509_POLICY_LEVEL)); - tree->nlevel = 0; - tree->extra_data = NULL; - tree->auth_policies = NULL; - tree->user_policies = NULL; - - if (!tree->levels) { - free(tree); - return 0; - } - - tree->nlevel = n; - - level = tree->levels; - - /* Root data: initialize to anyPolicy */ - - data = policy_data_new(NULL, OBJ_nid2obj(NID_any_policy), 0); - - if (!data || !level_add_node(level, data, NULL, tree, NULL)) - goto bad_tree; - - for (i = n - 2; i >= 0; i--) { - level++; - x = sk_X509_value(certs, i); - cache = policy_cache_set(x); - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); - level->cert = x; - - if (!cache->anyPolicy) - level->flags |= X509_V_FLAG_INHIBIT_ANY; - - /* Determine inhibit any and inhibit map flags */ - if (any_skip == 0) { - /* Any matching allowed if certificate is self - * issued and not the last in the chain. 
- */ - if (!(x->ex_flags & EXFLAG_SI) || (i == 0)) - level->flags |= X509_V_FLAG_INHIBIT_ANY; - } else { - if (!(x->ex_flags & EXFLAG_SI)) - any_skip--; - if ((cache->any_skip >= 0) && - (cache->any_skip < any_skip)) - any_skip = cache->any_skip; - } - - if (map_skip == 0) - level->flags |= X509_V_FLAG_INHIBIT_MAP; - else { - if (!(x->ex_flags & EXFLAG_SI)) - map_skip--; - if ((cache->map_skip >= 0) && - (cache->map_skip < map_skip)) - map_skip = cache->map_skip; - } - - } - - *ptree = tree; - - if (explicit_policy) - return 1; - else - return 5; - -bad_tree: - X509_policy_tree_free(tree); - - return 0; -} - -static int -tree_link_matching_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_DATA *data) -{ - X509_POLICY_LEVEL *last = curr - 1; - X509_POLICY_NODE *node; - int i, matched = 0; - - /* Iterate through all in nodes linking matches */ - for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) { - node = sk_X509_POLICY_NODE_value(last->nodes, i); - if (policy_node_match(last, node, data->valid_policy)) { - if (!level_add_node(curr, data, node, NULL, NULL)) - return 0; - matched = 1; - } - } - if (!matched && last->anyPolicy) { - if (!level_add_node(curr, data, last->anyPolicy, NULL, NULL)) - return 0; - } - return 1; -} - -/* This corresponds to RFC3280 6.1.3(d)(1): - * link any data from CertificatePolicies onto matching parent - * or anyPolicy if no match. - */ - -static int -tree_link_nodes(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache) -{ - int i; - X509_POLICY_DATA *data; - - for (i = 0; i < sk_X509_POLICY_DATA_num(cache->data); i++) { - data = sk_X509_POLICY_DATA_value(cache->data, i); - /* Look for matching nodes in previous level */ - if (!tree_link_matching_nodes(curr, data)) - return 0; - } - return 1; -} - -/* This corresponds to RFC3280 6.1.3(d)(2): - * Create new data for any unmatched policies in the parent and link - * to anyPolicy. 
- */ - -static int -tree_add_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache, - const ASN1_OBJECT *id, X509_POLICY_NODE *node, X509_POLICY_TREE *tree) -{ - X509_POLICY_DATA *data; - - if (id == NULL) - id = node->data->valid_policy; - /* Create a new node with qualifiers from anyPolicy and - * id from unmatched node. - */ - data = policy_data_new(NULL, id, node_critical(node)); - - if (data == NULL) - return 0; - /* Curr may not have anyPolicy */ - data->qualifier_set = cache->anyPolicy->qualifier_set; - data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; - if (!level_add_node(curr, data, node, tree, NULL)) { - policy_data_free(data); - return 0; - } - - return 1; -} - -static int -tree_link_unmatched(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache, - X509_POLICY_NODE *node, X509_POLICY_TREE *tree) -{ - const X509_POLICY_LEVEL *last = curr - 1; - int i; - - if ((last->flags & X509_V_FLAG_INHIBIT_MAP) || - !(node->data->flags & POLICY_DATA_FLAG_MAPPED)) { - /* If no policy mapping: matched if one child present */ - if (node->nchild) - return 1; - if (!tree_add_unmatched(curr, cache, NULL, node, tree)) - return 0; - /* Add it */ - } else { - /* If mapping: matched if one child per expected policy set */ - STACK_OF(ASN1_OBJECT) *expset = node->data->expected_policy_set; - if (node->nchild == sk_ASN1_OBJECT_num(expset)) - return 1; - /* Locate unmatched nodes */ - for (i = 0; i < sk_ASN1_OBJECT_num(expset); i++) { - ASN1_OBJECT *oid = sk_ASN1_OBJECT_value(expset, i); - if (level_find_node(curr, node, oid)) - continue; - if (!tree_add_unmatched(curr, cache, oid, node, tree)) - return 0; - } - } - - return 1; -} - -static int -tree_link_any(X509_POLICY_LEVEL *curr, const X509_POLICY_CACHE *cache, - X509_POLICY_TREE *tree) -{ - int i; - X509_POLICY_NODE *node; - X509_POLICY_LEVEL *last = curr - 1; - - for (i = 0; i < sk_X509_POLICY_NODE_num(last->nodes); i++) { - node = sk_X509_POLICY_NODE_value(last->nodes, i); - - if (!tree_link_unmatched(curr, 
cache, node, tree)) - return 0; - } - /* Finally add link to anyPolicy */ - if (last->anyPolicy) { - if (!level_add_node(curr, cache->anyPolicy, - last->anyPolicy, NULL, NULL)) - return 0; - } - return 1; -} - -/* Prune the tree: delete any child mapped child data on the current level - * then proceed up the tree deleting any data with no children. If we ever - * have no data on a level we can halt because the tree will be empty. - */ - -static int -tree_prune(X509_POLICY_TREE *tree, X509_POLICY_LEVEL *curr) -{ - STACK_OF(X509_POLICY_NODE) *nodes; - X509_POLICY_NODE *node; - int i; - - nodes = curr->nodes; - if (curr->flags & X509_V_FLAG_INHIBIT_MAP) { - for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) { - node = sk_X509_POLICY_NODE_value(nodes, i); - /* Delete any mapped data: see RFC3280 XXXX */ - if (node->data->flags & POLICY_DATA_FLAG_MAP_MASK) { - node->parent->nchild--; - free(node); - (void)sk_X509_POLICY_NODE_delete(nodes, i); - } - } - } - - for (;;) { - --curr; - nodes = curr->nodes; - for (i = sk_X509_POLICY_NODE_num(nodes) - 1; i >= 0; i--) { - node = sk_X509_POLICY_NODE_value(nodes, i); - if (node->nchild == 0) { - node->parent->nchild--; - free(node); - (void)sk_X509_POLICY_NODE_delete(nodes, i); - } - } - if (curr->anyPolicy && !curr->anyPolicy->nchild) { - if (curr->anyPolicy->parent) - curr->anyPolicy->parent->nchild--; - free(curr->anyPolicy); - curr->anyPolicy = NULL; - } - if (curr == tree->levels) { - /* If we zapped anyPolicy at top then tree is empty */ - if (!curr->anyPolicy) - return 2; - return 1; - } - } - - return 1; -} - -static int -tree_add_auth_node(STACK_OF(X509_POLICY_NODE) **pnodes, X509_POLICY_NODE *pcy) -{ - if (!*pnodes) { - *pnodes = policy_node_cmp_new(); - if (!*pnodes) - return 0; - } else if (sk_X509_POLICY_NODE_find(*pnodes, pcy) != -1) - return 1; - - if (!sk_X509_POLICY_NODE_push(*pnodes, pcy)) - return 0; - - return 1; -} - -/* Calculate the authority set based on policy tree. 
- * The 'pnodes' parameter is used as a store for the set of policy nodes - * used to calculate the user set. If the authority set is not anyPolicy - * then pnodes will just point to the authority set. If however the authority - * set is anyPolicy then the set of valid policies (other than anyPolicy) - * is store in pnodes. The return value of '2' is used in this case to indicate - * that pnodes should be freed. - */ - -static int -tree_calculate_authority_set(X509_POLICY_TREE *tree, - STACK_OF(X509_POLICY_NODE) **pnodes) -{ - X509_POLICY_LEVEL *curr; - X509_POLICY_NODE *node, *anyptr; - STACK_OF(X509_POLICY_NODE) **addnodes; - int i, j; - - curr = tree->levels + tree->nlevel - 1; - - /* If last level contains anyPolicy set is anyPolicy */ - if (curr->anyPolicy) { - if (!tree_add_auth_node(&tree->auth_policies, curr->anyPolicy)) - return 0; - addnodes = pnodes; - } else - /* Add policies to authority set */ - addnodes = &tree->auth_policies; - - curr = tree->levels; - for (i = 1; i < tree->nlevel; i++) { - /* If no anyPolicy node on this this level it can't - * appear on lower levels so end search. - */ - if (!(anyptr = curr->anyPolicy)) - break; - curr++; - for (j = 0; j < sk_X509_POLICY_NODE_num(curr->nodes); j++) { - node = sk_X509_POLICY_NODE_value(curr->nodes, j); - if ((node->parent == anyptr) && - !tree_add_auth_node(addnodes, node)) - return 0; - } - } - - if (addnodes == pnodes) - return 2; - - *pnodes = tree->auth_policies; - - return 1; -} - -static int -tree_calculate_user_set(X509_POLICY_TREE *tree, - STACK_OF(ASN1_OBJECT) *policy_oids, STACK_OF(X509_POLICY_NODE) *auth_nodes) -{ - int i; - X509_POLICY_NODE *node; - ASN1_OBJECT *oid; - X509_POLICY_NODE *anyPolicy; - X509_POLICY_DATA *extra; - - /* Check if anyPolicy present in authority constrained policy set: - * this will happen if it is a leaf node. 
- */ - - if (sk_ASN1_OBJECT_num(policy_oids) <= 0) - return 1; - - anyPolicy = tree->levels[tree->nlevel - 1].anyPolicy; - - for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) { - oid = sk_ASN1_OBJECT_value(policy_oids, i); - if (OBJ_obj2nid(oid) == NID_any_policy) { - tree->flags |= POLICY_FLAG_ANY_POLICY; - return 1; - } - } - - for (i = 0; i < sk_ASN1_OBJECT_num(policy_oids); i++) { - oid = sk_ASN1_OBJECT_value(policy_oids, i); - node = tree_find_sk(auth_nodes, oid); - if (!node) { - if (!anyPolicy) - continue; - /* Create a new node with policy ID from user set - * and qualifiers from anyPolicy. - */ - extra = policy_data_new(NULL, oid, - node_critical(anyPolicy)); - if (!extra) - return 0; - extra->qualifier_set = anyPolicy->data->qualifier_set; - extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS | - POLICY_DATA_FLAG_EXTRA_NODE; - (void) level_add_node(NULL, extra, anyPolicy->parent, - tree, &node); - } - if (!tree->user_policies) { - tree->user_policies = sk_X509_POLICY_NODE_new_null(); - if (!tree->user_policies) - return 1; - } - if (!sk_X509_POLICY_NODE_push(tree->user_policies, node)) - return 0; - } - return 1; -} - -static int -tree_evaluate(X509_POLICY_TREE *tree) -{ - int ret, i; - X509_POLICY_LEVEL *curr = tree->levels + 1; - const X509_POLICY_CACHE *cache; - - for (i = 1; i < tree->nlevel; i++, curr++) { - cache = policy_cache_set(curr->cert); - if (!tree_link_nodes(curr, cache)) - return 0; - - if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) && - !tree_link_any(curr, cache, tree)) - return 0; - tree_print("before tree_prune()", tree, curr); - ret = tree_prune(tree, curr); - if (ret != 1) - return ret; - } - - return 1; -} - -static void -exnode_free(X509_POLICY_NODE *node) -{ - if (node->data && (node->data->flags & POLICY_DATA_FLAG_EXTRA_NODE)) - free(node); -} - -void -X509_policy_tree_free(X509_POLICY_TREE *tree) -{ - X509_POLICY_LEVEL *curr; - int i; - - if (!tree) - return; - - sk_X509_POLICY_NODE_free(tree->auth_policies); - 
sk_X509_POLICY_NODE_pop_free(tree->user_policies, exnode_free); - - for (i = 0, curr = tree->levels; i < tree->nlevel; i++, curr++) { - X509_free(curr->cert); - if (curr->nodes) - sk_X509_POLICY_NODE_pop_free(curr->nodes, - policy_node_free); - if (curr->anyPolicy) - policy_node_free(curr->anyPolicy); - } - - if (tree->extra_data) - sk_X509_POLICY_DATA_pop_free(tree->extra_data, - policy_data_free); - - free(tree->levels); - free(tree); -} - -/* Application policy checking function. - * Return codes: - * 0 Internal Error. - * 1 Successful. - * -1 One or more certificates contain invalid or inconsistent extensions - * -2 User constrained policy set empty and requireExplicit true. - */ - -int -X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy, - STACK_OF(X509) *certs, STACK_OF(ASN1_OBJECT) *policy_oids, - unsigned int flags) -{ - int ret, ret2; - X509_POLICY_TREE *tree = NULL; - STACK_OF(X509_POLICY_NODE) *nodes, *auth_nodes = NULL; - - *ptree = NULL; - *pexplicit_policy = 0; - ret = tree_init(&tree, certs, flags); - - switch (ret) { - - /* Tree empty requireExplicit False: OK */ - case 2: - return 1; - - /* Some internal error */ - case -1: - return -1; - - /* Some internal error */ - case 0: - return 0; - - /* Tree empty requireExplicit True: Error */ - - case 6: - *pexplicit_policy = 1; - return -2; - - /* Tree OK requireExplicit True: OK and continue */ - case 5: - *pexplicit_policy = 1; - break; - - /* Tree OK: continue */ - - case 1: - if (!tree) - /* - * tree_init() returns success and a null tree - * if it's just looking at a trust anchor. - * I'm not sure that returning success here is - * correct, but I'm sure that reporting this - * as an internal error which our caller - * interprets as a malloc failure is wrong. 
- */ - return 1; - break; - } - - if (!tree) - goto error; - ret = tree_evaluate(tree); - - tree_print("tree_evaluate()", tree, NULL); - - if (ret <= 0) - goto error; - - /* Return value 2 means tree empty */ - if (ret == 2) { - X509_policy_tree_free(tree); - if (*pexplicit_policy) - return -2; - else - return 1; - } - - /* Tree is not empty: continue */ - - ret = tree_calculate_authority_set(tree, &auth_nodes); - if (ret == 0) - goto error; - - ret2 = tree_calculate_user_set(tree, policy_oids, auth_nodes); - - /* Return value 2 means auth_nodes needs to be freed */ - if (ret == 2) - sk_X509_POLICY_NODE_free(auth_nodes); - - if (ret2 == 0) - goto error; - - if (tree) - *ptree = tree; - - if (*pexplicit_policy) { - nodes = X509_policy_tree_get0_user_policies(tree); - if (sk_X509_POLICY_NODE_num(nodes) <= 0) - return -2; - } - - return 1; - -error: - X509_policy_tree_free(tree); - - return 0; -} diff --git a/crypto/x509/x509_addr.c b/crypto/x509/x509_addr.c index 0353538..2d8cc0b 100644 --- a/crypto/x509/x509_addr.c +++ b/crypto/x509/x509_addr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_addr.c,v 1.78 2022/03/16 11:44:36 tb Exp $ */ +/* $OpenBSD: x509_addr.c,v 1.86 2023/02/16 08:38:17 tb Exp $ */ /* * Contributed to the OpenSSL Project by the American Registry for * Internet Numbers ("ARIN"). @@ -73,8 +73,9 @@ #include #include +#include "asn1_local.h" #include "bytestring.h" -#include "x509_lcl.h" +#include "x509_local.h" #ifndef OPENSSL_NO_RFC3779 
@@ -214,24 +215,28 @@ d2i_IPAddressRange(IPAddressRange **a, const unsigned char **in, long len) return (IPAddressRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &IPAddressRange_it); } +LCRYPTO_ALIAS(d2i_IPAddressRange); int i2d_IPAddressRange(IPAddressRange *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressRange_it); } +LCRYPTO_ALIAS(i2d_IPAddressRange); IPAddressRange * IPAddressRange_new(void) { return (IPAddressRange *)ASN1_item_new(&IPAddressRange_it); } +LCRYPTO_ALIAS(IPAddressRange_new); void IPAddressRange_free(IPAddressRange *a) { ASN1_item_free((ASN1_VALUE *)a, &IPAddressRange_it); } +LCRYPTO_ALIAS(IPAddressRange_free); IPAddressOrRange * d2i_IPAddressOrRange(IPAddressOrRange **a, const unsigned char **in, long len) @@ -239,24 +244,28 @@ d2i_IPAddressOrRange(IPAddressOrRange **a, const unsigned char **in, long len) return (IPAddressOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &IPAddressOrRange_it); } +LCRYPTO_ALIAS(d2i_IPAddressOrRange); int i2d_IPAddressOrRange(IPAddressOrRange *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressOrRange_it); } +LCRYPTO_ALIAS(i2d_IPAddressOrRange); IPAddressOrRange * IPAddressOrRange_new(void) { return (IPAddressOrRange *)ASN1_item_new(&IPAddressOrRange_it); } +LCRYPTO_ALIAS(IPAddressOrRange_new); void IPAddressOrRange_free(IPAddressOrRange *a) { ASN1_item_free((ASN1_VALUE *)a, &IPAddressOrRange_it); } +LCRYPTO_ALIAS(IPAddressOrRange_free); IPAddressChoice * d2i_IPAddressChoice(IPAddressChoice **a, const unsigned char **in, long len) 
@@ -264,24 +273,28 @@ d2i_IPAddressChoice(IPAddressChoice **a, const unsigned char **in, long len) return (IPAddressChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &IPAddressChoice_it); } +LCRYPTO_ALIAS(d2i_IPAddressChoice); int i2d_IPAddressChoice(IPAddressChoice *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressChoice_it); } +LCRYPTO_ALIAS(i2d_IPAddressChoice); IPAddressChoice * IPAddressChoice_new(void) { return (IPAddressChoice *)ASN1_item_new(&IPAddressChoice_it); } +LCRYPTO_ALIAS(IPAddressChoice_new); void IPAddressChoice_free(IPAddressChoice *a) { ASN1_item_free((ASN1_VALUE *)a, &IPAddressChoice_it); } +LCRYPTO_ALIAS(IPAddressChoice_free); IPAddressFamily * d2i_IPAddressFamily(IPAddressFamily **a, const unsigned char **in, long len) @@ -289,24 +302,28 @@ d2i_IPAddressFamily(IPAddressFamily **a, const unsigned char **in, long len) return (IPAddressFamily *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &IPAddressFamily_it); } +LCRYPTO_ALIAS(d2i_IPAddressFamily); int i2d_IPAddressFamily(IPAddressFamily *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &IPAddressFamily_it); } +LCRYPTO_ALIAS(i2d_IPAddressFamily); IPAddressFamily * IPAddressFamily_new(void) { return (IPAddressFamily *)ASN1_item_new(&IPAddressFamily_it); } +LCRYPTO_ALIAS(IPAddressFamily_new); void IPAddressFamily_free(IPAddressFamily *a) { ASN1_item_free((ASN1_VALUE *)a, &IPAddressFamily_it); } +LCRYPTO_ALIAS(IPAddressFamily_free); /* * Convenience accessors for IPAddressFamily. @@ -517,6 +534,7 @@ X509v3_addr_get_afi(const IPAddressFamily *af) return afi; } +LCRYPTO_ALIAS(X509v3_addr_get_afi); /* * Expand the bitstring form (RFC 3779, section 2.1.2) of an address into 
@@ -847,44 +865,45 @@ range_should_be_prefix(const unsigned char *min, const unsigned char *max, } /* - * Construct a prefix. + * Fill IPAddressOrRange with bit string encoding of a prefix - RFC 3779, 2.1.1. */ static int -make_addressPrefix(IPAddressOrRange **result, unsigned char *addr, - unsigned int afi, int prefix_len) +make_addressPrefix(IPAddressOrRange **out_aor, uint8_t *addr, uint32_t afi, + int prefix_len) { - IPAddressOrRange *aor; - int afi_len, byte_len, bit_len, max_len; + IPAddressOrRange *aor = NULL; + int afi_len, max_len, num_bits, num_octets; + uint8_t unused_bits; if (prefix_len < 0) - return 0; + goto err; max_len = 16; if ((afi_len = length_from_afi(afi)) > 0) max_len = afi_len; if (prefix_len > 8 * max_len) - return 0; + goto err; - byte_len = (prefix_len + 7) / 8; - bit_len = prefix_len % 8; + num_octets = (prefix_len + 7) / 8; + num_bits = prefix_len % 8; + + unused_bits = 0; + if (num_bits > 0) + unused_bits = 8 - num_bits; if ((aor = IPAddressOrRange_new()) == NULL) - return 0; + goto err; + aor->type = IPAddressOrRange_addressPrefix; + if ((aor->u.addressPrefix = ASN1_BIT_STRING_new()) == NULL) goto err; - - if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, byte_len)) + if (!ASN1_BIT_STRING_set(aor->u.addressPrefix, addr, num_octets)) + goto err; + if (!asn1_abs_set_unused_bits(aor->u.addressPrefix, unused_bits)) goto err; - aor->u.addressPrefix->flags &= ~7; - aor->u.addressPrefix->flags |= ASN1_STRING_FLAG_BITS_LEFT; - if (bit_len > 0) { - aor->u.addressPrefix->data[byte_len - 1] &= ~(0xff >> bit_len); - aor->u.addressPrefix->flags |= 8 - bit_len; - } - - *result = aor; + *out_aor = aor; return 1; err: 
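Review bot: The rewritten make_addressPrefix no longer clears the host bits below prefix_len in the last octet (the old `data[byte_len - 1] &= ~(0xff >> bit_len)` has been dropped), so a canonical encoding now depends either on asn1_abs_set_unused_bits() zeroing the unused bits or on every caller passing an `addr` that is already masked. If asn1_abs_set_unused_bits() only records the unused-bit count, a prefix built from an unmasked address would carry non-zero unused bits, which DER forbids and which X509v3_addr_is_canonical may later reject; whichever holds, the new call site deserves a comment such as `/* the bits below prefix_len in the last octet must already be zero: asn1_abs_set_unused_bits() only records the count — TODO confirm */`. The change of the `afi` parameter from `unsigned int` to `uint32_t` is an interface change for the callers, which are outside this hunk, as is the cleanup after `err:`.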
@@ -892,59 +911,126 @@ make_addressPrefix(IPAddressOrRange **result, unsigned char *addr, return 0; } +static uint8_t +count_trailing_zeroes(uint8_t octet) +{ + uint8_t count = 0; + + if (octet == 0) + return 8; + + while ((octet & (1 << count)) == 0) + count++; + + return count; +} + +static int +trim_end_u8(CBS *cbs, uint8_t trim) +{ + uint8_t octet; + + while (CBS_len(cbs) > 0) { + if (!CBS_peek_last_u8(cbs, &octet)) + return 0; + if (octet != trim) + return 1; + if (!CBS_get_last_u8(cbs, &octet)) + return 0; + } + + return 1; +} + /* - * Construct a range. If it can be expressed as a prefix, - * return a prefix instead. Doing this here simplifies - * the rest of the code considerably. + * Populate IPAddressOrRange with bit string encoding of a range, see + * RFC 3779, 2.1.2. */ static int -make_addressRange(IPAddressOrRange **result, unsigned char *min, - unsigned char *max, unsigned int afi, int length) +make_addressRange(IPAddressOrRange **out_aor, uint8_t *min, uint8_t *max, + uint32_t afi, int length) { - IPAddressOrRange *aor; - int i, prefix_len; + IPAddressOrRange *aor = NULL; + IPAddressRange *range; + int prefix_len; + CBS cbs; + size_t max_len, min_len; + uint8_t unused_bits_min, unused_bits_max; + uint8_t octet; if (memcmp(min, max, length) > 0) - return 0; + goto err; + + /* + * RFC 3779, 2.2.3.6 - a range that can be expressed as a prefix + * must be encoded as a prefix. + */ if ((prefix_len = range_should_be_prefix(min, max, length)) >= 0) - return make_addressPrefix(result, min, afi, prefix_len); + return make_addressPrefix(out_aor, min, afi, prefix_len); + + /* + * The bit string representing min is formed by removing all its + * trailing zero bits, so remove all trailing zero octets and count + * the trailing zero bits of the last octet. 
+ */ + + CBS_init(&cbs, min, length); + + if (!trim_end_u8(&cbs, 0x00)) + goto err; + + unused_bits_min = 0; + if ((min_len = CBS_len(&cbs)) > 0) { + if (!CBS_peek_last_u8(&cbs, &octet)) + goto err; + + unused_bits_min = count_trailing_zeroes(octet); + } + + /* + * The bit string representing max is formed by removing all its + * trailing one bits, so remove all trailing 0xff octets and count + * the trailing ones of the last octet. + */ + + CBS_init(&cbs, max, length); + + if (!trim_end_u8(&cbs, 0xff)) + goto err; + + unused_bits_max = 0; + if ((max_len = CBS_len(&cbs)) > 0) { + if (!CBS_peek_last_u8(&cbs, &octet)) + goto err; + + unused_bits_max = count_trailing_zeroes(octet + 1); + } + + /* + * Populate IPAddressOrRange. + */ if ((aor = IPAddressOrRange_new()) == NULL) - return 0; + goto err; + aor->type = IPAddressOrRange_addressRange; - if ((aor->u.addressRange = IPAddressRange_new()) == NULL) + + if ((range = aor->u.addressRange = IPAddressRange_new()) == NULL) goto err; - for (i = length; i > 0 && min[i - 1] == 0x00; --i) - continue; - if (!ASN1_BIT_STRING_set(aor->u.addressRange->min, min, i)) + if (!ASN1_BIT_STRING_set(range->min, min, min_len)) goto err; - aor->u.addressRange->min->flags &= ~7; - aor->u.addressRange->min->flags |= ASN1_STRING_FLAG_BITS_LEFT; - if (i > 0) { - unsigned char b = min[i - 1]; - int j = 1; - while ((b & (0xffU >> j)) != 0) - ++j; - aor->u.addressRange->min->flags |= 8 - j; - } - - for (i = length; i > 0 && max[i - 1] == 0xff; --i) - continue; - if (!ASN1_BIT_STRING_set(aor->u.addressRange->max, max, i)) + if (!asn1_abs_set_unused_bits(range->min, unused_bits_min)) goto err; - aor->u.addressRange->max->flags &= ~7; - aor->u.addressRange->max->flags |= ASN1_STRING_FLAG_BITS_LEFT; - if (i > 0) { - unsigned char b = max[i - 1]; - int j = 1; - while ((b & (0xffU >> j)) != (0xffU >> j)) - ++j; - aor->u.addressRange->max->flags |= 8 - j; - } - *result = aor; + if (!ASN1_BIT_STRING_set(range->max, max, max_len)) + goto err; + if 
(!asn1_abs_set_unused_bits(range->max, unused_bits_max)) + goto err; + + *out_aor = aor; + return 1; err: @@ -1024,6 +1110,7 @@ X509v3_addr_add_inherit(IPAddrBlocks *addr, const unsigned afi, return IPAddressFamily_set_inheritance(af); } +LCRYPTO_ALIAS(X509v3_addr_add_inherit); /* * Construct an IPAddressOrRange sequence, or return an existing one. @@ -1087,6 +1174,7 @@ X509v3_addr_add_prefix(IPAddrBlocks *addr, const unsigned afi, return 1; } +LCRYPTO_ALIAS(X509v3_addr_add_prefix); /* * Add a range. @@ -1114,6 +1202,7 @@ X509v3_addr_add_range(IPAddrBlocks *addr, const unsigned afi, return 1; } +LCRYPTO_ALIAS(X509v3_addr_add_range); static int extract_min_max_bitstr(IPAddressOrRange *aor, ASN1_BIT_STRING **out_min, @@ -1173,6 +1262,7 @@ X509v3_addr_get_range(IPAddressOrRange *aor, const unsigned afi, return afi_len; } +LCRYPTO_ALIAS(X509v3_addr_get_range); /* * Check whether an IPAddrBLocks is in canonical form. @@ -1239,10 +1329,6 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr) aor_a = sk_IPAddressOrRange_value(aors, j); aor_b = sk_IPAddressOrRange_value(aors, j + 1); - /* - * XXX - check that both are either a prefix or a range. - */ - if (!extract_min_max(aor_a, a_min, a_max, length) || !extract_min_max(aor_b, b_min, b_max, length)) return 0; @@ -1295,6 +1381,7 @@ X509v3_addr_is_canonical(IPAddrBlocks *addr) */ return 1; } +LCRYPTO_ALIAS(X509v3_addr_is_canonical); /* * Whack an IPAddressOrRanges into canonical form. @@ -1401,6 +1488,7 @@ X509v3_addr_canonize(IPAddrBlocks *addr) return X509v3_addr_is_canonical(addr); } +LCRYPTO_ALIAS(X509v3_addr_canonize); /* * v2i handler for the IPAddrBlocks extension. @@ -1644,6 +1732,7 @@ X509v3_addr_inherits(IPAddrBlocks *addr) return 0; } +LCRYPTO_ALIAS(X509v3_addr_inherits); /* * Figure out whether parent contains child. 
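Review bot: `unused_bits_max = count_trailing_zeroes(octet + 1)` in make_addressRange is only correct because the preceding trim_end_u8(&cbs, 0xff) guarantees the remaining last octet is not 0xff; with octet == 0xff the sum would be 0x100, silently truncated to 0 by the uint8_t parameter, and count_trailing_zeroes() would report 8 unused bits. Since that invariant is established two statements earlier inside a separate helper, a comment at the call would protect it against later edits, e.g. `/* octet != 0xff after trim_end_u8(), so octet + 1 fits in a uint8_t */`. The lengths min_len and max_len are size_t while ASN1_BIT_STRING_set() takes an int; the value is bounded by `length` (at most 16 here), so this is harmless, but the implicit narrowing is worth noting in the same comment. The cleanup after `err:` and the callers are outside this hunk.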
@@ -1727,6 +1816,7 @@ X509v3_addr_subset(IPAddrBlocks *child, IPAddrBlocks *parent) } return 1; } +LCRYPTO_ALIAS(X509v3_addr_subset); static int verify_error(X509_STORE_CTX *ctx, X509 *cert, int error, int depth) @@ -1774,17 +1864,17 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, /* * Figure out where to start. If we don't have an extension to check, - * we're done. Otherwise, check canonical form and set up for walking - * up the chain. + * (either extracted from the leaf or passed by the caller), we're done. + * Otherwise, check canonical form and set up for walking up the chain. */ if (ext == NULL) { depth = 0; cert = sk_X509_value(chain, depth); + if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) + goto done; if ((ext = cert->rfc3779_addr) == NULL) goto done; - } - - if (!X509v3_addr_is_canonical(ext)) { + } else if (!X509v3_addr_is_canonical(ext)) { if ((ret = verify_error(ctx, cert, X509_V_ERR_INVALID_EXTENSION, depth)) == 0) goto done; @@ -1806,6 +1896,12 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, for (depth++; depth < sk_X509_num(chain); depth++) { cert = sk_X509_value(chain, depth); + if ((X509_get_extension_flags(cert) & EXFLAG_INVALID) != 0) { + if ((ret = verify_error(ctx, cert, + X509_V_ERR_INVALID_EXTENSION, depth)) == 0) + goto done; + } + if ((parent = cert->rfc3779_addr) == NULL) { for (i = 0; i < sk_IPAddressFamily_num(child); i++) { child_af = sk_IPAddressFamily_value(child, i); @@ -1822,12 +1918,6 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, continue; } - if (!X509v3_addr_is_canonical(parent)) { - if ((ret = verify_error(ctx, cert, - X509_V_ERR_INVALID_EXTENSION, depth)) == 0) - goto done; - } - /* * Check that the child's resources are covered by the parent. * Each covered resource is replaced with the parent's resource 
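Review bot: In the `@@ -1774,17 +1864,17 @@` hunk the leaf case now leaves via `goto done` as soon as EXFLAG_INVALID is set, without calling verify_error(), whereas the parent loop in the `@@ -1806,6 +1896,12 @@` hunk reports X509_V_ERR_INVALID_EXTENSION through verify_error() and honours its return. If `ret` still holds its initial value at that point (its initialisation is outside the hunk), the caller gets a bare failure with no error recorded on ctx and no verify-callback invocation for the leaf, which is inconsistent with how an invalid parent extension is treated. If that asymmetry is intentional, a one-line comment above the new leaf check stating where the leaf's invalid extension is reported would make it explicit, as would a comment on the new `else if` explaining that the leaf's own rfc3779_addr is no longer checked with X509v3_addr_is_canonical() because an invalid one is presumably flagged by EXFLAG_INVALID instead. addr_validate_path_internal begins and ends outside these hunks.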
@@ -1932,6 +2022,7 @@ X509v3_addr_validate_path(X509_STORE_CTX *ctx) } return addr_validate_path_internal(ctx, ctx->chain, NULL); } +LCRYPTO_ALIAS(X509v3_addr_validate_path); /* * RFC 3779 2.3 path validation of an extension. @@ -1949,5 +2040,6 @@ X509v3_addr_validate_resource_set(STACK_OF(X509) *chain, IPAddrBlocks *ext, return 0; return addr_validate_path_internal(NULL, chain, ext); } +LCRYPTO_ALIAS(X509v3_addr_validate_resource_set); #endif /* OPENSSL_NO_RFC3779 */ diff --git a/crypto/x509/x509_akeya.c b/crypto/x509/x509_akeya.c index aba8923..52eca42 100644 --- a/crypto/x509/x509_akeya.c +++ b/crypto/x509/x509_akeya.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_akeya.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_akeya.c,v 1.3 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -104,21 +104,25 @@ d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, const unsigned char **in, long len) return (AUTHORITY_KEYID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &AUTHORITY_KEYID_it); } +LCRYPTO_ALIAS(d2i_AUTHORITY_KEYID); int i2d_AUTHORITY_KEYID(AUTHORITY_KEYID *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &AUTHORITY_KEYID_it); } +LCRYPTO_ALIAS(i2d_AUTHORITY_KEYID); AUTHORITY_KEYID * AUTHORITY_KEYID_new(void) { return (AUTHORITY_KEYID *)ASN1_item_new(&AUTHORITY_KEYID_it); } +LCRYPTO_ALIAS(AUTHORITY_KEYID_new); void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a) { ASN1_item_free((ASN1_VALUE *)a, &AUTHORITY_KEYID_it); } +LCRYPTO_ALIAS(AUTHORITY_KEYID_free); diff --git a/crypto/x509/x509_alt.c b/crypto/x509/x509_alt.c index 8656df8..c4c5fca 100644 --- a/crypto/x509/x509_alt.c +++ b/crypto/x509/x509_alt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_alt.c,v 1.12 2022/03/26 16:34:21 tb Exp $ */ +/* $OpenBSD: x509_alt.c,v 1.15 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ 
@@ -152,6 +152,7 @@ i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAMES *gens, return NULL; } +LCRYPTO_ALIAS(i2v_GENERAL_NAMES); STACK_OF(CONF_VALUE) * i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, @@ -244,6 +245,7 @@ i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, return NULL; } +LCRYPTO_ALIAS(i2v_GENERAL_NAME); int GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen) @@ -310,6 +312,7 @@ GENERAL_NAME_print(BIO *out, GENERAL_NAME *gen) } return 1; } +LCRYPTO_ALIAS(GENERAL_NAME_print); static GENERAL_NAMES * v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, @@ -512,6 +515,7 @@ err: sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); return NULL; } +LCRYPTO_ALIAS(v2i_GENERAL_NAMES); GENERAL_NAME * v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, @@ -519,6 +523,7 @@ v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, { return v2i_GENERAL_NAME_ex(NULL, method, ctx, cnf, 0); } +LCRYPTO_ALIAS(v2i_GENERAL_NAME); GENERAL_NAME * a2i_GENERAL_NAME(GENERAL_NAME *out, const X509V3_EXT_METHOD *method, @@ -609,6 +614,7 @@ err: GENERAL_NAME_free(gen); return NULL; } +LCRYPTO_ALIAS(a2i_GENERAL_NAME); GENERAL_NAME * v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method, @@ -619,6 +625,7 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method, GENERAL_NAME *ret; size_t len = 0; int type; + CBS cbs; name = cnf->name; value = cnf->value; @@ -669,9 +676,10 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method, } type = x509_constraints_general_to_bytes(ret, &bytes, &len); + CBS_init(&cbs, bytes, len); switch (type) { case GEN_DNS: - if (!x509_constraints_valid_sandns(bytes, len)) { + if (!x509_constraints_valid_sandns(&cbs)) { X509V3error(X509V3_R_BAD_OBJECT); ERR_asprintf_error_data("name=%s value='%.*s'", name, (int)len, bytes); 
@@ -687,7 +695,7 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method, } break; case GEN_EMAIL: - if (!x509_constraints_parse_mailbox(bytes, len, NULL)) { + if (!x509_constraints_parse_mailbox(&cbs, NULL)) { X509V3error(X509V3_R_BAD_OBJECT); ERR_asprintf_error_data("name=%s value='%.*s'", name, (int)len, bytes); @@ -710,6 +718,7 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method, GENERAL_NAME_free(ret); return NULL; } +LCRYPTO_ALIAS(v2i_GENERAL_NAME_ex); static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx) diff --git a/crypto/x509/x509_asid.c b/crypto/x509/x509_asid.c index c82f2f3..95b1acb 100644 --- a/crypto/x509/x509_asid.c +++ b/crypto/x509/x509_asid.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_asid.c,v 1.30 2021/12/25 15:46:05 tb Exp $ */ +/* $OpenBSD: x509_asid.c,v 1.40 2023/04/19 12:30:09 jsg Exp $ */ /* * Contributed to the OpenSSL Project by the American Registry for * Internet Numbers ("ARIN"). @@ -70,10 +70,9 @@ #include #include #include -#include #include -#include "x509_lcl.h" +#include "x509_local.h" #ifndef OPENSSL_NO_RFC3779 @@ -191,24 +190,28 @@ d2i_ASRange(ASRange **a, const unsigned char **in, long len) return (ASRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &ASRange_it); } +LCRYPTO_ALIAS(d2i_ASRange); int i2d_ASRange(ASRange *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASRange_it); } +LCRYPTO_ALIAS(i2d_ASRange); ASRange * ASRange_new(void) { return (ASRange *)ASN1_item_new(&ASRange_it); } +LCRYPTO_ALIAS(ASRange_new); void ASRange_free(ASRange *a) { ASN1_item_free((ASN1_VALUE *)a, &ASRange_it); } +LCRYPTO_ALIAS(ASRange_free); ASIdOrRange * d2i_ASIdOrRange(ASIdOrRange **a, const unsigned char **in, long len) 
@@ -216,24 +219,28 @@ d2i_ASIdOrRange(ASIdOrRange **a, const unsigned char **in, long len) return (ASIdOrRange *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &ASIdOrRange_it); } +LCRYPTO_ALIAS(d2i_ASIdOrRange); int i2d_ASIdOrRange(ASIdOrRange *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdOrRange_it); } +LCRYPTO_ALIAS(i2d_ASIdOrRange); ASIdOrRange * ASIdOrRange_new(void) { return (ASIdOrRange *)ASN1_item_new(&ASIdOrRange_it); } +LCRYPTO_ALIAS(ASIdOrRange_new); void ASIdOrRange_free(ASIdOrRange *a) { ASN1_item_free((ASN1_VALUE *)a, &ASIdOrRange_it); } +LCRYPTO_ALIAS(ASIdOrRange_free); ASIdentifierChoice * d2i_ASIdentifierChoice(ASIdentifierChoice **a, const unsigned char **in, @@ -242,24 +249,28 @@ d2i_ASIdentifierChoice(ASIdentifierChoice **a, const unsigned char **in, return (ASIdentifierChoice *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &ASIdentifierChoice_it); } +LCRYPTO_ALIAS(d2i_ASIdentifierChoice); int i2d_ASIdentifierChoice(ASIdentifierChoice *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdentifierChoice_it); } +LCRYPTO_ALIAS(i2d_ASIdentifierChoice); ASIdentifierChoice * ASIdentifierChoice_new(void) { return (ASIdentifierChoice *)ASN1_item_new(&ASIdentifierChoice_it); } +LCRYPTO_ALIAS(ASIdentifierChoice_new); void ASIdentifierChoice_free(ASIdentifierChoice *a) { ASN1_item_free((ASN1_VALUE *)a, &ASIdentifierChoice_it); } +LCRYPTO_ALIAS(ASIdentifierChoice_free); ASIdentifiers * d2i_ASIdentifiers(ASIdentifiers **a, const unsigned char **in, long len) 
@@ -267,24 +278,28 @@ d2i_ASIdentifiers(ASIdentifiers **a, const unsigned char **in, long len) return (ASIdentifiers *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &ASIdentifiers_it); } +LCRYPTO_ALIAS(d2i_ASIdentifiers); int i2d_ASIdentifiers(ASIdentifiers *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &ASIdentifiers_it); } +LCRYPTO_ALIAS(i2d_ASIdentifiers); ASIdentifiers * ASIdentifiers_new(void) { return (ASIdentifiers *)ASN1_item_new(&ASIdentifiers_it); } +LCRYPTO_ALIAS(ASIdentifiers_new); void ASIdentifiers_free(ASIdentifiers *a) { ASN1_item_free((ASN1_VALUE *)a, &ASIdentifiers_it); } +LCRYPTO_ALIAS(ASIdentifiers_free); /* * i2r method for an ASIdentifierChoice. @@ -412,6 +427,7 @@ X509v3_asid_add_inherit(ASIdentifiers *asid, int which) } return (*choice)->type == ASIdentifierChoice_inherit; } +LCRYPTO_ALIAS(X509v3_asid_add_inherit); /* * Add an ID or range to an ASIdentifierChoice. @@ -466,6 +482,7 @@ X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which, ASN1_INTEGER *min, ASIdOrRange_free(aor); return 0; } +LCRYPTO_ALIAS(X509v3_asid_add_id_or_range); /* * Extract min and max values from an ASIdOrRange. @@ -562,8 +579,8 @@ ASIdentifierChoice_is_canonical(ASIdentifierChoice *choice) } /* - * Check for inverted range. - */ + * Check for inverted range. + */ i = sk_ASIdOrRange_num(choice->u.asIdsOrRanges) - 1; { ASIdOrRange *a = sk_ASIdOrRange_value(choice->u.asIdsOrRanges, @@ -594,6 +611,7 @@ X509v3_asid_is_canonical(ASIdentifiers *asid) (ASIdentifierChoice_is_canonical(asid->asnum) && ASIdentifierChoice_is_canonical(asid->rdi))); } +LCRYPTO_ALIAS(X509v3_asid_is_canonical); /* * Whack an ASIdentifierChoice into canonical form. 
@@ -753,10 +771,15 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
 int
 X509v3_asid_canonize(ASIdentifiers *asid)
 {
- return (asid == NULL ||
- (ASIdentifierChoice_canonize(asid->asnum) &&
- ASIdentifierChoice_canonize(asid->rdi)));
+ if (asid == NULL)
+ return 1;
+
+ if (!ASIdentifierChoice_canonize(asid->asnum))
+ return 0;
+
+ return ASIdentifierChoice_canonize(asid->rdi);
 }
+LCRYPTO_ALIAS(X509v3_asid_canonize);
 
 /*
 * v2i method for an ASIdentifier extension.
@@ -900,12 +923,22 @@ const X509V3_EXT_METHOD v3_asid = {
 int
 X509v3_asid_inherits(ASIdentifiers *asid)
 {
- return (asid != NULL &&
- ((asid->asnum != NULL &&
- asid->asnum->type == ASIdentifierChoice_inherit) ||
- (asid->rdi != NULL &&
- asid->rdi->type == ASIdentifierChoice_inherit)));
+ if (asid == NULL)
+ return 0;
+
+ if (asid->asnum != NULL) {
+ if (asid->asnum->type == ASIdentifierChoice_inherit)
+ return 1;
+ }
+
+ if (asid->rdi != NULL) {
+ if (asid->rdi->type == ASIdentifierChoice_inherit)
+ return 1;
+ }
+
+ return 0;
 }
+LCRYPTO_ALIAS(X509v3_asid_inherits);
 
 /*
 * Figure out whether parent contains child.
@@ -918,6 +951,7 @@ asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
 if (child == NULL || parent == child)
 return 1;
+
 if (parent == NULL)
 return 0;
@@ -944,21 +978,41 @@ asid_contains(ASIdOrRanges *parent, ASIdOrRanges *child)
 }
 
 /*
- * Test whether a is a subset of b.
+ * Test whether child is a subset of parent.
 */
 int
-X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
+X509v3_asid_subset(ASIdentifiers *child, ASIdentifiers *parent)
 {
- return (a == NULL ||
- a == b ||
- (b != NULL &&
- !X509v3_asid_inherits(a) &&
- !X509v3_asid_inherits(b) &&
- asid_contains(b->asnum->u.asIdsOrRanges,
- a->asnum->u.asIdsOrRanges) &&
- asid_contains(b->rdi->u.asIdsOrRanges,
- a->rdi->u.asIdsOrRanges)));
+ if (child == NULL || child == parent)
+ return 1;
+
+ if (parent == NULL)
+ return 0;
+
+ if (X509v3_asid_inherits(child) || X509v3_asid_inherits(parent))
+ return 0;
+
+ if (child->asnum != NULL) {
+ if (parent->asnum == NULL)
+ return 0;
+
+ if (!asid_contains(parent->asnum->u.asIdsOrRanges,
+ child->asnum->u.asIdsOrRanges))
+ return 0;
+ }
+
+ if (child->rdi != NULL) {
+ if (parent->rdi == NULL)
+ return 0;
+
+ if (!asid_contains(parent->rdi->u.asIdsOrRanges,
+ child->rdi->u.asIdsOrRanges))
+ return 0;
+ }
+
+ return 1;
 }
+LCRYPTO_ALIAS(X509v3_asid_subset);
 
 /*
 * Validation error handling via callback.
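Review bot: The rewritten X509v3_asid_subset returns 0 where the old expression would have dereferenced a NULL `asnum` or `rdi`, but the hunk does not document that contract, and the one-line header comment is all a caller gets. I would extend the comment to `Test whether child is a subset of parent. A NULL child, or child == parent, is trivially a subset; a NULL parent, or inheritance on either side, yields "not a subset" rather than being resolved here.` so the early returns read as intended behaviour rather than defensive accident.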
@@ -999,21 +1053,23 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, goto err; /* - * Figure out where to start. If we don't have an extension to - * check, we're done. Otherwise, check canonical form and - * set up for walking up the chain. + * Figure out where to start. If we don't have an extension to check, + * (either extracted from the leaf or passed by the caller), we're done. + * Otherwise, check canonical form and set up for walking up the chain. */ if (ext != NULL) { i = -1; x = NULL; + if (!X509v3_asid_is_canonical(ext)) + validation_err(X509_V_ERR_INVALID_EXTENSION); } else { i = 0; x = sk_X509_value(chain, i); + if ((X509_get_extension_flags(x) & EXFLAG_INVALID) != 0) + goto done; if ((ext = x->rfc3779_asid) == NULL) goto done; } - if (!X509v3_asid_is_canonical(ext)) - validation_err(X509_V_ERR_INVALID_EXTENSION); if (ext->asnum != NULL) { switch (ext->asnum->type) { case ASIdentifierChoice_inherit: @@ -1042,13 +1098,13 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, for (i++; i < sk_X509_num(chain); i++) { x = sk_X509_value(chain, i); + if ((X509_get_extension_flags(x) & EXFLAG_INVALID) != 0) + validation_err(X509_V_ERR_INVALID_EXTENSION); if (x->rfc3779_asid == NULL) { if (child_as != NULL || child_rdi != NULL) validation_err(X509_V_ERR_UNNESTED_RESOURCE); continue; } - if (!X509v3_asid_is_canonical(x->rfc3779_asid)) - validation_err(X509_V_ERR_INVALID_EXTENSION); if (x->rfc3779_asid->asnum == NULL && child_as != NULL) { validation_err(X509_V_ERR_UNNESTED_RESOURCE); child_as = NULL; @@ -1124,6 +1180,7 @@ X509v3_asid_validate_path(X509_STORE_CTX *ctx) } return asid_validate_path_internal(ctx, ctx->chain, NULL); } +LCRYPTO_ALIAS(X509v3_asid_validate_path); /* * RFC 3779 3.3 path validation of an extension. 
@@ -1141,5 +1198,6 @@ X509v3_asid_validate_resource_set(STACK_OF(X509) *chain, ASIdentifiers *ext, return 0; return asid_validate_path_internal(NULL, chain, ext); } +LCRYPTO_ALIAS(X509v3_asid_validate_resource_set); #endif /* OPENSSL_NO_RFC3779 */ diff --git a/crypto/x509/x509_att.c b/crypto/x509/x509_att.c index 38aa063..0c9d55f 100644 --- a/crypto/x509/x509_att.c +++ b/crypto/x509/x509_att.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_att.c,v 1.18 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509_att.c,v 1.22 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,13 +66,14 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x) { return sk_X509_ATTRIBUTE_num(x); } +LCRYPTO_ALIAS(X509at_get_attr_count); int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid, int lastpos) @@ -84,6 +85,7 @@ X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid, int lastpos) return (-2); return (X509at_get_attr_by_OBJ(x, obj, lastpos)); } +LCRYPTO_ALIAS(X509at_get_attr_by_NID); int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, @@ -105,6 +107,7 @@ X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, } return (-1); } +LCRYPTO_ALIAS(X509at_get_attr_by_OBJ); X509_ATTRIBUTE * X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc) @@ -114,6 +117,7 @@ X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc) else return sk_X509_ATTRIBUTE_value(x, loc); } +LCRYPTO_ALIAS(X509at_get_attr); X509_ATTRIBUTE * X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc) @@ -125,6 +129,7 @@ X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc) ret = sk_X509_ATTRIBUTE_delete(x, loc); return (ret); } +LCRYPTO_ALIAS(X509at_delete_attr); STACK_OF(X509_ATTRIBUTE) * X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x, X509_ATTRIBUTE *attr) 
@@ -160,6 +165,7 @@ err2: sk_X509_ATTRIBUTE_free(sk); return (NULL); } +LCRYPTO_ALIAS(X509at_add1_attr); STACK_OF(X509_ATTRIBUTE) * X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x, const ASN1_OBJECT *obj, @@ -175,6 +181,7 @@ X509at_add1_attr_by_OBJ(STACK_OF(X509_ATTRIBUTE) **x, const ASN1_OBJECT *obj, X509_ATTRIBUTE_free(attr); return ret; } +LCRYPTO_ALIAS(X509at_add1_attr_by_OBJ); STACK_OF(X509_ATTRIBUTE) * X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x, int nid, int type, @@ -190,6 +197,7 @@ X509at_add1_attr_by_NID(STACK_OF(X509_ATTRIBUTE) **x, int nid, int type, X509_ATTRIBUTE_free(attr); return ret; } +LCRYPTO_ALIAS(X509at_add1_attr_by_NID); STACK_OF(X509_ATTRIBUTE) * X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x, const char *attrname, @@ -205,6 +213,7 @@ X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x, const char *attrname, X509_ATTRIBUTE_free(attr); return ret; } +LCRYPTO_ALIAS(X509at_add1_attr_by_txt); void * X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x, const ASN1_OBJECT *obj, @@ -223,6 +232,7 @@ X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x, const ASN1_OBJECT *obj, return NULL; return X509_ATTRIBUTE_get0_data(at, 0, type, NULL); } +LCRYPTO_ALIAS(X509at_get0_data_by_OBJ); X509_ATTRIBUTE * X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid, int atrtype, @@ -241,6 +251,7 @@ X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid, int atrtype, ASN1_OBJECT_free(obj); return (ret); } +LCRYPTO_ALIAS(X509_ATTRIBUTE_create_by_NID); X509_ATTRIBUTE * X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr, const ASN1_OBJECT *obj, @@ -270,6 +281,7 @@ err: X509_ATTRIBUTE_free(ret); return (NULL); } +LCRYPTO_ALIAS(X509_ATTRIBUTE_create_by_OBJ); X509_ATTRIBUTE * X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr, const char *atrname, 
@@ -288,6 +300,7 @@ X509_ATTRIBUTE_create_by_txt(X509_ATTRIBUTE **attr, const char *atrname, ASN1_OBJECT_free(obj); return nattr; } +LCRYPTO_ALIAS(X509_ATTRIBUTE_create_by_txt); int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj) @@ -298,6 +311,7 @@ X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj) attr->object = OBJ_dup(obj); return attr->object != NULL; } +LCRYPTO_ALIAS(X509_ATTRIBUTE_set1_object); int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, @@ -324,10 +338,8 @@ X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, goto err; atype = attrtype; } - if (!(attr->value.set = sk_ASN1_TYPE_new_null())) - goto err; - attr->single = 0; - /* This is a bit naughty because the attribute should really have + /* + * This is a bit naughty because the attribute should really have * at least one value but some types use and zero length SET and * require this. */ @@ -343,7 +355,7 @@ X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, goto err; } else ASN1_TYPE_set(ttmp, atype, stmp); - if (!sk_ASN1_TYPE_push(attr->value.set, ttmp)) + if (!sk_ASN1_TYPE_push(attr->set, ttmp)) goto err; return 1; @@ -353,16 +365,17 @@ err: X509error(ERR_R_MALLOC_FAILURE); return 0; } +LCRYPTO_ALIAS(X509_ATTRIBUTE_set1_data); int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr) { - if (!attr->single) - return sk_ASN1_TYPE_num(attr->value.set); - if (attr->value.single) - return 1; - return 0; + if (attr == NULL) + return 0; + + return sk_ASN1_TYPE_num(attr->set); } +LCRYPTO_ALIAS(X509_ATTRIBUTE_count); ASN1_OBJECT * X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr) @@ -371,6 +384,7 @@ X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr) return (NULL); return (attr->object); } +LCRYPTO_ALIAS(X509_ATTRIBUTE_get0_object); void * X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int atrtype, void *data) 
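Review bot: Both the X509_ATTRIBUTE_set1_data hunk (`@@ -324,10 +338,8 @@`) and the X509_ATTRIBUTE_count rewrite assume `attr->set` is already allocated: the push that used to follow a fresh `sk_ASN1_TYPE_new_null()` now goes straight to `attr->set`, and `sk_ASN1_TYPE_num(attr->set)` yields -1, not the old 0, when that stack is NULL. If the ASN.1 template for X509_ATTRIBUTE guarantees a non-NULL set, a comment at the count such as `/* set is always allocated by the ASN.1 template, so num() never sees NULL */` records the assumption; otherwise `if (attr == NULL || attr->set == NULL) return 0;` preserves the old return value. The body of X509_ATTRIBUTE_set1_data starts outside its hunk.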
@@ -386,16 +400,14 @@ X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int atrtype, void *data) } return ttmp->value.ptr; } +LCRYPTO_ALIAS(X509_ATTRIBUTE_get0_data); ASN1_TYPE * X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx) { if (attr == NULL) return (NULL); - if (idx >= X509_ATTRIBUTE_count(attr)) - return NULL; - if (!attr->single) - return sk_ASN1_TYPE_value(attr->value.set, idx); - else - return attr->value.single; + + return sk_ASN1_TYPE_value(attr->set, idx); } +LCRYPTO_ALIAS(X509_ATTRIBUTE_get0_type); diff --git a/crypto/x509/x509_bcons.c b/crypto/x509/x509_bcons.c index 48ce7d6..a39ae0a 100644 --- a/crypto/x509/x509_bcons.c +++ b/crypto/x509/x509_bcons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_bcons.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_bcons.c,v 1.3 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -121,24 +121,28 @@ d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a, const unsigned char **in, long len) return (BASIC_CONSTRAINTS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &BASIC_CONSTRAINTS_it); } +LCRYPTO_ALIAS(d2i_BASIC_CONSTRAINTS); int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &BASIC_CONSTRAINTS_it); } +LCRYPTO_ALIAS(i2d_BASIC_CONSTRAINTS); BASIC_CONSTRAINTS * BASIC_CONSTRAINTS_new(void) { return (BASIC_CONSTRAINTS *)ASN1_item_new(&BASIC_CONSTRAINTS_it); } +LCRYPTO_ALIAS(BASIC_CONSTRAINTS_new); void BASIC_CONSTRAINTS_free(BASIC_CONSTRAINTS *a) { ASN1_item_free((ASN1_VALUE *)a, &BASIC_CONSTRAINTS_it); } +LCRYPTO_ALIAS(BASIC_CONSTRAINTS_free); static STACK_OF(CONF_VALUE) * diff --git a/crypto/x509/x509_bitst.c b/crypto/x509/x509_bitst.c index 3d99818..97c630d 100644 --- a/crypto/x509/x509_bitst.c +++ b/crypto/x509/x509_bitst.c 
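Review bot: X509_ATTRIBUTE_get0_type drops the `idx >= X509_ATTRIBUTE_count(attr)` guard and now relies on sk_ASN1_TYPE_value() returning NULL for a negative or out-of-range index, which is not obvious from the two lines that remain. Add `/* sk_value() returns NULL for an out-of-range idx, so no explicit bound check is needed */` above the return so the next reader does not reinstate the check.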
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509_bitst.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_bitst.c,v 1.4 2023/04/21 06:11:56 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -88,6 +88,20 @@ static BIT_STRING_BITNAME key_usage_type_table[] = { {-1, NULL, NULL} }; +static BIT_STRING_BITNAME crl_reasons[] = { + {CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"}, + {CRL_REASON_KEY_COMPROMISE, "Key Compromise", "keyCompromise"}, + {CRL_REASON_CA_COMPROMISE, "CA Compromise", "CACompromise"}, + {CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"}, + {CRL_REASON_SUPERSEDED, "Superseded", "superseded"}, + {CRL_REASON_CESSATION_OF_OPERATION, "Cessation Of Operation", "cessationOfOperation"}, + {CRL_REASON_CERTIFICATE_HOLD, "Certificate Hold", "certificateHold"}, + {CRL_REASON_REMOVE_FROM_CRL, "Remove From CRL", "removeFromCRL"}, + {CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"}, + {CRL_REASON_AA_COMPROMISE, "AA Compromise", "AACompromise"}, + {-1, NULL, NULL} +}; + const X509V3_EXT_METHOD v3_nscert = { .ext_nid = NID_netscape_cert_type, .ext_flags = 0, @@ -122,6 +136,23 @@ const X509V3_EXT_METHOD v3_key_usage = { .usr_data = key_usage_type_table, }; +const X509V3_EXT_METHOD v3_crl_reason = { + .ext_nid = NID_crl_reason, + .ext_flags = 0, + .it = &ASN1_ENUMERATED_it, + .ext_new = NULL, + .ext_free = NULL, + .d2i = NULL, + .i2d = NULL, + .i2s = (X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE, + .s2i = NULL, + .i2v = NULL, + .v2i = NULL, + .i2r = NULL, + .r2i = NULL, + .usr_data = crl_reasons, +}; + STACK_OF(CONF_VALUE) * i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret) @@ -148,6 +179,7 @@ i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits, return NULL; } +LCRYPTO_ALIAS(i2v_ASN1_BIT_STRING); ASN1_BIT_STRING * v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, 
@@ -185,3 +217,4 @@ v2i_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, } return bs; } +LCRYPTO_ALIAS(v2i_ASN1_BIT_STRING); diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c index 4fd8d78..3ee4fd4 100644 --- a/crypto/x509/x509_cmp.c +++ b/crypto/x509/x509_cmp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_cmp.c,v 1.39 2022/02/24 22:05:06 beck Exp $ */ +/* $OpenBSD: x509_cmp.c,v 1.42 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -68,8 +68,8 @@ #include #include -#include "evp_locl.h" -#include "x509_lcl.h" +#include "evp_local.h" +#include "x509_local.h" int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) @@ -84,6 +84,7 @@ X509_issuer_and_serial_cmp(const X509 *a, const X509 *b) return (i); return (X509_NAME_cmp(ai->issuer, bi->issuer)); } +LCRYPTO_ALIAS(X509_issuer_and_serial_cmp); #ifndef OPENSSL_NO_MD5 unsigned long @@ -119,6 +120,7 @@ err: free(f); return (ret); } +LCRYPTO_ALIAS(X509_issuer_and_serial_hash); #endif int @@ -126,18 +128,21 @@ X509_issuer_name_cmp(const X509 *a, const X509 *b) { return (X509_NAME_cmp(a->cert_info->issuer, b->cert_info->issuer)); } +LCRYPTO_ALIAS(X509_issuer_name_cmp); int X509_subject_name_cmp(const X509 *a, const X509 *b) { return (X509_NAME_cmp(a->cert_info->subject, b->cert_info->subject)); } +LCRYPTO_ALIAS(X509_subject_name_cmp); int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b) { return (X509_NAME_cmp(a->crl->issuer, b->crl->issuer)); } +LCRYPTO_ALIAS(X509_CRL_cmp); #ifndef OPENSSL_NO_SHA int @@ -145,6 +150,7 @@ X509_CRL_match(const X509_CRL *a, const X509_CRL *b) { return memcmp(a->hash, b->hash, X509_CRL_HASH_LEN); } +LCRYPTO_ALIAS(X509_CRL_match); #endif X509_NAME * 
@@ -152,12 +158,14 @@ X509_get_issuer_name(const X509 *a) { return (a->cert_info->issuer); } +LCRYPTO_ALIAS(X509_get_issuer_name); unsigned long X509_issuer_name_hash(X509 *x) { return (X509_NAME_hash(x->cert_info->issuer)); } +LCRYPTO_ALIAS(X509_issuer_name_hash); #ifndef OPENSSL_NO_MD5 unsigned long @@ -165,6 +173,7 @@ X509_issuer_name_hash_old(X509 *x) { return (X509_NAME_hash_old(x->cert_info->issuer)); } +LCRYPTO_ALIAS(X509_issuer_name_hash_old); #endif X509_NAME * @@ -172,24 +181,28 @@ X509_get_subject_name(const X509 *a) { return (a->cert_info->subject); } +LCRYPTO_ALIAS(X509_get_subject_name); ASN1_INTEGER * X509_get_serialNumber(X509 *a) { return (a->cert_info->serialNumber); } +LCRYPTO_ALIAS(X509_get_serialNumber); const ASN1_INTEGER * X509_get0_serialNumber(const X509 *a) { return (a->cert_info->serialNumber); } +LCRYPTO_ALIAS(X509_get0_serialNumber); unsigned long X509_subject_name_hash(X509 *x) { return (X509_NAME_hash(x->cert_info->subject)); } +LCRYPTO_ALIAS(X509_subject_name_hash); #ifndef OPENSSL_NO_MD5 unsigned long @@ -197,6 +210,7 @@ X509_subject_name_hash_old(X509 *x) { return (X509_NAME_hash_old(x->cert_info->subject)); } +LCRYPTO_ALIAS(X509_subject_name_hash_old); #endif #ifndef OPENSSL_NO_SHA @@ -218,6 +232,7 @@ X509_cmp(const X509 *a, const X509 *b) return memcmp(a->hash, b->hash, X509_CERT_HASH_LEN); } +LCRYPTO_ALIAS(X509_cmp); #endif int @@ -241,6 +256,7 @@ X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b) return ret; return memcmp(a->canon_enc, b->canon_enc, a->canon_enclen); } +LCRYPTO_ALIAS(X509_NAME_cmp); unsigned long X509_NAME_hash(X509_NAME *x) @@ -259,6 +275,7 @@ X509_NAME_hash(X509_NAME *x) 0xffffffffL; return (ret); } +LCRYPTO_ALIAS(X509_NAME_hash); #ifndef OPENSSL_NO_MD5 @@ -287,6 +304,7 @@ X509_NAME_hash_old(X509_NAME *x) return (ret); } +LCRYPTO_ALIAS(X509_NAME_hash_old); #endif /* Search a stack of X509 for a match */ 
@@ -312,6 +330,7 @@ X509_find_by_issuer_and_serial(STACK_OF(X509) *sk, X509_NAME *name, } return (NULL); } +LCRYPTO_ALIAS(X509_find_by_issuer_and_serial); X509 * X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name) @@ -326,6 +345,7 @@ X509_find_by_subject(STACK_OF(X509) *sk, X509_NAME *name) } return (NULL); } +LCRYPTO_ALIAS(X509_find_by_subject); EVP_PKEY * X509_get_pubkey(X509 *x) @@ -334,6 +354,7 @@ X509_get_pubkey(X509 *x) return (NULL); return (X509_PUBKEY_get(x->cert_info->key)); } +LCRYPTO_ALIAS(X509_get_pubkey); EVP_PKEY * X509_get0_pubkey(const X509 *x) @@ -342,6 +363,7 @@ X509_get0_pubkey(const X509 *x) return (NULL); return (X509_PUBKEY_get0(x->cert_info->key)); } +LCRYPTO_ALIAS(X509_get0_pubkey); ASN1_BIT_STRING * X509_get0_pubkey_bitstr(const X509 *x) @@ -350,6 +372,7 @@ X509_get0_pubkey_bitstr(const X509 *x) return NULL; return x->cert_info->key->public_key; } +LCRYPTO_ALIAS(X509_get0_pubkey_bitstr); int X509_check_private_key(const X509 *x, const EVP_PKEY *k) @@ -380,6 +403,7 @@ X509_check_private_key(const X509 *x, const EVP_PKEY *k) return 1; return 0; } +LCRYPTO_ALIAS(X509_check_private_key); /* * Not strictly speaking an "up_ref" as a STACK doesn't have a reference @@ -398,3 +422,4 @@ X509_chain_up_ref(STACK_OF(X509) *chain) return ret; } +LCRYPTO_ALIAS(X509_chain_up_ref); diff --git a/crypto/x509/x509_conf.c b/crypto/x509/x509_conf.c index cd703fc..189bf64 100644 --- a/crypto/x509/x509_conf.c +++ b/crypto/x509/x509_conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_conf.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509_conf.c,v 1.5 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -66,7 +66,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" static int v3_check_critical(const char **value); static int v3_check_generic(const char **value); 
@@ -104,6 +104,7 @@ X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name, } return ret; } +LCRYPTO_ALIAS(X509V3_EXT_nconf); /* CONF *conf: Config file */ /* char *value: Value */ @@ -120,6 +121,7 @@ X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, value, crit, ext_type, ctx); return do_ext_nconf(conf, ctx, ext_nid, crit, value); } +LCRYPTO_ALIAS(X509V3_EXT_nconf_nid); /* CONF *conf: Config file */ /* char *value: Value */ @@ -238,6 +240,7 @@ X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc) } return do_ext_i2d(method, ext_nid, crit, ext_struc); } +LCRYPTO_ALIAS(X509V3_EXT_i2d); /* Check the extension string for critical flag */ static int @@ -364,6 +367,7 @@ X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section, } return 1; } +LCRYPTO_ALIAS(X509V3_EXT_add_nconf_sk); /* Convenience functions to add extensions to a certificate, CRL and request */ @@ -377,6 +381,7 @@ X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, sk = &cert->cert_info->extensions; return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk); } +LCRYPTO_ALIAS(X509V3_EXT_add_nconf); /* Same as above but for a CRL */ @@ -390,6 +395,7 @@ X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, sk = &crl->crl->extensions; return X509V3_EXT_add_nconf_sk(conf, ctx, section, sk); } +LCRYPTO_ALIAS(X509V3_EXT_CRL_add_nconf); /* Add extensions to certificate request */ @@ -409,6 +415,7 @@ X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, sk_X509_EXTENSION_pop_free(extlist, X509_EXTENSION_free); return i; } +LCRYPTO_ALIAS(X509V3_EXT_REQ_add_nconf); /* Config database functions */ @@ -421,6 +428,7 @@ X509V3_get_string(X509V3_CTX *ctx, const char *name, const char *section) } return ctx->db_meth->get_string(ctx->db, name, section); } +LCRYPTO_ALIAS(X509V3_get_string); STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, const char *section) 
@@ -431,6 +439,7 @@ X509V3_get_section(X509V3_CTX *ctx, const char *section) } return ctx->db_meth->get_section(ctx->db, section); } +LCRYPTO_ALIAS(X509V3_get_section); void X509V3_string_free(X509V3_CTX *ctx, char *str) @@ -440,6 +449,7 @@ X509V3_string_free(X509V3_CTX *ctx, char *str) if (ctx->db_meth->free_string) ctx->db_meth->free_string(ctx->db, str); } +LCRYPTO_ALIAS(X509V3_string_free); void X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section) @@ -449,6 +459,7 @@ X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section) if (ctx->db_meth->free_section) ctx->db_meth->free_section(ctx->db, section); } +LCRYPTO_ALIAS(X509V3_section_free); static char * nconf_get_string(void *db, const char *section, const char *value) @@ -475,6 +486,7 @@ X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf) ctx->db_meth = &nconf_method; ctx->db = conf; } +LCRYPTO_ALIAS(X509V3_set_nconf); void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req, @@ -486,6 +498,7 @@ X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req, ctx->subject_req = req; ctx->flags = flags; } +LCRYPTO_ALIAS(X509V3_set_ctx); /* Old conf compatibility functions */ @@ -498,6 +511,7 @@ X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, const char *name, CONF_set_nconf(&ctmp, conf); return X509V3_EXT_nconf(&ctmp, ctx, name, value); } +LCRYPTO_ALIAS(X509V3_EXT_conf); /* LHASH *conf: Config file */ /* char *value: Value */ @@ -510,6 +524,7 @@ X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, int ext_nid, CONF_set_nconf(&ctmp, conf); return X509V3_EXT_nconf_nid(&ctmp, ctx, ext_nid, value); } +LCRYPTO_ALIAS(X509V3_EXT_conf_nid); static char * conf_lhash_get_string(void *db, const char *section, const char *value) 
@@ -536,6 +551,7 @@ X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash) ctx->db_meth = &conf_lhash_method; ctx->db = lhash; } +LCRYPTO_ALIAS(X509V3_set_conf_lhash); int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, @@ -546,6 +562,7 @@ X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, CONF_set_nconf(&ctmp, conf); return X509V3_EXT_add_nconf(&ctmp, ctx, section, cert); } +LCRYPTO_ALIAS(X509V3_EXT_add_conf); /* Same as above but for a CRL */ @@ -558,6 +575,7 @@ X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, CONF_set_nconf(&ctmp, conf); return X509V3_EXT_CRL_add_nconf(&ctmp, ctx, section, crl); } +LCRYPTO_ALIAS(X509V3_EXT_CRL_add_conf); /* Add extensions to certificate request */ @@ -570,3 +588,4 @@ X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, CONF_set_nconf(&ctmp, conf); return X509V3_EXT_REQ_add_nconf(&ctmp, ctx, section, req); } +LCRYPTO_ALIAS(X509V3_EXT_REQ_add_conf); diff --git a/crypto/x509/x509_constraints.c b/crypto/x509/x509_constraints.c index 533bbbf..346cab0 100644 --- a/crypto/x509/x509_constraints.c +++ b/crypto/x509/x509_constraints.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_constraints.c,v 1.26 2022/03/26 16:34:21 tb Exp $ */ +/* $OpenBSD: x509_constraints.c,v 1.31 2022/12/26 07:18:53 jmc Exp $ */ /* * Copyright (c) 2020 Bob Beck * 
@@ -29,11 +29,33 @@ #include #include +#include "bytestring.h" #include "x509_internal.h" /* RFC 2821 section 4.5.3.1 */ -#define LOCAL_PART_MAX_LEN 64 -#define DOMAIN_PART_MAX_LEN 255 +#define LOCAL_PART_MAX_LEN (size_t)64 +#define DOMAIN_PART_MAX_LEN (size_t)255 +#define MAX_IP_ADDRESS_LENGTH (size_t)46 + +static int +cbs_is_ip_address(CBS *cbs) +{ + struct sockaddr_in6 sin6; + struct sockaddr_in sin4; + char *name = NULL; + int ret = 0; + + if (CBS_len(cbs) > MAX_IP_ADDRESS_LENGTH) + return 0; + if (!CBS_strdup(cbs, &name)) + return 0; + if (inet_pton(AF_INET, name, &sin4) == 1 || + inet_pton(AF_INET6, name, &sin6) == 1) + ret = 1; + + free(name); + return ret; +} struct x509_constraints_name * x509_constraints_name_new(void) @@ -165,31 +187,34 @@ x509_constraints_names_dup(struct x509_constraints_names *names) return NULL; } - /* * Validate that the name contains only a hostname consisting of RFC * 5890 compliant A-labels (see RFC 6066 section 3). This is more * permissive to allow for a leading '.' for a subdomain based * constraint, as well as allowing for '_' which is commonly accepted - * by nonconformant DNS implementaitons. + * by nonconformant DNS implementations. * * if "wildcards" is set it allows '*' to occur in the string at the end of a * component. */ static int -x509_constraints_valid_domain_internal(uint8_t *name, size_t len, int wildcards) +x509_constraints_valid_domain_internal(CBS *cbs, int wildcards) { + int first, component = 0; uint8_t prev, c = 0; - int component = 0; - int first; - size_t i; + size_t i, len; + CBS copy; + + CBS_dup(cbs, ©); + + len = CBS_len(cbs); if (len > DOMAIN_PART_MAX_LEN) return 0; - for (i = 0; i < len; i++) { prev = c; - c = name[i]; + if (!CBS_get_u8(©, &c)) + return 0; first = (i == 0); 
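Review bot: In cbs_is_ip_address an allocation failure inside CBS_strdup is reported as "not an IP address", so x509_constraints_valid_host then falls through to the domain check with an address literal; if x509_constraints_valid_domain_internal (whose body ends outside this hunk) accepts all-numeric labels, a dotted-quad would be admitted as a host name on OOM. The input length is already bounded by MAX_IP_ADDRESS_LENGTH, so the heap copy can be a stack buffer, which removes that failure path altogether. The inet_pton destinations should also be `struct in_addr`/`struct in6_addr` rather than sockaddr structs; the larger structs happen to work but state the wrong intent (inherited from the code removed in the next hunk).
```c
static int
cbs_is_ip_address(CBS *cbs)
{
	struct in6_addr in6;
	struct in_addr in4;
	char name[MAX_IP_ADDRESS_LENGTH + 1];
	size_t len;

	/* Length is bounded, so a stack copy suffices and there is no OOM path. */
	len = CBS_len(cbs);
	if (len == 0 || len > MAX_IP_ADDRESS_LENGTH)
		return 0;
	memcpy(name, CBS_data(cbs), len);
	name[len] = '\0';

	return inet_pton(AF_INET, name, &in4) == 1 ||
	    inet_pton(AF_INET6, name, &in6) == 1;
}
```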
@@ -234,61 +259,42 @@ x509_constraints_valid_domain_internal(uint8_t *name, size_t len, int wildcards) if (++component > 63) return 0; } + return 1; } int -x509_constraints_valid_domain(uint8_t *name, size_t len) +x509_constraints_valid_host(CBS *cbs) { - if (len == 0) + uint8_t first; + + if (!CBS_peek_u8(cbs, &first)) return 0; - /* - * A domain may not be less than two characters, so you can't - * have a require subdomain name with less than that. - */ - if (len < 3 && name[0] == '.') + if (first == '.') + return 0; /* leading . not allowed in a host name */ + if (cbs_is_ip_address(cbs)) return 0; - return x509_constraints_valid_domain_internal(name, len, 0); + + return x509_constraints_valid_domain_internal(cbs, 0); } int -x509_constraints_valid_host(uint8_t *name, size_t len) +x509_constraints_valid_sandns(CBS *cbs) { - struct sockaddr_in sin4; - struct sockaddr_in6 sin6; + uint8_t first; - if (len == 0) - return 0; - if (name[0] == '.') /* leading . not allowed in a host name*/ - return 0; - if (inet_pton(AF_INET, name, &sin4) == 1) - return 0; - if (inet_pton(AF_INET6, name, &sin6) == 1) - return 0; - return x509_constraints_valid_domain_internal(name, len, 0); -} - -int -x509_constraints_valid_sandns(uint8_t *name, size_t len) -{ - if (len == 0) - return 0; - - if (name[0] == '.') /* leading . not allowed in a SAN DNS name */ + if (!CBS_peek_u8(cbs, &first)) return 0; + if (first == '.') + return 0; /* leading . not allowed in a SAN DNS name */ /* * A domain may not be less than two characters, so you * can't wildcard a single domain of less than that */ - if (len < 4 && name[0] == '*') - return 0; - /* - * A wildcard may only be followed by a '.' - */ - if (len >= 4 && name[0] == '*' && name[1] != '.') + if (CBS_len(cbs) < 4 && first == '*') return 0; - return x509_constraints_valid_domain_internal(name, len, 1); + return x509_constraints_valid_domain_internal(cbs, 1); } static inline int 
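Review bot: x509_constraints_valid_sandns drops the removed `if (len >= 4 && name[0] == '*' && name[1] != '.') return 0;` check without a replacement, so a leading wildcard not immediately followed by '.' is now left entirely to x509_constraints_valid_domain_internal, whose body lies outside this hunk. That function's header comment only promises that '*' may occur "at the end of a component", which would still reject such a label, but that is an inference from the comment, not from visible code. If the rule is meant to live there, say so at the call site, `/* '*' placement is enforced by x509_constraints_valid_domain_internal */`; otherwise keep the explicit check using `CBS_peek_u8` on a copy advanced by one byte. The surviving `CBS_len(cbs) < 4 && first == '*'` guard covers only the length half of the old pair.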
@@ -297,7 +303,7 @@ local_part_ok(char c) return (('0' <= c && c <= '9') || ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') || c == '!' || c == '#' || c == '$' || c == '%' || c == '&' || c == '\'' || c == '*' || c == '+' || - c == '-' || c == '/' || c == '=' || c == '?' || c == '^' || + c == '-' || c == '/' || c == '=' || c == '?' || c == '^' || c == '_' || c == '`' || c == '{' || c == '|' || c == '}' || c == '~' || c == '.'); } @@ -309,25 +315,35 @@ local_part_ok(char c) * local and domain parts of the mailbox to "name->local" and name->name" */ int -x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, +x509_constraints_parse_mailbox(CBS *candidate, struct x509_constraints_name *name) { char working[DOMAIN_PART_MAX_LEN + 1] = { 0 }; char *candidate_local = NULL; char *candidate_domain = NULL; - size_t i, wi = 0; + CBS domain_cbs; + size_t i, len, wi = 0; int accept = 0; int quoted = 0; + CBS copy; + /* XXX This should not be necessary - revisit and remove */ if (candidate == NULL) return 0; + CBS_dup(candidate, ©); + + if ((len = CBS_len(©)) == 0) + return 0; + /* It can't be bigger than the local part, domain part and the '@' */ if (len > LOCAL_PART_MAX_LEN + DOMAIN_PART_MAX_LEN + 1) return 0; for (i = 0; i < len; i++) { - char c = candidate[i]; + char c; + if (!CBS_get_u8(©, &c)) + goto bad; /* non ascii, cr, lf, or nul is never allowed */ if (!isascii(c) || c == '\r' || c == '\n' || c == '\0') goto bad; @@ -372,8 +388,11 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, continue; } if (c == '"' && i != 0) { + uint8_t next; /* end the quoted part. @ must be next */ - if (i + 1 == len || candidate[i + 1] != '@') + if (!CBS_peek_u8(©, &next)) + goto bad; + if (next != '@') goto bad; quoted = 0; } 
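Review bot: In x509_constraints_parse_mailbox the loop variable is declared `char c;` but passed to `CBS_get_u8(&copy, &c)`, whose out-parameter is `uint8_t *`; where `char` is signed this is a pointer-signedness mismatch, and the same hunk already declares `uint8_t next;` for the later peek. Declare it `uint8_t c;` and keep the existing `isascii(c)` and character comparisons, which are unaffected. The enclosing function continues past the end of this hunk.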
@@ -401,14 +420,15 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, continue; } if (c == '\\') { + uint8_t next; /* - * RFC 3936 hints these can happen outside of - * quotend string. don't include the \ but + * RFC 2821 hints these can happen outside of + * quoted string. Don't include the \ but * next character must be ok. */ - if (i + 1 == len) + if (!CBS_peek_u8(©, &next)) goto bad; - if (!local_part_ok(candidate[i + 1])) + if (!local_part_ok(next)) goto bad; accept = 1; } @@ -420,8 +440,8 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, } if (candidate_local == NULL || candidate_domain == NULL) goto bad; - if (!x509_constraints_valid_host(candidate_domain, - strlen(candidate_domain))) + CBS_init(&domain_cbs, candidate_domain, strlen(candidate_domain)); + if (!x509_constraints_valid_host(&domain_cbs)) goto bad; if (name != NULL) { 
@@ -440,24 +460,36 @@ x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, } int -x509_constraints_valid_domain_constraint(uint8_t *constraint, size_t len) +x509_constraints_valid_domain_constraint(CBS *cbs) { - if (len == 0) + uint8_t first; + + if (CBS_len(cbs) == 0) return 1; /* empty constraints match */ /* * A domain may not be less than two characters, so you * can't match a single domain of less than that */ - if (len < 3 && constraint[0] == '.') - return 0; - return x509_constraints_valid_domain_internal(constraint, len, 0); + if (CBS_len(cbs) < 3) { + if (!CBS_peek_u8(cbs, &first)) + return 0; + if (first == '.') + return 0; + } + return x509_constraints_valid_domain_internal(cbs, 0); } /* - * Extract the host part of a URI, returns the host part as a c string - * the caller must free, or or NULL if it could not be found or is - * invalid. + * Extract the host part of a URI. On failure to parse a valid host part of the + * URI, 0 is returned indicating an invalid URI. If the host part parses as + * valid, or is not present, 1 is returned indicating a possibly valid URI. + * + * In the case of a valid URI, *hostpart will be set to a copy of the host part + * of the URI, or the empty string if no URI is present. If memory allocation + * fails *hostpart will be set to NULL, even though we returned 1. It is the + * caller's responsibility to indicate an error for memory allocation failure, + * and the callers responsibility to free *hostpart. * * RFC 3986: * the authority part of a uri starts with // and is terminated with @@ -474,6 +506,7 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart) size_t i, hostlen = 0; uint8_t *authority = NULL; char *host = NULL; + CBS host_cbs; /* * Find first '//'. there must be at least a '//' and 
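Review bot: The new header comment on x509_constraints_uri_host states that when copying the host fails `*hostpart` is NULL "even though we returned 1", but the rewritten code in the `@@ -514,10 +557,11 @@` hunk on the next line does `if (hostpart != NULL && !CBS_strdup(&host_cbs, hostpart)) return 0;`, so that path returns 0 and the callers in x509_constraints_uri and x509_constraints_extract_names map it to X509_V_ERR_UNSUPPORTED_NAME_SYNTAX rather than the X509_V_ERR_OUT_OF_MEM they apparently reserve for a NULL hostpart. Only the `authority == NULL` branch (`*hostpart = strdup("")`) follows the documented contract. Either make the code match, e.g. `if (hostpart != NULL) (void)CBS_strdup(&host_cbs, hostpart); return 1;` (assuming CBS_strdup leaves `*hostpart` NULL on failure, as strndup would), or change the comment to say that allocation failure returns 0. The comment's "the empty string if no URI is present" should read "if no host part is present".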
@@ -489,8 +522,18 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart) break; } } - if (authority == NULL) - return 0; + if (authority == NULL) { + /* + * There is no authority, so no host part in this + * URI. This might be ok or might not, but it must + * fail if we run into a name constraint later, so + * we indicate that we have a URI with an empty + * host part, and succeed. + */ + if (hostpart != NULL) + *hostpart = strdup(""); + return 1; + } for (i = authority - uri; i < len; i++) { if (!isascii(uri[i])) return 0; @@ -514,10 +557,11 @@ x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart) return 0; if (host == NULL) host = authority; - if (!x509_constraints_valid_host(host, hostlen)) + CBS_init(&host_cbs, host, hostlen); + if (!x509_constraints_valid_host(&host_cbs)) + return 0; + if (hostpart != NULL && !CBS_strdup(&host_cbs, hostpart)) return 0; - if (hostpart != NULL) - *hostpart = strndup(host, hostlen); return 1; } @@ -543,7 +587,7 @@ x509_constraints_sandns(char *sandns, size_t dlen, char *constraint, size_t len) * returns 1 if the domain and constraint match. * returns 0 otherwise. * - * an empty constraint matches everyting. + * an empty constraint matches everything. * constraint will be matched against the domain as a suffix if it * starts with a '.'. * domain will be matched against the constraint as a suffix if it @@ -578,12 +622,15 @@ x509_constraints_domain(char *domain, size_t dlen, char *constraint, size_t len) } int -x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, size_t len, +x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, + size_t len, int *error) { int ret = 0; char *hostpart = NULL; + CBS cbs; + CBS_init(&cbs, constraint, len); if (!x509_constraints_uri_host(uri, ulen, &hostpart)) { *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; goto err; 
@@ -592,7 +639,7 @@ x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, size_t len, *error = X509_V_ERR_OUT_OF_MEM; goto err; } - if (!x509_constraints_valid_domain_constraint(constraint, len)) { + if (!x509_constraints_valid_domain_constraint(&cbs)) { *error = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX; goto err; } @@ -604,10 +651,10 @@ x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, size_t len, } /* - * Verify a validated address of size alen with a validated contraint + * Verify a validated address of size alen with a validated constraint * of size constraint_len. returns 1 if matching, 0 if not. * Addresses are assumed to be pre-validated for a length of 4 and 8 - * respectively for ipv4 addreses and constraints, and a length of + * respectively for ipv4 addresses and constraints, and a length of * 16 and 32 respectively for ipv6 address constraints by the caller. */ int @@ -699,7 +746,6 @@ x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes, return 0; } - /* * Extract the relevant names for constraint checking from "cert", * validate them, and add them to the list of cert names for "chain". @@ -719,6 +765,7 @@ x509_constraints_extract_names(struct x509_constraints_names *names, while ((name = sk_GENERAL_NAME_value(cert->altname, i++)) != NULL) { uint8_t *bytes = NULL; size_t len = 0; + CBS cbs; if ((vname = x509_constraints_name_new()) == NULL) { *error = X509_V_ERR_OUT_OF_MEM; 
@@ -727,30 +774,31 @@ x509_constraints_extract_names(struct x509_constraints_names *names, name_type = x509_constraints_general_to_bytes(name, &bytes, &len); - switch(name_type) { + CBS_init(&cbs, bytes, len); + switch (name_type) { case GEN_DNS: - if (!x509_constraints_valid_sandns(bytes, len)) { + if (!x509_constraints_valid_sandns(&cbs)) { *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; goto err; } - if ((vname->name = strndup(bytes, len)) == NULL) { + if (!CBS_strdup(&cbs, &vname->name)) { *error = X509_V_ERR_OUT_OF_MEM; goto err; } vname->type = GEN_DNS; - include_cn = 0; /* don't use cn from subject */ + include_cn = 0; /* Don't use cn from subject */ break; case GEN_EMAIL: - if (!x509_constraints_parse_mailbox(bytes, len, - vname)) { + if (!x509_constraints_parse_mailbox(&cbs, vname)) { *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; goto err; } vname->type = GEN_EMAIL; - include_email = 0; /* don't use email from subject */ + include_email = 0; /* Don't use email from subject */ break; case GEN_URI: - if (!x509_constraints_uri_host(bytes, len, &vname->name)) { + if (!x509_constraints_uri_host(bytes, len, + &vname->name)) { *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; goto err; } 
@@ -835,19 +883,21 @@ x509_constraints_extract_names(struct x509_constraints_names *names, */ while (include_email && (i = X509_NAME_get_index_by_NID(subject_name, - NID_pkcs9_emailAddress, i)) >= 0) { + NID_pkcs9_emailAddress, i)) >= 0) { ASN1_STRING *aname; - if ((email = X509_NAME_get_entry(subject_name, i)) == NULL || + CBS cbs; + if ((email = X509_NAME_get_entry(subject_name, i)) == + NULL || (aname = X509_NAME_ENTRY_get_data(email)) == NULL) { *error = X509_V_ERR_OUT_OF_MEM; goto err; } + CBS_init(&cbs, aname->data, aname->length); if ((vname = x509_constraints_name_new()) == NULL) { *error = X509_V_ERR_OUT_OF_MEM; goto err; } - if (!x509_constraints_parse_mailbox(aname->data, - aname->length, vname)) { + if (!x509_constraints_parse_mailbox(&cbs, vname)) { *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; goto err; } @@ -859,27 +909,28 @@ x509_constraints_extract_names(struct x509_constraints_names *names, vname = NULL; } /* - * Include the CN as a hostname to be checked againt + * Include the CN as a hostname to be checked against * name constraints if it looks like a hostname. */ while (include_cn && (i = X509_NAME_get_index_by_NID(subject_name, - NID_commonName, i)) >= 0) { + NID_commonName, i)) >= 0) { + CBS cbs; ASN1_STRING *aname; - if ((cn = X509_NAME_get_entry(subject_name, i)) == NULL || + if ((cn = X509_NAME_get_entry(subject_name, i)) == + NULL || (aname = X509_NAME_ENTRY_get_data(cn)) == NULL) { *error = X509_V_ERR_OUT_OF_MEM; goto err; } - if (!x509_constraints_valid_host(aname->data, - aname->length)) + CBS_init(&cbs, aname->data, aname->length); + if (!x509_constraints_valid_host(&cbs)) continue; /* ignore it if not a hostname */ if ((vname = x509_constraints_name_new()) == NULL) { *error = X509_V_ERR_OUT_OF_MEM; goto err; } - if ((vname->name = strndup(aname->data, - aname->length)) == NULL) { + if (!CBS_strdup(&cbs, &vname->name)) { *error = X509_V_ERR_OUT_OF_MEM; goto err; } 
@@ -908,11 +959,12 @@ int x509_constraints_validate(GENERAL_NAME *constraint, struct x509_constraints_name **out_name, int *out_error) { - uint8_t *bytes = NULL; + uint8_t next, *bytes = NULL; size_t len = 0; struct x509_constraints_name *name; int error = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX; int name_type; + CBS cbs; if (out_name == NULL || *out_name != NULL) return 0; @@ -926,6 +978,7 @@ x509_constraints_validate(GENERAL_NAME *constraint, } name_type = x509_constraints_general_to_bytes(constraint, &bytes, &len); + CBS_init(&cbs, bytes, len); switch (name_type) { case GEN_DIRNAME: if (len == 0) @@ -939,7 +992,7 @@ x509_constraints_validate(GENERAL_NAME *constraint, name->type = GEN_DIRNAME; break; case GEN_DNS: - if (!x509_constraints_valid_domain_constraint(bytes, len)) + if (!x509_constraints_valid_domain_constraint(&cbs)) goto err; if ((name->name = strndup(bytes, len)) == NULL) { error = X509_V_ERR_OUT_OF_MEM; @@ -949,7 +1002,7 @@ x509_constraints_validate(GENERAL_NAME *constraint, break; case GEN_EMAIL: if (len > 0 && memchr(bytes + 1, '@', len - 1) != NULL) { - if (!x509_constraints_parse_mailbox(bytes, len, name)) + if (!x509_constraints_parse_mailbox(&cbs, name)) goto err; break; } @@ -957,13 +1010,17 @@ x509_constraints_validate(GENERAL_NAME *constraint, * Mail constraints of the form @domain.com are accepted by * OpenSSL and Microsoft. */ - if (len > 0 && bytes[0] == '@') { - bytes++; - len--; + if (CBS_len(&cbs) > 0) { + if (!CBS_peek_u8(&cbs, &next)) + goto err; + if (next == '@') { + if (!CBS_skip(&cbs, 1)) + goto err; + } } - if (!x509_constraints_valid_domain_constraint(bytes, len)) + if (!x509_constraints_valid_domain_constraint(&cbs)) goto err; - if ((name->name = strndup(bytes, len)) == NULL) { + if (!CBS_strdup(&cbs, &name->name)) { error = X509_V_ERR_OUT_OF_MEM; goto err; } 
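Review bot: The GEN_DNS case (and GEN_URI in the `@@ -981,7 +1038,7 @@` hunk on the next line) still copies the name with `if ((name->name = strndup(bytes, len)) == NULL)` while GEN_EMAIL in the same function now uses `if (!CBS_strdup(&cbs, &name->name))`, even though `cbs` is initialised from the same bytes/len before the switch. Using CBS_strdup in all three cases keeps one idiom per function and makes it explicit that the validated CBS is what gets stored. Point of style only; behaviour is the same.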
@@ -981,7 +1038,7 @@ x509_constraints_validate(GENERAL_NAME *constraint, name->type = GEN_IPADD; break; case GEN_URI: - if (!x509_constraints_valid_domain_constraint(bytes, len)) + if (!x509_constraints_valid_domain_constraint(&cbs)) goto err; if ((name->name = strndup(bytes, len)) == NULL) { error = X509_V_ERR_OUT_OF_MEM; @@ -1020,7 +1077,6 @@ x509_constraints_extract_constraints(X509 *cert, return 1; for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) { - subtree = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i); if (subtree->minimum || subtree->maximum) { *error = X509_V_ERR_SUBTREE_MINMAX; @@ -1154,7 +1210,7 @@ x509_constraints_check(struct x509_constraints_names *names, /* * Walk a validated chain of X509 certs, starting at the leaf, and * validate the name constraints in the chain. Intended for use with - * the legacy X509 validtion code in x509_vfy.c + * the legacy X509 validation code in x509_vfy.c * * returns 1 if the constraints are ok, 0 otherwise, setting error and * depth diff --git a/crypto/x509/x509_cpols.c b/crypto/x509/x509_cpols.c index 93527a4..bab2e99 100644 --- a/crypto/x509/x509_cpols.c +++ b/crypto/x509/x509_cpols.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_cpols.c,v 1.4 2022/01/14 08:16:13 tb Exp $ */ +/* $OpenBSD: x509_cpols.c,v 1.11 2023/04/26 20:54:21 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -65,8 +65,7 @@ #include #include -#include "pcy_int.h" -#include "x509_lcl.h" +#include "x509_local.h" /* Certificate policies extension support: this one is a bit complex... */ 
@@ -125,24 +124,28 @@ d2i_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES **a, const unsigned char **in, long return (CERTIFICATEPOLICIES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &CERTIFICATEPOLICIES_it); } +LCRYPTO_ALIAS(d2i_CERTIFICATEPOLICIES); int i2d_CERTIFICATEPOLICIES(CERTIFICATEPOLICIES *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &CERTIFICATEPOLICIES_it); } +LCRYPTO_ALIAS(i2d_CERTIFICATEPOLICIES); CERTIFICATEPOLICIES * CERTIFICATEPOLICIES_new(void) { return (CERTIFICATEPOLICIES *)ASN1_item_new(&CERTIFICATEPOLICIES_it); } +LCRYPTO_ALIAS(CERTIFICATEPOLICIES_new); void CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *a) { ASN1_item_free((ASN1_VALUE *)a, &CERTIFICATEPOLICIES_it); } +LCRYPTO_ALIAS(CERTIFICATEPOLICIES_free); static const ASN1_TEMPLATE POLICYINFO_seq_tt[] = { { @@ -178,24 +181,28 @@ d2i_POLICYINFO(POLICYINFO **a, const unsigned char **in, long len) return (POLICYINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &POLICYINFO_it); } +LCRYPTO_ALIAS(d2i_POLICYINFO); int i2d_POLICYINFO(POLICYINFO *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &POLICYINFO_it); } +LCRYPTO_ALIAS(i2d_POLICYINFO); POLICYINFO * POLICYINFO_new(void) { return (POLICYINFO *)ASN1_item_new(&POLICYINFO_it); } +LCRYPTO_ALIAS(POLICYINFO_new); void POLICYINFO_free(POLICYINFO *a) { ASN1_item_free((ASN1_VALUE *)a, &POLICYINFO_it); } +LCRYPTO_ALIAS(POLICYINFO_free); static const ASN1_TEMPLATE policydefault_tt = { .flags = 0, @@ -215,7 +222,6 @@ static const ASN1_ADB_TABLE POLICYQUALINFO_adbtbl[] = { .field_name = "d.cpsuri", .item = &ASN1_IA5STRING_it, }, - }, { .value = NID_id_qt_unotice, @@ -226,7 +232,6 @@ static const ASN1_ADB_TABLE POLICYQUALINFO_adbtbl[] = { .field_name = "d.usernotice", .item = &USERNOTICE_it, }, - }, }; 
@@ -273,24 +278,28 @@ d2i_POLICYQUALINFO(POLICYQUALINFO **a, const unsigned char **in, long len) return (POLICYQUALINFO *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &POLICYQUALINFO_it); } +LCRYPTO_ALIAS(d2i_POLICYQUALINFO); int i2d_POLICYQUALINFO(POLICYQUALINFO *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &POLICYQUALINFO_it); } +LCRYPTO_ALIAS(i2d_POLICYQUALINFO); POLICYQUALINFO * POLICYQUALINFO_new(void) { return (POLICYQUALINFO *)ASN1_item_new(&POLICYQUALINFO_it); } +LCRYPTO_ALIAS(POLICYQUALINFO_new); void POLICYQUALINFO_free(POLICYQUALINFO *a) { ASN1_item_free((ASN1_VALUE *)a, &POLICYQUALINFO_it); } +LCRYPTO_ALIAS(POLICYQUALINFO_free); static const ASN1_TEMPLATE USERNOTICE_seq_tt[] = { { @@ -326,24 +335,28 @@ d2i_USERNOTICE(USERNOTICE **a, const unsigned char **in, long len) return (USERNOTICE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &USERNOTICE_it); } +LCRYPTO_ALIAS(d2i_USERNOTICE); int i2d_USERNOTICE(USERNOTICE *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &USERNOTICE_it); } +LCRYPTO_ALIAS(i2d_USERNOTICE); USERNOTICE * USERNOTICE_new(void) { return (USERNOTICE *)ASN1_item_new(&USERNOTICE_it); } +LCRYPTO_ALIAS(USERNOTICE_new); void USERNOTICE_free(USERNOTICE *a) { ASN1_item_free((ASN1_VALUE *)a, &USERNOTICE_it); } +LCRYPTO_ALIAS(USERNOTICE_free); static const ASN1_TEMPLATE NOTICEREF_seq_tt[] = { { 
@@ -379,24 +392,28 @@ d2i_NOTICEREF(NOTICEREF **a, const unsigned char **in, long len) return (NOTICEREF *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &NOTICEREF_it); } +LCRYPTO_ALIAS(d2i_NOTICEREF); int i2d_NOTICEREF(NOTICEREF *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &NOTICEREF_it); } +LCRYPTO_ALIAS(i2d_NOTICEREF); NOTICEREF * NOTICEREF_new(void) { return (NOTICEREF *)ASN1_item_new(&NOTICEREF_it); } +LCRYPTO_ALIAS(NOTICEREF_new); void NOTICEREF_free(NOTICEREF *a) { ASN1_item_free((ASN1_VALUE *)a, &NOTICEREF_it); } +LCRYPTO_ALIAS(NOTICEREF_free); static STACK_OF(POLICYINFO) * r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value) @@ -574,7 +591,7 @@ notice_section(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *unot, int ia5org) cnf = sk_CONF_VALUE_value(unot, i); if (!strcmp(cnf->name, "explicitText")) { if (not->exptext == NULL) { - not->exptext = ASN1_VISIBLESTRING_new(); + not->exptext = ASN1_UTF8STRING_new(); if (not->exptext == NULL) goto merr; } @@ -745,20 +762,3 @@ print_notice(BIO *out, USERNOTICE *notice, int indent) BIO_printf(out, "%*sExplicit Text: %.*s\n", indent, "", notice->exptext->length, notice->exptext->data); } - -void -X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent) -{ - const X509_POLICY_DATA *dat = node->data; - - BIO_printf(out, "%*sPolicy: ", indent, ""); - - i2a_ASN1_OBJECT(out, dat->valid_policy); - BIO_puts(out, "\n"); - BIO_printf(out, "%*s%s\n", indent + 2, "", - node_data_critical(dat) ? "Critical" : "Non Critical"); - if (dat->qualifier_set) - print_qualifiers(out, dat->qualifier_set, indent + 2); - else - BIO_printf(out, "%*sNo Qualifiers\n", indent + 2, ""); -} diff --git a/crypto/x509/x509_crld.c b/crypto/x509/x509_crld.c index 6b6f795..7887ccd 100644 --- a/crypto/x509/x509_crld.c +++ b/crypto/x509/x509_crld.c 
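Review bot: The change of `not->exptext` from ASN1_VISIBLESTRING_new() to ASN1_UTF8STRING_new() in notice_section is unexplained in the code; since it alters the DER string type emitted for explicitText in certificates produced from config, a short comment would spare the next reader a history lookup, e.g. `/* RFC 5280 4.2.1.4: explicitText SHOULD be UTF8String. */`. Whether anything in this tree still expects VisibleString on the parsing side is outside this hunk.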
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509_crld.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509_crld.c,v 1.5 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -65,7 +65,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" static void *v2i_crld(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); @@ -426,24 +426,28 @@ d2i_DIST_POINT_NAME(DIST_POINT_NAME **a, const unsigned char **in, long len) return (DIST_POINT_NAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &DIST_POINT_NAME_it); } +LCRYPTO_ALIAS(d2i_DIST_POINT_NAME); int i2d_DIST_POINT_NAME(DIST_POINT_NAME *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &DIST_POINT_NAME_it); } +LCRYPTO_ALIAS(i2d_DIST_POINT_NAME); DIST_POINT_NAME * DIST_POINT_NAME_new(void) { return (DIST_POINT_NAME *)ASN1_item_new(&DIST_POINT_NAME_it); } +LCRYPTO_ALIAS(DIST_POINT_NAME_new); void DIST_POINT_NAME_free(DIST_POINT_NAME *a) { ASN1_item_free((ASN1_VALUE *)a, &DIST_POINT_NAME_it); } +LCRYPTO_ALIAS(DIST_POINT_NAME_free); static const ASN1_TEMPLATE DIST_POINT_seq_tt[] = { { @@ -486,24 +490,28 @@ d2i_DIST_POINT(DIST_POINT **a, const unsigned char **in, long len) return (DIST_POINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &DIST_POINT_it); } +LCRYPTO_ALIAS(d2i_DIST_POINT); int i2d_DIST_POINT(DIST_POINT *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &DIST_POINT_it); } +LCRYPTO_ALIAS(i2d_DIST_POINT); DIST_POINT * DIST_POINT_new(void) { return (DIST_POINT *)ASN1_item_new(&DIST_POINT_it); } +LCRYPTO_ALIAS(DIST_POINT_new); void DIST_POINT_free(DIST_POINT *a) { ASN1_item_free((ASN1_VALUE *)a, &DIST_POINT_it); } +LCRYPTO_ALIAS(DIST_POINT_free); static const ASN1_TEMPLATE CRL_DIST_POINTS_item_tt = { .flags = ASN1_TFLG_SEQUENCE_OF, 
@@ -530,24 +538,28 @@ d2i_CRL_DIST_POINTS(CRL_DIST_POINTS **a, const unsigned char **in, long len) return (CRL_DIST_POINTS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &CRL_DIST_POINTS_it); } +LCRYPTO_ALIAS(d2i_CRL_DIST_POINTS); int i2d_CRL_DIST_POINTS(CRL_DIST_POINTS *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &CRL_DIST_POINTS_it); } +LCRYPTO_ALIAS(i2d_CRL_DIST_POINTS); CRL_DIST_POINTS * CRL_DIST_POINTS_new(void) { return (CRL_DIST_POINTS *)ASN1_item_new(&CRL_DIST_POINTS_it); } +LCRYPTO_ALIAS(CRL_DIST_POINTS_new); void CRL_DIST_POINTS_free(CRL_DIST_POINTS *a) { ASN1_item_free((ASN1_VALUE *)a, &CRL_DIST_POINTS_it); } +LCRYPTO_ALIAS(CRL_DIST_POINTS_free); static const ASN1_TEMPLATE ISSUING_DIST_POINT_seq_tt[] = { { @@ -611,24 +623,28 @@ d2i_ISSUING_DIST_POINT(ISSUING_DIST_POINT **a, const unsigned char **in, long le return (ISSUING_DIST_POINT *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &ISSUING_DIST_POINT_it); } +LCRYPTO_ALIAS(d2i_ISSUING_DIST_POINT); int i2d_ISSUING_DIST_POINT(ISSUING_DIST_POINT *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &ISSUING_DIST_POINT_it); } +LCRYPTO_ALIAS(i2d_ISSUING_DIST_POINT); ISSUING_DIST_POINT * ISSUING_DIST_POINT_new(void) { return (ISSUING_DIST_POINT *)ASN1_item_new(&ISSUING_DIST_POINT_it); } +LCRYPTO_ALIAS(ISSUING_DIST_POINT_new); void ISSUING_DIST_POINT_free(ISSUING_DIST_POINT *a) { ASN1_item_free((ASN1_VALUE *)a, &ISSUING_DIST_POINT_it); } +LCRYPTO_ALIAS(ISSUING_DIST_POINT_free); static int i2r_idp(const X509V3_EXT_METHOD *method, void *pidp, BIO *out, int indent); @@ -809,3 +825,4 @@ DIST_POINT_set_dpname(DIST_POINT_NAME *dpn, X509_NAME *iname) } return 1; } +LCRYPTO_ALIAS(DIST_POINT_set_dpname); diff --git a/crypto/x509/x509_d2.c b/crypto/x509/x509_d2.c index 5b0f80a..bf358ec 100644 --- a/crypto/x509/x509_d2.c +++ b/crypto/x509/x509_d2.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509_d2.c,v 1.10 2015/01/22 09:06:39 reyk Exp $ */ +/* $OpenBSD: x509_d2.c,v 1.12 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -83,6 +83,7 @@ X509_STORE_set_default_paths(X509_STORE *ctx) return (1); } +LCRYPTO_ALIAS(X509_STORE_set_default_paths); int X509_STORE_load_locations(X509_STORE *ctx, const char *file, const char *path) @@ -107,6 +108,7 @@ X509_STORE_load_locations(X509_STORE *ctx, const char *file, const char *path) return (0); return (1); } +LCRYPTO_ALIAS(X509_STORE_load_locations); int X509_STORE_load_mem(X509_STORE *ctx, void *buf, int len) @@ -126,3 +128,4 @@ X509_STORE_load_mem(X509_STORE *ctx, void *buf, int len) return (1); } +LCRYPTO_ALIAS(X509_STORE_load_mem); diff --git a/crypto/x509/x509_def.c b/crypto/x509/x509_def.c index 5e570eb..f85781a 100644 --- a/crypto/x509/x509_def.c +++ b/crypto/x509/x509_def.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_def.c,v 1.5 2014/06/12 15:49:31 deraadt Exp $ */ +/* $OpenBSD: x509_def.c,v 1.7 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,33 +66,39 @@ X509_get_default_private_dir(void) { return (X509_PRIVATE_DIR); } +LCRYPTO_ALIAS(X509_get_default_private_dir); const char * X509_get_default_cert_area(void) { return (X509_CERT_AREA); } +LCRYPTO_ALIAS(X509_get_default_cert_area); const char * X509_get_default_cert_dir(void) { return (X509_CERT_DIR); } +LCRYPTO_ALIAS(X509_get_default_cert_dir); const char * X509_get_default_cert_file(void) { return (X509_CERT_FILE); } +LCRYPTO_ALIAS(X509_get_default_cert_file); const char * X509_get_default_cert_dir_env(void) { return (X509_CERT_DIR_EVP); } +LCRYPTO_ALIAS(X509_get_default_cert_dir_env); const char * X509_get_default_cert_file_env(void) { return (X509_CERT_FILE_EVP); } +LCRYPTO_ALIAS(X509_get_default_cert_file_env); 
diff --git a/crypto/x509/x509_enum.c b/crypto/x509/x509_enum.c deleted file mode 100644 index f18eea5..0000000 --- a/crypto/x509/x509_enum.c +++ /dev/null 
@@ -1,107 +0,0 @@ -/* $OpenBSD: x509_enum.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include -#include - -static ENUMERATED_NAMES crl_reasons[] = { - {CRL_REASON_UNSPECIFIED, "Unspecified", "unspecified"}, - {CRL_REASON_KEY_COMPROMISE, "Key Compromise", "keyCompromise"}, - {CRL_REASON_CA_COMPROMISE, "CA Compromise", "CACompromise"}, - {CRL_REASON_AFFILIATION_CHANGED, "Affiliation Changed", "affiliationChanged"}, - {CRL_REASON_SUPERSEDED, "Superseded", "superseded"}, - {CRL_REASON_CESSATION_OF_OPERATION, - "Cessation Of Operation", "cessationOfOperation"}, - {CRL_REASON_CERTIFICATE_HOLD, "Certificate Hold", "certificateHold"}, - {CRL_REASON_REMOVE_FROM_CRL, "Remove From CRL", "removeFromCRL"}, - {CRL_REASON_PRIVILEGE_WITHDRAWN, "Privilege Withdrawn", "privilegeWithdrawn"}, - {CRL_REASON_AA_COMPROMISE, "AA Compromise", "AACompromise"}, - {-1, NULL, NULL} -}; - -const X509V3_EXT_METHOD v3_crl_reason = { - .ext_nid = NID_crl_reason, - .ext_flags = 0, - .it = &ASN1_ENUMERATED_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = (X509V3_EXT_I2S)i2s_ASN1_ENUMERATED_TABLE, - .s2i = NULL, - .i2v = NULL, - .v2i = NULL, - .i2r = NULL, - .r2i = NULL, - .usr_data = crl_reasons, -}; - -char * 
-i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *e) -{ - ENUMERATED_NAMES *enam; - long strval; - - strval = ASN1_ENUMERATED_get(e); - for (enam = method->usr_data; enam->lname; enam++) { - if (strval == enam->bitnum) - return strdup(enam->lname); - } - return i2s_ASN1_ENUMERATED(method, e); -} diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c index a8e9155..2cbd349 100644 --- a/crypto/x509/x509_err.c +++ b/crypto/x509/x509_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_err.c,v 1.16 2021/11/10 13:57:42 schwarze Exp $ */ +/* $OpenBSD: x509_err.c,v 1.22 2023/05/14 17:20:26 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. * @@ -53,11 +53,6 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include @@ -66,7 +61,6 @@ #include #include -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509,func,0) @@ -77,11 +71,6 @@ static ERR_STRING_DATA X509_str_functs[] = { {0, NULL} }; -static ERR_STRING_DATA X509V3_str_functs[] = { - {ERR_FUNC(0xfff), "CRYPTO_internal"}, - {0, NULL} -}; - static ERR_STRING_DATA X509_str_reasons[] = { {ERR_REASON(X509_R_BAD_X509_FILETYPE) , "bad x509 filetype"}, {ERR_REASON(X509_R_BASE64_DECODE_ERROR) , "base64 decode error"}, @@ -91,6 +80,7 @@ static ERR_STRING_DATA X509_str_reasons[] = { {ERR_REASON(X509_R_INVALID_DIRECTORY) , "invalid directory"}, {ERR_REASON(X509_R_INVALID_FIELD_NAME) , "invalid field name"}, {ERR_REASON(X509_R_INVALID_TRUST) , "invalid trust"}, + {ERR_REASON(X509_R_INVALID_VERSION) , "invalid x509 version"}, {ERR_REASON(X509_R_KEY_TYPE_MISMATCH) , "key type mismatch"}, {ERR_REASON(X509_R_KEY_VALUES_MISMATCH) , "key values mismatch"}, {ERR_REASON(X509_R_LOADING_CERT_DIR) , "loading cert dir"}, 
@@ -113,6 +103,16 @@ static ERR_STRING_DATA X509_str_reasons[] = { {0, NULL} }; +#undef ERR_FUNC +#undef ERR_REASON +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason) + +static ERR_STRING_DATA X509V3_str_functs[] = { + {ERR_FUNC(0xfff), "CRYPTO_internal"}, + {0, NULL} +}; + static ERR_STRING_DATA X509V3_str_reasons[] = { {ERR_REASON(X509V3_R_BAD_IP_ADDRESS) , "bad ip address"}, {ERR_REASON(X509V3_R_BAD_OBJECT) , "bad object"}, @@ -197,6 +197,7 @@ ERR_load_X509_strings(void) } #endif } +LCRYPTO_ALIAS(ERR_load_X509_strings); void @@ -209,3 +210,4 @@ ERR_load_X509V3_strings(void) } #endif } +LCRYPTO_ALIAS(ERR_load_X509V3_strings); diff --git a/crypto/x509/x509_ext.c b/crypto/x509/x509_ext.c index 1445951..ce316d2 100644 --- a/crypto/x509/x509_ext.c +++ b/crypto/x509/x509_ext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_ext.c,v 1.13 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509_ext.c,v 1.16 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
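Review bot: The `#undef`/`#define` block that re-targets ERR_FUNC and ERR_REASON to ERR_LIB_X509V3 silently changes the meaning of every later use in the file, which is what moves the relocated X509V3_str_functs and the following X509V3_str_reasons table onto the correct library code, but nothing at that point says so. Suggest a comment above the `#undef` lines: `/* From here on, pack error codes under ERR_LIB_X509V3 rather than ERR_LIB_X509. */`. The loader functions that consume these tables are outside this hunk.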
@@ -65,49 +65,56 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" int X509_CRL_get_ext_count(const X509_CRL *x) { return (X509v3_get_ext_count(x->crl->extensions)); } +LCRYPTO_ALIAS(X509_CRL_get_ext_count); int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos) { return (X509v3_get_ext_by_NID(x->crl->extensions, nid, lastpos)); } +LCRYPTO_ALIAS(X509_CRL_get_ext_by_NID); int X509_CRL_get_ext_by_OBJ(const X509_CRL *x, const ASN1_OBJECT *obj, int lastpos) { return (X509v3_get_ext_by_OBJ(x->crl->extensions, obj, lastpos)); } +LCRYPTO_ALIAS(X509_CRL_get_ext_by_OBJ); int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, int lastpos) { return (X509v3_get_ext_by_critical(x->crl->extensions, crit, lastpos)); } +LCRYPTO_ALIAS(X509_CRL_get_ext_by_critical); X509_EXTENSION * X509_CRL_get_ext(const X509_CRL *x, int loc) { return (X509v3_get_ext(x->crl->extensions, loc)); } +LCRYPTO_ALIAS(X509_CRL_get_ext); X509_EXTENSION * X509_CRL_delete_ext(X509_CRL *x, int loc) { return (X509v3_delete_ext(x->crl->extensions, loc)); } +LCRYPTO_ALIAS(X509_CRL_delete_ext); void * X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx) { return X509V3_get_d2i(x->crl->extensions, nid, crit, idx); } +LCRYPTO_ALIAS(X509_CRL_get_ext_d2i); int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit, 
@@ -115,30 +122,35 @@ X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, int crit, { return X509V3_add1_i2d(&x->crl->extensions, nid, value, crit, flags); } +LCRYPTO_ALIAS(X509_CRL_add1_ext_i2d); int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc) { return (X509v3_add_ext(&(x->crl->extensions), ex, loc) != NULL); } +LCRYPTO_ALIAS(X509_CRL_add_ext); int X509_get_ext_count(const X509 *x) { return (X509v3_get_ext_count(x->cert_info->extensions)); } +LCRYPTO_ALIAS(X509_get_ext_count); int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos) { return (X509v3_get_ext_by_NID(x->cert_info->extensions, nid, lastpos)); } +LCRYPTO_ALIAS(X509_get_ext_by_NID); int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, int lastpos) { return (X509v3_get_ext_by_OBJ(x->cert_info->extensions, obj, lastpos)); } +LCRYPTO_ALIAS(X509_get_ext_by_OBJ); int X509_get_ext_by_critical(const X509 *x, int crit, int lastpos) @@ -146,30 +158,35 @@ X509_get_ext_by_critical(const X509 *x, int crit, int lastpos) return (X509v3_get_ext_by_critical(x->cert_info->extensions, crit, lastpos)); } +LCRYPTO_ALIAS(X509_get_ext_by_critical); X509_EXTENSION * X509_get_ext(const X509 *x, int loc) { return (X509v3_get_ext(x->cert_info->extensions, loc)); } +LCRYPTO_ALIAS(X509_get_ext); X509_EXTENSION * X509_delete_ext(X509 *x, int loc) { return (X509v3_delete_ext(x->cert_info->extensions, loc)); } +LCRYPTO_ALIAS(X509_delete_ext); int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc) { return (X509v3_add_ext(&(x->cert_info->extensions), ex, loc) != NULL); } +LCRYPTO_ALIAS(X509_add_ext); void * X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx) { return X509V3_get_d2i(x->cert_info->extensions, nid, crit, idx); } +LCRYPTO_ALIAS(X509_get_ext_d2i); int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, unsigned long flags) 
@@ -177,18 +194,21 @@ X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, unsigned long flags) return X509V3_add1_i2d(&x->cert_info->extensions, nid, value, crit, flags); } +LCRYPTO_ALIAS(X509_add1_ext_i2d); int X509_REVOKED_get_ext_count(const X509_REVOKED *x) { return (X509v3_get_ext_count(x->extensions)); } +LCRYPTO_ALIAS(X509_REVOKED_get_ext_count); int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, int lastpos) { return (X509v3_get_ext_by_NID(x->extensions, nid, lastpos)); } +LCRYPTO_ALIAS(X509_REVOKED_get_ext_by_NID); int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, const ASN1_OBJECT *obj, @@ -196,36 +216,42 @@ X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, const ASN1_OBJECT *obj, { return (X509v3_get_ext_by_OBJ(x->extensions, obj, lastpos)); } +LCRYPTO_ALIAS(X509_REVOKED_get_ext_by_OBJ); int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, int crit, int lastpos) { return (X509v3_get_ext_by_critical(x->extensions, crit, lastpos)); } +LCRYPTO_ALIAS(X509_REVOKED_get_ext_by_critical); X509_EXTENSION * X509_REVOKED_get_ext(const X509_REVOKED *x, int loc) { return (X509v3_get_ext(x->extensions, loc)); } +LCRYPTO_ALIAS(X509_REVOKED_get_ext); X509_EXTENSION * X509_REVOKED_delete_ext(X509_REVOKED *x, int loc) { return (X509v3_delete_ext(x->extensions, loc)); } +LCRYPTO_ALIAS(X509_REVOKED_delete_ext); int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc) { return (X509v3_add_ext(&(x->extensions), ex, loc) != NULL); } +LCRYPTO_ALIAS(X509_REVOKED_add_ext); void * X509_REVOKED_get_ext_d2i(const X509_REVOKED *x, int nid, int *crit, int *idx) { return X509V3_get_d2i(x->extensions, nid, crit, idx); } +LCRYPTO_ALIAS(X509_REVOKED_get_ext_d2i); int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit, 
@@ -233,3 +259,4 @@ X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit, { return X509V3_add1_i2d(&x->extensions, nid, value, crit, flags); } +LCRYPTO_ALIAS(X509_REVOKED_add1_ext_i2d); diff --git a/crypto/x509/x509_extku.c b/crypto/x509/x509_extku.c index 09bec67..94032f6 100644 --- a/crypto/x509/x509_extku.c +++ b/crypto/x509/x509_extku.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_extku.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_extku.c,v 1.3 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -128,24 +128,28 @@ d2i_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE **a, const unsigned char **in, long le return (EXTENDED_KEY_USAGE *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &EXTENDED_KEY_USAGE_it); } +LCRYPTO_ALIAS(d2i_EXTENDED_KEY_USAGE); int i2d_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &EXTENDED_KEY_USAGE_it); } +LCRYPTO_ALIAS(i2d_EXTENDED_KEY_USAGE); EXTENDED_KEY_USAGE * EXTENDED_KEY_USAGE_new(void) { return (EXTENDED_KEY_USAGE *)ASN1_item_new(&EXTENDED_KEY_USAGE_it); } +LCRYPTO_ALIAS(EXTENDED_KEY_USAGE_new); void EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *a) { ASN1_item_free((ASN1_VALUE *)a, &EXTENDED_KEY_USAGE_it); } +LCRYPTO_ALIAS(EXTENDED_KEY_USAGE_free); static STACK_OF(CONF_VALUE) * i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a, diff --git a/crypto/x509/x509_genn.c b/crypto/x509/x509_genn.c index dadf6f1..556ba81 100644 --- a/crypto/x509/x509_genn.c +++ b/crypto/x509/x509_genn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_genn.c,v 1.2 2020/12/08 15:06:42 tb Exp $ */ +/* $OpenBSD: x509_genn.c,v 1.6 2023/04/25 15:51:04 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -98,24 +98,28 @@ d2i_OTHERNAME(OTHERNAME **a, const unsigned char **in, long len) return (OTHERNAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &OTHERNAME_it); } +LCRYPTO_ALIAS(d2i_OTHERNAME); int i2d_OTHERNAME(OTHERNAME *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &OTHERNAME_it); } +LCRYPTO_ALIAS(i2d_OTHERNAME); OTHERNAME * OTHERNAME_new(void) { return (OTHERNAME *)ASN1_item_new(&OTHERNAME_it); } +LCRYPTO_ALIAS(OTHERNAME_new); void OTHERNAME_free(OTHERNAME *a) { ASN1_item_free((ASN1_VALUE *)a, &OTHERNAME_it); } +LCRYPTO_ALIAS(OTHERNAME_free); /* Uses explicit tagging since DIRECTORYSTRING is a CHOICE type */ static const ASN1_TEMPLATE EDIPARTYNAME_seq_tt[] = { @@ -152,24 +156,28 @@ d2i_EDIPARTYNAME(EDIPARTYNAME **a, const unsigned char **in, long len) return (EDIPARTYNAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &EDIPARTYNAME_it); } +LCRYPTO_ALIAS(d2i_EDIPARTYNAME); int i2d_EDIPARTYNAME(EDIPARTYNAME *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &EDIPARTYNAME_it); } +LCRYPTO_ALIAS(i2d_EDIPARTYNAME); EDIPARTYNAME * EDIPARTYNAME_new(void) { return (EDIPARTYNAME *)ASN1_item_new(&EDIPARTYNAME_it); } +LCRYPTO_ALIAS(EDIPARTYNAME_new); void EDIPARTYNAME_free(EDIPARTYNAME *a) { ASN1_item_free((ASN1_VALUE *)a, &EDIPARTYNAME_it); } +LCRYPTO_ALIAS(EDIPARTYNAME_free); static const ASN1_TEMPLATE GENERAL_NAME_ch_tt[] = { { 
@@ -256,24 +264,28 @@ d2i_GENERAL_NAME(GENERAL_NAME **a, const unsigned char **in, long len) return (GENERAL_NAME *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &GENERAL_NAME_it); } +LCRYPTO_ALIAS(d2i_GENERAL_NAME); int i2d_GENERAL_NAME(GENERAL_NAME *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &GENERAL_NAME_it); } +LCRYPTO_ALIAS(i2d_GENERAL_NAME); GENERAL_NAME * GENERAL_NAME_new(void) { return (GENERAL_NAME *)ASN1_item_new(&GENERAL_NAME_it); } +LCRYPTO_ALIAS(GENERAL_NAME_new); void GENERAL_NAME_free(GENERAL_NAME *a) { ASN1_item_free((ASN1_VALUE *)a, &GENERAL_NAME_it); } +LCRYPTO_ALIAS(GENERAL_NAME_free); static const ASN1_TEMPLATE GENERAL_NAMES_item_tt = { .flags = ASN1_TFLG_SEQUENCE_OF, @@ -300,30 +312,35 @@ d2i_GENERAL_NAMES(GENERAL_NAMES **a, const unsigned char **in, long len) return (GENERAL_NAMES *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &GENERAL_NAMES_it); } +LCRYPTO_ALIAS(d2i_GENERAL_NAMES); int i2d_GENERAL_NAMES(GENERAL_NAMES *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &GENERAL_NAMES_it); } +LCRYPTO_ALIAS(i2d_GENERAL_NAMES); GENERAL_NAMES * GENERAL_NAMES_new(void) { return (GENERAL_NAMES *)ASN1_item_new(&GENERAL_NAMES_it); } +LCRYPTO_ALIAS(GENERAL_NAMES_new); void GENERAL_NAMES_free(GENERAL_NAMES *a) { ASN1_item_free((ASN1_VALUE *)a, &GENERAL_NAMES_it); } +LCRYPTO_ALIAS(GENERAL_NAMES_free); GENERAL_NAME * GENERAL_NAME_dup(GENERAL_NAME *a) { return ASN1_item_dup(&GENERAL_NAME_it, a); } +LCRYPTO_ALIAS(GENERAL_NAME_dup); static int EDIPARTYNAME_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b) @@ -366,7 +383,7 @@ GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) return -1; switch (a->type) { case GEN_X400: - result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); + result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); break; case GEN_EDIPARTY: 
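Review bot: The switch from ASN1_TYPE_cmp to ASN1_STRING_cmp for GEN_X400 deserves a comment, because the reason is not visible at the call site: the `d.x400Address` member is an ASN1_STRING, so the old call read it through the ASN1_TYPE layout, a type confusion reachable during chain verification whenever GENERAL_NAMEs from a certificate or CRL distribution point are compared. Suggest `/* x400Address is an ASN1_STRING, not an ASN1_TYPE; compare it as such. */` above the assignment. The union member's declaration and the rest of GENERAL_NAME_cmp are outside this hunk, so confirm the header agrees, and a regress test comparing two GEN_X400 names would pin the corrected path.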
@@ -397,6 +414,7 @@ GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) } return result; } +LCRYPTO_ALIAS(GENERAL_NAME_cmp); /* Returns 0 if they are equal, != 0 otherwise. */ int @@ -413,6 +431,7 @@ OTHERNAME_cmp(OTHERNAME *a, OTHERNAME *b) result = ASN1_TYPE_cmp(a->value, b->value); return result; } +LCRYPTO_ALIAS(OTHERNAME_cmp); void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) @@ -450,6 +469,7 @@ GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value) } a->type = type; } +LCRYPTO_ALIAS(GENERAL_NAME_set0_value); void * GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype) @@ -484,6 +504,7 @@ GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype) return NULL; } } +LCRYPTO_ALIAS(GENERAL_NAME_get0_value); int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, ASN1_OBJECT *oid, @@ -499,6 +520,7 @@ GENERAL_NAME_set0_othername(GENERAL_NAME *gen, ASN1_OBJECT *oid, GENERAL_NAME_set0_value(gen, GEN_OTHERNAME, oth); return 1; } +LCRYPTO_ALIAS(GENERAL_NAME_set0_othername); int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, ASN1_OBJECT **poid, @@ -512,3 +534,4 @@ GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, ASN1_OBJECT **poid, *pvalue = gen->d.otherName->value; return 1; } +LCRYPTO_ALIAS(GENERAL_NAME_get0_otherName); diff --git a/crypto/x509/x509_info.c b/crypto/x509/x509_info.c index 86ed6fa..a3d4d1b 100644 --- a/crypto/x509/x509_info.c +++ b/crypto/x509/x509_info.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_info.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ +/* $OpenBSD: x509_info.c,v 1.3 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -139,24 +139,28 @@ d2i_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION **a, const unsigned char **in, long le return (ACCESS_DESCRIPTION *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &ACCESS_DESCRIPTION_it); } +LCRYPTO_ALIAS(d2i_ACCESS_DESCRIPTION); int i2d_ACCESS_DESCRIPTION(ACCESS_DESCRIPTION *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &ACCESS_DESCRIPTION_it); } +LCRYPTO_ALIAS(i2d_ACCESS_DESCRIPTION); ACCESS_DESCRIPTION * ACCESS_DESCRIPTION_new(void) { return (ACCESS_DESCRIPTION *)ASN1_item_new(&ACCESS_DESCRIPTION_it); } +LCRYPTO_ALIAS(ACCESS_DESCRIPTION_new); void ACCESS_DESCRIPTION_free(ACCESS_DESCRIPTION *a) { ASN1_item_free((ASN1_VALUE *)a, &ACCESS_DESCRIPTION_it); } +LCRYPTO_ALIAS(ACCESS_DESCRIPTION_free); static const ASN1_TEMPLATE AUTHORITY_INFO_ACCESS_item_tt = { .flags = ASN1_TFLG_SEQUENCE_OF, @@ -183,24 +187,28 @@ d2i_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS **a, const unsigned char **in, l return (AUTHORITY_INFO_ACCESS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &AUTHORITY_INFO_ACCESS_it); } +LCRYPTO_ALIAS(d2i_AUTHORITY_INFO_ACCESS); int i2d_AUTHORITY_INFO_ACCESS(AUTHORITY_INFO_ACCESS *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &AUTHORITY_INFO_ACCESS_it); } +LCRYPTO_ALIAS(i2d_AUTHORITY_INFO_ACCESS); AUTHORITY_INFO_ACCESS * AUTHORITY_INFO_ACCESS_new(void) { return (AUTHORITY_INFO_ACCESS *)ASN1_item_new(&AUTHORITY_INFO_ACCESS_it); } +LCRYPTO_ALIAS(AUTHORITY_INFO_ACCESS_new); void AUTHORITY_INFO_ACCESS_free(AUTHORITY_INFO_ACCESS *a) { ASN1_item_free((ASN1_VALUE *)a, &AUTHORITY_INFO_ACCESS_it); } +LCRYPTO_ALIAS(AUTHORITY_INFO_ACCESS_free); static STACK_OF(CONF_VALUE) * i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, @@ -306,3 +314,4 @@ i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION* a) i2a_ASN1_OBJECT(bp, a->method); return 2; } +LCRYPTO_ALIAS(i2a_ACCESS_DESCRIPTION); diff --git a/crypto/x509/x509_internal.h b/crypto/x509/x509_internal.h index c6ce522..c4222bc 100644 
--- a/crypto/x509/x509_internal.h +++ b/crypto/x509/x509_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_internal.h,v 1.18 2022/03/14 21:15:49 tb Exp $ */ +/* $OpenBSD: x509_internal.h,v 1.25 2023/01/28 19:08:09 tb Exp $ */ /* * Copyright (c) 2020 Bob Beck * @@ -20,9 +20,9 @@ /* Internal use only, not public API */ #include -#include - -#include "x509_lcl.h" +#include "bytestring.h" +#include "x509_local.h" +#include "x509_verify.h" /* Hard limits on structure size and number of signature checks. */ #define X509_VERIFY_MAX_CHAINS 8 /* Max validated chains */ @@ -93,7 +93,7 @@ int x509_vfy_check_policy(X509_STORE_CTX *ctx); int x509_vfy_check_trust(X509_STORE_CTX *ctx); int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx); int x509_vfy_callback_indicate_completion(X509_STORE_CTX *ctx); -void x509v3_cache_extensions(X509 *x); +int x509v3_cache_extensions(X509 *x); X509 *x509_vfy_lookup_cert_match(X509_STORE_CTX *ctx, X509 *x); time_t x509_verify_asn1_time_to_time_t(const ASN1_TIME *atime, int notafter); 
@@ -111,14 +111,13 @@ struct x509_constraints_names *x509_constraints_names_new(size_t names_max); int x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes, size_t *len); void x509_constraints_names_free(struct x509_constraints_names *names); -int x509_constraints_valid_host(uint8_t *name, size_t len); -int x509_constraints_valid_sandns(uint8_t *name, size_t len); +int x509_constraints_valid_host(CBS *cbs); +int x509_constraints_valid_sandns(CBS *cbs); int x509_constraints_domain(char *domain, size_t dlen, char *constraint, size_t len); -int x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, +int x509_constraints_parse_mailbox(CBS *candidate, struct x509_constraints_name *name); -int x509_constraints_valid_domain_constraint(uint8_t *constraint, - size_t len); +int x509_constraints_valid_domain_constraint(CBS *cbs); int x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostp); int x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, size_t len, int *error); @@ -135,6 +134,7 @@ int x509_constraints_check(struct x509_constraints_names *names, int x509_constraints_chain(STACK_OF(X509) *chain, int *error, int *depth); void x509_verify_cert_info_populate(X509 *cert); +int x509_vfy_check_security_level(X509_STORE_CTX *ctx); __END_HIDDEN_DECLS diff --git a/crypto/x509/x509_issuer_cache.c b/crypto/x509/x509_issuer_cache.c index 26cde17..f7fbd54 100644 --- a/crypto/x509/x509_issuer_cache.c +++ b/crypto/x509/x509_issuer_cache.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_issuer_cache.c,v 1.2 2020/11/18 17:00:59 tb Exp $ */ +/* $OpenBSD: x509_issuer_cache.c,v 1.4 2022/12/26 07:18:53 jmc Exp $ */ /* * Copyright (c) 2020 Bob Beck * 
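Review bot: The move of the name-constraint validators to `CBS *` stops short within the same declaration block: `x509_constraints_uri_host` and `x509_constraints_uri` still take a raw `uint8_t *` plus length, so those two parsers keep hand-written bounds arithmetic while their siblings get the bounds-checked CBS interface. Consider giving them the same signature in a follow-up so the whole constraints parser is uniformly length-checked. The definitions are outside this hunk, so whether their bodies already wrap the input in a CBS internally cannot be seen here.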
@@ -73,6 +73,40 @@ x509_issuer_cache_set_max(size_t max) return 1; } +/* + * Free the oldest entry in the issuer cache. Returns 1 + * if an entry was successfully freed, 0 otherwise. Must + * be called with x509_issuer_tree_mutex held. + */ +void +x509_issuer_cache_free_oldest() +{ + struct x509_issuer *old; + + if (x509_issuer_cache_count == 0) + return; + old = TAILQ_LAST(&x509_issuer_lru, lruqueue); + TAILQ_REMOVE(&x509_issuer_lru, old, queue); + RB_REMOVE(x509_issuer_tree, &x509_issuer_cache, old); + free(old->parent_md); + free(old->child_md); + free(old); + x509_issuer_cache_count--; +} + +/* + * Free the entire issuer cache, discarding all entries. + */ +void +x509_issuer_cache_free() +{ + if (pthread_mutex_lock(&x509_issuer_tree_mutex) != 0) + return; + while (x509_issuer_cache_count > 0) + x509_issuer_cache_free_oldest(); + (void) pthread_mutex_unlock(&x509_issuer_tree_mutex); +} + /* * Find a previous result of checking if parent signed child * @@ -140,24 +174,16 @@ x509_issuer_cache_add(unsigned char *parent_md, unsigned char *child_md, if (pthread_mutex_lock(&x509_issuer_tree_mutex) != 0) goto err; - while (x509_issuer_cache_count >= x509_issuer_cache_max) { - struct x509_issuer *old; - if ((old = TAILQ_LAST(&x509_issuer_lru, lruqueue)) == NULL) - goto err; - TAILQ_REMOVE(&x509_issuer_lru, old, queue); - RB_REMOVE(x509_issuer_tree, &x509_issuer_cache, old); - free(old->parent_md); - free(old->child_md); - free(old); - x509_issuer_cache_count--; - } + while (x509_issuer_cache_count >= x509_issuer_cache_max) + x509_issuer_cache_free_oldest(); if (RB_INSERT(x509_issuer_tree, &x509_issuer_cache, new) == NULL) { TAILQ_INSERT_HEAD(&x509_issuer_lru, new, queue); x509_issuer_cache_count++; new = NULL; } - err: (void) pthread_mutex_unlock(&x509_issuer_tree_mutex); + + err: if (new != NULL) { free(new->parent_md); free(new->child_md); diff --git a/crypto/x509/x509_issuer_cache.h b/crypto/x509/x509_issuer_cache.h index 6dedde7..3afe65b 100644 
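Review bot: The comment on x509_issuer_cache_free_oldest says it returns 1 when an entry was freed and 0 otherwise, but the function is declared `void`, and the caller in the second hunk of this file (`while (x509_issuer_cache_count >= x509_issuer_cache_max) x509_issuer_cache_free_oldest();`) has lost the termination the old loop got from its `TAILQ_LAST(...) == NULL` check: if `x509_issuer_cache_max` is 0 the condition stays true once the cache is empty and the loop spins forever with the mutex held. Whether x509_issuer_cache_set_max accepts 0 is outside the hunk; if it does, the fix is to make the function match its comment — `int x509_issuer_cache_free_oldest(void)` returning 0 on the empty path and 1 after the decrement — and loop with `while (x509_issuer_cache_count >= x509_issuer_cache_max && x509_issuer_cache_free_oldest())`. Independently, both new definitions use empty parentheses; write `(void)` so they are prototypes. If free_oldest is used only in this file, declare it `static` too, since the header hunk exports only x509_issuer_cache_free.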
--- a/crypto/x509/x509_issuer_cache.h
+++ b/crypto/x509/x509_issuer_cache.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_issuer_cache.h,v 1.1 2020/09/11 14:30:51 beck Exp $ */
+/* $OpenBSD: x509_issuer_cache.h,v 1.2 2022/09/03 17:47:47 jsing Exp $ */
 /*
  * Copyright (c) 2020 Bob Beck
  *
@@ -41,6 +41,7 @@ int x509_issuer_cache_set_max(size_t max);
 int x509_issuer_cache_find(unsigned char *parent_md, unsigned char *child_md);
 void x509_issuer_cache_add(unsigned char *parent_md, unsigned char *child_md,
     int valid);
+void x509_issuer_cache_free();
 
 __END_HIDDEN_DECLS
diff --git a/crypto/x509/x509_lib.c b/crypto/x509/x509_lib.c
index a518d5b..93f8dc2 100644
--- a/crypto/x509/x509_lib.c
+++ b/crypto/x509/x509_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_lib.c,v 1.3 2021/11/01 20:53:08 tb Exp $ */
+/* $OpenBSD: x509_lib.c,v 1.14 2023/04/25 10:56:58 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999.
  */
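Review bot: `void x509_issuer_cache_free();` declares the function without a prototype, so a call with arguments would not be diagnosed; write `void x509_issuer_cache_free(void);` to match the `(size_t max)` style of the neighbouring declarations. The definition in x509_issuer_cache.c has the same empty parentheses and should change together with this line.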
@@ -63,14 +63,90 @@ #include #include -#include "ext_dat.h" -#include "x509_lcl.h" +#include "x509_local.h" static STACK_OF(X509V3_EXT_METHOD) *ext_list = NULL; -static int ext_cmp(const X509V3_EXT_METHOD * const *a, - const X509V3_EXT_METHOD * const *b); -static void ext_list_free(X509V3_EXT_METHOD *ext); +extern const X509V3_EXT_METHOD v3_bcons, v3_nscert, v3_key_usage, v3_ext_ku; +extern const X509V3_EXT_METHOD v3_pkey_usage_period, v3_info, v3_sinfo; +extern const X509V3_EXT_METHOD v3_ns_ia5_list[], v3_alt[], v3_skey_id, v3_akey_id; +extern const X509V3_EXT_METHOD v3_crl_num, v3_crl_reason, v3_crl_invdate; +extern const X509V3_EXT_METHOD v3_delta_crl, v3_cpols, v3_crld, v3_freshest_crl; +extern const X509V3_EXT_METHOD v3_ocsp_nonce, v3_ocsp_accresp, v3_ocsp_acutoff; +extern const X509V3_EXT_METHOD v3_ocsp_crlid, v3_ocsp_nocheck, v3_ocsp_serviceloc; +extern const X509V3_EXT_METHOD v3_crl_hold; +extern const X509V3_EXT_METHOD v3_policy_mappings, v3_policy_constraints; +extern const X509V3_EXT_METHOD v3_name_constraints, v3_inhibit_anyp, v3_idp; +extern const X509V3_EXT_METHOD v3_addr, v3_asid; +extern const X509V3_EXT_METHOD v3_ct_scts[3]; + +/* + * This table needs to be sorted by increasing ext_nid values for OBJ_bsearch_. 
+ */ + +static const X509V3_EXT_METHOD *standard_exts[] = { + &v3_nscert, + &v3_ns_ia5_list[0], + &v3_ns_ia5_list[1], + &v3_ns_ia5_list[2], + &v3_ns_ia5_list[3], + &v3_ns_ia5_list[4], + &v3_ns_ia5_list[5], + &v3_ns_ia5_list[6], + &v3_skey_id, + &v3_key_usage, + &v3_pkey_usage_period, + &v3_alt[0], + &v3_alt[1], + &v3_bcons, + &v3_crl_num, + &v3_cpols, + &v3_akey_id, + &v3_crld, + &v3_ext_ku, + &v3_delta_crl, + &v3_crl_reason, +#ifndef OPENSSL_NO_OCSP + &v3_crl_invdate, +#endif + &v3_info, +#ifndef OPENSSL_NO_RFC3779 + &v3_addr, + &v3_asid, +#endif +#ifndef OPENSSL_NO_OCSP + &v3_ocsp_nonce, + &v3_ocsp_crlid, + &v3_ocsp_accresp, + &v3_ocsp_nocheck, + &v3_ocsp_acutoff, + &v3_ocsp_serviceloc, +#endif + &v3_sinfo, + &v3_policy_constraints, +#ifndef OPENSSL_NO_OCSP + &v3_crl_hold, +#endif + &v3_name_constraints, + &v3_policy_mappings, + &v3_inhibit_anyp, + &v3_idp, + &v3_alt[2], + &v3_freshest_crl, +#ifndef OPENSSL_NO_CT + &v3_ct_scts[0], + &v3_ct_scts[1], + &v3_ct_scts[2], +#endif +}; + +#define STANDARD_EXTENSION_COUNT (sizeof(standard_exts) / sizeof(standard_exts[0])) + +static int +ext_cmp(const X509V3_EXT_METHOD * const *a, const X509V3_EXT_METHOD * const *b) +{ + return ((*a)->ext_nid - (*b)->ext_nid); +} int X509V3_EXT_add(X509V3_EXT_METHOD *ext) @@ -85,16 +161,7 @@ X509V3_EXT_add(X509V3_EXT_METHOD *ext) } return 1; } - -static int -ext_cmp(const X509V3_EXT_METHOD * const *a, const X509V3_EXT_METHOD * const *b) -{ - return ((*a)->ext_nid - (*b)->ext_nid); -} - -static int ext_cmp_BSEARCH_CMP_FN(const void *, const void *); -static int ext_cmp(const X509V3_EXT_METHOD * const *, const X509V3_EXT_METHOD * const *); -static const X509V3_EXT_METHOD * *OBJ_bsearch_ext(const X509V3_EXT_METHOD * *key, const X509V3_EXT_METHOD * const *base, int num); +LCRYPTO_ALIAS(X509V3_EXT_add); static int ext_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_) 
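Review bot: The comment above standard_exts states the table must be sorted by increasing ext_nid for OBJ_bsearch_, but nothing enforces that invariant, and with the `#ifndef OPENSSL_NO_OCSP`/`OPENSSL_NO_RFC3779`/`OPENSSL_NO_CT` gaps a misplaced entry is easy to introduce and hard to spot by eye. A mis-sorted entry makes the search miss a supported extension, so X509V3_EXT_get_nid would return NULL for it and the extension would be handled as unknown. Suggest a regress test that walks standard_exts and asserts each `ext_nid` is strictly greater than the previous, or an equivalent one-time check behind a debug define. The lookup code that consumes this table (X509V3_EXT_get_nid) is outside this hunk.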
@@ -132,6 +199,7 @@ X509V3_EXT_get_nid(int nid) return NULL; return sk_X509V3_EXT_METHOD_value(ext_list, idx); } +LCRYPTO_ALIAS(X509V3_EXT_get_nid); const X509V3_EXT_METHOD * X509V3_EXT_get(X509_EXTENSION *ext) @@ -142,6 +210,7 @@ X509V3_EXT_get(X509_EXTENSION *ext) return NULL; return X509V3_EXT_get_nid(nid); } +LCRYPTO_ALIAS(X509V3_EXT_get); int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist) @@ -151,6 +220,7 @@ X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist) return 0; return 1; } +LCRYPTO_ALIAS(X509V3_EXT_add_list); int X509V3_EXT_add_alias(int nid_to, int nid_from) @@ -175,13 +245,7 @@ X509V3_EXT_add_alias(int nid_to, int nid_from) } return 1; } - -void -X509V3_EXT_cleanup(void) -{ - sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free); - ext_list = NULL; -} +LCRYPTO_ALIAS(X509V3_EXT_add_alias); static void ext_list_free(X509V3_EXT_METHOD *ext) @@ -190,15 +254,20 @@ ext_list_free(X509V3_EXT_METHOD *ext) free(ext); } -/* Legacy function: we don't need to add standard extensions - * any more because they are now kept in ext_dat.h. - */ +void +X509V3_EXT_cleanup(void) +{ + sk_X509V3_EXT_METHOD_pop_free(ext_list, ext_list_free); + ext_list = NULL; +} +LCRYPTO_ALIAS(X509V3_EXT_cleanup); int X509V3_add_standard_extensions(void) { return 1; } +LCRYPTO_ALIAS(X509V3_add_standard_extensions); /* Return an extension internal structure */ @@ -216,6 +285,7 @@ X509V3_EXT_d2i(X509_EXTENSION *ext) method->it); return method->d2i(NULL, &p, ext->value->length); } +LCRYPTO_ALIAS(X509V3_EXT_d2i); /* Get critical flag and decoded version of extension from a NID. * The "idx" variable returns the last found extension and can @@ -281,6 +351,7 @@ X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx) *crit = -1; return NULL; } +LCRYPTO_ALIAS(X509V3_get_d2i); /* This function is a general extension append, replace and delete utility. * The precise operation is governed by the 'flags' value. The 'crit' and 
@@ -314,8 +385,9 @@ X509V3_add1_i2d(STACK_OF(X509_EXTENSION) **x, int nid, void *value, } /* If delete, just delete it */ if (ext_op == X509V3_ADD_DELETE) { - if (!sk_X509_EXTENSION_delete(*x, extidx)) + if ((extmp = sk_X509_EXTENSION_delete(*x, extidx)) == NULL) return -1; + X509_EXTENSION_free(extmp); return 1; } } else { @@ -361,3 +433,4 @@ err: X509V3error(errcode); return 0; } +LCRYPTO_ALIAS(X509V3_add1_i2d); diff --git a/crypto/x509/x509_lcl.h b/crypto/x509/x509_local.h similarity index 92% rename from crypto/x509/x509_lcl.h rename to crypto/x509/x509_local.h index e7eb733..9ce1b58 100644 --- a/crypto/x509/x509_lcl.h +++ b/crypto/x509/x509_local.h @@ -1,4 +1,4 @@ -/* x509_lcl.h */ +/* $OpenBSD: x509_local.h,v 1.8 2023/05/08 14:51:00 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2013. */ @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -56,8 +56,8 @@ * */ -#ifndef HEADER_X509_LCL_H -#define HEADER_X509_LCL_H +#ifndef HEADER_X509_LOCAL_H +#define HEADER_X509_LOCAL_H __BEGIN_HIDDEN_DECLS @@ -109,12 +109,7 @@ struct X509_extension_st { struct x509_attributes_st { ASN1_OBJECT *object; - int single; /* 0 for a set, 1 for a single item (which is wrong) */ - union { - char *ptr; -/* 0 */ STACK_OF(ASN1_TYPE) *set; -/* 1 */ ASN1_TYPE *single; - } value; + STACK_OF(ASN1_TYPE) *set; } /* X509_ATTRIBUTE */; struct X509_req_info_st { 
@@ -170,14 +165,12 @@ struct x509_st { CRYPTO_EX_DATA ex_data; /* These contain copies of various extension values */ long ex_pathlen; - long ex_pcpathlen; unsigned long ex_flags; unsigned long ex_kusage; unsigned long ex_xkusage; unsigned long ex_nscert; ASN1_OCTET_STRING *skid; AUTHORITY_KEYID *akid; - X509_POLICY_CACHE *policy_cache; STACK_OF(DIST_POINT) *crldp; STACK_OF(GENERAL_NAME) *altname; NAME_CONSTRAINTS *nc; @@ -277,6 +270,7 @@ struct X509_VERIFY_PARAM_st { int purpose; /* purpose to check untrusted certificates */ int trust; /* trust setting to check */ int depth; /* Verify depth */ + int security_level; /* 'Security level', see SP800-57. */ STACK_OF(ASN1_OBJECT) *policies; /* Permissible policies */ X509_VERIFY_PARAM_ID *id; /* opaque ID data */ } /* X509_VERIFY_PARAM */; @@ -333,10 +327,10 @@ struct x509_store_ctx_st { /* The following are set by the caller */ X509 *cert; /* The cert to check */ STACK_OF(X509) *untrusted; /* chain of X509s - untrusted - passed in */ + STACK_OF(X509) *trusted; /* trusted stack for use with get_issuer() */ STACK_OF(X509_CRL) *crls; /* set of CRLs passed in */ X509_VERIFY_PARAM *param; - void *other_ctx; /* Other info for use with get_issuer() */ /* Callbacks for various operations */ int (*verify)(X509_STORE_CTX *ctx); /* called to verify a certificate */ @@ -356,7 +350,6 @@ struct x509_store_ctx_st { int valid; /* if 0, rebuild chain */ int num_untrusted; /* number of untrusted certs in chain */ STACK_OF(X509) *chain; /* chain of X509s - built up and trusted */ - X509_POLICY_TREE *tree; /* Valid policy tree */ int explicit_policy; /* Require explicit policy value */ 
@@ -375,10 +368,25 @@ struct x509_store_ctx_st { CRYPTO_EX_DATA ex_data; } /* X509_STORE_CTX */; +struct X509_VERIFY_PARAM_ID_st { + STACK_OF(OPENSSL_STRING) *hosts; /* Set of acceptable names */ + unsigned int hostflags; /* Flags to control matching features */ + char *peername; /* Matching hostname in peer certificate */ + char *email; /* If not NULL email address to match */ + size_t emaillen; + unsigned char *ip; /* If not NULL IP address to match */ + size_t iplen; /* Length of IP address */ + int poisoned; +}; + int x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int quiet); int name_cmp(const char *name, const char *cmp); +int X509_policy_check(const STACK_OF(X509) *certs, + const STACK_OF(ASN1_OBJECT) *user_policies, unsigned long flags, + X509 **out_current_cert); + __END_HIDDEN_DECLS -#endif /* !HEADER_X509_LCL_H */ +#endif /* !HEADER_X509_LOCAL_H */ diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 90d7549..05730f5 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_lu.c,v 1.55 2022/01/14 07:53:45 tb Exp $ */ +/* $OpenBSD: x509_lu.c,v 1.60 2023/04/25 18:32:42 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,7 +63,7 @@ #include #include #include -#include "x509_lcl.h" +#include "x509_local.h" X509_LOOKUP * X509_LOOKUP_new(X509_LOOKUP_METHOD *method) @@ -84,6 +84,7 @@ X509_LOOKUP_new(X509_LOOKUP_METHOD *method) return lu; } +LCRYPTO_ALIAS(X509_LOOKUP_new); void X509_LOOKUP_free(X509_LOOKUP *ctx) @@ -94,6 +95,7 @@ X509_LOOKUP_free(X509_LOOKUP *ctx) ctx->method->free(ctx); free(ctx); } +LCRYPTO_ALIAS(X509_LOOKUP_free); int X509_LOOKUP_init(X509_LOOKUP *ctx) @@ -104,6 +106,7 @@ X509_LOOKUP_init(X509_LOOKUP *ctx) return 1; return ctx->method->init(ctx); } +LCRYPTO_ALIAS(X509_LOOKUP_init); int X509_LOOKUP_shutdown(X509_LOOKUP *ctx) 
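Review bot: Two fields of the newly exposed X509_VERIFY_PARAM_ID_st lack the trailing comment every sibling has: `emaillen` and `poisoned`. Suggest `size_t emaillen; /* Length of email */` and, hedged because the setter logic is not in this hunk, `int poisoned; /* presumably set when a host/name setter failed so verification must fail — confirm against the setters */`. Since this struct now lives in a shared local header, a short note on which setters may set `poisoned` would help readers of x509_vpm.c and the verifier agree on its contract.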
@@ -114,6 +117,7 @@ X509_LOOKUP_shutdown(X509_LOOKUP *ctx) return 1; return ctx->method->shutdown(ctx); } +LCRYPTO_ALIAS(X509_LOOKUP_shutdown); int X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, @@ -125,6 +129,7 @@ X509_LOOKUP_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, return 1; return ctx->method->ctrl(ctx, cmd, argc, argl, ret); } +LCRYPTO_ALIAS(X509_LOOKUP_ctrl); int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, X509_NAME *name, @@ -134,6 +139,7 @@ X509_LOOKUP_by_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, X509_NAME *name, return 0; return ctx->method->get_by_subject(ctx, type, name, ret); } +LCRYPTO_ALIAS(X509_LOOKUP_by_subject); int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, @@ -143,6 +149,7 @@ X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, return 0; return ctx->method->get_by_issuer_serial(ctx, type, name, serial, ret); } +LCRYPTO_ALIAS(X509_LOOKUP_by_issuer_serial); int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, @@ -152,6 +159,7 @@ X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, return 0; return ctx->method->get_by_fingerprint(ctx, type, bytes, len, ret); } +LCRYPTO_ALIAS(X509_LOOKUP_by_fingerprint); int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, const char *str, @@ -161,6 +169,7 @@ X509_LOOKUP_by_alias(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type, const char *str, return 0; return ctx->method->get_by_alias(ctx, type, str, len, ret); } +LCRYPTO_ALIAS(X509_LOOKUP_by_alias); static int x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b) @@ -208,6 +217,7 @@ X509_STORE_new(void) return NULL; } +LCRYPTO_ALIAS(X509_STORE_new); X509_OBJECT * X509_OBJECT_new(void) @@ -223,6 +233,7 @@ X509_OBJECT_new(void) return obj; } +LCRYPTO_ALIAS(X509_OBJECT_new); void X509_OBJECT_free(X509_OBJECT *a) 
@@ -241,6 +252,7 @@ X509_OBJECT_free(X509_OBJECT *a) free(a); } +LCRYPTO_ALIAS(X509_OBJECT_free); void X509_STORE_free(X509_STORE *store) @@ -268,12 +280,14 @@ X509_STORE_free(X509_STORE *store) X509_VERIFY_PARAM_free(store->param); free(store); } +LCRYPTO_ALIAS(X509_STORE_free); int X509_STORE_up_ref(X509_STORE *store) { return CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE) > 1; } +LCRYPTO_ALIAS(X509_STORE_up_ref); X509_LOOKUP * X509_STORE_add_lookup(X509_STORE *store, X509_LOOKUP_METHOD *method) @@ -302,6 +316,7 @@ X509_STORE_add_lookup(X509_STORE *store, X509_LOOKUP_METHOD *method) return lu; } +LCRYPTO_ALIAS(X509_STORE_add_lookup); X509_OBJECT * X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, @@ -318,6 +333,7 @@ X509_STORE_CTX_get_obj_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, return obj; } +LCRYPTO_ALIAS(X509_STORE_CTX_get_obj_by_subject); int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, @@ -356,6 +372,7 @@ X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type, return 1; } +LCRYPTO_ALIAS(X509_STORE_CTX_get_by_subject); /* Add obj to the store. Takes ownership of obj. */ static int @@ -407,6 +424,7 @@ X509_STORE_add_cert(X509_STORE *store, X509 *x) return X509_STORE_add_object(store, obj); } +LCRYPTO_ALIAS(X509_STORE_add_cert); int X509_STORE_add_crl(X509_STORE *store, X509_CRL *x) @@ -429,6 +447,7 @@ X509_STORE_add_crl(X509_STORE *store, X509_CRL *x) return X509_STORE_add_object(store, obj); } +LCRYPTO_ALIAS(X509_STORE_add_crl); int X509_OBJECT_up_ref_count(X509_OBJECT *a) @@ -441,12 +460,14 @@ X509_OBJECT_up_ref_count(X509_OBJECT *a) } return 1; } +LCRYPTO_ALIAS(X509_OBJECT_up_ref_count); X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a) { return a->type; } +LCRYPTO_ALIAS(X509_OBJECT_get_type); static int x509_object_idx_cnt(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, 
@@ -498,6 +519,7 @@ X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, { return x509_object_idx_cnt(h, type, name, NULL); } +LCRYPTO_ALIAS(X509_OBJECT_idx_by_subject); X509_OBJECT * X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, @@ -510,6 +532,7 @@ X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h, X509_LOOKUP_TYPE type, return NULL; return sk_X509_OBJECT_value(h, idx); } +LCRYPTO_ALIAS(X509_OBJECT_retrieve_by_subject); X509 * X509_OBJECT_get0_X509(const X509_OBJECT *xo) @@ -518,6 +541,7 @@ X509_OBJECT_get0_X509(const X509_OBJECT *xo) return xo->data.x509; return NULL; } +LCRYPTO_ALIAS(X509_OBJECT_get0_X509); X509_CRL * X509_OBJECT_get0_X509_CRL(X509_OBJECT *xo) @@ -526,6 +550,7 @@ X509_OBJECT_get0_X509_CRL(X509_OBJECT *xo) return xo->data.crl; return NULL; } +LCRYPTO_ALIAS(X509_OBJECT_get0_X509_CRL); static STACK_OF(X509) * X509_get1_certs_from_cache(X509_STORE *store, X509_NAME *name) @@ -569,7 +594,7 @@ X509_get1_certs_from_cache(X509_STORE *store, X509_NAME *name) } STACK_OF(X509) * -X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *name) +X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *name) { X509_STORE *store = ctx->store; STACK_OF(X509) *sk; @@ -589,9 +614,10 @@ X509_STORE_get1_certs(X509_STORE_CTX *ctx, X509_NAME *name) return X509_get1_certs_from_cache(store, name); } +LCRYPTO_ALIAS(X509_STORE_CTX_get1_certs); STACK_OF(X509_CRL) * -X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *name) +X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, X509_NAME *name) { X509_STORE *store = ctx->store; STACK_OF(X509_CRL) *sk = NULL; @@ -639,6 +665,7 @@ X509_STORE_get1_crls(X509_STORE_CTX *ctx, X509_NAME *name) sk_X509_CRL_pop_free(sk, X509_CRL_free); return NULL; } +LCRYPTO_ALIAS(X509_STORE_CTX_get1_crls); X509_OBJECT * X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x) 
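Review bot: Renaming `X509_STORE_get1_certs` to `X509_STORE_CTX_get1_certs` (and `X509_STORE_get1_crls` to `X509_STORE_CTX_get1_crls` in the following hunk) drops the old exported symbols from this translation unit, while the new `LCRYPTO_ALIAS` lines register only the new names. Unless the public header keeps a compatibility macro or the old symbol is exported from somewhere else — neither is visible in this chunk — this is a source and binary compatibility break for external callers of the old names and should be called out in the release notes. If compatibility is intended, a `#define X509_STORE_get1_certs X509_STORE_CTX_get1_certs` (and the CRL counterpart) in the public header, or an exported wrapper, would preserve it. The bodies of both renamed functions continue outside their hunks.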
@@ -667,6 +694,7 @@ X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x) } return NULL; } +LCRYPTO_ALIAS(X509_OBJECT_retrieve_match); /* Try to get issuer certificate from store. Due to limitations * of the API this can only retrieve a single certificate matching @@ -757,30 +785,35 @@ X509_STORE_CTX_get1_issuer(X509 **out_issuer, X509_STORE_CTX *ctx, X509 *x) CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); return ret; } +LCRYPTO_ALIAS(X509_STORE_CTX_get1_issuer); STACK_OF(X509_OBJECT) * X509_STORE_get0_objects(X509_STORE *xs) { return xs->objs; } +LCRYPTO_ALIAS(X509_STORE_get0_objects); void * X509_STORE_get_ex_data(X509_STORE *xs, int idx) { return CRYPTO_get_ex_data(&xs->ex_data, idx); } +LCRYPTO_ALIAS(X509_STORE_get_ex_data); int X509_STORE_set_ex_data(X509_STORE *xs, int idx, void *data) { return CRYPTO_set_ex_data(&xs->ex_data, idx, data); } +LCRYPTO_ALIAS(X509_STORE_set_ex_data); int X509_STORE_set_flags(X509_STORE *ctx, unsigned long flags) { return X509_VERIFY_PARAM_set_flags(ctx->param, flags); } +LCRYPTO_ALIAS(X509_STORE_set_flags); int X509_STORE_set_depth(X509_STORE *ctx, int depth) 
@@ -788,51 +821,60 @@ X509_STORE_set_depth(X509_STORE *ctx, int depth) X509_VERIFY_PARAM_set_depth(ctx->param, depth); return 1; } +LCRYPTO_ALIAS(X509_STORE_set_depth); int X509_STORE_set_purpose(X509_STORE *ctx, int purpose) { return X509_VERIFY_PARAM_set_purpose(ctx->param, purpose); } +LCRYPTO_ALIAS(X509_STORE_set_purpose); int X509_STORE_set_trust(X509_STORE *ctx, int trust) { return X509_VERIFY_PARAM_set_trust(ctx->param, trust); } +LCRYPTO_ALIAS(X509_STORE_set_trust); int X509_STORE_set1_param(X509_STORE *ctx, X509_VERIFY_PARAM *param) { return X509_VERIFY_PARAM_set1(ctx->param, param); } +LCRYPTO_ALIAS(X509_STORE_set1_param); X509_VERIFY_PARAM * X509_STORE_get0_param(X509_STORE *ctx) { return ctx->param; } +LCRYPTO_ALIAS(X509_STORE_get0_param); void X509_STORE_set_verify(X509_STORE *store, X509_STORE_CTX_verify_fn verify) { store->verify = verify; } +LCRYPTO_ALIAS(X509_STORE_set_verify); X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *store) { return store->verify; } +LCRYPTO_ALIAS(X509_STORE_get_verify); void X509_STORE_set_verify_cb(X509_STORE *store, X509_STORE_CTX_verify_cb verify_cb) { store->verify_cb = verify_cb; } +LCRYPTO_ALIAS(X509_STORE_set_verify_cb); X509_STORE_CTX_verify_cb X509_STORE_get_verify_cb(X509_STORE *store) { return store->verify_cb; } +LCRYPTO_ALIAS(X509_STORE_get_verify_cb); diff --git a/crypto/x509/x509_ncons.c b/crypto/x509/x509_ncons.c index 6135270..159e3c2 100644 --- a/crypto/x509/x509_ncons.c +++ b/crypto/x509/x509_ncons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_ncons.c,v 1.5 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509_ncons.c,v 1.9 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -64,7 +64,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" static void *v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *nval); 
@@ -165,24 +165,28 @@ GENERAL_SUBTREE_new(void) { return (GENERAL_SUBTREE*)ASN1_item_new(&GENERAL_SUBTREE_it); } +LCRYPTO_ALIAS(GENERAL_SUBTREE_new); void GENERAL_SUBTREE_free(GENERAL_SUBTREE *a) { ASN1_item_free((ASN1_VALUE *)a, &GENERAL_SUBTREE_it); } +LCRYPTO_ALIAS(GENERAL_SUBTREE_free); NAME_CONSTRAINTS * NAME_CONSTRAINTS_new(void) { return (NAME_CONSTRAINTS*)ASN1_item_new(&NAME_CONSTRAINTS_it); } +LCRYPTO_ALIAS(NAME_CONSTRAINTS_new); void NAME_CONSTRAINTS_free(NAME_CONSTRAINTS *a) { ASN1_item_free((ASN1_VALUE *)a, &NAME_CONSTRAINTS_it); } +LCRYPTO_ALIAS(NAME_CONSTRAINTS_free); static void * v2i_NAME_CONSTRAINTS(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, @@ -349,6 +353,7 @@ NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) } return X509_V_OK; } +LCRYPTO_ALIAS(NAME_CONSTRAINTS_check); static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) { @@ -477,7 +482,7 @@ nc_email(ASN1_IA5STRING *eml, ASN1_IA5STRING *base) if (!emlat) return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; - /* Special case: inital '.' is RHS match */ + /* Special case: initial '.' is RHS match */ if (!baseat && (*baseptr == '.')) { if (eml->length > base->length) { emlptr += eml->length - base->length; @@ -538,7 +543,7 @@ nc_uri(ASN1_IA5STRING *uri, ASN1_IA5STRING *base) if (hostlen == 0) return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; - /* Special case: inital '.' is RHS match */ + /* Special case: initial '.' is RHS match */ if (*baseptr == '.') { if (hostlen > base->length) { p = hostptr + hostlen - base->length; diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c index 58ffa3a..ea4ae6b 100644 --- a/crypto/x509/x509_obj.c +++ b/crypto/x509/x509_obj.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_obj.c,v 1.19 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509_obj.c,v 1.22 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -65,7 +65,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" char * X509_NAME_oneline(const X509_NAME *a, char *buf, int len) @@ -179,3 +179,4 @@ err: BUF_MEM_free(b); return (NULL); } +LCRYPTO_ALIAS(X509_NAME_oneline); diff --git a/crypto/x509/x509_pci.c b/crypto/x509/x509_pci.c deleted file mode 100644 index b1d31df..0000000 --- a/crypto/x509/x509_pci.c +++ /dev/null 
@@ -1,311 +0,0 @@ -/* $OpenBSD: x509_pci.c,v 1.2 2021/08/24 15:23:03 tb Exp $ */ -/* Contributed to the OpenSSL Project 2004 - * by Richard Levitte (richard@levitte.org) - */ -/* Copyright (c) 2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include - -#include -#include -#include - -static int i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *ext, - BIO *out, int indent); -static PROXY_CERT_INFO_EXTENSION *r2i_pci(X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, char *str); - -const X509V3_EXT_METHOD v3_pci = { - .ext_nid = NID_proxyCertInfo, - .ext_flags = 0, - .it = &PROXY_CERT_INFO_EXTENSION_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = NULL, - .s2i = NULL, - .i2v = NULL, - .v2i = NULL, - .i2r = (X509V3_EXT_I2R)i2r_pci, - .r2i = (X509V3_EXT_R2I)r2i_pci, - .usr_data = NULL, -}; - -static int -i2r_pci(X509V3_EXT_METHOD *method, PROXY_CERT_INFO_EXTENSION *pci, BIO *out, - int indent) -{ - BIO_printf(out, "%*sPath Length Constraint: ", indent, ""); - if (pci->pcPathLengthConstraint) - i2a_ASN1_INTEGER(out, pci->pcPathLengthConstraint); - else - BIO_printf(out, "infinite"); - BIO_puts(out, "\n"); - BIO_printf(out, "%*sPolicy Language: ", indent, ""); - i2a_ASN1_OBJECT(out, pci->proxyPolicy->policyLanguage); - BIO_puts(out, "\n"); - if (pci->proxyPolicy->policy && pci->proxyPolicy->policy->data) - BIO_printf(out, "%*sPolicy Text: %.*s\n", indent, "", - pci->proxyPolicy->policy->length, - pci->proxyPolicy->policy->data); - return 1; -} - -static int -process_pci_value(CONF_VALUE *val, ASN1_OBJECT **language, - ASN1_INTEGER **pathlen, ASN1_OCTET_STRING **policy) -{ - int free_policy = 0; - - if (strcmp(val->name, "language") == 0) { - if (*language) { - X509V3error(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED); - X509V3_conf_err(val); - return 0; - } - if (!(*language = OBJ_txt2obj(val->value, 0))) { - X509V3error(X509V3_R_INVALID_OBJECT_IDENTIFIER); - X509V3_conf_err(val); - return 0; - } - } - else if (strcmp(val->name, "pathlen") == 0) { - if (*pathlen) { - X509V3error(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED); - X509V3_conf_err(val); - return 0; - } - if (!X509V3_get_value_int(val, pathlen)) { - X509V3error(X509V3_R_POLICY_PATH_LENGTH); - 
X509V3_conf_err(val); - return 0; - } - } - else if (strcmp(val->name, "policy") == 0) { - unsigned char *tmp_data = NULL; - long val_len; - if (!*policy) { - *policy = ASN1_OCTET_STRING_new(); - if (!*policy) { - X509V3error(ERR_R_MALLOC_FAILURE); - X509V3_conf_err(val); - return 0; - } - free_policy = 1; - } - if (strncmp(val->value, "hex:", 4) == 0) { - unsigned char *tmp_data2 = - string_to_hex(val->value + 4, &val_len); - - if (!tmp_data2) { - X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT); - X509V3_conf_err(val); - goto err; - } - - tmp_data = realloc((*policy)->data, - (*policy)->length + val_len + 1); - if (tmp_data) { - (*policy)->data = tmp_data; - memcpy(&(*policy)->data[(*policy)->length], - tmp_data2, val_len); - (*policy)->length += val_len; - (*policy)->data[(*policy)->length] = '\0'; - } else { - free(tmp_data2); - free((*policy)->data); - (*policy)->data = NULL; - (*policy)->length = 0; - X509V3error(ERR_R_MALLOC_FAILURE); - X509V3_conf_err(val); - goto err; - } - free(tmp_data2); - } - else if (strncmp(val->value, "file:", 5) == 0) { - unsigned char buf[2048]; - int n; - BIO *b = BIO_new_file(val->value + 5, "r"); - if (!b) { - X509V3error(ERR_R_BIO_LIB); - X509V3_conf_err(val); - goto err; - } - while ((n = BIO_read(b, buf, sizeof(buf))) > 0 || - (n == 0 && BIO_should_retry(b))) { - if (!n) - continue; - - tmp_data = realloc((*policy)->data, - (*policy)->length + n + 1); - - if (!tmp_data) - break; - - (*policy)->data = tmp_data; - memcpy(&(*policy)->data[(*policy)->length], - buf, n); - (*policy)->length += n; - (*policy)->data[(*policy)->length] = '\0'; - } - BIO_free_all(b); - - if (n < 0) { - X509V3error(ERR_R_BIO_LIB); - X509V3_conf_err(val); - goto err; - } - } - else if (strncmp(val->value, "text:", 5) == 0) { - val_len = strlen(val->value + 5); - tmp_data = realloc((*policy)->data, - (*policy)->length + val_len + 1); - if (tmp_data) { - (*policy)->data = tmp_data; - memcpy(&(*policy)->data[(*policy)->length], - val->value + 5, val_len); - 
(*policy)->length += val_len; - (*policy)->data[(*policy)->length] = '\0'; - } else { - free((*policy)->data); - (*policy)->data = NULL; - (*policy)->length = 0; - X509V3error(ERR_R_MALLOC_FAILURE); - X509V3_conf_err(val); - goto err; - } - } else { - X509V3error(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG); - X509V3_conf_err(val); - goto err; - } - if (!tmp_data) { - X509V3error(ERR_R_MALLOC_FAILURE); - X509V3_conf_err(val); - goto err; - } - } - return 1; - -err: - if (free_policy) { - ASN1_OCTET_STRING_free(*policy); - *policy = NULL; - } - return 0; -} - -static PROXY_CERT_INFO_EXTENSION * -r2i_pci(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value) -{ - PROXY_CERT_INFO_EXTENSION *pci = NULL; - STACK_OF(CONF_VALUE) *vals; - ASN1_OBJECT *language = NULL; - ASN1_INTEGER *pathlen = NULL; - ASN1_OCTET_STRING *policy = NULL; - int i, j; - - vals = X509V3_parse_list(value); - for (i = 0; i < sk_CONF_VALUE_num(vals); i++) { - CONF_VALUE *cnf = sk_CONF_VALUE_value(vals, i); - if (!cnf->name || (*cnf->name != '@' && !cnf->value)) { - X509V3error(X509V3_R_INVALID_PROXY_POLICY_SETTING); - X509V3_conf_err(cnf); - goto err; - } - if (*cnf->name == '@') { - STACK_OF(CONF_VALUE) *sect; - int success_p = 1; - - sect = X509V3_get_section(ctx, cnf->name + 1); - if (!sect) { - X509V3error(X509V3_R_INVALID_SECTION); - X509V3_conf_err(cnf); - goto err; - } - for (j = 0; success_p && - j < sk_CONF_VALUE_num(sect); j++) { - success_p = process_pci_value( - sk_CONF_VALUE_value(sect, j), - &language, &pathlen, &policy); - } - X509V3_section_free(ctx, sect); - if (!success_p) - goto err; - } else { - if (!process_pci_value(cnf, - &language, &pathlen, &policy)) { - X509V3_conf_err(cnf); - goto err; - } - } - } - - /* Language is mandatory */ - if (!language) { - X509V3error(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED); - goto err; - } - i = OBJ_obj2nid(language); - if ((i == NID_Independent || i == NID_id_ppl_inheritAll) && policy) { - 
X509V3error(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY); - goto err; - } - - pci = PROXY_CERT_INFO_EXTENSION_new(); - if (!pci) { - X509V3error(ERR_R_MALLOC_FAILURE); - goto err; - } - - pci->proxyPolicy->policyLanguage = language; - language = NULL; - pci->proxyPolicy->policy = policy; - policy = NULL; - pci->pcPathLengthConstraint = pathlen; - pathlen = NULL; - goto end; - -err: - ASN1_OBJECT_free(language); - language = NULL; - ASN1_INTEGER_free(pathlen); - pathlen = NULL; - ASN1_OCTET_STRING_free(policy); - policy = NULL; -end: - sk_CONF_VALUE_pop_free(vals, X509V3_conf_free); - return pci; -} diff --git a/crypto/x509/x509_pcia.c b/crypto/x509/x509_pcia.c deleted file mode 100644 index b639aa3..0000000 --- a/crypto/x509/x509_pcia.c +++ /dev/null 
@@ -1,145 +0,0 @@ -/* $OpenBSD: x509_pcia.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ -/* Contributed to the OpenSSL Project 2004 - * by Richard Levitte (richard@levitte.org) - */ -/* Copyright (c) 2004 Kungliga Tekniska Högskolan - * (Royal Institute of Technology, Stockholm, Sweden). - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * 3. Neither the name of the Institute nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#include -#include -#include - -static const ASN1_TEMPLATE PROXY_POLICY_seq_tt[] = { - { - .flags = 0, - .tag = 0, - .offset = offsetof(PROXY_POLICY, policyLanguage), - .field_name = "policyLanguage", - .item = &ASN1_OBJECT_it, - }, - { - .flags = ASN1_TFLG_OPTIONAL, - .tag = 0, - .offset = offsetof(PROXY_POLICY, policy), - .field_name = "policy", - .item = &ASN1_OCTET_STRING_it, - }, -}; - -const ASN1_ITEM PROXY_POLICY_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = PROXY_POLICY_seq_tt, - .tcount = sizeof(PROXY_POLICY_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(PROXY_POLICY), - .sname = "PROXY_POLICY", -}; - - -PROXY_POLICY * -d2i_PROXY_POLICY(PROXY_POLICY **a, const unsigned char **in, long len) -{ - return (PROXY_POLICY *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &PROXY_POLICY_it); -} - -int -i2d_PROXY_POLICY(PROXY_POLICY *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_POLICY_it); -} - -PROXY_POLICY * -PROXY_POLICY_new(void) -{ - return (PROXY_POLICY *)ASN1_item_new(&PROXY_POLICY_it); -} - -void -PROXY_POLICY_free(PROXY_POLICY *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &PROXY_POLICY_it); -} - -static const ASN1_TEMPLATE PROXY_CERT_INFO_EXTENSION_seq_tt[] = { - { - .flags = ASN1_TFLG_OPTIONAL, - .tag = 0, - .offset = offsetof(PROXY_CERT_INFO_EXTENSION, pcPathLengthConstraint), - .field_name = "pcPathLengthConstraint", - .item = &ASN1_INTEGER_it, - }, - { - .flags = 0, - .tag = 0, - .offset = offsetof(PROXY_CERT_INFO_EXTENSION, proxyPolicy), - .field_name = "proxyPolicy", - .item = &PROXY_POLICY_it, - }, -}; - -const ASN1_ITEM PROXY_CERT_INFO_EXTENSION_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = PROXY_CERT_INFO_EXTENSION_seq_tt, - .tcount = sizeof(PROXY_CERT_INFO_EXTENSION_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(PROXY_CERT_INFO_EXTENSION), - .sname = "PROXY_CERT_INFO_EXTENSION", -}; - - 
-PROXY_CERT_INFO_EXTENSION * -d2i_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION **a, const unsigned char **in, long len) -{ - return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &PROXY_CERT_INFO_EXTENSION_it); -} - -int -i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &PROXY_CERT_INFO_EXTENSION_it); -} - -PROXY_CERT_INFO_EXTENSION * -PROXY_CERT_INFO_EXTENSION_new(void) -{ - return (PROXY_CERT_INFO_EXTENSION *)ASN1_item_new(&PROXY_CERT_INFO_EXTENSION_it); -} - -void -PROXY_CERT_INFO_EXTENSION_free(PROXY_CERT_INFO_EXTENSION *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &PROXY_CERT_INFO_EXTENSION_it); -} diff --git a/crypto/x509/x509_pcons.c b/crypto/x509/x509_pcons.c index 69bf433..0ee9355 100644 --- a/crypto/x509/x509_pcons.c +++ b/crypto/x509/x509_pcons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_pcons.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ +/* $OpenBSD: x509_pcons.c,v 1.3 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -121,12 +121,14 @@ POLICY_CONSTRAINTS_new(void) { return (POLICY_CONSTRAINTS*)ASN1_item_new(&POLICY_CONSTRAINTS_it); } +LCRYPTO_ALIAS(POLICY_CONSTRAINTS_new); void POLICY_CONSTRAINTS_free(POLICY_CONSTRAINTS *a) { ASN1_item_free((ASN1_VALUE *)a, &POLICY_CONSTRAINTS_it); } +LCRYPTO_ALIAS(POLICY_CONSTRAINTS_free); static STACK_OF(CONF_VALUE) * i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, diff --git a/crypto/x509/x509_pku.c b/crypto/x509/x509_pku.c index 9b82ad3..dd28077 100644 --- a/crypto/x509/x509_pku.c +++ b/crypto/x509/x509_pku.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_pku.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ +/* $OpenBSD: x509_pku.c,v 1.3 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -116,24 +116,28 @@ d2i_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD **a, const unsigned char **in, long len) return (PKEY_USAGE_PERIOD *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, &PKEY_USAGE_PERIOD_it); } +LCRYPTO_ALIAS(d2i_PKEY_USAGE_PERIOD); int i2d_PKEY_USAGE_PERIOD(PKEY_USAGE_PERIOD *a, unsigned char **out) { return ASN1_item_i2d((ASN1_VALUE *)a, out, &PKEY_USAGE_PERIOD_it); } +LCRYPTO_ALIAS(i2d_PKEY_USAGE_PERIOD); PKEY_USAGE_PERIOD * PKEY_USAGE_PERIOD_new(void) { return (PKEY_USAGE_PERIOD *)ASN1_item_new(&PKEY_USAGE_PERIOD_it); } +LCRYPTO_ALIAS(PKEY_USAGE_PERIOD_new); void PKEY_USAGE_PERIOD_free(PKEY_USAGE_PERIOD *a) { ASN1_item_free((ASN1_VALUE *)a, &PKEY_USAGE_PERIOD_it); } +LCRYPTO_ALIAS(PKEY_USAGE_PERIOD_free); static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, diff --git a/crypto/x509/x509_pmaps.c b/crypto/x509/x509_pmaps.c index 352f85a..39aebfe 100644 --- a/crypto/x509/x509_pmaps.c +++ b/crypto/x509/x509_pmaps.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_pmaps.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ +/* $OpenBSD: x509_pmaps.c,v 1.3 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -137,12 +137,14 @@ POLICY_MAPPING_new(void) { return (POLICY_MAPPING*)ASN1_item_new(&POLICY_MAPPING_it); } +LCRYPTO_ALIAS(POLICY_MAPPING_new); void POLICY_MAPPING_free(POLICY_MAPPING *a) { ASN1_item_free((ASN1_VALUE *)a, &POLICY_MAPPING_it); } +LCRYPTO_ALIAS(POLICY_MAPPING_free); static STACK_OF(CONF_VALUE) * i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a, diff --git a/crypto/x509/x509_policy.c b/crypto/x509/x509_policy.c new file mode 100644 index 0000000..73f7154 --- /dev/null +++ b/crypto/x509/x509_policy.c 
@@ -0,0 +1,1019 @@ +/* $OpenBSD: x509_policy.c,v 1.25 2023/04/28 16:30:14 tb Exp $ */ +/* + * Copyright (c) 2022, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include +#include +#include +#include +#include + +#include "x509_internal.h" +#include "x509_local.h" + +/* XXX move to proper place */ +#define X509_R_INVALID_POLICY_EXTENSION 201 + +/* + * This file computes the X.509 policy tree, as described in RFC 5280, section + * 6.1. It differs in that: + * + * (1) It does not track "qualifier_set". This is not needed as it is not + * output by this implementation. + * + * (2) It builds a directed acyclic graph, rather than a tree. When a given + * policy matches multiple parents, RFC 5280 makes a separate node for + * each parent. This representation condenses them into one node with + * multiple parents. Thus we refer to this structure as a "policy graph", + * rather than a "policy tree". + * + * (3) "expected_policy_set" is not tracked explicitly and built temporarily + * as part of building the graph. + * + * (4) anyPolicy nodes are not tracked explicitly. + * + * (5) Some pruning steps are deferred to when policies are evaluated, as a + * reachability pass. + */ + +/* + * An X509_POLICY_NODE is a node in the policy graph. 
It corresponds to a node + * from RFC 5280, section 6.1.2, step (a), but we store some fields differently. + */ +typedef struct x509_policy_node_st { + /* policy is the "valid_policy" field from RFC 5280. */ + ASN1_OBJECT *policy; + + /* + * parent_policies, if non-empty, is the list of "valid_policy" values + * for all nodes which are a parent of this node. In this case, no entry + * in this list will be anyPolicy. This list is in no particular order + * and may contain duplicates if the corresponding certificate had + * duplicate mappings. + * + * If empty, this node has a single parent, anyPolicy. The node is then + * a root policies, and is in authorities-constrained-policy-set if it + * has a path to a leaf node. + * + * Note it is not possible for a policy to have both anyPolicy and a + * concrete policy as a parent. Section 6.1.3, step (d.1.ii) only runs + * if there was no match in step (d.1.i). We do not need to represent a + * parent list of, say, {anyPolicy, OID1, OID2}. + */ + STACK_OF(ASN1_OBJECT) *parent_policies; + + /* + * mapped is one if this node matches a policy mapping in the + * certificate and zero otherwise. + */ + int mapped; + + /* + * reachable is one if this node is reachable from some valid policy in + * the end-entity certificate. It is computed during |has_explicit_policy|. 
+ */ + int reachable; +} X509_POLICY_NODE; + +DECLARE_STACK_OF(X509_POLICY_NODE) + +#define sk_X509_POLICY_NODE_new(cmp) SKM_sk_new(X509_POLICY_NODE, (cmp)) +#define sk_X509_POLICY_NODE_new_null() SKM_sk_new_null(X509_POLICY_NODE) +#define sk_X509_POLICY_NODE_free(st) SKM_sk_free(X509_POLICY_NODE, (st)) +#define sk_X509_POLICY_NODE_num(st) SKM_sk_num(X509_POLICY_NODE, (st)) +#define sk_X509_POLICY_NODE_value(st, i) SKM_sk_value(X509_POLICY_NODE, (st), (i)) +#define sk_X509_POLICY_NODE_set(st, i, val) SKM_sk_set(X509_POLICY_NODE, (st), (i), (val)) +#define sk_X509_POLICY_NODE_zero(st) SKM_sk_zero(X509_POLICY_NODE, (st)) +#define sk_X509_POLICY_NODE_push(st, val) SKM_sk_push(X509_POLICY_NODE, (st), (val)) +#define sk_X509_POLICY_NODE_unshift(st, val) SKM_sk_unshift(X509_POLICY_NODE, (st), (val)) +#define sk_X509_POLICY_NODE_find(st, val) SKM_sk_find(X509_POLICY_NODE, (st), (val)) +#define sk_X509_POLICY_NODE_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_NODE, (st), (val)) +#define sk_X509_POLICY_NODE_delete(st, i) SKM_sk_delete(X509_POLICY_NODE, (st), (i)) +#define sk_X509_POLICY_NODE_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_NODE, (st), (ptr)) +#define sk_X509_POLICY_NODE_insert(st, val, i) SKM_sk_insert(X509_POLICY_NODE, (st), (val), (i)) +#define sk_X509_POLICY_NODE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_NODE, (st), (cmp)) +#define sk_X509_POLICY_NODE_dup(st) SKM_sk_dup(X509_POLICY_NODE, st) +#define sk_X509_POLICY_NODE_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_NODE, (st), (free_func)) +#define sk_X509_POLICY_NODE_shift(st) SKM_sk_shift(X509_POLICY_NODE, (st)) +#define sk_X509_POLICY_NODE_pop(st) SKM_sk_pop(X509_POLICY_NODE, (st)) +#define sk_X509_POLICY_NODE_sort(st) SKM_sk_sort(X509_POLICY_NODE, (st)) +#define sk_X509_POLICY_NODE_is_sorted(st) SKM_sk_is_sorted(X509_POLICY_NODE, (st)) + +/* + * An X509_POLICY_LEVEL is the collection of nodes at the same depth in the + * policy graph. 
This structure can also be used to represent a level's + * "expected_policy_set" values. See |process_policy_mappings|. + */ +typedef struct x509_policy_level_st { + /* + * nodes is the list of nodes at this depth, except for the anyPolicy + * node, if any. This list is sorted by policy OID for efficient lookup. + */ + STACK_OF(X509_POLICY_NODE) *nodes; + + /* + * has_any_policy is one if there is an anyPolicy node at this depth, + * and zero otherwise. + */ + int has_any_policy; +} X509_POLICY_LEVEL; + +DECLARE_STACK_OF(X509_POLICY_LEVEL) + +#define sk_X509_POLICY_LEVEL_new(cmp) SKM_sk_new(X509_POLICY_LEVEL, (cmp)) +#define sk_X509_POLICY_LEVEL_new_null() SKM_sk_new_null(X509_POLICY_LEVEL) +#define sk_X509_POLICY_LEVEL_free(st) SKM_sk_free(X509_POLICY_LEVEL, (st)) +#define sk_X509_POLICY_LEVEL_num(st) SKM_sk_num(X509_POLICY_LEVEL, (st)) +#define sk_X509_POLICY_LEVEL_value(st, i) SKM_sk_value(X509_POLICY_LEVEL, (st), (i)) +#define sk_X509_POLICY_LEVEL_set(st, i, val) SKM_sk_set(X509_POLICY_LEVEL, (st), (i), (val)) +#define sk_X509_POLICY_LEVEL_zero(st) SKM_sk_zero(X509_POLICY_LEVEL, (st)) +#define sk_X509_POLICY_LEVEL_push(st, val) SKM_sk_push(X509_POLICY_LEVEL, (st), (val)) +#define sk_X509_POLICY_LEVEL_unshift(st, val) SKM_sk_unshift(X509_POLICY_LEVEL, (st), (val)) +#define sk_X509_POLICY_LEVEL_find(st, val) SKM_sk_find(X509_POLICY_LEVEL, (st), (val)) +#define sk_X509_POLICY_LEVEL_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_LEVEL, (st), (val)) +#define sk_X509_POLICY_LEVEL_delete(st, i) SKM_sk_delete(X509_POLICY_LEVEL, (st), (i)) +#define sk_X509_POLICY_LEVEL_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_LEVEL, (st), (ptr)) +#define sk_X509_POLICY_LEVEL_insert(st, val, i) SKM_sk_insert(X509_POLICY_LEVEL, (st), (val), (i)) +#define sk_X509_POLICY_LEVEL_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_LEVEL, (st), (cmp)) +#define sk_X509_POLICY_LEVEL_dup(st) SKM_sk_dup(X509_POLICY_LEVEL, st) +#define sk_X509_POLICY_LEVEL_pop_free(st, free_func) 
SKM_sk_pop_free(X509_POLICY_LEVEL, (st), (free_func)) +#define sk_X509_POLICY_LEVEL_shift(st) SKM_sk_shift(X509_POLICY_LEVEL, (st)) +#define sk_X509_POLICY_LEVEL_pop(st) SKM_sk_pop(X509_POLICY_LEVEL, (st)) +#define sk_X509_POLICY_LEVEL_sort(st) SKM_sk_sort(X509_POLICY_LEVEL, (st)) +#define sk_X509_POLICY_LEVEL_is_sorted(st) SKM_sk_is_sorted(X509_POLICY_LEVEL, (st)) + +/* + * Don't look Ethel, but you would really not want to look if we did + * this the OpenSSL way either, and we are not using this boringsslism + * anywhere else. Callers should ensure that the stack in data is sorted. + */ +void +sk_X509_POLICY_NODE_delete_if(STACK_OF(X509_POLICY_NODE) *nodes, + int (*delete_if)(X509_POLICY_NODE *, void *), void *data) +{ + _STACK *sk = (_STACK *)nodes; + X509_POLICY_NODE *node; + int new_num = 0; + int i; + + for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) { + node = sk_X509_POLICY_NODE_value(nodes, i); + if (!delete_if(node, data)) + sk->data[new_num++] = (char *)node; + } + sk->num = new_num; +} + +static int +is_any_policy(const ASN1_OBJECT *obj) +{ + return OBJ_obj2nid(obj) == NID_any_policy; +} + +static void +x509_policy_node_free(X509_POLICY_NODE *node) +{ + if (node == NULL) + return; + + ASN1_OBJECT_free(node->policy); + sk_ASN1_OBJECT_pop_free(node->parent_policies, ASN1_OBJECT_free); + free(node); +} + +static X509_POLICY_NODE * +x509_policy_node_new(const ASN1_OBJECT *policy) +{ + X509_POLICY_NODE *node = NULL; + + if (is_any_policy(policy)) + goto err; + if ((node = calloc(1, sizeof(*node))) == NULL) + goto err; + if ((node->policy = OBJ_dup(policy)) == NULL) + goto err; + if ((node->parent_policies = sk_ASN1_OBJECT_new_null()) == NULL) + goto err; + + return node; + + err: + x509_policy_node_free(node); + return NULL; +} + +static int +x509_policy_node_cmp(const X509_POLICY_NODE *const *a, + const X509_POLICY_NODE *const *b) +{ + return OBJ_cmp((*a)->policy, (*b)->policy); +} + +static void +x509_policy_level_free(X509_POLICY_LEVEL *level) +{ + 
if (level == NULL) + return; + + sk_X509_POLICY_NODE_pop_free(level->nodes, x509_policy_node_free); + free(level); +} + +static X509_POLICY_LEVEL * +x509_policy_level_new(void) +{ + X509_POLICY_LEVEL *level; + + if ((level = calloc(1, sizeof(*level))) == NULL) + goto err; + level->nodes = sk_X509_POLICY_NODE_new(x509_policy_node_cmp); + if (level->nodes == NULL) + goto err; + + return level; + + err: + x509_policy_level_free(level); + return NULL; +} + +static int +x509_policy_level_is_empty(const X509_POLICY_LEVEL *level) +{ + if (level->has_any_policy) + return 0; + + return sk_X509_POLICY_NODE_num(level->nodes) == 0; +} + +static void +x509_policy_level_clear(X509_POLICY_LEVEL *level) +{ + X509_POLICY_NODE *node; + int i; + + level->has_any_policy = 0; + for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { + node = sk_X509_POLICY_NODE_value(level->nodes, i); + x509_policy_node_free(node); + } + sk_X509_POLICY_NODE_zero(level->nodes); +} + +/* + * x509_policy_level_find returns the node in |level| corresponding to |policy|, + * or NULL if none exists. Callers should ensure that level->nodes is sorted + * to avoid the cost of sorting it in sk_find(). + */ +static X509_POLICY_NODE * +x509_policy_level_find(X509_POLICY_LEVEL *level, const ASN1_OBJECT *policy) +{ + X509_POLICY_NODE node; + node.policy = (ASN1_OBJECT *)policy; + int idx; + + if ((idx = sk_X509_POLICY_NODE_find(level->nodes, &node)) < 0) + return NULL; + return sk_X509_POLICY_NODE_value(level->nodes, idx); +} + +/* + * x509_policy_level_add_nodes adds the nodes in |nodes| to |level|. It returns + * one on success and zero on error. No policy in |nodes| may already be present + * in |level|. This function modifies |nodes| to avoid making a copy, but the + * caller is still responsible for releasing |nodes| itself. + * + * This function is used to add nodes to |level| in bulk, and avoid resorting + * |level| after each addition. 
+ */ +static int +x509_policy_level_add_nodes(X509_POLICY_LEVEL *level, + STACK_OF(X509_POLICY_NODE) *nodes) +{ + int i; + + for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) { + X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(nodes, i); + if (!sk_X509_POLICY_NODE_push(level->nodes, node)) + return 0; + sk_X509_POLICY_NODE_set(nodes, i, NULL); + } + sk_X509_POLICY_NODE_sort(level->nodes); + + return 1; +} + +static int +policyinfo_cmp(const POLICYINFO *const *a, + const POLICYINFO *const *b) +{ + return OBJ_cmp((*a)->policyid, (*b)->policyid); +} + +static int +delete_if_not_in_policies(X509_POLICY_NODE *node, void *data) +{ + const CERTIFICATEPOLICIES *policies = data; + POLICYINFO info; + info.policyid = node->policy; + + if (sk_POLICYINFO_find(policies, &info) >= 0) + return 0; + x509_policy_node_free(node); + return 1; +} + +/* + * process_certificate_policies updates |level| to incorporate |x509|'s + * certificate policies extension. This implements steps (d) and (e) of RFC + * 5280, section 6.1.3. |level| must contain the previous level's + * "expected_policy_set" information. For all but the top-most level, this is + * the output of |process_policy_mappings|. |any_policy_allowed| specifies + * whether anyPolicy is allowed or inhibited, taking into account the exception + * for self-issued certificates. + */ +static int +process_certificate_policies(const X509 *x509, X509_POLICY_LEVEL *level, + int any_policy_allowed) +{ + STACK_OF(X509_POLICY_NODE) *new_nodes = NULL; + CERTIFICATEPOLICIES *policies; + const POLICYINFO *policy; + X509_POLICY_NODE *node; + int cert_has_any_policy, critical, i, previous_level_has_any_policy; + int ret = 0; + + policies = X509_get_ext_d2i(x509, NID_certificate_policies, &critical, + NULL); + if (policies == NULL) { + if (critical != -1) + return 0; /* Syntax error in the extension. */ + + /* RFC 5280, section 6.1.3, step (e). 
*/ + x509_policy_level_clear(level); + return 1; + } + + /* + * certificatePolicies may not be empty. See RFC 5280, section 4.2.1.4. + * TODO(https://crbug.com/boringssl/443): Move this check into the parser. + */ + if (sk_POLICYINFO_num(policies) == 0) { + X509error(X509_R_INVALID_POLICY_EXTENSION); + goto err; + } + + (void)sk_POLICYINFO_set_cmp_func(policies, policyinfo_cmp); + sk_POLICYINFO_sort(policies); + cert_has_any_policy = 0; + for (i = 0; i < sk_POLICYINFO_num(policies); i++) { + policy = sk_POLICYINFO_value(policies, i); + if (is_any_policy(policy->policyid)) + cert_has_any_policy = 1; + if (i > 0 && + OBJ_cmp(sk_POLICYINFO_value(policies, i - 1)->policyid, + policy->policyid) == 0) { + /* + * Per RFC 5280, section 4.2.1.4, |policies| may not + * have duplicates. + */ + X509error(X509_R_INVALID_POLICY_EXTENSION); + goto err; + } + } + + /* + * This does the same thing as RFC 5280, section 6.1.3, step (d), + * though in a slighty different order. |level| currently contains + * "expected_policy_set" values of the previous level. + * See |process_policy_mappings| for details. + */ + previous_level_has_any_policy = level->has_any_policy; + + /* + * First, we handle steps (d.1.i) and (d.2). The net effect of these + * two steps is to intersect |level| with |policies|, ignoring + * anyPolicy if it is inhibited. + */ + if (!cert_has_any_policy || !any_policy_allowed) { + if (!sk_POLICYINFO_is_sorted(policies)) + goto err; + sk_X509_POLICY_NODE_delete_if(level->nodes, + delete_if_not_in_policies, policies); + level->has_any_policy = 0; + } + + /* + * Step (d.1.ii) may attach new nodes to the previous level's anyPolicy + * node. 
+ */ + if (previous_level_has_any_policy) { + new_nodes = sk_X509_POLICY_NODE_new_null(); + if (new_nodes == NULL) + goto err; + for (i = 0; i < sk_POLICYINFO_num(policies); i++) { + policy = sk_POLICYINFO_value(policies, i); + /* + * Though we've reordered the steps slightly, |policy| + * is in |level| if and only if it would have been a + * match in step (d.1.ii). + */ + if (is_any_policy(policy->policyid)) + continue; + if (!sk_X509_POLICY_NODE_is_sorted(level->nodes)) + goto err; + if (x509_policy_level_find(level, policy->policyid) != NULL) + continue; + node = x509_policy_node_new(policy->policyid); + if (node == NULL || + !sk_X509_POLICY_NODE_push(new_nodes, node)) { + x509_policy_node_free(node); + goto err; + } + } + if (!x509_policy_level_add_nodes(level, new_nodes)) + goto err; + } + + ret = 1; + +err: + sk_X509_POLICY_NODE_pop_free(new_nodes, x509_policy_node_free); + CERTIFICATEPOLICIES_free(policies); + return ret; +} + +static int +compare_issuer_policy(const POLICY_MAPPING *const *a, + const POLICY_MAPPING *const *b) +{ + return OBJ_cmp((*a)->issuerDomainPolicy, (*b)->issuerDomainPolicy); +} + +static int +compare_subject_policy(const POLICY_MAPPING *const *a, + const POLICY_MAPPING *const *b) +{ + return OBJ_cmp((*a)->subjectDomainPolicy, (*b)->subjectDomainPolicy); +} + +static int +delete_if_mapped(X509_POLICY_NODE *node, void *data) +{ + const POLICY_MAPPINGS *mappings = data; + POLICY_MAPPING mapping; + mapping.issuerDomainPolicy = node->policy; + if (sk_POLICY_MAPPING_find(mappings, &mapping) < 0) + return 0; + x509_policy_node_free(node); + return 1; +} + +/* + * process_policy_mappings processes the policy mappings extension of |cert|, + * whose corresponding graph level is |level|. |mapping_allowed| specifies + * whether policy mapping is inhibited at this point. On success, it returns an + * |X509_POLICY_LEVEL| containing the "expected_policy_set" for |level|. On + * error, it returns NULL. 
This implements steps (a) and (b) of RFC 5280, + * section 6.1.4. + * + * We represent the "expected_policy_set" as an |X509_POLICY_LEVEL|. + * |has_any_policy| indicates whether there is an anyPolicy node with + * "expected_policy_set" of {anyPolicy}. If a node with policy oid P1 contains + * P2 in its "expected_policy_set", the level will contain a node of policy P2 + * with P1 in |parent_policies|. + * + * This is equivalent to the |X509_POLICY_LEVEL| that would result if the next + * certificats contained anyPolicy. |process_certificate_policies| will filter + * this result down to compute the actual level. + */ +static X509_POLICY_LEVEL * +process_policy_mappings(const X509 *cert, + X509_POLICY_LEVEL *level, + int mapping_allowed) +{ + STACK_OF(X509_POLICY_NODE) *new_nodes = NULL; + POLICY_MAPPINGS *mappings; + const ASN1_OBJECT *last_policy; + POLICY_MAPPING *mapping; + X509_POLICY_LEVEL *next = NULL; + X509_POLICY_NODE *node; + int critical, i; + int ok = 0; + + mappings = X509_get_ext_d2i(cert, NID_policy_mappings, &critical, NULL); + if (mappings == NULL && critical != -1) { + /* Syntax error in the policy mappings extension. */ + goto err; + } + + if (mappings != NULL) { + /* + * PolicyMappings may not be empty. See RFC 5280, section 4.2.1.5. + * TODO(https://crbug.com/boringssl/443): Move this check into + * the parser. + */ + if (sk_POLICY_MAPPING_num(mappings) == 0) { + X509error(X509_R_INVALID_POLICY_EXTENSION); + goto err; + } + + /* RFC 5280, section 6.1.4, step (a). */ + for (i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) { + mapping = sk_POLICY_MAPPING_value(mappings, i); + if (is_any_policy(mapping->issuerDomainPolicy) || + is_any_policy(mapping->subjectDomainPolicy)) + goto err; + } + + /* Sort to group by issuerDomainPolicy. 
*/ + (void)sk_POLICY_MAPPING_set_cmp_func(mappings, + compare_issuer_policy); + sk_POLICY_MAPPING_sort(mappings); + + if (mapping_allowed) { + /* + * Mark nodes as mapped, and add any nodes to |level| + * which may be needed as part of RFC 5280, + * section 6.1.4, step (b.1). + */ + new_nodes = sk_X509_POLICY_NODE_new_null(); + if (new_nodes == NULL) + goto err; + last_policy = NULL; + for (i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) { + mapping = sk_POLICY_MAPPING_value(mappings, i); + /* + * There may be multiple mappings with the same + * |issuerDomainPolicy|. + */ + if (last_policy != NULL && + OBJ_cmp(mapping->issuerDomainPolicy, + last_policy) == 0) + continue; + last_policy = mapping->issuerDomainPolicy; + + if (!sk_X509_POLICY_NODE_is_sorted(level->nodes)) + goto err; + node = x509_policy_level_find(level, + mapping->issuerDomainPolicy); + if (node == NULL) { + if (!level->has_any_policy) + continue; + node = x509_policy_node_new( + mapping->issuerDomainPolicy); + if (node == NULL || + !sk_X509_POLICY_NODE_push(new_nodes, + node)) { + x509_policy_node_free(node); + goto err; + } + } + node->mapped = 1; + } + if (!x509_policy_level_add_nodes(level, new_nodes)) + goto err; + } else { + /* + * RFC 5280, section 6.1.4, step (b.2). If mapping is + * inhibited, delete all mapped nodes. + */ + if (!sk_POLICY_MAPPING_is_sorted(mappings)) + goto err; + sk_X509_POLICY_NODE_delete_if(level->nodes, + delete_if_mapped, mappings); + sk_POLICY_MAPPING_pop_free(mappings, + POLICY_MAPPING_free); + mappings = NULL; + } + } + + /* + * If a node was not mapped, it retains the original "explicit_policy_set" + * value, itself. Add those to |mappings|. 
+ */ + if (mappings == NULL) { + mappings = sk_POLICY_MAPPING_new_null(); + if (mappings == NULL) + goto err; + } + for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) { + node = sk_X509_POLICY_NODE_value(level->nodes, i); + if (!node->mapped) { + mapping = POLICY_MAPPING_new(); + if (mapping == NULL) + goto err; + mapping->issuerDomainPolicy = OBJ_dup(node->policy); + mapping->subjectDomainPolicy = OBJ_dup(node->policy); + if (mapping->issuerDomainPolicy == NULL || + mapping->subjectDomainPolicy == NULL || + !sk_POLICY_MAPPING_push(mappings, mapping)) { + POLICY_MAPPING_free(mapping); + goto err; + } + } + } + + /* Sort to group by subjectDomainPolicy. */ + (void)sk_POLICY_MAPPING_set_cmp_func(mappings, compare_subject_policy); + sk_POLICY_MAPPING_sort(mappings); + + /* Convert |mappings| to our "expected_policy_set" representation. */ + next = x509_policy_level_new(); + if (next == NULL) + goto err; + next->has_any_policy = level->has_any_policy; + + X509_POLICY_NODE *last_node = NULL; + for (i = 0; i < sk_POLICY_MAPPING_num(mappings); i++) { + mapping = sk_POLICY_MAPPING_value(mappings, i); + /* + * Skip mappings where |issuerDomainPolicy| does not appear in + * the graph. 
+ */ + if (!level->has_any_policy) { + if (!sk_X509_POLICY_NODE_is_sorted(level->nodes)) + goto err; + if (x509_policy_level_find(level, + mapping->issuerDomainPolicy) == NULL) + continue; + } + + if (last_node == NULL || + OBJ_cmp(last_node->policy, mapping->subjectDomainPolicy) != + 0) { + last_node = x509_policy_node_new( + mapping->subjectDomainPolicy); + if (last_node == NULL || + !sk_X509_POLICY_NODE_push(next->nodes, last_node)) { + x509_policy_node_free(last_node); + goto err; + } + } + + if (!sk_ASN1_OBJECT_push(last_node->parent_policies, + mapping->issuerDomainPolicy)) + goto err; + mapping->issuerDomainPolicy = NULL; + } + + sk_X509_POLICY_NODE_sort(next->nodes); + ok = 1; + +err: + if (!ok) { + x509_policy_level_free(next); + next = NULL; + } + + sk_POLICY_MAPPING_pop_free(mappings, POLICY_MAPPING_free); + sk_X509_POLICY_NODE_pop_free(new_nodes, x509_policy_node_free); + return next; +} + +/* + * apply_skip_certs, if |skip_certs| is non-NULL, sets |*value| to the minimum + * of its current value and |skip_certs|. It returns one on success and zero if + * |skip_certs| is negative. + */ +static int +apply_skip_certs(const ASN1_INTEGER *skip_certs, size_t *value) +{ + if (skip_certs == NULL) + return 1; + + /* TODO(https://crbug.com/boringssl/443): Move this check into the parser. */ + if (skip_certs->type & V_ASN1_NEG) { + X509error(X509_R_INVALID_POLICY_EXTENSION); + return 0; + } + + /* If |skip_certs| does not fit in |uint64_t|, it must exceed |*value|. */ + uint64_t u64; + if (ASN1_INTEGER_get_uint64(&u64, skip_certs) && u64 < *value) + *value = (size_t)u64; + ERR_clear_error(); + return 1; +} + +/* + * process_policy_constraints updates |*explicit_policy|, |*policy_mapping|, and + * |*inhibit_any_policy| according to |x509|'s policy constraints and inhibit + * anyPolicy extensions. It returns one on success and zero on error. This + * implements steps (i) and (j) of RFC 5280, section 6.1.4. 
+ */ +static int +process_policy_constraints(const X509 *x509, size_t *explicit_policy, + size_t *policy_mapping, + size_t *inhibit_any_policy) +{ + ASN1_INTEGER *inhibit_any_policy_ext; + POLICY_CONSTRAINTS *constraints; + int critical; + int ok = 0; + + constraints = X509_get_ext_d2i(x509, NID_policy_constraints, &critical, + NULL); + if (constraints == NULL && critical != -1) + return 0; + if (constraints != NULL) { + if (constraints->requireExplicitPolicy == NULL && + constraints->inhibitPolicyMapping == NULL) { + /* + * Per RFC 5280, section 4.2.1.11, at least one of the + * fields must be + */ + X509error(X509_R_INVALID_POLICY_EXTENSION); + POLICY_CONSTRAINTS_free(constraints); + return 0; + } + ok = apply_skip_certs(constraints->requireExplicitPolicy, + explicit_policy) && + apply_skip_certs(constraints->inhibitPolicyMapping, + policy_mapping); + POLICY_CONSTRAINTS_free(constraints); + if (!ok) + return 0; + } + + inhibit_any_policy_ext = X509_get_ext_d2i(x509, NID_inhibit_any_policy, + &critical, NULL); + if (inhibit_any_policy_ext == NULL && critical != -1) + return 0; + ok = apply_skip_certs(inhibit_any_policy_ext, inhibit_any_policy); + ASN1_INTEGER_free(inhibit_any_policy_ext); + return ok; +} + +/* + * has_explicit_policy returns one if the set of authority-space policy OIDs + * |levels| has some non-empty intersection with |user_policies|, and zero + * otherwise. This mirrors the logic in RFC 5280, section 6.1.5, step (g). This + * function modifies |levels| and should only be called at the end of policy + * evaluation. + */ +static int +has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels, + const STACK_OF(ASN1_OBJECT) *user_policies) +{ + X509_POLICY_LEVEL *level, *prev; + X509_POLICY_NODE *node, *parent; + int num_levels, user_has_any_policy; + int i, j, k; + + if (!sk_ASN1_OBJECT_is_sorted(user_policies)) + return 0; + + /* Step (g.i). If the policy graph is empty, the intersection is empty. 
*/ + num_levels = sk_X509_POLICY_LEVEL_num(levels); + level = sk_X509_POLICY_LEVEL_value(levels, num_levels - 1); + if (x509_policy_level_is_empty(level)) + return 0; + + /* + * If |user_policies| is empty, we interpret it as having a single + * anyPolicy value. The caller may also have supplied anyPolicy + * explicitly. + */ + user_has_any_policy = sk_ASN1_OBJECT_num(user_policies) <= 0; + for (i = 0; i < sk_ASN1_OBJECT_num(user_policies); i++) { + if (is_any_policy(sk_ASN1_OBJECT_value(user_policies, i))) { + user_has_any_policy = 1; + break; + } + } + + /* + * Step (g.ii). If the policy graph is not empty and the user set + * contains anyPolicy, the intersection is the entire (non-empty) graph. + */ + if (user_has_any_policy) + return 1; + + /* + * Step (g.iii) does not delete anyPolicy nodes, so if the graph has + * anyPolicy, some explicit policy will survive. The actual intersection + * may synthesize some nodes in step (g.iii.3), but we do not return the + * policy list itself, so we skip actually computing this. + */ + if (level->has_any_policy) + return 1; + + /* + * We defer pruning the tree, so as we look for nodes with parent + * anyPolicy, step (g.iii.1), we must limit to nodes reachable from the + * bottommost level. Start by marking each of those nodes as reachable. + */ + for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) + sk_X509_POLICY_NODE_value(level->nodes, i)->reachable = 1; + + for (i = num_levels - 1; i >= 0; i--) { + level = sk_X509_POLICY_LEVEL_value(levels, i); + for (j = 0; j < sk_X509_POLICY_NODE_num(level->nodes); j++) { + node = sk_X509_POLICY_NODE_value(level->nodes, j); + if (!node->reachable) + continue; + if (sk_ASN1_OBJECT_num(node->parent_policies) == 0) { + /* + * |node|'s parent is anyPolicy and is part of + * "valid_policy_node_set". If it exists in + * |user_policies|, the intersection is + * non-empty and we * can return immediately. 
+ */ + if (sk_ASN1_OBJECT_find(user_policies, + node->policy) >= 0) + return 1; + } else if (i > 0) { + int num_parent_policies = + sk_ASN1_OBJECT_num(node->parent_policies); + /* + * |node|'s parents are concrete policies. Mark + * the parents reachable, to be inspected by the + * next loop iteration. + */ + prev = sk_X509_POLICY_LEVEL_value(levels, i - 1); + for (k = 0; k < num_parent_policies; k++) { + if (!sk_X509_POLICY_NODE_is_sorted(prev->nodes)) + return 0; + parent = x509_policy_level_find(prev, + sk_ASN1_OBJECT_value(node->parent_policies, + k)); + if (parent != NULL) + parent->reachable = 1; + } + } + } + } + + return 0; +} + +static int +asn1_object_cmp(const ASN1_OBJECT *const *a, const ASN1_OBJECT *const *b) +{ + return OBJ_cmp(*a, *b); +} + +int +X509_policy_check(const STACK_OF(X509) *certs, + const STACK_OF(ASN1_OBJECT) *user_policies, + unsigned long flags, X509 **out_current_cert) +{ + *out_current_cert = NULL; + int ret = X509_V_ERR_OUT_OF_MEM; + X509 *cert; + X509_POLICY_LEVEL *level = NULL; + X509_POLICY_LEVEL *current_level; + STACK_OF(X509_POLICY_LEVEL) *levels = NULL; + STACK_OF(ASN1_OBJECT) *user_policies_sorted = NULL; + int num_certs = sk_X509_num(certs); + int is_self_issued, any_policy_allowed; + int i; + + /* Skip policy checking if the chain is just the trust anchor. */ + if (num_certs <= 1) + return X509_V_OK; + + /* See RFC 5280, section 6.1.2, steps (d) through (f). */ + size_t explicit_policy = + (flags & X509_V_FLAG_EXPLICIT_POLICY) ? 0 : num_certs + 1; + size_t inhibit_any_policy = + (flags & X509_V_FLAG_INHIBIT_ANY) ? 0 : num_certs + 1; + size_t policy_mapping = + (flags & X509_V_FLAG_INHIBIT_MAP) ? 
0 : num_certs + 1; + + levels = sk_X509_POLICY_LEVEL_new_null(); + if (levels == NULL) + goto err; + + for (i = num_certs - 2; i >= 0; i--) { + cert = sk_X509_value(certs, i); + if (!x509v3_cache_extensions(cert)) + goto err; + is_self_issued = (cert->ex_flags & EXFLAG_SI) != 0; + + if (level == NULL) { + if (i != num_certs - 2) + goto err; + level = x509_policy_level_new(); + if (level == NULL) + goto err; + level->has_any_policy = 1; + } + + /* + * RFC 5280, section 6.1.3, steps (d) and (e). |any_policy_allowed| + * is computed as in step (d.2). + */ + any_policy_allowed = + inhibit_any_policy > 0 || (i > 0 && is_self_issued); + if (!process_certificate_policies(cert, level, + any_policy_allowed)) { + ret = X509_V_ERR_INVALID_POLICY_EXTENSION; + *out_current_cert = cert; + goto err; + } + + /* RFC 5280, section 6.1.3, step (f). */ + if (explicit_policy == 0 && x509_policy_level_is_empty(level)) { + ret = X509_V_ERR_NO_EXPLICIT_POLICY; + goto err; + } + + /* Insert into the list. */ + if (!sk_X509_POLICY_LEVEL_push(levels, level)) + goto err; + current_level = level; + level = NULL; + + /* + * If this is not the leaf certificate, we go to section 6.1.4. + * If it is the leaf certificate, we go to section 6.1.5 instead. + */ + if (i != 0) { + /* RFC 5280, section 6.1.4, steps (a) and (b). */ + level = process_policy_mappings(cert, current_level, + policy_mapping > 0); + if (level == NULL) { + ret = X509_V_ERR_INVALID_POLICY_EXTENSION; + *out_current_cert = cert; + goto err; + } + } + + /* + * RFC 5280, section 6.1.4, step (h-j) for non-leaves, and + * section 6.1.5, step (a-b) for leaves. In the leaf case, + * RFC 5280 says only to update |explicit_policy|, but + * |policy_mapping| and |inhibit_any_policy| are no + * longer read at this point, so we use the same process. 
+ */ + if (i == 0 || !is_self_issued) { + if (explicit_policy > 0) + explicit_policy--; + if (policy_mapping > 0) + policy_mapping--; + if (inhibit_any_policy > 0) + inhibit_any_policy--; + } + if (!process_policy_constraints(cert, &explicit_policy, + &policy_mapping, &inhibit_any_policy)) { + ret = X509_V_ERR_INVALID_POLICY_EXTENSION; + *out_current_cert = cert; + goto err; + } + } + + /* + * RFC 5280, section 6.1.5, step (g). We do not output the policy set, + * so it is only necessary to check if the user-constrained-policy-set + * is not empty. + */ + if (explicit_policy == 0) { + /* + * Build a sorted copy of |user_policies| for more efficient + * lookup. + */ + if (user_policies != NULL) { + user_policies_sorted = sk_ASN1_OBJECT_dup( + user_policies); + if (user_policies_sorted == NULL) + goto err; + (void)sk_ASN1_OBJECT_set_cmp_func(user_policies_sorted, + asn1_object_cmp); + sk_ASN1_OBJECT_sort(user_policies_sorted); + } + + if (!has_explicit_policy(levels, user_policies_sorted)) { + ret = X509_V_ERR_NO_EXPLICIT_POLICY; + goto err; + } + } + + ret = X509_V_OK; + +err: + x509_policy_level_free(level); + /* + * |user_policies_sorted|'s contents are owned by |user_policies|, so + * we do not use |sk_ASN1_OBJECT_pop_free|. + */ + sk_ASN1_OBJECT_free(user_policies_sorted); + sk_X509_POLICY_LEVEL_pop_free(levels, x509_policy_level_free); + return ret; +} diff --git a/crypto/x509/x509_prn.c b/crypto/x509/x509_prn.c index 4977051..3bf7c80 100644 --- a/crypto/x509/x509_prn.c +++ b/crypto/x509/x509_prn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_prn.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509_prn.c,v 1.6 2023/05/08 05:30:38 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -62,7 +62,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" /* Extension printing routines */ 
@@ -99,6 +99,7 @@ X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int ml) BIO_puts(out, "\n"); } } +LCRYPTO_ALIAS(X509V3_EXT_val_prn); /* Main routine: print out a general extension */ @@ -152,6 +153,7 @@ err: method->ext_free(ext_str); return ok; } +LCRYPTO_ALIAS(X509V3_EXT_print); int X509V3_extensions_print(BIO *bp, const char *title, @@ -176,7 +178,7 @@ X509V3_extensions_print(BIO *bp, const char *title, obj = X509_EXTENSION_get_object(ex); i2a_ASN1_OBJECT(bp, obj); j = X509_EXTENSION_get_critical(ex); - if (BIO_printf(bp, ": %s\n",j?"critical":"") <= 0) + if (BIO_printf(bp, ":%s\n", j ? " critical" : "") <= 0) return 0; if (!X509V3_EXT_print(bp, ex, flag, indent + 4)) { BIO_printf(bp, "%*s", indent + 4, ""); @@ -187,6 +189,7 @@ X509V3_extensions_print(BIO *bp, const char *title, } return 1; } +LCRYPTO_ALIAS(X509V3_extensions_print); static int unknown_ext_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, @@ -225,3 +228,4 @@ X509V3_EXT_print_fp(FILE *fp, X509_EXTENSION *ext, int flag, int indent) BIO_free(bio_tmp); return ret; } +LCRYPTO_ALIAS(X509V3_EXT_print_fp); diff --git a/crypto/x509/x509_purp.c b/crypto/x509/x509_purp.c index a05c038..85d9b77 100644 --- a/crypto/x509/x509_purp.c +++ b/crypto/x509/x509_purp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_purp.c,v 1.13 2021/11/04 23:52:34 beck Exp $ */ +/* $OpenBSD: x509_purp.c,v 1.25 2023/04/23 21:49:15 job Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -66,7 +66,7 @@ #include #include "x509_internal.h" -#include "x509_lcl.h" +#include "x509_local.h" #define V1_ROOT (EXFLAG_V1|EXFLAG_SS) #define ku_reject(x, usage) \ @@ -76,8 +76,6 @@ #define ns_reject(x, usage) \ (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) -void x509v3_cache_extensions(X509 *x); - static int check_ssl_ca(const X509 *x); static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, int ca); 
@@ -131,13 +129,9 @@ X509_check_purpose(X509 *x, int id, int ca) int idx; const X509_PURPOSE *pt; - if (!(x->ex_flags & EXFLAG_SET)) { - CRYPTO_w_lock(CRYPTO_LOCK_X509); - x509v3_cache_extensions(x); - CRYPTO_w_unlock(CRYPTO_LOCK_X509); - if (x->ex_flags & EXFLAG_INVALID) - return -1; - } + if (!x509v3_cache_extensions(x)) + return -1; + if (id == -1) return 1; idx = X509_PURPOSE_get_by_id(id); @@ -146,6 +140,7 @@ X509_check_purpose(X509 *x, int id, int ca) pt = X509_PURPOSE_get0(idx); return pt->check_purpose(pt, x, ca); } +LCRYPTO_ALIAS(X509_check_purpose); int X509_PURPOSE_set(int *p, int purpose) @@ -157,6 +152,7 @@ X509_PURPOSE_set(int *p, int purpose) *p = purpose; return 1; } +LCRYPTO_ALIAS(X509_PURPOSE_set); int X509_PURPOSE_get_count(void) @@ -165,6 +161,7 @@ X509_PURPOSE_get_count(void) return X509_PURPOSE_COUNT; return sk_X509_PURPOSE_num(xptable) + X509_PURPOSE_COUNT; } +LCRYPTO_ALIAS(X509_PURPOSE_get_count); X509_PURPOSE * X509_PURPOSE_get0(int idx) @@ -175,6 +172,7 @@ X509_PURPOSE_get0(int idx) return xstandard + idx; return sk_X509_PURPOSE_value(xptable, idx - X509_PURPOSE_COUNT); } +LCRYPTO_ALIAS(X509_PURPOSE_get0); int X509_PURPOSE_get_by_sname(const char *sname) @@ -189,6 +187,7 @@ X509_PURPOSE_get_by_sname(const char *sname) } return -1; } +LCRYPTO_ALIAS(X509_PURPOSE_get_by_sname); int X509_PURPOSE_get_by_id(int purpose) @@ -206,6 +205,7 @@ X509_PURPOSE_get_by_id(int purpose) return -1; return idx + X509_PURPOSE_COUNT; } +LCRYPTO_ALIAS(X509_PURPOSE_get_by_id); int X509_PURPOSE_add(int id, int trust, int flags, @@ -280,6 +280,7 @@ err: X509V3error(ERR_R_MALLOC_FAILURE); return 0; } +LCRYPTO_ALIAS(X509_PURPOSE_add); static void xptable_free(X509_PURPOSE *p) 
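Review bot: The new `if (!x509v3_cache_extensions(x)) return -1;` in X509_check_purpose also fails when the extensions were cached by an earlier call and found invalid, whereas the removed code only tested EXFLAG_INVALID right after caching them itself; a certificate that previously slipped through on a second call is now rejected consistently. That is the stricter and safer contract, but it reads as an incidental side effect of the refactor, so a one-line comment would help, e.g. `/* Reject any certificate whose cached extensions are invalid, not only on first caching. */`. The remainder of X509_check_purpose lies outside the hunk.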
@@ -301,30 +302,35 @@ X509_PURPOSE_cleanup(void) sk_X509_PURPOSE_pop_free(xptable, xptable_free); xptable = NULL; } +LCRYPTO_ALIAS(X509_PURPOSE_cleanup); int X509_PURPOSE_get_id(const X509_PURPOSE *xp) { return xp->purpose; } +LCRYPTO_ALIAS(X509_PURPOSE_get_id); char * X509_PURPOSE_get0_name(const X509_PURPOSE *xp) { return xp->name; } +LCRYPTO_ALIAS(X509_PURPOSE_get0_name); char * X509_PURPOSE_get0_sname(const X509_PURPOSE *xp) { return xp->sname; } +LCRYPTO_ALIAS(X509_PURPOSE_get0_sname); int X509_PURPOSE_get_trust(const X509_PURPOSE *xp) { return xp->trust; } +LCRYPTO_ALIAS(X509_PURPOSE_get_trust); static int nid_cmp(const int *a, const int *b) @@ -374,7 +380,6 @@ X509_supported_extension(X509_EXTENSION *ex) NID_sbgp_autonomousSysNum, /* 291 */ #endif NID_policy_constraints, /* 401 */ - NID_proxyCertInfo, /* 663 */ NID_name_constraints, /* 666 */ NID_policy_mappings, /* 747 */ NID_inhibit_any_policy /* 748 */ @@ -390,6 +395,7 @@ X509_supported_extension(X509_EXTENSION *ex) return 1; return 0; } +LCRYPTO_ALIAS(X509_supported_extension); static void setup_dp(X509 *x, DIST_POINT *dp) @@ -418,7 +424,6 @@ setup_dp(X509 *x, DIST_POINT *dp) iname = X509_get_issuer_name(x); DIST_POINT_set_dpname(dp->distpoint, iname); - } static void @@ -436,11 +441,10 @@ setup_crldp(X509 *x) setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); } -void -x509v3_cache_extensions(X509 *x) +static void +x509v3_cache_extensions_internal(X509 *x) { BASIC_CONSTRAINTS *bs; - PROXY_CERT_INFO_EXTENSION *pci; ASN1_BIT_STRING *usage; ASN1_BIT_STRING *ns; EXTENDED_KEY_USAGE *extusage; @@ -453,8 +457,11 @@ x509v3_cache_extensions(X509 *x) X509_digest(x, X509_CERT_HASH_EVP, x->hash, NULL); /* V1 should mean no extensions ... */ - if (!X509_get_version(x)) + if (X509_get_version(x) == 0) { x->ex_flags |= EXFLAG_V1; + if (X509_get_ext_count(x) != 0) + x->ex_flags |= EXFLAG_INVALID; + } /* Handle basic constraints */ if ((bs = X509_get_ext_d2i(x, NID_basic_constraints, &i, NULL))) { 
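Review bot: The `@@ -453,8 +457,11 @@` hunk on this line sets EXFLAG_INVALID when a version 1 certificate carries extensions but gives no reason, and the rule is not obvious to a reader of the flags alone; suggest `/* RFC 5280, 4.1.2.9: extensions may only appear in v3 certificates. */` above the `X509_get_ext_count(x) != 0` test. Processing continues after the flag is set, so the later extension-parsing blocks still run on such a certificate, which matches how the other EXFLAG_INVALID sites in this function behave. The enclosing function, now renamed x509v3_cache_extensions_internal in the preceding hunk, starts and ends outside the hunk.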
@@ -475,30 +482,6 @@ x509v3_cache_extensions(X509 *x) x->ex_flags |= EXFLAG_INVALID; } - /* Handle proxy certificates */ - if ((pci = X509_get_ext_d2i(x, NID_proxyCertInfo, &i, NULL))) { - if (x->ex_flags & EXFLAG_CA || - X509_get_ext_by_NID(x, NID_subject_alt_name, -1) >= 0 || - X509_get_ext_by_NID(x, NID_issuer_alt_name, -1) >= 0) { - x->ex_flags |= EXFLAG_INVALID; - } - if (pci->pcPathLengthConstraint) { - if (pci->pcPathLengthConstraint->type == - V_ASN1_NEG_INTEGER) { - x->ex_flags |= EXFLAG_INVALID; - x->ex_pcpathlen = 0; - } else - x->ex_pcpathlen = - ASN1_INTEGER_get(pci-> - pcPathLengthConstraint); - } else - x->ex_pcpathlen = -1; - PROXY_CERT_INFO_EXTENSION_free(pci); - x->ex_flags |= EXFLAG_PROXY; - } else if (i != -1) { - x->ex_flags |= EXFLAG_INVALID; - } - /* Handle key usage */ if ((usage = X509_get_ext_d2i(x, NID_key_usage, &i, NULL))) { if (usage->length > 0) { @@ -600,9 +583,13 @@ x509v3_cache_extensions(X509 *x) x->rfc3779_addr = X509_get_ext_d2i(x, NID_sbgp_ipAddrBlock, &i, NULL); if (x->rfc3779_addr == NULL && i != -1) x->ex_flags |= EXFLAG_INVALID; + if (!X509v3_addr_is_canonical(x->rfc3779_addr)) + x->ex_flags |= EXFLAG_INVALID; x->rfc3779_asid = X509_get_ext_d2i(x, NID_sbgp_autonomousSysNum, &i, NULL); if (x->rfc3779_asid == NULL && i != -1) x->ex_flags |= EXFLAG_INVALID; + if (!X509v3_asid_is_canonical(x->rfc3779_asid)) + x->ex_flags |= EXFLAG_INVALID; #endif for (i = 0; i < X509_get_ext_count(x); i++) { @@ -623,6 +610,18 @@ x509v3_cache_extensions(X509 *x) x->ex_flags |= EXFLAG_SET; } +int +x509v3_cache_extensions(X509 *x) +{ + if ((x->ex_flags & EXFLAG_SET) == 0) { + CRYPTO_w_lock(CRYPTO_LOCK_X509); + x509v3_cache_extensions_internal(x); + CRYPTO_w_unlock(CRYPTO_LOCK_X509); + } + + return (x->ex_flags & EXFLAG_INVALID) == 0; +} + /* CA checks common to all purposes * return codes: * 0 not a CA 
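Review bot: In the `@@ -600,9 +583,13 @@` hunk, `X509v3_addr_is_canonical(x->rfc3779_addr)` and `X509v3_asid_is_canonical(x->rfc3779_asid)` are called unconditionally, including when the preceding X509_get_ext_d2i returned NULL because the extension is absent or failed to decode; this is only correct if both canonical checks treat a NULL argument as canonical, which I believe they do but cannot confirm from this hunk. A comment would pin that dependency, e.g. `/* Both *_is_canonical() treat a NULL (absent) extension as canonical. */`. The enclosing function is cut on both sides of the hunk.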
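Review bot: The new x509v3_cache_extensions wrapper in the `@@ -623,6 +610,18 @@` hunk has no comment stating its contract, and since its return value is what X509_check_purpose and X509_check_issued now act on, it deserves one, such as `/* Cache x's extensions on first use. Returns 1 if they parsed cleanly, 0 if EXFLAG_INVALID was recorded. */`. Both reads of ex_flags (the EXFLAG_SET test and the EXFLAG_INVALID result) happen outside CRYPTO_LOCK_X509, which preserves the check-then-lock shape of the inline code this replaces rather than tightening it; if that is deliberate the comment should say so, so nobody later assumes the wrapper provides the synchronisation the callers dropped.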
@@ -663,16 +662,11 @@ check_ca(const X509 *x) int X509_check_ca(X509 *x) { - if (!(x->ex_flags & EXFLAG_SET)) { - CRYPTO_w_lock(CRYPTO_LOCK_X509); - x509v3_cache_extensions(x); - CRYPTO_w_unlock(CRYPTO_LOCK_X509); - if (x->ex_flags & EXFLAG_INVALID) - return X509_V_ERR_UNSPECIFIED; - } + x509v3_cache_extensions(x); return check_ca(x); } +LCRYPTO_ALIAS(X509_check_ca); /* Check SSL CA: common checks for SSL client and server */ static int @@ -879,19 +873,10 @@ X509_check_issued(X509 *issuer, X509 *subject) if (X509_NAME_cmp(X509_get_subject_name(issuer), X509_get_issuer_name(subject))) return X509_V_ERR_SUBJECT_ISSUER_MISMATCH; - if (!(issuer->ex_flags & EXFLAG_SET)) { - CRYPTO_w_lock(CRYPTO_LOCK_X509); - x509v3_cache_extensions(issuer); - CRYPTO_w_unlock(CRYPTO_LOCK_X509); - } - if (issuer->ex_flags & EXFLAG_INVALID) + + if (!x509v3_cache_extensions(issuer)) return X509_V_ERR_UNSPECIFIED; - if (!(subject->ex_flags & EXFLAG_SET)) { - CRYPTO_w_lock(CRYPTO_LOCK_X509); - x509v3_cache_extensions(subject); - CRYPTO_w_unlock(CRYPTO_LOCK_X509); - } - if (subject->ex_flags & EXFLAG_INVALID) + if (!x509v3_cache_extensions(subject)) return X509_V_ERR_UNSPECIFIED; if (subject->akid) { @@ -900,13 +885,11 @@ X509_check_issued(X509 *issuer, X509 *subject) return ret; } - if (subject->ex_flags & EXFLAG_PROXY) { - if (ku_reject(issuer, KU_DIGITAL_SIGNATURE)) - return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE; - } else if (ku_reject(issuer, KU_KEY_CERT_SIGN)) + if (ku_reject(issuer, KU_KEY_CERT_SIGN)) return X509_V_ERR_KEYUSAGE_NO_CERTSIGN; return X509_V_OK; } +LCRYPTO_ALIAS(X509_check_issued); int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) 
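Review bot: X509_check_ca discards the return value of x509v3_cache_extensions() and goes straight to check_ca(x), whereas the removed code returned X509_V_ERR_UNSPECIFIED when EXFLAG_INVALID was set; the X509_check_issued hunk in this same file section does honour the return value, so the two callers now disagree on how a certificate with malformed extensions is treated. If dropping the early return is intentional (check_ca presumably answers from ex_flags alone), a comment should say so; otherwise restore it as `if (!x509v3_cache_extensions(x)) return X509_V_ERR_UNSPECIFIED;`. In X509_check_issued, removing the EXFLAG_PROXY branch means ku_reject(issuer, KU_KEY_CERT_SIGN) is now applied uniformly, which is consistent with the proxy-certificate removal elsewhere in the commit.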
@@ -946,16 +929,18 @@ X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid) } return X509_V_OK; } +LCRYPTO_ALIAS(X509_check_akid); uint32_t X509_get_extension_flags(X509 *x) { /* Call for side-effect of computing hash and caching extensions */ if (X509_check_purpose(x, -1, -1) != 1) - return 0; + return EXFLAG_INVALID; return x->ex_flags; } +LCRYPTO_ALIAS(X509_get_extension_flags); uint32_t X509_get_key_usage(X509 *x) @@ -969,6 +954,7 @@ X509_get_key_usage(X509 *x) return UINT32_MAX; } +LCRYPTO_ALIAS(X509_get_key_usage); uint32_t X509_get_extended_key_usage(X509 *x) @@ -982,3 +968,4 @@ X509_get_extended_key_usage(X509 *x) return UINT32_MAX; } +LCRYPTO_ALIAS(X509_get_extended_key_usage); diff --git a/crypto/x509/x509_r2x.c b/crypto/x509/x509_r2x.c index b3b8aa7..39b3922 100644 --- a/crypto/x509/x509_r2x.c +++ b/crypto/x509/x509_r2x.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_r2x.c,v 1.13 2021/11/03 14:36:21 schwarze Exp $ */ +/* $OpenBSD: x509_r2x.c,v 1.17 2023/04/25 09:46:36 job Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,7 +66,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" X509 * X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) @@ -85,9 +85,7 @@ X509_REQ_to_X509(X509_REQ *r, int days, EVP_PKEY *pkey) xi = ret->cert_info; if (sk_X509_ATTRIBUTE_num(r->req_info->attributes) != 0) { - if ((xi->version = ASN1_INTEGER_new()) == NULL) - goto err; - if (!ASN1_INTEGER_set(xi->version, 2)) + if (!X509_set_version(ret, 2)) goto err; } @@ -116,3 +114,4 @@ err: X509_free(ret); return NULL; } +LCRYPTO_ALIAS(X509_REQ_to_X509); diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c index 8d5bf58..7ed1062 100644 --- a/crypto/x509/x509_req.c +++ b/crypto/x509/x509_req.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_req.c,v 1.28 2022/01/22 00:34:48 inoguchi Exp $ */ +/* $OpenBSD: x509_req.c,v 1.33 2023/04/25 09:46:36 job Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
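Review bot: X509_get_extension_flags now returns EXFLAG_INVALID instead of 0 when X509_check_purpose() fails, which changes the contract for callers that tested the result against 0 and treated any non-zero value as a usable flag set; the function's comment only mentions the caching side-effect. Extend it with something like `/* Returns EXFLAG_INVALID (never 0) if the extensions could not be cached or are inconsistent; callers must test EXFLAG_INVALID before trusting any other bit. */`. In the X509_REQ_to_X509 hunk, switching to X509_set_version(ret, 2) also marks the encoding modified (per the x509_set.c change in this commit), which is the right thing for a freshly built certificate.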
@@ -70,14 +70,13 @@ #include #include -#include "evp_locl.h" -#include "x509_lcl.h" +#include "evp_local.h" +#include "x509_local.h" X509_REQ * X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) { X509_REQ *ret; - X509_REQ_INFO *ri; int i; EVP_PKEY *pktmp; @@ -87,11 +86,7 @@ X509_to_X509_REQ(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) goto err; } - ri = ret->req_info; - - if ((ri->version = ASN1_INTEGER_new()) == NULL) - goto err; - if (ASN1_INTEGER_set(ri->version, 0) == 0) + if (!X509_REQ_set_version(ret, 0)) goto err; if (!X509_REQ_set_subject_name(ret, X509_get_subject_name(x))) @@ -115,6 +110,7 @@ err: X509_REQ_free(ret); return (NULL); } +LCRYPTO_ALIAS(X509_to_X509_REQ); EVP_PKEY * X509_REQ_get_pubkey(X509_REQ *req) @@ -123,6 +119,7 @@ X509_REQ_get_pubkey(X509_REQ *req) return (NULL); return (X509_PUBKEY_get(req->req_info->pubkey)); } +LCRYPTO_ALIAS(X509_REQ_get_pubkey); EVP_PKEY * X509_REQ_get0_pubkey(X509_REQ *req) @@ -131,6 +128,7 @@ X509_REQ_get0_pubkey(X509_REQ *req) return NULL; return X509_PUBKEY_get0(req->req_info->pubkey); } +LCRYPTO_ALIAS(X509_REQ_get0_pubkey); int X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) @@ -170,6 +168,7 @@ X509_REQ_check_private_key(X509_REQ *x, EVP_PKEY *k) return (ok); } +LCRYPTO_ALIAS(X509_REQ_check_private_key); /* It seems several organisations had the same idea of including a list of * extensions in a certificate request. There are at least two OIDs that are @@ -193,18 +192,21 @@ X509_REQ_extension_nid(int req_nid) return 1; } } +LCRYPTO_ALIAS(X509_REQ_extension_nid); int * X509_REQ_get_extension_nids(void) { return ext_nids; } +LCRYPTO_ALIAS(X509_REQ_get_extension_nids); void X509_REQ_set_extension_nids(int *nids) { ext_nids = nids; } +LCRYPTO_ALIAS(X509_REQ_set_extension_nids); STACK_OF(X509_EXTENSION) * X509_REQ_get_extensions(X509_REQ *req) 
@@ -224,11 +226,14 @@ X509_REQ_get_extensions(X509_REQ *req) ext = X509_ATTRIBUTE_get0_type(attr, 0); break; } - if (ext == NULL || ext->type != V_ASN1_SEQUENCE) + if (ext == NULL) + return sk_X509_EXTENSION_new_null(); + if (ext->type != V_ASN1_SEQUENCE) return NULL; p = ext->value.sequence->data; return d2i_X509_EXTENSIONS(NULL, &p, ext->value.sequence->length); } +LCRYPTO_ALIAS(X509_REQ_get_extensions); /* * Add a STACK_OF extensions to a certificate request: allow alternative OIDs @@ -252,6 +257,7 @@ X509_REQ_add_extensions_nid(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts, return rv; } +LCRYPTO_ALIAS(X509_REQ_add_extensions_nid); /* This is the normal usage: use the "official" OID */ int @@ -259,6 +265,7 @@ X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts) { return X509_REQ_add_extensions_nid(req, exts, NID_ext_req); } +LCRYPTO_ALIAS(X509_REQ_add_extensions); /* Request attribute functions */ @@ -267,12 +274,14 @@ X509_REQ_get_attr_count(const X509_REQ *req) { return X509at_get_attr_count(req->req_info->attributes); } +LCRYPTO_ALIAS(X509_REQ_get_attr_count); int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos) { return X509at_get_attr_by_NID(req->req_info->attributes, nid, lastpos); } +LCRYPTO_ALIAS(X509_REQ_get_attr_by_NID); int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj, @@ -280,18 +289,21 @@ X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj, { return X509at_get_attr_by_OBJ(req->req_info->attributes, obj, lastpos); } +LCRYPTO_ALIAS(X509_REQ_get_attr_by_OBJ); X509_ATTRIBUTE * X509_REQ_get_attr(const X509_REQ *req, int loc) { return X509at_get_attr(req->req_info->attributes, loc); } +LCRYPTO_ALIAS(X509_REQ_get_attr); X509_ATTRIBUTE * X509_REQ_delete_attr(X509_REQ *req, int loc) { return X509at_delete_attr(req->req_info->attributes, loc); } +LCRYPTO_ALIAS(X509_REQ_delete_attr); int X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr) 
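Review bot: X509_REQ_get_extensions now returns an empty stack from sk_X509_EXTENSION_new_null() when no extension attribute is present, so callers that previously treated NULL as "no extensions" must now free the returned stack on every success path, and NULL has become an error-only result (malformed attribute, decode failure, or allocation failure inside sk_X509_EXTENSION_new_null() itself). That is a reasonable API tightening, but it should be stated at the function: `/* Returns a new, possibly empty, stack that the caller must free; NULL indicates an error. */`. The start of X509_REQ_get_extensions is outside this hunk.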
@@ -300,6 +312,7 @@ X509_REQ_add1_attr(X509_REQ *req, X509_ATTRIBUTE *attr) return 1; return 0; } +LCRYPTO_ALIAS(X509_REQ_add1_attr); int X509_REQ_add1_attr_by_OBJ(X509_REQ *req, const ASN1_OBJECT *obj, int type, @@ -310,6 +323,7 @@ X509_REQ_add1_attr_by_OBJ(X509_REQ *req, const ASN1_OBJECT *obj, int type, return 1; return 0; } +LCRYPTO_ALIAS(X509_REQ_add1_attr_by_OBJ); int X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, int type, @@ -320,6 +334,7 @@ X509_REQ_add1_attr_by_NID(X509_REQ *req, int nid, int type, return 1; return 0; } +LCRYPTO_ALIAS(X509_REQ_add1_attr_by_NID); int X509_REQ_add1_attr_by_txt(X509_REQ *req, const char *attrname, int type, @@ -330,6 +345,7 @@ X509_REQ_add1_attr_by_txt(X509_REQ *req, const char *attrname, int type, return 1; return 0; } +LCRYPTO_ALIAS(X509_REQ_add1_attr_by_txt); int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp) @@ -337,3 +353,4 @@ i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp) req->req_info->enc.modified = 1; return i2d_X509_REQ_INFO(req->req_info, pp); } +LCRYPTO_ALIAS(i2d_re_X509_REQ_tbs); diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c index 5784f22..cd12c9e 100644 --- a/crypto/x509/x509_set.c +++ b/crypto/x509/x509_set.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_set.c,v 1.20 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509_set.c,v 1.25 2023/04/25 10:18:39 job Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,19 +63,21 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" const STACK_OF(X509_EXTENSION) * X509_get0_extensions(const X509 *x) { return x->cert_info->extensions; } +LCRYPTO_ALIAS(X509_get0_extensions); const X509_ALGOR * X509_get0_tbs_sigalg(const X509 *x) { return x->cert_info->signature; } +LCRYPTO_ALIAS(X509_get0_tbs_sigalg); int X509_set_version(X509 *x, long version) 
@@ -86,14 +88,17 @@ X509_set_version(X509 *x, long version) if ((x->cert_info->version = ASN1_INTEGER_new()) == NULL) return (0); } + x->cert_info->enc.modified = 1; return (ASN1_INTEGER_set(x->cert_info->version, version)); } +LCRYPTO_ALIAS(X509_set_version); long X509_get_version(const X509 *x) { return ASN1_INTEGER_get(x->cert_info->version); } +LCRYPTO_ALIAS(X509_get_version); int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) @@ -106,34 +111,41 @@ X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial) if (in != serial) { in = ASN1_INTEGER_dup(serial); if (in != NULL) { + x->cert_info->enc.modified = 1; ASN1_INTEGER_free(x->cert_info->serialNumber); x->cert_info->serialNumber = in; } } return (in != NULL); } +LCRYPTO_ALIAS(X509_set_serialNumber); int X509_set_issuer_name(X509 *x, X509_NAME *name) { if ((x == NULL) || (x->cert_info == NULL)) return (0); + x->cert_info->enc.modified = 1; return (X509_NAME_set(&x->cert_info->issuer, name)); } +LCRYPTO_ALIAS(X509_set_issuer_name); int X509_set_subject_name(X509 *x, X509_NAME *name) { if (x == NULL || x->cert_info == NULL) return (0); + x->cert_info->enc.modified = 1; return (X509_NAME_set(&x->cert_info->subject, name)); } +LCRYPTO_ALIAS(X509_set_subject_name); const ASN1_TIME * X509_get0_notBefore(const X509 *x) { return X509_getm_notBefore(x); } +LCRYPTO_ALIAS(X509_get0_notBefore); ASN1_TIME * X509_getm_notBefore(const X509 *x) @@ -142,6 +154,7 @@ X509_getm_notBefore(const X509 *x) return (NULL); return x->cert_info->validity->notBefore; } +LCRYPTO_ALIAS(X509_getm_notBefore); int X509_set_notBefore(X509 *x, const ASN1_TIME *tm) 
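Review bot: Setting `x->cert_info->enc.modified = 1` in X509_set_version, X509_set_serialNumber, X509_set_issuer_name and X509_set_subject_name (and likewise in the notBefore/notAfter/pubkey setters in the next two hunks) correctly discards the cached DER so a later i2d re-encodes the new field rather than the stale bytes. What these setters do not touch is the extension/hash cache: x509v3_cache_extensions_internal in this commit stores X509_digest() output in `x->hash` and sets EXFLAG_SET, and the wrapper skips re-caching once EXFLAG_SET is present, so a certificate mutated after its extensions were cached presumably keeps a stale hash until it is re-decoded. If that is accepted (setters are normally used on certificates under construction), a comment at one setter would record it: `/* Invalidates the cached encoding only; cached ex_flags/hash are not reset. */`. Note also that in X509_set_issuer_name the flag is set before X509_NAME_set(), so a failed set still marks the encoding modified, which is harmless but worth knowing.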
@@ -154,24 +167,28 @@ X509_set_notBefore(X509 *x, const ASN1_TIME *tm) if (in != tm) { in = ASN1_STRING_dup(tm); if (in != NULL) { + x->cert_info->enc.modified = 1; ASN1_TIME_free(x->cert_info->validity->notBefore); x->cert_info->validity->notBefore = in; } } return (in != NULL); } +LCRYPTO_ALIAS(X509_set_notBefore); int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm) { return X509_set_notBefore(x, tm); } +LCRYPTO_ALIAS(X509_set1_notBefore); const ASN1_TIME * X509_get0_notAfter(const X509 *x) { return X509_getm_notAfter(x); } +LCRYPTO_ALIAS(X509_get0_notAfter); ASN1_TIME * X509_getm_notAfter(const X509 *x) @@ -180,6 +197,7 @@ X509_getm_notAfter(const X509 *x) return (NULL); return x->cert_info->validity->notAfter; } +LCRYPTO_ALIAS(X509_getm_notAfter); int X509_set_notAfter(X509 *x, const ASN1_TIME *tm) 
@@ -192,35 +210,53 @@ X509_set_notAfter(X509 *x, const ASN1_TIME *tm) if (in != tm) { in = ASN1_STRING_dup(tm); if (in != NULL) { + x->cert_info->enc.modified = 1; ASN1_TIME_free(x->cert_info->validity->notAfter); x->cert_info->validity->notAfter = in; } } return (in != NULL); } +LCRYPTO_ALIAS(X509_set_notAfter); int X509_set1_notAfter(X509 *x, const ASN1_TIME *tm) { return X509_set_notAfter(x, tm); } +LCRYPTO_ALIAS(X509_set1_notAfter); int X509_set_pubkey(X509 *x, EVP_PKEY *pkey) { if ((x == NULL) || (x->cert_info == NULL)) return (0); + x->cert_info->enc.modified = 1; return (X509_PUBKEY_set(&(x->cert_info->key), pkey)); } +LCRYPTO_ALIAS(X509_set_pubkey); int X509_get_signature_type(const X509 *x) { return EVP_PKEY_type(OBJ_obj2nid(x->sig_alg->algorithm)); } +LCRYPTO_ALIAS(X509_get_signature_type); X509_PUBKEY * X509_get_X509_PUBKEY(const X509 *x) { return x->cert_info->key; } +LCRYPTO_ALIAS(X509_get_X509_PUBKEY); + +void +X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid, + const ASN1_BIT_STRING **psuid) +{ + if (piuid != NULL) + *piuid = x->cert_info->issuerUID; + if (psuid != NULL) + *psuid = x->cert_info->subjectUID; +} +LCRYPTO_ALIAS(X509_get0_uids); diff --git a/crypto/x509/x509_skey.c b/crypto/x509/x509_skey.c index 58bb66b..245ba51 100644 --- a/crypto/x509/x509_skey.c +++ b/crypto/x509/x509_skey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_skey.c,v 1.2 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509_skey.c,v 1.5 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -62,7 +62,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" static ASN1_OCTET_STRING *s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); 
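Review bot: The new X509_get0_uids dereferences `x->cert_info` with no NULL guard, unlike the setters in this file that check `x == NULL || x->cert_info == NULL`; that matches the neighbouring getters such as X509_get_X509_PUBKEY, so the choice is consistent, but the ownership of the outputs is not documented. A short comment would settle both points: `/* x must be non-NULL; the returned bit strings are owned by x and must not be freed by the caller. */`. Treating NULL output pointers as "not wanted" is a nice touch and is visible from the two `if (... != NULL)` tests.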
@@ -89,6 +89,7 @@ i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, const ASN1_OCTET_STRING *oct) { return hex_to_string(oct->data, oct->length); } +LCRYPTO_ALIAS(i2s_ASN1_OCTET_STRING); ASN1_OCTET_STRING * s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, @@ -111,6 +112,7 @@ s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, return oct; } +LCRYPTO_ALIAS(s2i_ASN1_OCTET_STRING); static ASN1_OCTET_STRING * s2i_skey_id(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str) diff --git a/crypto/x509/x509_sxnet.c b/crypto/x509/x509_sxnet.c deleted file mode 100644 index e5e98bc..0000000 --- a/crypto/x509/x509_sxnet.c +++ /dev/null 
@@ -1,383 +0,0 @@ -/* $OpenBSD: x509_sxnet.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 1999. - */ -/* ==================================================================== - * Copyright (c) 1999 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -#include -#include - -#include -#include -#include -#include -#include - -/* Support for Thawte strong extranet extension */ - -#define SXNET_TEST - -static int sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, - int indent); -#ifdef SXNET_TEST -static SXNET * sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *nval); -#endif - -const X509V3_EXT_METHOD v3_sxnet = { - .ext_nid = NID_sxnet, - .ext_flags = X509V3_EXT_MULTILINE, - .it = &SXNET_it, - .ext_new = NULL, - .ext_free = NULL, - .d2i = NULL, - .i2d = NULL, - .i2s = NULL, - .s2i = NULL, - .i2v = NULL, -#ifdef SXNET_TEST - .v2i = (X509V3_EXT_V2I)sxnet_v2i, -#else - .v2i = NULL, -#endif - .i2r = (X509V3_EXT_I2R)sxnet_i2r, - .r2i = NULL, - .usr_data = NULL, -}; - -static const ASN1_TEMPLATE SXNETID_seq_tt[] = { - { - .flags = 0, - .tag = 0, - .offset = offsetof(SXNETID, zone), - .field_name = "zone", - .item = &ASN1_INTEGER_it, - }, - { - .flags = 0, - .tag = 0, - .offset = offsetof(SXNETID, user), - .field_name = "user", - .item = &ASN1_OCTET_STRING_it, - }, -}; - -const ASN1_ITEM SXNETID_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = 
SXNETID_seq_tt, - .tcount = sizeof(SXNETID_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(SXNETID), - .sname = "SXNETID", -}; - - -SXNETID * -d2i_SXNETID(SXNETID **a, const unsigned char **in, long len) -{ - return (SXNETID *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &SXNETID_it); -} - -int -i2d_SXNETID(SXNETID *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &SXNETID_it); -} - -SXNETID * -SXNETID_new(void) -{ - return (SXNETID *)ASN1_item_new(&SXNETID_it); -} - -void -SXNETID_free(SXNETID *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &SXNETID_it); -} - -static const ASN1_TEMPLATE SXNET_seq_tt[] = { - { - .flags = 0, - .tag = 0, - .offset = offsetof(SXNET, version), - .field_name = "version", - .item = &ASN1_INTEGER_it, - }, - { - .flags = ASN1_TFLG_SEQUENCE_OF, - .tag = 0, - .offset = offsetof(SXNET, ids), - .field_name = "ids", - .item = &SXNETID_it, - }, -}; - -const ASN1_ITEM SXNET_it = { - .itype = ASN1_ITYPE_SEQUENCE, - .utype = V_ASN1_SEQUENCE, - .templates = SXNET_seq_tt, - .tcount = sizeof(SXNET_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, - .size = sizeof(SXNET), - .sname = "SXNET", -}; - - -SXNET * -d2i_SXNET(SXNET **a, const unsigned char **in, long len) -{ - return (SXNET *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, - &SXNET_it); -} - -int -i2d_SXNET(SXNET *a, unsigned char **out) -{ - return ASN1_item_i2d((ASN1_VALUE *)a, out, &SXNET_it); -} - -SXNET * -SXNET_new(void) -{ - return (SXNET *)ASN1_item_new(&SXNET_it); -} - -void -SXNET_free(SXNET *a) -{ - ASN1_item_free((ASN1_VALUE *)a, &SXNET_it); -} - -static int -sxnet_i2r(X509V3_EXT_METHOD *method, SXNET *sx, BIO *out, int indent) -{ - long v; - char *tmp; - SXNETID *id; - int i; - - v = ASN1_INTEGER_get(sx->version); - BIO_printf(out, "%*sVersion: %ld (0x%lX)", indent, "", v + 1, v); - for (i = 0; i < sk_SXNETID_num(sx->ids); i++) { - id = sk_SXNETID_value(sx->ids, i); - tmp = i2s_ASN1_INTEGER(NULL, id->zone); - BIO_printf(out, "\n%*sZone: %s, User: ", 
indent, "", tmp); - free(tmp); - ASN1_STRING_print(out, id->user); - } - return 1; -} - -#ifdef SXNET_TEST - -/* NBB: this is used for testing only. It should *not* be used for anything - * else because it will just take static IDs from the configuration file and - * they should really be separate values for each user. - */ - -static SXNET * -sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, - STACK_OF(CONF_VALUE) *nval) -{ - CONF_VALUE *cnf; - SXNET *sx = NULL; - int i; - - for (i = 0; i < sk_CONF_VALUE_num(nval); i++) { - cnf = sk_CONF_VALUE_value(nval, i); - if (!SXNET_add_id_asc(&sx, cnf->name, cnf->value, -1)) - return NULL; - } - return sx; -} - -#endif - -/* Strong Extranet utility functions */ - -/* Add an id given the zone as an ASCII number */ - -int -SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen) -{ - ASN1_INTEGER *izone = NULL; - - if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) { - X509V3error(X509V3_R_ERROR_CONVERTING_ZONE); - return 0; - } - return SXNET_add_id_INTEGER(psx, izone, user, userlen); -} - -/* Add an id given the zone as an unsigned long */ - -int -SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user, - int userlen) -{ - ASN1_INTEGER *izone = NULL; - - if (!(izone = ASN1_INTEGER_new()) || - !ASN1_INTEGER_set(izone, lzone)) { - X509V3error(ERR_R_MALLOC_FAILURE); - ASN1_INTEGER_free(izone); - return 0; - } - return SXNET_add_id_INTEGER(psx, izone, user, userlen); -} - -/* Add an id given the zone as an ASN1_INTEGER. - * Note this version uses the passed integer and doesn't make a copy so don't - * free it up afterwards. 
- */ - -int -SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user, - int userlen) -{ - SXNET *sx = NULL; - SXNETID *id = NULL; - - if (!psx || !zone || !user) { - X509V3error(X509V3_R_INVALID_NULL_ARGUMENT); - return 0; - } - if (userlen == -1) - userlen = strlen(user); - if (userlen > 64) { - X509V3error(X509V3_R_USER_TOO_LONG); - return 0; - } - if (!*psx) { - if (!(sx = SXNET_new())) - goto err; - if (!ASN1_INTEGER_set(sx->version, 0)) - goto err; - *psx = sx; - } else - sx = *psx; - if (SXNET_get_id_INTEGER(sx, zone)) { - X509V3error(X509V3_R_DUPLICATE_ZONE_ID); - return 0; - } - - if (!(id = SXNETID_new())) - goto err; - if (userlen == -1) - userlen = strlen(user); - - if (!ASN1_STRING_set(id->user, user, userlen)) - goto err; - if (!sk_SXNETID_push(sx->ids, id)) - goto err; - id->zone = zone; - return 1; - -err: - X509V3error(ERR_R_MALLOC_FAILURE); - SXNETID_free(id); - SXNET_free(sx); - *psx = NULL; - return 0; -} - -ASN1_OCTET_STRING * -SXNET_get_id_asc(SXNET *sx, const char *zone) -{ - ASN1_INTEGER *izone = NULL; - ASN1_OCTET_STRING *oct; - - if (!(izone = s2i_ASN1_INTEGER(NULL, zone))) { - X509V3error(X509V3_R_ERROR_CONVERTING_ZONE); - return NULL; - } - oct = SXNET_get_id_INTEGER(sx, izone); - ASN1_INTEGER_free(izone); - return oct; -} - -ASN1_OCTET_STRING * -SXNET_get_id_ulong(SXNET *sx, unsigned long lzone) -{ - ASN1_INTEGER *izone = NULL; - ASN1_OCTET_STRING *oct; - - if (!(izone = ASN1_INTEGER_new()) || - !ASN1_INTEGER_set(izone, lzone)) { - X509V3error(ERR_R_MALLOC_FAILURE); - ASN1_INTEGER_free(izone); - return NULL; - } - oct = SXNET_get_id_INTEGER(sx, izone); - ASN1_INTEGER_free(izone); - return oct; -} - -ASN1_OCTET_STRING * -SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone) -{ - SXNETID *id; - int i; - - for (i = 0; i < sk_SXNETID_num(sx->ids); i++) { - id = sk_SXNETID_value(sx->ids, i); - if (!ASN1_INTEGER_cmp(id->zone, zone)) - return id->user; - } - return NULL; -} 
diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index 72d616a..e326591 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_trs.c,v 1.25 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509_trs.c,v 1.31 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -62,7 +62,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" static int tr_cmp(const X509_TRUST * const *a, const X509_TRUST * const *b); static void trtable_free(X509_TRUST *p); @@ -109,6 +109,7 @@ int default_trust = trust; return oldtrust; } +LCRYPTO_ALIAS(X509_TRUST_set_default); int X509_check_trust(X509 *x, int id, int flags) @@ -140,6 +141,7 @@ X509_check_trust(X509 *x, int id, int flags) pt = X509_TRUST_get0(idx); return pt->check_trust(pt, x, flags); } +LCRYPTO_ALIAS(X509_check_trust); int X509_TRUST_get_count(void) @@ -148,6 +150,7 @@ X509_TRUST_get_count(void) return X509_TRUST_COUNT; return sk_X509_TRUST_num(trtable) + X509_TRUST_COUNT; } +LCRYPTO_ALIAS(X509_TRUST_get_count); X509_TRUST * X509_TRUST_get0(int idx) @@ -158,6 +161,7 @@ X509_TRUST_get0(int idx) return trstandard + idx; return sk_X509_TRUST_value(trtable, idx - X509_TRUST_COUNT); } +LCRYPTO_ALIAS(X509_TRUST_get0); int X509_TRUST_get_by_id(int id) @@ -175,6 +179,7 @@ X509_TRUST_get_by_id(int id) return -1; return idx + X509_TRUST_COUNT; } +LCRYPTO_ALIAS(X509_TRUST_get_by_id); int X509_TRUST_set(int *t, int trust) @@ -186,6 +191,7 @@ X509_TRUST_set(int *t, int trust) *t = trust; return 1; } +LCRYPTO_ALIAS(X509_TRUST_set); int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), @@ -251,6 +257,7 @@ err: X509error(ERR_R_MALLOC_FAILURE); return 0; } +LCRYPTO_ALIAS(X509_TRUST_add); static void trtable_free(X509_TRUST *p) 
@@ -270,24 +277,28 @@ X509_TRUST_cleanup(void) sk_X509_TRUST_pop_free(trtable, trtable_free); trtable = NULL; } +LCRYPTO_ALIAS(X509_TRUST_cleanup); int X509_TRUST_get_flags(const X509_TRUST *xp) { return xp->flags; } +LCRYPTO_ALIAS(X509_TRUST_get_flags); char * X509_TRUST_get0_name(const X509_TRUST *xp) { return xp->name; } +LCRYPTO_ALIAS(X509_TRUST_get0_name); int X509_TRUST_get_trust(const X509_TRUST *xp) { return xp->trust; } +LCRYPTO_ALIAS(X509_TRUST_get_trust); static int trust_1oidany(X509_TRUST *trust, X509 *x, int flags) @@ -322,7 +333,7 @@ static int obj_trust(int id, X509 *x, int flags) { ASN1_OBJECT *obj; - int i; + int i, nid; X509_CERT_AUX *ax; ax = x->aux; @@ -331,14 +342,16 @@ obj_trust(int id, X509 *x, int flags) if (ax->reject) { for (i = 0; i < sk_ASN1_OBJECT_num(ax->reject); i++) { obj = sk_ASN1_OBJECT_value(ax->reject, i); - if (OBJ_obj2nid(obj) == id) + nid = OBJ_obj2nid(obj); + if (nid == id || nid == NID_anyExtendedKeyUsage) return X509_TRUST_REJECTED; } } if (ax->trust) { for (i = 0; i < sk_ASN1_OBJECT_num(ax->trust); i++) { obj = sk_ASN1_OBJECT_value(ax->trust, i); - if (OBJ_obj2nid(obj) == id) + nid = OBJ_obj2nid(obj); + if (nid == id || nid == NID_anyExtendedKeyUsage) return X509_TRUST_TRUSTED; } } diff --git a/crypto/x509/x509_txt.c b/crypto/x509/x509_txt.c index 14fa237..5f5bc5a 100644 --- a/crypto/x509/x509_txt.c +++ b/crypto/x509/x509_txt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_txt.c,v 1.19 2014/07/11 08:44:49 jsing Exp $ */ +/* $OpenBSD: x509_txt.c,v 1.28 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
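Review bot: In obj_trust, matching NID_anyExtendedKeyUsage in both the reject and trust aux lists widens the meaning of a stored anyEKU entry to every purpose id the function is asked about, and because the reject loop runs before the trust loop an explicit reject still wins; neither point is written down. A comment above the reject loop would make the policy explicit: `/* anyExtendedKeyUsage in the aux lists applies to every purpose; reject is checked first and therefore takes precedence over trust. */`. The start of obj_trust, and the fall-through after both loops, are outside this hunk.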
@@ -56,134 +56,141 @@ * [including the GNU Public Licence.] */ -#include -#include -#include - -#include -#include -#include -#include -#include -#include +#include const char * X509_verify_cert_error_string(long n) { - static char buf[100]; - switch ((int)n) { case X509_V_OK: - return("ok"); + return "ok"; + case X509_V_ERR_UNSPECIFIED: + return "Unspecified certificate verification error"; case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - return("unable to get issuer certificate"); + return "unable to get issuer certificate"; case X509_V_ERR_UNABLE_TO_GET_CRL: - return("unable to get certificate CRL"); + return "unable to get certificate CRL"; case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: - return("unable to decrypt certificate's signature"); + return "unable to decrypt certificate's signature"; case X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE: - return("unable to decrypt CRL's signature"); + return "unable to decrypt CRL's signature"; case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: - return("unable to decode issuer public key"); + return "unable to decode issuer public key"; case X509_V_ERR_CERT_SIGNATURE_FAILURE: - return("certificate signature failure"); + return "certificate signature failure"; case X509_V_ERR_CRL_SIGNATURE_FAILURE: - return("CRL signature failure"); + return "CRL signature failure"; case X509_V_ERR_CERT_NOT_YET_VALID: - return("certificate is not yet valid"); - case X509_V_ERR_CRL_NOT_YET_VALID: - return("CRL is not yet valid"); + return "certificate is not yet valid"; case X509_V_ERR_CERT_HAS_EXPIRED: - return("certificate has expired"); + return "certificate has expired"; + case X509_V_ERR_CRL_NOT_YET_VALID: + return "CRL is not yet valid"; case X509_V_ERR_CRL_HAS_EXPIRED: - return("CRL has expired"); + return "CRL has expired"; case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: - return("format error in certificate's notBefore field"); + return "format error in certificate's notBefore field"; case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: 
- return("format error in certificate's notAfter field"); + return "format error in certificate's notAfter field"; case X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD: - return("format error in CRL's lastUpdate field"); + return "format error in CRL's lastUpdate field"; case X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD: - return("format error in CRL's nextUpdate field"); + return "format error in CRL's nextUpdate field"; case X509_V_ERR_OUT_OF_MEM: - return("out of memory"); + return "out of memory"; case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: - return("self signed certificate"); + return "self signed certificate"; case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: - return("self signed certificate in certificate chain"); + return "self signed certificate in certificate chain"; case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: - return("unable to get local issuer certificate"); + return "unable to get local issuer certificate"; case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: - return("unable to verify the first certificate"); + return "unable to verify the first certificate"; case X509_V_ERR_CERT_CHAIN_TOO_LONG: - return("certificate chain too long"); + return "certificate chain too long"; case X509_V_ERR_CERT_REVOKED: - return("certificate revoked"); + return "certificate revoked"; case X509_V_ERR_INVALID_CA: - return ("invalid CA certificate"); - case X509_V_ERR_INVALID_NON_CA: - return ("invalid non-CA certificate (has CA markings)"); + return "invalid CA certificate"; case X509_V_ERR_PATH_LENGTH_EXCEEDED: - return ("path length constraint exceeded"); - case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: - return("proxy path length constraint exceeded"); - case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: - return("proxy certificates not allowed, please set the appropriate flag"); + return "path length constraint exceeded"; case X509_V_ERR_INVALID_PURPOSE: - return ("unsupported certificate purpose"); + return "unsupported certificate purpose"; case X509_V_ERR_CERT_UNTRUSTED: - return 
("certificate not trusted"); + return "certificate not trusted"; case X509_V_ERR_CERT_REJECTED: - return ("certificate rejected"); - case X509_V_ERR_APPLICATION_VERIFICATION: - return("application verification failure"); + return "certificate rejected"; case X509_V_ERR_SUBJECT_ISSUER_MISMATCH: - return("subject issuer mismatch"); + return "subject issuer mismatch"; case X509_V_ERR_AKID_SKID_MISMATCH: - return("authority and subject key identifier mismatch"); + return "authority and subject key identifier mismatch"; case X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH: - return("authority and issuer serial number mismatch"); + return "authority and issuer serial number mismatch"; case X509_V_ERR_KEYUSAGE_NO_CERTSIGN: - return("key usage does not include certificate signing"); + return "key usage does not include certificate signing"; case X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER: - return("unable to get CRL issuer certificate"); + return "unable to get CRL issuer certificate"; case X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION: - return("unhandled critical extension"); + return "unhandled critical extension"; case X509_V_ERR_KEYUSAGE_NO_CRL_SIGN: - return("key usage does not include CRL signing"); - case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: - return("key usage does not include digital signature"); + return "key usage does not include CRL signing"; case X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION: - return("unhandled critical CRL extension"); + return "unhandled critical CRL extension"; + case X509_V_ERR_INVALID_NON_CA: + return "invalid non-CA certificate (has CA markings)"; + case X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED: + return "proxy path length constraint exceeded"; + case X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE: + return "key usage does not include digital signature"; + case X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED: + return "proxy certificates not allowed, " + "please set the appropriate flag"; case X509_V_ERR_INVALID_EXTENSION: - return("invalid or inconsistent certificate 
extension"); + return "invalid or inconsistent certificate extension"; case X509_V_ERR_INVALID_POLICY_EXTENSION: - return("invalid or inconsistent certificate policy extension"); + return "invalid or inconsistent certificate policy extension"; case X509_V_ERR_NO_EXPLICIT_POLICY: - return("no explicit policy"); + return "no explicit policy"; case X509_V_ERR_DIFFERENT_CRL_SCOPE: - return("Different CRL scope"); + return "Different CRL scope"; case X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE: - return("Unsupported extension feature"); + return "Unsupported extension feature"; case X509_V_ERR_UNNESTED_RESOURCE: - return("RFC 3779 resource not subset of parent's resources"); + return "RFC 3779 resource not subset of parent's resources"; case X509_V_ERR_PERMITTED_VIOLATION: - return("permitted subtree violation"); + return "permitted subtree violation"; case X509_V_ERR_EXCLUDED_VIOLATION: - return("excluded subtree violation"); + return "excluded subtree violation"; case X509_V_ERR_SUBTREE_MINMAX: - return("name constraints minimum and maximum not supported"); + return "name constraints minimum and maximum not supported"; case X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE: - return("unsupported name constraint type"); + return "unsupported name constraint type"; case X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX: - return("unsupported or invalid name constraint syntax"); + return "unsupported or invalid name constraint syntax"; case X509_V_ERR_UNSUPPORTED_NAME_SYNTAX: - return("unsupported or invalid name syntax"); + return "unsupported or invalid name syntax"; case X509_V_ERR_CRL_PATH_VALIDATION_ERROR: - return("CRL path validation error"); - + return "CRL path validation error"; + case X509_V_ERR_APPLICATION_VERIFICATION: + return "application verification failure"; + case X509_V_ERR_HOSTNAME_MISMATCH: + return "Hostname mismatch"; + case X509_V_ERR_EMAIL_MISMATCH: + return "Email address mismatch"; + case X509_V_ERR_IP_ADDRESS_MISMATCH: + return "IP address mismatch"; + case 
X509_V_ERR_INVALID_CALL: + return "Invalid certificate verification context"; + case X509_V_ERR_STORE_LOOKUP: + return "Issuer certificate lookup error"; + case X509_V_ERR_EE_KEY_TOO_SMALL: + return "EE certificate key too weak"; + case X509_V_ERR_CA_KEY_TOO_SMALL: + return "CA certificate key too weak"; + case X509_V_ERR_CA_MD_TOO_WEAK: + return "CA signature digest algorithm too weak"; default: - (void) snprintf(buf, sizeof buf, "error number %ld", n); - return(buf); + return "Unknown certificate verification error"; } } +LCRYPTO_ALIAS(X509_verify_cert_error_string); diff --git a/crypto/x509/x509_utl.c b/crypto/x509/x509_utl.c index 0fa6ea6..14b43e8 100644 --- a/crypto/x509/x509_utl.c +++ b/crypto/x509/x509_utl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_utl.c,v 1.2 2020/09/13 15:06:17 beck Exp $ */ +/* $OpenBSD: x509_utl.c,v 1.17 2023/05/12 19:02:10 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -55,18 +55,21 @@ * Hudson (tjh@cryptsoft.com). * */ -/* X509 v3 extension utilities */ #include +#include #include #include +#include #include #include #include #include -char *bn_to_string(const BIGNUM *bn); +#include "bytestring.h" + +static char *bn_to_string(const BIGNUM *bn); static char *strip_spaces(char *name); static int sk_strcmp(const char * const *a, const char * const *b); static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, @@ -117,6 +120,7 @@ X509V3_add_value(const char *name, const char *value, } return 0; } +LCRYPTO_ALIAS(X509V3_add_value); int X509V3_add_value_uchar(const char *name, const unsigned char *value, @@ -124,6 +128,7 @@ X509V3_add_value_uchar(const char *name, const unsigned char *value, { return X509V3_add_value(name, (const char *)value, extlist); } +LCRYPTO_ALIAS(X509V3_add_value_uchar); /* Free function for STACK_OF(CONF_VALUE) */ 
@@ -137,6 +142,7 @@ X509V3_conf_free(CONF_VALUE *conf) free(conf->section); free(conf); } +LCRYPTO_ALIAS(X509V3_conf_free); int X509V3_add_value_bool(const char *name, int asn1_bool, @@ -146,6 +152,7 @@ X509V3_add_value_bool(const char *name, int asn1_bool, return X509V3_add_value(name, "TRUE", extlist); return X509V3_add_value(name, "FALSE", extlist); } +LCRYPTO_ALIAS(X509V3_add_value_bool); int X509V3_add_value_bool_nf(const char *name, int asn1_bool, @@ -155,8 +162,9 @@ X509V3_add_value_bool_nf(const char *name, int asn1_bool, return X509V3_add_value(name, "TRUE", extlist); return 1; } +LCRYPTO_ALIAS(X509V3_add_value_bool_nf); -char * +static char * bn_to_string(const BIGNUM *bn) { const char *sign = ""; @@ -197,6 +205,22 @@ i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *a) BN_free(bntmp); return strtmp; } +LCRYPTO_ALIAS(i2s_ASN1_ENUMERATED); + +char * +i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *e) +{ + BIT_STRING_BITNAME *enam; + long strval; + + strval = ASN1_ENUMERATED_get(e); + for (enam = method->usr_data; enam->lname; enam++) { + if (strval == enam->bitnum) + return strdup(enam->lname); + } + return i2s_ASN1_ENUMERATED(method, e); +} +LCRYPTO_ALIAS(i2s_ASN1_ENUMERATED_TABLE); char * i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, const ASN1_INTEGER *a) 
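Review bot: The table walk in i2s_ASN1_ENUMERATED_TABLE dereferences `method->usr_data` with no check, so a method whose `usr_data` is NULL (or a NULL `method`) faults on `enam->lname` instead of reaching the numeric fallback. A guard before the loop, `if (method == NULL || method->usr_data == NULL) return i2s_ASN1_ENUMERATED(method, e);`, keeps the fallback path for that case and costs nothing; if the function is only ever wired to methods that carry a name table, a comment stating that precondition would serve the same purpose. The `strdup` result is returned unchecked, which matches the other i2s helpers in this file that return NULL on allocation failure, so that part is consistent.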
@@ -212,31 +236,33 @@ i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, const ASN1_INTEGER *a) BN_free(bntmp); return strtmp; } +LCRYPTO_ALIAS(i2s_ASN1_INTEGER); ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value) { BIGNUM *bn = NULL; ASN1_INTEGER *aint; - int isneg, ishex; + int isneg = 0, ishex = 0; int ret; if (!value) { X509V3error(X509V3_R_INVALID_NULL_VALUE); - return 0; + return NULL; + } + if ((bn = BN_new()) == NULL) { + X509V3error(ERR_R_MALLOC_FAILURE); + return NULL; } - bn = BN_new(); if (value[0] == '-') { value++; isneg = 1; - } else - isneg = 0; + } - if (value[0] == '0' && ((value[1] == 'x') || (value[1] == 'X'))) { + if (value[0] == '0' && (value[1] == 'x' || value[1] == 'X')) { value += 2; ishex = 1; - } else - ishex = 0; + } if (ishex) ret = BN_hex2bn(&bn, value); @@ -246,22 +272,23 @@ s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value) if (!ret || value[ret]) { BN_free(bn); X509V3error(X509V3_R_BN_DEC2BN_ERROR); - return 0; + return NULL; } - if (isneg && BN_is_zero(bn)) + if (BN_is_zero(bn)) isneg = 0; aint = BN_to_ASN1_INTEGER(bn, NULL); BN_free(bn); if (!aint) { X509V3error(X509V3_R_BN_TO_ASN1_INTEGER_ERROR); - return 0; + return NULL; } if (isneg) aint->type |= V_ASN1_NEG; return aint; } +LCRYPTO_ALIAS(s2i_ASN1_INTEGER); int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint, @@ -278,6 +305,7 @@ X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint, free(strtmp); return ret; } +LCRYPTO_ALIAS(X509V3_add_value_int); int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool) @@ -303,6 +331,7 @@ X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool) X509V3_conf_err(value); return 0; } +LCRYPTO_ALIAS(X509V3_get_value_bool); int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint) 
@@ -316,6 +345,7 @@ X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint) *aint = itmp; return 1; } +LCRYPTO_ALIAS(X509V3_get_value_int); #define HDR_NAME 1 #define HDR_VALUE 2 @@ -407,6 +437,7 @@ X509V3_parse_list(const char *line) return NULL; } +LCRYPTO_ALIAS(X509V3_parse_list); /* Delete leading and trailing spaces from a string */ static char * 
@@ -430,95 +461,150 @@ strip_spaces(char *name) return p; } -/* hex string utilities */ +static const char hex_digits[] = "0123456789ABCDEF"; -/* Given a buffer of length 'len' return a malloc'ed string with its - * hex representation - */ char * hex_to_string(const unsigned char *buffer, long len) { - char *tmp, *q; - const unsigned char *p; - int i; - static const char hexdig[] = "0123456789ABCDEF"; + CBB cbb; + CBS cbs; + uint8_t *out = NULL; + uint8_t c; + size_t out_len; - if (!buffer || !len) - return NULL; - if (!(tmp = malloc(len * 3 + 1))) { - X509V3error(ERR_R_MALLOC_FAILURE); - return NULL; + if (!CBB_init(&cbb, 0)) + goto err; + + if (len < 0) + goto err; + + CBS_init(&cbs, buffer, len); + while (CBS_len(&cbs) > 0) { + if (!CBS_get_u8(&cbs, &c)) + goto err; + if (!CBB_add_u8(&cbb, hex_digits[c >> 4])) + goto err; + if (!CBB_add_u8(&cbb, hex_digits[c & 0xf])) + goto err; + if (CBS_len(&cbs) > 0) { + if (!CBB_add_u8(&cbb, ':')) + goto err; + } } - q = tmp; - for (i = 0, p = buffer; i < len; i++, p++) { - *q++ = hexdig[(*p >> 4) & 0xf]; - *q++ = hexdig[*p & 0xf]; - *q++ = ':'; + + if (!CBB_add_u8(&cbb, '\0')) + goto err; + + if (!CBB_finish(&cbb, &out, &out_len)) + goto err; + + err: + CBB_cleanup(&cbb); + + return out; +} +LCRYPTO_ALIAS(hex_to_string); + +static int +x509_skip_colons_cbs(CBS *cbs) +{ + uint8_t c; + + while (CBS_len(cbs) > 0) { + if (!CBS_peek_u8(cbs, &c)) + return 0; + if (c != ':') + return 1; + if (!CBS_get_u8(cbs, &c)) + return 0; } - q[-1] = 0; - return tmp; + + return 1; } -/* Give a string of hex digits convert to - * a buffer - */ +static int +x509_get_xdigit_nibble_cbs(CBS *cbs, uint8_t *out_nibble) +{ + uint8_t c; + + if (!CBS_get_u8(cbs, &c)) + return 0; + + if (c >= '0' && c <= '9') { + *out_nibble = c - '0'; + return 1; + } + if (c >= 'a' && c <= 'f') { + *out_nibble = c - 'a' + 10; + return 1; + } + if (c >= 'A' && c <= 'F') { + *out_nibble = c - 'A' + 10; + return 1; + } + + X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT); + return 
0; +} unsigned char * string_to_hex(const char *str, long *len) { - unsigned char *hexbuf, *q; - unsigned char ch, cl, *p; - if (!str) { - X509V3error(X509V3_R_INVALID_NULL_ARGUMENT); - return NULL; - } - if (!(hexbuf = malloc(strlen(str) >> 1))) + CBB cbb; + CBS cbs; + uint8_t *out = NULL; + size_t out_len; + uint8_t hi, lo; + + *len = 0; + + if (!CBB_init(&cbb, 0)) goto err; - for (p = (unsigned char *)str, q = hexbuf; *p; ) { - ch = *p++; - if (ch == ':') - continue; - cl = *p++; - if (!cl) { - X509V3error(X509V3_R_ODD_NUMBER_OF_DIGITS); - free(hexbuf); - return NULL; - } - ch = tolower(ch); - cl = tolower(cl); - if ((ch >= '0') && (ch <= '9')) - ch -= '0'; - else if ((ch >= 'a') && (ch <= 'f')) - ch -= 'a' - 10; - else - goto badhex; - - if ((cl >= '0') && (cl <= '9')) - cl -= '0'; - else if ((cl >= 'a') && (cl <= 'f')) - cl -= 'a' - 10; - else - goto badhex; - - *q++ = (ch << 4) | cl; + if (str == NULL) { + X509V3error(X509V3_R_INVALID_NULL_ARGUMENT); + goto err; } - if (len) - *len = q - hexbuf; + CBS_init(&cbs, str, strlen(str)); + while (CBS_len(&cbs) > 0) { + /* + * Skipping only a single colon between two pairs of digits + * would make more sense - history... + */ + if (!x509_skip_colons_cbs(&cbs)) + goto err; + /* Another historic idiocy. 
*/ + if (CBS_len(&cbs) == 0) + break; + if (!x509_get_xdigit_nibble_cbs(&cbs, &hi)) + goto err; + if (CBS_len(&cbs) == 0) { + X509V3error(X509V3_R_ODD_NUMBER_OF_DIGITS); + goto err; + } + if (!x509_get_xdigit_nibble_cbs(&cbs, &lo)) + goto err; + if (!CBB_add_u8(&cbb, hi << 4 | lo)) + goto err; + } - return hexbuf; + if (!CBB_finish(&cbb, &out, &out_len)) + goto err; + if (out_len > LONG_MAX) { + freezero(out, out_len); + out = NULL; + goto err; + } + + *len = out_len; err: - free(hexbuf); - X509V3error(ERR_R_MALLOC_FAILURE); - return NULL; + CBB_cleanup(&cbb); - badhex: - free(hexbuf); - X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT); - return NULL; + return out; } +LCRYPTO_ALIAS(string_to_hex); /* V2I name comparison function: returns zero if 'name' matches * cmp or cmp.* @@ -556,6 +642,7 @@ X509_get1_email(X509 *x) sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free); return ret; } +LCRYPTO_ALIAS(X509_get1_email); STACK_OF(OPENSSL_STRING) * X509_get1_ocsp(X509 *x) @@ -580,6 +667,7 @@ X509_get1_ocsp(X509 *x) AUTHORITY_INFO_ACCESS_free(info); return ret; } +LCRYPTO_ALIAS(X509_get1_ocsp); STACK_OF(OPENSSL_STRING) * X509_REQ_get1_email(X509_REQ *x) @@ -595,6 +683,7 @@ X509_REQ_get1_email(X509_REQ *x) sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); return ret; } +LCRYPTO_ALIAS(X509_REQ_get1_email); static STACK_OF(OPENSSL_STRING) * @@ -664,6 +753,7 @@ X509_email_free(STACK_OF(OPENSSL_STRING) *sk) { sk_OPENSSL_STRING_pop_free(sk, str_free); } +LCRYPTO_ALIAS(X509_email_free); typedef int (*equal_fn)(const unsigned char *pattern, size_t pattern_len, const unsigned char *subject, size_t subject_len, unsigned int flags); 
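Review bot: string_to_hex now writes `*len = 0;` unconditionally at the top and `*len = out_len;` at the end, whereas the code it replaces only stored the length under `if (len)`, so any caller that passes a NULL `len` — which the old code tolerated — now crashes. Either keep the guard, `if (len != NULL) *len = 0;` and `if (len != NULL) *len = out_len;`, or document on the function that `len` is mandatory. hex_to_string likewise dropped the old `if (!buffer || !len) return NULL;`: a NULL `buffer` with `len > 0` is now handed to `CBS_init` and read by `CBS_get_u8`, and `len == 0` now yields an allocated empty string rather than NULL, which callers that tested the result for NULL may not expect. `if (buffer == NULL && len > 0) goto err;` restores the former protection, and the empty-string behaviour deserves a one-line comment if it is intentional.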
@@ -705,7 +795,7 @@ skip_prefix(const unsigned char **p, size_t *plen, const unsigned char *subject, * "equal_nocase" function is a hand-rolled strncasecmp that does not * allow \0 in the pattern. Since an embedded \0 is likely a sign of * problems, we simply don't allow it in either case, and then we use - * standard libc funcitons. + * standard libc functions. */ /* Compare using strncasecmp */ @@ -954,7 +1044,7 @@ do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal, rv = -1; } else { int astrlen; - unsigned char *astr; + unsigned char *astr = NULL; astrlen = ASN1_STRING_to_UTF8(&astr, a); if (astrlen < 0) return -1; @@ -1065,6 +1155,7 @@ X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags, return -2; return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername); } +LCRYPTO_ALIAS(X509_check_host); int X509_check_email(X509 *x, const char *chk, size_t chklen, unsigned int flags) @@ -1077,6 +1168,7 @@ X509_check_email(X509 *x, const char *chk, size_t chklen, unsigned int flags) return -2; return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL); } +LCRYPTO_ALIAS(X509_check_email); int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen, @@ -1086,6 +1178,7 @@ X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen, return -2; return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL); } +LCRYPTO_ALIAS(X509_check_ip); int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags) @@ -1100,6 +1193,7 @@ X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags) return -2; return do_x509_check(x, (char *)ipout, iplen, flags, GEN_IPADD, NULL); } +LCRYPTO_ALIAS(X509_check_ip_asc); /* Convert IP addresses both IPv4 and IPv6 into an * OCTET STRING compatible with RFC3280. @@ -1128,6 +1222,7 @@ a2i_IPADDRESS(const char *ipasc) } return ret; } +LCRYPTO_ALIAS(a2i_IPADDRESS); ASN1_OCTET_STRING * a2i_IPADDRESS_NC(const char *ipasc) 
@@ -1173,6 +1268,7 @@ a2i_IPADDRESS_NC(const char *ipasc) ASN1_OCTET_STRING_free(ret); return NULL; } +LCRYPTO_ALIAS(a2i_IPADDRESS_NC); int @@ -1190,6 +1286,7 @@ a2i_ipadd(unsigned char *ipout, const char *ipasc) return 4; } } +LCRYPTO_ALIAS(a2i_ipadd); static int ipv4_from_asc(unsigned char *v4, const char *in) @@ -1386,3 +1483,4 @@ X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk, } return 1; } +LCRYPTO_ALIAS(X509V3_NAME_from_section); diff --git a/crypto/x509/x509_v3.c b/crypto/x509/x509_v3.c index 9aefb8d..8dddb46 100644 --- a/crypto/x509/x509_v3.c +++ b/crypto/x509/x509_v3.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_v3.c,v 1.18 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509_v3.c,v 1.21 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,7 +66,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) @@ -75,6 +75,7 @@ X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x) return (0); return (sk_X509_EXTENSION_num(x)); } +LCRYPTO_ALIAS(X509v3_get_ext_count); int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos) @@ -86,6 +87,7 @@ X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos) return (-2); return (X509v3_get_ext_by_OBJ(x, obj, lastpos)); } +LCRYPTO_ALIAS(X509v3_get_ext_by_NID); int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, @@ -107,6 +109,7 @@ X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, } return (-1); } +LCRYPTO_ALIAS(X509v3_get_ext_by_OBJ); int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, @@ -129,6 +132,7 @@ X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *sk, int crit, } return (-1); } +LCRYPTO_ALIAS(X509v3_get_ext_by_critical); X509_EXTENSION * X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc) 
@@ -138,6 +142,7 @@ X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc) else return sk_X509_EXTENSION_value(x, loc); } +LCRYPTO_ALIAS(X509v3_get_ext); X509_EXTENSION * X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc) @@ -149,6 +154,7 @@ X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc) ret = sk_X509_EXTENSION_delete(x, loc); return (ret); } +LCRYPTO_ALIAS(X509v3_delete_ext); STACK_OF(X509_EXTENSION) * X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc) @@ -191,6 +197,7 @@ err2: sk_X509_EXTENSION_free(sk); return (NULL); } +LCRYPTO_ALIAS(X509v3_add_ext); X509_EXTENSION * X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit, @@ -209,6 +216,7 @@ X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit, ASN1_OBJECT_free(obj); return (ret); } +LCRYPTO_ALIAS(X509_EXTENSION_create_by_NID); X509_EXTENSION * X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, const ASN1_OBJECT *obj, @@ -240,6 +248,7 @@ err: X509_EXTENSION_free(ret); return (NULL); } +LCRYPTO_ALIAS(X509_EXTENSION_create_by_OBJ); int X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj) @@ -250,6 +259,7 @@ X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj) ex->object = OBJ_dup(obj); return ex->object != NULL; } +LCRYPTO_ALIAS(X509_EXTENSION_set_object); int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit) @@ -259,6 +269,7 @@ X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit) ex->critical = (crit) ? 0xFF : -1; return (1); } +LCRYPTO_ALIAS(X509_EXTENSION_set_critical); int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data) @@ -272,6 +283,7 @@ X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data) return (0); return (1); } +LCRYPTO_ALIAS(X509_EXTENSION_set_data); ASN1_OBJECT * X509_EXTENSION_get_object(X509_EXTENSION *ex) 
@@ -280,6 +292,7 @@ X509_EXTENSION_get_object(X509_EXTENSION *ex) return (NULL); return (ex->object); } +LCRYPTO_ALIAS(X509_EXTENSION_get_object); ASN1_OCTET_STRING * X509_EXTENSION_get_data(X509_EXTENSION *ex) @@ -288,6 +301,7 @@ X509_EXTENSION_get_data(X509_EXTENSION *ex) return (NULL); return (ex->value); } +LCRYPTO_ALIAS(X509_EXTENSION_get_data); int X509_EXTENSION_get_critical(const X509_EXTENSION *ex) @@ -298,3 +312,4 @@ X509_EXTENSION_get_critical(const X509_EXTENSION *ex) return 1; return 0; } +LCRYPTO_ALIAS(X509_EXTENSION_get_critical); diff --git a/crypto/x509/x509_verify.c b/crypto/x509/x509_verify.c index 6a73cb7..ca4814d 100644 --- a/crypto/x509/x509_verify.c +++ b/crypto/x509/x509_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_verify.c,v 1.54 2021/11/24 05:38:12 beck Exp $ */ +/* $OpenBSD: x509_verify.c,v 1.66 2023/05/07 07:11:50 tb Exp $ */ /* * Copyright (c) 2020-2021 Bob Beck * @@ -32,8 +32,10 @@ static int x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert, struct x509_verify_chain *current_chain); +static int x509_verify_cert_hostname(struct x509_verify_ctx *ctx, X509 *cert, + char *name); static void x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, - struct x509_verify_chain *current_chain, int full_chain); + struct x509_verify_chain *current_chain, int full_chain, char *name); static int x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, size_t depth, int error, int ok); static void x509_verify_chain_free(struct x509_verify_chain *chain); 
@@ -233,20 +235,13 @@ x509_verify_ctx_clear(struct x509_verify_ctx *ctx) x509_verify_ctx_reset(ctx); sk_X509_pop_free(ctx->intermediates, X509_free); free(ctx->chains); - memset(ctx, 0, sizeof(*ctx)); + } static int -x509_verify_cert_cache_extensions(X509 *cert) { - if (!(cert->ex_flags & EXFLAG_SET)) { - CRYPTO_w_lock(CRYPTO_LOCK_X509); - x509v3_cache_extensions(cert); - CRYPTO_w_unlock(CRYPTO_LOCK_X509); - } - if (cert->ex_flags & EXFLAG_INVALID) - return 0; - - return (cert->ex_flags & EXFLAG_SET); +x509_verify_cert_cache_extensions(X509 *cert) +{ + return x509v3_cache_extensions(cert); } static int @@ -255,6 +250,15 @@ x509_verify_cert_self_signed(X509 *cert) return (cert->ex_flags & EXFLAG_SS) ? 1 : 0; } +/* XXX beck - clean up this mess of is_root */ +static int +x509_verify_check_chain_end(X509 *cert, int full_chain) +{ + if (full_chain) + return x509_verify_cert_self_signed(cert); + return 1; +} + static int x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert, int full_chain) @@ -270,15 +274,14 @@ x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert, if ((match = x509_vfy_lookup_cert_match(ctx->xsc, cert)) != NULL) { X509_free(match); - return !full_chain || - x509_verify_cert_self_signed(cert); + return x509_verify_check_chain_end(cert, full_chain); } } else { /* Check the provided roots */ for (i = 0; i < sk_X509_num(ctx->roots); i++) { if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0) - return !full_chain || - x509_verify_cert_self_signed(cert); + return x509_verify_check_chain_end(cert, + full_chain); } } 
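Review bot: Dropping `memset(ctx, 0, sizeof(*ctx))` from x509_verify_ctx_clear leaves `ctx->intermediates` and `ctx->chains` pointing at freed memory, and the empty line left where it stood reads like an unfinished edit. If every caller frees the ctx immediately afterwards (x509_verify_ctx_free is not in this hunk, so I cannot confirm) this is harmless, but the new contract should then be explicit, e.g. `/* ctx is not reusable after this; the caller frees it. */`; if any path reuses the ctx, the pointers need clearing (`ctx->intermediates = NULL; ctx->chains = NULL;`). In the same hunk x509_verify_cert_cache_extensions is reduced to `return x509v3_cache_extensions(cert);` and no longer tests `EXFLAG_INVALID` itself, so correctness now rests on x509v3_cache_extensions returning 0 for invalid extensions — a one-line comment stating that assumption would help, or the wrapper could simply be inlined at its call sites.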
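Review bot: x509_verify_check_chain_end carries only the `XXX beck` note, and its name does not convey that it returns 1 for any certificate when `full_chain` is zero and only for self-signed ones otherwise. A header comment such as `/* Return 1 if cert may terminate a chain: any cert when partial chains are allowed (!full_chain), otherwise only a self-signed one. */` would document that contract at the single place the three former `!full_chain || x509_verify_cert_self_signed()` expressions now funnel through.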
@@ -390,13 +393,22 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx, ctx->xsc->error = X509_V_OK; ctx->xsc->error_depth = 0; - trust = x509_vfy_check_trust(ctx->xsc); - if (trust == X509_TRUST_REJECTED) - goto err; - if (!x509_verify_ctx_set_xsc_chain(ctx, chain, 0, 1)) goto err; + /* + * Call the legacy code to walk the chain and check trust + * in the legacy way to handle partial chains and get the + * callback fired correctly. + */ + trust = x509_vfy_check_trust(ctx->xsc); + if (trust == X509_TRUST_REJECTED) + goto err; /* callback was called in x509_vfy_check_trust */ + if (trust != X509_TRUST_TRUSTED) { + /* NOTREACHED */ + goto err; /* should not happen if we get in here - abort? */ + } + /* * XXX currently this duplicates some work done in chain * build, but we keep it here until we have feature parity @@ -412,6 +424,9 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx, goto err; #endif + if (!x509_vfy_check_security_level(ctx->xsc)) + goto err; + if (!x509_constraints_chain(ctx->xsc->chain, &ctx->xsc->error, &ctx->xsc->error_depth)) { X509 *cert = sk_X509_value(ctx->xsc->chain, depth); @@ -426,10 +441,6 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx, if (!x509_vfy_check_policy(ctx->xsc)) goto err; - if ((!(ctx->xsc->param->flags & X509_V_FLAG_PARTIAL_CHAIN)) && - trust != X509_TRUST_TRUSTED) - goto err; - ret = 1; err: @@ -452,10 +463,11 @@ x509_verify_ctx_validate_legacy_chain(struct x509_verify_ctx *ctx, /* Add a validated chain to our list of valid chains */ static int x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, - struct x509_verify_chain *chain) + struct x509_verify_chain *chain, char *name) { size_t depth; X509 *last = x509_verify_chain_last(chain); + X509 *leaf = x509_verify_chain_leaf(chain); depth = sk_X509_num(chain->certs); if (depth > 0) 
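Review bot: The `trust != X509_TRUST_TRUSTED` branch is labelled `/* NOTREACHED */` yet is live code that jumps to `err` while `ctx->xsc->error` is still the `X509_V_OK` assigned a few lines above, so if x509_vfy_check_trust ever returns X509_TRUST_UNTRUSTED here the caller sees a failed verification with no error code; the trailing `abort?` also reads as an open question rather than a decision. If the state truly cannot occur, still set a diagnostic before the jump — `ctx->xsc->error = X509_V_ERR_UNSPECIFIED;` if the tree defines it, or the closest generic code — and reword the comment to say why it is unreachable. If it can occur under X509_V_FLAG_PARTIAL_CHAIN, which the deleted `trust != X509_TRUST_TRUSTED` check further down used to tolerate, the branch needs real handling rather than a bare goto. x509_verify_ctx_validate_legacy_chain continues past this hunk.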
@@ -473,6 +485,15 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, if (!x509_verify_ctx_validate_legacy_chain(ctx, chain, depth)) return 0; + /* Verify the leaf certificate and store any resulting error. */ + if (!x509_verify_cert_valid(ctx, leaf, NULL)) + return 0; + if (!x509_verify_cert_hostname(ctx, leaf, name)) + return 0; + if (ctx->error_depth == 0 && + ctx->error != X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY) + chain->cert_errors[0] = ctx->error; + /* * In the non-legacy code, extensions and purpose are dealt * with as the chain is built. @@ -488,8 +509,10 @@ x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, X509_V_ERR_OUT_OF_MEM, 0); } ctx->chains_count++; + ctx->error = X509_V_OK; ctx->error_depth = depth; + return 1; } @@ -538,7 +561,7 @@ x509_verify_parent_signature(X509 *parent, X509 *child, int *error) static int x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert, int is_root_cert, X509 *candidate, struct x509_verify_chain *current_chain, - int full_chain) + int full_chain, char *name) { int depth = sk_X509_num(current_chain->certs); struct x509_verify_chain *new_chain; @@ -589,14 +612,14 @@ x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert, x509_verify_chain_free(new_chain); return 0; } - if (!x509_verify_ctx_add_chain(ctx, new_chain)) { + if (!x509_verify_ctx_add_chain(ctx, new_chain, name)) { x509_verify_chain_free(new_chain); return 0; } goto done; } - x509_verify_build_chains(ctx, candidate, new_chain, full_chain); + x509_verify_build_chains(ctx, candidate, new_chain, full_chain, name); done: x509_verify_chain_free(new_chain); @@ -620,7 +643,7 @@ x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, size_t depth, static void x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, - struct x509_verify_chain *current_chain, int full_chain) + struct x509_verify_chain *current_chain, int full_chain, char *name) { X509 *candidate; int i, depth, count, ret, is_root; 
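Review bot: The new leaf checks record `ctx->error` into `chain->cert_errors[0]` only when `ctx->error_depth == 0` and the error is not `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY`, but nothing explains why that one code is singled out, and the unexplained exclusion will be hard to maintain. Please add a comment above the `if` giving the reason — presumably the code is an artefact of chain building (no issuer found for a candidate) rather than a defect of the leaf, but that is my inference and the comment should state the real one. The preceding `Verify the leaf certificate and store any resulting error.` could also say that a non-zero return from x509_verify_cert_valid/x509_verify_cert_hostname means only that the verify callback did not veto, which is why the error is still captured afterwards — if that is indeed the intended semantics.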
@@ -674,11 +697,11 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, } if (ret > 0) { if (x509_verify_potential_parent(ctx, candidate, cert)) { - is_root = !full_chain || - x509_verify_cert_self_signed(candidate); + is_root = x509_verify_check_chain_end(candidate, + full_chain); x509_verify_consider_candidate(ctx, cert, is_root, candidate, current_chain, - full_chain); + full_chain, name); } X509_free(candidate); } @@ -687,11 +710,11 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, for (i = 0; i < sk_X509_num(ctx->roots); i++) { candidate = sk_X509_value(ctx->roots, i); if (x509_verify_potential_parent(ctx, candidate, cert)) { - is_root = !full_chain || - x509_verify_cert_self_signed(candidate); + is_root = x509_verify_check_chain_end(candidate, + full_chain); x509_verify_consider_candidate(ctx, cert, is_root, candidate, current_chain, - full_chain); + full_chain, name); } } } @@ -703,7 +726,7 @@ x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, if (x509_verify_potential_parent(ctx, candidate, cert)) { x509_verify_consider_candidate(ctx, cert, 0, candidate, current_chain, - full_chain); + full_chain, name); } } } @@ -882,12 +905,6 @@ x509_verify_cert_extensions(struct x509_verify_ctx *ctx, X509 *cert, int need_ca return 0; } - /* XXX support proxy certs later in new api */ - if (ctx->xsc == NULL && cert->ex_flags & EXFLAG_PROXY) { - ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; - return 0; - } - return 1; } 
@@ -1115,16 +1132,18 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) ctx->xsc->current_cert = leaf; } - if (!x509_verify_cert_valid(ctx, leaf, NULL)) - goto err; - - if (!x509_verify_cert_hostname(ctx, leaf, name)) - goto err; - if ((current_chain = x509_verify_chain_new()) == NULL) { ctx->error = X509_V_ERR_OUT_OF_MEM; goto err; } + + /* + * Add the leaf to the chain and try to build chains from it. + * Note that unlike Go's verifier, we have not yet checked + * anything about the leaf, This is intentional, so that we + * report failures in chain building before we report problems + * with the leaf. + */ if (!x509_verify_chain_append(current_chain, leaf, &ctx->error)) { x509_verify_chain_free(current_chain); goto err; @@ -1132,13 +1151,14 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) do { retry_chain_build = 0; if (x509_verify_ctx_cert_is_root(ctx, leaf, full_chain)) { - if (!x509_verify_ctx_add_chain(ctx, current_chain)) { + if (!x509_verify_ctx_add_chain(ctx, current_chain, + name)) { x509_verify_chain_free(current_chain); goto err; } } else { x509_verify_build_chains(ctx, leaf, current_chain, - full_chain); + full_chain, name); if (full_chain && ctx->chains_count == 0) { /* * Save the error state from the xsc @@ -1151,6 +1171,7 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) * on failure and will be needed for * that. */ + ctx->xsc->error_depth = ctx->error_depth; if (!x509_verify_ctx_save_xsc_error(ctx)) { x509_verify_chain_free(current_chain); goto err; @@ -1259,4 +1280,3 @@ x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) return 0; } - diff --git a/include/openssl/x509_verify.h b/crypto/x509/x509_verify.h similarity index 100% rename from include/openssl/x509_verify.h rename to crypto/x509/x509_verify.h diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index 9a92996..6bc0618 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c 
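Review bot: The new comment above x509_verify_chain_append has a broken sentence boundary: `anything about the leaf, This is intentional` should read `anything about the leaf. This is intentional`. Since this hunk also removes the x509_verify_cert_valid and x509_verify_cert_hostname calls from x509_verify, the comment would be more useful if it said where they went, e.g. `The leaf is checked per candidate chain in x509_verify_ctx_add_chain.` — otherwise a reader of x509_verify sees no leaf validation at all. x509_verify continues beyond this hunk.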
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.101 2022/01/22 00:36:46 inoguchi Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.123 2023/05/14 20:20:40 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -73,9 +73,10 @@ #include #include #include -#include "asn1_locl.h" -#include "vpm_int.h" + +#include "asn1_local.h" #include "x509_internal.h" +#include "x509_local.h" /* CRL score values */ @@ -116,7 +117,7 @@ #define CRL_SCORE_TIME_DELTA 0x002 static int null_callback(int ok, X509_STORE_CTX *e); -static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); +static int check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer); static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, int allow_expired); static int check_chain_extensions(X509_STORE_CTX *ctx); @@ -143,7 +144,9 @@ static int X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int clamp_notafter); static int internal_verify(X509_STORE_CTX *ctx); -static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); +static int get_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); +static int check_key_level(X509_STORE_CTX *ctx, X509 *cert); +static int verify_cb_cert(X509_STORE_CTX *ctx, X509 *x, int depth, int err); int ASN1_time_tm_clamp_notafter(struct tm *tm); @@ -153,14 +156,6 @@ null_callback(int ok, X509_STORE_CTX *e) return ok; } -#if 0 -static int -x509_subject_cmp(X509 **a, X509 **b) -{ - return X509_subject_name_cmp(*a, *b); -} -#endif - /* Return 1 if a certificate is self signed */ static int cert_self_signed(X509 *x) @@ -184,7 +179,7 @@ check_id_error(X509_STORE_CTX *ctx, int errcode) static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id) { - size_t i, n; + int i, n; char *name; n = sk_OPENSSL_STRING_num(id->hosts); 
@@ -310,7 +305,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok) if (ctx->untrusted != NULL) { /* * If we do not find a non-expired untrusted cert, peek - * ahead and see if we can satisify this from the trusted + * ahead and see if we can satisfy this from the trusted * store. If not, see if we have an expired untrusted cert. */ xtmp = find_issuer(ctx, sktmp, x, 0); @@ -542,6 +537,11 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx) if (!ok) goto end; + /* Check that the chain satisfies the security level. */ + ok = x509_vfy_check_security_level(ctx); + if (!ok) + goto end; + /* Check name constraints */ ok = check_name_constraints(ctx); if (!ok) @@ -578,7 +578,7 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx) goto end; /* If we get this far evaluate policies */ - if (!bad_chain && (ctx->param->flags & X509_V_FLAG_POLICY_CHECK)) + if (!bad_chain) ok = ctx->check_policy(ctx); end: @@ -592,7 +592,6 @@ X509_verify_cert_legacy(X509_STORE_CTX *ctx) int X509_verify_cert(X509_STORE_CTX *ctx) { - STACK_OF(X509) *roots = NULL; struct x509_verify_ctx *vctx = NULL; int chain_count = 0; @@ -628,6 +627,14 @@ X509_verify_cert(X509_STORE_CTX *ctx) return -1; } + /* + * If the certificate's public key is too weak, don't bother + * continuing. + */ + if (!check_key_level(ctx, ctx->cert) && + !verify_cb_cert(ctx, ctx->cert, 0, X509_V_ERR_EE_KEY_TOO_SMALL)) + return 0; + /* * If flags request legacy, use the legacy verifier. If we * requested "no alt chains" from the age of hammer pants, use @@ -648,11 +655,10 @@ X509_verify_cert(X509_STORE_CTX *ctx) } x509_verify_ctx_free(vctx); - sk_X509_pop_free(roots, X509_free); - /* if we succeed we have a chain in ctx->chain */ return (chain_count > 0 && ctx->chain != NULL); } +LCRYPTO_ALIAS(X509_verify_cert); /* Given a STACK_OF(X509) find the issuer of cert (if any) */ 
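Review bot: Dropping `(ctx->param->flags & X509_V_FLAG_POLICY_CHECK)` from the condition makes `ctx->check_policy` run for every chain in X509_verify_cert_legacy, where it was previously opt-in; callers that relied on the flag to skip policy processing will not see that change from the code. If the intent is that the flag is now honoured inside the policy checker itself (x509_vfy_check_policy is not in this diff, so I cannot confirm), a one-line comment here — `/* Policy evaluation always runs; X509_V_FLAG_POLICY_CHECK is handled by the policy code. */` — would stop someone from re-adding the guard. If the flag is simply ignored now, that also belongs in the X509_VERIFY_PARAM documentation.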
@@ -679,29 +685,21 @@ find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, /* Given a possible certificate and issuer check them */ static int -check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) +check_issued(X509_STORE_CTX *ctx, X509 *subject, X509 *issuer) { - int ret; - - ret = X509_check_issued(issuer, x); - if (ret == X509_V_OK) - return 1; - /* If we haven't asked for issuer errors don't set ctx */ - if (!(ctx->param->flags & X509_V_FLAG_CB_ISSUER_CHECK)) - return 0; - - ctx->error = ret; - ctx->current_cert = x; - ctx->current_issuer = issuer; - return ctx->verify_cb(0, ctx); + /* + * Yes, the arguments of X509_STORE_CTX_check_issued_fn were exposed in + * reverse order compared to the already public X509_check_issued()... + */ + return X509_check_issued(issuer, subject) == X509_V_OK; } -/* Alternative lookup method: look from a STACK stored in other_ctx */ +/* Alternative lookup method: look from a STACK stored in ctx->trusted */ static int -get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) +get_trusted_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { - *issuer = find_issuer(ctx, ctx->other_ctx, x, 1); + *issuer = find_issuer(ctx, ctx->trusted, x, 1); if (*issuer) { CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509); return 1; @@ -724,7 +722,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) int (*cb)(int xok, X509_STORE_CTX *xctx); int proxy_path_length = 0; int purpose; - int allow_proxy_certs; cb = ctx->verify_cb; @@ -739,14 +736,10 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) must_be_ca = -1; /* CRL path validation */ - if (ctx->parent) { - allow_proxy_certs = 0; + if (ctx->parent) purpose = X509_PURPOSE_CRL_SIGN; - } else { - allow_proxy_certs = - !!(ctx->param->flags & X509_V_FLAG_ALLOW_PROXY_CERTS); + else purpose = ctx->param->purpose; - } /* Check all untrusted certificates */ for (i = 0; i < ctx->num_untrusted; i++) { 
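Review bot: The header comment `/* Given a possible certificate and issuer check them */` above `check_issued` no longer describes the function: after this change it is a pure predicate, and with the `X509_V_FLAG_CB_ISSUER_CHECK` path removed the verify callback is never consulted on an issuer mismatch, so callers that set that flag get no notification. Update the comment to state the new contract, e.g. `/* Return 1 iff |issuer| issued |subject|; never invokes the verify callback. */`, and keep the argument-order remark below it.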
@@ -761,14 +754,6 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) if (!ok) goto end; } - if (!allow_proxy_certs && (x->ex_flags & EXFLAG_PROXY)) { - ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; - ctx->error_depth = i; - ctx->current_cert = x; - ok = cb(0, ctx); - if (!ok) - goto end; - } ret = X509_check_ca(x); switch (must_be_ca) { case -1: @@ -830,24 +815,7 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) /* Increment path length if not self issued */ if (!(x->ex_flags & EXFLAG_SI)) plen++; - /* If this certificate is a proxy certificate, the next - certificate must be another proxy certificate or a EE - certificate. If not, the next certificate must be a - CA certificate. */ - if (x->ex_flags & EXFLAG_PROXY) { - if (x->ex_pcpathlen != -1 && i > x->ex_pcpathlen) { - ctx->error = - X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; - ctx->error_depth = i; - ctx->current_cert = x; - ok = cb(0, ctx); - if (!ok) - goto end; - } - proxy_path_length++; - must_be_ca = 0; - } else - must_be_ca = 1; + must_be_ca = 1; } ok = 1; 
@@ -1767,48 +1735,31 @@ cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) int x509_vfy_check_policy(X509_STORE_CTX *ctx) { + X509 *current_cert = NULL; int ret; - if (ctx->parent) + if (ctx->parent != NULL) return 1; - /* X509_policy_check always allocates a new tree. */ - X509_policy_tree_free(ctx->tree); - ctx->tree = NULL; - - ret = X509_policy_check(&ctx->tree, &ctx->explicit_policy, ctx->chain, - ctx->param->policies, ctx->param->flags); - if (ret == 0) { - X509error(ERR_R_MALLOC_FAILURE); - return 0; - } - /* Invalid or inconsistent extensions */ - if (ret == -1) { - /* Locate certificates with bad extensions and notify - * callback. - */ - X509 *x; - int i; - for (i = 1; i < sk_X509_num(ctx->chain); i++) { - x = sk_X509_value(ctx->chain, i); - if (!(x->ex_flags & EXFLAG_INVALID_POLICY)) - continue; - ctx->current_cert = x; - ctx->error = X509_V_ERR_INVALID_POLICY_EXTENSION; - if (!ctx->verify_cb(0, ctx)) - return 0; - } - return 1; - } - if (ret == -2) { - ctx->current_cert = NULL; - ctx->error = X509_V_ERR_NO_EXPLICIT_POLICY; + ret = X509_policy_check(ctx->chain, ctx->param->policies, + ctx->param->flags, ¤t_cert); + if (ret != X509_V_OK) { + ctx->current_cert = current_cert; + ctx->error = ret; + if (ret == X509_V_ERR_OUT_OF_MEM) + return 0; return ctx->verify_cb(0, ctx); } if (ctx->param->flags & X509_V_FLAG_NOTIFY_POLICY) { ctx->current_cert = NULL; - ctx->error = X509_V_OK; + /* + * Verification errors need to be "sticky", a callback may have + * allowed an SSL handshake to continue despite an error, and + * we must then remain in an error state. Therefore, we MUST + * NOT clear earlier verification errors by setting the error + * to X509_V_OK. + */ if (!ctx->verify_cb(2, ctx)) return 0; } @@ -2004,6 +1955,7 @@ X509_cmp_current_time(const ASN1_TIME *ctm) { return X509_cmp_time(ctm, NULL); } +LCRYPTO_ALIAS(X509_cmp_current_time); /* * Compare a possibly unvalidated ASN1_TIME string against a time_t 
@@ -2043,6 +1995,7 @@ X509_cmp_time(const ASN1_TIME *ctm, time_t *cmp_time) { return X509_cmp_time_internal(ctm, cmp_time, 0); } +LCRYPTO_ALIAS(X509_cmp_time); ASN1_TIME * @@ -2050,12 +2003,14 @@ X509_gmtime_adj(ASN1_TIME *s, long adj) { return X509_time_adj(s, adj, NULL); } +LCRYPTO_ALIAS(X509_gmtime_adj); ASN1_TIME * X509_time_adj(ASN1_TIME *s, long offset_sec, time_t *in_time) { return X509_time_adj_ex(s, 0, offset_sec, in_time); } +LCRYPTO_ALIAS(X509_time_adj); ASN1_TIME * X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_time) @@ -2068,6 +2023,7 @@ X509_time_adj_ex(ASN1_TIME *s, int offset_day, long offset_sec, time_t *in_time) return ASN1_TIME_adj(s, t, offset_day, offset_sec); } +LCRYPTO_ALIAS(X509_time_adj_ex); int X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) @@ -2107,6 +2063,7 @@ X509_get_pubkey_parameters(EVP_PKEY *pkey, STACK_OF(X509) *chain) return 0; return 1; } +LCRYPTO_ALIAS(X509_get_pubkey_parameters); int X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, 
@@ -2117,66 +2074,77 @@ X509_STORE_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, return CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_X509_STORE_CTX, argl, argp, new_func, dup_func, free_func); } +LCRYPTO_ALIAS(X509_STORE_CTX_get_ex_new_index); int X509_STORE_CTX_set_ex_data(X509_STORE_CTX *ctx, int idx, void *data) { return CRYPTO_set_ex_data(&ctx->ex_data, idx, data); } +LCRYPTO_ALIAS(X509_STORE_CTX_set_ex_data); void * X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx) { return CRYPTO_get_ex_data(&ctx->ex_data, idx); } +LCRYPTO_ALIAS(X509_STORE_CTX_get_ex_data); int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx) { return ctx->error; } +LCRYPTO_ALIAS(X509_STORE_CTX_get_error); void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int err) { ctx->error = err; } +LCRYPTO_ALIAS(X509_STORE_CTX_set_error); int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx) { return ctx->error_depth; } +LCRYPTO_ALIAS(X509_STORE_CTX_get_error_depth); void X509_STORE_CTX_set_error_depth(X509_STORE_CTX *ctx, int depth) { ctx->error_depth = depth; } +LCRYPTO_ALIAS(X509_STORE_CTX_set_error_depth); X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx) { return ctx->current_cert; } +LCRYPTO_ALIAS(X509_STORE_CTX_get_current_cert); void X509_STORE_CTX_set_current_cert(X509_STORE_CTX *ctx, X509 *x) { ctx->current_cert = x; } +LCRYPTO_ALIAS(X509_STORE_CTX_set_current_cert); STACK_OF(X509) * X509_STORE_CTX_get_chain(X509_STORE_CTX *ctx) { return ctx->chain; } +LCRYPTO_ALIAS(X509_STORE_CTX_get_chain); STACK_OF(X509) * X509_STORE_CTX_get0_chain(X509_STORE_CTX *xs) { return xs->chain; } +LCRYPTO_ALIAS(X509_STORE_CTX_get0_chain); STACK_OF(X509) * X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) 
@@ -2193,60 +2161,70 @@ X509_STORE_CTX_get1_chain(X509_STORE_CTX *ctx) } return chain; } +LCRYPTO_ALIAS(X509_STORE_CTX_get1_chain); X509 * X509_STORE_CTX_get0_current_issuer(X509_STORE_CTX *ctx) { return ctx->current_issuer; } +LCRYPTO_ALIAS(X509_STORE_CTX_get0_current_issuer); X509_CRL * X509_STORE_CTX_get0_current_crl(X509_STORE_CTX *ctx) { return ctx->current_crl; } +LCRYPTO_ALIAS(X509_STORE_CTX_get0_current_crl); X509_STORE_CTX * X509_STORE_CTX_get0_parent_ctx(X509_STORE_CTX *ctx) { return ctx->parent; } +LCRYPTO_ALIAS(X509_STORE_CTX_get0_parent_ctx); X509_STORE * X509_STORE_CTX_get0_store(X509_STORE_CTX *xs) { return xs->store; } +LCRYPTO_ALIAS(X509_STORE_CTX_get0_store); void X509_STORE_CTX_set_cert(X509_STORE_CTX *ctx, X509 *x) { ctx->cert = x; } +LCRYPTO_ALIAS(X509_STORE_CTX_set_cert); void X509_STORE_CTX_set_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { ctx->untrusted = sk; } +LCRYPTO_ALIAS(X509_STORE_CTX_set_chain); void X509_STORE_CTX_set0_crls(X509_STORE_CTX *ctx, STACK_OF(X509_CRL) *sk) { ctx->crls = sk; } +LCRYPTO_ALIAS(X509_STORE_CTX_set0_crls); int X509_STORE_CTX_set_purpose(X509_STORE_CTX *ctx, int purpose) { return X509_STORE_CTX_purpose_inherit(ctx, 0, purpose, 0); } +LCRYPTO_ALIAS(X509_STORE_CTX_set_purpose); int X509_STORE_CTX_set_trust(X509_STORE_CTX *ctx, int trust) { return X509_STORE_CTX_purpose_inherit(ctx, 0, 0, trust); } +LCRYPTO_ALIAS(X509_STORE_CTX_set_trust); /* This function is used to set the X509_STORE_CTX purpose and trust * values. This is intended to be used when another structure has its @@ -2302,6 +2280,7 @@ X509_STORE_CTX_purpose_inherit(X509_STORE_CTX *ctx, int def_purpose, ctx->param->trust = trust; return 1; } +LCRYPTO_ALIAS(X509_STORE_CTX_purpose_inherit); X509_STORE_CTX * X509_STORE_CTX_new(void) @@ -2315,6 +2294,7 @@ X509_STORE_CTX_new(void) } return ctx; } +LCRYPTO_ALIAS(X509_STORE_CTX_new); void X509_STORE_CTX_free(X509_STORE_CTX *ctx) 
@@ -2325,10 +2305,11 @@ X509_STORE_CTX_free(X509_STORE_CTX *ctx) X509_STORE_CTX_cleanup(ctx); free(ctx); } +LCRYPTO_ALIAS(X509_STORE_CTX_free); int -X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, - STACK_OF(X509) *chain) +X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *leaf, + STACK_OF(X509) *untrusted) { int param_ret = 1; @@ -2356,8 +2337,8 @@ X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, * possible even on early exits. */ ctx->store = store; - ctx->cert = x509; - ctx->untrusted = chain; + ctx->cert = leaf; + ctx->untrusted = untrusted; if (store && store->verify) ctx->verify = store->verify; @@ -2404,12 +2385,12 @@ X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, if (store && store->lookup_certs) ctx->lookup_certs = store->lookup_certs; else - ctx->lookup_certs = X509_STORE_get1_certs; + ctx->lookup_certs = X509_STORE_CTX_get1_certs; if (store && store->lookup_crls) ctx->lookup_crls = store->lookup_crls; else - ctx->lookup_crls = X509_STORE_get1_crls; + ctx->lookup_crls = X509_STORE_CTX_get1_crls; if (store && store->cleanup) ctx->cleanup = store->cleanup; 
@@ -2446,23 +2427,26 @@ X509_STORE_CTX_init(X509_STORE_CTX *ctx, X509_STORE *store, X509 *x509, } return 1; } +LCRYPTO_ALIAS(X509_STORE_CTX_init); /* Set alternative lookup method: just a STACK of trusted certificates. * This avoids X509_STORE nastiness where it isn't needed. */ void -X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) +X509_STORE_CTX_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *trusted) { - ctx->other_ctx = sk; - ctx->get_issuer = get_issuer_sk; + X509_STORE_CTX_set0_trusted_stack(ctx, trusted); } +LCRYPTO_ALIAS(X509_STORE_CTX_trusted_stack); void -X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) +X509_STORE_CTX_set0_trusted_stack(X509_STORE_CTX *ctx, STACK_OF(X509) *trusted) { - X509_STORE_CTX_trusted_stack(ctx, sk); + ctx->trusted = trusted; + ctx->get_issuer = get_trusted_issuer; } +LCRYPTO_ALIAS(X509_STORE_CTX_set0_trusted_stack); void X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) @@ -2474,10 +2458,6 @@ X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) X509_VERIFY_PARAM_free(ctx->param); ctx->param = NULL; } - if (ctx->tree != NULL) { - X509_policy_tree_free(ctx->tree); - ctx->tree = NULL; - } if (ctx->chain != NULL) { sk_X509_pop_free(ctx->chain, X509_free); ctx->chain = NULL; 
@@ -2486,30 +2466,35 @@ X509_STORE_CTX_cleanup(X509_STORE_CTX *ctx) ctx, &(ctx->ex_data)); memset(&ctx->ex_data, 0, sizeof(CRYPTO_EX_DATA)); } +LCRYPTO_ALIAS(X509_STORE_CTX_cleanup); void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth) { X509_VERIFY_PARAM_set_depth(ctx->param, depth); } +LCRYPTO_ALIAS(X509_STORE_CTX_set_depth); void X509_STORE_CTX_set_flags(X509_STORE_CTX *ctx, unsigned long flags) { X509_VERIFY_PARAM_set_flags(ctx->param, flags); } +LCRYPTO_ALIAS(X509_STORE_CTX_set_flags); void X509_STORE_CTX_set_time(X509_STORE_CTX *ctx, unsigned long flags, time_t t) { X509_VERIFY_PARAM_set_time(ctx->param, t); } +LCRYPTO_ALIAS(X509_STORE_CTX_set_time); int (*X509_STORE_CTX_get_verify_cb(X509_STORE_CTX *ctx))(int, X509_STORE_CTX *) { return ctx->verify_cb; } +LCRYPTO_ALIAS(X509_STORE_CTX_get_verify_cb); void X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, 
@@ -2517,36 +2502,64 @@ X509_STORE_CTX_set_verify_cb(X509_STORE_CTX *ctx, { ctx->verify_cb = verify_cb; } +LCRYPTO_ALIAS(X509_STORE_CTX_set_verify_cb); int (*X509_STORE_CTX_get_verify(X509_STORE_CTX *ctx))(X509_STORE_CTX *) { return ctx->verify; } +LCRYPTO_ALIAS(X509_STORE_CTX_get_verify); void X509_STORE_CTX_set_verify(X509_STORE_CTX *ctx, int (*verify)(X509_STORE_CTX *)) { ctx->verify = verify; } +LCRYPTO_ALIAS(X509_STORE_CTX_set_verify); + +X509_STORE_CTX_check_issued_fn +X509_STORE_get_check_issued(X509_STORE *store) +{ + return store->check_issued; +} +LCRYPTO_ALIAS(X509_STORE_get_check_issued); + +void +X509_STORE_set_check_issued(X509_STORE *store, + X509_STORE_CTX_check_issued_fn check_issued) +{ + store->check_issued = check_issued; +} +LCRYPTO_ALIAS(X509_STORE_set_check_issued); + +X509_STORE_CTX_check_issued_fn +X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx) +{ + return ctx->check_issued; +} +LCRYPTO_ALIAS(X509_STORE_CTX_get_check_issued); X509 * X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) { return ctx->cert; } +LCRYPTO_ALIAS(X509_STORE_CTX_get0_cert); STACK_OF(X509) * X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) { return ctx->untrusted; } +LCRYPTO_ALIAS(X509_STORE_CTX_get0_untrusted); void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) { ctx->untrusted = sk; } +LCRYPTO_ALIAS(X509_STORE_CTX_set0_untrusted); void X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) 
@@ -2554,24 +2567,14 @@ X509_STORE_CTX_set0_verified_chain(X509_STORE_CTX *ctx, STACK_OF(X509) *sk) sk_X509_pop_free(ctx->chain, X509_free); ctx->chain = sk; } - -X509_POLICY_TREE * -X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx) -{ - return ctx->tree; -} - -int -X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx) -{ - return ctx->explicit_policy; -} +LCRYPTO_ALIAS(X509_STORE_CTX_set0_verified_chain); int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx) { return ctx->num_untrusted; } +LCRYPTO_ALIAS(X509_STORE_CTX_get_num_untrusted); int X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) @@ -2582,12 +2585,14 @@ X509_STORE_CTX_set_default(X509_STORE_CTX *ctx, const char *name) return 0; return X509_VERIFY_PARAM_inherit(ctx->param, param); } +LCRYPTO_ALIAS(X509_STORE_CTX_set_default); X509_VERIFY_PARAM * X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx) { return ctx->param; } +LCRYPTO_ALIAS(X509_STORE_CTX_get0_param); void X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) 
@@ -2596,3 +2601,130 @@ X509_STORE_CTX_set0_param(X509_STORE_CTX *ctx, X509_VERIFY_PARAM *param) X509_VERIFY_PARAM_free(ctx->param); ctx->param = param; } +LCRYPTO_ALIAS(X509_STORE_CTX_set0_param); + +/* + * Check if |bits| are adequate for |security level|. + * Returns 1 if ok, 0 otherwise. + */ +static int +enough_bits_for_security_level(int bits, int level) +{ + /* + * Sigh. OpenSSL does this silly squashing, so we will + * too. Derp for Derp compatibility being important. + */ + if (level < 0) + level = 0; + if (level > 5) + level = 5; + + switch (level) { + case 0: + return 1; + case 1: + return bits >= 80; + case 2: + return bits >= 112; + case 3: + return bits >= 128; + case 4: + return bits >= 192; + case 5: + return bits >= 256; + default: + return 0; + } +} + +/* + * Check whether the public key of |cert| meets the security level of |ctx|. + * + * Returns 1 on success, 0 otherwise. + */ +static int +check_key_level(X509_STORE_CTX *ctx, X509 *cert) +{ + EVP_PKEY *pkey; + int bits; + + /* Unsupported or malformed keys are not secure */ + if ((pkey = X509_get0_pubkey(cert)) == NULL) + return 0; + + if ((bits = EVP_PKEY_security_bits(pkey)) <= 0) + return 0; + + return enough_bits_for_security_level(bits, ctx->param->security_level); +} + +/* + * Check whether the signature digest algorithm of |cert| meets the security + * level of |ctx|. Do not check trust anchors (self-signed or not). + * + * Returns 1 on success, 0 otherwise. + */ +static int +check_sig_level(X509_STORE_CTX *ctx, X509 *cert) +{ + const EVP_MD *md; + int bits, nid, md_nid; + + if ((nid = X509_get_signature_nid(cert)) == NID_undef) + return 0; + + /* + * Look up signature algorithm digest. + */ + + if (!OBJ_find_sigid_algs(nid, &md_nid, NULL)) + return 0; + + if (md_nid == NID_undef) + return 0; + + if ((md = EVP_get_digestbynid(md_nid)) == NULL) + return 0; + + /* Assume 4 bits of collision resistance for each hash octet. 
*/ + bits = EVP_MD_size(md) * 4; + + return enough_bits_for_security_level(bits, ctx->param->security_level); +} + +int +x509_vfy_check_security_level(X509_STORE_CTX *ctx) +{ + int num = sk_X509_num(ctx->chain); + int i; + + if (ctx->param->security_level <= 0) + return 1; + + for (i = 0; i < num; i++) { + X509 *cert = sk_X509_value(ctx->chain, i); + + /* + * We've already checked the security of the leaf key, so here + * we only check the security of issuer keys. + */ + if (i > 0) { + if (!check_key_level(ctx, cert) && + !verify_cb_cert(ctx, cert, i, + X509_V_ERR_CA_KEY_TOO_SMALL)) + return 0; + } + + /* + * We also check the signature algorithm security of all certs + * except those of the trust anchor at index num - 1. + */ + if (i == num - 1) + break; + + if (!check_sig_level(ctx, cert) && + !verify_cb_cert(ctx, cert, i, X509_V_ERR_CA_MD_TOO_WEAK)) + return 0; + } + return 1; +} diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 13171e4..5c8c09e 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vpm.c,v 1.28 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509_vpm.c,v 1.39 2023/05/24 09:15:14 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -66,8 +66,7 @@ #include #include -#include "vpm_int.h" -#include "x509_lcl.h" +#include "x509_local.h" /* X509_VERIFY_PARAM functions */ @@ -85,9 +84,6 @@ str_free(char *s) free(s); } -#define string_stack_free(sk) sk_OPENSSL_STRING_pop_free(sk, str_free) - - /* * Post 1.0.1 sk function "deep_copy". For the moment we simply make * these take void * and use them directly without a glorious blob of @@ -140,7 +136,7 @@ x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode, return 0; if (mode == SET_HOST && id->hosts) { - string_stack_free(id->hosts); + sk_OPENSSL_STRING_pop_free(id->hosts, str_free); id->hosts = NULL; } if (name == NULL || namelen == 0) 
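Review bot: `check_key_level` returns 0 for a certificate whose key yields no security-bits estimate (`X509_get0_pubkey` returning NULL or `EVP_PKEY_security_bits` returning <= 0) even when `ctx->param->security_level` is 0, whereas `x509_vfy_check_security_level` returns 1 early for `security_level <= 0` and never reaches that code for CA certificates; the unconditional leaf check added in `X509_verify_cert` (L1613) therefore fails such a leaf with `X509_V_ERR_EE_KEY_TOO_SMALL` at level 0, an error code that does not describe the cause. If that is intended, as the `Unsupported or malformed keys are not secure` comment suggests, make it explicit with `/* Rejected regardless of security level, including level 0. */`; otherwise add `if (ctx->param->security_level <= 0) return 1;` at the top of `check_key_level` to mirror the caller. Separately, `x509_vfy_check_security_level` is the only function in this hunk without a header comment; add one stating that it checks key strength for every chain element except the leaf (checked earlier in `X509_verify_cert`) and signature-digest strength for every element except the trust anchor at index `num - 1`, and that it reports through `verify_cb_cert` so a callback may override.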
@@ -187,7 +183,7 @@ x509_verify_param_zero(X509_VERIFY_PARAM *param) } paramid = param->id; if (paramid->hosts) { - string_stack_free(paramid->hosts); + sk_OPENSSL_STRING_pop_free(paramid->hosts, str_free); paramid->hosts = NULL; } free(paramid->peername); @@ -218,6 +214,7 @@ X509_VERIFY_PARAM_new(void) x509_verify_param_zero(param); return param; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_new); void X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) @@ -228,6 +225,7 @@ X509_VERIFY_PARAM_free(X509_VERIFY_PARAM *param) free(param->id); free(param); } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_free); /* * This function determines how parameters are "inherited" from one structure @@ -328,10 +326,12 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src) return 0; } - /* Copy the host flags if and only if we're copying the host list */ + if (test_x509_verify_param_copy_id(hostflags, 0)) + dest->id->hostflags = id->hostflags; + if (test_x509_verify_param_copy_id(hosts, NULL)) { if (dest->id->hosts) { - string_stack_free(dest->id->hosts); + sk_OPENSSL_STRING_pop_free(dest->id->hosts, str_free); dest->id->hosts = NULL; } if (id->hosts) { @@ -339,7 +339,6 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src) sk_deep_copy(id->hosts, strdup, str_free); if (dest->id->hosts == NULL) return 0; - dest->id->hostflags = id->hostflags; } } @@ -356,6 +355,7 @@ X509_VERIFY_PARAM_inherit(X509_VERIFY_PARAM *dest, const X509_VERIFY_PARAM *src) return 1; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_inherit); int X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from) @@ -368,6 +368,7 @@ X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from) to->inh_flags = save_flags; return ret; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1); static int x509_param_set1_internal(char **pdest, size_t *pdestlen, const char *src, 
@@ -412,15 +413,15 @@ X509_VERIFY_PARAM_set1_name(X509_VERIFY_PARAM *param, const char *name) return 1; return 0; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_name); int X509_VERIFY_PARAM_set_flags(X509_VERIFY_PARAM *param, unsigned long flags) { param->flags |= flags; - if (flags & X509_V_FLAG_POLICY_MASK) - param->flags |= X509_V_FLAG_POLICY_CHECK; return 1; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_flags); int X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags) @@ -428,30 +429,49 @@ X509_VERIFY_PARAM_clear_flags(X509_VERIFY_PARAM *param, unsigned long flags) param->flags &= ~flags; return 1; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_clear_flags); unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param) { return param->flags; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_get_flags); int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose) { return X509_PURPOSE_set(¶m->purpose, purpose); } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_purpose); int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust) { return X509_TRUST_set(¶m->trust, trust); } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_trust); void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth) { param->depth = depth; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_depth); + +void +X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level) +{ + param->security_level = auth_level; +} +LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_auth_level); + +time_t +X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param) +{ + return param->check_time; +} +LCRYPTO_ALIAS(X509_VERIFY_PARAM_get_time); void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) @@ -459,6 +479,7 @@ X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t) param->check_time = t; param->flags |= X509_V_FLAG_USE_CHECK_TIME; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_time); int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy) 
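Review bot: `X509_VERIFY_PARAM_get_time` in the `@@ -428,30 +429,49 @@` hunk returns `param->check_time` unconditionally, so a caller cannot distinguish an explicitly set time from a zero-initialised field; the value is only meaningful when `X509_V_FLAG_USE_CHECK_TIME` is set in `param->flags`, which is what `X509_VERIFY_PARAM_set_time` (context below) does. Add a comment above it: `/* Only meaningful if X509_V_FLAG_USE_CHECK_TIME is set in param->flags. */`. Likewise `X509_VERIFY_PARAM_set_auth_level` stores any int without validation; note that it relies on the clamping in `enough_bits_for_security_level` with `/* Stored as-is; clamped to 0..5 when the level is checked. */`.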
@@ -472,6 +493,7 @@ X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy) return 0; return 1; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_add0_policy); int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, @@ -504,9 +526,9 @@ X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param, return 0; } } - param->flags |= X509_V_FLAG_POLICY_CHECK; return 1; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_policies); int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, @@ -517,6 +539,7 @@ X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, param->id->poisoned = 1; return 0; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_host); int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, @@ -527,18 +550,28 @@ X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, param->id->poisoned = 1; return 0; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_add1_host); + +/* Public API in OpenSSL - nothing seems to use this. */ +unsigned int +X509_VERIFY_PARAM_get_hostflags(X509_VERIFY_PARAM *param) +{ + return param->id->hostflags; +} void X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param, unsigned int flags) { param->id->hostflags = flags; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_set_hostflags); char * X509_VERIFY_PARAM_get0_peername(X509_VERIFY_PARAM *param) { return param->id->peername; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0_peername); int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email, @@ -550,6 +583,7 @@ X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email, param->id->poisoned = 1; return 0; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_email); int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, const unsigned char *ip, @@ -564,6 +598,7 @@ X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, const unsigned char *ip, param->id->poisoned = 1; return 0; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_ip); int X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc) 
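Review bot: `X509_VERIFY_PARAM_get_hostflags` in the `@@ -527,18 +550,28 @@` hunk is the only newly exported function in this file without a trailing `LCRYPTO_ALIAS(...)` line, while the adjacent `X509_VERIFY_PARAM_set_hostflags` gets one; if the alias is what gives the symbol its intended linkage in libcrypto, omitting it looks like an oversight, and if it is deliberate the `nothing seems to use this` comment should say so. Add `LCRYPTO_ALIAS(X509_VERIFY_PARAM_get_hostflags);` after its closing brace, and consider taking `const X509_VERIFY_PARAM *` like the other getters in this file (`X509_VERIFY_PARAM_get_time`, `X509_VERIFY_PARAM_get_depth`, `X509_VERIFY_PARAM_get0_name`).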
@@ -574,18 +609,21 @@ X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc) iplen = (size_t)a2i_ipadd(ipout, ipasc); return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen); } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_set1_ip_asc); int X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) { return param->depth; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_get_depth); const char * X509_VERIFY_PARAM_get0_name(const X509_VERIFY_PARAM *param) { return param->name; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0_name); static const X509_VERIFY_PARAM_ID _empty_id = { NULL }; @@ -667,6 +705,7 @@ X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param) return 0; return 1; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_add0_table); int X509_VERIFY_PARAM_get_count(void) @@ -676,6 +715,7 @@ X509_VERIFY_PARAM_get_count(void) num += sk_X509_VERIFY_PARAM_num(param_table); return num; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_get_count); const X509_VERIFY_PARAM * X509_VERIFY_PARAM_get0(int id) @@ -685,6 +725,7 @@ X509_VERIFY_PARAM_get0(int id) return default_table + id; return sk_X509_VERIFY_PARAM_value(param_table, id - num); } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_get0); const X509_VERIFY_PARAM * X509_VERIFY_PARAM_lookup(const char *name) @@ -707,6 +748,7 @@ X509_VERIFY_PARAM_lookup(const char *name) } return NULL; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_lookup); void X509_VERIFY_PARAM_table_cleanup(void) @@ -716,3 +758,4 @@ X509_VERIFY_PARAM_table_cleanup(void) X509_VERIFY_PARAM_free); param_table = NULL; } +LCRYPTO_ALIAS(X509_VERIFY_PARAM_table_cleanup); diff --git a/crypto/x509/x509cset.c b/crypto/x509/x509cset.c index b3af77d..7904a7d 100644 --- a/crypto/x509/x509cset.c +++ b/crypto/x509/x509cset.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509cset.c,v 1.16 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509cset.c,v 1.19 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ 
@@ -63,7 +63,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" int X509_CRL_up_ref(X509_CRL *x) @@ -71,6 +71,7 @@ X509_CRL_up_ref(X509_CRL *x) int refs = CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL); return (refs > 1) ? 1 : 0; } +LCRYPTO_ALIAS(X509_CRL_up_ref); int X509_CRL_set_version(X509_CRL *x, long version) @@ -83,6 +84,7 @@ X509_CRL_set_version(X509_CRL *x, long version) } return (ASN1_INTEGER_set(x->crl->version, version)); } +LCRYPTO_ALIAS(X509_CRL_set_version); int X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name) @@ -91,6 +93,7 @@ X509_CRL_set_issuer_name(X509_CRL *x, X509_NAME *name) return (0); return (X509_NAME_set(&x->crl->issuer, name)); } +LCRYPTO_ALIAS(X509_CRL_set_issuer_name); int X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm) @@ -109,12 +112,14 @@ X509_CRL_set_lastUpdate(X509_CRL *x, const ASN1_TIME *tm) } return (in != NULL); } +LCRYPTO_ALIAS(X509_CRL_set_lastUpdate); int X509_CRL_set1_lastUpdate(X509_CRL *x, const ASN1_TIME *tm) { return X509_CRL_set_lastUpdate(x, tm); } +LCRYPTO_ALIAS(X509_CRL_set1_lastUpdate); int X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) @@ -133,12 +138,14 @@ X509_CRL_set_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) } return (in != NULL); } +LCRYPTO_ALIAS(X509_CRL_set_nextUpdate); int X509_CRL_set1_nextUpdate(X509_CRL *x, const ASN1_TIME *tm) { return X509_CRL_set_nextUpdate(x, tm); } +LCRYPTO_ALIAS(X509_CRL_set1_nextUpdate); int X509_CRL_sort(X509_CRL *c) 
@@ -156,24 +163,28 @@ X509_CRL_sort(X509_CRL *c) c->crl->enc.modified = 1; return 1; } +LCRYPTO_ALIAS(X509_CRL_sort); const STACK_OF(X509_EXTENSION) * X509_REVOKED_get0_extensions(const X509_REVOKED *x) { return x->extensions; } +LCRYPTO_ALIAS(X509_REVOKED_get0_extensions); const ASN1_TIME * X509_REVOKED_get0_revocationDate(const X509_REVOKED *x) { return x->revocationDate; } +LCRYPTO_ALIAS(X509_REVOKED_get0_revocationDate); const ASN1_INTEGER * X509_REVOKED_get0_serialNumber(const X509_REVOKED *x) { return x->serialNumber; } +LCRYPTO_ALIAS(X509_REVOKED_get0_serialNumber); int X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm) @@ -192,6 +203,7 @@ X509_REVOKED_set_revocationDate(X509_REVOKED *x, ASN1_TIME *tm) } return (in != NULL); } +LCRYPTO_ALIAS(X509_REVOKED_set_revocationDate); int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial) @@ -210,6 +222,7 @@ X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial) } return (in != NULL); } +LCRYPTO_ALIAS(X509_REVOKED_set_serialNumber); int i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) @@ -217,3 +230,4 @@ i2d_re_X509_CRL_tbs(X509_CRL *crl, unsigned char **pp) crl->crl->enc.modified = 1; return i2d_X509_CRL_INFO(crl->crl, pp); } +LCRYPTO_ALIAS(i2d_re_X509_CRL_tbs); diff --git a/crypto/x509/x509name.c b/crypto/x509/x509name.c index 878d787..ecdf473 100644 --- a/crypto/x509/x509name.c +++ b/crypto/x509/x509name.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509name.c,v 1.27 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509name.c,v 1.34 2023/05/03 08:10:23 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,7 +66,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len) 
@@ -78,6 +78,7 @@ X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len) return (-1); return (X509_NAME_get_text_by_OBJ(name, obj, buf, len)); } +LCRYPTO_ALIAS(X509_NAME_get_text_by_NID); int X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf, @@ -99,6 +100,7 @@ X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf, } return (i); } +LCRYPTO_ALIAS(X509_NAME_get_text_by_OBJ); int X509_NAME_entry_count(const X509_NAME *name) @@ -107,6 +109,7 @@ X509_NAME_entry_count(const X509_NAME *name) return (0); return (sk_X509_NAME_ENTRY_num(name->entries)); } +LCRYPTO_ALIAS(X509_NAME_entry_count); int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, int lastpos) @@ -118,8 +121,9 @@ X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, int lastpos) return (-2); return (X509_NAME_get_index_by_OBJ(name, obj, lastpos)); } +LCRYPTO_ALIAS(X509_NAME_get_index_by_NID); -/* NOTE: you should be passsing -1, not 0 as lastpos */ +/* NOTE: you should be passing -1, not 0 as lastpos */ int X509_NAME_get_index_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj, int lastpos) @@ -141,6 +145,7 @@ X509_NAME_get_index_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj, } return (-1); } +LCRYPTO_ALIAS(X509_NAME_get_index_by_OBJ); X509_NAME_ENTRY * X509_NAME_get_entry(const X509_NAME *name, int loc) @@ -151,6 +156,7 @@ X509_NAME_get_entry(const X509_NAME *name, int loc) else return (sk_X509_NAME_ENTRY_value(name->entries, loc)); } +LCRYPTO_ALIAS(X509_NAME_get_entry); X509_NAME_ENTRY * X509_NAME_delete_entry(X509_NAME *name, int loc) @@ -189,6 +195,7 @@ X509_NAME_delete_entry(X509_NAME *name, int loc) sk_X509_NAME_ENTRY_value(sk, i)->set--; return (ret); } +LCRYPTO_ALIAS(X509_NAME_delete_entry); int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type, 
@@ -204,6 +211,7 @@ X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type, X509_NAME_ENTRY_free(ne); return ret; } +LCRYPTO_ALIAS(X509_NAME_add_entry_by_OBJ); int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, @@ -219,6 +227,7 @@ X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, X509_NAME_ENTRY_free(ne); return ret; } +LCRYPTO_ALIAS(X509_NAME_add_entry_by_NID); int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, @@ -234,6 +243,7 @@ X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, X509_NAME_ENTRY_free(ne); return ret; } +LCRYPTO_ALIAS(X509_NAME_add_entry_by_txt); /* if set is -1, append to previous set, 0 'a new one', and 1, * prepend to the guy we are about to stomp on. */ @@ -292,6 +302,7 @@ err: X509_NAME_ENTRY_free(new_name); return (0); } +LCRYPTO_ALIAS(X509_NAME_add_entry); X509_NAME_ENTRY * X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, @@ -310,6 +321,7 @@ X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, ASN1_OBJECT_free(obj); return nentry; } +LCRYPTO_ALIAS(X509_NAME_ENTRY_create_by_txt); X509_NAME_ENTRY * X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type, @@ -327,6 +339,7 @@ X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type, ASN1_OBJECT_free(obj); return nentry; } +LCRYPTO_ALIAS(X509_NAME_ENTRY_create_by_NID); X509_NAME_ENTRY * X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, const ASN1_OBJECT *obj, @@ -354,6 +367,7 @@ err: X509_NAME_ENTRY_free(ret); return (NULL); } +LCRYPTO_ALIAS(X509_NAME_ENTRY_create_by_OBJ); int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, const ASN1_OBJECT *obj) @@ -366,6 +380,7 @@ X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, const ASN1_OBJECT *obj) ne->object = OBJ_dup(obj); return ((ne->object == NULL) ? 0 : 1); } +LCRYPTO_ALIAS(X509_NAME_ENTRY_set_object); int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, 
@@ -391,6 +406,7 @@ X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, } return (1); } +LCRYPTO_ALIAS(X509_NAME_ENTRY_set_data); ASN1_OBJECT * X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne) @@ -399,6 +415,7 @@ X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne) return (NULL); return (ne->object); } +LCRYPTO_ALIAS(X509_NAME_ENTRY_get_object); ASN1_STRING * X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne) @@ -407,9 +424,11 @@ X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne) return (NULL); return (ne->value); } +LCRYPTO_ALIAS(X509_NAME_ENTRY_get_data); int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne) { return (ne->set); } +LCRYPTO_ALIAS(X509_NAME_ENTRY_set); diff --git a/crypto/x509/x509rset.c b/crypto/x509/x509rset.c index a2dd9e4..f097a37 100644 --- a/crypto/x509/x509rset.c +++ b/crypto/x509/x509rset.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509rset.c,v 1.9 2021/11/01 20:53:08 tb Exp $ */ +/* $OpenBSD: x509rset.c,v 1.12 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,7 +63,7 @@ #include #include -#include "x509_lcl.h" +#include "x509_local.h" int X509_REQ_set_version(X509_REQ *x, long version) @@ -73,12 +73,14 @@ X509_REQ_set_version(X509_REQ *x, long version) x->req_info->enc.modified = 1; return (ASN1_INTEGER_set(x->req_info->version, version)); } +LCRYPTO_ALIAS(X509_REQ_set_version); long X509_REQ_get_version(const X509_REQ *x) { return ASN1_INTEGER_get(x->req_info->version); } +LCRYPTO_ALIAS(X509_REQ_get_version); int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name) @@ -88,12 +90,14 @@ X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name) x->req_info->enc.modified = 1; return (X509_NAME_set(&x->req_info->subject, name)); } +LCRYPTO_ALIAS(X509_REQ_set_subject_name); X509_NAME * X509_REQ_get_subject_name(const X509_REQ *x) { return x->req_info->subject; } +LCRYPTO_ALIAS(X509_REQ_get_subject_name); int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey) 
@@ -103,3 +107,4 @@ X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey) x->req_info->enc.modified = 1; return (X509_PUBKEY_set(&x->req_info->pubkey, pkey)); } +LCRYPTO_ALIAS(X509_REQ_set_pubkey); diff --git a/crypto/x509/x509spki.c b/crypto/x509/x509spki.c index 66bbd1e..04c9a6f 100644 --- a/crypto/x509/x509spki.c +++ b/crypto/x509/x509spki.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509spki.c,v 1.14 2019/05/23 02:08:34 bcook Exp $ */ +/* $OpenBSD: x509spki.c,v 1.16 2023/02/16 08:38:17 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -70,6 +70,7 @@ NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey) return (0); return (X509_PUBKEY_set(&(x->spkac->pubkey), pkey)); } +LCRYPTO_ALIAS(NETSCAPE_SPKI_set_pubkey); EVP_PKEY * NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x) @@ -78,6 +79,7 @@ NETSCAPE_SPKI_get_pubkey(NETSCAPE_SPKI *x) return (NULL); return (X509_PUBKEY_get(x->spkac->pubkey)); } +LCRYPTO_ALIAS(NETSCAPE_SPKI_get_pubkey); /* Load a Netscape SPKI from a base64 encoded string */ @@ -106,6 +108,7 @@ NETSCAPE_SPKI_b64_decode(const char *str, int len) free(spki_der); return spki; } +LCRYPTO_ALIAS(NETSCAPE_SPKI_b64_decode); /* Generate a base64 encoded string from an SPKI */ @@ -130,3 +133,4 @@ NETSCAPE_SPKI_b64_encode(NETSCAPE_SPKI *spki) free(der_spki); return b64_str; } +LCRYPTO_ALIAS(NETSCAPE_SPKI_b64_encode); diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c index 7495b9e..ebc02c5 100644 --- a/crypto/x509/x509type.c +++ b/crypto/x509/x509type.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509type.c,v 1.15 2021/12/12 21:30:14 tb Exp $ */ +/* $OpenBSD: x509type.c,v 1.18 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,8 +62,8 @@ #include #include -#include "evp_locl.h" -#include "x509_lcl.h" +#include "evp_local.h" +#include "x509_local.h" int X509_certificate_type(const X509 *x, const EVP_PKEY *pkey) 
@@ -124,3 +124,4 @@ X509_certificate_type(const X509 *x, const EVP_PKEY *pkey) ret |= EVP_PKT_EXP; return (ret); } +LCRYPTO_ALIAS(X509_certificate_type); diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c index 9bcb0c3..cd6da9f 100644 --- a/crypto/x509/x_all.c +++ b/crypto/x509/x_all.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_all.c,v 1.25 2021/12/03 16:46:50 jsing Exp $ */ +/* $OpenBSD: x_all.c,v 1.30 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -73,103 +73,91 @@ #include #endif -#include "x509_lcl.h" +#include "x509_local.h" X509 * d2i_X509_bio(BIO *bp, X509 **x509) { return ASN1_item_d2i_bio(&X509_it, bp, x509); } +LCRYPTO_ALIAS(d2i_X509_bio); int i2d_X509_bio(BIO *bp, X509 *x509) { return ASN1_item_i2d_bio(&X509_it, bp, x509); } +LCRYPTO_ALIAS(i2d_X509_bio); X509 * d2i_X509_fp(FILE *fp, X509 **x509) { return ASN1_item_d2i_fp(&X509_it, fp, x509); } +LCRYPTO_ALIAS(d2i_X509_fp); int i2d_X509_fp(FILE *fp, X509 *x509) { return ASN1_item_i2d_fp(&X509_it, fp, x509); } +LCRYPTO_ALIAS(i2d_X509_fp); X509_CRL * d2i_X509_CRL_bio(BIO *bp, X509_CRL **crl) { return ASN1_item_d2i_bio(&X509_CRL_it, bp, crl); } +LCRYPTO_ALIAS(d2i_X509_CRL_bio); int i2d_X509_CRL_bio(BIO *bp, X509_CRL *crl) { return ASN1_item_i2d_bio(&X509_CRL_it, bp, crl); } +LCRYPTO_ALIAS(i2d_X509_CRL_bio); X509_CRL * d2i_X509_CRL_fp(FILE *fp, X509_CRL **crl) { return ASN1_item_d2i_fp(&X509_CRL_it, fp, crl); } +LCRYPTO_ALIAS(d2i_X509_CRL_fp); int i2d_X509_CRL_fp(FILE *fp, X509_CRL *crl) { return ASN1_item_i2d_fp(&X509_CRL_it, fp, crl); } - -PKCS7 * -d2i_PKCS7_bio(BIO *bp, PKCS7 **p7) -{ - return ASN1_item_d2i_bio(&PKCS7_it, bp, p7); -} - -int -i2d_PKCS7_bio(BIO *bp, PKCS7 *p7) -{ - return ASN1_item_i2d_bio(&PKCS7_it, bp, p7); -} - -PKCS7 * -d2i_PKCS7_fp(FILE *fp, PKCS7 **p7) -{ - return ASN1_item_d2i_fp(&PKCS7_it, fp, p7); -} - -int -i2d_PKCS7_fp(FILE *fp, PKCS7 *p7) -{ - return ASN1_item_i2d_fp(&PKCS7_it, fp, p7); -} +LCRYPTO_ALIAS(i2d_X509_CRL_fp); X509_REQ * d2i_X509_REQ_bio(BIO *bp, X509_REQ **req) { return ASN1_item_d2i_bio(&X509_REQ_it, bp, req); } +LCRYPTO_ALIAS(d2i_X509_REQ_bio); int i2d_X509_REQ_bio(BIO *bp, X509_REQ *req) { return ASN1_item_i2d_bio(&X509_REQ_it, bp, req); } +LCRYPTO_ALIAS(i2d_X509_REQ_bio); X509_REQ * d2i_X509_REQ_fp(FILE *fp, X509_REQ **req) { return ASN1_item_d2i_fp(&X509_REQ_it, fp, req); } +LCRYPTO_ALIAS(d2i_X509_REQ_fp); int i2d_X509_REQ_fp(FILE *fp, X509_REQ *req) { return ASN1_item_i2d_fp(&X509_REQ_it, fp, req); } 
+LCRYPTO_ALIAS(i2d_X509_REQ_fp); #ifndef OPENSSL_NO_RSA RSA * @@ -177,48 +165,56 @@ d2i_RSAPrivateKey_bio(BIO *bp, RSA **rsa) { return ASN1_item_d2i_bio(&RSAPrivateKey_it, bp, rsa); } +LCRYPTO_ALIAS(d2i_RSAPrivateKey_bio); int i2d_RSAPrivateKey_bio(BIO *bp, RSA *rsa) { return ASN1_item_i2d_bio(&RSAPrivateKey_it, bp, rsa); } +LCRYPTO_ALIAS(i2d_RSAPrivateKey_bio); RSA * d2i_RSAPrivateKey_fp(FILE *fp, RSA **rsa) { return ASN1_item_d2i_fp(&RSAPrivateKey_it, fp, rsa); } +LCRYPTO_ALIAS(d2i_RSAPrivateKey_fp); int i2d_RSAPrivateKey_fp(FILE *fp, RSA *rsa) { return ASN1_item_i2d_fp(&RSAPrivateKey_it, fp, rsa); } +LCRYPTO_ALIAS(i2d_RSAPrivateKey_fp); RSA * d2i_RSAPublicKey_bio(BIO *bp, RSA **rsa) { return ASN1_item_d2i_bio(&RSAPublicKey_it, bp, rsa); } +LCRYPTO_ALIAS(d2i_RSAPublicKey_bio); int i2d_RSAPublicKey_bio(BIO *bp, RSA *rsa) { return ASN1_item_i2d_bio(&RSAPublicKey_it, bp, rsa); } +LCRYPTO_ALIAS(i2d_RSAPublicKey_bio); RSA * d2i_RSAPublicKey_fp(FILE *fp, RSA **rsa) { return ASN1_item_d2i_fp(&RSAPublicKey_it, fp, rsa); } +LCRYPTO_ALIAS(d2i_RSAPublicKey_fp); int i2d_RSAPublicKey_fp(FILE *fp, RSA *rsa) { return ASN1_item_i2d_fp(&RSAPublicKey_it, fp, rsa); } +LCRYPTO_ALIAS(i2d_RSAPublicKey_fp); #endif #ifndef OPENSSL_NO_DSA @@ -227,24 +223,28 @@ d2i_DSAPrivateKey_bio(BIO *bp, DSA **dsa) { return ASN1_item_d2i_bio(&DSAPrivateKey_it, bp, dsa); } +LCRYPTO_ALIAS(d2i_DSAPrivateKey_bio); int i2d_DSAPrivateKey_bio(BIO *bp, DSA *dsa) { return ASN1_item_i2d_bio(&DSAPrivateKey_it, bp, dsa); } +LCRYPTO_ALIAS(i2d_DSAPrivateKey_bio); DSA * d2i_DSAPrivateKey_fp(FILE *fp, DSA **dsa) { return ASN1_item_d2i_fp(&DSAPrivateKey_it, fp, dsa); } +LCRYPTO_ALIAS(d2i_DSAPrivateKey_fp); int i2d_DSAPrivateKey_fp(FILE *fp, DSA *dsa) { return ASN1_item_i2d_fp(&DSAPrivateKey_it, fp, dsa); } +LCRYPTO_ALIAS(i2d_DSAPrivateKey_fp); #endif #ifndef OPENSSL_NO_EC 
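Review bot: The four PKCS7 BIO/FILE helpers (d2i_PKCS7_bio, i2d_PKCS7_bio, d2i_PKCS7_fp, i2d_PKCS7_fp) are deleted from this file with no replacement visible in the hunk, and the same happens to PKCS7_ISSUER_AND_SERIAL_digest in the `@@ -498,14 +530,7 @@` hunk of this file further down; every other public function in x_all.c gains an LCRYPTO_ALIAS, so these five are the only exported symbols of the file that silently disappear. If they were moved to a pkcs7 source file elsewhere in this commit, the commit description should say so; if not, this is an exported-symbol removal that consumers only discover at load time. Whoever lands the replacement definitions should also give them LCRYPTO_ALIAS so their visibility matches the rest of this change.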
@@ -253,24 +253,28 @@ d2i_ECPrivateKey_bio(BIO *bp, EC_KEY **eckey) { return ASN1_d2i_bio_of(EC_KEY, EC_KEY_new, d2i_ECPrivateKey, bp, eckey); } +LCRYPTO_ALIAS(d2i_ECPrivateKey_bio); int i2d_ECPrivateKey_bio(BIO *bp, EC_KEY *eckey) { return ASN1_i2d_bio_of(EC_KEY, i2d_ECPrivateKey, bp, eckey); } +LCRYPTO_ALIAS(i2d_ECPrivateKey_bio); EC_KEY * d2i_ECPrivateKey_fp(FILE *fp, EC_KEY **eckey) { return ASN1_d2i_fp_of(EC_KEY, EC_KEY_new, d2i_ECPrivateKey, fp, eckey); } +LCRYPTO_ALIAS(d2i_ECPrivateKey_fp); int i2d_ECPrivateKey_fp(FILE *fp, EC_KEY *eckey) { return ASN1_i2d_fp_of(EC_KEY, i2d_ECPrivateKey, fp, eckey); } +LCRYPTO_ALIAS(i2d_ECPrivateKey_fp); #endif X509_SIG * @@ -278,24 +282,28 @@ d2i_PKCS8_bio(BIO *bp, X509_SIG **p8) { return ASN1_item_d2i_bio(&X509_SIG_it, bp, p8); } +LCRYPTO_ALIAS(d2i_PKCS8_bio); int i2d_PKCS8_bio(BIO *bp, X509_SIG *p8) { return ASN1_item_i2d_bio(&X509_SIG_it, bp, p8); } +LCRYPTO_ALIAS(i2d_PKCS8_bio); X509_SIG * d2i_PKCS8_fp(FILE *fp, X509_SIG **p8) { return ASN1_item_d2i_fp(&X509_SIG_it, fp, p8); } +LCRYPTO_ALIAS(d2i_PKCS8_fp); int i2d_PKCS8_fp(FILE *fp, X509_SIG *p8) { return ASN1_item_i2d_fp(&X509_SIG_it, fp, p8); } +LCRYPTO_ALIAS(i2d_PKCS8_fp); PKCS8_PRIV_KEY_INFO * d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO **p8inf) @@ -303,6 +311,7 @@ d2i_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO **p8inf) return ASN1_item_d2i_bio(&PKCS8_PRIV_KEY_INFO_it, bp, p8inf); } +LCRYPTO_ALIAS(d2i_PKCS8_PRIV_KEY_INFO_bio); int i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO *p8inf) @@ -310,6 +319,7 @@ i2d_PKCS8_PRIV_KEY_INFO_bio(BIO *bp, PKCS8_PRIV_KEY_INFO *p8inf) return ASN1_item_i2d_bio(&PKCS8_PRIV_KEY_INFO_it, bp, p8inf); } +LCRYPTO_ALIAS(i2d_PKCS8_PRIV_KEY_INFO_bio); PKCS8_PRIV_KEY_INFO * d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf) 
@@ -317,6 +327,7 @@ d2i_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO **p8inf) return ASN1_item_d2i_fp(&PKCS8_PRIV_KEY_INFO_it, fp, p8inf); } +LCRYPTO_ALIAS(d2i_PKCS8_PRIV_KEY_INFO_fp); int i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO *p8inf) @@ -324,6 +335,7 @@ i2d_PKCS8_PRIV_KEY_INFO_fp(FILE *fp, PKCS8_PRIV_KEY_INFO *p8inf) return ASN1_item_i2d_fp(&PKCS8_PRIV_KEY_INFO_it, fp, p8inf); } +LCRYPTO_ALIAS(i2d_PKCS8_PRIV_KEY_INFO_fp); EVP_PKEY * d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a) @@ -331,12 +343,14 @@ d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a) return ASN1_d2i_bio_of(EVP_PKEY, EVP_PKEY_new, d2i_AutoPrivateKey, bp, a); } +LCRYPTO_ALIAS(d2i_PrivateKey_bio); int i2d_PrivateKey_bio(BIO *bp, EVP_PKEY *pkey) { return ASN1_i2d_bio_of(EVP_PKEY, i2d_PrivateKey, bp, pkey); } +LCRYPTO_ALIAS(i2d_PrivateKey_bio); EVP_PKEY * d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a) @@ -344,12 +358,14 @@ d2i_PrivateKey_fp(FILE *fp, EVP_PKEY **a) return ASN1_d2i_fp_of(EVP_PKEY, EVP_PKEY_new, d2i_AutoPrivateKey, fp, a); } +LCRYPTO_ALIAS(d2i_PrivateKey_fp); int i2d_PrivateKey_fp(FILE *fp, EVP_PKEY *pkey) { return ASN1_i2d_fp_of(EVP_PKEY, i2d_PrivateKey, fp, pkey); } +LCRYPTO_ALIAS(i2d_PrivateKey_fp); int i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key) @@ -364,6 +380,7 @@ i2d_PKCS8PrivateKeyInfo_bio(BIO *bp, EVP_PKEY *key) PKCS8_PRIV_KEY_INFO_free(p8inf); return ret; } +LCRYPTO_ALIAS(i2d_PKCS8PrivateKeyInfo_bio); int i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key) @@ -377,15 +394,17 @@ i2d_PKCS8PrivateKeyInfo_fp(FILE *fp, EVP_PKEY *key) PKCS8_PRIV_KEY_INFO_free(p8inf); return ret; } +LCRYPTO_ALIAS(i2d_PKCS8PrivateKeyInfo_fp); int X509_verify(X509 *a, EVP_PKEY *r) { if (X509_ALGOR_cmp(a->sig_alg, a->cert_info->signature)) return 0; - return(ASN1_item_verify(&X509_CINF_it, a->sig_alg, + return (ASN1_item_verify(&X509_CINF_it, a->sig_alg, a->signature, a->cert_info, r)); } +LCRYPTO_ALIAS(X509_verify); int X509_REQ_verify(X509_REQ *a, EVP_PKEY *r) 
@@ -393,6 +412,7 @@ X509_REQ_verify(X509_REQ *a, EVP_PKEY *r) return (ASN1_item_verify(&X509_REQ_INFO_it, a->sig_alg, a->signature, a->req_info, r)); } +LCRYPTO_ALIAS(X509_REQ_verify); int NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r) @@ -400,6 +420,7 @@ NETSCAPE_SPKI_verify(NETSCAPE_SPKI *a, EVP_PKEY *r) return (ASN1_item_verify(&NETSCAPE_SPKAC_it, a->sig_algor, a->signature, a->spkac, r)); } +LCRYPTO_ALIAS(NETSCAPE_SPKI_verify); int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) @@ -409,6 +430,7 @@ X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md) x->cert_info->signature, x->sig_alg, x->signature, x->cert_info, pkey, md)); } +LCRYPTO_ALIAS(X509_sign); int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx) @@ -418,6 +440,7 @@ X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx) x->cert_info->signature, x->sig_alg, x->signature, x->cert_info, ctx); } +LCRYPTO_ALIAS(X509_sign_ctx); int X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) @@ -425,6 +448,7 @@ X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md) return (ASN1_item_sign(&X509_REQ_INFO_it, x->sig_alg, NULL, x->signature, x->req_info, pkey, md)); } +LCRYPTO_ALIAS(X509_REQ_sign); int X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx) @@ -432,6 +456,7 @@ X509_REQ_sign_ctx(X509_REQ *x, EVP_MD_CTX *ctx) return ASN1_item_sign_ctx(&X509_REQ_INFO_it, x->sig_alg, NULL, x->signature, x->req_info, ctx); } +LCRYPTO_ALIAS(X509_REQ_sign_ctx); int X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) @@ -440,6 +465,7 @@ X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md) return(ASN1_item_sign(&X509_CRL_INFO_it, x->crl->sig_alg, x->sig_alg, x->signature, x->crl, pkey, md)); } +LCRYPTO_ALIAS(X509_CRL_sign); int X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx) 
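Review bot: `return(ASN1_item_sign(&X509_CRL_INFO_it, x->crl->sig_alg,` in X509_CRL_sign keeps the no-space `return(` form while this same commit normalizes X509_verify to `return (ASN1_item_verify(`; since the file is being touched function by function anyway, the consistent spelling here would be `return (ASN1_item_sign(&X509_CRL_INFO_it, x->crl->sig_alg,`. The body of X509_CRL_sign starts outside the hunk.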
@@ -448,6 +474,7 @@ X509_CRL_sign_ctx(X509_CRL *x, EVP_MD_CTX *ctx) return ASN1_item_sign_ctx(&X509_CRL_INFO_it, x->crl->sig_alg, x->sig_alg, x->signature, x->crl, ctx); } +LCRYPTO_ALIAS(X509_CRL_sign_ctx); int NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md) @@ -455,6 +482,7 @@ NETSCAPE_SPKI_sign(NETSCAPE_SPKI *x, EVP_PKEY *pkey, const EVP_MD *md) return (ASN1_item_sign(&NETSCAPE_SPKAC_it, x->sig_algor, NULL, x->signature, x->spkac, pkey, md)); } +LCRYPTO_ALIAS(NETSCAPE_SPKI_sign); int X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md, @@ -466,6 +494,7 @@ X509_pubkey_digest(const X509 *data, const EVP_MD *type, unsigned char *md, return 0; return EVP_Digest(key->data, key->length, md, len, type, NULL); } +LCRYPTO_ALIAS(X509_pubkey_digest); int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md, @@ -474,6 +503,7 @@ X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md, return (ASN1_item_digest(&X509_it, type, (char *)data, md, len)); } +LCRYPTO_ALIAS(X509_digest); int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md, @@ -482,6 +512,7 @@ X509_CRL_digest(const X509_CRL *data, const EVP_MD *type, unsigned char *md, return (ASN1_item_digest(&X509_CRL_it, type, (char *)data, md, len)); } +LCRYPTO_ALIAS(X509_CRL_digest); int X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, unsigned char *md, @@ -490,6 +521,7 @@ X509_REQ_digest(const X509_REQ *data, const EVP_MD *type, unsigned char *md, return (ASN1_item_digest(&X509_REQ_it, type, (char *)data, md, len)); } +LCRYPTO_ALIAS(X509_REQ_digest); int X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, unsigned char *md, 
@@ -498,14 +530,7 @@ X509_NAME_digest(const X509_NAME *data, const EVP_MD *type, unsigned char *md, return (ASN1_item_digest(&X509_NAME_it, type, (char *)data, md, len)); } - -int -PKCS7_ISSUER_AND_SERIAL_digest(PKCS7_ISSUER_AND_SERIAL *data, - const EVP_MD *type, unsigned char *md, unsigned int *len) -{ - return(ASN1_item_digest(&PKCS7_ISSUER_AND_SERIAL_it, type, - (char *)data, md, len)); -} +LCRYPTO_ALIAS(X509_NAME_digest); int X509_up_ref(X509 *x)
@@ -513,3 +538,4 @@ X509_up_ref(X509 *x) int i = CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); return i > 1 ? 1 : 0; } +LCRYPTO_ALIAS(X509_up_ref);
diff --git a/include/CMakeLists.txt b/include/CMakeLists.txt
index 1d1a159..76f65b6 100644
--- a/include/CMakeLists.txt
+++ b/include/CMakeLists.txt
@@ -1,8 +1,22 @@
-if(ENABLE_LIBRESSL_INSTALL)
- install(DIRECTORY .
- DESTINATION ${CMAKE_INSTALL_INCLUDEDIR}
- PATTERN "CMakeLists.txt" EXCLUDE
- PATTERN "compat" EXCLUDE
- PATTERN "pqueue.h" EXCLUDE
- PATTERN "Makefile*" EXCLUDE)
-endif(ENABLE_LIBRESSL_INSTALL)
+if(HOST_AARCH64)
+ file(READ arch/aarch64/opensslconf.h OPENSSLCONF)
+elseif(HOST_ARM)
+ file(READ arch/arm/opensslconf.h OPENSSLCONF)
+elseif(HOST_I386)
+ file(READ arch/i386/opensslconf.h OPENSSLCONF)
+elseif(HOST_MIPS)
+ file(READ arch/mips/opensslconf.h OPENSSLCONF)
+elseif(HOST_MIPS64)
+ file(READ arch/mips64/opensslconf.h OPENSSLCONF)
+elseif(HOST_POWERPC)
+ file(READ arch/powerpc/opensslconf.h OPENSSLCONF)
+elseif(HOST_POWERPC64)
+ file(READ arch/powerpc64/opensslconf.h OPENSSLCONF)
+elseif(HOST_RISCV64)
+ file(READ arch/riscv64/opensslconf.h OPENSSLCONF)
+elseif(HOST_SPARC64)
+ file(READ arch/sparc64/opensslconf.h OPENSSLCONF)
+elseif(HOST_X86_64)
+ file(READ arch/amd64/opensslconf.h OPENSSLCONF)
+endif()
+file(WRITE openssl/opensslconf.h "${OPENSSLCONF}")
diff --git a/include/arch/aarch64/opensslconf.h b/include/arch/aarch64/opensslconf.h
new file mode 100644
index 0000000..748ed8f
--- /dev/null
+++ b/include/arch/aarch64/opensslconf.h
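Review bot: The new selection chain in include/CMakeLists.txt has no `else()`, so on any host where none of the HOST_* variables is set OPENSSLCONF stays empty and `file(WRITE openssl/opensslconf.h "${OPENSSLCONF}")` silently emits an empty header; the build then continues with no BN word-size or DES option selection at all instead of stopping, which is the wrong failure mode for a crypto library. Add `else()` followed by `message(FATAL_ERROR "no opensslconf.h for ${CMAKE_SYSTEM_NAME}/${CMAKE_SYSTEM_PROCESSOR}")` before the `endif()` so configuration fails closed. Two branches also deserve a look: this commit adds `include/arch/alpha/opensslconf.h` but no branch ever selects it, and I could not confirm from this hunk that the top-level detection sets a variable spelled exactly HOST_POWERPC64, in which case that branch is dead. Finally, both `file(READ arch/...)` and `file(WRITE openssl/opensslconf.h ...)` use paths relative to the source directory, so every configure run writes into the checkout; spelling them with `${CMAKE_CURRENT_SOURCE_DIR}` and writing the generated header under `${CMAKE_CURRENT_BINARY_DIR}` (with a matching include directory) would make that intent explicit and keep generated output out of the source tree.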
@@ -0,0 +1,154 @@
+#include
+/* crypto/opensslconf.h.in */
+
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/etc/ssl"
+#endif
+
+#undef OPENSSL_UNISTD
+#define OPENSSL_UNISTD
+
+#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#define RC4_INT unsigned int
+#endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#define RC4_CHUNK unsigned long
+#endif
+#endif
+
+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned int
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#undef BN_LLONG
+
+/* Should we define BN_DIV2W here?
*/
+
+/* Only one for the following should be defined */
+/* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debugging the bignum libraries */
+#define SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#undef THIRTY_TWO_BIT
+#undef SIXTEEN_BIT
+#undef EIGHT_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#undef RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#undef BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#undef DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units. It reduces register dependencies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#undef DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very much CPU dependent */
+#ifndef DES_UNROLL
+#define DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+ CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+ even newer MIPS CPU's, but at the moment one size fits all for
+ optimization options.
Older Sparc's work better with only UNROLL, but
+ there's no way to tell at compile time what it is you're running on */
+
+#if defined( sun ) /* Newer Sparc's */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#elif defined( __ultrix ) /* Older MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined( __osf1__ ) /* Alpha */
+# define DES_PTR
+# define DES_RISC2
+#elif defined ( _AIX ) /* RS6000 */
+ /* Unknown */
+#elif defined( __hpux ) /* HP-PA */
+ /* Unknown */
+#elif defined( __aux ) /* 68K */
+ /* Unknown */
+#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */
+# define DES_UNROLL
+#elif defined( __sgi ) /* Newer MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+#endif /* HEADER_DES_LOCL_H */
diff --git a/include/arch/alpha/opensslconf.h b/include/arch/alpha/opensslconf.h
new file mode 100644
index 0000000..47f2aa8
--- /dev/null
+++ b/include/arch/alpha/opensslconf.h
@@ -0,0 +1,152 @@
+#include
+/* crypto/opensslconf.h.in */
+
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/etc/ssl"
+#endif
+
+#undef OPENSSL_UNISTD
+#define OPENSSL_UNISTD
+
+#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#define RC4_INT unsigned int
+#endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#define RC4_CHUNK unsigned long
+#endif
+#endif
+
+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned int
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#undef BN_LLONG
+
+/* Should we define BN_DIV2W here?
*/
+
+/* Only one for the following should be defined */
+/* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debugging the bignum libraries */
+#define SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#undef THIRTY_TWO_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#undef RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#define BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#define DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units. It reduces register dependencies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#undef DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#define DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very much CPU dependent */
+#ifndef DES_UNROLL
+#undef DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+ CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+ even newer MIPS CPU's, but at the moment one size fits all for
+ optimization options.
Older Sparc's work better with only UNROLL, but
+ there's no way to tell at compile time what it is you're running on */
+
+#if defined( sun ) /* Newer Sparc's */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#elif defined( __ultrix ) /* Older MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined( __osf1__ ) /* Alpha */
+# define DES_PTR
+# define DES_RISC2
+#elif defined ( _AIX ) /* RS6000 */
+ /* Unknown */
+#elif defined( __hpux ) /* HP-PA */
+ /* Unknown */
+#elif defined( __aux ) /* 68K */
+ /* Unknown */
+#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */
+# define DES_UNROLL
+#elif defined( __sgi ) /* Newer MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+#endif /* HEADER_DES_LOCL_H */
diff --git a/include/arch/amd64/opensslconf.h b/include/arch/amd64/opensslconf.h
new file mode 100644
index 0000000..5cad089
--- /dev/null
+++ b/include/arch/amd64/opensslconf.h
@@ -0,0 +1,149 @@
+#include
+/* crypto/opensslconf.h.in */
+
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/etc/ssl"
+#endif
+
+#undef OPENSSL_UNISTD
+#define OPENSSL_UNISTD
+
+#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#define RC4_INT unsigned int
+#endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#define RC4_CHUNK unsigned long
+#endif
+#endif
+
+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned int
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#undef BN_LLONG
+
+/* Should we define BN_DIV2W here?
*/
+
+/* Only one for the following should be defined */
+#define SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#undef THIRTY_TWO_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#undef RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#undef BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#undef DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units. It reduces register dependencies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#undef DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very much CPU dependent */
+#ifndef DES_UNROLL
+#define DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+ CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+ even newer MIPS CPU's, but at the moment one size fits all for
+ optimization options.
Older Sparc's work better with only UNROLL, but
+ there's no way to tell at compile time what it is you're running on */
+
+#if defined( sun ) /* Newer Sparc's */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#elif defined( __ultrix ) /* Older MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined( __osf1__ ) /* Alpha */
+# define DES_PTR
+# define DES_RISC2
+#elif defined ( _AIX ) /* RS6000 */
+ /* Unknown */
+#elif defined( __hpux ) /* HP-PA */
+ /* Unknown */
+#elif defined( __aux ) /* 68K */
+ /* Unknown */
+#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */
+# define DES_UNROLL
+#elif defined( __sgi ) /* Newer MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+#endif /* HEADER_DES_LOCL_H */
diff --git a/include/arch/arm/opensslconf.h b/include/arch/arm/opensslconf.h
new file mode 100644
index 0000000..f17d3d2
--- /dev/null
+++ b/include/arch/arm/opensslconf.h
@@ -0,0 +1,154 @@
+#include
+/* crypto/opensslconf.h.in */
+
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/etc/ssl"
+#endif
+
+#undef OPENSSL_UNISTD
+#define OPENSSL_UNISTD
+
+#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#define RC4_INT unsigned int
+#endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#undef RC4_CHUNK
+#endif
+#endif
+
+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned int
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#define BN_LLONG
+
+/* Should we define BN_DIV2W here?
*/
+
+/* Only one for the following should be defined */
+/* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debugging the bignum libraries */
+#undef SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#define THIRTY_TWO_BIT
+#undef SIXTEEN_BIT
+#undef EIGHT_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#define RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#undef BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#undef DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units. It reduces register dependencies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#undef DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very much CPU dependent */
+#ifndef DES_UNROLL
+#define DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+ CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+ even newer MIPS CPU's, but at the moment one size fits all for
+ optimization options.
Older Sparc's work better with only UNROLL, but
+ there's no way to tell at compile time what it is you're running on */
+
+#if defined( sun ) /* Newer Sparc's */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#elif defined( __ultrix ) /* Older MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined( __osf1__ ) /* Alpha */
+# define DES_PTR
+# define DES_RISC2
+#elif defined ( _AIX ) /* RS6000 */
+ /* Unknown */
+#elif defined( __hpux ) /* HP-PA */
+ /* Unknown */
+#elif defined( __aux ) /* 68K */
+ /* Unknown */
+#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */
+# define DES_UNROLL
+#elif defined( __sgi ) /* Newer MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+#endif /* HEADER_DES_LOCL_H */
diff --git a/include/arch/hppa/opensslconf.h b/include/arch/hppa/opensslconf.h
new file mode 100644
index 0000000..f17d3d2
--- /dev/null
+++ b/include/arch/hppa/opensslconf.h
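Review bot: The `#if defined(DES_RISC1) && defined(DES_RISC2)` block in the DES section of this new arm header makes the conflict fail by leaving a bare English sentence for the compiler to trip over; `#error "DES_RISC1 and DES_RISC2 are mutually exclusive"` would stop preprocessing with a diagnostic that names the cause rather than a syntax error several lines later. The same template text is repeated verbatim in the hppa, i386, m88k, mips, mips64 and powerpc hunks, so the change applies to each of them. The `#ifndef DES_PTR` / `#undef DES_PTR` / `#endif` triple (and the RISC1/RISC2 ones in this file) undefines a macro only when it is already undefined and so is a no-op carried over from the template; a one-line comment such as `/* no-op: kept for parity with the opensslconf.h.in template */` would save the next reader from hunting for a side effect. The first line `#include` appears here with no operand; if that is not an artefact of the rendering, the header will not preprocess.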
@@ -0,0 +1,154 @@
+#include
+/* crypto/opensslconf.h.in */
+
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/etc/ssl"
+#endif
+
+#undef OPENSSL_UNISTD
+#define OPENSSL_UNISTD
+
+#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#define RC4_INT unsigned int
+#endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#undef RC4_CHUNK
+#endif
+#endif
+
+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned int
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#define BN_LLONG
+
+/* Should we define BN_DIV2W here?
*/
+
+/* Only one for the following should be defined */
+/* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debugging the bignum libraries */
+#undef SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#define THIRTY_TWO_BIT
+#undef SIXTEEN_BIT
+#undef EIGHT_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#define RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#undef BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#undef DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units. It reduces register dependencies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#undef DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very much CPU dependent */
+#ifndef DES_UNROLL
+#define DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+ CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+ even newer MIPS CPU's, but at the moment one size fits all for
+ optimization options.
Older Sparc's work better with only UNROLL, but
+ there's no way to tell at compile time what it is you're running on */
+
+#if defined( sun ) /* Newer Sparc's */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#elif defined( __ultrix ) /* Older MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined( __osf1__ ) /* Alpha */
+# define DES_PTR
+# define DES_RISC2
+#elif defined ( _AIX ) /* RS6000 */
+ /* Unknown */
+#elif defined( __hpux ) /* HP-PA */
+ /* Unknown */
+#elif defined( __aux ) /* 68K */
+ /* Unknown */
+#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */
+# define DES_UNROLL
+#elif defined( __sgi ) /* Newer MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+#endif /* HEADER_DES_LOCL_H */
diff --git a/include/arch/i386/opensslconf.h b/include/arch/i386/opensslconf.h
new file mode 100644
index 0000000..3b3827c
--- /dev/null
+++ b/include/arch/i386/opensslconf.h
@@ -0,0 +1,154 @@
+#include
+/* crypto/opensslconf.h.in */
+
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/etc/ssl"
+#endif
+
+#undef OPENSSL_UNISTD
+#define OPENSSL_UNISTD
+
+#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#define RC4_INT unsigned int
+#endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#undef RC4_CHUNK
+#endif
+#endif
+
+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned long
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#define BN_LLONG
+
+/* Should we define BN_DIV2W here?
*/
+
+/* Only one for the following should be defined */
+/* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debugging the bignum libraries */
+#undef SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#define THIRTY_TWO_BIT
+#undef SIXTEEN_BIT
+#undef EIGHT_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#define RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#undef BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#define DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units. It reduces register dependencies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#define DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very much CPU dependent */
+#ifndef DES_UNROLL
+#define DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+ CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+ even newer MIPS CPU's, but at the moment one size fits all for
+ optimization options.
Older Sparc's work better with only UNROLL, but
+ there's no way to tell at compile time what it is you're running on */
+
+#if defined( sun ) /* Newer Sparc's */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#elif defined( __ultrix ) /* Older MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined( __osf1__ ) /* Alpha */
+# define DES_PTR
+# define DES_RISC2
+#elif defined ( _AIX ) /* RS6000 */
+ /* Unknown */
+#elif defined( __hpux ) /* HP-PA */
+ /* Unknown */
+#elif defined( __aux ) /* 68K */
+ /* Unknown */
+#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */
+# define DES_UNROLL
+#elif defined( __sgi ) /* Newer MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+#endif /* HEADER_DES_LOCL_H */
diff --git a/include/arch/m88k/opensslconf.h b/include/arch/m88k/opensslconf.h
new file mode 100644
index 0000000..f17d3d2
--- /dev/null
+++ b/include/arch/m88k/opensslconf.h
@@ -0,0 +1,154 @@
+#include
+/* crypto/opensslconf.h.in */
+
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/etc/ssl"
+#endif
+
+#undef OPENSSL_UNISTD
+#define OPENSSL_UNISTD
+
+#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#define RC4_INT unsigned int
+#endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#undef RC4_CHUNK
+#endif
+#endif
+
+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned int
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#define BN_LLONG
+
+/* Should we define BN_DIV2W here?
*/
+
+/* Only one for the following should be defined */
+/* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debugging the bignum libraries */
+#undef SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#define THIRTY_TWO_BIT
+#undef SIXTEEN_BIT
+#undef EIGHT_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#define RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#undef BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#undef DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units. It reduces register dependencies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#undef DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very much CPU dependent */
+#ifndef DES_UNROLL
+#define DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+ CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+ even newer MIPS CPU's, but at the moment one size fits all for
+ optimization options.
Older Sparc's work better with only UNROLL, but
+ there's no way to tell at compile time what it is you're running on */
+
+#if defined( sun ) /* Newer Sparc's */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#elif defined( __ultrix ) /* Older MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined( __osf1__ ) /* Alpha */
+# define DES_PTR
+# define DES_RISC2
+#elif defined ( _AIX ) /* RS6000 */
+ /* Unknown */
+#elif defined( __hpux ) /* HP-PA */
+ /* Unknown */
+#elif defined( __aux ) /* 68K */
+ /* Unknown */
+#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */
+# define DES_UNROLL
+#elif defined( __sgi ) /* Newer MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+#endif /* HEADER_DES_LOCL_H */
diff --git a/include/arch/mips/opensslconf.h b/include/arch/mips/opensslconf.h
new file mode 100644
index 0000000..f17d3d2
--- /dev/null
+++ b/include/arch/mips/opensslconf.h
@@ -0,0 +1,154 @@
+#include
+/* crypto/opensslconf.h.in */
+
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/etc/ssl"
+#endif
+
+#undef OPENSSL_UNISTD
+#define OPENSSL_UNISTD
+
+#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#define RC4_INT unsigned int
+#endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#undef RC4_CHUNK
+#endif
+#endif
+
+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned int
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#define BN_LLONG
+
+/* Should we define BN_DIV2W here?
*/
+
+/* Only one for the following should be defined */
+/* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debugging the bignum libraries */
+#undef SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#define THIRTY_TWO_BIT
+#undef SIXTEEN_BIT
+#undef EIGHT_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#define RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#undef BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#undef DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units. It reduces register dependencies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#undef DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very much CPU dependent */
+#ifndef DES_UNROLL
+#define DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+ CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+ even newer MIPS CPU's, but at the moment one size fits all for
+ optimization options.
Older Sparc's work better with only UNROLL, but
+ there's no way to tell at compile time what it is you're running on */
+
+#if defined( sun ) /* Newer Sparc's */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#elif defined( __ultrix ) /* Older MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined( __osf1__ ) /* Alpha */
+# define DES_PTR
+# define DES_RISC2
+#elif defined ( _AIX ) /* RS6000 */
+ /* Unknown */
+#elif defined( __hpux ) /* HP-PA */
+ /* Unknown */
+#elif defined( __aux ) /* 68K */
+ /* Unknown */
+#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */
+# define DES_UNROLL
+#elif defined( __sgi ) /* Newer MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+#endif /* HEADER_DES_LOCL_H */
diff --git a/include/arch/mips64/opensslconf.h b/include/arch/mips64/opensslconf.h
new file mode 100644
index 0000000..ed1204c
--- /dev/null
+++ b/include/arch/mips64/opensslconf.h
@@ -0,0 +1,154 @@
+#include
+/* crypto/opensslconf.h.in */
+
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/etc/ssl"
+#endif
+
+#undef OPENSSL_UNISTD
+#define OPENSSL_UNISTD
+
+#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#define RC4_INT unsigned int
+#endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#define RC4_CHUNK unsigned long
+#endif
+#endif
+
+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned int
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#undef BN_LLONG
+
+/* Should we define BN_DIV2W here?
*/
+
+/* Only one for the following should be defined */
+/* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debugging the bignum libraries */
+#define SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#undef THIRTY_TWO_BIT
+#undef SIXTEEN_BIT
+#undef EIGHT_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#undef RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#define BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#define DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units. It reduces register dependencies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#undef DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#define DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very much CPU dependent */
+#ifndef DES_UNROLL
+#undef DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+ CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+ even newer MIPS CPU's, but at the moment one size fits all for
+ optimization options.
Older Sparc's work better with only UNROLL, but
+ there's no way to tell at compile time what it is you're running on */
+
+#if defined( sun ) /* Newer Sparc's */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#elif defined( __ultrix ) /* Older MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined( __osf1__ ) /* Alpha */
+# define DES_PTR
+# define DES_RISC2
+#elif defined ( _AIX ) /* RS6000 */
+ /* Unknown */
+#elif defined( __hpux ) /* HP-PA */
+ /* Unknown */
+#elif defined( __aux ) /* 68K */
+ /* Unknown */
+#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */
+# define DES_UNROLL
+#elif defined( __sgi ) /* Newer MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+#endif /* HEADER_DES_LOCL_H */
diff --git a/include/arch/powerpc/opensslconf.h b/include/arch/powerpc/opensslconf.h
new file mode 100644
index 0000000..f17d3d2
--- /dev/null
+++ b/include/arch/powerpc/opensslconf.h
@@ -0,0 +1,154 @@
+#include
+/* crypto/opensslconf.h.in */
+
+#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
+#define OPENSSLDIR "/etc/ssl"
+#endif
+
+#undef OPENSSL_UNISTD
+#define OPENSSL_UNISTD
+
+#undef OPENSSL_EXPORT_VAR_AS_FUNCTION
+
+#if defined(HEADER_IDEA_H) && !defined(IDEA_INT)
+#define IDEA_INT unsigned int
+#endif
+
+#if defined(HEADER_MD2_H) && !defined(MD2_INT)
+#define MD2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC2_H) && !defined(RC2_INT)
+/* I need to put in a mod for the alpha - eay */
+#define RC2_INT unsigned int
+#endif
+
+#if defined(HEADER_RC4_H)
+#if !defined(RC4_INT)
+/* using int types make the structure larger but make the code faster
+ * on most boxes I have tested - up to %20 faster. */
+/*
+ * I don't know what does "most" mean, but declaring "int" is a must on:
+ * - Intel P6 because partial register stalls are very expensive;
+ * - elder Alpha because it lacks byte load/store instructions;
+ */
+#define RC4_INT unsigned int
+#endif
+#if !defined(RC4_CHUNK)
+/*
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+#undef RC4_CHUNK
+#endif
+#endif
+
+#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG)
+/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+#ifndef DES_LONG
+#define DES_LONG unsigned int
+#endif
+#endif
+
+#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H)
+#define CONFIG_HEADER_BN_H
+#define BN_LLONG
+
+/* Should we define BN_DIV2W here?
*/
+
+/* Only one for the following should be defined */
+/* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debugging the bignum libraries */
+#undef SIXTY_FOUR_BIT_LONG
+#undef SIXTY_FOUR_BIT
+#define THIRTY_TWO_BIT
+#undef SIXTEEN_BIT
+#undef EIGHT_BIT
+#endif
+
+#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H)
+#define CONFIG_HEADER_RC4_LOCL_H
+/* if this is defined data[i] is used instead of *data, this is a %20
+ * speedup on x86 */
+#define RC4_INDEX
+#endif
+
+#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+#define CONFIG_HEADER_BF_LOCL_H
+#undef BF_PTR
+#endif /* HEADER_BF_LOCL_H */
+
+#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+#define CONFIG_HEADER_DES_LOCL_H
+#ifndef DES_DEFAULT_OPTIONS
+/* the following is tweaked from a config script, that is why it is a
+ * protected undef/define */
+#ifndef DES_PTR
+#undef DES_PTR
+#endif
+
+/* This helps C compiler generate the correct code for multiple functional
+ * units. It reduces register dependencies at the expense of 2 more
+ * registers */
+#ifndef DES_RISC1
+#undef DES_RISC1
+#endif
+
+#ifndef DES_RISC2
+#undef DES_RISC2
+#endif
+
+#if defined(DES_RISC1) && defined(DES_RISC2)
+YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!!
+#endif
+
+/* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very much CPU dependent */
+#ifndef DES_UNROLL
+#define DES_UNROLL
+#endif
+
+/* These default values were supplied by
+ * Peter Gutman
+ * They are only used if nothing else has been defined */
+#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL)
+/* Special defines which change the way the code is built depending on the
+ CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find
+ even newer MIPS CPU's, but at the moment one size fits all for
+ optimization options.
Older Sparc's work better with only UNROLL, but
+ there's no way to tell at compile time what it is you're running on */
+
+#if defined( sun ) /* Newer Sparc's */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#elif defined( __ultrix ) /* Older MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined( __osf1__ ) /* Alpha */
+# define DES_PTR
+# define DES_RISC2
+#elif defined ( _AIX ) /* RS6000 */
+ /* Unknown */
+#elif defined( __hpux ) /* HP-PA */
+ /* Unknown */
+#elif defined( __aux ) /* 68K */
+ /* Unknown */
+#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */
+# define DES_UNROLL
+#elif defined( __sgi ) /* Newer MIPS */
+# define DES_PTR
+# define DES_RISC2
+# define DES_UNROLL
+#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */
+# define DES_PTR
+# define DES_RISC1
+# define DES_UNROLL
+#endif /* Systems-specific speed defines */
+#endif
+
+#endif /* DES_DEFAULT_OPTIONS */
+#endif /* HEADER_DES_LOCL_H */
diff --git a/include/arch/powerpc64/opensslconf.h b/include/arch/powerpc64/opensslconf.h
new file mode 100644
index 0000000..5cad089
--- /dev/null
+++ b/include/arch/powerpc64/opensslconf.h
@@ -0,0 +1,149 @@ +#include +/* crypto/opensslconf.h.in */ + +#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) +#define OPENSSLDIR "/etc/ssl" +#endif + +#undef OPENSSL_UNISTD +#define OPENSSL_UNISTD + +#undef OPENSSL_EXPORT_VAR_AS_FUNCTION + +#if defined(HEADER_IDEA_H) && !defined(IDEA_INT) +#define IDEA_INT unsigned int +#endif + +#if defined(HEADER_MD2_H) && !defined(MD2_INT) +#define MD2_INT unsigned int +#endif + +#if defined(HEADER_RC2_H) && !defined(RC2_INT) +/* I need to put in a mod for the alpha - eay */ +#define RC2_INT unsigned int +#endif + +#if defined(HEADER_RC4_H) +#if !defined(RC4_INT) +/* using int types make the structure larger but make the code faster + * on most boxes I have tested - up to %20 faster. */ +/* + * I don't know what does "most" mean, but declaring "int" is a must on: + * - Intel P6 because partial register stalls are very expensive; + * - elder Alpha because it lacks byte load/store instructions; + */ +#define RC4_INT unsigned int +#endif +#if !defined(RC4_CHUNK) +/* + * This enables code handling data aligned at natural CPU word + * boundary. See crypto/rc4/rc4_enc.c for further details. + */ +#define RC4_CHUNK unsigned long +#endif +#endif + +#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG) +/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a + * %20 speed up (longs are 8 bytes, int's are 4). */ +#ifndef DES_LONG +#define DES_LONG unsigned int +#endif +#endif + +#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) +#define CONFIG_HEADER_BN_H +#undef BN_LLONG + +/* Should we define BN_DIV2W here? 
*/ + +/* Only one for the following should be defined */ +#define SIXTY_FOUR_BIT_LONG +#undef SIXTY_FOUR_BIT +#undef THIRTY_TWO_BIT +#endif + +#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) +#define CONFIG_HEADER_RC4_LOCL_H +/* if this is defined data[i] is used instead of *data, this is a %20 + * speedup on x86 */ +#undef RC4_INDEX +#endif + +#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) +#define CONFIG_HEADER_BF_LOCL_H +#undef BF_PTR +#endif /* HEADER_BF_LOCL_H */ + +#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) +#define CONFIG_HEADER_DES_LOCL_H +#ifndef DES_DEFAULT_OPTIONS +/* the following is tweaked from a config script, that is why it is a + * protected undef/define */ +#ifndef DES_PTR +#undef DES_PTR +#endif + +/* This helps C compiler generate the correct code for multiple functional + * units. It reduces register dependencies at the expense of 2 more + * registers */ +#ifndef DES_RISC1 +#undef DES_RISC1 +#endif + +#ifndef DES_RISC2 +#undef DES_RISC2 +#endif + +#if defined(DES_RISC1) && defined(DES_RISC2) +YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! +#endif + +/* Unroll the inner loop, this sometimes helps, sometimes hinders. + * Very much CPU dependent */ +#ifndef DES_UNROLL +#define DES_UNROLL +#endif + +/* These default values were supplied by + * Peter Gutman + * They are only used if nothing else has been defined */ +#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL) +/* Special defines which change the way the code is built depending on the + CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find + even newer MIPS CPU's, but at the moment one size fits all for + optimization options. 
Older Sparc's work better with only UNROLL, but + there's no way to tell at compile time what it is you're running on */ + +#if defined( sun ) /* Newer Sparc's */ +# define DES_PTR +# define DES_RISC1 +# define DES_UNROLL +#elif defined( __ultrix ) /* Older MIPS */ +# define DES_PTR +# define DES_RISC2 +# define DES_UNROLL +#elif defined( __osf1__ ) /* Alpha */ +# define DES_PTR +# define DES_RISC2 +#elif defined ( _AIX ) /* RS6000 */ + /* Unknown */ +#elif defined( __hpux ) /* HP-PA */ + /* Unknown */ +#elif defined( __aux ) /* 68K */ + /* Unknown */ +#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */ +# define DES_UNROLL +#elif defined( __sgi ) /* Newer MIPS */ +# define DES_PTR +# define DES_RISC2 +# define DES_UNROLL +#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */ +# define DES_PTR +# define DES_RISC1 +# define DES_UNROLL +#endif /* Systems-specific speed defines */ +#endif + +#endif /* DES_DEFAULT_OPTIONS */ +#endif /* HEADER_DES_LOCL_H */ diff --git a/include/arch/riscv64/opensslconf.h b/include/arch/riscv64/opensslconf.h new file mode 100644 index 0000000..748ed8f --- /dev/null +++ b/include/arch/riscv64/opensslconf.h 
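Review bot: The bignum word-size block in this new powerpc64 header stops at `#undef THIRTY_TWO_BIT`, while the riscv64, sh and sparc64 headers added in the following hunks also carry `#undef SIXTEEN_BIT` and `#undef EIGHT_BIT` after it. The omission is harmless as long as nothing defines those two macros before this header is included, but the `/* Only one for the following should be defined */` comment is only guaranteed here if the extra undefs are present, so the four arch headers are not interchangeable as written. The header appears to be derived from the `opensslconf.h.in` template, so the fix belongs in whatever produces the copies rather than in this file alone.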
@@ -0,0 +1,154 @@ +#include +/* crypto/opensslconf.h.in */ + +#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) +#define OPENSSLDIR "/etc/ssl" +#endif + +#undef OPENSSL_UNISTD +#define OPENSSL_UNISTD + +#undef OPENSSL_EXPORT_VAR_AS_FUNCTION + +#if defined(HEADER_IDEA_H) && !defined(IDEA_INT) +#define IDEA_INT unsigned int +#endif + +#if defined(HEADER_MD2_H) && !defined(MD2_INT) +#define MD2_INT unsigned int +#endif + +#if defined(HEADER_RC2_H) && !defined(RC2_INT) +/* I need to put in a mod for the alpha - eay */ +#define RC2_INT unsigned int +#endif + +#if defined(HEADER_RC4_H) +#if !defined(RC4_INT) +/* using int types make the structure larger but make the code faster + * on most boxes I have tested - up to %20 faster. */ +/* + * I don't know what does "most" mean, but declaring "int" is a must on: + * - Intel P6 because partial register stalls are very expensive; + * - elder Alpha because it lacks byte load/store instructions; + */ +#define RC4_INT unsigned int +#endif +#if !defined(RC4_CHUNK) +/* + * This enables code handling data aligned at natural CPU word + * boundary. See crypto/rc4/rc4_enc.c for further details. + */ +#define RC4_CHUNK unsigned long +#endif +#endif + +#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG) +/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a + * %20 speed up (longs are 8 bytes, int's are 4). */ +#ifndef DES_LONG +#define DES_LONG unsigned int +#endif +#endif + +#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) +#define CONFIG_HEADER_BN_H +#undef BN_LLONG + +/* Should we define BN_DIV2W here? 
*/ + +/* Only one for the following should be defined */ +/* The prime number generation stuff may not work when + * EIGHT_BIT but I don't care since I've only used this mode + * for debugging the bignum libraries */ +#define SIXTY_FOUR_BIT_LONG +#undef SIXTY_FOUR_BIT +#undef THIRTY_TWO_BIT +#undef SIXTEEN_BIT +#undef EIGHT_BIT +#endif + +#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) +#define CONFIG_HEADER_RC4_LOCL_H +/* if this is defined data[i] is used instead of *data, this is a %20 + * speedup on x86 */ +#undef RC4_INDEX +#endif + +#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) +#define CONFIG_HEADER_BF_LOCL_H +#undef BF_PTR +#endif /* HEADER_BF_LOCL_H */ + +#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) +#define CONFIG_HEADER_DES_LOCL_H +#ifndef DES_DEFAULT_OPTIONS +/* the following is tweaked from a config script, that is why it is a + * protected undef/define */ +#ifndef DES_PTR +#undef DES_PTR +#endif + +/* This helps C compiler generate the correct code for multiple functional + * units. It reduces register dependencies at the expense of 2 more + * registers */ +#ifndef DES_RISC1 +#undef DES_RISC1 +#endif + +#ifndef DES_RISC2 +#undef DES_RISC2 +#endif + +#if defined(DES_RISC1) && defined(DES_RISC2) +YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! +#endif + +/* Unroll the inner loop, this sometimes helps, sometimes hinders. + * Very much CPU dependent */ +#ifndef DES_UNROLL +#define DES_UNROLL +#endif + +/* These default values were supplied by + * Peter Gutman + * They are only used if nothing else has been defined */ +#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL) +/* Special defines which change the way the code is built depending on the + CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find + even newer MIPS CPU's, but at the moment one size fits all for + optimization options. 
Older Sparc's work better with only UNROLL, but + there's no way to tell at compile time what it is you're running on */ + +#if defined( sun ) /* Newer Sparc's */ +# define DES_PTR +# define DES_RISC1 +# define DES_UNROLL +#elif defined( __ultrix ) /* Older MIPS */ +# define DES_PTR +# define DES_RISC2 +# define DES_UNROLL +#elif defined( __osf1__ ) /* Alpha */ +# define DES_PTR +# define DES_RISC2 +#elif defined ( _AIX ) /* RS6000 */ + /* Unknown */ +#elif defined( __hpux ) /* HP-PA */ + /* Unknown */ +#elif defined( __aux ) /* 68K */ + /* Unknown */ +#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */ +# define DES_UNROLL +#elif defined( __sgi ) /* Newer MIPS */ +# define DES_PTR +# define DES_RISC2 +# define DES_UNROLL +#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */ +# define DES_PTR +# define DES_RISC1 +# define DES_UNROLL +#endif /* Systems-specific speed defines */ +#endif + +#endif /* DES_DEFAULT_OPTIONS */ +#endif /* HEADER_DES_LOCL_H */ diff --git a/include/arch/sh/opensslconf.h b/include/arch/sh/opensslconf.h new file mode 100644 index 0000000..f17d3d2 --- /dev/null +++ b/include/arch/sh/opensslconf.h 
@@ -0,0 +1,154 @@ +#include +/* crypto/opensslconf.h.in */ + +#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) +#define OPENSSLDIR "/etc/ssl" +#endif + +#undef OPENSSL_UNISTD +#define OPENSSL_UNISTD + +#undef OPENSSL_EXPORT_VAR_AS_FUNCTION + +#if defined(HEADER_IDEA_H) && !defined(IDEA_INT) +#define IDEA_INT unsigned int +#endif + +#if defined(HEADER_MD2_H) && !defined(MD2_INT) +#define MD2_INT unsigned int +#endif + +#if defined(HEADER_RC2_H) && !defined(RC2_INT) +/* I need to put in a mod for the alpha - eay */ +#define RC2_INT unsigned int +#endif + +#if defined(HEADER_RC4_H) +#if !defined(RC4_INT) +/* using int types make the structure larger but make the code faster + * on most boxes I have tested - up to %20 faster. */ +/* + * I don't know what does "most" mean, but declaring "int" is a must on: + * - Intel P6 because partial register stalls are very expensive; + * - elder Alpha because it lacks byte load/store instructions; + */ +#define RC4_INT unsigned int +#endif +#if !defined(RC4_CHUNK) +/* + * This enables code handling data aligned at natural CPU word + * boundary. See crypto/rc4/rc4_enc.c for further details. + */ +#undef RC4_CHUNK +#endif +#endif + +#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG) +/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a + * %20 speed up (longs are 8 bytes, int's are 4). */ +#ifndef DES_LONG +#define DES_LONG unsigned int +#endif +#endif + +#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) +#define CONFIG_HEADER_BN_H +#define BN_LLONG + +/* Should we define BN_DIV2W here? 
*/ + +/* Only one for the following should be defined */ +/* The prime number generation stuff may not work when + * EIGHT_BIT but I don't care since I've only used this mode + * for debugging the bignum libraries */ +#undef SIXTY_FOUR_BIT_LONG +#undef SIXTY_FOUR_BIT +#define THIRTY_TWO_BIT +#undef SIXTEEN_BIT +#undef EIGHT_BIT +#endif + +#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) +#define CONFIG_HEADER_RC4_LOCL_H +/* if this is defined data[i] is used instead of *data, this is a %20 + * speedup on x86 */ +#define RC4_INDEX +#endif + +#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) +#define CONFIG_HEADER_BF_LOCL_H +#undef BF_PTR +#endif /* HEADER_BF_LOCL_H */ + +#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) +#define CONFIG_HEADER_DES_LOCL_H +#ifndef DES_DEFAULT_OPTIONS +/* the following is tweaked from a config script, that is why it is a + * protected undef/define */ +#ifndef DES_PTR +#undef DES_PTR +#endif + +/* This helps C compiler generate the correct code for multiple functional + * units. It reduces register dependencies at the expense of 2 more + * registers */ +#ifndef DES_RISC1 +#undef DES_RISC1 +#endif + +#ifndef DES_RISC2 +#undef DES_RISC2 +#endif + +#if defined(DES_RISC1) && defined(DES_RISC2) +YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! +#endif + +/* Unroll the inner loop, this sometimes helps, sometimes hinders. + * Very much CPU dependent */ +#ifndef DES_UNROLL +#define DES_UNROLL +#endif + +/* These default values were supplied by + * Peter Gutman + * They are only used if nothing else has been defined */ +#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL) +/* Special defines which change the way the code is built depending on the + CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find + even newer MIPS CPU's, but at the moment one size fits all for + optimization options. 
Older Sparc's work better with only UNROLL, but + there's no way to tell at compile time what it is you're running on */ + +#if defined( sun ) /* Newer Sparc's */ +# define DES_PTR +# define DES_RISC1 +# define DES_UNROLL +#elif defined( __ultrix ) /* Older MIPS */ +# define DES_PTR +# define DES_RISC2 +# define DES_UNROLL +#elif defined( __osf1__ ) /* Alpha */ +# define DES_PTR +# define DES_RISC2 +#elif defined ( _AIX ) /* RS6000 */ + /* Unknown */ +#elif defined( __hpux ) /* HP-PA */ + /* Unknown */ +#elif defined( __aux ) /* 68K */ + /* Unknown */ +#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */ +# define DES_UNROLL +#elif defined( __sgi ) /* Newer MIPS */ +# define DES_PTR +# define DES_RISC2 +# define DES_UNROLL +#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */ +# define DES_PTR +# define DES_RISC1 +# define DES_UNROLL +#endif /* Systems-specific speed defines */ +#endif + +#endif /* DES_DEFAULT_OPTIONS */ +#endif /* HEADER_DES_LOCL_H */ diff --git a/include/arch/sparc64/opensslconf.h b/include/arch/sparc64/opensslconf.h new file mode 100644 index 0000000..ed1204c --- /dev/null +++ b/include/arch/sparc64/opensslconf.h 
@@ -0,0 +1,154 @@ +#include +/* crypto/opensslconf.h.in */ + +#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) +#define OPENSSLDIR "/etc/ssl" +#endif + +#undef OPENSSL_UNISTD +#define OPENSSL_UNISTD + +#undef OPENSSL_EXPORT_VAR_AS_FUNCTION + +#if defined(HEADER_IDEA_H) && !defined(IDEA_INT) +#define IDEA_INT unsigned int +#endif + +#if defined(HEADER_MD2_H) && !defined(MD2_INT) +#define MD2_INT unsigned int +#endif + +#if defined(HEADER_RC2_H) && !defined(RC2_INT) +/* I need to put in a mod for the alpha - eay */ +#define RC2_INT unsigned int +#endif + +#if defined(HEADER_RC4_H) +#if !defined(RC4_INT) +/* using int types make the structure larger but make the code faster + * on most boxes I have tested - up to %20 faster. */ +/* + * I don't know what does "most" mean, but declaring "int" is a must on: + * - Intel P6 because partial register stalls are very expensive; + * - elder Alpha because it lacks byte load/store instructions; + */ +#define RC4_INT unsigned int +#endif +#if !defined(RC4_CHUNK) +/* + * This enables code handling data aligned at natural CPU word + * boundary. See crypto/rc4/rc4_enc.c for further details. + */ +#define RC4_CHUNK unsigned long +#endif +#endif + +#if (defined(HEADER_NEW_DES_H) || defined(HEADER_DES_H)) && !defined(DES_LONG) +/* If this is set to 'unsigned int' on a DEC Alpha, this gives about a + * %20 speed up (longs are 8 bytes, int's are 4). */ +#ifndef DES_LONG +#define DES_LONG unsigned int +#endif +#endif + +#if defined(HEADER_BN_H) && !defined(CONFIG_HEADER_BN_H) +#define CONFIG_HEADER_BN_H +#undef BN_LLONG + +/* Should we define BN_DIV2W here? 
*/ + +/* Only one for the following should be defined */ +/* The prime number generation stuff may not work when + * EIGHT_BIT but I don't care since I've only used this mode + * for debugging the bignum libraries */ +#define SIXTY_FOUR_BIT_LONG +#undef SIXTY_FOUR_BIT +#undef THIRTY_TWO_BIT +#undef SIXTEEN_BIT +#undef EIGHT_BIT +#endif + +#if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) +#define CONFIG_HEADER_RC4_LOCL_H +/* if this is defined data[i] is used instead of *data, this is a %20 + * speedup on x86 */ +#undef RC4_INDEX +#endif + +#if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H) +#define CONFIG_HEADER_BF_LOCL_H +#define BF_PTR +#endif /* HEADER_BF_LOCL_H */ + +#if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H) +#define CONFIG_HEADER_DES_LOCL_H +#ifndef DES_DEFAULT_OPTIONS +/* the following is tweaked from a config script, that is why it is a + * protected undef/define */ +#ifndef DES_PTR +#define DES_PTR +#endif + +/* This helps C compiler generate the correct code for multiple functional + * units. It reduces register dependencies at the expense of 2 more + * registers */ +#ifndef DES_RISC1 +#undef DES_RISC1 +#endif + +#ifndef DES_RISC2 +#define DES_RISC2 +#endif + +#if defined(DES_RISC1) && defined(DES_RISC2) +YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! +#endif + +/* Unroll the inner loop, this sometimes helps, sometimes hinders. + * Very much CPU dependent */ +#ifndef DES_UNROLL +#undef DES_UNROLL +#endif + +/* These default values were supplied by + * Peter Gutman + * They are only used if nothing else has been defined */ +#if !defined(DES_PTR) && !defined(DES_RISC1) && !defined(DES_RISC2) && !defined(DES_UNROLL) +/* Special defines which change the way the code is built depending on the + CPU and OS. For SGI machines you can use _MIPS_SZLONG (32 or 64) to find + even newer MIPS CPU's, but at the moment one size fits all for + optimization options. 
Older Sparc's work better with only UNROLL, but + there's no way to tell at compile time what it is you're running on */ + +#if defined( sun ) /* Newer Sparc's */ +# define DES_PTR +# define DES_RISC1 +# define DES_UNROLL +#elif defined( __ultrix ) /* Older MIPS */ +# define DES_PTR +# define DES_RISC2 +# define DES_UNROLL +#elif defined( __osf1__ ) /* Alpha */ +# define DES_PTR +# define DES_RISC2 +#elif defined ( _AIX ) /* RS6000 */ + /* Unknown */ +#elif defined( __hpux ) /* HP-PA */ + /* Unknown */ +#elif defined( __aux ) /* 68K */ + /* Unknown */ +#elif defined( __dgux ) /* 88K (but P6 in latest boxes) */ +# define DES_UNROLL +#elif defined( __sgi ) /* Newer MIPS */ +# define DES_PTR +# define DES_RISC2 +# define DES_UNROLL +#elif defined(i386) || defined(__i386__) /* x86 boxes, should be gcc */ +# define DES_PTR +# define DES_RISC1 +# define DES_UNROLL +#endif /* Systems-specific speed defines */ +#endif + +#endif /* DES_DEFAULT_OPTIONS */ +#endif /* HEADER_DES_LOCL_H */ diff --git a/include/compat/endian.h b/include/compat/endian.h index 1ed255e..d9f7eb2 100644 --- a/include/compat/endian.h +++ b/include/compat/endian.h @@ -24,6 +24,9 @@ #elif defined(HAVE_ENDIAN_H) #include_next +#elif defined(HAVE_MACHINE_ENDIAN_H) +#include_next + #elif defined(__sun) || defined(_AIX) || defined(__hpux) #include #include 
@@ -45,4 +48,74 @@ #endif #endif +#if defined(__APPLE__) && !defined(HAVE_ENDIAN_H) +#include +#define be16toh(x) OSSwapBigToHostInt16((x)) +#define htobe16(x) OSSwapHostToBigInt16((x)) +#define be32toh(x) OSSwapBigToHostInt32((x)) +#define htobe32(x) OSSwapHostToBigInt32(x) +#define htole64(x) OSSwapHostToLittleInt64(x) +#define htobe64(x) OSSwapHostToBigInt64(x) +#define le64toh(x) OSSwapLittleToHostInt64(x) +#define be64toh(x) OSSwapBigToHostInt64(x) +#endif /* __APPLE__ && !HAVE_ENDIAN_H */ + +#if defined(_WIN32) && !defined(HAVE_ENDIAN_H) +#include + +#define be16toh(x) ntohs((x)) +#define htobe16(x) htons((x)) +#define be32toh(x) ntohl((x)) +#define htobe32(x) ntohl((x)) +#define be64toh(x) ntohll((x)) + +#if !defined(ntohll) +#define ntohll(x) ((1==htonl(1)) ? (x) : ((uint64_t)ntohl((x) & 0xFFFFFFFF) << 32) | ntohl((x) >> 32)) +#endif +#if !defined(htonll) +#define htonll(x) ((1==ntohl(1)) ? (x) : ((uint64_t)htonl((x) & 0xFFFFFFFF) << 32) | htonl((x) >> 32)) +#endif + +#define htobe64(x) ntohll((x)) +#endif /* _WIN32 && !HAVE_ENDIAN_H */ + +#ifdef __linux__ +#if !defined(betoh16) +#define betoh16 be16toh +#endif +#if !defined(betoh32) +#define betoh32 be32toh +#endif +#if !defined(betoh64) +#define betoh64 be64toh +#endif +#endif /* __linux__ */ + +#if defined(__FreeBSD__) +#if !defined(HAVE_ENDIAN_H) +#include +#endif +#if !defined(betoh16) +#define betoh16 be16toh +#endif +#if !defined(betoh32) +#define betoh32 be32toh +#endif +#if !defined(betoh64) +#define betoh64 be64toh +#endif +#endif + +#if defined(__NetBSD__) +#if !defined(betoh16) +#define betoh16 be16toh +#endif +#if !defined(betoh32) +#define betoh32 be32toh +#endif +#if !defined(betoh64) +#define betoh64 be64toh +#endif +#endif + #endif diff --git a/include/openssl/asn1.h b/include/openssl/asn1.h index e569e87..5be4668 100644 --- a/include/openssl/asn1.h +++ b/include/openssl/asn1.h 
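Review bot: In the `_WIN32` block, `htobe32` and `htobe64` are defined through `ntohl`/`ntohll` rather than `htonl`/`htonll`; the result is the same because both directions are the same byte swap, but it reads as a copy-paste slip and leaves the `htonll` macro defined a few lines later unused: `#define htobe32(x) htonl((x))` and `#define htobe64(x) htonll((x))`. The `ntohll`/`htonll` fallbacks mention `x` three times, so in the byte-swapping branch an argument with side effects (`be64toh(*p++)`) is evaluated twice; a comment such as `/* x is evaluated more than once; pass an lvalue or constant */` warns callers, and a static inline function would remove the hazard. In the `__APPLE__` block the first three macros wrap the argument as `((x))` while the remaining five pass a bare `x`; using `((x))` in all eight keeps them uniform.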
@@ -1,4 +1,4 @@ -/* $OpenBSD: asn1.h,v 1.62 2022/01/14 08:53:53 tb Exp $ */ +/* $OpenBSD: asn1.h,v 1.76 2023/04/25 19:08:30 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,13 +66,11 @@ #ifndef OPENSSL_NO_BIO #include #endif +#include #include #include #include -#ifndef OPENSSL_NO_DEPRECATED -#include -#endif #ifdef __cplusplus extern "C" { @@ -547,8 +545,6 @@ int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b); ASN1_OBJECT *ASN1_OBJECT_new(void); void ASN1_OBJECT_free(ASN1_OBJECT *a); int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp); -ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, - long length); ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long length); @@ -577,9 +573,6 @@ void ASN1_BIT_STRING_free(ASN1_BIT_STRING *a); ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, const unsigned char **in, long len); int i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **out); extern const ASN1_ITEM ASN1_BIT_STRING_it; -int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp); -ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, - const unsigned char **pp, long length); int ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d, int length); int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value); int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n); @@ -599,9 +592,6 @@ void ASN1_INTEGER_free(ASN1_INTEGER *a); ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **in, long len); int i2d_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **out); extern const ASN1_ITEM ASN1_INTEGER_it; -int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp); -ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, - long length); ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, long length); ASN1_INTEGER * ASN1_INTEGER_dup(const ASN1_INTEGER *x); 
@@ -719,6 +709,11 @@ ASN1_TIME *d2i_ASN1_TIME(ASN1_TIME **a, const unsigned char **in, long len); int i2d_ASN1_TIME(ASN1_TIME *a, unsigned char **out); extern const ASN1_ITEM ASN1_TIME_it; +int ASN1_TIME_to_tm(const ASN1_TIME *s, struct tm *tm); +int ASN1_TIME_compare(const ASN1_TIME *t1, const ASN1_TIME *t2); +int ASN1_TIME_cmp_time_t(const ASN1_TIME *s, time_t t2); +int ASN1_TIME_normalize(ASN1_TIME *t); +int ASN1_TIME_set_string_X509(ASN1_TIME *time, const char *str); int ASN1_TIME_diff(int *pday, int *psec, const ASN1_TIME *from, const ASN1_TIME *to); @@ -748,11 +743,17 @@ int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num); ASN1_OBJECT *ASN1_OBJECT_create(int nid, unsigned char *data, int len, const char *sn, const char *ln); +int ASN1_INTEGER_get_uint64(uint64_t *out_val, const ASN1_INTEGER *aint); +int ASN1_INTEGER_set_uint64(ASN1_INTEGER *aint, uint64_t val); +int ASN1_INTEGER_get_int64(int64_t *out_val, const ASN1_INTEGER *aint); +int ASN1_INTEGER_set_int64(ASN1_INTEGER *aint, int64_t val); int ASN1_INTEGER_set(ASN1_INTEGER *a, long v); long ASN1_INTEGER_get(const ASN1_INTEGER *a); ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai); BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn); +int ASN1_ENUMERATED_get_int64(int64_t *out_val, const ASN1_ENUMERATED *aenum); +int ASN1_ENUMERATED_set_int64(ASN1_ENUMERATED *aenum, int64_t val); int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v); long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a); ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai); 
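Review bot: The new `ASN1_INTEGER_get_int64`/`ASN1_INTEGER_get_uint64` and `ASN1_ENUMERATED_get_int64` declarations in the second hunk carry no comment on what happens when the encoded value does not fit the 64-bit target, which is the case a caller decoding untrusted DER most needs to handle. The reason codes `ASN1_R_TOO_LARGE`, `ASN1_R_TOO_SMALL`, `ASN1_R_ILLEGAL_NEGATIVE_VALUE` and `ASN1_R_WRONG_INTEGER_TYPE` added further down in this file suggest such values are rejected rather than truncated, but the header should say so. A comment above the group such as `/* Return 1 on success, 0 (with an ASN1_R_* reason) when the value does not fit the target type or has the wrong sign. */` would make the contract explicit, once confirmed against the implementation.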
@@ -835,6 +836,7 @@ int ASN1_STRING_print(BIO *bp, const ASN1_STRING *v); int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, unsigned long flags); int ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num, unsigned char *buf, int off); +int ASN1_buf_print(BIO *bp, const unsigned char *buf, size_t buflen, int indent); int ASN1_parse(BIO *bp, const unsigned char *pp, long len, int indent); int ASN1_parse_dump(BIO *bp, const unsigned char *pp, long len, int indent, int dump); #endif @@ -878,7 +880,6 @@ void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it); ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_ITEM *it); int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it); -int ASN1_item_ndef_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it); void ASN1_add_oid_module(void); @@ -923,23 +924,9 @@ void ASN1_PCTX_set_str_flags(ASN1_PCTX *p, unsigned long flags); const BIO_METHOD *BIO_f_asn1(void); -BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it); - -int i2d_ASN1_bio_stream(BIO *out, ASN1_VALUE *val, BIO *in, int flags, - const ASN1_ITEM *it); -int PEM_write_bio_ASN1_stream(BIO *out, ASN1_VALUE *val, BIO *in, int flags, - const char *hdr, const ASN1_ITEM *it); -int SMIME_write_ASN1(BIO *bio, ASN1_VALUE *val, BIO *data, int flags, - int ctype_nid, int econt_nid, STACK_OF(X509_ALGOR) *mdalgs, - const ASN1_ITEM *it); -ASN1_VALUE *SMIME_read_ASN1(BIO *bio, BIO **bcont, const ASN1_ITEM *it); int SMIME_crlf_copy(BIO *in, BIO *out, int flags); int SMIME_text(BIO *in, BIO *out); -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_ASN1_strings(void); /* Error codes for the ASN1 functions. */ 
@@ -1109,6 +1096,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_ILLEGAL_HEX 178 #define ASN1_R_ILLEGAL_IMPLICIT_TAG 179 #define ASN1_R_ILLEGAL_INTEGER 180 +#define ASN1_R_ILLEGAL_NEGATIVE_VALUE 226 #define ASN1_R_ILLEGAL_NESTED_TAGGING 181 #define ASN1_R_ILLEGAL_NULL 125 #define ASN1_R_ILLEGAL_NULL_VALUE 182 @@ -1168,8 +1156,11 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_TAG_VALUE_TOO_HIGH 153 #define ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 154 #define ASN1_R_TIME_NOT_ASCII_FORMAT 193 +#define ASN1_R_TOO_LARGE 223 #define ASN1_R_TOO_LONG 155 +#define ASN1_R_TOO_SMALL 224 #define ASN1_R_TYPE_NOT_CONSTRUCTED 156 +#define ASN1_R_TYPE_NOT_PRIMITIVE 231 #define ASN1_R_UNABLE_TO_DECODE_RSA_KEY 157 #define ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY 158 #define ASN1_R_UNEXPECTED_EOC 159 @@ -1186,11 +1177,11 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM 166 #define ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE 167 #define ASN1_R_UNSUPPORTED_TYPE 196 +#define ASN1_R_WRONG_INTEGER_TYPE 225 #define ASN1_R_WRONG_PUBLIC_KEY_TYPE 200 #define ASN1_R_WRONG_TAG 168 #define ASN1_R_WRONG_TYPE 169 - int ASN1_time_parse(const char *_bytes, size_t _len, struct tm *_tm, int _mode); int ASN1_time_tm_cmp(struct tm *_tm1, struct tm *_tm2); #ifdef __cplusplus diff --git a/include/openssl/asn1t.h b/include/openssl/asn1t.h index 892c8b7..bb49be2 100644 --- a/include/openssl/asn1t.h +++ b/include/openssl/asn1t.h @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1t.h,v 1.19 2022/01/14 08:43:06 tb Exp $ */ +/* $OpenBSD: asn1t.h,v 1.22 2022/09/03 16:01:23 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ 
@@ -183,10 +183,6 @@ extern "C" { static const ASN1_AUX tname##_aux = {NULL, 0, 0, 0, cb, 0}; \ ASN1_SEQUENCE(tname) -#define ASN1_BROKEN_SEQUENCE(tname) \ - static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_BROKEN, 0, 0, 0, 0}; \ - ASN1_SEQUENCE(tname) - #define ASN1_SEQUENCE_ref(tname, cb, lck) \ static const ASN1_AUX tname##_aux = {NULL, ASN1_AFLG_REFCOUNT, offsetof(tname, references), lck, cb, 0}; \ ASN1_SEQUENCE(tname) @@ -219,8 +215,6 @@ extern "C" { #tname \ ASN1_ITEM_end(tname) -#define ASN1_BROKEN_SEQUENCE_END(stname) ASN1_SEQUENCE_END_ref(stname, stname) - #define ASN1_SEQUENCE_END_enc(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname) #define ASN1_SEQUENCE_END_cb(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname) @@ -352,11 +346,6 @@ extern "C" { (flags), (tag), offsetof(stname, field),\ #field, ASN1_ITEM_ref(type) } -/* used when the structure is combined with the parent */ - -#define ASN1_EX_COMBINE(flags, tag, type) { \ - (flags)|ASN1_TFLG_COMBINE, (tag), 0, NULL, ASN1_ITEM_ref(type) } - /* implicit and explicit helper macros */ #define ASN1_IMP_EX(stname, field, type, tag, ex) \ @@ -569,17 +558,6 @@ struct ASN1_ADB_TABLE_st { #define ASN1_TFLG_ADB_INT (0x1<<9) -/* - * This flag means a parent structure is passed - * instead of the field: this is useful is a - * SEQUENCE is being combined with a CHOICE for - * example. Since this means the structure and - * item name will differ we need to use the - * ASN1_CHOICE_END_name() macro for example. - */ - -#define ASN1_TFLG_COMBINE (0x1<<10) - /* * This flag when present in a SEQUENCE OF, SET OF * or EXPLICIT causes indefinite length constructed @@ -761,8 +739,6 @@ typedef struct ASN1_STREAM_ARG_st { #define ASN1_AFLG_REFCOUNT 1 /* Save the encoding of structure (useful for signatures) */ #define ASN1_AFLG_ENCODING 2 -/* The Sequence length is invalid */ -#define ASN1_AFLG_BROKEN 4 /* operation values for asn1_cb */ 
@@ -906,11 +882,14 @@ extern const ASN1_ITEM ASN1_BOOLEAN_it; extern const ASN1_ITEM ASN1_TBOOLEAN_it; extern const ASN1_ITEM ASN1_FBOOLEAN_it; extern const ASN1_ITEM ASN1_SEQUENCE_it; -extern const ASN1_ITEM CBIGNUM_it; extern const ASN1_ITEM BIGNUM_it; extern const ASN1_ITEM LONG_it; extern const ASN1_ITEM ZLONG_it; +#ifndef LIBRESSL_INTERNAL +extern const ASN1_ITEM CBIGNUM_it; +#endif + DECLARE_STACK_OF(ASN1_VALUE) /* Functions used internally by the ASN1 code */ diff --git a/include/openssl/bio.h b/include/openssl/bio.h index d4bf8cb..53217f8 100644 --- a/include/openssl/bio.h +++ b/include/openssl/bio.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bio.h,v 1.54 2022/01/14 08:40:57 tb Exp $ */ +/* $OpenBSD: bio.h,v 1.56 2022/09/11 17:26:03 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -276,8 +276,9 @@ void BIO_set_callback_arg(BIO *b, char *arg); const char *BIO_method_name(const BIO *b); int BIO_method_type(const BIO *b); -typedef void bio_info_cb(struct bio_st *, int, const char *, int, long, long); typedef int BIO_info_cb(BIO *, int, int); +/* Compatibility with OpenSSL's backward compatibility. */ +typedef BIO_info_cb bio_info_cb; typedef struct bio_method_st BIO_METHOD; @@ -698,11 +699,6 @@ BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args) __nonnull__(3))); #endif - -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_BIO_strings(void); /* Error codes for the BIO functions. */ diff --git a/include/openssl/blowfish.h b/include/openssl/blowfish.h index 260545e..592bd83 100644 --- a/include/openssl/blowfish.h +++ b/include/openssl/blowfish.h 
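Review bot: The `#ifndef LIBRESSL_INTERNAL` guard now wrapping `extern const ASN1_ITEM CBIGNUM_it;` has no comment explaining why the symbol is hidden from internal builds while staying visible to external consumers; presumably it is kept for API compatibility only and the guard prevents new internal uses, but the next reader cannot tell whether removing the declaration altogether would be safe. A one-line comment above the guard, e.g. `/* Exposed for API compatibility only; not for internal use. */`, would record the intent (wording to be confirmed by the author).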
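Review bot: `typedef BIO_info_cb bio_info_cb;` changes the type of `bio_info_cb` from the removed `void (struct bio_st *, int, const char *, int, long, long)` to `int (BIO *, int, int)`, so a caller that still declares a callback with the old six-argument shape now gets a pointer-type mismatch instead of silent acceptance. The comment `/* Compatibility with OpenSSL's backward compatibility. */` does not mention this; something like `/* bio_info_cb is an alias of BIO_info_cb, as in OpenSSL; the former six-argument signature is no longer supported. */` tells readers what changed and why. Whether the alias is meant to be source-compatible for existing users of the old typedef is for the author to confirm.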
@@ -1,25 +1,25 @@ -/* $OpenBSD: blowfish.h,v 1.15 2021/11/30 18:31:36 tb Exp $ */ +/* $OpenBSD: blowfish.h,v 1.16 2022/11/11 12:08:29 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: 
@@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence 
@@ -85,23 +85,23 @@ extern "C" { #define BF_BLOCK 8 typedef struct bf_key_st { - BF_LONG P[BF_ROUNDS+2]; + BF_LONG P[BF_ROUNDS + 2]; BF_LONG S[4*256]; } BF_KEY; void BF_set_key(BF_KEY *key, int len, const unsigned char *data); -void BF_encrypt(BF_LONG *data,const BF_KEY *key); -void BF_decrypt(BF_LONG *data,const BF_KEY *key); +void BF_encrypt(BF_LONG *data, const BF_KEY *key); +void BF_decrypt(BF_LONG *data, const BF_KEY *key); void BF_ecb_encrypt(const unsigned char *in, unsigned char *out, - const BF_KEY *key, int enc); + const BF_KEY *key, int enc); void BF_cbc_encrypt(const unsigned char *in, unsigned char *out, long length, - const BF_KEY *schedule, unsigned char *ivec, int enc); + const BF_KEY *schedule, unsigned char *ivec, int enc); void BF_cfb64_encrypt(const unsigned char *in, unsigned char *out, long length, - const BF_KEY *schedule, unsigned char *ivec, int *num, int enc); + const BF_KEY *schedule, unsigned char *ivec, int *num, int enc); void BF_ofb64_encrypt(const unsigned char *in, unsigned char *out, long length, - const BF_KEY *schedule, unsigned char *ivec, int *num); + const BF_KEY *schedule, unsigned char *ivec, int *num); const char *BF_options(void); #ifdef __cplusplus diff --git a/include/openssl/bn.h b/include/openssl/bn.h index abf8cfc..386f8df 100644 --- a/include/openssl/bn.h +++ b/include/openssl/bn.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bn.h,v 1.52 2022/01/14 08:01:47 tb Exp $ */ +/* $OpenBSD: bn.h,v 1.71 2023/04/27 06:48:47 tb Exp $ */ /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -138,24 +138,6 @@ extern "C" { #endif -/* These preprocessor symbols control various aspects of the bignum headers and - * library code. They're not defined by any "normal" configuration, as they are - * intended for development and testing purposes. NB: defining all three can be - * useful for debugging application code as well as openssl itself. - * - * BN_DEBUG - turn on various debugging alterations to the bignum code - * BN_DEBUG_RAND - uses random poisoning of unused words to trip up - * mismanagement of bignum internals. You must also define BN_DEBUG. - */ -/* #define BN_DEBUG */ -/* #define BN_DEBUG_RAND */ - -#ifndef OPENSSL_SMALL_FOOTPRINT -#define BN_MUL_COMBA -#define BN_SQR_COMBA -#define BN_RECURSION -#endif - /* This next option uses the C libraries (2 word)/(1 word) function. * If it is not defined, I use my C version (which is slower). * The reason for this flag is that when the particular C compiler @@ -219,15 +201,6 @@ extern "C" { * BN_mod_inverse() will call BN_mod_inverse_no_branch. */ -#ifndef OPENSSL_NO_DEPRECATED -#define BN_FLG_EXP_CONSTTIME BN_FLG_CONSTTIME /* deprecated name for the flag */ - /* avoid leaking exponent information through timings - * (BN_mod_exp_mont() will call BN_mod_exp_mont_consttime) */ -#endif - -#ifndef OPENSSL_NO_DEPRECATED -#define BN_FLG_FREE 0x8000 /* used for debugging */ -#endif void BN_set_flags(BIGNUM *b, int n); int BN_get_flags(const BIGNUM *b, int n); void BN_with_flags(BIGNUM *dest, const BIGNUM *src, int flags); 
@@ -341,22 +314,12 @@ int BN_is_one(const BIGNUM *a); int BN_is_word(const BIGNUM *a, const BN_ULONG w); int BN_is_odd(const BIGNUM *a); -#define BN_one(a) BN_set_word((a), 1) - -void BN_zero_ex(BIGNUM *a); - -#ifdef OPENSSL_NO_DEPRECATED -#define BN_zero(a) BN_zero_ex(a) -#else -#define BN_zero(a) (BN_set_word((a),0)) -#endif +void BN_zero(BIGNUM *a); +int BN_one(BIGNUM *a); const BIGNUM *BN_value_one(void); char * BN_options(void); BN_CTX *BN_CTX_new(void); -#ifndef OPENSSL_NO_DEPRECATED -void BN_CTX_init(BN_CTX *c); -#endif void BN_CTX_free(BN_CTX *c); void BN_CTX_start(BN_CTX *ctx); BIGNUM *BN_CTX_get(BN_CTX *ctx); @@ -368,7 +331,6 @@ int BN_pseudo_rand_range(BIGNUM *rnd, const BIGNUM *range); int BN_num_bits(const BIGNUM *a); int BN_num_bits_word(BN_ULONG); BIGNUM *BN_new(void); -void BN_init(BIGNUM *); void BN_clear_free(BIGNUM *a); BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b); void BN_swap(BIGNUM *a, BIGNUM *b); @@ -385,10 +347,6 @@ int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); int BN_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); int BN_sqr(BIGNUM *r, const BIGNUM *a, BN_CTX *ctx); -/** BN_set_negative sets sign of a BIGNUM - * \param b pointer to the BIGNUM object - * \param n 0 if the BIGNUM b should be positive and a value != 0 otherwise - */ void BN_set_negative(BIGNUM *b, int n); int BN_is_negative(const BIGNUM *b); @@ -445,7 +403,6 @@ int BN_mod_exp_simple(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, int BN_mask_bits(BIGNUM *a, int n); int BN_print_fp(FILE *fp, const BIGNUM *a); int BN_print(BIO *fp, const BIGNUM *a); -int BN_reciprocal(BIGNUM *r, const BIGNUM *m, int len, BN_CTX *ctx); int BN_rshift(BIGNUM *r, const BIGNUM *a, int n); int BN_rshift1(BIGNUM *r, const BIGNUM *a); void BN_clear(BIGNUM *a); 
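Review bot: `void BN_zero(BIGNUM *a);` replaces a macro that expanded to `BN_set_word((a), 0)` and therefore yielded an `int`; code written as `if (!BN_zero(x))` or that otherwise tests the result no longer compiles, while `BN_one` keeps an `int` return. If the `void` return is deliberate because the new BN_zero cannot fail, a short note next to the two declarations would settle that at a glance, e.g. `/* BN_zero cannot fail and returns void; BN_one returns 1 on success, 0 on error. */`, with the BN_one convention to be confirmed against the implementation, which this hunk does not show.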
@@ -471,39 +428,15 @@ BIGNUM *BN_mod_sqrt(BIGNUM *ret, void BN_consttime_swap(BN_ULONG swap, BIGNUM *a, BIGNUM *b, int nwords); -/* Deprecated versions */ -#ifndef OPENSSL_NO_DEPRECATED -BIGNUM *BN_generate_prime(BIGNUM *ret, int bits, int safe, - const BIGNUM *add, const BIGNUM *rem, - void (*callback)(int, int, void *), void *cb_arg); -int BN_is_prime(const BIGNUM *p, int nchecks, - void (*callback)(int, int, void *), - BN_CTX *ctx, void *cb_arg); -int BN_is_prime_fasttest(const BIGNUM *p, int nchecks, - void (*callback)(int, int, void *), BN_CTX *ctx, void *cb_arg, - int do_trial_division); -#endif /* !defined(OPENSSL_NO_DEPRECATED) */ +int BN_security_bits(int L, int N); -/* Newer versions */ int BN_generate_prime_ex(BIGNUM *ret, int bits, int safe, const BIGNUM *add, const BIGNUM *rem, BN_GENCB *cb); int BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, BN_GENCB *cb); int BN_is_prime_fasttest_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, int do_trial_division, BN_GENCB *cb); -int BN_X931_generate_Xpq(BIGNUM *Xp, BIGNUM *Xq, int nbits, BN_CTX *ctx); - -int BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, - const BIGNUM *Xp, const BIGNUM *Xp1, const BIGNUM *Xp2, - const BIGNUM *e, BN_CTX *ctx, BN_GENCB *cb); -int BN_X931_generate_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, - BIGNUM *Xp1, BIGNUM *Xp2, - const BIGNUM *Xp, - const BIGNUM *e, BN_CTX *ctx, - BN_GENCB *cb); - BN_MONT_CTX *BN_MONT_CTX_new(void ); -void BN_MONT_CTX_init(BN_MONT_CTX *ctx); int BN_mod_mul_montgomery(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_MONT_CTX *mont, BN_CTX *ctx); int BN_to_montgomery(BIGNUM *r, const BIGNUM *a, BN_MONT_CTX *mont, 
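Review bot: `int BN_security_bits(int L, int N);` is added without a comment, and the single-letter parameter names give no hint of what L and N are or what the result measures. If this matches OpenSSL's function of the same name, L is the bit length of the prime or modulus and N the bit length of the subgroup order, with N <= 0 meaning there is none, and the result is the security strength in bits; a comment stating that, e.g. `/* Security strength in bits for an L-bit modulus and an N-bit subgroup order (N <= 0 if none). */`, would make the contract checkable. `DH_security_bits` in the dh.h hunk and `DSA_security_bits` in the dsa.h hunk further down are added in the same undocumented way and should say what they derive from the key.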
@@ -527,10 +460,7 @@ int BN_BLINDING_convert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); int BN_BLINDING_invert(BIGNUM *n, BN_BLINDING *b, BN_CTX *ctx); int BN_BLINDING_convert_ex(BIGNUM *n, BIGNUM *r, BN_BLINDING *b, BN_CTX *); int BN_BLINDING_invert_ex(BIGNUM *n, const BIGNUM *r, BN_BLINDING *b, BN_CTX *); -#ifndef OPENSSL_NO_DEPRECATED -unsigned long BN_BLINDING_get_thread_id(const BN_BLINDING *); -void BN_BLINDING_set_thread_id(BN_BLINDING *, unsigned long); -#endif + CRYPTO_THREADID *BN_BLINDING_thread_id(BN_BLINDING *); unsigned long BN_BLINDING_get_flags(const BN_BLINDING *); void BN_BLINDING_set_flags(BN_BLINDING *, unsigned long); 
@@ -540,97 +470,6 @@ BN_BLINDING *BN_BLINDING_create_param(BN_BLINDING *b, const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx), BN_MONT_CTX *m_ctx); -#ifndef OPENSSL_NO_DEPRECATED -void BN_set_params(int mul, int high, int low, int mont); -int BN_get_params(int which); /* 0, mul, 1 high, 2 low, 3 mont */ -#endif - -void BN_RECP_CTX_init(BN_RECP_CTX *recp); -BN_RECP_CTX *BN_RECP_CTX_new(void); -void BN_RECP_CTX_free(BN_RECP_CTX *recp); -int BN_RECP_CTX_set(BN_RECP_CTX *recp, const BIGNUM *rdiv, BN_CTX *ctx); -int BN_mod_mul_reciprocal(BIGNUM *r, const BIGNUM *x, const BIGNUM *y, - BN_RECP_CTX *recp, BN_CTX *ctx); -int BN_mod_exp_recp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - const BIGNUM *m, BN_CTX *ctx); -int BN_div_recp(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, - BN_RECP_CTX *recp, BN_CTX *ctx); - -#ifndef OPENSSL_NO_EC2M - -/* Functions for arithmetic over binary polynomials represented by BIGNUMs. - * - * The BIGNUM::neg property of BIGNUMs representing binary polynomials is - * ignored. - * - * Note that input arguments are not const so that their bit arrays can - * be expanded to the appropriate size if needed. 
- */ - -int BN_GF2m_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b); /*r = a + b*/ -#define BN_GF2m_sub(r, a, b) BN_GF2m_add(r, a, b) -int BN_GF2m_mod(BIGNUM *r, const BIGNUM *a, const BIGNUM *p); /*r=a mod p*/ -int -BN_GF2m_mod_mul(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - const BIGNUM *p, BN_CTX *ctx); /* r = (a * b) mod p */ -int -BN_GF2m_mod_sqr(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - BN_CTX *ctx); /* r = (a * a) mod p */ -int -BN_GF2m_mod_inv(BIGNUM *r, const BIGNUM *b, const BIGNUM *p, - BN_CTX *ctx); /* r = (1 / b) mod p */ -int -BN_GF2m_mod_div(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - const BIGNUM *p, BN_CTX *ctx); /* r = (a / b) mod p */ -int -BN_GF2m_mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - const BIGNUM *p, BN_CTX *ctx); /* r = (a ^ b) mod p */ -int -BN_GF2m_mod_sqrt(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - BN_CTX *ctx); /* r = sqrt(a) mod p */ -int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, - BN_CTX *ctx); /* r^2 + r = a mod p */ -#define BN_GF2m_cmp(a, b) BN_ucmp((a), (b)) -/* Some functions allow for representation of the irreducible polynomials - * as an unsigned int[], say p. The irreducible f(t) is then of the form: - * t^p[0] + t^p[1] + ... + t^p[k] - * where m = p[0] > p[1] > ... > p[k] = 0. 
- */ -int BN_GF2m_mod_arr(BIGNUM *r, const BIGNUM *a, const int p[]); -/* r = a mod p */ -int BN_GF2m_mod_mul_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - const int p[], BN_CTX *ctx); /* r = (a * b) mod p */ -int BN_GF2m_mod_sqr_arr(BIGNUM *r, const BIGNUM *a, const int p[], - BN_CTX *ctx); /* r = (a * a) mod p */ -int BN_GF2m_mod_inv_arr(BIGNUM *r, const BIGNUM *b, const int p[], - BN_CTX *ctx); /* r = (1 / b) mod p */ -int BN_GF2m_mod_div_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - const int p[], BN_CTX *ctx); /* r = (a / b) mod p */ -int BN_GF2m_mod_exp_arr(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, - const int p[], BN_CTX *ctx); /* r = (a ^ b) mod p */ -int BN_GF2m_mod_sqrt_arr(BIGNUM *r, const BIGNUM *a, - const int p[], BN_CTX *ctx); /* r = sqrt(a) mod p */ -int BN_GF2m_mod_solve_quad_arr(BIGNUM *r, const BIGNUM *a, - const int p[], BN_CTX *ctx); /* r^2 + r = a mod p */ -int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max); -int BN_GF2m_arr2poly(const int p[], BIGNUM *a); - -#endif - -/* faster mod functions for the 'NIST primes' - * 0 <= a < p^2 */ -int BN_nist_mod_192(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); -int BN_nist_mod_224(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); -int BN_nist_mod_256(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); -int BN_nist_mod_384(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); -int BN_nist_mod_521(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); - -const BIGNUM *BN_get0_nist_prime_192(void); -const BIGNUM *BN_get0_nist_prime_224(void); -const BIGNUM *BN_get0_nist_prime_256(void); -const BIGNUM *BN_get0_nist_prime_384(void); -const BIGNUM *BN_get0_nist_prime_521(void); - /* Primes from RFC 2409 */ BIGNUM *get_rfc2409_prime_768(BIGNUM *bn); BIGNUM *get_rfc2409_prime_1024(BIGNUM *bn); 
@@ -651,10 +490,6 @@ BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn); BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn); BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn); -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_BN_strings(void); /* Error codes for the BN functions. */ diff --git a/include/openssl/buffer.h b/include/openssl/buffer.h index ed6dac0..c210bfd 100644 --- a/include/openssl/buffer.h +++ b/include/openssl/buffer.h @@ -1,4 +1,4 @@ -/* $OpenBSD: buffer.h,v 1.15 2015/06/24 10:05:14 jsing Exp $ */ +/* $OpenBSD: buffer.h,v 1.16 2022/07/12 14:42:48 kn Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -98,10 +98,6 @@ size_t BUF_strlcat(char *dst, const char *src, size_t siz) __attribute__ ((__bounded__(__string__,1,3))); #endif -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_BUF_strings(void); /* Error codes for the BUF functions. */ diff --git a/include/openssl/comp.h b/include/openssl/comp.h index 7c99ead..58b51c6 100644 --- a/include/openssl/comp.h +++ b/include/openssl/comp.h 
@@ -1,4 +1,116 @@ -/* $OpenBSD: comp.h,v 1.9 2022/01/14 08:21:12 tb Exp $ */ +/* $OpenBSD: comp.h,v 1.11 2022/12/24 07:12:09 tb Exp $ */ +/* + * --------------------------------------------------------------------------- + * Patches to this file were contributed by + * Dr. Stephen Henson . + * --------------------------------------------------------------------------- + * Copyright (c) 1999, 2002, 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + * --------------------------------------------------------------------------- + * Parts of this file are derived from SSLeay code + * which is covered by the following Copyright and license: + * --------------------------------------------------------------------------- + * Copyright (c) 1998 Eric Young + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young . + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson . 
+ * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given + * attribution as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young " + * The word 'cryptographic' can be left out if the rouines from the + * library being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) + * from the apps directory (application code) you must include an + * acknowledgement: "This product includes software written + * by Tim Hudson " + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version + * or derivative of this code cannot be changed. i.e. this code cannot + * simply be copied and put under another distribution licence + * [including the GNU Public Licence.] + */ #ifndef HEADER_COMP_H #define HEADER_COMP_H diff --git a/include/openssl/conf.h b/include/openssl/conf.h index bea6a87..5d10163 100644 --- a/include/openssl/conf.h +++ b/include/openssl/conf.h @@ -1,4 +1,4 @@ -/* $OpenBSD: conf.h,v 1.15 2020/02/17 12:51:48 inoguchi Exp $ */ +/* $OpenBSD: conf.h,v 1.16 2022/07/12 14:42:48 kn Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -193,10 +193,6 @@ int CONF_parse_list(const char *list, int sep, int nospc, void OPENSSL_load_builtin_modules(void); -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_CONF_strings(void); /* Error codes for the CONF functions. */ diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h index 5524fee..0519202 100644 --- a/include/openssl/crypto.h +++ b/include/openssl/crypto.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: crypto.h,v 1.54 2022/01/14 08:23:25 tb Exp $ */ +/* $OpenBSD: crypto.h,v 1.60 2023/04/30 17:07:46 tb Exp $ */ /* ==================================================================== * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * @@ -248,8 +248,8 @@ DECLARE_STACK_OF(void) * The current classes are SSL_CTX, SSL, SSL_SESSION, and a few more */ typedef struct crypto_ex_data_func_st { - long argl; /* Arbitary long */ - void *argp; /* Arbitary void * */ + long argl; /* Arbitrary long */ + void *argp; /* Arbitrary void * */ CRYPTO_EX_new *new_func; CRYPTO_EX_free *free_func; CRYPTO_EX_dup *dup_func; @@ -509,10 +509,6 @@ void OPENSSL_init(void); int CRYPTO_memcmp(const void *a, const void *b, size_t len); #endif -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_CRYPTO_strings(void); /* Error codes for the CRYPTO functions. */ @@ -544,7 +540,7 @@ void ERR_load_CRYPTO_strings(void); #define _OPENSSL_INIT_FLAG_NOOP 0x80000000L /* - * These are provided for compatibiliy, but have no effect + * These are provided for compatibility, but have no effect * on how LibreSSL is initialized. */ #define OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS _OPENSSL_INIT_FLAG_NOOP @@ -566,6 +562,7 @@ void ERR_load_CRYPTO_strings(void); #define OPENSSL_INIT_ENGINE_ALL_BUILTIN _OPENSSL_INIT_FLAG_NOOP int OPENSSL_init_crypto(uint64_t opts, const void *settings); +void OPENSSL_cleanup(void); #ifdef __cplusplus } diff --git a/include/openssl/ct.h b/include/openssl/ct.h index 2b54903..895046e 100644 --- a/include/openssl/ct.h +++ b/include/openssl/ct.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ct.h,v 1.6 2021/12/18 16:50:40 tb Exp $ */ +/* $OpenBSD: ct.h,v 1.7 2022/05/08 20:59:32 tb Exp $ */ /* * Public API for Certificate Transparency (CT). * Written by Rob Percival (robpercival@google.com) for the OpenSSL project. 
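Review bot: `void OPENSSL_cleanup(void);` is added with no comment, directly below a block whose `OPENSSL_INIT_*` flags are explicitly documented as having no effect on how LibreSSL is initialized, so a reader cannot tell whether this is a real teardown entry point or another compatibility no-op. I would state which it is at the declaration, and if it does release library-global state, say that it is a once-only call that must not race other threads still using the library, e.g. `/* Releases library-global state; call once, after all other use of the library has finished. */`, adjusted if it is in fact a no-op, which this hunk does not show.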
@@ -61,7 +61,6 @@
 #include
 #include
 #include
-#include
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -507,6 +506,60 @@ int CTLOG_STORE_load_file(CTLOG_STORE *store, const char *file);
  */
 int CTLOG_STORE_load_default_file(CTLOG_STORE *store);
 
+int ERR_load_CT_strings(void);
+
+/*
+ * CT function codes.
+ */
+# define CT_F_CTLOG_NEW 117
+# define CT_F_CTLOG_NEW_FROM_BASE64 118
+# define CT_F_CTLOG_NEW_FROM_CONF 119
+# define CT_F_CTLOG_STORE_LOAD_CTX_NEW 122
+# define CT_F_CTLOG_STORE_LOAD_FILE 123
+# define CT_F_CTLOG_STORE_LOAD_LOG 130
+# define CT_F_CTLOG_STORE_NEW 131
+# define CT_F_CT_BASE64_DECODE 124
+# define CT_F_CT_POLICY_EVAL_CTX_NEW 133
+# define CT_F_CT_V1_LOG_ID_FROM_PKEY 125
+# define CT_F_I2O_SCT 107
+# define CT_F_I2O_SCT_LIST 108
+# define CT_F_I2O_SCT_SIGNATURE 109
+# define CT_F_O2I_SCT 110
+# define CT_F_O2I_SCT_LIST 111
+# define CT_F_O2I_SCT_SIGNATURE 112
+# define CT_F_SCT_CTX_NEW 126
+# define CT_F_SCT_CTX_VERIFY 128
+# define CT_F_SCT_NEW 100
+# define CT_F_SCT_NEW_FROM_BASE64 127
+# define CT_F_SCT_SET0_LOG_ID 101
+# define CT_F_SCT_SET1_EXTENSIONS 114
+# define CT_F_SCT_SET1_LOG_ID 115
+# define CT_F_SCT_SET1_SIGNATURE 116
+# define CT_F_SCT_SET_LOG_ENTRY_TYPE 102
+# define CT_F_SCT_SET_SIGNATURE_NID 103
+# define CT_F_SCT_SET_VERSION 104
+
+/*
+ * CT reason codes.
+ */
+# define CT_R_BASE64_DECODE_ERROR 108
+# define CT_R_INVALID_LOG_ID_LENGTH 100
+# define CT_R_LOG_CONF_INVALID 109
+# define CT_R_LOG_CONF_INVALID_KEY 110
+# define CT_R_LOG_CONF_MISSING_DESCRIPTION 111
+# define CT_R_LOG_CONF_MISSING_KEY 112
+# define CT_R_LOG_KEY_INVALID 113
+# define CT_R_SCT_FUTURE_TIMESTAMP 116
+# define CT_R_SCT_INVALID 104
+# define CT_R_SCT_INVALID_SIGNATURE 107
+# define CT_R_SCT_LIST_INVALID 105
+# define CT_R_SCT_LOG_ID_MISMATCH 114
+# define CT_R_SCT_NOT_SET 106
+# define CT_R_SCT_UNSUPPORTED_VERSION 115
+# define CT_R_UNRECOGNIZED_SIGNATURE_NID 101
+# define CT_R_UNSUPPORTED_ENTRY_TYPE 102
+# define CT_R_UNSUPPORTED_VERSION 103
+
 #ifdef __cplusplus
 }
 #endif
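Review bot: The CT function and reason codes moved here from cterr.h sat inside a `# ifndef OPENSSL_NO_CT` in the deleted header, and nothing in this hunk shows an equivalent guard in ct.h, so `ERR_load_CT_strings` and the codes may now be declared in a build without CT; worth confirming against the top of ct.h, which is outside the hunk. Deleting cterr.h also removes a public header, so any consumer with `#include <openssl/cterr.h>` now fails to compile; a one-line stub that includes ct.h would keep such code building. Finally, the `# define` spelling with a space after `#` is carried over from the generated file, while the other headers in this diff use plain `#define` (see the DSA_R_ and EVP_PKEY_CTRL_ lines in dsa.h); I would normalise it while moving the block.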
diff --git a/include/openssl/cterr.h b/include/openssl/cterr.h
deleted file mode 100644
index 07ae519..0000000
--- a/include/openssl/cterr.h
+++ /dev/null
@@ -1,127 +0,0 @@ -/* $OpenBSD: cterr.h,v 1.5 2021/12/18 16:50:40 tb Exp $ */ -/* ==================================================================== - * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - -#ifndef HEADER_CTERR_H -# define HEADER_CTERR_H - -# include - -# ifndef OPENSSL_NO_CT - -#ifdef __cplusplus -extern "C" -#endif - -int ERR_load_CT_strings(void); - -/* - * CT function codes. 
- */ -# define CT_F_CTLOG_NEW 117 -# define CT_F_CTLOG_NEW_FROM_BASE64 118 -# define CT_F_CTLOG_NEW_FROM_CONF 119 -# define CT_F_CTLOG_STORE_LOAD_CTX_NEW 122 -# define CT_F_CTLOG_STORE_LOAD_FILE 123 -# define CT_F_CTLOG_STORE_LOAD_LOG 130 -# define CT_F_CTLOG_STORE_NEW 131 -# define CT_F_CT_BASE64_DECODE 124 -# define CT_F_CT_POLICY_EVAL_CTX_NEW 133 -# define CT_F_CT_V1_LOG_ID_FROM_PKEY 125 -# define CT_F_I2O_SCT 107 -# define CT_F_I2O_SCT_LIST 108 -# define CT_F_I2O_SCT_SIGNATURE 109 -# define CT_F_O2I_SCT 110 -# define CT_F_O2I_SCT_LIST 111 -# define CT_F_O2I_SCT_SIGNATURE 112 -# define CT_F_SCT_CTX_NEW 126 -# define CT_F_SCT_CTX_VERIFY 128 -# define CT_F_SCT_NEW 100 -# define CT_F_SCT_NEW_FROM_BASE64 127 -# define CT_F_SCT_SET0_LOG_ID 101 -# define CT_F_SCT_SET1_EXTENSIONS 114 -# define CT_F_SCT_SET1_LOG_ID 115 -# define CT_F_SCT_SET1_SIGNATURE 116 -# define CT_F_SCT_SET_LOG_ENTRY_TYPE 102 -# define CT_F_SCT_SET_SIGNATURE_NID 103 -# define CT_F_SCT_SET_VERSION 104 - -/* - * CT reason codes. - */ -# define CT_R_BASE64_DECODE_ERROR 108 -# define CT_R_INVALID_LOG_ID_LENGTH 100 -# define CT_R_LOG_CONF_INVALID 109 -# define CT_R_LOG_CONF_INVALID_KEY 110 -# define CT_R_LOG_CONF_MISSING_DESCRIPTION 111 -# define CT_R_LOG_CONF_MISSING_KEY 112 -# define CT_R_LOG_KEY_INVALID 113 -# define CT_R_SCT_FUTURE_TIMESTAMP 116 -# define CT_R_SCT_INVALID 104 -# define CT_R_SCT_INVALID_SIGNATURE 107 -# define CT_R_SCT_LIST_INVALID 105 -# define CT_R_SCT_LOG_ID_MISMATCH 114 -# define CT_R_SCT_NOT_SET 106 -# define CT_R_SCT_UNSUPPORTED_VERSION 115 -# define CT_R_UNRECOGNIZED_SIGNATURE_NID 101 -# define CT_R_UNSUPPORTED_ENTRY_TYPE 102 -# define CT_R_UNSUPPORTED_VERSION 103 - -# endif -#endif diff --git a/include/openssl/curve25519.h b/include/openssl/curve25519.h index c16a4e2..e42bc22 100644 --- a/include/openssl/curve25519.h +++ b/include/openssl/curve25519.h 
@@ -1,4 +1,4 @@
-/* $OpenBSD: curve25519.h,v 1.3 2019/05/11 15:55:52 tb Exp $ */
+/* $OpenBSD: curve25519.h,v 1.7 2022/11/13 14:05:04 tb Exp $ */
 /*
  * Copyright (c) 2015, Google Inc.
  *
@@ -61,6 +61,42 @@ int X25519(uint8_t out_shared_key[X25519_KEY_LENGTH],
     const uint8_t private_key[X25519_KEY_LENGTH],
     const uint8_t peers_public_value[X25519_KEY_LENGTH]);
 
+/*
+ * ED25519
+ *
+ * Ed25519 is a signature scheme using a twisted Edwards curve that is
+ * birationally equivalent to curve25519.
+ */
+
+#define ED25519_PRIVATE_KEY_LENGTH 32
+#define ED25519_PUBLIC_KEY_LENGTH 32
+#define ED25519_SIGNATURE_LENGTH 64
+
+/*
+ * ED25519_keypair sets |out_public_key| and |out_private_key| to a freshly
+ * generated, public/private key pair.
+ */
+void ED25519_keypair(uint8_t out_public_key[ED25519_PUBLIC_KEY_LENGTH],
+    uint8_t out_private_key[ED25519_PRIVATE_KEY_LENGTH]);
+
+/*
+ * ED25519_sign sets |out_sig| to be a signature of |message_len| bytes from
+ * |message| using |public_key| and |private_key|. It returns one on success
+ * or zero on allocation failure.
+ */
+int ED25519_sign(uint8_t *out_sig, const uint8_t *message, size_t message_len,
+    const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH],
+    const uint8_t private_key_seed[ED25519_PRIVATE_KEY_LENGTH]);
+
+/*
+ * ED25519_verify returns one iff |signature| is a valid signature by
+ * |public_key| of |message_len| bytes from |message|. It returns zero
+ * otherwise.
+ */
+int ED25519_verify(const uint8_t *message, size_t message_len,
+    const uint8_t signature[ED25519_SIGNATURE_LENGTH],
+    const uint8_t public_key[ED25519_PUBLIC_KEY_LENGTH]);
+
 #if defined(__cplusplus)
 } /* extern C */
 #endif
diff --git a/include/openssl/dh.h b/include/openssl/dh.h
index ef10495..65b4348 100644
--- a/include/openssl/dh.h
+++ b/include/openssl/dh.h
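Review bot: `ED25519_sign` takes `uint8_t *out_sig` with no length in either the prototype or the comment, while every other buffer in this block is declared with its `*_LENGTH` array size, so the caller has to guess that `out_sig` must hold `ED25519_SIGNATURE_LENGTH` bytes. I would declare it as `uint8_t out_sig[ED25519_SIGNATURE_LENGTH]`, matching the `signature` parameter of `ED25519_verify` directly below. The comment above it also speaks of `|private_key|` although the parameter is named `private_key_seed`; one of the two should change so the documentation and the prototype agree.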
@@ -1,4 +1,4 @@ -/* $OpenBSD: dh.h,v 1.32 2022/01/14 08:25:44 tb Exp $ */ +/* $OpenBSD: dh.h,v 1.37 2023/04/18 08:33:43 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -69,9 +69,7 @@ #include #endif #include -#ifndef OPENSSL_NO_DEPRECATED #include -#endif #ifndef OPENSSL_DH_MAX_MODULUS_BITS # define OPENSSL_DH_MAX_MODULUS_BITS 10000 @@ -143,6 +141,7 @@ int DH_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int DH_set_ex_data(DH *d, int idx, void *arg); void *DH_get_ex_data(DH *d, int idx); +int DH_security_bits(const DH *dh); ENGINE *DH_get0_engine(DH *d); void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, @@ -161,11 +160,12 @@ void DH_set_flags(DH *dh, int flags); long DH_get_length(const DH *dh); int DH_set_length(DH *dh, long length); -/* Deprecated version */ -#ifndef OPENSSL_NO_DEPRECATED +/* + * Wrapped in OPENSSL_NO_DEPRECATED in 0.9.8, added to rust-openssl in 2020, + * for "advanced DH support". + */ DH * DH_generate_parameters(int prime_len,int generator, void (*callback)(int,int,void *),void *cb_arg); -#endif /* !defined(OPENSSL_NO_DEPRECATED) */ /* New version */ int DH_generate_parameters_ex(DH *dh, int prime_len,int generator, BN_GENCB *cb); @@ -195,10 +195,6 @@ int DHparams_print(char *bp, const DH *x); #define EVP_PKEY_CTRL_DH_PARAMGEN_GENERATOR (EVP_PKEY_ALG_CTRL + 2) -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_DH_strings(void); /* Error codes for the DH functions. */ diff --git a/include/openssl/dsa.h b/include/openssl/dsa.h index 4fafce3..8029e7f 100644 --- a/include/openssl/dsa.h +++ b/include/openssl/dsa.h 
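Review bot: The new comment on `DH_generate_parameters` records why the deprecation guard was dropped (0.9.8, rust-openssl) but does not tell a reader which interface they are meant to use; the bare `/* New version */` on `DH_generate_parameters_ex` is the only hint. I would add one sentence such as `Legacy callback interface kept for compatibility; new code should use DH_generate_parameters_ex().` The `DSA_generate_parameters` comment in the dsa.h hunk that follows has the same gap.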
@@ -1,4 +1,4 @@ -/* $OpenBSD: dsa.h,v 1.35 2022/01/14 08:27:23 tb Exp $ */ +/* $OpenBSD: dsa.h,v 1.43 2023/04/18 08:47:28 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -74,15 +74,13 @@ #ifndef OPENSSL_NO_BIO #include #endif -#include -#include - -#ifndef OPENSSL_NO_DEPRECATED #include +#include #ifndef OPENSSL_NO_DH # include #endif -#endif + +#include #ifndef OPENSSL_DSA_MAX_MODULUS_BITS # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 @@ -151,6 +149,7 @@ int DSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); int DSA_set_ex_data(DSA *d, int idx, void *arg); void *DSA_get_ex_data(DSA *d, int idx); +int DSA_security_bits(const DSA *d); DSA *d2i_DSAPublicKey(DSA **a, const unsigned char **pp, long length); int i2d_DSAPublicKey(const DSA *a, unsigned char **pp); @@ -164,13 +163,11 @@ DSA *d2i_DSAparams(DSA **a, const unsigned char **pp, long length); int i2d_DSAparams(const DSA *a,unsigned char **pp); extern const ASN1_ITEM DSAparams_it; -/* Deprecated version */ -#ifndef OPENSSL_NO_DEPRECATED +/* Wrapped in OPENSSL_NO_DEPRECATED in 0.9.8. Still used in 2023. */ DSA * DSA_generate_parameters(int bits, unsigned char *seed,int seed_len, int *counter_ret, unsigned long *h_ret,void (*callback)(int, int, void *),void *cb_arg); -#endif /* !defined(OPENSSL_NO_DEPRECATED) */ /* New version */ int DSA_generate_parameters_ex(DSA *dsa, int bits, @@ -219,6 +216,8 @@ ENGINE *DSA_get0_engine(DSA *d); DSA_METHOD *DSA_meth_new(const char *name, int flags); void DSA_meth_free(DSA_METHOD *meth); DSA_METHOD *DSA_meth_dup(const DSA_METHOD *meth); +const char *DSA_meth_get0_name(const DSA_METHOD *meth); +int DSA_meth_set1_name(DSA_METHOD *meth, const char *name); int DSA_meth_set_sign(DSA_METHOD *meth, DSA_SIG *(*sign)(const unsigned char *, int, DSA *)); int DSA_meth_set_finish(DSA_METHOD *meth, int (*finish)(DSA *)); 
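Review bot: `DSA_meth_set1_name(DSA_METHOD *meth, const char *name)` and `DSA_meth_get0_name` are declared with no comment on ownership; the `set1`/`get0` suffixes suggest the setter copies `name` and the getter returns a pointer owned by `meth`, but the header should say so, and whether a NULL `name` is accepted. Suggested wording, to be confirmed against the implementation: `/* DSA_meth_set1_name copies |name| into |meth|; DSA_meth_get0_name returns a pointer owned by |meth|. */`. `DSA_security_bits` in the hunk above has the same gap as `DH_security_bits`: its return value on unknown or out-of-range parameters is not stated.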
@@ -231,10 +230,6 @@ int DSA_meth_set_finish(DSA_METHOD *meth, int (*finish)(DSA *)); #define EVP_PKEY_CTRL_DSA_PARAMGEN_Q_BITS (EVP_PKEY_ALG_CTRL + 2) #define EVP_PKEY_CTRL_DSA_PARAMGEN_MD (EVP_PKEY_ALG_CTRL + 3) -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_DSA_strings(void); /* Error codes for the DSA functions. */ @@ -273,6 +268,7 @@ void ERR_load_DSA_strings(void); #define DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE 100 #define DSA_R_DECODE_ERROR 104 #define DSA_R_INVALID_DIGEST_TYPE 106 +#define DSA_R_INVALID_PARAMETERS 112 #define DSA_R_MISSING_PARAMETERS 101 #define DSA_R_MODULUS_TOO_LARGE 103 #define DSA_R_NEED_NEW_SETUP_VALUES 110 diff --git a/include/openssl/dso.h b/include/openssl/dso.h index 6c982c9..c3963a8 100644 --- a/include/openssl/dso.h +++ b/include/openssl/dso.h @@ -1,4 +1,4 @@ -/* $OpenBSD: dso.h,v 1.12 2016/03/15 20:50:22 krw Exp $ */ +/* $OpenBSD: dso.h,v 1.14 2022/12/26 07:18:51 jmc Exp $ */ /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL * project 2000. */ 
@@ -109,14 +109,14 @@ typedef struct dso_st DSO; /* The function prototype used for method functions (or caller-provided * callbacks) that transform filenames. They are passed a DSO structure pointer - * (or NULL if they are to be used independantly of a DSO object) and a + * (or NULL if they are to be used independently of a DSO object) and a * filename to transform. They should either return NULL (if there is an error * condition) or a newly allocated string containing the transformed form that * the caller will need to free with free() when done. */ typedef char* (*DSO_NAME_CONVERTER_FUNC)(DSO *, const char *); /* The function prototype used for method functions (or caller-provided * callbacks) that merge two file specifications. They are passed a - * DSO structure pointer (or NULL if they are to be used independantly of + * DSO structure pointer (or NULL if they are to be used independently of * a DSO object) and two file specifications to merge. They should * either return NULL (if there is an error condition) or a newly allocated * string containing the result of merging that the caller will need @@ -285,7 +285,7 @@ DSO_METHOD *DSO_METHOD_dlfcn(void); * containing 'addr' into 'sz' large caller-provided 'path' and * returns the number of characters [including trailing zero] * written to it. If 'sz' is 0 or negative, 'path' is ignored and - * required amount of charachers [including trailing zero] to + * required amount of characters [including trailing zero] to * accommodate pathname is returned. If 'addr' is NULL, then * pathname of cryptolib itself is returned. Negative or zero * return value denotes error. 
@@ -302,10 +302,6 @@ int DSO_pathbyaddr(void *addr, char *path, int sz); * itself or libsocket. */ void *DSO_global_lookup(const char *name); -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_DSO_strings(void); /* Error codes for the DSO functions. */ diff --git a/include/openssl/ec.h b/include/openssl/ec.h index d8ff42c..6b5d7b4 100644 --- a/include/openssl/ec.h +++ b/include/openssl/ec.h @@ -1,11 +1,7 @@ -/* $OpenBSD: ec.h,v 1.27 2021/09/12 16:23:19 tb Exp $ */ +/* $OpenBSD: ec.h,v 1.41 2023/04/27 07:10:05 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ -/** - * \file crypto/ec/ec.h Include file for the OpenSSL EC functions - * \author Originally written by Bodo Moeller for the OpenSSL project - */ /* ==================================================================== * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. * @@ -14,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in 
@@ -62,15 +58,14 @@ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * - * Portions of the attached software ("Contribution") are developed by + * Portions of the attached software ("Contribution") are developed by * SUN MICROSYSTEMS, INC., and are contributed to the OpenSSL project. * * The Contribution is licensed pursuant to the OpenSSL open source * license provided above. * - * The elliptic curve binary polynomial software is originally written by + * The elliptic curve binary polynomial software is originally written by * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories. - * */ #ifndef HEADER_EC_H @@ -83,9 +78,7 @@ #endif #include -#ifndef OPENSSL_NO_DEPRECATED #include -#endif #ifdef __cplusplus extern "C" { 
@@ -95,187 +88,52 @@ extern "C" { # endif #endif - #ifndef OPENSSL_ECC_MAX_FIELD_BITS #define OPENSSL_ECC_MAX_FIELD_BITS 661 #endif -/** Enum for the point conversion form as defined in X9.62 (ECDSA) - * for the encoding of a elliptic curve point (x,y) */ +/* Elliptic point conversion form as per X9.62, page 4 and section 4.4.2. */ typedef enum { - /** the point is encoded as z||x, where the octet z specifies - * which solution of the quadratic equation y is */ POINT_CONVERSION_COMPRESSED = 2, - /** the point is encoded as z||x||y, where z is the octet 0x02 */ POINT_CONVERSION_UNCOMPRESSED = 4, - /** the point is encoded as z||x||y, where the octet z specifies - * which solution of the quadratic equation y is */ POINT_CONVERSION_HYBRID = 6 } point_conversion_form_t; - typedef struct ec_method_st EC_METHOD; - -typedef struct ec_group_st - /* - EC_METHOD *meth; - -- field definition - -- curve coefficients - -- optional generator with associated information (order, cofactor) - -- optional extra data (precomputed table for fast computation of multiples of generator) - -- ASN1 stuff - */ - EC_GROUP; - +typedef struct ec_group_st EC_GROUP; typedef struct ec_point_st EC_POINT; - -/********************************************************************/ -/* EC_METHODs for curves over GF(p) */ -/********************************************************************/ - -/** Returns the basic GFp ec methods which provides the basis for the - * optimized methods. - * \return EC_METHOD object - */ const EC_METHOD *EC_GFp_simple_method(void); - -/** Returns GFp methods using montgomery multiplication. 
- * \return EC_METHOD object - */ const EC_METHOD *EC_GFp_mont_method(void); -/** Returns GFp methods using optimized methods for NIST recommended curves - * \return EC_METHOD object - */ -const EC_METHOD *EC_GFp_nist_method(void); - -#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 -/** Returns 64-bit optimized methods for nistp224 - * \return EC_METHOD object - */ -const EC_METHOD *EC_GFp_nistp224_method(void); - -/** Returns 64-bit optimized methods for nistp256 - * \return EC_METHOD object - */ -const EC_METHOD *EC_GFp_nistp256_method(void); - -/** Returns 64-bit optimized methods for nistp521 - * \return EC_METHOD object - */ -const EC_METHOD *EC_GFp_nistp521_method(void); -#endif - -#ifndef OPENSSL_NO_EC2M -/********************************************************************/ -/* EC_METHOD for curves over GF(2^m) */ -/********************************************************************/ - -/** Returns the basic GF2m ec method - * \return EC_METHOD object - */ -const EC_METHOD *EC_GF2m_simple_method(void); - -#endif - - -/********************************************************************/ -/* EC_GROUP functions */ -/********************************************************************/ - -/** Creates a new EC_GROUP object - * \param meth EC_METHOD to use - * \return newly created EC_GROUP object or NULL in case of an error. - */ EC_GROUP *EC_GROUP_new(const EC_METHOD *meth); - -/** Frees a EC_GROUP object - * \param group EC_GROUP object to be freed. - */ void EC_GROUP_free(EC_GROUP *group); - -/** Clears and frees a EC_GROUP object - * \param group EC_GROUP object to be cleared and freed. - */ +#ifndef LIBRESSL_INTERNAL void EC_GROUP_clear_free(EC_GROUP *group); +#endif -/** Copies EC_GROUP objects. Note: both EC_GROUPs must use the same EC_METHOD. - * \param dst destination EC_GROUP object - * \param src source EC_GROUP object - * \return 1 on success and 0 if an error occurred. 
- */ int EC_GROUP_copy(EC_GROUP *dst, const EC_GROUP *src); - -/** Creates a new EC_GROUP object and copies the copies the content - * form src to the newly created EC_KEY object - * \param src source EC_GROUP object - * \return newly created EC_GROUP object or NULL in case of an error. - */ EC_GROUP *EC_GROUP_dup(const EC_GROUP *src); -/** Returns the EC_METHOD of the EC_GROUP object. - * \param group EC_GROUP object - * \return EC_METHOD used in this EC_GROUP object. - */ const EC_METHOD *EC_GROUP_method_of(const EC_GROUP *group); - -/** Returns the field type of the EC_METHOD. - * \param meth EC_METHOD object - * \return NID of the underlying field type OID. - */ int EC_METHOD_get_field_type(const EC_METHOD *meth); -/** Sets the generator and it's order/cofactor of a EC_GROUP object. - * \param group EC_GROUP object - * \param generator EC_POINT object with the generator. - * \param order the order of the group generated by the generator. - * \param cofactor the index of the sub-group generated by the generator - * in the group of all points on the elliptic curve. - * \return 1 on success and 0 if an error occured - */ -int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, const BIGNUM *order, const BIGNUM *cofactor); - -/** Returns the generator of a EC_GROUP object. - * \param group EC_GROUP object - * \return the currently used generator (possibly NULL). 
- */ +int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, + const BIGNUM *order, const BIGNUM *cofactor); const EC_POINT *EC_GROUP_get0_generator(const EC_GROUP *group); -/** Gets the order of a EC_GROUP - * \param group EC_GROUP object - * \param order BIGNUM to which the order is copied - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ int EC_GROUP_get_order(const EC_GROUP *group, BIGNUM *order, BN_CTX *ctx); - int EC_GROUP_order_bits(const EC_GROUP *group); - -/** Gets the cofactor of a EC_GROUP - * \param group EC_GROUP object - * \param cofactor BIGNUM to which the cofactor is copied - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ int EC_GROUP_get_cofactor(const EC_GROUP *group, BIGNUM *cofactor, BN_CTX *ctx); -/** Sets the name of a EC_GROUP object - * \param group EC_GROUP object - * \param nid NID of the curve name OID - */ void EC_GROUP_set_curve_name(EC_GROUP *group, int nid); - -/** Returns the curve name of a EC_GROUP object - * \param group EC_GROUP object - * \return NID of the curve name OID or 0 if not set. - */ int EC_GROUP_get_curve_name(const EC_GROUP *group); void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag); int EC_GROUP_get_asn1_flag(const EC_GROUP *group); -void EC_GROUP_set_point_conversion_form(EC_GROUP *group, point_conversion_form_t form); +void EC_GROUP_set_point_conversion_form(EC_GROUP *group, + point_conversion_form_t form); point_conversion_form_t EC_GROUP_get_point_conversion_form(const EC_GROUP *); unsigned char *EC_GROUP_get0_seed(const EC_GROUP *x); 
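Review bot: `EC_GROUP_clear_free` is now declared only under `#ifndef LIBRESSL_INTERNAL`, with nothing saying why the library itself no longer sees it; the same guard is added around `EC_POINT_clear_free` in the next hunk. External callers who chose `*_clear_free` for secure erasure of private-key material cannot tell from the header whether `EC_GROUP_free`/`EC_POINT_free` now clear as well or whether `clear_free` is simply being phased out. A one-line comment at the guard, e.g. `/* Kept for external callers only; <state whether EC_GROUP_free clears the group> */` with the actual behaviour filled in, would settle it for both functions.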
@@ -286,173 +144,46 @@ int EC_GROUP_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); int EC_GROUP_get_curve(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx); + #if !defined(LIBRESSL_INTERNAL) -/** Sets the parameter of a ec over GFp defined by y^2 = x^3 + a*x + b - * \param group EC_GROUP object - * \param p BIGNUM with the prime number - * \param a BIGNUM with parameter a of the equation - * \param b BIGNUM with parameter b of the equation - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ -int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); - -/** Gets the parameter of the ec over GFp defined by y^2 = x^3 + a*x + b - * \param group EC_GROUP object - * \param p BIGNUM for the prime number - * \param a BIGNUM for parameter a of the equation - * \param b BIGNUM for parameter b of the equation - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ -int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx); - -#ifndef OPENSSL_NO_EC2M -/** Sets the parameter of a ec over GF2m defined by y^2 + x*y = x^3 + a*x^2 + b - * \param group EC_GROUP object - * \param p BIGNUM with the polynomial defining the underlying field - * \param a BIGNUM with parameter a of the equation - * \param b BIGNUM with parameter b of the equation - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ -int EC_GROUP_set_curve_GF2m(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); - -/** Gets the parameter of the ec over GF2m defined by y^2 + x*y = x^3 + a*x^2 + b - * \param group EC_GROUP object - * \param p BIGNUM for the polynomial defining the underlying field - * \param a BIGNUM for parameter a of the equation - * \param b BIGNUM for parameter b of the equation - * \param ctx BN_CTX 
object (optional) - * \return 1 on success and 0 if an error occured - */ -int EC_GROUP_get_curve_GF2m(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, BIGNUM *b, BN_CTX *ctx); -#endif +int EC_GROUP_set_curve_GFp(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, + const BIGNUM *b, BN_CTX *ctx); +int EC_GROUP_get_curve_GFp(const EC_GROUP *group, BIGNUM *p, BIGNUM *a, + BIGNUM *b, BN_CTX *ctx); #endif -/** Returns the number of bits needed to represent a field element - * \param group EC_GROUP object - * \return number of bits needed to represent a field element - */ int EC_GROUP_get_degree(const EC_GROUP *group); -/** Checks whether the parameter in the EC_GROUP define a valid ec group - * \param group EC_GROUP object - * \param ctx BN_CTX object (optional) - * \return 1 if group is a valid ec group and 0 otherwise - */ int EC_GROUP_check(const EC_GROUP *group, BN_CTX *ctx); - -/** Checks whether the discriminant of the elliptic curve is zero or not - * \param group EC_GROUP object - * \param ctx BN_CTX object (optional) - * \return 1 if the discriminant is not zero and 0 otherwise - */ int EC_GROUP_check_discriminant(const EC_GROUP *group, BN_CTX *ctx); -/** Compares two EC_GROUP objects - * \param a first EC_GROUP object - * \param b second EC_GROUP object - * \param ctx BN_CTX object (optional) - * \return 0 if both groups are equal and 1 otherwise - */ +/* Compare two EC_GROUPs. Returns 0 if both groups are equal, 1 otherwise. 
*/ int EC_GROUP_cmp(const EC_GROUP *a, const EC_GROUP *b, BN_CTX *ctx); -/* EC_GROUP_new_GF*() calls EC_GROUP_new() and EC_GROUP_set_GF*() - * after choosing an appropriate EC_METHOD */ - -/** Creates a new EC_GROUP object with the specified parameters defined - * over GFp (defined by the equation y^2 = x^3 + a*x + b) - * \param p BIGNUM with the prime number - * \param a BIGNUM with the parameter a of the equation - * \param b BIGNUM with the parameter b of the equation - * \param ctx BN_CTX object (optional) - * \return newly created EC_GROUP object with the specified parameters - */ -EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -#ifndef OPENSSL_NO_EC2M -/** Creates a new EC_GROUP object with the specified parameters defined - * over GF2m (defined by the equation y^2 + x*y = x^3 + a*x^2 + b) - * \param p BIGNUM with the polynomial defining the underlying field - * \param a BIGNUM with the parameter a of the equation - * \param b BIGNUM with the parameter b of the equation - * \param ctx BN_CTX object (optional) - * \return newly created EC_GROUP object with the specified parameters - */ -EC_GROUP *EC_GROUP_new_curve_GF2m(const BIGNUM *p, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); -#endif -/** Creates a EC_GROUP object with a curve specified by a NID - * \param nid NID of the OID of the curve name - * \return newly created EC_GROUP object with specified curve or NULL - * if an error occurred - */ +EC_GROUP *EC_GROUP_new_curve_GFp(const BIGNUM *p, const BIGNUM *a, + const BIGNUM *b, BN_CTX *ctx); EC_GROUP *EC_GROUP_new_by_curve_name(int nid); - -/********************************************************************/ -/* handling of internal curves */ -/********************************************************************/ - -typedef struct { +typedef struct { int nid; const char *comment; - } EC_builtin_curve; +} EC_builtin_curve; -/* EC_builtin_curves(EC_builtin_curve *r, size_t size) returns number - * of 
all available curves or zero if a error occurred. - * In case r ist not zero nitems EC_builtin_curve structures - * are filled with the data of the first nitems internal groups */ size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems); const char *EC_curve_nid2nist(int nid); int EC_curve_nist2nid(const char *name); -/********************************************************************/ -/* EC_POINT functions */ -/********************************************************************/ - -/** Creates a new EC_POINT object for the specified EC_GROUP - * \param group EC_GROUP the underlying EC_GROUP object - * \return newly created EC_POINT object or NULL if an error occurred - */ EC_POINT *EC_POINT_new(const EC_GROUP *group); - -/** Frees a EC_POINT object - * \param point EC_POINT object to be freed - */ void EC_POINT_free(EC_POINT *point); - -/** Clears and frees a EC_POINT object - * \param point EC_POINT object to be cleared and freed - */ +#ifndef LIBRESSL_INTERNAL void EC_POINT_clear_free(EC_POINT *point); - -/** Copies EC_POINT object - * \param dst destination EC_POINT object - * \param src source EC_POINT object - * \return 1 on success and 0 if an error occured - */ +#endif int EC_POINT_copy(EC_POINT *dst, const EC_POINT *src); - -/** Creates a new EC_POINT object and copies the content of the supplied - * EC_POINT - * \param src source EC_POINT object - * \param group underlying the EC_GROUP object - * \return newly created EC_POINT object or NULL if an error occurred - */ EC_POINT *EC_POINT_dup(const EC_POINT *src, const EC_GROUP *group); - -/** Returns the EC_METHOD used in EC_POINT object - * \param point EC_POINT object - * \return the EC_METHOD used - */ + const EC_METHOD *EC_POINT_method_of(const EC_POINT *point); -/** Sets a point to infinity (neutral element) - * \param group underlying EC_GROUP object - * \param point EC_POINT to set to infinity - * \return 1 on success and 0 if an error occured - */ int EC_POINT_set_to_infinity(const 
EC_GROUP *group, EC_POINT *point); int EC_POINT_set_affine_coordinates(const EC_GROUP *group, EC_POINT *p, 
@@ -462,251 +193,54 @@ int EC_POINT_get_affine_coordinates(const EC_GROUP *group, const EC_POINT *p, int EC_POINT_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *p, const BIGNUM *x, int y_bit, BN_CTX *ctx); -#if defined(LIBRESSL_INTERNAL) - -int EC_POINT_set_Jprojective_coordinates(const EC_GROUP *group, EC_POINT *p, - const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx); -int EC_POINT_get_Jprojective_coordinates(const EC_GROUP *group, - const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx); - -#else - -/** Sets the jacobian projective coordinates of a EC_POINT over GFp - * \param group underlying EC_GROUP object - * \param p EC_POINT object - * \param x BIGNUM with the x-coordinate - * \param y BIGNUM with the y-coordinate - * \param z BIGNUM with the z-coordinate - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ +#ifndef LIBRESSL_INTERNAL int EC_POINT_set_Jprojective_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, - const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx); - -/** Gets the jacobian projective coordinates of a EC_POINT over GFp - * \param group underlying EC_GROUP object - * \param p EC_POINT object - * \param x BIGNUM for the x-coordinate - * \param y BIGNUM for the y-coordinate - * \param z BIGNUM for the z-coordinate - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ + const BIGNUM *x, const BIGNUM *y, const BIGNUM *z, BN_CTX *ctx); int EC_POINT_get_Jprojective_coordinates_GFp(const EC_GROUP *group, - const EC_POINT *p, BIGNUM *x, BIGNUM *y, BIGNUM *z, BN_CTX *ctx); - -/** Sets the affine coordinates of a EC_POINT over GFp - * \param group underlying EC_GROUP object - * \param p EC_POINT object - * \param x BIGNUM with the x-coordinate - * \param y BIGNUM with the y-coordinate - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ + const EC_POINT *p, BIGNUM *x, BIGNUM 
*y, BIGNUM *z, BN_CTX *ctx); int EC_POINT_set_affine_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, - const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx); - -/** Gets the affine coordinates of a EC_POINT over GFp - * \param group underlying EC_GROUP object - * \param p EC_POINT object - * \param x BIGNUM for the x-coordinate - * \param y BIGNUM for the y-coordinate - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ + const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx); int EC_POINT_get_affine_coordinates_GFp(const EC_GROUP *group, - const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); - -/** Sets the x9.62 compressed coordinates of a EC_POINT over GFp - * \param group underlying EC_GROUP object - * \param p EC_POINT object - * \param x BIGNUM with x-coordinate - * \param y_bit integer with the y-Bit (either 0 or 1) - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ + const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); int EC_POINT_set_compressed_coordinates_GFp(const EC_GROUP *group, EC_POINT *p, - const BIGNUM *x, int y_bit, BN_CTX *ctx); - -#ifndef OPENSSL_NO_EC2M -/** Sets the affine coordinates of a EC_POINT over GF2m - * \param group underlying EC_GROUP object - * \param p EC_POINT object - * \param x BIGNUM with the x-coordinate - * \param y BIGNUM with the y-coordinate - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ -int EC_POINT_set_affine_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p, - const BIGNUM *x, const BIGNUM *y, BN_CTX *ctx); - -/** Gets the affine coordinates of a EC_POINT over GF2m - * \param group underlying EC_GROUP object - * \param p EC_POINT object - * \param x BIGNUM for the x-coordinate - * \param y BIGNUM for the y-coordinate - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ -int EC_POINT_get_affine_coordinates_GF2m(const EC_GROUP *group, - const 
EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx); - -/** Sets the x9.62 compressed coordinates of a EC_POINT over GF2m - * \param group underlying EC_GROUP object - * \param p EC_POINT object - * \param x BIGNUM with x-coordinate - * \param y_bit integer with the y-Bit (either 0 or 1) - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ -int EC_POINT_set_compressed_coordinates_GF2m(const EC_GROUP *group, EC_POINT *p, - const BIGNUM *x, int y_bit, BN_CTX *ctx); -#endif /* OPENSSL_NO_EC2M */ + const BIGNUM *x, int y_bit, BN_CTX *ctx); #endif /* !LIBRESSL_INTERNAL */ - -/** Encodes a EC_POINT object to a octet string - * \param group underlying EC_GROUP object - * \param p EC_POINT object - * \param form point conversion form - * \param buf memory buffer for the result. If NULL the function returns - * required buffer size. - * \param len length of the memory buffer - * \param ctx BN_CTX object (optional) - * \return the length of the encoded octet string or 0 if an error occurred - */ size_t EC_POINT_point2oct(const EC_GROUP *group, const EC_POINT *p, - point_conversion_form_t form, - unsigned char *buf, size_t len, BN_CTX *ctx); - -/** Decodes a EC_POINT from a octet string - * \param group underlying EC_GROUP object - * \param p EC_POINT object - * \param buf memory buffer with the encoded ec point - * \param len length of the encoded ec point - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ + point_conversion_form_t form, unsigned char *buf, size_t len, BN_CTX *ctx); int EC_POINT_oct2point(const EC_GROUP *group, EC_POINT *p, - const unsigned char *buf, size_t len, BN_CTX *ctx); + const unsigned char *buf, size_t len, BN_CTX *ctx); -/* other interfaces to point2oct/oct2point: */ BIGNUM *EC_POINT_point2bn(const EC_GROUP *, const EC_POINT *, - point_conversion_form_t form, BIGNUM *, BN_CTX *); -EC_POINT *EC_POINT_bn2point(const EC_GROUP *, const BIGNUM *, - EC_POINT *, BN_CTX *); 
+ point_conversion_form_t form, BIGNUM *, BN_CTX *); +EC_POINT *EC_POINT_bn2point(const EC_GROUP *, const BIGNUM *, EC_POINT *, + BN_CTX *); char *EC_POINT_point2hex(const EC_GROUP *, const EC_POINT *, - point_conversion_form_t form, BN_CTX *); -EC_POINT *EC_POINT_hex2point(const EC_GROUP *, const char *, - EC_POINT *, BN_CTX *); + point_conversion_form_t form, BN_CTX *); +EC_POINT *EC_POINT_hex2point(const EC_GROUP *, const char *, EC_POINT *, + BN_CTX *); - -/********************************************************************/ -/* functions for doing EC_POINT arithmetic */ -/********************************************************************/ - -/** Computes the sum of two EC_POINT - * \param group underlying EC_GROUP object - * \param r EC_POINT object for the result (r = a + b) - * \param a EC_POINT object with the first summand - * \param b EC_POINT object with the second summand - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ -int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx); - -/** Computes the double of a EC_POINT - * \param group underlying EC_GROUP object - * \param r EC_POINT object for the result (r = 2 * a) - * \param a EC_POINT object - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ -int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, BN_CTX *ctx); - -/** Computes the inverse of a EC_POINT - * \param group underlying EC_GROUP object - * \param a EC_POINT object to be inverted (it's used for the result as well) - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ +int EC_POINT_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, + const EC_POINT *b, BN_CTX *ctx); +int EC_POINT_dbl(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, + BN_CTX *ctx); int EC_POINT_invert(const EC_GROUP *group, EC_POINT *a, BN_CTX *ctx); - -/** Checks 
whether the point is the neutral element of the group - * \param group the underlying EC_GROUP object - * \param p EC_POINT object - * \return 1 if the point is the neutral element and 0 otherwise - */ int EC_POINT_is_at_infinity(const EC_GROUP *group, const EC_POINT *p); - -/** Checks whether the point is on the curve - * \param group underlying EC_GROUP object - * \param point EC_POINT object to check - * \param ctx BN_CTX object (optional) - * \return 1 if point if on the curve and 0 otherwise - */ -int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX *ctx); - -/** Compares two EC_POINTs - * \param group underlying EC_GROUP object - * \param a first EC_POINT object - * \param b second EC_POINT object - * \param ctx BN_CTX object (optional) - * \return 0 if both points are equal and a value != 0 otherwise - */ -int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, BN_CTX *ctx); +int EC_POINT_is_on_curve(const EC_GROUP *group, const EC_POINT *point, + BN_CTX *ctx); +int EC_POINT_cmp(const EC_GROUP *group, const EC_POINT *a, const EC_POINT *b, + BN_CTX *ctx); int EC_POINT_make_affine(const EC_GROUP *group, EC_POINT *point, BN_CTX *ctx); -int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], BN_CTX *ctx); - -/** Computes r = generator * n sum_{i=0}^num p[i] * m[i] - * \param group underlying EC_GROUP object - * \param r EC_POINT object for the result - * \param n BIGNUM with the multiplier for the group generator (optional) - * \param num number futher summands - * \param p array of size num of EC_POINT objects - * \param m array of size num of BIGNUM objects - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ -int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, size_t num, const EC_POINT *p[], const BIGNUM *m[], BN_CTX *ctx); - -/** Computes r = generator * n + q * m - * \param group underlying EC_GROUP object - * \param r 
EC_POINT object for the result - * \param n BIGNUM with the multiplier for the group generator (optional) - * \param q EC_POINT object with the first factor of the second summand - * \param m BIGNUM with the second factor of the second summand - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ -int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx); - -/** Stores multiples of generator for faster point multiplication - * \param group EC_GROUP object - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occured - */ +int EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], + BN_CTX *ctx); +int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, + size_t num, const EC_POINT *p[], const BIGNUM *m[], BN_CTX *ctx); +int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *n, + const EC_POINT *q, const BIGNUM *m, BN_CTX *ctx); int EC_GROUP_precompute_mult(EC_GROUP *group, BN_CTX *ctx); - -/** Reports whether a precomputation has been done - * \param group EC_GROUP object - * \return 1 if a pre-computation has been done and 0 otherwise - */ int EC_GROUP_have_precompute_mult(const EC_GROUP *group); - -/********************************************************************/ -/* ASN1 stuff */ -/********************************************************************/ - -/* EC_GROUP_get_basis_type() returns the NID of the basis type - * used to represent the field elements */ int EC_GROUP_get_basis_type(const EC_GROUP *); -#ifndef OPENSSL_NO_EC2M -int EC_GROUP_get_trinomial_basis(const EC_GROUP *, unsigned int *k); -int EC_GROUP_get_pentanomial_basis(const EC_GROUP *, unsigned int *k1, - unsigned int *k2, unsigned int *k3); -#endif #define OPENSSL_EC_EXPLICIT_CURVE 0x000 #define OPENSSL_EC_NAMED_CURVE 0x001 
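Review bot: The doxygen block for `EC_POINT_cmp` is removed but, unlike `EC_GROUP_cmp` earlier in this file, no one-line replacement states the return convention, and `0 == equal` is the opposite sense of the boolean-style `EC_POINT_is_on_curve` declared right above it. Keep the convention in a comment parallel to the one retained for EC_GROUP_cmp: `/* Compare two EC_POINTs. Returns 0 if both points are equal, non-zero otherwise. */`, and if a distinct error value exists, state it too. The same loss applies to the "1 if on the curve, 0 otherwise" and "1 on success, 0 on error" conventions that the removed comments carried for `EC_POINT_is_on_curve` and the arithmetic functions; one comment above the group would cover them.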
@@ -724,257 +258,62 @@ int i2d_ECPKParameters(const EC_GROUP *, unsigned char **out); (unsigned char *)(x)) #ifndef OPENSSL_NO_BIO -int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off); +int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off); #endif -int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off); - - -/********************************************************************/ -/* EC_KEY functions */ -/********************************************************************/ +int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off); typedef struct ec_key_st EC_KEY; typedef struct ec_key_method_st EC_KEY_METHOD; -/* some values for the encoding_flag */ #define EC_PKEY_NO_PARAMETERS 0x001 #define EC_PKEY_NO_PUBKEY 0x002 -/* some values for the flags field */ #define EC_FLAG_NON_FIPS_ALLOW 0x1 #define EC_FLAG_FIPS_CHECKED 0x2 #define EC_FLAG_COFACTOR_ECDH 0x1000 -/** Creates a new EC_KEY object. - * \return EC_KEY object or NULL if an error occurred. - */ EC_KEY *EC_KEY_new(void); - int EC_KEY_get_flags(const EC_KEY *key); - void EC_KEY_set_flags(EC_KEY *key, int flags); - void EC_KEY_clear_flags(EC_KEY *key, int flags); - -/** Creates a new EC_KEY object using a named curve as underlying - * EC_GROUP object. - * \param nid NID of the named curve. - * \return EC_KEY object or NULL if an error occurred. - */ EC_KEY *EC_KEY_new_by_curve_name(int nid); - -/** Frees a EC_KEY object. - * \param key EC_KEY object to be freed. - */ void EC_KEY_free(EC_KEY *key); - -/** Copies a EC_KEY object. - * \param dst destination EC_KEY object - * \param src src EC_KEY object - * \return dst or NULL if an error occurred. - */ EC_KEY *EC_KEY_copy(EC_KEY *dst, const EC_KEY *src); - -/** Creates a new EC_KEY object and copies the content from src to it. - * \param src the source EC_KEY object - * \return newly created EC_KEY object or NULL if an error occurred. 
- */ EC_KEY *EC_KEY_dup(const EC_KEY *src); - -/** Increases the internal reference count of a EC_KEY object. - * \param key EC_KEY object - * \return 1 on success and 0 if an error occurred. - */ int EC_KEY_up_ref(EC_KEY *key); -/** Returns the EC_GROUP object of a EC_KEY object - * \param key EC_KEY object - * \return the EC_GROUP object (possibly NULL). - */ const EC_GROUP *EC_KEY_get0_group(const EC_KEY *key); - -/** Sets the EC_GROUP of a EC_KEY object. - * \param key EC_KEY object - * \param group EC_GROUP to use in the EC_KEY object (note: the EC_KEY - * object will use an own copy of the EC_GROUP). - * \return 1 on success and 0 if an error occurred. - */ int EC_KEY_set_group(EC_KEY *key, const EC_GROUP *group); - -/** Returns the private key of a EC_KEY object. - * \param key EC_KEY object - * \return a BIGNUM with the private key (possibly NULL). - */ const BIGNUM *EC_KEY_get0_private_key(const EC_KEY *key); - -/** Sets the private key of a EC_KEY object. - * \param key EC_KEY object - * \param prv BIGNUM with the private key (note: the EC_KEY object - * will use an own copy of the BIGNUM). - * \return 1 on success and 0 if an error occurred. - */ int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *prv); - -/** Returns the public key of a EC_KEY object. - * \param key the EC_KEY object - * \return a EC_POINT object with the public key (possibly NULL) - */ const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key); - -/** Sets the public key of a EC_KEY object. - * \param key EC_KEY object - * \param pub EC_POINT object with the public key (note: the EC_KEY object - * will use an own copy of the EC_POINT object). - * \return 1 on success and 0 if an error occurred. 
- */ int EC_KEY_set_public_key(EC_KEY *key, const EC_POINT *pub); unsigned EC_KEY_get_enc_flags(const EC_KEY *key); void EC_KEY_set_enc_flags(EC_KEY *eckey, unsigned int flags); point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key); void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform); -/* functions to set/get method specific data */ -void *EC_KEY_get_key_method_data(EC_KEY *key, - void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); -/** Sets the key method data of an EC_KEY object, if none has yet been set. - * \param key EC_KEY object - * \param data opaque data to install. - * \param dup_func a function that duplicates |data|. - * \param free_func a function that frees |data|. - * \param clear_free_func a function that wipes and frees |data|. - * \return the previously set data pointer, or NULL if |data| was inserted. - */ -void *EC_KEY_insert_key_method_data(EC_KEY *key, void *data, - void *(*dup_func)(void *), void (*free_func)(void *), void (*clear_free_func)(void *)); -/* wrapper functions for the underlying EC_GROUP object */ + void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag); - -/** Creates a table of pre-computed multiples of the generator to - * accelerate further EC_KEY operations. - * \param key EC_KEY object - * \param ctx BN_CTX object (optional) - * \return 1 on success and 0 if an error occurred. - */ int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx); - -/** Creates a new ec private (and optional a new public) key. - * \param key EC_KEY object - * \return 1 on success and 0 if an error occurred. - */ int EC_KEY_generate_key(EC_KEY *key); - -/** Verifies that a private and/or public key is valid. - * \param key the EC_KEY object - * \return 1 on success and 0 otherwise. - */ int EC_KEY_check_key(const EC_KEY *key); - -/** Sets a public key from affine coordindates performing - * neccessary NIST PKV tests. 
- * \param key the EC_KEY object - * \param x public key x coordinate - * \param y public key y coordinate - * \return 1 on success and 0 otherwise. - */ int EC_KEY_set_public_key_affine_coordinates(EC_KEY *key, BIGNUM *x, BIGNUM *y); - -/********************************************************************/ -/* de- and encoding functions for SEC1 ECPrivateKey */ -/********************************************************************/ - -/** Decodes a private key from a memory buffer. - * \param key a pointer to a EC_KEY object which should be used (or NULL) - * \param in pointer to memory with the DER encoded private key - * \param len length of the DER encoded private key - * \return the decoded private key or NULL if an error occurred. - */ EC_KEY *d2i_ECPrivateKey(EC_KEY **key, const unsigned char **in, long len); - -/** Encodes a private key object and stores the result in a buffer. - * \param key the EC_KEY object to encode - * \param out the buffer for the result (if NULL the function returns number - * of bytes needed). - * \return 1 on success and 0 if an error occurred. - */ int i2d_ECPrivateKey(EC_KEY *key, unsigned char **out); - - -/********************************************************************/ -/* de- and encoding functions for EC parameters */ -/********************************************************************/ - -/** Decodes ec parameter from a memory buffer. - * \param key a pointer to a EC_KEY object which should be used (or NULL) - * \param in pointer to memory with the DER encoded ec parameters - * \param len length of the DER encoded ec parameters - * \return a EC_KEY object with the decoded parameters or NULL if an error - * occurred. - */ EC_KEY *d2i_ECParameters(EC_KEY **key, const unsigned char **in, long len); - -/** Encodes ec parameter and stores the result in a buffer. - * \param key the EC_KEY object with ec paramters to encode - * \param out the buffer for the result (if NULL the function returns number - * of bytes needed). 
- * \return 1 on success and 0 if an error occurred. - */ int i2d_ECParameters(EC_KEY *key, unsigned char **out); - -/********************************************************************/ -/* de- and encoding functions for EC public key */ -/* (octet string, not DER -- hence 'o2i' and 'i2o') */ -/********************************************************************/ - -/** Decodes a ec public key from a octet string. - * \param key a pointer to a EC_KEY object which should be used - * \param in memory buffer with the encoded public key - * \param len length of the encoded public key - * \return EC_KEY object with decoded public key or NULL if an error - * occurred. - */ EC_KEY *o2i_ECPublicKey(EC_KEY **key, const unsigned char **in, long len); - -/** Encodes a ec public key in an octet string. - * \param key the EC_KEY object with the public key - * \param out the buffer for the result (if NULL the function returns number - * of bytes needed). - * \return 1 on success and 0 if an error occurred - */ int i2o_ECPublicKey(const EC_KEY *key, unsigned char **out); #ifndef OPENSSL_NO_BIO -/** Prints out the ec parameters on human readable form. - * \param bp BIO object to which the information is printed - * \param key EC_KEY object - * \return 1 on success and 0 if an error occurred - */ -int ECParameters_print(BIO *bp, const EC_KEY *key); - -/** Prints out the contents of a EC_KEY object - * \param bp BIO object to which the information is printed - * \param key EC_KEY object - * \param off line offset - * \return 1 on success and 0 if an error occurred - */ -int EC_KEY_print(BIO *bp, const EC_KEY *key, int off); - +int ECParameters_print(BIO *bp, const EC_KEY *key); +int EC_KEY_print(BIO *bp, const EC_KEY *key, int off); #endif -/** Prints out the ec parameters on human readable form. 
- * \param fp file descriptor to which the information is printed - * \param key EC_KEY object - * \return 1 on success and 0 if an error occurred - */ -int ECParameters_print_fp(FILE *fp, const EC_KEY *key); - -/** Prints out the contents of a EC_KEY object - * \param fp file descriptor to which the information is printed - * \param key EC_KEY object - * \param off line offset - * \return 1 on success and 0 if an error occurred - */ -int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int off); +int ECParameters_print_fp(FILE *fp, const EC_KEY *key); +int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int off); #define EC_KEY_get_ex_new_index(l, p, newf, dupf, freef) \ CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_EC_KEY, l, p, newf, dupf, freef) @@ -1116,10 +455,6 @@ EC_KEY *ECParameters_dup(EC_KEY *key); #define EVP_PKEY_ECDH_KDF_NONE 1 #define EVP_PKEY_ECDH_KDF_X9_63 2 -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_EC_strings(void); /* Error codes for the EC functions. */ @@ -1293,6 +628,8 @@ void ERR_load_EC_strings(void); #define EC_R_INVALID_FIELD 103 #define EC_R_INVALID_FORM 104 #define EC_R_INVALID_GROUP_ORDER 122 +#define EC_R_INVALID_KEY 165 +#define EC_R_INVALID_PEER_KEY 152 #define EC_R_INVALID_PENTANOMIAL_BASIS 132 #define EC_R_INVALID_PRIVATE_KEY 123 #define EC_R_INVALID_TRINOMIAL_BASIS 137 diff --git a/include/openssl/ecdh.h b/include/openssl/ecdh.h index ccc1312..98cc222 100644 --- a/include/openssl/ecdh.h +++ b/include/openssl/ecdh.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ecdh.h,v 1.5 2015/09/13 12:03:07 jsing Exp $ */ +/* $OpenBSD: ecdh.h,v 1.7 2023/04/18 08:33:43 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * 
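Review bot: Stripping the doxygen from the EC_KEY setters in this hunk also removes the only in-header statement of which setter validates the supplied point: the removed block on `EC_KEY_set_public_key_affine_coordinates` said it performs the NIST public-key validation tests, while `EC_KEY_set_public_key` was documented only as storing a copy of the EC_POINT. Callers importing a peer's point choose between these two, and a point on an invalid curve that is accepted silently is the classic ECDH key-recovery vector, so one line per setter is worth keeping, e.g. `/* Stores a copy of pub; call EC_KEY_check_key() before using it. */` above `EC_KEY_set_public_key` and `/* Sets the public key from affine coordinates and validates the point. */` above the affine variant — to be confirmed against the implementations, which are not in this diff. The same hunk drops `EC_KEY_get_key_method_data`/`EC_KEY_insert_key_method_data` and `EC_GROUP_get_trinomial_basis`/`EC_GROUP_get_pentanomial_basis` from the public header, which is a compile-time break for any downstream still calling them and should be named in the change description.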
@@ -77,9 +77,7 @@ #include #include -#ifndef OPENSSL_NO_DEPRECATED #include -#endif #ifdef __cplusplus extern "C" { @@ -102,10 +100,6 @@ int ECDH_set_ex_data(EC_KEY *d, int idx, void *arg); void *ECDH_get_ex_data(EC_KEY *d, int idx); -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_ECDH_strings(void); /* Error codes for the ECDH functions. */ diff --git a/include/openssl/ecdsa.h b/include/openssl/ecdsa.h index eccca65..6139dba 100644 --- a/include/openssl/ecdsa.h +++ b/include/openssl/ecdsa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ecdsa.h,v 1.11 2022/01/14 08:31:03 tb Exp $ */ +/* $OpenBSD: ecdsa.h,v 1.15 2023/04/18 08:47:28 tb Exp $ */ /** * \file crypto/ecdsa/ecdsa.h Include file for the OpenSSL ECDSA functions * \author Written by Nils Larsch for the OpenSSL project @@ -65,11 +65,10 @@ #error ECDSA is disabled. #endif -#include -#include -#ifndef OPENSSL_NO_DEPRECATED #include -#endif +#include + +#include #ifdef __cplusplus extern "C" { @@ -156,7 +155,7 @@ ECDSA_SIG *ECDSA_do_sign(const unsigned char *dgst, int dgst_len, * \param dgst pointer to the hash value to sign * \param dgstlen length of the hash value * \param kinv BIGNUM with a pre-computed inverse k (optional) - * \param rp BIGNUM with a pre-computed rp value (optioanl), + * \param rp BIGNUM with a pre-computed rp value (optional), * see ECDSA_sign_setup * \param eckey EC_KEY object containing a private EC key * \return pointer to a ECDSA_SIG structure or NULL if an error occurred 
@@ -233,7 +232,7 @@ int ECDSA_sign(int type, const unsigned char *dgst, int dgstlen, * \param sig buffer to hold the DER encoded signature * \param siglen pointer to the length of the returned signature * \param kinv BIGNUM with a pre-computed inverse k (optional) - * \param rp BIGNUM with a pre-computed rp value (optioanl), + * \param rp BIGNUM with a pre-computed rp value (optional), * see ECDSA_sign_setup * \param eckey EC_KEY object containing a private EC key * \return 1 on success and 0 otherwise @@ -293,11 +292,6 @@ void EC_KEY_METHOD_get_verify(const EC_KEY_METHOD *meth, int (**pverify_sig)(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey)); - -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_ECDSA_strings(void); /* Error codes for the ECDSA functions. */ diff --git a/include/openssl/engine.h b/include/openssl/engine.h index dc14be8..0c620ba 100644 --- a/include/openssl/engine.h +++ b/include/openssl/engine.h @@ -1,4 +1,4 @@ -/* $OpenBSD: engine.h,v 1.33 2019/01/19 01:07:00 tb Exp $ */ +/* $OpenBSD: engine.h,v 1.38 2023/04/18 09:10:44 tb Exp $ */ /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL * project 2000. */ @@ -70,16 +70,15 @@ #error ENGINE is disabled. #endif -#ifndef OPENSSL_NO_DEPRECATED #include -#ifndef OPENSSL_NO_RSA -#include +#ifndef OPENSSL_NO_DH +#include #endif #ifndef OPENSSL_NO_DSA #include #endif -#ifndef OPENSSL_NO_DH -#include +#ifndef OPENSSL_NO_EC +#include #endif #ifndef OPENSSL_NO_ECDH #include @@ -87,17 +86,15 @@ #ifndef OPENSSL_NO_ECDSA #include #endif -#ifndef OPENSSL_NO_EC -#include +#include +#ifndef OPENSSL_NO_RSA +#include #endif #include -#include -#endif +#include #include -#include - #ifdef __cplusplus extern "C" { #endif 
@@ -631,7 +628,7 @@ typedef struct st_dynamic_MEM_fns {
 dyn_MEM_free_cb free_cb;
 } dynamic_MEM_fns;
 /* FIXME: Perhaps the memory and locking code (crypto.h) should declare and use
- * these types so we (and any other dependant code) can simplify a bit?? */
+ * these types so we (and any other dependent code) can simplify a bit?? */
 typedef void (*dyn_lock_locking_cb)(int, int, const char *, int);
 typedef int (*dyn_lock_add_lock_cb)(int*, int, int, const char *, int);
 typedef struct CRYPTO_dynlock_value *(*dyn_dynlock_create_cb)(
@@ -716,10 +713,6 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id,
 * values. */
 void *ENGINE_get_static_state(void);
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
 void ERR_load_ENGINE_strings(void);
 /* Error codes for the ENGINE functions. */
diff --git a/include/openssl/err.h b/include/openssl/err.h
index 20fa908..b61599d 100644
--- a/include/openssl/err.h
+++ b/include/openssl/err.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: err.h,v 1.26 2021/11/24 01:12:43 beck Exp $ */
+/* $OpenBSD: err.h,v 1.29 2023/04/09 19:10:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -197,6 +197,7 @@ typedef struct err_state_st {
 #define ERR_LIB_JPAKE 49
 #define ERR_LIB_GOST 50
 #define ERR_LIB_CT 51
+#define ERR_LIB_KDF 52
 #define ERR_LIB_USER 128
@@ -236,6 +237,7 @@ typedef struct err_state_st {
 #define GOSTerr(f,r) ERR_PUT_error(ERR_LIB_GOST,(f),(r),__FILE__,__LINE__)
 #define SSLerr(f,r) ERR_PUT_error(ERR_LIB_SSL,(f),(r),__FILE__,__LINE__)
 #define CTerr(f, r) ERR_PUT_error(ERR_LIB_CT,(f),(r),__FILE__,__LINE__)
+#define KDFerr(f, r) ERR_PUT_error(ERR_LIB_KDF,(f),(r),__FILE__,__LINE__)
 #endif
 #ifdef LIBRESSL_INTERNAL
@@ -273,6 +275,7 @@ typedef struct err_state_st { #define JPAKEerror(r) ERR_PUT_error(ERR_LIB_JPAKE,(0xfff),(r),__FILE__,__LINE__) #define GOSTerror(r) ERR_PUT_error(ERR_LIB_GOST,(0xfff),(r),__FILE__,__LINE__) #define CTerror(r) ERR_PUT_error(ERR_LIB_CT,(0xfff),(r),__FILE__,__LINE__) +#define KDFerror(r) ERR_PUT_error(ERR_LIB_KDF,(0xfff),(r),__FILE__,__LINE__) #endif #define ERR_PACK(l,f,r) (((((unsigned long)l)&0xffL)<<24L)| \ @@ -343,11 +346,11 @@ typedef struct err_state_st { #define ERR_R_PASSED_NULL_PARAMETER (3|ERR_R_FATAL) #define ERR_R_INTERNAL_ERROR (4|ERR_R_FATAL) #define ERR_R_DISABLED (5|ERR_R_FATAL) +#define ERR_R_INIT_FAIL (6|ERR_R_FATAL) /* 99 is the maximum possible ERR_R_... code, higher values * are reserved for the individual libraries */ - typedef struct ERR_string_data_st { unsigned long error; const char *string; @@ -392,9 +395,8 @@ void ERR_load_crypto_strings(void); void ERR_free_strings(void); void ERR_remove_thread_state(const CRYPTO_THREADID *tid); -#ifndef OPENSSL_NO_DEPRECATED -void ERR_remove_state(unsigned long pid); /* if zero we look it up */ -#endif +/* Wrapped in OPENSSL_NO_DEPRECATED in 0.9.8. Still used in 2023. */ +void ERR_remove_state(unsigned long pid); ERR_STATE *ERR_get_state(void); #ifndef OPENSSL_NO_LHASH diff --git a/include/openssl/evp.h b/include/openssl/evp.h index a80cf18..fa1a98d 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: evp.h,v 1.99 2022/01/14 08:38:05 tb Exp $ */ +/* $OpenBSD: evp.h,v 1.118 2023/04/25 18:39:12 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -97,23 +97,26 @@ #define EVP_PKS_EC 0x0400 #define EVP_PKT_EXP 0x1000 /* <= 512 bit key */ -#define EVP_PKEY_NONE NID_undef -#define EVP_PKEY_RSA NID_rsaEncryption -#define EVP_PKEY_RSA_PSS NID_rsassaPss -#define EVP_PKEY_RSA2 NID_rsa -#define EVP_PKEY_DSA NID_dsa -#define EVP_PKEY_DSA1 NID_dsa_2 -#define EVP_PKEY_DSA2 NID_dsaWithSHA -#define EVP_PKEY_DSA3 NID_dsaWithSHA1 -#define EVP_PKEY_DSA4 NID_dsaWithSHA1_2 -#define EVP_PKEY_DH NID_dhKeyAgreement -#define EVP_PKEY_EC NID_X9_62_id_ecPublicKey -#define EVP_PKEY_GOSTR01 NID_id_GostR3410_2001 -#define EVP_PKEY_GOSTIMIT NID_id_Gost28147_89_MAC -#define EVP_PKEY_HMAC NID_hmac -#define EVP_PKEY_CMAC NID_cmac -#define EVP_PKEY_GOSTR12_256 NID_id_tc26_gost3410_2012_256 -#define EVP_PKEY_GOSTR12_512 NID_id_tc26_gost3410_2012_512 +#define EVP_PKEY_NONE NID_undef +#define EVP_PKEY_RSA NID_rsaEncryption +#define EVP_PKEY_RSA_PSS NID_rsassaPss +#define EVP_PKEY_RSA2 NID_rsa +#define EVP_PKEY_DSA NID_dsa +#define EVP_PKEY_DSA1 NID_dsa_2 +#define EVP_PKEY_DSA2 NID_dsaWithSHA +#define EVP_PKEY_DSA3 NID_dsaWithSHA1 +#define EVP_PKEY_DSA4 NID_dsaWithSHA1_2 +#define EVP_PKEY_DH NID_dhKeyAgreement +#define EVP_PKEY_EC NID_X9_62_id_ecPublicKey +#define EVP_PKEY_GOSTR01 NID_id_GostR3410_2001 +#define EVP_PKEY_GOSTIMIT NID_id_Gost28147_89_MAC +#define EVP_PKEY_HMAC NID_hmac +#define EVP_PKEY_CMAC NID_cmac +#define EVP_PKEY_HKDF NID_hkdf +#define EVP_PKEY_GOSTR12_256 NID_id_tc26_gost3410_2012_256 +#define EVP_PKEY_GOSTR12_512 NID_id_tc26_gost3410_2012_512 +#define EVP_PKEY_ED25519 NID_ED25519 +#define EVP_PKEY_X25519 NID_X25519 #ifdef __cplusplus extern "C" { @@ -180,7 +183,6 @@ extern "C" { */ #define EVP_MD_CTX_FLAG_PAD_MASK 0xF0 /* RSA mode to use */ #define EVP_MD_CTX_FLAG_PAD_PKCS1 0x00 /* PKCS#1 v1.5 mode */ -#define EVP_MD_CTX_FLAG_PAD_X931 0x10 /* X9.31 mode */ #define EVP_MD_CTX_FLAG_PAD_PSS 0x20 /* PSS mode */ #define EVP_MD_CTX_FLAG_NO_INIT 0x0100 /* Don't initialize md_data */ 
@@ -250,10 +252,11 @@ extern "C" { #define EVP_CTRL_AEAD_SET_IVLEN 0x9 #define EVP_CTRL_AEAD_GET_TAG 0x10 #define EVP_CTRL_AEAD_SET_TAG 0x11 +#define EVP_CTRL_AEAD_SET_IV_FIXED 0x12 #define EVP_CTRL_GCM_SET_IVLEN EVP_CTRL_AEAD_SET_IVLEN #define EVP_CTRL_GCM_GET_TAG EVP_CTRL_AEAD_GET_TAG #define EVP_CTRL_GCM_SET_TAG EVP_CTRL_AEAD_SET_TAG -#define EVP_CTRL_GCM_SET_IV_FIXED 0x12 +#define EVP_CTRL_GCM_SET_IV_FIXED EVP_CTRL_AEAD_SET_IV_FIXED #define EVP_CTRL_GCM_IV_GEN 0x13 #define EVP_CTRL_CCM_SET_IVLEN EVP_CTRL_AEAD_SET_IVLEN #define EVP_CTRL_CCM_GET_TAG EVP_CTRL_AEAD_GET_TAG @@ -280,6 +283,27 @@ extern "C" { /* Length of tag for TLS */ #define EVP_GCM_TLS_TAG_LEN 16 +/* CCM TLS constants */ +/* Length of fixed part of IV derived from PRF */ +#define EVP_CCM_TLS_FIXED_IV_LEN 4 +/* Length of explicit part of IV part of TLS records */ +#define EVP_CCM_TLS_EXPLICIT_IV_LEN 8 +/* Total length of CCM IV length for TLS */ +#define EVP_CCM_TLS_IV_LEN 12 +/* Length of tag for TLS */ +#define EVP_CCM_TLS_TAG_LEN 16 +/* Length of CCM8 tag for TLS */ +#define EVP_CCM8_TLS_TAG_LEN 8 + +/* Length of tag for TLS */ +#define EVP_CHACHAPOLY_TLS_TAG_LEN 16 + +/* XXX - do we want to expose these? */ +#if defined(LIBRESSL_INTERNAL) +#define ED25519_KEYLEN 32 +#define X25519_KEYLEN 32 +#endif + typedef struct evp_cipher_info_st { const EVP_CIPHER *cipher; unsigned char iv[EVP_MAX_IV_LENGTH]; 
@@ -382,6 +406,37 @@ unsigned char *EVP_CIPHER_CTX_buf_noconst(EVP_CIPHER_CTX *ctx); unsigned long EVP_CIPHER_CTX_flags(const EVP_CIPHER_CTX *ctx); #define EVP_CIPHER_CTX_mode(e) (EVP_CIPHER_CTX_flags(e) & EVP_CIPH_MODE) +EVP_CIPHER *EVP_CIPHER_meth_new(int cipher_type, int block_size, int key_len); +EVP_CIPHER *EVP_CIPHER_meth_dup(const EVP_CIPHER *cipher); +void EVP_CIPHER_meth_free(EVP_CIPHER *cipher); + +int EVP_CIPHER_meth_set_iv_length(EVP_CIPHER *cipher, int iv_len); +int EVP_CIPHER_meth_set_flags(EVP_CIPHER *cipher, unsigned long flags); +int EVP_CIPHER_meth_set_impl_ctx_size(EVP_CIPHER *cipher, int ctx_size); +int EVP_CIPHER_meth_set_init(EVP_CIPHER *cipher, + int (*init)(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc)); +int EVP_CIPHER_meth_set_do_cipher(EVP_CIPHER *cipher, + int (*do_cipher)(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl)); +int EVP_CIPHER_meth_set_cleanup(EVP_CIPHER *cipher, + int (*cleanup)(EVP_CIPHER_CTX *)); +int EVP_CIPHER_meth_set_set_asn1_params(EVP_CIPHER *cipher, + int (*set_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *)); +int EVP_CIPHER_meth_set_get_asn1_params(EVP_CIPHER *cipher, + int (*get_asn1_parameters)(EVP_CIPHER_CTX *, ASN1_TYPE *)); +int EVP_CIPHER_meth_set_ctrl(EVP_CIPHER *cipher, + int (*ctrl)(EVP_CIPHER_CTX *, int type, int arg, void *ptr)); + +EVP_PKEY *EVP_PKEY_new_raw_private_key(int type, ENGINE *engine, + const unsigned char *private_key, size_t len); +EVP_PKEY *EVP_PKEY_new_raw_public_key(int type, ENGINE *engine, + const unsigned char *public_key, size_t len); +int EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, + unsigned char *out_private_key, size_t *out_len); +int EVP_PKEY_get_raw_public_key(const EVP_PKEY *pkey, + unsigned char *out_public_key, size_t *out_len); + #define EVP_ENCODE_LENGTH(l) (((l+2)/3*4)+(l/48+1)*2+80) #define EVP_DECODE_LENGTH(l) ((l+3)/4*3+80) 
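Review bot: The new `EVP_PKEY_get_raw_private_key` and `EVP_PKEY_get_raw_public_key` declarations leave the `out_len` contract undocumented, and that contract is exactly where a caller overruns `out_private_key`: the header should say whether `*out_len` is the buffer size on entry and the bytes written on return, and whether a NULL output buffer only queries the required length. A comment above the pair along the lines of `/* *out_len: size of the output buffer on entry, bytes written on return; pass a NULL buffer to query the required length. */` would do, adjusted to whatever the implementation (not in this diff) actually does. `EVP_PKEY_new_raw_private_key` likewise takes an `int type` and a `len` with no statement of which key types are accepted, and since `ED25519_KEYLEN`/`X25519_KEYLEN` in the hunk above are fenced behind `LIBRESSL_INTERNAL`, external callers must hard-code 32 — either document the accepted types and lengths here or expose those constants.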
@@ -565,6 +620,14 @@ const EVP_MD *EVP_sha256(void); #ifndef OPENSSL_NO_SHA512 const EVP_MD *EVP_sha384(void); const EVP_MD *EVP_sha512(void); +const EVP_MD *EVP_sha512_224(void); +const EVP_MD *EVP_sha512_256(void); +#endif +#ifndef OPENSSL_NO_SHA3 +const EVP_MD *EVP_sha3_224(void); +const EVP_MD *EVP_sha3_256(void); +const EVP_MD *EVP_sha3_384(void); +const EVP_MD *EVP_sha3_512(void); #endif #ifndef OPENSSL_NO_SM3 const EVP_MD *EVP_sm3(void); @@ -679,6 +742,9 @@ const EVP_CIPHER *EVP_aes_256_ccm(void); const EVP_CIPHER *EVP_aes_256_gcm(void); const EVP_CIPHER *EVP_aes_256_wrap(void); const EVP_CIPHER *EVP_aes_256_xts(void); +#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) +const EVP_CIPHER *EVP_chacha20_poly1305(void); +#endif #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void); const EVP_CIPHER *EVP_aes_256_cbc_hmac_sha1(void); @@ -768,6 +834,7 @@ int EVP_PKEY_type(int type); int EVP_PKEY_id(const EVP_PKEY *pkey); int EVP_PKEY_base_id(const EVP_PKEY *pkey); int EVP_PKEY_bits(const EVP_PKEY *pkey); +int EVP_PKEY_security_bits(const EVP_PKEY *pkey); int EVP_PKEY_size(const EVP_PKEY *pkey); int EVP_PKEY_set_type(EVP_PKEY *pkey, int type); int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len); @@ -930,6 +997,8 @@ void EVP_PKEY_asn1_set_free(EVP_PKEY_ASN1_METHOD *ameth, void (*pkey_free)(EVP_PKEY *pkey)); void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth, int (*pkey_ctrl)(EVP_PKEY *pkey, int op, long arg1, void *arg2)); +void EVP_PKEY_asn1_set_security_bits(EVP_PKEY_ASN1_METHOD *ameth, + int (*pkey_security_bits)(const EVP_PKEY *pkey)); void EVP_PKEY_asn1_set_check(EVP_PKEY_ASN1_METHOD *ameth, int (*pkey_check)(const EVP_PKEY *pk)); 
@@ -1258,10 +1327,6 @@ int EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, unsigned char *out, void EVP_add_alg_module(void); -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_EVP_strings(void); /* Error codes for the EVP functions. */ @@ -1395,6 +1460,7 @@ void ERR_load_EVP_strings(void); #define EVP_R_EXPECTING_A_ECDSA_KEY 141 #define EVP_R_EXPECTING_A_EC_KEY 142 #define EVP_R_FIPS_MODE_NOT_SUPPORTED 167 +#define EVP_R_GET_RAW_KEY_FAILED 182 #define EVP_R_INITIALIZATION_ERROR 134 #define EVP_R_INPUT_NOT_INITIALIZED 111 #define EVP_R_INVALID_DIGEST 152 @@ -1416,6 +1482,7 @@ void ERR_load_EVP_strings(void); #define EVP_R_NO_OPERATION_SET 149 #define EVP_R_NO_SIGN_FUNCTION_CONFIGURED 104 #define EVP_R_NO_VERIFY_FUNCTION_CONFIGURED 105 +#define EVP_R_ONLY_ONESHOT_SUPPORTED 177 #define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 #define EVP_R_OPERATON_NOT_INITIALIZED 151 #define EVP_R_OUTPUT_ALIASES_INPUT 172 diff --git a/include/openssl/gost.h b/include/openssl/gost.h index 092f96f..c7d9d25 100644 --- a/include/openssl/gost.h +++ b/include/openssl/gost.h @@ -1,4 +1,4 @@ -/* $OpenBSD: gost.h,v 1.3 2016/09/04 17:02:31 jsing Exp $ */ +/* $OpenBSD: gost.h,v 1.4 2022/07/12 14:42:49 kn Exp $ */ /* * Copyright (c) 2014 Dmitry Eremin-Solenikov * Copyright (c) 2005-2006 Cryptocom LTD @@ -199,10 +199,6 @@ size_t GOST_KEY_get_size(const GOST_KEY * r); #define GOST_SIG_FORMAT_SR_BE 0 #define GOST_SIG_FORMAT_RS_LE 1 -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_GOST_strings(void); /* Error codes for the GOST functions. */ diff --git a/include/openssl/hmac.h b/include/openssl/hmac.h index ff01ae2..1ce3652 100644 --- a/include/openssl/hmac.h +++ b/include/openssl/hmac.h 
@@ -1,4 +1,4 @@
-/* $OpenBSD: hmac.h,v 1.16 2022/01/14 08:06:03 tb Exp $ */
+/* $OpenBSD: hmac.h,v 1.17 2023/04/25 15:48:48 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -66,7 +66,7 @@
 #include
-#define HMAC_MAX_MD_CBLOCK 128 /* largest known is SHA512 */
+#define HMAC_MAX_MD_CBLOCK 144 /* largest known is SHA3-224 */
 #ifdef __cplusplus
 extern "C" {
diff --git a/crypto/x509/pcy_data.c b/include/openssl/kdf.h
similarity index 51%
rename from crypto/x509/pcy_data.c
rename to include/openssl/kdf.h
index dadacb5..f823bf9 100644
--- a/crypto/x509/pcy_data.c
+++ b/include/openssl/kdf.h
@@ -1,9 +1,10 @@
-/* $OpenBSD: pcy_data.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * project 2004.
+/* $OpenBSD: kdf.h,v 1.8 2022/07/12 14:42:49 kn Exp $ */
+/*
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project.
  */
 /* ====================================================================
- * Copyright (c) 2004 The OpenSSL Project. All rights reserved.
+ * Copyright (c) 2016-2018 The OpenSSL Project. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
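Review bot: The bump of `HMAC_MAX_MD_CBLOCK` from 128 to 144 in the `@@ -66,7 +66,7 @@` hmac.h hunk resizes every array dimensioned by this constant, so if HMAC_CTX is still laid out in this header with a `key[HMAC_MAX_MD_CBLOCK]` member (its definition is not in the diff), sizeof(HMAC_CTX) changes and a consumer built against the old header that embeds or stack-allocates a context would overrun it when run against a library built from this one. Please confirm HMAC_CTX is opaque in this version and only reachable through HMAC_CTX_new(), or treat the change as a shared-library version bump. The comment would also read better if it named the quantity, e.g. `#define HMAC_MAX_MD_CBLOCK 144 /* largest known is SHA3-224 (rate 144 bytes) */`.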
@@ -49,81 +50,62 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * */ -#include -#include +#ifndef HEADER_KDF_H +# define HEADER_KDF_H -#include "pcy_int.h" +#ifdef __cplusplus +extern "C" { +#endif -/* Policy Node routines */ +# define EVP_PKEY_CTRL_HKDF_MD (EVP_PKEY_ALG_CTRL + 3) +# define EVP_PKEY_CTRL_HKDF_SALT (EVP_PKEY_ALG_CTRL + 4) +# define EVP_PKEY_CTRL_HKDF_KEY (EVP_PKEY_ALG_CTRL + 5) +# define EVP_PKEY_CTRL_HKDF_INFO (EVP_PKEY_ALG_CTRL + 6) +# define EVP_PKEY_CTRL_HKDF_MODE (EVP_PKEY_ALG_CTRL + 7) -void -policy_data_free(X509_POLICY_DATA *data) -{ - ASN1_OBJECT_free(data->valid_policy); - /* Don't free qualifiers if shared */ - if (!(data->flags & POLICY_DATA_FLAG_SHARED_QUALIFIERS)) - sk_POLICYQUALINFO_pop_free(data->qualifier_set, - POLICYQUALINFO_free); - sk_ASN1_OBJECT_pop_free(data->expected_policy_set, ASN1_OBJECT_free); - free(data); -} +# define EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND 0 +# define EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY 1 +# define EVP_PKEY_HKDEF_MODE_EXPAND_ONLY 2 -/* Create a data based on an existing policy. If 'id' is NULL use the - * oid in the policy, otherwise use 'id'. This behaviour covers the two - * types of data in RFC3280: data with from a CertificatePolcies extension - * and additional data with just the qualifiers of anyPolicy and ID from - * another source. 
+# define EVP_PKEY_CTX_set_hkdf_md(pctx, md) \ + EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE, \ + EVP_PKEY_CTRL_HKDF_MD, 0, (void *)(md)) + +# define EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, saltlen) \ + EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE, \ + EVP_PKEY_CTRL_HKDF_SALT, saltlen, (void *)(salt)) + +# define EVP_PKEY_CTX_set1_hkdf_key(pctx, key, keylen) \ + EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE, \ + EVP_PKEY_CTRL_HKDF_KEY, keylen, (void *)(key)) + +# define EVP_PKEY_CTX_add1_hkdf_info(pctx, info, infolen) \ + EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE, \ + EVP_PKEY_CTRL_HKDF_INFO, infolen, (void *)(info)) + +# define EVP_PKEY_CTX_hkdf_mode(pctx, mode) \ + EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE, \ + EVP_PKEY_CTRL_HKDF_MODE, mode, NULL) + +int ERR_load_KDF_strings(void); + +/* + * KDF function codes. */ +# define KDF_F_PKEY_HKDF_CTRL_STR 103 +# define KDF_F_PKEY_HKDF_DERIVE 102 +# define KDF_F_PKEY_HKDF_INIT 108 -X509_POLICY_DATA * -policy_data_new(POLICYINFO *policy, const ASN1_OBJECT *cid, int crit) -{ - X509_POLICY_DATA *ret = NULL; - ASN1_OBJECT *id = NULL; +/* + * KDF reason codes. 
+ */ +# define KDF_R_MISSING_KEY 104 +# define KDF_R_MISSING_MESSAGE_DIGEST 105 +# define KDF_R_UNKNOWN_PARAMETER_TYPE 103 - if (policy == NULL && cid == NULL) - return NULL; - if (cid != NULL) { - id = OBJ_dup(cid); - if (id == NULL) - return NULL; - } - ret = malloc(sizeof(X509_POLICY_DATA)); - if (ret == NULL) - goto err; - ret->expected_policy_set = sk_ASN1_OBJECT_new_null(); - if (ret->expected_policy_set == NULL) - goto err; - - if (crit) - ret->flags = POLICY_DATA_FLAG_CRITICAL; - else - ret->flags = 0; - - if (id != NULL) - ret->valid_policy = id; - else { - ret->valid_policy = policy->policyid; - policy->policyid = NULL; - } - - if (policy != NULL) { - ret->qualifier_set = policy->qualifiers; - policy->qualifiers = NULL; - } else - ret->qualifier_set = NULL; - - return ret; - -err: - free(ret); - ASN1_OBJECT_free(id); - return NULL; +# ifdef __cplusplus } +# endif +#endif diff --git a/include/openssl/modes.h b/include/openssl/modes.h index 67ec751..44d8326 100644 --- a/include/openssl/modes.h +++ b/include/openssl/modes.h @@ -1,4 +1,4 @@ -/* $OpenBSD: modes.h,v 1.3 2018/07/24 10:47:19 bcook Exp $ */ +/* $OpenBSD: modes.h,v 1.5 2023/04/25 17:54:10 tb Exp $ */ /* ==================================================================== * Copyright (c) 2008 The OpenSSL Project. All rights reserved. * 
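Review bot: The new kdf.h is not self-contained: the `EVP_PKEY_CTX_set_hkdf_md` family of macros expands to `EVP_PKEY_CTX_ctrl`, `EVP_PKEY_OP_DERIVE` and `EVP_PKEY_ALG_CTRL`, yet nothing is included after the guard (the only `#include` lines in this hunk are the removed pcy_data.c ones), so a translation unit that includes only <openssl/kdf.h> fails to compile unless evp.h happened to come first. Add `#include <openssl/evp.h>` directly under `# define HEADER_KDF_H`. The `EVP_PKEY_HKDEF_MODE_*` spelling is the one OpenSSL's kdf.h uses and must stay for source compatibility, so a note such as `/* HKDEF (sic): spelling kept for OpenSSL compatibility */` will stop a later "fix". The `(void *)(key)` and `(void *)(salt)` casts discard const on material the caller owns; if the ctrl copies the buffer, as the `set1` naming suggests, one comment saying the caller's buffer is copied and may be wiped afterwards lets users zeroise their IKM promptly.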
@@ -63,32 +63,6 @@ void CRYPTO_cfb128_1_encrypt(const unsigned char *in, unsigned char *out,
 unsigned char ivec[16], int *num,
 int enc, block128_f block);
-size_t CRYPTO_cts128_encrypt_block(const unsigned char *in, unsigned char *out,
- size_t len, const void *key,
- unsigned char ivec[16], block128_f block);
-size_t CRYPTO_cts128_encrypt(const unsigned char *in, unsigned char *out,
- size_t len, const void *key,
- unsigned char ivec[16], cbc128_f cbc);
-size_t CRYPTO_cts128_decrypt_block(const unsigned char *in, unsigned char *out,
- size_t len, const void *key,
- unsigned char ivec[16], block128_f block);
-size_t CRYPTO_cts128_decrypt(const unsigned char *in, unsigned char *out,
- size_t len, const void *key,
- unsigned char ivec[16], cbc128_f cbc);
-
-size_t CRYPTO_nistcts128_encrypt_block(const unsigned char *in, unsigned char *out,
- size_t len, const void *key,
- unsigned char ivec[16], block128_f block);
-size_t CRYPTO_nistcts128_encrypt(const unsigned char *in, unsigned char *out,
- size_t len, const void *key,
- unsigned char ivec[16], cbc128_f cbc);
-size_t CRYPTO_nistcts128_decrypt_block(const unsigned char *in, unsigned char *out,
- size_t len, const void *key,
- unsigned char ivec[16], block128_f block);
-size_t CRYPTO_nistcts128_decrypt(const unsigned char *in, unsigned char *out,
- size_t len, const void *key,
- unsigned char ivec[16], cbc128_f cbc);
-
 typedef struct gcm128_context GCM128_CONTEXT;
 GCM128_CONTEXT *CRYPTO_gcm128_new(void *key, block128_f block);
diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h
index 5da2b5d..51cd083 100644
--- a/include/openssl/obj_mac.h
+++ b/include/openssl/obj_mac.h
@@ -620,6 +620,16 @@
 #define NID_sha224WithRSAEncryption 671
 #define OBJ_sha224WithRSAEncryption OBJ_pkcs1,14L
+#define SN_sha512_224WithRSAEncryption "RSA-SHA512/224"
+#define LN_sha512_224WithRSAEncryption "sha512-224WithRSAEncryption"
+#define NID_sha512_224WithRSAEncryption 1025
+#define OBJ_sha512_224WithRSAEncryption OBJ_pkcs1,15L
+
+#define SN_sha512_256WithRSAEncryption "RSA-SHA512/256"
+#define LN_sha512_256WithRSAEncryption "sha512-256WithRSAEncryption"
+#define NID_sha512_256WithRSAEncryption 1026
+#define OBJ_sha512_256WithRSAEncryption OBJ_pkcs1,16L
+
 #define SN_pkcs3 "pkcs3"
 #define NID_pkcs3 27
 #define OBJ_pkcs3 OBJ_pkcs,3L
@@ -885,6 +895,10 @@
 #define NID_id_ct_ASPA 1017
 #define OBJ_id_ct_ASPA OBJ_id_smime_ct,49L
+#define SN_id_ct_signedTAL "id-ct-signedTAL"
+#define NID_id_ct_signedTAL 1024
+#define OBJ_id_ct_signedTAL OBJ_id_smime_ct,50L
+
 #define SN_id_smime_aa_receiptRequest "id-smime-aa-receiptRequest"
 #define NID_id_smime_aa_receiptRequest 212
 #define OBJ_id_smime_aa_receiptRequest OBJ_id_smime_aa,1L
@@ -1001,6 +1015,10 @@
 #define NID_id_smime_aa_dvcs_dvc 240
 #define OBJ_id_smime_aa_dvcs_dvc OBJ_id_smime_aa,29L
+#define SN_id_smime_aa_signingCertificateV2 "id-smime-aa-signingCertificateV2"
+#define NID_id_smime_aa_signingCertificateV2 1023
+#define OBJ_id_smime_aa_signingCertificateV2 OBJ_id_smime_aa,47L
+
 #define SN_id_smime_alg_ESDHwith3DES "id-smime-alg-ESDHwith3DES"
 #define NID_id_smime_alg_ESDHwith3DES 241
 #define OBJ_id_smime_alg_ESDHwith3DES OBJ_id_smime_alg,1L
@@ -1208,6 +1226,14 @@
 #define NID_hmacWithSHA512 801
 #define OBJ_hmacWithSHA512 OBJ_rsadsi,2L,11L
+#define LN_hmacWithSHA512_224 "hmacWithSHA512-224"
+#define NID_hmacWithSHA512_224 1027
+#define OBJ_hmacWithSHA512_224 OBJ_rsadsi,2L,12L
+
+#define LN_hmacWithSHA512_256 "hmacWithSHA512-256"
+#define NID_hmacWithSHA512_256 1028
+#define OBJ_hmacWithSHA512_256 OBJ_rsadsi,2L,13L
+
 #define SN_rc2_cbc "RC2-CBC"
 #define LN_rc2_cbc "rc2-cbc"
 #define NID_rc2_cbc 37
@@ -2878,15 +2904,137 @@
 #define NID_sha224 675
 #define OBJ_sha224 OBJ_nist_hashalgs,4L
-#define OBJ_dsa_with_sha2 OBJ_nistAlgorithms,3L
+#define SN_sha512_224 "SHA512-224"
+#define LN_sha512_224 "sha512-224"
+#define NID_sha512_224 1029
+#define OBJ_sha512_224 OBJ_nist_hashalgs,5L
-#define SN_dsa_with_SHA224 "dsa_with_SHA224"
+#define SN_sha512_256 "SHA512-256"
+#define LN_sha512_256 "sha512-256"
+#define NID_sha512_256 1030
+#define OBJ_sha512_256 OBJ_nist_hashalgs,6L
+
+#define SN_sha3_224 "SHA3-224"
+#define LN_sha3_224 "sha3-224"
+#define NID_sha3_224 1031
+#define OBJ_sha3_224 OBJ_nist_hashalgs,7L
+
+#define SN_sha3_256 "SHA3-256"
+#define LN_sha3_256 "sha3-256"
+#define NID_sha3_256 1032
+#define OBJ_sha3_256 OBJ_nist_hashalgs,8L
+
+#define SN_sha3_384 "SHA3-384"
+#define LN_sha3_384 "sha3-384"
+#define NID_sha3_384 1033
+#define OBJ_sha3_384 OBJ_nist_hashalgs,9L
+
+#define SN_sha3_512 "SHA3-512"
+#define LN_sha3_512 "sha3-512"
+#define NID_sha3_512 1034
+#define OBJ_sha3_512 OBJ_nist_hashalgs,10L
+
+#define SN_hmac_sha3_224 "id-hmacWithSHA3-224"
+#define LN_hmac_sha3_224 "hmac-sha3-224"
+#define NID_hmac_sha3_224 1035
+#define OBJ_hmac_sha3_224 OBJ_nist_hashalgs,13L
+
+#define SN_hmac_sha3_256 "id-hmacWithSHA3-256"
+#define LN_hmac_sha3_256 "hmac-sha3-256"
+#define NID_hmac_sha3_256 1036
+#define OBJ_hmac_sha3_256 OBJ_nist_hashalgs,14L
+
+#define SN_hmac_sha3_384 "id-hmacWithSHA3-384"
+#define LN_hmac_sha3_384 "hmac-sha3-384"
+#define NID_hmac_sha3_384 1037
+#define OBJ_hmac_sha3_384 OBJ_nist_hashalgs,15L
+
+#define SN_hmac_sha3_512 "id-hmacWithSHA3-512"
+#define LN_hmac_sha3_512 "hmac-sha3-512"
+#define NID_hmac_sha3_512 1038
+#define OBJ_hmac_sha3_512 OBJ_nist_hashalgs,16L
+
+#define OBJ_nist_sigalgs OBJ_nistAlgorithms,3L
+
+#define SN_dsa_with_SHA224 "id-dsa-with-sha224"
+#define LN_dsa_with_SHA224 "dsa_with_SHA224"
 #define NID_dsa_with_SHA224 802
-#define OBJ_dsa_with_SHA224 OBJ_dsa_with_sha2,1L
+#define OBJ_dsa_with_SHA224 OBJ_nist_sigalgs,1L
-#define
SN_dsa_with_SHA256 "dsa_with_SHA256" +#define SN_dsa_with_SHA256 "id-dsa-with-sha256" +#define LN_dsa_with_SHA256 "dsa_with_SHA256" #define NID_dsa_with_SHA256 803 -#define OBJ_dsa_with_SHA256 OBJ_dsa_with_sha2,2L +#define OBJ_dsa_with_SHA256 OBJ_nist_sigalgs,2L + +#define SN_dsa_with_SHA384 "id-dsa-with-sha384" +#define LN_dsa_with_SHA384 "dsa_with_SHA384" +#define NID_dsa_with_SHA384 1039 +#define OBJ_dsa_with_SHA384 OBJ_nist_sigalgs,3L + +#define SN_dsa_with_SHA512 "id-dsa-with-sha512" +#define LN_dsa_with_SHA512 "dsa_with_SHA512" +#define NID_dsa_with_SHA512 1040 +#define OBJ_dsa_with_SHA512 OBJ_nist_sigalgs,4L + +#define SN_dsa_with_SHA3_224 "id-dsa-with-sha3-224" +#define LN_dsa_with_SHA3_224 "dsa_with_SHA3-224" +#define NID_dsa_with_SHA3_224 1041 +#define OBJ_dsa_with_SHA3_224 OBJ_nist_sigalgs,5L + +#define SN_dsa_with_SHA3_256 "id-dsa-with-sha3-256" +#define LN_dsa_with_SHA3_256 "dsa_with_SHA3-256" +#define NID_dsa_with_SHA3_256 1042 +#define OBJ_dsa_with_SHA3_256 OBJ_nist_sigalgs,6L + +#define SN_dsa_with_SHA3_384 "id-dsa-with-sha3-384" +#define LN_dsa_with_SHA3_384 "dsa_with_SHA3-384" +#define NID_dsa_with_SHA3_384 1043 +#define OBJ_dsa_with_SHA3_384 OBJ_nist_sigalgs,7L + +#define SN_dsa_with_SHA3_512 "id-dsa-with-sha3-512" +#define LN_dsa_with_SHA3_512 "dsa_with_SHA3-512" +#define NID_dsa_with_SHA3_512 1044 +#define OBJ_dsa_with_SHA3_512 OBJ_nist_sigalgs,8L + +#define SN_ecdsa_with_SHA3_224 "id-ecdsa-with-sha3-224" +#define LN_ecdsa_with_SHA3_224 "ecdsa_with_SHA3-224" +#define NID_ecdsa_with_SHA3_224 1045 +#define OBJ_ecdsa_with_SHA3_224 OBJ_nist_sigalgs,9L + +#define SN_ecdsa_with_SHA3_256 "id-ecdsa-with-sha3-256" +#define LN_ecdsa_with_SHA3_256 "ecdsa_with_SHA3-256" +#define NID_ecdsa_with_SHA3_256 1046 +#define OBJ_ecdsa_with_SHA3_256 OBJ_nist_sigalgs,10L + +#define SN_ecdsa_with_SHA3_384 "id-ecdsa-with-sha3-384" +#define LN_ecdsa_with_SHA3_384 "ecdsa_with_SHA3-384" +#define NID_ecdsa_with_SHA3_384 1047 +#define OBJ_ecdsa_with_SHA3_384 
OBJ_nist_sigalgs,11L
+
+#define SN_ecdsa_with_SHA3_512 "id-ecdsa-with-sha3-512"
+#define LN_ecdsa_with_SHA3_512 "ecdsa_with_SHA3-512"
+#define NID_ecdsa_with_SHA3_512 1048
+#define OBJ_ecdsa_with_SHA3_512 OBJ_nist_sigalgs,12L
+
+#define SN_RSA_SHA3_224 "id-rsassa-pkcs1-v1_5-with-sha3-224"
+#define LN_RSA_SHA3_224 "RSA-SHA3-224"
+#define NID_RSA_SHA3_224 1049
+#define OBJ_RSA_SHA3_224 OBJ_nist_sigalgs,13L
+
+#define SN_RSA_SHA3_256 "id-rsassa-pkcs1-v1_5-with-sha3-256"
+#define LN_RSA_SHA3_256 "RSA-SHA3-256"
+#define NID_RSA_SHA3_256 1050
+#define OBJ_RSA_SHA3_256 OBJ_nist_sigalgs,14L
+
+#define SN_RSA_SHA3_384 "id-rsassa-pkcs1-v1_5-with-sha3-384"
+#define LN_RSA_SHA3_384 "RSA-SHA3-384"
+#define NID_RSA_SHA3_384 1051
+#define OBJ_RSA_SHA3_384 OBJ_nist_sigalgs,15L
+
+#define SN_RSA_SHA3_512 "id-rsassa-pkcs1-v1_5-with-sha3-512"
+#define LN_RSA_SHA3_512 "RSA-SHA3-512"
+#define NID_RSA_SHA3_512 1052
+#define OBJ_RSA_SHA3_512 OBJ_nist_sigalgs,16L
 #define SN_hold_instruction_code "holdInstructionCode"
 #define LN_hold_instruction_code "Hold Instruction Code"
@@ -4250,6 +4398,10 @@
 #define NID_ct_cert_scts 1021
 #define OBJ_ct_cert_scts 1L,3L,6L,1L,4L,1L,11129L,2L,4L,5L
+#define SN_hkdf "HKDF"
+#define LN_hkdf "hkdf"
+#define NID_hkdf 1022
+
 #define SN_teletrust "teletrust"
 #define NID_teletrust 920
 #define OBJ_teletrust OBJ_identified_organization,36L
diff --git a/include/openssl/objects.h b/include/openssl/objects.h
index 918928e..7fc11fa 100644
--- a/include/openssl/objects.h
+++ b/include/openssl/objects.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: objects.h,v 1.17 2022/01/14 08:56:00 tb Exp $ */
+/* $OpenBSD: objects.h,v 1.21 2022/11/13 14:03:13 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,902 +59,11 @@
 #ifndef HEADER_OBJECTS_H
 #define HEADER_OBJECTS_H
-#define USE_OBJ_MAC
-
-#ifdef USE_OBJ_MAC
 #include
-#else
-#define SN_undef "UNDEF"
-#define LN_undef "undefined"
-#define NID_undef 0
-#define OBJ_undef 0L
-#define SN_Algorithm "Algorithm"
-#define LN_algorithm "algorithm"
-#define NID_algorithm 38
-#define OBJ_algorithm 1L,3L,14L,3L,2L
-
-#define LN_rsadsi "rsadsi"
-#define NID_rsadsi 1
-#define OBJ_rsadsi 1L,2L,840L,113549L
-
-#define LN_pkcs "pkcs"
-#define NID_pkcs 2
-#define OBJ_pkcs OBJ_rsadsi,1L
-
-#define SN_md2 "MD2"
-#define LN_md2 "md2"
-#define NID_md2 3
-#define OBJ_md2 OBJ_rsadsi,2L,2L
-
-#define SN_md5 "MD5"
-#define LN_md5 "md5"
-#define NID_md5 4
-#define OBJ_md5 OBJ_rsadsi,2L,5L
-
-#define SN_rc4 "RC4"
-#define LN_rc4 "rc4"
-#define NID_rc4 5
-#define OBJ_rc4 OBJ_rsadsi,3L,4L
-
-#define LN_rsaEncryption "rsaEncryption"
-#define NID_rsaEncryption 6
-#define OBJ_rsaEncryption OBJ_pkcs,1L,1L
-
-#define SN_md2WithRSAEncryption "RSA-MD2"
-#define LN_md2WithRSAEncryption "md2WithRSAEncryption"
-#define NID_md2WithRSAEncryption 7
-#define OBJ_md2WithRSAEncryption OBJ_pkcs,1L,2L
-
-#define SN_md5WithRSAEncryption "RSA-MD5"
-#define LN_md5WithRSAEncryption "md5WithRSAEncryption"
-#define NID_md5WithRSAEncryption 8
-#define OBJ_md5WithRSAEncryption OBJ_pkcs,1L,4L
-
-#define SN_pbeWithMD2AndDES_CBC "PBE-MD2-DES"
-#define LN_pbeWithMD2AndDES_CBC "pbeWithMD2AndDES-CBC"
-#define NID_pbeWithMD2AndDES_CBC 9
-#define OBJ_pbeWithMD2AndDES_CBC OBJ_pkcs,5L,1L
-
-#define SN_pbeWithMD5AndDES_CBC "PBE-MD5-DES"
-#define LN_pbeWithMD5AndDES_CBC "pbeWithMD5AndDES-CBC"
-#define NID_pbeWithMD5AndDES_CBC 10
-#define OBJ_pbeWithMD5AndDES_CBC OBJ_pkcs,5L,3L
-
-#define LN_X500 "X500"
-#define NID_X500 11
-#define OBJ_X500 2L,5L
-
-#define LN_X509 "X509"
-#define NID_X509 12
-#define OBJ_X509 OBJ_X500,4L
-
-#define SN_commonName "CN"
-#define LN_commonName "commonName"
-#define NID_commonName 13
-#define OBJ_commonName OBJ_X509,3L
-
-#define SN_countryName
"C" -#define LN_countryName "countryName" -#define NID_countryName 14 -#define OBJ_countryName OBJ_X509,6L - -#define SN_localityName "L" -#define LN_localityName "localityName" -#define NID_localityName 15 -#define OBJ_localityName OBJ_X509,7L - -/* Postal Address? PA */ - -/* should be "ST" (rfc1327) but MS uses 'S' */ -#define SN_stateOrProvinceName "ST" -#define LN_stateOrProvinceName "stateOrProvinceName" -#define NID_stateOrProvinceName 16 -#define OBJ_stateOrProvinceName OBJ_X509,8L - -#define SN_organizationName "O" -#define LN_organizationName "organizationName" -#define NID_organizationName 17 -#define OBJ_organizationName OBJ_X509,10L - -#define SN_organizationalUnitName "OU" -#define LN_organizationalUnitName "organizationalUnitName" -#define NID_organizationalUnitName 18 -#define OBJ_organizationalUnitName OBJ_X509,11L - -#define SN_rsa "RSA" -#define LN_rsa "rsa" -#define NID_rsa 19 -#define OBJ_rsa OBJ_X500,8L,1L,1L - -#define LN_pkcs7 "pkcs7" -#define NID_pkcs7 20 -#define OBJ_pkcs7 OBJ_pkcs,7L - -#define LN_pkcs7_data "pkcs7-data" -#define NID_pkcs7_data 21 -#define OBJ_pkcs7_data OBJ_pkcs7,1L - -#define LN_pkcs7_signed "pkcs7-signedData" -#define NID_pkcs7_signed 22 -#define OBJ_pkcs7_signed OBJ_pkcs7,2L - -#define LN_pkcs7_enveloped "pkcs7-envelopedData" -#define NID_pkcs7_enveloped 23 -#define OBJ_pkcs7_enveloped OBJ_pkcs7,3L - -#define LN_pkcs7_signedAndEnveloped "pkcs7-signedAndEnvelopedData" -#define NID_pkcs7_signedAndEnveloped 24 -#define OBJ_pkcs7_signedAndEnveloped OBJ_pkcs7,4L - -#define LN_pkcs7_digest "pkcs7-digestData" -#define NID_pkcs7_digest 25 -#define OBJ_pkcs7_digest OBJ_pkcs7,5L - -#define LN_pkcs7_encrypted "pkcs7-encryptedData" -#define NID_pkcs7_encrypted 26 -#define OBJ_pkcs7_encrypted OBJ_pkcs7,6L - -#define LN_pkcs3 "pkcs3" -#define NID_pkcs3 27 -#define OBJ_pkcs3 OBJ_pkcs,3L - -#define LN_dhKeyAgreement "dhKeyAgreement" -#define NID_dhKeyAgreement 28 -#define OBJ_dhKeyAgreement OBJ_pkcs3,1L - -#define SN_des_ecb 
"DES-ECB" -#define LN_des_ecb "des-ecb" -#define NID_des_ecb 29 -#define OBJ_des_ecb OBJ_algorithm,6L - -#define SN_des_cfb64 "DES-CFB" -#define LN_des_cfb64 "des-cfb" -#define NID_des_cfb64 30 -/* IV + num */ -#define OBJ_des_cfb64 OBJ_algorithm,9L - -#define SN_des_cbc "DES-CBC" -#define LN_des_cbc "des-cbc" -#define NID_des_cbc 31 -/* IV */ -#define OBJ_des_cbc OBJ_algorithm,7L - -#define SN_des_ede "DES-EDE" -#define LN_des_ede "des-ede" -#define NID_des_ede 32 -/* ?? */ -#define OBJ_des_ede OBJ_algorithm,17L - -#define SN_des_ede3 "DES-EDE3" -#define LN_des_ede3 "des-ede3" -#define NID_des_ede3 33 - -#define SN_idea_cbc "IDEA-CBC" -#define LN_idea_cbc "idea-cbc" -#define NID_idea_cbc 34 -#define OBJ_idea_cbc 1L,3L,6L,1L,4L,1L,188L,7L,1L,1L,2L - -#define SN_idea_cfb64 "IDEA-CFB" -#define LN_idea_cfb64 "idea-cfb" -#define NID_idea_cfb64 35 - -#define SN_idea_ecb "IDEA-ECB" -#define LN_idea_ecb "idea-ecb" -#define NID_idea_ecb 36 - -#define SN_rc2_cbc "RC2-CBC" -#define LN_rc2_cbc "rc2-cbc" -#define NID_rc2_cbc 37 -#define OBJ_rc2_cbc OBJ_rsadsi,3L,2L - -#define SN_rc2_ecb "RC2-ECB" -#define LN_rc2_ecb "rc2-ecb" -#define NID_rc2_ecb 38 - -#define SN_rc2_cfb64 "RC2-CFB" -#define LN_rc2_cfb64 "rc2-cfb" -#define NID_rc2_cfb64 39 - -#define SN_rc2_ofb64 "RC2-OFB" -#define LN_rc2_ofb64 "rc2-ofb" -#define NID_rc2_ofb64 40 - -#define SN_sha "SHA" -#define LN_sha "sha" -#define NID_sha 41 -#define OBJ_sha OBJ_algorithm,18L - -#define SN_shaWithRSAEncryption "RSA-SHA" -#define LN_shaWithRSAEncryption "shaWithRSAEncryption" -#define NID_shaWithRSAEncryption 42 -#define OBJ_shaWithRSAEncryption OBJ_algorithm,15L - -#define SN_des_ede_cbc "DES-EDE-CBC" -#define LN_des_ede_cbc "des-ede-cbc" -#define NID_des_ede_cbc 43 - -#define SN_des_ede3_cbc "DES-EDE3-CBC" -#define LN_des_ede3_cbc "des-ede3-cbc" -#define NID_des_ede3_cbc 44 -#define OBJ_des_ede3_cbc OBJ_rsadsi,3L,7L - -#define SN_des_ofb64 "DES-OFB" -#define LN_des_ofb64 "des-ofb" -#define NID_des_ofb64 45 -#define 
OBJ_des_ofb64 OBJ_algorithm,8L
-
-#define SN_idea_ofb64 "IDEA-OFB"
-#define LN_idea_ofb64 "idea-ofb"
-#define NID_idea_ofb64 46
-
-#define LN_pkcs9 "pkcs9"
-#define NID_pkcs9 47
-#define OBJ_pkcs9 OBJ_pkcs,9L
-
-#define SN_pkcs9_emailAddress "Email"
-#define LN_pkcs9_emailAddress "emailAddress"
-#define NID_pkcs9_emailAddress 48
-#define OBJ_pkcs9_emailAddress OBJ_pkcs9,1L
-
-#define LN_pkcs9_unstructuredName "unstructuredName"
-#define NID_pkcs9_unstructuredName 49
-#define OBJ_pkcs9_unstructuredName OBJ_pkcs9,2L
-
-#define LN_pkcs9_contentType "contentType"
-#define NID_pkcs9_contentType 50
-#define OBJ_pkcs9_contentType OBJ_pkcs9,3L
-
-#define LN_pkcs9_messageDigest "messageDigest"
-#define NID_pkcs9_messageDigest 51
-#define OBJ_pkcs9_messageDigest OBJ_pkcs9,4L
-
-#define LN_pkcs9_signingTime "signingTime"
-#define NID_pkcs9_signingTime 52
-#define OBJ_pkcs9_signingTime OBJ_pkcs9,5L
-
-#define LN_pkcs9_countersignature "countersignature"
-#define NID_pkcs9_countersignature 53
-#define OBJ_pkcs9_countersignature OBJ_pkcs9,6L
-
-#define LN_pkcs9_challengePassword "challengePassword"
-#define NID_pkcs9_challengePassword 54
-#define OBJ_pkcs9_challengePassword OBJ_pkcs9,7L
-
-#define LN_pkcs9_unstructuredAddress "unstructuredAddress"
-#define NID_pkcs9_unstructuredAddress 55
-#define OBJ_pkcs9_unstructuredAddress OBJ_pkcs9,8L
-
-#define LN_pkcs9_extCertAttributes "extendedCertificateAttributes"
-#define NID_pkcs9_extCertAttributes 56
-#define OBJ_pkcs9_extCertAttributes OBJ_pkcs9,9L
-
-#define SN_netscape "Netscape"
-#define LN_netscape "Netscape Communications Corp."
-#define NID_netscape 57
-#define OBJ_netscape 2L,16L,840L,1L,113730L
-
-#define SN_netscape_cert_extension "nsCertExt"
-#define LN_netscape_cert_extension "Netscape Certificate Extension"
-#define NID_netscape_cert_extension 58
-#define OBJ_netscape_cert_extension OBJ_netscape,1L
-
-#define SN_netscape_data_type "nsDataType"
-#define LN_netscape_data_type "Netscape Data Type"
-#define NID_netscape_data_type 59
-#define OBJ_netscape_data_type OBJ_netscape,2L
-
-#define SN_des_ede_cfb64 "DES-EDE-CFB"
-#define LN_des_ede_cfb64 "des-ede-cfb"
-#define NID_des_ede_cfb64 60
-
-#define SN_des_ede3_cfb64 "DES-EDE3-CFB"
-#define LN_des_ede3_cfb64 "des-ede3-cfb"
-#define NID_des_ede3_cfb64 61
-
-#define SN_des_ede_ofb64 "DES-EDE-OFB"
-#define LN_des_ede_ofb64 "des-ede-ofb"
-#define NID_des_ede_ofb64 62
-
-#define SN_des_ede3_ofb64 "DES-EDE3-OFB"
-#define LN_des_ede3_ofb64 "des-ede3-ofb"
-#define NID_des_ede3_ofb64 63
-
-/* I'm not sure about the object ID */
-#define SN_sha1 "SHA1"
-#define LN_sha1 "sha1"
-#define NID_sha1 64
-#define OBJ_sha1 OBJ_algorithm,26L
-/* 28 Jun 1996 - eay */
-/* #define OBJ_sha1 1L,3L,14L,2L,26L,05L <- wrong */
-
-#define SN_sha1WithRSAEncryption "RSA-SHA1"
-#define LN_sha1WithRSAEncryption "sha1WithRSAEncryption"
-#define NID_sha1WithRSAEncryption 65
-#define OBJ_sha1WithRSAEncryption OBJ_pkcs,1L,5L
-
-#define SN_dsaWithSHA "DSA-SHA"
-#define LN_dsaWithSHA "dsaWithSHA"
-#define NID_dsaWithSHA 66
-#define OBJ_dsaWithSHA OBJ_algorithm,13L
-
-#define SN_dsa_2 "DSA-old"
-#define LN_dsa_2 "dsaEncryption-old"
-#define NID_dsa_2 67
-#define OBJ_dsa_2 OBJ_algorithm,12L
-
-/* proposed by microsoft to RSA */
-#define SN_pbeWithSHA1AndRC2_CBC "PBE-SHA1-RC2-64"
-#define LN_pbeWithSHA1AndRC2_CBC "pbeWithSHA1AndRC2-CBC"
-#define NID_pbeWithSHA1AndRC2_CBC 68
-#define OBJ_pbeWithSHA1AndRC2_CBC OBJ_pkcs,5L,11L
-
-/* proposed by microsoft to RSA as pbeWithSHA1AndRC4: it is now
- * defined explicitly in PKCS#5 v2.0 as id-PBKDF2 which is something
- * completely
different.
- */
-#define LN_id_pbkdf2 "PBKDF2"
-#define NID_id_pbkdf2 69
-#define OBJ_id_pbkdf2 OBJ_pkcs,5L,12L
-
-#define SN_dsaWithSHA1_2 "DSA-SHA1-old"
-#define LN_dsaWithSHA1_2 "dsaWithSHA1-old"
-#define NID_dsaWithSHA1_2 70
-/* Got this one from 'sdn706r20.pdf' which is actually an NSA document :-) */
-#define OBJ_dsaWithSHA1_2 OBJ_algorithm,27L
-
-#define SN_netscape_cert_type "nsCertType"
-#define LN_netscape_cert_type "Netscape Cert Type"
-#define NID_netscape_cert_type 71
-#define OBJ_netscape_cert_type OBJ_netscape_cert_extension,1L
-
-#define SN_netscape_base_url "nsBaseUrl"
-#define LN_netscape_base_url "Netscape Base Url"
-#define NID_netscape_base_url 72
-#define OBJ_netscape_base_url OBJ_netscape_cert_extension,2L
-
-#define SN_netscape_revocation_url "nsRevocationUrl"
-#define LN_netscape_revocation_url "Netscape Revocation Url"
-#define NID_netscape_revocation_url 73
-#define OBJ_netscape_revocation_url OBJ_netscape_cert_extension,3L
-
-#define SN_netscape_ca_revocation_url "nsCaRevocationUrl"
-#define LN_netscape_ca_revocation_url "Netscape CA Revocation Url"
-#define NID_netscape_ca_revocation_url 74
-#define OBJ_netscape_ca_revocation_url OBJ_netscape_cert_extension,4L
-
-#define SN_netscape_renewal_url "nsRenewalUrl"
-#define LN_netscape_renewal_url "Netscape Renewal Url"
-#define NID_netscape_renewal_url 75
-#define OBJ_netscape_renewal_url OBJ_netscape_cert_extension,7L
-
-#define SN_netscape_ca_policy_url "nsCaPolicyUrl"
-#define LN_netscape_ca_policy_url "Netscape CA Policy Url"
-#define NID_netscape_ca_policy_url 76
-#define OBJ_netscape_ca_policy_url OBJ_netscape_cert_extension,8L
-
-#define SN_netscape_ssl_server_name "nsSslServerName"
-#define LN_netscape_ssl_server_name "Netscape SSL Server Name"
-#define NID_netscape_ssl_server_name 77
-#define OBJ_netscape_ssl_server_name OBJ_netscape_cert_extension,12L
-
-#define SN_netscape_comment "nsComment"
-#define LN_netscape_comment "Netscape Comment"
-#define NID_netscape_comment 78
-#define
OBJ_netscape_comment OBJ_netscape_cert_extension,13L
-
-#define SN_netscape_cert_sequence "nsCertSequence"
-#define LN_netscape_cert_sequence "Netscape Certificate Sequence"
-#define NID_netscape_cert_sequence 79
-#define OBJ_netscape_cert_sequence OBJ_netscape_data_type,5L
-
-#define SN_desx_cbc "DESX-CBC"
-#define LN_desx_cbc "desx-cbc"
-#define NID_desx_cbc 80
-
-#define SN_id_ce "id-ce"
-#define NID_id_ce 81
-#define OBJ_id_ce 2L,5L,29L
-
-#define SN_subject_key_identifier "subjectKeyIdentifier"
-#define LN_subject_key_identifier "X509v3 Subject Key Identifier"
-#define NID_subject_key_identifier 82
-#define OBJ_subject_key_identifier OBJ_id_ce,14L
-
-#define SN_key_usage "keyUsage"
-#define LN_key_usage "X509v3 Key Usage"
-#define NID_key_usage 83
-#define OBJ_key_usage OBJ_id_ce,15L
-
-#define SN_private_key_usage_period "privateKeyUsagePeriod"
-#define LN_private_key_usage_period "X509v3 Private Key Usage Period"
-#define NID_private_key_usage_period 84
-#define OBJ_private_key_usage_period OBJ_id_ce,16L
-
-#define SN_subject_alt_name "subjectAltName"
-#define LN_subject_alt_name "X509v3 Subject Alternative Name"
-#define NID_subject_alt_name 85
-#define OBJ_subject_alt_name OBJ_id_ce,17L
-
-#define SN_issuer_alt_name "issuerAltName"
-#define LN_issuer_alt_name "X509v3 Issuer Alternative Name"
-#define NID_issuer_alt_name 86
-#define OBJ_issuer_alt_name OBJ_id_ce,18L
-
-#define SN_basic_constraints "basicConstraints"
-#define LN_basic_constraints "X509v3 Basic Constraints"
-#define NID_basic_constraints 87
-#define OBJ_basic_constraints OBJ_id_ce,19L
-
-#define SN_crl_number "crlNumber"
-#define LN_crl_number "X509v3 CRL Number"
-#define NID_crl_number 88
-#define OBJ_crl_number OBJ_id_ce,20L
-
-#define SN_certificate_policies "certificatePolicies"
-#define LN_certificate_policies "X509v3 Certificate Policies"
-#define NID_certificate_policies 89
-#define OBJ_certificate_policies OBJ_id_ce,32L
-
-#define SN_authority_key_identifier "authorityKeyIdentifier"
-#define LN_authority_key_identifier "X509v3 Authority Key Identifier"
-#define NID_authority_key_identifier 90
-#define OBJ_authority_key_identifier OBJ_id_ce,35L
-
-#define SN_bf_cbc "BF-CBC"
-#define LN_bf_cbc "bf-cbc"
-#define NID_bf_cbc 91
-#define OBJ_bf_cbc 1L,3L,6L,1L,4L,1L,3029L,1L,2L
-
-#define SN_bf_ecb "BF-ECB"
-#define LN_bf_ecb "bf-ecb"
-#define NID_bf_ecb 92
-
-#define SN_bf_cfb64 "BF-CFB"
-#define LN_bf_cfb64 "bf-cfb"
-#define NID_bf_cfb64 93
-
-#define SN_bf_ofb64 "BF-OFB"
-#define LN_bf_ofb64 "bf-ofb"
-#define NID_bf_ofb64 94
-
-#define SN_mdc2 "MDC2"
-#define LN_mdc2 "mdc2"
-#define NID_mdc2 95
-#define OBJ_mdc2 2L,5L,8L,3L,101L
-/* An alternative? 1L,3L,14L,3L,2L,19L */
-
-#define SN_mdc2WithRSA "RSA-MDC2"
-#define LN_mdc2WithRSA "mdc2withRSA"
-#define NID_mdc2WithRSA 96
-#define OBJ_mdc2WithRSA 2L,5L,8L,3L,100L
-
-#define SN_rc4_40 "RC4-40"
-#define LN_rc4_40 "rc4-40"
-#define NID_rc4_40 97
-
-#define SN_rc2_40_cbc "RC2-40-CBC"
-#define LN_rc2_40_cbc "rc2-40-cbc"
-#define NID_rc2_40_cbc 98
-
-#define SN_givenName "G"
-#define LN_givenName "givenName"
-#define NID_givenName 99
-#define OBJ_givenName OBJ_X509,42L
-
-#define SN_surname "S"
-#define LN_surname "surname"
-#define NID_surname 100
-#define OBJ_surname OBJ_X509,4L
-
-#define SN_initials "I"
-#define LN_initials "initials"
-#define NID_initials 101
-#define OBJ_initials OBJ_X509,43L
-
-#define SN_uniqueIdentifier "UID"
-#define LN_uniqueIdentifier "uniqueIdentifier"
-#define NID_uniqueIdentifier 102
-#define OBJ_uniqueIdentifier OBJ_X509,45L
-
-#define SN_crl_distribution_points "crlDistributionPoints"
-#define LN_crl_distribution_points "X509v3 CRL Distribution Points"
-#define NID_crl_distribution_points 103
-#define OBJ_crl_distribution_points OBJ_id_ce,31L
-
-#define SN_md5WithRSA "RSA-NP-MD5"
-#define LN_md5WithRSA "md5WithRSA"
-#define NID_md5WithRSA 104
-#define OBJ_md5WithRSA OBJ_algorithm,3L
-
-#define SN_serialNumber "SN"
-#define LN_serialNumber "serialNumber"
-#define
NID_serialNumber 105
-#define OBJ_serialNumber OBJ_X509,5L
-
-#define SN_title "T"
-#define LN_title "title"
-#define NID_title 106
-#define OBJ_title OBJ_X509,12L
-
-#define SN_description "D"
-#define LN_description "description"
-#define NID_description 107
-#define OBJ_description OBJ_X509,13L
-
-/* CAST5 is CAST-128, I'm just sticking with the documentation */
-#define SN_cast5_cbc "CAST5-CBC"
-#define LN_cast5_cbc "cast5-cbc"
-#define NID_cast5_cbc 108
-#define OBJ_cast5_cbc 1L,2L,840L,113533L,7L,66L,10L
-
-#define SN_cast5_ecb "CAST5-ECB"
-#define LN_cast5_ecb "cast5-ecb"
-#define NID_cast5_ecb 109
-
-#define SN_cast5_cfb64 "CAST5-CFB"
-#define LN_cast5_cfb64 "cast5-cfb"
-#define NID_cast5_cfb64 110
-
-#define SN_cast5_ofb64 "CAST5-OFB"
-#define LN_cast5_ofb64 "cast5-ofb"
-#define NID_cast5_ofb64 111
-
-#define LN_pbeWithMD5AndCast5_CBC "pbeWithMD5AndCast5CBC"
-#define NID_pbeWithMD5AndCast5_CBC 112
-#define OBJ_pbeWithMD5AndCast5_CBC 1L,2L,840L,113533L,7L,66L,12L
-
-/* This is one sun will soon be using :-(
- * id-dsa-with-sha1 ID ::= {
- * iso(1) member-body(2) us(840) x9-57 (10040) x9cm(4) 3 }
- */
-#define SN_dsaWithSHA1 "DSA-SHA1"
-#define LN_dsaWithSHA1 "dsaWithSHA1"
-#define NID_dsaWithSHA1 113
-#define OBJ_dsaWithSHA1 1L,2L,840L,10040L,4L,3L
-
-#define NID_md5_sha1 114
-#define SN_md5_sha1 "MD5-SHA1"
-#define LN_md5_sha1 "md5-sha1"
-
-#define SN_sha1WithRSA "RSA-SHA1-2"
-#define LN_sha1WithRSA "sha1WithRSA"
-#define NID_sha1WithRSA 115
-#define OBJ_sha1WithRSA OBJ_algorithm,29L
-
-#define SN_dsa "DSA"
-#define LN_dsa "dsaEncryption"
-#define NID_dsa 116
-#define OBJ_dsa 1L,2L,840L,10040L,4L,1L
-
-#define SN_ripemd160 "RIPEMD160"
-#define LN_ripemd160 "ripemd160"
-#define NID_ripemd160 117
-#define OBJ_ripemd160 1L,3L,36L,3L,2L,1L
-
-/* The name should actually be rsaSignatureWithripemd160, but I'm going
- * to continue using the convention I'm using with the other ciphers */
-#define SN_ripemd160WithRSA "RSA-RIPEMD160"
-#define LN_ripemd160WithRSA
"ripemd160WithRSA" -#define NID_ripemd160WithRSA 119 -#define OBJ_ripemd160WithRSA 1L,3L,36L,3L,3L,1L,2L - -/* Taken from rfc2040 - * RC5_CBC_Parameters ::= SEQUENCE { - * version INTEGER (v1_0(16)), - * rounds INTEGER (8..127), - * blockSizeInBits INTEGER (64, 128), - * iv OCTET STRING OPTIONAL - * } - */ -#define SN_rc5_cbc "RC5-CBC" -#define LN_rc5_cbc "rc5-cbc" -#define NID_rc5_cbc 120 -#define OBJ_rc5_cbc OBJ_rsadsi,3L,8L - -#define SN_rc5_ecb "RC5-ECB" -#define LN_rc5_ecb "rc5-ecb" -#define NID_rc5_ecb 121 - -#define SN_rc5_cfb64 "RC5-CFB" -#define LN_rc5_cfb64 "rc5-cfb" -#define NID_rc5_cfb64 122 - -#define SN_rc5_ofb64 "RC5-OFB" -#define LN_rc5_ofb64 "rc5-ofb" -#define NID_rc5_ofb64 123 - -#define SN_rle_compression "RLE" -#define LN_rle_compression "run length compression" -#define NID_rle_compression 124 -#define OBJ_rle_compression 1L,1L,1L,1L,666L,1L - -#define SN_zlib_compression "ZLIB" -#define LN_zlib_compression "zlib compression" -#define NID_zlib_compression 125 -#define OBJ_zlib_compression 1L,1L,1L,1L,666L,2L - -#define SN_ext_key_usage "extendedKeyUsage" -#define LN_ext_key_usage "X509v3 Extended Key Usage" -#define NID_ext_key_usage 126 -#define OBJ_ext_key_usage OBJ_id_ce,37 - -#define SN_id_pkix "PKIX" -#define NID_id_pkix 127 -#define OBJ_id_pkix 1L,3L,6L,1L,5L,5L,7L - -#define SN_id_kp "id-kp" -#define NID_id_kp 128 -#define OBJ_id_kp OBJ_id_pkix,3L - -/* PKIX extended key usage OIDs */ - -#define SN_server_auth "serverAuth" -#define LN_server_auth "TLS Web Server Authentication" -#define NID_server_auth 129 -#define OBJ_server_auth OBJ_id_kp,1L - -#define SN_client_auth "clientAuth" -#define LN_client_auth "TLS Web Client Authentication" -#define NID_client_auth 130 -#define OBJ_client_auth OBJ_id_kp,2L - -#define SN_code_sign "codeSigning" -#define LN_code_sign "Code Signing" -#define NID_code_sign 131 -#define OBJ_code_sign OBJ_id_kp,3L - -#define SN_email_protect "emailProtection" -#define LN_email_protect "E-mail Protection" -#define 
NID_email_protect 132
-#define OBJ_email_protect OBJ_id_kp,4L
-
-#define SN_time_stamp "timeStamping"
-#define LN_time_stamp "Time Stamping"
-#define NID_time_stamp 133
-#define OBJ_time_stamp OBJ_id_kp,8L
-
-/* Additional extended key usage OIDs: Microsoft */
-
-#define SN_ms_code_ind "msCodeInd"
-#define LN_ms_code_ind "Microsoft Individual Code Signing"
-#define NID_ms_code_ind 134
-#define OBJ_ms_code_ind 1L,3L,6L,1L,4L,1L,311L,2L,1L,21L
-
-#define SN_ms_code_com "msCodeCom"
-#define LN_ms_code_com "Microsoft Commercial Code Signing"
-#define NID_ms_code_com 135
-#define OBJ_ms_code_com 1L,3L,6L,1L,4L,1L,311L,2L,1L,22L
-
-#define SN_ms_ctl_sign "msCTLSign"
-#define LN_ms_ctl_sign "Microsoft Trust List Signing"
-#define NID_ms_ctl_sign 136
-#define OBJ_ms_ctl_sign 1L,3L,6L,1L,4L,1L,311L,10L,3L,1L
-
-#define SN_ms_sgc "msSGC"
-#define LN_ms_sgc "Microsoft Server Gated Crypto"
-#define NID_ms_sgc 137
-#define OBJ_ms_sgc 1L,3L,6L,1L,4L,1L,311L,10L,3L,3L
-
-#define SN_ms_efs "msEFS"
-#define LN_ms_efs "Microsoft Encrypted File System"
-#define NID_ms_efs 138
-#define OBJ_ms_efs 1L,3L,6L,1L,4L,1L,311L,10L,3L,4L
-
-/* Additional usage: Netscape */
-
-#define SN_ns_sgc "nsSGC"
-#define LN_ns_sgc "Netscape Server Gated Crypto"
-#define NID_ns_sgc 139
-#define OBJ_ns_sgc OBJ_netscape,4L,1L
-
-#define SN_delta_crl "deltaCRL"
-#define LN_delta_crl "X509v3 Delta CRL Indicator"
-#define NID_delta_crl 140
-#define OBJ_delta_crl OBJ_id_ce,27L
-
-#define SN_crl_reason "CRLReason"
-#define LN_crl_reason "CRL Reason Code"
-#define NID_crl_reason 141
-#define OBJ_crl_reason OBJ_id_ce,21L
-
-#define SN_invalidity_date "invalidityDate"
-#define LN_invalidity_date "Invalidity Date"
-#define NID_invalidity_date 142
-#define OBJ_invalidity_date OBJ_id_ce,24L
-
-#define SN_sxnet "SXNetID"
-#define LN_sxnet "Strong Extranet ID"
-#define NID_sxnet 143
-#define OBJ_sxnet 1L,3L,101L,1L,4L,1L
-
-/* PKCS12 and related OBJECT IDENTIFIERS */
-
-#define OBJ_pkcs12 OBJ_pkcs,12L
-#define
OBJ_pkcs12_pbeids OBJ_pkcs12, 1
-
-#define SN_pbe_WithSHA1And128BitRC4 "PBE-SHA1-RC4-128"
-#define LN_pbe_WithSHA1And128BitRC4 "pbeWithSHA1And128BitRC4"
-#define NID_pbe_WithSHA1And128BitRC4 144
-#define OBJ_pbe_WithSHA1And128BitRC4 OBJ_pkcs12_pbeids, 1L
-
-#define SN_pbe_WithSHA1And40BitRC4 "PBE-SHA1-RC4-40"
-#define LN_pbe_WithSHA1And40BitRC4 "pbeWithSHA1And40BitRC4"
-#define NID_pbe_WithSHA1And40BitRC4 145
-#define OBJ_pbe_WithSHA1And40BitRC4 OBJ_pkcs12_pbeids, 2L
-
-#define SN_pbe_WithSHA1And3_Key_TripleDES_CBC "PBE-SHA1-3DES"
-#define LN_pbe_WithSHA1And3_Key_TripleDES_CBC "pbeWithSHA1And3-KeyTripleDES-CBC"
-#define NID_pbe_WithSHA1And3_Key_TripleDES_CBC 146
-#define OBJ_pbe_WithSHA1And3_Key_TripleDES_CBC OBJ_pkcs12_pbeids, 3L
-
-#define SN_pbe_WithSHA1And2_Key_TripleDES_CBC "PBE-SHA1-2DES"
-#define LN_pbe_WithSHA1And2_Key_TripleDES_CBC "pbeWithSHA1And2-KeyTripleDES-CBC"
-#define NID_pbe_WithSHA1And2_Key_TripleDES_CBC 147
-#define OBJ_pbe_WithSHA1And2_Key_TripleDES_CBC OBJ_pkcs12_pbeids, 4L
-
-#define SN_pbe_WithSHA1And128BitRC2_CBC "PBE-SHA1-RC2-128"
-#define LN_pbe_WithSHA1And128BitRC2_CBC "pbeWithSHA1And128BitRC2-CBC"
-#define NID_pbe_WithSHA1And128BitRC2_CBC 148
-#define OBJ_pbe_WithSHA1And128BitRC2_CBC OBJ_pkcs12_pbeids, 5L
-
-#define SN_pbe_WithSHA1And40BitRC2_CBC "PBE-SHA1-RC2-40"
-#define LN_pbe_WithSHA1And40BitRC2_CBC "pbeWithSHA1And40BitRC2-CBC"
-#define NID_pbe_WithSHA1And40BitRC2_CBC 149
-#define OBJ_pbe_WithSHA1And40BitRC2_CBC OBJ_pkcs12_pbeids, 6L
-
-#define OBJ_pkcs12_Version1 OBJ_pkcs12, 10L
-
-#define OBJ_pkcs12_BagIds OBJ_pkcs12_Version1, 1L
-
-#define LN_keyBag "keyBag"
-#define NID_keyBag 150
-#define OBJ_keyBag OBJ_pkcs12_BagIds, 1L
-
-#define LN_pkcs8ShroudedKeyBag "pkcs8ShroudedKeyBag"
-#define NID_pkcs8ShroudedKeyBag 151
-#define OBJ_pkcs8ShroudedKeyBag OBJ_pkcs12_BagIds, 2L
-
-#define LN_certBag "certBag"
-#define NID_certBag 152
-#define OBJ_certBag OBJ_pkcs12_BagIds, 3L
-
-#define LN_crlBag "crlBag"
-#define NID_crlBag 153
-#define
OBJ_crlBag OBJ_pkcs12_BagIds, 4L - -#define LN_secretBag "secretBag" -#define NID_secretBag 154 -#define OBJ_secretBag OBJ_pkcs12_BagIds, 5L - -#define LN_safeContentsBag "safeContentsBag" -#define NID_safeContentsBag 155 -#define OBJ_safeContentsBag OBJ_pkcs12_BagIds, 6L - -#define LN_friendlyName "friendlyName" -#define NID_friendlyName 156 -#define OBJ_friendlyName OBJ_pkcs9, 20L - -#define LN_localKeyID "localKeyID" -#define NID_localKeyID 157 -#define OBJ_localKeyID OBJ_pkcs9, 21L - -#define OBJ_certTypes OBJ_pkcs9, 22L - -#define LN_x509Certificate "x509Certificate" -#define NID_x509Certificate 158 -#define OBJ_x509Certificate OBJ_certTypes, 1L - -#define LN_sdsiCertificate "sdsiCertificate" -#define NID_sdsiCertificate 159 -#define OBJ_sdsiCertificate OBJ_certTypes, 2L - -#define OBJ_crlTypes OBJ_pkcs9, 23L - -#define LN_x509Crl "x509Crl" -#define NID_x509Crl 160 -#define OBJ_x509Crl OBJ_crlTypes, 1L - -/* PKCS#5 v2 OIDs */ - -#define LN_pbes2 "PBES2" -#define NID_pbes2 161 -#define OBJ_pbes2 OBJ_pkcs,5L,13L - -#define LN_pbmac1 "PBMAC1" -#define NID_pbmac1 162 -#define OBJ_pbmac1 OBJ_pkcs,5L,14L - -#define LN_hmacWithSHA1 "hmacWithSHA1" -#define NID_hmacWithSHA1 163 -#define OBJ_hmacWithSHA1 OBJ_rsadsi,2L,7L - -/* Policy Qualifier Ids */ - -#define LN_id_qt_cps "Policy Qualifier CPS" -#define SN_id_qt_cps "id-qt-cps" -#define NID_id_qt_cps 164 -#define OBJ_id_qt_cps OBJ_id_pkix,2L,1L - -#define LN_id_qt_unotice "Policy Qualifier User Notice" -#define SN_id_qt_unotice "id-qt-unotice" -#define NID_id_qt_unotice 165 -#define OBJ_id_qt_unotice OBJ_id_pkix,2L,2L - -#define SN_rc2_64_cbc "RC2-64-CBC" -#define LN_rc2_64_cbc "rc2-64-cbc" -#define NID_rc2_64_cbc 166 - -#define SN_SMIMECapabilities "SMIME-CAPS" -#define LN_SMIMECapabilities "S/MIME Capabilities" -#define NID_SMIMECapabilities 167 -#define OBJ_SMIMECapabilities OBJ_pkcs9,15L - -#define SN_pbeWithMD2AndRC2_CBC "PBE-MD2-RC2-64" -#define LN_pbeWithMD2AndRC2_CBC "pbeWithMD2AndRC2-CBC" -#define 
NID_pbeWithMD2AndRC2_CBC 168 -#define OBJ_pbeWithMD2AndRC2_CBC OBJ_pkcs,5L,4L - -#define SN_pbeWithMD5AndRC2_CBC "PBE-MD5-RC2-64" -#define LN_pbeWithMD5AndRC2_CBC "pbeWithMD5AndRC2-CBC" -#define NID_pbeWithMD5AndRC2_CBC 169 -#define OBJ_pbeWithMD5AndRC2_CBC OBJ_pkcs,5L,6L - -#define SN_pbeWithSHA1AndDES_CBC "PBE-SHA1-DES" -#define LN_pbeWithSHA1AndDES_CBC "pbeWithSHA1AndDES-CBC" -#define NID_pbeWithSHA1AndDES_CBC 170 -#define OBJ_pbeWithSHA1AndDES_CBC OBJ_pkcs,5L,10L - -/* Extension request OIDs */ - -#define LN_ms_ext_req "Microsoft Extension Request" -#define SN_ms_ext_req "msExtReq" -#define NID_ms_ext_req 171 -#define OBJ_ms_ext_req 1L,3L,6L,1L,4L,1L,311L,2L,1L,14L - -#define LN_ext_req "Extension Request" -#define SN_ext_req "extReq" -#define NID_ext_req 172 -#define OBJ_ext_req OBJ_pkcs9,14L - -#define SN_name "name" -#define LN_name "name" -#define NID_name 173 -#define OBJ_name OBJ_X509,41L - -#define SN_dnQualifier "dnQualifier" -#define LN_dnQualifier "dnQualifier" -#define NID_dnQualifier 174 -#define OBJ_dnQualifier OBJ_X509,46L - -#define SN_id_pe "id-pe" -#define NID_id_pe 175 -#define OBJ_id_pe OBJ_id_pkix,1L - -#define SN_id_ad "id-ad" -#define NID_id_ad 176 -#define OBJ_id_ad OBJ_id_pkix,48L - -#define SN_info_access "authorityInfoAccess" -#define LN_info_access "Authority Information Access" -#define NID_info_access 177 -#define OBJ_info_access OBJ_id_pe,1L - -#define SN_ad_OCSP "OCSP" -#define LN_ad_OCSP "OCSP" -#define NID_ad_OCSP 178 -#define OBJ_ad_OCSP OBJ_id_ad,1L - -#define SN_ad_ca_issuers "caIssuers" -#define LN_ad_ca_issuers "CA Issuers" -#define NID_ad_ca_issuers 179 -#define OBJ_ad_ca_issuers OBJ_id_ad,2L - -#define SN_OCSP_sign "OCSPSigning" -#define LN_OCSP_sign "OCSP Signing" -#define NID_OCSP_sign 180 -#define OBJ_OCSP_sign OBJ_id_kp,9L -#endif /* USE_OBJ_MAC */ +#define SN_ED25519 SN_Ed25519 +#define NID_ED25519 NID_Ed25519 +#define OBJ_ED25519 OBJ_Ed25519 #include #include 
@@ -1038,10 +147,6 @@ extern int obj_cleanup_defer;
 void check_defer(int nid);
 #endif
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
 void ERR_load_OBJ_strings(void);
 /* Error codes for the OBJ functions. */
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index f869f8a..691ee4a 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp.h,v 1.19 2022/01/14 08:32:26 tb Exp $ */
+/* $OpenBSD: ocsp.h,v 1.20 2022/07/12 14:42:49 kn Exp $ */
 /* Written by Tom Titchener for the OpenSSL
  * project. */
@@ -421,10 +421,6 @@ int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE* o, unsigned long flags);
 int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags);
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
 void ERR_load_OCSP_strings(void);
 /* Error codes for the OCSP functions. */
diff --git a/include/openssl/opensslconf.h b/include/openssl/opensslconf.h
index bb71768..748ed8f 100644
--- a/include/openssl/opensslconf.h
+++ b/include/openssl/opensslconf.h
@@ -1,10 +1,6 @@
 #include /* crypto/opensslconf.h.in */
-#if defined(_MSC_VER) && !defined(__attribute__)
-#define __attribute__(a)
-#endif
-
 #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
 #define OPENSSLDIR "/etc/ssl"
 #endif
@@ -62,9 +58,14 @@ /* Should we define BN_DIV2W here? */ /* Only one for the following should be defined */ +/* The prime number generation stuff may not work when + * EIGHT_BIT but I don't care since I've only used this mode + * for debugging the bignum libraries */ #define SIXTY_FOUR_BIT_LONG #undef SIXTY_FOUR_BIT #undef THIRTY_TWO_BIT +#undef SIXTEEN_BIT +#undef EIGHT_BIT #endif #if defined(HEADER_RC4_LOCL_H) && !defined(CONFIG_HEADER_RC4_LOCL_H) @@ -89,7 +90,7 @@ #endif /* This helps C compiler generate the correct code for multiple functional - * units. It reduces register dependancies at the expense of 2 more + * units. It reduces register dependencies at the expense of 2 more * registers */ #ifndef DES_RISC1 #undef DES_RISC1 @@ -104,7 +105,7 @@ YOU SHOULD NOT HAVE BOTH DES_RISC1 AND DES_RISC2 DEFINED!!!!! #endif /* Unroll the inner loop, this sometimes helps, sometimes hinders. - * Very mucy CPU dependant */ + * Very much CPU dependent */ #ifndef DES_UNROLL #define DES_UNROLL #endif diff --git a/include/openssl/opensslfeatures.h b/include/openssl/opensslfeatures.h index 49a5f15..17a4764 100644 --- a/include/openssl/opensslfeatures.h +++ b/include/openssl/opensslfeatures.h @@ -3,12 +3,22 @@ * are enabled, rather than not being able to tell when things are * enabled (or possibly not yet not implemented, or removed!). */ +#define LIBRESSL_HAS_QUIC #define LIBRESSL_HAS_TLS1_3 #define LIBRESSL_HAS_DTLS1_2 +/* + * Used for compatibility with compilers lacking __attribute__ + */ +#if defined(_MSC_VER) && !defined(__clang__) && !defined(__attribute__) +#define __attribute__(a) +#endif + #define OPENSSL_THREADS #define OPENSSL_NO_BUF_FREELISTS +#define OPENSSL_NO_DEPRECATED +#define OPENSSL_NO_EC2M #define OPENSSL_NO_GMP #define OPENSSL_NO_JPAKE #define OPENSSL_NO_KRB5 
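Review bot: The `#define __attribute__(a)` block added to opensslfeatures.h carries no note that its effect is global: this is a public header, so once it is included under MSVC every later `__attribute__` in the consumer's own code and in any third-party header expands to nothing. That was already true of the version removed from opensslconf.h in the previous hunk; what is new is the `!defined(__clang__)` guard, which is the right call for clang-cl, and the move itself. Suggest widening the comment, e.g. `/* Compatibility for compilers lacking __attribute__ (MSVC, not clang-cl). This is a public header: the macro affects every translation unit that includes it. */`. `OPENSSL_NO_DEPRECATED` and `OPENSSL_NO_EC2M` are likewise defined unconditionally without comment, and the rsa.h hunk further down has to re-declare `RSA_generate_key` outside its old `OPENSSL_NO_DEPRECATED` guard as a consequence; a one-line note here that LibreSSL keeps selected deprecated APIs regardless of the macro would make that intent visible where the macro is set.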
@@ -55,7 +65,6 @@ /* #define OPENSSL_NO_DTLS1_METHOD */ #define OPENSSL_NO_DYNAMIC_ENGINE /* #define OPENSSL_NO_EC */ -/* #define OPENSSL_NO_EC2M */ #define OPENSSL_NO_EC_NISTP_64_GCC_128 #define OPENSSL_NO_EGD /* #define OPENSSL_NO_ENGINE */ diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h index 1cafae6..87164d2 100644 --- a/include/openssl/opensslv.h +++ b/include/openssl/opensslv.h @@ -1,11 +1,11 @@ -/* $OpenBSD: opensslv.h,v 1.69 2022/03/15 21:15:08 bcook Exp $ */ +/* $OpenBSD: opensslv.h,v 1.75 2023/04/27 10:43:47 tb Exp $ */ #ifndef HEADER_OPENSSLV_H #define HEADER_OPENSSLV_H /* These will change with each release of LibreSSL-portable */ -#define LIBRESSL_VERSION_NUMBER 0x3050200fL +#define LIBRESSL_VERSION_NUMBER 0x3080000fL /* ^ Patch starts here */ -#define LIBRESSL_VERSION_TEXT "LibreSSL 3.5.2" +#define LIBRESSL_VERSION_TEXT "LibreSSL 3.8.0" /* These will never change */ #define OPENSSL_VERSION_NUMBER 0x20000000L diff --git a/include/openssl/ossl_typ.h b/include/openssl/ossl_typ.h index f4796ba..1d4fcfb 100644 --- a/include/openssl/ossl_typ.h +++ b/include/openssl/ossl_typ.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ossl_typ.h,v 1.21 2022/01/14 08:59:30 tb Exp $ */ +/* $OpenBSD: ossl_typ.h,v 1.25 2023/04/25 18:28:05 tb Exp $ */ /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * @@ -105,7 +105,6 @@ typedef struct bignum_st BIGNUM; typedef struct bignum_ctx BN_CTX; typedef struct bn_blinding_st BN_BLINDING; typedef struct bn_mont_ctx_st BN_MONT_CTX; -typedef struct bn_recp_ctx_st BN_RECP_CTX; typedef struct bn_gencb_st BN_GENCB; typedef struct bio_st BIO; 
@@ -176,17 +175,12 @@ typedef struct engine_st ENGINE; typedef struct ssl_st SSL; typedef struct ssl_ctx_st SSL_CTX; -typedef struct X509_POLICY_NODE_st X509_POLICY_NODE; -typedef struct X509_POLICY_LEVEL_st X509_POLICY_LEVEL; -typedef struct X509_POLICY_TREE_st X509_POLICY_TREE; -typedef struct X509_POLICY_CACHE_st X509_POLICY_CACHE; - typedef struct AUTHORITY_KEYID_st AUTHORITY_KEYID; typedef struct DIST_POINT_st DIST_POINT; typedef struct ISSUING_DIST_POINT_st ISSUING_DIST_POINT; typedef struct NAME_CONSTRAINTS_st NAME_CONSTRAINTS; -/* If placed in pkcs12.h, we end up with a circular depency with pkcs7.h */ +/* If placed in pkcs12.h, we end up with a circular dependency with pkcs7.h */ #define DECLARE_PKCS12_STACK_OF(type) /* Nothing */ #define IMPLEMENT_PKCS12_STACK_OF(type) /* Nothing */ diff --git a/include/openssl/pem.h b/include/openssl/pem.h index 95f1e03..130acbc 100644 --- a/include/openssl/pem.h +++ b/include/openssl/pem.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pem.h,v 1.23 2022/01/14 07:52:24 tb Exp $ */ +/* $OpenBSD: pem.h,v 1.26 2023/04/25 17:51:36 tb Exp $ */ /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -425,8 +425,6 @@ DECLARE_PEM_rw(X509_CRL, X509_CRL) DECLARE_PEM_rw(PKCS7, PKCS7) -DECLARE_PEM_rw(NETSCAPE_CERT_SEQUENCE, NETSCAPE_CERT_SEQUENCE) - DECLARE_PEM_rw(PKCS8, X509_SIG) DECLARE_PEM_rw(PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO) @@ -516,10 +514,6 @@ int i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel, pem_password_cb *cb, #endif -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_PEM_strings(void); /* Error codes for the PEM functions. */ diff --git a/include/openssl/pkcs12.h b/include/openssl/pkcs12.h index 56635f9..44dbb38 100644 --- a/include/openssl/pkcs12.h +++ b/include/openssl/pkcs12.h 
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs12.h,v 1.24 2018/05/30 15:32:11 tb Exp $ */
+/* $OpenBSD: pkcs12.h,v 1.27 2022/09/11 17:30:13 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 1999. */
@@ -96,43 +96,16 @@ extern "C" {
 #define KEY_EX 0x10
 #define KEY_SIG 0x80
-typedef struct {
- X509_SIG *dinfo;
- ASN1_OCTET_STRING *salt;
- ASN1_INTEGER *iter; /* defaults to 1 */
-} PKCS12_MAC_DATA;
+typedef struct PKCS12_MAC_DATA_st PKCS12_MAC_DATA;
-typedef struct {
- ASN1_INTEGER *version;
- PKCS12_MAC_DATA *mac;
- PKCS7 *authsafes;
-} PKCS12;
+typedef struct PKCS12_st PKCS12;
-typedef struct {
- ASN1_OBJECT *type;
- union {
- struct pkcs12_bag_st *bag; /* secret, crl and certbag */
- struct pkcs8_priv_key_info_st *keybag; /* keybag */
- X509_SIG *shkeybag; /* shrouded key bag */
- STACK_OF(PKCS12_SAFEBAG) *safes;
- ASN1_TYPE *other;
- } value;
- STACK_OF(X509_ATTRIBUTE) *attrib;
-} PKCS12_SAFEBAG;
+typedef struct PKCS12_SAFEBAG_st PKCS12_SAFEBAG;
 DECLARE_STACK_OF(PKCS12_SAFEBAG)
 DECLARE_PKCS12_STACK_OF(PKCS12_SAFEBAG)
-typedef struct pkcs12_bag_st {
- ASN1_OBJECT *type;
- union {
- ASN1_OCTET_STRING *x509cert;
- ASN1_OCTET_STRING *x509crl;
- ASN1_OCTET_STRING *octet;
- ASN1_IA5STRING *sdsicert;
- ASN1_TYPE *other; /* Secret or other bag */
- } value;
-} PKCS12_BAGS;
+typedef struct pkcs12_bag_st PKCS12_BAGS;
 #define PKCS12_ERROR 0
 #define PKCS12_OK 1
@@ -155,29 +128,55 @@ typedef struct pkcs12_bag_st {
 #define M_PKCS12_decrypt_skey PKCS12_decrypt_skey
 #define M_PKCS8_decrypt PKCS8_decrypt
-#define M_PKCS12_bag_type(bg) OBJ_obj2nid((bg)->type)
-#define M_PKCS12_cert_bag_type(bg) OBJ_obj2nid((bg)->value.bag->type)
-#define M_PKCS12_crl_bag_type M_PKCS12_cert_bag_type
-
 #endif /* !LIBRESSL_INTERNAL */
-#define PKCS12_get_attr(bag, attr_nid) \
- PKCS12_get_attr_gen(bag->attrib, attr_nid)
+#define M_PKCS12_bag_type PKCS12_bag_type
+#define M_PKCS12_cert_bag_type PKCS12_cert_bag_type
+#define M_PKCS12_crl_bag_type PKCS12_cert_bag_type
-#define PKCS8_get_attr(p8, attr_nid) \
- PKCS12_get_attr_gen(p8->attributes, attr_nid)
+#define PKCS12_bag_type PKCS12_SAFEBAG_get_nid
+#define PKCS12_cert_bag_type PKCS12_SAFEBAG_get_bag_nid
-#define PKCS12_mac_present(p12) ((p12)->mac ? 1 : 0)
+#define PKCS12_certbag2x509 PKCS12_SAFEBAG_get1_cert
+#define PKCS12_certbag2x509crl PKCS12_SAFEBAG_get1_crl
+#define PKCS12_x5092certbag PKCS12_SAFEBAG_create_cert
+#define PKCS12_x509crl2certbag PKCS12_SAFEBAG_create_crl
+#define PKCS12_MAKE_KEYBAG PKCS12_SAFEBAG_create0_p8inf
+#define PKCS12_MAKE_SHKEYBAG PKCS12_SAFEBAG_create_pkcs8_encrypt
-PKCS12_SAFEBAG *PKCS12_x5092certbag(X509 *x509);
-PKCS12_SAFEBAG *PKCS12_x509crl2certbag(X509_CRL *crl);
-X509 *PKCS12_certbag2x509(PKCS12_SAFEBAG *bag);
-X509_CRL *PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag);
+const ASN1_TYPE *PKCS12_SAFEBAG_get0_attr(const PKCS12_SAFEBAG *bag,
+ int attr_nid);
+const STACK_OF(X509_ATTRIBUTE) *
+ PKCS12_SAFEBAG_get0_attrs(const PKCS12_SAFEBAG *bag);
+int PKCS12_SAFEBAG_get_nid(const PKCS12_SAFEBAG *bag);
+int PKCS12_SAFEBAG_get_bag_nid(const PKCS12_SAFEBAG *bag);
+
+X509 *PKCS12_SAFEBAG_get1_cert(const PKCS12_SAFEBAG *bag);
+X509_CRL *PKCS12_SAFEBAG_get1_crl(const PKCS12_SAFEBAG *bag);
+
+ASN1_TYPE *PKCS8_get_attr(PKCS8_PRIV_KEY_INFO *p8, int attr_nid);
+int PKCS12_mac_present(const PKCS12 *p12);
+void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac, const X509_ALGOR
**pmacalg,
+ const ASN1_OCTET_STRING **psalt, const ASN1_INTEGER **piter,
+ const PKCS12 *p12);
+
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_cert(X509 *x509);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_crl(X509_CRL *crl);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_p8inf(PKCS8_PRIV_KEY_INFO *p8);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create0_pkcs8(X509_SIG *p8);
+PKCS12_SAFEBAG *PKCS12_SAFEBAG_create_pkcs8_encrypt(int pbe_nid,
+ const char *pass, int passlen, unsigned char *salt, int saltlen, int iter,
+ PKCS8_PRIV_KEY_INFO *p8);
+
+const PKCS8_PRIV_KEY_INFO *PKCS12_SAFEBAG_get0_p8inf(const PKCS12_SAFEBAG *bag);
+const X509_SIG *PKCS12_SAFEBAG_get0_pkcs8(const PKCS12_SAFEBAG *bag);
+const STACK_OF(PKCS12_SAFEBAG) *
+ PKCS12_SAFEBAG_get0_safes(const PKCS12_SAFEBAG *bag);
+const ASN1_OBJECT *PKCS12_SAFEBAG_get0_type(const PKCS12_SAFEBAG *bag);
 PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1, int nid2);
-PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8);
 PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(const X509_SIG *p8, const char *pass, int passlen);
 PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(const PKCS12_SAFEBAG *bag,
@@ -185,9 +184,6 @@ PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(const PKCS12_SAFEBAG *bag,
 X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass, int passlen, unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8);
-PKCS12_SAFEBAG *PKCS12_MAKE_SHKEYBAG(int pbe_nid, const char *pass,
- int passlen, unsigned char *salt, int saltlen, int iter,
- PKCS8_PRIV_KEY_INFO *p8);
 PKCS7 *PKCS12_pack_p7data(STACK_OF(PKCS12_SAFEBAG) *sk);
 STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7);
 PKCS7 *PKCS12_pack_p7encdata(int pbe_nid, const char *pass, int passlen,
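Review bot: `PKCS12_get_attr` is dropped without a replacement, while every other old name in this hunk (`PKCS12_certbag2x509`, `PKCS12_x5092certbag`, `PKCS12_MAKE_KEYBAG`, `PKCS12_MAKE_SHKEYBAG`, the `M_PKCS12_*` names) is kept as a `#define` onto its new `PKCS12_SAFEBAG_*` accessor; unless it is declared elsewhere in the header, callers get a compile error with nothing pointing them at `PKCS12_SAFEBAG_get0_attr`. If the omission is deliberate, a comment in the alias block saying so would save the search. Separately, the struct removed in the previous hunk carried the only statement that the MAC `iter` field `/* defaults to 1 */`, and `PKCS12_get0_mac` is now the only way to read it; a note on the prototype such as `/* *piter may be NULL when no iteration count is present; PKCS#12 specifies 1 as the default. */` would keep that from being lost, assuming the getter passes the field through unchanged (not visible here).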
@@ -283,10 +279,6 @@ PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12); PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12); int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass); -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_PKCS12_strings(void); /* Error codes for the PKCS12 functions. */ diff --git a/include/openssl/pkcs7.h b/include/openssl/pkcs7.h index cff7c96..196c9b8 100644 --- a/include/openssl/pkcs7.h +++ b/include/openssl/pkcs7.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs7.h,v 1.18 2016/12/27 16:12:47 jsing Exp $ */ +/* $OpenBSD: pkcs7.h,v 1.21 2023/04/25 18:04:03 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -333,7 +333,6 @@ extern const ASN1_ITEM PKCS7_it; extern const ASN1_ITEM PKCS7_ATTR_SIGN_it; extern const ASN1_ITEM PKCS7_ATTR_VERIFY_it; -int i2d_PKCS7_NDEF(PKCS7 *a, unsigned char **out); int PKCS7_print_ctx(BIO *out, PKCS7 *x, int indent, const ASN1_PCTX *pctx); long PKCS7_ctrl(PKCS7 *p7, int cmd, long larg, char *parg); @@ -417,10 +416,6 @@ PKCS7 *SMIME_read_PKCS7(BIO *bio, BIO **bcont); BIO *BIO_new_PKCS7(BIO *out, PKCS7 *p7); -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_PKCS7_strings(void); /* Error codes for the PKCS7 functions. */ diff --git a/include/openssl/rand.h b/include/openssl/rand.h index fcb2e92..a0e9b47 100644 --- a/include/openssl/rand.h +++ b/include/openssl/rand.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rand.h,v 1.22 2014/10/22 14:02:52 jsing Exp $ */ +/* $OpenBSD: rand.h,v 1.23 2022/07/12 14:42:50 kn Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -101,10 +101,6 @@ int RAND_status(void);
 int RAND_poll(void);
 #endif
-/* BEGIN ERROR CODES */
-/* The following lines are auto generated by the script mkerr.pl. Any changes
- * made after this point may be overwritten when the script is next run.
- */
 void ERR_load_RAND_strings(void);
 /* Error codes for the RAND functions. (no longer used) */
diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
index d59fd03..ff88240 100644
--- a/include/openssl/rsa.h
+++ b/include/openssl/rsa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa.h,v 1.55 2022/01/14 08:34:39 tb Exp $ */
+/* $OpenBSD: rsa.h,v 1.64 2023/05/05 12:30:40 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -66,11 +66,10 @@
 #ifndef OPENSSL_NO_BIO
 #include
 #endif
-#include
-#include
-#ifndef OPENSSL_NO_DEPRECATED
 #include
-#endif
+#include
+
+#include
 #ifdef OPENSSL_NO_RSA
 #error RSA is disabled.
@@ -226,6 +225,7 @@ typedef struct rsa_oaep_params_st {
 #define RSA_SSLV23_PADDING 2
 #define RSA_NO_PADDING 3
 #define RSA_PKCS1_OAEP_PADDING 4
+/* rust-openssl and erlang expose this and salt even uses it. */
 #define RSA_X931_PADDING 5
 /* EVP_PKEY_ only */
 #define RSA_PKCS1_PSS_PADDING 6
@@ -240,11 +240,12 @@ RSA *RSA_new_method(ENGINE *engine);
 int RSA_bits(const RSA *rsa);
 int RSA_size(const RSA *rsa);
-/* Deprecated version */
-#ifndef OPENSSL_NO_DEPRECATED
+/*
+ * Wrapped in OPENSSL_NO_DEPRECATED in 0.9.8. Still used for libressl bindings
+ * in rust-openssl.
+ */
 RSA *RSA_generate_key(int bits, unsigned long e, void (*callback)(int, int, void *), void *cb_arg);
-#endif /* !defined(OPENSSL_NO_DEPRECATED) */
 /* New version */
 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e, BN_GENCB *cb);
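Review bot: The replacement comment on `RSA_generate_key` loses the word "Deprecated" from the removed `/* Deprecated version */`, so with the `OPENSSL_NO_DEPRECATED` guard gone the prototype now reads as an ordinary supported API; the visible difference from `RSA_generate_key_ex` (a plain `unsigned long e` and a bare callback instead of a `BIGNUM *` and a `BN_GENCB *`) is what a caller needs to know to pick the `_ex` form. Suggest keeping the status explicit: `/* Deprecated: prefer RSA_generate_key_ex(). Wrapped in OPENSSL_NO_DEPRECATED in 0.9.8; declared unconditionally here because rust-openssl's libressl bindings still use it. */`. Removing the guard rather than the function follows from `OPENSSL_NO_DEPRECATED` now being defined unconditionally in opensslfeatures.h (earlier hunk), which would otherwise have hidden the declaration entirely; stating that in the comment would spare the next reader the cross-reference.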
@@ -348,11 +349,6 @@ int RSA_padding_add_none(unsigned char *to, int tlen, const unsigned char *f, int fl); int RSA_padding_check_none(unsigned char *to, int tlen, const unsigned char *f, int fl, int rsa_len); -int RSA_padding_add_X931(unsigned char *to, int tlen, - const unsigned char *f, int fl); -int RSA_padding_check_X931(unsigned char *to, int tlen, - const unsigned char *f, int fl, int rsa_len); -int RSA_X931_hash_id(int nid); int RSA_verify_PKCS1_PSS(RSA *rsa, const unsigned char *mHash, const EVP_MD *Hash, const unsigned char *EM, int sLen); @@ -372,6 +368,8 @@ int RSA_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, int RSA_set_ex_data(RSA *r, int idx, void *arg); void *RSA_get_ex_data(const RSA *r, int idx); +int RSA_security_bits(const RSA *rsa); + void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d); int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); @@ -473,10 +471,6 @@ int RSA_meth_set_verify(RSA_METHOD *rsa, int (*verify)(int dtype, unsigned int siglen, const RSA *rsa)); -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_RSA_strings(void); /* Error codes for the RSA functions. */ diff --git a/include/openssl/safestack.h b/include/openssl/safestack.h index e1e7e24..c58ebea 100644 --- a/include/openssl/safestack.h +++ b/include/openssl/safestack.h @@ -1,4 +1,4 @@ -/* $OpenBSD: safestack.h,v 1.21 2022/01/14 08:59:30 tb Exp $ */ +/* $OpenBSD: safestack.h,v 1.26 2023/04/25 18:53:42 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * 
@@ -773,6 +773,30 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) #define sk_ESS_CERT_ID_sort(st) SKM_sk_sort(ESS_CERT_ID, (st)) #define sk_ESS_CERT_ID_is_sorted(st) SKM_sk_is_sorted(ESS_CERT_ID, (st)) +#ifdef LIBRESSL_INTERNAL +#define sk_ESS_CERT_ID_V2_new(cmp) SKM_sk_new(ESS_CERT_ID_V2, (cmp)) +#define sk_ESS_CERT_ID_V2_new_null() SKM_sk_new_null(ESS_CERT_ID_V2) +#define sk_ESS_CERT_ID_V2_free(st) SKM_sk_free(ESS_CERT_ID_V2, (st)) +#define sk_ESS_CERT_ID_V2_num(st) SKM_sk_num(ESS_CERT_ID_V2, (st)) +#define sk_ESS_CERT_ID_V2_value(st, i) SKM_sk_value(ESS_CERT_ID_V2, (st), (i)) +#define sk_ESS_CERT_ID_V2_set(st, i, val) SKM_sk_set(ESS_CERT_ID_V2, (st), (i), (val)) +#define sk_ESS_CERT_ID_V2_zero(st) SKM_sk_zero(ESS_CERT_ID_V2, (st)) +#define sk_ESS_CERT_ID_V2_push(st, val) SKM_sk_push(ESS_CERT_ID_V2, (st), (val)) +#define sk_ESS_CERT_ID_V2_unshift(st, val) SKM_sk_unshift(ESS_CERT_ID_V2, (st), (val)) +#define sk_ESS_CERT_ID_V2_find(st, val) SKM_sk_find(ESS_CERT_ID_V2, (st), (val)) +#define sk_ESS_CERT_ID_V2_find_ex(st, val) SKM_sk_find_ex(ESS_CERT_ID_V2, (st), (val)) +#define sk_ESS_CERT_ID_V2_delete(st, i) SKM_sk_delete(ESS_CERT_ID_V2, (st), (i)) +#define sk_ESS_CERT_ID_V2_delete_ptr(st, ptr) SKM_sk_delete_ptr(ESS_CERT_ID_V2, (st), (ptr)) +#define sk_ESS_CERT_ID_V2_insert(st, val, i) SKM_sk_insert(ESS_CERT_ID_V2, (st), (val), (i)) +#define sk_ESS_CERT_ID_V2_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(ESS_CERT_ID_V2, (st), (cmp)) +#define sk_ESS_CERT_ID_V2_dup(st) SKM_sk_dup(ESS_CERT_ID_V2, st) +#define sk_ESS_CERT_ID_V2_pop_free(st, free_func) SKM_sk_pop_free(ESS_CERT_ID_V2, (st), (free_func)) +#define sk_ESS_CERT_ID_V2_shift(st) SKM_sk_shift(ESS_CERT_ID_V2, (st)) +#define sk_ESS_CERT_ID_V2_pop(st) SKM_sk_pop(ESS_CERT_ID_V2, (st)) +#define sk_ESS_CERT_ID_V2_sort(st) SKM_sk_sort(ESS_CERT_ID_V2, (st)) +#define sk_ESS_CERT_ID_V2_is_sorted(st) SKM_sk_is_sorted(ESS_CERT_ID_V2, (st)) +#endif /* LIBRESSL_INTERNAL */ + #define sk_EVP_MD_new(cmp) SKM_sk_new(EVP_MD, (cmp)) 
#define sk_EVP_MD_new_null() SKM_sk_new_null(EVP_MD) #define sk_EVP_MD_free(st) SKM_sk_free(EVP_MD, (st)) @@ -1455,28 +1479,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) #define sk_STORE_OBJECT_sort(st) SKM_sk_sort(STORE_OBJECT, (st)) #define sk_STORE_OBJECT_is_sorted(st) SKM_sk_is_sorted(STORE_OBJECT, (st)) -#define sk_SXNETID_new(cmp) SKM_sk_new(SXNETID, (cmp)) -#define sk_SXNETID_new_null() SKM_sk_new_null(SXNETID) -#define sk_SXNETID_free(st) SKM_sk_free(SXNETID, (st)) -#define sk_SXNETID_num(st) SKM_sk_num(SXNETID, (st)) -#define sk_SXNETID_value(st, i) SKM_sk_value(SXNETID, (st), (i)) -#define sk_SXNETID_set(st, i, val) SKM_sk_set(SXNETID, (st), (i), (val)) -#define sk_SXNETID_zero(st) SKM_sk_zero(SXNETID, (st)) -#define sk_SXNETID_push(st, val) SKM_sk_push(SXNETID, (st), (val)) -#define sk_SXNETID_unshift(st, val) SKM_sk_unshift(SXNETID, (st), (val)) -#define sk_SXNETID_find(st, val) SKM_sk_find(SXNETID, (st), (val)) -#define sk_SXNETID_find_ex(st, val) SKM_sk_find_ex(SXNETID, (st), (val)) -#define sk_SXNETID_delete(st, i) SKM_sk_delete(SXNETID, (st), (i)) -#define sk_SXNETID_delete_ptr(st, ptr) SKM_sk_delete_ptr(SXNETID, (st), (ptr)) -#define sk_SXNETID_insert(st, val, i) SKM_sk_insert(SXNETID, (st), (val), (i)) -#define sk_SXNETID_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(SXNETID, (st), (cmp)) -#define sk_SXNETID_dup(st) SKM_sk_dup(SXNETID, st) -#define sk_SXNETID_pop_free(st, free_func) SKM_sk_pop_free(SXNETID, (st), (free_func)) -#define sk_SXNETID_shift(st) SKM_sk_shift(SXNETID, (st)) -#define sk_SXNETID_pop(st) SKM_sk_pop(SXNETID, (st)) -#define sk_SXNETID_sort(st) SKM_sk_sort(SXNETID, (st)) -#define sk_SXNETID_is_sorted(st) SKM_sk_is_sorted(SXNETID, (st)) - #define sk_UI_STRING_new(cmp) SKM_sk_new(UI_STRING, (cmp)) #define sk_UI_STRING_new_null() SKM_sk_new_null(UI_STRING) #define sk_UI_STRING_free(st) SKM_sk_free(UI_STRING, (st)) 
@@ -1741,50 +1743,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) #define sk_X509_OBJECT_sort(st) SKM_sk_sort(X509_OBJECT, (st)) #define sk_X509_OBJECT_is_sorted(st) SKM_sk_is_sorted(X509_OBJECT, (st)) -#define sk_X509_POLICY_DATA_new(cmp) SKM_sk_new(X509_POLICY_DATA, (cmp)) -#define sk_X509_POLICY_DATA_new_null() SKM_sk_new_null(X509_POLICY_DATA) -#define sk_X509_POLICY_DATA_free(st) SKM_sk_free(X509_POLICY_DATA, (st)) -#define sk_X509_POLICY_DATA_num(st) SKM_sk_num(X509_POLICY_DATA, (st)) -#define sk_X509_POLICY_DATA_value(st, i) SKM_sk_value(X509_POLICY_DATA, (st), (i)) -#define sk_X509_POLICY_DATA_set(st, i, val) SKM_sk_set(X509_POLICY_DATA, (st), (i), (val)) -#define sk_X509_POLICY_DATA_zero(st) SKM_sk_zero(X509_POLICY_DATA, (st)) -#define sk_X509_POLICY_DATA_push(st, val) SKM_sk_push(X509_POLICY_DATA, (st), (val)) -#define sk_X509_POLICY_DATA_unshift(st, val) SKM_sk_unshift(X509_POLICY_DATA, (st), (val)) -#define sk_X509_POLICY_DATA_find(st, val) SKM_sk_find(X509_POLICY_DATA, (st), (val)) -#define sk_X509_POLICY_DATA_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_DATA, (st), (val)) -#define sk_X509_POLICY_DATA_delete(st, i) SKM_sk_delete(X509_POLICY_DATA, (st), (i)) -#define sk_X509_POLICY_DATA_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_DATA, (st), (ptr)) -#define sk_X509_POLICY_DATA_insert(st, val, i) SKM_sk_insert(X509_POLICY_DATA, (st), (val), (i)) -#define sk_X509_POLICY_DATA_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_DATA, (st), (cmp)) -#define sk_X509_POLICY_DATA_dup(st) SKM_sk_dup(X509_POLICY_DATA, st) -#define sk_X509_POLICY_DATA_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_DATA, (st), (free_func)) -#define sk_X509_POLICY_DATA_shift(st) SKM_sk_shift(X509_POLICY_DATA, (st)) -#define sk_X509_POLICY_DATA_pop(st) SKM_sk_pop(X509_POLICY_DATA, (st)) -#define sk_X509_POLICY_DATA_sort(st) SKM_sk_sort(X509_POLICY_DATA, (st)) -#define sk_X509_POLICY_DATA_is_sorted(st) SKM_sk_is_sorted(X509_POLICY_DATA, (st)) - -#define 
sk_X509_POLICY_NODE_new(cmp) SKM_sk_new(X509_POLICY_NODE, (cmp)) -#define sk_X509_POLICY_NODE_new_null() SKM_sk_new_null(X509_POLICY_NODE) -#define sk_X509_POLICY_NODE_free(st) SKM_sk_free(X509_POLICY_NODE, (st)) -#define sk_X509_POLICY_NODE_num(st) SKM_sk_num(X509_POLICY_NODE, (st)) -#define sk_X509_POLICY_NODE_value(st, i) SKM_sk_value(X509_POLICY_NODE, (st), (i)) -#define sk_X509_POLICY_NODE_set(st, i, val) SKM_sk_set(X509_POLICY_NODE, (st), (i), (val)) -#define sk_X509_POLICY_NODE_zero(st) SKM_sk_zero(X509_POLICY_NODE, (st)) -#define sk_X509_POLICY_NODE_push(st, val) SKM_sk_push(X509_POLICY_NODE, (st), (val)) -#define sk_X509_POLICY_NODE_unshift(st, val) SKM_sk_unshift(X509_POLICY_NODE, (st), (val)) -#define sk_X509_POLICY_NODE_find(st, val) SKM_sk_find(X509_POLICY_NODE, (st), (val)) -#define sk_X509_POLICY_NODE_find_ex(st, val) SKM_sk_find_ex(X509_POLICY_NODE, (st), (val)) -#define sk_X509_POLICY_NODE_delete(st, i) SKM_sk_delete(X509_POLICY_NODE, (st), (i)) -#define sk_X509_POLICY_NODE_delete_ptr(st, ptr) SKM_sk_delete_ptr(X509_POLICY_NODE, (st), (ptr)) -#define sk_X509_POLICY_NODE_insert(st, val, i) SKM_sk_insert(X509_POLICY_NODE, (st), (val), (i)) -#define sk_X509_POLICY_NODE_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(X509_POLICY_NODE, (st), (cmp)) -#define sk_X509_POLICY_NODE_dup(st) SKM_sk_dup(X509_POLICY_NODE, st) -#define sk_X509_POLICY_NODE_pop_free(st, free_func) SKM_sk_pop_free(X509_POLICY_NODE, (st), (free_func)) -#define sk_X509_POLICY_NODE_shift(st) SKM_sk_shift(X509_POLICY_NODE, (st)) -#define sk_X509_POLICY_NODE_pop(st) SKM_sk_pop(X509_POLICY_NODE, (st)) -#define sk_X509_POLICY_NODE_sort(st) SKM_sk_sort(X509_POLICY_NODE, (st)) -#define sk_X509_POLICY_NODE_is_sorted(st) SKM_sk_is_sorted(X509_POLICY_NODE, (st)) - #define sk_X509_PURPOSE_new(cmp) SKM_sk_new(X509_PURPOSE, (cmp)) #define sk_X509_PURPOSE_new_null() SKM_sk_new_null(X509_PURPOSE) #define sk_X509_PURPOSE_free(st) SKM_sk_free(X509_PURPOSE, (st)) 
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index e313268..acde94c 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.215 2021/11/01 08:14:36 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.230 2022/12/26 07:31:44 jmc Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -361,6 +361,10 @@ typedef struct ssl_method_st SSL_METHOD;
 typedef struct ssl_cipher_st SSL_CIPHER;
 typedef struct ssl_session_st SSL_SESSION;
+#if defined(LIBRESSL_HAS_QUIC) || defined(LIBRESSL_INTERNAL)
+typedef struct ssl_quic_method_st SSL_QUIC_METHOD;
+#endif
+
 DECLARE_STACK_OF(SSL_CIPHER)
 /* SRTP protection profiles for use with the use_srtp extension (RFC 5764)*/
@@ -823,15 +827,18 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
 /* Offset to get an SSL_R_... value from an SSL_AD_... value. */
 #define SSL_AD_REASON_OFFSET 1000
-#define SSL_ERROR_NONE 0
-#define SSL_ERROR_SSL 1
-#define SSL_ERROR_WANT_READ 2
-#define SSL_ERROR_WANT_WRITE 3
-#define SSL_ERROR_WANT_X509_LOOKUP 4
-#define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */
-#define SSL_ERROR_ZERO_RETURN 6
-#define SSL_ERROR_WANT_CONNECT 7
-#define SSL_ERROR_WANT_ACCEPT 8
+#define SSL_ERROR_NONE 0
+#define SSL_ERROR_SSL 1
+#define SSL_ERROR_WANT_READ 2
+#define SSL_ERROR_WANT_WRITE 3
+#define SSL_ERROR_WANT_X509_LOOKUP 4
+#define SSL_ERROR_SYSCALL 5
+#define SSL_ERROR_ZERO_RETURN 6
+#define SSL_ERROR_WANT_CONNECT 7
+#define SSL_ERROR_WANT_ACCEPT 8
+#define SSL_ERROR_WANT_ASYNC 9
+#define SSL_ERROR_WANT_ASYNC_JOB 10
+#define SSL_ERROR_WANT_CLIENT_HELLO_CB 11
 #define SSL_CTRL_NEED_TMP_RSA 1
 #define SSL_CTRL_SET_TMP_RSA 2
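Review bot: The re-aligned `SSL_ERROR_SYSCALL` line drops the `/* look at error stack/return value/errno */` hint the removed line carried, and it is the one value in this list whose handling is not self-evident (the caller has to consult errno and the I/O return value, not only the error queue); keep the comment on the new line. The three new values `SSL_ERROR_WANT_ASYNC`, `SSL_ERROR_WANT_ASYNC_JOB` and `SSL_ERROR_WANT_CLIENT_HELLO_CB` are added without any comment; if they exist for OpenSSL source compatibility and are never returned here (not visible in this hunk), say so, e.g. `/* OpenSSL compatibility only; not returned by SSL_get_error() in LibreSSL. */`, so callers do not write dead handling branches for them.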
@@ -930,8 +937,8 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x);
 #define SSL_CTRL_SET_GROUPS 91
 #define SSL_CTRL_SET_GROUPS_LIST 92
-
-#define SSL_CTRL_SET_ECDH_AUTO 94
+#define SSL_CTRL_GET_SHARED_GROUP 93
+#define SSL_CTRL_SET_ECDH_AUTO 94
 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL)
 #define SSL_CTRL_GET_PEER_SIGNATURE_NID 108
@@ -1047,6 +1054,10 @@ const SSL_METHOD *SSL_CTX_get_ssl_method(const SSL_CTX *ctx);
 #define SSL_CTX_clear_extra_chain_certs(ctx) \
 SSL_CTX_ctrl(ctx, SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS, 0, NULL)
+#define SSL_get_shared_group(s, n) \
+ SSL_ctrl((s), SSL_CTRL_GET_SHARED_GROUP, (n), NULL)
+#define SSL_get_shared_curve SSL_get_shared_group
+
 #define SSL_get_server_tmp_key(s, pk) \
 SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk)
@@ -1507,10 +1518,289 @@ int SSL_set_session_secret_cb(SSL *s, void SSL_set_debug(SSL *s, int debug); int SSL_cache_hit(SSL *s); -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. +/* What the "other" parameter contains in security callback */ +/* Mask for type */ +#define SSL_SECOP_OTHER_TYPE 0xffff0000 +#define SSL_SECOP_OTHER_NONE 0 +#define SSL_SECOP_OTHER_CIPHER (1 << 16) +#define SSL_SECOP_OTHER_CURVE (2 << 16) +#define SSL_SECOP_OTHER_DH (3 << 16) +#define SSL_SECOP_OTHER_PKEY (4 << 16) +#define SSL_SECOP_OTHER_SIGALG (5 << 16) +#define SSL_SECOP_OTHER_CERT (6 << 16) + +/* Indicated operation refers to peer key or certificate */ +#define SSL_SECOP_PEER 0x1000 + +/* Values for "op" parameter in security callback */ + +/* Called to filter ciphers */ +/* Ciphers client supports */ +#define SSL_SECOP_CIPHER_SUPPORTED (1 | SSL_SECOP_OTHER_CIPHER) +/* Cipher shared by client/server */ +#define SSL_SECOP_CIPHER_SHARED (2 | SSL_SECOP_OTHER_CIPHER) +/* Sanity check of cipher server selects */ +#define SSL_SECOP_CIPHER_CHECK (3 | SSL_SECOP_OTHER_CIPHER) +/* Curves supported by client */ +#define SSL_SECOP_CURVE_SUPPORTED (4 | SSL_SECOP_OTHER_CURVE) +/* Curves shared by client/server */ +#define SSL_SECOP_CURVE_SHARED (5 | SSL_SECOP_OTHER_CURVE) +/* Sanity check of curve server selects */ +#define SSL_SECOP_CURVE_CHECK (6 | SSL_SECOP_OTHER_CURVE) +/* Temporary DH key */ +/* + * XXX: changed in OpenSSL e2b420fdd70 to (7 | SSL_SECOP_OTHER_PKEY) + * Needs switching internal use of DH to EVP_PKEY. The code is not reachable + * from outside the library as long as we do not expose the callback in the API. 
*/ +#define SSL_SECOP_TMP_DH (7 | SSL_SECOP_OTHER_DH) +/* SSL/TLS version */ +#define SSL_SECOP_VERSION (9 | SSL_SECOP_OTHER_NONE) +/* Session tickets */ +#define SSL_SECOP_TICKET (10 | SSL_SECOP_OTHER_NONE) +/* Supported signature algorithms sent to peer */ +#define SSL_SECOP_SIGALG_SUPPORTED (11 | SSL_SECOP_OTHER_SIGALG) +/* Shared signature algorithm */ +#define SSL_SECOP_SIGALG_SHARED (12 | SSL_SECOP_OTHER_SIGALG) +/* Sanity check signature algorithm allowed */ +#define SSL_SECOP_SIGALG_CHECK (13 | SSL_SECOP_OTHER_SIGALG) +/* Used to get mask of supported public key signature algorithms */ +#define SSL_SECOP_SIGALG_MASK (14 | SSL_SECOP_OTHER_SIGALG) +/* Use to see if compression is allowed */ +#define SSL_SECOP_COMPRESSION (15 | SSL_SECOP_OTHER_NONE) +/* EE key in certificate */ +#define SSL_SECOP_EE_KEY (16 | SSL_SECOP_OTHER_CERT) +/* CA key in certificate */ +#define SSL_SECOP_CA_KEY (17 | SSL_SECOP_OTHER_CERT) +/* CA digest algorithm in certificate */ +#define SSL_SECOP_CA_MD (18 | SSL_SECOP_OTHER_CERT) +/* Peer EE key in certificate */ +#define SSL_SECOP_PEER_EE_KEY (SSL_SECOP_EE_KEY | SSL_SECOP_PEER) +/* Peer CA key in certificate */ +#define SSL_SECOP_PEER_CA_KEY (SSL_SECOP_CA_KEY | SSL_SECOP_PEER) +/* Peer CA digest algorithm in certificate */ +#define SSL_SECOP_PEER_CA_MD (SSL_SECOP_CA_MD | SSL_SECOP_PEER) + +void SSL_set_security_level(SSL *ssl, int level); +int SSL_get_security_level(const SSL *ssl); + +void SSL_CTX_set_security_level(SSL_CTX *ctx, int level); +int SSL_CTX_get_security_level(const SSL_CTX *ctx); + +#if defined(LIBRESSL_HAS_QUIC) || defined(LIBRESSL_INTERNAL) +/* + * QUIC integration. + * + * QUIC acts as an underlying transport for the TLS 1.3 handshake. The following + * functions allow a QUIC implementation to serve as the underlying transport as + * described in RFC 9001. + * + * When configured for QUIC, |SSL_do_handshake| will drive the handshake as + * before, but it will not use the configured |BIO|. 
It will call functions on + * |SSL_QUIC_METHOD| to configure secrets and send data. If data is needed from + * the peer, it will return |SSL_ERROR_WANT_READ|. As the caller receives data + * it can decrypt, it calls |SSL_provide_quic_data|. Subsequent + * |SSL_do_handshake| calls will then consume that data and progress the + * handshake. After the handshake is complete, the caller should continue to + * call |SSL_provide_quic_data| for any post-handshake data, followed by + * |SSL_process_quic_post_handshake| to process it. It is an error to call + * |SSL_peek|, |SSL_read| and |SSL_write| in QUIC. + * + * To avoid DoS attacks, the QUIC implementation must limit the amount of data + * being queued up. The implementation can call + * |SSL_quic_max_handshake_flight_len| to get the maximum buffer length at each + * encryption level. + * + * QUIC implementations must additionally configure transport parameters with + * |SSL_set_quic_transport_params|. |SSL_get_peer_quic_transport_params| may be + * used to query the value received from the peer. This extension is handled + * as an opaque byte string, which the caller is responsible for serializing + * and parsing. See RFC 9000 section 7.4 for further details. + */ + +/* + * ssl_encryption_level_t specifies the QUIC encryption level used to transmit + * handshake messages. + */ +typedef enum ssl_encryption_level_t { + ssl_encryption_initial = 0, + ssl_encryption_early_data, + ssl_encryption_handshake, + ssl_encryption_application, +} OSSL_ENCRYPTION_LEVEL; + +/* + * ssl_quic_method_st (aka |SSL_QUIC_METHOD|) describes custom QUIC hooks. + * + * Note that we provide both the new (BoringSSL) secrets interface + * (set_read_secret/set_write_secret) along with the old interface + * (set_encryption_secrets), which quictls is still using. + * + * Since some consumers fail to use named initialisers, the order of these + * functions is important. Hopefully all of these consumers use the old version. 
+ */ +struct ssl_quic_method_st { + /* + * set_encryption_secrets configures the read and write secrets for the + * given encryption level. This function will always be called before an + * encryption level other than |ssl_encryption_initial| is used. + * + * When reading packets at a given level, the QUIC implementation must + * send ACKs at the same level, so this function provides read and write + * secrets together. The exception is |ssl_encryption_early_data|, where + * secrets are only available in the client to server direction. The + * other secret will be NULL. The server acknowledges such data at + * |ssl_encryption_application|, which will be configured in the same + * |SSL_do_handshake| call. + * + * This function should use |SSL_get_current_cipher| to determine the TLS + * cipher suite. + */ + int (*set_encryption_secrets)(SSL *ssl, enum ssl_encryption_level_t level, + const uint8_t *read_secret, const uint8_t *write_secret, + size_t secret_len); + + /* + * add_handshake_data adds handshake data to the current flight at the + * given encryption level. It returns one on success and zero on error. + * Callers should defer writing data to the network until |flush_flight| + * to better pack QUIC packets into transport datagrams. + * + * If |level| is not |ssl_encryption_initial|, this function will not be + * called before |level| is initialized with |set_write_secret|. + */ + int (*add_handshake_data)(SSL *ssl, enum ssl_encryption_level_t level, + const uint8_t *data, size_t len); + + /* + * flush_flight is called when the current flight is complete and should + * be written to the transport. Note a flight may contain data at + * several encryption levels. It returns one on success and zero on + * error. + */ + int (*flush_flight)(SSL *ssl); + + /* + * send_alert sends a fatal alert at the specified encryption level. It + * returns one on success and zero on error. 
+ * + * If |level| is not |ssl_encryption_initial|, this function will not be + * called before |level| is initialized with |set_write_secret|. + */ + int (*send_alert)(SSL *ssl, enum ssl_encryption_level_t level, + uint8_t alert); + + /* + * set_read_secret configures the read secret and cipher suite for the + * given encryption level. It returns one on success and zero to + * terminate the handshake with an error. It will be called at most once + * per encryption level. + * + * Read keys will not be released before QUIC may use them. Once a level + * has been initialized, QUIC may begin processing data from it. + * Handshake data should be passed to |SSL_provide_quic_data| and + * application data (if |level| is |ssl_encryption_early_data| or + * |ssl_encryption_application|) may be processed according to the rules + * of the QUIC protocol. + */ + int (*set_read_secret)(SSL *ssl, enum ssl_encryption_level_t level, + const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len); + + /* + * set_write_secret behaves like |set_read_secret| but configures the + * write secret and cipher suite for the given encryption level. It will + * be called at most once per encryption level. + * + * Write keys will not be released before QUIC may use them. If |level| + * is |ssl_encryption_early_data| or |ssl_encryption_application|, QUIC + * may begin sending application data at |level|. + */ + int (*set_write_secret)(SSL *ssl, enum ssl_encryption_level_t level, + const SSL_CIPHER *cipher, const uint8_t *secret, size_t secret_len); +}; + +/* + * SSL_CTX_set_quic_method configures the QUIC hooks. This should only be + * configured with a minimum version of TLS 1.3. |quic_method| must remain valid + * for the lifetime of |ctx|. It returns one on success and zero on error. + */ +int SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method); + +/* + * SSL_set_quic_method configures the QUIC hooks. 
This should only be + * configured with a minimum version of TLS 1.3. |quic_method| must remain valid + * for the lifetime of |ssl|. It returns one on success and zero on error. + */ +int SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method); + +/* SSL_is_quic returns true if an SSL has been configured for use with QUIC. */ +int SSL_is_quic(const SSL *ssl); + +/* + * SSL_quic_max_handshake_flight_len returns returns the maximum number of bytes + * that may be received at the given encryption level. This function should be + * used to limit buffering in the QUIC implementation. See RFC 9000 section 7.5. + */ +size_t SSL_quic_max_handshake_flight_len(const SSL *ssl, + enum ssl_encryption_level_t level); + +/* + * SSL_quic_read_level returns the current read encryption level. + */ +enum ssl_encryption_level_t SSL_quic_read_level(const SSL *ssl); + +/* + * SSL_quic_write_level returns the current write encryption level. + */ +enum ssl_encryption_level_t SSL_quic_write_level(const SSL *ssl); + +/* + * SSL_provide_quic_data provides data from QUIC at a particular encryption + * level |level|. It returns one on success and zero on error. Note this + * function will return zero if the handshake is not expecting data from |level| + * at this time. The QUIC implementation should then close the connection with + * an error. + */ +int SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level, + const uint8_t *data, size_t len); + +/* + * SSL_process_quic_post_handshake processes any data that QUIC has provided + * after the handshake has completed. This includes NewSessionTicket messages + * sent by the server. It returns one on success and zero on error. + */ +int SSL_process_quic_post_handshake(SSL *ssl); + +/* + * SSL_set_quic_transport_params configures |ssl| to send |params| (of length + * |params_len|) in the quic_transport_parameters extension in either the + * ClientHello or EncryptedExtensions handshake message. 
It is an error to set + * transport parameters if |ssl| is not configured for QUIC. The buffer pointed + * to by |params| only need be valid for the duration of the call to this + * function. This function returns 1 on success and 0 on failure. + */ +int SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params, + size_t params_len); + +/* + * SSL_get_peer_quic_transport_params provides the caller with the value of the + * quic_transport_parameters extension sent by the peer. A pointer to the buffer + * containing the TransportParameters will be put in |*out_params|, and its + * length in |*params_len|. This buffer will be valid for the lifetime of the + * |SSL|. If no params were received from the peer, |*out_params_len| will be 0. + */ +void SSL_get_peer_quic_transport_params(const SSL *ssl, + const uint8_t **out_params, size_t *out_params_len); + +/* + * SSL_set_quic_use_legacy_codepoint configures whether to use the legacy QUIC + * extension codepoint 0xffa5 as opposed to the official value 57. This is + * unsupported in LibreSSL. + */ +void SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy); + +#endif + void ERR_load_SSL_strings(void); /* Error codes for the SSL functions. */ @@ -1787,6 +2077,8 @@ void ERR_load_SSL_strings(void); #define SSL_R_BN_LIB 130 #define SSL_R_CA_DN_LENGTH_MISMATCH 131 #define SSL_R_CA_DN_TOO_LONG 132 +#define SSL_R_CA_KEY_TOO_SMALL 397 +#define SSL_R_CA_MD_TOO_WEAK 398 #define SSL_R_CCS_RECEIVED_EARLY 133 #define SSL_R_CERTIFICATE_VERIFY_FAILED 134 #define SSL_R_CERT_LENGTH_MISMATCH 135 @@ -1808,6 +2100,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_DATA_LENGTH_TOO_LONG 146 #define SSL_R_DECRYPTION_FAILED 147 #define SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC 281 +#define SSL_R_DH_KEY_TOO_SMALL 394 #define SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG 148 #define SSL_R_DIGEST_CHECK_FAILED 149 #define SSL_R_DTLS_MESSAGE_TOO_BIG 334 
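Review bot: SSL_set_quic_use_legacy_codepoint() is declared returning void with a comment that the legacy 0xffa5 codepoint is "unsupported", so a QUIC stack that asks for the draft extension gets no error and silently negotiates with the official value 57 instead (tls1.h in this same change defines only TLSEXT_TYPE_quic_transport_parameters 57), which will fail against a draft-era peer in a way that is hard to diagnose. I would make that explicit: `/* No-op in LibreSSL: the legacy 0xffa5 codepoint is not supported and extension 57 is always used; callers needing draft interop must detect this themselves. */`. Two smaller documentation defects in the same hunk: the SSL_get_peer_quic_transport_params comment refers to `|*params_len|` while the parameter is named `out_params_len`, and the SSL_quic_max_handshake_flight_len comment reads "returns returns". The hunk also declares SSL_set_security_level()/SSL_CTX_set_security_level() with no description of what a level permits; a pointer to where the level table is documented would help, since the table itself is not in this header.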
@@ -1817,6 +2110,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE 322 #define SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE 323 #define SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER 310 +#define SSL_R_EE_KEY_TOO_SMALL 399 #define SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST 354 #define SSL_R_ENCRYPTED_LENGTH_TOO_LONG 150 #define SSL_R_ERROR_GENERATING_TMP_RSA_KEY 282 @@ -2031,6 +2325,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_UNSUPPORTED_SSL_VERSION 259 #define SSL_R_UNSUPPORTED_STATUS_TYPE 329 #define SSL_R_USE_SRTP_NOT_NEGOTIATED 369 +#define SSL_R_VERSION_TOO_LOW 396 #define SSL_R_WRITE_BIO_NOT_SET 260 #define SSL_R_WRONG_CIPHER_RETURNED 261 #define SSL_R_WRONG_CURVE 378 @@ -2044,6 +2339,8 @@ void ERR_load_SSL_strings(void); #define SSL_R_X509_LIB 268 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 #define SSL_R_PEER_BEHAVING_BADLY 666 +#define SSL_R_QUIC_INTERNAL_ERROR 667 +#define SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED 668 #define SSL_R_UNKNOWN 999 /* @@ -2051,7 +2348,7 @@ void ERR_load_SSL_strings(void); */ /* - * These are provided for compatibiliy, but have no effect + * These are provided for compatibility, but have no effect * on how LibreSSL is initialized. */ #define OPENSSL_INIT_LOAD_SSL_STRINGS _OPENSSL_INIT_FLAG_NOOP diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index 547fb86..2bdbd3c 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls1.h,v 1.51 2022/02/05 18:18:18 tb Exp $ */ +/* $OpenBSD: tls1.h,v 1.56 2022/07/17 14:39:09 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -159,6 +159,8 @@ extern "C" { #endif +#define OPENSSL_TLS_SECURITY_LEVEL 1 + #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 #if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) 
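Review bot: `#define OPENSSL_TLS_SECURITY_LEVEL 1` sets the library's default security level without documenting what level 1 permits, and that is the value most deployments will run with. In OpenSSL's scheme level 1 still admits 80-bit security (1024-bit RSA/DH and SHA-1 certificate signatures); whether LibreSSL's table matches I cannot tell from this hunk, though the SSL_R_*_TOO_SMALL and X509_V_ERR_CA_MD_TOO_WEAK codes added elsewhere in this change suggest the same family of checks. I would add above it `/* Default security level (see SSL_CTX_set_security_level); level 1 is a compatibility baseline, not a hardened setting, and may be raised by the application. */` so deployers know the default is not conservative.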
@@ -270,6 +272,11 @@ extern "C" { #define TLSEXT_TYPE_key_share 51 #endif +/* ExtensionType value from RFC 9001 section 8.2 */ +#if defined(LIBRESSL_HAS_QUIC) || defined(LIBRESSL_INTERNAL) +#define TLSEXT_TYPE_quic_transport_parameters 57 +#endif + /* * TLS 1.3 extension names from OpenSSL, where they decided to use a different * name from that given in RFC 8446. diff --git a/include/openssl/ts.h b/include/openssl/ts.h index fa8eb94..6021a30 100644 --- a/include/openssl/ts.h +++ b/include/openssl/ts.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ts.h,v 1.10 2018/05/13 15:35:46 tb Exp $ */ +/* $OpenBSD: ts.h,v 1.21 2023/04/25 17:52:54 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL * project 2002, 2003, 2004. */ 
@@ -93,99 +93,12 @@ extern "C" { #include #include -/* -MessageImprint ::= SEQUENCE { - hashAlgorithm AlgorithmIdentifier, - hashedMessage OCTET STRING } -*/ - -typedef struct TS_msg_imprint_st { - X509_ALGOR *hash_algo; - ASN1_OCTET_STRING *hashed_msg; -} TS_MSG_IMPRINT; - -/* -TimeStampReq ::= SEQUENCE { - version INTEGER { v1(1) }, - messageImprint MessageImprint, - --a hash algorithm OID and the hash value of the data to be - --time-stamped - reqPolicy TSAPolicyId OPTIONAL, - nonce INTEGER OPTIONAL, - certReq BOOLEAN DEFAULT FALSE, - extensions [0] IMPLICIT Extensions OPTIONAL } -*/ - -typedef struct TS_req_st { - ASN1_INTEGER *version; - TS_MSG_IMPRINT *msg_imprint; - ASN1_OBJECT *policy_id; /* OPTIONAL */ - ASN1_INTEGER *nonce; /* OPTIONAL */ - ASN1_BOOLEAN cert_req; /* DEFAULT FALSE */ - STACK_OF(X509_EXTENSION) *extensions; /* [0] OPTIONAL */ -} TS_REQ; - -/* -Accuracy ::= SEQUENCE { - seconds INTEGER OPTIONAL, - millis [0] INTEGER (1..999) OPTIONAL, - micros [1] INTEGER (1..999) OPTIONAL } -*/ - -typedef struct TS_accuracy_st { - ASN1_INTEGER *seconds; - ASN1_INTEGER *millis; - ASN1_INTEGER *micros; -} TS_ACCURACY; - -/* -TSTInfo ::= SEQUENCE { - version INTEGER { v1(1) }, - policy TSAPolicyId, - messageImprint MessageImprint, - -- MUST have the same value as the similar field in - -- TimeStampReq - serialNumber INTEGER, - -- Time-Stamping users MUST be ready to accommodate integers - -- up to 160 bits. - genTime GeneralizedTime, - accuracy Accuracy OPTIONAL, - ordering BOOLEAN DEFAULT FALSE, - nonce INTEGER OPTIONAL, - -- MUST be present if the similar field was present - -- in TimeStampReq. In that case it MUST have the same value. 
- tsa [0] GeneralName OPTIONAL, - extensions [1] IMPLICIT Extensions OPTIONAL } -*/ - -typedef struct TS_tst_info_st { - ASN1_INTEGER *version; - ASN1_OBJECT *policy_id; - TS_MSG_IMPRINT *msg_imprint; - ASN1_INTEGER *serial; - ASN1_GENERALIZEDTIME *time; - TS_ACCURACY *accuracy; - ASN1_BOOLEAN ordering; - ASN1_INTEGER *nonce; - GENERAL_NAME *tsa; - STACK_OF(X509_EXTENSION) *extensions; -} TS_TST_INFO; - -/* -PKIStatusInfo ::= SEQUENCE { - status PKIStatus, - statusString PKIFreeText OPTIONAL, - failInfo PKIFailureInfo OPTIONAL } - -From RFC 1510 - section 3.1.1: -PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String - -- text encoded as UTF-8 String (note: each UTF8String SHOULD - -- include an RFC 1766 language tag to indicate the language - -- of the contained text) -*/ - -/* Possible values for status. See ts_resp_print.c && ts_resp_verify.c. */ +typedef struct TS_msg_imprint_st TS_MSG_IMPRINT; +typedef struct TS_req_st TS_REQ; +typedef struct TS_accuracy_st TS_ACCURACY; +typedef struct TS_tst_info_st TS_TST_INFO; +/* Possible values for status. */ #define TS_STATUS_GRANTED 0 #define TS_STATUS_GRANTED_WITH_MODS 1 #define TS_STATUS_REJECTION 2 @@ -193,8 +106,7 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String #define TS_STATUS_REVOCATION_WARNING 4 #define TS_STATUS_REVOCATION_NOTIFICATION 5 -/* Possible values for failure_info. See ts_resp_print.c && ts_resp_verify.c */ - +/* Possible values for failure_info. */ #define TS_INFO_BAD_ALG 0 #define TS_INFO_BAD_REQUEST 2 #define TS_INFO_BAD_DATA_FORMAT 5 
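Review bot: With the ASN.1 module comments removed and TS_STATUS_INFO made opaque, the replacement comments `/* Possible values for status. */` and `/* Possible values for failure_info. */` no longer say which structure or encoding they belong to, and the old comment was the only in-header statement that failure_info is a BIT STRING whose TS_INFO_* values are bit positions rather than integer codes. I would point at the specification instead: `/* PKIStatus values (RFC 3161, section 2.4.2) */` and `/* PKIFailureInfo bit positions in the failure_info BIT STRING (RFC 3161, section 2.4.2) */`. That distinction matters for anyone switching on the value from the new accessor instead of testing a bit.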
@@ -204,66 +116,21 @@ PKIFreeText ::= SEQUENCE SIZE (1..MAX) OF UTF8String #define TS_INFO_ADD_INFO_NOT_AVAILABLE 17 #define TS_INFO_SYSTEM_FAILURE 25 -typedef struct TS_status_info_st { - ASN1_INTEGER *status; - STACK_OF(ASN1_UTF8STRING) *text; - ASN1_BIT_STRING *failure_info; -} TS_STATUS_INFO; +typedef struct TS_status_info_st TS_STATUS_INFO; DECLARE_STACK_OF(ASN1_UTF8STRING) -/* -TimeStampResp ::= SEQUENCE { - status PKIStatusInfo, - timeStampToken TimeStampToken OPTIONAL } -*/ - -typedef struct TS_resp_st { - TS_STATUS_INFO *status_info; - PKCS7 *token; - TS_TST_INFO *tst_info; -} TS_RESP; - -/* The structure below would belong to the ESS component. */ - -/* -IssuerSerial ::= SEQUENCE { - issuer GeneralNames, - serialNumber CertificateSerialNumber - } -*/ - -typedef struct ESS_issuer_serial { - STACK_OF(GENERAL_NAME) *issuer; - ASN1_INTEGER *serial; -} ESS_ISSUER_SERIAL; - -/* -ESSCertID ::= SEQUENCE { - certHash Hash, - issuerSerial IssuerSerial OPTIONAL -} -*/ - -typedef struct ESS_cert_id { - ASN1_OCTET_STRING *hash; /* Always SHA-1 digest. */ - ESS_ISSUER_SERIAL *issuer_serial; -} ESS_CERT_ID; - +typedef struct ESS_issuer_serial ESS_ISSUER_SERIAL; +typedef struct ESS_cert_id ESS_CERT_ID; DECLARE_STACK_OF(ESS_CERT_ID) +typedef struct ESS_signing_cert ESS_SIGNING_CERT; -/* -SigningCertificate ::= SEQUENCE { - certs SEQUENCE OF ESSCertID, - policies SEQUENCE OF PolicyInformation OPTIONAL -} -*/ +typedef struct ESS_cert_id_v2 ESS_CERT_ID_V2; +DECLARE_STACK_OF(ESS_CERT_ID_V2) -typedef struct ESS_signing_cert { - STACK_OF(ESS_CERT_ID) *cert_ids; - STACK_OF(POLICYINFO) *policy_info; -} ESS_SIGNING_CERT; +typedef struct ESS_signing_cert_v2 ESS_SIGNING_CERT_V2; +typedef struct TS_resp_st TS_RESP; TS_REQ *TS_REQ_new(void); void TS_REQ_free(TS_REQ *a); 
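Review bot: ESS_CERT_ID_V2 and ESS_SIGNING_CERT_V2 are introduced as opaque typedefs with no comment on what they are, while the removed ESS_CERT_ID comment (`Always SHA-1 digest.`) was the one place recording that the V1 attribute is bound to SHA-1. These are presumably the RFC 5035 ESSCertIDv2/SigningCertificateV2 types that carry an explicit hash AlgorithmIdentifier, which is the attribute a verifier should prefer; I would add above the typedefs `/* ESSCertIDv2 / SigningCertificateV2 (RFC 5035): like ESS_CERT_ID but with a caller-chosen digest instead of SHA-1. */`. Whether constructors or accessors for the V2 types are declared is outside this hunk.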
@@ -351,8 +218,6 @@ ESS_SIGNING_CERT *d2i_ESS_SIGNING_CERT(ESS_SIGNING_CERT **a, const unsigned char **pp, long length); ESS_SIGNING_CERT *ESS_SIGNING_CERT_dup(ESS_SIGNING_CERT *a); -void ERR_load_TS_strings(void); - int TS_REQ_set_version(TS_REQ *a, long version); long TS_REQ_get_version(const TS_REQ *a); @@ -389,11 +254,17 @@ void *TS_REQ_get_ext_d2i(TS_REQ *a, int nid, int *crit, int *idx); int TS_REQ_print_bio(BIO *bio, TS_REQ *a); -/* Function declarations for TS_RESP defined in ts/ts_resp_utils.c */ +/* Function declarations for TS_RESP defined in ts/ts_rsp_utils.c */ int TS_RESP_set_status_info(TS_RESP *a, TS_STATUS_INFO *info); TS_STATUS_INFO *TS_RESP_get_status_info(TS_RESP *a); +const ASN1_UTF8STRING *TS_STATUS_INFO_get0_failure_info(const TS_STATUS_INFO *si); +const STACK_OF(ASN1_UTF8STRING) * + TS_STATUS_INFO_get0_text(const TS_STATUS_INFO *si); +const ASN1_INTEGER *TS_STATUS_INFO_get0_status(const TS_STATUS_INFO *si); +int TS_STATUS_INFO_set_status(TS_STATUS_INFO *si, int i); + /* Caller loses ownership of PKCS7 and TS_TST_INFO objects. */ void TS_RESP_set_tst_info(TS_RESP *a, PKCS7 *p7, TS_TST_INFO *tst_info); PKCS7 *TS_RESP_get_token(TS_RESP *a); @@ -447,7 +318,7 @@ X509_EXTENSION *TS_TST_INFO_delete_ext(TS_TST_INFO *a, int loc); int TS_TST_INFO_add_ext(TS_TST_INFO *a, X509_EXTENSION *ex, int loc); void *TS_TST_INFO_get_ext_d2i(TS_TST_INFO *a, int nid, int *crit, int *idx); -/* Declarations related to response generation, defined in ts/ts_resp_sign.c. */ +/* Declarations related to response generation, defined in ts/ts_rsp_sign.c. */ /* Optional flags for response generation. */ 
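Review bot: `TS_STATUS_INFO_get0_failure_info()` is declared to return `const ASN1_UTF8STRING *`, but PKIFailureInfo is a BIT STRING and the TS_status_info_st definition removed elsewhere in this diff stored it as `ASN1_BIT_STRING *failure_info`. A caller that trusts the declaration will pass bit-string data to UTF8-string helpers; if the implementation (not visible here) really hands back the bit string, the line should read `const ASN1_BIT_STRING *TS_STATUS_INFO_get0_failure_info(const TS_STATUS_INFO *si);`. The get0 accessors also deserve one comment stating that the returned pointers are owned by `si` and must not be freed or used after it is released.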
@@ -482,35 +353,7 @@ typedef int (*TS_time_cb)(struct TS_resp_ctx *, void *, time_t *sec, long *usec) */ typedef int (*TS_extension_cb)(struct TS_resp_ctx *, X509_EXTENSION *, void *); -typedef struct TS_resp_ctx { - X509 *signer_cert; - EVP_PKEY *signer_key; - STACK_OF(X509) *certs; /* Certs to include in signed data. */ - STACK_OF(ASN1_OBJECT) *policies; /* Acceptable policies. */ - ASN1_OBJECT *default_policy; /* It may appear in policies, too. */ - STACK_OF(EVP_MD) *mds; /* Acceptable message digests. */ - ASN1_INTEGER *seconds; /* accuracy, 0 means not specified. */ - ASN1_INTEGER *millis; /* accuracy, 0 means not specified. */ - ASN1_INTEGER *micros; /* accuracy, 0 means not specified. */ - unsigned clock_precision_digits; /* fraction of seconds in - time stamp token. */ - unsigned flags; /* Optional info, see values above. */ - - /* Callback functions. */ - TS_serial_cb serial_cb; - void *serial_cb_data; /* User data for serial_cb. */ - - TS_time_cb time_cb; - void *time_cb_data; /* User data for time_cb. */ - - TS_extension_cb extension_cb; - void *extension_cb_data; /* User data for extension_cb. */ - - /* These members are used only while creating the response. */ - TS_REQ *request; - TS_RESP *response; - TS_TST_INFO *tst_info; -} TS_RESP_CTX; +typedef struct TS_resp_ctx TS_RESP_CTX; DECLARE_STACK_OF(EVP_MD) @@ -555,6 +398,9 @@ void TS_RESP_CTX_add_flags(TS_RESP_CTX *ctx, int flags); /* Default callback always returns a constant. */ void TS_RESP_CTX_set_serial_cb(TS_RESP_CTX *ctx, TS_serial_cb cb, void *data); +/* Default callback uses gettimeofday() and gmtime(). */ +void TS_RESP_CTX_set_time_cb(TS_RESP_CTX *ctx, TS_time_cb cb, void *data); + /* Default callback rejects all extensions. The extension callback is called * when the TS_TST_INFO object is already set up and not signed yet. */ /* FIXME: extension handling is not tested yet. */ 
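Review bot: The new comment `/* Default callback uses gettimeofday() and gmtime(). */` on TS_RESP_CTX_set_time_cb documents a hazard without naming it: gmtime() returns a pointer to static storage, so a responder signing from several threads with the default callback could emit a genTime from another thread's call unless the implementation actually uses gmtime_r(). The implementation is not in this hunk, so this needs checking; if it is gmtime_r(), correct the comment, otherwise extend it to `/* Default callback uses gettimeofday() and gmtime(); gmtime() is not thread-safe, so multi-threaded responders should install their own callback. */`. The comment also says nothing about who owns `data` or how long it must stay valid.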
@@ -585,7 +431,7 @@ TS_RESP *TS_RESP_create_response(TS_RESP_CTX *ctx, BIO *req_bio); /* * Declarations related to response verification, - * they are defined in ts/ts_resp_verify.c. + * they are defined in ts/ts_rsp_verify.c. */ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs, @@ -629,32 +475,7 @@ int TS_RESP_verify_signature(PKCS7 *token, STACK_OF(X509) *certs, | TS_VFY_SIGNER \ | TS_VFY_TSA_NAME) -typedef struct TS_verify_ctx { - /* Set this to the union of TS_VFY_... flags you want to carry out. */ - unsigned flags; - - /* Must be set only with TS_VFY_SIGNATURE. certs is optional. */ - X509_STORE *store; - STACK_OF(X509) *certs; - - /* Must be set only with TS_VFY_POLICY. */ - ASN1_OBJECT *policy; - - /* Must be set only with TS_VFY_IMPRINT. If md_alg is NULL, - the algorithm from the response is used. */ - X509_ALGOR *md_alg; - unsigned char *imprint; - unsigned imprint_len; - - /* Must be set only with TS_VFY_DATA. */ - BIO *data; - - /* Must be set only with TS_VFY_TSA_NAME. */ - ASN1_INTEGER *nonce; - - /* Must be set only with TS_VFY_TSA_NAME. */ - GENERAL_NAME *tsa_name; -} TS_VERIFY_CTX; +typedef struct TS_verify_ctx TS_VERIFY_CTX; int TS_RESP_verify_response(TS_VERIFY_CTX *ctx, TS_RESP *response); int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token); 
@@ -666,10 +487,20 @@ int TS_RESP_verify_token(TS_VERIFY_CTX *ctx, PKCS7 *token); /* Set all fields to zero. */ TS_VERIFY_CTX *TS_VERIFY_CTX_new(void); -void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx); void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx); void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx); +int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags); +int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags); +BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *bio); +X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *store); +/* R$ special */ +#define TS_VERIFY_CTS_set_certs TS_VERIFY_CTX_set_certs +STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx, + STACK_OF(X509) *certs); +unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, + unsigned char *imprint, long imprint_len); + /* * If ctx is NULL, it allocates and returns a new object, otherwise * it returns ctx. It initialises all the members as follows: @@ -682,13 +513,13 @@ void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx); * imprint, imprint_len = imprint from request * data = NULL * nonce, nonce_len = nonce from the request or NULL if absent (in this case - * TS_VFY_NONCE is cleared from flags as well) + * TS_VFY_NONCE is cleared from flags as well) * tsa_name = NULL * Important: after calling this method TS_VFY_SIGNATURE should be added! */ TS_VERIFY_CTX *TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx); -/* Function declarations for TS_RESP defined in ts/ts_resp_print.c */ +/* Function declarations for TS_RESP defined in ts/ts_rsp_print.c */ int TS_RESP_print_bio(BIO *bio, TS_RESP *a); int TS_STATUS_INFO_print_bio(BIO *bio, TS_STATUS_INFO *a); 
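Review bot: The TS_VERIFY_CTX setters added here carry no ownership or flag-binding documentation, while the struct definition removed earlier in this diff was what told callers that `store`/`certs` are used only with TS_VFY_SIGNATURE, `imprint` only with TS_VFY_IMPRINT, and so on; with the struct opaque that mapping has to live on the declarations. The return types suggest the OpenSSL convention that the context takes ownership of the pointer passed in and returns it, but nothing says so, and `TS_VERIFY_CTX_set_imprint` accepts a `long imprint_len` for what the old struct stored as `unsigned imprint_len`, so a negative length silently becomes a huge count unless the implementation rejects it. The `/* R$ special */` comment above the TS_VERIFY_CTS_set_certs macro explains nothing; `/* Compatibility alias for the misspelled OpenSSL name. */` would. I would add one block comment above the setters stating the ownership transfer, the TS_VFY_* flag each field is consulted under, and that imprint_len must be non-negative.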
@@ -732,11 +563,6 @@ int TS_CONF_set_tsa_name(CONF *conf, const char *section, TS_RESP_CTX *ctx); int TS_CONF_set_ess_cert_id_chain(CONF *conf, const char *section, TS_RESP_CTX *ctx); -/* -------------------------------------------------- */ -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_TS_strings(void); /* Error codes for the TS functions. */ diff --git a/include/openssl/ui.h b/include/openssl/ui.h index 5ca65b0..c688431 100644 --- a/include/openssl/ui.h +++ b/include/openssl/ui.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ui.h,v 1.12 2020/09/24 19:20:32 tb Exp $ */ +/* $OpenBSD: ui.h,v 1.18 2023/04/18 08:33:43 tb Exp $ */ /* Written by Richard Levitte (richard@levitte.org) for the OpenSSL * project 2001. */ @@ -61,9 +61,7 @@ #include -#ifndef OPENSSL_NO_DEPRECATED #include -#endif #include #include @@ -257,6 +255,7 @@ const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth); /* The method with all the built-in thingies */ UI_METHOD *UI_OpenSSL(void); +const UI_METHOD *UI_null(void); /* * ---------- For method writers ---------- @@ -273,7 +272,7 @@ UI_METHOD *UI_OpenSSL(void); * display a dialog box after it has been built. * a reader This function is called to read a given prompt, * maybe from the tty, maybe from a field in a - * window. Note that it's called wth all string + * window. Note that it's called with all string * structures, not only the prompt ones, so it must * check such things itself. * a closer This function closes the session, maybe by closing 
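Review bot: `const UI_METHOD *UI_null(void);` is added with no comment, and a null UI method has a security-relevant effect: installed as the passphrase UI it suppresses every prompt, so encrypted keys cannot be unlocked interactively and callers must supply passphrases programmatically or expect the load to fail. I am inferring the semantics from the name and from OpenSSL's function of the same name; if that is what it does, I would add `/* A UI_METHOD that performs no I/O: nothing is displayed and reads return no input. Use it in non-interactive processes instead of letting UI_OpenSSL() block on a tty. */` above the declaration.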
@@ -371,11 +370,6 @@ int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt, int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, int verify); -/* BEGIN ERROR CODES */ -/* - * The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_UI_strings(void); /* Error codes for the UI functions. */ diff --git a/include/openssl/ui_compat.h b/include/openssl/ui_compat.h index 860e80c..6484bf6 100644 --- a/include/openssl/ui_compat.h +++ b/include/openssl/ui_compat.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ui_compat.h,v 1.4 2014/06/12 15:49:31 deraadt Exp $ */ +/* $OpenBSD: ui_compat.h,v 1.5 2022/12/23 02:20:28 jsing Exp $ */ /* Written by Richard Levitte (richard@levitte.org) for the OpenSSL * project 2001. */ @@ -62,22 +62,4 @@ #include #include -#ifdef __cplusplus -extern "C" { -#endif - -/* The following functions were previously part of the DES section, - and are provided here for backward compatibility reasons. */ - -#define des_read_pw_string(b,l,p,v) \ - _ossl_old_des_read_pw_string((b),(l),(p),(v)) -#define des_read_pw(b,bf,s,p,v) \ - _ossl_old_des_read_pw((b),(bf),(s),(p),(v)) - -int _ossl_old_des_read_pw_string(char *buf, int length, const char *prompt, int verify); -int _ossl_old_des_read_pw(char *buf, char *buff, int size, const char *prompt, int verify); - -#ifdef __cplusplus -} -#endif #endif diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 05872e1..d371886 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.h,v 1.89 2022/01/10 14:13:03 tb Exp $ */ +/* $OpenBSD: x509.h,v 1.100 2023/04/25 18:57:57 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -66,46 +66,40 @@ #include -#ifndef OPENSSL_NO_BUFFER -#include -#endif -#ifndef OPENSSL_NO_EVP -#include -#endif +#include #ifndef OPENSSL_NO_BIO #include #endif -#include -#include -#include - -#ifndef OPENSSL_NO_EC -#include -#endif - -#ifndef OPENSSL_NO_ECDSA -#include -#endif - -#ifndef OPENSSL_NO_ECDH -#include -#endif - -#ifndef OPENSSL_NO_DEPRECATED -#ifndef OPENSSL_NO_RSA -#include -#endif -#ifndef OPENSSL_NO_DSA -#include +#ifndef OPENSSL_NO_BUFFER +#include #endif #ifndef OPENSSL_NO_DH #include #endif +#ifndef OPENSSL_NO_DSA +#include +#endif +#ifndef OPENSSL_NO_EC +#include +#endif +#ifndef OPENSSL_NO_ECDSA +#include +#endif +#ifndef OPENSSL_NO_ECDH +#include +#endif +#ifndef OPENSSL_NO_EVP +#include +#endif +#ifndef OPENSSL_NO_RSA +#include #endif - #ifndef OPENSSL_NO_SHA #include #endif +#include +#include + #include #ifdef __cplusplus @@ -353,13 +347,6 @@ typedef struct Netscape_spki_st { ASN1_BIT_STRING *signature; } NETSCAPE_SPKI; -/* Netscape certificate sequence structure */ -typedef struct Netscape_certificate_sequence { - ASN1_OBJECT *type; - STACK_OF(X509) *certs; -} NETSCAPE_CERT_SEQUENCE; - - /* Password based encryption structure */ typedef struct PBEPARAM_st { @@ -413,6 +400,8 @@ STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl); void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, const X509_ALGOR **palg); +const X509_ALGOR *X509_CRL_get0_tbs_sigalg(const X509_CRL *crl); + int X509_REQ_get_signature_nid(const X509_REQ *req); void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig, 
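Review bot: `X509_CRL_get0_tbs_sigalg()` is declared without a comment, and its relationship to `X509_CRL_get0_signature()` two lines above is exactly what a verifier needs to know: one returns the signatureAlgorithm inside the TBSCertList, the other the outer one, and RFC 5280 section 5.1.1.2 requires the two to be identical. I would add `/* Returns the TBSCertList signature AlgorithmIdentifier (owned by crl); RFC 5280 5.1.1.2 requires it to match the outer algorithm from X509_CRL_get0_signature(). */`. The owned-by-crl part is inferred from the get0 naming convention; the implementation is not in this hunk.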
@@ -754,11 +743,6 @@ void NETSCAPE_SPKAC_free(NETSCAPE_SPKAC *a); NETSCAPE_SPKAC *d2i_NETSCAPE_SPKAC(NETSCAPE_SPKAC **a, const unsigned char **in, long len); int i2d_NETSCAPE_SPKAC(NETSCAPE_SPKAC *a, unsigned char **out); extern const ASN1_ITEM NETSCAPE_SPKAC_it; -NETSCAPE_CERT_SEQUENCE *NETSCAPE_CERT_SEQUENCE_new(void); -void NETSCAPE_CERT_SEQUENCE_free(NETSCAPE_CERT_SEQUENCE *a); -NETSCAPE_CERT_SEQUENCE *d2i_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE **a, const unsigned char **in, long len); -int i2d_NETSCAPE_CERT_SEQUENCE(NETSCAPE_CERT_SEQUENCE *a, unsigned char **out); -extern const ASN1_ITEM NETSCAPE_CERT_SEQUENCE_it; #ifndef OPENSSL_NO_EVP X509_INFO * X509_INFO_new(void); @@ -780,6 +764,8 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it, #endif const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x); +void X509_get0_uids(const X509 *x, const ASN1_BIT_STRING **piuid, + const ASN1_BIT_STRING **psuid); const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x); int X509_set_version(X509 *x, long version); long X509_get_version(const X509 *x); @@ -906,7 +892,7 @@ int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, int X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf,int len); -/* NOTE: you should be passsing -1, not 0 as lastpos. The functions that use +/* NOTE: you should be passing -1, not 0 as lastpos. The functions that use * lastpos, search after that position on. */ int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, int lastpos); @@ -1136,10 +1122,6 @@ int X509_TRUST_get_trust(const X509_TRUST *xp); int X509_up_ref(X509 *x); STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain); -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_X509_strings(void); /* Error codes for the X509 functions. */ 
@@ -1200,6 +1182,7 @@ void ERR_load_X509_strings(void); #define X509_R_INVALID_DIRECTORY 113 #define X509_R_INVALID_FIELD_NAME 119 #define X509_R_INVALID_TRUST 123 +#define X509_R_INVALID_VERSION 137 #define X509_R_KEY_TYPE_MISMATCH 115 #define X509_R_KEY_VALUES_MISMATCH 116 #define X509_R_LOADING_CERT_DIR 103 diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index 9a649cb..202cf74 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.h,v 1.50 2022/01/14 07:53:45 tb Exp $ */ +/* $OpenBSD: x509_vfy.h,v 1.63 2023/04/28 16:50:16 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -205,10 +205,15 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); /* Issuer lookup error */ #define X509_V_ERR_STORE_LOOKUP 66 +/* Security level errors */ +#define X509_V_ERR_EE_KEY_TOO_SMALL 67 +#define X509_V_ERR_CA_KEY_TOO_SMALL 68 +#define X509_V_ERR_CA_MD_TOO_WEAK 69 + /* Certificate verify flags */ -/* Send issuer+subject checks to verify_cb */ -#define X509_V_FLAG_CB_ISSUER_CHECK 0x1 +/* Deprecated in 1.1.0, has no effect. Various FFI bindings still expose it. */ +#define X509_V_FLAG_CB_ISSUER_CHECK 0x0 /* Use check time instead of current time */ #define X509_V_FLAG_USE_CHECK_TIME 0x2 /* Lookup CRLs */ @@ -221,7 +226,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_V_FLAG_X509_STRICT 0x20 /* Enable proxy certificate validation */ #define X509_V_FLAG_ALLOW_PROXY_CERTS 0x40 -/* Enable policy checking */ +/* Does nothing as its functionality has been enabled by default */ #define X509_V_FLAG_POLICY_CHECK 0x80 /* Policy variable require-explicit-policy */ #define X509_V_FLAG_EXPLICIT_POLICY 0x100 
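Review bot: Redefining `X509_V_FLAG_CB_ISSUER_CHECK` as 0x0 silently changes behaviour for callers that test `flags & X509_V_FLAG_CB_ISSUER_CHECK` (now never true) or set it expecting issuer/subject mismatches to reach verify_cb; nothing in the hunk tells them the check is gone rather than merely deprecated. The comment should make that explicit: `/* Deprecated in 1.1.0, has no effect: the value is 0, so setting or testing it is a no-op. Various FFI bindings still expose it. */`. The new `X509_V_ERR_EE_KEY_TOO_SMALL`, `X509_V_ERR_CA_KEY_TOO_SMALL` and `X509_V_ERR_CA_MD_TOO_WEAK` codes would also benefit from a one-line pointer to what produces them, presumably the level configured through `X509_VERIFY_PARAM_set_auth_level` added later in this file, and the error-string table behind `X509_verify_cert_error_string()` needs matching entries, which cannot be checked from the header.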
@@ -250,7 +255,7 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); /* Do not check certificate or CRL validity against current time. */ #define X509_V_FLAG_NO_CHECK_TIME 0x200000 -/* Force the use of the legacy certificate verifcation */ +/* Force the use of the legacy certificate verification */ #define X509_V_FLAG_LEGACY_VERIFY 0x400000 #define X509_VP_FLAG_DEFAULT 0x1 @@ -259,7 +264,10 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); #define X509_VP_FLAG_LOCKED 0x8 #define X509_VP_FLAG_ONCE 0x10 -/* Internal use: mask of policy related options */ +/* + * Obsolete internal use: mask of policy related options. + * This should really go away. + */ #define X509_V_FLAG_POLICY_MASK (X509_V_FLAG_POLICY_CHECK \ | X509_V_FLAG_EXPLICIT_POLICY \ | X509_V_FLAG_INHIBIT_ANY \ @@ -280,8 +288,10 @@ X509_CRL *X509_OBJECT_get0_X509_CRL(X509_OBJECT *xo); X509_STORE *X509_STORE_new(void); void X509_STORE_free(X509_STORE *v); int X509_STORE_up_ref(X509_STORE *x); -STACK_OF(X509) *X509_STORE_get1_certs(X509_STORE_CTX *st, X509_NAME *nm); -STACK_OF(X509_CRL) *X509_STORE_get1_crls(X509_STORE_CTX *st, X509_NAME *nm); +#define X509_STORE_get1_certs X509_STORE_CTX_get1_certs +#define X509_STORE_get1_crls X509_STORE_CTX_get1_crls +STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *st, X509_NAME *nm); +STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *st, X509_NAME *nm); STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *xs); void *X509_STORE_get_ex_data(X509_STORE *xs, int idx); int X509_STORE_set_ex_data(X509_STORE *xs, int idx, void *data); 
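Review bot: Turning `X509_STORE_get1_certs` and `X509_STORE_get1_crls` into macros for the `X509_STORE_CTX_*` names removes the old identifiers as declared functions, so anything that takes their address, declares them itself, or resolves them by name at run time (the FFI bindings this same commit mentions elsewhere) breaks unless the library still exports the old symbols, which this header cannot show. If the old symbols are kept as exported wrappers, say so next to the macros, e.g. `/* Old names kept as macros; the symbols are still exported for ABI compatibility */`; if they are not, this is an ABI break that the change description should call out explicitly.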
@@ -305,6 +315,15 @@ void X509_STORE_set_verify_cb(X509_STORE *ctx, #define X509_STORE_set_verify_cb_func(ctx, func) \ X509_STORE_set_verify_cb((ctx), (func)) +typedef int (*X509_STORE_CTX_check_issued_fn)(X509_STORE_CTX *ctx, + X509 *subject, X509 *issuer); + +X509_STORE_CTX_check_issued_fn X509_STORE_get_check_issued(X509_STORE *store); +void X509_STORE_set_check_issued(X509_STORE *store, + X509_STORE_CTX_check_issued_fn check_issued); +X509_STORE_CTX_check_issued_fn + X509_STORE_CTX_get_check_issued(X509_STORE_CTX *ctx); + X509_STORE_CTX *X509_STORE_CTX_new(void); int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); @@ -402,8 +421,6 @@ X509_STORE_CTX_verify_fn X509_STORE_get_verify(X509_STORE *ctx); #define X509_STORE_set_verify_func(ctx, func) \ X509_STORE_set_verify((ctx), (func)) -X509_POLICY_TREE *X509_STORE_CTX_get0_policy_tree(X509_STORE_CTX *ctx); -int X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx); int X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx); X509_VERIFY_PARAM *X509_STORE_CTX_get0_param(X509_STORE_CTX *ctx); @@ -426,6 +443,8 @@ unsigned long X509_VERIFY_PARAM_get_flags(X509_VERIFY_PARAM *param); int X509_VERIFY_PARAM_set_purpose(X509_VERIFY_PARAM *param, int purpose); int X509_VERIFY_PARAM_set_trust(X509_VERIFY_PARAM *param, int trust); void X509_VERIFY_PARAM_set_depth(X509_VERIFY_PARAM *param, int depth); +void X509_VERIFY_PARAM_set_auth_level(X509_VERIFY_PARAM *param, int auth_level); +time_t X509_VERIFY_PARAM_get_time(const X509_VERIFY_PARAM *param); void X509_VERIFY_PARAM_set_time(X509_VERIFY_PARAM *param, time_t t); int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param, ASN1_OBJECT *policy); 
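Review bot: `X509_STORE_set_check_issued` lets an application replace the issuer check used during chain building, but the header documents neither the callback's return contract nor that a permissive callback bypasses the matching the default performs when choosing an issuer. Suggest a comment above the typedef such as `/* Return 1 if issuer issued subject, 0 otherwise. Replacing the default check changes which certificates are accepted as issuers during chain building. */`, with the 1/0 convention (the OpenSSL one) confirmed against the implementation, which is not visible here. The store-level getter `X509_STORE_get_check_issued` and the context getter are present, so the accessor set itself looks complete.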
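Review bot: `X509_VERIFY_PARAM_set_auth_level` is added with no statement of the level scale and no getter, so a caller cannot tell whether 0 disables the checks or what a given level enforces, nor read back what a shared param currently holds. A comment such as `/* Minimum security level enforced on keys and digests in the chain; see X509_V_ERR_EE_KEY_TOO_SMALL and related codes */` would tie it to the error codes added earlier in this file; if it follows OpenSSL's 0–5 scale, say so. A matching `X509_VERIFY_PARAM_get_auth_level` would keep symmetry with the `X509_VERIFY_PARAM_get_time` getter introduced in the same hunk.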
@@ -452,36 +471,7 @@ int X509_VERIFY_PARAM_add0_table(X509_VERIFY_PARAM *param); const X509_VERIFY_PARAM *X509_VERIFY_PARAM_lookup(const char *name); void X509_VERIFY_PARAM_table_cleanup(void); -int X509_policy_check(X509_POLICY_TREE **ptree, int *pexplicit_policy, - STACK_OF(X509) *certs, - STACK_OF(ASN1_OBJECT) *policy_oids, - unsigned int flags); - -void X509_policy_tree_free(X509_POLICY_TREE *tree); - -int X509_policy_tree_level_count(const X509_POLICY_TREE *tree); -X509_POLICY_LEVEL * - X509_policy_tree_get0_level(const X509_POLICY_TREE *tree, int i); - -STACK_OF(X509_POLICY_NODE) * - X509_policy_tree_get0_policies(const X509_POLICY_TREE *tree); - -STACK_OF(X509_POLICY_NODE) * - X509_policy_tree_get0_user_policies(const X509_POLICY_TREE *tree); - -int X509_policy_level_node_count(X509_POLICY_LEVEL *level); - -X509_POLICY_NODE *X509_policy_level_get0_node(X509_POLICY_LEVEL *level, int i); - -const ASN1_OBJECT *X509_policy_node_get0_policy(const X509_POLICY_NODE *node); - -STACK_OF(POLICYQUALINFO) * - X509_policy_node_get0_qualifiers(const X509_POLICY_NODE *node); -const X509_POLICY_NODE * - X509_policy_node_get0_parent(const X509_POLICY_NODE *node); - #ifdef __cplusplus } #endif #endif - diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h index c82ecae..74dbf8d 100644 --- a/include/openssl/x509v3.h +++ b/include/openssl/x509v3.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509v3.h,v 1.14 2022/01/14 09:01:36 tb Exp $ */ +/* $OpenBSD: x509v3.h,v 1.24 2023/04/25 19:01:01 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -10,7 +10,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in 
@@ -95,49 +95,49 @@ typedef void * (*X509V3_EXT_R2I)(const struct v3_ext_method *method, /* V3 extension structure */ struct v3_ext_method { -int ext_nid; -int ext_flags; -/* If this is set the following four fields are ignored */ -ASN1_ITEM_EXP *it; -/* Old style ASN1 calls */ -X509V3_EXT_NEW ext_new; -X509V3_EXT_FREE ext_free; -X509V3_EXT_D2I d2i; -X509V3_EXT_I2D i2d; + int ext_nid; + int ext_flags; + /* If this is set the following four fields are ignored */ + ASN1_ITEM_EXP *it; + /* Old style ASN1 calls */ + X509V3_EXT_NEW ext_new; + X509V3_EXT_FREE ext_free; + X509V3_EXT_D2I d2i; + X509V3_EXT_I2D i2d; -/* The following pair is used for string extensions */ -X509V3_EXT_I2S i2s; -X509V3_EXT_S2I s2i; + /* The following pair is used for string extensions */ + X509V3_EXT_I2S i2s; + X509V3_EXT_S2I s2i; -/* The following pair is used for multi-valued extensions */ -X509V3_EXT_I2V i2v; -X509V3_EXT_V2I v2i; + /* The following pair is used for multi-valued extensions */ + X509V3_EXT_I2V i2v; + X509V3_EXT_V2I v2i; -/* The following are used for raw extensions */ -X509V3_EXT_I2R i2r; -X509V3_EXT_R2I r2i; + /* The following are used for raw extensions */ + X509V3_EXT_I2R i2r; + X509V3_EXT_R2I r2i; -void *usr_data; /* Any extension specific data */ + void *usr_data; /* Any extension specific data */ }; typedef struct X509V3_CONF_METHOD_st { -char *(*get_string)(void *db, const char *section, const char *value); -STACK_OF(CONF_VALUE) *(*get_section)(void *db, const char *section); -void (*free_string)(void *db, char *string); -void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section); + char *(*get_string)(void *db, const char *section, const char *value); + STACK_OF(CONF_VALUE) *(*get_section)(void *db, const char *section); + void (*free_string)(void *db, char *string); + void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section); } X509V3_CONF_METHOD; /* Context specific info */ struct v3_ext_ctx { -#define CTX_TEST 0x1 -int flags; -X509 *issuer_cert; -X509 
*subject_cert; -X509_REQ *subject_req; -X509_CRL *crl; -X509V3_CONF_METHOD *db_meth; -void *db; -/* Maybe more here */ + #define CTX_TEST 0x1 + int flags; + X509 *issuer_cert; + X509 *subject_cert; + X509_REQ *subject_req; + X509_CRL *crl; + X509V3_CONF_METHOD *db_meth; + void *db; + /* Maybe more here */ }; typedef struct v3_ext_method X509V3_EXT_METHOD; @@ -152,19 +152,19 @@ DECLARE_STACK_OF(X509V3_EXT_METHOD) typedef BIT_STRING_BITNAME ENUMERATED_NAMES; typedef struct BASIC_CONSTRAINTS_st { -int ca; -ASN1_INTEGER *pathlen; + int ca; + ASN1_INTEGER *pathlen; } BASIC_CONSTRAINTS; typedef struct PKEY_USAGE_PERIOD_st { -ASN1_GENERALIZEDTIME *notBefore; -ASN1_GENERALIZEDTIME *notAfter; + ASN1_GENERALIZEDTIME *notBefore; + ASN1_GENERALIZEDTIME *notAfter; } PKEY_USAGE_PERIOD; typedef struct otherName_st { -ASN1_OBJECT *type_id; -ASN1_TYPE *value; + ASN1_OBJECT *type_id; + ASN1_TYPE *value; } OTHERNAME; typedef struct EDIPartyName_st { 
@@ -174,36 +174,35 @@ typedef struct EDIPartyName_st { typedef struct GENERAL_NAME_st { -#define GEN_OTHERNAME 0 -#define GEN_EMAIL 1 -#define GEN_DNS 2 -#define GEN_X400 3 -#define GEN_DIRNAME 4 -#define GEN_EDIPARTY 5 -#define GEN_URI 6 -#define GEN_IPADD 7 -#define GEN_RID 8 + #define GEN_OTHERNAME 0 + #define GEN_EMAIL 1 + #define GEN_DNS 2 + #define GEN_X400 3 + #define GEN_DIRNAME 4 + #define GEN_EDIPARTY 5 + #define GEN_URI 6 + #define GEN_IPADD 7 + #define GEN_RID 8 -int type; -union { - char *ptr; - OTHERNAME *otherName; /* otherName */ - ASN1_IA5STRING *rfc822Name; - ASN1_IA5STRING *dNSName; - ASN1_TYPE *x400Address; - X509_NAME *directoryName; - EDIPARTYNAME *ediPartyName; - ASN1_IA5STRING *uniformResourceIdentifier; - ASN1_OCTET_STRING *iPAddress; - ASN1_OBJECT *registeredID; + int type; + union { + char *ptr; + OTHERNAME *otherName; /* otherName */ + ASN1_IA5STRING *rfc822Name; + ASN1_IA5STRING *dNSName; + ASN1_STRING *x400Address; + X509_NAME *directoryName; + EDIPARTYNAME *ediPartyName; + ASN1_IA5STRING *uniformResourceIdentifier; + ASN1_OCTET_STRING *iPAddress; + ASN1_OBJECT *registeredID; - /* Old names */ - ASN1_OCTET_STRING *ip; /* iPAddress */ - X509_NAME *dirn; /* dirn */ - ASN1_IA5STRING *ia5;/* rfc822Name, dNSName, uniformResourceIdentifier */ - ASN1_OBJECT *rid; /* registeredID */ - ASN1_TYPE *other; /* x400Address */ -} d; + /* Old names */ + ASN1_OCTET_STRING *ip; /* iPAddress */ + X509_NAME *dirn; /* dirn */ + ASN1_IA5STRING *ia5; /* rfc822Name, dNSName, uniformResourceIdentifier */ + ASN1_OBJECT *rid; /* registeredID */ + } d; } GENERAL_NAME; typedef struct ACCESS_DESCRIPTION_st { 
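Review bot: Changing `x400Address` from `ASN1_TYPE *` to `ASN1_STRING *` and dropping the `other` alias is a type-level correction (the member is presumably decoded as an ASN1_STRING and was never an ASN1_TYPE), but the hunk leaves no trace of why, and a reader diffing against older headers may reintroduce the alias. Add a comment on the member, e.g. `ASN1_STRING *x400Address; /* decoded as ASN1_STRING, never an ASN1_TYPE */`, and confirm that every consumer of `d.x400Address` and the former `d.other` in the library (GENERAL_NAME_cmp and the printing paths, not visible here) now compiles against the new type instead of casting. Since every union member is a pointer the struct layout is unchanged, so this is a source-level change only.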
@@ -223,13 +222,13 @@ DECLARE_STACK_OF(GENERAL_NAMES) DECLARE_STACK_OF(ACCESS_DESCRIPTION) typedef struct DIST_POINT_NAME_st { -int type; -union { - GENERAL_NAMES *fullname; - STACK_OF(X509_NAME_ENTRY) *relativename; -} name; -/* If relativename then this contains the full distribution point name */ -X509_NAME *dpname; + int type; + union { + GENERAL_NAMES *fullname; + STACK_OF(X509_NAME_ENTRY) *relativename; + } name; + /* If relativename then this contains the full distribution point name */ + X509_NAME *dpname; } DIST_POINT_NAME; /* All existing reasons */ #define CRLDP_ALL_REASONS 0x807f @@ -247,10 +246,10 @@ X509_NAME *dpname; #define CRL_REASON_AA_COMPROMISE 10 struct DIST_POINT_st { -DIST_POINT_NAME *distpoint; -ASN1_BIT_STRING *reasons; -GENERAL_NAMES *CRLissuer; -int dp_reasons; + DIST_POINT_NAME *distpoint; + ASN1_BIT_STRING *reasons; + GENERAL_NAMES *CRLissuer; + int dp_reasons; }; typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS; @@ -258,25 +257,11 @@ typedef STACK_OF(DIST_POINT) CRL_DIST_POINTS; DECLARE_STACK_OF(DIST_POINT) struct AUTHORITY_KEYID_st { -ASN1_OCTET_STRING *keyid; -GENERAL_NAMES *issuer; -ASN1_INTEGER *serial; + ASN1_OCTET_STRING *keyid; + GENERAL_NAMES *issuer; + ASN1_INTEGER *serial; }; -/* Strong extranet structures */ - -typedef struct SXNET_ID_st { - ASN1_INTEGER *zone; - ASN1_OCTET_STRING *user; -} SXNETID; - -DECLARE_STACK_OF(SXNETID) - -typedef struct SXNET_st { - ASN1_INTEGER *version; - STACK_OF(SXNETID) *ids; -} SXNET; - typedef struct NOTICEREF_st { ASN1_STRING *organization; STACK_OF(ASN1_INTEGER) *noticenos; 
@@ -334,39 +319,14 @@ typedef struct POLICY_CONSTRAINTS_st { ASN1_INTEGER *inhibitPolicyMapping; } POLICY_CONSTRAINTS; -/* Proxy certificate structures, see RFC 3820 */ -typedef struct PROXY_POLICY_st - { - ASN1_OBJECT *policyLanguage; - ASN1_OCTET_STRING *policy; - } PROXY_POLICY; - -typedef struct PROXY_CERT_INFO_EXTENSION_st - { - ASN1_INTEGER *pcPathLengthConstraint; - PROXY_POLICY *proxyPolicy; - } PROXY_CERT_INFO_EXTENSION; - -PROXY_POLICY *PROXY_POLICY_new(void); -void PROXY_POLICY_free(PROXY_POLICY *a); -PROXY_POLICY *d2i_PROXY_POLICY(PROXY_POLICY **a, const unsigned char **in, long len); -int i2d_PROXY_POLICY(PROXY_POLICY *a, unsigned char **out); -extern const ASN1_ITEM PROXY_POLICY_it; -PROXY_CERT_INFO_EXTENSION *PROXY_CERT_INFO_EXTENSION_new(void); -void PROXY_CERT_INFO_EXTENSION_free(PROXY_CERT_INFO_EXTENSION *a); -PROXY_CERT_INFO_EXTENSION *d2i_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION **a, const unsigned char **in, long len); -int i2d_PROXY_CERT_INFO_EXTENSION(PROXY_CERT_INFO_EXTENSION *a, unsigned char **out); -extern const ASN1_ITEM PROXY_CERT_INFO_EXTENSION_it; - -struct ISSUING_DIST_POINT_st - { +struct ISSUING_DIST_POINT_st { DIST_POINT_NAME *distpoint; int onlyuser; int onlyCA; ASN1_BIT_STRING *onlysomereasons; int indirectCRL; int onlyattr; - }; +}; /* Values in idp_flags field */ /* IDP present */ @@ -423,7 +383,9 @@ struct ISSUING_DIST_POINT_st #define EXFLAG_INVALID 0x0080 #define EXFLAG_SET 0x0100 #define EXFLAG_CRITICAL 0x0200 +#if !defined(LIBRESSL_INTERNAL) #define EXFLAG_PROXY 0x0400 +#endif #define EXFLAG_INVALID_POLICY 0x0800 #define EXFLAG_FRESHEST 0x1000 #define EXFLAG_SS 0x2000 /* Self signed. */ 
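Review bot: `EXFLAG_PROXY` is hidden from internal builds while the `PROXY_POLICY` and `PROXY_CERT_INFO_EXTENSION` declarations are removed in the preceding hunk, yet `X509_V_FLAG_ALLOW_PROXY_CERTS` in x509_vfy.h (visible as context earlier in this commit) keeps its comment "Enable proxy certificate validation"; if the flag no longer does anything it deserves the same treatment this commit gives `X509_V_FLAG_CB_ISSUER_CHECK`, stating that it has no effect. The guarded define would also be clearer with a reason: `#define EXFLAG_PROXY 0x0400 /* proxy certificates presumably no longer recognised; kept for source compatibility only */`. Whether the library still sets the bit anywhere cannot be determined from this header.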
@@ -515,28 +477,6 @@ BASIC_CONSTRAINTS *d2i_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS **a, const unsigned c int i2d_BASIC_CONSTRAINTS(BASIC_CONSTRAINTS *a, unsigned char **out); extern const ASN1_ITEM BASIC_CONSTRAINTS_it; -SXNET *SXNET_new(void); -void SXNET_free(SXNET *a); -SXNET *d2i_SXNET(SXNET **a, const unsigned char **in, long len); -int i2d_SXNET(SXNET *a, unsigned char **out); -extern const ASN1_ITEM SXNET_it; -SXNETID *SXNETID_new(void); -void SXNETID_free(SXNETID *a); -SXNETID *d2i_SXNETID(SXNETID **a, const unsigned char **in, long len); -int i2d_SXNETID(SXNETID *a, unsigned char **out); -extern const ASN1_ITEM SXNETID_it; - -int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, - int userlen); -int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user, - int userlen); -int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, const char *user, - int userlen); - -ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, const char *zone); -ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone); -ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone); - AUTHORITY_KEYID *AUTHORITY_KEYID_new(void); void AUTHORITY_KEYID_free(AUTHORITY_KEYID *a); AUTHORITY_KEYID *d2i_AUTHORITY_KEYID(AUTHORITY_KEYID **a, const unsigned char **in, long len); @@ -594,7 +534,7 @@ void GENERAL_NAME_set0_value(GENERAL_NAME *a, int type, void *value); void *GENERAL_NAME_get0_value(GENERAL_NAME *a, int *ptype); int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, ASN1_OBJECT *oid, ASN1_TYPE *value); -int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, +int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, ASN1_OBJECT **poid, ASN1_TYPE **pvalue); char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, 
@@ -843,9 +783,6 @@ int a2i_ipadd(unsigned char *ipout, const char *ipasc); int X509V3_NAME_from_section(X509_NAME *nm, STACK_OF(CONF_VALUE)*dn_sk, unsigned long chtype); -void X509_POLICY_NODE_print(BIO *out, X509_POLICY_NODE *node, int indent); -DECLARE_STACK_OF(X509_POLICY_NODE) - #ifndef OPENSSL_NO_RFC3779 typedef struct ASRange_st { ASN1_INTEGER *min; @@ -1036,10 +973,6 @@ int X509v3_addr_validate_resource_set(STACK_OF(X509) *chain, IPAddrBlocks *ext, #endif /* !OPENSSL_NO_RFC3779 */ -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ void ERR_load_X509V3_strings(void); /* Error codes for the X509V3 functions. */ diff --git a/ltmain.sh b/ltmain.sh deleted file mode 100644 index 5d29bd6..0000000 --- a/ltmain.sh +++ /dev/null 
@@ -1,9630 +0,0 @@ - -# libtool (GNU libtool) 2.4.2 -# Written by Gordon Matzigkeit , 1996 - -# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, -# 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc. -# This is free software; see the source for copying conditions. There is NO -# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. - -# GNU Libtool is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# As a special exception to the GNU General Public License, -# if you distribute this file as part of a program or library that -# is built using GNU Libtool, you may include this file under the -# same distribution terms that you use for the rest of that program. -# -# GNU Libtool is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with GNU Libtool; see the file COPYING. If not, a copy -# can be downloaded from http://www.gnu.org/licenses/gpl.html, -# or obtained by writing to the Free Software Foundation, Inc., -# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. - -# Usage: $progname [OPTION]... [MODE-ARG]... -# -# Provide generalized library-building support services. 
-# -# --config show all configuration variables -# --debug enable verbose shell tracing -# -n, --dry-run display commands without modifying any files -# --features display basic configuration information and exit -# --mode=MODE use operation mode MODE -# --preserve-dup-deps don't remove duplicate dependency libraries -# --quiet, --silent don't print informational messages -# --no-quiet, --no-silent -# print informational messages (default) -# --no-warn don't display warning messages -# --tag=TAG use configuration variables from tag TAG -# -v, --verbose print more informational messages than default -# --no-verbose don't print the extra informational messages -# --version print version information -# -h, --help, --help-all print short, long, or detailed help message -# -# MODE must be one of the following: -# -# clean remove files from the build directory -# compile compile a source file into a libtool object -# execute automatically set library path, then run a program -# finish complete the installation of libtool libraries -# install install libraries or executables -# link create a library or an executable -# uninstall remove libraries from an installed directory -# -# MODE-ARGS vary depending on the MODE. When passed as first option, -# `--mode=MODE' may be abbreviated as `MODE' or a unique abbreviation of that. -# Try `$progname --help --mode=MODE' for a more detailed description of MODE. -# -# When reporting a bug, please describe a test case to reproduce it and -# include the following information: -# -# host-triplet: $host -# shell: $SHELL -# compiler: $LTCC -# compiler flags: $LTCFLAGS -# linker: $LD (gnu? $with_gnu_ld) -# $progname: (GNU libtool) 2.4.2 -# automake: $automake_version -# autoconf: $autoconf_version -# -# Report bugs to . -# GNU libtool home page: . -# General help using GNU software: . 
- -PROGRAM=libtool -PACKAGE=libtool -VERSION=2.4.2 -TIMESTAMP="" -package_revision=1.3337 - -# Be Bourne compatible -if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then - emulate sh - NULLCMD=: - # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which - # is contrary to our usage. Disable this feature. - alias -g '${1+"$@"}'='"$@"' - setopt NO_GLOB_SUBST -else - case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac -fi -BIN_SH=xpg4; export BIN_SH # for Tru64 -DUALCASE=1; export DUALCASE # for MKS sh - -# A function that is used when there is no print builtin or printf. -func_fallback_echo () -{ - eval 'cat <<_LTECHO_EOF -$1 -_LTECHO_EOF' -} - -# NLS nuisances: We save the old values to restore during execute mode. -lt_user_locale= -lt_safe_locale= -for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES -do - eval "if test \"\${$lt_var+set}\" = set; then - save_$lt_var=\$$lt_var - $lt_var=C - export $lt_var - lt_user_locale=\"$lt_var=\\\$save_\$lt_var; \$lt_user_locale\" - lt_safe_locale=\"$lt_var=C; \$lt_safe_locale\" - fi" -done -LC_ALL=C -LANGUAGE=C -export LANGUAGE LC_ALL - -$lt_unset CDPATH - - -# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh -# is ksh but when the shell is invoked as "sh" and the current value of -# the _XPG environment variable is not equal to 1 (one), the special -# positional parameter $0, within a function call, is the name of the -# function. -progpath="$0" - - - -: ${CP="cp -f"} -test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'} -: ${MAKE="make"} -: ${MKDIR="mkdir"} -: ${MV="mv -f"} -: ${RM="rm -f"} -: ${SHELL="${CONFIG_SHELL-/bin/sh}"} -: ${Xsed="$SED -e 1s/^X//"} - -# Global variables: -EXIT_SUCCESS=0 -EXIT_FAILURE=1 -EXIT_MISMATCH=63 # $? = 63 is used to indicate version mismatch to missing. -EXIT_SKIP=77 # $? = 77 is used to indicate a skipped test to automake. 
- -exit_status=$EXIT_SUCCESS - -# Make sure IFS has a sensible default -lt_nl=' -' -IFS=" $lt_nl" - -dirname="s,/[^/]*$,," -basename="s,^.*/,," - -# func_dirname file append nondir_replacement -# Compute the dirname of FILE. If nonempty, add APPEND to the result, -# otherwise set result to NONDIR_REPLACEMENT. -func_dirname () -{ - func_dirname_result=`$ECHO "${1}" | $SED "$dirname"` - if test "X$func_dirname_result" = "X${1}"; then - func_dirname_result="${3}" - else - func_dirname_result="$func_dirname_result${2}" - fi -} # func_dirname may be replaced by extended shell implementation - - -# func_basename file -func_basename () -{ - func_basename_result=`$ECHO "${1}" | $SED "$basename"` -} # func_basename may be replaced by extended shell implementation - - -# func_dirname_and_basename file append nondir_replacement -# perform func_basename and func_dirname in a single function -# call: -# dirname: Compute the dirname of FILE. If nonempty, -# add APPEND to the result, otherwise set result -# to NONDIR_REPLACEMENT. -# value returned in "$func_dirname_result" -# basename: Compute filename of FILE. -# value retuned in "$func_basename_result" -# Implementation must be kept synchronized with func_dirname -# and func_basename. For efficiency, we do not delegate to -# those functions but instead duplicate the functionality here. -func_dirname_and_basename () -{ - # Extract subdirectory from the argument. - func_dirname_result=`$ECHO "${1}" | $SED -e "$dirname"` - if test "X$func_dirname_result" = "X${1}"; then - func_dirname_result="${3}" - else - func_dirname_result="$func_dirname_result${2}" - fi - func_basename_result=`$ECHO "${1}" | $SED -e "$basename"` -} # func_dirname_and_basename may be replaced by extended shell implementation - - -# func_stripname prefix suffix name -# strip PREFIX and SUFFIX off of NAME. 
-# PREFIX and SUFFIX must not contain globbing or regex special -# characters, hashes, percent signs, but SUFFIX may contain a leading -# dot (in which case that matches only a dot). -# func_strip_suffix prefix name -func_stripname () -{ - case ${2} in - .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;; - *) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;; - esac -} # func_stripname may be replaced by extended shell implementation - - -# These SED scripts presuppose an absolute path with a trailing slash. -pathcar='s,^/\([^/]*\).*$,\1,' -pathcdr='s,^/[^/]*,,' -removedotparts=':dotsl - s@/\./@/@g - t dotsl - s,/\.$,/,' -collapseslashes='s@/\{1,\}@/@g' -finalslash='s,/*$,/,' - -# func_normal_abspath PATH -# Remove doubled-up and trailing slashes, "." path components, -# and cancel out any ".." path components in PATH after making -# it an absolute path. -# value returned in "$func_normal_abspath_result" -func_normal_abspath () -{ - # Start from root dir and reassemble the path. - func_normal_abspath_result= - func_normal_abspath_tpath=$1 - func_normal_abspath_altnamespace= - case $func_normal_abspath_tpath in - "") - # Empty path, that just means $cwd. - func_stripname '' '/' "`pwd`" - func_normal_abspath_result=$func_stripname_result - return - ;; - # The next three entries are used to spot a run of precisely - # two leading slashes without using negated character classes; - # we take advantage of case's first-match behaviour. - ///*) - # Unusual form of absolute path, do nothing. - ;; - //*) - # Not necessarily an ordinary path; POSIX reserves leading '//' - # and for example Cygwin uses it to access remote file shares - # over CIFS/SMB, so we conserve a leading double slash if found. - func_normal_abspath_altnamespace=/ - ;; - /*) - # Absolute path, do nothing. - ;; - *) - # Relative path, prepend $cwd. 
- func_normal_abspath_tpath=`pwd`/$func_normal_abspath_tpath - ;; - esac - # Cancel out all the simple stuff to save iterations. We also want - # the path to end with a slash for ease of parsing, so make sure - # there is one (and only one) here. - func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \ - -e "$removedotparts" -e "$collapseslashes" -e "$finalslash"` - while :; do - # Processed it all yet? - if test "$func_normal_abspath_tpath" = / ; then - # If we ascended to the root using ".." the result may be empty now. - if test -z "$func_normal_abspath_result" ; then - func_normal_abspath_result=/ - fi - break - fi - func_normal_abspath_tcomponent=`$ECHO "$func_normal_abspath_tpath" | $SED \ - -e "$pathcar"` - func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \ - -e "$pathcdr"` - # Figure out what to do with it - case $func_normal_abspath_tcomponent in - "") - # Trailing empty path component, ignore it. - ;; - ..) - # Parent dir; strip last assembled component from result. - func_dirname "$func_normal_abspath_result" - func_normal_abspath_result=$func_dirname_result - ;; - *) - # Actual path component, append it. - func_normal_abspath_result=$func_normal_abspath_result/$func_normal_abspath_tcomponent - ;; - esac - done - # Restore leading double-slash if one was found on entry. - func_normal_abspath_result=$func_normal_abspath_altnamespace$func_normal_abspath_result -} - -# func_relative_path SRCDIR DSTDIR -# generates a relative path from SRCDIR to DSTDIR, with a trailing -# slash if non-empty, suitable for immediately appending a filename -# without needing to append a separator. 
-# value returned in "$func_relative_path_result" -func_relative_path () -{ - func_relative_path_result= - func_normal_abspath "$1" - func_relative_path_tlibdir=$func_normal_abspath_result - func_normal_abspath "$2" - func_relative_path_tbindir=$func_normal_abspath_result - - # Ascend the tree starting from libdir - while :; do - # check if we have found a prefix of bindir - case $func_relative_path_tbindir in - $func_relative_path_tlibdir) - # found an exact match - func_relative_path_tcancelled= - break - ;; - $func_relative_path_tlibdir*) - # found a matching prefix - func_stripname "$func_relative_path_tlibdir" '' "$func_relative_path_tbindir" - func_relative_path_tcancelled=$func_stripname_result - if test -z "$func_relative_path_result"; then - func_relative_path_result=. - fi - break - ;; - *) - func_dirname $func_relative_path_tlibdir - func_relative_path_tlibdir=${func_dirname_result} - if test "x$func_relative_path_tlibdir" = x ; then - # Have to descend all the way to the root! - func_relative_path_result=../$func_relative_path_result - func_relative_path_tcancelled=$func_relative_path_tbindir - break - fi - func_relative_path_result=../$func_relative_path_result - ;; - esac - done - - # Now calculate path; take care to avoid doubling-up slashes. - func_stripname '' '/' "$func_relative_path_result" - func_relative_path_result=$func_stripname_result - func_stripname '/' '/' "$func_relative_path_tcancelled" - if test "x$func_stripname_result" != x ; then - func_relative_path_result=${func_relative_path_result}/${func_stripname_result} - fi - - # Normalisation. If bindir is libdir, return empty string, - # else relative path ending with a slash; either way, target - # file name can be directly appended. - if test ! 
-z "$func_relative_path_result"; then - func_stripname './' '' "$func_relative_path_result/" - func_relative_path_result=$func_stripname_result - fi -} - -# The name of this program: -func_dirname_and_basename "$progpath" -progname=$func_basename_result - -# Make sure we have an absolute path for reexecution: -case $progpath in - [\\/]*|[A-Za-z]:\\*) ;; - *[\\/]*) - progdir=$func_dirname_result - progdir=`cd "$progdir" && pwd` - progpath="$progdir/$progname" - ;; - *) - save_IFS="$IFS" - IFS=${PATH_SEPARATOR-:} - for progdir in $PATH; do - IFS="$save_IFS" - test -x "$progdir/$progname" && break - done - IFS="$save_IFS" - test -n "$progdir" || progdir=`pwd` - progpath="$progdir/$progname" - ;; -esac - -# Sed substitution that helps us do robust quoting. It backslashifies -# metacharacters that are still active within double-quoted strings. -Xsed="${SED}"' -e 1s/^X//' -sed_quote_subst='s/\([`"$\\]\)/\\\1/g' - -# Same as above, but do not quote variable references. -double_quote_subst='s/\(["`\\]\)/\\\1/g' - -# Sed substitution that turns a string into a regex matching for the -# string literally. -sed_make_literal_regex='s,[].[^$\\*\/],\\&,g' - -# Sed substitution that converts a w32 file name or path -# which contains forward slashes, into one that contains -# (escaped) backslashes. A very naive implementation. -lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g' - -# Re-`\' parameter expansions in output of double_quote_subst that were -# `\'-ed in input to the same. If an odd number of `\' preceded a '$' -# in input to double_quote_subst, that '$' was protected from expansion. -# Since each input `\' is now two `\'s, look for any number of runs of -# four `\'s followed by two `\'s and then a '$'. `\' that '$'. 
-bs='\\' -bs2='\\\\' -bs4='\\\\\\\\' -dollar='\$' -sed_double_backslash="\ - s/$bs4/&\\ -/g - s/^$bs2$dollar/$bs&/ - s/\\([^$bs]\\)$bs2$dollar/\\1$bs2$bs$dollar/g - s/\n//g" - -# Standard options: -opt_dry_run=false -opt_help=false -opt_quiet=false -opt_verbose=false -opt_warning=: - -# func_echo arg... -# Echo program name prefixed message, along with the current mode -# name if it has been set yet. -func_echo () -{ - $ECHO "$progname: ${opt_mode+$opt_mode: }$*" -} - -# func_verbose arg... -# Echo program name prefixed message in verbose mode only. -func_verbose () -{ - $opt_verbose && func_echo ${1+"$@"} - - # A bug in bash halts the script if the last line of a function - # fails when set -e is in force, so we need another command to - # work around that: - : -} - -# func_echo_all arg... -# Invoke $ECHO with all args, space-separated. -func_echo_all () -{ - $ECHO "$*" -} - -# func_error arg... -# Echo program name prefixed message to standard error. -func_error () -{ - $ECHO "$progname: ${opt_mode+$opt_mode: }"${1+"$@"} 1>&2 -} - -# func_warning arg... -# Echo program name prefixed warning message to standard error. -func_warning () -{ - $opt_warning && $ECHO "$progname: ${opt_mode+$opt_mode: }warning: "${1+"$@"} 1>&2 - - # bash bug again: - : -} - -# func_fatal_error arg... -# Echo program name prefixed message to standard error, and exit. -func_fatal_error () -{ - func_error ${1+"$@"} - exit $EXIT_FAILURE -} - -# func_fatal_help arg... -# Echo program name prefixed message to standard error, followed by -# a help hint, and exit. -func_fatal_help () -{ - func_error ${1+"$@"} - func_fatal_error "$help" -} -help="Try \`$progname --help' for more information." ## default - - -# func_grep expression filename -# Check whether EXPRESSION matches any line of FILENAME, without output. -func_grep () -{ - $GREP "$1" "$2" >/dev/null 2>&1 -} - - -# func_mkdir_p directory-path -# Make sure the entire path to DIRECTORY-PATH is available. 
-func_mkdir_p () -{ - my_directory_path="$1" - my_dir_list= - - if test -n "$my_directory_path" && test "$opt_dry_run" != ":"; then - - # Protect directory names starting with `-' - case $my_directory_path in - -*) my_directory_path="./$my_directory_path" ;; - esac - - # While some portion of DIR does not yet exist... - while test ! -d "$my_directory_path"; do - # ...make a list in topmost first order. Use a colon delimited - # list incase some portion of path contains whitespace. - my_dir_list="$my_directory_path:$my_dir_list" - - # If the last portion added has no slash in it, the list is done - case $my_directory_path in */*) ;; *) break ;; esac - - # ...otherwise throw away the child directory and loop - my_directory_path=`$ECHO "$my_directory_path" | $SED -e "$dirname"` - done - my_dir_list=`$ECHO "$my_dir_list" | $SED 's,:*$,,'` - - save_mkdir_p_IFS="$IFS"; IFS=':' - for my_dir in $my_dir_list; do - IFS="$save_mkdir_p_IFS" - # mkdir can fail with a `File exist' error if two processes - # try to create one of the directories concurrently. Don't - # stop in that case! - $MKDIR "$my_dir" 2>/dev/null || : - done - IFS="$save_mkdir_p_IFS" - - # Bail out if we (or some other process) failed to create a directory. - test -d "$my_directory_path" || \ - func_fatal_error "Failed to create \`$1'" - fi -} - - -# func_mktempdir [string] -# Make a temporary directory that won't clash with other running -# libtool processes, and avoids race conditions if possible. If -# given, STRING is the basename for that directory. -func_mktempdir () -{ - my_template="${TMPDIR-/tmp}/${1-$progname}" - - if test "$opt_dry_run" = ":"; then - # Return a directory name, but don't create it in dry-run mode - my_tmpdir="${my_template}-$$" - else - - # If mktemp works, use that first and foremost - my_tmpdir=`mktemp -d "${my_template}-XXXXXXXX" 2>/dev/null` - - if test ! 
-d "$my_tmpdir"; then - # Failing that, at least try and use $RANDOM to avoid a race - my_tmpdir="${my_template}-${RANDOM-0}$$" - - save_mktempdir_umask=`umask` - umask 0077 - $MKDIR "$my_tmpdir" - umask $save_mktempdir_umask - fi - - # If we're not in dry-run mode, bomb out on failure - test -d "$my_tmpdir" || \ - func_fatal_error "cannot create temporary directory \`$my_tmpdir'" - fi - - $ECHO "$my_tmpdir" -} - - -# func_quote_for_eval arg -# Aesthetically quote ARG to be evaled later. -# This function returns two values: FUNC_QUOTE_FOR_EVAL_RESULT -# is double-quoted, suitable for a subsequent eval, whereas -# FUNC_QUOTE_FOR_EVAL_UNQUOTED_RESULT has merely all characters -# which are still active within double quotes backslashified. -func_quote_for_eval () -{ - case $1 in - *[\\\`\"\$]*) - func_quote_for_eval_unquoted_result=`$ECHO "$1" | $SED "$sed_quote_subst"` ;; - *) - func_quote_for_eval_unquoted_result="$1" ;; - esac - - case $func_quote_for_eval_unquoted_result in - # Double-quote args containing shell metacharacters to delay - # word splitting, command substitution and and variable - # expansion for a subsequent eval. - # Many Bourne shells cannot handle close brackets correctly - # in scan sets, so we specify it separately. - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - func_quote_for_eval_result="\"$func_quote_for_eval_unquoted_result\"" - ;; - *) - func_quote_for_eval_result="$func_quote_for_eval_unquoted_result" - esac -} - - -# func_quote_for_expand arg -# Aesthetically quote ARG to be evaled later; same as above, -# but do not quote variable references. -func_quote_for_expand () -{ - case $1 in - *[\\\`\"]*) - my_arg=`$ECHO "$1" | $SED \ - -e "$double_quote_subst" -e "$sed_double_backslash"` ;; - *) - my_arg="$1" ;; - esac - - case $my_arg in - # Double-quote args containing shell metacharacters to delay - # word splitting and command substitution for a subsequent eval. 
- # Many Bourne shells cannot handle close brackets correctly - # in scan sets, so we specify it separately. - *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"") - my_arg="\"$my_arg\"" - ;; - esac - - func_quote_for_expand_result="$my_arg" -} - - -# func_show_eval cmd [fail_exp] -# Unless opt_silent is true, then output CMD. Then, if opt_dryrun is -# not true, evaluate CMD. If the evaluation of CMD fails, and FAIL_EXP -# is given, then evaluate it. -func_show_eval () -{ - my_cmd="$1" - my_fail_exp="${2-:}" - - ${opt_silent-false} || { - func_quote_for_expand "$my_cmd" - eval "func_echo $func_quote_for_expand_result" - } - - if ${opt_dry_run-false}; then :; else - eval "$my_cmd" - my_status=$? - if test "$my_status" -eq 0; then :; else - eval "(exit $my_status); $my_fail_exp" - fi - fi -} - - -# func_show_eval_locale cmd [fail_exp] -# Unless opt_silent is true, then output CMD. Then, if opt_dryrun is -# not true, evaluate CMD. If the evaluation of CMD fails, and FAIL_EXP -# is given, then evaluate it. Use the saved locale for evaluation. -func_show_eval_locale () -{ - my_cmd="$1" - my_fail_exp="${2-:}" - - ${opt_silent-false} || { - func_quote_for_expand "$my_cmd" - eval "func_echo $func_quote_for_expand_result" - } - - if ${opt_dry_run-false}; then :; else - eval "$lt_user_locale - $my_cmd" - my_status=$? - eval "$lt_safe_locale" - if test "$my_status" -eq 0; then :; else - eval "(exit $my_status); $my_fail_exp" - fi - fi -} - -# func_tr_sh -# Turn $1 into a string suitable for a shell variable name. -# Result is stored in $func_tr_sh_result. All characters -# not in the set a-zA-Z0-9_ are replaced with '_'. Further, -# if $1 begins with a digit, a '_' is prepended as well. -func_tr_sh () -{ - case $1 in - [0-9]* | *[!a-zA-Z0-9_]*) - func_tr_sh_result=`$ECHO "$1" | $SED 's/^\([0-9]\)/_\1/; s/[^a-zA-Z0-9_]/_/g'` - ;; - * ) - func_tr_sh_result=$1 - ;; - esac -} - - -# func_version -# Echo version message to standard output and exit. 
-func_version () -{ - $opt_debug - - $SED -n '/(C)/!b go - :more - /\./!{ - N - s/\n# / / - b more - } - :go - /^# '$PROGRAM' (GNU /,/# warranty; / { - s/^# // - s/^# *$// - s/\((C)\)[ 0-9,-]*\( [1-9][0-9]*\)/\1\2/ - p - }' < "$progpath" - exit $? -} - -# func_usage -# Echo short help message to standard output and exit. -func_usage () -{ - $opt_debug - - $SED -n '/^# Usage:/,/^# *.*--help/ { - s/^# // - s/^# *$// - s/\$progname/'$progname'/ - p - }' < "$progpath" - echo - $ECHO "run \`$progname --help | more' for full usage" - exit $? -} - -# func_help [NOEXIT] -# Echo long help message to standard output and exit, -# unless 'noexit' is passed as argument. -func_help () -{ - $opt_debug - - $SED -n '/^# Usage:/,/# Report bugs to/ { - :print - s/^# // - s/^# *$// - s*\$progname*'$progname'* - s*\$host*'"$host"'* - s*\$SHELL*'"$SHELL"'* - s*\$LTCC*'"$LTCC"'* - s*\$LTCFLAGS*'"$LTCFLAGS"'* - s*\$LD*'"$LD"'* - s/\$with_gnu_ld/'"$with_gnu_ld"'/ - s/\$automake_version/'"`(${AUTOMAKE-automake} --version) 2>/dev/null |$SED 1q`"'/ - s/\$autoconf_version/'"`(${AUTOCONF-autoconf} --version) 2>/dev/null |$SED 1q`"'/ - p - d - } - /^# .* home page:/b print - /^# General help using/b print - ' < "$progpath" - ret=$? - if test -z "$1"; then - exit $ret - fi -} - -# func_missing_arg argname -# Echo program name prefixed message to standard error and set global -# exit_cmd. -func_missing_arg () -{ - $opt_debug - - func_error "missing argument for $1." - exit_cmd=exit -} - - -# func_split_short_opt shortopt -# Set func_split_short_opt_name and func_split_short_opt_arg shell -# variables after splitting SHORTOPT after the 2nd character. 
-func_split_short_opt () -{ - my_sed_short_opt='1s/^\(..\).*$/\1/;q' - my_sed_short_rest='1s/^..\(.*\)$/\1/;q' - - func_split_short_opt_name=`$ECHO "$1" | $SED "$my_sed_short_opt"` - func_split_short_opt_arg=`$ECHO "$1" | $SED "$my_sed_short_rest"` -} # func_split_short_opt may be replaced by extended shell implementation - - -# func_split_long_opt longopt -# Set func_split_long_opt_name and func_split_long_opt_arg shell -# variables after splitting LONGOPT at the `=' sign. -func_split_long_opt () -{ - my_sed_long_opt='1s/^\(--[^=]*\)=.*/\1/;q' - my_sed_long_arg='1s/^--[^=]*=//' - - func_split_long_opt_name=`$ECHO "$1" | $SED "$my_sed_long_opt"` - func_split_long_opt_arg=`$ECHO "$1" | $SED "$my_sed_long_arg"` -} # func_split_long_opt may be replaced by extended shell implementation - -exit_cmd=: - - - - - -magic="%%%MAGIC variable%%%" -magic_exe="%%%MAGIC EXE variable%%%" - -# Global variables. -nonopt= -preserve_args= -lo2o="s/\\.lo\$/.${objext}/" -o2lo="s/\\.${objext}\$/.lo/" -extracted_archives= -extracted_serial=0 - -# If this variable is set in any of the actions, the command in it -# will be execed at the end. This prevents here-documents from being -# left over by shells. -exec_cmd= - -# func_append var value -# Append VALUE to the end of shell variable VAR. -func_append () -{ - eval "${1}=\$${1}\${2}" -} # func_append may be replaced by extended shell implementation - -# func_append_quoted var value -# Quote VALUE and append to the end of shell variable VAR, separated -# by a space. -func_append_quoted () -{ - func_quote_for_eval "${2}" - eval "${1}=\$${1}\\ \$func_quote_for_eval_result" -} # func_append_quoted may be replaced by extended shell implementation - - -# func_arith arithmetic-term... -func_arith () -{ - func_arith_result=`expr "${@}"` -} # func_arith may be replaced by extended shell implementation - - -# func_len string -# STRING may not start with a hyphen. 
-func_len () -{ - func_len_result=`expr "${1}" : ".*" 2>/dev/null || echo $max_cmd_len` -} # func_len may be replaced by extended shell implementation - - -# func_lo2o object -func_lo2o () -{ - func_lo2o_result=`$ECHO "${1}" | $SED "$lo2o"` -} # func_lo2o may be replaced by extended shell implementation - - -# func_xform libobj-or-source -func_xform () -{ - func_xform_result=`$ECHO "${1}" | $SED 's/\.[^.]*$/.lo/'` -} # func_xform may be replaced by extended shell implementation - - -# func_fatal_configuration arg... -# Echo program name prefixed message to standard error, followed by -# a configuration failure hint, and exit. -func_fatal_configuration () -{ - func_error ${1+"$@"} - func_error "See the $PACKAGE documentation for more information." - func_fatal_error "Fatal configuration error." -} - - -# func_config -# Display the configuration for all the tags in this script. -func_config () -{ - re_begincf='^# ### BEGIN LIBTOOL' - re_endcf='^# ### END LIBTOOL' - - # Default configuration. - $SED "1,/$re_begincf CONFIG/d;/$re_endcf CONFIG/,\$d" < "$progpath" - - # Now print the configurations for the tags. - for tagname in $taglist; do - $SED -n "/$re_begincf TAG CONFIG: $tagname\$/,/$re_endcf TAG CONFIG: $tagname\$/p" < "$progpath" - done - - exit $? -} - -# func_features -# Display the features supported by this script. -func_features () -{ - echo "host: $host" - if test "$build_libtool_libs" = yes; then - echo "enable shared libraries" - else - echo "disable shared libraries" - fi - if test "$build_old_libs" = yes; then - echo "enable static libraries" - else - echo "disable static libraries" - fi - - exit $? -} - -# func_enable_tag tagname -# Verify that TAGNAME is valid, and either flag an error and exit, or -# enable the TAGNAME tag. We also add TAGNAME to the global $taglist -# variable here. 
-func_enable_tag () -{ - # Global variable: - tagname="$1" - - re_begincf="^# ### BEGIN LIBTOOL TAG CONFIG: $tagname\$" - re_endcf="^# ### END LIBTOOL TAG CONFIG: $tagname\$" - sed_extractcf="/$re_begincf/,/$re_endcf/p" - - # Validate tagname. - case $tagname in - *[!-_A-Za-z0-9,/]*) - func_fatal_error "invalid tag name: $tagname" - ;; - esac - - # Don't test for the "default" C tag, as we know it's - # there but not specially marked. - case $tagname in - CC) ;; - *) - if $GREP "$re_begincf" "$progpath" >/dev/null 2>&1; then - taglist="$taglist $tagname" - - # Evaluate the configuration. Be careful to quote the path - # and the sed script, to avoid splitting on whitespace, but - # also don't use non-portable quotes within backquotes within - # quotes we have to do it in 2 steps: - extractedcf=`$SED -n -e "$sed_extractcf" < "$progpath"` - eval "$extractedcf" - else - func_error "ignoring unknown tag $tagname" - fi - ;; - esac -} - -# func_check_version_match -# Ensure that we are using m4 macros, and libtool script from the same -# release of libtool. -func_check_version_match () -{ - if test "$package_revision" != "$macro_revision"; then - if test "$VERSION" != "$macro_version"; then - if test -z "$macro_version"; then - cat >&2 <<_LT_EOF -$progname: Version mismatch error. This is $PACKAGE $VERSION, but the -$progname: definition of this LT_INIT comes from an older release. -$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION -$progname: and run autoconf again. -_LT_EOF - else - cat >&2 <<_LT_EOF -$progname: Version mismatch error. This is $PACKAGE $VERSION, but the -$progname: definition of this LT_INIT comes from $PACKAGE $macro_version. -$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION -$progname: and run autoconf again. -_LT_EOF - fi - else - cat >&2 <<_LT_EOF -$progname: Version mismatch error. 
This is $PACKAGE $VERSION, revision $package_revision, -$progname: but the definition of this LT_INIT comes from revision $macro_revision. -$progname: You should recreate aclocal.m4 with macros from revision $package_revision -$progname: of $PACKAGE $VERSION and run autoconf again. -_LT_EOF - fi - - exit $EXIT_MISMATCH - fi -} - - -# Shorthand for --mode=foo, only valid as the first argument -case $1 in -clean|clea|cle|cl) - shift; set dummy --mode clean ${1+"$@"}; shift - ;; -compile|compil|compi|comp|com|co|c) - shift; set dummy --mode compile ${1+"$@"}; shift - ;; -execute|execut|execu|exec|exe|ex|e) - shift; set dummy --mode execute ${1+"$@"}; shift - ;; -finish|finis|fini|fin|fi|f) - shift; set dummy --mode finish ${1+"$@"}; shift - ;; -install|instal|insta|inst|ins|in|i) - shift; set dummy --mode install ${1+"$@"}; shift - ;; -link|lin|li|l) - shift; set dummy --mode link ${1+"$@"}; shift - ;; -uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u) - shift; set dummy --mode uninstall ${1+"$@"}; shift - ;; -esac - - - -# Option defaults: -opt_debug=: -opt_dry_run=false -opt_config=false -opt_preserve_dup_deps=false -opt_features=false -opt_finish=false -opt_help=false -opt_help_all=false -opt_silent=: -opt_warning=: -opt_verbose=: -opt_silent=false -opt_verbose=false - - -# Parse options once, thoroughly. This comes as soon as possible in the -# script to make things like `--version' happen as quickly as we can. 
-{ - # this just eases exit handling - while test $# -gt 0; do - opt="$1" - shift - case $opt in - --debug|-x) opt_debug='set -x' - func_echo "enabling shell trace mode" - $opt_debug - ;; - --dry-run|--dryrun|-n) - opt_dry_run=: - ;; - --config) - opt_config=: -func_config - ;; - --dlopen|-dlopen) - optarg="$1" - opt_dlopen="${opt_dlopen+$opt_dlopen -}$optarg" - shift - ;; - --preserve-dup-deps) - opt_preserve_dup_deps=: - ;; - --features) - opt_features=: -func_features - ;; - --finish) - opt_finish=: -set dummy --mode finish ${1+"$@"}; shift - ;; - --help) - opt_help=: - ;; - --help-all) - opt_help_all=: -opt_help=': help-all' - ;; - --mode) - test $# = 0 && func_missing_arg $opt && break - optarg="$1" - opt_mode="$optarg" -case $optarg in - # Valid mode arguments: - clean|compile|execute|finish|install|link|relink|uninstall) ;; - - # Catch anything else as an error - *) func_error "invalid argument for $opt" - exit_cmd=exit - break - ;; -esac - shift - ;; - --no-silent|--no-quiet) - opt_silent=false -func_append preserve_args " $opt" - ;; - --no-warning|--no-warn) - opt_warning=false -func_append preserve_args " $opt" - ;; - --no-verbose) - opt_verbose=false -func_append preserve_args " $opt" - ;; - --silent|--quiet) - opt_silent=: -func_append preserve_args " $opt" - opt_verbose=false - ;; - --verbose|-v) - opt_verbose=: -func_append preserve_args " $opt" -opt_silent=false - ;; - --tag) - test $# = 0 && func_missing_arg $opt && break - optarg="$1" - opt_tag="$optarg" -func_append preserve_args " $opt $optarg" -func_enable_tag "$optarg" - shift - ;; - - -\?|-h) func_usage ;; - --help) func_help ;; - --version) func_version ;; - - # Separate optargs to long options: - --*=*) - func_split_long_opt "$opt" - set dummy "$func_split_long_opt_name" "$func_split_long_opt_arg" ${1+"$@"} - shift - ;; - - # Separate non-argument short options: - -\?*|-h*|-n*|-v*) - func_split_short_opt "$opt" - set dummy "$func_split_short_opt_name" "-$func_split_short_opt_arg" ${1+"$@"} - 
shift - ;; - - --) break ;; - -*) func_fatal_help "unrecognized option \`$opt'" ;; - *) set dummy "$opt" ${1+"$@"}; shift; break ;; - esac - done - - # Validate options: - - # save first non-option argument - if test "$#" -gt 0; then - nonopt="$opt" - shift - fi - - # preserve --debug - test "$opt_debug" = : || func_append preserve_args " --debug" - - case $host in - *cygwin* | *mingw* | *pw32* | *cegcc*) - # don't eliminate duplications in $postdeps and $predeps - opt_duplicate_compiler_generated_deps=: - ;; - *) - opt_duplicate_compiler_generated_deps=$opt_preserve_dup_deps - ;; - esac - - $opt_help || { - # Sanity checks first: - func_check_version_match - - if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then - func_fatal_configuration "not configured to build any kind of library" - fi - - # Darwin sucks - eval std_shrext=\"$shrext_cmds\" - - # Only execute mode is allowed to have -dlopen flags. - if test -n "$opt_dlopen" && test "$opt_mode" != execute; then - func_error "unrecognized option \`-dlopen'" - $ECHO "$help" 1>&2 - exit $EXIT_FAILURE - fi - - # Change the help message to a mode-specific one. - generic_help="$help" - help="Try \`$progname --help --mode=$opt_mode' for more information." - } - - - # Bail if the options were screwed - $exit_cmd $EXIT_FAILURE -} - - - - -## ----------- ## -## Main. ## -## ----------- ## - -# func_lalib_p file -# True iff FILE is a libtool `.la' library or `.lo' object file. -# This function is only a basic sanity check; it will hardly flush out -# determined imposters. -func_lalib_p () -{ - test -f "$1" && - $SED -e 4q "$1" 2>/dev/null \ - | $GREP "^# Generated by .*$PACKAGE" > /dev/null 2>&1 -} - -# func_lalib_unsafe_p file -# True iff FILE is a libtool `.la' library or `.lo' object file. -# This function implements the same check as func_lalib_p without -# resorting to external programs. To this end, it redirects stdin and -# closes it afterwards, without saving the original file descriptor. 
-# As a safety measure, use it only where a negative result would be -# fatal anyway. Works if `file' does not exist. -func_lalib_unsafe_p () -{ - lalib_p=no - if test -f "$1" && test -r "$1" && exec 5<&0 <"$1"; then - for lalib_p_l in 1 2 3 4 - do - read lalib_p_line - case "$lalib_p_line" in - \#\ Generated\ by\ *$PACKAGE* ) lalib_p=yes; break;; - esac - done - exec 0<&5 5<&- - fi - test "$lalib_p" = yes -} - -# func_ltwrapper_script_p file -# True iff FILE is a libtool wrapper script -# This function is only a basic sanity check; it will hardly flush out -# determined imposters. -func_ltwrapper_script_p () -{ - func_lalib_p "$1" -} - -# func_ltwrapper_executable_p file -# True iff FILE is a libtool wrapper executable -# This function is only a basic sanity check; it will hardly flush out -# determined imposters. -func_ltwrapper_executable_p () -{ - func_ltwrapper_exec_suffix= - case $1 in - *.exe) ;; - *) func_ltwrapper_exec_suffix=.exe ;; - esac - $GREP "$magic_exe" "$1$func_ltwrapper_exec_suffix" >/dev/null 2>&1 -} - -# func_ltwrapper_scriptname file -# Assumes file is an ltwrapper_executable -# uses $file to determine the appropriate filename for a -# temporary ltwrapper_script. -func_ltwrapper_scriptname () -{ - func_dirname_and_basename "$1" "" "." - func_stripname '' '.exe' "$func_basename_result" - func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper" -} - -# func_ltwrapper_p file -# True iff FILE is a libtool wrapper script or wrapper executable -# This function is only a basic sanity check; it will hardly flush out -# determined imposters. -func_ltwrapper_p () -{ - func_ltwrapper_script_p "$1" || func_ltwrapper_executable_p "$1" -} - - -# func_execute_cmds commands fail_cmd -# Execute tilde-delimited COMMANDS. -# If FAIL_CMD is given, eval that upon failure. -# FAIL_CMD may read-access the current command in variable CMD! 
-func_execute_cmds () -{ - $opt_debug - save_ifs=$IFS; IFS='~' - for cmd in $1; do - IFS=$save_ifs - eval cmd=\"$cmd\" - func_show_eval "$cmd" "${2-:}" - done - IFS=$save_ifs -} - - -# func_source file -# Source FILE, adding directory component if necessary. -# Note that it is not necessary on cygwin/mingw to append a dot to -# FILE even if both FILE and FILE.exe exist: automatic-append-.exe -# behavior happens only for exec(3), not for open(2)! Also, sourcing -# `FILE.' does not work on cygwin managed mounts. -func_source () -{ - $opt_debug - case $1 in - */* | *\\*) . "$1" ;; - *) . "./$1" ;; - esac -} - - -# func_resolve_sysroot PATH -# Replace a leading = in PATH with a sysroot. Store the result into -# func_resolve_sysroot_result -func_resolve_sysroot () -{ - func_resolve_sysroot_result=$1 - case $func_resolve_sysroot_result in - =*) - func_stripname '=' '' "$func_resolve_sysroot_result" - func_resolve_sysroot_result=$lt_sysroot$func_stripname_result - ;; - esac -} - -# func_replace_sysroot PATH -# If PATH begins with the sysroot, replace it with = and -# store the result into func_replace_sysroot_result. -func_replace_sysroot () -{ - case "$lt_sysroot:$1" in - ?*:"$lt_sysroot"*) - func_stripname "$lt_sysroot" '' "$1" - func_replace_sysroot_result="=$func_stripname_result" - ;; - *) - # Including no sysroot. - func_replace_sysroot_result=$1 - ;; - esac -} - -# func_infer_tag arg -# Infer tagged configuration to use if any are available and -# if one wasn't chosen via the "--tag" command line option. -# Only attempt this if the compiler in the base compile -# command doesn't match the default compiler. -# arg is usually of the form 'gcc ...' 
-func_infer_tag () -{ - $opt_debug - if test -n "$available_tags" && test -z "$tagname"; then - CC_quoted= - for arg in $CC; do - func_append_quoted CC_quoted "$arg" - done - CC_expanded=`func_echo_all $CC` - CC_quoted_expanded=`func_echo_all $CC_quoted` - case $@ in - # Blanks in the command may have been stripped by the calling shell, - # but not from the CC environment variable when configure was run. - " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \ - " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*) ;; - # Blanks at the start of $base_compile will cause this to fail - # if we don't check for them as well. - *) - for z in $available_tags; do - if $GREP "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then - # Evaluate the configuration. - eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`" - CC_quoted= - for arg in $CC; do - # Double-quote args containing other shell metacharacters. - func_append_quoted CC_quoted "$arg" - done - CC_expanded=`func_echo_all $CC` - CC_quoted_expanded=`func_echo_all $CC_quoted` - case "$@ " in - " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \ - " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*) - # The compiler in the base compile command matches - # the one in the tagged configuration. - # Assume this is the tagged configuration we want. - tagname=$z - break - ;; - esac - fi - done - # If $tagname still isn't set, then no tagged configuration - # was found and let the user know that the "--tag" command - # line option must be used. 
- if test -z "$tagname"; then - func_echo "unable to infer tagged configuration" - func_fatal_error "specify a tag with \`--tag'" -# else -# func_verbose "using $tagname tagged configuration" - fi - ;; - esac - fi -} - - - -# func_write_libtool_object output_name pic_name nonpic_name -# Create a libtool object file (analogous to a ".la" file), -# but don't create it if we're doing a dry run. -func_write_libtool_object () -{ - write_libobj=${1} - if test "$build_libtool_libs" = yes; then - write_lobj=\'${2}\' - else - write_lobj=none - fi - - if test "$build_old_libs" = yes; then - write_oldobj=\'${3}\' - else - write_oldobj=none - fi - - $opt_dry_run || { - cat >${write_libobj}T </dev/null` - if test "$?" -eq 0 && test -n "${func_convert_core_file_wine_to_w32_tmp}"; then - func_convert_core_file_wine_to_w32_result=`$ECHO "$func_convert_core_file_wine_to_w32_tmp" | - $SED -e "$lt_sed_naive_backslashify"` - else - func_convert_core_file_wine_to_w32_result= - fi - fi -} -# end: func_convert_core_file_wine_to_w32 - - -# func_convert_core_path_wine_to_w32 ARG -# Helper function used by path conversion functions when $build is *nix, and -# $host is mingw, cygwin, or some other w32 environment. Relies on a correctly -# configured wine environment available, with the winepath program in $build's -# $PATH. Assumes ARG has no leading or trailing path separator characters. -# -# ARG is path to be converted from $build format to win32. -# Result is available in $func_convert_core_path_wine_to_w32_result. -# Unconvertible file (directory) names in ARG are skipped; if no directory names -# are convertible, then the result may be empty. 
-func_convert_core_path_wine_to_w32 () -{ - $opt_debug - # unfortunately, winepath doesn't convert paths, only file names - func_convert_core_path_wine_to_w32_result="" - if test -n "$1"; then - oldIFS=$IFS - IFS=: - for func_convert_core_path_wine_to_w32_f in $1; do - IFS=$oldIFS - func_convert_core_file_wine_to_w32 "$func_convert_core_path_wine_to_w32_f" - if test -n "$func_convert_core_file_wine_to_w32_result" ; then - if test -z "$func_convert_core_path_wine_to_w32_result"; then - func_convert_core_path_wine_to_w32_result="$func_convert_core_file_wine_to_w32_result" - else - func_append func_convert_core_path_wine_to_w32_result ";$func_convert_core_file_wine_to_w32_result" - fi - fi - done - IFS=$oldIFS - fi -} -# end: func_convert_core_path_wine_to_w32 - - -# func_cygpath ARGS... -# Wrapper around calling the cygpath program via LT_CYGPATH. This is used when -# when (1) $build is *nix and Cygwin is hosted via a wine environment; or (2) -# $build is MSYS and $host is Cygwin, or (3) $build is Cygwin. In case (1) or -# (2), returns the Cygwin file name or path in func_cygpath_result (input -# file name or path is assumed to be in w32 format, as previously converted -# from $build's *nix or MSYS format). In case (3), returns the w32 file name -# or path in func_cygpath_result (input file name or path is assumed to be in -# Cygwin format). Returns an empty string on error. -# -# ARGS are passed to cygpath, with the last one being the file name or path to -# be converted. -# -# Specify the absolute *nix (or w32) name to cygpath in the LT_CYGPATH -# environment variable; do not put it in $PATH. -func_cygpath () -{ - $opt_debug - if test -n "$LT_CYGPATH" && test -f "$LT_CYGPATH"; then - func_cygpath_result=`$LT_CYGPATH "$@" 2>/dev/null` - if test "$?" 
-ne 0; then - # on failure, ensure result is empty - func_cygpath_result= - fi - else - func_cygpath_result= - func_error "LT_CYGPATH is empty or specifies non-existent file: \`$LT_CYGPATH'" - fi -} -#end: func_cygpath - - -# func_convert_core_msys_to_w32 ARG -# Convert file name or path ARG from MSYS format to w32 format. Return -# result in func_convert_core_msys_to_w32_result. -func_convert_core_msys_to_w32 () -{ - $opt_debug - # awkward: cmd appends spaces to result - func_convert_core_msys_to_w32_result=`( cmd //c echo "$1" ) 2>/dev/null | - $SED -e 's/[ ]*$//' -e "$lt_sed_naive_backslashify"` -} -#end: func_convert_core_msys_to_w32 - - -# func_convert_file_check ARG1 ARG2 -# Verify that ARG1 (a file name in $build format) was converted to $host -# format in ARG2. Otherwise, emit an error message, but continue (resetting -# func_to_host_file_result to ARG1). -func_convert_file_check () -{ - $opt_debug - if test -z "$2" && test -n "$1" ; then - func_error "Could not determine host file name corresponding to" - func_error " \`$1'" - func_error "Continuing, but uninstalled executables may not work." - # Fallback: - func_to_host_file_result="$1" - fi -} -# end func_convert_file_check - - -# func_convert_path_check FROM_PATHSEP TO_PATHSEP FROM_PATH TO_PATH -# Verify that FROM_PATH (a path in $build format) was converted to $host -# format in TO_PATH. Otherwise, emit an error message, but continue, resetting -# func_to_host_file_result to a simplistic fallback value (see below). -func_convert_path_check () -{ - $opt_debug - if test -z "$4" && test -n "$3"; then - func_error "Could not determine the host path corresponding to" - func_error " \`$3'" - func_error "Continuing, but uninstalled executables may not work." - # Fallback. This is a deliberately simplistic "conversion" and - # should not be "improved". See libtool.info. 
- if test "x$1" != "x$2"; then - lt_replace_pathsep_chars="s|$1|$2|g" - func_to_host_path_result=`echo "$3" | - $SED -e "$lt_replace_pathsep_chars"` - else - func_to_host_path_result="$3" - fi - fi -} -# end func_convert_path_check - - -# func_convert_path_front_back_pathsep FRONTPAT BACKPAT REPL ORIG -# Modifies func_to_host_path_result by prepending REPL if ORIG matches FRONTPAT -# and appending REPL if ORIG matches BACKPAT. -func_convert_path_front_back_pathsep () -{ - $opt_debug - case $4 in - $1 ) func_to_host_path_result="$3$func_to_host_path_result" - ;; - esac - case $4 in - $2 ) func_append func_to_host_path_result "$3" - ;; - esac -} -# end func_convert_path_front_back_pathsep - - -################################################## -# $build to $host FILE NAME CONVERSION FUNCTIONS # -################################################## -# invoked via `$to_host_file_cmd ARG' -# -# In each case, ARG is the path to be converted from $build to $host format. -# Result will be available in $func_to_host_file_result. - - -# func_to_host_file ARG -# Converts the file name ARG from $build format to $host format. Return result -# in func_to_host_file_result. -func_to_host_file () -{ - $opt_debug - $to_host_file_cmd "$1" -} -# end func_to_host_file - - -# func_to_tool_file ARG LAZY -# converts the file name ARG from $build format to toolchain format. Return -# result in func_to_tool_file_result. If the conversion in use is listed -# in (the comma separated) LAZY, no conversion takes place. -func_to_tool_file () -{ - $opt_debug - case ,$2, in - *,"$to_tool_file_cmd",*) - func_to_tool_file_result=$1 - ;; - *) - $to_tool_file_cmd "$1" - func_to_tool_file_result=$func_to_host_file_result - ;; - esac -} -# end func_to_tool_file - - -# func_convert_file_noop ARG -# Copy ARG to func_to_host_file_result. 
-func_convert_file_noop () -{ - func_to_host_file_result="$1" -} -# end func_convert_file_noop - - -# func_convert_file_msys_to_w32 ARG -# Convert file name ARG from (mingw) MSYS to (mingw) w32 format; automatic -# conversion to w32 is not available inside the cwrapper. Returns result in -# func_to_host_file_result. -func_convert_file_msys_to_w32 () -{ - $opt_debug - func_to_host_file_result="$1" - if test -n "$1"; then - func_convert_core_msys_to_w32 "$1" - func_to_host_file_result="$func_convert_core_msys_to_w32_result" - fi - func_convert_file_check "$1" "$func_to_host_file_result" -} -# end func_convert_file_msys_to_w32 - - -# func_convert_file_cygwin_to_w32 ARG -# Convert file name ARG from Cygwin to w32 format. Returns result in -# func_to_host_file_result. -func_convert_file_cygwin_to_w32 () -{ - $opt_debug - func_to_host_file_result="$1" - if test -n "$1"; then - # because $build is cygwin, we call "the" cygpath in $PATH; no need to use - # LT_CYGPATH in this case. - func_to_host_file_result=`cygpath -m "$1"` - fi - func_convert_file_check "$1" "$func_to_host_file_result" -} -# end func_convert_file_cygwin_to_w32 - - -# func_convert_file_nix_to_w32 ARG -# Convert file name ARG from *nix to w32 format. Requires a wine environment -# and a working winepath. Returns result in func_to_host_file_result. -func_convert_file_nix_to_w32 () -{ - $opt_debug - func_to_host_file_result="$1" - if test -n "$1"; then - func_convert_core_file_wine_to_w32 "$1" - func_to_host_file_result="$func_convert_core_file_wine_to_w32_result" - fi - func_convert_file_check "$1" "$func_to_host_file_result" -} -# end func_convert_file_nix_to_w32 - - -# func_convert_file_msys_to_cygwin ARG -# Convert file name ARG from MSYS to Cygwin format. Requires LT_CYGPATH set. -# Returns result in func_to_host_file_result. 
-func_convert_file_msys_to_cygwin () -{ - $opt_debug - func_to_host_file_result="$1" - if test -n "$1"; then - func_convert_core_msys_to_w32 "$1" - func_cygpath -u "$func_convert_core_msys_to_w32_result" - func_to_host_file_result="$func_cygpath_result" - fi - func_convert_file_check "$1" "$func_to_host_file_result" -} -# end func_convert_file_msys_to_cygwin - - -# func_convert_file_nix_to_cygwin ARG -# Convert file name ARG from *nix to Cygwin format. Requires Cygwin installed -# in a wine environment, working winepath, and LT_CYGPATH set. Returns result -# in func_to_host_file_result. -func_convert_file_nix_to_cygwin () -{ - $opt_debug - func_to_host_file_result="$1" - if test -n "$1"; then - # convert from *nix to w32, then use cygpath to convert from w32 to cygwin. - func_convert_core_file_wine_to_w32 "$1" - func_cygpath -u "$func_convert_core_file_wine_to_w32_result" - func_to_host_file_result="$func_cygpath_result" - fi - func_convert_file_check "$1" "$func_to_host_file_result" -} -# end func_convert_file_nix_to_cygwin - - -############################################# -# $build to $host PATH CONVERSION FUNCTIONS # -############################################# -# invoked via `$to_host_path_cmd ARG' -# -# In each case, ARG is the path to be converted from $build to $host format. -# The result will be available in $func_to_host_path_result. -# -# Path separators are also converted from $build format to $host format. If -# ARG begins or ends with a path separator character, it is preserved (but -# converted to $host format) on output. -# -# All path conversion functions are named using the following convention: -# file name conversion function : func_convert_file_X_to_Y () -# path conversion function : func_convert_path_X_to_Y () -# where, for any given $build/$host combination the 'X_to_Y' value is the -# same. 
If conversion functions are added for new $build/$host combinations, -# the two new functions must follow this pattern, or func_init_to_host_path_cmd -# will break. - - -# func_init_to_host_path_cmd -# Ensures that function "pointer" variable $to_host_path_cmd is set to the -# appropriate value, based on the value of $to_host_file_cmd. -to_host_path_cmd= -func_init_to_host_path_cmd () -{ - $opt_debug - if test -z "$to_host_path_cmd"; then - func_stripname 'func_convert_file_' '' "$to_host_file_cmd" - to_host_path_cmd="func_convert_path_${func_stripname_result}" - fi -} - - -# func_to_host_path ARG -# Converts the path ARG from $build format to $host format. Return result -# in func_to_host_path_result. -func_to_host_path () -{ - $opt_debug - func_init_to_host_path_cmd - $to_host_path_cmd "$1" -} -# end func_to_host_path - - -# func_convert_path_noop ARG -# Copy ARG to func_to_host_path_result. -func_convert_path_noop () -{ - func_to_host_path_result="$1" -} -# end func_convert_path_noop - - -# func_convert_path_msys_to_w32 ARG -# Convert path ARG from (mingw) MSYS to (mingw) w32 format; automatic -# conversion to w32 is not available inside the cwrapper. Returns result in -# func_to_host_path_result. -func_convert_path_msys_to_w32 () -{ - $opt_debug - func_to_host_path_result="$1" - if test -n "$1"; then - # Remove leading and trailing path separator characters from ARG. MSYS - # behavior is inconsistent here; cygpath turns them into '.;' and ';.'; - # and winepath ignores them completely. - func_stripname : : "$1" - func_to_host_path_tmp1=$func_stripname_result - func_convert_core_msys_to_w32 "$func_to_host_path_tmp1" - func_to_host_path_result="$func_convert_core_msys_to_w32_result" - func_convert_path_check : ";" \ - "$func_to_host_path_tmp1" "$func_to_host_path_result" - func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" - fi -} -# end func_convert_path_msys_to_w32 - - -# func_convert_path_cygwin_to_w32 ARG -# Convert path ARG from Cygwin to w32 format. 
Returns result in -# func_to_host_file_result. -func_convert_path_cygwin_to_w32 () -{ - $opt_debug - func_to_host_path_result="$1" - if test -n "$1"; then - # See func_convert_path_msys_to_w32: - func_stripname : : "$1" - func_to_host_path_tmp1=$func_stripname_result - func_to_host_path_result=`cygpath -m -p "$func_to_host_path_tmp1"` - func_convert_path_check : ";" \ - "$func_to_host_path_tmp1" "$func_to_host_path_result" - func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" - fi -} -# end func_convert_path_cygwin_to_w32 - - -# func_convert_path_nix_to_w32 ARG -# Convert path ARG from *nix to w32 format. Requires a wine environment and -# a working winepath. Returns result in func_to_host_file_result. -func_convert_path_nix_to_w32 () -{ - $opt_debug - func_to_host_path_result="$1" - if test -n "$1"; then - # See func_convert_path_msys_to_w32: - func_stripname : : "$1" - func_to_host_path_tmp1=$func_stripname_result - func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1" - func_to_host_path_result="$func_convert_core_path_wine_to_w32_result" - func_convert_path_check : ";" \ - "$func_to_host_path_tmp1" "$func_to_host_path_result" - func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" - fi -} -# end func_convert_path_nix_to_w32 - - -# func_convert_path_msys_to_cygwin ARG -# Convert path ARG from MSYS to Cygwin format. Requires LT_CYGPATH set. -# Returns result in func_to_host_file_result. 
-func_convert_path_msys_to_cygwin () -{ - $opt_debug - func_to_host_path_result="$1" - if test -n "$1"; then - # See func_convert_path_msys_to_w32: - func_stripname : : "$1" - func_to_host_path_tmp1=$func_stripname_result - func_convert_core_msys_to_w32 "$func_to_host_path_tmp1" - func_cygpath -u -p "$func_convert_core_msys_to_w32_result" - func_to_host_path_result="$func_cygpath_result" - func_convert_path_check : : \ - "$func_to_host_path_tmp1" "$func_to_host_path_result" - func_convert_path_front_back_pathsep ":*" "*:" : "$1" - fi -} -# end func_convert_path_msys_to_cygwin - - -# func_convert_path_nix_to_cygwin ARG -# Convert path ARG from *nix to Cygwin format. Requires Cygwin installed in a -# a wine environment, working winepath, and LT_CYGPATH set. Returns result in -# func_to_host_file_result. -func_convert_path_nix_to_cygwin () -{ - $opt_debug - func_to_host_path_result="$1" - if test -n "$1"; then - # Remove leading and trailing path separator characters from - # ARG. msys behavior is inconsistent here, cygpath turns them - # into '.;' and ';.', and winepath ignores them completely. - func_stripname : : "$1" - func_to_host_path_tmp1=$func_stripname_result - func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1" - func_cygpath -u -p "$func_convert_core_path_wine_to_w32_result" - func_to_host_path_result="$func_cygpath_result" - func_convert_path_check : : \ - "$func_to_host_path_tmp1" "$func_to_host_path_result" - func_convert_path_front_back_pathsep ":*" "*:" : "$1" - fi -} -# end func_convert_path_nix_to_cygwin - - -# func_mode_compile arg... -func_mode_compile () -{ - $opt_debug - # Get the compilation command and the source file. - base_compile= - srcfile="$nonopt" # always keep a non-empty value in "srcfile" - suppress_opt=yes - suppress_output= - arg_mode=normal - libobj= - later= - pie_flag= - - for arg - do - case $arg_mode in - arg ) - # do not "continue". 
Instead, add this to base_compile - lastarg="$arg" - arg_mode=normal - ;; - - target ) - libobj="$arg" - arg_mode=normal - continue - ;; - - normal ) - # Accept any command-line options. - case $arg in - -o) - test -n "$libobj" && \ - func_fatal_error "you cannot specify \`-o' more than once" - arg_mode=target - continue - ;; - - -pie | -fpie | -fPIE) - func_append pie_flag " $arg" - continue - ;; - - -shared | -static | -prefer-pic | -prefer-non-pic) - func_append later " $arg" - continue - ;; - - -no-suppress) - suppress_opt=no - continue - ;; - - -Xcompiler) - arg_mode=arg # the next one goes into the "base_compile" arg list - continue # The current "srcfile" will either be retained or - ;; # replaced later. I would guess that would be a bug. - - -Wc,*) - func_stripname '-Wc,' '' "$arg" - args=$func_stripname_result - lastarg= - save_ifs="$IFS"; IFS=',' - for arg in $args; do - IFS="$save_ifs" - func_append_quoted lastarg "$arg" - done - IFS="$save_ifs" - func_stripname ' ' '' "$lastarg" - lastarg=$func_stripname_result - - # Add the arguments to base_compile. - func_append base_compile " $lastarg" - continue - ;; - - *) - # Accept the current argument as the source file. - # The previous "srcfile" becomes the current argument. - # - lastarg="$srcfile" - srcfile="$arg" - ;; - esac # case $arg - ;; - esac # case $arg_mode - - # Aesthetically quote the previous argument. - func_append_quoted base_compile "$lastarg" - done # for arg - - case $arg_mode in - arg) - func_fatal_error "you must specify an argument for -Xcompile" - ;; - target) - func_fatal_error "you must specify a target with \`-o'" - ;; - *) - # Get the name of the library object. - test -z "$libobj" && { - func_basename "$srcfile" - libobj="$func_basename_result" - } - ;; - esac - - # Recognize several different file suffixes. 
- # If the user specifies -o file.o, it is replaced with file.lo - case $libobj in - *.[cCFSifmso] | \ - *.ada | *.adb | *.ads | *.asm | \ - *.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \ - *.[fF][09]? | *.for | *.java | *.go | *.obj | *.sx | *.cu | *.cup) - func_xform "$libobj" - libobj=$func_xform_result - ;; - esac - - case $libobj in - *.lo) func_lo2o "$libobj"; obj=$func_lo2o_result ;; - *) - func_fatal_error "cannot determine name of library object from \`$libobj'" - ;; - esac - - func_infer_tag $base_compile - - for arg in $later; do - case $arg in - -shared) - test "$build_libtool_libs" != yes && \ - func_fatal_configuration "can not build a shared library" - build_old_libs=no - continue - ;; - - -static) - build_libtool_libs=no - build_old_libs=yes - continue - ;; - - -prefer-pic) - pic_mode=yes - continue - ;; - - -prefer-non-pic) - pic_mode=no - continue - ;; - esac - done - - func_quote_for_eval "$libobj" - test "X$libobj" != "X$func_quote_for_eval_result" \ - && $ECHO "X$libobj" | $GREP '[]~#^*{};<>?"'"'"' &()|`$[]' \ - && func_warning "libobj name \`$libobj' may not contain shell special characters." - func_dirname_and_basename "$obj" "/" "" - objname="$func_basename_result" - xdir="$func_dirname_result" - lobj=${xdir}$objdir/$objname - - test -z "$base_compile" && \ - func_fatal_help "you must specify a compilation command" - - # Delete any leftover library objects. 
- if test "$build_old_libs" = yes; then - removelist="$obj $lobj $libobj ${libobj}T" - else - removelist="$lobj $libobj ${libobj}T" - fi - - # On Cygwin there's no "real" PIC flag so we must build both object types - case $host_os in - cygwin* | mingw* | pw32* | os2* | cegcc*) - pic_mode=default - ;; - esac - if test "$pic_mode" = no && test "$deplibs_check_method" != pass_all; then - # non-PIC code in shared libraries is not supported - pic_mode=default - fi - - # Calculate the filename of the output object if compiler does - # not support -o with -c - if test "$compiler_c_o" = no; then - output_obj=`$ECHO "$srcfile" | $SED 's%^.*/%%; s%\.[^.]*$%%'`.${objext} - lockfile="$output_obj.lock" - else - output_obj= - need_locks=no - lockfile= - fi - - # Lock this critical section if it is needed - # We use this script file to make the link, it avoids creating a new file - if test "$need_locks" = yes; then - until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do - func_echo "Waiting for $lockfile to be removed" - sleep 2 - done - elif test "$need_locks" = warn; then - if test -f "$lockfile"; then - $ECHO "\ -*** ERROR, $lockfile exists and contains: -`cat $lockfile 2>/dev/null` - -This indicates that another process is trying to use the same -temporary object file, and libtool could not work around it because -your compiler does not support \`-c' and \`-o' together. If you -repeat this compilation, it may succeed, by chance, but you had better -avoid parallel builds (make -j) in this platform, or get a better -compiler." 
- - $opt_dry_run || $RM $removelist - exit $EXIT_FAILURE - fi - func_append removelist " $output_obj" - $ECHO "$srcfile" > "$lockfile" - fi - - $opt_dry_run || $RM $removelist - func_append removelist " $lockfile" - trap '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' 1 2 15 - - func_to_tool_file "$srcfile" func_convert_file_msys_to_w32 - srcfile=$func_to_tool_file_result - func_quote_for_eval "$srcfile" - qsrcfile=$func_quote_for_eval_result - - # Only build a PIC object if we are building libtool libraries. - if test "$build_libtool_libs" = yes; then - # Without this assignment, base_compile gets emptied. - fbsd_hideous_sh_bug=$base_compile - - if test "$pic_mode" != no; then - command="$base_compile $qsrcfile $pic_flag" - else - # Don't build PIC code - command="$base_compile $qsrcfile" - fi - - func_mkdir_p "$xdir$objdir" - - if test -z "$output_obj"; then - # Place PIC objects in $objdir - func_append command " -o $lobj" - fi - - func_show_eval_locale "$command" \ - 'test -n "$output_obj" && $RM $removelist; exit $EXIT_FAILURE' - - if test "$need_locks" = warn && - test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then - $ECHO "\ -*** ERROR, $lockfile contains: -`cat $lockfile 2>/dev/null` - -but it should contain: -$srcfile - -This indicates that another process is trying to use the same -temporary object file, and libtool could not work around it because -your compiler does not support \`-c' and \`-o' together. If you -repeat this compilation, it may succeed, by chance, but you had better -avoid parallel builds (make -j) in this platform, or get a better -compiler." - - $opt_dry_run || $RM $removelist - exit $EXIT_FAILURE - fi - - # Just move the object if needed, then go on to compile the next one - if test -n "$output_obj" && test "X$output_obj" != "X$lobj"; then - func_show_eval '$MV "$output_obj" "$lobj"' \ - 'error=$?; $opt_dry_run || $RM $removelist; exit $error' - fi - - # Allow error messages only from the first compilation. 
- if test "$suppress_opt" = yes; then - suppress_output=' >/dev/null 2>&1' - fi - fi - - # Only build a position-dependent object if we build old libraries. - if test "$build_old_libs" = yes; then - if test "$pic_mode" != yes; then - # Don't build PIC code - command="$base_compile $qsrcfile$pie_flag" - else - command="$base_compile $qsrcfile $pic_flag" - fi - if test "$compiler_c_o" = yes; then - func_append command " -o $obj" - fi - - # Suppress compiler output if we already did a PIC compilation. - func_append command "$suppress_output" - func_show_eval_locale "$command" \ - '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' - - if test "$need_locks" = warn && - test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then - $ECHO "\ -*** ERROR, $lockfile contains: -`cat $lockfile 2>/dev/null` - -but it should contain: -$srcfile - -This indicates that another process is trying to use the same -temporary object file, and libtool could not work around it because -your compiler does not support \`-c' and \`-o' together. If you -repeat this compilation, it may succeed, by chance, but you had better -avoid parallel builds (make -j) in this platform, or get a better -compiler." - - $opt_dry_run || $RM $removelist - exit $EXIT_FAILURE - fi - - # Just move the object if needed - if test -n "$output_obj" && test "X$output_obj" != "X$obj"; then - func_show_eval '$MV "$output_obj" "$obj"' \ - 'error=$?; $opt_dry_run || $RM $removelist; exit $error' - fi - fi - - $opt_dry_run || { - func_write_libtool_object "$libobj" "$objdir/$objname" "$objname" - - # Unlock the critical section if it was locked - if test "$need_locks" != no; then - removelist=$lockfile - $RM "$lockfile" - fi - } - - exit $EXIT_SUCCESS -} - -$opt_help || { - test "$opt_mode" = compile && func_mode_compile ${1+"$@"} -} - -func_mode_help () -{ - # We need to display help for each of the modes. - case $opt_mode in - "") - # Generic help is extracted from the usage comments - # at the start of this file. 
- func_help - ;; - - clean) - $ECHO \ -"Usage: $progname [OPTION]... --mode=clean RM [RM-OPTION]... FILE... - -Remove files from the build directory. - -RM is the name of the program to use to delete files associated with each FILE -(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed -to RM. - -If FILE is a libtool library, object or program, all the files associated -with it are deleted. Otherwise, only FILE itself is deleted using RM." - ;; - - compile) - $ECHO \ -"Usage: $progname [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE - -Compile a source file into a libtool library object. - -This mode accepts the following additional options: - - -o OUTPUT-FILE set the output file name to OUTPUT-FILE - -no-suppress do not suppress compiler output for multiple passes - -prefer-pic try to build PIC objects only - -prefer-non-pic try to build non-PIC objects only - -shared do not build a \`.o' file suitable for static linking - -static only build a \`.o' file suitable for static linking - -Wc,FLAG pass FLAG directly to the compiler - -COMPILE-COMMAND is a command to be used in creating a \`standard' object file -from the given SOURCEFILE. - -The output file name is determined by removing the directory component from -SOURCEFILE, then substituting the C source code suffix \`.c' with the -library object suffix, \`.lo'." - ;; - - execute) - $ECHO \ -"Usage: $progname [OPTION]... --mode=execute COMMAND [ARGS]... - -Automatically set library path, then run a program. - -This mode accepts the following additional options: - - -dlopen FILE add the directory containing FILE to the library path - -This mode sets the library path environment variable according to \`-dlopen' -flags. - -If any of the ARGS are libtool executable wrappers, then they are translated -into their corresponding uninstalled binary, and any of their required library -directories are added to the library path. - -Then, COMMAND is executed, with ARGS as arguments." 
- ;; - - finish) - $ECHO \ -"Usage: $progname [OPTION]... --mode=finish [LIBDIR]... - -Complete the installation of libtool libraries. - -Each LIBDIR is a directory that contains libtool libraries. - -The commands that this mode executes may require superuser privileges. Use -the \`--dry-run' option if you just want to see what would be executed." - ;; - - install) - $ECHO \ -"Usage: $progname [OPTION]... --mode=install INSTALL-COMMAND... - -Install executables or libraries. - -INSTALL-COMMAND is the installation command. The first component should be -either the \`install' or \`cp' program. - -The following components of INSTALL-COMMAND are treated specially: - - -inst-prefix-dir PREFIX-DIR Use PREFIX-DIR as a staging area for installation - -The rest of the components are interpreted as arguments to that command (only -BSD-compatible install options are recognized)." - ;; - - link) - $ECHO \ -"Usage: $progname [OPTION]... --mode=link LINK-COMMAND... - -Link object files or libraries together to form another library, or to -create an executable program. - -LINK-COMMAND is a command using the C compiler that you would use to create -a program from several object files. 
- -The following components of LINK-COMMAND are treated specially: - - -all-static do not do any dynamic linking at all - -avoid-version do not add a version suffix if possible - -bindir BINDIR specify path to binaries directory (for systems where - libraries must be found in the PATH setting at runtime) - -dlopen FILE \`-dlpreopen' FILE if it cannot be dlopened at runtime - -dlpreopen FILE link in FILE and add its symbols to lt_preloaded_symbols - -export-dynamic allow symbols from OUTPUT-FILE to be resolved with dlsym(3) - -export-symbols SYMFILE - try to export only the symbols listed in SYMFILE - -export-symbols-regex REGEX - try to export only the symbols matching REGEX - -LLIBDIR search LIBDIR for required installed libraries - -lNAME OUTPUT-FILE requires the installed library libNAME - -module build a library that can dlopened - -no-fast-install disable the fast-install mode - -no-install link a not-installable executable - -no-undefined declare that a library does not refer to external symbols - -o OUTPUT-FILE create OUTPUT-FILE from the specified objects - -objectlist FILE Use a list of object files found in FILE to specify objects - -precious-files-regex REGEX - don't remove output files matching REGEX - -release RELEASE specify package release information - -rpath LIBDIR the created library will eventually be installed in LIBDIR - -R[ ]LIBDIR add LIBDIR to the runtime path of programs and libraries - -shared only do dynamic linking of libtool libraries - -shrext SUFFIX override the standard shared library file extension - -static do not do any dynamic linking of uninstalled libtool libraries - -static-libtool-libs - do not do any dynamic linking of libtool libraries - -version-info CURRENT[:REVISION[:AGE]] - specify library version info [each variable defaults to 0] - -weak LIBNAME declare that the target provides the LIBNAME interface - -Wc,FLAG - -Xcompiler FLAG pass linker-specific FLAG directly to the compiler - -Wl,FLAG - -Xlinker FLAG pass 
linker-specific FLAG directly to the linker - -XCClinker FLAG pass link-specific FLAG to the compiler driver (CC) - -All other options (arguments beginning with \`-') are ignored. - -Every other argument is treated as a filename. Files ending in \`.la' are -treated as uninstalled libtool libraries, other files are standard or library -object files. - -If the OUTPUT-FILE ends in \`.la', then a libtool library is created, -only library objects (\`.lo' files) may be specified, and \`-rpath' is -required, except when creating a convenience library. - -If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created -using \`ar' and \`ranlib', or on Windows using \`lib'. - -If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file -is created, otherwise an executable program is created." - ;; - - uninstall) - $ECHO \ -"Usage: $progname [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE... - -Remove libraries from an installation directory. - -RM is the name of the program to use to delete files associated with each FILE -(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed -to RM. - -If FILE is a libtool library, all the files associated with it are deleted. -Otherwise, only FILE itself is deleted using RM." - ;; - - *) - func_fatal_help "invalid operation mode \`$opt_mode'" - ;; - esac - - echo - $ECHO "Try \`$progname --help' for more information about other modes." 
-} - -# Now that we've collected a possible --mode arg, show help if necessary -if $opt_help; then - if test "$opt_help" = :; then - func_mode_help - else - { - func_help noexit - for opt_mode in compile link execute install finish uninstall clean; do - func_mode_help - done - } | sed -n '1p; 2,$s/^Usage:/ or: /p' - { - func_help noexit - for opt_mode in compile link execute install finish uninstall clean; do - echo - func_mode_help - done - } | - sed '1d - /^When reporting/,/^Report/{ - H - d - } - $x - /information about other modes/d - /more detailed .*MODE/d - s/^Usage:.*--mode=\([^ ]*\) .*/Description of \1 mode:/' - fi - exit $? -fi - - -# func_mode_execute arg... -func_mode_execute () -{ - $opt_debug - # The first argument is the command name. - cmd="$nonopt" - test -z "$cmd" && \ - func_fatal_help "you must specify a COMMAND" - - # Handle -dlopen flags immediately. - for file in $opt_dlopen; do - test -f "$file" \ - || func_fatal_help "\`$file' is not a file" - - dir= - case $file in - *.la) - func_resolve_sysroot "$file" - file=$func_resolve_sysroot_result - - # Check to see that this really is a libtool archive. - func_lalib_unsafe_p "$file" \ - || func_fatal_help "\`$lib' is not a valid libtool archive" - - # Read the libtool library. - dlname= - library_names= - func_source "$file" - - # Skip this library if it cannot be dlopened. - if test -z "$dlname"; then - # Warn if it was a shared library. - test -n "$library_names" && \ - func_warning "\`$file' was not linked with \`-export-dynamic'" - continue - fi - - func_dirname "$file" "" "." - dir="$func_dirname_result" - - if test -f "$dir/$objdir/$dlname"; then - func_append dir "/$objdir" - else - if test ! -f "$dir/$dlname"; then - func_fatal_error "cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" - fi - fi - ;; - - *.lo) - # Just add the directory containing the .lo file. - func_dirname "$file" "" "." 
- dir="$func_dirname_result" - ;; - - *) - func_warning "\`-dlopen' is ignored for non-libtool libraries and objects" - continue - ;; - esac - - # Get the absolute pathname. - absdir=`cd "$dir" && pwd` - test -n "$absdir" && dir="$absdir" - - # Now add the directory to shlibpath_var. - if eval "test -z \"\$$shlibpath_var\""; then - eval "$shlibpath_var=\"\$dir\"" - else - eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\"" - fi - done - - # This variable tells wrapper scripts just to set shlibpath_var - # rather than running their programs. - libtool_execute_magic="$magic" - - # Check if any of the arguments is a wrapper script. - args= - for file - do - case $file in - -* | *.la | *.lo ) ;; - *) - # Do a test to see if this is really a libtool program. - if func_ltwrapper_script_p "$file"; then - func_source "$file" - # Transform arg to wrapped name. - file="$progdir/$program" - elif func_ltwrapper_executable_p "$file"; then - func_ltwrapper_scriptname "$file" - func_source "$func_ltwrapper_scriptname_result" - # Transform arg to wrapped name. - file="$progdir/$program" - fi - ;; - esac - # Quote arguments (to preserve shell metacharacters). - func_append_quoted args "$file" - done - - if test "X$opt_dry_run" = Xfalse; then - if test -n "$shlibpath_var"; then - # Export the shlibpath_var. - eval "export $shlibpath_var" - fi - - # Restore saved environment variables - for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES - do - eval "if test \"\${save_$lt_var+set}\" = set; then - $lt_var=\$save_$lt_var; export $lt_var - else - $lt_unset $lt_var - fi" - done - - # Now prepare to actually exec the command. - exec_cmd="\$cmd$args" - else - # Display what would be done. - if test -n "$shlibpath_var"; then - eval "\$ECHO \"\$shlibpath_var=\$$shlibpath_var\"" - echo "export $shlibpath_var" - fi - $ECHO "$cmd$args" - exit $EXIT_SUCCESS - fi -} - -test "$opt_mode" = execute && func_mode_execute ${1+"$@"} - - -# func_mode_finish arg... 
-func_mode_finish () -{ - $opt_debug - libs= - libdirs= - admincmds= - - for opt in "$nonopt" ${1+"$@"} - do - if test -d "$opt"; then - func_append libdirs " $opt" - - elif test -f "$opt"; then - if func_lalib_unsafe_p "$opt"; then - func_append libs " $opt" - else - func_warning "\`$opt' is not a valid libtool archive" - fi - - else - func_fatal_error "invalid argument \`$opt'" - fi - done - - if test -n "$libs"; then - if test -n "$lt_sysroot"; then - sysroot_regex=`$ECHO "$lt_sysroot" | $SED "$sed_make_literal_regex"` - sysroot_cmd="s/\([ ']\)$sysroot_regex/\1/g;" - else - sysroot_cmd= - fi - - # Remove sysroot references - if $opt_dry_run; then - for lib in $libs; do - echo "removing references to $lt_sysroot and \`=' prefixes from $lib" - done - else - tmpdir=`func_mktempdir` - for lib in $libs; do - sed -e "${sysroot_cmd} s/\([ ']-[LR]\)=/\1/g; s/\([ ']\)=/\1/g" $lib \ - > $tmpdir/tmp-la - mv -f $tmpdir/tmp-la $lib - done - ${RM}r "$tmpdir" - fi - fi - - if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then - for libdir in $libdirs; do - if test -n "$finish_cmds"; then - # Do each command in the finish commands. - func_execute_cmds "$finish_cmds" 'admincmds="$admincmds -'"$cmd"'"' - fi - if test -n "$finish_eval"; then - # Do the single finish_eval. - eval cmds=\"$finish_eval\" - $opt_dry_run || eval "$cmds" || func_append admincmds " - $cmds" - fi - done - fi - - # Exit here if they wanted silent mode. - $opt_silent && exit $EXIT_SUCCESS - - exit $EXIT_SUCCESS -} - -test "$opt_mode" = finish && func_mode_finish ${1+"$@"} - - -# func_mode_install arg... -func_mode_install () -{ - $opt_debug - # There may be an optional sh(1) argument at the beginning of - # install_prog (especially on Windows NT). - if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh || - # Allow the use of GNU shtool's install command. - case $nonopt in *shtool*) :;; *) false;; esac; then - # Aesthetically quote it. 
- func_quote_for_eval "$nonopt" - install_prog="$func_quote_for_eval_result " - arg=$1 - shift - else - install_prog= - arg=$nonopt - fi - - # The real first argument should be the name of the installation program. - # Aesthetically quote it. - func_quote_for_eval "$arg" - func_append install_prog "$func_quote_for_eval_result" - install_shared_prog=$install_prog - case " $install_prog " in - *[\\\ /]cp\ *) install_cp=: ;; - *) install_cp=false ;; - esac - - # We need to accept at least all the BSD install flags. - dest= - files= - opts= - prev= - install_type= - isdir=no - stripme= - no_mode=: - for arg - do - arg2= - if test -n "$dest"; then - func_append files " $dest" - dest=$arg - continue - fi - - case $arg in - -d) isdir=yes ;; - -f) - if $install_cp; then :; else - prev=$arg - fi - ;; - -g | -m | -o) - prev=$arg - ;; - -s) - stripme=" -s" - continue - ;; - -*) - ;; - *) - # If the previous option needed an argument, then skip it. - if test -n "$prev"; then - if test "x$prev" = x-m && test -n "$install_override_mode"; then - arg2=$install_override_mode - no_mode=false - fi - prev= - else - dest=$arg - continue - fi - ;; - esac - - # Aesthetically quote the argument. 
- func_quote_for_eval "$arg" - func_append install_prog " $func_quote_for_eval_result" - if test -n "$arg2"; then - func_quote_for_eval "$arg2" - fi - func_append install_shared_prog " $func_quote_for_eval_result" - done - case " $install_prog " in - *[\\\ /]cp\ *) extra_mode=;; - *) extra_mode='-m 644';; - esac - - test -z "$install_prog" && \ - func_fatal_help "you must specify an install program" - - test -n "$prev" && \ - func_fatal_help "the \`$prev' option requires an argument" - - if test -n "$install_override_mode" && $no_mode; then - if $install_cp; then :; else - func_quote_for_eval "$install_override_mode" - func_append install_shared_prog " -m $func_quote_for_eval_result" - fi - fi - - if test -z "$files"; then - if test -z "$dest"; then - func_fatal_help "no file or destination specified" - else - func_fatal_help "you must specify a destination" - fi - fi - - # Strip any trailing slash from the destination. - func_stripname '' '/' "$dest" - dest=$func_stripname_result - - # Check to see that the destination is a directory. - test -d "$dest" && isdir=yes - if test "$isdir" = yes; then - destdir="$dest" - destname= - else - func_dirname_and_basename "$dest" "" "." - destdir="$func_dirname_result" - destname="$func_basename_result" - - # Not a directory, so check to see that there is only one file specified. - set dummy $files; shift - test "$#" -gt 1 && \ - func_fatal_help "\`$dest' is not a directory" - fi - case $destdir in - [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - for file in $files; do - case $file in - *.lo) ;; - *) - func_fatal_help "\`$destdir' must be an absolute directory name" - ;; - esac - done - ;; - esac - - # This variable tells wrapper scripts just to set variables rather - # than running their programs. - libtool_install_magic="$magic" - - staticlibs= - future_libdirs= - current_libdirs= - for file in $files; do - - # Do each installation. - case $file in - *.$libext) - # Do the static libraries later. 
- func_append staticlibs " $file" - ;; - - *.la) - func_resolve_sysroot "$file" - file=$func_resolve_sysroot_result - - # Check to see that this really is a libtool archive. - func_lalib_unsafe_p "$file" \ - || func_fatal_help "\`$file' is not a valid libtool archive" - - library_names= - old_library= - relink_command= - func_source "$file" - - # Add the libdir to current_libdirs if it is the destination. - if test "X$destdir" = "X$libdir"; then - case "$current_libdirs " in - *" $libdir "*) ;; - *) func_append current_libdirs " $libdir" ;; - esac - else - # Note the libdir as a future libdir. - case "$future_libdirs " in - *" $libdir "*) ;; - *) func_append future_libdirs " $libdir" ;; - esac - fi - - func_dirname "$file" "/" "" - dir="$func_dirname_result" - func_append dir "$objdir" - - if test -n "$relink_command"; then - # Determine the prefix the user has applied to our future dir. - inst_prefix_dir=`$ECHO "$destdir" | $SED -e "s%$libdir\$%%"` - - # Don't allow the user to place us outside of our expected - # location b/c this prevents finding dependent libraries that - # are installed to the same prefix. - # At present, this check doesn't affect windows .dll's that - # are installed into $libdir/../bin (currently, that works fine) - # but it's something to keep an eye on. - test "$inst_prefix_dir" = "$destdir" && \ - func_fatal_error "error: cannot install \`$file' to a directory not ending in $libdir" - - if test -n "$inst_prefix_dir"; then - # Stick the inst_prefix_dir data into the link command. - relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"` - else - relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%%"` - fi - - func_warning "relinking \`$file'" - func_show_eval "$relink_command" \ - 'func_fatal_error "error: relink \`$file'\'' with the above command before installing it"' - fi - - # See the names of the shared library. 
- set dummy $library_names; shift - if test -n "$1"; then - realname="$1" - shift - - srcname="$realname" - test -n "$relink_command" && srcname="$realname"T - - # Install the shared library and build the symlinks. - func_show_eval "$install_shared_prog $extra_mode $dir/$srcname $destdir/$realname" \ - 'exit $?' - tstripme="$stripme" - case $host_os in - cygwin* | mingw* | pw32* | cegcc*) - case $realname in - *.dll.a) - tstripme="" - ;; - esac - ;; - esac - if test -n "$tstripme" && test -n "$striplib"; then - func_show_eval "$striplib $destdir/$realname" 'exit $?' - fi - - if test "$#" -gt 0; then - # Delete the old symlinks, and create new ones. - # Try `ln -sf' first, because the `ln' binary might depend on - # the symlink we replace! Solaris /bin/ln does not understand -f, - # so we also need to try rm && ln -s. - for linkname - do - test "$linkname" != "$realname" \ - && func_show_eval "(cd $destdir && { $LN_S -f $realname $linkname || { $RM $linkname && $LN_S $realname $linkname; }; })" - done - fi - - # Do each command in the postinstall commands. - lib="$destdir/$realname" - func_execute_cmds "$postinstall_cmds" 'exit $?' - fi - - # Install the pseudo-library for information purposes. - func_basename "$file" - name="$func_basename_result" - instname="$dir/$name"i - func_show_eval "$install_prog $extra_mode $instname $destdir/$name" 'exit $?' - - # Maybe install the static library, too. - test -n "$old_library" && func_append staticlibs " $dir/$old_library" - ;; - - *.lo) - # Install (i.e. copy) a libtool object. - - # Figure out destination file name, if it wasn't already specified. - if test -n "$destname"; then - destfile="$destdir/$destname" - else - func_basename "$file" - destfile="$func_basename_result" - destfile="$destdir/$destfile" - fi - - # Deduce the name of the destination old-style object file. 
- case $destfile in - *.lo) - func_lo2o "$destfile" - staticdest=$func_lo2o_result - ;; - *.$objext) - staticdest="$destfile" - destfile= - ;; - *) - func_fatal_help "cannot copy a libtool object to \`$destfile'" - ;; - esac - - # Install the libtool object if requested. - test -n "$destfile" && \ - func_show_eval "$install_prog $extra_mode $file $destfile" 'exit $?' - - # Install the old object if enabled. - if test "$build_old_libs" = yes; then - # Deduce the name of the old-style object file. - func_lo2o "$file" - staticobj=$func_lo2o_result - func_show_eval "$install_prog $extra_mode \$staticobj \$staticdest" 'exit $?' - fi - exit $EXIT_SUCCESS - ;; - - *) - # Figure out destination file name, if it wasn't already specified. - if test -n "$destname"; then - destfile="$destdir/$destname" - else - func_basename "$file" - destfile="$func_basename_result" - destfile="$destdir/$destfile" - fi - - # If the file is missing, and there is a .exe on the end, strip it - # because it is most likely a libtool script we actually want to - # install - stripped_ext="" - case $file in - *.exe) - if test ! -f "$file"; then - func_stripname '' '.exe' "$file" - file=$func_stripname_result - stripped_ext=".exe" - fi - ;; - esac - - # Do a test to see if this is really a libtool program. - case $host in - *cygwin* | *mingw*) - if func_ltwrapper_executable_p "$file"; then - func_ltwrapper_scriptname "$file" - wrapper=$func_ltwrapper_scriptname_result - else - func_stripname '' '.exe' "$file" - wrapper=$func_stripname_result - fi - ;; - *) - wrapper=$file - ;; - esac - if func_ltwrapper_script_p "$wrapper"; then - notinst_deplibs= - relink_command= - - func_source "$wrapper" - - # Check the variables that should have been set. - test -z "$generated_by_libtool_version" && \ - func_fatal_error "invalid libtool wrapper script \`$wrapper'" - - finalize=yes - for lib in $notinst_deplibs; do - # Check to see that each library is installed. 
- libdir= - if test -f "$lib"; then - func_source "$lib" - fi - libfile="$libdir/"`$ECHO "$lib" | $SED 's%^.*/%%g'` ### testsuite: skip nested quoting test - if test -n "$libdir" && test ! -f "$libfile"; then - func_warning "\`$lib' has not been installed in \`$libdir'" - finalize=no - fi - done - - relink_command= - func_source "$wrapper" - - outputname= - if test "$fast_install" = no && test -n "$relink_command"; then - $opt_dry_run || { - if test "$finalize" = yes; then - tmpdir=`func_mktempdir` - func_basename "$file$stripped_ext" - file="$func_basename_result" - outputname="$tmpdir/$file" - # Replace the output file specification. - relink_command=`$ECHO "$relink_command" | $SED 's%@OUTPUT@%'"$outputname"'%g'` - - $opt_silent || { - func_quote_for_expand "$relink_command" - eval "func_echo $func_quote_for_expand_result" - } - if eval "$relink_command"; then : - else - func_error "error: relink \`$file' with the above command before installing it" - $opt_dry_run || ${RM}r "$tmpdir" - continue - fi - file="$outputname" - else - func_warning "cannot relink \`$file'" - fi - } - else - # Install the binary that we compiled earlier. - file=`$ECHO "$file$stripped_ext" | $SED "s%\([^/]*\)$%$objdir/\1%"` - fi - fi - - # remove .exe since cygwin /usr/bin/install will append another - # one anyway - case $install_prog,$host in - */usr/bin/install*,*cygwin*) - case $file:$destfile in - *.exe:*.exe) - # this is ok - ;; - *.exe:*) - destfile=$destfile.exe - ;; - *:*.exe) - func_stripname '' '.exe' "$destfile" - destfile=$func_stripname_result - ;; - esac - ;; - esac - func_show_eval "$install_prog\$stripme \$file \$destfile" 'exit $?' - $opt_dry_run || if test -n "$outputname"; then - ${RM}r "$tmpdir" - fi - ;; - esac - done - - for file in $staticlibs; do - func_basename "$file" - name="$func_basename_result" - - # Set up the ranlib parameters. 
- oldlib="$destdir/$name" - func_to_tool_file "$oldlib" func_convert_file_msys_to_w32 - tool_oldlib=$func_to_tool_file_result - - func_show_eval "$install_prog \$file \$oldlib" 'exit $?' - - if test -n "$stripme" && test -n "$old_striplib"; then - func_show_eval "$old_striplib $tool_oldlib" 'exit $?' - fi - - # Do each command in the postinstall commands. - func_execute_cmds "$old_postinstall_cmds" 'exit $?' - done - - test -n "$future_libdirs" && \ - func_warning "remember to run \`$progname --finish$future_libdirs'" - - if test -n "$current_libdirs"; then - # Maybe just do a dry run. - $opt_dry_run && current_libdirs=" -n$current_libdirs" - exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs' - else - exit $EXIT_SUCCESS - fi -} - -test "$opt_mode" = install && func_mode_install ${1+"$@"} - - -# func_generate_dlsyms outputname originator pic_p -# Extract symbols from dlprefiles and create ${outputname}S.o with -# a dlpreopen symbol table. -func_generate_dlsyms () -{ - $opt_debug - my_outputname="$1" - my_originator="$2" - my_pic_p="${3-no}" - my_prefix=`$ECHO "$my_originator" | sed 's%[^a-zA-Z0-9]%_%g'` - my_dlsyms= - - if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then - if test -n "$NM" && test -n "$global_symbol_pipe"; then - my_dlsyms="${my_outputname}S.c" - else - func_error "not configured to extract global symbols from dlpreopened files" - fi - fi - - if test -n "$my_dlsyms"; then - case $my_dlsyms in - "") ;; - *.c) - # Discover the nlist of each of the dlfiles. - nlist="$output_objdir/${my_outputname}.nm" - - func_show_eval "$RM $nlist ${nlist}S ${nlist}T" - - # Parse the name list into a source file. - func_verbose "creating $output_objdir/$my_dlsyms" - - $opt_dry_run || $ECHO > "$output_objdir/$my_dlsyms" "\ -/* $my_dlsyms - symbol resolution table for \`$my_outputname' dlsym emulation. 
*/ -/* Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION */ - -#ifdef __cplusplus -extern \"C\" { -#endif - -#if defined(__GNUC__) && (((__GNUC__ == 4) && (__GNUC_MINOR__ >= 4)) || (__GNUC__ > 4)) -#pragma GCC diagnostic ignored \"-Wstrict-prototypes\" -#endif - -/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests. */ -#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE) -/* DATA imports from DLLs on WIN32 con't be const, because runtime - relocations are performed -- see ld's documentation on pseudo-relocs. */ -# define LT_DLSYM_CONST -#elif defined(__osf__) -/* This system does not cope well with relocations in const data. */ -# define LT_DLSYM_CONST -#else -# define LT_DLSYM_CONST const -#endif - -/* External symbol declarations for the compiler. */\ -" - - if test "$dlself" = yes; then - func_verbose "generating symbol list for \`$output'" - - $opt_dry_run || echo ': @PROGRAM@ ' > "$nlist" - - # Add our own program objects to the symbol list. 
- progfiles=`$ECHO "$objs$old_deplibs" | $SP2NL | $SED "$lo2o" | $NL2SP` - for progfile in $progfiles; do - func_to_tool_file "$progfile" func_convert_file_msys_to_w32 - func_verbose "extracting global C symbols from \`$func_to_tool_file_result'" - $opt_dry_run || eval "$NM $func_to_tool_file_result | $global_symbol_pipe >> '$nlist'" - done - - if test -n "$exclude_expsyms"; then - $opt_dry_run || { - eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T' - eval '$MV "$nlist"T "$nlist"' - } - fi - - if test -n "$export_symbols_regex"; then - $opt_dry_run || { - eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T' - eval '$MV "$nlist"T "$nlist"' - } - fi - - # Prepare the list of exported symbols - if test -z "$export_symbols"; then - export_symbols="$output_objdir/$outputname.exp" - $opt_dry_run || { - $RM $export_symbols - eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"' - case $host in - *cygwin* | *mingw* | *cegcc* ) - eval "echo EXPORTS "'> "$output_objdir/$outputname.def"' - eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"' - ;; - esac - } - else - $opt_dry_run || { - eval "${SED} -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"' - eval '$GREP -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T' - eval '$MV "$nlist"T "$nlist"' - case $host in - *cygwin* | *mingw* | *cegcc* ) - eval "echo EXPORTS "'> "$output_objdir/$outputname.def"' - eval 'cat "$nlist" >> "$output_objdir/$outputname.def"' - ;; - esac - } - fi - fi - - for dlprefile in $dlprefiles; do - func_verbose "extracting global C symbols from \`$dlprefile'" - func_basename "$dlprefile" - name="$func_basename_result" - case $host in - *cygwin* | *mingw* | *cegcc* ) - # if an import library, we need to obtain dlname - if func_win32_import_lib_p "$dlprefile"; then - func_tr_sh "$dlprefile" - eval "curr_lafile=\$libfile_$func_tr_sh_result" - 
dlprefile_dlbasename="" - if test -n "$curr_lafile" && func_lalib_p "$curr_lafile"; then - # Use subshell, to avoid clobbering current variable values - dlprefile_dlname=`source "$curr_lafile" && echo "$dlname"` - if test -n "$dlprefile_dlname" ; then - func_basename "$dlprefile_dlname" - dlprefile_dlbasename="$func_basename_result" - else - # no lafile. user explicitly requested -dlpreopen . - $sharedlib_from_linklib_cmd "$dlprefile" - dlprefile_dlbasename=$sharedlib_from_linklib_result - fi - fi - $opt_dry_run || { - if test -n "$dlprefile_dlbasename" ; then - eval '$ECHO ": $dlprefile_dlbasename" >> "$nlist"' - else - func_warning "Could not compute DLL name from $name" - eval '$ECHO ": $name " >> "$nlist"' - fi - func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 - eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe | - $SED -e '/I __imp/d' -e 's/I __nm_/D /;s/_nm__//' >> '$nlist'" - } - else # not an import lib - $opt_dry_run || { - eval '$ECHO ": $name " >> "$nlist"' - func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 - eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'" - } - fi - ;; - *) - $opt_dry_run || { - eval '$ECHO ": $name " >> "$nlist"' - func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 - eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'" - } - ;; - esac - done - - $opt_dry_run || { - # Make sure we have at least an empty file. - test -f "$nlist" || : > "$nlist" - - if test -n "$exclude_expsyms"; then - $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T - $MV "$nlist"T "$nlist" - fi - - # Try sorting and uniquifying the output. 
- if $GREP -v "^: " < "$nlist" | - if sort -k 3 /dev/null 2>&1; then - sort -k 3 - else - sort +2 - fi | - uniq > "$nlist"S; then - : - else - $GREP -v "^: " < "$nlist" > "$nlist"S - fi - - if test -f "$nlist"S; then - eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$my_dlsyms"' - else - echo '/* NONE */' >> "$output_objdir/$my_dlsyms" - fi - - echo >> "$output_objdir/$my_dlsyms" "\ - -/* The mapping between symbol names and symbols. */ -typedef struct { - const char *name; - void *address; -} lt_dlsymlist; -extern LT_DLSYM_CONST lt_dlsymlist -lt_${my_prefix}_LTX_preloaded_symbols[]; -LT_DLSYM_CONST lt_dlsymlist -lt_${my_prefix}_LTX_preloaded_symbols[] = -{\ - { \"$my_originator\", (void *) 0 }," - - case $need_lib_prefix in - no) - eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$my_dlsyms" - ;; - *) - eval "$global_symbol_to_c_name_address_lib_prefix" < "$nlist" >> "$output_objdir/$my_dlsyms" - ;; - esac - echo >> "$output_objdir/$my_dlsyms" "\ - {0, (void *) 0} -}; - -/* This works around a problem in FreeBSD linker */ -#ifdef FREEBSD_WORKAROUND -static const void *lt_preloaded_setup() { - return lt_${my_prefix}_LTX_preloaded_symbols; -} -#endif - -#ifdef __cplusplus -} -#endif\ -" - } # !$opt_dry_run - - pic_flag_for_symtable= - case "$compile_command " in - *" -static "*) ;; - *) - case $host in - # compiling the symbol table file with pic_flag works around - # a FreeBSD bug that causes programs to crash when -lm is - # linked before any other PIC object. But we must not use - # pic_flag when linking with -static. The problem exists in - # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1. 
- *-*-freebsd2.*|*-*-freebsd3.0*|*-*-freebsdelf3.0*) - pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;; - *-*-hpux*) - pic_flag_for_symtable=" $pic_flag" ;; - *) - if test "X$my_pic_p" != Xno; then - pic_flag_for_symtable=" $pic_flag" - fi - ;; - esac - ;; - esac - symtab_cflags= - for arg in $LTCFLAGS; do - case $arg in - -pie | -fpie | -fPIE) ;; - *) func_append symtab_cflags " $arg" ;; - esac - done - - # Now compile the dynamic symbol file. - func_show_eval '(cd $output_objdir && $LTCC$symtab_cflags -c$no_builtin_flag$pic_flag_for_symtable "$my_dlsyms")' 'exit $?' - - # Clean up the generated files. - func_show_eval '$RM "$output_objdir/$my_dlsyms" "$nlist" "${nlist}S" "${nlist}T"' - - # Transform the symbol file into the correct name. - symfileobj="$output_objdir/${my_outputname}S.$objext" - case $host in - *cygwin* | *mingw* | *cegcc* ) - if test -f "$output_objdir/$my_outputname.def"; then - compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"` - finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"` - else - compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"` - finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"` - fi - ;; - *) - compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"` - finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"` - ;; - esac - ;; - *) - func_fatal_error "unknown suffix for \`$my_dlsyms'" - ;; - esac - else - # We keep going just in case the user didn't refer to - # lt_preloaded_symbols. The linker will fail if global_symbol_pipe - # really was required. - - # Nullify the symbol file. 
- compile_command=`$ECHO "$compile_command" | $SED "s% @SYMFILE@%%"` - finalize_command=`$ECHO "$finalize_command" | $SED "s% @SYMFILE@%%"` - fi -} - -# func_win32_libid arg -# return the library type of file 'arg' -# -# Need a lot of goo to handle *both* DLLs and import libs -# Has to be a shell function in order to 'eat' the argument -# that is supplied when $file_magic_command is called. -# Despite the name, also deal with 64 bit binaries. -func_win32_libid () -{ - $opt_debug - win32_libid_type="unknown" - win32_fileres=`file -L $1 2>/dev/null` - case $win32_fileres in - *ar\ archive\ import\ library*) # definitely import - win32_libid_type="x86 archive import" - ;; - *ar\ archive*) # could be an import, or static - # Keep the egrep pattern in sync with the one in _LT_CHECK_MAGIC_METHOD. - if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | - $EGREP 'file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' >/dev/null; then - func_to_tool_file "$1" func_convert_file_msys_to_w32 - win32_nmres=`eval $NM -f posix -A \"$func_to_tool_file_result\" | - $SED -n -e ' - 1,100{ - / I /{ - s,.*,import, - p - q - } - }'` - case $win32_nmres in - import*) win32_libid_type="x86 archive import";; - *) win32_libid_type="x86 archive static";; - esac - fi - ;; - *DLL*) - win32_libid_type="x86 DLL" - ;; - *executable*) # but shell scripts are "executable" too... - case $win32_fileres in - *MS\ Windows\ PE\ Intel*) - win32_libid_type="x86 DLL" - ;; - esac - ;; - esac - $ECHO "$win32_libid_type" -} - -# func_cygming_dll_for_implib ARG -# -# Platform-specific function to extract the -# name of the DLL associated with the specified -# import library ARG. 
-# Invoked by eval'ing the libtool variable -# $sharedlib_from_linklib_cmd -# Result is available in the variable -# $sharedlib_from_linklib_result -func_cygming_dll_for_implib () -{ - $opt_debug - sharedlib_from_linklib_result=`$DLLTOOL --identify-strict --identify "$1"` -} - -# func_cygming_dll_for_implib_fallback_core SECTION_NAME LIBNAMEs -# -# The is the core of a fallback implementation of a -# platform-specific function to extract the name of the -# DLL associated with the specified import library LIBNAME. -# -# SECTION_NAME is either .idata$6 or .idata$7, depending -# on the platform and compiler that created the implib. -# -# Echos the name of the DLL associated with the -# specified import library. -func_cygming_dll_for_implib_fallback_core () -{ - $opt_debug - match_literal=`$ECHO "$1" | $SED "$sed_make_literal_regex"` - $OBJDUMP -s --section "$1" "$2" 2>/dev/null | - $SED '/^Contents of section '"$match_literal"':/{ - # Place marker at beginning of archive member dllname section - s/.*/====MARK====/ - p - d - } - # These lines can sometimes be longer than 43 characters, but - # are always uninteresting - /:[ ]*file format pe[i]\{,1\}-/d - /^In archive [^:]*:/d - # Ensure marker is printed - /^====MARK====/p - # Remove all lines with less than 43 characters - /^.\{43\}/!d - # From remaining lines, remove first 43 characters - s/^.\{43\}//' | - $SED -n ' - # Join marker and all lines until next marker into a single line - /^====MARK====/ b para - H - $ b para - b - :para - x - s/\n//g - # Remove the marker - s/^====MARK====// - # Remove trailing dots and whitespace - s/[\. \t]*$// - # Print - /./p' | - # we now have a list, one entry per line, of the stringified - # contents of the appropriate section of all members of the - # archive which possess that section. Heuristic: eliminate - # all those which have a first or second character that is - # a '.' (that is, objdump's representation of an unprintable - # character.) 
This should work for all archives with less than - # 0x302f exports -- but will fail for DLLs whose name actually - # begins with a literal '.' or a single character followed by - # a '.'. - # - # Of those that remain, print the first one. - $SED -e '/^\./d;/^.\./d;q' -} - -# func_cygming_gnu_implib_p ARG -# This predicate returns with zero status (TRUE) if -# ARG is a GNU/binutils-style import library. Returns -# with nonzero status (FALSE) otherwise. -func_cygming_gnu_implib_p () -{ - $opt_debug - func_to_tool_file "$1" func_convert_file_msys_to_w32 - func_cygming_gnu_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $EGREP ' (_head_[A-Za-z0-9_]+_[ad]l*|[A-Za-z0-9_]+_[ad]l*_iname)$'` - test -n "$func_cygming_gnu_implib_tmp" -} - -# func_cygming_ms_implib_p ARG -# This predicate returns with zero status (TRUE) if -# ARG is an MS-style import library. Returns -# with nonzero status (FALSE) otherwise. -func_cygming_ms_implib_p () -{ - $opt_debug - func_to_tool_file "$1" func_convert_file_msys_to_w32 - func_cygming_ms_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $GREP '_NULL_IMPORT_DESCRIPTOR'` - test -n "$func_cygming_ms_implib_tmp" -} - -# func_cygming_dll_for_implib_fallback ARG -# Platform-specific function to extract the -# name of the DLL associated with the specified -# import library ARG. -# -# This fallback implementation is for use when $DLLTOOL -# does not support the --identify-strict option. 
-# Invoked by eval'ing the libtool variable -# $sharedlib_from_linklib_cmd -# Result is available in the variable -# $sharedlib_from_linklib_result -func_cygming_dll_for_implib_fallback () -{ - $opt_debug - if func_cygming_gnu_implib_p "$1" ; then - # binutils import library - sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$7' "$1"` - elif func_cygming_ms_implib_p "$1" ; then - # ms-generated import library - sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$6' "$1"` - else - # unknown - sharedlib_from_linklib_result="" - fi -} - - -# func_extract_an_archive dir oldlib -func_extract_an_archive () -{ - $opt_debug - f_ex_an_ar_dir="$1"; shift - f_ex_an_ar_oldlib="$1" - if test "$lock_old_archive_extraction" = yes; then - lockfile=$f_ex_an_ar_oldlib.lock - until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do - func_echo "Waiting for $lockfile to be removed" - sleep 2 - done - fi - func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" \ - 'stat=$?; rm -f "$lockfile"; exit $stat' - if test "$lock_old_archive_extraction" = yes; then - $opt_dry_run || rm -f "$lockfile" - fi - if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then - : - else - func_fatal_error "object name conflicts in archive: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib" - fi -} - - -# func_extract_archives gentop oldlib ... -func_extract_archives () -{ - $opt_debug - my_gentop="$1"; shift - my_oldlibs=${1+"$@"} - my_oldobjs="" - my_xlib="" - my_xabs="" - my_xdir="" - - for my_xlib in $my_oldlibs; do - # Extract the objects. 
- case $my_xlib in - [\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;; - *) my_xabs=`pwd`"/$my_xlib" ;; - esac - func_basename "$my_xlib" - my_xlib="$func_basename_result" - my_xlib_u=$my_xlib - while :; do - case " $extracted_archives " in - *" $my_xlib_u "*) - func_arith $extracted_serial + 1 - extracted_serial=$func_arith_result - my_xlib_u=lt$extracted_serial-$my_xlib ;; - *) break ;; - esac - done - extracted_archives="$extracted_archives $my_xlib_u" - my_xdir="$my_gentop/$my_xlib_u" - - func_mkdir_p "$my_xdir" - - case $host in - *-darwin*) - func_verbose "Extracting $my_xabs" - # Do not bother doing anything if just a dry run - $opt_dry_run || { - darwin_orig_dir=`pwd` - cd $my_xdir || exit $? - darwin_archive=$my_xabs - darwin_curdir=`pwd` - darwin_base_archive=`basename "$darwin_archive"` - darwin_arches=`$LIPO -info "$darwin_archive" 2>/dev/null | $GREP Architectures 2>/dev/null || true` - if test -n "$darwin_arches"; then - darwin_arches=`$ECHO "$darwin_arches" | $SED -e 's/.*are://'` - darwin_arch= - func_verbose "$darwin_base_archive has multiple architectures $darwin_arches" - for darwin_arch in $darwin_arches ; do - func_mkdir_p "unfat-$$/${darwin_base_archive}-${darwin_arch}" - $LIPO -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}" - cd "unfat-$$/${darwin_base_archive}-${darwin_arch}" - func_extract_an_archive "`pwd`" "${darwin_base_archive}" - cd "$darwin_curdir" - $RM "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" - done # $darwin_arches - ## Okay now we've a bunch of thin objects, gotta fatten them up :) - darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print | $SED -e "$basename" | sort -u` - darwin_file= - darwin_files= - for darwin_file in $darwin_filelist; do - darwin_files=`find unfat-$$ -name $darwin_file -print | sort | $NL2SP` - $LIPO -create -output "$darwin_file" $darwin_files - done # $darwin_filelist - $RM -rf unfat-$$ 
- cd "$darwin_orig_dir" - else - cd $darwin_orig_dir - func_extract_an_archive "$my_xdir" "$my_xabs" - fi # $darwin_arches - } # !$opt_dry_run - ;; - *) - func_extract_an_archive "$my_xdir" "$my_xabs" - ;; - esac - my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP` - done - - func_extract_archives_result="$my_oldobjs" -} - - -# func_emit_wrapper [arg=no] -# -# Emit a libtool wrapper script on stdout. -# Don't directly open a file because we may want to -# incorporate the script contents within a cygwin/mingw -# wrapper executable. Must ONLY be called from within -# func_mode_link because it depends on a number of variables -# set therein. -# -# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR -# variable will take. If 'yes', then the emitted script -# will assume that the directory in which it is stored is -# the $objdir directory. This is a cygwin/mingw-specific -# behavior. -func_emit_wrapper () -{ - func_emit_wrapper_arg1=${1-no} - - $ECHO "\ -#! $SHELL - -# $output - temporary wrapper script for $objdir/$outputname -# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION -# -# The $output program cannot be directly executed until all the libtool -# libraries that it depends on are installed. -# -# This wrapper script should never be moved out of the build directory. -# If it is, it will not operate correctly. - -# Sed substitution that helps us do robust quoting. It backslashifies -# metacharacters that are still active within double-quoted strings. -sed_quote_subst='$sed_quote_subst' - -# Be Bourne compatible -if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then - emulate sh - NULLCMD=: - # Zsh 3.x and 4.x performs word splitting on \${1+\"\$@\"}, which - # is contrary to our usage. Disable this feature. 
- alias -g '\${1+\"\$@\"}'='\"\$@\"' - setopt NO_GLOB_SUBST -else - case \`(set -o) 2>/dev/null\` in *posix*) set -o posix;; esac -fi -BIN_SH=xpg4; export BIN_SH # for Tru64 -DUALCASE=1; export DUALCASE # for MKS sh - -# The HP-UX ksh and POSIX shell print the target directory to stdout -# if CDPATH is set. -(unset CDPATH) >/dev/null 2>&1 && unset CDPATH - -relink_command=\"$relink_command\" - -# This environment variable determines our operation mode. -if test \"\$libtool_install_magic\" = \"$magic\"; then - # install mode needs the following variables: - generated_by_libtool_version='$macro_version' - notinst_deplibs='$notinst_deplibs' -else - # When we are sourced in execute mode, \$file and \$ECHO are already set. - if test \"\$libtool_execute_magic\" != \"$magic\"; then - file=\"\$0\"" - - qECHO=`$ECHO "$ECHO" | $SED "$sed_quote_subst"` - $ECHO "\ - -# A function that is used when there is no print builtin or printf. -func_fallback_echo () -{ - eval 'cat <<_LTECHO_EOF -\$1 -_LTECHO_EOF' -} - ECHO=\"$qECHO\" - fi - -# Very basic option parsing. These options are (a) specific to -# the libtool wrapper, (b) are identical between the wrapper -# /script/ and the wrapper /executable/ which is used only on -# windows platforms, and (c) all begin with the string "--lt-" -# (application programs are unlikely to have options which match -# this pattern). -# -# There are only two supported options: --lt-debug and -# --lt-dump-script. There is, deliberately, no --lt-help. -# -# The first argument to this parsing function should be the -# script's $0 value, followed by "$@". -lt_option_debug= -func_parse_lt_options () -{ - lt_script_arg0=\$0 - shift - for lt_opt - do - case \"\$lt_opt\" in - --lt-debug) lt_option_debug=1 ;; - --lt-dump-script) - lt_dump_D=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%/[^/]*$%%'\` - test \"X\$lt_dump_D\" = \"X\$lt_script_arg0\" && lt_dump_D=. 
- lt_dump_F=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%^.*/%%'\` - cat \"\$lt_dump_D/\$lt_dump_F\" - exit 0 - ;; - --lt-*) - \$ECHO \"Unrecognized --lt- option: '\$lt_opt'\" 1>&2 - exit 1 - ;; - esac - done - - # Print the debug banner immediately: - if test -n \"\$lt_option_debug\"; then - echo \"${outputname}:${output}:\${LINENO}: libtool wrapper (GNU $PACKAGE$TIMESTAMP) $VERSION\" 1>&2 - fi -} - -# Used when --lt-debug. Prints its arguments to stdout -# (redirection is the responsibility of the caller) -func_lt_dump_args () -{ - lt_dump_args_N=1; - for lt_arg - do - \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[\$lt_dump_args_N]: \$lt_arg\" - lt_dump_args_N=\`expr \$lt_dump_args_N + 1\` - done -} - -# Core function for launching the target application -func_exec_program_core () -{ -" - case $host in - # Backslashes separate directories on plain windows - *-*-mingw | *-*-os2* | *-cegcc*) - $ECHO "\ - if test -n \"\$lt_option_debug\"; then - \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir\\\\\$program\" 1>&2 - func_lt_dump_args \${1+\"\$@\"} 1>&2 - fi - exec \"\$progdir\\\\\$program\" \${1+\"\$@\"} -" - ;; - - *) - $ECHO "\ - if test -n \"\$lt_option_debug\"; then - \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir/\$program\" 1>&2 - func_lt_dump_args \${1+\"\$@\"} 1>&2 - fi - exec \"\$progdir/\$program\" \${1+\"\$@\"} -" - ;; - esac - $ECHO "\ - \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2 - exit 1 -} - -# A function to encapsulate launching the target application -# Strips options in the --lt-* namespace from \$@ and -# launches target application with the remaining arguments. 
-func_exec_program () -{ - case \" \$* \" in - *\\ --lt-*) - for lt_wr_arg - do - case \$lt_wr_arg in - --lt-*) ;; - *) set x \"\$@\" \"\$lt_wr_arg\"; shift;; - esac - shift - done ;; - esac - func_exec_program_core \${1+\"\$@\"} -} - - # Parse options - func_parse_lt_options \"\$0\" \${1+\"\$@\"} - - # Find the directory that this script lives in. - thisdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*$%%'\` - test \"x\$thisdir\" = \"x\$file\" && thisdir=. - - # Follow symbolic links until we get to the real thisdir. - file=\`ls -ld \"\$file\" | $SED -n 's/.*-> //p'\` - while test -n \"\$file\"; do - destdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*\$%%'\` - - # If there was a directory component, then change thisdir. - if test \"x\$destdir\" != \"x\$file\"; then - case \"\$destdir\" in - [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;; - *) thisdir=\"\$thisdir/\$destdir\" ;; - esac - fi - - file=\`\$ECHO \"\$file\" | $SED 's%^.*/%%'\` - file=\`ls -ld \"\$thisdir/\$file\" | $SED -n 's/.*-> //p'\` - done - - # Usually 'no', except on cygwin/mingw when embedded into - # the cwrapper. - WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_arg1 - if test \"\$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR\" = \"yes\"; then - # special case for '.' - if test \"\$thisdir\" = \".\"; then - thisdir=\`pwd\` - fi - # remove .libs from thisdir - case \"\$thisdir\" in - *[\\\\/]$objdir ) thisdir=\`\$ECHO \"\$thisdir\" | $SED 's%[\\\\/][^\\\\/]*$%%'\` ;; - $objdir ) thisdir=. ;; - esac - fi - - # Try to get the absolute directory name. - absdir=\`cd \"\$thisdir\" && pwd\` - test -n \"\$absdir\" && thisdir=\"\$absdir\" -" - - if test "$fast_install" = yes; then - $ECHO "\ - program=lt-'$outputname'$exeext - progdir=\"\$thisdir/$objdir\" - - if test ! -f \"\$progdir/\$program\" || - { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\ - test \"X\$file\" != \"X\$progdir/\$program\"; }; then - - file=\"\$\$-\$program\" - - if test ! 
-d \"\$progdir\"; then - $MKDIR \"\$progdir\" - else - $RM \"\$progdir/\$file\" - fi" - - $ECHO "\ - - # relink executable if necessary - if test -n \"\$relink_command\"; then - if relink_command_output=\`eval \$relink_command 2>&1\`; then : - else - $ECHO \"\$relink_command_output\" >&2 - $RM \"\$progdir/\$file\" - exit 1 - fi - fi - - $MV \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null || - { $RM \"\$progdir/\$program\"; - $MV \"\$progdir/\$file\" \"\$progdir/\$program\"; } - $RM \"\$progdir/\$file\" - fi" - else - $ECHO "\ - program='$outputname' - progdir=\"\$thisdir/$objdir\" -" - fi - - $ECHO "\ - - if test -f \"\$progdir/\$program\"; then" - - # fixup the dll searchpath if we need to. - # - # Fix the DLL searchpath if we need to. Do this before prepending - # to shlibpath, because on Windows, both are PATH and uninstalled - # libraries must come first. - if test -n "$dllsearchpath"; then - $ECHO "\ - # Add the dll search path components to the executable PATH - PATH=$dllsearchpath:\$PATH -" - fi - - # Export our shlibpath_var if we have one. - if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then - $ECHO "\ - # Add our own library path to $shlibpath_var - $shlibpath_var=\"$temp_rpath\$$shlibpath_var\" - - # Some systems cannot cope with colon-terminated $shlibpath_var - # The second colon is a workaround for a bug in BeOS R4 sed - $shlibpath_var=\`\$ECHO \"\$$shlibpath_var\" | $SED 's/::*\$//'\` - - export $shlibpath_var -" - fi - - $ECHO "\ - if test \"\$libtool_execute_magic\" != \"$magic\"; then - # Run the actual program with our arguments. - func_exec_program \${1+\"\$@\"} - fi - else - # The program doesn't exist. 
- \$ECHO \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2 - \$ECHO \"This script is just a wrapper for \$program.\" 1>&2 - \$ECHO \"See the $PACKAGE documentation for more information.\" 1>&2 - exit 1 - fi -fi\ -" -} - - -# func_emit_cwrapperexe_src -# emit the source code for a wrapper executable on stdout -# Must ONLY be called from within func_mode_link because -# it depends on a number of variable set therein. -func_emit_cwrapperexe_src () -{ - cat < -#include -#ifdef _MSC_VER -# include -# include -# include -#else -# include -# include -# ifdef __CYGWIN__ -# include -# endif -#endif -#include -#include -#include -#include -#include -#include -#include -#include - -/* declarations of non-ANSI functions */ -#if defined(__MINGW32__) -# ifdef __STRICT_ANSI__ -int _putenv (const char *); -# endif -#elif defined(__CYGWIN__) -# ifdef __STRICT_ANSI__ -char *realpath (const char *, char *); -int putenv (char *); -int setenv (const char *, const char *, int); -# endif -/* #elif defined (other platforms) ... */ -#endif - -/* portability defines, excluding path handling macros */ -#if defined(_MSC_VER) -# define setmode _setmode -# define stat _stat -# define chmod _chmod -# define getcwd _getcwd -# define putenv _putenv -# define S_IXUSR _S_IEXEC -# ifndef _INTPTR_T_DEFINED -# define _INTPTR_T_DEFINED -# define intptr_t int -# endif -#elif defined(__MINGW32__) -# define setmode _setmode -# define stat _stat -# define chmod _chmod -# define getcwd _getcwd -# define putenv _putenv -#elif defined(__CYGWIN__) -# define HAVE_SETENV -# define FOPEN_WB "wb" -/* #elif defined (other platforms) ... 
*/ -#endif - -#if defined(PATH_MAX) -# define LT_PATHMAX PATH_MAX -#elif defined(MAXPATHLEN) -# define LT_PATHMAX MAXPATHLEN -#else -# define LT_PATHMAX 1024 -#endif - -#ifndef S_IXOTH -# define S_IXOTH 0 -#endif -#ifndef S_IXGRP -# define S_IXGRP 0 -#endif - -/* path handling portability macros */ -#ifndef DIR_SEPARATOR -# define DIR_SEPARATOR '/' -# define PATH_SEPARATOR ':' -#endif - -#if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \ - defined (__OS2__) -# define HAVE_DOS_BASED_FILE_SYSTEM -# define FOPEN_WB "wb" -# ifndef DIR_SEPARATOR_2 -# define DIR_SEPARATOR_2 '\\' -# endif -# ifndef PATH_SEPARATOR_2 -# define PATH_SEPARATOR_2 ';' -# endif -#endif - -#ifndef DIR_SEPARATOR_2 -# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR) -#else /* DIR_SEPARATOR_2 */ -# define IS_DIR_SEPARATOR(ch) \ - (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2)) -#endif /* DIR_SEPARATOR_2 */ - -#ifndef PATH_SEPARATOR_2 -# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR) -#else /* PATH_SEPARATOR_2 */ -# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2) -#endif /* PATH_SEPARATOR_2 */ - -#ifndef FOPEN_WB -# define FOPEN_WB "w" -#endif -#ifndef _O_BINARY -# define _O_BINARY 0 -#endif - -#define XMALLOC(type, num) ((type *) xmalloc ((num) * sizeof(type))) -#define XFREE(stale) do { \ - if (stale) { free ((void *) stale); stale = 0; } \ -} while (0) - -#if defined(LT_DEBUGWRAPPER) -static int lt_debug = 1; -#else -static int lt_debug = 0; -#endif - -const char *program_name = "libtool-wrapper"; /* in case xstrdup fails */ - -void *xmalloc (size_t num); -char *xstrdup (const char *string); -const char *base_name (const char *name); -char *find_executable (const char *wrapper); -char *chase_symlinks (const char *pathspec); -int make_executable (const char *path); -int check_executable (const char *path); -char *strendzap (char *str, const char *pat); -void lt_debugprintf (const char *file, int line, const char *fmt, ...); -void lt_fatal (const char 
*file, int line, const char *message, ...); -static const char *nonnull (const char *s); -static const char *nonempty (const char *s); -void lt_setenv (const char *name, const char *value); -char *lt_extend_str (const char *orig_value, const char *add, int to_end); -void lt_update_exe_path (const char *name, const char *value); -void lt_update_lib_path (const char *name, const char *value); -char **prepare_spawn (char **argv); -void lt_dump_script (FILE *f); -EOF - - cat <= 0) - && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) - return 1; - else - return 0; -} - -int -make_executable (const char *path) -{ - int rval = 0; - struct stat st; - - lt_debugprintf (__FILE__, __LINE__, "(make_executable): %s\n", - nonempty (path)); - if ((!path) || (!*path)) - return 0; - - if (stat (path, &st) >= 0) - { - rval = chmod (path, st.st_mode | S_IXOTH | S_IXGRP | S_IXUSR); - } - return rval; -} - -/* Searches for the full path of the wrapper. Returns - newly allocated full path name if found, NULL otherwise - Does not chase symlinks, even on platforms that support them. -*/ -char * -find_executable (const char *wrapper) -{ - int has_slash = 0; - const char *p; - const char *p_next; - /* static buffer for getcwd */ - char tmp[LT_PATHMAX + 1]; - int tmp_len; - char *concat_name; - - lt_debugprintf (__FILE__, __LINE__, "(find_executable): %s\n", - nonempty (wrapper)); - - if ((wrapper == NULL) || (*wrapper == '\0')) - return NULL; - - /* Absolute path? 
*/ -#if defined (HAVE_DOS_BASED_FILE_SYSTEM) - if (isalpha ((unsigned char) wrapper[0]) && wrapper[1] == ':') - { - concat_name = xstrdup (wrapper); - if (check_executable (concat_name)) - return concat_name; - XFREE (concat_name); - } - else - { -#endif - if (IS_DIR_SEPARATOR (wrapper[0])) - { - concat_name = xstrdup (wrapper); - if (check_executable (concat_name)) - return concat_name; - XFREE (concat_name); - } -#if defined (HAVE_DOS_BASED_FILE_SYSTEM) - } -#endif - - for (p = wrapper; *p; p++) - if (*p == '/') - { - has_slash = 1; - break; - } - if (!has_slash) - { - /* no slashes; search PATH */ - const char *path = getenv ("PATH"); - if (path != NULL) - { - for (p = path; *p; p = p_next) - { - const char *q; - size_t p_len; - for (q = p; *q; q++) - if (IS_PATH_SEPARATOR (*q)) - break; - p_len = q - p; - p_next = (*q == '\0' ? q : q + 1); - if (p_len == 0) - { - /* empty path: current directory */ - if (getcwd (tmp, LT_PATHMAX) == NULL) - lt_fatal (__FILE__, __LINE__, "getcwd failed: %s", - nonnull (strerror (errno))); - tmp_len = strlen (tmp); - concat_name = - XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1); - memcpy (concat_name, tmp, tmp_len); - concat_name[tmp_len] = '/'; - strcpy (concat_name + tmp_len + 1, wrapper); - } - else - { - concat_name = - XMALLOC (char, p_len + 1 + strlen (wrapper) + 1); - memcpy (concat_name, p, p_len); - concat_name[p_len] = '/'; - strcpy (concat_name + p_len + 1, wrapper); - } - if (check_executable (concat_name)) - return concat_name; - XFREE (concat_name); - } - } - /* not found in PATH; assume curdir */ - } - /* Relative path | not found in path: prepend cwd */ - if (getcwd (tmp, LT_PATHMAX) == NULL) - lt_fatal (__FILE__, __LINE__, "getcwd failed: %s", - nonnull (strerror (errno))); - tmp_len = strlen (tmp); - concat_name = XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1); - memcpy (concat_name, tmp, tmp_len); - concat_name[tmp_len] = '/'; - strcpy (concat_name + tmp_len + 1, wrapper); - - if (check_executable 
(concat_name)) - return concat_name; - XFREE (concat_name); - return NULL; -} - -char * -chase_symlinks (const char *pathspec) -{ -#ifndef S_ISLNK - return xstrdup (pathspec); -#else - char buf[LT_PATHMAX]; - struct stat s; - char *tmp_pathspec = xstrdup (pathspec); - char *p; - int has_symlinks = 0; - while (strlen (tmp_pathspec) && !has_symlinks) - { - lt_debugprintf (__FILE__, __LINE__, - "checking path component for symlinks: %s\n", - tmp_pathspec); - if (lstat (tmp_pathspec, &s) == 0) - { - if (S_ISLNK (s.st_mode) != 0) - { - has_symlinks = 1; - break; - } - - /* search backwards for last DIR_SEPARATOR */ - p = tmp_pathspec + strlen (tmp_pathspec) - 1; - while ((p > tmp_pathspec) && (!IS_DIR_SEPARATOR (*p))) - p--; - if ((p == tmp_pathspec) && (!IS_DIR_SEPARATOR (*p))) - { - /* no more DIR_SEPARATORS left */ - break; - } - *p = '\0'; - } - else - { - lt_fatal (__FILE__, __LINE__, - "error accessing file \"%s\": %s", - tmp_pathspec, nonnull (strerror (errno))); - } - } - XFREE (tmp_pathspec); - - if (!has_symlinks) - { - return xstrdup (pathspec); - } - - tmp_pathspec = realpath (pathspec, buf); - if (tmp_pathspec == 0) - { - lt_fatal (__FILE__, __LINE__, - "could not follow symlinks for %s", pathspec); - } - return xstrdup (tmp_pathspec); -#endif -} - -char * -strendzap (char *str, const char *pat) -{ - size_t len, patlen; - - assert (str != NULL); - assert (pat != NULL); - - len = strlen (str); - patlen = strlen (pat); - - if (patlen <= len) - { - str += len - patlen; - if (strcmp (str, pat) == 0) - *str = '\0'; - } - return str; -} - -void -lt_debugprintf (const char *file, int line, const char *fmt, ...) 
-{ - va_list args; - if (lt_debug) - { - (void) fprintf (stderr, "%s:%s:%d: ", program_name, file, line); - va_start (args, fmt); - (void) vfprintf (stderr, fmt, args); - va_end (args); - } -} - -static void -lt_error_core (int exit_status, const char *file, - int line, const char *mode, - const char *message, va_list ap) -{ - fprintf (stderr, "%s:%s:%d: %s: ", program_name, file, line, mode); - vfprintf (stderr, message, ap); - fprintf (stderr, ".\n"); - - if (exit_status >= 0) - exit (exit_status); -} - -void -lt_fatal (const char *file, int line, const char *message, ...) -{ - va_list ap; - va_start (ap, message); - lt_error_core (EXIT_FAILURE, file, line, "FATAL", message, ap); - va_end (ap); -} - -static const char * -nonnull (const char *s) -{ - return s ? s : "(null)"; -} - -static const char * -nonempty (const char *s) -{ - return (s && !*s) ? "(empty)" : nonnull (s); -} - -void -lt_setenv (const char *name, const char *value) -{ - lt_debugprintf (__FILE__, __LINE__, - "(lt_setenv) setting '%s' to '%s'\n", - nonnull (name), nonnull (value)); - { -#ifdef HAVE_SETENV - /* always make a copy, for consistency with !HAVE_SETENV */ - char *str = xstrdup (value); - setenv (name, str, 1); -#else - int len = strlen (name) + 1 + strlen (value) + 1; - char *str = XMALLOC (char, len); - sprintf (str, "%s=%s", name, value); - if (putenv (str) != EXIT_SUCCESS) - { - XFREE (str); - } -#endif - } -} - -char * -lt_extend_str (const char *orig_value, const char *add, int to_end) -{ - char *new_value; - if (orig_value && *orig_value) - { - int orig_value_len = strlen (orig_value); - int add_len = strlen (add); - new_value = XMALLOC (char, add_len + orig_value_len + 1); - if (to_end) - { - strcpy (new_value, orig_value); - strcpy (new_value + orig_value_len, add); - } - else - { - strcpy (new_value, add); - strcpy (new_value + add_len, orig_value); - } - } - else - { - new_value = xstrdup (add); - } - return new_value; -} - -void -lt_update_exe_path (const char *name, const 
char *value) -{ - lt_debugprintf (__FILE__, __LINE__, - "(lt_update_exe_path) modifying '%s' by prepending '%s'\n", - nonnull (name), nonnull (value)); - - if (name && *name && value && *value) - { - char *new_value = lt_extend_str (getenv (name), value, 0); - /* some systems can't cope with a ':'-terminated path #' */ - int len = strlen (new_value); - while (((len = strlen (new_value)) > 0) && IS_PATH_SEPARATOR (new_value[len-1])) - { - new_value[len-1] = '\0'; - } - lt_setenv (name, new_value); - XFREE (new_value); - } -} - -void -lt_update_lib_path (const char *name, const char *value) -{ - lt_debugprintf (__FILE__, __LINE__, - "(lt_update_lib_path) modifying '%s' by prepending '%s'\n", - nonnull (name), nonnull (value)); - - if (name && *name && value && *value) - { - char *new_value = lt_extend_str (getenv (name), value, 0); - lt_setenv (name, new_value); - XFREE (new_value); - } -} - -EOF - case $host_os in - mingw*) - cat <<"EOF" - -/* Prepares an argument vector before calling spawn(). - Note that spawn() does not by itself call the command interpreter - (getenv ("COMSPEC") != NULL ? getenv ("COMSPEC") : - ({ OSVERSIONINFO v; v.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); - GetVersionEx(&v); - v.dwPlatformId == VER_PLATFORM_WIN32_NT; - }) ? "cmd.exe" : "command.com"). - Instead it simply concatenates the arguments, separated by ' ', and calls - CreateProcess(). We must quote the arguments since Win32 CreateProcess() - interprets characters like ' ', '\t', '\\', '"' (but not '<' and '>') in a - special way: - - Space and tab are interpreted as delimiters. They are not treated as - delimiters if they are surrounded by double quotes: "...". - - Unescaped double quotes are removed from the input. Their only effect is - that within double quotes, space and tab are treated like normal - characters. - - Backslashes not followed by double quotes are not special. 
- - But 2*n+1 backslashes followed by a double quote become - n backslashes followed by a double quote (n >= 0): - \" -> " - \\\" -> \" - \\\\\" -> \\" - */ -#define SHELL_SPECIAL_CHARS "\"\\ \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037" -#define SHELL_SPACE_CHARS " \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037" -char ** -prepare_spawn (char **argv) -{ - size_t argc; - char **new_argv; - size_t i; - - /* Count number of arguments. */ - for (argc = 0; argv[argc] != NULL; argc++) - ; - - /* Allocate new argument vector. */ - new_argv = XMALLOC (char *, argc + 1); - - /* Put quoted arguments into the new argument vector. */ - for (i = 0; i < argc; i++) - { - const char *string = argv[i]; - - if (string[0] == '\0') - new_argv[i] = xstrdup ("\"\""); - else if (strpbrk (string, SHELL_SPECIAL_CHARS) != NULL) - { - int quote_around = (strpbrk (string, SHELL_SPACE_CHARS) != NULL); - size_t length; - unsigned int backslashes; - const char *s; - char *quoted_string; - char *p; - - length = 0; - backslashes = 0; - if (quote_around) - length++; - for (s = string; *s != '\0'; s++) - { - char c = *s; - if (c == '"') - length += backslashes + 1; - length++; - if (c == '\\') - backslashes++; - else - backslashes = 0; - } - if (quote_around) - length += backslashes + 1; - - quoted_string = XMALLOC (char, length + 1); - - p = quoted_string; - backslashes = 0; - if (quote_around) - *p++ = '"'; - for (s = string; *s != '\0'; s++) - { - char c = *s; - if (c == '"') - { - unsigned int j; - for (j = backslashes + 1; j > 0; j--) - *p++ = '\\'; - } - *p++ = c; - if (c == '\\') - backslashes++; - else - backslashes = 0; - } - if (quote_around) - { - unsigned int j; - for (j = backslashes; j > 0; j--) - *p++ = '\\'; - *p++ = '"'; - } - *p = '\0'; - - new_argv[i] = quoted_string; - } - else - new_argv[i] = (char *) string; - } - 
new_argv[argc] = NULL; - - return new_argv; -} -EOF - ;; - esac - - cat <<"EOF" -void lt_dump_script (FILE* f) -{ -EOF - func_emit_wrapper yes | - $SED -n -e ' -s/^\(.\{79\}\)\(..*\)/\1\ -\2/ -h -s/\([\\"]\)/\\\1/g -s/$/\\n/ -s/\([^\n]*\).*/ fputs ("\1", f);/p -g -D' - cat <<"EOF" -} -EOF -} -# end: func_emit_cwrapperexe_src - -# func_win32_import_lib_p ARG -# True if ARG is an import lib, as indicated by $file_magic_cmd -func_win32_import_lib_p () -{ - $opt_debug - case `eval $file_magic_cmd \"\$1\" 2>/dev/null | $SED -e 10q` in - *import*) : ;; - *) false ;; - esac -} - -# func_mode_link arg... -func_mode_link () -{ - $opt_debug - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) - # It is impossible to link a dll without this setting, and - # we shouldn't force the makefile maintainer to figure out - # which system we are compiling for in order to pass an extra - # flag for every libtool invocation. - # allow_undefined=no - - # FIXME: Unfortunately, there are problems with the above when trying - # to make a dll which has undefined symbols, in which case not - # even a static library is built. For now, we need to specify - # -no-undefined on the libtool link line when we can be certain - # that all symbols are satisfied, otherwise we get a static library. 
- allow_undefined=yes - ;; - *) - allow_undefined=yes - ;; - esac - libtool_args=$nonopt - base_compile="$nonopt $@" - compile_command=$nonopt - finalize_command=$nonopt - - compile_rpath= - finalize_rpath= - compile_shlibpath= - finalize_shlibpath= - convenience= - old_convenience= - deplibs= - old_deplibs= - compiler_flags= - linker_flags= - dllsearchpath= - lib_search_path=`pwd` - inst_prefix_dir= - new_inherited_linker_flags= - - avoid_version=no - bindir= - dlfiles= - dlprefiles= - dlself=no - export_dynamic=no - export_symbols= - export_symbols_regex= - generated= - libobjs= - ltlibs= - module=no - no_install=no - objs= - non_pic_objects= - precious_files_regex= - prefer_static_libs=no - preload=no - prev= - prevarg= - release= - rpath= - xrpath= - perm_rpath= - temp_rpath= - thread_safe=no - vinfo= - vinfo_number=no - weak_libs= - single_module="${wl}-single_module" - func_infer_tag $base_compile - - # We need to know -static, to get the right output filenames. - for arg - do - case $arg in - -shared) - test "$build_libtool_libs" != yes && \ - func_fatal_configuration "can not build a shared library" - build_old_libs=no - break - ;; - -all-static | -static | -static-libtool-libs) - case $arg in - -all-static) - if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then - func_warning "complete static linking is impossible in this configuration" - fi - if test -n "$link_static_flag"; then - dlopen_self=$dlopen_self_static - fi - prefer_static_libs=yes - ;; - -static) - if test -z "$pic_flag" && test -n "$link_static_flag"; then - dlopen_self=$dlopen_self_static - fi - prefer_static_libs=built - ;; - -static-libtool-libs) - if test -z "$pic_flag" && test -n "$link_static_flag"; then - dlopen_self=$dlopen_self_static - fi - prefer_static_libs=yes - ;; - esac - build_libtool_libs=no - build_old_libs=yes - break - ;; - esac - done - - # See if our shared archives depend on static archives. 
- test -n "$old_archive_from_new_cmds" && build_old_libs=yes - - # Go through the arguments, transforming them on the way. - while test "$#" -gt 0; do - arg="$1" - shift - func_quote_for_eval "$arg" - qarg=$func_quote_for_eval_unquoted_result - func_append libtool_args " $func_quote_for_eval_result" - - # If the previous option needs an argument, assign it. - if test -n "$prev"; then - case $prev in - output) - func_append compile_command " @OUTPUT@" - func_append finalize_command " @OUTPUT@" - ;; - esac - - case $prev in - bindir) - bindir="$arg" - prev= - continue - ;; - dlfiles|dlprefiles) - if test "$preload" = no; then - # Add the symbol object into the linking commands. - func_append compile_command " @SYMFILE@" - func_append finalize_command " @SYMFILE@" - preload=yes - fi - case $arg in - *.la | *.lo) ;; # We handle these cases below. - force) - if test "$dlself" = no; then - dlself=needless - export_dynamic=yes - fi - prev= - continue - ;; - self) - if test "$prev" = dlprefiles; then - dlself=yes - elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then - dlself=yes - else - dlself=needless - export_dynamic=yes - fi - prev= - continue - ;; - *) - if test "$prev" = dlfiles; then - func_append dlfiles " $arg" - else - func_append dlprefiles " $arg" - fi - prev= - continue - ;; - esac - ;; - expsyms) - export_symbols="$arg" - test -f "$arg" \ - || func_fatal_error "symbol file \`$arg' does not exist" - prev= - continue - ;; - expsyms_regex) - export_symbols_regex="$arg" - prev= - continue - ;; - framework) - case $host in - *-*-darwin*) - case "$deplibs " in - *" $qarg.ltframework "*) ;; - *) func_append deplibs " $qarg.ltframework" # this is fixed later - ;; - esac - ;; - esac - prev= - continue - ;; - inst_prefix) - inst_prefix_dir="$arg" - prev= - continue - ;; - objectlist) - if test -f "$arg"; then - save_arg=$arg - moreargs= - for fil in `cat "$save_arg"` - do -# func_append moreargs " $fil" - arg=$fil - # A libtool-controlled object. 
- - # Check to see that this really is a libtool object. - if func_lalib_unsafe_p "$arg"; then - pic_object= - non_pic_object= - - # Read the .lo file - func_source "$arg" - - if test -z "$pic_object" || - test -z "$non_pic_object" || - test "$pic_object" = none && - test "$non_pic_object" = none; then - func_fatal_error "cannot find name of object for \`$arg'" - fi - - # Extract subdirectory from the argument. - func_dirname "$arg" "/" "" - xdir="$func_dirname_result" - - if test "$pic_object" != none; then - # Prepend the subdirectory the object is found in. - pic_object="$xdir$pic_object" - - if test "$prev" = dlfiles; then - if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then - func_append dlfiles " $pic_object" - prev= - continue - else - # If libtool objects are unsupported, then we need to preload. - prev=dlprefiles - fi - fi - - # CHECK ME: I think I busted this. -Ossama - if test "$prev" = dlprefiles; then - # Preload the old-style object. - func_append dlprefiles " $pic_object" - prev= - fi - - # A PIC object. - func_append libobjs " $pic_object" - arg="$pic_object" - fi - - # Non-PIC object. - if test "$non_pic_object" != none; then - # Prepend the subdirectory the object is found in. - non_pic_object="$xdir$non_pic_object" - - # A standard non-PIC object - func_append non_pic_objects " $non_pic_object" - if test -z "$pic_object" || test "$pic_object" = none ; then - arg="$non_pic_object" - fi - else - # If the PIC object exists, use it instead. - # $xdir was prepended to $pic_object above. - non_pic_object="$pic_object" - func_append non_pic_objects " $non_pic_object" - fi - else - # Only an error if not doing a dry-run. - if $opt_dry_run; then - # Extract subdirectory from the argument. 
- func_dirname "$arg" "/" "" - xdir="$func_dirname_result" - - func_lo2o "$arg" - pic_object=$xdir$objdir/$func_lo2o_result - non_pic_object=$xdir$func_lo2o_result - func_append libobjs " $pic_object" - func_append non_pic_objects " $non_pic_object" - else - func_fatal_error "\`$arg' is not a valid libtool object" - fi - fi - done - else - func_fatal_error "link input file \`$arg' does not exist" - fi - arg=$save_arg - prev= - continue - ;; - precious_regex) - precious_files_regex="$arg" - prev= - continue - ;; - release) - release="-$arg" - prev= - continue - ;; - rpath | xrpath) - # We need an absolute path. - case $arg in - [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - func_fatal_error "only absolute run-paths are allowed" - ;; - esac - if test "$prev" = rpath; then - case "$rpath " in - *" $arg "*) ;; - *) func_append rpath " $arg" ;; - esac - else - case "$xrpath " in - *" $arg "*) ;; - *) func_append xrpath " $arg" ;; - esac - fi - prev= - continue - ;; - shrext) - shrext_cmds="$arg" - prev= - continue - ;; - weak) - func_append weak_libs " $arg" - prev= - continue - ;; - xcclinker) - func_append linker_flags " $qarg" - func_append compiler_flags " $qarg" - prev= - func_append compile_command " $qarg" - func_append finalize_command " $qarg" - continue - ;; - xcompiler) - func_append compiler_flags " $qarg" - prev= - func_append compile_command " $qarg" - func_append finalize_command " $qarg" - continue - ;; - xlinker) - func_append linker_flags " $qarg" - func_append compiler_flags " $wl$qarg" - prev= - func_append compile_command " $wl$qarg" - func_append finalize_command " $wl$qarg" - continue - ;; - *) - eval "$prev=\"\$arg\"" - prev= - continue - ;; - esac - fi # test -n "$prev" - - prevarg="$arg" - - case $arg in - -all-static) - if test -n "$link_static_flag"; then - # See comment for -static flag below, for more details. 
- func_append compile_command " $link_static_flag" - func_append finalize_command " $link_static_flag" - fi - continue - ;; - - -allow-undefined) - # FIXME: remove this flag sometime in the future. - func_fatal_error "\`-allow-undefined' must not be used because it is the default" - ;; - - -avoid-version) - avoid_version=yes - continue - ;; - - -bindir) - prev=bindir - continue - ;; - - -dlopen) - prev=dlfiles - continue - ;; - - -dlpreopen) - prev=dlprefiles - continue - ;; - - -export-dynamic) - export_dynamic=yes - continue - ;; - - -export-symbols | -export-symbols-regex) - if test -n "$export_symbols" || test -n "$export_symbols_regex"; then - func_fatal_error "more than one -exported-symbols argument is not allowed" - fi - if test "X$arg" = "X-export-symbols"; then - prev=expsyms - else - prev=expsyms_regex - fi - continue - ;; - - -framework) - prev=framework - continue - ;; - - -inst-prefix-dir) - prev=inst_prefix - continue - ;; - - # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:* - # so, if we see these flags be careful not to treat them like -L - -L[A-Z][A-Z]*:*) - case $with_gcc/$host in - no/*-*-irix* | /*-*-irix*) - func_append compile_command " $arg" - func_append finalize_command " $arg" - ;; - esac - continue - ;; - - -L*) - func_stripname "-L" '' "$arg" - if test -z "$func_stripname_result"; then - if test "$#" -gt 0; then - func_fatal_error "require no space between \`-L' and \`$1'" - else - func_fatal_error "need path for \`-L' option" - fi - fi - func_resolve_sysroot "$func_stripname_result" - dir=$func_resolve_sysroot_result - # We need an absolute path. 
- case $dir in - [\\/]* | [A-Za-z]:[\\/]*) ;; - *) - absdir=`cd "$dir" && pwd` - test -z "$absdir" && \ - func_fatal_error "cannot determine absolute directory name of \`$dir'" - dir="$absdir" - ;; - esac - case "$deplibs " in - *" -L$dir "* | *" $arg "*) - # Will only happen for absolute or sysroot arguments - ;; - *) - # Preserve sysroot, but never include relative directories - case $dir in - [\\/]* | [A-Za-z]:[\\/]* | =*) func_append deplibs " $arg" ;; - *) func_append deplibs " -L$dir" ;; - esac - func_append lib_search_path " $dir" - ;; - esac - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) - testbindir=`$ECHO "$dir" | $SED 's*/lib$*/bin*'` - case :$dllsearchpath: in - *":$dir:"*) ;; - ::) dllsearchpath=$dir;; - *) func_append dllsearchpath ":$dir";; - esac - case :$dllsearchpath: in - *":$testbindir:"*) ;; - ::) dllsearchpath=$testbindir;; - *) func_append dllsearchpath ":$testbindir";; - esac - ;; - esac - continue - ;; - - -l*) - if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc* | *-*-haiku*) - # These systems don't actually have a C or math library (as such) - continue - ;; - *-*-os2*) - # These systems don't actually have a C library (as such) - test "X$arg" = "X-lc" && continue - ;; - *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*) - # Do not include libc due to us having libc/libc_r. 
- test "X$arg" = "X-lc" && continue - ;; - *-*-rhapsody* | *-*-darwin1.[012]) - # Rhapsody C and math libraries are in the System framework - func_append deplibs " System.ltframework" - continue - ;; - *-*-sco3.2v5* | *-*-sco5v6*) - # Causes problems with __ctype - test "X$arg" = "X-lc" && continue - ;; - *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*) - # Compiler inserts libc in the correct place for threads to work - test "X$arg" = "X-lc" && continue - ;; - esac - elif test "X$arg" = "X-lc_r"; then - case $host in - *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*) - # Do not include libc_r directly, use -pthread flag. - continue - ;; - esac - fi - func_append deplibs " $arg" - continue - ;; - - -module) - module=yes - continue - ;; - - # Tru64 UNIX uses -model [arg] to determine the layout of C++ - # classes, name mangling, and exception handling. - # Darwin uses the -arch flag to determine output architecture. - -model|-arch|-isysroot|--sysroot) - func_append compiler_flags " $arg" - func_append compile_command " $arg" - func_append finalize_command " $arg" - prev=xcompiler - continue - ;; - - -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \ - |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*) - func_append compiler_flags " $arg" - func_append compile_command " $arg" - func_append finalize_command " $arg" - func_append deplibs " $arg" - case "$new_inherited_linker_flags " in - *" $arg "*) ;; - * ) func_append new_inherited_linker_flags " $arg" ;; - esac - continue - ;; - - -multi_module) - single_module="${wl}-multi_module" - continue - ;; - - -no-fast-install) - fast_install=no - continue - ;; - - -no-install) - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin* | *-cegcc*) - # The PATH hackery in wrapper scripts is required on Windows - # and Darwin in order for the loader to find any dlls it needs. 
- func_warning "\`-no-install' is ignored for $host" - func_warning "assuming \`-no-fast-install' instead" - fast_install=no - ;; - *) no_install=yes ;; - esac - continue - ;; - - -no-undefined) - allow_undefined=no - continue - ;; - - -objectlist) - prev=objectlist - continue - ;; - - -o) prev=output ;; - - -precious-files-regex) - prev=precious_regex - continue - ;; - - -release) - prev=release - continue - ;; - - -rpath) - prev=rpath - continue - ;; - - -R) - prev=xrpath - continue - ;; - - -R*) - func_stripname '-R' '' "$arg" - dir=$func_stripname_result - # We need an absolute path. - case $dir in - [\\/]* | [A-Za-z]:[\\/]*) ;; - =*) - func_stripname '=' '' "$dir" - dir=$lt_sysroot$func_stripname_result - ;; - *) - func_fatal_error "only absolute run-paths are allowed" - ;; - esac - case "$xrpath " in - *" $dir "*) ;; - *) func_append xrpath " $dir" ;; - esac - continue - ;; - - -shared) - # The effects of -shared are defined in a previous loop. - continue - ;; - - -shrext) - prev=shrext - continue - ;; - - -static | -static-libtool-libs) - # The effects of -static are defined in a previous loop. - # We used to do the same as -all-static on platforms that - # didn't have a PIC flag, but the assumption that the effects - # would be equivalent was wrong. It would break on at least - # Digital Unix and AIX. 
- continue - ;; - - -thread-safe) - thread_safe=yes - continue - ;; - - -version-info) - prev=vinfo - continue - ;; - - -version-number) - prev=vinfo - vinfo_number=yes - continue - ;; - - -weak) - prev=weak - continue - ;; - - -Wc,*) - func_stripname '-Wc,' '' "$arg" - args=$func_stripname_result - arg= - save_ifs="$IFS"; IFS=',' - for flag in $args; do - IFS="$save_ifs" - func_quote_for_eval "$flag" - func_append arg " $func_quote_for_eval_result" - func_append compiler_flags " $func_quote_for_eval_result" - done - IFS="$save_ifs" - func_stripname ' ' '' "$arg" - arg=$func_stripname_result - ;; - - -Wl,*) - func_stripname '-Wl,' '' "$arg" - args=$func_stripname_result - arg= - save_ifs="$IFS"; IFS=',' - for flag in $args; do - IFS="$save_ifs" - func_quote_for_eval "$flag" - func_append arg " $wl$func_quote_for_eval_result" - func_append compiler_flags " $wl$func_quote_for_eval_result" - func_append linker_flags " $func_quote_for_eval_result" - done - IFS="$save_ifs" - func_stripname ' ' '' "$arg" - arg=$func_stripname_result - ;; - - -Xcompiler) - prev=xcompiler - continue - ;; - - -Xlinker) - prev=xlinker - continue - ;; - - -XCClinker) - prev=xcclinker - continue - ;; - - # -msg_* for osf cc - -msg_*) - func_quote_for_eval "$arg" - arg="$func_quote_for_eval_result" - ;; - - # Flags to be passed through unchanged, with rationale: - # -64, -mips[0-9] enable 64-bit mode for the SGI compiler - # -r[0-9][0-9]* specify processor for the SGI compiler - # -xarch=*, -xtarget=* enable 64-bit mode for the Sun compiler - # +DA*, +DD* enable 64-bit mode for the HP compiler - # -q* compiler args for the IBM compiler - # -m*, -t[45]*, -txscale* architecture-specific flags for GCC - # -F/path path to uninstalled frameworks, gcc on darwin - # -p, -pg, --coverage, -fprofile-* profiling flags for GCC - # @file GCC response files - # -tp=* Portland pgcc target processor selection - # --sysroot=* for sysroot support - # -O*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time 
optimization - -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \ - -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \ - -O*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*) - func_quote_for_eval "$arg" - arg="$func_quote_for_eval_result" - func_append compile_command " $arg" - func_append finalize_command " $arg" - func_append compiler_flags " $arg" - continue - ;; - - # Some other compiler flag. - -* | +*) - func_quote_for_eval "$arg" - arg="$func_quote_for_eval_result" - ;; - - *.$objext) - # A standard object. - func_append objs " $arg" - ;; - - *.lo) - # A libtool-controlled object. - - # Check to see that this really is a libtool object. - if func_lalib_unsafe_p "$arg"; then - pic_object= - non_pic_object= - - # Read the .lo file - func_source "$arg" - - if test -z "$pic_object" || - test -z "$non_pic_object" || - test "$pic_object" = none && - test "$non_pic_object" = none; then - func_fatal_error "cannot find name of object for \`$arg'" - fi - - # Extract subdirectory from the argument. - func_dirname "$arg" "/" "" - xdir="$func_dirname_result" - - if test "$pic_object" != none; then - # Prepend the subdirectory the object is found in. - pic_object="$xdir$pic_object" - - if test "$prev" = dlfiles; then - if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then - func_append dlfiles " $pic_object" - prev= - continue - else - # If libtool objects are unsupported, then we need to preload. - prev=dlprefiles - fi - fi - - # CHECK ME: I think I busted this. -Ossama - if test "$prev" = dlprefiles; then - # Preload the old-style object. - func_append dlprefiles " $pic_object" - prev= - fi - - # A PIC object. - func_append libobjs " $pic_object" - arg="$pic_object" - fi - - # Non-PIC object. - if test "$non_pic_object" != none; then - # Prepend the subdirectory the object is found in. 
- non_pic_object="$xdir$non_pic_object" - - # A standard non-PIC object - func_append non_pic_objects " $non_pic_object" - if test -z "$pic_object" || test "$pic_object" = none ; then - arg="$non_pic_object" - fi - else - # If the PIC object exists, use it instead. - # $xdir was prepended to $pic_object above. - non_pic_object="$pic_object" - func_append non_pic_objects " $non_pic_object" - fi - else - # Only an error if not doing a dry-run. - if $opt_dry_run; then - # Extract subdirectory from the argument. - func_dirname "$arg" "/" "" - xdir="$func_dirname_result" - - func_lo2o "$arg" - pic_object=$xdir$objdir/$func_lo2o_result - non_pic_object=$xdir$func_lo2o_result - func_append libobjs " $pic_object" - func_append non_pic_objects " $non_pic_object" - else - func_fatal_error "\`$arg' is not a valid libtool object" - fi - fi - ;; - - *.$libext) - # An archive. - func_append deplibs " $arg" - func_append old_deplibs " $arg" - continue - ;; - - *.la) - # A libtool-controlled library. - - func_resolve_sysroot "$arg" - if test "$prev" = dlfiles; then - # This library was specified with -dlopen. - func_append dlfiles " $func_resolve_sysroot_result" - prev= - elif test "$prev" = dlprefiles; then - # The library was specified with -dlpreopen. - func_append dlprefiles " $func_resolve_sysroot_result" - prev= - else - func_append deplibs " $func_resolve_sysroot_result" - fi - continue - ;; - - # Some other compiler argument. - *) - # Unknown arguments in both finalize_command and compile_command need - # to be aesthetically quoted because they are evaled later. - func_quote_for_eval "$arg" - arg="$func_quote_for_eval_result" - ;; - esac # arg - - # Now actually substitute the argument into the commands. 
- if test -n "$arg"; then - func_append compile_command " $arg" - func_append finalize_command " $arg" - fi - done # argument parsing loop - - test -n "$prev" && \ - func_fatal_help "the \`$prevarg' option requires an argument" - - if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then - eval arg=\"$export_dynamic_flag_spec\" - func_append compile_command " $arg" - func_append finalize_command " $arg" - fi - - oldlibs= - # calculate the name of the file, without its directory - func_basename "$output" - outputname="$func_basename_result" - libobjs_save="$libobjs" - - if test -n "$shlibpath_var"; then - # get the directories listed in $shlibpath_var - eval shlib_search_path=\`\$ECHO \"\${$shlibpath_var}\" \| \$SED \'s/:/ /g\'\` - else - shlib_search_path= - fi - eval sys_lib_search_path=\"$sys_lib_search_path_spec\" - eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\" - - func_dirname "$output" "/" "" - output_objdir="$func_dirname_result$objdir" - func_to_tool_file "$output_objdir/" - tool_output_objdir=$func_to_tool_file_result - # Create the object directory. - func_mkdir_p "$output_objdir" - - # Determine the type of output - case $output in - "") - func_fatal_help "you must specify an output file" - ;; - *.$libext) linkmode=oldlib ;; - *.lo | *.$objext) linkmode=obj ;; - *.la) linkmode=lib ;; - *) linkmode=prog ;; # Anything else should be a program. - esac - - specialdeplibs= - - libs= - # Find all interdependent deplibs by searching for libraries - # that are linked more than once (e.g. 
-la -lb -la) - for deplib in $deplibs; do - if $opt_preserve_dup_deps ; then - case "$libs " in - *" $deplib "*) func_append specialdeplibs " $deplib" ;; - esac - fi - func_append libs " $deplib" - done - - if test "$linkmode" = lib; then - libs="$predeps $libs $compiler_lib_search_path $postdeps" - - # Compute libraries that are listed more than once in $predeps - # $postdeps and mark them as special (i.e., whose duplicates are - # not to be eliminated). - pre_post_deps= - if $opt_duplicate_compiler_generated_deps; then - for pre_post_dep in $predeps $postdeps; do - case "$pre_post_deps " in - *" $pre_post_dep "*) func_append specialdeplibs " $pre_post_deps" ;; - esac - func_append pre_post_deps " $pre_post_dep" - done - fi - pre_post_deps= - fi - - deplibs= - newdependency_libs= - newlib_search_path= - need_relink=no # whether we're linking any uninstalled libtool libraries - notinst_deplibs= # not-installed libtool libraries - notinst_path= # paths that contain not-installed libtool libraries - - case $linkmode in - lib) - passes="conv dlpreopen link" - for file in $dlfiles $dlprefiles; do - case $file in - *.la) ;; - *) - func_fatal_help "libraries can \`-dlopen' only libtool libraries: $file" - ;; - esac - done - ;; - prog) - compile_deplibs= - finalize_deplibs= - alldeplibs=no - newdlfiles= - newdlprefiles= - passes="conv scan dlopen dlpreopen link" - ;; - *) passes="conv" - ;; - esac - - for pass in $passes; do - # The preopen pass in lib mode reverses $deplibs; put it back here - # so that -L comes before libs that need it for instance... 
- if test "$linkmode,$pass" = "lib,link"; then - ## FIXME: Find the place where the list is rebuilt in the wrong - ## order, and fix it there properly - tmp_deplibs= - for deplib in $deplibs; do - tmp_deplibs="$deplib $tmp_deplibs" - done - deplibs="$tmp_deplibs" - fi - - if test "$linkmode,$pass" = "lib,link" || - test "$linkmode,$pass" = "prog,scan"; then - libs="$deplibs" - deplibs= - fi - if test "$linkmode" = prog; then - case $pass in - dlopen) libs="$dlfiles" ;; - dlpreopen) libs="$dlprefiles" ;; - link) libs="$deplibs %DEPLIBS% $dependency_libs" ;; - esac - fi - if test "$linkmode,$pass" = "lib,dlpreopen"; then - # Collect and forward deplibs of preopened libtool libs - for lib in $dlprefiles; do - # Ignore non-libtool-libs - dependency_libs= - func_resolve_sysroot "$lib" - case $lib in - *.la) func_source "$func_resolve_sysroot_result" ;; - esac - - # Collect preopened libtool deplibs, except any this library - # has declared as weak libs - for deplib in $dependency_libs; do - func_basename "$deplib" - deplib_base=$func_basename_result - case " $weak_libs " in - *" $deplib_base "*) ;; - *) func_append deplibs " $deplib" ;; - esac - done - done - libs="$dlprefiles" - fi - if test "$pass" = dlopen; then - # Collect dlpreopened libraries - save_deplibs="$deplibs" - deplibs= - fi - - for deplib in $libs; do - lib= - found=no - case $deplib in - -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \ - |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*) - if test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - func_append compiler_flags " $deplib" - test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs" - if test "$linkmode" = lib ; then - case "$new_inherited_linker_flags " in - *" $deplib "*) ;; - * ) func_append new_inherited_linker_flags " $deplib" ;; - esac - fi - fi - continue - ;; - -l*) - if test "$linkmode" != lib && test 
"$linkmode" != prog; then - func_warning "\`-l' is ignored for archives/objects" - continue - fi - func_stripname '-l' '' "$deplib" - name=$func_stripname_result - if test "$linkmode" = lib; then - searchdirs="$newlib_search_path $lib_search_path $compiler_lib_search_dirs $sys_lib_search_path $shlib_search_path" - else - searchdirs="$newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path" - fi - for searchdir in $searchdirs; do - for search_ext in .la $std_shrext .so .a; do - # Search the libtool library - lib="$searchdir/lib${name}${search_ext}" - if test -f "$lib"; then - if test "$search_ext" = ".la"; then - found=yes - else - found=no - fi - break 2 - fi - done - done - if test "$found" != yes; then - # deplib doesn't seem to be a libtool library - if test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - deplibs="$deplib $deplibs" - test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs" - fi - continue - else # deplib is a libtool library - # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib, - # We need to do some special things here, and not later. - if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then - case " $predeps $postdeps " in - *" $deplib "*) - if func_lalib_p "$lib"; then - library_names= - old_library= - func_source "$lib" - for l in $old_library $library_names; do - ll="$l" - done - if test "X$ll" = "X$old_library" ; then # only static version available - found=no - func_dirname "$lib" "" "." 
- ladir="$func_dirname_result" - lib=$ladir/$old_library - if test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - deplibs="$deplib $deplibs" - test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs" - fi - continue - fi - fi - ;; - *) ;; - esac - fi - fi - ;; # -l - *.ltframework) - if test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - deplibs="$deplib $deplibs" - if test "$linkmode" = lib ; then - case "$new_inherited_linker_flags " in - *" $deplib "*) ;; - * ) func_append new_inherited_linker_flags " $deplib" ;; - esac - fi - fi - continue - ;; - -L*) - case $linkmode in - lib) - deplibs="$deplib $deplibs" - test "$pass" = conv && continue - newdependency_libs="$deplib $newdependency_libs" - func_stripname '-L' '' "$deplib" - func_resolve_sysroot "$func_stripname_result" - func_append newlib_search_path " $func_resolve_sysroot_result" - ;; - prog) - if test "$pass" = conv; then - deplibs="$deplib $deplibs" - continue - fi - if test "$pass" = scan; then - deplibs="$deplib $deplibs" - else - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - fi - func_stripname '-L' '' "$deplib" - func_resolve_sysroot "$func_stripname_result" - func_append newlib_search_path " $func_resolve_sysroot_result" - ;; - *) - func_warning "\`-L' is ignored for archives/objects" - ;; - esac # linkmode - continue - ;; # -L - -R*) - if test "$pass" = link; then - func_stripname '-R' '' "$deplib" - func_resolve_sysroot "$func_stripname_result" - dir=$func_resolve_sysroot_result - # Make sure the xrpath contains only unique directories. 
- case "$xrpath " in - *" $dir "*) ;; - *) func_append xrpath " $dir" ;; - esac - fi - deplibs="$deplib $deplibs" - continue - ;; - *.la) - func_resolve_sysroot "$deplib" - lib=$func_resolve_sysroot_result - ;; - *.$libext) - if test "$pass" = conv; then - deplibs="$deplib $deplibs" - continue - fi - case $linkmode in - lib) - # Linking convenience modules into shared libraries is allowed, - # but linking other static libraries is non-portable. - case " $dlpreconveniencelibs " in - *" $deplib "*) ;; - *) - valid_a_lib=no - case $deplibs_check_method in - match_pattern*) - set dummy $deplibs_check_method; shift - match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"` - if eval "\$ECHO \"$deplib\"" 2>/dev/null | $SED 10q \ - | $EGREP "$match_pattern_regex" > /dev/null; then - valid_a_lib=yes - fi - ;; - pass_all) - valid_a_lib=yes - ;; - esac - if test "$valid_a_lib" != yes; then - echo - $ECHO "*** Warning: Trying to link with static lib archive $deplib." - echo "*** I have the capability to make that library automatically link in when" - echo "*** you link to this library. But I can only do this if you have a" - echo "*** shared version of the library, which you do not appear to have" - echo "*** because the file extensions .$libext of this argument makes me believe" - echo "*** that it is just a static archive that I should not use here." - else - echo - $ECHO "*** Warning: Linking the shared library $output against the" - $ECHO "*** static library $deplib is not portable!" 
- deplibs="$deplib $deplibs" - fi - ;; - esac - continue - ;; - prog) - if test "$pass" != link; then - deplibs="$deplib $deplibs" - else - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - fi - continue - ;; - esac # linkmode - ;; # *.$libext - *.lo | *.$objext) - if test "$pass" = conv; then - deplibs="$deplib $deplibs" - elif test "$linkmode" = prog; then - if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then - # If there is no dlopen support or we're linking statically, - # we need to preload. - func_append newdlprefiles " $deplib" - compile_deplibs="$deplib $compile_deplibs" - finalize_deplibs="$deplib $finalize_deplibs" - else - func_append newdlfiles " $deplib" - fi - fi - continue - ;; - %DEPLIBS%) - alldeplibs=yes - continue - ;; - esac # case $deplib - - if test "$found" = yes || test -f "$lib"; then : - else - func_fatal_error "cannot find the library \`$lib' or unhandled argument \`$deplib'" - fi - - # Check to see that this really is a libtool archive. - func_lalib_unsafe_p "$lib" \ - || func_fatal_error "\`$lib' is not a valid libtool archive" - - func_dirname "$lib" "" "." 
- ladir="$func_dirname_result" - - dlname= - dlopen= - dlpreopen= - libdir= - library_names= - old_library= - inherited_linker_flags= - # If the library was installed with an old release of libtool, - # it will not redefine variables installed, or shouldnotlink - installed=yes - shouldnotlink=no - avoidtemprpath= - - - # Read the .la file - func_source "$lib" - - # Convert "-framework foo" to "foo.ltframework" - if test -n "$inherited_linker_flags"; then - tmp_inherited_linker_flags=`$ECHO "$inherited_linker_flags" | $SED 's/-framework \([^ $]*\)/\1.ltframework/g'` - for tmp_inherited_linker_flag in $tmp_inherited_linker_flags; do - case " $new_inherited_linker_flags " in - *" $tmp_inherited_linker_flag "*) ;; - *) func_append new_inherited_linker_flags " $tmp_inherited_linker_flag";; - esac - done - fi - dependency_libs=`$ECHO " $dependency_libs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` - if test "$linkmode,$pass" = "lib,link" || - test "$linkmode,$pass" = "prog,scan" || - { test "$linkmode" != prog && test "$linkmode" != lib; }; then - test -n "$dlopen" && func_append dlfiles " $dlopen" - test -n "$dlpreopen" && func_append dlprefiles " $dlpreopen" - fi - - if test "$pass" = conv; then - # Only check for convenience libraries - deplibs="$lib $deplibs" - if test -z "$libdir"; then - if test -z "$old_library"; then - func_fatal_error "cannot find name of link library for \`$lib'" - fi - # It is a libtool convenience library, so add in its objects. 
- func_append convenience " $ladir/$objdir/$old_library" - func_append old_convenience " $ladir/$objdir/$old_library" - elif test "$linkmode" != prog && test "$linkmode" != lib; then - func_fatal_error "\`$lib' is not a convenience library" - fi - tmp_libs= - for deplib in $dependency_libs; do - deplibs="$deplib $deplibs" - if $opt_preserve_dup_deps ; then - case "$tmp_libs " in - *" $deplib "*) func_append specialdeplibs " $deplib" ;; - esac - fi - func_append tmp_libs " $deplib" - done - continue - fi # $pass = conv - - - # Get the name of the library we link against. - linklib= - if test -n "$old_library" && - { test "$prefer_static_libs" = yes || - test "$prefer_static_libs,$installed" = "built,no"; }; then - linklib=$old_library - else - for l in $old_library $library_names; do - linklib="$l" - done - fi - if test -z "$linklib"; then - func_fatal_error "cannot find name of link library for \`$lib'" - fi - - # This library was specified with -dlopen. - if test "$pass" = dlopen; then - if test -z "$libdir"; then - func_fatal_error "cannot -dlopen a convenience library: \`$lib'" - fi - if test -z "$dlname" || - test "$dlopen_support" != yes || - test "$build_libtool_libs" = no; then - # If there is no dlname, no dlopen support or we're linking - # statically, we need to preload. We also need to preload any - # dependent libraries so libltdl's deplib preloader doesn't - # bomb out in the load deplibs phase. - func_append dlprefiles " $lib $dependency_libs" - else - func_append newdlfiles " $lib" - fi - continue - fi # $pass = dlopen - - # We need an absolute path. 
- case $ladir in - [\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;; - *) - abs_ladir=`cd "$ladir" && pwd` - if test -z "$abs_ladir"; then - func_warning "cannot determine absolute directory name of \`$ladir'" - func_warning "passing it literally to the linker, although it might fail" - abs_ladir="$ladir" - fi - ;; - esac - func_basename "$lib" - laname="$func_basename_result" - - # Find the relevant object directory and library name. - if test "X$installed" = Xyes; then - if test ! -f "$lt_sysroot$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then - func_warning "library \`$lib' was moved." - dir="$ladir" - absdir="$abs_ladir" - libdir="$abs_ladir" - else - dir="$lt_sysroot$libdir" - absdir="$lt_sysroot$libdir" - fi - test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes - else - if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then - dir="$ladir" - absdir="$abs_ladir" - # Remove this search path later - func_append notinst_path " $abs_ladir" - else - dir="$ladir/$objdir" - absdir="$abs_ladir/$objdir" - # Remove this search path later - func_append notinst_path " $abs_ladir" - fi - fi # $installed = yes - func_stripname 'lib' '.la' "$laname" - name=$func_stripname_result - - # This library was specified with -dlpreopen. - if test "$pass" = dlpreopen; then - if test -z "$libdir" && test "$linkmode" = prog; then - func_fatal_error "only libraries may -dlpreopen a convenience library: \`$lib'" - fi - case "$host" in - # special handling for platforms with PE-DLLs. - *cygwin* | *mingw* | *cegcc* ) - # Linker will automatically link against shared library if both - # static and shared are present. Therefore, ensure we extract - # symbols from the import library if a shared library is present - # (otherwise, the dlopen module name will be incorrect). We do - # this by putting the import library name into $newdlprefiles. 
- # We recover the dlopen module name by 'saving' the la file - # name in a special purpose variable, and (later) extracting the - # dlname from the la file. - if test -n "$dlname"; then - func_tr_sh "$dir/$linklib" - eval "libfile_$func_tr_sh_result=\$abs_ladir/\$laname" - func_append newdlprefiles " $dir/$linklib" - else - func_append newdlprefiles " $dir/$old_library" - # Keep a list of preopened convenience libraries to check - # that they are being used correctly in the link pass. - test -z "$libdir" && \ - func_append dlpreconveniencelibs " $dir/$old_library" - fi - ;; - * ) - # Prefer using a static library (so that no silly _DYNAMIC symbols - # are required to link). - if test -n "$old_library"; then - func_append newdlprefiles " $dir/$old_library" - # Keep a list of preopened convenience libraries to check - # that they are being used correctly in the link pass. - test -z "$libdir" && \ - func_append dlpreconveniencelibs " $dir/$old_library" - # Otherwise, use the dlname, so that lt_dlopen finds it. 
- elif test -n "$dlname"; then - func_append newdlprefiles " $dir/$dlname" - else - func_append newdlprefiles " $dir/$linklib" - fi - ;; - esac - fi # $pass = dlpreopen - - if test -z "$libdir"; then - # Link the convenience library - if test "$linkmode" = lib; then - deplibs="$dir/$old_library $deplibs" - elif test "$linkmode,$pass" = "prog,link"; then - compile_deplibs="$dir/$old_library $compile_deplibs" - finalize_deplibs="$dir/$old_library $finalize_deplibs" - else - deplibs="$lib $deplibs" # used for prog,scan pass - fi - continue - fi - - - if test "$linkmode" = prog && test "$pass" != link; then - func_append newlib_search_path " $ladir" - deplibs="$lib $deplibs" - - linkalldeplibs=no - if test "$link_all_deplibs" != no || test -z "$library_names" || - test "$build_libtool_libs" = no; then - linkalldeplibs=yes - fi - - tmp_libs= - for deplib in $dependency_libs; do - case $deplib in - -L*) func_stripname '-L' '' "$deplib" - func_resolve_sysroot "$func_stripname_result" - func_append newlib_search_path " $func_resolve_sysroot_result" - ;; - esac - # Need to link against all dependency_libs? - if test "$linkalldeplibs" = yes; then - deplibs="$deplib $deplibs" - else - # Need to hardcode shared library paths - # or/and link against static libraries - newdependency_libs="$deplib $newdependency_libs" - fi - if $opt_preserve_dup_deps ; then - case "$tmp_libs " in - *" $deplib "*) func_append specialdeplibs " $deplib" ;; - esac - fi - func_append tmp_libs " $deplib" - done # for deplib - continue - fi # $linkmode = prog... - - if test "$linkmode,$pass" = "prog,link"; then - if test -n "$library_names" && - { { test "$prefer_static_libs" = no || - test "$prefer_static_libs,$installed" = "built,yes"; } || - test -z "$old_library"; }; then - # We need to hardcode the library path - if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then - # Make sure the rpath contains only unique directories. 
- case "$temp_rpath:" in - *"$absdir:"*) ;; - *) func_append temp_rpath "$absdir:" ;; - esac - fi - - # Hardcode the library path. - # Skip directories that are in the system default run-time - # search path. - case " $sys_lib_dlsearch_path " in - *" $absdir "*) ;; - *) - case "$compile_rpath " in - *" $absdir "*) ;; - *) func_append compile_rpath " $absdir" ;; - esac - ;; - esac - case " $sys_lib_dlsearch_path " in - *" $libdir "*) ;; - *) - case "$finalize_rpath " in - *" $libdir "*) ;; - *) func_append finalize_rpath " $libdir" ;; - esac - ;; - esac - fi # $linkmode,$pass = prog,link... - - if test "$alldeplibs" = yes && - { test "$deplibs_check_method" = pass_all || - { test "$build_libtool_libs" = yes && - test -n "$library_names"; }; }; then - # We only need to search for static libraries - continue - fi - fi - - link_static=no # Whether the deplib will be linked statically - use_static_libs=$prefer_static_libs - if test "$use_static_libs" = built && test "$installed" = yes; then - use_static_libs=no - fi - if test -n "$library_names" && - { test "$use_static_libs" = no || test -z "$old_library"; }; then - case $host in - *cygwin* | *mingw* | *cegcc*) - # No point in relinking DLLs because paths are not encoded - func_append notinst_deplibs " $lib" - need_relink=no - ;; - *) - if test "$installed" = no; then - func_append notinst_deplibs " $lib" - test -z "$DESTDIR" && need_relink=yes - fi - ;; - esac - # This is a shared library - - # Warn about portability, can't link against -module's on some - # systems (darwin). Don't bleat about dlopened modules though! 
- dlopenmodule="" - for dlpremoduletest in $dlprefiles; do - if test "X$dlpremoduletest" = "X$lib"; then - dlopenmodule="$dlpremoduletest" - break - fi - done - if test -z "$dlopenmodule" && test "$shouldnotlink" = yes && test "$pass" = link; then - echo - if test "$linkmode" = prog; then - $ECHO "*** Warning: Linking the executable $output against the loadable module" - else - $ECHO "*** Warning: Linking the shared library $output against the loadable module" - fi - $ECHO "*** $linklib is not portable!" - fi - if test "$linkmode" = lib && - test "$hardcode_into_libs" = yes; then - # Hardcode the library path. - # Skip directories that are in the system default run-time - # search path. - case " $sys_lib_dlsearch_path " in - *" $absdir "*) ;; - *) - case "$compile_rpath " in - *" $absdir "*) ;; - *) func_append compile_rpath " $absdir" ;; - esac - ;; - esac - case " $sys_lib_dlsearch_path " in - *" $libdir "*) ;; - *) - case "$finalize_rpath " in - *" $libdir "*) ;; - *) func_append finalize_rpath " $libdir" ;; - esac - ;; - esac - fi - - if test -n "$old_archive_from_expsyms_cmds"; then - # figure out the soname - set dummy $library_names - shift - realname="$1" - shift - libname=`eval "\\$ECHO \"$libname_spec\""` - # use dlname if we got it. it's perfectly good, no? 
- if test -n "$dlname"; then - soname="$dlname" - elif test -n "$soname_spec"; then - # bleh windows - case $host in - *cygwin* | mingw* | *cegcc*) - func_arith $current - $age - major=$func_arith_result - versuffix="-$major" - ;; - esac - eval soname=\"$soname_spec\" - else - soname="$realname" - fi - - # Make a new name for the extract_expsyms_cmds to use - soroot="$soname" - func_basename "$soroot" - soname="$func_basename_result" - func_stripname 'lib' '.dll' "$soname" - newlib=libimp-$func_stripname_result.a - - # If the library has no export list, then create one now - if test -f "$output_objdir/$soname-def"; then : - else - func_verbose "extracting exported symbol list from \`$soname'" - func_execute_cmds "$extract_expsyms_cmds" 'exit $?' - fi - - # Create $newlib - if test -f "$output_objdir/$newlib"; then :; else - func_verbose "generating import library for \`$soname'" - func_execute_cmds "$old_archive_from_expsyms_cmds" 'exit $?' - fi - # make sure the library variables are pointing to the new library - dir=$output_objdir - linklib=$newlib - fi # test -n "$old_archive_from_expsyms_cmds" - - if test "$linkmode" = prog || test "$opt_mode" != relink; then - add_shlibpath= - add_dir= - add= - lib_linked=yes - case $hardcode_action in - immediate | unsupported) - if test "$hardcode_direct" = no; then - add="$dir/$linklib" - case $host in - *-*-sco3.2v5.0.[024]*) add_dir="-L$dir" ;; - *-*-sysv4*uw2*) add_dir="-L$dir" ;; - *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \ - *-*-unixware7*) add_dir="-L$dir" ;; - *-*-darwin* ) - # if the lib is a (non-dlopened) module then we can not - # link against it, someone is ignoring the earlier warnings - if /usr/bin/file -L $add 2> /dev/null | - $GREP ": [^:]* bundle" >/dev/null ; then - if test "X$dlopenmodule" != "X$lib"; then - $ECHO "*** Warning: lib $linklib is a module, not a shared library" - if test -z "$old_library" ; then - echo - echo "*** And there doesn't seem to be a static archive available" - echo 
"*** The link will probably fail, sorry" - else - add="$dir/$old_library" - fi - elif test -n "$old_library"; then - add="$dir/$old_library" - fi - fi - esac - elif test "$hardcode_minus_L" = no; then - case $host in - *-*-sunos*) add_shlibpath="$dir" ;; - esac - add_dir="-L$dir" - add="-l$name" - elif test "$hardcode_shlibpath_var" = no; then - add_shlibpath="$dir" - add="-l$name" - else - lib_linked=no - fi - ;; - relink) - if test "$hardcode_direct" = yes && - test "$hardcode_direct_absolute" = no; then - add="$dir/$linklib" - elif test "$hardcode_minus_L" = yes; then - add_dir="-L$absdir" - # Try looking first in the location we're being installed to. - if test -n "$inst_prefix_dir"; then - case $libdir in - [\\/]*) - func_append add_dir " -L$inst_prefix_dir$libdir" - ;; - esac - fi - add="-l$name" - elif test "$hardcode_shlibpath_var" = yes; then - add_shlibpath="$dir" - add="-l$name" - else - lib_linked=no - fi - ;; - *) lib_linked=no ;; - esac - - if test "$lib_linked" != yes; then - func_fatal_configuration "unsupported hardcode properties" - fi - - if test -n "$add_shlibpath"; then - case :$compile_shlibpath: in - *":$add_shlibpath:"*) ;; - *) func_append compile_shlibpath "$add_shlibpath:" ;; - esac - fi - if test "$linkmode" = prog; then - test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs" - test -n "$add" && compile_deplibs="$add $compile_deplibs" - else - test -n "$add_dir" && deplibs="$add_dir $deplibs" - test -n "$add" && deplibs="$add $deplibs" - if test "$hardcode_direct" != yes && - test "$hardcode_minus_L" != yes && - test "$hardcode_shlibpath_var" = yes; then - case :$finalize_shlibpath: in - *":$libdir:"*) ;; - *) func_append finalize_shlibpath "$libdir:" ;; - esac - fi - fi - fi - - if test "$linkmode" = prog || test "$opt_mode" = relink; then - add_shlibpath= - add_dir= - add= - # Finalize command for both is simple: just hardcode it. 
- if test "$hardcode_direct" = yes && - test "$hardcode_direct_absolute" = no; then - add="$libdir/$linklib" - elif test "$hardcode_minus_L" = yes; then - add_dir="-L$libdir" - add="-l$name" - elif test "$hardcode_shlibpath_var" = yes; then - case :$finalize_shlibpath: in - *":$libdir:"*) ;; - *) func_append finalize_shlibpath "$libdir:" ;; - esac - add="-l$name" - elif test "$hardcode_automatic" = yes; then - if test -n "$inst_prefix_dir" && - test -f "$inst_prefix_dir$libdir/$linklib" ; then - add="$inst_prefix_dir$libdir/$linklib" - else - add="$libdir/$linklib" - fi - else - # We cannot seem to hardcode it, guess we'll fake it. - add_dir="-L$libdir" - # Try looking first in the location we're being installed to. - if test -n "$inst_prefix_dir"; then - case $libdir in - [\\/]*) - func_append add_dir " -L$inst_prefix_dir$libdir" - ;; - esac - fi - add="-l$name" - fi - - if test "$linkmode" = prog; then - test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs" - test -n "$add" && finalize_deplibs="$add $finalize_deplibs" - else - test -n "$add_dir" && deplibs="$add_dir $deplibs" - test -n "$add" && deplibs="$add $deplibs" - fi - fi - elif test "$linkmode" = prog; then - # Here we assume that one of hardcode_direct or hardcode_minus_L - # is not unsupported. This is valid on all known static and - # shared platforms. - if test "$hardcode_direct" != unsupported; then - test -n "$old_library" && linklib="$old_library" - compile_deplibs="$dir/$linklib $compile_deplibs" - finalize_deplibs="$dir/$linklib $finalize_deplibs" - else - compile_deplibs="-l$name -L$dir $compile_deplibs" - finalize_deplibs="-l$name -L$dir $finalize_deplibs" - fi - elif test "$build_libtool_libs" = yes; then - # Not a shared library - if test "$deplibs_check_method" != pass_all; then - # We're trying link a shared library against a static one - # but the system doesn't support it. 
- - # Just print a warning and add the library to dependency_libs so - # that the program can be linked against the static library. - echo - $ECHO "*** Warning: This system can not link to static lib archive $lib." - echo "*** I have the capability to make that library automatically link in when" - echo "*** you link to this library. But I can only do this if you have a" - echo "*** shared version of the library, which you do not appear to have." - if test "$module" = yes; then - echo "*** But as you try to build a module library, libtool will still create " - echo "*** a static module, that should work as long as the dlopening application" - echo "*** is linked with the -dlopen flag to resolve symbols at runtime." - if test -z "$global_symbol_pipe"; then - echo - echo "*** However, this would only work if libtool was able to extract symbol" - echo "*** lists from a program, using \`nm' or equivalent, but libtool could" - echo "*** not find such a program. So, this module is probably useless." - echo "*** \`nm' from GNU binutils and a full rebuild may help." - fi - if test "$build_old_libs" = no; then - build_libtool_libs=module - build_old_libs=yes - else - build_libtool_libs=no - fi - fi - else - deplibs="$dir/$old_library $deplibs" - link_static=yes - fi - fi # link shared/static library? 
- - if test "$linkmode" = lib; then - if test -n "$dependency_libs" && - { test "$hardcode_into_libs" != yes || - test "$build_old_libs" = yes || - test "$link_static" = yes; }; then - # Extract -R from dependency_libs - temp_deplibs= - for libdir in $dependency_libs; do - case $libdir in - -R*) func_stripname '-R' '' "$libdir" - temp_xrpath=$func_stripname_result - case " $xrpath " in - *" $temp_xrpath "*) ;; - *) func_append xrpath " $temp_xrpath";; - esac;; - *) func_append temp_deplibs " $libdir";; - esac - done - dependency_libs="$temp_deplibs" - fi - - func_append newlib_search_path " $absdir" - # Link against this library - test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs" - # ... and its dependency_libs - tmp_libs= - for deplib in $dependency_libs; do - newdependency_libs="$deplib $newdependency_libs" - case $deplib in - -L*) func_stripname '-L' '' "$deplib" - func_resolve_sysroot "$func_stripname_result";; - *) func_resolve_sysroot "$deplib" ;; - esac - if $opt_preserve_dup_deps ; then - case "$tmp_libs " in - *" $func_resolve_sysroot_result "*) - func_append specialdeplibs " $func_resolve_sysroot_result" ;; - esac - fi - func_append tmp_libs " $func_resolve_sysroot_result" - done - - if test "$link_all_deplibs" != no; then - # Add the search paths of all dependency libraries - for deplib in $dependency_libs; do - path= - case $deplib in - -L*) path="$deplib" ;; - *.la) - func_resolve_sysroot "$deplib" - deplib=$func_resolve_sysroot_result - func_dirname "$deplib" "" "." - dir=$func_dirname_result - # We need an absolute path. 
- case $dir in - [\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;; - *) - absdir=`cd "$dir" && pwd` - if test -z "$absdir"; then - func_warning "cannot determine absolute directory name of \`$dir'" - absdir="$dir" - fi - ;; - esac - if $GREP "^installed=no" $deplib > /dev/null; then - case $host in - *-*-darwin*) - depdepl= - eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib` - if test -n "$deplibrary_names" ; then - for tmp in $deplibrary_names ; do - depdepl=$tmp - done - if test -f "$absdir/$objdir/$depdepl" ; then - depdepl="$absdir/$objdir/$depdepl" - darwin_install_name=`${OTOOL} -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'` - if test -z "$darwin_install_name"; then - darwin_install_name=`${OTOOL64} -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'` - fi - func_append compiler_flags " ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}" - func_append linker_flags " -dylib_file ${darwin_install_name}:${depdepl}" - path= - fi - fi - ;; - *) - path="-L$absdir/$objdir" - ;; - esac - else - eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib` - test -z "$libdir" && \ - func_fatal_error "\`$deplib' is not a valid libtool archive" - test "$absdir" != "$libdir" && \ - func_warning "\`$deplib' seems to be moved" - - path="-L$absdir" - fi - ;; - esac - case " $deplibs " in - *" $path "*) ;; - *) deplibs="$path $deplibs" ;; - esac - done - fi # link_all_deplibs != no - fi # linkmode = lib - done # for deplib in $libs - if test "$pass" = link; then - if test "$linkmode" = "prog"; then - compile_deplibs="$new_inherited_linker_flags $compile_deplibs" - finalize_deplibs="$new_inherited_linker_flags $finalize_deplibs" - else - compiler_flags="$compiler_flags "`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` - fi - fi - dependency_libs="$newdependency_libs" - if test "$pass" = dlpreopen; then - # Link the dlpreopened libraries before other libraries - for deplib in $save_deplibs; do - 
deplibs="$deplib $deplibs" - done - fi - if test "$pass" != dlopen; then - if test "$pass" != conv; then - # Make sure lib_search_path contains only unique directories. - lib_search_path= - for dir in $newlib_search_path; do - case "$lib_search_path " in - *" $dir "*) ;; - *) func_append lib_search_path " $dir" ;; - esac - done - newlib_search_path= - fi - - if test "$linkmode,$pass" != "prog,link"; then - vars="deplibs" - else - vars="compile_deplibs finalize_deplibs" - fi - for var in $vars dependency_libs; do - # Add libraries to $var in reverse order - eval tmp_libs=\"\$$var\" - new_libs= - for deplib in $tmp_libs; do - # FIXME: Pedantically, this is the right thing to do, so - # that some nasty dependency loop isn't accidentally - # broken: - #new_libs="$deplib $new_libs" - # Pragmatically, this seems to cause very few problems in - # practice: - case $deplib in - -L*) new_libs="$deplib $new_libs" ;; - -R*) ;; - *) - # And here is the reason: when a library appears more - # than once as an explicit dependence of a library, or - # is implicitly linked in more than once by the - # compiler, it is considered special, and multiple - # occurrences thereof are not removed. Compare this - # with having the same library being listed as a - # dependency of multiple other libraries: in this case, - # we know (pedantically, we assume) the library does not - # need to be listed more than once, so we keep only the - # last copy. This is not always right, but it is rare - # enough that we require users that really mean to play - # such unportable linking tricks to link the library - # using -Wl,-lname, so that libtool does not consider it - # for duplicate removal. 
- case " $specialdeplibs " in - *" $deplib "*) new_libs="$deplib $new_libs" ;; - *) - case " $new_libs " in - *" $deplib "*) ;; - *) new_libs="$deplib $new_libs" ;; - esac - ;; - esac - ;; - esac - done - tmp_libs= - for deplib in $new_libs; do - case $deplib in - -L*) - case " $tmp_libs " in - *" $deplib "*) ;; - *) func_append tmp_libs " $deplib" ;; - esac - ;; - *) func_append tmp_libs " $deplib" ;; - esac - done - eval $var=\"$tmp_libs\" - done # for var - fi - # Last step: remove runtime libs from dependency_libs - # (they stay in deplibs) - tmp_libs= - for i in $dependency_libs ; do - case " $predeps $postdeps $compiler_lib_search_path " in - *" $i "*) - i="" - ;; - esac - if test -n "$i" ; then - func_append tmp_libs " $i" - fi - done - dependency_libs=$tmp_libs - done # for pass - if test "$linkmode" = prog; then - dlfiles="$newdlfiles" - fi - if test "$linkmode" = prog || test "$linkmode" = lib; then - dlprefiles="$newdlprefiles" - fi - - case $linkmode in - oldlib) - if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then - func_warning "\`-dlopen' is ignored for archives" - fi - - case " $deplibs" in - *\ -l* | *\ -L*) - func_warning "\`-l' and \`-L' are ignored for archives" ;; - esac - - test -n "$rpath" && \ - func_warning "\`-rpath' is ignored for archives" - - test -n "$xrpath" && \ - func_warning "\`-R' is ignored for archives" - - test -n "$vinfo" && \ - func_warning "\`-version-info/-version-number' is ignored for archives" - - test -n "$release" && \ - func_warning "\`-release' is ignored for archives" - - test -n "$export_symbols$export_symbols_regex" && \ - func_warning "\`-export-symbols' is ignored for archives" - - # Now set the variables for building old libraries. - build_libtool_libs=no - oldlibs="$output" - func_append objs "$old_deplibs" - ;; - - lib) - # Make sure we only generate libraries of the form `libNAME.la'. 
- case $outputname in - lib*) - func_stripname 'lib' '.la' "$outputname" - name=$func_stripname_result - eval shared_ext=\"$shrext_cmds\" - eval libname=\"$libname_spec\" - ;; - *) - test "$module" = no && \ - func_fatal_help "libtool library \`$output' must begin with \`lib'" - - if test "$need_lib_prefix" != no; then - # Add the "lib" prefix for modules if required - func_stripname '' '.la' "$outputname" - name=$func_stripname_result - eval shared_ext=\"$shrext_cmds\" - eval libname=\"$libname_spec\" - else - func_stripname '' '.la' "$outputname" - libname=$func_stripname_result - fi - ;; - esac - - if test -n "$objs"; then - if test "$deplibs_check_method" != pass_all; then - func_fatal_error "cannot build libtool library \`$output' from non-libtool objects on this host:$objs" - else - echo - $ECHO "*** Warning: Linking the shared library $output against the non-libtool" - $ECHO "*** objects $objs is not portable!" - func_append libobjs " $objs" - fi - fi - - test "$dlself" != no && \ - func_warning "\`-dlopen self' is ignored for libtool libraries" - - set dummy $rpath - shift - test "$#" -gt 1 && \ - func_warning "ignoring multiple \`-rpath's for a libtool library" - - install_libdir="$1" - - oldlibs= - if test -z "$rpath"; then - if test "$build_libtool_libs" = yes; then - # Building a libtool convenience library. - # Some compilers have problems with a `.al' extension so - # convenience libraries should have the same extension an - # archive normally would. - oldlibs="$output_objdir/$libname.$libext $oldlibs" - build_libtool_libs=convenience - build_old_libs=yes - fi - - test -n "$vinfo" && \ - func_warning "\`-version-info/-version-number' is ignored for convenience libraries" - - test -n "$release" && \ - func_warning "\`-release' is ignored for convenience libraries" - else - - # Parse the version information argument. 
- save_ifs="$IFS"; IFS=':' - set dummy $vinfo 0 0 0 - shift - IFS="$save_ifs" - - test -n "$7" && \ - func_fatal_help "too many parameters to \`-version-info'" - - # convert absolute version numbers to libtool ages - # this retains compatibility with .la files and attempts - # to make the code below a bit more comprehensible - - case $vinfo_number in - yes) - number_major="$1" - number_minor="$2" - number_revision="$3" - # - # There are really only two kinds -- those that - # use the current revision as the major version - # and those that subtract age and use age as - # a minor version. But, then there is irix - # which has an extra 1 added just for fun - # - case $version_type in - # correct linux to gnu/linux during the next big refactor - darwin|linux|osf|windows|none) - func_arith $number_major + $number_minor - current=$func_arith_result - age="$number_minor" - revision="$number_revision" - ;; - freebsd-aout|freebsd-elf|qnx|sunos) - current="$number_major" - revision="$number_minor" - age="0" - ;; - irix|nonstopux) - func_arith $number_major + $number_minor - current=$func_arith_result - age="$number_minor" - revision="$number_minor" - lt_irix_increment=no - ;; - esac - ;; - no) - current="$1" - revision="$2" - age="$3" - ;; - esac - - # Check that each of the things are valid numbers. 
- case $current in - 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; - *) - func_error "CURRENT \`$current' must be a nonnegative integer" - func_fatal_error "\`$vinfo' is not valid version information" - ;; - esac - - case $revision in - 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; - *) - func_error "REVISION \`$revision' must be a nonnegative integer" - func_fatal_error "\`$vinfo' is not valid version information" - ;; - esac - - case $age in - 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; - *) - func_error "AGE \`$age' must be a nonnegative integer" - func_fatal_error "\`$vinfo' is not valid version information" - ;; - esac - - if test "$age" -gt "$current"; then - func_error "AGE \`$age' is greater than the current interface number \`$current'" - func_fatal_error "\`$vinfo' is not valid version information" - fi - - # Calculate the version variables. - major= - versuffix= - verstring= - case $version_type in - none) ;; - - darwin) - # Like Linux, but with the current version available in - # verstring for coding it into the library header - func_arith $current - $age - major=.$func_arith_result - versuffix="$major.$age.$revision" - # Darwin ld doesn't like 0 for these options... 
- func_arith $current + 1 - minor_current=$func_arith_result - xlcverstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision" - verstring="-compatibility_version $minor_current -current_version $minor_current.$revision" - ;; - - freebsd-aout) - major=".$current" - versuffix=".$current.$revision"; - ;; - - freebsd-elf) - major=".$current" - versuffix=".$current" - ;; - - irix | nonstopux) - if test "X$lt_irix_increment" = "Xno"; then - func_arith $current - $age - else - func_arith $current - $age + 1 - fi - major=$func_arith_result - - case $version_type in - nonstopux) verstring_prefix=nonstopux ;; - *) verstring_prefix=sgi ;; - esac - verstring="$verstring_prefix$major.$revision" - - # Add in all the interfaces that we are compatible with. - loop=$revision - while test "$loop" -ne 0; do - func_arith $revision - $loop - iface=$func_arith_result - func_arith $loop - 1 - loop=$func_arith_result - verstring="$verstring_prefix$major.$iface:$verstring" - done - - # Before this point, $major must not contain `.'. - major=.$major - versuffix="$major.$revision" - ;; - - linux) # correct to gnu/linux during the next big refactor - func_arith $current - $age - major=.$func_arith_result - versuffix="$major.$age.$revision" - ;; - - osf) - func_arith $current - $age - major=.$func_arith_result - versuffix=".$current.$age.$revision" - verstring="$current.$age.$revision" - - # Add in all the interfaces that we are compatible with. - loop=$age - while test "$loop" -ne 0; do - func_arith $current - $loop - iface=$func_arith_result - func_arith $loop - 1 - loop=$func_arith_result - verstring="$verstring:${iface}.0" - done - - # Make executables depend on our current version. 
- func_append verstring ":${current}.0" - ;; - - qnx) - major=".$current" - versuffix=".$current" - ;; - - sunos) - major=".$current" - versuffix=".$current.$revision" - ;; - - windows) - # Use '-' rather than '.', since we only want one - # extension on DOS 8.3 filesystems. - func_arith $current - $age - major=$func_arith_result - versuffix="-$major" - ;; - - *) - func_fatal_configuration "unknown library version type \`$version_type'" - ;; - esac - - # Clear the version info if we defaulted, and they specified a release. - if test -z "$vinfo" && test -n "$release"; then - major= - case $version_type in - darwin) - # we can't check for "0.0" in archive_cmds due to quoting - # problems, so we reset it completely - verstring= - ;; - *) - verstring="0.0" - ;; - esac - if test "$need_version" = no; then - versuffix= - else - versuffix=".0.0" - fi - fi - - # Remove version info from name if versioning should be avoided - if test "$avoid_version" = yes && test "$need_version" = no; then - major= - versuffix= - verstring="" - else - # XXX - tmp=`echo $libname|sed -e 's,+,_,g' -e 's,-,_,g' -e 's,\.,_,g'` - eval tmp2=\$${tmp}_ltversion - if ! test -z "${SHARED_LIBS_LOG}"; then - if ! test -f ${SHARED_LIBS_LOG}; then - echo "# SHARED_LIBS+= # " >${SHARED_LIBS_LOG} - fi - tmp4=`echo $libname|sed -e 's/^lib//'` - printf "SHARED_LIBS +=\t%-20s %-8s # %s\n" "$tmp4" "$tmp2" "$versuffix" >>${SHARED_LIBS_LOG} - fi - if test -n "$versuffix" && test -n "$tmp2"; then - versuffix=".$tmp2" - fi - fi - - # Check to see if the archive will have undefined symbols. - if test "$allow_undefined" = yes; then - if test "$allow_undefined_flag" = unsupported; then - func_warning "undefined symbols not allowed in $host shared libraries" - build_libtool_libs=no - build_old_libs=yes - fi - else - # Don't allow undefined symbols. 
- allow_undefined_flag="$no_undefined_flag" - fi - - fi - - func_generate_dlsyms "$libname" "$libname" "yes" - func_append libobjs " $symfileobj" - test "X$libobjs" = "X " && libobjs= - - if test "$opt_mode" != relink; then - # Remove our outputs, but don't remove object files since they - # may have been created when compiling PIC objects. - removelist= - tempremovelist=`$ECHO "$output_objdir/*"` - for p in $tempremovelist; do - case $p in - *.$objext | *.gcno) - ;; - $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*) - if test "X$precious_files_regex" != "X"; then - if $ECHO "$p" | $EGREP -e "$precious_files_regex" >/dev/null 2>&1 - then - continue - fi - fi - func_append removelist " $p" - ;; - *) ;; - esac - done - test -n "$removelist" && \ - func_show_eval "${RM}r \$removelist" - fi - - # Now set the variables for building old libraries. - if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then - func_append oldlibs " $output_objdir/$libname.$libext" - - # Transform .lo files to .o files. - oldobjs="$objs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; $lo2o" | $NL2SP` - fi - - # Eliminate all temporary directories. - #for path in $notinst_path; do - # lib_search_path=`$ECHO "$lib_search_path " | $SED "s% $path % %g"` - # deplibs=`$ECHO "$deplibs " | $SED "s% -L$path % %g"` - # dependency_libs=`$ECHO "$dependency_libs " | $SED "s% -L$path % %g"` - #done - - if test -n "$xrpath"; then - # If the user specified any rpath flags, then add them. 
- temp_xrpath= - for libdir in $xrpath; do - func_replace_sysroot "$libdir" - func_append temp_xrpath " -R$func_replace_sysroot_result" - case "$finalize_rpath " in - *" $libdir "*) ;; - *) func_append finalize_rpath " $libdir" ;; - esac - done - if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then - dependency_libs="$temp_xrpath $dependency_libs" - fi - fi - - # Make sure dlfiles contains only unique files that won't be dlpreopened - old_dlfiles="$dlfiles" - dlfiles= - for lib in $old_dlfiles; do - case " $dlprefiles $dlfiles " in - *" $lib "*) ;; - *) func_append dlfiles " $lib" ;; - esac - done - - # Make sure dlprefiles contains only unique files - old_dlprefiles="$dlprefiles" - dlprefiles= - for lib in $old_dlprefiles; do - case "$dlprefiles " in - *" $lib "*) ;; - *) func_append dlprefiles " $lib" ;; - esac - done - - if test "$build_libtool_libs" = yes; then - if test -n "$rpath"; then - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc* | *-*-haiku*) - # these systems don't actually have a c library (as such)! - ;; - *-*-rhapsody* | *-*-darwin1.[012]) - # Rhapsody C library is in the System framework - func_append deplibs " System.ltframework" - ;; - *-*-netbsd*) - # Don't link with libc until the a.out ld.so is fixed. - ;; - *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*) - # Do not include libc due to us having libc/libc_r. - ;; - *-*-sco3.2v5* | *-*-sco5v6*) - # Causes problems with __ctype - ;; - *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*) - # Compiler inserts libc in the correct place for threads to work - ;; - *) - # Add libc to deplibs on all other systems if necessary. - if test "$build_libtool_need_lc" = "yes"; then - func_append deplibs " -lc" - fi - ;; - esac - fi - - # Transform deplibs into only deplibs that can be linked in shared. 
- name_save=$name - libname_save=$libname - release_save=$release - versuffix_save=$versuffix - major_save=$major - # I'm not sure if I'm treating the release correctly. I think - # release should show up in the -l (ie -lgmp5) so we don't want to - # add it in twice. Is that correct? - release="" - versuffix="" - major="" - newdeplibs= - droppeddeps=no - case $deplibs_check_method in - pass_all) - # Don't check for shared/static. Everything works. - # This might be a little naive. We might want to check - # whether the library exists or not. But this is on - # osf3 & osf4 and I'm not really sure... Just - # implementing what was already the behavior. - newdeplibs=$deplibs - ;; - test_compile) - # This code stresses the "libraries are programs" paradigm to its - # limits. Maybe even breaks it. We compile a program, linking it - # against the deplibs as a proxy for the library. Then we can check - # whether they linked in statically or dynamically with ldd. - $opt_dry_run || $RM conftest.c - cat > conftest.c </dev/null` - $nocaseglob - else - potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null` - fi - for potent_lib in $potential_libs; do - # Follow soft links. - if ls -lLd "$potent_lib" 2>/dev/null | - $GREP " -> " >/dev/null; then - continue - fi - # The statement above tries to avoid entering an - # endless loop below, in case of cyclic links. - # We might still enter an endless loop, since a link - # loop can be closed while we follow links, - # but so what? 
- potlib="$potent_lib" - while test -h "$potlib" 2>/dev/null; do - potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'` - case $potliblink in - [\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";; - *) potlib=`$ECHO "$potlib" | $SED 's,[^/]*$,,'`"$potliblink";; - esac - done - if eval $file_magic_cmd \"\$potlib\" 2>/dev/null | - $SED -e 10q | - $EGREP "$file_magic_regex" > /dev/null; then - func_append newdeplibs " $a_deplib" - a_deplib="" - break 2 - fi - done - done - fi - if test -n "$a_deplib" ; then - droppeddeps=yes - echo - $ECHO "*** Warning: linker path does not have real file for library $a_deplib." - echo "*** I have the capability to make that library automatically link in when" - echo "*** you link to this library. But I can only do this if you have a" - echo "*** shared version of the library, which you do not appear to have" - echo "*** because I did check the linker path looking for a file starting" - if test -z "$potlib" ; then - $ECHO "*** with $libname but no candidates were found. (...for file magic test)" - else - $ECHO "*** with $libname and none of the candidates passed a file format test" - $ECHO "*** using a file magic. Last file checked: $potlib" - fi - fi - ;; - *) - # Add a -L argument. - func_append newdeplibs " $a_deplib" - ;; - esac - done # Gone through all deplibs. 
- ;; - match_pattern*) - set dummy $deplibs_check_method; shift - match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"` - for a_deplib in $deplibs; do - case $a_deplib in - -l*) - func_stripname -l '' "$a_deplib" - name=$func_stripname_result - if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then - case " $predeps $postdeps " in - *" $a_deplib "*) - func_append newdeplibs " $a_deplib" - a_deplib="" - ;; - esac - fi - if test -n "$a_deplib" ; then - libname=`eval "\\$ECHO \"$libname_spec\""` - for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do - potential_libs=`ls $i/$libname[.-]* 2>/dev/null` - for potent_lib in $potential_libs; do - potlib="$potent_lib" # see symlink-check above in file_magic test - if eval "\$ECHO \"$potent_lib\"" 2>/dev/null | $SED 10q | \ - $EGREP "$match_pattern_regex" > /dev/null; then - func_append newdeplibs " $a_deplib" - a_deplib="" - break 2 - fi - done - done - fi - if test -n "$a_deplib" ; then - droppeddeps=yes - echo - $ECHO "*** Warning: linker path does not have real file for library $a_deplib." - echo "*** I have the capability to make that library automatically link in when" - echo "*** you link to this library. But I can only do this if you have a" - echo "*** shared version of the library, which you do not appear to have" - echo "*** because I did check the linker path looking for a file starting" - if test -z "$potlib" ; then - $ECHO "*** with $libname but no candidates were found. (...for regex pattern test)" - else - $ECHO "*** with $libname and none of the candidates passed a file format test" - $ECHO "*** using a regex pattern. Last file checked: $potlib" - fi - fi - ;; - *) - # Add a -L argument. - func_append newdeplibs " $a_deplib" - ;; - esac - done # Gone through all deplibs. 
- ;; - none | unknown | *) - newdeplibs="" - tmp_deplibs=`$ECHO " $deplibs" | $SED 's/ -lc$//; s/ -[LR][^ ]*//g'` - if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then - for i in $predeps $postdeps ; do - # can't use Xsed below, because $i might contain '/' - tmp_deplibs=`$ECHO " $tmp_deplibs" | $SED "s,$i,,"` - done - fi - case $tmp_deplibs in - *[!\ \ ]*) - echo - if test "X$deplibs_check_method" = "Xnone"; then - echo "*** Warning: inter-library dependencies are not supported in this platform." - else - echo "*** Warning: inter-library dependencies are not known to be supported." - fi - echo "*** All declared inter-library dependencies are being dropped." - droppeddeps=yes - ;; - esac - ;; - esac - versuffix=$versuffix_save - major=$major_save - release=$release_save - libname=$libname_save - name=$name_save - - case $host in - *-*-rhapsody* | *-*-darwin1.[012]) - # On Rhapsody replace the C library with the System framework - newdeplibs=`$ECHO " $newdeplibs" | $SED 's/ -lc / System.ltframework /'` - ;; - esac - - if test "$droppeddeps" = yes; then - if test "$module" = yes; then - echo - echo "*** Warning: libtool could not satisfy all declared inter-library" - $ECHO "*** dependencies of module $libname. Therefore, libtool will create" - echo "*** a static module, that should work as long as the dlopening" - echo "*** application is linked with the -dlopen flag." - if test -z "$global_symbol_pipe"; then - echo - echo "*** However, this would only work if libtool was able to extract symbol" - echo "*** lists from a program, using \`nm' or equivalent, but libtool could" - echo "*** not find such a program. So, this module is probably useless." - echo "*** \`nm' from GNU binutils and a full rebuild may help." 
- fi - if test "$build_old_libs" = no; then - oldlibs="$output_objdir/$libname.$libext" - build_libtool_libs=module - build_old_libs=yes - else - build_libtool_libs=no - fi - else - echo "*** The inter-library dependencies that have been dropped here will be" - echo "*** automatically added whenever a program is linked with this library" - echo "*** or is declared to -dlopen it." - - if test "$allow_undefined" = no; then - echo - echo "*** Since this library must not contain undefined symbols," - echo "*** because either the platform does not support them or" - echo "*** it was explicitly requested with -no-undefined," - echo "*** libtool will only create a static version of it." - if test "$build_old_libs" = no; then - oldlibs="$output_objdir/$libname.$libext" - build_libtool_libs=module - build_old_libs=yes - else - build_libtool_libs=no - fi - fi - fi - fi - # Done checking deplibs! - deplibs=$newdeplibs - fi - # Time to change all our "foo.ltframework" stuff back to "-framework foo" - case $host in - *-*-darwin*) - newdeplibs=`$ECHO " $newdeplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` - new_inherited_linker_flags=`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` - deplibs=`$ECHO " $deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` - ;; - esac - - # move library search paths that coincide with paths to not yet - # installed libraries to the beginning of the library search list - new_libs= - for path in $notinst_path; do - case " $new_libs " in - *" -L$path/$objdir "*) ;; - *) - case " $deplibs " in - *" -L$path/$objdir "*) - func_append new_libs " -L$path/$objdir" ;; - esac - ;; - esac - done - for deplib in $deplibs; do - case $deplib in - -L*) - case " $new_libs " in - *" $deplib "*) ;; - *) func_append new_libs " $deplib" ;; - esac - ;; - *) func_append new_libs " $deplib" ;; - esac - done - deplibs="$new_libs" - - # All the library-specific variables (install_libdir is set above). 
- library_names= - old_library= - dlname= - - # Test again, we may have decided not to build it any more - if test "$build_libtool_libs" = yes; then - # Remove ${wl} instances when linking with ld. - # FIXME: should test the right _cmds variable. - case $archive_cmds in - *\$LD\ *) wl= ;; - esac - if test "$hardcode_into_libs" = yes; then - # Hardcode the library paths - hardcode_libdirs= - dep_rpath= - rpath="$finalize_rpath" - test "$opt_mode" != relink && rpath="$compile_rpath$rpath" - for libdir in $rpath; do - if test -n "$hardcode_libdir_flag_spec"; then - if test -n "$hardcode_libdir_separator"; then - func_replace_sysroot "$libdir" - libdir=$func_replace_sysroot_result - if test -z "$hardcode_libdirs"; then - hardcode_libdirs="$libdir" - else - # Just accumulate the unique libdirs. - case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in - *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) - ;; - *) - func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" - ;; - esac - fi - else - eval flag=\"$hardcode_libdir_flag_spec\" - func_append dep_rpath " $flag" - fi - elif test -n "$runpath_var"; then - case "$perm_rpath " in - *" $libdir "*) ;; - *) func_append perm_rpath " $libdir" ;; - esac - fi - done - # Substitute the hardcoded libdirs into the rpath. - if test -n "$hardcode_libdir_separator" && - test -n "$hardcode_libdirs"; then - libdir="$hardcode_libdirs" - eval "dep_rpath=\"$hardcode_libdir_flag_spec\"" - fi - if test -n "$runpath_var" && test -n "$perm_rpath"; then - # We should set the runpath_var. 
- rpath= - for dir in $perm_rpath; do - func_append rpath "$dir:" - done - eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var" - fi - test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs" - fi - - shlibpath="$finalize_shlibpath" - test "$opt_mode" != relink && shlibpath="$compile_shlibpath$shlibpath" - if test -n "$shlibpath"; then - eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var" - fi - - # Get the real and link names of the library. - eval shared_ext=\"$shrext_cmds\" - eval library_names=\"$library_names_spec\" - set dummy $library_names - shift - realname="$1" - shift - - if test -n "$soname_spec"; then - eval soname=\"$soname_spec\" - else - soname="$realname" - fi - if test -z "$dlname"; then - dlname=$soname - fi - - lib="$output_objdir/$realname" - linknames= - for link - do - func_append linknames " $link" - done - - # Use standard objects if they are pic - test -z "$pic_flag" && libobjs=`$ECHO "$libobjs" | $SP2NL | $SED "$lo2o" | $NL2SP` - test "X$libobjs" = "X " && libobjs= - - delfiles= - if test -n "$export_symbols" && test -n "$include_expsyms"; then - $opt_dry_run || cp "$export_symbols" "$output_objdir/$libname.uexp" - export_symbols="$output_objdir/$libname.uexp" - func_append delfiles " $export_symbols" - fi - - orig_export_symbols= - case $host_os in - cygwin* | mingw* | cegcc*) - if test -n "$export_symbols" && test -z "$export_symbols_regex"; then - # exporting using user supplied symfile - if test "x`$SED 1q $export_symbols`" != xEXPORTS; then - # and it's NOT already a .def file. Must figure out - # which of the given symbols are data symbols and tag - # them as such. So, trigger use of export_symbols_cmds. - # export_symbols gets reassigned inside the "prepare - # the list of exported symbols" if statement, so the - # include_expsyms logic still works. 
- orig_export_symbols="$export_symbols" - export_symbols= - always_export_symbols=yes - fi - fi - ;; - esac - - # Prepare the list of exported symbols - if test -z "$export_symbols"; then - if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then - func_verbose "generating symbol list for \`$libname.la'" - export_symbols="$output_objdir/$libname.exp" - $opt_dry_run || $RM $export_symbols - cmds=$export_symbols_cmds - save_ifs="$IFS"; IFS='~' - for cmd1 in $cmds; do - IFS="$save_ifs" - # Take the normal branch if the nm_file_list_spec branch - # doesn't work or if tool conversion is not needed. - case $nm_file_list_spec~$to_tool_file_cmd in - *~func_convert_file_noop | *~func_convert_file_msys_to_w32 | ~*) - try_normal_branch=yes - eval cmd=\"$cmd1\" - func_len " $cmd" - len=$func_len_result - ;; - *) - try_normal_branch=no - ;; - esac - if test "$try_normal_branch" = yes \ - && { test "$len" -lt "$max_cmd_len" \ - || test "$max_cmd_len" -le -1; } - then - func_show_eval "$cmd" 'exit $?' - skipped_export=false - elif test -n "$nm_file_list_spec"; then - func_basename "$output" - output_la=$func_basename_result - save_libobjs=$libobjs - save_output=$output - output=${output_objdir}/${output_la}.nm - func_to_tool_file "$output" - libobjs=$nm_file_list_spec$func_to_tool_file_result - func_append delfiles " $output" - func_verbose "creating $NM input file list: $output" - for obj in $save_libobjs; do - func_to_tool_file "$obj" - $ECHO "$func_to_tool_file_result" - done > "$output" - eval cmd=\"$cmd1\" - func_show_eval "$cmd" 'exit $?' - output=$save_output - libobjs=$save_libobjs - skipped_export=false - else - # The command line is too long to execute in one step. - func_verbose "using reloadable object file for export list..." - skipped_export=: - # Break out early, otherwise skipped_export may be - # set to false by a later but shorter cmd. 
- break - fi - done - IFS="$save_ifs" - if test -n "$export_symbols_regex" && test "X$skipped_export" != "X:"; then - func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"' - func_show_eval '$MV "${export_symbols}T" "$export_symbols"' - fi - fi - fi - - if test -n "$export_symbols" && test -n "$include_expsyms"; then - tmp_export_symbols="$export_symbols" - test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols" - $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"' - fi - - if test "X$skipped_export" != "X:" && test -n "$orig_export_symbols"; then - # The given exports_symbols file has to be filtered, so filter it. - func_verbose "filter symbol list for \`$libname.la' to tag DATA exports" - # FIXME: $output_objdir/$libname.filter potentially contains lots of - # 's' commands which not all seds can handle. GNU sed should be fine - # though. Also, the filter scales superlinearly with the number of - # global variables. join(1) would be nice here, but unfortunately - # isn't a blessed tool. - $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter - func_append delfiles " $export_symbols $output_objdir/$libname.filter" - export_symbols=$output_objdir/$libname.def - $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols - fi - - tmp_deplibs= - for test_deplib in $deplibs; do - case " $convenience " in - *" $test_deplib "*) ;; - *) - func_append tmp_deplibs " $test_deplib" - ;; - esac - done - deplibs="$tmp_deplibs" - - if test -n "$convenience"; then - if test -n "$whole_archive_flag_spec" && - test "$compiler_needs_object" = yes && - test -z "$libobjs"; then - # extract the archives, so we have objects to list. - # TODO: could optimize this to just extract one archive. 
- whole_archive_flag_spec= - fi - if test -n "$whole_archive_flag_spec"; then - save_libobjs=$libobjs - eval libobjs=\"\$libobjs $whole_archive_flag_spec\" - test "X$libobjs" = "X " && libobjs= - else - gentop="$output_objdir/${outputname}x" - func_append generated " $gentop" - - func_extract_archives $gentop $convenience - func_append libobjs " $func_extract_archives_result" - test "X$libobjs" = "X " && libobjs= - fi - fi - - if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then - eval flag=\"$thread_safe_flag_spec\" - func_append linker_flags " $flag" - fi - - # Make a backup of the uninstalled library when relinking - if test "$opt_mode" = relink; then - $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}U && $MV $realname ${realname}U)' || exit $? - fi - - # Do each of the archive commands. - if test "$module" = yes && test -n "$module_cmds" ; then - if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then - eval test_cmds=\"$module_expsym_cmds\" - cmds=$module_expsym_cmds - else - eval test_cmds=\"$module_cmds\" - cmds=$module_cmds - fi - else - if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then - eval test_cmds=\"$archive_expsym_cmds\" - cmds=$archive_expsym_cmds - else - eval test_cmds=\"$archive_cmds\" - cmds=$archive_cmds - fi - fi - - if test "X$skipped_export" != "X:" && - func_len " $test_cmds" && - len=$func_len_result && - test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then - : - else - # The command line is too long to link in one step, link piecewise - # or, if using GNU ld and skipped_export is not :, use a linker - # script. - - # Save the value of $output and $libobjs because we want to - # use them later. If we have whole_archive_flag_spec, we - # want to use save_libobjs as it was before - # whole_archive_flag_spec was expanded, because we can't - # assume the linker understands whole_archive_flag_spec. 
- # This may have to be revisited, in case too many - # convenience libraries get linked in and end up exceeding - # the spec. - if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then - save_libobjs=$libobjs - fi - save_output=$output - func_basename "$output" - output_la=$func_basename_result - - # Clear the reloadable object creation command queue and - # initialize k to one. - test_cmds= - concat_cmds= - objlist= - last_robj= - k=1 - - if test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "$with_gnu_ld" = yes; then - output=${output_objdir}/${output_la}.lnkscript - func_verbose "creating GNU ld script: $output" - echo 'INPUT (' > $output - for obj in $save_libobjs - do - func_to_tool_file "$obj" - $ECHO "$func_to_tool_file_result" >> $output - done - echo ')' >> $output - func_append delfiles " $output" - func_to_tool_file "$output" - output=$func_to_tool_file_result - elif test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "X$file_list_spec" != X; then - output=${output_objdir}/${output_la}.lnk - func_verbose "creating linker input file list: $output" - : > $output - set x $save_libobjs - shift - firstobj= - if test "$compiler_needs_object" = yes; then - firstobj="$1 " - shift - fi - for obj - do - func_to_tool_file "$obj" - $ECHO "$func_to_tool_file_result" >> $output - done - func_append delfiles " $output" - func_to_tool_file "$output" - output=$firstobj\"$file_list_spec$func_to_tool_file_result\" - else - if test -n "$save_libobjs"; then - func_verbose "creating reloadable object files..." - output=$output_objdir/$output_la-${k}.$objext - eval test_cmds=\"$reload_cmds\" - func_len " $test_cmds" - len0=$func_len_result - len=$len0 - - # Loop over the list of objects to be linked. 
- for obj in $save_libobjs - do - func_len " $obj" - func_arith $len + $func_len_result - len=$func_arith_result - if test "X$objlist" = X || - test "$len" -lt "$max_cmd_len"; then - func_append objlist " $obj" - else - # The command $test_cmds is almost too long, add a - # command to the queue. - if test "$k" -eq 1 ; then - # The first file doesn't have a previous command to add. - reload_objs=$objlist - eval concat_cmds=\"$reload_cmds\" - else - # All subsequent reloadable object files will link in - # the last one created. - reload_objs="$objlist $last_robj" - eval concat_cmds=\"\$concat_cmds~$reload_cmds~\$RM $last_robj\" - fi - last_robj=$output_objdir/$output_la-${k}.$objext - func_arith $k + 1 - k=$func_arith_result - output=$output_objdir/$output_la-${k}.$objext - objlist=" $obj" - func_len " $last_robj" - func_arith $len0 + $func_len_result - len=$func_arith_result - fi - done - # Handle the remaining objects by creating one last - # reloadable object file. All subsequent reloadable object - # files will link in the last one created. - test -z "$concat_cmds" || concat_cmds=$concat_cmds~ - reload_objs="$objlist $last_robj" - eval concat_cmds=\"\${concat_cmds}$reload_cmds\" - if test -n "$last_robj"; then - eval concat_cmds=\"\${concat_cmds}~\$RM $last_robj\" - fi - func_append delfiles " $output" - - else - output= - fi - - if ${skipped_export-false}; then - func_verbose "generating symbol list for \`$libname.la'" - export_symbols="$output_objdir/$libname.exp" - $opt_dry_run || $RM $export_symbols - libobjs=$output - # Append the command to create the export file. - test -z "$concat_cmds" || concat_cmds=$concat_cmds~ - eval concat_cmds=\"\$concat_cmds$export_symbols_cmds\" - if test -n "$last_robj"; then - eval concat_cmds=\"\$concat_cmds~\$RM $last_robj\" - fi - fi - - test -n "$save_libobjs" && - func_verbose "creating a temporary reloadable object file: $output" - - # Loop through the commands generated above and execute them. 
- save_ifs="$IFS"; IFS='~' - for cmd in $concat_cmds; do - IFS="$save_ifs" - $opt_silent || { - func_quote_for_expand "$cmd" - eval "func_echo $func_quote_for_expand_result" - } - $opt_dry_run || eval "$cmd" || { - lt_exit=$? - - # Restore the uninstalled library and exit - if test "$opt_mode" = relink; then - ( cd "$output_objdir" && \ - $RM "${realname}T" && \ - $MV "${realname}U" "$realname" ) - fi - - exit $lt_exit - } - done - IFS="$save_ifs" - - if test -n "$export_symbols_regex" && ${skipped_export-false}; then - func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"' - func_show_eval '$MV "${export_symbols}T" "$export_symbols"' - fi - fi - - if ${skipped_export-false}; then - if test -n "$export_symbols" && test -n "$include_expsyms"; then - tmp_export_symbols="$export_symbols" - test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols" - $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"' - fi - - if test -n "$orig_export_symbols"; then - # The given exports_symbols file has to be filtered, so filter it. - func_verbose "filter symbol list for \`$libname.la' to tag DATA exports" - # FIXME: $output_objdir/$libname.filter potentially contains lots of - # 's' commands which not all seds can handle. GNU sed should be fine - # though. Also, the filter scales superlinearly with the number of - # global variables. join(1) would be nice here, but unfortunately - # isn't a blessed tool. - $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter - func_append delfiles " $export_symbols $output_objdir/$libname.filter" - export_symbols=$output_objdir/$libname.def - $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols - fi - fi - - libobjs=$output - # Restore the value of output. 
- output=$save_output - - if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then - eval libobjs=\"\$libobjs $whole_archive_flag_spec\" - test "X$libobjs" = "X " && libobjs= - fi - # Expand the library linking commands again to reset the - # value of $libobjs for piecewise linking. - - # Do each of the archive commands. - if test "$module" = yes && test -n "$module_cmds" ; then - if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then - cmds=$module_expsym_cmds - else - cmds=$module_cmds - fi - else - if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then - cmds=$archive_expsym_cmds - else - cmds=$archive_cmds - fi - fi - fi - - if test -n "$delfiles"; then - # Append the command to remove temporary files to $cmds. - eval cmds=\"\$cmds~\$RM $delfiles\" - fi - - # Add any objects from preloaded convenience libraries - if test -n "$dlprefiles"; then - gentop="$output_objdir/${outputname}x" - func_append generated " $gentop" - - func_extract_archives $gentop $dlprefiles - func_append libobjs " $func_extract_archives_result" - test "X$libobjs" = "X " && libobjs= - fi - - save_ifs="$IFS"; IFS='~' - for cmd in $cmds; do - IFS="$save_ifs" - eval cmd=\"$cmd\" - $opt_silent || { - func_quote_for_expand "$cmd" - eval "func_echo $func_quote_for_expand_result" - } - $opt_dry_run || eval "$cmd" || { - lt_exit=$? - - # Restore the uninstalled library and exit - if test "$opt_mode" = relink; then - ( cd "$output_objdir" && \ - $RM "${realname}T" && \ - $MV "${realname}U" "$realname" ) - fi - - exit $lt_exit - } - done - IFS="$save_ifs" - - # Restore the uninstalled library and exit - if test "$opt_mode" = relink; then - $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}T && $MV $realname ${realname}T && $MV ${realname}U $realname)' || exit $? 
- - if test -n "$convenience"; then - if test -z "$whole_archive_flag_spec"; then - func_show_eval '${RM}r "$gentop"' - fi - fi - - exit $EXIT_SUCCESS - fi - - # Create links to the real library. - for linkname in $linknames; do - if test "$realname" != "$linkname"; then - func_show_eval '(cd "$output_objdir" && $RM "$linkname" && $LN_S "$realname" "$linkname")' 'exit $?' - fi - done - - # If -module or -export-dynamic was specified, set the dlname. - if test "$module" = yes || test "$export_dynamic" = yes; then - # On all known operating systems, these are identical. - dlname="$soname" - fi - fi - ;; - - obj) - if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then - func_warning "\`-dlopen' is ignored for objects" - fi - - case " $deplibs" in - *\ -l* | *\ -L*) - func_warning "\`-l' and \`-L' are ignored for objects" ;; - esac - - test -n "$rpath" && \ - func_warning "\`-rpath' is ignored for objects" - - test -n "$xrpath" && \ - func_warning "\`-R' is ignored for objects" - - test -n "$vinfo" && \ - func_warning "\`-version-info' is ignored for objects" - - test -n "$release" && \ - func_warning "\`-release' is ignored for objects" - - case $output in - *.lo) - test -n "$objs$old_deplibs" && \ - func_fatal_error "cannot build library object \`$output' from non-libtool objects" - - libobj=$output - func_lo2o "$libobj" - obj=$func_lo2o_result - ;; - *) - libobj= - obj="$output" - ;; - esac - - # Delete the old objects. - $opt_dry_run || $RM $obj $libobj - - # Objects from convenience libraries. This assumes - # single-version convenience libraries. Whenever we create - # different ones for PIC/non-PIC, this we'll have to duplicate - # the extraction. - reload_conv_objs= - gentop= - # reload_cmds runs $LD directly, so let us get rid of - # -Wl from whole_archive_flag_spec and hope we can get by with - # turning comma into space.. 
- wl= - - if test -n "$convenience"; then - if test -n "$whole_archive_flag_spec"; then - eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\" - reload_conv_objs=$reload_objs\ `$ECHO "$tmp_whole_archive_flags" | $SED 's|,| |g'` - else - gentop="$output_objdir/${obj}x" - func_append generated " $gentop" - - func_extract_archives $gentop $convenience - reload_conv_objs="$reload_objs $func_extract_archives_result" - fi - fi - - # If we're not building shared, we need to use non_pic_objs - test "$build_libtool_libs" != yes && libobjs="$non_pic_objects" - - # Create the old-style object. - reload_objs="$objs$old_deplibs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; /\.lib$/d; $lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test - - output="$obj" - func_execute_cmds "$reload_cmds" 'exit $?' - - # Exit if we aren't doing a library object file. - if test -z "$libobj"; then - if test -n "$gentop"; then - func_show_eval '${RM}r "$gentop"' - fi - - exit $EXIT_SUCCESS - fi - - if test "$build_libtool_libs" != yes; then - if test -n "$gentop"; then - func_show_eval '${RM}r "$gentop"' - fi - - # Create an invalid libtool object if no PIC, so that we don't - # accidentally link it into a program. - # $show "echo timestamp > $libobj" - # $opt_dry_run || eval "echo timestamp > $libobj" || exit $? - exit $EXIT_SUCCESS - fi - - if test -n "$pic_flag" || test "$pic_mode" != default; then - # Only do commands if we really have different PIC objects. - reload_objs="$libobjs $reload_conv_objs" - output="$libobj" - func_execute_cmds "$reload_cmds" 'exit $?' 
- fi - - if test -n "$gentop"; then - func_show_eval '${RM}r "$gentop"' - fi - - exit $EXIT_SUCCESS - ;; - - prog) - case $host in - *cygwin*) func_stripname '' '.exe' "$output" - output=$func_stripname_result.exe;; - esac - test -n "$vinfo" && \ - func_warning "\`-version-info' is ignored for programs" - - test -n "$release" && \ - func_warning "\`-release' is ignored for programs" - - test "$preload" = yes \ - && test "$dlopen_support" = unknown \ - && test "$dlopen_self" = unknown \ - && test "$dlopen_self_static" = unknown && \ - func_warning "\`LT_INIT([dlopen])' not used. Assuming no dlopen support." - - case $host in - *-*-rhapsody* | *-*-darwin1.[012]) - # On Rhapsody replace the C library is the System framework - compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's/ -lc / System.ltframework /'` - finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's/ -lc / System.ltframework /'` - ;; - esac - - case $host in - *-*-darwin*) - # Don't allow lazy linking, it breaks C++ global constructors - # But is supposedly fixed on 10.4 or later (yay!). 
- if test "$tagname" = CXX ; then - case ${MACOSX_DEPLOYMENT_TARGET-10.0} in - 10.[0123]) - func_append compile_command " ${wl}-bind_at_load" - func_append finalize_command " ${wl}-bind_at_load" - ;; - esac - fi - # Time to change all our "foo.ltframework" stuff back to "-framework foo" - compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` - finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` - ;; - esac - - - # move library search paths that coincide with paths to not yet - # installed libraries to the beginning of the library search list - new_libs= - for path in $notinst_path; do - case " $new_libs " in - *" -L$path/$objdir "*) ;; - *) - case " $compile_deplibs " in - *" -L$path/$objdir "*) - func_append new_libs " -L$path/$objdir" ;; - esac - ;; - esac - done - for deplib in $compile_deplibs; do - case $deplib in - -L*) - case " $new_libs " in - *" $deplib "*) ;; - *) func_append new_libs " $deplib" ;; - esac - ;; - *) func_append new_libs " $deplib" ;; - esac - done - compile_deplibs="$new_libs" - - - func_append compile_command " $compile_deplibs" - func_append finalize_command " $finalize_deplibs" - - if test -n "$rpath$xrpath"; then - # If the user specified any rpath flags, then add them. - for libdir in $rpath $xrpath; do - # This is the magic to use -rpath. - case "$finalize_rpath " in - *" $libdir "*) ;; - *) func_append finalize_rpath " $libdir" ;; - esac - done - fi - - # Now hardcode the library paths - rpath= - hardcode_libdirs= - for libdir in $compile_rpath $finalize_rpath; do - if test -n "$hardcode_libdir_flag_spec"; then - if test -n "$hardcode_libdir_separator"; then - if test -z "$hardcode_libdirs"; then - hardcode_libdirs="$libdir" - else - # Just accumulate the unique libdirs. 
- case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in - *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) - ;; - *) - func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" - ;; - esac - fi - else - eval flag=\"$hardcode_libdir_flag_spec\" - func_append rpath " $flag" - fi - elif test -n "$runpath_var"; then - case "$perm_rpath " in - *" $libdir "*) ;; - *) func_append perm_rpath " $libdir" ;; - esac - fi - case $host in - *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) - testbindir=`${ECHO} "$libdir" | ${SED} -e 's*/lib$*/bin*'` - case :$dllsearchpath: in - *":$libdir:"*) ;; - ::) dllsearchpath=$libdir;; - *) func_append dllsearchpath ":$libdir";; - esac - case :$dllsearchpath: in - *":$testbindir:"*) ;; - ::) dllsearchpath=$testbindir;; - *) func_append dllsearchpath ":$testbindir";; - esac - ;; - esac - done - # Substitute the hardcoded libdirs into the rpath. - if test -n "$hardcode_libdir_separator" && - test -n "$hardcode_libdirs"; then - libdir="$hardcode_libdirs" - eval rpath=\" $hardcode_libdir_flag_spec\" - fi - compile_rpath="$rpath" - - rpath= - hardcode_libdirs= - for libdir in $finalize_rpath; do - if test -n "$hardcode_libdir_flag_spec"; then - if test -n "$hardcode_libdir_separator"; then - if test -z "$hardcode_libdirs"; then - hardcode_libdirs="$libdir" - else - # Just accumulate the unique libdirs. - case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in - *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) - ;; - *) - func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" - ;; - esac - fi - else - eval flag=\"$hardcode_libdir_flag_spec\" - func_append rpath " $flag" - fi - elif test -n "$runpath_var"; then - case "$finalize_perm_rpath " in - *" $libdir "*) ;; - *) func_append finalize_perm_rpath " $libdir" ;; - esac - fi - done - # Substitute the hardcoded libdirs into the rpath. 
- if test -n "$hardcode_libdir_separator" && - test -n "$hardcode_libdirs"; then - libdir="$hardcode_libdirs" - eval rpath=\" $hardcode_libdir_flag_spec\" - fi - finalize_rpath="$rpath" - - if test -n "$libobjs" && test "$build_old_libs" = yes; then - # Transform all the library objects into standard objects. - compile_command=`$ECHO "$compile_command" | $SP2NL | $SED "$lo2o" | $NL2SP` - finalize_command=`$ECHO "$finalize_command" | $SP2NL | $SED "$lo2o" | $NL2SP` - fi - - func_generate_dlsyms "$outputname" "@PROGRAM@" "no" - - # template prelinking step - if test -n "$prelink_cmds"; then - func_execute_cmds "$prelink_cmds" 'exit $?' - fi - - wrappers_required=yes - case $host in - *cegcc* | *mingw32ce*) - # Disable wrappers for cegcc and mingw32ce hosts, we are cross compiling anyway. - wrappers_required=no - ;; - *cygwin* | *mingw* ) - if test "$build_libtool_libs" != yes; then - wrappers_required=no - fi - ;; - *) - if test "$need_relink" = no || test "$build_libtool_libs" != yes; then - wrappers_required=no - fi - ;; - esac - if test "$wrappers_required" = no; then - # Replace the output file specification. - compile_command=`$ECHO "$compile_command" | $SED 's%@OUTPUT@%'"$output"'%g'` - link_command="$compile_command$compile_rpath" - - # We have no uninstalled library dependencies, so finalize right now. - exit_status=0 - func_show_eval "$link_command" 'exit_status=$?' - - if test -n "$postlink_cmds"; then - func_to_tool_file "$output" - postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` - func_execute_cmds "$postlink_cmds" 'exit $?' - fi - - # Delete the generated files. 
- if test -f "$output_objdir/${outputname}S.${objext}"; then - func_show_eval '$RM "$output_objdir/${outputname}S.${objext}"' - fi - - exit $exit_status - fi - - if test -n "$compile_shlibpath$finalize_shlibpath"; then - compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command" - fi - if test -n "$finalize_shlibpath"; then - finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command" - fi - - compile_var= - finalize_var= - if test -n "$runpath_var"; then - if test -n "$perm_rpath"; then - # We should set the runpath_var. - rpath= - for dir in $perm_rpath; do - func_append rpath "$dir:" - done - compile_var="$runpath_var=\"$rpath\$$runpath_var\" " - fi - if test -n "$finalize_perm_rpath"; then - # We should set the runpath_var. - rpath= - for dir in $finalize_perm_rpath; do - func_append rpath "$dir:" - done - finalize_var="$runpath_var=\"$rpath\$$runpath_var\" " - fi - fi - - if test "$no_install" = yes; then - # We don't need to create a wrapper script. - link_command="$compile_var$compile_command$compile_rpath" - # Replace the output file specification. - link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output"'%g'` - # Delete the old output file. - $opt_dry_run || $RM $output - # Link the executable and exit - func_show_eval "$link_command" 'exit $?' - - if test -n "$postlink_cmds"; then - func_to_tool_file "$output" - postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` - func_execute_cmds "$postlink_cmds" 'exit $?' 
- fi - - exit $EXIT_SUCCESS - fi - - if test "$hardcode_action" = relink; then - # Fast installation is not supported - link_command="$compile_var$compile_command$compile_rpath" - relink_command="$finalize_var$finalize_command$finalize_rpath" - - func_warning "this platform does not like uninstalled shared libraries" - func_warning "\`$output' will be relinked during installation" - else - if test "$fast_install" != no; then - link_command="$finalize_var$compile_command$finalize_rpath" - if test "$fast_install" = yes; then - relink_command=`$ECHO "$compile_var$compile_command$compile_rpath" | $SED 's%@OUTPUT@%\$progdir/\$file%g'` - else - # fast_install is set to needless - relink_command= - fi - else - link_command="$compile_var$compile_command$compile_rpath" - relink_command="$finalize_var$finalize_command$finalize_rpath" - fi - fi - - # Replace the output file specification. - link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'` - - # Delete the old output files. - $opt_dry_run || $RM $output $output_objdir/$outputname $output_objdir/lt-$outputname - - func_show_eval "$link_command" 'exit $?' - - if test -n "$postlink_cmds"; then - func_to_tool_file "$output_objdir/$outputname" - postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` - func_execute_cmds "$postlink_cmds" 'exit $?' - fi - - # Now create the wrapper script. - func_verbose "creating $output" - - # Quote the relink command for shipping. 
- if test -n "$relink_command"; then - # Preserve any variables that may affect compiler behavior - for var in $variables_saved_for_relink; do - if eval test -z \"\${$var+set}\"; then - relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command" - elif eval var_value=\$$var; test -z "$var_value"; then - relink_command="$var=; export $var; $relink_command" - else - func_quote_for_eval "$var_value" - relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command" - fi - done - relink_command="(cd `pwd`; $relink_command)" - relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"` - fi - - # Only actually do things if not in dry run mode. - $opt_dry_run || { - # win32 will think the script is a binary if it has - # a .exe suffix, so we strip it off here. - case $output in - *.exe) func_stripname '' '.exe' "$output" - output=$func_stripname_result ;; - esac - # test for cygwin because mv fails w/o .exe extensions - case $host in - *cygwin*) - exeext=.exe - func_stripname '' '.exe' "$outputname" - outputname=$func_stripname_result ;; - *) exeext= ;; - esac - case $host in - *cygwin* | *mingw* ) - func_dirname_and_basename "$output" "" "." - output_name=$func_basename_result - output_path=$func_dirname_result - cwrappersource="$output_path/$objdir/lt-$output_name.c" - cwrapper="$output_path/$output_name.exe" - $RM $cwrappersource $cwrapper - trap "$RM $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15 - - func_emit_cwrapperexe_src > $cwrappersource - - # The wrapper executable is built using the $host compiler, - # because it contains $host paths and files. If cross- - # compiling, it, like the target executable, must be - # executed on the $host or under an emulation environment. 
- $opt_dry_run || { - $LTCC $LTCFLAGS -o $cwrapper $cwrappersource - $STRIP $cwrapper - } - - # Now, create the wrapper script for func_source use: - func_ltwrapper_scriptname $cwrapper - $RM $func_ltwrapper_scriptname_result - trap "$RM $func_ltwrapper_scriptname_result; exit $EXIT_FAILURE" 1 2 15 - $opt_dry_run || { - # note: this script will not be executed, so do not chmod. - if test "x$build" = "x$host" ; then - $cwrapper --lt-dump-script > $func_ltwrapper_scriptname_result - else - func_emit_wrapper no > $func_ltwrapper_scriptname_result - fi - } - ;; - * ) - $RM $output - trap "$RM $output; exit $EXIT_FAILURE" 1 2 15 - - func_emit_wrapper no > $output - chmod +x $output - ;; - esac - } - exit $EXIT_SUCCESS - ;; - esac - - # See if we need to build an old-fashioned archive. - for oldlib in $oldlibs; do - - if test "$build_libtool_libs" = convenience; then - oldobjs="$libobjs_save $symfileobj" - addlibs="$convenience" - build_libtool_libs=no - else - if test "$build_libtool_libs" = module; then - oldobjs="$libobjs_save" - build_libtool_libs=no - else - oldobjs="$old_deplibs $non_pic_objects" - if test "$preload" = yes && test -f "$symfileobj"; then - func_append oldobjs " $symfileobj" - fi - fi - addlibs="$old_convenience" - fi - - if test -n "$addlibs"; then - gentop="$output_objdir/${outputname}x" - func_append generated " $gentop" - - func_extract_archives $gentop $addlibs - func_append oldobjs " $func_extract_archives_result" - fi - - # Do each command in the archive commands. - if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then - cmds=$old_archive_from_new_cmds - else - - # Add any objects from preloaded convenience libraries - if test -n "$dlprefiles"; then - gentop="$output_objdir/${outputname}x" - func_append generated " $gentop" - - func_extract_archives $gentop $dlprefiles - func_append oldobjs " $func_extract_archives_result" - fi - - # POSIX demands no paths to be encoded in archives. 
We have - # to avoid creating archives with duplicate basenames if we - # might have to extract them afterwards, e.g., when creating a - # static archive out of a convenience library, or when linking - # the entirety of a libtool archive into another (currently - # not supported by libtool). - if (for obj in $oldobjs - do - func_basename "$obj" - $ECHO "$func_basename_result" - done | sort | sort -uc >/dev/null 2>&1); then - : - else - echo "copying selected object files to avoid basename conflicts..." - gentop="$output_objdir/${outputname}x" - func_append generated " $gentop" - func_mkdir_p "$gentop" - save_oldobjs=$oldobjs - oldobjs= - counter=1 - for obj in $save_oldobjs - do - func_basename "$obj" - objbase="$func_basename_result" - case " $oldobjs " in - " ") oldobjs=$obj ;; - *[\ /]"$objbase "*) - while :; do - # Make sure we don't pick an alternate name that also - # overlaps. - newobj=lt$counter-$objbase - func_arith $counter + 1 - counter=$func_arith_result - case " $oldobjs " in - *[\ /]"$newobj "*) ;; - *) if test ! -f "$gentop/$newobj"; then break; fi ;; - esac - done - func_show_eval "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj" - func_append oldobjs " $gentop/$newobj" - ;; - *) func_append oldobjs " $obj" ;; - esac - done - fi - func_to_tool_file "$oldlib" func_convert_file_msys_to_w32 - tool_oldlib=$func_to_tool_file_result - eval cmds=\"$old_archive_cmds\" - - func_len " $cmds" - len=$func_len_result - if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then - cmds=$old_archive_cmds - elif test -n "$archiver_list_spec"; then - func_verbose "using command file archive linking..." 
- for obj in $oldobjs - do - func_to_tool_file "$obj" - $ECHO "$func_to_tool_file_result" - done > $output_objdir/$libname.libcmd - func_to_tool_file "$output_objdir/$libname.libcmd" - oldobjs=" $archiver_list_spec$func_to_tool_file_result" - cmds=$old_archive_cmds - else - # the command line is too long to link in one step, link in parts - func_verbose "using piecewise archive linking..." - save_RANLIB=$RANLIB - RANLIB=: - objlist= - concat_cmds= - save_oldobjs=$oldobjs - oldobjs= - # Is there a better way of finding the last object in the list? - for obj in $save_oldobjs - do - last_oldobj=$obj - done - eval test_cmds=\"$old_archive_cmds\" - func_len " $test_cmds" - len0=$func_len_result - len=$len0 - for obj in $save_oldobjs - do - func_len " $obj" - func_arith $len + $func_len_result - len=$func_arith_result - func_append objlist " $obj" - if test "$len" -lt "$max_cmd_len"; then - : - else - # the above command should be used before it gets too long - oldobjs=$objlist - if test "$obj" = "$last_oldobj" ; then - RANLIB=$save_RANLIB - fi - test -z "$concat_cmds" || concat_cmds=$concat_cmds~ - eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\" - objlist= - len=$len0 - fi - done - RANLIB=$save_RANLIB - oldobjs=$objlist - if test "X$oldobjs" = "X" ; then - eval cmds=\"\$concat_cmds\" - else - eval cmds=\"\$concat_cmds~\$old_archive_cmds\" - fi - fi - fi - func_execute_cmds "$cmds" 'exit $?' - done - - test -n "$generated" && \ - func_show_eval "${RM}r$generated" - - # Now create the libtool archive. 
- case $output in - *.la) - old_library= - test "$build_old_libs" = yes && old_library="$libname.$libext" - func_verbose "creating $output" - - # Preserve any variables that may affect compiler behavior - for var in $variables_saved_for_relink; do - if eval test -z \"\${$var+set}\"; then - relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command" - elif eval var_value=\$$var; test -z "$var_value"; then - relink_command="$var=; export $var; $relink_command" - else - func_quote_for_eval "$var_value" - relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command" - fi - done - # Quote the link command for shipping. - relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)" - relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"` - if test "$hardcode_automatic" = yes ; then - relink_command= - fi - - # Only create the output if not a dry run. - $opt_dry_run || { - for installed in no yes; do - if test "$installed" = yes; then - if test -z "$install_libdir"; then - break - fi - output="$output_objdir/$outputname"i - # Replace all uninstalled libtool libraries with the installed ones - newdependency_libs= - for deplib in $dependency_libs; do - case $deplib in - *.la) - func_basename "$deplib" - name="$func_basename_result" - func_resolve_sysroot "$deplib" - eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result` - test -z "$libdir" && \ - func_fatal_error "\`$deplib' is not a valid libtool archive" - func_append newdependency_libs " ${lt_sysroot:+=}$libdir/$name" - ;; - -L*) - func_stripname -L '' "$deplib" - func_replace_sysroot "$func_stripname_result" - func_append newdependency_libs " -L$func_replace_sysroot_result" - ;; - -R*) - func_stripname -R '' "$deplib" - func_replace_sysroot "$func_stripname_result" - func_append newdependency_libs " -R$func_replace_sysroot_result" - ;; - *) func_append newdependency_libs 
" $deplib" ;; - esac - done - dependency_libs="$newdependency_libs" - newdlfiles= - - for lib in $dlfiles; do - case $lib in - *.la) - func_basename "$lib" - name="$func_basename_result" - eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib` - test -z "$libdir" && \ - func_fatal_error "\`$lib' is not a valid libtool archive" - func_append newdlfiles " ${lt_sysroot:+=}$libdir/$name" - ;; - *) func_append newdlfiles " $lib" ;; - esac - done - dlfiles="$newdlfiles" - newdlprefiles= - for lib in $dlprefiles; do - case $lib in - *.la) - # Only pass preopened files to the pseudo-archive (for - # eventual linking with the app. that links it) if we - # didn't already link the preopened objects directly into - # the library: - func_basename "$lib" - name="$func_basename_result" - eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib` - test -z "$libdir" && \ - func_fatal_error "\`$lib' is not a valid libtool archive" - func_append newdlprefiles " ${lt_sysroot:+=}$libdir/$name" - ;; - esac - done - dlprefiles="$newdlprefiles" - else - newdlfiles= - for lib in $dlfiles; do - case $lib in - [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;; - *) abs=`pwd`"/$lib" ;; - esac - func_append newdlfiles " $abs" - done - dlfiles="$newdlfiles" - newdlprefiles= - for lib in $dlprefiles; do - case $lib in - [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;; - *) abs=`pwd`"/$lib" ;; - esac - func_append newdlprefiles " $abs" - done - dlprefiles="$newdlprefiles" - fi - $RM $output - # place dlname in correct position for cygwin - # In fact, it would be nice if we could use this code for all target - # systems that can't hard-code library paths into their executables - # and that have no shared library path variable independent of PATH, - # but it turns out we can't easily determine that from inspecting - # libtool variables, so we have to hard-code the OSs to which it - # applies here; at the moment, that means platforms that use the PE - # object format with DLL files. 
See the long comment at the top of - # tests/bindir.at for full details. - tdlname=$dlname - case $host,$output,$installed,$module,$dlname in - *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll) - # If a -bindir argument was supplied, place the dll there. - if test "x$bindir" != x ; - then - func_relative_path "$install_libdir" "$bindir" - tdlname=$func_relative_path_result$dlname - else - # Otherwise fall back on heuristic. - tdlname=../bin/$dlname - fi - ;; - esac - $ECHO > $output "\ -# $outputname - a libtool library file -# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION -# -# Please DO NOT delete this file! -# It is necessary for linking the library. - -# The name that we can dlopen(3). -dlname='$tdlname' - -# Names of this library. -library_names='$library_names' - -# The name of the static archive. -old_library='$old_library' - -# Linker flags that can not go in dependency_libs. -inherited_linker_flags='$new_inherited_linker_flags' - -# Libraries that this one depends upon. -dependency_libs='$dependency_libs' - -# Names of additional weak libraries provided by this library -weak_library_names='$weak_libs' - -# Version information for $libname. -current=$current -age=$age -revision=$revision - -# Is this an already installed library? -installed=$installed - -# Should we warn about portability when linking against -modules? -shouldnotlink=$module - -# Files to dlopen/dlpreopen -dlopen='$dlfiles' -dlpreopen='$dlprefiles' - -# Directory that this library needs to be installed in: -libdir='$install_libdir'" - if test "$installed" = no && test "$need_relink" = yes; then - $ECHO >> $output "\ -relink_command=\"$relink_command\"" - fi - done - } - - # Do a symbolic link so that the libtool archive can be found in - # LD_LIBRARY_PATH before the program is installed. - func_show_eval '( cd "$output_objdir" && $RM "$outputname" && $LN_S "../$outputname" "$outputname" )' 'exit $?' 
- ;; - esac - exit $EXIT_SUCCESS -} - -{ test "$opt_mode" = link || test "$opt_mode" = relink; } && - func_mode_link ${1+"$@"} - - -# func_mode_uninstall arg... -func_mode_uninstall () -{ - $opt_debug - RM="$nonopt" - files= - rmforce= - exit_status=0 - - # This variable tells wrapper scripts just to set variables rather - # than running their programs. - libtool_install_magic="$magic" - - for arg - do - case $arg in - -f) func_append RM " $arg"; rmforce=yes ;; - -*) func_append RM " $arg" ;; - *) func_append files " $arg" ;; - esac - done - - test -z "$RM" && \ - func_fatal_help "you must specify an RM program" - - rmdirs= - - for file in $files; do - func_dirname "$file" "" "." - dir="$func_dirname_result" - if test "X$dir" = X.; then - odir="$objdir" - else - odir="$dir/$objdir" - fi - func_basename "$file" - name="$func_basename_result" - test "$opt_mode" = uninstall && odir="$dir" - - # Remember odir for removal later, being careful to avoid duplicates - if test "$opt_mode" = clean; then - case " $rmdirs " in - *" $odir "*) ;; - *) func_append rmdirs " $odir" ;; - esac - fi - - # Don't error if the file doesn't exist and rm -f was used. - if { test -L "$file"; } >/dev/null 2>&1 || - { test -h "$file"; } >/dev/null 2>&1 || - test -f "$file"; then - : - elif test -d "$file"; then - exit_status=1 - continue - elif test "$rmforce" = yes; then - continue - fi - - rmfiles="$file" - - case $name in - *.la) - # Possibly a libtool archive, so verify it. - if func_lalib_p "$file"; then - func_source $dir/$name - - # Delete the libtool libraries and symlinks. 
- for n in $library_names; do - func_append rmfiles " $odir/$n" - done - test -n "$old_library" && func_append rmfiles " $odir/$old_library" - - case "$opt_mode" in - clean) - case " $library_names " in - *" $dlname "*) ;; - *) test -n "$dlname" && func_append rmfiles " $odir/$dlname" ;; - esac - test -n "$libdir" && func_append rmfiles " $odir/$name $odir/${name}i" - ;; - uninstall) - if test -n "$library_names"; then - # Do each command in the postuninstall commands. - func_execute_cmds "$postuninstall_cmds" 'test "$rmforce" = yes || exit_status=1' - fi - - if test -n "$old_library"; then - # Do each command in the old_postuninstall commands. - func_execute_cmds "$old_postuninstall_cmds" 'test "$rmforce" = yes || exit_status=1' - fi - # FIXME: should reinstall the best remaining shared library. - ;; - esac - fi - ;; - - *.lo) - # Possibly a libtool object, so verify it. - if func_lalib_p "$file"; then - - # Read the .lo file - func_source $dir/$name - - # Add PIC object to the list of files to remove. - if test -n "$pic_object" && - test "$pic_object" != none; then - func_append rmfiles " $dir/$pic_object" - fi - - # Add non-PIC object to the list of files to remove. - if test -n "$non_pic_object" && - test "$non_pic_object" != none; then - func_append rmfiles " $dir/$non_pic_object" - fi - fi - ;; - - *) - if test "$opt_mode" = clean ; then - noexename=$name - case $file in - *.exe) - func_stripname '' '.exe' "$file" - file=$func_stripname_result - func_stripname '' '.exe' "$name" - noexename=$func_stripname_result - # $file with .exe has already been added to rmfiles, - # add $file without .exe - func_append rmfiles " $file" - ;; - esac - # Do a test to see if this is a libtool program. 
- if func_ltwrapper_p "$file"; then - if func_ltwrapper_executable_p "$file"; then - func_ltwrapper_scriptname "$file" - relink_command= - func_source $func_ltwrapper_scriptname_result - func_append rmfiles " $func_ltwrapper_scriptname_result" - else - relink_command= - func_source $dir/$noexename - fi - - # note $name still contains .exe if it was in $file originally - # as does the version of $file that was added into $rmfiles - func_append rmfiles " $odir/$name $odir/${name}S.${objext}" - if test "$fast_install" = yes && test -n "$relink_command"; then - func_append rmfiles " $odir/lt-$name" - fi - if test "X$noexename" != "X$name" ; then - func_append rmfiles " $odir/lt-${noexename}.c" - fi - fi - fi - ;; - esac - func_show_eval "$RM $rmfiles" 'exit_status=1' - done - - # Try to remove the ${objdir}s in the directories where we deleted files - for dir in $rmdirs; do - if test -d "$dir"; then - func_show_eval "rmdir $dir >/dev/null 2>&1" - fi - done - - exit $exit_status -} - -{ test "$opt_mode" = uninstall || test "$opt_mode" = clean; } && - func_mode_uninstall ${1+"$@"} - -test -z "$opt_mode" && { - help="$generic_help" - func_fatal_help "you must specify a MODE" -} - -test -z "$exec_cmd" && \ - func_fatal_help "invalid operation mode \`$opt_mode'" - -if test -n "$exec_cmd"; then - eval exec "$exec_cmd" - exit $EXIT_FAILURE -fi - -exit $exit_status - - -# The TAGs below are defined such that we never get into a situation -# in which we disable both kinds of libraries. Given conflicting -# choices, we go for a static library, that is the most portable, -# since we can't tell whether shared libraries were disabled because -# the user asked for that or because the platform doesn't support -# them. This is particularly important on AIX, because we don't -# support having both static and shared libraries enabled at the same -# time on that platform, so we default to a shared-only configuration. 
-# If a disable-shared tag is given, we'll fallback to a static-only -# configuration. But we'll never go from static-only to shared-only. - -# ### BEGIN LIBTOOL TAG CONFIG: disable-shared -build_libtool_libs=no -build_old_libs=yes -# ### END LIBTOOL TAG CONFIG: disable-shared - -# ### BEGIN LIBTOOL TAG CONFIG: disable-static -build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac` -# ### END LIBTOOL TAG CONFIG: disable-static - -# Local Variables: -# mode:shell-script -# sh-indentation:2 -# End: -# vi:sw=2 - diff --git a/ssl/CMakeLists.txt b/ssl/CMakeLists.txt index cec2417..90b5025 100644 --- a/ssl/CMakeLists.txt +++ b/ssl/CMakeLists.txt @@ -23,6 +23,7 @@ set( ssl_packet.c ssl_pkt.c ssl_rsa.c + ssl_seclevel.c ssl_sess.c ssl_sigalgs.c ssl_srvr.c @@ -36,6 +37,7 @@ set( tls_buffer.c tls_content.c tls_key_share.c + tls_lib.c tls12_key_schedule.c tls12_lib.c tls12_record_layer.c @@ -46,6 +48,7 @@ set( tls13_key_schedule.c tls13_legacy.c tls13_lib.c + tls13_quic.c tls13_record.c tls13_record_layer.c tls13_server.c @@ -62,6 +65,7 @@ add_library(ssl_obj OBJECT ${SSL_SRC}) target_include_directories(ssl_obj PRIVATE . + hidden ../crypto/bio ../include/compat PUBLIC @@ -76,7 +80,7 @@ target_include_directories(bs_obj if(BUILD_SHARED_LIBS) add_library(ssl $ $) else() - add_library(ssl $) + add_library(ssl $ empty.c) endif() export_symbol(ssl ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym) @@ -90,15 +94,6 @@ set_target_properties(ssl PROPERTIES set_target_properties(ssl PROPERTIES VERSION ${SSL_VERSION} SOVERSION ${SSL_MAJOR_VERSION}) -if(ENABLE_LIBRESSL_INSTALL) - install( - TARGETS ssl - ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR} - LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR} - RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} - ) -endif(ENABLE_LIBRESSL_INSTALL) - # build static library for regression test if(BUILD_SHARED_LIBS) add_library(ssl-static STATIC $) diff --git a/ssl/VERSION b/ssl/VERSION index 71e5541..794c6a6 100644 --- a/ssl/VERSION +++ b/ssl/VERSION 
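Review bot: The static branch of the `add_library(ssl ...)` call now carries an extra `empty.c` source that the shared branch does not, and nothing in the hunk says why, so a later reader will be tempted to drop it as dead weight. Presumably it exists because some CMake generators reject a library whose only sources come from `$<TARGET_OBJECTS:...>`, but that is inferred rather than visible here. Add a one-line comment above the `else()` branch, e.g. `# empty.c: a library built solely from object-library sources is rejected by some generators`, so the asymmetry between the two branches is documented. The generator-expression argument on that line is not legible in this rendering, so only the added source is reviewed.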
@@ -1 +1 @@ -52:0:0 +54:0:0 diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c index e86b9d8..1a8cda8 100644 --- a/ssl/bio_ssl.c +++ b/ssl/bio_ssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_ssl.c,v 1.33 2022/01/14 09:12:53 tb Exp $ */ +/* $OpenBSD: bio_ssl.c,v 1.38 2023/02/16 08:38:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -67,7 +67,7 @@ #include #include "bio_local.h" -#include "ssl_locl.h" +#include "ssl_local.h" static int ssl_write(BIO *h, const char *buf, int num); static int ssl_read(BIO *h, char *buf, int size); @@ -103,6 +103,7 @@ BIO_f_ssl(void) { return (&methods_sslp); } +LSSL_ALIAS(BIO_f_ssl); static int ssl_new(BIO *bi) @@ -294,11 +295,9 @@ ssl_ctrl(BIO *b, int cmd, long num, void *ptr) case BIO_CTRL_RESET: SSL_shutdown(ssl); - if (ssl->internal->handshake_func == - ssl->method->ssl_connect) + if (ssl->handshake_func == ssl->method->ssl_connect) SSL_set_connect_state(ssl); - else if (ssl->internal->handshake_func == - ssl->method->ssl_accept) + else if (ssl->handshake_func == ssl->method->ssl_accept) SSL_set_accept_state(ssl); SSL_clear(ssl); @@ -534,6 +533,7 @@ BIO_new_ssl_connect(SSL_CTX *ctx) BIO_free(ssl); return (NULL); } +LSSL_ALIAS(BIO_new_ssl_connect); BIO * BIO_new_ssl(SSL_CTX *ctx, int client) @@ -558,6 +558,7 @@ BIO_new_ssl(SSL_CTX *ctx, int client) BIO_free(ret); return (NULL); } +LSSL_ALIAS(BIO_new_ssl); int BIO_ssl_copy_session_id(BIO *t, BIO *f) diff --git a/ssl/bs_cbb.c b/ssl/bs_cbb.c index 95e5386..e2f87be 100644 --- a/ssl/bs_cbb.c +++ b/ssl/bs_cbb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bs_cbb.c,v 1.27 2022/01/06 14:30:30 jsing Exp $ */ +/* $OpenBSD: bs_cbb.c,v 1.28 2022/07/07 17:12:15 tb Exp $ */ /* * Copyright (c) 2014, Google Inc. * @@ -163,6 +163,9 @@ CBB_finish(CBB *cbb, uint8_t **out_data, size_t *out_len) */ return 0; + if (out_data != NULL && *out_data != NULL) + return 0; + if (out_data != NULL) *out_data = cbb->base->buf; 
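Review bot: The new `if (out_data != NULL && *out_data != NULL) return 0;` in CBB_finish turns a non-NULL `*out_data` into a silent failure, so every caller must now initialise the output pointer to NULL before the call, and a stale or uninitialised pointer fails with nothing to distinguish it from the other `return 0` paths. The hunk carries no comment explaining the rule, so the next reader will see an odd-looking rejection of an output parameter's value. Add `/* Refuse to overwrite a caller pointer: *out_data must be NULL on entry so the previous buffer cannot be leaked. */` above the check and mirror the precondition in the function's header comment. The start of CBB_finish and the ownership handoff after `*out_data = cbb->base->buf;` are outside the hunk, so whether the CBB is still cleaned up on this early return cannot be confirmed from here.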
diff --git a/ssl/bytestring.h b/ssl/bytestring.h index 022bc68..51284da 100644 --- a/ssl/bytestring.h +++ b/ssl/bytestring.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bytestring.h,v 1.23 2022/01/06 14:30:30 jsing Exp $ */ +/* $OpenBSD: bytestring.h,v 1.24 2022/11/09 23:14:51 jsing Exp $ */ /* * Copyright (c) 2014, Google Inc. * @@ -80,11 +80,9 @@ int CBS_stow(const CBS *cbs, uint8_t **out_ptr, size_t *out_len); /* * CBS_strdup copies the current contents of |cbs| into |*out_ptr| as a * NUL-terminated C string. If |*out_ptr| is not NULL, the contents are freed - * with free. It returns one on success and zero on allocation - * failure. On success, |*out_ptr| should be freed with free. - * - * NOTE: If |cbs| contains NUL bytes, the string will be truncated. Call - * |CBS_contains_zero_byte(cbs)| to check for NUL bytes. + * with free. It returns one on success and zero on failure. On success, + * |*out_ptr| should be freed with free. If |cbs| contains NUL bytes, + * CBS_strdup will fail. */ int CBS_strdup(const CBS *cbs, char **out_ptr); diff --git a/ssl/d1_both.c b/ssl/d1_both.c index fd7c07a..b5c68a1 100644 --- a/ssl/d1_both.c +++ b/ssl/d1_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_both.c,v 1.81 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: d1_both.c,v 1.84 2022/12/26 07:31:44 jmc Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -123,9 +123,9 @@ #include #include "bytestring.h" -#include "dtls_locl.h" +#include "dtls_local.h" #include "pqueue.h" -#include "ssl_locl.h" +#include "ssl_local.h" #define RSMBLY_BITMASK_SIZE(msg_len) (((msg_len) + 7) / 8) @@ -206,7 +206,7 @@ dtls1_hm_fragment_free(hm_fragment *frag) free(frag); } -/* send s->internal->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ +/* send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or SSL3_RT_CHANGE_CIPHER_SPEC) */ int dtls1_do_write(SSL *s, int type) { 
@@ -237,15 +237,15 @@ dtls1_do_write(SSL *s, int type) OPENSSL_assert(s->d1->mtu >= dtls1_min_mtu()); /* should have something reasonable now */ - if (s->internal->init_off == 0 && type == SSL3_RT_HANDSHAKE) - OPENSSL_assert(s->internal->init_num == + if (s->init_off == 0 && type == SSL3_RT_HANDSHAKE) + OPENSSL_assert(s->init_num == (int)s->d1->w_msg_hdr.msg_len + DTLS1_HM_HEADER_LENGTH); - if (!tls12_record_layer_write_overhead(s->internal->rl, &overhead)) + if (!tls12_record_layer_write_overhead(s->rl, &overhead)) return -1; frag_off = 0; - while (s->internal->init_num) { + while (s->init_num) { curr_mtu = s->d1->mtu - BIO_wpending(SSL_get_wbio(s)) - DTLS1_RT_HEADER_LENGTH - overhead; @@ -258,22 +258,22 @@ dtls1_do_write(SSL *s, int type) overhead; } - if (s->internal->init_num > curr_mtu) + if (s->init_num > curr_mtu) len = curr_mtu; else - len = s->internal->init_num; + len = s->init_num; /* XDTLS: this function is too long. split out the CCS part */ if (type == SSL3_RT_HANDSHAKE) { - if (s->internal->init_off != 0) { - OPENSSL_assert(s->internal->init_off > DTLS1_HM_HEADER_LENGTH); - s->internal->init_off -= DTLS1_HM_HEADER_LENGTH; - s->internal->init_num += DTLS1_HM_HEADER_LENGTH; + if (s->init_off != 0) { + OPENSSL_assert(s->init_off > DTLS1_HM_HEADER_LENGTH); + s->init_off -= DTLS1_HM_HEADER_LENGTH; + s->init_num += DTLS1_HM_HEADER_LENGTH; - if (s->internal->init_num > curr_mtu) + if (s->init_num > curr_mtu) len = curr_mtu; else - len = s->internal->init_num; + len = s->init_num; } dtls1_fix_message_header(s, frag_off, 
@@ -281,14 +281,14 @@ dtls1_do_write(SSL *s, int type) if (!dtls1_write_message_header(&s->d1->w_msg_hdr, s->d1->w_msg_hdr.frag_off, s->d1->w_msg_hdr.frag_len, - (unsigned char *)&s->internal->init_buf->data[s->internal->init_off])) + (unsigned char *)&s->init_buf->data[s->init_off])) return -1; OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH); } ret = dtls1_write_bytes(s, type, - &s->internal->init_buf->data[s->internal->init_off], len); + &s->init_buf->data[s->init_off], len); if (ret < 0) { /* * Might need to update MTU here, but we don't know @@ -319,7 +319,7 @@ dtls1_do_write(SSL *s, int type) * but in that case we'll ignore the result * anyway */ - unsigned char *p = (unsigned char *)&s->internal->init_buf->data[s->internal->init_off]; + unsigned char *p = (unsigned char *)&s->init_buf->data[s->init_off]; const struct hm_header_st *msg_hdr = &s->d1->w_msg_hdr; int xlen; @@ -340,21 +340,21 @@ dtls1_do_write(SSL *s, int type) tls1_transcript_record(s, p, xlen); } - if (ret == s->internal->init_num) { - if (s->internal->msg_callback) - s->internal->msg_callback(1, s->version, type, - s->internal->init_buf->data, - (size_t)(s->internal->init_off + s->internal->init_num), - s, s->internal->msg_callback_arg); + if (ret == s->init_num) { + if (s->msg_callback) + s->msg_callback(1, s->version, type, + s->init_buf->data, + (size_t)(s->init_off + s->init_num), + s, s->msg_callback_arg); - s->internal->init_off = 0; + s->init_off = 0; /* done writing this message */ - s->internal->init_num = 0; + s->init_num = 0; return (1); } - s->internal->init_off += ret; - s->internal->init_num -= ret; + s->init_off += ret; + s->init_num -= ret; frag_off += (ret -= DTLS1_HM_HEADER_LENGTH); } } 
@@ -377,7 +377,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max) int i, al, ok; /* - * s3->internal->tmp is used to store messages that are unexpected, caused + * s3->tmp is used to store messages that are unexpected, caused * by the absence of an optional handshake message */ if (s->s3->hs.tls12.reuse_message) { @@ -387,8 +387,8 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max) SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); goto fatal_err; } - s->internal->init_msg = s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; - s->internal->init_num = (int)s->s3->hs.tls12.message_size; + s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; + s->init_num = (int)s->s3->hs.tls12.message_size; return 1; } @@ -403,7 +403,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max) else if (i <= 0 && !ok) return i; - p = (unsigned char *)s->internal->init_buf->data; + p = (unsigned char *)s->init_buf->data; msg_len = msg_hdr->msg_len; /* reconstruct message header */ @@ -413,9 +413,9 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max) msg_len += DTLS1_HM_HEADER_LENGTH; tls1_transcript_record(s, p, msg_len); - if (s->internal->msg_callback) - s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len, - s, s->internal->msg_callback_arg); + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len, + s, s->msg_callback_arg); memset(msg_hdr, 0, sizeof(struct hm_header_st)); @@ -423,7 +423,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max) if (!s->d1->listen) s->d1->handshake_read_seq++; - s->internal->init_msg = s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; + s->init_msg = s->init_buf->data + DTLS1_HM_HEADER_LENGTH; return 1; fatal_err: 
@@ -457,7 +457,7 @@ dtls1_preprocess_fragment(SSL *s, struct hm_header_st *msg_hdr, int max) * msg_len is limited to 2^24, but is effectively checked * against max above */ - if (!BUF_MEM_grow_clean(s->internal->init_buf, + if (!BUF_MEM_grow_clean(s->init_buf, msg_len + DTLS1_HM_HEADER_LENGTH)) { SSLerror(s, ERR_R_BUF_LIB); return SSL_AD_INTERNAL_ERROR; @@ -486,8 +486,8 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) /* * (0) check whether the desired fragment is available * if so: - * (1) copy over the fragment to s->internal->init_buf->data[] - * (2) update s->internal->init_num + * (1) copy over the fragment to s->init_buf->data[] + * (2) update s->init_num */ pitem *item; hm_fragment *frag; @@ -512,7 +512,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) if (al == 0) /* no alert */ { - unsigned char *p = (unsigned char *)s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; + unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; memcpy(&p[frag->msg_header.frag_off], frag->fragment, frag->msg_header.frag_len); } @@ -526,7 +526,7 @@ dtls1_retrieve_buffered_fragment(SSL *s, long max, int *ok) } ssl3_send_alert(s, SSL3_AL_FATAL, al); - s->internal->init_num = 0; + s->init_num = 0; *ok = 0; return -1; } else @@ -544,8 +544,8 @@ dtls1_max_handshake_message_len(const SSL *s) unsigned long max_len; max_len = DTLS1_HM_HEADER_LENGTH + SSL3_RT_MAX_ENCRYPTED_LENGTH; - if (max_len < (unsigned long)s->internal->max_cert_list) - return s->internal->max_cert_list; + if (max_len < (unsigned long)s->max_cert_list) + return s->max_cert_list; return max_len; } @@ -749,7 +749,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) /* see if we have the required fragment already */ if ((frag_len = dtls1_retrieve_buffered_fragment(s, max, ok)) || *ok) { if (*ok) - s->internal->init_num = frag_len; + s->init_num = frag_len; return frag_len; } 
@@ -758,7 +758,7 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) DTLS1_HM_HEADER_LENGTH, 0); if (i <= 0) { /* nbio, or an error */ - s->internal->rwstate = SSL_READING; + s->rwstate = SSL_READING; *ok = 0; return i; } @@ -797,16 +797,16 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) * 'Finished' MAC. */ if (wire[1] == 0 && wire[2] == 0 && wire[3] == 0) { - if (s->internal->msg_callback) - s->internal->msg_callback(0, s->version, + if (s->msg_callback) + s->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, wire, DTLS1_HM_HEADER_LENGTH, s, - s->internal->msg_callback_arg); + s->msg_callback_arg); - s->internal->init_num = 0; + s->init_num = 0; goto again; } - else /* Incorrectly formated Hello request */ + else /* Incorrectly formatted Hello request */ { al = SSL_AD_UNEXPECTED_MESSAGE; SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); @@ -817,17 +817,17 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) if ((al = dtls1_preprocess_fragment(s, &msg_hdr, max))) goto fatal_err; - /* XDTLS: ressurect this when restart is in place */ + /* XDTLS: resurrect this when restart is in place */ s->s3->hs.state = stn; if (frag_len > 0) { - unsigned char *p = (unsigned char *)s->internal->init_buf->data + DTLS1_HM_HEADER_LENGTH; + unsigned char *p = (unsigned char *)s->init_buf->data + DTLS1_HM_HEADER_LENGTH; i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, &p[frag_off], frag_len, 0); /* XDTLS: fix this--message fragments cannot span multiple packets */ if (i <= 0) { - s->internal->rwstate = SSL_READING; + s->rwstate = SSL_READING; *ok = 0; return i; } 
@@ -845,18 +845,18 @@ dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok) } /* - * Note that s->internal->init_num is *not* used as current offset in - * s->internal->init_buf->data, but as a counter summing up fragments' + * Note that s->init_num is *not* used as current offset in + * s->init_buf->data, but as a counter summing up fragments' * lengths: as soon as they sum up to handshake packet * length, we assume we have got all the fragments. */ - s->internal->init_num = frag_len; + s->init_num = frag_len; *ok = 1; return frag_len; fatal_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); - s->internal->init_num = 0; + s->init_num = 0; *ok = 0; return (-1); @@ -942,23 +942,23 @@ dtls1_buffer_message(SSL *s, int is_ccs) hm_fragment *frag; unsigned char seq64be[8]; - /* Buffer the messsage in order to handle DTLS retransmissions. */ + /* Buffer the message in order to handle DTLS retransmissions. */ /* * This function is called immediately after a message has * been serialized */ - OPENSSL_assert(s->internal->init_off == 0); + OPENSSL_assert(s->init_off == 0); - frag = dtls1_hm_fragment_new(s->internal->init_num, 0); + frag = dtls1_hm_fragment_new(s->init_num, 0); if (frag == NULL) return 0; - memcpy(frag->fragment, s->internal->init_buf->data, s->internal->init_num); + memcpy(frag->fragment, s->init_buf->data, s->init_num); OPENSSL_assert(s->d1->w_msg_hdr.msg_len + (is_ccs ? DTLS1_CCS_HEADER_LENGTH : DTLS1_HM_HEADER_LENGTH) == - (unsigned int)s->internal->init_num); + (unsigned int)s->init_num); frag->msg_header.msg_len = s->d1->w_msg_hdr.msg_len; frag->msg_header.seq = s->d1->w_msg_hdr.seq; 
@@ -970,7 +970,7 @@ dtls1_buffer_message(SSL *s, int is_ccs) /* save current state*/ frag->msg_header.saved_retransmit_state.session = s->session; frag->msg_header.saved_retransmit_state.epoch = - tls12_record_layer_write_epoch(s->internal->rl); + tls12_record_layer_write_epoch(s->rl); memset(seq64be, 0, sizeof(seq64be)); seq64be[6] = (unsigned char)(dtls1_get_queue_priority( @@ -1001,8 +1001,8 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, struct dtls1_retransmit_state saved_state; /* - OPENSSL_assert(s->internal->init_num == 0); - OPENSSL_assert(s->internal->init_off == 0); + OPENSSL_assert(s->init_num == 0); + OPENSSL_assert(s->init_off == 0); */ /* XDTLS: the requested message ought to be found, otherwise error */ @@ -1027,9 +1027,9 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, else header_length = DTLS1_HM_HEADER_LENGTH; - memcpy(s->internal->init_buf->data, frag->fragment, + memcpy(s->init_buf->data, frag->fragment, frag->msg_header.msg_len + header_length); - s->internal->init_num = frag->msg_header.msg_len + header_length; + s->init_num = frag->msg_header.msg_len + header_length; dtls1_set_message_header_int(s, frag->msg_header.type, frag->msg_header.msg_len, frag->msg_header.seq, 0, @@ -1037,13 +1037,13 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, /* save current state */ saved_state.session = s->session; - saved_state.epoch = tls12_record_layer_write_epoch(s->internal->rl); + saved_state.epoch = tls12_record_layer_write_epoch(s->rl); s->d1->retransmitting = 1; /* restore state in which the message was originally sent */ s->session = frag->msg_header.saved_retransmit_state.session; - if (!tls12_record_layer_use_write_epoch(s->internal->rl, + if (!tls12_record_layer_use_write_epoch(s->rl, frag->msg_header.saved_retransmit_state.epoch)) return 0; 
@@ -1052,7 +1052,7 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, /* restore current state */ s->session = saved_state.session; - if (!tls12_record_layer_use_write_epoch(s->internal->rl, + if (!tls12_record_layer_use_write_epoch(s->rl, saved_state.epoch)) return 0; @@ -1073,7 +1073,7 @@ dtls1_clear_record_buffer(SSL *s) item = pqueue_pop(s->d1->sent_messages)) { frag = item->data; if (frag->msg_header.is_ccs) - tls12_record_layer_write_epoch_done(s->internal->rl, + tls12_record_layer_write_epoch_done(s->rl, frag->msg_header.saved_retransmit_state.epoch); dtls1_hm_fragment_free(frag); pitem_free(item); diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 770734e..ae6a665 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_lib.c,v 1.61 2021/10/23 13:36:03 jsing Exp $ */ +/* $OpenBSD: d1_lib.c,v 1.64 2022/11/26 16:08:55 tb Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -67,9 +67,9 @@ #include -#include "dtls_locl.h" +#include "dtls_local.h" #include "pqueue.h" -#include "ssl_locl.h" +#include "ssl_local.h" void dtls1_hm_fragment_free(hm_fragment *frag); @@ -104,6 +104,23 @@ dtls1_new(SSL *s) return (0); } +static void +dtls1_drain_rcontents(pqueue queue) +{ + DTLS1_RCONTENT_DATA_INTERNAL *rdata; + pitem *item; + + if (queue == NULL) + return; + + while ((item = pqueue_pop(queue)) != NULL) { + rdata = (DTLS1_RCONTENT_DATA_INTERNAL *)item->data; + tls_content_free(rdata->rcontent); + free(item->data); + pitem_free(item); + } +} + static void dtls1_drain_records(pqueue queue) { @@ -141,7 +158,7 @@ dtls1_clear_queues(SSL *s) dtls1_drain_records(s->d1->unprocessed_rcds.q); dtls1_drain_fragments(s->d1->buffered_messages); dtls1_drain_fragments(s->d1->sent_messages); - dtls1_drain_records(s->d1->buffered_app_data.q); + dtls1_drain_rcontents(s->d1->buffered_app_data.q); } void 
@@ -187,7 +204,7 @@ dtls1_clear(SSL *s) memset(s->d1, 0, sizeof(*s->d1)); s->d1->unprocessed_rcds.epoch = - tls12_record_layer_read_epoch(s->internal->rl) + 1; + tls12_record_layer_read_epoch(s->rl) + 1; if (s->server) { s->d1->cookie_len = sizeof(s->d1->cookie); diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 456f871..5409d39 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_pkt.c,v 1.123 2022/03/26 15:05:53 jsing Exp $ */ +/* $OpenBSD: d1_pkt.c,v 1.127 2022/11/26 16:08:55 tb Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -115,15 +115,17 @@ #include #include +#include #include #include #include #include "bytestring.h" -#include "dtls_locl.h" +#include "dtls_local.h" #include "pqueue.h" -#include "ssl_locl.h" +#include "ssl_local.h" +#include "tls_content.h" /* mod 128 saturating subtract of two 64-bit values in big-endian order */ static int @@ -193,8 +195,8 @@ dtls1_copy_record(SSL *s, DTLS1_RECORD_DATA_INTERNAL *rdata) { ssl3_release_buffer(&s->s3->rbuf); - s->internal->packet = rdata->packet; - s->internal->packet_length = rdata->packet_length; + s->packet = rdata->packet; + s->packet_length = rdata->packet_length; memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER_INTERNAL)); memcpy(&(s->s3->rrec), &(rdata->rrec), sizeof(SSL3_RECORD_INTERNAL)); 
@@ -216,15 +218,15 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) if (rdata == NULL || item == NULL) goto init_err; - rdata->packet = s->internal->packet; - rdata->packet_length = s->internal->packet_length; + rdata->packet = s->packet; + rdata->packet_length = s->packet_length; memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER_INTERNAL)); memcpy(&(rdata->rrec), &(s->s3->rrec), sizeof(SSL3_RECORD_INTERNAL)); item->data = rdata; - s->internal->packet = NULL; - s->internal->packet_length = 0; + s->packet = NULL; + s->packet_length = 0; memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER_INTERNAL)); memset(&(s->s3->rrec), 0, sizeof(SSL3_RECORD_INTERNAL)); @@ -247,6 +249,44 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) return (-1); } +static int +dtls1_buffer_rcontent(SSL *s, rcontent_pqueue *queue, unsigned char *priority) +{ + DTLS1_RCONTENT_DATA_INTERNAL *rdata; + pitem *item; + + /* Limit the size of the queue to prevent DOS attacks */ + if (pqueue_size(queue->q) >= 100) + return 0; + + rdata = malloc(sizeof(DTLS1_RCONTENT_DATA_INTERNAL)); + item = pitem_new(priority, rdata); + if (rdata == NULL || item == NULL) + goto init_err; + + rdata->rcontent = s->s3->rcontent; + s->s3->rcontent = NULL; + + item->data = rdata; + + /* insert should not fail, since duplicates are dropped */ + if (pqueue_insert(queue->q, item) == NULL) + goto err; + + if ((s->s3->rcontent = tls_content_new()) == NULL) + goto err; + + return (1); + + err: + tls_content_free(rdata->rcontent); + + init_err: + SSLerror(s, ERR_R_INTERNAL_ERROR); + free(rdata); + pitem_free(item); + return (-1); +} static int dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) 
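Review bot: The second `goto err` in the new dtls1_buffer_rcontent, taken when `tls_content_new()` fails, runs after `pqueue_insert()` has already succeeded, so the `err`/`init_err` cleanup frees `rdata->rcontent`, `rdata` and `item` while the queue still references `item`; the next `dtls1_retrieve_buffered_rcontent()` or `dtls1_drain_rcontents()` would then touch freed memory. It is only reachable on allocation failure, but it converts an out-of-memory condition into a use-after-free on the DTLS read path. Allocate the replacement content before handing the item to the queue so that every failure path still owns everything it frees; on the insert-failure path `s->s3->rcontent` then also remains a valid empty object rather than NULL. No pqueue remove primitive is visible here, which is why reordering is preferable to trying to pop the item back out.
```c
	rdata->rcontent = s->s3->rcontent;
	s->s3->rcontent = NULL;

	item->data = rdata;

	/*
	 * Allocate the replacement before inserting: once the item is in the
	 * queue it is owned by the queue and must not be freed on failure here.
	 */
	if ((s->s3->rcontent = tls_content_new()) == NULL)
		goto err;

	/* insert should not fail, since duplicates are dropped */
	if (pqueue_insert(queue->q, item) == NULL)
		goto err;

	return (1);

 err:
	/* … unchanged: free rdata->rcontent, report ERR_R_INTERNAL_ERROR, free rdata and item … */
```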
@@ -266,18 +306,41 @@ dtls1_retrieve_buffered_record(SSL *s, record_pqueue *queue) return (0); } +static int +dtls1_retrieve_buffered_rcontent(SSL *s, rcontent_pqueue *queue) +{ + DTLS1_RCONTENT_DATA_INTERNAL *rdata; + pitem *item; + + item = pqueue_pop(queue->q); + if (item) { + rdata = item->data; + + tls_content_free(s->s3->rcontent); + s->s3->rcontent = rdata->rcontent; + s->s3->rrec.epoch = tls_content_epoch(s->s3->rcontent); + + free(item->data); + pitem_free(item); + + return (1); + } + + return (0); +} + static int dtls1_process_buffered_record(SSL *s) { /* Check if epoch is current. */ if (s->d1->unprocessed_rcds.epoch != - tls12_record_layer_read_epoch(s->internal->rl)) + tls12_record_layer_read_epoch(s->rl)) return (0); /* Update epoch once all unprocessed records have been processed. */ if (pqueue_peek(s->d1->unprocessed_rcds.q) == NULL) { s->d1->unprocessed_rcds.epoch = - tls12_record_layer_read_epoch(s->internal->rl) + 1; + tls12_record_layer_read_epoch(s->rl) + 1; return (0); } @@ -295,14 +358,12 @@ dtls1_process_record(SSL *s) { SSL3_RECORD_INTERNAL *rr = &(s->s3->rrec); uint8_t alert_desc; - uint8_t *out; - size_t out_len; - tls12_record_layer_set_version(s->internal->rl, s->version); + tls12_record_layer_set_version(s->rl, s->version); - if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet, - s->internal->packet_length, &out, &out_len)) { - tls12_record_layer_alert(s->internal->rl, &alert_desc); + if (!tls12_record_layer_open_record(s->rl, s->packet, s->packet_length, + s->s3->rcontent)) { + tls12_record_layer_alert(s->rl, &alert_desc); if (alert_desc == 0) goto err; 
@@ -311,10 +372,8 @@ dtls1_process_record(SSL *s) * DTLS should silently discard invalid records, including those * with a bad MAC, as per RFC 6347 section 4.1.2.1. */ - if (alert_desc == SSL_AD_BAD_RECORD_MAC) { - out_len = 0; + if (alert_desc == SSL_AD_BAD_RECORD_MAC) goto done; - } if (alert_desc == SSL_AD_RECORD_OVERFLOW) SSLerror(s, SSL_R_ENCRYPTED_LENGTH_TOO_LONG); @@ -322,12 +381,11 @@ dtls1_process_record(SSL *s) goto fatal_err; } - done: - rr->data = out; - rr->length = out_len; - rr->off = 0; + /* XXX move to record layer. */ + tls_content_set_epoch(s->s3->rcontent, rr->epoch); - s->internal->packet_length = 0; + done: + s->packet_length = 0; return (1); @@ -341,9 +399,9 @@ dtls1_process_record(SSL *s) * It will return <= 0 if more data is needed, normally due to an error * or non-blocking IO. * When it finishes, one packet has been decoded and can be found in - * ssl->s3->internal->rrec.type - is the type of record - * ssl->s3->internal->rrec.data, - data - * ssl->s3->internal->rrec.length, - number of bytes + * ssl->s3->rrec.type - is the type of record + * ssl->s3->rrec.data, - data + * ssl->s3->rrec.length, - number of bytes */ /* used only by dtls1_read_bytes */ int @@ -364,12 +422,12 @@ dtls1_get_record(SSL *s) again: /* dump this record on all retries */ rr->length = 0; - s->internal->packet_length = 0; + s->packet_length = 0; } /* check if we have the header */ - if ((s->internal->rstate != SSL_ST_READ_BODY) || - (s->internal->packet_length < DTLS1_RT_HEADER_LENGTH)) { + if ((s->rstate != SSL_ST_READ_BODY) || + (s->packet_length < DTLS1_RT_HEADER_LENGTH)) { CBS header, seq_no; uint16_t epoch, len, ssl_version; uint8_t type; 
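Review bot: With `done:` moved below `tls_content_set_epoch()`, the bad-MAC record that the preceding hunk sends to `goto done` returns 1 with `s->packet_length = 0` but with `s->s3->rcontent` in whatever state the failed `tls12_record_layer_open_record()` left it; if that call does not leave the content empty on failure, the caller will presumably treat stale content as a freshly received record, where the old code explicitly set `out_len = 0`. That contract is not visible here, so a comment at the label would pin it: `/* Silently discarded records rely on open_record leaving rcontent empty. */`. dtls1_process_record's body begins in the preceding hunk.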
@@ -382,9 +440,9 @@ dtls1_get_record(SSL *s) if (n != DTLS1_RT_HEADER_LENGTH) goto again; - s->internal->rstate = SSL_ST_READ_BODY; + s->rstate = SSL_ST_READ_BODY; - CBS_init(&header, s->internal->packet, s->internal->packet_length); + CBS_init(&header, s->packet, s->packet_length); /* Pull apart the header into the DTLS1_RECORD */ if (!CBS_get_u8(&header, &type)) @@ -409,7 +467,7 @@ dtls1_get_record(SSL *s) rr->length = len; /* unexpected version, silently discard */ - if (!s->internal->first_packet && ssl_version != s->version) + if (!s->first_packet && ssl_version != s->version) goto again; /* wrong version, silently discard record */ @@ -420,11 +478,11 @@ dtls1_get_record(SSL *s) if (rr->length > SSL3_RT_MAX_ENCRYPTED_LENGTH) goto again; - /* now s->internal->rstate == SSL_ST_READ_BODY */ + /* now s->rstate == SSL_ST_READ_BODY */ p = (unsigned char *)CBS_data(&header); } - /* s->internal->rstate == SSL_ST_READ_BODY, get and decode the data */ + /* s->rstate == SSL_ST_READ_BODY, get and decode the data */ n = ssl3_packet_extend(s, DTLS1_RT_HEADER_LENGTH + rr->length); if (n <= 0) @@ -434,7 +492,7 @@ dtls1_get_record(SSL *s) if (n != DTLS1_RT_HEADER_LENGTH + rr->length) goto again; - s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ + s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ /* match epochs. NULL means the packet is dropped on the floor */ bitmap = dtls1_get_bitmap(s, rr, &is_next_epoch); @@ -463,7 +521,7 @@ dtls1_get_record(SSL *s) * anything while listening. */ if (is_next_epoch) { - if ((SSL_in_init(s) || s->internal->in_handshake) && !s->d1->listen) { + if ((SSL_in_init(s) || s->in_handshake) && !s->d1->listen) { if (dtls1_buffer_record(s, &(s->d1->unprocessed_rcds), rr->seq_num) < 0) return (-1); 
@@ -485,29 +543,25 @@ dtls1_get_record(SSL *s) static int dtls1_read_handshake_unexpected(SSL *s) { - SSL3_RECORD_INTERNAL *rr = &s->s3->rrec; struct hm_header_st hs_msg_hdr; CBS cbs; int ret; - if (s->internal->in_handshake) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - return -1; - } - - if (rr->off != 0) { + if (s->in_handshake) { SSLerror(s, ERR_R_INTERNAL_ERROR); return -1; } /* Parse handshake message header. */ - CBS_init(&cbs, rr->data, rr->length); + CBS_dup(tls_content_cbs(s->s3->rcontent), &cbs); if (!dtls1_get_message_header(&cbs, &hs_msg_hdr)) return -1; /* XXX - probably should drop/continue. */ /* This may just be a stale retransmit. */ - if (rr->epoch != tls12_record_layer_read_epoch(s->internal->rl)) { - rr->length = 0; + if (tls_content_epoch(s->s3->rcontent) != + tls12_record_layer_read_epoch(s->rl)) { + tls_content_clear(s->s3->rcontent); + s->s3->rrec.length = 0; return 1; } @@ -532,10 +586,11 @@ dtls1_read_handshake_unexpected(SSL *s) return -1; } - ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, rr->data, - DTLS1_HM_HEADER_LENGTH); + ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE, + tls_content_cbs(s->s3->rcontent)); - rr->length = 0; + tls_content_clear(s->s3->rcontent); + s->s3->rrec.length = 0; /* * It should be impossible to hit this, but keep the safety @@ -556,7 +611,7 @@ dtls1_read_handshake_unexpected(SSL *s) s->d1->handshake_read_seq++; /* XXX - why is this set here but not in ssl3? */ - s->internal->new_session = 1; + s->new_session = 1; if (!ssl3_renegotiate(s)) return 1; @@ -589,7 +644,7 @@ dtls1_read_handshake_unexpected(SSL *s) return -1; } - if ((s->internal->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) { + if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION); return -1; 
@@ -609,8 +664,8 @@ dtls1_read_handshake_unexpected(SSL *s) } s->s3->hs.state = SSL_ST_ACCEPT; - s->internal->renegotiate = 1; - s->internal->new_session = 1; + s->renegotiate = 1; + s->new_session = 1; } else if (hs_msg_hdr.type == SSL3_MT_FINISHED && s->server) { /* @@ -624,7 +679,8 @@ dtls1_read_handshake_unexpected(SSL *s) dtls1_retransmit_buffered_messages(s); - rr->length = 0; + tls_content_clear(s->s3->rcontent); + s->s3->rrec.length = 0; return 1; @@ -634,14 +690,14 @@ dtls1_read_handshake_unexpected(SSL *s) return -1; } - if ((ret = s->internal->handshake_func(s)) < 0) + if ((ret = s->handshake_func(s)) < 0) return ret; if (ret == 0) { SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); return -1; } - if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { + if (!(s->mode & SSL_MODE_AUTO_RETRY)) { if (s->s3->rbuf.left == 0) { ssl_force_want_read(s); return -1; @@ -685,9 +741,8 @@ dtls1_read_handshake_unexpected(SSL *s) int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) { - SSL3_RECORD_INTERNAL *rr; int rrcount = 0; - unsigned int n; + ssize_t ssret; int ret; if (s->s3->rbuf.buf == NULL) { @@ -695,6 +750,11 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return -1; } + if (s->s3->rcontent == NULL) { + if ((s->s3->rcontent = tls_content_new()) == NULL) + return -1; + } + if (len < 0) { SSLerror(s, ERR_R_INTERNAL_ERROR); return -1; @@ -710,8 +770,8 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return -1; } - if (SSL_in_init(s) && !s->internal->in_handshake) { - if ((ret = s->internal->handshake_func(s)) < 0) + if (SSL_in_init(s) && !s->in_handshake) { + if ((ret = s->handshake_func(s)) < 0) return ret; if (ret == 0) { SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); 
@@ -733,21 +793,20 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return -1; } - s->internal->rwstate = SSL_NOTHING; - - rr = &s->s3->rrec; + s->rwstate = SSL_NOTHING; /* * We are not handshaking and have no data yet, so process data buffered * during the last handshake in advance, if any. */ - if (s->s3->hs.state == SSL_ST_OK && rr->length == 0) - dtls1_retrieve_buffered_record(s, &s->d1->buffered_app_data); + if (s->s3->hs.state == SSL_ST_OK && + tls_content_remaining(s->s3->rcontent) == 0) + dtls1_retrieve_buffered_rcontent(s, &s->d1->buffered_app_data); if (dtls1_handle_timeout(s) > 0) goto start; - if (rr->length == 0 || s->internal->rstate == SSL_ST_READ_BODY) { + if (tls_content_remaining(s->s3->rcontent) == 0) { if ((ret = dtls1_get_record(s)) <= 0) { /* Anything other than a timeout is an error. */ if ((ret = dtls1_read_failed(s, ret)) <= 0) @@ -756,26 +815,30 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } } - if (s->d1->listen && rr->type != SSL3_RT_HANDSHAKE) { - rr->length = 0; + if (s->d1->listen && + tls_content_type(s->s3->rcontent) != SSL3_RT_HANDSHAKE) { + tls_content_clear(s->s3->rcontent); + s->s3->rrec.length = 0; goto start; } /* We now have a packet which can be read and processed. */ - if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE) { + if (s->s3->change_cipher_spec && + tls_content_type(s->s3->rcontent) != SSL3_RT_HANDSHAKE) { /* * We now have application data between CCS and Finished. * Most likely the packets were reordered on their way, so * buffer the application data for later processing rather * than dropping the connection. */ - if (dtls1_buffer_record(s, &s->d1->buffered_app_data, - rr->seq_num) < 0) { + if (dtls1_buffer_rcontent(s, &s->d1->buffered_app_data, + s->s3->rrec.seq_num) < 0) { SSLerror(s, ERR_R_INTERNAL_ERROR); return (-1); } - rr->length = 0; + tls_content_clear(s->s3->rcontent); + s->s3->rrec.length = 0; goto start; } 
@@ -783,20 +846,21 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) * If the other end has shut down, throw anything we read away (even in * 'peek' mode). */ - if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) { - s->internal->rwstate = SSL_NOTHING; - rr->length = 0; + if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { + s->rwstate = SSL_NOTHING; + tls_content_clear(s->s3->rcontent); + s->s3->rrec.length = 0; return 0; } /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ - if (type == rr->type) { + if (tls_content_type(s->s3->rcontent) == type) { /* * Make sure that we are not getting application data when we * are doing a handshake for the first time. */ if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA && - !tls12_record_layer_read_protected(s->internal->rl)) { + !tls12_record_layer_read_protected(s->rl)) { SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 
@@ -806,43 +870,36 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if (len <= 0) return len; - if ((unsigned int)len > rr->length) - n = rr->length; - else - n = (unsigned int)len; - - memcpy(buf, &rr->data[rr->off], n); - if (!peek) { - memset(&rr->data[rr->off], 0, n); - rr->length -= n; - rr->off += n; - if (rr->length == 0) { - s->internal->rstate = SSL_ST_READ_HEADER; - rr->off = 0; - } + if (peek) { + ssret = tls_content_peek(s->s3->rcontent, buf, len); + } else { + ssret = tls_content_read(s->s3->rcontent, buf, len); } + if (ssret < INT_MIN || ssret > INT_MAX) + return -1; + if (ssret < 0) + return (int)ssret; - return n; + if (tls_content_remaining(s->s3->rcontent) == 0) + s->rstate = SSL_ST_READ_HEADER; + + return (int)ssret; } - /* - * If we get here, then type != rr->type; if we have a handshake - * message, then it was unexpected (Hello Request or Client Hello). - */ - - if (rr->type == SSL3_RT_ALERT) { + if (tls_content_type(s->s3->rcontent) == SSL3_RT_ALERT) { if ((ret = ssl3_read_alert(s)) <= 0) return ret; goto start; } - if (s->internal->shutdown & SSL_SENT_SHUTDOWN) { - s->internal->rwstate = SSL_NOTHING; - rr->length = 0; + if (s->shutdown & SSL_SENT_SHUTDOWN) { + s->rwstate = SSL_NOTHING; + tls_content_clear(s->s3->rcontent); + s->s3->rrec.length = 0; return (0); } - if (rr->type == SSL3_RT_APPLICATION_DATA) { + if (tls_content_type(s->s3->rcontent) == SSL3_RT_APPLICATION_DATA) { /* * At this point, we were expecting handshake data, but have * application data. If the library was running inside 
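Review bot: The removed read path zeroed the plaintext it had copied out (`memset(&rr->data[rr->off], 0, n)`) before advancing the offset, and the replacement `tls_content_read()` call shows no equivalent here, so decrypted application data may now remain in the record content until it is cleared or freed; whether it does depends on tls_content_read's implementation, which is not visible. Worth confirming, and documenting either way above the peek/read branch, e.g. `/* tls_content_read() zeroes consumed bytes; peek leaves them in place. */`. dtls1_read_bytes continues past this hunk.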
@@ -868,13 +925,13 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } } - if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { + if (tls_content_type(s->s3->rcontent) == SSL3_RT_CHANGE_CIPHER_SPEC) { if ((ret = ssl3_read_change_cipher_spec(s)) <= 0) return ret; goto start; } - if (rr->type == SSL3_RT_HANDSHAKE) { + if (tls_content_type(s->s3->rcontent) == SSL3_RT_HANDSHAKE) { if ((ret = dtls1_read_handshake_unexpected(s)) <= 0) return ret; goto start; @@ -891,9 +948,8 @@ dtls1_write_app_data_bytes(SSL *s, int type, const void *buf_, int len) { int i; - if (SSL_in_init(s) && !s->internal->in_handshake) - { - i = s->internal->handshake_func(s); + if (SSL_in_init(s) && !s->in_handshake) { + i = s->handshake_func(s); if (i < 0) return (i); if (i == 0) { @@ -920,7 +976,7 @@ dtls1_write_bytes(SSL *s, int type, const void *buf, int len) int i; OPENSSL_assert(len <= SSL3_RT_MAX_PLAIN_LENGTH); - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; i = do_dtls1_write(s, type, buf, len); return i; } @@ -959,9 +1015,9 @@ do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len) if (!CBB_init_fixed(&cbb, wb->buf, wb->len)) goto err; - tls12_record_layer_set_version(s->internal->rl, s->version); + tls12_record_layer_set_version(s->rl, s->version); - if (!tls12_record_layer_seal_record(s->internal->rl, type, buf, len, &cbb)) + if (!tls12_record_layer_seal_record(s->rl, type, buf, len, &cbb)) goto err; if (!CBB_finish(&cbb, NULL, &out_len)) @@ -1035,7 +1091,7 @@ dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch) *is_next_epoch = 0; - read_epoch = tls12_record_layer_read_epoch(s->internal->rl); + read_epoch = tls12_record_layer_read_epoch(s->rl); read_epoch_next = read_epoch + 1; /* In current epoch, accept HM, CCS, DATA, & ALERT */ diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c index 793fa86..6073f0d 100644 --- a/ssl/d1_srtp.c +++ b/ssl/d1_srtp.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srtp.c,v 1.30 2022/01/28 13:11:56 inoguchi Exp $ */ +/* $OpenBSD: d1_srtp.c,v 1.32 2022/11/26 16:08:55 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -123,8 +123,8 @@ #ifndef OPENSSL_NO_SRTP #include "bytestring.h" -#include "dtls_locl.h" -#include "ssl_locl.h" +#include "dtls_local.h" +#include "ssl_local.h" #include "srtp.h" static const SRTP_PROTECTION_PROFILE srtp_known_profiles[] = { @@ -227,13 +227,13 @@ ssl_ctx_make_profiles(const char *profiles_string, int SSL_CTX_set_tlsext_use_srtp(SSL_CTX *ctx, const char *profiles) { - return ssl_ctx_make_profiles(profiles, &ctx->internal->srtp_profiles); + return ssl_ctx_make_profiles(profiles, &ctx->srtp_profiles); } int SSL_set_tlsext_use_srtp(SSL *s, const char *profiles) { - return ssl_ctx_make_profiles(profiles, &s->internal->srtp_profiles); + return ssl_ctx_make_profiles(profiles, &s->srtp_profiles); } @@ -241,11 +241,11 @@ STACK_OF(SRTP_PROTECTION_PROFILE) * SSL_get_srtp_profiles(SSL *s) { if (s != NULL) { - if (s->internal->srtp_profiles != NULL) { - return s->internal->srtp_profiles; + if (s->srtp_profiles != NULL) { + return s->srtp_profiles; } else if ((s->ctx != NULL) && - (s->ctx->internal->srtp_profiles != NULL)) { - return s->ctx->internal->srtp_profiles; + (s->ctx->srtp_profiles != NULL)) { + return s->ctx->srtp_profiles; } } @@ -256,7 +256,7 @@ SRTP_PROTECTION_PROFILE * SSL_get_selected_srtp_profile(SSL *s) { /* XXX cast away the const */ - return (SRTP_PROTECTION_PROFILE *)s->internal->srtp_profile; + return (SRTP_PROTECTION_PROFILE *)s->srtp_profile; } #endif diff --git a/ssl/dtls_locl.h b/ssl/dtls_local.h similarity index 94% rename from ssl/dtls_locl.h rename to ssl/dtls_local.h index da5c259..c7c413f 100644 --- a/ssl/dtls_locl.h +++ b/ssl/dtls_local.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: dtls_locl.h,v 1.10 2021/10/23 13:45:44 jsing Exp $ */ +/* $OpenBSD: dtls_local.h,v 1.2 2022/11/26 17:23:18 tb Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -64,7 +64,8 @@ #include -#include "ssl_locl.h" +#include "ssl_local.h" +#include "tls_content.h" __BEGIN_HIDDEN_DECLS @@ -109,6 +110,11 @@ typedef struct record_pqueue_st { struct _pqueue *q; } record_pqueue; +typedef struct rcontent_pqueue_st { + unsigned short epoch; + struct _pqueue *q; +} rcontent_pqueue; + typedef struct hm_fragment_st { struct hm_header_st msg_header; unsigned char *fragment; @@ -122,6 +128,10 @@ typedef struct dtls1_record_data_internal_st { SSL3_RECORD_INTERNAL rrec; } DTLS1_RECORD_DATA_INTERNAL; +typedef struct dtls1_rcontent_data_internal_st { + struct tls_content *rcontent; +} DTLS1_RCONTENT_DATA_INTERNAL; + struct dtls1_state_st { /* Buffered (sent) handshake records */ struct _pqueue *sent_messages; @@ -160,7 +170,7 @@ struct dtls1_state_st { * to prevent either protocol violation or * unnecessary message loss. */ - record_pqueue buffered_app_data; + rcontent_pqueue buffered_app_data; /* Is set when listening for new connections with dtls1_listen() */ unsigned int listen; @@ -219,4 +229,4 @@ int dtls1_get_record(SSL *s); __END_HIDDEN_DECLS -#endif +#endif /* !HEADER_DTLS_LOCL_H */ diff --git a/ssl/empty.c b/ssl/empty.c new file mode 100644 index 0000000..e69de29 diff --git a/ssl/hidden/openssl/ssl.h b/ssl/hidden/openssl/ssl.h new file mode 100644 index 0000000..f171ec2 --- /dev/null +++ b/ssl/hidden/openssl/ssl.h 
@@ -0,0 +1,35 @@
+/* $OpenBSD: ssl.h,v 1.1 2022/11/11 11:25:18 beck Exp $ */
+/*
+ * Copyright (c) 2022 Philip Guenther
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _LIBSSL_SSL_H_
+#define _LIBSSL_SSL_H_
+
+#ifdef _MSC_VER
+#include <../include/openssl/ssl.h>
+#else
+#include_next
+#endif
+#include "ssl_namespace.h"
+
+LSSL_USED(BIO_f_ssl);
+LSSL_USED(BIO_new_ssl);
+LSSL_USED(BIO_new_ssl_connect);
+LSSL_UNUSED(BIO_new_buffer_ssl_connect);
+LSSL_UNUSED(BIO_ssl_copy_session_id);
+LSSL_UNUSED(BIO_ssl_shutdown);
+
+#endif /* _LIBSSL_SSL_H_ */
diff --git a/ssl/hidden/ssl_namespace.h b/ssl/hidden/ssl_namespace.h
new file mode 100644
index 0000000..b79f7cc
--- /dev/null
+++ b/ssl/hidden/ssl_namespace.h
@@ -0,0 +1,43 @@
+/* $OpenBSD: ssl_namespace.h,v 1.2 2023/02/16 08:38:17 tb Exp $ */
+/*
+ * Copyright (c) 2016 Philip Guenther
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _LIBSSL_SSL_NAMESPACE_H_
+#define _LIBSSL_SSL_NAMESPACE_H_
+
+/*
+ * If marked as 'used', then internal calls use the name with prefix "_lssl_"
+ * and we alias that to the normal name.
+ */
+
+#ifdef _MSC_VER
+#define LSSL_UNUSED(x)
+#define LSSL_USED(x)
+#define LSSL_ALIAS(x)
+#else
+#ifdef LIBRESSL_NAMESPACE
+#define LSSL_UNUSED(x) typeof(x) x __attribute__((deprecated))
+#define LSSL_USED(x) __attribute__((visibility("hidden"))) \
+ typeof(x) x asm("_lssl_"#x)
+#define LSSL_ALIAS(x) asm(".global "#x"; "#x" = _lssl_"#x)
+#else
+#define LSSL_UNUSED(x)
+#define LSSL_USED(x)
+#define LSSL_ALIAS(x) asm("")
+#endif
+#endif /* _MSC_VER */
+
+#endif /* _LIBSSL_SSL_NAMESPACE_H_ */
diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c
index e0289d8..32b7460 100644
--- a/ssl/s3_cbc.c
+++ b/ssl/s3_cbc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_cbc.c,v 1.25 2021/12/09 17:45:49 tb Exp $ */
+/* $OpenBSD: s3_cbc.c,v 1.26 2022/11/26 16:08:55 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 2012 The OpenSSL Project. All rights reserved.
  *
@@ -56,7 +56,7 @@ #include #include -#include "ssl_locl.h" +#include "ssl_local.h" /* MAX_HASH_BIT_COUNT_BYTES is the maximum number of bytes in the hash's length * field. (SHA-384/512 have 128-bit length.) */ diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 624841a..4229b2e 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.228 2022/03/17 17:24:37 jsing Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.243 2023/05/16 14:10:43 jcs Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -159,10 +159,11 @@ #include #include "bytestring.h" -#include "dtls_locl.h" -#include "ssl_locl.h" +#include "dtls_local.h" +#include "ssl_local.h" #include "ssl_sigalgs.h" #include "ssl_tlsext.h" +#include "tls_content.h" #define SSL3_NUM_CIPHERS (sizeof(ssl3_ciphers) / sizeof(SSL_CIPHER)) @@ -1441,11 +1442,12 @@ ssl3_cipher_get_value(const SSL_CIPHER *c) int ssl3_pending(const SSL *s) { - if (s->internal->rstate == SSL_ST_READ_BODY) + if (s->s3->rcontent == NULL) + return 0; + if (tls_content_type(s->s3->rcontent) != SSL3_RT_APPLICATION_DATA) return 0; - return (s->s3->rrec.type == SSL3_RT_APPLICATION_DATA) ? - s->s3->rrec.length : 0; + return tls_content_remaining(s->s3->rcontent); } int @@ -1493,13 +1495,13 @@ ssl3_handshake_msg_finish(SSL *s, CBB *handshake) if (outlen > INT_MAX) goto err; - if (!BUF_MEM_grow_clean(s->internal->init_buf, outlen)) + if (!BUF_MEM_grow_clean(s->init_buf, outlen)) goto err; - memcpy(s->internal->init_buf->data, data, outlen); + memcpy(s->init_buf->data, data, outlen); - s->internal->init_num = (int)outlen; - s->internal->init_off = 0; + s->init_num = (int)outlen; + s->init_off = 0; if (SSL_is_dtls(s)) { unsigned long len; 
@@ -1559,22 +1561,35 @@ ssl3_free(SSL *s) tls1_cleanup_key_block(s); ssl3_release_read_buffer(s); ssl3_release_write_buffer(s); - freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); + tls_content_free(s->s3->rcontent); + + tls_buffer_free(s->s3->alert_fragment); + tls_buffer_free(s->s3->handshake_fragment); + + freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); + sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); + sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); tls_key_share_free(s->s3->hs.key_share); tls13_secrets_destroy(s->s3->hs.tls13.secrets); freezero(s->s3->hs.tls13.cookie, s->s3->hs.tls13.cookie_len); tls13_clienthello_hash_clear(&s->s3->hs.tls13); + tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); + sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); - sk_X509_pop_free(s->internal->verified_chain, X509_free); + sk_X509_pop_free(s->verified_chain, X509_free); + s->verified_chain = NULL; tls1_transcript_free(s); tls1_transcript_hash_free(s); free(s->s3->alpn_selected); + freezero(s->s3->peer_quic_transport_params, + s->s3->peer_quic_transport_params_len); + freezero(s->s3, sizeof(*s->s3)); s->s3 = NULL; 
@@ -1583,18 +1598,28 @@ ssl3_free(SSL *s) void ssl3_clear(SSL *s) { - unsigned char *rp, *wp; - size_t rlen, wlen; + unsigned char *rp, *wp; + size_t rlen, wlen; tls1_cleanup_key_block(s); sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); - sk_X509_pop_free(s->internal->verified_chain, X509_free); - s->internal->verified_chain = NULL; + sk_X509_pop_free(s->verified_chain, X509_free); + s->verified_chain = NULL; + + tls_buffer_free(s->s3->alert_fragment); + s->s3->alert_fragment = NULL; + tls_buffer_free(s->s3->handshake_fragment); + s->s3->handshake_fragment = NULL; freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); s->s3->hs.sigalgs = NULL; s->s3->hs.sigalgs_len = 0; + sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); + s->s3->hs.peer_certs = NULL; + sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); + s->s3->hs.peer_certs_no_leaf = NULL; + tls_key_share_free(s->s3->hs.key_share); s->s3->hs.key_share = NULL; @@ -1605,6 +1630,11 @@ ssl3_clear(SSL *s) s->s3->hs.tls13.cookie_len = 0; tls13_clienthello_hash_clear(&s->s3->hs.tls13); + tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); + s->s3->hs.tls13.quic_read_buffer = NULL; + s->s3->hs.tls13.quic_read_level = ssl_encryption_initial; + s->s3->hs.tls13.quic_write_level = ssl_encryption_initial; + s->s3->hs.extensions_seen = 0; rp = s->s3->rbuf.buf; @@ -1612,6 +1642,9 @@ ssl3_clear(SSL *s) rlen = s->s3->rbuf.len; wlen = s->s3->wbuf.len; + tls_content_free(s->s3->rcontent); + s->s3->rcontent = NULL; + tls1_transcript_free(s); tls1_transcript_hash_free(s); @@ -1619,6 +1652,11 @@ ssl3_clear(SSL *s) s->s3->alpn_selected = NULL; s->s3->alpn_selected_len = 0; + freezero(s->s3->peer_quic_transport_params, + s->s3->peer_quic_transport_params_len); + s->s3->peer_quic_transport_params = NULL; + s->s3->peer_quic_transport_params_len = 0; + memset(s->s3, 0, sizeof(*s->s3)); s->s3->rbuf.buf = rp; 
@@ -1634,12 +1672,45 @@ ssl3_clear(SSL *s) s->s3->num_renegotiations = 0; s->s3->in_read_app_data = 0; - s->internal->packet_length = 0; + s->packet_length = 0; s->version = TLS1_VERSION; s->s3->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); } +long +_SSL_get_shared_group(SSL *s, long n) +{ + size_t count; + int nid; + + /* OpenSSL document that they return -1 for clients. They return 0. */ + if (!s->server) + return 0; + + if (n == -1) { + if (!tls1_count_shared_groups(s, &count)) + return 0; + + if (count > LONG_MAX) + count = LONG_MAX; + + return count; + } + + /* Undocumented special case added for Suite B profile support. */ + if (n == -2) + n = 0; + + if (n < 0) + return 0; + + if (!tls1_get_shared_group_by_index(s, n, &nid)) + return NID_undef; + + return nid; +} + long _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) { @@ -1670,7 +1741,7 @@ _SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) static int _SSL_session_reused(SSL *s) { - return s->internal->hit; + return s->hit; } static int @@ -1706,6 +1777,11 @@ _SSL_set_tmp_dh(SSL *s, DH *dh) return 0; } + if (!ssl_security_dh(s, dh)) { + SSLerror(s, SSL_R_DH_KEY_TOO_SMALL); + return 0; + } + if ((dhe_params = DHparams_dup(dh)) == NULL) { SSLerror(s, ERR_R_DH_LIB); return 0; @@ -1774,7 +1850,7 @@ _SSL_set_tlsext_host_name(SSL *s, const char *name) static int _SSL_set_tlsext_debug_arg(SSL *s, void *arg) { - s->internal->tlsext_debug_arg = arg; + s->tlsext_debug_arg = arg; return 1; } @@ -1794,7 +1870,7 @@ _SSL_set_tlsext_status_type(SSL *s, int type) static int _SSL_get_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) **exts) { - *exts = s->internal->tlsext_ocsp_exts; + *exts = s->tlsext_ocsp_exts; return 1; } 
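Review bot: `_SSL_get_shared_group` has no header comment, and its contract is unusual enough that callers of `SSL_CTRL_GET_SHARED_GROUP` will have to reverse-engineer it from the branches: clients get 0, `n == -1` yields the number of shared groups clamped to `LONG_MAX`, `n == -2` is treated as index 0, other negative indices return 0, and an index that `tls1_get_shared_group_by_index()` rejects returns `NID_undef`. A short block comment above the function spelling out those cases would do, and it should add that 0 and `NID_undef` coincide (if NID_undef is 0 as in OpenSSL), so a caller cannot tell "not a server" from "no such group". The `n < 0` check also deserves a why-comment, since it is what keeps a negative `long` from being passed on as an index.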
@@ -1802,14 +1878,14 @@ static int _SSL_set_tlsext_status_exts(SSL *s, STACK_OF(X509_EXTENSION) *exts) { /* XXX - leak... */ - s->internal->tlsext_ocsp_exts = exts; + s->tlsext_ocsp_exts = exts; return 1; } static int _SSL_get_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) **ids) { - *ids = s->internal->tlsext_ocsp_ids; + *ids = s->tlsext_ocsp_ids; return 1; } @@ -1817,17 +1893,17 @@ static int _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids) { /* XXX - leak... */ - s->internal->tlsext_ocsp_ids = ids; + s->tlsext_ocsp_ids = ids; return 1; } static int _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) { - if (s->internal->tlsext_ocsp_resp != NULL && - s->internal->tlsext_ocsp_resp_len < INT_MAX) { - *resp = s->internal->tlsext_ocsp_resp; - return (int)s->internal->tlsext_ocsp_resp_len; + if (s->tlsext_ocsp_resp != NULL && + s->tlsext_ocsp_resp_len < INT_MAX) { + *resp = s->tlsext_ocsp_resp; + return (int)s->tlsext_ocsp_resp_len; } *resp = NULL; @@ -1838,15 +1914,15 @@ _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) static int _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len) { - free(s->internal->tlsext_ocsp_resp); - s->internal->tlsext_ocsp_resp = NULL; - s->internal->tlsext_ocsp_resp_len = 0; + free(s->tlsext_ocsp_resp); + s->tlsext_ocsp_resp = NULL; + s->tlsext_ocsp_resp_len = 0; if (resp_len < 0) return 0; - s->internal->tlsext_ocsp_resp = resp; - s->internal->tlsext_ocsp_resp_len = (size_t)resp_len; + s->tlsext_ocsp_resp = resp; + s->tlsext_ocsp_resp_len = (size_t)resp_len; return 1; } 
@@ -1854,25 +1930,25 @@ _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len) int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) { - return ssl_cert_set0_chain(ssl->cert, chain); + return ssl_cert_set0_chain(NULL, ssl, chain); } int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) { - return ssl_cert_set1_chain(ssl->cert, chain); + return ssl_cert_set1_chain(NULL, ssl, chain); } int SSL_add0_chain_cert(SSL *ssl, X509 *x509) { - return ssl_cert_add0_chain_cert(ssl->cert, x509); + return ssl_cert_add0_chain_cert(NULL, ssl, x509); } int SSL_add1_chain_cert(SSL *ssl, X509 *x509) { - return ssl_cert_add1_chain_cert(ssl->cert, x509); + return ssl_cert_add1_chain_cert(NULL, ssl, x509); } int @@ -1889,21 +1965,21 @@ SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) int SSL_clear_chain_certs(SSL *ssl) { - return ssl_cert_set0_chain(ssl->cert, NULL); + return ssl_cert_set0_chain(NULL, ssl, NULL); } int SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) { - return tls1_set_groups(&s->internal->tlsext_supportedgroups, - &s->internal->tlsext_supportedgroups_length, groups, groups_len); + return tls1_set_groups(&s->tlsext_supportedgroups, + &s->tlsext_supportedgroups_length, groups, groups_len); } int SSL_set1_groups_list(SSL *s, const char *groups) { - return tls1_set_group_list(&s->internal->tlsext_supportedgroups, - &s->internal->tlsext_supportedgroups_length, groups); + return tls1_set_group_list(&s->tlsext_supportedgroups, + &s->tlsext_supportedgroups_length, groups); } static int @@ -2055,6 +2131,9 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_GROUPS_LIST: return SSL_set1_groups_list(s, parg); + case SSL_CTRL_GET_SHARED_GROUP: + return _SSL_get_shared_group(s, larg); + /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */ case SSL_CTRL_GET_SERVER_TMP_KEY: if (s->server != 0) 
@@ -2120,7 +2199,7 @@ ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) return 1; case SSL_CTRL_SET_TLSEXT_DEBUG_CB: - s->internal->tlsext_debug_cb = (void (*)(SSL *, int , int, + s->tlsext_debug_cb = (void (*)(SSL *, int , int, unsigned char *, int, void *))fp; return 1; } @@ -2138,13 +2217,18 @@ _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) return 0; } + if (!ssl_ctx_security_dh(ctx, dh)) { + SSLerrorx(SSL_R_DH_KEY_TOO_SMALL); + return 0; + } + if ((dhe_params = DHparams_dup(dh)) == NULL) { SSLerrorx(ERR_R_DH_LIB); return 0; } - DH_free(ctx->internal->cert->dhe_params); - ctx->internal->cert->dhe_params = dhe_params; + DH_free(ctx->cert->dhe_params); + ctx->cert->dhe_params = dhe_params; return 1; } @@ -2152,7 +2236,7 @@ _SSL_CTX_set_tmp_dh(SSL_CTX *ctx, DH *dh) static int _SSL_CTX_set_dh_auto(SSL_CTX *ctx, int state) { - ctx->internal->cert->dhe_params_auto = state; + ctx->cert->dhe_params_auto = state; return 1; } @@ -2180,7 +2264,7 @@ _SSL_CTX_set_ecdh_auto(SSL_CTX *ctx, int state) static int _SSL_CTX_set_tlsext_servername_arg(SSL_CTX *ctx, void *arg) { - ctx->internal->tlsext_servername_arg = arg; + ctx->tlsext_servername_arg = arg; return 1; } @@ -2195,9 +2279,9 @@ _SSL_CTX_get_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) return 0; } - memcpy(keys, ctx->internal->tlsext_tick_key_name, 16); - memcpy(keys + 16, ctx->internal->tlsext_tick_hmac_key, 16); - memcpy(keys + 32, ctx->internal->tlsext_tick_aes_key, 16); + memcpy(keys, ctx->tlsext_tick_key_name, 16); + memcpy(keys + 16, ctx->tlsext_tick_hmac_key, 16); + memcpy(keys + 32, ctx->tlsext_tick_aes_key, 16); return 1; } 
@@ -2213,9 +2297,9 @@ _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) return 0; } - memcpy(ctx->internal->tlsext_tick_key_name, keys, 16); - memcpy(ctx->internal->tlsext_tick_hmac_key, keys + 16, 16); - memcpy(ctx->internal->tlsext_tick_aes_key, keys + 32, 16); + memcpy(ctx->tlsext_tick_key_name, keys, 16); + memcpy(ctx->tlsext_tick_hmac_key, keys + 16, 16); + memcpy(ctx->tlsext_tick_aes_key, keys + 32, 16); return 1; } @@ -2223,39 +2307,39 @@ _SSL_CTX_set_tlsext_ticket_keys(SSL_CTX *ctx, unsigned char *keys, int keys_len) static int _SSL_CTX_get_tlsext_status_arg(SSL_CTX *ctx, void **arg) { - *arg = ctx->internal->tlsext_status_arg; + *arg = ctx->tlsext_status_arg; return 1; } static int _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) { - ctx->internal->tlsext_status_arg = arg; + ctx->tlsext_status_arg = arg; return 1; } int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) { - return ssl_cert_set0_chain(ctx->internal->cert, chain); + return ssl_cert_set0_chain(ctx, NULL, chain); } int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) { - return ssl_cert_set1_chain(ctx->internal->cert, chain); + return ssl_cert_set1_chain(ctx, NULL, chain); } int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) { - return ssl_cert_add0_chain_cert(ctx->internal->cert, x509); + return ssl_cert_add0_chain_cert(ctx, NULL, x509); } int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) { - return ssl_cert_add1_chain_cert(ctx->internal->cert, x509); + return ssl_cert_add1_chain_cert(ctx, NULL, x509); } int @@ -2263,8 +2347,8 @@ SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) { *out_chain = NULL; - if (ctx->internal->cert->key != NULL) - *out_chain = ctx->internal->cert->key->chain; + if (ctx->cert->key != NULL) + *out_chain = ctx->cert->key->chain; return 1; } 
@@ -2272,7 +2356,7 @@ SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) int SSL_CTX_clear_chain_certs(SSL_CTX *ctx) { - return ssl_cert_set0_chain(ctx->internal->cert, NULL); + return ssl_cert_set0_chain(ctx, NULL, NULL); } static int @@ -2293,7 +2377,7 @@ _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) { *certs = ctx->extra_certs; if (*certs == NULL) - *certs = ctx->internal->cert->key->chain; + *certs = ctx->cert->key->chain; return 1; } @@ -2316,15 +2400,15 @@ _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) { - return tls1_set_groups(&ctx->internal->tlsext_supportedgroups, - &ctx->internal->tlsext_supportedgroups_length, groups, groups_len); + return tls1_set_groups(&ctx->tlsext_supportedgroups, + &ctx->tlsext_supportedgroups_length, groups, groups_len); } int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) { - return tls1_set_group_list(&ctx->internal->tlsext_supportedgroups, - &ctx->internal->tlsext_supportedgroups_length, groups); + return tls1_set_group_list(&ctx->tlsext_supportedgroups, + &ctx->tlsext_supportedgroups_length, groups); } long @@ -2439,7 +2523,7 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) return 0; case SSL_CTRL_SET_TMP_DH_CB: - ctx->internal->cert->dhe_params_cb = + ctx->cert->dhe_params_cb = (DH *(*)(SSL *, int, int))fp; return 1; 
@@ -2447,20 +2531,20 @@ ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void))
 		return 1;
 
 	case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
-		ctx->internal->tlsext_servername_callback =
+		ctx->tlsext_servername_callback =
 		    (int (*)(SSL *, int *, void *))fp;
 		return 1;
 
 	case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
-		*(int (**)(SSL *, void *))fp = ctx->internal->tlsext_status_cb;
+		*(int (**)(SSL *, void *))fp = ctx->tlsext_status_cb;
 		return 1;
 
 	case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
-		ctx->internal->tlsext_status_cb = (int (*)(SSL *, void *))fp;
+		ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp;
 		return 1;
 
 	case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
-		ctx->internal->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
+		ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
 		    unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int))fp;
 		return 1;
 	}
@@ -2476,13 +2560,13 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 	STACK_OF(SSL_CIPHER) *prio, *allow;
 	SSL_CIPHER *c, *ret = NULL;
 	int can_use_ecc;
-	int i, ii, ok;
+	int i, ii, nid, ok;
 	SSL_CERT *cert;
 
 	/* Let's see which ciphers we can support */
 	cert = s->cert;
 
-	can_use_ecc = (tls1_get_shared_curve(s) != NID_undef);
+	can_use_ecc = tls1_get_supported_group(s, &nid);
 
 	/*
 	 * Do not set the compare functions, because this may lead to a
@@ -2491,7 +2575,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 	 * but would have to pay with the price of sk_SSL_CIPHER_dup().
 	 */
 
-	if (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
+	if (s->options & SSL_OP_CIPHER_SERVER_PREFERENCE) {
 		prio = srvr;
 		allow = clnt;
 	} else {
@@ -2517,6 +2601,9 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt,
 		    !(c->algorithm_ssl & SSL_TLSV1_3))
 			continue;
 
+		if (!ssl_security_shared_cipher(s, c))
+			continue;
+
 		ssl_set_cert_masks(cert, c);
 		mask_k = cert->mask_k;
 		mask_a = cert->mask_a;
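Review bot: `nid` in `ssl3_choose_cipher` is only ever written through `tls1_get_supported_group(s, &nid)` and is never read anywhere in the hunks, so it is a write-only local. If `tls1_get_supported_group` accepts a NULL out-pointer (its definition is not in this diff) the local can be dropped; otherwise a comment on the call, `/* Only the success/failure result matters here; the group itself is unused. */`, stops a reader from searching for its consumer. The new `ssl_security_shared_cipher` filter is placed before `ssl_set_cert_masks`, which is the right spot: a suite rejected by the security level is skipped before any key-type masks are consulted. The remainder of the function lies outside these hunks.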
@@ -2599,13 +2686,13 @@ ssl3_shutdown(SSL *s) * Don't do anything much if we have not done the handshake or * we don't want to send messages :-) */ - if ((s->internal->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) { - s->internal->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); + if ((s->quiet_shutdown) || (s->s3->hs.state == SSL_ST_BEFORE)) { + s->shutdown = (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); return (1); } - if (!(s->internal->shutdown & SSL_SENT_SHUTDOWN)) { - s->internal->shutdown|=SSL_SENT_SHUTDOWN; + if (!(s->shutdown & SSL_SENT_SHUTDOWN)) { + s->shutdown|=SSL_SENT_SHUTDOWN; ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); /* * Our shutdown alert has been sent now, and if it still needs @@ -2625,15 +2712,15 @@ ssl3_shutdown(SSL *s) */ return (ret); } - } else if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { + } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { /* If we are waiting for a close from our peer, we are closed */ s->method->ssl_read_bytes(s, 0, NULL, 0, 0); - if (!(s->internal->shutdown & SSL_RECEIVED_SHUTDOWN)) { + if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { return (-1); /* return WANT_READ */ } } - if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && + if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && !s->s3->alert_dispatch) return (1); else 
@@ -2666,16 +2753,16 @@ ssl3_read_internal(SSL *s, void *buf, int len, int peek) peek); if ((ret == -1) && (s->s3->in_read_app_data == 2)) { /* - * ssl3_read_bytes decided to call s->internal->handshake_func, + * ssl3_read_bytes decided to call s->handshake_func, * which called ssl3_read_bytes to read handshake data. * However, ssl3_read_bytes actually found application data * and thinks that application data makes sense here; so disable * handshake processing and try to read application data again. */ - s->internal->in_handshake++; + s->in_handshake++; ret = s->method->ssl_read_bytes(s, SSL3_RT_APPLICATION_DATA, buf, len, peek); - s->internal->in_handshake--; + s->in_handshake--; } else s->s3->in_read_app_data = 0; @@ -2697,7 +2784,7 @@ ssl3_peek(SSL *s, void *buf, int len) int ssl3_renegotiate(SSL *s) { - if (s->internal->handshake_func == NULL) + if (s->handshake_func == NULL) return 1; if (s->s3->flags & SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) diff --git a/ssl/ssl.sym b/ssl/ssl.sym index d18bcc4..2b9ec25 100644 --- a/ssl/ssl.sym +++ b/ssl/ssl.sym @@ -7,34 +7,18 @@ BIO_ssl_shutdown DTLS_client_method DTLS_method DTLS_server_method -DTLSv1_client_method -DTLSv1_method -DTLSv1_server_method DTLSv1_2_client_method DTLSv1_2_method DTLSv1_2_server_method -SSLv23_client_method -SSLv23_method -SSLv23_server_method -TLS_client_method -TLS_method -TLS_server_method -TLSv1_1_client_method -TLSv1_1_method -TLSv1_1_server_method -TLSv1_2_client_method -TLSv1_2_method -TLSv1_2_server_method -TLSv1_client_method -TLSv1_method -TLSv1_server_method +DTLSv1_client_method +DTLSv1_method +DTLSv1_server_method +ERR_load_SSL_strings +OPENSSL_init_ssl PEM_read_SSL_SESSION PEM_read_bio_SSL_SESSION PEM_write_SSL_SESSION PEM_write_bio_SSL_SESSION -d2i_SSL_SESSION -i2d_SSL_SESSION -ERR_load_SSL_strings SSL_CIPHER_description SSL_CIPHER_find SSL_CIPHER_get_auth_nid 
@@ -81,6 +65,7 @@ SSL_CTX_get_max_proto_version SSL_CTX_get_min_proto_version SSL_CTX_get_num_tickets SSL_CTX_get_quiet_shutdown +SSL_CTX_get_security_level SSL_CTX_get_ssl_method SSL_CTX_get_timeout SSL_CTX_get_verify_callback @@ -129,7 +114,9 @@ SSL_CTX_set_next_protos_advertised_cb SSL_CTX_set_num_tickets SSL_CTX_set_post_handshake_auth SSL_CTX_set_purpose +SSL_CTX_set_quic_method SSL_CTX_set_quiet_shutdown +SSL_CTX_set_security_level SSL_CTX_set_session_id_context SSL_CTX_set_ssl_version SSL_CTX_set_timeout @@ -235,11 +222,13 @@ SSL_get_num_tickets SSL_get_peer_cert_chain SSL_get_peer_certificate SSL_get_peer_finished +SSL_get_peer_quic_transport_params SSL_get_privatekey SSL_get_quiet_shutdown SSL_get_rbio SSL_get_read_ahead SSL_get_rfd +SSL_get_security_level SSL_get_selected_srtp_profile SSL_get_server_random SSL_get_servername @@ -258,6 +247,7 @@ SSL_get_wbio SSL_get_wfd SSL_has_matching_session_id SSL_is_dtls +SSL_is_quic SSL_is_server SSL_library_init SSL_load_client_CA_file @@ -266,6 +256,11 @@ SSL_new SSL_peek SSL_peek_ex SSL_pending +SSL_process_quic_post_handshake +SSL_provide_quic_data +SSL_quic_max_handshake_flight_len +SSL_quic_read_level +SSL_quic_write_level SSL_read SSL_read_early_data SSL_read_ex @@ -304,9 +299,13 @@ SSL_set_num_tickets SSL_set_post_handshake_auth SSL_set_psk_use_session_callback SSL_set_purpose +SSL_set_quic_method +SSL_set_quic_transport_params +SSL_set_quic_use_legacy_codepoint SSL_set_quiet_shutdown SSL_set_read_ahead SSL_set_rfd +SSL_set_security_level SSL_set_session SSL_set_session_id_context SSL_set_session_secret_cb 
@@ -346,4 +345,20 @@ SSL_want SSL_write SSL_write_early_data SSL_write_ex -OPENSSL_init_ssl +SSLv23_client_method +SSLv23_method +SSLv23_server_method +TLS_client_method +TLS_method +TLS_server_method +TLSv1_1_client_method +TLSv1_1_method +TLSv1_1_server_method +TLSv1_2_client_method +TLSv1_2_method +TLSv1_2_server_method +TLSv1_client_method +TLSv1_method +TLSv1_server_method +d2i_SSL_SESSION +i2d_SSL_SESSION diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c index 5ecbb34..ab23f4b 100644 --- a/ssl/ssl_algs.c +++ b/ssl/ssl_algs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_algs.c,v 1.30 2022/01/14 08:38:48 tb Exp $ */ +/* $OpenBSD: ssl_algs.c,v 1.31 2022/11/26 16:08:55 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,7 +62,7 @@ #include #include -#include "ssl_locl.h" +#include "ssl_local.h" int SSL_library_init(void) diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 70a50ac..7684602 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_asn1.c,v 1.61 2022/01/11 18:39:28 jsing Exp $ */ +/* $OpenBSD: ssl_asn1.c,v 1.66 2022/11/26 16:08:55 tb Exp $ */ /* * Copyright (c) 2016 Joel Sing * @@ -21,7 +21,7 @@ #include #include "bytestring.h" -#include "ssl_locl.h" +#include "ssl_local.h" #define SSLASN1_TAG (CBS_ASN1_CONSTRUCTED | CBS_ASN1_CONTEXT_SPECIFIC) #define SSLASN1_TIME_TAG (SSLASN1_TAG | 1) @@ -71,7 +71,7 @@ SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len, /* Cipher suite ID. */ /* XXX - require cipher to be non-NULL or always/only use cipher_id. */ - cid = (uint16_t)(s->cipher_id & 0xffff); + cid = (uint16_t)(s->cipher_id & SSL3_CK_VALUE_MASK); if (s->cipher != NULL) cid = ssl3_cipher_get_value(s->cipher); if (!CBB_add_asn1(&session, &cipher_suite, CBS_ASN1_OCTETSTRING)) 
@@ -295,21 +295,15 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) if (!CBS_get_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING)) goto err; if (!CBS_write_bytes(&session_id, s->session_id, sizeof(s->session_id), - &data_len)) + &s->session_id_length)) goto err; - if (data_len > UINT_MAX) - goto err; - s->session_id_length = (unsigned int)data_len; /* Master key. */ if (!CBS_get_asn1(&session, &master_key, CBS_ASN1_OCTETSTRING)) goto err; if (!CBS_write_bytes(&master_key, s->master_key, sizeof(s->master_key), - &data_len)) + &s->master_key_length)) goto err; - if (data_len > INT_MAX) - goto err; - s->master_key_length = (int)data_len; /* Time [1]. */ s->time = time(NULL); @@ -354,11 +348,8 @@ d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp, long length) goto err; if (present) { if (!CBS_write_bytes(&session_id, (uint8_t *)&s->sid_ctx, - sizeof(s->sid_ctx), &data_len)) + sizeof(s->sid_ctx), &s->sid_ctx_length)) goto err; - if (data_len > UINT_MAX) - goto err; - s->sid_ctx_length = (unsigned int)data_len; } /* Verify result [5]. */ diff --git a/ssl/ssl_both.c b/ssl/ssl_both.c index cfd3238..3feedc1 100644 --- a/ssl/ssl_both.c +++ b/ssl/ssl_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_both.c,v 1.42 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: ssl_both.c,v 1.45 2022/11/26 16:08:55 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -124,11 +124,11 @@ #include #include "bytestring.h" -#include "dtls_locl.h" -#include "ssl_locl.h" +#include "dtls_local.h" +#include "ssl_local.h" /* - * Send s->internal->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or + * Send s->init_buf in records of type 'type' (SSL3_RT_HANDSHAKE or * SSL3_RT_CHANGE_CIPHER_SPEC). */ int 
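Review bot: In `d2i_SSL_SESSION` the three `data_len > UINT_MAX` / `data_len > INT_MAX` guards are removed and `CBS_write_bytes` now writes straight into `s->session_id_length`, `s->master_key_length` and `s->sid_ctx_length`. That is only type-correct if those fields are now `size_t`; the guards existed precisely because they used to be narrower integer types, and the struct change is not part of this hunk, so please confirm it lands in the same commit. If `data_len` has no remaining use in the function (its declaration is above the hunk), it should be deleted to avoid an unused-variable warning. The function's start and end are outside the hunk.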
@@ -136,8 +136,8 @@ ssl3_do_write(SSL *s, int type) { int ret; - ret = ssl3_write_bytes(s, type, &s->internal->init_buf->data[s->internal->init_off], - s->internal->init_num); + ret = ssl3_write_bytes(s, type, &s->init_buf->data[s->init_off], + s->init_num); if (ret < 0) return (-1); 
@@ -147,166 +147,20 @@ ssl3_do_write(SSL *s, int type) * we'll ignore the result anyway. */ tls1_transcript_record(s, - (unsigned char *)&s->internal->init_buf->data[s->internal->init_off], ret); + (unsigned char *)&s->init_buf->data[s->init_off], ret); - if (ret == s->internal->init_num) { - ssl_msg_callback(s, 1, type, s->internal->init_buf->data, - (size_t)(s->internal->init_off + s->internal->init_num)); + if (ret == s->init_num) { + ssl_msg_callback(s, 1, type, s->init_buf->data, + (size_t)(s->init_off + s->init_num)); return (1); } - s->internal->init_off += ret; - s->internal->init_num -= ret; + s->init_off += ret; + s->init_num -= ret; return (0); } -int -ssl3_send_finished(SSL *s, int state_a, int state_b) -{ - CBB cbb, finished; - - memset(&cbb, 0, sizeof(cbb)); - - if (s->s3->hs.state == state_a) { - if (!tls12_derive_finished(s)) - goto err; - - /* Copy finished so we can use it for renegotiation checks. */ - if (!s->server) { - memcpy(s->s3->previous_client_finished, - s->s3->hs.finished, s->s3->hs.finished_len); - s->s3->previous_client_finished_len = - s->s3->hs.finished_len; - } else { - memcpy(s->s3->previous_server_finished, - s->s3->hs.finished, s->s3->hs.finished_len); - s->s3->previous_server_finished_len = - s->s3->hs.finished_len; - } - - if (!ssl3_handshake_msg_start(s, &cbb, &finished, - SSL3_MT_FINISHED)) - goto err; - if (!CBB_add_bytes(&finished, s->s3->hs.finished, - s->s3->hs.finished_len)) - goto err; - if (!ssl3_handshake_msg_finish(s, &cbb)) - goto err; - - s->s3->hs.state = state_b; - } - - return (ssl3_handshake_write(s)); - - err: - CBB_cleanup(&cbb); - - return (-1); -} - -int -ssl3_get_finished(SSL *s, int a, int b) -{ - int al, md_len, ret; - CBS cbs; - - /* should actually be 36+4 :-) */ - if ((ret = ssl3_get_message(s, a, b, SSL3_MT_FINISHED, 64)) <= 0) - return ret; - - /* If this occurs, we have missed a message */ - if (!s->s3->change_cipher_spec) { - al = SSL_AD_UNEXPECTED_MESSAGE; - SSLerror(s, 
SSL_R_GOT_A_FIN_BEFORE_A_CCS); - goto fatal_err; - } - s->s3->change_cipher_spec = 0; - - md_len = TLS1_FINISH_MAC_LENGTH; - - if (s->internal->init_num < 0) { - al = SSL_AD_DECODE_ERROR; - SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); - goto fatal_err; - } - - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); - - if (s->s3->hs.peer_finished_len != md_len || - CBS_len(&cbs) != md_len) { - al = SSL_AD_DECODE_ERROR; - SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); - goto fatal_err; - } - - if (!CBS_mem_equal(&cbs, s->s3->hs.peer_finished, CBS_len(&cbs))) { - al = SSL_AD_DECRYPT_ERROR; - SSLerror(s, SSL_R_DIGEST_CHECK_FAILED); - goto fatal_err; - } - - /* Copy finished so we can use it for renegotiation checks. */ - OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE); - if (s->server) { - memcpy(s->s3->previous_client_finished, - s->s3->hs.peer_finished, md_len); - s->s3->previous_client_finished_len = md_len; - } else { - memcpy(s->s3->previous_server_finished, - s->s3->hs.peer_finished, md_len); - s->s3->previous_server_finished_len = md_len; - } - - return (1); - fatal_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); - return (0); -} - -int -ssl3_send_change_cipher_spec(SSL *s, int a, int b) -{ - size_t outlen; - CBB cbb; - - memset(&cbb, 0, sizeof(cbb)); - - if (s->s3->hs.state == a) { - if (!CBB_init_fixed(&cbb, s->internal->init_buf->data, - s->internal->init_buf->length)) - goto err; - if (!CBB_add_u8(&cbb, SSL3_MT_CCS)) - goto err; - if (!CBB_finish(&cbb, NULL, &outlen)) - goto err; - - if (outlen > INT_MAX) - goto err; - - s->internal->init_num = (int)outlen; - s->internal->init_off = 0; - - if (SSL_is_dtls(s)) { - s->d1->handshake_write_seq = - s->d1->next_handshake_write_seq; - dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, - s->d1->handshake_write_seq, 0, 0); - dtls1_buffer_message(s, 1); - } - - s->s3->hs.state = b; - } - - /* SSL3_ST_CW_CHANGE_B */ - return ssl3_record_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); - - err: - CBB_cleanup(&cbb); - - return -1; -} - static int 
ssl3_add_cert(CBB *cbb, X509 *x) { @@ -353,7 +207,7 @@ ssl3_output_cert_chain(SSL *s, CBB *cbb, SSL_CERT_PKEY *cpk) if ((chain = cpk->chain) == NULL) chain = s->ctx->extra_certs; - if (chain != NULL || (s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { + if (chain != NULL || (s->mode & SSL_MODE_NO_AUTO_CHAIN)) { if (!ssl3_add_cert(&cert_list, cpk->x509)) goto err; } else { @@ -415,27 +269,27 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max) SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); goto fatal_err; } - s->internal->init_msg = s->internal->init_buf->data + + s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; - s->internal->init_num = (int)s->s3->hs.tls12.message_size; + s->init_num = (int)s->s3->hs.tls12.message_size; return 1; } - p = (unsigned char *)s->internal->init_buf->data; + p = (unsigned char *)s->init_buf->data; if (s->s3->hs.state == st1) { int skip_message; do { - while (s->internal->init_num < SSL3_HM_HEADER_LENGTH) { + while (s->init_num < SSL3_HM_HEADER_LENGTH) { i = s->method->ssl_read_bytes(s, - SSL3_RT_HANDSHAKE, &p[s->internal->init_num], - SSL3_HM_HEADER_LENGTH - s->internal->init_num, 0); + SSL3_RT_HANDSHAKE, &p[s->init_num], + SSL3_HM_HEADER_LENGTH - s->init_num, 0); if (i <= 0) { - s->internal->rwstate = SSL_READING; + s->rwstate = SSL_READING; return i; } - s->internal->init_num += i; + s->init_num += i; } skip_message = 0; @@ -447,7 +301,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max) * correct. Does not count for 'Finished' MAC. */ if (p[1] == 0 && p[2] == 0 &&p[3] == 0) { - s->internal->init_num = 0; + s->init_num = 0; skip_message = 1; ssl_msg_callback(s, 0, @@ -476,7 +330,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max) SSLerror(s, SSL_R_EXCESSIVE_MESSAGE_SIZE); goto fatal_err; } - if (l && !BUF_MEM_grow_clean(s->internal->init_buf, + if (l && !BUF_MEM_grow_clean(s->init_buf, l + SSL3_HM_HEADER_LENGTH)) { SSLerror(s, ERR_R_BUF_LIB); goto err; 
@@ -484,33 +338,33 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max) s->s3->hs.tls12.message_size = l; s->s3->hs.state = stn; - s->internal->init_msg = s->internal->init_buf->data + + s->init_msg = s->init_buf->data + SSL3_HM_HEADER_LENGTH; - s->internal->init_num = 0; + s->init_num = 0; } /* next state (stn) */ - p = s->internal->init_msg; - n = s->s3->hs.tls12.message_size - s->internal->init_num; + p = s->init_msg; + n = s->s3->hs.tls12.message_size - s->init_num; while (n > 0) { i = s->method->ssl_read_bytes(s, SSL3_RT_HANDSHAKE, - &p[s->internal->init_num], n, 0); + &p[s->init_num], n, 0); if (i <= 0) { - s->internal->rwstate = SSL_READING; + s->rwstate = SSL_READING; return i; } - s->internal->init_num += i; + s->init_num += i; n -= i; } /* Feed this message into MAC computation. */ - if (s->internal->mac_packet) { - tls1_transcript_record(s, (unsigned char *)s->internal->init_buf->data, - s->internal->init_num + SSL3_HM_HEADER_LENGTH); + if (s->mac_packet) { + tls1_transcript_record(s, (unsigned char *)s->init_buf->data, + s->init_num + SSL3_HM_HEADER_LENGTH); ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, - s->internal->init_buf->data, - (size_t)s->internal->init_num + SSL3_HM_HEADER_LENGTH); + s->init_buf->data, + (size_t)s->init_num + SSL3_HM_HEADER_LENGTH); } return 1; @@ -605,7 +459,7 @@ ssl3_setup_init_buffer(SSL *s) { BUF_MEM *buf = NULL; - if (s->internal->init_buf != NULL) + if (s->init_buf != NULL) return (1); if ((buf = BUF_MEM_new()) == NULL) @@ -613,7 +467,7 @@ ssl3_setup_init_buffer(SSL *s) if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) goto err; - s->internal->init_buf = buf; + s->init_buf = buf; return (1); err: 
@@ -624,11 +478,11 @@ ssl3_setup_init_buffer(SSL *s) void ssl3_release_init_buffer(SSL *s) { - BUF_MEM_free(s->internal->init_buf); - s->internal->init_buf = NULL; - s->internal->init_msg = NULL; - s->internal->init_num = 0; - s->internal->init_off = 0; + BUF_MEM_free(s->init_buf); + s->init_buf = NULL; + s->init_msg = NULL; + s->init_num = 0; + s->init_off = 0; } int @@ -653,7 +507,7 @@ ssl3_setup_read_buffer(SSL *s) s->s3->rbuf.len = len; } - s->internal->packet = s->s3->rbuf.buf; + s->packet = s->s3->rbuf.buf; return 1; err: @@ -677,7 +531,7 @@ ssl3_setup_write_buffer(SSL *s) if (s->s3->wbuf.buf == NULL) { len = s->max_send_fragment + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; - if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) len += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index 30e99ad..4fe8052 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.95 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.105 2022/11/26 16:08:55 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -128,7 +128,7 @@ #include #include -#include "ssl_locl.h" +#include "ssl_local.h" int SSL_get_ex_data_X509_STORE_CTX_idx(void) @@ -170,6 +170,9 @@ ssl_cert_new(void) } ret->key = &(ret->pkeys[SSL_PKEY_RSA]); ret->references = 1; + ret->security_cb = ssl_security_default_cb; + ret->security_level = OPENSSL_TLS_SECURITY_LEVEL; + ret->security_ex_data = NULL; return (ret); } @@ -246,6 +249,10 @@ ssl_cert_dup(SSL_CERT *cert) } } + ret->security_cb = cert->security_cb; + ret->security_level = cert->security_level; + ret->security_ex_data = cert->security_ex_data; + /* * ret->extra_certs *should* exist, but currently the own certificate * chain is held inside SSL_CTX 
@@ -291,20 +298,46 @@ ssl_cert_free(SSL_CERT *c)
 	free(c);
 }
 
-int
-ssl_cert_set0_chain(SSL_CERT *c, STACK_OF(X509) *chain)
+SSL_CERT *
+ssl_get0_cert(SSL_CTX *ctx, SSL *ssl)
 {
-	if (c->key == NULL)
+	if (ssl != NULL)
+		return ssl->cert;
+
+	return ctx->cert;
+}
+
+int
+ssl_cert_set0_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain)
+{
+	SSL_CERT *ssl_cert;
+	SSL_CERT_PKEY *cpk;
+	X509 *x509;
+	int ssl_err;
+	int i;
+
+	if ((ssl_cert = ssl_get0_cert(ctx, ssl)) == NULL)
 		return 0;
 
-	sk_X509_pop_free(c->key->chain, X509_free);
-	c->key->chain = chain;
+	if ((cpk = ssl_cert->key) == NULL)
+		return 0;
+
+	for (i = 0; i < sk_X509_num(chain); i++) {
+		x509 = sk_X509_value(chain, i);
+		if (!ssl_security_cert(ctx, ssl, x509, 0, &ssl_err)) {
+			SSLerrorx(ssl_err);
+			return 0;
+		}
+	}
+
+	sk_X509_pop_free(cpk->chain, X509_free);
+	cpk->chain = chain;
 
 	return 1;
 }
 
 int
-ssl_cert_set1_chain(SSL_CERT *c, STACK_OF(X509) *chain)
+ssl_cert_set1_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain)
 {
 	STACK_OF(X509) *new_chain = NULL;
 
@@ -312,7 +345,7 @@ ssl_cert_set1_chain(SSL_CERT *c, STACK_OF(X509) *chain)
 		if ((new_chain = X509_chain_up_ref(chain)) == NULL)
 			return 0;
 	}
-	if (!ssl_cert_set0_chain(c, new_chain)) {
+	if (!ssl_cert_set0_chain(ctx, ssl, new_chain)) {
 		sk_X509_pop_free(new_chain, X509_free);
 		return 0;
 	}
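Review bot: `ssl_get0_cert` dereferences `ctx` unconditionally when `ssl` is NULL, and the `== NULL` test in `ssl_cert_set0_chain` only catches a NULL `cert` member, never a NULL `ctx`. Every caller in this diff passes exactly one non-NULL handle, so this is latent rather than live, but a guard `if (ctx == NULL) return NULL;` at the top of `ssl_get0_cert`, or a comment stating that exactly one of `ctx`/`ssl` must be non-NULL, would pin the contract for future callers. The loop checks every certificate against the security level before anything is mutated, so a rejected chain leaves the old chain installed and ownership of `chain` with the caller — `ssl_cert_set1_chain` already depends on that by freeing `new_chain` on failure, and a comment above `sk_X509_pop_free(cpk->chain, X509_free);` saying so would make the set0 ownership rule explicit. `ssl_cert_set1_chain`'s body continues outside the hunk.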
@@ -321,25 +354,37 @@ ssl_cert_set1_chain(SSL_CERT *c, STACK_OF(X509) *chain) } int -ssl_cert_add0_chain_cert(SSL_CERT *c, X509 *cert) +ssl_cert_add0_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert) { - if (c->key == NULL) + SSL_CERT *ssl_cert; + SSL_CERT_PKEY *cpk; + int ssl_err; + + if ((ssl_cert = ssl_get0_cert(ctx, ssl)) == NULL) return 0; - if (c->key->chain == NULL) { - if ((c->key->chain = sk_X509_new_null()) == NULL) + if ((cpk = ssl_cert->key) == NULL) + return 0; + + if (!ssl_security_cert(ctx, ssl, cert, 0, &ssl_err)) { + SSLerrorx(ssl_err); + return 0; + } + + if (cpk->chain == NULL) { + if ((cpk->chain = sk_X509_new_null()) == NULL) return 0; } - if (!sk_X509_push(c->key->chain, cert)) + if (!sk_X509_push(cpk->chain, cert)) return 0; return 1; } int -ssl_cert_add1_chain_cert(SSL_CERT *c, X509 *cert) +ssl_cert_add1_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert) { - if (!ssl_cert_add0_chain_cert(c, cert)) + if (!ssl_cert_add0_chain_cert(ctx, ssl, cert)) return 0; X509_up_ref(cert); @@ -348,20 +393,21 @@ ssl_cert_add1_chain_cert(SSL_CERT *c, X509 *cert) } int -ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) +ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *certs) { X509_STORE_CTX *ctx = NULL; - X509 *x; + X509_VERIFY_PARAM *param; + X509 *cert; int ret = 0; - if ((sk == NULL) || (sk_X509_num(sk) == 0)) + if (sk_X509_num(certs) < 1) goto err; if ((ctx = X509_STORE_CTX_new()) == NULL) goto err; - x = sk_X509_value(sk, 0); - if (!X509_STORE_CTX_init(ctx, s->ctx->cert_store, x, sk)) { + cert = sk_X509_value(certs, 0); + if (!X509_STORE_CTX_init(ctx, s->ctx->cert_store, cert, certs)) { SSLerror(s, ERR_R_X509_LIB); goto err; } 
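Review bot: `ssl_verify_cert_chain` replaces the explicit NULL test with `if (sk_X509_num(certs) < 1) goto err;`, which is only safe because `sk_X509_num` returns a negative count for a NULL stack; that is now an implicit dependency, so a short comment such as `/* sk_X509_num(NULL) is negative, so this also rejects a NULL chain. */` would keep a later cleanup from reintroducing a NULL dereference. In `ssl_cert_add0_chain_cert` the `ssl_security_cert` check runs before the chain stack is created or pushed to, so on rejection `cert` stays owned by the caller, and `ssl_cert_add1_chain_cert` correctly relies on that by calling `X509_up_ref` only after success. Both `ssl_cert_add0_chain_cert` and `ssl_verify_cert_chain` continue outside the hunk.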
@@ -374,27 +420,31 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *sk) */ X509_STORE_CTX_set_default(ctx, s->server ? "ssl_client" : "ssl_server"); + param = X509_STORE_CTX_get0_param(ctx); + + X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s)); + /* * Anything non-default in "param" should overwrite anything * in the ctx. */ - X509_VERIFY_PARAM_set1(X509_STORE_CTX_get0_param(ctx), s->param); + X509_VERIFY_PARAM_set1(param, s->param); - if (s->internal->verify_callback) - X509_STORE_CTX_set_verify_cb(ctx, s->internal->verify_callback); + if (s->verify_callback) + X509_STORE_CTX_set_verify_cb(ctx, s->verify_callback); - if (s->ctx->internal->app_verify_callback != NULL) - ret = s->ctx->internal->app_verify_callback(ctx, - s->ctx->internal->app_verify_arg); + if (s->ctx->app_verify_callback != NULL) + ret = s->ctx->app_verify_callback(ctx, + s->ctx->app_verify_arg); else ret = X509_verify_cert(ctx); s->verify_result = X509_STORE_CTX_get_error(ctx); - sk_X509_pop_free(s->internal->verified_chain, X509_free); - s->internal->verified_chain = NULL; + sk_X509_pop_free(s->verified_chain, X509_free); + s->verified_chain = NULL; if (X509_STORE_CTX_get0_chain(ctx) != NULL) { - s->internal->verified_chain = X509_STORE_CTX_get1_chain(ctx); - if (s->internal->verified_chain == NULL) { + s->verified_chain = X509_STORE_CTX_get1_chain(ctx); + if (s->verified_chain == NULL) { SSLerrorx(ERR_R_MALLOC_FAILURE); ret = 0; } 
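Review bot: The order of the two new lines in `ssl_verify_cert_chain` is load-bearing: `X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s))` runs before `X509_VERIFY_PARAM_set1(param, s->param)`, so an auth level the application has set on `s->param` presumably overrides the one derived from the security level, while the default case gets the security-level value. The existing comment only explains the override for the ctx parameters; extending it with `/* Derive the auth level from the security level first, so an explicit auth level in s->param still wins below. */` would stop a later reordering from silently changing which setting takes precedence. The function's start and end are outside the hunk.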
@@ -441,19 +491,19 @@ SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk) void SSL_set_client_CA_list(SSL *s, STACK_OF(X509_NAME) *name_list) { - set_client_CA_list(&(s->internal->client_CA), name_list); + set_client_CA_list(&(s->client_CA), name_list); } void SSL_CTX_set_client_CA_list(SSL_CTX *ctx, STACK_OF(X509_NAME) *name_list) { - set_client_CA_list(&(ctx->internal->client_CA), name_list); + set_client_CA_list(&(ctx->client_CA), name_list); } STACK_OF(X509_NAME) * SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) { - return (ctx->internal->client_CA); + return (ctx->client_CA); } STACK_OF(X509_NAME) * @@ -466,10 +516,10 @@ SSL_get_client_CA_list(const SSL *s) else return (NULL); } else { - if (s->internal->client_CA != NULL) - return (s->internal->client_CA); + if (s->client_CA != NULL) + return (s->client_CA); else - return (s->ctx->internal->client_CA); + return (s->ctx->client_CA); } } @@ -496,13 +546,13 @@ add_client_CA(STACK_OF(X509_NAME) **sk, X509 *x) int SSL_add_client_CA(SSL *ssl, X509 *x) { - return (add_client_CA(&(ssl->internal->client_CA), x)); + return (add_client_CA(&(ssl->client_CA), x)); } int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) { - return (add_client_CA(&(ctx->internal->client_CA), x)); + return (add_client_CA(&(ctx->client_CA), x)); } static int diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 2bc9f8e..a71c504 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.127 2022/03/05 07:13:48 bket Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.135 2022/11/26 16:08:55 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -149,7 +149,7 @@ #include #endif -#include "ssl_locl.h" +#include "ssl_local.h" #define CIPHER_ADD 1 #define CIPHER_KILL 2 
@@ -696,9 +696,6 @@ ssl_cipher_collect_ciphers(const SSL_METHOD *ssl_method, int num_of_ciphers, co_list[co_list_num].prev = NULL; co_list[co_list_num].active = 0; co_list_num++; - /* - if (!sk_push(ca_list,(char *)c)) goto err; - */ } } @@ -945,7 +942,8 @@ ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) static int ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, - CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, int *tls13_seen) + CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, SSL_CERT *cert, + int *tls13_seen) { unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl; unsigned long algo_strength; @@ -1000,7 +998,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, ((ch >= '0') && (ch <= '9')) || ((ch >= 'a') && (ch <= 'z')) || (ch == '-') || (ch == '.') || - (ch == '_')) { + (ch == '_') || (ch == '=')) { ch = *(++l); buflen++; } @@ -1012,9 +1010,7 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, * alphanumeric, so we call this an error. */ SSLerrorx(SSL_R_INVALID_COMMAND); - retval = found = 0; - l++; - break; + return 0; } if (rule == CIPHER_SPECIAL) { 
@@ -1156,18 +1152,24 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p,
 		if (rule == CIPHER_SPECIAL) {
 			/* special command */
 			ok = 0;
-			if ((buflen == 8) && !strncmp(buf, "STRENGTH", 8))
+			if (buflen == 8 && strncmp(buf, "STRENGTH", 8) == 0) {
 				ok = ssl_cipher_strength_sort(head_p, tail_p);
-			else
+			} else if (buflen == 10 &&
+			    strncmp(buf, "SECLEVEL=", 9) == 0) {
+				int level = buf[9] - '0';
+
+				if (level >= 0 && level <= 5) {
+					cert->security_level = level;
+					ok = 1;
+				} else {
+					SSLerrorx(SSL_R_INVALID_COMMAND);
+				}
+			} else {
 				SSLerrorx(SSL_R_INVALID_COMMAND);
+			}
 			if (ok == 0)
 				retval = 0;
-			/*
-			 * We do not support any "multi" options
-			 * together with "@", so throw away the
-			 * rest of the command, if any left, until
-			 * end or ':' is found.
-			 */
+
 			while ((*l != '\0') && !ITEM_SEP(*l))
 				l++;
 		} else if (found) {
@@ -1201,11 +1203,11 @@ STACK_OF(SSL_CIPHER) *
 ssl_create_cipher_list(const SSL_METHOD *ssl_method,
     STACK_OF(SSL_CIPHER) **cipher_list,
     STACK_OF(SSL_CIPHER) *cipher_list_tls13,
-    const char *rule_str)
+    const char *rule_str, SSL_CERT *cert)
 {
 	int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases;
 	unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl;
-	STACK_OF(SSL_CIPHER) *cipherstack;
+	STACK_OF(SSL_CIPHER) *cipherstack = NULL, *ret = NULL;
 	const char *rule_p;
 	CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr;
 	const SSL_CIPHER **ca_list = NULL;
@@ -1218,7 +1220,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method,
 	 * Return with error if nothing to do.
 	 */
 	if (rule_str == NULL || cipher_list == NULL)
-		return NULL;
+		goto err;
 
 	/*
 	 * To reduce the work to do we only want to process the compiled
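Review bot: `SECLEVEL=` stores `cert->security_level = level;` the moment the token is parsed, before the rest of the rule string has been validated and before `ssl_create_cipher_list` decides whether to install the new list. A rule string such as `SECLEVEL=3:@BOGUS` therefore hits the `SSL_R_INVALID_COMMAND` branch later in the same loop and makes the cipher-list call fail with `*cipher_list` untouched, yet the security level has already been raised — a half-applied state the caller cannot detect from the return value. Consider parsing the level into a local (or an out-parameter of `ssl_cipher_process_rulestr`) and having `ssl_create_cipher_list` commit it only on the success path, or at minimum documenting the side effect with `/* NOTE: takes effect immediately, even if the rest of the rule string is rejected. */`. `cert` is also dereferenced without a NULL check and its callers are not in this diff, so please confirm every caller of `ssl_create_cipher_list` passes a non-NULL `SSL_CERT`. The enclosing loop of `ssl_cipher_process_rulestr` begins outside the hunk.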
@@ -1235,7 +1237,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, co_list = reallocarray(NULL, num_of_ciphers, sizeof(CIPHER_ORDER)); if (co_list == NULL) { SSLerrorx(ERR_R_MALLOC_FAILURE); - return(NULL); /* Failure */ + goto err; } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, @@ -1288,10 +1290,8 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, /* Now sort by symmetric encryption strength. The above ordering remains * in force within each class */ - if (!ssl_cipher_strength_sort(&head, &tail)) { - free(co_list); - return NULL; - } + if (!ssl_cipher_strength_sort(&head, &tail)) + goto err; /* Now disable everything (maintaining the ordering!) */ ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); @@ -1312,9 +1312,8 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = reallocarray(NULL, num_of_alias_max, sizeof(SSL_CIPHER *)); if (ca_list == NULL) { - free(co_list); SSLerrorx(ERR_R_MALLOC_FAILURE); - return(NULL); /* Failure */ + goto err; } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl, head); @@ -1327,7 +1326,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, rule_p = rule_str; if (strncmp(rule_str, "DEFAULT", 7) == 0) { ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, - &head, &tail, ca_list, &tls13_seen); + &head, &tail, ca_list, cert, &tls13_seen); rule_p += 7; if (*rule_p == ':') rule_p++; @@ -1335,14 +1334,11 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, if (ok && (strlen(rule_p) > 0)) ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, - &tls13_seen); - - free((void *)ca_list); /* Not needed anymore */ + cert, &tls13_seen); if (!ok) { /* Rule processing failure */ - free(co_list); - return (NULL); + goto err; } /* 
@@ -1350,15 +1346,18 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, * if we cannot get one. */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { - free(co_list); - return (NULL); + SSLerrorx(ERR_R_MALLOC_FAILURE); + goto err; } /* Prefer TLSv1.3 cipher suites. */ if (cipher_list_tls13 != NULL) { for (i = 0; i < sk_SSL_CIPHER_num(cipher_list_tls13); i++) { cipher = sk_SSL_CIPHER_value(cipher_list_tls13, i); - sk_SSL_CIPHER_push(cipherstack, cipher); + if (!sk_SSL_CIPHER_push(cipherstack, cipher)) { + SSLerrorx(ERR_R_MALLOC_FAILURE); + goto err; + } } tls13_seen = 1; } @@ -1377,19 +1376,29 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, any_active = 0; for (curr = head; curr != NULL; curr = curr->next) { if (curr->active || - (!tls13_seen && curr->cipher->algorithm_ssl == SSL_TLSV1_3)) - sk_SSL_CIPHER_push(cipherstack, curr->cipher); + (!tls13_seen && curr->cipher->algorithm_ssl == SSL_TLSV1_3)) { + if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { + SSLerrorx(ERR_R_MALLOC_FAILURE); + goto err; + } + } any_active |= curr->active; } if (!any_active) sk_SSL_CIPHER_zero(cipherstack); - free(co_list); /* Not needed any longer */ - sk_SSL_CIPHER_free(*cipher_list); *cipher_list = cipherstack; + cipherstack = NULL; - return (cipherstack); + ret = *cipher_list; + + err: + sk_SSL_CIPHER_free(cipherstack); + free((void *)ca_list); + free(co_list); + + return ret; } const SSL_CIPHER * diff --git a/ssl/ssl_ciphers.c b/ssl/ssl_ciphers.c index 3174ae9..4ec1b09 100644 --- a/ssl/ssl_ciphers.c +++ b/ssl/ssl_ciphers.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciphers.c,v 1.13 2022/02/05 18:18:18 tb Exp $ */ +/* $OpenBSD: ssl_ciphers.c,v 1.17 2022/11/26 16:08:55 tb Exp $ */ /* * Copyright (c) 2015-2017 Doug Hogan * Copyright (c) 2015-2018, 2020 Joel Sing @@ -20,7 +20,7 @@ #include #include "bytestring.h" -#include "ssl_locl.h" +#include "ssl_local.h" int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher) 
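Review bot: In ssl_create_cipher_list the success path now falls straight through the `err:` label (`ret = *cipher_list;` is immediately followed by `err:`), so the label no longer names an error path; renaming it `done:` and updating the `goto err` sites in this function's earlier hunks would read better and matches the shared-cleanup idiom. The cleanup itself looks sound: `cipherstack` is reset to NULL once ownership moves to `*cipher_list`, and `ca_list`/`co_list` are released exactly once.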
@@ -70,6 +70,8 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb) if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers, max_vers)) continue; + if (!ssl_security_cipher_check(s, cipher)) + continue; if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher))) return 0; @@ -77,7 +79,7 @@ ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb) } /* Add SCSV if there are other ciphers and we're not renegotiating. */ - if (num_ciphers > 0 && !s->internal->renegotiate) { + if (num_ciphers > 0 && !s->renegotiate) { if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK)) return 0; } @@ -116,7 +118,7 @@ ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if * renegotiating. */ - if (s->internal->renegotiate) { + if (s->renegotiate) { SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); diff --git a/ssl/ssl_clnt.c b/ssl/ssl_clnt.c index 607b038..c721aed 100644 --- a/ssl/ssl_clnt.c +++ b/ssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.141 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.158 2022/12/26 07:31:44 jmc Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
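Review bot: The added `ssl_security_cipher_check()` only filters the cipher list this side sends; the receiving path in ssl_bytes_to_cipher_list further down in this file is touched only by the `s->renegotiate` rename, so if the security level is meant to constrain which peer-offered suites are accepted, that enforcement has to live where a cipher is selected from the peer's list (outside this diff) — worth confirming. A one-line comment above the new check would also help, e.g. `/* Drop suites below the configured security level before offering them. */`.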
@@ -169,13 +169,32 @@ #endif #include "bytestring.h" -#include "dtls_locl.h" -#include "ssl_locl.h" +#include "dtls_local.h" +#include "ssl_local.h" #include "ssl_sigalgs.h" #include "ssl_tlsext.h" static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b); +static int ssl3_send_client_hello(SSL *s); +static int ssl3_get_dtls_hello_verify(SSL *s); +static int ssl3_get_server_hello(SSL *s); +static int ssl3_get_certificate_request(SSL *s); +static int ssl3_get_new_session_ticket(SSL *s); +static int ssl3_get_cert_status(SSL *s); +static int ssl3_get_server_done(SSL *s); +static int ssl3_send_client_verify(SSL *s); +static int ssl3_send_client_certificate(SSL *s); +static int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey); +static int ssl3_send_client_key_exchange(SSL *s); +static int ssl3_get_server_key_exchange(SSL *s); +static int ssl3_get_server_certificate(SSL *s); +static int ssl3_check_cert_and_algorithm(SSL *s); +static int ssl3_check_finished(SSL *s); +static int ssl3_send_client_change_cipher_spec(SSL *s); +static int ssl3_send_client_finished(SSL *s); +static int ssl3_get_server_finished(SSL *s); + int ssl3_connect(SSL *s) { @@ -185,7 +204,7 @@ ssl3_connect(SSL *s) ERR_clear_error(); errno = 0; - s->internal->in_handshake++; + s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); @@ -194,9 +213,9 @@ ssl3_connect(SSL *s) switch (s->s3->hs.state) { case SSL_ST_RENEGOTIATE: - s->internal->renegotiate = 1; + s->renegotiate = 1; s->s3->hs.state = SSL_ST_CONNECT; - s->ctx->internal->stats.sess_connect_renegotiate++; + s->ctx->stats.sess_connect_renegotiate++; /* break */ case SSL_ST_BEFORE: case SSL_ST_CONNECT: @@ -221,6 +240,13 @@ ssl3_connect(SSL *s) goto end; } + if (!ssl_security_version(s, + s->s3->hs.our_min_tls_version)) { + SSLerror(s, SSL_R_VERSION_TOO_LOW); + ret = -1; + goto end; + } + if (!ssl3_setup_init_buffer(s)) { ret = -1; goto end; 
@@ -242,21 +268,21 @@ ssl3_connect(SSL *s) } s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A; - s->ctx->internal->stats.sess_connect++; - s->internal->init_num = 0; + s->ctx->stats.sess_connect++; + s->init_num = 0; if (SSL_is_dtls(s)) { /* mark client_random uninitialized */ memset(s->s3->client_random, 0, sizeof(s->s3->client_random)); s->d1->send_cookie = 0; - s->internal->hit = 0; + s->hit = 0; } break; case SSL3_ST_CW_CLNT_HELLO_A: case SSL3_ST_CW_CLNT_HELLO_B: - s->internal->shutdown = 0; + s->shutdown = 0; if (SSL_is_dtls(s)) { /* every DTLS ClientHello resets Finished MAC */ @@ -275,7 +301,7 @@ ssl3_connect(SSL *s) } else s->s3->hs.state = SSL3_ST_CR_SRVR_HELLO_A; - s->internal->init_num = 0; + s->init_num = 0; /* turn on buffering for the next lot of output */ if (s->bbio != s->wbio) @@ -289,10 +315,10 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; - if (s->internal->hit) { + if (s->hit) { s->s3->hs.state = SSL3_ST_CR_FINISHED_A; if (!SSL_is_dtls(s)) { - if (s->internal->tlsext_ticket_expected) { + if (s->tlsext_ticket_expected) { /* receive renewed session ticket */ s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A; } @@ -305,7 +331,7 @@ ssl3_connect(SSL *s) } else { s->s3->hs.state = SSL3_ST_CR_CERT_A; } - s->internal->init_num = 0; + s->init_num = 0; break; case DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A: @@ -318,7 +344,7 @@ ssl3_connect(SSL *s) s->s3->hs.state = SSL3_ST_CW_CLNT_HELLO_A; else s->s3->hs.state = SSL3_ST_CR_CERT_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CR_CERT_A: @@ -327,12 +353,12 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; if (ret == 2) { - s->internal->hit = 1; - if (s->internal->tlsext_ticket_expected) + s->hit = 1; + if (s->tlsext_ticket_expected) s->s3->hs.state = SSL3_ST_CR_SESSION_TICKET_A; else s->s3->hs.state = SSL3_ST_CR_FINISHED_A; - s->internal->init_num = 0; + s->init_num = 0; break; } /* Check if it is anon DH/ECDH. */ 
@@ -341,7 +367,7 @@ ssl3_connect(SSL *s) ret = ssl3_get_server_certificate(s); if (ret <= 0) goto end; - if (s->internal->tlsext_status_expected) + if (s->tlsext_status_expected) s->s3->hs.state = SSL3_ST_CR_CERT_STATUS_A; else s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A; @@ -349,7 +375,7 @@ ssl3_connect(SSL *s) skip = 1; s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A; } - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CR_KEY_EXCH_A: @@ -358,7 +384,7 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_CR_CERT_REQ_A; - s->internal->init_num = 0; + s->init_num = 0; /* * At this point we check that we have the @@ -376,7 +402,7 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_CR_SRVR_DONE_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CR_SRVR_DONE_A: @@ -390,7 +416,7 @@ ssl3_connect(SSL *s) s->s3->hs.state = SSL3_ST_CW_CERT_A; else s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A; - s->internal->init_num = 0; + s->init_num = 0; break; @@ -404,7 +430,7 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_CW_KEY_EXCH_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CW_KEY_EXCH_A: @@ -443,7 +469,7 @@ ssl3_connect(SSL *s) } } - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CW_CERT_VRFY_A: @@ -454,21 +480,20 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_CW_CHANGE_A; - s->internal->init_num = 0; + s->init_num = 0; s->s3->change_cipher_spec = 0; break; case SSL3_ST_CW_CHANGE_A: case SSL3_ST_CW_CHANGE_B: - if (SSL_is_dtls(s) && !s->internal->hit) + if (SSL_is_dtls(s) && !s->hit) dtls1_start_timer(s); - ret = ssl3_send_change_cipher_spec(s, - SSL3_ST_CW_CHANGE_A, SSL3_ST_CW_CHANGE_B); + ret = ssl3_send_client_change_cipher_spec(s); if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_CW_FINISHED_A; - s->internal->init_num = 0; + s->init_num = 0; s->session->cipher = s->s3->hs.cipher; if (!tls1_setup_key_block(s)) { 
@@ -483,10 +508,9 @@ ssl3_connect(SSL *s) case SSL3_ST_CW_FINISHED_A: case SSL3_ST_CW_FINISHED_B: - if (SSL_is_dtls(s) && !s->internal->hit) + if (SSL_is_dtls(s) && !s->hit) dtls1_start_timer(s); - ret = ssl3_send_finished(s, SSL3_ST_CW_FINISHED_A, - SSL3_ST_CW_FINISHED_B); + ret = ssl3_send_client_finished(s); if (ret <= 0) goto end; if (!SSL_is_dtls(s)) @@ -494,18 +518,18 @@ ssl3_connect(SSL *s) s->s3->hs.state = SSL3_ST_CW_FLUSH; /* clear flags */ - if (s->internal->hit) { + if (s->hit) { s->s3->hs.tls12.next_state = SSL_ST_OK; } else { /* Allow NewSessionTicket if ticket expected */ - if (s->internal->tlsext_ticket_expected) + if (s->tlsext_ticket_expected) s->s3->hs.tls12.next_state = SSL3_ST_CR_SESSION_TICKET_A; else s->s3->hs.tls12.next_state = SSL3_ST_CR_FINISHED_A; } - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CR_SESSION_TICKET_A: @@ -514,7 +538,7 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_CR_FINISHED_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CR_CERT_STATUS_A: @@ -523,7 +547,7 @@ ssl3_connect(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_CR_KEY_EXCH_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CR_FINISHED_A: 
@@ -532,34 +556,33 @@ ssl3_connect(SSL *s) s->d1->change_cipher_spec_ok = 1; else s->s3->flags |= SSL3_FLAGS_CCS_OK; - ret = ssl3_get_finished(s, SSL3_ST_CR_FINISHED_A, - SSL3_ST_CR_FINISHED_B); + ret = ssl3_get_server_finished(s); if (ret <= 0) goto end; if (SSL_is_dtls(s)) dtls1_stop_timer(s); - if (s->internal->hit) + if (s->hit) s->s3->hs.state = SSL3_ST_CW_CHANGE_A; else s->s3->hs.state = SSL_ST_OK; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_CW_FLUSH: - s->internal->rwstate = SSL_WRITING; + s->rwstate = SSL_WRITING; if (BIO_flush(s->wbio) <= 0) { if (SSL_is_dtls(s)) { /* If the write error was fatal, stop trying */ if (!BIO_should_retry(s->wbio)) { - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; s->s3->hs.state = s->s3->hs.tls12.next_state; } } ret = -1; goto end; } - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; s->s3->hs.state = s->s3->hs.tls12.next_state; break; @@ -578,18 +601,18 @@ ssl3_connect(SSL *s) ssl_free_wbio_buffer(s); - s->internal->init_num = 0; - s->internal->renegotiate = 0; - s->internal->new_session = 0; + s->init_num = 0; + s->renegotiate = 0; + s->new_session = 0; ssl_update_cache(s, SSL_SESS_CACHE_CLIENT); - if (s->internal->hit) - s->ctx->internal->stats.sess_hit++; + if (s->hit) + s->ctx->stats.sess_hit++; ret = 1; /* s->server=0; */ - s->internal->handshake_func = ssl3_connect; - s->ctx->internal->stats.sess_connect_good++; + s->handshake_func = ssl3_connect; + s->ctx->stats.sess_connect_good++; ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1); @@ -611,7 +634,7 @@ ssl3_connect(SSL *s) /* did we do anything */ if (!s->s3->hs.tls12.reuse_message && !skip) { - if (s->internal->debug) { + if (s->debug) { if ((ret = BIO_flush(s->wbio)) <= 0) goto end; } 
@@ -627,13 +650,13 @@ ssl3_connect(SSL *s) } end: - s->internal->in_handshake--; + s->in_handshake--; ssl_info_callback(s, SSL_CB_CONNECT_EXIT, ret); return (ret); } -int +static int ssl3_send_client_hello(SSL *s) { CBB cbb, client_hello, session_id, cookie, cipher_suites; @@ -652,9 +675,8 @@ ssl3_send_client_hello(SSL *s) } s->version = max_version; - if (sess == NULL || - sess->ssl_version != s->version || - (!sess->session_id_length && !sess->tlsext_tick) || + if (sess == NULL || sess->ssl_version != s->version || + (sess->session_id_length == 0 && sess->tlsext_tick == NULL) || sess->not_resumable) { if (!ssl_get_new_session(s, 0)) goto err; @@ -684,7 +706,7 @@ ssl3_send_client_hello(SSL *s) /* Session ID */ if (!CBB_add_u8_length_prefixed(&client_hello, &session_id)) goto err; - if (!s->internal->new_session && + if (!s->new_session && s->session->session_id_length > 0) { sl = s->session->session_id_length; if (sl > sizeof(s->session->session_id)) { @@ -746,7 +768,7 @@ ssl3_send_client_hello(SSL *s) return (-1); } -int +static int ssl3_get_dtls_hello_verify(SSL *s) { CBS hello_verify_request, cookie; @@ -755,7 +777,7 @@ ssl3_get_dtls_hello_verify(SSL *s) int al, ret; if ((ret = ssl3_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A, - DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list)) <= 0) + DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->max_cert_list)) <= 0) return ret; if (s->s3->hs.tls12.message_type != DTLS1_MT_HELLO_VERIFY_REQUEST) { @@ -764,11 +786,11 @@ ssl3_get_dtls_hello_verify(SSL *s) return (1); } - if (s->internal->init_num < 0) + if (s->init_num < 0) goto decode_err; - CBS_init(&hello_verify_request, s->internal->init_msg, - s->internal->init_num); + CBS_init(&hello_verify_request, s->init_msg, + s->init_num); if (!CBS_get_u16(&hello_verify_request, &ssl_version)) goto decode_err; @@ -807,7 +829,7 @@ ssl3_get_dtls_hello_verify(SSL *s) return -1; } -int +static int ssl3_get_server_hello(SSL *s) { CBS cbs, server_random, session_id; 
@@ -816,19 +838,18 @@ ssl3_get_server_hello(SSL *s) const SSL_CIPHER *cipher; const SSL_METHOD *method; unsigned long alg_k; - size_t outlen; int al, ret; - s->internal->first_packet = 1; + s->first_packet = 1; if ((ret = ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, SSL3_ST_CR_SRVR_HELLO_B, -1, 20000 /* ?? */)) <= 0) return ret; - s->internal->first_packet = 0; + s->first_packet = 0; - if (s->internal->init_num < 0) + if (s->init_num < 0) goto decode_err; - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); if (SSL_is_dtls(s)) { if (s->s3->hs.tls12.message_type == DTLS1_MT_HELLO_VERIFY_REQUEST) { @@ -923,16 +944,26 @@ ssl3_get_server_hello(SSL *s) * Check if we want to resume the session based on external * pre-shared secret. */ - if (s->internal->tls_session_secret_cb) { + if (s->tls_session_secret_cb != NULL) { SSL_CIPHER *pref_cipher = NULL; - s->session->master_key_length = sizeof(s->session->master_key); - if (s->internal->tls_session_secret_cb(s, s->session->master_key, - &s->session->master_key_length, NULL, &pref_cipher, - s->internal->tls_session_secret_cb_arg)) { - s->session->cipher = pref_cipher ? pref_cipher : - ssl3_get_cipher_by_value(cipher_suite); - s->s3->flags |= SSL3_FLAGS_CCS_OK; + int master_key_length = sizeof(s->session->master_key); + + if (!s->tls_session_secret_cb(s, + s->session->master_key, &master_key_length, NULL, + &pref_cipher, s->tls_session_secret_cb_arg)) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + goto err; } + if (master_key_length <= 0) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + goto err; + } + s->session->master_key_length = master_key_length; + + if ((s->session->cipher = pref_cipher) == NULL) + s->session->cipher = + ssl3_get_cipher_by_value(cipher_suite); + s->s3->flags |= SSL3_FLAGS_CCS_OK; } if (s->session->session_id_length != 0 && 
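Review bot: The new `tls_session_secret_cb` handling checks `master_key_length <= 0` but not the upper bound: a callback that reports a length larger than `sizeof(s->session->master_key)` would make `s->session->master_key_length` overstate the buffer, and later reads of the master key would run past it. Reject that case too: `if (master_key_length <= 0 || master_key_length > (int)sizeof(s->session->master_key)) {`. Note also that a callback returning 0 is now a fatal `ERR_R_INTERNAL_ERROR`, whereas the removed code simply fell through and continued the handshake; if that change is intended, a comment stating the callback contract would save the next reader a trip to the history.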
@@ -947,13 +978,13 @@ ssl3_get_server_hello(SSL *s) goto fatal_err; } s->s3->flags |= SSL3_FLAGS_CCS_OK; - s->internal->hit = 1; + s->hit = 1; } else { /* a miss or crap from the other end */ /* If we were trying for session-id reuse, make a new * SSL_SESSION so we don't stuff up other people */ - s->internal->hit = 0; + s->hit = 0; if (s->session->session_id_length > 0) { if (!ssl_get_new_session(s, 0)) { al = SSL_AD_INTERNAL_ERROR; @@ -966,9 +997,9 @@ ssl3_get_server_hello(SSL *s) * zero length session identifier. */ if (!CBS_write_bytes(&session_id, s->session->session_id, - sizeof(s->session->session_id), &outlen)) + sizeof(s->session->session_id), + &s->session->session_id_length)) goto err; - s->session->session_id_length = outlen; s->session->ssl_version = s->version; } @@ -1001,7 +1032,7 @@ ssl3_get_server_hello(SSL *s) */ if (s->session->cipher) s->session->cipher_id = s->session->cipher->id; - if (s->internal->hit && (s->session->cipher_id != cipher->id)) { + if (s->hit && (s->session->cipher_id != cipher->id)) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_OLD_SESSION_CIPHER_NOT_RETURNED); goto fatal_err; @@ -1045,7 +1076,7 @@ ssl3_get_server_hello(SSL *s) * absence on initial connect only. */ if (!s->s3->renegotiate_seen && - !(s->internal->options & SSL_OP_LEGACY_SERVER_CONNECT)) { + !(s->options & SSL_OP_LEGACY_SERVER_CONNECT)) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); goto fatal_err; 
@@ -1068,19 +1099,17 @@ ssl3_get_server_hello(SSL *s) return (-1); } -int +static int ssl3_get_server_certificate(SSL *s) { - CBS cbs, cert_list; - X509 *x = NULL; - const unsigned char *q; - STACK_OF(X509) *sk = NULL; - EVP_PKEY *pkey; - int cert_type; + CBS cbs, cert_list, cert_data; + STACK_OF(X509) *certs = NULL; + X509 *cert = NULL; + const uint8_t *p; int al, ret; if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A, - SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list)) <= 0) + SSL3_ST_CR_CERT_B, -1, s->max_cert_list)) <= 0) return ret; ret = -1; 
@@ -1096,95 +1125,57 @@ ssl3_get_server_certificate(SSL *s) goto fatal_err; } - if ((sk = sk_X509_new_null()) == NULL) { + if ((certs = sk_X509_new_null()) == NULL) { SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } - if (s->internal->init_num < 0) + if (s->init_num < 0) goto decode_err; - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); - if (CBS_len(&cbs) < 3) - goto decode_err; + CBS_init(&cbs, s->init_msg, s->init_num); - if (!CBS_get_u24_length_prefixed(&cbs, &cert_list) || - CBS_len(&cbs) != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerror(s, SSL_R_LENGTH_MISMATCH); - goto fatal_err; - } + if (!CBS_get_u24_length_prefixed(&cbs, &cert_list)) + goto decode_err; + if (CBS_len(&cbs) != 0) + goto decode_err; while (CBS_len(&cert_list) > 0) { - CBS cert; - - if (CBS_len(&cert_list) < 3) + if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) goto decode_err; - if (!CBS_get_u24_length_prefixed(&cert_list, &cert)) { - al = SSL_AD_DECODE_ERROR; - SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); - goto fatal_err; - } - - q = CBS_data(&cert); - x = d2i_X509(NULL, &q, CBS_len(&cert)); - if (x == NULL) { + p = CBS_data(&cert_data); + if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) { al = SSL_AD_BAD_CERTIFICATE; SSLerror(s, ERR_R_ASN1_LIB); goto fatal_err; } - if (q != CBS_data(&cert) + CBS_len(&cert)) { - al = SSL_AD_DECODE_ERROR; - SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); - goto fatal_err; - } - if (!sk_X509_push(sk, x)) { + if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) + goto decode_err; + if (!sk_X509_push(certs, cert)) { SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } - x = NULL; + cert = NULL; } - if (ssl_verify_cert_chain(s, sk) <= 0 && + /* A server must always provide a non-empty certificate list. 
*/ + if (sk_X509_num(certs) < 1) { + SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); + goto decode_err; + } + + if (ssl_verify_cert_chain(s, certs) <= 0 && s->verify_mode != SSL_VERIFY_NONE) { al = ssl_verify_alarm_type(s->verify_result); SSLerror(s, SSL_R_CERTIFICATE_VERIFY_FAILED); goto fatal_err; } - ERR_clear_error(); /* but we keep s->verify_result */ - - /* - * Inconsistency alert: cert_chain does include the peer's - * certificate, which we don't include in s3_srvr.c - */ - x = sk_X509_value(sk, 0); - - if ((pkey = X509_get0_pubkey(x)) == NULL || - EVP_PKEY_missing_parameters(pkey)) { - x = NULL; - al = SSL3_AL_FATAL; - SSLerror(s, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); - goto fatal_err; - } - if ((cert_type = ssl_cert_type(pkey)) < 0) { - x = NULL; - al = SSL3_AL_FATAL; - SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE); - goto fatal_err; - } - - X509_up_ref(x); - X509_free(s->session->peer_cert); - s->session->peer_cert = x; - s->session->peer_cert_type = cert_type; - s->session->verify_result = s->verify_result; + ERR_clear_error(); - sk_X509_pop_free(s->session->cert_chain, X509_free); - s->session->cert_chain = sk; - sk = NULL; + if (!tls_process_peer_certs(s, certs)) + goto err; - x = NULL; ret = 1; if (0) { @@ -1196,8 +1187,8 @@ ssl3_get_server_certificate(SSL *s) ssl3_send_alert(s, SSL3_AL_FATAL, al); } err: - X509_free(x); - sk_X509_pop_free(sk, X509_free); + sk_X509_pop_free(certs, X509_free); + X509_free(cert); return (ret); } @@ -1240,6 +1231,12 @@ ssl3_get_server_kex_dhe(SSL *s, CBS *cbs) goto err; } + if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) { + SSLerror(s, SSL_R_DH_KEY_TOO_SMALL); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + return 0; + } + return 1; err: 
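Review bot: In ssl3_get_server_certificate the new empty-chain check calls `SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE)` and then `goto decode_err`; the `decode_err` label is outside the hunk, but the unchanged `if (0) { ... fatal_err:` structure presumably queues its own length error and sends a decode_error alert, so two errors land on the stack and the alert describes a length problem rather than a missing certificate. Prefer `al = SSL_AD_HANDSHAKE_FAILURE; goto fatal_err;` (or whichever alert the project uses for this condition). Separately, `certs` is freed unconditionally at `err:` after `tls_process_peer_certs(s, certs)`, so that helper (outside this diff) must not take ownership of the stack or its elements without up-referencing — worth confirming, since the removed code stored the stack directly in `s->session->cert_chain`.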
@@ -1250,13 +1247,13 @@ static int ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs) { uint8_t curve_type; - uint16_t curve_id; + uint16_t group_id; int decode_error; CBS public; if (!CBS_get_u8(cbs, &curve_type)) goto decode_err; - if (!CBS_get_u16(cbs, &curve_id)) + if (!CBS_get_u16(cbs, &group_id)) goto decode_err; /* Only named curves are supported. */ @@ -1270,17 +1267,17 @@ ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs) goto decode_err; /* - * Check that the curve is one of our preferences - if it is not, - * the server has sent us an invalid curve. + * Check that the group is one of our preferences - if it is not, + * the server has sent us an invalid group. */ - if (!tls1_check_curve(s, curve_id)) { + if (!tls1_check_group(s, group_id)) { SSLerror(s, SSL_R_WRONG_CURVE); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); goto err; } tls_key_share_free(s->s3->hs.key_share); - if ((s->s3->hs.key_share = tls_key_share_new(curve_id)) == NULL) + if ((s->s3->hs.key_share = tls_key_share_new(group_id)) == NULL) goto err; if (!tls_key_share_peer_public(s->s3->hs.key_share, &public, @@ -1299,7 +1296,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, CBS *cbs) return 0; } -int +static int ssl3_get_server_key_exchange(SSL *s) { CBS cbs, signature; @@ -1317,16 +1314,16 @@ ssl3_get_server_key_exchange(SSL *s) * as ServerKeyExchange message may be skipped. */ if ((ret = ssl3_get_message(s, SSL3_ST_CR_KEY_EXCH_A, - SSL3_ST_CR_KEY_EXCH_B, -1, s->internal->max_cert_list)) <= 0) + SSL3_ST_CR_KEY_EXCH_B, -1, s->max_cert_list)) <= 0) return ret; if ((md_ctx = EVP_MD_CTX_new()) == NULL) goto err; - if (s->internal->init_num < 0) + if (s->init_num < 0) goto err; - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); if (s->s3->hs.tls12.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { /* 
@@ -1447,7 +1444,7 @@ ssl3_get_server_key_exchange(SSL *s) return (-1); } -int +static int ssl3_get_certificate_request(SSL *s) { CBS cert_request, cert_types, rdn_list; @@ -1457,7 +1454,7 @@ ssl3_get_certificate_request(SSL *s) int ret; if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_REQ_A, - SSL3_ST_CR_CERT_REQ_B, -1, s->internal->max_cert_list)) <= 0) + SSL3_ST_CR_CERT_REQ_B, -1, s->max_cert_list)) <= 0) return ret; ret = 0; @@ -1487,9 +1484,9 @@ ssl3_get_certificate_request(SSL *s) goto err; } - if (s->internal->init_num < 0) + if (s->init_num < 0) goto decode_err; - CBS_init(&cert_request, s->internal->init_msg, s->internal->init_num); + CBS_init(&cert_request, s->init_msg, s->init_num); if ((ca_sk = sk_X509_NAME_new(ca_dn_cmp)) == NULL) { SSLerror(s, ERR_R_MALLOC_FAILURE); @@ -1591,11 +1588,12 @@ ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b) return (X509_NAME_cmp(*a, *b)); } -int +static int ssl3_get_new_session_ticket(SSL *s) { uint32_t lifetime_hint; CBS cbs, session_ticket; + unsigned int session_id_length = 0; int al, ret; if ((ret = ssl3_get_message(s, SSL3_ST_CR_SESSION_TICKET_A, @@ -1612,13 +1610,13 @@ ssl3_get_new_session_ticket(SSL *s) goto fatal_err; } - if (s->internal->init_num < 0) { + if (s->init_num < 0) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); goto fatal_err; } - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); if (!CBS_get_u32(&cbs, &lifetime_hint) || !CBS_get_u16_length_prefixed(&cbs, &session_ticket) || CBS_len(&cbs) != 0) { @@ -1635,7 +1633,7 @@ ssl3_get_new_session_ticket(SSL *s) } /* - * There are two ways to detect a resumed ticket sesion. + * There are two ways to detect a resumed ticket session. * One is to set an appropriate session ID and then the server * must return a match in ServerHello. This allows the normal * client session ID matching to work and we know much 
@@ -1647,12 +1645,16 @@ ssl3_get_new_session_ticket(SSL *s) * * We choose the former approach because this fits in with * assumptions elsewhere in OpenSSL. The session ID is set - * to the SHA256 (or SHA1 is SHA256 is disabled) hash of the - * ticket. + * to the SHA256 hash of the ticket. */ - EVP_Digest(CBS_data(&session_ticket), CBS_len(&session_ticket), - s->session->session_id, &s->session->session_id_length, - EVP_sha256(), NULL); + /* XXX - ensure this doesn't overflow session_id if hash is changed. */ + if (!EVP_Digest(CBS_data(&session_ticket), CBS_len(&session_ticket), + s->session->session_id, &session_id_length, EVP_sha256(), NULL)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerror(s, ERR_R_EVP_LIB); + goto fatal_err; + } + s->session->session_id_length = session_id_length; return (1); @@ -1662,7 +1664,7 @@ ssl3_get_new_session_ticket(SSL *s) return (-1); } -int +static int ssl3_get_cert_status(SSL *s) { CBS cert_status, response; @@ -1678,13 +1680,13 @@ ssl3_get_cert_status(SSL *s) * Tell the callback the server did not send us an OSCP * response, and has decided to head directly to key exchange. */ - if (s->ctx->internal->tlsext_status_cb) { - free(s->internal->tlsext_ocsp_resp); - s->internal->tlsext_ocsp_resp = NULL; - s->internal->tlsext_ocsp_resp_len = 0; + if (s->ctx->tlsext_status_cb) { + free(s->tlsext_ocsp_resp); + s->tlsext_ocsp_resp = NULL; + s->tlsext_ocsp_resp_len = 0; - ret = s->ctx->internal->tlsext_status_cb(s, - s->ctx->internal->tlsext_status_arg); + ret = s->ctx->tlsext_status_cb(s, + s->ctx->tlsext_status_arg); if (ret == 0) { al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); 
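Review bot: The `XXX - ensure this doesn't overflow session_id if hash is changed` comment marks a constraint the code could enforce rather than document: EVP_Digest writes the digest length into `s->session->session_id`, so a guard before the call, `if (EVP_MD_size(EVP_sha256()) > (int)sizeof(s->session->session_id)) goto fatal_err;` (with `al = SSL_AD_INTERNAL_ERROR` and an SSLerror set as in the new failure branch), would turn a future hash change into a clean handshake failure instead of a write past the buffer. The rest of ssl3_get_new_session_ticket, including `fatal_err`, is outside this hunk.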
@@ -1707,14 +1709,14 @@ ssl3_get_cert_status(SSL *s) goto fatal_err; } - if (s->internal->init_num < 0) { + if (s->init_num < 0) { /* need at least status type + length */ al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_MISMATCH); goto fatal_err; } - CBS_init(&cert_status, s->internal->init_msg, s->internal->init_num); + CBS_init(&cert_status, s->init_msg, s->init_num); if (!CBS_get_u8(&cert_status, &status_type) || CBS_len(&cert_status) < 3) { /* need at least status type + length */ @@ -1736,17 +1738,16 @@ ssl3_get_cert_status(SSL *s) goto fatal_err; } - if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, - &s->internal->tlsext_ocsp_resp_len)) { + if (!CBS_stow(&response, &s->tlsext_ocsp_resp, + &s->tlsext_ocsp_resp_len)) { al = SSL_AD_INTERNAL_ERROR; SSLerror(s, ERR_R_MALLOC_FAILURE); goto fatal_err; } - if (s->ctx->internal->tlsext_status_cb) { - int ret; - ret = s->ctx->internal->tlsext_status_cb(s, - s->ctx->internal->tlsext_status_arg); + if (s->ctx->tlsext_status_cb) { + ret = s->ctx->tlsext_status_cb(s, + s->ctx->tlsext_status_arg); if (ret == 0) { al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); @@ -1764,7 +1765,7 @@ ssl3_get_cert_status(SSL *s) return (-1); } -int +static int ssl3_get_server_done(SSL *s) { int ret; @@ -1774,7 +1775,7 @@ ssl3_get_server_done(SSL *s) 30 /* should be very small, like 0 :-) */)) <= 0) return ret; - if (s->internal->init_num != 0) { + if (s->init_num != 0) { /* should contain no data */ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); SSLerror(s, SSL_R_LENGTH_MISMATCH); @@ -1871,6 +1872,12 @@ ssl3_send_client_kex_dhe(SSL *s, CBB *cbb) if (!tls_key_share_derive(s->s3->hs.key_share, &key, &key_len)) goto err; + if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) { + SSLerror(s, SSL_R_DH_KEY_TOO_SMALL); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + return 0; + } + if (!tls12_derive_master_secret(s, key, key_len)) goto err; 
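Review bot: In ssl3_send_client_kex_dhe the new `tls_key_share_peer_security()` check runs after `tls_key_share_derive(s->s3->hs.key_share, &key, &key_len)` has already produced `key`, and fails with a bare `return 0` instead of the `goto err` the neighbouring branches use, so the derived premaster secret is leaked (and not zeroed) on that path — `err:` is outside the hunk, but every other failure in this function reaches it. Either replace `return 0;` with `goto err;` (with whatever return value `err:` expects) or, better, move the check above the derive so no key material is computed for a group that is about to be rejected, mirroring its placement in ssl3_get_server_kex_dhe earlier in this diff. Checking the peer's group is cheap, so doing it before the modular exponentiation is the natural order.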
@@ -1934,7 +1941,7 @@ ssl3_send_client_kex_gost(SSL *s, CBB *cbb) int nid; int ret = 0; - /* Get server sertificate PKEY and create ctx from it */ + /* Get server certificate PKEY and create ctx from it */ pkey = X509_get0_pubkey(s->session->peer_cert); if (pkey == NULL || s->session->peer_cert_type != SSL_PKEY_GOST01) { SSLerror(s, SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER); @@ -2034,7 +2041,7 @@ ssl3_send_client_kex_gost(SSL *s, CBB *cbb) return ret; } -int +static int ssl3_send_client_key_exchange(SSL *s) { unsigned long alg_k; @@ -2293,7 +2300,7 @@ ssl3_send_client_verify_gost(SSL *s, EVP_PKEY *pkey, CBB *cert_verify) } #endif -int +static int ssl3_send_client_verify(SSL *s) { const struct ssl_sigalg *sigalg; @@ -2355,7 +2362,7 @@ ssl3_send_client_verify(SSL *s) return (-1); } -int +static int ssl3_send_client_certificate(SSL *s) { EVP_PKEY *pkey = NULL; @@ -2377,15 +2384,15 @@ ssl3_send_client_certificate(SSL *s) if (s->s3->hs.state == SSL3_ST_CW_CERT_B) { /* * If we get an error, we need to - * ssl->internal->rwstate = SSL_X509_LOOKUP; return(-1); + * ssl->rwstate = SSL_X509_LOOKUP; return(-1); * We then get retried later. */ i = ssl_do_client_cert_cb(s, &x509, &pkey); if (i < 0) { - s->internal->rwstate = SSL_X509_LOOKUP; + s->rwstate = SSL_X509_LOOKUP; return (-1); } - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; if ((i == 1) && (pkey != NULL) && (x509 != NULL)) { s->s3->hs.state = SSL3_ST_CW_CERT_B; if (!SSL_use_certificate(s, x509) || @@ -2433,7 +2440,7 @@ ssl3_send_client_certificate(SSL *s) #define has_bits(i,m) (((i)&(m)) == (m)) -int +static int ssl3_check_cert_and_algorithm(SSL *s) { long alg_k, alg_a; @@ -2491,7 +2498,7 @@ ssl3_check_cert_and_algorithm(SSL *s) * session tickets we have to check the next message to be sure. */ -int +static int ssl3_check_finished(SSL *s) { int ret; 
@@ -2502,7 +2509,7 @@ ssl3_check_finished(SSL *s) /* this function is called when we really expect a Certificate * message, so permit appropriate message length */ if ((ret = ssl3_get_message(s, SSL3_ST_CR_CERT_A, - SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list)) <= 0) + SSL3_ST_CR_CERT_B, -1, s->max_cert_list)) <= 0) return ret; s->s3->hs.tls12.reuse_message = 1; 
@@ -2513,21 +2520,155 @@ ssl3_check_finished(SSL *s) return (1); } -int +static int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey) { int i = 0; #ifndef OPENSSL_NO_ENGINE - if (s->ctx->internal->client_cert_engine) { + if (s->ctx->client_cert_engine) { i = ENGINE_load_ssl_client_cert( - s->ctx->internal->client_cert_engine, s, + s->ctx->client_cert_engine, s, SSL_get_client_CA_list(s), px509, ppkey, NULL, NULL, NULL); if (i != 0) return (i); } #endif - if (s->ctx->internal->client_cert_cb) - i = s->ctx->internal->client_cert_cb(s, px509, ppkey); + if (s->ctx->client_cert_cb) + i = s->ctx->client_cert_cb(s, px509, ppkey); return (i); } + +static int +ssl3_send_client_change_cipher_spec(SSL *s) +{ + size_t outlen; + CBB cbb; + + memset(&cbb, 0, sizeof(cbb)); + + if (s->s3->hs.state == SSL3_ST_CW_CHANGE_A) { + if (!CBB_init_fixed(&cbb, s->init_buf->data, + s->init_buf->length)) + goto err; + if (!CBB_add_u8(&cbb, SSL3_MT_CCS)) + goto err; + if (!CBB_finish(&cbb, NULL, &outlen)) + goto err; + + if (outlen > INT_MAX) + goto err; + + s->init_num = (int)outlen; + s->init_off = 0; + + if (SSL_is_dtls(s)) { + s->d1->handshake_write_seq = + s->d1->next_handshake_write_seq; + dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, + s->d1->handshake_write_seq, 0, 0); + dtls1_buffer_message(s, 1); + } + + s->s3->hs.state = SSL3_ST_CW_CHANGE_B; + } + + /* SSL3_ST_CW_CHANGE_B */ + return ssl3_record_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); + + err: + CBB_cleanup(&cbb); + + return -1; +} + +static int +ssl3_send_client_finished(SSL *s) +{ + CBB cbb, finished; + + memset(&cbb, 0, sizeof(cbb)); + + if (s->s3->hs.state == SSL3_ST_CW_FINISHED_A) { + if (!tls12_derive_finished(s)) + goto err; + + /* Copy finished so we can use it for renegotiation checks. 
*/ + memcpy(s->s3->previous_client_finished, + s->s3->hs.finished, s->s3->hs.finished_len); + s->s3->previous_client_finished_len = + s->s3->hs.finished_len; + + if (!ssl3_handshake_msg_start(s, &cbb, &finished, + SSL3_MT_FINISHED)) + goto err; + if (!CBB_add_bytes(&finished, s->s3->hs.finished, + s->s3->hs.finished_len)) + goto err; + if (!ssl3_handshake_msg_finish(s, &cbb)) + goto err; + + s->s3->hs.state = SSL3_ST_CW_FINISHED_B; + } + + return (ssl3_handshake_write(s)); + + err: + CBB_cleanup(&cbb); + + return (-1); +} + +static int +ssl3_get_server_finished(SSL *s) +{ + int al, md_len, ret; + CBS cbs; + + /* should actually be 36+4 :-) */ + if ((ret = ssl3_get_message(s, SSL3_ST_CR_FINISHED_A, + SSL3_ST_CR_FINISHED_B, SSL3_MT_FINISHED, 64)) <= 0) + return ret; + + /* If this occurs, we have missed a message */ + if (!s->s3->change_cipher_spec) { + al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS); + goto fatal_err; + } + s->s3->change_cipher_spec = 0; + + md_len = TLS1_FINISH_MAC_LENGTH; + + if (s->init_num < 0) { + al = SSL_AD_DECODE_ERROR; + SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); + goto fatal_err; + } + + CBS_init(&cbs, s->init_msg, s->init_num); + + if (s->s3->hs.peer_finished_len != md_len || + CBS_len(&cbs) != md_len) { + al = SSL_AD_DECODE_ERROR; + SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); + goto fatal_err; + } + + if (!CBS_mem_equal(&cbs, s->s3->hs.peer_finished, CBS_len(&cbs))) { + al = SSL_AD_DECRYPT_ERROR; + SSLerror(s, SSL_R_DIGEST_CHECK_FAILED); + goto fatal_err; + } + + /* Copy finished so we can use it for renegotiation checks. */ + OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE); + memcpy(s->s3->previous_server_finished, + s->s3->hs.peer_finished, md_len); + s->s3->previous_server_finished_len = md_len; + + return (1); + fatal_err: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + return (0); +} diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index d4c9fbb..59d8119 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c 
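Review bot: In ssl3_send_client_finished the copy into `s->s3->previous_client_finished` is bounded only by `s->s3->hs.finished_len`, whereas the mirror copy in ssl3_get_server_finished first asserts `md_len <= EVP_MAX_MD_SIZE`; unless tls12_derive_finished (outside the hunk) guarantees the length, add `if (s->s3->hs.finished_len > sizeof(s->s3->previous_client_finished)) goto err;` before the memcpy so both sides guard the same way. In ssl3_send_client_change_cipher_spec the DTLS branch discards the result of `dtls1_buffer_message(s, 1)`; if that call can fail, a failed retransmit-buffer insert should `goto err` rather than continue silently. Each of the three new functions would also benefit from a one-line header comment stating which handshake state it handles.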
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_err.c,v 1.40 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: ssl_err.c,v 1.45 2022/11/26 16:08:55 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -53,20 +53,14 @@ * */ -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. - */ - #include #include #include #include -#include "ssl_locl.h" +#include "ssl_local.h" -/* BEGIN ERROR CODES */ #ifndef OPENSSL_NO_ERR #define ERR_FUNC(func) ERR_PACK(ERR_LIB_SSL,func,0) @@ -208,6 +202,8 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_BN_LIB) , "bn lib"}, {ERR_REASON(SSL_R_CA_DN_LENGTH_MISMATCH) , "ca dn length mismatch"}, {ERR_REASON(SSL_R_CA_DN_TOO_LONG) , "ca dn too long"}, + {ERR_REASON(SSL_R_CA_KEY_TOO_SMALL) , "ca key too small"}, + {ERR_REASON(SSL_R_CA_MD_TOO_WEAK) , "ca md too weak"}, {ERR_REASON(SSL_R_CCS_RECEIVED_EARLY) , "ccs received early"}, {ERR_REASON(SSL_R_CERTIFICATE_VERIFY_FAILED), "certificate verify failed"}, {ERR_REASON(SSL_R_CERT_LENGTH_MISMATCH) , "cert length mismatch"}, @@ -229,6 +225,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_DATA_LENGTH_TOO_LONG) , "data length too long"}, {ERR_REASON(SSL_R_DECRYPTION_FAILED) , "decryption failed"}, {ERR_REASON(SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC), "decryption failed or bad record mac"}, + {ERR_REASON(SSL_R_DH_KEY_TOO_SMALL) , "dh key too small"}, {ERR_REASON(SSL_R_DH_PUBLIC_VALUE_LENGTH_IS_WRONG), "dh public value length is wrong"}, {ERR_REASON(SSL_R_DIGEST_CHECK_FAILED) , "digest check failed"}, {ERR_REASON(SSL_R_DTLS_MESSAGE_TOO_BIG) , "dtls message too big"}, 
@@ -238,6 +235,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_RSA_SIGNATURE), "ecc cert should have rsa signature"}, {ERR_REASON(SSL_R_ECC_CERT_SHOULD_HAVE_SHA1_SIGNATURE), "ecc cert should have sha1 signature"}, {ERR_REASON(SSL_R_ECGROUP_TOO_LARGE_FOR_CIPHER), "ecgroup too large for cipher"}, + {ERR_REASON(SSL_R_EE_KEY_TOO_SMALL) , "ee key too small"}, {ERR_REASON(SSL_R_EMPTY_SRTP_PROTECTION_PROFILE_LIST), "empty srtp protection profile list"}, {ERR_REASON(SSL_R_ENCRYPTED_LENGTH_TOO_LONG), "encrypted length too long"}, {ERR_REASON(SSL_R_ERROR_GENERATING_TMP_RSA_KEY), "error generating tmp rsa key"}, @@ -327,6 +325,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_PACKET_LENGTH_TOO_LONG), "packet length too long"}, {ERR_REASON(SSL_R_PARSE_TLSEXT) , "parse tlsext"}, {ERR_REASON(SSL_R_PATH_TOO_LONG) , "path too long"}, + {ERR_REASON(SSL_R_PEER_BEHAVING_BADLY) , "peer is doing strange or hostile things"}, {ERR_REASON(SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE), "peer did not return a certificate"}, {ERR_REASON(SSL_R_PEER_ERROR) , "peer error"}, {ERR_REASON(SSL_R_PEER_ERROR_CERTIFICATE), "peer error certificate"}, @@ -342,6 +341,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_PUBLIC_KEY_ENCRYPT_ERROR), "public key encrypt error"}, {ERR_REASON(SSL_R_PUBLIC_KEY_IS_NOT_RSA) , "public key is not rsa"}, {ERR_REASON(SSL_R_PUBLIC_KEY_NOT_RSA) , "public key not rsa"}, + {ERR_REASON(SSL_R_QUIC_INTERNAL_ERROR) , "QUIC: internal error"}, {ERR_REASON(SSL_R_READ_BIO_NOT_SET) , "read bio not set"}, {ERR_REASON(SSL_R_READ_TIMEOUT_EXPIRED) , "read timeout expired"}, {ERR_REASON(SSL_R_READ_WRONG_PACKET_TYPE), "read wrong packet type"}, 
@@ -432,6 +432,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_UNEXPECTED_MESSAGE) , "unexpected message"}, {ERR_REASON(SSL_R_UNEXPECTED_RECORD) , "unexpected record"}, {ERR_REASON(SSL_R_UNINITIALIZED) , "uninitialized"}, + {ERR_REASON(SSL_R_UNKNOWN), "unknown failure occurred"}, {ERR_REASON(SSL_R_UNKNOWN_ALERT_TYPE) , "unknown alert type"}, {ERR_REASON(SSL_R_UNKNOWN_CERTIFICATE_TYPE), "unknown certificate type"}, {ERR_REASON(SSL_R_UNKNOWN_CIPHER_RETURNED), "unknown cipher returned"}, @@ -452,9 +453,11 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_UNSUPPORTED_SSL_VERSION), "unsupported ssl version"}, {ERR_REASON(SSL_R_UNSUPPORTED_STATUS_TYPE), "unsupported status type"}, {ERR_REASON(SSL_R_USE_SRTP_NOT_NEGOTIATED), "use srtp not negotiated"}, + {ERR_REASON(SSL_R_VERSION_TOO_LOW) , "version too low"}, {ERR_REASON(SSL_R_WRITE_BIO_NOT_SET) , "write bio not set"}, {ERR_REASON(SSL_R_WRONG_CIPHER_RETURNED) , "wrong cipher returned"}, {ERR_REASON(SSL_R_WRONG_CURVE) , "wrong curve"}, + {ERR_REASON(SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED), "QUIC: wrong encryption level received"}, {ERR_REASON(SSL_R_WRONG_MESSAGE_TYPE) , "wrong message type"}, {ERR_REASON(SSL_R_WRONG_NUMBER_OF_KEY_BITS), "wrong number of key bits"}, {ERR_REASON(SSL_R_WRONG_SIGNATURE_LENGTH), "wrong signature length"}, @@ -464,8 +467,6 @@ static ERR_STRING_DATA SSL_str_reasons[]= { {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) , "wrong version number"}, {ERR_REASON(SSL_R_X509_LIB) , "x509 lib"}, {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS), "x509 verification setup problems"}, - {ERR_REASON(SSL_R_PEER_BEHAVING_BADLY), "peer is doing strange or hostile things"}, - {ERR_REASON(SSL_R_UNKNOWN), "unknown failure occurred"}, {0, NULL} }; diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c index b521d22..65f38e2 100644 --- a/ssl/ssl_init.c +++ b/ssl/ssl_init.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_init.c,v 1.2 2018/03/30 14:59:46 jsing Exp $ */ +/* $OpenBSD: ssl_init.c,v 1.3 2022/11/26 16:08:55 tb Exp $ */ /* * Copyright (c) 2018 Bob Beck * @@ -22,7 +22,7 @@ #include -#include "ssl_locl.h" +#include "ssl_local.h" static pthread_t ssl_init_thread; diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 6adc28a..68e60a5 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.290 2022/03/18 18:01:17 jsing Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.309 2023/04/23 18:51:53 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -159,9 +159,11 @@ #endif #include "bytestring.h" -#include "dtls_locl.h" -#include "ssl_locl.h" +#include "dtls_local.h" +#include "ssl_local.h" #include "ssl_sigalgs.h" +#include "ssl_tlsext.h" +#include "tls12_internal.h" const char *SSL_version_str = OPENSSL_VERSION_TEXT; @@ -179,33 +181,33 @@ SSL_clear(SSL *s) } s->error = 0; - s->internal->hit = 0; - s->internal->shutdown = 0; + s->hit = 0; + s->shutdown = 0; - if (s->internal->renegotiate) { + if (s->renegotiate) { SSLerror(s, ERR_R_INTERNAL_ERROR); return (0); } s->version = s->method->version; s->client_version = s->version; - s->internal->rwstate = SSL_NOTHING; - s->internal->rstate = SSL_ST_READ_HEADER; + s->rwstate = SSL_NOTHING; + s->rstate = SSL_ST_READ_HEADER; - tls13_ctx_free(s->internal->tls13); - s->internal->tls13 = NULL; + tls13_ctx_free(s->tls13); + s->tls13 = NULL; ssl3_release_init_buffer(s); ssl_clear_cipher_state(s); - s->internal->first_packet = 0; + s->first_packet = 0; /* * Check to see if we were changed into a different method, if * so, revert back if we are not doing session-id reuse. */ - if (!s->internal->in_handshake && (s->session == NULL) && + if (!s->in_handshake && (s->session == NULL) && (s->method != s->ctx->method)) { s->method->ssl_free(s); s->method = s->ctx->method; 
@@ -226,7 +228,8 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) ctx->method = meth; ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, - ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST); + ctx->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST, + ctx->cert); if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) { SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return (0); @@ -238,6 +241,7 @@ SSL * SSL_new(SSL_CTX *ctx) { SSL *s; + CBS cbs; if (ctx == NULL) { SSLerrorx(SSL_R_NULL_SSL_CTX); 
@@ -250,98 +254,94 @@ SSL_new(SSL_CTX *ctx) if ((s = calloc(1, sizeof(*s))) == NULL) goto err; - if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL) + + if ((s->rl = tls12_record_layer_new()) == NULL) goto err; - if ((s->internal->rl = tls12_record_layer_new()) == NULL) + s->min_tls_version = ctx->min_tls_version; + s->max_tls_version = ctx->max_tls_version; + s->min_proto_version = ctx->min_proto_version; + s->max_proto_version = ctx->max_proto_version; + + s->options = ctx->options; + s->mode = ctx->mode; + s->max_cert_list = ctx->max_cert_list; + s->num_tickets = ctx->num_tickets; + + if ((s->cert = ssl_cert_dup(ctx->cert)) == NULL) goto err; - s->internal->min_tls_version = ctx->internal->min_tls_version; - s->internal->max_tls_version = ctx->internal->max_tls_version; - s->internal->min_proto_version = ctx->internal->min_proto_version; - s->internal->max_proto_version = ctx->internal->max_proto_version; - - s->internal->options = ctx->internal->options; - s->internal->mode = ctx->internal->mode; - s->internal->max_cert_list = ctx->internal->max_cert_list; - s->internal->num_tickets = ctx->internal->num_tickets; - - if ((s->cert = ssl_cert_dup(ctx->internal->cert)) == NULL) - goto err; - - s->internal->read_ahead = ctx->internal->read_ahead; - s->internal->msg_callback = ctx->internal->msg_callback; - s->internal->msg_callback_arg = ctx->internal->msg_callback_arg; + s->read_ahead = ctx->read_ahead; + s->msg_callback = ctx->msg_callback; + s->msg_callback_arg = ctx->msg_callback_arg; s->verify_mode = ctx->verify_mode; s->sid_ctx_length = ctx->sid_ctx_length; OPENSSL_assert(s->sid_ctx_length <= sizeof s->sid_ctx); memcpy(&s->sid_ctx, &ctx->sid_ctx, sizeof(s->sid_ctx)); - s->internal->verify_callback = ctx->internal->default_verify_callback; - s->internal->generate_session_id = ctx->internal->generate_session_id; + s->verify_callback = ctx->default_verify_callback; + s->generate_session_id = ctx->generate_session_id; s->param = X509_VERIFY_PARAM_new(); 
if (!s->param) goto err; X509_VERIFY_PARAM_inherit(s->param, ctx->param); - s->internal->quiet_shutdown = ctx->internal->quiet_shutdown; - s->max_send_fragment = ctx->internal->max_send_fragment; + s->quiet_shutdown = ctx->quiet_shutdown; + s->max_send_fragment = ctx->max_send_fragment; CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->ctx = ctx; - s->internal->tlsext_debug_cb = 0; - s->internal->tlsext_debug_arg = NULL; - s->internal->tlsext_ticket_expected = 0; + s->tlsext_debug_cb = 0; + s->tlsext_debug_arg = NULL; + s->tlsext_ticket_expected = 0; s->tlsext_status_type = -1; - s->internal->tlsext_status_expected = 0; - s->internal->tlsext_ocsp_ids = NULL; - s->internal->tlsext_ocsp_exts = NULL; - s->internal->tlsext_ocsp_resp = NULL; - s->internal->tlsext_ocsp_resp_len = 0; + s->tlsext_status_expected = 0; + s->tlsext_ocsp_ids = NULL; + s->tlsext_ocsp_exts = NULL; + s->tlsext_ocsp_resp = NULL; + s->tlsext_ocsp_resp_len = 0; CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->initial_ctx = ctx; - if (ctx->internal->tlsext_ecpointformatlist != NULL) { - s->internal->tlsext_ecpointformatlist = - calloc(ctx->internal->tlsext_ecpointformatlist_length, - sizeof(ctx->internal->tlsext_ecpointformatlist[0])); - if (s->internal->tlsext_ecpointformatlist == NULL) + if (!tlsext_randomize_build_order(s)) + goto err; + + if (ctx->tlsext_ecpointformatlist != NULL) { + s->tlsext_ecpointformatlist = + calloc(ctx->tlsext_ecpointformatlist_length, + sizeof(ctx->tlsext_ecpointformatlist[0])); + if (s->tlsext_ecpointformatlist == NULL) goto err; - memcpy(s->internal->tlsext_ecpointformatlist, - ctx->internal->tlsext_ecpointformatlist, - ctx->internal->tlsext_ecpointformatlist_length * - sizeof(ctx->internal->tlsext_ecpointformatlist[0])); - s->internal->tlsext_ecpointformatlist_length = - ctx->internal->tlsext_ecpointformatlist_length; + memcpy(s->tlsext_ecpointformatlist, + ctx->tlsext_ecpointformatlist, + ctx->tlsext_ecpointformatlist_length * + 
sizeof(ctx->tlsext_ecpointformatlist[0])); + s->tlsext_ecpointformatlist_length = + ctx->tlsext_ecpointformatlist_length; } - if (ctx->internal->tlsext_supportedgroups != NULL) { - s->internal->tlsext_supportedgroups = - calloc(ctx->internal->tlsext_supportedgroups_length, - sizeof(ctx->internal->tlsext_supportedgroups[0])); - if (s->internal->tlsext_supportedgroups == NULL) + if (ctx->tlsext_supportedgroups != NULL) { + s->tlsext_supportedgroups = + calloc(ctx->tlsext_supportedgroups_length, + sizeof(ctx->tlsext_supportedgroups[0])); + if (s->tlsext_supportedgroups == NULL) goto err; - memcpy(s->internal->tlsext_supportedgroups, - ctx->internal->tlsext_supportedgroups, - ctx->internal->tlsext_supportedgroups_length * - sizeof(ctx->internal->tlsext_supportedgroups[0])); - s->internal->tlsext_supportedgroups_length = - ctx->internal->tlsext_supportedgroups_length; + memcpy(s->tlsext_supportedgroups, + ctx->tlsext_supportedgroups, + ctx->tlsext_supportedgroups_length * + sizeof(ctx->tlsext_supportedgroups[0])); + s->tlsext_supportedgroups_length = + ctx->tlsext_supportedgroups_length; } - if (s->ctx->internal->alpn_client_proto_list != NULL) { - s->internal->alpn_client_proto_list = - malloc(s->ctx->internal->alpn_client_proto_list_len); - if (s->internal->alpn_client_proto_list == NULL) - goto err; - memcpy(s->internal->alpn_client_proto_list, - s->ctx->internal->alpn_client_proto_list, - s->ctx->internal->alpn_client_proto_list_len); - s->internal->alpn_client_proto_list_len = - s->ctx->internal->alpn_client_proto_list_len; - } + CBS_init(&cbs, ctx->alpn_client_proto_list, + ctx->alpn_client_proto_list_len); + if (!CBS_stow(&cbs, &s->alpn_client_proto_list, + &s->alpn_client_proto_list_len)) + goto err; s->verify_result = X509_V_OK; s->method = ctx->method; + s->quic_method = ctx->quic_method; if (!s->method->ssl_new(s)) goto err; 
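Review bot: The ALPN list is now copied with `CBS_init`/`CBS_stow`, but the two list copies above it (`tlsext_ecpointformatlist`, `tlsext_supportedgroups`) still use the calloc+memcpy pattern; if tlsext_ecpointformatlist is a byte array as its name suggests, the same `CBS_stow` idiom would make the copies uniform and drop the length multiplication (supportedgroups presumably holds wider elements and stays as is). Separately, `s->tlsext_debug_cb = 0;` assigns integer 0 to a function pointer while the neighbouring fields use NULL; `s->tlsext_debug_cb = NULL;` reads better, and since `s` comes from calloc these zero-assignments are redundant anyway. SSL_new's err path lies outside the hunk.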
@@ -351,7 +351,7 @@ SSL_new(SSL_CTX *ctx) SSL_clear(s); - CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->internal->ex_data); + CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); return (s); @@ -393,7 +393,7 @@ int SSL_CTX_set_generate_session_id(SSL_CTX *ctx, GEN_SESSION_CB cb) { CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - ctx->internal->generate_session_id = cb; + ctx->generate_session_id = cb; CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); return (1); } @@ -402,7 +402,7 @@ int SSL_set_generate_session_id(SSL *ssl, GEN_SESSION_CB cb) { CRYPTO_w_lock(CRYPTO_LOCK_SSL); - ssl->internal->generate_session_id = cb; + ssl->generate_session_id = cb; CRYPTO_w_unlock(CRYPTO_LOCK_SSL); return (1); } @@ -428,7 +428,7 @@ SSL_has_matching_session_id(const SSL *ssl, const unsigned char *id, memcpy(r.session_id, id, id_len); CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - p = lh_SSL_SESSION_retrieve(ssl->ctx->internal->sessions, &r); + p = lh_SSL_SESSION_retrieve(ssl->ctx->sessions, &r); CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); return (p != NULL); } @@ -521,7 +521,7 @@ SSL_free(SSL *s) X509_VERIFY_PARAM_free(s->param); - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->internal->ex_data); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL, s, &s->ex_data); if (s->bbio != NULL) { /* If the buffering BIO is in place, pop it off */ @@ -536,12 +536,12 @@ SSL_free(SSL *s) BIO_free_all(s->rbio); BIO_free_all(s->wbio); - tls13_ctx_free(s->internal->tls13); + tls13_ctx_free(s->tls13); ssl3_release_init_buffer(s); sk_SSL_CIPHER_free(s->cipher_list); - sk_SSL_CIPHER_free(s->internal->cipher_list_tls13); + sk_SSL_CIPHER_free(s->cipher_list_tls13); /* Make the next call work :-) */ if (s->session != NULL) { 
@@ -553,33 +553,36 @@ SSL_free(SSL *s) ssl_cert_free(s->cert); + free(s->tlsext_build_order); + free(s->tlsext_hostname); SSL_CTX_free(s->initial_ctx); - free(s->internal->tlsext_ecpointformatlist); - free(s->internal->tlsext_supportedgroups); + free(s->tlsext_ecpointformatlist); + free(s->tlsext_supportedgroups); - sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, + sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free); - sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); - free(s->internal->tlsext_ocsp_resp); + sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); + free(s->tlsext_ocsp_resp); - sk_X509_NAME_pop_free(s->internal->client_CA, X509_NAME_free); + sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free); if (s->method != NULL) s->method->ssl_free(s); SSL_CTX_free(s->ctx); - free(s->internal->alpn_client_proto_list); + free(s->alpn_client_proto_list); + + free(s->quic_transport_params); #ifndef OPENSSL_NO_SRTP - sk_SRTP_PROTECTION_PROFILE_free(s->internal->srtp_profiles); + sk_SRTP_PROTECTION_PROFILE_free(s->srtp_profiles); #endif - tls12_record_layer_free(s->internal->rl); + tls12_record_layer_free(s->rl); - free(s->internal); free(s); } @@ -768,25 +771,25 @@ SSL_get_verify_depth(const SSL *s) int (*SSL_get_verify_callback(const SSL *s))(int, X509_STORE_CTX *) { - return (s->internal->verify_callback); + return (s->verify_callback); } void SSL_CTX_set_keylog_callback(SSL_CTX *ctx, SSL_CTX_keylog_cb_func cb) { - ctx->internal->keylog_callback = cb; + ctx->keylog_callback = cb; } SSL_CTX_keylog_cb_func SSL_CTX_get_keylog_callback(const SSL_CTX *ctx) { - return (ctx->internal->keylog_callback); + return (ctx->keylog_callback); } int SSL_set_num_tickets(SSL *s, size_t num_tickets) { - s->internal->num_tickets = num_tickets; + s->num_tickets = num_tickets; return 1; } 
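Review bot: `free(s->tlsext_hostname);` is newly added to SSL_free in the first hunk, yet the field existed before this commit and must have been released elsewhere, most likely in the method's ssl_free that is still invoked a few lines below; unless that free was removed in the same commit this is a double free, so please confirm. The same question applies to the new `free(s->quic_transport_params);`, which SSL_clear (visible earlier in this diff) does not touch, so a reused connection presumably keeps the old parameters until SSL_free. A short comment above these frees stating that SSL_free owns these buffers would make the intent explicit.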
@@ -794,13 +797,13 @@ SSL_set_num_tickets(SSL *s, size_t num_tickets) size_t SSL_get_num_tickets(const SSL *s) { - return s->internal->num_tickets; + return s->num_tickets; } int SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) { - ctx->internal->num_tickets = num_tickets; + ctx->num_tickets = num_tickets; return 1; } @@ -808,7 +811,7 @@ SSL_CTX_set_num_tickets(SSL_CTX *ctx, size_t num_tickets) size_t SSL_CTX_get_num_tickets(const SSL_CTX *ctx) { - return ctx->internal->num_tickets; + return ctx->num_tickets; } int @@ -826,7 +829,7 @@ SSL_CTX_get_verify_depth(const SSL_CTX *ctx) int (*SSL_CTX_get_verify_callback(const SSL_CTX *ctx))(int, X509_STORE_CTX *) { - return (ctx->internal->default_verify_callback); + return (ctx->default_verify_callback); } void @@ -835,7 +838,7 @@ SSL_set_verify(SSL *s, int mode, { s->verify_mode = mode; if (callback != NULL) - s->internal->verify_callback = callback; + s->verify_callback = callback; } void @@ -847,13 +850,13 @@ SSL_set_verify_depth(SSL *s, int depth) void SSL_set_read_ahead(SSL *s, int yes) { - s->internal->read_ahead = yes; + s->read_ahead = yes; } int SSL_get_read_ahead(const SSL *s) { - return (s->internal->read_ahead); + return (s->read_ahead); } int @@ -881,20 +884,23 @@ SSL_get_peer_certificate(const SSL *s) STACK_OF(X509) * SSL_get_peer_cert_chain(const SSL *s) { - if (s == NULL || s->session == NULL) + if (s == NULL) return NULL; /* - * If we are a client, cert_chain includes the peer's own - * certificate; if we are a server, it does not. + * Achtung! Due to API inconsistency, a client includes the peer's leaf + * certificate in the peer certificate chain, while a server does not. */ - return s->session->cert_chain; + if (!s->server) + return s->s3->hs.peer_certs; + + return s->s3->hs.peer_certs_no_leaf; } STACK_OF(X509) * SSL_get0_verified_chain(const SSL *s) { - return s->internal->verified_chain; + return s->verified_chain; } /* 
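Review bot: In the last hunk SSL_get_peer_cert_chain now dereferences `s->s3->hs` where the old code bailed out on `s->session == NULL`; if `s->s3` can be NULL for an SSL whose method setup failed, the guard should read `if (s == NULL || s->s3 == NULL) return NULL;`. The new comment should also say that the returned stack is borrowed from the handshake state, so callers must not free it and should presumably expect it to be replaced by the next handshake, if that is the contract. SSL_get_peer_cert_chain is fully visible in the hunk.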
@@ -936,17 +942,17 @@ SSL_copy_session_id(SSL *t, const SSL *f) int SSL_CTX_check_private_key(const SSL_CTX *ctx) { - if ((ctx == NULL) || (ctx->internal->cert == NULL) || - (ctx->internal->cert->key->x509 == NULL)) { + if ((ctx == NULL) || (ctx->cert == NULL) || + (ctx->cert->key->x509 == NULL)) { SSLerrorx(SSL_R_NO_CERTIFICATE_ASSIGNED); return (0); } - if (ctx->internal->cert->key->privatekey == NULL) { + if (ctx->cert->key->privatekey == NULL) { SSLerrorx(SSL_R_NO_PRIVATE_KEY_ASSIGNED); return (0); } - return (X509_check_private_key(ctx->internal->cert->key->x509, - ctx->internal->cert->key->privatekey)); + return (X509_check_private_key(ctx->cert->key->x509, + ctx->cert->key->privatekey)); } /* Fix this function so that it takes an optional type parameter */ @@ -976,7 +982,7 @@ SSL_check_private_key(const SSL *ssl) int SSL_accept(SSL *s) { - if (s->internal->handshake_func == NULL) + if (s->handshake_func == NULL) SSL_set_accept_state(s); /* Not properly initialized yet */ return (s->method->ssl_accept(s)); @@ -985,7 +991,7 @@ SSL_accept(SSL *s) int SSL_connect(SSL *s) { - if (s->internal->handshake_func == NULL) + if (s->handshake_func == NULL) SSL_set_connect_state(s); /* Not properly initialized yet */ return (s->method->ssl_connect(s)); @@ -1027,13 +1033,18 @@ SSL_read(SSL *s, void *buf, int num) return -1; } - if (s->internal->handshake_func == NULL) { + if (SSL_is_quic(s)) { + SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return (-1); + } + + if (s->handshake_func == NULL) { SSLerror(s, SSL_R_UNINITIALIZED); return (-1); } - if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) { - s->internal->rwstate = SSL_NOTHING; + if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { + s->rwstate = SSL_NOTHING; return (0); } return ssl3_read(s, buf, num); 
@@ -1066,12 +1077,17 @@ SSL_peek(SSL *s, void *buf, int num) return -1; } - if (s->internal->handshake_func == NULL) { + if (SSL_is_quic(s)) { + SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return (-1); + } + + if (s->handshake_func == NULL) { SSLerror(s, SSL_R_UNINITIALIZED); return (-1); } - if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) { + if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { return (0); } return ssl3_peek(s, buf, num); @@ -1104,13 +1120,18 @@ SSL_write(SSL *s, const void *buf, int num) return -1; } - if (s->internal->handshake_func == NULL) { + if (SSL_is_quic(s)) { + SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return (-1); + } + + if (s->handshake_func == NULL) { SSLerror(s, SSL_R_UNINITIALIZED); return (-1); } - if (s->internal->shutdown & SSL_SENT_SHUTDOWN) { - s->internal->rwstate = SSL_NOTHING; + if (s->shutdown & SSL_SENT_SHUTDOWN) { + s->rwstate = SSL_NOTHING; SSLerror(s, SSL_R_PROTOCOL_IS_SHUTDOWN); return (-1); } @@ -1203,7 +1224,7 @@ SSL_shutdown(SSL *s) * even if blocking I/O is used (see ssl3_shutdown). */ - if (s->internal->handshake_func == NULL) { + if (s->handshake_func == NULL) { SSLerror(s, SSL_R_UNINITIALIZED); return (-1); } @@ -1217,10 +1238,10 @@ SSL_shutdown(SSL *s) int SSL_renegotiate(SSL *s) { - if (s->internal->renegotiate == 0) - s->internal->renegotiate = 1; + if (s->renegotiate == 0) + s->renegotiate = 1; - s->internal->new_session = 1; + s->new_session = 1; return (s->method->ssl_renegotiate(s)); } @@ -1228,10 +1249,10 @@ SSL_renegotiate(SSL *s) int SSL_renegotiate_abbreviated(SSL *s) { - if (s->internal->renegotiate == 0) - s->internal->renegotiate = 1; + if (s->renegotiate == 0) + s->renegotiate = 1; - s->internal->new_session = 0; + s->new_session = 0; return (s->method->ssl_renegotiate(s)); } 
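Review bot: SSL_peek's shutdown branch in the first hunk returns 0 without resetting `s->rwstate`, while the equivalent branches in SSL_read and SSL_write (both visible in this diff) set `s->rwstate = SSL_NOTHING;` first; the asymmetry predates the commit, but the hunk rewrites those lines, so adding `s->rwstate = SSL_NOTHING;` there would be cheap and consistent. The three new `SSL_is_quic` rejections agree with each other; SSL_shutdown in the same file gets no such check, which may be intentional, but a one-line comment saying so would save the next reader the question.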
@@ -1243,7 +1264,7 @@ SSL_renegotiate_pending(SSL *s) * Becomes true when negotiation is requested; * false again once a handshake has finished. */ - return (s->internal->renegotiate != 0); + return (s->renegotiate != 0); } long @@ -1253,29 +1274,29 @@ SSL_ctrl(SSL *s, int cmd, long larg, void *parg) switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: - return (s->internal->read_ahead); + return (s->read_ahead); case SSL_CTRL_SET_READ_AHEAD: - l = s->internal->read_ahead; - s->internal->read_ahead = larg; + l = s->read_ahead; + s->read_ahead = larg; return (l); case SSL_CTRL_SET_MSG_CALLBACK_ARG: - s->internal->msg_callback_arg = parg; + s->msg_callback_arg = parg; return (1); case SSL_CTRL_OPTIONS: - return (s->internal->options|=larg); + return (s->options|=larg); case SSL_CTRL_CLEAR_OPTIONS: - return (s->internal->options&=~larg); + return (s->options&=~larg); case SSL_CTRL_MODE: - return (s->internal->mode|=larg); + return (s->mode|=larg); case SSL_CTRL_CLEAR_MODE: - return (s->internal->mode &=~larg); + return (s->mode &=~larg); case SSL_CTRL_GET_MAX_CERT_LIST: - return (s->internal->max_cert_list); + return (s->max_cert_list); case SSL_CTRL_SET_MAX_CERT_LIST: - l = s->internal->max_cert_list; - s->internal->max_cert_list = larg; + l = s->max_cert_list; + s->max_cert_list = larg; return (l); case SSL_CTRL_SET_MTU: #ifndef OPENSSL_NO_DTLS1 @@ -1308,7 +1329,7 @@ SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) { switch (cmd) { case SSL_CTRL_SET_MSG_CALLBACK: - s->internal->msg_callback = (ssl_msg_callback_fn *)(fp); + s->msg_callback = (ssl_msg_callback_fn *)(fp); return (1); default: @@ -1319,7 +1340,7 @@ SSL_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) struct lhash_st_SSL_SESSION * SSL_CTX_sessions(SSL_CTX *ctx) { - return (ctx->internal->sessions); + return (ctx->sessions); } long 
@@ -1329,72 +1350,72 @@ SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) switch (cmd) { case SSL_CTRL_GET_READ_AHEAD: - return (ctx->internal->read_ahead); + return (ctx->read_ahead); case SSL_CTRL_SET_READ_AHEAD: - l = ctx->internal->read_ahead; - ctx->internal->read_ahead = larg; + l = ctx->read_ahead; + ctx->read_ahead = larg; return (l); case SSL_CTRL_SET_MSG_CALLBACK_ARG: - ctx->internal->msg_callback_arg = parg; + ctx->msg_callback_arg = parg; return (1); case SSL_CTRL_GET_MAX_CERT_LIST: - return (ctx->internal->max_cert_list); + return (ctx->max_cert_list); case SSL_CTRL_SET_MAX_CERT_LIST: - l = ctx->internal->max_cert_list; - ctx->internal->max_cert_list = larg; + l = ctx->max_cert_list; + ctx->max_cert_list = larg; return (l); case SSL_CTRL_SET_SESS_CACHE_SIZE: - l = ctx->internal->session_cache_size; - ctx->internal->session_cache_size = larg; + l = ctx->session_cache_size; + ctx->session_cache_size = larg; return (l); case SSL_CTRL_GET_SESS_CACHE_SIZE: - return (ctx->internal->session_cache_size); + return (ctx->session_cache_size); case SSL_CTRL_SET_SESS_CACHE_MODE: - l = ctx->internal->session_cache_mode; - ctx->internal->session_cache_mode = larg; + l = ctx->session_cache_mode; + ctx->session_cache_mode = larg; return (l); case SSL_CTRL_GET_SESS_CACHE_MODE: - return (ctx->internal->session_cache_mode); + return (ctx->session_cache_mode); case SSL_CTRL_SESS_NUMBER: - return (lh_SSL_SESSION_num_items(ctx->internal->sessions)); + return (lh_SSL_SESSION_num_items(ctx->sessions)); case SSL_CTRL_SESS_CONNECT: - return (ctx->internal->stats.sess_connect); + return (ctx->stats.sess_connect); case SSL_CTRL_SESS_CONNECT_GOOD: - return (ctx->internal->stats.sess_connect_good); + return (ctx->stats.sess_connect_good); case SSL_CTRL_SESS_CONNECT_RENEGOTIATE: - return (ctx->internal->stats.sess_connect_renegotiate); + return (ctx->stats.sess_connect_renegotiate); case SSL_CTRL_SESS_ACCEPT: - return (ctx->internal->stats.sess_accept); + return 
(ctx->stats.sess_accept); case SSL_CTRL_SESS_ACCEPT_GOOD: - return (ctx->internal->stats.sess_accept_good); + return (ctx->stats.sess_accept_good); case SSL_CTRL_SESS_ACCEPT_RENEGOTIATE: - return (ctx->internal->stats.sess_accept_renegotiate); + return (ctx->stats.sess_accept_renegotiate); case SSL_CTRL_SESS_HIT: - return (ctx->internal->stats.sess_hit); + return (ctx->stats.sess_hit); case SSL_CTRL_SESS_CB_HIT: - return (ctx->internal->stats.sess_cb_hit); + return (ctx->stats.sess_cb_hit); case SSL_CTRL_SESS_MISSES: - return (ctx->internal->stats.sess_miss); + return (ctx->stats.sess_miss); case SSL_CTRL_SESS_TIMEOUTS: - return (ctx->internal->stats.sess_timeout); + return (ctx->stats.sess_timeout); case SSL_CTRL_SESS_CACHE_FULL: - return (ctx->internal->stats.sess_cache_full); + return (ctx->stats.sess_cache_full); case SSL_CTRL_OPTIONS: - return (ctx->internal->options|=larg); + return (ctx->options|=larg); case SSL_CTRL_CLEAR_OPTIONS: - return (ctx->internal->options&=~larg); + return (ctx->options&=~larg); case SSL_CTRL_MODE: - return (ctx->internal->mode|=larg); + return (ctx->mode|=larg); case SSL_CTRL_CLEAR_MODE: - return (ctx->internal->mode&=~larg); + return (ctx->mode&=~larg); case SSL_CTRL_SET_MAX_SEND_FRAGMENT: if (larg < 512 || larg > SSL3_RT_MAX_PLAIN_LENGTH) return (0); - ctx->internal->max_send_fragment = larg; + ctx->max_send_fragment = larg; return (1); default: return (ssl3_ctx_ctrl(ctx, cmd, larg, parg)); @@ -1406,7 +1427,7 @@ SSL_CTX_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp)(void)) { switch (cmd) { case SSL_CTRL_SET_MSG_CALLBACK: - ctx->internal->msg_callback = (ssl_msg_callback_fn *)fp; + ctx->msg_callback = (ssl_msg_callback_fn *)fp; return (1); default: @@ -1449,7 +1470,7 @@ STACK_OF(SSL_CIPHER) * SSL_get1_supported_ciphers(SSL *s) { STACK_OF(SSL_CIPHER) *supported_ciphers = NULL, *ciphers; - const SSL_CIPHER *cipher; + SSL_CIPHER *cipher; uint16_t min_vers, max_vers; int i; 
@@ -1468,6 +1489,8 @@ SSL_get1_supported_ciphers(SSL *s) if (!ssl_cipher_allowed_in_tls_version_range(cipher, min_vers, max_vers)) continue; + if (!ssl_security_supported_cipher(s, cipher)) + continue; if (!sk_SSL_CIPHER_push(supported_ciphers, cipher)) goto err; } @@ -1542,7 +1565,7 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) * ctx->cipher_list has been updated. */ ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, - ctx->internal->cipher_list_tls13, str); + ctx->cipher_list_tls13, str, ctx->cert); if (ciphers == NULL) { return (0); } else if (sk_SSL_CIPHER_num(ciphers) == 0) { @@ -1555,12 +1578,12 @@ SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) { - if (!ssl_parse_ciphersuites(&ctx->internal->cipher_list_tls13, str)) { + if (!ssl_parse_ciphersuites(&ctx->cipher_list_tls13, str)) { SSLerrorx(SSL_R_NO_CIPHER_MATCH); return 0; } if (!ssl_merge_cipherlists(ctx->cipher_list, - ctx->internal->cipher_list_tls13, &ctx->cipher_list)) + ctx->cipher_list_tls13, &ctx->cipher_list)) return 0; return 1; @@ -1572,12 +1595,12 @@ SSL_set_cipher_list(SSL *s, const char *str) { STACK_OF(SSL_CIPHER) *ciphers, *ciphers_tls13; - if ((ciphers_tls13 = s->internal->cipher_list_tls13) == NULL) - ciphers_tls13 = s->ctx->internal->cipher_list_tls13; + if ((ciphers_tls13 = s->cipher_list_tls13) == NULL) + ciphers_tls13 = s->ctx->cipher_list_tls13; /* See comment in SSL_CTX_set_cipher_list. */ ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, - ciphers_tls13, str); + ciphers_tls13, str, s->cert); if (ciphers == NULL) { return (0); } else if (sk_SSL_CIPHER_num(ciphers) == 0) { 
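Review bot: The new `ssl_security_supported_cipher(s, cipher)` check in SSL_get1_supported_ciphers has no comment saying why a cipher is skipped, and the `continue` makes the exclusion invisible to the caller, who only sees a shorter list. Suggest `/* Exclude ciphers rejected by the configured security level. */` above it, after confirming that is what the helper evaluates, since its body is not in this diff. The enclosing loop and function start outside the hunk. The preceding hunk drops `const` from the `cipher` local; if that is only to satisfy the push/check signatures rather than because the cipher is modified, a one-line comment there would prevent the next reader from assuming mutation.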
@@ -1595,11 +1618,11 @@ SSL_set_ciphersuites(SSL *s, const char *str)
 if ((ciphers = s->cipher_list) == NULL)
 ciphers = s->ctx->cipher_list;
- if (!ssl_parse_ciphersuites(&s->internal->cipher_list_tls13, str)) {
+ if (!ssl_parse_ciphersuites(&s->cipher_list_tls13, str)) {
 SSLerrorx(SSL_R_NO_CIPHER_MATCH);
 return (0);
 }
- if (!ssl_merge_cipherlists(ciphers, s->internal->cipher_list_tls13,
+ if (!ssl_merge_cipherlists(ciphers, s->cipher_list_tls13,
 &s->cipher_list))
 return 0;
@@ -1758,27 +1781,28 @@ int
 SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
 unsigned int protos_len)
 {
+ CBS cbs;
 int failed = 1;
- if (protos == NULL || protos_len == 0)
+ if (protos == NULL)
+ protos_len = 0;
+
+ CBS_init(&cbs, protos, protos_len);
+
+ if (protos_len > 0) {
+ if (!tlsext_alpn_check_format(&cbs))
+ goto err;
+ }
+
+ if (!CBS_stow(&cbs, &ctx->alpn_client_proto_list,
+ &ctx->alpn_client_proto_list_len))
 goto err;
- free(ctx->internal->alpn_client_proto_list);
- ctx->internal->alpn_client_proto_list = NULL;
- ctx->internal->alpn_client_proto_list_len = 0;
-
- if ((ctx->internal->alpn_client_proto_list = malloc(protos_len))
- == NULL)
- goto err;
- ctx->internal->alpn_client_proto_list_len = protos_len;
-
- memcpy(ctx->internal->alpn_client_proto_list, protos, protos_len);
-
 failed = 0;
 err:
 /* NOTE: Return values are the reverse of what you expect. */
- return (failed);
+ return failed;
 }
 /*
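Review bot: The rewritten SSL_CTX_set_alpn_protos changes the contract for empty input: the removed code returned failure for `protos == NULL || protos_len == 0`, while the new code maps NULL to a zero-length CBS and CBS_stow() then stores an empty list and returns success, so a caller passing an empty list now clears the configured protocols and gets 0 back instead of 1. If that is intended it should be stated, e.g. `/* A NULL or empty list clears the configured ALPN protocols. */` above the CBS_init, and the same applies to SSL_set_alpn_protos, since the hunk at `@@ -1790,27 +1814,28 @@` makes the identical change. The new code also relies on CBS_stow() releasing the previously stored buffer, which the removed `free()` did explicitly; that matches how CBS_stow behaves in this tree but its body is not in the diff, so it is worth confirming. Validating the wire format with tlsext_alpn_check_format() before storing is a clear improvement, as it rejects lists that would otherwise be sent as a malformed extension.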
@@ -1790,27 +1814,28 @@ int
 SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
 unsigned int protos_len)
 {
+ CBS cbs;
 int failed = 1;
- if (protos == NULL || protos_len == 0)
+ if (protos == NULL)
+ protos_len = 0;
+
+ CBS_init(&cbs, protos, protos_len);
+
+ if (protos_len > 0) {
+ if (!tlsext_alpn_check_format(&cbs))
+ goto err;
+ }
+
+ if (!CBS_stow(&cbs, &ssl->alpn_client_proto_list,
+ &ssl->alpn_client_proto_list_len))
 goto err;
- free(ssl->internal->alpn_client_proto_list);
- ssl->internal->alpn_client_proto_list = NULL;
- ssl->internal->alpn_client_proto_list_len = 0;
-
- if ((ssl->internal->alpn_client_proto_list = malloc(protos_len))
- == NULL)
- goto err;
- ssl->internal->alpn_client_proto_list_len = protos_len;
-
- memcpy(ssl->internal->alpn_client_proto_list, protos, protos_len);
-
 failed = 0;
 err:
 /* NOTE: Return values are the reverse of what you expect. */
- return (failed);
+ return failed;
 }
 /*
@@ -1823,8 +1848,8 @@ SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx, int (*cb) (SSL *ssl,
 const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg), void *arg)
 {
- ctx->internal->alpn_select_cb = cb;
- ctx->internal->alpn_select_cb_arg = arg;
+ ctx->alpn_select_cb = cb;
+ ctx->alpn_select_cb_arg = arg;
 }
 /*
@@ -1848,21 +1873,21 @@ SSL_set_psk_use_session_callback(SSL *s, SSL_psk_use_session_cb_func cb) } int -SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, - const char *label, size_t llen, const unsigned char *p, size_t plen, - int use_context) +SSL_export_keying_material(SSL *s, unsigned char *out, size_t out_len, + const char *label, size_t label_len, const unsigned char *context, + size_t context_len, int use_context) { - if (s->internal->tls13 != NULL && s->version == TLS1_3_VERSION) { + if (s->tls13 != NULL && s->version == TLS1_3_VERSION) { if (!use_context) { - p = NULL; - plen = 0; + context = NULL; + context_len = 0; } - return tls13_exporter(s->internal->tls13, label, llen, p, plen, - out, olen); + return tls13_exporter(s->tls13, label, label_len, context, + context_len, out, out_len); } - return (tls1_export_keying_material(s, out, olen, label, llen, p, plen, - use_context)); + return tls12_exporter(s, label, label_len, context, context_len, + use_context, out, out_len); } static unsigned long @@ -1939,11 +1964,6 @@ SSL_CTX_new(const SSL_METHOD *meth) SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } - if ((ret->internal = calloc(1, sizeof(*ret->internal))) == NULL) { - free(ret); - SSLerrorx(ERR_R_MALLOC_FAILURE); - return (NULL); - } if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { SSLerrorx(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); 
@@ -1951,62 +1971,62 @@ SSL_CTX_new(const SSL_METHOD *meth) } ret->method = meth; - ret->internal->min_tls_version = meth->min_tls_version; - ret->internal->max_tls_version = meth->max_tls_version; - ret->internal->min_proto_version = 0; - ret->internal->max_proto_version = 0; - ret->internal->mode = SSL_MODE_AUTO_RETRY; + ret->min_tls_version = meth->min_tls_version; + ret->max_tls_version = meth->max_tls_version; + ret->min_proto_version = 0; + ret->max_proto_version = 0; + ret->mode = SSL_MODE_AUTO_RETRY; ret->cert_store = NULL; - ret->internal->session_cache_mode = SSL_SESS_CACHE_SERVER; - ret->internal->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; - ret->internal->session_cache_head = NULL; - ret->internal->session_cache_tail = NULL; + ret->session_cache_mode = SSL_SESS_CACHE_SERVER; + ret->session_cache_size = SSL_SESSION_CACHE_MAX_SIZE_DEFAULT; + ret->session_cache_head = NULL; + ret->session_cache_tail = NULL; /* We take the system default */ ret->session_timeout = ssl_get_default_timeout(); - ret->internal->new_session_cb = 0; - ret->internal->remove_session_cb = 0; - ret->internal->get_session_cb = 0; - ret->internal->generate_session_id = 0; + ret->new_session_cb = 0; + ret->remove_session_cb = 0; + ret->get_session_cb = 0; + ret->generate_session_id = 0; - memset((char *)&ret->internal->stats, 0, sizeof(ret->internal->stats)); + memset((char *)&ret->stats, 0, sizeof(ret->stats)); ret->references = 1; - ret->internal->quiet_shutdown = 0; + ret->quiet_shutdown = 0; - ret->internal->info_callback = NULL; + ret->info_callback = NULL; - ret->internal->app_verify_callback = 0; - ret->internal->app_verify_arg = NULL; + ret->app_verify_callback = 0; + ret->app_verify_arg = NULL; - ret->internal->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; - ret->internal->read_ahead = 0; - ret->internal->msg_callback = 0; - ret->internal->msg_callback_arg = NULL; + ret->max_cert_list = SSL_MAX_CERT_LIST_DEFAULT; + ret->read_ahead = 0; + ret->msg_callback = 0; + 
ret->msg_callback_arg = NULL; ret->verify_mode = SSL_VERIFY_NONE; ret->sid_ctx_length = 0; - ret->internal->default_verify_callback = NULL; + ret->default_verify_callback = NULL; - if ((ret->internal->cert = ssl_cert_new()) == NULL) + if ((ret->cert = ssl_cert_new()) == NULL) goto err; ret->default_passwd_callback = 0; ret->default_passwd_callback_userdata = NULL; - ret->internal->client_cert_cb = 0; - ret->internal->app_gen_cookie_cb = 0; - ret->internal->app_verify_cookie_cb = 0; + ret->client_cert_cb = 0; + ret->app_gen_cookie_cb = 0; + ret->app_verify_cookie_cb = 0; - ret->internal->sessions = lh_SSL_SESSION_new(); - if (ret->internal->sessions == NULL) + ret->sessions = lh_SSL_SESSION_new(); + if (ret->sessions == NULL) goto err; ret->cert_store = X509_STORE_new(); if (ret->cert_store == NULL) goto err; ssl_create_cipher_list(ret->method, &ret->cipher_list, - NULL, SSL_DEFAULT_CIPHER_LIST); + NULL, SSL_DEFAULT_CIPHER_LIST, ret->cert); if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS); 
@@ -2017,28 +2037,28 @@ SSL_CTX_new(const SSL_METHOD *meth) if (!ret->param) goto err; - if ((ret->internal->client_CA = sk_X509_NAME_new_null()) == NULL) + if ((ret->client_CA = sk_X509_NAME_new_null()) == NULL) goto err; - CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->internal->ex_data); + CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ret, &ret->ex_data); ret->extra_certs = NULL; - ret->internal->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; + ret->max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH; - ret->internal->tlsext_servername_callback = 0; - ret->internal->tlsext_servername_arg = NULL; + ret->tlsext_servername_callback = 0; + ret->tlsext_servername_arg = NULL; /* Setup RFC4507 ticket keys */ - arc4random_buf(ret->internal->tlsext_tick_key_name, 16); - arc4random_buf(ret->internal->tlsext_tick_hmac_key, 16); - arc4random_buf(ret->internal->tlsext_tick_aes_key, 16); + arc4random_buf(ret->tlsext_tick_key_name, 16); + arc4random_buf(ret->tlsext_tick_hmac_key, 16); + arc4random_buf(ret->tlsext_tick_aes_key, 16); - ret->internal->tlsext_status_cb = 0; - ret->internal->tlsext_status_arg = NULL; + ret->tlsext_status_cb = 0; + ret->tlsext_status_arg = NULL; #ifndef OPENSSL_NO_ENGINE - ret->internal->client_cert_engine = NULL; + ret->client_cert_engine = NULL; #ifdef OPENSSL_SSL_CLIENT_ENGINE_AUTO #define eng_strx(x) #x #define eng_str(x) eng_strx(x) @@ -2061,7 +2081,7 @@ SSL_CTX_new(const SSL_METHOD *meth) * Default is to connect to non-RI servers. When RI is more widely * deployed might change this. */ - ret->internal->options |= SSL_OP_LEGACY_SERVER_CONNECT; + ret->options |= SSL_OP_LEGACY_SERVER_CONNECT; return (ret); err: 
@@ -2094,35 +2114,34 @@ SSL_CTX_free(SSL_CTX *ctx) * free ex_data, then finally free the cache. * (See ticket [openssl.org #212].) */ - if (ctx->internal->sessions != NULL) + if (ctx->sessions != NULL) SSL_CTX_flush_sessions(ctx, 0); - CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ctx, &ctx->internal->ex_data); + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_SSL_CTX, ctx, &ctx->ex_data); - lh_SSL_SESSION_free(ctx->internal->sessions); + lh_SSL_SESSION_free(ctx->sessions); X509_STORE_free(ctx->cert_store); sk_SSL_CIPHER_free(ctx->cipher_list); - sk_SSL_CIPHER_free(ctx->internal->cipher_list_tls13); - ssl_cert_free(ctx->internal->cert); - sk_X509_NAME_pop_free(ctx->internal->client_CA, X509_NAME_free); + sk_SSL_CIPHER_free(ctx->cipher_list_tls13); + ssl_cert_free(ctx->cert); + sk_X509_NAME_pop_free(ctx->client_CA, X509_NAME_free); sk_X509_pop_free(ctx->extra_certs, X509_free); #ifndef OPENSSL_NO_SRTP - if (ctx->internal->srtp_profiles) - sk_SRTP_PROTECTION_PROFILE_free(ctx->internal->srtp_profiles); + if (ctx->srtp_profiles) + sk_SRTP_PROTECTION_PROFILE_free(ctx->srtp_profiles); #endif #ifndef OPENSSL_NO_ENGINE - ENGINE_finish(ctx->internal->client_cert_engine); + ENGINE_finish(ctx->client_cert_engine); #endif - free(ctx->internal->tlsext_ecpointformatlist); - free(ctx->internal->tlsext_supportedgroups); + free(ctx->tlsext_ecpointformatlist); + free(ctx->tlsext_supportedgroups); - free(ctx->internal->alpn_client_proto_list); + free(ctx->alpn_client_proto_list); - free(ctx->internal); free(ctx); } @@ -2161,15 +2180,15 @@ void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, void *), void *arg) { - ctx->internal->app_verify_callback = cb; - ctx->internal->app_verify_arg = arg; + ctx->app_verify_callback = cb; + ctx->app_verify_arg = arg; } void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*cb)(int, X509_STORE_CTX *)) { ctx->verify_mode = mode; - ctx->internal->default_verify_callback = cb; + ctx->default_verify_callback = cb; } void 
@@ -2341,14 +2360,14 @@ ssl_should_update_external_cache(SSL *s, int mode) { int cache_mode; - cache_mode = s->session_ctx->internal->session_cache_mode; + cache_mode = s->session_ctx->session_cache_mode; /* Don't cache if mode says not to */ if ((cache_mode & mode) == 0) return 0; /* if it is not already cached, cache it */ - if (!s->internal->hit) + if (!s->hit) return 1; /* If it's TLS 1.3, do it to match OpenSSL */ @@ -2363,14 +2382,14 @@ ssl_should_update_internal_cache(SSL *s, int mode) { int cache_mode; - cache_mode = s->session_ctx->internal->session_cache_mode; + cache_mode = s->session_ctx->session_cache_mode; /* Don't cache if mode says not to */ if ((cache_mode & mode) == 0) return 0; /* If it is already cached, don't cache it again */ - if (s->internal->hit) + if (s->hit) return 0; if ((cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE) != 0) @@ -2393,11 +2412,11 @@ ssl_should_update_internal_cache(SSL *s, int mode) * to know about this even if it's a stateless ticket * from 1.3 so we can know when it is removed. */ - if (s->session_ctx->internal->remove_session_cb != NULL) + if (s->session_ctx->remove_session_cb != NULL) return 1; /* If we have set OP_NO_TICKET, cache it. */ - if ((s->internal->options & SSL_OP_NO_TICKET) != 0) + if ((s->options & SSL_OP_NO_TICKET) != 0) return 1; /* Otherwise do not cache */ @@ -2412,7 +2431,7 @@ ssl_update_cache(SSL *s, int mode) if (s->session->session_id_length == 0) return; - cache_mode = s->session_ctx->internal->session_cache_mode; + cache_mode = s->session_ctx->session_cache_mode; do_callback = ssl_should_update_external_cache(s, mode); if (ssl_should_update_internal_cache(s, mode)) { 
@@ -2433,9 +2452,9 @@ ssl_update_cache(SSL *s, int mode) * same glorious experience they expect from OpenSSL which * does it this way. */ - if (do_callback && s->session_ctx->internal->new_session_cb != NULL) { + if (do_callback && s->session_ctx->new_session_cb != NULL) { CRYPTO_add(&s->session->references, 1, CRYPTO_LOCK_SSL_SESSION); - if (!s->session_ctx->internal->new_session_cb(s, s->session)) + if (!s->session_ctx->new_session_cb(s, s->session)) SSL_SESSION_free(s->session); } @@ -2444,9 +2463,9 @@ ssl_update_cache(SSL *s, int mode) (cache_mode & mode) != 0) { int connections; if (mode & SSL_SESS_CACHE_CLIENT) - connections = s->session_ctx->internal->stats.sess_connect_good; + connections = s->session_ctx->stats.sess_connect_good; else - connections = s->session_ctx->internal->stats.sess_accept_good; + connections = s->session_ctx->stats.sess_accept_good; if ((connections & 0xff) == 0xff) SSL_CTX_flush_sessions(s->session_ctx, time(NULL)); } @@ -2467,9 +2486,9 @@ SSL_set_ssl_method(SSL *s, const SSL_METHOD *method) if (s->method == method) return (ret); - if (s->internal->handshake_func == s->method->ssl_connect) + if (s->handshake_func == s->method->ssl_connect) handshake_func = method->ssl_connect; - else if (s->internal->handshake_func == s->method->ssl_accept) + else if (s->handshake_func == s->method->ssl_accept) handshake_func = method->ssl_accept; if (s->method->version == method->version) { @@ -2479,7 +2498,7 @@ SSL_set_ssl_method(SSL *s, const SSL_METHOD *method) s->method = method; ret = s->method->ssl_new(s); } - s->internal->handshake_func = handshake_func; + s->handshake_func = handshake_func; return (ret); } 
@@ -2515,7 +2534,7 @@ SSL_get_error(const SSL *s, int i) * try to write to the rbio, and an application * program where rbio and wbio are separate couldn't * even know what it should wait for. However if we - * ever set s->internal->rwstate incorrectly (so that we have + * ever set s->rwstate incorrectly (so that we have * SSL_want_read(s) instead of SSL_want_write(s)) * and rbio and wbio *are* the same, this test works * around that bug; so it might be safer to keep it. 
@@ -2556,17 +2575,138 @@ SSL_get_error(const SSL *s, int i)
 if (SSL_want_x509_lookup(s))
 return (SSL_ERROR_WANT_X509_LOOKUP);
- if ((s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) &&
+ if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
 (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY))
 return (SSL_ERROR_ZERO_RETURN);
 return (SSL_ERROR_SYSCALL);
 }
+int
+SSL_CTX_set_quic_method(SSL_CTX *ctx, const SSL_QUIC_METHOD *quic_method)
+{
+ if (ctx->method->dtls)
+ return 0;
+
+ ctx->quic_method = quic_method;
+
+ return 1;
+}
+
+int
+SSL_set_quic_method(SSL *ssl, const SSL_QUIC_METHOD *quic_method)
+{
+ if (ssl->method->dtls)
+ return 0;
+
+ ssl->quic_method = quic_method;
+
+ return 1;
+}
+
+size_t
+SSL_quic_max_handshake_flight_len(const SSL *ssl,
+ enum ssl_encryption_level_t level)
+{
+ size_t flight_len;
+
+ /* Limit flights to 16K when there are no large certificate messages. */
+ flight_len = 16384;
+
+ switch (level) {
+ case ssl_encryption_initial:
+ return flight_len;
+
+ case ssl_encryption_early_data:
+ /* QUIC does not send EndOfEarlyData. */
+ return 0;
+
+ case ssl_encryption_handshake:
+ if (ssl->server) {
+ /*
+ * Servers may receive Certificate message if configured
+ * to request client certificates.
+ */
+ if ((SSL_get_verify_mode(ssl) & SSL_VERIFY_PEER) != 0 &&
+ ssl->max_cert_list > flight_len)
+ flight_len = ssl->max_cert_list;
+ } else {
+ /*
+ * Clients may receive both Certificate message and a
+ * CertificateRequest message.
+ */
+ if (ssl->max_cert_list * 2 > flight_len)
+ flight_len = ssl->max_cert_list * 2;
+ }
+ return flight_len;
+ case ssl_encryption_application:
+ /*
+ * Note there is not actually a bound on the number of
+ * NewSessionTickets one may send in a row. This level may need
+ * more involved flow control.
+ */
+ return flight_len;
+ }
+
+ return 0;
+}
+
+enum ssl_encryption_level_t
+SSL_quic_read_level(const SSL *ssl)
+{
+ return ssl->s3->hs.tls13.quic_read_level;
+}
+
+enum ssl_encryption_level_t
+SSL_quic_write_level(const SSL *ssl)
+{
+ return ssl->s3->hs.tls13.quic_write_level;
+}
+
+int
+SSL_provide_quic_data(SSL *ssl, enum ssl_encryption_level_t level,
+ const uint8_t *data, size_t len)
+{
+ if (!SSL_is_quic(ssl)) {
+ SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
+ return 0;
+ }
+
+ if (level != SSL_quic_read_level(ssl)) {
+ SSLerror(ssl, SSL_R_WRONG_ENCRYPTION_LEVEL_RECEIVED);
+ return 0;
+ }
+
+ if (ssl->s3->hs.tls13.quic_read_buffer == NULL) {
+ ssl->s3->hs.tls13.quic_read_buffer = tls_buffer_new(0);
+ if (ssl->s3->hs.tls13.quic_read_buffer == NULL) {
+ SSLerror(ssl, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ }
+
+ /* XXX - note that this does not currently downsize. */
+ tls_buffer_set_capacity_limit(ssl->s3->hs.tls13.quic_read_buffer,
+ SSL_quic_max_handshake_flight_len(ssl, level));
+
+ /*
+ * XXX - an append that fails due to exceeding capacity should set
+ * SSL_R_EXCESSIVE_MESSAGE_SIZE.
+ */
+ return tls_buffer_append(ssl->s3->hs.tls13.quic_read_buffer, data, len);
+}
+
+int
+SSL_process_quic_post_handshake(SSL *ssl)
+{
+ /* XXX - this needs to run PHH received. */
+ return 1;
+}
+
 int
 SSL_do_handshake(SSL *s)
 {
- if (s->internal->handshake_func == NULL) {
+ if (s->handshake_func == NULL) {
 SSLerror(s, SSL_R_CONNECTION_TYPE_NOT_SET);
 return (-1);
 }
@@ -2576,7 +2716,7 @@ SSL_do_handshake(SSL *s)
 if (!SSL_in_init(s) && !SSL_in_before(s))
 return 1;
- return s->internal->handshake_func(s);
+ return s->handshake_func(s);
 }
 /*
@@ -2587,9 +2727,9 @@ void
 SSL_set_accept_state(SSL *s)
 {
 s->server = 1;
- s->internal->shutdown = 0;
+ s->shutdown = 0;
 s->s3->hs.state = SSL_ST_ACCEPT|SSL_ST_BEFORE;
- s->internal->handshake_func = s->method->ssl_accept;
+ s->handshake_func = s->method->ssl_accept;
 ssl_clear_cipher_state(s);
 }
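Review bot: `SSL_process_quic_post_handshake()` returns 1 without consuming anything, so data a caller hands to SSL_provide_quic_data() at ssl_encryption_application accumulates in quic_read_buffer until the capacity limit from SSL_quic_max_handshake_flight_len() is hit and later appends fail with no specific error (the hunk's own XXX already notes the missing SSL_R_EXCESSIVE_MESSAGE_SIZE). The stub's comment should say this plainly, e.g. `/* XXX - post-handshake messages are not processed yet; data buffered at the application level is never consumed. */`, so that integrators do not read the 1 as success. In SSL_quic_max_handshake_flight_len() the comparisons `ssl->max_cert_list > flight_len` and `ssl->max_cert_list * 2 > flight_len` mix `max_cert_list` (assigned from the `long larg` in SSL_CTX_ctrl above, so presumably signed) with the `size_t` flight_len; a negative or very large value set through SSL_set_max_cert_list() would convert to a huge unsigned limit, so a clamp or a comment stating the assumed range would help. The hunk also mixes `return 0;` and `return 1;` style with the surrounding `return (-1);`, which is fine but worth keeping consistent within the new functions.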
@@ -2597,9 +2737,9 @@ void SSL_set_connect_state(SSL *s) { s->server = 0; - s->internal->shutdown = 0; + s->shutdown = 0; s->s3->hs.state = SSL_ST_CONNECT|SSL_ST_BEFORE; - s->internal->handshake_func = s->method->ssl_connect; + s->handshake_func = s->method->ssl_connect; ssl_clear_cipher_state(s); } @@ -2689,24 +2829,24 @@ SSL_dup(SSL *s) goto err; } - ret->internal->options = s->internal->options; - ret->internal->mode = s->internal->mode; + ret->options = s->options; + ret->mode = s->mode; SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s)); SSL_set_read_ahead(ret, SSL_get_read_ahead(s)); - ret->internal->msg_callback = s->internal->msg_callback; - ret->internal->msg_callback_arg = s->internal->msg_callback_arg; + ret->msg_callback = s->msg_callback; + ret->msg_callback_arg = s->msg_callback_arg; SSL_set_verify(ret, SSL_get_verify_mode(s), SSL_get_verify_callback(s)); SSL_set_verify_depth(ret, SSL_get_verify_depth(s)); - ret->internal->generate_session_id = s->internal->generate_session_id; + ret->generate_session_id = s->generate_session_id; SSL_set_info_callback(ret, SSL_get_info_callback(s)); - ret->internal->debug = s->internal->debug; + ret->debug = s->debug; /* copy app data, a little dangerous perhaps */ if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, - &ret->internal->ex_data, &s->internal->ex_data)) + &ret->ex_data, &s->ex_data)) goto err; /* setup rbio, and wbio */ 
@@ -2721,25 +2861,25 @@ SSL_dup(SSL *s) } else ret->wbio = ret->rbio; } - ret->internal->rwstate = s->internal->rwstate; - ret->internal->in_handshake = s->internal->in_handshake; - ret->internal->handshake_func = s->internal->handshake_func; + ret->rwstate = s->rwstate; + ret->in_handshake = s->in_handshake; + ret->handshake_func = s->handshake_func; ret->server = s->server; - ret->internal->renegotiate = s->internal->renegotiate; - ret->internal->new_session = s->internal->new_session; - ret->internal->quiet_shutdown = s->internal->quiet_shutdown; - ret->internal->shutdown = s->internal->shutdown; + ret->renegotiate = s->renegotiate; + ret->new_session = s->new_session; + ret->quiet_shutdown = s->quiet_shutdown; + ret->shutdown = s->shutdown; /* SSL_dup does not really work at any state, though */ ret->s3->hs.state = s->s3->hs.state; - ret->internal->rstate = s->internal->rstate; + ret->rstate = s->rstate; /* * Would have to copy ret->init_buf, ret->init_msg, ret->init_num, * ret->init_off */ - ret->internal->init_num = 0; + ret->init_num = 0; - ret->internal->hit = s->internal->hit; + ret->hit = s->hit; X509_VERIFY_PARAM_inherit(ret->param, s->param); @@ -2748,16 +2888,16 @@ SSL_dup(SSL *s) sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) goto err; } - if (s->internal->cipher_list_tls13 != NULL) { - if ((ret->internal->cipher_list_tls13 = - sk_SSL_CIPHER_dup(s->internal->cipher_list_tls13)) == NULL) + if (s->cipher_list_tls13 != NULL) { + if ((ret->cipher_list_tls13 = + sk_SSL_CIPHER_dup(s->cipher_list_tls13)) == NULL) goto err; } /* Dup the client_CA list */ - if (s->internal->client_CA != NULL) { - if ((sk = sk_X509_NAME_dup(s->internal->client_CA)) == NULL) goto err; - ret->internal->client_CA = sk; + if (s->client_CA != NULL) { + if ((sk = sk_X509_NAME_dup(s->client_CA)) == NULL) goto err; + ret->client_CA = sk; for (i = 0; i < sk_X509_NAME_num(sk); i++) { xn = sk_X509_NAME_value(sk, i); if (sk_X509_NAME_set(sk, i, 
@@ -2777,8 +2917,8 @@ SSL_dup(SSL *s) void ssl_clear_cipher_state(SSL *s) { - tls12_record_layer_clear_read_state(s->internal->rl); - tls12_record_layer_clear_write_state(s->internal->rl); + tls12_record_layer_clear_read_state(s->rl); + tls12_record_layer_clear_write_state(s->rl); } void @@ -2786,8 +2926,8 @@ ssl_info_callback(const SSL *s, int type, int value) { ssl_info_callback_fn *cb; - if ((cb = s->internal->info_callback) == NULL) - cb = s->ctx->internal->info_callback; + if ((cb = s->info_callback) == NULL) + cb = s->ctx->info_callback; if (cb != NULL) cb(s, type, value); } @@ -2796,9 +2936,17 @@ void ssl_msg_callback(SSL *s, int is_write, int content_type, const void *msg_buf, size_t msg_len) { - if (s->internal->msg_callback != NULL) - s->internal->msg_callback(is_write, s->version, content_type, - msg_buf, msg_len, s, s->internal->msg_callback_arg); + if (s->msg_callback == NULL) + return; + + s->msg_callback(is_write, s->version, content_type, + msg_buf, msg_len, s, s->msg_callback_arg); +} + +void +ssl_msg_callback_cbs(SSL *s, int is_write, int content_type, CBS *cbs) +{ + ssl_msg_callback(s, is_write, content_type, CBS_data(cbs), CBS_len(cbs)); } /* Fix this function so that it takes an optional type parameter */ @@ -2917,37 +3065,37 @@ ssl_free_wbio_buffer(SSL *s) void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx, int mode) { - ctx->internal->quiet_shutdown = mode; + ctx->quiet_shutdown = mode; } int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx) { - return (ctx->internal->quiet_shutdown); + return (ctx->quiet_shutdown); } void SSL_set_quiet_shutdown(SSL *s, int mode) { - s->internal->quiet_shutdown = mode; + s->quiet_shutdown = mode; } int SSL_get_quiet_shutdown(const SSL *s) { - return (s->internal->quiet_shutdown); + return (s->quiet_shutdown); } void SSL_set_shutdown(SSL *s, int mode) { - s->internal->shutdown = mode; + s->shutdown = mode; } int SSL_get_shutdown(const SSL *s) { - return (s->internal->shutdown); + return (s->shutdown); } int 
@@ -2972,7 +3120,7 @@ SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) if (ssl->ctx == ctx) return (ssl->ctx); - if ((new_cert = ssl_cert_dup(ctx->internal->cert)) == NULL) + if ((new_cert = ssl_cert_dup(ctx->cert)) == NULL) return NULL; ssl_cert_free(ssl->cert); ssl->cert = new_cert; @@ -3006,12 +3154,12 @@ SSL_CTX_load_verify_mem(SSL_CTX *ctx, void *buf, int len) void SSL_set_info_callback(SSL *ssl, void (*cb)(const SSL *ssl, int type, int val)) { - ssl->internal->info_callback = cb; + ssl->info_callback = cb; } void (*SSL_get_info_callback(const SSL *ssl))(const SSL *ssl, int type, int val) { - return (ssl->internal->info_callback); + return (ssl->info_callback); } int @@ -3067,13 +3215,13 @@ SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, int SSL_set_ex_data(SSL *s, int idx, void *arg) { - return (CRYPTO_set_ex_data(&s->internal->ex_data, idx, arg)); + return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); } void * SSL_get_ex_data(const SSL *s, int idx) { - return (CRYPTO_get_ex_data(&s->internal->ex_data, idx)); + return (CRYPTO_get_ex_data(&s->ex_data, idx)); } int @@ -3087,13 +3235,13 @@ SSL_CTX_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) { - return (CRYPTO_set_ex_data(&s->internal->ex_data, idx, arg)); + return (CRYPTO_set_ex_data(&s->ex_data, idx, arg)); } void * SSL_CTX_get_ex_data(const SSL_CTX *s, int idx) { - return (CRYPTO_get_ex_data(&s->internal->ex_data, idx)); + return (CRYPTO_get_ex_data(&s->ex_data, idx)); } int 
@@ -3118,25 +3266,25 @@ SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store) X509 * SSL_CTX_get0_certificate(const SSL_CTX *ctx) { - if (ctx->internal->cert == NULL) + if (ctx->cert == NULL) return NULL; - return ctx->internal->cert->key->x509; + return ctx->cert->key->x509; } EVP_PKEY * SSL_CTX_get0_privatekey(const SSL_CTX *ctx) { - if (ctx->internal->cert == NULL) + if (ctx->cert == NULL) return NULL; - return ctx->internal->cert->key->privatekey; + return ctx->cert->key->privatekey; } int SSL_want(const SSL *s) { - return (s->internal->rwstate); + return (s->rwstate); } void 
@@ -3201,68 +3349,68 @@ SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, void SSL_set_debug(SSL *s, int debug) { - s->internal->debug = debug; + s->debug = debug; } int SSL_cache_hit(SSL *s) { - return (s->internal->hit); + return (s->hit); } int SSL_CTX_get_min_proto_version(SSL_CTX *ctx) { - return ctx->internal->min_proto_version; + return ctx->min_proto_version; } int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, uint16_t version) { return ssl_version_set_min(ctx->method, version, - ctx->internal->max_tls_version, &ctx->internal->min_tls_version, - &ctx->internal->min_proto_version); + ctx->max_tls_version, &ctx->min_tls_version, + &ctx->min_proto_version); } int SSL_CTX_get_max_proto_version(SSL_CTX *ctx) { - return ctx->internal->max_proto_version; + return ctx->max_proto_version; } int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, uint16_t version) { return ssl_version_set_max(ctx->method, version, - ctx->internal->min_tls_version, &ctx->internal->max_tls_version, - &ctx->internal->max_proto_version); + ctx->min_tls_version, &ctx->max_tls_version, + &ctx->max_proto_version); } int SSL_get_min_proto_version(SSL *ssl) { - return ssl->internal->min_proto_version; + return ssl->min_proto_version; } int SSL_set_min_proto_version(SSL *ssl, uint16_t version) { return ssl_version_set_min(ssl->method, version, - ssl->internal->max_tls_version, &ssl->internal->min_tls_version, - &ssl->internal->min_proto_version); + ssl->max_tls_version, &ssl->min_tls_version, + &ssl->min_proto_version); } int SSL_get_max_proto_version(SSL *ssl) { - return ssl->internal->max_proto_version; + return ssl->max_proto_version; } int SSL_set_max_proto_version(SSL *ssl, uint16_t version) { return ssl_version_set_max(ssl->method, version, - ssl->internal->min_tls_version, &ssl->internal->max_tls_version, - &ssl->internal->max_proto_version); + ssl->min_tls_version, &ssl->max_tls_version, + &ssl->max_proto_version); } const SSL_METHOD * 
@@ -3271,6 +3419,68 @@ SSL_CTX_get_ssl_method(const SSL_CTX *ctx)
 return ctx->method;
 }
+int
+SSL_CTX_get_security_level(const SSL_CTX *ctx)
+{
+ return ctx->cert->security_level;
+}
+
+void
+SSL_CTX_set_security_level(SSL_CTX *ctx, int level)
+{
+ ctx->cert->security_level = level;
+}
+
+int
+SSL_get_security_level(const SSL *ssl)
+{
+ return ssl->cert->security_level;
+}
+
+void
+SSL_set_security_level(SSL *ssl, int level)
+{
+ ssl->cert->security_level = level;
+}
+
+int
+SSL_is_quic(const SSL *ssl)
+{
+ return ssl->quic_method != NULL;
+}
+
+int
+SSL_set_quic_transport_params(SSL *ssl, const uint8_t *params,
+ size_t params_len)
+{
+ freezero(ssl->quic_transport_params,
+ ssl->quic_transport_params_len);
+ ssl->quic_transport_params = NULL;
+ ssl->quic_transport_params_len = 0;
+
+ if ((ssl->quic_transport_params = malloc(params_len)) == NULL)
+ return 0;
+
+ memcpy(ssl->quic_transport_params, params, params_len);
+ ssl->quic_transport_params_len = params_len;
+
+ return 1;
+}
+
+void
+SSL_get_peer_quic_transport_params(const SSL *ssl, const uint8_t **out_params,
+ size_t *out_params_len)
+{
+ *out_params = ssl->s3->peer_quic_transport_params;
+ *out_params_len = ssl->s3->peer_quic_transport_params_len;
+}
+
+void
+SSL_set_quic_use_legacy_codepoint(SSL *ssl, int use_legacy)
+{
+ /* Not supported. */
+}
+
 static int
 ssl_cipher_id_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
 {
diff --git a/ssl/ssl_locl.h b/ssl/ssl_local.h
similarity index 91%
rename from ssl/ssl_locl.h
rename to ssl/ssl_local.h
index f0c261b..876a5e4 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.388 2022/03/17 17:22:16 jsing Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.5 2023/04/25 07:48:15 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -162,6 +162,7 @@
 #include
 #include "bytestring.h"
+#include "tls_content.h"
 #include "tls13_internal.h"
 __BEGIN_HIDDEN_DECLS
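Review bot: SSL_set_quic_transport_params() misbehaves for an empty parameter set: with `params_len == 0` it has already released the previous buffer and then calls `malloc(0)`, which may return NULL on some platforms and makes the call report failure, and `memcpy()` from a NULL `params` with length 0 is technically undefined. Returning once the old value is cleared, `if (params_len == 0) return 1;` before the malloc, keeps clear-on-empty well defined. SSL_CTX_set_security_level()/SSL_set_security_level() store `level` unchecked; a note that out-of-range values are the caller's responsibility (or a clamp) would be useful, though the code that consumes security_level is not in this diff. SSL_set_quic_use_legacy_codepoint() is an intentional no-op, and `/* Not supported; the request is silently ignored. */` would tell callers that more clearly than the current `/* Not supported. */`.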
@@ -213,10 +214,10 @@ __BEGIN_HIDDEN_DECLS /* Bits for algorithm_auth (server authentication) */ #define SSL_aRSA 0x00000001L /* RSA auth */ -#define SSL_aDSS 0x00000002L /* DSS auth */ -#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */ +#define SSL_aDSS 0x00000002L /* DSS auth */ +#define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */ #define SSL_aECDSA 0x00000040L /* ECDSA auth*/ -#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */ +#define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */ #define SSL_aTLS1_3 0x00000400L /* TLSv1.3 authentication */ /* Bits for algorithm_enc (symmetric encryption) */ @@ -234,7 +235,7 @@ __BEGIN_HIDDEN_DECLS #define SSL_AES256GCM 0x00000800L #define SSL_CHACHA20POLY1305 0x00001000L -#define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM) +#define SSL_AES (SSL_AES128|SSL_AES256|SSL_AES128GCM|SSL_AES256GCM) #define SSL_CAMELLIA (SSL_CAMELLIA128|SSL_CAMELLIA256) @@ -341,7 +342,7 @@ __BEGIN_HIDDEN_DECLS #define SSL_MAX_EMPTY_RECORDS 32 /* SSL_kRSA <- RSA_ENC | (RSA_TMP & RSA_SIGN) | - * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN) + * <- (EXPORT & (RSA_ENC | RSA_TMP) & RSA_SIGN) * SSL_kDH <- DH_ENC & (RSA_ENC | RSA_SIGN | DSA_SIGN) * SSL_kDHE <- RSA_ENC | RSA_SIGN | DSA_SIGN * SSL_aRSA <- RSA_ENC | RSA_SIGN @@ -380,6 +381,11 @@ typedef struct ssl_cert_st { DH *(*dhe_params_cb)(SSL *ssl, int is_export, int keysize); int dhe_params_auto; + int (*security_cb)(const SSL *s, const SSL_CTX *ctx, int op, int bits, + int nid, void *other, void *ex_data); /* Not exposed in API. */ + int security_level; + void *security_ex_data; /* Not exposed in API. */ + int references; /* >1 only if SSL_copy_session_id is used */ } SSL_CERT; 
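Review bot: The new `security_level`, `security_cb` and `security_ex_data` members of SSL_CERT are read through `ctx->cert->security_level` by the new accessors in ssl_lib.c, but this diff does not show ssl_cert_new() or ssl_cert_dup() initialising or copying them; since SSL_set_SSL_CTX() duplicates `ctx->cert` into the SSL (hunk `@@ -2972,7 +3120,7 @@`), a missed copy would leave a connection at whatever level ssl_cert_new() defaults to rather than the one configured on the context. A field comment pinning that contract, e.g. `int security_level; /* Default set in ssl_cert_new(); copied by ssl_cert_dup(). */`, would make it explicit once confirmed against those functions. The struct definition starts and ends outside the hunk.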
@@ -434,13 +440,14 @@ struct ssl_method_st { unsigned int enc_flags; /* SSL_ENC_FLAG_* */ }; -/* Lets make this into an ASN.1 type structure as follows +/* + * Let's make this into an ASN.1 type structure as follows * SSL_SESSION_ID ::= SEQUENCE { - * version INTEGER, -- structure version number - * SSLversion INTEGER, -- SSL version number - * Cipher OCTET STRING, -- the 3 byte cipher ID - * Session_ID OCTET STRING, -- the Session ID - * Master_key OCTET STRING, -- the master key + * version INTEGER, -- structure version number + * SSLversion INTEGER, -- SSL version number + * Cipher OCTET STRING, -- the 2 byte cipher ID + * Session_ID OCTET STRING, -- the Session ID + * Master_key OCTET STRING, -- the master key * KRB5_principal OCTET STRING -- optional Kerberos principal * Time [ 1 ] EXPLICIT INTEGER, -- optional Start Time * Timeout [ 2 ] EXPLICIT INTEGER, -- optional Timeout ins seconds @@ -454,7 +461,7 @@ struct ssl_method_st { * Ticket [10] EXPLICIT OCTET STRING, -- session ticket (clients only) * Compression_meth [11] EXPLICIT OCTET STRING, -- optional compression method * SRP_username [ 12 ] EXPLICIT OCTET STRING -- optional SRP username - * } + * } * Look in ssl/ssl_asn1.c for more details * I'm using EXPLICIT tags so I can read the damn things using asn1parse :-). */ @@ -462,17 +469,17 @@ struct ssl_session_st { int ssl_version; /* what ssl version session info is * being kept in here? */ - int master_key_length; + size_t master_key_length; unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; /* session_id - valid? */ - unsigned int session_id_length; + size_t session_id_length; unsigned char session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; /* this is used to determine whether the session is being reused in * the appropriate context. It is up to the application to set this, * via SSL_new */ - unsigned int sid_ctx_length; + size_t sid_ctx_length; unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; /* Peer provided leaf (end-entity) certificate. */ 
@@ -496,10 +503,12 @@ struct ssl_session_st { char *tlsext_hostname; - /* RFC4507 info */ + /* Session resumption - RFC 5077 and RFC 8446. */ unsigned char *tlsext_tick; /* Session ticket */ size_t tlsext_ticklen; /* Session ticket length */ uint32_t tlsext_tick_lifetime_hint; /* Session lifetime hint in seconds */ + uint32_t tlsext_tick_age_add; /* TLSv1.3 ticket age obfuscation (in ms) */ + struct tls13_secret resumption_master_secret; CRYPTO_EX_DATA ex_data; /* application specific data */ @@ -512,8 +521,6 @@ struct ssl_session_st { * not_resumable_session_cb to disable session caching and tickets. */ int not_resumable; - STACK_OF(X509) *cert_chain; /* as received from peer */ - size_t tlsext_ecpointformatlist_length; uint8_t *tlsext_ecpointformatlist; /* peer's list */ size_t tlsext_supportedgroups_length; @@ -548,6 +555,9 @@ typedef struct ssl_handshake_tls13_st { int use_legacy; int hrr; + /* Client indicates psk_dhe_ke support in PskKeyExchangeMode. */ + int use_psk_dhe_ke; + /* Certificate selected for use (static pointer). */ const SSL_CERT_PKEY *cpk; @@ -572,6 +582,11 @@ typedef struct ssl_handshake_tls13_st { EVP_MD_CTX *clienthello_md_ctx; unsigned char *clienthello_hash; unsigned int clienthello_hash_len; + + /* QUIC read buffer and read/write encryption levels. */ + struct tls_buffer *quic_read_buffer; + enum ssl_encryption_level_t quic_read_level; + enum ssl_encryption_level_t quic_write_level; } SSL_HANDSHAKE_TLS13; typedef struct ssl_handshake_st { @@ -632,6 +647,10 @@ typedef struct ssl_handshake_st { uint8_t peer_finished[EVP_MAX_MD_SIZE]; size_t peer_finished_len; + /* List of certificates received from our peer. */ + STACK_OF(X509) *peer_certs; + STACK_OF(X509) *peer_certs_no_leaf; + SSL_HANDSHAKE_TLS12 tls12; SSL_HANDSHAKE_TLS13 tls13; } SSL_HANDSHAKE; 
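Review bot: `struct tls13_secret resumption_master_secret` embeds key material directly in SSL_SESSION, so SSL_SESSION_free (and the new ssl_session_dup declared later in this diff) must clear or copy it with the same care as master_key; that code is outside this chunk, so confirm it is zeroed on free and not leaked on dup. The comment on tlsext_tick_age_add reads as though the field itself is a duration; per RFC 8446 it is the obfuscation constant added to the ticket age, so `/* TLSv1.3 ticket_age_add obfuscation value (RFC 8446, 4.6.1). */` is more accurate. Removing cert_chain from the session while adding peer_certs/peer_certs_no_leaf to SSL_HANDSHAKE moves the peer chain from session to handshake scope; any code that relied on the chain surviving in a resumed session needs checking, which I cannot do from this hunk.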
@@ -688,7 +707,7 @@ int tls12_record_layer_change_read_cipher_state(struct tls12_record_layer *rl, int tls12_record_layer_change_write_cipher_state(struct tls12_record_layer *rl, CBS *mac_key, CBS *key, CBS *iv); int tls12_record_layer_open_record(struct tls12_record_layer *rl, - uint8_t *buf, size_t buf_len, uint8_t **out, size_t *out_len); + uint8_t *buf, size_t buf_len, struct tls_content *out); int tls12_record_layer_seal_record(struct tls12_record_layer *rl, uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out); @@ -697,7 +716,42 @@ typedef void (ssl_info_callback_fn)(const SSL *s, int type, int val); typedef void (ssl_msg_callback_fn)(int is_write, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg); -typedef struct ssl_ctx_internal_st { +struct ssl_ctx_st { + const SSL_METHOD *method; + const SSL_QUIC_METHOD *quic_method; + + STACK_OF(SSL_CIPHER) *cipher_list; + + struct x509_store_st /* X509_STORE */ *cert_store; + + /* If timeout is not 0, it is the default timeout value set + * when SSL_new() is called. This has been put in to make + * life easier to set things up */ + long session_timeout; + + int references; + + /* Default values to use in SSL structures follow (these are copied by SSL_new) */ + + STACK_OF(X509) *extra_certs; + + int verify_mode; + size_t sid_ctx_length; + unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; + + X509_VERIFY_PARAM *param; + + /* + * XXX + * default_passwd_cb used by python and openvpn, need to keep it until we + * add an accessor + */ + /* Default password callback. */ + pem_password_cb *default_passwd_callback; + + /* Default password callback user data. */ + void *default_passwd_callback_userdata; + uint16_t min_tls_version; uint16_t max_tls_version; 
@@ -854,8 +908,8 @@ typedef struct ssl_ctx_internal_st { void *alpn_select_cb_arg; /* Client list of supported protocols in wire format. */ - unsigned char *alpn_client_proto_list; - unsigned int alpn_client_proto_list_len; + uint8_t *alpn_client_proto_list; + size_t alpn_client_proto_list_len; size_t tlsext_ecpointformatlist_length; uint8_t *tlsext_ecpointformatlist; /* our list */ 
@@ -863,47 +917,75 @@ typedef struct ssl_ctx_internal_st { uint16_t *tlsext_supportedgroups; /* our list */ SSL_CTX_keylog_cb_func keylog_callback; /* Unused. For OpenSSL compatibility. */ size_t num_tickets; /* Unused, for OpenSSL compatibility */ -} SSL_CTX_INTERNAL; +}; + +struct ssl_st { + /* protocol version + * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION) + */ + int version; -struct ssl_ctx_st { const SSL_METHOD *method; + const SSL_QUIC_METHOD *quic_method; - STACK_OF(SSL_CIPHER) *cipher_list; + /* There are 2 BIO's even though they are normally both the + * same. This is so data can be read and written to different + * handlers */ - struct x509_store_st /* X509_STORE */ *cert_store; + BIO *rbio; /* used by SSL_read */ + BIO *wbio; /* used by SSL_write */ + BIO *bbio; /* used during session-id reuse to concatenate + * messages */ + int server; /* are we the server side? - mostly used by SSL_clear*/ - /* If timeout is not 0, it is the default timeout value set - * when SSL_new() is called. This has been put in to make - * life easier to set things up */ - long session_timeout; - - int references; - - /* Default values to use in SSL structures follow (these are copied by SSL_new) */ - - STACK_OF(X509) *extra_certs; - - int verify_mode; - unsigned int sid_ctx_length; - unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; + struct ssl3_state_st *s3; /* SSLv3 variables */ + struct dtls1_state_st *d1; /* DTLSv1 variables */ X509_VERIFY_PARAM *param; - /* - * XXX - * default_passwd_cb used by python and openvpn, need to keep it until we - * add an accessor - */ - /* Default password callback. */ - pem_password_cb *default_passwd_callback; + /* crypto */ + STACK_OF(SSL_CIPHER) *cipher_list; - /* Default password callback user data. 
*/ - void *default_passwd_callback_userdata; + /* This is used to hold the server certificate used */ + SSL_CERT *cert; - struct ssl_ctx_internal_st *internal; -}; + /* the session_id_context is used to ensure sessions are only reused + * in the appropriate context */ + size_t sid_ctx_length; + unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; + + /* This can also be in the session once a session is established */ + SSL_SESSION *session; + + /* Used in SSL2 and SSL3 */ + int verify_mode; /* 0 don't care about verify failure. + * 1 fail if verify fails */ + int error; /* error bytes to be written */ + int error_code; /* actual code */ + + SSL_CTX *ctx; + + long verify_result; + + int references; + + int client_version; /* what was passed, used for + * SSLv3/TLS rollback check */ + + unsigned int max_send_fragment; + + const struct tls_extension **tlsext_build_order; + size_t tlsext_build_order_len; + + char *tlsext_hostname; + + /* certificate status request info */ + /* Status type or -1 if no status type */ + int tlsext_status_type; + + SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ +#define session_ctx initial_ctx -typedef struct ssl_internal_st { struct tls13_ctx *tls13; uint16_t min_tls_version; @@ -920,8 +1002,12 @@ typedef struct ssl_internal_st { unsigned long mode; /* API behaviour */ /* Client list of supported protocols in wire format. */ - unsigned char *alpn_client_proto_list; - unsigned int alpn_client_proto_list_len; + uint8_t *alpn_client_proto_list; + size_t alpn_client_proto_list_len; + + /* QUIC transport params we will send */ + uint8_t *quic_transport_params; + size_t quic_transport_params_len; /* XXX Callbacks */ @@ -1004,7 +1090,7 @@ typedef struct ssl_internal_st { STACK_OF(X509_NAME) *client_CA; /* set this flag to 1 and a sleep(1) is put into all SSL_read() - * and SSL_write() calls, good for nbio debuging :-) */ + * and SSL_write() calls, good for nbio debugging :-) */ int debug; long max_cert_list; int first_packet; 
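Review bot: The new `quic_transport_params`/`quic_transport_params_len` pair in struct ssl_st is allocated with malloc and released with freezero in SSL_set_quic_transport_params, so SSL_free and any clear/dup path must release it the same way; those functions are not in this chunk, so please confirm. A one-line ownership comment on the field would make that obligation visible: `/* Owned by this SSL; freezero'd on replacement and on SSL_free. */`. The rest of this hunk is the flattening of ssl_internal_st into ssl_st and carries no behavioural change that I can see.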
@@ -1034,7 +1120,7 @@ typedef struct ssl_internal_st { const SRTP_PROTECTION_PROFILE *srtp_profile; /* What's been chosen */ int renegotiate;/* 1 if we are renegotiating. - * 2 if we are a server and are inside a handshake + * 2 if we are a server and are inside a handshake * (i.e. not just sending a HelloRequest) */ int rstate; /* where we are when reading */ 
@@ -1045,72 +1131,6 @@ typedef struct ssl_internal_st { size_t num_tickets; /* Unused, for OpenSSL compatibility */ STACK_OF(X509) *verified_chain; -} SSL_INTERNAL; - -struct ssl_st { - /* protocol version - * (one of SSL2_VERSION, SSL3_VERSION, TLS1_VERSION, DTLS1_VERSION) - */ - int version; - - const SSL_METHOD *method; /* SSLv3 */ - - /* There are 2 BIO's even though they are normally both the - * same. This is so data can be read and written to different - * handlers */ - - BIO *rbio; /* used by SSL_read */ - BIO *wbio; /* used by SSL_write */ - BIO *bbio; /* used during session-id reuse to concatenate - * messages */ - int server; /* are we the server side? - mostly used by SSL_clear*/ - - struct ssl3_state_st *s3; /* SSLv3 variables */ - struct dtls1_state_st *d1; /* DTLSv1 variables */ - - X509_VERIFY_PARAM *param; - - /* crypto */ - STACK_OF(SSL_CIPHER) *cipher_list; - - /* This is used to hold the server certificate used */ - SSL_CERT *cert; - - /* the session_id_context is used to ensure sessions are only reused - * in the appropriate context */ - unsigned int sid_ctx_length; - unsigned char sid_ctx[SSL_MAX_SID_CTX_LENGTH]; - - /* This can also be in the session once a session is established */ - SSL_SESSION *session; - - /* Used in SSL2 and SSL3 */ - int verify_mode; /* 0 don't care about verify failure. - * 1 fail if verify fails */ - int error; /* error bytes to be written */ - int error_code; /* actual code */ - - SSL_CTX *ctx; - - long verify_result; - - int references; - - int client_version; /* what was passed, used for - * SSLv3/TLS rollback check */ - - unsigned int max_send_fragment; - - char *tlsext_hostname; - - /* certificate status request info */ - /* Status type or -1 if no status type */ - int tlsext_status_type; - - SSL_CTX * initial_ctx; /* initial ctx, used to store sessions */ -#define session_ctx initial_ctx - - struct ssl_internal_st *internal; }; typedef struct ssl3_record_internal_st { 
@@ -1141,6 +1161,10 @@ typedef struct ssl3_state_st { SSL3_BUFFER_INTERNAL rbuf; /* read IO goes into here */ SSL3_BUFFER_INTERNAL wbuf; /* write IO goes into here */ + SSL3_RECORD_INTERNAL rrec; /* each decoded record goes in here */ + + struct tls_content *rcontent; /* Content from opened TLS records. */ + /* we allow one fatal and one warning alert to be outstanding, * send close alert via the warning alert */ int alert_dispatch; @@ -1150,14 +1174,9 @@ typedef struct ssl3_state_st { int need_empty_fragments; int empty_fragment_done; - SSL3_RECORD_INTERNAL rrec; /* each decoded record goes in here */ - - /* storage for Alert/Handshake protocol data received but not - * yet processed by ssl3_read_bytes: */ - unsigned char alert_fragment[2]; - unsigned int alert_fragment_len; - unsigned char handshake_fragment[4]; - unsigned int handshake_fragment_len; + /* Unprocessed Alert/Handshake protocol data. */ + struct tls_buffer *alert_fragment; + struct tls_buffer *handshake_fragment; /* partial write - check the numbers match */ unsigned int wnum; /* number of bytes sent so far */ @@ -1167,7 +1186,7 @@ typedef struct ssl3_state_st { const unsigned char *wpend_buf; /* Transcript of handshake messages that have been sent and received. */ - BUF_MEM *handshake_transcript; + struct tls_buffer *handshake_transcript; /* Rolling hash of handshake messages. */ EVP_MD_CTX *handshake_hash; @@ -1207,8 +1226,12 @@ typedef struct ssl3_state_st { * protocol that the server selected once the ServerHello has been * processed. */ - unsigned char *alpn_selected; + uint8_t *alpn_selected; size_t alpn_selected_len; + + /* Contains the QUIC transport params received from our peer. */ + uint8_t *peer_quic_transport_params; + size_t peer_quic_transport_params_len; } SSL3_STATE; /* 
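Review bot: alert_fragment and handshake_fragment change from inline arrays to `struct tls_buffer *`, and rcontent is a pointer too, so ssl3_new/ssl3_free must now allocate and release them and every former reader of alert_fragment_len/handshake_fragment_len must be updated; none of that is in this hunk, so confirm the allocation failure path is handled rather than leaving a NULL that a later read dereferences. peer_quic_transport_params is handed to callers by pointer through SSL_get_peer_quic_transport_params, so document its lifetime on the field, e.g. `/* Owned by the SSL; valid until the next handshake or SSL_free(). */` adjusted to the actual free point.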
@@ -1264,15 +1287,36 @@ int ssl_clear_bad_session(SSL *s); void ssl_info_callback(const SSL *s, int type, int value); void ssl_msg_callback(SSL *s, int is_write, int content_type, const void *msg_buf, size_t msg_len); +void ssl_msg_callback_cbs(SSL *s, int is_write, int content_type, CBS *cbs); SSL_CERT *ssl_cert_new(void); SSL_CERT *ssl_cert_dup(SSL_CERT *cert); void ssl_cert_free(SSL_CERT *c); -int ssl_cert_set0_chain(SSL_CERT *c, STACK_OF(X509) *chain); -int ssl_cert_set1_chain(SSL_CERT *c, STACK_OF(X509) *chain); -int ssl_cert_add0_chain_cert(SSL_CERT *c, X509 *cert); -int ssl_cert_add1_chain_cert(SSL_CERT *c, X509 *cert); +SSL_CERT *ssl_get0_cert(SSL_CTX *ctx, SSL *ssl); +int ssl_cert_set0_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain); +int ssl_cert_set1_chain(SSL_CTX *ctx, SSL *ssl, STACK_OF(X509) *chain); +int ssl_cert_add0_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert); +int ssl_cert_add1_chain_cert(SSL_CTX *ctx, SSL *ssl, X509 *cert); +int ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int op, + int bits, int nid, void *other, void *ex_data); + +int ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher); +int ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher); +int ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher); +int ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh); +int ssl_security_dh(const SSL *ssl, DH *dh); +int ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey); +int ssl_security_tickets(const SSL *ssl); +int ssl_security_version(const SSL *ssl, int version); +int ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, + int is_peer, int *out_error); +int ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, + X509 *x509, int *out_error); +int ssl_security_shared_group(const SSL *ssl, uint16_t group_id); +int ssl_security_supported_group(const SSL *ssl, uint16_t group_id); + +SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int include_ticket); int 
ssl_get_new_session(SSL *s, int session); int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert); @@ -1283,7 +1327,7 @@ int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb); STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, CBS *cbs); STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth, STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) *tls13, - const char *rule_str); + const char *rule_str, SSL_CERT *cert); int ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str); int ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist, STACK_OF(SSL_CIPHER) *cipherlist_tls13, @@ -1311,16 +1355,10 @@ int ssl_verify_alarm_type(long type); int SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len); const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); -int ssl3_send_server_certificate(SSL *s); -int ssl3_send_newsession_ticket(SSL *s); -int ssl3_send_cert_status(SSL *s); -int ssl3_get_finished(SSL *s, int state_a, int state_b); -int ssl3_send_change_cipher_spec(SSL *s, int state_a, int state_b); int ssl3_do_write(SSL *s, int type); int ssl3_send_alert(SSL *s, int level, int desc); int ssl3_get_req_cert_types(SSL *s, CBB *cbb); int ssl3_get_message(SSL *s, int st1, int stn, int mt, long max); -int ssl3_send_finished(SSL *s, int state_a, int state_b); int ssl3_num_ciphers(void); const SSL_CIPHER *ssl3_get_cipher(unsigned int u); const SSL_CIPHER *ssl3_get_cipher_by_id(unsigned int id); 
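Review bot: The security callback signature `int (*)(const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid, void *other, void *ex_data)` is declared here and in SSL_CERT without any statement of which op values are passed or what `other` points to for each, and that meaning decides whether the check is actually enforcing anything; a short comment block above ssl_security_default_cb listing the op values and the type of `other` per op would prevent mismatched casts later. The enclosing hunk starts in the preceding line of the diff. The two following hunks (cipher list signature gaining `SSL_CERT *cert`, removal of the ssl3_send_*/ssl3_get_* prototypes) look consistent with the rest of the change.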
@@ -1378,35 +1416,6 @@ int ssl_server_legacy_first_packet(SSL *s); int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len); -/* some client-only functions */ -int ssl3_send_client_hello(SSL *s); -int ssl3_get_dtls_hello_verify(SSL *s); -int ssl3_get_server_hello(SSL *s); -int ssl3_get_certificate_request(SSL *s); -int ssl3_get_new_session_ticket(SSL *s); -int ssl3_get_cert_status(SSL *s); -int ssl3_get_server_done(SSL *s); -int ssl3_send_client_verify(SSL *s); -int ssl3_send_client_certificate(SSL *s); -int ssl_do_client_cert_cb(SSL *s, X509 **px509, EVP_PKEY **ppkey); -int ssl3_send_client_key_exchange(SSL *s); -int ssl3_get_server_key_exchange(SSL *s); -int ssl3_get_server_certificate(SSL *s); -int ssl3_check_cert_and_algorithm(SSL *s); -int ssl3_check_finished(SSL *s); - -/* some server-only functions */ -int ssl3_get_client_hello(SSL *s); -int ssl3_send_dtls_hello_verify_request(SSL *s); -int ssl3_send_server_hello(SSL *s); -int ssl3_send_hello_request(SSL *s); -int ssl3_send_server_key_exchange(SSL *s); -int ssl3_send_certificate_request(SSL *s); -int ssl3_send_server_done(SSL *s); -int ssl3_get_client_certificate(SSL *s); -int ssl3_get_client_key_exchange(SSL *s); -int ssl3_get_cert_verify(SSL *s); - int ssl_kex_generate_dhe(DH *dh, DH *dh_params); int ssl_kex_generate_dhe_params_auto(DH *dh, size_t key_len); int ssl_kex_params_dhe(DH *dh, CBB *cbb); @@ -1457,9 +1466,6 @@ int tls1_change_read_cipher_state(SSL *s); int tls1_change_write_cipher_state(SSL *s); int tls1_setup_key_block(SSL *s); int tls1_generate_key_block(SSL *s, uint8_t *key_block, size_t key_block_len); -int tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, - const char *label, size_t llen, const unsigned char *p, size_t plen, - int use_context); int ssl_ok(SSL *s); int tls12_derive_finished(SSL *s); 
@@ -1470,20 +1476,23 @@ int tls12_derive_master_secret(SSL *s, uint8_t *premaster_secret, int ssl_using_ecc_cipher(SSL *s); int ssl_check_srvr_ecc_cert_and_alg(SSL *s, X509 *x); -void tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, - size_t *pformatslen); -void tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups, - size_t *pgroupslen); +void tls1_get_formatlist(const SSL *s, int client_formats, + const uint8_t **pformats, size_t *pformatslen); +void tls1_get_group_list(const SSL *s, int client_groups, + const uint16_t **pgroups, size_t *pgroupslen); int tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len, const int *groups, size_t ngroups); int tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len, const char *groups); -int tls1_ec_curve_id2nid(const uint16_t curve_id); -uint16_t tls1_ec_nid2curve_id(const int nid); -int tls1_check_curve(SSL *s, const uint16_t group_id); -int tls1_get_shared_curve(SSL *s); +int tls1_ec_group_id2nid(uint16_t group_id, int *out_nid); +int tls1_ec_group_id2bits(uint16_t group_id, int *out_bits); +int tls1_ec_nid2group_id(int nid, uint16_t *out_group_id); +int tls1_check_group(SSL *s, uint16_t group_id); +int tls1_count_shared_groups(const SSL *ssl, size_t *out_count); +int tls1_get_shared_group_by_index(const SSL *ssl, size_t index, int *out_nid); +int tls1_get_supported_group(const SSL *s, int *out_nid); int ssl_check_clienthello_tlsext_early(SSL *s); int ssl_check_clienthello_tlsext_late(SSL *s); @@ -1525,6 +1534,8 @@ int srtp_find_profile_by_num(unsigned int profile_num, #endif /* OPENSSL_NO_SRTP */ +int tls_process_peer_certs(SSL *s, STACK_OF(X509) *peer_certs); + __END_HIDDEN_DECLS -#endif +#endif /* !HEADER_SSL_LOCL_H */ diff --git a/ssl/ssl_methods.c b/ssl/ssl_methods.c index d8ffbb7..dac2801 100644 --- a/ssl/ssl_methods.c +++ b/ssl/ssl_methods.c 
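Review bot: `int tls1_check_group(SSL *s, uint16_t group_id);` is the only one of the new group helpers that takes a non-const SSL while its siblings (tls1_count_shared_groups, tls1_get_shared_group_by_index, tls1_get_supported_group, tls1_get_group_list) were all made const in this same hunk; if it does not mutate the SSL, `int tls1_check_group(const SSL *s, uint16_t group_id);` keeps the API uniform. The closing guard comment `#endif /* !HEADER_SSL_LOCL_H */` still names the pre-rename header; if the guard macro at the top of the file (outside this chunk) was renamed with the file, the comment should follow.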
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_methods.c,v 1.28 2021/07/26 03:17:38 jsing Exp $ */ +/* $OpenBSD: ssl_methods.c,v 1.29 2022/11/26 16:08:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,8 +56,8 @@ * [including the GNU Public Licence.] */ -#include "dtls_locl.h" -#include "ssl_locl.h" +#include "dtls_local.h" +#include "ssl_local.h" #include "tls13_internal.h" static const SSL_METHOD DTLS_method_data = { diff --git a/ssl/ssl_packet.c b/ssl/ssl_packet.c index 091685b..70017b4 100644 --- a/ssl/ssl_packet.c +++ b/ssl/ssl_packet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_packet.c,v 1.13 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: ssl_packet.c,v 1.15 2022/11/26 16:08:56 tb Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * @@ -16,7 +16,7 @@ */ #include "bytestring.h" -#include "ssl_locl.h" +#include "ssl_local.h" static int ssl_is_sslv2_client_hello(CBS *header) @@ -84,7 +84,7 @@ ssl_convert_sslv2_client_hello(SSL *s) memset(&cbb, 0, sizeof(cbb)); - CBS_init(&cbs, s->internal->packet, SSL3_RT_HEADER_LENGTH); + CBS_init(&cbs, s->packet, SSL3_RT_HEADER_LENGTH); if (!CBS_get_u16(&cbs, &record_length) || !CBS_get_u8(&cbs, &message_type) || 
@@ -119,17 +119,17 @@ ssl_convert_sslv2_client_hello(SSL *s) if (n != record_length + 2) return n; - tls1_transcript_record(s, s->internal->packet + 2, - s->internal->packet_length - 2); - s->internal->mac_packet = 0; + tls1_transcript_record(s, s->packet + 2, + s->packet_length - 2); + s->mac_packet = 0; - if (s->internal->msg_callback) - s->internal->msg_callback(0, SSL2_VERSION, 0, - s->internal->packet + 2, s->internal->packet_length - 2, s, - s->internal->msg_callback_arg); + if (s->msg_callback) + s->msg_callback(0, SSL2_VERSION, 0, + s->packet + 2, s->packet_length - 2, s, + s->msg_callback_arg); /* Decode the SSLv2 record containing the client hello. */ - CBS_init(&cbs, s->internal->packet, s->internal->packet_length); + CBS_init(&cbs, s->packet, s->packet_length); if (!CBS_get_u16(&cbs, &record_length)) return -1; @@ -212,9 +212,9 @@ ssl_convert_sslv2_client_hello(SSL *s) if (data_len > s->s3->rbuf.len) goto err; - s->internal->packet = s->s3->rbuf.buf; - s->internal->packet_length = data_len; - memcpy(s->internal->packet, data, data_len); + s->packet = s->s3->rbuf.buf; + s->packet_length = data_len; + memcpy(s->packet, data, data_len); ret = 1; err: @@ -240,7 +240,7 @@ ssl_server_legacy_first_packet(SSL *s) if (SSL_is_dtls(s)) return 1; - CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH); + CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH); if (ssl_is_sslv3_handshake(&header) == 1) return 1; diff --git a/ssl/ssl_pkt.c b/ssl/ssl_pkt.c index 3dd0269..728ac14 100644 --- a/ssl/ssl_pkt.c +++ b/ssl/ssl_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_pkt.c,v 1.58 2022/03/26 15:05:53 jsing Exp $ */ +/* $OpenBSD: ssl_pkt.c,v 1.65 2022/11/26 16:08:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -110,14 +110,16 @@ */ #include +#include #include #include #include #include "bytestring.h" -#include "dtls_locl.h" -#include "ssl_locl.h" +#include "dtls_local.h" +#include "ssl_local.h" +#include "tls_content.h" static int do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len); @@ -136,16 +138,16 @@ ssl_force_want_read(SSL *s) BIO_clear_retry_flags(bio); BIO_set_retry_read(bio); - s->internal->rwstate = SSL_READING; + s->rwstate = SSL_READING; } /* * If extend == 0, obtain new n-byte packet; if extend == 1, increase * packet by another n bytes. * The packet will be in the sub-array of s->s3->rbuf.buf specified - * by s->internal->packet and s->internal->packet_length. - * (If s->internal->read_ahead is set, 'max' bytes may be stored in rbuf - * [plus s->internal->packet_length bytes if extend == 1].) + * by s->packet and s->packet_length. + * (If s->read_ahead is set, 'max' bytes may be stored in rbuf + * [plus s->packet_length bytes if extend == 1].) */ static int ssl3_read_n(SSL *s, int n, int max, int extend) @@ -158,9 +160,12 @@ ssl3_read_n(SSL *s, int n, int max, int extend) if (n <= 0) return n; - if (rb->buf == NULL) + if (rb->buf == NULL) { if (!ssl3_setup_read_buffer(s)) return -1; + } + if (rb->buf == NULL) + return -1; left = rb->left; align = (size_t)rb->buf + SSL3_RT_HEADER_LENGTH; @@ -187,8 +192,8 @@ ssl3_read_n(SSL *s, int n, int max, int extend) rb->offset = align; } } - s->internal->packet = rb->buf + rb->offset; - s->internal->packet_length = 0; + s->packet = rb->buf + rb->offset; + s->packet_length = 0; /* ... now we can act as if 'extend' was set */ } @@ -202,7 +207,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) /* if there is enough in the buffer from a previous read, take some */ if (left >= n) { - s->internal->packet_length += n; + s->packet_length += n; rb->left = left - n; rb->offset += n; return (n); 
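Review bot: The second `if (rb->buf == NULL) return -1;` added after the ssl3_setup_read_buffer call is reachable only if setup can report success without providing a buffer, and nothing in the hunk says whether that is possible or merely defensive; a comment such as `/* Never proceed without a read buffer, even if setup claimed success. */` records the intent so a later cleanup does not remove it as dead code. Adding braces around the nested if also fixes the previous dangling-if shape, which is good. ssl3_read_n continues past the end of this hunk.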
@@ -210,15 +215,15 @@ ssl3_read_n(SSL *s, int n, int max, int extend) /* else we need to read more data */ - len = s->internal->packet_length; + len = s->packet_length; pkt = rb->buf + align; /* Move any available bytes to front of buffer: * 'len' bytes already pointed to by 'packet', * 'left' extra ones at the end */ - if (s->internal->packet != pkt) { + if (s->packet != pkt) { /* len > 0 */ - memmove(pkt, s->internal->packet, len + left); - s->internal->packet = pkt; + memmove(pkt, s->packet, len + left); + s->packet = pkt; rb->offset = len + align; } @@ -228,7 +233,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) return -1; } - if (s->internal->read_ahead || SSL_is_dtls(s)) { + if (s->read_ahead || SSL_is_dtls(s)) { if (max < n) max = n; if (max > (int)(rb->len - rb->offset)) @@ -245,7 +250,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) errno = 0; if (s->rbio != NULL) { - s->internal->rwstate = SSL_READING; + s->rwstate = SSL_READING; i = BIO_read(s->rbio, pkt + len + left, max - left); } else { SSLerror(s, SSL_R_READ_BIO_NOT_SET); @@ -254,7 +259,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend) if (i <= 0) { rb->left = left; - if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && + if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_is_dtls(s)) { if (len + left == 0) ssl3_release_read_buffer(s); @@ -277,8 +282,8 @@ ssl3_read_n(SSL *s, int n, int max, int extend) /* done reading, now the book-keeping */ rb->offset += n; rb->left = left - n; - s->internal->packet_length += n; - s->internal->rwstate = SSL_NOTHING; + s->packet_length += n; + s->rwstate = SSL_NOTHING; return (n); } @@ -291,8 +296,8 @@ ssl3_packet_read(SSL *s, int plen) n = ssl3_read_n(s, plen, s->s3->rbuf.len, 0); if (n <= 0) return n; - if (s->internal->packet_length < plen) - return s->internal->packet_length; + if (s->packet_length < plen) + return s->packet_length; return plen; } 
@@ -302,15 +307,15 @@ ssl3_packet_extend(SSL *s, int plen) { int rlen, n; - if (s->internal->packet_length >= plen) + if (s->packet_length >= plen) return plen; - rlen = plen - s->internal->packet_length; + rlen = plen - s->packet_length; n = ssl3_read_n(s, rlen, rlen, 1); if (n <= 0) return n; - if (s->internal->packet_length < plen) - return s->internal->packet_length; + if (s->packet_length < plen) + return s->packet_length; return plen; } @@ -319,9 +324,9 @@ ssl3_packet_extend(SSL *s, int plen) * It will return <= 0 if more data is needed, normally due to an error * or non-blocking IO. * When it finishes, one packet has been decoded and can be found in - * ssl->s3->internal->rrec.type - is the type of record - * ssl->s3->internal->rrec.data, - data - * ssl->s3->internal->rrec.length, - number of bytes + * ssl->s3->rrec.type - is the type of record + * ssl->s3->rrec.data, - data + * ssl->s3->rrec.length, - number of bytes */ /* used only by ssl3_read_bytes */ static int @@ -330,15 +335,13 @@ ssl3_get_record(SSL *s) SSL3_BUFFER_INTERNAL *rb = &(s->s3->rbuf); SSL3_RECORD_INTERNAL *rr = &(s->s3->rrec); uint8_t alert_desc; - uint8_t *out; - size_t out_len; int al, n; int ret = -1; again: /* check if we have the header */ - if ((s->internal->rstate != SSL_ST_READ_BODY) || - (s->internal->packet_length < SSL3_RT_HEADER_LENGTH)) { + if ((s->rstate != SSL_ST_READ_BODY) || + (s->packet_length < SSL3_RT_HEADER_LENGTH)) { CBS header; uint16_t len, ssl_version; uint8_t type; 
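Review bot: The reworded comment above ssl3_get_record still tells readers that the decoded record is found in `ssl->s3->rrec.data` and `ssl->s3->rrec.length`, but the hunk at -423 in this same file stops assigning `rr->data`, `rr->length` and `rr->off` and delivers the plaintext through `s->s3->rcontent` instead, so the comment now points at a field that only holds the wire header values. Rewrite it to say that rrec.type and rrec.length describe the record header and the opened content is read from s->s3->rcontent. Because `rr->length` is still set from the header earlier in the function, any remaining consumer that reads it as the plaintext length would see the ciphertext length; I cannot see such a consumer here, so please confirm none is left.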
@@ -347,16 +350,16 @@ ssl3_get_record(SSL *s) if (n <= 0) return (n); - s->internal->mac_packet = 1; - s->internal->rstate = SSL_ST_READ_BODY; + s->mac_packet = 1; + s->rstate = SSL_ST_READ_BODY; - if (s->server && s->internal->first_packet) { + if (s->server && s->first_packet) { if ((ret = ssl_server_legacy_first_packet(s)) != 1) return (ret); ret = -1; } - CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH); + CBS_init(&header, s->packet, SSL3_RT_HEADER_LENGTH); /* Pull apart the header into the SSL3_RECORD_INTERNAL */ if (!CBS_get_u8(&header, &type) || @@ -370,9 +373,9 @@ ssl3_get_record(SSL *s) rr->length = len; /* Lets check version */ - if (!s->internal->first_packet && ssl_version != s->version) { + if (!s->first_packet && ssl_version != s->version) { if ((s->version & 0xFF00) == (ssl_version & 0xFF00) && - !tls12_record_layer_write_protected(s->internal->rl)) { + !tls12_record_layer_write_protected(s->rl)) { /* Send back error using their minor version number :-) */ s->version = ssl_version; } @@ -399,17 +402,17 @@ ssl3_get_record(SSL *s) if (n != SSL3_RT_HEADER_LENGTH + rr->length) return (n); - s->internal->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ + s->rstate = SSL_ST_READ_HEADER; /* set state for later operations */ /* * A full record has now been read from the wire, which now needs * to be processed. */ - tls12_record_layer_set_version(s->internal->rl, s->version); + tls12_record_layer_set_version(s->rl, s->version); - if (!tls12_record_layer_open_record(s->internal->rl, s->internal->packet, - s->internal->packet_length, &out, &out_len)) { - tls12_record_layer_alert(s->internal->rl, &alert_desc); + if (!tls12_record_layer_open_record(s->rl, s->packet, s->packet_length, + s->s3->rcontent)) { + tls12_record_layer_alert(s->rl, &alert_desc); if (alert_desc == 0) goto err; 
@@ -423,14 +426,10 @@ ssl3_get_record(SSL *s) goto fatal_err; } - rr->data = out; - rr->length = out_len; - rr->off = 0; - /* we have pulled in a full packet so zero things */ - s->internal->packet_length = 0; + s->packet_length = 0; - if (rr->length == 0) { + if (tls_content_remaining(s->s3->rcontent) == 0) { /* * Zero-length fragments are only permitted for application * data, as per RFC 5246 section 6.2.1. @@ -441,23 +440,25 @@ ssl3_get_record(SSL *s) goto fatal_err; } + tls_content_clear(s->s3->rcontent); + /* * CBC countermeasures for known IV weaknesses can legitimately * insert a single empty record, so we allow ourselves to read * once past a single empty record without forcing want_read. */ - if (s->internal->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) { + if (s->empty_record_count++ > SSL_MAX_EMPTY_RECORDS) { SSLerror(s, SSL_R_PEER_BEHAVING_BADLY); return -1; } - if (s->internal->empty_record_count > 1) { + if (s->empty_record_count > 1) { ssl_force_want_read(s); return -1; } goto again; } - s->internal->empty_record_count = 0; + s->empty_record_count = 0; return (1); @@ -482,12 +483,12 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) return -1; } - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; tot = s->s3->wnum; s->s3->wnum = 0; - if (SSL_in_init(s) && !s->internal->in_handshake) { - i = s->internal->handshake_func(s); + if (SSL_in_init(s) && !s->in_handshake) { + i = s->handshake_func(s); if (i < 0) return (i); if (i == 0) { @@ -512,7 +513,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) } if ((i == (int)n) || (type == SSL3_RT_APPLICATION_DATA && - (s->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) { + (s->mode & SSL_MODE_ENABLE_PARTIAL_WRITE))) { /* * Next chunk of data should get another prepended * empty fragment in ciphersuites with known-IV 
@@ -573,7 +574,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) */ version = s->version; if (s->s3->hs.state == SSL3_ST_CW_CLNT_HELLO_B && - !s->internal->renegotiate && + !s->renegotiate && s->s3->hs.our_max_tls_version > TLS1_VERSION) version = TLS1_VERSION; @@ -582,7 +583,7 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) * (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this * is unnecessary for AEAD. */ - if (sess != NULL && tls12_record_layer_write_protected(s->internal->rl)) { + if (sess != NULL && tls12_record_layer_write_protected(s->rl)) { if (s->s3->need_empty_fragments && !s->s3->empty_fragment_done && type == SSL3_RT_APPLICATION_DATA) @@ -603,16 +604,16 @@ do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) if (!CBB_init_fixed(&cbb, wb->buf + align, wb->len - align)) goto err; - tls12_record_layer_set_version(s->internal->rl, version); + tls12_record_layer_set_version(s->rl, version); if (need_empty_fragment) { - if (!tls12_record_layer_seal_record(s->internal->rl, type, + if (!tls12_record_layer_seal_record(s->rl, type, buf, 0, &cbb)) goto err; s->s3->empty_fragment_done = 1; } - if (!tls12_record_layer_seal_record(s->internal->rl, type, buf, len, &cbb)) + if (!tls12_record_layer_seal_record(s->rl, type, buf, len, &cbb)) goto err; if (!CBB_finish(&cbb, NULL, &out_len)) @@ -647,7 +648,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) /* XXXX */ if ((s->s3->wpend_tot > (int)len) || ((s->s3->wpend_buf != buf) && - !(s->internal->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) || + !(s->mode & SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER)) || (s->s3->wpend_type != type)) { SSLerror(s, SSL_R_BAD_WRITE_RETRY); return (-1); 
@@ -656,7 +657,7 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) for (;;) { errno = 0; if (s->wbio != NULL) { - s->internal->rwstate = SSL_WRITING; + s->rwstate = SSL_WRITING; i = BIO_write(s->wbio, (char *)&(wb->buf[wb->offset]), (unsigned int)wb->left); } else { @@ -666,10 +667,10 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) if (i == wb->left) { wb->left = 0; wb->offset += i; - if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && + if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_is_dtls(s)) ssl3_release_write_buffer(s); - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; return (s->s3->wpend_ret); } else if (i <= 0) { /* @@ -685,11 +686,22 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) } } +static ssize_t +ssl3_read_cb(void *buf, size_t n, void *cb_arg) +{ + SSL *s = cb_arg; + + return tls_content_read(s->s3->rcontent, buf, n); +} + +#define SSL3_ALERT_LENGTH 2 + int ssl3_read_alert(SSL *s) { - SSL3_RECORD_INTERNAL *rr = &s->s3->rrec; uint8_t alert_level, alert_descr; + ssize_t ret; + CBS cbs; /* * TLSv1.2 permits an alert to be fragmented across multiple records or 
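Review bot: The new `#define SSL3_ALERT_LENGTH 2` and `ssl3_read_cb()` in the -685 hunk carry no comment saying what the constant is or what the callback's contract is. I'd add `/* An alert is two octets: AlertLevel then AlertDescription (RFC 5246, 7.2). */` above the define, and above ssl3_read_cb `/* tls_buffer read callback: drains bytes from the current record content; cb_arg is the SSL. */`. Since the parallel SSL3_HM_HEADER_LENGTH used in the -828 hunk is presumably defined in a header, it may be cleaner to keep SSL3_ALERT_LENGTH next to it rather than in this .c file. ssl3_read_alert, which begins at the end of this hunk, continues in the next one.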
@@ -698,13 +710,17 @@ ssl3_read_alert(SSL *s) * fragmented across multiple records, hence a full alert must be * available in the record. */ - while (rr->length > 0 && - s->s3->alert_fragment_len < sizeof(s->s3->alert_fragment)) { - s->s3->alert_fragment[s->s3->alert_fragment_len++] = - rr->data[rr->off++]; - rr->length--; + if (s->s3->alert_fragment == NULL) { + if ((s->s3->alert_fragment = tls_buffer_new(0)) == NULL) + return -1; + tls_buffer_set_capacity_limit(s->s3->alert_fragment, + SSL3_ALERT_LENGTH); } - if (s->s3->alert_fragment_len < sizeof(s->s3->alert_fragment)) { + ret = tls_buffer_extend(s->s3->alert_fragment, SSL3_ALERT_LENGTH, + ssl3_read_cb, s); + if (ret <= 0 && ret != TLS_IO_WANT_POLLIN) + return -1; + if (ret != SSL3_ALERT_LENGTH) { if (SSL_is_dtls(s)) { SSLerror(s, SSL_R_BAD_LENGTH); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); @@ -713,11 +729,18 @@ ssl3_read_alert(SSL *s) return 1; } - ssl_msg_callback(s, 0, SSL3_RT_ALERT, s->s3->alert_fragment, 2); + if (!tls_buffer_data(s->s3->alert_fragment, &cbs)) + return -1; - alert_level = s->s3->alert_fragment[0]; - alert_descr = s->s3->alert_fragment[1]; - s->s3->alert_fragment_len = 0; + ssl_msg_callback_cbs(s, 0, SSL3_RT_ALERT, &cbs); + + if (!CBS_get_u8(&cbs, &alert_level)) + return -1; + if (!CBS_get_u8(&cbs, &alert_descr)) + return -1; + + tls_buffer_free(s->s3->alert_fragment); + s->s3->alert_fragment = NULL; ssl_info_callback(s, SSL_CB_READ_ALERT, (alert_level << 8) | alert_descr); @@ -725,7 +748,7 @@ ssl3_read_alert(SSL *s) if (alert_level == SSL3_AL_WARNING) { s->s3->warn_alert = alert_descr; if (alert_descr == SSL_AD_CLOSE_NOTIFY) { - s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; + s->shutdown |= SSL_RECEIVED_SHUTDOWN; return 0; } /* We requested renegotiation and the peer rejected it. */ 
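Review bot: `if (ret <= 0 && ret != TLS_IO_WANT_POLLIN) return -1;` in the -698 hunk treats a zero return from tls_buffer_extend() as fatal, and whether the read callback reports an exhausted record as 0 or as TLS_IO_WANT_POLLIN is not visible here (ssl3_read_cb simply forwards tls_content_read's result). If it is 0, an alert whose two octets arrive in separate records — which the comment just above the hunk says TLSv1.2 permits — would now tear down the connection instead of returning 1 and waiting for the next record as the removed copy loop did; confirm tls_content_read's empty-content return value, or map 0 onto the wait path explicitly. The same construct is used for the handshake header in the -828 hunk of ssl3_read_handshake_unexpected. The partially filled s->s3->alert_fragment left behind on the early `return 1` is presumably meant to persist across calls, and the comment above the function could say so.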
@@ -736,11 +759,11 @@ ssl3_read_alert(SSL *s) return -1; } } else if (alert_level == SSL3_AL_FATAL) { - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; s->s3->fatal_alert = alert_descr; SSLerror(s, SSL_AD_REASON_OFFSET + alert_descr); ERR_asprintf_error_data("SSL alert number %d", alert_descr); - s->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; + s->shutdown |= SSL_RECEIVED_SHUTDOWN; SSL_CTX_remove_session(s->ctx, s->session); return 0; } else { @@ -755,18 +778,18 @@ ssl3_read_alert(SSL *s) int ssl3_read_change_cipher_spec(SSL *s) { - SSL3_RECORD_INTERNAL *rr = &s->s3->rrec; + const uint8_t ccs[1] = { SSL3_MT_CCS }; /* * 'Change Cipher Spec' is just a single byte, so we know exactly what * the record payload has to look like. */ - if (rr->length != 1 || rr->off != 0) { + if (tls_content_remaining(s->s3->rcontent) != sizeof(ccs)) { SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); return -1; } - if (rr->data[0] != SSL3_MT_CCS) { + if (!tls_content_equal(s->s3->rcontent, ccs, sizeof(ccs))) { SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_ILLEGAL_PARAMETER); return -1; @@ -774,7 +797,8 @@ ssl3_read_change_cipher_spec(SSL *s) /* XDTLS: check that epoch is consistent */ - ssl_msg_callback(s, 0, SSL3_RT_CHANGE_CIPHER_SPEC, rr->data, 1); + ssl_msg_callback_cbs(s, 0, SSL3_RT_CHANGE_CIPHER_SPEC, + tls_content_cbs(s->s3->rcontent)); /* Check that we have a cipher to change to. */ if (s->s3->hs.cipher == NULL) { @@ -791,7 +815,7 @@ ssl3_read_change_cipher_spec(SSL *s) * handshake messages are still missing, so just * drop it. */ - rr->length = 0; + tls_content_clear(s->s3->rcontent); return 1; } s->d1->change_cipher_spec_ok = 0; @@ -805,7 +829,7 @@ ssl3_read_change_cipher_spec(SSL *s) s->s3->flags &= ~SSL3_FLAGS_CCS_OK; } - rr->length = 0; + tls_content_clear(s->s3->rcontent); s->s3->change_cipher_spec = 1; if (!ssl3_do_change_cipher_spec(s)) 
@@ -817,9 +841,9 @@ ssl3_read_change_cipher_spec(SSL *s) static int ssl3_read_handshake_unexpected(SSL *s) { - SSL3_RECORD_INTERNAL *rr = &s->s3->rrec; uint32_t hs_msg_length; uint8_t hs_msg_type; + ssize_t ssret; CBS cbs; int ret; @@ -828,17 +852,20 @@ ssl3_read_handshake_unexpected(SSL *s) * header - this may be in the same record or fragmented across multiple * records. */ - while (rr->length > 0 && - s->s3->handshake_fragment_len < sizeof(s->s3->handshake_fragment)) { - s->s3->handshake_fragment[s->s3->handshake_fragment_len++] = - rr->data[rr->off++]; - rr->length--; + if (s->s3->handshake_fragment == NULL) { + if ((s->s3->handshake_fragment = tls_buffer_new(0)) == NULL) + return -1; + tls_buffer_set_capacity_limit(s->s3->handshake_fragment, + SSL3_HM_HEADER_LENGTH); } - - if (s->s3->handshake_fragment_len < sizeof(s->s3->handshake_fragment)) + ssret = tls_buffer_extend(s->s3->handshake_fragment, SSL3_HM_HEADER_LENGTH, + ssl3_read_cb, s); + if (ssret <= 0 && ssret != TLS_IO_WANT_POLLIN) + return -1; + if (ssret != SSL3_HM_HEADER_LENGTH) return 1; - if (s->internal->in_handshake) { + if (s->in_handshake) { SSLerror(s, ERR_R_INTERNAL_ERROR); return -1; } @@ -850,7 +877,8 @@ ssl3_read_handshake_unexpected(SSL *s) */ /* Parse handshake message header. */ - CBS_init(&cbs, s->s3->handshake_fragment, s->s3->handshake_fragment_len); + if (!tls_buffer_data(s->s3->handshake_fragment, &cbs)) + return -1; if (!CBS_get_u8(&cbs, &hs_msg_type)) return -1; if (!CBS_get_u24(&cbs, &hs_msg_length)) @@ -876,10 +904,12 @@ ssl3_read_handshake_unexpected(SSL *s) return -1; } - ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, - s->s3->handshake_fragment, s->s3->handshake_fragment_len); + if (!tls_buffer_data(s->s3->handshake_fragment, &cbs)) + return -1; + ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE, &cbs); - s->s3->handshake_fragment_len = 0; + tls_buffer_free(s->s3->handshake_fragment); + s->s3->handshake_fragment = NULL; /* * It should be impossible to hit this, but keep the safety 
@@ -928,7 +958,7 @@ ssl3_read_handshake_unexpected(SSL *s) return -1; } - if ((s->internal->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) { + if ((s->options & SSL_OP_NO_CLIENT_RENEGOTIATION) != 0) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_NO_RENEGOTIATION); return -1; @@ -948,8 +978,8 @@ ssl3_read_handshake_unexpected(SSL *s) } s->s3->hs.state = SSL_ST_ACCEPT; - s->internal->renegotiate = 1; - s->internal->new_session = 1; + s->renegotiate = 1; + s->new_session = 1; } else { SSLerror(s, SSL_R_UNEXPECTED_MESSAGE); @@ -957,14 +987,14 @@ ssl3_read_handshake_unexpected(SSL *s) return -1; } - if ((ret = s->internal->handshake_func(s)) < 0) + if ((ret = s->handshake_func(s)) < 0) return ret; if (ret == 0) { SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); return -1; } - if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { + if (!(s->mode & SSL_MODE_AUTO_RETRY)) { if (s->s3->rbuf.left == 0) { ssl_force_want_read(s); return -1; @@ -1008,9 +1038,8 @@ ssl3_read_handshake_unexpected(SSL *s) int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) { - SSL3_RECORD_INTERNAL *rr; int rrcount = 0; - unsigned int n; + ssize_t ssret; int ret; if (s->s3->rbuf.buf == NULL) { @@ -1018,6 +1047,11 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return -1; } + if (s->s3->rcontent == NULL) { + if ((s->s3->rcontent = tls_content_new()) == NULL) + return -1; + } + if (len < 0) { SSLerror(s, ERR_R_INTERNAL_ERROR); return -1; 
@@ -1033,28 +1067,25 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return -1; } - if (type == SSL3_RT_HANDSHAKE && s->s3->handshake_fragment_len > 0) { - /* Partially satisfy request from fragment storage. */ - unsigned char *src = s->s3->handshake_fragment; - unsigned char *dst = buf; - unsigned int k; + if (type == SSL3_RT_HANDSHAKE && + s->s3->handshake_fragment != NULL && + tls_buffer_remaining(s->s3->handshake_fragment) > 0) { + ssize_t ssn; - /* peek == 0 */ - n = 0; - while (len > 0 && s->s3->handshake_fragment_len > 0) { - *dst++ = *src++; - len--; - s->s3->handshake_fragment_len--; - n++; + if ((ssn = tls_buffer_read(s->s3->handshake_fragment, buf, + len)) <= 0) + return -1; + + if (tls_buffer_remaining(s->s3->handshake_fragment) == 0) { + tls_buffer_free(s->s3->handshake_fragment); + s->s3->handshake_fragment = NULL; } - /* move any remaining fragment bytes: */ - for (k = 0; k < s->s3->handshake_fragment_len; k++) - s->s3->handshake_fragment[k] = *src++; - return n; + + return (int)ssn; } - if (SSL_in_init(s) && !s->internal->in_handshake) { - if ((ret = s->internal->handshake_func(s)) < 0) + if (SSL_in_init(s) && !s->in_handshake) { + if ((ret = s->handshake_func(s)) < 0) return ret; if (ret == 0) { SSLerror(s, SSL_R_SSL_HANDSHAKE_FAILURE); 
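Review bot: The fragment-drain path in the -1033 hunk drops the old `/* peek == 0 */` marker, so it is no longer stated that `peek` is not honoured when a handshake read is satisfied from s->s3->handshake_fragment (tls_buffer_read presumably consumes the bytes regardless of the flag). I'd restore a comment before the tls_buffer_read() call: `/* Fragment bytes are consumed unconditionally; peek is not honoured here. */`. The read passes `len` straight through as a size, which is only safe because of the `len < 0` rejection in the -1018 hunk; a comment tying the two together would help the next reader. ssl3_read_bytes continues past the end of this hunk.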
@@ -1076,18 +1107,17 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) return -1; } - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; - rr = &s->s3->rrec; - - if (rr->length == 0 || s->internal->rstate == SSL_ST_READ_BODY) { + if (tls_content_remaining(s->s3->rcontent) == 0) { if ((ret = ssl3_get_record(s)) <= 0) return ret; } /* We now have a packet which can be read and processed. */ - if (s->s3->change_cipher_spec && rr->type != SSL3_RT_HANDSHAKE) { + if (s->s3->change_cipher_spec && + tls_content_type(s->s3->rcontent) != SSL3_RT_HANDSHAKE) { SSLerror(s, SSL_R_DATA_BETWEEN_CCS_AND_FINISHED); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); return -1; @@ -1097,20 +1127,21 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) * If the other end has shut down, throw anything we read away (even in * 'peek' mode). */ - if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) { - s->internal->rwstate = SSL_NOTHING; - rr->length = 0; + if (s->shutdown & SSL_RECEIVED_SHUTDOWN) { + s->rwstate = SSL_NOTHING; + tls_content_clear(s->s3->rcontent); + s->s3->rrec.length = 0; return 0; } /* SSL3_RT_APPLICATION_DATA or SSL3_RT_HANDSHAKE */ - if (type == rr->type) { + if (tls_content_type(s->s3->rcontent) == type) { /* * Make sure that we are not getting application data when we * are doing a handshake for the first time. */ if (SSL_in_init(s) && type == SSL3_RT_APPLICATION_DATA && - !tls12_record_layer_read_protected(s->internal->rl)) { + !tls12_record_layer_read_protected(s->rl)) { SSLerror(s, SSL_R_APP_DATA_IN_HANDSHAKE); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_UNEXPECTED_MESSAGE); 
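Review bot: The shutdown branch in the -1097 hunk clears the record twice, `tls_content_clear(s->s3->rcontent);` followed by `s->s3->rrec.length = 0;`, which keeps two sources of truth for "this record is consumed" alive after the rest of the function has moved to tls_content_remaining(). If rrec.length is still read somewhere not visible here, a comment naming that consumer would help; if it is not, the assignment should go, here and in the matching SSL_SENT_SHUTDOWN branch of the -1120 hunk. Separately, the -1076 hunk drops the `s->internal->rstate == SSL_ST_READ_BODY` half of the refill condition; that is only equivalent if a partially read record body never leaves bytes in rcontent, which appears to hold since rcontent is filled only once tls12_record_layer_open_record() succeeds, but a one-line comment stating that invariant would be worthwhile.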
@@ -1120,46 +1151,41 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) if (len <= 0) return len; - if ((unsigned int)len > rr->length) - n = rr->length; - else - n = (unsigned int)len; + if (peek) { + ssret = tls_content_peek(s->s3->rcontent, buf, len); + } else { + ssret = tls_content_read(s->s3->rcontent, buf, len); + } + if (ssret < INT_MIN || ssret > INT_MAX) + return -1; + if (ssret < 0) + return (int)ssret; - memcpy(buf, &rr->data[rr->off], n); - if (!peek) { - memset(&rr->data[rr->off], 0, n); - rr->length -= n; - rr->off += n; - if (rr->length == 0) { - s->internal->rstate = SSL_ST_READ_HEADER; - rr->off = 0; - if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && - s->s3->rbuf.left == 0) - ssl3_release_read_buffer(s); - } + if (tls_content_remaining(s->s3->rcontent) == 0) { + s->rstate = SSL_ST_READ_HEADER; + + if (s->mode & SSL_MODE_RELEASE_BUFFERS && + s->s3->rbuf.left == 0) + ssl3_release_read_buffer(s); } - return n; + return ssret; } - /* - * If we get here, then type != rr->type; if we have a handshake - * message, then it was unexpected (Hello Request or Client Hello). - */ - - if (rr->type == SSL3_RT_ALERT) { + if (tls_content_type(s->s3->rcontent) == SSL3_RT_ALERT) { if ((ret = ssl3_read_alert(s)) <= 0) return ret; goto start; } - if (s->internal->shutdown & SSL_SENT_SHUTDOWN) { - s->internal->rwstate = SSL_NOTHING; - rr->length = 0; + if (s->shutdown & SSL_SENT_SHUTDOWN) { + s->rwstate = SSL_NOTHING; + tls_content_clear(s->s3->rcontent); + s->s3->rrec.length = 0; return 0; } - if (rr->type == SSL3_RT_APPLICATION_DATA) { + if (tls_content_type(s->s3->rcontent) == SSL3_RT_APPLICATION_DATA) { /* * At this point, we were expecting handshake data, but have * application data. If the library was running inside 
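Review bot: The old read path zeroed consumed plaintext with `memset(&rr->data[rr->off], 0, n)` before advancing; the replacement `tls_content_read(s->s3->rcontent, buf, len)` in the -1120 hunk has no visible equivalent, so unless tls_content_read() scrubs what it hands out, decrypted application data now stays in the record buffer until it is overwritten or the content object is cleared. Confirm that scrubbing moved into tls_content (or into tls_content_clear()) and note it in a comment here, since the removed comment about unexpected handshake messages was the only explanation in this region. As a style point, the final `return ssret;` narrows ssize_t to int implicitly right after the explicit INT_MIN/INT_MAX range check; `return (int)ssret;` would match the `(int)ssn` in the handshake-fragment path of the -1033 hunk.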
@@ -1185,13 +1211,13 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } } - if (rr->type == SSL3_RT_CHANGE_CIPHER_SPEC) { + if (tls_content_type(s->s3->rcontent) == SSL3_RT_CHANGE_CIPHER_SPEC) { if ((ret = ssl3_read_change_cipher_spec(s)) <= 0) return ret; goto start; } - if (rr->type == SSL3_RT_HANDSHAKE) { + if (tls_content_type(s->s3->rcontent) == SSL3_RT_HANDSHAKE) { if ((ret = ssl3_read_handshake_unexpected(s)) <= 0) return ret; goto start; @@ -1202,7 +1228,7 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) * earlier versions silently ignore the record. */ if (ssl_effective_tls_version(s) <= TLS1_1_VERSION) { - rr->length = 0; + tls_content_clear(s->s3->rcontent); goto start; } SSLerror(s, SSL_R_UNEXPECTED_RECORD); diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index f5c90fc..f84315b 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_rsa.c,v 1.39 2022/02/03 16:33:12 jsing Exp $ */ +/* $OpenBSD: ssl_rsa.c,v 1.49 2022/11/26 16:08:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -64,14 +64,15 @@ #include #include -#include "ssl_locl.h" +#include "ssl_local.h" -static int ssl_set_cert(SSL_CERT *c, X509 *x509); -static int ssl_set_pkey(SSL_CERT *c, EVP_PKEY *pkey); -static int use_certificate_chain_bio(BIO *in, SSL_CERT *cert, - pem_password_cb *passwd_cb, void *passwd_arg); -static int use_certificate_chain_file(const char *file, SSL_CERT *cert, - pem_password_cb *passwd_cb, void *passwd_arg); +static int ssl_get_password_cb_and_arg(SSL_CTX *ctx, SSL *ssl, + pem_password_cb **passwd_cb, void **passwd_arg); +static int ssl_set_cert(SSL_CTX *ctx, SSL *ssl, X509 *x509); +static int ssl_set_pkey(SSL_CTX *ctx, SSL *ssl, EVP_PKEY *pkey); +static int ssl_use_certificate_chain_bio(SSL_CTX *ctx, SSL *ssl, BIO *in); +static int ssl_use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, + const char *file); int SSL_use_certificate(SSL *ssl, X509 *x) 
@@ -80,7 +81,7 @@ SSL_use_certificate(SSL *ssl, X509 *x) SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER); return (0); } - return (ssl_set_cert(ssl->cert, x)); + return ssl_set_cert(NULL, ssl, x); } int @@ -161,14 +162,15 @@ SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) RSA_up_ref(rsa); EVP_PKEY_assign_RSA(pkey, rsa); - ret = ssl_set_pkey(ssl->cert, pkey); + ret = ssl_set_pkey(NULL, ssl, pkey); EVP_PKEY_free(pkey); return (ret); } static int -ssl_set_pkey(SSL_CERT *c, EVP_PKEY *pkey) +ssl_set_pkey(SSL_CTX *ctx, SSL *ssl, EVP_PKEY *pkey) { + SSL_CERT *c; int i; i = ssl_cert_type(pkey); @@ -177,11 +179,22 @@ ssl_set_pkey(SSL_CERT *c, EVP_PKEY *pkey) return (0); } + if ((c = ssl_get0_cert(ctx, ssl)) == NULL) + return (0); + if (c->pkeys[i].x509 != NULL) { EVP_PKEY *pktmp; - pktmp = X509_get_pubkey(c->pkeys[i].x509); + + if ((pktmp = X509_get0_pubkey(c->pkeys[i].x509)) == NULL) + return 0; + + /* + * Callers of EVP_PKEY_copy_parameters() can't distinguish + * errors from the absence of a param_copy() method. So + * pretend it can never fail. + */ EVP_PKEY_copy_parameters(pktmp, pkey); - EVP_PKEY_free(pktmp); + ERR_clear_error(); /* @@ -204,7 +217,7 @@ ssl_set_pkey(SSL_CERT *c, EVP_PKEY *pkey) c->key = &(c->pkeys[i]); c->valid = 0; - return (1); + return 1; } int @@ -272,7 +285,7 @@ SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER); return (0); } - ret = ssl_set_pkey(ssl->cert, pkey); + ret = ssl_set_pkey(NULL, ssl, pkey); return (ret); } 
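Review bot: `ERR_clear_error();` after `EVP_PKEY_copy_parameters(pktmp, pkey);` in the -177 hunk empties the whole thread error queue, not just whatever copy_parameters pushed, so any error a caller queued before SSL_use_PrivateKey()/SSL_CTX_use_PrivateKey() and intended to report afterwards is lost. If that is acceptable the comment above should say so, e.g. append `This also discards any errors already queued by the caller.`; otherwise bracket the call with ERR_set_mark()/ERR_pop_to_mark() so only the new entries are dropped. Minor: the new early `return 0;` after X509_get0_pubkey() and the changed `return 1;` sit in a function that otherwise uses `return (0);`, so one form should be picked for ssl_set_pkey.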
@@ -339,15 +352,38 @@ SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); return (0); } - return (ssl_set_cert(ctx->internal->cert, x)); + return ssl_set_cert(ctx, NULL, x); } static int -ssl_set_cert(SSL_CERT *c, X509 *x) +ssl_get_password_cb_and_arg(SSL_CTX *ctx, SSL *ssl, + pem_password_cb **passwd_cb, void **passwd_arg) { + if (ssl != NULL) + ctx = ssl->ctx; + + *passwd_cb = ctx->default_passwd_callback; + *passwd_arg = ctx->default_passwd_callback_userdata; + + return 1; +} + +static int +ssl_set_cert(SSL_CTX *ctx, SSL *ssl, X509 *x) +{ + SSL_CERT *c; EVP_PKEY *pkey; + int ssl_err; int i; + if (!ssl_security_cert(ctx, ssl, x, 1, &ssl_err)) { + SSLerrorx(ssl_err); + return (0); + } + + if ((c = ssl_get0_cert(ctx, ssl)) == NULL) + return (0); + pkey = X509_get_pubkey(x); if (pkey == NULL) { SSLerrorx(SSL_R_X509_LIB); @@ -475,7 +511,7 @@ SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) RSA_up_ref(rsa); EVP_PKEY_assign_RSA(pkey, rsa); - ret = ssl_set_pkey(ctx->internal->cert, pkey); + ret = ssl_set_pkey(ctx, NULL, pkey); EVP_PKEY_free(pkey); return (ret); } @@ -543,7 +579,7 @@ SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); return (0); } - return (ssl_set_pkey(ctx->internal->cert, pkey)); + return ssl_set_pkey(ctx, NULL, pkey); } int 
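Review bot: ssl_get_password_cb_and_arg() in the -339 hunk dereferences `ctx` unconditionally after `if (ssl != NULL) ctx = ssl->ctx;`, and it returns 1 on every path, so the int result that ssl_use_certificate_chain_bio() checks in the -610 hunk can never signal anything. Every caller visible here passes exactly one of ctx/ssl non-NULL, but a guard `if (ctx == NULL) return 0;` after the assignment would give the return value a meaning and turn a future misuse into a clean failure rather than a NULL dereference. The new `ssl_security_cert(ctx, ssl, x, 1, &ssl_err)` call in ssl_set_cert() is a behaviour change worth documenting on the function: a certificate that fails the configured security level is now rejected at install time, before ssl_get0_cert() is even consulted, with the reason taken from out_error. ssl_set_cert continues past the end of the hunk.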
@@ -610,29 +646,33 @@ SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d, * sent to the peer in the Certificate message. */ static int -use_certificate_chain_bio(BIO *in, SSL_CERT *cert, pem_password_cb *passwd_cb, - void *passwd_arg) +ssl_use_certificate_chain_bio(SSL_CTX *ctx, SSL *ssl, BIO *in) { + pem_password_cb *passwd_cb; + void *passwd_arg; X509 *ca, *x = NULL; unsigned long err; int ret = 0; + if (!ssl_get_password_cb_and_arg(ctx, ssl, &passwd_cb, &passwd_arg)) + goto err; + if ((x = PEM_read_bio_X509_AUX(in, NULL, passwd_cb, passwd_arg)) == NULL) { SSLerrorx(ERR_R_PEM_LIB); goto err; } - if (!ssl_set_cert(cert, x)) + if (!ssl_set_cert(ctx, ssl, x)) goto err; - if (!ssl_cert_set0_chain(cert, NULL)) + if (!ssl_cert_set0_chain(ctx, ssl, NULL)) goto err; /* Process any additional CA certificates. */ while ((ca = PEM_read_bio_X509(in, NULL, passwd_cb, passwd_arg)) != NULL) { - if (!ssl_cert_add0_chain_cert(cert, ca)) { + if (!ssl_cert_add0_chain_cert(ctx, ssl, ca)) { X509_free(ca); goto err; } @@ -653,8 +693,7 @@ use_certificate_chain_bio(BIO *in, SSL_CERT *cert, pem_password_cb *passwd_cb, } int -use_certificate_chain_file(const char *file, SSL_CERT *cert, - pem_password_cb *passwd_cb, void *passwd_arg) +ssl_use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file) { BIO *in; int ret = 0; @@ -670,7 +709,7 @@ use_certificate_chain_file(const char *file, SSL_CERT *cert, goto end; } - ret = use_certificate_chain_bio(in, cert, passwd_cb, passwd_arg); + ret = ssl_use_certificate_chain_bio(ctx, ssl, in); end: BIO_free(in); 
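Review bot: In the -610 hunk the end-entity certificate goes through ssl_set_cert(), which now runs ssl_security_cert() with is_ee = 1, but the intermediate certificates in the `while ((ca = PEM_read_bio_X509(...)) != NULL)` loop only pass through ssl_cert_add0_chain_cert(ctx, ssl, ca), whose body is not visible here. If that helper does not apply ssl_security_cert() with is_ee = 0, a chain whose CA keys or signature digests fall below the configured level is accepted at load time while the leaf is checked; either confirm it does and say so in a comment on the loop, or add the check before the add0 call. The err label is outside the hunk, so what happens to `x` on the new early `goto err` from ssl_get_password_cb_and_arg() (where x is still NULL) could not be verified here.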
@@ -680,17 +719,13 @@ use_certificate_chain_file(const char *file, SSL_CERT *cert, int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) { - return use_certificate_chain_file(file, ctx->internal->cert, - ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata); + return ssl_use_certificate_chain_file(ctx, NULL, file); } int SSL_use_certificate_chain_file(SSL *ssl, const char *file) { - return use_certificate_chain_file(file, ssl->cert, - ssl->ctx->default_passwd_callback, - ssl->ctx->default_passwd_callback_userdata); + return ssl_use_certificate_chain_file(NULL, ssl, file); } int @@ -705,9 +740,7 @@ SSL_CTX_use_certificate_chain_mem(SSL_CTX *ctx, void *buf, int len) goto end; } - ret = use_certificate_chain_bio(in, ctx->internal->cert, - ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata); + ret = ssl_use_certificate_chain_bio(ctx, NULL, in); end: BIO_free(in); diff --git a/ssl/ssl_seclevel.c b/ssl/ssl_seclevel.c new file mode 100644 index 0000000..1869c81 --- /dev/null +++ b/ssl/ssl_seclevel.c 
@@ -0,0 +1,473 @@ +/* $OpenBSD: ssl_seclevel.c,v 1.27 2022/11/26 16:08:56 tb Exp $ */ +/* + * Copyright (c) 2020-2022 Theo Buehler + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "bytestring.h" +#include "ssl_local.h" + +static int +ssl_security_normalize_level(const SSL_CTX *ctx, const SSL *ssl, int *out_level) +{ + int security_level; + + if (ctx != NULL) + security_level = SSL_CTX_get_security_level(ctx); + else + security_level = SSL_get_security_level(ssl); + + if (security_level < 0) + security_level = 0; + if (security_level > 5) + security_level = 5; + + *out_level = security_level; + + return 1; +} + +static int +ssl_security_level_to_minimum_bits(int security_level, int *out_minimum_bits) +{ + if (security_level < 0) + return 0; + + if (security_level == 0) + *out_minimum_bits = 0; + else if (security_level == 1) + *out_minimum_bits = 80; + else if (security_level == 2) + *out_minimum_bits = 112; + else if (security_level == 3) + *out_minimum_bits = 128; + else if (security_level == 4) + *out_minimum_bits = 192; + else if (security_level >= 5) + *out_minimum_bits = 256; + + return 1; +} + +static int +ssl_security_level_and_minimum_bits(const SSL_CTX *ctx, 
const SSL *ssl, + int *out_level, int *out_minimum_bits) +{ + int security_level = 0, minimum_bits = 0; + + if (!ssl_security_normalize_level(ctx, ssl, &security_level)) + return 0; + if (!ssl_security_level_to_minimum_bits(security_level, &minimum_bits)) + return 0; + + if (out_level != NULL) + *out_level = security_level; + if (out_minimum_bits != NULL) + *out_minimum_bits = minimum_bits; + + return 1; +} + +static int +ssl_security_secop_cipher(const SSL_CTX *ctx, const SSL *ssl, int bits, + void *arg) +{ + const SSL_CIPHER *cipher = arg; + int security_level, minimum_bits; + + if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, + &minimum_bits)) + return 0; + + if (security_level <= 0) + return 1; + + if (bits < minimum_bits) + return 0; + + /* No unauthenticated ciphersuites. */ + if (cipher->algorithm_auth & SSL_aNULL) + return 0; + + if (cipher->algorithm_mac & SSL_MD5) + return 0; + + if (security_level <= 1) + return 1; + + if (cipher->algorithm_enc & SSL_RC4) + return 0; + + if (security_level <= 2) + return 1; + + /* Security level >= 3 requires a cipher with forward secrecy. 
*/ + if ((cipher->algorithm_mkey & (SSL_kDHE | SSL_kECDHE)) == 0 && + cipher->algorithm_ssl != SSL_TLSV1_3) + return 0; + + if (security_level <= 3) + return 1; + + if (cipher->algorithm_mac & SSL_SHA1) + return 0; + + return 1; +} + +static int +ssl_security_secop_version(const SSL_CTX *ctx, const SSL *ssl, int version) +{ + int min_version = TLS1_2_VERSION; + int security_level; + + if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL)) + return 0; + + if (security_level < 4) + min_version = TLS1_1_VERSION; + if (security_level < 3) + min_version = TLS1_VERSION; + + return ssl_tls_version(version) >= min_version; +} + +static int +ssl_security_secop_compression(const SSL_CTX *ctx, const SSL *ssl) +{ + return 0; +} + +static int +ssl_security_secop_tickets(const SSL_CTX *ctx, const SSL *ssl) +{ + int security_level; + + if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, NULL)) + return 0; + + return security_level < 3; +} + +static int +ssl_security_secop_tmp_dh(const SSL_CTX *ctx, const SSL *ssl, int bits) +{ + int security_level, minimum_bits; + + if (!ssl_security_level_and_minimum_bits(ctx, ssl, &security_level, + &minimum_bits)) + return 0; + + /* Disallow DHE keys weaker than 1024 bits even at security level 0. 
*/ + if (security_level <= 0 && bits < 80) + return 0; + + return bits >= minimum_bits; +} + +static int +ssl_security_secop_default(const SSL_CTX *ctx, const SSL *ssl, int bits) +{ + int minimum_bits; + + if (!ssl_security_level_and_minimum_bits(ctx, ssl, NULL, &minimum_bits)) + return 0; + + return bits >= minimum_bits; +} + +int +ssl_security_default_cb(const SSL *ssl, const SSL_CTX *ctx, int secop, int bits, + int version, void *cipher, void *ex_data) +{ + switch (secop) { + case SSL_SECOP_CIPHER_SUPPORTED: + case SSL_SECOP_CIPHER_SHARED: + case SSL_SECOP_CIPHER_CHECK: + return ssl_security_secop_cipher(ctx, ssl, bits, cipher); + case SSL_SECOP_VERSION: + return ssl_security_secop_version(ctx, ssl, version); + case SSL_SECOP_COMPRESSION: + return ssl_security_secop_compression(ctx, ssl); + case SSL_SECOP_TICKET: + return ssl_security_secop_tickets(ctx, ssl); + case SSL_SECOP_TMP_DH: + return ssl_security_secop_tmp_dh(ctx, ssl, bits); + default: + return ssl_security_secop_default(ctx, ssl, bits); + } +} + +static int +ssl_ctx_security(const SSL_CTX *ctx, int secop, int bits, int nid, void *other) +{ + return ctx->cert->security_cb(NULL, ctx, secop, bits, nid, + other, ctx->cert->security_ex_data); +} + +static int +ssl_security(const SSL *ssl, int secop, int bits, int nid, void *other) +{ + return ssl->cert->security_cb(ssl, NULL, secop, bits, nid, other, + ssl->cert->security_ex_data); +} + +int +ssl_security_sigalg_check(const SSL *ssl, const EVP_PKEY *pkey) +{ + int bits; + + bits = EVP_PKEY_security_bits(pkey); + + return ssl_security(ssl, SSL_SECOP_SIGALG_CHECK, bits, 0, NULL); +} + +int +ssl_security_tickets(const SSL *ssl) +{ + return ssl_security(ssl, SSL_SECOP_TICKET, 0, 0, NULL); +} + +int +ssl_security_version(const SSL *ssl, int version) +{ + return ssl_security(ssl, SSL_SECOP_VERSION, 0, version, NULL); +} + +static int +ssl_security_cipher(const SSL *ssl, SSL_CIPHER *cipher, int secop) +{ + return ssl_security(ssl, secop, cipher->strength_bits, 0, 
cipher); +} + +int +ssl_security_cipher_check(const SSL *ssl, SSL_CIPHER *cipher) +{ + return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_CHECK); +} + +int +ssl_security_shared_cipher(const SSL *ssl, SSL_CIPHER *cipher) +{ + return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SHARED); +} + +int +ssl_security_supported_cipher(const SSL *ssl, SSL_CIPHER *cipher) +{ + return ssl_security_cipher(ssl, cipher, SSL_SECOP_CIPHER_SUPPORTED); +} + +int +ssl_ctx_security_dh(const SSL_CTX *ctx, DH *dh) +{ + int bits; + + bits = DH_security_bits(dh); + + return ssl_ctx_security(ctx, SSL_SECOP_TMP_DH, bits, 0, dh); +} + +int +ssl_security_dh(const SSL *ssl, DH *dh) +{ + int bits; + + bits = DH_security_bits(dh); + + return ssl_security(ssl, SSL_SECOP_TMP_DH, bits, 0, dh); +} + +static int +ssl_cert_pubkey_security_bits(const X509 *x509) +{ + EVP_PKEY *pkey; + + if ((pkey = X509_get0_pubkey(x509)) == NULL) + return -1; + + /* + * XXX: DSA_security_bits() returns -1 on keys without parameters and + * makes the default security callback fail. + */ + + return EVP_PKEY_security_bits(pkey); +} + +static int +ssl_security_cert_key(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop) +{ + int security_bits; + + security_bits = ssl_cert_pubkey_security_bits(x509); + + if (ssl != NULL) + return ssl_security(ssl, secop, security_bits, 0, x509); + + return ssl_ctx_security(ctx, secop, security_bits, 0, x509); +} + +static int +ssl_cert_signature_md_nid(X509 *x509) +{ + int md_nid, signature_nid; + + if ((signature_nid = X509_get_signature_nid(x509)) == NID_undef) + return NID_undef; + + if (!OBJ_find_sigid_algs(signature_nid, &md_nid, NULL)) + return NID_undef; + + return md_nid; +} + +static int +ssl_cert_md_nid_security_bits(int md_nid) +{ + const EVP_MD *md; + + if (md_nid == NID_undef) + return -1; + + if ((md = EVP_get_digestbynid(md_nid)) == NULL) + return -1; + + /* Assume 4 bits of collision resistance for each hash octet. 
*/ + return EVP_MD_size(md) * 4; +} + +static int +ssl_security_cert_sig(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, int secop) +{ + int md_nid, security_bits; + + /* Don't check signature if self signed. */ + if ((X509_get_extension_flags(x509) & EXFLAG_SS) != 0) + return 1; + + md_nid = ssl_cert_signature_md_nid(x509); + security_bits = ssl_cert_md_nid_security_bits(md_nid); + + if (ssl != NULL) + return ssl_security(ssl, secop, security_bits, md_nid, x509); + + return ssl_ctx_security(ctx, secop, security_bits, md_nid, x509); +} + +int +ssl_security_cert(const SSL_CTX *ctx, const SSL *ssl, X509 *x509, + int is_ee, int *out_error) +{ + int key_error, operation; + + *out_error = 0; + + if (is_ee) { + operation = SSL_SECOP_EE_KEY; + key_error = SSL_R_EE_KEY_TOO_SMALL; + } else { + operation = SSL_SECOP_CA_KEY; + key_error = SSL_R_CA_KEY_TOO_SMALL; + } + + if (!ssl_security_cert_key(ctx, ssl, x509, operation)) { + *out_error = key_error; + return 0; + } + + if (!ssl_security_cert_sig(ctx, ssl, x509, SSL_SECOP_CA_MD)) { + *out_error = SSL_R_CA_MD_TOO_WEAK; + return 0; + } + + return 1; +} + +/* + * Check security of a chain. If |sk| includes the end entity certificate + * then |x509| must be NULL. 
+ */ +int +ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk, X509 *x509, + int *out_error) +{ + int start_idx = 0; + int is_ee; + int i; + + if (x509 == NULL) { + x509 = sk_X509_value(sk, 0); + start_idx = 1; + } + + is_ee = 1; + if (!ssl_security_cert(NULL, ssl, x509, is_ee, out_error)) + return 0; + + is_ee = 0; + for (i = start_idx; i < sk_X509_num(sk); i++) { + x509 = sk_X509_value(sk, i); + + if (!ssl_security_cert(NULL, ssl, x509, is_ee, out_error)) + return 0; + } + + return 1; +} + +static int +ssl_security_group(const SSL *ssl, uint16_t group_id, int secop) +{ + CBB cbb; + int bits, nid; + uint8_t group[2]; + + if (!tls1_ec_group_id2bits(group_id, &bits)) + return 0; + if (!tls1_ec_group_id2nid(group_id, &nid)) + return 0; + + if (!CBB_init_fixed(&cbb, group, sizeof(group))) + return 0; + if (!CBB_add_u16(&cbb, group_id)) + return 0; + if (!CBB_finish(&cbb, NULL, NULL)) + return 0; + + return ssl_security(ssl, secop, bits, nid, group); +} + +int +ssl_security_shared_group(const SSL *ssl, uint16_t group_id) +{ + return ssl_security_group(ssl, group_id, SSL_SECOP_CURVE_SHARED); +} + +int +ssl_security_supported_group(const SSL *ssl, uint16_t group_id) +{ + return ssl_security_group(ssl, group_id, SSL_SECOP_CURVE_SUPPORTED); +} diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index 44c2e84..5847a43 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.109 2022/01/11 19:03:15 jsing Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.121 2022/11/26 16:08:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -142,7 +142,7 @@ #include #endif -#include "ssl_locl.h" +#include "ssl_local.h" static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s); static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s); 
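Review bot: ssl_security_cert_chain() takes `x509 = sk_X509_value(sk, 0)` without checking that `sk` is non-NULL and non-empty, so a NULL or empty stack with x509 == NULL passes a NULL X509 into ssl_security_cert(), where X509_get_extension_flags(x509) in ssl_security_cert_sig() would dereference it; a guard `if (x509 == NULL && sk_X509_num(sk) < 1) { *out_error = ERR_R_INTERNAL_ERROR; return 0; }` before the lookup closes that, although the callers are not visible here and may already guarantee a non-empty chain. Separately, ssl_security_secop_default() has no `if (security_level <= 0) return 1;` early exit like ssl_security_secop_cipher(), so at level 0 a negative bit count — which ssl_cert_pubkey_security_bits() and ssl_cert_md_nid_security_bits() return when the key or signature digest cannot be resolved — still fails (`-1 >= 0` is false) with SSL_R_EE_KEY_TOO_SMALL or SSL_R_CA_MD_TOO_WEAK. The XXX comment only mentions DSA keys; if rejecting unresolvable keys and digests even at level 0 is intended, that comment should say so, otherwise add the level-0 exit. ssl_security_secop_compression() returning 0 unconditionally also deserves a one-line comment that compression is refused regardless of level.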
@@ -224,12 +224,14 @@ SSL_SESSION_new(void) ss->verify_result = 1; /* avoid 0 (= X509_V_OK) just in case */ ss->references = 1; - ss->timeout=60*5+4; /* 5 minute timeout by default */ + ss->timeout = 60 * 5 + 4; /* 5 minutes 4 seconds timeout by default */ ss->time = time(NULL); ss->prev = NULL; ss->next = NULL; ss->tlsext_hostname = NULL; + ss->peer_cert_type = -1; + ss->tlsext_ecpointformatlist_length = 0; ss->tlsext_ecpointformatlist = NULL; ss->tlsext_supportedgroups_length = 0; 
@@ -240,11 +242,116 @@ SSL_SESSION_new(void) return (ss); } +SSL_SESSION * +ssl_session_dup(SSL_SESSION *sess, int include_ticket) +{ + SSL_SESSION *copy; + CBS cbs; + + if ((copy = calloc(1, sizeof(*copy))) == NULL) { + SSLerrorx(ERR_R_MALLOC_FAILURE); + goto err; + } + + copy->ssl_version = sess->ssl_version; + + CBS_init(&cbs, sess->master_key, sess->master_key_length); + if (!CBS_write_bytes(&cbs, copy->master_key, sizeof(copy->master_key), + ©->master_key_length)) + goto err; + + CBS_init(&cbs, sess->session_id, sess->session_id_length); + if (!CBS_write_bytes(&cbs, copy->session_id, sizeof(copy->session_id), + ©->session_id_length)) + goto err; + + CBS_init(&cbs, sess->sid_ctx, sess->sid_ctx_length); + if (!CBS_write_bytes(&cbs, copy->sid_ctx, sizeof(copy->sid_ctx), + ©->sid_ctx_length)) + goto err; + + if (sess->peer_cert != NULL) { + if (!X509_up_ref(sess->peer_cert)) + goto err; + copy->peer_cert = sess->peer_cert; + } + copy->peer_cert_type = sess->peer_cert_type; + + copy->verify_result = sess->verify_result; + + copy->timeout = sess->timeout; + copy->time = sess->time; + copy->references = 1; + + copy->cipher = sess->cipher; + copy->cipher_id = sess->cipher_id; + + if (sess->ciphers != NULL) { + if ((copy->ciphers = sk_SSL_CIPHER_dup(sess->ciphers)) == NULL) + goto err; + } + + if (sess->tlsext_hostname != NULL) { + copy->tlsext_hostname = strdup(sess->tlsext_hostname); + if (copy->tlsext_hostname == NULL) + goto err; + } + + if (include_ticket) { + CBS_init(&cbs, sess->tlsext_tick, sess->tlsext_ticklen); + if (!CBS_stow(&cbs, ©->tlsext_tick, ©->tlsext_ticklen)) + goto err; + copy->tlsext_tick_lifetime_hint = + sess->tlsext_tick_lifetime_hint; + + /* + * XXX - copy sess->resumption_master_secret and all other + * TLSv1.3 info here. 
+ */ + } + + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, copy, + ©->ex_data)) + goto err; + + if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, ©->ex_data, + &sess->ex_data)) + goto err; + + /* Omit prev/next: the new session gets its own slot in the cache. */ + + copy->not_resumable = sess->not_resumable; + + CBS_init(&cbs, sess->tlsext_ecpointformatlist, + sess->tlsext_ecpointformatlist_length); + if (!CBS_stow(&cbs, ©->tlsext_ecpointformatlist, + ©->tlsext_ecpointformatlist_length)) + goto err; + + if (sess->tlsext_supportedgroups != NULL) { + if ((copy->tlsext_supportedgroups = calloc(sizeof(uint16_t), + sess->tlsext_supportedgroups_length)) == NULL) + goto err; + memcpy(copy->tlsext_supportedgroups, + sess->tlsext_supportedgroups, + sizeof(uint16_t) * sess->tlsext_supportedgroups_length); + copy->tlsext_supportedgroups_length = + sess->tlsext_supportedgroups_length; + } + + return copy; + + err: + SSL_SESSION_free(copy); + + return NULL; +} + const unsigned char * SSL_SESSION_get_id(const SSL_SESSION *ss, unsigned int *len) { if (len != NULL) - *len = ss->session_id_length; + *len = (unsigned int)ss->session_id_length; return ss->session_id; } @@ -352,17 +459,17 @@ ssl_get_new_session(SSL *s, int session) } /* If RFC4507 ticket use empty session ID. */ - if (s->internal->tlsext_ticket_expected) { + if (s->tlsext_ticket_expected) { ss->session_id_length = 0; goto sess_id_done; } /* Choose which callback will set the session ID. */ CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - if (s->internal->generate_session_id) - cb = s->internal->generate_session_id; - else if (s->session_ctx->internal->generate_session_id) - cb = s->session_ctx->internal->generate_session_id; + if (s->generate_session_id) + cb = s->generate_session_id; + else if (s->session_ctx->generate_session_id) + cb = s->session_ctx->generate_session_id; CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); /* Choose a session ID. */ 
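Review bot: `copy->references = 1;` is assigned only after the master key, session ID and SID context copies and the `X509_up_ref()` have all succeeded, so any `goto err` before that point hands an object with a zero reference count to `SSL_SESSION_free()`, and the cleanup then depends on how that function treats a non-positive count after its own decrement. Setting `copy->references = 1;` directly after the `calloc()` succeeds makes the error path independent of that detail. Separately, `calloc(sizeof(uint16_t), sess->tlsext_supportedgroups_length)` has count and element size in the reverse of the documented `calloc(nmemb, size)` order; the product is identical, but `calloc(sess->tlsext_supportedgroups_length, sizeof(uint16_t))` reads as intended. A short header comment stating that `include_ticket` controls whether the ticket and its lifetime hint are copied, and that the TLSv1.3 resumption secret is not copied yet, would make the existing XXX actionable for callers.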
@@ -378,7 +485,7 @@ ssl_get_new_session(SSL *s, int session) * Don't allow the callback to set the session length to zero. * nor set it higher than it was. */ - if (!tmp || (tmp > ss->session_id_length)) { + if (tmp == 0 || tmp > ss->session_id_length) { /* The callback set an illegal length */ SSLerror(s, SSL_R_SSL_SESSION_ID_HAS_BAD_LENGTH); SSL_SESSION_free(ss); @@ -388,7 +495,7 @@ ssl_get_new_session(SSL *s, int session) /* Finally, check for a conflict. */ if (SSL_has_matching_session_id(s, ss->session_id, - ss->session_id_length)) { + ss->session_id_length)) { SSLerror(s, SSL_R_SSL_SESSION_ID_CONFLICT); SSL_SESSION_free(ss); return (0); @@ -428,24 +535,26 @@ ssl_session_from_cache(SSL *s, CBS *session_id) SSL_SESSION *sess; SSL_SESSION data; - if ((s->session_ctx->internal->session_cache_mode & + if ((s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) return NULL; memset(&data, 0, sizeof(data)); data.ssl_version = s->version; - data.session_id_length = CBS_len(session_id); - memcpy(data.session_id, CBS_data(session_id), CBS_len(session_id)); + + if (!CBS_write_bytes(session_id, data.session_id, + sizeof(data.session_id), &data.session_id_length)) + return NULL; CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - sess = lh_SSL_SESSION_retrieve(s->session_ctx->internal->sessions, &data); + sess = lh_SSL_SESSION_retrieve(s->session_ctx->sessions, &data); if (sess != NULL) CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION); CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); if (sess == NULL) - s->session_ctx->internal->stats.sess_miss++; + s->session_ctx->stats.sess_miss++; return sess; } 
@@ -456,11 +565,11 @@ ssl_session_from_callback(SSL *s, CBS *session_id) SSL_SESSION *sess; int copy; - if (s->session_ctx->internal->get_session_cb == NULL) + if (s->session_ctx->get_session_cb == NULL) return NULL; copy = 1; - if ((sess = s->session_ctx->internal->get_session_cb(s, + if ((sess = s->session_ctx->get_session_cb(s, CBS_data(session_id), CBS_len(session_id), ©)) == NULL) return NULL; /* @@ -472,10 +581,10 @@ ssl_session_from_callback(SSL *s, CBS *session_id) if (copy) CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION); - s->session_ctx->internal->stats.sess_cb_hit++; + s->session_ctx->stats.sess_cb_hit++; /* Add the externally cached session to the internal cache as well. */ - if (!(s->session_ctx->internal->session_cache_mode & + if (!(s->session_ctx->session_cache_mode & SSL_SESS_CACHE_NO_INTERNAL_STORE)) { /* * The following should not return 1, @@ -519,14 +628,13 @@ ssl_session_by_id(SSL *s, CBS *session_id) * - If a session is found then s->session is pointed at it (after freeing * an existing session if need be) and s->verify_result is set from the * session. - * - For both new and resumed sessions, s->internal->tlsext_ticket_expected + * - For both new and resumed sessions, s->tlsext_ticket_expected * indicates whether the server should issue a new session ticket or not. */ int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) { SSL_SESSION *sess = NULL; - size_t session_id_len; int alert_desc = SSL_AD_INTERNAL_ERROR, fatal = 0; int ticket_decrypted = 0; @@ -535,7 +643,7 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) if (CBS_len(session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; - /* Sets s->internal->tlsext_ticket_expected. */ + /* Sets s->tlsext_ticket_expected. */ switch (tls1_process_ticket(s, ext_block, &alert_desc, &sess)) { case TLS1_TICKET_FATAL_ERROR: fatal = 1; 
@@ -555,11 +663,10 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) * ticket has been accepted so we copy it into sess. */ if (!CBS_write_bytes(session_id, sess->session_id, - sizeof(sess->session_id), &session_id_len)) { + sizeof(sess->session_id), &sess->session_id_length)) { fatal = 1; goto err; } - sess->session_id_length = (unsigned int)session_id_len; break; default: SSLerror(s, ERR_R_INTERNAL_ERROR); @@ -603,7 +710,7 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) } if (sess->timeout < (time(NULL) - sess->time)) { - s->session_ctx->internal->stats.sess_timeout++; + s->session_ctx->stats.sess_timeout++; if (!ticket_decrypted) { /* The session was from the cache, so remove it. */ SSL_CTX_remove_session(s->session_ctx, sess); @@ -611,7 +718,7 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) goto err; } - s->session_ctx->internal->stats.sess_hit++; + s->session_ctx->stats.sess_hit++; SSL_SESSION_free(s->session); s->session = sess; @@ -626,7 +733,7 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) * The session was from a ticket. Issue a ticket for the new * session. */ - s->internal->tlsext_ticket_expected = 1; + s->tlsext_ticket_expected = 1; } if (fatal) { *alert = alert_desc; @@ -653,12 +760,12 @@ SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) * later. */ CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - s = lh_SSL_SESSION_insert(ctx->internal->sessions, c); + s = lh_SSL_SESSION_insert(ctx->sessions, c); /* * s != NULL iff we already had a session with the given PID. * In this case, s == c should hold (then we did not really modify - * ctx->internal->sessions), or we're in trouble. + * ctx->sessions), or we're in trouble. */ if (s != NULL && s != c) { /* We *are* in trouble ... */ 
@@ -698,10 +805,10 @@ SSL_CTX_add_session(SSL_CTX *ctx, SSL_SESSION *c) while (SSL_CTX_sess_number(ctx) > SSL_CTX_sess_get_cache_size(ctx)) { if (!remove_session_lock(ctx, - ctx->internal->session_cache_tail, 0)) + ctx->session_cache_tail, 0)) break; else - ctx->internal->stats.sess_cache_full++; + ctx->stats.sess_cache_full++; } } } @@ -721,26 +828,27 @@ remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck) SSL_SESSION *r; int ret = 0; - if ((c != NULL) && (c->session_id_length != 0)) { - if (lck) - CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); - if ((r = lh_SSL_SESSION_retrieve(ctx->internal->sessions, c)) == c) { - ret = 1; - r = lh_SSL_SESSION_delete(ctx->internal->sessions, c); - SSL_SESSION_list_remove(ctx, c); - } - if (lck) - CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); + if (c == NULL || c->session_id_length == 0) + return 0; - if (ret) { - r->not_resumable = 1; - if (ctx->internal->remove_session_cb != NULL) - ctx->internal->remove_session_cb(ctx, r); - SSL_SESSION_free(r); - } - } else - ret = 0; - return (ret); + if (lck) + CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); + if ((r = lh_SSL_SESSION_retrieve(ctx->sessions, c)) == c) { + ret = 1; + r = lh_SSL_SESSION_delete(ctx->sessions, c); + SSL_SESSION_list_remove(ctx, c); + } + if (lck) + CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); + + if (ret) { + r->not_resumable = 1; + if (ctx->remove_session_cb != NULL) + ctx->remove_session_cb(ctx, r); + SSL_SESSION_free(r); + } + + return ret; } void @@ -760,8 +868,6 @@ SSL_SESSION_free(SSL_SESSION *ss) explicit_bzero(ss->master_key, sizeof ss->master_key); explicit_bzero(ss->session_id, sizeof ss->session_id); - sk_X509_pop_free(ss->cert_chain, X509_free); - X509_free(ss->peer_cert); sk_SSL_CIPHER_free(ss->ciphers); @@ -771,6 +877,8 @@ SSL_SESSION_free(SSL_SESSION *ss) free(ss->tlsext_ecpointformatlist); free(ss->tlsext_supportedgroups); + tls13_secret_cleanup(&ss->resumption_master_secret); + freezero(ss, sizeof(*ss)); } 
@@ -941,8 +1049,8 @@ SSL_set_session_secret_cb(SSL *s, int (*tls_session_secret_cb)(SSL *s, { if (s == NULL) return (0); - s->internal->tls_session_secret_cb = tls_session_secret_cb; - s->internal->tls_session_secret_cb_arg = arg; + s->tls_session_secret_cb = tls_session_secret_cb; + s->tls_session_secret_cb_arg = arg; return (1); } @@ -952,8 +1060,8 @@ SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb, { if (s == NULL) return (0); - s->internal->tls_session_ticket_ext_cb = cb; - s->internal->tls_session_ticket_ext_cb_arg = arg; + s->tls_session_ticket_ext_cb = cb; + s->tls_session_ticket_ext_cb_arg = arg; return (1); } @@ -961,23 +1069,23 @@ int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len) { if (s->version >= TLS1_VERSION) { - free(s->internal->tlsext_session_ticket); - s->internal->tlsext_session_ticket = + free(s->tlsext_session_ticket); + s->tlsext_session_ticket = malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len); - if (!s->internal->tlsext_session_ticket) { + if (!s->tlsext_session_ticket) { SSLerror(s, ERR_R_MALLOC_FAILURE); return 0; } if (ext_data) { - s->internal->tlsext_session_ticket->length = ext_len; - s->internal->tlsext_session_ticket->data = - s->internal->tlsext_session_ticket + 1; - memcpy(s->internal->tlsext_session_ticket->data, + s->tlsext_session_ticket->length = ext_len; + s->tlsext_session_ticket->data = + s->tlsext_session_ticket + 1; + memcpy(s->tlsext_session_ticket->data, ext_data, ext_len); } else { - s->internal->tlsext_session_ticket->length = 0; - s->internal->tlsext_session_ticket->data = NULL; + s->tlsext_session_ticket->length = 0; + s->tlsext_session_ticket->data = NULL; } return 1; 
@@ -1002,8 +1110,8 @@ timeout_doall_arg(SSL_SESSION *s, TIMEOUT_PARAM *p) (void)lh_SSL_SESSION_delete(p->cache, s); SSL_SESSION_list_remove(p->ctx, s); s->not_resumable = 1; - if (p->ctx->internal->remove_session_cb != NULL) - p->ctx->internal->remove_session_cb(p->ctx, s); + if (p->ctx->remove_session_cb != NULL) + p->ctx->remove_session_cb(p->ctx, s); SSL_SESSION_free(s); } } @@ -1025,7 +1133,7 @@ SSL_CTX_flush_sessions(SSL_CTX *s, long t) TIMEOUT_PARAM tp; tp.ctx = s; - tp.cache = s->internal->sessions; + tp.cache = s->sessions; if (tp.cache == NULL) return; tp.time = t; @@ -1041,7 +1149,7 @@ SSL_CTX_flush_sessions(SSL_CTX *s, long t) int ssl_clear_bad_session(SSL *s) { - if ((s->session != NULL) && !(s->internal->shutdown & SSL_SENT_SHUTDOWN) && + if ((s->session != NULL) && !(s->shutdown & SSL_SENT_SHUTDOWN) && !(SSL_in_init(s) || SSL_in_before(s))) { SSL_CTX_remove_session(s->ctx, s->session); return (1); 
@@ -1056,23 +1164,23 @@ SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s) if (s->next == NULL || s->prev == NULL) return; - if (s->next == (SSL_SESSION *)&(ctx->internal->session_cache_tail)) { + if (s->next == (SSL_SESSION *)&(ctx->session_cache_tail)) { /* last element in list */ - if (s->prev == (SSL_SESSION *)&(ctx->internal->session_cache_head)) { + if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) { /* only one element in list */ - ctx->internal->session_cache_head = NULL; - ctx->internal->session_cache_tail = NULL; + ctx->session_cache_head = NULL; + ctx->session_cache_tail = NULL; } else { - ctx->internal->session_cache_tail = s->prev; + ctx->session_cache_tail = s->prev; s->prev->next = - (SSL_SESSION *)&(ctx->internal->session_cache_tail); + (SSL_SESSION *)&(ctx->session_cache_tail); } } else { - if (s->prev == (SSL_SESSION *)&(ctx->internal->session_cache_head)) { + if (s->prev == (SSL_SESSION *)&(ctx->session_cache_head)) { /* first element in list */ - ctx->internal->session_cache_head = s->next; + ctx->session_cache_head = s->next; s->next->prev = - (SSL_SESSION *)&(ctx->internal->session_cache_head); + (SSL_SESSION *)&(ctx->session_cache_head); } else { /* middle of list */ s->next->prev = s->prev; 
@@ -1088,83 +1196,83 @@ SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s) if (s->next != NULL && s->prev != NULL) SSL_SESSION_list_remove(ctx, s); - if (ctx->internal->session_cache_head == NULL) { - ctx->internal->session_cache_head = s; - ctx->internal->session_cache_tail = s; - s->prev = (SSL_SESSION *)&(ctx->internal->session_cache_head); - s->next = (SSL_SESSION *)&(ctx->internal->session_cache_tail); + if (ctx->session_cache_head == NULL) { + ctx->session_cache_head = s; + ctx->session_cache_tail = s; + s->prev = (SSL_SESSION *)&(ctx->session_cache_head); + s->next = (SSL_SESSION *)&(ctx->session_cache_tail); } else { - s->next = ctx->internal->session_cache_head; + s->next = ctx->session_cache_head; s->next->prev = s; - s->prev = (SSL_SESSION *)&(ctx->internal->session_cache_head); - ctx->internal->session_cache_head = s; + s->prev = (SSL_SESSION *)&(ctx->session_cache_head); + ctx->session_cache_head = s; } } void SSL_CTX_sess_set_new_cb(SSL_CTX *ctx, int (*cb)(struct ssl_st *ssl, SSL_SESSION *sess)) { - ctx->internal->new_session_cb = cb; + ctx->new_session_cb = cb; } int (*SSL_CTX_sess_get_new_cb(SSL_CTX *ctx))(SSL *ssl, SSL_SESSION *sess) { - return ctx->internal->new_session_cb; + return ctx->new_session_cb; } void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*cb)(SSL_CTX *ctx, SSL_SESSION *sess)) { - ctx->internal->remove_session_cb = cb; + ctx->remove_session_cb = cb; } void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(SSL_CTX * ctx, SSL_SESSION *sess) { - return ctx->internal->remove_session_cb; + return ctx->remove_session_cb; } void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(struct ssl_st *ssl, const unsigned char *data, int len, int *copy)) { - ctx->internal->get_session_cb = cb; + ctx->get_session_cb = cb; } SSL_SESSION * (*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, const unsigned char *data, int len, int *copy) { - return ctx->internal->get_session_cb; + return ctx->get_session_cb; } void SSL_CTX_set_info_callback(SSL_CTX 
*ctx, void (*cb)(const SSL *ssl, int type, int val)) { - ctx->internal->info_callback = cb; + ctx->info_callback = cb; } void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, int val) { - return ctx->internal->info_callback; + return ctx->info_callback; } void SSL_CTX_set_client_cert_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, X509 **x509, EVP_PKEY **pkey)) { - ctx->internal->client_cert_cb = cb; + ctx->client_cert_cb = cb; } int (*SSL_CTX_get_client_cert_cb(SSL_CTX *ctx))(SSL * ssl, X509 ** x509, EVP_PKEY **pkey) { - return ctx->internal->client_cert_cb; + return ctx->client_cert_cb; } #ifndef OPENSSL_NO_ENGINE @@ -1180,7 +1288,7 @@ SSL_CTX_set_client_cert_engine(SSL_CTX *ctx, ENGINE *e) ENGINE_finish(e); return 0; } - ctx->internal->client_cert_engine = e; + ctx->client_cert_engine = e; return 1; } #endif @@ -1189,14 +1297,14 @@ void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)) { - ctx->internal->app_gen_cookie_cb = cb; + ctx->app_gen_cookie_cb = cb; } void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, int (*cb)(SSL *ssl, const unsigned char *cookie, unsigned int cookie_len)) { - ctx->internal->app_verify_cookie_cb = cb; + ctx->app_verify_cookie_cb = cb; } int diff --git a/ssl/ssl_sigalgs.c b/ssl/ssl_sigalgs.c index daf735a..f59beb4 100644 --- a/ssl/ssl_sigalgs.c +++ b/ssl/ssl_sigalgs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sigalgs.c,v 1.41 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: ssl_sigalgs.c,v 1.48 2022/11/26 16:08:56 tb Exp $ */ /* * Copyright (c) 2018-2020 Bob Beck * Copyright (c) 2021 Joel Sing @@ -23,7 +23,7 @@ #include #include "bytestring.h" -#include "ssl_locl.h" +#include "ssl_local.h" #include "ssl_sigalgs.h" #include "tls13_internal.h" 
@@ -32,114 +32,134 @@ const struct ssl_sigalg sigalgs[] = { .value = SIGALG_RSA_PKCS1_SHA512, .key_type = EVP_PKEY_RSA, .md = EVP_sha512, + .security_level = 5, }, { .value = SIGALG_ECDSA_SECP521R1_SHA512, .key_type = EVP_PKEY_EC, .md = EVP_sha512, - .curve_nid = NID_secp521r1, + .security_level = 5, + .group_nid = NID_secp521r1, }, #ifndef OPENSSL_NO_GOST { .value = SIGALG_GOSTR12_512_STREEBOG_512, .key_type = EVP_PKEY_GOSTR12_512, .md = EVP_streebog512, + .security_level = 0, }, #endif { .value = SIGALG_RSA_PKCS1_SHA384, .key_type = EVP_PKEY_RSA, .md = EVP_sha384, + .security_level = 4, }, { .value = SIGALG_ECDSA_SECP384R1_SHA384, .key_type = EVP_PKEY_EC, .md = EVP_sha384, - .curve_nid = NID_secp384r1, + .security_level = 4, + .group_nid = NID_secp384r1, }, { .value = SIGALG_RSA_PKCS1_SHA256, .key_type = EVP_PKEY_RSA, .md = EVP_sha256, + .security_level = 3, }, { .value = SIGALG_ECDSA_SECP256R1_SHA256, .key_type = EVP_PKEY_EC, .md = EVP_sha256, - .curve_nid = NID_X9_62_prime256v1, + .security_level = 3, + .group_nid = NID_X9_62_prime256v1, }, #ifndef OPENSSL_NO_GOST { .value = SIGALG_GOSTR12_256_STREEBOG_256, .key_type = EVP_PKEY_GOSTR12_256, .md = EVP_streebog256, + .security_level = 0, }, { .value = SIGALG_GOSTR01_GOST94, .key_type = EVP_PKEY_GOSTR01, .md = EVP_gostr341194, + .security_level = 0, /* XXX */ }, #endif { .value = SIGALG_RSA_PSS_RSAE_SHA256, .key_type = EVP_PKEY_RSA, .md = EVP_sha256, + .security_level = 3, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_RSAE_SHA384, .key_type = EVP_PKEY_RSA, .md = EVP_sha384, + .security_level = 4, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_RSAE_SHA512, .key_type = EVP_PKEY_RSA, .md = EVP_sha512, + .security_level = 5, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_PSS_SHA256, .key_type = EVP_PKEY_RSA, .md = EVP_sha256, + .security_level = 3, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_PSS_SHA384, .key_type = EVP_PKEY_RSA, .md = EVP_sha384, + .security_level = 
4, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PSS_PSS_SHA512, .key_type = EVP_PKEY_RSA, .md = EVP_sha512, + .security_level = 5, .flags = SIGALG_FLAG_RSA_PSS, }, { .value = SIGALG_RSA_PKCS1_SHA224, .key_type = EVP_PKEY_RSA, .md = EVP_sha224, + .security_level = 2, }, { .value = SIGALG_ECDSA_SECP224R1_SHA224, .key_type = EVP_PKEY_EC, .md = EVP_sha224, + .security_level = 2, }, { .value = SIGALG_RSA_PKCS1_SHA1, .key_type = EVP_PKEY_RSA, .md = EVP_sha1, + .security_level = 1, }, { .value = SIGALG_ECDSA_SHA1, .key_type = EVP_PKEY_EC, .md = EVP_sha1, + .security_level = 1, }, { .value = SIGALG_RSA_PKCS1_MD5_SHA1, .key_type = EVP_PKEY_RSA, .md = EVP_md5_sha1, + .security_level = 1, }, { .value = SIGALG_NONE, @@ -221,11 +241,13 @@ ssl_sigalg_from_value(SSL *s, uint16_t value) } int -ssl_sigalgs_build(uint16_t tls_version, CBB *cbb) +ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level) { + const struct ssl_sigalg *sigalg; const uint16_t *values; size_t len; size_t i; + int ret = 0; ssl_sigalgs_for_version(tls_version, &values, &len); @@ -234,17 +256,25 @@ ssl_sigalgs_build(uint16_t tls_version, CBB *cbb) /* Do not allow the legacy value for < 1.2 to be used. */ if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1) return 0; - if (ssl_sigalg_lookup(values[i]) == NULL) + if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL) return 0; + if (sigalg->security_level < security_level) + continue; + if (!CBB_add_u16(cbb, values[i])) return 0; + + ret = 1; } - return 1; + return ret; } static const struct ssl_sigalg * ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey) { + if (SSL_get_security_level(s) > 1) + return NULL; + /* Default signature algorithms used for TLSv1.2 and earlier. */ switch (EVP_PKEY_id(pkey)) { case EVP_PKEY_RSA: @@ -277,6 +307,9 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey) return 0; } + if (!ssl_security_sigalg_check(s, pkey)) + return 0; + if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION) return 1; 
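Review bot: The three GOST entries are given `.security_level = 0`, but only `SIGALG_GOSTR01_GOST94` carries the `/* XXX */` marker, so a reader cannot tell whether 0 is a deliberate rating or a placeholder; since `ssl_sigalgs_build()` skips any entry whose `security_level` is below the requested level, these algorithms are never advertised whenever a caller passes a level of 1 or more. A comment on the first GOST block stating the intent would settle this, e.g. `/* Unrated: level 0 excludes GOST from the advertised list at any non-zero security level. */`, or the same XXX marker on all three entries if the values are still to be decided. The table's terminating `SIGALG_NONE` entry continues outside the hunk.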
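Review bot: `ssl_sigalgs_build()` now returns 0 both on an internal problem (the legacy MD5/SHA1 value present, or a failed `ssl_sigalg_lookup()`) and when every algorithm was filtered out by `security_level`, because `ret` only becomes 1 once a value is written; an empty result is therefore indistinguishable from an error to the caller, which lies outside this diff. A header comment pinning the contract would help, e.g. `/* Returns 1 if at least one sigalg rated at or above security_level was added to cbb, 0 on error or if none qualified. */`. In the same hunk, the new `SSL_get_security_level(s) > 1` early return in `ssl_sigalg_for_legacy()` also deserves a one-line comment saying that the SHA1-based defaults are withheld above level 1.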
@@ -285,12 +318,12 @@ ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey) (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0) return 0; - /* Ensure that curve matches for EC keys. */ + /* Ensure that group matches for EC keys. */ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) { - if (sigalg->curve_nid == 0) + if (sigalg->group_nid == 0) return 0; if (EC_GROUP_get_curve_name(EC_KEY_get0_group( - EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid) + EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid) return 0; } diff --git a/ssl/ssl_sigalgs.h b/ssl/ssl_sigalgs.h index beab11a..21a54d6 100644 --- a/ssl/ssl_sigalgs.h +++ b/ssl/ssl_sigalgs.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sigalgs.h,v 1.23 2021/06/29 19:25:59 jsing Exp $ */ +/* $OpenBSD: ssl_sigalgs.h,v 1.26 2022/07/02 16:00:12 tb Exp $ */ /* * Copyright (c) 2018-2019 Bob Beck * @@ -64,11 +64,12 @@ struct ssl_sigalg { uint16_t value; int key_type; const EVP_MD *(*md)(void); - int curve_nid; + int security_level; + int group_nid; int flags; }; -int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb); +int ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level); const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey); const struct ssl_sigalg *ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value); diff --git a/ssl/ssl_srvr.c b/ssl/ssl_srvr.c index 3593950..556107f 100644 --- a/ssl/ssl_srvr.c +++ b/ssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.141 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.153 2022/12/26 07:31:44 jmc Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -148,6 +148,7 @@ * OTHERWISE. */ +#include #include #include 
@@ -166,11 +167,28 @@ #endif #include "bytestring.h" -#include "dtls_locl.h" -#include "ssl_locl.h" +#include "dtls_local.h" +#include "ssl_local.h" #include "ssl_sigalgs.h" #include "ssl_tlsext.h" +static int ssl3_get_client_hello(SSL *s); +static int ssl3_send_dtls_hello_verify_request(SSL *s); +static int ssl3_send_server_hello(SSL *s); +static int ssl3_send_hello_request(SSL *s); +static int ssl3_send_server_certificate(SSL *s); +static int ssl3_send_server_key_exchange(SSL *s); +static int ssl3_send_certificate_request(SSL *s); +static int ssl3_send_server_done(SSL *s); +static int ssl3_get_client_certificate(SSL *s); +static int ssl3_get_client_key_exchange(SSL *s); +static int ssl3_get_cert_verify(SSL *s); +static int ssl3_send_newsession_ticket(SSL *s); +static int ssl3_send_cert_status(SSL *s); +static int ssl3_send_server_change_cipher_spec(SSL *s); +static int ssl3_send_server_finished(SSL *s); +static int ssl3_get_client_finished(SSL *s); + int ssl3_accept(SSL *s) { @@ -186,7 +204,7 @@ ssl3_accept(SSL *s) listen = s->d1->listen; /* init things to blank */ - s->internal->in_handshake++; + s->in_handshake++; if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s); @@ -198,7 +216,7 @@ ssl3_accept(SSL *s) switch (s->s3->hs.state) { case SSL_ST_RENEGOTIATE: - s->internal->renegotiate = 1; + s->renegotiate = 1; /* s->s3->hs.state=SSL_ST_ACCEPT; */ case SSL_ST_BEFORE: @@ -223,6 +241,13 @@ ssl3_accept(SSL *s) goto end; } + if (!ssl_security_version(s, + s->s3->hs.our_min_tls_version)) { + SSLerror(s, SSL_R_VERSION_TOO_LOW); + ret = -1; + goto end; + } + if (!ssl3_setup_init_buffer(s)) { ret = -1; goto end; @@ -232,7 +257,7 @@ ssl3_accept(SSL *s) goto end; } - s->internal->init_num = 0; + s->init_num = 0; if (s->s3->hs.state != SSL_ST_RENEGOTIATE) { /* 
@@ -251,7 +276,7 @@ ssl3_accept(SSL *s) } s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_A; - s->ctx->internal->stats.sess_accept++; + s->ctx->stats.sess_accept++; } else if (!SSL_is_dtls(s) && !s->s3->send_connection_binding) { /* * Server attempting to renegotiate with @@ -268,14 +293,14 @@ ssl3_accept(SSL *s) * s->s3->hs.state == SSL_ST_RENEGOTIATE, * we will just send a HelloRequest. */ - s->ctx->internal->stats.sess_accept_renegotiate++; + s->ctx->stats.sess_accept_renegotiate++; s->s3->hs.state = SSL3_ST_SW_HELLO_REQ_A; } break; case SSL3_ST_SW_HELLO_REQ_A: case SSL3_ST_SW_HELLO_REQ_B: - s->internal->shutdown = 0; + s->shutdown = 0; if (SSL_is_dtls(s)) { dtls1_clear_record_buffer(s); dtls1_start_timer(s); @@ -288,7 +313,7 @@ ssl3_accept(SSL *s) else s->s3->hs.tls12.next_state = SSL3_ST_SW_HELLO_REQ_C; s->s3->hs.state = SSL3_ST_SW_FLUSH; - s->internal->init_num = 0; + s->init_num = 0; if (SSL_is_dtls(s)) { if (!tls1_transcript_init(s)) { @@ -305,7 +330,7 @@ ssl3_accept(SSL *s) case SSL3_ST_SR_CLNT_HELLO_A: case SSL3_ST_SR_CLNT_HELLO_B: case SSL3_ST_SR_CLNT_HELLO_C: - s->internal->shutdown = 0; + s->shutdown = 0; if (SSL_is_dtls(s)) { ret = ssl3_get_client_hello(s); if (ret <= 0) @@ -318,7 +343,7 @@ ssl3_accept(SSL *s) else s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A; - s->internal->init_num = 0; + s->init_num = 0; /* * Reflect ClientHello sequence to remain @@ -326,7 +351,7 @@ ssl3_accept(SSL *s) */ if (listen) { tls12_record_layer_reflect_seq_num( - s->internal->rl); + s->rl); } /* If we're just listening, stop here */ @@ -343,15 +368,15 @@ ssl3_accept(SSL *s) goto end; } } else { - if (s->internal->rwstate != SSL_X509_LOOKUP) { + if (s->rwstate != SSL_X509_LOOKUP) { ret = ssl3_get_client_hello(s); if (ret <= 0) goto end; } - s->internal->renegotiate = 2; + s->renegotiate = 2; s->s3->hs.state = SSL3_ST_SW_SRVR_HELLO_A; - s->internal->init_num = 0; + s->init_num = 0; } break; 
@@ -370,21 +395,21 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_SRVR_HELLO_A: case SSL3_ST_SW_SRVR_HELLO_B: if (SSL_is_dtls(s)) { - s->internal->renegotiate = 2; + s->renegotiate = 2; dtls1_start_timer(s); } ret = ssl3_send_server_hello(s); if (ret <= 0) goto end; - if (s->internal->hit) { - if (s->internal->tlsext_ticket_expected) + if (s->hit) { + if (s->tlsext_ticket_expected) s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A; else s->s3->hs.state = SSL3_ST_SW_CHANGE_A; } else { s->s3->hs.state = SSL3_ST_SW_CERT_A; } - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SW_CERT_A: @@ -397,7 +422,7 @@ ssl3_accept(SSL *s) ret = ssl3_send_server_certificate(s); if (ret <= 0) goto end; - if (s->internal->tlsext_status_expected) + if (s->tlsext_status_expected) s->s3->hs.state = SSL3_ST_SW_CERT_STATUS_A; else s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A; @@ -405,7 +430,7 @@ ssl3_accept(SSL *s) skip = 1; s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A; } - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SW_KEY_EXCH_A: @@ -430,7 +455,7 @@ ssl3_accept(SSL *s) skip = 1; s->s3->hs.state = SSL3_ST_SW_CERT_REQ_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SW_CERT_REQ_A: @@ -473,7 +498,7 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_SW_SRVR_DONE_A; - s->internal->init_num = 0; + s->init_num = 0; } break; @@ -486,7 +511,7 @@ ssl3_accept(SSL *s) goto end; s->s3->hs.tls12.next_state = SSL3_ST_SR_CERT_A; s->s3->hs.state = SSL3_ST_SW_FLUSH; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SW_FLUSH: 
@@ -500,30 +525,30 @@ ssl3_accept(SSL *s) * still exist. So instead we just flush * unconditionally. */ - s->internal->rwstate = SSL_WRITING; + s->rwstate = SSL_WRITING; if (BIO_flush(s->wbio) <= 0) { if (SSL_is_dtls(s)) { /* If the write error was fatal, stop trying. */ if (!BIO_should_retry(s->wbio)) { - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; s->s3->hs.state = s->s3->hs.tls12.next_state; } } ret = -1; goto end; } - s->internal->rwstate = SSL_NOTHING; + s->rwstate = SSL_NOTHING; s->s3->hs.state = s->s3->hs.tls12.next_state; break; case SSL3_ST_SR_CERT_A: case SSL3_ST_SR_CERT_B: - if (s->s3->hs.tls12.cert_request) { + if (s->s3->hs.tls12.cert_request != 0) { ret = ssl3_get_client_certificate(s); if (ret <= 0) goto end; } - s->internal->init_num = 0; + s->init_num = 0; s->s3->hs.state = SSL3_ST_SR_KEY_EXCH_A; break; @@ -535,7 +560,7 @@ ssl3_accept(SSL *s) if (SSL_is_dtls(s)) { s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A; - s->internal->init_num = 0; + s->init_num = 0; } alg_k = s->s3->hs.cipher->algorithm_mkey; @@ -546,10 +571,10 @@ ssl3_accept(SSL *s) * the CertificateVerify message is not sent. */ s->s3->hs.state = SSL3_ST_SR_FINISHED_A; - s->internal->init_num = 0; + s->init_num = 0; } else if (SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) { s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A; - s->internal->init_num = 0; + s->init_num = 0; if (!s->session->peer_cert) break; /* @@ -559,7 +584,7 @@ ssl3_accept(SSL *s) tls1_transcript_freeze(s); } else { s->s3->hs.state = SSL3_ST_SR_CERT_VRFY_A; - s->internal->init_num = 0; + s->init_num = 0; tls1_transcript_free(s); @@ -589,7 +614,7 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_SR_FINISHED_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SR_FINISHED_A: 
@@ -598,19 +623,18 @@ ssl3_accept(SSL *s) s->d1->change_cipher_spec_ok = 1; else s->s3->flags |= SSL3_FLAGS_CCS_OK; - ret = ssl3_get_finished(s, SSL3_ST_SR_FINISHED_A, - SSL3_ST_SR_FINISHED_B); + ret = ssl3_get_client_finished(s); if (ret <= 0) goto end; if (SSL_is_dtls(s)) dtls1_stop_timer(s); - if (s->internal->hit) + if (s->hit) s->s3->hs.state = SSL_ST_OK; - else if (s->internal->tlsext_ticket_expected) + else if (s->tlsext_ticket_expected) s->s3->hs.state = SSL3_ST_SW_SESSION_TICKET_A; else s->s3->hs.state = SSL3_ST_SW_CHANGE_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SW_SESSION_TICKET_A: @@ -619,7 +643,7 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_SW_CHANGE_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SW_CERT_STATUS_A: @@ -628,17 +652,16 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_SW_KEY_EXCH_A; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL3_ST_SW_CHANGE_A: case SSL3_ST_SW_CHANGE_B: - ret = ssl3_send_change_cipher_spec(s, - SSL3_ST_SW_CHANGE_A, SSL3_ST_SW_CHANGE_B); + ret = ssl3_send_server_change_cipher_spec(s); if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_SW_FINISHED_A; - s->internal->init_num = 0; + s->init_num = 0; s->session->cipher = s->s3->hs.cipher; if (!tls1_setup_key_block(s)) { @@ -653,17 +676,16 @@ ssl3_accept(SSL *s) case SSL3_ST_SW_FINISHED_A: case SSL3_ST_SW_FINISHED_B: - ret = ssl3_send_finished(s, SSL3_ST_SW_FINISHED_A, - SSL3_ST_SW_FINISHED_B); + ret = ssl3_send_server_finished(s); if (ret <= 0) goto end; s->s3->hs.state = SSL3_ST_SW_FLUSH; - if (s->internal->hit) { + if (s->hit) { s->s3->hs.tls12.next_state = SSL3_ST_SR_FINISHED_A; tls1_transcript_free(s); } else s->s3->hs.tls12.next_state = SSL_ST_OK; - s->internal->init_num = 0; + s->init_num = 0; break; case SSL_ST_OK: 
@@ -682,18 +704,18 @@ ssl3_accept(SSL *s) /* remove buffering on output */ ssl_free_wbio_buffer(s); - s->internal->init_num = 0; + s->init_num = 0; /* Skipped if we just sent a HelloRequest. */ - if (s->internal->renegotiate == 2) { - s->internal->renegotiate = 0; - s->internal->new_session = 0; + if (s->renegotiate == 2) { + s->renegotiate = 0; + s->new_session = 0; ssl_update_cache(s, SSL_SESS_CACHE_SERVER); - s->ctx->internal->stats.sess_accept_good++; + s->ctx->stats.sess_accept_good++; /* s->server=1; */ - s->internal->handshake_func = ssl3_accept; + s->handshake_func = ssl3_accept; ssl_info_callback(s, SSL_CB_HANDSHAKE_DONE, 1); } @@ -718,7 +740,7 @@ ssl3_accept(SSL *s) } if (!s->s3->hs.tls12.reuse_message && !skip) { - if (s->internal->debug) { + if (s->debug) { if ((ret = BIO_flush(s->wbio)) <= 0) goto end; } @@ -735,13 +757,13 @@ ssl3_accept(SSL *s) } end: /* BIO_flush(s->wbio); */ - s->internal->in_handshake--; + s->in_handshake--; ssl_info_callback(s, SSL_CB_ACCEPT_EXIT, ret); return (ret); } -int +static int ssl3_send_hello_request(SSL *s) { CBB cbb, hello; @@ -767,7 +789,7 @@ ssl3_send_hello_request(SSL *s) return (-1); } -int +static int ssl3_get_client_hello(SSL *s) { CBS cbs, client_random, session_id, cookie, cipher_suites; @@ -793,19 +815,19 @@ ssl3_get_client_hello(SSL *s) if (s->s3->hs.state == SSL3_ST_SR_CLNT_HELLO_A) s->s3->hs.state = SSL3_ST_SR_CLNT_HELLO_B; - s->internal->first_packet = 1; + s->first_packet = 1; if ((ret = ssl3_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO, SSL3_RT_MAX_PLAIN_LENGTH)) <= 0) return ret; - s->internal->first_packet = 0; + s->first_packet = 0; ret = -1; - if (s->internal->init_num < 0) + if (s->init_num < 0) goto err; - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); /* Parse client hello up until the extensions (if any). */ if (!CBS_get_u16(&cbs, &client_version)) 
@@ -834,7 +856,7 @@ ssl3_get_client_hello(SSL *s) */ if (!ssl_max_shared_version(s, client_version, &shared_version)) { if ((client_version >> 8) == SSL3_VERSION_MAJOR && - !tls12_record_layer_write_protected(s->internal->rl)) { + !tls12_record_layer_write_protected(s->rl)) { /* * Similar to ssl3_get_record, send alert using remote * version number. @@ -876,7 +898,7 @@ ssl3_get_client_hello(SSL *s) sizeof(s->s3->client_random), NULL)) goto err; - s->internal->hit = 0; + s->hit = 0; /* * Versions before 0.9.7 always allow clients to resume sessions in @@ -888,12 +910,12 @@ ssl3_get_client_hello(SSL *s) * library versions). * * 1.0.1 and later also have a function SSL_renegotiate_abbreviated() - * to request renegotiation but not a new session (s->internal->new_session + * to request renegotiation but not a new session (s->new_session * remains unset): for servers, this essentially just means that the * SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION setting will be * ignored. */ - if ((s->internal->new_session && (s->internal->options & + if ((s->new_session && (s->options & SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION))) { if (!ssl_get_new_session(s, 1)) goto err; @@ -904,7 +926,7 @@ ssl3_get_client_hello(SSL *s) i = ssl_get_prev_session(s, &session_id, &ext_block, &al); if (i == 1) { /* previous session */ - s->internal->hit = 1; + s->hit = 1; } else if (i == -1) goto fatal_err; else { @@ -936,8 +958,8 @@ ssl3_get_client_hello(SSL *s) sizeof(s->d1->rcvd_cookie), &cookie_len)) goto err; - if (s->ctx->internal->app_verify_cookie_cb != NULL) { - if (s->ctx->internal->app_verify_cookie_cb(s, + if (s->ctx->app_verify_cookie_cb != NULL) { + if (s->ctx->app_verify_cookie_cb(s, s->d1->rcvd_cookie, cookie_len) == 0) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_COOKIE_MISMATCH); 
@@ -972,7 +994,7 @@ ssl3_get_client_hello(SSL *s) /* If it is a hit, check that the cipher is in the list */ /* XXX - CBS_len(&cipher_suites) will always be zero here... */ - if (s->internal->hit && CBS_len(&cipher_suites) > 0) { + if (s->hit && CBS_len(&cipher_suites) > 0) { j = 0; id = s->session->cipher->id; @@ -1015,7 +1037,7 @@ ssl3_get_client_hello(SSL *s) if (CBS_len(&cbs) != 0) goto decode_err; - if (!s->s3->renegotiate_seen && s->internal->renegotiate) { + if (!s->s3->renegotiate_seen && s->renegotiate) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED); goto fatal_err; 
@@ -1055,34 +1077,42 @@ ssl3_get_client_hello(SSL *s) } } - if (!s->internal->hit && s->internal->tls_session_secret_cb) { + if (!s->hit && s->tls_session_secret_cb != NULL) { SSL_CIPHER *pref_cipher = NULL; + int master_key_length = sizeof(s->session->master_key); - s->session->master_key_length = sizeof(s->session->master_key); - if (s->internal->tls_session_secret_cb(s, s->session->master_key, - &s->session->master_key_length, ciphers, &pref_cipher, - s->internal->tls_session_secret_cb_arg)) { - s->internal->hit = 1; - s->session->ciphers = ciphers; - s->session->verify_result = X509_V_OK; - - ciphers = NULL; - - /* check if some cipher was preferred by call back */ - pref_cipher = pref_cipher ? pref_cipher : - ssl3_choose_cipher(s, s->session->ciphers, - SSL_get_ciphers(s)); - if (pref_cipher == NULL) { - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(s, SSL_R_NO_SHARED_CIPHER); - goto fatal_err; - } - - s->session->cipher = pref_cipher; - - sk_SSL_CIPHER_free(s->cipher_list); - s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); + if (!s->tls_session_secret_cb(s, + s->session->master_key, &master_key_length, ciphers, + &pref_cipher, s->tls_session_secret_cb_arg)) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + goto err; } + if (master_key_length <= 0) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + goto err; + } + s->session->master_key_length = master_key_length; + + s->hit = 1; + s->session->verify_result = X509_V_OK; + + sk_SSL_CIPHER_free(s->session->ciphers); + s->session->ciphers = ciphers; + ciphers = NULL; + + /* Check if some cipher was preferred by the callback. */ + if (pref_cipher == NULL) + pref_cipher = ssl3_choose_cipher(s, s->session->ciphers, + SSL_get_ciphers(s)); + if (pref_cipher == NULL) { + al = SSL_AD_HANDSHAKE_FAILURE; + SSLerror(s, SSL_R_NO_SHARED_CIPHER); + goto fatal_err; + } + s->session->cipher = pref_cipher; + + sk_SSL_CIPHER_free(s->cipher_list); + s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); } /* 
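Review bot: The length reported back by tls_session_secret_cb is only checked for `<= 0` before it is stored into s->session->master_key_length; a callback that reports a length larger than the buffer it was handed would be trusted, and every later consumer of master_key_length would read past master_key. Since the buffer size is what the callback receives as the initial value, the check should be two-sided: `if (master_key_length <= 0 || (size_t)master_key_length > sizeof(s->session->master_key)) {`. Note also that a callback returning 0 is now a fatal internal error, where the removed code fell through to ordinary cipher selection; if that is intended, a one-line comment above the call saying so would save the next reader a trip through history.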
@@ -1090,19 +1120,18 @@ ssl3_get_client_hello(SSL *s) * pick a cipher */ - if (!s->internal->hit) { - sk_SSL_CIPHER_free(s->session->ciphers); - s->session->ciphers = ciphers; + if (!s->hit) { if (ciphers == NULL) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_NO_CIPHERS_PASSED); goto fatal_err; } + sk_SSL_CIPHER_free(s->session->ciphers); + s->session->ciphers = ciphers; ciphers = NULL; - c = ssl3_choose_cipher(s, s->session->ciphers, - SSL_get_ciphers(s)); - if (c == NULL) { + if ((c = ssl3_choose_cipher(s, s->session->ciphers, + SSL_get_ciphers(s))) == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_NO_SHARED_CIPHER); goto fatal_err; @@ -1123,12 +1152,12 @@ ssl3_get_client_hello(SSL *s) /* * We now have the following setup. * client_random - * cipher_list - our prefered list of ciphers - * ciphers - the clients prefered list of ciphers + * cipher_list - our preferred list of ciphers + * ciphers - the clients preferred list of ciphers * compression - basically ignored right now * ssl version is set - sslv3 * s->session - The ssl session has been setup. - * s->internal->hit - session reuse flag + * s->hit - session reuse flag * s->hs.cipher - the new cipher to use. */ @@ -1153,7 +1182,7 @@ ssl3_get_client_hello(SSL *s) return (ret); } -int +static int ssl3_send_dtls_hello_verify_request(SSL *s) { CBB cbb, verify, cookie; @@ -1161,8 +1190,8 @@ ssl3_send_dtls_hello_verify_request(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (s->s3->hs.state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A) { - if (s->ctx->internal->app_gen_cookie_cb == NULL || - s->ctx->internal->app_gen_cookie_cb(s, s->d1->cookie, + if (s->ctx->app_gen_cookie_cb == NULL || + s->ctx->app_gen_cookie_cb(s, s->d1->cookie, &(s->d1->cookie_len)) == 0) { SSLerror(s, ERR_R_INTERNAL_ERROR); return 0; @@ -1197,7 +1226,7 @@ ssl3_send_dtls_hello_verify_request(SSL *s) return (-1); } -int +static int ssl3_send_server_hello(SSL *s) { CBB cbb, server_hello, session_id; 
@@ -1230,12 +1259,12 @@ ssl3_send_server_hello(SSL *s) * - However, if we want the new session to be single-use, * we send back a 0-length session ID. * - * s->internal->hit is non-zero in either case of session reuse, + * s->hit is non-zero in either case of session reuse, * so the following won't overwrite an ID that we're supposed * to send back. */ - if (!(s->ctx->internal->session_cache_mode & SSL_SESS_CACHE_SERVER) - && !s->internal->hit) + if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) + && !s->hit) s->session->session_id_length = 0; sl = s->session->session_id_length; @@ -1276,7 +1305,7 @@ ssl3_send_server_hello(SSL *s) return (-1); } -int +static int ssl3_send_server_done(SSL *s) { CBB cbb, done; @@ -1348,6 +1377,12 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb) if (!tls_key_share_public(s->s3->hs.key_share, cbb)) goto err; + if (!tls_key_share_peer_security(s, s->s3->hs.key_share)) { + SSLerror(s, SSL_R_DH_KEY_TOO_SMALL); + ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); + return 0; + } + return 1; err: @@ -1360,7 +1395,7 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb) CBB public; int nid; - if ((nid = tls1_get_shared_curve(s)) == NID_undef) { + if (!tls1_get_supported_group(s, &nid)) { SSLerror(s, SSL_R_UNSUPPORTED_ELLIPTIC_CURVE); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE); goto err; @@ -1393,7 +1428,7 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb) return 0; } -int +static int ssl3_send_server_key_exchange(SSL *s) { CBB cbb, cbb_params, cbb_signature, server_kex; @@ -1532,7 +1567,7 @@ ssl3_send_server_key_exchange(SSL *s) return (-1); } -int +static int ssl3_send_certificate_request(SSL *s) { CBB cbb, cert_request, cert_types, sigalgs, cert_auth, dn; 
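Review bot: In ssl3_send_server_kex_dhe the new tls_key_share_peer_security check runs after tls_key_share_public has already appended the share to cbb, and it leaves via `return 0` while the neighbouring failure paths use `goto err` (the err label and the function's start are outside the hunk, so whether err performs cleanup that this path now skips cannot be seen here). Unless the check needs the generated key, moving it ahead of key generation avoids doing the DH work for a group that will be rejected anyway; otherwise `goto err;` after the alert keeps the exit paths uniform.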
@@ -1560,8 +1595,8 @@ ssl3_send_certificate_request(SSL *s) if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs)) goto err; - if (!ssl_sigalgs_build( - s->s3->hs.negotiated_tls_version, &sigalgs)) + if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, + &sigalgs, SSL_get_security_level(s))) goto err; } @@ -1848,7 +1883,7 @@ ssl3_get_client_kex_gost(SSL *s, CBS *cbs) return 0; } -int +static int ssl3_get_client_key_exchange(SSL *s) { unsigned long alg_k; @@ -1860,10 +1895,10 @@ ssl3_get_client_key_exchange(SSL *s) SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048)) <= 0) return ret; - if (s->internal->init_num < 0) + if (s->init_num < 0) goto err; - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); alg_k = s->s3->hs.cipher->algorithm_mkey; @@ -1899,7 +1934,7 @@ ssl3_get_client_key_exchange(SSL *s) return (-1); } -int +static int ssl3_get_cert_verify(SSL *s) { CBS cbs, signature; @@ -1920,13 +1955,13 @@ ssl3_get_cert_verify(SSL *s) ret = 0; - if (s->internal->init_num < 0) + if (s->init_num < 0) goto err; if ((mctx = EVP_MD_CTX_new()) == NULL) goto err; - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); peer_cert = s->session->peer_cert; pkey = X509_get0_pubkey(peer_cert); @@ -2133,17 +2168,17 @@ ssl3_get_cert_verify(SSL *s) return (ret); } -int +static int ssl3_get_client_certificate(SSL *s) { - CBS cbs, client_certs; - X509 *x = NULL; - const unsigned char *q; - STACK_OF(X509) *sk = NULL; - int i, al, ret; + CBS cbs, cert_list, cert_data; + STACK_OF(X509) *certs = NULL; + X509 *cert = NULL; + const uint8_t *p; + int al, ret; if ((ret = ssl3_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, - -1, s->internal->max_cert_list)) <= 0) + -1, s->max_cert_list)) <= 0) return ret; ret = -1; 
@@ -2155,13 +2190,13 @@ ssl3_get_client_certificate(SSL *s)
 al = SSL_AD_HANDSHAKE_FAILURE;
 goto fatal_err;
 }
+
 /*
- * If tls asked for a client cert,
- * the client must return a 0 list.
+ * If we asked for a client certificate and the client has none,
+ * it must respond with a certificate list of length zero.
 */
- if (s->s3->hs.tls12.cert_request) {
- SSLerror(s, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST
- );
+ if (s->s3->hs.tls12.cert_request != 0) {
+ SSLerror(s, SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
 al = SSL_AD_UNEXPECTED_MESSAGE;
 goto fatal_err;
 }
@@ -2175,52 +2210,22 @@ ssl3_get_client_certificate(SSL *s) goto fatal_err; } - if (s->internal->init_num < 0) + if (s->init_num < 0) goto decode_err; - CBS_init(&cbs, s->internal->init_msg, s->internal->init_num); + CBS_init(&cbs, s->init_msg, s->init_num); - if ((sk = sk_X509_new_null()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - - if (!CBS_get_u24_length_prefixed(&cbs, &client_certs) || - CBS_len(&cbs) != 0) + if (!CBS_get_u24_length_prefixed(&cbs, &cert_list)) + goto decode_err; + if (CBS_len(&cbs) != 0) goto decode_err; - while (CBS_len(&client_certs) > 0) { - CBS cert; - - if (!CBS_get_u24_length_prefixed(&client_certs, &cert)) { - al = SSL_AD_DECODE_ERROR; - SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); - goto fatal_err; - } - - q = CBS_data(&cert); - x = d2i_X509(NULL, &q, CBS_len(&cert)); - if (x == NULL) { - SSLerror(s, ERR_R_ASN1_LIB); - goto err; - } - if (q != CBS_data(&cert) + CBS_len(&cert)) { - al = SSL_AD_DECODE_ERROR; - SSLerror(s, SSL_R_CERT_LENGTH_MISMATCH); - goto fatal_err; - } - if (!sk_X509_push(sk, x)) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - x = NULL; - } - - if (sk_X509_num(sk) <= 0) { - /* - * TLS does not mind 0 certs returned. - * Fail for TLS only if we required a certificate. - */ + /* + * A TLS client must send an empty certificate list, if no suitable + * certificate is available (rather than omitting the Certificate + * handshake message) - see RFC 5246 section 7.4.6. + */ + if (CBS_len(&cert_list) == 0) { if ((s->verify_mode & SSL_VERIFY_PEER) && (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) { SSLerror(s, SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE); 
@@ -2229,28 +2234,43 @@ ssl3_get_client_certificate(SSL *s) } /* No client certificate so free transcript. */ tls1_transcript_free(s); - } else { - i = ssl_verify_cert_chain(s, sk); - if (i <= 0) { - al = ssl_verify_alarm_type(s->verify_result); - SSLerror(s, SSL_R_NO_CERTIFICATE_RETURNED); - goto fatal_err; - } + goto done; } - X509_free(s->session->peer_cert); - s->session->peer_cert = sk_X509_shift(sk); + if ((certs = sk_X509_new_null()) == NULL) { + SSLerror(s, ERR_R_MALLOC_FAILURE); + goto err; + } - /* - * Inconsistency alert: cert_chain does *not* include the - * peer's own certificate, while we do include it in s3_clnt.c - */ - sk_X509_pop_free(s->session->cert_chain, X509_free); - s->session->cert_chain = sk; - sk = NULL; + while (CBS_len(&cert_list) > 0) { + if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) + goto decode_err; + p = CBS_data(&cert_data); + if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) { + SSLerror(s, ERR_R_ASN1_LIB); + goto err; + } + if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) + goto decode_err; + if (!sk_X509_push(certs, cert)) { + SSLerror(s, ERR_R_MALLOC_FAILURE); + goto err; + } + cert = NULL; + } + if (ssl_verify_cert_chain(s, certs) <= 0) { + al = ssl_verify_alarm_type(s->verify_result); + SSLerror(s, SSL_R_NO_CERTIFICATE_RETURNED); + goto fatal_err; + } s->session->verify_result = s->verify_result; + ERR_clear_error(); + if (!tls_process_peer_certs(s, certs)) + goto err; + + done: ret = 1; if (0) { decode_err: @@ -2260,13 +2280,13 @@ ssl3_get_client_certificate(SSL *s) ssl3_send_alert(s, SSL3_AL_FATAL, al); } err: - X509_free(x); - sk_X509_pop_free(sk, X509_free); + sk_X509_pop_free(certs, X509_free); + X509_free(cert); return (ret); } -int +static int ssl3_send_server_certificate(SSL *s) { CBB cbb, server_cert; 
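Review bot: The empty-certificate-list path now jumps to done without calling tls_process_peer_certs, so whatever s->session->peer_cert and cert_chain already hold is kept; the removed code replaced both unconditionally (sk_X509_shift on the empty stack left peer_cert NULL). If a session can reach this point with a peer certificate from an earlier handshake, the server would keep attributing that identity to a client that just declined to present one — please confirm the session is always fresh here, or reset the two fields explicitly on that path. Separately, a certificate whose DER does not fill its length-prefixed slot now goes to decode_err (outside the hunk, presumably a generic decode error) rather than reporting SSL_R_CERT_LENGTH_MISMATCH, which makes a truncated or padded client certificate harder to diagnose from the error queue.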
@@ -2305,7 +2325,7 @@ ssl3_send_server_certificate(SSL *s) } /* send a new session ticket (not necessarily for a new session) */ -int +static int ssl3_send_newsession_ticket(SSL *s) { CBB cbb, session_ticket, ticket; @@ -2347,17 +2367,17 @@ ssl3_send_newsession_ticket(SSL *s) * it does all the work, otherwise use generated values from * parent context. */ - if (tctx->internal->tlsext_ticket_key_cb != NULL) { - if (tctx->internal->tlsext_ticket_key_cb(s, + if (tctx->tlsext_ticket_key_cb != NULL) { + if (tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx, hctx, 1) < 0) goto err; } else { arc4random_buf(iv, 16); EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, - tctx->internal->tlsext_tick_aes_key, iv); - HMAC_Init_ex(hctx, tctx->internal->tlsext_tick_hmac_key, + tctx->tlsext_tick_aes_key, iv); + HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, 16, EVP_sha256(), NULL); - memcpy(key_name, tctx->internal->tlsext_tick_key_name, 16); + memcpy(key_name, tctx->tlsext_tick_key_name, 16); } /* Encrypt the session state. */ @@ -2395,7 +2415,7 @@ ssl3_send_newsession_ticket(SSL *s) * sessions will live as long as their sessions. */ if (!CBB_add_u32(&session_ticket, - s->internal->hit ? 0 : s->session->timeout)) + s->hit ? 0 : s->session->timeout)) goto err; if (!CBB_add_u16_length_prefixed(&session_ticket, &ticket)) @@ -2438,7 +2458,7 @@ ssl3_send_newsession_ticket(SSL *s) return (-1); } -int +static int ssl3_send_cert_status(SSL *s) { CBB cbb, certstatus, ocspresp; @@ -2453,8 +2473,8 @@ ssl3_send_cert_status(SSL *s) goto err; if (!CBB_add_u24_length_prefixed(&certstatus, &ocspresp)) goto err; - if (!CBB_add_bytes(&ocspresp, s->internal->tlsext_ocsp_resp, - s->internal->tlsext_ocsp_resp_len)) + if (!CBB_add_bytes(&ocspresp, s->tlsext_ocsp_resp, + s->tlsext_ocsp_resp_len)) goto err; if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; 
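Review bot: The return values of EVP_EncryptInit_ex and HMAC_Init_ex in the default-key branch are still discarded, so a failure there leaves the contexts uninitialised and the ticket is then encrypted and MACed with whatever state they hold. Both calls are touched by this hunk anyway, so guarding them is cheap: `if (!EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, tctx->tlsext_tick_aes_key, iv)) goto err;` and likewise for HMAC_Init_ex. The key-callback branch already fails on `< 0`, so the two branches would then behave consistently; the err label is outside the hunk.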
@@ -2470,3 +2490,136 @@ ssl3_send_cert_status(SSL *s) return (-1); } + +static int +ssl3_send_server_change_cipher_spec(SSL *s) +{ + size_t outlen; + CBB cbb; + + memset(&cbb, 0, sizeof(cbb)); + + if (s->s3->hs.state == SSL3_ST_SW_CHANGE_A) { + if (!CBB_init_fixed(&cbb, s->init_buf->data, + s->init_buf->length)) + goto err; + if (!CBB_add_u8(&cbb, SSL3_MT_CCS)) + goto err; + if (!CBB_finish(&cbb, NULL, &outlen)) + goto err; + + if (outlen > INT_MAX) + goto err; + + s->init_num = (int)outlen; + s->init_off = 0; + + if (SSL_is_dtls(s)) { + s->d1->handshake_write_seq = + s->d1->next_handshake_write_seq; + dtls1_set_message_header_int(s, SSL3_MT_CCS, 0, + s->d1->handshake_write_seq, 0, 0); + dtls1_buffer_message(s, 1); + } + + s->s3->hs.state = SSL3_ST_SW_CHANGE_B; + } + + /* SSL3_ST_SW_CHANGE_B */ + return ssl3_record_write(s, SSL3_RT_CHANGE_CIPHER_SPEC); + + err: + CBB_cleanup(&cbb); + + return -1; +} + +static int +ssl3_get_client_finished(SSL *s) +{ + int al, md_len, ret; + CBS cbs; + + /* should actually be 36+4 :-) */ + if ((ret = ssl3_get_message(s, SSL3_ST_SR_FINISHED_A, + SSL3_ST_SR_FINISHED_B, SSL3_MT_FINISHED, 64)) <= 0) + return ret; + + /* If this occurs, we have missed a message */ + if (!s->s3->change_cipher_spec) { + al = SSL_AD_UNEXPECTED_MESSAGE; + SSLerror(s, SSL_R_GOT_A_FIN_BEFORE_A_CCS); + goto fatal_err; + } + s->s3->change_cipher_spec = 0; + + md_len = TLS1_FINISH_MAC_LENGTH; + + if (s->init_num < 0) { + al = SSL_AD_DECODE_ERROR; + SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); + goto fatal_err; + } + + CBS_init(&cbs, s->init_msg, s->init_num); + + if (s->s3->hs.peer_finished_len != md_len || + CBS_len(&cbs) != md_len) { + al = SSL_AD_DECODE_ERROR; + SSLerror(s, SSL_R_BAD_DIGEST_LENGTH); + goto fatal_err; + } + + if (!CBS_mem_equal(&cbs, s->s3->hs.peer_finished, CBS_len(&cbs))) { + al = SSL_AD_DECRYPT_ERROR; + SSLerror(s, SSL_R_DIGEST_CHECK_FAILED); + goto fatal_err; + } + + /* Copy finished so we can use it for renegotiation checks. 
*/ + OPENSSL_assert(md_len <= EVP_MAX_MD_SIZE); + memcpy(s->s3->previous_client_finished, + s->s3->hs.peer_finished, md_len); + s->s3->previous_client_finished_len = md_len; + + return (1); + fatal_err: + ssl3_send_alert(s, SSL3_AL_FATAL, al); + return (0); +} + +static int +ssl3_send_server_finished(SSL *s) +{ + CBB cbb, finished; + + memset(&cbb, 0, sizeof(cbb)); + + if (s->s3->hs.state == SSL3_ST_SW_FINISHED_A) { + if (!tls12_derive_finished(s)) + goto err; + + /* Copy finished so we can use it for renegotiation checks. */ + memcpy(s->s3->previous_server_finished, + s->s3->hs.finished, s->s3->hs.finished_len); + s->s3->previous_server_finished_len = s->s3->hs.finished_len; + + if (!ssl3_handshake_msg_start(s, &cbb, &finished, + SSL3_MT_FINISHED)) + goto err; + if (!CBB_add_bytes(&finished, s->s3->hs.finished, + s->s3->hs.finished_len)) + goto err; + if (!ssl3_handshake_msg_finish(s, &cbb)) + goto err; + + s->s3->hs.state = SSL3_ST_SW_FINISHED_B; + } + + return (ssl3_handshake_write(s)); + + err: + CBB_cleanup(&cbb); + + return (-1); +} diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c index 5d35528..b423033 100644 --- a/ssl/ssl_stat.c +++ b/ssl/ssl_stat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_stat.c,v 1.18 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: ssl_stat.c,v 1.20 2022/11/26 16:08:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -84,7 +84,7 @@ #include -#include "ssl_locl.h" +#include "ssl_local.h" const char * SSL_state_string_long(const SSL *s) @@ -325,7 +325,7 @@ SSL_rstate_string_long(const SSL *s) { const char *str; - switch (s->internal->rstate) { + switch (s->rstate) { case SSL_ST_READ_HEADER: str = "read header"; break; @@ -771,7 +771,7 @@ SSL_rstate_string(const SSL *s) { const char *str; - switch (s->internal->rstate) { + switch (s->rstate) { case SSL_ST_READ_HEADER: str = "RH"; break; diff --git a/ssl/ssl_tlsext.c b/ssl/ssl_tlsext.c index f93f44c..5dd4b69 100644 --- a/ssl/ssl_tlsext.c 
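Review bot: ssl3_send_server_finished copies s->s3->hs.finished_len bytes into s->s3->previous_server_finished with no bound on the destination, while the sibling ssl3_get_client_finished asserts `md_len <= EVP_MAX_MD_SIZE` before its memcpy. finished_len comes from tls12_derive_finished and is presumably bounded by the digest size, but the asymmetry is cheap to close: `if (s->s3->hs.finished_len > sizeof(s->s3->previous_server_finished)) goto err;` before the memcpy. In ssl3_send_server_change_cipher_spec the result of dtls1_buffer_message(s, 1) is ignored, so a failed buffering of the CCS record on the DTLS path is not reported. The Finished comparison relies on CBS_mem_equal being constant-time; that holds if it is still backed by timingsafe_memcmp, which cannot be seen from this diff.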
+++ b/ssl/ssl_tlsext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.110 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.137 2023/04/28 18:14:59 tb Exp $ */ /* * Copyright (c) 2016, 2017, 2019 Joel Sing * Copyright (c) 2017 Doug Hogan @@ -28,23 +28,25 @@ #include #include "bytestring.h" -#include "ssl_locl.h" +#include "ssl_local.h" #include "ssl_sigalgs.h" #include "ssl_tlsext.h" +#define TLSEXT_TYPE_alpn TLSEXT_TYPE_application_layer_protocol_negotiation + /* * Supported Application-Layer Protocol Negotiation - RFC 7301 */ -int +static int tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) { /* ALPN protos have been specified and this is the initial handshake */ - return s->internal->alpn_client_proto_list != NULL && + return s->alpn_client_proto_list != NULL && s->s3->hs.finished_len == 0; } -int +static int tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB protolist; @@ -52,8 +54,8 @@ tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) if (!CBB_add_u16_length_prefixed(cbb, &protolist)) return 0; - if (!CBB_add_bytes(&protolist, s->internal->alpn_client_proto_list, - s->internal->alpn_client_proto_list_len)) + if (!CBB_add_bytes(&protolist, s->alpn_client_proto_list, + s->alpn_client_proto_list_len)) return 0; if (!CBB_flush(cbb)) 
@@ -63,31 +65,41 @@ tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) } int +tlsext_alpn_check_format(CBS *cbs) +{ + CBS proto_name_list; + + if (CBS_len(cbs) == 0) + return 0; + + CBS_dup(cbs, &proto_name_list); + while (CBS_len(&proto_name_list) > 0) { + CBS proto_name; + + if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) + return 0; + if (CBS_len(&proto_name) == 0) + return 0; + } + + return 1; +} + +static int tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) { - CBS proto_name_list, alpn; + CBS alpn, selected_cbs; const unsigned char *selected; unsigned char selected_len; int r; if (!CBS_get_u16_length_prefixed(cbs, &alpn)) - goto err; - if (CBS_len(&alpn) < 2) - goto err; - if (CBS_len(cbs) != 0) - goto err; + return 0; - CBS_dup(&alpn, &proto_name_list); - while (CBS_len(&proto_name_list) > 0) { - CBS proto_name; + if (!tlsext_alpn_check_format(&alpn)) + return 0; - if (!CBS_get_u8_length_prefixed(&proto_name_list, &proto_name)) - goto err; - if (CBS_len(&proto_name) == 0) - goto err; - } - - if (s->ctx->internal->alpn_select_cb == NULL) + if (s->ctx->alpn_select_cb == NULL) return 1; /* 
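Review bot: tlsext_alpn_server_parse no longer checks that the extension body is fully consumed (`CBS_len(cbs) != 0`) and no longer sets *alert on a malformed body; the same two removals recur in tlsext_alpn_client_parse, tlsext_supportedgroups_server_parse, tlsext_ecpf_parse, tlsext_ri_server_parse and tlsext_ri_client_parse further down. This is only sound if the common extension dispatcher now rejects trailing bytes after each parser returns and defaults the alert to decode_error when a parser returns 0 without setting one; that dispatcher is not in this diff, so please state both in the description. One consequence visible here: a malformed renegotiation_info now leaves *alert untouched, so the alert actually sent depends on that default rather than on this code.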
@@ -96,19 +108,18 @@ tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) * 2. Should the callback be called even if no ALPN extension was sent? * 3. TLSv1.2 and earlier: ensure that SNI has already been processed. */ - r = s->ctx->internal->alpn_select_cb(s, &selected, &selected_len, + r = s->ctx->alpn_select_cb(s, &selected, &selected_len, CBS_data(&alpn), CBS_len(&alpn), - s->ctx->internal->alpn_select_cb_arg); + s->ctx->alpn_select_cb_arg); if (r == SSL_TLSEXT_ERR_OK) { - free(s->s3->alpn_selected); - if ((s->s3->alpn_selected = malloc(selected_len)) == NULL) { - s->s3->alpn_selected_len = 0; + CBS_init(&selected_cbs, selected, selected_len); + + if (!CBS_stow(&selected_cbs, &s->s3->alpn_selected, + &s->s3->alpn_selected_len)) { *alert = SSL_AD_INTERNAL_ERROR; return 0; } - memcpy(s->s3->alpn_selected, selected, selected_len); - s->s3->alpn_selected_len = selected_len; return 1; } @@ -121,19 +132,15 @@ tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) SSLerror(s, SSL_R_NO_APPLICATION_PROTOCOL); return 0; - - err: - *alert = SSL_AD_DECODE_ERROR; - return 0; } -int +static int tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) { return s->s3->alpn_selected != NULL; } -int +static int tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB list, selected; 
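Review bot: If alpn_select_cb returns SSL_TLSEXT_ERR_OK with selected_len == 0, the stow leaves s->s3->alpn_selected NULL (assuming CBS_stow keeps its usual behaviour of freeing the target and leaving it NULL for empty input), so tlsext_alpn_server_needs is false and the server silently omits the extension instead of reporting a callback bug; the removed code would have stored a zero-length allocation instead. Treating that case as an error makes the contract explicit: `if (selected_len == 0) { *alert = SSL_AD_INTERNAL_ERROR; return 0; }` before the CBS_init.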
@@ -154,51 +161,44 @@ tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS list, proto; - if (s->internal->alpn_client_proto_list == NULL) { + if (s->alpn_client_proto_list == NULL) { *alert = SSL_AD_UNSUPPORTED_EXTENSION; return 0; } if (!CBS_get_u16_length_prefixed(cbs, &list)) - goto err; - if (CBS_len(cbs) != 0) - goto err; + return 0; if (!CBS_get_u8_length_prefixed(&list, &proto)) - goto err; + return 0; if (CBS_len(&list) != 0) - goto err; + return 0; if (CBS_len(&proto) == 0) - goto err; + return 0; - if (!CBS_stow(&proto, &(s->s3->alpn_selected), - &(s->s3->alpn_selected_len))) - goto err; + if (!CBS_stow(&proto, &s->s3->alpn_selected, &s->s3->alpn_selected_len)) + return 0; return 1; - - err: - *alert = SSL_AD_DECODE_ERROR; - return 0; } /* * Supported Groups - RFC 7919 section 2 */ -int +static int tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) { return ssl_has_ecc_ciphers(s) || (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); } -int +static int tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { const uint16_t *groups; @@ -216,6 +216,8 @@ tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) return 0; for (i = 0; i < groups_len; i++) { + if (!ssl_security_supported_group(s, groups[i])) + continue; if (!CBB_add_u16(&grouplist, groups[i])) return 0; } 
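Review bot: In tlsext_supportedgroups_client_build the new ssl_security_supported_group filter can leave grouplist empty when the security level rejects every configured group, and the extension is then still emitted with a zero-length list — which the server-side parser in this same file rejects (`groups_len == 0`), so a peer running this code fails the handshake with a decode error instead of a clear local error. Counting the groups actually added and failing the build when none were (`if (added == 0) return 0;`) surfaces the misconfiguration locally; the rest of the function, including the flush, is outside the hunk.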
@@ -226,100 +228,80 @@ tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS grouplist; + uint16_t *groups; size_t groups_len; + int i; if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) - goto err; - if (CBS_len(cbs) != 0) - goto err; + return 0; groups_len = CBS_len(&grouplist); if (groups_len == 0 || groups_len % 2 != 0) - goto err; + return 0; groups_len /= 2; - if (!s->internal->hit) { - uint16_t *groups; - int i; + if (s->hit) + return 1; - if (s->s3->hs.tls13.hrr) { - if (s->session->tlsext_supportedgroups == NULL) { - *alert = SSL_AD_HANDSHAKE_FAILURE; - return 0; - } - /* - * In the case of TLSv1.3 the client cannot change - * the supported groups. - */ - if (groups_len != s->session->tlsext_supportedgroups_length) { - *alert = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - for (i = 0; i < groups_len; i++) { - uint16_t group; - - if (!CBS_get_u16(&grouplist, &group)) - goto err; - if (s->session->tlsext_supportedgroups[i] != group) { - *alert = SSL_AD_ILLEGAL_PARAMETER; - return 0; - } - } - - return 1; - } - - if (s->session->tlsext_supportedgroups != NULL) - goto err; - - if ((groups = reallocarray(NULL, groups_len, - sizeof(uint16_t))) == NULL) { - *alert = SSL_AD_INTERNAL_ERROR; + if (s->s3->hs.tls13.hrr) { + if (s->session->tlsext_supportedgroups == NULL) { + *alert = SSL_AD_HANDSHAKE_FAILURE; return 0; } - for (i = 0; i < groups_len; i++) { - if (!CBS_get_u16(&grouplist, &groups[i])) { - free(groups); - goto err; - } - } + /* + * The ClientHello extension hashing ensures that the client + * did not change its list of supported groups. 
+ */ - if (CBS_len(&grouplist) != 0) { - free(groups); - goto err; - } - - s->session->tlsext_supportedgroups = groups; - s->session->tlsext_supportedgroups_length = groups_len; + return 1; } - return 1; + if (s->session->tlsext_supportedgroups != NULL) + return 0; /* XXX internal error? */ - err: - *alert = SSL_AD_DECODE_ERROR; - return 0; + if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) { + *alert = SSL_AD_INTERNAL_ERROR; + return 0; + } + + for (i = 0; i < groups_len; i++) { + if (!CBS_get_u16(&grouplist, &groups[i])) { + free(groups); + return 0; + } + } + + if (CBS_len(&grouplist) != 0) { + free(groups); + return 0; + } + + s->session->tlsext_supportedgroups = groups; + s->session->tlsext_supportedgroups_length = groups_len; + + return 1; } /* This extension is never used by the server. */ -int +static int tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) { return 0; } -int +static int tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { return 0; } -int +static int tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { @@ -377,8 +359,6 @@ tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 0; if (CBS_len(&ecpf) == 0) return 0; - if (CBS_len(cbs) != 0) - return 0; /* Must contain uncompressed (0) - RFC 8422, section 5.1.2. */ if (!CBS_contains_zero_byte(&ecpf)) { @@ -387,7 +367,7 @@ tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 0; } - if (!s->internal->hit) { + if (!s->hit) { if (!CBS_stow(&ecpf, &(s->session->tlsext_ecpointformatlist), &(s->session->tlsext_ecpointformatlist_length))) { *alert = SSL_AD_INTERNAL_ERROR; 
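Review bot: The `if (s->session->tlsext_supportedgroups != NULL) return 0; /* XXX internal error? */` path in tlsext_supportedgroups_server_parse returns failure without setting *alert, so a state problem on our side (the session already carrying a group list on a non-HRR, non-resumed handshake) is reported to the peer with whatever default alert the dispatcher applies, presumably decode_error, blaming the client for a local condition. Either set `*alert = SSL_AD_INTERNAL_ERROR;` before returning and drop the XXX, or document why this state is unreachable. Also, `int i` is compared against a `size_t groups_len` in the copy loop; the removed code had the same mismatch, but since the declarations move in this hunk, `size_t i` would be a free fix.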
@@ -398,37 +378,37 @@ tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 1; } -int +static int tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) { return ssl_has_ecc_ciphers(s); } -int +static int tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { return tlsext_ecpf_build(s, msg_type, cbb); } -int +static int tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { return tlsext_ecpf_parse(s, msg_type, cbs, alert); } -int +static int tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) { return ssl_using_ecc_cipher(s); } -int +static int tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { return tlsext_ecpf_build(s, msg_type, cbb); } -int +static int tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { return tlsext_ecpf_parse(s, msg_type, cbs, alert); @@ -437,13 +417,13 @@ tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) /* * Renegotiation Indication - RFC 5746. */ -int +static int tlsext_ri_client_needs(SSL *s, uint16_t msg_type) { - return (s->internal->renegotiate); + return (s->renegotiate); } -int +static int tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB reneg; @@ -459,15 +439,15 @@ tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS reneg; - if (!CBS_get_u8_length_prefixed(cbs, &reneg)) - goto err; - if (CBS_len(cbs) != 0) - goto err; + if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { + SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); + return 0; + } if (!CBS_mem_equal(&reneg, s->s3->previous_client_finished, s->s3->previous_client_finished_len)) { 
@@ -480,21 +460,16 @@ tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) s->s3->send_connection_binding = 1; return 1; - - err: - SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); - *alert = SSL_AD_DECODE_ERROR; - return 0; } -int +static int tlsext_ri_server_needs(SSL *s, uint16_t msg_type) { return (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION && s->s3->send_connection_binding); } -int +static int tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB reneg; @@ -513,7 +488,7 @@ tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS reneg, prev_client, prev_server; @@ -530,18 +505,24 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 0; } - if (!CBS_get_u8_length_prefixed(cbs, &reneg)) - goto err; + if (!CBS_get_u8_length_prefixed(cbs, &reneg)) { + SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); + return 0; + } if (!CBS_get_bytes(&reneg, &prev_client, - s->s3->previous_client_finished_len)) - goto err; + s->s3->previous_client_finished_len)) { + SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); + return 0; + } if (!CBS_get_bytes(&reneg, &prev_server, - s->s3->previous_server_finished_len)) - goto err; - if (CBS_len(&reneg) != 0) - goto err; - if (CBS_len(cbs) != 0) - goto err; + s->s3->previous_server_finished_len)) { + SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); + return 0; + } + if (CBS_len(&reneg) != 0) { + SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); + return 0; + } if (!CBS_mem_equal(&prev_client, s->s3->previous_client_finished, s->s3->previous_client_finished_len)) { 
@@ -560,23 +541,18 @@ tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) s->s3->send_connection_binding = 1; return 1; - - err: - SSLerror(s, SSL_R_RENEGOTIATION_ENCODING_ERR); - *alert = SSL_AD_DECODE_ERROR; - return 0; } /* * Signature Algorithms - RFC 5246 section 7.4.1.4.1. */ -int +static int tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) { return (s->s3->hs.our_max_tls_version >= TLS1_2_VERSION); } -int +static int tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { uint16_t tls_version = s->s3->hs.negotiated_tls_version; @@ -587,7 +563,7 @@ tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) return 0; - if (!ssl_sigalgs_build(tls_version, &sigalgs)) + if (!ssl_sigalgs_build(tls_version, &sigalgs, SSL_get_security_level(s))) return 0; if (!CBB_flush(cbb)) return 0; @@ -595,7 +571,7 @@ tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS sigalgs; @@ -610,20 +586,21 @@ tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 1; } -int +static int tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) { return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); } -int +static int tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB sigalgs; if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) return 0; - if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs)) + if (!ssl_sigalgs_build(s->s3->hs.negotiated_tls_version, &sigalgs, + SSL_get_security_level(s))) return 0; if (!CBB_flush(cbb)) return 0; @@ -631,7 +608,7 @@ tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS sigalgs; 
@@ -652,13 +629,13 @@ tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) /* * Server Name Indication - RFC 6066, section 3. */ -int +static int tlsext_sni_client_needs(SSL *s, uint16_t msg_type) { return (s->tlsext_hostname != NULL); } -int +static int tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB server_name_list, host_name; @@ -758,7 +735,7 @@ tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip) return 1; } -int +static int tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS server_name_list, host_name; @@ -804,7 +781,7 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) goto err; } - if (s->internal->hit || s->s3->hs.tls13.hrr) { + if (s->hit || s->s3->hs.tls13.hrr) { if (s->session->tlsext_hostname == NULL) { *alert = SSL_AD_UNRECOGNIZED_NAME; goto err; @@ -832,8 +809,6 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) *alert = SSL_AD_ILLEGAL_PARAMETER; goto err; } - if (CBS_len(cbs) != 0) - goto err; return 1; @@ -841,22 +816,22 @@ tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 0; } -int +static int tlsext_sni_server_needs(SSL *s, uint16_t msg_type) { - if (s->internal->hit) + if (s->hit) return 0; return (s->session->tlsext_hostname != NULL); } -int +static int tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { return 1; } -int +static int tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { @@ -864,7 +839,7 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 0; } - if (s->internal->hit) { + if (s->hit) { if (s->session->tlsext_hostname == NULL) { *alert = SSL_AD_UNRECOGNIZED_NAME; return 0; 
@@ -875,10 +850,8 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 0; } } else { - if (s->session->tlsext_hostname != NULL) { - *alert = SSL_AD_DECODE_ERROR; + if (s->session->tlsext_hostname != NULL) return 0; - } if ((s->session->tlsext_hostname = strdup(s->tlsext_hostname)) == NULL) { *alert = SSL_AD_INTERNAL_ERROR; @@ -889,12 +862,11 @@ tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 1; } - /* * Certificate Status Request - RFC 6066 section 8. */ -int +static int tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) { if (msg_type != SSL_TLSEXT_MSG_CH) @@ -903,7 +875,7 @@ tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); } -int +static int tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB respid_list, respid, exts; @@ -915,12 +887,12 @@ tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) return 0; if (!CBB_add_u16_length_prefixed(cbb, &respid_list)) return 0; - for (i = 0; i < sk_OCSP_RESPID_num(s->internal->tlsext_ocsp_ids); i++) { + for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) { unsigned char *respid_data; OCSP_RESPID *id; size_t id_len; - if ((id = sk_OCSP_RESPID_value(s->internal->tlsext_ocsp_ids, + if ((id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i)) == NULL) return 0; if ((id_len = i2d_OCSP_RESPID(id, NULL)) == -1) @@ -934,12 +906,12 @@ tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) } if (!CBB_add_u16_length_prefixed(cbb, &exts)) return 0; - if ((ext_len = i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, + if ((ext_len = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL)) == -1) return 0; if (!CBB_add_space(&exts, &ext_data, ext_len)) return 0; - if ((i2d_X509_EXTENSIONS(s->internal->tlsext_ocsp_exts, &ext_data) != + if ((i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &ext_data) != ext_len)) return 0; if (!CBB_flush(cbb)) 
@@ -947,7 +919,7 @@ tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { int alert_desc = SSL_AD_DECODE_ERROR; @@ -976,11 +948,11 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) goto err; /* XXX */ - sk_OCSP_RESPID_pop_free(s->internal->tlsext_ocsp_ids, OCSP_RESPID_free); - s->internal->tlsext_ocsp_ids = NULL; + sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free); + s->tlsext_ocsp_ids = NULL; if (CBS_len(&respid_list) > 0) { - s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); - if (s->internal->tlsext_ocsp_ids == NULL) { + s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); + if (s->tlsext_ocsp_ids == NULL) { alert_desc = SSL_AD_INTERNAL_ERROR; goto err; } @@ -994,7 +966,7 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) p = CBS_data(&respid); if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) goto err; - if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { + if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) { alert_desc = SSL_AD_INTERNAL_ERROR; OCSP_RESPID_free(id); goto err; @@ -1005,18 +977,14 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) if (!CBS_get_u16_length_prefixed(cbs, &exts)) goto err; if (CBS_len(&exts) > 0) { - sk_X509_EXTENSION_pop_free(s->internal->tlsext_ocsp_exts, + sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free); p = CBS_data(&exts); - if ((s->internal->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, + if ((s->tlsext_ocsp_exts = d2i_X509_EXTENSIONS(NULL, &p, CBS_len(&exts))) == NULL) goto err; } - /* should be nothing left */ - if (CBS_len(cbs) > 0) - goto err; - ret = 1; err: if (ret == 0) 
@@ -1024,22 +992,22 @@ tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return ret; } -int +static int tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) { if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && - s->ctx->internal->tlsext_status_cb != NULL) { - s->internal->tlsext_status_expected = 0; - if (s->ctx->internal->tlsext_status_cb(s, - s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && - s->internal->tlsext_ocsp_resp_len > 0) - s->internal->tlsext_status_expected = 1; + s->ctx->tlsext_status_cb != NULL) { + s->tlsext_status_expected = 0; + if (s->ctx->tlsext_status_cb(s, + s->ctx->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && + s->tlsext_ocsp_resp_len > 0) + s->tlsext_status_expected = 1; } - return s->internal->tlsext_status_expected; + return s->tlsext_status_expected; } -int +static int tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB ocsp_response; @@ -1050,8 +1018,8 @@ tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) return 0; if (!CBB_add_bytes(&ocsp_response, - s->internal->tlsext_ocsp_resp, - s->internal->tlsext_ocsp_resp_len)) + s->tlsext_ocsp_resp, + s->tlsext_ocsp_resp_len)) return 0; if (!CBB_flush(cbb)) return 0; @@ -1059,7 +1027,7 @@ tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { uint8_t status_type; @@ -1093,8 +1061,8 @@ tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); return 0; } - if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, - &s->internal->tlsext_ocsp_resp_len)) { + if (!CBS_stow(&response, &s->tlsext_ocsp_resp, + &s->tlsext_ocsp_resp_len)) { *alert = SSL_AD_INTERNAL_ERROR; return 0; } 
@@ -1104,7 +1072,7 @@ tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 0; } /* Set flag to expect CertificateStatus message */ - s->internal->tlsext_status_expected = 1; + s->tlsext_status_expected = 1; } return 1; } @@ -1112,7 +1080,7 @@ tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) /* * SessionTicket extension - RFC 5077 section 3.2 */ -int +static int tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) { /* @@ -1123,24 +1091,27 @@ tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) if ((SSL_get_options(s) & SSL_OP_NO_TICKET) != 0) return 0; - if (s->internal->new_session) + if (!ssl_security_tickets(s)) + return 0; + + if (s->new_session) return 1; - if (s->internal->tlsext_session_ticket != NULL && - s->internal->tlsext_session_ticket->data == NULL) + if (s->tlsext_session_ticket != NULL && + s->tlsext_session_ticket->data == NULL) return 0; return 1; } -int +static int tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { /* * Signal that we support session tickets by sending an empty * extension when renegotiating or no session found. */ - if (s->internal->new_session || s->session == NULL) + if (s->new_session || s->session == NULL) return 1; if (s->session->tlsext_tick != NULL) { 
@@ -1149,18 +1120,18 @@ tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) s->session->tlsext_ticklen)) return 0; - } else if (s->internal->tlsext_session_ticket != NULL) { + } else if (s->tlsext_session_ticket != NULL) { /* * Attempt to resume with a custom provided session ticket set * by SSL_set_session_ticket_ext(). */ - if (s->internal->tlsext_session_ticket->length > 0) { - size_t ticklen = s->internal->tlsext_session_ticket->length; + if (s->tlsext_session_ticket->length > 0) { + size_t ticklen = s->tlsext_session_ticket->length; if ((s->session->tlsext_tick = malloc(ticklen)) == NULL) return 0; memcpy(s->session->tlsext_tick, - s->internal->tlsext_session_ticket->data, + s->tlsext_session_ticket->data, ticklen); s->session->tlsext_ticklen = ticklen; @@ -1176,14 +1147,14 @@ tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - if (s->internal->tls_session_ticket_ext_cb) { - if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), + if (s->tls_session_ticket_ext_cb) { + if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), (int)CBS_len(cbs), - s->internal->tls_session_ticket_ext_cb_arg)) { + s->tls_session_ticket_ext_cb_arg)) { *alert = SSL_AD_INTERNAL_ERROR; return 0; } 
@@ -1198,28 +1169,29 @@ tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, return 1; } -int +static int tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) { - return (s->internal->tlsext_ticket_expected && - !(SSL_get_options(s) & SSL_OP_NO_TICKET)); + return (s->tlsext_ticket_expected && + !(SSL_get_options(s) & SSL_OP_NO_TICKET) && + ssl_security_tickets(s)); } -int +static int tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { /* Empty ticket */ return 1; } -int +static int tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - if (s->internal->tls_session_ticket_ext_cb) { - if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), + if (s->tls_session_ticket_ext_cb) { + if (!s->tls_session_ticket_ext_cb(s, CBS_data(cbs), (int)CBS_len(cbs), - s->internal->tls_session_ticket_ext_cb_arg)) { + s->tls_session_ticket_ext_cb_arg)) { *alert = SSL_AD_INTERNAL_ERROR; return 0; } @@ -1230,7 +1202,7 @@ tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, return 0; } - s->internal->tlsext_ticket_expected = 1; + s->tlsext_ticket_expected = 1; return 1; } @@ -1241,13 +1213,13 @@ tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, #ifndef OPENSSL_NO_SRTP -int +static int tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) { return SSL_is_dtls(s) && SSL_get_srtp_profiles(s) != NULL; } -int +static int tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB profiles, mki; @@ -1284,7 +1256,7 @@ tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { const SRTP_PROTECTION_PROFILE *cprof, *sprof; 
@@ -1316,11 +1288,8 @@ tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { SSLerror(s, SSL_R_BAD_SRTP_MKI_VALUE); - *alert = SSL_AD_DECODE_ERROR; goto done; } - if (CBS_len(cbs) != 0) - goto err; /* * Per RFC 5764 section 4.1.1 @@ -1334,8 +1303,7 @@ tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) if ((srvr = SSL_get_srtp_profiles(s)) == NULL) goto err; for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(srvr); i++) { - if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) - == NULL) + if ((sprof = sk_SRTP_PROTECTION_PROFILE_value(srvr, i)) == NULL) goto err; for (j = 0; j < sk_SRTP_PROTECTION_PROFILE_num(clnt); j++) { @@ -1344,7 +1312,7 @@ tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) goto err; if (cprof->id == sprof->id) { - s->internal->srtp_profile = sprof; + s->srtp_profile = sprof; ret = 1; goto done; } @@ -1357,20 +1325,19 @@ tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) err: SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - *alert = SSL_AD_DECODE_ERROR; done: sk_SRTP_PROTECTION_PROFILE_free(clnt); return ret; } -int +static int tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) { return SSL_is_dtls(s) && SSL_get_selected_srtp_profile(s) != NULL; } -int +static int tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { SRTP_PROTECTION_PROFILE *profile; @@ -1394,7 +1361,7 @@ tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; 
@@ -1405,12 +1372,12 @@ tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) if (!CBS_get_u16_length_prefixed(cbs, &profile_ids)) { SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - goto err; + return 0; } if (!CBS_get_u16(&profile_ids, &id) || CBS_len(&profile_ids) != 0) { SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - goto err; + return 0; } if (!CBS_get_u8_length_prefixed(cbs, &mki) || CBS_len(&mki) != 0) { @@ -1421,25 +1388,24 @@ tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) if ((clnt = SSL_get_srtp_profiles(s)) == NULL) { SSLerror(s, SSL_R_NO_SRTP_PROFILES); - goto err; + return 0; } for (i = 0; i < sk_SRTP_PROTECTION_PROFILE_num(clnt); i++) { if ((prof = sk_SRTP_PROTECTION_PROFILE_value(clnt, i)) == NULL) { SSLerror(s, SSL_R_NO_SRTP_PROFILES); - goto err; + return 0; } if (prof->id == id) { - s->internal->srtp_profile = prof; + s->srtp_profile = prof; return 1; } } SSLerror(s, SSL_R_BAD_SRTP_PROTECTION_PROFILE_LIST); - err: - *alert = SSL_AD_DECODE_ERROR; + return 0; } @@ -1448,13 +1414,13 @@ tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) /* * TLSv1.3 Key Share - RFC 8446 section 4.2.8. */ -int +static int tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) { return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); } -int +static int tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB client_shares, key_exchange; @@ -1476,7 +1442,7 @@ tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS client_shares, key_exchange; @@ -1509,7 +1475,7 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) continue; /* XXX - consider implementing server preference. */ - if (!tls1_check_curve(s, group)) + if (!tls1_check_group(s, group)) continue; /* Decode and store the selected key share. */ 
@@ -1528,14 +1494,14 @@ tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) return 1; } -int +static int tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) { return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION && tlsext_extension_seen(s, TLSEXT_TYPE_key_share)); } -int +static int tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB key_exchange; @@ -1563,7 +1529,7 @@ tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS key_exchange; @@ -1607,13 +1573,13 @@ tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) /* * Supported Versions - RFC 8446 section 4.2.1. */ -int +static int tlsext_versions_client_needs(SSL *s, uint16_t msg_type) { return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); } -int +static int tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { uint16_t max, min; @@ -1638,7 +1604,7 @@ tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS versions; @@ -1650,11 +1616,11 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) min = s->s3->hs.our_min_tls_version; if (!CBS_get_u8_length_prefixed(cbs, &versions)) - goto err; + return 0; while (CBS_len(&versions) > 0) { if (!CBS_get_u16(&versions, &version)) - goto err; + return 0; /* * XXX What is below implements client preference, and * ignores any server preference entirely. 
@@ -1671,33 +1637,27 @@ tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) *alert = SSL_AD_PROTOCOL_VERSION; return 0; - - err: - *alert = SSL_AD_DECODE_ERROR; - return 0; } -int +static int tlsext_versions_server_needs(SSL *s, uint16_t msg_type) { return (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION); } -int +static int tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { return CBB_add_u16(cbb, TLS1_3_VERSION); } -int +static int tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { uint16_t selected_version; - if (!CBS_get_u16(cbs, &selected_version)) { - *alert = SSL_AD_DECODE_ERROR; + if (!CBS_get_u16(cbs, &selected_version)) return 0; - } /* XXX - need to fix for DTLS 1.3 */ if (selected_version < TLS1_3_VERSION) { @@ -1716,14 +1676,14 @@ tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) * Cookie - RFC 8446 section 4.2.2. */ -int +static int tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) { return (s->s3->hs.our_max_tls_version >= TLS1_3_VERSION && s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); } -int +static int tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB cookie; @@ -1741,16 +1701,16 @@ tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS cookie; if (!CBS_get_u16_length_prefixed(cbs, &cookie)) - goto err; + return 0; if (CBS_len(&cookie) != s->s3->hs.tls13.cookie_len) - goto err; + return 0; /* * Check provided cookie value against what server previously @@ -1765,13 +1725,9 @@ tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) } return 1; - - err: - *alert = SSL_AD_DECODE_ERROR; - return 0; } -int +static int tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) { /* 
@@ -1782,7 +1738,7 @@ tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) s->s3->hs.tls13.cookie_len > 0 && s->s3->hs.tls13.cookie != NULL); } -int +static int tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB cookie; @@ -1802,7 +1758,7 @@ tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) return 1; } -int +static int tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS cookie; 
@@ -1819,19 +1775,199 @@ tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) } if (!CBS_get_u16_length_prefixed(cbs, &cookie)) - goto err; + return 0; if (!CBS_stow(&cookie, &s->s3->hs.tls13.cookie, &s->s3->hs.tls13.cookie_len)) - goto err; + return 0; return 1; +} - err: - *alert = SSL_AD_DECODE_ERROR; +/* + * Pre-Shared Key Exchange Modes - RFC 8446, 4.2.9. + */ + +static int +tlsext_psk_kex_modes_client_needs(SSL *s, uint16_t msg_type) +{ + return (s->s3->hs.tls13.use_psk_dhe_ke && + s->s3->hs.our_max_tls_version >= TLS1_3_VERSION); +} + +static int +tlsext_psk_kex_modes_client_build(SSL *s, uint16_t msg_type, CBB *cbb) +{ + CBB ke_modes; + + if (!CBB_add_u8_length_prefixed(cbb, &ke_modes)) + return 0; + + /* Only indicate support for PSK with DHE key establishment. */ + if (!CBB_add_u8(&ke_modes, TLS13_PSK_DHE_KE)) + return 0; + + if (!CBB_flush(cbb)) + return 0; + + return 1; +} + +static int +tlsext_psk_kex_modes_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert) +{ + CBS ke_modes; + uint8_t ke_mode; + + if (!CBS_get_u8_length_prefixed(cbs, &ke_modes)) + return 0; + + while (CBS_len(&ke_modes) > 0) { + if (!CBS_get_u8(&ke_modes, &ke_mode)) + return 0; + + if (ke_mode == TLS13_PSK_DHE_KE) + s->s3->hs.tls13.use_psk_dhe_ke = 1; + } + + return 1; +} + +static int +tlsext_psk_kex_modes_server_needs(SSL *s, uint16_t msg_type) +{ + /* Servers MUST NOT send this extension. 
*/ return 0; } +static int +tlsext_psk_kex_modes_server_build(SSL *s, uint16_t msg_type, CBB *cbb) +{ + return 0; +} + +static int +tlsext_psk_kex_modes_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert) +{ + return 0; +} + +/* + * Pre-Shared Key Extension - RFC 8446, 4.2.11 + */ + +static int +tlsext_psk_client_needs(SSL *s, uint16_t msg_type) +{ + return 0; +} + +static int +tlsext_psk_client_build(SSL *s, uint16_t msg_type, CBB *cbb) +{ + return 0; +} + +static int +tlsext_psk_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) +{ + return CBS_skip(cbs, CBS_len(cbs)); +} + +static int +tlsext_psk_server_needs(SSL *s, uint16_t msg_type) +{ + return 0; +} + +static int +tlsext_psk_server_build(SSL *s, uint16_t msg_type, CBB *cbb) +{ + return 0; +} + +static int +tlsext_psk_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) +{ + return CBS_skip(cbs, CBS_len(cbs)); +} + +/* + * QUIC transport parameters extension - RFC 9001 section 8.2. + */ + +static int +tlsext_quic_transport_parameters_client_needs(SSL *s, uint16_t msg_type) +{ + return SSL_is_quic(s) && s->quic_transport_params_len > 0; +} + +static int +tlsext_quic_transport_parameters_client_build(SSL *s, uint16_t msg_type, + CBB *cbb) +{ + if (!CBB_add_bytes(cbb, s->quic_transport_params, + s->quic_transport_params_len)) + return 0; + + return 1; +} + +static int +tlsext_quic_transport_parameters_client_parse(SSL *s, uint16_t msg_type, + CBS *cbs, int *alert) +{ + if (!SSL_is_quic(s)) { + *alert = SSL_AD_UNSUPPORTED_EXTENSION; + return 0; + } + + if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, + &s->s3->peer_quic_transport_params_len)) + return 0; + if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) + return 0; + + return 1; +} + +static int +tlsext_quic_transport_parameters_server_needs(SSL *s, uint16_t msg_type) +{ + return SSL_is_quic(s) && s->quic_transport_params_len > 0; +} + +static int +tlsext_quic_transport_parameters_server_build(SSL *s, uint16_t 
msg_type, + CBB *cbb) +{ + if (!CBB_add_bytes(cbb, s->quic_transport_params, + s->quic_transport_params_len)) + return 0; + + return 1; +} + +static int +tlsext_quic_transport_parameters_server_parse(SSL *s, uint16_t msg_type, + CBS *cbs, int *alert) +{ + if (!SSL_is_quic(s)) { + *alert = SSL_AD_UNSUPPORTED_EXTENSION; + return 0; + } + + if (!CBS_stow(cbs, &s->s3->peer_quic_transport_params, + &s->s3->peer_quic_transport_params_len)) + return 0; + if (!CBS_skip(cbs, s->s3->peer_quic_transport_params_len)) + return 0; + + return 1; +} + struct tls_extension_funcs { int (*needs)(SSL *s, uint16_t msg_type); int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); @@ -1976,7 +2112,7 @@ static const struct tls_extension tls_extensions[] = { }, }, { - .type = TLSEXT_TYPE_application_layer_protocol_negotiation, + .type = TLSEXT_TYPE_alpn, .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, .client = { .needs = tlsext_alpn_client_needs, 
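Review bot: tlsext_psk_kex_modes_server_parse accepts an empty ke_modes vector, but RFC 8446 section 4.2.9 defines it as `PskKeyExchangeMode ke_modes<1..255>`, so a zero-length list is malformed and should be rejected with `if (CBS_len(&ke_modes) == 0) return 0;` immediately after the length-prefixed read. Separately, the QUIC transport-parameter client and server build bodies are byte-for-byte duplicates, as are the two parse bodies; the ecpf code in this file already uses a shared `tlsext_ecpf_build`/`tlsext_ecpf_parse` helper, and a `tlsext_quic_transport_parameters_build`/`_parse` pair called from both sides would keep the two copies from drifting. The psk_kex_modes_client_parse stub returning 0 is consistent with `.messages = SSL_TLSEXT_MSG_CH` in the table, which is worth a one-line comment on the stub.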
@@ -2018,8 +2154,52 @@ static const struct tls_extension tls_extensions[] = { .build = tlsext_srtp_server_build, .parse = tlsext_srtp_server_parse, }, - } + }, #endif /* OPENSSL_NO_SRTP */ + { + .type = TLSEXT_TYPE_quic_transport_parameters, + .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, + .client = { + .needs = tlsext_quic_transport_parameters_client_needs, + .build = tlsext_quic_transport_parameters_client_build, + .parse = tlsext_quic_transport_parameters_client_parse, + }, + .server = { + .needs = tlsext_quic_transport_parameters_server_needs, + .build = tlsext_quic_transport_parameters_server_build, + .parse = tlsext_quic_transport_parameters_server_parse, + }, + }, + { + .type = TLSEXT_TYPE_psk_key_exchange_modes, + .messages = SSL_TLSEXT_MSG_CH, + .client = { + .needs = tlsext_psk_kex_modes_client_needs, + .build = tlsext_psk_kex_modes_client_build, + .parse = tlsext_psk_kex_modes_client_parse, + }, + .server = { + .needs = tlsext_psk_kex_modes_server_needs, + .build = tlsext_psk_kex_modes_server_build, + .parse = tlsext_psk_kex_modes_server_parse, + }, + }, + { + /* MUST be last extension in CH per RFC 8446 section 4.2. */ + + .type = TLSEXT_TYPE_pre_shared_key, + .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, + .client = { + .needs = tlsext_psk_client_needs, + .build = tlsext_psk_client_build, + .parse = tlsext_psk_client_parse, + }, + .server = { + .needs = tlsext_psk_server_needs, + .build = tlsext_psk_server_build, + .parse = tlsext_psk_server_parse, + }, + }, }; #define N_TLS_EXTENSIONS (sizeof(tls_extensions) / sizeof(*tls_extensions)) @@ -2027,6 +2207,12 @@ static const struct tls_extension tls_extensions[] = { /* Ensure that extensions fit in a uint32_t bitmask. */ CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); +uint16_t +tls_extension_type(const struct tls_extension *extension) +{ + return extension->type; +} + const struct tls_extension * tls_extension_find(uint16_t type, size_t *tls_extensions_idx) { 
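Review bot: The blank line between the `/* MUST be last extension in CH per RFC 8446 section 4.2. */` comment and the `.type = TLSEXT_TYPE_pre_shared_key` initializer detaches the comment from the field it explains; dropping it matches the other table entries. The placement that comment documents is also what tlsext_randomize_build_order relies on through `psk_idx = N_TLS_EXTENSIONS - 1`, so it is worth stating the code dependency where someone would insert a new entry: `/* MUST be last: tlsext_randomize_build_order() pins index N_TLS_EXTENSIONS - 1 as the PSK slot (RFC 8446 section 4.2). */`.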
@@ -2052,7 +2238,7 @@ tlsext_extension_seen(SSL *s, uint16_t type) return ((s->s3->hs.extensions_seen & (1 << idx)) != 0); } -static const struct tls_extension_funcs * +const struct tls_extension_funcs * tlsext_funcs(const struct tls_extension *tlsext, int is_server) { if (is_server) 
@@ -2061,6 +2247,75 @@ tlsext_funcs(const struct tls_extension *tlsext, int is_server) return &tlsext->client; } +int +tlsext_randomize_build_order(SSL *s) +{ + size_t idx, new_idx, psk_idx; + size_t alpn_idx = 0, sni_idx = 0; + + free(s->tlsext_build_order); + s->tlsext_build_order_len = 0; + + if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), + N_TLS_EXTENSIONS)) == NULL) + return 0; + s->tlsext_build_order_len = N_TLS_EXTENSIONS; + + /* RFC 8446, section 4.2: PSK must be the last extension in the CH. */ + psk_idx = N_TLS_EXTENSIONS - 1; + s->tlsext_build_order[psk_idx] = &tls_extensions[psk_idx]; + + /* Fisher-Yates shuffle with PSK fixed. */ + for (idx = 0; idx < psk_idx; idx++) { + new_idx = arc4random_uniform(idx + 1); + s->tlsext_build_order[idx] = s->tlsext_build_order[new_idx]; + s->tlsext_build_order[new_idx] = &tls_extensions[idx]; + } + + /* + * XXX - Apache2 special until year 2025: ensure that SNI precedes ALPN + * for clients so that virtual host setups work correctly. + */ + + if (s->server) + return 1; + + for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) { + if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_alpn) + alpn_idx = idx; + if (s->tlsext_build_order[idx]->type == TLSEXT_TYPE_server_name) + sni_idx = idx; + } + if (alpn_idx < sni_idx) { + const struct tls_extension *tmp; + + tmp = s->tlsext_build_order[alpn_idx]; + s->tlsext_build_order[alpn_idx] = s->tlsext_build_order[sni_idx]; + s->tlsext_build_order[sni_idx] = tmp; + } + + return 1; +} + +int +tlsext_linearize_build_order(SSL *s) +{ + size_t idx; + + free(s->tlsext_build_order); + s->tlsext_build_order_len = 0; + + if ((s->tlsext_build_order = calloc(sizeof(*s->tlsext_build_order), + N_TLS_EXTENSIONS)) == NULL) + return 0; + s->tlsext_build_order_len = N_TLS_EXTENSIONS; + + for (idx = 0; idx < N_TLS_EXTENSIONS; idx++) + s->tlsext_build_order[idx] = &tls_extensions[idx]; + + return 1; +} + static int tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) { 
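Review bot: tlsext_randomize_build_order hard-wires `psk_idx = N_TLS_EXTENSIONS - 1` and assumes that slot is the pre_shared_key entry, but nothing in the function verifies it; since a table element's `.type` is not a constant expression for CTASSERT, a cheap runtime guard after the calloc, `if (tls_extensions[psk_idx].type != TLSEXT_TYPE_pre_shared_key) return 0;`, would turn a future table edit into an immediate failure instead of a ClientHello with PSK in the wrong position. As a style point, both calloc calls here pass `(sizeof(*s->tlsext_build_order), N_TLS_EXTENSIONS)`, which is size-then-count; calloc's signature is (nmemb, size), and `calloc(N_TLS_EXTENSIONS, sizeof(*s->tlsext_build_order))` reads as intended. The inside-out Fisher-Yates loop and the SNI-before-ALPN swap otherwise look correct for the fixed last slot.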
@@ -2077,7 +2332,7 @@ tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) return 0; for (i = 0; i < N_TLS_EXTENSIONS; i++) { - tlsext = &tls_extensions[i]; + tlsext = s->tlsext_build_order[i]; ext = tlsext_funcs(tlsext, is_server); /* RFC 8446 Section 4.2 */ @@ -2116,7 +2371,7 @@ tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) * RFC 8446 4.1.2. For subsequent CH, early data will be removed, * cookie may be added, padding may be removed. */ - struct tls13_ctx *ctx = s->internal->tls13; + struct tls13_ctx *ctx = s->tls13; if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || type == TLSEXT_TYPE_padding) @@ -2166,11 +2421,11 @@ tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) goto err; - if (s->internal->tlsext_debug_cb != NULL) - s->internal->tlsext_debug_cb(s, !is_server, type, + if (s->tlsext_debug_cb != NULL) + s->tlsext_debug_cb(s, !is_server, type, (unsigned char *)CBS_data(&extension_data), CBS_len(&extension_data), - s->internal->tlsext_debug_arg); + s->tlsext_debug_arg); /* Unknown extensions are ignored. */ if ((tlsext = tls_extension_find(type, &idx)) == NULL) @@ -2219,7 +2474,7 @@ tlsext_server_reset_state(SSL *s) free(s->s3->alpn_selected); s->s3->alpn_selected = NULL; s->s3->alpn_selected_len = 0; - s->internal->srtp_profile = NULL; + s->srtp_profile = NULL; } int diff --git a/ssl/ssl_tlsext.h b/ssl/ssl_tlsext.h index b4c135f..da14f7f 100644 --- a/ssl/ssl_tlsext.h +++ b/ssl/ssl_tlsext.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_tlsext.h,v 1.27 2021/11/01 16:37:17 jsing Exp $ */ +/* $OpenBSD: ssl_tlsext.h,v 1.33 2023/04/23 18:51:53 tb Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * Copyright (c) 2017 Doug Hogan 
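Review bot: tlsext_build now dereferences `s->tlsext_build_order[i]` for every `i < N_TLS_EXTENSIONS` without checking that the array exists; tlsext_randomize_build_order and tlsext_linearize_build_order both leave it NULL with `tlsext_build_order_len == 0` when calloc fails, and whether every caller aborts the handshake on that failure is not visible in this diff. A guard before the loop, `if (s->tlsext_build_order == NULL) return 0;`, or bounding the loop by `s->tlsext_build_order_len` rather than N_TLS_EXTENSIONS, makes the function safe independent of its callers. tlsext_build starts outside the hunk.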
@@ -31,111 +31,18 @@ __BEGIN_HIDDEN_DECLS -int tlsext_alpn_client_needs(SSL *s, uint16_t msg_type); -int tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -int tlsext_alpn_server_needs(SSL *s, uint16_t msg_type); -int tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_alpn_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); - -int tlsext_ri_client_needs(SSL *s, uint16_t msg_type); -int tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -int tlsext_ri_server_needs(SSL *s, uint16_t msg_type); -int tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); - -int tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type); -int tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, - int *alert); -int tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type); -int tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, - int *alert); - -int tlsext_sni_client_needs(SSL *s, uint16_t msg_type); -int tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -int tlsext_sni_server_needs(SSL *s, uint16_t msg_type); -int tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_alpn_check_format(CBS *cbs); int tlsext_sni_is_valid_hostname(CBS *cbs, int *is_ip); -int tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type); -int tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_supportedgroups_client_parse(SSL *s, 
uint16_t msg_type, CBS *cbs, - int *alert); -int tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type); -int tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, - int *alert); - -int tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type); -int tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -int tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type); -int tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); - -int tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type); -int tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -int tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type); -int tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); - -int tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type); -int tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, - int *alert); -int tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type); -int tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, - int *alert); - -int tlsext_versions_client_needs(SSL *s, uint16_t msg_type); -int tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, - int *alert); -int tlsext_versions_server_needs(SSL *s, uint16_t msg_type); -int tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_versions_server_parse(SSL *s, uint16_t 
msg_type, CBS *cbs, - int *alert); - -int tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type); -int tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, - int *alert); -int tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type); -int tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, - int *alert); - -int tlsext_cookie_client_needs(SSL *s, uint16_t msg_type); -int tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -int tlsext_cookie_server_needs(SSL *s, uint16_t msg_type); -int tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); - -#ifndef OPENSSL_NO_SRTP -int tlsext_srtp_client_needs(SSL *s, uint16_t msg_type); -int tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -int tlsext_srtp_server_needs(SSL *s, uint16_t msg_type); -int tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb); -int tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -#endif - int tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb); int tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); int tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb); int tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -const struct tls_extension *tls_extension_find(uint16_t, size_t *); int tlsext_extension_seen(SSL *s, uint16_t); +int tlsext_randomize_build_order(SSL *s); + __END_HIDDEN_DECLS #endif diff --git a/ssl/ssl_transcript.c b/ssl/ssl_transcript.c index d0af8e6..22cd6c3 100644 --- a/ssl/ssl_transcript.c +++ b/ssl/ssl_transcript.c 
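Review bot: The header hunk adds a prototype for tlsext_randomize_build_order but none for tlsext_linearize_build_order, which the ssl_tlsext.c hunk above defines with external linkage; unless it is declared somewhere not in this diff, that will trip -Wmissing-prototypes and any out-of-file caller (a regress test, presumably) has to declare it by hand. Adding `int tlsext_linearize_build_order(SSL *s);` beside the randomize declaration, or making the definition static if it has no external callers, keeps the header and the definition in step. Dropping the per-extension prototypes and tls_extension_find is consistent with those becoming file-local, which I assume is what the .c side does.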
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_transcript.c,v 1.7 2022/03/17 17:22:16 jsing Exp $ */ +/* $OpenBSD: ssl_transcript.c,v 1.9 2022/11/26 16:08:56 tb Exp $ */ /* * Copyright (c) 2017 Joel Sing * @@ -17,7 +17,8 @@ #include -#include "ssl_locl.h" +#include "ssl_local.h" +#include "tls_internal.h" int tls1_transcript_hash_init(SSL *s) @@ -118,7 +119,7 @@ tls1_transcript_init(SSL *s) if (s->s3->handshake_transcript != NULL) return 0; - if ((s->s3->handshake_transcript = BUF_MEM_new()) == NULL) + if ((s->s3->handshake_transcript = tls_buffer_new(0)) == NULL) return 0; tls1_transcript_reset(s); @@ -129,21 +130,14 @@ tls1_transcript_init(SSL *s) void tls1_transcript_free(SSL *s) { - BUF_MEM_free(s->s3->handshake_transcript); + tls_buffer_free(s->s3->handshake_transcript); s->s3->handshake_transcript = NULL; } void tls1_transcript_reset(SSL *s) { - /* - * We should check the return value of BUF_MEM_grow_clean(), however - * due to yet another bad API design, when called with a length of zero - * it is impossible to tell if it succeeded (returning a length of zero) - * or if it failed (and returned zero)... our implementation never - * fails with a length of zero, so we trust all is okay... - */ - (void)BUF_MEM_grow_clean(s->s3->handshake_transcript, 0); + tls_buffer_clear(s->s3->handshake_transcript); tls1_transcript_unfreeze(s); } 
@@ -151,36 +145,29 @@ tls1_transcript_reset(SSL *s) int tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len) { - size_t olen, nlen; - if (s->s3->handshake_transcript == NULL) return 1; if (s->s3->flags & TLS1_FLAGS_FREEZE_TRANSCRIPT) return 1; - olen = s->s3->handshake_transcript->length; - nlen = olen + len; - - if (nlen < olen) - return 0; - - if (BUF_MEM_grow(s->s3->handshake_transcript, nlen) == 0) - return 0; - - memcpy(s->s3->handshake_transcript->data + olen, buf, len); - - return 1; + return tls_buffer_append(s->s3->handshake_transcript, buf, len); } int tls1_transcript_data(SSL *s, const unsigned char **data, size_t *len) { + CBS cbs; + if (s->s3->handshake_transcript == NULL) return 0; - *data = s->s3->handshake_transcript->data; - *len = s->s3->handshake_transcript->length; + if (!tls_buffer_data(s->s3->handshake_transcript, &cbs)) + return 0; + + /* XXX - change to caller providing a CBS argument. */ + *data = CBS_data(&cbs); + *len = CBS_len(&cbs); return 1; } diff --git a/ssl/ssl_txt.c b/ssl/ssl_txt.c index 8718f8c..79da59a 100644 --- a/ssl/ssl_txt.c +++ b/ssl/ssl_txt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_txt.c,v 1.31 2021/11/29 18:36:27 tb Exp $ */ +/* $OpenBSD: ssl_txt.c,v 1.36 2022/11/26 16:08:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -87,7 +87,7 @@ #include -#include "ssl_locl.h" +#include "ssl_local.h" int SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x) 
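Review bot: tls1_transcript_append drops the explicit `nlen < olen` overflow check and the BUF_MEM_grow error handling, so correctness of the handshake transcript now rests entirely on tls_buffer_append refusing a length that would overflow or exceed its capacity; that implementation is not in this diff, so it is worth confirming it returns 0 rather than truncating. A one-line comment at the call, `/* tls_buffer_append() must fail, never truncate, on overflow. */`, records the assumption the transcript hash relies on. In tls1_transcript_data the returned pointer aliases the buffer, as the XXX comment already notes, so it presumably stays valid only until the next append or reset.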
@@ -97,92 +97,104 @@ SSL_SESSION_print_fp(FILE *fp, const SSL_SESSION *x) if ((b = BIO_new(BIO_s_file())) == NULL) { SSLerrorx(ERR_R_BUF_LIB); - return (0); + return 0; } BIO_set_fp(b, fp, BIO_NOCLOSE); ret = SSL_SESSION_print(b, x); BIO_free(b); - return (ret); + return ret; } int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x) { - unsigned int i; - const char *s; + size_t i; + int ret = 0; if (x == NULL) goto err; + if (BIO_puts(bp, "SSL-Session:\n") <= 0) goto err; - s = ssl_version_string(x->ssl_version); - if (BIO_printf(bp, " Protocol : %s\n", s) <= 0) + if (BIO_printf(bp, " Protocol : %s\n", + ssl_version_string(x->ssl_version)) <= 0) goto err; if (x->cipher == NULL) { - if (((x->cipher_id) & 0xff000000) == 0x02000000) { - if (BIO_printf(bp, " Cipher : %06lX\n", x->cipher_id&0xffffff) <= 0) - goto err; - } else { - if (BIO_printf(bp, " Cipher : %04lX\n", x->cipher_id&0xffff) <= 0) - goto err; - } + if (BIO_printf(bp, " Cipher : %04lX\n", + x->cipher_id & SSL3_CK_VALUE_MASK) <= 0) + goto err; } else { - if (BIO_printf(bp, " Cipher : %s\n",((x->cipher == NULL)?"unknown":x->cipher->name)) <= 0) + const char *cipher_name = "unknown"; + + if (x->cipher->name != NULL) + cipher_name = x->cipher->name; + + if (BIO_printf(bp, " Cipher : %s\n", cipher_name) <= 0) goto err; } + if (BIO_puts(bp, " Session-ID: ") <= 0) goto err; + for (i = 0; i < x->session_id_length; i++) { if (BIO_printf(bp, "%02X", x->session_id[i]) <= 0) goto err; } + if (BIO_puts(bp, "\n Session-ID-ctx: ") <= 0) goto err; + for (i = 0; i < x->sid_ctx_length; i++) { if (BIO_printf(bp, "%02X", x->sid_ctx[i]) <= 0) goto err; } + if (BIO_puts(bp, "\n Master-Key: ") <= 0) goto err; - for (i = 0; i < (unsigned int)x->master_key_length; i++) { + + for (i = 0; i < x->master_key_length; i++) { if (BIO_printf(bp, "%02X", x->master_key[i]) <= 0) goto err; } - if (x->tlsext_tick_lifetime_hint) { + + if (x->tlsext_tick_lifetime_hint > 0) { if (BIO_printf(bp, "\n TLS session ticket lifetime hint: %u (seconds)", 
x->tlsext_tick_lifetime_hint) <= 0) goto err; } - if (x->tlsext_tick) { + + if (x->tlsext_tick != NULL) { if (BIO_puts(bp, "\n TLS session ticket:\n") <= 0) goto err; - if (BIO_dump_indent(bp, (char *)x->tlsext_tick, x->tlsext_ticklen, 4) <= 0) + if (BIO_dump_indent(bp, x->tlsext_tick, x->tlsext_ticklen, + 4) <= 0) goto err; } if (x->time != 0) { - if (BIO_printf(bp, "\n Start Time: %"PRId64, (int64_t)x->time) <= 0) + if (BIO_printf(bp, "\n Start Time: %"PRId64, + (int64_t)x->time) <= 0) goto err; } - if (x->timeout != 0L) { - if (BIO_printf(bp, "\n Timeout : %ld (sec)", x->timeout) <= 0) + + if (x->timeout != 0) { + if (BIO_printf(bp, "\n Timeout : %ld (sec)", + x->timeout) <= 0) goto err; } + if (BIO_puts(bp, "\n") <= 0) goto err; - if (BIO_puts(bp, " Verify return code: ") <= 0) - goto err; - - if (BIO_printf(bp, "%ld (%s)\n", x->verify_result, + if (BIO_printf(bp, " Verify return code: %ld (%s)\n", + x->verify_result, X509_verify_cert_error_string(x->verify_result)) <= 0) goto err; - return (1); + ret = 1; err: - return (0); + return ret; } - diff --git a/ssl/ssl_versions.c b/ssl/ssl_versions.c index 4069670..fbc0004 100644 --- a/ssl/ssl_versions.c +++ b/ssl/ssl_versions.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_versions.c,v 1.22 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: ssl_versions.c,v 1.26 2022/11/26 16:08:56 tb Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * @@ -15,7 +15,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#include "ssl_locl.h" +#include "ssl_local.h" static uint16_t ssl_dtls_to_tls_version(uint16_t dtls_ver) 
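Review bot: SSL_SESSION_print writes the session's master key, session ID and session ticket as hex (the `Master-Key:` and `TLS session ticket:` blocks), and neither the function nor its header says so, so callers wiring it into logs or debug endpoints get key material in clear without a hint. A comment above the function, `/* Prints session secrets (master key, ticket) in clear; the output is as sensitive as the session itself. */`, is the cheapest fix. The `ret = 1; err: return ret;` shape and the `cipher_name` fallback are fine; `x->tlsext_ticklen` is now passed to BIO_dump_indent without a cast, which is only clean if that parameter is a size_t or the length is known to fit the parameter type, so check it against the prototype.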
@@ -140,13 +140,13 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) min_version = 0; max_version = TLS1_3_VERSION; - options = s->internal->options; + options = s->options; if (SSL_is_dtls(s)) { options = 0; - if (s->internal->options & SSL_OP_NO_DTLSv1) + if (s->options & SSL_OP_NO_DTLSv1) options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1; - if (s->internal->options & SSL_OP_NO_DTLSv1_2) + if (s->options & SSL_OP_NO_DTLSv1_2) options |= SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_2; } @@ -174,9 +174,17 @@ ssl_enabled_tls_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) /* Limit to configured version range. */ if (!ssl_clamp_tls_version_range(&min_version, &max_version, - s->internal->min_tls_version, s->internal->max_tls_version)) + s->min_tls_version, s->max_tls_version)) return 0; + /* QUIC requires a minimum of TLSv1.3. */ + if (SSL_is_quic(s)) { + if (max_version < TLS1_3_VERSION) + return 0; + if (min_version < TLS1_3_VERSION) + min_version = TLS1_3_VERSION; + } + if (min_ver != NULL) *min_ver = min_version; if (max_ver != NULL) @@ -329,6 +337,9 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) return 0; } + if (!ssl_security_version(s, shared_version)) + return 0; + *max_ver = shared_version; return 1; @@ -352,8 +363,11 @@ ssl_check_version_from_server(SSL *s, uint16_t server_version) &max_tls_version)) return 0; - return (server_tls_version >= min_tls_version && - server_tls_version <= max_tls_version); + if (server_tls_version < min_tls_version || + server_tls_version > max_tls_version) + return 0; + + return ssl_security_version(s, server_tls_version); } int diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index c996159..c6140e9 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_enc.c,v 1.154 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: t1_enc.c,v 1.157 2022/11/26 16:08:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
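Review bot: ssl_enabled_tls_version_range still returns the configured min/max without consulting ssl_security_version, while the new checks in ssl_max_shared_version and ssl_check_version_from_server reject a version below the security level only after the peer has chosen it; a client therefore presumably offers versions its own security level forbids and then fails the handshake instead of never offering them. If keeping the range and the security level as separate policies is intended, a comment in the range function saying so would help; otherwise raising min_version to the lowest version that passes ssl_security_version, in the same place as the new QUIC clamp, avoids the late failure. The QUIC clamp returns 0 without recording an error, which matches the surrounding `return 0` paths, so callers cannot tell "QUIC needs TLSv1.3" from a misconfigured range; a `/* QUIC with max_version < TLSv1.3 is a configuration error. */` comment would at least document that.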
@@ -143,8 +143,8 @@ #include #include -#include "dtls_locl.h" -#include "ssl_locl.h" +#include "dtls_local.h" +#include "ssl_local.h" void tls1_cleanup_key_block(SSL *s) @@ -311,13 +311,13 @@ tls1_change_cipher_state(SSL *s, int is_write) } if (!is_write) { - if (!tls12_record_layer_change_read_cipher_state(s->internal->rl, + if (!tls12_record_layer_change_read_cipher_state(s->rl, &mac_key, &key, &iv)) goto err; if (SSL_is_dtls(s)) dtls1_reset_read_seq_numbers(s); } else { - if (!tls12_record_layer_change_write_cipher_state(s->internal->rl, + if (!tls12_record_layer_change_write_cipher_state(s->rl, &mac_key, &key, &iv)) goto err; } @@ -375,8 +375,8 @@ tls1_setup_key_block(SSL *s) if (!ssl_get_handshake_evp_md(s, &handshake_hash)) return (0); - tls12_record_layer_set_aead(s->internal->rl, aead); - tls12_record_layer_set_cipher_hash(s->internal->rl, cipher, + tls12_record_layer_set_aead(s->rl, aead); + tls12_record_layer_set_cipher_hash(s->rl, cipher, handshake_hash, mac_hash); if ((key_block = tls12_key_block_new()) == NULL) @@ -387,7 +387,7 @@ tls1_setup_key_block(SSL *s) s->s3->hs.tls12.key_block = key_block; key_block = NULL; - if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && + if (!(s->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS) && s->method->version <= TLS1_VERSION) { /* * Enable vulnerability countermeasure for CBC ciphers with 
@@ -413,83 +413,3 @@ tls1_setup_key_block(SSL *s) return (ret); } - -int -tls1_export_keying_material(SSL *s, unsigned char *out, size_t olen, - const char *label, size_t llen, const unsigned char *context, - size_t contextlen, int use_context) -{ - unsigned char *val = NULL; - size_t vallen, currentvalpos; - int rv; - - if (!SSL_is_init_finished(s)) { - SSLerror(s, SSL_R_BAD_STATE); - return 0; - } - - /* construct PRF arguments - * we construct the PRF argument ourself rather than passing separate - * values into the TLS PRF to ensure that the concatenation of values - * does not create a prohibited label. - */ - vallen = llen + SSL3_RANDOM_SIZE * 2; - if (use_context) { - vallen += 2 + contextlen; - } - - val = malloc(vallen); - if (val == NULL) - goto err2; - currentvalpos = 0; - memcpy(val + currentvalpos, (unsigned char *) label, llen); - currentvalpos += llen; - memcpy(val + currentvalpos, s->s3->client_random, SSL3_RANDOM_SIZE); - currentvalpos += SSL3_RANDOM_SIZE; - memcpy(val + currentvalpos, s->s3->server_random, SSL3_RANDOM_SIZE); - currentvalpos += SSL3_RANDOM_SIZE; - - if (use_context) { - val[currentvalpos] = (contextlen >> 8) & 0xff; - currentvalpos++; - val[currentvalpos] = contextlen & 0xff; - currentvalpos++; - if ((contextlen > 0) || (context != NULL)) { - memcpy(val + currentvalpos, context, contextlen); - } - } - - /* disallow prohibited labels - * note that SSL3_RANDOM_SIZE > max(prohibited label len) = - * 15, so size of val > max(prohibited label len) = 15 and the - * comparisons won't have buffer overflow - */ - if (memcmp(val, TLS_MD_CLIENT_FINISH_CONST, - TLS_MD_CLIENT_FINISH_CONST_SIZE) == 0) - goto err1; - if (memcmp(val, TLS_MD_SERVER_FINISH_CONST, - TLS_MD_SERVER_FINISH_CONST_SIZE) == 0) - goto err1; - if (memcmp(val, TLS_MD_MASTER_SECRET_CONST, - TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) - goto err1; - if (memcmp(val, TLS_MD_KEY_EXPANSION_CONST, - TLS_MD_KEY_EXPANSION_CONST_SIZE) == 0) - goto err1; - - rv = tls1_PRF(s, 
s->session->master_key, s->session->master_key_length, - val, vallen, NULL, 0, NULL, 0, NULL, 0, NULL, 0, out, olen); - - goto ret; - err1: - SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL); - rv = 0; - goto ret; - err2: - SSLerror(s, ERR_R_MALLOC_FAILURE); - rv = 0; - ret: - free(val); - - return (rv); -} diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index fc1ccca..85d5eaa 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.186 2022/01/24 13:47:53 tb Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.197 2022/11/26 16:08:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -117,7 +117,7 @@ #include #include "bytestring.h" -#include "ssl_locl.h" +#include "ssl_local.h" #include "ssl_sigalgs.h" #include "ssl_tlsext.h" @@ -139,7 +139,7 @@ tls1_free(SSL *s) if (s == NULL) return; - free(s->internal->tlsext_session_ticket); + free(s->tlsext_session_ticket); ssl3_free(s); } 
@@ -150,38 +150,136 @@ tls1_clear(SSL *s) s->version = s->method->version; } -static const int nid_list[] = { - NID_sect163k1, /* sect163k1 (1) */ - NID_sect163r1, /* sect163r1 (2) */ - NID_sect163r2, /* sect163r2 (3) */ - NID_sect193r1, /* sect193r1 (4) */ - NID_sect193r2, /* sect193r2 (5) */ - NID_sect233k1, /* sect233k1 (6) */ - NID_sect233r1, /* sect233r1 (7) */ - NID_sect239k1, /* sect239k1 (8) */ - NID_sect283k1, /* sect283k1 (9) */ - NID_sect283r1, /* sect283r1 (10) */ - NID_sect409k1, /* sect409k1 (11) */ - NID_sect409r1, /* sect409r1 (12) */ - NID_sect571k1, /* sect571k1 (13) */ - NID_sect571r1, /* sect571r1 (14) */ - NID_secp160k1, /* secp160k1 (15) */ - NID_secp160r1, /* secp160r1 (16) */ - NID_secp160r2, /* secp160r2 (17) */ - NID_secp192k1, /* secp192k1 (18) */ - NID_X9_62_prime192v1, /* secp192r1 (19) */ - NID_secp224k1, /* secp224k1 (20) */ - NID_secp224r1, /* secp224r1 (21) */ - NID_secp256k1, /* secp256k1 (22) */ - NID_X9_62_prime256v1, /* secp256r1 (23) */ - NID_secp384r1, /* secp384r1 (24) */ - NID_secp521r1, /* secp521r1 (25) */ - NID_brainpoolP256r1, /* brainpoolP256r1 (26) */ - NID_brainpoolP384r1, /* brainpoolP384r1 (27) */ - NID_brainpoolP512r1, /* brainpoolP512r1 (28) */ - NID_X25519, /* X25519 (29) */ +struct supported_group { + int nid; + int bits; }; +/* + * Supported groups (formerly known as named curves) + * https://www.iana.org/assignments/tls-parameters/#tls-parameters-8 + */ +static const struct supported_group nid_list[] = { + [1] = { + .nid = NID_sect163k1, + .bits = 80, + }, + [2] = { + .nid = NID_sect163r1, + .bits = 80, + }, + [3] = { + .nid = NID_sect163r2, + .bits = 80, + }, + [4] = { + .nid = NID_sect193r1, + .bits = 80, + }, + [5] = { + .nid = NID_sect193r2, + .bits = 80, + }, + [6] = { + .nid = NID_sect233k1, + .bits = 112, + }, + [7] = { + .nid = NID_sect233r1, + .bits = 112, + }, + [8] = { + .nid = NID_sect239k1, + .bits = 112, + }, + [9] = { + .nid = NID_sect283k1, + .bits = 128, + }, + [10] = { + .nid = NID_sect283r1, 
+ .bits = 128, + }, + [11] = { + .nid = NID_sect409k1, + .bits = 192, + }, + [12] = { + .nid = NID_sect409r1, + .bits = 192, + }, + [13] = { + .nid = NID_sect571k1, + .bits = 256, + }, + [14] = { + .nid = NID_sect571r1, + .bits = 256, + }, + [15] = { + .nid = NID_secp160k1, + .bits = 80, + }, + [16] = { + .nid = NID_secp160r1, + .bits = 80, + }, + [17] = { + .nid = NID_secp160r2, + .bits = 80, + }, + [18] = { + .nid = NID_secp192k1, + .bits = 80, + }, + [19] = { + .nid = NID_X9_62_prime192v1, /* aka secp192r1 */ + .bits = 80, + }, + [20] = { + .nid = NID_secp224k1, + .bits = 112, + }, + [21] = { + .nid = NID_secp224r1, + .bits = 112, + }, + [22] = { + .nid = NID_secp256k1, + .bits = 128, + }, + [23] = { + .nid = NID_X9_62_prime256v1, /* aka secp256r1 */ + .bits = 128, + }, + [24] = { + .nid = NID_secp384r1, + .bits = 192, + }, + [25] = { + .nid = NID_secp521r1, + .bits = 256, + }, + [26] = { + .nid = NID_brainpoolP256r1, + .bits = 128, + }, + [27] = { + .nid = NID_brainpoolP384r1, + .bits = 192, + }, + [28] = { + .nid = NID_brainpoolP512r1, + .bits = 256, + }, + [29] = { + .nid = NID_X25519, + .bits = 128, + }, +}; + +#define NID_LIST_LEN (sizeof(nid_list) / sizeof(nid_list[0])) + #if 0 static const uint8_t ecformats_list[] = { TLSEXT_ECPOINTFORMAT_uncompressed, @@ -195,7 +293,7 @@ static const uint8_t ecformats_default[] = { }; #if 0 -static const uint16_t eccurves_list[] = { +static const uint16_t ecgroups_list[] = { 29, /* X25519 (29) */ 14, /* sect571r1 (14) */ 13, /* sect571k1 (13) */ 
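Review bot: The new `struct supported_group` does not say what `bits` means, and the table relies on designated initializers starting at `[1]` so that slot `[0]` is an implicit all-zero entry; both are load-bearing for the lookups in the next hunk (a zero `nid` or `bits` is what rejects group id 0) but neither is documented. Suggested comments: on the struct, `int bits; /* security strength in bits, compared against the security level */` (the consumer is presumably ssl_security_*, not visible here), and above the table, `/* [0] is deliberately zero: group id 0 is not a valid supported group. */`. Note that NID_LIST_LEN therefore counts the zero slot (30 entries for ids 1..29), which the `>= NID_LIST_LEN` bounds checks in the following hunk rely on.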
@@ -228,95 +326,67 @@ static const uint16_t eccurves_list[] = { }; #endif -static const uint16_t eccurves_client_default[] = { +static const uint16_t ecgroups_client_default[] = { 29, /* X25519 (29) */ 23, /* secp256r1 (23) */ 24, /* secp384r1 (24) */ 25, /* secp521r1 (25) */ }; -static const uint16_t eccurves_server_default[] = { +static const uint16_t ecgroups_server_default[] = { 29, /* X25519 (29) */ 23, /* secp256r1 (23) */ 24, /* secp384r1 (24) */ }; int -tls1_ec_curve_id2nid(const uint16_t curve_id) +tls1_ec_group_id2nid(uint16_t group_id, int *out_nid) { - /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 17, 2005) */ - if ((curve_id < 1) || - ((unsigned int)curve_id > sizeof(nid_list) / sizeof(nid_list[0]))) + int nid; + + if (group_id >= NID_LIST_LEN) return 0; - return nid_list[curve_id - 1]; + + if ((nid = nid_list[group_id].nid) == 0) + return 0; + + *out_nid = nid; + + return 1; } -uint16_t -tls1_ec_nid2curve_id(const int nid) +int +tls1_ec_group_id2bits(uint16_t group_id, int *out_bits) { - /* ECC curves from draft-ietf-tls-ecc-12.txt (Oct. 
17, 2005) */ - switch (nid) { - case NID_sect163k1: /* sect163k1 (1) */ - return 1; - case NID_sect163r1: /* sect163r1 (2) */ - return 2; - case NID_sect163r2: /* sect163r2 (3) */ - return 3; - case NID_sect193r1: /* sect193r1 (4) */ - return 4; - case NID_sect193r2: /* sect193r2 (5) */ - return 5; - case NID_sect233k1: /* sect233k1 (6) */ - return 6; - case NID_sect233r1: /* sect233r1 (7) */ - return 7; - case NID_sect239k1: /* sect239k1 (8) */ - return 8; - case NID_sect283k1: /* sect283k1 (9) */ - return 9; - case NID_sect283r1: /* sect283r1 (10) */ - return 10; - case NID_sect409k1: /* sect409k1 (11) */ - return 11; - case NID_sect409r1: /* sect409r1 (12) */ - return 12; - case NID_sect571k1: /* sect571k1 (13) */ - return 13; - case NID_sect571r1: /* sect571r1 (14) */ - return 14; - case NID_secp160k1: /* secp160k1 (15) */ - return 15; - case NID_secp160r1: /* secp160r1 (16) */ - return 16; - case NID_secp160r2: /* secp160r2 (17) */ - return 17; - case NID_secp192k1: /* secp192k1 (18) */ - return 18; - case NID_X9_62_prime192v1: /* secp192r1 (19) */ - return 19; - case NID_secp224k1: /* secp224k1 (20) */ - return 20; - case NID_secp224r1: /* secp224r1 (21) */ - return 21; - case NID_secp256k1: /* secp256k1 (22) */ - return 22; - case NID_X9_62_prime256v1: /* secp256r1 (23) */ - return 23; - case NID_secp384r1: /* secp384r1 (24) */ - return 24; - case NID_secp521r1: /* secp521r1 (25) */ - return 25; - case NID_brainpoolP256r1: /* brainpoolP256r1 (26) */ - return 26; - case NID_brainpoolP384r1: /* brainpoolP384r1 (27) */ - return 27; - case NID_brainpoolP512r1: /* brainpoolP512r1 (28) */ - return 28; - case NID_X25519: /* X25519 (29) */ - return 29; - default: + int bits; + + if (group_id >= NID_LIST_LEN) return 0; + + if ((bits = nid_list[group_id].bits) == 0) + return 0; + + *out_bits = bits; + + return 1; +} + +int +tls1_ec_nid2group_id(int nid, uint16_t *out_group_id) +{ + uint16_t group_id; + + if (nid == 0) + return 0; + + for (group_id = 0; group_id < 
NID_LIST_LEN; group_id++) { + if (nid_list[group_id].nid == nid) { + *out_group_id = group_id; + return 1; + } } + + return 0; } /* @@ -325,7 +395,7 @@ tls1_ec_nid2curve_id(const int nid) * exists, or the default formats if a custom list has not been specified. */ void -tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, +tls1_get_formatlist(const SSL *s, int client_formats, const uint8_t **pformats, size_t *pformatslen) { if (client_formats != 0) { @@ -334,8 +404,8 @@ tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, return; } - *pformats = s->internal->tlsext_ecpointformatlist; - *pformatslen = s->internal->tlsext_ecpointformatlist_length; + *pformats = s->tlsext_ecpointformatlist; + *pformatslen = s->tlsext_ecpointformatlist_length; if (*pformats == NULL) { *pformats = ecformats_default; *pformatslen = sizeof(ecformats_default); @@ -348,7 +418,7 @@ tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, * exists, or the default groups if a custom list has not been specified. */ void -tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups, +tls1_get_group_list(const SSL *s, int client_groups, const uint16_t **pgroups, size_t *pgroupslen) { if (client_groups != 0) { 
@@ -357,20 +427,114 @@ tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups, return; } - *pgroups = s->internal->tlsext_supportedgroups; - *pgroupslen = s->internal->tlsext_supportedgroups_length; + *pgroups = s->tlsext_supportedgroups; + *pgroupslen = s->tlsext_supportedgroups_length; if (*pgroups != NULL) return; if (!s->server) { - *pgroups = eccurves_client_default; - *pgroupslen = sizeof(eccurves_client_default) / 2; + *pgroups = ecgroups_client_default; + *pgroupslen = sizeof(ecgroups_client_default) / 2; } else { - *pgroups = eccurves_server_default; - *pgroupslen = sizeof(eccurves_server_default) / 2; + *pgroups = ecgroups_server_default; + *pgroupslen = sizeof(ecgroups_server_default) / 2; } } +static int +tls1_get_group_lists(const SSL *ssl, const uint16_t **pref, size_t *preflen, + const uint16_t **supp, size_t *supplen) +{ + unsigned long server_pref; + + /* Cannot do anything on the client side. */ + if (!ssl->server) + return 0; + + server_pref = (ssl->options & SSL_OP_CIPHER_SERVER_PREFERENCE); + tls1_get_group_list(ssl, (server_pref == 0), pref, preflen); + tls1_get_group_list(ssl, (server_pref != 0), supp, supplen); + + return 1; +} + +static int +tls1_group_id_present(uint16_t group_id, const uint16_t *list, size_t list_len) +{ + size_t i; + + for (i = 0; i < list_len; i++) { + if (group_id == list[i]) + return 1; + } + + return 0; +} + +int +tls1_count_shared_groups(const SSL *ssl, size_t *out_count) +{ + size_t count, preflen, supplen, i; + const uint16_t *pref, *supp; + + if (!tls1_get_group_lists(ssl, &pref, &preflen, &supp, &supplen)) + return 0; + + count = 0; + for (i = 0; i < preflen; i++) { + if (!tls1_group_id_present(pref[i], supp, supplen)) + continue; + + if (!ssl_security_shared_group(ssl, pref[i])) + continue; + + count++; + } + + *out_count = count; + + return 1; +} + +static int +tls1_group_by_index(const SSL *ssl, size_t n, int *out_nid, + int (*ssl_security_fn)(const SSL *, uint16_t)) +{ + size_t count, 
preflen, supplen, i; + const uint16_t *pref, *supp; + + if (!tls1_get_group_lists(ssl, &pref, &preflen, &supp, &supplen)) + return 0; + + count = 0; + for (i = 0; i < preflen; i++) { + if (!tls1_group_id_present(pref[i], supp, supplen)) + continue; + + if (!ssl_security_fn(ssl, pref[i])) + continue; + + if (count++ == n) + return tls1_ec_group_id2nid(pref[i], out_nid); + } + + return 0; +} + +int +tls1_get_shared_group_by_index(const SSL *ssl, size_t index, int *out_nid) +{ + return tls1_group_by_index(ssl, index, out_nid, + ssl_security_shared_group); +} + +int +tls1_get_supported_group(const SSL *ssl, int *out_nid) +{ + return tls1_group_by_index(ssl, 0, out_nid, + ssl_security_supported_group); +} + int tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len, const int *groups, size_t ngroups) @@ -378,13 +542,11 @@ tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len, uint16_t *group_ids; size_t i; - group_ids = calloc(ngroups, sizeof(uint16_t)); - if (group_ids == NULL) + if ((group_ids = calloc(ngroups, sizeof(uint16_t))) == NULL) return 0; for (i = 0; i < ngroups; i++) { - group_ids[i] = tls1_ec_nid2curve_id(groups[i]); - if (group_ids[i] == 0) { + if (!tls1_ec_nid2group_id(groups[i], &group_ids[i])) { free(group_ids); return 0; } @@ -424,8 +586,7 @@ tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len, goto err; group_ids = new_group_ids; - group_ids[ngroups] = tls1_ec_nid2curve_id(nid); - if (group_ids[ngroups] == 0) + if (!tls1_ec_nid2group_id(nid, &group_ids[ngroups])) goto err; ngroups++; @@ -445,9 +606,9 @@ tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len, return 0; } -/* Check that a curve is one of our preferences. */ +/* Check that a group is one of our preferences. */ int -tls1_check_curve(SSL *s, const uint16_t curve_id) +tls1_check_group(SSL *s, uint16_t group_id) { const uint16_t *groups; size_t groupslen, i; 
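Review bot: tls1_count_shared_groups duplicates the pref/supp iteration of tls1_group_by_index with ssl_security_shared_group hard-wired, so the two can drift if the filtering changes; building the count on the same loop (for example an optional count output on tls1_group_by_index, with tls1_count_shared_groups passing a sentinel index) keeps one definition of "shared group". Both functions return 0 and leave `*out_count`/`*out_nid` untouched on the client side because tls1_get_group_lists refuses when `!ssl->server`, which callers must read as "not applicable" rather than "zero groups"; a comment on tls1_get_group_lists, `/* Returns 0 on the client side; outputs are untouched. */`, would make that contract explicit. The membership test is O(preflen * supplen), which is fine for the short default lists here.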
@@ -455,40 +616,17 @@ tls1_check_curve(SSL *s, const uint16_t curve_id) tls1_get_group_list(s, 0, &groups, &groupslen); for (i = 0; i < groupslen; i++) { - if (groups[i] == curve_id) - return (1); + if (!ssl_security_supported_group(s, groups[i])) + continue; + if (groups[i] == group_id) + return 1; } - return (0); -} - -int -tls1_get_shared_curve(SSL *s) -{ - size_t preflen, supplen, i, j; - const uint16_t *pref, *supp; - unsigned long server_pref; - - /* Cannot do anything on the client side. */ - if (s->server == 0) - return (NID_undef); - - /* Return first preference shared curve. */ - server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE); - tls1_get_group_list(s, (server_pref == 0), &pref, &preflen); - tls1_get_group_list(s, (server_pref != 0), &supp, &supplen); - - for (i = 0; i < preflen; i++) { - for (j = 0; j < supplen; j++) { - if (pref[i] == supp[j]) - return (tls1_ec_curve_id2nid(pref[i])); - } - } - return (NID_undef); + return 0; } /* For an EC key set TLS ID and required compression based on parameters. */ static int -tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) +tls1_set_ec_id(uint16_t *group_id, uint8_t *comp_id, EC_KEY *ec) { const EC_GROUP *grp; const EC_METHOD *meth; 
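Review bot: tls1_check_group now evaluates ssl_security_supported_group for every entry of the configured list before comparing, so a security-level check runs once per group on each call although only the matching entry matters; comparing first and checking the match once gives the same result for less work: `if (groups[i] == group_id) return ssl_security_supported_group(s, group_id) != 0;`. The function also still takes a non-const `SSL *s` while the helpers added in the previous hunk take `const SSL *`, and nothing here writes through s, so the signatures are worth aligning (the header declaration would change with it).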
@@ -498,18 +636,18 @@ tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) if (ec == NULL) return (0); - /* Determine whether the curve is defined over a prime field. */ + /* Determine whether the group is defined over a prime field. */ if ((grp = EC_KEY_get0_group(ec)) == NULL) return (0); if ((meth = EC_GROUP_method_of(grp)) == NULL) return (0); prime_field = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field); - /* Determine curve ID - NID_undef results in a curve ID of zero. */ + /* Determine group ID. */ nid = EC_GROUP_get_curve_name(grp); - /* If we have an ID set it, otherwise set arbitrary explicit curve. */ - if ((*curve_id = tls1_ec_nid2curve_id(nid)) == 0) - *curve_id = prime_field ? 0xff01 : 0xff02; + /* If we have an ID set it, otherwise set arbitrary explicit group. */ + if (!tls1_ec_nid2group_id(nid, group_id)) + *group_id = prime_field ? 0xff01 : 0xff02; if (comp_id == NULL) return (1); @@ -529,7 +667,7 @@ tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) /* Check that an EC key is compatible with extensions. */ static int -tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) +tls1_check_ec_key(SSL *s, const uint16_t *group_id, const uint8_t *comp_id) { size_t groupslen, formatslen, i; const uint16_t *groups; @@ -550,12 +688,12 @@ tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) } /* - * Check curve list if present, otherwise everything is supported. + * Check group list if present, otherwise everything is supported. */ tls1_get_group_list(s, 1, &groups, &groupslen); - if (curve_id != NULL && groups != NULL) { + if (group_id != NULL && groups != NULL) { for (i = 0; i < groupslen; i++) { - if (groups[i] == *curve_id) + if (groups[i] == *group_id) break; } if (i == groupslen) 
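Review bot: The fallback in tls1_set_ec_id, `*group_id = prime_field ? 0xff01 : 0xff02;`, still uses bare constants for the arbitrary-explicit-curve identifiers while the commit is renaming curve to group all around it; a comment on that line, `/* 0xff01/0xff02: arbitrary explicit prime/char2 curves, RFC 4492 section 5.1.1 */`, or named constants if the project has them, makes the intent readable. In the third hunk on this line, tls1_check_ec_key matches the peer's list with a plain `groups[i] == *group_id` and no security-level filter, unlike tls1_check_group; if the server's own key is vetted against the security level elsewhere (presumably by the certificate checks) that is fine, otherwise the same filter belongs here too.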
@@ -570,7 +708,7 @@ int tls1_check_ec_server_key(SSL *s) { SSL_CERT_PKEY *cpk = s->cert->pkeys + SSL_PKEY_ECC; - uint16_t curve_id; + uint16_t group_id; uint8_t comp_id; EC_KEY *eckey; EVP_PKEY *pkey; @@ -581,10 +719,10 @@ tls1_check_ec_server_key(SSL *s) return (0); if ((eckey = EVP_PKEY_get0_EC_KEY(pkey)) == NULL) return (0); - if (!tls1_set_ec_id(&curve_id, &comp_id, eckey)) + if (!tls1_set_ec_id(&group_id, &comp_id, eckey)) return (0); - return tls1_check_ec_key(s, &curve_id, &comp_id); + return tls1_check_ec_key(s, &group_id, &comp_id); } int @@ -600,12 +738,12 @@ ssl_check_clienthello_tlsext_early(SSL *s) * ssl3_choose_cipher in s3_lib.c. */ - if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0) - ret = s->ctx->internal->tlsext_servername_callback(s, &al, - s->ctx->internal->tlsext_servername_arg); - else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0) - ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al, - s->initial_ctx->internal->tlsext_servername_arg); + if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) + ret = s->ctx->tlsext_servername_callback(s, &al, + s->ctx->tlsext_servername_arg); + else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) + ret = s->initial_ctx->tlsext_servername_callback(s, &al, + s->initial_ctx->tlsext_servername_arg); switch (ret) { case SSL_TLSEXT_ERR_ALERT_FATAL: 
@@ -632,32 +770,32 @@ ssl_check_clienthello_tlsext_late(SSL *s) * has been chosen because this may influence which certificate is sent */ if ((s->tlsext_status_type != -1) && - s->ctx && s->ctx->internal->tlsext_status_cb) { + s->ctx && s->ctx->tlsext_status_cb) { int r; SSL_CERT_PKEY *certpkey; certpkey = ssl_get_server_send_pkey(s); /* If no certificate can't return certificate status */ if (certpkey == NULL) { - s->internal->tlsext_status_expected = 0; + s->tlsext_status_expected = 0; return 1; } /* Set current certificate to one we will use so * SSL_get_certificate et al can pick it up. */ s->cert->key = certpkey; - r = s->ctx->internal->tlsext_status_cb(s, - s->ctx->internal->tlsext_status_arg); + r = s->ctx->tlsext_status_cb(s, + s->ctx->tlsext_status_arg); switch (r) { /* We don't want to send a status request response */ case SSL_TLSEXT_ERR_NOACK: - s->internal->tlsext_status_expected = 0; + s->tlsext_status_expected = 0; break; /* status request response should be sent */ case SSL_TLSEXT_ERR_OK: - if (s->internal->tlsext_ocsp_resp) - s->internal->tlsext_status_expected = 1; + if (s->tlsext_ocsp_resp) + s->tlsext_status_expected = 1; else - s->internal->tlsext_status_expected = 0; + s->tlsext_status_expected = 0; break; /* something bad happened */ case SSL_TLSEXT_ERR_ALERT_FATAL: @@ -666,7 +804,7 @@ ssl_check_clienthello_tlsext_late(SSL *s) goto err; } } else - s->internal->tlsext_status_expected = 0; + s->tlsext_status_expected = 0; err: switch (ret) { 
@@ -689,26 +827,26 @@ ssl_check_serverhello_tlsext(SSL *s) ret = SSL_TLSEXT_ERR_OK; - if (s->ctx != NULL && s->ctx->internal->tlsext_servername_callback != 0) - ret = s->ctx->internal->tlsext_servername_callback(s, &al, - s->ctx->internal->tlsext_servername_arg); - else if (s->initial_ctx != NULL && s->initial_ctx->internal->tlsext_servername_callback != 0) - ret = s->initial_ctx->internal->tlsext_servername_callback(s, &al, - s->initial_ctx->internal->tlsext_servername_arg); + if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0) + ret = s->ctx->tlsext_servername_callback(s, &al, + s->ctx->tlsext_servername_arg); + else if (s->initial_ctx != NULL && s->initial_ctx->tlsext_servername_callback != 0) + ret = s->initial_ctx->tlsext_servername_callback(s, &al, + s->initial_ctx->tlsext_servername_arg); /* If we've requested certificate status and we wont get one * tell the callback */ - if ((s->tlsext_status_type != -1) && !(s->internal->tlsext_status_expected) && - s->ctx && s->ctx->internal->tlsext_status_cb) { + if ((s->tlsext_status_type != -1) && !(s->tlsext_status_expected) && + s->ctx && s->ctx->tlsext_status_cb) { int r; - free(s->internal->tlsext_ocsp_resp); - s->internal->tlsext_ocsp_resp = NULL; - s->internal->tlsext_ocsp_resp_len = 0; + free(s->tlsext_ocsp_resp); + s->tlsext_ocsp_resp = NULL; + s->tlsext_ocsp_resp_len = 0; - r = s->ctx->internal->tlsext_status_cb(s, - s->ctx->internal->tlsext_status_arg); + r = s->ctx->tlsext_status_cb(s, + s->ctx->tlsext_status_arg); if (r == 0) { al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE; ret = SSL_TLSEXT_ERR_ALERT_FATAL; 
@@ -740,27 +878,27 @@ ssl_check_serverhello_tlsext(SSL *s) * ret: (output) on return, if a ticket was decrypted, then this is set to * point to the resulting session. * - * If s->internal->tls_session_secret_cb is set then we are expecting a pre-shared key + * If s->tls_session_secret_cb is set then we are expecting a pre-shared key * ciphersuite, in which case we have no use for session tickets and one will - * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1. + * never be decrypted, nor will s->tlsext_ticket_expected be set to 1. * * Returns: * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket. * TLS1_TICKET_NONE: no ticket was found (or was ignored, based on settings). * TLS1_TICKET_EMPTY: a zero length extension was found, indicating that the * client supports session tickets but doesn't currently have one to offer. - * TLS1_TICKET_NOT_DECRYPTED: either s->internal->tls_session_secret_cb was + * TLS1_TICKET_NOT_DECRYPTED: either s->tls_session_secret_cb was * set, or a ticket was offered but couldn't be decrypted because of a * non-fatal error. * TLS1_TICKET_DECRYPTED: a ticket was successfully decrypted and *ret was set. * * Side effects: - * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue + * Sets s->tlsext_ticket_expected to 1 if the server will have to issue * a new session ticket to the client because the client indicated support - * (and s->internal->tls_session_secret_cb is NULL) but the client either doesn't have + * (and s->tls_session_secret_cb is NULL) but the client either doesn't have * a session ticket or we couldn't use the one it gave us, or if * s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket. - * Otherwise, s->internal->tlsext_ticket_expected is set to 0. + * Otherwise, s->tlsext_ticket_expected is set to 0. */ int tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret) 
@@ -768,7 +906,7 @@ tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret) CBS extensions, ext_data; uint16_t ext_type = 0; - s->internal->tlsext_ticket_expected = 0; + s->tlsext_ticket_expected = 0; *ret = NULL; /* @@ -809,11 +947,11 @@ tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret) * The client will accept a ticket but does not currently * have one. */ - s->internal->tlsext_ticket_expected = 1; + s->tlsext_ticket_expected = 1; return TLS1_TICKET_EMPTY; } - if (s->internal->tls_session_secret_cb != NULL) { + if (s->tls_session_secret_cb != NULL) { /* * Indicate that the ticket could not be decrypted rather than * generating the session from ticket now, trigger abbreviated @@ -866,7 +1004,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) if ((hctx = HMAC_CTX_new()) == NULL) goto err; - if (tctx->internal->tlsext_ticket_key_cb != NULL) { + if (tctx->tlsext_ticket_key_cb != NULL) { int rv; /* @@ -878,7 +1016,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) if (CBS_len(ticket) < EVP_MAX_IV_LENGTH) goto derr; - if ((rv = tctx->internal->tlsext_ticket_key_cb(s, + if ((rv = tctx->tlsext_ticket_key_cb(s, (unsigned char *)CBS_data(&ticket_name), (unsigned char *)CBS_data(ticket), cctx, hctx, 0)) < 0) goto err; @@ -886,7 +1024,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) goto derr; if (rv == 2) { /* Renew ticket. */ - s->internal->tlsext_ticket_expected = 1; + s->tlsext_ticket_expected = 1; } /* 
@@ -899,17 +1037,17 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) } else { /* Check that the key name matches. */ if (!CBS_mem_equal(&ticket_name, - tctx->internal->tlsext_tick_key_name, - sizeof(tctx->internal->tlsext_tick_key_name))) + tctx->tlsext_tick_key_name, + sizeof(tctx->tlsext_tick_key_name))) goto derr; if (!CBS_get_bytes(ticket, &ticket_iv, EVP_CIPHER_iv_length(EVP_aes_128_cbc()))) goto derr; if (!EVP_DecryptInit_ex(cctx, EVP_aes_128_cbc(), NULL, - tctx->internal->tlsext_tick_aes_key, CBS_data(&ticket_iv))) + tctx->tlsext_tick_aes_key, CBS_data(&ticket_iv))) goto err; - if (!HMAC_Init_ex(hctx, tctx->internal->tlsext_tick_hmac_key, - sizeof(tctx->internal->tlsext_tick_hmac_key), EVP_sha256(), + if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key, + sizeof(tctx->tlsext_tick_hmac_key), EVP_sha256(), NULL)) goto err; } @@ -975,7 +1113,7 @@ tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) derr: ERR_clear_error(); - s->internal->tlsext_ticket_expected = 1; + s->tlsext_ticket_expected = 1; ret = TLS1_TICKET_NOT_DECRYPTED; goto done; diff --git a/ssl/tls12_internal.h b/ssl/tls12_internal.h new file mode 100644 index 0000000..d416b2e --- /dev/null +++ b/ssl/tls12_internal.h 
@@ -0,0 +1,29 @@
+/* $OpenBSD: tls12_internal.h,v 1.1 2022/11/07 11:58:45 jsing Exp $ */
+/*
+ * Copyright (c) 2022 Joel Sing
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HEADER_TLS12_INTERNAL_H
+#define HEADER_TLS12_INTERNAL_H
+
+__BEGIN_HIDDEN_DECLS
+
+int tls12_exporter(SSL *s, const uint8_t *label, size_t label_len,
+ const uint8_t *context_value, size_t context_value_len, int use_context,
+ uint8_t *out, size_t out_len);
+
+__END_HIDDEN_DECLS
+
+#endif
diff --git a/ssl/tls12_key_schedule.c b/ssl/tls12_key_schedule.c
index c206460..6d714c1 100644
--- a/ssl/tls12_key_schedule.c
+++ b/ssl/tls12_key_schedule.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls12_key_schedule.c,v 1.1 2021/05/05 10:05:27 jsing Exp $ */
+/* $OpenBSD: tls12_key_schedule.c,v 1.3 2022/11/26 16:08:56 tb Exp $ */
 /*
 * Copyright (c) 2021 Joel Sing
 *
@@ -20,7 +20,8 @@
 #include
 #include "bytestring.h"
-#include "ssl_locl.h"
+#include "ssl_local.h"
+#include "tls12_internal.h"
 struct tls12_key_block {
 CBS client_write_mac_key;
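Review bot: tls12_internal.h declares tls12_exporter() in terms of SSL, uint8_t and size_t but includes nothing itself, so it only compiles when the includer has already pulled in those definitions (tls12_key_schedule.c does, via ssl_local.h just before it). If the other internal headers under ssl/ follow the same convention this is fine, but a short comment above the prototype stating the contract would help: it is the RFC 5705 exporter for TLS 1.2, `use_context` selects whether the length-prefixed context is mixed into the seed, and it fails before the handshake has finished.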
@@ -173,3 +174,122 @@ tls12_key_block_generate(struct tls12_key_block *kb, SSL *s,
 return 0;
 }
+
+struct tls12_reserved_label {
+ const char *label;
+ size_t label_len;
+};
+
+/*
+ * RFC 5705 section 6.
+ */
+static const struct tls12_reserved_label tls12_reserved_labels[] = {
+ {
+ .label = TLS_MD_CLIENT_FINISH_CONST,
+ .label_len = TLS_MD_CLIENT_FINISH_CONST_SIZE,
+ },
+ {
+ .label = TLS_MD_SERVER_FINISH_CONST,
+ .label_len = TLS_MD_SERVER_FINISH_CONST_SIZE,
+ },
+ {
+ .label = TLS_MD_MASTER_SECRET_CONST,
+ .label_len = TLS_MD_MASTER_SECRET_CONST_SIZE,
+ },
+ {
+ .label = TLS_MD_KEY_EXPANSION_CONST,
+ .label_len = TLS_MD_KEY_EXPANSION_CONST_SIZE,
+ },
+ {
+ .label = NULL,
+ .label_len = 0,
+ },
+};
+
+int
+tls12_exporter(SSL *s, const uint8_t *label, size_t label_len,
+ const uint8_t *context_value, size_t context_value_len, int use_context,
+ uint8_t *out, size_t out_len)
+{
+ uint8_t *data = NULL;
+ size_t data_len = 0;
+ CBB cbb, context;
+ CBS seed;
+ size_t i;
+ int ret = 0;
+
+ /*
+ * RFC 5705 - Key Material Exporters for TLS.
+ */
+
+ memset(&cbb, 0, sizeof(cbb));
+
+ if (!SSL_is_init_finished(s)) {
+ SSLerror(s, SSL_R_BAD_STATE);
+ goto err;
+ }
+
+ if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION)
+ goto err;
+
+ /*
+ * Due to exceptional design choices, we need to build a concatenation
+ * of the label and the seed value, before checking for reserved
+ * labels. This prevents a reserved label from being split across the
+ * label and the seed (that includes the client random), which are
+ * concatenated by the PRF.
+ */
+ if (!CBB_init(&cbb, 0))
+ goto err;
+ if (!CBB_add_bytes(&cbb, label, label_len))
+ goto err;
+ if (!CBB_add_bytes(&cbb, s->s3->client_random, SSL3_RANDOM_SIZE))
+ goto err;
+ if (!CBB_add_bytes(&cbb, s->s3->server_random, SSL3_RANDOM_SIZE))
+ goto err;
+ if (use_context) {
+ if (!CBB_add_u16_length_prefixed(&cbb, &context))
+ goto err;
+ if (context_value_len > 0) {
+ if (!CBB_add_bytes(&context, context_value,
+ context_value_len))
+ goto err;
+ }
+ }
+ if (!CBB_finish(&cbb, &data, &data_len))
+ goto err;
+
+ /*
+ * Ensure that the block (label + seed) does not start with a reserved
+ * label - in an ideal world we would ensure that the label has an
+ * explicitly permitted prefix instead, but of course this also got
+ * messed up by the standards.
+ */
+ for (i = 0; tls12_reserved_labels[i].label != NULL; i++) {
+ /* XXX - consider adding/using CBS_has_prefix(). */
+ if (tls12_reserved_labels[i].label_len > data_len)
+ goto err;
+ if (memcmp(data, tls12_reserved_labels[i].label,
+ tls12_reserved_labels[i].label_len) == 0) {
+ SSLerror(s, SSL_R_TLS_ILLEGAL_EXPORTER_LABEL);
+ goto err;
+ }
+ }
+
+ CBS_init(&seed, data, data_len);
+ if (!CBS_skip(&seed, label_len))
+ goto err;
+
+ if (!tls1_PRF(s, s->session->master_key, s->session->master_key_length,
+ label, label_len, CBS_data(&seed), CBS_len(&seed), NULL, 0, NULL, 0,
+ NULL, 0, out, out_len))
+ goto err;
+
+ ret = 1;
+
+ err:
+ freezero(data, data_len);
+ CBB_cleanup(&cbb);
+
+ return ret;
+}
diff --git a/ssl/tls12_lib.c b/ssl/tls12_lib.c
index 773ba30..96b3abc 100644
--- a/ssl/tls12_lib.c
+++ b/ssl/tls12_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls12_lib.c,v 1.4 2022/02/05 14:54:10 jsing Exp $ */
+/* $OpenBSD: tls12_lib.c,v 1.6 2022/11/26 16:08:56 tb Exp $ */
 /*
 * Copyright (c) 2021 Joel Sing
 *
@@ -15,7 +15,7 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#include "ssl_locl.h"
+#include "ssl_local.h"
 static int
 tls12_finished_verify_data(SSL *s, const char *finished_label,
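Review bot: The guard `if (s->s3->hs.negotiated_tls_version >= TLS1_3_VERSION) goto err;` fails without recording a reason, unlike the SSL_is_init_finished() check just above it that reports SSL_R_BAD_STATE, so a caller reaching it gets 0 and an empty error stack; if the public entry point already routes TLS 1.3 connections to tls13_exporter(), a comment marking the branch as defensive is enough, otherwise an SSLerror() belongs there. The `label_len > data_len` exit in the reserved-label loop is equally silent but cannot trigger, since data always carries 2 * SSL3_RANDOM_SIZE bytes after the label. An oversized context is presumably only rejected when CBB_finish() refuses the u16 length prefix, again with no reason, so an explicit `if (use_context && context_value_len > UINT16_MAX) goto err;` with an error would be clearer. The prefix test on label||randoms||context is deliberately stricter than RFC 5705's exact-match rule, as the comment says; it also rejects a short label whose concatenation with the client random happens to begin a reserved string, a harmless but surprising failure mode worth a sentence there.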
@@ -27,7 +27,7 @@ tls12_finished_verify_data(SSL *s, const char *finished_label, *out_len = 0; - if (s->session->master_key_length <= 0) + if (s->session->master_key_length == 0) return 0; if (verify_data_len < TLS1_FINISH_MAC_LENGTH) diff --git a/ssl/tls12_record_layer.c b/ssl/tls12_record_layer.c index 3568e18..59f5d32 100644 --- a/ssl/tls12_record_layer.c +++ b/ssl/tls12_record_layer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls12_record_layer.c,v 1.36 2022/01/14 09:12:15 tb Exp $ */ +/* $OpenBSD: tls12_record_layer.c,v 1.38 2022/11/26 16:08:56 tb Exp $ */ /* * Copyright (c) 2020 Joel Sing * @@ -20,7 +20,7 @@ #include -#include "ssl_locl.h" +#include "ssl_local.h" #define TLS12_RECORD_SEQ_NUM_LEN 8 #define TLS12_AEAD_FIXED_NONCE_MAX_LEN 12 @@ -864,28 +864,25 @@ tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, static int tls12_record_layer_open_record_plaintext(struct tls12_record_layer *rl, - uint8_t content_type, CBS *fragment, uint8_t **out, size_t *out_len) + uint8_t content_type, CBS *fragment, struct tls_content *out) { if (tls12_record_protection_engaged(rl->read)) return 0; - /* XXX - decrypt/process in place for now. */ - *out = (uint8_t *)CBS_data(fragment); - *out_len = CBS_len(fragment); - - return 1; + return tls_content_dup_data(out, content_type, CBS_data(fragment), + CBS_len(fragment)); } static int tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, - uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, - size_t *out_len) + uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out) { struct tls12_record_protection *rp = rl->read; uint8_t *header = NULL; size_t header_len = 0; - uint8_t *plain; - size_t plain_len; + uint8_t *content = NULL; + size_t content_len = 0; + size_t out_len = 0; CBS var_nonce; int ret = 0; 
@@ -913,43 +910,47 @@ tls12_record_layer_open_record_protected_aead(struct tls12_record_layer *rl, goto err; } - /* XXX - decrypt/process in place for now. */ - plain = (uint8_t *)CBS_data(fragment); - plain_len = CBS_len(fragment) - rp->aead_tag_len; + content_len = CBS_len(fragment) - rp->aead_tag_len; + if ((content = calloc(1, CBS_len(fragment))) == NULL) { + content_len = 0; + goto err; + } - if (!tls12_record_layer_pseudo_header(rl, content_type, plain_len, + if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, seq_num, &header, &header_len)) goto err; - if (!EVP_AEAD_CTX_open(rp->aead_ctx, plain, out_len, plain_len, + if (!EVP_AEAD_CTX_open(rp->aead_ctx, content, &out_len, content_len, rp->aead_nonce, rp->aead_nonce_len, CBS_data(fragment), CBS_len(fragment), header, header_len)) { rl->alert_desc = SSL_AD_BAD_RECORD_MAC; goto err; } - if (*out_len > SSL3_RT_MAX_PLAIN_LENGTH) { + if (out_len > SSL3_RT_MAX_PLAIN_LENGTH) { rl->alert_desc = SSL_AD_RECORD_OVERFLOW; goto err; } - if (*out_len != plain_len) + if (out_len != content_len) goto err; - *out = plain; + tls_content_set_data(out, content_type, content, content_len); + content = NULL; + content_len = 0; ret = 1; err: freezero(header, header_len); + freezero(content, content_len); return ret; } static int tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, - uint8_t content_type, CBS *seq_num, CBS *fragment, uint8_t **out, - size_t *out_len) + uint8_t content_type, CBS *seq_num, CBS *fragment, struct tls_content *out) { EVP_CIPHER_CTX *enc = rl->read->cipher_ctx; SSL3_RECORD_INTERNAL rrec; @@ -958,8 +959,8 @@ tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, size_t mac_len = 0; uint8_t *out_mac = NULL; size_t out_mac_len = 0; - uint8_t *plain; - size_t plain_len; + uint8_t *content = NULL; + size_t content_len = 0; size_t min_len; CBB cbb_mac; int ret = 0; 
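Review bot: `content_len = CBS_len(fragment) - rp->aead_tag_len;` is now the EVP_AEAD_CTX_open() output bound for a freshly allocated buffer, and its correctness still rests on the fragment-length check that precedes the hunk (the `goto err; }` at its top suggests one); a comment such as `/* CBS_len(fragment) >= aead_tag_len was checked above. */` would keep that dependency visible now that the buffer no longer aliases the input. Allocating `CBS_len(fragment)` rather than `content_len` bytes also sidesteps a zero-size calloc for a tag-only record, which is worth stating so nobody later shrinks it. On the allocation failure path the `content_len = 0;` before `goto err` is what keeps `freezero(content, content_len)` well-defined. The function's entry is outside the hunk.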
@@ -1001,16 +1002,16 @@ tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, goto err; } - /* XXX - decrypt/process in place for now. */ - plain = (uint8_t *)CBS_data(fragment); - plain_len = CBS_len(fragment); + if ((content = calloc(1, CBS_len(fragment))) == NULL) + goto err; + content_len = CBS_len(fragment); - if (!EVP_Cipher(enc, plain, CBS_data(fragment), plain_len)) + if (!EVP_Cipher(enc, content, CBS_data(fragment), CBS_len(fragment))) goto err; - rrec.data = plain; - rrec.input = plain; - rrec.length = plain_len; + rrec.data = content; + rrec.input = content; + rrec.length = content_len; /* * We now have to remove padding, extract MAC, calculate MAC @@ -1058,8 +1059,13 @@ tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, goto err; } - *out = rrec.data; - *out_len = rrec.length; + tls_content_set_data(out, content_type, content, content_len); + content = NULL; + content_len = 0; + + /* Actual content is after EIV, minus padding and MAC. */ + if (!tls_content_set_bounds(out, eiv_len, rrec.length)) + goto err; ret = 1; @@ -1067,13 +1073,14 @@ tls12_record_layer_open_record_protected_cipher(struct tls12_record_layer *rl, CBB_cleanup(&cbb_mac); freezero(mac, mac_len); freezero(out_mac, out_mac_len); + freezero(content, content_len); return ret; } int tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, - size_t buf_len, uint8_t **out, size_t *out_len) + size_t buf_len, struct tls_content *out) { CBS cbs, fragment, seq_num; uint16_t version; 
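Review bot: `tls_content_set_data(out, content_type, content, content_len);` hands the decrypted buffer to `out` before `tls_content_set_bounds(out, eiv_len, rrec.length)` is checked, so when the bounds call fails the function returns 0 while `out` still owns plaintext with its bounds unset; unless every caller clears `out` on failure (tls12_record_layer_open_record's error handling is not in this diff), validate `eiv_len` and `rrec.length` against `content_len` before the transfer, or clear `out` on that path. The earlier part of the function, including the padding and MAC checks that produce rrec.length, is outside the hunk.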
@@ -1105,15 +1112,15 @@ tls12_record_layer_open_record(struct tls12_record_layer *rl, uint8_t *buf, if (rl->read->aead_ctx != NULL) { if (!tls12_record_layer_open_record_protected_aead(rl, - content_type, &seq_num, &fragment, out, out_len)) + content_type, &seq_num, &fragment, out)) return 0; } else if (rl->read->cipher_ctx != NULL) { if (!tls12_record_layer_open_record_protected_cipher(rl, - content_type, &seq_num, &fragment, out, out_len)) + content_type, &seq_num, &fragment, out)) return 0; } else { if (!tls12_record_layer_open_record_plaintext(rl, - content_type, &fragment, out, out_len)) + content_type, &fragment, out)) return 0; } diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c index 11eb880..3555eba 100644 --- a/ssl/tls13_client.c +++ b/ssl/tls13_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_client.c,v 1.94 2022/02/03 16:33:12 jsing Exp $ */ +/* $OpenBSD: tls13_client.c,v 1.101 2022/11/26 16:08:56 tb Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -18,7 +18,7 @@ #include #include "bytestring.h" -#include "ssl_locl.h" +#include "ssl_local.h" #include "ssl_sigalgs.h" #include "ssl_tlsext.h" #include "tls13_handshake.h" @@ -39,7 +39,7 @@ tls13_client_init(struct tls13_ctx *ctx) s->version = ctx->hs->our_max_tls_version; tls13_record_layer_set_retry_after_phh(ctx->rl, - (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); + (s->mode & SSL_MODE_AUTO_RETRY) != 0); if (!ssl_get_new_session(s, 0)) /* XXX */ return 0; @@ -148,12 +148,12 @@ tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb) int tls13_client_hello_sent(struct tls13_ctx *ctx) { - tls13_record_layer_allow_ccs(ctx->rl, 1); - tls1_transcript_freeze(ctx->ssl); - if (ctx->middlebox_compat) + if (ctx->middlebox_compat) { + tls13_record_layer_allow_ccs(ctx->rl, 1); ctx->send_dummy_ccs = 1; + } return 1; } 
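Review bot: tls13_client_hello_sent no longer calls tls1_transcript_freeze(ctx->ssl), and nothing else in this diff shows where the transcript is now frozen; if the freeze moved into the record layer or the handshake driver, a comment here saying so would stop a reader from treating it as a dropped step. Gating `tls13_record_layer_allow_ccs(ctx->rl, 1)` on `ctx->middlebox_compat` is consistent with RFC 8446 appendix D.4, where a change_cipher_spec is only expected in compatibility mode, and is worth recording in the same comment.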
@@ -382,10 +382,10 @@ tls13_client_engage_record_protection(struct tls13_ctx *ctx) tls13_record_layer_set_hash(ctx->rl, ctx->hash); if (!tls13_record_layer_set_read_traffic_key(ctx->rl, - &secrets->server_handshake_traffic)) + &secrets->server_handshake_traffic, ssl_encryption_handshake)) goto err; if (!tls13_record_layer_set_write_traffic_key(ctx->rl, - &secrets->client_handshake_traffic)) + &secrets->client_handshake_traffic, ssl_encryption_handshake)) goto err; ret = 1; @@ -440,7 +440,7 @@ tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) * supported groups and is not the same as the key share we previously * offered. */ - if (!tls1_check_curve(ctx->ssl, ctx->hs->tls13.server_group)) + if (!tls1_check_group(ctx->ssl, ctx->hs->tls13.server_group)) return 0; /* XXX alert */ if (ctx->hs->tls13.server_group == tls_key_share_group(ctx->hs->key_share)) return 0; /* XXX alert */ @@ -504,16 +504,10 @@ tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs) if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_EE, cbs, &alert_desc)) { ctx->alert = alert_desc; - goto err; + return 0; } return 1; - - err: - if (ctx->alert == 0) - ctx->alert = TLS13_ALERT_DECODE_ERROR; - - return 0; } int @@ -559,9 +553,8 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) struct stack_st_X509 *certs = NULL; SSL *s = ctx->ssl; X509 *cert = NULL; - EVP_PKEY *pkey; const uint8_t *p; - int alert_desc, cert_type; + int alert_desc; int ret = 0; if ((certs = sk_X509_new_null()) == NULL) 
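Review bot: Removing the `err:` block from tls13_server_encrypted_extensions_recv drops the fallback that set `ctx->alert = TLS13_ALERT_DECODE_ERROR` when no alert had been chosen, so the outcome now rests on tlsext_client_parse() always storing a non-zero alert_desc on failure; if it can return 0 with alert_desc untouched, the connection fails without an alert where it previously sent decode_error. If the parser does guarantee this, a comment on the failure branch, `/* tlsext_client_parse() sets alert_desc on every failure. */`, records the invariant. Whether alert_desc is initialised before the call is outside the hunk.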
@@ -616,28 +609,11 @@ tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) "failed to verify peer certificate", NULL); goto err; } + s->session->verify_result = s->verify_result; ERR_clear_error(); - cert = sk_X509_value(certs, 0); - X509_up_ref(cert); - - if ((pkey = X509_get0_pubkey(cert)) == NULL) + if (!tls_process_peer_certs(s, certs)) goto err; - if (EVP_PKEY_missing_parameters(pkey)) - goto err; - if ((cert_type = ssl_cert_type(pkey)) < 0) - goto err; - - X509_up_ref(cert); - X509_free(s->session->peer_cert); - s->session->peer_cert = cert; - s->session->peer_cert_type = cert_type; - - s->session->verify_result = s->verify_result; - - sk_X509_pop_free(s->session->cert_chain, X509_free); - s->session->cert_chain = certs; - certs = NULL; if (ctx->ocsp_status_recv_cb != NULL && !ctx->ocsp_status_recv_cb(ctx)) @@ -807,7 +783,7 @@ tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) * using the server application traffic keys. */ if (!tls13_record_layer_set_read_traffic_key(ctx->rl, - &secrets->server_application_traffic)) + &secrets->server_application_traffic, ssl_encryption_application)) goto err; tls13_record_layer_allow_ccs(ctx->rl, 0); @@ -1086,5 +1062,5 @@ tls13_client_finished_sent(struct tls13_ctx *ctx) * using the client application traffic keys. */ return tls13_record_layer_set_write_traffic_key(ctx->rl, - &secrets->client_application_traffic); + &secrets->client_application_traffic, ssl_encryption_application); } diff --git a/ssl/tls13_handshake.c b/ssl/tls13_handshake.c index cca8560..9723edf 100644 --- a/ssl/tls13_handshake.c +++ b/ssl/tls13_handshake.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_handshake.c,v 1.70 2021/09/16 19:25:30 jsing Exp $ */ +/* $OpenBSD: tls13_handshake.c,v 1.72 2022/11/26 16:08:56 tb Exp $ */ /* * Copyright (c) 2018-2021 Theo Buehler * Copyright (c) 2019 Joel Sing @@ -18,7 +18,7 @@ #include -#include "ssl_locl.h" +#include "ssl_local.h" #include "tls13_handshake.h" #include "tls13_internal.h" 
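Review bot: `if (!tls_process_peer_certs(s, certs)) goto err;` replaces code that moved `certs` into the session and then set `certs = NULL`; the new call leaves `certs` non-NULL, so if the cleanup after `err:` (outside the hunk) still does sk_X509_pop_free(certs, X509_free), tls_process_peer_certs() must not take ownership of the stack or its elements without up-referencing them, or this becomes a double free on both the success and the failure path. A comment at the call site stating the ownership contract, `/* tls_process_peer_certs() copies what it keeps; certs remains ours to free. */`, would pin that down once confirmed. The `X509 *cert = NULL;` declaration kept in the previous hunk appears unused after this change, unless code later in the function still refers to it.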
@@ -291,8 +291,6 @@ tls13_handshake_message_name(uint8_t msg_type) return "CertificateVerify"; case TLS13_MT_FINISHED: return "Finished"; - case TLS13_MT_KEY_UPDATE: - return "KeyUpdate"; } return "Unknown"; } diff --git a/ssl/tls13_handshake_msg.c b/ssl/tls13_handshake_msg.c index 67eab31..134cfb2 100644 --- a/ssl/tls13_handshake_msg.c +++ b/ssl/tls13_handshake_msg.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_handshake_msg.c,v 1.4 2021/10/23 13:12:14 jsing Exp $ */ +/* $OpenBSD: tls13_handshake_msg.c,v 1.6 2022/07/22 19:33:53 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -71,12 +71,6 @@ tls13_handshake_msg_data(struct tls13_handshake_msg *msg, CBS *cbs) CBS_init(cbs, msg->data, msg->data_len); } -int -tls13_handshake_msg_set_buffer(struct tls13_handshake_msg *msg, CBS *cbs) -{ - return tls_buffer_set_data(msg->buf, cbs); -} - uint8_t tls13_handshake_msg_type(struct tls13_handshake_msg *msg) { @@ -142,7 +136,8 @@ tls13_handshake_msg_recv(struct tls13_handshake_msg *msg, tls13_handshake_msg_read_cb, rl)) <= 0) return ret; - tls_buffer_cbs(msg->buf, &cbs); + if (!tls_buffer_data(msg->buf, &cbs)) + return TLS13_IO_FAILURE; if (!CBS_get_u8(&cbs, &msg_type)) return TLS13_IO_FAILURE; diff --git a/ssl/tls13_internal.h b/ssl/tls13_internal.h index 4c3a328..f4b17bd 100644 --- a/ssl/tls13_internal.h +++ b/ssl/tls13_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_internal.h,v 1.96 2022/01/05 17:10:02 jsing Exp $ */ +/* $OpenBSD: tls13_internal.h,v 1.101 2022/07/24 14:28:16 jsing Exp $ */ /* * Copyright (c) 2018 Bob Beck * Copyright (c) 2018 Theo Buehler 
@@ -88,12 +88,23 @@ __BEGIN_HIDDEN_DECLS #define TLS13_INFO_CONNECT_EXIT SSL_CB_CONNECT_EXIT typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg); -typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg, CBS *_cbs); +typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg); typedef void (*tls13_phh_sent_cb)(void *_cb_arg); typedef void (*tls13_handshake_message_cb)(void *_cb_arg); typedef void (*tls13_info_cb)(void *_cb_arg, int _state, int _ret); typedef int (*tls13_ocsp_status_cb)(void *_cb_arg); +/* + * PSK support. + */ + +/* + * Known PskKeyExchangeMode values. + * https://www.iana.org/assignments/tls-parameters/#tls-pskkeyexchangemode + */ +#define TLS13_PSK_KE 0 +#define TLS13_PSK_DHE_KE 1 + /* * Secrets. */ @@ -164,9 +175,19 @@ int tls13_update_server_traffic_secret(struct tls13_secrets *secrets); struct tls13_record_layer; struct tls13_record_layer_callbacks { + /* Wire callbacks. */ tls_read_cb wire_read; tls_write_cb wire_write; tls_flush_cb wire_flush; + + /* Interceptors. */ + tls_handshake_read_cb handshake_read; + tls_handshake_write_cb handshake_write; + tls_traffic_key_cb set_read_traffic_key; + tls_traffic_key_cb set_write_traffic_key; + tls_alert_send_cb alert_send; + + /* Notification callbacks. */ tls13_alert_cb alert_recv; tls13_alert_cb alert_sent; tls13_phh_recv_cb phh_recv; @@ -176,6 +197,8 @@ struct tls13_record_layer_callbacks { struct tls13_record_layer *tls13_record_layer_new( const struct tls13_record_layer_callbacks *callbacks, void *cb_arg); void tls13_record_layer_free(struct tls13_record_layer *rl); +void tls13_record_layer_set_callbacks(struct tls13_record_layer *rl, + const struct tls13_record_layer_callbacks *callbacks, void *cb_arg); void tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow); void tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow); void tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs); 
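Review bot: The five new `tls13_record_layer_callbacks` members under `/* Interceptors. */` get no description of when the record layer invokes them or what a non-NULL value changes, in particular whether handshake_read/handshake_write bypass the wire callbacks and what alert_send is expected to do; the callback types are defined elsewhere, so this header is the only place a reader can learn the contract. A short comment per field, or a block comment above the struct describing the three groups, would do. The changed `tls13_phh_recv_cb` signature, which no longer receives a CBS, similarly deserves a note on how the callback now obtains the post-handshake message.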
@@ -188,9 +211,9 @@ void tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, void tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry); void tls13_record_layer_handshake_completed(struct tls13_record_layer *rl); int tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, - struct tls13_secret *read_key); + struct tls13_secret *read_key, enum ssl_encryption_level_t read_level); int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, - struct tls13_secret *write_key); + struct tls13_secret *write_key, enum ssl_encryption_level_t write_level); ssize_t tls13_record_layer_send_pending(struct tls13_record_layer *rl); ssize_t tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs); ssize_t tls13_record_layer_flush(struct tls13_record_layer *rl); @@ -215,7 +238,6 @@ struct tls13_handshake_msg; struct tls13_handshake_msg *tls13_handshake_msg_new(void); void tls13_handshake_msg_free(struct tls13_handshake_msg *msg); void tls13_handshake_msg_data(struct tls13_handshake_msg *msg, CBS *cbs); -int tls13_handshake_msg_set_buffer(struct tls13_handshake_msg *msg, CBS *cbs); uint8_t tls13_handshake_msg_type(struct tls13_handshake_msg *msg); int tls13_handshake_msg_content(struct tls13_handshake_msg *msg, CBS *cbs); int tls13_handshake_msg_start(struct tls13_handshake_msg *msg, CBB *body, @@ -281,12 +303,19 @@ struct tls13_ctx { #define TLS13_PHH_LIMIT 100 #endif -struct tls13_ctx *tls13_ctx_new(int mode); +struct tls13_ctx *tls13_ctx_new(int mode, SSL *ssl); void tls13_ctx_free(struct tls13_ctx *ctx); const EVP_AEAD *tls13_cipher_aead(const SSL_CIPHER *cipher); const EVP_MD *tls13_cipher_hash(const SSL_CIPHER *cipher); +void tls13_alert_received_cb(uint8_t alert_desc, void *arg); +void tls13_alert_sent_cb(uint8_t alert_desc, void *arg); +ssize_t tls13_phh_received_cb(void *cb_arg); +void tls13_phh_done_cb(void *cb_arg); + +int tls13_quic_init(struct tls13_ctx *ctx); + /* * Legacy interfaces. */ 
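Review bot: The new `enum ssl_encryption_level_t read_level`/`write_level` parameters on tls13_record_layer_set_read_traffic_key() and tls13_record_layer_set_write_traffic_key() are undocumented; a comment stating what the record layer does with the level (presumably hands it to the traffic-key interceptors for QUIC, given the tls13_quic_init() prototype added in the same hunk) would explain why a key setter now needs it. The `tls13_ctx_new(int mode, SSL *ssl)` change is likewise silent on whether the context keeps a reference to `ssl` for its lifetime.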
diff --git a/ssl/tls13_key_schedule.c b/ssl/tls13_key_schedule.c index bb96cf3..05bcf0f 100644 --- a/ssl/tls13_key_schedule.c +++ b/ssl/tls13_key_schedule.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_key_schedule.c,v 1.14 2021/01/05 18:36:22 tb Exp $ */ +/* $OpenBSD: tls13_key_schedule.c,v 1.18 2022/11/26 16:08:56 tb Exp $ */ /* * Copyright (c) 2018, Bob Beck * @@ -21,6 +21,7 @@ #include #include "bytestring.h" +#include "ssl_local.h" #include "tls13_internal.h" int @@ -169,13 +170,17 @@ tls13_hkdf_expand_label_with_length(struct tls13_secret *out, const uint8_t *label, size_t label_len, const struct tls13_secret *context) { const char tls13_plabel[] = "tls13 "; - uint8_t *hkdf_label; + uint8_t *hkdf_label = NULL; size_t hkdf_label_len; CBB cbb, child; int ret; if (!CBB_init(&cbb, 256)) - return 0; + goto err; + + if (out->data == NULL || out->len == 0) + goto err; + if (!CBB_add_u16(&cbb, out->len)) goto err; if (!CBB_add_u8_length_prefixed(&cbb, &child)) 
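Review bot: The new `if (out->data == NULL || out->len == 0) goto err;` and the changed `if (!CBB_init(&cbb, 256)) goto err;` both jump to an `err:` label that is outside the hunk, while `int ret;` in the visible declarations has no initialiser; if that label returns `ret`, the early exits that previously did `return 0;` now return an indeterminate value, so either write `int ret = 0;` or confirm the label assigns it. Initialising `hkdf_label = NULL` covers the free on that path, which is good, and the `out->len == 0` rejection keeps `CBB_add_u16(&cbb, out->len)` from encoding a zero output length.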
@@ -381,3 +386,73 @@ tls13_update_server_traffic_secret(struct tls13_secrets *secrets) secrets->digest, &secrets->server_application_traffic, "traffic upd", &context); } + +int +tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len, + const uint8_t *context_value, size_t context_value_len, uint8_t *out, + size_t out_len) +{ + struct tls13_secret context, export_out, export_secret; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; + EVP_MD_CTX *md_ctx = NULL; + unsigned int md_out_len; + int md_len; + int ret = 0; + + /* + * RFC 8446 Section 7.5. + */ + + memset(&context, 0, sizeof(context)); + memset(&export_secret, 0, sizeof(export_secret)); + + export_out.data = out; + export_out.len = out_len; + + if (!ctx->handshake_completed) + return 0; + + md_len = EVP_MD_size(secrets->digest); + if (md_len <= 0 || md_len > EVP_MAX_MD_SIZE) + goto err; + + if (!tls13_secret_init(&export_secret, md_len)) + goto err; + if (!tls13_secret_init(&context, md_len)) + goto err; + + /* In TLSv1.3 no context is equivalent to an empty context. */ + if (context_value == NULL) { + context_value = ""; + context_value_len = 0; + } + + if ((md_ctx = EVP_MD_CTX_new()) == NULL) + goto err; + if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL)) + goto err; + if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len)) + goto err; + if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len)) + goto err; + if (md_len != md_out_len) + goto err; + + if (!tls13_derive_secret_with_label_length(&export_secret, + secrets->digest, &secrets->exporter_master, label, label_len, + &secrets->empty_hash)) + goto err; + + if (!tls13_hkdf_expand_label(&export_out, secrets->digest, + &export_secret, "exporter", &context)) + goto err; + + ret = 1; + + err: + EVP_MD_CTX_free(md_ctx); + tls13_secret_cleanup(&context); + tls13_secret_cleanup(&export_secret); + + return ret; +} diff --git a/ssl/tls13_legacy.c b/ssl/tls13_legacy.c index 27e030f..1d6a5a1 100644 
--- a/ssl/tls13_legacy.c +++ b/ssl/tls13_legacy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_legacy.c,v 1.37 2022/02/06 16:08:14 jsing Exp $ */ +/* $OpenBSD: tls13_legacy.c,v 1.40 2022/11/26 16:08:56 tb Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -17,7 +17,7 @@ #include -#include "ssl_locl.h" +#include "ssl_local.h" #include "tls13_internal.h" static ssize_t @@ -30,7 +30,7 @@ tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) return TLS13_IO_FAILURE; } - ssl->internal->rwstate = SSL_READING; + ssl->rwstate = SSL_READING; errno = 0; if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) { @@ -46,7 +46,7 @@ tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) } if (n == len) - ssl->internal->rwstate = SSL_NOTHING; + ssl->rwstate = SSL_NOTHING; return n; } @@ -69,7 +69,7 @@ tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) return TLS13_IO_FAILURE; } - ssl->internal->rwstate = SSL_WRITING; + ssl->rwstate = SSL_WRITING; errno = 0; if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) { @@ -83,7 +83,7 @@ tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) } if (n == len) - ssl->internal->rwstate = SSL_NOTHING; + ssl->rwstate = SSL_NOTHING; return n; } @@ -123,7 +123,7 @@ tls13_legacy_wire_flush_cb(void *arg) static void tls13_legacy_error(SSL *ssl) { - struct tls13_ctx *ctx = ssl->internal->tls13; + struct tls13_ctx *ctx = ssl->tls13; int reason = SSL_R_UNKNOWN; /* If we received a fatal alert we already put an error on the stack. */ @@ -171,7 +171,7 @@ tls13_legacy_return_code(SSL *ssl, ssize_t ret) if (ret > 0) return ret; - ssl->internal->rwstate = SSL_NOTHING; + ssl->rwstate = SSL_NOTHING; switch (ret) { case TLS13_IO_EOF: 
@@ -187,12 +187,12 @@ tls13_legacy_return_code(SSL *ssl, ssize_t ret) case TLS13_IO_WANT_POLLIN: BIO_set_retry_read(ssl->rbio); - ssl->internal->rwstate = SSL_READING; + ssl->rwstate = SSL_READING; return -1; case TLS13_IO_WANT_POLLOUT: BIO_set_retry_write(ssl->wbio); - ssl->internal->rwstate = SSL_WRITING; + ssl->rwstate = SSL_WRITING; return -1; case TLS13_IO_WANT_RETRY: @@ -207,7 +207,7 @@ tls13_legacy_return_code(SSL *ssl, ssize_t ret) int tls13_legacy_pending(const SSL *ssl) { - struct tls13_ctx *ctx = ssl->internal->tls13; + struct tls13_ctx *ctx = ssl->tls13; ssize_t ret; if (ctx == NULL) @@ -223,11 +223,11 @@ tls13_legacy_pending(const SSL *ssl) int tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek) { - struct tls13_ctx *ctx = ssl->internal->tls13; + struct tls13_ctx *ctx = ssl->tls13; ssize_t ret; if (ctx == NULL || !ctx->handshake_completed) { - if ((ret = ssl->internal->handshake_func(ssl)) <= 0) + if ((ret = ssl->handshake_func(ssl)) <= 0) return ret; if (len == 0) return 0; @@ -235,7 +235,7 @@ tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int pee } tls13_record_layer_set_retry_after_phh(ctx->rl, - (ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0); + (ctx->ssl->mode & SSL_MODE_AUTO_RETRY) != 0); if (type != SSL3_RT_APPLICATION_DATA) { SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); @@ -257,13 +257,13 @@ tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int pee int tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) { - struct tls13_ctx *ctx = ssl->internal->tls13; + struct tls13_ctx *ctx = ssl->tls13; const uint8_t *buf = vbuf; size_t n, sent; ssize_t ret; if (ctx == NULL || !ctx->handshake_completed) { - if ((ret = ssl->internal->handshake_func(ssl)) <= 0) + if ((ret = ssl->handshake_func(ssl)) <= 0) return ret; if (len == 0) return 0; 
@@ -283,7 +283,7 @@ tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) * The TLSv1.3 record layer write behaviour is the same as * SSL_MODE_ENABLE_PARTIAL_WRITE. */ - if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) { + if (ssl->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) { ret = tls13_write_application_data(ctx->rl, buf, len); return tls13_legacy_return_code(ssl, ret); } @@ -352,18 +352,18 @@ tls13_use_legacy_stack(struct tls13_ctx *ctx) s->s3->rbuf.left = CBS_len(&cbs); s->s3->rrec.type = SSL3_RT_HANDSHAKE; s->s3->rrec.length = CBS_len(&cbs); - s->internal->rstate = SSL_ST_READ_BODY; - s->internal->packet = s->s3->rbuf.buf; - s->internal->packet_length = SSL3_RT_HEADER_LENGTH; - s->internal->mac_packet = 1; + s->rstate = SSL_ST_READ_BODY; + s->packet = s->s3->rbuf.buf; + s->packet_length = SSL3_RT_HEADER_LENGTH; + s->mac_packet = 1; } /* Stash the current handshake message. */ tls13_handshake_msg_data(ctx->hs_msg, &cbs); - if (!BUF_MEM_grow_clean(s->internal->init_buf, CBS_len(&cbs))) + if (!BUF_MEM_grow_clean(s->init_buf, CBS_len(&cbs))) goto err; - if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, - s->internal->init_buf->length, NULL)) + if (!CBS_write_bytes(&cbs, s->init_buf->data, + s->init_buf->length, NULL)) goto err; s->s3->hs.tls12.reuse_message = 1; @@ -386,7 +386,7 @@ tls13_use_legacy_client(struct tls13_ctx *ctx) if (!tls13_use_legacy_stack(ctx)) return 0; - s->internal->handshake_func = s->method->ssl_connect; + s->handshake_func = s->method->ssl_connect; s->version = s->method->max_tls_version; return 1; @@ -400,7 +400,7 @@ tls13_use_legacy_server(struct tls13_ctx *ctx) if (!tls13_use_legacy_stack(ctx)) return 0; - s->internal->handshake_func = s->method->ssl_accept; + s->handshake_func = s->method->ssl_accept; s->version = s->method->max_tls_version; s->server = 1; 
@@ -410,18 +410,14 @@ tls13_use_legacy_server(struct tls13_ctx *ctx) int tls13_legacy_accept(SSL *ssl) { - struct tls13_ctx *ctx = ssl->internal->tls13; + struct tls13_ctx *ctx = ssl->tls13; int ret; if (ctx == NULL) { - if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) { + if ((ctx = tls13_ctx_new(TLS13_HS_SERVER, ssl)) == NULL) { SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ return -1; } - ssl->internal->tls13 = ctx; - ctx->ssl = ssl; - ctx->hs = &ssl->s3->hs; - if (!tls13_server_init(ctx)) { if (ERR_peek_error() == 0) SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ @@ -446,18 +442,14 @@ tls13_legacy_accept(SSL *ssl) int tls13_legacy_connect(SSL *ssl) { - struct tls13_ctx *ctx = ssl->internal->tls13; + struct tls13_ctx *ctx = ssl->tls13; int ret; if (ctx == NULL) { - if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) { + if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT, ssl)) == NULL) { SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ return -1; } - ssl->internal->tls13 = ctx; - ctx->ssl = ssl; - ctx->hs = &ssl->s3->hs; - if (!tls13_client_init(ctx)) { if (ERR_peek_error() == 0) SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ @@ -482,7 +474,7 @@ tls13_legacy_connect(SSL *ssl) int tls13_legacy_shutdown(SSL *ssl) { - struct tls13_ctx *ctx = ssl->internal->tls13; + struct tls13_ctx *ctx = ssl->tls13; uint8_t buf[512]; /* XXX */ ssize_t ret; 
@@ -492,15 +484,15 @@ tls13_legacy_shutdown(SSL *ssl) * alerts. All other cases, including EOF, return -1 and set internal * state appropriately. */ - if (ctx == NULL || ssl->internal->quiet_shutdown) { - ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN; + if (ctx == NULL || ssl->quiet_shutdown) { + ssl->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN; return 1; } if (!ctx->close_notify_sent) { /* Enqueue and send close notify. */ - if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) { - ssl->internal->shutdown |= SSL_SENT_SHUTDOWN; + if (!(ssl->shutdown & SSL_SENT_SHUTDOWN)) { + ssl->shutdown |= SSL_SENT_SHUTDOWN; if ((ret = tls13_send_alert(ctx->rl, TLS13_ALERT_CLOSE_NOTIFY)) < 0) return tls13_legacy_return_code(ssl, ret); @@ -541,13 +533,13 @@ tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert) SSL_CTX *ssl_ctx = ctx->ssl->ctx; SSL *s = ctx->ssl; - if (ssl_ctx->internal->tlsext_servername_callback == NULL) + if (ssl_ctx->tlsext_servername_callback == NULL) ssl_ctx = s->initial_ctx; - if (ssl_ctx->internal->tlsext_servername_callback == NULL) + if (ssl_ctx->tlsext_servername_callback == NULL) return 1; - ret = ssl_ctx->internal->tlsext_servername_callback(s, &legacy_alert, - ssl_ctx->internal->tlsext_servername_arg); + ret = ssl_ctx->tlsext_servername_callback(s, &legacy_alert, + ssl_ctx->tlsext_servername_arg); /* * Ignore SSL_TLSEXT_ERR_ALERT_WARNING returns to match OpenSSL's diff --git a/ssl/tls13_lib.c b/ssl/tls13_lib.c index 20d3a38..05f125a 100644 --- a/ssl/tls13_lib.c +++ b/ssl/tls13_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_lib.c,v 1.63 2022/02/05 14:54:10 jsing Exp $ */ +/* $OpenBSD: tls13_lib.c,v 1.76 2022/11/26 16:08:56 tb Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * Copyright (c) 2019 Bob Beck 
@@ -20,10 +20,17 @@ #include -#include "ssl_locl.h" +#include "ssl_local.h" #include "ssl_tlsext.h" #include "tls13_internal.h" +/* + * RFC 8446, section 4.6.1. Servers must not indicate a lifetime longer than + * 7 days and clients must not cache tickets for longer than 7 days. + */ + +#define TLS13_MAX_TICKET_LIFETIME (7 * 24 * 3600) + /* * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set * by the server in server random if it is willing to downgrade but supports @@ -103,14 +110,14 @@ tls13_cipher_hash(const SSL_CIPHER *cipher) return NULL; } -static void +void tls13_alert_received_cb(uint8_t alert_desc, void *arg) { struct tls13_ctx *ctx = arg; if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { ctx->close_notify_recv = 1; - ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; + ctx->ssl->shutdown |= SSL_RECEIVED_SHUTDOWN; ctx->ssl->s3->warn_alert = alert_desc; return; } @@ -132,7 +139,7 @@ tls13_alert_received_cb(uint8_t alert_desc, void *arg) SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session); } -static void +void tls13_alert_sent_cb(uint8_t alert_desc, void *arg) { struct tls13_ctx *ctx = arg; @@ -158,11 +165,11 @@ tls13_legacy_handshake_message_recv_cb(void *arg) SSL *s = ctx->ssl; CBS cbs; - if (s->internal->msg_callback == NULL) + if (s->msg_callback == NULL) return; tls13_handshake_msg_data(ctx->hs_msg, &cbs); - ssl_msg_callback(s, 0, SSL3_RT_HANDSHAKE, CBS_data(&cbs), CBS_len(&cbs)); + ssl_msg_callback_cbs(s, 0, SSL3_RT_HANDSHAKE, &cbs); } static void @@ -172,11 +179,11 @@ tls13_legacy_handshake_message_sent_cb(void *arg) SSL *s = ctx->ssl; CBS cbs; - if (s->internal->msg_callback == NULL) + if (s->msg_callback == NULL) return; tls13_handshake_msg_data(ctx->hs_msg, &cbs); - ssl_msg_callback(s, 1, SSL3_RT_HANDSHAKE, CBS_data(&cbs), CBS_len(&cbs)); + ssl_msg_callback_cbs(s, 1, SSL3_RT_HANDSHAKE, &cbs); } static void 
@@ -195,11 +202,11 @@ tls13_legacy_ocsp_status_recv_cb(void *arg) SSL *s = ctx->ssl; int ret; - if (s->ctx->internal->tlsext_status_cb == NULL) + if (s->ctx->tlsext_status_cb == NULL) return 1; - ret = s->ctx->internal->tlsext_status_cb(s, - s->ctx->internal->tlsext_status_arg); + ret = s->ctx->tlsext_status_cb(s, + s->ctx->tlsext_status_arg); if (ret < 0) { ctx->alert = TLS13_ALERT_INTERNAL_ERROR; SSLerror(s, ERR_R_MALLOC_FAILURE); 
@@ -215,31 +222,43 @@ tls13_legacy_ocsp_status_recv_cb(void *arg) } static int -tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx) +tls13_phh_update_read_traffic_secret(struct tls13_ctx *ctx) { struct tls13_secrets *secrets = ctx->hs->tls13.secrets; + struct tls13_secret *secret; - if (ctx->mode == TLS13_HS_CLIENT) - return (tls13_update_client_traffic_secret(secrets) && - tls13_record_layer_set_write_traffic_key(ctx->rl, - &secrets->client_application_traffic)); - return (tls13_update_server_traffic_secret(secrets) && - tls13_record_layer_set_read_traffic_key(ctx->rl, - &secrets->server_application_traffic)); + if (ctx->mode == TLS13_HS_CLIENT) { + secret = &secrets->server_application_traffic; + if (!tls13_update_server_traffic_secret(secrets)) + return 0; + } else { + secret = &secrets->client_application_traffic; + if (!tls13_update_client_traffic_secret(secrets)) + return 0; + } + + return tls13_record_layer_set_read_traffic_key(ctx->rl, + secret, ssl_encryption_application); } static int -tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx) +tls13_phh_update_write_traffic_secret(struct tls13_ctx *ctx) { struct tls13_secrets *secrets = ctx->hs->tls13.secrets; + struct tls13_secret *secret; - if (ctx->mode == TLS13_HS_CLIENT) - return (tls13_update_server_traffic_secret(secrets) && - tls13_record_layer_set_read_traffic_key(ctx->rl, - &secrets->server_application_traffic)); - return (tls13_update_client_traffic_secret(secrets) && - tls13_record_layer_set_write_traffic_key(ctx->rl, - &secrets->client_application_traffic)); + if (ctx->mode == TLS13_HS_CLIENT) { + secret = &secrets->client_application_traffic; + if (!tls13_update_client_traffic_secret(secrets)) + return 0; + } else { + secret = &secrets->server_application_traffic; + if (!tls13_update_server_traffic_secret(secrets)) + return 0; + } + + return tls13_record_layer_set_write_traffic_key(ctx->rl, + secret, ssl_encryption_application); } /* 
@@ -285,13 +304,13 @@ tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs) goto err; } - if (!tls13_phh_update_peer_traffic_secret(ctx)) + if (!tls13_phh_update_read_traffic_secret(ctx)) goto err; if (key_update_request == 0) return TLS13_IO_SUCCESS; - /* key_update_request == 1 */ + /* Our peer requested that we update our write traffic keys. */ if ((hs_msg = tls13_handshake_msg_new()) == NULL) goto err; if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE)) 
@@ -316,23 +335,113 @@ tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs) return tls13_send_alert(ctx->rl, alert); } -static void -tls13_phh_done_cb(void *cb_arg) +/* RFC 8446 section 4.6.1 */ +static ssize_t +tls13_new_session_ticket_recv(struct tls13_ctx *ctx, CBS *cbs) { - struct tls13_ctx *ctx = cb_arg; + struct tls13_secrets *secrets = ctx->hs->tls13.secrets; + struct tls13_secret nonce; + uint32_t ticket_lifetime, ticket_age_add; + CBS ticket_nonce, ticket; + SSL_SESSION *sess = NULL; + int alert, session_id_length; + ssize_t ret = 0; - if (ctx->key_update_request) { - tls13_phh_update_local_traffic_secret(ctx); - ctx->key_update_request = 0; + memset(&nonce, 0, sizeof(nonce)); + + if (ctx->mode != TLS13_HS_CLIENT) { + alert = TLS13_ALERT_UNEXPECTED_MESSAGE; + goto err; } + + alert = TLS13_ALERT_DECODE_ERROR; + + if (!CBS_get_u32(cbs, &ticket_lifetime)) + goto err; + if (!CBS_get_u32(cbs, &ticket_age_add)) + goto err; + if (!CBS_get_u8_length_prefixed(cbs, &ticket_nonce)) + goto err; + if (!CBS_get_u16_length_prefixed(cbs, &ticket)) + goto err; + /* Extensions can only contain early_data, which we currently ignore. */ + if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_NST, cbs, &alert)) + goto err; + + if (CBS_len(cbs) != 0) + goto err; + + /* Zero indicates that the ticket should be discarded immediately. */ + if (ticket_lifetime == 0) { + ret = TLS13_IO_SUCCESS; + goto done; + } + + /* Servers MUST NOT use any value larger than 7 days. */ + if (ticket_lifetime > TLS13_MAX_TICKET_LIFETIME) { + alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + + alert = TLS13_ALERT_INTERNAL_ERROR; + + /* + * Create new session instead of modifying the current session. + * The current session could already be in the session cache. 
+ */ + if ((sess = ssl_session_dup(ctx->ssl->session, 0)) == NULL) + goto err; + + sess->time = time(NULL); + + sess->tlsext_tick_lifetime_hint = ticket_lifetime; + sess->tlsext_tick_age_add = ticket_age_add; + + if (!CBS_stow(&ticket, &sess->tlsext_tick, &sess->tlsext_ticklen)) + goto err; + + /* XXX - ensure this doesn't overflow session_id if hash is changed. */ + if (!EVP_Digest(CBS_data(&ticket), CBS_len(&ticket), + sess->session_id, &session_id_length, EVP_sha256(), NULL)) + goto err; + sess->session_id_length = session_id_length; + + if (!CBS_stow(&ticket_nonce, &nonce.data, &nonce.len)) + goto err; + + if (!tls13_secret_init(&sess->resumption_master_secret, 256)) + goto err; + + if (!tls13_derive_secret(&sess->resumption_master_secret, + secrets->digest, &secrets->resumption_master, "resumption", + &nonce)) + goto err; + + SSL_SESSION_free(ctx->ssl->session); + ctx->ssl->session = sess; + sess = NULL; + + ssl_update_cache(ctx->ssl, SSL_SESS_CACHE_CLIENT); + + ret = TLS13_IO_SUCCESS; + goto done; + + err: + ret = tls13_send_alert(ctx->rl, alert); + + done: + tls13_secret_cleanup(&nonce); + SSL_SESSION_free(sess); + + return ret; } -static ssize_t -tls13_phh_received_cb(void *cb_arg, CBS *cbs) +ssize_t +tls13_phh_received_cb(void *cb_arg) { ssize_t ret = TLS13_IO_FAILURE; struct tls13_ctx *ctx = cb_arg; - CBS phh_cbs; + CBS cbs; if (!tls13_phh_limit_check(ctx)) return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE); 
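Review bot: `tls13_secret_init(&sess->resumption_master_secret, 256)` fixes the derived resumption PSK at 256 bytes, and assuming `tls13_derive_secret` feeds `out->len` through to `tls13_hkdf_expand_label_with_length` — which in this diff encodes it into the HkdfLabel via `CBB_add_u16(&cbb, out->len)` and expands that many bytes — the stored value is not the RFC 8446 §4.6.1 PSK `HKDF-Expand-Label(resumption_master_secret, "resumption", ticket_nonce, Hash.length)`, so if this secret is ever offered for resumption it will never match what a conforming server derives. Size it from the digest: `if ((md_len = EVP_MD_size(secrets->digest)) <= 0) goto err;` and then `tls13_secret_init(&sess->resumption_master_secret, md_len)`. Separately, `session_id_length` is declared `int` while `EVP_Digest` takes `unsigned int *`, so declare it `unsigned int`; the `XXX` above it can be settled rather than left as a question with `if (EVP_MD_size(EVP_sha256()) > sizeof(sess->session_id)) goto err;`.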
@@ -341,22 +450,19 @@ tls13_phh_received_cb(void *cb_arg, CBS *cbs) ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)) return TLS13_IO_FAILURE; - if (!tls13_handshake_msg_set_buffer(ctx->hs_msg, cbs)) - return TLS13_IO_FAILURE; - - if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) - != TLS13_IO_SUCCESS) + if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) != + TLS13_IO_SUCCESS) return ret; - if (!tls13_handshake_msg_content(ctx->hs_msg, &phh_cbs)) + if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) return TLS13_IO_FAILURE; switch(tls13_handshake_msg_type(ctx->hs_msg)) { case TLS13_MT_KEY_UPDATE: - ret = tls13_key_update_recv(ctx, &phh_cbs); + ret = tls13_key_update_recv(ctx, &cbs); break; case TLS13_MT_NEW_SESSION_TICKET: - /* XXX do nothing for now and ignore this */ + ret = tls13_new_session_ticket_recv(ctx, &cbs); break; case TLS13_MT_CERTIFICATE_REQUEST: /* XXX add support if we choose to advertise this */ @@ -371,10 +477,22 @@ tls13_phh_received_cb(void *cb_arg, CBS *cbs) return ret; } -static const struct tls13_record_layer_callbacks rl_callbacks = { +void +tls13_phh_done_cb(void *cb_arg) +{ + struct tls13_ctx *ctx = cb_arg; + + if (ctx->key_update_request) { + tls13_phh_update_write_traffic_secret(ctx); + ctx->key_update_request = 0; + } +} + +static const struct tls13_record_layer_callbacks tls13_rl_callbacks = { .wire_read = tls13_legacy_wire_read_cb, .wire_write = tls13_legacy_wire_write_cb, .wire_flush = tls13_legacy_wire_flush_cb, + .alert_recv = tls13_alert_received_cb, .alert_sent = tls13_alert_sent_cb, .phh_recv = tls13_phh_received_cb, 
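Review bot: `tls13_phh_done_cb` discards the result of `tls13_phh_update_write_traffic_secret(ctx)`, so if deriving the next secret or installing the write key fails after the KeyUpdate we sent in reply to the peer's request, the connection silently keeps writing under the pre-update key; the peer has been told to expect new keys, will fail to decrypt, and the local side has recorded no error explaining why. Since `.phh_sent` returns void, the failure has to be recorded on the context so the next record write fails — for example by leaving `ctx->key_update_request` set and noting the error in the ctx error state, or by changing `phh_sent` to return `ssize_t` like `phh_recv` does. The removed `tls13_phh_update_local_traffic_secret` call was equally unchecked, but the rename is the natural point to fix it.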
@@ -382,16 +500,18 @@ static const struct tls13_record_layer_callbacks rl_callbacks = { }; struct tls13_ctx * -tls13_ctx_new(int mode) +tls13_ctx_new(int mode, SSL *ssl) { struct tls13_ctx *ctx = NULL; if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL) goto err; + ctx->hs = &ssl->s3->hs; ctx->mode = mode; + ctx->ssl = ssl; - if ((ctx->rl = tls13_record_layer_new(&rl_callbacks, ctx)) == NULL) + if ((ctx->rl = tls13_record_layer_new(&tls13_rl_callbacks, ctx)) == NULL) goto err; ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb; @@ -401,6 +521,13 @@ tls13_ctx_new(int mode) ctx->middlebox_compat = 1; + ssl->tls13 = ctx; + + if (SSL_is_quic(ssl)) { + if (!tls13_quic_init(ctx)) + goto err; + } + return ctx; err: 
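Review bot: `ssl->tls13 = ctx` is stored before `tls13_quic_init(ctx)` can fail, and the `err:` path (outside the hunk) presumably still frees `ctx` as it did before the change, which leaves `ssl->tls13` pointing at freed memory; `tls13_legacy_accept` and `tls13_legacy_connect` read `ssl->tls13` first thing on the next call and would reuse that pointer. `tls13_quic_init` only touches `ctx->rl` and `ctx->ssl`, so move the assignment to just before the successful return, `ssl->tls13 = ctx; return ctx;`, or clear it on the error path before freeing. A one-line comment that the QUIC callback table is swapped in after `tls13_record_layer_new` installed the legacy one would also help, since the choice is not visible at construction.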
@@ -572,73 +699,3 @@ tls13_clienthello_hash_validate(struct tls13_ctx *ctx) return 1; } - -int -tls13_exporter(struct tls13_ctx *ctx, const uint8_t *label, size_t label_len, - const uint8_t *context_value, size_t context_value_len, uint8_t *out, - size_t out_len) -{ - struct tls13_secret context, export_out, export_secret; - struct tls13_secrets *secrets = ctx->hs->tls13.secrets; - EVP_MD_CTX *md_ctx = NULL; - unsigned int md_out_len; - int md_len; - int ret = 0; - - /* - * RFC 8446 Section 7.5. - */ - - memset(&context, 0, sizeof(context)); - memset(&export_secret, 0, sizeof(export_secret)); - - export_out.data = out; - export_out.len = out_len; - - if (!ctx->handshake_completed) - return 0; - - md_len = EVP_MD_size(secrets->digest); - if (md_len <= 0 || md_len > EVP_MAX_MD_SIZE) - goto err; - - if (!tls13_secret_init(&export_secret, md_len)) - goto err; - if (!tls13_secret_init(&context, md_len)) - goto err; - - /* In TLSv1.3 no context is equivalent to an empty context. */ - if (context_value == NULL) { - context_value = ""; - context_value_len = 0; - } - - if ((md_ctx = EVP_MD_CTX_new()) == NULL) - goto err; - if (!EVP_DigestInit_ex(md_ctx, secrets->digest, NULL)) - goto err; - if (!EVP_DigestUpdate(md_ctx, context_value, context_value_len)) - goto err; - if (!EVP_DigestFinal_ex(md_ctx, context.data, &md_out_len)) - goto err; - if (md_len != md_out_len) - goto err; - - if (!tls13_derive_secret_with_label_length(&export_secret, - secrets->digest, &secrets->exporter_master, label, label_len, - &secrets->empty_hash)) - goto err; - - if (!tls13_hkdf_expand_label(&export_out, secrets->digest, - &export_secret, "exporter", &context)) - goto err; - - ret = 1; - - err: - EVP_MD_CTX_free(md_ctx); - tls13_secret_cleanup(&context); - tls13_secret_cleanup(&export_secret); - - return ret; -} diff --git a/ssl/tls13_quic.c b/ssl/tls13_quic.c new file mode 100644 index 0000000..e5c386e --- /dev/null +++ b/ssl/tls13_quic.c 
@@ -0,0 +1,181 @@ +/* $OpenBSD: tls13_quic.c,v 1.7 2022/11/26 16:08:56 tb Exp $ */ +/* + * Copyright (c) 2022 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "ssl_local.h" +#include "tls13_internal.h" + +static ssize_t +tls13_quic_wire_read_cb(void *buf, size_t n, void *arg) +{ + struct tls13_ctx *ctx = arg; + SSL *ssl = ctx->ssl; + + SSLerror(ssl, SSL_R_QUIC_INTERNAL_ERROR); + return TLS13_IO_FAILURE; +} + +static ssize_t +tls13_quic_wire_write_cb(const void *buf, size_t n, void *arg) +{ + struct tls13_ctx *ctx = arg; + SSL *ssl = ctx->ssl; + + SSLerror(ssl, SSL_R_QUIC_INTERNAL_ERROR); + return TLS13_IO_FAILURE; +} + +static ssize_t +tls13_quic_wire_flush_cb(void *arg) +{ + struct tls13_ctx *ctx = arg; + SSL *ssl = ctx->ssl; + + if (!ssl->quic_method->flush_flight(ssl)) { + SSLerror(ssl, SSL_R_QUIC_INTERNAL_ERROR); + return TLS13_IO_FAILURE; + } + + return TLS13_IO_SUCCESS; +} + +static ssize_t +tls13_quic_handshake_read_cb(void *buf, size_t n, void *arg) +{ + struct tls13_ctx *ctx = arg; + + if (ctx->hs->tls13.quic_read_buffer == NULL) + return TLS13_IO_WANT_POLLIN; + + return tls_buffer_read(ctx->hs->tls13.quic_read_buffer, buf, n); +} + +static ssize_t +tls13_quic_handshake_write_cb(const void *buf, size_t n, void *arg) +{ + struct tls13_ctx *ctx = arg; + 
SSL *ssl = ctx->ssl; + + if (!ssl->quic_method->add_handshake_data(ssl, + ctx->hs->tls13.quic_write_level, buf, n)) { + SSLerror(ssl, SSL_R_QUIC_INTERNAL_ERROR); + return TLS13_IO_FAILURE; + } + + return n; +} + +static int +tls13_quic_set_read_traffic_key(struct tls13_secret *read_key, + enum ssl_encryption_level_t read_level, void *arg) +{ + struct tls13_ctx *ctx = arg; + SSL *ssl = ctx->ssl; + + ctx->hs->tls13.quic_read_level = read_level; + + /* Handle both the new (BoringSSL) and old (quictls) APIs. */ + + if (ssl->quic_method->set_read_secret != NULL) + return ssl->quic_method->set_read_secret(ssl, + ctx->hs->tls13.quic_read_level, ctx->hs->cipher, + read_key->data, read_key->len); + + if (ssl->quic_method->set_encryption_secrets != NULL) + return ssl->quic_method->set_encryption_secrets(ssl, + ctx->hs->tls13.quic_read_level, read_key->data, NULL, + read_key->len); + + return 0; +} + +static int +tls13_quic_set_write_traffic_key(struct tls13_secret *write_key, + enum ssl_encryption_level_t write_level, void *arg) +{ + struct tls13_ctx *ctx = arg; + SSL *ssl = ctx->ssl; + + ctx->hs->tls13.quic_write_level = write_level; + + /* Handle both the new (BoringSSL) and old (quictls) APIs. 
*/ + + if (ssl->quic_method->set_write_secret != NULL) + return ssl->quic_method->set_write_secret(ssl, + ctx->hs->tls13.quic_write_level, ctx->hs->cipher, + write_key->data, write_key->len); + + if (ssl->quic_method->set_encryption_secrets != NULL) + return ssl->quic_method->set_encryption_secrets(ssl, + ctx->hs->tls13.quic_write_level, NULL, write_key->data, + write_key->len); + + return 0; +} + +static int +tls13_quic_alert_send_cb(int alert_desc, void *arg) +{ + struct tls13_ctx *ctx = arg; + SSL *ssl = ctx->ssl; + + if (!ssl->quic_method->send_alert(ssl, ctx->hs->tls13.quic_write_level, + alert_desc)) { + SSLerror(ssl, SSL_R_QUIC_INTERNAL_ERROR); + return TLS13_IO_FAILURE; + } + + return TLS13_IO_SUCCESS; +} + +static const struct tls13_record_layer_callbacks quic_rl_callbacks = { + .wire_read = tls13_quic_wire_read_cb, + .wire_write = tls13_quic_wire_write_cb, + .wire_flush = tls13_quic_wire_flush_cb, + + .handshake_read = tls13_quic_handshake_read_cb, + .handshake_write = tls13_quic_handshake_write_cb, + .set_read_traffic_key = tls13_quic_set_read_traffic_key, + .set_write_traffic_key = tls13_quic_set_write_traffic_key, + .alert_send = tls13_quic_alert_send_cb, + + .alert_recv = tls13_alert_received_cb, + .alert_sent = tls13_alert_sent_cb, + .phh_recv = tls13_phh_received_cb, + .phh_sent = tls13_phh_done_cb, +}; + +int +tls13_quic_init(struct tls13_ctx *ctx) +{ + BIO *bio; + + tls13_record_layer_set_callbacks(ctx->rl, &quic_rl_callbacks, ctx); + + ctx->middlebox_compat = 0; + + /* + * QUIC does not use BIOs, however we currently expect a BIO to exist + * for status handling. + */ + if ((bio = BIO_new(BIO_s_null())) == NULL) + return 0; + + SSL_set_bio(ctx->ssl, bio, bio); + bio = NULL; + + return 1; +} diff --git a/ssl/tls13_record.c b/ssl/tls13_record.c index 2c74466..dbc835c 100644 --- a/ssl/tls13_record.c +++ b/ssl/tls13_record.c 
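Review bot: `tls13_quic_alert_send_cb` returns `TLS13_IO_SUCCESS` for every alert it passes to `quic_method->send_alert`, fatal ones included, and because `tls13_send_alert` now returns the callback's value directly, every `return tls13_send_alert(ctx->rl, alert)` error path in the handshake (for example the `err:` path of `tls13_new_session_ticket_recv`) reports success on QUIC instead of the alert/EOF result the TLS path produces; the `tls13_alert_sent_cb` registered in `quic_rl_callbacks` is also never invoked on this path, so its bookkeeping is skipped. The callback should call `tls13_alert_sent_cb(alert_desc, ctx)` after a successful send and return what the record layer path would — `TLS13_IO_EOF` for close_notify/user_canceled and the fatal-alert result otherwise — rather than `TLS13_IO_SUCCESS`. Minor: `bio = NULL;` after `SSL_set_bio()` in `tls13_quic_init` is a dead store and can go.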
@@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_record.c,v 1.9 2021/10/23 13:12:14 jsing Exp $ */ +/* $OpenBSD: tls13_record.c,v 1.10 2022/07/22 19:33:53 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -134,7 +134,8 @@ tls13_record_recv(struct tls13_record *rec, tls_read_cb wire_read, TLS13_RECORD_HEADER_LEN, wire_read, wire_arg)) <= 0) return ret; - tls_buffer_cbs(rec->buf, &cbs); + if (!tls_buffer_data(rec->buf, &cbs)) + return TLS13_IO_FAILURE; if (!CBS_get_u8(&cbs, &content_type)) return TLS13_IO_FAILURE; diff --git a/ssl/tls13_record_layer.c b/ssl/tls13_record_layer.c index c68ee3b..4ae4e29 100644 --- a/ssl/tls13_record_layer.c +++ b/ssl/tls13_record_layer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_record_layer.c,v 1.67 2022/01/14 09:12:15 tb Exp $ */ +/* $OpenBSD: tls13_record_layer.c,v 1.72 2022/11/11 17:15:27 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * @@ -146,8 +146,8 @@ tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks, goto err; rl->legacy_version = TLS1_2_VERSION; - rl->cb = *callbacks; - rl->cb_arg = cb_arg; + + tls13_record_layer_set_callbacks(rl, callbacks, cb_arg); return rl; @@ -177,6 +177,14 @@ tls13_record_layer_free(struct tls13_record_layer *rl) freezero(rl, sizeof(struct tls13_record_layer)); } +void +tls13_record_layer_set_callbacks(struct tls13_record_layer *rl, + const struct tls13_record_layer_callbacks *callbacks, void *cb_arg) +{ + rl->cb = *callbacks; + rl->cb_arg = cb_arg; +} + void tls13_record_layer_rcontent(struct tls13_record_layer *rl, CBS *cbs) { 
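Review bot: `tls13_record_layer_set_callbacks` replaces the entire callback table by struct copy but carries no comment on its contract: a caller swapping tables after `tls13_record_layer_new` (as `tls13_quic_init` does) must supply a complete table, NULL entries are only safe for the callbacks the record layer checks before dispatching (`handshake_read`, `handshake_write`, `set_*_traffic_key`, `alert_send`, `phh_recv`), and `cb_arg` is stored, so it must stay valid for the lifetime of `rl`. Suggest a comment above the function such as `/* Replace all record layer callbacks; cb_arg must outlive rl. NULL entries for the optional callbacks fall back to the record layer's own handling. */`.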
@@ -487,16 +495,24 @@ tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, const EVP_MD *hash, int tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, - struct tls13_secret *read_key) + struct tls13_secret *read_key, enum ssl_encryption_level_t read_level) { + if (rl->cb.set_read_traffic_key != NULL) + return rl->cb.set_read_traffic_key(read_key, read_level, + rl->cb_arg); + return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, rl->read, read_key); } int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, - struct tls13_secret *write_key) + struct tls13_secret *write_key, enum ssl_encryption_level_t write_level) { + if (rl->cb.set_write_traffic_key != NULL) + return rl->cb.set_write_traffic_key(write_key, write_level, + rl->cb_arg); + return tls13_record_layer_set_traffic_key(rl->aead, rl->hash, rl->write, write_key); } @@ -545,6 +561,7 @@ tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) if (!tls13_record_content(rl->rrec, &enc_record)) goto err; + /* XXX - minus tag len? */ if ((content = calloc(1, CBS_len(&enc_record))) == NULL) goto err; content_len = CBS_len(&enc_record); @@ -834,6 +851,8 @@ tls13_record_layer_read_record(struct tls13_record_layer *rl) return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); if (ccs != 1) return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); + if (CBS_len(&cbs) != 0) + return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); rl->ccs_seen++; tls13_record_layer_rrec_free(rl); return TLS13_IO_WANT_RETRY; @@ -909,7 +928,7 @@ tls13_record_layer_recv_phh(struct tls13_record_layer *rl) * TLS13_IO_FAILURE something broke. */ if (rl->cb.phh_recv != NULL) - ret = rl->cb.phh_recv(rl->cb_arg, tls_content_cbs(rl->rcontent)); + ret = rl->cb.phh_recv(rl->cb_arg); tls_content_clear(rl->rcontent); 
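Review bot: The new `/* XXX - minus tag len? */` leaves an open question in code above `calloc(1, CBS_len(&enc_record))` in `tls13_record_layer_open_record_protected`; for the AEADs in use the ciphertext length bounds the plaintext the open can produce, so the allocation is merely generous by the tag length and is not a defect. Replace the question with the invariant, e.g. `/* Ciphertext length bounds the plaintext; this may over-allocate by the AEAD tag length. */`, so the next reader does not re-investigate it. The enclosing function continues outside the hunk.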
@@ -1128,6 +1147,9 @@ tls13_send_dummy_ccs(struct tls13_record_layer *rl) ssize_t tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) { + if (rl->cb.handshake_read != NULL) + return rl->cb.handshake_read(buf, n, rl->cb_arg); + return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n); } @@ -1135,6 +1157,9 @@ ssize_t tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, size_t n) { + if (rl->cb.handshake_write != NULL) + return rl->cb.handshake_write(buf, n, rl->cb_arg); + return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n); } @@ -1181,6 +1206,9 @@ tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL; ssize_t ret; + if (rl->cb.alert_send != NULL) + return rl->cb.alert_send(alert_desc, rl->cb_arg); + if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY || alert_desc == TLS13_ALERT_USER_CANCELED) alert_level = TLS13_ALERT_LEVEL_WARNING; diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c index 4ac84a8..75510a9 100644 --- a/ssl/tls13_server.c +++ b/ssl/tls13_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_server.c,v 1.96 2022/02/03 16:33:12 jsing Exp $ */ +/* $OpenBSD: tls13_server.c,v 1.105 2022/11/26 16:08:56 tb Exp $ */ /* * Copyright (c) 2019, 2020 Joel Sing * Copyright (c) 2020 Bob Beck @@ -18,7 +18,7 @@ #include -#include "ssl_locl.h" +#include "ssl_local.h" #include "ssl_sigalgs.h" #include "ssl_tlsext.h" #include "tls13_handshake.h" @@ -37,7 +37,7 @@ tls13_server_init(struct tls13_ctx *ctx) s->version = ctx->hs->our_max_tls_version; tls13_record_layer_set_retry_after_phh(ctx->rl, - (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); + (s->mode & SSL_MODE_AUTO_RETRY) != 0); if (!ssl_get_new_session(s, 0)) /* XXX */ return 0; 
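Review bot: In `tls13_send_alert` the `alert_send` callback is dispatched before `alert_level` is derived from `alert_desc`, so the callback receives only the description and has to re-derive warning-versus-fatal itself, and it returns straight to the caller, bypassing the `alert_sent` bookkeeping the normal path presumably performs once the alert record is out. Moving the two-line level computation above the dispatch and passing it along, `return rl->cb.alert_send(alert_level, alert_desc, rl->cb_arg);`, keeps a single definition of which alerts are warnings; the callback type is declared in tls13_internal.h outside this hunk and would change with it. The rest of the function is outside the hunk.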
@@ -108,10 +108,15 @@ tls13_client_hello_required_extensions(struct tls13_ctx *ctx) */ /* - * If we got no pre_shared_key, then signature_algorithms and - * supported_groups must both be present. + * RFC 8446 section 4.2.9 - if we received a pre_shared_key, then we + * also need psk_key_exchange_modes. Otherwise, section 9.2 specifies + * that we need both signature_algorithms and supported_groups. */ - if (!tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) { + if (tlsext_extension_seen(s, TLSEXT_TYPE_pre_shared_key)) { + if (!tlsext_extension_seen(s, + TLSEXT_TYPE_psk_key_exchange_modes)) + return 0; + } else { if (!tlsext_extension_seen(s, TLSEXT_TYPE_signature_algorithms)) return 0; if (!tlsext_extension_seen(s, TLSEXT_TYPE_supported_groups)) @@ -169,6 +174,15 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) /* Ensure we send subsequent alerts with the correct record version. */ tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); + /* + * Ensure that the client has not requested middlebox compatibility mode + * if it is prohibited from doing so. + */ + if (!ctx->middlebox_compat && CBS_len(&session_id) != 0) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + /* Add decoded values to the current ClientHello hash */ if (!tls13_clienthello_hash_init(ctx)) { ctx->alert = TLS13_ALERT_INTERNAL_ERROR; 
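Review bot: In tls13_client_hello_required_extensions the pre_shared_key branch now only demands psk_key_exchange_modes, so a ClientHello carrying a PSK but no signature_algorithms / supported_groups passes this check; if this server does not actually resume with the offered PSK and falls back to certificate authentication (which, as far as I can tell from the surrounding server code, is what happens), the later signature-algorithm and group selection then runs without the extensions RFC 8446 section 9.2 requires for that mode. Either keep requiring signature_algorithms and supported_groups when the PSK will not be used, or make sure the downstream failure surfaces as a missing_extension alert rather than a generic handshake failure. A one-line comment stating which of the two is intended, e.g. `/* PSK offered: certificate-auth extensions are checked later if we do not resume. */`, would also help.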
@@ -229,8 +243,14 @@ tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) goto err; } - /* Store legacy session identifier so we can echo it. */ - if (CBS_len(&session_id) > sizeof(ctx->hs->tls13.legacy_session_id)) { + /* + * The legacy session identifier must either be zero length or a 32 byte + * value (in which case the client is requesting middlebox compatibility + * mode), as per RFC 8446 section 4.1.2. If it is valid, store the value + * so that we can echo it back to the client. + */ + if (CBS_len(&session_id) != 0 && + CBS_len(&session_id) != sizeof(ctx->hs->tls13.legacy_session_id)) { ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; goto err; } @@ -298,7 +318,6 @@ tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) if (ctx->hs->key_share != NULL) ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; - /* XXX - check this is the correct point */ tls13_record_layer_allow_ccs(ctx->rl, 1); return 1; @@ -398,10 +417,10 @@ tls13_server_engage_record_protection(struct tls13_ctx *ctx) tls13_record_layer_set_hash(ctx->rl, ctx->hash); if (!tls13_record_layer_set_read_traffic_key(ctx->rl, - &secrets->client_handshake_traffic)) + &secrets->client_handshake_traffic, ssl_encryption_handshake)) goto err; if (!tls13_record_layer_set_write_traffic_key(ctx->rl, - &secrets->server_handshake_traffic)) + &secrets->server_handshake_traffic, ssl_encryption_handshake)) goto err; ctx->handshake_stage.hs_type |= NEGOTIATED; @@ -427,9 +446,9 @@ tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) if (ctx->hs->key_share != NULL) return 0; - if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef) + if (!tls1_get_supported_group(ctx->ssl, &nid)) return 0; - if ((ctx->hs->tls13.server_group = tls1_ec_nid2curve_id(nid)) == 0) + if (!tls1_ec_nid2group_id(nid, &ctx->hs->tls13.server_group)) return 0; if (!tls13_server_hello_build(ctx, cbb, 1)) 
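Review bot: In tls13_client_hello_process the legacy_session_id field is now validated in two separate places — the middlebox-compat prohibition earlier in the same function and the zero-or-32-byte check in this hunk — with the ClientHello hash setup in between, so the invariant "empty, or exactly 32 bytes and only when compatibility mode is allowed" has to be assembled by the reader from two comments. Both checks raise the same TLS13_ALERT_ILLEGAL_PARAMETER and goto err, so folding them into one block ahead of the hash init preserves behaviour: `if (CBS_len(&session_id) != 0 && (!ctx->middlebox_compat || CBS_len(&session_id) != sizeof(ctx->hs->tls13.legacy_session_id)))`. Then a single RFC 8446 section 4.1.2 comment covers the whole rule.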
@@ -637,7 +656,7 @@ tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) if ((chain = cpk->chain) == NULL) chain = s->ctx->extra_certs; - if (chain == NULL && !(s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { + if (chain == NULL && !(s->mode & SSL_MODE_NO_AUTO_CHAIN)) { if ((xsc = X509_STORE_CTX_new()) == NULL) goto err; if (!X509_STORE_CTX_init(xsc, s->ctx->cert_store, cpk->x509, NULL)) @@ -845,7 +864,7 @@ tls13_server_finished_sent(struct tls13_ctx *ctx) * using the server application traffic keys. */ return tls13_record_layer_set_write_traffic_key(ctx->rl, - &secrets->server_application_traffic); + &secrets->server_application_traffic, ssl_encryption_application); } int @@ -855,9 +874,7 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) struct stack_st_X509 *certs = NULL; SSL *s = ctx->ssl; X509 *cert = NULL; - EVP_PKEY *pkey; const uint8_t *p; - int cert_type; int ret = 0; if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) @@ -906,31 +923,11 @@ tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) "failed to verify peer certificate", NULL); goto err; } + s->session->verify_result = s->verify_result; ERR_clear_error(); - /* - * Achtung! Due to API inconsistency, a client includes the peer's leaf - * certificate in the stored certificate chain, while a server does not. - */ - cert = sk_X509_shift(certs); - - if ((pkey = X509_get0_pubkey(cert)) == NULL) + if (!tls_process_peer_certs(s, certs)) goto err; - if (EVP_PKEY_missing_parameters(pkey)) - goto err; - if ((cert_type = ssl_cert_type(pkey)) < 0) - goto err; - - X509_up_ref(cert); - X509_free(s->session->peer_cert); - s->session->peer_cert = cert; - s->session->peer_cert_type = cert_type; - - s->session->verify_result = s->verify_result; - - sk_X509_pop_free(s->session->cert_chain, X509_free); - s->session->cert_chain = certs; - certs = NULL; ctx->handshake_stage.hs_type |= WITH_CCV; ret = 1; 
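Review bot: In tls13_client_certificate_recv `s->session->verify_result = s->verify_result;` now runs before tls_process_peer_certs, so a failure inside that helper leaves the session with a verify result but no matching peer_cert; the handshake aborts anyway, so the impact is limited, but moving the assignment after the `if (!tls_process_peer_certs(s, certs)) goto err;` keeps the session state all-or-nothing. More importantly, the removed code used to populate `s->session->cert_chain`, and the replacement stores the chain in `s->s3->hs.peer_certs` instead; I cannot see from this diff whether consumers such as SSL_get_peer_cert_chain were switched to the handshake copy, so please confirm nothing still reads session->cert_chain for a TLS 1.3 server. A comment on the helper call noting that the chain now lives in hs.peer_certs would save the next reader the same question.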
@@ -1089,7 +1086,7 @@ tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) * using the client application traffic keys. */ if (!tls13_record_layer_set_read_traffic_key(ctx->rl, - &secrets->client_application_traffic)) + &secrets->client_application_traffic, ssl_encryption_application)) goto err; tls13_record_layer_allow_ccs(ctx->rl, 0); diff --git a/ssl/tls_buffer.c b/ssl/tls_buffer.c index 5c0ca7e..517d66d 100644 --- a/ssl/tls_buffer.c +++ b/ssl/tls_buffer.c @@ -1,6 +1,6 @@ -/* $OpenBSD: tls_buffer.c,v 1.1 2021/10/23 13:12:14 jsing Exp $ */ +/* $OpenBSD: tls_buffer.c,v 1.4 2022/11/10 18:06:37 jsing Exp $ */ /* - * Copyright (c) 2018, 2019 Joel Sing + * Copyright (c) 2018, 2019, 2022 Joel Sing * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -21,8 +21,11 @@ #include "bytestring.h" #include "tls_internal.h" +#define TLS_BUFFER_CAPACITY_LIMIT (1024 * 1024) + struct tls_buffer { size_t capacity; + size_t capacity_limit; uint8_t *data; size_t len; size_t offset; @@ -38,6 +41,8 @@ tls_buffer_new(size_t init_size) if ((buf = calloc(1, sizeof(struct tls_buffer))) == NULL) goto err; + buf->capacity_limit = TLS_BUFFER_CAPACITY_LIMIT; + if (!tls_buffer_resize(buf, init_size)) goto err; 
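Review bot: In tls_buffer_new the capacity limit is installed before the initial tls_buffer_resize, so any caller passing an init_size above TLS_BUFFER_CAPACITY_LIMIT (1 MiB) now gets NULL, and there is no way to raise the limit first because tls_buffer_set_capacity_limit needs an already-constructed buffer. That is a sensible memory bound against a peer that keeps us buffering, but it is a silent behaviour change for existing callers and the constant has no explanation. Document it where it is defined, e.g. `/* Default cap on bytes a tls_buffer will hold; bounds what an unauthenticated peer can make us keep in memory. Per-buffer override via tls_buffer_set_capacity_limit(). */`, and grep callers of tls_buffer_new for init sizes near or above the limit.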
@@ -49,40 +54,75 @@ tls_buffer_new(size_t init_size) return NULL; } +void +tls_buffer_clear(struct tls_buffer *buf) +{ + freezero(buf->data, buf->capacity); + + buf->data = NULL; + buf->capacity = 0; + buf->len = 0; + buf->offset = 0; +} + void tls_buffer_free(struct tls_buffer *buf) { if (buf == NULL) return; - freezero(buf->data, buf->capacity); + tls_buffer_clear(buf); + freezero(buf, sizeof(struct tls_buffer)); } +static int +tls_buffer_grow(struct tls_buffer *buf, size_t capacity) +{ + if (buf->capacity >= capacity) + return 1; + + return tls_buffer_resize(buf, capacity); +} + static int tls_buffer_resize(struct tls_buffer *buf, size_t capacity) { uint8_t *data; + /* + * XXX - Consider maintaining a minimum size and growing more + * intelligently (rather than exactly). + */ if (buf->capacity == capacity) return 1; + if (capacity > buf->capacity_limit) + return 0; + if ((data = recallocarray(buf->data, buf->capacity, capacity, 1)) == NULL) return 0; buf->data = data; buf->capacity = capacity; + /* Ensure that len and offset are valid if capacity decreased. */ + if (buf->len > buf->capacity) + buf->len = buf->capacity; + if (buf->offset > buf->len) + buf->offset = buf->len; + return 1; } -int -tls_buffer_set_data(struct tls_buffer *buf, CBS *data) +void +tls_buffer_set_capacity_limit(struct tls_buffer *buf, size_t limit) { - if (!tls_buffer_resize(buf, CBS_len(data))) - return 0; - memcpy(buf->data, CBS_data(data), CBS_len(data)); - return 1; + /* + * XXX - do we want to force a resize if this limit is less than current + * capacity... and what do we do with existing data? Force a clear? + */ + buf->capacity_limit = limit; } ssize_t 
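Review bot: tls_buffer_set_capacity_limit only records the new value, so lowering the limit below the current capacity leaves an over-limit buffer in place — tls_buffer_resize rejects only growth beyond the limit and never shrinks — and the XXX admits the question is unresolved. Since tls_buffer_clear now exists, either pick "future growth only" and say so, `/* Applies to subsequent growth only; data already buffered above the new limit is retained. */`, or make the caller choose by returning 0 when `buf->capacity > limit` so it can clear explicitly. Separately, the len/offset clamping added to tls_buffer_resize silently truncates buffered data on a shrink; nothing in this diff shrinks, so a comment noting that a shrink discards data would keep a future caller from tripping over it.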
@@ -115,10 +155,88 @@ tls_buffer_extend(struct tls_buffer *buf, size_t len, } } -void -tls_buffer_cbs(struct tls_buffer *buf, CBS *cbs) +size_t +tls_buffer_remaining(struct tls_buffer *buf) { - CBS_init(cbs, buf->data, buf->len); + if (buf->offset > buf->len) + return 0; + + return buf->len - buf->offset; +} + +ssize_t +tls_buffer_read(struct tls_buffer *buf, uint8_t *rbuf, size_t n) +{ + if (buf->offset > buf->len) + return TLS_IO_FAILURE; + + if (buf->offset == buf->len) + return TLS_IO_WANT_POLLIN; + + if (n > buf->len - buf->offset) + n = buf->len - buf->offset; + + memcpy(rbuf, &buf->data[buf->offset], n); + + buf->offset += n; + + return n; +} + +ssize_t +tls_buffer_write(struct tls_buffer *buf, const uint8_t *wbuf, size_t n) +{ + if (buf->offset > buf->len) + return TLS_IO_FAILURE; + + /* + * To avoid continually growing the buffer, pull data up to the + * start of the buffer. If all data has been read then we can simply + * reset, otherwise wait until we're going to save at least 4KB of + * memory to reduce overhead. + */ + if (buf->offset == buf->len) { + buf->len = 0; + buf->offset = 0; + } + if (buf->offset >= 4096) { + memmove(buf->data, &buf->data[buf->offset], + buf->len - buf->offset); + buf->len -= buf->offset; + buf->offset = 0; + } + + if (buf->len > SIZE_MAX - n) + return TLS_IO_FAILURE; + if (!tls_buffer_grow(buf, buf->len + n)) + return TLS_IO_FAILURE; + + memcpy(&buf->data[buf->len], wbuf, n); + + buf->len += n; + + return n; +} + +int +tls_buffer_append(struct tls_buffer *buf, const uint8_t *wbuf, size_t n) +{ + return tls_buffer_write(buf, wbuf, n) == n; +} + +int +tls_buffer_data(struct tls_buffer *buf, CBS *out_cbs) +{ + CBS cbs; + + CBS_init(&cbs, buf->data, buf->len); + + if (!CBS_skip(&cbs, buf->offset)) + return 0; + + CBS_dup(&cbs, out_cbs); + + return 1; } int 
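Review bot: tls_buffer_append compares the ssize_t result of tls_buffer_write directly with the size_t n, so a TLS_IO_FAILURE return is converted to a huge unsigned value before the comparison; it only works today because n can never be SIZE_MAX after the overflow and limit checks in tls_buffer_write. Make the failure case explicit: `ssize_t ret = tls_buffer_write(buf, wbuf, n);` followed by `return ret >= 0 && (size_t)ret == n;`. Also worth a comment in tls_buffer_read: a caller passing n == 0 while data is pending gets 0 back, which looks like the TLS_IO_WANT_POLLIN/EOF-ish cases to a reader of the return convention, so state that 0 means "nothing requested", not "nothing available".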
@@ -130,9 +248,10 @@ tls_buffer_finish(struct tls_buffer *buf, uint8_t **out, size_t *out_len) *out = buf->data; *out_len = buf->len; - buf->capacity = 0; buf->data = NULL; + buf->capacity = 0; buf->len = 0; + buf->offset = 0; return 1; } diff --git a/ssl/tls_content.c b/ssl/tls_content.c index ede178f..726de0f 100644 --- a/ssl/tls_content.c +++ b/ssl/tls_content.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_content.c,v 1.1 2021/09/04 16:26:12 jsing Exp $ */ +/* $OpenBSD: tls_content.c,v 1.2 2022/11/11 17:15:27 jsing Exp $ */ /* * Copyright (c) 2020 Joel Sing * @@ -26,7 +26,7 @@ struct tls_content { uint16_t epoch; const uint8_t *data; - size_t len; + size_t data_len; CBS cbs; }; @@ -39,7 +39,7 @@ tls_content_new(void) void tls_content_clear(struct tls_content *content) { - freezero((void *)content->data, content->len); + freezero((void *)content->data, content->data_len); memset(content, 0, sizeof(*content)); } @@ -113,9 +113,24 @@ tls_content_set_data(struct tls_content *content, uint8_t type, content->type = type; content->data = data; - content->len = data_len; + content->data_len = data_len; - CBS_init(&content->cbs, content->data, content->len); + CBS_init(&content->cbs, content->data, content->data_len); +} + +int +tls_content_set_bounds(struct tls_content *content, size_t offset, size_t len) +{ + size_t content_len; + + content_len = offset + len; + if (content_len < len) + return 0; + if (content_len > content->data_len) + return 0; + + CBS_init(&content->cbs, content->data, content_len); + return CBS_skip(&content->cbs, offset); } static ssize_t diff --git a/ssl/tls_content.h b/ssl/tls_content.h index 173af2a..b807248 100644 --- a/ssl/tls_content.h +++ b/ssl/tls_content.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_content.h,v 1.1 2021/09/04 16:26:12 jsing Exp $ */ +/* $OpenBSD: tls_content.h,v 1.2 2022/11/11 17:15:27 jsing Exp $ */ /* * Copyright (c) 2020 Joel Sing * 
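Review bot: tls_buffer_finish hands the caller `buf->data` with `*out_len = buf->len` and ignores `buf->offset`, so if anything was consumed through the new tls_buffer_read first, the caller receives those bytes again; the added `buf->offset = 0;` reset shows offset is now real state for this struct, which makes the omission look accidental rather than deliberate. If finish is only ever used on buffers that were written and never read, guard the assumption, e.g. `if (buf->offset != 0) return 0;` with a comment, otherwise return the unread tail. I cannot see the callers of tls_buffer_finish in this diff, so please check which it is.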
@@ -38,6 +38,8 @@ int tls_content_dup_data(struct tls_content *content, uint8_t type, const uint8_t *data, size_t data_len); void tls_content_set_data(struct tls_content *content, uint8_t type, const uint8_t *data, size_t data_len); +int tls_content_set_bounds(struct tls_content *content, size_t offset, + size_t len); void tls_content_set_epoch(struct tls_content *content, uint16_t epoch); ssize_t tls_content_peek(struct tls_content *content, uint8_t *buf, size_t n); diff --git a/ssl/tls_internal.h b/ssl/tls_internal.h index a009635..84edde8 100644 --- a/ssl/tls_internal.h +++ b/ssl/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.5 2022/01/11 18:28:41 jsing Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.10 2022/11/10 18:06:37 jsing Exp $ */ /* * Copyright (c) 2018, 2019, 2021 Joel Sing * @@ -33,6 +33,10 @@ __BEGIN_HIDDEN_DECLS #define TLS_IO_WANT_POLLOUT -4 #define TLS_IO_WANT_RETRY -5 /* Retry the previous call immediately. */ +enum ssl_encryption_level_t; + +struct tls13_secret; + /* * Callbacks. */ 
@@ -41,17 +45,30 @@ typedef ssize_t (*tls_write_cb)(const void *_buf, size_t _buflen, void *_cb_arg); typedef ssize_t (*tls_flush_cb)(void *_cb_arg); +typedef ssize_t (*tls_handshake_read_cb)(void *_buf, size_t _buflen, + void *_cb_arg); +typedef ssize_t (*tls_handshake_write_cb)(const void *_buf, size_t _buflen, + void *_cb_arg); +typedef int (*tls_traffic_key_cb)(struct tls13_secret *key, + enum ssl_encryption_level_t level, void *_cb_arg); +typedef int (*tls_alert_send_cb)(int _alert_desc, void *_cb_arg); + /* * Buffers. */ struct tls_buffer; struct tls_buffer *tls_buffer_new(size_t init_size); -int tls_buffer_set_data(struct tls_buffer *buf, CBS *data); +void tls_buffer_clear(struct tls_buffer *buf); void tls_buffer_free(struct tls_buffer *buf); +void tls_buffer_set_capacity_limit(struct tls_buffer *buf, size_t limit); ssize_t tls_buffer_extend(struct tls_buffer *buf, size_t len, tls_read_cb read_cb, void *cb_arg); -void tls_buffer_cbs(struct tls_buffer *buf, CBS *cbs); +size_t tls_buffer_remaining(struct tls_buffer *buf); +ssize_t tls_buffer_read(struct tls_buffer *buf, uint8_t *rbuf, size_t n); +ssize_t tls_buffer_write(struct tls_buffer *buf, const uint8_t *wbuf, size_t n); +int tls_buffer_append(struct tls_buffer *buf, const uint8_t *wbuf, size_t n); +int tls_buffer_data(struct tls_buffer *buf, CBS *cbs); int tls_buffer_finish(struct tls_buffer *buf, uint8_t **out, size_t *out_len); /* @@ -77,6 +94,7 @@ int tls_key_share_peer_public(struct tls_key_share *ks, CBS *cbs, int *decode_error, int *invalid_key); int tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key, size_t *shared_key_len); +int tls_key_share_peer_security(const SSL *ssl, struct tls_key_share *ks); __END_HIDDEN_DECLS diff --git a/ssl/tls_key_share.c b/ssl/tls_key_share.c index e5e6c30..cf7b1da 100644 --- a/ssl/tls_key_share.c +++ b/ssl/tls_key_share.c 
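Review bot: The new tls_traffic_key_cb typedef names its parameters `key` and `level` while every other callback typedef in this block uses the underscore-prefixed form (`_buf`, `_buflen`, `_cb_arg`, `_alert_desc`); keep the header consistent: `typedef int (*tls_traffic_key_cb)(struct tls13_secret *_key, enum ssl_encryption_level_t _level, void *_cb_arg);`. The four new callback types also carry no contract at all — from the record-layer call sites I infer that the read/write callbacks follow the TLS13_IO_* convention and the key callback returns 1 on success, but that should be stated here, e.g. `/* Handshake I/O callbacks return a byte count or a TLS_IO_* code; the traffic-key callback returns 1 on success. */`. Likewise the new tls_buffer_* prototypes would benefit from one line each describing offset/len semantics now that the buffer has a read cursor.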
@@ -1,4 +1,4 @@ -/* $OpenBSD: tls_key_share.c,v 1.4 2022/01/11 18:28:41 jsing Exp $ */ +/* $OpenBSD: tls_key_share.c,v 1.8 2022/11/26 16:08:56 tb Exp $ */ /* * Copyright (c) 2020, 2021 Joel Sing * @@ -23,7 +23,7 @@ #include #include "bytestring.h" -#include "ssl_locl.h" +#include "ssl_local.h" #include "tls_internal.h" struct tls_key_share { @@ -61,7 +61,7 @@ tls_key_share_new(uint16_t group_id) { int nid; - if ((nid = tls1_ec_curve_id2nid(group_id)) == 0) + if (!tls1_ec_group_id2nid(group_id, &nid)) return NULL; return tls_key_share_new_internal(nid, group_id); @@ -73,7 +73,7 @@ tls_key_share_new_nid(int nid) uint16_t group_id = 0; if (nid != NID_dhKeyAgreement) { - if ((group_id = tls1_ec_nid2curve_id(nid)) == 0) + if (!tls1_ec_nid2group_id(nid, &group_id)) return NULL; } @@ -471,3 +471,14 @@ tls_key_share_derive(struct tls_key_share *ks, uint8_t **shared_key, return tls_key_share_derive_ecdhe_ecp(ks, shared_key, shared_key_len); } + +int +tls_key_share_peer_security(const SSL *ssl, struct tls_key_share *ks) +{ + switch (ks->nid) { + case NID_dhKeyAgreement: + return ssl_security_dh(ssl, ks->dhe_peer); + default: + return 0; + } +} diff --git a/ssl/tls_lib.c b/ssl/tls_lib.c new file mode 100644 index 0000000..db734c3 --- /dev/null +++ b/ssl/tls_lib.c 
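Review bot: tls_key_share_peer_security returns 0 for every group other than NID_dhKeyAgreement, so it fails closed for ECDHE key shares and must only be called on the finite-field DH path, or every ECDHE handshake would be rejected; that is the right default but the function says nothing about it, and its name suggests a general check. Add a comment above the switch: `/* Only finite-field DH peer keys are subject to a security-level check here; any other group fails closed, so callers must invoke this on the DHE path only. */`. I cannot see the call sites in this diff, so I am assuming they are already restricted to DHE.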
@@ -0,0 +1,68 @@ +/* $OpenBSD: tls_lib.c,v 1.3 2022/11/26 16:08:56 tb Exp $ */ +/* + * Copyright (c) 2019, 2021 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "ssl_local.h" + +int +tls_process_peer_certs(SSL *s, STACK_OF(X509) *peer_certs) +{ + STACK_OF(X509) *peer_certs_no_leaf; + X509 *peer_cert = NULL; + EVP_PKEY *pkey; + int cert_type; + int ret = 0; + + if (sk_X509_num(peer_certs) < 1) + goto err; + peer_cert = sk_X509_value(peer_certs, 0); + X509_up_ref(peer_cert); + + if ((pkey = X509_get0_pubkey(peer_cert)) == NULL) { + SSLerror(s, SSL_R_NO_PUBLICKEY); + goto err; + } + if (EVP_PKEY_missing_parameters(pkey)) { + SSLerror(s, SSL_R_UNABLE_TO_FIND_PUBLIC_KEY_PARAMETERS); + goto err; + } + if ((cert_type = ssl_cert_type(pkey)) < 0) { + SSLerror(s, SSL_R_UNKNOWN_CERTIFICATE_TYPE); + goto err; + } + + s->session->peer_cert_type = cert_type; + + X509_free(s->session->peer_cert); + s->session->peer_cert = peer_cert; + peer_cert = NULL; + + sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); + if ((s->s3->hs.peer_certs = X509_chain_up_ref(peer_certs)) == NULL) + goto err; + + if ((peer_certs_no_leaf = X509_chain_up_ref(peer_certs)) == NULL) + goto err; + X509_free(sk_X509_shift(peer_certs_no_leaf)); + sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); 
+ s->s3->hs.peer_certs_no_leaf = peer_certs_no_leaf; + + ret = 1; + err: + X509_free(peer_cert); + + return ret; +} diff --git a/tap-driver.sh b/tap-driver.sh deleted file mode 100755 index 0ca4903..0000000 --- a/tap-driver.sh +++ /dev/null 
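Review bot: In tls_process_peer_certs the session's peer_cert and the handshake's peer_certs are published before the second X509_chain_up_ref, so if building peer_certs_no_leaf fails the function returns 0 with `s->session->peer_cert` and `s->s3->hs.peer_certs` already replaced while `hs.peer_certs_no_leaf` still holds the previous chain; the handshake aborts on the 0 return, so the window is small, but the inconsistent state is avoidable. Build both chain copies first, then install everything, and free an unpublished no-leaf chain on the error path (this needs `peer_certs_no_leaf` initialised to NULL; sk_X509_pop_free tolerates NULL as far as I know). A one-line header comment stating the ownership rule — the caller keeps its reference to peer_certs, the function takes its own — would also help.
```c
	/* Build both chain views before publishing anything into s. */
	if ((peer_certs_no_leaf = X509_chain_up_ref(peer_certs)) == NULL)
		goto err;
	X509_free(sk_X509_shift(peer_certs_no_leaf));

	s->session->peer_cert_type = cert_type;

	X509_free(s->session->peer_cert);
	s->session->peer_cert = peer_cert;
	peer_cert = NULL;

	sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
	if ((s->s3->hs.peer_certs = X509_chain_up_ref(peer_certs)) == NULL)
		goto err;

	sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
	s->s3->hs.peer_certs_no_leaf = peer_certs_no_leaf;
	peer_certs_no_leaf = NULL;

	ret = 1;
 err:
	X509_free(peer_cert);
	sk_X509_pop_free(peer_certs_no_leaf, X509_free);

	return ret;
```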
@@ -1,651 +0,0 @@ -#! /bin/sh -# Copyright (C) 2011-2020 Free Software Foundation, Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# This file is maintained in Automake, please report -# bugs to or send patches to -# . - -scriptversion=2013-12-23.17; # UTC - -# Make unconditional expansion of undefined variables an error. This -# helps a lot in preventing typo-related bugs. -set -u - -me=tap-driver.sh - -fatal () -{ - echo "$me: fatal: $*" >&2 - exit 1 -} - -usage_error () -{ - echo "$me: $*" >&2 - print_usage >&2 - exit 2 -} - -print_usage () -{ - cat < - # - trap : 1 3 2 13 15 - if test $merge -gt 0; then - exec 2>&1 - else - exec 2>&3 - fi - "$@" - echo $? - ) | LC_ALL=C ${AM_TAP_AWK-awk} \ - -v me="$me" \ - -v test_script_name="$test_name" \ - -v log_file="$log_file" \ - -v trs_file="$trs_file" \ - -v expect_failure="$expect_failure" \ - -v merge="$merge" \ - -v ignore_exit="$ignore_exit" \ - -v comments="$comments" \ - -v diag_string="$diag_string" \ -' -# TODO: the usages of "cat >&3" below could be optimized when using -# GNU awk, and/on on systems that supports /dev/fd/. 
- -# Implementation note: in what follows, `result_obj` will be an -# associative array that (partly) simulates a TAP result object -# from the `TAP::Parser` perl module. - -## ----------- ## -## FUNCTIONS ## -## ----------- ## - -function fatal(msg) -{ - print me ": " msg | "cat >&2" - exit 1 -} - -function abort(where) -{ - fatal("internal error " where) -} - -# Convert a boolean to a "yes"/"no" string. -function yn(bool) -{ - return bool ? "yes" : "no"; -} - -function add_test_result(result) -{ - if (!test_results_index) - test_results_index = 0 - test_results_list[test_results_index] = result - test_results_index += 1 - test_results_seen[result] = 1; -} - -# Whether the test script should be re-run by "make recheck". -function must_recheck() -{ - for (k in test_results_seen) - if (k != "XFAIL" && k != "PASS" && k != "SKIP") - return 1 - return 0 -} - -# Whether the content of the log file associated to this test should -# be copied into the "global" test-suite.log. -function copy_in_global_log() -{ - for (k in test_results_seen) - if (k != "PASS") - return 1 - return 0 -} - -function get_global_test_result() -{ - if ("ERROR" in test_results_seen) - return "ERROR" - if ("FAIL" in test_results_seen || "XPASS" in test_results_seen) - return "FAIL" - all_skipped = 1 - for (k in test_results_seen) - if (k != "SKIP") - all_skipped = 0 - if (all_skipped) - return "SKIP" - return "PASS"; -} - -function stringify_result_obj(result_obj) -{ - if (result_obj["is_unplanned"] || result_obj["number"] != testno) - return "ERROR" - - if (plan_seen == LATE_PLAN) - return "ERROR" - - if (result_obj["directive"] == "TODO") - return result_obj["is_ok"] ? "XPASS" : "XFAIL" - - if (result_obj["directive"] == "SKIP") - return result_obj["is_ok"] ? "SKIP" : COOKED_FAIL; - - if (length(result_obj["directive"])) - abort("in function stringify_result_obj()") - - return result_obj["is_ok"] ? 
COOKED_PASS : COOKED_FAIL -} - -function decorate_result(result) -{ - color_name = color_for_result[result] - if (color_name) - return color_map[color_name] "" result "" color_map["std"] - # If we are not using colorized output, or if we do not know how - # to colorize the given result, we should return it unchanged. - return result -} - -function report(result, details) -{ - if (result ~ /^(X?(PASS|FAIL)|SKIP|ERROR)/) - { - msg = ": " test_script_name - add_test_result(result) - } - else if (result == "#") - { - msg = " " test_script_name ":" - } - else - { - abort("in function report()") - } - if (length(details)) - msg = msg " " details - # Output on console might be colorized. - print decorate_result(result) msg - # Log the result in the log file too, to help debugging (this is - # especially true when said result is a TAP error or "Bail out!"). - print result msg | "cat >&3"; -} - -function testsuite_error(error_message) -{ - report("ERROR", "- " error_message) -} - -function handle_tap_result() -{ - details = result_obj["number"]; - if (length(result_obj["description"])) - details = details " " result_obj["description"] - - if (plan_seen == LATE_PLAN) - { - details = details " # AFTER LATE PLAN"; - } - else if (result_obj["is_unplanned"]) - { - details = details " # UNPLANNED"; - } - else if (result_obj["number"] != testno) - { - details = sprintf("%s # OUT-OF-ORDER (expecting %d)", - details, testno); - } - else if (result_obj["directive"]) - { - details = details " # " result_obj["directive"]; - if (length(result_obj["explanation"])) - details = details " " result_obj["explanation"] - } - - report(stringify_result_obj(result_obj), details) -} - -# `skip_reason` should be empty whenever planned > 0. 
-function handle_tap_plan(planned, skip_reason) -{ - planned += 0 # Avoid getting confused if, say, `planned` is "00" - if (length(skip_reason) && planned > 0) - abort("in function handle_tap_plan()") - if (plan_seen) - { - # Error, only one plan per stream is acceptable. - testsuite_error("multiple test plans") - return; - } - planned_tests = planned - # The TAP plan can come before or after *all* the TAP results; we speak - # respectively of an "early" or a "late" plan. If we see the plan line - # after at least one TAP result has been seen, assume we have a late - # plan; in this case, any further test result seen after the plan will - # be flagged as an error. - plan_seen = (testno >= 1 ? LATE_PLAN : EARLY_PLAN) - # If testno > 0, we have an error ("too many tests run") that will be - # automatically dealt with later, so do not worry about it here. If - # $plan_seen is true, we have an error due to a repeated plan, and that - # has already been dealt with above. Otherwise, we have a valid "plan - # with SKIP" specification, and should report it as a particular kind - # of SKIP result. - if (planned == 0 && testno == 0) - { - if (length(skip_reason)) - skip_reason = "- " skip_reason; - report("SKIP", skip_reason); - } -} - -function extract_tap_comment(line) -{ - if (index(line, diag_string) == 1) - { - # Strip leading `diag_string` from `line`. - line = substr(line, length(diag_string) + 1) - # And strip any leading and trailing whitespace left. - sub("^[ \t]*", "", line) - sub("[ \t]*$", "", line) - # Return what is left (if any). - return line; - } - return ""; -} - -# When this function is called, we know that line is a TAP result line, -# so that it matches the (perl) RE "^(not )?ok\b". -function setup_result_obj(line) -{ - # Get the result, and remove it from the line. - result_obj["is_ok"] = (substr(line, 1, 2) == "ok" ? 
1 : 0) - sub("^(not )?ok[ \t]*", "", line) - - # If the result has an explicit number, get it and strip it; otherwise, - # automatically assign the next test number to it. - if (line ~ /^[0-9]+$/ || line ~ /^[0-9]+[^a-zA-Z0-9_]/) - { - match(line, "^[0-9]+") - # The final `+ 0` is to normalize numbers with leading zeros. - result_obj["number"] = substr(line, 1, RLENGTH) + 0 - line = substr(line, RLENGTH + 1) - } - else - { - result_obj["number"] = testno - } - - if (plan_seen == LATE_PLAN) - # No further test results are acceptable after a "late" TAP plan - # has been seen. - result_obj["is_unplanned"] = 1 - else if (plan_seen && testno > planned_tests) - result_obj["is_unplanned"] = 1 - else - result_obj["is_unplanned"] = 0 - - # Strip trailing and leading whitespace. - sub("^[ \t]*", "", line) - sub("[ \t]*$", "", line) - - # This will have to be corrected if we have a "TODO"/"SKIP" directive. - result_obj["description"] = line - result_obj["directive"] = "" - result_obj["explanation"] = "" - - if (index(line, "#") == 0) - return # No possible directive, nothing more to do. - - # Directives are case-insensitive. - rx = "[ \t]*#[ \t]*([tT][oO][dD][oO]|[sS][kK][iI][pP])[ \t]*" - - # See whether we have the directive, and if yes, where. - pos = match(line, rx "$") - if (!pos) - pos = match(line, rx "[^a-zA-Z0-9_]") - - # If there was no TAP directive, we have nothing more to do. - if (!pos) - return - - # Let`s now see if the TAP directive has been escaped. For example: - # escaped: ok \# SKIP - # not escaped: ok \\# SKIP - # escaped: ok \\\\\# SKIP - # not escaped: ok \ # SKIP - if (substr(line, pos, 1) == "#") - { - bslash_count = 0 - for (i = pos; i > 1 && substr(line, i - 1, 1) == "\\"; i--) - bslash_count += 1 - if (bslash_count % 2) - return # Directive was escaped. - } - - # Strip the directive and its explanation (if any) from the test - # description. 
- result_obj["description"] = substr(line, 1, pos - 1) - # Now remove the test description from the line, that has been dealt - # with already. - line = substr(line, pos) - # Strip the directive, and save its value (normalized to upper case). - sub("^[ \t]*#[ \t]*", "", line) - result_obj["directive"] = toupper(substr(line, 1, 4)) - line = substr(line, 5) - # Now get the explanation for the directive (if any), with leading - # and trailing whitespace removed. - sub("^[ \t]*", "", line) - sub("[ \t]*$", "", line) - result_obj["explanation"] = line -} - -function get_test_exit_message(status) -{ - if (status == 0) - return "" - if (status !~ /^[1-9][0-9]*$/) - abort("getting exit status") - if (status < 127) - exit_details = "" - else if (status == 127) - exit_details = " (command not found?)" - else if (status >= 128 && status <= 255) - exit_details = sprintf(" (terminated by signal %d?)", status - 128) - else if (status > 256 && status <= 384) - # We used to report an "abnormal termination" here, but some Korn - # shells, when a child process die due to signal number n, can leave - # in $? an exit status of 256+n instead of the more standard 128+n. - # Apparently, both behaviours are allowed by POSIX (2008), so be - # prepared to handle them both. See also Austing Group report ID - # 0000051 - exit_details = sprintf(" (terminated by signal %d?)", status - 256) - else - # Never seen in practice. 
- exit_details = " (abnormal termination)" - return sprintf("exited with status %d%s", status, exit_details) -} - -function write_test_results() -{ - print ":global-test-result: " get_global_test_result() > trs_file - print ":recheck: " yn(must_recheck()) > trs_file - print ":copy-in-global-log: " yn(copy_in_global_log()) > trs_file - for (i = 0; i < test_results_index; i += 1) - print ":test-result: " test_results_list[i] > trs_file - close(trs_file); -} - -BEGIN { - -## ------- ## -## SETUP ## -## ------- ## - -'"$init_colors"' - -# Properly initialized once the TAP plan is seen. -planned_tests = 0 - -COOKED_PASS = expect_failure ? "XPASS": "PASS"; -COOKED_FAIL = expect_failure ? "XFAIL": "FAIL"; - -# Enumeration-like constants to remember which kind of plan (if any) -# has been seen. It is important that NO_PLAN evaluates "false" as -# a boolean. -NO_PLAN = 0 -EARLY_PLAN = 1 -LATE_PLAN = 2 - -testno = 0 # Number of test results seen so far. -bailed_out = 0 # Whether a "Bail out!" directive has been seen. - -# Whether the TAP plan has been seen or not, and if yes, which kind -# it is ("early" is seen before any test result, "late" otherwise). -plan_seen = NO_PLAN - -## --------- ## -## PARSING ## -## --------- ## - -is_first_read = 1 - -while (1) - { - # Involutions required so that we are able to read the exit status - # from the last input line. - st = getline - if (st < 0) # I/O error. - fatal("I/O error while reading from input stream") - else if (st == 0) # End-of-input - { - if (is_first_read) - abort("in input loop: only one input line") - break - } - if (is_first_read) - { - is_first_read = 0 - nextline = $0 - continue - } - else - { - curline = nextline - nextline = $0 - $0 = curline - } - # Copy any input line verbatim into the log file. - print | "cat >&3" - # Parsing of TAP input should stop after a "Bail out!" directive. - if (bailed_out) - continue - - # TAP test result. 
- if ($0 ~ /^(not )?ok$/ || $0 ~ /^(not )?ok[^a-zA-Z0-9_]/) - { - testno += 1 - setup_result_obj($0) - handle_tap_result() - } - # TAP plan (normal or "SKIP" without explanation). - else if ($0 ~ /^1\.\.[0-9]+[ \t]*$/) - { - # The next two lines will put the number of planned tests in $0. - sub("^1\\.\\.", "") - sub("[^0-9]*$", "") - handle_tap_plan($0, "") - continue - } - # TAP "SKIP" plan, with an explanation. - else if ($0 ~ /^1\.\.0+[ \t]*#/) - { - # The next lines will put the skip explanation in $0, stripping - # any leading and trailing whitespace. This is a little more - # tricky in truth, since we want to also strip a potential leading - # "SKIP" string from the message. - sub("^[^#]*#[ \t]*(SKIP[: \t][ \t]*)?", "") - sub("[ \t]*$", ""); - handle_tap_plan(0, $0) - } - # "Bail out!" magic. - # Older versions of prove and TAP::Harness (e.g., 3.17) did not - # recognize a "Bail out!" directive when preceded by leading - # whitespace, but more modern versions (e.g., 3.23) do. So we - # emulate the latter, "more modern" behaviour. - else if ($0 ~ /^[ \t]*Bail out!/) - { - bailed_out = 1 - # Get the bailout message (if any), with leading and trailing - # whitespace stripped. The message remains stored in `$0`. - sub("^[ \t]*Bail out![ \t]*", ""); - sub("[ \t]*$", ""); - # Format the error message for the - bailout_message = "Bail out!" - if (length($0)) - bailout_message = bailout_message " " $0 - testsuite_error(bailout_message) - } - # Maybe we have too look for dianogtic comments too. - else if (comments != 0) - { - comment = extract_tap_comment($0); - if (length(comment)) - report("#", comment); - } - } - -## -------- ## -## FINISH ## -## -------- ## - -# A "Bail out!" directive should cause us to ignore any following TAP -# error, as well as a non-zero exit status from the TAP producer. -if (!bailed_out) - { - if (!plan_seen) - { - testsuite_error("missing test plan") - } - else if (planned_tests != testno) - { - bad_amount = testno > planned_tests ? 
"many" : "few" - testsuite_error(sprintf("too %s tests run (expected %d, got %d)", - bad_amount, planned_tests, testno)) - } - if (!ignore_exit) - { - # Fetch exit status from the last line. - exit_message = get_test_exit_message(nextline) - if (exit_message) - testsuite_error(exit_message) - } - } - -write_test_results() - -exit 0 - -} # End of "BEGIN" block. -' - -# TODO: document that we consume the file descriptor 3 :-( -} 3>"$log_file" - -test $? -eq 0 || fatal "I/O or internal error" - -# Local Variables: -# mode: shell-script -# sh-indentation: 2 -# eval: (add-hook 'before-save-hook 'time-stamp) -# time-stamp-start: "scriptversion=" -# time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC0" -# time-stamp-end: "; # UTC" -# End: diff --git a/test-driver b/test-driver deleted file mode 100755 index 9759384..0000000 --- a/test-driver +++ /dev/null 
@@ -1,150 +0,0 @@ -#! /bin/sh -# test-driver - basic testsuite driver script. - -scriptversion=2018-03-07.03; # UTC - -# Copyright (C) 2011-2020 Free Software Foundation, Inc. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2, or (at your option) -# any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program. If not, see . - -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. - -# This file is maintained in Automake, please report -# bugs to or send patches to -# . - -# Make unconditional expansion of undefined variables an error. This -# helps a lot in preventing typo-related bugs. -set -u - -usage_error () -{ - echo "$0: $*" >&2 - print_usage >&2 - exit 2 -} - -print_usage () -{ - cat <$log_file 2>&1 -estatus=$? 
- -if test $enable_hard_errors = no && test $estatus -eq 99; then - tweaked_estatus=1 -else - tweaked_estatus=$estatus -fi - -case $tweaked_estatus:$expect_failure in - 0:yes) col=$red res=XPASS recheck=yes gcopy=yes;; - 0:*) col=$grn res=PASS recheck=no gcopy=no;; - 77:*) col=$blu res=SKIP recheck=no gcopy=yes;; - 99:*) col=$mgn res=ERROR recheck=yes gcopy=yes;; - *:yes) col=$lgn res=XFAIL recheck=no gcopy=yes;; - *:*) col=$red res=FAIL recheck=yes gcopy=yes;; -esac - -# Report the test outcome and exit status in the logs, so that one can -# know whether the test passed or failed simply by looking at the '.log' -# file, without the need of also peaking into the corresponding '.trs' -# file (automake bug#11814). -echo "$res $test_name (exit status: $estatus)" >>$log_file - -# Report outcome to console. -echo "${col}${res}${std}: $test_name" - -# Register the test result, and other relevant metadata. -echo ":test-result: $res" > $trs_file -echo ":global-test-result: $res" >> $trs_file -echo ":recheck: $recheck" >> $trs_file -echo ":copy-in-global-log: $gcopy" >> $trs_file - -# Local Variables: -# mode: shell-script -# sh-indentation: 2 -# eval: (add-hook 'before-save-hook 'time-stamp) -# time-stamp-start: "scriptversion=" -# time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC0" -# time-stamp-end: "; # UTC" -# End: diff --git a/tls/CMakeLists.txt b/tls/CMakeLists.txt index 7827a5e..3d0a619 100644 --- a/tls/CMakeLists.txt +++ b/tls/CMakeLists.txt @@ -48,7 +48,7 @@ target_include_directories(tls_obj ../include) add_library(tls $ $ - $) + $ empty.c) export_symbol(tls ${CMAKE_CURRENT_BINARY_DIR}/tls.sym) target_link_libraries(tls ${PLATFORM_LIBS}) 
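Review bot: The `empty.c` source added to the `add_library(tls ...)` call carries no comment explaining why a library assembled from object-library inputs needs a plain source file, so a later maintainer is likely to remove it as dead weight. A one-line comment above the call stating the reason (why the generator or linker needs a real translation unit here) would preserve the intent; I am inferring that purpose, since the object-library generator expressions appear as bare `$` in this rendering and cannot be reviewed. Stylistically the preceding inputs are listed one per line, so `empty.c)` reads better on its own line than appended to the last object-library expression.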
@@ -61,15 +61,6 @@ set_target_properties(tls PROPERTIES set_target_properties(tls PROPERTIES VERSION ${TLS_VERSION} SOVERSION ${TLS_MAJOR_VERSION}) -if(ENABLE_LIBRESSL_INSTALL) - install( - TARGETS tls - ARCHIVE DESTINATION ${CMAKE_INSTALL_LIBDIR} - LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR} - RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR} - ) -endif(ENABLE_LIBRESSL_INSTALL) - # build static library for regression test if(BUILD_SHARED_LIBS) add_library(tls-static STATIC $ diff --git a/tls/VERSION b/tls/VERSION index 4afa027..6e2f32a 100644 --- a/tls/VERSION +++ b/tls/VERSION @@ -1 +1 @@ -25:0:0 +27:0:0 diff --git a/tls/empty.c b/tls/empty.c new file mode 100644 index 0000000..e69de29 diff --git a/tls/tls.c b/tls/tls.c index ff33ebe..989339d 100644 --- a/tls/tls.c +++ b/tls/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.94 2022/02/08 19:13:50 tb Exp $ */ +/* $OpenBSD: tls.c,v 1.96 2023/05/25 07:46:21 op Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -21,6 +21,7 @@ #include #include #include +#include #include #include @@ -409,12 +410,18 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p tls_set_errorx(ctx, "RSA key setup failure"); goto err; } - if (ctx->config->sign_cb == NULL) - break; - if ((rsa_method = tls_signer_rsa_method()) == NULL || - RSA_set_ex_data(rsa, 1, ctx->config) == 0 || - RSA_set_method(rsa, rsa_method) == 0) { - tls_set_errorx(ctx, "failed to setup RSA key"); + if (ctx->config->sign_cb != NULL) { + rsa_method = tls_signer_rsa_method(); + if (rsa_method == NULL || + RSA_set_ex_data(rsa, 1, ctx->config) == 0 || + RSA_set_method(rsa, rsa_method) == 0) { + tls_set_errorx(ctx, "failed to setup RSA key"); + goto err; + } + } + /* Reset the key to work around caching in OpenSSL 3. */ + if (EVP_PKEY_set1_RSA(pkey, rsa) == 0) { + tls_set_errorx(ctx, "failed to set RSA key"); goto err; } break; 
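Review bot: The added `EVP_PKEY_set1_RSA(pkey, rsa)` takes its own reference on `rsa`, so the caller's reference still has to be released with `RSA_free(rsa)` on both the success path and the `err` path; where `rsa` is obtained and freed lies outside this hunk (tls_keypair_setup_pkey begins and ends outside it), so please confirm the existing cleanup covers the extra reference rather than leaking it. The same applies to `EVP_PKEY_set1_EC_KEY(pkey, eckey)` in the next hunk of this file. The new error string `"failed to set RSA key"` differs only by "up" from the existing `"failed to setup RSA key"`, which makes log triage needlessly hard; `"failed to reset RSA key in EVP_PKEY"` (and likewise for EC) keeps the two distinguishable. The comment `/* Reset the key to work around caching in OpenSSL 3. */` would help more if it named what is cached — presumably a key object derived from `rsa` before `RSA_set_method` replaced its method — so readers know when the workaround can be dropped.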
@@ -424,12 +431,18 @@ tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *p tls_set_errorx(ctx, "EC key setup failure"); goto err; } - if (ctx->config->sign_cb == NULL) - break; - if ((ecdsa_method = tls_signer_ecdsa_method()) == NULL || - ECDSA_set_ex_data(eckey, 1, ctx->config) == 0 || - ECDSA_set_method(eckey, ecdsa_method) == 0) { - tls_set_errorx(ctx, "failed to setup EC key"); + if (ctx->config->sign_cb != NULL) { + ecdsa_method = tls_signer_ecdsa_method(); + if (ecdsa_method == NULL || + ECDSA_set_ex_data(eckey, 1, ctx->config) == 0 || + ECDSA_set_method(eckey, ecdsa_method) == 0) { + tls_set_errorx(ctx, "failed to setup EC key"); + goto err; + } + } + /* Reset the key to work around caching in OpenSSL 3. */ + if (EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) { + tls_set_errorx(ctx, "failed to set EC key"); goto err; } break; diff --git a/tls/tls_bio_cb.c b/tls/tls_bio_cb.c index dad9d23..8a1edfd 100644 --- a/tls/tls_bio_cb.c +++ b/tls/tls_bio_cb.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_bio_cb.c,v 1.20 2022/01/10 23:39:48 tb Exp $ */ +/* $OpenBSD: tls_bio_cb.c,v 1.21 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2016 Tobias Pape * @@ -17,6 +17,7 @@ #include #include +#include #include #include diff --git a/tls/tls_client.c b/tls/tls_client.c index 1629697..deb24eb 100644 --- a/tls/tls_client.c +++ b/tls/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_client.c,v 1.48 2021/10/21 08:38:11 tb Exp $ */ +/* $OpenBSD: tls_client.c,v 1.49 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -25,6 +25,7 @@ #include #include #include +#include #include #include diff --git a/tls/tls_config.c b/tls/tls_config.c index 15e218b..3efd0dd 100644 --- a/tls/tls_config.c +++ b/tls/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.65 2022/01/25 21:51:24 eric Exp $ */ +/* $OpenBSD: tls_config.c,v 1.66 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2014 Joel Sing * 
@@ -22,6 +22,7 @@ #include #include #include +#include #include #include diff --git a/tls/tls_conninfo.c b/tls/tls_conninfo.c index 4d9ae29..b2aadab 100644 --- a/tls/tls_conninfo.c +++ b/tls/tls_conninfo.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_conninfo.c,v 1.22 2021/01/05 15:57:38 tb Exp $ */ +/* $OpenBSD: tls_conninfo.c,v 1.23 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2015 Joel Sing * Copyright (c) 2015 Bob Beck @@ -17,6 +17,7 @@ */ #include +#include #include diff --git a/tls/tls_internal.h b/tls/tls_internal.h index ca1d96f..f4c23f6 100644 --- a/tls/tls_internal.h +++ b/tls/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.80 2022/03/24 15:56:34 tb Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.81 2023/04/09 18:26:26 tb Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas * Copyright (c) 2014 Joel Sing @@ -302,7 +302,6 @@ ECDSA_METHOD *tls_signer_ecdsa_method(void); #define TLS_PADDING_NONE 0 #define TLS_PADDING_RSA_PKCS1 1 -#define TLS_PADDING_RSA_X9_31 2 int tls_config_set_sign_cb(struct tls_config *_config, tls_sign_cb _cb, void *_cb_arg); diff --git a/tls/tls_ocsp.c b/tls/tls_ocsp.c index 83585fa..acf6935 100644 --- a/tls/tls_ocsp.c +++ b/tls/tls_ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_ocsp.c,v 1.22 2021/10/31 16:39:32 tb Exp $ */ +/* $OpenBSD: tls_ocsp.c,v 1.23 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2015 Marko Kreen * Copyright (c) 2016 Bob Beck @@ -21,6 +21,8 @@ #include #include +#include + #include #include #include diff --git a/tls/tls_server.c b/tls/tls_server.c index 72f797b..5f93c7a 100644 --- a/tls/tls_server.c +++ b/tls/tls_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_server.c,v 1.48 2022/01/19 11:10:55 inoguchi Exp $ */ +/* $OpenBSD: tls_server.c,v 1.49 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -19,6 +19,8 @@ #include +#include + #include #include #include diff --git a/tls/tls_signer.c b/tls/tls_signer.c index 1f11096..f6005d3 100644 --- a/tls/tls_signer.c +++ b/tls/tls_signer.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: tls_signer.c,v 1.4 2022/02/01 17:18:38 jsing Exp $ */ +/* $OpenBSD: tls_signer.c,v 1.5 2023/04/09 18:26:26 tb Exp $ */ /* * Copyright (c) 2021 Eric Faurot * @@ -193,8 +193,6 @@ tls_sign_rsa(struct tls_signer *signer, struct tls_signer_key *skey, rsa_padding = RSA_NO_PADDING; } else if (padding_type == TLS_PADDING_RSA_PKCS1) { rsa_padding = RSA_PKCS1_PADDING; - } else if (padding_type == TLS_PADDING_RSA_X9_31) { - rsa_padding = RSA_X931_PADDING; } else { tls_error_setx(&signer->error, "invalid RSA padding type (%d)", padding_type); @@ -331,8 +329,6 @@ tls_rsa_priv_enc(int from_len, const unsigned char *from, unsigned char *to, padding_type = TLS_PADDING_NONE; } else if (rsa_padding == RSA_PKCS1_PADDING) { padding_type = TLS_PADDING_RSA_PKCS1; - } else if (rsa_padding == RSA_X931_PADDING) { - padding_type = TLS_PADDING_RSA_X9_31; } else { goto err; } diff --git a/tls/tls_util.c b/tls/tls_util.c index d8103a5..b276d2c 100644 --- a/tls/tls_util.c +++ b/tls/tls_util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_util.c,v 1.15 2021/08/16 13:54:38 tb Exp $ */ +/* $OpenBSD: tls_util.c,v 1.16 2023/05/14 07:26:25 op Exp $ */ /* * Copyright (c) 2014 Joel Sing * Copyright (c) 2014 Ted Unangst @@ -20,6 +20,7 @@ #include #include +#include #include #include diff --git a/tls/tls_verify.c b/tls/tls_verify.c index acbe163..0cb86f6 100644 --- a/tls/tls_verify.c +++ b/tls/tls_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_verify.c,v 1.20 2018/02/05 00:52:24 jsing Exp $ */ +/* $OpenBSD: tls_verify.c,v 1.23 2023/05/11 07:35:27 tb Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas * @@ -115,7 +115,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, count = sk_GENERAL_NAME_num(altname_stack); for (i = 0; i < count; i++) { - GENERAL_NAME *altname; + GENERAL_NAME *altname; altname = sk_GENERAL_NAME_value(altname_stack, i); 
@@ -126,12 +126,12 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, continue; if (type == GEN_DNS) { - unsigned char *data; - int format, len; + const unsigned char *data; + int format, len; format = ASN1_STRING_type(altname->d.dNSName); if (format == V_ASN1_IA5STRING) { - data = ASN1_STRING_data(altname->d.dNSName); + data = ASN1_STRING_get0_data(altname->d.dNSName); len = ASN1_STRING_length(altname->d.dNSName); if (len < 0 || (size_t)len != strlen(data)) { @@ -171,11 +171,11 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, } } else if (type == GEN_IPADD) { - unsigned char *data; - int datalen; + const unsigned char *data; + int datalen; datalen = ASN1_STRING_length(altname->d.iPAddress); - data = ASN1_STRING_data(altname->d.iPAddress); + data = ASN1_STRING_get0_data(altname->d.iPAddress); if (datalen < 0) { tls_set_errorx(ctx, @@ -209,7 +209,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, char *common_name = NULL; union tls_addr addrbuf; int common_name_len; - int rv = 0; + int rv = -1; *cn_match = 0; @@ -223,8 +223,10 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, goto done; common_name = calloc(common_name_len + 1, 1); - if (common_name == NULL) - goto done; + if (common_name == NULL) { + tls_set_error(ctx, "out of memory"); + goto err; + } X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name, common_name_len + 1); @@ -235,8 +237,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, tls_set_errorx(ctx, "error verifying name '%s': " "NUL byte in Common Name field, " "probably a malicious certificate", name); - rv = -1; - goto done; + goto err; } /* @@ -254,6 +255,9 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, *cn_match = 1; done: + rv = 0; + + err: free(common_name); return rv; }
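Review bot: In the last hunk of tls_check_common_name the `done:` label now falls through into `err:` so that `free(common_name)` also runs on the success path; that is correct but easy to misread as a missing `return`, so a `/* FALLTHROUGH */` comment between `rv = 0;` and `err:` would make it explicit. With `rv` now initialised to `-1`, every path that does not reach `done:` reports failure, which is the safer default for a certificate name check, while the visible early `goto done` before the allocation still yields `rv = 0` with `*cn_match = 0`; a comment above the function (which starts outside the hunk) stating that "no Common Name" is a non-match rather than an error would document that distinction. The hunk closes the function.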