diff --git a/CMakeLists.txt b/CMakeLists.txt
index cf980a5..600f70f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,5 +1,14 @@
-cmake_minimum_required (VERSION 2.8.8)
+if(MSVC)
+	cmake_minimum_required (VERSION 3.16.4)
+	cmake_policy(SET CMP0091 NEW)
+else()
+	cmake_minimum_required (VERSION 3.0)
+endif()
+
+project (LibreSSL C ASM)
+
 include(CheckFunctionExists)
+include(CheckSymbolExists)
 include(CheckLibraryExists)
 include(CheckIncludeFiles)
 include(CheckTypeSize)
@@ -8,8 +17,6 @@ set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}" ${CMAKE_MODULE_PATH})
 include(cmake_export_symbol)
 include(GNUInstallDirs)
 
-project (LibreSSL C)
-
 enable_testing()
 
 file(READ ${CMAKE_CURRENT_SOURCE_DIR}/ssl/VERSION SSL_VERSION)
@@ -28,11 +35,18 @@ string(REPLACE ":" "." TLS_VERSION ${TLS_VERSION})
 string(REGEX REPLACE "\\..*" "" TLS_MAJOR_VERSION ${TLS_VERSION})
 
 option(LIBRESSL_SKIP_INSTALL "Skip installation" ${LIBRESSL_SKIP_INSTALL})
+option(LIBRESSL_APPS "Build apps" ON)
+option(LIBRESSL_TESTS "Build tests" ON)
 option(ENABLE_ASM "Enable assembly" ON)
 option(ENABLE_EXTRATESTS "Enable extra tests that may be unreliable on some platforms" OFF)
 option(ENABLE_NC "Enable installing TLS-enabled nc(1)" OFF)
 set(OPENSSLDIR ${OPENSSLDIR} CACHE PATH "Set the default openssl directory" FORCE)
+option(USE_STATIC_MSVC_RUNTIMES "Use /MT instead of /MD in MSVC" OFF)
+if(USE_STATIC_MSVC_RUNTIMES)
+	set(CMAKE_MSVC_RUNTIME_LIBRARY "MultiThreaded$<$:Debug>")
+endif()
+
 
 if(NOT LIBRESSL_SKIP_INSTALL)
 	set( ENABLE_LIBRESSL_INSTALL ON )
 endif(NOT LIBRESSL_SKIP_INSTALL)
@@ -46,6 +60,7 @@ endif()
 
 if(CMAKE_SYSTEM_NAME MATCHES "OpenBSD")
 	add_definitions(-DHAVE_ATTRIBUTE__BOUNDED__)
+	add_definitions(-DHAVE_ATTRIBUTE__DEAD__)
 endif()
 
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
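Review bot: The `if(MSVC)` guard around `cmake_minimum_required` is evaluated before `project()`, and as far as I know `MSVC` is only defined once `project()` has run compiler detection, so the 3.16.4 / `cmake_policy(SET CMP0091 NEW)` branch would never be taken and every build lands on the 3.0 branch with CMP0091 left unset. That would silently defeat the `USE_STATIC_MSVC_RUNTIMES` option added in `@@ -28,11 +35,18 @@`, because `CMAKE_MSVC_RUNTIME_LIBRARY` is only honoured under CMP0091 NEW, and a build that requested the static runtime would still link the dynamic one with no diagnostic. A single unconditional minimum followed by a policy guard does not depend on a variable that is not yet set: `cmake_minimum_required (VERSION 3.0)`, then `if(POLICY CMP0091)` / `cmake_policy(SET CMP0091 NEW)` / `endif()`, before `project (LibreSSL C ASM)`. `cmake_minimum_required` is also conventionally the first statement of the file rather than nested in an `if()`.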
@@ -53,32 +68,37 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux")
 	add_definitions(-D_BSD_SOURCE)
 	add_definitions(-D_POSIX_SOURCE)
 	add_definitions(-D_GNU_SOURCE)
+	set(PLATFORM_LIBS ${PLATFORM_LIBS} pthread)
 endif()
 
-if(CMAKE_SYSTEM_NAME MATCHES "MINGW")
+if(WIN32 OR (CMAKE_SYSTEM_NAME MATCHES "MINGW"))
 	set(BUILD_NC false)
+	add_definitions(-D_GNU_SOURCE)
+	add_definitions(-D_POSIX)
+	add_definitions(-D_POSIX_SOURCE)
+	add_definitions(-D__USE_MINGW_ANSI_STDIO)
 endif()
 
-if(WIN32)
-	set(BUILD_NC false)
-endif()
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O2 -Wall")
 
 if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
 	if(CMAKE_C_COMPILER MATCHES "gcc")
-		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -fno-strict-aliasing")
 		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -mlp64")
 	else()
-		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -g -O2 +DD64 +Otype_safety=off")
+		set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} +DD64 +Otype_safety=off")
 	endif()
 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600 -D__STRICT_ALIGNMENT")
+	set(PLATFORM_LIBS ${PLATFORM_LIBS} pthread)
 endif()
 
 if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
-	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall -std=gnu99 -fno-strict-aliasing")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=gnu99 -fno-strict-aliasing")
 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D__EXTENSIONS__")
 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_XOPEN_SOURCE=600")
 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DBSD_COMP")
 	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fpic")
+	set(PLATFORM_LIBS ${PLATFORM_LIBS} nsl socket)
 endif()
 
 add_definitions(-DLIBRESSL_INTERNAL)
@@ -98,7 +118,8 @@ if(WIN32)
 	add_definitions(-D_CRT_DEPRECATED_NO_WARNINGS)
 	add_definitions(-D_REENTRANT -D_POSIX_THREAD_SAFE_FUNCTIONS)
 	add_definitions(-DWIN32_LEAN_AND_MEAN -D_WIN32_WINNT=0x0600)
-	add_definitions(-DCPPFLAGS -DOPENSSL_NO_SPEED -DNO_SYSLOG -DNO_CRYPT)
+	add_definitions(-DCPPFLAGS -DNO_SYSLOG -DNO_CRYPT)
+	set(PLATFORM_LIBS ${PLATFORM_LIBS} ws2_32)
 endif()
 
 if(MSVC)
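Review bot: The new `set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O2 -Wall")` applies to every compiler and every configuration, whereas the `-Wall`/`-O2` it replaces were confined to the HP-UX and SunOS branches. With the GCC/Clang defaults a Debug build now gets `-O2` (CMAKE_C_FLAGS precedes the per-config flags, and the default Debug flags are only `-g`), so the optimisation level no longer follows `CMAKE_BUILD_TYPE`; and `cl.exe` accepts `-Wall` as `/Wall`, which is considerably noisier than the `/W3` it previously received, if this line is reached on MSVC. Guarding it, e.g. `if(NOT MSVC)` around the `set()`, or expressing it as `add_compile_options($<$<NOT:$<C_COMPILER_ID:MSVC>>:-Wall>)` and leaving optimisation to the build type, keeps Debug builds debuggable and MSVC warnings at their previous level.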
@@ -223,11 +244,31 @@ if(HAVE_GETENTROPY)
 	add_definitions(-DHAVE_GETENTROPY)
 endif()
 
-check_function_exists(getpagesize HAVE_GETPAGESIZE)
+check_symbol_exists(getpagesize unistd.h HAVE_GETPAGESIZE)
 if(HAVE_GETPAGESIZE)
 	add_definitions(-DHAVE_GETPAGESIZE)
 endif()
 
+check_function_exists(getprogname HAVE_GETPROGNAME)
+if(HAVE_GETPROGNAME)
+	add_definitions(-DHAVE_GETPROGNAME)
+endif()
+
+check_function_exists(syslog_r HAVE_SYSLOG_R)
+if(HAVE_SYSLOG_R)
+	add_definitions(-DHAVE_SYSLOG_R)
+endif()
+
+check_function_exists(syslog HAVE_SYSLOG)
+if(HAVE_SYSLOG)
+	add_definitions(-DHAVE_SYSLOG)
+endif()
+
+check_symbol_exists(timespecsub sys/time.h HAVE_TIMESPECSUB)
+if(HAVE_TIMESPECSUB)
+	add_definitions(-DHAVE_TIMESPECSUB)
+endif()
+
 check_function_exists(timingsafe_bcmp HAVE_TIMINGSAFE_BCMP)
 if(HAVE_TIMINGSAFE_BCMP)
 	add_definitions(-DHAVE_TIMINGSAFE_BCMP)
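Review bot: The new `getprogname`, `syslog_r` and `syslog` probes use `check_function_exists`, which only tests that the symbol links, while the same hunk moves `getpagesize` to `check_symbol_exists` precisely so that the declaring header is consulted as well. A libc that exports `getprogname` or `syslog_r` without declaring it would presumably define `HAVE_GETPROGNAME`/`HAVE_SYSLOG_R` here and leave the compat code calling an implicitly declared function. `check_symbol_exists(getprogname stdlib.h HAVE_GETPROGNAME)` and `check_symbol_exists(syslog_r syslog.h HAVE_SYSLOG_R)` (those are the declaring headers on the BSDs, to be confirmed for other targets) would match the approach already taken for `getpagesize` and `timespecsub` in this hunk.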
@@ -252,37 +293,33 @@ if(ENABLE_ASM)
 	if("${CMAKE_C_COMPILER_ABI}" STREQUAL "ELF")
 		if("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "(x86_64|amd64)")
 			set(HOST_ASM_ELF_X86_64 true)
+		elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "arm")
+			set(HOST_ASM_ELF_ARMV4 true)
 		elseif(CMAKE_SYSTEM_NAME STREQUAL "SunOS" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "i386")
 			set(HOST_ASM_ELF_X86_64 true)
 		endif()
 	elseif(APPLE AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
 		set(HOST_ASM_MACOSX_X86_64 true)
+	elseif(MSVC AND ("${CMAKE_GENERATOR}" MATCHES "Win64" OR "${CMAKE_GENERATOR_PLATFORM}" STREQUAL "x64"))
+		set(HOST_ASM_MASM_X86_64 true)
+		ENABLE_LANGUAGE(ASM_MASM)
+	elseif(CMAKE_SYSTEM_NAME MATCHES "MINGW" AND "${CMAKE_SYSTEM_PROCESSOR}" STREQUAL "x86_64")
+		set(HOST_ASM_MINGW64_X86_64 true)
 	endif()
 endif()
 
-set(OPENSSL_LIBS tls ssl crypto)
-
-if(WIN32)
-	set(OPENSSL_LIBS ${OPENSSL_LIBS} ws2_32)
-endif()
-
-check_function_exists(clock_gettime HAVE_CLOCK_GETTIME)
-if(HAVE_CLOCK_GETTIME)
-	add_definitions(-DHAVE_CLOCK_GETTIME)
-endif()
-
 if(CMAKE_SYSTEM_NAME MATCHES "Linux")
+	# Check if we need -lrt to get clock_gettime on Linux
 	check_library_exists(rt clock_gettime "time.h" HAVE_CLOCK_GETTIME)
 	if (HAVE_CLOCK_GETTIME)
-		set(OPENSSL_LIBS ${OPENSSL_LIBS} rt)
+		set(PLATFORM_LIBS ${PLATFORM_LIBS} rt)
 	endif()
-	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
+else()
+	# Otherwise, simply check if it exists
+	check_function_exists(clock_gettime HAVE_CLOCK_GETTIME)
 endif()
 
-if(CMAKE_SYSTEM_NAME MATCHES "HP-UX")
-	set(OPENSSL_LIBS ${OPENSSL_LIBS} pthread)
-endif()
-if(CMAKE_SYSTEM_NAME MATCHES "SunOS")
-	set(OPENSSL_LIBS ${OPENSSL_LIBS} nsl socket)
+if(HAVE_CLOCK_GETTIME)
+	add_definitions(-DHAVE_CLOCK_GETTIME)
 endif()
 
 check_type_size(time_t SIZEOF_TIME_T)
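Review bot: `elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "arm")` is unanchored, so any processor string containing `arm` selects the 32-bit `HOST_ASM_ELF_ARMV4` assembly; a toolchain that reports `arm64` for a 64-bit ELF target (rather than `aarch64`) would be handed ARMv4 sources (the enclosing `if(ENABLE_ASM)` starts above the hunk). Tightening the match, e.g. `elseif("${CMAKE_SYSTEM_PROCESSOR}" MATCHES "^arm" AND NOT "${CMAKE_SYSTEM_PROCESSOR}" MATCHES "64")`, keeps 64-bit targets on the portable C path until they get their own assembly. Separately, on Linux `HAVE_CLOCK_GETTIME` is now derived only from the `-lrt` probe, so a Linux libc without a separate librt would appear to lack `clock_gettime` even though libc provides it; running `check_function_exists(clock_gettime HAVE_CLOCK_GETTIME)` unconditionally and giving the librt probe its own result variable such as `HAVE_LIBRT_CLOCK_GETTIME` would keep both answers. `ENABLE_LANGUAGE(ASM_MASM)` is the only upper-case command in the file as shown; `enable_language(ASM_MASM)` matches the rest.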
@@ -294,7 +331,40 @@ if(SIZEOF_TIME_T STREQUAL "4")
 endif()
 add_definitions(-DSIZEOF_TIME_T=${SIZEOF_TIME_T})
 
+set(OPENSSL_LIBS tls ssl crypto ${PLATFORM_LIBS})
+
 add_subdirectory(crypto)
 add_subdirectory(ssl)
+if(LIBRESSL_APPS)
+	add_subdirectory(apps)
+endif()
 add_subdirectory(tls)
 add_subdirectory(include)
+if(NOT MSVC)
+	add_subdirectory(man)
+endif()
+# Tests require the openssl executable and are unavailable when building shared libraries
+if(LIBRESSL_APPS AND LIBRESSL_TESTS)
+	add_subdirectory(tests)
+endif()
+
+if(NOT MSVC)
+	# Create pkgconfig files.
+	set(prefix ${CMAKE_INSTALL_PREFIX})
+	set(exec_prefix \${prefix})
+	set(libdir \${exec_prefix}/${CMAKE_INSTALL_LIBDIR})
+	set(includedir \${prefix}/include)
+	if(PLATFORM_LIBS)
+		string(REGEX REPLACE ";" " -l" PLATFORM_LDADD ";${PLATFORM_LIBS}")
+	endif()
+	file(STRINGS "VERSION" VERSION LIMIT_COUNT 1)
+	file(GLOB OPENSSL_PKGCONFIGS "*.pc.in")
+	foreach(file ${OPENSSL_PKGCONFIGS})
+		get_filename_component(filename ${file} NAME)
+		string(REPLACE ".in" "" new_file "$(unknown)")
+		configure_file($(unknown) pkgconfig/${new_file} @ONLY)
+	endforeach()
+	install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/pkgconfig
+		DESTINATION ${CMAKE_INSTALL_LIBDIR})
+endif()
+
diff --git a/ChangeLog b/ChangeLog
index e00e9f6..4598456 100644
--- a/ChangeLog
+++ b/ChangeLog
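Review bot: The new `install(DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/pkgconfig DESTINATION ${CMAKE_INSTALL_LIBDIR})` ignores the `LIBRESSL_SKIP_INSTALL` option that this file otherwise honours through `ENABLE_LIBRESSL_INSTALL` (set in `@@ -28,11 +35,18 @@`), so a parent project that embeds LibreSSL with `LIBRESSL_SKIP_INSTALL=ON` still has LibreSSL `.pc` files written into its install prefix. Wrapping the call as `if(ENABLE_LIBRESSL_INSTALL)` … `endif()` keeps the pkg-config files under the same switch as the libraries. The `.pc` `libdir` is also composed as `\${exec_prefix}/${CMAKE_INSTALL_LIBDIR}`, which produces a doubled path when `CMAKE_INSTALL_LIBDIR` is supplied as an absolute directory, something GNUInstallDirs (already included in this file) permits; if that case matters here, `CMAKE_INSTALL_FULL_LIBDIR` is the variable GNUInstallDirs provides for it.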
@@ -28,6 +28,638 @@ history is also available from Git. LibreSSL Portable Release Notes: +3.2.2 - Stable release + + * This is the first stable release with the new TLSv1.3 + implementation enabled by default for both client and server. The + OpenSSL 1.1 TLSv1.3 API is not yet available and will be provided + in an upcoming release. + + * New X509 certificate chain validator that correctly handles + multiple paths through intermediate certificates. Loosely based on + Go's X509 validator. + + * New name constraints verification implementation which passes the + bettertls.com certificate validation check suite. + + * Improve the handling of BIO_read()/BIO_write() failures in the + TLSv1.3 stack. + + * Start replacing the existing TLSv1.2 record layer. + + * Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h. + + * Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash. + + * Send alert on ssl_get_prev_session() failure. + + * Zero out variable on the stack to avoid leaving garbage in the tail + of short session IDs. + + * Move state initialization from SSL_clear() to ssl3_clear() to ensure + that it gets correctly reinitialized across a SSL_set_ssl_method() + call. + + * Avoid an out-of-bounds write in BN_rand(). + + * Fix numerous leaks in the UI_dup_* functions. Simplify and tidy up + the code in ui_lib.c. + + * Correctly track selected ALPN length to avoid a potential segmentation + fault with SSL_get0_alpn_selected() when alpn_selected is NULL. + + * Include machine/endian.h gost2814789.c in order to pick up the + __STRICT_ALIGNMENT define. + + * Simplify SSL method lookups. + + * Clean up and simplify SSL_get_ciphers(), SSL_set_session(), + SSL_set_ssl_method() and several internal functions. + + * Correctly handle ssl_cert_dup() failure in SSL_set_SSL_CTX(). + + * Refactor dtls1_new(), dtls1_hm_fragment_new(), + dtls1_drain_fragments(), dtls1_clear_queues(). 
+ + * Copy the session ID directly in ssl_get_prev_session() instead of + handing it through several functions for copying. + + * Clean up and refactor ssl_get_prev_session(); simplify + tls_decrypt_ticket() and tls1_process_ticket() exit paths. + + * Avoid memset() before memcpy() in CBS_add_bytes(). + + * Rewrite X509_INFO_{new,free}() more idiomatically. + + * Remove unnecessary zeroing after recallocarray() in + ASN1_BIT_STRING_set_bit(). + + * Convert openssl(1) ocsp new option handling. + + * Document SSL_set1_host(3), SSL_set_SSL_CTX(3). + + * Document return value from EC_KEY_get0_public_key(3). + + * Greatly expanded test coverage via the tlsfuzzer test scripts. + + * Expanded test coverage via the bettertls certificate test suite. + + * Test interoperability with the Botan TLS client. + + * Make pthread_mutex static initialisation work on Windows. + + * Get __STRICT_ALIGNMENT from machine/endian.h with portable build. + +3.2.1 - Development release + + * Propagate alerts from the read half of the TLSv1.3 record layer to I/O + functions. + + * Send a record overflow alert for TLSv1.3 messages having overlong + plaintext or inner plaintext. + + * Send an illegal parameter alert if a client sends an invalid DH key + share. + + * Document PKCS7_final(3), PKCS7_add_attribute(3). + + * Collapse x509v3 directory into x509. + + * Improve TLSv1.3 client certificate selection to allow EC certificates + instead of only RSA certificates. + + * Fail on receiving an invalid NID in X509_ATTRIBUTE_create() instead + of constructing a broken objects that may cause NULL pointer accesses. + + * Add support for additional GOST curves from RFC 7836 and + draft-deremin-rfc4491-bis. + + * Add OIDs for HMAC using the Streebog hash function. + + * Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5. + + * Enable GOST_SIG_FORMAT_RS_LE when verifying certificate signatures. + + * Handle GOST in ssl_cert_dup(). + + * Stop sending GOST R 34.10-94 as a CertificateType. 
+ + * Use IANA allocated GOST ClientCertificateTypes. + + * Add a custom copy handler for AES keywrap to fix a use-after-free. + + * Enforce in the TLSv1.3 server that that ClientHello messages after + a HelloRetryRequest match the original ClientHello as per RFC 8446 + section 4.1.2 + + * Document more PKCS7 attribute functions. + + * Document PKCS7_get_signer_info(3). + + * Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3). + + * Document PEM_def_callback(3). + + * Document EVP_read_pw_string_min(3). + + * Merge documentation of X509_get0_serialNumber from OpenSSL 1.1.1. + + * Document error handling of X509_PUBKEY_get0(3) and X509_PUBKEY_get(3) + + * Document X509_get0_pubkey_bitstr(3). + + * Fix an off-by-one in the CBC padding removal. From BoringSSL. + + * Enforce restrictions on extensions present in the ClientHello as per + RFC 8446, section 9.2. + + * Add new CMAC_Init(3) and ChaCha(3) manual pages. + + * Fix SSL_shutdown behavior to match the legacy stack. The previous + behavior could cause a hang. + + * Add initial support for openbsd/powerpc64. + + * Make the message type available in the internal TLS extensions API + functions. + + * Enable TLSv1.3 for the generic TLS_method(). + + * Convert openssl(1) s_client option handling. + + * Document openssl(1) certhash. + + * Convert openssl(1) verify option handling. + + * Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that could cause + use-after-free and double-free issues in calling programs. + + * Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3). + + * Handle SSL_MODE_AUTO_RETRY being changed during a TLSv1.3 session. + + * Convert openssl(1) s_server option handling. + + * Add minimal info callback support for TLSv1.3. + + * Refactor, clean up and simplify some SSL3/DTLS1 record writing code. + + * Correctly handle server requests for an OCSP response. + + * Add the P-521 curve to the list of curves supported by default + in the client. + + * Convert openssl(1) req option handling. 
+ + * Avoid calling freezero with a negative size if a server sends a + malformed plaintext of all zeroes. + + * Send an unexpected message alert if no valid content type is found + in a TLSv1.3 record. + +3.2.0 - Development release + + * Enable TLS 1.3 server side in addition to client by default. + With this change TLS 1.3 is handled entirely on the new stack + and state machine, with fallback to the legacy stack and + state machine for older versions. Note that the OpenSSL TLS 1.3 + API is not yet visible/available. + + * Improve length checks in the TLS 1.3 record layer and provide + appropriate alerts for violations of record layer limits. + + * Enforce that SNI hostnames received by the TLS server are correctly + formed as per RFC 5890 and RFC 6066, responding with illegal parameter + for a nonconformant host name. + + * Support SSL_MODE_AUTO_RETRY in TLS 1.3 to allow the automatic + retry of handshake messages. + + * Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the default + similar to new OpenSSL releases. + + * Modify openssl(1) to clear SSL_MODE_AUTO_RETRY appropriately in + various commands. + + * Add tlsfuzzer based regression tests. + + * Support sending certificate status requests from the TLS 1.3 + client to request OCSP staples for leaf certificates. + + * Support sending certificate status replies from the TLS 1.3 server + in order to send OCSP staples for leaf certificates. + + * Send correct alerts when handling failed key share extensions + on the TLS 1.3 server. + + * Various compatibility fixes for TLS 1.3 to 1.2 fallback for + switching from the new to legacy stacks. + + * Support TLS 1.3 options in the openssl(1) command. + + * Many alert cleanups in TLS 1.3 to provide expected alerts in failure + conditions. + + * Modify "openssl x509" to display invalid certificate times as + invalid, and correctly deal with the failing return case from + X509_cmp_time so that a certificate with an invalid NotAfter does + not appear valid. 
+ + * Support sending dummy change_cipher_spec records for TLS 1.3 middlebox + compatibility. + + * Ensure only PSS signatures are used with RSA in TLS 1.3. + + * Ensure that TLS 1.3 clients advertise exactly the "null" compression + method in its legacy_compression_methods. + + * Correct use of sockaddr_storage instead of sockaddr in openssl(1) + s_client, which could lead to using 14 bytes of stack garbage instead + of an IPv6 address in DTLS mode. + + * Use non-expired certificates first when building a certificate chain. + +3.1.4 - Interoperability and bug fixes for the TLSv1.3 client: + + * Improve client certificate selection to allow EC certificates + instead of only RSA certificates. + + * Do not error out if a TLSv1.3 server requests an OCSP response as + part of a certificate request. + + * Fix SSL_shutdown behavior to match the legacy stack. The previous + behaviour could cause a hang. + + * Fix a memory leak and add a missing error check in the handling of + the key update message. + + * Fix a memory leak in tls13_record_layer_set_traffic_key. + + * Avoid calling freezero with a negative size if a server sends a + malformed plaintext of all zeroes. + + * Ensure that only PSS may be used with RSA in TLSv1.3 in order + to avoid using PKCS1-based signatures. + + * Add the P-521 curve to the list of curves supported by default + in the client. + +3.1.3 - Bug fix + + * libcrypto may fail to build a valid certificate chain due to + expired untrusted issuer certificates. + +3.1.2 - Bug fix + + * A TLS client with peer verification disabled may crash when + contacting a server that sends an empty certificate list. + +3.1.1 - Stable release + + * Improved cipher suite handling to automatically include TLSv1.3 + cipher suites when they are not explicitly referred to in the + cipher string. 
+ + * Improved handling of TLSv1.3 HelloRetryRequests, simplifying + state transitions and ensuring that the legacy session identifer + retains the same value across the handshake. + + * Provided TLSv1.3 cipher suite aliases to match the names used + in RFC 8446. + + * Improved TLSv1.3 client key share handling to allow the use of + any groups in our configured NID list. + + * Fixed printing the serialNumber with X509_print_ex() fall back to + the colon separated hex bytes in case greater than int value. + + * Fix to disallow setting the AES-GCM IV length to zero. + + * Added -groups option to openssl(1) s_server subcommand. + + * Fix to show TLSv1.3 extension types with openssl(1) -tlsextdebug. + + * Improved portable builds to support the use of static MSVC runtimes. + + * Fixed portable builds to avoid exporting a sleep() symbol. + +3.1.0 - Development release + + * Completed initial TLS 1.3 implementation with a completely new state + machine and record layer. TLS 1.3 is now enabled by default for the + client side, with the server side to be enabled in a future release. + Note that the OpenSSL TLS 1.3 API is not yet visible/available. + + * Many more code cleanups, fixes, and improvements to memory handling + and protocol parsing. + + * Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1. + + * Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL + 1.1.1 and enabled by default. + + * Improved compatibility by backporting functionality and documentation + from OpenSSL 1.1.1. + + * Added many new additional crypto test vectors. + + * Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics. + + * Default CA bundle location is now configurable in portable builds. + + * Added cms subcommand to openssl(1). + + * Added -addext option to openssl(1) req subcommand. + +3.0.2 - Stable release + + * Use a valid curve when constructing an EC_KEY that looks like X25519. 
+ The recent EC group cofactor change results in stricter validation, + which causes the EC_GROUP_set_generator() call to fail. + Issue reported and fix tested by rsadowski@ + + * Fixed a padding oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey. + (Note that the CMS code is currently disabled) + Port of Edlinger's Fix for CVE-2019-1563 from OpenSSL 1.1.1 (old license) + + * Avoid a path traversal bug in s_server on Windows when run with the -WWW + or -HTTP options, due to incomplete path check logic. + Issue reported and fix tested by Jobert Abma + +3.0.1 - Development release + + * Ported Billy Brumley's fix for CVE-2019-1547 in OpenSSL 1.1.1. If a NULL + or zero cofactor is passed to EC_GROUP_set_generator(), try to compute + it using Hasse's bound. This works as long as the cofactor is small + enough. + + * Fixed a memory leak in error paths for eckey_type2param(). + + * Initial work on supporting Cryptographic Message Syntax (CMS) in + libcrypto (not enabled). + + * Various manual page improvements and additions. + + * Added a CMake check for an existing uninstall target, facilitating + embedding LibreSSL in larger CMake projects, from Matthew Albrecht. + +3.0.0 - Development release + + * Completed the port of RSA_METHOD accessors from the OpenSSL 1.1 API. + + * Documented undescribed options and removed unfunctional options + description in openssl(1) manual. + + * A plethora of small fixes due to regular oss-fuzz testing. + + * Various side channels in DSA and ECDSA were addressed. These are some of + the many issues found in an extensive systematic analysis of bignum usage + by Samuel Weiser, David Schrammel et al. + + * Enabled openssl(1) speed subcommand on Windows platform. + + * Enabled performance optimizations when building with Visual Studio on Windows. + + * Fixed incorrect carry operation in 512 addition for Streebog. + + * Fixed -modulus option with openssl(1) dsa subcommand. 
+ + * Fixed PVK format output issue with openssl(1) dsa and rsa subcommand. + +2.9.2 - Bug fixes + + * Fixed portable builds with older versions of MacOS, + Android targets < API 21, and Solaris 10 + + * Fixed SRTP profile advertisement for DTLS servers. + +2.9.1 - Stable release + + * Added support for XChaCha20 and XChaCha20-Poly1305. + + * Added support for AES key wrap constructions via the EVP interface. + + * Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH. + + * Added pbkdf2 key derivation support to openssl(1) + + * Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake. + + * Changed the default digest type of openssl(1) enc to to sha256. + + * Changed the default digest type of openssl(1) dgst to sha256. + + * Changed the default digest type of openssl(1) x509 -fingerprint to sha256. + + * Changed the default digest type of openssl(1) crl -fingerprint to sha256. + + * Improved Windows, Android, and ARM compatibility, including assembly + optimizations on Mingw-w64 targets. + +2.9.0 - Development release + + * Added the SM4 block cipher from the Chinese standard GB/T 32907-2016. + + * Fixed warnings about clock_gettime on Windows Visual Studio builds. + + * Fixed CMake builds on systems where getpagesize is defined as an + inline function. + + * CRYPTO_LOCK is now automatically initialized, with the legacy + callbacks stubbed for compatibility. + + * Added the SM3 hash function from the Chinese standard GB/T 32905-2016. + + * Added more OPENSSL_NO_* macros for compatibility with OpenSSL. + + * Added extensive interoperability tests between LibreSSL and OpenSSL + 1.0 and 1.1. + + * Added additional Wycheproof tests and related bug fixes. + + * Simplified sigalgs option processing and handshake signing algorithm + + * Added the ability to use the RSA PSS algorithm for handshake + signatures. + + * Added bn_rand_interval() and use it in code needing ranges of random + bn values. 
+ + * Added functionality to derive early, handshake, and application + secrets as per RFC8446. + + * Added handshake state machine from RFC8446. + + * Removed some ASN.1 related code from libcrypto that had not been used + since around 2000. + + * Unexported internal symbols and internalized more record layer structs. + + * Added support for assembly optimizations on 32-bit ARM ELF targets. + + * Improved protection against timing side channels in ECDSA signature + generation. + + * Coordinate blinding was added to some elliptic curves. This is the + last bit of the work by Brumley et al. to protect against the + Portsmash vulnerability. + + * Ensure transcript handshake is always freed with TLS 1.2. + +2.8.2 - Stable release + + * Added Wycheproof support for ECDH and ECDSA Web Crypto test vectors, + along with test harness fixes. + + * Fixed memory leak in nc(1) + +2.8.1 - Test and compatibility improvements + + * Added Wycheproof support for ECDH, RSASSA-PSS, AES-GCM, + AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305, ECDSA, and + X25519 test vectors. Applied appropriate fixes for errors uncovered + by tests. + + * Simplified key exchange signature generation and verification. + + * Fixed a one-byte buffer overrun in callers of EVP_read_pw_string + + * Converted more code paths to use CBB/CBS. All handshake messages are + now created by CBB. + + * Fixed various memory leaks found by Coverity. + + * Simplified session ticket parsing and handling, inspired by + BoringSSL. + + * Modified signature of CRYPTO_mem_leaks_* to return -1. This function + is a no-op in LibreSSL, so this function returns an error to not + indicate the (non-)existence of memory leaks. + + * SSL_copy_session_id, PEM_Sign, EVP_EncodeUpdate, BIO_set_cipher, + X509_OBJECT_up_ref_count now return an int for error handling, + matching OpenSSL. + + * Converted a number of #defines into proper functions, matching + OpenSSL's ABI. + + * Added X509_get0_serialNumber from OpenSSL. 
+ + * Removed EVP_PKEY2PKCS8_broken and PKCS8_set_broken, while adding + PKCS8_pkey_add1_attr_by_NID and PKCS8_pkey_get0_attrs, matching + OpenSSL. + + * Removed broken pkcs8 formats from openssl(1). + + * Converted more functions in public API to use const arguments. + + * Stopped handing AES-GCM in ssl_cipher_get_evp, since they use the + EVP_AEAD interface. + + * Stopped using composite EVP_CIPHER AEADs. + + * Added timing-safe compares for checking results of signature + verification. There are no known attacks, this is just inexpensive + prudence. + + * Correctly clear the current cipher state, when changing cipher state. + This fixed an issue where renegotiation of cipher suites would fail + when switched from AEAD to non-AEAD or vice-versa. + Issue reported by Bernard Spil. + + * Added more cipher tests to appstest.sh, including all TLSv1.2 + ciphers. + + * Added RSA_meth_get_finish() RSA_meth_set1_name() from OpenSSL. + + * Added new EVP_CIPHER_CTX_(get|set)_iv() API that allows the IV to be + retrieved and set with appropriate validation. + +2.8.0 - Bug fixes, security, and compatibility improvements + + * Extensive documentation updates and additional API history. + + * Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry + + * Tighten up checks for various X509_VERIFY_PARAM functions, + 'poisoning' parameters so that an unverified certificate cannot be + used if it fails verification. + + * Fixed a potential memory leak on failure in ASN1_item_digest + + * Fixed a potential memory alignment crash in asn1_item_combine_free + + * Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and + SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO paths. + + * Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds. + + * Made ENGINE_finish and ENGINE_free succeed on NULL and simplify callers + and matching OpenSSL behavior, rewrote ENGINE_* documentation. 
+ + * Added const annotations to many existing APIs from OpenSSL, making + interoperability easier for downstream applications. + + * Fixed small timing side-channels in ecdsa_sign_setup and + dsa_sign_setup. + + * Documented security pitfalls with BN_FLG_CONSTTIME and constant-time + operation of BN_* functions. + + * Updated BN_clear to use explicit_bzero. + + * Added a missing bounds check in c2i_ASN1_BIT_STRING. + + * More CBS conversions, including simplifications to RSA key exchange, + and converted code to use dedicated buffers for secrets. + + * Removed three remaining single DES cipher suites. + + * Fixed a potential leak/incorrect return value in DSA signature + generation. + + * Added a blinding value when generating DSA and ECDSA signatures, in + order to reduce the possibility of a side-channel attack leaking the + private key. + + * Added ECC constant time scalar multiplication support. + From Billy Brumley and his team at Tampere University of Technology. + + * Revised the implementation of RSASSA-PKCS1-v1_5 to match the + specification in RFC 8017. Based on an OpenSSL commit by David + Benjamin. + + * Cleaned up BN_* implementations following changes made in OpenSSL by + Davide Galassi and others. + +2.7.4 - Security fixes + + * Avoid a timing side-channel leak when generating DSA and ECDSA + signatures. This is caused by an attempt to do fast modular + arithmetic, which introduces branches that leak information + regarding secret values. Issue identified and reported by Keegan + Ryan of NCC Group. + + * Reject excessively large primes in DH key generation. Problem + reported by Guido Vranken to OpenSSL + (https://github.com/openssl/openssl/pull/6457) and based on his + diff. + +2.7.3 - Bug fixes + + * Removed incorrect NULL checks in DH_set0_key(). 
Reported by Ondrej + Sury + + * Fixed an issue normalizing CPU architecture in the configure script, + which disabled assembly optimizations on platforms that get detected + as 'amd64', opposed to 'x86_64' + + * Limited tls_config_clear_keys() to only clear private keys. + This was inadvertently clearing the keypair, which includes the OCSP + staple and pubkey hash - if an application called tls_configure() + followed by tls_config_clear_keys(), this would prevent OCSP staples + from working. + 2.7.2 - Stable release * Updated and added extensive new HISTORY sections to API manuals. @@ -904,7 +1536,7 @@ LibreSSL Portable Release Notes: * Removed nonfunctional Netscape browser-hang workaround code. - * Simplfied and refactored SSL/DTLS handshake code. + * Simplified and refactored SSL/DTLS handshake code. * Added SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932. diff --git a/FindLibreSSL.cmake b/FindLibreSSL.cmake new file mode 100644 index 0000000..6bdc069 --- /dev/null +++ b/FindLibreSSL.cmake 
@@ -0,0 +1,227 @@ +#[=======================================================================[ + +Copyright (c) 2019 John Norrbin + +Permission to use, copy, modify, and distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +FindLibreSSL +------------ + +Find the LibreSSL encryption library. + +Optional Components +^^^^^^^^^^^^^^^^^^^ + +This module supports two optional components: SSL and TLS. Both +components have associated imported targets, as described below. + +Imported Targets +^^^^^^^^^^^^^^^^ + +This module defines the following imported targets: + +LibreSSL::Crypto + The LibreSSL crypto library, if found. + +LibreSSL::SSL + The LibreSSL ssl library, if found. Requires and includes LibreSSL::Crypto automatically. + +LibreSSL::TLS + The LibreSSL tls library, if found. Requires and includes LibreSSL::SSL and LibreSSL::Crypto automatically. + +Result Variables +^^^^^^^^^^^^^^^^ + +This module will set the following variables in your project: + +LIBRESSL_FOUND + System has the LibreSSL library. If no components are requested it only requires the crypto library. +LIBRESSL_INCLUDE_DIR + The LibreSSL include directory. +LIBRESSL_CRYPTO_LIBRARY + The LibreSSL crypto library. +LIBRESSL_SSL_LIBRARY + The LibreSSL SSL library. +LIBRESSL_TLS_LIBRARY + The LibreSSL TLS library. +LIBRESSL_LIBRARIES + All LibreSSL libraries. 
+LIBRESSL_VERSION + This is set to $major.$minor.$revision (e.g. 2.6.8). + +Hints +^^^^^ + +Set LIBRESSL_ROOT_DIR to the root directory of an LibreSSL installation. + +]=======================================================================] + +INCLUDE(FindPackageHandleStandardArgs) + +# Set Hints +set(_LIBRESSL_ROOT_HINTS + ${LIBRESSL_ROOT_DIR} + ENV LIBRESSL_ROOT_DIR +) + +# Set Paths +if (WIN32) + file(TO_CMAKE_PATH "$ENV{PROGRAMFILES}" _programfiles) + set(_LIBRESSL_ROOT_PATHS + "${_programfiles}/LibreSSL" + ) + unset(_programfiles) +else() + set(_LIBRESSL_ROOT_PATHS + "/usr/local/" + ) +endif() + +# Combine +set(_LIBRESSL_ROOT_HINTS_AND_PATHS + HINTS ${_LIBRESSL_ROOT_HINTS} + PATHS ${_LIBRESSL_ROOT_PATHS} +) + +# Find Include Path +find_path(LIBRESSL_INCLUDE_DIR + NAMES + tls.h + ${_LIBRESSL_ROOT_HINTS_AND_PATHS} + PATH_SUFFIXES + include +) + +# Find Crypto Library +find_library(LIBRESSL_CRYPTO_LIBRARY + NAMES + libcrypto + crypto + NAMES_PER_DIR + ${_LIBRESSL_ROOT_HINTS_AND_PATHS} + PATH_SUFFIXES + lib +) + +# Find SSL Library +find_library(LIBRESSL_SSL_LIBRARY + NAMES + libssl + ssl + NAMES_PER_DIR + ${_LIBRESSL_ROOT_HINTS_AND_PATHS} + PATH_SUFFIXES + lib +) + +# Find TLS Library +find_library(LIBRESSL_TLS_LIBRARY + NAMES + libtls + tls + NAMES_PER_DIR + ${_LIBRESSL_ROOT_HINTS_AND_PATHS} + PATH_SUFFIXES + lib +) + +# Set Libraries +set(LIBRESSL_LIBRARIES ${LIBRESSL_CRYPTO_LIBRARY} ${LIBRESSL_SSL_LIBRARY} ${LIBRESSL_TLS_LIBRARY}) + +# Mark Variables As Advanced +mark_as_advanced(LIBRESSL_INCLUDE_DIR LIBRESSL_LIBRARIES LIBRESSL_CRYPTO_LIBRARY LIBRESSL_SSL_LIBRARY LIBRESSL_TLS_LIBRARY) + +# Find Version File +if(LIBRESSL_INCLUDE_DIR AND EXISTS "${LIBRESSL_INCLUDE_DIR}/openssl/opensslv.h") + + # Get Version From File + file(STRINGS "${LIBRESSL_INCLUDE_DIR}/openssl/opensslv.h" OPENSSLV.H REGEX "#define LIBRESSL_VERSION_TEXT[ ]+\".*\"") + + # Match Version String + string(REGEX REPLACE ".*\".*([0-9]+)\\.([0-9]+)\\.([0-9]+)\"" "\\1;\\2;\\3" LIBRESSL_VERSION_LIST 
"${OPENSSLV.H}") + + # Split Parts + list(GET LIBRESSL_VERSION_LIST 0 LIBRESSL_VERSION_MAJOR) + list(GET LIBRESSL_VERSION_LIST 1 LIBRESSL_VERSION_MINOR) + list(GET LIBRESSL_VERSION_LIST 2 LIBRESSL_VERSION_REVISION) + + # Set Version String + set(LIBRESSL_VERSION "${LIBRESSL_VERSION_MAJOR}.${LIBRESSL_VERSION_MINOR}.${LIBRESSL_VERSION_REVISION}") + +endif() + +# Set Find Package Arguments +find_package_handle_standard_args(LibreSSL + REQUIRED_VARS + LIBRESSL_CRYPTO_LIBRARY + LIBRESSL_INCLUDE_DIR + VERSION_VAR + LIBRESSL_VERSION + HANDLE_COMPONENTS + FAIL_MESSAGE + "Could NOT find LibreSSL, try setting the path to LibreSSL using the LIBRESSL_ROOT_DIR environment variable" +) + +# LibreSSL Found +if(LIBRESSL_FOUND) + + # Set LibreSSL::Crypto + if(NOT TARGET LibreSSL::Crypto AND EXISTS "${LIBRESSL_CRYPTO_LIBRARY}") + + # Add Library + add_library(LibreSSL::Crypto UNKNOWN IMPORTED) + + # Set Properties + set_target_properties( + LibreSSL::Crypto + PROPERTIES + INTERFACE_INCLUDE_DIRECTORIES "${LIBRESSL_INCLUDE_DIR}" + IMPORTED_LINK_INTERFACE_LANGUAGES "C" + IMPORTED_LOCATION "${LIBRESSL_CRYPTO_LIBRARY}" + ) + + endif() # LibreSSL::Crypto + + # Set LibreSSL::SSL + if(NOT TARGET LibreSSL::SSL AND EXISTS "${LIBRESSL_SSL_LIBRARY}") + + # Add Library + add_library(LibreSSL::SSL UNKNOWN IMPORTED) + + # Set Properties + set_target_properties( + LibreSSL::SSL + PROPERTIES + INTERFACE_INCLUDE_DIRECTORIES "${LIBRESSL_INCLUDE_DIR}" + IMPORTED_LINK_INTERFACE_LANGUAGES "C" + IMPORTED_LOCATION "${LIBRESSL_SSL_LIBRARY}" + INTERFACE_LINK_LIBRARIES LibreSSL::Crypto + ) + + endif() # LibreSSL::SSL + + # Set LibreSSL::TLS + if(NOT TARGET LibreSSL::TLS AND EXISTS "${LIBRESSL_TLS_LIBRARY}") + add_library(LibreSSL::TLS UNKNOWN IMPORTED) + set_target_properties( + LibreSSL::TLS + PROPERTIES + INTERFACE_INCLUDE_DIRECTORIES "${LIBRESSL_INCLUDE_DIR}" + IMPORTED_LINK_INTERFACE_LANGUAGES "C" + IMPORTED_LOCATION "${LIBRESSL_TLS_LIBRARY}" + INTERFACE_LINK_LIBRARIES LibreSSL::SSL + ) + + endif() # 
LibreSSL::TLS + +endif(LIBRESSL_FOUND) diff --git a/README.md b/README.md index d03e3bb..833f0d4 100644 --- a/README.md +++ b/README.md @@ -1,21 +1,10 @@ -Official repository is development, not release versions of LibreSSL, and needs external applications to prepare for -build. +![LibreSSL image](https://www.libressl.org/images/libressl.jpg) +## Official portable version of [LibreSSL](https://www.libressl.org) ## -Built from https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.7.2.tar.gz - -Modifications: -- Removed tests/mandocs/pkgconfig/scripts/apps/cmake_uninstall from both filesystem and CMakeLists.txt -- Removed m4 configuration files + make build scripts - -=== - -![LibreSSL image](http://www.libressl.org/images/libressl.jpg) -## Official portable version of [LibreSSL](http://www.libressl.org) ## - -[![Build Status](https://travis-ci.org/libressl-portable/portable.svg?branch=master)](https://travis-ci.org/libressl-portable/portable) +[![Build Status](https://travis-ci.org/libressl-portable/portable.svg?branch=master)](https://travis-ci.org/libressl-portable/portable) [![Fuzzing Status](https://oss-fuzz-build-logs.storage.googleapis.com/badges/libressl.svg)](https://bugs.chromium.org/p/oss-fuzz/issues/list?sort=-opened&can=1&q=proj:libressl) LibreSSL is a fork of [OpenSSL](https://www.openssl.org) 1.0.1g developed by the -[OpenBSD](http://www.openbsd.org) project. Our goal is to modernize the codebase, +[OpenBSD](https://www.openbsd.org) project. Our goal is to modernize the codebase, improve security, and apply best practice development processes from OpenBSD. ## Compatibility with OpenSSL: ## 
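Review bot: The version regex `".*\".*([0-9]+)\\.([0-9]+)\\.([0-9]+)\""` in the `string(REGEX REPLACE ...)` call lets the greedy `.*` swallow all but the last digit of the major version, so a two-digit major (e.g. `"LibreSSL 10.0.1"`) would be reported as `0.0.1` and any `find_package(LibreSSL <ver>)` minimum would be checked against the wrong number; `".*\"[^0-9]*([0-9]+)\\.([0-9]+)\\.([0-9]+)\""` anchors the capture to the first digit run without assuming the text before it. Separately, `LIBRESSL_ROOT_DIR` is only a `HINTS` entry, so when the hinted tree has no `lib/` subdirectory (a `lib64` layout, for instance) the `find_library` calls fall through to the system directories and can pair LibreSSL headers (located via the LibreSSL-only `tls.h`) with another `libcrypto`, while `LIBRESSL_VERSION` is still read from the header; adding `lib64` to `PATH_SUFFIXES` of the three `find_library` calls narrows that, and the documented hint should say "CMake or environment variable" since the `FAIL_MESSAGE` only mentions the environment form.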
@@ -37,7 +26,7 @@ the LibreSSL portable project attempts to provide working alternatives for other operating systems, and assists with improving OS-native implementations where possible. -At the time of this writing, LibreSSL is know to build and work on: +At the time of this writing, LibreSSL is known to build and work on: * Linux (kernel 3.17 or later recommended) * FreeBSD (tested with 9.2 and later) @@ -48,14 +37,14 @@ At the time of this writing, LibreSSL is know to build and work on: * AIX (5.3 and later) LibreSSL also supports the following Windows environments: -* Microsoft Windows (XP or higher, x86 and x64) +* Microsoft Windows (Vista or higher, x86 and x64) * Wine (32-bit and 64-bit) * Builds with Mingw-w64, Cygwin, and Visual Studio Official release tarballs are available at your friendly neighborhood OpenBSD mirror in directory -[LibreSSL](http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/), -although we suggest that you use a [mirror](http://www.openbsd.org/ftp.html). +[LibreSSL](https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/), +although we suggest that you use a [mirror](https://www.openbsd.org/ftp.html). The LibreSSL portable build framework is also [mirrored](https://github.com/libressl-portable/portable) in Github. 
@@ -77,13 +66,13 @@ building. _Note: Your build will fail if you do not follow these instructions! I 1. Ensure you have the following packages installed: automake, autoconf, git, libtool, perl -2. Run './autogen.sh' to prepare the source tree for building or - run './dist.sh' to prepare a tarball. +2. Run `./autogen.sh` to prepare the source tree for building or + run `./dist.sh` to prepare a tarball. ## Steps that apply to all builds ## Once you have a source tree, either by downloaded using git and having -run the autogen.sh script above, or by downloading a release distribution from +run the `autogen.sh` script above, or by downloading a release distribution from an OpenBSD mirror, run these commands to build and install the package on most systems: @@ -117,7 +106,7 @@ ninja test #### HP-UX (11i) #### -Set the UNIX_STD environment variable to '2003' before running 'configure' +Set the UNIX_STD environment variable to `2003` before running `configure` in order to build with the HP C/aC++ compiler. See the "standards(5)" man page for more details. @@ -145,7 +134,7 @@ directory and run: cmake -G"Visual Studio 12 2013" .. ``` -Replace "Visual Studion 12 2013" with whatever version of Visual Studio you +Replace "Visual Studio 12 2013" with whatever version of Visual Studio you have installed. This will generate a LibreSSL.sln file that you can incorporate into other projects or build by itself. @@ -154,9 +143,62 @@ into other projects or build by itself. | Option Name | Default | Description | ------------ | -----: | ------ | LIBRESSL_SKIP_INSTALL | OFF | allows skipping install() rules. Can be specified from command line using
```-DLIBRESSL_SKIP_INSTALL=ON``` | +| LIBRESSL_APPS | ON | allows skipping application builds. Apps are required to run tests | +| LIBRESSL_TESTS | ON | allows skipping of tests. Tests are only available in static builds | +| BUILD_SHARED_LIBS | OFF | CMake option for building shared libraries. | | ENABLE_ASM | ON | builds assembly optimized rules. | | ENABLE_EXTRATESTS | OFF | Enable extra tests that may be unreliable on some platforms | | ENABLE_NC | OFF | Enable installing TLS-enabled nc(1) | -| ENABLE_VSTEST | OFF | Enable test on Visual Studio | | OPENSSLDIR | Blank | Set the default openssl directory. Can be specified from command line using
```-DOPENSSLDIR=``` | +# Using LibreSSL # + +## CMake ## + +Make a new folder in your project root (where your main CMakeLists.txt file is located) called CMake. Copy the FindLibreSSL.cmake file to that folder, and add the following line to your main CMakeLists.txt: + +```cmake +set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/CMake;${CMAKE_MODULE_PATH}") +``` + +After your **add_executable** or **add_library** line in your CMakeLists.txt file add the following: + +```cmake +find_package(LibreSSL REQUIRED) +``` + +It will tell CMake to find LibreSSL and if found will let you use the following 3 interfaces in your CMakeLists.txt file: + +* LibreSSL::Crypto +* LibreSSL::SSL +* LibreSSL::TLS + +If you for example want to use the LibreSSL TLS library in your test program, include it like so (SSL and Cryto are required by TLS and included automatically too): + +```cmake +target_link_libraries(test LibreSSL::TLS) +``` + +Full example: + +```cmake +cmake_minimum_required(VERSION 3.10.0) + +set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/CMake;${CMAKE_MODULE_PATH}") + +project(test) + +add_executable(test Main.cpp) + +find_package(LibreSSL REQUIRED) + +target_link_libraries(test LibreSSL::TLS) +``` + +#### Linux #### + +Following the guide in the sections above to compile LibreSSL using make and running "sudo make install" will install LibreSSL to the /usr/local/ folder, and will found automatically by find_package. If your system installs it to another location or you have placed them yourself in a different location, you can set the CMake variable LIBRESSL_ROOT_DIR to the correct path, to help CMake find the library. + +#### Windows #### + +Placing the library files in C:/Program Files/LibreSSL/lib and the include files in C:/Program Files/LibreSSL/include should let CMake find them automatically, but it is recommended that you use CMake-GUI to set the paths. It is more convenient as you can have the files in any folder you choose. 
diff --git a/VERSION b/VERSION index c57e1bc..19ef286 100644 --- a/VERSION +++ b/VERSION @@ -1,2 +1,2 @@ -2.7.2 +3.2.2 diff --git a/cmake_uninstall.cmake.in b/cmake_uninstall.cmake.in deleted file mode 100644 index bb8055d..0000000 --- a/cmake_uninstall.cmake.in +++ /dev/null @@ -1,21 +0,0 @@ -if(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt") - message(FATAL_ERROR "Cannot find install manifest: @CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt") -endif(NOT EXISTS "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt") - -file(READ "@CMAKE_CURRENT_BINARY_DIR@/install_manifest.txt" files) -string(REGEX REPLACE "\n" ";" files "${files}") -foreach(file ${files}) - message(STATUS "Uninstalling $ENV{DESTDIR}${file}") - if(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}") - exec_program( - "@CMAKE_COMMAND@" ARGS "-E remove \"$ENV{DESTDIR}${file}\"" - OUTPUT_VARIABLE rm_out - RETURN_VALUE rm_retval - ) - if(NOT "${rm_retval}" STREQUAL 0) - message(FATAL_ERROR "Problem when removing $ENV{DESTDIR}${file}") - endif(NOT "${rm_retval}" STREQUAL 0) - else(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}") - message(STATUS "File $ENV{DESTDIR}${file} does not exist.") - endif(IS_SYMLINK "$ENV{DESTDIR}${file}" OR EXISTS "$ENV{DESTDIR}${file}") -endforeach(file) diff --git a/crypto/CMakeLists.txt b/crypto/CMakeLists.txt index 2fa08a5..7066cc8 100644 --- a/crypto/CMakeLists.txt +++ b/crypto/CMakeLists.txt 
@@ -1,13 +1,27 @@ -include_directories( - . - ../include - ../include/compat - asn1 - bn - dsa - evp - modes -) +if(HOST_ASM_ELF_ARMV4) + set( + ASM_ARMV4_ELF_SRC + aes/aes-elf-armv4.S + bn/gf2m-elf-armv4.S + bn/mont-elf-armv4.S + sha/sha1-elf-armv4.S + sha/sha512-elf-armv4.S + sha/sha256-elf-armv4.S + modes/ghash-elf-armv4.S + armv4cpuid.S + armcap.c + ) + add_definitions(-DAES_ASM) + add_definitions(-DOPENSSL_BN_ASM_MONT) + add_definitions(-DOPENSSL_BN_ASM_GF2m) + add_definitions(-DGHASH_ASM) + add_definitions(-DSHA1_ASM) + add_definitions(-DSHA256_ASM) + add_definitions(-DSHA512_ASM) + add_definitions(-DOPENSSL_CPUID_OBJ) + set_property(SOURCE ${ASM_ARMV4_ELF_SRC} PROPERTY LANGUAGE C) + set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_ARMV4_ELF_SRC}) +endif() if(HOST_ASM_ELF_X86_64) set( 
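Review bot: `add_definitions(-DAES_ASM)` in the `HOST_ASM_ELF_ARMV4` block swaps the C AES for `aes/aes-elf-armv4.S`, and as far as that file is visible in this diff it is a table-driven implementation (an `AES_Te` word table indexed by state bytes, e.g. `ldr r4,[r10,r7,lsl#2] @ Te3[s0>>0]`), so it is a speed optimization and not a constant-time or hardware-backed cipher; a reader seeing `AES_ASM` may assume the opposite. A one-line comment next to the define would make that explicit: `# aes-elf-armv4.S is a T-table AES (perf only, not constant-time)`. The same `LANGUAGE C` trick as the x86_64 blocks is used to run the `.S` files through the C driver, which is consistent, but the directory-scoped `add_definitions` leak into every target configured below this point; collecting them into a list and applying it with `target_compile_definitions(crypto PRIVATE ...)` once the target exists would keep the asm defines on `crypto` only.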
@@ -91,14 +105,113 @@ if(HOST_ASM_MACOSX_X86_64) add_definitions(-DOPENSSL_CPUID_OBJ) set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_MACOSX_SRC}) set_property(SOURCE ${ASM_X86_64_MACOSX_SRC} PROPERTY LANGUAGE C) + set_property(SOURCE ${ASM_X86_64_MACOSX_SRC} PROPERTY XCODE_EXPLICIT_FILE_TYPE "sourcecode.asm") endif() -if((NOT HOST_ASM_ELF_X86_64) AND (NOT HOST_ASM_MACOSX_X86_64)) +if(HOST_ASM_MASM_X86_64) + set( + ASM_X86_64_MASM_SRC + aes/aes-masm-x86_64.S + aes/bsaes-masm-x86_64.S + aes/vpaes-masm-x86_64.S + aes/aesni-masm-x86_64.S + aes/aesni-sha1-masm-x86_64.S + #bn/modexp512-masm-x86_64.S + #bn/mont-masm-x86_64.S + #bn/mont5-masm-x86_64.S + #bn/gf2m-masm-x86_64.S + camellia/cmll-masm-x86_64.S + md5/md5-masm-x86_64.S + modes/ghash-masm-x86_64.S + rc4/rc4-masm-x86_64.S + rc4/rc4-md5-masm-x86_64.S + sha/sha1-masm-x86_64.S + sha/sha256-masm-x86_64.S + sha/sha512-masm-x86_64.S + whrlpool/wp-masm-x86_64.S + cpuid-masm-x86_64.S + ) + add_definitions(-DAES_ASM) + add_definitions(-DBSAES_ASM) + add_definitions(-DVPAES_ASM) + add_definitions(-DOPENSSL_IA32_SSE2) + #add_definitions(-DOPENSSL_BN_ASM_MONT) + #add_definitions(-DOPENSSL_BN_ASM_MONT5) + #add_definitions(-DOPENSSL_BN_ASM_GF2m) + add_definitions(-DMD5_ASM) + add_definitions(-DGHASH_ASM) + add_definitions(-DRSA_ASM) + add_definitions(-DSHA1_ASM) + add_definitions(-DSHA256_ASM) + add_definitions(-DSHA512_ASM) + add_definitions(-DWHIRLPOOL_ASM) + add_definitions(-DOPENSSL_CPUID_OBJ) + set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_MASM_SRC}) + set_property(SOURCE ${ASM_X86_64_MASM_SRC} PROPERTY LANGUAGE ASM_MASM) +endif() + +if(HOST_ASM_MINGW64_X86_64) + set( + ASM_X86_64_MINGW64_SRC + aes/aes-mingw64-x86_64.S + aes/bsaes-mingw64-x86_64.S + aes/vpaes-mingw64-x86_64.S + aes/aesni-mingw64-x86_64.S + aes/aesni-sha1-mingw64-x86_64.S + #bn/modexp512-mingw64-x86_64.S + #bn/mont-mingw64-x86_64.S + #bn/mont5-mingw64-x86_64.S + #bn/gf2m-mingw64-x86_64.S + camellia/cmll-mingw64-x86_64.S + md5/md5-mingw64-x86_64.S + 
modes/ghash-mingw64-x86_64.S + rc4/rc4-mingw64-x86_64.S + rc4/rc4-md5-mingw64-x86_64.S + sha/sha1-mingw64-x86_64.S + sha/sha256-mingw64-x86_64.S + sha/sha512-mingw64-x86_64.S + whrlpool/wp-mingw64-x86_64.S + cpuid-mingw64-x86_64.S + ) + add_definitions(-DAES_ASM) + add_definitions(-DBSAES_ASM) + add_definitions(-DVPAES_ASM) + add_definitions(-DOPENSSL_IA32_SSE2) + #add_definitions(-DOPENSSL_BN_ASM_MONT) + #add_definitions(-DOPENSSL_BN_ASM_MONT5) + #add_definitions(-DOPENSSL_BN_ASM_GF2m) + add_definitions(-DMD5_ASM) + add_definitions(-DGHASH_ASM) + add_definitions(-DRSA_ASM) + add_definitions(-DSHA1_ASM) + add_definitions(-DSHA256_ASM) + add_definitions(-DSHA512_ASM) + add_definitions(-DWHIRLPOOL_ASM) + add_definitions(-DOPENSSL_CPUID_OBJ) + set(CRYPTO_SRC ${CRYPTO_SRC} ${ASM_X86_64_MINGW64_SRC}) + set_property(SOURCE ${ASM_X86_64_MINGW64_SRC} PROPERTY LANGUAGE C) +endif() + +if((NOT HOST_ASM_ELF_X86_64) AND + (NOT HOST_ASM_MACOSX_X86_64) AND + (NOT HOST_ASM_MASM_X86_64) AND + (NOT HOST_ASM_MINGW64_X86_64) AND + (NOT HOST_ASM_ELF_ARMV4)) + set( + CRYPTO_SRC + ${CRYPTO_SRC} + aes/aes_core.c + ) +endif() + +if((NOT HOST_ASM_ELF_X86_64) AND + (NOT HOST_ASM_MACOSX_X86_64) AND + (NOT HOST_ASM_MASM_X86_64) AND + (NOT HOST_ASM_MINGW64_X86_64)) set( CRYPTO_SRC ${CRYPTO_SRC} aes/aes_cbc.c - aes/aes_core.c camellia/camellia.c camellia/cmll_cbc.c rc4/rc4_enc.c @@ -130,7 +243,6 @@ set( aes/aes_wrap.c asn1/a_bitstr.c asn1/a_bool.c - asn1/a_bytes.c asn1/a_d2i_fp.c asn1/a_digest.c asn1/a_dup.c @@ -141,7 +253,6 @@ set( asn1/a_object.c asn1/a_octet.c asn1/a_print.c - asn1/a_set.c asn1/a_sign.c asn1/a_strex.c asn1/a_strnid.c @@ -273,6 +384,20 @@ set( cmac/cm_ameth.c cmac/cm_pmeth.c cmac/cmac.c + cms/cms_asn1.c + cms/cms_att.c + cms/cms_cd.c + cms/cms_dd.c + cms/cms_enc.c + cms/cms_env.c + cms/cms_err.c + cms/cms_ess.c + cms/cms_io.c + cms/cms_kari.c + cms/cms_lib.c + cms/cms_pwri.c + cms/cms_sd.c + cms/cms_smime.c comp/c_rle.c comp/c_zlib.c comp/comp_err.c 
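Review bot: Both new blocks leave commented-out entries (`#bn/mont-masm-x86_64.S`, `#add_definitions(-DOPENSSL_BN_ASM_MONT)` and their MinGW twins) in the source lists with no explanation, so a reader cannot tell whether the Montgomery/GF(2^m) assembly is broken, unported, or deliberately disabled on Windows; either drop them or replace the four commented lines with one comment, e.g. `# bn/*-x86_64 Montgomery asm not enabled on Windows yet; generic C bn code is used`. `set_property(SOURCE ${ASM_X86_64_MASM_SRC} PROPERTY LANGUAGE ASM_MASM)` also presumes the `ASM_MASM` language is enabled for the project; nothing in this hunk enables it, so if it is not done elsewhere, CMake will error at generate time on the first `.S` file. The two blocks duplicate twenty lines of defines; a shared list applied to whichever of `ASM_X86_64_MASM_SRC`/`ASM_X86_64_MINGW64_SRC` is selected would keep them from drifting apart.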
@@ -346,6 +471,7 @@ set( ec/ec_cvt.c ec/ec_err.c ec/ec_key.c + ec/ec_kmeth.c ec/ec_lib.c ec/ec_mult.c ec/ec_oct.c @@ -356,6 +482,7 @@ set( ec/ecp_nist.c ec/ecp_oct.c ec/ecp_smpl.c + ecdh/ecdh_kdf.c ecdh/ech_err.c ecdh/ech_key.c ecdh/ech_lib.c @@ -384,6 +511,7 @@ set( engine/tb_dsa.c engine/tb_ecdh.c engine/tb_ecdsa.c + engine/tb_eckey.c engine/tb_pkmeth.c engine/tb_rand.c engine/tb_rsa.c @@ -412,6 +540,7 @@ set( evp/e_rc2.c evp/e_rc4.c evp/e_rc4_hmac_md5.c + evp/e_sm4.c evp/e_xcbc_d.c evp/encode.c evp/evp_aead.c @@ -434,6 +563,7 @@ set( evp/m_sha1.c evp/m_sigver.c evp/m_streebog.c + evp/m_sm3.c evp/m_wp.c evp/names.c evp/p5_crpt.c @@ -568,6 +698,8 @@ set( sha/sha1dgst.c sha/sha256.c sha/sha512.c + sm3/sm3.c + sm4/sm4.c stack/stack.c ts/ts_asn1.c ts/ts_conf.c @@ -588,20 +720,56 @@ set( x509/by_dir.c x509/by_file.c x509/by_mem.c + x509/pcy_cache.c + x509/pcy_data.c + x509/pcy_lib.c + x509/pcy_map.c + x509/pcy_node.c + x509/pcy_tree.c + x509/x509_akey.c + x509/x509_akeya.c + x509/x509_alt.c x509/x509_att.c + x509/x509_bcons.c + x509/x509_bitst.c x509/x509_cmp.c + x509/x509_conf.c + x509/x509_constraints.c + x509/x509_cpols.c + x509/x509_crld.c x509/x509_d2.c x509/x509_def.c + x509/x509_enum.c x509/x509_err.c x509/x509_ext.c + x509/x509_extku.c + x509/x509_genn.c + x509/x509_ia5.c + x509/x509_info.c + x509/x509_int.c + x509/x509_issuer_cache.c + x509/x509_lib.c x509/x509_lu.c + x509/x509_ncons.c x509/x509_obj.c + x509/x509_ocsp.c + x509/x509_pci.c + x509/x509_pcia.c + x509/x509_pcons.c + x509/x509_pku.c + x509/x509_pmaps.c + x509/x509_prn.c + x509/x509_purp.c x509/x509_r2x.c x509/x509_req.c x509/x509_set.c + x509/x509_skey.c + x509/x509_sxnet.c x509/x509_trs.c x509/x509_txt.c + x509/x509_utl.c x509/x509_v3.c + x509/x509_verify.c x509/x509_vfy.c x509/x509_vpm.c x509/x509cset.c 
@@ -610,49 +778,17 @@ set( x509/x509spki.c x509/x509type.c x509/x_all.c - x509v3/pcy_cache.c - x509v3/pcy_data.c - x509v3/pcy_lib.c - x509v3/pcy_map.c - x509v3/pcy_node.c - x509v3/pcy_tree.c - x509v3/v3_akey.c - x509v3/v3_akeya.c - x509v3/v3_alt.c - x509v3/v3_bcons.c - x509v3/v3_bitst.c - x509v3/v3_conf.c - x509v3/v3_cpols.c - x509v3/v3_crld.c - x509v3/v3_enum.c - x509v3/v3_extku.c - x509v3/v3_genn.c - x509v3/v3_ia5.c - x509v3/v3_info.c - x509v3/v3_int.c - x509v3/v3_lib.c - x509v3/v3_ncons.c - x509v3/v3_ocsp.c - x509v3/v3_pci.c - x509v3/v3_pcia.c - x509v3/v3_pcons.c - x509v3/v3_pku.c - x509v3/v3_pmaps.c - x509v3/v3_prn.c - x509v3/v3_purp.c - x509v3/v3_skey.c - x509v3/v3_sxnet.c - x509v3/v3_utl.c - x509v3/v3err.c ) if(UNIX) + set(CRYPTO_SRC ${CRYPTO_SRC} crypto_lock.c) set(CRYPTO_SRC ${CRYPTO_SRC} bio/b_posix.c) set(CRYPTO_SRC ${CRYPTO_SRC} bio/bss_log.c) set(CRYPTO_SRC ${CRYPTO_SRC} ui/ui_openssl.c) endif() if(WIN32) + set(CRYPTO_SRC ${CRYPTO_SRC} compat/crypto_lock_win.c) set(CRYPTO_SRC ${CRYPTO_SRC} bio/b_win.c) set(CRYPTO_UNEXPORT ${CRYPTO_UNEXPORT} BIO_s_log) set(CRYPTO_SRC ${CRYPTO_SRC} ui/ui_openssl_win.c) @@ -661,6 +797,7 @@ endif() if(WIN32) set(CRYPTO_SRC ${CRYPTO_SRC} compat/posix_win.c) set(EXTRA_EXPORT ${EXTRA_EXPORT} gettimeofday) + set(EXTRA_EXPORT ${EXTRA_EXPORT} getuid) set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_perror) set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_fopen) set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_fgets) @@ -672,7 +809,6 @@ if(WIN32) set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_write) set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_getsockopt) set(EXTRA_EXPORT ${EXTRA_EXPORT} posix_setsockopt) - set(EXTRA_EXPORT ${EXTRA_EXPORT} sleep) endif() if(NOT HAVE_ASPRINTF) 
@@ -690,6 +826,16 @@ if(NOT HAVE_GETPAGESIZE) set(CRYPTO_SRC ${CRYPTO_SRC} compat/getpagesize.c) endif() +if(NOT HAVE_GETPROGNAME) + if(WIN32) + set(CRYPTO_SRC ${CRYPTO_SRC} compat/getprogname_windows.c) + elseif(CMAKE_SYSTEM_NAME MATCHES "Linux") + set(CRYPTO_SRC ${CRYPTO_SRC} compat/getprogname_linux.c) + else() + set(CRYPTO_SRC ${CRYPTO_SRC} compat/getprogname_unimpl.c) + endif() +endif() + if(NOT HAVE_REALLOCARRAY) set(CRYPTO_SRC ${CRYPTO_SRC} compat/reallocarray.c) set(EXTRA_EXPORT ${EXTRA_EXPORT} reallocarray) @@ -729,6 +875,10 @@ if(NOT HAVE_STRSEP) set(EXTRA_EXPORT ${EXTRA_EXPORT} strsep) endif() +if(NOT HAVE_SYSLOG_R) + set(CRYPTO_SRC ${CRYPTO_SRC} compat/syslog_r.c) +endif() + if(NOT HAVE_TIMEGM) set(CRYPTO_SRC ${CRYPTO_SRC} compat/timegm.c) set(EXTRA_EXPORT ${EXTRA_EXPORT} timegm) @@ -786,7 +936,12 @@ endif() if(NOT ENABLE_ASM) add_definitions(-DOPENSSL_NO_ASM) else() - if(WIN32) + if(MSVC) + if((NOT "${CMAKE_GENERATOR}" MATCHES "Win64") AND + (NOT "${CMAKE_GENERATOR_PLATFORM}" STREQUAL "x64")) + add_definitions(-DOPENSSL_NO_ASM) + endif() + elseif(WIN32) add_definitions(-DOPENSSL_NO_ASM) endif() endif() @@ -794,7 +949,11 @@ endif() if(NOT "${OPENSSLDIR}" STREQUAL "") add_definitions(-DOPENSSLDIR=\"${OPENSSLDIR}\") else() - add_definitions(-DOPENSSLDIR=\"${CMAKE_INSTALL_PREFIX}/etc/ssl\") + if(WIN32) + add_definitions(-DOPENSSLDIR=\"C:/Windows/libressl/ssl\") + else() + add_definitions(-DOPENSSLDIR=\"${CMAKE_INSTALL_PREFIX}/etc/ssl\") + endif() endif() file(READ ${CMAKE_CURRENT_SOURCE_DIR}/crypto.sym SYMS) 
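Review bot: The 64-bit test `(NOT "${CMAKE_GENERATOR}" MATCHES "Win64") AND (NOT "${CMAKE_GENERATOR_PLATFORM}" STREQUAL "x64")` keys on the generator name rather than the target, so an x64 `cl` driven by Ninja or NMake (no `Win64` in the generator name, `CMAKE_GENERATOR_PLATFORM` empty) gets `OPENSSL_NO_ASM` even when the MASM sources were selected earlier in the file, and `OPENSSL_NO_ASM` together with the asm objects is a combination the C code presumably does not expect. `if(NOT CMAKE_SIZEOF_VOID_P EQUAL 8)` is the generator-independent check for a 64-bit target and should be the same condition that sets `HOST_ASM_MASM_X86_64` (not visible here), so that the two can never disagree.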
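Review bot: `add_definitions(-DOPENSSLDIR=\"C:/Windows/libressl/ssl\")` hardcodes a drive letter and a directory that nothing in this hunk creates, while every other platform derives the default from `${CMAKE_INSTALL_PREFIX}/etc/ssl`; since `OPENSSLDIR` is presumably where the library looks for its configuration and certificate files, packagers need to know that on Windows this location is fixed at configure time and does not follow the install prefix. A comment above the line would make that visible: `# Windows default: fixed path, not derived from CMAKE_INSTALL_PREFIX; override with -DOPENSSLDIR=...`, and the README option table, which lists `OPENSSLDIR` as `Blank`, should state the Windows default as well.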
@@ -810,18 +969,31 @@ if(EXTRA_EXPORT) endif() add_library(crypto ${CRYPTO_SRC}) -if (BUILD_SHARED_LIBS) - export_symbol(crypto ${CMAKE_CURRENT_BINARY_DIR}/crypto_p.sym) - if (WIN32) - target_link_libraries(crypto Ws2_32.lib) - set(CRYPTO_POSTFIX -${CRYPTO_MAJOR_VERSION}) - endif() - set_target_properties(crypto PROPERTIES - OUTPUT_NAME crypto${CRYPTO_POSTFIX} - ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX}) - set_target_properties(crypto PROPERTIES VERSION - ${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION}) +target_include_directories(crypto + PRIVATE + . + asn1 + bn + dsa + ec + ecdh + ecdsa + evp + modes + ../include/compat + PUBLIC + ../include) + +export_symbol(crypto ${CMAKE_CURRENT_BINARY_DIR}/crypto_p.sym) +target_link_libraries(crypto ${PLATFORM_LIBS}) +if (WIN32) + set(CRYPTO_POSTFIX -${CRYPTO_MAJOR_VERSION}) endif() +set_target_properties(crypto PROPERTIES + OUTPUT_NAME crypto${CRYPTO_POSTFIX} + ARCHIVE_OUTPUT_NAME crypto${CRYPTO_POSTFIX}) +set_target_properties(crypto PROPERTIES VERSION + ${CRYPTO_VERSION} SOVERSION ${CRYPTO_MAJOR_VERSION}) if(ENABLE_LIBRESSL_INSTALL) install( diff --git a/crypto/VERSION b/crypto/VERSION index 80d708c..0eaa4dc 100644 --- a/crypto/VERSION +++ b/crypto/VERSION @@ -1 +1 @@ -43:1:0 +46:1:0 diff --git a/crypto/aes/aes-elf-armv4.S b/crypto/aes/aes-elf-armv4.S new file mode 100644 index 0000000..8164b53 --- /dev/null +++ b/crypto/aes/aes-elf-armv4.S 
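Review bot: `target_link_libraries(crypto ${PLATFORM_LIBS})` uses the keyword-less signature; since `crypto` is built static by default here, consumers need those platform libraries on their own link line, so `target_link_libraries(crypto PUBLIC ${PLATFORM_LIBS})` expresses that and avoids the error CMake raises when a keyword form is later mixed in for the same target. `export_symbol(crypto ...)` previously ran only under `BUILD_SHARED_LIBS` and now runs for every build; what it does is outside this diff, so please confirm it is a no-op for a static archive. `target_include_directories(crypto PUBLIC ../include)` is fine for the build tree, but if the target is ever exported it will need `$<BUILD_INTERFACE:...>` around the relative path.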
@@ -0,0 +1,1074 @@ +#include "arm_arch.h" +.text +.code 32 + +.type AES_Te,%object +.align 5 +AES_Te: +.word 0xc66363a5, 0xf87c7c84, 0xee777799, 0xf67b7b8d +.word 0xfff2f20d, 0xd66b6bbd, 0xde6f6fb1, 0x91c5c554 +.word 0x60303050, 0x02010103, 0xce6767a9, 0x562b2b7d +.word 0xe7fefe19, 0xb5d7d762, 0x4dababe6, 0xec76769a +.word 0x8fcaca45, 0x1f82829d, 0x89c9c940, 0xfa7d7d87 +.word 0xeffafa15, 0xb25959eb, 0x8e4747c9, 0xfbf0f00b +.word 0x41adadec, 0xb3d4d467, 0x5fa2a2fd, 0x45afafea +.word 0x239c9cbf, 0x53a4a4f7, 0xe4727296, 0x9bc0c05b +.word 0x75b7b7c2, 0xe1fdfd1c, 0x3d9393ae, 0x4c26266a +.word 0x6c36365a, 0x7e3f3f41, 0xf5f7f702, 0x83cccc4f +.word 0x6834345c, 0x51a5a5f4, 0xd1e5e534, 0xf9f1f108 +.word 0xe2717193, 0xabd8d873, 0x62313153, 0x2a15153f +.word 0x0804040c, 0x95c7c752, 0x46232365, 0x9dc3c35e +.word 0x30181828, 0x379696a1, 0x0a05050f, 0x2f9a9ab5 +.word 0x0e070709, 0x24121236, 0x1b80809b, 0xdfe2e23d +.word 0xcdebeb26, 0x4e272769, 0x7fb2b2cd, 0xea75759f +.word 0x1209091b, 0x1d83839e, 0x582c2c74, 0x341a1a2e +.word 0x361b1b2d, 0xdc6e6eb2, 0xb45a5aee, 0x5ba0a0fb +.word 0xa45252f6, 0x763b3b4d, 0xb7d6d661, 0x7db3b3ce +.word 0x5229297b, 0xdde3e33e, 0x5e2f2f71, 0x13848497 +.word 0xa65353f5, 0xb9d1d168, 0x00000000, 0xc1eded2c +.word 0x40202060, 0xe3fcfc1f, 0x79b1b1c8, 0xb65b5bed +.word 0xd46a6abe, 0x8dcbcb46, 0x67bebed9, 0x7239394b +.word 0x944a4ade, 0x984c4cd4, 0xb05858e8, 0x85cfcf4a +.word 0xbbd0d06b, 0xc5efef2a, 0x4faaaae5, 0xedfbfb16 +.word 0x864343c5, 0x9a4d4dd7, 0x66333355, 0x11858594 +.word 0x8a4545cf, 0xe9f9f910, 0x04020206, 0xfe7f7f81 +.word 0xa05050f0, 0x783c3c44, 0x259f9fba, 0x4ba8a8e3 +.word 0xa25151f3, 0x5da3a3fe, 0x804040c0, 0x058f8f8a +.word 0x3f9292ad, 0x219d9dbc, 0x70383848, 0xf1f5f504 +.word 0x63bcbcdf, 0x77b6b6c1, 0xafdada75, 0x42212163 +.word 0x20101030, 0xe5ffff1a, 0xfdf3f30e, 0xbfd2d26d +.word 0x81cdcd4c, 0x180c0c14, 0x26131335, 0xc3ecec2f +.word 0xbe5f5fe1, 0x359797a2, 0x884444cc, 0x2e171739 +.word 0x93c4c457, 0x55a7a7f2, 0xfc7e7e82, 0x7a3d3d47 +.word 
0xc86464ac, 0xba5d5de7, 0x3219192b, 0xe6737395 +.word 0xc06060a0, 0x19818198, 0x9e4f4fd1, 0xa3dcdc7f +.word 0x44222266, 0x542a2a7e, 0x3b9090ab, 0x0b888883 +.word 0x8c4646ca, 0xc7eeee29, 0x6bb8b8d3, 0x2814143c +.word 0xa7dede79, 0xbc5e5ee2, 0x160b0b1d, 0xaddbdb76 +.word 0xdbe0e03b, 0x64323256, 0x743a3a4e, 0x140a0a1e +.word 0x924949db, 0x0c06060a, 0x4824246c, 0xb85c5ce4 +.word 0x9fc2c25d, 0xbdd3d36e, 0x43acacef, 0xc46262a6 +.word 0x399191a8, 0x319595a4, 0xd3e4e437, 0xf279798b +.word 0xd5e7e732, 0x8bc8c843, 0x6e373759, 0xda6d6db7 +.word 0x018d8d8c, 0xb1d5d564, 0x9c4e4ed2, 0x49a9a9e0 +.word 0xd86c6cb4, 0xac5656fa, 0xf3f4f407, 0xcfeaea25 +.word 0xca6565af, 0xf47a7a8e, 0x47aeaee9, 0x10080818 +.word 0x6fbabad5, 0xf0787888, 0x4a25256f, 0x5c2e2e72 +.word 0x381c1c24, 0x57a6a6f1, 0x73b4b4c7, 0x97c6c651 +.word 0xcbe8e823, 0xa1dddd7c, 0xe874749c, 0x3e1f1f21 +.word 0x964b4bdd, 0x61bdbddc, 0x0d8b8b86, 0x0f8a8a85 +.word 0xe0707090, 0x7c3e3e42, 0x71b5b5c4, 0xcc6666aa +.word 0x904848d8, 0x06030305, 0xf7f6f601, 0x1c0e0e12 +.word 0xc26161a3, 0x6a35355f, 0xae5757f9, 0x69b9b9d0 +.word 0x17868691, 0x99c1c158, 0x3a1d1d27, 0x279e9eb9 +.word 0xd9e1e138, 0xebf8f813, 0x2b9898b3, 0x22111133 +.word 0xd26969bb, 0xa9d9d970, 0x078e8e89, 0x339494a7 +.word 0x2d9b9bb6, 0x3c1e1e22, 0x15878792, 0xc9e9e920 +.word 0x87cece49, 0xaa5555ff, 0x50282878, 0xa5dfdf7a +.word 0x038c8c8f, 0x59a1a1f8, 0x09898980, 0x1a0d0d17 +.word 0x65bfbfda, 0xd7e6e631, 0x844242c6, 0xd06868b8 +.word 0x824141c3, 0x299999b0, 0x5a2d2d77, 0x1e0f0f11 +.word 0x7bb0b0cb, 0xa85454fc, 0x6dbbbbd6, 0x2c16163a +@ Te4[256] +.byte 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5 +.byte 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76 +.byte 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0 +.byte 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0 +.byte 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc +.byte 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15 +.byte 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a +.byte 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 
0x75 +.byte 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0 +.byte 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84 +.byte 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b +.byte 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf +.byte 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85 +.byte 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8 +.byte 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5 +.byte 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2 +.byte 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17 +.byte 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73 +.byte 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88 +.byte 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb +.byte 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c +.byte 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79 +.byte 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9 +.byte 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08 +.byte 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6 +.byte 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a +.byte 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e +.byte 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e +.byte 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94 +.byte 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf +.byte 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68 +.byte 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16 +@ rcon[] +.word 0x01000000, 0x02000000, 0x04000000, 0x08000000 +.word 0x10000000, 0x20000000, 0x40000000, 0x80000000 +.word 0x1B000000, 0x36000000, 0, 0, 0, 0, 0, 0 +.size AES_Te,.-AES_Te + +@ void AES_encrypt(const unsigned char *in, unsigned char *out, +@ const AES_KEY *key) { +.global AES_encrypt +.type AES_encrypt,%function +.align 5 +AES_encrypt: + sub r3,pc,#8 @ AES_encrypt + stmdb sp!,{r1,r4-r12,lr} + mov r12,r0 @ inp + mov r11,r2 + sub r10,r3,#AES_encrypt-AES_Te @ Te +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) + ldrb r0,[r12,#3] @ load input data in endian-neutral + ldrb r4,[r12,#2] @ manner... 
+ ldrb r5,[r12,#1] + ldrb r6,[r12,#0] + orr r0,r0,r4,lsl#8 + ldrb r1,[r12,#7] + orr r0,r0,r5,lsl#16 + ldrb r4,[r12,#6] + orr r0,r0,r6,lsl#24 + ldrb r5,[r12,#5] + ldrb r6,[r12,#4] + orr r1,r1,r4,lsl#8 + ldrb r2,[r12,#11] + orr r1,r1,r5,lsl#16 + ldrb r4,[r12,#10] + orr r1,r1,r6,lsl#24 + ldrb r5,[r12,#9] + ldrb r6,[r12,#8] + orr r2,r2,r4,lsl#8 + ldrb r3,[r12,#15] + orr r2,r2,r5,lsl#16 + ldrb r4,[r12,#14] + orr r2,r2,r6,lsl#24 + ldrb r5,[r12,#13] + ldrb r6,[r12,#12] + orr r3,r3,r4,lsl#8 + orr r3,r3,r5,lsl#16 + orr r3,r3,r6,lsl#24 +#else + ldr r0,[r12,#0] + ldr r1,[r12,#4] + ldr r2,[r12,#8] + ldr r3,[r12,#12] +#ifdef __ARMEL__ + rev r0,r0 + rev r1,r1 + rev r2,r2 + rev r3,r3 +#endif +#endif + bl _armv4_AES_encrypt + + ldr r12,[sp],#4 @ pop out +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) +#ifdef __ARMEL__ + rev r0,r0 + rev r1,r1 + rev r2,r2 + rev r3,r3 +#endif + str r0,[r12,#0] + str r1,[r12,#4] + str r2,[r12,#8] + str r3,[r12,#12] +#else + mov r4,r0,lsr#24 @ write output in endian-neutral + mov r5,r0,lsr#16 @ manner... + mov r6,r0,lsr#8 + strb r4,[r12,#0] + strb r5,[r12,#1] + mov r4,r1,lsr#24 + strb r6,[r12,#2] + mov r5,r1,lsr#16 + strb r0,[r12,#3] + mov r6,r1,lsr#8 + strb r4,[r12,#4] + strb r5,[r12,#5] + mov r4,r2,lsr#24 + strb r6,[r12,#6] + mov r5,r2,lsr#16 + strb r1,[r12,#7] + mov r6,r2,lsr#8 + strb r4,[r12,#8] + strb r5,[r12,#9] + mov r4,r3,lsr#24 + strb r6,[r12,#10] + mov r5,r3,lsr#16 + strb r2,[r12,#11] + mov r6,r3,lsr#8 + strb r4,[r12,#12] + strb r5,[r12,#13] + strb r6,[r12,#14] + strb r3,[r12,#15] +#endif +#if __ARM_ARCH__>=5 + ldmia sp!,{r4-r12,pc} +#else + ldmia sp!,{r4-r12,lr} + tst lr,#1 + moveq pc,lr @ be binary compatible with V4, yet + .word 0xe12fff1e @ interoperable with Thumb ISA:-) +#endif +.size AES_encrypt,.-AES_encrypt + +.type _armv4_AES_encrypt,%function +.align 2 +_armv4_AES_encrypt: + str lr,[sp,#-4]! 
@ push lr + ldmia r11!,{r4-r7} + eor r0,r0,r4 + ldr r12,[r11,#240-16] + eor r1,r1,r5 + eor r2,r2,r6 + eor r3,r3,r7 + sub r12,r12,#1 + mov lr,#255 + + and r7,lr,r0 + and r8,lr,r0,lsr#8 + and r9,lr,r0,lsr#16 + mov r0,r0,lsr#24 +.Lenc_loop: + ldr r4,[r10,r7,lsl#2] @ Te3[s0>>0] + and r7,lr,r1,lsr#16 @ i0 + ldr r5,[r10,r8,lsl#2] @ Te2[s0>>8] + and r8,lr,r1 + ldr r6,[r10,r9,lsl#2] @ Te1[s0>>16] + and r9,lr,r1,lsr#8 + ldr r0,[r10,r0,lsl#2] @ Te0[s0>>24] + mov r1,r1,lsr#24 + + ldr r7,[r10,r7,lsl#2] @ Te1[s1>>16] + ldr r8,[r10,r8,lsl#2] @ Te3[s1>>0] + ldr r9,[r10,r9,lsl#2] @ Te2[s1>>8] + eor r0,r0,r7,ror#8 + ldr r1,[r10,r1,lsl#2] @ Te0[s1>>24] + and r7,lr,r2,lsr#8 @ i0 + eor r5,r5,r8,ror#8 + and r8,lr,r2,lsr#16 @ i1 + eor r6,r6,r9,ror#8 + and r9,lr,r2 + ldr r7,[r10,r7,lsl#2] @ Te2[s2>>8] + eor r1,r1,r4,ror#24 + ldr r8,[r10,r8,lsl#2] @ Te1[s2>>16] + mov r2,r2,lsr#24 + + ldr r9,[r10,r9,lsl#2] @ Te3[s2>>0] + eor r0,r0,r7,ror#16 + ldr r2,[r10,r2,lsl#2] @ Te0[s2>>24] + and r7,lr,r3 @ i0 + eor r1,r1,r8,ror#8 + and r8,lr,r3,lsr#8 @ i1 + eor r6,r6,r9,ror#16 + and r9,lr,r3,lsr#16 @ i2 + ldr r7,[r10,r7,lsl#2] @ Te3[s3>>0] + eor r2,r2,r5,ror#16 + ldr r8,[r10,r8,lsl#2] @ Te2[s3>>8] + mov r3,r3,lsr#24 + + ldr r9,[r10,r9,lsl#2] @ Te1[s3>>16] + eor r0,r0,r7,ror#24 + ldr r7,[r11],#16 + eor r1,r1,r8,ror#16 + ldr r3,[r10,r3,lsl#2] @ Te0[s3>>24] + eor r2,r2,r9,ror#8 + ldr r4,[r11,#-12] + eor r3,r3,r6,ror#8 + + ldr r5,[r11,#-8] + eor r0,r0,r7 + ldr r6,[r11,#-4] + and r7,lr,r0 + eor r1,r1,r4 + and r8,lr,r0,lsr#8 + eor r2,r2,r5 + and r9,lr,r0,lsr#16 + eor r3,r3,r6 + mov r0,r0,lsr#24 + + subs r12,r12,#1 + bne .Lenc_loop + + add r10,r10,#2 + + ldrb r4,[r10,r7,lsl#2] @ Te4[s0>>0] + and r7,lr,r1,lsr#16 @ i0 + ldrb r5,[r10,r8,lsl#2] @ Te4[s0>>8] + and r8,lr,r1 + ldrb r6,[r10,r9,lsl#2] @ Te4[s0>>16] + and r9,lr,r1,lsr#8 + ldrb r0,[r10,r0,lsl#2] @ Te4[s0>>24] + mov r1,r1,lsr#24 + + ldrb r7,[r10,r7,lsl#2] @ Te4[s1>>16] + ldrb r8,[r10,r8,lsl#2] @ Te4[s1>>0] + ldrb r9,[r10,r9,lsl#2] @ Te4[s1>>8] + eor 
r0,r7,r0,lsl#8 + ldrb r1,[r10,r1,lsl#2] @ Te4[s1>>24] + and r7,lr,r2,lsr#8 @ i0 + eor r5,r8,r5,lsl#8 + and r8,lr,r2,lsr#16 @ i1 + eor r6,r9,r6,lsl#8 + and r9,lr,r2 + ldrb r7,[r10,r7,lsl#2] @ Te4[s2>>8] + eor r1,r4,r1,lsl#24 + ldrb r8,[r10,r8,lsl#2] @ Te4[s2>>16] + mov r2,r2,lsr#24 + + ldrb r9,[r10,r9,lsl#2] @ Te4[s2>>0] + eor r0,r7,r0,lsl#8 + ldrb r2,[r10,r2,lsl#2] @ Te4[s2>>24] + and r7,lr,r3 @ i0 + eor r1,r1,r8,lsl#16 + and r8,lr,r3,lsr#8 @ i1 + eor r6,r9,r6,lsl#8 + and r9,lr,r3,lsr#16 @ i2 + ldrb r7,[r10,r7,lsl#2] @ Te4[s3>>0] + eor r2,r5,r2,lsl#24 + ldrb r8,[r10,r8,lsl#2] @ Te4[s3>>8] + mov r3,r3,lsr#24 + + ldrb r9,[r10,r9,lsl#2] @ Te4[s3>>16] + eor r0,r7,r0,lsl#8 + ldr r7,[r11,#0] + ldrb r3,[r10,r3,lsl#2] @ Te4[s3>>24] + eor r1,r1,r8,lsl#8 + ldr r4,[r11,#4] + eor r2,r2,r9,lsl#16 + ldr r5,[r11,#8] + eor r3,r6,r3,lsl#24 + ldr r6,[r11,#12] + + eor r0,r0,r7 + eor r1,r1,r4 + eor r2,r2,r5 + eor r3,r3,r6 + + sub r10,r10,#2 + ldr pc,[sp],#4 @ pop and return +.size _armv4_AES_encrypt,.-_armv4_AES_encrypt + +.global AES_set_encrypt_key +.type AES_set_encrypt_key,%function +.align 5 +AES_set_encrypt_key: +_armv4_AES_set_encrypt_key: + sub r3,pc,#8 @ AES_set_encrypt_key + teq r0,#0 + moveq r0,#-1 + beq .Labrt + teq r2,#0 + moveq r0,#-1 + beq .Labrt + + teq r1,#128 + beq .Lok + teq r1,#192 + beq .Lok + teq r1,#256 + movne r0,#-1 + bne .Labrt + +.Lok: stmdb sp!,{r4-r12,lr} + sub r10,r3,#_armv4_AES_set_encrypt_key-AES_Te-1024 @ Te4 + + mov r12,r0 @ inp + mov lr,r1 @ bits + mov r11,r2 @ key + +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) + ldrb r0,[r12,#3] @ load input data in endian-neutral + ldrb r4,[r12,#2] @ manner... 
+ ldrb r5,[r12,#1] + ldrb r6,[r12,#0] + orr r0,r0,r4,lsl#8 + ldrb r1,[r12,#7] + orr r0,r0,r5,lsl#16 + ldrb r4,[r12,#6] + orr r0,r0,r6,lsl#24 + ldrb r5,[r12,#5] + ldrb r6,[r12,#4] + orr r1,r1,r4,lsl#8 + ldrb r2,[r12,#11] + orr r1,r1,r5,lsl#16 + ldrb r4,[r12,#10] + orr r1,r1,r6,lsl#24 + ldrb r5,[r12,#9] + ldrb r6,[r12,#8] + orr r2,r2,r4,lsl#8 + ldrb r3,[r12,#15] + orr r2,r2,r5,lsl#16 + ldrb r4,[r12,#14] + orr r2,r2,r6,lsl#24 + ldrb r5,[r12,#13] + ldrb r6,[r12,#12] + orr r3,r3,r4,lsl#8 + str r0,[r11],#16 + orr r3,r3,r5,lsl#16 + str r1,[r11,#-12] + orr r3,r3,r6,lsl#24 + str r2,[r11,#-8] + str r3,[r11,#-4] +#else + ldr r0,[r12,#0] + ldr r1,[r12,#4] + ldr r2,[r12,#8] + ldr r3,[r12,#12] +#ifdef __ARMEL__ + rev r0,r0 + rev r1,r1 + rev r2,r2 + rev r3,r3 +#endif + str r0,[r11],#16 + str r1,[r11,#-12] + str r2,[r11,#-8] + str r3,[r11,#-4] +#endif + + teq lr,#128 + bne .Lnot128 + mov r12,#10 + str r12,[r11,#240-16] + add r6,r10,#256 @ rcon + mov lr,#255 + +.L128_loop: + and r5,lr,r3,lsr#24 + and r7,lr,r3,lsr#16 + ldrb r5,[r10,r5] + and r8,lr,r3,lsr#8 + ldrb r7,[r10,r7] + and r9,lr,r3 + ldrb r8,[r10,r8] + orr r5,r5,r7,lsl#24 + ldrb r9,[r10,r9] + orr r5,r5,r8,lsl#16 + ldr r4,[r6],#4 @ rcon[i++] + orr r5,r5,r9,lsl#8 + eor r5,r5,r4 + eor r0,r0,r5 @ rk[4]=rk[0]^... 
+ eor r1,r1,r0 @ rk[5]=rk[1]^rk[4] + str r0,[r11],#16 + eor r2,r2,r1 @ rk[6]=rk[2]^rk[5] + str r1,[r11,#-12] + eor r3,r3,r2 @ rk[7]=rk[3]^rk[6] + str r2,[r11,#-8] + subs r12,r12,#1 + str r3,[r11,#-4] + bne .L128_loop + sub r2,r11,#176 + b .Ldone + +.Lnot128: +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) + ldrb r8,[r12,#19] + ldrb r4,[r12,#18] + ldrb r5,[r12,#17] + ldrb r6,[r12,#16] + orr r8,r8,r4,lsl#8 + ldrb r9,[r12,#23] + orr r8,r8,r5,lsl#16 + ldrb r4,[r12,#22] + orr r8,r8,r6,lsl#24 + ldrb r5,[r12,#21] + ldrb r6,[r12,#20] + orr r9,r9,r4,lsl#8 + orr r9,r9,r5,lsl#16 + str r8,[r11],#8 + orr r9,r9,r6,lsl#24 + str r9,[r11,#-4] +#else + ldr r8,[r12,#16] + ldr r9,[r12,#20] +#ifdef __ARMEL__ + rev r8,r8 + rev r9,r9 +#endif + str r8,[r11],#8 + str r9,[r11,#-4] +#endif + + teq lr,#192 + bne .Lnot192 + mov r12,#12 + str r12,[r11,#240-24] + add r6,r10,#256 @ rcon + mov lr,#255 + mov r12,#8 + +.L192_loop: + and r5,lr,r9,lsr#24 + and r7,lr,r9,lsr#16 + ldrb r5,[r10,r5] + and r8,lr,r9,lsr#8 + ldrb r7,[r10,r7] + and r9,lr,r9 + ldrb r8,[r10,r8] + orr r5,r5,r7,lsl#24 + ldrb r9,[r10,r9] + orr r5,r5,r8,lsl#16 + ldr r4,[r6],#4 @ rcon[i++] + orr r5,r5,r9,lsl#8 + eor r9,r5,r4 + eor r0,r0,r9 @ rk[6]=rk[0]^... 
+ eor r1,r1,r0 @ rk[7]=rk[1]^rk[6] + str r0,[r11],#24 + eor r2,r2,r1 @ rk[8]=rk[2]^rk[7] + str r1,[r11,#-20] + eor r3,r3,r2 @ rk[9]=rk[3]^rk[8] + str r2,[r11,#-16] + subs r12,r12,#1 + str r3,[r11,#-12] + subeq r2,r11,#216 + beq .Ldone + + ldr r7,[r11,#-32] + ldr r8,[r11,#-28] + eor r7,r7,r3 @ rk[10]=rk[4]^rk[9] + eor r9,r8,r7 @ rk[11]=rk[5]^rk[10] + str r7,[r11,#-8] + str r9,[r11,#-4] + b .L192_loop + +.Lnot192: +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) + ldrb r8,[r12,#27] + ldrb r4,[r12,#26] + ldrb r5,[r12,#25] + ldrb r6,[r12,#24] + orr r8,r8,r4,lsl#8 + ldrb r9,[r12,#31] + orr r8,r8,r5,lsl#16 + ldrb r4,[r12,#30] + orr r8,r8,r6,lsl#24 + ldrb r5,[r12,#29] + ldrb r6,[r12,#28] + orr r9,r9,r4,lsl#8 + orr r9,r9,r5,lsl#16 + str r8,[r11],#8 + orr r9,r9,r6,lsl#24 + str r9,[r11,#-4] +#else + ldr r8,[r12,#24] + ldr r9,[r12,#28] +#ifdef __ARMEL__ + rev r8,r8 + rev r9,r9 +#endif + str r8,[r11],#8 + str r9,[r11,#-4] +#endif + + mov r12,#14 + str r12,[r11,#240-32] + add r6,r10,#256 @ rcon + mov lr,#255 + mov r12,#7 + +.L256_loop: + and r5,lr,r9,lsr#24 + and r7,lr,r9,lsr#16 + ldrb r5,[r10,r5] + and r8,lr,r9,lsr#8 + ldrb r7,[r10,r7] + and r9,lr,r9 + ldrb r8,[r10,r8] + orr r5,r5,r7,lsl#24 + ldrb r9,[r10,r9] + orr r5,r5,r8,lsl#16 + ldr r4,[r6],#4 @ rcon[i++] + orr r5,r5,r9,lsl#8 + eor r9,r5,r4 + eor r0,r0,r9 @ rk[8]=rk[0]^... + eor r1,r1,r0 @ rk[9]=rk[1]^rk[8] + str r0,[r11],#32 + eor r2,r2,r1 @ rk[10]=rk[2]^rk[9] + str r1,[r11,#-28] + eor r3,r3,r2 @ rk[11]=rk[3]^rk[10] + str r2,[r11,#-24] + subs r12,r12,#1 + str r3,[r11,#-20] + subeq r2,r11,#256 + beq .Ldone + + and r5,lr,r3 + and r7,lr,r3,lsr#8 + ldrb r5,[r10,r5] + and r8,lr,r3,lsr#16 + ldrb r7,[r10,r7] + and r9,lr,r3,lsr#24 + ldrb r8,[r10,r8] + orr r5,r5,r7,lsl#8 + ldrb r9,[r10,r9] + orr r5,r5,r8,lsl#16 + ldr r4,[r11,#-48] + orr r5,r5,r9,lsl#24 + + ldr r7,[r11,#-44] + ldr r8,[r11,#-40] + eor r4,r4,r5 @ rk[12]=rk[4]^... 
+ ldr r9,[r11,#-36] + eor r7,r7,r4 @ rk[13]=rk[5]^rk[12] + str r4,[r11,#-16] + eor r8,r8,r7 @ rk[14]=rk[6]^rk[13] + str r7,[r11,#-12] + eor r9,r9,r8 @ rk[15]=rk[7]^rk[14] + str r8,[r11,#-8] + str r9,[r11,#-4] + b .L256_loop + +.Ldone: mov r0,#0 + ldmia sp!,{r4-r12,lr} +.Labrt: tst lr,#1 + moveq pc,lr @ be binary compatible with V4, yet + .word 0xe12fff1e @ interoperable with Thumb ISA:-) +.size AES_set_encrypt_key,.-AES_set_encrypt_key + +.global AES_set_decrypt_key +.type AES_set_decrypt_key,%function +.align 5 +AES_set_decrypt_key: + str lr,[sp,#-4]! @ push lr + bl _armv4_AES_set_encrypt_key + teq r0,#0 + ldrne lr,[sp],#4 @ pop lr + bne .Labrt + + stmdb sp!,{r4-r12} + + ldr r12,[r2,#240] @ AES_set_encrypt_key preserves r2, + mov r11,r2 @ which is AES_KEY *key + mov r7,r2 + add r8,r2,r12,lsl#4 + +.Linv: ldr r0,[r7] + ldr r1,[r7,#4] + ldr r2,[r7,#8] + ldr r3,[r7,#12] + ldr r4,[r8] + ldr r5,[r8,#4] + ldr r6,[r8,#8] + ldr r9,[r8,#12] + str r0,[r8],#-16 + str r1,[r8,#16+4] + str r2,[r8,#16+8] + str r3,[r8,#16+12] + str r4,[r7],#16 + str r5,[r7,#-12] + str r6,[r7,#-8] + str r9,[r7,#-4] + teq r7,r8 + bne .Linv + ldr r0,[r11,#16]! 
@ prefetch tp1 + mov r7,#0x80 + mov r8,#0x1b + orr r7,r7,#0x8000 + orr r8,r8,#0x1b00 + orr r7,r7,r7,lsl#16 + orr r8,r8,r8,lsl#16 + sub r12,r12,#1 + mvn r9,r7 + mov r12,r12,lsl#2 @ (rounds-1)*4 + +.Lmix: and r4,r0,r7 + and r1,r0,r9 + sub r4,r4,r4,lsr#7 + and r4,r4,r8 + eor r1,r4,r1,lsl#1 @ tp2 + + and r4,r1,r7 + and r2,r1,r9 + sub r4,r4,r4,lsr#7 + and r4,r4,r8 + eor r2,r4,r2,lsl#1 @ tp4 + + and r4,r2,r7 + and r3,r2,r9 + sub r4,r4,r4,lsr#7 + and r4,r4,r8 + eor r3,r4,r3,lsl#1 @ tp8 + + eor r4,r1,r2 + eor r5,r0,r3 @ tp9 + eor r4,r4,r3 @ tpe + eor r4,r4,r1,ror#24 + eor r4,r4,r5,ror#24 @ ^= ROTATE(tpb=tp9^tp2,8) + eor r4,r4,r2,ror#16 + eor r4,r4,r5,ror#16 @ ^= ROTATE(tpd=tp9^tp4,16) + eor r4,r4,r5,ror#8 @ ^= ROTATE(tp9,24) + + ldr r0,[r11,#4] @ prefetch tp1 + str r4,[r11],#4 + subs r12,r12,#1 + bne .Lmix + + mov r0,#0 +#if __ARM_ARCH__>=5 + ldmia sp!,{r4-r12,pc} +#else + ldmia sp!,{r4-r12,lr} + tst lr,#1 + moveq pc,lr @ be binary compatible with V4, yet + .word 0xe12fff1e @ interoperable with Thumb ISA:-) +#endif +.size AES_set_decrypt_key,.-AES_set_decrypt_key + +.type AES_Td,%object +.align 5 +AES_Td: +.word 0x51f4a750, 0x7e416553, 0x1a17a4c3, 0x3a275e96 +.word 0x3bab6bcb, 0x1f9d45f1, 0xacfa58ab, 0x4be30393 +.word 0x2030fa55, 0xad766df6, 0x88cc7691, 0xf5024c25 +.word 0x4fe5d7fc, 0xc52acbd7, 0x26354480, 0xb562a38f +.word 0xdeb15a49, 0x25ba1b67, 0x45ea0e98, 0x5dfec0e1 +.word 0xc32f7502, 0x814cf012, 0x8d4697a3, 0x6bd3f9c6 +.word 0x038f5fe7, 0x15929c95, 0xbf6d7aeb, 0x955259da +.word 0xd4be832d, 0x587421d3, 0x49e06929, 0x8ec9c844 +.word 0x75c2896a, 0xf48e7978, 0x99583e6b, 0x27b971dd +.word 0xbee14fb6, 0xf088ad17, 0xc920ac66, 0x7dce3ab4 +.word 0x63df4a18, 0xe51a3182, 0x97513360, 0x62537f45 +.word 0xb16477e0, 0xbb6bae84, 0xfe81a01c, 0xf9082b94 +.word 0x70486858, 0x8f45fd19, 0x94de6c87, 0x527bf8b7 +.word 0xab73d323, 0x724b02e2, 0xe31f8f57, 0x6655ab2a +.word 0xb2eb2807, 0x2fb5c203, 0x86c57b9a, 0xd33708a5 +.word 0x302887f2, 0x23bfa5b2, 0x02036aba, 0xed16825c +.word 0x8acf1c2b, 
0xa779b492, 0xf307f2f0, 0x4e69e2a1 +.word 0x65daf4cd, 0x0605bed5, 0xd134621f, 0xc4a6fe8a +.word 0x342e539d, 0xa2f355a0, 0x058ae132, 0xa4f6eb75 +.word 0x0b83ec39, 0x4060efaa, 0x5e719f06, 0xbd6e1051 +.word 0x3e218af9, 0x96dd063d, 0xdd3e05ae, 0x4de6bd46 +.word 0x91548db5, 0x71c45d05, 0x0406d46f, 0x605015ff +.word 0x1998fb24, 0xd6bde997, 0x894043cc, 0x67d99e77 +.word 0xb0e842bd, 0x07898b88, 0xe7195b38, 0x79c8eedb +.word 0xa17c0a47, 0x7c420fe9, 0xf8841ec9, 0x00000000 +.word 0x09808683, 0x322bed48, 0x1e1170ac, 0x6c5a724e +.word 0xfd0efffb, 0x0f853856, 0x3daed51e, 0x362d3927 +.word 0x0a0fd964, 0x685ca621, 0x9b5b54d1, 0x24362e3a +.word 0x0c0a67b1, 0x9357e70f, 0xb4ee96d2, 0x1b9b919e +.word 0x80c0c54f, 0x61dc20a2, 0x5a774b69, 0x1c121a16 +.word 0xe293ba0a, 0xc0a02ae5, 0x3c22e043, 0x121b171d +.word 0x0e090d0b, 0xf28bc7ad, 0x2db6a8b9, 0x141ea9c8 +.word 0x57f11985, 0xaf75074c, 0xee99ddbb, 0xa37f60fd +.word 0xf701269f, 0x5c72f5bc, 0x44663bc5, 0x5bfb7e34 +.word 0x8b432976, 0xcb23c6dc, 0xb6edfc68, 0xb8e4f163 +.word 0xd731dcca, 0x42638510, 0x13972240, 0x84c61120 +.word 0x854a247d, 0xd2bb3df8, 0xaef93211, 0xc729a16d +.word 0x1d9e2f4b, 0xdcb230f3, 0x0d8652ec, 0x77c1e3d0 +.word 0x2bb3166c, 0xa970b999, 0x119448fa, 0x47e96422 +.word 0xa8fc8cc4, 0xa0f03f1a, 0x567d2cd8, 0x223390ef +.word 0x87494ec7, 0xd938d1c1, 0x8ccaa2fe, 0x98d40b36 +.word 0xa6f581cf, 0xa57ade28, 0xdab78e26, 0x3fadbfa4 +.word 0x2c3a9de4, 0x5078920d, 0x6a5fcc9b, 0x547e4662 +.word 0xf68d13c2, 0x90d8b8e8, 0x2e39f75e, 0x82c3aff5 +.word 0x9f5d80be, 0x69d0937c, 0x6fd52da9, 0xcf2512b3 +.word 0xc8ac993b, 0x10187da7, 0xe89c636e, 0xdb3bbb7b +.word 0xcd267809, 0x6e5918f4, 0xec9ab701, 0x834f9aa8 +.word 0xe6956e65, 0xaaffe67e, 0x21bccf08, 0xef15e8e6 +.word 0xbae79bd9, 0x4a6f36ce, 0xea9f09d4, 0x29b07cd6 +.word 0x31a4b2af, 0x2a3f2331, 0xc6a59430, 0x35a266c0 +.word 0x744ebc37, 0xfc82caa6, 0xe090d0b0, 0x33a7d815 +.word 0xf104984a, 0x41ecdaf7, 0x7fcd500e, 0x1791f62f +.word 0x764dd68d, 0x43efb04d, 0xccaa4d54, 0xe49604df +.word 0x9ed1b5e3, 
0x4c6a881b, 0xc12c1fb8, 0x4665517f +.word 0x9d5eea04, 0x018c355d, 0xfa877473, 0xfb0b412e +.word 0xb3671d5a, 0x92dbd252, 0xe9105633, 0x6dd64713 +.word 0x9ad7618c, 0x37a10c7a, 0x59f8148e, 0xeb133c89 +.word 0xcea927ee, 0xb761c935, 0xe11ce5ed, 0x7a47b13c +.word 0x9cd2df59, 0x55f2733f, 0x1814ce79, 0x73c737bf +.word 0x53f7cdea, 0x5ffdaa5b, 0xdf3d6f14, 0x7844db86 +.word 0xcaaff381, 0xb968c43e, 0x3824342c, 0xc2a3405f +.word 0x161dc372, 0xbce2250c, 0x283c498b, 0xff0d9541 +.word 0x39a80171, 0x080cb3de, 0xd8b4e49c, 0x6456c190 +.word 0x7bcb8461, 0xd532b670, 0x486c5c74, 0xd0b85742 +@ Td4[256] +.byte 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38 +.byte 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb +.byte 0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87 +.byte 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb +.byte 0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d +.byte 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e +.byte 0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2 +.byte 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25 +.byte 0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16 +.byte 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92 +.byte 0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda +.byte 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84 +.byte 0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a +.byte 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06 +.byte 0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02 +.byte 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b +.byte 0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea +.byte 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73 +.byte 0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85 +.byte 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e +.byte 0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89 +.byte 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b +.byte 0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20 +.byte 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4 +.byte 0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31 +.byte 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f +.byte 
0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d +.byte 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef +.byte 0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0 +.byte 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61 +.byte 0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26 +.byte 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d +.size AES_Td,.-AES_Td + +@ void AES_decrypt(const unsigned char *in, unsigned char *out, +@ const AES_KEY *key) { +.global AES_decrypt +.type AES_decrypt,%function +.align 5 +AES_decrypt: + sub r3,pc,#8 @ AES_decrypt + stmdb sp!,{r1,r4-r12,lr} + mov r12,r0 @ inp + mov r11,r2 + sub r10,r3,#AES_decrypt-AES_Td @ Td +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) + ldrb r0,[r12,#3] @ load input data in endian-neutral + ldrb r4,[r12,#2] @ manner... + ldrb r5,[r12,#1] + ldrb r6,[r12,#0] + orr r0,r0,r4,lsl#8 + ldrb r1,[r12,#7] + orr r0,r0,r5,lsl#16 + ldrb r4,[r12,#6] + orr r0,r0,r6,lsl#24 + ldrb r5,[r12,#5] + ldrb r6,[r12,#4] + orr r1,r1,r4,lsl#8 + ldrb r2,[r12,#11] + orr r1,r1,r5,lsl#16 + ldrb r4,[r12,#10] + orr r1,r1,r6,lsl#24 + ldrb r5,[r12,#9] + ldrb r6,[r12,#8] + orr r2,r2,r4,lsl#8 + ldrb r3,[r12,#15] + orr r2,r2,r5,lsl#16 + ldrb r4,[r12,#14] + orr r2,r2,r6,lsl#24 + ldrb r5,[r12,#13] + ldrb r6,[r12,#12] + orr r3,r3,r4,lsl#8 + orr r3,r3,r5,lsl#16 + orr r3,r3,r6,lsl#24 +#else + ldr r0,[r12,#0] + ldr r1,[r12,#4] + ldr r2,[r12,#8] + ldr r3,[r12,#12] +#ifdef __ARMEL__ + rev r0,r0 + rev r1,r1 + rev r2,r2 + rev r3,r3 +#endif +#endif + bl _armv4_AES_decrypt + + ldr r12,[sp],#4 @ pop out +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) +#ifdef __ARMEL__ + rev r0,r0 + rev r1,r1 + rev r2,r2 + rev r3,r3 +#endif + str r0,[r12,#0] + str r1,[r12,#4] + str r2,[r12,#8] + str r3,[r12,#12] +#else + mov r4,r0,lsr#24 @ write output in endian-neutral + mov r5,r0,lsr#16 @ manner... 
+ mov r6,r0,lsr#8 + strb r4,[r12,#0] + strb r5,[r12,#1] + mov r4,r1,lsr#24 + strb r6,[r12,#2] + mov r5,r1,lsr#16 + strb r0,[r12,#3] + mov r6,r1,lsr#8 + strb r4,[r12,#4] + strb r5,[r12,#5] + mov r4,r2,lsr#24 + strb r6,[r12,#6] + mov r5,r2,lsr#16 + strb r1,[r12,#7] + mov r6,r2,lsr#8 + strb r4,[r12,#8] + strb r5,[r12,#9] + mov r4,r3,lsr#24 + strb r6,[r12,#10] + mov r5,r3,lsr#16 + strb r2,[r12,#11] + mov r6,r3,lsr#8 + strb r4,[r12,#12] + strb r5,[r12,#13] + strb r6,[r12,#14] + strb r3,[r12,#15] +#endif +#if __ARM_ARCH__>=5 + ldmia sp!,{r4-r12,pc} +#else + ldmia sp!,{r4-r12,lr} + tst lr,#1 + moveq pc,lr @ be binary compatible with V4, yet + .word 0xe12fff1e @ interoperable with Thumb ISA:-) +#endif +.size AES_decrypt,.-AES_decrypt + +.type _armv4_AES_decrypt,%function +.align 2 +_armv4_AES_decrypt: + str lr,[sp,#-4]! @ push lr + ldmia r11!,{r4-r7} + eor r0,r0,r4 + ldr r12,[r11,#240-16] + eor r1,r1,r5 + eor r2,r2,r6 + eor r3,r3,r7 + sub r12,r12,#1 + mov lr,#255 + + and r7,lr,r0,lsr#16 + and r8,lr,r0,lsr#8 + and r9,lr,r0 + mov r0,r0,lsr#24 +.Ldec_loop: + ldr r4,[r10,r7,lsl#2] @ Td1[s0>>16] + and r7,lr,r1 @ i0 + ldr r5,[r10,r8,lsl#2] @ Td2[s0>>8] + and r8,lr,r1,lsr#16 + ldr r6,[r10,r9,lsl#2] @ Td3[s0>>0] + and r9,lr,r1,lsr#8 + ldr r0,[r10,r0,lsl#2] @ Td0[s0>>24] + mov r1,r1,lsr#24 + + ldr r7,[r10,r7,lsl#2] @ Td3[s1>>0] + ldr r8,[r10,r8,lsl#2] @ Td1[s1>>16] + ldr r9,[r10,r9,lsl#2] @ Td2[s1>>8] + eor r0,r0,r7,ror#24 + ldr r1,[r10,r1,lsl#2] @ Td0[s1>>24] + and r7,lr,r2,lsr#8 @ i0 + eor r5,r8,r5,ror#8 + and r8,lr,r2 @ i1 + eor r6,r9,r6,ror#8 + and r9,lr,r2,lsr#16 + ldr r7,[r10,r7,lsl#2] @ Td2[s2>>8] + eor r1,r1,r4,ror#8 + ldr r8,[r10,r8,lsl#2] @ Td3[s2>>0] + mov r2,r2,lsr#24 + + ldr r9,[r10,r9,lsl#2] @ Td1[s2>>16] + eor r0,r0,r7,ror#16 + ldr r2,[r10,r2,lsl#2] @ Td0[s2>>24] + and r7,lr,r3,lsr#16 @ i0 + eor r1,r1,r8,ror#24 + and r8,lr,r3,lsr#8 @ i1 + eor r6,r9,r6,ror#8 + and r9,lr,r3 @ i2 + ldr r7,[r10,r7,lsl#2] @ Td1[s3>>16] + eor r2,r2,r5,ror#8 + ldr r8,[r10,r8,lsl#2] @ 
Td2[s3>>8] + mov r3,r3,lsr#24 + + ldr r9,[r10,r9,lsl#2] @ Td3[s3>>0] + eor r0,r0,r7,ror#8 + ldr r7,[r11],#16 + eor r1,r1,r8,ror#16 + ldr r3,[r10,r3,lsl#2] @ Td0[s3>>24] + eor r2,r2,r9,ror#24 + + ldr r4,[r11,#-12] + eor r0,r0,r7 + ldr r5,[r11,#-8] + eor r3,r3,r6,ror#8 + ldr r6,[r11,#-4] + and r7,lr,r0,lsr#16 + eor r1,r1,r4 + and r8,lr,r0,lsr#8 + eor r2,r2,r5 + and r9,lr,r0 + eor r3,r3,r6 + mov r0,r0,lsr#24 + + subs r12,r12,#1 + bne .Ldec_loop + + add r10,r10,#1024 + + ldr r5,[r10,#0] @ prefetch Td4 + ldr r6,[r10,#32] + ldr r4,[r10,#64] + ldr r5,[r10,#96] + ldr r6,[r10,#128] + ldr r4,[r10,#160] + ldr r5,[r10,#192] + ldr r6,[r10,#224] + + ldrb r0,[r10,r0] @ Td4[s0>>24] + ldrb r4,[r10,r7] @ Td4[s0>>16] + and r7,lr,r1 @ i0 + ldrb r5,[r10,r8] @ Td4[s0>>8] + and r8,lr,r1,lsr#16 + ldrb r6,[r10,r9] @ Td4[s0>>0] + and r9,lr,r1,lsr#8 + + ldrb r7,[r10,r7] @ Td4[s1>>0] + ldrb r1,[r10,r1,lsr#24] @ Td4[s1>>24] + ldrb r8,[r10,r8] @ Td4[s1>>16] + eor r0,r7,r0,lsl#24 + ldrb r9,[r10,r9] @ Td4[s1>>8] + eor r1,r4,r1,lsl#8 + and r7,lr,r2,lsr#8 @ i0 + eor r5,r5,r8,lsl#8 + and r8,lr,r2 @ i1 + ldrb r7,[r10,r7] @ Td4[s2>>8] + eor r6,r6,r9,lsl#8 + ldrb r8,[r10,r8] @ Td4[s2>>0] + and r9,lr,r2,lsr#16 + + ldrb r2,[r10,r2,lsr#24] @ Td4[s2>>24] + eor r0,r0,r7,lsl#8 + ldrb r9,[r10,r9] @ Td4[s2>>16] + eor r1,r8,r1,lsl#16 + and r7,lr,r3,lsr#16 @ i0 + eor r2,r5,r2,lsl#16 + and r8,lr,r3,lsr#8 @ i1 + ldrb r7,[r10,r7] @ Td4[s3>>16] + eor r6,r6,r9,lsl#16 + ldrb r8,[r10,r8] @ Td4[s3>>8] + and r9,lr,r3 @ i2 + + ldrb r9,[r10,r9] @ Td4[s3>>0] + ldrb r3,[r10,r3,lsr#24] @ Td4[s3>>24] + eor r0,r0,r7,lsl#16 + ldr r7,[r11,#0] + eor r1,r1,r8,lsl#8 + ldr r4,[r11,#4] + eor r2,r9,r2,lsl#8 + ldr r5,[r11,#8] + eor r3,r6,r3,lsl#24 + ldr r6,[r11,#12] + + eor r0,r0,r7 + eor r1,r1,r4 + eor r2,r2,r5 + eor r3,r3,r6 + + sub r10,r10,#1024 + ldr pc,[sp],#4 @ pop and return +.size _armv4_AES_decrypt,.-_armv4_AES_decrypt +.asciz "AES for ARMv4, CRYPTOGAMS by " +.align 2 +#if defined(HAVE_GNU_STACK) +.section 
.note.GNU-stack,"",%progbits +#endif diff --git a/crypto/aes/aes-masm-x86_64.S b/crypto/aes/aes-masm-x86_64.S new file mode 100644 index 0000000..9094c72 --- /dev/null +++ b/crypto/aes/aes-masm-x86_64.S 
@@ -0,0 +1,2948 @@ +; 1 "crypto/aes/aes-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/aes/aes-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/aes/aes-masm-x86_64.S.tmp" 2 + +.text$ SEGMENT ALIGN(64) 'CODE' + +ALIGN 16 +_x86_64_AES_encrypt PROC PRIVATE + xor eax,DWORD PTR[r15] + xor ebx,DWORD PTR[4+r15] + xor ecx,DWORD PTR[8+r15] + xor edx,DWORD PTR[12+r15] + + mov r13d,DWORD PTR[240+r15] + sub r13d,1 + jmp $L$enc_loop +ALIGN 16 +$L$enc_loop:: + + movzx esi,al + movzx edi,bl + movzx ebp,cl + mov r10d,DWORD PTR[rsi*8+r14] + mov r11d,DWORD PTR[rdi*8+r14] + mov r12d,DWORD PTR[rbp*8+r14] + + movzx esi,bh + movzx edi,ch + movzx ebp,dl + xor r10d,DWORD PTR[3+rsi*8+r14] + xor r11d,DWORD PTR[3+rdi*8+r14] + mov r8d,DWORD PTR[rbp*8+r14] + + movzx esi,dh + shr ecx,16 + movzx ebp,ah + xor r12d,DWORD PTR[3+rsi*8+r14] + shr edx,16 + xor r8d,DWORD PTR[3+rbp*8+r14] + + shr ebx,16 + lea r15,QWORD PTR[16+r15] + shr eax,16 + + movzx esi,cl + movzx edi,dl + movzx ebp,al + xor r10d,DWORD PTR[2+rsi*8+r14] + xor r11d,DWORD PTR[2+rdi*8+r14] + xor r12d,DWORD PTR[2+rbp*8+r14] + + movzx esi,dh + movzx edi,ah + movzx ebp,bl + xor r10d,DWORD PTR[1+rsi*8+r14] + xor r11d,DWORD PTR[1+rdi*8+r14] + xor r8d,DWORD PTR[2+rbp*8+r14] + + mov edx,DWORD PTR[12+r15] + movzx edi,bh + movzx ebp,ch + mov eax,DWORD PTR[r15] + xor r12d,DWORD PTR[1+rdi*8+r14] + xor r8d,DWORD PTR[1+rbp*8+r14] + + mov ebx,DWORD PTR[4+r15] + mov ecx,DWORD PTR[8+r15] + xor eax,r10d + xor ebx,r11d + xor ecx,r12d + xor edx,r8d + sub r13d,1 + jnz $L$enc_loop + movzx esi,al + movzx edi,bl + movzx ebp,cl + movzx r10d,BYTE PTR[2+rsi*8+r14] + movzx r11d,BYTE PTR[2+rdi*8+r14] + movzx r12d,BYTE PTR[2+rbp*8+r14] + + movzx esi,dl + movzx edi,bh + movzx ebp,ch + movzx r8d,BYTE PTR[2+rsi*8+r14] + mov edi,DWORD 
PTR[rdi*8+r14] + mov ebp,DWORD PTR[rbp*8+r14] + + and edi,00000ff00h + and ebp,00000ff00h + + xor r10d,edi + xor r11d,ebp + shr ecx,16 + + movzx esi,dh + movzx edi,ah + shr edx,16 + mov esi,DWORD PTR[rsi*8+r14] + mov edi,DWORD PTR[rdi*8+r14] + + and esi,00000ff00h + and edi,00000ff00h + shr ebx,16 + xor r12d,esi + xor r8d,edi + shr eax,16 + + movzx esi,cl + movzx edi,dl + movzx ebp,al + mov esi,DWORD PTR[rsi*8+r14] + mov edi,DWORD PTR[rdi*8+r14] + mov ebp,DWORD PTR[rbp*8+r14] + + and esi,000ff0000h + and edi,000ff0000h + and ebp,000ff0000h + + xor r10d,esi + xor r11d,edi + xor r12d,ebp + + movzx esi,bl + movzx edi,dh + movzx ebp,ah + mov esi,DWORD PTR[rsi*8+r14] + mov edi,DWORD PTR[2+rdi*8+r14] + mov ebp,DWORD PTR[2+rbp*8+r14] + + and esi,000ff0000h + and edi,0ff000000h + and ebp,0ff000000h + + xor r8d,esi + xor r10d,edi + xor r11d,ebp + + movzx esi,bh + movzx edi,ch + mov edx,DWORD PTR[((16+12))+r15] + mov esi,DWORD PTR[2+rsi*8+r14] + mov edi,DWORD PTR[2+rdi*8+r14] + mov eax,DWORD PTR[((16+0))+r15] + + and esi,0ff000000h + and edi,0ff000000h + + xor r12d,esi + xor r8d,edi + + mov ebx,DWORD PTR[((16+4))+r15] + mov ecx,DWORD PTR[((16+8))+r15] + xor eax,r10d + xor ebx,r11d + xor ecx,r12d + xor edx,r8d + DB 0F3h,0C3h ;repret +_x86_64_AES_encrypt ENDP + +ALIGN 16 +_x86_64_AES_encrypt_compact PROC PRIVATE + lea r8,QWORD PTR[128+r14] + mov edi,DWORD PTR[((0-128))+r8] + mov ebp,DWORD PTR[((32-128))+r8] + mov r10d,DWORD PTR[((64-128))+r8] + mov r11d,DWORD PTR[((96-128))+r8] + mov edi,DWORD PTR[((128-128))+r8] + mov ebp,DWORD PTR[((160-128))+r8] + mov r10d,DWORD PTR[((192-128))+r8] + mov r11d,DWORD PTR[((224-128))+r8] + jmp $L$enc_loop_compact +ALIGN 16 +$L$enc_loop_compact:: + xor eax,DWORD PTR[r15] + xor ebx,DWORD PTR[4+r15] + xor ecx,DWORD PTR[8+r15] + xor edx,DWORD PTR[12+r15] + lea r15,QWORD PTR[16+r15] + movzx r10d,al + movzx r11d,bl + movzx r12d,cl + movzx r10d,BYTE PTR[r10*1+r14] + movzx r11d,BYTE PTR[r11*1+r14] + movzx r12d,BYTE PTR[r12*1+r14] + + movzx r8d,dl + 
movzx esi,bh + movzx edi,ch + movzx r8d,BYTE PTR[r8*1+r14] + movzx r9d,BYTE PTR[rsi*1+r14] + movzx r13d,BYTE PTR[rdi*1+r14] + + movzx ebp,dh + movzx esi,ah + shr ecx,16 + movzx ebp,BYTE PTR[rbp*1+r14] + movzx esi,BYTE PTR[rsi*1+r14] + shr edx,16 + + movzx edi,cl + shl r9d,8 + shl r13d,8 + movzx edi,BYTE PTR[rdi*1+r14] + xor r10d,r9d + xor r11d,r13d + + movzx r9d,dl + shr eax,16 + shr ebx,16 + movzx r13d,al + shl ebp,8 + shl esi,8 + movzx r9d,BYTE PTR[r9*1+r14] + movzx r13d,BYTE PTR[r13*1+r14] + xor r12d,ebp + xor r8d,esi + + movzx ebp,bl + movzx esi,dh + shl edi,16 + movzx ebp,BYTE PTR[rbp*1+r14] + movzx esi,BYTE PTR[rsi*1+r14] + xor r10d,edi + + movzx edi,ah + shr ecx,8 + shr ebx,8 + movzx edi,BYTE PTR[rdi*1+r14] + movzx edx,BYTE PTR[rcx*1+r14] + movzx ecx,BYTE PTR[rbx*1+r14] + shl r9d,16 + shl r13d,16 + shl ebp,16 + xor r11d,r9d + xor r12d,r13d + xor r8d,ebp + + shl esi,24 + shl edi,24 + shl edx,24 + xor r10d,esi + shl ecx,24 + xor r11d,edi + mov eax,r10d + mov ebx,r11d + xor ecx,r12d + xor edx,r8d + cmp r15,QWORD PTR[16+rsp] + je $L$enc_compact_done + mov esi,eax + mov edi,ebx + and esi,080808080h + and edi,080808080h + mov r10d,esi + mov r11d,edi + shr r10d,7 + lea r8d,DWORD PTR[rax*1+rax] + shr r11d,7 + lea r9d,DWORD PTR[rbx*1+rbx] + sub esi,r10d + sub edi,r11d + and r8d,0fefefefeh + and r9d,0fefefefeh + and esi,01b1b1b1bh + and edi,01b1b1b1bh + mov r10d,eax + mov r11d,ebx + xor r8d,esi + xor r9d,edi + + xor eax,r8d + xor ebx,r9d + mov esi,ecx + mov edi,edx + rol eax,24 + rol ebx,24 + and esi,080808080h + and edi,080808080h + xor eax,r8d + xor ebx,r9d + mov r12d,esi + mov ebp,edi + ror r10d,16 + ror r11d,16 + shr r12d,7 + lea r8d,DWORD PTR[rcx*1+rcx] + xor eax,r10d + xor ebx,r11d + shr ebp,7 + lea r9d,DWORD PTR[rdx*1+rdx] + ror r10d,8 + ror r11d,8 + sub esi,r12d + sub edi,ebp + xor eax,r10d + xor ebx,r11d + + and r8d,0fefefefeh + and r9d,0fefefefeh + and esi,01b1b1b1bh + and edi,01b1b1b1bh + mov r12d,ecx + mov ebp,edx + xor r8d,esi + xor r9d,edi + + xor 
ecx,r8d + xor edx,r9d + rol ecx,24 + rol edx,24 + xor ecx,r8d + xor edx,r9d + mov esi,DWORD PTR[r14] + ror r12d,16 + ror ebp,16 + mov edi,DWORD PTR[64+r14] + xor ecx,r12d + xor edx,ebp + mov r8d,DWORD PTR[128+r14] + ror r12d,8 + ror ebp,8 + mov r9d,DWORD PTR[192+r14] + xor ecx,r12d + xor edx,ebp + jmp $L$enc_loop_compact +ALIGN 16 +$L$enc_compact_done:: + xor eax,DWORD PTR[r15] + xor ebx,DWORD PTR[4+r15] + xor ecx,DWORD PTR[8+r15] + xor edx,DWORD PTR[12+r15] + DB 0F3h,0C3h ;repret +_x86_64_AES_encrypt_compact ENDP +PUBLIC AES_encrypt + +ALIGN 16 +PUBLIC asm_AES_encrypt + +asm_AES_encrypt:: +AES_encrypt PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_AES_encrypt:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + + + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + + + mov r10,rsp + lea rcx,QWORD PTR[((-63))+rdx] + and rsp,-64 + sub rcx,rsp + neg rcx + and rcx,03c0h + sub rsp,rcx + sub rsp,32 + + mov QWORD PTR[16+rsp],rsi + mov QWORD PTR[24+rsp],r10 +$L$enc_prologue:: + + mov r15,rdx + mov r13d,DWORD PTR[240+r15] + + mov eax,DWORD PTR[rdi] + mov ebx,DWORD PTR[4+rdi] + mov ecx,DWORD PTR[8+rdi] + mov edx,DWORD PTR[12+rdi] + + shl r13d,4 + lea rbp,QWORD PTR[r13*1+r15] + mov QWORD PTR[rsp],r15 + mov QWORD PTR[8+rsp],rbp + + + lea r14,QWORD PTR[(($L$AES_Te+2048))] + lea rbp,QWORD PTR[768+rsp] + sub rbp,r14 + and rbp,0300h + lea r14,QWORD PTR[rbp*1+r14] + + call _x86_64_AES_encrypt_compact + + mov r9,QWORD PTR[16+rsp] + mov rsi,QWORD PTR[24+rsp] + mov DWORD PTR[r9],eax + mov DWORD PTR[4+r9],ebx + mov DWORD PTR[8+r9],ecx + mov DWORD PTR[12+r9],edx + + mov r15,QWORD PTR[rsi] + mov r14,QWORD PTR[8+rsi] + mov r13,QWORD PTR[16+rsi] + mov r12,QWORD PTR[24+rsi] + mov rbp,QWORD PTR[32+rsi] + mov rbx,QWORD PTR[40+rsi] + lea rsp,QWORD PTR[48+rsi] +$L$enc_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_AES_encrypt:: +AES_encrypt ENDP + +ALIGN 
16 +_x86_64_AES_decrypt PROC PRIVATE + xor eax,DWORD PTR[r15] + xor ebx,DWORD PTR[4+r15] + xor ecx,DWORD PTR[8+r15] + xor edx,DWORD PTR[12+r15] + + mov r13d,DWORD PTR[240+r15] + sub r13d,1 + jmp $L$dec_loop +ALIGN 16 +$L$dec_loop:: + + movzx esi,al + movzx edi,bl + movzx ebp,cl + mov r10d,DWORD PTR[rsi*8+r14] + mov r11d,DWORD PTR[rdi*8+r14] + mov r12d,DWORD PTR[rbp*8+r14] + + movzx esi,dh + movzx edi,ah + movzx ebp,dl + xor r10d,DWORD PTR[3+rsi*8+r14] + xor r11d,DWORD PTR[3+rdi*8+r14] + mov r8d,DWORD PTR[rbp*8+r14] + + movzx esi,bh + shr eax,16 + movzx ebp,ch + xor r12d,DWORD PTR[3+rsi*8+r14] + shr edx,16 + xor r8d,DWORD PTR[3+rbp*8+r14] + + shr ebx,16 + lea r15,QWORD PTR[16+r15] + shr ecx,16 + + movzx esi,cl + movzx edi,dl + movzx ebp,al + xor r10d,DWORD PTR[2+rsi*8+r14] + xor r11d,DWORD PTR[2+rdi*8+r14] + xor r12d,DWORD PTR[2+rbp*8+r14] + + movzx esi,bh + movzx edi,ch + movzx ebp,bl + xor r10d,DWORD PTR[1+rsi*8+r14] + xor r11d,DWORD PTR[1+rdi*8+r14] + xor r8d,DWORD PTR[2+rbp*8+r14] + + movzx esi,dh + mov edx,DWORD PTR[12+r15] + movzx ebp,ah + xor r12d,DWORD PTR[1+rsi*8+r14] + mov eax,DWORD PTR[r15] + xor r8d,DWORD PTR[1+rbp*8+r14] + + xor eax,r10d + mov ebx,DWORD PTR[4+r15] + mov ecx,DWORD PTR[8+r15] + xor ecx,r12d + xor ebx,r11d + xor edx,r8d + sub r13d,1 + jnz $L$dec_loop + lea r14,QWORD PTR[2048+r14] + movzx esi,al + movzx edi,bl + movzx ebp,cl + movzx r10d,BYTE PTR[rsi*1+r14] + movzx r11d,BYTE PTR[rdi*1+r14] + movzx r12d,BYTE PTR[rbp*1+r14] + + movzx esi,dl + movzx edi,dh + movzx ebp,ah + movzx r8d,BYTE PTR[rsi*1+r14] + movzx edi,BYTE PTR[rdi*1+r14] + movzx ebp,BYTE PTR[rbp*1+r14] + + shl edi,8 + shl ebp,8 + + xor r10d,edi + xor r11d,ebp + shr edx,16 + + movzx esi,bh + movzx edi,ch + shr eax,16 + movzx esi,BYTE PTR[rsi*1+r14] + movzx edi,BYTE PTR[rdi*1+r14] + + shl esi,8 + shl edi,8 + shr ebx,16 + xor r12d,esi + xor r8d,edi + shr ecx,16 + + movzx esi,cl + movzx edi,dl + movzx ebp,al + movzx esi,BYTE PTR[rsi*1+r14] + movzx edi,BYTE PTR[rdi*1+r14] + movzx 
ebp,BYTE PTR[rbp*1+r14] + + shl esi,16 + shl edi,16 + shl ebp,16 + + xor r10d,esi + xor r11d,edi + xor r12d,ebp + + movzx esi,bl + movzx edi,bh + movzx ebp,ch + movzx esi,BYTE PTR[rsi*1+r14] + movzx edi,BYTE PTR[rdi*1+r14] + movzx ebp,BYTE PTR[rbp*1+r14] + + shl esi,16 + shl edi,24 + shl ebp,24 + + xor r8d,esi + xor r10d,edi + xor r11d,ebp + + movzx esi,dh + movzx edi,ah + mov edx,DWORD PTR[((16+12))+r15] + movzx esi,BYTE PTR[rsi*1+r14] + movzx edi,BYTE PTR[rdi*1+r14] + mov eax,DWORD PTR[((16+0))+r15] + + shl esi,24 + shl edi,24 + + xor r12d,esi + xor r8d,edi + + mov ebx,DWORD PTR[((16+4))+r15] + mov ecx,DWORD PTR[((16+8))+r15] + lea r14,QWORD PTR[((-2048))+r14] + xor eax,r10d + xor ebx,r11d + xor ecx,r12d + xor edx,r8d + DB 0F3h,0C3h ;repret +_x86_64_AES_decrypt ENDP + +ALIGN 16 +_x86_64_AES_decrypt_compact PROC PRIVATE + lea r8,QWORD PTR[128+r14] + mov edi,DWORD PTR[((0-128))+r8] + mov ebp,DWORD PTR[((32-128))+r8] + mov r10d,DWORD PTR[((64-128))+r8] + mov r11d,DWORD PTR[((96-128))+r8] + mov edi,DWORD PTR[((128-128))+r8] + mov ebp,DWORD PTR[((160-128))+r8] + mov r10d,DWORD PTR[((192-128))+r8] + mov r11d,DWORD PTR[((224-128))+r8] + jmp $L$dec_loop_compact + +ALIGN 16 +$L$dec_loop_compact:: + xor eax,DWORD PTR[r15] + xor ebx,DWORD PTR[4+r15] + xor ecx,DWORD PTR[8+r15] + xor edx,DWORD PTR[12+r15] + lea r15,QWORD PTR[16+r15] + movzx r10d,al + movzx r11d,bl + movzx r12d,cl + movzx r10d,BYTE PTR[r10*1+r14] + movzx r11d,BYTE PTR[r11*1+r14] + movzx r12d,BYTE PTR[r12*1+r14] + + movzx r8d,dl + movzx esi,dh + movzx edi,ah + movzx r8d,BYTE PTR[r8*1+r14] + movzx r9d,BYTE PTR[rsi*1+r14] + movzx r13d,BYTE PTR[rdi*1+r14] + + movzx ebp,bh + movzx esi,ch + shr ecx,16 + movzx ebp,BYTE PTR[rbp*1+r14] + movzx esi,BYTE PTR[rsi*1+r14] + shr edx,16 + + movzx edi,cl + shl r9d,8 + shl r13d,8 + movzx edi,BYTE PTR[rdi*1+r14] + xor r10d,r9d + xor r11d,r13d + + movzx r9d,dl + shr eax,16 + shr ebx,16 + movzx r13d,al + shl ebp,8 + shl esi,8 + movzx r9d,BYTE PTR[r9*1+r14] + movzx r13d,BYTE 
PTR[r13*1+r14] + xor r12d,ebp + xor r8d,esi + + movzx ebp,bl + movzx esi,bh + shl edi,16 + movzx ebp,BYTE PTR[rbp*1+r14] + movzx esi,BYTE PTR[rsi*1+r14] + xor r10d,edi + + movzx edi,ch + shl r9d,16 + shl r13d,16 + movzx ebx,BYTE PTR[rdi*1+r14] + xor r11d,r9d + xor r12d,r13d + + movzx edi,dh + shr eax,8 + shl ebp,16 + movzx ecx,BYTE PTR[rdi*1+r14] + movzx edx,BYTE PTR[rax*1+r14] + xor r8d,ebp + + shl esi,24 + shl ebx,24 + shl ecx,24 + xor r10d,esi + shl edx,24 + xor ebx,r11d + mov eax,r10d + xor ecx,r12d + xor edx,r8d + cmp r15,QWORD PTR[16+rsp] + je $L$dec_compact_done + + mov rsi,QWORD PTR[((256+0))+r14] + shl rbx,32 + shl rdx,32 + mov rdi,QWORD PTR[((256+8))+r14] + or rax,rbx + or rcx,rdx + mov rbp,QWORD PTR[((256+16))+r14] + mov rbx,rax + mov rdx,rcx + and rbx,rsi + and rdx,rsi + mov r9,rbx + mov r12,rdx + shr r9,7 + lea r8,QWORD PTR[rax*1+rax] + shr r12,7 + lea r11,QWORD PTR[rcx*1+rcx] + sub rbx,r9 + sub rdx,r12 + and r8,rdi + and r11,rdi + and rbx,rbp + and rdx,rbp + xor rbx,r8 + xor rdx,r11 + mov r8,rbx + mov r11,rdx + + and rbx,rsi + and rdx,rsi + mov r10,rbx + mov r13,rdx + shr r10,7 + lea r9,QWORD PTR[r8*1+r8] + shr r13,7 + lea r12,QWORD PTR[r11*1+r11] + sub rbx,r10 + sub rdx,r13 + and r9,rdi + and r12,rdi + and rbx,rbp + and rdx,rbp + xor rbx,r9 + xor rdx,r12 + mov r9,rbx + mov r12,rdx + + and rbx,rsi + and rdx,rsi + mov r10,rbx + mov r13,rdx + shr r10,7 + xor r8,rax + shr r13,7 + xor r11,rcx + sub rbx,r10 + sub rdx,r13 + lea r10,QWORD PTR[r9*1+r9] + lea r13,QWORD PTR[r12*1+r12] + xor r9,rax + xor r12,rcx + and r10,rdi + and r13,rdi + and rbx,rbp + and rdx,rbp + xor r10,rbx + xor r13,rdx + + xor rax,r10 + xor rcx,r13 + xor r8,r10 + xor r11,r13 + mov rbx,rax + mov rdx,rcx + xor r9,r10 + xor r12,r13 + shr rbx,32 + shr rdx,32 + xor r10,r8 + xor r13,r11 + rol eax,8 + rol ecx,8 + xor r10,r9 + xor r13,r12 + + rol ebx,8 + rol edx,8 + xor eax,r10d + xor ecx,r13d + shr r10,32 + shr r13,32 + xor ebx,r10d + xor edx,r13d + + mov r10,r8 + mov r13,r11 + shr r10,32 + 
shr r13,32 + rol r8d,24 + rol r11d,24 + rol r10d,24 + rol r13d,24 + xor eax,r8d + xor ecx,r11d + mov r8,r9 + mov r11,r12 + xor ebx,r10d + xor edx,r13d + + mov rsi,QWORD PTR[r14] + shr r8,32 + shr r11,32 + mov rdi,QWORD PTR[64+r14] + rol r9d,16 + rol r12d,16 + mov rbp,QWORD PTR[128+r14] + rol r8d,16 + rol r11d,16 + mov r10,QWORD PTR[192+r14] + xor eax,r9d + xor ecx,r12d + mov r13,QWORD PTR[256+r14] + xor ebx,r8d + xor edx,r11d + jmp $L$dec_loop_compact +ALIGN 16 +$L$dec_compact_done:: + xor eax,DWORD PTR[r15] + xor ebx,DWORD PTR[4+r15] + xor ecx,DWORD PTR[8+r15] + xor edx,DWORD PTR[12+r15] + DB 0F3h,0C3h ;repret +_x86_64_AES_decrypt_compact ENDP +PUBLIC AES_decrypt + +ALIGN 16 +PUBLIC asm_AES_decrypt + +asm_AES_decrypt:: +AES_decrypt PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_AES_decrypt:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + + + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + + + mov r10,rsp + lea rcx,QWORD PTR[((-63))+rdx] + and rsp,-64 + sub rcx,rsp + neg rcx + and rcx,03c0h + sub rsp,rcx + sub rsp,32 + + mov QWORD PTR[16+rsp],rsi + mov QWORD PTR[24+rsp],r10 +$L$dec_prologue:: + + mov r15,rdx + mov r13d,DWORD PTR[240+r15] + + mov eax,DWORD PTR[rdi] + mov ebx,DWORD PTR[4+rdi] + mov ecx,DWORD PTR[8+rdi] + mov edx,DWORD PTR[12+rdi] + + shl r13d,4 + lea rbp,QWORD PTR[r13*1+r15] + mov QWORD PTR[rsp],r15 + mov QWORD PTR[8+rsp],rbp + + + lea r14,QWORD PTR[(($L$AES_Td+2048))] + lea rbp,QWORD PTR[768+rsp] + sub rbp,r14 + and rbp,0300h + lea r14,QWORD PTR[rbp*1+r14] + shr rbp,3 + add r14,rbp + + call _x86_64_AES_decrypt_compact + + mov r9,QWORD PTR[16+rsp] + mov rsi,QWORD PTR[24+rsp] + mov DWORD PTR[r9],eax + mov DWORD PTR[4+r9],ebx + mov DWORD PTR[8+r9],ecx + mov DWORD PTR[12+r9],edx + + mov r15,QWORD PTR[rsi] + mov r14,QWORD PTR[8+rsi] + mov r13,QWORD PTR[16+rsi] + mov r12,QWORD PTR[24+rsi] + mov rbp,QWORD PTR[32+rsi] + mov rbx,QWORD PTR[40+rsi] + lea rsp,QWORD PTR[48+rsi] 
+$L$dec_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_AES_decrypt:: +AES_decrypt ENDP +PUBLIC AES_set_encrypt_key + +ALIGN 16 +AES_set_encrypt_key PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_AES_set_encrypt_key:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + + + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + sub rsp,8 +$L$enc_key_prologue:: + + call _x86_64_AES_set_encrypt_key + + mov r15,QWORD PTR[8+rsp] + mov r14,QWORD PTR[16+rsp] + mov r13,QWORD PTR[24+rsp] + mov r12,QWORD PTR[32+rsp] + mov rbp,QWORD PTR[40+rsp] + mov rbx,QWORD PTR[48+rsp] + add rsp,56 +$L$enc_key_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_AES_set_encrypt_key:: +AES_set_encrypt_key ENDP + + +ALIGN 16 +_x86_64_AES_set_encrypt_key PROC PRIVATE + mov ecx,esi + mov rsi,rdi + mov rdi,rdx + + test rsi,-1 + jz $L$badpointer + test rdi,-1 + jz $L$badpointer + + lea rbp,QWORD PTR[$L$AES_Te] + lea rbp,QWORD PTR[((2048+128))+rbp] + + + mov eax,DWORD PTR[((0-128))+rbp] + mov ebx,DWORD PTR[((32-128))+rbp] + mov r8d,DWORD PTR[((64-128))+rbp] + mov edx,DWORD PTR[((96-128))+rbp] + mov eax,DWORD PTR[((128-128))+rbp] + mov ebx,DWORD PTR[((160-128))+rbp] + mov r8d,DWORD PTR[((192-128))+rbp] + mov edx,DWORD PTR[((224-128))+rbp] + + cmp ecx,128 + je $L$10rounds + cmp ecx,192 + je $L$12rounds + cmp ecx,256 + je $L$14rounds + mov rax,-2 + jmp $L$exit + +$L$10rounds:: + mov rax,QWORD PTR[rsi] + mov rdx,QWORD PTR[8+rsi] + mov QWORD PTR[rdi],rax + mov QWORD PTR[8+rdi],rdx + + shr rdx,32 + xor ecx,ecx + jmp $L$10shortcut +ALIGN 4 +$L$10loop:: + mov eax,DWORD PTR[rdi] + mov edx,DWORD PTR[12+rdi] +$L$10shortcut:: + movzx esi,dl + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + movzx esi,dh + shl ebx,24 + xor eax,ebx + + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + shr edx,16 + movzx esi,dl + xor eax,ebx + + 
movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + movzx esi,dh + shl ebx,8 + xor eax,ebx + + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + shl ebx,16 + xor eax,ebx + + xor eax,DWORD PTR[((1024-128))+rcx*4+rbp] + mov DWORD PTR[16+rdi],eax + xor eax,DWORD PTR[4+rdi] + mov DWORD PTR[20+rdi],eax + xor eax,DWORD PTR[8+rdi] + mov DWORD PTR[24+rdi],eax + xor eax,DWORD PTR[12+rdi] + mov DWORD PTR[28+rdi],eax + add ecx,1 + lea rdi,QWORD PTR[16+rdi] + cmp ecx,10 + jl $L$10loop + + mov DWORD PTR[80+rdi],10 + xor rax,rax + jmp $L$exit + +$L$12rounds:: + mov rax,QWORD PTR[rsi] + mov rbx,QWORD PTR[8+rsi] + mov rdx,QWORD PTR[16+rsi] + mov QWORD PTR[rdi],rax + mov QWORD PTR[8+rdi],rbx + mov QWORD PTR[16+rdi],rdx + + shr rdx,32 + xor ecx,ecx + jmp $L$12shortcut +ALIGN 4 +$L$12loop:: + mov eax,DWORD PTR[rdi] + mov edx,DWORD PTR[20+rdi] +$L$12shortcut:: + movzx esi,dl + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + movzx esi,dh + shl ebx,24 + xor eax,ebx + + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + shr edx,16 + movzx esi,dl + xor eax,ebx + + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + movzx esi,dh + shl ebx,8 + xor eax,ebx + + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + shl ebx,16 + xor eax,ebx + + xor eax,DWORD PTR[((1024-128))+rcx*4+rbp] + mov DWORD PTR[24+rdi],eax + xor eax,DWORD PTR[4+rdi] + mov DWORD PTR[28+rdi],eax + xor eax,DWORD PTR[8+rdi] + mov DWORD PTR[32+rdi],eax + xor eax,DWORD PTR[12+rdi] + mov DWORD PTR[36+rdi],eax + + cmp ecx,7 + je $L$12break + add ecx,1 + + xor eax,DWORD PTR[16+rdi] + mov DWORD PTR[40+rdi],eax + xor eax,DWORD PTR[20+rdi] + mov DWORD PTR[44+rdi],eax + + lea rdi,QWORD PTR[24+rdi] + jmp $L$12loop +$L$12break:: + mov DWORD PTR[72+rdi],12 + xor rax,rax + jmp $L$exit + +$L$14rounds:: + mov rax,QWORD PTR[rsi] + mov rbx,QWORD PTR[8+rsi] + mov rcx,QWORD PTR[16+rsi] + mov rdx,QWORD PTR[24+rsi] + mov QWORD PTR[rdi],rax + mov QWORD PTR[8+rdi],rbx + mov QWORD PTR[16+rdi],rcx + mov QWORD PTR[24+rdi],rdx + + shr rdx,32 + xor ecx,ecx + jmp $L$14shortcut +ALIGN 4 +$L$14loop:: + mov 
eax,DWORD PTR[rdi] + mov edx,DWORD PTR[28+rdi] +$L$14shortcut:: + movzx esi,dl + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + movzx esi,dh + shl ebx,24 + xor eax,ebx + + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + shr edx,16 + movzx esi,dl + xor eax,ebx + + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + movzx esi,dh + shl ebx,8 + xor eax,ebx + + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + shl ebx,16 + xor eax,ebx + + xor eax,DWORD PTR[((1024-128))+rcx*4+rbp] + mov DWORD PTR[32+rdi],eax + xor eax,DWORD PTR[4+rdi] + mov DWORD PTR[36+rdi],eax + xor eax,DWORD PTR[8+rdi] + mov DWORD PTR[40+rdi],eax + xor eax,DWORD PTR[12+rdi] + mov DWORD PTR[44+rdi],eax + + cmp ecx,6 + je $L$14break + add ecx,1 + + mov edx,eax + mov eax,DWORD PTR[16+rdi] + movzx esi,dl + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + movzx esi,dh + xor eax,ebx + + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + shr edx,16 + shl ebx,8 + movzx esi,dl + xor eax,ebx + + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + movzx esi,dh + shl ebx,16 + xor eax,ebx + + movzx ebx,BYTE PTR[((-128))+rsi*1+rbp] + shl ebx,24 + xor eax,ebx + + mov DWORD PTR[48+rdi],eax + xor eax,DWORD PTR[20+rdi] + mov DWORD PTR[52+rdi],eax + xor eax,DWORD PTR[24+rdi] + mov DWORD PTR[56+rdi],eax + xor eax,DWORD PTR[28+rdi] + mov DWORD PTR[60+rdi],eax + + lea rdi,QWORD PTR[32+rdi] + jmp $L$14loop +$L$14break:: + mov DWORD PTR[48+rdi],14 + xor rax,rax + jmp $L$exit + +$L$badpointer:: + mov rax,-1 +$L$exit:: + DB 0F3h,0C3h ;repret +_x86_64_AES_set_encrypt_key ENDP +PUBLIC AES_set_decrypt_key + +ALIGN 16 +AES_set_decrypt_key PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_AES_set_decrypt_key:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + + + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + push rdx +$L$dec_key_prologue:: + + call _x86_64_AES_set_encrypt_key + mov r8,QWORD PTR[rsp] + cmp eax,0 + jne $L$abort + + mov r14d,DWORD PTR[240+r8] + xor rdi,rdi + lea rcx,QWORD PTR[r14*4+rdi] + mov rsi,r8 + lea 
rdi,QWORD PTR[rcx*4+r8] +ALIGN 4 +$L$invert:: + mov rax,QWORD PTR[rsi] + mov rbx,QWORD PTR[8+rsi] + mov rcx,QWORD PTR[rdi] + mov rdx,QWORD PTR[8+rdi] + mov QWORD PTR[rdi],rax + mov QWORD PTR[8+rdi],rbx + mov QWORD PTR[rsi],rcx + mov QWORD PTR[8+rsi],rdx + lea rsi,QWORD PTR[16+rsi] + lea rdi,QWORD PTR[((-16))+rdi] + cmp rdi,rsi + jne $L$invert + + lea rax,QWORD PTR[(($L$AES_Te+2048+1024))] + + mov rsi,QWORD PTR[40+rax] + mov rdi,QWORD PTR[48+rax] + mov rbp,QWORD PTR[56+rax] + + mov r15,r8 + sub r14d,1 +ALIGN 4 +$L$permute:: + lea r15,QWORD PTR[16+r15] + mov rax,QWORD PTR[r15] + mov rcx,QWORD PTR[8+r15] + mov rbx,rax + mov rdx,rcx + and rbx,rsi + and rdx,rsi + mov r9,rbx + mov r12,rdx + shr r9,7 + lea r8,QWORD PTR[rax*1+rax] + shr r12,7 + lea r11,QWORD PTR[rcx*1+rcx] + sub rbx,r9 + sub rdx,r12 + and r8,rdi + and r11,rdi + and rbx,rbp + and rdx,rbp + xor rbx,r8 + xor rdx,r11 + mov r8,rbx + mov r11,rdx + + and rbx,rsi + and rdx,rsi + mov r10,rbx + mov r13,rdx + shr r10,7 + lea r9,QWORD PTR[r8*1+r8] + shr r13,7 + lea r12,QWORD PTR[r11*1+r11] + sub rbx,r10 + sub rdx,r13 + and r9,rdi + and r12,rdi + and rbx,rbp + and rdx,rbp + xor rbx,r9 + xor rdx,r12 + mov r9,rbx + mov r12,rdx + + and rbx,rsi + and rdx,rsi + mov r10,rbx + mov r13,rdx + shr r10,7 + xor r8,rax + shr r13,7 + xor r11,rcx + sub rbx,r10 + sub rdx,r13 + lea r10,QWORD PTR[r9*1+r9] + lea r13,QWORD PTR[r12*1+r12] + xor r9,rax + xor r12,rcx + and r10,rdi + and r13,rdi + and rbx,rbp + and rdx,rbp + xor r10,rbx + xor r13,rdx + + xor rax,r10 + xor rcx,r13 + xor r8,r10 + xor r11,r13 + mov rbx,rax + mov rdx,rcx + xor r9,r10 + xor r12,r13 + shr rbx,32 + shr rdx,32 + xor r10,r8 + xor r13,r11 + rol eax,8 + rol ecx,8 + xor r10,r9 + xor r13,r12 + + rol ebx,8 + rol edx,8 + xor eax,r10d + xor ecx,r13d + shr r10,32 + shr r13,32 + xor ebx,r10d + xor edx,r13d + + mov r10,r8 + mov r13,r11 + shr r10,32 + shr r13,32 + rol r8d,24 + rol r11d,24 + rol r10d,24 + rol r13d,24 + xor eax,r8d + xor ecx,r11d + mov r8,r9 + mov r11,r12 + xor 
ebx,r10d + xor edx,r13d + + + shr r8,32 + shr r11,32 + + rol r9d,16 + rol r12d,16 + + rol r8d,16 + rol r11d,16 + + xor eax,r9d + xor ecx,r12d + + xor ebx,r8d + xor edx,r11d + mov DWORD PTR[r15],eax + mov DWORD PTR[4+r15],ebx + mov DWORD PTR[8+r15],ecx + mov DWORD PTR[12+r15],edx + sub r14d,1 + jnz $L$permute + + xor rax,rax +$L$abort:: + mov r15,QWORD PTR[8+rsp] + mov r14,QWORD PTR[16+rsp] + mov r13,QWORD PTR[24+rsp] + mov r12,QWORD PTR[32+rsp] + mov rbp,QWORD PTR[40+rsp] + mov rbx,QWORD PTR[48+rsp] + add rsp,56 +$L$dec_key_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_AES_set_decrypt_key:: +AES_set_decrypt_key ENDP +PUBLIC AES_cbc_encrypt + +ALIGN 16 +EXTERN OPENSSL_ia32cap_P:NEAR + +PUBLIC asm_AES_cbc_encrypt + +asm_AES_cbc_encrypt:: +AES_cbc_encrypt PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_AES_cbc_encrypt:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + + cmp rdx,0 + je $L$cbc_epilogue + pushfq + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 +$L$cbc_prologue:: + + cld + mov r9d,r9d + + lea r14,QWORD PTR[$L$AES_Te] + cmp r9,0 + jne $L$cbc_picked_te + lea r14,QWORD PTR[$L$AES_Td] +$L$cbc_picked_te:: + + mov r10d,DWORD PTR[OPENSSL_ia32cap_P] + cmp rdx,512 + jb $L$cbc_slow_prologue + test rdx,15 + jnz $L$cbc_slow_prologue + bt r10d,28 + jc $L$cbc_slow_prologue + + + lea r15,QWORD PTR[((-88-248))+rsp] + and r15,-64 + + + mov r10,r14 + lea r11,QWORD PTR[2304+r14] + mov r12,r15 + and r10,0FFFh + and r11,0FFFh + and r12,0FFFh + + cmp r12,r11 + jb $L$cbc_te_break_out + sub r12,r11 + sub r15,r12 + jmp $L$cbc_te_ok +$L$cbc_te_break_out:: + sub r12,r10 + and r12,0FFFh + add r12,320 + sub r15,r12 +ALIGN 4 +$L$cbc_te_ok:: + + xchg r15,rsp + + mov QWORD PTR[16+rsp],r15 +$L$cbc_fast_body:: + mov QWORD PTR[24+rsp],rdi + mov QWORD PTR[32+rsp],rsi + mov QWORD 
PTR[40+rsp],rdx + mov QWORD PTR[48+rsp],rcx + mov QWORD PTR[56+rsp],r8 + mov DWORD PTR[((80+240))+rsp],0 + mov rbp,r8 + mov rbx,r9 + mov r9,rsi + mov r8,rdi + mov r15,rcx + + mov eax,DWORD PTR[240+r15] + + mov r10,r15 + sub r10,r14 + and r10,0fffh + cmp r10,2304 + jb $L$cbc_do_ecopy + cmp r10,4096-248 + jb $L$cbc_skip_ecopy +ALIGN 4 +$L$cbc_do_ecopy:: + mov rsi,r15 + lea rdi,QWORD PTR[80+rsp] + lea r15,QWORD PTR[80+rsp] + mov ecx,240/8 + DD 090A548F3h + mov DWORD PTR[rdi],eax +$L$cbc_skip_ecopy:: + mov QWORD PTR[rsp],r15 + + mov ecx,18 +ALIGN 4 +$L$cbc_prefetch_te:: + mov r10,QWORD PTR[r14] + mov r11,QWORD PTR[32+r14] + mov r12,QWORD PTR[64+r14] + mov r13,QWORD PTR[96+r14] + lea r14,QWORD PTR[128+r14] + sub ecx,1 + jnz $L$cbc_prefetch_te + lea r14,QWORD PTR[((-2304))+r14] + + cmp rbx,0 + je $L$FAST_DECRYPT + + + mov eax,DWORD PTR[rbp] + mov ebx,DWORD PTR[4+rbp] + mov ecx,DWORD PTR[8+rbp] + mov edx,DWORD PTR[12+rbp] + +ALIGN 4 +$L$cbc_fast_enc_loop:: + xor eax,DWORD PTR[r8] + xor ebx,DWORD PTR[4+r8] + xor ecx,DWORD PTR[8+r8] + xor edx,DWORD PTR[12+r8] + mov r15,QWORD PTR[rsp] + mov QWORD PTR[24+rsp],r8 + + call _x86_64_AES_encrypt + + mov r8,QWORD PTR[24+rsp] + mov r10,QWORD PTR[40+rsp] + mov DWORD PTR[r9],eax + mov DWORD PTR[4+r9],ebx + mov DWORD PTR[8+r9],ecx + mov DWORD PTR[12+r9],edx + + lea r8,QWORD PTR[16+r8] + lea r9,QWORD PTR[16+r9] + sub r10,16 + test r10,-16 + mov QWORD PTR[40+rsp],r10 + jnz $L$cbc_fast_enc_loop + mov rbp,QWORD PTR[56+rsp] + mov DWORD PTR[rbp],eax + mov DWORD PTR[4+rbp],ebx + mov DWORD PTR[8+rbp],ecx + mov DWORD PTR[12+rbp],edx + + jmp $L$cbc_fast_cleanup + + +ALIGN 16 +$L$FAST_DECRYPT:: + cmp r9,r8 + je $L$cbc_fast_dec_in_place + + mov QWORD PTR[64+rsp],rbp +ALIGN 4 +$L$cbc_fast_dec_loop:: + mov eax,DWORD PTR[r8] + mov ebx,DWORD PTR[4+r8] + mov ecx,DWORD PTR[8+r8] + mov edx,DWORD PTR[12+r8] + mov r15,QWORD PTR[rsp] + mov QWORD PTR[24+rsp],r8 + + call _x86_64_AES_decrypt + + mov rbp,QWORD PTR[64+rsp] + mov r8,QWORD PTR[24+rsp] + mov 
r10,QWORD PTR[40+rsp] + xor eax,DWORD PTR[rbp] + xor ebx,DWORD PTR[4+rbp] + xor ecx,DWORD PTR[8+rbp] + xor edx,DWORD PTR[12+rbp] + mov rbp,r8 + + sub r10,16 + mov QWORD PTR[40+rsp],r10 + mov QWORD PTR[64+rsp],rbp + + mov DWORD PTR[r9],eax + mov DWORD PTR[4+r9],ebx + mov DWORD PTR[8+r9],ecx + mov DWORD PTR[12+r9],edx + + lea r8,QWORD PTR[16+r8] + lea r9,QWORD PTR[16+r9] + jnz $L$cbc_fast_dec_loop + mov r12,QWORD PTR[56+rsp] + mov r10,QWORD PTR[rbp] + mov r11,QWORD PTR[8+rbp] + mov QWORD PTR[r12],r10 + mov QWORD PTR[8+r12],r11 + jmp $L$cbc_fast_cleanup + +ALIGN 16 +$L$cbc_fast_dec_in_place:: + mov r10,QWORD PTR[rbp] + mov r11,QWORD PTR[8+rbp] + mov QWORD PTR[((0+64))+rsp],r10 + mov QWORD PTR[((8+64))+rsp],r11 +ALIGN 4 +$L$cbc_fast_dec_in_place_loop:: + mov eax,DWORD PTR[r8] + mov ebx,DWORD PTR[4+r8] + mov ecx,DWORD PTR[8+r8] + mov edx,DWORD PTR[12+r8] + mov r15,QWORD PTR[rsp] + mov QWORD PTR[24+rsp],r8 + + call _x86_64_AES_decrypt + + mov r8,QWORD PTR[24+rsp] + mov r10,QWORD PTR[40+rsp] + xor eax,DWORD PTR[((0+64))+rsp] + xor ebx,DWORD PTR[((4+64))+rsp] + xor ecx,DWORD PTR[((8+64))+rsp] + xor edx,DWORD PTR[((12+64))+rsp] + + mov r11,QWORD PTR[r8] + mov r12,QWORD PTR[8+r8] + sub r10,16 + jz $L$cbc_fast_dec_in_place_done + + mov QWORD PTR[((0+64))+rsp],r11 + mov QWORD PTR[((8+64))+rsp],r12 + + mov DWORD PTR[r9],eax + mov DWORD PTR[4+r9],ebx + mov DWORD PTR[8+r9],ecx + mov DWORD PTR[12+r9],edx + + lea r8,QWORD PTR[16+r8] + lea r9,QWORD PTR[16+r9] + mov QWORD PTR[40+rsp],r10 + jmp $L$cbc_fast_dec_in_place_loop +$L$cbc_fast_dec_in_place_done:: + mov rdi,QWORD PTR[56+rsp] + mov QWORD PTR[rdi],r11 + mov QWORD PTR[8+rdi],r12 + + mov DWORD PTR[r9],eax + mov DWORD PTR[4+r9],ebx + mov DWORD PTR[8+r9],ecx + mov DWORD PTR[12+r9],edx + +ALIGN 4 +$L$cbc_fast_cleanup:: + cmp DWORD PTR[((80+240))+rsp],0 + lea rdi,QWORD PTR[80+rsp] + je $L$cbc_exit + mov ecx,240/8 + xor rax,rax + DD 090AB48F3h + + jmp $L$cbc_exit + + +ALIGN 16 +$L$cbc_slow_prologue:: + + lea rbp,QWORD PTR[((-88))+rsp] 
+ and rbp,-64 + + lea r10,QWORD PTR[((-88-63))+rcx] + sub r10,rbp + neg r10 + and r10,03c0h + sub rbp,r10 + + xchg rbp,rsp + + mov QWORD PTR[16+rsp],rbp +$L$cbc_slow_body:: + + + + + mov QWORD PTR[56+rsp],r8 + mov rbp,r8 + mov rbx,r9 + mov r9,rsi + mov r8,rdi + mov r15,rcx + mov r10,rdx + + mov eax,DWORD PTR[240+r15] + mov QWORD PTR[rsp],r15 + shl eax,4 + lea rax,QWORD PTR[rax*1+r15] + mov QWORD PTR[8+rsp],rax + + + lea r14,QWORD PTR[2048+r14] + lea rax,QWORD PTR[((768-8))+rsp] + sub rax,r14 + and rax,0300h + lea r14,QWORD PTR[rax*1+r14] + + cmp rbx,0 + je $L$SLOW_DECRYPT + + + test r10,-16 + mov eax,DWORD PTR[rbp] + mov ebx,DWORD PTR[4+rbp] + mov ecx,DWORD PTR[8+rbp] + mov edx,DWORD PTR[12+rbp] + jz $L$cbc_slow_enc_tail + +ALIGN 4 +$L$cbc_slow_enc_loop:: + xor eax,DWORD PTR[r8] + xor ebx,DWORD PTR[4+r8] + xor ecx,DWORD PTR[8+r8] + xor edx,DWORD PTR[12+r8] + mov r15,QWORD PTR[rsp] + mov QWORD PTR[24+rsp],r8 + mov QWORD PTR[32+rsp],r9 + mov QWORD PTR[40+rsp],r10 + + call _x86_64_AES_encrypt_compact + + mov r8,QWORD PTR[24+rsp] + mov r9,QWORD PTR[32+rsp] + mov r10,QWORD PTR[40+rsp] + mov DWORD PTR[r9],eax + mov DWORD PTR[4+r9],ebx + mov DWORD PTR[8+r9],ecx + mov DWORD PTR[12+r9],edx + + lea r8,QWORD PTR[16+r8] + lea r9,QWORD PTR[16+r9] + sub r10,16 + test r10,-16 + jnz $L$cbc_slow_enc_loop + test r10,15 + jnz $L$cbc_slow_enc_tail + mov rbp,QWORD PTR[56+rsp] + mov DWORD PTR[rbp],eax + mov DWORD PTR[4+rbp],ebx + mov DWORD PTR[8+rbp],ecx + mov DWORD PTR[12+rbp],edx + + jmp $L$cbc_exit + +ALIGN 4 +$L$cbc_slow_enc_tail:: + mov r11,rax + mov r12,rcx + mov rcx,r10 + mov rsi,r8 + mov rdi,r9 + DD 09066A4F3h + mov rcx,16 + sub rcx,r10 + xor rax,rax + DD 09066AAF3h + mov r8,r9 + mov r10,16 + mov rax,r11 + mov rcx,r12 + jmp $L$cbc_slow_enc_loop + +ALIGN 16 +$L$SLOW_DECRYPT:: + shr rax,3 + add r14,rax + + mov r11,QWORD PTR[rbp] + mov r12,QWORD PTR[8+rbp] + mov QWORD PTR[((0+64))+rsp],r11 + mov QWORD PTR[((8+64))+rsp],r12 + +ALIGN 4 +$L$cbc_slow_dec_loop:: + mov eax,DWORD PTR[r8] 
+ mov ebx,DWORD PTR[4+r8] + mov ecx,DWORD PTR[8+r8] + mov edx,DWORD PTR[12+r8] + mov r15,QWORD PTR[rsp] + mov QWORD PTR[24+rsp],r8 + mov QWORD PTR[32+rsp],r9 + mov QWORD PTR[40+rsp],r10 + + call _x86_64_AES_decrypt_compact + + mov r8,QWORD PTR[24+rsp] + mov r9,QWORD PTR[32+rsp] + mov r10,QWORD PTR[40+rsp] + xor eax,DWORD PTR[((0+64))+rsp] + xor ebx,DWORD PTR[((4+64))+rsp] + xor ecx,DWORD PTR[((8+64))+rsp] + xor edx,DWORD PTR[((12+64))+rsp] + + mov r11,QWORD PTR[r8] + mov r12,QWORD PTR[8+r8] + sub r10,16 + jc $L$cbc_slow_dec_partial + jz $L$cbc_slow_dec_done + + mov QWORD PTR[((0+64))+rsp],r11 + mov QWORD PTR[((8+64))+rsp],r12 + + mov DWORD PTR[r9],eax + mov DWORD PTR[4+r9],ebx + mov DWORD PTR[8+r9],ecx + mov DWORD PTR[12+r9],edx + + lea r8,QWORD PTR[16+r8] + lea r9,QWORD PTR[16+r9] + jmp $L$cbc_slow_dec_loop +$L$cbc_slow_dec_done:: + mov rdi,QWORD PTR[56+rsp] + mov QWORD PTR[rdi],r11 + mov QWORD PTR[8+rdi],r12 + + mov DWORD PTR[r9],eax + mov DWORD PTR[4+r9],ebx + mov DWORD PTR[8+r9],ecx + mov DWORD PTR[12+r9],edx + + jmp $L$cbc_exit + +ALIGN 4 +$L$cbc_slow_dec_partial:: + mov rdi,QWORD PTR[56+rsp] + mov QWORD PTR[rdi],r11 + mov QWORD PTR[8+rdi],r12 + + mov DWORD PTR[((0+64))+rsp],eax + mov DWORD PTR[((4+64))+rsp],ebx + mov DWORD PTR[((8+64))+rsp],ecx + mov DWORD PTR[((12+64))+rsp],edx + + mov rdi,r9 + lea rsi,QWORD PTR[64+rsp] + lea rcx,QWORD PTR[16+r10] + DD 09066A4F3h + jmp $L$cbc_exit + +ALIGN 16 +$L$cbc_exit:: + mov rsi,QWORD PTR[16+rsp] + mov r15,QWORD PTR[rsi] + mov r14,QWORD PTR[8+rsi] + mov r13,QWORD PTR[16+rsi] + mov r12,QWORD PTR[24+rsi] + mov rbp,QWORD PTR[32+rsi] + mov rbx,QWORD PTR[40+rsi] + lea rsp,QWORD PTR[48+rsi] +$L$cbc_popfq:: + popfq +$L$cbc_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_AES_cbc_encrypt:: +AES_cbc_encrypt ENDP +ALIGN 64 +$L$AES_Te:: + DD 0a56363c6h,0a56363c6h + DD 0847c7cf8h,0847c7cf8h + DD 0997777eeh,0997777eeh + DD 08d7b7bf6h,08d7b7bf6h + DD 
00df2f2ffh,00df2f2ffh + DD 0bd6b6bd6h,0bd6b6bd6h + DD 0b16f6fdeh,0b16f6fdeh + DD 054c5c591h,054c5c591h + DD 050303060h,050303060h + DD 003010102h,003010102h + DD 0a96767ceh,0a96767ceh + DD 07d2b2b56h,07d2b2b56h + DD 019fefee7h,019fefee7h + DD 062d7d7b5h,062d7d7b5h + DD 0e6abab4dh,0e6abab4dh + DD 09a7676ech,09a7676ech + DD 045caca8fh,045caca8fh + DD 09d82821fh,09d82821fh + DD 040c9c989h,040c9c989h + DD 0877d7dfah,0877d7dfah + DD 015fafaefh,015fafaefh + DD 0eb5959b2h,0eb5959b2h + DD 0c947478eh,0c947478eh + DD 00bf0f0fbh,00bf0f0fbh + DD 0ecadad41h,0ecadad41h + DD 067d4d4b3h,067d4d4b3h + DD 0fda2a25fh,0fda2a25fh + DD 0eaafaf45h,0eaafaf45h + DD 0bf9c9c23h,0bf9c9c23h + DD 0f7a4a453h,0f7a4a453h + DD 0967272e4h,0967272e4h + DD 05bc0c09bh,05bc0c09bh + DD 0c2b7b775h,0c2b7b775h + DD 01cfdfde1h,01cfdfde1h + DD 0ae93933dh,0ae93933dh + DD 06a26264ch,06a26264ch + DD 05a36366ch,05a36366ch + DD 0413f3f7eh,0413f3f7eh + DD 002f7f7f5h,002f7f7f5h + DD 04fcccc83h,04fcccc83h + DD 05c343468h,05c343468h + DD 0f4a5a551h,0f4a5a551h + DD 034e5e5d1h,034e5e5d1h + DD 008f1f1f9h,008f1f1f9h + DD 0937171e2h,0937171e2h + DD 073d8d8abh,073d8d8abh + DD 053313162h,053313162h + DD 03f15152ah,03f15152ah + DD 00c040408h,00c040408h + DD 052c7c795h,052c7c795h + DD 065232346h,065232346h + DD 05ec3c39dh,05ec3c39dh + DD 028181830h,028181830h + DD 0a1969637h,0a1969637h + DD 00f05050ah,00f05050ah + DD 0b59a9a2fh,0b59a9a2fh + DD 00907070eh,00907070eh + DD 036121224h,036121224h + DD 09b80801bh,09b80801bh + DD 03de2e2dfh,03de2e2dfh + DD 026ebebcdh,026ebebcdh + DD 06927274eh,06927274eh + DD 0cdb2b27fh,0cdb2b27fh + DD 09f7575eah,09f7575eah + DD 01b090912h,01b090912h + DD 09e83831dh,09e83831dh + DD 0742c2c58h,0742c2c58h + DD 02e1a1a34h,02e1a1a34h + DD 02d1b1b36h,02d1b1b36h + DD 0b26e6edch,0b26e6edch + DD 0ee5a5ab4h,0ee5a5ab4h + DD 0fba0a05bh,0fba0a05bh + DD 0f65252a4h,0f65252a4h + DD 04d3b3b76h,04d3b3b76h + DD 061d6d6b7h,061d6d6b7h + DD 0ceb3b37dh,0ceb3b37dh + DD 07b292952h,07b292952h + DD 03ee3e3ddh,03ee3e3ddh + DD 
0712f2f5eh,0712f2f5eh + DD 097848413h,097848413h + DD 0f55353a6h,0f55353a6h + DD 068d1d1b9h,068d1d1b9h + DD 000000000h,000000000h + DD 02cededc1h,02cededc1h + DD 060202040h,060202040h + DD 01ffcfce3h,01ffcfce3h + DD 0c8b1b179h,0c8b1b179h + DD 0ed5b5bb6h,0ed5b5bb6h + DD 0be6a6ad4h,0be6a6ad4h + DD 046cbcb8dh,046cbcb8dh + DD 0d9bebe67h,0d9bebe67h + DD 04b393972h,04b393972h + DD 0de4a4a94h,0de4a4a94h + DD 0d44c4c98h,0d44c4c98h + DD 0e85858b0h,0e85858b0h + DD 04acfcf85h,04acfcf85h + DD 06bd0d0bbh,06bd0d0bbh + DD 02aefefc5h,02aefefc5h + DD 0e5aaaa4fh,0e5aaaa4fh + DD 016fbfbedh,016fbfbedh + DD 0c5434386h,0c5434386h + DD 0d74d4d9ah,0d74d4d9ah + DD 055333366h,055333366h + DD 094858511h,094858511h + DD 0cf45458ah,0cf45458ah + DD 010f9f9e9h,010f9f9e9h + DD 006020204h,006020204h + DD 0817f7ffeh,0817f7ffeh + DD 0f05050a0h,0f05050a0h + DD 0443c3c78h,0443c3c78h + DD 0ba9f9f25h,0ba9f9f25h + DD 0e3a8a84bh,0e3a8a84bh + DD 0f35151a2h,0f35151a2h + DD 0fea3a35dh,0fea3a35dh + DD 0c0404080h,0c0404080h + DD 08a8f8f05h,08a8f8f05h + DD 0ad92923fh,0ad92923fh + DD 0bc9d9d21h,0bc9d9d21h + DD 048383870h,048383870h + DD 004f5f5f1h,004f5f5f1h + DD 0dfbcbc63h,0dfbcbc63h + DD 0c1b6b677h,0c1b6b677h + DD 075dadaafh,075dadaafh + DD 063212142h,063212142h + DD 030101020h,030101020h + DD 01affffe5h,01affffe5h + DD 00ef3f3fdh,00ef3f3fdh + DD 06dd2d2bfh,06dd2d2bfh + DD 04ccdcd81h,04ccdcd81h + DD 0140c0c18h,0140c0c18h + DD 035131326h,035131326h + DD 02fececc3h,02fececc3h + DD 0e15f5fbeh,0e15f5fbeh + DD 0a2979735h,0a2979735h + DD 0cc444488h,0cc444488h + DD 03917172eh,03917172eh + DD 057c4c493h,057c4c493h + DD 0f2a7a755h,0f2a7a755h + DD 0827e7efch,0827e7efch + DD 0473d3d7ah,0473d3d7ah + DD 0ac6464c8h,0ac6464c8h + DD 0e75d5dbah,0e75d5dbah + DD 02b191932h,02b191932h + DD 0957373e6h,0957373e6h + DD 0a06060c0h,0a06060c0h + DD 098818119h,098818119h + DD 0d14f4f9eh,0d14f4f9eh + DD 07fdcdca3h,07fdcdca3h + DD 066222244h,066222244h + DD 07e2a2a54h,07e2a2a54h + DD 0ab90903bh,0ab90903bh + DD 08388880bh,08388880bh + DD 
0ca46468ch,0ca46468ch + DD 029eeeec7h,029eeeec7h + DD 0d3b8b86bh,0d3b8b86bh + DD 03c141428h,03c141428h + DD 079dedea7h,079dedea7h + DD 0e25e5ebch,0e25e5ebch + DD 01d0b0b16h,01d0b0b16h + DD 076dbdbadh,076dbdbadh + DD 03be0e0dbh,03be0e0dbh + DD 056323264h,056323264h + DD 04e3a3a74h,04e3a3a74h + DD 01e0a0a14h,01e0a0a14h + DD 0db494992h,0db494992h + DD 00a06060ch,00a06060ch + DD 06c242448h,06c242448h + DD 0e45c5cb8h,0e45c5cb8h + DD 05dc2c29fh,05dc2c29fh + DD 06ed3d3bdh,06ed3d3bdh + DD 0efacac43h,0efacac43h + DD 0a66262c4h,0a66262c4h + DD 0a8919139h,0a8919139h + DD 0a4959531h,0a4959531h + DD 037e4e4d3h,037e4e4d3h + DD 08b7979f2h,08b7979f2h + DD 032e7e7d5h,032e7e7d5h + DD 043c8c88bh,043c8c88bh + DD 05937376eh,05937376eh + DD 0b76d6ddah,0b76d6ddah + DD 08c8d8d01h,08c8d8d01h + DD 064d5d5b1h,064d5d5b1h + DD 0d24e4e9ch,0d24e4e9ch + DD 0e0a9a949h,0e0a9a949h + DD 0b46c6cd8h,0b46c6cd8h + DD 0fa5656ach,0fa5656ach + DD 007f4f4f3h,007f4f4f3h + DD 025eaeacfh,025eaeacfh + DD 0af6565cah,0af6565cah + DD 08e7a7af4h,08e7a7af4h + DD 0e9aeae47h,0e9aeae47h + DD 018080810h,018080810h + DD 0d5baba6fh,0d5baba6fh + DD 0887878f0h,0887878f0h + DD 06f25254ah,06f25254ah + DD 0722e2e5ch,0722e2e5ch + DD 0241c1c38h,0241c1c38h + DD 0f1a6a657h,0f1a6a657h + DD 0c7b4b473h,0c7b4b473h + DD 051c6c697h,051c6c697h + DD 023e8e8cbh,023e8e8cbh + DD 07cdddda1h,07cdddda1h + DD 09c7474e8h,09c7474e8h + DD 0211f1f3eh,0211f1f3eh + DD 0dd4b4b96h,0dd4b4b96h + DD 0dcbdbd61h,0dcbdbd61h + DD 0868b8b0dh,0868b8b0dh + DD 0858a8a0fh,0858a8a0fh + DD 0907070e0h,0907070e0h + DD 0423e3e7ch,0423e3e7ch + DD 0c4b5b571h,0c4b5b571h + DD 0aa6666cch,0aa6666cch + DD 0d8484890h,0d8484890h + DD 005030306h,005030306h + DD 001f6f6f7h,001f6f6f7h + DD 0120e0e1ch,0120e0e1ch + DD 0a36161c2h,0a36161c2h + DD 05f35356ah,05f35356ah + DD 0f95757aeh,0f95757aeh + DD 0d0b9b969h,0d0b9b969h + DD 091868617h,091868617h + DD 058c1c199h,058c1c199h + DD 0271d1d3ah,0271d1d3ah + DD 0b99e9e27h,0b99e9e27h + DD 038e1e1d9h,038e1e1d9h + DD 013f8f8ebh,013f8f8ebh + DD 
0b398982bh,0b398982bh + DD 033111122h,033111122h + DD 0bb6969d2h,0bb6969d2h + DD 070d9d9a9h,070d9d9a9h + DD 0898e8e07h,0898e8e07h + DD 0a7949433h,0a7949433h + DD 0b69b9b2dh,0b69b9b2dh + DD 0221e1e3ch,0221e1e3ch + DD 092878715h,092878715h + DD 020e9e9c9h,020e9e9c9h + DD 049cece87h,049cece87h + DD 0ff5555aah,0ff5555aah + DD 078282850h,078282850h + DD 07adfdfa5h,07adfdfa5h + DD 08f8c8c03h,08f8c8c03h + DD 0f8a1a159h,0f8a1a159h + DD 080898909h,080898909h + DD 0170d0d1ah,0170d0d1ah + DD 0dabfbf65h,0dabfbf65h + DD 031e6e6d7h,031e6e6d7h + DD 0c6424284h,0c6424284h + DD 0b86868d0h,0b86868d0h + DD 0c3414182h,0c3414182h + DD 0b0999929h,0b0999929h + DD 0772d2d5ah,0772d2d5ah + DD 0110f0f1eh,0110f0f1eh + DD 0cbb0b07bh,0cbb0b07bh + DD 0fc5454a8h,0fc5454a8h + DD 0d6bbbb6dh,0d6bbbb6dh + DD 03a16162ch,03a16162ch +DB 063h,07ch,077h,07bh,0f2h,06bh,06fh,0c5h +DB 030h,001h,067h,02bh,0feh,0d7h,0abh,076h +DB 0cah,082h,0c9h,07dh,0fah,059h,047h,0f0h +DB 0adh,0d4h,0a2h,0afh,09ch,0a4h,072h,0c0h +DB 0b7h,0fdh,093h,026h,036h,03fh,0f7h,0cch +DB 034h,0a5h,0e5h,0f1h,071h,0d8h,031h,015h +DB 004h,0c7h,023h,0c3h,018h,096h,005h,09ah +DB 007h,012h,080h,0e2h,0ebh,027h,0b2h,075h +DB 009h,083h,02ch,01ah,01bh,06eh,05ah,0a0h +DB 052h,03bh,0d6h,0b3h,029h,0e3h,02fh,084h +DB 053h,0d1h,000h,0edh,020h,0fch,0b1h,05bh +DB 06ah,0cbh,0beh,039h,04ah,04ch,058h,0cfh +DB 0d0h,0efh,0aah,0fbh,043h,04dh,033h,085h +DB 045h,0f9h,002h,07fh,050h,03ch,09fh,0a8h +DB 051h,0a3h,040h,08fh,092h,09dh,038h,0f5h +DB 0bch,0b6h,0dah,021h,010h,0ffh,0f3h,0d2h +DB 0cdh,00ch,013h,0ech,05fh,097h,044h,017h +DB 0c4h,0a7h,07eh,03dh,064h,05dh,019h,073h +DB 060h,081h,04fh,0dch,022h,02ah,090h,088h +DB 046h,0eeh,0b8h,014h,0deh,05eh,00bh,0dbh +DB 0e0h,032h,03ah,00ah,049h,006h,024h,05ch +DB 0c2h,0d3h,0ach,062h,091h,095h,0e4h,079h +DB 0e7h,0c8h,037h,06dh,08dh,0d5h,04eh,0a9h +DB 06ch,056h,0f4h,0eah,065h,07ah,0aeh,008h +DB 0bah,078h,025h,02eh,01ch,0a6h,0b4h,0c6h +DB 0e8h,0ddh,074h,01fh,04bh,0bdh,08bh,08ah +DB 070h,03eh,0b5h,066h,048h,003h,0f6h,00eh +DB 
061h,035h,057h,0b9h,086h,0c1h,01dh,09eh +DB 0e1h,0f8h,098h,011h,069h,0d9h,08eh,094h +DB 09bh,01eh,087h,0e9h,0ceh,055h,028h,0dfh +DB 08ch,0a1h,089h,00dh,0bfh,0e6h,042h,068h +DB 041h,099h,02dh,00fh,0b0h,054h,0bbh,016h +DB 063h,07ch,077h,07bh,0f2h,06bh,06fh,0c5h +DB 030h,001h,067h,02bh,0feh,0d7h,0abh,076h +DB 0cah,082h,0c9h,07dh,0fah,059h,047h,0f0h +DB 0adh,0d4h,0a2h,0afh,09ch,0a4h,072h,0c0h +DB 0b7h,0fdh,093h,026h,036h,03fh,0f7h,0cch +DB 034h,0a5h,0e5h,0f1h,071h,0d8h,031h,015h +DB 004h,0c7h,023h,0c3h,018h,096h,005h,09ah +DB 007h,012h,080h,0e2h,0ebh,027h,0b2h,075h +DB 009h,083h,02ch,01ah,01bh,06eh,05ah,0a0h +DB 052h,03bh,0d6h,0b3h,029h,0e3h,02fh,084h +DB 053h,0d1h,000h,0edh,020h,0fch,0b1h,05bh +DB 06ah,0cbh,0beh,039h,04ah,04ch,058h,0cfh +DB 0d0h,0efh,0aah,0fbh,043h,04dh,033h,085h +DB 045h,0f9h,002h,07fh,050h,03ch,09fh,0a8h +DB 051h,0a3h,040h,08fh,092h,09dh,038h,0f5h +DB 0bch,0b6h,0dah,021h,010h,0ffh,0f3h,0d2h +DB 0cdh,00ch,013h,0ech,05fh,097h,044h,017h +DB 0c4h,0a7h,07eh,03dh,064h,05dh,019h,073h +DB 060h,081h,04fh,0dch,022h,02ah,090h,088h +DB 046h,0eeh,0b8h,014h,0deh,05eh,00bh,0dbh +DB 0e0h,032h,03ah,00ah,049h,006h,024h,05ch +DB 0c2h,0d3h,0ach,062h,091h,095h,0e4h,079h +DB 0e7h,0c8h,037h,06dh,08dh,0d5h,04eh,0a9h +DB 06ch,056h,0f4h,0eah,065h,07ah,0aeh,008h +DB 0bah,078h,025h,02eh,01ch,0a6h,0b4h,0c6h +DB 0e8h,0ddh,074h,01fh,04bh,0bdh,08bh,08ah +DB 070h,03eh,0b5h,066h,048h,003h,0f6h,00eh +DB 061h,035h,057h,0b9h,086h,0c1h,01dh,09eh +DB 0e1h,0f8h,098h,011h,069h,0d9h,08eh,094h +DB 09bh,01eh,087h,0e9h,0ceh,055h,028h,0dfh +DB 08ch,0a1h,089h,00dh,0bfh,0e6h,042h,068h +DB 041h,099h,02dh,00fh,0b0h,054h,0bbh,016h +DB 063h,07ch,077h,07bh,0f2h,06bh,06fh,0c5h +DB 030h,001h,067h,02bh,0feh,0d7h,0abh,076h +DB 0cah,082h,0c9h,07dh,0fah,059h,047h,0f0h +DB 0adh,0d4h,0a2h,0afh,09ch,0a4h,072h,0c0h +DB 0b7h,0fdh,093h,026h,036h,03fh,0f7h,0cch +DB 034h,0a5h,0e5h,0f1h,071h,0d8h,031h,015h +DB 004h,0c7h,023h,0c3h,018h,096h,005h,09ah +DB 007h,012h,080h,0e2h,0ebh,027h,0b2h,075h +DB 
009h,083h,02ch,01ah,01bh,06eh,05ah,0a0h +DB 052h,03bh,0d6h,0b3h,029h,0e3h,02fh,084h +DB 053h,0d1h,000h,0edh,020h,0fch,0b1h,05bh +DB 06ah,0cbh,0beh,039h,04ah,04ch,058h,0cfh +DB 0d0h,0efh,0aah,0fbh,043h,04dh,033h,085h +DB 045h,0f9h,002h,07fh,050h,03ch,09fh,0a8h +DB 051h,0a3h,040h,08fh,092h,09dh,038h,0f5h +DB 0bch,0b6h,0dah,021h,010h,0ffh,0f3h,0d2h +DB 0cdh,00ch,013h,0ech,05fh,097h,044h,017h +DB 0c4h,0a7h,07eh,03dh,064h,05dh,019h,073h +DB 060h,081h,04fh,0dch,022h,02ah,090h,088h +DB 046h,0eeh,0b8h,014h,0deh,05eh,00bh,0dbh +DB 0e0h,032h,03ah,00ah,049h,006h,024h,05ch +DB 0c2h,0d3h,0ach,062h,091h,095h,0e4h,079h +DB 0e7h,0c8h,037h,06dh,08dh,0d5h,04eh,0a9h +DB 06ch,056h,0f4h,0eah,065h,07ah,0aeh,008h +DB 0bah,078h,025h,02eh,01ch,0a6h,0b4h,0c6h +DB 0e8h,0ddh,074h,01fh,04bh,0bdh,08bh,08ah +DB 070h,03eh,0b5h,066h,048h,003h,0f6h,00eh +DB 061h,035h,057h,0b9h,086h,0c1h,01dh,09eh +DB 0e1h,0f8h,098h,011h,069h,0d9h,08eh,094h +DB 09bh,01eh,087h,0e9h,0ceh,055h,028h,0dfh +DB 08ch,0a1h,089h,00dh,0bfh,0e6h,042h,068h +DB 041h,099h,02dh,00fh,0b0h,054h,0bbh,016h +DB 063h,07ch,077h,07bh,0f2h,06bh,06fh,0c5h +DB 030h,001h,067h,02bh,0feh,0d7h,0abh,076h +DB 0cah,082h,0c9h,07dh,0fah,059h,047h,0f0h +DB 0adh,0d4h,0a2h,0afh,09ch,0a4h,072h,0c0h +DB 0b7h,0fdh,093h,026h,036h,03fh,0f7h,0cch +DB 034h,0a5h,0e5h,0f1h,071h,0d8h,031h,015h +DB 004h,0c7h,023h,0c3h,018h,096h,005h,09ah +DB 007h,012h,080h,0e2h,0ebh,027h,0b2h,075h +DB 009h,083h,02ch,01ah,01bh,06eh,05ah,0a0h +DB 052h,03bh,0d6h,0b3h,029h,0e3h,02fh,084h +DB 053h,0d1h,000h,0edh,020h,0fch,0b1h,05bh +DB 06ah,0cbh,0beh,039h,04ah,04ch,058h,0cfh +DB 0d0h,0efh,0aah,0fbh,043h,04dh,033h,085h +DB 045h,0f9h,002h,07fh,050h,03ch,09fh,0a8h +DB 051h,0a3h,040h,08fh,092h,09dh,038h,0f5h +DB 0bch,0b6h,0dah,021h,010h,0ffh,0f3h,0d2h +DB 0cdh,00ch,013h,0ech,05fh,097h,044h,017h +DB 0c4h,0a7h,07eh,03dh,064h,05dh,019h,073h +DB 060h,081h,04fh,0dch,022h,02ah,090h,088h +DB 046h,0eeh,0b8h,014h,0deh,05eh,00bh,0dbh +DB 0e0h,032h,03ah,00ah,049h,006h,024h,05ch +DB 
0c2h,0d3h,0ach,062h,091h,095h,0e4h,079h +DB 0e7h,0c8h,037h,06dh,08dh,0d5h,04eh,0a9h +DB 06ch,056h,0f4h,0eah,065h,07ah,0aeh,008h +DB 0bah,078h,025h,02eh,01ch,0a6h,0b4h,0c6h +DB 0e8h,0ddh,074h,01fh,04bh,0bdh,08bh,08ah +DB 070h,03eh,0b5h,066h,048h,003h,0f6h,00eh +DB 061h,035h,057h,0b9h,086h,0c1h,01dh,09eh +DB 0e1h,0f8h,098h,011h,069h,0d9h,08eh,094h +DB 09bh,01eh,087h,0e9h,0ceh,055h,028h,0dfh +DB 08ch,0a1h,089h,00dh,0bfh,0e6h,042h,068h +DB 041h,099h,02dh,00fh,0b0h,054h,0bbh,016h + DD 000000001h,000000002h,000000004h,000000008h + DD 000000010h,000000020h,000000040h,000000080h + DD 00000001bh,000000036h,080808080h,080808080h + DD 0fefefefeh,0fefefefeh,01b1b1b1bh,01b1b1b1bh +ALIGN 64 +$L$AES_Td:: + DD 050a7f451h,050a7f451h + DD 05365417eh,05365417eh + DD 0c3a4171ah,0c3a4171ah + DD 0965e273ah,0965e273ah + DD 0cb6bab3bh,0cb6bab3bh + DD 0f1459d1fh,0f1459d1fh + DD 0ab58faach,0ab58faach + DD 09303e34bh,09303e34bh + DD 055fa3020h,055fa3020h + DD 0f66d76adh,0f66d76adh + DD 09176cc88h,09176cc88h + DD 0254c02f5h,0254c02f5h + DD 0fcd7e54fh,0fcd7e54fh + DD 0d7cb2ac5h,0d7cb2ac5h + DD 080443526h,080443526h + DD 08fa362b5h,08fa362b5h + DD 0495ab1deh,0495ab1deh + DD 0671bba25h,0671bba25h + DD 0980eea45h,0980eea45h + DD 0e1c0fe5dh,0e1c0fe5dh + DD 002752fc3h,002752fc3h + DD 012f04c81h,012f04c81h + DD 0a397468dh,0a397468dh + DD 0c6f9d36bh,0c6f9d36bh + DD 0e75f8f03h,0e75f8f03h + DD 0959c9215h,0959c9215h + DD 0eb7a6dbfh,0eb7a6dbfh + DD 0da595295h,0da595295h + DD 02d83bed4h,02d83bed4h + DD 0d3217458h,0d3217458h + DD 02969e049h,02969e049h + DD 044c8c98eh,044c8c98eh + DD 06a89c275h,06a89c275h + DD 078798ef4h,078798ef4h + DD 06b3e5899h,06b3e5899h + DD 0dd71b927h,0dd71b927h + DD 0b64fe1beh,0b64fe1beh + DD 017ad88f0h,017ad88f0h + DD 066ac20c9h,066ac20c9h + DD 0b43ace7dh,0b43ace7dh + DD 0184adf63h,0184adf63h + DD 082311ae5h,082311ae5h + DD 060335197h,060335197h + DD 0457f5362h,0457f5362h + DD 0e07764b1h,0e07764b1h + DD 084ae6bbbh,084ae6bbbh + DD 01ca081feh,01ca081feh + DD 0942b08f9h,0942b08f9h + DD 
058684870h,058684870h + DD 019fd458fh,019fd458fh + DD 0876cde94h,0876cde94h + DD 0b7f87b52h,0b7f87b52h + DD 023d373abh,023d373abh + DD 0e2024b72h,0e2024b72h + DD 0578f1fe3h,0578f1fe3h + DD 02aab5566h,02aab5566h + DD 00728ebb2h,00728ebb2h + DD 003c2b52fh,003c2b52fh + DD 09a7bc586h,09a7bc586h + DD 0a50837d3h,0a50837d3h + DD 0f2872830h,0f2872830h + DD 0b2a5bf23h,0b2a5bf23h + DD 0ba6a0302h,0ba6a0302h + DD 05c8216edh,05c8216edh + DD 02b1ccf8ah,02b1ccf8ah + DD 092b479a7h,092b479a7h + DD 0f0f207f3h,0f0f207f3h + DD 0a1e2694eh,0a1e2694eh + DD 0cdf4da65h,0cdf4da65h + DD 0d5be0506h,0d5be0506h + DD 01f6234d1h,01f6234d1h + DD 08afea6c4h,08afea6c4h + DD 09d532e34h,09d532e34h + DD 0a055f3a2h,0a055f3a2h + DD 032e18a05h,032e18a05h + DD 075ebf6a4h,075ebf6a4h + DD 039ec830bh,039ec830bh + DD 0aaef6040h,0aaef6040h + DD 0069f715eh,0069f715eh + DD 051106ebdh,051106ebdh + DD 0f98a213eh,0f98a213eh + DD 03d06dd96h,03d06dd96h + DD 0ae053eddh,0ae053eddh + DD 046bde64dh,046bde64dh + DD 0b58d5491h,0b58d5491h + DD 0055dc471h,0055dc471h + DD 06fd40604h,06fd40604h + DD 0ff155060h,0ff155060h + DD 024fb9819h,024fb9819h + DD 097e9bdd6h,097e9bdd6h + DD 0cc434089h,0cc434089h + DD 0779ed967h,0779ed967h + DD 0bd42e8b0h,0bd42e8b0h + DD 0888b8907h,0888b8907h + DD 0385b19e7h,0385b19e7h + DD 0dbeec879h,0dbeec879h + DD 0470a7ca1h,0470a7ca1h + DD 0e90f427ch,0e90f427ch + DD 0c91e84f8h,0c91e84f8h + DD 000000000h,000000000h + DD 083868009h,083868009h + DD 048ed2b32h,048ed2b32h + DD 0ac70111eh,0ac70111eh + DD 04e725a6ch,04e725a6ch + DD 0fbff0efdh,0fbff0efdh + DD 05638850fh,05638850fh + DD 01ed5ae3dh,01ed5ae3dh + DD 027392d36h,027392d36h + DD 064d90f0ah,064d90f0ah + DD 021a65c68h,021a65c68h + DD 0d1545b9bh,0d1545b9bh + DD 03a2e3624h,03a2e3624h + DD 0b1670a0ch,0b1670a0ch + DD 00fe75793h,00fe75793h + DD 0d296eeb4h,0d296eeb4h + DD 09e919b1bh,09e919b1bh + DD 04fc5c080h,04fc5c080h + DD 0a220dc61h,0a220dc61h + DD 0694b775ah,0694b775ah + DD 0161a121ch,0161a121ch + DD 00aba93e2h,00aba93e2h + DD 0e52aa0c0h,0e52aa0c0h + DD 
043e0223ch,043e0223ch + DD 01d171b12h,01d171b12h + DD 00b0d090eh,00b0d090eh + DD 0adc78bf2h,0adc78bf2h + DD 0b9a8b62dh,0b9a8b62dh + DD 0c8a91e14h,0c8a91e14h + DD 08519f157h,08519f157h + DD 04c0775afh,04c0775afh + DD 0bbdd99eeh,0bbdd99eeh + DD 0fd607fa3h,0fd607fa3h + DD 09f2601f7h,09f2601f7h + DD 0bcf5725ch,0bcf5725ch + DD 0c53b6644h,0c53b6644h + DD 0347efb5bh,0347efb5bh + DD 07629438bh,07629438bh + DD 0dcc623cbh,0dcc623cbh + DD 068fcedb6h,068fcedb6h + DD 063f1e4b8h,063f1e4b8h + DD 0cadc31d7h,0cadc31d7h + DD 010856342h,010856342h + DD 040229713h,040229713h + DD 02011c684h,02011c684h + DD 07d244a85h,07d244a85h + DD 0f83dbbd2h,0f83dbbd2h + DD 01132f9aeh,01132f9aeh + DD 06da129c7h,06da129c7h + DD 04b2f9e1dh,04b2f9e1dh + DD 0f330b2dch,0f330b2dch + DD 0ec52860dh,0ec52860dh + DD 0d0e3c177h,0d0e3c177h + DD 06c16b32bh,06c16b32bh + DD 099b970a9h,099b970a9h + DD 0fa489411h,0fa489411h + DD 02264e947h,02264e947h + DD 0c48cfca8h,0c48cfca8h + DD 01a3ff0a0h,01a3ff0a0h + DD 0d82c7d56h,0d82c7d56h + DD 0ef903322h,0ef903322h + DD 0c74e4987h,0c74e4987h + DD 0c1d138d9h,0c1d138d9h + DD 0fea2ca8ch,0fea2ca8ch + DD 0360bd498h,0360bd498h + DD 0cf81f5a6h,0cf81f5a6h + DD 028de7aa5h,028de7aa5h + DD 0268eb7dah,0268eb7dah + DD 0a4bfad3fh,0a4bfad3fh + DD 0e49d3a2ch,0e49d3a2ch + DD 00d927850h,00d927850h + DD 09bcc5f6ah,09bcc5f6ah + DD 062467e54h,062467e54h + DD 0c2138df6h,0c2138df6h + DD 0e8b8d890h,0e8b8d890h + DD 05ef7392eh,05ef7392eh + DD 0f5afc382h,0f5afc382h + DD 0be805d9fh,0be805d9fh + DD 07c93d069h,07c93d069h + DD 0a92dd56fh,0a92dd56fh + DD 0b31225cfh,0b31225cfh + DD 03b99acc8h,03b99acc8h + DD 0a77d1810h,0a77d1810h + DD 06e639ce8h,06e639ce8h + DD 07bbb3bdbh,07bbb3bdbh + DD 0097826cdh,0097826cdh + DD 0f418596eh,0f418596eh + DD 001b79aech,001b79aech + DD 0a89a4f83h,0a89a4f83h + DD 0656e95e6h,0656e95e6h + DD 07ee6ffaah,07ee6ffaah + DD 008cfbc21h,008cfbc21h + DD 0e6e815efh,0e6e815efh + DD 0d99be7bah,0d99be7bah + DD 0ce366f4ah,0ce366f4ah + DD 0d4099feah,0d4099feah + DD 0d67cb029h,0d67cb029h + DD 
0afb2a431h,0afb2a431h + DD 031233f2ah,031233f2ah + DD 03094a5c6h,03094a5c6h + DD 0c066a235h,0c066a235h + DD 037bc4e74h,037bc4e74h + DD 0a6ca82fch,0a6ca82fch + DD 0b0d090e0h,0b0d090e0h + DD 015d8a733h,015d8a733h + DD 04a9804f1h,04a9804f1h + DD 0f7daec41h,0f7daec41h + DD 00e50cd7fh,00e50cd7fh + DD 02ff69117h,02ff69117h + DD 08dd64d76h,08dd64d76h + DD 04db0ef43h,04db0ef43h + DD 0544daacch,0544daacch + DD 0df0496e4h,0df0496e4h + DD 0e3b5d19eh,0e3b5d19eh + DD 01b886a4ch,01b886a4ch + DD 0b81f2cc1h,0b81f2cc1h + DD 07f516546h,07f516546h + DD 004ea5e9dh,004ea5e9dh + DD 05d358c01h,05d358c01h + DD 0737487fah,0737487fah + DD 02e410bfbh,02e410bfbh + DD 05a1d67b3h,05a1d67b3h + DD 052d2db92h,052d2db92h + DD 0335610e9h,0335610e9h + DD 01347d66dh,01347d66dh + DD 08c61d79ah,08c61d79ah + DD 07a0ca137h,07a0ca137h + DD 08e14f859h,08e14f859h + DD 0893c13ebh,0893c13ebh + DD 0ee27a9ceh,0ee27a9ceh + DD 035c961b7h,035c961b7h + DD 0ede51ce1h,0ede51ce1h + DD 03cb1477ah,03cb1477ah + DD 059dfd29ch,059dfd29ch + DD 03f73f255h,03f73f255h + DD 079ce1418h,079ce1418h + DD 0bf37c773h,0bf37c773h + DD 0eacdf753h,0eacdf753h + DD 05baafd5fh,05baafd5fh + DD 0146f3ddfh,0146f3ddfh + DD 086db4478h,086db4478h + DD 081f3afcah,081f3afcah + DD 03ec468b9h,03ec468b9h + DD 02c342438h,02c342438h + DD 05f40a3c2h,05f40a3c2h + DD 072c31d16h,072c31d16h + DD 00c25e2bch,00c25e2bch + DD 08b493c28h,08b493c28h + DD 041950dffh,041950dffh + DD 07101a839h,07101a839h + DD 0deb30c08h,0deb30c08h + DD 09ce4b4d8h,09ce4b4d8h + DD 090c15664h,090c15664h + DD 06184cb7bh,06184cb7bh + DD 070b632d5h,070b632d5h + DD 0745c6c48h,0745c6c48h + DD 04257b8d0h,04257b8d0h +DB 052h,009h,06ah,0d5h,030h,036h,0a5h,038h +DB 0bfh,040h,0a3h,09eh,081h,0f3h,0d7h,0fbh +DB 07ch,0e3h,039h,082h,09bh,02fh,0ffh,087h +DB 034h,08eh,043h,044h,0c4h,0deh,0e9h,0cbh +DB 054h,07bh,094h,032h,0a6h,0c2h,023h,03dh +DB 0eeh,04ch,095h,00bh,042h,0fah,0c3h,04eh +DB 008h,02eh,0a1h,066h,028h,0d9h,024h,0b2h +DB 076h,05bh,0a2h,049h,06dh,08bh,0d1h,025h +DB 
072h,0f8h,0f6h,064h,086h,068h,098h,016h +DB 0d4h,0a4h,05ch,0cch,05dh,065h,0b6h,092h +DB 06ch,070h,048h,050h,0fdh,0edh,0b9h,0dah +DB 05eh,015h,046h,057h,0a7h,08dh,09dh,084h +DB 090h,0d8h,0abh,000h,08ch,0bch,0d3h,00ah +DB 0f7h,0e4h,058h,005h,0b8h,0b3h,045h,006h +DB 0d0h,02ch,01eh,08fh,0cah,03fh,00fh,002h +DB 0c1h,0afh,0bdh,003h,001h,013h,08ah,06bh +DB 03ah,091h,011h,041h,04fh,067h,0dch,0eah +DB 097h,0f2h,0cfh,0ceh,0f0h,0b4h,0e6h,073h +DB 096h,0ach,074h,022h,0e7h,0adh,035h,085h +DB 0e2h,0f9h,037h,0e8h,01ch,075h,0dfh,06eh +DB 047h,0f1h,01ah,071h,01dh,029h,0c5h,089h +DB 06fh,0b7h,062h,00eh,0aah,018h,0beh,01bh +DB 0fch,056h,03eh,04bh,0c6h,0d2h,079h,020h +DB 09ah,0dbh,0c0h,0feh,078h,0cdh,05ah,0f4h +DB 01fh,0ddh,0a8h,033h,088h,007h,0c7h,031h +DB 0b1h,012h,010h,059h,027h,080h,0ech,05fh +DB 060h,051h,07fh,0a9h,019h,0b5h,04ah,00dh +DB 02dh,0e5h,07ah,09fh,093h,0c9h,09ch,0efh +DB 0a0h,0e0h,03bh,04dh,0aeh,02ah,0f5h,0b0h +DB 0c8h,0ebh,0bbh,03ch,083h,053h,099h,061h +DB 017h,02bh,004h,07eh,0bah,077h,0d6h,026h +DB 0e1h,069h,014h,063h,055h,021h,00ch,07dh + DD 080808080h,080808080h,0fefefefeh,0fefefefeh + DD 01b1b1b1bh,01b1b1b1bh,0,0 +DB 052h,009h,06ah,0d5h,030h,036h,0a5h,038h +DB 0bfh,040h,0a3h,09eh,081h,0f3h,0d7h,0fbh +DB 07ch,0e3h,039h,082h,09bh,02fh,0ffh,087h +DB 034h,08eh,043h,044h,0c4h,0deh,0e9h,0cbh +DB 054h,07bh,094h,032h,0a6h,0c2h,023h,03dh +DB 0eeh,04ch,095h,00bh,042h,0fah,0c3h,04eh +DB 008h,02eh,0a1h,066h,028h,0d9h,024h,0b2h +DB 076h,05bh,0a2h,049h,06dh,08bh,0d1h,025h +DB 072h,0f8h,0f6h,064h,086h,068h,098h,016h +DB 0d4h,0a4h,05ch,0cch,05dh,065h,0b6h,092h +DB 06ch,070h,048h,050h,0fdh,0edh,0b9h,0dah +DB 05eh,015h,046h,057h,0a7h,08dh,09dh,084h +DB 090h,0d8h,0abh,000h,08ch,0bch,0d3h,00ah +DB 0f7h,0e4h,058h,005h,0b8h,0b3h,045h,006h +DB 0d0h,02ch,01eh,08fh,0cah,03fh,00fh,002h +DB 0c1h,0afh,0bdh,003h,001h,013h,08ah,06bh +DB 03ah,091h,011h,041h,04fh,067h,0dch,0eah +DB 097h,0f2h,0cfh,0ceh,0f0h,0b4h,0e6h,073h +DB 096h,0ach,074h,022h,0e7h,0adh,035h,085h +DB 
0e2h,0f9h,037h,0e8h,01ch,075h,0dfh,06eh +DB 047h,0f1h,01ah,071h,01dh,029h,0c5h,089h +DB 06fh,0b7h,062h,00eh,0aah,018h,0beh,01bh +DB 0fch,056h,03eh,04bh,0c6h,0d2h,079h,020h +DB 09ah,0dbh,0c0h,0feh,078h,0cdh,05ah,0f4h +DB 01fh,0ddh,0a8h,033h,088h,007h,0c7h,031h +DB 0b1h,012h,010h,059h,027h,080h,0ech,05fh +DB 060h,051h,07fh,0a9h,019h,0b5h,04ah,00dh +DB 02dh,0e5h,07ah,09fh,093h,0c9h,09ch,0efh +DB 0a0h,0e0h,03bh,04dh,0aeh,02ah,0f5h,0b0h +DB 0c8h,0ebh,0bbh,03ch,083h,053h,099h,061h +DB 017h,02bh,004h,07eh,0bah,077h,0d6h,026h +DB 0e1h,069h,014h,063h,055h,021h,00ch,07dh + DD 080808080h,080808080h,0fefefefeh,0fefefefeh + DD 01b1b1b1bh,01b1b1b1bh,0,0 +DB 052h,009h,06ah,0d5h,030h,036h,0a5h,038h +DB 0bfh,040h,0a3h,09eh,081h,0f3h,0d7h,0fbh +DB 07ch,0e3h,039h,082h,09bh,02fh,0ffh,087h +DB 034h,08eh,043h,044h,0c4h,0deh,0e9h,0cbh +DB 054h,07bh,094h,032h,0a6h,0c2h,023h,03dh +DB 0eeh,04ch,095h,00bh,042h,0fah,0c3h,04eh +DB 008h,02eh,0a1h,066h,028h,0d9h,024h,0b2h +DB 076h,05bh,0a2h,049h,06dh,08bh,0d1h,025h +DB 072h,0f8h,0f6h,064h,086h,068h,098h,016h +DB 0d4h,0a4h,05ch,0cch,05dh,065h,0b6h,092h +DB 06ch,070h,048h,050h,0fdh,0edh,0b9h,0dah +DB 05eh,015h,046h,057h,0a7h,08dh,09dh,084h +DB 090h,0d8h,0abh,000h,08ch,0bch,0d3h,00ah +DB 0f7h,0e4h,058h,005h,0b8h,0b3h,045h,006h +DB 0d0h,02ch,01eh,08fh,0cah,03fh,00fh,002h +DB 0c1h,0afh,0bdh,003h,001h,013h,08ah,06bh +DB 03ah,091h,011h,041h,04fh,067h,0dch,0eah +DB 097h,0f2h,0cfh,0ceh,0f0h,0b4h,0e6h,073h +DB 096h,0ach,074h,022h,0e7h,0adh,035h,085h +DB 0e2h,0f9h,037h,0e8h,01ch,075h,0dfh,06eh +DB 047h,0f1h,01ah,071h,01dh,029h,0c5h,089h +DB 06fh,0b7h,062h,00eh,0aah,018h,0beh,01bh +DB 0fch,056h,03eh,04bh,0c6h,0d2h,079h,020h +DB 09ah,0dbh,0c0h,0feh,078h,0cdh,05ah,0f4h +DB 01fh,0ddh,0a8h,033h,088h,007h,0c7h,031h +DB 0b1h,012h,010h,059h,027h,080h,0ech,05fh +DB 060h,051h,07fh,0a9h,019h,0b5h,04ah,00dh +DB 02dh,0e5h,07ah,09fh,093h,0c9h,09ch,0efh +DB 0a0h,0e0h,03bh,04dh,0aeh,02ah,0f5h,0b0h +DB 0c8h,0ebh,0bbh,03ch,083h,053h,099h,061h +DB 
017h,02bh,004h,07eh,0bah,077h,0d6h,026h +DB 0e1h,069h,014h,063h,055h,021h,00ch,07dh + DD 080808080h,080808080h,0fefefefeh,0fefefefeh + DD 01b1b1b1bh,01b1b1b1bh,0,0 +DB 052h,009h,06ah,0d5h,030h,036h,0a5h,038h +DB 0bfh,040h,0a3h,09eh,081h,0f3h,0d7h,0fbh +DB 07ch,0e3h,039h,082h,09bh,02fh,0ffh,087h +DB 034h,08eh,043h,044h,0c4h,0deh,0e9h,0cbh +DB 054h,07bh,094h,032h,0a6h,0c2h,023h,03dh +DB 0eeh,04ch,095h,00bh,042h,0fah,0c3h,04eh +DB 008h,02eh,0a1h,066h,028h,0d9h,024h,0b2h +DB 076h,05bh,0a2h,049h,06dh,08bh,0d1h,025h +DB 072h,0f8h,0f6h,064h,086h,068h,098h,016h +DB 0d4h,0a4h,05ch,0cch,05dh,065h,0b6h,092h +DB 06ch,070h,048h,050h,0fdh,0edh,0b9h,0dah +DB 05eh,015h,046h,057h,0a7h,08dh,09dh,084h +DB 090h,0d8h,0abh,000h,08ch,0bch,0d3h,00ah +DB 0f7h,0e4h,058h,005h,0b8h,0b3h,045h,006h +DB 0d0h,02ch,01eh,08fh,0cah,03fh,00fh,002h +DB 0c1h,0afh,0bdh,003h,001h,013h,08ah,06bh +DB 03ah,091h,011h,041h,04fh,067h,0dch,0eah +DB 097h,0f2h,0cfh,0ceh,0f0h,0b4h,0e6h,073h +DB 096h,0ach,074h,022h,0e7h,0adh,035h,085h +DB 0e2h,0f9h,037h,0e8h,01ch,075h,0dfh,06eh +DB 047h,0f1h,01ah,071h,01dh,029h,0c5h,089h +DB 06fh,0b7h,062h,00eh,0aah,018h,0beh,01bh +DB 0fch,056h,03eh,04bh,0c6h,0d2h,079h,020h +DB 09ah,0dbh,0c0h,0feh,078h,0cdh,05ah,0f4h +DB 01fh,0ddh,0a8h,033h,088h,007h,0c7h,031h +DB 0b1h,012h,010h,059h,027h,080h,0ech,05fh +DB 060h,051h,07fh,0a9h,019h,0b5h,04ah,00dh +DB 02dh,0e5h,07ah,09fh,093h,0c9h,09ch,0efh +DB 0a0h,0e0h,03bh,04dh,0aeh,02ah,0f5h,0b0h +DB 0c8h,0ebh,0bbh,03ch,083h,053h,099h,061h +DB 017h,02bh,004h,07eh,0bah,077h,0d6h,026h +DB 0e1h,069h,014h,063h,055h,021h,00ch,07dh + DD 080808080h,080808080h,0fefefefeh,0fefefefeh + DD 01b1b1b1bh,01b1b1b1bh,0,0 +DB 65,69,83,32,102,111,114,32,120,56,54,95,54,52,44,32 +DB 67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97 +DB 112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103 +DB 62,0 +ALIGN 64 +EXTERN __imp_RtlVirtualUnwind:NEAR + +ALIGN 16 +block_se_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push 
r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[120+r8] + mov rbx,QWORD PTR[248+r8] + + mov rsi,QWORD PTR[8+r9] + mov r11,QWORD PTR[56+r9] + + mov r10d,DWORD PTR[r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jb $L$in_block_prologue + + mov rax,QWORD PTR[152+r8] + + mov r10d,DWORD PTR[4+r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jae $L$in_block_prologue + + mov rax,QWORD PTR[24+rax] + lea rax,QWORD PTR[48+rax] + + mov rbx,QWORD PTR[((-8))+rax] + mov rbp,QWORD PTR[((-16))+rax] + mov r12,QWORD PTR[((-24))+rax] + mov r13,QWORD PTR[((-32))+rax] + mov r14,QWORD PTR[((-40))+rax] + mov r15,QWORD PTR[((-48))+rax] + mov QWORD PTR[144+r8],rbx + mov QWORD PTR[160+r8],rbp + mov QWORD PTR[216+r8],r12 + mov QWORD PTR[224+r8],r13 + mov QWORD PTR[232+r8],r14 + mov QWORD PTR[240+r8],r15 + +$L$in_block_prologue:: + mov rdi,QWORD PTR[8+rax] + mov rsi,QWORD PTR[16+rax] + mov QWORD PTR[152+r8],rax + mov QWORD PTR[168+r8],rsi + mov QWORD PTR[176+r8],rdi + + jmp $L$common_seh_exit +block_se_handler ENDP + + +ALIGN 16 +key_se_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[120+r8] + mov rbx,QWORD PTR[248+r8] + + mov rsi,QWORD PTR[8+r9] + mov r11,QWORD PTR[56+r9] + + mov r10d,DWORD PTR[r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jb $L$in_key_prologue + + mov rax,QWORD PTR[152+r8] + + mov r10d,DWORD PTR[4+r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jae $L$in_key_prologue + + lea rax,QWORD PTR[56+rax] + + mov rbx,QWORD PTR[((-8))+rax] + mov rbp,QWORD PTR[((-16))+rax] + mov r12,QWORD PTR[((-24))+rax] + mov r13,QWORD PTR[((-32))+rax] + mov r14,QWORD PTR[((-40))+rax] + mov r15,QWORD PTR[((-48))+rax] + mov QWORD PTR[144+r8],rbx + mov QWORD PTR[160+r8],rbp + mov QWORD PTR[216+r8],r12 + mov QWORD PTR[224+r8],r13 + mov QWORD PTR[232+r8],r14 + mov QWORD PTR[240+r8],r15 + +$L$in_key_prologue:: + mov rdi,QWORD PTR[8+rax] + mov rsi,QWORD PTR[16+rax] + mov 
QWORD PTR[152+r8],rax + mov QWORD PTR[168+r8],rsi + mov QWORD PTR[176+r8],rdi + + jmp $L$common_seh_exit +key_se_handler ENDP + + +ALIGN 16 +cbc_se_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[120+r8] + mov rbx,QWORD PTR[248+r8] + + lea r10,QWORD PTR[$L$cbc_prologue] + cmp rbx,r10 + jb $L$in_cbc_prologue + + lea r10,QWORD PTR[$L$cbc_fast_body] + cmp rbx,r10 + jb $L$in_cbc_frame_setup + + lea r10,QWORD PTR[$L$cbc_slow_prologue] + cmp rbx,r10 + jb $L$in_cbc_body + + lea r10,QWORD PTR[$L$cbc_slow_body] + cmp rbx,r10 + jb $L$in_cbc_frame_setup + +$L$in_cbc_body:: + mov rax,QWORD PTR[152+r8] + + lea r10,QWORD PTR[$L$cbc_epilogue] + cmp rbx,r10 + jae $L$in_cbc_prologue + + lea rax,QWORD PTR[8+rax] + + lea r10,QWORD PTR[$L$cbc_popfq] + cmp rbx,r10 + jae $L$in_cbc_prologue + + mov rax,QWORD PTR[8+rax] + lea rax,QWORD PTR[56+rax] + +$L$in_cbc_frame_setup:: + mov rbx,QWORD PTR[((-16))+rax] + mov rbp,QWORD PTR[((-24))+rax] + mov r12,QWORD PTR[((-32))+rax] + mov r13,QWORD PTR[((-40))+rax] + mov r14,QWORD PTR[((-48))+rax] + mov r15,QWORD PTR[((-56))+rax] + mov QWORD PTR[144+r8],rbx + mov QWORD PTR[160+r8],rbp + mov QWORD PTR[216+r8],r12 + mov QWORD PTR[224+r8],r13 + mov QWORD PTR[232+r8],r14 + mov QWORD PTR[240+r8],r15 + +$L$in_cbc_prologue:: + mov rdi,QWORD PTR[8+rax] + mov rsi,QWORD PTR[16+rax] + mov QWORD PTR[152+r8],rax + mov QWORD PTR[168+r8],rsi + mov QWORD PTR[176+r8],rdi + +$L$common_seh_exit:: + + mov rdi,QWORD PTR[40+r9] + mov rsi,r8 + mov ecx,154 + DD 0a548f3fch + + mov rsi,r9 + xor rcx,rcx + mov rdx,QWORD PTR[8+rsi] + mov r8,QWORD PTR[rsi] + mov r9,QWORD PTR[16+rsi] + mov r10,QWORD PTR[40+rsi] + lea r11,QWORD PTR[56+rsi] + lea r12,QWORD PTR[24+rsi] + mov QWORD PTR[32+rsp],r10 + mov QWORD PTR[40+rsp],r11 + mov QWORD PTR[48+rsp],r12 + mov QWORD PTR[56+rsp],rcx + call QWORD PTR[__imp_RtlVirtualUnwind] + + mov eax,1 + add rsp,64 + popfq + pop r15 + pop r14 + pop 
r13 + pop r12 + pop rbp + pop rbx + pop rdi + pop rsi + DB 0F3h,0C3h ;repret +cbc_se_handler ENDP + +.text$ ENDS +.pdata SEGMENT READONLY ALIGN(4) +ALIGN 4 + DD imagerel $L$SEH_begin_AES_encrypt + DD imagerel $L$SEH_end_AES_encrypt + DD imagerel $L$SEH_info_AES_encrypt + + DD imagerel $L$SEH_begin_AES_decrypt + DD imagerel $L$SEH_end_AES_decrypt + DD imagerel $L$SEH_info_AES_decrypt + + DD imagerel $L$SEH_begin_AES_set_encrypt_key + DD imagerel $L$SEH_end_AES_set_encrypt_key + DD imagerel $L$SEH_info_AES_set_encrypt_key + + DD imagerel $L$SEH_begin_AES_set_decrypt_key + DD imagerel $L$SEH_end_AES_set_decrypt_key + DD imagerel $L$SEH_info_AES_set_decrypt_key + + DD imagerel $L$SEH_begin_AES_cbc_encrypt + DD imagerel $L$SEH_end_AES_cbc_encrypt + DD imagerel $L$SEH_info_AES_cbc_encrypt + +.pdata ENDS +.xdata SEGMENT READONLY ALIGN(8) +ALIGN 8 +$L$SEH_info_AES_encrypt:: +DB 9,0,0,0 + DD imagerel block_se_handler + DD imagerel $L$enc_prologue,imagerel $L$enc_epilogue +$L$SEH_info_AES_decrypt:: +DB 9,0,0,0 + DD imagerel block_se_handler + DD imagerel $L$dec_prologue,imagerel $L$dec_epilogue +$L$SEH_info_AES_set_encrypt_key:: +DB 9,0,0,0 + DD imagerel key_se_handler + DD imagerel $L$enc_key_prologue,imagerel $L$enc_key_epilogue +$L$SEH_info_AES_set_decrypt_key:: +DB 9,0,0,0 + DD imagerel key_se_handler + DD imagerel $L$dec_key_prologue,imagerel $L$dec_key_epilogue +$L$SEH_info_AES_cbc_encrypt:: +DB 9,0,0,0 + DD imagerel cbc_se_handler + +.xdata ENDS +END + diff --git a/crypto/aes/aes-mingw64-x86_64.S b/crypto/aes/aes-mingw64-x86_64.S new file mode 100644 index 0000000..ca2d60f --- /dev/null +++ b/crypto/aes/aes-mingw64-x86_64.S 
@@ -0,0 +1,2861 @@ +#include "x86_arch.h" + +.text +.def _x86_64_AES_encrypt; .scl 3; .type 32; .endef +.p2align 4 +_x86_64_AES_encrypt: + xorl 0(%r15),%eax + xorl 4(%r15),%ebx + xorl 8(%r15),%ecx + xorl 12(%r15),%edx + + movl 240(%r15),%r13d + subl $1,%r13d + jmp .Lenc_loop +.p2align 4 +.Lenc_loop: + + movzbl %al,%esi + movzbl %bl,%edi + movzbl %cl,%ebp + movl 0(%r14,%rsi,8),%r10d + movl 0(%r14,%rdi,8),%r11d + movl 0(%r14,%rbp,8),%r12d + + movzbl %bh,%esi + movzbl %ch,%edi + movzbl %dl,%ebp + xorl 3(%r14,%rsi,8),%r10d + xorl 3(%r14,%rdi,8),%r11d + movl 0(%r14,%rbp,8),%r8d + + movzbl %dh,%esi + shrl $16,%ecx + movzbl %ah,%ebp + xorl 3(%r14,%rsi,8),%r12d + shrl $16,%edx + xorl 3(%r14,%rbp,8),%r8d + + shrl $16,%ebx + leaq 16(%r15),%r15 + shrl $16,%eax + + movzbl %cl,%esi + movzbl %dl,%edi + movzbl %al,%ebp + xorl 2(%r14,%rsi,8),%r10d + xorl 2(%r14,%rdi,8),%r11d + xorl 2(%r14,%rbp,8),%r12d + + movzbl %dh,%esi + movzbl %ah,%edi + movzbl %bl,%ebp + xorl 1(%r14,%rsi,8),%r10d + xorl 1(%r14,%rdi,8),%r11d + xorl 2(%r14,%rbp,8),%r8d + + movl 12(%r15),%edx + movzbl %bh,%edi + movzbl %ch,%ebp + movl 0(%r15),%eax + xorl 1(%r14,%rdi,8),%r12d + xorl 1(%r14,%rbp,8),%r8d + + movl 4(%r15),%ebx + movl 8(%r15),%ecx + xorl %r10d,%eax + xorl %r11d,%ebx + xorl %r12d,%ecx + xorl %r8d,%edx + subl $1,%r13d + jnz .Lenc_loop + movzbl %al,%esi + movzbl %bl,%edi + movzbl %cl,%ebp + movzbl 2(%r14,%rsi,8),%r10d + movzbl 2(%r14,%rdi,8),%r11d + movzbl 2(%r14,%rbp,8),%r12d + + movzbl %dl,%esi + movzbl %bh,%edi + movzbl %ch,%ebp + movzbl 2(%r14,%rsi,8),%r8d + movl 0(%r14,%rdi,8),%edi + movl 0(%r14,%rbp,8),%ebp + + andl $65280,%edi + andl $65280,%ebp + + xorl %edi,%r10d + xorl %ebp,%r11d + shrl $16,%ecx + + movzbl %dh,%esi + movzbl %ah,%edi + shrl $16,%edx + movl 0(%r14,%rsi,8),%esi + movl 0(%r14,%rdi,8),%edi + + andl $65280,%esi + andl $65280,%edi + shrl $16,%ebx + xorl %esi,%r12d + xorl %edi,%r8d + shrl $16,%eax + + movzbl %cl,%esi + movzbl %dl,%edi + movzbl %al,%ebp + movl 0(%r14,%rsi,8),%esi + 
movl 0(%r14,%rdi,8),%edi + movl 0(%r14,%rbp,8),%ebp + + andl $16711680,%esi + andl $16711680,%edi + andl $16711680,%ebp + + xorl %esi,%r10d + xorl %edi,%r11d + xorl %ebp,%r12d + + movzbl %bl,%esi + movzbl %dh,%edi + movzbl %ah,%ebp + movl 0(%r14,%rsi,8),%esi + movl 2(%r14,%rdi,8),%edi + movl 2(%r14,%rbp,8),%ebp + + andl $16711680,%esi + andl $4278190080,%edi + andl $4278190080,%ebp + + xorl %esi,%r8d + xorl %edi,%r10d + xorl %ebp,%r11d + + movzbl %bh,%esi + movzbl %ch,%edi + movl 16+12(%r15),%edx + movl 2(%r14,%rsi,8),%esi + movl 2(%r14,%rdi,8),%edi + movl 16+0(%r15),%eax + + andl $4278190080,%esi + andl $4278190080,%edi + + xorl %esi,%r12d + xorl %edi,%r8d + + movl 16+4(%r15),%ebx + movl 16+8(%r15),%ecx + xorl %r10d,%eax + xorl %r11d,%ebx + xorl %r12d,%ecx + xorl %r8d,%edx + retq + +.def _x86_64_AES_encrypt_compact; .scl 3; .type 32; .endef +.p2align 4 +_x86_64_AES_encrypt_compact: + leaq 128(%r14),%r8 + movl 0-128(%r8),%edi + movl 32-128(%r8),%ebp + movl 64-128(%r8),%r10d + movl 96-128(%r8),%r11d + movl 128-128(%r8),%edi + movl 160-128(%r8),%ebp + movl 192-128(%r8),%r10d + movl 224-128(%r8),%r11d + jmp .Lenc_loop_compact +.p2align 4 +.Lenc_loop_compact: + xorl 0(%r15),%eax + xorl 4(%r15),%ebx + xorl 8(%r15),%ecx + xorl 12(%r15),%edx + leaq 16(%r15),%r15 + movzbl %al,%r10d + movzbl %bl,%r11d + movzbl %cl,%r12d + movzbl (%r14,%r10,1),%r10d + movzbl (%r14,%r11,1),%r11d + movzbl (%r14,%r12,1),%r12d + + movzbl %dl,%r8d + movzbl %bh,%esi + movzbl %ch,%edi + movzbl (%r14,%r8,1),%r8d + movzbl (%r14,%rsi,1),%r9d + movzbl (%r14,%rdi,1),%r13d + + movzbl %dh,%ebp + movzbl %ah,%esi + shrl $16,%ecx + movzbl (%r14,%rbp,1),%ebp + movzbl (%r14,%rsi,1),%esi + shrl $16,%edx + + movzbl %cl,%edi + shll $8,%r9d + shll $8,%r13d + movzbl (%r14,%rdi,1),%edi + xorl %r9d,%r10d + xorl %r13d,%r11d + + movzbl %dl,%r9d + shrl $16,%eax + shrl $16,%ebx + movzbl %al,%r13d + shll $8,%ebp + shll $8,%esi + movzbl (%r14,%r9,1),%r9d + movzbl (%r14,%r13,1),%r13d + xorl %ebp,%r12d + xorl %esi,%r8d + + 
movzbl %bl,%ebp + movzbl %dh,%esi + shll $16,%edi + movzbl (%r14,%rbp,1),%ebp + movzbl (%r14,%rsi,1),%esi + xorl %edi,%r10d + + movzbl %ah,%edi + shrl $8,%ecx + shrl $8,%ebx + movzbl (%r14,%rdi,1),%edi + movzbl (%r14,%rcx,1),%edx + movzbl (%r14,%rbx,1),%ecx + shll $16,%r9d + shll $16,%r13d + shll $16,%ebp + xorl %r9d,%r11d + xorl %r13d,%r12d + xorl %ebp,%r8d + + shll $24,%esi + shll $24,%edi + shll $24,%edx + xorl %esi,%r10d + shll $24,%ecx + xorl %edi,%r11d + movl %r10d,%eax + movl %r11d,%ebx + xorl %r12d,%ecx + xorl %r8d,%edx + cmpq 16(%rsp),%r15 + je .Lenc_compact_done + movl %eax,%esi + movl %ebx,%edi + andl $2155905152,%esi + andl $2155905152,%edi + movl %esi,%r10d + movl %edi,%r11d + shrl $7,%r10d + leal (%rax,%rax,1),%r8d + shrl $7,%r11d + leal (%rbx,%rbx,1),%r9d + subl %r10d,%esi + subl %r11d,%edi + andl $4278124286,%r8d + andl $4278124286,%r9d + andl $454761243,%esi + andl $454761243,%edi + movl %eax,%r10d + movl %ebx,%r11d + xorl %esi,%r8d + xorl %edi,%r9d + + xorl %r8d,%eax + xorl %r9d,%ebx + movl %ecx,%esi + movl %edx,%edi + roll $24,%eax + roll $24,%ebx + andl $2155905152,%esi + andl $2155905152,%edi + xorl %r8d,%eax + xorl %r9d,%ebx + movl %esi,%r12d + movl %edi,%ebp + rorl $16,%r10d + rorl $16,%r11d + shrl $7,%r12d + leal (%rcx,%rcx,1),%r8d + xorl %r10d,%eax + xorl %r11d,%ebx + shrl $7,%ebp + leal (%rdx,%rdx,1),%r9d + rorl $8,%r10d + rorl $8,%r11d + subl %r12d,%esi + subl %ebp,%edi + xorl %r10d,%eax + xorl %r11d,%ebx + + andl $4278124286,%r8d + andl $4278124286,%r9d + andl $454761243,%esi + andl $454761243,%edi + movl %ecx,%r12d + movl %edx,%ebp + xorl %esi,%r8d + xorl %edi,%r9d + + xorl %r8d,%ecx + xorl %r9d,%edx + roll $24,%ecx + roll $24,%edx + xorl %r8d,%ecx + xorl %r9d,%edx + movl 0(%r14),%esi + rorl $16,%r12d + rorl $16,%ebp + movl 64(%r14),%edi + xorl %r12d,%ecx + xorl %ebp,%edx + movl 128(%r14),%r8d + rorl $8,%r12d + rorl $8,%ebp + movl 192(%r14),%r9d + xorl %r12d,%ecx + xorl %ebp,%edx + jmp .Lenc_loop_compact +.p2align 4 +.Lenc_compact_done: 
+ xorl 0(%r15),%eax + xorl 4(%r15),%ebx + xorl 8(%r15),%ecx + xorl 12(%r15),%edx + retq + +.globl AES_encrypt +.def AES_encrypt; .scl 2; .type 32; .endef +.p2align 4 +.globl asm_AES_encrypt + +asm_AES_encrypt: +AES_encrypt: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_AES_encrypt: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + + + movq %rsp,%r10 + leaq -63(%rdx),%rcx + andq $-64,%rsp + subq %rsp,%rcx + negq %rcx + andq $960,%rcx + subq %rcx,%rsp + subq $32,%rsp + + movq %rsi,16(%rsp) + movq %r10,24(%rsp) +.Lenc_prologue: + + movq %rdx,%r15 + movl 240(%r15),%r13d + + movl 0(%rdi),%eax + movl 4(%rdi),%ebx + movl 8(%rdi),%ecx + movl 12(%rdi),%edx + + shll $4,%r13d + leaq (%r15,%r13,1),%rbp + movq %r15,(%rsp) + movq %rbp,8(%rsp) + + + leaq .LAES_Te+2048(%rip),%r14 + leaq 768(%rsp),%rbp + subq %r14,%rbp + andq $768,%rbp + leaq (%r14,%rbp,1),%r14 + + call _x86_64_AES_encrypt_compact + + movq 16(%rsp),%r9 + movq 24(%rsp),%rsi + movl %eax,0(%r9) + movl %ebx,4(%r9) + movl %ecx,8(%r9) + movl %edx,12(%r9) + + movq (%rsi),%r15 + movq 8(%rsi),%r14 + movq 16(%rsi),%r13 + movq 24(%rsi),%r12 + movq 32(%rsi),%rbp + movq 40(%rsi),%rbx + leaq 48(%rsi),%rsp +.Lenc_epilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_AES_encrypt: +.def _x86_64_AES_decrypt; .scl 3; .type 32; .endef +.p2align 4 +_x86_64_AES_decrypt: + xorl 0(%r15),%eax + xorl 4(%r15),%ebx + xorl 8(%r15),%ecx + xorl 12(%r15),%edx + + movl 240(%r15),%r13d + subl $1,%r13d + jmp .Ldec_loop +.p2align 4 +.Ldec_loop: + + movzbl %al,%esi + movzbl %bl,%edi + movzbl %cl,%ebp + movl 0(%r14,%rsi,8),%r10d + movl 0(%r14,%rdi,8),%r11d + movl 0(%r14,%rbp,8),%r12d + + movzbl %dh,%esi + movzbl %ah,%edi + movzbl %dl,%ebp + xorl 3(%r14,%rsi,8),%r10d + xorl 3(%r14,%rdi,8),%r11d + movl 0(%r14,%rbp,8),%r8d + + movzbl %bh,%esi + shrl $16,%eax + movzbl %ch,%ebp + xorl 3(%r14,%rsi,8),%r12d + shrl $16,%edx + xorl 
3(%r14,%rbp,8),%r8d + + shrl $16,%ebx + leaq 16(%r15),%r15 + shrl $16,%ecx + + movzbl %cl,%esi + movzbl %dl,%edi + movzbl %al,%ebp + xorl 2(%r14,%rsi,8),%r10d + xorl 2(%r14,%rdi,8),%r11d + xorl 2(%r14,%rbp,8),%r12d + + movzbl %bh,%esi + movzbl %ch,%edi + movzbl %bl,%ebp + xorl 1(%r14,%rsi,8),%r10d + xorl 1(%r14,%rdi,8),%r11d + xorl 2(%r14,%rbp,8),%r8d + + movzbl %dh,%esi + movl 12(%r15),%edx + movzbl %ah,%ebp + xorl 1(%r14,%rsi,8),%r12d + movl 0(%r15),%eax + xorl 1(%r14,%rbp,8),%r8d + + xorl %r10d,%eax + movl 4(%r15),%ebx + movl 8(%r15),%ecx + xorl %r12d,%ecx + xorl %r11d,%ebx + xorl %r8d,%edx + subl $1,%r13d + jnz .Ldec_loop + leaq 2048(%r14),%r14 + movzbl %al,%esi + movzbl %bl,%edi + movzbl %cl,%ebp + movzbl (%r14,%rsi,1),%r10d + movzbl (%r14,%rdi,1),%r11d + movzbl (%r14,%rbp,1),%r12d + + movzbl %dl,%esi + movzbl %dh,%edi + movzbl %ah,%ebp + movzbl (%r14,%rsi,1),%r8d + movzbl (%r14,%rdi,1),%edi + movzbl (%r14,%rbp,1),%ebp + + shll $8,%edi + shll $8,%ebp + + xorl %edi,%r10d + xorl %ebp,%r11d + shrl $16,%edx + + movzbl %bh,%esi + movzbl %ch,%edi + shrl $16,%eax + movzbl (%r14,%rsi,1),%esi + movzbl (%r14,%rdi,1),%edi + + shll $8,%esi + shll $8,%edi + shrl $16,%ebx + xorl %esi,%r12d + xorl %edi,%r8d + shrl $16,%ecx + + movzbl %cl,%esi + movzbl %dl,%edi + movzbl %al,%ebp + movzbl (%r14,%rsi,1),%esi + movzbl (%r14,%rdi,1),%edi + movzbl (%r14,%rbp,1),%ebp + + shll $16,%esi + shll $16,%edi + shll $16,%ebp + + xorl %esi,%r10d + xorl %edi,%r11d + xorl %ebp,%r12d + + movzbl %bl,%esi + movzbl %bh,%edi + movzbl %ch,%ebp + movzbl (%r14,%rsi,1),%esi + movzbl (%r14,%rdi,1),%edi + movzbl (%r14,%rbp,1),%ebp + + shll $16,%esi + shll $24,%edi + shll $24,%ebp + + xorl %esi,%r8d + xorl %edi,%r10d + xorl %ebp,%r11d + + movzbl %dh,%esi + movzbl %ah,%edi + movl 16+12(%r15),%edx + movzbl (%r14,%rsi,1),%esi + movzbl (%r14,%rdi,1),%edi + movl 16+0(%r15),%eax + + shll $24,%esi + shll $24,%edi + + xorl %esi,%r12d + xorl %edi,%r8d + + movl 16+4(%r15),%ebx + movl 16+8(%r15),%ecx + leaq 
-2048(%r14),%r14 + xorl %r10d,%eax + xorl %r11d,%ebx + xorl %r12d,%ecx + xorl %r8d,%edx + retq + +.def _x86_64_AES_decrypt_compact; .scl 3; .type 32; .endef +.p2align 4 +_x86_64_AES_decrypt_compact: + leaq 128(%r14),%r8 + movl 0-128(%r8),%edi + movl 32-128(%r8),%ebp + movl 64-128(%r8),%r10d + movl 96-128(%r8),%r11d + movl 128-128(%r8),%edi + movl 160-128(%r8),%ebp + movl 192-128(%r8),%r10d + movl 224-128(%r8),%r11d + jmp .Ldec_loop_compact + +.p2align 4 +.Ldec_loop_compact: + xorl 0(%r15),%eax + xorl 4(%r15),%ebx + xorl 8(%r15),%ecx + xorl 12(%r15),%edx + leaq 16(%r15),%r15 + movzbl %al,%r10d + movzbl %bl,%r11d + movzbl %cl,%r12d + movzbl (%r14,%r10,1),%r10d + movzbl (%r14,%r11,1),%r11d + movzbl (%r14,%r12,1),%r12d + + movzbl %dl,%r8d + movzbl %dh,%esi + movzbl %ah,%edi + movzbl (%r14,%r8,1),%r8d + movzbl (%r14,%rsi,1),%r9d + movzbl (%r14,%rdi,1),%r13d + + movzbl %bh,%ebp + movzbl %ch,%esi + shrl $16,%ecx + movzbl (%r14,%rbp,1),%ebp + movzbl (%r14,%rsi,1),%esi + shrl $16,%edx + + movzbl %cl,%edi + shll $8,%r9d + shll $8,%r13d + movzbl (%r14,%rdi,1),%edi + xorl %r9d,%r10d + xorl %r13d,%r11d + + movzbl %dl,%r9d + shrl $16,%eax + shrl $16,%ebx + movzbl %al,%r13d + shll $8,%ebp + shll $8,%esi + movzbl (%r14,%r9,1),%r9d + movzbl (%r14,%r13,1),%r13d + xorl %ebp,%r12d + xorl %esi,%r8d + + movzbl %bl,%ebp + movzbl %bh,%esi + shll $16,%edi + movzbl (%r14,%rbp,1),%ebp + movzbl (%r14,%rsi,1),%esi + xorl %edi,%r10d + + movzbl %ch,%edi + shll $16,%r9d + shll $16,%r13d + movzbl (%r14,%rdi,1),%ebx + xorl %r9d,%r11d + xorl %r13d,%r12d + + movzbl %dh,%edi + shrl $8,%eax + shll $16,%ebp + movzbl (%r14,%rdi,1),%ecx + movzbl (%r14,%rax,1),%edx + xorl %ebp,%r8d + + shll $24,%esi + shll $24,%ebx + shll $24,%ecx + xorl %esi,%r10d + shll $24,%edx + xorl %r11d,%ebx + movl %r10d,%eax + xorl %r12d,%ecx + xorl %r8d,%edx + cmpq 16(%rsp),%r15 + je .Ldec_compact_done + + movq 256+0(%r14),%rsi + shlq $32,%rbx + shlq $32,%rdx + movq 256+8(%r14),%rdi + orq %rbx,%rax + orq %rdx,%rcx + movq 
256+16(%r14),%rbp + movq %rax,%rbx + movq %rcx,%rdx + andq %rsi,%rbx + andq %rsi,%rdx + movq %rbx,%r9 + movq %rdx,%r12 + shrq $7,%r9 + leaq (%rax,%rax,1),%r8 + shrq $7,%r12 + leaq (%rcx,%rcx,1),%r11 + subq %r9,%rbx + subq %r12,%rdx + andq %rdi,%r8 + andq %rdi,%r11 + andq %rbp,%rbx + andq %rbp,%rdx + xorq %r8,%rbx + xorq %r11,%rdx + movq %rbx,%r8 + movq %rdx,%r11 + + andq %rsi,%rbx + andq %rsi,%rdx + movq %rbx,%r10 + movq %rdx,%r13 + shrq $7,%r10 + leaq (%r8,%r8,1),%r9 + shrq $7,%r13 + leaq (%r11,%r11,1),%r12 + subq %r10,%rbx + subq %r13,%rdx + andq %rdi,%r9 + andq %rdi,%r12 + andq %rbp,%rbx + andq %rbp,%rdx + xorq %r9,%rbx + xorq %r12,%rdx + movq %rbx,%r9 + movq %rdx,%r12 + + andq %rsi,%rbx + andq %rsi,%rdx + movq %rbx,%r10 + movq %rdx,%r13 + shrq $7,%r10 + xorq %rax,%r8 + shrq $7,%r13 + xorq %rcx,%r11 + subq %r10,%rbx + subq %r13,%rdx + leaq (%r9,%r9,1),%r10 + leaq (%r12,%r12,1),%r13 + xorq %rax,%r9 + xorq %rcx,%r12 + andq %rdi,%r10 + andq %rdi,%r13 + andq %rbp,%rbx + andq %rbp,%rdx + xorq %rbx,%r10 + xorq %rdx,%r13 + + xorq %r10,%rax + xorq %r13,%rcx + xorq %r10,%r8 + xorq %r13,%r11 + movq %rax,%rbx + movq %rcx,%rdx + xorq %r10,%r9 + xorq %r13,%r12 + shrq $32,%rbx + shrq $32,%rdx + xorq %r8,%r10 + xorq %r11,%r13 + roll $8,%eax + roll $8,%ecx + xorq %r9,%r10 + xorq %r12,%r13 + + roll $8,%ebx + roll $8,%edx + xorl %r10d,%eax + xorl %r13d,%ecx + shrq $32,%r10 + shrq $32,%r13 + xorl %r10d,%ebx + xorl %r13d,%edx + + movq %r8,%r10 + movq %r11,%r13 + shrq $32,%r10 + shrq $32,%r13 + roll $24,%r8d + roll $24,%r11d + roll $24,%r10d + roll $24,%r13d + xorl %r8d,%eax + xorl %r11d,%ecx + movq %r9,%r8 + movq %r12,%r11 + xorl %r10d,%ebx + xorl %r13d,%edx + + movq 0(%r14),%rsi + shrq $32,%r8 + shrq $32,%r11 + movq 64(%r14),%rdi + roll $16,%r9d + roll $16,%r12d + movq 128(%r14),%rbp + roll $16,%r8d + roll $16,%r11d + movq 192(%r14),%r10 + xorl %r9d,%eax + xorl %r12d,%ecx + movq 256(%r14),%r13 + xorl %r8d,%ebx + xorl %r11d,%edx + jmp .Ldec_loop_compact +.p2align 4 
+.Ldec_compact_done: + xorl 0(%r15),%eax + xorl 4(%r15),%ebx + xorl 8(%r15),%ecx + xorl 12(%r15),%edx + retq + +.globl AES_decrypt +.def AES_decrypt; .scl 2; .type 32; .endef +.p2align 4 +.globl asm_AES_decrypt + +asm_AES_decrypt: +AES_decrypt: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_AES_decrypt: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + + + movq %rsp,%r10 + leaq -63(%rdx),%rcx + andq $-64,%rsp + subq %rsp,%rcx + negq %rcx + andq $960,%rcx + subq %rcx,%rsp + subq $32,%rsp + + movq %rsi,16(%rsp) + movq %r10,24(%rsp) +.Ldec_prologue: + + movq %rdx,%r15 + movl 240(%r15),%r13d + + movl 0(%rdi),%eax + movl 4(%rdi),%ebx + movl 8(%rdi),%ecx + movl 12(%rdi),%edx + + shll $4,%r13d + leaq (%r15,%r13,1),%rbp + movq %r15,(%rsp) + movq %rbp,8(%rsp) + + + leaq .LAES_Td+2048(%rip),%r14 + leaq 768(%rsp),%rbp + subq %r14,%rbp + andq $768,%rbp + leaq (%r14,%rbp,1),%r14 + shrq $3,%rbp + addq %rbp,%r14 + + call _x86_64_AES_decrypt_compact + + movq 16(%rsp),%r9 + movq 24(%rsp),%rsi + movl %eax,0(%r9) + movl %ebx,4(%r9) + movl %ecx,8(%r9) + movl %edx,12(%r9) + + movq (%rsi),%r15 + movq 8(%rsi),%r14 + movq 16(%rsi),%r13 + movq 24(%rsi),%r12 + movq 32(%rsi),%rbp + movq 40(%rsi),%rbx + leaq 48(%rsi),%rsp +.Ldec_epilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_AES_decrypt: +.globl AES_set_encrypt_key +.def AES_set_encrypt_key; .scl 2; .type 32; .endef +.p2align 4 +AES_set_encrypt_key: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_AES_set_encrypt_key: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + subq $8,%rsp +.Lenc_key_prologue: + + call _x86_64_AES_set_encrypt_key + + movq 8(%rsp),%r15 + movq 16(%rsp),%r14 + movq 24(%rsp),%r13 + movq 32(%rsp),%r12 + movq 40(%rsp),%rbp + movq 48(%rsp),%rbx + addq $56,%rsp +.Lenc_key_epilogue: + movq 
8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_AES_set_encrypt_key: + +.def _x86_64_AES_set_encrypt_key; .scl 3; .type 32; .endef +.p2align 4 +_x86_64_AES_set_encrypt_key: + movl %esi,%ecx + movq %rdi,%rsi + movq %rdx,%rdi + + testq $-1,%rsi + jz .Lbadpointer + testq $-1,%rdi + jz .Lbadpointer + + leaq .LAES_Te(%rip),%rbp + leaq 2048+128(%rbp),%rbp + + + movl 0-128(%rbp),%eax + movl 32-128(%rbp),%ebx + movl 64-128(%rbp),%r8d + movl 96-128(%rbp),%edx + movl 128-128(%rbp),%eax + movl 160-128(%rbp),%ebx + movl 192-128(%rbp),%r8d + movl 224-128(%rbp),%edx + + cmpl $128,%ecx + je .L10rounds + cmpl $192,%ecx + je .L12rounds + cmpl $256,%ecx + je .L14rounds + movq $-2,%rax + jmp .Lexit + +.L10rounds: + movq 0(%rsi),%rax + movq 8(%rsi),%rdx + movq %rax,0(%rdi) + movq %rdx,8(%rdi) + + shrq $32,%rdx + xorl %ecx,%ecx + jmp .L10shortcut +.p2align 2 +.L10loop: + movl 0(%rdi),%eax + movl 12(%rdi),%edx +.L10shortcut: + movzbl %dl,%esi + movzbl -128(%rbp,%rsi,1),%ebx + movzbl %dh,%esi + shll $24,%ebx + xorl %ebx,%eax + + movzbl -128(%rbp,%rsi,1),%ebx + shrl $16,%edx + movzbl %dl,%esi + xorl %ebx,%eax + + movzbl -128(%rbp,%rsi,1),%ebx + movzbl %dh,%esi + shll $8,%ebx + xorl %ebx,%eax + + movzbl -128(%rbp,%rsi,1),%ebx + shll $16,%ebx + xorl %ebx,%eax + + xorl 1024-128(%rbp,%rcx,4),%eax + movl %eax,16(%rdi) + xorl 4(%rdi),%eax + movl %eax,20(%rdi) + xorl 8(%rdi),%eax + movl %eax,24(%rdi) + xorl 12(%rdi),%eax + movl %eax,28(%rdi) + addl $1,%ecx + leaq 16(%rdi),%rdi + cmpl $10,%ecx + jl .L10loop + + movl $10,80(%rdi) + xorq %rax,%rax + jmp .Lexit + +.L12rounds: + movq 0(%rsi),%rax + movq 8(%rsi),%rbx + movq 16(%rsi),%rdx + movq %rax,0(%rdi) + movq %rbx,8(%rdi) + movq %rdx,16(%rdi) + + shrq $32,%rdx + xorl %ecx,%ecx + jmp .L12shortcut +.p2align 2 +.L12loop: + movl 0(%rdi),%eax + movl 20(%rdi),%edx +.L12shortcut: + movzbl %dl,%esi + movzbl -128(%rbp,%rsi,1),%ebx + movzbl %dh,%esi + shll $24,%ebx + xorl %ebx,%eax + + movzbl -128(%rbp,%rsi,1),%ebx + shrl $16,%edx + movzbl %dl,%esi + 
xorl %ebx,%eax + + movzbl -128(%rbp,%rsi,1),%ebx + movzbl %dh,%esi + shll $8,%ebx + xorl %ebx,%eax + + movzbl -128(%rbp,%rsi,1),%ebx + shll $16,%ebx + xorl %ebx,%eax + + xorl 1024-128(%rbp,%rcx,4),%eax + movl %eax,24(%rdi) + xorl 4(%rdi),%eax + movl %eax,28(%rdi) + xorl 8(%rdi),%eax + movl %eax,32(%rdi) + xorl 12(%rdi),%eax + movl %eax,36(%rdi) + + cmpl $7,%ecx + je .L12break + addl $1,%ecx + + xorl 16(%rdi),%eax + movl %eax,40(%rdi) + xorl 20(%rdi),%eax + movl %eax,44(%rdi) + + leaq 24(%rdi),%rdi + jmp .L12loop +.L12break: + movl $12,72(%rdi) + xorq %rax,%rax + jmp .Lexit + +.L14rounds: + movq 0(%rsi),%rax + movq 8(%rsi),%rbx + movq 16(%rsi),%rcx + movq 24(%rsi),%rdx + movq %rax,0(%rdi) + movq %rbx,8(%rdi) + movq %rcx,16(%rdi) + movq %rdx,24(%rdi) + + shrq $32,%rdx + xorl %ecx,%ecx + jmp .L14shortcut +.p2align 2 +.L14loop: + movl 0(%rdi),%eax + movl 28(%rdi),%edx +.L14shortcut: + movzbl %dl,%esi + movzbl -128(%rbp,%rsi,1),%ebx + movzbl %dh,%esi + shll $24,%ebx + xorl %ebx,%eax + + movzbl -128(%rbp,%rsi,1),%ebx + shrl $16,%edx + movzbl %dl,%esi + xorl %ebx,%eax + + movzbl -128(%rbp,%rsi,1),%ebx + movzbl %dh,%esi + shll $8,%ebx + xorl %ebx,%eax + + movzbl -128(%rbp,%rsi,1),%ebx + shll $16,%ebx + xorl %ebx,%eax + + xorl 1024-128(%rbp,%rcx,4),%eax + movl %eax,32(%rdi) + xorl 4(%rdi),%eax + movl %eax,36(%rdi) + xorl 8(%rdi),%eax + movl %eax,40(%rdi) + xorl 12(%rdi),%eax + movl %eax,44(%rdi) + + cmpl $6,%ecx + je .L14break + addl $1,%ecx + + movl %eax,%edx + movl 16(%rdi),%eax + movzbl %dl,%esi + movzbl -128(%rbp,%rsi,1),%ebx + movzbl %dh,%esi + xorl %ebx,%eax + + movzbl -128(%rbp,%rsi,1),%ebx + shrl $16,%edx + shll $8,%ebx + movzbl %dl,%esi + xorl %ebx,%eax + + movzbl -128(%rbp,%rsi,1),%ebx + movzbl %dh,%esi + shll $16,%ebx + xorl %ebx,%eax + + movzbl -128(%rbp,%rsi,1),%ebx + shll $24,%ebx + xorl %ebx,%eax + + movl %eax,48(%rdi) + xorl 20(%rdi),%eax + movl %eax,52(%rdi) + xorl 24(%rdi),%eax + movl %eax,56(%rdi) + xorl 28(%rdi),%eax + movl %eax,60(%rdi) + + leaq 
32(%rdi),%rdi + jmp .L14loop +.L14break: + movl $14,48(%rdi) + xorq %rax,%rax + jmp .Lexit + +.Lbadpointer: + movq $-1,%rax +.Lexit: + retq + +.globl AES_set_decrypt_key +.def AES_set_decrypt_key; .scl 2; .type 32; .endef +.p2align 4 +AES_set_decrypt_key: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_AES_set_decrypt_key: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushq %rdx +.Ldec_key_prologue: + + call _x86_64_AES_set_encrypt_key + movq (%rsp),%r8 + cmpl $0,%eax + jne .Labort + + movl 240(%r8),%r14d + xorq %rdi,%rdi + leaq (%rdi,%r14,4),%rcx + movq %r8,%rsi + leaq (%r8,%rcx,4),%rdi +.p2align 2 +.Linvert: + movq 0(%rsi),%rax + movq 8(%rsi),%rbx + movq 0(%rdi),%rcx + movq 8(%rdi),%rdx + movq %rax,0(%rdi) + movq %rbx,8(%rdi) + movq %rcx,0(%rsi) + movq %rdx,8(%rsi) + leaq 16(%rsi),%rsi + leaq -16(%rdi),%rdi + cmpq %rsi,%rdi + jne .Linvert + + leaq .LAES_Te+2048+1024(%rip),%rax + + movq 40(%rax),%rsi + movq 48(%rax),%rdi + movq 56(%rax),%rbp + + movq %r8,%r15 + subl $1,%r14d +.p2align 2 +.Lpermute: + leaq 16(%r15),%r15 + movq 0(%r15),%rax + movq 8(%r15),%rcx + movq %rax,%rbx + movq %rcx,%rdx + andq %rsi,%rbx + andq %rsi,%rdx + movq %rbx,%r9 + movq %rdx,%r12 + shrq $7,%r9 + leaq (%rax,%rax,1),%r8 + shrq $7,%r12 + leaq (%rcx,%rcx,1),%r11 + subq %r9,%rbx + subq %r12,%rdx + andq %rdi,%r8 + andq %rdi,%r11 + andq %rbp,%rbx + andq %rbp,%rdx + xorq %r8,%rbx + xorq %r11,%rdx + movq %rbx,%r8 + movq %rdx,%r11 + + andq %rsi,%rbx + andq %rsi,%rdx + movq %rbx,%r10 + movq %rdx,%r13 + shrq $7,%r10 + leaq (%r8,%r8,1),%r9 + shrq $7,%r13 + leaq (%r11,%r11,1),%r12 + subq %r10,%rbx + subq %r13,%rdx + andq %rdi,%r9 + andq %rdi,%r12 + andq %rbp,%rbx + andq %rbp,%rdx + xorq %r9,%rbx + xorq %r12,%rdx + movq %rbx,%r9 + movq %rdx,%r12 + + andq %rsi,%rbx + andq %rsi,%rdx + movq %rbx,%r10 + movq %rdx,%r13 + shrq $7,%r10 + xorq %rax,%r8 + shrq $7,%r13 + xorq %rcx,%r11 + subq %r10,%rbx + 
subq %r13,%rdx + leaq (%r9,%r9,1),%r10 + leaq (%r12,%r12,1),%r13 + xorq %rax,%r9 + xorq %rcx,%r12 + andq %rdi,%r10 + andq %rdi,%r13 + andq %rbp,%rbx + andq %rbp,%rdx + xorq %rbx,%r10 + xorq %rdx,%r13 + + xorq %r10,%rax + xorq %r13,%rcx + xorq %r10,%r8 + xorq %r13,%r11 + movq %rax,%rbx + movq %rcx,%rdx + xorq %r10,%r9 + xorq %r13,%r12 + shrq $32,%rbx + shrq $32,%rdx + xorq %r8,%r10 + xorq %r11,%r13 + roll $8,%eax + roll $8,%ecx + xorq %r9,%r10 + xorq %r12,%r13 + + roll $8,%ebx + roll $8,%edx + xorl %r10d,%eax + xorl %r13d,%ecx + shrq $32,%r10 + shrq $32,%r13 + xorl %r10d,%ebx + xorl %r13d,%edx + + movq %r8,%r10 + movq %r11,%r13 + shrq $32,%r10 + shrq $32,%r13 + roll $24,%r8d + roll $24,%r11d + roll $24,%r10d + roll $24,%r13d + xorl %r8d,%eax + xorl %r11d,%ecx + movq %r9,%r8 + movq %r12,%r11 + xorl %r10d,%ebx + xorl %r13d,%edx + + + shrq $32,%r8 + shrq $32,%r11 + + roll $16,%r9d + roll $16,%r12d + + roll $16,%r8d + roll $16,%r11d + + xorl %r9d,%eax + xorl %r12d,%ecx + + xorl %r8d,%ebx + xorl %r11d,%edx + movl %eax,0(%r15) + movl %ebx,4(%r15) + movl %ecx,8(%r15) + movl %edx,12(%r15) + subl $1,%r14d + jnz .Lpermute + + xorq %rax,%rax +.Labort: + movq 8(%rsp),%r15 + movq 16(%rsp),%r14 + movq 24(%rsp),%r13 + movq 32(%rsp),%r12 + movq 40(%rsp),%rbp + movq 48(%rsp),%rbx + addq $56,%rsp +.Ldec_key_epilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_AES_set_decrypt_key: +.globl AES_cbc_encrypt +.def AES_cbc_encrypt; .scl 2; .type 32; .endef +.p2align 4 + + +.globl asm_AES_cbc_encrypt + +asm_AES_cbc_encrypt: +AES_cbc_encrypt: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_AES_cbc_encrypt: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + movq 40(%rsp),%r8 + movq 48(%rsp),%r9 + + cmpq $0,%rdx + je .Lcbc_epilogue + pushfq + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 +.Lcbc_prologue: + + cld + movl %r9d,%r9d + + leaq .LAES_Te(%rip),%r14 + cmpq $0,%r9 + jne .Lcbc_picked_te + leaq 
.LAES_Td(%rip),%r14 +.Lcbc_picked_te: + + movl OPENSSL_ia32cap_P(%rip),%r10d + cmpq $512,%rdx + jb .Lcbc_slow_prologue + testq $15,%rdx + jnz .Lcbc_slow_prologue + btl $IA32CAP_BIT0_HT,%r10d + jc .Lcbc_slow_prologue + + + leaq -88-248(%rsp),%r15 + andq $-64,%r15 + + + movq %r14,%r10 + leaq 2304(%r14),%r11 + movq %r15,%r12 + andq $4095,%r10 + andq $4095,%r11 + andq $4095,%r12 + + cmpq %r11,%r12 + jb .Lcbc_te_break_out + subq %r11,%r12 + subq %r12,%r15 + jmp .Lcbc_te_ok +.Lcbc_te_break_out: + subq %r10,%r12 + andq $4095,%r12 + addq $320,%r12 + subq %r12,%r15 +.p2align 2 +.Lcbc_te_ok: + + xchgq %rsp,%r15 + + movq %r15,16(%rsp) +.Lcbc_fast_body: + movq %rdi,24(%rsp) + movq %rsi,32(%rsp) + movq %rdx,40(%rsp) + movq %rcx,48(%rsp) + movq %r8,56(%rsp) + movl $0,80+240(%rsp) + movq %r8,%rbp + movq %r9,%rbx + movq %rsi,%r9 + movq %rdi,%r8 + movq %rcx,%r15 + + movl 240(%r15),%eax + + movq %r15,%r10 + subq %r14,%r10 + andq $4095,%r10 + cmpq $2304,%r10 + jb .Lcbc_do_ecopy + cmpq $4096-248,%r10 + jb .Lcbc_skip_ecopy +.p2align 2 +.Lcbc_do_ecopy: + movq %r15,%rsi + leaq 80(%rsp),%rdi + leaq 80(%rsp),%r15 + movl $30,%ecx +.long 0x90A548F3 + movl %eax,(%rdi) +.Lcbc_skip_ecopy: + movq %r15,0(%rsp) + + movl $18,%ecx +.p2align 2 +.Lcbc_prefetch_te: + movq 0(%r14),%r10 + movq 32(%r14),%r11 + movq 64(%r14),%r12 + movq 96(%r14),%r13 + leaq 128(%r14),%r14 + subl $1,%ecx + jnz .Lcbc_prefetch_te + leaq -2304(%r14),%r14 + + cmpq $0,%rbx + je .LFAST_DECRYPT + + + movl 0(%rbp),%eax + movl 4(%rbp),%ebx + movl 8(%rbp),%ecx + movl 12(%rbp),%edx + +.p2align 2 +.Lcbc_fast_enc_loop: + xorl 0(%r8),%eax + xorl 4(%r8),%ebx + xorl 8(%r8),%ecx + xorl 12(%r8),%edx + movq 0(%rsp),%r15 + movq %r8,24(%rsp) + + call _x86_64_AES_encrypt + + movq 24(%rsp),%r8 + movq 40(%rsp),%r10 + movl %eax,0(%r9) + movl %ebx,4(%r9) + movl %ecx,8(%r9) + movl %edx,12(%r9) + + leaq 16(%r8),%r8 + leaq 16(%r9),%r9 + subq $16,%r10 + testq $-16,%r10 + movq %r10,40(%rsp) + jnz .Lcbc_fast_enc_loop + movq 56(%rsp),%rbp + movl 
%eax,0(%rbp) + movl %ebx,4(%rbp) + movl %ecx,8(%rbp) + movl %edx,12(%rbp) + + jmp .Lcbc_fast_cleanup + + +.p2align 4 +.LFAST_DECRYPT: + cmpq %r8,%r9 + je .Lcbc_fast_dec_in_place + + movq %rbp,64(%rsp) +.p2align 2 +.Lcbc_fast_dec_loop: + movl 0(%r8),%eax + movl 4(%r8),%ebx + movl 8(%r8),%ecx + movl 12(%r8),%edx + movq 0(%rsp),%r15 + movq %r8,24(%rsp) + + call _x86_64_AES_decrypt + + movq 64(%rsp),%rbp + movq 24(%rsp),%r8 + movq 40(%rsp),%r10 + xorl 0(%rbp),%eax + xorl 4(%rbp),%ebx + xorl 8(%rbp),%ecx + xorl 12(%rbp),%edx + movq %r8,%rbp + + subq $16,%r10 + movq %r10,40(%rsp) + movq %rbp,64(%rsp) + + movl %eax,0(%r9) + movl %ebx,4(%r9) + movl %ecx,8(%r9) + movl %edx,12(%r9) + + leaq 16(%r8),%r8 + leaq 16(%r9),%r9 + jnz .Lcbc_fast_dec_loop + movq 56(%rsp),%r12 + movq 0(%rbp),%r10 + movq 8(%rbp),%r11 + movq %r10,0(%r12) + movq %r11,8(%r12) + jmp .Lcbc_fast_cleanup + +.p2align 4 +.Lcbc_fast_dec_in_place: + movq 0(%rbp),%r10 + movq 8(%rbp),%r11 + movq %r10,0+64(%rsp) + movq %r11,8+64(%rsp) +.p2align 2 +.Lcbc_fast_dec_in_place_loop: + movl 0(%r8),%eax + movl 4(%r8),%ebx + movl 8(%r8),%ecx + movl 12(%r8),%edx + movq 0(%rsp),%r15 + movq %r8,24(%rsp) + + call _x86_64_AES_decrypt + + movq 24(%rsp),%r8 + movq 40(%rsp),%r10 + xorl 0+64(%rsp),%eax + xorl 4+64(%rsp),%ebx + xorl 8+64(%rsp),%ecx + xorl 12+64(%rsp),%edx + + movq 0(%r8),%r11 + movq 8(%r8),%r12 + subq $16,%r10 + jz .Lcbc_fast_dec_in_place_done + + movq %r11,0+64(%rsp) + movq %r12,8+64(%rsp) + + movl %eax,0(%r9) + movl %ebx,4(%r9) + movl %ecx,8(%r9) + movl %edx,12(%r9) + + leaq 16(%r8),%r8 + leaq 16(%r9),%r9 + movq %r10,40(%rsp) + jmp .Lcbc_fast_dec_in_place_loop +.Lcbc_fast_dec_in_place_done: + movq 56(%rsp),%rdi + movq %r11,0(%rdi) + movq %r12,8(%rdi) + + movl %eax,0(%r9) + movl %ebx,4(%r9) + movl %ecx,8(%r9) + movl %edx,12(%r9) + +.p2align 2 +.Lcbc_fast_cleanup: + cmpl $0,80+240(%rsp) + leaq 80(%rsp),%rdi + je .Lcbc_exit + movl $30,%ecx + xorq %rax,%rax +.long 0x90AB48F3 + + jmp .Lcbc_exit + + +.p2align 4 
+.Lcbc_slow_prologue: + + leaq -88(%rsp),%rbp + andq $-64,%rbp + + leaq -88-63(%rcx),%r10 + subq %rbp,%r10 + negq %r10 + andq $960,%r10 + subq %r10,%rbp + + xchgq %rsp,%rbp + + movq %rbp,16(%rsp) +.Lcbc_slow_body: + + + + + movq %r8,56(%rsp) + movq %r8,%rbp + movq %r9,%rbx + movq %rsi,%r9 + movq %rdi,%r8 + movq %rcx,%r15 + movq %rdx,%r10 + + movl 240(%r15),%eax + movq %r15,0(%rsp) + shll $4,%eax + leaq (%r15,%rax,1),%rax + movq %rax,8(%rsp) + + + leaq 2048(%r14),%r14 + leaq 768-8(%rsp),%rax + subq %r14,%rax + andq $768,%rax + leaq (%r14,%rax,1),%r14 + + cmpq $0,%rbx + je .LSLOW_DECRYPT + + + testq $-16,%r10 + movl 0(%rbp),%eax + movl 4(%rbp),%ebx + movl 8(%rbp),%ecx + movl 12(%rbp),%edx + jz .Lcbc_slow_enc_tail + +.p2align 2 +.Lcbc_slow_enc_loop: + xorl 0(%r8),%eax + xorl 4(%r8),%ebx + xorl 8(%r8),%ecx + xorl 12(%r8),%edx + movq 0(%rsp),%r15 + movq %r8,24(%rsp) + movq %r9,32(%rsp) + movq %r10,40(%rsp) + + call _x86_64_AES_encrypt_compact + + movq 24(%rsp),%r8 + movq 32(%rsp),%r9 + movq 40(%rsp),%r10 + movl %eax,0(%r9) + movl %ebx,4(%r9) + movl %ecx,8(%r9) + movl %edx,12(%r9) + + leaq 16(%r8),%r8 + leaq 16(%r9),%r9 + subq $16,%r10 + testq $-16,%r10 + jnz .Lcbc_slow_enc_loop + testq $15,%r10 + jnz .Lcbc_slow_enc_tail + movq 56(%rsp),%rbp + movl %eax,0(%rbp) + movl %ebx,4(%rbp) + movl %ecx,8(%rbp) + movl %edx,12(%rbp) + + jmp .Lcbc_exit + +.p2align 2 +.Lcbc_slow_enc_tail: + movq %rax,%r11 + movq %rcx,%r12 + movq %r10,%rcx + movq %r8,%rsi + movq %r9,%rdi +.long 0x9066A4F3 + movq $16,%rcx + subq %r10,%rcx + xorq %rax,%rax +.long 0x9066AAF3 + movq %r9,%r8 + movq $16,%r10 + movq %r11,%rax + movq %r12,%rcx + jmp .Lcbc_slow_enc_loop + +.p2align 4 +.LSLOW_DECRYPT: + shrq $3,%rax + addq %rax,%r14 + + movq 0(%rbp),%r11 + movq 8(%rbp),%r12 + movq %r11,0+64(%rsp) + movq %r12,8+64(%rsp) + +.p2align 2 +.Lcbc_slow_dec_loop: + movl 0(%r8),%eax + movl 4(%r8),%ebx + movl 8(%r8),%ecx + movl 12(%r8),%edx + movq 0(%rsp),%r15 + movq %r8,24(%rsp) + movq %r9,32(%rsp) + movq %r10,40(%rsp) + 
+ call _x86_64_AES_decrypt_compact + + movq 24(%rsp),%r8 + movq 32(%rsp),%r9 + movq 40(%rsp),%r10 + xorl 0+64(%rsp),%eax + xorl 4+64(%rsp),%ebx + xorl 8+64(%rsp),%ecx + xorl 12+64(%rsp),%edx + + movq 0(%r8),%r11 + movq 8(%r8),%r12 + subq $16,%r10 + jc .Lcbc_slow_dec_partial + jz .Lcbc_slow_dec_done + + movq %r11,0+64(%rsp) + movq %r12,8+64(%rsp) + + movl %eax,0(%r9) + movl %ebx,4(%r9) + movl %ecx,8(%r9) + movl %edx,12(%r9) + + leaq 16(%r8),%r8 + leaq 16(%r9),%r9 + jmp .Lcbc_slow_dec_loop +.Lcbc_slow_dec_done: + movq 56(%rsp),%rdi + movq %r11,0(%rdi) + movq %r12,8(%rdi) + + movl %eax,0(%r9) + movl %ebx,4(%r9) + movl %ecx,8(%r9) + movl %edx,12(%r9) + + jmp .Lcbc_exit + +.p2align 2 +.Lcbc_slow_dec_partial: + movq 56(%rsp),%rdi + movq %r11,0(%rdi) + movq %r12,8(%rdi) + + movl %eax,0+64(%rsp) + movl %ebx,4+64(%rsp) + movl %ecx,8+64(%rsp) + movl %edx,12+64(%rsp) + + movq %r9,%rdi + leaq 64(%rsp),%rsi + leaq 16(%r10),%rcx +.long 0x9066A4F3 + jmp .Lcbc_exit + +.p2align 4 +.Lcbc_exit: + movq 16(%rsp),%rsi + movq (%rsi),%r15 + movq 8(%rsi),%r14 + movq 16(%rsi),%r13 + movq 24(%rsi),%r12 + movq 32(%rsi),%rbp + movq 40(%rsi),%rbx + leaq 48(%rsi),%rsp +.Lcbc_popfq: + popfq +.Lcbc_epilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_AES_cbc_encrypt: +.p2align 6 +.LAES_Te: +.long 0xa56363c6,0xa56363c6 +.long 0x847c7cf8,0x847c7cf8 +.long 0x997777ee,0x997777ee +.long 0x8d7b7bf6,0x8d7b7bf6 +.long 0x0df2f2ff,0x0df2f2ff +.long 0xbd6b6bd6,0xbd6b6bd6 +.long 0xb16f6fde,0xb16f6fde +.long 0x54c5c591,0x54c5c591 +.long 0x50303060,0x50303060 +.long 0x03010102,0x03010102 +.long 0xa96767ce,0xa96767ce +.long 0x7d2b2b56,0x7d2b2b56 +.long 0x19fefee7,0x19fefee7 +.long 0x62d7d7b5,0x62d7d7b5 +.long 0xe6abab4d,0xe6abab4d +.long 0x9a7676ec,0x9a7676ec +.long 0x45caca8f,0x45caca8f +.long 0x9d82821f,0x9d82821f +.long 0x40c9c989,0x40c9c989 +.long 0x877d7dfa,0x877d7dfa +.long 0x15fafaef,0x15fafaef +.long 0xeb5959b2,0xeb5959b2 +.long 0xc947478e,0xc947478e +.long 0x0bf0f0fb,0x0bf0f0fb +.long 
0xecadad41,0xecadad41 +.long 0x67d4d4b3,0x67d4d4b3 +.long 0xfda2a25f,0xfda2a25f +.long 0xeaafaf45,0xeaafaf45 +.long 0xbf9c9c23,0xbf9c9c23 +.long 0xf7a4a453,0xf7a4a453 +.long 0x967272e4,0x967272e4 +.long 0x5bc0c09b,0x5bc0c09b +.long 0xc2b7b775,0xc2b7b775 +.long 0x1cfdfde1,0x1cfdfde1 +.long 0xae93933d,0xae93933d +.long 0x6a26264c,0x6a26264c +.long 0x5a36366c,0x5a36366c +.long 0x413f3f7e,0x413f3f7e +.long 0x02f7f7f5,0x02f7f7f5 +.long 0x4fcccc83,0x4fcccc83 +.long 0x5c343468,0x5c343468 +.long 0xf4a5a551,0xf4a5a551 +.long 0x34e5e5d1,0x34e5e5d1 +.long 0x08f1f1f9,0x08f1f1f9 +.long 0x937171e2,0x937171e2 +.long 0x73d8d8ab,0x73d8d8ab +.long 0x53313162,0x53313162 +.long 0x3f15152a,0x3f15152a +.long 0x0c040408,0x0c040408 +.long 0x52c7c795,0x52c7c795 +.long 0x65232346,0x65232346 +.long 0x5ec3c39d,0x5ec3c39d +.long 0x28181830,0x28181830 +.long 0xa1969637,0xa1969637 +.long 0x0f05050a,0x0f05050a +.long 0xb59a9a2f,0xb59a9a2f +.long 0x0907070e,0x0907070e +.long 0x36121224,0x36121224 +.long 0x9b80801b,0x9b80801b +.long 0x3de2e2df,0x3de2e2df +.long 0x26ebebcd,0x26ebebcd +.long 0x6927274e,0x6927274e +.long 0xcdb2b27f,0xcdb2b27f +.long 0x9f7575ea,0x9f7575ea +.long 0x1b090912,0x1b090912 +.long 0x9e83831d,0x9e83831d +.long 0x742c2c58,0x742c2c58 +.long 0x2e1a1a34,0x2e1a1a34 +.long 0x2d1b1b36,0x2d1b1b36 +.long 0xb26e6edc,0xb26e6edc +.long 0xee5a5ab4,0xee5a5ab4 +.long 0xfba0a05b,0xfba0a05b +.long 0xf65252a4,0xf65252a4 +.long 0x4d3b3b76,0x4d3b3b76 +.long 0x61d6d6b7,0x61d6d6b7 +.long 0xceb3b37d,0xceb3b37d +.long 0x7b292952,0x7b292952 +.long 0x3ee3e3dd,0x3ee3e3dd +.long 0x712f2f5e,0x712f2f5e +.long 0x97848413,0x97848413 +.long 0xf55353a6,0xf55353a6 +.long 0x68d1d1b9,0x68d1d1b9 +.long 0x00000000,0x00000000 +.long 0x2cededc1,0x2cededc1 +.long 0x60202040,0x60202040 +.long 0x1ffcfce3,0x1ffcfce3 +.long 0xc8b1b179,0xc8b1b179 +.long 0xed5b5bb6,0xed5b5bb6 +.long 0xbe6a6ad4,0xbe6a6ad4 +.long 0x46cbcb8d,0x46cbcb8d +.long 0xd9bebe67,0xd9bebe67 +.long 0x4b393972,0x4b393972 +.long 0xde4a4a94,0xde4a4a94 
+.long 0xd44c4c98,0xd44c4c98 +.long 0xe85858b0,0xe85858b0 +.long 0x4acfcf85,0x4acfcf85 +.long 0x6bd0d0bb,0x6bd0d0bb +.long 0x2aefefc5,0x2aefefc5 +.long 0xe5aaaa4f,0xe5aaaa4f +.long 0x16fbfbed,0x16fbfbed +.long 0xc5434386,0xc5434386 +.long 0xd74d4d9a,0xd74d4d9a +.long 0x55333366,0x55333366 +.long 0x94858511,0x94858511 +.long 0xcf45458a,0xcf45458a +.long 0x10f9f9e9,0x10f9f9e9 +.long 0x06020204,0x06020204 +.long 0x817f7ffe,0x817f7ffe +.long 0xf05050a0,0xf05050a0 +.long 0x443c3c78,0x443c3c78 +.long 0xba9f9f25,0xba9f9f25 +.long 0xe3a8a84b,0xe3a8a84b +.long 0xf35151a2,0xf35151a2 +.long 0xfea3a35d,0xfea3a35d +.long 0xc0404080,0xc0404080 +.long 0x8a8f8f05,0x8a8f8f05 +.long 0xad92923f,0xad92923f +.long 0xbc9d9d21,0xbc9d9d21 +.long 0x48383870,0x48383870 +.long 0x04f5f5f1,0x04f5f5f1 +.long 0xdfbcbc63,0xdfbcbc63 +.long 0xc1b6b677,0xc1b6b677 +.long 0x75dadaaf,0x75dadaaf +.long 0x63212142,0x63212142 +.long 0x30101020,0x30101020 +.long 0x1affffe5,0x1affffe5 +.long 0x0ef3f3fd,0x0ef3f3fd +.long 0x6dd2d2bf,0x6dd2d2bf +.long 0x4ccdcd81,0x4ccdcd81 +.long 0x140c0c18,0x140c0c18 +.long 0x35131326,0x35131326 +.long 0x2fececc3,0x2fececc3 +.long 0xe15f5fbe,0xe15f5fbe +.long 0xa2979735,0xa2979735 +.long 0xcc444488,0xcc444488 +.long 0x3917172e,0x3917172e +.long 0x57c4c493,0x57c4c493 +.long 0xf2a7a755,0xf2a7a755 +.long 0x827e7efc,0x827e7efc +.long 0x473d3d7a,0x473d3d7a +.long 0xac6464c8,0xac6464c8 +.long 0xe75d5dba,0xe75d5dba +.long 0x2b191932,0x2b191932 +.long 0x957373e6,0x957373e6 +.long 0xa06060c0,0xa06060c0 +.long 0x98818119,0x98818119 +.long 0xd14f4f9e,0xd14f4f9e +.long 0x7fdcdca3,0x7fdcdca3 +.long 0x66222244,0x66222244 +.long 0x7e2a2a54,0x7e2a2a54 +.long 0xab90903b,0xab90903b +.long 0x8388880b,0x8388880b +.long 0xca46468c,0xca46468c +.long 0x29eeeec7,0x29eeeec7 +.long 0xd3b8b86b,0xd3b8b86b +.long 0x3c141428,0x3c141428 +.long 0x79dedea7,0x79dedea7 +.long 0xe25e5ebc,0xe25e5ebc +.long 0x1d0b0b16,0x1d0b0b16 +.long 0x76dbdbad,0x76dbdbad +.long 0x3be0e0db,0x3be0e0db +.long 
0x56323264,0x56323264 +.long 0x4e3a3a74,0x4e3a3a74 +.long 0x1e0a0a14,0x1e0a0a14 +.long 0xdb494992,0xdb494992 +.long 0x0a06060c,0x0a06060c +.long 0x6c242448,0x6c242448 +.long 0xe45c5cb8,0xe45c5cb8 +.long 0x5dc2c29f,0x5dc2c29f +.long 0x6ed3d3bd,0x6ed3d3bd +.long 0xefacac43,0xefacac43 +.long 0xa66262c4,0xa66262c4 +.long 0xa8919139,0xa8919139 +.long 0xa4959531,0xa4959531 +.long 0x37e4e4d3,0x37e4e4d3 +.long 0x8b7979f2,0x8b7979f2 +.long 0x32e7e7d5,0x32e7e7d5 +.long 0x43c8c88b,0x43c8c88b +.long 0x5937376e,0x5937376e +.long 0xb76d6dda,0xb76d6dda +.long 0x8c8d8d01,0x8c8d8d01 +.long 0x64d5d5b1,0x64d5d5b1 +.long 0xd24e4e9c,0xd24e4e9c +.long 0xe0a9a949,0xe0a9a949 +.long 0xb46c6cd8,0xb46c6cd8 +.long 0xfa5656ac,0xfa5656ac +.long 0x07f4f4f3,0x07f4f4f3 +.long 0x25eaeacf,0x25eaeacf +.long 0xaf6565ca,0xaf6565ca +.long 0x8e7a7af4,0x8e7a7af4 +.long 0xe9aeae47,0xe9aeae47 +.long 0x18080810,0x18080810 +.long 0xd5baba6f,0xd5baba6f +.long 0x887878f0,0x887878f0 +.long 0x6f25254a,0x6f25254a +.long 0x722e2e5c,0x722e2e5c +.long 0x241c1c38,0x241c1c38 +.long 0xf1a6a657,0xf1a6a657 +.long 0xc7b4b473,0xc7b4b473 +.long 0x51c6c697,0x51c6c697 +.long 0x23e8e8cb,0x23e8e8cb +.long 0x7cdddda1,0x7cdddda1 +.long 0x9c7474e8,0x9c7474e8 +.long 0x211f1f3e,0x211f1f3e +.long 0xdd4b4b96,0xdd4b4b96 +.long 0xdcbdbd61,0xdcbdbd61 +.long 0x868b8b0d,0x868b8b0d +.long 0x858a8a0f,0x858a8a0f +.long 0x907070e0,0x907070e0 +.long 0x423e3e7c,0x423e3e7c +.long 0xc4b5b571,0xc4b5b571 +.long 0xaa6666cc,0xaa6666cc +.long 0xd8484890,0xd8484890 +.long 0x05030306,0x05030306 +.long 0x01f6f6f7,0x01f6f6f7 +.long 0x120e0e1c,0x120e0e1c +.long 0xa36161c2,0xa36161c2 +.long 0x5f35356a,0x5f35356a +.long 0xf95757ae,0xf95757ae +.long 0xd0b9b969,0xd0b9b969 +.long 0x91868617,0x91868617 +.long 0x58c1c199,0x58c1c199 +.long 0x271d1d3a,0x271d1d3a +.long 0xb99e9e27,0xb99e9e27 +.long 0x38e1e1d9,0x38e1e1d9 +.long 0x13f8f8eb,0x13f8f8eb +.long 0xb398982b,0xb398982b +.long 0x33111122,0x33111122 +.long 0xbb6969d2,0xbb6969d2 +.long 0x70d9d9a9,0x70d9d9a9 
+.long 0x898e8e07,0x898e8e07 +.long 0xa7949433,0xa7949433 +.long 0xb69b9b2d,0xb69b9b2d +.long 0x221e1e3c,0x221e1e3c +.long 0x92878715,0x92878715 +.long 0x20e9e9c9,0x20e9e9c9 +.long 0x49cece87,0x49cece87 +.long 0xff5555aa,0xff5555aa +.long 0x78282850,0x78282850 +.long 0x7adfdfa5,0x7adfdfa5 +.long 0x8f8c8c03,0x8f8c8c03 +.long 0xf8a1a159,0xf8a1a159 +.long 0x80898909,0x80898909 +.long 0x170d0d1a,0x170d0d1a +.long 0xdabfbf65,0xdabfbf65 +.long 0x31e6e6d7,0x31e6e6d7 +.long 0xc6424284,0xc6424284 +.long 0xb86868d0,0xb86868d0 +.long 0xc3414182,0xc3414182 +.long 0xb0999929,0xb0999929 +.long 0x772d2d5a,0x772d2d5a +.long 0x110f0f1e,0x110f0f1e +.long 0xcbb0b07b,0xcbb0b07b +.long 0xfc5454a8,0xfc5454a8 +.long 0xd6bbbb6d,0xd6bbbb6d +.long 0x3a16162c,0x3a16162c +.byte 0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5 +.byte 0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76 +.byte 0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0 +.byte 0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0 +.byte 0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc +.byte 0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15 +.byte 0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a +.byte 0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75 +.byte 0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0 +.byte 0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84 +.byte 0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b +.byte 0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf +.byte 0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85 +.byte 0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8 +.byte 0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5 +.byte 0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2 +.byte 0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17 +.byte 0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73 +.byte 0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88 +.byte 0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb +.byte 0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c +.byte 0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79 +.byte 0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9 +.byte 0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08 +.byte 0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6 +.byte 0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a +.byte 
0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e +.byte 0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e +.byte 0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94 +.byte 0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf +.byte 0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68 +.byte 0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16 +.byte 0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5 +.byte 0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76 +.byte 0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0 +.byte 0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0 +.byte 0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc +.byte 0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15 +.byte 0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a +.byte 0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75 +.byte 0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0 +.byte 0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84 +.byte 0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b +.byte 0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf +.byte 0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85 +.byte 0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8 +.byte 0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5 +.byte 0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2 +.byte 0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17 +.byte 0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73 +.byte 0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88 +.byte 0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb +.byte 0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c +.byte 0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79 +.byte 0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9 +.byte 0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08 +.byte 0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6 +.byte 0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a +.byte 0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e +.byte 0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e +.byte 0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94 +.byte 0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf +.byte 0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68 +.byte 0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16 +.byte 0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5 +.byte 0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76 +.byte 0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0 +.byte 0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0 +.byte 
0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc +.byte 0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15 +.byte 0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a +.byte 0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75 +.byte 0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0 +.byte 0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84 +.byte 0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b +.byte 0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf +.byte 0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85 +.byte 0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8 +.byte 0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5 +.byte 0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2 +.byte 0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17 +.byte 0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73 +.byte 0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88 +.byte 0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb +.byte 0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c +.byte 0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79 +.byte 0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9 +.byte 0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08 +.byte 0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6 +.byte 0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a +.byte 0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e +.byte 0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e +.byte 0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94 +.byte 0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf +.byte 0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68 +.byte 0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16 +.byte 0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5 +.byte 0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76 +.byte 0xca,0x82,0xc9,0x7d,0xfa,0x59,0x47,0xf0 +.byte 0xad,0xd4,0xa2,0xaf,0x9c,0xa4,0x72,0xc0 +.byte 0xb7,0xfd,0x93,0x26,0x36,0x3f,0xf7,0xcc +.byte 0x34,0xa5,0xe5,0xf1,0x71,0xd8,0x31,0x15 +.byte 0x04,0xc7,0x23,0xc3,0x18,0x96,0x05,0x9a +.byte 0x07,0x12,0x80,0xe2,0xeb,0x27,0xb2,0x75 +.byte 0x09,0x83,0x2c,0x1a,0x1b,0x6e,0x5a,0xa0 +.byte 0x52,0x3b,0xd6,0xb3,0x29,0xe3,0x2f,0x84 +.byte 0x53,0xd1,0x00,0xed,0x20,0xfc,0xb1,0x5b +.byte 0x6a,0xcb,0xbe,0x39,0x4a,0x4c,0x58,0xcf +.byte 0xd0,0xef,0xaa,0xfb,0x43,0x4d,0x33,0x85 +.byte 0x45,0xf9,0x02,0x7f,0x50,0x3c,0x9f,0xa8 +.byte 
0x51,0xa3,0x40,0x8f,0x92,0x9d,0x38,0xf5 +.byte 0xbc,0xb6,0xda,0x21,0x10,0xff,0xf3,0xd2 +.byte 0xcd,0x0c,0x13,0xec,0x5f,0x97,0x44,0x17 +.byte 0xc4,0xa7,0x7e,0x3d,0x64,0x5d,0x19,0x73 +.byte 0x60,0x81,0x4f,0xdc,0x22,0x2a,0x90,0x88 +.byte 0x46,0xee,0xb8,0x14,0xde,0x5e,0x0b,0xdb +.byte 0xe0,0x32,0x3a,0x0a,0x49,0x06,0x24,0x5c +.byte 0xc2,0xd3,0xac,0x62,0x91,0x95,0xe4,0x79 +.byte 0xe7,0xc8,0x37,0x6d,0x8d,0xd5,0x4e,0xa9 +.byte 0x6c,0x56,0xf4,0xea,0x65,0x7a,0xae,0x08 +.byte 0xba,0x78,0x25,0x2e,0x1c,0xa6,0xb4,0xc6 +.byte 0xe8,0xdd,0x74,0x1f,0x4b,0xbd,0x8b,0x8a +.byte 0x70,0x3e,0xb5,0x66,0x48,0x03,0xf6,0x0e +.byte 0x61,0x35,0x57,0xb9,0x86,0xc1,0x1d,0x9e +.byte 0xe1,0xf8,0x98,0x11,0x69,0xd9,0x8e,0x94 +.byte 0x9b,0x1e,0x87,0xe9,0xce,0x55,0x28,0xdf +.byte 0x8c,0xa1,0x89,0x0d,0xbf,0xe6,0x42,0x68 +.byte 0x41,0x99,0x2d,0x0f,0xb0,0x54,0xbb,0x16 +.long 0x00000001, 0x00000002, 0x00000004, 0x00000008 +.long 0x00000010, 0x00000020, 0x00000040, 0x00000080 +.long 0x0000001b, 0x00000036, 0x80808080, 0x80808080 +.long 0xfefefefe, 0xfefefefe, 0x1b1b1b1b, 0x1b1b1b1b +.p2align 6 +.LAES_Td: +.long 0x50a7f451,0x50a7f451 +.long 0x5365417e,0x5365417e +.long 0xc3a4171a,0xc3a4171a +.long 0x965e273a,0x965e273a +.long 0xcb6bab3b,0xcb6bab3b +.long 0xf1459d1f,0xf1459d1f +.long 0xab58faac,0xab58faac +.long 0x9303e34b,0x9303e34b +.long 0x55fa3020,0x55fa3020 +.long 0xf66d76ad,0xf66d76ad +.long 0x9176cc88,0x9176cc88 +.long 0x254c02f5,0x254c02f5 +.long 0xfcd7e54f,0xfcd7e54f +.long 0xd7cb2ac5,0xd7cb2ac5 +.long 0x80443526,0x80443526 +.long 0x8fa362b5,0x8fa362b5 +.long 0x495ab1de,0x495ab1de +.long 0x671bba25,0x671bba25 +.long 0x980eea45,0x980eea45 +.long 0xe1c0fe5d,0xe1c0fe5d +.long 0x02752fc3,0x02752fc3 +.long 0x12f04c81,0x12f04c81 +.long 0xa397468d,0xa397468d +.long 0xc6f9d36b,0xc6f9d36b +.long 0xe75f8f03,0xe75f8f03 +.long 0x959c9215,0x959c9215 +.long 0xeb7a6dbf,0xeb7a6dbf +.long 0xda595295,0xda595295 +.long 0x2d83bed4,0x2d83bed4 +.long 0xd3217458,0xd3217458 +.long 0x2969e049,0x2969e049 +.long 
0x44c8c98e,0x44c8c98e +.long 0x6a89c275,0x6a89c275 +.long 0x78798ef4,0x78798ef4 +.long 0x6b3e5899,0x6b3e5899 +.long 0xdd71b927,0xdd71b927 +.long 0xb64fe1be,0xb64fe1be +.long 0x17ad88f0,0x17ad88f0 +.long 0x66ac20c9,0x66ac20c9 +.long 0xb43ace7d,0xb43ace7d +.long 0x184adf63,0x184adf63 +.long 0x82311ae5,0x82311ae5 +.long 0x60335197,0x60335197 +.long 0x457f5362,0x457f5362 +.long 0xe07764b1,0xe07764b1 +.long 0x84ae6bbb,0x84ae6bbb +.long 0x1ca081fe,0x1ca081fe +.long 0x942b08f9,0x942b08f9 +.long 0x58684870,0x58684870 +.long 0x19fd458f,0x19fd458f +.long 0x876cde94,0x876cde94 +.long 0xb7f87b52,0xb7f87b52 +.long 0x23d373ab,0x23d373ab +.long 0xe2024b72,0xe2024b72 +.long 0x578f1fe3,0x578f1fe3 +.long 0x2aab5566,0x2aab5566 +.long 0x0728ebb2,0x0728ebb2 +.long 0x03c2b52f,0x03c2b52f +.long 0x9a7bc586,0x9a7bc586 +.long 0xa50837d3,0xa50837d3 +.long 0xf2872830,0xf2872830 +.long 0xb2a5bf23,0xb2a5bf23 +.long 0xba6a0302,0xba6a0302 +.long 0x5c8216ed,0x5c8216ed +.long 0x2b1ccf8a,0x2b1ccf8a +.long 0x92b479a7,0x92b479a7 +.long 0xf0f207f3,0xf0f207f3 +.long 0xa1e2694e,0xa1e2694e +.long 0xcdf4da65,0xcdf4da65 +.long 0xd5be0506,0xd5be0506 +.long 0x1f6234d1,0x1f6234d1 +.long 0x8afea6c4,0x8afea6c4 +.long 0x9d532e34,0x9d532e34 +.long 0xa055f3a2,0xa055f3a2 +.long 0x32e18a05,0x32e18a05 +.long 0x75ebf6a4,0x75ebf6a4 +.long 0x39ec830b,0x39ec830b +.long 0xaaef6040,0xaaef6040 +.long 0x069f715e,0x069f715e +.long 0x51106ebd,0x51106ebd +.long 0xf98a213e,0xf98a213e +.long 0x3d06dd96,0x3d06dd96 +.long 0xae053edd,0xae053edd +.long 0x46bde64d,0x46bde64d +.long 0xb58d5491,0xb58d5491 +.long 0x055dc471,0x055dc471 +.long 0x6fd40604,0x6fd40604 +.long 0xff155060,0xff155060 +.long 0x24fb9819,0x24fb9819 +.long 0x97e9bdd6,0x97e9bdd6 +.long 0xcc434089,0xcc434089 +.long 0x779ed967,0x779ed967 +.long 0xbd42e8b0,0xbd42e8b0 +.long 0x888b8907,0x888b8907 +.long 0x385b19e7,0x385b19e7 +.long 0xdbeec879,0xdbeec879 +.long 0x470a7ca1,0x470a7ca1 +.long 0xe90f427c,0xe90f427c +.long 0xc91e84f8,0xc91e84f8 +.long 0x00000000,0x00000000 
+.long 0x83868009,0x83868009 +.long 0x48ed2b32,0x48ed2b32 +.long 0xac70111e,0xac70111e +.long 0x4e725a6c,0x4e725a6c +.long 0xfbff0efd,0xfbff0efd +.long 0x5638850f,0x5638850f +.long 0x1ed5ae3d,0x1ed5ae3d +.long 0x27392d36,0x27392d36 +.long 0x64d90f0a,0x64d90f0a +.long 0x21a65c68,0x21a65c68 +.long 0xd1545b9b,0xd1545b9b +.long 0x3a2e3624,0x3a2e3624 +.long 0xb1670a0c,0xb1670a0c +.long 0x0fe75793,0x0fe75793 +.long 0xd296eeb4,0xd296eeb4 +.long 0x9e919b1b,0x9e919b1b +.long 0x4fc5c080,0x4fc5c080 +.long 0xa220dc61,0xa220dc61 +.long 0x694b775a,0x694b775a +.long 0x161a121c,0x161a121c +.long 0x0aba93e2,0x0aba93e2 +.long 0xe52aa0c0,0xe52aa0c0 +.long 0x43e0223c,0x43e0223c +.long 0x1d171b12,0x1d171b12 +.long 0x0b0d090e,0x0b0d090e +.long 0xadc78bf2,0xadc78bf2 +.long 0xb9a8b62d,0xb9a8b62d +.long 0xc8a91e14,0xc8a91e14 +.long 0x8519f157,0x8519f157 +.long 0x4c0775af,0x4c0775af +.long 0xbbdd99ee,0xbbdd99ee +.long 0xfd607fa3,0xfd607fa3 +.long 0x9f2601f7,0x9f2601f7 +.long 0xbcf5725c,0xbcf5725c +.long 0xc53b6644,0xc53b6644 +.long 0x347efb5b,0x347efb5b +.long 0x7629438b,0x7629438b +.long 0xdcc623cb,0xdcc623cb +.long 0x68fcedb6,0x68fcedb6 +.long 0x63f1e4b8,0x63f1e4b8 +.long 0xcadc31d7,0xcadc31d7 +.long 0x10856342,0x10856342 +.long 0x40229713,0x40229713 +.long 0x2011c684,0x2011c684 +.long 0x7d244a85,0x7d244a85 +.long 0xf83dbbd2,0xf83dbbd2 +.long 0x1132f9ae,0x1132f9ae +.long 0x6da129c7,0x6da129c7 +.long 0x4b2f9e1d,0x4b2f9e1d +.long 0xf330b2dc,0xf330b2dc +.long 0xec52860d,0xec52860d +.long 0xd0e3c177,0xd0e3c177 +.long 0x6c16b32b,0x6c16b32b +.long 0x99b970a9,0x99b970a9 +.long 0xfa489411,0xfa489411 +.long 0x2264e947,0x2264e947 +.long 0xc48cfca8,0xc48cfca8 +.long 0x1a3ff0a0,0x1a3ff0a0 +.long 0xd82c7d56,0xd82c7d56 +.long 0xef903322,0xef903322 +.long 0xc74e4987,0xc74e4987 +.long 0xc1d138d9,0xc1d138d9 +.long 0xfea2ca8c,0xfea2ca8c +.long 0x360bd498,0x360bd498 +.long 0xcf81f5a6,0xcf81f5a6 +.long 0x28de7aa5,0x28de7aa5 +.long 0x268eb7da,0x268eb7da +.long 0xa4bfad3f,0xa4bfad3f +.long 
0xe49d3a2c,0xe49d3a2c +.long 0x0d927850,0x0d927850 +.long 0x9bcc5f6a,0x9bcc5f6a +.long 0x62467e54,0x62467e54 +.long 0xc2138df6,0xc2138df6 +.long 0xe8b8d890,0xe8b8d890 +.long 0x5ef7392e,0x5ef7392e +.long 0xf5afc382,0xf5afc382 +.long 0xbe805d9f,0xbe805d9f +.long 0x7c93d069,0x7c93d069 +.long 0xa92dd56f,0xa92dd56f +.long 0xb31225cf,0xb31225cf +.long 0x3b99acc8,0x3b99acc8 +.long 0xa77d1810,0xa77d1810 +.long 0x6e639ce8,0x6e639ce8 +.long 0x7bbb3bdb,0x7bbb3bdb +.long 0x097826cd,0x097826cd +.long 0xf418596e,0xf418596e +.long 0x01b79aec,0x01b79aec +.long 0xa89a4f83,0xa89a4f83 +.long 0x656e95e6,0x656e95e6 +.long 0x7ee6ffaa,0x7ee6ffaa +.long 0x08cfbc21,0x08cfbc21 +.long 0xe6e815ef,0xe6e815ef +.long 0xd99be7ba,0xd99be7ba +.long 0xce366f4a,0xce366f4a +.long 0xd4099fea,0xd4099fea +.long 0xd67cb029,0xd67cb029 +.long 0xafb2a431,0xafb2a431 +.long 0x31233f2a,0x31233f2a +.long 0x3094a5c6,0x3094a5c6 +.long 0xc066a235,0xc066a235 +.long 0x37bc4e74,0x37bc4e74 +.long 0xa6ca82fc,0xa6ca82fc +.long 0xb0d090e0,0xb0d090e0 +.long 0x15d8a733,0x15d8a733 +.long 0x4a9804f1,0x4a9804f1 +.long 0xf7daec41,0xf7daec41 +.long 0x0e50cd7f,0x0e50cd7f +.long 0x2ff69117,0x2ff69117 +.long 0x8dd64d76,0x8dd64d76 +.long 0x4db0ef43,0x4db0ef43 +.long 0x544daacc,0x544daacc +.long 0xdf0496e4,0xdf0496e4 +.long 0xe3b5d19e,0xe3b5d19e +.long 0x1b886a4c,0x1b886a4c +.long 0xb81f2cc1,0xb81f2cc1 +.long 0x7f516546,0x7f516546 +.long 0x04ea5e9d,0x04ea5e9d +.long 0x5d358c01,0x5d358c01 +.long 0x737487fa,0x737487fa +.long 0x2e410bfb,0x2e410bfb +.long 0x5a1d67b3,0x5a1d67b3 +.long 0x52d2db92,0x52d2db92 +.long 0x335610e9,0x335610e9 +.long 0x1347d66d,0x1347d66d +.long 0x8c61d79a,0x8c61d79a +.long 0x7a0ca137,0x7a0ca137 +.long 0x8e14f859,0x8e14f859 +.long 0x893c13eb,0x893c13eb +.long 0xee27a9ce,0xee27a9ce +.long 0x35c961b7,0x35c961b7 +.long 0xede51ce1,0xede51ce1 +.long 0x3cb1477a,0x3cb1477a +.long 0x59dfd29c,0x59dfd29c +.long 0x3f73f255,0x3f73f255 +.long 0x79ce1418,0x79ce1418 +.long 0xbf37c773,0xbf37c773 +.long 0xeacdf753,0xeacdf753 
+.long 0x5baafd5f,0x5baafd5f +.long 0x146f3ddf,0x146f3ddf +.long 0x86db4478,0x86db4478 +.long 0x81f3afca,0x81f3afca +.long 0x3ec468b9,0x3ec468b9 +.long 0x2c342438,0x2c342438 +.long 0x5f40a3c2,0x5f40a3c2 +.long 0x72c31d16,0x72c31d16 +.long 0x0c25e2bc,0x0c25e2bc +.long 0x8b493c28,0x8b493c28 +.long 0x41950dff,0x41950dff +.long 0x7101a839,0x7101a839 +.long 0xdeb30c08,0xdeb30c08 +.long 0x9ce4b4d8,0x9ce4b4d8 +.long 0x90c15664,0x90c15664 +.long 0x6184cb7b,0x6184cb7b +.long 0x70b632d5,0x70b632d5 +.long 0x745c6c48,0x745c6c48 +.long 0x4257b8d0,0x4257b8d0 +.byte 0x52,0x09,0x6a,0xd5,0x30,0x36,0xa5,0x38 +.byte 0xbf,0x40,0xa3,0x9e,0x81,0xf3,0xd7,0xfb +.byte 0x7c,0xe3,0x39,0x82,0x9b,0x2f,0xff,0x87 +.byte 0x34,0x8e,0x43,0x44,0xc4,0xde,0xe9,0xcb +.byte 0x54,0x7b,0x94,0x32,0xa6,0xc2,0x23,0x3d +.byte 0xee,0x4c,0x95,0x0b,0x42,0xfa,0xc3,0x4e +.byte 0x08,0x2e,0xa1,0x66,0x28,0xd9,0x24,0xb2 +.byte 0x76,0x5b,0xa2,0x49,0x6d,0x8b,0xd1,0x25 +.byte 0x72,0xf8,0xf6,0x64,0x86,0x68,0x98,0x16 +.byte 0xd4,0xa4,0x5c,0xcc,0x5d,0x65,0xb6,0x92 +.byte 0x6c,0x70,0x48,0x50,0xfd,0xed,0xb9,0xda +.byte 0x5e,0x15,0x46,0x57,0xa7,0x8d,0x9d,0x84 +.byte 0x90,0xd8,0xab,0x00,0x8c,0xbc,0xd3,0x0a +.byte 0xf7,0xe4,0x58,0x05,0xb8,0xb3,0x45,0x06 +.byte 0xd0,0x2c,0x1e,0x8f,0xca,0x3f,0x0f,0x02 +.byte 0xc1,0xaf,0xbd,0x03,0x01,0x13,0x8a,0x6b +.byte 0x3a,0x91,0x11,0x41,0x4f,0x67,0xdc,0xea +.byte 0x97,0xf2,0xcf,0xce,0xf0,0xb4,0xe6,0x73 +.byte 0x96,0xac,0x74,0x22,0xe7,0xad,0x35,0x85 +.byte 0xe2,0xf9,0x37,0xe8,0x1c,0x75,0xdf,0x6e +.byte 0x47,0xf1,0x1a,0x71,0x1d,0x29,0xc5,0x89 +.byte 0x6f,0xb7,0x62,0x0e,0xaa,0x18,0xbe,0x1b +.byte 0xfc,0x56,0x3e,0x4b,0xc6,0xd2,0x79,0x20 +.byte 0x9a,0xdb,0xc0,0xfe,0x78,0xcd,0x5a,0xf4 +.byte 0x1f,0xdd,0xa8,0x33,0x88,0x07,0xc7,0x31 +.byte 0xb1,0x12,0x10,0x59,0x27,0x80,0xec,0x5f +.byte 0x60,0x51,0x7f,0xa9,0x19,0xb5,0x4a,0x0d +.byte 0x2d,0xe5,0x7a,0x9f,0x93,0xc9,0x9c,0xef +.byte 0xa0,0xe0,0x3b,0x4d,0xae,0x2a,0xf5,0xb0 +.byte 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61 +.byte 
0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26 +.byte 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d +.long 0x80808080, 0x80808080, 0xfefefefe, 0xfefefefe +.long 0x1b1b1b1b, 0x1b1b1b1b, 0, 0 +.byte 0x52,0x09,0x6a,0xd5,0x30,0x36,0xa5,0x38 +.byte 0xbf,0x40,0xa3,0x9e,0x81,0xf3,0xd7,0xfb +.byte 0x7c,0xe3,0x39,0x82,0x9b,0x2f,0xff,0x87 +.byte 0x34,0x8e,0x43,0x44,0xc4,0xde,0xe9,0xcb +.byte 0x54,0x7b,0x94,0x32,0xa6,0xc2,0x23,0x3d +.byte 0xee,0x4c,0x95,0x0b,0x42,0xfa,0xc3,0x4e +.byte 0x08,0x2e,0xa1,0x66,0x28,0xd9,0x24,0xb2 +.byte 0x76,0x5b,0xa2,0x49,0x6d,0x8b,0xd1,0x25 +.byte 0x72,0xf8,0xf6,0x64,0x86,0x68,0x98,0x16 +.byte 0xd4,0xa4,0x5c,0xcc,0x5d,0x65,0xb6,0x92 +.byte 0x6c,0x70,0x48,0x50,0xfd,0xed,0xb9,0xda +.byte 0x5e,0x15,0x46,0x57,0xa7,0x8d,0x9d,0x84 +.byte 0x90,0xd8,0xab,0x00,0x8c,0xbc,0xd3,0x0a +.byte 0xf7,0xe4,0x58,0x05,0xb8,0xb3,0x45,0x06 +.byte 0xd0,0x2c,0x1e,0x8f,0xca,0x3f,0x0f,0x02 +.byte 0xc1,0xaf,0xbd,0x03,0x01,0x13,0x8a,0x6b +.byte 0x3a,0x91,0x11,0x41,0x4f,0x67,0xdc,0xea +.byte 0x97,0xf2,0xcf,0xce,0xf0,0xb4,0xe6,0x73 +.byte 0x96,0xac,0x74,0x22,0xe7,0xad,0x35,0x85 +.byte 0xe2,0xf9,0x37,0xe8,0x1c,0x75,0xdf,0x6e +.byte 0x47,0xf1,0x1a,0x71,0x1d,0x29,0xc5,0x89 +.byte 0x6f,0xb7,0x62,0x0e,0xaa,0x18,0xbe,0x1b +.byte 0xfc,0x56,0x3e,0x4b,0xc6,0xd2,0x79,0x20 +.byte 0x9a,0xdb,0xc0,0xfe,0x78,0xcd,0x5a,0xf4 +.byte 0x1f,0xdd,0xa8,0x33,0x88,0x07,0xc7,0x31 +.byte 0xb1,0x12,0x10,0x59,0x27,0x80,0xec,0x5f +.byte 0x60,0x51,0x7f,0xa9,0x19,0xb5,0x4a,0x0d +.byte 0x2d,0xe5,0x7a,0x9f,0x93,0xc9,0x9c,0xef +.byte 0xa0,0xe0,0x3b,0x4d,0xae,0x2a,0xf5,0xb0 +.byte 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61 +.byte 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26 +.byte 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d +.long 0x80808080, 0x80808080, 0xfefefefe, 0xfefefefe +.long 0x1b1b1b1b, 0x1b1b1b1b, 0, 0 +.byte 0x52,0x09,0x6a,0xd5,0x30,0x36,0xa5,0x38 +.byte 0xbf,0x40,0xa3,0x9e,0x81,0xf3,0xd7,0xfb +.byte 0x7c,0xe3,0x39,0x82,0x9b,0x2f,0xff,0x87 +.byte 0x34,0x8e,0x43,0x44,0xc4,0xde,0xe9,0xcb +.byte 
0x54,0x7b,0x94,0x32,0xa6,0xc2,0x23,0x3d +.byte 0xee,0x4c,0x95,0x0b,0x42,0xfa,0xc3,0x4e +.byte 0x08,0x2e,0xa1,0x66,0x28,0xd9,0x24,0xb2 +.byte 0x76,0x5b,0xa2,0x49,0x6d,0x8b,0xd1,0x25 +.byte 0x72,0xf8,0xf6,0x64,0x86,0x68,0x98,0x16 +.byte 0xd4,0xa4,0x5c,0xcc,0x5d,0x65,0xb6,0x92 +.byte 0x6c,0x70,0x48,0x50,0xfd,0xed,0xb9,0xda +.byte 0x5e,0x15,0x46,0x57,0xa7,0x8d,0x9d,0x84 +.byte 0x90,0xd8,0xab,0x00,0x8c,0xbc,0xd3,0x0a +.byte 0xf7,0xe4,0x58,0x05,0xb8,0xb3,0x45,0x06 +.byte 0xd0,0x2c,0x1e,0x8f,0xca,0x3f,0x0f,0x02 +.byte 0xc1,0xaf,0xbd,0x03,0x01,0x13,0x8a,0x6b +.byte 0x3a,0x91,0x11,0x41,0x4f,0x67,0xdc,0xea +.byte 0x97,0xf2,0xcf,0xce,0xf0,0xb4,0xe6,0x73 +.byte 0x96,0xac,0x74,0x22,0xe7,0xad,0x35,0x85 +.byte 0xe2,0xf9,0x37,0xe8,0x1c,0x75,0xdf,0x6e +.byte 0x47,0xf1,0x1a,0x71,0x1d,0x29,0xc5,0x89 +.byte 0x6f,0xb7,0x62,0x0e,0xaa,0x18,0xbe,0x1b +.byte 0xfc,0x56,0x3e,0x4b,0xc6,0xd2,0x79,0x20 +.byte 0x9a,0xdb,0xc0,0xfe,0x78,0xcd,0x5a,0xf4 +.byte 0x1f,0xdd,0xa8,0x33,0x88,0x07,0xc7,0x31 +.byte 0xb1,0x12,0x10,0x59,0x27,0x80,0xec,0x5f +.byte 0x60,0x51,0x7f,0xa9,0x19,0xb5,0x4a,0x0d +.byte 0x2d,0xe5,0x7a,0x9f,0x93,0xc9,0x9c,0xef +.byte 0xa0,0xe0,0x3b,0x4d,0xae,0x2a,0xf5,0xb0 +.byte 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61 +.byte 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26 +.byte 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d +.long 0x80808080, 0x80808080, 0xfefefefe, 0xfefefefe +.long 0x1b1b1b1b, 0x1b1b1b1b, 0, 0 +.byte 0x52,0x09,0x6a,0xd5,0x30,0x36,0xa5,0x38 +.byte 0xbf,0x40,0xa3,0x9e,0x81,0xf3,0xd7,0xfb +.byte 0x7c,0xe3,0x39,0x82,0x9b,0x2f,0xff,0x87 +.byte 0x34,0x8e,0x43,0x44,0xc4,0xde,0xe9,0xcb +.byte 0x54,0x7b,0x94,0x32,0xa6,0xc2,0x23,0x3d +.byte 0xee,0x4c,0x95,0x0b,0x42,0xfa,0xc3,0x4e +.byte 0x08,0x2e,0xa1,0x66,0x28,0xd9,0x24,0xb2 +.byte 0x76,0x5b,0xa2,0x49,0x6d,0x8b,0xd1,0x25 +.byte 0x72,0xf8,0xf6,0x64,0x86,0x68,0x98,0x16 +.byte 0xd4,0xa4,0x5c,0xcc,0x5d,0x65,0xb6,0x92 +.byte 0x6c,0x70,0x48,0x50,0xfd,0xed,0xb9,0xda +.byte 0x5e,0x15,0x46,0x57,0xa7,0x8d,0x9d,0x84 +.byte 
0x90,0xd8,0xab,0x00,0x8c,0xbc,0xd3,0x0a +.byte 0xf7,0xe4,0x58,0x05,0xb8,0xb3,0x45,0x06 +.byte 0xd0,0x2c,0x1e,0x8f,0xca,0x3f,0x0f,0x02 +.byte 0xc1,0xaf,0xbd,0x03,0x01,0x13,0x8a,0x6b +.byte 0x3a,0x91,0x11,0x41,0x4f,0x67,0xdc,0xea +.byte 0x97,0xf2,0xcf,0xce,0xf0,0xb4,0xe6,0x73 +.byte 0x96,0xac,0x74,0x22,0xe7,0xad,0x35,0x85 +.byte 0xe2,0xf9,0x37,0xe8,0x1c,0x75,0xdf,0x6e +.byte 0x47,0xf1,0x1a,0x71,0x1d,0x29,0xc5,0x89 +.byte 0x6f,0xb7,0x62,0x0e,0xaa,0x18,0xbe,0x1b +.byte 0xfc,0x56,0x3e,0x4b,0xc6,0xd2,0x79,0x20 +.byte 0x9a,0xdb,0xc0,0xfe,0x78,0xcd,0x5a,0xf4 +.byte 0x1f,0xdd,0xa8,0x33,0x88,0x07,0xc7,0x31 +.byte 0xb1,0x12,0x10,0x59,0x27,0x80,0xec,0x5f +.byte 0x60,0x51,0x7f,0xa9,0x19,0xb5,0x4a,0x0d +.byte 0x2d,0xe5,0x7a,0x9f,0x93,0xc9,0x9c,0xef +.byte 0xa0,0xe0,0x3b,0x4d,0xae,0x2a,0xf5,0xb0 +.byte 0xc8,0xeb,0xbb,0x3c,0x83,0x53,0x99,0x61 +.byte 0x17,0x2b,0x04,0x7e,0xba,0x77,0xd6,0x26 +.byte 0xe1,0x69,0x14,0x63,0x55,0x21,0x0c,0x7d +.long 0x80808080, 0x80808080, 0xfefefefe, 0xfefefefe +.long 0x1b1b1b1b, 0x1b1b1b1b, 0, 0 +.byte 65,69,83,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.p2align 6 + +.def block_se_handler; .scl 3; .type 32; .endef +.p2align 4 +block_se_handler: + pushq %rsi + pushq %rdi + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushfq + subq $64,%rsp + + movq 120(%r8),%rax + movq 248(%r8),%rbx + + movq 8(%r9),%rsi + movq 56(%r9),%r11 + + movl 0(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jb .Lin_block_prologue + + movq 152(%r8),%rax + + movl 4(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jae .Lin_block_prologue + + movq 24(%rax),%rax + leaq 48(%rax),%rax + + movq -8(%rax),%rbx + movq -16(%rax),%rbp + movq -24(%rax),%r12 + movq -32(%rax),%r13 + movq -40(%rax),%r14 + movq -48(%rax),%r15 + movq %rbx,144(%r8) + movq %rbp,160(%r8) + movq %r12,216(%r8) + movq %r13,224(%r8) + movq %r14,232(%r8) + 
movq %r15,240(%r8) + +.Lin_block_prologue: + movq 8(%rax),%rdi + movq 16(%rax),%rsi + movq %rax,152(%r8) + movq %rsi,168(%r8) + movq %rdi,176(%r8) + + jmp .Lcommon_seh_exit + + +.def key_se_handler; .scl 3; .type 32; .endef +.p2align 4 +key_se_handler: + pushq %rsi + pushq %rdi + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushfq + subq $64,%rsp + + movq 120(%r8),%rax + movq 248(%r8),%rbx + + movq 8(%r9),%rsi + movq 56(%r9),%r11 + + movl 0(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jb .Lin_key_prologue + + movq 152(%r8),%rax + + movl 4(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jae .Lin_key_prologue + + leaq 56(%rax),%rax + + movq -8(%rax),%rbx + movq -16(%rax),%rbp + movq -24(%rax),%r12 + movq -32(%rax),%r13 + movq -40(%rax),%r14 + movq -48(%rax),%r15 + movq %rbx,144(%r8) + movq %rbp,160(%r8) + movq %r12,216(%r8) + movq %r13,224(%r8) + movq %r14,232(%r8) + movq %r15,240(%r8) + +.Lin_key_prologue: + movq 8(%rax),%rdi + movq 16(%rax),%rsi + movq %rax,152(%r8) + movq %rsi,168(%r8) + movq %rdi,176(%r8) + + jmp .Lcommon_seh_exit + + +.def cbc_se_handler; .scl 3; .type 32; .endef +.p2align 4 +cbc_se_handler: + pushq %rsi + pushq %rdi + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushfq + subq $64,%rsp + + movq 120(%r8),%rax + movq 248(%r8),%rbx + + leaq .Lcbc_prologue(%rip),%r10 + cmpq %r10,%rbx + jb .Lin_cbc_prologue + + leaq .Lcbc_fast_body(%rip),%r10 + cmpq %r10,%rbx + jb .Lin_cbc_frame_setup + + leaq .Lcbc_slow_prologue(%rip),%r10 + cmpq %r10,%rbx + jb .Lin_cbc_body + + leaq .Lcbc_slow_body(%rip),%r10 + cmpq %r10,%rbx + jb .Lin_cbc_frame_setup + +.Lin_cbc_body: + movq 152(%r8),%rax + + leaq .Lcbc_epilogue(%rip),%r10 + cmpq %r10,%rbx + jae .Lin_cbc_prologue + + leaq 8(%rax),%rax + + leaq .Lcbc_popfq(%rip),%r10 + cmpq %r10,%rbx + jae .Lin_cbc_prologue + + movq 8(%rax),%rax + leaq 56(%rax),%rax + +.Lin_cbc_frame_setup: + movq -16(%rax),%rbx + movq -24(%rax),%rbp + movq 
-32(%rax),%r12 + movq -40(%rax),%r13 + movq -48(%rax),%r14 + movq -56(%rax),%r15 + movq %rbx,144(%r8) + movq %rbp,160(%r8) + movq %r12,216(%r8) + movq %r13,224(%r8) + movq %r14,232(%r8) + movq %r15,240(%r8) + +.Lin_cbc_prologue: + movq 8(%rax),%rdi + movq 16(%rax),%rsi + movq %rax,152(%r8) + movq %rsi,168(%r8) + movq %rdi,176(%r8) + +.Lcommon_seh_exit: + + movq 40(%r9),%rdi + movq %r8,%rsi + movl $154,%ecx +.long 0xa548f3fc + + movq %r9,%rsi + xorq %rcx,%rcx + movq 8(%rsi),%rdx + movq 0(%rsi),%r8 + movq 16(%rsi),%r9 + movq 40(%rsi),%r10 + leaq 56(%rsi),%r11 + leaq 24(%rsi),%r12 + movq %r10,32(%rsp) + movq %r11,40(%rsp) + movq %r12,48(%rsp) + movq %rcx,56(%rsp) + call *__imp_RtlVirtualUnwind(%rip) + + movl $1,%eax + addq $64,%rsp + popfq + popq %r15 + popq %r14 + popq %r13 + popq %r12 + popq %rbp + popq %rbx + popq %rdi + popq %rsi + retq + + +.section .pdata +.p2align 2 +.rva .LSEH_begin_AES_encrypt +.rva .LSEH_end_AES_encrypt +.rva .LSEH_info_AES_encrypt + +.rva .LSEH_begin_AES_decrypt +.rva .LSEH_end_AES_decrypt +.rva .LSEH_info_AES_decrypt + +.rva .LSEH_begin_AES_set_encrypt_key +.rva .LSEH_end_AES_set_encrypt_key +.rva .LSEH_info_AES_set_encrypt_key + +.rva .LSEH_begin_AES_set_decrypt_key +.rva .LSEH_end_AES_set_decrypt_key +.rva .LSEH_info_AES_set_decrypt_key + +.rva .LSEH_begin_AES_cbc_encrypt +.rva .LSEH_end_AES_cbc_encrypt +.rva .LSEH_info_AES_cbc_encrypt + +.section .xdata +.p2align 3 +.LSEH_info_AES_encrypt: +.byte 9,0,0,0 +.rva block_se_handler +.rva .Lenc_prologue,.Lenc_epilogue +.LSEH_info_AES_decrypt: +.byte 9,0,0,0 +.rva block_se_handler +.rva .Ldec_prologue,.Ldec_epilogue +.LSEH_info_AES_set_encrypt_key: +.byte 9,0,0,0 +.rva key_se_handler +.rva .Lenc_key_prologue,.Lenc_key_epilogue +.LSEH_info_AES_set_decrypt_key: +.byte 9,0,0,0 +.rva key_se_handler +.rva .Ldec_key_prologue,.Ldec_key_epilogue +.LSEH_info_AES_cbc_encrypt: +.byte 9,0,0,0 +.rva cbc_se_handler diff --git a/crypto/aes/aes_wrap.c b/crypto/aes/aes_wrap.c index ac2f83a..b30630f 100644 
--- a/crypto/aes/aes_wrap.c +++ b/crypto/aes/aes_wrap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: aes_wrap.c,v 1.10 2015/09/10 15:56:24 jsing Exp $ */ +/* $OpenBSD: aes_wrap.c,v 1.12 2018/11/07 18:31:16 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -66,11 +66,12 @@ AES_wrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out, { unsigned char *A, B[16], *R; unsigned int i, j, t; - if ((inlen & 0x7) || (inlen < 8)) + + if ((inlen & 0x7) || (inlen < 16)) return -1; A = B; t = 1; - memcpy(out + 8, in, inlen); + memmove(out + 8, in, inlen); if (!iv) iv = default_iv; @@ -100,15 +101,14 @@ AES_unwrap_key(AES_KEY *key, const unsigned char *iv, unsigned char *out, { unsigned char *A, B[16], *R; unsigned int i, j, t; + + if ((inlen & 0x7) || (inlen < 24)) + return -1; inlen -= 8; - if (inlen & 0x7) - return -1; - if (inlen < 8) - return -1; A = B; t = 6 * (inlen >> 3); memcpy(A, in, 8); - memcpy(out, in + 8, inlen); + memmove(out, in + 8, inlen); for (j = 0; j < 6; j++) { R = out + inlen - 8; for (i = 0; i < inlen; i += 8, t--, R -= 8) { diff --git a/crypto/aes/aesni-masm-x86_64.S b/crypto/aes/aesni-masm-x86_64.S new file mode 100644 index 0000000..f2a2490 --- /dev/null +++ b/crypto/aes/aesni-masm-x86_64.S 
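Review bot: The new length guards in AES_wrap_key and AES_unwrap_key (`inlen < 16` and `inlen < 24`) are bare magic numbers with no comment explaining the bounds, and both functions continue outside their hunks. I would annotate the wrap check with `/* RFC 3394 requires at least two 64-bit blocks of key data (n >= 2) */` and the unwrap check with `/* wrapped data is n + 1 blocks, so at least 24 bytes for n >= 2 */`, so a later reader does not "relax" them back toward 8. The memcpy→memmove switch in both functions is equally silent: without a comment it reads as an arbitrary substitution, whereas it is what makes `in == out` (in-place wrapping) well-defined, so a note such as `/* memmove: in and out may overlap */` belongs on each call. In AES_unwrap_key the statement order also matters — `memcpy(A, in, 8)` must stay before the memmove, because when the buffers alias the move overwrites the first 8 bytes of `in` — and deserves a one-line comment of its own.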
@@ -0,0 +1,3099 @@ +; 1 "crypto/aes/aesni-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/aes/aesni-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/aes/aesni-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' +PUBLIC aesni_encrypt + +ALIGN 16 +aesni_encrypt PROC PUBLIC + movups xmm2,XMMWORD PTR[rcx] + mov eax,DWORD PTR[240+r8] + movups xmm0,XMMWORD PTR[r8] + movups xmm1,XMMWORD PTR[16+r8] + lea r8,QWORD PTR[32+r8] + xorps xmm2,xmm0 +$L$oop_enc1_1:: + aesenc xmm2,xmm1 + dec eax + movups xmm1,XMMWORD PTR[r8] + lea r8,QWORD PTR[16+r8] + jnz $L$oop_enc1_1 + aesenclast xmm2,xmm1 + movups XMMWORD PTR[rdx],xmm2 + DB 0F3h,0C3h ;repret +aesni_encrypt ENDP + +PUBLIC aesni_decrypt + +ALIGN 16 +aesni_decrypt PROC PUBLIC + movups xmm2,XMMWORD PTR[rcx] + mov eax,DWORD PTR[240+r8] + movups xmm0,XMMWORD PTR[r8] + movups xmm1,XMMWORD PTR[16+r8] + lea r8,QWORD PTR[32+r8] + xorps xmm2,xmm0 +$L$oop_dec1_2:: + aesdec xmm2,xmm1 + dec eax + movups xmm1,XMMWORD PTR[r8] + lea r8,QWORD PTR[16+r8] + jnz $L$oop_dec1_2 + aesdeclast xmm2,xmm1 + movups XMMWORD PTR[rdx],xmm2 + DB 0F3h,0C3h ;repret +aesni_decrypt ENDP + +ALIGN 16 +_aesni_encrypt3 PROC PRIVATE + movups xmm0,XMMWORD PTR[rcx] + shr eax,1 + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 + xorps xmm3,xmm0 + xorps xmm4,xmm0 + movups xmm0,XMMWORD PTR[rcx] + +$L$enc_loop3:: + aesenc xmm2,xmm1 + aesenc xmm3,xmm1 + dec eax + aesenc xmm4,xmm1 + movups xmm1,XMMWORD PTR[16+rcx] + aesenc xmm2,xmm0 + aesenc xmm3,xmm0 + lea rcx,QWORD PTR[32+rcx] + aesenc xmm4,xmm0 + movups xmm0,XMMWORD PTR[rcx] + jnz $L$enc_loop3 + + aesenc xmm2,xmm1 + aesenc xmm3,xmm1 + aesenc xmm4,xmm1 + aesenclast xmm2,xmm0 + aesenclast xmm3,xmm0 + aesenclast xmm4,xmm0 + DB 0F3h,0C3h ;repret +_aesni_encrypt3 
ENDP + +ALIGN 16 +_aesni_decrypt3 PROC PRIVATE + movups xmm0,XMMWORD PTR[rcx] + shr eax,1 + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 + xorps xmm3,xmm0 + xorps xmm4,xmm0 + movups xmm0,XMMWORD PTR[rcx] + +$L$dec_loop3:: + aesdec xmm2,xmm1 + aesdec xmm3,xmm1 + dec eax + aesdec xmm4,xmm1 + movups xmm1,XMMWORD PTR[16+rcx] + aesdec xmm2,xmm0 + aesdec xmm3,xmm0 + lea rcx,QWORD PTR[32+rcx] + aesdec xmm4,xmm0 + movups xmm0,XMMWORD PTR[rcx] + jnz $L$dec_loop3 + + aesdec xmm2,xmm1 + aesdec xmm3,xmm1 + aesdec xmm4,xmm1 + aesdeclast xmm2,xmm0 + aesdeclast xmm3,xmm0 + aesdeclast xmm4,xmm0 + DB 0F3h,0C3h ;repret +_aesni_decrypt3 ENDP + +ALIGN 16 +_aesni_encrypt4 PROC PRIVATE + movups xmm0,XMMWORD PTR[rcx] + shr eax,1 + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 + xorps xmm3,xmm0 + xorps xmm4,xmm0 + xorps xmm5,xmm0 + movups xmm0,XMMWORD PTR[rcx] + +$L$enc_loop4:: + aesenc xmm2,xmm1 + aesenc xmm3,xmm1 + dec eax + aesenc xmm4,xmm1 + aesenc xmm5,xmm1 + movups xmm1,XMMWORD PTR[16+rcx] + aesenc xmm2,xmm0 + aesenc xmm3,xmm0 + lea rcx,QWORD PTR[32+rcx] + aesenc xmm4,xmm0 + aesenc xmm5,xmm0 + movups xmm0,XMMWORD PTR[rcx] + jnz $L$enc_loop4 + + aesenc xmm2,xmm1 + aesenc xmm3,xmm1 + aesenc xmm4,xmm1 + aesenc xmm5,xmm1 + aesenclast xmm2,xmm0 + aesenclast xmm3,xmm0 + aesenclast xmm4,xmm0 + aesenclast xmm5,xmm0 + DB 0F3h,0C3h ;repret +_aesni_encrypt4 ENDP + +ALIGN 16 +_aesni_decrypt4 PROC PRIVATE + movups xmm0,XMMWORD PTR[rcx] + shr eax,1 + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 + xorps xmm3,xmm0 + xorps xmm4,xmm0 + xorps xmm5,xmm0 + movups xmm0,XMMWORD PTR[rcx] + +$L$dec_loop4:: + aesdec xmm2,xmm1 + aesdec xmm3,xmm1 + dec eax + aesdec xmm4,xmm1 + aesdec xmm5,xmm1 + movups xmm1,XMMWORD PTR[16+rcx] + aesdec xmm2,xmm0 + aesdec xmm3,xmm0 + lea rcx,QWORD PTR[32+rcx] + aesdec xmm4,xmm0 + aesdec xmm5,xmm0 + movups xmm0,XMMWORD PTR[rcx] + jnz $L$dec_loop4 + + aesdec xmm2,xmm1 + aesdec 
xmm3,xmm1 + aesdec xmm4,xmm1 + aesdec xmm5,xmm1 + aesdeclast xmm2,xmm0 + aesdeclast xmm3,xmm0 + aesdeclast xmm4,xmm0 + aesdeclast xmm5,xmm0 + DB 0F3h,0C3h ;repret +_aesni_decrypt4 ENDP + +ALIGN 16 +_aesni_encrypt6 PROC PRIVATE + movups xmm0,XMMWORD PTR[rcx] + shr eax,1 + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 + pxor xmm3,xmm0 + aesenc xmm2,xmm1 + pxor xmm4,xmm0 + aesenc xmm3,xmm1 + pxor xmm5,xmm0 + aesenc xmm4,xmm1 + pxor xmm6,xmm0 + aesenc xmm5,xmm1 + pxor xmm7,xmm0 + dec eax + aesenc xmm6,xmm1 + movups xmm0,XMMWORD PTR[rcx] + aesenc xmm7,xmm1 + jmp $L$enc_loop6_enter +ALIGN 16 +$L$enc_loop6:: + aesenc xmm2,xmm1 + aesenc xmm3,xmm1 + dec eax + aesenc xmm4,xmm1 + aesenc xmm5,xmm1 + aesenc xmm6,xmm1 + aesenc xmm7,xmm1 +$L$enc_loop6_enter:: + movups xmm1,XMMWORD PTR[16+rcx] + aesenc xmm2,xmm0 + aesenc xmm3,xmm0 + lea rcx,QWORD PTR[32+rcx] + aesenc xmm4,xmm0 + aesenc xmm5,xmm0 + aesenc xmm6,xmm0 + aesenc xmm7,xmm0 + movups xmm0,XMMWORD PTR[rcx] + jnz $L$enc_loop6 + + aesenc xmm2,xmm1 + aesenc xmm3,xmm1 + aesenc xmm4,xmm1 + aesenc xmm5,xmm1 + aesenc xmm6,xmm1 + aesenc xmm7,xmm1 + aesenclast xmm2,xmm0 + aesenclast xmm3,xmm0 + aesenclast xmm4,xmm0 + aesenclast xmm5,xmm0 + aesenclast xmm6,xmm0 + aesenclast xmm7,xmm0 + DB 0F3h,0C3h ;repret +_aesni_encrypt6 ENDP + +ALIGN 16 +_aesni_decrypt6 PROC PRIVATE + movups xmm0,XMMWORD PTR[rcx] + shr eax,1 + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 + pxor xmm3,xmm0 + aesdec xmm2,xmm1 + pxor xmm4,xmm0 + aesdec xmm3,xmm1 + pxor xmm5,xmm0 + aesdec xmm4,xmm1 + pxor xmm6,xmm0 + aesdec xmm5,xmm1 + pxor xmm7,xmm0 + dec eax + aesdec xmm6,xmm1 + movups xmm0,XMMWORD PTR[rcx] + aesdec xmm7,xmm1 + jmp $L$dec_loop6_enter +ALIGN 16 +$L$dec_loop6:: + aesdec xmm2,xmm1 + aesdec xmm3,xmm1 + dec eax + aesdec xmm4,xmm1 + aesdec xmm5,xmm1 + aesdec xmm6,xmm1 + aesdec xmm7,xmm1 +$L$dec_loop6_enter:: + movups xmm1,XMMWORD PTR[16+rcx] + aesdec xmm2,xmm0 + aesdec xmm3,xmm0 + lea 
rcx,QWORD PTR[32+rcx] + aesdec xmm4,xmm0 + aesdec xmm5,xmm0 + aesdec xmm6,xmm0 + aesdec xmm7,xmm0 + movups xmm0,XMMWORD PTR[rcx] + jnz $L$dec_loop6 + + aesdec xmm2,xmm1 + aesdec xmm3,xmm1 + aesdec xmm4,xmm1 + aesdec xmm5,xmm1 + aesdec xmm6,xmm1 + aesdec xmm7,xmm1 + aesdeclast xmm2,xmm0 + aesdeclast xmm3,xmm0 + aesdeclast xmm4,xmm0 + aesdeclast xmm5,xmm0 + aesdeclast xmm6,xmm0 + aesdeclast xmm7,xmm0 + DB 0F3h,0C3h ;repret +_aesni_decrypt6 ENDP + +ALIGN 16 +_aesni_encrypt8 PROC PRIVATE + movups xmm0,XMMWORD PTR[rcx] + shr eax,1 + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 + xorps xmm3,xmm0 + aesenc xmm2,xmm1 + pxor xmm4,xmm0 + aesenc xmm3,xmm1 + pxor xmm5,xmm0 + aesenc xmm4,xmm1 + pxor xmm6,xmm0 + aesenc xmm5,xmm1 + pxor xmm7,xmm0 + dec eax + aesenc xmm6,xmm1 + pxor xmm8,xmm0 + aesenc xmm7,xmm1 + pxor xmm9,xmm0 + movups xmm0,XMMWORD PTR[rcx] + aesenc xmm8,xmm1 + aesenc xmm9,xmm1 + movups xmm1,XMMWORD PTR[16+rcx] + jmp $L$enc_loop8_enter +ALIGN 16 +$L$enc_loop8:: + aesenc xmm2,xmm1 + aesenc xmm3,xmm1 + dec eax + aesenc xmm4,xmm1 + aesenc xmm5,xmm1 + aesenc xmm6,xmm1 + aesenc xmm7,xmm1 + aesenc xmm8,xmm1 + aesenc xmm9,xmm1 + movups xmm1,XMMWORD PTR[16+rcx] +$L$enc_loop8_enter:: + aesenc xmm2,xmm0 + aesenc xmm3,xmm0 + lea rcx,QWORD PTR[32+rcx] + aesenc xmm4,xmm0 + aesenc xmm5,xmm0 + aesenc xmm6,xmm0 + aesenc xmm7,xmm0 + aesenc xmm8,xmm0 + aesenc xmm9,xmm0 + movups xmm0,XMMWORD PTR[rcx] + jnz $L$enc_loop8 + + aesenc xmm2,xmm1 + aesenc xmm3,xmm1 + aesenc xmm4,xmm1 + aesenc xmm5,xmm1 + aesenc xmm6,xmm1 + aesenc xmm7,xmm1 + aesenc xmm8,xmm1 + aesenc xmm9,xmm1 + aesenclast xmm2,xmm0 + aesenclast xmm3,xmm0 + aesenclast xmm4,xmm0 + aesenclast xmm5,xmm0 + aesenclast xmm6,xmm0 + aesenclast xmm7,xmm0 + aesenclast xmm8,xmm0 + aesenclast xmm9,xmm0 + DB 0F3h,0C3h ;repret +_aesni_encrypt8 ENDP + +ALIGN 16 +_aesni_decrypt8 PROC PRIVATE + movups xmm0,XMMWORD PTR[rcx] + shr eax,1 + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps 
xmm2,xmm0 + xorps xmm3,xmm0 + aesdec xmm2,xmm1 + pxor xmm4,xmm0 + aesdec xmm3,xmm1 + pxor xmm5,xmm0 + aesdec xmm4,xmm1 + pxor xmm6,xmm0 + aesdec xmm5,xmm1 + pxor xmm7,xmm0 + dec eax + aesdec xmm6,xmm1 + pxor xmm8,xmm0 + aesdec xmm7,xmm1 + pxor xmm9,xmm0 + movups xmm0,XMMWORD PTR[rcx] + aesdec xmm8,xmm1 + aesdec xmm9,xmm1 + movups xmm1,XMMWORD PTR[16+rcx] + jmp $L$dec_loop8_enter +ALIGN 16 +$L$dec_loop8:: + aesdec xmm2,xmm1 + aesdec xmm3,xmm1 + dec eax + aesdec xmm4,xmm1 + aesdec xmm5,xmm1 + aesdec xmm6,xmm1 + aesdec xmm7,xmm1 + aesdec xmm8,xmm1 + aesdec xmm9,xmm1 + movups xmm1,XMMWORD PTR[16+rcx] +$L$dec_loop8_enter:: + aesdec xmm2,xmm0 + aesdec xmm3,xmm0 + lea rcx,QWORD PTR[32+rcx] + aesdec xmm4,xmm0 + aesdec xmm5,xmm0 + aesdec xmm6,xmm0 + aesdec xmm7,xmm0 + aesdec xmm8,xmm0 + aesdec xmm9,xmm0 + movups xmm0,XMMWORD PTR[rcx] + jnz $L$dec_loop8 + + aesdec xmm2,xmm1 + aesdec xmm3,xmm1 + aesdec xmm4,xmm1 + aesdec xmm5,xmm1 + aesdec xmm6,xmm1 + aesdec xmm7,xmm1 + aesdec xmm8,xmm1 + aesdec xmm9,xmm1 + aesdeclast xmm2,xmm0 + aesdeclast xmm3,xmm0 + aesdeclast xmm4,xmm0 + aesdeclast xmm5,xmm0 + aesdeclast xmm6,xmm0 + aesdeclast xmm7,xmm0 + aesdeclast xmm8,xmm0 + aesdeclast xmm9,xmm0 + DB 0F3h,0C3h ;repret +_aesni_decrypt8 ENDP +PUBLIC aesni_ecb_encrypt + +ALIGN 16 +aesni_ecb_encrypt PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_aesni_ecb_encrypt:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + + + and rdx,-16 + jz $L$ecb_ret + + mov eax,DWORD PTR[240+rcx] + movups xmm0,XMMWORD PTR[rcx] + mov r11,rcx + mov r10d,eax + test r8d,r8d + jz $L$ecb_decrypt + + cmp rdx,080h + jb $L$ecb_enc_tail + + movdqu xmm2,XMMWORD PTR[rdi] + movdqu xmm3,XMMWORD PTR[16+rdi] + movdqu xmm4,XMMWORD PTR[32+rdi] + movdqu xmm5,XMMWORD PTR[48+rdi] + movdqu xmm6,XMMWORD PTR[64+rdi] + movdqu xmm7,XMMWORD PTR[80+rdi] + movdqu xmm8,XMMWORD PTR[96+rdi] + movdqu xmm9,XMMWORD PTR[112+rdi] + lea rdi,QWORD 
PTR[128+rdi] + sub rdx,080h + jmp $L$ecb_enc_loop8_enter +ALIGN 16 +$L$ecb_enc_loop8:: + movups XMMWORD PTR[rsi],xmm2 + mov rcx,r11 + movdqu xmm2,XMMWORD PTR[rdi] + mov eax,r10d + movups XMMWORD PTR[16+rsi],xmm3 + movdqu xmm3,XMMWORD PTR[16+rdi] + movups XMMWORD PTR[32+rsi],xmm4 + movdqu xmm4,XMMWORD PTR[32+rdi] + movups XMMWORD PTR[48+rsi],xmm5 + movdqu xmm5,XMMWORD PTR[48+rdi] + movups XMMWORD PTR[64+rsi],xmm6 + movdqu xmm6,XMMWORD PTR[64+rdi] + movups XMMWORD PTR[80+rsi],xmm7 + movdqu xmm7,XMMWORD PTR[80+rdi] + movups XMMWORD PTR[96+rsi],xmm8 + movdqu xmm8,XMMWORD PTR[96+rdi] + movups XMMWORD PTR[112+rsi],xmm9 + lea rsi,QWORD PTR[128+rsi] + movdqu xmm9,XMMWORD PTR[112+rdi] + lea rdi,QWORD PTR[128+rdi] +$L$ecb_enc_loop8_enter:: + + call _aesni_encrypt8 + + sub rdx,080h + jnc $L$ecb_enc_loop8 + + movups XMMWORD PTR[rsi],xmm2 + mov rcx,r11 + movups XMMWORD PTR[16+rsi],xmm3 + mov eax,r10d + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + movups XMMWORD PTR[64+rsi],xmm6 + movups XMMWORD PTR[80+rsi],xmm7 + movups XMMWORD PTR[96+rsi],xmm8 + movups XMMWORD PTR[112+rsi],xmm9 + lea rsi,QWORD PTR[128+rsi] + add rdx,080h + jz $L$ecb_ret + +$L$ecb_enc_tail:: + movups xmm2,XMMWORD PTR[rdi] + cmp rdx,020h + jb $L$ecb_enc_one + movups xmm3,XMMWORD PTR[16+rdi] + je $L$ecb_enc_two + movups xmm4,XMMWORD PTR[32+rdi] + cmp rdx,040h + jb $L$ecb_enc_three + movups xmm5,XMMWORD PTR[48+rdi] + je $L$ecb_enc_four + movups xmm6,XMMWORD PTR[64+rdi] + cmp rdx,060h + jb $L$ecb_enc_five + movups xmm7,XMMWORD PTR[80+rdi] + je $L$ecb_enc_six + movdqu xmm8,XMMWORD PTR[96+rdi] + call _aesni_encrypt8 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + movups XMMWORD PTR[64+rsi],xmm6 + movups XMMWORD PTR[80+rsi],xmm7 + movups XMMWORD PTR[96+rsi],xmm8 + jmp $L$ecb_ret +ALIGN 16 +$L$ecb_enc_one:: + movups xmm0,XMMWORD PTR[rcx] + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps 
xmm2,xmm0 +$L$oop_enc1_3:: + aesenc xmm2,xmm1 + dec eax + movups xmm1,XMMWORD PTR[rcx] + lea rcx,QWORD PTR[16+rcx] + jnz $L$oop_enc1_3 + aesenclast xmm2,xmm1 + movups XMMWORD PTR[rsi],xmm2 + jmp $L$ecb_ret +ALIGN 16 +$L$ecb_enc_two:: + xorps xmm4,xmm4 + call _aesni_encrypt3 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + jmp $L$ecb_ret +ALIGN 16 +$L$ecb_enc_three:: + call _aesni_encrypt3 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + jmp $L$ecb_ret +ALIGN 16 +$L$ecb_enc_four:: + call _aesni_encrypt4 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + jmp $L$ecb_ret +ALIGN 16 +$L$ecb_enc_five:: + xorps xmm7,xmm7 + call _aesni_encrypt6 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + movups XMMWORD PTR[64+rsi],xmm6 + jmp $L$ecb_ret +ALIGN 16 +$L$ecb_enc_six:: + call _aesni_encrypt6 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + movups XMMWORD PTR[64+rsi],xmm6 + movups XMMWORD PTR[80+rsi],xmm7 + jmp $L$ecb_ret + +ALIGN 16 +$L$ecb_decrypt:: + cmp rdx,080h + jb $L$ecb_dec_tail + + movdqu xmm2,XMMWORD PTR[rdi] + movdqu xmm3,XMMWORD PTR[16+rdi] + movdqu xmm4,XMMWORD PTR[32+rdi] + movdqu xmm5,XMMWORD PTR[48+rdi] + movdqu xmm6,XMMWORD PTR[64+rdi] + movdqu xmm7,XMMWORD PTR[80+rdi] + movdqu xmm8,XMMWORD PTR[96+rdi] + movdqu xmm9,XMMWORD PTR[112+rdi] + lea rdi,QWORD PTR[128+rdi] + sub rdx,080h + jmp $L$ecb_dec_loop8_enter +ALIGN 16 +$L$ecb_dec_loop8:: + movups XMMWORD PTR[rsi],xmm2 + mov rcx,r11 + movdqu xmm2,XMMWORD PTR[rdi] + mov eax,r10d + movups XMMWORD PTR[16+rsi],xmm3 + movdqu xmm3,XMMWORD PTR[16+rdi] + movups XMMWORD PTR[32+rsi],xmm4 + movdqu xmm4,XMMWORD PTR[32+rdi] + movups XMMWORD PTR[48+rsi],xmm5 + movdqu xmm5,XMMWORD PTR[48+rdi] + movups 
XMMWORD PTR[64+rsi],xmm6 + movdqu xmm6,XMMWORD PTR[64+rdi] + movups XMMWORD PTR[80+rsi],xmm7 + movdqu xmm7,XMMWORD PTR[80+rdi] + movups XMMWORD PTR[96+rsi],xmm8 + movdqu xmm8,XMMWORD PTR[96+rdi] + movups XMMWORD PTR[112+rsi],xmm9 + lea rsi,QWORD PTR[128+rsi] + movdqu xmm9,XMMWORD PTR[112+rdi] + lea rdi,QWORD PTR[128+rdi] +$L$ecb_dec_loop8_enter:: + + call _aesni_decrypt8 + + movups xmm0,XMMWORD PTR[r11] + sub rdx,080h + jnc $L$ecb_dec_loop8 + + movups XMMWORD PTR[rsi],xmm2 + mov rcx,r11 + movups XMMWORD PTR[16+rsi],xmm3 + mov eax,r10d + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + movups XMMWORD PTR[64+rsi],xmm6 + movups XMMWORD PTR[80+rsi],xmm7 + movups XMMWORD PTR[96+rsi],xmm8 + movups XMMWORD PTR[112+rsi],xmm9 + lea rsi,QWORD PTR[128+rsi] + add rdx,080h + jz $L$ecb_ret + +$L$ecb_dec_tail:: + movups xmm2,XMMWORD PTR[rdi] + cmp rdx,020h + jb $L$ecb_dec_one + movups xmm3,XMMWORD PTR[16+rdi] + je $L$ecb_dec_two + movups xmm4,XMMWORD PTR[32+rdi] + cmp rdx,040h + jb $L$ecb_dec_three + movups xmm5,XMMWORD PTR[48+rdi] + je $L$ecb_dec_four + movups xmm6,XMMWORD PTR[64+rdi] + cmp rdx,060h + jb $L$ecb_dec_five + movups xmm7,XMMWORD PTR[80+rdi] + je $L$ecb_dec_six + movups xmm8,XMMWORD PTR[96+rdi] + movups xmm0,XMMWORD PTR[rcx] + call _aesni_decrypt8 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + movups XMMWORD PTR[64+rsi],xmm6 + movups XMMWORD PTR[80+rsi],xmm7 + movups XMMWORD PTR[96+rsi],xmm8 + jmp $L$ecb_ret +ALIGN 16 +$L$ecb_dec_one:: + movups xmm0,XMMWORD PTR[rcx] + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 +$L$oop_dec1_4:: + aesdec xmm2,xmm1 + dec eax + movups xmm1,XMMWORD PTR[rcx] + lea rcx,QWORD PTR[16+rcx] + jnz $L$oop_dec1_4 + aesdeclast xmm2,xmm1 + movups XMMWORD PTR[rsi],xmm2 + jmp $L$ecb_ret +ALIGN 16 +$L$ecb_dec_two:: + xorps xmm4,xmm4 + call _aesni_decrypt3 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD 
PTR[16+rsi],xmm3 + jmp $L$ecb_ret +ALIGN 16 +$L$ecb_dec_three:: + call _aesni_decrypt3 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + jmp $L$ecb_ret +ALIGN 16 +$L$ecb_dec_four:: + call _aesni_decrypt4 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + jmp $L$ecb_ret +ALIGN 16 +$L$ecb_dec_five:: + xorps xmm7,xmm7 + call _aesni_decrypt6 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + movups XMMWORD PTR[64+rsi],xmm6 + jmp $L$ecb_ret +ALIGN 16 +$L$ecb_dec_six:: + call _aesni_decrypt6 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + movups XMMWORD PTR[64+rsi],xmm6 + movups XMMWORD PTR[80+rsi],xmm7 + +$L$ecb_ret:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_aesni_ecb_encrypt:: +aesni_ecb_encrypt ENDP +PUBLIC aesni_ccm64_encrypt_blocks + +ALIGN 16 +aesni_ccm64_encrypt_blocks PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_aesni_ccm64_encrypt_blocks:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + + lea rsp,QWORD PTR[((-88))+rsp] + movaps XMMWORD PTR[rsp],xmm6 + movaps XMMWORD PTR[16+rsp],xmm7 + movaps XMMWORD PTR[32+rsp],xmm8 + movaps XMMWORD PTR[48+rsp],xmm9 +$L$ccm64_enc_body:: + mov eax,DWORD PTR[240+rcx] + movdqu xmm9,XMMWORD PTR[r8] + movdqa xmm6,XMMWORD PTR[$L$increment64] + movdqa xmm7,XMMWORD PTR[$L$bswap_mask] + + shr eax,1 + lea r11,QWORD PTR[rcx] + movdqu xmm3,XMMWORD PTR[r9] + movdqa xmm2,xmm9 + mov r10d,eax +DB 102,68,15,56,0,207 + jmp $L$ccm64_enc_outer +ALIGN 16 +$L$ccm64_enc_outer:: + movups xmm0,XMMWORD PTR[r11] + mov eax,r10d + movups xmm8,XMMWORD PTR[rdi] + + 
xorps xmm2,xmm0 + movups xmm1,XMMWORD PTR[16+r11] + xorps xmm0,xmm8 + lea rcx,QWORD PTR[32+r11] + xorps xmm3,xmm0 + movups xmm0,XMMWORD PTR[rcx] + +$L$ccm64_enc2_loop:: + aesenc xmm2,xmm1 + dec eax + aesenc xmm3,xmm1 + movups xmm1,XMMWORD PTR[16+rcx] + aesenc xmm2,xmm0 + lea rcx,QWORD PTR[32+rcx] + aesenc xmm3,xmm0 + movups xmm0,XMMWORD PTR[rcx] + jnz $L$ccm64_enc2_loop + aesenc xmm2,xmm1 + aesenc xmm3,xmm1 + paddq xmm9,xmm6 + aesenclast xmm2,xmm0 + aesenclast xmm3,xmm0 + + dec rdx + lea rdi,QWORD PTR[16+rdi] + xorps xmm8,xmm2 + movdqa xmm2,xmm9 + movups XMMWORD PTR[rsi],xmm8 + lea rsi,QWORD PTR[16+rsi] +DB 102,15,56,0,215 + jnz $L$ccm64_enc_outer + + movups XMMWORD PTR[r9],xmm3 + movaps xmm6,XMMWORD PTR[rsp] + movaps xmm7,XMMWORD PTR[16+rsp] + movaps xmm8,XMMWORD PTR[32+rsp] + movaps xmm9,XMMWORD PTR[48+rsp] + lea rsp,QWORD PTR[88+rsp] +$L$ccm64_enc_ret:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_aesni_ccm64_encrypt_blocks:: +aesni_ccm64_encrypt_blocks ENDP +PUBLIC aesni_ccm64_decrypt_blocks + +ALIGN 16 +aesni_ccm64_decrypt_blocks PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_aesni_ccm64_decrypt_blocks:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + + lea rsp,QWORD PTR[((-88))+rsp] + movaps XMMWORD PTR[rsp],xmm6 + movaps XMMWORD PTR[16+rsp],xmm7 + movaps XMMWORD PTR[32+rsp],xmm8 + movaps XMMWORD PTR[48+rsp],xmm9 +$L$ccm64_dec_body:: + mov eax,DWORD PTR[240+rcx] + movups xmm9,XMMWORD PTR[r8] + movdqu xmm3,XMMWORD PTR[r9] + movdqa xmm6,XMMWORD PTR[$L$increment64] + movdqa xmm7,XMMWORD PTR[$L$bswap_mask] + + movaps xmm2,xmm9 + mov r10d,eax + mov r11,rcx +DB 102,68,15,56,0,207 + movups xmm0,XMMWORD PTR[rcx] + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 +$L$oop_enc1_5:: + aesenc xmm2,xmm1 + dec eax + movups xmm1,XMMWORD PTR[rcx] + lea rcx,QWORD 
PTR[16+rcx] + jnz $L$oop_enc1_5 + aesenclast xmm2,xmm1 + movups xmm8,XMMWORD PTR[rdi] + paddq xmm9,xmm6 + lea rdi,QWORD PTR[16+rdi] + jmp $L$ccm64_dec_outer +ALIGN 16 +$L$ccm64_dec_outer:: + xorps xmm8,xmm2 + movdqa xmm2,xmm9 + mov eax,r10d + movups XMMWORD PTR[rsi],xmm8 + lea rsi,QWORD PTR[16+rsi] +DB 102,15,56,0,215 + + sub rdx,1 + jz $L$ccm64_dec_break + + movups xmm0,XMMWORD PTR[r11] + shr eax,1 + movups xmm1,XMMWORD PTR[16+r11] + xorps xmm8,xmm0 + lea rcx,QWORD PTR[32+r11] + xorps xmm2,xmm0 + xorps xmm3,xmm8 + movups xmm0,XMMWORD PTR[rcx] + +$L$ccm64_dec2_loop:: + aesenc xmm2,xmm1 + dec eax + aesenc xmm3,xmm1 + movups xmm1,XMMWORD PTR[16+rcx] + aesenc xmm2,xmm0 + lea rcx,QWORD PTR[32+rcx] + aesenc xmm3,xmm0 + movups xmm0,XMMWORD PTR[rcx] + jnz $L$ccm64_dec2_loop + movups xmm8,XMMWORD PTR[rdi] + paddq xmm9,xmm6 + aesenc xmm2,xmm1 + aesenc xmm3,xmm1 + lea rdi,QWORD PTR[16+rdi] + aesenclast xmm2,xmm0 + aesenclast xmm3,xmm0 + jmp $L$ccm64_dec_outer + +ALIGN 16 +$L$ccm64_dec_break:: + + movups xmm0,XMMWORD PTR[r11] + movups xmm1,XMMWORD PTR[16+r11] + xorps xmm8,xmm0 + lea r11,QWORD PTR[32+r11] + xorps xmm3,xmm8 +$L$oop_enc1_6:: + aesenc xmm3,xmm1 + dec eax + movups xmm1,XMMWORD PTR[r11] + lea r11,QWORD PTR[16+r11] + jnz $L$oop_enc1_6 + aesenclast xmm3,xmm1 + movups XMMWORD PTR[r9],xmm3 + movaps xmm6,XMMWORD PTR[rsp] + movaps xmm7,XMMWORD PTR[16+rsp] + movaps xmm8,XMMWORD PTR[32+rsp] + movaps xmm9,XMMWORD PTR[48+rsp] + lea rsp,QWORD PTR[88+rsp] +$L$ccm64_dec_ret:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_aesni_ccm64_decrypt_blocks:: +aesni_ccm64_decrypt_blocks ENDP +PUBLIC aesni_ctr32_encrypt_blocks + +ALIGN 16 +aesni_ctr32_encrypt_blocks PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_aesni_ctr32_encrypt_blocks:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + + + lea rsp,QWORD PTR[((-200))+rsp] + movaps 
XMMWORD PTR[32+rsp],xmm6 + movaps XMMWORD PTR[48+rsp],xmm7 + movaps XMMWORD PTR[64+rsp],xmm8 + movaps XMMWORD PTR[80+rsp],xmm9 + movaps XMMWORD PTR[96+rsp],xmm10 + movaps XMMWORD PTR[112+rsp],xmm11 + movaps XMMWORD PTR[128+rsp],xmm12 + movaps XMMWORD PTR[144+rsp],xmm13 + movaps XMMWORD PTR[160+rsp],xmm14 + movaps XMMWORD PTR[176+rsp],xmm15 +$L$ctr32_body:: + cmp rdx,1 + je $L$ctr32_one_shortcut + + movdqu xmm14,XMMWORD PTR[r8] + movdqa xmm15,XMMWORD PTR[$L$bswap_mask] + xor eax,eax +DB 102,69,15,58,22,242,3 +DB 102,68,15,58,34,240,3 + + mov eax,DWORD PTR[240+rcx] + bswap r10d + pxor xmm12,xmm12 + pxor xmm13,xmm13 +DB 102,69,15,58,34,226,0 + lea r11,QWORD PTR[3+r10] +DB 102,69,15,58,34,235,0 + inc r10d +DB 102,69,15,58,34,226,1 + inc r11 +DB 102,69,15,58,34,235,1 + inc r10d +DB 102,69,15,58,34,226,2 + inc r11 +DB 102,69,15,58,34,235,2 + movdqa XMMWORD PTR[rsp],xmm12 +DB 102,69,15,56,0,231 + movdqa XMMWORD PTR[16+rsp],xmm13 +DB 102,69,15,56,0,239 + + pshufd xmm2,xmm12,192 + pshufd xmm3,xmm12,128 + pshufd xmm4,xmm12,64 + cmp rdx,6 + jb $L$ctr32_tail + shr eax,1 + mov r11,rcx + mov r10d,eax + sub rdx,6 + jmp $L$ctr32_loop6 + +ALIGN 16 +$L$ctr32_loop6:: + pshufd xmm5,xmm13,192 + por xmm2,xmm14 + movups xmm0,XMMWORD PTR[r11] + pshufd xmm6,xmm13,128 + por xmm3,xmm14 + movups xmm1,XMMWORD PTR[16+r11] + pshufd xmm7,xmm13,64 + por xmm4,xmm14 + por xmm5,xmm14 + xorps xmm2,xmm0 + por xmm6,xmm14 + por xmm7,xmm14 + + + + + pxor xmm3,xmm0 + aesenc xmm2,xmm1 + lea rcx,QWORD PTR[32+r11] + pxor xmm4,xmm0 + aesenc xmm3,xmm1 + movdqa xmm13,XMMWORD PTR[$L$increment32] + pxor xmm5,xmm0 + aesenc xmm4,xmm1 + movdqa xmm12,XMMWORD PTR[rsp] + pxor xmm6,xmm0 + aesenc xmm5,xmm1 + pxor xmm7,xmm0 + movups xmm0,XMMWORD PTR[rcx] + dec eax + aesenc xmm6,xmm1 + aesenc xmm7,xmm1 + jmp $L$ctr32_enc_loop6_enter +ALIGN 16 +$L$ctr32_enc_loop6:: + aesenc xmm2,xmm1 + aesenc xmm3,xmm1 + dec eax + aesenc xmm4,xmm1 + aesenc xmm5,xmm1 + aesenc xmm6,xmm1 + aesenc xmm7,xmm1 +$L$ctr32_enc_loop6_enter:: + movups 
xmm1,XMMWORD PTR[16+rcx] + aesenc xmm2,xmm0 + aesenc xmm3,xmm0 + lea rcx,QWORD PTR[32+rcx] + aesenc xmm4,xmm0 + aesenc xmm5,xmm0 + aesenc xmm6,xmm0 + aesenc xmm7,xmm0 + movups xmm0,XMMWORD PTR[rcx] + jnz $L$ctr32_enc_loop6 + + aesenc xmm2,xmm1 + paddd xmm12,xmm13 + aesenc xmm3,xmm1 + paddd xmm13,XMMWORD PTR[16+rsp] + aesenc xmm4,xmm1 + movdqa XMMWORD PTR[rsp],xmm12 + aesenc xmm5,xmm1 + movdqa XMMWORD PTR[16+rsp],xmm13 + aesenc xmm6,xmm1 +DB 102,69,15,56,0,231 + aesenc xmm7,xmm1 +DB 102,69,15,56,0,239 + + aesenclast xmm2,xmm0 + movups xmm8,XMMWORD PTR[rdi] + aesenclast xmm3,xmm0 + movups xmm9,XMMWORD PTR[16+rdi] + aesenclast xmm4,xmm0 + movups xmm10,XMMWORD PTR[32+rdi] + aesenclast xmm5,xmm0 + movups xmm11,XMMWORD PTR[48+rdi] + aesenclast xmm6,xmm0 + movups xmm1,XMMWORD PTR[64+rdi] + aesenclast xmm7,xmm0 + movups xmm0,XMMWORD PTR[80+rdi] + lea rdi,QWORD PTR[96+rdi] + + xorps xmm8,xmm2 + pshufd xmm2,xmm12,192 + xorps xmm9,xmm3 + pshufd xmm3,xmm12,128 + movups XMMWORD PTR[rsi],xmm8 + xorps xmm10,xmm4 + pshufd xmm4,xmm12,64 + movups XMMWORD PTR[16+rsi],xmm9 + xorps xmm11,xmm5 + movups XMMWORD PTR[32+rsi],xmm10 + xorps xmm1,xmm6 + movups XMMWORD PTR[48+rsi],xmm11 + xorps xmm0,xmm7 + movups XMMWORD PTR[64+rsi],xmm1 + movups XMMWORD PTR[80+rsi],xmm0 + lea rsi,QWORD PTR[96+rsi] + mov eax,r10d + sub rdx,6 + jnc $L$ctr32_loop6 + + add rdx,6 + jz $L$ctr32_done + mov rcx,r11 + lea eax,DWORD PTR[1+rax*1+rax] + +$L$ctr32_tail:: + por xmm2,xmm14 + movups xmm8,XMMWORD PTR[rdi] + cmp rdx,2 + jb $L$ctr32_one + + por xmm3,xmm14 + movups xmm9,XMMWORD PTR[16+rdi] + je $L$ctr32_two + + pshufd xmm5,xmm13,192 + por xmm4,xmm14 + movups xmm10,XMMWORD PTR[32+rdi] + cmp rdx,4 + jb $L$ctr32_three + + pshufd xmm6,xmm13,128 + por xmm5,xmm14 + movups xmm11,XMMWORD PTR[48+rdi] + je $L$ctr32_four + + por xmm6,xmm14 + xorps xmm7,xmm7 + + call _aesni_encrypt6 + + movups xmm1,XMMWORD PTR[64+rdi] + xorps xmm8,xmm2 + xorps xmm9,xmm3 + movups XMMWORD PTR[rsi],xmm8 + xorps xmm10,xmm4 + movups XMMWORD 
PTR[16+rsi],xmm9 + xorps xmm11,xmm5 + movups XMMWORD PTR[32+rsi],xmm10 + xorps xmm1,xmm6 + movups XMMWORD PTR[48+rsi],xmm11 + movups XMMWORD PTR[64+rsi],xmm1 + jmp $L$ctr32_done + +ALIGN 16 +$L$ctr32_one_shortcut:: + movups xmm2,XMMWORD PTR[r8] + movups xmm8,XMMWORD PTR[rdi] + mov eax,DWORD PTR[240+rcx] +$L$ctr32_one:: + movups xmm0,XMMWORD PTR[rcx] + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 +$L$oop_enc1_7:: + aesenc xmm2,xmm1 + dec eax + movups xmm1,XMMWORD PTR[rcx] + lea rcx,QWORD PTR[16+rcx] + jnz $L$oop_enc1_7 + aesenclast xmm2,xmm1 + xorps xmm8,xmm2 + movups XMMWORD PTR[rsi],xmm8 + jmp $L$ctr32_done + +ALIGN 16 +$L$ctr32_two:: + xorps xmm4,xmm4 + call _aesni_encrypt3 + xorps xmm8,xmm2 + xorps xmm9,xmm3 + movups XMMWORD PTR[rsi],xmm8 + movups XMMWORD PTR[16+rsi],xmm9 + jmp $L$ctr32_done + +ALIGN 16 +$L$ctr32_three:: + call _aesni_encrypt3 + xorps xmm8,xmm2 + xorps xmm9,xmm3 + movups XMMWORD PTR[rsi],xmm8 + xorps xmm10,xmm4 + movups XMMWORD PTR[16+rsi],xmm9 + movups XMMWORD PTR[32+rsi],xmm10 + jmp $L$ctr32_done + +ALIGN 16 +$L$ctr32_four:: + call _aesni_encrypt4 + xorps xmm8,xmm2 + xorps xmm9,xmm3 + movups XMMWORD PTR[rsi],xmm8 + xorps xmm10,xmm4 + movups XMMWORD PTR[16+rsi],xmm9 + xorps xmm11,xmm5 + movups XMMWORD PTR[32+rsi],xmm10 + movups XMMWORD PTR[48+rsi],xmm11 + +$L$ctr32_done:: + movaps xmm6,XMMWORD PTR[32+rsp] + movaps xmm7,XMMWORD PTR[48+rsp] + movaps xmm8,XMMWORD PTR[64+rsp] + movaps xmm9,XMMWORD PTR[80+rsp] + movaps xmm10,XMMWORD PTR[96+rsp] + movaps xmm11,XMMWORD PTR[112+rsp] + movaps xmm12,XMMWORD PTR[128+rsp] + movaps xmm13,XMMWORD PTR[144+rsp] + movaps xmm14,XMMWORD PTR[160+rsp] + movaps xmm15,XMMWORD PTR[176+rsp] + lea rsp,QWORD PTR[200+rsp] +$L$ctr32_ret:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_aesni_ctr32_encrypt_blocks:: +aesni_ctr32_encrypt_blocks ENDP +PUBLIC aesni_xts_encrypt + +ALIGN 16 +aesni_xts_encrypt PROC PUBLIC + mov QWORD 
PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_aesni_xts_encrypt:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + + lea rsp,QWORD PTR[((-264))+rsp] + movaps XMMWORD PTR[96+rsp],xmm6 + movaps XMMWORD PTR[112+rsp],xmm7 + movaps XMMWORD PTR[128+rsp],xmm8 + movaps XMMWORD PTR[144+rsp],xmm9 + movaps XMMWORD PTR[160+rsp],xmm10 + movaps XMMWORD PTR[176+rsp],xmm11 + movaps XMMWORD PTR[192+rsp],xmm12 + movaps XMMWORD PTR[208+rsp],xmm13 + movaps XMMWORD PTR[224+rsp],xmm14 + movaps XMMWORD PTR[240+rsp],xmm15 +$L$xts_enc_body:: + movups xmm15,XMMWORD PTR[r9] + mov eax,DWORD PTR[240+r8] + mov r10d,DWORD PTR[240+rcx] + movups xmm0,XMMWORD PTR[r8] + movups xmm1,XMMWORD PTR[16+r8] + lea r8,QWORD PTR[32+r8] + xorps xmm15,xmm0 +$L$oop_enc1_8:: + aesenc xmm15,xmm1 + dec eax + movups xmm1,XMMWORD PTR[r8] + lea r8,QWORD PTR[16+r8] + jnz $L$oop_enc1_8 + aesenclast xmm15,xmm1 + mov r11,rcx + mov eax,r10d + mov r9,rdx + and rdx,-16 + + movdqa xmm8,XMMWORD PTR[$L$xts_magic] + pxor xmm14,xmm14 + pcmpgtd xmm14,xmm15 + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm10,xmm15 + paddq xmm15,xmm15 + pand xmm9,xmm8 + pcmpgtd xmm14,xmm15 + pxor xmm15,xmm9 + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm11,xmm15 + paddq xmm15,xmm15 + pand xmm9,xmm8 + pcmpgtd xmm14,xmm15 + pxor xmm15,xmm9 + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm12,xmm15 + paddq xmm15,xmm15 + pand xmm9,xmm8 + pcmpgtd xmm14,xmm15 + pxor xmm15,xmm9 + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm13,xmm15 + paddq xmm15,xmm15 + pand xmm9,xmm8 + pcmpgtd xmm14,xmm15 + pxor xmm15,xmm9 + sub rdx,16*6 + jc $L$xts_enc_short + + shr eax,1 + sub eax,1 + mov r10d,eax + jmp $L$xts_enc_grandloop + +ALIGN 16 +$L$xts_enc_grandloop:: + pshufd xmm9,xmm14,013h + movdqa xmm14,xmm15 + paddq xmm15,xmm15 + movdqu xmm2,XMMWORD PTR[rdi] + pand xmm9,xmm8 + movdqu xmm3,XMMWORD PTR[16+rdi] + pxor xmm15,xmm9 + + movdqu 
xmm4,XMMWORD PTR[32+rdi] + pxor xmm2,xmm10 + movdqu xmm5,XMMWORD PTR[48+rdi] + pxor xmm3,xmm11 + movdqu xmm6,XMMWORD PTR[64+rdi] + pxor xmm4,xmm12 + movdqu xmm7,XMMWORD PTR[80+rdi] + lea rdi,QWORD PTR[96+rdi] + pxor xmm5,xmm13 + movups xmm0,XMMWORD PTR[r11] + pxor xmm6,xmm14 + pxor xmm7,xmm15 + + + + movups xmm1,XMMWORD PTR[16+r11] + pxor xmm2,xmm0 + pxor xmm3,xmm0 + movdqa XMMWORD PTR[rsp],xmm10 + aesenc xmm2,xmm1 + lea rcx,QWORD PTR[32+r11] + pxor xmm4,xmm0 + movdqa XMMWORD PTR[16+rsp],xmm11 + aesenc xmm3,xmm1 + pxor xmm5,xmm0 + movdqa XMMWORD PTR[32+rsp],xmm12 + aesenc xmm4,xmm1 + pxor xmm6,xmm0 + movdqa XMMWORD PTR[48+rsp],xmm13 + aesenc xmm5,xmm1 + pxor xmm7,xmm0 + movups xmm0,XMMWORD PTR[rcx] + dec eax + movdqa XMMWORD PTR[64+rsp],xmm14 + aesenc xmm6,xmm1 + movdqa XMMWORD PTR[80+rsp],xmm15 + aesenc xmm7,xmm1 + pxor xmm14,xmm14 + pcmpgtd xmm14,xmm15 + jmp $L$xts_enc_loop6_enter + +ALIGN 16 +$L$xts_enc_loop6:: + aesenc xmm2,xmm1 + aesenc xmm3,xmm1 + dec eax + aesenc xmm4,xmm1 + aesenc xmm5,xmm1 + aesenc xmm6,xmm1 + aesenc xmm7,xmm1 +$L$xts_enc_loop6_enter:: + movups xmm1,XMMWORD PTR[16+rcx] + aesenc xmm2,xmm0 + aesenc xmm3,xmm0 + lea rcx,QWORD PTR[32+rcx] + aesenc xmm4,xmm0 + aesenc xmm5,xmm0 + aesenc xmm6,xmm0 + aesenc xmm7,xmm0 + movups xmm0,XMMWORD PTR[rcx] + jnz $L$xts_enc_loop6 + + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + paddq xmm15,xmm15 + aesenc xmm2,xmm1 + pand xmm9,xmm8 + aesenc xmm3,xmm1 + pcmpgtd xmm14,xmm15 + aesenc xmm4,xmm1 + pxor xmm15,xmm9 + aesenc xmm5,xmm1 + aesenc xmm6,xmm1 + aesenc xmm7,xmm1 + movups xmm1,XMMWORD PTR[16+rcx] + + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm10,xmm15 + paddq xmm15,xmm15 + aesenc xmm2,xmm0 + pand xmm9,xmm8 + aesenc xmm3,xmm0 + pcmpgtd xmm14,xmm15 + aesenc xmm4,xmm0 + pxor xmm15,xmm9 + aesenc xmm5,xmm0 + aesenc xmm6,xmm0 + aesenc xmm7,xmm0 + movups xmm0,XMMWORD PTR[32+rcx] + + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm11,xmm15 + paddq xmm15,xmm15 + aesenc xmm2,xmm1 + pand xmm9,xmm8 + 
aesenc xmm3,xmm1 + pcmpgtd xmm14,xmm15 + aesenc xmm4,xmm1 + pxor xmm15,xmm9 + aesenc xmm5,xmm1 + aesenc xmm6,xmm1 + aesenc xmm7,xmm1 + + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm12,xmm15 + paddq xmm15,xmm15 + aesenclast xmm2,xmm0 + pand xmm9,xmm8 + aesenclast xmm3,xmm0 + pcmpgtd xmm14,xmm15 + aesenclast xmm4,xmm0 + pxor xmm15,xmm9 + aesenclast xmm5,xmm0 + aesenclast xmm6,xmm0 + aesenclast xmm7,xmm0 + + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm13,xmm15 + paddq xmm15,xmm15 + xorps xmm2,XMMWORD PTR[rsp] + pand xmm9,xmm8 + xorps xmm3,XMMWORD PTR[16+rsp] + pcmpgtd xmm14,xmm15 + pxor xmm15,xmm9 + + xorps xmm4,XMMWORD PTR[32+rsp] + movups XMMWORD PTR[rsi],xmm2 + xorps xmm5,XMMWORD PTR[48+rsp] + movups XMMWORD PTR[16+rsi],xmm3 + xorps xmm6,XMMWORD PTR[64+rsp] + movups XMMWORD PTR[32+rsi],xmm4 + xorps xmm7,XMMWORD PTR[80+rsp] + movups XMMWORD PTR[48+rsi],xmm5 + mov eax,r10d + movups XMMWORD PTR[64+rsi],xmm6 + movups XMMWORD PTR[80+rsi],xmm7 + lea rsi,QWORD PTR[96+rsi] + sub rdx,16*6 + jnc $L$xts_enc_grandloop + + lea eax,DWORD PTR[3+rax*1+rax] + mov rcx,r11 + mov r10d,eax + +$L$xts_enc_short:: + add rdx,16*6 + jz $L$xts_enc_done + + cmp rdx,020h + jb $L$xts_enc_one + je $L$xts_enc_two + + cmp rdx,040h + jb $L$xts_enc_three + je $L$xts_enc_four + + pshufd xmm9,xmm14,013h + movdqa xmm14,xmm15 + paddq xmm15,xmm15 + movdqu xmm2,XMMWORD PTR[rdi] + pand xmm9,xmm8 + movdqu xmm3,XMMWORD PTR[16+rdi] + pxor xmm15,xmm9 + + movdqu xmm4,XMMWORD PTR[32+rdi] + pxor xmm2,xmm10 + movdqu xmm5,XMMWORD PTR[48+rdi] + pxor xmm3,xmm11 + movdqu xmm6,XMMWORD PTR[64+rdi] + lea rdi,QWORD PTR[80+rdi] + pxor xmm4,xmm12 + pxor xmm5,xmm13 + pxor xmm6,xmm14 + + call _aesni_encrypt6 + + xorps xmm2,xmm10 + movdqa xmm10,xmm15 + xorps xmm3,xmm11 + xorps xmm4,xmm12 + movdqu XMMWORD PTR[rsi],xmm2 + xorps xmm5,xmm13 + movdqu XMMWORD PTR[16+rsi],xmm3 + xorps xmm6,xmm14 + movdqu XMMWORD PTR[32+rsi],xmm4 + movdqu XMMWORD PTR[48+rsi],xmm5 + movdqu XMMWORD PTR[64+rsi],xmm6 + lea rsi,QWORD 
PTR[80+rsi] + jmp $L$xts_enc_done + +ALIGN 16 +$L$xts_enc_one:: + movups xmm2,XMMWORD PTR[rdi] + lea rdi,QWORD PTR[16+rdi] + xorps xmm2,xmm10 + movups xmm0,XMMWORD PTR[rcx] + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 +$L$oop_enc1_9:: + aesenc xmm2,xmm1 + dec eax + movups xmm1,XMMWORD PTR[rcx] + lea rcx,QWORD PTR[16+rcx] + jnz $L$oop_enc1_9 + aesenclast xmm2,xmm1 + xorps xmm2,xmm10 + movdqa xmm10,xmm11 + movups XMMWORD PTR[rsi],xmm2 + lea rsi,QWORD PTR[16+rsi] + jmp $L$xts_enc_done + +ALIGN 16 +$L$xts_enc_two:: + movups xmm2,XMMWORD PTR[rdi] + movups xmm3,XMMWORD PTR[16+rdi] + lea rdi,QWORD PTR[32+rdi] + xorps xmm2,xmm10 + xorps xmm3,xmm11 + + call _aesni_encrypt3 + + xorps xmm2,xmm10 + movdqa xmm10,xmm12 + xorps xmm3,xmm11 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + lea rsi,QWORD PTR[32+rsi] + jmp $L$xts_enc_done + +ALIGN 16 +$L$xts_enc_three:: + movups xmm2,XMMWORD PTR[rdi] + movups xmm3,XMMWORD PTR[16+rdi] + movups xmm4,XMMWORD PTR[32+rdi] + lea rdi,QWORD PTR[48+rdi] + xorps xmm2,xmm10 + xorps xmm3,xmm11 + xorps xmm4,xmm12 + + call _aesni_encrypt3 + + xorps xmm2,xmm10 + movdqa xmm10,xmm13 + xorps xmm3,xmm11 + xorps xmm4,xmm12 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + lea rsi,QWORD PTR[48+rsi] + jmp $L$xts_enc_done + +ALIGN 16 +$L$xts_enc_four:: + movups xmm2,XMMWORD PTR[rdi] + movups xmm3,XMMWORD PTR[16+rdi] + movups xmm4,XMMWORD PTR[32+rdi] + xorps xmm2,xmm10 + movups xmm5,XMMWORD PTR[48+rdi] + lea rdi,QWORD PTR[64+rdi] + xorps xmm3,xmm11 + xorps xmm4,xmm12 + xorps xmm5,xmm13 + + call _aesni_encrypt4 + + xorps xmm2,xmm10 + movdqa xmm10,xmm15 + xorps xmm3,xmm11 + xorps xmm4,xmm12 + movups XMMWORD PTR[rsi],xmm2 + xorps xmm5,xmm13 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + lea rsi,QWORD PTR[64+rsi] + jmp $L$xts_enc_done + +ALIGN 16 +$L$xts_enc_done:: + and r9,15 + jz $L$xts_enc_ret + mov 
rdx,r9 + +$L$xts_enc_steal:: + movzx eax,BYTE PTR[rdi] + movzx ecx,BYTE PTR[((-16))+rsi] + lea rdi,QWORD PTR[1+rdi] + mov BYTE PTR[((-16))+rsi],al + mov BYTE PTR[rsi],cl + lea rsi,QWORD PTR[1+rsi] + sub rdx,1 + jnz $L$xts_enc_steal + + sub rsi,r9 + mov rcx,r11 + mov eax,r10d + + movups xmm2,XMMWORD PTR[((-16))+rsi] + xorps xmm2,xmm10 + movups xmm0,XMMWORD PTR[rcx] + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 +$L$oop_enc1_10:: + aesenc xmm2,xmm1 + dec eax + movups xmm1,XMMWORD PTR[rcx] + lea rcx,QWORD PTR[16+rcx] + jnz $L$oop_enc1_10 + aesenclast xmm2,xmm1 + xorps xmm2,xmm10 + movups XMMWORD PTR[(-16)+rsi],xmm2 + +$L$xts_enc_ret:: + movaps xmm6,XMMWORD PTR[96+rsp] + movaps xmm7,XMMWORD PTR[112+rsp] + movaps xmm8,XMMWORD PTR[128+rsp] + movaps xmm9,XMMWORD PTR[144+rsp] + movaps xmm10,XMMWORD PTR[160+rsp] + movaps xmm11,XMMWORD PTR[176+rsp] + movaps xmm12,XMMWORD PTR[192+rsp] + movaps xmm13,XMMWORD PTR[208+rsp] + movaps xmm14,XMMWORD PTR[224+rsp] + movaps xmm15,XMMWORD PTR[240+rsp] + lea rsp,QWORD PTR[264+rsp] +$L$xts_enc_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_aesni_xts_encrypt:: +aesni_xts_encrypt ENDP +PUBLIC aesni_xts_decrypt + +ALIGN 16 +aesni_xts_decrypt PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_aesni_xts_decrypt:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + + lea rsp,QWORD PTR[((-264))+rsp] + movaps XMMWORD PTR[96+rsp],xmm6 + movaps XMMWORD PTR[112+rsp],xmm7 + movaps XMMWORD PTR[128+rsp],xmm8 + movaps XMMWORD PTR[144+rsp],xmm9 + movaps XMMWORD PTR[160+rsp],xmm10 + movaps XMMWORD PTR[176+rsp],xmm11 + movaps XMMWORD PTR[192+rsp],xmm12 + movaps XMMWORD PTR[208+rsp],xmm13 + movaps XMMWORD PTR[224+rsp],xmm14 + movaps XMMWORD PTR[240+rsp],xmm15 +$L$xts_dec_body:: + movups xmm15,XMMWORD PTR[r9] + mov eax,DWORD PTR[240+r8] + 
mov r10d,DWORD PTR[240+rcx] + movups xmm0,XMMWORD PTR[r8] + movups xmm1,XMMWORD PTR[16+r8] + lea r8,QWORD PTR[32+r8] + xorps xmm15,xmm0 +$L$oop_enc1_11:: + aesenc xmm15,xmm1 + dec eax + movups xmm1,XMMWORD PTR[r8] + lea r8,QWORD PTR[16+r8] + jnz $L$oop_enc1_11 + aesenclast xmm15,xmm1 + xor eax,eax + test rdx,15 + setnz al + shl rax,4 + sub rdx,rax + + mov r11,rcx + mov eax,r10d + mov r9,rdx + and rdx,-16 + + movdqa xmm8,XMMWORD PTR[$L$xts_magic] + pxor xmm14,xmm14 + pcmpgtd xmm14,xmm15 + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm10,xmm15 + paddq xmm15,xmm15 + pand xmm9,xmm8 + pcmpgtd xmm14,xmm15 + pxor xmm15,xmm9 + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm11,xmm15 + paddq xmm15,xmm15 + pand xmm9,xmm8 + pcmpgtd xmm14,xmm15 + pxor xmm15,xmm9 + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm12,xmm15 + paddq xmm15,xmm15 + pand xmm9,xmm8 + pcmpgtd xmm14,xmm15 + pxor xmm15,xmm9 + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm13,xmm15 + paddq xmm15,xmm15 + pand xmm9,xmm8 + pcmpgtd xmm14,xmm15 + pxor xmm15,xmm9 + sub rdx,16*6 + jc $L$xts_dec_short + + shr eax,1 + sub eax,1 + mov r10d,eax + jmp $L$xts_dec_grandloop + +ALIGN 16 +$L$xts_dec_grandloop:: + pshufd xmm9,xmm14,013h + movdqa xmm14,xmm15 + paddq xmm15,xmm15 + movdqu xmm2,XMMWORD PTR[rdi] + pand xmm9,xmm8 + movdqu xmm3,XMMWORD PTR[16+rdi] + pxor xmm15,xmm9 + + movdqu xmm4,XMMWORD PTR[32+rdi] + pxor xmm2,xmm10 + movdqu xmm5,XMMWORD PTR[48+rdi] + pxor xmm3,xmm11 + movdqu xmm6,XMMWORD PTR[64+rdi] + pxor xmm4,xmm12 + movdqu xmm7,XMMWORD PTR[80+rdi] + lea rdi,QWORD PTR[96+rdi] + pxor xmm5,xmm13 + movups xmm0,XMMWORD PTR[r11] + pxor xmm6,xmm14 + pxor xmm7,xmm15 + + + + movups xmm1,XMMWORD PTR[16+r11] + pxor xmm2,xmm0 + pxor xmm3,xmm0 + movdqa XMMWORD PTR[rsp],xmm10 + aesdec xmm2,xmm1 + lea rcx,QWORD PTR[32+r11] + pxor xmm4,xmm0 + movdqa XMMWORD PTR[16+rsp],xmm11 + aesdec xmm3,xmm1 + pxor xmm5,xmm0 + movdqa XMMWORD PTR[32+rsp],xmm12 + aesdec xmm4,xmm1 + pxor xmm6,xmm0 + movdqa XMMWORD 
PTR[48+rsp],xmm13 + aesdec xmm5,xmm1 + pxor xmm7,xmm0 + movups xmm0,XMMWORD PTR[rcx] + dec eax + movdqa XMMWORD PTR[64+rsp],xmm14 + aesdec xmm6,xmm1 + movdqa XMMWORD PTR[80+rsp],xmm15 + aesdec xmm7,xmm1 + pxor xmm14,xmm14 + pcmpgtd xmm14,xmm15 + jmp $L$xts_dec_loop6_enter + +ALIGN 16 +$L$xts_dec_loop6:: + aesdec xmm2,xmm1 + aesdec xmm3,xmm1 + dec eax + aesdec xmm4,xmm1 + aesdec xmm5,xmm1 + aesdec xmm6,xmm1 + aesdec xmm7,xmm1 +$L$xts_dec_loop6_enter:: + movups xmm1,XMMWORD PTR[16+rcx] + aesdec xmm2,xmm0 + aesdec xmm3,xmm0 + lea rcx,QWORD PTR[32+rcx] + aesdec xmm4,xmm0 + aesdec xmm5,xmm0 + aesdec xmm6,xmm0 + aesdec xmm7,xmm0 + movups xmm0,XMMWORD PTR[rcx] + jnz $L$xts_dec_loop6 + + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + paddq xmm15,xmm15 + aesdec xmm2,xmm1 + pand xmm9,xmm8 + aesdec xmm3,xmm1 + pcmpgtd xmm14,xmm15 + aesdec xmm4,xmm1 + pxor xmm15,xmm9 + aesdec xmm5,xmm1 + aesdec xmm6,xmm1 + aesdec xmm7,xmm1 + movups xmm1,XMMWORD PTR[16+rcx] + + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm10,xmm15 + paddq xmm15,xmm15 + aesdec xmm2,xmm0 + pand xmm9,xmm8 + aesdec xmm3,xmm0 + pcmpgtd xmm14,xmm15 + aesdec xmm4,xmm0 + pxor xmm15,xmm9 + aesdec xmm5,xmm0 + aesdec xmm6,xmm0 + aesdec xmm7,xmm0 + movups xmm0,XMMWORD PTR[32+rcx] + + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm11,xmm15 + paddq xmm15,xmm15 + aesdec xmm2,xmm1 + pand xmm9,xmm8 + aesdec xmm3,xmm1 + pcmpgtd xmm14,xmm15 + aesdec xmm4,xmm1 + pxor xmm15,xmm9 + aesdec xmm5,xmm1 + aesdec xmm6,xmm1 + aesdec xmm7,xmm1 + + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm12,xmm15 + paddq xmm15,xmm15 + aesdeclast xmm2,xmm0 + pand xmm9,xmm8 + aesdeclast xmm3,xmm0 + pcmpgtd xmm14,xmm15 + aesdeclast xmm4,xmm0 + pxor xmm15,xmm9 + aesdeclast xmm5,xmm0 + aesdeclast xmm6,xmm0 + aesdeclast xmm7,xmm0 + + pshufd xmm9,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm13,xmm15 + paddq xmm15,xmm15 + xorps xmm2,XMMWORD PTR[rsp] + pand xmm9,xmm8 + xorps xmm3,XMMWORD PTR[16+rsp] + pcmpgtd xmm14,xmm15 + pxor xmm15,xmm9 + + 
xorps xmm4,XMMWORD PTR[32+rsp] + movups XMMWORD PTR[rsi],xmm2 + xorps xmm5,XMMWORD PTR[48+rsp] + movups XMMWORD PTR[16+rsi],xmm3 + xorps xmm6,XMMWORD PTR[64+rsp] + movups XMMWORD PTR[32+rsi],xmm4 + xorps xmm7,XMMWORD PTR[80+rsp] + movups XMMWORD PTR[48+rsi],xmm5 + mov eax,r10d + movups XMMWORD PTR[64+rsi],xmm6 + movups XMMWORD PTR[80+rsi],xmm7 + lea rsi,QWORD PTR[96+rsi] + sub rdx,16*6 + jnc $L$xts_dec_grandloop + + lea eax,DWORD PTR[3+rax*1+rax] + mov rcx,r11 + mov r10d,eax + +$L$xts_dec_short:: + add rdx,16*6 + jz $L$xts_dec_done + + cmp rdx,020h + jb $L$xts_dec_one + je $L$xts_dec_two + + cmp rdx,040h + jb $L$xts_dec_three + je $L$xts_dec_four + + pshufd xmm9,xmm14,013h + movdqa xmm14,xmm15 + paddq xmm15,xmm15 + movdqu xmm2,XMMWORD PTR[rdi] + pand xmm9,xmm8 + movdqu xmm3,XMMWORD PTR[16+rdi] + pxor xmm15,xmm9 + + movdqu xmm4,XMMWORD PTR[32+rdi] + pxor xmm2,xmm10 + movdqu xmm5,XMMWORD PTR[48+rdi] + pxor xmm3,xmm11 + movdqu xmm6,XMMWORD PTR[64+rdi] + lea rdi,QWORD PTR[80+rdi] + pxor xmm4,xmm12 + pxor xmm5,xmm13 + pxor xmm6,xmm14 + + call _aesni_decrypt6 + + xorps xmm2,xmm10 + xorps xmm3,xmm11 + xorps xmm4,xmm12 + movdqu XMMWORD PTR[rsi],xmm2 + xorps xmm5,xmm13 + movdqu XMMWORD PTR[16+rsi],xmm3 + xorps xmm6,xmm14 + movdqu XMMWORD PTR[32+rsi],xmm4 + pxor xmm14,xmm14 + movdqu XMMWORD PTR[48+rsi],xmm5 + pcmpgtd xmm14,xmm15 + movdqu XMMWORD PTR[64+rsi],xmm6 + lea rsi,QWORD PTR[80+rsi] + pshufd xmm11,xmm14,013h + and r9,15 + jz $L$xts_dec_ret + + movdqa xmm10,xmm15 + paddq xmm15,xmm15 + pand xmm11,xmm8 + pxor xmm11,xmm15 + jmp $L$xts_dec_done2 + +ALIGN 16 +$L$xts_dec_one:: + movups xmm2,XMMWORD PTR[rdi] + lea rdi,QWORD PTR[16+rdi] + xorps xmm2,xmm10 + movups xmm0,XMMWORD PTR[rcx] + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 +$L$oop_dec1_12:: + aesdec xmm2,xmm1 + dec eax + movups xmm1,XMMWORD PTR[rcx] + lea rcx,QWORD PTR[16+rcx] + jnz $L$oop_dec1_12 + aesdeclast xmm2,xmm1 + xorps xmm2,xmm10 + movdqa xmm10,xmm11 + movups XMMWORD 
PTR[rsi],xmm2 + movdqa xmm11,xmm12 + lea rsi,QWORD PTR[16+rsi] + jmp $L$xts_dec_done + +ALIGN 16 +$L$xts_dec_two:: + movups xmm2,XMMWORD PTR[rdi] + movups xmm3,XMMWORD PTR[16+rdi] + lea rdi,QWORD PTR[32+rdi] + xorps xmm2,xmm10 + xorps xmm3,xmm11 + + call _aesni_decrypt3 + + xorps xmm2,xmm10 + movdqa xmm10,xmm12 + xorps xmm3,xmm11 + movdqa xmm11,xmm13 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + lea rsi,QWORD PTR[32+rsi] + jmp $L$xts_dec_done + +ALIGN 16 +$L$xts_dec_three:: + movups xmm2,XMMWORD PTR[rdi] + movups xmm3,XMMWORD PTR[16+rdi] + movups xmm4,XMMWORD PTR[32+rdi] + lea rdi,QWORD PTR[48+rdi] + xorps xmm2,xmm10 + xorps xmm3,xmm11 + xorps xmm4,xmm12 + + call _aesni_decrypt3 + + xorps xmm2,xmm10 + movdqa xmm10,xmm13 + xorps xmm3,xmm11 + movdqa xmm11,xmm15 + xorps xmm4,xmm12 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + lea rsi,QWORD PTR[48+rsi] + jmp $L$xts_dec_done + +ALIGN 16 +$L$xts_dec_four:: + pshufd xmm9,xmm14,013h + movdqa xmm14,xmm15 + paddq xmm15,xmm15 + movups xmm2,XMMWORD PTR[rdi] + pand xmm9,xmm8 + movups xmm3,XMMWORD PTR[16+rdi] + pxor xmm15,xmm9 + + movups xmm4,XMMWORD PTR[32+rdi] + xorps xmm2,xmm10 + movups xmm5,XMMWORD PTR[48+rdi] + lea rdi,QWORD PTR[64+rdi] + xorps xmm3,xmm11 + xorps xmm4,xmm12 + xorps xmm5,xmm13 + + call _aesni_decrypt4 + + xorps xmm2,xmm10 + movdqa xmm10,xmm14 + xorps xmm3,xmm11 + movdqa xmm11,xmm15 + xorps xmm4,xmm12 + movups XMMWORD PTR[rsi],xmm2 + xorps xmm5,xmm13 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + lea rsi,QWORD PTR[64+rsi] + jmp $L$xts_dec_done + +ALIGN 16 +$L$xts_dec_done:: + and r9,15 + jz $L$xts_dec_ret +$L$xts_dec_done2:: + mov rdx,r9 + mov rcx,r11 + mov eax,r10d + + movups xmm2,XMMWORD PTR[rdi] + xorps xmm2,xmm11 + movups xmm0,XMMWORD PTR[rcx] + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 +$L$oop_dec1_13:: + aesdec xmm2,xmm1 + dec eax + 
movups xmm1,XMMWORD PTR[rcx] + lea rcx,QWORD PTR[16+rcx] + jnz $L$oop_dec1_13 + aesdeclast xmm2,xmm1 + xorps xmm2,xmm11 + movups XMMWORD PTR[rsi],xmm2 + +$L$xts_dec_steal:: + movzx eax,BYTE PTR[16+rdi] + movzx ecx,BYTE PTR[rsi] + lea rdi,QWORD PTR[1+rdi] + mov BYTE PTR[rsi],al + mov BYTE PTR[16+rsi],cl + lea rsi,QWORD PTR[1+rsi] + sub rdx,1 + jnz $L$xts_dec_steal + + sub rsi,r9 + mov rcx,r11 + mov eax,r10d + + movups xmm2,XMMWORD PTR[rsi] + xorps xmm2,xmm10 + movups xmm0,XMMWORD PTR[rcx] + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 +$L$oop_dec1_14:: + aesdec xmm2,xmm1 + dec eax + movups xmm1,XMMWORD PTR[rcx] + lea rcx,QWORD PTR[16+rcx] + jnz $L$oop_dec1_14 + aesdeclast xmm2,xmm1 + xorps xmm2,xmm10 + movups XMMWORD PTR[rsi],xmm2 + +$L$xts_dec_ret:: + movaps xmm6,XMMWORD PTR[96+rsp] + movaps xmm7,XMMWORD PTR[112+rsp] + movaps xmm8,XMMWORD PTR[128+rsp] + movaps xmm9,XMMWORD PTR[144+rsp] + movaps xmm10,XMMWORD PTR[160+rsp] + movaps xmm11,XMMWORD PTR[176+rsp] + movaps xmm12,XMMWORD PTR[192+rsp] + movaps xmm13,XMMWORD PTR[208+rsp] + movaps xmm14,XMMWORD PTR[224+rsp] + movaps xmm15,XMMWORD PTR[240+rsp] + lea rsp,QWORD PTR[264+rsp] +$L$xts_dec_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_aesni_xts_decrypt:: +aesni_xts_decrypt ENDP +PUBLIC aesni_cbc_encrypt + +ALIGN 16 +aesni_cbc_encrypt PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_aesni_cbc_encrypt:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + + test rdx,rdx + jz $L$cbc_ret + + mov r10d,DWORD PTR[240+rcx] + mov r11,rcx + test r9d,r9d + jz $L$cbc_decrypt + + movups xmm2,XMMWORD PTR[r8] + mov eax,r10d + cmp rdx,16 + jb $L$cbc_enc_tail + sub rdx,16 + jmp $L$cbc_enc_loop +ALIGN 16 +$L$cbc_enc_loop:: + movups xmm3,XMMWORD PTR[rdi] + lea rdi,QWORD PTR[16+rdi] + + movups xmm0,XMMWORD PTR[rcx] 
+ movups xmm1,XMMWORD PTR[16+rcx] + xorps xmm3,xmm0 + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm3 +$L$oop_enc1_15:: + aesenc xmm2,xmm1 + dec eax + movups xmm1,XMMWORD PTR[rcx] + lea rcx,QWORD PTR[16+rcx] + jnz $L$oop_enc1_15 + aesenclast xmm2,xmm1 + mov eax,r10d + mov rcx,r11 + movups XMMWORD PTR[rsi],xmm2 + lea rsi,QWORD PTR[16+rsi] + sub rdx,16 + jnc $L$cbc_enc_loop + add rdx,16 + jnz $L$cbc_enc_tail + movups XMMWORD PTR[r8],xmm2 + jmp $L$cbc_ret + +$L$cbc_enc_tail:: + mov rcx,rdx + xchg rsi,rdi + DD 09066A4F3h + mov ecx,16 + sub rcx,rdx + xor eax,eax + DD 09066AAF3h + lea rdi,QWORD PTR[((-16))+rdi] + mov eax,r10d + mov rsi,rdi + mov rcx,r11 + xor rdx,rdx + jmp $L$cbc_enc_loop + +ALIGN 16 +$L$cbc_decrypt:: + lea rsp,QWORD PTR[((-88))+rsp] + movaps XMMWORD PTR[rsp],xmm6 + movaps XMMWORD PTR[16+rsp],xmm7 + movaps XMMWORD PTR[32+rsp],xmm8 + movaps XMMWORD PTR[48+rsp],xmm9 +$L$cbc_decrypt_body:: + movups xmm9,XMMWORD PTR[r8] + mov eax,r10d + cmp rdx,070h + jbe $L$cbc_dec_tail + shr r10d,1 + sub rdx,070h + mov eax,r10d + movaps XMMWORD PTR[64+rsp],xmm9 + jmp $L$cbc_dec_loop8_enter +ALIGN 16 +$L$cbc_dec_loop8:: + movaps XMMWORD PTR[64+rsp],xmm0 + movups XMMWORD PTR[rsi],xmm9 + lea rsi,QWORD PTR[16+rsi] +$L$cbc_dec_loop8_enter:: + movups xmm0,XMMWORD PTR[rcx] + movups xmm2,XMMWORD PTR[rdi] + movups xmm3,XMMWORD PTR[16+rdi] + movups xmm1,XMMWORD PTR[16+rcx] + + lea rcx,QWORD PTR[32+rcx] + movdqu xmm4,XMMWORD PTR[32+rdi] + xorps xmm2,xmm0 + movdqu xmm5,XMMWORD PTR[48+rdi] + xorps xmm3,xmm0 + movdqu xmm6,XMMWORD PTR[64+rdi] + aesdec xmm2,xmm1 + pxor xmm4,xmm0 + movdqu xmm7,XMMWORD PTR[80+rdi] + aesdec xmm3,xmm1 + pxor xmm5,xmm0 + movdqu xmm8,XMMWORD PTR[96+rdi] + aesdec xmm4,xmm1 + pxor xmm6,xmm0 + movdqu xmm9,XMMWORD PTR[112+rdi] + aesdec xmm5,xmm1 + pxor xmm7,xmm0 + dec eax + aesdec xmm6,xmm1 + pxor xmm8,xmm0 + aesdec xmm7,xmm1 + pxor xmm9,xmm0 + movups xmm0,XMMWORD PTR[rcx] + aesdec xmm8,xmm1 + aesdec xmm9,xmm1 + movups xmm1,XMMWORD PTR[16+rcx] + + call 
$L$dec_loop8_enter + + movups xmm1,XMMWORD PTR[rdi] + movups xmm0,XMMWORD PTR[16+rdi] + xorps xmm2,XMMWORD PTR[64+rsp] + xorps xmm3,xmm1 + movups xmm1,XMMWORD PTR[32+rdi] + xorps xmm4,xmm0 + movups xmm0,XMMWORD PTR[48+rdi] + xorps xmm5,xmm1 + movups xmm1,XMMWORD PTR[64+rdi] + xorps xmm6,xmm0 + movups xmm0,XMMWORD PTR[80+rdi] + xorps xmm7,xmm1 + movups xmm1,XMMWORD PTR[96+rdi] + xorps xmm8,xmm0 + movups xmm0,XMMWORD PTR[112+rdi] + xorps xmm9,xmm1 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + mov eax,r10d + movups XMMWORD PTR[64+rsi],xmm6 + mov rcx,r11 + movups XMMWORD PTR[80+rsi],xmm7 + lea rdi,QWORD PTR[128+rdi] + movups XMMWORD PTR[96+rsi],xmm8 + lea rsi,QWORD PTR[112+rsi] + sub rdx,080h + ja $L$cbc_dec_loop8 + + movaps xmm2,xmm9 + movaps xmm9,xmm0 + add rdx,070h + jle $L$cbc_dec_tail_collected + movups XMMWORD PTR[rsi],xmm2 + lea eax,DWORD PTR[1+r10*1+r10] + lea rsi,QWORD PTR[16+rsi] +$L$cbc_dec_tail:: + movups xmm2,XMMWORD PTR[rdi] + movaps xmm8,xmm2 + cmp rdx,010h + jbe $L$cbc_dec_one + + movups xmm3,XMMWORD PTR[16+rdi] + movaps xmm7,xmm3 + cmp rdx,020h + jbe $L$cbc_dec_two + + movups xmm4,XMMWORD PTR[32+rdi] + movaps xmm6,xmm4 + cmp rdx,030h + jbe $L$cbc_dec_three + + movups xmm5,XMMWORD PTR[48+rdi] + cmp rdx,040h + jbe $L$cbc_dec_four + + movups xmm6,XMMWORD PTR[64+rdi] + cmp rdx,050h + jbe $L$cbc_dec_five + + movups xmm7,XMMWORD PTR[80+rdi] + cmp rdx,060h + jbe $L$cbc_dec_six + + movups xmm8,XMMWORD PTR[96+rdi] + movaps XMMWORD PTR[64+rsp],xmm9 + call _aesni_decrypt8 + movups xmm1,XMMWORD PTR[rdi] + movups xmm0,XMMWORD PTR[16+rdi] + xorps xmm2,XMMWORD PTR[64+rsp] + xorps xmm3,xmm1 + movups xmm1,XMMWORD PTR[32+rdi] + xorps xmm4,xmm0 + movups xmm0,XMMWORD PTR[48+rdi] + xorps xmm5,xmm1 + movups xmm1,XMMWORD PTR[64+rdi] + xorps xmm6,xmm0 + movups xmm0,XMMWORD PTR[80+rdi] + xorps xmm7,xmm1 + movups xmm9,XMMWORD PTR[96+rdi] + xorps xmm8,xmm0 + movups XMMWORD PTR[rsi],xmm2 + 
movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + movups XMMWORD PTR[64+rsi],xmm6 + movups XMMWORD PTR[80+rsi],xmm7 + lea rsi,QWORD PTR[96+rsi] + movaps xmm2,xmm8 + sub rdx,070h + jmp $L$cbc_dec_tail_collected +ALIGN 16 +$L$cbc_dec_one:: + movups xmm0,XMMWORD PTR[rcx] + movups xmm1,XMMWORD PTR[16+rcx] + lea rcx,QWORD PTR[32+rcx] + xorps xmm2,xmm0 +$L$oop_dec1_16:: + aesdec xmm2,xmm1 + dec eax + movups xmm1,XMMWORD PTR[rcx] + lea rcx,QWORD PTR[16+rcx] + jnz $L$oop_dec1_16 + aesdeclast xmm2,xmm1 + xorps xmm2,xmm9 + movaps xmm9,xmm8 + sub rdx,010h + jmp $L$cbc_dec_tail_collected +ALIGN 16 +$L$cbc_dec_two:: + xorps xmm4,xmm4 + call _aesni_decrypt3 + xorps xmm2,xmm9 + xorps xmm3,xmm8 + movups XMMWORD PTR[rsi],xmm2 + movaps xmm9,xmm7 + movaps xmm2,xmm3 + lea rsi,QWORD PTR[16+rsi] + sub rdx,020h + jmp $L$cbc_dec_tail_collected +ALIGN 16 +$L$cbc_dec_three:: + call _aesni_decrypt3 + xorps xmm2,xmm9 + xorps xmm3,xmm8 + movups XMMWORD PTR[rsi],xmm2 + xorps xmm4,xmm7 + movups XMMWORD PTR[16+rsi],xmm3 + movaps xmm9,xmm6 + movaps xmm2,xmm4 + lea rsi,QWORD PTR[32+rsi] + sub rdx,030h + jmp $L$cbc_dec_tail_collected +ALIGN 16 +$L$cbc_dec_four:: + call _aesni_decrypt4 + xorps xmm2,xmm9 + movups xmm9,XMMWORD PTR[48+rdi] + xorps xmm3,xmm8 + movups XMMWORD PTR[rsi],xmm2 + xorps xmm4,xmm7 + movups XMMWORD PTR[16+rsi],xmm3 + xorps xmm5,xmm6 + movups XMMWORD PTR[32+rsi],xmm4 + movaps xmm2,xmm5 + lea rsi,QWORD PTR[48+rsi] + sub rdx,040h + jmp $L$cbc_dec_tail_collected +ALIGN 16 +$L$cbc_dec_five:: + xorps xmm7,xmm7 + call _aesni_decrypt6 + movups xmm1,XMMWORD PTR[16+rdi] + movups xmm0,XMMWORD PTR[32+rdi] + xorps xmm2,xmm9 + xorps xmm3,xmm8 + xorps xmm4,xmm1 + movups xmm1,XMMWORD PTR[48+rdi] + xorps xmm5,xmm0 + movups xmm9,XMMWORD PTR[64+rdi] + xorps xmm6,xmm1 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + lea rsi,QWORD PTR[64+rsi] + movaps xmm2,xmm6 + 
sub rdx,050h + jmp $L$cbc_dec_tail_collected +ALIGN 16 +$L$cbc_dec_six:: + call _aesni_decrypt6 + movups xmm1,XMMWORD PTR[16+rdi] + movups xmm0,XMMWORD PTR[32+rdi] + xorps xmm2,xmm9 + xorps xmm3,xmm8 + xorps xmm4,xmm1 + movups xmm1,XMMWORD PTR[48+rdi] + xorps xmm5,xmm0 + movups xmm0,XMMWORD PTR[64+rdi] + xorps xmm6,xmm1 + movups xmm9,XMMWORD PTR[80+rdi] + xorps xmm7,xmm0 + movups XMMWORD PTR[rsi],xmm2 + movups XMMWORD PTR[16+rsi],xmm3 + movups XMMWORD PTR[32+rsi],xmm4 + movups XMMWORD PTR[48+rsi],xmm5 + movups XMMWORD PTR[64+rsi],xmm6 + lea rsi,QWORD PTR[80+rsi] + movaps xmm2,xmm7 + sub rdx,060h + jmp $L$cbc_dec_tail_collected +ALIGN 16 +$L$cbc_dec_tail_collected:: + and rdx,15 + movups XMMWORD PTR[r8],xmm9 + jnz $L$cbc_dec_tail_partial + movups XMMWORD PTR[rsi],xmm2 + jmp $L$cbc_dec_ret +ALIGN 16 +$L$cbc_dec_tail_partial:: + movaps XMMWORD PTR[64+rsp],xmm2 + mov rcx,16 + mov rdi,rsi + sub rcx,rdx + lea rsi,QWORD PTR[64+rsp] + DD 09066A4F3h + +$L$cbc_dec_ret:: + movaps xmm6,XMMWORD PTR[rsp] + movaps xmm7,XMMWORD PTR[16+rsp] + movaps xmm8,XMMWORD PTR[32+rsp] + movaps xmm9,XMMWORD PTR[48+rsp] + lea rsp,QWORD PTR[88+rsp] +$L$cbc_ret:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_aesni_cbc_encrypt:: +aesni_cbc_encrypt ENDP +PUBLIC aesni_set_decrypt_key + +ALIGN 16 +aesni_set_decrypt_key PROC PUBLIC + sub rsp,8 + call __aesni_set_encrypt_key + shl edx,4 + test eax,eax + jnz $L$dec_key_ret + lea rcx,QWORD PTR[16+rdx*1+r8] + + movups xmm0,XMMWORD PTR[r8] + movups xmm1,XMMWORD PTR[rcx] + movups XMMWORD PTR[rcx],xmm0 + movups XMMWORD PTR[r8],xmm1 + lea r8,QWORD PTR[16+r8] + lea rcx,QWORD PTR[((-16))+rcx] + +$L$dec_key_inverse:: + movups xmm0,XMMWORD PTR[r8] + movups xmm1,XMMWORD PTR[rcx] + aesimc xmm0,xmm0 + aesimc xmm1,xmm1 + lea r8,QWORD PTR[16+r8] + lea rcx,QWORD PTR[((-16))+rcx] + movups XMMWORD PTR[16+rcx],xmm0 + movups XMMWORD PTR[(-16)+r8],xmm1 + cmp rcx,r8 + ja $L$dec_key_inverse + + movups xmm0,XMMWORD 
PTR[r8] + aesimc xmm0,xmm0 + movups XMMWORD PTR[rcx],xmm0 +$L$dec_key_ret:: + add rsp,8 + DB 0F3h,0C3h ;repret +$L$SEH_end_set_decrypt_key:: +aesni_set_decrypt_key ENDP +PUBLIC aesni_set_encrypt_key + +ALIGN 16 +aesni_set_encrypt_key PROC PUBLIC +__aesni_set_encrypt_key:: + sub rsp,8 + mov rax,-1 + test rcx,rcx + jz $L$enc_key_ret + test r8,r8 + jz $L$enc_key_ret + + movups xmm0,XMMWORD PTR[rcx] + xorps xmm4,xmm4 + lea rax,QWORD PTR[16+r8] + cmp edx,256 + je $L$14rounds + cmp edx,192 + je $L$12rounds + cmp edx,128 + jne $L$bad_keybits + +$L$10rounds:: + mov edx,9 + movups XMMWORD PTR[r8],xmm0 + aeskeygenassist xmm1,xmm0,01h + call $L$key_expansion_128_cold + aeskeygenassist xmm1,xmm0,02h + call $L$key_expansion_128 + aeskeygenassist xmm1,xmm0,04h + call $L$key_expansion_128 + aeskeygenassist xmm1,xmm0,08h + call $L$key_expansion_128 + aeskeygenassist xmm1,xmm0,010h + call $L$key_expansion_128 + aeskeygenassist xmm1,xmm0,020h + call $L$key_expansion_128 + aeskeygenassist xmm1,xmm0,040h + call $L$key_expansion_128 + aeskeygenassist xmm1,xmm0,080h + call $L$key_expansion_128 + aeskeygenassist xmm1,xmm0,01bh + call $L$key_expansion_128 + aeskeygenassist xmm1,xmm0,036h + call $L$key_expansion_128 + movups XMMWORD PTR[rax],xmm0 + mov DWORD PTR[80+rax],edx + xor eax,eax + jmp $L$enc_key_ret + +ALIGN 16 +$L$12rounds:: + movq xmm2,QWORD PTR[16+rcx] + mov edx,11 + movups XMMWORD PTR[r8],xmm0 + aeskeygenassist xmm1,xmm2,01h + call $L$key_expansion_192a_cold + aeskeygenassist xmm1,xmm2,02h + call $L$key_expansion_192b + aeskeygenassist xmm1,xmm2,04h + call $L$key_expansion_192a + aeskeygenassist xmm1,xmm2,08h + call $L$key_expansion_192b + aeskeygenassist xmm1,xmm2,010h + call $L$key_expansion_192a + aeskeygenassist xmm1,xmm2,020h + call $L$key_expansion_192b + aeskeygenassist xmm1,xmm2,040h + call $L$key_expansion_192a + aeskeygenassist xmm1,xmm2,080h + call $L$key_expansion_192b + movups XMMWORD PTR[rax],xmm0 + mov DWORD PTR[48+rax],edx + xor rax,rax + jmp $L$enc_key_ret + 
+ALIGN 16 +$L$14rounds:: + movups xmm2,XMMWORD PTR[16+rcx] + mov edx,13 + lea rax,QWORD PTR[16+rax] + movups XMMWORD PTR[r8],xmm0 + movups XMMWORD PTR[16+r8],xmm2 + aeskeygenassist xmm1,xmm2,01h + call $L$key_expansion_256a_cold + aeskeygenassist xmm1,xmm0,01h + call $L$key_expansion_256b + aeskeygenassist xmm1,xmm2,02h + call $L$key_expansion_256a + aeskeygenassist xmm1,xmm0,02h + call $L$key_expansion_256b + aeskeygenassist xmm1,xmm2,04h + call $L$key_expansion_256a + aeskeygenassist xmm1,xmm0,04h + call $L$key_expansion_256b + aeskeygenassist xmm1,xmm2,08h + call $L$key_expansion_256a + aeskeygenassist xmm1,xmm0,08h + call $L$key_expansion_256b + aeskeygenassist xmm1,xmm2,010h + call $L$key_expansion_256a + aeskeygenassist xmm1,xmm0,010h + call $L$key_expansion_256b + aeskeygenassist xmm1,xmm2,020h + call $L$key_expansion_256a + aeskeygenassist xmm1,xmm0,020h + call $L$key_expansion_256b + aeskeygenassist xmm1,xmm2,040h + call $L$key_expansion_256a + movups XMMWORD PTR[rax],xmm0 + mov DWORD PTR[16+rax],edx + xor rax,rax + jmp $L$enc_key_ret + +ALIGN 16 +$L$bad_keybits:: + mov rax,-2 +$L$enc_key_ret:: + add rsp,8 + DB 0F3h,0C3h ;repret +$L$SEH_end_set_encrypt_key:: + +ALIGN 16 +$L$key_expansion_128:: + movups XMMWORD PTR[rax],xmm0 + lea rax,QWORD PTR[16+rax] +$L$key_expansion_128_cold:: + shufps xmm4,xmm0,16 + xorps xmm0,xmm4 + shufps xmm4,xmm0,140 + xorps xmm0,xmm4 + shufps xmm1,xmm1,255 + xorps xmm0,xmm1 + DB 0F3h,0C3h ;repret + +ALIGN 16 +$L$key_expansion_192a:: + movups XMMWORD PTR[rax],xmm0 + lea rax,QWORD PTR[16+rax] +$L$key_expansion_192a_cold:: + movaps xmm5,xmm2 +$L$key_expansion_192b_warm:: + shufps xmm4,xmm0,16 + movdqa xmm3,xmm2 + xorps xmm0,xmm4 + shufps xmm4,xmm0,140 + pslldq xmm3,4 + xorps xmm0,xmm4 + pshufd xmm1,xmm1,85 + pxor xmm2,xmm3 + pxor xmm0,xmm1 + pshufd xmm3,xmm0,255 + pxor xmm2,xmm3 + DB 0F3h,0C3h ;repret + +ALIGN 16 +$L$key_expansion_192b:: + movaps xmm3,xmm0 + shufps xmm5,xmm0,68 + movups XMMWORD PTR[rax],xmm5 + shufps xmm3,xmm2,78 + 
movups XMMWORD PTR[16+rax],xmm3 + lea rax,QWORD PTR[32+rax] + jmp $L$key_expansion_192b_warm + +ALIGN 16 +$L$key_expansion_256a:: + movups XMMWORD PTR[rax],xmm2 + lea rax,QWORD PTR[16+rax] +$L$key_expansion_256a_cold:: + shufps xmm4,xmm0,16 + xorps xmm0,xmm4 + shufps xmm4,xmm0,140 + xorps xmm0,xmm4 + shufps xmm1,xmm1,255 + xorps xmm0,xmm1 + DB 0F3h,0C3h ;repret + +ALIGN 16 +$L$key_expansion_256b:: + movups XMMWORD PTR[rax],xmm0 + lea rax,QWORD PTR[16+rax] + + shufps xmm4,xmm2,16 + xorps xmm2,xmm4 + shufps xmm4,xmm2,140 + xorps xmm2,xmm4 + shufps xmm1,xmm1,170 + xorps xmm2,xmm1 + DB 0F3h,0C3h ;repret +aesni_set_encrypt_key ENDP + +ALIGN 64 +$L$bswap_mask:: +DB 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 +$L$increment32:: + DD 6,6,6,0 +$L$increment64:: + DD 1,0,0,0 +$L$xts_magic:: + DD 087h,0,1,0 + +DB 65,69,83,32,102,111,114,32,73,110,116,101,108,32,65,69 +DB 83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83 +DB 32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115 +DB 115,108,46,111,114,103,62,0 +ALIGN 64 +EXTERN __imp_RtlVirtualUnwind:NEAR + +ALIGN 16 +ecb_se_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[152+r8] + + jmp $L$common_seh_tail +ecb_se_handler ENDP + + +ALIGN 16 +ccm64_se_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[120+r8] + mov rbx,QWORD PTR[248+r8] + + mov rsi,QWORD PTR[8+r9] + mov r11,QWORD PTR[56+r9] + + mov r10d,DWORD PTR[r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jb $L$common_seh_tail + + mov rax,QWORD PTR[152+r8] + + mov r10d,DWORD PTR[4+r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jae $L$common_seh_tail + + lea rsi,QWORD PTR[rax] + lea rdi,QWORD PTR[512+r8] + mov ecx,8 + DD 0a548f3fch + lea rax,QWORD PTR[88+rax] + + jmp $L$common_seh_tail +ccm64_se_handler ENDP + + +ALIGN 16 +ctr32_se_handler PROC PRIVATE + push rsi + 
push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[120+r8] + mov rbx,QWORD PTR[248+r8] + + lea r10,QWORD PTR[$L$ctr32_body] + cmp rbx,r10 + jb $L$common_seh_tail + + mov rax,QWORD PTR[152+r8] + + lea r10,QWORD PTR[$L$ctr32_ret] + cmp rbx,r10 + jae $L$common_seh_tail + + lea rsi,QWORD PTR[32+rax] + lea rdi,QWORD PTR[512+r8] + mov ecx,20 + DD 0a548f3fch + lea rax,QWORD PTR[200+rax] + + jmp $L$common_seh_tail +ctr32_se_handler ENDP + + +ALIGN 16 +xts_se_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[120+r8] + mov rbx,QWORD PTR[248+r8] + + mov rsi,QWORD PTR[8+r9] + mov r11,QWORD PTR[56+r9] + + mov r10d,DWORD PTR[r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jb $L$common_seh_tail + + mov rax,QWORD PTR[152+r8] + + mov r10d,DWORD PTR[4+r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jae $L$common_seh_tail + + lea rsi,QWORD PTR[96+rax] + lea rdi,QWORD PTR[512+r8] + mov ecx,20 + DD 0a548f3fch + lea rax,QWORD PTR[((104+160))+rax] + + jmp $L$common_seh_tail +xts_se_handler ENDP + +ALIGN 16 +cbc_se_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[152+r8] + mov rbx,QWORD PTR[248+r8] + + lea r10,QWORD PTR[$L$cbc_decrypt] + cmp rbx,r10 + jb $L$common_seh_tail + + lea r10,QWORD PTR[$L$cbc_decrypt_body] + cmp rbx,r10 + jb $L$restore_cbc_rax + + lea r10,QWORD PTR[$L$cbc_ret] + cmp rbx,r10 + jae $L$common_seh_tail + + lea rsi,QWORD PTR[rax] + lea rdi,QWORD PTR[512+r8] + mov ecx,8 + DD 0a548f3fch + lea rax,QWORD PTR[88+rax] + jmp $L$common_seh_tail + +$L$restore_cbc_rax:: + mov rax,QWORD PTR[120+r8] + +$L$common_seh_tail:: + mov rdi,QWORD PTR[8+rax] + mov rsi,QWORD PTR[16+rax] + mov QWORD PTR[152+r8],rax + mov QWORD PTR[168+r8],rsi + mov QWORD PTR[176+r8],rdi + + mov rdi,QWORD PTR[40+r9] + mov rsi,r8 + 
mov ecx,154 + DD 0a548f3fch + + mov rsi,r9 + xor rcx,rcx + mov rdx,QWORD PTR[8+rsi] + mov r8,QWORD PTR[rsi] + mov r9,QWORD PTR[16+rsi] + mov r10,QWORD PTR[40+rsi] + lea r11,QWORD PTR[56+rsi] + lea r12,QWORD PTR[24+rsi] + mov QWORD PTR[32+rsp],r10 + mov QWORD PTR[40+rsp],r11 + mov QWORD PTR[48+rsp],r12 + mov QWORD PTR[56+rsp],rcx + call QWORD PTR[__imp_RtlVirtualUnwind] + + mov eax,1 + add rsp,64 + popfq + pop r15 + pop r14 + pop r13 + pop r12 + pop rbp + pop rbx + pop rdi + pop rsi + DB 0F3h,0C3h ;repret +cbc_se_handler ENDP + +.text$ ENDS +.pdata SEGMENT READONLY ALIGN(4) +ALIGN 4 + DD imagerel $L$SEH_begin_aesni_ecb_encrypt + DD imagerel $L$SEH_end_aesni_ecb_encrypt + DD imagerel $L$SEH_info_ecb + + DD imagerel $L$SEH_begin_aesni_ccm64_encrypt_blocks + DD imagerel $L$SEH_end_aesni_ccm64_encrypt_blocks + DD imagerel $L$SEH_info_ccm64_enc + + DD imagerel $L$SEH_begin_aesni_ccm64_decrypt_blocks + DD imagerel $L$SEH_end_aesni_ccm64_decrypt_blocks + DD imagerel $L$SEH_info_ccm64_dec + + DD imagerel $L$SEH_begin_aesni_ctr32_encrypt_blocks + DD imagerel $L$SEH_end_aesni_ctr32_encrypt_blocks + DD imagerel $L$SEH_info_ctr32 + + DD imagerel $L$SEH_begin_aesni_xts_encrypt + DD imagerel $L$SEH_end_aesni_xts_encrypt + DD imagerel $L$SEH_info_xts_enc + + DD imagerel $L$SEH_begin_aesni_xts_decrypt + DD imagerel $L$SEH_end_aesni_xts_decrypt + DD imagerel $L$SEH_info_xts_dec + DD imagerel $L$SEH_begin_aesni_cbc_encrypt + DD imagerel $L$SEH_end_aesni_cbc_encrypt + DD imagerel $L$SEH_info_cbc + + DD imagerel aesni_set_decrypt_key + DD imagerel $L$SEH_end_set_decrypt_key + DD imagerel $L$SEH_info_key + + DD imagerel aesni_set_encrypt_key + DD imagerel $L$SEH_end_set_encrypt_key + DD imagerel $L$SEH_info_key +.pdata ENDS +.xdata SEGMENT READONLY ALIGN(8) +ALIGN 8 +$L$SEH_info_ecb:: +DB 9,0,0,0 + DD imagerel ecb_se_handler +$L$SEH_info_ccm64_enc:: +DB 9,0,0,0 + DD imagerel ccm64_se_handler + DD imagerel $L$ccm64_enc_body,imagerel $L$ccm64_enc_ret +$L$SEH_info_ccm64_dec:: +DB 9,0,0,0 + 
DD imagerel ccm64_se_handler + DD imagerel $L$ccm64_dec_body,imagerel $L$ccm64_dec_ret +$L$SEH_info_ctr32:: +DB 9,0,0,0 + DD imagerel ctr32_se_handler +$L$SEH_info_xts_enc:: +DB 9,0,0,0 + DD imagerel xts_se_handler + DD imagerel $L$xts_enc_body,imagerel $L$xts_enc_epilogue +$L$SEH_info_xts_dec:: +DB 9,0,0,0 + DD imagerel xts_se_handler + DD imagerel $L$xts_dec_body,imagerel $L$xts_dec_epilogue +$L$SEH_info_cbc:: +DB 9,0,0,0 + DD imagerel cbc_se_handler +$L$SEH_info_key:: +DB 001h,004h,001h,000h +DB 004h,002h,000h,000h + +.xdata ENDS +END + diff --git a/crypto/aes/aesni-mingw64-x86_64.S b/crypto/aes/aesni-mingw64-x86_64.S new file mode 100644 index 0000000..0a82a10 --- /dev/null +++ b/crypto/aes/aesni-mingw64-x86_64.S 
@@ -0,0 +1,3008 @@ +#include "x86_arch.h" +.text +.globl aesni_encrypt +.def aesni_encrypt; .scl 2; .type 32; .endef +.p2align 4 +aesni_encrypt: + movups (%rcx),%xmm2 + movl 240(%r8),%eax + movups (%r8),%xmm0 + movups 16(%r8),%xmm1 + leaq 32(%r8),%r8 + xorps %xmm0,%xmm2 +.Loop_enc1_1: + aesenc %xmm1,%xmm2 + decl %eax + movups (%r8),%xmm1 + leaq 16(%r8),%r8 + jnz .Loop_enc1_1 + aesenclast %xmm1,%xmm2 + movups %xmm2,(%rdx) + retq + + +.globl aesni_decrypt +.def aesni_decrypt; .scl 2; .type 32; .endef +.p2align 4 +aesni_decrypt: + movups (%rcx),%xmm2 + movl 240(%r8),%eax + movups (%r8),%xmm0 + movups 16(%r8),%xmm1 + leaq 32(%r8),%r8 + xorps %xmm0,%xmm2 +.Loop_dec1_2: + aesdec %xmm1,%xmm2 + decl %eax + movups (%r8),%xmm1 + leaq 16(%r8),%r8 + jnz .Loop_dec1_2 + aesdeclast %xmm1,%xmm2 + movups %xmm2,(%rdx) + retq + +.def _aesni_encrypt3; .scl 3; .type 32; .endef +.p2align 4 +_aesni_encrypt3: + movups (%rcx),%xmm0 + shrl $1,%eax + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 + xorps %xmm0,%xmm3 + xorps %xmm0,%xmm4 + movups (%rcx),%xmm0 + +.Lenc_loop3: + aesenc %xmm1,%xmm2 + aesenc %xmm1,%xmm3 + decl %eax + aesenc %xmm1,%xmm4 + movups 16(%rcx),%xmm1 + aesenc %xmm0,%xmm2 + aesenc %xmm0,%xmm3 + leaq 32(%rcx),%rcx + aesenc %xmm0,%xmm4 + movups (%rcx),%xmm0 + jnz .Lenc_loop3 + + aesenc %xmm1,%xmm2 + aesenc %xmm1,%xmm3 + aesenc %xmm1,%xmm4 + aesenclast %xmm0,%xmm2 + aesenclast %xmm0,%xmm3 + aesenclast %xmm0,%xmm4 + retq + +.def _aesni_decrypt3; .scl 3; .type 32; .endef +.p2align 4 +_aesni_decrypt3: + movups (%rcx),%xmm0 + shrl $1,%eax + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 + xorps %xmm0,%xmm3 + xorps %xmm0,%xmm4 + movups (%rcx),%xmm0 + +.Ldec_loop3: + aesdec %xmm1,%xmm2 + aesdec %xmm1,%xmm3 + decl %eax + aesdec %xmm1,%xmm4 + movups 16(%rcx),%xmm1 + aesdec %xmm0,%xmm2 + aesdec %xmm0,%xmm3 + leaq 32(%rcx),%rcx + aesdec %xmm0,%xmm4 + movups (%rcx),%xmm0 + jnz .Ldec_loop3 + + aesdec %xmm1,%xmm2 + aesdec %xmm1,%xmm3 + aesdec %xmm1,%xmm4 + 
aesdeclast %xmm0,%xmm2 + aesdeclast %xmm0,%xmm3 + aesdeclast %xmm0,%xmm4 + retq + +.def _aesni_encrypt4; .scl 3; .type 32; .endef +.p2align 4 +_aesni_encrypt4: + movups (%rcx),%xmm0 + shrl $1,%eax + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 + xorps %xmm0,%xmm3 + xorps %xmm0,%xmm4 + xorps %xmm0,%xmm5 + movups (%rcx),%xmm0 + +.Lenc_loop4: + aesenc %xmm1,%xmm2 + aesenc %xmm1,%xmm3 + decl %eax + aesenc %xmm1,%xmm4 + aesenc %xmm1,%xmm5 + movups 16(%rcx),%xmm1 + aesenc %xmm0,%xmm2 + aesenc %xmm0,%xmm3 + leaq 32(%rcx),%rcx + aesenc %xmm0,%xmm4 + aesenc %xmm0,%xmm5 + movups (%rcx),%xmm0 + jnz .Lenc_loop4 + + aesenc %xmm1,%xmm2 + aesenc %xmm1,%xmm3 + aesenc %xmm1,%xmm4 + aesenc %xmm1,%xmm5 + aesenclast %xmm0,%xmm2 + aesenclast %xmm0,%xmm3 + aesenclast %xmm0,%xmm4 + aesenclast %xmm0,%xmm5 + retq + +.def _aesni_decrypt4; .scl 3; .type 32; .endef +.p2align 4 +_aesni_decrypt4: + movups (%rcx),%xmm0 + shrl $1,%eax + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 + xorps %xmm0,%xmm3 + xorps %xmm0,%xmm4 + xorps %xmm0,%xmm5 + movups (%rcx),%xmm0 + +.Ldec_loop4: + aesdec %xmm1,%xmm2 + aesdec %xmm1,%xmm3 + decl %eax + aesdec %xmm1,%xmm4 + aesdec %xmm1,%xmm5 + movups 16(%rcx),%xmm1 + aesdec %xmm0,%xmm2 + aesdec %xmm0,%xmm3 + leaq 32(%rcx),%rcx + aesdec %xmm0,%xmm4 + aesdec %xmm0,%xmm5 + movups (%rcx),%xmm0 + jnz .Ldec_loop4 + + aesdec %xmm1,%xmm2 + aesdec %xmm1,%xmm3 + aesdec %xmm1,%xmm4 + aesdec %xmm1,%xmm5 + aesdeclast %xmm0,%xmm2 + aesdeclast %xmm0,%xmm3 + aesdeclast %xmm0,%xmm4 + aesdeclast %xmm0,%xmm5 + retq + +.def _aesni_encrypt6; .scl 3; .type 32; .endef +.p2align 4 +_aesni_encrypt6: + movups (%rcx),%xmm0 + shrl $1,%eax + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 + pxor %xmm0,%xmm3 + aesenc %xmm1,%xmm2 + pxor %xmm0,%xmm4 + aesenc %xmm1,%xmm3 + pxor %xmm0,%xmm5 + aesenc %xmm1,%xmm4 + pxor %xmm0,%xmm6 + aesenc %xmm1,%xmm5 + pxor %xmm0,%xmm7 + decl %eax + aesenc %xmm1,%xmm6 + movups (%rcx),%xmm0 + aesenc %xmm1,%xmm7 + jmp 
.Lenc_loop6_enter +.p2align 4 +.Lenc_loop6: + aesenc %xmm1,%xmm2 + aesenc %xmm1,%xmm3 + decl %eax + aesenc %xmm1,%xmm4 + aesenc %xmm1,%xmm5 + aesenc %xmm1,%xmm6 + aesenc %xmm1,%xmm7 +.Lenc_loop6_enter: + movups 16(%rcx),%xmm1 + aesenc %xmm0,%xmm2 + aesenc %xmm0,%xmm3 + leaq 32(%rcx),%rcx + aesenc %xmm0,%xmm4 + aesenc %xmm0,%xmm5 + aesenc %xmm0,%xmm6 + aesenc %xmm0,%xmm7 + movups (%rcx),%xmm0 + jnz .Lenc_loop6 + + aesenc %xmm1,%xmm2 + aesenc %xmm1,%xmm3 + aesenc %xmm1,%xmm4 + aesenc %xmm1,%xmm5 + aesenc %xmm1,%xmm6 + aesenc %xmm1,%xmm7 + aesenclast %xmm0,%xmm2 + aesenclast %xmm0,%xmm3 + aesenclast %xmm0,%xmm4 + aesenclast %xmm0,%xmm5 + aesenclast %xmm0,%xmm6 + aesenclast %xmm0,%xmm7 + retq + +.def _aesni_decrypt6; .scl 3; .type 32; .endef +.p2align 4 +_aesni_decrypt6: + movups (%rcx),%xmm0 + shrl $1,%eax + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 + pxor %xmm0,%xmm3 + aesdec %xmm1,%xmm2 + pxor %xmm0,%xmm4 + aesdec %xmm1,%xmm3 + pxor %xmm0,%xmm5 + aesdec %xmm1,%xmm4 + pxor %xmm0,%xmm6 + aesdec %xmm1,%xmm5 + pxor %xmm0,%xmm7 + decl %eax + aesdec %xmm1,%xmm6 + movups (%rcx),%xmm0 + aesdec %xmm1,%xmm7 + jmp .Ldec_loop6_enter +.p2align 4 +.Ldec_loop6: + aesdec %xmm1,%xmm2 + aesdec %xmm1,%xmm3 + decl %eax + aesdec %xmm1,%xmm4 + aesdec %xmm1,%xmm5 + aesdec %xmm1,%xmm6 + aesdec %xmm1,%xmm7 +.Ldec_loop6_enter: + movups 16(%rcx),%xmm1 + aesdec %xmm0,%xmm2 + aesdec %xmm0,%xmm3 + leaq 32(%rcx),%rcx + aesdec %xmm0,%xmm4 + aesdec %xmm0,%xmm5 + aesdec %xmm0,%xmm6 + aesdec %xmm0,%xmm7 + movups (%rcx),%xmm0 + jnz .Ldec_loop6 + + aesdec %xmm1,%xmm2 + aesdec %xmm1,%xmm3 + aesdec %xmm1,%xmm4 + aesdec %xmm1,%xmm5 + aesdec %xmm1,%xmm6 + aesdec %xmm1,%xmm7 + aesdeclast %xmm0,%xmm2 + aesdeclast %xmm0,%xmm3 + aesdeclast %xmm0,%xmm4 + aesdeclast %xmm0,%xmm5 + aesdeclast %xmm0,%xmm6 + aesdeclast %xmm0,%xmm7 + retq + +.def _aesni_encrypt8; .scl 3; .type 32; .endef +.p2align 4 +_aesni_encrypt8: + movups (%rcx),%xmm0 + shrl $1,%eax + movups 16(%rcx),%xmm1 + leaq 
32(%rcx),%rcx + xorps %xmm0,%xmm2 + xorps %xmm0,%xmm3 + aesenc %xmm1,%xmm2 + pxor %xmm0,%xmm4 + aesenc %xmm1,%xmm3 + pxor %xmm0,%xmm5 + aesenc %xmm1,%xmm4 + pxor %xmm0,%xmm6 + aesenc %xmm1,%xmm5 + pxor %xmm0,%xmm7 + decl %eax + aesenc %xmm1,%xmm6 + pxor %xmm0,%xmm8 + aesenc %xmm1,%xmm7 + pxor %xmm0,%xmm9 + movups (%rcx),%xmm0 + aesenc %xmm1,%xmm8 + aesenc %xmm1,%xmm9 + movups 16(%rcx),%xmm1 + jmp .Lenc_loop8_enter +.p2align 4 +.Lenc_loop8: + aesenc %xmm1,%xmm2 + aesenc %xmm1,%xmm3 + decl %eax + aesenc %xmm1,%xmm4 + aesenc %xmm1,%xmm5 + aesenc %xmm1,%xmm6 + aesenc %xmm1,%xmm7 + aesenc %xmm1,%xmm8 + aesenc %xmm1,%xmm9 + movups 16(%rcx),%xmm1 +.Lenc_loop8_enter: + aesenc %xmm0,%xmm2 + aesenc %xmm0,%xmm3 + leaq 32(%rcx),%rcx + aesenc %xmm0,%xmm4 + aesenc %xmm0,%xmm5 + aesenc %xmm0,%xmm6 + aesenc %xmm0,%xmm7 + aesenc %xmm0,%xmm8 + aesenc %xmm0,%xmm9 + movups (%rcx),%xmm0 + jnz .Lenc_loop8 + + aesenc %xmm1,%xmm2 + aesenc %xmm1,%xmm3 + aesenc %xmm1,%xmm4 + aesenc %xmm1,%xmm5 + aesenc %xmm1,%xmm6 + aesenc %xmm1,%xmm7 + aesenc %xmm1,%xmm8 + aesenc %xmm1,%xmm9 + aesenclast %xmm0,%xmm2 + aesenclast %xmm0,%xmm3 + aesenclast %xmm0,%xmm4 + aesenclast %xmm0,%xmm5 + aesenclast %xmm0,%xmm6 + aesenclast %xmm0,%xmm7 + aesenclast %xmm0,%xmm8 + aesenclast %xmm0,%xmm9 + retq + +.def _aesni_decrypt8; .scl 3; .type 32; .endef +.p2align 4 +_aesni_decrypt8: + movups (%rcx),%xmm0 + shrl $1,%eax + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 + xorps %xmm0,%xmm3 + aesdec %xmm1,%xmm2 + pxor %xmm0,%xmm4 + aesdec %xmm1,%xmm3 + pxor %xmm0,%xmm5 + aesdec %xmm1,%xmm4 + pxor %xmm0,%xmm6 + aesdec %xmm1,%xmm5 + pxor %xmm0,%xmm7 + decl %eax + aesdec %xmm1,%xmm6 + pxor %xmm0,%xmm8 + aesdec %xmm1,%xmm7 + pxor %xmm0,%xmm9 + movups (%rcx),%xmm0 + aesdec %xmm1,%xmm8 + aesdec %xmm1,%xmm9 + movups 16(%rcx),%xmm1 + jmp .Ldec_loop8_enter +.p2align 4 +.Ldec_loop8: + aesdec %xmm1,%xmm2 + aesdec %xmm1,%xmm3 + decl %eax + aesdec %xmm1,%xmm4 + aesdec %xmm1,%xmm5 + aesdec %xmm1,%xmm6 + aesdec 
%xmm1,%xmm7 + aesdec %xmm1,%xmm8 + aesdec %xmm1,%xmm9 + movups 16(%rcx),%xmm1 +.Ldec_loop8_enter: + aesdec %xmm0,%xmm2 + aesdec %xmm0,%xmm3 + leaq 32(%rcx),%rcx + aesdec %xmm0,%xmm4 + aesdec %xmm0,%xmm5 + aesdec %xmm0,%xmm6 + aesdec %xmm0,%xmm7 + aesdec %xmm0,%xmm8 + aesdec %xmm0,%xmm9 + movups (%rcx),%xmm0 + jnz .Ldec_loop8 + + aesdec %xmm1,%xmm2 + aesdec %xmm1,%xmm3 + aesdec %xmm1,%xmm4 + aesdec %xmm1,%xmm5 + aesdec %xmm1,%xmm6 + aesdec %xmm1,%xmm7 + aesdec %xmm1,%xmm8 + aesdec %xmm1,%xmm9 + aesdeclast %xmm0,%xmm2 + aesdeclast %xmm0,%xmm3 + aesdeclast %xmm0,%xmm4 + aesdeclast %xmm0,%xmm5 + aesdeclast %xmm0,%xmm6 + aesdeclast %xmm0,%xmm7 + aesdeclast %xmm0,%xmm8 + aesdeclast %xmm0,%xmm9 + retq + +.globl aesni_ecb_encrypt +.def aesni_ecb_encrypt; .scl 2; .type 32; .endef +.p2align 4 +aesni_ecb_encrypt: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_aesni_ecb_encrypt: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + movq 40(%rsp),%r8 + + andq $-16,%rdx + jz .Lecb_ret + + movl 240(%rcx),%eax + movups (%rcx),%xmm0 + movq %rcx,%r11 + movl %eax,%r10d + testl %r8d,%r8d + jz .Lecb_decrypt + + cmpq $128,%rdx + jb .Lecb_enc_tail + + movdqu (%rdi),%xmm2 + movdqu 16(%rdi),%xmm3 + movdqu 32(%rdi),%xmm4 + movdqu 48(%rdi),%xmm5 + movdqu 64(%rdi),%xmm6 + movdqu 80(%rdi),%xmm7 + movdqu 96(%rdi),%xmm8 + movdqu 112(%rdi),%xmm9 + leaq 128(%rdi),%rdi + subq $128,%rdx + jmp .Lecb_enc_loop8_enter +.p2align 4 +.Lecb_enc_loop8: + movups %xmm2,(%rsi) + movq %r11,%rcx + movdqu (%rdi),%xmm2 + movl %r10d,%eax + movups %xmm3,16(%rsi) + movdqu 16(%rdi),%xmm3 + movups %xmm4,32(%rsi) + movdqu 32(%rdi),%xmm4 + movups %xmm5,48(%rsi) + movdqu 48(%rdi),%xmm5 + movups %xmm6,64(%rsi) + movdqu 64(%rdi),%xmm6 + movups %xmm7,80(%rsi) + movdqu 80(%rdi),%xmm7 + movups %xmm8,96(%rsi) + movdqu 96(%rdi),%xmm8 + movups %xmm9,112(%rsi) + leaq 128(%rsi),%rsi + movdqu 112(%rdi),%xmm9 + leaq 128(%rdi),%rdi +.Lecb_enc_loop8_enter: + + call _aesni_encrypt8 + + subq $128,%rdx 
+ jnc .Lecb_enc_loop8 + + movups %xmm2,(%rsi) + movq %r11,%rcx + movups %xmm3,16(%rsi) + movl %r10d,%eax + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + movups %xmm6,64(%rsi) + movups %xmm7,80(%rsi) + movups %xmm8,96(%rsi) + movups %xmm9,112(%rsi) + leaq 128(%rsi),%rsi + addq $128,%rdx + jz .Lecb_ret + +.Lecb_enc_tail: + movups (%rdi),%xmm2 + cmpq $32,%rdx + jb .Lecb_enc_one + movups 16(%rdi),%xmm3 + je .Lecb_enc_two + movups 32(%rdi),%xmm4 + cmpq $64,%rdx + jb .Lecb_enc_three + movups 48(%rdi),%xmm5 + je .Lecb_enc_four + movups 64(%rdi),%xmm6 + cmpq $96,%rdx + jb .Lecb_enc_five + movups 80(%rdi),%xmm7 + je .Lecb_enc_six + movdqu 96(%rdi),%xmm8 + call _aesni_encrypt8 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + movups %xmm6,64(%rsi) + movups %xmm7,80(%rsi) + movups %xmm8,96(%rsi) + jmp .Lecb_ret +.p2align 4 +.Lecb_enc_one: + movups (%rcx),%xmm0 + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 +.Loop_enc1_3: + aesenc %xmm1,%xmm2 + decl %eax + movups (%rcx),%xmm1 + leaq 16(%rcx),%rcx + jnz .Loop_enc1_3 + aesenclast %xmm1,%xmm2 + movups %xmm2,(%rsi) + jmp .Lecb_ret +.p2align 4 +.Lecb_enc_two: + xorps %xmm4,%xmm4 + call _aesni_encrypt3 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + jmp .Lecb_ret +.p2align 4 +.Lecb_enc_three: + call _aesni_encrypt3 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + jmp .Lecb_ret +.p2align 4 +.Lecb_enc_four: + call _aesni_encrypt4 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + jmp .Lecb_ret +.p2align 4 +.Lecb_enc_five: + xorps %xmm7,%xmm7 + call _aesni_encrypt6 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + movups %xmm6,64(%rsi) + jmp .Lecb_ret +.p2align 4 +.Lecb_enc_six: + call _aesni_encrypt6 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + movups %xmm6,64(%rsi) + movups %xmm7,80(%rsi) + jmp .Lecb_ret + 
+.p2align 4 +.Lecb_decrypt: + cmpq $128,%rdx + jb .Lecb_dec_tail + + movdqu (%rdi),%xmm2 + movdqu 16(%rdi),%xmm3 + movdqu 32(%rdi),%xmm4 + movdqu 48(%rdi),%xmm5 + movdqu 64(%rdi),%xmm6 + movdqu 80(%rdi),%xmm7 + movdqu 96(%rdi),%xmm8 + movdqu 112(%rdi),%xmm9 + leaq 128(%rdi),%rdi + subq $128,%rdx + jmp .Lecb_dec_loop8_enter +.p2align 4 +.Lecb_dec_loop8: + movups %xmm2,(%rsi) + movq %r11,%rcx + movdqu (%rdi),%xmm2 + movl %r10d,%eax + movups %xmm3,16(%rsi) + movdqu 16(%rdi),%xmm3 + movups %xmm4,32(%rsi) + movdqu 32(%rdi),%xmm4 + movups %xmm5,48(%rsi) + movdqu 48(%rdi),%xmm5 + movups %xmm6,64(%rsi) + movdqu 64(%rdi),%xmm6 + movups %xmm7,80(%rsi) + movdqu 80(%rdi),%xmm7 + movups %xmm8,96(%rsi) + movdqu 96(%rdi),%xmm8 + movups %xmm9,112(%rsi) + leaq 128(%rsi),%rsi + movdqu 112(%rdi),%xmm9 + leaq 128(%rdi),%rdi +.Lecb_dec_loop8_enter: + + call _aesni_decrypt8 + + movups (%r11),%xmm0 + subq $128,%rdx + jnc .Lecb_dec_loop8 + + movups %xmm2,(%rsi) + movq %r11,%rcx + movups %xmm3,16(%rsi) + movl %r10d,%eax + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + movups %xmm6,64(%rsi) + movups %xmm7,80(%rsi) + movups %xmm8,96(%rsi) + movups %xmm9,112(%rsi) + leaq 128(%rsi),%rsi + addq $128,%rdx + jz .Lecb_ret + +.Lecb_dec_tail: + movups (%rdi),%xmm2 + cmpq $32,%rdx + jb .Lecb_dec_one + movups 16(%rdi),%xmm3 + je .Lecb_dec_two + movups 32(%rdi),%xmm4 + cmpq $64,%rdx + jb .Lecb_dec_three + movups 48(%rdi),%xmm5 + je .Lecb_dec_four + movups 64(%rdi),%xmm6 + cmpq $96,%rdx + jb .Lecb_dec_five + movups 80(%rdi),%xmm7 + je .Lecb_dec_six + movups 96(%rdi),%xmm8 + movups (%rcx),%xmm0 + call _aesni_decrypt8 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + movups %xmm6,64(%rsi) + movups %xmm7,80(%rsi) + movups %xmm8,96(%rsi) + jmp .Lecb_ret +.p2align 4 +.Lecb_dec_one: + movups (%rcx),%xmm0 + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 +.Loop_dec1_4: + aesdec %xmm1,%xmm2 + decl %eax + movups (%rcx),%xmm1 + leaq 16(%rcx),%rcx + jnz 
.Loop_dec1_4 + aesdeclast %xmm1,%xmm2 + movups %xmm2,(%rsi) + jmp .Lecb_ret +.p2align 4 +.Lecb_dec_two: + xorps %xmm4,%xmm4 + call _aesni_decrypt3 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + jmp .Lecb_ret +.p2align 4 +.Lecb_dec_three: + call _aesni_decrypt3 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + jmp .Lecb_ret +.p2align 4 +.Lecb_dec_four: + call _aesni_decrypt4 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + jmp .Lecb_ret +.p2align 4 +.Lecb_dec_five: + xorps %xmm7,%xmm7 + call _aesni_decrypt6 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + movups %xmm6,64(%rsi) + jmp .Lecb_ret +.p2align 4 +.Lecb_dec_six: + call _aesni_decrypt6 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + movups %xmm6,64(%rsi) + movups %xmm7,80(%rsi) + +.Lecb_ret: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_aesni_ecb_encrypt: +.globl aesni_ccm64_encrypt_blocks +.def aesni_ccm64_encrypt_blocks; .scl 2; .type 32; .endef +.p2align 4 +aesni_ccm64_encrypt_blocks: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_aesni_ccm64_encrypt_blocks: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + movq 40(%rsp),%r8 + movq 48(%rsp),%r9 + + leaq -88(%rsp),%rsp + movaps %xmm6,(%rsp) + movaps %xmm7,16(%rsp) + movaps %xmm8,32(%rsp) + movaps %xmm9,48(%rsp) +.Lccm64_enc_body: + movl 240(%rcx),%eax + movdqu (%r8),%xmm9 + movdqa .Lincrement64(%rip),%xmm6 + movdqa .Lbswap_mask(%rip),%xmm7 + + shrl $1,%eax + leaq 0(%rcx),%r11 + movdqu (%r9),%xmm3 + movdqa %xmm9,%xmm2 + movl %eax,%r10d +.byte 102,68,15,56,0,207 + jmp .Lccm64_enc_outer +.p2align 4 +.Lccm64_enc_outer: + movups (%r11),%xmm0 + movl %r10d,%eax + movups (%rdi),%xmm8 + + xorps %xmm0,%xmm2 + movups 16(%r11),%xmm1 + xorps %xmm8,%xmm0 + leaq 32(%r11),%rcx + xorps %xmm0,%xmm3 + movups (%rcx),%xmm0 + +.Lccm64_enc2_loop: + aesenc 
%xmm1,%xmm2 + decl %eax + aesenc %xmm1,%xmm3 + movups 16(%rcx),%xmm1 + aesenc %xmm0,%xmm2 + leaq 32(%rcx),%rcx + aesenc %xmm0,%xmm3 + movups 0(%rcx),%xmm0 + jnz .Lccm64_enc2_loop + aesenc %xmm1,%xmm2 + aesenc %xmm1,%xmm3 + paddq %xmm6,%xmm9 + aesenclast %xmm0,%xmm2 + aesenclast %xmm0,%xmm3 + + decq %rdx + leaq 16(%rdi),%rdi + xorps %xmm2,%xmm8 + movdqa %xmm9,%xmm2 + movups %xmm8,(%rsi) + leaq 16(%rsi),%rsi +.byte 102,15,56,0,215 + jnz .Lccm64_enc_outer + + movups %xmm3,(%r9) + movaps (%rsp),%xmm6 + movaps 16(%rsp),%xmm7 + movaps 32(%rsp),%xmm8 + movaps 48(%rsp),%xmm9 + leaq 88(%rsp),%rsp +.Lccm64_enc_ret: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_aesni_ccm64_encrypt_blocks: +.globl aesni_ccm64_decrypt_blocks +.def aesni_ccm64_decrypt_blocks; .scl 2; .type 32; .endef +.p2align 4 +aesni_ccm64_decrypt_blocks: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_aesni_ccm64_decrypt_blocks: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + movq 40(%rsp),%r8 + movq 48(%rsp),%r9 + + leaq -88(%rsp),%rsp + movaps %xmm6,(%rsp) + movaps %xmm7,16(%rsp) + movaps %xmm8,32(%rsp) + movaps %xmm9,48(%rsp) +.Lccm64_dec_body: + movl 240(%rcx),%eax + movups (%r8),%xmm9 + movdqu (%r9),%xmm3 + movdqa .Lincrement64(%rip),%xmm6 + movdqa .Lbswap_mask(%rip),%xmm7 + + movaps %xmm9,%xmm2 + movl %eax,%r10d + movq %rcx,%r11 +.byte 102,68,15,56,0,207 + movups (%rcx),%xmm0 + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 +.Loop_enc1_5: + aesenc %xmm1,%xmm2 + decl %eax + movups (%rcx),%xmm1 + leaq 16(%rcx),%rcx + jnz .Loop_enc1_5 + aesenclast %xmm1,%xmm2 + movups (%rdi),%xmm8 + paddq %xmm6,%xmm9 + leaq 16(%rdi),%rdi + jmp .Lccm64_dec_outer +.p2align 4 +.Lccm64_dec_outer: + xorps %xmm2,%xmm8 + movdqa %xmm9,%xmm2 + movl %r10d,%eax + movups %xmm8,(%rsi) + leaq 16(%rsi),%rsi +.byte 102,15,56,0,215 + + subq $1,%rdx + jz .Lccm64_dec_break + + movups (%r11),%xmm0 + shrl $1,%eax + movups 16(%r11),%xmm1 + xorps %xmm0,%xmm8 + leaq 
32(%r11),%rcx + xorps %xmm0,%xmm2 + xorps %xmm8,%xmm3 + movups (%rcx),%xmm0 + +.Lccm64_dec2_loop: + aesenc %xmm1,%xmm2 + decl %eax + aesenc %xmm1,%xmm3 + movups 16(%rcx),%xmm1 + aesenc %xmm0,%xmm2 + leaq 32(%rcx),%rcx + aesenc %xmm0,%xmm3 + movups 0(%rcx),%xmm0 + jnz .Lccm64_dec2_loop + movups (%rdi),%xmm8 + paddq %xmm6,%xmm9 + aesenc %xmm1,%xmm2 + aesenc %xmm1,%xmm3 + leaq 16(%rdi),%rdi + aesenclast %xmm0,%xmm2 + aesenclast %xmm0,%xmm3 + jmp .Lccm64_dec_outer + +.p2align 4 +.Lccm64_dec_break: + + movups (%r11),%xmm0 + movups 16(%r11),%xmm1 + xorps %xmm0,%xmm8 + leaq 32(%r11),%r11 + xorps %xmm8,%xmm3 +.Loop_enc1_6: + aesenc %xmm1,%xmm3 + decl %eax + movups (%r11),%xmm1 + leaq 16(%r11),%r11 + jnz .Loop_enc1_6 + aesenclast %xmm1,%xmm3 + movups %xmm3,(%r9) + movaps (%rsp),%xmm6 + movaps 16(%rsp),%xmm7 + movaps 32(%rsp),%xmm8 + movaps 48(%rsp),%xmm9 + leaq 88(%rsp),%rsp +.Lccm64_dec_ret: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_aesni_ccm64_decrypt_blocks: +.globl aesni_ctr32_encrypt_blocks +.def aesni_ctr32_encrypt_blocks; .scl 2; .type 32; .endef +.p2align 4 +aesni_ctr32_encrypt_blocks: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_aesni_ctr32_encrypt_blocks: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + movq 40(%rsp),%r8 + + leaq -200(%rsp),%rsp + movaps %xmm6,32(%rsp) + movaps %xmm7,48(%rsp) + movaps %xmm8,64(%rsp) + movaps %xmm9,80(%rsp) + movaps %xmm10,96(%rsp) + movaps %xmm11,112(%rsp) + movaps %xmm12,128(%rsp) + movaps %xmm13,144(%rsp) + movaps %xmm14,160(%rsp) + movaps %xmm15,176(%rsp) +.Lctr32_body: + cmpq $1,%rdx + je .Lctr32_one_shortcut + + movdqu (%r8),%xmm14 + movdqa .Lbswap_mask(%rip),%xmm15 + xorl %eax,%eax +.byte 102,69,15,58,22,242,3 +.byte 102,68,15,58,34,240,3 + + movl 240(%rcx),%eax + bswapl %r10d + pxor %xmm12,%xmm12 + pxor %xmm13,%xmm13 +.byte 102,69,15,58,34,226,0 + leaq 3(%r10),%r11 +.byte 102,69,15,58,34,235,0 + incl %r10d +.byte 102,69,15,58,34,226,1 + incq %r11 +.byte 
102,69,15,58,34,235,1 + incl %r10d +.byte 102,69,15,58,34,226,2 + incq %r11 +.byte 102,69,15,58,34,235,2 + movdqa %xmm12,0(%rsp) +.byte 102,69,15,56,0,231 + movdqa %xmm13,16(%rsp) +.byte 102,69,15,56,0,239 + + pshufd $192,%xmm12,%xmm2 + pshufd $128,%xmm12,%xmm3 + pshufd $64,%xmm12,%xmm4 + cmpq $6,%rdx + jb .Lctr32_tail + shrl $1,%eax + movq %rcx,%r11 + movl %eax,%r10d + subq $6,%rdx + jmp .Lctr32_loop6 + +.p2align 4 +.Lctr32_loop6: + pshufd $192,%xmm13,%xmm5 + por %xmm14,%xmm2 + movups (%r11),%xmm0 + pshufd $128,%xmm13,%xmm6 + por %xmm14,%xmm3 + movups 16(%r11),%xmm1 + pshufd $64,%xmm13,%xmm7 + por %xmm14,%xmm4 + por %xmm14,%xmm5 + xorps %xmm0,%xmm2 + por %xmm14,%xmm6 + por %xmm14,%xmm7 + + + + + pxor %xmm0,%xmm3 + aesenc %xmm1,%xmm2 + leaq 32(%r11),%rcx + pxor %xmm0,%xmm4 + aesenc %xmm1,%xmm3 + movdqa .Lincrement32(%rip),%xmm13 + pxor %xmm0,%xmm5 + aesenc %xmm1,%xmm4 + movdqa 0(%rsp),%xmm12 + pxor %xmm0,%xmm6 + aesenc %xmm1,%xmm5 + pxor %xmm0,%xmm7 + movups (%rcx),%xmm0 + decl %eax + aesenc %xmm1,%xmm6 + aesenc %xmm1,%xmm7 + jmp .Lctr32_enc_loop6_enter +.p2align 4 +.Lctr32_enc_loop6: + aesenc %xmm1,%xmm2 + aesenc %xmm1,%xmm3 + decl %eax + aesenc %xmm1,%xmm4 + aesenc %xmm1,%xmm5 + aesenc %xmm1,%xmm6 + aesenc %xmm1,%xmm7 +.Lctr32_enc_loop6_enter: + movups 16(%rcx),%xmm1 + aesenc %xmm0,%xmm2 + aesenc %xmm0,%xmm3 + leaq 32(%rcx),%rcx + aesenc %xmm0,%xmm4 + aesenc %xmm0,%xmm5 + aesenc %xmm0,%xmm6 + aesenc %xmm0,%xmm7 + movups (%rcx),%xmm0 + jnz .Lctr32_enc_loop6 + + aesenc %xmm1,%xmm2 + paddd %xmm13,%xmm12 + aesenc %xmm1,%xmm3 + paddd 16(%rsp),%xmm13 + aesenc %xmm1,%xmm4 + movdqa %xmm12,0(%rsp) + aesenc %xmm1,%xmm5 + movdqa %xmm13,16(%rsp) + aesenc %xmm1,%xmm6 +.byte 102,69,15,56,0,231 + aesenc %xmm1,%xmm7 +.byte 102,69,15,56,0,239 + + aesenclast %xmm0,%xmm2 + movups (%rdi),%xmm8 + aesenclast %xmm0,%xmm3 + movups 16(%rdi),%xmm9 + aesenclast %xmm0,%xmm4 + movups 32(%rdi),%xmm10 + aesenclast %xmm0,%xmm5 + movups 48(%rdi),%xmm11 + aesenclast %xmm0,%xmm6 + movups 
64(%rdi),%xmm1 + aesenclast %xmm0,%xmm7 + movups 80(%rdi),%xmm0 + leaq 96(%rdi),%rdi + + xorps %xmm2,%xmm8 + pshufd $192,%xmm12,%xmm2 + xorps %xmm3,%xmm9 + pshufd $128,%xmm12,%xmm3 + movups %xmm8,(%rsi) + xorps %xmm4,%xmm10 + pshufd $64,%xmm12,%xmm4 + movups %xmm9,16(%rsi) + xorps %xmm5,%xmm11 + movups %xmm10,32(%rsi) + xorps %xmm6,%xmm1 + movups %xmm11,48(%rsi) + xorps %xmm7,%xmm0 + movups %xmm1,64(%rsi) + movups %xmm0,80(%rsi) + leaq 96(%rsi),%rsi + movl %r10d,%eax + subq $6,%rdx + jnc .Lctr32_loop6 + + addq $6,%rdx + jz .Lctr32_done + movq %r11,%rcx + leal 1(%rax,%rax,1),%eax + +.Lctr32_tail: + por %xmm14,%xmm2 + movups (%rdi),%xmm8 + cmpq $2,%rdx + jb .Lctr32_one + + por %xmm14,%xmm3 + movups 16(%rdi),%xmm9 + je .Lctr32_two + + pshufd $192,%xmm13,%xmm5 + por %xmm14,%xmm4 + movups 32(%rdi),%xmm10 + cmpq $4,%rdx + jb .Lctr32_three + + pshufd $128,%xmm13,%xmm6 + por %xmm14,%xmm5 + movups 48(%rdi),%xmm11 + je .Lctr32_four + + por %xmm14,%xmm6 + xorps %xmm7,%xmm7 + + call _aesni_encrypt6 + + movups 64(%rdi),%xmm1 + xorps %xmm2,%xmm8 + xorps %xmm3,%xmm9 + movups %xmm8,(%rsi) + xorps %xmm4,%xmm10 + movups %xmm9,16(%rsi) + xorps %xmm5,%xmm11 + movups %xmm10,32(%rsi) + xorps %xmm6,%xmm1 + movups %xmm11,48(%rsi) + movups %xmm1,64(%rsi) + jmp .Lctr32_done + +.p2align 4 +.Lctr32_one_shortcut: + movups (%r8),%xmm2 + movups (%rdi),%xmm8 + movl 240(%rcx),%eax +.Lctr32_one: + movups (%rcx),%xmm0 + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 +.Loop_enc1_7: + aesenc %xmm1,%xmm2 + decl %eax + movups (%rcx),%xmm1 + leaq 16(%rcx),%rcx + jnz .Loop_enc1_7 + aesenclast %xmm1,%xmm2 + xorps %xmm2,%xmm8 + movups %xmm8,(%rsi) + jmp .Lctr32_done + +.p2align 4 +.Lctr32_two: + xorps %xmm4,%xmm4 + call _aesni_encrypt3 + xorps %xmm2,%xmm8 + xorps %xmm3,%xmm9 + movups %xmm8,(%rsi) + movups %xmm9,16(%rsi) + jmp .Lctr32_done + +.p2align 4 +.Lctr32_three: + call _aesni_encrypt3 + xorps %xmm2,%xmm8 + xorps %xmm3,%xmm9 + movups %xmm8,(%rsi) + xorps %xmm4,%xmm10 + movups 
%xmm9,16(%rsi) + movups %xmm10,32(%rsi) + jmp .Lctr32_done + +.p2align 4 +.Lctr32_four: + call _aesni_encrypt4 + xorps %xmm2,%xmm8 + xorps %xmm3,%xmm9 + movups %xmm8,(%rsi) + xorps %xmm4,%xmm10 + movups %xmm9,16(%rsi) + xorps %xmm5,%xmm11 + movups %xmm10,32(%rsi) + movups %xmm11,48(%rsi) + +.Lctr32_done: + movaps 32(%rsp),%xmm6 + movaps 48(%rsp),%xmm7 + movaps 64(%rsp),%xmm8 + movaps 80(%rsp),%xmm9 + movaps 96(%rsp),%xmm10 + movaps 112(%rsp),%xmm11 + movaps 128(%rsp),%xmm12 + movaps 144(%rsp),%xmm13 + movaps 160(%rsp),%xmm14 + movaps 176(%rsp),%xmm15 + leaq 200(%rsp),%rsp +.Lctr32_ret: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_aesni_ctr32_encrypt_blocks: +.globl aesni_xts_encrypt +.def aesni_xts_encrypt; .scl 2; .type 32; .endef +.p2align 4 +aesni_xts_encrypt: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_aesni_xts_encrypt: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + movq 40(%rsp),%r8 + movq 48(%rsp),%r9 + + leaq -264(%rsp),%rsp + movaps %xmm6,96(%rsp) + movaps %xmm7,112(%rsp) + movaps %xmm8,128(%rsp) + movaps %xmm9,144(%rsp) + movaps %xmm10,160(%rsp) + movaps %xmm11,176(%rsp) + movaps %xmm12,192(%rsp) + movaps %xmm13,208(%rsp) + movaps %xmm14,224(%rsp) + movaps %xmm15,240(%rsp) +.Lxts_enc_body: + movups (%r9),%xmm15 + movl 240(%r8),%eax + movl 240(%rcx),%r10d + movups (%r8),%xmm0 + movups 16(%r8),%xmm1 + leaq 32(%r8),%r8 + xorps %xmm0,%xmm15 +.Loop_enc1_8: + aesenc %xmm1,%xmm15 + decl %eax + movups (%r8),%xmm1 + leaq 16(%r8),%r8 + jnz .Loop_enc1_8 + aesenclast %xmm1,%xmm15 + movq %rcx,%r11 + movl %r10d,%eax + movq %rdx,%r9 + andq $-16,%rdx + + movdqa .Lxts_magic(%rip),%xmm8 + pxor %xmm14,%xmm14 + pcmpgtd %xmm15,%xmm14 + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm10 + paddq %xmm15,%xmm15 + pand %xmm8,%xmm9 + pcmpgtd %xmm15,%xmm14 + pxor %xmm9,%xmm15 + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm11 + paddq %xmm15,%xmm15 + pand %xmm8,%xmm9 + pcmpgtd 
%xmm15,%xmm14 + pxor %xmm9,%xmm15 + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm12 + paddq %xmm15,%xmm15 + pand %xmm8,%xmm9 + pcmpgtd %xmm15,%xmm14 + pxor %xmm9,%xmm15 + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm13 + paddq %xmm15,%xmm15 + pand %xmm8,%xmm9 + pcmpgtd %xmm15,%xmm14 + pxor %xmm9,%xmm15 + subq $96,%rdx + jc .Lxts_enc_short + + shrl $1,%eax + subl $1,%eax + movl %eax,%r10d + jmp .Lxts_enc_grandloop + +.p2align 4 +.Lxts_enc_grandloop: + pshufd $19,%xmm14,%xmm9 + movdqa %xmm15,%xmm14 + paddq %xmm15,%xmm15 + movdqu 0(%rdi),%xmm2 + pand %xmm8,%xmm9 + movdqu 16(%rdi),%xmm3 + pxor %xmm9,%xmm15 + + movdqu 32(%rdi),%xmm4 + pxor %xmm10,%xmm2 + movdqu 48(%rdi),%xmm5 + pxor %xmm11,%xmm3 + movdqu 64(%rdi),%xmm6 + pxor %xmm12,%xmm4 + movdqu 80(%rdi),%xmm7 + leaq 96(%rdi),%rdi + pxor %xmm13,%xmm5 + movups (%r11),%xmm0 + pxor %xmm14,%xmm6 + pxor %xmm15,%xmm7 + + + + movups 16(%r11),%xmm1 + pxor %xmm0,%xmm2 + pxor %xmm0,%xmm3 + movdqa %xmm10,0(%rsp) + aesenc %xmm1,%xmm2 + leaq 32(%r11),%rcx + pxor %xmm0,%xmm4 + movdqa %xmm11,16(%rsp) + aesenc %xmm1,%xmm3 + pxor %xmm0,%xmm5 + movdqa %xmm12,32(%rsp) + aesenc %xmm1,%xmm4 + pxor %xmm0,%xmm6 + movdqa %xmm13,48(%rsp) + aesenc %xmm1,%xmm5 + pxor %xmm0,%xmm7 + movups (%rcx),%xmm0 + decl %eax + movdqa %xmm14,64(%rsp) + aesenc %xmm1,%xmm6 + movdqa %xmm15,80(%rsp) + aesenc %xmm1,%xmm7 + pxor %xmm14,%xmm14 + pcmpgtd %xmm15,%xmm14 + jmp .Lxts_enc_loop6_enter + +.p2align 4 +.Lxts_enc_loop6: + aesenc %xmm1,%xmm2 + aesenc %xmm1,%xmm3 + decl %eax + aesenc %xmm1,%xmm4 + aesenc %xmm1,%xmm5 + aesenc %xmm1,%xmm6 + aesenc %xmm1,%xmm7 +.Lxts_enc_loop6_enter: + movups 16(%rcx),%xmm1 + aesenc %xmm0,%xmm2 + aesenc %xmm0,%xmm3 + leaq 32(%rcx),%rcx + aesenc %xmm0,%xmm4 + aesenc %xmm0,%xmm5 + aesenc %xmm0,%xmm6 + aesenc %xmm0,%xmm7 + movups (%rcx),%xmm0 + jnz .Lxts_enc_loop6 + + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + paddq %xmm15,%xmm15 + aesenc %xmm1,%xmm2 + pand %xmm8,%xmm9 + aesenc %xmm1,%xmm3 
+ pcmpgtd %xmm15,%xmm14 + aesenc %xmm1,%xmm4 + pxor %xmm9,%xmm15 + aesenc %xmm1,%xmm5 + aesenc %xmm1,%xmm6 + aesenc %xmm1,%xmm7 + movups 16(%rcx),%xmm1 + + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm10 + paddq %xmm15,%xmm15 + aesenc %xmm0,%xmm2 + pand %xmm8,%xmm9 + aesenc %xmm0,%xmm3 + pcmpgtd %xmm15,%xmm14 + aesenc %xmm0,%xmm4 + pxor %xmm9,%xmm15 + aesenc %xmm0,%xmm5 + aesenc %xmm0,%xmm6 + aesenc %xmm0,%xmm7 + movups 32(%rcx),%xmm0 + + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm11 + paddq %xmm15,%xmm15 + aesenc %xmm1,%xmm2 + pand %xmm8,%xmm9 + aesenc %xmm1,%xmm3 + pcmpgtd %xmm15,%xmm14 + aesenc %xmm1,%xmm4 + pxor %xmm9,%xmm15 + aesenc %xmm1,%xmm5 + aesenc %xmm1,%xmm6 + aesenc %xmm1,%xmm7 + + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm12 + paddq %xmm15,%xmm15 + aesenclast %xmm0,%xmm2 + pand %xmm8,%xmm9 + aesenclast %xmm0,%xmm3 + pcmpgtd %xmm15,%xmm14 + aesenclast %xmm0,%xmm4 + pxor %xmm9,%xmm15 + aesenclast %xmm0,%xmm5 + aesenclast %xmm0,%xmm6 + aesenclast %xmm0,%xmm7 + + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm13 + paddq %xmm15,%xmm15 + xorps 0(%rsp),%xmm2 + pand %xmm8,%xmm9 + xorps 16(%rsp),%xmm3 + pcmpgtd %xmm15,%xmm14 + pxor %xmm9,%xmm15 + + xorps 32(%rsp),%xmm4 + movups %xmm2,0(%rsi) + xorps 48(%rsp),%xmm5 + movups %xmm3,16(%rsi) + xorps 64(%rsp),%xmm6 + movups %xmm4,32(%rsi) + xorps 80(%rsp),%xmm7 + movups %xmm5,48(%rsi) + movl %r10d,%eax + movups %xmm6,64(%rsi) + movups %xmm7,80(%rsi) + leaq 96(%rsi),%rsi + subq $96,%rdx + jnc .Lxts_enc_grandloop + + leal 3(%rax,%rax,1),%eax + movq %r11,%rcx + movl %eax,%r10d + +.Lxts_enc_short: + addq $96,%rdx + jz .Lxts_enc_done + + cmpq $32,%rdx + jb .Lxts_enc_one + je .Lxts_enc_two + + cmpq $64,%rdx + jb .Lxts_enc_three + je .Lxts_enc_four + + pshufd $19,%xmm14,%xmm9 + movdqa %xmm15,%xmm14 + paddq %xmm15,%xmm15 + movdqu (%rdi),%xmm2 + pand %xmm8,%xmm9 + movdqu 16(%rdi),%xmm3 + pxor %xmm9,%xmm15 + + movdqu 32(%rdi),%xmm4 + pxor 
%xmm10,%xmm2 + movdqu 48(%rdi),%xmm5 + pxor %xmm11,%xmm3 + movdqu 64(%rdi),%xmm6 + leaq 80(%rdi),%rdi + pxor %xmm12,%xmm4 + pxor %xmm13,%xmm5 + pxor %xmm14,%xmm6 + + call _aesni_encrypt6 + + xorps %xmm10,%xmm2 + movdqa %xmm15,%xmm10 + xorps %xmm11,%xmm3 + xorps %xmm12,%xmm4 + movdqu %xmm2,(%rsi) + xorps %xmm13,%xmm5 + movdqu %xmm3,16(%rsi) + xorps %xmm14,%xmm6 + movdqu %xmm4,32(%rsi) + movdqu %xmm5,48(%rsi) + movdqu %xmm6,64(%rsi) + leaq 80(%rsi),%rsi + jmp .Lxts_enc_done + +.p2align 4 +.Lxts_enc_one: + movups (%rdi),%xmm2 + leaq 16(%rdi),%rdi + xorps %xmm10,%xmm2 + movups (%rcx),%xmm0 + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 +.Loop_enc1_9: + aesenc %xmm1,%xmm2 + decl %eax + movups (%rcx),%xmm1 + leaq 16(%rcx),%rcx + jnz .Loop_enc1_9 + aesenclast %xmm1,%xmm2 + xorps %xmm10,%xmm2 + movdqa %xmm11,%xmm10 + movups %xmm2,(%rsi) + leaq 16(%rsi),%rsi + jmp .Lxts_enc_done + +.p2align 4 +.Lxts_enc_two: + movups (%rdi),%xmm2 + movups 16(%rdi),%xmm3 + leaq 32(%rdi),%rdi + xorps %xmm10,%xmm2 + xorps %xmm11,%xmm3 + + call _aesni_encrypt3 + + xorps %xmm10,%xmm2 + movdqa %xmm12,%xmm10 + xorps %xmm11,%xmm3 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + leaq 32(%rsi),%rsi + jmp .Lxts_enc_done + +.p2align 4 +.Lxts_enc_three: + movups (%rdi),%xmm2 + movups 16(%rdi),%xmm3 + movups 32(%rdi),%xmm4 + leaq 48(%rdi),%rdi + xorps %xmm10,%xmm2 + xorps %xmm11,%xmm3 + xorps %xmm12,%xmm4 + + call _aesni_encrypt3 + + xorps %xmm10,%xmm2 + movdqa %xmm13,%xmm10 + xorps %xmm11,%xmm3 + xorps %xmm12,%xmm4 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + leaq 48(%rsi),%rsi + jmp .Lxts_enc_done + +.p2align 4 +.Lxts_enc_four: + movups (%rdi),%xmm2 + movups 16(%rdi),%xmm3 + movups 32(%rdi),%xmm4 + xorps %xmm10,%xmm2 + movups 48(%rdi),%xmm5 + leaq 64(%rdi),%rdi + xorps %xmm11,%xmm3 + xorps %xmm12,%xmm4 + xorps %xmm13,%xmm5 + + call _aesni_encrypt4 + + xorps %xmm10,%xmm2 + movdqa %xmm15,%xmm10 + xorps %xmm11,%xmm3 + xorps %xmm12,%xmm4 + movups %xmm2,(%rsi) + 
xorps %xmm13,%xmm5 + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + leaq 64(%rsi),%rsi + jmp .Lxts_enc_done + +.p2align 4 +.Lxts_enc_done: + andq $15,%r9 + jz .Lxts_enc_ret + movq %r9,%rdx + +.Lxts_enc_steal: + movzbl (%rdi),%eax + movzbl -16(%rsi),%ecx + leaq 1(%rdi),%rdi + movb %al,-16(%rsi) + movb %cl,0(%rsi) + leaq 1(%rsi),%rsi + subq $1,%rdx + jnz .Lxts_enc_steal + + subq %r9,%rsi + movq %r11,%rcx + movl %r10d,%eax + + movups -16(%rsi),%xmm2 + xorps %xmm10,%xmm2 + movups (%rcx),%xmm0 + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 +.Loop_enc1_10: + aesenc %xmm1,%xmm2 + decl %eax + movups (%rcx),%xmm1 + leaq 16(%rcx),%rcx + jnz .Loop_enc1_10 + aesenclast %xmm1,%xmm2 + xorps %xmm10,%xmm2 + movups %xmm2,-16(%rsi) + +.Lxts_enc_ret: + movaps 96(%rsp),%xmm6 + movaps 112(%rsp),%xmm7 + movaps 128(%rsp),%xmm8 + movaps 144(%rsp),%xmm9 + movaps 160(%rsp),%xmm10 + movaps 176(%rsp),%xmm11 + movaps 192(%rsp),%xmm12 + movaps 208(%rsp),%xmm13 + movaps 224(%rsp),%xmm14 + movaps 240(%rsp),%xmm15 + leaq 264(%rsp),%rsp +.Lxts_enc_epilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_aesni_xts_encrypt: +.globl aesni_xts_decrypt +.def aesni_xts_decrypt; .scl 2; .type 32; .endef +.p2align 4 +aesni_xts_decrypt: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_aesni_xts_decrypt: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + movq 40(%rsp),%r8 + movq 48(%rsp),%r9 + + leaq -264(%rsp),%rsp + movaps %xmm6,96(%rsp) + movaps %xmm7,112(%rsp) + movaps %xmm8,128(%rsp) + movaps %xmm9,144(%rsp) + movaps %xmm10,160(%rsp) + movaps %xmm11,176(%rsp) + movaps %xmm12,192(%rsp) + movaps %xmm13,208(%rsp) + movaps %xmm14,224(%rsp) + movaps %xmm15,240(%rsp) +.Lxts_dec_body: + movups (%r9),%xmm15 + movl 240(%r8),%eax + movl 240(%rcx),%r10d + movups (%r8),%xmm0 + movups 16(%r8),%xmm1 + leaq 32(%r8),%r8 + xorps %xmm0,%xmm15 +.Loop_enc1_11: + aesenc %xmm1,%xmm15 + decl %eax + movups (%r8),%xmm1 + leaq 
16(%r8),%r8 + jnz .Loop_enc1_11 + aesenclast %xmm1,%xmm15 + xorl %eax,%eax + testq $15,%rdx + setnz %al + shlq $4,%rax + subq %rax,%rdx + + movq %rcx,%r11 + movl %r10d,%eax + movq %rdx,%r9 + andq $-16,%rdx + + movdqa .Lxts_magic(%rip),%xmm8 + pxor %xmm14,%xmm14 + pcmpgtd %xmm15,%xmm14 + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm10 + paddq %xmm15,%xmm15 + pand %xmm8,%xmm9 + pcmpgtd %xmm15,%xmm14 + pxor %xmm9,%xmm15 + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm11 + paddq %xmm15,%xmm15 + pand %xmm8,%xmm9 + pcmpgtd %xmm15,%xmm14 + pxor %xmm9,%xmm15 + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm12 + paddq %xmm15,%xmm15 + pand %xmm8,%xmm9 + pcmpgtd %xmm15,%xmm14 + pxor %xmm9,%xmm15 + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm13 + paddq %xmm15,%xmm15 + pand %xmm8,%xmm9 + pcmpgtd %xmm15,%xmm14 + pxor %xmm9,%xmm15 + subq $96,%rdx + jc .Lxts_dec_short + + shrl $1,%eax + subl $1,%eax + movl %eax,%r10d + jmp .Lxts_dec_grandloop + +.p2align 4 +.Lxts_dec_grandloop: + pshufd $19,%xmm14,%xmm9 + movdqa %xmm15,%xmm14 + paddq %xmm15,%xmm15 + movdqu 0(%rdi),%xmm2 + pand %xmm8,%xmm9 + movdqu 16(%rdi),%xmm3 + pxor %xmm9,%xmm15 + + movdqu 32(%rdi),%xmm4 + pxor %xmm10,%xmm2 + movdqu 48(%rdi),%xmm5 + pxor %xmm11,%xmm3 + movdqu 64(%rdi),%xmm6 + pxor %xmm12,%xmm4 + movdqu 80(%rdi),%xmm7 + leaq 96(%rdi),%rdi + pxor %xmm13,%xmm5 + movups (%r11),%xmm0 + pxor %xmm14,%xmm6 + pxor %xmm15,%xmm7 + + + + movups 16(%r11),%xmm1 + pxor %xmm0,%xmm2 + pxor %xmm0,%xmm3 + movdqa %xmm10,0(%rsp) + aesdec %xmm1,%xmm2 + leaq 32(%r11),%rcx + pxor %xmm0,%xmm4 + movdqa %xmm11,16(%rsp) + aesdec %xmm1,%xmm3 + pxor %xmm0,%xmm5 + movdqa %xmm12,32(%rsp) + aesdec %xmm1,%xmm4 + pxor %xmm0,%xmm6 + movdqa %xmm13,48(%rsp) + aesdec %xmm1,%xmm5 + pxor %xmm0,%xmm7 + movups (%rcx),%xmm0 + decl %eax + movdqa %xmm14,64(%rsp) + aesdec %xmm1,%xmm6 + movdqa %xmm15,80(%rsp) + aesdec %xmm1,%xmm7 + pxor %xmm14,%xmm14 + pcmpgtd %xmm15,%xmm14 + jmp 
.Lxts_dec_loop6_enter + +.p2align 4 +.Lxts_dec_loop6: + aesdec %xmm1,%xmm2 + aesdec %xmm1,%xmm3 + decl %eax + aesdec %xmm1,%xmm4 + aesdec %xmm1,%xmm5 + aesdec %xmm1,%xmm6 + aesdec %xmm1,%xmm7 +.Lxts_dec_loop6_enter: + movups 16(%rcx),%xmm1 + aesdec %xmm0,%xmm2 + aesdec %xmm0,%xmm3 + leaq 32(%rcx),%rcx + aesdec %xmm0,%xmm4 + aesdec %xmm0,%xmm5 + aesdec %xmm0,%xmm6 + aesdec %xmm0,%xmm7 + movups (%rcx),%xmm0 + jnz .Lxts_dec_loop6 + + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + paddq %xmm15,%xmm15 + aesdec %xmm1,%xmm2 + pand %xmm8,%xmm9 + aesdec %xmm1,%xmm3 + pcmpgtd %xmm15,%xmm14 + aesdec %xmm1,%xmm4 + pxor %xmm9,%xmm15 + aesdec %xmm1,%xmm5 + aesdec %xmm1,%xmm6 + aesdec %xmm1,%xmm7 + movups 16(%rcx),%xmm1 + + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm10 + paddq %xmm15,%xmm15 + aesdec %xmm0,%xmm2 + pand %xmm8,%xmm9 + aesdec %xmm0,%xmm3 + pcmpgtd %xmm15,%xmm14 + aesdec %xmm0,%xmm4 + pxor %xmm9,%xmm15 + aesdec %xmm0,%xmm5 + aesdec %xmm0,%xmm6 + aesdec %xmm0,%xmm7 + movups 32(%rcx),%xmm0 + + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm11 + paddq %xmm15,%xmm15 + aesdec %xmm1,%xmm2 + pand %xmm8,%xmm9 + aesdec %xmm1,%xmm3 + pcmpgtd %xmm15,%xmm14 + aesdec %xmm1,%xmm4 + pxor %xmm9,%xmm15 + aesdec %xmm1,%xmm5 + aesdec %xmm1,%xmm6 + aesdec %xmm1,%xmm7 + + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm12 + paddq %xmm15,%xmm15 + aesdeclast %xmm0,%xmm2 + pand %xmm8,%xmm9 + aesdeclast %xmm0,%xmm3 + pcmpgtd %xmm15,%xmm14 + aesdeclast %xmm0,%xmm4 + pxor %xmm9,%xmm15 + aesdeclast %xmm0,%xmm5 + aesdeclast %xmm0,%xmm6 + aesdeclast %xmm0,%xmm7 + + pshufd $19,%xmm14,%xmm9 + pxor %xmm14,%xmm14 + movdqa %xmm15,%xmm13 + paddq %xmm15,%xmm15 + xorps 0(%rsp),%xmm2 + pand %xmm8,%xmm9 + xorps 16(%rsp),%xmm3 + pcmpgtd %xmm15,%xmm14 + pxor %xmm9,%xmm15 + + xorps 32(%rsp),%xmm4 + movups %xmm2,0(%rsi) + xorps 48(%rsp),%xmm5 + movups %xmm3,16(%rsi) + xorps 64(%rsp),%xmm6 + movups %xmm4,32(%rsi) + xorps 80(%rsp),%xmm7 + movups 
%xmm5,48(%rsi) + movl %r10d,%eax + movups %xmm6,64(%rsi) + movups %xmm7,80(%rsi) + leaq 96(%rsi),%rsi + subq $96,%rdx + jnc .Lxts_dec_grandloop + + leal 3(%rax,%rax,1),%eax + movq %r11,%rcx + movl %eax,%r10d + +.Lxts_dec_short: + addq $96,%rdx + jz .Lxts_dec_done + + cmpq $32,%rdx + jb .Lxts_dec_one + je .Lxts_dec_two + + cmpq $64,%rdx + jb .Lxts_dec_three + je .Lxts_dec_four + + pshufd $19,%xmm14,%xmm9 + movdqa %xmm15,%xmm14 + paddq %xmm15,%xmm15 + movdqu (%rdi),%xmm2 + pand %xmm8,%xmm9 + movdqu 16(%rdi),%xmm3 + pxor %xmm9,%xmm15 + + movdqu 32(%rdi),%xmm4 + pxor %xmm10,%xmm2 + movdqu 48(%rdi),%xmm5 + pxor %xmm11,%xmm3 + movdqu 64(%rdi),%xmm6 + leaq 80(%rdi),%rdi + pxor %xmm12,%xmm4 + pxor %xmm13,%xmm5 + pxor %xmm14,%xmm6 + + call _aesni_decrypt6 + + xorps %xmm10,%xmm2 + xorps %xmm11,%xmm3 + xorps %xmm12,%xmm4 + movdqu %xmm2,(%rsi) + xorps %xmm13,%xmm5 + movdqu %xmm3,16(%rsi) + xorps %xmm14,%xmm6 + movdqu %xmm4,32(%rsi) + pxor %xmm14,%xmm14 + movdqu %xmm5,48(%rsi) + pcmpgtd %xmm15,%xmm14 + movdqu %xmm6,64(%rsi) + leaq 80(%rsi),%rsi + pshufd $19,%xmm14,%xmm11 + andq $15,%r9 + jz .Lxts_dec_ret + + movdqa %xmm15,%xmm10 + paddq %xmm15,%xmm15 + pand %xmm8,%xmm11 + pxor %xmm15,%xmm11 + jmp .Lxts_dec_done2 + +.p2align 4 +.Lxts_dec_one: + movups (%rdi),%xmm2 + leaq 16(%rdi),%rdi + xorps %xmm10,%xmm2 + movups (%rcx),%xmm0 + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 +.Loop_dec1_12: + aesdec %xmm1,%xmm2 + decl %eax + movups (%rcx),%xmm1 + leaq 16(%rcx),%rcx + jnz .Loop_dec1_12 + aesdeclast %xmm1,%xmm2 + xorps %xmm10,%xmm2 + movdqa %xmm11,%xmm10 + movups %xmm2,(%rsi) + movdqa %xmm12,%xmm11 + leaq 16(%rsi),%rsi + jmp .Lxts_dec_done + +.p2align 4 +.Lxts_dec_two: + movups (%rdi),%xmm2 + movups 16(%rdi),%xmm3 + leaq 32(%rdi),%rdi + xorps %xmm10,%xmm2 + xorps %xmm11,%xmm3 + + call _aesni_decrypt3 + + xorps %xmm10,%xmm2 + movdqa %xmm12,%xmm10 + xorps %xmm11,%xmm3 + movdqa %xmm13,%xmm11 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + leaq 32(%rsi),%rsi + jmp 
.Lxts_dec_done + +.p2align 4 +.Lxts_dec_three: + movups (%rdi),%xmm2 + movups 16(%rdi),%xmm3 + movups 32(%rdi),%xmm4 + leaq 48(%rdi),%rdi + xorps %xmm10,%xmm2 + xorps %xmm11,%xmm3 + xorps %xmm12,%xmm4 + + call _aesni_decrypt3 + + xorps %xmm10,%xmm2 + movdqa %xmm13,%xmm10 + xorps %xmm11,%xmm3 + movdqa %xmm15,%xmm11 + xorps %xmm12,%xmm4 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + leaq 48(%rsi),%rsi + jmp .Lxts_dec_done + +.p2align 4 +.Lxts_dec_four: + pshufd $19,%xmm14,%xmm9 + movdqa %xmm15,%xmm14 + paddq %xmm15,%xmm15 + movups (%rdi),%xmm2 + pand %xmm8,%xmm9 + movups 16(%rdi),%xmm3 + pxor %xmm9,%xmm15 + + movups 32(%rdi),%xmm4 + xorps %xmm10,%xmm2 + movups 48(%rdi),%xmm5 + leaq 64(%rdi),%rdi + xorps %xmm11,%xmm3 + xorps %xmm12,%xmm4 + xorps %xmm13,%xmm5 + + call _aesni_decrypt4 + + xorps %xmm10,%xmm2 + movdqa %xmm14,%xmm10 + xorps %xmm11,%xmm3 + movdqa %xmm15,%xmm11 + xorps %xmm12,%xmm4 + movups %xmm2,(%rsi) + xorps %xmm13,%xmm5 + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + leaq 64(%rsi),%rsi + jmp .Lxts_dec_done + +.p2align 4 +.Lxts_dec_done: + andq $15,%r9 + jz .Lxts_dec_ret +.Lxts_dec_done2: + movq %r9,%rdx + movq %r11,%rcx + movl %r10d,%eax + + movups (%rdi),%xmm2 + xorps %xmm11,%xmm2 + movups (%rcx),%xmm0 + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 +.Loop_dec1_13: + aesdec %xmm1,%xmm2 + decl %eax + movups (%rcx),%xmm1 + leaq 16(%rcx),%rcx + jnz .Loop_dec1_13 + aesdeclast %xmm1,%xmm2 + xorps %xmm11,%xmm2 + movups %xmm2,(%rsi) + +.Lxts_dec_steal: + movzbl 16(%rdi),%eax + movzbl (%rsi),%ecx + leaq 1(%rdi),%rdi + movb %al,(%rsi) + movb %cl,16(%rsi) + leaq 1(%rsi),%rsi + subq $1,%rdx + jnz .Lxts_dec_steal + + subq %r9,%rsi + movq %r11,%rcx + movl %r10d,%eax + + movups (%rsi),%xmm2 + xorps %xmm10,%xmm2 + movups (%rcx),%xmm0 + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 +.Loop_dec1_14: + aesdec %xmm1,%xmm2 + decl %eax + movups (%rcx),%xmm1 + leaq 16(%rcx),%rcx + jnz 
.Loop_dec1_14 + aesdeclast %xmm1,%xmm2 + xorps %xmm10,%xmm2 + movups %xmm2,(%rsi) + +.Lxts_dec_ret: + movaps 96(%rsp),%xmm6 + movaps 112(%rsp),%xmm7 + movaps 128(%rsp),%xmm8 + movaps 144(%rsp),%xmm9 + movaps 160(%rsp),%xmm10 + movaps 176(%rsp),%xmm11 + movaps 192(%rsp),%xmm12 + movaps 208(%rsp),%xmm13 + movaps 224(%rsp),%xmm14 + movaps 240(%rsp),%xmm15 + leaq 264(%rsp),%rsp +.Lxts_dec_epilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_aesni_xts_decrypt: +.globl aesni_cbc_encrypt +.def aesni_cbc_encrypt; .scl 2; .type 32; .endef +.p2align 4 +aesni_cbc_encrypt: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_aesni_cbc_encrypt: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + movq 40(%rsp),%r8 + movq 48(%rsp),%r9 + + testq %rdx,%rdx + jz .Lcbc_ret + + movl 240(%rcx),%r10d + movq %rcx,%r11 + testl %r9d,%r9d + jz .Lcbc_decrypt + + movups (%r8),%xmm2 + movl %r10d,%eax + cmpq $16,%rdx + jb .Lcbc_enc_tail + subq $16,%rdx + jmp .Lcbc_enc_loop +.p2align 4 +.Lcbc_enc_loop: + movups (%rdi),%xmm3 + leaq 16(%rdi),%rdi + + movups (%rcx),%xmm0 + movups 16(%rcx),%xmm1 + xorps %xmm0,%xmm3 + leaq 32(%rcx),%rcx + xorps %xmm3,%xmm2 +.Loop_enc1_15: + aesenc %xmm1,%xmm2 + decl %eax + movups (%rcx),%xmm1 + leaq 16(%rcx),%rcx + jnz .Loop_enc1_15 + aesenclast %xmm1,%xmm2 + movl %r10d,%eax + movq %r11,%rcx + movups %xmm2,0(%rsi) + leaq 16(%rsi),%rsi + subq $16,%rdx + jnc .Lcbc_enc_loop + addq $16,%rdx + jnz .Lcbc_enc_tail + movups %xmm2,(%r8) + jmp .Lcbc_ret + +.Lcbc_enc_tail: + movq %rdx,%rcx + xchgq %rdi,%rsi +.long 0x9066A4F3 + movl $16,%ecx + subq %rdx,%rcx + xorl %eax,%eax +.long 0x9066AAF3 + leaq -16(%rdi),%rdi + movl %r10d,%eax + movq %rdi,%rsi + movq %r11,%rcx + xorq %rdx,%rdx + jmp .Lcbc_enc_loop + +.p2align 4 +.Lcbc_decrypt: + leaq -88(%rsp),%rsp + movaps %xmm6,(%rsp) + movaps %xmm7,16(%rsp) + movaps %xmm8,32(%rsp) + movaps %xmm9,48(%rsp) +.Lcbc_decrypt_body: + movups (%r8),%xmm9 + movl %r10d,%eax + cmpq $112,%rdx + jbe 
.Lcbc_dec_tail + shrl $1,%r10d + subq $112,%rdx + movl %r10d,%eax + movaps %xmm9,64(%rsp) + jmp .Lcbc_dec_loop8_enter +.p2align 4 +.Lcbc_dec_loop8: + movaps %xmm0,64(%rsp) + movups %xmm9,(%rsi) + leaq 16(%rsi),%rsi +.Lcbc_dec_loop8_enter: + movups (%rcx),%xmm0 + movups (%rdi),%xmm2 + movups 16(%rdi),%xmm3 + movups 16(%rcx),%xmm1 + + leaq 32(%rcx),%rcx + movdqu 32(%rdi),%xmm4 + xorps %xmm0,%xmm2 + movdqu 48(%rdi),%xmm5 + xorps %xmm0,%xmm3 + movdqu 64(%rdi),%xmm6 + aesdec %xmm1,%xmm2 + pxor %xmm0,%xmm4 + movdqu 80(%rdi),%xmm7 + aesdec %xmm1,%xmm3 + pxor %xmm0,%xmm5 + movdqu 96(%rdi),%xmm8 + aesdec %xmm1,%xmm4 + pxor %xmm0,%xmm6 + movdqu 112(%rdi),%xmm9 + aesdec %xmm1,%xmm5 + pxor %xmm0,%xmm7 + decl %eax + aesdec %xmm1,%xmm6 + pxor %xmm0,%xmm8 + aesdec %xmm1,%xmm7 + pxor %xmm0,%xmm9 + movups (%rcx),%xmm0 + aesdec %xmm1,%xmm8 + aesdec %xmm1,%xmm9 + movups 16(%rcx),%xmm1 + + call .Ldec_loop8_enter + + movups (%rdi),%xmm1 + movups 16(%rdi),%xmm0 + xorps 64(%rsp),%xmm2 + xorps %xmm1,%xmm3 + movups 32(%rdi),%xmm1 + xorps %xmm0,%xmm4 + movups 48(%rdi),%xmm0 + xorps %xmm1,%xmm5 + movups 64(%rdi),%xmm1 + xorps %xmm0,%xmm6 + movups 80(%rdi),%xmm0 + xorps %xmm1,%xmm7 + movups 96(%rdi),%xmm1 + xorps %xmm0,%xmm8 + movups 112(%rdi),%xmm0 + xorps %xmm1,%xmm9 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + movl %r10d,%eax + movups %xmm6,64(%rsi) + movq %r11,%rcx + movups %xmm7,80(%rsi) + leaq 128(%rdi),%rdi + movups %xmm8,96(%rsi) + leaq 112(%rsi),%rsi + subq $128,%rdx + ja .Lcbc_dec_loop8 + + movaps %xmm9,%xmm2 + movaps %xmm0,%xmm9 + addq $112,%rdx + jle .Lcbc_dec_tail_collected + movups %xmm2,(%rsi) + leal 1(%r10,%r10,1),%eax + leaq 16(%rsi),%rsi +.Lcbc_dec_tail: + movups (%rdi),%xmm2 + movaps %xmm2,%xmm8 + cmpq $16,%rdx + jbe .Lcbc_dec_one + + movups 16(%rdi),%xmm3 + movaps %xmm3,%xmm7 + cmpq $32,%rdx + jbe .Lcbc_dec_two + + movups 32(%rdi),%xmm4 + movaps %xmm4,%xmm6 + cmpq $48,%rdx + jbe .Lcbc_dec_three + + movups 48(%rdi),%xmm5 + 
cmpq $64,%rdx + jbe .Lcbc_dec_four + + movups 64(%rdi),%xmm6 + cmpq $80,%rdx + jbe .Lcbc_dec_five + + movups 80(%rdi),%xmm7 + cmpq $96,%rdx + jbe .Lcbc_dec_six + + movups 96(%rdi),%xmm8 + movaps %xmm9,64(%rsp) + call _aesni_decrypt8 + movups (%rdi),%xmm1 + movups 16(%rdi),%xmm0 + xorps 64(%rsp),%xmm2 + xorps %xmm1,%xmm3 + movups 32(%rdi),%xmm1 + xorps %xmm0,%xmm4 + movups 48(%rdi),%xmm0 + xorps %xmm1,%xmm5 + movups 64(%rdi),%xmm1 + xorps %xmm0,%xmm6 + movups 80(%rdi),%xmm0 + xorps %xmm1,%xmm7 + movups 96(%rdi),%xmm9 + xorps %xmm0,%xmm8 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + movups %xmm6,64(%rsi) + movups %xmm7,80(%rsi) + leaq 96(%rsi),%rsi + movaps %xmm8,%xmm2 + subq $112,%rdx + jmp .Lcbc_dec_tail_collected +.p2align 4 +.Lcbc_dec_one: + movups (%rcx),%xmm0 + movups 16(%rcx),%xmm1 + leaq 32(%rcx),%rcx + xorps %xmm0,%xmm2 +.Loop_dec1_16: + aesdec %xmm1,%xmm2 + decl %eax + movups (%rcx),%xmm1 + leaq 16(%rcx),%rcx + jnz .Loop_dec1_16 + aesdeclast %xmm1,%xmm2 + xorps %xmm9,%xmm2 + movaps %xmm8,%xmm9 + subq $16,%rdx + jmp .Lcbc_dec_tail_collected +.p2align 4 +.Lcbc_dec_two: + xorps %xmm4,%xmm4 + call _aesni_decrypt3 + xorps %xmm9,%xmm2 + xorps %xmm8,%xmm3 + movups %xmm2,(%rsi) + movaps %xmm7,%xmm9 + movaps %xmm3,%xmm2 + leaq 16(%rsi),%rsi + subq $32,%rdx + jmp .Lcbc_dec_tail_collected +.p2align 4 +.Lcbc_dec_three: + call _aesni_decrypt3 + xorps %xmm9,%xmm2 + xorps %xmm8,%xmm3 + movups %xmm2,(%rsi) + xorps %xmm7,%xmm4 + movups %xmm3,16(%rsi) + movaps %xmm6,%xmm9 + movaps %xmm4,%xmm2 + leaq 32(%rsi),%rsi + subq $48,%rdx + jmp .Lcbc_dec_tail_collected +.p2align 4 +.Lcbc_dec_four: + call _aesni_decrypt4 + xorps %xmm9,%xmm2 + movups 48(%rdi),%xmm9 + xorps %xmm8,%xmm3 + movups %xmm2,(%rsi) + xorps %xmm7,%xmm4 + movups %xmm3,16(%rsi) + xorps %xmm6,%xmm5 + movups %xmm4,32(%rsi) + movaps %xmm5,%xmm2 + leaq 48(%rsi),%rsi + subq $64,%rdx + jmp .Lcbc_dec_tail_collected +.p2align 4 +.Lcbc_dec_five: + xorps %xmm7,%xmm7 + call 
_aesni_decrypt6 + movups 16(%rdi),%xmm1 + movups 32(%rdi),%xmm0 + xorps %xmm9,%xmm2 + xorps %xmm8,%xmm3 + xorps %xmm1,%xmm4 + movups 48(%rdi),%xmm1 + xorps %xmm0,%xmm5 + movups 64(%rdi),%xmm9 + xorps %xmm1,%xmm6 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + leaq 64(%rsi),%rsi + movaps %xmm6,%xmm2 + subq $80,%rdx + jmp .Lcbc_dec_tail_collected +.p2align 4 +.Lcbc_dec_six: + call _aesni_decrypt6 + movups 16(%rdi),%xmm1 + movups 32(%rdi),%xmm0 + xorps %xmm9,%xmm2 + xorps %xmm8,%xmm3 + xorps %xmm1,%xmm4 + movups 48(%rdi),%xmm1 + xorps %xmm0,%xmm5 + movups 64(%rdi),%xmm0 + xorps %xmm1,%xmm6 + movups 80(%rdi),%xmm9 + xorps %xmm0,%xmm7 + movups %xmm2,(%rsi) + movups %xmm3,16(%rsi) + movups %xmm4,32(%rsi) + movups %xmm5,48(%rsi) + movups %xmm6,64(%rsi) + leaq 80(%rsi),%rsi + movaps %xmm7,%xmm2 + subq $96,%rdx + jmp .Lcbc_dec_tail_collected +.p2align 4 +.Lcbc_dec_tail_collected: + andq $15,%rdx + movups %xmm9,(%r8) + jnz .Lcbc_dec_tail_partial + movups %xmm2,(%rsi) + jmp .Lcbc_dec_ret +.p2align 4 +.Lcbc_dec_tail_partial: + movaps %xmm2,64(%rsp) + movq $16,%rcx + movq %rsi,%rdi + subq %rdx,%rcx + leaq 64(%rsp),%rsi +.long 0x9066A4F3 + +.Lcbc_dec_ret: + movaps (%rsp),%xmm6 + movaps 16(%rsp),%xmm7 + movaps 32(%rsp),%xmm8 + movaps 48(%rsp),%xmm9 + leaq 88(%rsp),%rsp +.Lcbc_ret: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_aesni_cbc_encrypt: +.globl aesni_set_decrypt_key +.def aesni_set_decrypt_key; .scl 2; .type 32; .endef +.p2align 4 +aesni_set_decrypt_key: + subq $8,%rsp + call __aesni_set_encrypt_key + shll $4,%edx + testl %eax,%eax + jnz .Ldec_key_ret + leaq 16(%r8,%rdx,1),%rcx + + movups (%r8),%xmm0 + movups (%rcx),%xmm1 + movups %xmm0,(%rcx) + movups %xmm1,(%r8) + leaq 16(%r8),%r8 + leaq -16(%rcx),%rcx + +.Ldec_key_inverse: + movups (%r8),%xmm0 + movups (%rcx),%xmm1 + aesimc %xmm0,%xmm0 + aesimc %xmm1,%xmm1 + leaq 16(%r8),%r8 + leaq -16(%rcx),%rcx + movups %xmm0,16(%rcx) + movups %xmm1,-16(%r8) + cmpq %r8,%rcx 
+ ja .Ldec_key_inverse + + movups (%r8),%xmm0 + aesimc %xmm0,%xmm0 + movups %xmm0,(%rcx) +.Ldec_key_ret: + addq $8,%rsp + retq +.LSEH_end_set_decrypt_key: + +.globl aesni_set_encrypt_key +.def aesni_set_encrypt_key; .scl 2; .type 32; .endef +.p2align 4 +aesni_set_encrypt_key: +__aesni_set_encrypt_key: + subq $8,%rsp + movq $-1,%rax + testq %rcx,%rcx + jz .Lenc_key_ret + testq %r8,%r8 + jz .Lenc_key_ret + + movups (%rcx),%xmm0 + xorps %xmm4,%xmm4 + leaq 16(%r8),%rax + cmpl $256,%edx + je .L14rounds + cmpl $192,%edx + je .L12rounds + cmpl $128,%edx + jne .Lbad_keybits + +.L10rounds: + movl $9,%edx + movups %xmm0,(%r8) + aeskeygenassist $1,%xmm0,%xmm1 + call .Lkey_expansion_128_cold + aeskeygenassist $2,%xmm0,%xmm1 + call .Lkey_expansion_128 + aeskeygenassist $4,%xmm0,%xmm1 + call .Lkey_expansion_128 + aeskeygenassist $8,%xmm0,%xmm1 + call .Lkey_expansion_128 + aeskeygenassist $16,%xmm0,%xmm1 + call .Lkey_expansion_128 + aeskeygenassist $32,%xmm0,%xmm1 + call .Lkey_expansion_128 + aeskeygenassist $64,%xmm0,%xmm1 + call .Lkey_expansion_128 + aeskeygenassist $128,%xmm0,%xmm1 + call .Lkey_expansion_128 + aeskeygenassist $27,%xmm0,%xmm1 + call .Lkey_expansion_128 + aeskeygenassist $54,%xmm0,%xmm1 + call .Lkey_expansion_128 + movups %xmm0,(%rax) + movl %edx,80(%rax) + xorl %eax,%eax + jmp .Lenc_key_ret + +.p2align 4 +.L12rounds: + movq 16(%rcx),%xmm2 + movl $11,%edx + movups %xmm0,(%r8) + aeskeygenassist $1,%xmm2,%xmm1 + call .Lkey_expansion_192a_cold + aeskeygenassist $2,%xmm2,%xmm1 + call .Lkey_expansion_192b + aeskeygenassist $4,%xmm2,%xmm1 + call .Lkey_expansion_192a + aeskeygenassist $8,%xmm2,%xmm1 + call .Lkey_expansion_192b + aeskeygenassist $16,%xmm2,%xmm1 + call .Lkey_expansion_192a + aeskeygenassist $32,%xmm2,%xmm1 + call .Lkey_expansion_192b + aeskeygenassist $64,%xmm2,%xmm1 + call .Lkey_expansion_192a + aeskeygenassist $128,%xmm2,%xmm1 + call .Lkey_expansion_192b + movups %xmm0,(%rax) + movl %edx,48(%rax) + xorq %rax,%rax + jmp .Lenc_key_ret + +.p2align 4 
+.L14rounds: + movups 16(%rcx),%xmm2 + movl $13,%edx + leaq 16(%rax),%rax + movups %xmm0,(%r8) + movups %xmm2,16(%r8) + aeskeygenassist $1,%xmm2,%xmm1 + call .Lkey_expansion_256a_cold + aeskeygenassist $1,%xmm0,%xmm1 + call .Lkey_expansion_256b + aeskeygenassist $2,%xmm2,%xmm1 + call .Lkey_expansion_256a + aeskeygenassist $2,%xmm0,%xmm1 + call .Lkey_expansion_256b + aeskeygenassist $4,%xmm2,%xmm1 + call .Lkey_expansion_256a + aeskeygenassist $4,%xmm0,%xmm1 + call .Lkey_expansion_256b + aeskeygenassist $8,%xmm2,%xmm1 + call .Lkey_expansion_256a + aeskeygenassist $8,%xmm0,%xmm1 + call .Lkey_expansion_256b + aeskeygenassist $16,%xmm2,%xmm1 + call .Lkey_expansion_256a + aeskeygenassist $16,%xmm0,%xmm1 + call .Lkey_expansion_256b + aeskeygenassist $32,%xmm2,%xmm1 + call .Lkey_expansion_256a + aeskeygenassist $32,%xmm0,%xmm1 + call .Lkey_expansion_256b + aeskeygenassist $64,%xmm2,%xmm1 + call .Lkey_expansion_256a + movups %xmm0,(%rax) + movl %edx,16(%rax) + xorq %rax,%rax + jmp .Lenc_key_ret + +.p2align 4 +.Lbad_keybits: + movq $-2,%rax +.Lenc_key_ret: + addq $8,%rsp + retq +.LSEH_end_set_encrypt_key: + +.p2align 4 +.Lkey_expansion_128: + movups %xmm0,(%rax) + leaq 16(%rax),%rax +.Lkey_expansion_128_cold: + shufps $16,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $140,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $255,%xmm1,%xmm1 + xorps %xmm1,%xmm0 + retq + +.p2align 4 +.Lkey_expansion_192a: + movups %xmm0,(%rax) + leaq 16(%rax),%rax +.Lkey_expansion_192a_cold: + movaps %xmm2,%xmm5 +.Lkey_expansion_192b_warm: + shufps $16,%xmm0,%xmm4 + movdqa %xmm2,%xmm3 + xorps %xmm4,%xmm0 + shufps $140,%xmm0,%xmm4 + pslldq $4,%xmm3 + xorps %xmm4,%xmm0 + pshufd $85,%xmm1,%xmm1 + pxor %xmm3,%xmm2 + pxor %xmm1,%xmm0 + pshufd $255,%xmm0,%xmm3 + pxor %xmm3,%xmm2 + retq + +.p2align 4 +.Lkey_expansion_192b: + movaps %xmm0,%xmm3 + shufps $68,%xmm0,%xmm5 + movups %xmm5,(%rax) + shufps $78,%xmm2,%xmm3 + movups %xmm3,16(%rax) + leaq 32(%rax),%rax + jmp .Lkey_expansion_192b_warm + +.p2align 4 
+.Lkey_expansion_256a: + movups %xmm2,(%rax) + leaq 16(%rax),%rax +.Lkey_expansion_256a_cold: + shufps $16,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $140,%xmm0,%xmm4 + xorps %xmm4,%xmm0 + shufps $255,%xmm1,%xmm1 + xorps %xmm1,%xmm0 + retq + +.p2align 4 +.Lkey_expansion_256b: + movups %xmm0,(%rax) + leaq 16(%rax),%rax + + shufps $16,%xmm2,%xmm4 + xorps %xmm4,%xmm2 + shufps $140,%xmm2,%xmm4 + xorps %xmm4,%xmm2 + shufps $170,%xmm1,%xmm1 + xorps %xmm1,%xmm2 + retq + + +.p2align 6 +.Lbswap_mask: +.byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 +.Lincrement32: +.long 6,6,6,0 +.Lincrement64: +.long 1,0,0,0 +.Lxts_magic: +.long 0x87,0,1,0 + +.byte 65,69,83,32,102,111,114,32,73,110,116,101,108,32,65,69,83,45,78,73,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.p2align 6 + +.def ecb_se_handler; .scl 3; .type 32; .endef +.p2align 4 +ecb_se_handler: + pushq %rsi + pushq %rdi + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushfq + subq $64,%rsp + + movq 152(%r8),%rax + + jmp .Lcommon_seh_tail + + +.def ccm64_se_handler; .scl 3; .type 32; .endef +.p2align 4 +ccm64_se_handler: + pushq %rsi + pushq %rdi + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushfq + subq $64,%rsp + + movq 120(%r8),%rax + movq 248(%r8),%rbx + + movq 8(%r9),%rsi + movq 56(%r9),%r11 + + movl 0(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jb .Lcommon_seh_tail + + movq 152(%r8),%rax + + movl 4(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jae .Lcommon_seh_tail + + leaq 0(%rax),%rsi + leaq 512(%r8),%rdi + movl $8,%ecx +.long 0xa548f3fc + leaq 88(%rax),%rax + + jmp .Lcommon_seh_tail + + +.def ctr32_se_handler; .scl 3; .type 32; .endef +.p2align 4 +ctr32_se_handler: + pushq %rsi + pushq %rdi + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushfq + subq $64,%rsp + + movq 120(%r8),%rax + movq 248(%r8),%rbx + + leaq 
.Lctr32_body(%rip),%r10 + cmpq %r10,%rbx + jb .Lcommon_seh_tail + + movq 152(%r8),%rax + + leaq .Lctr32_ret(%rip),%r10 + cmpq %r10,%rbx + jae .Lcommon_seh_tail + + leaq 32(%rax),%rsi + leaq 512(%r8),%rdi + movl $20,%ecx +.long 0xa548f3fc + leaq 200(%rax),%rax + + jmp .Lcommon_seh_tail + + +.def xts_se_handler; .scl 3; .type 32; .endef +.p2align 4 +xts_se_handler: + pushq %rsi + pushq %rdi + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushfq + subq $64,%rsp + + movq 120(%r8),%rax + movq 248(%r8),%rbx + + movq 8(%r9),%rsi + movq 56(%r9),%r11 + + movl 0(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jb .Lcommon_seh_tail + + movq 152(%r8),%rax + + movl 4(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jae .Lcommon_seh_tail + + leaq 96(%rax),%rsi + leaq 512(%r8),%rdi + movl $20,%ecx +.long 0xa548f3fc + leaq 104+160(%rax),%rax + + jmp .Lcommon_seh_tail + +.def cbc_se_handler; .scl 3; .type 32; .endef +.p2align 4 +cbc_se_handler: + pushq %rsi + pushq %rdi + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushfq + subq $64,%rsp + + movq 152(%r8),%rax + movq 248(%r8),%rbx + + leaq .Lcbc_decrypt(%rip),%r10 + cmpq %r10,%rbx + jb .Lcommon_seh_tail + + leaq .Lcbc_decrypt_body(%rip),%r10 + cmpq %r10,%rbx + jb .Lrestore_cbc_rax + + leaq .Lcbc_ret(%rip),%r10 + cmpq %r10,%rbx + jae .Lcommon_seh_tail + + leaq 0(%rax),%rsi + leaq 512(%r8),%rdi + movl $8,%ecx +.long 0xa548f3fc + leaq 88(%rax),%rax + jmp .Lcommon_seh_tail + +.Lrestore_cbc_rax: + movq 120(%r8),%rax + +.Lcommon_seh_tail: + movq 8(%rax),%rdi + movq 16(%rax),%rsi + movq %rax,152(%r8) + movq %rsi,168(%r8) + movq %rdi,176(%r8) + + movq 40(%r9),%rdi + movq %r8,%rsi + movl $154,%ecx +.long 0xa548f3fc + + movq %r9,%rsi + xorq %rcx,%rcx + movq 8(%rsi),%rdx + movq 0(%rsi),%r8 + movq 16(%rsi),%r9 + movq 40(%rsi),%r10 + leaq 56(%rsi),%r11 + leaq 24(%rsi),%r12 + movq %r10,32(%rsp) + movq %r11,40(%rsp) + movq %r12,48(%rsp) + movq %rcx,56(%rsp) + call 
*__imp_RtlVirtualUnwind(%rip) + + movl $1,%eax + addq $64,%rsp + popfq + popq %r15 + popq %r14 + popq %r13 + popq %r12 + popq %rbp + popq %rbx + popq %rdi + popq %rsi + retq + + +.section .pdata +.p2align 2 +.rva .LSEH_begin_aesni_ecb_encrypt +.rva .LSEH_end_aesni_ecb_encrypt +.rva .LSEH_info_ecb + +.rva .LSEH_begin_aesni_ccm64_encrypt_blocks +.rva .LSEH_end_aesni_ccm64_encrypt_blocks +.rva .LSEH_info_ccm64_enc + +.rva .LSEH_begin_aesni_ccm64_decrypt_blocks +.rva .LSEH_end_aesni_ccm64_decrypt_blocks +.rva .LSEH_info_ccm64_dec + +.rva .LSEH_begin_aesni_ctr32_encrypt_blocks +.rva .LSEH_end_aesni_ctr32_encrypt_blocks +.rva .LSEH_info_ctr32 + +.rva .LSEH_begin_aesni_xts_encrypt +.rva .LSEH_end_aesni_xts_encrypt +.rva .LSEH_info_xts_enc + +.rva .LSEH_begin_aesni_xts_decrypt +.rva .LSEH_end_aesni_xts_decrypt +.rva .LSEH_info_xts_dec +.rva .LSEH_begin_aesni_cbc_encrypt +.rva .LSEH_end_aesni_cbc_encrypt +.rva .LSEH_info_cbc + +.rva aesni_set_decrypt_key +.rva .LSEH_end_set_decrypt_key +.rva .LSEH_info_key + +.rva aesni_set_encrypt_key +.rva .LSEH_end_set_encrypt_key +.rva .LSEH_info_key +.section .xdata +.p2align 3 +.LSEH_info_ecb: +.byte 9,0,0,0 +.rva ecb_se_handler +.LSEH_info_ccm64_enc: +.byte 9,0,0,0 +.rva ccm64_se_handler +.rva .Lccm64_enc_body,.Lccm64_enc_ret +.LSEH_info_ccm64_dec: +.byte 9,0,0,0 +.rva ccm64_se_handler +.rva .Lccm64_dec_body,.Lccm64_dec_ret +.LSEH_info_ctr32: +.byte 9,0,0,0 +.rva ctr32_se_handler +.LSEH_info_xts_enc: +.byte 9,0,0,0 +.rva xts_se_handler +.rva .Lxts_enc_body,.Lxts_enc_epilogue +.LSEH_info_xts_dec: +.byte 9,0,0,0 +.rva xts_se_handler +.rva .Lxts_dec_body,.Lxts_dec_epilogue +.LSEH_info_cbc: +.byte 9,0,0,0 +.rva cbc_se_handler +.LSEH_info_key: +.byte 0x01,0x04,0x01,0x00 +.byte 0x04,0x02,0x00,0x00 diff --git a/crypto/aes/aesni-sha1-masm-x86_64.S b/crypto/aes/aesni-sha1-masm-x86_64.S new file mode 100644 index 0000000..db95881 --- /dev/null +++ b/crypto/aes/aesni-sha1-masm-x86_64.S 
@@ -0,0 +1,1616 @@ +; 1 "crypto/aes/aesni-sha1-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/aes/aesni-sha1-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/aes/aesni-sha1-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' +EXTERN OPENSSL_ia32cap_P:NEAR + + +PUBLIC aesni_cbc_sha1_enc + +ALIGN 16 +aesni_cbc_sha1_enc PROC PUBLIC + + mov r10d,DWORD PTR[((OPENSSL_ia32cap_P+0))] + mov r11d,DWORD PTR[((OPENSSL_ia32cap_P+4))] + jmp aesni_cbc_sha1_enc_ssse3 + DB 0F3h,0C3h ;repret +aesni_cbc_sha1_enc ENDP + +ALIGN 16 +aesni_cbc_sha1_enc_ssse3 PROC PRIVATE + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_aesni_cbc_sha1_enc_ssse3:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + + mov r10,QWORD PTR[56+rsp] + + + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + lea rsp,QWORD PTR[((-264))+rsp] + + + movaps XMMWORD PTR[(96+0)+rsp],xmm6 + movaps XMMWORD PTR[(96+16)+rsp],xmm7 + movaps XMMWORD PTR[(96+32)+rsp],xmm8 + movaps XMMWORD PTR[(96+48)+rsp],xmm9 + movaps XMMWORD PTR[(96+64)+rsp],xmm10 + movaps XMMWORD PTR[(96+80)+rsp],xmm11 + movaps XMMWORD PTR[(96+96)+rsp],xmm12 + movaps XMMWORD PTR[(96+112)+rsp],xmm13 + movaps XMMWORD PTR[(96+128)+rsp],xmm14 + movaps XMMWORD PTR[(96+144)+rsp],xmm15 +$L$prologue_ssse3:: + mov r12,rdi + mov r13,rsi + mov r14,rdx + mov r15,rcx + movdqu xmm11,XMMWORD PTR[r8] + mov QWORD PTR[88+rsp],r8 + shl r14,6 + sub r13,r12 + mov r8d,DWORD PTR[240+r15] + add r14,r10 + + lea r11,QWORD PTR[K_XX_XX] + mov eax,DWORD PTR[r9] + mov ebx,DWORD PTR[4+r9] + mov ecx,DWORD PTR[8+r9] + mov edx,DWORD PTR[12+r9] + mov esi,ebx + mov ebp,DWORD PTR[16+r9] + + movdqa xmm6,XMMWORD PTR[64+r11] + movdqa 
xmm9,XMMWORD PTR[r11] + movdqu xmm0,XMMWORD PTR[r10] + movdqu xmm1,XMMWORD PTR[16+r10] + movdqu xmm2,XMMWORD PTR[32+r10] + movdqu xmm3,XMMWORD PTR[48+r10] +DB 102,15,56,0,198 + add r10,64 +DB 102,15,56,0,206 +DB 102,15,56,0,214 +DB 102,15,56,0,222 + paddd xmm0,xmm9 + paddd xmm1,xmm9 + paddd xmm2,xmm9 + movdqa XMMWORD PTR[rsp],xmm0 + psubd xmm0,xmm9 + movdqa XMMWORD PTR[16+rsp],xmm1 + psubd xmm1,xmm9 + movdqa XMMWORD PTR[32+rsp],xmm2 + psubd xmm2,xmm9 + movups xmm13,XMMWORD PTR[r15] + movups xmm14,XMMWORD PTR[16+r15] + jmp $L$oop_ssse3 +ALIGN 16 +$L$oop_ssse3:: + movdqa xmm4,xmm1 + add ebp,DWORD PTR[rsp] + movups xmm12,XMMWORD PTR[r12] + xorps xmm12,xmm13 + xorps xmm11,xmm12 + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[32+r15] + xor ecx,edx + movdqa xmm8,xmm3 +DB 102,15,58,15,224,8 + mov edi,eax + rol eax,5 + paddd xmm9,xmm3 + and esi,ecx + xor ecx,edx + psrldq xmm8,4 + xor esi,edx + add ebp,eax + pxor xmm4,xmm0 + ror ebx,2 + add ebp,esi + pxor xmm8,xmm2 + add edx,DWORD PTR[4+rsp] + xor ebx,ecx + mov esi,ebp + rol ebp,5 + pxor xmm4,xmm8 + and edi,ebx + xor ebx,ecx + movdqa XMMWORD PTR[48+rsp],xmm9 + xor edi,ecx + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[48+r15] + add edx,ebp + movdqa xmm10,xmm4 + movdqa xmm8,xmm4 + ror eax,7 + add edx,edi + add ecx,DWORD PTR[8+rsp] + xor eax,ebx + pslldq xmm10,12 + paddd xmm4,xmm4 + mov edi,edx + rol edx,5 + and esi,eax + xor eax,ebx + psrld xmm8,31 + xor esi,ebx + add ecx,edx + movdqa xmm9,xmm10 + ror ebp,7 + add ecx,esi + psrld xmm10,30 + por xmm4,xmm8 + add ebx,DWORD PTR[12+rsp] + xor ebp,eax + mov esi,ecx + rol ecx,5 + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[64+r15] + pslld xmm9,2 + pxor xmm4,xmm10 + and edi,ebp + xor ebp,eax + movdqa xmm10,XMMWORD PTR[r11] + xor edi,eax + add ebx,ecx + pxor xmm4,xmm9 + ror edx,7 + add ebx,edi + movdqa xmm5,xmm2 + add eax,DWORD PTR[16+rsp] + xor edx,ebp + movdqa xmm9,xmm4 +DB 102,15,58,15,233,8 + mov edi,ebx + rol ebx,5 + paddd xmm10,xmm4 + and esi,edx + xor edx,ebp + psrldq xmm9,4 
+ xor esi,ebp + add eax,ebx + pxor xmm5,xmm1 + ror ecx,7 + add eax,esi + pxor xmm9,xmm3 + add ebp,DWORD PTR[20+rsp] + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[80+r15] + xor ecx,edx + mov esi,eax + rol eax,5 + pxor xmm5,xmm9 + and edi,ecx + xor ecx,edx + movdqa XMMWORD PTR[rsp],xmm10 + xor edi,edx + add ebp,eax + movdqa xmm8,xmm5 + movdqa xmm9,xmm5 + ror ebx,7 + add ebp,edi + add edx,DWORD PTR[24+rsp] + xor ebx,ecx + pslldq xmm8,12 + paddd xmm5,xmm5 + mov edi,ebp + rol ebp,5 + and esi,ebx + xor ebx,ecx + psrld xmm9,31 + xor esi,ecx + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[96+r15] + add edx,ebp + movdqa xmm10,xmm8 + ror eax,7 + add edx,esi + psrld xmm8,30 + por xmm5,xmm9 + add ecx,DWORD PTR[28+rsp] + xor eax,ebx + mov esi,edx + rol edx,5 + pslld xmm10,2 + pxor xmm5,xmm8 + and edi,eax + xor eax,ebx + movdqa xmm8,XMMWORD PTR[16+r11] + xor edi,ebx + add ecx,edx + pxor xmm5,xmm10 + ror ebp,7 + add ecx,edi + movdqa xmm6,xmm3 + add ebx,DWORD PTR[32+rsp] + xor ebp,eax + movdqa xmm10,xmm5 +DB 102,15,58,15,242,8 + mov edi,ecx + rol ecx,5 + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[112+r15] + paddd xmm8,xmm5 + and esi,ebp + xor ebp,eax + psrldq xmm10,4 + xor esi,eax + add ebx,ecx + pxor xmm6,xmm2 + ror edx,7 + add ebx,esi + pxor xmm10,xmm4 + add eax,DWORD PTR[36+rsp] + xor edx,ebp + mov esi,ebx + rol ebx,5 + pxor xmm6,xmm10 + and edi,edx + xor edx,ebp + movdqa XMMWORD PTR[16+rsp],xmm8 + xor edi,ebp + add eax,ebx + movdqa xmm9,xmm6 + movdqa xmm10,xmm6 + ror ecx,7 + add eax,edi + add ebp,DWORD PTR[40+rsp] + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[128+r15] + xor ecx,edx + pslldq xmm9,12 + paddd xmm6,xmm6 + mov edi,eax + rol eax,5 + and esi,ecx + xor ecx,edx + psrld xmm10,31 + xor esi,edx + add ebp,eax + movdqa xmm8,xmm9 + ror ebx,7 + add ebp,esi + psrld xmm9,30 + por xmm6,xmm10 + add edx,DWORD PTR[44+rsp] + xor ebx,ecx + mov esi,ebp + rol ebp,5 + pslld xmm8,2 + pxor xmm6,xmm9 + and edi,ebx + xor ebx,ecx + movdqa xmm9,XMMWORD PTR[16+r11] + xor edi,ecx + 
aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[144+r15] + add edx,ebp + pxor xmm6,xmm8 + ror eax,7 + add edx,edi + movdqa xmm7,xmm4 + add ecx,DWORD PTR[48+rsp] + xor eax,ebx + movdqa xmm8,xmm6 +DB 102,15,58,15,251,8 + mov edi,edx + rol edx,5 + paddd xmm9,xmm6 + and esi,eax + xor eax,ebx + psrldq xmm8,4 + xor esi,ebx + add ecx,edx + pxor xmm7,xmm3 + ror ebp,7 + add ecx,esi + pxor xmm8,xmm5 + add ebx,DWORD PTR[52+rsp] + xor ebp,eax + mov esi,ecx + rol ecx,5 + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[160+r15] + pxor xmm7,xmm8 + and edi,ebp + xor ebp,eax + movdqa XMMWORD PTR[32+rsp],xmm9 + xor edi,eax + add ebx,ecx + movdqa xmm10,xmm7 + movdqa xmm8,xmm7 + ror edx,7 + add ebx,edi + add eax,DWORD PTR[56+rsp] + xor edx,ebp + pslldq xmm10,12 + paddd xmm7,xmm7 + mov edi,ebx + rol ebx,5 + and esi,edx + xor edx,ebp + psrld xmm8,31 + xor esi,ebp + add eax,ebx + movdqa xmm9,xmm10 + ror ecx,7 + add eax,esi + psrld xmm10,30 + por xmm7,xmm8 + add ebp,DWORD PTR[60+rsp] + cmp r8d,11 + jb $L$aesenclast1 + movups xmm14,XMMWORD PTR[176+r15] + aesenc xmm11,xmm15 + movups xmm15,XMMWORD PTR[192+r15] + aesenc xmm11,xmm14 + je $L$aesenclast1 + movups xmm14,XMMWORD PTR[208+r15] + aesenc xmm11,xmm15 + movups xmm15,XMMWORD PTR[224+r15] + aesenc xmm11,xmm14 +$L$aesenclast1:: + aesenclast xmm11,xmm15 + movups xmm14,XMMWORD PTR[16+r15] + xor ecx,edx + mov esi,eax + rol eax,5 + pslld xmm9,2 + pxor xmm7,xmm10 + and edi,ecx + xor ecx,edx + movdqa xmm10,XMMWORD PTR[16+r11] + xor edi,edx + add ebp,eax + pxor xmm7,xmm9 + ror ebx,7 + add ebp,edi + movdqa xmm9,xmm7 + add edx,DWORD PTR[rsp] + pxor xmm0,xmm4 +DB 102,68,15,58,15,206,8 + xor ebx,ecx + mov edi,ebp + rol ebp,5 + pxor xmm0,xmm1 + and esi,ebx + xor ebx,ecx + movdqa xmm8,xmm10 + paddd xmm10,xmm7 + xor esi,ecx + movups xmm12,XMMWORD PTR[16+r12] + xorps xmm12,xmm13 + movups XMMWORD PTR[r12*1+r13],xmm11 + xorps xmm11,xmm12 + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[32+r15] + add edx,ebp + pxor xmm0,xmm9 + ror eax,7 + add edx,esi + add 
ecx,DWORD PTR[4+rsp] + xor eax,ebx + movdqa xmm9,xmm0 + movdqa XMMWORD PTR[48+rsp],xmm10 + mov esi,edx + rol edx,5 + and edi,eax + xor eax,ebx + pslld xmm0,2 + xor edi,ebx + add ecx,edx + psrld xmm9,30 + ror ebp,7 + add ecx,edi + add ebx,DWORD PTR[8+rsp] + xor ebp,eax + mov edi,ecx + rol ecx,5 + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[48+r15] + por xmm0,xmm9 + and esi,ebp + xor ebp,eax + movdqa xmm10,xmm0 + xor esi,eax + add ebx,ecx + ror edx,7 + add ebx,esi + add eax,DWORD PTR[12+rsp] + xor edx,ebp + mov esi,ebx + rol ebx,5 + and edi,edx + xor edx,ebp + xor edi,ebp + add eax,ebx + ror ecx,7 + add eax,edi + add ebp,DWORD PTR[16+rsp] + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[64+r15] + pxor xmm1,xmm5 +DB 102,68,15,58,15,215,8 + xor esi,edx + mov edi,eax + rol eax,5 + pxor xmm1,xmm2 + xor esi,ecx + add ebp,eax + movdqa xmm9,xmm8 + paddd xmm8,xmm0 + ror ebx,7 + add ebp,esi + pxor xmm1,xmm10 + add edx,DWORD PTR[20+rsp] + xor edi,ecx + mov esi,ebp + rol ebp,5 + movdqa xmm10,xmm1 + movdqa XMMWORD PTR[rsp],xmm8 + xor edi,ebx + add edx,ebp + ror eax,7 + add edx,edi + pslld xmm1,2 + add ecx,DWORD PTR[24+rsp] + xor esi,ebx + psrld xmm10,30 + mov edi,edx + rol edx,5 + xor esi,eax + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[80+r15] + add ecx,edx + ror ebp,7 + add ecx,esi + por xmm1,xmm10 + add ebx,DWORD PTR[28+rsp] + xor edi,eax + movdqa xmm8,xmm1 + mov esi,ecx + rol ecx,5 + xor edi,ebp + add ebx,ecx + ror edx,7 + add ebx,edi + add eax,DWORD PTR[32+rsp] + pxor xmm2,xmm6 +DB 102,68,15,58,15,192,8 + xor esi,ebp + mov edi,ebx + rol ebx,5 + pxor xmm2,xmm3 + xor esi,edx + add eax,ebx + movdqa xmm10,XMMWORD PTR[32+r11] + paddd xmm9,xmm1 + ror ecx,7 + add eax,esi + pxor xmm2,xmm8 + add ebp,DWORD PTR[36+rsp] + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[96+r15] + xor edi,edx + mov esi,eax + rol eax,5 + movdqa xmm8,xmm2 + movdqa XMMWORD PTR[16+rsp],xmm9 + xor edi,ecx + add ebp,eax + ror ebx,7 + add ebp,edi + pslld xmm2,2 + add edx,DWORD PTR[40+rsp] + xor esi,ecx + 
psrld xmm8,30 + mov edi,ebp + rol ebp,5 + xor esi,ebx + add edx,ebp + ror eax,7 + add edx,esi + por xmm2,xmm8 + add ecx,DWORD PTR[44+rsp] + xor edi,ebx + movdqa xmm9,xmm2 + mov esi,edx + rol edx,5 + xor edi,eax + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[112+r15] + add ecx,edx + ror ebp,7 + add ecx,edi + add ebx,DWORD PTR[48+rsp] + pxor xmm3,xmm7 +DB 102,68,15,58,15,201,8 + xor esi,eax + mov edi,ecx + rol ecx,5 + pxor xmm3,xmm4 + xor esi,ebp + add ebx,ecx + movdqa xmm8,xmm10 + paddd xmm10,xmm2 + ror edx,7 + add ebx,esi + pxor xmm3,xmm9 + add eax,DWORD PTR[52+rsp] + xor edi,ebp + mov esi,ebx + rol ebx,5 + movdqa xmm9,xmm3 + movdqa XMMWORD PTR[32+rsp],xmm10 + xor edi,edx + add eax,ebx + ror ecx,7 + add eax,edi + pslld xmm3,2 + add ebp,DWORD PTR[56+rsp] + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[128+r15] + xor esi,edx + psrld xmm9,30 + mov edi,eax + rol eax,5 + xor esi,ecx + add ebp,eax + ror ebx,7 + add ebp,esi + por xmm3,xmm9 + add edx,DWORD PTR[60+rsp] + xor edi,ecx + movdqa xmm10,xmm3 + mov esi,ebp + rol ebp,5 + xor edi,ebx + add edx,ebp + ror eax,7 + add edx,edi + add ecx,DWORD PTR[rsp] + pxor xmm4,xmm0 +DB 102,68,15,58,15,210,8 + xor esi,ebx + mov edi,edx + rol edx,5 + pxor xmm4,xmm5 + xor esi,eax + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[144+r15] + add ecx,edx + movdqa xmm9,xmm8 + paddd xmm8,xmm3 + ror ebp,7 + add ecx,esi + pxor xmm4,xmm10 + add ebx,DWORD PTR[4+rsp] + xor edi,eax + mov esi,ecx + rol ecx,5 + movdqa xmm10,xmm4 + movdqa XMMWORD PTR[48+rsp],xmm8 + xor edi,ebp + add ebx,ecx + ror edx,7 + add ebx,edi + pslld xmm4,2 + add eax,DWORD PTR[8+rsp] + xor esi,ebp + psrld xmm10,30 + mov edi,ebx + rol ebx,5 + xor esi,edx + add eax,ebx + ror ecx,7 + add eax,esi + por xmm4,xmm10 + add ebp,DWORD PTR[12+rsp] + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[160+r15] + xor edi,edx + movdqa xmm8,xmm4 + mov esi,eax + rol eax,5 + xor edi,ecx + add ebp,eax + ror ebx,7 + add ebp,edi + add edx,DWORD PTR[16+rsp] + pxor xmm5,xmm1 +DB 102,68,15,58,15,195,8 + 
xor esi,ecx + mov edi,ebp + rol ebp,5 + pxor xmm5,xmm6 + xor esi,ebx + add edx,ebp + movdqa xmm10,xmm9 + paddd xmm9,xmm4 + ror eax,7 + add edx,esi + pxor xmm5,xmm8 + add ecx,DWORD PTR[20+rsp] + xor edi,ebx + mov esi,edx + rol edx,5 + movdqa xmm8,xmm5 + movdqa XMMWORD PTR[rsp],xmm9 + xor edi,eax + cmp r8d,11 + jb $L$aesenclast2 + movups xmm14,XMMWORD PTR[176+r15] + aesenc xmm11,xmm15 + movups xmm15,XMMWORD PTR[192+r15] + aesenc xmm11,xmm14 + je $L$aesenclast2 + movups xmm14,XMMWORD PTR[208+r15] + aesenc xmm11,xmm15 + movups xmm15,XMMWORD PTR[224+r15] + aesenc xmm11,xmm14 +$L$aesenclast2:: + aesenclast xmm11,xmm15 + movups xmm14,XMMWORD PTR[16+r15] + add ecx,edx + ror ebp,7 + add ecx,edi + pslld xmm5,2 + add ebx,DWORD PTR[24+rsp] + xor esi,eax + psrld xmm8,30 + mov edi,ecx + rol ecx,5 + xor esi,ebp + add ebx,ecx + ror edx,7 + add ebx,esi + por xmm5,xmm8 + add eax,DWORD PTR[28+rsp] + xor edi,ebp + movdqa xmm9,xmm5 + mov esi,ebx + rol ebx,5 + xor edi,edx + add eax,ebx + ror ecx,7 + add eax,edi + mov edi,ecx + movups xmm12,XMMWORD PTR[32+r12] + xorps xmm12,xmm13 + movups XMMWORD PTR[16+r12*1+r13],xmm11 + xorps xmm11,xmm12 + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[32+r15] + pxor xmm6,xmm2 +DB 102,68,15,58,15,204,8 + xor ecx,edx + add ebp,DWORD PTR[32+rsp] + and edi,edx + pxor xmm6,xmm7 + and esi,ecx + ror ebx,7 + movdqa xmm8,xmm10 + paddd xmm10,xmm5 + add ebp,edi + mov edi,eax + pxor xmm6,xmm9 + rol eax,5 + add ebp,esi + xor ecx,edx + add ebp,eax + movdqa xmm9,xmm6 + movdqa XMMWORD PTR[16+rsp],xmm10 + mov esi,ebx + xor ebx,ecx + add edx,DWORD PTR[36+rsp] + and esi,ecx + pslld xmm6,2 + and edi,ebx + ror eax,7 + psrld xmm9,30 + add edx,esi + mov esi,ebp + rol ebp,5 + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[48+r15] + add edx,edi + xor ebx,ecx + add edx,ebp + por xmm6,xmm9 + mov edi,eax + xor eax,ebx + movdqa xmm10,xmm6 + add ecx,DWORD PTR[40+rsp] + and edi,ebx + and esi,eax + ror ebp,7 + add ecx,edi + mov edi,edx + rol edx,5 + add ecx,esi + xor eax,ebx + add 
ecx,edx + mov esi,ebp + xor ebp,eax + add ebx,DWORD PTR[44+rsp] + and esi,eax + and edi,ebp + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[64+r15] + ror edx,7 + add ebx,esi + mov esi,ecx + rol ecx,5 + add ebx,edi + xor ebp,eax + add ebx,ecx + mov edi,edx + pxor xmm7,xmm3 +DB 102,68,15,58,15,213,8 + xor edx,ebp + add eax,DWORD PTR[48+rsp] + and edi,ebp + pxor xmm7,xmm0 + and esi,edx + ror ecx,7 + movdqa xmm9,XMMWORD PTR[48+r11] + paddd xmm8,xmm6 + add eax,edi + mov edi,ebx + pxor xmm7,xmm10 + rol ebx,5 + add eax,esi + xor edx,ebp + add eax,ebx + movdqa xmm10,xmm7 + movdqa XMMWORD PTR[32+rsp],xmm8 + mov esi,ecx + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[80+r15] + xor ecx,edx + add ebp,DWORD PTR[52+rsp] + and esi,edx + pslld xmm7,2 + and edi,ecx + ror ebx,7 + psrld xmm10,30 + add ebp,esi + mov esi,eax + rol eax,5 + add ebp,edi + xor ecx,edx + add ebp,eax + por xmm7,xmm10 + mov edi,ebx + xor ebx,ecx + movdqa xmm8,xmm7 + add edx,DWORD PTR[56+rsp] + and edi,ecx + and esi,ebx + ror eax,7 + add edx,edi + mov edi,ebp + rol ebp,5 + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[96+r15] + add edx,esi + xor ebx,ecx + add edx,ebp + mov esi,eax + xor eax,ebx + add ecx,DWORD PTR[60+rsp] + and esi,ebx + and edi,eax + ror ebp,7 + add ecx,esi + mov esi,edx + rol edx,5 + add ecx,edi + xor eax,ebx + add ecx,edx + mov edi,ebp + pxor xmm0,xmm4 +DB 102,68,15,58,15,198,8 + xor ebp,eax + add ebx,DWORD PTR[rsp] + and edi,eax + pxor xmm0,xmm1 + and esi,ebp + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[112+r15] + ror edx,7 + movdqa xmm10,xmm9 + paddd xmm9,xmm7 + add ebx,edi + mov edi,ecx + pxor xmm0,xmm8 + rol ecx,5 + add ebx,esi + xor ebp,eax + add ebx,ecx + movdqa xmm8,xmm0 + movdqa XMMWORD PTR[48+rsp],xmm9 + mov esi,edx + xor edx,ebp + add eax,DWORD PTR[4+rsp] + and esi,ebp + pslld xmm0,2 + and edi,edx + ror ecx,7 + psrld xmm8,30 + add eax,esi + mov esi,ebx + rol ebx,5 + add eax,edi + xor edx,ebp + add eax,ebx + por xmm0,xmm8 + mov edi,ecx + aesenc xmm11,xmm14 + movups xmm15,XMMWORD 
PTR[128+r15] + xor ecx,edx + movdqa xmm9,xmm0 + add ebp,DWORD PTR[8+rsp] + and edi,edx + and esi,ecx + ror ebx,7 + add ebp,edi + mov edi,eax + rol eax,5 + add ebp,esi + xor ecx,edx + add ebp,eax + mov esi,ebx + xor ebx,ecx + add edx,DWORD PTR[12+rsp] + and esi,ecx + and edi,ebx + ror eax,7 + add edx,esi + mov esi,ebp + rol ebp,5 + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[144+r15] + add edx,edi + xor ebx,ecx + add edx,ebp + mov edi,eax + pxor xmm1,xmm5 +DB 102,68,15,58,15,207,8 + xor eax,ebx + add ecx,DWORD PTR[16+rsp] + and edi,ebx + pxor xmm1,xmm2 + and esi,eax + ror ebp,7 + movdqa xmm8,xmm10 + paddd xmm10,xmm0 + add ecx,edi + mov edi,edx + pxor xmm1,xmm9 + rol edx,5 + add ecx,esi + xor eax,ebx + add ecx,edx + movdqa xmm9,xmm1 + movdqa XMMWORD PTR[rsp],xmm10 + mov esi,ebp + xor ebp,eax + add ebx,DWORD PTR[20+rsp] + and esi,eax + pslld xmm1,2 + and edi,ebp + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[160+r15] + ror edx,7 + psrld xmm9,30 + add ebx,esi + mov esi,ecx + rol ecx,5 + add ebx,edi + xor ebp,eax + add ebx,ecx + por xmm1,xmm9 + mov edi,edx + xor edx,ebp + movdqa xmm10,xmm1 + add eax,DWORD PTR[24+rsp] + and edi,ebp + and esi,edx + ror ecx,7 + add eax,edi + mov edi,ebx + rol ebx,5 + add eax,esi + xor edx,ebp + add eax,ebx + mov esi,ecx + cmp r8d,11 + jb $L$aesenclast3 + movups xmm14,XMMWORD PTR[176+r15] + aesenc xmm11,xmm15 + movups xmm15,XMMWORD PTR[192+r15] + aesenc xmm11,xmm14 + je $L$aesenclast3 + movups xmm14,XMMWORD PTR[208+r15] + aesenc xmm11,xmm15 + movups xmm15,XMMWORD PTR[224+r15] + aesenc xmm11,xmm14 +$L$aesenclast3:: + aesenclast xmm11,xmm15 + movups xmm14,XMMWORD PTR[16+r15] + xor ecx,edx + add ebp,DWORD PTR[28+rsp] + and esi,edx + and edi,ecx + ror ebx,7 + add ebp,esi + mov esi,eax + rol eax,5 + add ebp,edi + xor ecx,edx + add ebp,eax + mov edi,ebx + pxor xmm2,xmm6 +DB 102,68,15,58,15,208,8 + xor ebx,ecx + add edx,DWORD PTR[32+rsp] + and edi,ecx + pxor xmm2,xmm3 + and esi,ebx + ror eax,7 + movdqa xmm9,xmm8 + paddd xmm8,xmm1 + add edx,edi 
+ mov edi,ebp + pxor xmm2,xmm10 + rol ebp,5 + movups xmm12,XMMWORD PTR[48+r12] + xorps xmm12,xmm13 + movups XMMWORD PTR[32+r12*1+r13],xmm11 + xorps xmm11,xmm12 + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[32+r15] + add edx,esi + xor ebx,ecx + add edx,ebp + movdqa xmm10,xmm2 + movdqa XMMWORD PTR[16+rsp],xmm8 + mov esi,eax + xor eax,ebx + add ecx,DWORD PTR[36+rsp] + and esi,ebx + pslld xmm2,2 + and edi,eax + ror ebp,7 + psrld xmm10,30 + add ecx,esi + mov esi,edx + rol edx,5 + add ecx,edi + xor eax,ebx + add ecx,edx + por xmm2,xmm10 + mov edi,ebp + xor ebp,eax + movdqa xmm8,xmm2 + add ebx,DWORD PTR[40+rsp] + and edi,eax + and esi,ebp + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[48+r15] + ror edx,7 + add ebx,edi + mov edi,ecx + rol ecx,5 + add ebx,esi + xor ebp,eax + add ebx,ecx + mov esi,edx + xor edx,ebp + add eax,DWORD PTR[44+rsp] + and esi,ebp + and edi,edx + ror ecx,7 + add eax,esi + mov esi,ebx + rol ebx,5 + add eax,edi + xor edx,ebp + add eax,ebx + add ebp,DWORD PTR[48+rsp] + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[64+r15] + pxor xmm3,xmm7 +DB 102,68,15,58,15,193,8 + xor esi,edx + mov edi,eax + rol eax,5 + pxor xmm3,xmm4 + xor esi,ecx + add ebp,eax + movdqa xmm10,xmm9 + paddd xmm9,xmm2 + ror ebx,7 + add ebp,esi + pxor xmm3,xmm8 + add edx,DWORD PTR[52+rsp] + xor edi,ecx + mov esi,ebp + rol ebp,5 + movdqa xmm8,xmm3 + movdqa XMMWORD PTR[32+rsp],xmm9 + xor edi,ebx + add edx,ebp + ror eax,7 + add edx,edi + pslld xmm3,2 + add ecx,DWORD PTR[56+rsp] + xor esi,ebx + psrld xmm8,30 + mov edi,edx + rol edx,5 + xor esi,eax + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[80+r15] + add ecx,edx + ror ebp,7 + add ecx,esi + por xmm3,xmm8 + add ebx,DWORD PTR[60+rsp] + xor edi,eax + mov esi,ecx + rol ecx,5 + xor edi,ebp + add ebx,ecx + ror edx,7 + add ebx,edi + add eax,DWORD PTR[rsp] + paddd xmm10,xmm3 + xor esi,ebp + mov edi,ebx + rol ebx,5 + xor esi,edx + movdqa XMMWORD PTR[48+rsp],xmm10 + add eax,ebx + ror ecx,7 + add eax,esi + add ebp,DWORD PTR[4+rsp] + aesenc 
xmm11,xmm14 + movups xmm15,XMMWORD PTR[96+r15] + xor edi,edx + mov esi,eax + rol eax,5 + xor edi,ecx + add ebp,eax + ror ebx,7 + add ebp,edi + add edx,DWORD PTR[8+rsp] + xor esi,ecx + mov edi,ebp + rol ebp,5 + xor esi,ebx + add edx,ebp + ror eax,7 + add edx,esi + add ecx,DWORD PTR[12+rsp] + xor edi,ebx + mov esi,edx + rol edx,5 + xor edi,eax + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[112+r15] + add ecx,edx + ror ebp,7 + add ecx,edi + cmp r10,r14 + je $L$done_ssse3 + movdqa xmm6,XMMWORD PTR[64+r11] + movdqa xmm9,XMMWORD PTR[r11] + movdqu xmm0,XMMWORD PTR[r10] + movdqu xmm1,XMMWORD PTR[16+r10] + movdqu xmm2,XMMWORD PTR[32+r10] + movdqu xmm3,XMMWORD PTR[48+r10] +DB 102,15,56,0,198 + add r10,64 + add ebx,DWORD PTR[16+rsp] + xor esi,eax +DB 102,15,56,0,206 + mov edi,ecx + rol ecx,5 + paddd xmm0,xmm9 + xor esi,ebp + add ebx,ecx + ror edx,7 + add ebx,esi + movdqa XMMWORD PTR[rsp],xmm0 + add eax,DWORD PTR[20+rsp] + xor edi,ebp + psubd xmm0,xmm9 + mov esi,ebx + rol ebx,5 + xor edi,edx + add eax,ebx + ror ecx,7 + add eax,edi + add ebp,DWORD PTR[24+rsp] + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[128+r15] + xor esi,edx + mov edi,eax + rol eax,5 + xor esi,ecx + add ebp,eax + ror ebx,7 + add ebp,esi + add edx,DWORD PTR[28+rsp] + xor edi,ecx + mov esi,ebp + rol ebp,5 + xor edi,ebx + add edx,ebp + ror eax,7 + add edx,edi + add ecx,DWORD PTR[32+rsp] + xor esi,ebx +DB 102,15,56,0,214 + mov edi,edx + rol edx,5 + paddd xmm1,xmm9 + xor esi,eax + aesenc xmm11,xmm15 + movups xmm14,XMMWORD PTR[144+r15] + add ecx,edx + ror ebp,7 + add ecx,esi + movdqa XMMWORD PTR[16+rsp],xmm1 + add ebx,DWORD PTR[36+rsp] + xor edi,eax + psubd xmm1,xmm9 + mov esi,ecx + rol ecx,5 + xor edi,ebp + add ebx,ecx + ror edx,7 + add ebx,edi + add eax,DWORD PTR[40+rsp] + xor esi,ebp + mov edi,ebx + rol ebx,5 + xor esi,edx + add eax,ebx + ror ecx,7 + add eax,esi + add ebp,DWORD PTR[44+rsp] + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[160+r15] + xor edi,edx + mov esi,eax + rol eax,5 + xor edi,ecx + add 
ebp,eax + ror ebx,7 + add ebp,edi + add edx,DWORD PTR[48+rsp] + xor esi,ecx +DB 102,15,56,0,222 + mov edi,ebp + rol ebp,5 + paddd xmm2,xmm9 + xor esi,ebx + add edx,ebp + ror eax,7 + add edx,esi + movdqa XMMWORD PTR[32+rsp],xmm2 + add ecx,DWORD PTR[52+rsp] + xor edi,ebx + psubd xmm2,xmm9 + mov esi,edx + rol edx,5 + xor edi,eax + cmp r8d,11 + jb $L$aesenclast4 + movups xmm14,XMMWORD PTR[176+r15] + aesenc xmm11,xmm15 + movups xmm15,XMMWORD PTR[192+r15] + aesenc xmm11,xmm14 + je $L$aesenclast4 + movups xmm14,XMMWORD PTR[208+r15] + aesenc xmm11,xmm15 + movups xmm15,XMMWORD PTR[224+r15] + aesenc xmm11,xmm14 +$L$aesenclast4:: + aesenclast xmm11,xmm15 + movups xmm14,XMMWORD PTR[16+r15] + add ecx,edx + ror ebp,7 + add ecx,edi + add ebx,DWORD PTR[56+rsp] + xor esi,eax + mov edi,ecx + rol ecx,5 + xor esi,ebp + add ebx,ecx + ror edx,7 + add ebx,esi + add eax,DWORD PTR[60+rsp] + xor edi,ebp + mov esi,ebx + rol ebx,5 + xor edi,edx + add eax,ebx + ror ecx,7 + add eax,edi + movups XMMWORD PTR[48+r12*1+r13],xmm11 + lea r12,QWORD PTR[64+r12] + + add eax,DWORD PTR[r9] + add esi,DWORD PTR[4+r9] + add ecx,DWORD PTR[8+r9] + add edx,DWORD PTR[12+r9] + mov DWORD PTR[r9],eax + add ebp,DWORD PTR[16+r9] + mov DWORD PTR[4+r9],esi + mov ebx,esi + mov DWORD PTR[8+r9],ecx + mov DWORD PTR[12+r9],edx + mov DWORD PTR[16+r9],ebp + jmp $L$oop_ssse3 + +ALIGN 16 +$L$done_ssse3:: + add ebx,DWORD PTR[16+rsp] + xor esi,eax + mov edi,ecx + rol ecx,5 + xor esi,ebp + add ebx,ecx + ror edx,7 + add ebx,esi + add eax,DWORD PTR[20+rsp] + xor edi,ebp + mov esi,ebx + rol ebx,5 + xor edi,edx + add eax,ebx + ror ecx,7 + add eax,edi + add ebp,DWORD PTR[24+rsp] + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[128+r15] + xor esi,edx + mov edi,eax + rol eax,5 + xor esi,ecx + add ebp,eax + ror ebx,7 + add ebp,esi + add edx,DWORD PTR[28+rsp] + xor edi,ecx + mov esi,ebp + rol ebp,5 + xor edi,ebx + add edx,ebp + ror eax,7 + add edx,edi + add ecx,DWORD PTR[32+rsp] + xor esi,ebx + mov edi,edx + rol edx,5 + xor esi,eax + aesenc 
xmm11,xmm15 + movups xmm14,XMMWORD PTR[144+r15] + add ecx,edx + ror ebp,7 + add ecx,esi + add ebx,DWORD PTR[36+rsp] + xor edi,eax + mov esi,ecx + rol ecx,5 + xor edi,ebp + add ebx,ecx + ror edx,7 + add ebx,edi + add eax,DWORD PTR[40+rsp] + xor esi,ebp + mov edi,ebx + rol ebx,5 + xor esi,edx + add eax,ebx + ror ecx,7 + add eax,esi + add ebp,DWORD PTR[44+rsp] + aesenc xmm11,xmm14 + movups xmm15,XMMWORD PTR[160+r15] + xor edi,edx + mov esi,eax + rol eax,5 + xor edi,ecx + add ebp,eax + ror ebx,7 + add ebp,edi + add edx,DWORD PTR[48+rsp] + xor esi,ecx + mov edi,ebp + rol ebp,5 + xor esi,ebx + add edx,ebp + ror eax,7 + add edx,esi + add ecx,DWORD PTR[52+rsp] + xor edi,ebx + mov esi,edx + rol edx,5 + xor edi,eax + cmp r8d,11 + jb $L$aesenclast5 + movups xmm14,XMMWORD PTR[176+r15] + aesenc xmm11,xmm15 + movups xmm15,XMMWORD PTR[192+r15] + aesenc xmm11,xmm14 + je $L$aesenclast5 + movups xmm14,XMMWORD PTR[208+r15] + aesenc xmm11,xmm15 + movups xmm15,XMMWORD PTR[224+r15] + aesenc xmm11,xmm14 +$L$aesenclast5:: + aesenclast xmm11,xmm15 + movups xmm14,XMMWORD PTR[16+r15] + add ecx,edx + ror ebp,7 + add ecx,edi + add ebx,DWORD PTR[56+rsp] + xor esi,eax + mov edi,ecx + rol ecx,5 + xor esi,ebp + add ebx,ecx + ror edx,7 + add ebx,esi + add eax,DWORD PTR[60+rsp] + xor edi,ebp + mov esi,ebx + rol ebx,5 + xor edi,edx + add eax,ebx + ror ecx,7 + add eax,edi + movups XMMWORD PTR[48+r12*1+r13],xmm11 + mov r8,QWORD PTR[88+rsp] + + add eax,DWORD PTR[r9] + add esi,DWORD PTR[4+r9] + add ecx,DWORD PTR[8+r9] + mov DWORD PTR[r9],eax + add edx,DWORD PTR[12+r9] + mov DWORD PTR[4+r9],esi + add ebp,DWORD PTR[16+r9] + mov DWORD PTR[8+r9],ecx + mov DWORD PTR[12+r9],edx + mov DWORD PTR[16+r9],ebp + movups XMMWORD PTR[r8],xmm11 + movaps xmm6,XMMWORD PTR[((96+0))+rsp] + movaps xmm7,XMMWORD PTR[((96+16))+rsp] + movaps xmm8,XMMWORD PTR[((96+32))+rsp] + movaps xmm9,XMMWORD PTR[((96+48))+rsp] + movaps xmm10,XMMWORD PTR[((96+64))+rsp] + movaps xmm11,XMMWORD PTR[((96+80))+rsp] + movaps xmm12,XMMWORD 
PTR[((96+96))+rsp] + movaps xmm13,XMMWORD PTR[((96+112))+rsp] + movaps xmm14,XMMWORD PTR[((96+128))+rsp] + movaps xmm15,XMMWORD PTR[((96+144))+rsp] + lea rsi,QWORD PTR[264+rsp] + mov r15,QWORD PTR[rsi] + mov r14,QWORD PTR[8+rsi] + mov r13,QWORD PTR[16+rsi] + mov r12,QWORD PTR[24+rsi] + mov rbp,QWORD PTR[32+rsi] + mov rbx,QWORD PTR[40+rsi] + lea rsp,QWORD PTR[48+rsi] +$L$epilogue_ssse3:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_aesni_cbc_sha1_enc_ssse3:: +aesni_cbc_sha1_enc_ssse3 ENDP +ALIGN 64 +K_XX_XX:: + DD 05a827999h,05a827999h,05a827999h,05a827999h + DD 06ed9eba1h,06ed9eba1h,06ed9eba1h,06ed9eba1h + DD 08f1bbcdch,08f1bbcdch,08f1bbcdch,08f1bbcdch + DD 0ca62c1d6h,0ca62c1d6h,0ca62c1d6h,0ca62c1d6h + DD 000010203h,004050607h,008090a0bh,00c0d0e0fh + +DB 65,69,83,78,73,45,67,66,67,43,83,72,65,49,32,115 +DB 116,105,116,99,104,32,102,111,114,32,120,56,54,95,54,52 +DB 44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32 +DB 60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111 +DB 114,103,62,0 +ALIGN 64 +EXTERN __imp_RtlVirtualUnwind:NEAR + +ALIGN 16 +ssse3_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[120+r8] + mov rbx,QWORD PTR[248+r8] + + mov rsi,QWORD PTR[8+r9] + mov r11,QWORD PTR[56+r9] + + mov r10d,DWORD PTR[r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jb $L$common_seh_tail + + mov rax,QWORD PTR[152+r8] + + mov r10d,DWORD PTR[4+r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jae $L$common_seh_tail + + lea rsi,QWORD PTR[96+rax] + lea rdi,QWORD PTR[512+r8] + mov ecx,20 + DD 0a548f3fch + lea rax,QWORD PTR[264+rax] + + mov r15,QWORD PTR[rax] + mov r14,QWORD PTR[8+rax] + mov r13,QWORD PTR[16+rax] + mov r12,QWORD PTR[24+rax] + mov rbp,QWORD PTR[32+rax] + mov rbx,QWORD PTR[40+rax] + lea rax,QWORD PTR[48+rax] + mov QWORD PTR[144+r8],rbx + mov QWORD PTR[160+r8],rbp + mov QWORD PTR[216+r8],r12 
+ mov QWORD PTR[224+r8],r13 + mov QWORD PTR[232+r8],r14 + mov QWORD PTR[240+r8],r15 + +$L$common_seh_tail:: + mov rdi,QWORD PTR[8+rax] + mov rsi,QWORD PTR[16+rax] + mov QWORD PTR[152+r8],rax + mov QWORD PTR[168+r8],rsi + mov QWORD PTR[176+r8],rdi + + mov rdi,QWORD PTR[40+r9] + mov rsi,r8 + mov ecx,154 + DD 0a548f3fch + + mov rsi,r9 + xor rcx,rcx + mov rdx,QWORD PTR[8+rsi] + mov r8,QWORD PTR[rsi] + mov r9,QWORD PTR[16+rsi] + mov r10,QWORD PTR[40+rsi] + lea r11,QWORD PTR[56+rsi] + lea r12,QWORD PTR[24+rsi] + mov QWORD PTR[32+rsp],r10 + mov QWORD PTR[40+rsp],r11 + mov QWORD PTR[48+rsp],r12 + mov QWORD PTR[56+rsp],rcx + call QWORD PTR[__imp_RtlVirtualUnwind] + + mov eax,1 + add rsp,64 + popfq + pop r15 + pop r14 + pop r13 + pop r12 + pop rbp + pop rbx + pop rdi + pop rsi + DB 0F3h,0C3h ;repret +ssse3_handler ENDP + +.text$ ENDS +.pdata SEGMENT READONLY ALIGN(4) +ALIGN 4 + DD imagerel $L$SEH_begin_aesni_cbc_sha1_enc_ssse3 + DD imagerel $L$SEH_end_aesni_cbc_sha1_enc_ssse3 + DD imagerel $L$SEH_info_aesni_cbc_sha1_enc_ssse3 +.pdata ENDS +.xdata SEGMENT READONLY ALIGN(8) +ALIGN 8 +$L$SEH_info_aesni_cbc_sha1_enc_ssse3:: +DB 9,0,0,0 + DD imagerel ssse3_handler + DD imagerel $L$prologue_ssse3,imagerel $L$epilogue_ssse3 + +.xdata ENDS +END + diff --git a/crypto/aes/aesni-sha1-mingw64-x86_64.S b/crypto/aes/aesni-sha1-mingw64-x86_64.S new file mode 100644 index 0000000..c7a2d5c --- /dev/null +++ b/crypto/aes/aesni-sha1-mingw64-x86_64.S 
@@ -0,0 +1,1536 @@ +#include "x86_arch.h" +.text + + + +.globl aesni_cbc_sha1_enc +.def aesni_cbc_sha1_enc; .scl 2; .type 32; .endef +.p2align 4 +aesni_cbc_sha1_enc: + + movl OPENSSL_ia32cap_P+0(%rip),%r10d + movl OPENSSL_ia32cap_P+4(%rip),%r11d + jmp aesni_cbc_sha1_enc_ssse3 + retq + +.def aesni_cbc_sha1_enc_ssse3; .scl 3; .type 32; .endef +.p2align 4 +aesni_cbc_sha1_enc_ssse3: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_aesni_cbc_sha1_enc_ssse3: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + movq 40(%rsp),%r8 + movq 48(%rsp),%r9 + + movq 56(%rsp),%r10 + + + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + leaq -264(%rsp),%rsp + + + movaps %xmm6,96+0(%rsp) + movaps %xmm7,96+16(%rsp) + movaps %xmm8,96+32(%rsp) + movaps %xmm9,96+48(%rsp) + movaps %xmm10,96+64(%rsp) + movaps %xmm11,96+80(%rsp) + movaps %xmm12,96+96(%rsp) + movaps %xmm13,96+112(%rsp) + movaps %xmm14,96+128(%rsp) + movaps %xmm15,96+144(%rsp) +.Lprologue_ssse3: + movq %rdi,%r12 + movq %rsi,%r13 + movq %rdx,%r14 + movq %rcx,%r15 + movdqu (%r8),%xmm11 + movq %r8,88(%rsp) + shlq $6,%r14 + subq %r12,%r13 + movl 240(%r15),%r8d + addq %r10,%r14 + + leaq K_XX_XX(%rip),%r11 + movl 0(%r9),%eax + movl 4(%r9),%ebx + movl 8(%r9),%ecx + movl 12(%r9),%edx + movl %ebx,%esi + movl 16(%r9),%ebp + + movdqa 64(%r11),%xmm6 + movdqa 0(%r11),%xmm9 + movdqu 0(%r10),%xmm0 + movdqu 16(%r10),%xmm1 + movdqu 32(%r10),%xmm2 + movdqu 48(%r10),%xmm3 +.byte 102,15,56,0,198 + addq $64,%r10 +.byte 102,15,56,0,206 +.byte 102,15,56,0,214 +.byte 102,15,56,0,222 + paddd %xmm9,%xmm0 + paddd %xmm9,%xmm1 + paddd %xmm9,%xmm2 + movdqa %xmm0,0(%rsp) + psubd %xmm9,%xmm0 + movdqa %xmm1,16(%rsp) + psubd %xmm9,%xmm1 + movdqa %xmm2,32(%rsp) + psubd %xmm9,%xmm2 + movups (%r15),%xmm13 + movups 16(%r15),%xmm14 + jmp .Loop_ssse3 +.p2align 4 +.Loop_ssse3: + movdqa %xmm1,%xmm4 + addl 0(%rsp),%ebp + movups 0(%r12),%xmm12 + xorps %xmm13,%xmm12 + xorps %xmm12,%xmm11 + aesenc 
%xmm14,%xmm11 + movups 32(%r15),%xmm15 + xorl %edx,%ecx + movdqa %xmm3,%xmm8 +.byte 102,15,58,15,224,8 + movl %eax,%edi + roll $5,%eax + paddd %xmm3,%xmm9 + andl %ecx,%esi + xorl %edx,%ecx + psrldq $4,%xmm8 + xorl %edx,%esi + addl %eax,%ebp + pxor %xmm0,%xmm4 + rorl $2,%ebx + addl %esi,%ebp + pxor %xmm2,%xmm8 + addl 4(%rsp),%edx + xorl %ecx,%ebx + movl %ebp,%esi + roll $5,%ebp + pxor %xmm8,%xmm4 + andl %ebx,%edi + xorl %ecx,%ebx + movdqa %xmm9,48(%rsp) + xorl %ecx,%edi + aesenc %xmm15,%xmm11 + movups 48(%r15),%xmm14 + addl %ebp,%edx + movdqa %xmm4,%xmm10 + movdqa %xmm4,%xmm8 + rorl $7,%eax + addl %edi,%edx + addl 8(%rsp),%ecx + xorl %ebx,%eax + pslldq $12,%xmm10 + paddd %xmm4,%xmm4 + movl %edx,%edi + roll $5,%edx + andl %eax,%esi + xorl %ebx,%eax + psrld $31,%xmm8 + xorl %ebx,%esi + addl %edx,%ecx + movdqa %xmm10,%xmm9 + rorl $7,%ebp + addl %esi,%ecx + psrld $30,%xmm10 + por %xmm8,%xmm4 + addl 12(%rsp),%ebx + xorl %eax,%ebp + movl %ecx,%esi + roll $5,%ecx + aesenc %xmm14,%xmm11 + movups 64(%r15),%xmm15 + pslld $2,%xmm9 + pxor %xmm10,%xmm4 + andl %ebp,%edi + xorl %eax,%ebp + movdqa 0(%r11),%xmm10 + xorl %eax,%edi + addl %ecx,%ebx + pxor %xmm9,%xmm4 + rorl $7,%edx + addl %edi,%ebx + movdqa %xmm2,%xmm5 + addl 16(%rsp),%eax + xorl %ebp,%edx + movdqa %xmm4,%xmm9 +.byte 102,15,58,15,233,8 + movl %ebx,%edi + roll $5,%ebx + paddd %xmm4,%xmm10 + andl %edx,%esi + xorl %ebp,%edx + psrldq $4,%xmm9 + xorl %ebp,%esi + addl %ebx,%eax + pxor %xmm1,%xmm5 + rorl $7,%ecx + addl %esi,%eax + pxor %xmm3,%xmm9 + addl 20(%rsp),%ebp + aesenc %xmm15,%xmm11 + movups 80(%r15),%xmm14 + xorl %edx,%ecx + movl %eax,%esi + roll $5,%eax + pxor %xmm9,%xmm5 + andl %ecx,%edi + xorl %edx,%ecx + movdqa %xmm10,0(%rsp) + xorl %edx,%edi + addl %eax,%ebp + movdqa %xmm5,%xmm8 + movdqa %xmm5,%xmm9 + rorl $7,%ebx + addl %edi,%ebp + addl 24(%rsp),%edx + xorl %ecx,%ebx + pslldq $12,%xmm8 + paddd %xmm5,%xmm5 + movl %ebp,%edi + roll $5,%ebp + andl %ebx,%esi + xorl %ecx,%ebx + psrld $31,%xmm9 + xorl %ecx,%esi + 
aesenc %xmm14,%xmm11 + movups 96(%r15),%xmm15 + addl %ebp,%edx + movdqa %xmm8,%xmm10 + rorl $7,%eax + addl %esi,%edx + psrld $30,%xmm8 + por %xmm9,%xmm5 + addl 28(%rsp),%ecx + xorl %ebx,%eax + movl %edx,%esi + roll $5,%edx + pslld $2,%xmm10 + pxor %xmm8,%xmm5 + andl %eax,%edi + xorl %ebx,%eax + movdqa 16(%r11),%xmm8 + xorl %ebx,%edi + addl %edx,%ecx + pxor %xmm10,%xmm5 + rorl $7,%ebp + addl %edi,%ecx + movdqa %xmm3,%xmm6 + addl 32(%rsp),%ebx + xorl %eax,%ebp + movdqa %xmm5,%xmm10 +.byte 102,15,58,15,242,8 + movl %ecx,%edi + roll $5,%ecx + aesenc %xmm15,%xmm11 + movups 112(%r15),%xmm14 + paddd %xmm5,%xmm8 + andl %ebp,%esi + xorl %eax,%ebp + psrldq $4,%xmm10 + xorl %eax,%esi + addl %ecx,%ebx + pxor %xmm2,%xmm6 + rorl $7,%edx + addl %esi,%ebx + pxor %xmm4,%xmm10 + addl 36(%rsp),%eax + xorl %ebp,%edx + movl %ebx,%esi + roll $5,%ebx + pxor %xmm10,%xmm6 + andl %edx,%edi + xorl %ebp,%edx + movdqa %xmm8,16(%rsp) + xorl %ebp,%edi + addl %ebx,%eax + movdqa %xmm6,%xmm9 + movdqa %xmm6,%xmm10 + rorl $7,%ecx + addl %edi,%eax + addl 40(%rsp),%ebp + aesenc %xmm14,%xmm11 + movups 128(%r15),%xmm15 + xorl %edx,%ecx + pslldq $12,%xmm9 + paddd %xmm6,%xmm6 + movl %eax,%edi + roll $5,%eax + andl %ecx,%esi + xorl %edx,%ecx + psrld $31,%xmm10 + xorl %edx,%esi + addl %eax,%ebp + movdqa %xmm9,%xmm8 + rorl $7,%ebx + addl %esi,%ebp + psrld $30,%xmm9 + por %xmm10,%xmm6 + addl 44(%rsp),%edx + xorl %ecx,%ebx + movl %ebp,%esi + roll $5,%ebp + pslld $2,%xmm8 + pxor %xmm9,%xmm6 + andl %ebx,%edi + xorl %ecx,%ebx + movdqa 16(%r11),%xmm9 + xorl %ecx,%edi + aesenc %xmm15,%xmm11 + movups 144(%r15),%xmm14 + addl %ebp,%edx + pxor %xmm8,%xmm6 + rorl $7,%eax + addl %edi,%edx + movdqa %xmm4,%xmm7 + addl 48(%rsp),%ecx + xorl %ebx,%eax + movdqa %xmm6,%xmm8 +.byte 102,15,58,15,251,8 + movl %edx,%edi + roll $5,%edx + paddd %xmm6,%xmm9 + andl %eax,%esi + xorl %ebx,%eax + psrldq $4,%xmm8 + xorl %ebx,%esi + addl %edx,%ecx + pxor %xmm3,%xmm7 + rorl $7,%ebp + addl %esi,%ecx + pxor %xmm5,%xmm8 + addl 52(%rsp),%ebx + 
xorl %eax,%ebp + movl %ecx,%esi + roll $5,%ecx + aesenc %xmm14,%xmm11 + movups 160(%r15),%xmm15 + pxor %xmm8,%xmm7 + andl %ebp,%edi + xorl %eax,%ebp + movdqa %xmm9,32(%rsp) + xorl %eax,%edi + addl %ecx,%ebx + movdqa %xmm7,%xmm10 + movdqa %xmm7,%xmm8 + rorl $7,%edx + addl %edi,%ebx + addl 56(%rsp),%eax + xorl %ebp,%edx + pslldq $12,%xmm10 + paddd %xmm7,%xmm7 + movl %ebx,%edi + roll $5,%ebx + andl %edx,%esi + xorl %ebp,%edx + psrld $31,%xmm8 + xorl %ebp,%esi + addl %ebx,%eax + movdqa %xmm10,%xmm9 + rorl $7,%ecx + addl %esi,%eax + psrld $30,%xmm10 + por %xmm8,%xmm7 + addl 60(%rsp),%ebp + cmpl $11,%r8d + jb .Laesenclast1 + movups 176(%r15),%xmm14 + aesenc %xmm15,%xmm11 + movups 192(%r15),%xmm15 + aesenc %xmm14,%xmm11 + je .Laesenclast1 + movups 208(%r15),%xmm14 + aesenc %xmm15,%xmm11 + movups 224(%r15),%xmm15 + aesenc %xmm14,%xmm11 +.Laesenclast1: + aesenclast %xmm15,%xmm11 + movups 16(%r15),%xmm14 + xorl %edx,%ecx + movl %eax,%esi + roll $5,%eax + pslld $2,%xmm9 + pxor %xmm10,%xmm7 + andl %ecx,%edi + xorl %edx,%ecx + movdqa 16(%r11),%xmm10 + xorl %edx,%edi + addl %eax,%ebp + pxor %xmm9,%xmm7 + rorl $7,%ebx + addl %edi,%ebp + movdqa %xmm7,%xmm9 + addl 0(%rsp),%edx + pxor %xmm4,%xmm0 +.byte 102,68,15,58,15,206,8 + xorl %ecx,%ebx + movl %ebp,%edi + roll $5,%ebp + pxor %xmm1,%xmm0 + andl %ebx,%esi + xorl %ecx,%ebx + movdqa %xmm10,%xmm8 + paddd %xmm7,%xmm10 + xorl %ecx,%esi + movups 16(%r12),%xmm12 + xorps %xmm13,%xmm12 + movups %xmm11,0(%r13,%r12,1) + xorps %xmm12,%xmm11 + aesenc %xmm14,%xmm11 + movups 32(%r15),%xmm15 + addl %ebp,%edx + pxor %xmm9,%xmm0 + rorl $7,%eax + addl %esi,%edx + addl 4(%rsp),%ecx + xorl %ebx,%eax + movdqa %xmm0,%xmm9 + movdqa %xmm10,48(%rsp) + movl %edx,%esi + roll $5,%edx + andl %eax,%edi + xorl %ebx,%eax + pslld $2,%xmm0 + xorl %ebx,%edi + addl %edx,%ecx + psrld $30,%xmm9 + rorl $7,%ebp + addl %edi,%ecx + addl 8(%rsp),%ebx + xorl %eax,%ebp + movl %ecx,%edi + roll $5,%ecx + aesenc %xmm15,%xmm11 + movups 48(%r15),%xmm14 + por %xmm9,%xmm0 + andl 
%ebp,%esi + xorl %eax,%ebp + movdqa %xmm0,%xmm10 + xorl %eax,%esi + addl %ecx,%ebx + rorl $7,%edx + addl %esi,%ebx + addl 12(%rsp),%eax + xorl %ebp,%edx + movl %ebx,%esi + roll $5,%ebx + andl %edx,%edi + xorl %ebp,%edx + xorl %ebp,%edi + addl %ebx,%eax + rorl $7,%ecx + addl %edi,%eax + addl 16(%rsp),%ebp + aesenc %xmm14,%xmm11 + movups 64(%r15),%xmm15 + pxor %xmm5,%xmm1 +.byte 102,68,15,58,15,215,8 + xorl %edx,%esi + movl %eax,%edi + roll $5,%eax + pxor %xmm2,%xmm1 + xorl %ecx,%esi + addl %eax,%ebp + movdqa %xmm8,%xmm9 + paddd %xmm0,%xmm8 + rorl $7,%ebx + addl %esi,%ebp + pxor %xmm10,%xmm1 + addl 20(%rsp),%edx + xorl %ecx,%edi + movl %ebp,%esi + roll $5,%ebp + movdqa %xmm1,%xmm10 + movdqa %xmm8,0(%rsp) + xorl %ebx,%edi + addl %ebp,%edx + rorl $7,%eax + addl %edi,%edx + pslld $2,%xmm1 + addl 24(%rsp),%ecx + xorl %ebx,%esi + psrld $30,%xmm10 + movl %edx,%edi + roll $5,%edx + xorl %eax,%esi + aesenc %xmm15,%xmm11 + movups 80(%r15),%xmm14 + addl %edx,%ecx + rorl $7,%ebp + addl %esi,%ecx + por %xmm10,%xmm1 + addl 28(%rsp),%ebx + xorl %eax,%edi + movdqa %xmm1,%xmm8 + movl %ecx,%esi + roll $5,%ecx + xorl %ebp,%edi + addl %ecx,%ebx + rorl $7,%edx + addl %edi,%ebx + addl 32(%rsp),%eax + pxor %xmm6,%xmm2 +.byte 102,68,15,58,15,192,8 + xorl %ebp,%esi + movl %ebx,%edi + roll $5,%ebx + pxor %xmm3,%xmm2 + xorl %edx,%esi + addl %ebx,%eax + movdqa 32(%r11),%xmm10 + paddd %xmm1,%xmm9 + rorl $7,%ecx + addl %esi,%eax + pxor %xmm8,%xmm2 + addl 36(%rsp),%ebp + aesenc %xmm14,%xmm11 + movups 96(%r15),%xmm15 + xorl %edx,%edi + movl %eax,%esi + roll $5,%eax + movdqa %xmm2,%xmm8 + movdqa %xmm9,16(%rsp) + xorl %ecx,%edi + addl %eax,%ebp + rorl $7,%ebx + addl %edi,%ebp + pslld $2,%xmm2 + addl 40(%rsp),%edx + xorl %ecx,%esi + psrld $30,%xmm8 + movl %ebp,%edi + roll $5,%ebp + xorl %ebx,%esi + addl %ebp,%edx + rorl $7,%eax + addl %esi,%edx + por %xmm8,%xmm2 + addl 44(%rsp),%ecx + xorl %ebx,%edi + movdqa %xmm2,%xmm9 + movl %edx,%esi + roll $5,%edx + xorl %eax,%edi + aesenc %xmm15,%xmm11 + movups 
112(%r15),%xmm14 + addl %edx,%ecx + rorl $7,%ebp + addl %edi,%ecx + addl 48(%rsp),%ebx + pxor %xmm7,%xmm3 +.byte 102,68,15,58,15,201,8 + xorl %eax,%esi + movl %ecx,%edi + roll $5,%ecx + pxor %xmm4,%xmm3 + xorl %ebp,%esi + addl %ecx,%ebx + movdqa %xmm10,%xmm8 + paddd %xmm2,%xmm10 + rorl $7,%edx + addl %esi,%ebx + pxor %xmm9,%xmm3 + addl 52(%rsp),%eax + xorl %ebp,%edi + movl %ebx,%esi + roll $5,%ebx + movdqa %xmm3,%xmm9 + movdqa %xmm10,32(%rsp) + xorl %edx,%edi + addl %ebx,%eax + rorl $7,%ecx + addl %edi,%eax + pslld $2,%xmm3 + addl 56(%rsp),%ebp + aesenc %xmm14,%xmm11 + movups 128(%r15),%xmm15 + xorl %edx,%esi + psrld $30,%xmm9 + movl %eax,%edi + roll $5,%eax + xorl %ecx,%esi + addl %eax,%ebp + rorl $7,%ebx + addl %esi,%ebp + por %xmm9,%xmm3 + addl 60(%rsp),%edx + xorl %ecx,%edi + movdqa %xmm3,%xmm10 + movl %ebp,%esi + roll $5,%ebp + xorl %ebx,%edi + addl %ebp,%edx + rorl $7,%eax + addl %edi,%edx + addl 0(%rsp),%ecx + pxor %xmm0,%xmm4 +.byte 102,68,15,58,15,210,8 + xorl %ebx,%esi + movl %edx,%edi + roll $5,%edx + pxor %xmm5,%xmm4 + xorl %eax,%esi + aesenc %xmm15,%xmm11 + movups 144(%r15),%xmm14 + addl %edx,%ecx + movdqa %xmm8,%xmm9 + paddd %xmm3,%xmm8 + rorl $7,%ebp + addl %esi,%ecx + pxor %xmm10,%xmm4 + addl 4(%rsp),%ebx + xorl %eax,%edi + movl %ecx,%esi + roll $5,%ecx + movdqa %xmm4,%xmm10 + movdqa %xmm8,48(%rsp) + xorl %ebp,%edi + addl %ecx,%ebx + rorl $7,%edx + addl %edi,%ebx + pslld $2,%xmm4 + addl 8(%rsp),%eax + xorl %ebp,%esi + psrld $30,%xmm10 + movl %ebx,%edi + roll $5,%ebx + xorl %edx,%esi + addl %ebx,%eax + rorl $7,%ecx + addl %esi,%eax + por %xmm10,%xmm4 + addl 12(%rsp),%ebp + aesenc %xmm14,%xmm11 + movups 160(%r15),%xmm15 + xorl %edx,%edi + movdqa %xmm4,%xmm8 + movl %eax,%esi + roll $5,%eax + xorl %ecx,%edi + addl %eax,%ebp + rorl $7,%ebx + addl %edi,%ebp + addl 16(%rsp),%edx + pxor %xmm1,%xmm5 +.byte 102,68,15,58,15,195,8 + xorl %ecx,%esi + movl %ebp,%edi + roll $5,%ebp + pxor %xmm6,%xmm5 + xorl %ebx,%esi + addl %ebp,%edx + movdqa %xmm9,%xmm10 + paddd 
%xmm4,%xmm9 + rorl $7,%eax + addl %esi,%edx + pxor %xmm8,%xmm5 + addl 20(%rsp),%ecx + xorl %ebx,%edi + movl %edx,%esi + roll $5,%edx + movdqa %xmm5,%xmm8 + movdqa %xmm9,0(%rsp) + xorl %eax,%edi + cmpl $11,%r8d + jb .Laesenclast2 + movups 176(%r15),%xmm14 + aesenc %xmm15,%xmm11 + movups 192(%r15),%xmm15 + aesenc %xmm14,%xmm11 + je .Laesenclast2 + movups 208(%r15),%xmm14 + aesenc %xmm15,%xmm11 + movups 224(%r15),%xmm15 + aesenc %xmm14,%xmm11 +.Laesenclast2: + aesenclast %xmm15,%xmm11 + movups 16(%r15),%xmm14 + addl %edx,%ecx + rorl $7,%ebp + addl %edi,%ecx + pslld $2,%xmm5 + addl 24(%rsp),%ebx + xorl %eax,%esi + psrld $30,%xmm8 + movl %ecx,%edi + roll $5,%ecx + xorl %ebp,%esi + addl %ecx,%ebx + rorl $7,%edx + addl %esi,%ebx + por %xmm8,%xmm5 + addl 28(%rsp),%eax + xorl %ebp,%edi + movdqa %xmm5,%xmm9 + movl %ebx,%esi + roll $5,%ebx + xorl %edx,%edi + addl %ebx,%eax + rorl $7,%ecx + addl %edi,%eax + movl %ecx,%edi + movups 32(%r12),%xmm12 + xorps %xmm13,%xmm12 + movups %xmm11,16(%r13,%r12,1) + xorps %xmm12,%xmm11 + aesenc %xmm14,%xmm11 + movups 32(%r15),%xmm15 + pxor %xmm2,%xmm6 +.byte 102,68,15,58,15,204,8 + xorl %edx,%ecx + addl 32(%rsp),%ebp + andl %edx,%edi + pxor %xmm7,%xmm6 + andl %ecx,%esi + rorl $7,%ebx + movdqa %xmm10,%xmm8 + paddd %xmm5,%xmm10 + addl %edi,%ebp + movl %eax,%edi + pxor %xmm9,%xmm6 + roll $5,%eax + addl %esi,%ebp + xorl %edx,%ecx + addl %eax,%ebp + movdqa %xmm6,%xmm9 + movdqa %xmm10,16(%rsp) + movl %ebx,%esi + xorl %ecx,%ebx + addl 36(%rsp),%edx + andl %ecx,%esi + pslld $2,%xmm6 + andl %ebx,%edi + rorl $7,%eax + psrld $30,%xmm9 + addl %esi,%edx + movl %ebp,%esi + roll $5,%ebp + aesenc %xmm15,%xmm11 + movups 48(%r15),%xmm14 + addl %edi,%edx + xorl %ecx,%ebx + addl %ebp,%edx + por %xmm9,%xmm6 + movl %eax,%edi + xorl %ebx,%eax + movdqa %xmm6,%xmm10 + addl 40(%rsp),%ecx + andl %ebx,%edi + andl %eax,%esi + rorl $7,%ebp + addl %edi,%ecx + movl %edx,%edi + roll $5,%edx + addl %esi,%ecx + xorl %ebx,%eax + addl %edx,%ecx + movl %ebp,%esi + xorl %eax,%ebp 
+ addl 44(%rsp),%ebx + andl %eax,%esi + andl %ebp,%edi + aesenc %xmm14,%xmm11 + movups 64(%r15),%xmm15 + rorl $7,%edx + addl %esi,%ebx + movl %ecx,%esi + roll $5,%ecx + addl %edi,%ebx + xorl %eax,%ebp + addl %ecx,%ebx + movl %edx,%edi + pxor %xmm3,%xmm7 +.byte 102,68,15,58,15,213,8 + xorl %ebp,%edx + addl 48(%rsp),%eax + andl %ebp,%edi + pxor %xmm0,%xmm7 + andl %edx,%esi + rorl $7,%ecx + movdqa 48(%r11),%xmm9 + paddd %xmm6,%xmm8 + addl %edi,%eax + movl %ebx,%edi + pxor %xmm10,%xmm7 + roll $5,%ebx + addl %esi,%eax + xorl %ebp,%edx + addl %ebx,%eax + movdqa %xmm7,%xmm10 + movdqa %xmm8,32(%rsp) + movl %ecx,%esi + aesenc %xmm15,%xmm11 + movups 80(%r15),%xmm14 + xorl %edx,%ecx + addl 52(%rsp),%ebp + andl %edx,%esi + pslld $2,%xmm7 + andl %ecx,%edi + rorl $7,%ebx + psrld $30,%xmm10 + addl %esi,%ebp + movl %eax,%esi + roll $5,%eax + addl %edi,%ebp + xorl %edx,%ecx + addl %eax,%ebp + por %xmm10,%xmm7 + movl %ebx,%edi + xorl %ecx,%ebx + movdqa %xmm7,%xmm8 + addl 56(%rsp),%edx + andl %ecx,%edi + andl %ebx,%esi + rorl $7,%eax + addl %edi,%edx + movl %ebp,%edi + roll $5,%ebp + aesenc %xmm14,%xmm11 + movups 96(%r15),%xmm15 + addl %esi,%edx + xorl %ecx,%ebx + addl %ebp,%edx + movl %eax,%esi + xorl %ebx,%eax + addl 60(%rsp),%ecx + andl %ebx,%esi + andl %eax,%edi + rorl $7,%ebp + addl %esi,%ecx + movl %edx,%esi + roll $5,%edx + addl %edi,%ecx + xorl %ebx,%eax + addl %edx,%ecx + movl %ebp,%edi + pxor %xmm4,%xmm0 +.byte 102,68,15,58,15,198,8 + xorl %eax,%ebp + addl 0(%rsp),%ebx + andl %eax,%edi + pxor %xmm1,%xmm0 + andl %ebp,%esi + aesenc %xmm15,%xmm11 + movups 112(%r15),%xmm14 + rorl $7,%edx + movdqa %xmm9,%xmm10 + paddd %xmm7,%xmm9 + addl %edi,%ebx + movl %ecx,%edi + pxor %xmm8,%xmm0 + roll $5,%ecx + addl %esi,%ebx + xorl %eax,%ebp + addl %ecx,%ebx + movdqa %xmm0,%xmm8 + movdqa %xmm9,48(%rsp) + movl %edx,%esi + xorl %ebp,%edx + addl 4(%rsp),%eax + andl %ebp,%esi + pslld $2,%xmm0 + andl %edx,%edi + rorl $7,%ecx + psrld $30,%xmm8 + addl %esi,%eax + movl %ebx,%esi + roll $5,%ebx + 
addl %edi,%eax + xorl %ebp,%edx + addl %ebx,%eax + por %xmm8,%xmm0 + movl %ecx,%edi + aesenc %xmm14,%xmm11 + movups 128(%r15),%xmm15 + xorl %edx,%ecx + movdqa %xmm0,%xmm9 + addl 8(%rsp),%ebp + andl %edx,%edi + andl %ecx,%esi + rorl $7,%ebx + addl %edi,%ebp + movl %eax,%edi + roll $5,%eax + addl %esi,%ebp + xorl %edx,%ecx + addl %eax,%ebp + movl %ebx,%esi + xorl %ecx,%ebx + addl 12(%rsp),%edx + andl %ecx,%esi + andl %ebx,%edi + rorl $7,%eax + addl %esi,%edx + movl %ebp,%esi + roll $5,%ebp + aesenc %xmm15,%xmm11 + movups 144(%r15),%xmm14 + addl %edi,%edx + xorl %ecx,%ebx + addl %ebp,%edx + movl %eax,%edi + pxor %xmm5,%xmm1 +.byte 102,68,15,58,15,207,8 + xorl %ebx,%eax + addl 16(%rsp),%ecx + andl %ebx,%edi + pxor %xmm2,%xmm1 + andl %eax,%esi + rorl $7,%ebp + movdqa %xmm10,%xmm8 + paddd %xmm0,%xmm10 + addl %edi,%ecx + movl %edx,%edi + pxor %xmm9,%xmm1 + roll $5,%edx + addl %esi,%ecx + xorl %ebx,%eax + addl %edx,%ecx + movdqa %xmm1,%xmm9 + movdqa %xmm10,0(%rsp) + movl %ebp,%esi + xorl %eax,%ebp + addl 20(%rsp),%ebx + andl %eax,%esi + pslld $2,%xmm1 + andl %ebp,%edi + aesenc %xmm14,%xmm11 + movups 160(%r15),%xmm15 + rorl $7,%edx + psrld $30,%xmm9 + addl %esi,%ebx + movl %ecx,%esi + roll $5,%ecx + addl %edi,%ebx + xorl %eax,%ebp + addl %ecx,%ebx + por %xmm9,%xmm1 + movl %edx,%edi + xorl %ebp,%edx + movdqa %xmm1,%xmm10 + addl 24(%rsp),%eax + andl %ebp,%edi + andl %edx,%esi + rorl $7,%ecx + addl %edi,%eax + movl %ebx,%edi + roll $5,%ebx + addl %esi,%eax + xorl %ebp,%edx + addl %ebx,%eax + movl %ecx,%esi + cmpl $11,%r8d + jb .Laesenclast3 + movups 176(%r15),%xmm14 + aesenc %xmm15,%xmm11 + movups 192(%r15),%xmm15 + aesenc %xmm14,%xmm11 + je .Laesenclast3 + movups 208(%r15),%xmm14 + aesenc %xmm15,%xmm11 + movups 224(%r15),%xmm15 + aesenc %xmm14,%xmm11 +.Laesenclast3: + aesenclast %xmm15,%xmm11 + movups 16(%r15),%xmm14 + xorl %edx,%ecx + addl 28(%rsp),%ebp + andl %edx,%esi + andl %ecx,%edi + rorl $7,%ebx + addl %esi,%ebp + movl %eax,%esi + roll $5,%eax + addl %edi,%ebp + xorl 
%edx,%ecx + addl %eax,%ebp + movl %ebx,%edi + pxor %xmm6,%xmm2 +.byte 102,68,15,58,15,208,8 + xorl %ecx,%ebx + addl 32(%rsp),%edx + andl %ecx,%edi + pxor %xmm3,%xmm2 + andl %ebx,%esi + rorl $7,%eax + movdqa %xmm8,%xmm9 + paddd %xmm1,%xmm8 + addl %edi,%edx + movl %ebp,%edi + pxor %xmm10,%xmm2 + roll $5,%ebp + movups 48(%r12),%xmm12 + xorps %xmm13,%xmm12 + movups %xmm11,32(%r13,%r12,1) + xorps %xmm12,%xmm11 + aesenc %xmm14,%xmm11 + movups 32(%r15),%xmm15 + addl %esi,%edx + xorl %ecx,%ebx + addl %ebp,%edx + movdqa %xmm2,%xmm10 + movdqa %xmm8,16(%rsp) + movl %eax,%esi + xorl %ebx,%eax + addl 36(%rsp),%ecx + andl %ebx,%esi + pslld $2,%xmm2 + andl %eax,%edi + rorl $7,%ebp + psrld $30,%xmm10 + addl %esi,%ecx + movl %edx,%esi + roll $5,%edx + addl %edi,%ecx + xorl %ebx,%eax + addl %edx,%ecx + por %xmm10,%xmm2 + movl %ebp,%edi + xorl %eax,%ebp + movdqa %xmm2,%xmm8 + addl 40(%rsp),%ebx + andl %eax,%edi + andl %ebp,%esi + aesenc %xmm15,%xmm11 + movups 48(%r15),%xmm14 + rorl $7,%edx + addl %edi,%ebx + movl %ecx,%edi + roll $5,%ecx + addl %esi,%ebx + xorl %eax,%ebp + addl %ecx,%ebx + movl %edx,%esi + xorl %ebp,%edx + addl 44(%rsp),%eax + andl %ebp,%esi + andl %edx,%edi + rorl $7,%ecx + addl %esi,%eax + movl %ebx,%esi + roll $5,%ebx + addl %edi,%eax + xorl %ebp,%edx + addl %ebx,%eax + addl 48(%rsp),%ebp + aesenc %xmm14,%xmm11 + movups 64(%r15),%xmm15 + pxor %xmm7,%xmm3 +.byte 102,68,15,58,15,193,8 + xorl %edx,%esi + movl %eax,%edi + roll $5,%eax + pxor %xmm4,%xmm3 + xorl %ecx,%esi + addl %eax,%ebp + movdqa %xmm9,%xmm10 + paddd %xmm2,%xmm9 + rorl $7,%ebx + addl %esi,%ebp + pxor %xmm8,%xmm3 + addl 52(%rsp),%edx + xorl %ecx,%edi + movl %ebp,%esi + roll $5,%ebp + movdqa %xmm3,%xmm8 + movdqa %xmm9,32(%rsp) + xorl %ebx,%edi + addl %ebp,%edx + rorl $7,%eax + addl %edi,%edx + pslld $2,%xmm3 + addl 56(%rsp),%ecx + xorl %ebx,%esi + psrld $30,%xmm8 + movl %edx,%edi + roll $5,%edx + xorl %eax,%esi + aesenc %xmm15,%xmm11 + movups 80(%r15),%xmm14 + addl %edx,%ecx + rorl $7,%ebp + addl 
%esi,%ecx + por %xmm8,%xmm3 + addl 60(%rsp),%ebx + xorl %eax,%edi + movl %ecx,%esi + roll $5,%ecx + xorl %ebp,%edi + addl %ecx,%ebx + rorl $7,%edx + addl %edi,%ebx + addl 0(%rsp),%eax + paddd %xmm3,%xmm10 + xorl %ebp,%esi + movl %ebx,%edi + roll $5,%ebx + xorl %edx,%esi + movdqa %xmm10,48(%rsp) + addl %ebx,%eax + rorl $7,%ecx + addl %esi,%eax + addl 4(%rsp),%ebp + aesenc %xmm14,%xmm11 + movups 96(%r15),%xmm15 + xorl %edx,%edi + movl %eax,%esi + roll $5,%eax + xorl %ecx,%edi + addl %eax,%ebp + rorl $7,%ebx + addl %edi,%ebp + addl 8(%rsp),%edx + xorl %ecx,%esi + movl %ebp,%edi + roll $5,%ebp + xorl %ebx,%esi + addl %ebp,%edx + rorl $7,%eax + addl %esi,%edx + addl 12(%rsp),%ecx + xorl %ebx,%edi + movl %edx,%esi + roll $5,%edx + xorl %eax,%edi + aesenc %xmm15,%xmm11 + movups 112(%r15),%xmm14 + addl %edx,%ecx + rorl $7,%ebp + addl %edi,%ecx + cmpq %r14,%r10 + je .Ldone_ssse3 + movdqa 64(%r11),%xmm6 + movdqa 0(%r11),%xmm9 + movdqu 0(%r10),%xmm0 + movdqu 16(%r10),%xmm1 + movdqu 32(%r10),%xmm2 + movdqu 48(%r10),%xmm3 +.byte 102,15,56,0,198 + addq $64,%r10 + addl 16(%rsp),%ebx + xorl %eax,%esi +.byte 102,15,56,0,206 + movl %ecx,%edi + roll $5,%ecx + paddd %xmm9,%xmm0 + xorl %ebp,%esi + addl %ecx,%ebx + rorl $7,%edx + addl %esi,%ebx + movdqa %xmm0,0(%rsp) + addl 20(%rsp),%eax + xorl %ebp,%edi + psubd %xmm9,%xmm0 + movl %ebx,%esi + roll $5,%ebx + xorl %edx,%edi + addl %ebx,%eax + rorl $7,%ecx + addl %edi,%eax + addl 24(%rsp),%ebp + aesenc %xmm14,%xmm11 + movups 128(%r15),%xmm15 + xorl %edx,%esi + movl %eax,%edi + roll $5,%eax + xorl %ecx,%esi + addl %eax,%ebp + rorl $7,%ebx + addl %esi,%ebp + addl 28(%rsp),%edx + xorl %ecx,%edi + movl %ebp,%esi + roll $5,%ebp + xorl %ebx,%edi + addl %ebp,%edx + rorl $7,%eax + addl %edi,%edx + addl 32(%rsp),%ecx + xorl %ebx,%esi +.byte 102,15,56,0,214 + movl %edx,%edi + roll $5,%edx + paddd %xmm9,%xmm1 + xorl %eax,%esi + aesenc %xmm15,%xmm11 + movups 144(%r15),%xmm14 + addl %edx,%ecx + rorl $7,%ebp + addl %esi,%ecx + movdqa %xmm1,16(%rsp) + 
addl 36(%rsp),%ebx + xorl %eax,%edi + psubd %xmm9,%xmm1 + movl %ecx,%esi + roll $5,%ecx + xorl %ebp,%edi + addl %ecx,%ebx + rorl $7,%edx + addl %edi,%ebx + addl 40(%rsp),%eax + xorl %ebp,%esi + movl %ebx,%edi + roll $5,%ebx + xorl %edx,%esi + addl %ebx,%eax + rorl $7,%ecx + addl %esi,%eax + addl 44(%rsp),%ebp + aesenc %xmm14,%xmm11 + movups 160(%r15),%xmm15 + xorl %edx,%edi + movl %eax,%esi + roll $5,%eax + xorl %ecx,%edi + addl %eax,%ebp + rorl $7,%ebx + addl %edi,%ebp + addl 48(%rsp),%edx + xorl %ecx,%esi +.byte 102,15,56,0,222 + movl %ebp,%edi + roll $5,%ebp + paddd %xmm9,%xmm2 + xorl %ebx,%esi + addl %ebp,%edx + rorl $7,%eax + addl %esi,%edx + movdqa %xmm2,32(%rsp) + addl 52(%rsp),%ecx + xorl %ebx,%edi + psubd %xmm9,%xmm2 + movl %edx,%esi + roll $5,%edx + xorl %eax,%edi + cmpl $11,%r8d + jb .Laesenclast4 + movups 176(%r15),%xmm14 + aesenc %xmm15,%xmm11 + movups 192(%r15),%xmm15 + aesenc %xmm14,%xmm11 + je .Laesenclast4 + movups 208(%r15),%xmm14 + aesenc %xmm15,%xmm11 + movups 224(%r15),%xmm15 + aesenc %xmm14,%xmm11 +.Laesenclast4: + aesenclast %xmm15,%xmm11 + movups 16(%r15),%xmm14 + addl %edx,%ecx + rorl $7,%ebp + addl %edi,%ecx + addl 56(%rsp),%ebx + xorl %eax,%esi + movl %ecx,%edi + roll $5,%ecx + xorl %ebp,%esi + addl %ecx,%ebx + rorl $7,%edx + addl %esi,%ebx + addl 60(%rsp),%eax + xorl %ebp,%edi + movl %ebx,%esi + roll $5,%ebx + xorl %edx,%edi + addl %ebx,%eax + rorl $7,%ecx + addl %edi,%eax + movups %xmm11,48(%r13,%r12,1) + leaq 64(%r12),%r12 + + addl 0(%r9),%eax + addl 4(%r9),%esi + addl 8(%r9),%ecx + addl 12(%r9),%edx + movl %eax,0(%r9) + addl 16(%r9),%ebp + movl %esi,4(%r9) + movl %esi,%ebx + movl %ecx,8(%r9) + movl %edx,12(%r9) + movl %ebp,16(%r9) + jmp .Loop_ssse3 + +.p2align 4 +.Ldone_ssse3: + addl 16(%rsp),%ebx + xorl %eax,%esi + movl %ecx,%edi + roll $5,%ecx + xorl %ebp,%esi + addl %ecx,%ebx + rorl $7,%edx + addl %esi,%ebx + addl 20(%rsp),%eax + xorl %ebp,%edi + movl %ebx,%esi + roll $5,%ebx + xorl %edx,%edi + addl %ebx,%eax + rorl $7,%ecx + addl 
%edi,%eax + addl 24(%rsp),%ebp + aesenc %xmm14,%xmm11 + movups 128(%r15),%xmm15 + xorl %edx,%esi + movl %eax,%edi + roll $5,%eax + xorl %ecx,%esi + addl %eax,%ebp + rorl $7,%ebx + addl %esi,%ebp + addl 28(%rsp),%edx + xorl %ecx,%edi + movl %ebp,%esi + roll $5,%ebp + xorl %ebx,%edi + addl %ebp,%edx + rorl $7,%eax + addl %edi,%edx + addl 32(%rsp),%ecx + xorl %ebx,%esi + movl %edx,%edi + roll $5,%edx + xorl %eax,%esi + aesenc %xmm15,%xmm11 + movups 144(%r15),%xmm14 + addl %edx,%ecx + rorl $7,%ebp + addl %esi,%ecx + addl 36(%rsp),%ebx + xorl %eax,%edi + movl %ecx,%esi + roll $5,%ecx + xorl %ebp,%edi + addl %ecx,%ebx + rorl $7,%edx + addl %edi,%ebx + addl 40(%rsp),%eax + xorl %ebp,%esi + movl %ebx,%edi + roll $5,%ebx + xorl %edx,%esi + addl %ebx,%eax + rorl $7,%ecx + addl %esi,%eax + addl 44(%rsp),%ebp + aesenc %xmm14,%xmm11 + movups 160(%r15),%xmm15 + xorl %edx,%edi + movl %eax,%esi + roll $5,%eax + xorl %ecx,%edi + addl %eax,%ebp + rorl $7,%ebx + addl %edi,%ebp + addl 48(%rsp),%edx + xorl %ecx,%esi + movl %ebp,%edi + roll $5,%ebp + xorl %ebx,%esi + addl %ebp,%edx + rorl $7,%eax + addl %esi,%edx + addl 52(%rsp),%ecx + xorl %ebx,%edi + movl %edx,%esi + roll $5,%edx + xorl %eax,%edi + cmpl $11,%r8d + jb .Laesenclast5 + movups 176(%r15),%xmm14 + aesenc %xmm15,%xmm11 + movups 192(%r15),%xmm15 + aesenc %xmm14,%xmm11 + je .Laesenclast5 + movups 208(%r15),%xmm14 + aesenc %xmm15,%xmm11 + movups 224(%r15),%xmm15 + aesenc %xmm14,%xmm11 +.Laesenclast5: + aesenclast %xmm15,%xmm11 + movups 16(%r15),%xmm14 + addl %edx,%ecx + rorl $7,%ebp + addl %edi,%ecx + addl 56(%rsp),%ebx + xorl %eax,%esi + movl %ecx,%edi + roll $5,%ecx + xorl %ebp,%esi + addl %ecx,%ebx + rorl $7,%edx + addl %esi,%ebx + addl 60(%rsp),%eax + xorl %ebp,%edi + movl %ebx,%esi + roll $5,%ebx + xorl %edx,%edi + addl %ebx,%eax + rorl $7,%ecx + addl %edi,%eax + movups %xmm11,48(%r13,%r12,1) + movq 88(%rsp),%r8 + + addl 0(%r9),%eax + addl 4(%r9),%esi + addl 8(%r9),%ecx + movl %eax,0(%r9) + addl 12(%r9),%edx + movl 
%esi,4(%r9) + addl 16(%r9),%ebp + movl %ecx,8(%r9) + movl %edx,12(%r9) + movl %ebp,16(%r9) + movups %xmm11,(%r8) + movaps 96+0(%rsp),%xmm6 + movaps 96+16(%rsp),%xmm7 + movaps 96+32(%rsp),%xmm8 + movaps 96+48(%rsp),%xmm9 + movaps 96+64(%rsp),%xmm10 + movaps 96+80(%rsp),%xmm11 + movaps 96+96(%rsp),%xmm12 + movaps 96+112(%rsp),%xmm13 + movaps 96+128(%rsp),%xmm14 + movaps 96+144(%rsp),%xmm15 + leaq 264(%rsp),%rsi + movq 0(%rsi),%r15 + movq 8(%rsi),%r14 + movq 16(%rsi),%r13 + movq 24(%rsi),%r12 + movq 32(%rsi),%rbp + movq 40(%rsi),%rbx + leaq 48(%rsi),%rsp +.Lepilogue_ssse3: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_aesni_cbc_sha1_enc_ssse3: +.p2align 6 +K_XX_XX: +.long 0x5a827999,0x5a827999,0x5a827999,0x5a827999 +.long 0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1 +.long 0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc +.long 0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6 +.long 0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f + +.byte 65,69,83,78,73,45,67,66,67,43,83,72,65,49,32,115,116,105,116,99,104,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.p2align 6 + +.def ssse3_handler; .scl 3; .type 32; .endef +.p2align 4 +ssse3_handler: + pushq %rsi + pushq %rdi + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushfq + subq $64,%rsp + + movq 120(%r8),%rax + movq 248(%r8),%rbx + + movq 8(%r9),%rsi + movq 56(%r9),%r11 + + movl 0(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jb .Lcommon_seh_tail + + movq 152(%r8),%rax + + movl 4(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jae .Lcommon_seh_tail + + leaq 96(%rax),%rsi + leaq 512(%r8),%rdi + movl $20,%ecx +.long 0xa548f3fc + leaq 264(%rax),%rax + + movq 0(%rax),%r15 + movq 8(%rax),%r14 + movq 16(%rax),%r13 + movq 24(%rax),%r12 + movq 32(%rax),%rbp + movq 40(%rax),%rbx + leaq 48(%rax),%rax + movq %rbx,144(%r8) + movq %rbp,160(%r8) + movq %r12,216(%r8) + movq 
%r13,224(%r8) + movq %r14,232(%r8) + movq %r15,240(%r8) + +.Lcommon_seh_tail: + movq 8(%rax),%rdi + movq 16(%rax),%rsi + movq %rax,152(%r8) + movq %rsi,168(%r8) + movq %rdi,176(%r8) + + movq 40(%r9),%rdi + movq %r8,%rsi + movl $154,%ecx +.long 0xa548f3fc + + movq %r9,%rsi + xorq %rcx,%rcx + movq 8(%rsi),%rdx + movq 0(%rsi),%r8 + movq 16(%rsi),%r9 + movq 40(%rsi),%r10 + leaq 56(%rsi),%r11 + leaq 24(%rsi),%r12 + movq %r10,32(%rsp) + movq %r11,40(%rsp) + movq %r12,48(%rsp) + movq %rcx,56(%rsp) + call *__imp_RtlVirtualUnwind(%rip) + + movl $1,%eax + addq $64,%rsp + popfq + popq %r15 + popq %r14 + popq %r13 + popq %r12 + popq %rbp + popq %rbx + popq %rdi + popq %rsi + retq + + +.section .pdata +.p2align 2 +.rva .LSEH_begin_aesni_cbc_sha1_enc_ssse3 +.rva .LSEH_end_aesni_cbc_sha1_enc_ssse3 +.rva .LSEH_info_aesni_cbc_sha1_enc_ssse3 +.section .xdata +.p2align 3 +.LSEH_info_aesni_cbc_sha1_enc_ssse3: +.byte 9,0,0,0 +.rva ssse3_handler +.rva .Lprologue_ssse3,.Lepilogue_ssse3 diff --git a/crypto/aes/bsaes-masm-x86_64.S b/crypto/aes/bsaes-masm-x86_64.S new file mode 100644 index 0000000..6b1a97d --- /dev/null +++ b/crypto/aes/bsaes-masm-x86_64.S 
@@ -0,0 +1,2803 @@ +; 1 "crypto/aes/bsaes-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/aes/bsaes-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/aes/bsaes-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' + +EXTERN asm_AES_encrypt:NEAR +EXTERN asm_AES_decrypt:NEAR + + +ALIGN 64 +_bsaes_encrypt8 PROC PRIVATE + lea r11,QWORD PTR[$L$BS0] + + movdqa xmm8,XMMWORD PTR[rax] + lea rax,QWORD PTR[16+rax] + movdqa xmm7,XMMWORD PTR[80+r11] + pxor xmm15,xmm8 + pxor xmm0,xmm8 +DB 102,68,15,56,0,255 + pxor xmm1,xmm8 +DB 102,15,56,0,199 + pxor xmm2,xmm8 +DB 102,15,56,0,207 + pxor xmm3,xmm8 +DB 102,15,56,0,215 + pxor xmm4,xmm8 +DB 102,15,56,0,223 + pxor xmm5,xmm8 +DB 102,15,56,0,231 + pxor xmm6,xmm8 +DB 102,15,56,0,239 +DB 102,15,56,0,247 +_bsaes_encrypt8_bitslice:: + movdqa xmm7,XMMWORD PTR[r11] + movdqa xmm8,XMMWORD PTR[16+r11] + movdqa xmm9,xmm5 + psrlq xmm5,1 + movdqa xmm10,xmm3 + psrlq xmm3,1 + pxor xmm5,xmm6 + pxor xmm3,xmm4 + pand xmm5,xmm7 + pand xmm3,xmm7 + pxor xmm6,xmm5 + psllq xmm5,1 + pxor xmm4,xmm3 + psllq xmm3,1 + pxor xmm5,xmm9 + pxor xmm3,xmm10 + movdqa xmm9,xmm1 + psrlq xmm1,1 + movdqa xmm10,xmm15 + psrlq xmm15,1 + pxor xmm1,xmm2 + pxor xmm15,xmm0 + pand xmm1,xmm7 + pand xmm15,xmm7 + pxor xmm2,xmm1 + psllq xmm1,1 + pxor xmm0,xmm15 + psllq xmm15,1 + pxor xmm1,xmm9 + pxor xmm15,xmm10 + movdqa xmm7,XMMWORD PTR[32+r11] + movdqa xmm9,xmm4 + psrlq xmm4,2 + movdqa xmm10,xmm3 + psrlq xmm3,2 + pxor xmm4,xmm6 + pxor xmm3,xmm5 + pand xmm4,xmm8 + pand xmm3,xmm8 + pxor xmm6,xmm4 + psllq xmm4,2 + pxor xmm5,xmm3 + psllq xmm3,2 + pxor xmm4,xmm9 + pxor xmm3,xmm10 + movdqa xmm9,xmm0 + psrlq xmm0,2 + movdqa xmm10,xmm15 + psrlq xmm15,2 + pxor xmm0,xmm2 + pxor xmm15,xmm1 + pand xmm0,xmm8 + pand xmm15,xmm8 + pxor xmm2,xmm0 + psllq xmm0,2 + pxor 
xmm1,xmm15 + psllq xmm15,2 + pxor xmm0,xmm9 + pxor xmm15,xmm10 + movdqa xmm9,xmm2 + psrlq xmm2,4 + movdqa xmm10,xmm1 + psrlq xmm1,4 + pxor xmm2,xmm6 + pxor xmm1,xmm5 + pand xmm2,xmm7 + pand xmm1,xmm7 + pxor xmm6,xmm2 + psllq xmm2,4 + pxor xmm5,xmm1 + psllq xmm1,4 + pxor xmm2,xmm9 + pxor xmm1,xmm10 + movdqa xmm9,xmm0 + psrlq xmm0,4 + movdqa xmm10,xmm15 + psrlq xmm15,4 + pxor xmm0,xmm4 + pxor xmm15,xmm3 + pand xmm0,xmm7 + pand xmm15,xmm7 + pxor xmm4,xmm0 + psllq xmm0,4 + pxor xmm3,xmm15 + psllq xmm15,4 + pxor xmm0,xmm9 + pxor xmm15,xmm10 + dec r10d + jmp $L$enc_sbox +ALIGN 16 +$L$enc_loop:: + pxor xmm15,XMMWORD PTR[rax] + pxor xmm0,XMMWORD PTR[16+rax] +DB 102,68,15,56,0,255 + pxor xmm1,XMMWORD PTR[32+rax] +DB 102,15,56,0,199 + pxor xmm2,XMMWORD PTR[48+rax] +DB 102,15,56,0,207 + pxor xmm3,XMMWORD PTR[64+rax] +DB 102,15,56,0,215 + pxor xmm4,XMMWORD PTR[80+rax] +DB 102,15,56,0,223 + pxor xmm5,XMMWORD PTR[96+rax] +DB 102,15,56,0,231 + pxor xmm6,XMMWORD PTR[112+rax] +DB 102,15,56,0,239 + lea rax,QWORD PTR[128+rax] +DB 102,15,56,0,247 +$L$enc_sbox:: + pxor xmm4,xmm5 + pxor xmm1,xmm0 + pxor xmm2,xmm15 + pxor xmm5,xmm1 + pxor xmm4,xmm15 + + pxor xmm5,xmm2 + pxor xmm2,xmm6 + pxor xmm6,xmm4 + pxor xmm2,xmm3 + pxor xmm3,xmm4 + pxor xmm2,xmm0 + + pxor xmm1,xmm6 + pxor xmm0,xmm4 + movdqa xmm10,xmm6 + movdqa xmm9,xmm0 + movdqa xmm8,xmm4 + movdqa xmm12,xmm1 + movdqa xmm11,xmm5 + + pxor xmm10,xmm3 + pxor xmm9,xmm1 + pxor xmm8,xmm2 + movdqa xmm13,xmm10 + pxor xmm12,xmm3 + movdqa xmm7,xmm9 + pxor xmm11,xmm15 + movdqa xmm14,xmm10 + + por xmm9,xmm8 + por xmm10,xmm11 + pxor xmm14,xmm7 + pand xmm13,xmm11 + pxor xmm11,xmm8 + pand xmm7,xmm8 + pand xmm14,xmm11 + movdqa xmm11,xmm2 + pxor xmm11,xmm15 + pand xmm12,xmm11 + pxor xmm10,xmm12 + pxor xmm9,xmm12 + movdqa xmm12,xmm6 + movdqa xmm11,xmm4 + pxor xmm12,xmm0 + pxor xmm11,xmm5 + movdqa xmm8,xmm12 + pand xmm12,xmm11 + por xmm8,xmm11 + pxor xmm7,xmm12 + pxor xmm10,xmm14 + pxor xmm9,xmm13 + pxor xmm8,xmm14 + movdqa xmm11,xmm1 + pxor xmm7,xmm13 
+ movdqa xmm12,xmm3 + pxor xmm8,xmm13 + movdqa xmm13,xmm0 + pand xmm11,xmm2 + movdqa xmm14,xmm6 + pand xmm12,xmm15 + pand xmm13,xmm4 + por xmm14,xmm5 + pxor xmm10,xmm11 + pxor xmm9,xmm12 + pxor xmm8,xmm13 + pxor xmm7,xmm14 + + + + + + movdqa xmm11,xmm10 + pand xmm10,xmm8 + pxor xmm11,xmm9 + + movdqa xmm13,xmm7 + movdqa xmm14,xmm11 + pxor xmm13,xmm10 + pand xmm14,xmm13 + + movdqa xmm12,xmm8 + pxor xmm14,xmm9 + pxor xmm12,xmm7 + + pxor xmm10,xmm9 + + pand xmm12,xmm10 + + movdqa xmm9,xmm13 + pxor xmm12,xmm7 + + pxor xmm9,xmm12 + pxor xmm8,xmm12 + + pand xmm9,xmm7 + + pxor xmm13,xmm9 + pxor xmm8,xmm9 + + pand xmm13,xmm14 + + pxor xmm13,xmm11 + movdqa xmm11,xmm5 + movdqa xmm7,xmm4 + movdqa xmm9,xmm14 + pxor xmm9,xmm13 + pand xmm9,xmm5 + pxor xmm5,xmm4 + pand xmm4,xmm14 + pand xmm5,xmm13 + pxor xmm5,xmm4 + pxor xmm4,xmm9 + pxor xmm11,xmm15 + pxor xmm7,xmm2 + pxor xmm14,xmm12 + pxor xmm13,xmm8 + movdqa xmm10,xmm14 + movdqa xmm9,xmm12 + pxor xmm10,xmm13 + pxor xmm9,xmm8 + pand xmm10,xmm11 + pand xmm9,xmm15 + pxor xmm11,xmm7 + pxor xmm15,xmm2 + pand xmm7,xmm14 + pand xmm2,xmm12 + pand xmm11,xmm13 + pand xmm15,xmm8 + pxor xmm7,xmm11 + pxor xmm15,xmm2 + pxor xmm11,xmm10 + pxor xmm2,xmm9 + pxor xmm5,xmm11 + pxor xmm15,xmm11 + pxor xmm4,xmm7 + pxor xmm2,xmm7 + + movdqa xmm11,xmm6 + movdqa xmm7,xmm0 + pxor xmm11,xmm3 + pxor xmm7,xmm1 + movdqa xmm10,xmm14 + movdqa xmm9,xmm12 + pxor xmm10,xmm13 + pxor xmm9,xmm8 + pand xmm10,xmm11 + pand xmm9,xmm3 + pxor xmm11,xmm7 + pxor xmm3,xmm1 + pand xmm7,xmm14 + pand xmm1,xmm12 + pand xmm11,xmm13 + pand xmm3,xmm8 + pxor xmm7,xmm11 + pxor xmm3,xmm1 + pxor xmm11,xmm10 + pxor xmm1,xmm9 + pxor xmm14,xmm12 + pxor xmm13,xmm8 + movdqa xmm10,xmm14 + pxor xmm10,xmm13 + pand xmm10,xmm6 + pxor xmm6,xmm0 + pand xmm0,xmm14 + pand xmm6,xmm13 + pxor xmm6,xmm0 + pxor xmm0,xmm10 + pxor xmm6,xmm11 + pxor xmm3,xmm11 + pxor xmm0,xmm7 + pxor xmm1,xmm7 + pxor xmm6,xmm15 + pxor xmm0,xmm5 + pxor xmm3,xmm6 + pxor xmm5,xmm15 + pxor xmm15,xmm0 + + pxor xmm0,xmm4 + pxor 
xmm4,xmm1 + pxor xmm1,xmm2 + pxor xmm2,xmm4 + pxor xmm3,xmm4 + + pxor xmm5,xmm2 + dec r10d + jl $L$enc_done + pshufd xmm7,xmm15,093h + pshufd xmm8,xmm0,093h + pxor xmm15,xmm7 + pshufd xmm9,xmm3,093h + pxor xmm0,xmm8 + pshufd xmm10,xmm5,093h + pxor xmm3,xmm9 + pshufd xmm11,xmm2,093h + pxor xmm5,xmm10 + pshufd xmm12,xmm6,093h + pxor xmm2,xmm11 + pshufd xmm13,xmm1,093h + pxor xmm6,xmm12 + pshufd xmm14,xmm4,093h + pxor xmm1,xmm13 + pxor xmm4,xmm14 + + pxor xmm8,xmm15 + pxor xmm7,xmm4 + pxor xmm8,xmm4 + pshufd xmm15,xmm15,04Eh + pxor xmm9,xmm0 + pshufd xmm0,xmm0,04Eh + pxor xmm12,xmm2 + pxor xmm15,xmm7 + pxor xmm13,xmm6 + pxor xmm0,xmm8 + pxor xmm11,xmm5 + pshufd xmm7,xmm2,04Eh + pxor xmm14,xmm1 + pshufd xmm8,xmm6,04Eh + pxor xmm10,xmm3 + pshufd xmm2,xmm5,04Eh + pxor xmm10,xmm4 + pshufd xmm6,xmm4,04Eh + pxor xmm11,xmm4 + pshufd xmm5,xmm1,04Eh + pxor xmm7,xmm11 + pshufd xmm1,xmm3,04Eh + pxor xmm8,xmm12 + pxor xmm2,xmm10 + pxor xmm6,xmm14 + pxor xmm5,xmm13 + movdqa xmm3,xmm7 + pxor xmm1,xmm9 + movdqa xmm4,xmm8 + movdqa xmm7,XMMWORD PTR[48+r11] + jnz $L$enc_loop + movdqa xmm7,XMMWORD PTR[64+r11] + jmp $L$enc_loop +ALIGN 16 +$L$enc_done:: + movdqa xmm7,XMMWORD PTR[r11] + movdqa xmm8,XMMWORD PTR[16+r11] + movdqa xmm9,xmm1 + psrlq xmm1,1 + movdqa xmm10,xmm2 + psrlq xmm2,1 + pxor xmm1,xmm4 + pxor xmm2,xmm6 + pand xmm1,xmm7 + pand xmm2,xmm7 + pxor xmm4,xmm1 + psllq xmm1,1 + pxor xmm6,xmm2 + psllq xmm2,1 + pxor xmm1,xmm9 + pxor xmm2,xmm10 + movdqa xmm9,xmm3 + psrlq xmm3,1 + movdqa xmm10,xmm15 + psrlq xmm15,1 + pxor xmm3,xmm5 + pxor xmm15,xmm0 + pand xmm3,xmm7 + pand xmm15,xmm7 + pxor xmm5,xmm3 + psllq xmm3,1 + pxor xmm0,xmm15 + psllq xmm15,1 + pxor xmm3,xmm9 + pxor xmm15,xmm10 + movdqa xmm7,XMMWORD PTR[32+r11] + movdqa xmm9,xmm6 + psrlq xmm6,2 + movdqa xmm10,xmm2 + psrlq xmm2,2 + pxor xmm6,xmm4 + pxor xmm2,xmm1 + pand xmm6,xmm8 + pand xmm2,xmm8 + pxor xmm4,xmm6 + psllq xmm6,2 + pxor xmm1,xmm2 + psllq xmm2,2 + pxor xmm6,xmm9 + pxor xmm2,xmm10 + movdqa xmm9,xmm0 + psrlq xmm0,2 + 
movdqa xmm10,xmm15 + psrlq xmm15,2 + pxor xmm0,xmm5 + pxor xmm15,xmm3 + pand xmm0,xmm8 + pand xmm15,xmm8 + pxor xmm5,xmm0 + psllq xmm0,2 + pxor xmm3,xmm15 + psllq xmm15,2 + pxor xmm0,xmm9 + pxor xmm15,xmm10 + movdqa xmm9,xmm5 + psrlq xmm5,4 + movdqa xmm10,xmm3 + psrlq xmm3,4 + pxor xmm5,xmm4 + pxor xmm3,xmm1 + pand xmm5,xmm7 + pand xmm3,xmm7 + pxor xmm4,xmm5 + psllq xmm5,4 + pxor xmm1,xmm3 + psllq xmm3,4 + pxor xmm5,xmm9 + pxor xmm3,xmm10 + movdqa xmm9,xmm0 + psrlq xmm0,4 + movdqa xmm10,xmm15 + psrlq xmm15,4 + pxor xmm0,xmm6 + pxor xmm15,xmm2 + pand xmm0,xmm7 + pand xmm15,xmm7 + pxor xmm6,xmm0 + psllq xmm0,4 + pxor xmm2,xmm15 + psllq xmm15,4 + pxor xmm0,xmm9 + pxor xmm15,xmm10 + movdqa xmm7,XMMWORD PTR[rax] + pxor xmm3,xmm7 + pxor xmm5,xmm7 + pxor xmm2,xmm7 + pxor xmm6,xmm7 + pxor xmm1,xmm7 + pxor xmm4,xmm7 + pxor xmm15,xmm7 + pxor xmm0,xmm7 + DB 0F3h,0C3h ;repret +_bsaes_encrypt8 ENDP + + +ALIGN 64 +_bsaes_decrypt8 PROC PRIVATE + lea r11,QWORD PTR[$L$BS0] + + movdqa xmm8,XMMWORD PTR[rax] + lea rax,QWORD PTR[16+rax] + movdqa xmm7,XMMWORD PTR[((-48))+r11] + pxor xmm15,xmm8 + pxor xmm0,xmm8 +DB 102,68,15,56,0,255 + pxor xmm1,xmm8 +DB 102,15,56,0,199 + pxor xmm2,xmm8 +DB 102,15,56,0,207 + pxor xmm3,xmm8 +DB 102,15,56,0,215 + pxor xmm4,xmm8 +DB 102,15,56,0,223 + pxor xmm5,xmm8 +DB 102,15,56,0,231 + pxor xmm6,xmm8 +DB 102,15,56,0,239 +DB 102,15,56,0,247 + movdqa xmm7,XMMWORD PTR[r11] + movdqa xmm8,XMMWORD PTR[16+r11] + movdqa xmm9,xmm5 + psrlq xmm5,1 + movdqa xmm10,xmm3 + psrlq xmm3,1 + pxor xmm5,xmm6 + pxor xmm3,xmm4 + pand xmm5,xmm7 + pand xmm3,xmm7 + pxor xmm6,xmm5 + psllq xmm5,1 + pxor xmm4,xmm3 + psllq xmm3,1 + pxor xmm5,xmm9 + pxor xmm3,xmm10 + movdqa xmm9,xmm1 + psrlq xmm1,1 + movdqa xmm10,xmm15 + psrlq xmm15,1 + pxor xmm1,xmm2 + pxor xmm15,xmm0 + pand xmm1,xmm7 + pand xmm15,xmm7 + pxor xmm2,xmm1 + psllq xmm1,1 + pxor xmm0,xmm15 + psllq xmm15,1 + pxor xmm1,xmm9 + pxor xmm15,xmm10 + movdqa xmm7,XMMWORD PTR[32+r11] + movdqa xmm9,xmm4 + psrlq xmm4,2 + movdqa 
xmm10,xmm3 + psrlq xmm3,2 + pxor xmm4,xmm6 + pxor xmm3,xmm5 + pand xmm4,xmm8 + pand xmm3,xmm8 + pxor xmm6,xmm4 + psllq xmm4,2 + pxor xmm5,xmm3 + psllq xmm3,2 + pxor xmm4,xmm9 + pxor xmm3,xmm10 + movdqa xmm9,xmm0 + psrlq xmm0,2 + movdqa xmm10,xmm15 + psrlq xmm15,2 + pxor xmm0,xmm2 + pxor xmm15,xmm1 + pand xmm0,xmm8 + pand xmm15,xmm8 + pxor xmm2,xmm0 + psllq xmm0,2 + pxor xmm1,xmm15 + psllq xmm15,2 + pxor xmm0,xmm9 + pxor xmm15,xmm10 + movdqa xmm9,xmm2 + psrlq xmm2,4 + movdqa xmm10,xmm1 + psrlq xmm1,4 + pxor xmm2,xmm6 + pxor xmm1,xmm5 + pand xmm2,xmm7 + pand xmm1,xmm7 + pxor xmm6,xmm2 + psllq xmm2,4 + pxor xmm5,xmm1 + psllq xmm1,4 + pxor xmm2,xmm9 + pxor xmm1,xmm10 + movdqa xmm9,xmm0 + psrlq xmm0,4 + movdqa xmm10,xmm15 + psrlq xmm15,4 + pxor xmm0,xmm4 + pxor xmm15,xmm3 + pand xmm0,xmm7 + pand xmm15,xmm7 + pxor xmm4,xmm0 + psllq xmm0,4 + pxor xmm3,xmm15 + psllq xmm15,4 + pxor xmm0,xmm9 + pxor xmm15,xmm10 + dec r10d + jmp $L$dec_sbox +ALIGN 16 +$L$dec_loop:: + pxor xmm15,XMMWORD PTR[rax] + pxor xmm0,XMMWORD PTR[16+rax] +DB 102,68,15,56,0,255 + pxor xmm1,XMMWORD PTR[32+rax] +DB 102,15,56,0,199 + pxor xmm2,XMMWORD PTR[48+rax] +DB 102,15,56,0,207 + pxor xmm3,XMMWORD PTR[64+rax] +DB 102,15,56,0,215 + pxor xmm4,XMMWORD PTR[80+rax] +DB 102,15,56,0,223 + pxor xmm5,XMMWORD PTR[96+rax] +DB 102,15,56,0,231 + pxor xmm6,XMMWORD PTR[112+rax] +DB 102,15,56,0,239 + lea rax,QWORD PTR[128+rax] +DB 102,15,56,0,247 +$L$dec_sbox:: + pxor xmm2,xmm3 + + pxor xmm3,xmm6 + pxor xmm1,xmm6 + pxor xmm5,xmm3 + pxor xmm6,xmm5 + pxor xmm0,xmm6 + + pxor xmm15,xmm0 + pxor xmm1,xmm4 + pxor xmm2,xmm15 + pxor xmm4,xmm15 + pxor xmm0,xmm2 + movdqa xmm10,xmm2 + movdqa xmm9,xmm6 + movdqa xmm8,xmm0 + movdqa xmm12,xmm3 + movdqa xmm11,xmm4 + + pxor xmm10,xmm15 + pxor xmm9,xmm3 + pxor xmm8,xmm5 + movdqa xmm13,xmm10 + pxor xmm12,xmm15 + movdqa xmm7,xmm9 + pxor xmm11,xmm1 + movdqa xmm14,xmm10 + + por xmm9,xmm8 + por xmm10,xmm11 + pxor xmm14,xmm7 + pand xmm13,xmm11 + pxor xmm11,xmm8 + pand xmm7,xmm8 + pand 
xmm14,xmm11 + movdqa xmm11,xmm5 + pxor xmm11,xmm1 + pand xmm12,xmm11 + pxor xmm10,xmm12 + pxor xmm9,xmm12 + movdqa xmm12,xmm2 + movdqa xmm11,xmm0 + pxor xmm12,xmm6 + pxor xmm11,xmm4 + movdqa xmm8,xmm12 + pand xmm12,xmm11 + por xmm8,xmm11 + pxor xmm7,xmm12 + pxor xmm10,xmm14 + pxor xmm9,xmm13 + pxor xmm8,xmm14 + movdqa xmm11,xmm3 + pxor xmm7,xmm13 + movdqa xmm12,xmm15 + pxor xmm8,xmm13 + movdqa xmm13,xmm6 + pand xmm11,xmm5 + movdqa xmm14,xmm2 + pand xmm12,xmm1 + pand xmm13,xmm0 + por xmm14,xmm4 + pxor xmm10,xmm11 + pxor xmm9,xmm12 + pxor xmm8,xmm13 + pxor xmm7,xmm14 + + + + + + movdqa xmm11,xmm10 + pand xmm10,xmm8 + pxor xmm11,xmm9 + + movdqa xmm13,xmm7 + movdqa xmm14,xmm11 + pxor xmm13,xmm10 + pand xmm14,xmm13 + + movdqa xmm12,xmm8 + pxor xmm14,xmm9 + pxor xmm12,xmm7 + + pxor xmm10,xmm9 + + pand xmm12,xmm10 + + movdqa xmm9,xmm13 + pxor xmm12,xmm7 + + pxor xmm9,xmm12 + pxor xmm8,xmm12 + + pand xmm9,xmm7 + + pxor xmm13,xmm9 + pxor xmm8,xmm9 + + pand xmm13,xmm14 + + pxor xmm13,xmm11 + movdqa xmm11,xmm4 + movdqa xmm7,xmm0 + movdqa xmm9,xmm14 + pxor xmm9,xmm13 + pand xmm9,xmm4 + pxor xmm4,xmm0 + pand xmm0,xmm14 + pand xmm4,xmm13 + pxor xmm4,xmm0 + pxor xmm0,xmm9 + pxor xmm11,xmm1 + pxor xmm7,xmm5 + pxor xmm14,xmm12 + pxor xmm13,xmm8 + movdqa xmm10,xmm14 + movdqa xmm9,xmm12 + pxor xmm10,xmm13 + pxor xmm9,xmm8 + pand xmm10,xmm11 + pand xmm9,xmm1 + pxor xmm11,xmm7 + pxor xmm1,xmm5 + pand xmm7,xmm14 + pand xmm5,xmm12 + pand xmm11,xmm13 + pand xmm1,xmm8 + pxor xmm7,xmm11 + pxor xmm1,xmm5 + pxor xmm11,xmm10 + pxor xmm5,xmm9 + pxor xmm4,xmm11 + pxor xmm1,xmm11 + pxor xmm0,xmm7 + pxor xmm5,xmm7 + + movdqa xmm11,xmm2 + movdqa xmm7,xmm6 + pxor xmm11,xmm15 + pxor xmm7,xmm3 + movdqa xmm10,xmm14 + movdqa xmm9,xmm12 + pxor xmm10,xmm13 + pxor xmm9,xmm8 + pand xmm10,xmm11 + pand xmm9,xmm15 + pxor xmm11,xmm7 + pxor xmm15,xmm3 + pand xmm7,xmm14 + pand xmm3,xmm12 + pand xmm11,xmm13 + pand xmm15,xmm8 + pxor xmm7,xmm11 + pxor xmm15,xmm3 + pxor xmm11,xmm10 + pxor xmm3,xmm9 + pxor xmm14,xmm12 
+ pxor xmm13,xmm8 + movdqa xmm10,xmm14 + pxor xmm10,xmm13 + pand xmm10,xmm2 + pxor xmm2,xmm6 + pand xmm6,xmm14 + pand xmm2,xmm13 + pxor xmm2,xmm6 + pxor xmm6,xmm10 + pxor xmm2,xmm11 + pxor xmm15,xmm11 + pxor xmm6,xmm7 + pxor xmm3,xmm7 + pxor xmm0,xmm6 + pxor xmm5,xmm4 + + pxor xmm3,xmm0 + pxor xmm1,xmm6 + pxor xmm4,xmm6 + pxor xmm3,xmm1 + pxor xmm6,xmm15 + pxor xmm3,xmm4 + pxor xmm2,xmm5 + pxor xmm5,xmm0 + pxor xmm2,xmm3 + + pxor xmm3,xmm15 + pxor xmm6,xmm2 + dec r10d + jl $L$dec_done + + pshufd xmm7,xmm15,04Eh + pshufd xmm13,xmm2,04Eh + pxor xmm7,xmm15 + pshufd xmm14,xmm4,04Eh + pxor xmm13,xmm2 + pshufd xmm8,xmm0,04Eh + pxor xmm14,xmm4 + pshufd xmm9,xmm5,04Eh + pxor xmm8,xmm0 + pshufd xmm10,xmm3,04Eh + pxor xmm9,xmm5 + pxor xmm15,xmm13 + pxor xmm0,xmm13 + pshufd xmm11,xmm1,04Eh + pxor xmm10,xmm3 + pxor xmm5,xmm7 + pxor xmm3,xmm8 + pshufd xmm12,xmm6,04Eh + pxor xmm11,xmm1 + pxor xmm0,xmm14 + pxor xmm1,xmm9 + pxor xmm12,xmm6 + + pxor xmm5,xmm14 + pxor xmm3,xmm13 + pxor xmm1,xmm13 + pxor xmm6,xmm10 + pxor xmm2,xmm11 + pxor xmm1,xmm14 + pxor xmm6,xmm14 + pxor xmm4,xmm12 + pshufd xmm7,xmm15,093h + pshufd xmm8,xmm0,093h + pxor xmm15,xmm7 + pshufd xmm9,xmm5,093h + pxor xmm0,xmm8 + pshufd xmm10,xmm3,093h + pxor xmm5,xmm9 + pshufd xmm11,xmm1,093h + pxor xmm3,xmm10 + pshufd xmm12,xmm6,093h + pxor xmm1,xmm11 + pshufd xmm13,xmm2,093h + pxor xmm6,xmm12 + pshufd xmm14,xmm4,093h + pxor xmm2,xmm13 + pxor xmm4,xmm14 + + pxor xmm8,xmm15 + pxor xmm7,xmm4 + pxor xmm8,xmm4 + pshufd xmm15,xmm15,04Eh + pxor xmm9,xmm0 + pshufd xmm0,xmm0,04Eh + pxor xmm12,xmm1 + pxor xmm15,xmm7 + pxor xmm13,xmm6 + pxor xmm0,xmm8 + pxor xmm11,xmm3 + pshufd xmm7,xmm1,04Eh + pxor xmm14,xmm2 + pshufd xmm8,xmm6,04Eh + pxor xmm10,xmm5 + pshufd xmm1,xmm3,04Eh + pxor xmm10,xmm4 + pshufd xmm6,xmm4,04Eh + pxor xmm11,xmm4 + pshufd xmm3,xmm2,04Eh + pxor xmm7,xmm11 + pshufd xmm2,xmm5,04Eh + pxor xmm8,xmm12 + pxor xmm10,xmm1 + pxor xmm6,xmm14 + pxor xmm13,xmm3 + movdqa xmm3,xmm7 + pxor xmm2,xmm9 + movdqa xmm5,xmm13 + 
movdqa xmm4,xmm8 + movdqa xmm1,xmm2 + movdqa xmm2,xmm10 + movdqa xmm7,XMMWORD PTR[((-16))+r11] + jnz $L$dec_loop + movdqa xmm7,XMMWORD PTR[((-32))+r11] + jmp $L$dec_loop +ALIGN 16 +$L$dec_done:: + movdqa xmm7,XMMWORD PTR[r11] + movdqa xmm8,XMMWORD PTR[16+r11] + movdqa xmm9,xmm2 + psrlq xmm2,1 + movdqa xmm10,xmm1 + psrlq xmm1,1 + pxor xmm2,xmm4 + pxor xmm1,xmm6 + pand xmm2,xmm7 + pand xmm1,xmm7 + pxor xmm4,xmm2 + psllq xmm2,1 + pxor xmm6,xmm1 + psllq xmm1,1 + pxor xmm2,xmm9 + pxor xmm1,xmm10 + movdqa xmm9,xmm5 + psrlq xmm5,1 + movdqa xmm10,xmm15 + psrlq xmm15,1 + pxor xmm5,xmm3 + pxor xmm15,xmm0 + pand xmm5,xmm7 + pand xmm15,xmm7 + pxor xmm3,xmm5 + psllq xmm5,1 + pxor xmm0,xmm15 + psllq xmm15,1 + pxor xmm5,xmm9 + pxor xmm15,xmm10 + movdqa xmm7,XMMWORD PTR[32+r11] + movdqa xmm9,xmm6 + psrlq xmm6,2 + movdqa xmm10,xmm1 + psrlq xmm1,2 + pxor xmm6,xmm4 + pxor xmm1,xmm2 + pand xmm6,xmm8 + pand xmm1,xmm8 + pxor xmm4,xmm6 + psllq xmm6,2 + pxor xmm2,xmm1 + psllq xmm1,2 + pxor xmm6,xmm9 + pxor xmm1,xmm10 + movdqa xmm9,xmm0 + psrlq xmm0,2 + movdqa xmm10,xmm15 + psrlq xmm15,2 + pxor xmm0,xmm3 + pxor xmm15,xmm5 + pand xmm0,xmm8 + pand xmm15,xmm8 + pxor xmm3,xmm0 + psllq xmm0,2 + pxor xmm5,xmm15 + psllq xmm15,2 + pxor xmm0,xmm9 + pxor xmm15,xmm10 + movdqa xmm9,xmm3 + psrlq xmm3,4 + movdqa xmm10,xmm5 + psrlq xmm5,4 + pxor xmm3,xmm4 + pxor xmm5,xmm2 + pand xmm3,xmm7 + pand xmm5,xmm7 + pxor xmm4,xmm3 + psllq xmm3,4 + pxor xmm2,xmm5 + psllq xmm5,4 + pxor xmm3,xmm9 + pxor xmm5,xmm10 + movdqa xmm9,xmm0 + psrlq xmm0,4 + movdqa xmm10,xmm15 + psrlq xmm15,4 + pxor xmm0,xmm6 + pxor xmm15,xmm1 + pand xmm0,xmm7 + pand xmm15,xmm7 + pxor xmm6,xmm0 + psllq xmm0,4 + pxor xmm1,xmm15 + psllq xmm15,4 + pxor xmm0,xmm9 + pxor xmm15,xmm10 + movdqa xmm7,XMMWORD PTR[rax] + pxor xmm5,xmm7 + pxor xmm3,xmm7 + pxor xmm1,xmm7 + pxor xmm6,xmm7 + pxor xmm2,xmm7 + pxor xmm4,xmm7 + pxor xmm15,xmm7 + pxor xmm0,xmm7 + DB 0F3h,0C3h ;repret +_bsaes_decrypt8 ENDP + +ALIGN 16 +_bsaes_key_convert PROC PRIVATE + lea 
r11,QWORD PTR[$L$masks] + movdqu xmm7,XMMWORD PTR[rcx] + lea rcx,QWORD PTR[16+rcx] + movdqa xmm0,XMMWORD PTR[r11] + movdqa xmm1,XMMWORD PTR[16+r11] + movdqa xmm2,XMMWORD PTR[32+r11] + movdqa xmm3,XMMWORD PTR[48+r11] + movdqa xmm4,XMMWORD PTR[64+r11] + pcmpeqd xmm5,xmm5 + + movdqu xmm6,XMMWORD PTR[rcx] + movdqa XMMWORD PTR[rax],xmm7 + lea rax,QWORD PTR[16+rax] + dec r10d + jmp $L$key_loop +ALIGN 16 +$L$key_loop:: +DB 102,15,56,0,244 + + movdqa xmm8,xmm0 + movdqa xmm9,xmm1 + + pand xmm8,xmm6 + pand xmm9,xmm6 + movdqa xmm10,xmm2 + pcmpeqb xmm8,xmm0 + psllq xmm0,4 + movdqa xmm11,xmm3 + pcmpeqb xmm9,xmm1 + psllq xmm1,4 + + pand xmm10,xmm6 + pand xmm11,xmm6 + movdqa xmm12,xmm0 + pcmpeqb xmm10,xmm2 + psllq xmm2,4 + movdqa xmm13,xmm1 + pcmpeqb xmm11,xmm3 + psllq xmm3,4 + + movdqa xmm14,xmm2 + movdqa xmm15,xmm3 + pxor xmm8,xmm5 + pxor xmm9,xmm5 + + pand xmm12,xmm6 + pand xmm13,xmm6 + movdqa XMMWORD PTR[rax],xmm8 + pcmpeqb xmm12,xmm0 + psrlq xmm0,4 + movdqa XMMWORD PTR[16+rax],xmm9 + pcmpeqb xmm13,xmm1 + psrlq xmm1,4 + lea rcx,QWORD PTR[16+rcx] + + pand xmm14,xmm6 + pand xmm15,xmm6 + movdqa XMMWORD PTR[32+rax],xmm10 + pcmpeqb xmm14,xmm2 + psrlq xmm2,4 + movdqa XMMWORD PTR[48+rax],xmm11 + pcmpeqb xmm15,xmm3 + psrlq xmm3,4 + movdqu xmm6,XMMWORD PTR[rcx] + + pxor xmm13,xmm5 + pxor xmm14,xmm5 + movdqa XMMWORD PTR[64+rax],xmm12 + movdqa XMMWORD PTR[80+rax],xmm13 + movdqa XMMWORD PTR[96+rax],xmm14 + movdqa XMMWORD PTR[112+rax],xmm15 + lea rax,QWORD PTR[128+rax] + dec r10d + jnz $L$key_loop + + movdqa xmm7,XMMWORD PTR[80+r11] + + DB 0F3h,0C3h ;repret +_bsaes_key_convert ENDP +EXTERN asm_AES_cbc_encrypt:NEAR +PUBLIC bsaes_cbc_encrypt + +ALIGN 16 +bsaes_cbc_encrypt PROC PUBLIC + mov r11d,DWORD PTR[48+rsp] + cmp r11d,0 + jne asm_AES_cbc_encrypt + cmp r8,128 + jb asm_AES_cbc_encrypt + + mov rax,rsp +$L$cbc_dec_prologue:: + push rbp + push rbx + push r12 + push r13 + push r14 + push r15 + lea rsp,QWORD PTR[((-72))+rsp] + mov r10,QWORD PTR[160+rsp] + lea rsp,QWORD PTR[((-160))+rsp] + 
movaps XMMWORD PTR[64+rsp],xmm6 + movaps XMMWORD PTR[80+rsp],xmm7 + movaps XMMWORD PTR[96+rsp],xmm8 + movaps XMMWORD PTR[112+rsp],xmm9 + movaps XMMWORD PTR[128+rsp],xmm10 + movaps XMMWORD PTR[144+rsp],xmm11 + movaps XMMWORD PTR[160+rsp],xmm12 + movaps XMMWORD PTR[176+rsp],xmm13 + movaps XMMWORD PTR[192+rsp],xmm14 + movaps XMMWORD PTR[208+rsp],xmm15 +$L$cbc_dec_body:: + mov rbp,rsp + mov eax,DWORD PTR[240+r9] + mov r12,rcx + mov r13,rdx + mov r14,r8 + mov r15,r9 + mov rbx,r10 + shr r14,4 + + mov edx,eax + shl rax,7 + sub rax,96 + sub rsp,rax + + mov rax,rsp + mov rcx,r15 + mov r10d,edx + call _bsaes_key_convert + pxor xmm7,XMMWORD PTR[rsp] + movdqa XMMWORD PTR[rax],xmm6 + movdqa XMMWORD PTR[rsp],xmm7 + + movdqu xmm14,XMMWORD PTR[rbx] + sub r14,8 +$L$cbc_dec_loop:: + movdqu xmm15,XMMWORD PTR[r12] + movdqu xmm0,XMMWORD PTR[16+r12] + movdqu xmm1,XMMWORD PTR[32+r12] + movdqu xmm2,XMMWORD PTR[48+r12] + movdqu xmm3,XMMWORD PTR[64+r12] + movdqu xmm4,XMMWORD PTR[80+r12] + mov rax,rsp + movdqu xmm5,XMMWORD PTR[96+r12] + mov r10d,edx + movdqu xmm6,XMMWORD PTR[112+r12] + movdqa XMMWORD PTR[32+rbp],xmm14 + + call _bsaes_decrypt8 + + pxor xmm15,XMMWORD PTR[32+rbp] + movdqu xmm7,XMMWORD PTR[r12] + movdqu xmm8,XMMWORD PTR[16+r12] + pxor xmm0,xmm7 + movdqu xmm9,XMMWORD PTR[32+r12] + pxor xmm5,xmm8 + movdqu xmm10,XMMWORD PTR[48+r12] + pxor xmm3,xmm9 + movdqu xmm11,XMMWORD PTR[64+r12] + pxor xmm1,xmm10 + movdqu xmm12,XMMWORD PTR[80+r12] + pxor xmm6,xmm11 + movdqu xmm13,XMMWORD PTR[96+r12] + pxor xmm2,xmm12 + movdqu xmm14,XMMWORD PTR[112+r12] + pxor xmm4,xmm13 + movdqu XMMWORD PTR[r13],xmm15 + lea r12,QWORD PTR[128+r12] + movdqu XMMWORD PTR[16+r13],xmm0 + movdqu XMMWORD PTR[32+r13],xmm5 + movdqu XMMWORD PTR[48+r13],xmm3 + movdqu XMMWORD PTR[64+r13],xmm1 + movdqu XMMWORD PTR[80+r13],xmm6 + movdqu XMMWORD PTR[96+r13],xmm2 + movdqu XMMWORD PTR[112+r13],xmm4 + lea r13,QWORD PTR[128+r13] + sub r14,8 + jnc $L$cbc_dec_loop + + add r14,8 + jz $L$cbc_dec_done + + movdqu xmm15,XMMWORD PTR[r12] 
+ mov rax,rsp + mov r10d,edx + cmp r14,2 + jb $L$cbc_dec_one + movdqu xmm0,XMMWORD PTR[16+r12] + je $L$cbc_dec_two + movdqu xmm1,XMMWORD PTR[32+r12] + cmp r14,4 + jb $L$cbc_dec_three + movdqu xmm2,XMMWORD PTR[48+r12] + je $L$cbc_dec_four + movdqu xmm3,XMMWORD PTR[64+r12] + cmp r14,6 + jb $L$cbc_dec_five + movdqu xmm4,XMMWORD PTR[80+r12] + je $L$cbc_dec_six + movdqu xmm5,XMMWORD PTR[96+r12] + movdqa XMMWORD PTR[32+rbp],xmm14 + call _bsaes_decrypt8 + pxor xmm15,XMMWORD PTR[32+rbp] + movdqu xmm7,XMMWORD PTR[r12] + movdqu xmm8,XMMWORD PTR[16+r12] + pxor xmm0,xmm7 + movdqu xmm9,XMMWORD PTR[32+r12] + pxor xmm5,xmm8 + movdqu xmm10,XMMWORD PTR[48+r12] + pxor xmm3,xmm9 + movdqu xmm11,XMMWORD PTR[64+r12] + pxor xmm1,xmm10 + movdqu xmm12,XMMWORD PTR[80+r12] + pxor xmm6,xmm11 + movdqu xmm14,XMMWORD PTR[96+r12] + pxor xmm2,xmm12 + movdqu XMMWORD PTR[r13],xmm15 + movdqu XMMWORD PTR[16+r13],xmm0 + movdqu XMMWORD PTR[32+r13],xmm5 + movdqu XMMWORD PTR[48+r13],xmm3 + movdqu XMMWORD PTR[64+r13],xmm1 + movdqu XMMWORD PTR[80+r13],xmm6 + movdqu XMMWORD PTR[96+r13],xmm2 + jmp $L$cbc_dec_done +ALIGN 16 +$L$cbc_dec_six:: + movdqa XMMWORD PTR[32+rbp],xmm14 + call _bsaes_decrypt8 + pxor xmm15,XMMWORD PTR[32+rbp] + movdqu xmm7,XMMWORD PTR[r12] + movdqu xmm8,XMMWORD PTR[16+r12] + pxor xmm0,xmm7 + movdqu xmm9,XMMWORD PTR[32+r12] + pxor xmm5,xmm8 + movdqu xmm10,XMMWORD PTR[48+r12] + pxor xmm3,xmm9 + movdqu xmm11,XMMWORD PTR[64+r12] + pxor xmm1,xmm10 + movdqu xmm14,XMMWORD PTR[80+r12] + pxor xmm6,xmm11 + movdqu XMMWORD PTR[r13],xmm15 + movdqu XMMWORD PTR[16+r13],xmm0 + movdqu XMMWORD PTR[32+r13],xmm5 + movdqu XMMWORD PTR[48+r13],xmm3 + movdqu XMMWORD PTR[64+r13],xmm1 + movdqu XMMWORD PTR[80+r13],xmm6 + jmp $L$cbc_dec_done +ALIGN 16 +$L$cbc_dec_five:: + movdqa XMMWORD PTR[32+rbp],xmm14 + call _bsaes_decrypt8 + pxor xmm15,XMMWORD PTR[32+rbp] + movdqu xmm7,XMMWORD PTR[r12] + movdqu xmm8,XMMWORD PTR[16+r12] + pxor xmm0,xmm7 + movdqu xmm9,XMMWORD PTR[32+r12] + pxor xmm5,xmm8 + movdqu xmm10,XMMWORD 
PTR[48+r12] + pxor xmm3,xmm9 + movdqu xmm14,XMMWORD PTR[64+r12] + pxor xmm1,xmm10 + movdqu XMMWORD PTR[r13],xmm15 + movdqu XMMWORD PTR[16+r13],xmm0 + movdqu XMMWORD PTR[32+r13],xmm5 + movdqu XMMWORD PTR[48+r13],xmm3 + movdqu XMMWORD PTR[64+r13],xmm1 + jmp $L$cbc_dec_done +ALIGN 16 +$L$cbc_dec_four:: + movdqa XMMWORD PTR[32+rbp],xmm14 + call _bsaes_decrypt8 + pxor xmm15,XMMWORD PTR[32+rbp] + movdqu xmm7,XMMWORD PTR[r12] + movdqu xmm8,XMMWORD PTR[16+r12] + pxor xmm0,xmm7 + movdqu xmm9,XMMWORD PTR[32+r12] + pxor xmm5,xmm8 + movdqu xmm14,XMMWORD PTR[48+r12] + pxor xmm3,xmm9 + movdqu XMMWORD PTR[r13],xmm15 + movdqu XMMWORD PTR[16+r13],xmm0 + movdqu XMMWORD PTR[32+r13],xmm5 + movdqu XMMWORD PTR[48+r13],xmm3 + jmp $L$cbc_dec_done +ALIGN 16 +$L$cbc_dec_three:: + movdqa XMMWORD PTR[32+rbp],xmm14 + call _bsaes_decrypt8 + pxor xmm15,XMMWORD PTR[32+rbp] + movdqu xmm7,XMMWORD PTR[r12] + movdqu xmm8,XMMWORD PTR[16+r12] + pxor xmm0,xmm7 + movdqu xmm14,XMMWORD PTR[32+r12] + pxor xmm5,xmm8 + movdqu XMMWORD PTR[r13],xmm15 + movdqu XMMWORD PTR[16+r13],xmm0 + movdqu XMMWORD PTR[32+r13],xmm5 + jmp $L$cbc_dec_done +ALIGN 16 +$L$cbc_dec_two:: + movdqa XMMWORD PTR[32+rbp],xmm14 + call _bsaes_decrypt8 + pxor xmm15,XMMWORD PTR[32+rbp] + movdqu xmm7,XMMWORD PTR[r12] + movdqu xmm14,XMMWORD PTR[16+r12] + pxor xmm0,xmm7 + movdqu XMMWORD PTR[r13],xmm15 + movdqu XMMWORD PTR[16+r13],xmm0 + jmp $L$cbc_dec_done +ALIGN 16 +$L$cbc_dec_one:: + lea rcx,QWORD PTR[r12] + lea rdx,QWORD PTR[32+rbp] + lea r8,QWORD PTR[r15] + call asm_AES_decrypt + pxor xmm14,XMMWORD PTR[32+rbp] + movdqu XMMWORD PTR[r13],xmm14 + movdqa xmm14,xmm15 + +$L$cbc_dec_done:: + movdqu XMMWORD PTR[rbx],xmm14 + lea rax,QWORD PTR[rsp] + pxor xmm0,xmm0 +$L$cbc_dec_bzero:: + movdqa XMMWORD PTR[rax],xmm0 + movdqa XMMWORD PTR[16+rax],xmm0 + lea rax,QWORD PTR[32+rax] + cmp rbp,rax + ja $L$cbc_dec_bzero + + lea rsp,QWORD PTR[rbp] + movaps xmm6,XMMWORD PTR[64+rbp] + movaps xmm7,XMMWORD PTR[80+rbp] + movaps xmm8,XMMWORD PTR[96+rbp] + movaps 
xmm9,XMMWORD PTR[112+rbp] + movaps xmm10,XMMWORD PTR[128+rbp] + movaps xmm11,XMMWORD PTR[144+rbp] + movaps xmm12,XMMWORD PTR[160+rbp] + movaps xmm13,XMMWORD PTR[176+rbp] + movaps xmm14,XMMWORD PTR[192+rbp] + movaps xmm15,XMMWORD PTR[208+rbp] + lea rsp,QWORD PTR[160+rbp] + mov r15,QWORD PTR[72+rsp] + mov r14,QWORD PTR[80+rsp] + mov r13,QWORD PTR[88+rsp] + mov r12,QWORD PTR[96+rsp] + mov rbx,QWORD PTR[104+rsp] + mov rax,QWORD PTR[112+rsp] + lea rsp,QWORD PTR[120+rsp] + mov rbp,rax +$L$cbc_dec_epilogue:: + DB 0F3h,0C3h ;repret +bsaes_cbc_encrypt ENDP + +PUBLIC bsaes_ctr32_encrypt_blocks + +ALIGN 16 +bsaes_ctr32_encrypt_blocks PROC PUBLIC + mov rax,rsp +$L$ctr_enc_prologue:: + push rbp + push rbx + push r12 + push r13 + push r14 + push r15 + lea rsp,QWORD PTR[((-72))+rsp] + mov r10,QWORD PTR[160+rsp] + lea rsp,QWORD PTR[((-160))+rsp] + movaps XMMWORD PTR[64+rsp],xmm6 + movaps XMMWORD PTR[80+rsp],xmm7 + movaps XMMWORD PTR[96+rsp],xmm8 + movaps XMMWORD PTR[112+rsp],xmm9 + movaps XMMWORD PTR[128+rsp],xmm10 + movaps XMMWORD PTR[144+rsp],xmm11 + movaps XMMWORD PTR[160+rsp],xmm12 + movaps XMMWORD PTR[176+rsp],xmm13 + movaps XMMWORD PTR[192+rsp],xmm14 + movaps XMMWORD PTR[208+rsp],xmm15 +$L$ctr_enc_body:: + mov rbp,rsp + movdqu xmm0,XMMWORD PTR[r10] + mov eax,DWORD PTR[240+r9] + mov r12,rcx + mov r13,rdx + mov r14,r8 + mov r15,r9 + movdqa XMMWORD PTR[32+rbp],xmm0 + cmp r8,8 + jb $L$ctr_enc_short + + mov ebx,eax + shl rax,7 + sub rax,96 + sub rsp,rax + + mov rax,rsp + mov rcx,r15 + mov r10d,ebx + call _bsaes_key_convert + pxor xmm7,xmm6 + movdqa XMMWORD PTR[rax],xmm7 + + movdqa xmm8,XMMWORD PTR[rsp] + lea r11,QWORD PTR[$L$ADD1] + movdqa xmm15,XMMWORD PTR[32+rbp] + movdqa xmm7,XMMWORD PTR[((-32))+r11] +DB 102,68,15,56,0,199 +DB 102,68,15,56,0,255 + movdqa XMMWORD PTR[rsp],xmm8 + jmp $L$ctr_enc_loop +ALIGN 16 +$L$ctr_enc_loop:: + movdqa XMMWORD PTR[32+rbp],xmm15 + movdqa xmm0,xmm15 + movdqa xmm1,xmm15 + paddd xmm0,XMMWORD PTR[r11] + movdqa xmm2,xmm15 + paddd xmm1,XMMWORD 
PTR[16+r11] + movdqa xmm3,xmm15 + paddd xmm2,XMMWORD PTR[32+r11] + movdqa xmm4,xmm15 + paddd xmm3,XMMWORD PTR[48+r11] + movdqa xmm5,xmm15 + paddd xmm4,XMMWORD PTR[64+r11] + movdqa xmm6,xmm15 + paddd xmm5,XMMWORD PTR[80+r11] + paddd xmm6,XMMWORD PTR[96+r11] + + + + movdqa xmm8,XMMWORD PTR[rsp] + lea rax,QWORD PTR[16+rsp] + movdqa xmm7,XMMWORD PTR[((-16))+r11] + pxor xmm15,xmm8 + pxor xmm0,xmm8 +DB 102,68,15,56,0,255 + pxor xmm1,xmm8 +DB 102,15,56,0,199 + pxor xmm2,xmm8 +DB 102,15,56,0,207 + pxor xmm3,xmm8 +DB 102,15,56,0,215 + pxor xmm4,xmm8 +DB 102,15,56,0,223 + pxor xmm5,xmm8 +DB 102,15,56,0,231 + pxor xmm6,xmm8 +DB 102,15,56,0,239 + lea r11,QWORD PTR[$L$BS0] +DB 102,15,56,0,247 + mov r10d,ebx + + call _bsaes_encrypt8_bitslice + + sub r14,8 + jc $L$ctr_enc_loop_done + + movdqu xmm7,XMMWORD PTR[r12] + movdqu xmm8,XMMWORD PTR[16+r12] + movdqu xmm9,XMMWORD PTR[32+r12] + movdqu xmm10,XMMWORD PTR[48+r12] + movdqu xmm11,XMMWORD PTR[64+r12] + movdqu xmm12,XMMWORD PTR[80+r12] + movdqu xmm13,XMMWORD PTR[96+r12] + movdqu xmm14,XMMWORD PTR[112+r12] + lea r12,QWORD PTR[128+r12] + pxor xmm7,xmm15 + movdqa xmm15,XMMWORD PTR[32+rbp] + pxor xmm0,xmm8 + movdqu XMMWORD PTR[r13],xmm7 + pxor xmm3,xmm9 + movdqu XMMWORD PTR[16+r13],xmm0 + pxor xmm5,xmm10 + movdqu XMMWORD PTR[32+r13],xmm3 + pxor xmm2,xmm11 + movdqu XMMWORD PTR[48+r13],xmm5 + pxor xmm6,xmm12 + movdqu XMMWORD PTR[64+r13],xmm2 + pxor xmm1,xmm13 + movdqu XMMWORD PTR[80+r13],xmm6 + pxor xmm4,xmm14 + movdqu XMMWORD PTR[96+r13],xmm1 + lea r11,QWORD PTR[$L$ADD1] + movdqu XMMWORD PTR[112+r13],xmm4 + lea r13,QWORD PTR[128+r13] + paddd xmm15,XMMWORD PTR[112+r11] + jnz $L$ctr_enc_loop + + jmp $L$ctr_enc_done +ALIGN 16 +$L$ctr_enc_loop_done:: + add r14,8 + movdqu xmm7,XMMWORD PTR[r12] + pxor xmm15,xmm7 + movdqu XMMWORD PTR[r13],xmm15 + cmp r14,2 + jb $L$ctr_enc_done + movdqu xmm8,XMMWORD PTR[16+r12] + pxor xmm0,xmm8 + movdqu XMMWORD PTR[16+r13],xmm0 + je $L$ctr_enc_done + movdqu xmm9,XMMWORD PTR[32+r12] + pxor xmm3,xmm9 + movdqu 
XMMWORD PTR[32+r13],xmm3 + cmp r14,4 + jb $L$ctr_enc_done + movdqu xmm10,XMMWORD PTR[48+r12] + pxor xmm5,xmm10 + movdqu XMMWORD PTR[48+r13],xmm5 + je $L$ctr_enc_done + movdqu xmm11,XMMWORD PTR[64+r12] + pxor xmm2,xmm11 + movdqu XMMWORD PTR[64+r13],xmm2 + cmp r14,6 + jb $L$ctr_enc_done + movdqu xmm12,XMMWORD PTR[80+r12] + pxor xmm6,xmm12 + movdqu XMMWORD PTR[80+r13],xmm6 + je $L$ctr_enc_done + movdqu xmm13,XMMWORD PTR[96+r12] + pxor xmm1,xmm13 + movdqu XMMWORD PTR[96+r13],xmm1 + jmp $L$ctr_enc_done + +ALIGN 16 +$L$ctr_enc_short:: + lea rcx,QWORD PTR[32+rbp] + lea rdx,QWORD PTR[48+rbp] + lea r8,QWORD PTR[r15] + call asm_AES_encrypt + movdqu xmm0,XMMWORD PTR[r12] + lea r12,QWORD PTR[16+r12] + mov eax,DWORD PTR[44+rbp] + bswap eax + pxor xmm0,XMMWORD PTR[48+rbp] + inc eax + movdqu XMMWORD PTR[r13],xmm0 + bswap eax + lea r13,QWORD PTR[16+r13] + mov DWORD PTR[44+rsp],eax + dec r14 + jnz $L$ctr_enc_short + +$L$ctr_enc_done:: + lea rax,QWORD PTR[rsp] + pxor xmm0,xmm0 +$L$ctr_enc_bzero:: + movdqa XMMWORD PTR[rax],xmm0 + movdqa XMMWORD PTR[16+rax],xmm0 + lea rax,QWORD PTR[32+rax] + cmp rbp,rax + ja $L$ctr_enc_bzero + + lea rsp,QWORD PTR[rbp] + movaps xmm6,XMMWORD PTR[64+rbp] + movaps xmm7,XMMWORD PTR[80+rbp] + movaps xmm8,XMMWORD PTR[96+rbp] + movaps xmm9,XMMWORD PTR[112+rbp] + movaps xmm10,XMMWORD PTR[128+rbp] + movaps xmm11,XMMWORD PTR[144+rbp] + movaps xmm12,XMMWORD PTR[160+rbp] + movaps xmm13,XMMWORD PTR[176+rbp] + movaps xmm14,XMMWORD PTR[192+rbp] + movaps xmm15,XMMWORD PTR[208+rbp] + lea rsp,QWORD PTR[160+rbp] + mov r15,QWORD PTR[72+rsp] + mov r14,QWORD PTR[80+rsp] + mov r13,QWORD PTR[88+rsp] + mov r12,QWORD PTR[96+rsp] + mov rbx,QWORD PTR[104+rsp] + mov rax,QWORD PTR[112+rsp] + lea rsp,QWORD PTR[120+rsp] + mov rbp,rax +$L$ctr_enc_epilogue:: + DB 0F3h,0C3h ;repret +bsaes_ctr32_encrypt_blocks ENDP +PUBLIC bsaes_xts_encrypt + +ALIGN 16 +bsaes_xts_encrypt PROC PUBLIC + mov rax,rsp +$L$xts_enc_prologue:: + push rbp + push rbx + push r12 + push r13 + push r14 + push r15 + 
lea rsp,QWORD PTR[((-72))+rsp] + mov r10,QWORD PTR[160+rsp] + mov r11,QWORD PTR[168+rsp] + lea rsp,QWORD PTR[((-160))+rsp] + movaps XMMWORD PTR[64+rsp],xmm6 + movaps XMMWORD PTR[80+rsp],xmm7 + movaps XMMWORD PTR[96+rsp],xmm8 + movaps XMMWORD PTR[112+rsp],xmm9 + movaps XMMWORD PTR[128+rsp],xmm10 + movaps XMMWORD PTR[144+rsp],xmm11 + movaps XMMWORD PTR[160+rsp],xmm12 + movaps XMMWORD PTR[176+rsp],xmm13 + movaps XMMWORD PTR[192+rsp],xmm14 + movaps XMMWORD PTR[208+rsp],xmm15 +$L$xts_enc_body:: + mov rbp,rsp + mov r12,rcx + mov r13,rdx + mov r14,r8 + mov r15,r9 + + lea rcx,QWORD PTR[r11] + lea rdx,QWORD PTR[32+rbp] + lea r8,QWORD PTR[r10] + call asm_AES_encrypt + + mov eax,DWORD PTR[240+r15] + mov rbx,r14 + + mov edx,eax + shl rax,7 + sub rax,96 + sub rsp,rax + + mov rax,rsp + mov rcx,r15 + mov r10d,edx + call _bsaes_key_convert + pxor xmm7,xmm6 + movdqa XMMWORD PTR[rax],xmm7 + + and r14,-16 + sub rsp,080h + movdqa xmm6,XMMWORD PTR[32+rbp] + + pxor xmm14,xmm14 + movdqa xmm12,XMMWORD PTR[$L$xts_magic] + pcmpgtd xmm14,xmm6 + + sub r14,080h + jc $L$xts_enc_short + jmp $L$xts_enc_loop + +ALIGN 16 +$L$xts_enc_loop:: + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm15,xmm6 + movdqa XMMWORD PTR[rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm0,xmm6 + movdqa XMMWORD PTR[16+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm7,XMMWORD PTR[r12] + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm1,xmm6 + movdqa XMMWORD PTR[32+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm8,XMMWORD PTR[16+r12] + pxor xmm15,xmm7 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm2,xmm6 + movdqa XMMWORD PTR[48+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm9,XMMWORD PTR[32+r12] + pxor xmm0,xmm8 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + 
movdqa xmm3,xmm6 + movdqa XMMWORD PTR[64+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm10,XMMWORD PTR[48+r12] + pxor xmm1,xmm9 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm4,xmm6 + movdqa XMMWORD PTR[80+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm11,XMMWORD PTR[64+r12] + pxor xmm2,xmm10 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm5,xmm6 + movdqa XMMWORD PTR[96+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm12,XMMWORD PTR[80+r12] + pxor xmm3,xmm11 + movdqu xmm13,XMMWORD PTR[96+r12] + pxor xmm4,xmm12 + movdqu xmm14,XMMWORD PTR[112+r12] + lea r12,QWORD PTR[128+r12] + movdqa XMMWORD PTR[112+rsp],xmm6 + pxor xmm5,xmm13 + lea rax,QWORD PTR[128+rsp] + pxor xmm6,xmm14 + mov r10d,edx + + call _bsaes_encrypt8 + + pxor xmm15,XMMWORD PTR[rsp] + pxor xmm0,XMMWORD PTR[16+rsp] + movdqu XMMWORD PTR[r13],xmm15 + pxor xmm3,XMMWORD PTR[32+rsp] + movdqu XMMWORD PTR[16+r13],xmm0 + pxor xmm5,XMMWORD PTR[48+rsp] + movdqu XMMWORD PTR[32+r13],xmm3 + pxor xmm2,XMMWORD PTR[64+rsp] + movdqu XMMWORD PTR[48+r13],xmm5 + pxor xmm6,XMMWORD PTR[80+rsp] + movdqu XMMWORD PTR[64+r13],xmm2 + pxor xmm1,XMMWORD PTR[96+rsp] + movdqu XMMWORD PTR[80+r13],xmm6 + pxor xmm4,XMMWORD PTR[112+rsp] + movdqu XMMWORD PTR[96+r13],xmm1 + movdqu XMMWORD PTR[112+r13],xmm4 + lea r13,QWORD PTR[128+r13] + + movdqa xmm6,XMMWORD PTR[112+rsp] + pxor xmm14,xmm14 + movdqa xmm12,XMMWORD PTR[$L$xts_magic] + pcmpgtd xmm14,xmm6 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + + sub r14,080h + jnc $L$xts_enc_loop + +$L$xts_enc_short:: + add r14,080h + jz $L$xts_enc_done + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm15,xmm6 + movdqa XMMWORD PTR[rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + pshufd xmm13,xmm14,013h + pxor 
xmm14,xmm14 + movdqa xmm0,xmm6 + movdqa XMMWORD PTR[16+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm7,XMMWORD PTR[r12] + cmp r14,16 + je $L$xts_enc_1 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm1,xmm6 + movdqa XMMWORD PTR[32+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm8,XMMWORD PTR[16+r12] + cmp r14,32 + je $L$xts_enc_2 + pxor xmm15,xmm7 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm2,xmm6 + movdqa XMMWORD PTR[48+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm9,XMMWORD PTR[32+r12] + cmp r14,48 + je $L$xts_enc_3 + pxor xmm0,xmm8 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm3,xmm6 + movdqa XMMWORD PTR[64+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm10,XMMWORD PTR[48+r12] + cmp r14,64 + je $L$xts_enc_4 + pxor xmm1,xmm9 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm4,xmm6 + movdqa XMMWORD PTR[80+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm11,XMMWORD PTR[64+r12] + cmp r14,80 + je $L$xts_enc_5 + pxor xmm2,xmm10 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm5,xmm6 + movdqa XMMWORD PTR[96+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm12,XMMWORD PTR[80+r12] + cmp r14,96 + je $L$xts_enc_6 + pxor xmm3,xmm11 + movdqu xmm13,XMMWORD PTR[96+r12] + pxor xmm4,xmm12 + movdqa XMMWORD PTR[112+rsp],xmm6 + lea r12,QWORD PTR[112+r12] + pxor xmm5,xmm13 + lea rax,QWORD PTR[128+rsp] + mov r10d,edx + + call _bsaes_encrypt8 + + pxor xmm15,XMMWORD PTR[rsp] + pxor xmm0,XMMWORD PTR[16+rsp] + movdqu XMMWORD PTR[r13],xmm15 + pxor xmm3,XMMWORD PTR[32+rsp] + movdqu XMMWORD PTR[16+r13],xmm0 + pxor xmm5,XMMWORD PTR[48+rsp] + movdqu XMMWORD PTR[32+r13],xmm3 + pxor xmm2,XMMWORD PTR[64+rsp] + movdqu XMMWORD PTR[48+r13],xmm5 + pxor 
xmm6,XMMWORD PTR[80+rsp] + movdqu XMMWORD PTR[64+r13],xmm2 + pxor xmm1,XMMWORD PTR[96+rsp] + movdqu XMMWORD PTR[80+r13],xmm6 + movdqu XMMWORD PTR[96+r13],xmm1 + lea r13,QWORD PTR[112+r13] + + movdqa xmm6,XMMWORD PTR[112+rsp] + jmp $L$xts_enc_done +ALIGN 16 +$L$xts_enc_6:: + pxor xmm3,xmm11 + lea r12,QWORD PTR[96+r12] + pxor xmm4,xmm12 + lea rax,QWORD PTR[128+rsp] + mov r10d,edx + + call _bsaes_encrypt8 + + pxor xmm15,XMMWORD PTR[rsp] + pxor xmm0,XMMWORD PTR[16+rsp] + movdqu XMMWORD PTR[r13],xmm15 + pxor xmm3,XMMWORD PTR[32+rsp] + movdqu XMMWORD PTR[16+r13],xmm0 + pxor xmm5,XMMWORD PTR[48+rsp] + movdqu XMMWORD PTR[32+r13],xmm3 + pxor xmm2,XMMWORD PTR[64+rsp] + movdqu XMMWORD PTR[48+r13],xmm5 + pxor xmm6,XMMWORD PTR[80+rsp] + movdqu XMMWORD PTR[64+r13],xmm2 + movdqu XMMWORD PTR[80+r13],xmm6 + lea r13,QWORD PTR[96+r13] + + movdqa xmm6,XMMWORD PTR[96+rsp] + jmp $L$xts_enc_done +ALIGN 16 +$L$xts_enc_5:: + pxor xmm2,xmm10 + lea r12,QWORD PTR[80+r12] + pxor xmm3,xmm11 + lea rax,QWORD PTR[128+rsp] + mov r10d,edx + + call _bsaes_encrypt8 + + pxor xmm15,XMMWORD PTR[rsp] + pxor xmm0,XMMWORD PTR[16+rsp] + movdqu XMMWORD PTR[r13],xmm15 + pxor xmm3,XMMWORD PTR[32+rsp] + movdqu XMMWORD PTR[16+r13],xmm0 + pxor xmm5,XMMWORD PTR[48+rsp] + movdqu XMMWORD PTR[32+r13],xmm3 + pxor xmm2,XMMWORD PTR[64+rsp] + movdqu XMMWORD PTR[48+r13],xmm5 + movdqu XMMWORD PTR[64+r13],xmm2 + lea r13,QWORD PTR[80+r13] + + movdqa xmm6,XMMWORD PTR[80+rsp] + jmp $L$xts_enc_done +ALIGN 16 +$L$xts_enc_4:: + pxor xmm1,xmm9 + lea r12,QWORD PTR[64+r12] + pxor xmm2,xmm10 + lea rax,QWORD PTR[128+rsp] + mov r10d,edx + + call _bsaes_encrypt8 + + pxor xmm15,XMMWORD PTR[rsp] + pxor xmm0,XMMWORD PTR[16+rsp] + movdqu XMMWORD PTR[r13],xmm15 + pxor xmm3,XMMWORD PTR[32+rsp] + movdqu XMMWORD PTR[16+r13],xmm0 + pxor xmm5,XMMWORD PTR[48+rsp] + movdqu XMMWORD PTR[32+r13],xmm3 + movdqu XMMWORD PTR[48+r13],xmm5 + lea r13,QWORD PTR[64+r13] + + movdqa xmm6,XMMWORD PTR[64+rsp] + jmp $L$xts_enc_done +ALIGN 16 +$L$xts_enc_3:: + pxor 
xmm0,xmm8 + lea r12,QWORD PTR[48+r12] + pxor xmm1,xmm9 + lea rax,QWORD PTR[128+rsp] + mov r10d,edx + + call _bsaes_encrypt8 + + pxor xmm15,XMMWORD PTR[rsp] + pxor xmm0,XMMWORD PTR[16+rsp] + movdqu XMMWORD PTR[r13],xmm15 + pxor xmm3,XMMWORD PTR[32+rsp] + movdqu XMMWORD PTR[16+r13],xmm0 + movdqu XMMWORD PTR[32+r13],xmm3 + lea r13,QWORD PTR[48+r13] + + movdqa xmm6,XMMWORD PTR[48+rsp] + jmp $L$xts_enc_done +ALIGN 16 +$L$xts_enc_2:: + pxor xmm15,xmm7 + lea r12,QWORD PTR[32+r12] + pxor xmm0,xmm8 + lea rax,QWORD PTR[128+rsp] + mov r10d,edx + + call _bsaes_encrypt8 + + pxor xmm15,XMMWORD PTR[rsp] + pxor xmm0,XMMWORD PTR[16+rsp] + movdqu XMMWORD PTR[r13],xmm15 + movdqu XMMWORD PTR[16+r13],xmm0 + lea r13,QWORD PTR[32+r13] + + movdqa xmm6,XMMWORD PTR[32+rsp] + jmp $L$xts_enc_done +ALIGN 16 +$L$xts_enc_1:: + pxor xmm7,xmm15 + lea r12,QWORD PTR[16+r12] + movdqa XMMWORD PTR[32+rbp],xmm7 + lea rcx,QWORD PTR[32+rbp] + lea rdx,QWORD PTR[32+rbp] + lea r8,QWORD PTR[r15] + call asm_AES_encrypt + pxor xmm15,XMMWORD PTR[32+rbp] + + + + + + movdqu XMMWORD PTR[r13],xmm15 + lea r13,QWORD PTR[16+r13] + + movdqa xmm6,XMMWORD PTR[16+rsp] + +$L$xts_enc_done:: + and ebx,15 + jz $L$xts_enc_ret + mov rdx,r13 + +$L$xts_enc_steal:: + movzx eax,BYTE PTR[r12] + movzx ecx,BYTE PTR[((-16))+rdx] + lea r12,QWORD PTR[1+r12] + mov BYTE PTR[((-16))+rdx],al + mov BYTE PTR[rdx],cl + lea rdx,QWORD PTR[1+rdx] + sub ebx,1 + jnz $L$xts_enc_steal + + movdqu xmm15,XMMWORD PTR[((-16))+r13] + lea rcx,QWORD PTR[32+rbp] + pxor xmm15,xmm6 + lea rdx,QWORD PTR[32+rbp] + movdqa XMMWORD PTR[32+rbp],xmm15 + lea r8,QWORD PTR[r15] + call asm_AES_encrypt + pxor xmm6,XMMWORD PTR[32+rbp] + movdqu XMMWORD PTR[(-16)+r13],xmm6 + +$L$xts_enc_ret:: + lea rax,QWORD PTR[rsp] + pxor xmm0,xmm0 +$L$xts_enc_bzero:: + movdqa XMMWORD PTR[rax],xmm0 + movdqa XMMWORD PTR[16+rax],xmm0 + lea rax,QWORD PTR[32+rax] + cmp rbp,rax + ja $L$xts_enc_bzero + + lea rsp,QWORD PTR[rbp] + movaps xmm6,XMMWORD PTR[64+rbp] + movaps xmm7,XMMWORD PTR[80+rbp] + 
movaps xmm8,XMMWORD PTR[96+rbp] + movaps xmm9,XMMWORD PTR[112+rbp] + movaps xmm10,XMMWORD PTR[128+rbp] + movaps xmm11,XMMWORD PTR[144+rbp] + movaps xmm12,XMMWORD PTR[160+rbp] + movaps xmm13,XMMWORD PTR[176+rbp] + movaps xmm14,XMMWORD PTR[192+rbp] + movaps xmm15,XMMWORD PTR[208+rbp] + lea rsp,QWORD PTR[160+rbp] + mov r15,QWORD PTR[72+rsp] + mov r14,QWORD PTR[80+rsp] + mov r13,QWORD PTR[88+rsp] + mov r12,QWORD PTR[96+rsp] + mov rbx,QWORD PTR[104+rsp] + mov rax,QWORD PTR[112+rsp] + lea rsp,QWORD PTR[120+rsp] + mov rbp,rax +$L$xts_enc_epilogue:: + DB 0F3h,0C3h ;repret +bsaes_xts_encrypt ENDP + +PUBLIC bsaes_xts_decrypt + +ALIGN 16 +bsaes_xts_decrypt PROC PUBLIC + mov rax,rsp +$L$xts_dec_prologue:: + push rbp + push rbx + push r12 + push r13 + push r14 + push r15 + lea rsp,QWORD PTR[((-72))+rsp] + mov r10,QWORD PTR[160+rsp] + mov r11,QWORD PTR[168+rsp] + lea rsp,QWORD PTR[((-160))+rsp] + movaps XMMWORD PTR[64+rsp],xmm6 + movaps XMMWORD PTR[80+rsp],xmm7 + movaps XMMWORD PTR[96+rsp],xmm8 + movaps XMMWORD PTR[112+rsp],xmm9 + movaps XMMWORD PTR[128+rsp],xmm10 + movaps XMMWORD PTR[144+rsp],xmm11 + movaps XMMWORD PTR[160+rsp],xmm12 + movaps XMMWORD PTR[176+rsp],xmm13 + movaps XMMWORD PTR[192+rsp],xmm14 + movaps XMMWORD PTR[208+rsp],xmm15 +$L$xts_dec_body:: + mov rbp,rsp + mov r12,rcx + mov r13,rdx + mov r14,r8 + mov r15,r9 + + lea rcx,QWORD PTR[r11] + lea rdx,QWORD PTR[32+rbp] + lea r8,QWORD PTR[r10] + call asm_AES_encrypt + + mov eax,DWORD PTR[240+r15] + mov rbx,r14 + + mov edx,eax + shl rax,7 + sub rax,96 + sub rsp,rax + + mov rax,rsp + mov rcx,r15 + mov r10d,edx + call _bsaes_key_convert + pxor xmm7,XMMWORD PTR[rsp] + movdqa XMMWORD PTR[rax],xmm6 + movdqa XMMWORD PTR[rsp],xmm7 + + xor eax,eax + and r14,-16 + test ebx,15 + setnz al + shl rax,4 + sub r14,rax + + sub rsp,080h + movdqa xmm6,XMMWORD PTR[32+rbp] + + pxor xmm14,xmm14 + movdqa xmm12,XMMWORD PTR[$L$xts_magic] + pcmpgtd xmm14,xmm6 + + sub r14,080h + jc $L$xts_dec_short + jmp $L$xts_dec_loop + +ALIGN 16 
+$L$xts_dec_loop:: + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm15,xmm6 + movdqa XMMWORD PTR[rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm0,xmm6 + movdqa XMMWORD PTR[16+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm7,XMMWORD PTR[r12] + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm1,xmm6 + movdqa XMMWORD PTR[32+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm8,XMMWORD PTR[16+r12] + pxor xmm15,xmm7 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm2,xmm6 + movdqa XMMWORD PTR[48+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm9,XMMWORD PTR[32+r12] + pxor xmm0,xmm8 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm3,xmm6 + movdqa XMMWORD PTR[64+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm10,XMMWORD PTR[48+r12] + pxor xmm1,xmm9 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm4,xmm6 + movdqa XMMWORD PTR[80+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm11,XMMWORD PTR[64+r12] + pxor xmm2,xmm10 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm5,xmm6 + movdqa XMMWORD PTR[96+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm12,XMMWORD PTR[80+r12] + pxor xmm3,xmm11 + movdqu xmm13,XMMWORD PTR[96+r12] + pxor xmm4,xmm12 + movdqu xmm14,XMMWORD PTR[112+r12] + lea r12,QWORD PTR[128+r12] + movdqa XMMWORD PTR[112+rsp],xmm6 + pxor xmm5,xmm13 + lea rax,QWORD PTR[128+rsp] + pxor xmm6,xmm14 + mov r10d,edx + + call _bsaes_decrypt8 + + pxor xmm15,XMMWORD PTR[rsp] + pxor xmm0,XMMWORD PTR[16+rsp] + movdqu XMMWORD PTR[r13],xmm15 + pxor xmm5,XMMWORD PTR[32+rsp] + movdqu XMMWORD PTR[16+r13],xmm0 + pxor xmm3,XMMWORD PTR[48+rsp] + movdqu XMMWORD 
PTR[32+r13],xmm5 + pxor xmm1,XMMWORD PTR[64+rsp] + movdqu XMMWORD PTR[48+r13],xmm3 + pxor xmm6,XMMWORD PTR[80+rsp] + movdqu XMMWORD PTR[64+r13],xmm1 + pxor xmm2,XMMWORD PTR[96+rsp] + movdqu XMMWORD PTR[80+r13],xmm6 + pxor xmm4,XMMWORD PTR[112+rsp] + movdqu XMMWORD PTR[96+r13],xmm2 + movdqu XMMWORD PTR[112+r13],xmm4 + lea r13,QWORD PTR[128+r13] + + movdqa xmm6,XMMWORD PTR[112+rsp] + pxor xmm14,xmm14 + movdqa xmm12,XMMWORD PTR[$L$xts_magic] + pcmpgtd xmm14,xmm6 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + + sub r14,080h + jnc $L$xts_dec_loop + +$L$xts_dec_short:: + add r14,080h + jz $L$xts_dec_done + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm15,xmm6 + movdqa XMMWORD PTR[rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm0,xmm6 + movdqa XMMWORD PTR[16+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm7,XMMWORD PTR[r12] + cmp r14,16 + je $L$xts_dec_1 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm1,xmm6 + movdqa XMMWORD PTR[32+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm8,XMMWORD PTR[16+r12] + cmp r14,32 + je $L$xts_dec_2 + pxor xmm15,xmm7 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm2,xmm6 + movdqa XMMWORD PTR[48+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm9,XMMWORD PTR[32+r12] + cmp r14,48 + je $L$xts_dec_3 + pxor xmm0,xmm8 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm3,xmm6 + movdqa XMMWORD PTR[64+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm10,XMMWORD PTR[48+r12] + cmp r14,64 + je $L$xts_dec_4 + pxor xmm1,xmm9 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm4,xmm6 + movdqa XMMWORD PTR[80+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + 
pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm11,XMMWORD PTR[64+r12] + cmp r14,80 + je $L$xts_dec_5 + pxor xmm2,xmm10 + pshufd xmm13,xmm14,013h + pxor xmm14,xmm14 + movdqa xmm5,xmm6 + movdqa XMMWORD PTR[96+rsp],xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + pcmpgtd xmm14,xmm6 + pxor xmm6,xmm13 + movdqu xmm12,XMMWORD PTR[80+r12] + cmp r14,96 + je $L$xts_dec_6 + pxor xmm3,xmm11 + movdqu xmm13,XMMWORD PTR[96+r12] + pxor xmm4,xmm12 + movdqa XMMWORD PTR[112+rsp],xmm6 + lea r12,QWORD PTR[112+r12] + pxor xmm5,xmm13 + lea rax,QWORD PTR[128+rsp] + mov r10d,edx + + call _bsaes_decrypt8 + + pxor xmm15,XMMWORD PTR[rsp] + pxor xmm0,XMMWORD PTR[16+rsp] + movdqu XMMWORD PTR[r13],xmm15 + pxor xmm5,XMMWORD PTR[32+rsp] + movdqu XMMWORD PTR[16+r13],xmm0 + pxor xmm3,XMMWORD PTR[48+rsp] + movdqu XMMWORD PTR[32+r13],xmm5 + pxor xmm1,XMMWORD PTR[64+rsp] + movdqu XMMWORD PTR[48+r13],xmm3 + pxor xmm6,XMMWORD PTR[80+rsp] + movdqu XMMWORD PTR[64+r13],xmm1 + pxor xmm2,XMMWORD PTR[96+rsp] + movdqu XMMWORD PTR[80+r13],xmm6 + movdqu XMMWORD PTR[96+r13],xmm2 + lea r13,QWORD PTR[112+r13] + + movdqa xmm6,XMMWORD PTR[112+rsp] + jmp $L$xts_dec_done +ALIGN 16 +$L$xts_dec_6:: + pxor xmm3,xmm11 + lea r12,QWORD PTR[96+r12] + pxor xmm4,xmm12 + lea rax,QWORD PTR[128+rsp] + mov r10d,edx + + call _bsaes_decrypt8 + + pxor xmm15,XMMWORD PTR[rsp] + pxor xmm0,XMMWORD PTR[16+rsp] + movdqu XMMWORD PTR[r13],xmm15 + pxor xmm5,XMMWORD PTR[32+rsp] + movdqu XMMWORD PTR[16+r13],xmm0 + pxor xmm3,XMMWORD PTR[48+rsp] + movdqu XMMWORD PTR[32+r13],xmm5 + pxor xmm1,XMMWORD PTR[64+rsp] + movdqu XMMWORD PTR[48+r13],xmm3 + pxor xmm6,XMMWORD PTR[80+rsp] + movdqu XMMWORD PTR[64+r13],xmm1 + movdqu XMMWORD PTR[80+r13],xmm6 + lea r13,QWORD PTR[96+r13] + + movdqa xmm6,XMMWORD PTR[96+rsp] + jmp $L$xts_dec_done +ALIGN 16 +$L$xts_dec_5:: + pxor xmm2,xmm10 + lea r12,QWORD PTR[80+r12] + pxor xmm3,xmm11 + lea rax,QWORD PTR[128+rsp] + mov r10d,edx + + call _bsaes_decrypt8 + + pxor xmm15,XMMWORD PTR[rsp] + pxor xmm0,XMMWORD PTR[16+rsp] + 
movdqu XMMWORD PTR[r13],xmm15 + pxor xmm5,XMMWORD PTR[32+rsp] + movdqu XMMWORD PTR[16+r13],xmm0 + pxor xmm3,XMMWORD PTR[48+rsp] + movdqu XMMWORD PTR[32+r13],xmm5 + pxor xmm1,XMMWORD PTR[64+rsp] + movdqu XMMWORD PTR[48+r13],xmm3 + movdqu XMMWORD PTR[64+r13],xmm1 + lea r13,QWORD PTR[80+r13] + + movdqa xmm6,XMMWORD PTR[80+rsp] + jmp $L$xts_dec_done +ALIGN 16 +$L$xts_dec_4:: + pxor xmm1,xmm9 + lea r12,QWORD PTR[64+r12] + pxor xmm2,xmm10 + lea rax,QWORD PTR[128+rsp] + mov r10d,edx + + call _bsaes_decrypt8 + + pxor xmm15,XMMWORD PTR[rsp] + pxor xmm0,XMMWORD PTR[16+rsp] + movdqu XMMWORD PTR[r13],xmm15 + pxor xmm5,XMMWORD PTR[32+rsp] + movdqu XMMWORD PTR[16+r13],xmm0 + pxor xmm3,XMMWORD PTR[48+rsp] + movdqu XMMWORD PTR[32+r13],xmm5 + movdqu XMMWORD PTR[48+r13],xmm3 + lea r13,QWORD PTR[64+r13] + + movdqa xmm6,XMMWORD PTR[64+rsp] + jmp $L$xts_dec_done +ALIGN 16 +$L$xts_dec_3:: + pxor xmm0,xmm8 + lea r12,QWORD PTR[48+r12] + pxor xmm1,xmm9 + lea rax,QWORD PTR[128+rsp] + mov r10d,edx + + call _bsaes_decrypt8 + + pxor xmm15,XMMWORD PTR[rsp] + pxor xmm0,XMMWORD PTR[16+rsp] + movdqu XMMWORD PTR[r13],xmm15 + pxor xmm5,XMMWORD PTR[32+rsp] + movdqu XMMWORD PTR[16+r13],xmm0 + movdqu XMMWORD PTR[32+r13],xmm5 + lea r13,QWORD PTR[48+r13] + + movdqa xmm6,XMMWORD PTR[48+rsp] + jmp $L$xts_dec_done +ALIGN 16 +$L$xts_dec_2:: + pxor xmm15,xmm7 + lea r12,QWORD PTR[32+r12] + pxor xmm0,xmm8 + lea rax,QWORD PTR[128+rsp] + mov r10d,edx + + call _bsaes_decrypt8 + + pxor xmm15,XMMWORD PTR[rsp] + pxor xmm0,XMMWORD PTR[16+rsp] + movdqu XMMWORD PTR[r13],xmm15 + movdqu XMMWORD PTR[16+r13],xmm0 + lea r13,QWORD PTR[32+r13] + + movdqa xmm6,XMMWORD PTR[32+rsp] + jmp $L$xts_dec_done +ALIGN 16 +$L$xts_dec_1:: + pxor xmm7,xmm15 + lea r12,QWORD PTR[16+r12] + movdqa XMMWORD PTR[32+rbp],xmm7 + lea rcx,QWORD PTR[32+rbp] + lea rdx,QWORD PTR[32+rbp] + lea r8,QWORD PTR[r15] + call asm_AES_decrypt + pxor xmm15,XMMWORD PTR[32+rbp] + + + + + + movdqu XMMWORD PTR[r13],xmm15 + lea r13,QWORD PTR[16+r13] + + movdqa 
xmm6,XMMWORD PTR[16+rsp] + +$L$xts_dec_done:: + and ebx,15 + jz $L$xts_dec_ret + + pxor xmm14,xmm14 + movdqa xmm12,XMMWORD PTR[$L$xts_magic] + pcmpgtd xmm14,xmm6 + pshufd xmm13,xmm14,013h + movdqa xmm5,xmm6 + paddq xmm6,xmm6 + pand xmm13,xmm12 + movdqu xmm15,XMMWORD PTR[r12] + pxor xmm6,xmm13 + + lea rcx,QWORD PTR[32+rbp] + pxor xmm15,xmm6 + lea rdx,QWORD PTR[32+rbp] + movdqa XMMWORD PTR[32+rbp],xmm15 + lea r8,QWORD PTR[r15] + call asm_AES_decrypt + pxor xmm6,XMMWORD PTR[32+rbp] + mov rdx,r13 + movdqu XMMWORD PTR[r13],xmm6 + +$L$xts_dec_steal:: + movzx eax,BYTE PTR[16+r12] + movzx ecx,BYTE PTR[rdx] + lea r12,QWORD PTR[1+r12] + mov BYTE PTR[rdx],al + mov BYTE PTR[16+rdx],cl + lea rdx,QWORD PTR[1+rdx] + sub ebx,1 + jnz $L$xts_dec_steal + + movdqu xmm15,XMMWORD PTR[r13] + lea rcx,QWORD PTR[32+rbp] + pxor xmm15,xmm5 + lea rdx,QWORD PTR[32+rbp] + movdqa XMMWORD PTR[32+rbp],xmm15 + lea r8,QWORD PTR[r15] + call asm_AES_decrypt + pxor xmm5,XMMWORD PTR[32+rbp] + movdqu XMMWORD PTR[r13],xmm5 + +$L$xts_dec_ret:: + lea rax,QWORD PTR[rsp] + pxor xmm0,xmm0 +$L$xts_dec_bzero:: + movdqa XMMWORD PTR[rax],xmm0 + movdqa XMMWORD PTR[16+rax],xmm0 + lea rax,QWORD PTR[32+rax] + cmp rbp,rax + ja $L$xts_dec_bzero + + lea rsp,QWORD PTR[rbp] + movaps xmm6,XMMWORD PTR[64+rbp] + movaps xmm7,XMMWORD PTR[80+rbp] + movaps xmm8,XMMWORD PTR[96+rbp] + movaps xmm9,XMMWORD PTR[112+rbp] + movaps xmm10,XMMWORD PTR[128+rbp] + movaps xmm11,XMMWORD PTR[144+rbp] + movaps xmm12,XMMWORD PTR[160+rbp] + movaps xmm13,XMMWORD PTR[176+rbp] + movaps xmm14,XMMWORD PTR[192+rbp] + movaps xmm15,XMMWORD PTR[208+rbp] + lea rsp,QWORD PTR[160+rbp] + mov r15,QWORD PTR[72+rsp] + mov r14,QWORD PTR[80+rsp] + mov r13,QWORD PTR[88+rsp] + mov r12,QWORD PTR[96+rsp] + mov rbx,QWORD PTR[104+rsp] + mov rax,QWORD PTR[112+rsp] + lea rsp,QWORD PTR[120+rsp] + mov rbp,rax +$L$xts_dec_epilogue:: + DB 0F3h,0C3h ;repret +bsaes_xts_decrypt ENDP + +ALIGN 64 +_bsaes_const:: +$L$M0ISR:: + DQ 00a0e0206070b0f03h,00004080c0d010509h +$L$ISRM0:: + DQ 
001040b0e0205080fh,00306090c00070a0dh +$L$ISR:: + DQ 00504070602010003h,00f0e0d0c080b0a09h +$L$BS0:: + DQ 05555555555555555h,05555555555555555h +$L$BS1:: + DQ 03333333333333333h,03333333333333333h +$L$BS2:: + DQ 00f0f0f0f0f0f0f0fh,00f0f0f0f0f0f0f0fh +$L$SR:: + DQ 00504070600030201h,00f0e0d0c0a09080bh +$L$SRM0:: + DQ 00304090e00050a0fh,001060b0c0207080dh +$L$M0SR:: + DQ 00a0e02060f03070bh,00004080c05090d01h +$L$SWPUP:: + DQ 00706050403020100h,00c0d0e0f0b0a0908h +$L$SWPUPM0SR:: + DQ 00a0d02060c03070bh,00004080f05090e01h +$L$ADD1:: + DQ 00000000000000000h,00000000100000000h +$L$ADD2:: + DQ 00000000000000000h,00000000200000000h +$L$ADD3:: + DQ 00000000000000000h,00000000300000000h +$L$ADD4:: + DQ 00000000000000000h,00000000400000000h +$L$ADD5:: + DQ 00000000000000000h,00000000500000000h +$L$ADD6:: + DQ 00000000000000000h,00000000600000000h +$L$ADD7:: + DQ 00000000000000000h,00000000700000000h +$L$ADD8:: + DQ 00000000000000000h,00000000800000000h +$L$xts_magic:: + DD 087h,0,1,0 +$L$masks:: + DQ 00101010101010101h,00101010101010101h + DQ 00202020202020202h,00202020202020202h + DQ 00404040404040404h,00404040404040404h + DQ 00808080808080808h,00808080808080808h +$L$M0:: + DQ 002060a0e03070b0fh,00004080c0105090dh +$L$63:: + DQ 06363636363636363h,06363636363636363h +DB 66,105,116,45,115,108,105,99,101,100,32,65,69,83,32,102 +DB 111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44 +DB 32,69,109,105,108,105,97,32,75,195,164,115,112,101,114,44 +DB 32,80,101,116,101,114,32,83,99,104,119,97,98,101,44,32 +DB 65,110,100,121,32,80,111,108,121,97,107,111,118,0 +ALIGN 64 + +EXTERN __imp_RtlVirtualUnwind:NEAR + +ALIGN 16 +se_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[120+r8] + mov rbx,QWORD PTR[248+r8] + + mov rsi,QWORD PTR[8+r9] + mov r11,QWORD PTR[56+r9] + + mov r10d,DWORD PTR[r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jb $L$in_prologue + + mov rax,QWORD PTR[152+r8] + 
+ mov r10d,DWORD PTR[4+r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jae $L$in_prologue + + mov rax,QWORD PTR[160+r8] + + lea rsi,QWORD PTR[64+rax] + lea rdi,QWORD PTR[512+r8] + mov ecx,20 + DD 0a548f3fch + lea rax,QWORD PTR[160+rax] + + mov rbp,QWORD PTR[112+rax] + mov rbx,QWORD PTR[104+rax] + mov r12,QWORD PTR[96+rax] + mov r13,QWORD PTR[88+rax] + mov r14,QWORD PTR[80+rax] + mov r15,QWORD PTR[72+rax] + lea rax,QWORD PTR[120+rax] + mov QWORD PTR[144+r8],rbx + mov QWORD PTR[160+r8],rbp + mov QWORD PTR[216+r8],r12 + mov QWORD PTR[224+r8],r13 + mov QWORD PTR[232+r8],r14 + mov QWORD PTR[240+r8],r15 + +$L$in_prologue:: + mov QWORD PTR[152+r8],rax + + mov rdi,QWORD PTR[40+r9] + mov rsi,r8 + mov ecx,154 + DD 0a548f3fch + + mov rsi,r9 + xor rcx,rcx + mov rdx,QWORD PTR[8+rsi] + mov r8,QWORD PTR[rsi] + mov r9,QWORD PTR[16+rsi] + mov r10,QWORD PTR[40+rsi] + lea r11,QWORD PTR[56+rsi] + lea r12,QWORD PTR[24+rsi] + mov QWORD PTR[32+rsp],r10 + mov QWORD PTR[40+rsp],r11 + mov QWORD PTR[48+rsp],r12 + mov QWORD PTR[56+rsp],rcx + call QWORD PTR[__imp_RtlVirtualUnwind] + + mov eax,1 + add rsp,64 + popfq + pop r15 + pop r14 + pop r13 + pop r12 + pop rbp + pop rbx + pop rdi + pop rsi + DB 0F3h,0C3h ;repret +se_handler ENDP + +.text$ ENDS +.pdata SEGMENT READONLY ALIGN(4) +ALIGN 4 + DD imagerel $L$cbc_dec_prologue + DD imagerel $L$cbc_dec_epilogue + DD imagerel $L$cbc_dec_info + + DD imagerel $L$ctr_enc_prologue + DD imagerel $L$ctr_enc_epilogue + DD imagerel $L$ctr_enc_info + + DD imagerel $L$xts_enc_prologue + DD imagerel $L$xts_enc_epilogue + DD imagerel $L$xts_enc_info + + DD imagerel $L$xts_dec_prologue + DD imagerel $L$xts_dec_epilogue + DD imagerel $L$xts_dec_info + +.pdata ENDS +.xdata SEGMENT READONLY ALIGN(8) +ALIGN 8 +$L$cbc_dec_info:: +DB 9,0,0,0 + DD imagerel se_handler + DD imagerel $L$cbc_dec_body,imagerel $L$cbc_dec_epilogue +$L$ctr_enc_info:: +DB 9,0,0,0 + DD imagerel se_handler + DD imagerel $L$ctr_enc_body,imagerel $L$ctr_enc_epilogue +$L$xts_enc_info:: +DB 
9,0,0,0 + DD imagerel se_handler + DD imagerel $L$xts_enc_body,imagerel $L$xts_enc_epilogue +$L$xts_dec_info:: +DB 9,0,0,0 + DD imagerel se_handler + DD imagerel $L$xts_dec_body,imagerel $L$xts_dec_epilogue + +.xdata ENDS +END + diff --git a/crypto/aes/bsaes-mingw64-x86_64.S b/crypto/aes/bsaes-mingw64-x86_64.S new file mode 100644 index 0000000..f0b07cb --- /dev/null +++ b/crypto/aes/bsaes-mingw64-x86_64.S 
@@ -0,0 +1,2725 @@ +#include "x86_arch.h" +.text + + + + +.def _bsaes_encrypt8; .scl 3; .type 32; .endef +.p2align 6 +_bsaes_encrypt8: + leaq .LBS0(%rip),%r11 + + movdqa (%rax),%xmm8 + leaq 16(%rax),%rax + movdqa 80(%r11),%xmm7 + pxor %xmm8,%xmm15 + pxor %xmm8,%xmm0 +.byte 102,68,15,56,0,255 + pxor %xmm8,%xmm1 +.byte 102,15,56,0,199 + pxor %xmm8,%xmm2 +.byte 102,15,56,0,207 + pxor %xmm8,%xmm3 +.byte 102,15,56,0,215 + pxor %xmm8,%xmm4 +.byte 102,15,56,0,223 + pxor %xmm8,%xmm5 +.byte 102,15,56,0,231 + pxor %xmm8,%xmm6 +.byte 102,15,56,0,239 +.byte 102,15,56,0,247 +_bsaes_encrypt8_bitslice: + movdqa 0(%r11),%xmm7 + movdqa 16(%r11),%xmm8 + movdqa %xmm5,%xmm9 + psrlq $1,%xmm5 + movdqa %xmm3,%xmm10 + psrlq $1,%xmm3 + pxor %xmm6,%xmm5 + pxor %xmm4,%xmm3 + pand %xmm7,%xmm5 + pand %xmm7,%xmm3 + pxor %xmm5,%xmm6 + psllq $1,%xmm5 + pxor %xmm3,%xmm4 + psllq $1,%xmm3 + pxor %xmm9,%xmm5 + pxor %xmm10,%xmm3 + movdqa %xmm1,%xmm9 + psrlq $1,%xmm1 + movdqa %xmm15,%xmm10 + psrlq $1,%xmm15 + pxor %xmm2,%xmm1 + pxor %xmm0,%xmm15 + pand %xmm7,%xmm1 + pand %xmm7,%xmm15 + pxor %xmm1,%xmm2 + psllq $1,%xmm1 + pxor %xmm15,%xmm0 + psllq $1,%xmm15 + pxor %xmm9,%xmm1 + pxor %xmm10,%xmm15 + movdqa 32(%r11),%xmm7 + movdqa %xmm4,%xmm9 + psrlq $2,%xmm4 + movdqa %xmm3,%xmm10 + psrlq $2,%xmm3 + pxor %xmm6,%xmm4 + pxor %xmm5,%xmm3 + pand %xmm8,%xmm4 + pand %xmm8,%xmm3 + pxor %xmm4,%xmm6 + psllq $2,%xmm4 + pxor %xmm3,%xmm5 + psllq $2,%xmm3 + pxor %xmm9,%xmm4 + pxor %xmm10,%xmm3 + movdqa %xmm0,%xmm9 + psrlq $2,%xmm0 + movdqa %xmm15,%xmm10 + psrlq $2,%xmm15 + pxor %xmm2,%xmm0 + pxor %xmm1,%xmm15 + pand %xmm8,%xmm0 + pand %xmm8,%xmm15 + pxor %xmm0,%xmm2 + psllq $2,%xmm0 + pxor %xmm15,%xmm1 + psllq $2,%xmm15 + pxor %xmm9,%xmm0 + pxor %xmm10,%xmm15 + movdqa %xmm2,%xmm9 + psrlq $4,%xmm2 + movdqa %xmm1,%xmm10 + psrlq $4,%xmm1 + pxor %xmm6,%xmm2 + pxor %xmm5,%xmm1 + pand %xmm7,%xmm2 + pand %xmm7,%xmm1 + pxor %xmm2,%xmm6 + psllq $4,%xmm2 + pxor %xmm1,%xmm5 + psllq $4,%xmm1 + pxor %xmm9,%xmm2 + pxor %xmm10,%xmm1 
+ movdqa %xmm0,%xmm9 + psrlq $4,%xmm0 + movdqa %xmm15,%xmm10 + psrlq $4,%xmm15 + pxor %xmm4,%xmm0 + pxor %xmm3,%xmm15 + pand %xmm7,%xmm0 + pand %xmm7,%xmm15 + pxor %xmm0,%xmm4 + psllq $4,%xmm0 + pxor %xmm15,%xmm3 + psllq $4,%xmm15 + pxor %xmm9,%xmm0 + pxor %xmm10,%xmm15 + decl %r10d + jmp .Lenc_sbox +.p2align 4 +.Lenc_loop: + pxor 0(%rax),%xmm15 + pxor 16(%rax),%xmm0 +.byte 102,68,15,56,0,255 + pxor 32(%rax),%xmm1 +.byte 102,15,56,0,199 + pxor 48(%rax),%xmm2 +.byte 102,15,56,0,207 + pxor 64(%rax),%xmm3 +.byte 102,15,56,0,215 + pxor 80(%rax),%xmm4 +.byte 102,15,56,0,223 + pxor 96(%rax),%xmm5 +.byte 102,15,56,0,231 + pxor 112(%rax),%xmm6 +.byte 102,15,56,0,239 + leaq 128(%rax),%rax +.byte 102,15,56,0,247 +.Lenc_sbox: + pxor %xmm5,%xmm4 + pxor %xmm0,%xmm1 + pxor %xmm15,%xmm2 + pxor %xmm1,%xmm5 + pxor %xmm15,%xmm4 + + pxor %xmm2,%xmm5 + pxor %xmm6,%xmm2 + pxor %xmm4,%xmm6 + pxor %xmm3,%xmm2 + pxor %xmm4,%xmm3 + pxor %xmm0,%xmm2 + + pxor %xmm6,%xmm1 + pxor %xmm4,%xmm0 + movdqa %xmm6,%xmm10 + movdqa %xmm0,%xmm9 + movdqa %xmm4,%xmm8 + movdqa %xmm1,%xmm12 + movdqa %xmm5,%xmm11 + + pxor %xmm3,%xmm10 + pxor %xmm1,%xmm9 + pxor %xmm2,%xmm8 + movdqa %xmm10,%xmm13 + pxor %xmm3,%xmm12 + movdqa %xmm9,%xmm7 + pxor %xmm15,%xmm11 + movdqa %xmm10,%xmm14 + + por %xmm8,%xmm9 + por %xmm11,%xmm10 + pxor %xmm7,%xmm14 + pand %xmm11,%xmm13 + pxor %xmm8,%xmm11 + pand %xmm8,%xmm7 + pand %xmm11,%xmm14 + movdqa %xmm2,%xmm11 + pxor %xmm15,%xmm11 + pand %xmm11,%xmm12 + pxor %xmm12,%xmm10 + pxor %xmm12,%xmm9 + movdqa %xmm6,%xmm12 + movdqa %xmm4,%xmm11 + pxor %xmm0,%xmm12 + pxor %xmm5,%xmm11 + movdqa %xmm12,%xmm8 + pand %xmm11,%xmm12 + por %xmm11,%xmm8 + pxor %xmm12,%xmm7 + pxor %xmm14,%xmm10 + pxor %xmm13,%xmm9 + pxor %xmm14,%xmm8 + movdqa %xmm1,%xmm11 + pxor %xmm13,%xmm7 + movdqa %xmm3,%xmm12 + pxor %xmm13,%xmm8 + movdqa %xmm0,%xmm13 + pand %xmm2,%xmm11 + movdqa %xmm6,%xmm14 + pand %xmm15,%xmm12 + pand %xmm4,%xmm13 + por %xmm5,%xmm14 + pxor %xmm11,%xmm10 + pxor %xmm12,%xmm9 + pxor %xmm13,%xmm8 + 
pxor %xmm14,%xmm7 + + + + + + movdqa %xmm10,%xmm11 + pand %xmm8,%xmm10 + pxor %xmm9,%xmm11 + + movdqa %xmm7,%xmm13 + movdqa %xmm11,%xmm14 + pxor %xmm10,%xmm13 + pand %xmm13,%xmm14 + + movdqa %xmm8,%xmm12 + pxor %xmm9,%xmm14 + pxor %xmm7,%xmm12 + + pxor %xmm9,%xmm10 + + pand %xmm10,%xmm12 + + movdqa %xmm13,%xmm9 + pxor %xmm7,%xmm12 + + pxor %xmm12,%xmm9 + pxor %xmm12,%xmm8 + + pand %xmm7,%xmm9 + + pxor %xmm9,%xmm13 + pxor %xmm9,%xmm8 + + pand %xmm14,%xmm13 + + pxor %xmm11,%xmm13 + movdqa %xmm5,%xmm11 + movdqa %xmm4,%xmm7 + movdqa %xmm14,%xmm9 + pxor %xmm13,%xmm9 + pand %xmm5,%xmm9 + pxor %xmm4,%xmm5 + pand %xmm14,%xmm4 + pand %xmm13,%xmm5 + pxor %xmm4,%xmm5 + pxor %xmm9,%xmm4 + pxor %xmm15,%xmm11 + pxor %xmm2,%xmm7 + pxor %xmm12,%xmm14 + pxor %xmm8,%xmm13 + movdqa %xmm14,%xmm10 + movdqa %xmm12,%xmm9 + pxor %xmm13,%xmm10 + pxor %xmm8,%xmm9 + pand %xmm11,%xmm10 + pand %xmm15,%xmm9 + pxor %xmm7,%xmm11 + pxor %xmm2,%xmm15 + pand %xmm14,%xmm7 + pand %xmm12,%xmm2 + pand %xmm13,%xmm11 + pand %xmm8,%xmm15 + pxor %xmm11,%xmm7 + pxor %xmm2,%xmm15 + pxor %xmm10,%xmm11 + pxor %xmm9,%xmm2 + pxor %xmm11,%xmm5 + pxor %xmm11,%xmm15 + pxor %xmm7,%xmm4 + pxor %xmm7,%xmm2 + + movdqa %xmm6,%xmm11 + movdqa %xmm0,%xmm7 + pxor %xmm3,%xmm11 + pxor %xmm1,%xmm7 + movdqa %xmm14,%xmm10 + movdqa %xmm12,%xmm9 + pxor %xmm13,%xmm10 + pxor %xmm8,%xmm9 + pand %xmm11,%xmm10 + pand %xmm3,%xmm9 + pxor %xmm7,%xmm11 + pxor %xmm1,%xmm3 + pand %xmm14,%xmm7 + pand %xmm12,%xmm1 + pand %xmm13,%xmm11 + pand %xmm8,%xmm3 + pxor %xmm11,%xmm7 + pxor %xmm1,%xmm3 + pxor %xmm10,%xmm11 + pxor %xmm9,%xmm1 + pxor %xmm12,%xmm14 + pxor %xmm8,%xmm13 + movdqa %xmm14,%xmm10 + pxor %xmm13,%xmm10 + pand %xmm6,%xmm10 + pxor %xmm0,%xmm6 + pand %xmm14,%xmm0 + pand %xmm13,%xmm6 + pxor %xmm0,%xmm6 + pxor %xmm10,%xmm0 + pxor %xmm11,%xmm6 + pxor %xmm11,%xmm3 + pxor %xmm7,%xmm0 + pxor %xmm7,%xmm1 + pxor %xmm15,%xmm6 + pxor %xmm5,%xmm0 + pxor %xmm6,%xmm3 + pxor %xmm15,%xmm5 + pxor %xmm0,%xmm15 + + pxor %xmm4,%xmm0 + pxor %xmm1,%xmm4 + 
pxor %xmm2,%xmm1 + pxor %xmm4,%xmm2 + pxor %xmm4,%xmm3 + + pxor %xmm2,%xmm5 + decl %r10d + jl .Lenc_done + pshufd $147,%xmm15,%xmm7 + pshufd $147,%xmm0,%xmm8 + pxor %xmm7,%xmm15 + pshufd $147,%xmm3,%xmm9 + pxor %xmm8,%xmm0 + pshufd $147,%xmm5,%xmm10 + pxor %xmm9,%xmm3 + pshufd $147,%xmm2,%xmm11 + pxor %xmm10,%xmm5 + pshufd $147,%xmm6,%xmm12 + pxor %xmm11,%xmm2 + pshufd $147,%xmm1,%xmm13 + pxor %xmm12,%xmm6 + pshufd $147,%xmm4,%xmm14 + pxor %xmm13,%xmm1 + pxor %xmm14,%xmm4 + + pxor %xmm15,%xmm8 + pxor %xmm4,%xmm7 + pxor %xmm4,%xmm8 + pshufd $78,%xmm15,%xmm15 + pxor %xmm0,%xmm9 + pshufd $78,%xmm0,%xmm0 + pxor %xmm2,%xmm12 + pxor %xmm7,%xmm15 + pxor %xmm6,%xmm13 + pxor %xmm8,%xmm0 + pxor %xmm5,%xmm11 + pshufd $78,%xmm2,%xmm7 + pxor %xmm1,%xmm14 + pshufd $78,%xmm6,%xmm8 + pxor %xmm3,%xmm10 + pshufd $78,%xmm5,%xmm2 + pxor %xmm4,%xmm10 + pshufd $78,%xmm4,%xmm6 + pxor %xmm4,%xmm11 + pshufd $78,%xmm1,%xmm5 + pxor %xmm11,%xmm7 + pshufd $78,%xmm3,%xmm1 + pxor %xmm12,%xmm8 + pxor %xmm10,%xmm2 + pxor %xmm14,%xmm6 + pxor %xmm13,%xmm5 + movdqa %xmm7,%xmm3 + pxor %xmm9,%xmm1 + movdqa %xmm8,%xmm4 + movdqa 48(%r11),%xmm7 + jnz .Lenc_loop + movdqa 64(%r11),%xmm7 + jmp .Lenc_loop +.p2align 4 +.Lenc_done: + movdqa 0(%r11),%xmm7 + movdqa 16(%r11),%xmm8 + movdqa %xmm1,%xmm9 + psrlq $1,%xmm1 + movdqa %xmm2,%xmm10 + psrlq $1,%xmm2 + pxor %xmm4,%xmm1 + pxor %xmm6,%xmm2 + pand %xmm7,%xmm1 + pand %xmm7,%xmm2 + pxor %xmm1,%xmm4 + psllq $1,%xmm1 + pxor %xmm2,%xmm6 + psllq $1,%xmm2 + pxor %xmm9,%xmm1 + pxor %xmm10,%xmm2 + movdqa %xmm3,%xmm9 + psrlq $1,%xmm3 + movdqa %xmm15,%xmm10 + psrlq $1,%xmm15 + pxor %xmm5,%xmm3 + pxor %xmm0,%xmm15 + pand %xmm7,%xmm3 + pand %xmm7,%xmm15 + pxor %xmm3,%xmm5 + psllq $1,%xmm3 + pxor %xmm15,%xmm0 + psllq $1,%xmm15 + pxor %xmm9,%xmm3 + pxor %xmm10,%xmm15 + movdqa 32(%r11),%xmm7 + movdqa %xmm6,%xmm9 + psrlq $2,%xmm6 + movdqa %xmm2,%xmm10 + psrlq $2,%xmm2 + pxor %xmm4,%xmm6 + pxor %xmm1,%xmm2 + pand %xmm8,%xmm6 + pand %xmm8,%xmm2 + pxor %xmm6,%xmm4 + psllq $2,%xmm6 
+ pxor %xmm2,%xmm1 + psllq $2,%xmm2 + pxor %xmm9,%xmm6 + pxor %xmm10,%xmm2 + movdqa %xmm0,%xmm9 + psrlq $2,%xmm0 + movdqa %xmm15,%xmm10 + psrlq $2,%xmm15 + pxor %xmm5,%xmm0 + pxor %xmm3,%xmm15 + pand %xmm8,%xmm0 + pand %xmm8,%xmm15 + pxor %xmm0,%xmm5 + psllq $2,%xmm0 + pxor %xmm15,%xmm3 + psllq $2,%xmm15 + pxor %xmm9,%xmm0 + pxor %xmm10,%xmm15 + movdqa %xmm5,%xmm9 + psrlq $4,%xmm5 + movdqa %xmm3,%xmm10 + psrlq $4,%xmm3 + pxor %xmm4,%xmm5 + pxor %xmm1,%xmm3 + pand %xmm7,%xmm5 + pand %xmm7,%xmm3 + pxor %xmm5,%xmm4 + psllq $4,%xmm5 + pxor %xmm3,%xmm1 + psllq $4,%xmm3 + pxor %xmm9,%xmm5 + pxor %xmm10,%xmm3 + movdqa %xmm0,%xmm9 + psrlq $4,%xmm0 + movdqa %xmm15,%xmm10 + psrlq $4,%xmm15 + pxor %xmm6,%xmm0 + pxor %xmm2,%xmm15 + pand %xmm7,%xmm0 + pand %xmm7,%xmm15 + pxor %xmm0,%xmm6 + psllq $4,%xmm0 + pxor %xmm15,%xmm2 + psllq $4,%xmm15 + pxor %xmm9,%xmm0 + pxor %xmm10,%xmm15 + movdqa (%rax),%xmm7 + pxor %xmm7,%xmm3 + pxor %xmm7,%xmm5 + pxor %xmm7,%xmm2 + pxor %xmm7,%xmm6 + pxor %xmm7,%xmm1 + pxor %xmm7,%xmm4 + pxor %xmm7,%xmm15 + pxor %xmm7,%xmm0 + retq + + +.def _bsaes_decrypt8; .scl 3; .type 32; .endef +.p2align 6 +_bsaes_decrypt8: + leaq .LBS0(%rip),%r11 + + movdqa (%rax),%xmm8 + leaq 16(%rax),%rax + movdqa -48(%r11),%xmm7 + pxor %xmm8,%xmm15 + pxor %xmm8,%xmm0 +.byte 102,68,15,56,0,255 + pxor %xmm8,%xmm1 +.byte 102,15,56,0,199 + pxor %xmm8,%xmm2 +.byte 102,15,56,0,207 + pxor %xmm8,%xmm3 +.byte 102,15,56,0,215 + pxor %xmm8,%xmm4 +.byte 102,15,56,0,223 + pxor %xmm8,%xmm5 +.byte 102,15,56,0,231 + pxor %xmm8,%xmm6 +.byte 102,15,56,0,239 +.byte 102,15,56,0,247 + movdqa 0(%r11),%xmm7 + movdqa 16(%r11),%xmm8 + movdqa %xmm5,%xmm9 + psrlq $1,%xmm5 + movdqa %xmm3,%xmm10 + psrlq $1,%xmm3 + pxor %xmm6,%xmm5 + pxor %xmm4,%xmm3 + pand %xmm7,%xmm5 + pand %xmm7,%xmm3 + pxor %xmm5,%xmm6 + psllq $1,%xmm5 + pxor %xmm3,%xmm4 + psllq $1,%xmm3 + pxor %xmm9,%xmm5 + pxor %xmm10,%xmm3 + movdqa %xmm1,%xmm9 + psrlq $1,%xmm1 + movdqa %xmm15,%xmm10 + psrlq $1,%xmm15 + pxor %xmm2,%xmm1 + pxor 
%xmm0,%xmm15 + pand %xmm7,%xmm1 + pand %xmm7,%xmm15 + pxor %xmm1,%xmm2 + psllq $1,%xmm1 + pxor %xmm15,%xmm0 + psllq $1,%xmm15 + pxor %xmm9,%xmm1 + pxor %xmm10,%xmm15 + movdqa 32(%r11),%xmm7 + movdqa %xmm4,%xmm9 + psrlq $2,%xmm4 + movdqa %xmm3,%xmm10 + psrlq $2,%xmm3 + pxor %xmm6,%xmm4 + pxor %xmm5,%xmm3 + pand %xmm8,%xmm4 + pand %xmm8,%xmm3 + pxor %xmm4,%xmm6 + psllq $2,%xmm4 + pxor %xmm3,%xmm5 + psllq $2,%xmm3 + pxor %xmm9,%xmm4 + pxor %xmm10,%xmm3 + movdqa %xmm0,%xmm9 + psrlq $2,%xmm0 + movdqa %xmm15,%xmm10 + psrlq $2,%xmm15 + pxor %xmm2,%xmm0 + pxor %xmm1,%xmm15 + pand %xmm8,%xmm0 + pand %xmm8,%xmm15 + pxor %xmm0,%xmm2 + psllq $2,%xmm0 + pxor %xmm15,%xmm1 + psllq $2,%xmm15 + pxor %xmm9,%xmm0 + pxor %xmm10,%xmm15 + movdqa %xmm2,%xmm9 + psrlq $4,%xmm2 + movdqa %xmm1,%xmm10 + psrlq $4,%xmm1 + pxor %xmm6,%xmm2 + pxor %xmm5,%xmm1 + pand %xmm7,%xmm2 + pand %xmm7,%xmm1 + pxor %xmm2,%xmm6 + psllq $4,%xmm2 + pxor %xmm1,%xmm5 + psllq $4,%xmm1 + pxor %xmm9,%xmm2 + pxor %xmm10,%xmm1 + movdqa %xmm0,%xmm9 + psrlq $4,%xmm0 + movdqa %xmm15,%xmm10 + psrlq $4,%xmm15 + pxor %xmm4,%xmm0 + pxor %xmm3,%xmm15 + pand %xmm7,%xmm0 + pand %xmm7,%xmm15 + pxor %xmm0,%xmm4 + psllq $4,%xmm0 + pxor %xmm15,%xmm3 + psllq $4,%xmm15 + pxor %xmm9,%xmm0 + pxor %xmm10,%xmm15 + decl %r10d + jmp .Ldec_sbox +.p2align 4 +.Ldec_loop: + pxor 0(%rax),%xmm15 + pxor 16(%rax),%xmm0 +.byte 102,68,15,56,0,255 + pxor 32(%rax),%xmm1 +.byte 102,15,56,0,199 + pxor 48(%rax),%xmm2 +.byte 102,15,56,0,207 + pxor 64(%rax),%xmm3 +.byte 102,15,56,0,215 + pxor 80(%rax),%xmm4 +.byte 102,15,56,0,223 + pxor 96(%rax),%xmm5 +.byte 102,15,56,0,231 + pxor 112(%rax),%xmm6 +.byte 102,15,56,0,239 + leaq 128(%rax),%rax +.byte 102,15,56,0,247 +.Ldec_sbox: + pxor %xmm3,%xmm2 + + pxor %xmm6,%xmm3 + pxor %xmm6,%xmm1 + pxor %xmm3,%xmm5 + pxor %xmm5,%xmm6 + pxor %xmm6,%xmm0 + + pxor %xmm0,%xmm15 + pxor %xmm4,%xmm1 + pxor %xmm15,%xmm2 + pxor %xmm15,%xmm4 + pxor %xmm2,%xmm0 + movdqa %xmm2,%xmm10 + movdqa %xmm6,%xmm9 + movdqa %xmm0,%xmm8 + 
movdqa %xmm3,%xmm12 + movdqa %xmm4,%xmm11 + + pxor %xmm15,%xmm10 + pxor %xmm3,%xmm9 + pxor %xmm5,%xmm8 + movdqa %xmm10,%xmm13 + pxor %xmm15,%xmm12 + movdqa %xmm9,%xmm7 + pxor %xmm1,%xmm11 + movdqa %xmm10,%xmm14 + + por %xmm8,%xmm9 + por %xmm11,%xmm10 + pxor %xmm7,%xmm14 + pand %xmm11,%xmm13 + pxor %xmm8,%xmm11 + pand %xmm8,%xmm7 + pand %xmm11,%xmm14 + movdqa %xmm5,%xmm11 + pxor %xmm1,%xmm11 + pand %xmm11,%xmm12 + pxor %xmm12,%xmm10 + pxor %xmm12,%xmm9 + movdqa %xmm2,%xmm12 + movdqa %xmm0,%xmm11 + pxor %xmm6,%xmm12 + pxor %xmm4,%xmm11 + movdqa %xmm12,%xmm8 + pand %xmm11,%xmm12 + por %xmm11,%xmm8 + pxor %xmm12,%xmm7 + pxor %xmm14,%xmm10 + pxor %xmm13,%xmm9 + pxor %xmm14,%xmm8 + movdqa %xmm3,%xmm11 + pxor %xmm13,%xmm7 + movdqa %xmm15,%xmm12 + pxor %xmm13,%xmm8 + movdqa %xmm6,%xmm13 + pand %xmm5,%xmm11 + movdqa %xmm2,%xmm14 + pand %xmm1,%xmm12 + pand %xmm0,%xmm13 + por %xmm4,%xmm14 + pxor %xmm11,%xmm10 + pxor %xmm12,%xmm9 + pxor %xmm13,%xmm8 + pxor %xmm14,%xmm7 + + + + + + movdqa %xmm10,%xmm11 + pand %xmm8,%xmm10 + pxor %xmm9,%xmm11 + + movdqa %xmm7,%xmm13 + movdqa %xmm11,%xmm14 + pxor %xmm10,%xmm13 + pand %xmm13,%xmm14 + + movdqa %xmm8,%xmm12 + pxor %xmm9,%xmm14 + pxor %xmm7,%xmm12 + + pxor %xmm9,%xmm10 + + pand %xmm10,%xmm12 + + movdqa %xmm13,%xmm9 + pxor %xmm7,%xmm12 + + pxor %xmm12,%xmm9 + pxor %xmm12,%xmm8 + + pand %xmm7,%xmm9 + + pxor %xmm9,%xmm13 + pxor %xmm9,%xmm8 + + pand %xmm14,%xmm13 + + pxor %xmm11,%xmm13 + movdqa %xmm4,%xmm11 + movdqa %xmm0,%xmm7 + movdqa %xmm14,%xmm9 + pxor %xmm13,%xmm9 + pand %xmm4,%xmm9 + pxor %xmm0,%xmm4 + pand %xmm14,%xmm0 + pand %xmm13,%xmm4 + pxor %xmm0,%xmm4 + pxor %xmm9,%xmm0 + pxor %xmm1,%xmm11 + pxor %xmm5,%xmm7 + pxor %xmm12,%xmm14 + pxor %xmm8,%xmm13 + movdqa %xmm14,%xmm10 + movdqa %xmm12,%xmm9 + pxor %xmm13,%xmm10 + pxor %xmm8,%xmm9 + pand %xmm11,%xmm10 + pand %xmm1,%xmm9 + pxor %xmm7,%xmm11 + pxor %xmm5,%xmm1 + pand %xmm14,%xmm7 + pand %xmm12,%xmm5 + pand %xmm13,%xmm11 + pand %xmm8,%xmm1 + pxor %xmm11,%xmm7 + pxor 
%xmm5,%xmm1 + pxor %xmm10,%xmm11 + pxor %xmm9,%xmm5 + pxor %xmm11,%xmm4 + pxor %xmm11,%xmm1 + pxor %xmm7,%xmm0 + pxor %xmm7,%xmm5 + + movdqa %xmm2,%xmm11 + movdqa %xmm6,%xmm7 + pxor %xmm15,%xmm11 + pxor %xmm3,%xmm7 + movdqa %xmm14,%xmm10 + movdqa %xmm12,%xmm9 + pxor %xmm13,%xmm10 + pxor %xmm8,%xmm9 + pand %xmm11,%xmm10 + pand %xmm15,%xmm9 + pxor %xmm7,%xmm11 + pxor %xmm3,%xmm15 + pand %xmm14,%xmm7 + pand %xmm12,%xmm3 + pand %xmm13,%xmm11 + pand %xmm8,%xmm15 + pxor %xmm11,%xmm7 + pxor %xmm3,%xmm15 + pxor %xmm10,%xmm11 + pxor %xmm9,%xmm3 + pxor %xmm12,%xmm14 + pxor %xmm8,%xmm13 + movdqa %xmm14,%xmm10 + pxor %xmm13,%xmm10 + pand %xmm2,%xmm10 + pxor %xmm6,%xmm2 + pand %xmm14,%xmm6 + pand %xmm13,%xmm2 + pxor %xmm6,%xmm2 + pxor %xmm10,%xmm6 + pxor %xmm11,%xmm2 + pxor %xmm11,%xmm15 + pxor %xmm7,%xmm6 + pxor %xmm7,%xmm3 + pxor %xmm6,%xmm0 + pxor %xmm4,%xmm5 + + pxor %xmm0,%xmm3 + pxor %xmm6,%xmm1 + pxor %xmm6,%xmm4 + pxor %xmm1,%xmm3 + pxor %xmm15,%xmm6 + pxor %xmm4,%xmm3 + pxor %xmm5,%xmm2 + pxor %xmm0,%xmm5 + pxor %xmm3,%xmm2 + + pxor %xmm15,%xmm3 + pxor %xmm2,%xmm6 + decl %r10d + jl .Ldec_done + + pshufd $78,%xmm15,%xmm7 + pshufd $78,%xmm2,%xmm13 + pxor %xmm15,%xmm7 + pshufd $78,%xmm4,%xmm14 + pxor %xmm2,%xmm13 + pshufd $78,%xmm0,%xmm8 + pxor %xmm4,%xmm14 + pshufd $78,%xmm5,%xmm9 + pxor %xmm0,%xmm8 + pshufd $78,%xmm3,%xmm10 + pxor %xmm5,%xmm9 + pxor %xmm13,%xmm15 + pxor %xmm13,%xmm0 + pshufd $78,%xmm1,%xmm11 + pxor %xmm3,%xmm10 + pxor %xmm7,%xmm5 + pxor %xmm8,%xmm3 + pshufd $78,%xmm6,%xmm12 + pxor %xmm1,%xmm11 + pxor %xmm14,%xmm0 + pxor %xmm9,%xmm1 + pxor %xmm6,%xmm12 + + pxor %xmm14,%xmm5 + pxor %xmm13,%xmm3 + pxor %xmm13,%xmm1 + pxor %xmm10,%xmm6 + pxor %xmm11,%xmm2 + pxor %xmm14,%xmm1 + pxor %xmm14,%xmm6 + pxor %xmm12,%xmm4 + pshufd $147,%xmm15,%xmm7 + pshufd $147,%xmm0,%xmm8 + pxor %xmm7,%xmm15 + pshufd $147,%xmm5,%xmm9 + pxor %xmm8,%xmm0 + pshufd $147,%xmm3,%xmm10 + pxor %xmm9,%xmm5 + pshufd $147,%xmm1,%xmm11 + pxor %xmm10,%xmm3 + pshufd $147,%xmm6,%xmm12 + pxor 
%xmm11,%xmm1 + pshufd $147,%xmm2,%xmm13 + pxor %xmm12,%xmm6 + pshufd $147,%xmm4,%xmm14 + pxor %xmm13,%xmm2 + pxor %xmm14,%xmm4 + + pxor %xmm15,%xmm8 + pxor %xmm4,%xmm7 + pxor %xmm4,%xmm8 + pshufd $78,%xmm15,%xmm15 + pxor %xmm0,%xmm9 + pshufd $78,%xmm0,%xmm0 + pxor %xmm1,%xmm12 + pxor %xmm7,%xmm15 + pxor %xmm6,%xmm13 + pxor %xmm8,%xmm0 + pxor %xmm3,%xmm11 + pshufd $78,%xmm1,%xmm7 + pxor %xmm2,%xmm14 + pshufd $78,%xmm6,%xmm8 + pxor %xmm5,%xmm10 + pshufd $78,%xmm3,%xmm1 + pxor %xmm4,%xmm10 + pshufd $78,%xmm4,%xmm6 + pxor %xmm4,%xmm11 + pshufd $78,%xmm2,%xmm3 + pxor %xmm11,%xmm7 + pshufd $78,%xmm5,%xmm2 + pxor %xmm12,%xmm8 + pxor %xmm1,%xmm10 + pxor %xmm14,%xmm6 + pxor %xmm3,%xmm13 + movdqa %xmm7,%xmm3 + pxor %xmm9,%xmm2 + movdqa %xmm13,%xmm5 + movdqa %xmm8,%xmm4 + movdqa %xmm2,%xmm1 + movdqa %xmm10,%xmm2 + movdqa -16(%r11),%xmm7 + jnz .Ldec_loop + movdqa -32(%r11),%xmm7 + jmp .Ldec_loop +.p2align 4 +.Ldec_done: + movdqa 0(%r11),%xmm7 + movdqa 16(%r11),%xmm8 + movdqa %xmm2,%xmm9 + psrlq $1,%xmm2 + movdqa %xmm1,%xmm10 + psrlq $1,%xmm1 + pxor %xmm4,%xmm2 + pxor %xmm6,%xmm1 + pand %xmm7,%xmm2 + pand %xmm7,%xmm1 + pxor %xmm2,%xmm4 + psllq $1,%xmm2 + pxor %xmm1,%xmm6 + psllq $1,%xmm1 + pxor %xmm9,%xmm2 + pxor %xmm10,%xmm1 + movdqa %xmm5,%xmm9 + psrlq $1,%xmm5 + movdqa %xmm15,%xmm10 + psrlq $1,%xmm15 + pxor %xmm3,%xmm5 + pxor %xmm0,%xmm15 + pand %xmm7,%xmm5 + pand %xmm7,%xmm15 + pxor %xmm5,%xmm3 + psllq $1,%xmm5 + pxor %xmm15,%xmm0 + psllq $1,%xmm15 + pxor %xmm9,%xmm5 + pxor %xmm10,%xmm15 + movdqa 32(%r11),%xmm7 + movdqa %xmm6,%xmm9 + psrlq $2,%xmm6 + movdqa %xmm1,%xmm10 + psrlq $2,%xmm1 + pxor %xmm4,%xmm6 + pxor %xmm2,%xmm1 + pand %xmm8,%xmm6 + pand %xmm8,%xmm1 + pxor %xmm6,%xmm4 + psllq $2,%xmm6 + pxor %xmm1,%xmm2 + psllq $2,%xmm1 + pxor %xmm9,%xmm6 + pxor %xmm10,%xmm1 + movdqa %xmm0,%xmm9 + psrlq $2,%xmm0 + movdqa %xmm15,%xmm10 + psrlq $2,%xmm15 + pxor %xmm3,%xmm0 + pxor %xmm5,%xmm15 + pand %xmm8,%xmm0 + pand %xmm8,%xmm15 + pxor %xmm0,%xmm3 + psllq $2,%xmm0 + pxor 
%xmm15,%xmm5 + psllq $2,%xmm15 + pxor %xmm9,%xmm0 + pxor %xmm10,%xmm15 + movdqa %xmm3,%xmm9 + psrlq $4,%xmm3 + movdqa %xmm5,%xmm10 + psrlq $4,%xmm5 + pxor %xmm4,%xmm3 + pxor %xmm2,%xmm5 + pand %xmm7,%xmm3 + pand %xmm7,%xmm5 + pxor %xmm3,%xmm4 + psllq $4,%xmm3 + pxor %xmm5,%xmm2 + psllq $4,%xmm5 + pxor %xmm9,%xmm3 + pxor %xmm10,%xmm5 + movdqa %xmm0,%xmm9 + psrlq $4,%xmm0 + movdqa %xmm15,%xmm10 + psrlq $4,%xmm15 + pxor %xmm6,%xmm0 + pxor %xmm1,%xmm15 + pand %xmm7,%xmm0 + pand %xmm7,%xmm15 + pxor %xmm0,%xmm6 + psllq $4,%xmm0 + pxor %xmm15,%xmm1 + psllq $4,%xmm15 + pxor %xmm9,%xmm0 + pxor %xmm10,%xmm15 + movdqa (%rax),%xmm7 + pxor %xmm7,%xmm5 + pxor %xmm7,%xmm3 + pxor %xmm7,%xmm1 + pxor %xmm7,%xmm6 + pxor %xmm7,%xmm2 + pxor %xmm7,%xmm4 + pxor %xmm7,%xmm15 + pxor %xmm7,%xmm0 + retq + +.def _bsaes_key_convert; .scl 3; .type 32; .endef +.p2align 4 +_bsaes_key_convert: + leaq .Lmasks(%rip),%r11 + movdqu (%rcx),%xmm7 + leaq 16(%rcx),%rcx + movdqa 0(%r11),%xmm0 + movdqa 16(%r11),%xmm1 + movdqa 32(%r11),%xmm2 + movdqa 48(%r11),%xmm3 + movdqa 64(%r11),%xmm4 + pcmpeqd %xmm5,%xmm5 + + movdqu (%rcx),%xmm6 + movdqa %xmm7,(%rax) + leaq 16(%rax),%rax + decl %r10d + jmp .Lkey_loop +.p2align 4 +.Lkey_loop: +.byte 102,15,56,0,244 + + movdqa %xmm0,%xmm8 + movdqa %xmm1,%xmm9 + + pand %xmm6,%xmm8 + pand %xmm6,%xmm9 + movdqa %xmm2,%xmm10 + pcmpeqb %xmm0,%xmm8 + psllq $4,%xmm0 + movdqa %xmm3,%xmm11 + pcmpeqb %xmm1,%xmm9 + psllq $4,%xmm1 + + pand %xmm6,%xmm10 + pand %xmm6,%xmm11 + movdqa %xmm0,%xmm12 + pcmpeqb %xmm2,%xmm10 + psllq $4,%xmm2 + movdqa %xmm1,%xmm13 + pcmpeqb %xmm3,%xmm11 + psllq $4,%xmm3 + + movdqa %xmm2,%xmm14 + movdqa %xmm3,%xmm15 + pxor %xmm5,%xmm8 + pxor %xmm5,%xmm9 + + pand %xmm6,%xmm12 + pand %xmm6,%xmm13 + movdqa %xmm8,0(%rax) + pcmpeqb %xmm0,%xmm12 + psrlq $4,%xmm0 + movdqa %xmm9,16(%rax) + pcmpeqb %xmm1,%xmm13 + psrlq $4,%xmm1 + leaq 16(%rcx),%rcx + + pand %xmm6,%xmm14 + pand %xmm6,%xmm15 + movdqa %xmm10,32(%rax) + pcmpeqb %xmm2,%xmm14 + psrlq $4,%xmm2 + movdqa 
%xmm11,48(%rax) + pcmpeqb %xmm3,%xmm15 + psrlq $4,%xmm3 + movdqu (%rcx),%xmm6 + + pxor %xmm5,%xmm13 + pxor %xmm5,%xmm14 + movdqa %xmm12,64(%rax) + movdqa %xmm13,80(%rax) + movdqa %xmm14,96(%rax) + movdqa %xmm15,112(%rax) + leaq 128(%rax),%rax + decl %r10d + jnz .Lkey_loop + + movdqa 80(%r11),%xmm7 + + retq + + +.globl bsaes_cbc_encrypt +.def bsaes_cbc_encrypt; .scl 2; .type 32; .endef +.p2align 4 +bsaes_cbc_encrypt: + movl 48(%rsp),%r11d + cmpl $0,%r11d + jne asm_AES_cbc_encrypt + cmpq $128,%r8 + jb asm_AES_cbc_encrypt + + movq %rsp,%rax +.Lcbc_dec_prologue: + pushq %rbp + pushq %rbx + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + leaq -72(%rsp),%rsp + movq 160(%rsp),%r10 + leaq -160(%rsp),%rsp + movaps %xmm6,64(%rsp) + movaps %xmm7,80(%rsp) + movaps %xmm8,96(%rsp) + movaps %xmm9,112(%rsp) + movaps %xmm10,128(%rsp) + movaps %xmm11,144(%rsp) + movaps %xmm12,160(%rsp) + movaps %xmm13,176(%rsp) + movaps %xmm14,192(%rsp) + movaps %xmm15,208(%rsp) +.Lcbc_dec_body: + movq %rsp,%rbp + movl 240(%r9),%eax + movq %rcx,%r12 + movq %rdx,%r13 + movq %r8,%r14 + movq %r9,%r15 + movq %r10,%rbx + shrq $4,%r14 + + movl %eax,%edx + shlq $7,%rax + subq $96,%rax + subq %rax,%rsp + + movq %rsp,%rax + movq %r15,%rcx + movl %edx,%r10d + call _bsaes_key_convert + pxor (%rsp),%xmm7 + movdqa %xmm6,(%rax) + movdqa %xmm7,(%rsp) + + movdqu (%rbx),%xmm14 + subq $8,%r14 +.Lcbc_dec_loop: + movdqu 0(%r12),%xmm15 + movdqu 16(%r12),%xmm0 + movdqu 32(%r12),%xmm1 + movdqu 48(%r12),%xmm2 + movdqu 64(%r12),%xmm3 + movdqu 80(%r12),%xmm4 + movq %rsp,%rax + movdqu 96(%r12),%xmm5 + movl %edx,%r10d + movdqu 112(%r12),%xmm6 + movdqa %xmm14,32(%rbp) + + call _bsaes_decrypt8 + + pxor 32(%rbp),%xmm15 + movdqu 0(%r12),%xmm7 + movdqu 16(%r12),%xmm8 + pxor %xmm7,%xmm0 + movdqu 32(%r12),%xmm9 + pxor %xmm8,%xmm5 + movdqu 48(%r12),%xmm10 + pxor %xmm9,%xmm3 + movdqu 64(%r12),%xmm11 + pxor %xmm10,%xmm1 + movdqu 80(%r12),%xmm12 + pxor %xmm11,%xmm6 + movdqu 96(%r12),%xmm13 + pxor %xmm12,%xmm2 + movdqu 
112(%r12),%xmm14 + pxor %xmm13,%xmm4 + movdqu %xmm15,0(%r13) + leaq 128(%r12),%r12 + movdqu %xmm0,16(%r13) + movdqu %xmm5,32(%r13) + movdqu %xmm3,48(%r13) + movdqu %xmm1,64(%r13) + movdqu %xmm6,80(%r13) + movdqu %xmm2,96(%r13) + movdqu %xmm4,112(%r13) + leaq 128(%r13),%r13 + subq $8,%r14 + jnc .Lcbc_dec_loop + + addq $8,%r14 + jz .Lcbc_dec_done + + movdqu 0(%r12),%xmm15 + movq %rsp,%rax + movl %edx,%r10d + cmpq $2,%r14 + jb .Lcbc_dec_one + movdqu 16(%r12),%xmm0 + je .Lcbc_dec_two + movdqu 32(%r12),%xmm1 + cmpq $4,%r14 + jb .Lcbc_dec_three + movdqu 48(%r12),%xmm2 + je .Lcbc_dec_four + movdqu 64(%r12),%xmm3 + cmpq $6,%r14 + jb .Lcbc_dec_five + movdqu 80(%r12),%xmm4 + je .Lcbc_dec_six + movdqu 96(%r12),%xmm5 + movdqa %xmm14,32(%rbp) + call _bsaes_decrypt8 + pxor 32(%rbp),%xmm15 + movdqu 0(%r12),%xmm7 + movdqu 16(%r12),%xmm8 + pxor %xmm7,%xmm0 + movdqu 32(%r12),%xmm9 + pxor %xmm8,%xmm5 + movdqu 48(%r12),%xmm10 + pxor %xmm9,%xmm3 + movdqu 64(%r12),%xmm11 + pxor %xmm10,%xmm1 + movdqu 80(%r12),%xmm12 + pxor %xmm11,%xmm6 + movdqu 96(%r12),%xmm14 + pxor %xmm12,%xmm2 + movdqu %xmm15,0(%r13) + movdqu %xmm0,16(%r13) + movdqu %xmm5,32(%r13) + movdqu %xmm3,48(%r13) + movdqu %xmm1,64(%r13) + movdqu %xmm6,80(%r13) + movdqu %xmm2,96(%r13) + jmp .Lcbc_dec_done +.p2align 4 +.Lcbc_dec_six: + movdqa %xmm14,32(%rbp) + call _bsaes_decrypt8 + pxor 32(%rbp),%xmm15 + movdqu 0(%r12),%xmm7 + movdqu 16(%r12),%xmm8 + pxor %xmm7,%xmm0 + movdqu 32(%r12),%xmm9 + pxor %xmm8,%xmm5 + movdqu 48(%r12),%xmm10 + pxor %xmm9,%xmm3 + movdqu 64(%r12),%xmm11 + pxor %xmm10,%xmm1 + movdqu 80(%r12),%xmm14 + pxor %xmm11,%xmm6 + movdqu %xmm15,0(%r13) + movdqu %xmm0,16(%r13) + movdqu %xmm5,32(%r13) + movdqu %xmm3,48(%r13) + movdqu %xmm1,64(%r13) + movdqu %xmm6,80(%r13) + jmp .Lcbc_dec_done +.p2align 4 +.Lcbc_dec_five: + movdqa %xmm14,32(%rbp) + call _bsaes_decrypt8 + pxor 32(%rbp),%xmm15 + movdqu 0(%r12),%xmm7 + movdqu 16(%r12),%xmm8 + pxor %xmm7,%xmm0 + movdqu 32(%r12),%xmm9 + pxor %xmm8,%xmm5 + movdqu 
48(%r12),%xmm10 + pxor %xmm9,%xmm3 + movdqu 64(%r12),%xmm14 + pxor %xmm10,%xmm1 + movdqu %xmm15,0(%r13) + movdqu %xmm0,16(%r13) + movdqu %xmm5,32(%r13) + movdqu %xmm3,48(%r13) + movdqu %xmm1,64(%r13) + jmp .Lcbc_dec_done +.p2align 4 +.Lcbc_dec_four: + movdqa %xmm14,32(%rbp) + call _bsaes_decrypt8 + pxor 32(%rbp),%xmm15 + movdqu 0(%r12),%xmm7 + movdqu 16(%r12),%xmm8 + pxor %xmm7,%xmm0 + movdqu 32(%r12),%xmm9 + pxor %xmm8,%xmm5 + movdqu 48(%r12),%xmm14 + pxor %xmm9,%xmm3 + movdqu %xmm15,0(%r13) + movdqu %xmm0,16(%r13) + movdqu %xmm5,32(%r13) + movdqu %xmm3,48(%r13) + jmp .Lcbc_dec_done +.p2align 4 +.Lcbc_dec_three: + movdqa %xmm14,32(%rbp) + call _bsaes_decrypt8 + pxor 32(%rbp),%xmm15 + movdqu 0(%r12),%xmm7 + movdqu 16(%r12),%xmm8 + pxor %xmm7,%xmm0 + movdqu 32(%r12),%xmm14 + pxor %xmm8,%xmm5 + movdqu %xmm15,0(%r13) + movdqu %xmm0,16(%r13) + movdqu %xmm5,32(%r13) + jmp .Lcbc_dec_done +.p2align 4 +.Lcbc_dec_two: + movdqa %xmm14,32(%rbp) + call _bsaes_decrypt8 + pxor 32(%rbp),%xmm15 + movdqu 0(%r12),%xmm7 + movdqu 16(%r12),%xmm14 + pxor %xmm7,%xmm0 + movdqu %xmm15,0(%r13) + movdqu %xmm0,16(%r13) + jmp .Lcbc_dec_done +.p2align 4 +.Lcbc_dec_one: + leaq (%r12),%rcx + leaq 32(%rbp),%rdx + leaq (%r15),%r8 + call asm_AES_decrypt + pxor 32(%rbp),%xmm14 + movdqu %xmm14,(%r13) + movdqa %xmm15,%xmm14 + +.Lcbc_dec_done: + movdqu %xmm14,(%rbx) + leaq (%rsp),%rax + pxor %xmm0,%xmm0 +.Lcbc_dec_bzero: + movdqa %xmm0,0(%rax) + movdqa %xmm0,16(%rax) + leaq 32(%rax),%rax + cmpq %rax,%rbp + ja .Lcbc_dec_bzero + + leaq (%rbp),%rsp + movaps 64(%rbp),%xmm6 + movaps 80(%rbp),%xmm7 + movaps 96(%rbp),%xmm8 + movaps 112(%rbp),%xmm9 + movaps 128(%rbp),%xmm10 + movaps 144(%rbp),%xmm11 + movaps 160(%rbp),%xmm12 + movaps 176(%rbp),%xmm13 + movaps 192(%rbp),%xmm14 + movaps 208(%rbp),%xmm15 + leaq 160(%rbp),%rsp + movq 72(%rsp),%r15 + movq 80(%rsp),%r14 + movq 88(%rsp),%r13 + movq 96(%rsp),%r12 + movq 104(%rsp),%rbx + movq 112(%rsp),%rax + leaq 120(%rsp),%rsp + movq %rax,%rbp +.Lcbc_dec_epilogue: + 
retq + + +.globl bsaes_ctr32_encrypt_blocks +.def bsaes_ctr32_encrypt_blocks; .scl 2; .type 32; .endef +.p2align 4 +bsaes_ctr32_encrypt_blocks: + movq %rsp,%rax +.Lctr_enc_prologue: + pushq %rbp + pushq %rbx + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + leaq -72(%rsp),%rsp + movq 160(%rsp),%r10 + leaq -160(%rsp),%rsp + movaps %xmm6,64(%rsp) + movaps %xmm7,80(%rsp) + movaps %xmm8,96(%rsp) + movaps %xmm9,112(%rsp) + movaps %xmm10,128(%rsp) + movaps %xmm11,144(%rsp) + movaps %xmm12,160(%rsp) + movaps %xmm13,176(%rsp) + movaps %xmm14,192(%rsp) + movaps %xmm15,208(%rsp) +.Lctr_enc_body: + movq %rsp,%rbp + movdqu (%r10),%xmm0 + movl 240(%r9),%eax + movq %rcx,%r12 + movq %rdx,%r13 + movq %r8,%r14 + movq %r9,%r15 + movdqa %xmm0,32(%rbp) + cmpq $8,%r8 + jb .Lctr_enc_short + + movl %eax,%ebx + shlq $7,%rax + subq $96,%rax + subq %rax,%rsp + + movq %rsp,%rax + movq %r15,%rcx + movl %ebx,%r10d + call _bsaes_key_convert + pxor %xmm6,%xmm7 + movdqa %xmm7,(%rax) + + movdqa (%rsp),%xmm8 + leaq .LADD1(%rip),%r11 + movdqa 32(%rbp),%xmm15 + movdqa -32(%r11),%xmm7 +.byte 102,68,15,56,0,199 +.byte 102,68,15,56,0,255 + movdqa %xmm8,(%rsp) + jmp .Lctr_enc_loop +.p2align 4 +.Lctr_enc_loop: + movdqa %xmm15,32(%rbp) + movdqa %xmm15,%xmm0 + movdqa %xmm15,%xmm1 + paddd 0(%r11),%xmm0 + movdqa %xmm15,%xmm2 + paddd 16(%r11),%xmm1 + movdqa %xmm15,%xmm3 + paddd 32(%r11),%xmm2 + movdqa %xmm15,%xmm4 + paddd 48(%r11),%xmm3 + movdqa %xmm15,%xmm5 + paddd 64(%r11),%xmm4 + movdqa %xmm15,%xmm6 + paddd 80(%r11),%xmm5 + paddd 96(%r11),%xmm6 + + + + movdqa (%rsp),%xmm8 + leaq 16(%rsp),%rax + movdqa -16(%r11),%xmm7 + pxor %xmm8,%xmm15 + pxor %xmm8,%xmm0 +.byte 102,68,15,56,0,255 + pxor %xmm8,%xmm1 +.byte 102,15,56,0,199 + pxor %xmm8,%xmm2 +.byte 102,15,56,0,207 + pxor %xmm8,%xmm3 +.byte 102,15,56,0,215 + pxor %xmm8,%xmm4 +.byte 102,15,56,0,223 + pxor %xmm8,%xmm5 +.byte 102,15,56,0,231 + pxor %xmm8,%xmm6 +.byte 102,15,56,0,239 + leaq .LBS0(%rip),%r11 +.byte 102,15,56,0,247 + movl %ebx,%r10d + + call 
_bsaes_encrypt8_bitslice + + subq $8,%r14 + jc .Lctr_enc_loop_done + + movdqu 0(%r12),%xmm7 + movdqu 16(%r12),%xmm8 + movdqu 32(%r12),%xmm9 + movdqu 48(%r12),%xmm10 + movdqu 64(%r12),%xmm11 + movdqu 80(%r12),%xmm12 + movdqu 96(%r12),%xmm13 + movdqu 112(%r12),%xmm14 + leaq 128(%r12),%r12 + pxor %xmm15,%xmm7 + movdqa 32(%rbp),%xmm15 + pxor %xmm8,%xmm0 + movdqu %xmm7,0(%r13) + pxor %xmm9,%xmm3 + movdqu %xmm0,16(%r13) + pxor %xmm10,%xmm5 + movdqu %xmm3,32(%r13) + pxor %xmm11,%xmm2 + movdqu %xmm5,48(%r13) + pxor %xmm12,%xmm6 + movdqu %xmm2,64(%r13) + pxor %xmm13,%xmm1 + movdqu %xmm6,80(%r13) + pxor %xmm14,%xmm4 + movdqu %xmm1,96(%r13) + leaq .LADD1(%rip),%r11 + movdqu %xmm4,112(%r13) + leaq 128(%r13),%r13 + paddd 112(%r11),%xmm15 + jnz .Lctr_enc_loop + + jmp .Lctr_enc_done +.p2align 4 +.Lctr_enc_loop_done: + addq $8,%r14 + movdqu 0(%r12),%xmm7 + pxor %xmm7,%xmm15 + movdqu %xmm15,0(%r13) + cmpq $2,%r14 + jb .Lctr_enc_done + movdqu 16(%r12),%xmm8 + pxor %xmm8,%xmm0 + movdqu %xmm0,16(%r13) + je .Lctr_enc_done + movdqu 32(%r12),%xmm9 + pxor %xmm9,%xmm3 + movdqu %xmm3,32(%r13) + cmpq $4,%r14 + jb .Lctr_enc_done + movdqu 48(%r12),%xmm10 + pxor %xmm10,%xmm5 + movdqu %xmm5,48(%r13) + je .Lctr_enc_done + movdqu 64(%r12),%xmm11 + pxor %xmm11,%xmm2 + movdqu %xmm2,64(%r13) + cmpq $6,%r14 + jb .Lctr_enc_done + movdqu 80(%r12),%xmm12 + pxor %xmm12,%xmm6 + movdqu %xmm6,80(%r13) + je .Lctr_enc_done + movdqu 96(%r12),%xmm13 + pxor %xmm13,%xmm1 + movdqu %xmm1,96(%r13) + jmp .Lctr_enc_done + +.p2align 4 +.Lctr_enc_short: + leaq 32(%rbp),%rcx + leaq 48(%rbp),%rdx + leaq (%r15),%r8 + call asm_AES_encrypt + movdqu (%r12),%xmm0 + leaq 16(%r12),%r12 + movl 44(%rbp),%eax + bswapl %eax + pxor 48(%rbp),%xmm0 + incl %eax + movdqu %xmm0,(%r13) + bswapl %eax + leaq 16(%r13),%r13 + movl %eax,44(%rsp) + decq %r14 + jnz .Lctr_enc_short + +.Lctr_enc_done: + leaq (%rsp),%rax + pxor %xmm0,%xmm0 +.Lctr_enc_bzero: + movdqa %xmm0,0(%rax) + movdqa %xmm0,16(%rax) + leaq 32(%rax),%rax + cmpq %rax,%rbp + ja 
.Lctr_enc_bzero + + leaq (%rbp),%rsp + movaps 64(%rbp),%xmm6 + movaps 80(%rbp),%xmm7 + movaps 96(%rbp),%xmm8 + movaps 112(%rbp),%xmm9 + movaps 128(%rbp),%xmm10 + movaps 144(%rbp),%xmm11 + movaps 160(%rbp),%xmm12 + movaps 176(%rbp),%xmm13 + movaps 192(%rbp),%xmm14 + movaps 208(%rbp),%xmm15 + leaq 160(%rbp),%rsp + movq 72(%rsp),%r15 + movq 80(%rsp),%r14 + movq 88(%rsp),%r13 + movq 96(%rsp),%r12 + movq 104(%rsp),%rbx + movq 112(%rsp),%rax + leaq 120(%rsp),%rsp + movq %rax,%rbp +.Lctr_enc_epilogue: + retq + +.globl bsaes_xts_encrypt +.def bsaes_xts_encrypt; .scl 2; .type 32; .endef +.p2align 4 +bsaes_xts_encrypt: + movq %rsp,%rax +.Lxts_enc_prologue: + pushq %rbp + pushq %rbx + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + leaq -72(%rsp),%rsp + movq 160(%rsp),%r10 + movq 168(%rsp),%r11 + leaq -160(%rsp),%rsp + movaps %xmm6,64(%rsp) + movaps %xmm7,80(%rsp) + movaps %xmm8,96(%rsp) + movaps %xmm9,112(%rsp) + movaps %xmm10,128(%rsp) + movaps %xmm11,144(%rsp) + movaps %xmm12,160(%rsp) + movaps %xmm13,176(%rsp) + movaps %xmm14,192(%rsp) + movaps %xmm15,208(%rsp) +.Lxts_enc_body: + movq %rsp,%rbp + movq %rcx,%r12 + movq %rdx,%r13 + movq %r8,%r14 + movq %r9,%r15 + + leaq (%r11),%rcx + leaq 32(%rbp),%rdx + leaq (%r10),%r8 + call asm_AES_encrypt + + movl 240(%r15),%eax + movq %r14,%rbx + + movl %eax,%edx + shlq $7,%rax + subq $96,%rax + subq %rax,%rsp + + movq %rsp,%rax + movq %r15,%rcx + movl %edx,%r10d + call _bsaes_key_convert + pxor %xmm6,%xmm7 + movdqa %xmm7,(%rax) + + andq $-16,%r14 + subq $128,%rsp + movdqa 32(%rbp),%xmm6 + + pxor %xmm14,%xmm14 + movdqa .Lxts_magic(%rip),%xmm12 + pcmpgtd %xmm6,%xmm14 + + subq $128,%r14 + jc .Lxts_enc_short + jmp .Lxts_enc_loop + +.p2align 4 +.Lxts_enc_loop: + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm15 + movdqa %xmm6,0(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm0 + movdqa %xmm6,16(%rsp) + paddq 
%xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 0(%r12),%xmm7 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm1 + movdqa %xmm6,32(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 16(%r12),%xmm8 + pxor %xmm7,%xmm15 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm2 + movdqa %xmm6,48(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 32(%r12),%xmm9 + pxor %xmm8,%xmm0 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm3 + movdqa %xmm6,64(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 48(%r12),%xmm10 + pxor %xmm9,%xmm1 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm4 + movdqa %xmm6,80(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 64(%r12),%xmm11 + pxor %xmm10,%xmm2 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm5 + movdqa %xmm6,96(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 80(%r12),%xmm12 + pxor %xmm11,%xmm3 + movdqu 96(%r12),%xmm13 + pxor %xmm12,%xmm4 + movdqu 112(%r12),%xmm14 + leaq 128(%r12),%r12 + movdqa %xmm6,112(%rsp) + pxor %xmm13,%xmm5 + leaq 128(%rsp),%rax + pxor %xmm14,%xmm6 + movl %edx,%r10d + + call _bsaes_encrypt8 + + pxor 0(%rsp),%xmm15 + pxor 16(%rsp),%xmm0 + movdqu %xmm15,0(%r13) + pxor 32(%rsp),%xmm3 + movdqu %xmm0,16(%r13) + pxor 48(%rsp),%xmm5 + movdqu %xmm3,32(%r13) + pxor 64(%rsp),%xmm2 + movdqu %xmm5,48(%r13) + pxor 80(%rsp),%xmm6 + movdqu %xmm2,64(%r13) + pxor 96(%rsp),%xmm1 + movdqu %xmm6,80(%r13) + pxor 112(%rsp),%xmm4 + movdqu %xmm1,96(%r13) + movdqu %xmm4,112(%r13) + leaq 128(%r13),%r13 + + movdqa 112(%rsp),%xmm6 + pxor %xmm14,%xmm14 + movdqa .Lxts_magic(%rip),%xmm12 + pcmpgtd %xmm6,%xmm14 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + paddq %xmm6,%xmm6 + 
pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + + subq $128,%r14 + jnc .Lxts_enc_loop + +.Lxts_enc_short: + addq $128,%r14 + jz .Lxts_enc_done + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm15 + movdqa %xmm6,0(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm0 + movdqa %xmm6,16(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 0(%r12),%xmm7 + cmpq $16,%r14 + je .Lxts_enc_1 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm1 + movdqa %xmm6,32(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 16(%r12),%xmm8 + cmpq $32,%r14 + je .Lxts_enc_2 + pxor %xmm7,%xmm15 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm2 + movdqa %xmm6,48(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 32(%r12),%xmm9 + cmpq $48,%r14 + je .Lxts_enc_3 + pxor %xmm8,%xmm0 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm3 + movdqa %xmm6,64(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 48(%r12),%xmm10 + cmpq $64,%r14 + je .Lxts_enc_4 + pxor %xmm9,%xmm1 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm4 + movdqa %xmm6,80(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 64(%r12),%xmm11 + cmpq $80,%r14 + je .Lxts_enc_5 + pxor %xmm10,%xmm2 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm5 + movdqa %xmm6,96(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 80(%r12),%xmm12 + cmpq $96,%r14 + je .Lxts_enc_6 + pxor %xmm11,%xmm3 + movdqu 96(%r12),%xmm13 + pxor %xmm12,%xmm4 + movdqa %xmm6,112(%rsp) + leaq 112(%r12),%r12 + pxor %xmm13,%xmm5 + leaq 128(%rsp),%rax + movl %edx,%r10d + + 
call _bsaes_encrypt8 + + pxor 0(%rsp),%xmm15 + pxor 16(%rsp),%xmm0 + movdqu %xmm15,0(%r13) + pxor 32(%rsp),%xmm3 + movdqu %xmm0,16(%r13) + pxor 48(%rsp),%xmm5 + movdqu %xmm3,32(%r13) + pxor 64(%rsp),%xmm2 + movdqu %xmm5,48(%r13) + pxor 80(%rsp),%xmm6 + movdqu %xmm2,64(%r13) + pxor 96(%rsp),%xmm1 + movdqu %xmm6,80(%r13) + movdqu %xmm1,96(%r13) + leaq 112(%r13),%r13 + + movdqa 112(%rsp),%xmm6 + jmp .Lxts_enc_done +.p2align 4 +.Lxts_enc_6: + pxor %xmm11,%xmm3 + leaq 96(%r12),%r12 + pxor %xmm12,%xmm4 + leaq 128(%rsp),%rax + movl %edx,%r10d + + call _bsaes_encrypt8 + + pxor 0(%rsp),%xmm15 + pxor 16(%rsp),%xmm0 + movdqu %xmm15,0(%r13) + pxor 32(%rsp),%xmm3 + movdqu %xmm0,16(%r13) + pxor 48(%rsp),%xmm5 + movdqu %xmm3,32(%r13) + pxor 64(%rsp),%xmm2 + movdqu %xmm5,48(%r13) + pxor 80(%rsp),%xmm6 + movdqu %xmm2,64(%r13) + movdqu %xmm6,80(%r13) + leaq 96(%r13),%r13 + + movdqa 96(%rsp),%xmm6 + jmp .Lxts_enc_done +.p2align 4 +.Lxts_enc_5: + pxor %xmm10,%xmm2 + leaq 80(%r12),%r12 + pxor %xmm11,%xmm3 + leaq 128(%rsp),%rax + movl %edx,%r10d + + call _bsaes_encrypt8 + + pxor 0(%rsp),%xmm15 + pxor 16(%rsp),%xmm0 + movdqu %xmm15,0(%r13) + pxor 32(%rsp),%xmm3 + movdqu %xmm0,16(%r13) + pxor 48(%rsp),%xmm5 + movdqu %xmm3,32(%r13) + pxor 64(%rsp),%xmm2 + movdqu %xmm5,48(%r13) + movdqu %xmm2,64(%r13) + leaq 80(%r13),%r13 + + movdqa 80(%rsp),%xmm6 + jmp .Lxts_enc_done +.p2align 4 +.Lxts_enc_4: + pxor %xmm9,%xmm1 + leaq 64(%r12),%r12 + pxor %xmm10,%xmm2 + leaq 128(%rsp),%rax + movl %edx,%r10d + + call _bsaes_encrypt8 + + pxor 0(%rsp),%xmm15 + pxor 16(%rsp),%xmm0 + movdqu %xmm15,0(%r13) + pxor 32(%rsp),%xmm3 + movdqu %xmm0,16(%r13) + pxor 48(%rsp),%xmm5 + movdqu %xmm3,32(%r13) + movdqu %xmm5,48(%r13) + leaq 64(%r13),%r13 + + movdqa 64(%rsp),%xmm6 + jmp .Lxts_enc_done +.p2align 4 +.Lxts_enc_3: + pxor %xmm8,%xmm0 + leaq 48(%r12),%r12 + pxor %xmm9,%xmm1 + leaq 128(%rsp),%rax + movl %edx,%r10d + + call _bsaes_encrypt8 + + pxor 0(%rsp),%xmm15 + pxor 16(%rsp),%xmm0 + movdqu %xmm15,0(%r13) + pxor 
32(%rsp),%xmm3 + movdqu %xmm0,16(%r13) + movdqu %xmm3,32(%r13) + leaq 48(%r13),%r13 + + movdqa 48(%rsp),%xmm6 + jmp .Lxts_enc_done +.p2align 4 +.Lxts_enc_2: + pxor %xmm7,%xmm15 + leaq 32(%r12),%r12 + pxor %xmm8,%xmm0 + leaq 128(%rsp),%rax + movl %edx,%r10d + + call _bsaes_encrypt8 + + pxor 0(%rsp),%xmm15 + pxor 16(%rsp),%xmm0 + movdqu %xmm15,0(%r13) + movdqu %xmm0,16(%r13) + leaq 32(%r13),%r13 + + movdqa 32(%rsp),%xmm6 + jmp .Lxts_enc_done +.p2align 4 +.Lxts_enc_1: + pxor %xmm15,%xmm7 + leaq 16(%r12),%r12 + movdqa %xmm7,32(%rbp) + leaq 32(%rbp),%rcx + leaq 32(%rbp),%rdx + leaq (%r15),%r8 + call asm_AES_encrypt + pxor 32(%rbp),%xmm15 + + + + + + movdqu %xmm15,0(%r13) + leaq 16(%r13),%r13 + + movdqa 16(%rsp),%xmm6 + +.Lxts_enc_done: + andl $15,%ebx + jz .Lxts_enc_ret + movq %r13,%rdx + +.Lxts_enc_steal: + movzbl (%r12),%eax + movzbl -16(%rdx),%ecx + leaq 1(%r12),%r12 + movb %al,-16(%rdx) + movb %cl,0(%rdx) + leaq 1(%rdx),%rdx + subl $1,%ebx + jnz .Lxts_enc_steal + + movdqu -16(%r13),%xmm15 + leaq 32(%rbp),%rcx + pxor %xmm6,%xmm15 + leaq 32(%rbp),%rdx + movdqa %xmm15,32(%rbp) + leaq (%r15),%r8 + call asm_AES_encrypt + pxor 32(%rbp),%xmm6 + movdqu %xmm6,-16(%r13) + +.Lxts_enc_ret: + leaq (%rsp),%rax + pxor %xmm0,%xmm0 +.Lxts_enc_bzero: + movdqa %xmm0,0(%rax) + movdqa %xmm0,16(%rax) + leaq 32(%rax),%rax + cmpq %rax,%rbp + ja .Lxts_enc_bzero + + leaq (%rbp),%rsp + movaps 64(%rbp),%xmm6 + movaps 80(%rbp),%xmm7 + movaps 96(%rbp),%xmm8 + movaps 112(%rbp),%xmm9 + movaps 128(%rbp),%xmm10 + movaps 144(%rbp),%xmm11 + movaps 160(%rbp),%xmm12 + movaps 176(%rbp),%xmm13 + movaps 192(%rbp),%xmm14 + movaps 208(%rbp),%xmm15 + leaq 160(%rbp),%rsp + movq 72(%rsp),%r15 + movq 80(%rsp),%r14 + movq 88(%rsp),%r13 + movq 96(%rsp),%r12 + movq 104(%rsp),%rbx + movq 112(%rsp),%rax + leaq 120(%rsp),%rsp + movq %rax,%rbp +.Lxts_enc_epilogue: + retq + + +.globl bsaes_xts_decrypt +.def bsaes_xts_decrypt; .scl 2; .type 32; .endef +.p2align 4 +bsaes_xts_decrypt: + movq %rsp,%rax +.Lxts_dec_prologue: 
+ pushq %rbp + pushq %rbx + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + leaq -72(%rsp),%rsp + movq 160(%rsp),%r10 + movq 168(%rsp),%r11 + leaq -160(%rsp),%rsp + movaps %xmm6,64(%rsp) + movaps %xmm7,80(%rsp) + movaps %xmm8,96(%rsp) + movaps %xmm9,112(%rsp) + movaps %xmm10,128(%rsp) + movaps %xmm11,144(%rsp) + movaps %xmm12,160(%rsp) + movaps %xmm13,176(%rsp) + movaps %xmm14,192(%rsp) + movaps %xmm15,208(%rsp) +.Lxts_dec_body: + movq %rsp,%rbp + movq %rcx,%r12 + movq %rdx,%r13 + movq %r8,%r14 + movq %r9,%r15 + + leaq (%r11),%rcx + leaq 32(%rbp),%rdx + leaq (%r10),%r8 + call asm_AES_encrypt + + movl 240(%r15),%eax + movq %r14,%rbx + + movl %eax,%edx + shlq $7,%rax + subq $96,%rax + subq %rax,%rsp + + movq %rsp,%rax + movq %r15,%rcx + movl %edx,%r10d + call _bsaes_key_convert + pxor (%rsp),%xmm7 + movdqa %xmm6,(%rax) + movdqa %xmm7,(%rsp) + + xorl %eax,%eax + andq $-16,%r14 + testl $15,%ebx + setnz %al + shlq $4,%rax + subq %rax,%r14 + + subq $128,%rsp + movdqa 32(%rbp),%xmm6 + + pxor %xmm14,%xmm14 + movdqa .Lxts_magic(%rip),%xmm12 + pcmpgtd %xmm6,%xmm14 + + subq $128,%r14 + jc .Lxts_dec_short + jmp .Lxts_dec_loop + +.p2align 4 +.Lxts_dec_loop: + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm15 + movdqa %xmm6,0(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm0 + movdqa %xmm6,16(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 0(%r12),%xmm7 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm1 + movdqa %xmm6,32(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 16(%r12),%xmm8 + pxor %xmm7,%xmm15 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm2 + movdqa %xmm6,48(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 32(%r12),%xmm9 + pxor %xmm8,%xmm0 + pshufd 
$19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm3 + movdqa %xmm6,64(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 48(%r12),%xmm10 + pxor %xmm9,%xmm1 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm4 + movdqa %xmm6,80(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 64(%r12),%xmm11 + pxor %xmm10,%xmm2 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm5 + movdqa %xmm6,96(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 80(%r12),%xmm12 + pxor %xmm11,%xmm3 + movdqu 96(%r12),%xmm13 + pxor %xmm12,%xmm4 + movdqu 112(%r12),%xmm14 + leaq 128(%r12),%r12 + movdqa %xmm6,112(%rsp) + pxor %xmm13,%xmm5 + leaq 128(%rsp),%rax + pxor %xmm14,%xmm6 + movl %edx,%r10d + + call _bsaes_decrypt8 + + pxor 0(%rsp),%xmm15 + pxor 16(%rsp),%xmm0 + movdqu %xmm15,0(%r13) + pxor 32(%rsp),%xmm5 + movdqu %xmm0,16(%r13) + pxor 48(%rsp),%xmm3 + movdqu %xmm5,32(%r13) + pxor 64(%rsp),%xmm1 + movdqu %xmm3,48(%r13) + pxor 80(%rsp),%xmm6 + movdqu %xmm1,64(%r13) + pxor 96(%rsp),%xmm2 + movdqu %xmm6,80(%r13) + pxor 112(%rsp),%xmm4 + movdqu %xmm2,96(%r13) + movdqu %xmm4,112(%r13) + leaq 128(%r13),%r13 + + movdqa 112(%rsp),%xmm6 + pxor %xmm14,%xmm14 + movdqa .Lxts_magic(%rip),%xmm12 + pcmpgtd %xmm6,%xmm14 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + + subq $128,%r14 + jnc .Lxts_dec_loop + +.Lxts_dec_short: + addq $128,%r14 + jz .Lxts_dec_done + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm15 + movdqa %xmm6,0(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm0 + movdqa %xmm6,16(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 0(%r12),%xmm7 + cmpq $16,%r14 
+ je .Lxts_dec_1 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm1 + movdqa %xmm6,32(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 16(%r12),%xmm8 + cmpq $32,%r14 + je .Lxts_dec_2 + pxor %xmm7,%xmm15 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm2 + movdqa %xmm6,48(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 32(%r12),%xmm9 + cmpq $48,%r14 + je .Lxts_dec_3 + pxor %xmm8,%xmm0 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm3 + movdqa %xmm6,64(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 48(%r12),%xmm10 + cmpq $64,%r14 + je .Lxts_dec_4 + pxor %xmm9,%xmm1 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm4 + movdqa %xmm6,80(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 64(%r12),%xmm11 + cmpq $80,%r14 + je .Lxts_dec_5 + pxor %xmm10,%xmm2 + pshufd $19,%xmm14,%xmm13 + pxor %xmm14,%xmm14 + movdqa %xmm6,%xmm5 + movdqa %xmm6,96(%rsp) + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + pcmpgtd %xmm6,%xmm14 + pxor %xmm13,%xmm6 + movdqu 80(%r12),%xmm12 + cmpq $96,%r14 + je .Lxts_dec_6 + pxor %xmm11,%xmm3 + movdqu 96(%r12),%xmm13 + pxor %xmm12,%xmm4 + movdqa %xmm6,112(%rsp) + leaq 112(%r12),%r12 + pxor %xmm13,%xmm5 + leaq 128(%rsp),%rax + movl %edx,%r10d + + call _bsaes_decrypt8 + + pxor 0(%rsp),%xmm15 + pxor 16(%rsp),%xmm0 + movdqu %xmm15,0(%r13) + pxor 32(%rsp),%xmm5 + movdqu %xmm0,16(%r13) + pxor 48(%rsp),%xmm3 + movdqu %xmm5,32(%r13) + pxor 64(%rsp),%xmm1 + movdqu %xmm3,48(%r13) + pxor 80(%rsp),%xmm6 + movdqu %xmm1,64(%r13) + pxor 96(%rsp),%xmm2 + movdqu %xmm6,80(%r13) + movdqu %xmm2,96(%r13) + leaq 112(%r13),%r13 + + movdqa 112(%rsp),%xmm6 + jmp .Lxts_dec_done +.p2align 4 +.Lxts_dec_6: + pxor %xmm11,%xmm3 + leaq 96(%r12),%r12 + pxor %xmm12,%xmm4 + leaq 128(%rsp),%rax + movl %edx,%r10d + + call 
_bsaes_decrypt8 + + pxor 0(%rsp),%xmm15 + pxor 16(%rsp),%xmm0 + movdqu %xmm15,0(%r13) + pxor 32(%rsp),%xmm5 + movdqu %xmm0,16(%r13) + pxor 48(%rsp),%xmm3 + movdqu %xmm5,32(%r13) + pxor 64(%rsp),%xmm1 + movdqu %xmm3,48(%r13) + pxor 80(%rsp),%xmm6 + movdqu %xmm1,64(%r13) + movdqu %xmm6,80(%r13) + leaq 96(%r13),%r13 + + movdqa 96(%rsp),%xmm6 + jmp .Lxts_dec_done +.p2align 4 +.Lxts_dec_5: + pxor %xmm10,%xmm2 + leaq 80(%r12),%r12 + pxor %xmm11,%xmm3 + leaq 128(%rsp),%rax + movl %edx,%r10d + + call _bsaes_decrypt8 + + pxor 0(%rsp),%xmm15 + pxor 16(%rsp),%xmm0 + movdqu %xmm15,0(%r13) + pxor 32(%rsp),%xmm5 + movdqu %xmm0,16(%r13) + pxor 48(%rsp),%xmm3 + movdqu %xmm5,32(%r13) + pxor 64(%rsp),%xmm1 + movdqu %xmm3,48(%r13) + movdqu %xmm1,64(%r13) + leaq 80(%r13),%r13 + + movdqa 80(%rsp),%xmm6 + jmp .Lxts_dec_done +.p2align 4 +.Lxts_dec_4: + pxor %xmm9,%xmm1 + leaq 64(%r12),%r12 + pxor %xmm10,%xmm2 + leaq 128(%rsp),%rax + movl %edx,%r10d + + call _bsaes_decrypt8 + + pxor 0(%rsp),%xmm15 + pxor 16(%rsp),%xmm0 + movdqu %xmm15,0(%r13) + pxor 32(%rsp),%xmm5 + movdqu %xmm0,16(%r13) + pxor 48(%rsp),%xmm3 + movdqu %xmm5,32(%r13) + movdqu %xmm3,48(%r13) + leaq 64(%r13),%r13 + + movdqa 64(%rsp),%xmm6 + jmp .Lxts_dec_done +.p2align 4 +.Lxts_dec_3: + pxor %xmm8,%xmm0 + leaq 48(%r12),%r12 + pxor %xmm9,%xmm1 + leaq 128(%rsp),%rax + movl %edx,%r10d + + call _bsaes_decrypt8 + + pxor 0(%rsp),%xmm15 + pxor 16(%rsp),%xmm0 + movdqu %xmm15,0(%r13) + pxor 32(%rsp),%xmm5 + movdqu %xmm0,16(%r13) + movdqu %xmm5,32(%r13) + leaq 48(%r13),%r13 + + movdqa 48(%rsp),%xmm6 + jmp .Lxts_dec_done +.p2align 4 +.Lxts_dec_2: + pxor %xmm7,%xmm15 + leaq 32(%r12),%r12 + pxor %xmm8,%xmm0 + leaq 128(%rsp),%rax + movl %edx,%r10d + + call _bsaes_decrypt8 + + pxor 0(%rsp),%xmm15 + pxor 16(%rsp),%xmm0 + movdqu %xmm15,0(%r13) + movdqu %xmm0,16(%r13) + leaq 32(%r13),%r13 + + movdqa 32(%rsp),%xmm6 + jmp .Lxts_dec_done +.p2align 4 +.Lxts_dec_1: + pxor %xmm15,%xmm7 + leaq 16(%r12),%r12 + movdqa %xmm7,32(%rbp) + leaq 
32(%rbp),%rcx + leaq 32(%rbp),%rdx + leaq (%r15),%r8 + call asm_AES_decrypt + pxor 32(%rbp),%xmm15 + + + + + + movdqu %xmm15,0(%r13) + leaq 16(%r13),%r13 + + movdqa 16(%rsp),%xmm6 + +.Lxts_dec_done: + andl $15,%ebx + jz .Lxts_dec_ret + + pxor %xmm14,%xmm14 + movdqa .Lxts_magic(%rip),%xmm12 + pcmpgtd %xmm6,%xmm14 + pshufd $19,%xmm14,%xmm13 + movdqa %xmm6,%xmm5 + paddq %xmm6,%xmm6 + pand %xmm12,%xmm13 + movdqu (%r12),%xmm15 + pxor %xmm13,%xmm6 + + leaq 32(%rbp),%rcx + pxor %xmm6,%xmm15 + leaq 32(%rbp),%rdx + movdqa %xmm15,32(%rbp) + leaq (%r15),%r8 + call asm_AES_decrypt + pxor 32(%rbp),%xmm6 + movq %r13,%rdx + movdqu %xmm6,(%r13) + +.Lxts_dec_steal: + movzbl 16(%r12),%eax + movzbl (%rdx),%ecx + leaq 1(%r12),%r12 + movb %al,(%rdx) + movb %cl,16(%rdx) + leaq 1(%rdx),%rdx + subl $1,%ebx + jnz .Lxts_dec_steal + + movdqu (%r13),%xmm15 + leaq 32(%rbp),%rcx + pxor %xmm5,%xmm15 + leaq 32(%rbp),%rdx + movdqa %xmm15,32(%rbp) + leaq (%r15),%r8 + call asm_AES_decrypt + pxor 32(%rbp),%xmm5 + movdqu %xmm5,(%r13) + +.Lxts_dec_ret: + leaq (%rsp),%rax + pxor %xmm0,%xmm0 +.Lxts_dec_bzero: + movdqa %xmm0,0(%rax) + movdqa %xmm0,16(%rax) + leaq 32(%rax),%rax + cmpq %rax,%rbp + ja .Lxts_dec_bzero + + leaq (%rbp),%rsp + movaps 64(%rbp),%xmm6 + movaps 80(%rbp),%xmm7 + movaps 96(%rbp),%xmm8 + movaps 112(%rbp),%xmm9 + movaps 128(%rbp),%xmm10 + movaps 144(%rbp),%xmm11 + movaps 160(%rbp),%xmm12 + movaps 176(%rbp),%xmm13 + movaps 192(%rbp),%xmm14 + movaps 208(%rbp),%xmm15 + leaq 160(%rbp),%rsp + movq 72(%rsp),%r15 + movq 80(%rsp),%r14 + movq 88(%rsp),%r13 + movq 96(%rsp),%r12 + movq 104(%rsp),%rbx + movq 112(%rsp),%rax + leaq 120(%rsp),%rsp + movq %rax,%rbp +.Lxts_dec_epilogue: + retq + + +.p2align 6 +_bsaes_const: +.LM0ISR: +.quad 0x0a0e0206070b0f03, 0x0004080c0d010509 +.LISRM0: +.quad 0x01040b0e0205080f, 0x0306090c00070a0d +.LISR: +.quad 0x0504070602010003, 0x0f0e0d0c080b0a09 +.LBS0: +.quad 0x5555555555555555, 0x5555555555555555 +.LBS1: +.quad 0x3333333333333333, 0x3333333333333333 +.LBS2: 
+.quad 0x0f0f0f0f0f0f0f0f, 0x0f0f0f0f0f0f0f0f +.LSR: +.quad 0x0504070600030201, 0x0f0e0d0c0a09080b +.LSRM0: +.quad 0x0304090e00050a0f, 0x01060b0c0207080d +.LM0SR: +.quad 0x0a0e02060f03070b, 0x0004080c05090d01 +.LSWPUP: +.quad 0x0706050403020100, 0x0c0d0e0f0b0a0908 +.LSWPUPM0SR: +.quad 0x0a0d02060c03070b, 0x0004080f05090e01 +.LADD1: +.quad 0x0000000000000000, 0x0000000100000000 +.LADD2: +.quad 0x0000000000000000, 0x0000000200000000 +.LADD3: +.quad 0x0000000000000000, 0x0000000300000000 +.LADD4: +.quad 0x0000000000000000, 0x0000000400000000 +.LADD5: +.quad 0x0000000000000000, 0x0000000500000000 +.LADD6: +.quad 0x0000000000000000, 0x0000000600000000 +.LADD7: +.quad 0x0000000000000000, 0x0000000700000000 +.LADD8: +.quad 0x0000000000000000, 0x0000000800000000 +.Lxts_magic: +.long 0x87,0,1,0 +.Lmasks: +.quad 0x0101010101010101, 0x0101010101010101 +.quad 0x0202020202020202, 0x0202020202020202 +.quad 0x0404040404040404, 0x0404040404040404 +.quad 0x0808080808080808, 0x0808080808080808 +.LM0: +.quad 0x02060a0e03070b0f, 0x0004080c0105090d +.L63: +.quad 0x6363636363636363, 0x6363636363636363 +.byte 66,105,116,45,115,108,105,99,101,100,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,69,109,105,108,105,97,32,75,195,164,115,112,101,114,44,32,80,101,116,101,114,32,83,99,104,119,97,98,101,44,32,65,110,100,121,32,80,111,108,121,97,107,111,118,0 +.p2align 6 + + +.def se_handler; .scl 3; .type 32; .endef +.p2align 4 +se_handler: + pushq %rsi + pushq %rdi + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushfq + subq $64,%rsp + + movq 120(%r8),%rax + movq 248(%r8),%rbx + + movq 8(%r9),%rsi + movq 56(%r9),%r11 + + movl 0(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jb .Lin_prologue + + movq 152(%r8),%rax + + movl 4(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jae .Lin_prologue + + movq 160(%r8),%rax + + leaq 64(%rax),%rsi + leaq 512(%r8),%rdi + movl $20,%ecx +.long 0xa548f3fc + leaq 160(%rax),%rax + + movq 
112(%rax),%rbp + movq 104(%rax),%rbx + movq 96(%rax),%r12 + movq 88(%rax),%r13 + movq 80(%rax),%r14 + movq 72(%rax),%r15 + leaq 120(%rax),%rax + movq %rbx,144(%r8) + movq %rbp,160(%r8) + movq %r12,216(%r8) + movq %r13,224(%r8) + movq %r14,232(%r8) + movq %r15,240(%r8) + +.Lin_prologue: + movq %rax,152(%r8) + + movq 40(%r9),%rdi + movq %r8,%rsi + movl $154,%ecx +.long 0xa548f3fc + + movq %r9,%rsi + xorq %rcx,%rcx + movq 8(%rsi),%rdx + movq 0(%rsi),%r8 + movq 16(%rsi),%r9 + movq 40(%rsi),%r10 + leaq 56(%rsi),%r11 + leaq 24(%rsi),%r12 + movq %r10,32(%rsp) + movq %r11,40(%rsp) + movq %r12,48(%rsp) + movq %rcx,56(%rsp) + call *__imp_RtlVirtualUnwind(%rip) + + movl $1,%eax + addq $64,%rsp + popfq + popq %r15 + popq %r14 + popq %r13 + popq %r12 + popq %rbp + popq %rbx + popq %rdi + popq %rsi + retq + + +.section .pdata +.p2align 2 +.rva .Lcbc_dec_prologue +.rva .Lcbc_dec_epilogue +.rva .Lcbc_dec_info + +.rva .Lctr_enc_prologue +.rva .Lctr_enc_epilogue +.rva .Lctr_enc_info + +.rva .Lxts_enc_prologue +.rva .Lxts_enc_epilogue +.rva .Lxts_enc_info + +.rva .Lxts_dec_prologue +.rva .Lxts_dec_epilogue +.rva .Lxts_dec_info + +.section .xdata +.p2align 3 +.Lcbc_dec_info: +.byte 9,0,0,0 +.rva se_handler +.rva .Lcbc_dec_body,.Lcbc_dec_epilogue +.Lctr_enc_info: +.byte 9,0,0,0 +.rva se_handler +.rva .Lctr_enc_body,.Lctr_enc_epilogue +.Lxts_enc_info: +.byte 9,0,0,0 +.rva se_handler +.rva .Lxts_enc_body,.Lxts_enc_epilogue +.Lxts_dec_info: +.byte 9,0,0,0 +.rva se_handler +.rva .Lxts_dec_body,.Lxts_dec_epilogue diff --git a/crypto/aes/vpaes-masm-x86_64.S b/crypto/aes/vpaes-masm-x86_64.S new file mode 100644 index 0000000..e10d98d --- /dev/null +++ b/crypto/aes/vpaes-masm-x86_64.S 
@@ -0,0 +1,1213 @@ +; 1 "crypto/aes/vpaes-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/aes/vpaes-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/aes/vpaes-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' + + + + + + + + + + + + + + + + + +ALIGN 16 +_vpaes_encrypt_core PROC PRIVATE + mov r9,rdx + mov r11,16 + mov eax,DWORD PTR[240+rdx] + movdqa xmm1,xmm9 + movdqa xmm2,XMMWORD PTR[$L$k_ipt] + pandn xmm1,xmm0 + movdqu xmm5,XMMWORD PTR[r9] + psrld xmm1,4 + pand xmm0,xmm9 +DB 102,15,56,0,208 + movdqa xmm0,XMMWORD PTR[(($L$k_ipt+16))] +DB 102,15,56,0,193 + pxor xmm2,xmm5 + pxor xmm0,xmm2 + add r9,16 + lea r10,QWORD PTR[$L$k_mc_backward] + jmp $L$enc_entry + +ALIGN 16 +$L$enc_loop:: + + movdqa xmm4,xmm13 +DB 102,15,56,0,226 + pxor xmm4,xmm5 + movdqa xmm0,xmm12 +DB 102,15,56,0,195 + pxor xmm0,xmm4 + movdqa xmm5,xmm15 +DB 102,15,56,0,234 + movdqa xmm1,XMMWORD PTR[((-64))+r10*1+r11] + movdqa xmm2,xmm14 +DB 102,15,56,0,211 + pxor xmm2,xmm5 + movdqa xmm4,XMMWORD PTR[r10*1+r11] + movdqa xmm3,xmm0 +DB 102,15,56,0,193 + add r9,16 + pxor xmm0,xmm2 +DB 102,15,56,0,220 + add r11,16 + pxor xmm3,xmm0 +DB 102,15,56,0,193 + and r11,030h + pxor xmm0,xmm3 + sub rax,1 + +$L$enc_entry:: + + movdqa xmm1,xmm9 + pandn xmm1,xmm0 + psrld xmm1,4 + pand xmm0,xmm9 + movdqa xmm5,xmm11 +DB 102,15,56,0,232 + pxor xmm0,xmm1 + movdqa xmm3,xmm10 +DB 102,15,56,0,217 + pxor xmm3,xmm5 + movdqa xmm4,xmm10 +DB 102,15,56,0,224 + pxor xmm4,xmm5 + movdqa xmm2,xmm10 +DB 102,15,56,0,211 + pxor xmm2,xmm0 + movdqa xmm3,xmm10 + movdqu xmm5,XMMWORD PTR[r9] +DB 102,15,56,0,220 + pxor xmm3,xmm1 + jnz $L$enc_loop + + + movdqa xmm4,XMMWORD PTR[((-96))+r10] + movdqa xmm0,XMMWORD PTR[((-80))+r10] +DB 102,15,56,0,226 + pxor xmm4,xmm5 +DB 102,15,56,0,195 + movdqa xmm1,XMMWORD 
PTR[64+r10*1+r11] + pxor xmm0,xmm4 +DB 102,15,56,0,193 + DB 0F3h,0C3h ;repret +_vpaes_encrypt_core ENDP + + + + + + + +ALIGN 16 +_vpaes_decrypt_core PROC PRIVATE + mov r9,rdx + mov eax,DWORD PTR[240+rdx] + movdqa xmm1,xmm9 + movdqa xmm2,XMMWORD PTR[$L$k_dipt] + pandn xmm1,xmm0 + mov r11,rax + psrld xmm1,4 + movdqu xmm5,XMMWORD PTR[r9] + shl r11,4 + pand xmm0,xmm9 +DB 102,15,56,0,208 + movdqa xmm0,XMMWORD PTR[(($L$k_dipt+16))] + xor r11,030h + lea r10,QWORD PTR[$L$k_dsbd] +DB 102,15,56,0,193 + and r11,030h + pxor xmm2,xmm5 + movdqa xmm5,XMMWORD PTR[(($L$k_mc_forward+48))] + pxor xmm0,xmm2 + add r9,16 + add r11,r10 + jmp $L$dec_entry + +ALIGN 16 +$L$dec_loop:: + + + + movdqa xmm4,XMMWORD PTR[((-32))+r10] +DB 102,15,56,0,226 + pxor xmm4,xmm0 + movdqa xmm0,XMMWORD PTR[((-16))+r10] +DB 102,15,56,0,195 + pxor xmm0,xmm4 + add r9,16 + +DB 102,15,56,0,197 + movdqa xmm4,XMMWORD PTR[r10] +DB 102,15,56,0,226 + pxor xmm4,xmm0 + movdqa xmm0,XMMWORD PTR[16+r10] +DB 102,15,56,0,195 + pxor xmm0,xmm4 + sub rax,1 + +DB 102,15,56,0,197 + movdqa xmm4,XMMWORD PTR[32+r10] +DB 102,15,56,0,226 + pxor xmm4,xmm0 + movdqa xmm0,XMMWORD PTR[48+r10] +DB 102,15,56,0,195 + pxor xmm0,xmm4 + +DB 102,15,56,0,197 + movdqa xmm4,XMMWORD PTR[64+r10] +DB 102,15,56,0,226 + pxor xmm4,xmm0 + movdqa xmm0,XMMWORD PTR[80+r10] +DB 102,15,56,0,195 + pxor xmm0,xmm4 + +DB 102,15,58,15,237,12 + +$L$dec_entry:: + + movdqa xmm1,xmm9 + pandn xmm1,xmm0 + psrld xmm1,4 + pand xmm0,xmm9 + movdqa xmm2,xmm11 +DB 102,15,56,0,208 + pxor xmm0,xmm1 + movdqa xmm3,xmm10 +DB 102,15,56,0,217 + pxor xmm3,xmm2 + movdqa xmm4,xmm10 +DB 102,15,56,0,224 + pxor xmm4,xmm2 + movdqa xmm2,xmm10 +DB 102,15,56,0,211 + pxor xmm2,xmm0 + movdqa xmm3,xmm10 +DB 102,15,56,0,220 + pxor xmm3,xmm1 + movdqu xmm0,XMMWORD PTR[r9] + jnz $L$dec_loop + + + movdqa xmm4,XMMWORD PTR[96+r10] +DB 102,15,56,0,226 + pxor xmm4,xmm0 + movdqa xmm0,XMMWORD PTR[112+r10] + movdqa xmm2,XMMWORD PTR[((-352))+r11] +DB 102,15,56,0,195 + pxor xmm0,xmm4 +DB 102,15,56,0,194 + DB 
0F3h,0C3h ;repret +_vpaes_decrypt_core ENDP + + + + + + + +ALIGN 16 +_vpaes_schedule_core PROC PRIVATE + + + + + + call _vpaes_preheat + movdqa xmm8,XMMWORD PTR[$L$k_rcon] + movdqu xmm0,XMMWORD PTR[rdi] + + + movdqa xmm3,xmm0 + lea r11,QWORD PTR[$L$k_ipt] + call _vpaes_schedule_transform + movdqa xmm7,xmm0 + + lea r10,QWORD PTR[$L$k_sr] + test rcx,rcx + jnz $L$schedule_am_decrypting + + + movdqu XMMWORD PTR[rdx],xmm0 + jmp $L$schedule_go + +$L$schedule_am_decrypting:: + + movdqa xmm1,XMMWORD PTR[r10*1+r8] +DB 102,15,56,0,217 + movdqu XMMWORD PTR[rdx],xmm3 + xor r8,030h + +$L$schedule_go:: + cmp esi,192 + ja $L$schedule_256 + je $L$schedule_192 + + + + + + + + + + +$L$schedule_128:: + mov esi,10 + +$L$oop_schedule_128:: + call _vpaes_schedule_round + dec rsi + jz $L$schedule_mangle_last + call _vpaes_schedule_mangle + jmp $L$oop_schedule_128 + + + + + + + + + + + + + + + + +ALIGN 16 +$L$schedule_192:: + movdqu xmm0,XMMWORD PTR[8+rdi] + call _vpaes_schedule_transform + movdqa xmm6,xmm0 + pxor xmm4,xmm4 + movhlps xmm6,xmm4 + mov esi,4 + +$L$oop_schedule_192:: + call _vpaes_schedule_round +DB 102,15,58,15,198,8 + call _vpaes_schedule_mangle + call _vpaes_schedule_192_smear + call _vpaes_schedule_mangle + call _vpaes_schedule_round + dec rsi + jz $L$schedule_mangle_last + call _vpaes_schedule_mangle + call _vpaes_schedule_192_smear + jmp $L$oop_schedule_192 + + + + + + + + + + + +ALIGN 16 +$L$schedule_256:: + movdqu xmm0,XMMWORD PTR[16+rdi] + call _vpaes_schedule_transform + mov esi,7 + +$L$oop_schedule_256:: + call _vpaes_schedule_mangle + movdqa xmm6,xmm0 + + + call _vpaes_schedule_round + dec rsi + jz $L$schedule_mangle_last + call _vpaes_schedule_mangle + + + pshufd xmm0,xmm0,0FFh + movdqa xmm5,xmm7 + movdqa xmm7,xmm6 + call _vpaes_schedule_low_round + movdqa xmm7,xmm5 + + jmp $L$oop_schedule_256 + + + + + + + + + + + + +ALIGN 16 +$L$schedule_mangle_last:: + + lea r11,QWORD PTR[$L$k_deskew] + test rcx,rcx + jnz $L$schedule_mangle_last_dec + + + movdqa xmm1,XMMWORD 
PTR[r10*1+r8] +DB 102,15,56,0,193 + lea r11,QWORD PTR[$L$k_opt] + add rdx,32 + +$L$schedule_mangle_last_dec:: + add rdx,-16 + pxor xmm0,XMMWORD PTR[$L$k_s63] + call _vpaes_schedule_transform + movdqu XMMWORD PTR[rdx],xmm0 + + + pxor xmm0,xmm0 + pxor xmm1,xmm1 + pxor xmm2,xmm2 + pxor xmm3,xmm3 + pxor xmm4,xmm4 + pxor xmm5,xmm5 + pxor xmm6,xmm6 + pxor xmm7,xmm7 + DB 0F3h,0C3h ;repret +_vpaes_schedule_core ENDP + + + + + + + + + + + + + + + + +ALIGN 16 +_vpaes_schedule_192_smear PROC PRIVATE + pshufd xmm0,xmm6,080h + pxor xmm6,xmm0 + pshufd xmm0,xmm7,0FEh + pxor xmm6,xmm0 + movdqa xmm0,xmm6 + pxor xmm1,xmm1 + movhlps xmm6,xmm1 + DB 0F3h,0C3h ;repret +_vpaes_schedule_192_smear ENDP + + + + + + + + + + + + + + + + + + + + +ALIGN 16 +_vpaes_schedule_round PROC PRIVATE + + pxor xmm1,xmm1 +DB 102,65,15,58,15,200,15 +DB 102,69,15,58,15,192,15 + pxor xmm7,xmm1 + + + pshufd xmm0,xmm0,0FFh +DB 102,15,58,15,192,1 + + + + +_vpaes_schedule_low_round:: + + movdqa xmm1,xmm7 + pslldq xmm7,4 + pxor xmm7,xmm1 + movdqa xmm1,xmm7 + pslldq xmm7,8 + pxor xmm7,xmm1 + pxor xmm7,XMMWORD PTR[$L$k_s63] + + + movdqa xmm1,xmm9 + pandn xmm1,xmm0 + psrld xmm1,4 + pand xmm0,xmm9 + movdqa xmm2,xmm11 +DB 102,15,56,0,208 + pxor xmm0,xmm1 + movdqa xmm3,xmm10 +DB 102,15,56,0,217 + pxor xmm3,xmm2 + movdqa xmm4,xmm10 +DB 102,15,56,0,224 + pxor xmm4,xmm2 + movdqa xmm2,xmm10 +DB 102,15,56,0,211 + pxor xmm2,xmm0 + movdqa xmm3,xmm10 +DB 102,15,56,0,220 + pxor xmm3,xmm1 + movdqa xmm4,xmm13 +DB 102,15,56,0,226 + movdqa xmm0,xmm12 +DB 102,15,56,0,195 + pxor xmm0,xmm4 + + + pxor xmm0,xmm7 + movdqa xmm7,xmm0 + DB 0F3h,0C3h ;repret +_vpaes_schedule_round ENDP + + + + + + + + + + + +ALIGN 16 +_vpaes_schedule_transform PROC PRIVATE + movdqa xmm1,xmm9 + pandn xmm1,xmm0 + psrld xmm1,4 + pand xmm0,xmm9 + movdqa xmm2,XMMWORD PTR[r11] +DB 102,15,56,0,208 + movdqa xmm0,XMMWORD PTR[16+r11] +DB 102,15,56,0,193 + pxor xmm0,xmm2 + DB 0F3h,0C3h ;repret +_vpaes_schedule_transform ENDP + + + + + + + + + + + + + + + + + + + + + + 
+ + + +ALIGN 16 +_vpaes_schedule_mangle PROC PRIVATE + movdqa xmm4,xmm0 + movdqa xmm5,XMMWORD PTR[$L$k_mc_forward] + test rcx,rcx + jnz $L$schedule_mangle_dec + + + add rdx,16 + pxor xmm4,XMMWORD PTR[$L$k_s63] +DB 102,15,56,0,229 + movdqa xmm3,xmm4 +DB 102,15,56,0,229 + pxor xmm3,xmm4 +DB 102,15,56,0,229 + pxor xmm3,xmm4 + + jmp $L$schedule_mangle_both +ALIGN 16 +$L$schedule_mangle_dec:: + + lea r11,QWORD PTR[$L$k_dksd] + movdqa xmm1,xmm9 + pandn xmm1,xmm4 + psrld xmm1,4 + pand xmm4,xmm9 + + movdqa xmm2,XMMWORD PTR[r11] +DB 102,15,56,0,212 + movdqa xmm3,XMMWORD PTR[16+r11] +DB 102,15,56,0,217 + pxor xmm3,xmm2 +DB 102,15,56,0,221 + + movdqa xmm2,XMMWORD PTR[32+r11] +DB 102,15,56,0,212 + pxor xmm2,xmm3 + movdqa xmm3,XMMWORD PTR[48+r11] +DB 102,15,56,0,217 + pxor xmm3,xmm2 +DB 102,15,56,0,221 + + movdqa xmm2,XMMWORD PTR[64+r11] +DB 102,15,56,0,212 + pxor xmm2,xmm3 + movdqa xmm3,XMMWORD PTR[80+r11] +DB 102,15,56,0,217 + pxor xmm3,xmm2 +DB 102,15,56,0,221 + + movdqa xmm2,XMMWORD PTR[96+r11] +DB 102,15,56,0,212 + pxor xmm2,xmm3 + movdqa xmm3,XMMWORD PTR[112+r11] +DB 102,15,56,0,217 + pxor xmm3,xmm2 + + add rdx,-16 + +$L$schedule_mangle_both:: + movdqa xmm1,XMMWORD PTR[r10*1+r8] +DB 102,15,56,0,217 + add r8,-16 + and r8,030h + movdqu XMMWORD PTR[rdx],xmm3 + DB 0F3h,0C3h ;repret +_vpaes_schedule_mangle ENDP + + + + +PUBLIC vpaes_set_encrypt_key + +ALIGN 16 +vpaes_set_encrypt_key PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_vpaes_set_encrypt_key:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + + + lea rsp,QWORD PTR[((-184))+rsp] + movaps XMMWORD PTR[16+rsp],xmm6 + movaps XMMWORD PTR[32+rsp],xmm7 + movaps XMMWORD PTR[48+rsp],xmm8 + movaps XMMWORD PTR[64+rsp],xmm9 + movaps XMMWORD PTR[80+rsp],xmm10 + movaps XMMWORD PTR[96+rsp],xmm11 + movaps XMMWORD PTR[112+rsp],xmm12 + movaps XMMWORD PTR[128+rsp],xmm13 + movaps XMMWORD PTR[144+rsp],xmm14 + movaps XMMWORD PTR[160+rsp],xmm15 +$L$enc_key_body:: + mov eax,esi + shr 
eax,5 + add eax,5 + mov DWORD PTR[240+rdx],eax + + mov ecx,0 + mov r8d,030h + call _vpaes_schedule_core + movaps xmm6,XMMWORD PTR[16+rsp] + movaps xmm7,XMMWORD PTR[32+rsp] + movaps xmm8,XMMWORD PTR[48+rsp] + movaps xmm9,XMMWORD PTR[64+rsp] + movaps xmm10,XMMWORD PTR[80+rsp] + movaps xmm11,XMMWORD PTR[96+rsp] + movaps xmm12,XMMWORD PTR[112+rsp] + movaps xmm13,XMMWORD PTR[128+rsp] + movaps xmm14,XMMWORD PTR[144+rsp] + movaps xmm15,XMMWORD PTR[160+rsp] + lea rsp,QWORD PTR[184+rsp] +$L$enc_key_epilogue:: + xor eax,eax + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_vpaes_set_encrypt_key:: +vpaes_set_encrypt_key ENDP + +PUBLIC vpaes_set_decrypt_key + +ALIGN 16 +vpaes_set_decrypt_key PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_vpaes_set_decrypt_key:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + + + lea rsp,QWORD PTR[((-184))+rsp] + movaps XMMWORD PTR[16+rsp],xmm6 + movaps XMMWORD PTR[32+rsp],xmm7 + movaps XMMWORD PTR[48+rsp],xmm8 + movaps XMMWORD PTR[64+rsp],xmm9 + movaps XMMWORD PTR[80+rsp],xmm10 + movaps XMMWORD PTR[96+rsp],xmm11 + movaps XMMWORD PTR[112+rsp],xmm12 + movaps XMMWORD PTR[128+rsp],xmm13 + movaps XMMWORD PTR[144+rsp],xmm14 + movaps XMMWORD PTR[160+rsp],xmm15 +$L$dec_key_body:: + mov eax,esi + shr eax,5 + add eax,5 + mov DWORD PTR[240+rdx],eax + shl eax,4 + lea rdx,QWORD PTR[16+rax*1+rdx] + + mov ecx,1 + mov r8d,esi + shr r8d,1 + and r8d,32 + xor r8d,32 + call _vpaes_schedule_core + movaps xmm6,XMMWORD PTR[16+rsp] + movaps xmm7,XMMWORD PTR[32+rsp] + movaps xmm8,XMMWORD PTR[48+rsp] + movaps xmm9,XMMWORD PTR[64+rsp] + movaps xmm10,XMMWORD PTR[80+rsp] + movaps xmm11,XMMWORD PTR[96+rsp] + movaps xmm12,XMMWORD PTR[112+rsp] + movaps xmm13,XMMWORD PTR[128+rsp] + movaps xmm14,XMMWORD PTR[144+rsp] + movaps xmm15,XMMWORD PTR[160+rsp] + lea rsp,QWORD PTR[184+rsp] +$L$dec_key_epilogue:: + xor eax,eax + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov 
rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_vpaes_set_decrypt_key:: +vpaes_set_decrypt_key ENDP + +PUBLIC vpaes_encrypt + +ALIGN 16 +vpaes_encrypt PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_vpaes_encrypt:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + + + lea rsp,QWORD PTR[((-184))+rsp] + movaps XMMWORD PTR[16+rsp],xmm6 + movaps XMMWORD PTR[32+rsp],xmm7 + movaps XMMWORD PTR[48+rsp],xmm8 + movaps XMMWORD PTR[64+rsp],xmm9 + movaps XMMWORD PTR[80+rsp],xmm10 + movaps XMMWORD PTR[96+rsp],xmm11 + movaps XMMWORD PTR[112+rsp],xmm12 + movaps XMMWORD PTR[128+rsp],xmm13 + movaps XMMWORD PTR[144+rsp],xmm14 + movaps XMMWORD PTR[160+rsp],xmm15 +$L$enc_body:: + movdqu xmm0,XMMWORD PTR[rdi] + call _vpaes_preheat + call _vpaes_encrypt_core + movdqu XMMWORD PTR[rsi],xmm0 + movaps xmm6,XMMWORD PTR[16+rsp] + movaps xmm7,XMMWORD PTR[32+rsp] + movaps xmm8,XMMWORD PTR[48+rsp] + movaps xmm9,XMMWORD PTR[64+rsp] + movaps xmm10,XMMWORD PTR[80+rsp] + movaps xmm11,XMMWORD PTR[96+rsp] + movaps xmm12,XMMWORD PTR[112+rsp] + movaps xmm13,XMMWORD PTR[128+rsp] + movaps xmm14,XMMWORD PTR[144+rsp] + movaps xmm15,XMMWORD PTR[160+rsp] + lea rsp,QWORD PTR[184+rsp] +$L$enc_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_vpaes_encrypt:: +vpaes_encrypt ENDP + +PUBLIC vpaes_decrypt + +ALIGN 16 +vpaes_decrypt PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_vpaes_decrypt:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + + + lea rsp,QWORD PTR[((-184))+rsp] + movaps XMMWORD PTR[16+rsp],xmm6 + movaps XMMWORD PTR[32+rsp],xmm7 + movaps XMMWORD PTR[48+rsp],xmm8 + movaps XMMWORD PTR[64+rsp],xmm9 + movaps XMMWORD PTR[80+rsp],xmm10 + movaps XMMWORD PTR[96+rsp],xmm11 + movaps XMMWORD PTR[112+rsp],xmm12 + movaps XMMWORD PTR[128+rsp],xmm13 + movaps XMMWORD PTR[144+rsp],xmm14 + movaps XMMWORD PTR[160+rsp],xmm15 
+$L$dec_body:: + movdqu xmm0,XMMWORD PTR[rdi] + call _vpaes_preheat + call _vpaes_decrypt_core + movdqu XMMWORD PTR[rsi],xmm0 + movaps xmm6,XMMWORD PTR[16+rsp] + movaps xmm7,XMMWORD PTR[32+rsp] + movaps xmm8,XMMWORD PTR[48+rsp] + movaps xmm9,XMMWORD PTR[64+rsp] + movaps xmm10,XMMWORD PTR[80+rsp] + movaps xmm11,XMMWORD PTR[96+rsp] + movaps xmm12,XMMWORD PTR[112+rsp] + movaps xmm13,XMMWORD PTR[128+rsp] + movaps xmm14,XMMWORD PTR[144+rsp] + movaps xmm15,XMMWORD PTR[160+rsp] + lea rsp,QWORD PTR[184+rsp] +$L$dec_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_vpaes_decrypt:: +vpaes_decrypt ENDP +PUBLIC vpaes_cbc_encrypt + +ALIGN 16 +vpaes_cbc_encrypt PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_vpaes_cbc_encrypt:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + + xchg rdx,rcx + sub rcx,16 + jc $L$cbc_abort + lea rsp,QWORD PTR[((-184))+rsp] + movaps XMMWORD PTR[16+rsp],xmm6 + movaps XMMWORD PTR[32+rsp],xmm7 + movaps XMMWORD PTR[48+rsp],xmm8 + movaps XMMWORD PTR[64+rsp],xmm9 + movaps XMMWORD PTR[80+rsp],xmm10 + movaps XMMWORD PTR[96+rsp],xmm11 + movaps XMMWORD PTR[112+rsp],xmm12 + movaps XMMWORD PTR[128+rsp],xmm13 + movaps XMMWORD PTR[144+rsp],xmm14 + movaps XMMWORD PTR[160+rsp],xmm15 +$L$cbc_body:: + movdqu xmm6,XMMWORD PTR[r8] + sub rsi,rdi + call _vpaes_preheat + cmp r9d,0 + je $L$cbc_dec_loop + jmp $L$cbc_enc_loop +ALIGN 16 +$L$cbc_enc_loop:: + movdqu xmm0,XMMWORD PTR[rdi] + pxor xmm0,xmm6 + call _vpaes_encrypt_core + movdqa xmm6,xmm0 + movdqu XMMWORD PTR[rdi*1+rsi],xmm0 + lea rdi,QWORD PTR[16+rdi] + sub rcx,16 + jnc $L$cbc_enc_loop + jmp $L$cbc_done +ALIGN 16 +$L$cbc_dec_loop:: + movdqu xmm0,XMMWORD PTR[rdi] + movdqa xmm7,xmm0 + call _vpaes_decrypt_core + pxor xmm0,xmm6 + movdqa xmm6,xmm7 + movdqu XMMWORD PTR[rdi*1+rsi],xmm0 + lea rdi,QWORD PTR[16+rdi] + sub rcx,16 + jnc 
$L$cbc_dec_loop +$L$cbc_done:: + movdqu XMMWORD PTR[r8],xmm6 + movaps xmm6,XMMWORD PTR[16+rsp] + movaps xmm7,XMMWORD PTR[32+rsp] + movaps xmm8,XMMWORD PTR[48+rsp] + movaps xmm9,XMMWORD PTR[64+rsp] + movaps xmm10,XMMWORD PTR[80+rsp] + movaps xmm11,XMMWORD PTR[96+rsp] + movaps xmm12,XMMWORD PTR[112+rsp] + movaps xmm13,XMMWORD PTR[128+rsp] + movaps xmm14,XMMWORD PTR[144+rsp] + movaps xmm15,XMMWORD PTR[160+rsp] + lea rsp,QWORD PTR[184+rsp] +$L$cbc_epilogue:: +$L$cbc_abort:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_vpaes_cbc_encrypt:: +vpaes_cbc_encrypt ENDP + + + + + + + +ALIGN 16 +_vpaes_preheat PROC PRIVATE + lea r10,QWORD PTR[$L$k_s0F] + movdqa xmm10,XMMWORD PTR[((-32))+r10] + movdqa xmm11,XMMWORD PTR[((-16))+r10] + movdqa xmm9,XMMWORD PTR[r10] + movdqa xmm13,XMMWORD PTR[48+r10] + movdqa xmm12,XMMWORD PTR[64+r10] + movdqa xmm15,XMMWORD PTR[80+r10] + movdqa xmm14,XMMWORD PTR[96+r10] + DB 0F3h,0C3h ;repret +_vpaes_preheat ENDP + + + + + + +ALIGN 64 +_vpaes_consts:: +$L$k_inv:: + DQ 00E05060F0D080180h,0040703090A0B0C02h + DQ 001040A060F0B0780h,0030D0E0C02050809h + +$L$k_s0F:: + DQ 00F0F0F0F0F0F0F0Fh,00F0F0F0F0F0F0F0Fh + +$L$k_ipt:: + DQ 0C2B2E8985A2A7000h,0CABAE09052227808h + DQ 04C01307D317C4D00h,0CD80B1FCB0FDCC81h + +$L$k_sb1:: + DQ 0B19BE18FCB503E00h,0A5DF7A6E142AF544h + DQ 03618D415FAE22300h,03BF7CCC10D2ED9EFh +$L$k_sb2:: + DQ 0E27A93C60B712400h,05EB7E955BC982FCDh + DQ 069EB88400AE12900h,0C2A163C8AB82234Ah +$L$k_sbo:: + DQ 0D0D26D176FBDC700h,015AABF7AC502A878h + DQ 0CFE474A55FBB6A00h,08E1E90D1412B35FAh + +$L$k_mc_forward:: + DQ 00407060500030201h,00C0F0E0D080B0A09h + DQ 0080B0A0904070605h,0000302010C0F0E0Dh + DQ 00C0F0E0D080B0A09h,00407060500030201h + DQ 0000302010C0F0E0Dh,0080B0A0904070605h + +$L$k_mc_backward:: + DQ 00605040702010003h,00E0D0C0F0A09080Bh + DQ 0020100030E0D0C0Fh,00A09080B06050407h + DQ 00E0D0C0F0A09080Bh,00605040702010003h + DQ 00A09080B06050407h,0020100030E0D0C0Fh + +$L$k_sr:: + DQ 
00706050403020100h,00F0E0D0C0B0A0908h + DQ 0030E09040F0A0500h,00B06010C07020D08h + DQ 00F060D040B020900h,0070E050C030A0108h + DQ 00B0E0104070A0D00h,00306090C0F020508h + +$L$k_rcon:: + DQ 01F8391B9AF9DEEB6h,0702A98084D7C7D81h + +$L$k_s63:: + DQ 05B5B5B5B5B5B5B5Bh,05B5B5B5B5B5B5B5Bh + +$L$k_opt:: + DQ 0FF9F4929D6B66000h,0F7974121DEBE6808h + DQ 001EDBD5150BCEC00h,0E10D5DB1B05C0CE0h + +$L$k_deskew:: + DQ 007E4A34047A4E300h,01DFEB95A5DBEF91Ah + DQ 05F36B5DC83EA6900h,02841C2ABF49D1E77h + + + + + +$L$k_dksd:: + DQ 0FEB91A5DA3E44700h,00740E3A45A1DBEF9h + DQ 041C277F4B5368300h,05FDC69EAAB289D1Eh +$L$k_dksb:: + DQ 09A4FCA1F8550D500h,003D653861CC94C99h + DQ 0115BEDA7B6FC4A00h,0D993256F7E3482C8h +$L$k_dkse:: + DQ 0D5031CCA1FC9D600h,053859A4C994F5086h + DQ 0A23196054FDC7BE8h,0CD5EF96A20B31487h +$L$k_dks9:: + DQ 0B6116FC87ED9A700h,04AED933482255BFCh + DQ 04576516227143300h,08BB89FACE9DAFDCEh + + + + + +$L$k_dipt:: + DQ 00F505B040B545F00h,0154A411E114E451Ah + DQ 086E383E660056500h,012771772F491F194h + +$L$k_dsb9:: + DQ 0851C03539A86D600h,0CAD51F504F994CC9h + DQ 0C03B1789ECD74900h,0725E2C9EB2FBA565h +$L$k_dsbd:: + DQ 07D57CCDFE6B1A200h,0F56E9B13882A4439h + DQ 03CE2FAF724C6CB00h,02931180D15DEEFD3h +$L$k_dsbb:: + DQ 0D022649296B44200h,0602646F6B0F2D404h + DQ 0C19498A6CD596700h,0F3FF0C3E3255AA6Bh +$L$k_dsbe:: + DQ 046F2929626D4D000h,02242600464B4F6B0h + DQ 00C55A6CDFFAAC100h,09467F36B98593E32h +$L$k_dsbo:: + DQ 01387EA537EF94000h,0C7AA6DB9D4943E2Dh + DQ 012D7560F93441D00h,0CA4B8159D8C58E9Ch +DB 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105 +DB 111,110,32,65,69,83,32,102,111,114,32,120,56,54,95,54 +DB 52,47,83,83,83,69,51,44,32,77,105,107,101,32,72,97 +DB 109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32 +DB 85,110,105,118,101,114,115,105,116,121,41,0 +ALIGN 64 + +EXTERN __imp_RtlVirtualUnwind:NEAR + +ALIGN 16 +se_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD 
PTR[120+r8] + mov rbx,QWORD PTR[248+r8] + + mov rsi,QWORD PTR[8+r9] + mov r11,QWORD PTR[56+r9] + + mov r10d,DWORD PTR[r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jb $L$in_prologue + + mov rax,QWORD PTR[152+r8] + + mov r10d,DWORD PTR[4+r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jae $L$in_prologue + + lea rsi,QWORD PTR[16+rax] + lea rdi,QWORD PTR[512+r8] + mov ecx,20 + DD 0a548f3fch + lea rax,QWORD PTR[184+rax] + +$L$in_prologue:: + mov rdi,QWORD PTR[8+rax] + mov rsi,QWORD PTR[16+rax] + mov QWORD PTR[152+r8],rax + mov QWORD PTR[168+r8],rsi + mov QWORD PTR[176+r8],rdi + + mov rdi,QWORD PTR[40+r9] + mov rsi,r8 + mov ecx,154 + DD 0a548f3fch + + mov rsi,r9 + xor rcx,rcx + mov rdx,QWORD PTR[8+rsi] + mov r8,QWORD PTR[rsi] + mov r9,QWORD PTR[16+rsi] + mov r10,QWORD PTR[40+rsi] + lea r11,QWORD PTR[56+rsi] + lea r12,QWORD PTR[24+rsi] + mov QWORD PTR[32+rsp],r10 + mov QWORD PTR[40+rsp],r11 + mov QWORD PTR[48+rsp],r12 + mov QWORD PTR[56+rsp],rcx + call QWORD PTR[__imp_RtlVirtualUnwind] + + mov eax,1 + add rsp,64 + popfq + pop r15 + pop r14 + pop r13 + pop r12 + pop rbp + pop rbx + pop rdi + pop rsi + DB 0F3h,0C3h ;repret +se_handler ENDP + +.text$ ENDS +.pdata SEGMENT READONLY ALIGN(4) +ALIGN 4 + DD imagerel $L$SEH_begin_vpaes_set_encrypt_key + DD imagerel $L$SEH_end_vpaes_set_encrypt_key + DD imagerel $L$SEH_info_vpaes_set_encrypt_key + + DD imagerel $L$SEH_begin_vpaes_set_decrypt_key + DD imagerel $L$SEH_end_vpaes_set_decrypt_key + DD imagerel $L$SEH_info_vpaes_set_decrypt_key + + DD imagerel $L$SEH_begin_vpaes_encrypt + DD imagerel $L$SEH_end_vpaes_encrypt + DD imagerel $L$SEH_info_vpaes_encrypt + + DD imagerel $L$SEH_begin_vpaes_decrypt + DD imagerel $L$SEH_end_vpaes_decrypt + DD imagerel $L$SEH_info_vpaes_decrypt + + DD imagerel $L$SEH_begin_vpaes_cbc_encrypt + DD imagerel $L$SEH_end_vpaes_cbc_encrypt + DD imagerel $L$SEH_info_vpaes_cbc_encrypt + +.pdata ENDS +.xdata SEGMENT READONLY ALIGN(8) +ALIGN 8 +$L$SEH_info_vpaes_set_encrypt_key:: +DB 9,0,0,0 + DD 
imagerel se_handler + DD imagerel $L$enc_key_body,imagerel $L$enc_key_epilogue +$L$SEH_info_vpaes_set_decrypt_key:: +DB 9,0,0,0 + DD imagerel se_handler + DD imagerel $L$dec_key_body,imagerel $L$dec_key_epilogue +$L$SEH_info_vpaes_encrypt:: +DB 9,0,0,0 + DD imagerel se_handler + DD imagerel $L$enc_body,imagerel $L$enc_epilogue +$L$SEH_info_vpaes_decrypt:: +DB 9,0,0,0 + DD imagerel se_handler + DD imagerel $L$dec_body,imagerel $L$dec_epilogue +$L$SEH_info_vpaes_cbc_encrypt:: +DB 9,0,0,0 + DD imagerel se_handler + DD imagerel $L$cbc_body,imagerel $L$cbc_epilogue + +.xdata ENDS +END + diff --git a/crypto/aes/vpaes-mingw64-x86_64.S b/crypto/aes/vpaes-mingw64-x86_64.S new file mode 100644 index 0000000..d6cb860 --- /dev/null +++ b/crypto/aes/vpaes-mingw64-x86_64.S 
@@ -0,0 +1,1125 @@ +#include "x86_arch.h" +.text + + + + + + + + + + + + + + + + +.def _vpaes_encrypt_core; .scl 3; .type 32; .endef +.p2align 4 +_vpaes_encrypt_core: + movq %rdx,%r9 + movq $16,%r11 + movl 240(%rdx),%eax + movdqa %xmm9,%xmm1 + movdqa .Lk_ipt(%rip),%xmm2 + pandn %xmm0,%xmm1 + movdqu (%r9),%xmm5 + psrld $4,%xmm1 + pand %xmm9,%xmm0 +.byte 102,15,56,0,208 + movdqa .Lk_ipt+16(%rip),%xmm0 +.byte 102,15,56,0,193 + pxor %xmm5,%xmm2 + pxor %xmm2,%xmm0 + addq $16,%r9 + leaq .Lk_mc_backward(%rip),%r10 + jmp .Lenc_entry + +.p2align 4 +.Lenc_loop: + + movdqa %xmm13,%xmm4 +.byte 102,15,56,0,226 + pxor %xmm5,%xmm4 + movdqa %xmm12,%xmm0 +.byte 102,15,56,0,195 + pxor %xmm4,%xmm0 + movdqa %xmm15,%xmm5 +.byte 102,15,56,0,234 + movdqa -64(%r11,%r10,1),%xmm1 + movdqa %xmm14,%xmm2 +.byte 102,15,56,0,211 + pxor %xmm5,%xmm2 + movdqa (%r11,%r10,1),%xmm4 + movdqa %xmm0,%xmm3 +.byte 102,15,56,0,193 + addq $16,%r9 + pxor %xmm2,%xmm0 +.byte 102,15,56,0,220 + addq $16,%r11 + pxor %xmm0,%xmm3 +.byte 102,15,56,0,193 + andq $48,%r11 + pxor %xmm3,%xmm0 + subq $1,%rax + +.Lenc_entry: + + movdqa %xmm9,%xmm1 + pandn %xmm0,%xmm1 + psrld $4,%xmm1 + pand %xmm9,%xmm0 + movdqa %xmm11,%xmm5 +.byte 102,15,56,0,232 + pxor %xmm1,%xmm0 + movdqa %xmm10,%xmm3 +.byte 102,15,56,0,217 + pxor %xmm5,%xmm3 + movdqa %xmm10,%xmm4 +.byte 102,15,56,0,224 + pxor %xmm5,%xmm4 + movdqa %xmm10,%xmm2 +.byte 102,15,56,0,211 + pxor %xmm0,%xmm2 + movdqa %xmm10,%xmm3 + movdqu (%r9),%xmm5 +.byte 102,15,56,0,220 + pxor %xmm1,%xmm3 + jnz .Lenc_loop + + + movdqa -96(%r10),%xmm4 + movdqa -80(%r10),%xmm0 +.byte 102,15,56,0,226 + pxor %xmm5,%xmm4 +.byte 102,15,56,0,195 + movdqa 64(%r11,%r10,1),%xmm1 + pxor %xmm4,%xmm0 +.byte 102,15,56,0,193 + retq + + + + + + + +.def _vpaes_decrypt_core; .scl 3; .type 32; .endef +.p2align 4 +_vpaes_decrypt_core: + movq %rdx,%r9 + movl 240(%rdx),%eax + movdqa %xmm9,%xmm1 + movdqa .Lk_dipt(%rip),%xmm2 + pandn %xmm0,%xmm1 + movq %rax,%r11 + psrld $4,%xmm1 + movdqu (%r9),%xmm5 + shlq $4,%r11 + 
pand %xmm9,%xmm0 +.byte 102,15,56,0,208 + movdqa .Lk_dipt+16(%rip),%xmm0 + xorq $48,%r11 + leaq .Lk_dsbd(%rip),%r10 +.byte 102,15,56,0,193 + andq $48,%r11 + pxor %xmm5,%xmm2 + movdqa .Lk_mc_forward+48(%rip),%xmm5 + pxor %xmm2,%xmm0 + addq $16,%r9 + addq %r10,%r11 + jmp .Ldec_entry + +.p2align 4 +.Ldec_loop: + + + + movdqa -32(%r10),%xmm4 +.byte 102,15,56,0,226 + pxor %xmm0,%xmm4 + movdqa -16(%r10),%xmm0 +.byte 102,15,56,0,195 + pxor %xmm4,%xmm0 + addq $16,%r9 + +.byte 102,15,56,0,197 + movdqa 0(%r10),%xmm4 +.byte 102,15,56,0,226 + pxor %xmm0,%xmm4 + movdqa 16(%r10),%xmm0 +.byte 102,15,56,0,195 + pxor %xmm4,%xmm0 + subq $1,%rax + +.byte 102,15,56,0,197 + movdqa 32(%r10),%xmm4 +.byte 102,15,56,0,226 + pxor %xmm0,%xmm4 + movdqa 48(%r10),%xmm0 +.byte 102,15,56,0,195 + pxor %xmm4,%xmm0 + +.byte 102,15,56,0,197 + movdqa 64(%r10),%xmm4 +.byte 102,15,56,0,226 + pxor %xmm0,%xmm4 + movdqa 80(%r10),%xmm0 +.byte 102,15,56,0,195 + pxor %xmm4,%xmm0 + +.byte 102,15,58,15,237,12 + +.Ldec_entry: + + movdqa %xmm9,%xmm1 + pandn %xmm0,%xmm1 + psrld $4,%xmm1 + pand %xmm9,%xmm0 + movdqa %xmm11,%xmm2 +.byte 102,15,56,0,208 + pxor %xmm1,%xmm0 + movdqa %xmm10,%xmm3 +.byte 102,15,56,0,217 + pxor %xmm2,%xmm3 + movdqa %xmm10,%xmm4 +.byte 102,15,56,0,224 + pxor %xmm2,%xmm4 + movdqa %xmm10,%xmm2 +.byte 102,15,56,0,211 + pxor %xmm0,%xmm2 + movdqa %xmm10,%xmm3 +.byte 102,15,56,0,220 + pxor %xmm1,%xmm3 + movdqu (%r9),%xmm0 + jnz .Ldec_loop + + + movdqa 96(%r10),%xmm4 +.byte 102,15,56,0,226 + pxor %xmm0,%xmm4 + movdqa 112(%r10),%xmm0 + movdqa -352(%r11),%xmm2 +.byte 102,15,56,0,195 + pxor %xmm4,%xmm0 +.byte 102,15,56,0,194 + retq + + + + + + + +.def _vpaes_schedule_core; .scl 3; .type 32; .endef +.p2align 4 +_vpaes_schedule_core: + + + + + + call _vpaes_preheat + movdqa .Lk_rcon(%rip),%xmm8 + movdqu (%rdi),%xmm0 + + + movdqa %xmm0,%xmm3 + leaq .Lk_ipt(%rip),%r11 + call _vpaes_schedule_transform + movdqa %xmm0,%xmm7 + + leaq .Lk_sr(%rip),%r10 + testq %rcx,%rcx + jnz .Lschedule_am_decrypting + + + 
movdqu %xmm0,(%rdx) + jmp .Lschedule_go + +.Lschedule_am_decrypting: + + movdqa (%r8,%r10,1),%xmm1 +.byte 102,15,56,0,217 + movdqu %xmm3,(%rdx) + xorq $48,%r8 + +.Lschedule_go: + cmpl $192,%esi + ja .Lschedule_256 + je .Lschedule_192 + + + + + + + + + + +.Lschedule_128: + movl $10,%esi + +.Loop_schedule_128: + call _vpaes_schedule_round + decq %rsi + jz .Lschedule_mangle_last + call _vpaes_schedule_mangle + jmp .Loop_schedule_128 + + + + + + + + + + + + + + + + +.p2align 4 +.Lschedule_192: + movdqu 8(%rdi),%xmm0 + call _vpaes_schedule_transform + movdqa %xmm0,%xmm6 + pxor %xmm4,%xmm4 + movhlps %xmm4,%xmm6 + movl $4,%esi + +.Loop_schedule_192: + call _vpaes_schedule_round +.byte 102,15,58,15,198,8 + call _vpaes_schedule_mangle + call _vpaes_schedule_192_smear + call _vpaes_schedule_mangle + call _vpaes_schedule_round + decq %rsi + jz .Lschedule_mangle_last + call _vpaes_schedule_mangle + call _vpaes_schedule_192_smear + jmp .Loop_schedule_192 + + + + + + + + + + + +.p2align 4 +.Lschedule_256: + movdqu 16(%rdi),%xmm0 + call _vpaes_schedule_transform + movl $7,%esi + +.Loop_schedule_256: + call _vpaes_schedule_mangle + movdqa %xmm0,%xmm6 + + + call _vpaes_schedule_round + decq %rsi + jz .Lschedule_mangle_last + call _vpaes_schedule_mangle + + + pshufd $255,%xmm0,%xmm0 + movdqa %xmm7,%xmm5 + movdqa %xmm6,%xmm7 + call _vpaes_schedule_low_round + movdqa %xmm5,%xmm7 + + jmp .Loop_schedule_256 + + + + + + + + + + + + +.p2align 4 +.Lschedule_mangle_last: + + leaq .Lk_deskew(%rip),%r11 + testq %rcx,%rcx + jnz .Lschedule_mangle_last_dec + + + movdqa (%r8,%r10,1),%xmm1 +.byte 102,15,56,0,193 + leaq .Lk_opt(%rip),%r11 + addq $32,%rdx + +.Lschedule_mangle_last_dec: + addq $-16,%rdx + pxor .Lk_s63(%rip),%xmm0 + call _vpaes_schedule_transform + movdqu %xmm0,(%rdx) + + + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 + pxor %xmm6,%xmm6 + pxor %xmm7,%xmm7 + retq + + + + + + + + + + + + + + + + +.def 
_vpaes_schedule_192_smear; .scl 3; .type 32; .endef +.p2align 4 +_vpaes_schedule_192_smear: + pshufd $128,%xmm6,%xmm0 + pxor %xmm0,%xmm6 + pshufd $254,%xmm7,%xmm0 + pxor %xmm0,%xmm6 + movdqa %xmm6,%xmm0 + pxor %xmm1,%xmm1 + movhlps %xmm1,%xmm6 + retq + + + + + + + + + + + + + + + + + + + + +.def _vpaes_schedule_round; .scl 3; .type 32; .endef +.p2align 4 +_vpaes_schedule_round: + + pxor %xmm1,%xmm1 +.byte 102,65,15,58,15,200,15 +.byte 102,69,15,58,15,192,15 + pxor %xmm1,%xmm7 + + + pshufd $255,%xmm0,%xmm0 +.byte 102,15,58,15,192,1 + + + + +_vpaes_schedule_low_round: + + movdqa %xmm7,%xmm1 + pslldq $4,%xmm7 + pxor %xmm1,%xmm7 + movdqa %xmm7,%xmm1 + pslldq $8,%xmm7 + pxor %xmm1,%xmm7 + pxor .Lk_s63(%rip),%xmm7 + + + movdqa %xmm9,%xmm1 + pandn %xmm0,%xmm1 + psrld $4,%xmm1 + pand %xmm9,%xmm0 + movdqa %xmm11,%xmm2 +.byte 102,15,56,0,208 + pxor %xmm1,%xmm0 + movdqa %xmm10,%xmm3 +.byte 102,15,56,0,217 + pxor %xmm2,%xmm3 + movdqa %xmm10,%xmm4 +.byte 102,15,56,0,224 + pxor %xmm2,%xmm4 + movdqa %xmm10,%xmm2 +.byte 102,15,56,0,211 + pxor %xmm0,%xmm2 + movdqa %xmm10,%xmm3 +.byte 102,15,56,0,220 + pxor %xmm1,%xmm3 + movdqa %xmm13,%xmm4 +.byte 102,15,56,0,226 + movdqa %xmm12,%xmm0 +.byte 102,15,56,0,195 + pxor %xmm4,%xmm0 + + + pxor %xmm7,%xmm0 + movdqa %xmm0,%xmm7 + retq + + + + + + + + + + + +.def _vpaes_schedule_transform; .scl 3; .type 32; .endef +.p2align 4 +_vpaes_schedule_transform: + movdqa %xmm9,%xmm1 + pandn %xmm0,%xmm1 + psrld $4,%xmm1 + pand %xmm9,%xmm0 + movdqa (%r11),%xmm2 +.byte 102,15,56,0,208 + movdqa 16(%r11),%xmm0 +.byte 102,15,56,0,193 + pxor %xmm2,%xmm0 + retq + + + + + + + + + + + + + + + + + + + + + + + + + +.def _vpaes_schedule_mangle; .scl 3; .type 32; .endef +.p2align 4 +_vpaes_schedule_mangle: + movdqa %xmm0,%xmm4 + movdqa .Lk_mc_forward(%rip),%xmm5 + testq %rcx,%rcx + jnz .Lschedule_mangle_dec + + + addq $16,%rdx + pxor .Lk_s63(%rip),%xmm4 +.byte 102,15,56,0,229 + movdqa %xmm4,%xmm3 +.byte 102,15,56,0,229 + pxor %xmm4,%xmm3 +.byte 102,15,56,0,229 + 
pxor %xmm4,%xmm3 + + jmp .Lschedule_mangle_both +.p2align 4 +.Lschedule_mangle_dec: + + leaq .Lk_dksd(%rip),%r11 + movdqa %xmm9,%xmm1 + pandn %xmm4,%xmm1 + psrld $4,%xmm1 + pand %xmm9,%xmm4 + + movdqa 0(%r11),%xmm2 +.byte 102,15,56,0,212 + movdqa 16(%r11),%xmm3 +.byte 102,15,56,0,217 + pxor %xmm2,%xmm3 +.byte 102,15,56,0,221 + + movdqa 32(%r11),%xmm2 +.byte 102,15,56,0,212 + pxor %xmm3,%xmm2 + movdqa 48(%r11),%xmm3 +.byte 102,15,56,0,217 + pxor %xmm2,%xmm3 +.byte 102,15,56,0,221 + + movdqa 64(%r11),%xmm2 +.byte 102,15,56,0,212 + pxor %xmm3,%xmm2 + movdqa 80(%r11),%xmm3 +.byte 102,15,56,0,217 + pxor %xmm2,%xmm3 +.byte 102,15,56,0,221 + + movdqa 96(%r11),%xmm2 +.byte 102,15,56,0,212 + pxor %xmm3,%xmm2 + movdqa 112(%r11),%xmm3 +.byte 102,15,56,0,217 + pxor %xmm2,%xmm3 + + addq $-16,%rdx + +.Lschedule_mangle_both: + movdqa (%r8,%r10,1),%xmm1 +.byte 102,15,56,0,217 + addq $-16,%r8 + andq $48,%r8 + movdqu %xmm3,(%rdx) + retq + + + + + +.globl vpaes_set_encrypt_key +.def vpaes_set_encrypt_key; .scl 2; .type 32; .endef +.p2align 4 +vpaes_set_encrypt_key: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_vpaes_set_encrypt_key: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + + leaq -184(%rsp),%rsp + movaps %xmm6,16(%rsp) + movaps %xmm7,32(%rsp) + movaps %xmm8,48(%rsp) + movaps %xmm9,64(%rsp) + movaps %xmm10,80(%rsp) + movaps %xmm11,96(%rsp) + movaps %xmm12,112(%rsp) + movaps %xmm13,128(%rsp) + movaps %xmm14,144(%rsp) + movaps %xmm15,160(%rsp) +.Lenc_key_body: + movl %esi,%eax + shrl $5,%eax + addl $5,%eax + movl %eax,240(%rdx) + + movl $0,%ecx + movl $48,%r8d + call _vpaes_schedule_core + movaps 16(%rsp),%xmm6 + movaps 32(%rsp),%xmm7 + movaps 48(%rsp),%xmm8 + movaps 64(%rsp),%xmm9 + movaps 80(%rsp),%xmm10 + movaps 96(%rsp),%xmm11 + movaps 112(%rsp),%xmm12 + movaps 128(%rsp),%xmm13 + movaps 144(%rsp),%xmm14 + movaps 160(%rsp),%xmm15 + leaq 184(%rsp),%rsp +.Lenc_key_epilogue: + xorl %eax,%eax + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq 
+.LSEH_end_vpaes_set_encrypt_key: + +.globl vpaes_set_decrypt_key +.def vpaes_set_decrypt_key; .scl 2; .type 32; .endef +.p2align 4 +vpaes_set_decrypt_key: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_vpaes_set_decrypt_key: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + + leaq -184(%rsp),%rsp + movaps %xmm6,16(%rsp) + movaps %xmm7,32(%rsp) + movaps %xmm8,48(%rsp) + movaps %xmm9,64(%rsp) + movaps %xmm10,80(%rsp) + movaps %xmm11,96(%rsp) + movaps %xmm12,112(%rsp) + movaps %xmm13,128(%rsp) + movaps %xmm14,144(%rsp) + movaps %xmm15,160(%rsp) +.Ldec_key_body: + movl %esi,%eax + shrl $5,%eax + addl $5,%eax + movl %eax,240(%rdx) + shll $4,%eax + leaq 16(%rdx,%rax,1),%rdx + + movl $1,%ecx + movl %esi,%r8d + shrl $1,%r8d + andl $32,%r8d + xorl $32,%r8d + call _vpaes_schedule_core + movaps 16(%rsp),%xmm6 + movaps 32(%rsp),%xmm7 + movaps 48(%rsp),%xmm8 + movaps 64(%rsp),%xmm9 + movaps 80(%rsp),%xmm10 + movaps 96(%rsp),%xmm11 + movaps 112(%rsp),%xmm12 + movaps 128(%rsp),%xmm13 + movaps 144(%rsp),%xmm14 + movaps 160(%rsp),%xmm15 + leaq 184(%rsp),%rsp +.Ldec_key_epilogue: + xorl %eax,%eax + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_vpaes_set_decrypt_key: + +.globl vpaes_encrypt +.def vpaes_encrypt; .scl 2; .type 32; .endef +.p2align 4 +vpaes_encrypt: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_vpaes_encrypt: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + + leaq -184(%rsp),%rsp + movaps %xmm6,16(%rsp) + movaps %xmm7,32(%rsp) + movaps %xmm8,48(%rsp) + movaps %xmm9,64(%rsp) + movaps %xmm10,80(%rsp) + movaps %xmm11,96(%rsp) + movaps %xmm12,112(%rsp) + movaps %xmm13,128(%rsp) + movaps %xmm14,144(%rsp) + movaps %xmm15,160(%rsp) +.Lenc_body: + movdqu (%rdi),%xmm0 + call _vpaes_preheat + call _vpaes_encrypt_core + movdqu %xmm0,(%rsi) + movaps 16(%rsp),%xmm6 + movaps 32(%rsp),%xmm7 + movaps 48(%rsp),%xmm8 + movaps 64(%rsp),%xmm9 + movaps 80(%rsp),%xmm10 + movaps 96(%rsp),%xmm11 + movaps 112(%rsp),%xmm12 + 
movaps 128(%rsp),%xmm13 + movaps 144(%rsp),%xmm14 + movaps 160(%rsp),%xmm15 + leaq 184(%rsp),%rsp +.Lenc_epilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_vpaes_encrypt: + +.globl vpaes_decrypt +.def vpaes_decrypt; .scl 2; .type 32; .endef +.p2align 4 +vpaes_decrypt: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_vpaes_decrypt: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + + leaq -184(%rsp),%rsp + movaps %xmm6,16(%rsp) + movaps %xmm7,32(%rsp) + movaps %xmm8,48(%rsp) + movaps %xmm9,64(%rsp) + movaps %xmm10,80(%rsp) + movaps %xmm11,96(%rsp) + movaps %xmm12,112(%rsp) + movaps %xmm13,128(%rsp) + movaps %xmm14,144(%rsp) + movaps %xmm15,160(%rsp) +.Ldec_body: + movdqu (%rdi),%xmm0 + call _vpaes_preheat + call _vpaes_decrypt_core + movdqu %xmm0,(%rsi) + movaps 16(%rsp),%xmm6 + movaps 32(%rsp),%xmm7 + movaps 48(%rsp),%xmm8 + movaps 64(%rsp),%xmm9 + movaps 80(%rsp),%xmm10 + movaps 96(%rsp),%xmm11 + movaps 112(%rsp),%xmm12 + movaps 128(%rsp),%xmm13 + movaps 144(%rsp),%xmm14 + movaps 160(%rsp),%xmm15 + leaq 184(%rsp),%rsp +.Ldec_epilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_vpaes_decrypt: +.globl vpaes_cbc_encrypt +.def vpaes_cbc_encrypt; .scl 2; .type 32; .endef +.p2align 4 +vpaes_cbc_encrypt: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_vpaes_cbc_encrypt: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + movq 40(%rsp),%r8 + movq 48(%rsp),%r9 + + xchgq %rcx,%rdx + subq $16,%rcx + jc .Lcbc_abort + leaq -184(%rsp),%rsp + movaps %xmm6,16(%rsp) + movaps %xmm7,32(%rsp) + movaps %xmm8,48(%rsp) + movaps %xmm9,64(%rsp) + movaps %xmm10,80(%rsp) + movaps %xmm11,96(%rsp) + movaps %xmm12,112(%rsp) + movaps %xmm13,128(%rsp) + movaps %xmm14,144(%rsp) + movaps %xmm15,160(%rsp) +.Lcbc_body: + movdqu (%r8),%xmm6 + subq %rdi,%rsi + call _vpaes_preheat + cmpl $0,%r9d + je .Lcbc_dec_loop + jmp .Lcbc_enc_loop +.p2align 4 +.Lcbc_enc_loop: + movdqu (%rdi),%xmm0 + pxor %xmm6,%xmm0 + 
call _vpaes_encrypt_core + movdqa %xmm0,%xmm6 + movdqu %xmm0,(%rsi,%rdi,1) + leaq 16(%rdi),%rdi + subq $16,%rcx + jnc .Lcbc_enc_loop + jmp .Lcbc_done +.p2align 4 +.Lcbc_dec_loop: + movdqu (%rdi),%xmm0 + movdqa %xmm0,%xmm7 + call _vpaes_decrypt_core + pxor %xmm6,%xmm0 + movdqa %xmm7,%xmm6 + movdqu %xmm0,(%rsi,%rdi,1) + leaq 16(%rdi),%rdi + subq $16,%rcx + jnc .Lcbc_dec_loop +.Lcbc_done: + movdqu %xmm6,(%r8) + movaps 16(%rsp),%xmm6 + movaps 32(%rsp),%xmm7 + movaps 48(%rsp),%xmm8 + movaps 64(%rsp),%xmm9 + movaps 80(%rsp),%xmm10 + movaps 96(%rsp),%xmm11 + movaps 112(%rsp),%xmm12 + movaps 128(%rsp),%xmm13 + movaps 144(%rsp),%xmm14 + movaps 160(%rsp),%xmm15 + leaq 184(%rsp),%rsp +.Lcbc_epilogue: +.Lcbc_abort: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_vpaes_cbc_encrypt: + + + + + + +.def _vpaes_preheat; .scl 3; .type 32; .endef +.p2align 4 +_vpaes_preheat: + leaq .Lk_s0F(%rip),%r10 + movdqa -32(%r10),%xmm10 + movdqa -16(%r10),%xmm11 + movdqa 0(%r10),%xmm9 + movdqa 48(%r10),%xmm13 + movdqa 64(%r10),%xmm12 + movdqa 80(%r10),%xmm15 + movdqa 96(%r10),%xmm14 + retq + + + + + + + +.p2align 6 +_vpaes_consts: +.Lk_inv: +.quad 0x0E05060F0D080180, 0x040703090A0B0C02 +.quad 0x01040A060F0B0780, 0x030D0E0C02050809 + +.Lk_s0F: +.quad 0x0F0F0F0F0F0F0F0F, 0x0F0F0F0F0F0F0F0F + +.Lk_ipt: +.quad 0xC2B2E8985A2A7000, 0xCABAE09052227808 +.quad 0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81 + +.Lk_sb1: +.quad 0xB19BE18FCB503E00, 0xA5DF7A6E142AF544 +.quad 0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF +.Lk_sb2: +.quad 0xE27A93C60B712400, 0x5EB7E955BC982FCD +.quad 0x69EB88400AE12900, 0xC2A163C8AB82234A +.Lk_sbo: +.quad 0xD0D26D176FBDC700, 0x15AABF7AC502A878 +.quad 0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA + +.Lk_mc_forward: +.quad 0x0407060500030201, 0x0C0F0E0D080B0A09 +.quad 0x080B0A0904070605, 0x000302010C0F0E0D +.quad 0x0C0F0E0D080B0A09, 0x0407060500030201 +.quad 0x000302010C0F0E0D, 0x080B0A0904070605 + +.Lk_mc_backward: +.quad 0x0605040702010003, 0x0E0D0C0F0A09080B +.quad 0x020100030E0D0C0F, 
0x0A09080B06050407 +.quad 0x0E0D0C0F0A09080B, 0x0605040702010003 +.quad 0x0A09080B06050407, 0x020100030E0D0C0F + +.Lk_sr: +.quad 0x0706050403020100, 0x0F0E0D0C0B0A0908 +.quad 0x030E09040F0A0500, 0x0B06010C07020D08 +.quad 0x0F060D040B020900, 0x070E050C030A0108 +.quad 0x0B0E0104070A0D00, 0x0306090C0F020508 + +.Lk_rcon: +.quad 0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81 + +.Lk_s63: +.quad 0x5B5B5B5B5B5B5B5B, 0x5B5B5B5B5B5B5B5B + +.Lk_opt: +.quad 0xFF9F4929D6B66000, 0xF7974121DEBE6808 +.quad 0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0 + +.Lk_deskew: +.quad 0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A +.quad 0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77 + + + + + +.Lk_dksd: +.quad 0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9 +.quad 0x41C277F4B5368300, 0x5FDC69EAAB289D1E +.Lk_dksb: +.quad 0x9A4FCA1F8550D500, 0x03D653861CC94C99 +.quad 0x115BEDA7B6FC4A00, 0xD993256F7E3482C8 +.Lk_dkse: +.quad 0xD5031CCA1FC9D600, 0x53859A4C994F5086 +.quad 0xA23196054FDC7BE8, 0xCD5EF96A20B31487 +.Lk_dks9: +.quad 0xB6116FC87ED9A700, 0x4AED933482255BFC +.quad 0x4576516227143300, 0x8BB89FACE9DAFDCE + + + + + +.Lk_dipt: +.quad 0x0F505B040B545F00, 0x154A411E114E451A +.quad 0x86E383E660056500, 0x12771772F491F194 + +.Lk_dsb9: +.quad 0x851C03539A86D600, 0xCAD51F504F994CC9 +.quad 0xC03B1789ECD74900, 0x725E2C9EB2FBA565 +.Lk_dsbd: +.quad 0x7D57CCDFE6B1A200, 0xF56E9B13882A4439 +.quad 0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3 +.Lk_dsbb: +.quad 0xD022649296B44200, 0x602646F6B0F2D404 +.quad 0xC19498A6CD596700, 0xF3FF0C3E3255AA6B +.Lk_dsbe: +.quad 0x46F2929626D4D000, 0x2242600464B4F6B0 +.quad 0x0C55A6CDFFAAC100, 0x9467F36B98593E32 +.Lk_dsbo: +.quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D +.quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C +.byte 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,120,56,54,95,54,52,47,83,83,83,69,51,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0 +.p2align 6 + + +.def se_handler; .scl 
3; .type 32; .endef +.p2align 4 +se_handler: + pushq %rsi + pushq %rdi + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushfq + subq $64,%rsp + + movq 120(%r8),%rax + movq 248(%r8),%rbx + + movq 8(%r9),%rsi + movq 56(%r9),%r11 + + movl 0(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jb .Lin_prologue + + movq 152(%r8),%rax + + movl 4(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jae .Lin_prologue + + leaq 16(%rax),%rsi + leaq 512(%r8),%rdi + movl $20,%ecx +.long 0xa548f3fc + leaq 184(%rax),%rax + +.Lin_prologue: + movq 8(%rax),%rdi + movq 16(%rax),%rsi + movq %rax,152(%r8) + movq %rsi,168(%r8) + movq %rdi,176(%r8) + + movq 40(%r9),%rdi + movq %r8,%rsi + movl $154,%ecx +.long 0xa548f3fc + + movq %r9,%rsi + xorq %rcx,%rcx + movq 8(%rsi),%rdx + movq 0(%rsi),%r8 + movq 16(%rsi),%r9 + movq 40(%rsi),%r10 + leaq 56(%rsi),%r11 + leaq 24(%rsi),%r12 + movq %r10,32(%rsp) + movq %r11,40(%rsp) + movq %r12,48(%rsp) + movq %rcx,56(%rsp) + call *__imp_RtlVirtualUnwind(%rip) + + movl $1,%eax + addq $64,%rsp + popfq + popq %r15 + popq %r14 + popq %r13 + popq %r12 + popq %rbp + popq %rbx + popq %rdi + popq %rsi + retq + + +.section .pdata +.p2align 2 +.rva .LSEH_begin_vpaes_set_encrypt_key +.rva .LSEH_end_vpaes_set_encrypt_key +.rva .LSEH_info_vpaes_set_encrypt_key + +.rva .LSEH_begin_vpaes_set_decrypt_key +.rva .LSEH_end_vpaes_set_decrypt_key +.rva .LSEH_info_vpaes_set_decrypt_key + +.rva .LSEH_begin_vpaes_encrypt +.rva .LSEH_end_vpaes_encrypt +.rva .LSEH_info_vpaes_encrypt + +.rva .LSEH_begin_vpaes_decrypt +.rva .LSEH_end_vpaes_decrypt +.rva .LSEH_info_vpaes_decrypt + +.rva .LSEH_begin_vpaes_cbc_encrypt +.rva .LSEH_end_vpaes_cbc_encrypt +.rva .LSEH_info_vpaes_cbc_encrypt + +.section .xdata +.p2align 3 +.LSEH_info_vpaes_set_encrypt_key: +.byte 9,0,0,0 +.rva se_handler +.rva .Lenc_key_body,.Lenc_key_epilogue +.LSEH_info_vpaes_set_decrypt_key: +.byte 9,0,0,0 +.rva se_handler +.rva .Ldec_key_body,.Ldec_key_epilogue 
+.LSEH_info_vpaes_encrypt: +.byte 9,0,0,0 +.rva se_handler +.rva .Lenc_body,.Lenc_epilogue +.LSEH_info_vpaes_decrypt: +.byte 9,0,0,0 +.rva se_handler +.rva .Ldec_body,.Ldec_epilogue +.LSEH_info_vpaes_cbc_encrypt: +.byte 9,0,0,0 +.rva se_handler +.rva .Lcbc_body,.Lcbc_epilogue diff --git a/crypto/arm_arch.h b/crypto/arm_arch.h new file mode 100644 index 0000000..8c5115e --- /dev/null +++ b/crypto/arm_arch.h 
@@ -0,0 +1,59 @@
+/* $OpenBSD: arm_arch.h,v 1.10 2019/07/02 19:31:28 patrick Exp $ */
+#ifndef __ARM_ARCH_H__
+#define __ARM_ARCH_H__
+
+#if !defined(__ARM_ARCH__)
+# if defined(__CC_ARM)
+# define __ARM_ARCH__ __TARGET_ARCH_ARM
+# if defined(__BIG_ENDIAN)
+# define __ARMEB__
+# else
+# define __ARMEL__
+# endif
+# elif defined(__GNUC__)
+ /*
+ * Why doesn't gcc define __ARM_ARCH__? Instead it defines
+ * bunch of below macros. See all_architectures[] table in
+ * gcc/config/arm/arm.c. On a side note it defines
+ * __ARMEL__/__ARMEB__ for little-/big-endian.
+ */
+# if defined(__ARM_ARCH)
+# define __ARM_ARCH__ __ARM_ARCH
+# elif defined(__ARM_ARCH_8A__)
+# define __ARM_ARCH__ 8
+# elif defined(__ARM_ARCH_7__) || defined(__ARM_ARCH_7A__) || \
+ defined(__ARM_ARCH_7R__)|| defined(__ARM_ARCH_7M__) || \
+ defined(__ARM_ARCH_7EM__)
+# define __ARM_ARCH__ 7
+# elif defined(__ARM_ARCH_6__) || defined(__ARM_ARCH_6J__) || \
+ defined(__ARM_ARCH_6K__)|| defined(__ARM_ARCH_6M__) || \
+ defined(__ARM_ARCH_6Z__)|| defined(__ARM_ARCH_6ZK__) || \
+ defined(__ARM_ARCH_6T2__)
+# define __ARM_ARCH__ 6
+# elif defined(__ARM_ARCH_5__) || defined(__ARM_ARCH_5T__) || \
+ defined(__ARM_ARCH_5E__)|| defined(__ARM_ARCH_5TE__) || \
+ defined(__ARM_ARCH_5TEJ__)
+# define __ARM_ARCH__ 5
+# elif defined(__ARM_ARCH_4__) || defined(__ARM_ARCH_4T__)
+# define __ARM_ARCH__ 4
+# else
+# error "unsupported ARM architecture"
+# endif
+# endif
+#endif
+
+#if !defined(__ASSEMBLER__)
+extern unsigned int OPENSSL_armcap_P;
+
+#define ARMV7_NEON (1<<0)
+#define ARMV8_AES (1<<1)
+#define ARMV8_SHA1 (1<<2)
+#define ARMV8_SHA256 (1<<3)
+#define ARMV8_PMULL (1<<4)
+#endif
+
+#if defined(__OpenBSD__)
+#define __STRICT_ALIGNMENT
+#endif
+
+#endif
diff --git a/crypto/armcap.c b/crypto/armcap.c
new file mode 100644
index 0000000..8c49832
--- /dev/null
+++ b/crypto/armcap.c
@@ -0,0 +1,88 @@
+/* $OpenBSD: armcap.c,v 1.8 2019/03/13 10:18:30 patrick Exp $ */
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "arm_arch.h"
+
+unsigned int OPENSSL_armcap_P;
+
+#if __ARM_ARCH__ >= 7
+static sigset_t all_masked;
+
+static sigjmp_buf ill_jmp;
+ static void ill_handler (int sig) { siglongjmp(ill_jmp, sig);
+}
+
+/*
+ * Following subroutines could have been inlined, but it's not all
+ * ARM compilers support inline assembler...
+ */
+void _armv7_neon_probe(void);
+void _armv8_aes_probe(void);
+void _armv8_sha1_probe(void);
+void _armv8_sha256_probe(void);
+void _armv8_pmull_probe(void);
+#endif
+
+#if defined(__GNUC__) && __GNUC__>=2
+void OPENSSL_cpuid_setup(void) __attribute__((constructor));
+#endif
+
+void
+OPENSSL_cpuid_setup(void)
+{
+#if __ARM_ARCH__ >= 7
+ struct sigaction ill_oact, ill_act;
+ sigset_t oset;
+#endif
+ static int trigger = 0;
+
+ if (trigger)
+ return;
+ trigger = 1;
+
+ OPENSSL_armcap_P = 0;
+
+#if __ARM_ARCH__ >= 7
+ sigfillset(&all_masked);
+ sigdelset(&all_masked, SIGILL);
+ sigdelset(&all_masked, SIGTRAP);
+ sigdelset(&all_masked, SIGFPE);
+ sigdelset(&all_masked, SIGBUS);
+ sigdelset(&all_masked, SIGSEGV);
+
+ memset(&ill_act, 0, sizeof(ill_act));
+ ill_act.sa_handler = ill_handler;
+ ill_act.sa_mask = all_masked;
+
+ sigprocmask(SIG_SETMASK, &ill_act.sa_mask, &oset);
+ sigaction(SIGILL, &ill_act, &ill_oact);
+
+ if (sigsetjmp(ill_jmp, 1) == 0) {
+ _armv7_neon_probe();
+ OPENSSL_armcap_P |= ARMV7_NEON;
+ if (sigsetjmp(ill_jmp, 1) == 0) {
+ _armv8_pmull_probe();
+ OPENSSL_armcap_P |= ARMV8_PMULL | ARMV8_AES;
+ } else if (sigsetjmp(ill_jmp, 1) == 0) {
+ _armv8_aes_probe();
+ OPENSSL_armcap_P |= ARMV8_AES;
+ }
+ if (sigsetjmp(ill_jmp, 1) == 0) {
+ _armv8_sha1_probe();
+ OPENSSL_armcap_P |= ARMV8_SHA1;
+ }
+ if (sigsetjmp(ill_jmp, 1) == 0) {
+ _armv8_sha256_probe();
+ OPENSSL_armcap_P |= ARMV8_SHA256;
+ }
+ }
+
+ sigaction (SIGILL, &ill_oact, NULL);
+ sigprocmask(SIG_SETMASK, &oset, NULL);
+#endif
+}
diff --git a/crypto/armv4cpuid.S b/crypto/armv4cpuid.S
new file mode 100644
index 0000000..bb9abaf
--- /dev/null
+++ b/crypto/armv4cpuid.S
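Review bot: OPENSSL_cpuid_setup installs a process-wide SIGILL disposition with `sigaction(SIGILL, &ill_act, &ill_oact)` while `sigprocmask` only changes the calling thread's mask, so if the function ever runs after other threads exist, a SIGILL raised on another thread would `siglongjmp` into this thread's single global `ill_jmp`. The constructor attribute makes that unlikely under normal loading, but the function is also externally callable and the `trigger` guard is a plain `static int` with no synchronization, so the assumption is worth stating. I would add above the definition: `/* Must complete before any other thread exists: the SIGILL handler is process-wide and ill_jmp is one global buffer. */`. The emptied `#include` lines appear to be a rendering artifact of this page rather than part of the change.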
@@ -0,0 +1,165 @@
+#include "arm_arch.h"
+
+.text
+#if defined(__thumb2__) && !defined(__APPLE__)
+.syntax unified
+.thumb
+#else
+.code 32
+#undef __thumb2__
+#endif
+
+.align 5
+.globl OPENSSL_atomic_add
+.type OPENSSL_atomic_add,%function
+OPENSSL_atomic_add:
+#if __ARM_ARCH__>=6
+.Ladd: ldrex r2,[r0]
+ add r3,r2,r1
+ strex r2,r3,[r0]
+ cmp r2,#0
+ bne .Ladd
+ mov r0,r3
+ bx lr
+#else
+ stmdb sp!,{r4,r5,r6,lr}
+ ldr r2,.Lspinlock
+ adr r3,.Lspinlock
+ mov r4,r0
+ mov r5,r1
+ add r6,r3,r2 @ &spinlock
+ b .+8
+.Lspin: bl sched_yield
+ mov r0,#-1
+ swp r0,r0,[r6]
+ cmp r0,#0
+ bne .Lspin
+
+ ldr r2,[r4]
+ add r2,r2,r5
+ str r2,[r4]
+ str r0,[r6] @ release spinlock
+ ldmia sp!,{r4,r5,r6,lr}
+ tst lr,#1
+ moveq pc,lr
+.word 0xe12fff1e @ bx lr
+#endif
+.size OPENSSL_atomic_add,.-OPENSSL_atomic_add
+
+#if __ARM_ARCH__>=7
+.arch armv7-a
+.fpu neon
+
+.align 5
+.globl _armv7_neon_probe
+.type _armv7_neon_probe,%function
+_armv7_neon_probe:
+ vorr q0,q0,q0
+ bx lr
+.size _armv7_neon_probe,.-_armv7_neon_probe
+
+.globl _armv8_aes_probe
+.type _armv8_aes_probe,%function
+_armv8_aes_probe:
+#if defined(__thumb2__) && !defined(__APPLE__)
+.byte 0xb0,0xff,0x00,0x03 @ aese.8 q0,q0
+#else
+.byte 0x00,0x03,0xb0,0xf3 @ aese.8 q0,q0
+#endif
+ bx lr
+.size _armv8_aes_probe,.-_armv8_aes_probe
+
+.globl _armv8_sha1_probe
+.type _armv8_sha1_probe,%function
+_armv8_sha1_probe:
+#if defined(__thumb2__) && !defined(__APPLE__)
+.byte 0x00,0xef,0x40,0x0c @ sha1c.32 q0,q0,q0
+#else
+.byte 0x40,0x0c,0x00,0xf2 @ sha1c.32 q0,q0,q0
+#endif
+ bx lr
+.size _armv8_sha1_probe,.-_armv8_sha1_probe
+
+.globl _armv8_sha256_probe
+.type _armv8_sha256_probe,%function
+_armv8_sha256_probe:
+#if defined(__thumb2__) && !defined(__APPLE__)
+.byte 0x00,0xff,0x40,0x0c @ sha256h.32 q0,q0,q0
+#else
+.byte 0x40,0x0c,0x00,0xf3 @ sha256h.32 q0,q0,q0
+#endif
+ bx lr
+.size _armv8_sha256_probe,.-_armv8_sha256_probe
+.globl _armv8_pmull_probe
+.type _armv8_pmull_probe,%function
+_armv8_pmull_probe:
+#if defined(__thumb2__) && !defined(__APPLE__)
+.byte 0xa0,0xef,0x00,0x0e @ vmull.p64 q0,d0,d0
+#else
+.byte 0x00,0x0e,0xa0,0xf2 @ vmull.p64 q0,d0,d0
+#endif
+ bx lr
+.size _armv8_pmull_probe,.-_armv8_pmull_probe
+#endif
+
+.globl OPENSSL_wipe_cpu
+.type OPENSSL_wipe_cpu,%function
+OPENSSL_wipe_cpu:
+#if __ARM_ARCH__>=7
+ ldr r0,.LOPENSSL_armcap
+ adr r1,.LOPENSSL_armcap
+ ldr r0,[r1,r0]
+#ifdef __APPLE__
+ ldr r0,[r0]
+#endif
+#endif
+ eor r2,r2,r2
+ eor r3,r3,r3
+ eor ip,ip,ip
+#if __ARM_ARCH__>=7
+ tst r0,#1
+ beq .Lwipe_done
+ veor q0, q0, q0
+ veor q1, q1, q1
+ veor q2, q2, q2
+ veor q3, q3, q3
+ veor q8, q8, q8
+ veor q9, q9, q9
+ veor q10, q10, q10
+ veor q11, q11, q11
+ veor q12, q12, q12
+ veor q13, q13, q13
+ veor q14, q14, q14
+ veor q15, q15, q15
+.Lwipe_done:
+#endif
+ mov r0,sp
+#if __ARM_ARCH__>=5
+ bx lr
+#else
+ tst lr,#1
+ moveq pc,lr
+.word 0xe12fff1e @ bx lr
+#endif
+.size OPENSSL_wipe_cpu,.-OPENSSL_wipe_cpu
+
+.align 5
+#if __ARM_ARCH__>=7
+.LOPENSSL_armcap:
+.word OPENSSL_armcap_P-.
+#endif
+#if __ARM_ARCH__>=6
+.align 5
+#else
+.Lspinlock:
+.word atomic_add_spinlock-.Lspinlock
+.align 5
+
+.data
+.align 2
+atomic_add_spinlock:
+.word 0
+#endif
+
+.comm OPENSSL_armcap_P,4,4
+.hidden OPENSSL_armcap_P
diff --git a/crypto/asn1/a_bitstr.c b/crypto/asn1/a_bitstr.c
index 9ba77d6..f217f13 100644
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_bitstr.c,v 1.24 2017/01/29 17:49:22 beck Exp $ */
+/* $OpenBSD: a_bitstr.c,v 1.30 2020/09/03 17:19:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -118,10 +118,11 @@ i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 *(p++) = (unsigned char)bits;
 d = a->data;
- memcpy(p, d, len);
- p += len;
- if (len > 0)
- p[-1]&=(0xff << bits);
+ if (len > 0) {
+ memcpy(p, d, len);
+ p += len;
+ p[-1] &= 0xff << bits;
+ }
 *pp = p;
 return (ret);
 }
@@ -135,29 +136,34 @@ c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, const unsigned char **pp, long len) int i; if (len < 1) { - i = ASN1_R_STRING_TOO_SHORT; + ASN1error(ASN1_R_STRING_TOO_SHORT); goto err; } - if ((a == NULL) || ((*a) == NULL)) { + if (a == NULL || *a == NULL) { if ((ret = ASN1_BIT_STRING_new()) == NULL) return (NULL); } else - ret = (*a); + ret = *a; p = *pp; i = *(p++); - /* We do this to preserve the settings. If we modify - * the settings, via the _set_bit function, we will recalculate - * on output */ - ret->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear */ - ret->flags|=(ASN1_STRING_FLAG_BITS_LEFT|(i&0x07)); /* set */ + if (i > 7) { + ASN1error(ASN1_R_INVALID_BIT_STRING_BITS_LEFT); + goto err; + } - if (len-- > 1) /* using one because of the bits left byte */ - { - s = malloc(len); - if (s == NULL) { - i = ERR_R_MALLOC_FAILURE; + /* + * We do this to preserve the settings. If we modify the settings, + * via the _set_bit function, we will recalculate on output. + */ + ret->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); /* clear */ + ret->flags |= (ASN1_STRING_FLAG_BITS_LEFT | i); /* set */ + + /* using one because of the bits left byte */ + if (len-- > 1) { + if ((s = malloc(len)) == NULL) { + ASN1error(ERR_R_MALLOC_FAILURE); goto err; } memcpy(s, p, len); @@ -166,24 +172,25 @@ c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, const unsigned char **pp, long len) } else s = NULL; - ret->length = (int)len; free(ret->data); ret->data = s; + ret->length = (int)len; ret->type = V_ASN1_BIT_STRING; + if (a != NULL) - (*a) = ret; + *a = ret; + *pp = p; + return (ret); -err: - ASN1error(i); - if ((ret != NULL) && ((a == NULL) || (*a != ret))) + err: + if (a == NULL || *a != ret) ASN1_BIT_STRING_free(ret); + return (NULL); } -/* These next 2 functions from Goetz Babin-Ebell - */ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value) { 
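Review bot: The early `goto err` on `len < 1` now lands on `if (a == NULL || *a != ret) ASN1_BIT_STRING_free(ret);` in the second hunk before anything in these hunks has assigned `ret`, so correctness depends on `ret` being NULL-initialised at its declaration, which is outside the hunk; please confirm, since an indeterminate `ret` would be handed to the free when `a == NULL` or `*a == NULL`. The new `i > 7` check correctly rejects an out-of-range unused-bits byte, but as far as the visible flow shows it still accepts a non-zero count when there are no content octets (`len == 1`), which DER does not allow; if that leniency is intentional it deserves a comment on the check, e.g. `/* BER: a non-zero unused-bits count with no content octets is not rejected */`. c2i_ASN1_BIT_STRING's declarations and prologue lie outside the hunk.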
@@ -204,13 +211,10 @@ ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
 if ((a->length < (w + 1)) || (a->data == NULL)) {
 if (!value)
 return(1); /* Don't need to set */
- c = OPENSSL_realloc_clean(a->data, a->length, w + 1);
- if (c == NULL) {
+ if ((c = recallocarray(a->data, a->length, w + 1, 1)) == NULL) {
 ASN1error(ERR_R_MALLOC_FAILURE);
 return 0;
 }
- if (w + 1 - a->length > 0)
- memset(c + a->length, 0, w + 1 - a->length);
 a->data = c;
 a->length = w + 1;
 }
@@ -222,7 +226,7 @@ ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
 }
 int
-ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n)
+ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n)
 {
 int w, v;
@@ -240,7 +244,8 @@ ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n)
 * 'len' is the length of 'flags'.
 */
 int
-ASN1_BIT_STRING_check(ASN1_BIT_STRING *a, unsigned char *flags, int flags_len)
+ASN1_BIT_STRING_check(const ASN1_BIT_STRING *a, const unsigned char *flags,
+ int flags_len)
 {
 int i, ok;
diff --git a/crypto/asn1/a_bytes.c b/crypto/asn1/a_bytes.c
deleted file mode 100644
index f3fe234..0000000
--- a/crypto/asn1/a_bytes.c
+++ /dev/null
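Review bot: `recallocarray` is an OpenBSD libc extension, and the targets this commit adds (MinGW, MSVC) have no native version, so the portable build must supply a compat implementation for this call to link; the hunk cannot show whether it does, so confirm. The replacement also silently drops the explicit `memset` of the grown tail, which is only correct because, per its OpenBSD documentation, `recallocarray` zero-fills new space and clears the old block before releasing it; a one-line comment would keep a future reader from reinstating the memset, e.g. `/* recallocarray zero-fills the new tail and scrubs the old block */`. The const-qualification hunks for ASN1_BIT_STRING_get_bit and ASN1_BIT_STRING_check need nothing further.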
@@ -1,306 +0,0 @@
-/* $OpenBSD: a_bytes.c,v 1.19 2017/01/29 17:49:22 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3.
All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- * the apps directory (application code) you must include an acknowledgement:
- * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed. i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include
-#include
-
-#include
-#include
-#include
-
-static int asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c);
-/* type is a 'bitmap' of acceptable string types.
- */ -ASN1_STRING * -d2i_ASN1_type_bytes(ASN1_STRING **a, const unsigned char **pp, - long length, int type) -{ - ASN1_STRING *ret = NULL; - const unsigned char *p; - unsigned char *s; - long len; - int inf, tag, xclass; - int i = 0; - - p = *pp; - inf = ASN1_get_object(&p, &len, &tag, &xclass, length); - if (inf & 0x80) - goto err; - - if (tag >= 32) { - i = ASN1_R_TAG_VALUE_TOO_HIGH; - goto err; - } - if (!(ASN1_tag2bit(tag) & type)) { - i = ASN1_R_WRONG_TYPE; - goto err; - } - - /* If a bit-string, exit early */ - if (tag == V_ASN1_BIT_STRING) - return (d2i_ASN1_BIT_STRING(a, pp, length)); - - if ((a == NULL) || ((*a) == NULL)) { - if ((ret = ASN1_STRING_new()) == NULL) - return (NULL); - } else - ret = (*a); - - if (len != 0) { - s = malloc(len + 1); - if (s == NULL) { - i = ERR_R_MALLOC_FAILURE; - goto err; - } - memcpy(s, p, len); - s[len]='\0'; - p += len; - } else - s = NULL; - - free(ret->data); - ret->length = (int)len; - ret->data = s; - ret->type = tag; - if (a != NULL) - (*a) = ret; - *pp = p; - return (ret); - -err: - ASN1error(i); - if (a == NULL || *a != ret) - ASN1_STRING_free(ret); - return (NULL); -} - -int -i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass) -{ - int ret, r, constructed; - unsigned char *p; - - if (a == NULL) - return (0); - - if (tag == V_ASN1_BIT_STRING) - return (i2d_ASN1_BIT_STRING(a, pp)); - - ret = a->length; - r = ASN1_object_size(0, ret, tag); - if (pp == NULL) - return (r); - p = *pp; - - if ((tag == V_ASN1_SEQUENCE) || (tag == V_ASN1_SET)) - constructed = 1; - else - constructed = 0; - ASN1_put_object(&p, constructed, ret, tag, xclass); - memcpy(p, a->data, a->length); - p += a->length; - *pp = p; - return (r); -} - -ASN1_STRING * -d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp, - long length, int Ptag, int Pclass) -{ - ASN1_STRING *ret = NULL; - const unsigned char *p; - unsigned char *s; - long len; - int inf, tag, xclass; - int i = 0; - - if ((a == NULL) || ((*a) == NULL)) { - if ((ret 
= ASN1_STRING_new()) == NULL) - return (NULL); - } else - ret = (*a); - - p= *pp; - inf = ASN1_get_object(&p, &len, &tag, &xclass, length); - if (inf & 0x80) { - i = ASN1_R_BAD_OBJECT_HEADER; - goto err; - } - - if (tag != Ptag) { - i = ASN1_R_WRONG_TAG; - goto err; - } - - if (inf & V_ASN1_CONSTRUCTED) { - ASN1_const_CTX c; - - c.pp = pp; - c.p = p; - c.inf = inf; - c.slen = len; - c.tag = Ptag; - c.xclass = Pclass; - c.max = (length == 0) ? 0 : (p + length); - if (!asn1_collate_primitive(ret, &c)) - goto err; - else { - p = c.p; - } - } else { - if (len != 0) { - if ((ret->length < len) || (ret->data == NULL)) { - free(ret->data); - ret->data = NULL; - s = malloc(len + 1); - if (s == NULL) { - i = ERR_R_MALLOC_FAILURE; - goto err; - } - } else - s = ret->data; - memcpy(s, p, len); - s[len] = '\0'; - p += len; - } else { - s = NULL; - free(ret->data); - } - - ret->length = (int)len; - ret->data = s; - ret->type = Ptag; - } - - if (a != NULL) - (*a) = ret; - *pp = p; - return (ret); - -err: - if (a == NULL || *a != ret) - ASN1_STRING_free(ret); - ASN1error(i); - return (NULL); -} - - -/* We are about to parse 0..n d2i_ASN1_bytes objects, we are to collapse - * them into the one structure that is then returned */ -/* There have been a few bug fixes for this function from - * Paul Keogh , many thanks to him */ -static int -asn1_collate_primitive(ASN1_STRING *a, ASN1_const_CTX *c) -{ - ASN1_STRING *os = NULL; - BUF_MEM b; - int num; - - b.length = 0; - b.max = 0; - b.data = NULL; - - if (a == NULL) { - c->error = ERR_R_PASSED_NULL_PARAMETER; - goto err; - } - - num = 0; - for (;;) { - if (c->inf & 1) { - c->eos = ASN1_const_check_infinite_end(&c->p, - (long)(c->max - c->p)); - if (c->eos) - break; - } else { - if (c->slen <= 0) - break; - } - - c->q = c->p; - if (d2i_ASN1_bytes(&os, &c->p, c->max - c->p, c->tag, - c->xclass) == NULL) { - c->error = ERR_R_ASN1_LIB; - goto err; - } - - if (!BUF_MEM_grow_clean(&b, num + os->length)) { - c->error = ERR_R_BUF_LIB; - goto 
err; - } - memcpy(&(b.data[num]), os->data, os->length); - if (!(c->inf & 1)) - c->slen -= (c->p - c->q); - num += os->length; - } - - if (!asn1_const_Finish(c)) - goto err; - - a->length = num; - free(a->data); - a->data = (unsigned char *)b.data; - ASN1_STRING_free(os); - return (1); - -err: - ASN1error(c->error); - ASN1_STRING_free(os); - free(b.data); - return (0); -} diff --git a/crypto/asn1/a_digest.c b/crypto/asn1/a_digest.c index 085a57d..5b95adf 100644 --- a/crypto/asn1/a_digest.c +++ b/crypto/asn1/a_digest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_digest.c,v 1.15 2014/07/11 08:44:47 jsing Exp $ */ +/* $OpenBSD: a_digest.c,v 1.16 2018/04/06 09:19:36 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -77,8 +77,11 @@ ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, void *asn, if (!str) return (0); - if (!EVP_Digest(str, i, md, len, type, NULL)) - return 0; + if (!EVP_Digest(str, i, md, len, type, NULL)) { + free(str); + return (0); + } + free(str); return (1); } diff --git a/crypto/asn1/a_enum.c b/crypto/asn1/a_enum.c index 2387595..0952e04 100644 --- a/crypto/asn1/a_enum.c +++ b/crypto/asn1/a_enum.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_enum.c,v 1.18 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: a_enum.c,v 1.20 2019/04/28 05:05:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include #include #include @@ -104,10 +105,10 @@ ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v) } long -ASN1_ENUMERATED_get(ASN1_ENUMERATED *a) +ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a) { int neg = 0, i; - long r = 0; + unsigned long r = 0; if (a == NULL) return (0L); 
@@ -128,13 +129,17 @@ ASN1_ENUMERATED_get(ASN1_ENUMERATED *a) r <<= 8; r |= (unsigned char)a->data[i]; } + + if (r > LONG_MAX) + return -1; + if (neg) - r = -r; - return (r); + return -(long)r; + return (long)r; } ASN1_ENUMERATED * -BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai) +BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai) { ASN1_ENUMERATED *ret; int len, j; @@ -177,7 +182,7 @@ err: } BIGNUM * -ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn) +ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn) { BIGNUM *ret; diff --git a/crypto/asn1/a_int.c b/crypto/asn1/a_int.c index 95d0f6d..d14bd79 100644 --- a/crypto/asn1/a_int.c +++ b/crypto/asn1/a_int.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_int.c,v 1.31 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: a_int.c,v 1.34 2019/04/28 05:03:56 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -56,6 +56,7 @@ * [including the GNU Public Licence.] */ +#include #include #include @@ -63,9 +64,18 @@ #include #include +static int +ASN1_INTEGER_valid(const ASN1_INTEGER *a) +{ + return (a != NULL && a->length >= 0); +} + ASN1_INTEGER * ASN1_INTEGER_dup(const ASN1_INTEGER *x) { + if (!ASN1_INTEGER_valid(x)) + return NULL; + return ASN1_STRING_dup(x); } @@ -123,8 +133,9 @@ i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp) int pad = 0, ret, i, neg; unsigned char *p, *n, pb = 0; - if (a == NULL) - return (0); + if (!ASN1_INTEGER_valid(a)) + return 0; + neg = a->type & V_ASN1_NEG; if (a->length == 0) ret = 1; 
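Review bot: The new `if (r > LONG_MAX) return -1;` makes -1 mean both "overflow" and the legitimate ENUMERATED value -1, and unlike the matching ASN1_INTEGER_get change elsewhere in this commit the ambiguity gets no comment here. Suggest the same kind of note above ASN1_ENUMERATED_get: `/* XXX -1 is returned both for the value -1 and on overflow; use ASN1_ENUMERATED_to_BN when the distinction matters. */`. The top of the function is above the hunk; I assume a length guard comparable to the `a->length > (int)sizeof(long)` check in ASN1_INTEGER_get precedes the shift loop, otherwise `r` could wrap before the new comparison sees it.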
@@ -201,11 +212,24 @@ c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp, long len) } else ret = (*a); + if (!ASN1_INTEGER_valid(ret)) { + /* + * XXX using i for an alert is confusing, + * we should call this al + */ + i = ERR_R_ASN1_LENGTH_MISMATCH; + goto err; + } + p = *pp; pend = p + len; /* We must malloc stuff, even for 0 bytes otherwise it * signifies a missing NULL parameter. */ + if (len < 0 || len > INT_MAX) { + i = ERR_R_ASN1_LENGTH_MISMATCH; + goto err; + } s = malloc(len + 1); if (s == NULL) { i = ERR_R_MALLOC_FAILURE; @@ -294,6 +318,11 @@ d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, long length) } else ret = (*a); + if (!ASN1_INTEGER_valid(ret)) { + i = ERR_R_ASN1_LENGTH_MISMATCH; + goto err; + } + p = *pp; inf = ASN1_get_object(&p, &len, &tag, &xclass, length); if (inf & 0x80) { @@ -308,6 +337,10 @@ d2i_ASN1_UINTEGER(ASN1_INTEGER **a, const unsigned char **pp, long length) /* We must malloc stuff, even for 0 bytes otherwise it * signifies a missing NULL parameter. */ + if (len < 0 || len > INT_MAX) { + i = ERR_R_ASN1_LENGTH_MISMATCH; + goto err; + } s = malloc(len + 1); if (s == NULL) { i = ERR_R_MALLOC_FAILURE; @@ -375,11 +408,17 @@ ASN1_INTEGER_set(ASN1_INTEGER *a, long v) return (1); } +/* + * XXX this particular API is a gibbering eidrich horror that makes it + * impossible to determine valid return cases from errors.. "a bit + * ugly" is preserved for posterity, unfortunately this is probably + * unfixable without changing public API + */ long ASN1_INTEGER_get(const ASN1_INTEGER *a) { int neg = 0, i; - long r = 0; + unsigned long r = 0; if (a == NULL) return (0L); @@ -389,6 +428,9 @@ ASN1_INTEGER_get(const ASN1_INTEGER *a) else if (i != V_ASN1_INTEGER) return -1; + if (!ASN1_INTEGER_valid(a)) + return -1; /* XXX best effort */ + if (a->length > (int)sizeof(long)) { /* hmm... a bit ugly, return all ones */ return -1; 
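Review bot: The new bound `len > INT_MAX` still admits `len == INT_MAX`, and the `malloc(len + 1)` right after it then overflows `len` on targets where `long` is 32 bits (i386, and Windows in both 32- and 64-bit builds), which is undefined behaviour rather than a NULL return. Using `if (len < 0 || len >= INT_MAX) {` closes that edge, and placing the check above `pend = p + len;` also avoids forming a pointer from a negative length. The d2i_ASN1_UINTEGER hunk further down this file adds the same check and wants the same edge. The rest of c2i_ASN1_INTEGER, including the `err:` label that consumes `i`, lies outside the hunk.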
@@ -400,9 +442,13 @@ ASN1_INTEGER_get(const ASN1_INTEGER *a) r <<= 8; r |= (unsigned char)a->data[i]; } + + if (r > LONG_MAX) + return -1; + if (neg) - r = -r; - return (r); + return -(long)r; + return (long)r; } ASN1_INTEGER * @@ -419,6 +465,10 @@ BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai) ASN1error(ERR_R_NESTED_ASN1_ERROR); goto err; } + + if (!ASN1_INTEGER_valid(ret)) + goto err; + if (BN_is_negative(bn)) ret->type = V_ASN1_NEG_INTEGER; else @@ -453,6 +503,9 @@ ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn) { BIGNUM *ret; + if (!ASN1_INTEGER_valid(ai)) + return (NULL); + if ((ret = BN_bin2bn(ai->data, ai->length, bn)) == NULL) ASN1error(ASN1_R_BN_LIB); else if (ai->type == V_ASN1_NEG_INTEGER) diff --git a/crypto/asn1/a_object.c b/crypto/asn1/a_object.c index e10af97..16c3a1c 100644 --- a/crypto/asn1/a_object.c +++ b/crypto/asn1/a_object.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_object.c,v 1.30 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: a_object.c,v 1.31 2018/04/25 11:48:21 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -67,7 +67,7 @@ #include int -i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp) +i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp) { unsigned char *p; int objsize; @@ -213,13 +213,13 @@ err: } int -i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *a) +i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a) { return OBJ_obj2txt(buf, buf_len, a, 0); } int -i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a) +i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a) { char *tmp = NULL; size_t tlen = 256; diff --git a/crypto/asn1/a_set.c b/crypto/asn1/a_set.c deleted file mode 100644 index 4d5cae3..0000000 --- a/crypto/asn1/a_set.c +++ /dev/null 
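Review bot: The new `if (!ASN1_INTEGER_valid(ret)) goto err;` in BN_to_ASN1_INTEGER returns NULL without recording a reason, whereas the failure just above it pushes `ASN1error(ERR_R_NESTED_ASN1_ERROR)` first, so callers reading the error queue see nothing for this case. Pushing a reason before the jump, `ASN1error(ERR_R_ASN1_LENGTH_MISMATCH); goto err;`, matches both that path and the reason c2i_ASN1_INTEGER uses for the same condition in this commit. The ASN1_INTEGER_to_BN hunk below has the same silent `return (NULL);` next to a BN_bin2bn failure that does report ASN1_R_BN_LIB. The `err:` label of BN_to_ASN1_INTEGER is outside the hunk, so whether it frees a freshly allocated `ret` on this path is not visible here.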
@@ -1,236 +0,0 @@
-/* $OpenBSD: a_set.c,v 1.18 2017/01/29 17:49:22 beck Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to. The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code. The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * "This product includes cryptographic software written by
- * Eric Young (eay@cryptsoft.com)"
- * The word 'cryptographic' can be left out if the rouines from the library
- * being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include -#include - -#include -#include - -#ifndef NO_ASN1_OLD - -typedef struct { - unsigned char *pbData; - int cbData; -} MYBLOB; - -/* SetBlobCmp - * This function compares two elements of SET_OF block - */ -static int -SetBlobCmp(const void *elem1, const void *elem2) -{ - const MYBLOB *b1 = (const MYBLOB *)elem1; - const MYBLOB *b2 = (const MYBLOB *)elem2; - int r; - - r = memcmp(b1->pbData, b2->pbData, - b1->cbData < b2->cbData ? b1->cbData : b2->cbData); - if (r != 0) - return r; - return b1->cbData - b2->cbData; -} - -/* int is_set: if TRUE, then sort the contents (i.e. 
it isn't a SEQUENCE) */ -int -i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp, i2d_of_void *i2d, - int ex_tag, int ex_class, int is_set) -{ - int ret = 0, r; - int i; - unsigned char *p; - unsigned char *pStart, *pTempMem; - MYBLOB *rgSetBlob; - int totSize; - - if (a == NULL) - return 0; - for (i = sk_OPENSSL_BLOCK_num(a) - 1; i >= 0; i--) - ret += i2d(sk_OPENSSL_BLOCK_value(a, i), NULL); - r = ASN1_object_size(1, ret, ex_tag); - if (pp == NULL) - return r; - - p = *pp; - ASN1_put_object(&p, 1, ret, ex_tag, ex_class); - - /* Modified by gp@nsj.co.jp */ - /* And then again by Ben */ - /* And again by Steve */ - - if (!is_set || (sk_OPENSSL_BLOCK_num(a) < 2)) { - for (i = 0; i < sk_OPENSSL_BLOCK_num(a); i++) - i2d(sk_OPENSSL_BLOCK_value(a, i), &p); - - *pp = p; - return r; - } - - pStart = p; /* Catch the beg of Setblobs*/ - /* In this array we will store the SET blobs */ - rgSetBlob = reallocarray(NULL, sk_OPENSSL_BLOCK_num(a), sizeof(MYBLOB)); - if (rgSetBlob == NULL) { - ASN1error(ERR_R_MALLOC_FAILURE); - return 0; - } - - for (i = 0; i < sk_OPENSSL_BLOCK_num(a); i++) { - rgSetBlob[i].pbData = p; /* catch each set encode blob */ - i2d(sk_OPENSSL_BLOCK_value(a, i), &p); - /* Length of this SetBlob */ - rgSetBlob[i].cbData = p - rgSetBlob[i].pbData; - } - *pp = p; - totSize = p - pStart; /* This is the total size of all set blobs */ - - /* Now we have to sort the blobs. I am using a simple algo. 
- * Sort ptrs - * Copy to temp-mem - * Copy from temp-mem to user-mem - */ - qsort(rgSetBlob, sk_OPENSSL_BLOCK_num(a), sizeof(MYBLOB), SetBlobCmp); - if ((pTempMem = malloc(totSize)) == NULL) { - free(rgSetBlob); - ASN1error(ERR_R_MALLOC_FAILURE); - return 0; - } - - /* Copy to temp mem */ - p = pTempMem; - for (i = 0; i < sk_OPENSSL_BLOCK_num(a); ++i) { - memcpy(p, rgSetBlob[i].pbData, rgSetBlob[i].cbData); - p += rgSetBlob[i].cbData; - } - - /* Copy back to user mem*/ - memcpy(pStart, pTempMem, totSize); - free(pTempMem); - free(rgSetBlob); - - return r; -} - -STACK_OF(OPENSSL_BLOCK) * -d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a, const unsigned char **pp, long length, - d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK), int ex_tag, - int ex_class) -{ - ASN1_const_CTX c; - STACK_OF(OPENSSL_BLOCK) *ret = NULL; - - if (a == NULL || (*a) == NULL) { - if ((ret = sk_OPENSSL_BLOCK_new_null()) == NULL) { - ASN1error(ERR_R_MALLOC_FAILURE); - goto err; - } - } else - ret = *a; - - c.p = *pp; - c.max = (length == 0) ? 
0 : (c.p + length); - - c.inf = ASN1_get_object(&c.p, &c.slen, &c.tag, &c.xclass, c.max - c.p); - if (c.inf & 0x80) - goto err; - if (ex_class != c.xclass) { - ASN1error(ASN1_R_BAD_CLASS); - goto err; - } - if (ex_tag != c.tag) { - ASN1error(ASN1_R_BAD_TAG); - goto err; - } - if (c.slen + c.p > c.max) { - ASN1error(ASN1_R_LENGTH_ERROR); - goto err; - } - /* check for infinite constructed - it can be as long - * as the amount of data passed to us */ - if (c.inf == (V_ASN1_CONSTRUCTED + 1)) - c.slen = length + *pp - c.p; - c.max = c.p + c.slen; - - while (c.p < c.max) { - char *s; - - if (M_ASN1_D2I_end_sequence()) - break; - if ((s = d2i(NULL, &c.p, c.slen)) == NULL) { - ASN1error(ASN1_R_ERROR_PARSING_SET_ELEMENT); - asn1_add_error(*pp, (int)(c.p - *pp)); - goto err; - } - if (!sk_OPENSSL_BLOCK_push(ret, s)) - goto err; - } - if (a != NULL) - *a = ret; - *pp = c.p; - return ret; - -err: - if (a == NULL || *a != ret) { - if (free_func != NULL) - sk_OPENSSL_BLOCK_pop_free(ret, free_func); - else - sk_OPENSSL_BLOCK_free(ret); - } - return NULL; -} - -#endif diff --git a/crypto/asn1/a_strex.c b/crypto/asn1/a_strex.c index f60a70d..4e3decc 100644 --- a/crypto/asn1/a_strex.c +++ b/crypto/asn1/a_strex.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_strex.c,v 1.25 2015/02/07 13:19:15 doug Exp $ */ +/* $OpenBSD: a_strex.c,v 1.28 2018/05/19 10:46:28 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -289,7 +289,7 @@ do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen) */ static int -do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str) +do_dump(unsigned long lflags, char_io *io_ch, void *arg, const ASN1_STRING *str) { /* Placing the ASN1_STRING in a temp ASN1_TYPE allows * the DER encoding to readily obtained 
@@ -346,7 +346,8 @@ static const signed char tag2nbyte[] = { */ static int -do_print_ex(char_io *io_ch, void *arg, unsigned long lflags, ASN1_STRING *str) +do_print_ex(char_io *io_ch, void *arg, unsigned long lflags, + const ASN1_STRING *str) { int outlen, len; int type; @@ -439,7 +440,7 @@ do_indent(char_io *io_ch, void *arg, int indent) #define FN_WIDTH_SN 10 static int -do_name_ex(char_io *io_ch, void *arg, X509_NAME *n, int indent, +do_name_ex(char_io *io_ch, void *arg, const X509_NAME *n, int indent, unsigned long flags) { int i, prev = -1, orflags, cnt; @@ -581,7 +582,8 @@ do_name_ex(char_io *io_ch, void *arg, X509_NAME *n, int indent, /* Wrappers round the main functions */ int -X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags) +X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent, + unsigned long flags) { if (flags == XN_FLAG_COMPAT) return X509_NAME_print(out, nm, indent); @@ -589,7 +591,8 @@ X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags) } int -X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags) +X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent, + unsigned long flags) { if (flags == XN_FLAG_COMPAT) { BIO *btmp; @@ -605,13 +608,13 @@ X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags) } int -ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags) +ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, unsigned long flags) { return do_print_ex(send_bio_chars, out, flags, str); } int -ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags) +ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, unsigned long flags) { return do_print_ex(send_fp_chars, fp, flags, str); } 
@@ -621,7 +624,7 @@ ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags) */ int -ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in) +ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in) { ASN1_STRING stmp, *str = &stmp; int mbflag, type, ret; diff --git a/crypto/asn1/a_time_tm.c b/crypto/asn1/a_time_tm.c index b13f7c7..b6e22cb 100644 --- a/crypto/asn1/a_time_tm.c +++ b/crypto/asn1/a_time_tm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_time_tm.c,v 1.14 2017/08/28 17:42:47 jsing Exp $ */ +/* $OpenBSD: a_time_tm.c,v 1.15 2018/04/25 11:48:21 tb Exp $ */ /* * Copyright (c) 2015 Bob Beck * @@ -337,7 +337,7 @@ ASN1_TIME_adj(ASN1_TIME *s, time_t t, int offset_day, long offset_sec) } int -ASN1_TIME_check(ASN1_TIME *t) +ASN1_TIME_check(const ASN1_TIME *t) { if (t->type != V_ASN1_GENERALIZEDTIME && t->type != V_ASN1_UTCTIME) return (0); @@ -345,7 +345,7 @@ ASN1_TIME_check(ASN1_TIME *t) } ASN1_GENERALIZEDTIME * -ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZEDTIME **out) +ASN1_TIME_to_generalizedtime(const ASN1_TIME *t, ASN1_GENERALIZEDTIME **out) { ASN1_GENERALIZEDTIME *tmp = NULL; struct tm tm; @@ -386,7 +386,7 @@ ASN1_TIME_set_string(ASN1_TIME *s, const char *str) */ int -ASN1_UTCTIME_check(ASN1_UTCTIME *d) +ASN1_UTCTIME_check(const ASN1_UTCTIME *d) { if (d->type != V_ASN1_UTCTIME) return (0); @@ -442,7 +442,7 @@ ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t2) */ int -ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d) +ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *d) { if (d->type != V_ASN1_GENERALIZEDTIME) return (0); diff --git a/crypto/asn1/a_type.c b/crypto/asn1/a_type.c index ed1dec0..a18ffe6 100644 --- a/crypto/asn1/a_type.c +++ b/crypto/asn1/a_type.c @@ -1,4 +1,4 @@ -/* $OpenBSD: a_type.c,v 1.19 2016/05/04 15:00:24 tedu Exp $ */ +/* $OpenBSD: a_type.c,v 1.21 2019/10/24 16:36:10 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -62,7 +62,7 @@ #include int -ASN1_TYPE_get(ASN1_TYPE *a) +ASN1_TYPE_get(const ASN1_TYPE *a) { if ((a->value.ptr != NULL) || (a->type == V_ASN1_NULL)) return (a->type); @@ -108,7 +108,7 @@ ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value) /* Returns 0 if they are equal, != 0 otherwise. */ int -ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b) +ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b) { int result = -1; @@ -154,3 +154,34 @@ ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b) return result; } + +ASN1_TYPE * +ASN1_TYPE_pack_sequence(const ASN1_ITEM *it, void *s, ASN1_TYPE **t) +{ + ASN1_OCTET_STRING *oct; + ASN1_TYPE *rt; + + if ((oct = ASN1_item_pack(s, it, NULL)) == NULL) + return NULL; + + if (t != NULL && *t != NULL) { + rt = *t; + } else { + if ((rt = ASN1_TYPE_new()) == NULL) { + ASN1_OCTET_STRING_free(oct); + return NULL; + } + if (t != NULL) + *t = rt; + } + ASN1_TYPE_set(rt, V_ASN1_SEQUENCE, oct); + return rt; +} + +void * +ASN1_TYPE_unpack_sequence(const ASN1_ITEM *it, const ASN1_TYPE *t) +{ + if (t == NULL || t->type != V_ASN1_SEQUENCE || t->value.sequence == NULL) + return NULL; + return ASN1_item_unpack(t->value.sequence, it); +} diff --git a/crypto/asn1/ameth_lib.c b/crypto/asn1/ameth_lib.c index b27d72a..8be8206 100644 --- a/crypto/asn1/ameth_lib.c +++ b/crypto/asn1/ameth_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ameth_lib.c,v 1.16 2017/01/21 04:31:25 jsing Exp $ */ +/* $OpenBSD: ameth_lib.c,v 1.21 2019/11/02 16:06:25 inoguchi Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -71,6 +71,7 @@ #include "asn1_locl.h" extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[]; +extern const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth; extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[]; extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth; extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth; 
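Review bot: The two new functions in a_type.c are internal API (this commit also declares them in asn1_locl.h) yet carry no comment on ownership, which is the main thing a caller needs: `oct` is handed to `ASN1_TYPE_set` and from then on belongs to the returned ASN1_TYPE, and when `*t` is non-NULL that object is reused, its previous value presumably released inside ASN1_TYPE_set (not visible here — worth confirming). Suggest a header comment on ASN1_TYPE_pack_sequence: `/* DER-encode s as it and store the encoding as a V_ASN1_SEQUENCE in *t (allocated when *t is NULL); the returned ASN1_TYPE owns the encoding. */` and on ASN1_TYPE_unpack_sequence: `/* Decode the SEQUENCE held by t as it; returns NULL when t is not a SEQUENCE or decoding fails. */`.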
@@ -104,6 +105,9 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = { #endif &hmac_asn1_meth, &cmac_asn1_meth, +#ifndef OPENSSL_NO_RSA + &rsa_pss_asn1_meth, +#endif #ifndef OPENSSL_NO_GOST &gostr01_asn1_meths[1], &gostr01_asn1_meths[2], @@ -299,7 +303,7 @@ EVP_PKEY_asn1_get0_info(int *ppkey_id, int *ppkey_base_id, int *ppkey_flags, } const EVP_PKEY_ASN1_METHOD* -EVP_PKEY_get0_asn1(EVP_PKEY *pkey) +EVP_PKEY_get0_asn1(const EVP_PKEY *pkey) { return pkey->ameth; } @@ -309,59 +313,26 @@ EVP_PKEY_asn1_new(int id, int flags, const char *pem_str, const char *info) { EVP_PKEY_ASN1_METHOD *ameth; - ameth = calloc(1, sizeof(EVP_PKEY_ASN1_METHOD)); - if (!ameth) + if ((ameth = calloc(1, sizeof(EVP_PKEY_ASN1_METHOD))) == NULL) return NULL; ameth->pkey_id = id; ameth->pkey_base_id = id; ameth->pkey_flags = flags | ASN1_PKEY_DYNAMIC; - if (info) { - ameth->info = strdup(info); - if (!ameth->info) + if (info != NULL) { + if ((ameth->info = strdup(info)) == NULL) goto err; - } else - ameth->info = NULL; + } - if (pem_str) { - ameth->pem_str = strdup(pem_str); - if (!ameth->pem_str) + if (pem_str != NULL) { + if ((ameth->pem_str = strdup(pem_str)) == NULL) goto err; - } else - ameth->pem_str = NULL; - - ameth->pub_decode = 0; - ameth->pub_encode = 0; - ameth->pub_cmp = 0; - ameth->pub_print = 0; - - ameth->priv_decode = 0; - ameth->priv_encode = 0; - ameth->priv_print = 0; - - ameth->old_priv_encode = 0; - ameth->old_priv_decode = 0; - - ameth->item_verify = 0; - ameth->item_sign = 0; - - ameth->pkey_size = 0; - ameth->pkey_bits = 0; - - ameth->param_decode = 0; - ameth->param_encode = 0; - ameth->param_missing = 0; - ameth->param_copy = 0; - ameth->param_cmp = 0; - ameth->param_print = 0; - - ameth->pkey_free = 0; - ameth->pkey_ctrl = 0; + } return ameth; -err: + err: EVP_PKEY_asn1_free(ameth); return NULL; } 
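Review bot: `&rsa_pss_asn1_meth` is appended after `&cmac_asn1_meth` rather than next to the other RSA entries, which only matters if the lookup over `standard_methods` is a binary search keyed on `pkey_id` — the find routine is not in this hunk, but the OpenSSL code this table derives from requires it to be sorted by NID for exactly that reason. If that holds here, NID_rsassaPss must sort between the cmac and GOST identifiers for this placement to be correct, and a comment above the array, `/* Keep this table sorted by pkey_id: it is searched with OBJ_bsearch. */`, would stop the next addition from silently breaking lookup. Worth verifying against the find routine lower in this file before merging.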
@@ -390,6 +361,7 @@ EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD *dst, const EVP_PKEY_ASN1_METHOD *src) dst->param_copy = src->param_copy; dst->param_cmp = src->param_cmp; dst->param_print = src->param_print; + dst->sig_print = src->sig_print; dst->pkey_free = src->pkey_free; dst->pkey_ctrl = src->pkey_ctrl; @@ -428,7 +400,7 @@ EVP_PKEY_asn1_set_public(EVP_PKEY_ASN1_METHOD *ameth, void EVP_PKEY_asn1_set_private(EVP_PKEY_ASN1_METHOD *ameth, - int (*priv_decode)(EVP_PKEY *pk, PKCS8_PRIV_KEY_INFO *p8inf), + int (*priv_decode)(EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf), int (*priv_encode)(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk), int (*priv_print)(BIO *out, const EVP_PKEY *pkey, int indent, ASN1_PCTX *pctx)) diff --git a/crypto/asn1/asn1_err.c b/crypto/asn1/asn1_err.c index 0c827a9..5cc3550 100644 --- a/crypto/asn1/asn1_err.c +++ b/crypto/asn1/asn1_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_err.c,v 1.20 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: asn1_err.c,v 1.21 2018/03/29 02:29:24 inoguchi Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * @@ -150,6 +150,7 @@ static ERR_STRING_DATA ASN1_str_reasons[] = { {ERR_REASON(ASN1_R_MSTRING_NOT_UNIVERSAL), "mstring not universal"}, {ERR_REASON(ASN1_R_MSTRING_WRONG_TAG) , "mstring wrong tag"}, {ERR_REASON(ASN1_R_NESTED_ASN1_STRING) , "nested asn1 string"}, + {ERR_REASON(ASN1_R_NESTED_TOO_DEEP) , "nested too deep"}, {ERR_REASON(ASN1_R_NON_HEX_CHARACTERS) , "non hex characters"}, {ERR_REASON(ASN1_R_NOT_ASCII_FORMAT) , "not ascii format"}, {ERR_REASON(ASN1_R_NOT_ENOUGH_DATA) , "not enough data"}, diff --git a/crypto/asn1/asn1_gen.c b/crypto/asn1/asn1_gen.c index f84cc61..ad7802c 100644 --- a/crypto/asn1/asn1_gen.c +++ b/crypto/asn1/asn1_gen.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_gen.c,v 1.16 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: asn1_gen.c,v 1.17 2018/04/25 11:48:21 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2002. */ @@ -121,7 +121,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype); static int asn1_str2tag(const char *tagstr, int len); ASN1_TYPE * -ASN1_generate_nconf(char *str, CONF *nconf) +ASN1_generate_nconf(const char *str, CONF *nconf) { X509V3_CTX cnf; @@ -133,7 +133,7 @@ ASN1_generate_nconf(char *str, CONF *nconf) } ASN1_TYPE * -ASN1_generate_v3(char *str, X509V3_CTX *cnf) +ASN1_generate_v3(const char *str, X509V3_CTX *cnf) { ASN1_TYPE *ret; tag_exp_arg asn1_tags; diff --git a/crypto/asn1/asn1_lib.c b/crypto/asn1/asn1_lib.c index 970102c..5dc520c 100644 --- a/crypto/asn1/asn1_lib.c +++ b/crypto/asn1/asn1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_lib.c,v 1.40 2018/02/14 16:46:04 jsing Exp $ */ +/* $OpenBSD: asn1_lib.c,v 1.44 2018/11/17 09:34:11 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -98,7 +98,7 @@ ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, { int i, ret; long l; - const unsigned char *p= *pp; + const unsigned char *p = *pp; int tag, xclass, inf; long max = omax; @@ -106,7 +106,7 @@ ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, goto err; ret = (*p & V_ASN1_CONSTRUCTED); xclass = (*p & V_ASN1_PRIVATE); - i= *p & V_ASN1_PRIMITIVE_TAG; + i = *p & V_ASN1_PRIMITIVE_TAG; if (i == V_ASN1_PRIMITIVE_TAG) { /* high-tag */ p++; if (--max == 0) @@ -156,7 +156,7 @@ err: static int asn1_get_length(const unsigned char **pp, int *inf, long *rl, int max) { - const unsigned char *p= *pp; + const unsigned char *p = *pp; unsigned long ret = 0; unsigned int i; 
@@ -168,7 +168,7 @@ asn1_get_length(const unsigned char **pp, int *inf, long *rl, int max) p++; } else { *inf = 0; - i= *p & 0x7f; + i = *p & 0x7f; if (*(p++) & 0x80) { if (max < (int)i) return (0); @@ -199,7 +199,7 @@ void ASN1_put_object(unsigned char **pp, int constructed, int length, int tag, int xclass) { - unsigned char *p= *pp; + unsigned char *p = *pp; int i, ttag; i = (constructed) ? V_ASN1_CONSTRUCTED : 0; @@ -240,7 +240,7 @@ ASN1_put_eoc(unsigned char **pp) static void asn1_put_length(unsigned char **pp, int length) { - unsigned char *p= *pp; + unsigned char *p = *pp; int i, l; if (length <= 127) @@ -285,62 +285,6 @@ ASN1_object_size(int constructed, int length, int tag) return (ret); } -static int -_asn1_Finish(ASN1_const_CTX *c) -{ - if ((c->inf == (1|V_ASN1_CONSTRUCTED)) && (!c->eos)) { - if (!ASN1_const_check_infinite_end(&c->p, c->slen)) { - c->error = ERR_R_MISSING_ASN1_EOS; - return (0); - } - } - if (((c->slen != 0) && !(c->inf & 1)) || - ((c->slen < 0) && (c->inf & 1))) { - c->error = ERR_R_ASN1_LENGTH_MISMATCH; - return (0); - } - return (1); -} - -int -asn1_Finish(ASN1_CTX *c) -{ - return _asn1_Finish((ASN1_const_CTX *)c); -} - -int -asn1_const_Finish(ASN1_const_CTX *c) -{ - return _asn1_Finish(c); -} - -int -asn1_GetSequence(ASN1_const_CTX *c, long *length) -{ - const unsigned char *q; - - q = c->p; - c->inf = ASN1_get_object(&(c->p), &(c->slen), &(c->tag), &(c->xclass), - *length); - if (c->inf & 0x80) { - c->error = ERR_R_BAD_GET_ASN1_OBJECT_CALL; - return (0); - } - if (c->tag != V_ASN1_SEQUENCE) { - c->error = ERR_R_EXPECTING_AN_ASN1_SEQUENCE; - return (0); - } - (*length) -= (c->p - q); - if (c->max && (*length < 0)) { - c->error = ERR_R_ASN1_LENGTH_MISMATCH; - return (0); - } - if (c->inf == (1|V_ASN1_CONSTRUCTED)) - c->slen= *length+ *(c->pp) - c->p; - c->eos = 0; - return (1); -} - int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str) { 
@@ -394,7 +338,7 @@ ASN1_STRING_set(ASN1_STRING *str, const void *_data, int len) if (data != NULL) { memmove(str->data, data, len); } - str->data[str->length]='\0'; + str->data[str->length] = '\0'; return (1); } @@ -474,7 +418,7 @@ ASN1_STRING_length_set(ASN1_STRING *x, int len) } int -ASN1_STRING_type(ASN1_STRING *x) +ASN1_STRING_type(const ASN1_STRING *x) { return (x->type); } diff --git a/crypto/asn1/asn1_locl.h b/crypto/asn1/asn1_locl.h index aa35f7b..39779d9 100644 --- a/crypto/asn1/asn1_locl.h +++ b/crypto/asn1/asn1_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_locl.h,v 1.10 2017/08/27 01:39:26 beck Exp $ */ +/* $OpenBSD: asn1_locl.h,v 1.12 2019/10/24 16:36:10 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -60,6 +60,9 @@ __BEGIN_HIDDEN_DECLS /* Internal ASN1 structures and functions: not for application use */ +ASN1_TYPE *ASN1_TYPE_pack_sequence(const ASN1_ITEM *it, void *s, ASN1_TYPE **t); +void *ASN1_TYPE_unpack_sequence(const ASN1_ITEM *it, const ASN1_TYPE *t); + /* ASN1 print context structure */ struct asn1_pctx_st { @@ -86,7 +89,7 @@ struct evp_pkey_asn1_method_st { int (*pub_print)(BIO *out, const EVP_PKEY *pkey, int indent, ASN1_PCTX *pctx); - int (*priv_decode)(EVP_PKEY *pk, PKCS8_PRIV_KEY_INFO *p8inf); + int (*priv_decode)(EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf); int (*priv_encode)(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk); int (*priv_print)(BIO *out, const EVP_PKEY *pkey, int indent, ASN1_PCTX *pctx); diff --git a/crypto/asn1/asn1_par.c b/crypto/asn1/asn1_par.c index 72326a9..1ec9b1a 100644 --- a/crypto/asn1/asn1_par.c +++ b/crypto/asn1/asn1_par.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1_par.c,v 1.25 2015/09/30 19:01:14 jsing Exp $ */ +/* $OpenBSD: asn1_par.c,v 1.28 2020/01/09 11:27:21 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -123,6 +123,8 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, int nl, hl, j, r; ASN1_OBJECT *o = NULL; ASN1_OCTET_STRING *os = NULL; + ASN1_INTEGER *ai = NULL; + ASN1_ENUMERATED *ae = NULL; /* ASN1_BMPSTRING *bmp=NULL;*/ int dump_indent; @@ -130,6 +132,10 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, p = *pp; tot = p + length; op = p - 1; + if (depth > 128) { + BIO_printf(bp, "Max depth exceeded\n"); + goto end; + } while ((p < tot) && (op < p)) { op = p; j = ASN1_get_object(&p, &len, &tag, &xclass, length); @@ -177,12 +183,14 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, ret = 0; goto end; } - if ((r == 2) || (p >= tot)) + if ((r == 2) || (p >= tot)) { + len = (long)(p - ep); break; + } } - } else + } else { while (p < ep) { - r = asn1_parse2(bp, &p, (long)len, + r = asn1_parse2(bp, &p, (long)(ep - p), offset + (p - *pp), depth + 1, indent, dump); if (r == 0) { @@ -190,6 +198,7 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, goto end; } } + } } else if (xclass != 0) { p += len; if (BIO_write(bp, "\n", 1) <= 0) @@ -289,23 +298,22 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, ASN1_OCTET_STRING_free(os); os = NULL; } else if (tag == V_ASN1_INTEGER) { - ASN1_INTEGER *bs; int i; opp = op; - bs = d2i_ASN1_INTEGER(NULL, &opp, len + hl); - if (bs != NULL) { + ai = d2i_ASN1_INTEGER(NULL, &opp, len + hl); + if (ai != NULL) { if (BIO_write(bp, ":", 1) <= 0) goto end; - if (bs->type == V_ASN1_NEG_INTEGER) + if (ai->type == V_ASN1_NEG_INTEGER) if (BIO_write(bp, "-", 1) <= 0) goto end; - for (i = 0; i < bs->length; i++) { + for (i = 0; i < ai->length; i++) { if (BIO_printf(bp, "%02X", - bs->data[i]) <= 0) + ai->data[i]) <= 0) goto end; } - if (bs->length == 0) { + if (ai->length == 0) { if (BIO_write(bp, "00", 2) <= 0) goto end; } 
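Review bot: The new depth guard in asn1_parse2 (`if (depth > 128)`) prints "Max depth exceeded" without checking the BIO_printf result, while every other write in this function tests for `<= 0` before continuing; it also relies on `ret` still holding its entry value so that the `goto end` reports failure, and that initialisation is outside the hunk. I would name the bound and make the write uniform, e.g. `#define ASN1_PARSE_MAX_DEPTH 128` with the comment `/* Bound recursion on nested constructed values; independent of ASN1_MAX_CONSTRUCTED_NEST in tasn_dec.c. */`, then `if (BIO_printf(bp, "Max depth exceeded\n") <= 0) goto end;` inside the guard. The body of asn1_parse2 continues well past this hunk, so the effect on `ret` should be confirmed against the declarations above it.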
@@ -313,25 +321,25 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, if (BIO_write(bp, "BAD INTEGER", 11) <= 0) goto end; } - ASN1_INTEGER_free(bs); + ASN1_INTEGER_free(ai); + ai = NULL; } else if (tag == V_ASN1_ENUMERATED) { - ASN1_ENUMERATED *bs; int i; opp = op; - bs = d2i_ASN1_ENUMERATED(NULL, &opp, len + hl); - if (bs != NULL) { + ae = d2i_ASN1_ENUMERATED(NULL, &opp, len + hl); + if (ae != NULL) { if (BIO_write(bp, ":", 1) <= 0) goto end; - if (bs->type == V_ASN1_NEG_ENUMERATED) + if (ae->type == V_ASN1_NEG_ENUMERATED) if (BIO_write(bp, "-", 1) <= 0) goto end; - for (i = 0; i < bs->length; i++) { + for (i = 0; i < ae->length; i++) { if (BIO_printf(bp, "%02X", - bs->data[i]) <= 0) + ae->data[i]) <= 0) goto end; } - if (bs->length == 0) { + if (ae->length == 0) { if (BIO_write(bp, "00", 2) <= 0) goto end; } @@ -339,7 +347,8 @@ asn1_parse2(BIO *bp, const unsigned char **pp, long length, int offset, if (BIO_write(bp, "BAD ENUMERATED", 14) <= 0) goto end; } - ASN1_ENUMERATED_free(bs); + ASN1_ENUMERATED_free(ae); + ae = NULL; } else if (len > 0 && dump) { if (!nl) { if (BIO_write(bp, "\n", 1) <= 0) @@ -370,6 +379,8 @@ end: if (o != NULL) ASN1_OBJECT_free(o); ASN1_OCTET_STRING_free(os); + ASN1_INTEGER_free(ai); + ASN1_ENUMERATED_free(ae); *pp = p; return (ret); } diff --git a/crypto/asn1/asn_pack.c b/crypto/asn1/asn_pack.c index 09d1505..090beff 100644 --- a/crypto/asn1/asn_pack.c +++ b/crypto/asn1/asn_pack.c @@ -1,4 +1,4 @@ -/* $OpenBSD: asn_pack.c,v 1.16 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: asn_pack.c,v 1.18 2018/10/24 17:57:22 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -61,112 +61,7 @@ #include #include -#ifndef NO_ASN1_OLD - -/* ASN1 packing and unpacking functions */ - -/* Turn an ASN1 encoded SEQUENCE OF into a STACK of structures */ - -STACK_OF(OPENSSL_BLOCK) * -ASN1_seq_unpack(const unsigned char *buf, int len, d2i_of_void *d2i, - void (*free_func)(OPENSSL_BLOCK)) -{ - STACK_OF(OPENSSL_BLOCK) *sk; - const unsigned char *pbuf; - - pbuf = buf; - if (!(sk = d2i_ASN1_SET(NULL, &pbuf, len, d2i, free_func, - V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL))) - ASN1error(ASN1_R_DECODE_ERROR); - return sk; -} - -/* Turn a STACK structures into an ASN1 encoded SEQUENCE OF structure in a - * OPENSSL_malloc'ed buffer - */ - -unsigned char * -ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d, - unsigned char **buf, int *len) -{ - int safelen; - unsigned char *safe, *p; - - if (!(safelen = i2d_ASN1_SET(safes, NULL, i2d, V_ASN1_SEQUENCE, - V_ASN1_UNIVERSAL, IS_SEQUENCE))) { - ASN1error(ASN1_R_ENCODE_ERROR); - return NULL; - } - if (!(safe = malloc(safelen))) { - ASN1error(ERR_R_MALLOC_FAILURE); - return NULL; - } - p = safe; - i2d_ASN1_SET(safes, &p, i2d, V_ASN1_SEQUENCE, V_ASN1_UNIVERSAL, - IS_SEQUENCE); - if (len) - *len = safelen; - if (buf) - *buf = safe; - return safe; -} - -/* Extract an ASN1 object from an ASN1_STRING */ - -void * -ASN1_unpack_string(ASN1_STRING *oct, d2i_of_void *d2i) -{ - const unsigned char *p; - char *ret; - - p = oct->data; - if (!(ret = d2i(NULL, &p, oct->length))) - ASN1error(ASN1_R_DECODE_ERROR); - return ret; -} - -/* Pack an ASN1 object into an ASN1_STRING */ - -ASN1_STRING * -ASN1_pack_string(void *obj, i2d_of_void *i2d, ASN1_STRING **oct) -{ - unsigned char *p; - ASN1_STRING *octmp; - - if (!oct || !*oct) { - if (!(octmp = ASN1_STRING_new())) { - ASN1error(ERR_R_MALLOC_FAILURE); - return NULL; - } - } else - octmp = *oct; - - if (!(octmp->length = i2d(obj, NULL))) { - ASN1error(ASN1_R_ENCODE_ERROR); - goto err; - } - if (!(p = malloc (octmp->length))) { - ASN1error(ERR_R_MALLOC_FAILURE); - goto err; - 
} - octmp->data = p; - i2d (obj, &p); - if (oct) - *oct = octmp; - return octmp; -err: - if (!oct || octmp != *oct) { - ASN1_STRING_free(octmp); - if (oct) - *oct = NULL; - } - return NULL; -} - -#endif - -/* ASN1_ITEM versions of the above */ - +/* Pack an ASN1 object into an ASN1_STRING. */ ASN1_STRING * ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct) { @@ -200,10 +95,9 @@ err: return NULL; } -/* Extract an ASN1 object from an ASN1_STRING */ - +/* Extract an ASN1 object from an ASN1_STRING. */ void * -ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it) +ASN1_item_unpack(const ASN1_STRING *oct, const ASN1_ITEM *it) { const unsigned char *p; void *ret; diff --git a/crypto/asn1/bio_asn1.c b/crypto/asn1/bio_asn1.c index 02ad310..93bcb33 100644 --- a/crypto/asn1/bio_asn1.c +++ b/crypto/asn1/bio_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_asn1.c,v 1.12 2015/12/23 01:46:33 mmcc Exp $ */ +/* $OpenBSD: bio_asn1.c,v 1.13 2018/05/01 13:29:09 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -125,7 +125,7 @@ static int asn1_bio_setup_ex(BIO *b, BIO_ASN1_BUF_CTX *ctx, asn1_ps_func *setup, asn1_bio_state_t ex_state, asn1_bio_state_t other_state); -static BIO_METHOD methods_asn1 = { +static const BIO_METHOD methods_asn1 = { .type = BIO_TYPE_ASN1, .name = "asn1", .bwrite = asn1_bio_write, @@ -138,7 +138,7 @@ static BIO_METHOD methods_asn1 = { .callback_ctrl = asn1_bio_callback_ctrl }; -BIO_METHOD * +const BIO_METHOD * BIO_f_asn1(void) { return (&methods_asn1); diff --git a/crypto/asn1/d2i_pr.c b/crypto/asn1/d2i_pr.c index 7a5880a..e450dee 100644 --- a/crypto/asn1/d2i_pr.c +++ b/crypto/asn1/d2i_pr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d2i_pr.c,v 1.15 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: d2i_pr.c,v 1.17 2019/04/10 16:23:55 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -76,6 +76,7 @@ EVP_PKEY * d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) { + const unsigned char *p = *pp; EVP_PKEY *ret; if ((a == NULL) || (*a == NULL)) { @@ -86,10 +87,8 @@ d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) } else { ret = *a; #ifndef OPENSSL_NO_ENGINE - if (ret->engine) { - ENGINE_finish(ret->engine); - ret->engine = NULL; - } + ENGINE_finish(ret->engine); + ret->engine = NULL; #endif } @@ -102,6 +101,7 @@ d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp, long length) !ret->ameth->old_priv_decode(ret, pp, length)) { if (ret->ameth->priv_decode) { PKCS8_PRIV_KEY_INFO *p8 = NULL; + *pp = p; /* XXX */ p8 = d2i_PKCS8_PRIV_KEY_INFO(NULL, pp, length); if (!p8) goto err; diff --git a/crypto/asn1/evp_asn1.c b/crypto/asn1/evp_asn1.c index 5f74da1..4b7ebbb 100644 --- a/crypto/asn1/evp_asn1.c +++ b/crypto/asn1/evp_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_asn1.c,v 1.20 2017/11/28 16:51:21 jsing Exp $ */ +/* $OpenBSD: evp_asn1.c,v 1.23 2018/11/09 04:20:27 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -64,7 +64,7 @@ #include int -ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len) +ASN1_TYPE_set_octetstring(ASN1_TYPE *a, const unsigned char *data, int len) { ASN1_STRING *os; @@ -79,7 +79,7 @@ ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len) } int -ASN1_TYPE_get_octetstring(ASN1_TYPE *a, unsigned char *data, int max_len) +ASN1_TYPE_get_octetstring(const ASN1_TYPE *a, unsigned char *data, int max_len) { int ret, num; unsigned char *p; @@ -127,7 +127,7 @@ const ASN1_ITEM ASN1_INT_OCTETSTRING_it = { }; int -ASN1_TYPE_set_int_octetstring(ASN1_TYPE *at, long num, unsigned char *data, +ASN1_TYPE_set_int_octetstring(ASN1_TYPE *at, long num, const unsigned char *data, int len) { ASN1_int_octetstring *ios; 
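Review bot: `*pp = p; /* XXX */` in d2i_PrivateKey leaves the reader to guess why the input pointer is rewound before the PKCS#8 retry; the saved `p` is presumably needed because a failed `old_priv_decode` may already have advanced `*pp`, and the marker should say so: `/* old_priv_decode() may have advanced *pp; restart the PKCS#8 parse from the original position. */`. The second hunk in this file also drops the NULL test around `ENGINE_finish(ret->engine)`, which is only safe if ENGINE_finish accepts NULL — I cannot confirm that from the diff, so a one-line comment there would spare the next reader the same question. d2i_PrivateKey's body continues outside the hunk.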
@@ -137,12 +137,8 @@ ASN1_TYPE_set_int_octetstring(ASN1_TYPE *at, long num, unsigned char *data, if ((ios = (ASN1_int_octetstring *)ASN1_item_new( &ASN1_INT_OCTETSTRING_it)) == NULL) goto err; - if ((ios->num = ASN1_INTEGER_new()) == NULL) - goto err; if (!ASN1_INTEGER_set(ios->num, num)) goto err; - if ((ios->value = ASN1_OCTET_STRING_new()) == NULL) - goto err; if (!ASN1_OCTET_STRING_set(ios->value, data, len)) goto err; @@ -162,7 +158,7 @@ ASN1_TYPE_set_int_octetstring(ASN1_TYPE *at, long num, unsigned char *data, } int -ASN1_TYPE_get_int_octetstring(ASN1_TYPE *at, long *num, unsigned char *data, +ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *at, long *num, unsigned char *data, int max_len) { ASN1_STRING *sp = at->value.sequence; diff --git a/crypto/asn1/f_enum.c b/crypto/asn1/f_enum.c index 64feb97..cc4b7df 100644 --- a/crypto/asn1/f_enum.c +++ b/crypto/asn1/f_enum.c @@ -1,4 +1,4 @@ -/* $OpenBSD: f_enum.c,v 1.15 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: f_enum.c,v 1.16 2018/04/25 11:48:21 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -65,7 +65,7 @@ /* Based on a_int.c: equivalent ENUMERATED functions */ int -i2a_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *a) +i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a) { int i, n = 0; static const char h[] = "0123456789ABCDEF"; diff --git a/crypto/asn1/f_int.c b/crypto/asn1/f_int.c index 7516887..d03fafe 100644 --- a/crypto/asn1/f_int.c +++ b/crypto/asn1/f_int.c @@ -1,4 +1,4 @@ -/* $OpenBSD: f_int.c,v 1.18 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: f_int.c,v 1.20 2018/05/13 13:48:08 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,7 +63,7 @@ #include int -i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a) +i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a) { int i, n = 0; static const char h[] = "0123456789ABCDEF"; 
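Review bot: Removing the explicit `ASN1_INTEGER_new()`/`ASN1_OCTET_STRING_new()` calls in ASN1_TYPE_set_int_octetstring is correct only if `ASN1_item_new(&ASN1_INT_OCTETSTRING_it)` already allocates both `num` and `value` from the template, which is not visible in this hunk; if it does, the old code leaked both objects on every call and that is worth recording so nobody reintroduces them: `/* ASN1_item_new() already allocates ios->num and ios->value. */`. The function's error path (`err:`) lies outside the hunk.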
@@ -158,8 +158,7 @@ a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size) } i /= 2; if (num + i > slen) { - sp = OPENSSL_realloc_clean(s, slen, num + i); - if (sp == NULL) { + if ((sp = recallocarray(s, slen, num + i, 1)) == NULL) { ASN1error(ERR_R_MALLOC_FAILURE); goto err; } diff --git a/crypto/asn1/f_string.c b/crypto/asn1/f_string.c index 138044e..af17f43 100644 --- a/crypto/asn1/f_string.c +++ b/crypto/asn1/f_string.c @@ -1,4 +1,4 @@ -/* $OpenBSD: f_string.c,v 1.17 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: f_string.c,v 1.18 2018/04/25 11:48:21 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,7 +63,7 @@ #include int -i2a_ASN1_STRING(BIO *bp, ASN1_STRING *a, int type) +i2a_ASN1_STRING(BIO *bp, const ASN1_STRING *a, int type) { int i, n = 0; static const char h[] = "0123456789ABCDEF"; diff --git a/crypto/asn1/n_pkey.c b/crypto/asn1/n_pkey.c index d2fabf6..6c70316 100644 --- a/crypto/asn1/n_pkey.c +++ b/crypto/asn1/n_pkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: n_pkey.c,v 1.31 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: n_pkey.c,v 1.32 2018/08/05 13:35:45 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -273,11 +273,11 @@ i2d_RSA_NET(const RSA *a, unsigned char **pp, goto err; } + enckey->enckey->digest->data = zz; if (!ASN1_STRING_set(enckey->os, "private-key", -1)) { ASN1error(ERR_R_MALLOC_FAILURE); goto err; } - enckey->enckey->digest->data = zz; i2d_NETSCAPE_PKEY(pkey, &zz); /* Wipe the private key encoding */ diff --git a/crypto/asn1/p8_pkey.c b/crypto/asn1/p8_pkey.c index 71d5794..d2f8e6b 100644 --- a/crypto/asn1/p8_pkey.c +++ b/crypto/asn1/p8_pkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p8_pkey.c,v 1.17 2015/09/10 15:56:25 jsing Exp $ */ +/* $OpenBSD: p8_pkey.c,v 1.19 2018/08/24 20:17:33 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -69,11 +69,8 @@ pkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg)
 	/* Since the structure must still be valid use ASN1_OP_FREE_PRE */
 	if (operation == ASN1_OP_FREE_PRE) {
 		PKCS8_PRIV_KEY_INFO *key = (PKCS8_PRIV_KEY_INFO *)*pval;
-		if (key->pkey != NULL &&
-		    key->pkey->type == V_ASN1_OCTET_STRING &&
-		    key->pkey->value.octet_string != NULL)
-			explicit_bzero(key->pkey->value.octet_string->data,
-			    key->pkey->value.octet_string->length);
+		if (key->pkey != NULL)
+			explicit_bzero(key->pkey->data, key->pkey->length);
 	}
 	return 1;
 }
@@ -95,7 +92,7 @@ static const ASN1_TEMPLATE PKCS8_PRIV_KEY_INFO_seq_tt[] = {
 	{
 		.offset = offsetof(PKCS8_PRIV_KEY_INFO, pkey),
 		.field_name = "pkey",
-		.item = &ASN1_ANY_it,
+		.item = &ASN1_OCTET_STRING_it,
 	},
 	{
 		.flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL,
@@ -145,57 +142,45 @@ int
 PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj, int version,
     int ptype, void *pval, unsigned char *penc, int penclen)
 {
-	unsigned char **ppenc = NULL;
-
 	if (version >= 0) {
 		if (!ASN1_INTEGER_set(priv->version, version))
 			return 0;
 	}
-	if (penc) {
-		int pmtype;
-		ASN1_OCTET_STRING *oct;
-		oct = ASN1_OCTET_STRING_new();
-		if (!oct)
-			return 0;
-		oct->data = penc;
-		ppenc = &oct->data;
-		oct->length = penclen;
-		if (priv->broken == PKCS8_NO_OCTET)
-			pmtype = V_ASN1_SEQUENCE;
-		else
-			pmtype = V_ASN1_OCTET_STRING;
-		ASN1_TYPE_set(priv->pkey, pmtype, oct);
-	}
-	if (!X509_ALGOR_set0(priv->pkeyalg, aobj, ptype, pval)) {
-		/* If call fails do not swallow 'enc' */
-		if (ppenc)
-			*ppenc = NULL;
+	if (!X509_ALGOR_set0(priv->pkeyalg, aobj, ptype, pval))
 		return 0;
-	}
+	if (penc != NULL)
+		ASN1_STRING_set0(priv->pkey, penc, penclen);
 	return 1;
 }
 
 int
-PKCS8_pkey_get0(ASN1_OBJECT **ppkalg, const unsigned char **pk, int *ppklen,
-    X509_ALGOR **pa, PKCS8_PRIV_KEY_INFO *p8)
+PKCS8_pkey_get0(const ASN1_OBJECT **ppkalg, const unsigned char **pk,
+    int *ppklen, const X509_ALGOR **pa, const PKCS8_PRIV_KEY_INFO *p8)
 {
-	if (ppkalg)
+	if (ppkalg != NULL)
 		*ppkalg = p8->pkeyalg->algorithm;
-	if (p8->pkey->type == V_ASN1_OCTET_STRING) {
-		p8->broken = PKCS8_OK;
-		if (pk) {
-			*pk = p8->pkey->value.octet_string->data;
-			*ppklen = p8->pkey->value.octet_string->length;
-		}
-	} else if (p8->pkey->type == V_ASN1_SEQUENCE) {
-		p8->broken = PKCS8_NO_OCTET;
-		if (pk) {
-			*pk = p8->pkey->value.sequence->data;
-			*ppklen = p8->pkey->value.sequence->length;
-		}
-	} else
-		return 0;
-	if (pa)
+	if (pk != NULL) {
+		*pk = ASN1_STRING_data(p8->pkey);
+		*ppklen = ASN1_STRING_length(p8->pkey);
+	}
+	if (pa != NULL)
 		*pa = p8->pkeyalg;
 	return 1;
 }
+
+const STACK_OF(X509_ATTRIBUTE) *
+PKCS8_pkey_get0_attrs(const PKCS8_PRIV_KEY_INFO *p8)
+{
+	return p8->attributes;
+}
+
+int
+PKCS8_pkey_add1_attr_by_NID(PKCS8_PRIV_KEY_INFO *p8, int nid, int type,
+    const unsigned char 
*bytes, int len) +{ + if (X509at_add1_attr_by_NID(&p8->attributes, nid, type, bytes, + len) != NULL) + return 1; + return 0; +} + diff --git a/crypto/asn1/t_bitst.c b/crypto/asn1/t_bitst.c index ea4138e..51515b8 100644 --- a/crypto/asn1/t_bitst.c +++ b/crypto/asn1/t_bitst.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_bitst.c,v 1.7 2014/07/11 08:44:47 jsing Exp $ */ +/* $OpenBSD: t_bitst.c,v 1.8 2018/04/25 11:48:21 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -83,7 +83,7 @@ ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs, } int -ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value, +ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, const char *name, int value, BIT_STRING_BITNAME *tbl) { int bitnum; @@ -99,7 +99,7 @@ ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value, } int -ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl) +ASN1_BIT_STRING_num_asc(const char *name, BIT_STRING_BITNAME *tbl) { BIT_STRING_BITNAME *bnam; diff --git a/crypto/asn1/t_crl.c b/crypto/asn1/t_crl.c index c812244..057b8fe 100644 --- a/crypto/asn1/t_crl.c +++ b/crypto/asn1/t_crl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t_crl.c,v 1.17 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: t_crl.c,v 1.18 2019/05/12 15:56:31 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -57,6 +57,7 @@ */ #include +#include #include #include @@ -92,6 +93,8 @@ X509_CRL_print(BIO *out, X509_CRL *x) BIO_printf(out, "Certificate Revocation List (CRL):\n"); l = X509_CRL_get_version(x); + if (l < 0 || l == LONG_MAX) + goto err; BIO_printf(out, "%8sVersion %lu (0x%lx)\n", "", l + 1, l); i = OBJ_obj2nid(x->sig_alg->algorithm); if (X509_signature_print(out, x->sig_alg, NULL) == 0) diff --git a/crypto/asn1/t_x509.c b/crypto/asn1/t_x509.c index 3dfaaa4..73a0491 100644 --- a/crypto/asn1/t_x509.c +++ b/crypto/asn1/t_x509.c 
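Review bot: PKCS8_pkey_set0 now hands `penc` to ASN1_STRING_set0 only after X509_ALGOR_set0 has succeeded, which is what keeps ownership of `penc` with the caller on failure, but the old `/* If call fails do not swallow 'enc' */` comment that recorded this invariant went away with the rewritten code. Keep the ordering documented above the X509_ALGOR_set0 call: `/* Must run before ASN1_STRING_set0(): on failure penc stays owned by the caller. */`. PKCS8_pkey_get0 can no longer return 0 now that the PKCS8_NO_OCTET branch is gone; existing callers that test the result keep working, but the header or man page (not in view here) should say it always succeeds.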
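Review bot: `if (l < 0 || l == LONG_MAX) goto err;` in X509_CRL_print guards two different things — what I read as the -1 error return of X509_CRL_get_version and the `l + 1` overflow in the printf that follows — and nothing in the hunk says which; a short comment keeps the two conditions from being "simplified" apart later: `/* -1 signals a decode error; LONG_MAX would overflow l + 1 below. */`. The error convention of X509_CRL_get_version is not visible in this diff, so that part should be confirmed against its definition.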
@@ -1,4 +1,4 @@ -/* $OpenBSD: t_x509.c,v 1.28 2017/04/03 15:52:59 beck Exp $ */ +/* $OpenBSD: t_x509.c,v 1.32 2020/04/10 07:05:24 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -145,8 +145,10 @@ X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag) goto err; bs = X509_get_serialNumber(x); - if (bs->length <= (int)sizeof(long)) { + l = -1; + if (bs->length <= (int)sizeof(long)) l = ASN1_INTEGER_get(bs); + if (l != -1) { if (bs->type == V_ASN1_NEG_INTEGER) { l = -l; neg = "-"; @@ -246,7 +248,8 @@ err: return (ret); } -int X509_ocspid_print (BIO *bp, X509 *x) +int +X509_ocspid_print(BIO *bp, X509 *x) { unsigned char *der = NULL; unsigned char *dertmp; @@ -320,7 +323,7 @@ X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent) } int -X509_signature_print(BIO *bp, X509_ALGOR *sigalg, ASN1_STRING *sig) +X509_signature_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig) { int sig_nid; if (BIO_puts(bp, " Signature Algorithm: ") <= 0) @@ -387,7 +390,7 @@ ASN1_TIME_print(BIO *bp, const ASN1_TIME *tm) } static const char *mon[12] = { - "Jan", "Feb", "Mar", "Apr", "May", "Jun", + "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" }; @@ -489,7 +492,7 @@ err: } int -X509_NAME_print(BIO *bp, X509_NAME *name, int obase) +X509_NAME_print(BIO *bp, const X509_NAME *name, int obase) { char *s, *c, *b; int ret = 0, l, i; diff --git a/crypto/asn1/tasn_dec.c b/crypto/asn1/tasn_dec.c index 3f680c6..70dc355 100644 --- a/crypto/asn1/tasn_dec.c +++ b/crypto/asn1/tasn_dec.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_dec.c,v 1.34 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: tasn_dec.c,v 1.37 2019/04/01 15:48:04 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ 
@@ -65,6 +65,12 @@ #include #include +/* Constructed types with a recursive definition (such as can be found in PKCS7) + * could eventually exceed the stack given malicious input with excessive + * recursion. Therefore we limit the stack depth. + */ +#define ASN1_MAX_CONSTRUCTED_NEST 30 + static int asn1_check_eoc(const unsigned char **in, long len); static int asn1_find_end(const unsigned char **in, long len, char inf); @@ -78,9 +84,9 @@ static int asn1_check_tlen(long *olen, int *otag, unsigned char *oclass, int expclass, char opt, ASN1_TLC *ctx); static int asn1_template_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, - long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx); + long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx, int depth); static int asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, - long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx); + long len, const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx, int depth); static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, const unsigned char **in, long len, const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx); @@ -142,7 +148,7 @@ ASN1_template_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, ASN1_TLC c; asn1_tlc_clear_nc(&c); - return asn1_template_ex_d2i(pval, in, len, tt, 0, &c); + return asn1_template_ex_d2i(pval, in, len, tt, 0, &c, 0); } 
@@ -150,14 +156,15 @@ ASN1_template_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, * If 'opt' set and tag mismatch return -1 to handle OPTIONAL */ -int -ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, - const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx) +static int +asn1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, + const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx, + int depth) { const ASN1_TEMPLATE *tt, *errtt = NULL; const ASN1_EXTERN_FUNCS *ef; const ASN1_AUX *aux = it->funcs; - ASN1_aux_cb *asn1_cb; + ASN1_aux_cb *asn1_cb = NULL; const unsigned char *p = NULL, *q; unsigned char oclass; char seq_eoc, seq_nolen, cst, isopt; @@ -176,8 +183,11 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, if (aux && aux->asn1_cb) asn1_cb = aux->asn1_cb; - else - asn1_cb = 0; + + if (++depth > ASN1_MAX_CONSTRUCTED_NEST) { + ASN1error(ASN1_R_NESTED_TOO_DEEP); + goto err; + } switch (it->itype) { case ASN1_ITYPE_PRIMITIVE: @@ -193,7 +203,7 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, goto err; } return asn1_template_ex_d2i(pval, in, len, - it->templates, opt, ctx); + it->templates, opt, ctx, depth); } return asn1_d2i_ex_primitive(pval, in, len, it, tag, aclass, opt, ctx); @@ -258,7 +268,8 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, /* We mark field as OPTIONAL so its absence * can be recognised. */ - ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx); + ret = asn1_template_ex_d2i(pchptr, &p, len, tt, 1, ctx, + depth); /* If field not present, try the next one */ if (ret == -1) continue; @@ -376,7 +387,7 @@ ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len, * OPTIONAL */ ret = asn1_template_ex_d2i(pseqval, &p, len, - seqtt, isopt, ctx); + seqtt, isopt, ctx, depth); if (!ret) { errtt = seqtt; goto err; 
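Review bot: The `++depth > ASN1_MAX_CONSTRUCTED_NEST` test in asn1_item_ex_d2i fires on every item-decode level, including the leaf primitive and each EXPLICIT template re-entry via asn1_template_ex_d2i, so the effective bound on nested constructed types is somewhat below the nominal 30 rather than exactly that. The comment above the macro (first hunk of this file, earlier on the page) should state that the count is per asn1_item_ex_d2i() call, and could note that the printer in asn1_par.c uses its own, independent limit so the two are not expected to agree. The body of asn1_item_ex_d2i continues outside this hunk.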
@@ -448,13 +459,20 @@ err:
 	return 0;
 }
 
+int
+ASN1_item_ex_d2i(ASN1_VALUE **pval, const unsigned char **in, long len,
+    const ASN1_ITEM *it, int tag, int aclass, char opt, ASN1_TLC *ctx)
+{
+	return asn1_item_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx, 0);
+}
+
 /* Templates are handled with two separate functions.
  * One handles any EXPLICIT tag and the other handles the rest.
  */
 
 static int
 asn1_template_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long inlen,
-    const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx)
+    const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx, int depth)
 {
 	int flags, aclass;
 	int ret;
@@ -489,7 +507,7 @@ asn1_template_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long inlen,
 			return 0;
 		}
 		/* We've found the field so it can't be OPTIONAL now */
-		ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx);
+		ret = asn1_template_noexp_d2i(val, &p, len, tt, 0, ctx, depth);
 		if (!ret) {
 			ASN1error(ERR_R_NESTED_ASN1_ERROR);
 			return 0;
@@ -511,7 +529,8 @@ asn1_template_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long inlen,
 			}
 		}
 	} else
-		return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx);
+		return asn1_template_noexp_d2i(val, in, inlen, tt, opt, ctx,
+		    depth);
 	*in = p;
 	return 1;
 
@@ -523,7 +542,7 @@ err:
 
 static int
 asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len,
-    const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx)
+    const ASN1_TEMPLATE *tt, char opt, ASN1_TLC *ctx, int depth)
 {
 	int flags, aclass;
 	int ret;
@@ -594,8 +613,8 @@ asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len,
 				break;
 			}
 			skfield = NULL;
-			if (!ASN1_item_ex_d2i(&skfield, &p, len,
-			    tt->item, -1, 0, 0, ctx)) {
+			if (!asn1_item_ex_d2i(&skfield, &p, len,
+			    tt->item, -1, 0, 0, ctx, depth)) {
 				ASN1error(ERR_R_NESTED_ASN1_ERROR);
 				goto err;
 			}
@@ -612,8 +631,8 @@ asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, } } else if (flags & ASN1_TFLG_IMPTAG) { /* IMPLICIT tagging */ - ret = ASN1_item_ex_d2i(val, &p, len, - tt->item, tt->tag, aclass, opt, ctx); + ret = asn1_item_ex_d2i(val, &p, len, + tt->item, tt->tag, aclass, opt, ctx, depth); if (!ret) { ASN1error(ERR_R_NESTED_ASN1_ERROR); goto err; @@ -621,8 +640,8 @@ asn1_template_noexp_d2i(ASN1_VALUE **val, const unsigned char **in, long len, return -1; } else { /* Nothing special */ - ret = ASN1_item_ex_d2i(val, &p, len, tt->item, - -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx); + ret = asn1_item_ex_d2i(val, &p, len, tt->item, + -1, tt->flags & ASN1_TFLG_COMBINE, opt, ctx, depth); if (!ret) { ASN1error(ERR_R_NESTED_ASN1_ERROR); goto err; @@ -774,14 +793,17 @@ asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, ASN1_VALUE **opval = NULL; ASN1_STRING *stmp; ASN1_TYPE *typ = NULL; - int ret = 0; - const ASN1_PRIMITIVE_FUNCS *pf; ASN1_INTEGER **tint; + int ret = 0; - pf = it->funcs; + if (it->funcs != NULL) { + const ASN1_PRIMITIVE_FUNCS *pf = it->funcs; - if (pf && pf->prim_c2i) + if (pf->prim_c2i == NULL) + return 0; return pf->prim_c2i(pval, cont, len, utype, free_cont, it); + } + /* If ANY type clear type and set pointer to internal value */ if (it->utype == V_ASN1_ANY) { if (!*pval) { diff --git a/crypto/asn1/tasn_enc.c b/crypto/asn1/tasn_enc.c index f334190..d103c4d 100644 --- a/crypto/asn1/tasn_enc.c +++ b/crypto/asn1/tasn_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_enc.c,v 1.21 2016/12/30 16:04:34 jsing Exp $ */ +/* $OpenBSD: tasn_enc.c,v 1.22 2019/04/01 15:48:04 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ 
@@ -541,11 +541,14 @@ asn1_ex_i2c(ASN1_VALUE **pval, unsigned char *cout, int *putype,
 	const unsigned char *cont;
 	unsigned char c;
 	int len;
-	const ASN1_PRIMITIVE_FUNCS *pf;
 
-	pf = it->funcs;
-	if (pf && pf->prim_i2c)
+	if (it->funcs != NULL) {
+		const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
+
+		if (pf->prim_i2c == NULL)
+			return -1;
 		return pf->prim_i2c(pval, cout, putype, it);
+	}
 
 	/* Should type be omitted? */
 	if ((it->itype != ASN1_ITYPE_PRIMITIVE) ||
diff --git a/crypto/asn1/tasn_fre.c b/crypto/asn1/tasn_fre.c
index 9276034..b621af3 100644
--- a/crypto/asn1/tasn_fre.c
+++ b/crypto/asn1/tasn_fre.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tasn_fre.c,v 1.15 2016/12/30 16:04:34 jsing Exp $ */
+/* $OpenBSD: tasn_fre.c,v 1.17 2019/04/01 15:48:04 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2000.
  */
@@ -88,7 +88,10 @@ asn1_item_combine_free(ASN1_VALUE **pval, const ASN1_ITEM *it, int combine)
 	ASN1_aux_cb *asn1_cb = NULL;
 	int i;
 
-	if (pval == NULL || *pval == NULL)
+	if (pval == NULL)
+		return;
+	/* For primitive types *pval may be something other than C pointer. */
+	if (it->itype != ASN1_ITYPE_PRIMITIVE && *pval == NULL)
 		return;
 
 	if (aux != NULL && aux->asn1_cb != NULL)
@@ -190,14 +193,14 @@ void
 ASN1_primitive_free(ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
 	int utype;
-	if (it) {
-		const ASN1_PRIMITIVE_FUNCS *pf;
-		pf = it->funcs;
-		if (pf && pf->prim_free) {
-			pf->prim_free(pval, it);
-			return;
-		}
+
+	if (it != NULL && it->funcs != NULL) {
+		const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
+
+		pf->prim_free(pval, it);
+		return;
 	}
+
 	/* Special case: if 'it' is NULL free contents of ASN1_TYPE */
 	if (!it) {
 		ASN1_TYPE *typ = (ASN1_TYPE *)*pval;
diff --git a/crypto/asn1/tasn_new.c b/crypto/asn1/tasn_new.c
index e9bbc05..7c9bb98 100644
--- a/crypto/asn1/tasn_new.c
+++ b/crypto/asn1/tasn_new.c
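Review bot: ASN1_primitive_free now calls `pf->prim_free(pval, it)` as soon as `it->funcs` is non-NULL, whereas the sibling changes in this commit (prim_new in tasn_new.c, prim_i2c in tasn_enc.c, prim_c2i in tasn_dec.c, prim_print in tasn_prn.c) each test the individual callback for NULL and fail cleanly. If any ASN1_PRIMITIVE_FUNCS table in the tree leaves prim_free unset this becomes a call through a NULL function pointer during free; the tables are not in this diff, so either keep the guard, `if (pf->prim_free != NULL) pf->prim_free(pval, it);`, or add a comment stating that every funcs table is required to supply prim_free. The same hunk also changes the fall-through: previously a table without prim_free fell back to the generic freeing below, now it returns without freeing anything.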
@@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_new.c,v 1.17 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: tasn_new.c,v 1.18 2019/04/01 15:48:04 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -306,10 +306,12 @@ ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it) ASN1_STRING *str; int utype; - if (it && it->funcs) { + if (it != NULL && it->funcs != NULL) { const ASN1_PRIMITIVE_FUNCS *pf = it->funcs; - if (pf->prim_new) - return pf->prim_new(pval, it); + + if (pf->prim_new == NULL) + return 0; + return pf->prim_new(pval, it); } if (!it || (it->itype == ASN1_ITYPE_MSTRING)) @@ -355,14 +357,17 @@ static void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it) { int utype; - if (it && it->funcs) { + + if (it != NULL && it->funcs != NULL) { const ASN1_PRIMITIVE_FUNCS *pf = it->funcs; + if (pf->prim_clear) pf->prim_clear(pval, it); else *pval = NULL; return; } + if (!it || (it->itype == ASN1_ITYPE_MSTRING)) utype = V_ASN1_UNDEF; else diff --git a/crypto/asn1/tasn_prn.c b/crypto/asn1/tasn_prn.c index 7cccd56..4c676d8 100644 --- a/crypto/asn1/tasn_prn.c +++ b/crypto/asn1/tasn_prn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tasn_prn.c,v 1.16 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: tasn_prn.c,v 1.21 2020/03/24 10:46:38 inoguchi Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -105,7 +105,7 @@ ASN1_PCTX_free(ASN1_PCTX *p) } unsigned long -ASN1_PCTX_get_flags(ASN1_PCTX *p) +ASN1_PCTX_get_flags(const ASN1_PCTX *p) { return p->flags; } @@ -117,7 +117,7 @@ ASN1_PCTX_set_flags(ASN1_PCTX *p, unsigned long flags) } unsigned long -ASN1_PCTX_get_nm_flags(ASN1_PCTX *p) +ASN1_PCTX_get_nm_flags(const ASN1_PCTX *p) { return p->nm_flags; } @@ -129,7 +129,7 @@ ASN1_PCTX_set_nm_flags(ASN1_PCTX *p, unsigned long flags) } unsigned long -ASN1_PCTX_get_cert_flags(ASN1_PCTX *p) +ASN1_PCTX_get_cert_flags(const ASN1_PCTX *p) { return p->cert_flags; } 
@@ -141,7 +141,7 @@ ASN1_PCTX_set_cert_flags(ASN1_PCTX *p, unsigned long flags) } unsigned long -ASN1_PCTX_get_oid_flags(ASN1_PCTX *p) +ASN1_PCTX_get_oid_flags(const ASN1_PCTX *p) { return p->oid_flags; } @@ -153,7 +153,7 @@ ASN1_PCTX_set_oid_flags(ASN1_PCTX *p, unsigned long flags) } unsigned long -ASN1_PCTX_get_str_flags(ASN1_PCTX *p) +ASN1_PCTX_get_str_flags(const ASN1_PCTX *p) { return p->str_flags; } @@ -216,7 +216,8 @@ asn1_item_print_ctx(BIO *out, ASN1_VALUE **fld, int indent, const ASN1_ITEM *it, } else asn1_cb = NULL; - if (*fld == NULL) { + if ((it->itype != ASN1_ITYPE_PRIMITIVE || + it->utype != V_ASN1_BOOLEAN) && *fld == NULL) { if (pctx->flags & ASN1_PCTX_FLAGS_SHOW_ABSENT) { if (!nohdr && !asn1_print_fsname(out, indent, fname, sname, pctx)) @@ -454,7 +455,8 @@ asn1_print_integer_ctx(BIO *out, ASN1_INTEGER *str, const ASN1_PCTX *pctx) { char *s; int ret = 1; - s = i2s_ASN1_INTEGER(NULL, str); + if ((s = i2s_ASN1_INTEGER(NULL, str)) == NULL) + return 0; if (BIO_puts(out, s) <= 0) ret = 0; free(s); @@ -500,18 +502,28 @@ asn1_primitive_print(BIO *out, ASN1_VALUE **fld, const ASN1_ITEM *it, ASN1_STRING *str; int ret = 1, needlf = 1; const char *pname; - const ASN1_PRIMITIVE_FUNCS *pf; - pf = it->funcs; if (!asn1_print_fsname(out, indent, fname, sname, pctx)) return 0; - if (pf && pf->prim_print) + + if (it != NULL && it->funcs != NULL) { + const ASN1_PRIMITIVE_FUNCS *pf = it->funcs; + + if (pf->prim_print == NULL) + return 0; + return pf->prim_print(out, fld, it, indent, pctx); - str = (ASN1_STRING *)*fld; - if (it->itype == ASN1_ITYPE_MSTRING) + } + if (it->itype == ASN1_ITYPE_MSTRING) { + str = (ASN1_STRING *)*fld; utype = str->type & ~V_ASN1_NEG; - else + } else { utype = it->utype; + if (utype == V_ASN1_BOOLEAN) + str = NULL; + else + str = (ASN1_STRING *)*fld; + } if (utype == V_ASN1_ANY) { ASN1_TYPE *atype = (ASN1_TYPE *)*fld; utype = atype->type; diff --git a/crypto/asn1/x_algor.c b/crypto/asn1/x_algor.c index 27405a2..2013de7 100644 
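Review bot: The new `if (it != NULL && it->funcs != NULL)` guard in asn1_primitive_print is misleading: `it->itype` is dereferenced unconditionally a few lines later (`if (it->itype == ASN1_ITYPE_MSTRING) {`), so `it` cannot actually be NULL on this path. Either drop the `it != NULL` test to match the `if (it->funcs != NULL)` form used in the asn1_ex_c2i and asn1_ex_i2c hunks, or make the later dereferences NULL-safe too. The BOOLEAN branch that leaves `str = NULL` would also benefit from a one-line comment saying why a BOOLEAN has no ASN1_STRING behind `*fld` (the tasn_fre.c hunk notes that for primitives `*pval` may not be a C pointer). The function continues outside the hunk.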
--- a/crypto/asn1/x_algor.c +++ b/crypto/asn1/x_algor.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_algor.c,v 1.21 2015/07/24 15:09:52 jsing Exp $ */ +/* $OpenBSD: x_algor.c,v 1.22 2018/05/01 19:01:27 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -176,8 +176,8 @@ X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval) } void -X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval, - X509_ALGOR *algor) +X509_ALGOR_get0(const ASN1_OBJECT **paobj, int *pptype, const void **ppval, + const X509_ALGOR *algor) { if (paobj) *paobj = algor->algorithm; diff --git a/crypto/asn1/x_attrib.c b/crypto/asn1/x_attrib.c index bb74a1b..04816ea 100644 --- a/crypto/asn1/x_attrib.c +++ b/crypto/asn1/x_attrib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_attrib.c,v 1.13 2015/02/14 14:56:45 jsing Exp $ */ +/* $OpenBSD: x_attrib.c,v 1.14 2020/06/04 21:21:03 schwarze Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -174,10 +174,13 @@ X509_ATTRIBUTE_create(int nid, int atrtype, void *value) { X509_ATTRIBUTE *ret = NULL; ASN1_TYPE *val = NULL; + ASN1_OBJECT *oid; + if ((oid = OBJ_nid2obj(nid)) == NULL) + return (NULL); if ((ret = X509_ATTRIBUTE_new()) == NULL) return (NULL); - ret->object = OBJ_nid2obj(nid); + ret->object = oid; ret->single = 0; if ((ret->value.set = sk_ASN1_TYPE_new_null()) == NULL) goto err; diff --git a/crypto/asn1/x_bignum.c b/crypto/asn1/x_bignum.c index 73f0f73..fab8fc2 100644 --- a/crypto/asn1/x_bignum.c +++ b/crypto/asn1/x_bignum.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_bignum.c,v 1.8 2015/07/25 17:07:17 jsing Exp $ */ +/* $OpenBSD: x_bignum.c,v 1.10 2019/04/01 15:49:22 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ 
@@ -75,15 +75,18 @@ static int bn_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it); static int bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it); +static int bn_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it, + int indent, const ASN1_PCTX *pctx); static ASN1_PRIMITIVE_FUNCS bignum_pf = { - NULL, - 0, - bn_new, - bn_free, - 0, - bn_c2i, - bn_i2c + .app_data = NULL, + .flags = 0, + .prim_new = bn_new, + .prim_free = bn_free, + .prim_clear = NULL, /* XXX */ + .prim_c2i = bn_c2i, + .prim_i2c = bn_i2c, + .prim_print = bn_print, }; const ASN1_ITEM BIGNUM_it = { @@ -165,3 +168,17 @@ bn_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, } return 1; } + +static int +bn_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it, int indent, + const ASN1_PCTX *pctx) +{ + BIGNUM *bn = (BIGNUM *)*pval; + + if (!BN_print(out, bn)) + return 0; + if (BIO_printf(out, "\n") <= 0) + return 0; + + return 1; +} diff --git a/crypto/asn1/x_crl.c b/crypto/asn1/x_crl.c index e0e6cc8..bc1783d 100644 --- a/crypto/asn1/x_crl.c +++ b/crypto/asn1/x_crl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_crl.c,v 1.30 2018/03/17 14:33:20 jsing Exp $ */ +/* $OpenBSD: x_crl.c,v 1.34 2019/03/13 20:34:00 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -527,9 +527,7 @@ X509_CRL_dup(X509_CRL *x) static int X509_REVOKED_cmp(const X509_REVOKED * const *a, const X509_REVOKED * const *b) { - return(ASN1_STRING_cmp( - (ASN1_STRING *)(*a)->serialNumber, - (ASN1_STRING *)(*b)->serialNumber)); + return(ASN1_INTEGER_cmp((*a)->serialNumber, (*b)->serialNumber)); } int @@ -675,6 +673,8 @@ X509_CRL_METHOD_new(int (*crl_init)(X509_CRL *crl), void X509_CRL_METHOD_free(X509_CRL_METHOD *m) { + if (m == NULL) + return; if (!(m->flags & X509_CRL_METHOD_DYNAMIC)) return; free(m); 
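Review bot: `.prim_clear = NULL, /* XXX */` in bignum_pf leaves the reader guessing what is unfinished. With prim_clear NULL, the generic asn1_primitive_clear path in the tasn_new.c hunk simply sets `*pval = NULL`, so whether a BIGNUM still held in `*pval` is released at that point depends on the caller, which is presumably what the marker refers to. Suggest replacing the XXX with a comment that says so, e.g. `/* No clear callback: the generic path sets *pval = NULL without freeing. */`, or supplying a clear callback that calls BN_free and resets the pointer.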
@@ -704,18 +704,48 @@ X509_CRL_get0_extensions(const X509_CRL *crl) return crl->crl->extensions; } +long +X509_CRL_get_version(const X509_CRL *crl) +{ + return ASN1_INTEGER_get(crl->crl->version); +} + const ASN1_TIME * X509_CRL_get0_lastUpdate(const X509_CRL *crl) { return crl->crl->lastUpdate; } +ASN1_TIME * +X509_CRL_get_lastUpdate(X509_CRL *crl) +{ + return crl->crl->lastUpdate; +} + const ASN1_TIME * X509_CRL_get0_nextUpdate(const X509_CRL *crl) { return crl->crl->nextUpdate; } +ASN1_TIME * +X509_CRL_get_nextUpdate(X509_CRL *crl) +{ + return crl->crl->nextUpdate; +} + +X509_NAME * +X509_CRL_get_issuer(const X509_CRL *crl) +{ + return crl->crl->issuer; +} + +STACK_OF(X509_REVOKED) * +X509_CRL_get_REVOKED(X509_CRL *crl) +{ + return crl->crl->revoked; +} + void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, const X509_ALGOR **palg) diff --git a/crypto/asn1/x_info.c b/crypto/asn1/x_info.c index c476923..9285e3e 100644 --- a/crypto/asn1/x_info.c +++ b/crypto/asn1/x_info.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_info.c,v 1.17 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: x_info.c,v 1.18 2020/09/03 17:29:05 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -60,48 +60,35 @@ #include #include -#include #include X509_INFO * X509_INFO_new(void) { - X509_INFO *ret = NULL; + X509_INFO *ret; - ret = malloc(sizeof(X509_INFO)); - if (ret == NULL) { + if ((ret = calloc(1, sizeof(X509_INFO))) == NULL) { ASN1error(ERR_R_MALLOC_FAILURE); return (NULL); } - - ret->enc_cipher.cipher = NULL; - ret->enc_len = 0; - ret->enc_data = NULL; - ret->references = 1; - ret->x509 = NULL; - ret->crl = NULL; - ret->x_pkey = NULL; - return (ret); + + return ret; } void X509_INFO_free(X509_INFO *x) { - int i; - if (x == NULL) return; - i = CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO); - if (i > 0) + if (CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO) > 0) return; X509_free(x->x509); - if (x->crl != NULL) - X509_CRL_free(x->crl); - if (x->x_pkey != NULL) - X509_PKEY_free(x->x_pkey); + X509_CRL_free(x->crl); + X509_PKEY_free(x->x_pkey); free(x->enc_data); + free(x); } diff --git a/crypto/asn1/x_long.c b/crypto/asn1/x_long.c index 9df3a31..ff72338 100644 --- a/crypto/asn1/x_long.c +++ b/crypto/asn1/x_long.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_long.c,v 1.11 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: x_long.c,v 1.16 2019/04/20 11:13:15 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ 
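Review bot: X509_INFO_new no longer sets `ret->references = 1`, which the removed code did explicitly, while X509_INFO_free still decrements the count with `CRYPTO_add(&x->references, -1, CRYPTO_LOCK_X509_INFO)` and only frees when the result is not greater than zero. With calloc the count starts at 0, so a fresh object is freed on its first release (the decrement yields -1), but any holder that takes an extra reference would see the object freed one release too early. Either add `ret->references = 1;` after the calloc, or remove the reference counting from X509_INFO_free if it is known to be unused.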
@@ -63,26 +63,30 @@ #include #include -/* Custom primitive type for long handling. This converts between an ASN1_INTEGER - * and a long directly. +/* + * Custom primitive type for long handling. This converts between an + * ASN1_INTEGER and a long directly. */ - static int long_new(ASN1_VALUE **pval, const ASN1_ITEM *it); static void long_free(ASN1_VALUE **pval, const ASN1_ITEM *it); -static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const ASN1_ITEM *it); -static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it); -static int long_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it, int indent, const ASN1_PCTX *pctx); +static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, + const ASN1_ITEM *it); +static int long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, + int utype, char *free_cont, const ASN1_ITEM *it); +static int long_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it, + int indent, const ASN1_PCTX *pctx); static ASN1_PRIMITIVE_FUNCS long_pf = { - NULL, 0, - long_new, - long_free, - long_free, /* Clear should set to initial value */ - long_c2i, - long_i2c, - long_print + .app_data = NULL, + .flags = 0, + .prim_new = long_new, + .prim_free = long_free, + .prim_clear = long_free, /* Clear should set to initial value */ + .prim_c2i = long_c2i, + .prim_i2c = long_i2c, + .prim_print = long_print, }; const ASN1_ITEM LONG_it = { @@ -138,7 +142,7 @@ long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, * octet is set. */ if (ltmp < 0) - utmp = -ltmp - 1; + utmp = -(ltmp + 1); else utmp = ltmp; clen = BN_num_bits_word(utmp); @@ -191,8 +195,8 @@ long_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len, int utype, } ltmp = (long)utmp; if (neg) { - ltmp++; ltmp = -ltmp; + ltmp--; } if (ltmp == it->size) { ASN1error(ASN1_R_INTEGER_TOO_LARGE_FOR_LONG); 
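Review bot: The reordering in long_c2i to `ltmp = -ltmp; ltmp--;` and the matching `utmp = -(ltmp + 1)` in long_i2c exist to avoid signed overflow at the most negative value (the old `ltmp++` before negation overflows when ltmp is LONG_MAX), but neither hunk says so, and the old order is easy to reintroduce. Suggest a comment at the long_c2i site: `/* Negate before decrementing so the minimum long is reached without overflow. */`. Both functions continue outside their hunks.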
@@ -206,5 +210,8 @@ static int long_print(BIO *out, ASN1_VALUE **pval, const ASN1_ITEM *it, int indent, const ASN1_PCTX *pctx) { - return BIO_printf(out, "%ld\n", *(long *)pval); + if (BIO_printf(out, "%ld\n", *(long *)pval) <= 0) + return 0; + + return 1; } diff --git a/crypto/asn1/x_x509a.c b/crypto/asn1/x_x509a.c index 2981791..b0d7150 100644 --- a/crypto/asn1/x_x509a.c +++ b/crypto/asn1/x_x509a.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x_x509a.c,v 1.14 2015/02/14 15:28:39 miod Exp $ */ +/* $OpenBSD: x_x509a.c,v 1.15 2018/05/01 19:01:27 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -154,7 +154,7 @@ aux_get(X509 *x) } int -X509_alias_set1(X509 *x, unsigned char *name, int len) +X509_alias_set1(X509 *x, const unsigned char *name, int len) { X509_CERT_AUX *aux; if (!name) { @@ -172,7 +172,7 @@ X509_alias_set1(X509 *x, unsigned char *name, int len) } int -X509_keyid_set1(X509 *x, unsigned char *id, int len) +X509_keyid_set1(X509 *x, const unsigned char *id, int len) { X509_CERT_AUX *aux; if (!id) { @@ -210,7 +210,7 @@ X509_keyid_get0(X509 *x, int *len) } int -X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj) +X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj) { X509_CERT_AUX *aux; ASN1_OBJECT *objtmp; @@ -232,7 +232,7 @@ err: } int -X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj) +X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj) { X509_CERT_AUX *aux; ASN1_OBJECT *objtmp; diff --git a/crypto/bio/b_print.c b/crypto/bio/b_print.c index 0974776..c9d5480 100644 --- a/crypto/bio/b_print.c +++ b/crypto/bio/b_print.c @@ -1,4 +1,4 @@ -/* $OpenBSD: b_print.c,v 1.25 2014/06/12 15:49:28 deraadt Exp $ */ +/* $OpenBSD: b_print.c,v 1.26 2019/06/28 05:47:57 deraadt Exp $ */ /* Theo de Raadt places this file in the public domain. */ 
@@ -49,13 +49,10 @@ BIO_vprintf(BIO *bio, const char *format, va_list args) char *buf = NULL; ret = vasprintf(&buf, format, args); - if (buf == NULL) { - ret = -1; - goto fail; - } + if (ret == -1) + return (ret); BIO_write(bio, buf, ret); free(buf); -fail: return (ret); } diff --git a/crypto/bio/bf_buff.c b/crypto/bio/bf_buff.c index 30765b0..5b9ee35 100644 --- a/crypto/bio/bf_buff.c +++ b/crypto/bio/bf_buff.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bf_buff.c,v 1.24 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bf_buff.c,v 1.25 2018/05/01 13:29:09 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -73,7 +73,7 @@ static int buffer_free(BIO *data); static long buffer_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp); #define DEFAULT_BUFFER_SIZE 4096 -static BIO_METHOD methods_buffer = { +static const BIO_METHOD methods_buffer = { .type = BIO_TYPE_BUFFER, .name = "buffer", .bwrite = buffer_write, @@ -86,7 +86,7 @@ static BIO_METHOD methods_buffer = { .callback_ctrl = buffer_callback_ctrl }; -BIO_METHOD * +const BIO_METHOD * BIO_f_buffer(void) { return (&methods_buffer); diff --git a/crypto/bio/bf_nbio.c b/crypto/bio/bf_nbio.c index 24e2e7e..05fa916 100644 --- a/crypto/bio/bf_nbio.c +++ b/crypto/bio/bf_nbio.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bf_nbio.c,v 1.19 2015/02/07 13:19:15 doug Exp $ */ +/* $OpenBSD: bf_nbio.c,v 1.20 2018/05/01 13:29:09 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -80,7 +80,7 @@ typedef struct nbio_test_st { int lwn; } NBIO_TEST; -static BIO_METHOD methods_nbiof = { +static const BIO_METHOD methods_nbiof = { .type = BIO_TYPE_NBIO_TEST, .name = "non-blocking IO test filter", .bwrite = nbiof_write, @@ -93,7 +93,7 @@ static BIO_METHOD methods_nbiof = { .callback_ctrl = nbiof_callback_ctrl }; -BIO_METHOD * +const BIO_METHOD * BIO_f_nbio_test(void) { return (&methods_nbiof); diff --git a/crypto/bio/bf_null.c b/crypto/bio/bf_null.c index 09d54b6..25abb8a 100644 
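Review bot: BIO_vprintf now returns the vasprintf length regardless of whether `BIO_write(bio, buf, ret)` succeeded, since the write's return value is discarded, so a caller checking the result cannot distinguish a failed or short write from success. Suggest propagating it, `ret = BIO_write(bio, buf, ret);` before `free(buf);`, or at least documenting that the return value reflects formatting only.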
--- a/crypto/bio/bf_null.c +++ b/crypto/bio/bf_null.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bf_null.c,v 1.11 2014/07/11 08:44:47 jsing Exp $ */ +/* $OpenBSD: bf_null.c,v 1.12 2018/05/01 13:29:09 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -73,7 +73,7 @@ static int nullf_new(BIO *h); static int nullf_free(BIO *data); static long nullf_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp); -static BIO_METHOD methods_nullf = { +static const BIO_METHOD methods_nullf = { .type = BIO_TYPE_NULL_FILTER, .name = "NULL filter", .bwrite = nullf_write, @@ -86,7 +86,7 @@ static BIO_METHOD methods_nullf = { .callback_ctrl = nullf_callback_ctrl }; -BIO_METHOD * +const BIO_METHOD * BIO_f_null(void) { return (&methods_nullf); diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index ddab542..7ef1784 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_lib.c,v 1.27 2018/02/22 16:38:43 jsing Exp $ */ +/* $OpenBSD: bio_lib.c,v 1.29 2019/04/14 17:39:03 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -79,7 +79,7 @@ BIO_get_new_index(void) } BIO * -BIO_new(BIO_METHOD *method) +BIO_new(const BIO_METHOD *method) { BIO *ret = NULL; @@ -96,7 +96,7 @@ BIO_new(BIO_METHOD *method) } int -BIO_set(BIO *bio, BIO_METHOD *method) +BIO_set(BIO *bio, const BIO_METHOD *method) { bio->method = method; bio->callback = NULL; @@ -250,7 +250,13 @@ BIO_read(BIO *b, void *out, int outl) int i; long (*cb)(BIO *, int, const char *, int, long, long); - if ((b == NULL) || (b->method == NULL) || (b->method->bread == NULL)) { + if (b == NULL) + return (0); + + if (out == NULL || outl <= 0) + return (0); + + if (b->method == NULL || b->method->bread == NULL) { BIOerror(BIO_R_UNSUPPORTED_METHOD); return (-2); } @@ -273,6 +279,7 @@ BIO_read(BIO *b, void *out, int outl) if (cb != NULL) i = (int)cb(b, BIO_CB_READ|BIO_CB_RETURN, out, outl, 0L, (long)i); + return (i); } 
@@ -285,12 +292,15 @@ BIO_write(BIO *b, const void *in, int inl) if (b == NULL) return (0); - cb = b->callback; - if ((b->method == NULL) || (b->method->bwrite == NULL)) { + if (in == NULL || inl <= 0) + return (0); + + if (b->method == NULL || b->method->bwrite == NULL) { BIOerror(BIO_R_UNSUPPORTED_METHOD); return (-2); } + cb = b->callback; if ((cb != NULL) && ((i = (int)cb(b, BIO_CB_WRITE, in, inl, 0L, 1L)) <= 0)) return (i); diff --git a/crypto/bio/bio_meth.c b/crypto/bio/bio_meth.c index c795c3f..4327c01 100644 --- a/crypto/bio/bio_meth.c +++ b/crypto/bio/bio_meth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_meth.c,v 1.5 2018/02/20 18:51:35 tb Exp $ */ +/* $OpenBSD: bio_meth.c,v 1.6 2018/06/02 04:41:12 tb Exp $ */ /* * Copyright (c) 2018 Theo Buehler * @@ -40,7 +40,7 @@ BIO_meth_free(BIO_METHOD *biom) } int -(*BIO_meth_get_write(BIO_METHOD *biom))(BIO *, const char *, int) +(*BIO_meth_get_write(const BIO_METHOD *biom))(BIO *, const char *, int) { return biom->bwrite; } @@ -53,7 +53,7 @@ BIO_meth_set_write(BIO_METHOD *biom, int (*write)(BIO *, const char *, int)) } int -(*BIO_meth_get_read(BIO_METHOD *biom))(BIO *, char *, int) +(*BIO_meth_get_read(const BIO_METHOD *biom))(BIO *, char *, int) { return biom->bread; } @@ -66,7 +66,7 @@ BIO_meth_set_read(BIO_METHOD *biom, int (*read)(BIO *, char *, int)) } int -(*BIO_meth_get_puts(BIO_METHOD *biom))(BIO *, const char *) +(*BIO_meth_get_puts(const BIO_METHOD *biom))(BIO *, const char *) { return biom->bputs; } @@ -79,7 +79,7 @@ BIO_meth_set_puts(BIO_METHOD *biom, int (*puts)(BIO *, const char *)) } int -(*BIO_meth_get_gets(BIO_METHOD *biom))(BIO *, char *, int) +(*BIO_meth_get_gets(const BIO_METHOD *biom))(BIO *, char *, int) { return biom->bgets; } @@ -92,7 +92,7 @@ BIO_meth_set_gets(BIO_METHOD *biom, int (*gets)(BIO *, char *, int)) } long -(*BIO_meth_get_ctrl(BIO_METHOD *biom))(BIO *, int, long, void *) +(*BIO_meth_get_ctrl(const BIO_METHOD *biom))(BIO *, int, long, void *) { return biom->ctrl; } 
@@ -105,7 +105,7 @@ BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl)(BIO *, int, long, void *)) } int -(*BIO_meth_get_create(BIO_METHOD *biom))(BIO *) +(*BIO_meth_get_create(const BIO_METHOD *biom))(BIO *) { return biom->create; } @@ -118,7 +118,7 @@ BIO_meth_set_create(BIO_METHOD *biom, int (*create)(BIO *)) } int -(*BIO_meth_get_destroy(BIO_METHOD *biom))(BIO *) +(*BIO_meth_get_destroy(const BIO_METHOD *biom))(BIO *) { return biom->destroy; } @@ -131,7 +131,7 @@ BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy)(BIO *)) } long -(*BIO_meth_get_callback_ctrl(BIO_METHOD *biom))(BIO *, int, BIO_info_cb *) +(*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom))(BIO *, int, BIO_info_cb *) { return (long (*)(BIO *, int, BIO_info_cb *))biom->callback_ctrl; /* XXX */ diff --git a/crypto/bio/bss_acpt.c b/crypto/bio/bss_acpt.c index 20508a7..c95ddde 100644 --- a/crypto/bio/bss_acpt.c +++ b/crypto/bio/bss_acpt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bss_acpt.c,v 1.27 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bss_acpt.c,v 1.29 2018/05/12 18:51:59 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -100,7 +100,7 @@ static void BIO_ACCEPT_free(BIO_ACCEPT *a); #define ACPT_S_GET_ACCEPT_SOCKET 2 #define ACPT_S_OK 3 -static BIO_METHOD methods_acceptp = { +static const BIO_METHOD methods_acceptp = { .type = BIO_TYPE_ACCEPT, .name = "socket accept", .bwrite = acpt_write, @@ -111,7 +111,7 @@ static BIO_METHOD methods_acceptp = { .destroy = acpt_free }; -BIO_METHOD * +const BIO_METHOD * BIO_s_accept(void) { return (&methods_acceptp); @@ -436,7 +436,7 @@ acpt_puts(BIO *bp, const char *str) } BIO * -BIO_new_accept(char *str) +BIO_new_accept(const char *str) { BIO *ret; diff --git a/crypto/bio/bss_bio.c b/crypto/bio/bss_bio.c index 20eb9a9..74f86a5 100644 --- a/crypto/bio/bss_bio.c +++ b/crypto/bio/bss_bio.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: bss_bio.c,v 1.23 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bss_bio.c,v 1.24 2018/05/01 13:29:09 tb Exp $ */ /* ==================================================================== * Copyright (c) 1998-2003 The OpenSSL Project. All rights reserved. * @@ -94,7 +94,7 @@ static int bio_puts(BIO *bio, const char *str); static int bio_make_pair(BIO *bio1, BIO *bio2); static void bio_destroy_pair(BIO *bio); -static BIO_METHOD methods_biop = { +static const BIO_METHOD methods_biop = { .type = BIO_TYPE_BIO, .name = "BIO pair", .bwrite = bio_write, @@ -105,7 +105,7 @@ static BIO_METHOD methods_biop = { .destroy = bio_free }; -BIO_METHOD * +const BIO_METHOD * BIO_s_bio(void) { return &methods_biop; diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index 5552738..46a37b0 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bss_conn.c,v 1.33 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bss_conn.c,v 1.35 2018/05/12 18:51:59 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -106,7 +106,7 @@ static void conn_close_socket(BIO *data); BIO_CONNECT *BIO_CONNECT_new(void); void BIO_CONNECT_free(BIO_CONNECT *a); -static BIO_METHOD methods_connectp = { +static const BIO_METHOD methods_connectp = { .type = BIO_TYPE_CONNECT, .name = "socket connect", .bwrite = conn_write, @@ -319,7 +319,7 @@ BIO_CONNECT_free(BIO_CONNECT *a) free(a); } -BIO_METHOD * +const BIO_METHOD * BIO_s_connect(void) { return (&methods_connectp); @@ -583,7 +583,7 @@ conn_puts(BIO *bp, const char *str) } BIO * -BIO_new_connect(char *str) +BIO_new_connect(const char *str) { BIO *ret; diff --git a/crypto/bio/bss_dgram.c b/crypto/bio/bss_dgram.c index a965740..794b6d1 100644 --- a/crypto/bio/bss_dgram.c +++ b/crypto/bio/bss_dgram.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: bss_dgram.c,v 1.41 2015/07/20 23:15:28 doug Exp $ */ +/* $OpenBSD: bss_dgram.c,v 1.42 2018/05/12 17:47:53 tb Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -86,7 +86,7 @@ static int dgram_clear(BIO *bio); static int BIO_dgram_should_retry(int s); -static BIO_METHOD methods_dgramp = { +static const BIO_METHOD methods_dgramp = { .type = BIO_TYPE_DGRAM, .name = "datagram socket", .bwrite = dgram_write, @@ -112,7 +112,7 @@ typedef struct bio_dgram_data_st { } bio_dgram_data; -BIO_METHOD * +const BIO_METHOD * BIO_s_datagram(void) { return (&methods_dgramp); diff --git a/crypto/bio/bss_fd.c b/crypto/bio/bss_fd.c index b21dbd9..bbe08ef 100644 --- a/crypto/bio/bss_fd.c +++ b/crypto/bio/bss_fd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bss_fd.c,v 1.18 2015/02/12 03:54:07 jsing Exp $ */ +/* $OpenBSD: bss_fd.c,v 1.19 2018/05/01 13:29:09 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -74,7 +74,7 @@ static int fd_new(BIO *h); static int fd_free(BIO *data); int BIO_fd_should_retry(int s); -static BIO_METHOD methods_fdp = { +static const BIO_METHOD methods_fdp = { .type = BIO_TYPE_FD, .name = "file descriptor", .bwrite = fd_write, @@ -86,7 +86,7 @@ static BIO_METHOD methods_fdp = { .destroy = fd_free }; -BIO_METHOD * +const BIO_METHOD * BIO_s_fd(void) { return (&methods_fdp); diff --git a/crypto/bio/bss_file.c b/crypto/bio/bss_file.c index 01f4a3f..fe93738 100644 --- a/crypto/bio/bss_file.c +++ b/crypto/bio/bss_file.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bss_file.c,v 1.32 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bss_file.c,v 1.33 2018/05/30 00:23:04 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -98,7 +98,7 @@ static long file_ctrl(BIO *h, int cmd, long arg1, void *arg2); static int file_new(BIO *h); static int file_free(BIO *data); -static BIO_METHOD methods_filep = { +static const BIO_METHOD methods_filep = { .type = BIO_TYPE_FILE, .name = "FILE pointer", .bwrite = file_write, @@ -148,7 +148,7 @@ BIO_new_fp(FILE *stream, int close_flag) return (ret); } -BIO_METHOD * +const BIO_METHOD * BIO_s_file(void) { return (&methods_filep); diff --git a/crypto/bio/bss_log.c b/crypto/bio/bss_log.c index fcaa985..7ef1312 100644 --- a/crypto/bio/bss_log.c +++ b/crypto/bio/bss_log.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bss_log.c,v 1.21 2014/07/11 08:44:47 jsing Exp $ */ +/* $OpenBSD: bss_log.c,v 1.22 2018/05/01 13:29:10 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * @@ -81,7 +81,7 @@ static void xopenlog(BIO* bp, char* name, int level); static void xsyslog(BIO* bp, int priority, const char* string); static void xcloselog(BIO* bp); -static BIO_METHOD methods_slg = { +static const BIO_METHOD methods_slg = { .type = BIO_TYPE_MEM, .name = "syslog", .bwrite = slg_write, @@ -91,7 +91,7 @@ static BIO_METHOD methods_slg = { .destroy = slg_free }; -BIO_METHOD * +const BIO_METHOD * BIO_s_log(void) { return (&methods_slg); diff --git a/crypto/bio/bss_mem.c b/crypto/bio/bss_mem.c index be491ca..e76e1ad 100644 --- a/crypto/bio/bss_mem.c +++ b/crypto/bio/bss_mem.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bss_mem.c,v 1.15 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bss_mem.c,v 1.17 2018/05/12 18:51:59 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -72,7 +72,7 @@ static long mem_ctrl(BIO *h, int cmd, long arg1, void *arg2); static int mem_new(BIO *h); static int mem_free(BIO *data); -static BIO_METHOD mem_method = { +static const BIO_METHOD mem_method = { .type = BIO_TYPE_MEM, .name = "memory buffer", .bwrite = mem_write, 
@@ -87,14 +87,14 @@ static BIO_METHOD mem_method = { /* bio->num is used to hold the value to return on 'empty', if it is * 0, should_retry is not set */ -BIO_METHOD * +const BIO_METHOD * BIO_s_mem(void) { return (&mem_method); } BIO * -BIO_new_mem_buf(void *buf, int len) +BIO_new_mem_buf(const void *buf, int len) { BIO *ret; BUF_MEM *b; @@ -108,7 +108,7 @@ BIO_new_mem_buf(void *buf, int len) if (!(ret = BIO_new(BIO_s_mem()))) return NULL; b = (BUF_MEM *)ret->ptr; - b->data = buf; + b->data = (void *)buf; /* Trust in the BIO_FLAGS_MEM_RDONLY flag. */ b->length = sz; b->max = sz; ret->flags |= BIO_FLAGS_MEM_RDONLY; diff --git a/crypto/bio/bss_null.c b/crypto/bio/bss_null.c index 42ee626..c6de844 100644 --- a/crypto/bio/bss_null.c +++ b/crypto/bio/bss_null.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bss_null.c,v 1.10 2014/07/11 08:44:47 jsing Exp $ */ +/* $OpenBSD: bss_null.c,v 1.11 2018/05/01 13:29:10 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -70,7 +70,7 @@ static long null_ctrl(BIO *h, int cmd, long arg1, void *arg2); static int null_new(BIO *h); static int null_free(BIO *data); -static BIO_METHOD null_method = { +static const BIO_METHOD null_method = { .type = BIO_TYPE_NULL, .name = "NULL", .bwrite = null_write, @@ -82,7 +82,7 @@ static BIO_METHOD null_method = { .destroy = null_free }; -BIO_METHOD * +const BIO_METHOD * BIO_s_null(void) { return (&null_method); diff --git a/crypto/bio/bss_sock.c b/crypto/bio/bss_sock.c index dd470eb..9c650a8 100644 --- a/crypto/bio/bss_sock.c +++ b/crypto/bio/bss_sock.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bss_sock.c,v 1.23 2014/07/11 08:44:47 jsing Exp $ */ +/* $OpenBSD: bss_sock.c,v 1.24 2018/05/01 13:29:10 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -73,7 +73,7 @@ static int sock_new(BIO *h); static int sock_free(BIO *data); int BIO_sock_should_retry(int s); -static BIO_METHOD methods_sockp = { +static const BIO_METHOD methods_sockp = { .type = BIO_TYPE_SOCKET, .name = "socket", .bwrite = sock_write, @@ -84,7 +84,7 @@ static BIO_METHOD methods_sockp = { .destroy = sock_free }; -BIO_METHOD * +const BIO_METHOD * BIO_s_socket(void) { return (&methods_sockp); diff --git a/crypto/bn/bn_add.c b/crypto/bn/bn_add.c index 334fb4f..048a136 100644 --- a/crypto/bn/bn_add.c +++ b/crypto/bn/bn_add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_add.c,v 1.11 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bn_add.c,v 1.13 2018/07/23 18:07:21 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -62,61 +62,51 @@ #include "bn_lcl.h" -/* r can == a or b */ int BN_add(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { - const BIGNUM *tmp; - int a_neg = a->neg, ret; + int ret, r_neg; bn_check_top(a); bn_check_top(b); - /* a + b a+b - * a + -b a-b - * -a + b b-a - * -a + -b -(a+b) - */ - if (a_neg ^ b->neg) { - /* only one is negative */ - if (a_neg) - { tmp = a; - a = b; - b = tmp; - } + if (a->neg == b->neg) { + r_neg = a->neg; + ret = BN_uadd(r, a, b); + } else { + int cmp = BN_ucmp(a, b); - /* we are now a - b */ - - if (BN_ucmp(a, b) < 0) { - if (!BN_usub(r, b, a)) - return (0); - r->neg = 1; + if (cmp > 0) { + r_neg = a->neg; + ret = BN_usub(r, a, b); + } else if (cmp < 0) { + r_neg = b->neg; + ret = BN_usub(r, b, a); } else { - if (!BN_usub(r, a, b)) - return (0); - r->neg = 0; + r_neg = 0; + BN_zero(r); + ret = 1; } - return (1); } - ret = BN_uadd(r, a, b); - r->neg = a_neg; + r->neg = r_neg; bn_check_top(r); return ret; } -/* unsigned add of b to a */ int BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { int max, min, dif; - BN_ULONG *ap, *bp, *rp, carry, t1, t2; - const BIGNUM *tmp; + const BN_ULONG *ap, *bp; + BN_ULONG *rp, carry, t1, t2; bn_check_top(a); bn_check_top(b); if (a->top < b->top) { + const BIGNUM *tmp; + tmp = a; a = b; b = tmp; 
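Review bot: The removed header comment `/* r can == a or b */` documented an aliasing guarantee the new BN_add still relies on (the `cmp == 0` branch calls `BN_zero(r)` where r may alias a or b), and the removed sign table made the four sign combinations explicit; neither is replaced in the new code. Suggest restoring a one-line comment above BN_add and BN_uadd, e.g. `/* r may alias a or b. */`. Note also that `r->neg = r_neg;` is now stored even when BN_uadd or BN_usub returned 0, where the old code returned immediately; harmless if r is unusable after a failure, but worth a sentence. BN_uadd continues outside the hunk.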
@@ -137,41 +127,28 @@ BN_uadd(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) carry = bn_add_words(rp, ap, bp, min); rp += min; ap += min; - bp += min; - if (carry) { - while (dif) { - dif--; - t1 = *(ap++); - t2 = (t1 + 1) & BN_MASK2; - *(rp++) = t2; - if (t2) { - carry = 0; - break; - } - } - if (carry) { - /* carry != 0 => dif == 0 */ - *rp = 1; - r->top++; - } + while (dif) { + dif--; + t1 = *(ap++); + t2 = (t1 + carry) & BN_MASK2; + *(rp++) = t2; + carry &= (t2 == 0); } - if (dif && rp != ap) - while (dif--) - /* copy remaining words if ap != rp */ - *(rp++) = *(ap++); + *rp = carry; + r->top += carry; + r->neg = 0; bn_check_top(r); return 1; } -/* unsigned subtraction of b from a, a must be larger than b. */ int BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { int max, min, dif; - BN_ULONG t1, t2, *ap, *bp, *rp; - int i, carry; + const BN_ULONG *ap, *bp; + BN_ULONG t1, t2, borrow, *rp; bn_check_top(a); bn_check_top(b); 
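Review bot: BN_uadd now writes `*rp = carry;` and `r->top += carry;` unconditionally, so r->d must have room for `max + 1` words; the bn_wexpand call that guarantees this lies above the hunk and is not visible here, so please confirm it requests `max + 1` rather than `max`. The removed code only touched word `max` when a carry actually remained. A comment at the store, `/* r holds max + 1 words; the extra word is zero when there is no carry. */`, would tie the two sites together.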
@@ -180,134 +157,67 @@ BN_usub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) min = b->top; dif = max - min; - if (dif < 0) /* hmm... should not be happening */ - { + if (dif < 0) { BNerror(BN_R_ARG2_LT_ARG3); - return (0); + return 0; } if (bn_wexpand(r, max) == NULL) - return (0); + return 0; ap = a->d; bp = b->d; rp = r->d; -#if 1 - carry = 0; - for (i = min; i != 0; i--) { - t1= *(ap++); - t2= *(bp++); - if (carry) { - carry = (t1 <= t2); - t1 = (t1 - t2 - 1)&BN_MASK2; - } else { - carry = (t1 < t2); - t1 = (t1 - t2)&BN_MASK2; - } - *(rp++) = t1&BN_MASK2; - } -#else - carry = bn_sub_words(rp, ap, bp, min); + borrow = bn_sub_words(rp, ap, bp, min); ap += min; - bp += min; rp += min; -#endif - if (carry) /* subtracted */ - { - if (!dif) - /* error: a < b */ - return 0; - while (dif) { - dif--; - t1 = *(ap++); - t2 = (t1 - 1)&BN_MASK2; - *(rp++) = t2; - if (t1) - break; - } + + while (dif) { + dif--; + t1 = *(ap++); + t2 = (t1 - borrow) & BN_MASK2; + *(rp++) = t2; + borrow &= (t1 == 0); } -#if 0 - memcpy(rp, ap, sizeof(*rp)*(max - i)); -#else - if (rp != ap) { - for (;;) { - if (!dif--) - break; - rp[0] = ap[0]; - if (!dif--) - break; - rp[1] = ap[1]; - if (!dif--) - break; - rp[2] = ap[2]; - if (!dif--) - break; - rp[3] = ap[3]; - rp += 4; - ap += 4; - } - } -#endif + + while (max > 0 && *--rp == 0) + max--; r->top = max; r->neg = 0; bn_correct_top(r); - return (1); + return 1; } int BN_sub(BIGNUM *r, const BIGNUM *a, const BIGNUM *b) { - int max; - int add = 0, neg = 0; - const BIGNUM *tmp; + int ret, r_neg; bn_check_top(a); bn_check_top(b); - /* a - b a-b - * a - -b a+b - * -a - b -(a+b) - * -a - -b b-a - */ - if (a->neg) { - if (b->neg) { - tmp = a; - a = b; - b = tmp; + if (a->neg != b->neg) { + r_neg = a->neg; + ret = BN_uadd(r, a, b); + } else { + int cmp = BN_ucmp(a, b); + + if (cmp > 0) { + r_neg = a->neg; + ret = BN_usub(r, a, b); + } else if (cmp < 0) { + r_neg = !b->neg; + ret = BN_usub(r, b, a); } else { - add = 1; - neg = 1; - } - } else { - if 
(b->neg) { - add = 1; - neg = 0; + r_neg = 0; + BN_zero(r); + ret = 1; } } - if (add) { - if (!BN_uadd(r, a, b)) - return (0); - r->neg = neg; - return (1); - } - - /* We are actually doing a - b :-) */ - - max = (a->top > b->top) ? a->top : b->top; - if (bn_wexpand(r, max) == NULL) - return (0); - if (BN_ucmp(a, b) < 0) { - if (!BN_usub(r, b, a)) - return (0); - r->neg = 1; - } else { - if (!BN_usub(r, a, b)) - return (0); - r->neg = 0; - } + r->neg = r_neg; bn_check_top(r); - return (1); + return ret; } diff --git a/crypto/bn/bn_ctx.c b/crypto/bn/bn_ctx.c index 1237ac1..0d64cca 100644 --- a/crypto/bn/bn_ctx.c +++ b/crypto/bn/bn_ctx.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_ctx.c,v 1.15 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: bn_ctx.c,v 1.16 2019/08/20 10:59:09 schwarze Exp $ */ /* Written by Ulf Moeller for the OpenSSL project. */ /* ==================================================================== * Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved. @@ -283,6 +283,9 @@ BN_CTX_start(BN_CTX *ctx) void BN_CTX_end(BN_CTX *ctx) { + if (ctx == NULL) + return; + CTXDBG_ENTRY("BN_CTX_end", ctx); if (ctx->err_stack) diff --git a/crypto/bn/bn_div.c b/crypto/bn/bn_div.c index f3a97bc..1249a11 100644 --- a/crypto/bn/bn_div.c +++ b/crypto/bn/bn_div.c @@ -89,7 +89,7 @@ q; \ }) # define REMAINDER_IS_ALREADY_CALCULATED -# elif defined(__x86_64) +# elif defined(__x86_64) && defined(_LP64) /* * Same story here, but it's 128-bit by 64-bit division. Wow! * diff --git a/crypto/bn/bn_lcl.h b/crypto/bn/bn_lcl.h index c010410..a165d02 100644 --- a/crypto/bn/bn_lcl.h +++ b/crypto/bn/bn_lcl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_lcl.h,v 1.27 2017/01/25 06:15:44 beck Exp $ */ +/* $OpenBSD: bn_lcl.h,v 1.30 2018/11/05 23:52:47 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
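Review bot: The removed `if (!dif) return 0;` was the only runtime detection of a < b when both operands have the same top; in the new BN_usub a `borrow` that is still 1 after the `while (dif)` loop is discarded, so such a call now silently returns the wrapped difference instead of failing. BN_add and BN_sub in this commit order the operands with BN_ucmp first and are safe, but BN_usub is visible to the rest of libcrypto, so either reinstate the check before the top-trimming loop, `if (borrow) { BNerror(BN_R_ARG2_LT_ARG3); return 0; }`, or restate the a >= b precondition in a comment above the function. The `while (max > 0 && *--rp == 0) max--;` loop already normalizes top, so the `bn_correct_top(r)` that follows appears redundant — drop one or comment why both stay.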
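Review bot: The new gate `defined(__x86_64) && defined(_LP64)` in bn_div.c tests only `__x86_64`, whereas the matching change in bn_lcl.h in this same commit uses `(defined(__x86_64) || defined(__x86_64__)) && defined(_LP64)`; a compiler that defines only `__x86_64__` would then take the asm path in bn_lcl.h but not here. Align the two, e.g. `# elif (defined(__x86_64) || defined(__x86_64__)) && defined(_LP64)`. The enclosing #if chain starts and ends outside the hunk.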
@@ -239,7 +239,7 @@ __BEGIN_HIDDEN_DECLS : "r"(a), "r"(b)); \ ret; }) # endif /* compiler */ -# elif defined(__x86_64) || defined(__x86_64__) +# elif (defined(__x86_64) || defined(__x86_64__)) && defined(_LP64) # if defined(__GNUC__) && __GNUC__>=2 # define BN_UMULT_HIGH(a,b) ({ \ BN_ULONG ret,discard; \ @@ -583,6 +583,7 @@ BN_ULONG bn_add_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int BN_ULONG bn_sub_words(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, int num); int BN_bntest_rand(BIGNUM *rnd, int bits, int top, int bottom); +int bn_rand_interval(BIGNUM *rnd, const BIGNUM *lower_inc, const BIGNUM *upper_exc); /* Explicitly const time / non-const time versions for internal use */ int BN_mod_exp_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, @@ -605,5 +606,8 @@ BIGNUM *BN_mod_inverse_nonct(BIGNUM *ret, const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx); int BN_gcd_ct(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); int BN_gcd_nonct(BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *ctx); + +int BN_swap_ct(BN_ULONG swap, BIGNUM *a, BIGNUM *b, size_t nwords); + __END_HIDDEN_DECLS #endif diff --git a/crypto/bn/bn_lib.c b/crypto/bn/bn_lib.c index ffb5ee7..1a91b9e 100644 --- a/crypto/bn/bn_lib.c +++ b/crypto/bn/bn_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_lib.c,v 1.39 2018/02/20 17:13:14 jsing Exp $ */ +/* $OpenBSD: bn_lib.c,v 1.47 2019/06/17 17:11:48 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
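Review bot: The two new internal prototypes in bn_lcl.h are undocumented: `bn_rand_interval`'s parameter names hint at a half-open interval, and `BN_swap_ct` differs from the neighbouring BN_consttime_swap (whose `nwords` is `int` and whose swap flag must have at most one bit set), but the header says neither. Suggested comments, grounded in the definitions added later in this commit: `/* Random rnd in [lower_inc, upper_exc); returns 0 on error. */` and `/* Like BN_consttime_swap, but any nonzero swap value swaps, a and b are expanded to nwords, and 0 is returned on error. */`.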
@@ -151,53 +151,23 @@ BN_value_one(void) int BN_num_bits_word(BN_ULONG l) { - static const unsigned char bits[256] = { - 0, 1, 2, 2, 3, 3, 3, 3, 4, 4, 4, 4, 4, 4, 4, 4, - 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, 5, - 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, - 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, 6, - 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, - 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, - 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, - 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, 7, - 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, - 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, - 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, - 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, - 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, - 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, - 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, - 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8, - }; + BN_ULONG x, mask; + int bits; + unsigned int shift; -#ifdef _LP64 - if (l & 0xffffffff00000000L) { - if (l & 0xffff000000000000L) { - if (l & 0xff00000000000000L) { - return (bits[(int)(l >> 56)] + 56); - } else - return (bits[(int)(l >> 48)] + 48); - } else { - if (l & 0x0000ff0000000000L) { - return (bits[(int)(l >> 40)] + 40); - } else - return (bits[(int)(l >> 32)] + 32); - } - } else -#endif - { - if (l & 0xffff0000L) { - if (l & 0xff000000L) - return (bits[(int)(l >> 24L)] + 24); - else - return (bits[(int)(l >> 16L)] + 16); - } else { - if (l & 0xff00L) - return (bits[(int)(l >> 8)] + 8); - else - return (bits[(int)(l)]); - } - } + /* Constant time calculation of floor(log2(l)) + 1. */ + bits = (l != 0); + shift = BN_BITS4; /* On _LP64 this is 32, otherwise 16. */ + do { + x = l >> shift; + /* If x is 0, set mask to 0, otherwise set it to all 1s. */ + mask = ((~x & (x - 1)) >> (BN_BITS2 - 1)) - 1; + bits += shift & mask; + /* If x is 0, leave l alone, otherwise set l = x. */ + l ^= (x ^ l) & mask; + } while ((shift /= 2) != 0); + + return bits; } int 
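Review bot: The nonzero-to-all-ones mask `((~x & (x - 1)) >> (BN_BITS2 - 1)) - 1` is the same construction BN_swap_ct applies to `condition` later in this commit; it is subtle (it relies on `~x & (x - 1)` having its top bit set exactly when x == 0), and two hand-copied instances are twice the review surface. Factor it into one internal macro in bn_lcl.h (a name along the lines of `BN_MASK_IF_NONZERO(x)` is only a suggestion) and use it at both sites, with the one-line explanation attached to the macro rather than repeated. The comment states the constant-time intent but not why: a note that callers measuring secret operands depend on it would stop a later rewrite from reintroducing the lookup table.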
@@ -529,7 +499,7 @@ BN_clear(BIGNUM *a) { bn_check_top(a); if (a->d != NULL) - memset(a->d, 0, a->dmax * sizeof(a->d[0])); + explicit_bzero(a->d, a->dmax * sizeof(a->d[0])); a->top = 0; a->neg = 0; } @@ -578,6 +548,8 @@ BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret) BN_ULONG l; BIGNUM *bn = NULL; + if (len < 0) + return (NULL); if (ret == NULL) ret = bn = BN_new(); if (ret == NULL) @@ -837,8 +809,10 @@ bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b, int cl, int dl) /* * Constant-time conditional swap of a and b. - * a and b are swapped if condition is not 0. The code assumes that at most one bit of condition is set. - * nwords is the number of words to swap. The code assumes that at least nwords are allocated in both a and b, + * a and b are swapped if condition is not 0. + * The code assumes that at most one bit of condition is set. + * nwords is the number of words to swap. + * The code assumes that at least nwords are allocated in both a and b, * and that no more than nwords are used by either a or b. * a and b cannot be the same number */ 
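Review bot: The new `if (len < 0) return (NULL);` in BN_bin2bn rejects the argument without recording an error, so a caller that checks the error queue sees a NULL indistinguishable from nothing having happened. BN_swap_ct in this same commit reports a comparable argument problem with `BNerror(BN_R_INVALID_LENGTH)`; do the same here: `if (len < 0) { BNerror(BN_R_INVALID_LENGTH); return (NULL); }`. BN_bin2bn's body continues outside the hunk.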
@@ -889,6 +863,57 @@ BN_consttime_swap(BN_ULONG condition, BIGNUM *a, BIGNUM *b, int nwords) #undef BN_CONSTTIME_SWAP } +/* + * Constant-time conditional swap of a and b. + * a and b are swapped if condition is not 0. + * nwords is the number of words to swap. + */ +int +BN_swap_ct(BN_ULONG condition, BIGNUM *a, BIGNUM *b, size_t nwords) +{ + BN_ULONG t; + int i, words; + + if (a == b) + return 1; + if (nwords > INT_MAX) + return 0; + words = (int)nwords; + if (bn_wexpand(a, words) == NULL || bn_wexpand(b, words) == NULL) + return 0; + if (a->top > words || b->top > words) { + BNerror(BN_R_INVALID_LENGTH); + return 0; + } + + /* Set condition to 0 (if it was zero) or all 1s otherwise. */ + condition = ((~condition & (condition - 1)) >> (BN_BITS2 - 1)) - 1; + + /* swap top field */ + t = (a->top ^ b->top) & condition; + a->top ^= t; + b->top ^= t; + + /* swap neg field */ + t = (a->neg ^ b->neg) & condition; + a->neg ^= t; + b->neg ^= t; + + /* swap BN_FLG_CONSTTIME from flag field */ + t = ((a->flags ^ b->flags) & BN_FLG_CONSTTIME) & condition; + a->flags ^= t; + b->flags ^= t; + + /* swap the data */ + for (i = 0; i < words; i++) { + t = (a->d[i] ^ b->d[i]) & condition; + a->d[i] ^= t; + b->d[i] ^= t; + } + + return 1; +} + BN_GENCB * BN_GENCB_new(void) { diff --git a/crypto/bn/bn_rand.c b/crypto/bn/bn_rand.c index 8625757..f94ce1d 100644 --- a/crypto/bn/bn_rand.c +++ b/crypto/bn/bn_rand.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_rand.c,v 1.20 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: bn_rand.c,v 1.24 2020/09/12 17:16:36 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -129,6 +129,11 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) return (0); } + if (bits < 0 || (bits == 1 && top > 0)) { + BNerror(BN_R_BITS_TOO_SMALL); + return (0); + } + if (bits == 0) { BN_zero(rnd); return (1); 
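Review bot: In BN_swap_ct, `if (nwords > INT_MAX) return 0;` fails silently while the `a->top > words || b->top > words` check a few lines later pushes `BNerror(BN_R_INVALID_LENGTH)`; both are caller length errors and should report alike, so add the BNerror to the first. The block comment copies BN_consttime_swap's wording but should state the differences that matter to a caller: `condition` is normalized so any nonzero value swaps, a and b are expanded to nwords, and the function can fail (return 0), none of which holds for BN_consttime_swap as documented directly above. A short comment that the bn_wexpand and length checks precede the masked section because they do not depend on `condition` would make the constant-time boundary explicit.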
@@ -166,18 +171,16 @@ bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom) } #endif - if (top != -1) { - if (top) { - if (bit == 0) { - buf[0] = 1; - buf[1] |= 0x80; - } else { - buf[0] |= (3 << (bit - 1)); - } + if (top > 0) { + if (bit == 0) { + buf[0] = 1; + buf[1] |= 0x80; } else { - buf[0] |= (1 << bit); + buf[0] |= (3 << (bit - 1)); } } + if (top == 0) + buf[0] |= (1 << bit); buf[0] &= ~mask; if (bottom) /* set bottom bit if requested */ buf[bytes - 1] |= 1; @@ -279,6 +282,33 @@ BN_rand_range(BIGNUM *r, const BIGNUM *range) return bn_rand_range(0, r, range); } +int +bn_rand_interval(BIGNUM *rnd, const BIGNUM *lower_inc, const BIGNUM *upper_exc) +{ + BIGNUM *len = NULL; + int ret = 0; + + if (BN_cmp(lower_inc, upper_exc) >= 0) + goto err; + + if ((len = BN_new()) == NULL) + goto err; + + if (!BN_sub(len, upper_exc, lower_inc)) + goto err; + + if (!bn_rand_range(0, rnd, len)) + goto err; + + if (!BN_add(rnd, rnd, lower_inc)) + goto err; + + ret = 1; + err: + BN_free(len); + return ret; +} + int BN_pseudo_rand_range(BIGNUM *r, const BIGNUM *range) { diff --git a/crypto/bn/bn_x931p.c b/crypto/bn/bn_x931p.c index 45b61c9..55ca21c 100644 --- a/crypto/bn/bn_x931p.c +++ b/crypto/bn/bn_x931p.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bn_x931p.c,v 1.10 2017/01/25 06:15:44 beck Exp $ */ +/* $OpenBSD: bn_x931p.c,v 1.11 2019/01/20 01:56:59 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2005. */ @@ -71,7 +71,7 @@ static int bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx, BN_GENCB *cb) { - int i = 0; + int i = 0, is_prime; if (!BN_copy(pi, Xpi)) return 0; 
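Review bot: The rewritten top handling changes the meaning of negative `top` values other than -1: the removed `if (top != -1) { if (top) ... else ... }` applied the two-top-bits branch to any nonzero top, while the new `if (top > 0)` / `if (top == 0)` pair treats every negative value as "no constraint". If -1, 0 and 1 are the only intended values, the new argument check added earlier in this file for `bits` is the place to say so, e.g. `if (top < -1 || top > 1) { BNerror(<reason code>); return (0); }` with whichever BN_R_ reason bn.h provides; otherwise document the new contract above bnrand. bnrand starts outside the hunk.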
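Review bot: bn_rand_interval returns 0 for an empty or inverted interval (`BN_cmp(lower_inc, upper_exc) >= 0`) without pushing an error, so the caller cannot tell a bad argument from an allocation failure; push one before the `goto err`, e.g. `BNerror(BN_R_INVALID_RANGE)` if bn.h defines that reason, as the new `bits` check in bnrand does with BN_R_BITS_TOO_SMALL. The sequence `bn_rand_range(0, rnd, len)` then `BN_add(rnd, rnd, lower_inc)` is wrong if a caller passes `rnd == lower_inc`, since the bound is overwritten before it is added back; state in a comment that rnd must not alias lower_inc (upper_exc is only read before rnd is written), or reject the aliasing explicitly.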
@@ -81,7 +81,10 @@ bn_x931_derive_pi(BIGNUM *pi, const BIGNUM *Xpi, BN_CTX *ctx, BN_GENCB *cb) i++; BN_GENCB_call(cb, 0, i); /* NB 27 MR is specificed in X9.31 */ - if (BN_is_prime_fasttest_ex(pi, 27, ctx, 1, cb)) + is_prime = BN_is_prime_fasttest_ex(pi, 27, ctx, 1, cb); + if (is_prime < 0) + return 0; + if (is_prime == 1) break; if (!BN_add_word(pi, 2)) return 0; @@ -173,13 +176,20 @@ BN_X931_derive_prime_ex(BIGNUM *p, BIGNUM *p1, BIGNUM *p2, const BIGNUM *Xp, goto err; if (!BN_gcd_ct(t, pm1, e, ctx)) goto err; - if (BN_is_one(t) - /* X9.31 specifies 8 MR and 1 Lucas test or any prime test - * offering similar or better guarantees 50 MR is considerably - * better. - */ - && BN_is_prime_fasttest_ex(p, 50, ctx, 1, cb)) - break; + if (BN_is_one(t)) { + int r; + + /* + * X9.31 specifies 8 MR and 1 Lucas test or any prime + * test offering similar or better guarantees 50 MR + * is considerably better. + */ + r = BN_is_prime_fasttest_ex(p, 50, ctx, 1, cb); + if (r < 0) + goto err; + if (r == 1) + break; + } if (!BN_add(p, p, p1p2)) goto err; } diff --git a/crypto/bn/gf2m-elf-armv4.S b/crypto/bn/gf2m-elf-armv4.S new file mode 100644 index 0000000..8e214cc --- /dev/null +++ b/crypto/bn/gf2m-elf-armv4.S 
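Review bot: Both hunks in bn_x931p.c now treat the -1 return of BN_is_prime_fasttest_ex as an error instead of silently continuing, but they name the tri-state result differently (`is_prime` in bn_x931_derive_pi, `r` in BN_X931_derive_prime_ex); use one name so the pattern is recognizable when the next caller is fixed. In the second hunk the moved comment still reads as one run-on sentence ("... similar or better guarantees 50 MR is considerably better"); splitting it after "guarantees" would make the rationale readable without touching the code. Both functions' bodies continue outside the hunks.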
@@ -0,0 +1,216 @@ +#include "arm_arch.h" + +.text +.code 32 + +#if __ARM_ARCH__>=7 +.fpu neon + +.type mul_1x1_neon,%function +.align 5 +mul_1x1_neon: + vshl.u64 d2,d16,#8 @ q1-q3 are slided + vmull.p8 q0,d16,d17 @ a·bb + vshl.u64 d4,d16,#16 + vmull.p8 q1,d2,d17 @ a<<8·bb + vshl.u64 d6,d16,#24 + vmull.p8 q2,d4,d17 @ a<<16·bb + vshr.u64 d2,#8 + vmull.p8 q3,d6,d17 @ a<<24·bb + vshl.u64 d3,#24 + veor d0,d2 + vshr.u64 d4,#16 + veor d0,d3 + vshl.u64 d5,#16 + veor d0,d4 + vshr.u64 d6,#24 + veor d0,d5 + vshl.u64 d7,#8 + veor d0,d6 + veor d0,d7 + .word 0xe12fff1e +.size mul_1x1_neon,.-mul_1x1_neon +#endif +.type mul_1x1_ialu,%function +.align 5 +mul_1x1_ialu: + mov r4,#0 + bic r5,r1,#3<<30 @ a1=a&0x3fffffff + str r4,[sp,#0] @ tab[0]=0 + add r6,r5,r5 @ a2=a1<<1 + str r5,[sp,#4] @ tab[1]=a1 + eor r7,r5,r6 @ a1^a2 + str r6,[sp,#8] @ tab[2]=a2 + mov r8,r5,lsl#2 @ a4=a1<<2 + str r7,[sp,#12] @ tab[3]=a1^a2 + eor r9,r5,r8 @ a1^a4 + str r8,[sp,#16] @ tab[4]=a4 + eor r4,r6,r8 @ a2^a4 + str r9,[sp,#20] @ tab[5]=a1^a4 + eor r7,r7,r8 @ a1^a2^a4 + str r4,[sp,#24] @ tab[6]=a2^a4 + and r8,r12,r0,lsl#2 + str r7,[sp,#28] @ tab[7]=a1^a2^a4 + + and r9,r12,r0,lsr#1 + ldr r5,[sp,r8] @ tab[b & 0x7] + and r8,r12,r0,lsr#4 + ldr r7,[sp,r9] @ tab[b >> 3 & 0x7] + and r9,r12,r0,lsr#7 + ldr r6,[sp,r8] @ tab[b >> 6 & 0x7] + eor r5,r5,r7,lsl#3 @ stall + mov r4,r7,lsr#29 + ldr r7,[sp,r9] @ tab[b >> 9 & 0x7] + + and r8,r12,r0,lsr#10 + eor r5,r5,r6,lsl#6 + eor r4,r4,r6,lsr#26 + ldr r6,[sp,r8] @ tab[b >> 12 & 0x7] + + and r9,r12,r0,lsr#13 + eor r5,r5,r7,lsl#9 + eor r4,r4,r7,lsr#23 + ldr r7,[sp,r9] @ tab[b >> 15 & 0x7] + + and r8,r12,r0,lsr#16 + eor r5,r5,r6,lsl#12 + eor r4,r4,r6,lsr#20 + ldr r6,[sp,r8] @ tab[b >> 18 & 0x7] + + and r9,r12,r0,lsr#19 + eor r5,r5,r7,lsl#15 + eor r4,r4,r7,lsr#17 + ldr r7,[sp,r9] @ tab[b >> 21 & 0x7] + + and r8,r12,r0,lsr#22 + eor r5,r5,r6,lsl#18 + eor r4,r4,r6,lsr#14 + ldr r6,[sp,r8] @ tab[b >> 24 & 0x7] + + and r9,r12,r0,lsr#25 + eor r5,r5,r7,lsl#21 + eor r4,r4,r7,lsr#11 + ldr 
r7,[sp,r9] @ tab[b >> 27 & 0x7] + + tst r1,#1<<30 + and r8,r12,r0,lsr#28 + eor r5,r5,r6,lsl#24 + eor r4,r4,r6,lsr#8 + ldr r6,[sp,r8] @ tab[b >> 30 ] + + eorne r5,r5,r0,lsl#30 + eorne r4,r4,r0,lsr#2 + tst r1,#1<<31 + eor r5,r5,r7,lsl#27 + eor r4,r4,r7,lsr#5 + eorne r5,r5,r0,lsl#31 + eorne r4,r4,r0,lsr#1 + eor r5,r5,r6,lsl#30 + eor r4,r4,r6,lsr#2 + + mov pc,lr +.size mul_1x1_ialu,.-mul_1x1_ialu +.global bn_GF2m_mul_2x2 +.type bn_GF2m_mul_2x2,%function +.align 5 +bn_GF2m_mul_2x2: +#if __ARM_ARCH__>=7 + ldr r12,.LOPENSSL_armcap +.Lpic: ldr r12,[pc,r12] + tst r12,#1 + beq .Lialu + + veor d18,d18 + vmov d19,r3,r3 @ two copies of b1 + vmov.32 d18[0],r1 @ a1 + + veor d20,d20 + vld1.32 d21[],[sp,:32] @ two copies of b0 + vmov.32 d20[0],r2 @ a0 + mov r12,lr + + vmov d16,d18 + vmov d17,d19 + bl mul_1x1_neon @ a1·b1 + vmov d22,d0 + + vmov d16,d20 + vmov d17,d21 + bl mul_1x1_neon @ a0·b0 + vmov d23,d0 + + veor d16,d20,d18 + veor d17,d21,d19 + veor d20,d23,d22 + bl mul_1x1_neon @ (a0+a1)·(b0+b1) + + veor d0,d20 @ (a0+a1)·(b0+b1)-a0·b0-a1·b1 + vshl.u64 d1,d0,#32 + vshr.u64 d0,d0,#32 + veor d23,d1 + veor d22,d0 + vst1.32 {d23[0]},[r0,:32]! + vst1.32 {d23[1]},[r0,:32]! + vst1.32 {d22[0]},[r0,:32]! 
+ vst1.32 {d22[1]},[r0,:32] + bx r12 +.align 4 +.Lialu: +#endif + stmdb sp!,{r4-r10,lr} + mov r10,r0 @ reassign 1st argument + mov r0,r3 @ r0=b1 + ldr r3,[sp,#32] @ load b0 + mov r12,#7<<2 + sub sp,sp,#32 @ allocate tab[8] + + bl mul_1x1_ialu @ a1·b1 + str r5,[r10,#8] + str r4,[r10,#12] + + eor r0,r0,r3 @ flip b0 and b1 + eor r1,r1,r2 @ flip a0 and a1 + eor r3,r3,r0 + eor r2,r2,r1 + eor r0,r0,r3 + eor r1,r1,r2 + bl mul_1x1_ialu @ a0·b0 + str r5,[r10] + str r4,[r10,#4] + + eor r1,r1,r2 + eor r0,r0,r3 + bl mul_1x1_ialu @ (a1+a0)·(b1+b0) + ldmia r10,{r6-r9} + eor r5,r5,r4 + eor r4,r4,r7 + eor r5,r5,r6 + eor r4,r4,r8 + eor r5,r5,r9 + eor r4,r4,r9 + str r4,[r10,#8] + eor r5,r5,r4 + add sp,sp,#32 @ destroy tab[8] + str r5,[r10,#4] + +#if __ARM_ARCH__>=5 + ldmia sp!,{r4-r10,pc} +#else + ldmia sp!,{r4-r10,lr} + tst lr,#1 + moveq pc,lr @ be binary compatible with V4, yet + .word 0xe12fff1e @ interoperable with Thumb ISA:-) +#endif +.size bn_GF2m_mul_2x2,.-bn_GF2m_mul_2x2 +#if __ARM_ARCH__>=7 +.align 5 +.LOPENSSL_armcap: +.word OPENSSL_armcap_P-(.Lpic+8) +#endif +.asciz "GF(2^m) Multiplication for ARMv4/NEON, CRYPTOGAMS by " +.align 5 + +.comm OPENSSL_armcap_P,4,4 +#if defined(HAVE_GNU_STACK) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/bn/gf2m-masm-x86_64.S b/crypto/bn/gf2m-masm-x86_64.S new file mode 100644 index 0000000..8fcaa2d --- /dev/null +++ b/crypto/bn/gf2m-masm-x86_64.S 
@@ -0,0 +1,469 @@ +; 1 "crypto/bn/gf2m-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/bn/gf2m-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/bn/gf2m-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' + + +ALIGN 16 +_mul_1x1 PROC PRIVATE + sub rsp,128+8 + mov r9,-1 + lea rsi,QWORD PTR[rax*1+rax] + shr r9,3 + lea rdi,QWORD PTR[rax*4] + and r9,rax + lea r12,QWORD PTR[rax*8] + sar rax,63 + lea r10,QWORD PTR[r9*1+r9] + sar rsi,63 + lea r11,QWORD PTR[r9*4] + and rax,rbp + sar rdi,63 + mov rdx,rax + shl rax,63 + and rsi,rbp + shr rdx,1 + mov rcx,rsi + shl rsi,62 + and rdi,rbp + shr rcx,2 + xor rax,rsi + mov rbx,rdi + shl rdi,61 + xor rdx,rcx + shr rbx,3 + xor rax,rdi + xor rdx,rbx + + mov r13,r9 + mov QWORD PTR[rsp],0 + xor r13,r10 + mov QWORD PTR[8+rsp],r9 + mov r14,r11 + mov QWORD PTR[16+rsp],r10 + xor r14,r12 + mov QWORD PTR[24+rsp],r13 + + xor r9,r11 + mov QWORD PTR[32+rsp],r11 + xor r10,r11 + mov QWORD PTR[40+rsp],r9 + xor r13,r11 + mov QWORD PTR[48+rsp],r10 + xor r9,r14 + mov QWORD PTR[56+rsp],r13 + xor r10,r14 + + mov QWORD PTR[64+rsp],r12 + xor r13,r14 + mov QWORD PTR[72+rsp],r9 + xor r9,r11 + mov QWORD PTR[80+rsp],r10 + xor r10,r11 + mov QWORD PTR[88+rsp],r13 + + xor r13,r11 + mov QWORD PTR[96+rsp],r14 + mov rsi,r8 + mov QWORD PTR[104+rsp],r9 + and rsi,rbp + mov QWORD PTR[112+rsp],r10 + shr rbp,4 + mov QWORD PTR[120+rsp],r13 + mov rdi,r8 + and rdi,rbp + shr rbp,4 + + movq xmm0,QWORD PTR[rsi*8+rsp] + mov rsi,r8 + and rsi,rbp + shr rbp,4 + mov rcx,QWORD PTR[rdi*8+rsp] + mov rdi,r8 + mov rbx,rcx + shl rcx,4 + and rdi,rbp + movq xmm1,QWORD PTR[rsi*8+rsp] + shr rbx,60 + xor rax,rcx + pslldq xmm1,1 + mov rsi,r8 + shr rbp,4 + xor rdx,rbx + and rsi,rbp + shr rbp,4 + pxor xmm0,xmm1 + mov rcx,QWORD PTR[rdi*8+rsp] + mov rdi,r8 + mov 
rbx,rcx + shl rcx,12 + and rdi,rbp + movq xmm1,QWORD PTR[rsi*8+rsp] + shr rbx,52 + xor rax,rcx + pslldq xmm1,2 + mov rsi,r8 + shr rbp,4 + xor rdx,rbx + and rsi,rbp + shr rbp,4 + pxor xmm0,xmm1 + mov rcx,QWORD PTR[rdi*8+rsp] + mov rdi,r8 + mov rbx,rcx + shl rcx,20 + and rdi,rbp + movq xmm1,QWORD PTR[rsi*8+rsp] + shr rbx,44 + xor rax,rcx + pslldq xmm1,3 + mov rsi,r8 + shr rbp,4 + xor rdx,rbx + and rsi,rbp + shr rbp,4 + pxor xmm0,xmm1 + mov rcx,QWORD PTR[rdi*8+rsp] + mov rdi,r8 + mov rbx,rcx + shl rcx,28 + and rdi,rbp + movq xmm1,QWORD PTR[rsi*8+rsp] + shr rbx,36 + xor rax,rcx + pslldq xmm1,4 + mov rsi,r8 + shr rbp,4 + xor rdx,rbx + and rsi,rbp + shr rbp,4 + pxor xmm0,xmm1 + mov rcx,QWORD PTR[rdi*8+rsp] + mov rdi,r8 + mov rbx,rcx + shl rcx,36 + and rdi,rbp + movq xmm1,QWORD PTR[rsi*8+rsp] + shr rbx,28 + xor rax,rcx + pslldq xmm1,5 + mov rsi,r8 + shr rbp,4 + xor rdx,rbx + and rsi,rbp + shr rbp,4 + pxor xmm0,xmm1 + mov rcx,QWORD PTR[rdi*8+rsp] + mov rdi,r8 + mov rbx,rcx + shl rcx,44 + and rdi,rbp + movq xmm1,QWORD PTR[rsi*8+rsp] + shr rbx,20 + xor rax,rcx + pslldq xmm1,6 + mov rsi,r8 + shr rbp,4 + xor rdx,rbx + and rsi,rbp + shr rbp,4 + pxor xmm0,xmm1 + mov rcx,QWORD PTR[rdi*8+rsp] + mov rdi,r8 + mov rbx,rcx + shl rcx,52 + and rdi,rbp + movq xmm1,QWORD PTR[rsi*8+rsp] + shr rbx,12 + xor rax,rcx + pslldq xmm1,7 + mov rsi,r8 + shr rbp,4 + xor rdx,rbx + and rsi,rbp + shr rbp,4 + pxor xmm0,xmm1 + mov rcx,QWORD PTR[rdi*8+rsp] + mov rbx,rcx + shl rcx,60 + movd rsi,xmm0 + shr rbx,4 + xor rax,rcx + psrldq xmm0,8 + xor rdx,rbx + movd rdi,xmm0 + xor rax,rsi + xor rdx,rdi + + add rsp,128+8 + DB 0F3h,0C3h ;repret +$L$end_mul_1x1:: +_mul_1x1 ENDP +EXTERN OPENSSL_ia32cap_P:NEAR + +PUBLIC bn_GF2m_mul_2x2 + +ALIGN 16 +bn_GF2m_mul_2x2 PROC PUBLIC + mov eax,DWORD PTR[((OPENSSL_ia32cap_P+4))] + bt eax,1 + jnc $L$vanilla_mul_2x2 + + movd xmm0,rdx + movd xmm1,r9 + movd xmm2,r8 + movq xmm3,QWORD PTR[40+rsp] + movdqa xmm4,xmm0 + movdqa xmm5,xmm1 +DB 102,15,58,68,193,0 + pxor xmm4,xmm2 + pxor 
xmm5,xmm3 +DB 102,15,58,68,211,0 +DB 102,15,58,68,229,0 + xorps xmm4,xmm0 + xorps xmm4,xmm2 + movdqa xmm5,xmm4 + pslldq xmm4,8 + psrldq xmm5,8 + pxor xmm2,xmm4 + pxor xmm0,xmm5 + movdqu XMMWORD PTR[rcx],xmm2 + movdqu XMMWORD PTR[16+rcx],xmm0 + DB 0F3h,0C3h ;repret + +ALIGN 16 +$L$vanilla_mul_2x2:: + lea rsp,QWORD PTR[((-136))+rsp] + mov r10,QWORD PTR[176+rsp] + mov QWORD PTR[120+rsp],rdi + mov QWORD PTR[128+rsp],rsi + mov QWORD PTR[80+rsp],r14 + mov QWORD PTR[88+rsp],r13 + mov QWORD PTR[96+rsp],r12 + mov QWORD PTR[104+rsp],rbp + mov QWORD PTR[112+rsp],rbx +$L$body_mul_2x2:: + mov QWORD PTR[32+rsp],rcx + mov QWORD PTR[40+rsp],rdx + mov QWORD PTR[48+rsp],r8 + mov QWORD PTR[56+rsp],r9 + mov QWORD PTR[64+rsp],r10 + + mov r8,0fh + mov rax,rdx + mov rbp,r9 + call _mul_1x1 + mov QWORD PTR[16+rsp],rax + mov QWORD PTR[24+rsp],rdx + + mov rax,QWORD PTR[48+rsp] + mov rbp,QWORD PTR[64+rsp] + call _mul_1x1 + mov QWORD PTR[rsp],rax + mov QWORD PTR[8+rsp],rdx + + mov rax,QWORD PTR[40+rsp] + mov rbp,QWORD PTR[56+rsp] + xor rax,QWORD PTR[48+rsp] + xor rbp,QWORD PTR[64+rsp] + call _mul_1x1 + mov rbx,QWORD PTR[rsp] + mov rcx,QWORD PTR[8+rsp] + mov rdi,QWORD PTR[16+rsp] + mov rsi,QWORD PTR[24+rsp] + mov rbp,QWORD PTR[32+rsp] + + xor rax,rdx + xor rdx,rcx + xor rax,rbx + mov QWORD PTR[rbp],rbx + xor rdx,rdi + mov QWORD PTR[24+rbp],rsi + xor rax,rsi + xor rdx,rsi + xor rax,rdx + mov QWORD PTR[16+rbp],rdx + mov QWORD PTR[8+rbp],rax + + mov r14,QWORD PTR[80+rsp] + mov r13,QWORD PTR[88+rsp] + mov r12,QWORD PTR[96+rsp] + mov rbp,QWORD PTR[104+rsp] + mov rbx,QWORD PTR[112+rsp] + mov rdi,QWORD PTR[120+rsp] + mov rsi,QWORD PTR[128+rsp] + lea rsp,QWORD PTR[136+rsp] + DB 0F3h,0C3h ;repret +$L$end_mul_2x2:: +bn_GF2m_mul_2x2 ENDP +DB 71,70,40,50,94,109,41,32,77,117,108,116,105,112,108,105 +DB 99,97,116,105,111,110,32,102,111,114,32,120,56,54,95,54 +DB 52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121 +DB 32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46 +DB 111,114,103,62,0 +ALIGN 16 
+EXTERN __imp_RtlVirtualUnwind:NEAR + + +ALIGN 16 +se_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[152+r8] + mov rbx,QWORD PTR[248+r8] + + lea r10,QWORD PTR[$L$body_mul_2x2] + cmp rbx,r10 + jb $L$in_prologue + + mov r14,QWORD PTR[80+rax] + mov r13,QWORD PTR[88+rax] + mov r12,QWORD PTR[96+rax] + mov rbp,QWORD PTR[104+rax] + mov rbx,QWORD PTR[112+rax] + mov rdi,QWORD PTR[120+rax] + mov rsi,QWORD PTR[128+rax] + + mov QWORD PTR[144+r8],rbx + mov QWORD PTR[160+r8],rbp + mov QWORD PTR[168+r8],rsi + mov QWORD PTR[176+r8],rdi + mov QWORD PTR[216+r8],r12 + mov QWORD PTR[224+r8],r13 + mov QWORD PTR[232+r8],r14 + +$L$in_prologue:: + lea rax,QWORD PTR[136+rax] + mov QWORD PTR[152+r8],rax + + mov rdi,QWORD PTR[40+r9] + mov rsi,r8 + mov ecx,154 + DD 0a548f3fch + + mov rsi,r9 + xor rcx,rcx + mov rdx,QWORD PTR[8+rsi] + mov r8,QWORD PTR[rsi] + mov r9,QWORD PTR[16+rsi] + mov r10,QWORD PTR[40+rsi] + lea r11,QWORD PTR[56+rsi] + lea r12,QWORD PTR[24+rsi] + mov QWORD PTR[32+rsp],r10 + mov QWORD PTR[40+rsp],r11 + mov QWORD PTR[48+rsp],r12 + mov QWORD PTR[56+rsp],rcx + call QWORD PTR[__imp_RtlVirtualUnwind] + + mov eax,1 + add rsp,64 + popfq + pop r15 + pop r14 + pop r13 + pop r12 + pop rbp + pop rbx + pop rdi + pop rsi + DB 0F3h,0C3h ;repret +se_handler ENDP + +.text$ ENDS +.pdata SEGMENT READONLY ALIGN(4) +ALIGN 4 + DD imagerel _mul_1x1 + DD imagerel $L$end_mul_1x1 + DD imagerel $L$SEH_info_1x1 + + DD imagerel $L$vanilla_mul_2x2 + DD imagerel $L$end_mul_2x2 + DD imagerel $L$SEH_info_2x2 +.pdata ENDS +.xdata SEGMENT READONLY ALIGN(8) +ALIGN 8 +$L$SEH_info_1x1:: +DB 001h,007h,002h,000h +DB 007h,001h,011h,000h +$L$SEH_info_2x2:: +DB 9,0,0,0 + DD imagerel se_handler + +.xdata ENDS +END + diff --git a/crypto/bn/modexp512-masm-x86_64.S b/crypto/bn/modexp512-masm-x86_64.S new file mode 100644 index 0000000..453cfac --- /dev/null +++ b/crypto/bn/modexp512-masm-x86_64.S 
@@ -0,0 +1,1859 @@ +; 1 "crypto/bn/modexp512-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/bn/modexp512-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/bn/modexp512-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' + + +ALIGN 16 +MULADD_128x512 PROC PRIVATE + mov rax,QWORD PTR[rsi] + mul rbp + add r8,rax + adc rdx,0 + mov QWORD PTR[rcx],r8 + mov rbx,rdx + + mov rax,QWORD PTR[8+rsi] + mul rbp + add r9,rax + adc rdx,0 + add r9,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[16+rsi] + mul rbp + add r10,rax + adc rdx,0 + add r10,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[24+rsi] + mul rbp + add r11,rax + adc rdx,0 + add r11,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[32+rsi] + mul rbp + add r12,rax + adc rdx,0 + add r12,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[40+rsi] + mul rbp + add r13,rax + adc rdx,0 + add r13,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[48+rsi] + mul rbp + add r14,rax + adc rdx,0 + add r14,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[56+rsi] + mul rbp + add r15,rax + adc rdx,0 + add r15,rbx + adc rdx,0 + mov r8,rdx + mov rbp,QWORD PTR[8+rdi] + mov rax,QWORD PTR[rsi] + mul rbp + add r9,rax + adc rdx,0 + mov QWORD PTR[8+rcx],r9 + mov rbx,rdx + + mov rax,QWORD PTR[8+rsi] + mul rbp + add r10,rax + adc rdx,0 + add r10,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[16+rsi] + mul rbp + add r11,rax + adc rdx,0 + add r11,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[24+rsi] + mul rbp + add r12,rax + adc rdx,0 + add r12,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[32+rsi] + mul rbp + add r13,rax + adc rdx,0 + add r13,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[40+rsi] + mul rbp + add r14,rax + adc rdx,0 + add r14,rbx + adc rdx,0 + mov rbx,rdx + + 
mov rax,QWORD PTR[48+rsi] + mul rbp + add r15,rax + adc rdx,0 + add r15,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[56+rsi] + mul rbp + add r8,rax + adc rdx,0 + add r8,rbx + adc rdx,0 + mov r9,rdx + DB 0F3h,0C3h ;repret +MULADD_128x512 ENDP + +ALIGN 16 +mont_reduce PROC PRIVATE + lea rdi,QWORD PTR[192+rsp] + mov rsi,QWORD PTR[32+rsp] + add rsi,576 + lea rcx,QWORD PTR[520+rsp] + + mov rbp,QWORD PTR[96+rcx] + mov rax,QWORD PTR[rsi] + mul rbp + mov r8,QWORD PTR[rcx] + add r8,rax + adc rdx,0 + mov QWORD PTR[rdi],r8 + mov rbx,rdx + + mov rax,QWORD PTR[8+rsi] + mul rbp + mov r9,QWORD PTR[8+rcx] + add r9,rax + adc rdx,0 + add r9,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[16+rsi] + mul rbp + mov r10,QWORD PTR[16+rcx] + add r10,rax + adc rdx,0 + add r10,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[24+rsi] + mul rbp + mov r11,QWORD PTR[24+rcx] + add r11,rax + adc rdx,0 + add r11,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[32+rsi] + mul rbp + mov r12,QWORD PTR[32+rcx] + add r12,rax + adc rdx,0 + add r12,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[40+rsi] + mul rbp + mov r13,QWORD PTR[40+rcx] + add r13,rax + adc rdx,0 + add r13,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[48+rsi] + mul rbp + mov r14,QWORD PTR[48+rcx] + add r14,rax + adc rdx,0 + add r14,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[56+rsi] + mul rbp + mov r15,QWORD PTR[56+rcx] + add r15,rax + adc rdx,0 + add r15,rbx + adc rdx,0 + mov r8,rdx + mov rbp,QWORD PTR[104+rcx] + mov rax,QWORD PTR[rsi] + mul rbp + add r9,rax + adc rdx,0 + mov QWORD PTR[8+rdi],r9 + mov rbx,rdx + + mov rax,QWORD PTR[8+rsi] + mul rbp + add r10,rax + adc rdx,0 + add r10,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[16+rsi] + mul rbp + add r11,rax + adc rdx,0 + add r11,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[24+rsi] + mul rbp + add r12,rax + adc rdx,0 + add r12,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[32+rsi] + mul rbp + add r13,rax + adc rdx,0 + add r13,rbx + 
adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[40+rsi] + mul rbp + add r14,rax + adc rdx,0 + add r14,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[48+rsi] + mul rbp + add r15,rax + adc rdx,0 + add r15,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[56+rsi] + mul rbp + add r8,rax + adc rdx,0 + add r8,rbx + adc rdx,0 + mov r9,rdx + mov rbp,QWORD PTR[112+rcx] + mov rax,QWORD PTR[rsi] + mul rbp + add r10,rax + adc rdx,0 + mov QWORD PTR[16+rdi],r10 + mov rbx,rdx + + mov rax,QWORD PTR[8+rsi] + mul rbp + add r11,rax + adc rdx,0 + add r11,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[16+rsi] + mul rbp + add r12,rax + adc rdx,0 + add r12,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[24+rsi] + mul rbp + add r13,rax + adc rdx,0 + add r13,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[32+rsi] + mul rbp + add r14,rax + adc rdx,0 + add r14,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[40+rsi] + mul rbp + add r15,rax + adc rdx,0 + add r15,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[48+rsi] + mul rbp + add r8,rax + adc rdx,0 + add r8,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[56+rsi] + mul rbp + add r9,rax + adc rdx,0 + add r9,rbx + adc rdx,0 + mov r10,rdx + mov rbp,QWORD PTR[120+rcx] + mov rax,QWORD PTR[rsi] + mul rbp + add r11,rax + adc rdx,0 + mov QWORD PTR[24+rdi],r11 + mov rbx,rdx + + mov rax,QWORD PTR[8+rsi] + mul rbp + add r12,rax + adc rdx,0 + add r12,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[16+rsi] + mul rbp + add r13,rax + adc rdx,0 + add r13,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[24+rsi] + mul rbp + add r14,rax + adc rdx,0 + add r14,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[32+rsi] + mul rbp + add r15,rax + adc rdx,0 + add r15,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[40+rsi] + mul rbp + add r8,rax + adc rdx,0 + add r8,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[48+rsi] + mul rbp + add r9,rax + adc rdx,0 + add r9,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD 
PTR[56+rsi] + mul rbp + add r10,rax + adc rdx,0 + add r10,rbx + adc rdx,0 + mov r11,rdx + xor rax,rax + + add r8,QWORD PTR[64+rcx] + adc r9,QWORD PTR[72+rcx] + adc r10,QWORD PTR[80+rcx] + adc r11,QWORD PTR[88+rcx] + adc rax,0 + + + + + mov QWORD PTR[64+rdi],r8 + mov QWORD PTR[72+rdi],r9 + mov rbp,r10 + mov QWORD PTR[88+rdi],r11 + + mov QWORD PTR[384+rsp],rax + + mov r8,QWORD PTR[rdi] + mov r9,QWORD PTR[8+rdi] + mov r10,QWORD PTR[16+rdi] + mov r11,QWORD PTR[24+rdi] + + + + + + + + + add rdi,8*10 + + add rsi,64 + lea rcx,QWORD PTR[296+rsp] + + call MULADD_128x512 + + mov rax,QWORD PTR[384+rsp] + + + add r8,QWORD PTR[((-16))+rdi] + adc r9,QWORD PTR[((-8))+rdi] + mov QWORD PTR[64+rcx],r8 + mov QWORD PTR[72+rcx],r9 + + adc rax,rax + mov QWORD PTR[384+rsp],rax + + lea rdi,QWORD PTR[192+rsp] + add rsi,64 + + + + + + mov r8,QWORD PTR[rsi] + mov rbx,QWORD PTR[8+rsi] + + mov rax,QWORD PTR[rcx] + mul r8 + mov rbp,rax + mov r9,rdx + + mov rax,QWORD PTR[8+rcx] + mul r8 + add r9,rax + + mov rax,QWORD PTR[rcx] + mul rbx + add r9,rax + + mov QWORD PTR[8+rdi],r9 + + + sub rsi,192 + + mov r8,QWORD PTR[rcx] + mov r9,QWORD PTR[8+rcx] + + call MULADD_128x512 + + + + + mov rax,QWORD PTR[rsi] + mov rbx,QWORD PTR[8+rsi] + mov rdi,QWORD PTR[16+rsi] + mov rdx,QWORD PTR[24+rsi] + + + mov rbp,QWORD PTR[384+rsp] + + add r8,QWORD PTR[64+rcx] + adc r9,QWORD PTR[72+rcx] + + + adc rbp,rbp + + + + shl rbp,3 + mov rcx,QWORD PTR[32+rsp] + add rbp,rcx + + + xor rsi,rsi + + add r10,QWORD PTR[rbp] + adc r11,QWORD PTR[64+rbp] + adc r12,QWORD PTR[128+rbp] + adc r13,QWORD PTR[192+rbp] + adc r14,QWORD PTR[256+rbp] + adc r15,QWORD PTR[320+rbp] + adc r8,QWORD PTR[384+rbp] + adc r9,QWORD PTR[448+rbp] + + + + sbb rsi,0 + + + and rax,rsi + and rbx,rsi + and rdi,rsi + and rdx,rsi + + mov rbp,1 + sub r10,rax + sbb r11,rbx + sbb r12,rdi + sbb r13,rdx + + + + + sbb rbp,0 + + + + add rcx,512 + mov rax,QWORD PTR[32+rcx] + mov rbx,QWORD PTR[40+rcx] + mov rdi,QWORD PTR[48+rcx] + mov rdx,QWORD PTR[56+rcx] + + + + and 
rax,rsi + and rbx,rsi + and rdi,rsi + and rdx,rsi + + + + sub rbp,1 + + sbb r14,rax + sbb r15,rbx + sbb r8,rdi + sbb r9,rdx + + + + mov rsi,QWORD PTR[144+rsp] + mov QWORD PTR[rsi],r10 + mov QWORD PTR[8+rsi],r11 + mov QWORD PTR[16+rsi],r12 + mov QWORD PTR[24+rsi],r13 + mov QWORD PTR[32+rsi],r14 + mov QWORD PTR[40+rsi],r15 + mov QWORD PTR[48+rsi],r8 + mov QWORD PTR[56+rsi],r9 + + DB 0F3h,0C3h ;repret +mont_reduce ENDP + +ALIGN 16 +mont_mul_a3b PROC PRIVATE + + + + + mov rbp,QWORD PTR[rdi] + + mov rax,r10 + mul rbp + mov QWORD PTR[520+rsp],rax + mov r10,rdx + mov rax,r11 + mul rbp + add r10,rax + adc rdx,0 + mov r11,rdx + mov rax,r12 + mul rbp + add r11,rax + adc rdx,0 + mov r12,rdx + mov rax,r13 + mul rbp + add r12,rax + adc rdx,0 + mov r13,rdx + mov rax,r14 + mul rbp + add r13,rax + adc rdx,0 + mov r14,rdx + mov rax,r15 + mul rbp + add r14,rax + adc rdx,0 + mov r15,rdx + mov rax,r8 + mul rbp + add r15,rax + adc rdx,0 + mov r8,rdx + mov rax,r9 + mul rbp + add r8,rax + adc rdx,0 + mov r9,rdx + mov rbp,QWORD PTR[8+rdi] + mov rax,QWORD PTR[rsi] + mul rbp + add r10,rax + adc rdx,0 + mov QWORD PTR[528+rsp],r10 + mov rbx,rdx + + mov rax,QWORD PTR[8+rsi] + mul rbp + add r11,rax + adc rdx,0 + add r11,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[16+rsi] + mul rbp + add r12,rax + adc rdx,0 + add r12,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[24+rsi] + mul rbp + add r13,rax + adc rdx,0 + add r13,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[32+rsi] + mul rbp + add r14,rax + adc rdx,0 + add r14,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[40+rsi] + mul rbp + add r15,rax + adc rdx,0 + add r15,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[48+rsi] + mul rbp + add r8,rax + adc rdx,0 + add r8,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[56+rsi] + mul rbp + add r9,rax + adc rdx,0 + add r9,rbx + adc rdx,0 + mov r10,rdx + mov rbp,QWORD PTR[16+rdi] + mov rax,QWORD PTR[rsi] + mul rbp + add r11,rax + adc rdx,0 + mov QWORD PTR[536+rsp],r11 + mov 
rbx,rdx + + mov rax,QWORD PTR[8+rsi] + mul rbp + add r12,rax + adc rdx,0 + add r12,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[16+rsi] + mul rbp + add r13,rax + adc rdx,0 + add r13,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[24+rsi] + mul rbp + add r14,rax + adc rdx,0 + add r14,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[32+rsi] + mul rbp + add r15,rax + adc rdx,0 + add r15,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[40+rsi] + mul rbp + add r8,rax + adc rdx,0 + add r8,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[48+rsi] + mul rbp + add r9,rax + adc rdx,0 + add r9,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[56+rsi] + mul rbp + add r10,rax + adc rdx,0 + add r10,rbx + adc rdx,0 + mov r11,rdx + mov rbp,QWORD PTR[24+rdi] + mov rax,QWORD PTR[rsi] + mul rbp + add r12,rax + adc rdx,0 + mov QWORD PTR[544+rsp],r12 + mov rbx,rdx + + mov rax,QWORD PTR[8+rsi] + mul rbp + add r13,rax + adc rdx,0 + add r13,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[16+rsi] + mul rbp + add r14,rax + adc rdx,0 + add r14,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[24+rsi] + mul rbp + add r15,rax + adc rdx,0 + add r15,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[32+rsi] + mul rbp + add r8,rax + adc rdx,0 + add r8,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[40+rsi] + mul rbp + add r9,rax + adc rdx,0 + add r9,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[48+rsi] + mul rbp + add r10,rax + adc rdx,0 + add r10,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[56+rsi] + mul rbp + add r11,rax + adc rdx,0 + add r11,rbx + adc rdx,0 + mov r12,rdx + mov rbp,QWORD PTR[32+rdi] + mov rax,QWORD PTR[rsi] + mul rbp + add r13,rax + adc rdx,0 + mov QWORD PTR[552+rsp],r13 + mov rbx,rdx + + mov rax,QWORD PTR[8+rsi] + mul rbp + add r14,rax + adc rdx,0 + add r14,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[16+rsi] + mul rbp + add r15,rax + adc rdx,0 + add r15,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[24+rsi] + mul rbp + 
add r8,rax + adc rdx,0 + add r8,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[32+rsi] + mul rbp + add r9,rax + adc rdx,0 + add r9,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[40+rsi] + mul rbp + add r10,rax + adc rdx,0 + add r10,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[48+rsi] + mul rbp + add r11,rax + adc rdx,0 + add r11,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[56+rsi] + mul rbp + add r12,rax + adc rdx,0 + add r12,rbx + adc rdx,0 + mov r13,rdx + mov rbp,QWORD PTR[40+rdi] + mov rax,QWORD PTR[rsi] + mul rbp + add r14,rax + adc rdx,0 + mov QWORD PTR[560+rsp],r14 + mov rbx,rdx + + mov rax,QWORD PTR[8+rsi] + mul rbp + add r15,rax + adc rdx,0 + add r15,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[16+rsi] + mul rbp + add r8,rax + adc rdx,0 + add r8,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[24+rsi] + mul rbp + add r9,rax + adc rdx,0 + add r9,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[32+rsi] + mul rbp + add r10,rax + adc rdx,0 + add r10,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[40+rsi] + mul rbp + add r11,rax + adc rdx,0 + add r11,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[48+rsi] + mul rbp + add r12,rax + adc rdx,0 + add r12,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[56+rsi] + mul rbp + add r13,rax + adc rdx,0 + add r13,rbx + adc rdx,0 + mov r14,rdx + mov rbp,QWORD PTR[48+rdi] + mov rax,QWORD PTR[rsi] + mul rbp + add r15,rax + adc rdx,0 + mov QWORD PTR[568+rsp],r15 + mov rbx,rdx + + mov rax,QWORD PTR[8+rsi] + mul rbp + add r8,rax + adc rdx,0 + add r8,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[16+rsi] + mul rbp + add r9,rax + adc rdx,0 + add r9,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[24+rsi] + mul rbp + add r10,rax + adc rdx,0 + add r10,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[32+rsi] + mul rbp + add r11,rax + adc rdx,0 + add r11,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[40+rsi] + mul rbp + add r12,rax + adc rdx,0 + add r12,rbx + adc rdx,0 + 
mov rbx,rdx + + mov rax,QWORD PTR[48+rsi] + mul rbp + add r13,rax + adc rdx,0 + add r13,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[56+rsi] + mul rbp + add r14,rax + adc rdx,0 + add r14,rbx + adc rdx,0 + mov r15,rdx + mov rbp,QWORD PTR[56+rdi] + mov rax,QWORD PTR[rsi] + mul rbp + add r8,rax + adc rdx,0 + mov QWORD PTR[576+rsp],r8 + mov rbx,rdx + + mov rax,QWORD PTR[8+rsi] + mul rbp + add r9,rax + adc rdx,0 + add r9,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[16+rsi] + mul rbp + add r10,rax + adc rdx,0 + add r10,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[24+rsi] + mul rbp + add r11,rax + adc rdx,0 + add r11,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[32+rsi] + mul rbp + add r12,rax + adc rdx,0 + add r12,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[40+rsi] + mul rbp + add r13,rax + adc rdx,0 + add r13,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[48+rsi] + mul rbp + add r14,rax + adc rdx,0 + add r14,rbx + adc rdx,0 + mov rbx,rdx + + mov rax,QWORD PTR[56+rsi] + mul rbp + add r15,rax + adc rdx,0 + add r15,rbx + adc rdx,0 + mov r8,rdx + mov QWORD PTR[584+rsp],r9 + mov QWORD PTR[592+rsp],r10 + mov QWORD PTR[600+rsp],r11 + mov QWORD PTR[608+rsp],r12 + mov QWORD PTR[616+rsp],r13 + mov QWORD PTR[624+rsp],r14 + mov QWORD PTR[632+rsp],r15 + mov QWORD PTR[640+rsp],r8 + + + + + + jmp mont_reduce + + +mont_mul_a3b ENDP + +ALIGN 16 +sqr_reduce PROC PRIVATE + mov rcx,QWORD PTR[16+rsp] + + + + mov rbx,r10 + + mov rax,r11 + mul rbx + mov QWORD PTR[528+rsp],rax + mov r10,rdx + mov rax,r12 + mul rbx + add r10,rax + adc rdx,0 + mov r11,rdx + mov rax,r13 + mul rbx + add r11,rax + adc rdx,0 + mov r12,rdx + mov rax,r14 + mul rbx + add r12,rax + adc rdx,0 + mov r13,rdx + mov rax,r15 + mul rbx + add r13,rax + adc rdx,0 + mov r14,rdx + mov rax,r8 + mul rbx + add r14,rax + adc rdx,0 + mov r15,rdx + mov rax,r9 + mul rbx + add r15,rax + adc rdx,0 + mov rsi,rdx + + mov QWORD PTR[536+rsp],r10 + + + + + + mov rbx,QWORD PTR[8+rcx] + + mov rax,QWORD 
PTR[16+rcx] + mul rbx + add r11,rax + adc rdx,0 + mov QWORD PTR[544+rsp],r11 + + mov r10,rdx + mov rax,QWORD PTR[24+rcx] + mul rbx + add r12,rax + adc rdx,0 + add r12,r10 + adc rdx,0 + mov QWORD PTR[552+rsp],r12 + + mov r10,rdx + mov rax,QWORD PTR[32+rcx] + mul rbx + add r13,rax + adc rdx,0 + add r13,r10 + adc rdx,0 + + mov r10,rdx + mov rax,QWORD PTR[40+rcx] + mul rbx + add r14,rax + adc rdx,0 + add r14,r10 + adc rdx,0 + + mov r10,rdx + mov rax,r8 + mul rbx + add r15,rax + adc rdx,0 + add r15,r10 + adc rdx,0 + + mov r10,rdx + mov rax,r9 + mul rbx + add rsi,rax + adc rdx,0 + add rsi,r10 + adc rdx,0 + + mov r11,rdx + + + + + mov rbx,QWORD PTR[16+rcx] + + mov rax,QWORD PTR[24+rcx] + mul rbx + add r13,rax + adc rdx,0 + mov QWORD PTR[560+rsp],r13 + + mov r10,rdx + mov rax,QWORD PTR[32+rcx] + mul rbx + add r14,rax + adc rdx,0 + add r14,r10 + adc rdx,0 + mov QWORD PTR[568+rsp],r14 + + mov r10,rdx + mov rax,QWORD PTR[40+rcx] + mul rbx + add r15,rax + adc rdx,0 + add r15,r10 + adc rdx,0 + + mov r10,rdx + mov rax,r8 + mul rbx + add rsi,rax + adc rdx,0 + add rsi,r10 + adc rdx,0 + + mov r10,rdx + mov rax,r9 + mul rbx + add r11,rax + adc rdx,0 + add r11,r10 + adc rdx,0 + + mov r12,rdx + + + + + + mov rbx,QWORD PTR[24+rcx] + + mov rax,QWORD PTR[32+rcx] + mul rbx + add r15,rax + adc rdx,0 + mov QWORD PTR[576+rsp],r15 + + mov r10,rdx + mov rax,QWORD PTR[40+rcx] + mul rbx + add rsi,rax + adc rdx,0 + add rsi,r10 + adc rdx,0 + mov QWORD PTR[584+rsp],rsi + + mov r10,rdx + mov rax,r8 + mul rbx + add r11,rax + adc rdx,0 + add r11,r10 + adc rdx,0 + + mov r10,rdx + mov rax,r9 + mul rbx + add r12,rax + adc rdx,0 + add r12,r10 + adc rdx,0 + + mov r15,rdx + + + + + mov rbx,QWORD PTR[32+rcx] + + mov rax,QWORD PTR[40+rcx] + mul rbx + add r11,rax + adc rdx,0 + mov QWORD PTR[592+rsp],r11 + + mov r10,rdx + mov rax,r8 + mul rbx + add r12,rax + adc rdx,0 + add r12,r10 + adc rdx,0 + mov QWORD PTR[600+rsp],r12 + + mov r10,rdx + mov rax,r9 + mul rbx + add r15,rax + adc rdx,0 + add r15,r10 + adc rdx,0 
+ + mov r11,rdx + + + + + mov rbx,QWORD PTR[40+rcx] + + mov rax,r8 + mul rbx + add r15,rax + adc rdx,0 + mov QWORD PTR[608+rsp],r15 + + mov r10,rdx + mov rax,r9 + mul rbx + add r11,rax + adc rdx,0 + add r11,r10 + adc rdx,0 + mov QWORD PTR[616+rsp],r11 + + mov r12,rdx + + + + + mov rbx,r8 + + mov rax,r9 + mul rbx + add r12,rax + adc rdx,0 + mov QWORD PTR[624+rsp],r12 + + mov QWORD PTR[632+rsp],rdx + + + mov r10,QWORD PTR[528+rsp] + mov r11,QWORD PTR[536+rsp] + mov r12,QWORD PTR[544+rsp] + mov r13,QWORD PTR[552+rsp] + mov r14,QWORD PTR[560+rsp] + mov r15,QWORD PTR[568+rsp] + + mov rax,QWORD PTR[24+rcx] + mul rax + mov rdi,rax + mov r8,rdx + + add r10,r10 + adc r11,r11 + adc r12,r12 + adc r13,r13 + adc r14,r14 + adc r15,r15 + adc r8,0 + + mov rax,QWORD PTR[rcx] + mul rax + mov QWORD PTR[520+rsp],rax + mov rbx,rdx + + mov rax,QWORD PTR[8+rcx] + mul rax + + add r10,rbx + adc r11,rax + adc rdx,0 + + mov rbx,rdx + mov QWORD PTR[528+rsp],r10 + mov QWORD PTR[536+rsp],r11 + + mov rax,QWORD PTR[16+rcx] + mul rax + + add r12,rbx + adc r13,rax + adc rdx,0 + + mov rbx,rdx + + mov QWORD PTR[544+rsp],r12 + mov QWORD PTR[552+rsp],r13 + + xor rbp,rbp + add r14,rbx + adc r15,rdi + adc rbp,0 + + mov QWORD PTR[560+rsp],r14 + mov QWORD PTR[568+rsp],r15 + + + + + mov r10,QWORD PTR[576+rsp] + mov r11,QWORD PTR[584+rsp] + mov r12,QWORD PTR[592+rsp] + mov r13,QWORD PTR[600+rsp] + mov r14,QWORD PTR[608+rsp] + mov r15,QWORD PTR[616+rsp] + mov rdi,QWORD PTR[624+rsp] + mov rsi,QWORD PTR[632+rsp] + + mov rax,r9 + mul rax + mov r9,rax + mov rbx,rdx + + add r10,r10 + adc r11,r11 + adc r12,r12 + adc r13,r13 + adc r14,r14 + adc r15,r15 + adc rdi,rdi + adc rsi,rsi + adc rbx,0 + + add r10,rbp + + mov rax,QWORD PTR[32+rcx] + mul rax + + add r10,r8 + adc r11,rax + adc rdx,0 + + mov rbp,rdx + + mov QWORD PTR[576+rsp],r10 + mov QWORD PTR[584+rsp],r11 + + mov rax,QWORD PTR[40+rcx] + mul rax + + add r12,rbp + adc r13,rax + adc rdx,0 + + mov rbp,rdx + + mov QWORD PTR[592+rsp],r12 + mov QWORD PTR[600+rsp],r13 
+ + mov rax,QWORD PTR[48+rcx] + mul rax + + add r14,rbp + adc r15,rax + adc rdx,0 + + mov QWORD PTR[608+rsp],r14 + mov QWORD PTR[616+rsp],r15 + + add rdi,rdx + adc rsi,r9 + adc rbx,0 + + mov QWORD PTR[624+rsp],rdi + mov QWORD PTR[632+rsp],rsi + mov QWORD PTR[640+rsp],rbx + + jmp mont_reduce + + +sqr_reduce ENDP +PUBLIC mod_exp_512 + +mod_exp_512 PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_mod_exp_512:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + + + push rbp + push rbx + push r12 + push r13 + push r14 + push r15 + + + mov r8,rsp + sub rsp,2688 + and rsp,-64 + + + mov QWORD PTR[rsp],r8 + mov QWORD PTR[8+rsp],rdi + mov QWORD PTR[16+rsp],rsi + mov QWORD PTR[24+rsp],rcx +$L$body:: + + + + pxor xmm4,xmm4 + movdqu xmm0,XMMWORD PTR[rsi] + movdqu xmm1,XMMWORD PTR[16+rsi] + movdqu xmm2,XMMWORD PTR[32+rsi] + movdqu xmm3,XMMWORD PTR[48+rsi] + movdqa XMMWORD PTR[512+rsp],xmm4 + movdqa XMMWORD PTR[528+rsp],xmm4 + movdqa XMMWORD PTR[608+rsp],xmm4 + movdqa XMMWORD PTR[624+rsp],xmm4 + movdqa XMMWORD PTR[544+rsp],xmm0 + movdqa XMMWORD PTR[560+rsp],xmm1 + movdqa XMMWORD PTR[576+rsp],xmm2 + movdqa XMMWORD PTR[592+rsp],xmm3 + + + movdqu xmm0,XMMWORD PTR[rdx] + movdqu xmm1,XMMWORD PTR[16+rdx] + movdqu xmm2,XMMWORD PTR[32+rdx] + movdqu xmm3,XMMWORD PTR[48+rdx] + + lea rbx,QWORD PTR[384+rsp] + mov QWORD PTR[136+rsp],rbx + call mont_reduce + + + lea rcx,QWORD PTR[448+rsp] + xor rax,rax + mov QWORD PTR[rcx],rax + mov QWORD PTR[8+rcx],rax + mov QWORD PTR[24+rcx],rax + mov QWORD PTR[32+rcx],rax + mov QWORD PTR[40+rcx],rax + mov QWORD PTR[48+rcx],rax + mov QWORD PTR[56+rcx],rax + mov QWORD PTR[128+rsp],rax + mov QWORD PTR[16+rcx],1 + + lea rbp,QWORD PTR[640+rsp] + mov rsi,rcx + mov rdi,rbp + mov rax,8 +loop_0:: + mov rbx,QWORD PTR[rcx] + mov WORD PTR[rdi],bx + shr rbx,16 + mov WORD PTR[64+rdi],bx + shr rbx,16 + mov WORD PTR[128+rdi],bx + shr rbx,16 + mov WORD PTR[192+rdi],bx + lea rcx,QWORD PTR[8+rcx] + lea 
rdi,QWORD PTR[256+rdi] + dec rax + jnz loop_0 + mov rax,31 + mov QWORD PTR[32+rsp],rax + mov QWORD PTR[40+rsp],rbp + + mov QWORD PTR[136+rsp],rsi + mov r10,QWORD PTR[rsi] + mov r11,QWORD PTR[8+rsi] + mov r12,QWORD PTR[16+rsi] + mov r13,QWORD PTR[24+rsi] + mov r14,QWORD PTR[32+rsi] + mov r15,QWORD PTR[40+rsi] + mov r8,QWORD PTR[48+rsi] + mov r9,QWORD PTR[56+rsi] +init_loop:: + lea rdi,QWORD PTR[384+rsp] + call mont_mul_a3b + lea rsi,QWORD PTR[448+rsp] + mov rbp,QWORD PTR[40+rsp] + add rbp,2 + mov QWORD PTR[40+rsp],rbp + mov rcx,rsi + mov rax,8 +loop_1:: + mov rbx,QWORD PTR[rcx] + mov WORD PTR[rbp],bx + shr rbx,16 + mov WORD PTR[64+rbp],bx + shr rbx,16 + mov WORD PTR[128+rbp],bx + shr rbx,16 + mov WORD PTR[192+rbp],bx + lea rcx,QWORD PTR[8+rcx] + lea rbp,QWORD PTR[256+rbp] + dec rax + jnz loop_1 + mov rax,QWORD PTR[32+rsp] + sub rax,1 + mov QWORD PTR[32+rsp],rax + jne init_loop + + + + movdqa XMMWORD PTR[64+rsp],xmm0 + movdqa XMMWORD PTR[80+rsp],xmm1 + movdqa XMMWORD PTR[96+rsp],xmm2 + movdqa XMMWORD PTR[112+rsp],xmm3 + + + + + + mov eax,DWORD PTR[126+rsp] + mov rdx,rax + shr rax,11 + and edx,007FFh + mov DWORD PTR[126+rsp],edx + lea rsi,QWORD PTR[640+rax*2+rsp] + mov rdx,QWORD PTR[8+rsp] + mov rbp,4 +loop_2:: + movzx rbx,WORD PTR[192+rsi] + movzx rax,WORD PTR[448+rsi] + shl rbx,16 + shl rax,16 + mov bx,WORD PTR[128+rsi] + mov ax,WORD PTR[384+rsi] + shl rbx,16 + shl rax,16 + mov bx,WORD PTR[64+rsi] + mov ax,WORD PTR[320+rsi] + shl rbx,16 + shl rax,16 + mov bx,WORD PTR[rsi] + mov ax,WORD PTR[256+rsi] + mov QWORD PTR[rdx],rbx + mov QWORD PTR[8+rdx],rax + lea rsi,QWORD PTR[512+rsi] + lea rdx,QWORD PTR[16+rdx] + sub rbp,1 + jnz loop_2 + mov QWORD PTR[48+rsp],505 + + mov rcx,QWORD PTR[8+rsp] + mov QWORD PTR[136+rsp],rcx + mov r10,QWORD PTR[rcx] + mov r11,QWORD PTR[8+rcx] + mov r12,QWORD PTR[16+rcx] + mov r13,QWORD PTR[24+rcx] + mov r14,QWORD PTR[32+rcx] + mov r15,QWORD PTR[40+rcx] + mov r8,QWORD PTR[48+rcx] + mov r9,QWORD PTR[56+rcx] + jmp sqr_2 + +main_loop_a3b:: + call 
sqr_reduce + call sqr_reduce + call sqr_reduce +sqr_2:: + call sqr_reduce + call sqr_reduce + + + + mov rcx,QWORD PTR[48+rsp] + mov rax,rcx + shr rax,4 + mov edx,DWORD PTR[64+rax*2+rsp] + and rcx,15 + shr rdx,cl + and rdx,01Fh + + lea rsi,QWORD PTR[640+rdx*2+rsp] + lea rdx,QWORD PTR[448+rsp] + mov rdi,rdx + mov rbp,4 +loop_3:: + movzx rbx,WORD PTR[192+rsi] + movzx rax,WORD PTR[448+rsi] + shl rbx,16 + shl rax,16 + mov bx,WORD PTR[128+rsi] + mov ax,WORD PTR[384+rsi] + shl rbx,16 + shl rax,16 + mov bx,WORD PTR[64+rsi] + mov ax,WORD PTR[320+rsi] + shl rbx,16 + shl rax,16 + mov bx,WORD PTR[rsi] + mov ax,WORD PTR[256+rsi] + mov QWORD PTR[rdx],rbx + mov QWORD PTR[8+rdx],rax + lea rsi,QWORD PTR[512+rsi] + lea rdx,QWORD PTR[16+rdx] + sub rbp,1 + jnz loop_3 + mov rsi,QWORD PTR[8+rsp] + call mont_mul_a3b + + + + mov rcx,QWORD PTR[48+rsp] + sub rcx,5 + mov QWORD PTR[48+rsp],rcx + jge main_loop_a3b + + + +end_main_loop_a3b:: + + + mov rdx,QWORD PTR[8+rsp] + pxor xmm4,xmm4 + movdqu xmm0,XMMWORD PTR[rdx] + movdqu xmm1,XMMWORD PTR[16+rdx] + movdqu xmm2,XMMWORD PTR[32+rdx] + movdqu xmm3,XMMWORD PTR[48+rdx] + movdqa XMMWORD PTR[576+rsp],xmm4 + movdqa XMMWORD PTR[592+rsp],xmm4 + movdqa XMMWORD PTR[608+rsp],xmm4 + movdqa XMMWORD PTR[624+rsp],xmm4 + movdqa XMMWORD PTR[512+rsp],xmm0 + movdqa XMMWORD PTR[528+rsp],xmm1 + movdqa XMMWORD PTR[544+rsp],xmm2 + movdqa XMMWORD PTR[560+rsp],xmm3 + call mont_reduce + + + + mov rax,QWORD PTR[8+rsp] + mov r8,QWORD PTR[rax] + mov r9,QWORD PTR[8+rax] + mov r10,QWORD PTR[16+rax] + mov r11,QWORD PTR[24+rax] + mov r12,QWORD PTR[32+rax] + mov r13,QWORD PTR[40+rax] + mov r14,QWORD PTR[48+rax] + mov r15,QWORD PTR[56+rax] + + + mov rbx,QWORD PTR[24+rsp] + add rbx,512 + + sub r8,QWORD PTR[rbx] + sbb r9,QWORD PTR[8+rbx] + sbb r10,QWORD PTR[16+rbx] + sbb r11,QWORD PTR[24+rbx] + sbb r12,QWORD PTR[32+rbx] + sbb r13,QWORD PTR[40+rbx] + sbb r14,QWORD PTR[48+rbx] + sbb r15,QWORD PTR[56+rbx] + + + mov rsi,QWORD PTR[rax] + mov rdi,QWORD PTR[8+rax] + mov rcx,QWORD 
PTR[16+rax] + mov rdx,QWORD PTR[24+rax] + cmovnc rsi,r8 + cmovnc rdi,r9 + cmovnc rcx,r10 + cmovnc rdx,r11 + mov QWORD PTR[rax],rsi + mov QWORD PTR[8+rax],rdi + mov QWORD PTR[16+rax],rcx + mov QWORD PTR[24+rax],rdx + + mov rsi,QWORD PTR[32+rax] + mov rdi,QWORD PTR[40+rax] + mov rcx,QWORD PTR[48+rax] + mov rdx,QWORD PTR[56+rax] + cmovnc rsi,r12 + cmovnc rdi,r13 + cmovnc rcx,r14 + cmovnc rdx,r15 + mov QWORD PTR[32+rax],rsi + mov QWORD PTR[40+rax],rdi + mov QWORD PTR[48+rax],rcx + mov QWORD PTR[56+rax],rdx + + mov rsi,QWORD PTR[rsp] + mov r15,QWORD PTR[rsi] + mov r14,QWORD PTR[8+rsi] + mov r13,QWORD PTR[16+rsi] + mov r12,QWORD PTR[24+rsi] + mov rbx,QWORD PTR[32+rsi] + mov rbp,QWORD PTR[40+rsi] + lea rsp,QWORD PTR[48+rsi] +$L$epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_mod_exp_512:: +mod_exp_512 ENDP + +.text$ ENDS +END + diff --git a/crypto/bn/mont-elf-armv4.S b/crypto/bn/mont-elf-armv4.S new file mode 100644 index 0000000..136da62 --- /dev/null +++ b/crypto/bn/mont-elf-armv4.S 
@@ -0,0 +1,148 @@ +.text + +.global bn_mul_mont +.type bn_mul_mont,%function + +.align 2 +bn_mul_mont: + stmdb sp!,{r0,r2} @ sp points at argument block + ldr r0,[sp,#3*4] @ load num + cmp r0,#2 + movlt r0,#0 + addlt sp,sp,#2*4 + blt .Labrt + + stmdb sp!,{r4-r12,lr} @ save 10 registers + + mov r0,r0,lsl#2 @ rescale r0 for byte count + sub sp,sp,r0 @ alloca(4*num) + sub sp,sp,#4 @ +extra dword + sub r0,r0,#4 @ "num=num-1" + add r4,r2,r0 @ &bp[num-1] + + add r0,sp,r0 @ r0 to point at &tp[num-1] + ldr r8,[r0,#14*4] @ &n0 + ldr r2,[r2] @ bp[0] + ldr r5,[r1],#4 @ ap[0],ap++ + ldr r6,[r3],#4 @ np[0],np++ + ldr r8,[r8] @ *n0 + str r4,[r0,#15*4] @ save &bp[num] + + umull r10,r11,r5,r2 @ ap[0]*bp[0] + str r8,[r0,#14*4] @ save n0 value + mul r8,r10,r8 @ "tp[0]"*n0 + mov r12,#0 + umlal r10,r12,r6,r8 @ np[0]*n0+"t[0]" + mov r4,sp + +.L1st: + ldr r5,[r1],#4 @ ap[j],ap++ + mov r10,r11 + ldr r6,[r3],#4 @ np[j],np++ + mov r11,#0 + umlal r10,r11,r5,r2 @ ap[j]*bp[0] + mov r14,#0 + umlal r12,r14,r6,r8 @ np[j]*n0 + adds r12,r12,r10 + str r12,[r4],#4 @ tp[j-1]=,tp++ + adc r12,r14,#0 + cmp r4,r0 + bne .L1st + + adds r12,r12,r11 + ldr r4,[r0,#13*4] @ restore bp + mov r14,#0 + ldr r8,[r0,#14*4] @ restore n0 + adc r14,r14,#0 + str r12,[r0] @ tp[num-1]= + str r14,[r0,#4] @ tp[num]= + +.Louter: + sub r7,r0,sp @ "original" r0-1 value + sub r1,r1,r7 @ "rewind" ap to &ap[1] + ldr r2,[r4,#4]! 
@ *(++bp) + sub r3,r3,r7 @ "rewind" np to &np[1] + ldr r5,[r1,#-4] @ ap[0] + ldr r10,[sp] @ tp[0] + ldr r6,[r3,#-4] @ np[0] + ldr r7,[sp,#4] @ tp[1] + + mov r11,#0 + umlal r10,r11,r5,r2 @ ap[0]*bp[i]+tp[0] + str r4,[r0,#13*4] @ save bp + mul r8,r10,r8 + mov r12,#0 + umlal r10,r12,r6,r8 @ np[0]*n0+"tp[0]" + mov r4,sp + +.Linner: + ldr r5,[r1],#4 @ ap[j],ap++ + adds r10,r11,r7 @ +=tp[j] + ldr r6,[r3],#4 @ np[j],np++ + mov r11,#0 + umlal r10,r11,r5,r2 @ ap[j]*bp[i] + mov r14,#0 + umlal r12,r14,r6,r8 @ np[j]*n0 + adc r11,r11,#0 + ldr r7,[r4,#8] @ tp[j+1] + adds r12,r12,r10 + str r12,[r4],#4 @ tp[j-1]=,tp++ + adc r12,r14,#0 + cmp r4,r0 + bne .Linner + + adds r12,r12,r11 + mov r14,#0 + ldr r4,[r0,#13*4] @ restore bp + adc r14,r14,#0 + ldr r8,[r0,#14*4] @ restore n0 + adds r12,r12,r7 + ldr r7,[r0,#15*4] @ restore &bp[num] + adc r14,r14,#0 + str r12,[r0] @ tp[num-1]= + str r14,[r0,#4] @ tp[num]= + + cmp r4,r7 + bne .Louter + + ldr r2,[r0,#12*4] @ pull rp + add r0,r0,#4 @ r0 to point at &tp[num] + sub r5,r0,sp @ "original" num value + mov r4,sp @ "rewind" r4 + mov r1,r4 @ "borrow" r1 + sub r3,r3,r5 @ "rewind" r3 to &np[0] + + subs r7,r7,r7 @ "clear" carry flag +.Lsub: ldr r7,[r4],#4 + ldr r6,[r3],#4 + sbcs r7,r7,r6 @ tp[j]-np[j] + str r7,[r2],#4 @ rp[j]= + teq r4,r0 @ preserve carry + bne .Lsub + sbcs r14,r14,#0 @ upmost carry + mov r4,sp @ "rewind" r4 + sub r2,r2,r5 @ "rewind" r2 + + and r1,r4,r14 + bic r3,r2,r14 + orr r1,r1,r3 @ ap=borrow?tp:rp + +.Lcopy: ldr r7,[r1],#4 @ copy or in-place refresh + str sp,[r4],#4 @ zap tp + str r7,[r2],#4 + cmp r4,r0 + bne .Lcopy + + add sp,r0,#4 @ skip over tp[num+1] + ldmia sp!,{r4-r12,lr} @ restore registers + add sp,sp,#2*4 @ skip over {r0,r2} + mov r0,#1 +.Labrt: tst lr,#1 + moveq pc,lr @ be binary compatible with V4, yet + .word 0xe12fff1e @ interoperable with Thumb ISA:-) +.size bn_mul_mont,.-bn_mul_mont +.asciz "Montgomery multiplication for ARMv4, CRYPTOGAMS by " +.align 2 +#if defined(HAVE_GNU_STACK) +.section 
.note.GNU-stack,"",%progbits +#endif diff --git a/crypto/bn/mont-masm-x86_64.S b/crypto/bn/mont-masm-x86_64.S new file mode 100644 index 0000000..c943f15 --- /dev/null +++ b/crypto/bn/mont-masm-x86_64.S 
@@ -0,0 +1,1496 @@ +; 1 "crypto/bn/mont-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/bn/mont-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/bn/mont-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' + +PUBLIC bn_mul_mont + +ALIGN 16 +bn_mul_mont PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_bn_mul_mont:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + + test r9d,3 + jnz $L$mul_enter + cmp r9d,8 + jb $L$mul_enter + cmp rdx,rsi + jne $L$mul4x_enter + jmp $L$sqr4x_enter + +ALIGN 16 +$L$mul_enter:: + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + + mov r9d,r9d + lea r10,QWORD PTR[2+r9] + mov r11,rsp + neg r10 + lea rsp,QWORD PTR[r10*8+rsp] + and rsp,-1024 + + mov QWORD PTR[8+r9*8+rsp],r11 +$L$mul_body:: + mov r12,rdx + mov r8,QWORD PTR[r8] + mov rbx,QWORD PTR[r12] + mov rax,QWORD PTR[rsi] + + xor r14,r14 + xor r15,r15 + + mov rbp,r8 + mul rbx + mov r10,rax + mov rax,QWORD PTR[rcx] + + imul rbp,r10 + mov r11,rdx + + mul rbp + add r10,rax + mov rax,QWORD PTR[8+rsi] + adc rdx,0 + mov r13,rdx + + lea r15,QWORD PTR[1+r15] + jmp $L$1st_enter + +ALIGN 16 +$L$1st:: + add r13,rax + mov rax,QWORD PTR[r15*8+rsi] + adc rdx,0 + add r13,r11 + mov r11,r10 + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],r13 + mov r13,rdx + +$L$1st_enter:: + mul rbx + add r11,rax + mov rax,QWORD PTR[r15*8+rcx] + adc rdx,0 + lea r15,QWORD PTR[1+r15] + mov r10,rdx + + mul rbp + cmp r15,r9 + jl $L$1st + + add r13,rax + mov rax,QWORD PTR[rsi] + adc rdx,0 + add r13,r11 + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],r13 + mov r13,rdx + mov r11,r10 + + xor rdx,rdx + add r13,r11 + adc rdx,0 + mov QWORD PTR[((-8))+r9*8+rsp],r13 
+ mov QWORD PTR[r9*8+rsp],rdx + + lea r14,QWORD PTR[1+r14] + jmp $L$outer +ALIGN 16 +$L$outer:: + mov rbx,QWORD PTR[r14*8+r12] + xor r15,r15 + mov rbp,r8 + mov r10,QWORD PTR[rsp] + mul rbx + add r10,rax + mov rax,QWORD PTR[rcx] + adc rdx,0 + + imul rbp,r10 + mov r11,rdx + + mul rbp + add r10,rax + mov rax,QWORD PTR[8+rsi] + adc rdx,0 + mov r10,QWORD PTR[8+rsp] + mov r13,rdx + + lea r15,QWORD PTR[1+r15] + jmp $L$inner_enter + +ALIGN 16 +$L$inner:: + add r13,rax + mov rax,QWORD PTR[r15*8+rsi] + adc rdx,0 + add r13,r10 + mov r10,QWORD PTR[r15*8+rsp] + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],r13 + mov r13,rdx + +$L$inner_enter:: + mul rbx + add r11,rax + mov rax,QWORD PTR[r15*8+rcx] + adc rdx,0 + add r10,r11 + mov r11,rdx + adc r11,0 + lea r15,QWORD PTR[1+r15] + + mul rbp + cmp r15,r9 + jl $L$inner + + add r13,rax + mov rax,QWORD PTR[rsi] + adc rdx,0 + add r13,r10 + mov r10,QWORD PTR[r15*8+rsp] + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],r13 + mov r13,rdx + + xor rdx,rdx + add r13,r11 + adc rdx,0 + add r13,r10 + adc rdx,0 + mov QWORD PTR[((-8))+r9*8+rsp],r13 + mov QWORD PTR[r9*8+rsp],rdx + + lea r14,QWORD PTR[1+r14] + cmp r14,r9 + jl $L$outer + + xor r14,r14 + mov rax,QWORD PTR[rsp] + lea rsi,QWORD PTR[rsp] + mov r15,r9 + jmp $L$sub +ALIGN 16 +$L$sub:: sbb rax,QWORD PTR[r14*8+rcx] + mov QWORD PTR[r14*8+rdi],rax + mov rax,QWORD PTR[8+r14*8+rsi] + lea r14,QWORD PTR[1+r14] + dec r15 + jnz $L$sub + + sbb rax,0 + xor r14,r14 + and rsi,rax + not rax + mov rcx,rdi + and rcx,rax + mov r15,r9 + or rsi,rcx +ALIGN 16 +$L$copy:: + mov rax,QWORD PTR[r14*8+rsi] + mov QWORD PTR[r14*8+rsp],r14 + mov QWORD PTR[r14*8+rdi],rax + lea r14,QWORD PTR[1+r14] + sub r15,1 + jnz $L$copy + + mov rsi,QWORD PTR[8+r9*8+rsp] + mov rax,1 + mov r15,QWORD PTR[rsi] + mov r14,QWORD PTR[8+rsi] + mov r13,QWORD PTR[16+rsi] + mov r12,QWORD PTR[24+rsi] + mov rbp,QWORD PTR[32+rsi] + mov rbx,QWORD PTR[40+rsi] + lea rsp,QWORD PTR[48+rsi] +$L$mul_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov 
rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_bn_mul_mont:: +bn_mul_mont ENDP + +ALIGN 16 +bn_mul4x_mont PROC PRIVATE + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_bn_mul4x_mont:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + +$L$mul4x_enter:: + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + + mov r9d,r9d + lea r10,QWORD PTR[4+r9] + mov r11,rsp + neg r10 + lea rsp,QWORD PTR[r10*8+rsp] + and rsp,-1024 + + mov QWORD PTR[8+r9*8+rsp],r11 +$L$mul4x_body:: + mov QWORD PTR[16+r9*8+rsp],rdi + mov r12,rdx + mov r8,QWORD PTR[r8] + mov rbx,QWORD PTR[r12] + mov rax,QWORD PTR[rsi] + + xor r14,r14 + xor r15,r15 + + mov rbp,r8 + mul rbx + mov r10,rax + mov rax,QWORD PTR[rcx] + + imul rbp,r10 + mov r11,rdx + + mul rbp + add r10,rax + mov rax,QWORD PTR[8+rsi] + adc rdx,0 + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[8+rcx] + adc rdx,0 + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[16+rsi] + adc rdx,0 + add rdi,r11 + lea r15,QWORD PTR[4+r15] + adc rdx,0 + mov QWORD PTR[rsp],rdi + mov r13,rdx + jmp $L$1st4x +ALIGN 16 +$L$1st4x:: + mul rbx + add r10,rax + mov rax,QWORD PTR[((-16))+r15*8+rcx] + adc rdx,0 + mov r11,rdx + + mul rbp + add r13,rax + mov rax,QWORD PTR[((-8))+r15*8+rsi] + adc rdx,0 + add r13,r10 + adc rdx,0 + mov QWORD PTR[((-24))+r15*8+rsp],r13 + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[((-8))+r15*8+rcx] + adc rdx,0 + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[r15*8+rsi] + adc rdx,0 + add rdi,r11 + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],rdi + mov r13,rdx + + mul rbx + add r10,rax + mov rax,QWORD PTR[r15*8+rcx] + adc rdx,0 + mov r11,rdx + + mul rbp + add r13,rax + mov rax,QWORD PTR[8+r15*8+rsi] + adc rdx,0 + add r13,r10 + adc rdx,0 + mov QWORD PTR[((-8))+r15*8+rsp],r13 + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[8+r15*8+rcx] + adc rdx,0 + lea 
r15,QWORD PTR[4+r15] + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[((-16))+r15*8+rsi] + adc rdx,0 + add rdi,r11 + adc rdx,0 + mov QWORD PTR[((-32))+r15*8+rsp],rdi + mov r13,rdx + cmp r15,r9 + jl $L$1st4x + + mul rbx + add r10,rax + mov rax,QWORD PTR[((-16))+r15*8+rcx] + adc rdx,0 + mov r11,rdx + + mul rbp + add r13,rax + mov rax,QWORD PTR[((-8))+r15*8+rsi] + adc rdx,0 + add r13,r10 + adc rdx,0 + mov QWORD PTR[((-24))+r15*8+rsp],r13 + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[((-8))+r15*8+rcx] + adc rdx,0 + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[rsi] + adc rdx,0 + add rdi,r11 + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],rdi + mov r13,rdx + + xor rdi,rdi + add r13,r10 + adc rdi,0 + mov QWORD PTR[((-8))+r15*8+rsp],r13 + mov QWORD PTR[r15*8+rsp],rdi + + lea r14,QWORD PTR[1+r14] +ALIGN 4 +$L$outer4x:: + mov rbx,QWORD PTR[r14*8+r12] + xor r15,r15 + mov r10,QWORD PTR[rsp] + mov rbp,r8 + mul rbx + add r10,rax + mov rax,QWORD PTR[rcx] + adc rdx,0 + + imul rbp,r10 + mov r11,rdx + + mul rbp + add r10,rax + mov rax,QWORD PTR[8+rsi] + adc rdx,0 + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[8+rcx] + adc rdx,0 + add r11,QWORD PTR[8+rsp] + adc rdx,0 + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[16+rsi] + adc rdx,0 + add rdi,r11 + lea r15,QWORD PTR[4+r15] + adc rdx,0 + mov QWORD PTR[rsp],rdi + mov r13,rdx + jmp $L$inner4x +ALIGN 16 +$L$inner4x:: + mul rbx + add r10,rax + mov rax,QWORD PTR[((-16))+r15*8+rcx] + adc rdx,0 + add r10,QWORD PTR[((-16))+r15*8+rsp] + adc rdx,0 + mov r11,rdx + + mul rbp + add r13,rax + mov rax,QWORD PTR[((-8))+r15*8+rsi] + adc rdx,0 + add r13,r10 + adc rdx,0 + mov QWORD PTR[((-24))+r15*8+rsp],r13 + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[((-8))+r15*8+rcx] + adc rdx,0 + add r11,QWORD PTR[((-8))+r15*8+rsp] + adc rdx,0 + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[r15*8+rsi] + adc rdx,0 + add rdi,r11 + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],rdi 
+ mov r13,rdx + + mul rbx + add r10,rax + mov rax,QWORD PTR[r15*8+rcx] + adc rdx,0 + add r10,QWORD PTR[r15*8+rsp] + adc rdx,0 + mov r11,rdx + + mul rbp + add r13,rax + mov rax,QWORD PTR[8+r15*8+rsi] + adc rdx,0 + add r13,r10 + adc rdx,0 + mov QWORD PTR[((-8))+r15*8+rsp],r13 + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[8+r15*8+rcx] + adc rdx,0 + add r11,QWORD PTR[8+r15*8+rsp] + adc rdx,0 + lea r15,QWORD PTR[4+r15] + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[((-16))+r15*8+rsi] + adc rdx,0 + add rdi,r11 + adc rdx,0 + mov QWORD PTR[((-32))+r15*8+rsp],rdi + mov r13,rdx + cmp r15,r9 + jl $L$inner4x + + mul rbx + add r10,rax + mov rax,QWORD PTR[((-16))+r15*8+rcx] + adc rdx,0 + add r10,QWORD PTR[((-16))+r15*8+rsp] + adc rdx,0 + mov r11,rdx + + mul rbp + add r13,rax + mov rax,QWORD PTR[((-8))+r15*8+rsi] + adc rdx,0 + add r13,r10 + adc rdx,0 + mov QWORD PTR[((-24))+r15*8+rsp],r13 + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[((-8))+r15*8+rcx] + adc rdx,0 + add r11,QWORD PTR[((-8))+r15*8+rsp] + adc rdx,0 + lea r14,QWORD PTR[1+r14] + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[rsi] + adc rdx,0 + add rdi,r11 + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],rdi + mov r13,rdx + + xor rdi,rdi + add r13,r10 + adc rdi,0 + add r13,QWORD PTR[r9*8+rsp] + adc rdi,0 + mov QWORD PTR[((-8))+r15*8+rsp],r13 + mov QWORD PTR[r15*8+rsp],rdi + + cmp r14,r9 + jl $L$outer4x + mov rdi,QWORD PTR[16+r9*8+rsp] + mov rax,QWORD PTR[rsp] + pxor xmm0,xmm0 + mov rdx,QWORD PTR[8+rsp] + shr r9,2 + lea rsi,QWORD PTR[rsp] + xor r14,r14 + + sub rax,QWORD PTR[rcx] + mov rbx,QWORD PTR[16+rsi] + mov rbp,QWORD PTR[24+rsi] + sbb rdx,QWORD PTR[8+rcx] + lea r15,QWORD PTR[((-1))+r9] + jmp $L$sub4x +ALIGN 16 +$L$sub4x:: + mov QWORD PTR[r14*8+rdi],rax + mov QWORD PTR[8+r14*8+rdi],rdx + sbb rbx,QWORD PTR[16+r14*8+rcx] + mov rax,QWORD PTR[32+r14*8+rsi] + mov rdx,QWORD PTR[40+r14*8+rsi] + sbb rbp,QWORD PTR[24+r14*8+rcx] + mov QWORD PTR[16+r14*8+rdi],rbx + mov QWORD 
PTR[24+r14*8+rdi],rbp + sbb rax,QWORD PTR[32+r14*8+rcx] + mov rbx,QWORD PTR[48+r14*8+rsi] + mov rbp,QWORD PTR[56+r14*8+rsi] + sbb rdx,QWORD PTR[40+r14*8+rcx] + lea r14,QWORD PTR[4+r14] + dec r15 + jnz $L$sub4x + + mov QWORD PTR[r14*8+rdi],rax + mov rax,QWORD PTR[32+r14*8+rsi] + sbb rbx,QWORD PTR[16+r14*8+rcx] + mov QWORD PTR[8+r14*8+rdi],rdx + sbb rbp,QWORD PTR[24+r14*8+rcx] + mov QWORD PTR[16+r14*8+rdi],rbx + + sbb rax,0 + mov QWORD PTR[24+r14*8+rdi],rbp + xor r14,r14 + and rsi,rax + not rax + mov rcx,rdi + and rcx,rax + lea r15,QWORD PTR[((-1))+r9] + or rsi,rcx + + movdqu xmm1,XMMWORD PTR[rsi] + movdqa XMMWORD PTR[rsp],xmm0 + movdqu XMMWORD PTR[rdi],xmm1 + jmp $L$copy4x +ALIGN 16 +$L$copy4x:: + movdqu xmm2,XMMWORD PTR[16+r14*1+rsi] + movdqu xmm1,XMMWORD PTR[32+r14*1+rsi] + movdqa XMMWORD PTR[16+r14*1+rsp],xmm0 + movdqu XMMWORD PTR[16+r14*1+rdi],xmm2 + movdqa XMMWORD PTR[32+r14*1+rsp],xmm0 + movdqu XMMWORD PTR[32+r14*1+rdi],xmm1 + lea r14,QWORD PTR[32+r14] + dec r15 + jnz $L$copy4x + + shl r9,2 + movdqu xmm2,XMMWORD PTR[16+r14*1+rsi] + movdqa XMMWORD PTR[16+r14*1+rsp],xmm0 + movdqu XMMWORD PTR[16+r14*1+rdi],xmm2 + mov rsi,QWORD PTR[8+r9*8+rsp] + mov rax,1 + mov r15,QWORD PTR[rsi] + mov r14,QWORD PTR[8+rsi] + mov r13,QWORD PTR[16+rsi] + mov r12,QWORD PTR[24+rsi] + mov rbp,QWORD PTR[32+rsi] + mov rbx,QWORD PTR[40+rsi] + lea rsp,QWORD PTR[48+rsi] +$L$mul4x_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_bn_mul4x_mont:: +bn_mul4x_mont ENDP + +ALIGN 16 +bn_sqr4x_mont PROC PRIVATE + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_bn_sqr4x_mont:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + +$L$sqr4x_enter:: + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + + shl r9d,3 + xor r10,r10 + mov r11,rsp + sub r10,r9 + mov r8,QWORD PTR[r8] + lea rsp,QWORD PTR[((-72))+r10*2+rsp] + 
and rsp,-1024 + + + + + + + + + + + + mov QWORD PTR[32+rsp],rdi + mov QWORD PTR[40+rsp],rcx + mov QWORD PTR[48+rsp],r8 + mov QWORD PTR[56+rsp],r11 +$L$sqr4x_body:: + + + + + + + + lea rbp,QWORD PTR[32+r10] + lea rsi,QWORD PTR[r9*1+rsi] + + mov rcx,r9 + + + mov r14,QWORD PTR[((-32))+rbp*1+rsi] + lea rdi,QWORD PTR[64+r9*2+rsp] + mov rax,QWORD PTR[((-24))+rbp*1+rsi] + lea rdi,QWORD PTR[((-32))+rbp*1+rdi] + mov rbx,QWORD PTR[((-16))+rbp*1+rsi] + mov r15,rax + + mul r14 + mov r10,rax + mov rax,rbx + mov r11,rdx + mov QWORD PTR[((-24))+rbp*1+rdi],r10 + + xor r10,r10 + mul r14 + add r11,rax + mov rax,rbx + adc r10,rdx + mov QWORD PTR[((-16))+rbp*1+rdi],r11 + + lea rcx,QWORD PTR[((-16))+rbp] + + + mov rbx,QWORD PTR[8+rcx*1+rsi] + mul r15 + mov r12,rax + mov rax,rbx + mov r13,rdx + + xor r11,r11 + add r10,r12 + lea rcx,QWORD PTR[16+rcx] + adc r11,0 + mul r14 + add r10,rax + mov rax,rbx + adc r11,rdx + mov QWORD PTR[((-8))+rcx*1+rdi],r10 + jmp $L$sqr4x_1st + +ALIGN 16 +$L$sqr4x_1st:: + mov rbx,QWORD PTR[rcx*1+rsi] + xor r12,r12 + mul r15 + add r13,rax + mov rax,rbx + adc r12,rdx + + xor r10,r10 + add r11,r13 + adc r10,0 + mul r14 + add r11,rax + mov rax,rbx + adc r10,rdx + mov QWORD PTR[rcx*1+rdi],r11 + + + mov rbx,QWORD PTR[8+rcx*1+rsi] + xor r13,r13 + mul r15 + add r12,rax + mov rax,rbx + adc r13,rdx + + xor r11,r11 + add r10,r12 + adc r11,0 + mul r14 + add r10,rax + mov rax,rbx + adc r11,rdx + mov QWORD PTR[8+rcx*1+rdi],r10 + + mov rbx,QWORD PTR[16+rcx*1+rsi] + xor r12,r12 + mul r15 + add r13,rax + mov rax,rbx + adc r12,rdx + + xor r10,r10 + add r11,r13 + adc r10,0 + mul r14 + add r11,rax + mov rax,rbx + adc r10,rdx + mov QWORD PTR[16+rcx*1+rdi],r11 + + + mov rbx,QWORD PTR[24+rcx*1+rsi] + xor r13,r13 + mul r15 + add r12,rax + mov rax,rbx + adc r13,rdx + + xor r11,r11 + add r10,r12 + lea rcx,QWORD PTR[32+rcx] + adc r11,0 + mul r14 + add r10,rax + mov rax,rbx + adc r11,rdx + mov QWORD PTR[((-8))+rcx*1+rdi],r10 + + cmp rcx,0 + jne $L$sqr4x_1st + + xor r12,r12 + add r13,r11 + 
adc r12,0 + mul r15 + add r13,rax + adc r12,rdx + + mov QWORD PTR[rdi],r13 + lea rbp,QWORD PTR[16+rbp] + mov QWORD PTR[8+rdi],r12 + jmp $L$sqr4x_outer + +ALIGN 16 +$L$sqr4x_outer:: + mov r14,QWORD PTR[((-32))+rbp*1+rsi] + lea rdi,QWORD PTR[64+r9*2+rsp] + mov rax,QWORD PTR[((-24))+rbp*1+rsi] + lea rdi,QWORD PTR[((-32))+rbp*1+rdi] + mov rbx,QWORD PTR[((-16))+rbp*1+rsi] + mov r15,rax + + mov r10,QWORD PTR[((-24))+rbp*1+rdi] + xor r11,r11 + mul r14 + add r10,rax + mov rax,rbx + adc r11,rdx + mov QWORD PTR[((-24))+rbp*1+rdi],r10 + + xor r10,r10 + add r11,QWORD PTR[((-16))+rbp*1+rdi] + adc r10,0 + mul r14 + add r11,rax + mov rax,rbx + adc r10,rdx + mov QWORD PTR[((-16))+rbp*1+rdi],r11 + + lea rcx,QWORD PTR[((-16))+rbp] + xor r12,r12 + + + mov rbx,QWORD PTR[8+rcx*1+rsi] + xor r13,r13 + add r12,QWORD PTR[8+rcx*1+rdi] + adc r13,0 + mul r15 + add r12,rax + mov rax,rbx + adc r13,rdx + + xor r11,r11 + add r10,r12 + adc r11,0 + mul r14 + add r10,rax + mov rax,rbx + adc r11,rdx + mov QWORD PTR[8+rcx*1+rdi],r10 + + lea rcx,QWORD PTR[16+rcx] + jmp $L$sqr4x_inner + +ALIGN 16 +$L$sqr4x_inner:: + mov rbx,QWORD PTR[rcx*1+rsi] + xor r12,r12 + add r13,QWORD PTR[rcx*1+rdi] + adc r12,0 + mul r15 + add r13,rax + mov rax,rbx + adc r12,rdx + + xor r10,r10 + add r11,r13 + adc r10,0 + mul r14 + add r11,rax + mov rax,rbx + adc r10,rdx + mov QWORD PTR[rcx*1+rdi],r11 + + mov rbx,QWORD PTR[8+rcx*1+rsi] + xor r13,r13 + add r12,QWORD PTR[8+rcx*1+rdi] + adc r13,0 + mul r15 + add r12,rax + mov rax,rbx + adc r13,rdx + + xor r11,r11 + add r10,r12 + lea rcx,QWORD PTR[16+rcx] + adc r11,0 + mul r14 + add r10,rax + mov rax,rbx + adc r11,rdx + mov QWORD PTR[((-8))+rcx*1+rdi],r10 + + cmp rcx,0 + jne $L$sqr4x_inner + + xor r12,r12 + add r13,r11 + adc r12,0 + mul r15 + add r13,rax + adc r12,rdx + + mov QWORD PTR[rdi],r13 + mov QWORD PTR[8+rdi],r12 + + add rbp,16 + jnz $L$sqr4x_outer + + + mov r14,QWORD PTR[((-32))+rsi] + lea rdi,QWORD PTR[64+r9*2+rsp] + mov rax,QWORD PTR[((-24))+rsi] + lea rdi,QWORD 
PTR[((-32))+rbp*1+rdi] + mov rbx,QWORD PTR[((-16))+rsi] + mov r15,rax + + xor r11,r11 + mul r14 + add r10,rax + mov rax,rbx + adc r11,rdx + mov QWORD PTR[((-24))+rdi],r10 + + xor r10,r10 + add r11,r13 + adc r10,0 + mul r14 + add r11,rax + mov rax,rbx + adc r10,rdx + mov QWORD PTR[((-16))+rdi],r11 + + mov rbx,QWORD PTR[((-8))+rsi] + mul r15 + add r12,rax + mov rax,rbx + adc rdx,0 + + xor r11,r11 + add r10,r12 + mov r13,rdx + adc r11,0 + mul r14 + add r10,rax + mov rax,rbx + adc r11,rdx + mov QWORD PTR[((-8))+rdi],r10 + + xor r12,r12 + add r13,r11 + adc r12,0 + mul r15 + add r13,rax + mov rax,QWORD PTR[((-16))+rsi] + adc r12,rdx + + mov QWORD PTR[rdi],r13 + mov QWORD PTR[8+rdi],r12 + + mul rbx + add rbp,16 + xor r14,r14 + sub rbp,r9 + xor r15,r15 + + add rax,r12 + adc rdx,0 + mov QWORD PTR[8+rdi],rax + mov QWORD PTR[16+rdi],rdx + mov QWORD PTR[24+rdi],r15 + + mov rax,QWORD PTR[((-16))+rbp*1+rsi] + lea rdi,QWORD PTR[64+r9*2+rsp] + xor r10,r10 + mov r11,QWORD PTR[((-24))+rbp*2+rdi] + + lea r12,QWORD PTR[r10*2+r14] + shr r10,63 + lea r13,QWORD PTR[r11*2+rcx] + shr r11,63 + or r13,r10 + mov r10,QWORD PTR[((-16))+rbp*2+rdi] + mov r14,r11 + mul rax + neg r15 + mov r11,QWORD PTR[((-8))+rbp*2+rdi] + adc r12,rax + mov rax,QWORD PTR[((-8))+rbp*1+rsi] + mov QWORD PTR[((-32))+rbp*2+rdi],r12 + adc r13,rdx + + lea rbx,QWORD PTR[r10*2+r14] + mov QWORD PTR[((-24))+rbp*2+rdi],r13 + sbb r15,r15 + shr r10,63 + lea r8,QWORD PTR[r11*2+rcx] + shr r11,63 + or r8,r10 + mov r10,QWORD PTR[rbp*2+rdi] + mov r14,r11 + mul rax + neg r15 + mov r11,QWORD PTR[8+rbp*2+rdi] + adc rbx,rax + mov rax,QWORD PTR[rbp*1+rsi] + mov QWORD PTR[((-16))+rbp*2+rdi],rbx + adc r8,rdx + lea rbp,QWORD PTR[16+rbp] + mov QWORD PTR[((-40))+rbp*2+rdi],r8 + sbb r15,r15 + jmp $L$sqr4x_shift_n_add + +ALIGN 16 +$L$sqr4x_shift_n_add:: + lea r12,QWORD PTR[r10*2+r14] + shr r10,63 + lea r13,QWORD PTR[r11*2+rcx] + shr r11,63 + or r13,r10 + mov r10,QWORD PTR[((-16))+rbp*2+rdi] + mov r14,r11 + mul rax + neg r15 + mov r11,QWORD 
PTR[((-8))+rbp*2+rdi] + adc r12,rax + mov rax,QWORD PTR[((-8))+rbp*1+rsi] + mov QWORD PTR[((-32))+rbp*2+rdi],r12 + adc r13,rdx + + lea rbx,QWORD PTR[r10*2+r14] + mov QWORD PTR[((-24))+rbp*2+rdi],r13 + sbb r15,r15 + shr r10,63 + lea r8,QWORD PTR[r11*2+rcx] + shr r11,63 + or r8,r10 + mov r10,QWORD PTR[rbp*2+rdi] + mov r14,r11 + mul rax + neg r15 + mov r11,QWORD PTR[8+rbp*2+rdi] + adc rbx,rax + mov rax,QWORD PTR[rbp*1+rsi] + mov QWORD PTR[((-16))+rbp*2+rdi],rbx + adc r8,rdx + + lea r12,QWORD PTR[r10*2+r14] + mov QWORD PTR[((-8))+rbp*2+rdi],r8 + sbb r15,r15 + shr r10,63 + lea r13,QWORD PTR[r11*2+rcx] + shr r11,63 + or r13,r10 + mov r10,QWORD PTR[16+rbp*2+rdi] + mov r14,r11 + mul rax + neg r15 + mov r11,QWORD PTR[24+rbp*2+rdi] + adc r12,rax + mov rax,QWORD PTR[8+rbp*1+rsi] + mov QWORD PTR[rbp*2+rdi],r12 + adc r13,rdx + + lea rbx,QWORD PTR[r10*2+r14] + mov QWORD PTR[8+rbp*2+rdi],r13 + sbb r15,r15 + shr r10,63 + lea r8,QWORD PTR[r11*2+rcx] + shr r11,63 + or r8,r10 + mov r10,QWORD PTR[32+rbp*2+rdi] + mov r14,r11 + mul rax + neg r15 + mov r11,QWORD PTR[40+rbp*2+rdi] + adc rbx,rax + mov rax,QWORD PTR[16+rbp*1+rsi] + mov QWORD PTR[16+rbp*2+rdi],rbx + adc r8,rdx + mov QWORD PTR[24+rbp*2+rdi],r8 + sbb r15,r15 + add rbp,32 + jnz $L$sqr4x_shift_n_add + + lea r12,QWORD PTR[r10*2+r14] + shr r10,63 + lea r13,QWORD PTR[r11*2+rcx] + shr r11,63 + or r13,r10 + mov r10,QWORD PTR[((-16))+rdi] + mov r14,r11 + mul rax + neg r15 + mov r11,QWORD PTR[((-8))+rdi] + adc r12,rax + mov rax,QWORD PTR[((-8))+rsi] + mov QWORD PTR[((-32))+rdi],r12 + adc r13,rdx + + lea rbx,QWORD PTR[r10*2+r14] + mov QWORD PTR[((-24))+rdi],r13 + sbb r15,r15 + shr r10,63 + lea r8,QWORD PTR[r11*2+rcx] + shr r11,63 + or r8,r10 + mul rax + neg r15 + adc rbx,rax + adc r8,rdx + mov QWORD PTR[((-16))+rdi],rbx + mov QWORD PTR[((-8))+rdi],r8 + mov rsi,QWORD PTR[40+rsp] + mov r8,QWORD PTR[48+rsp] + xor rcx,rcx + mov QWORD PTR[rsp],r9 + sub rcx,r9 + mov r10,QWORD PTR[64+rsp] + mov r14,r8 + lea rax,QWORD PTR[64+r9*2+rsp] + lea 
rdi,QWORD PTR[64+r9*1+rsp] + mov QWORD PTR[8+rsp],rax + lea rsi,QWORD PTR[r9*1+rsi] + xor rbp,rbp + + mov rax,QWORD PTR[rcx*1+rsi] + mov r9,QWORD PTR[8+rcx*1+rsi] + imul r14,r10 + mov rbx,rax + jmp $L$sqr4x_mont_outer + +ALIGN 16 +$L$sqr4x_mont_outer:: + xor r11,r11 + mul r14 + add r10,rax + mov rax,r9 + adc r11,rdx + mov r15,r8 + + xor r10,r10 + add r11,QWORD PTR[8+rcx*1+rdi] + adc r10,0 + mul r14 + add r11,rax + mov rax,rbx + adc r10,rdx + + imul r15,r11 + + mov rbx,QWORD PTR[16+rcx*1+rsi] + xor r13,r13 + add r12,r11 + adc r13,0 + mul r15 + add r12,rax + mov rax,rbx + adc r13,rdx + mov QWORD PTR[8+rcx*1+rdi],r12 + + xor r11,r11 + add r10,QWORD PTR[16+rcx*1+rdi] + adc r11,0 + mul r14 + add r10,rax + mov rax,r9 + adc r11,rdx + + mov r9,QWORD PTR[24+rcx*1+rsi] + xor r12,r12 + add r13,r10 + adc r12,0 + mul r15 + add r13,rax + mov rax,r9 + adc r12,rdx + mov QWORD PTR[16+rcx*1+rdi],r13 + + xor r10,r10 + add r11,QWORD PTR[24+rcx*1+rdi] + lea rcx,QWORD PTR[32+rcx] + adc r10,0 + mul r14 + add r11,rax + mov rax,rbx + adc r10,rdx + jmp $L$sqr4x_mont_inner + +ALIGN 16 +$L$sqr4x_mont_inner:: + mov rbx,QWORD PTR[rcx*1+rsi] + xor r13,r13 + add r12,r11 + adc r13,0 + mul r15 + add r12,rax + mov rax,rbx + adc r13,rdx + mov QWORD PTR[((-8))+rcx*1+rdi],r12 + + xor r11,r11 + add r10,QWORD PTR[rcx*1+rdi] + adc r11,0 + mul r14 + add r10,rax + mov rax,r9 + adc r11,rdx + + mov r9,QWORD PTR[8+rcx*1+rsi] + xor r12,r12 + add r13,r10 + adc r12,0 + mul r15 + add r13,rax + mov rax,r9 + adc r12,rdx + mov QWORD PTR[rcx*1+rdi],r13 + + xor r10,r10 + add r11,QWORD PTR[8+rcx*1+rdi] + adc r10,0 + mul r14 + add r11,rax + mov rax,rbx + adc r10,rdx + + + mov rbx,QWORD PTR[16+rcx*1+rsi] + xor r13,r13 + add r12,r11 + adc r13,0 + mul r15 + add r12,rax + mov rax,rbx + adc r13,rdx + mov QWORD PTR[8+rcx*1+rdi],r12 + + xor r11,r11 + add r10,QWORD PTR[16+rcx*1+rdi] + adc r11,0 + mul r14 + add r10,rax + mov rax,r9 + adc r11,rdx + + mov r9,QWORD PTR[24+rcx*1+rsi] + xor r12,r12 + add r13,r10 + adc r12,0 + mul r15 
+ add r13,rax + mov rax,r9 + adc r12,rdx + mov QWORD PTR[16+rcx*1+rdi],r13 + + xor r10,r10 + add r11,QWORD PTR[24+rcx*1+rdi] + lea rcx,QWORD PTR[32+rcx] + adc r10,0 + mul r14 + add r11,rax + mov rax,rbx + adc r10,rdx + cmp rcx,0 + jne $L$sqr4x_mont_inner + + sub rcx,QWORD PTR[rsp] + mov r14,r8 + + xor r13,r13 + add r12,r11 + adc r13,0 + mul r15 + add r12,rax + mov rax,r9 + adc r13,rdx + mov QWORD PTR[((-8))+rdi],r12 + + xor r11,r11 + add r10,QWORD PTR[rdi] + adc r11,0 + mov rbx,QWORD PTR[rcx*1+rsi] + add r10,rbp + adc r11,0 + + imul r14,QWORD PTR[16+rcx*1+rdi] + xor r12,r12 + mov r9,QWORD PTR[8+rcx*1+rsi] + add r13,r10 + mov r10,QWORD PTR[16+rcx*1+rdi] + adc r12,0 + mul r15 + add r13,rax + mov rax,rbx + adc r12,rdx + mov QWORD PTR[rdi],r13 + + xor rbp,rbp + add r12,QWORD PTR[8+rdi] + adc rbp,rbp + add r12,r11 + lea rdi,QWORD PTR[16+rdi] + adc rbp,0 + mov QWORD PTR[((-8))+rdi],r12 + cmp rdi,QWORD PTR[8+rsp] + jb $L$sqr4x_mont_outer + + mov r9,QWORD PTR[rsp] + mov QWORD PTR[rdi],rbp + mov rax,QWORD PTR[64+r9*1+rsp] + lea rbx,QWORD PTR[64+r9*1+rsp] + mov rsi,QWORD PTR[40+rsp] + shr r9,5 + mov rdx,QWORD PTR[8+rbx] + xor rbp,rbp + + mov rdi,QWORD PTR[32+rsp] + sub rax,QWORD PTR[rsi] + mov r10,QWORD PTR[16+rbx] + mov r11,QWORD PTR[24+rbx] + sbb rdx,QWORD PTR[8+rsi] + lea rcx,QWORD PTR[((-1))+r9] + jmp $L$sqr4x_sub +ALIGN 16 +$L$sqr4x_sub:: + mov QWORD PTR[rbp*8+rdi],rax + mov QWORD PTR[8+rbp*8+rdi],rdx + sbb r10,QWORD PTR[16+rbp*8+rsi] + mov rax,QWORD PTR[32+rbp*8+rbx] + mov rdx,QWORD PTR[40+rbp*8+rbx] + sbb r11,QWORD PTR[24+rbp*8+rsi] + mov QWORD PTR[16+rbp*8+rdi],r10 + mov QWORD PTR[24+rbp*8+rdi],r11 + sbb rax,QWORD PTR[32+rbp*8+rsi] + mov r10,QWORD PTR[48+rbp*8+rbx] + mov r11,QWORD PTR[56+rbp*8+rbx] + sbb rdx,QWORD PTR[40+rbp*8+rsi] + lea rbp,QWORD PTR[4+rbp] + dec rcx + jnz $L$sqr4x_sub + + mov QWORD PTR[rbp*8+rdi],rax + mov rax,QWORD PTR[32+rbp*8+rbx] + sbb r10,QWORD PTR[16+rbp*8+rsi] + mov QWORD PTR[8+rbp*8+rdi],rdx + sbb r11,QWORD PTR[24+rbp*8+rsi] + mov QWORD 
PTR[16+rbp*8+rdi],r10 + + sbb rax,0 + mov QWORD PTR[24+rbp*8+rdi],r11 + xor rbp,rbp + and rbx,rax + not rax + mov rsi,rdi + and rsi,rax + lea rcx,QWORD PTR[((-1))+r9] + or rbx,rsi + + pxor xmm0,xmm0 + lea rsi,QWORD PTR[64+r9*8+rsp] + movdqu xmm1,XMMWORD PTR[rbx] + lea rsi,QWORD PTR[r9*8+rsi] + movdqa XMMWORD PTR[64+rsp],xmm0 + movdqa XMMWORD PTR[rsi],xmm0 + movdqu XMMWORD PTR[rdi],xmm1 + jmp $L$sqr4x_copy +ALIGN 16 +$L$sqr4x_copy:: + movdqu xmm2,XMMWORD PTR[16+rbp*1+rbx] + movdqu xmm1,XMMWORD PTR[32+rbp*1+rbx] + movdqa XMMWORD PTR[80+rbp*1+rsp],xmm0 + movdqa XMMWORD PTR[96+rbp*1+rsp],xmm0 + movdqa XMMWORD PTR[16+rbp*1+rsi],xmm0 + movdqa XMMWORD PTR[32+rbp*1+rsi],xmm0 + movdqu XMMWORD PTR[16+rbp*1+rdi],xmm2 + movdqu XMMWORD PTR[32+rbp*1+rdi],xmm1 + lea rbp,QWORD PTR[32+rbp] + dec rcx + jnz $L$sqr4x_copy + + movdqu xmm2,XMMWORD PTR[16+rbp*1+rbx] + movdqa XMMWORD PTR[80+rbp*1+rsp],xmm0 + movdqa XMMWORD PTR[16+rbp*1+rsi],xmm0 + movdqu XMMWORD PTR[16+rbp*1+rdi],xmm2 + mov rsi,QWORD PTR[56+rsp] + mov rax,1 + mov r15,QWORD PTR[rsi] + mov r14,QWORD PTR[8+rsi] + mov r13,QWORD PTR[16+rsi] + mov r12,QWORD PTR[24+rsi] + mov rbp,QWORD PTR[32+rsi] + mov rbx,QWORD PTR[40+rsi] + lea rsp,QWORD PTR[48+rsi] +$L$sqr4x_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_bn_sqr4x_mont:: +bn_sqr4x_mont ENDP +DB 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105 +DB 112,108,105,99,97,116,105,111,110,32,102,111,114,32,120,56 +DB 54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83 +DB 32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115 +DB 115,108,46,111,114,103,62,0 +ALIGN 16 + +.text$ ENDS +END + diff --git a/crypto/bn/mont5-masm-x86_64.S b/crypto/bn/mont5-masm-x86_64.S new file mode 100644 index 0000000..dbbbe35 --- /dev/null +++ b/crypto/bn/mont5-masm-x86_64.S 
@@ -0,0 +1,1412 @@ +; 1 "crypto/bn/mont5-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/bn/mont5-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/bn/mont5-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' + +PUBLIC bn_mul_mont_gather5 + +ALIGN 64 +bn_mul_mont_gather5 PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_bn_mul_mont_gather5:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + + test r9d,3 + jnz $L$mul_enter + cmp r9d,8 + jb $L$mul_enter + jmp $L$mul4x_enter + +ALIGN 16 +$L$mul_enter:: + mov r9d,r9d + movd xmm5,DWORD PTR[56+rsp] + lea r10,QWORD PTR[$L$inc] + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + +$L$mul_alloca:: + mov rax,rsp + lea r11,QWORD PTR[2+r9] + neg r11 + lea rsp,QWORD PTR[((-264))+r11*8+rsp] + and rsp,-1024 + + mov QWORD PTR[8+r9*8+rsp],rax +$L$mul_body:: + lea r12,QWORD PTR[128+rdx] + movdqa xmm0,XMMWORD PTR[r10] + movdqa xmm1,XMMWORD PTR[16+r10] + lea r10,QWORD PTR[((24-112))+r9*8+rsp] + and r10,-16 + + pshufd xmm5,xmm5,0 + movdqa xmm4,xmm1 + movdqa xmm2,xmm1 + paddd xmm1,xmm0 + pcmpeqd xmm0,xmm5 +DB 067h + movdqa xmm3,xmm4 + paddd xmm2,xmm1 + pcmpeqd xmm1,xmm5 + movdqa XMMWORD PTR[112+r10],xmm0 + movdqa xmm0,xmm4 + + paddd xmm3,xmm2 + pcmpeqd xmm2,xmm5 + movdqa XMMWORD PTR[128+r10],xmm1 + movdqa xmm1,xmm4 + + paddd xmm0,xmm3 + pcmpeqd xmm3,xmm5 + movdqa XMMWORD PTR[144+r10],xmm2 + movdqa xmm2,xmm4 + + paddd xmm1,xmm0 + pcmpeqd xmm0,xmm5 + movdqa XMMWORD PTR[160+r10],xmm3 + movdqa xmm3,xmm4 + paddd xmm2,xmm1 + pcmpeqd xmm1,xmm5 + movdqa XMMWORD PTR[176+r10],xmm0 + movdqa xmm0,xmm4 + + paddd xmm3,xmm2 + pcmpeqd xmm2,xmm5 + movdqa XMMWORD PTR[192+r10],xmm1 + 
movdqa xmm1,xmm4 + + paddd xmm0,xmm3 + pcmpeqd xmm3,xmm5 + movdqa XMMWORD PTR[208+r10],xmm2 + movdqa xmm2,xmm4 + + paddd xmm1,xmm0 + pcmpeqd xmm0,xmm5 + movdqa XMMWORD PTR[224+r10],xmm3 + movdqa xmm3,xmm4 + paddd xmm2,xmm1 + pcmpeqd xmm1,xmm5 + movdqa XMMWORD PTR[240+r10],xmm0 + movdqa xmm0,xmm4 + + paddd xmm3,xmm2 + pcmpeqd xmm2,xmm5 + movdqa XMMWORD PTR[256+r10],xmm1 + movdqa xmm1,xmm4 + + paddd xmm0,xmm3 + pcmpeqd xmm3,xmm5 + movdqa XMMWORD PTR[272+r10],xmm2 + movdqa xmm2,xmm4 + + paddd xmm1,xmm0 + pcmpeqd xmm0,xmm5 + movdqa XMMWORD PTR[288+r10],xmm3 + movdqa xmm3,xmm4 + paddd xmm2,xmm1 + pcmpeqd xmm1,xmm5 + movdqa XMMWORD PTR[304+r10],xmm0 + + paddd xmm3,xmm2 +DB 067h + pcmpeqd xmm2,xmm5 + movdqa XMMWORD PTR[320+r10],xmm1 + + pcmpeqd xmm3,xmm5 + movdqa XMMWORD PTR[336+r10],xmm2 + pand xmm0,XMMWORD PTR[64+r12] + + pand xmm1,XMMWORD PTR[80+r12] + pand xmm2,XMMWORD PTR[96+r12] + movdqa XMMWORD PTR[352+r10],xmm3 + pand xmm3,XMMWORD PTR[112+r12] + por xmm0,xmm2 + por xmm1,xmm3 + movdqa xmm4,XMMWORD PTR[((-128))+r12] + movdqa xmm5,XMMWORD PTR[((-112))+r12] + movdqa xmm2,XMMWORD PTR[((-96))+r12] + pand xmm4,XMMWORD PTR[112+r10] + movdqa xmm3,XMMWORD PTR[((-80))+r12] + pand xmm5,XMMWORD PTR[128+r10] + por xmm0,xmm4 + pand xmm2,XMMWORD PTR[144+r10] + por xmm1,xmm5 + pand xmm3,XMMWORD PTR[160+r10] + por xmm0,xmm2 + por xmm1,xmm3 + movdqa xmm4,XMMWORD PTR[((-64))+r12] + movdqa xmm5,XMMWORD PTR[((-48))+r12] + movdqa xmm2,XMMWORD PTR[((-32))+r12] + pand xmm4,XMMWORD PTR[176+r10] + movdqa xmm3,XMMWORD PTR[((-16))+r12] + pand xmm5,XMMWORD PTR[192+r10] + por xmm0,xmm4 + pand xmm2,XMMWORD PTR[208+r10] + por xmm1,xmm5 + pand xmm3,XMMWORD PTR[224+r10] + por xmm0,xmm2 + por xmm1,xmm3 + movdqa xmm4,XMMWORD PTR[r12] + movdqa xmm5,XMMWORD PTR[16+r12] + movdqa xmm2,XMMWORD PTR[32+r12] + pand xmm4,XMMWORD PTR[240+r10] + movdqa xmm3,XMMWORD PTR[48+r12] + pand xmm5,XMMWORD PTR[256+r10] + por xmm0,xmm4 + pand xmm2,XMMWORD PTR[272+r10] + por xmm1,xmm5 + pand xmm3,XMMWORD PTR[288+r10] + por 
xmm0,xmm2 + por xmm1,xmm3 + por xmm0,xmm1 + pshufd xmm1,xmm0,04eh + por xmm0,xmm1 + lea r12,QWORD PTR[256+r12] + movd rbx,xmm0 + + mov r8,QWORD PTR[r8] + mov rax,QWORD PTR[rsi] + + xor r14,r14 + xor r15,r15 + + mov rbp,r8 + mul rbx + mov r10,rax + mov rax,QWORD PTR[rcx] + + imul rbp,r10 + mov r11,rdx + + mul rbp + add r10,rax + mov rax,QWORD PTR[8+rsi] + adc rdx,0 + mov r13,rdx + + lea r15,QWORD PTR[1+r15] + jmp $L$1st_enter + +ALIGN 16 +$L$1st:: + add r13,rax + mov rax,QWORD PTR[r15*8+rsi] + adc rdx,0 + add r13,r11 + mov r11,r10 + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],r13 + mov r13,rdx + +$L$1st_enter:: + mul rbx + add r11,rax + mov rax,QWORD PTR[r15*8+rcx] + adc rdx,0 + lea r15,QWORD PTR[1+r15] + mov r10,rdx + + mul rbp + cmp r15,r9 + jl $L$1st + + add r13,rax + mov rax,QWORD PTR[rsi] + adc rdx,0 + add r13,r11 + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],r13 + mov r13,rdx + mov r11,r10 + + xor rdx,rdx + add r13,r11 + adc rdx,0 + mov QWORD PTR[((-8))+r9*8+rsp],r13 + mov QWORD PTR[r9*8+rsp],rdx + + lea r14,QWORD PTR[1+r14] + jmp $L$outer +ALIGN 16 +$L$outer:: + lea rdx,QWORD PTR[((24+128))+r9*8+rsp] + and rdx,-16 + pxor xmm4,xmm4 + pxor xmm5,xmm5 + movdqa xmm0,XMMWORD PTR[((-128))+r12] + movdqa xmm1,XMMWORD PTR[((-112))+r12] + movdqa xmm2,XMMWORD PTR[((-96))+r12] + movdqa xmm3,XMMWORD PTR[((-80))+r12] + pand xmm0,XMMWORD PTR[((-128))+rdx] + pand xmm1,XMMWORD PTR[((-112))+rdx] + por xmm4,xmm0 + pand xmm2,XMMWORD PTR[((-96))+rdx] + por xmm5,xmm1 + pand xmm3,XMMWORD PTR[((-80))+rdx] + por xmm4,xmm2 + por xmm5,xmm3 + movdqa xmm0,XMMWORD PTR[((-64))+r12] + movdqa xmm1,XMMWORD PTR[((-48))+r12] + movdqa xmm2,XMMWORD PTR[((-32))+r12] + movdqa xmm3,XMMWORD PTR[((-16))+r12] + pand xmm0,XMMWORD PTR[((-64))+rdx] + pand xmm1,XMMWORD PTR[((-48))+rdx] + por xmm4,xmm0 + pand xmm2,XMMWORD PTR[((-32))+rdx] + por xmm5,xmm1 + pand xmm3,XMMWORD PTR[((-16))+rdx] + por xmm4,xmm2 + por xmm5,xmm3 + movdqa xmm0,XMMWORD PTR[r12] + movdqa xmm1,XMMWORD PTR[16+r12] + movdqa 
xmm2,XMMWORD PTR[32+r12] + movdqa xmm3,XMMWORD PTR[48+r12] + pand xmm0,XMMWORD PTR[rdx] + pand xmm1,XMMWORD PTR[16+rdx] + por xmm4,xmm0 + pand xmm2,XMMWORD PTR[32+rdx] + por xmm5,xmm1 + pand xmm3,XMMWORD PTR[48+rdx] + por xmm4,xmm2 + por xmm5,xmm3 + movdqa xmm0,XMMWORD PTR[64+r12] + movdqa xmm1,XMMWORD PTR[80+r12] + movdqa xmm2,XMMWORD PTR[96+r12] + movdqa xmm3,XMMWORD PTR[112+r12] + pand xmm0,XMMWORD PTR[64+rdx] + pand xmm1,XMMWORD PTR[80+rdx] + por xmm4,xmm0 + pand xmm2,XMMWORD PTR[96+rdx] + por xmm5,xmm1 + pand xmm3,XMMWORD PTR[112+rdx] + por xmm4,xmm2 + por xmm5,xmm3 + por xmm4,xmm5 + pshufd xmm0,xmm4,04eh + por xmm0,xmm4 + lea r12,QWORD PTR[256+r12] + movd rbx,xmm0 + + xor r15,r15 + mov rbp,r8 + mov r10,QWORD PTR[rsp] + + mul rbx + add r10,rax + mov rax,QWORD PTR[rcx] + adc rdx,0 + + imul rbp,r10 + mov r11,rdx + + mul rbp + add r10,rax + mov rax,QWORD PTR[8+rsi] + adc rdx,0 + mov r10,QWORD PTR[8+rsp] + mov r13,rdx + + lea r15,QWORD PTR[1+r15] + jmp $L$inner_enter + +ALIGN 16 +$L$inner:: + add r13,rax + mov rax,QWORD PTR[r15*8+rsi] + adc rdx,0 + add r13,r10 + mov r10,QWORD PTR[r15*8+rsp] + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],r13 + mov r13,rdx + +$L$inner_enter:: + mul rbx + add r11,rax + mov rax,QWORD PTR[r15*8+rcx] + adc rdx,0 + add r10,r11 + mov r11,rdx + adc r11,0 + lea r15,QWORD PTR[1+r15] + + mul rbp + cmp r15,r9 + jl $L$inner + + add r13,rax + mov rax,QWORD PTR[rsi] + adc rdx,0 + add r13,r10 + mov r10,QWORD PTR[r15*8+rsp] + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],r13 + mov r13,rdx + + xor rdx,rdx + add r13,r11 + adc rdx,0 + add r13,r10 + adc rdx,0 + mov QWORD PTR[((-8))+r9*8+rsp],r13 + mov QWORD PTR[r9*8+rsp],rdx + + lea r14,QWORD PTR[1+r14] + cmp r14,r9 + jl $L$outer + + xor r14,r14 + mov rax,QWORD PTR[rsp] + lea rsi,QWORD PTR[rsp] + mov r15,r9 + jmp $L$sub +ALIGN 16 +$L$sub:: sbb rax,QWORD PTR[r14*8+rcx] + mov QWORD PTR[r14*8+rdi],rax + mov rax,QWORD PTR[8+r14*8+rsi] + lea r14,QWORD PTR[1+r14] + dec r15 + jnz $L$sub + + sbb rax,0 + xor 
r14,r14 + and rsi,rax + not rax + mov rcx,rdi + and rcx,rax + mov r15,r9 + or rsi,rcx +ALIGN 16 +$L$copy:: + mov rax,QWORD PTR[r14*8+rsi] + mov QWORD PTR[r14*8+rsp],r14 + mov QWORD PTR[r14*8+rdi],rax + lea r14,QWORD PTR[1+r14] + sub r15,1 + jnz $L$copy + + mov rsi,QWORD PTR[8+r9*8+rsp] + mov rax,1 + + mov r15,QWORD PTR[rsi] + mov r14,QWORD PTR[8+rsi] + mov r13,QWORD PTR[16+rsi] + mov r12,QWORD PTR[24+rsi] + mov rbp,QWORD PTR[32+rsi] + mov rbx,QWORD PTR[40+rsi] + lea rsp,QWORD PTR[48+rsi] +$L$mul_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_bn_mul_mont_gather5:: +bn_mul_mont_gather5 ENDP + +ALIGN 16 +bn_mul4x_mont_gather5 PROC PRIVATE + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_bn_mul4x_mont_gather5:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + +$L$mul4x_enter:: + mov r9d,r9d + movd xmm5,DWORD PTR[56+rsp] + lea r10,QWORD PTR[$L$inc] + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + +$L$mul4x_alloca:: + mov rax,rsp + lea r11,QWORD PTR[4+r9] + neg r11 + lea rsp,QWORD PTR[((-256))+r11*8+rsp] + and rsp,-1024 + + mov QWORD PTR[8+r9*8+rsp],rax +$L$mul4x_body:: + mov QWORD PTR[16+r9*8+rsp],rdi + lea r12,QWORD PTR[128+rdx] + movdqa xmm0,XMMWORD PTR[r10] + movdqa xmm1,XMMWORD PTR[16+r10] + lea r10,QWORD PTR[((32-112))+r9*8+rsp] + + pshufd xmm5,xmm5,0 + movdqa xmm4,xmm1 +DB 067h,067h + movdqa xmm2,xmm1 + paddd xmm1,xmm0 + pcmpeqd xmm0,xmm5 +DB 067h + movdqa xmm3,xmm4 + paddd xmm2,xmm1 + pcmpeqd xmm1,xmm5 + movdqa XMMWORD PTR[112+r10],xmm0 + movdqa xmm0,xmm4 + + paddd xmm3,xmm2 + pcmpeqd xmm2,xmm5 + movdqa XMMWORD PTR[128+r10],xmm1 + movdqa xmm1,xmm4 + + paddd xmm0,xmm3 + pcmpeqd xmm3,xmm5 + movdqa XMMWORD PTR[144+r10],xmm2 + movdqa xmm2,xmm4 + + paddd xmm1,xmm0 + pcmpeqd xmm0,xmm5 + movdqa XMMWORD PTR[160+r10],xmm3 + movdqa xmm3,xmm4 + paddd xmm2,xmm1 + pcmpeqd 
xmm1,xmm5 + movdqa XMMWORD PTR[176+r10],xmm0 + movdqa xmm0,xmm4 + + paddd xmm3,xmm2 + pcmpeqd xmm2,xmm5 + movdqa XMMWORD PTR[192+r10],xmm1 + movdqa xmm1,xmm4 + + paddd xmm0,xmm3 + pcmpeqd xmm3,xmm5 + movdqa XMMWORD PTR[208+r10],xmm2 + movdqa xmm2,xmm4 + + paddd xmm1,xmm0 + pcmpeqd xmm0,xmm5 + movdqa XMMWORD PTR[224+r10],xmm3 + movdqa xmm3,xmm4 + paddd xmm2,xmm1 + pcmpeqd xmm1,xmm5 + movdqa XMMWORD PTR[240+r10],xmm0 + movdqa xmm0,xmm4 + + paddd xmm3,xmm2 + pcmpeqd xmm2,xmm5 + movdqa XMMWORD PTR[256+r10],xmm1 + movdqa xmm1,xmm4 + + paddd xmm0,xmm3 + pcmpeqd xmm3,xmm5 + movdqa XMMWORD PTR[272+r10],xmm2 + movdqa xmm2,xmm4 + + paddd xmm1,xmm0 + pcmpeqd xmm0,xmm5 + movdqa XMMWORD PTR[288+r10],xmm3 + movdqa xmm3,xmm4 + paddd xmm2,xmm1 + pcmpeqd xmm1,xmm5 + movdqa XMMWORD PTR[304+r10],xmm0 + + paddd xmm3,xmm2 +DB 067h + pcmpeqd xmm2,xmm5 + movdqa XMMWORD PTR[320+r10],xmm1 + + pcmpeqd xmm3,xmm5 + movdqa XMMWORD PTR[336+r10],xmm2 + pand xmm0,XMMWORD PTR[64+r12] + + pand xmm1,XMMWORD PTR[80+r12] + pand xmm2,XMMWORD PTR[96+r12] + movdqa XMMWORD PTR[352+r10],xmm3 + pand xmm3,XMMWORD PTR[112+r12] + por xmm0,xmm2 + por xmm1,xmm3 + movdqa xmm4,XMMWORD PTR[((-128))+r12] + movdqa xmm5,XMMWORD PTR[((-112))+r12] + movdqa xmm2,XMMWORD PTR[((-96))+r12] + pand xmm4,XMMWORD PTR[112+r10] + movdqa xmm3,XMMWORD PTR[((-80))+r12] + pand xmm5,XMMWORD PTR[128+r10] + por xmm0,xmm4 + pand xmm2,XMMWORD PTR[144+r10] + por xmm1,xmm5 + pand xmm3,XMMWORD PTR[160+r10] + por xmm0,xmm2 + por xmm1,xmm3 + movdqa xmm4,XMMWORD PTR[((-64))+r12] + movdqa xmm5,XMMWORD PTR[((-48))+r12] + movdqa xmm2,XMMWORD PTR[((-32))+r12] + pand xmm4,XMMWORD PTR[176+r10] + movdqa xmm3,XMMWORD PTR[((-16))+r12] + pand xmm5,XMMWORD PTR[192+r10] + por xmm0,xmm4 + pand xmm2,XMMWORD PTR[208+r10] + por xmm1,xmm5 + pand xmm3,XMMWORD PTR[224+r10] + por xmm0,xmm2 + por xmm1,xmm3 + movdqa xmm4,XMMWORD PTR[r12] + movdqa xmm5,XMMWORD PTR[16+r12] + movdqa xmm2,XMMWORD PTR[32+r12] + pand xmm4,XMMWORD PTR[240+r10] + movdqa xmm3,XMMWORD 
PTR[48+r12] + pand xmm5,XMMWORD PTR[256+r10] + por xmm0,xmm4 + pand xmm2,XMMWORD PTR[272+r10] + por xmm1,xmm5 + pand xmm3,XMMWORD PTR[288+r10] + por xmm0,xmm2 + por xmm1,xmm3 + por xmm0,xmm1 + pshufd xmm1,xmm0,04eh + por xmm0,xmm1 + lea r12,QWORD PTR[256+r12] + movd rbx,xmm0 + + mov r8,QWORD PTR[r8] + mov rax,QWORD PTR[rsi] + + xor r14,r14 + xor r15,r15 + + mov rbp,r8 + mul rbx + mov r10,rax + mov rax,QWORD PTR[rcx] + + imul rbp,r10 + mov r11,rdx + + mul rbp + add r10,rax + mov rax,QWORD PTR[8+rsi] + adc rdx,0 + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[8+rcx] + adc rdx,0 + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[16+rsi] + adc rdx,0 + add rdi,r11 + lea r15,QWORD PTR[4+r15] + adc rdx,0 + mov QWORD PTR[rsp],rdi + mov r13,rdx + jmp $L$1st4x +ALIGN 16 +$L$1st4x:: + mul rbx + add r10,rax + mov rax,QWORD PTR[((-16))+r15*8+rcx] + adc rdx,0 + mov r11,rdx + + mul rbp + add r13,rax + mov rax,QWORD PTR[((-8))+r15*8+rsi] + adc rdx,0 + add r13,r10 + adc rdx,0 + mov QWORD PTR[((-24))+r15*8+rsp],r13 + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[((-8))+r15*8+rcx] + adc rdx,0 + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[r15*8+rsi] + adc rdx,0 + add rdi,r11 + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],rdi + mov r13,rdx + + mul rbx + add r10,rax + mov rax,QWORD PTR[r15*8+rcx] + adc rdx,0 + mov r11,rdx + + mul rbp + add r13,rax + mov rax,QWORD PTR[8+r15*8+rsi] + adc rdx,0 + add r13,r10 + adc rdx,0 + mov QWORD PTR[((-8))+r15*8+rsp],r13 + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[8+r15*8+rcx] + adc rdx,0 + lea r15,QWORD PTR[4+r15] + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[((-16))+r15*8+rsi] + adc rdx,0 + add rdi,r11 + adc rdx,0 + mov QWORD PTR[((-32))+r15*8+rsp],rdi + mov r13,rdx + cmp r15,r9 + jl $L$1st4x + + mul rbx + add r10,rax + mov rax,QWORD PTR[((-16))+r15*8+rcx] + adc rdx,0 + mov r11,rdx + + mul rbp + add r13,rax + mov rax,QWORD PTR[((-8))+r15*8+rsi] + adc rdx,0 + add r13,r10 + adc 
rdx,0 + mov QWORD PTR[((-24))+r15*8+rsp],r13 + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[((-8))+r15*8+rcx] + adc rdx,0 + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[rsi] + adc rdx,0 + add rdi,r11 + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],rdi + mov r13,rdx + + xor rdi,rdi + add r13,r10 + adc rdi,0 + mov QWORD PTR[((-8))+r15*8+rsp],r13 + mov QWORD PTR[r15*8+rsp],rdi + + lea r14,QWORD PTR[1+r14] +ALIGN 4 +$L$outer4x:: + lea rdx,QWORD PTR[((32+128))+r9*8+rsp] + pxor xmm4,xmm4 + pxor xmm5,xmm5 + movdqa xmm0,XMMWORD PTR[((-128))+r12] + movdqa xmm1,XMMWORD PTR[((-112))+r12] + movdqa xmm2,XMMWORD PTR[((-96))+r12] + movdqa xmm3,XMMWORD PTR[((-80))+r12] + pand xmm0,XMMWORD PTR[((-128))+rdx] + pand xmm1,XMMWORD PTR[((-112))+rdx] + por xmm4,xmm0 + pand xmm2,XMMWORD PTR[((-96))+rdx] + por xmm5,xmm1 + pand xmm3,XMMWORD PTR[((-80))+rdx] + por xmm4,xmm2 + por xmm5,xmm3 + movdqa xmm0,XMMWORD PTR[((-64))+r12] + movdqa xmm1,XMMWORD PTR[((-48))+r12] + movdqa xmm2,XMMWORD PTR[((-32))+r12] + movdqa xmm3,XMMWORD PTR[((-16))+r12] + pand xmm0,XMMWORD PTR[((-64))+rdx] + pand xmm1,XMMWORD PTR[((-48))+rdx] + por xmm4,xmm0 + pand xmm2,XMMWORD PTR[((-32))+rdx] + por xmm5,xmm1 + pand xmm3,XMMWORD PTR[((-16))+rdx] + por xmm4,xmm2 + por xmm5,xmm3 + movdqa xmm0,XMMWORD PTR[r12] + movdqa xmm1,XMMWORD PTR[16+r12] + movdqa xmm2,XMMWORD PTR[32+r12] + movdqa xmm3,XMMWORD PTR[48+r12] + pand xmm0,XMMWORD PTR[rdx] + pand xmm1,XMMWORD PTR[16+rdx] + por xmm4,xmm0 + pand xmm2,XMMWORD PTR[32+rdx] + por xmm5,xmm1 + pand xmm3,XMMWORD PTR[48+rdx] + por xmm4,xmm2 + por xmm5,xmm3 + movdqa xmm0,XMMWORD PTR[64+r12] + movdqa xmm1,XMMWORD PTR[80+r12] + movdqa xmm2,XMMWORD PTR[96+r12] + movdqa xmm3,XMMWORD PTR[112+r12] + pand xmm0,XMMWORD PTR[64+rdx] + pand xmm1,XMMWORD PTR[80+rdx] + por xmm4,xmm0 + pand xmm2,XMMWORD PTR[96+rdx] + por xmm5,xmm1 + pand xmm3,XMMWORD PTR[112+rdx] + por xmm4,xmm2 + por xmm5,xmm3 + por xmm4,xmm5 + pshufd xmm0,xmm4,04eh + por xmm0,xmm4 + lea r12,QWORD 
PTR[256+r12] + movd rbx,xmm0 + + xor r15,r15 + + mov r10,QWORD PTR[rsp] + mov rbp,r8 + mul rbx + add r10,rax + mov rax,QWORD PTR[rcx] + adc rdx,0 + + imul rbp,r10 + mov r11,rdx + + mul rbp + add r10,rax + mov rax,QWORD PTR[8+rsi] + adc rdx,0 + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[8+rcx] + adc rdx,0 + add r11,QWORD PTR[8+rsp] + adc rdx,0 + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[16+rsi] + adc rdx,0 + add rdi,r11 + lea r15,QWORD PTR[4+r15] + adc rdx,0 + mov r13,rdx + jmp $L$inner4x +ALIGN 16 +$L$inner4x:: + mul rbx + add r10,rax + mov rax,QWORD PTR[((-16))+r15*8+rcx] + adc rdx,0 + add r10,QWORD PTR[((-16))+r15*8+rsp] + adc rdx,0 + mov r11,rdx + + mul rbp + add r13,rax + mov rax,QWORD PTR[((-8))+r15*8+rsi] + adc rdx,0 + add r13,r10 + adc rdx,0 + mov QWORD PTR[((-32))+r15*8+rsp],rdi + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[((-8))+r15*8+rcx] + adc rdx,0 + add r11,QWORD PTR[((-8))+r15*8+rsp] + adc rdx,0 + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[r15*8+rsi] + adc rdx,0 + add rdi,r11 + adc rdx,0 + mov QWORD PTR[((-24))+r15*8+rsp],r13 + mov r13,rdx + + mul rbx + add r10,rax + mov rax,QWORD PTR[r15*8+rcx] + adc rdx,0 + add r10,QWORD PTR[r15*8+rsp] + adc rdx,0 + mov r11,rdx + + mul rbp + add r13,rax + mov rax,QWORD PTR[8+r15*8+rsi] + adc rdx,0 + add r13,r10 + adc rdx,0 + mov QWORD PTR[((-16))+r15*8+rsp],rdi + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[8+r15*8+rcx] + adc rdx,0 + add r11,QWORD PTR[8+r15*8+rsp] + adc rdx,0 + lea r15,QWORD PTR[4+r15] + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[((-16))+r15*8+rsi] + adc rdx,0 + add rdi,r11 + adc rdx,0 + mov QWORD PTR[((-40))+r15*8+rsp],r13 + mov r13,rdx + cmp r15,r9 + jl $L$inner4x + + mul rbx + add r10,rax + mov rax,QWORD PTR[((-16))+r15*8+rcx] + adc rdx,0 + add r10,QWORD PTR[((-16))+r15*8+rsp] + adc rdx,0 + mov r11,rdx + + mul rbp + add r13,rax + mov rax,QWORD PTR[((-8))+r15*8+rsi] + adc rdx,0 + add r13,r10 + adc rdx,0 + mov 
QWORD PTR[((-32))+r15*8+rsp],rdi + mov rdi,rdx + + mul rbx + add r11,rax + mov rax,QWORD PTR[((-8))+r15*8+rcx] + adc rdx,0 + add r11,QWORD PTR[((-8))+r15*8+rsp] + adc rdx,0 + lea r14,QWORD PTR[1+r14] + mov r10,rdx + + mul rbp + add rdi,rax + mov rax,QWORD PTR[rsi] + adc rdx,0 + add rdi,r11 + adc rdx,0 + mov QWORD PTR[((-24))+r15*8+rsp],r13 + mov r13,rdx + + mov QWORD PTR[((-16))+r15*8+rsp],rdi + + xor rdi,rdi + add r13,r10 + adc rdi,0 + add r13,QWORD PTR[r9*8+rsp] + adc rdi,0 + mov QWORD PTR[((-8))+r15*8+rsp],r13 + mov QWORD PTR[r15*8+rsp],rdi + + cmp r14,r9 + jl $L$outer4x + mov rdi,QWORD PTR[16+r9*8+rsp] + mov rax,QWORD PTR[rsp] + pxor xmm0,xmm0 + mov rdx,QWORD PTR[8+rsp] + shr r9,2 + lea rsi,QWORD PTR[rsp] + xor r14,r14 + + sub rax,QWORD PTR[rcx] + mov rbx,QWORD PTR[16+rsi] + mov rbp,QWORD PTR[24+rsi] + sbb rdx,QWORD PTR[8+rcx] + lea r15,QWORD PTR[((-1))+r9] + jmp $L$sub4x +ALIGN 16 +$L$sub4x:: + mov QWORD PTR[r14*8+rdi],rax + mov QWORD PTR[8+r14*8+rdi],rdx + sbb rbx,QWORD PTR[16+r14*8+rcx] + mov rax,QWORD PTR[32+r14*8+rsi] + mov rdx,QWORD PTR[40+r14*8+rsi] + sbb rbp,QWORD PTR[24+r14*8+rcx] + mov QWORD PTR[16+r14*8+rdi],rbx + mov QWORD PTR[24+r14*8+rdi],rbp + sbb rax,QWORD PTR[32+r14*8+rcx] + mov rbx,QWORD PTR[48+r14*8+rsi] + mov rbp,QWORD PTR[56+r14*8+rsi] + sbb rdx,QWORD PTR[40+r14*8+rcx] + lea r14,QWORD PTR[4+r14] + dec r15 + jnz $L$sub4x + + mov QWORD PTR[r14*8+rdi],rax + mov rax,QWORD PTR[32+r14*8+rsi] + sbb rbx,QWORD PTR[16+r14*8+rcx] + mov QWORD PTR[8+r14*8+rdi],rdx + sbb rbp,QWORD PTR[24+r14*8+rcx] + mov QWORD PTR[16+r14*8+rdi],rbx + + sbb rax,0 + mov QWORD PTR[24+r14*8+rdi],rbp + xor r14,r14 + and rsi,rax + not rax + mov rcx,rdi + and rcx,rax + lea r15,QWORD PTR[((-1))+r9] + or rsi,rcx + + movdqu xmm1,XMMWORD PTR[rsi] + movdqa XMMWORD PTR[rsp],xmm0 + movdqu XMMWORD PTR[rdi],xmm1 + jmp $L$copy4x +ALIGN 16 +$L$copy4x:: + movdqu xmm2,XMMWORD PTR[16+r14*1+rsi] + movdqu xmm1,XMMWORD PTR[32+r14*1+rsi] + movdqa XMMWORD PTR[16+r14*1+rsp],xmm0 + movdqu XMMWORD 
PTR[16+r14*1+rdi],xmm2 + movdqa XMMWORD PTR[32+r14*1+rsp],xmm0 + movdqu XMMWORD PTR[32+r14*1+rdi],xmm1 + lea r14,QWORD PTR[32+r14] + dec r15 + jnz $L$copy4x + + shl r9,2 + movdqu xmm2,XMMWORD PTR[16+r14*1+rsi] + movdqa XMMWORD PTR[16+r14*1+rsp],xmm0 + movdqu XMMWORD PTR[16+r14*1+rdi],xmm2 + mov rsi,QWORD PTR[8+r9*8+rsp] + mov rax,1 + + mov r15,QWORD PTR[rsi] + mov r14,QWORD PTR[8+rsi] + mov r13,QWORD PTR[16+rsi] + mov r12,QWORD PTR[24+rsi] + mov rbp,QWORD PTR[32+rsi] + mov rbx,QWORD PTR[40+rsi] + lea rsp,QWORD PTR[48+rsi] +$L$mul4x_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_bn_mul4x_mont_gather5:: +bn_mul4x_mont_gather5 ENDP +PUBLIC bn_scatter5 + +ALIGN 16 +bn_scatter5 PROC PUBLIC + cmp rdx,0 + jz $L$scatter_epilogue + lea r8,QWORD PTR[r9*8+r8] +$L$scatter:: + mov rax,QWORD PTR[rcx] + lea rcx,QWORD PTR[8+rcx] + mov QWORD PTR[r8],rax + lea r8,QWORD PTR[256+r8] + sub rdx,1 + jnz $L$scatter +$L$scatter_epilogue:: + DB 0F3h,0C3h ;repret +bn_scatter5 ENDP + +PUBLIC bn_gather5 + +ALIGN 16 +bn_gather5 PROC PUBLIC +$L$SEH_begin_bn_gather5:: + +DB 04ch,08dh,014h,024h +DB 048h,081h,0ech,008h,001h,000h,000h + lea rax,QWORD PTR[$L$inc] + and rsp,-16 + + movd xmm5,r9d + movdqa xmm0,XMMWORD PTR[rax] + movdqa xmm1,XMMWORD PTR[16+rax] + lea r11,QWORD PTR[128+r8] + lea rax,QWORD PTR[128+rsp] + + pshufd xmm5,xmm5,0 + movdqa xmm4,xmm1 + movdqa xmm2,xmm1 + paddd xmm1,xmm0 + pcmpeqd xmm0,xmm5 + movdqa xmm3,xmm4 + + paddd xmm2,xmm1 + pcmpeqd xmm1,xmm5 + movdqa XMMWORD PTR[(-128)+rax],xmm0 + movdqa xmm0,xmm4 + + paddd xmm3,xmm2 + pcmpeqd xmm2,xmm5 + movdqa XMMWORD PTR[(-112)+rax],xmm1 + movdqa xmm1,xmm4 + + paddd xmm0,xmm3 + pcmpeqd xmm3,xmm5 + movdqa XMMWORD PTR[(-96)+rax],xmm2 + movdqa xmm2,xmm4 + paddd xmm1,xmm0 + pcmpeqd xmm0,xmm5 + movdqa XMMWORD PTR[(-80)+rax],xmm3 + movdqa xmm3,xmm4 + + paddd xmm2,xmm1 + pcmpeqd xmm1,xmm5 + movdqa XMMWORD PTR[(-64)+rax],xmm0 + movdqa xmm0,xmm4 + + paddd xmm3,xmm2 + pcmpeqd 
xmm2,xmm5 + movdqa XMMWORD PTR[(-48)+rax],xmm1 + movdqa xmm1,xmm4 + + paddd xmm0,xmm3 + pcmpeqd xmm3,xmm5 + movdqa XMMWORD PTR[(-32)+rax],xmm2 + movdqa xmm2,xmm4 + paddd xmm1,xmm0 + pcmpeqd xmm0,xmm5 + movdqa XMMWORD PTR[(-16)+rax],xmm3 + movdqa xmm3,xmm4 + + paddd xmm2,xmm1 + pcmpeqd xmm1,xmm5 + movdqa XMMWORD PTR[rax],xmm0 + movdqa xmm0,xmm4 + + paddd xmm3,xmm2 + pcmpeqd xmm2,xmm5 + movdqa XMMWORD PTR[16+rax],xmm1 + movdqa xmm1,xmm4 + + paddd xmm0,xmm3 + pcmpeqd xmm3,xmm5 + movdqa XMMWORD PTR[32+rax],xmm2 + movdqa xmm2,xmm4 + paddd xmm1,xmm0 + pcmpeqd xmm0,xmm5 + movdqa XMMWORD PTR[48+rax],xmm3 + movdqa xmm3,xmm4 + + paddd xmm2,xmm1 + pcmpeqd xmm1,xmm5 + movdqa XMMWORD PTR[64+rax],xmm0 + movdqa xmm0,xmm4 + + paddd xmm3,xmm2 + pcmpeqd xmm2,xmm5 + movdqa XMMWORD PTR[80+rax],xmm1 + movdqa xmm1,xmm4 + + paddd xmm0,xmm3 + pcmpeqd xmm3,xmm5 + movdqa XMMWORD PTR[96+rax],xmm2 + movdqa xmm2,xmm4 + movdqa XMMWORD PTR[112+rax],xmm3 + jmp $L$gather + +ALIGN 32 +$L$gather:: + pxor xmm4,xmm4 + pxor xmm5,xmm5 + movdqa xmm0,XMMWORD PTR[((-128))+r11] + movdqa xmm1,XMMWORD PTR[((-112))+r11] + movdqa xmm2,XMMWORD PTR[((-96))+r11] + pand xmm0,XMMWORD PTR[((-128))+rax] + movdqa xmm3,XMMWORD PTR[((-80))+r11] + pand xmm1,XMMWORD PTR[((-112))+rax] + por xmm4,xmm0 + pand xmm2,XMMWORD PTR[((-96))+rax] + por xmm5,xmm1 + pand xmm3,XMMWORD PTR[((-80))+rax] + por xmm4,xmm2 + por xmm5,xmm3 + movdqa xmm0,XMMWORD PTR[((-64))+r11] + movdqa xmm1,XMMWORD PTR[((-48))+r11] + movdqa xmm2,XMMWORD PTR[((-32))+r11] + pand xmm0,XMMWORD PTR[((-64))+rax] + movdqa xmm3,XMMWORD PTR[((-16))+r11] + pand xmm1,XMMWORD PTR[((-48))+rax] + por xmm4,xmm0 + pand xmm2,XMMWORD PTR[((-32))+rax] + por xmm5,xmm1 + pand xmm3,XMMWORD PTR[((-16))+rax] + por xmm4,xmm2 + por xmm5,xmm3 + movdqa xmm0,XMMWORD PTR[r11] + movdqa xmm1,XMMWORD PTR[16+r11] + movdqa xmm2,XMMWORD PTR[32+r11] + pand xmm0,XMMWORD PTR[rax] + movdqa xmm3,XMMWORD PTR[48+r11] + pand xmm1,XMMWORD PTR[16+rax] + por xmm4,xmm0 + pand xmm2,XMMWORD PTR[32+rax] + por 
xmm5,xmm1 + pand xmm3,XMMWORD PTR[48+rax] + por xmm4,xmm2 + por xmm5,xmm3 + movdqa xmm0,XMMWORD PTR[64+r11] + movdqa xmm1,XMMWORD PTR[80+r11] + movdqa xmm2,XMMWORD PTR[96+r11] + pand xmm0,XMMWORD PTR[64+rax] + movdqa xmm3,XMMWORD PTR[112+r11] + pand xmm1,XMMWORD PTR[80+rax] + por xmm4,xmm0 + pand xmm2,XMMWORD PTR[96+rax] + por xmm5,xmm1 + pand xmm3,XMMWORD PTR[112+rax] + por xmm4,xmm2 + por xmm5,xmm3 + por xmm4,xmm5 + lea r11,QWORD PTR[256+r11] + pshufd xmm0,xmm4,04eh + por xmm0,xmm4 + movq QWORD PTR[rcx],xmm0 + lea rcx,QWORD PTR[8+rcx] + sub rdx,1 + jnz $L$gather + + lea rsp,QWORD PTR[r10] + DB 0F3h,0C3h ;repret +$L$SEH_end_bn_gather5:: +bn_gather5 ENDP +ALIGN 64 +$L$inc:: + DD 0,0,1,1 + DD 2,2,2,2 +DB 77,111,110,116,103,111,109,101,114,121,32,77,117,108,116,105 +DB 112,108,105,99,97,116,105,111,110,32,119,105,116,104,32,115 +DB 99,97,116,116,101,114,47,103,97,116,104,101,114,32,102,111 +DB 114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79 +DB 71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111 +DB 112,101,110,115,115,108,46,111,114,103,62,0 +EXTERN __imp_RtlVirtualUnwind:NEAR + +ALIGN 16 +mul_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[120+r8] + mov rbx,QWORD PTR[248+r8] + + mov rsi,QWORD PTR[8+r9] + mov r11,QWORD PTR[56+r9] + + mov r10d,DWORD PTR[r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jb $L$common_seh_tail + + lea rax,QWORD PTR[48+rax] + + mov r10d,DWORD PTR[4+r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jb $L$common_seh_tail + + mov rax,QWORD PTR[152+r8] + + mov r10d,DWORD PTR[8+r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jae $L$common_seh_tail + + mov r10,QWORD PTR[192+r8] + mov rax,QWORD PTR[8+r10*8+rax] + + lea rax,QWORD PTR[48+rax] + + mov rbx,QWORD PTR[((-8))+rax] + mov rbp,QWORD PTR[((-16))+rax] + mov r12,QWORD PTR[((-24))+rax] + mov r13,QWORD PTR[((-32))+rax] + mov r14,QWORD PTR[((-40))+rax] + mov r15,QWORD 
PTR[((-48))+rax] + mov QWORD PTR[144+r8],rbx + mov QWORD PTR[160+r8],rbp + mov QWORD PTR[216+r8],r12 + mov QWORD PTR[224+r8],r13 + mov QWORD PTR[232+r8],r14 + mov QWORD PTR[240+r8],r15 + +$L$common_seh_tail:: + mov rdi,QWORD PTR[8+rax] + mov rsi,QWORD PTR[16+rax] + mov QWORD PTR[152+r8],rax + mov QWORD PTR[168+r8],rsi + mov QWORD PTR[176+r8],rdi + + mov rdi,QWORD PTR[40+r9] + mov rsi,r8 + mov ecx,154 + DD 0a548f3fch + + mov rsi,r9 + xor rcx,rcx + mov rdx,QWORD PTR[8+rsi] + mov r8,QWORD PTR[rsi] + mov r9,QWORD PTR[16+rsi] + mov r10,QWORD PTR[40+rsi] + lea r11,QWORD PTR[56+rsi] + lea r12,QWORD PTR[24+rsi] + mov QWORD PTR[32+rsp],r10 + mov QWORD PTR[40+rsp],r11 + mov QWORD PTR[48+rsp],r12 + mov QWORD PTR[56+rsp],rcx + call QWORD PTR[__imp_RtlVirtualUnwind] + + mov eax,1 + add rsp,64 + popfq + pop r15 + pop r14 + pop r13 + pop r12 + pop rbp + pop rbx + pop rdi + pop rsi + DB 0F3h,0C3h ;repret +mul_handler ENDP + +.text$ ENDS +.pdata SEGMENT READONLY ALIGN(4) +ALIGN 4 + DD imagerel $L$SEH_begin_bn_mul_mont_gather5 + DD imagerel $L$SEH_end_bn_mul_mont_gather5 + DD imagerel $L$SEH_info_bn_mul_mont_gather5 + + DD imagerel $L$SEH_begin_bn_mul4x_mont_gather5 + DD imagerel $L$SEH_end_bn_mul4x_mont_gather5 + DD imagerel $L$SEH_info_bn_mul4x_mont_gather5 + + DD imagerel $L$SEH_begin_bn_gather5 + DD imagerel $L$SEH_end_bn_gather5 + DD imagerel $L$SEH_info_bn_gather5 + +.pdata ENDS +.xdata SEGMENT READONLY ALIGN(8) +ALIGN 8 +$L$SEH_info_bn_mul_mont_gather5:: +DB 9,0,0,0 + DD imagerel mul_handler + DD imagerel $L$mul_alloca,imagerel $L$mul_body,imagerel $L$mul_epilogue +ALIGN 8 +$L$SEH_info_bn_mul4x_mont_gather5:: +DB 9,0,0,0 + DD imagerel mul_handler + DD imagerel $L$mul4x_alloca,imagerel $L$mul4x_body,imagerel $L$mul4x_epilogue +ALIGN 8 +$L$SEH_info_bn_gather5:: +DB 001h,00bh,003h,00ah +DB 00bh,001h,021h,000h +DB 004h,0a3h,000h,000h +ALIGN 8 + +.xdata ENDS +END + 
diff --git a/crypto/camellia/cmll-masm-x86_64.S b/crypto/camellia/cmll-masm-x86_64.S
new file mode 100644
index 0000000..9941bb9
--- /dev/null
+++ b/crypto/camellia/cmll-masm-x86_64.S
@@ -0,0 +1,1966 @@ +; 1 "crypto/camellia/cmll-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/camellia/cmll-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/camellia/cmll-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' + + +PUBLIC Camellia_EncryptBlock + +ALIGN 16 +Camellia_EncryptBlock PROC PUBLIC + mov eax,128 + sub eax,edi + mov edi,3 + adc edi,0 + jmp $L$enc_rounds +Camellia_EncryptBlock ENDP + +PUBLIC Camellia_EncryptBlock_Rounds + +ALIGN 16 +$L$enc_rounds:: +Camellia_EncryptBlock_Rounds PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_Camellia_EncryptBlock_Rounds:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + + + push rbx + push rbp + push r13 + push r14 + push r15 +$L$enc_prologue:: + + + mov r13,rcx + mov r14,rdx + + shl edi,6 + lea rbp,QWORD PTR[$L$Camellia_SBOX] + lea r15,QWORD PTR[rdi*1+r14] + + mov r8d,DWORD PTR[rsi] + mov r9d,DWORD PTR[4+rsi] + mov r10d,DWORD PTR[8+rsi] + bswap r8d + mov r11d,DWORD PTR[12+rsi] + bswap r9d + bswap r10d + bswap r11d + + call _x86_64_Camellia_encrypt + + bswap r8d + bswap r9d + bswap r10d + mov DWORD PTR[r13],r8d + bswap r11d + mov DWORD PTR[4+r13],r9d + mov DWORD PTR[8+r13],r10d + mov DWORD PTR[12+r13],r11d + + mov r15,QWORD PTR[rsp] + mov r14,QWORD PTR[8+rsp] + mov r13,QWORD PTR[16+rsp] + mov rbp,QWORD PTR[24+rsp] + mov rbx,QWORD PTR[32+rsp] + lea rsp,QWORD PTR[40+rsp] +$L$enc_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_Camellia_EncryptBlock_Rounds:: +Camellia_EncryptBlock_Rounds ENDP + + +ALIGN 16 +_x86_64_Camellia_encrypt PROC PRIVATE + xor r9d,DWORD PTR[r14] + xor r8d,DWORD PTR[4+r14] + xor r11d,DWORD PTR[8+r14] + xor r10d,DWORD 
PTR[12+r14] +ALIGN 16 +$L$eloop:: + mov ebx,DWORD PTR[16+r14] + mov eax,DWORD PTR[20+r14] + + xor eax,r8d + xor ebx,r9d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[24+r14] + mov eax,DWORD PTR[28+r14] + xor ecx,edx + ror edx,8 + xor r10d,ecx + xor r11d,ecx + xor r11d,edx + xor eax,r10d + xor ebx,r11d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[32+r14] + mov eax,DWORD PTR[36+r14] + xor ecx,edx + ror edx,8 + xor r8d,ecx + xor r9d,ecx + xor r9d,edx + xor eax,r8d + xor ebx,r9d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[40+r14] + mov eax,DWORD PTR[44+r14] + xor ecx,edx + ror edx,8 + xor r10d,ecx + xor r11d,ecx + xor r11d,edx + xor eax,r10d + xor ebx,r11d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD 
PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[48+r14] + mov eax,DWORD PTR[52+r14] + xor ecx,edx + ror edx,8 + xor r8d,ecx + xor r9d,ecx + xor r9d,edx + xor eax,r8d + xor ebx,r9d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[56+r14] + mov eax,DWORD PTR[60+r14] + xor ecx,edx + ror edx,8 + xor r10d,ecx + xor r11d,ecx + xor r11d,edx + xor eax,r10d + xor ebx,r11d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[64+r14] + mov eax,DWORD PTR[68+r14] + xor ecx,edx + ror edx,8 + xor r8d,ecx + xor r9d,ecx + xor r9d,edx + lea r14,QWORD PTR[64+r14] + cmp r14,r15 + mov edx,DWORD PTR[8+r14] + mov ecx,DWORD PTR[12+r14] + je $L$edone + + and eax,r8d + or edx,r11d + rol eax,1 + xor r10d,edx + xor r9d,eax + and ecx,r10d + or ebx,r9d + rol ecx,1 + xor r8d,ebx + xor r11d,ecx + jmp $L$eloop + +ALIGN 16 +$L$edone:: + xor eax,r10d + xor ebx,r11d + xor ecx,r8d + xor edx,r9d + + mov r8d,eax + mov r9d,ebx + mov r10d,ecx + mov r11d,edx + + DB 0F3h,0C3h ;repret +_x86_64_Camellia_encrypt ENDP + + 
+PUBLIC Camellia_DecryptBlock + +ALIGN 16 +Camellia_DecryptBlock PROC PUBLIC + mov eax,128 + sub eax,edi + mov edi,3 + adc edi,0 + jmp $L$dec_rounds +Camellia_DecryptBlock ENDP + +PUBLIC Camellia_DecryptBlock_Rounds + +ALIGN 16 +$L$dec_rounds:: +Camellia_DecryptBlock_Rounds PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_Camellia_DecryptBlock_Rounds:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + + + push rbx + push rbp + push r13 + push r14 + push r15 +$L$dec_prologue:: + + + mov r13,rcx + mov r15,rdx + + shl edi,6 + lea rbp,QWORD PTR[$L$Camellia_SBOX] + lea r14,QWORD PTR[rdi*1+r15] + + mov r8d,DWORD PTR[rsi] + mov r9d,DWORD PTR[4+rsi] + mov r10d,DWORD PTR[8+rsi] + bswap r8d + mov r11d,DWORD PTR[12+rsi] + bswap r9d + bswap r10d + bswap r11d + + call _x86_64_Camellia_decrypt + + bswap r8d + bswap r9d + bswap r10d + mov DWORD PTR[r13],r8d + bswap r11d + mov DWORD PTR[4+r13],r9d + mov DWORD PTR[8+r13],r10d + mov DWORD PTR[12+r13],r11d + + mov r15,QWORD PTR[rsp] + mov r14,QWORD PTR[8+rsp] + mov r13,QWORD PTR[16+rsp] + mov rbp,QWORD PTR[24+rsp] + mov rbx,QWORD PTR[32+rsp] + lea rsp,QWORD PTR[40+rsp] +$L$dec_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_Camellia_DecryptBlock_Rounds:: +Camellia_DecryptBlock_Rounds ENDP + + +ALIGN 16 +_x86_64_Camellia_decrypt PROC PRIVATE + xor r9d,DWORD PTR[r14] + xor r8d,DWORD PTR[4+r14] + xor r11d,DWORD PTR[8+r14] + xor r10d,DWORD PTR[12+r14] +ALIGN 16 +$L$dloop:: + mov ebx,DWORD PTR[((-8))+r14] + mov eax,DWORD PTR[((-4))+r14] + + xor eax,r8d + xor ebx,r9d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx 
edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[((-16))+r14] + mov eax,DWORD PTR[((-12))+r14] + xor ecx,edx + ror edx,8 + xor r10d,ecx + xor r11d,ecx + xor r11d,edx + xor eax,r10d + xor ebx,r11d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[((-24))+r14] + mov eax,DWORD PTR[((-20))+r14] + xor ecx,edx + ror edx,8 + xor r8d,ecx + xor r9d,ecx + xor r9d,edx + xor eax,r8d + xor ebx,r9d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[((-32))+r14] + mov eax,DWORD PTR[((-28))+r14] + xor ecx,edx + ror edx,8 + xor r10d,ecx + xor r11d,ecx + xor r11d,edx + xor eax,r10d + xor ebx,r11d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[((-40))+r14] + mov eax,DWORD PTR[((-36))+r14] + xor ecx,edx + ror edx,8 + xor r8d,ecx + xor r9d,ecx + xor r9d,edx + xor eax,r8d + xor ebx,r9d + movzx 
esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[((-48))+r14] + mov eax,DWORD PTR[((-44))+r14] + xor ecx,edx + ror edx,8 + xor r10d,ecx + xor r11d,ecx + xor r11d,edx + xor eax,r10d + xor ebx,r11d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[((-56))+r14] + mov eax,DWORD PTR[((-52))+r14] + xor ecx,edx + ror edx,8 + xor r8d,ecx + xor r9d,ecx + xor r9d,edx + lea r14,QWORD PTR[((-64))+r14] + cmp r14,r15 + mov edx,DWORD PTR[r14] + mov ecx,DWORD PTR[4+r14] + je $L$ddone + + and eax,r8d + or edx,r11d + rol eax,1 + xor r10d,edx + xor r9d,eax + and ecx,r10d + or ebx,r9d + rol ecx,1 + xor r8d,ebx + xor r11d,ecx + + jmp $L$dloop + +ALIGN 16 +$L$ddone:: + xor ecx,r10d + xor edx,r11d + xor eax,r8d + xor ebx,r9d + + mov r8d,ecx + mov r9d,edx + mov r10d,eax + mov r11d,ebx + + DB 0F3h,0C3h ;repret +_x86_64_Camellia_decrypt ENDP +PUBLIC Camellia_Ekeygen + +ALIGN 16 +Camellia_Ekeygen PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_Camellia_Ekeygen:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + + + push rbx + push rbp + push r13 + push r14 + push r15 +$L$key_prologue:: + + mov r15,rdi + mov r13,rdx + + mov r8d,DWORD PTR[rsi] + mov r9d,DWORD PTR[4+rsi] + mov 
r10d,DWORD PTR[8+rsi] + mov r11d,DWORD PTR[12+rsi] + + bswap r8d + bswap r9d + bswap r10d + bswap r11d + mov DWORD PTR[r13],r9d + mov DWORD PTR[4+r13],r8d + mov DWORD PTR[8+r13],r11d + mov DWORD PTR[12+r13],r10d + cmp r15,128 + je $L$1st128 + + mov r8d,DWORD PTR[16+rsi] + mov r9d,DWORD PTR[20+rsi] + cmp r15,192 + je $L$1st192 + mov r10d,DWORD PTR[24+rsi] + mov r11d,DWORD PTR[28+rsi] + jmp $L$1st256 +$L$1st192:: + mov r10d,r8d + mov r11d,r9d + not r10d + not r11d +$L$1st256:: + bswap r8d + bswap r9d + bswap r10d + bswap r11d + mov DWORD PTR[32+r13],r9d + mov DWORD PTR[36+r13],r8d + mov DWORD PTR[40+r13],r11d + mov DWORD PTR[44+r13],r10d + xor r9d,DWORD PTR[r13] + xor r8d,DWORD PTR[4+r13] + xor r11d,DWORD PTR[8+r13] + xor r10d,DWORD PTR[12+r13] + +$L$1st128:: + lea r14,QWORD PTR[$L$Camellia_SIGMA] + lea rbp,QWORD PTR[$L$Camellia_SBOX] + + mov ebx,DWORD PTR[r14] + mov eax,DWORD PTR[4+r14] + xor eax,r8d + xor ebx,r9d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[8+r14] + mov eax,DWORD PTR[12+r14] + xor ecx,edx + ror edx,8 + xor r10d,ecx + xor r11d,ecx + xor r11d,edx + xor eax,r10d + xor ebx,r11d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[16+r14] + mov eax,DWORD PTR[20+r14] + xor ecx,edx + ror 
edx,8 + xor r8d,ecx + xor r9d,ecx + xor r9d,edx + xor r9d,DWORD PTR[r13] + xor r8d,DWORD PTR[4+r13] + xor r11d,DWORD PTR[8+r13] + xor r10d,DWORD PTR[12+r13] + xor eax,r8d + xor ebx,r9d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[24+r14] + mov eax,DWORD PTR[28+r14] + xor ecx,edx + ror edx,8 + xor r10d,ecx + xor r11d,ecx + xor r11d,edx + xor eax,r10d + xor ebx,r11d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[32+r14] + mov eax,DWORD PTR[36+r14] + xor ecx,edx + ror edx,8 + xor r8d,ecx + xor r9d,ecx + xor r9d,edx + cmp r15,128 + jne $L$2nd256 + + lea r13,QWORD PTR[128+r13] + shl r8,32 + shl r10,32 + or r8,r9 + or r10,r11 + mov rax,QWORD PTR[((-128))+r13] + mov rbx,QWORD PTR[((-120))+r13] + mov QWORD PTR[((-112))+r13],r8 + mov QWORD PTR[((-104))+r13],r10 + mov r11,rax + shl rax,15 + mov r9,rbx + shr r9,49 + shr r11,49 + or rax,r9 + shl rbx,15 + or rbx,r11 + mov QWORD PTR[((-96))+r13],rax + mov QWORD PTR[((-88))+r13],rbx + mov r11,r8 + shl r8,15 + mov r9,r10 + shr r9,49 + shr r11,49 + or r8,r9 + shl r10,15 + or r10,r11 + mov QWORD PTR[((-80))+r13],r8 + mov QWORD PTR[((-72))+r13],r10 + mov r11,r8 + shl r8,15 + mov r9,r10 + shr r9,49 + shr r11,49 + or r8,r9 + shl r10,15 + or r10,r11 + mov QWORD 
PTR[((-64))+r13],r8 + mov QWORD PTR[((-56))+r13],r10 + mov r11,rax + shl rax,30 + mov r9,rbx + shr r9,34 + shr r11,34 + or rax,r9 + shl rbx,30 + or rbx,r11 + mov QWORD PTR[((-48))+r13],rax + mov QWORD PTR[((-40))+r13],rbx + mov r11,r8 + shl r8,15 + mov r9,r10 + shr r9,49 + shr r11,49 + or r8,r9 + shl r10,15 + or r10,r11 + mov QWORD PTR[((-32))+r13],r8 + mov r11,rax + shl rax,15 + mov r9,rbx + shr r9,49 + shr r11,49 + or rax,r9 + shl rbx,15 + or rbx,r11 + mov QWORD PTR[((-24))+r13],rbx + mov r11,r8 + shl r8,15 + mov r9,r10 + shr r9,49 + shr r11,49 + or r8,r9 + shl r10,15 + or r10,r11 + mov QWORD PTR[((-16))+r13],r8 + mov QWORD PTR[((-8))+r13],r10 + mov r11,rax + shl rax,17 + mov r9,rbx + shr r9,47 + shr r11,47 + or rax,r9 + shl rbx,17 + or rbx,r11 + mov QWORD PTR[r13],rax + mov QWORD PTR[8+r13],rbx + mov r11,rax + shl rax,17 + mov r9,rbx + shr r9,47 + shr r11,47 + or rax,r9 + shl rbx,17 + or rbx,r11 + mov QWORD PTR[16+r13],rax + mov QWORD PTR[24+r13],rbx + mov r11,r8 + shl r8,34 + mov r9,r10 + shr r9,30 + shr r11,30 + or r8,r9 + shl r10,34 + or r10,r11 + mov QWORD PTR[32+r13],r8 + mov QWORD PTR[40+r13],r10 + mov r11,rax + shl rax,17 + mov r9,rbx + shr r9,47 + shr r11,47 + or rax,r9 + shl rbx,17 + or rbx,r11 + mov QWORD PTR[48+r13],rax + mov QWORD PTR[56+r13],rbx + mov r11,r8 + shl r8,17 + mov r9,r10 + shr r9,47 + shr r11,47 + or r8,r9 + shl r10,17 + or r10,r11 + mov QWORD PTR[64+r13],r8 + mov QWORD PTR[72+r13],r10 + mov eax,3 + jmp $L$done +ALIGN 16 +$L$2nd256:: + mov DWORD PTR[48+r13],r9d + mov DWORD PTR[52+r13],r8d + mov DWORD PTR[56+r13],r11d + mov DWORD PTR[60+r13],r10d + xor r9d,DWORD PTR[32+r13] + xor r8d,DWORD PTR[36+r13] + xor r11d,DWORD PTR[40+r13] + xor r10d,DWORD PTR[44+r13] + xor eax,r8d + xor ebx,r9d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor 
edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[40+r14] + mov eax,DWORD PTR[44+r14] + xor ecx,edx + ror edx,8 + xor r10d,ecx + xor r11d,ecx + xor r11d,edx + xor eax,r10d + xor ebx,r11d + movzx esi,ah + movzx edi,bl + mov edx,DWORD PTR[2052+rsi*8+rbp] + mov ecx,DWORD PTR[rdi*8+rbp] + movzx esi,al + shr eax,16 + movzx edi,bh + xor edx,DWORD PTR[4+rsi*8+rbp] + shr ebx,16 + xor ecx,DWORD PTR[4+rdi*8+rbp] + movzx esi,ah + movzx edi,bl + xor edx,DWORD PTR[rsi*8+rbp] + xor ecx,DWORD PTR[2052+rdi*8+rbp] + movzx esi,al + movzx edi,bh + xor edx,DWORD PTR[2048+rsi*8+rbp] + xor ecx,DWORD PTR[2048+rdi*8+rbp] + mov ebx,DWORD PTR[48+r14] + mov eax,DWORD PTR[52+r14] + xor ecx,edx + ror edx,8 + xor r8d,ecx + xor r9d,ecx + xor r9d,edx + mov rax,QWORD PTR[r13] + mov rbx,QWORD PTR[8+r13] + mov rcx,QWORD PTR[32+r13] + mov rdx,QWORD PTR[40+r13] + mov r14,QWORD PTR[48+r13] + mov r15,QWORD PTR[56+r13] + lea r13,QWORD PTR[128+r13] + shl r8,32 + shl r10,32 + or r8,r9 + or r10,r11 + mov QWORD PTR[((-112))+r13],r8 + mov QWORD PTR[((-104))+r13],r10 + mov r11,rcx + shl rcx,15 + mov r9,rdx + shr r9,49 + shr r11,49 + or rcx,r9 + shl rdx,15 + or rdx,r11 + mov QWORD PTR[((-96))+r13],rcx + mov QWORD PTR[((-88))+r13],rdx + mov r11,r14 + shl r14,15 + mov r9,r15 + shr r9,49 + shr r11,49 + or r14,r9 + shl r15,15 + or r15,r11 + mov QWORD PTR[((-80))+r13],r14 + mov QWORD PTR[((-72))+r13],r15 + mov r11,rcx + shl rcx,15 + mov r9,rdx + shr r9,49 + shr r11,49 + or rcx,r9 + shl rdx,15 + or rdx,r11 + mov QWORD PTR[((-64))+r13],rcx + mov QWORD PTR[((-56))+r13],rdx + mov r11,r8 + shl r8,30 + mov r9,r10 + shr r9,34 + shr r11,34 + or r8,r9 + shl r10,30 + or r10,r11 + mov QWORD PTR[((-48))+r13],r8 + mov QWORD PTR[((-40))+r13],r10 + mov r11,rax + shl rax,45 + mov r9,rbx + shr r9,19 + shr r11,19 + or rax,r9 + shl rbx,45 + or rbx,r11 + mov QWORD PTR[((-32))+r13],rax + mov QWORD 
PTR[((-24))+r13],rbx + mov r11,r14 + shl r14,30 + mov r9,r15 + shr r9,34 + shr r11,34 + or r14,r9 + shl r15,30 + or r15,r11 + mov QWORD PTR[((-16))+r13],r14 + mov QWORD PTR[((-8))+r13],r15 + mov r11,rax + shl rax,15 + mov r9,rbx + shr r9,49 + shr r11,49 + or rax,r9 + shl rbx,15 + or rbx,r11 + mov QWORD PTR[r13],rax + mov QWORD PTR[8+r13],rbx + mov r11,rcx + shl rcx,30 + mov r9,rdx + shr r9,34 + shr r11,34 + or rcx,r9 + shl rdx,30 + or rdx,r11 + mov QWORD PTR[16+r13],rcx + mov QWORD PTR[24+r13],rdx + mov r11,r8 + shl r8,30 + mov r9,r10 + shr r9,34 + shr r11,34 + or r8,r9 + shl r10,30 + or r10,r11 + mov QWORD PTR[32+r13],r8 + mov QWORD PTR[40+r13],r10 + mov r11,rax + shl rax,17 + mov r9,rbx + shr r9,47 + shr r11,47 + or rax,r9 + shl rbx,17 + or rbx,r11 + mov QWORD PTR[48+r13],rax + mov QWORD PTR[56+r13],rbx + mov r11,r14 + shl r14,32 + mov r9,r15 + shr r9,32 + shr r11,32 + or r14,r9 + shl r15,32 + or r15,r11 + mov QWORD PTR[64+r13],r14 + mov QWORD PTR[72+r13],r15 + mov r11,rcx + shl rcx,34 + mov r9,rdx + shr r9,30 + shr r11,30 + or rcx,r9 + shl rdx,34 + or rdx,r11 + mov QWORD PTR[80+r13],rcx + mov QWORD PTR[88+r13],rdx + mov r11,r14 + shl r14,17 + mov r9,r15 + shr r9,47 + shr r11,47 + or r14,r9 + shl r15,17 + or r15,r11 + mov QWORD PTR[96+r13],r14 + mov QWORD PTR[104+r13],r15 + mov r11,rax + shl rax,34 + mov r9,rbx + shr r9,30 + shr r11,30 + or rax,r9 + shl rbx,34 + or rbx,r11 + mov QWORD PTR[112+r13],rax + mov QWORD PTR[120+r13],rbx + mov r11,r8 + shl r8,51 + mov r9,r10 + shr r9,13 + shr r11,13 + or r8,r9 + shl r10,51 + or r10,r11 + mov QWORD PTR[128+r13],r8 + mov QWORD PTR[136+r13],r10 + mov eax,4 +$L$done:: + mov r15,QWORD PTR[rsp] + mov r14,QWORD PTR[8+rsp] + mov r13,QWORD PTR[16+rsp] + mov rbp,QWORD PTR[24+rsp] + mov rbx,QWORD PTR[32+rsp] + lea rsp,QWORD PTR[40+rsp] +$L$key_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_Camellia_Ekeygen:: +Camellia_Ekeygen ENDP +ALIGN 64 +$L$Camellia_SIGMA:: + 
DD 03bcc908bh,0a09e667fh,04caa73b2h,0b67ae858h + DD 0e94f82beh,0c6ef372fh,0f1d36f1ch,054ff53a5h + DD 0de682d1dh,010e527fah,0b3e6c1fdh,0b05688c2h + DD 0,0,0,0 +$L$Camellia_SBOX:: + DD 070707000h,070700070h + DD 082828200h,02c2c002ch + DD 02c2c2c00h,0b3b300b3h + DD 0ececec00h,0c0c000c0h + DD 0b3b3b300h,0e4e400e4h + DD 027272700h,057570057h + DD 0c0c0c000h,0eaea00eah + DD 0e5e5e500h,0aeae00aeh + DD 0e4e4e400h,023230023h + DD 085858500h,06b6b006bh + DD 057575700h,045450045h + DD 035353500h,0a5a500a5h + DD 0eaeaea00h,0eded00edh + DD 00c0c0c00h,04f4f004fh + DD 0aeaeae00h,01d1d001dh + DD 041414100h,092920092h + DD 023232300h,086860086h + DD 0efefef00h,0afaf00afh + DD 06b6b6b00h,07c7c007ch + DD 093939300h,01f1f001fh + DD 045454500h,03e3e003eh + DD 019191900h,0dcdc00dch + DD 0a5a5a500h,05e5e005eh + DD 021212100h,00b0b000bh + DD 0ededed00h,0a6a600a6h + DD 00e0e0e00h,039390039h + DD 04f4f4f00h,0d5d500d5h + DD 04e4e4e00h,05d5d005dh + DD 01d1d1d00h,0d9d900d9h + DD 065656500h,05a5a005ah + DD 092929200h,051510051h + DD 0bdbdbd00h,06c6c006ch + DD 086868600h,08b8b008bh + DD 0b8b8b800h,09a9a009ah + DD 0afafaf00h,0fbfb00fbh + DD 08f8f8f00h,0b0b000b0h + DD 07c7c7c00h,074740074h + DD 0ebebeb00h,02b2b002bh + DD 01f1f1f00h,0f0f000f0h + DD 0cecece00h,084840084h + DD 03e3e3e00h,0dfdf00dfh + DD 030303000h,0cbcb00cbh + DD 0dcdcdc00h,034340034h + DD 05f5f5f00h,076760076h + DD 05e5e5e00h,06d6d006dh + DD 0c5c5c500h,0a9a900a9h + DD 00b0b0b00h,0d1d100d1h + DD 01a1a1a00h,004040004h + DD 0a6a6a600h,014140014h + DD 0e1e1e100h,03a3a003ah + DD 039393900h,0dede00deh + DD 0cacaca00h,011110011h + DD 0d5d5d500h,032320032h + DD 047474700h,09c9c009ch + DD 05d5d5d00h,053530053h + DD 03d3d3d00h,0f2f200f2h + DD 0d9d9d900h,0fefe00feh + DD 001010100h,0cfcf00cfh + DD 05a5a5a00h,0c3c300c3h + DD 0d6d6d600h,07a7a007ah + DD 051515100h,024240024h + DD 056565600h,0e8e800e8h + DD 06c6c6c00h,060600060h + DD 04d4d4d00h,069690069h + DD 08b8b8b00h,0aaaa00aah + DD 00d0d0d00h,0a0a000a0h + DD 09a9a9a00h,0a1a100a1h + DD 
066666600h,062620062h + DD 0fbfbfb00h,054540054h + DD 0cccccc00h,01e1e001eh + DD 0b0b0b000h,0e0e000e0h + DD 02d2d2d00h,064640064h + DD 074747400h,010100010h + DD 012121200h,000000000h + DD 02b2b2b00h,0a3a300a3h + DD 020202000h,075750075h + DD 0f0f0f000h,08a8a008ah + DD 0b1b1b100h,0e6e600e6h + DD 084848400h,009090009h + DD 099999900h,0dddd00ddh + DD 0dfdfdf00h,087870087h + DD 04c4c4c00h,083830083h + DD 0cbcbcb00h,0cdcd00cdh + DD 0c2c2c200h,090900090h + DD 034343400h,073730073h + DD 07e7e7e00h,0f6f600f6h + DD 076767600h,09d9d009dh + DD 005050500h,0bfbf00bfh + DD 06d6d6d00h,052520052h + DD 0b7b7b700h,0d8d800d8h + DD 0a9a9a900h,0c8c800c8h + DD 031313100h,0c6c600c6h + DD 0d1d1d100h,081810081h + DD 017171700h,06f6f006fh + DD 004040400h,013130013h + DD 0d7d7d700h,063630063h + DD 014141400h,0e9e900e9h + DD 058585800h,0a7a700a7h + DD 03a3a3a00h,09f9f009fh + DD 061616100h,0bcbc00bch + DD 0dedede00h,029290029h + DD 01b1b1b00h,0f9f900f9h + DD 011111100h,02f2f002fh + DD 01c1c1c00h,0b4b400b4h + DD 032323200h,078780078h + DD 00f0f0f00h,006060006h + DD 09c9c9c00h,0e7e700e7h + DD 016161600h,071710071h + DD 053535300h,0d4d400d4h + DD 018181800h,0abab00abh + DD 0f2f2f200h,088880088h + DD 022222200h,08d8d008dh + DD 0fefefe00h,072720072h + DD 044444400h,0b9b900b9h + DD 0cfcfcf00h,0f8f800f8h + DD 0b2b2b200h,0acac00ach + DD 0c3c3c300h,036360036h + DD 0b5b5b500h,02a2a002ah + DD 07a7a7a00h,03c3c003ch + DD 091919100h,0f1f100f1h + DD 024242400h,040400040h + DD 008080800h,0d3d300d3h + DD 0e8e8e800h,0bbbb00bbh + DD 0a8a8a800h,043430043h + DD 060606000h,015150015h + DD 0fcfcfc00h,0adad00adh + DD 069696900h,077770077h + DD 050505000h,080800080h + DD 0aaaaaa00h,082820082h + DD 0d0d0d000h,0ecec00ech + DD 0a0a0a000h,027270027h + DD 07d7d7d00h,0e5e500e5h + DD 0a1a1a100h,085850085h + DD 089898900h,035350035h + DD 062626200h,00c0c000ch + DD 097979700h,041410041h + DD 054545400h,0efef00efh + DD 05b5b5b00h,093930093h + DD 01e1e1e00h,019190019h + DD 095959500h,021210021h + DD 0e0e0e000h,00e0e000eh + DD 
0ffffff00h,04e4e004eh + DD 064646400h,065650065h + DD 0d2d2d200h,0bdbd00bdh + DD 010101000h,0b8b800b8h + DD 0c4c4c400h,08f8f008fh + DD 000000000h,0ebeb00ebh + DD 048484800h,0cece00ceh + DD 0a3a3a300h,030300030h + DD 0f7f7f700h,05f5f005fh + DD 075757500h,0c5c500c5h + DD 0dbdbdb00h,01a1a001ah + DD 08a8a8a00h,0e1e100e1h + DD 003030300h,0caca00cah + DD 0e6e6e600h,047470047h + DD 0dadada00h,03d3d003dh + DD 009090900h,001010001h + DD 03f3f3f00h,0d6d600d6h + DD 0dddddd00h,056560056h + DD 094949400h,04d4d004dh + DD 087878700h,00d0d000dh + DD 05c5c5c00h,066660066h + DD 083838300h,0cccc00cch + DD 002020200h,02d2d002dh + DD 0cdcdcd00h,012120012h + DD 04a4a4a00h,020200020h + DD 090909000h,0b1b100b1h + DD 033333300h,099990099h + DD 073737300h,04c4c004ch + DD 067676700h,0c2c200c2h + DD 0f6f6f600h,07e7e007eh + DD 0f3f3f300h,005050005h + DD 09d9d9d00h,0b7b700b7h + DD 07f7f7f00h,031310031h + DD 0bfbfbf00h,017170017h + DD 0e2e2e200h,0d7d700d7h + DD 052525200h,058580058h + DD 09b9b9b00h,061610061h + DD 0d8d8d800h,01b1b001bh + DD 026262600h,01c1c001ch + DD 0c8c8c800h,00f0f000fh + DD 037373700h,016160016h + DD 0c6c6c600h,018180018h + DD 03b3b3b00h,022220022h + DD 081818100h,044440044h + DD 096969600h,0b2b200b2h + DD 06f6f6f00h,0b5b500b5h + DD 04b4b4b00h,091910091h + DD 013131300h,008080008h + DD 0bebebe00h,0a8a800a8h + DD 063636300h,0fcfc00fch + DD 02e2e2e00h,050500050h + DD 0e9e9e900h,0d0d000d0h + DD 079797900h,07d7d007dh + DD 0a7a7a700h,089890089h + DD 08c8c8c00h,097970097h + DD 09f9f9f00h,05b5b005bh + DD 06e6e6e00h,095950095h + DD 0bcbcbc00h,0ffff00ffh + DD 08e8e8e00h,0d2d200d2h + DD 029292900h,0c4c400c4h + DD 0f5f5f500h,048480048h + DD 0f9f9f900h,0f7f700f7h + DD 0b6b6b600h,0dbdb00dbh + DD 02f2f2f00h,003030003h + DD 0fdfdfd00h,0dada00dah + DD 0b4b4b400h,03f3f003fh + DD 059595900h,094940094h + DD 078787800h,05c5c005ch + DD 098989800h,002020002h + DD 006060600h,04a4a004ah + DD 06a6a6a00h,033330033h + DD 0e7e7e700h,067670067h + DD 046464600h,0f3f300f3h + DD 071717100h,07f7f007fh + DD 
0bababa00h,0e2e200e2h + DD 0d4d4d400h,09b9b009bh + DD 025252500h,026260026h + DD 0ababab00h,037370037h + DD 042424200h,03b3b003bh + DD 088888800h,096960096h + DD 0a2a2a200h,04b4b004bh + DD 08d8d8d00h,0bebe00beh + DD 0fafafa00h,02e2e002eh + DD 072727200h,079790079h + DD 007070700h,08c8c008ch + DD 0b9b9b900h,06e6e006eh + DD 055555500h,08e8e008eh + DD 0f8f8f800h,0f5f500f5h + DD 0eeeeee00h,0b6b600b6h + DD 0acacac00h,0fdfd00fdh + DD 00a0a0a00h,059590059h + DD 036363600h,098980098h + DD 049494900h,06a6a006ah + DD 02a2a2a00h,046460046h + DD 068686800h,0baba00bah + DD 03c3c3c00h,025250025h + DD 038383800h,042420042h + DD 0f1f1f100h,0a2a200a2h + DD 0a4a4a400h,0fafa00fah + DD 040404000h,007070007h + DD 028282800h,055550055h + DD 0d3d3d300h,0eeee00eeh + DD 07b7b7b00h,00a0a000ah + DD 0bbbbbb00h,049490049h + DD 0c9c9c900h,068680068h + DD 043434300h,038380038h + DD 0c1c1c100h,0a4a400a4h + DD 015151500h,028280028h + DD 0e3e3e300h,07b7b007bh + DD 0adadad00h,0c9c900c9h + DD 0f4f4f400h,0c1c100c1h + DD 077777700h,0e3e300e3h + DD 0c7c7c700h,0f4f400f4h + DD 080808000h,0c7c700c7h + DD 09e9e9e00h,09e9e009eh + DD 000e0e0e0h,038003838h + DD 000050505h,041004141h + DD 000585858h,016001616h + DD 000d9d9d9h,076007676h + DD 000676767h,0d900d9d9h + DD 0004e4e4eh,093009393h + DD 000818181h,060006060h + DD 000cbcbcbh,0f200f2f2h + DD 000c9c9c9h,072007272h + DD 0000b0b0bh,0c200c2c2h + DD 000aeaeaeh,0ab00ababh + DD 0006a6a6ah,09a009a9ah + DD 000d5d5d5h,075007575h + DD 000181818h,006000606h + DD 0005d5d5dh,057005757h + DD 000828282h,0a000a0a0h + DD 000464646h,091009191h + DD 000dfdfdfh,0f700f7f7h + DD 000d6d6d6h,0b500b5b5h + DD 000272727h,0c900c9c9h + DD 0008a8a8ah,0a200a2a2h + DD 000323232h,08c008c8ch + DD 0004b4b4bh,0d200d2d2h + DD 000424242h,090009090h + DD 000dbdbdbh,0f600f6f6h + DD 0001c1c1ch,007000707h + DD 0009e9e9eh,0a700a7a7h + DD 0009c9c9ch,027002727h + DD 0003a3a3ah,08e008e8eh + DD 000cacacah,0b200b2b2h + DD 000252525h,049004949h + DD 0007b7b7bh,0de00dedeh + DD 0000d0d0dh,043004343h + DD 
000717171h,05c005c5ch + DD 0005f5f5fh,0d700d7d7h + DD 0001f1f1fh,0c700c7c7h + DD 000f8f8f8h,03e003e3eh + DD 000d7d7d7h,0f500f5f5h + DD 0003e3e3eh,08f008f8fh + DD 0009d9d9dh,067006767h + DD 0007c7c7ch,01f001f1fh + DD 000606060h,018001818h + DD 000b9b9b9h,06e006e6eh + DD 000bebebeh,0af00afafh + DD 000bcbcbch,02f002f2fh + DD 0008b8b8bh,0e200e2e2h + DD 000161616h,085008585h + DD 000343434h,00d000d0dh + DD 0004d4d4dh,053005353h + DD 000c3c3c3h,0f000f0f0h + DD 000727272h,09c009c9ch + DD 000959595h,065006565h + DD 000abababh,0ea00eaeah + DD 0008e8e8eh,0a300a3a3h + DD 000bababah,0ae00aeaeh + DD 0007a7a7ah,09e009e9eh + DD 000b3b3b3h,0ec00ecech + DD 000020202h,080008080h + DD 000b4b4b4h,02d002d2dh + DD 000adadadh,06b006b6bh + DD 000a2a2a2h,0a800a8a8h + DD 000acacach,02b002b2bh + DD 000d8d8d8h,036003636h + DD 0009a9a9ah,0a600a6a6h + DD 000171717h,0c500c5c5h + DD 0001a1a1ah,086008686h + DD 000353535h,04d004d4dh + DD 000cccccch,033003333h + DD 000f7f7f7h,0fd00fdfdh + DD 000999999h,066006666h + DD 000616161h,058005858h + DD 0005a5a5ah,096009696h + DD 000e8e8e8h,03a003a3ah + DD 000242424h,009000909h + DD 000565656h,095009595h + DD 000404040h,010001010h + DD 000e1e1e1h,078007878h + DD 000636363h,0d800d8d8h + DD 000090909h,042004242h + DD 000333333h,0cc00cccch + DD 000bfbfbfh,0ef00efefh + DD 000989898h,026002626h + DD 000979797h,0e500e5e5h + DD 000858585h,061006161h + DD 000686868h,01a001a1ah + DD 000fcfcfch,03f003f3fh + DD 000ececech,03b003b3bh + DD 0000a0a0ah,082008282h + DD 000dadadah,0b600b6b6h + DD 0006f6f6fh,0db00dbdbh + DD 000535353h,0d400d4d4h + DD 000626262h,098009898h + DD 000a3a3a3h,0e800e8e8h + DD 0002e2e2eh,08b008b8bh + DD 000080808h,002000202h + DD 000afafafh,0eb00ebebh + DD 000282828h,00a000a0ah + DD 000b0b0b0h,02c002c2ch + DD 000747474h,01d001d1dh + DD 000c2c2c2h,0b000b0b0h + DD 000bdbdbdh,06f006f6fh + DD 000363636h,08d008d8dh + DD 000222222h,088008888h + DD 000383838h,00e000e0eh + DD 000646464h,019001919h + DD 0001e1e1eh,087008787h + DD 000393939h,04e004e4eh + DD 
0002c2c2ch,00b000b0bh + DD 000a6a6a6h,0a900a9a9h + DD 000303030h,00c000c0ch + DD 000e5e5e5h,079007979h + DD 000444444h,011001111h + DD 000fdfdfdh,07f007f7fh + DD 000888888h,022002222h + DD 0009f9f9fh,0e700e7e7h + DD 000656565h,059005959h + DD 000878787h,0e100e1e1h + DD 0006b6b6bh,0da00dadah + DD 000f4f4f4h,03d003d3dh + DD 000232323h,0c800c8c8h + DD 000484848h,012001212h + DD 000101010h,004000404h + DD 000d1d1d1h,074007474h + DD 000515151h,054005454h + DD 000c0c0c0h,030003030h + DD 000f9f9f9h,07e007e7eh + DD 000d2d2d2h,0b400b4b4h + DD 000a0a0a0h,028002828h + DD 000555555h,055005555h + DD 000a1a1a1h,068006868h + DD 000414141h,050005050h + DD 000fafafah,0be00bebeh + DD 000434343h,0d000d0d0h + DD 000131313h,0c400c4c4h + DD 000c4c4c4h,031003131h + DD 0002f2f2fh,0cb00cbcbh + DD 000a8a8a8h,02a002a2ah + DD 000b6b6b6h,0ad00adadh + DD 0003c3c3ch,00f000f0fh + DD 0002b2b2bh,0ca00cacah + DD 000c1c1c1h,070007070h + DD 000ffffffh,0ff00ffffh + DD 000c8c8c8h,032003232h + DD 000a5a5a5h,069006969h + DD 000202020h,008000808h + DD 000898989h,062006262h + DD 000000000h,000000000h + DD 000909090h,024002424h + DD 000474747h,0d100d1d1h + DD 000efefefh,0fb00fbfbh + DD 000eaeaeah,0ba00babah + DD 000b7b7b7h,0ed00ededh + DD 000151515h,045004545h + DD 000060606h,081008181h + DD 000cdcdcdh,073007373h + DD 000b5b5b5h,06d006d6dh + DD 000121212h,084008484h + DD 0007e7e7eh,09f009f9fh + DD 000bbbbbbh,0ee00eeeeh + DD 000292929h,04a004a4ah + DD 0000f0f0fh,0c300c3c3h + DD 000b8b8b8h,02e002e2eh + DD 000070707h,0c100c1c1h + DD 000040404h,001000101h + DD 0009b9b9bh,0e600e6e6h + DD 000949494h,025002525h + DD 000212121h,048004848h + DD 000666666h,099009999h + DD 000e6e6e6h,0b900b9b9h + DD 000cececeh,0b300b3b3h + DD 000edededh,07b007b7bh + DD 000e7e7e7h,0f900f9f9h + DD 0003b3b3bh,0ce00ceceh + DD 000fefefeh,0bf00bfbfh + DD 0007f7f7fh,0df00dfdfh + DD 000c5c5c5h,071007171h + DD 000a4a4a4h,029002929h + DD 000373737h,0cd00cdcdh + DD 000b1b1b1h,06c006c6ch + DD 0004c4c4ch,013001313h + DD 000919191h,064006464h + DD 
0006e6e6eh,09b009b9bh + DD 0008d8d8dh,063006363h + DD 000767676h,09d009d9dh + DD 000030303h,0c000c0c0h + DD 0002d2d2dh,04b004b4bh + DD 000dededeh,0b700b7b7h + DD 000969696h,0a500a5a5h + DD 000262626h,089008989h + DD 0007d7d7dh,05f005f5fh + DD 000c6c6c6h,0b100b1b1h + DD 0005c5c5ch,017001717h + DD 000d3d3d3h,0f400f4f4h + DD 000f2f2f2h,0bc00bcbch + DD 0004f4f4fh,0d300d3d3h + DD 000191919h,046004646h + DD 0003f3f3fh,0cf00cfcfh + DD 000dcdcdch,037003737h + DD 000797979h,05e005e5eh + DD 0001d1d1dh,047004747h + DD 000525252h,094009494h + DD 000ebebebh,0fa00fafah + DD 000f3f3f3h,0fc00fcfch + DD 0006d6d6dh,05b005b5bh + DD 0005e5e5eh,097009797h + DD 000fbfbfbh,0fe00fefeh + DD 000696969h,05a005a5ah + DD 000b2b2b2h,0ac00acach + DD 000f0f0f0h,03c003c3ch + DD 000313131h,04c004c4ch + DD 0000c0c0ch,003000303h + DD 000d4d4d4h,035003535h + DD 000cfcfcfh,0f300f3f3h + DD 0008c8c8ch,023002323h + DD 000e2e2e2h,0b800b8b8h + DD 000757575h,05d005d5dh + DD 000a9a9a9h,06a006a6ah + DD 0004a4a4ah,092009292h + DD 000575757h,0d500d5d5h + DD 000848484h,021002121h + DD 000111111h,044004444h + DD 000454545h,051005151h + DD 0001b1b1bh,0c600c6c6h + DD 000f5f5f5h,07d007d7dh + DD 000e4e4e4h,039003939h + DD 0000e0e0eh,083008383h + DD 000737373h,0dc00dcdch + DD 000aaaaaah,0aa00aaaah + DD 000f1f1f1h,07c007c7ch + DD 000ddddddh,077007777h + DD 000595959h,056005656h + DD 000141414h,005000505h + DD 0006c6c6ch,01b001b1bh + DD 000929292h,0a400a4a4h + DD 000545454h,015001515h + DD 000d0d0d0h,034003434h + DD 000787878h,01e001e1eh + DD 000707070h,01c001c1ch + DD 000e3e3e3h,0f800f8f8h + DD 000494949h,052005252h + DD 000808080h,020002020h + DD 000505050h,014001414h + DD 000a7a7a7h,0e900e9e9h + DD 000f6f6f6h,0bd00bdbdh + DD 000777777h,0dd00ddddh + DD 000939393h,0e400e4e4h + DD 000868686h,0a100a1a1h + DD 000838383h,0e000e0e0h + DD 0002a2a2ah,08a008a8ah + DD 000c7c7c7h,0f100f1f1h + DD 0005b5b5bh,0d600d6d6h + DD 000e9e9e9h,07a007a7ah + DD 000eeeeeeh,0bb00bbbbh + DD 0008f8f8fh,0e300e3e3h + DD 000010101h,040004040h + DD 
0003d3d3dh,04f004f4fh +PUBLIC Camellia_cbc_encrypt + +ALIGN 16 +Camellia_cbc_encrypt PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_Camellia_cbc_encrypt:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + + cmp rdx,0 + je $L$cbc_abort + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 +$L$cbc_prologue:: + + mov rbp,rsp + sub rsp,64 + and rsp,-64 + + + + lea r10,QWORD PTR[((-64-63))+rcx] + sub r10,rsp + neg r10 + and r10,03C0h + sub rsp,r10 + + + mov r12,rdi + mov r13,rsi + mov rbx,r8 + mov r14,rcx + mov r15d,DWORD PTR[272+rcx] + + mov QWORD PTR[40+rsp],r8 + mov QWORD PTR[48+rsp],rbp + +$L$cbc_body:: + lea rbp,QWORD PTR[$L$Camellia_SBOX] + + mov ecx,32 +ALIGN 4 +$L$cbc_prefetch_sbox:: + mov rax,QWORD PTR[rbp] + mov rsi,QWORD PTR[32+rbp] + mov rdi,QWORD PTR[64+rbp] + mov r11,QWORD PTR[96+rbp] + lea rbp,QWORD PTR[128+rbp] + loop $L$cbc_prefetch_sbox + sub rbp,4096 + shl r15,6 + mov rcx,rdx + lea r15,QWORD PTR[r15*1+r14] + + cmp r9d,0 + je $L$CBC_DECRYPT + + and rdx,-16 + and rcx,15 + lea rdx,QWORD PTR[rdx*1+r12] + mov QWORD PTR[rsp],r14 + mov QWORD PTR[8+rsp],rdx + mov QWORD PTR[16+rsp],rcx + + cmp rdx,r12 + mov r8d,DWORD PTR[rbx] + mov r9d,DWORD PTR[4+rbx] + mov r10d,DWORD PTR[8+rbx] + mov r11d,DWORD PTR[12+rbx] + je $L$cbc_enc_tail + jmp $L$cbc_eloop + +ALIGN 16 +$L$cbc_eloop:: + xor r8d,DWORD PTR[r12] + xor r9d,DWORD PTR[4+r12] + xor r10d,DWORD PTR[8+r12] + bswap r8d + xor r11d,DWORD PTR[12+r12] + bswap r9d + bswap r10d + bswap r11d + + call _x86_64_Camellia_encrypt + + mov r14,QWORD PTR[rsp] + bswap r8d + mov rdx,QWORD PTR[8+rsp] + bswap r9d + mov rcx,QWORD PTR[16+rsp] + bswap r10d + mov DWORD PTR[r13],r8d + bswap r11d + mov DWORD PTR[4+r13],r9d + mov DWORD PTR[8+r13],r10d + lea r12,QWORD PTR[16+r12] + mov DWORD PTR[12+r13],r11d + cmp r12,rdx + lea r13,QWORD PTR[16+r13] + jne $L$cbc_eloop + + cmp rcx,0 + jne $L$cbc_enc_tail + 
+ mov r13,QWORD PTR[40+rsp] + mov DWORD PTR[r13],r8d + mov DWORD PTR[4+r13],r9d + mov DWORD PTR[8+r13],r10d + mov DWORD PTR[12+r13],r11d + jmp $L$cbc_done + +ALIGN 16 +$L$cbc_enc_tail:: + xor rax,rax + mov QWORD PTR[((0+24))+rsp],rax + mov QWORD PTR[((8+24))+rsp],rax + mov QWORD PTR[16+rsp],rax + +$L$cbc_enc_pushf:: + pushfq + cld + mov rsi,r12 + lea rdi,QWORD PTR[((8+24))+rsp] + DD 09066A4F3h + popfq +$L$cbc_enc_popf:: + + lea r12,QWORD PTR[24+rsp] + lea rax,QWORD PTR[((16+24))+rsp] + mov QWORD PTR[8+rsp],rax + jmp $L$cbc_eloop + +ALIGN 16 +$L$CBC_DECRYPT:: + xchg r15,r14 + add rdx,15 + and rcx,15 + and rdx,-16 + mov QWORD PTR[rsp],r14 + lea rdx,QWORD PTR[rdx*1+r12] + mov QWORD PTR[8+rsp],rdx + mov QWORD PTR[16+rsp],rcx + + mov rax,QWORD PTR[rbx] + mov rbx,QWORD PTR[8+rbx] + jmp $L$cbc_dloop +ALIGN 16 +$L$cbc_dloop:: + mov r8d,DWORD PTR[r12] + mov r9d,DWORD PTR[4+r12] + mov r10d,DWORD PTR[8+r12] + bswap r8d + mov r11d,DWORD PTR[12+r12] + bswap r9d + mov QWORD PTR[((0+24))+rsp],rax + bswap r10d + mov QWORD PTR[((8+24))+rsp],rbx + bswap r11d + + call _x86_64_Camellia_decrypt + + mov r14,QWORD PTR[rsp] + mov rdx,QWORD PTR[8+rsp] + mov rcx,QWORD PTR[16+rsp] + + bswap r8d + mov rax,QWORD PTR[r12] + bswap r9d + mov rbx,QWORD PTR[8+r12] + bswap r10d + xor r8d,DWORD PTR[((0+24))+rsp] + bswap r11d + xor r9d,DWORD PTR[((4+24))+rsp] + xor r10d,DWORD PTR[((8+24))+rsp] + lea r12,QWORD PTR[16+r12] + xor r11d,DWORD PTR[((12+24))+rsp] + cmp r12,rdx + je $L$cbc_ddone + + mov DWORD PTR[r13],r8d + mov DWORD PTR[4+r13],r9d + mov DWORD PTR[8+r13],r10d + mov DWORD PTR[12+r13],r11d + + lea r13,QWORD PTR[16+r13] + jmp $L$cbc_dloop + +ALIGN 16 +$L$cbc_ddone:: + mov rdx,QWORD PTR[40+rsp] + cmp rcx,0 + jne $L$cbc_dec_tail + + mov DWORD PTR[r13],r8d + mov DWORD PTR[4+r13],r9d + mov DWORD PTR[8+r13],r10d + mov DWORD PTR[12+r13],r11d + + mov QWORD PTR[rdx],rax + mov QWORD PTR[8+rdx],rbx + jmp $L$cbc_done +ALIGN 16 +$L$cbc_dec_tail:: + mov DWORD PTR[((0+24))+rsp],r8d + mov DWORD 
PTR[((4+24))+rsp],r9d + mov DWORD PTR[((8+24))+rsp],r10d + mov DWORD PTR[((12+24))+rsp],r11d + +$L$cbc_dec_pushf:: + pushfq + cld + lea rsi,QWORD PTR[((8+24))+rsp] + lea rdi,QWORD PTR[r13] + DD 09066A4F3h + popfq +$L$cbc_dec_popf:: + + mov QWORD PTR[rdx],rax + mov QWORD PTR[8+rdx],rbx + jmp $L$cbc_done + +ALIGN 16 +$L$cbc_done:: + mov rcx,QWORD PTR[48+rsp] + mov r15,QWORD PTR[rcx] + mov r14,QWORD PTR[8+rcx] + mov r13,QWORD PTR[16+rcx] + mov r12,QWORD PTR[24+rcx] + mov rbp,QWORD PTR[32+rcx] + mov rbx,QWORD PTR[40+rcx] + lea rsp,QWORD PTR[48+rcx] +$L$cbc_abort:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_Camellia_cbc_encrypt:: +Camellia_cbc_encrypt ENDP + +DB 67,97,109,101,108,108,105,97,32,102,111,114,32,120,56,54 +DB 95,54,52,32,98,121,32,60,97,112,112,114,111,64,111,112 +DB 101,110,115,115,108,46,111,114,103,62,0 + +.text$ ENDS +END + diff --git a/crypto/camellia/cmll-mingw64-x86_64.S b/crypto/camellia/cmll-mingw64-x86_64.S new file mode 100644 index 0000000..75966f4 --- /dev/null +++ b/crypto/camellia/cmll-mingw64-x86_64.S 
@@ -0,0 +1,1884 @@ +#include "x86_arch.h" +.text + + +.globl Camellia_EncryptBlock +.def Camellia_EncryptBlock; .scl 2; .type 32; .endef +.p2align 4 +Camellia_EncryptBlock: + movl $128,%eax + subl %edi,%eax + movl $3,%edi + adcl $0,%edi + jmp .Lenc_rounds + + +.globl Camellia_EncryptBlock_Rounds +.def Camellia_EncryptBlock_Rounds; .scl 2; .type 32; .endef +.p2align 4 +.Lenc_rounds: +Camellia_EncryptBlock_Rounds: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_Camellia_EncryptBlock_Rounds: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + + pushq %rbx + pushq %rbp + pushq %r13 + pushq %r14 + pushq %r15 +.Lenc_prologue: + + + movq %rcx,%r13 + movq %rdx,%r14 + + shll $6,%edi + leaq .LCamellia_SBOX(%rip),%rbp + leaq (%r14,%rdi,1),%r15 + + movl 0(%rsi),%r8d + movl 4(%rsi),%r9d + movl 8(%rsi),%r10d + bswapl %r8d + movl 12(%rsi),%r11d + bswapl %r9d + bswapl %r10d + bswapl %r11d + + call _x86_64_Camellia_encrypt + + bswapl %r8d + bswapl %r9d + bswapl %r10d + movl %r8d,0(%r13) + bswapl %r11d + movl %r9d,4(%r13) + movl %r10d,8(%r13) + movl %r11d,12(%r13) + + movq 0(%rsp),%r15 + movq 8(%rsp),%r14 + movq 16(%rsp),%r13 + movq 24(%rsp),%rbp + movq 32(%rsp),%rbx + leaq 40(%rsp),%rsp +.Lenc_epilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_Camellia_EncryptBlock_Rounds: + +.def _x86_64_Camellia_encrypt; .scl 3; .type 32; .endef +.p2align 4 +_x86_64_Camellia_encrypt: + xorl 0(%r14),%r9d + xorl 4(%r14),%r8d + xorl 8(%r14),%r11d + xorl 12(%r14),%r10d +.p2align 4 +.Leloop: + movl 16(%r14),%ebx + movl 20(%r14),%eax + + xorl %r8d,%eax + xorl %r9d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 
2048(%rbp,%rdi,8),%ecx + movl 24(%r14),%ebx + movl 28(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r10d + xorl %ecx,%r11d + xorl %edx,%r11d + xorl %r10d,%eax + xorl %r11d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl 32(%r14),%ebx + movl 36(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r8d + xorl %ecx,%r9d + xorl %edx,%r9d + xorl %r8d,%eax + xorl %r9d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl 40(%r14),%ebx + movl 44(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r10d + xorl %ecx,%r11d + xorl %edx,%r11d + xorl %r10d,%eax + xorl %r11d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl 48(%r14),%ebx + movl 52(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r8d + xorl %ecx,%r9d + xorl %edx,%r9d + xorl %r8d,%eax + xorl %r9d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl 
$16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl 56(%r14),%ebx + movl 60(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r10d + xorl %ecx,%r11d + xorl %edx,%r11d + xorl %r10d,%eax + xorl %r11d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl 64(%r14),%ebx + movl 68(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r8d + xorl %ecx,%r9d + xorl %edx,%r9d + leaq 64(%r14),%r14 + cmpq %r15,%r14 + movl 8(%r14),%edx + movl 12(%r14),%ecx + je .Ledone + + andl %r8d,%eax + orl %r11d,%edx + roll $1,%eax + xorl %edx,%r10d + xorl %eax,%r9d + andl %r10d,%ecx + orl %r9d,%ebx + roll $1,%ecx + xorl %ebx,%r8d + xorl %ecx,%r11d + jmp .Leloop + +.p2align 4 +.Ledone: + xorl %r10d,%eax + xorl %r11d,%ebx + xorl %r8d,%ecx + xorl %r9d,%edx + + movl %eax,%r8d + movl %ebx,%r9d + movl %ecx,%r10d + movl %edx,%r11d + + retq + + + +.globl Camellia_DecryptBlock +.def Camellia_DecryptBlock; .scl 2; .type 32; .endef +.p2align 4 +Camellia_DecryptBlock: + movl $128,%eax + subl %edi,%eax + movl $3,%edi + adcl $0,%edi + jmp .Ldec_rounds + + +.globl Camellia_DecryptBlock_Rounds +.def Camellia_DecryptBlock_Rounds; .scl 2; .type 32; .endef +.p2align 4 +.Ldec_rounds: +Camellia_DecryptBlock_Rounds: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_Camellia_DecryptBlock_Rounds: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + + pushq %rbx + pushq %rbp + 
pushq %r13 + pushq %r14 + pushq %r15 +.Ldec_prologue: + + + movq %rcx,%r13 + movq %rdx,%r15 + + shll $6,%edi + leaq .LCamellia_SBOX(%rip),%rbp + leaq (%r15,%rdi,1),%r14 + + movl 0(%rsi),%r8d + movl 4(%rsi),%r9d + movl 8(%rsi),%r10d + bswapl %r8d + movl 12(%rsi),%r11d + bswapl %r9d + bswapl %r10d + bswapl %r11d + + call _x86_64_Camellia_decrypt + + bswapl %r8d + bswapl %r9d + bswapl %r10d + movl %r8d,0(%r13) + bswapl %r11d + movl %r9d,4(%r13) + movl %r10d,8(%r13) + movl %r11d,12(%r13) + + movq 0(%rsp),%r15 + movq 8(%rsp),%r14 + movq 16(%rsp),%r13 + movq 24(%rsp),%rbp + movq 32(%rsp),%rbx + leaq 40(%rsp),%rsp +.Ldec_epilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_Camellia_DecryptBlock_Rounds: + +.def _x86_64_Camellia_decrypt; .scl 3; .type 32; .endef +.p2align 4 +_x86_64_Camellia_decrypt: + xorl 0(%r14),%r9d + xorl 4(%r14),%r8d + xorl 8(%r14),%r11d + xorl 12(%r14),%r10d +.p2align 4 +.Ldloop: + movl -8(%r14),%ebx + movl -4(%r14),%eax + + xorl %r8d,%eax + xorl %r9d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl -16(%r14),%ebx + movl -12(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r10d + xorl %ecx,%r11d + xorl %edx,%r11d + xorl %r10d,%eax + xorl %r11d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl -24(%r14),%ebx + 
movl -20(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r8d + xorl %ecx,%r9d + xorl %edx,%r9d + xorl %r8d,%eax + xorl %r9d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl -32(%r14),%ebx + movl -28(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r10d + xorl %ecx,%r11d + xorl %edx,%r11d + xorl %r10d,%eax + xorl %r11d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl -40(%r14),%ebx + movl -36(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r8d + xorl %ecx,%r9d + xorl %edx,%r9d + xorl %r8d,%eax + xorl %r9d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl -48(%r14),%ebx + movl -44(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r10d + xorl %ecx,%r11d + xorl %edx,%r11d + xorl %r10d,%eax + xorl %r11d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 
4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl -56(%r14),%ebx + movl -52(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r8d + xorl %ecx,%r9d + xorl %edx,%r9d + leaq -64(%r14),%r14 + cmpq %r15,%r14 + movl 0(%r14),%edx + movl 4(%r14),%ecx + je .Lddone + + andl %r8d,%eax + orl %r11d,%edx + roll $1,%eax + xorl %edx,%r10d + xorl %eax,%r9d + andl %r10d,%ecx + orl %r9d,%ebx + roll $1,%ecx + xorl %ebx,%r8d + xorl %ecx,%r11d + + jmp .Ldloop + +.p2align 4 +.Lddone: + xorl %r10d,%ecx + xorl %r11d,%edx + xorl %r8d,%eax + xorl %r9d,%ebx + + movl %ecx,%r8d + movl %edx,%r9d + movl %eax,%r10d + movl %ebx,%r11d + + retq + +.globl Camellia_Ekeygen +.def Camellia_Ekeygen; .scl 2; .type 32; .endef +.p2align 4 +Camellia_Ekeygen: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_Camellia_Ekeygen: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + + pushq %rbx + pushq %rbp + pushq %r13 + pushq %r14 + pushq %r15 +.Lkey_prologue: + + movq %rdi,%r15 + movq %rdx,%r13 + + movl 0(%rsi),%r8d + movl 4(%rsi),%r9d + movl 8(%rsi),%r10d + movl 12(%rsi),%r11d + + bswapl %r8d + bswapl %r9d + bswapl %r10d + bswapl %r11d + movl %r9d,0(%r13) + movl %r8d,4(%r13) + movl %r11d,8(%r13) + movl %r10d,12(%r13) + cmpq $128,%r15 + je .L1st128 + + movl 16(%rsi),%r8d + movl 20(%rsi),%r9d + cmpq $192,%r15 + je .L1st192 + movl 24(%rsi),%r10d + movl 28(%rsi),%r11d + jmp .L1st256 +.L1st192: + movl %r8d,%r10d + movl %r9d,%r11d + notl %r10d + notl %r11d +.L1st256: + bswapl %r8d + bswapl %r9d + bswapl %r10d + bswapl %r11d + movl %r9d,32(%r13) + movl %r8d,36(%r13) + movl %r11d,40(%r13) + movl %r10d,44(%r13) + xorl 0(%r13),%r9d + xorl 4(%r13),%r8d + xorl 8(%r13),%r11d + xorl 12(%r13),%r10d + +.L1st128: + leaq .LCamellia_SIGMA(%rip),%r14 + leaq .LCamellia_SBOX(%rip),%rbp + + movl 
0(%r14),%ebx + movl 4(%r14),%eax + xorl %r8d,%eax + xorl %r9d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl 8(%r14),%ebx + movl 12(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r10d + xorl %ecx,%r11d + xorl %edx,%r11d + xorl %r10d,%eax + xorl %r11d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl 16(%r14),%ebx + movl 20(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r8d + xorl %ecx,%r9d + xorl %edx,%r9d + xorl 0(%r13),%r9d + xorl 4(%r13),%r8d + xorl 8(%r13),%r11d + xorl 12(%r13),%r10d + xorl %r8d,%eax + xorl %r9d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl 24(%r14),%ebx + movl 28(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r10d + xorl %ecx,%r11d + xorl %edx,%r11d + xorl %r10d,%eax + xorl %r11d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 
4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl 32(%r14),%ebx + movl 36(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r8d + xorl %ecx,%r9d + xorl %edx,%r9d + cmpq $128,%r15 + jne .L2nd256 + + leaq 128(%r13),%r13 + shlq $32,%r8 + shlq $32,%r10 + orq %r9,%r8 + orq %r11,%r10 + movq -128(%r13),%rax + movq -120(%r13),%rbx + movq %r8,-112(%r13) + movq %r10,-104(%r13) + movq %rax,%r11 + shlq $15,%rax + movq %rbx,%r9 + shrq $49,%r9 + shrq $49,%r11 + orq %r9,%rax + shlq $15,%rbx + orq %r11,%rbx + movq %rax,-96(%r13) + movq %rbx,-88(%r13) + movq %r8,%r11 + shlq $15,%r8 + movq %r10,%r9 + shrq $49,%r9 + shrq $49,%r11 + orq %r9,%r8 + shlq $15,%r10 + orq %r11,%r10 + movq %r8,-80(%r13) + movq %r10,-72(%r13) + movq %r8,%r11 + shlq $15,%r8 + movq %r10,%r9 + shrq $49,%r9 + shrq $49,%r11 + orq %r9,%r8 + shlq $15,%r10 + orq %r11,%r10 + movq %r8,-64(%r13) + movq %r10,-56(%r13) + movq %rax,%r11 + shlq $30,%rax + movq %rbx,%r9 + shrq $34,%r9 + shrq $34,%r11 + orq %r9,%rax + shlq $30,%rbx + orq %r11,%rbx + movq %rax,-48(%r13) + movq %rbx,-40(%r13) + movq %r8,%r11 + shlq $15,%r8 + movq %r10,%r9 + shrq $49,%r9 + shrq $49,%r11 + orq %r9,%r8 + shlq $15,%r10 + orq %r11,%r10 + movq %r8,-32(%r13) + movq %rax,%r11 + shlq $15,%rax + movq %rbx,%r9 + shrq $49,%r9 + shrq $49,%r11 + orq %r9,%rax + shlq $15,%rbx + orq %r11,%rbx + movq %rbx,-24(%r13) + movq %r8,%r11 + shlq $15,%r8 + movq %r10,%r9 + shrq $49,%r9 + shrq $49,%r11 + orq %r9,%r8 + shlq $15,%r10 + orq %r11,%r10 + movq %r8,-16(%r13) + movq %r10,-8(%r13) + movq %rax,%r11 + shlq $17,%rax + movq %rbx,%r9 + shrq $47,%r9 + shrq $47,%r11 + orq %r9,%rax + shlq $17,%rbx + orq %r11,%rbx + movq %rax,0(%r13) + movq %rbx,8(%r13) + movq %rax,%r11 + shlq $17,%rax + movq %rbx,%r9 + shrq $47,%r9 + shrq $47,%r11 + orq %r9,%rax + shlq $17,%rbx 
+ orq %r11,%rbx + movq %rax,16(%r13) + movq %rbx,24(%r13) + movq %r8,%r11 + shlq $34,%r8 + movq %r10,%r9 + shrq $30,%r9 + shrq $30,%r11 + orq %r9,%r8 + shlq $34,%r10 + orq %r11,%r10 + movq %r8,32(%r13) + movq %r10,40(%r13) + movq %rax,%r11 + shlq $17,%rax + movq %rbx,%r9 + shrq $47,%r9 + shrq $47,%r11 + orq %r9,%rax + shlq $17,%rbx + orq %r11,%rbx + movq %rax,48(%r13) + movq %rbx,56(%r13) + movq %r8,%r11 + shlq $17,%r8 + movq %r10,%r9 + shrq $47,%r9 + shrq $47,%r11 + orq %r9,%r8 + shlq $17,%r10 + orq %r11,%r10 + movq %r8,64(%r13) + movq %r10,72(%r13) + movl $3,%eax + jmp .Ldone +.p2align 4 +.L2nd256: + movl %r9d,48(%r13) + movl %r8d,52(%r13) + movl %r11d,56(%r13) + movl %r10d,60(%r13) + xorl 32(%r13),%r9d + xorl 36(%r13),%r8d + xorl 40(%r13),%r11d + xorl 44(%r13),%r10d + xorl %r8d,%eax + xorl %r9d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl 40(%r14),%ebx + movl 44(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r10d + xorl %ecx,%r11d + xorl %edx,%r11d + xorl %r10d,%eax + xorl %r11d,%ebx + movzbl %ah,%esi + movzbl %bl,%edi + movl 2052(%rbp,%rsi,8),%edx + movl 0(%rbp,%rdi,8),%ecx + movzbl %al,%esi + shrl $16,%eax + movzbl %bh,%edi + xorl 4(%rbp,%rsi,8),%edx + shrl $16,%ebx + xorl 4(%rbp,%rdi,8),%ecx + movzbl %ah,%esi + movzbl %bl,%edi + xorl 0(%rbp,%rsi,8),%edx + xorl 2052(%rbp,%rdi,8),%ecx + movzbl %al,%esi + movzbl %bh,%edi + xorl 2048(%rbp,%rsi,8),%edx + xorl 2048(%rbp,%rdi,8),%ecx + movl 48(%r14),%ebx + movl 52(%r14),%eax + xorl %edx,%ecx + rorl $8,%edx + xorl %ecx,%r8d + xorl %ecx,%r9d + xorl %edx,%r9d + movq 0(%r13),%rax + movq 8(%r13),%rbx + movq 32(%r13),%rcx + movq 40(%r13),%rdx + movq 
48(%r13),%r14 + movq 56(%r13),%r15 + leaq 128(%r13),%r13 + shlq $32,%r8 + shlq $32,%r10 + orq %r9,%r8 + orq %r11,%r10 + movq %r8,-112(%r13) + movq %r10,-104(%r13) + movq %rcx,%r11 + shlq $15,%rcx + movq %rdx,%r9 + shrq $49,%r9 + shrq $49,%r11 + orq %r9,%rcx + shlq $15,%rdx + orq %r11,%rdx + movq %rcx,-96(%r13) + movq %rdx,-88(%r13) + movq %r14,%r11 + shlq $15,%r14 + movq %r15,%r9 + shrq $49,%r9 + shrq $49,%r11 + orq %r9,%r14 + shlq $15,%r15 + orq %r11,%r15 + movq %r14,-80(%r13) + movq %r15,-72(%r13) + movq %rcx,%r11 + shlq $15,%rcx + movq %rdx,%r9 + shrq $49,%r9 + shrq $49,%r11 + orq %r9,%rcx + shlq $15,%rdx + orq %r11,%rdx + movq %rcx,-64(%r13) + movq %rdx,-56(%r13) + movq %r8,%r11 + shlq $30,%r8 + movq %r10,%r9 + shrq $34,%r9 + shrq $34,%r11 + orq %r9,%r8 + shlq $30,%r10 + orq %r11,%r10 + movq %r8,-48(%r13) + movq %r10,-40(%r13) + movq %rax,%r11 + shlq $45,%rax + movq %rbx,%r9 + shrq $19,%r9 + shrq $19,%r11 + orq %r9,%rax + shlq $45,%rbx + orq %r11,%rbx + movq %rax,-32(%r13) + movq %rbx,-24(%r13) + movq %r14,%r11 + shlq $30,%r14 + movq %r15,%r9 + shrq $34,%r9 + shrq $34,%r11 + orq %r9,%r14 + shlq $30,%r15 + orq %r11,%r15 + movq %r14,-16(%r13) + movq %r15,-8(%r13) + movq %rax,%r11 + shlq $15,%rax + movq %rbx,%r9 + shrq $49,%r9 + shrq $49,%r11 + orq %r9,%rax + shlq $15,%rbx + orq %r11,%rbx + movq %rax,0(%r13) + movq %rbx,8(%r13) + movq %rcx,%r11 + shlq $30,%rcx + movq %rdx,%r9 + shrq $34,%r9 + shrq $34,%r11 + orq %r9,%rcx + shlq $30,%rdx + orq %r11,%rdx + movq %rcx,16(%r13) + movq %rdx,24(%r13) + movq %r8,%r11 + shlq $30,%r8 + movq %r10,%r9 + shrq $34,%r9 + shrq $34,%r11 + orq %r9,%r8 + shlq $30,%r10 + orq %r11,%r10 + movq %r8,32(%r13) + movq %r10,40(%r13) + movq %rax,%r11 + shlq $17,%rax + movq %rbx,%r9 + shrq $47,%r9 + shrq $47,%r11 + orq %r9,%rax + shlq $17,%rbx + orq %r11,%rbx + movq %rax,48(%r13) + movq %rbx,56(%r13) + movq %r14,%r11 + shlq $32,%r14 + movq %r15,%r9 + shrq $32,%r9 + shrq $32,%r11 + orq %r9,%r14 + shlq $32,%r15 + orq %r11,%r15 + movq 
%r14,64(%r13) + movq %r15,72(%r13) + movq %rcx,%r11 + shlq $34,%rcx + movq %rdx,%r9 + shrq $30,%r9 + shrq $30,%r11 + orq %r9,%rcx + shlq $34,%rdx + orq %r11,%rdx + movq %rcx,80(%r13) + movq %rdx,88(%r13) + movq %r14,%r11 + shlq $17,%r14 + movq %r15,%r9 + shrq $47,%r9 + shrq $47,%r11 + orq %r9,%r14 + shlq $17,%r15 + orq %r11,%r15 + movq %r14,96(%r13) + movq %r15,104(%r13) + movq %rax,%r11 + shlq $34,%rax + movq %rbx,%r9 + shrq $30,%r9 + shrq $30,%r11 + orq %r9,%rax + shlq $34,%rbx + orq %r11,%rbx + movq %rax,112(%r13) + movq %rbx,120(%r13) + movq %r8,%r11 + shlq $51,%r8 + movq %r10,%r9 + shrq $13,%r9 + shrq $13,%r11 + orq %r9,%r8 + shlq $51,%r10 + orq %r11,%r10 + movq %r8,128(%r13) + movq %r10,136(%r13) + movl $4,%eax +.Ldone: + movq 0(%rsp),%r15 + movq 8(%rsp),%r14 + movq 16(%rsp),%r13 + movq 24(%rsp),%rbp + movq 32(%rsp),%rbx + leaq 40(%rsp),%rsp +.Lkey_epilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_Camellia_Ekeygen: +.p2align 6 +.LCamellia_SIGMA: +.long 0x3bcc908b, 0xa09e667f, 0x4caa73b2, 0xb67ae858 +.long 0xe94f82be, 0xc6ef372f, 0xf1d36f1c, 0x54ff53a5 +.long 0xde682d1d, 0x10e527fa, 0xb3e6c1fd, 0xb05688c2 +.long 0, 0, 0, 0 +.LCamellia_SBOX: +.long 0x70707000,0x70700070 +.long 0x82828200,0x2c2c002c +.long 0x2c2c2c00,0xb3b300b3 +.long 0xececec00,0xc0c000c0 +.long 0xb3b3b300,0xe4e400e4 +.long 0x27272700,0x57570057 +.long 0xc0c0c000,0xeaea00ea +.long 0xe5e5e500,0xaeae00ae +.long 0xe4e4e400,0x23230023 +.long 0x85858500,0x6b6b006b +.long 0x57575700,0x45450045 +.long 0x35353500,0xa5a500a5 +.long 0xeaeaea00,0xeded00ed +.long 0x0c0c0c00,0x4f4f004f +.long 0xaeaeae00,0x1d1d001d +.long 0x41414100,0x92920092 +.long 0x23232300,0x86860086 +.long 0xefefef00,0xafaf00af +.long 0x6b6b6b00,0x7c7c007c +.long 0x93939300,0x1f1f001f +.long 0x45454500,0x3e3e003e +.long 0x19191900,0xdcdc00dc +.long 0xa5a5a500,0x5e5e005e +.long 0x21212100,0x0b0b000b +.long 0xededed00,0xa6a600a6 +.long 0x0e0e0e00,0x39390039 +.long 0x4f4f4f00,0xd5d500d5 +.long 0x4e4e4e00,0x5d5d005d 
+.long 0x1d1d1d00,0xd9d900d9 +.long 0x65656500,0x5a5a005a +.long 0x92929200,0x51510051 +.long 0xbdbdbd00,0x6c6c006c +.long 0x86868600,0x8b8b008b +.long 0xb8b8b800,0x9a9a009a +.long 0xafafaf00,0xfbfb00fb +.long 0x8f8f8f00,0xb0b000b0 +.long 0x7c7c7c00,0x74740074 +.long 0xebebeb00,0x2b2b002b +.long 0x1f1f1f00,0xf0f000f0 +.long 0xcecece00,0x84840084 +.long 0x3e3e3e00,0xdfdf00df +.long 0x30303000,0xcbcb00cb +.long 0xdcdcdc00,0x34340034 +.long 0x5f5f5f00,0x76760076 +.long 0x5e5e5e00,0x6d6d006d +.long 0xc5c5c500,0xa9a900a9 +.long 0x0b0b0b00,0xd1d100d1 +.long 0x1a1a1a00,0x04040004 +.long 0xa6a6a600,0x14140014 +.long 0xe1e1e100,0x3a3a003a +.long 0x39393900,0xdede00de +.long 0xcacaca00,0x11110011 +.long 0xd5d5d500,0x32320032 +.long 0x47474700,0x9c9c009c +.long 0x5d5d5d00,0x53530053 +.long 0x3d3d3d00,0xf2f200f2 +.long 0xd9d9d900,0xfefe00fe +.long 0x01010100,0xcfcf00cf +.long 0x5a5a5a00,0xc3c300c3 +.long 0xd6d6d600,0x7a7a007a +.long 0x51515100,0x24240024 +.long 0x56565600,0xe8e800e8 +.long 0x6c6c6c00,0x60600060 +.long 0x4d4d4d00,0x69690069 +.long 0x8b8b8b00,0xaaaa00aa +.long 0x0d0d0d00,0xa0a000a0 +.long 0x9a9a9a00,0xa1a100a1 +.long 0x66666600,0x62620062 +.long 0xfbfbfb00,0x54540054 +.long 0xcccccc00,0x1e1e001e +.long 0xb0b0b000,0xe0e000e0 +.long 0x2d2d2d00,0x64640064 +.long 0x74747400,0x10100010 +.long 0x12121200,0x00000000 +.long 0x2b2b2b00,0xa3a300a3 +.long 0x20202000,0x75750075 +.long 0xf0f0f000,0x8a8a008a +.long 0xb1b1b100,0xe6e600e6 +.long 0x84848400,0x09090009 +.long 0x99999900,0xdddd00dd +.long 0xdfdfdf00,0x87870087 +.long 0x4c4c4c00,0x83830083 +.long 0xcbcbcb00,0xcdcd00cd +.long 0xc2c2c200,0x90900090 +.long 0x34343400,0x73730073 +.long 0x7e7e7e00,0xf6f600f6 +.long 0x76767600,0x9d9d009d +.long 0x05050500,0xbfbf00bf +.long 0x6d6d6d00,0x52520052 +.long 0xb7b7b700,0xd8d800d8 +.long 0xa9a9a900,0xc8c800c8 +.long 0x31313100,0xc6c600c6 +.long 0xd1d1d100,0x81810081 +.long 0x17171700,0x6f6f006f +.long 0x04040400,0x13130013 +.long 0xd7d7d700,0x63630063 +.long 
0x14141400,0xe9e900e9 +.long 0x58585800,0xa7a700a7 +.long 0x3a3a3a00,0x9f9f009f +.long 0x61616100,0xbcbc00bc +.long 0xdedede00,0x29290029 +.long 0x1b1b1b00,0xf9f900f9 +.long 0x11111100,0x2f2f002f +.long 0x1c1c1c00,0xb4b400b4 +.long 0x32323200,0x78780078 +.long 0x0f0f0f00,0x06060006 +.long 0x9c9c9c00,0xe7e700e7 +.long 0x16161600,0x71710071 +.long 0x53535300,0xd4d400d4 +.long 0x18181800,0xabab00ab +.long 0xf2f2f200,0x88880088 +.long 0x22222200,0x8d8d008d +.long 0xfefefe00,0x72720072 +.long 0x44444400,0xb9b900b9 +.long 0xcfcfcf00,0xf8f800f8 +.long 0xb2b2b200,0xacac00ac +.long 0xc3c3c300,0x36360036 +.long 0xb5b5b500,0x2a2a002a +.long 0x7a7a7a00,0x3c3c003c +.long 0x91919100,0xf1f100f1 +.long 0x24242400,0x40400040 +.long 0x08080800,0xd3d300d3 +.long 0xe8e8e800,0xbbbb00bb +.long 0xa8a8a800,0x43430043 +.long 0x60606000,0x15150015 +.long 0xfcfcfc00,0xadad00ad +.long 0x69696900,0x77770077 +.long 0x50505000,0x80800080 +.long 0xaaaaaa00,0x82820082 +.long 0xd0d0d000,0xecec00ec +.long 0xa0a0a000,0x27270027 +.long 0x7d7d7d00,0xe5e500e5 +.long 0xa1a1a100,0x85850085 +.long 0x89898900,0x35350035 +.long 0x62626200,0x0c0c000c +.long 0x97979700,0x41410041 +.long 0x54545400,0xefef00ef +.long 0x5b5b5b00,0x93930093 +.long 0x1e1e1e00,0x19190019 +.long 0x95959500,0x21210021 +.long 0xe0e0e000,0x0e0e000e +.long 0xffffff00,0x4e4e004e +.long 0x64646400,0x65650065 +.long 0xd2d2d200,0xbdbd00bd +.long 0x10101000,0xb8b800b8 +.long 0xc4c4c400,0x8f8f008f +.long 0x00000000,0xebeb00eb +.long 0x48484800,0xcece00ce +.long 0xa3a3a300,0x30300030 +.long 0xf7f7f700,0x5f5f005f +.long 0x75757500,0xc5c500c5 +.long 0xdbdbdb00,0x1a1a001a +.long 0x8a8a8a00,0xe1e100e1 +.long 0x03030300,0xcaca00ca +.long 0xe6e6e600,0x47470047 +.long 0xdadada00,0x3d3d003d +.long 0x09090900,0x01010001 +.long 0x3f3f3f00,0xd6d600d6 +.long 0xdddddd00,0x56560056 +.long 0x94949400,0x4d4d004d +.long 0x87878700,0x0d0d000d +.long 0x5c5c5c00,0x66660066 +.long 0x83838300,0xcccc00cc +.long 0x02020200,0x2d2d002d +.long 0xcdcdcd00,0x12120012 
+.long 0x4a4a4a00,0x20200020 +.long 0x90909000,0xb1b100b1 +.long 0x33333300,0x99990099 +.long 0x73737300,0x4c4c004c +.long 0x67676700,0xc2c200c2 +.long 0xf6f6f600,0x7e7e007e +.long 0xf3f3f300,0x05050005 +.long 0x9d9d9d00,0xb7b700b7 +.long 0x7f7f7f00,0x31310031 +.long 0xbfbfbf00,0x17170017 +.long 0xe2e2e200,0xd7d700d7 +.long 0x52525200,0x58580058 +.long 0x9b9b9b00,0x61610061 +.long 0xd8d8d800,0x1b1b001b +.long 0x26262600,0x1c1c001c +.long 0xc8c8c800,0x0f0f000f +.long 0x37373700,0x16160016 +.long 0xc6c6c600,0x18180018 +.long 0x3b3b3b00,0x22220022 +.long 0x81818100,0x44440044 +.long 0x96969600,0xb2b200b2 +.long 0x6f6f6f00,0xb5b500b5 +.long 0x4b4b4b00,0x91910091 +.long 0x13131300,0x08080008 +.long 0xbebebe00,0xa8a800a8 +.long 0x63636300,0xfcfc00fc +.long 0x2e2e2e00,0x50500050 +.long 0xe9e9e900,0xd0d000d0 +.long 0x79797900,0x7d7d007d +.long 0xa7a7a700,0x89890089 +.long 0x8c8c8c00,0x97970097 +.long 0x9f9f9f00,0x5b5b005b +.long 0x6e6e6e00,0x95950095 +.long 0xbcbcbc00,0xffff00ff +.long 0x8e8e8e00,0xd2d200d2 +.long 0x29292900,0xc4c400c4 +.long 0xf5f5f500,0x48480048 +.long 0xf9f9f900,0xf7f700f7 +.long 0xb6b6b600,0xdbdb00db +.long 0x2f2f2f00,0x03030003 +.long 0xfdfdfd00,0xdada00da +.long 0xb4b4b400,0x3f3f003f +.long 0x59595900,0x94940094 +.long 0x78787800,0x5c5c005c +.long 0x98989800,0x02020002 +.long 0x06060600,0x4a4a004a +.long 0x6a6a6a00,0x33330033 +.long 0xe7e7e700,0x67670067 +.long 0x46464600,0xf3f300f3 +.long 0x71717100,0x7f7f007f +.long 0xbababa00,0xe2e200e2 +.long 0xd4d4d400,0x9b9b009b +.long 0x25252500,0x26260026 +.long 0xababab00,0x37370037 +.long 0x42424200,0x3b3b003b +.long 0x88888800,0x96960096 +.long 0xa2a2a200,0x4b4b004b +.long 0x8d8d8d00,0xbebe00be +.long 0xfafafa00,0x2e2e002e +.long 0x72727200,0x79790079 +.long 0x07070700,0x8c8c008c +.long 0xb9b9b900,0x6e6e006e +.long 0x55555500,0x8e8e008e +.long 0xf8f8f800,0xf5f500f5 +.long 0xeeeeee00,0xb6b600b6 +.long 0xacacac00,0xfdfd00fd +.long 0x0a0a0a00,0x59590059 +.long 0x36363600,0x98980098 +.long 
0x49494900,0x6a6a006a +.long 0x2a2a2a00,0x46460046 +.long 0x68686800,0xbaba00ba +.long 0x3c3c3c00,0x25250025 +.long 0x38383800,0x42420042 +.long 0xf1f1f100,0xa2a200a2 +.long 0xa4a4a400,0xfafa00fa +.long 0x40404000,0x07070007 +.long 0x28282800,0x55550055 +.long 0xd3d3d300,0xeeee00ee +.long 0x7b7b7b00,0x0a0a000a +.long 0xbbbbbb00,0x49490049 +.long 0xc9c9c900,0x68680068 +.long 0x43434300,0x38380038 +.long 0xc1c1c100,0xa4a400a4 +.long 0x15151500,0x28280028 +.long 0xe3e3e300,0x7b7b007b +.long 0xadadad00,0xc9c900c9 +.long 0xf4f4f400,0xc1c100c1 +.long 0x77777700,0xe3e300e3 +.long 0xc7c7c700,0xf4f400f4 +.long 0x80808000,0xc7c700c7 +.long 0x9e9e9e00,0x9e9e009e +.long 0x00e0e0e0,0x38003838 +.long 0x00050505,0x41004141 +.long 0x00585858,0x16001616 +.long 0x00d9d9d9,0x76007676 +.long 0x00676767,0xd900d9d9 +.long 0x004e4e4e,0x93009393 +.long 0x00818181,0x60006060 +.long 0x00cbcbcb,0xf200f2f2 +.long 0x00c9c9c9,0x72007272 +.long 0x000b0b0b,0xc200c2c2 +.long 0x00aeaeae,0xab00abab +.long 0x006a6a6a,0x9a009a9a +.long 0x00d5d5d5,0x75007575 +.long 0x00181818,0x06000606 +.long 0x005d5d5d,0x57005757 +.long 0x00828282,0xa000a0a0 +.long 0x00464646,0x91009191 +.long 0x00dfdfdf,0xf700f7f7 +.long 0x00d6d6d6,0xb500b5b5 +.long 0x00272727,0xc900c9c9 +.long 0x008a8a8a,0xa200a2a2 +.long 0x00323232,0x8c008c8c +.long 0x004b4b4b,0xd200d2d2 +.long 0x00424242,0x90009090 +.long 0x00dbdbdb,0xf600f6f6 +.long 0x001c1c1c,0x07000707 +.long 0x009e9e9e,0xa700a7a7 +.long 0x009c9c9c,0x27002727 +.long 0x003a3a3a,0x8e008e8e +.long 0x00cacaca,0xb200b2b2 +.long 0x00252525,0x49004949 +.long 0x007b7b7b,0xde00dede +.long 0x000d0d0d,0x43004343 +.long 0x00717171,0x5c005c5c +.long 0x005f5f5f,0xd700d7d7 +.long 0x001f1f1f,0xc700c7c7 +.long 0x00f8f8f8,0x3e003e3e +.long 0x00d7d7d7,0xf500f5f5 +.long 0x003e3e3e,0x8f008f8f +.long 0x009d9d9d,0x67006767 +.long 0x007c7c7c,0x1f001f1f +.long 0x00606060,0x18001818 +.long 0x00b9b9b9,0x6e006e6e +.long 0x00bebebe,0xaf00afaf +.long 0x00bcbcbc,0x2f002f2f +.long 0x008b8b8b,0xe200e2e2 
+.long 0x00161616,0x85008585 +.long 0x00343434,0x0d000d0d +.long 0x004d4d4d,0x53005353 +.long 0x00c3c3c3,0xf000f0f0 +.long 0x00727272,0x9c009c9c +.long 0x00959595,0x65006565 +.long 0x00ababab,0xea00eaea +.long 0x008e8e8e,0xa300a3a3 +.long 0x00bababa,0xae00aeae +.long 0x007a7a7a,0x9e009e9e +.long 0x00b3b3b3,0xec00ecec +.long 0x00020202,0x80008080 +.long 0x00b4b4b4,0x2d002d2d +.long 0x00adadad,0x6b006b6b +.long 0x00a2a2a2,0xa800a8a8 +.long 0x00acacac,0x2b002b2b +.long 0x00d8d8d8,0x36003636 +.long 0x009a9a9a,0xa600a6a6 +.long 0x00171717,0xc500c5c5 +.long 0x001a1a1a,0x86008686 +.long 0x00353535,0x4d004d4d +.long 0x00cccccc,0x33003333 +.long 0x00f7f7f7,0xfd00fdfd +.long 0x00999999,0x66006666 +.long 0x00616161,0x58005858 +.long 0x005a5a5a,0x96009696 +.long 0x00e8e8e8,0x3a003a3a +.long 0x00242424,0x09000909 +.long 0x00565656,0x95009595 +.long 0x00404040,0x10001010 +.long 0x00e1e1e1,0x78007878 +.long 0x00636363,0xd800d8d8 +.long 0x00090909,0x42004242 +.long 0x00333333,0xcc00cccc +.long 0x00bfbfbf,0xef00efef +.long 0x00989898,0x26002626 +.long 0x00979797,0xe500e5e5 +.long 0x00858585,0x61006161 +.long 0x00686868,0x1a001a1a +.long 0x00fcfcfc,0x3f003f3f +.long 0x00ececec,0x3b003b3b +.long 0x000a0a0a,0x82008282 +.long 0x00dadada,0xb600b6b6 +.long 0x006f6f6f,0xdb00dbdb +.long 0x00535353,0xd400d4d4 +.long 0x00626262,0x98009898 +.long 0x00a3a3a3,0xe800e8e8 +.long 0x002e2e2e,0x8b008b8b +.long 0x00080808,0x02000202 +.long 0x00afafaf,0xeb00ebeb +.long 0x00282828,0x0a000a0a +.long 0x00b0b0b0,0x2c002c2c +.long 0x00747474,0x1d001d1d +.long 0x00c2c2c2,0xb000b0b0 +.long 0x00bdbdbd,0x6f006f6f +.long 0x00363636,0x8d008d8d +.long 0x00222222,0x88008888 +.long 0x00383838,0x0e000e0e +.long 0x00646464,0x19001919 +.long 0x001e1e1e,0x87008787 +.long 0x00393939,0x4e004e4e +.long 0x002c2c2c,0x0b000b0b +.long 0x00a6a6a6,0xa900a9a9 +.long 0x00303030,0x0c000c0c +.long 0x00e5e5e5,0x79007979 +.long 0x00444444,0x11001111 +.long 0x00fdfdfd,0x7f007f7f +.long 0x00888888,0x22002222 +.long 
0x009f9f9f,0xe700e7e7 +.long 0x00656565,0x59005959 +.long 0x00878787,0xe100e1e1 +.long 0x006b6b6b,0xda00dada +.long 0x00f4f4f4,0x3d003d3d +.long 0x00232323,0xc800c8c8 +.long 0x00484848,0x12001212 +.long 0x00101010,0x04000404 +.long 0x00d1d1d1,0x74007474 +.long 0x00515151,0x54005454 +.long 0x00c0c0c0,0x30003030 +.long 0x00f9f9f9,0x7e007e7e +.long 0x00d2d2d2,0xb400b4b4 +.long 0x00a0a0a0,0x28002828 +.long 0x00555555,0x55005555 +.long 0x00a1a1a1,0x68006868 +.long 0x00414141,0x50005050 +.long 0x00fafafa,0xbe00bebe +.long 0x00434343,0xd000d0d0 +.long 0x00131313,0xc400c4c4 +.long 0x00c4c4c4,0x31003131 +.long 0x002f2f2f,0xcb00cbcb +.long 0x00a8a8a8,0x2a002a2a +.long 0x00b6b6b6,0xad00adad +.long 0x003c3c3c,0x0f000f0f +.long 0x002b2b2b,0xca00caca +.long 0x00c1c1c1,0x70007070 +.long 0x00ffffff,0xff00ffff +.long 0x00c8c8c8,0x32003232 +.long 0x00a5a5a5,0x69006969 +.long 0x00202020,0x08000808 +.long 0x00898989,0x62006262 +.long 0x00000000,0x00000000 +.long 0x00909090,0x24002424 +.long 0x00474747,0xd100d1d1 +.long 0x00efefef,0xfb00fbfb +.long 0x00eaeaea,0xba00baba +.long 0x00b7b7b7,0xed00eded +.long 0x00151515,0x45004545 +.long 0x00060606,0x81008181 +.long 0x00cdcdcd,0x73007373 +.long 0x00b5b5b5,0x6d006d6d +.long 0x00121212,0x84008484 +.long 0x007e7e7e,0x9f009f9f +.long 0x00bbbbbb,0xee00eeee +.long 0x00292929,0x4a004a4a +.long 0x000f0f0f,0xc300c3c3 +.long 0x00b8b8b8,0x2e002e2e +.long 0x00070707,0xc100c1c1 +.long 0x00040404,0x01000101 +.long 0x009b9b9b,0xe600e6e6 +.long 0x00949494,0x25002525 +.long 0x00212121,0x48004848 +.long 0x00666666,0x99009999 +.long 0x00e6e6e6,0xb900b9b9 +.long 0x00cecece,0xb300b3b3 +.long 0x00ededed,0x7b007b7b +.long 0x00e7e7e7,0xf900f9f9 +.long 0x003b3b3b,0xce00cece +.long 0x00fefefe,0xbf00bfbf +.long 0x007f7f7f,0xdf00dfdf +.long 0x00c5c5c5,0x71007171 +.long 0x00a4a4a4,0x29002929 +.long 0x00373737,0xcd00cdcd +.long 0x00b1b1b1,0x6c006c6c +.long 0x004c4c4c,0x13001313 +.long 0x00919191,0x64006464 +.long 0x006e6e6e,0x9b009b9b +.long 0x008d8d8d,0x63006363 
+.long 0x00767676,0x9d009d9d +.long 0x00030303,0xc000c0c0 +.long 0x002d2d2d,0x4b004b4b +.long 0x00dedede,0xb700b7b7 +.long 0x00969696,0xa500a5a5 +.long 0x00262626,0x89008989 +.long 0x007d7d7d,0x5f005f5f +.long 0x00c6c6c6,0xb100b1b1 +.long 0x005c5c5c,0x17001717 +.long 0x00d3d3d3,0xf400f4f4 +.long 0x00f2f2f2,0xbc00bcbc +.long 0x004f4f4f,0xd300d3d3 +.long 0x00191919,0x46004646 +.long 0x003f3f3f,0xcf00cfcf +.long 0x00dcdcdc,0x37003737 +.long 0x00797979,0x5e005e5e +.long 0x001d1d1d,0x47004747 +.long 0x00525252,0x94009494 +.long 0x00ebebeb,0xfa00fafa +.long 0x00f3f3f3,0xfc00fcfc +.long 0x006d6d6d,0x5b005b5b +.long 0x005e5e5e,0x97009797 +.long 0x00fbfbfb,0xfe00fefe +.long 0x00696969,0x5a005a5a +.long 0x00b2b2b2,0xac00acac +.long 0x00f0f0f0,0x3c003c3c +.long 0x00313131,0x4c004c4c +.long 0x000c0c0c,0x03000303 +.long 0x00d4d4d4,0x35003535 +.long 0x00cfcfcf,0xf300f3f3 +.long 0x008c8c8c,0x23002323 +.long 0x00e2e2e2,0xb800b8b8 +.long 0x00757575,0x5d005d5d +.long 0x00a9a9a9,0x6a006a6a +.long 0x004a4a4a,0x92009292 +.long 0x00575757,0xd500d5d5 +.long 0x00848484,0x21002121 +.long 0x00111111,0x44004444 +.long 0x00454545,0x51005151 +.long 0x001b1b1b,0xc600c6c6 +.long 0x00f5f5f5,0x7d007d7d +.long 0x00e4e4e4,0x39003939 +.long 0x000e0e0e,0x83008383 +.long 0x00737373,0xdc00dcdc +.long 0x00aaaaaa,0xaa00aaaa +.long 0x00f1f1f1,0x7c007c7c +.long 0x00dddddd,0x77007777 +.long 0x00595959,0x56005656 +.long 0x00141414,0x05000505 +.long 0x006c6c6c,0x1b001b1b +.long 0x00929292,0xa400a4a4 +.long 0x00545454,0x15001515 +.long 0x00d0d0d0,0x34003434 +.long 0x00787878,0x1e001e1e +.long 0x00707070,0x1c001c1c +.long 0x00e3e3e3,0xf800f8f8 +.long 0x00494949,0x52005252 +.long 0x00808080,0x20002020 +.long 0x00505050,0x14001414 +.long 0x00a7a7a7,0xe900e9e9 +.long 0x00f6f6f6,0xbd00bdbd +.long 0x00777777,0xdd00dddd +.long 0x00939393,0xe400e4e4 +.long 0x00868686,0xa100a1a1 +.long 0x00838383,0xe000e0e0 +.long 0x002a2a2a,0x8a008a8a +.long 0x00c7c7c7,0xf100f1f1 +.long 0x005b5b5b,0xd600d6d6 +.long 
0x00e9e9e9,0x7a007a7a +.long 0x00eeeeee,0xbb00bbbb +.long 0x008f8f8f,0xe300e3e3 +.long 0x00010101,0x40004040 +.long 0x003d3d3d,0x4f004f4f +.globl Camellia_cbc_encrypt +.def Camellia_cbc_encrypt; .scl 2; .type 32; .endef +.p2align 4 +Camellia_cbc_encrypt: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_Camellia_cbc_encrypt: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + movq 40(%rsp),%r8 + movq 48(%rsp),%r9 + + cmpq $0,%rdx + je .Lcbc_abort + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 +.Lcbc_prologue: + + movq %rsp,%rbp + subq $64,%rsp + andq $-64,%rsp + + + + leaq -64-63(%rcx),%r10 + subq %rsp,%r10 + negq %r10 + andq $960,%r10 + subq %r10,%rsp + + + movq %rdi,%r12 + movq %rsi,%r13 + movq %r8,%rbx + movq %rcx,%r14 + movl 272(%rcx),%r15d + + movq %r8,40(%rsp) + movq %rbp,48(%rsp) + +.Lcbc_body: + leaq .LCamellia_SBOX(%rip),%rbp + + movl $32,%ecx +.p2align 2 +.Lcbc_prefetch_sbox: + movq 0(%rbp),%rax + movq 32(%rbp),%rsi + movq 64(%rbp),%rdi + movq 96(%rbp),%r11 + leaq 128(%rbp),%rbp + loop .Lcbc_prefetch_sbox + subq $4096,%rbp + shlq $6,%r15 + movq %rdx,%rcx + leaq (%r14,%r15,1),%r15 + + cmpl $0,%r9d + je .LCBC_DECRYPT + + andq $-16,%rdx + andq $15,%rcx + leaq (%r12,%rdx,1),%rdx + movq %r14,0(%rsp) + movq %rdx,8(%rsp) + movq %rcx,16(%rsp) + + cmpq %r12,%rdx + movl 0(%rbx),%r8d + movl 4(%rbx),%r9d + movl 8(%rbx),%r10d + movl 12(%rbx),%r11d + je .Lcbc_enc_tail + jmp .Lcbc_eloop + +.p2align 4 +.Lcbc_eloop: + xorl 0(%r12),%r8d + xorl 4(%r12),%r9d + xorl 8(%r12),%r10d + bswapl %r8d + xorl 12(%r12),%r11d + bswapl %r9d + bswapl %r10d + bswapl %r11d + + call _x86_64_Camellia_encrypt + + movq 0(%rsp),%r14 + bswapl %r8d + movq 8(%rsp),%rdx + bswapl %r9d + movq 16(%rsp),%rcx + bswapl %r10d + movl %r8d,0(%r13) + bswapl %r11d + movl %r9d,4(%r13) + movl %r10d,8(%r13) + leaq 16(%r12),%r12 + movl %r11d,12(%r13) + cmpq %rdx,%r12 + leaq 16(%r13),%r13 + jne .Lcbc_eloop + + cmpq $0,%rcx + jne .Lcbc_enc_tail + + 
movq 40(%rsp),%r13 + movl %r8d,0(%r13) + movl %r9d,4(%r13) + movl %r10d,8(%r13) + movl %r11d,12(%r13) + jmp .Lcbc_done + +.p2align 4 +.Lcbc_enc_tail: + xorq %rax,%rax + movq %rax,0+24(%rsp) + movq %rax,8+24(%rsp) + movq %rax,16(%rsp) + +.Lcbc_enc_pushf: + pushfq + cld + movq %r12,%rsi + leaq 8+24(%rsp),%rdi +.long 0x9066A4F3 + popfq +.Lcbc_enc_popf: + + leaq 24(%rsp),%r12 + leaq 16+24(%rsp),%rax + movq %rax,8(%rsp) + jmp .Lcbc_eloop + +.p2align 4 +.LCBC_DECRYPT: + xchgq %r14,%r15 + addq $15,%rdx + andq $15,%rcx + andq $-16,%rdx + movq %r14,0(%rsp) + leaq (%r12,%rdx,1),%rdx + movq %rdx,8(%rsp) + movq %rcx,16(%rsp) + + movq (%rbx),%rax + movq 8(%rbx),%rbx + jmp .Lcbc_dloop +.p2align 4 +.Lcbc_dloop: + movl 0(%r12),%r8d + movl 4(%r12),%r9d + movl 8(%r12),%r10d + bswapl %r8d + movl 12(%r12),%r11d + bswapl %r9d + movq %rax,0+24(%rsp) + bswapl %r10d + movq %rbx,8+24(%rsp) + bswapl %r11d + + call _x86_64_Camellia_decrypt + + movq 0(%rsp),%r14 + movq 8(%rsp),%rdx + movq 16(%rsp),%rcx + + bswapl %r8d + movq (%r12),%rax + bswapl %r9d + movq 8(%r12),%rbx + bswapl %r10d + xorl 0+24(%rsp),%r8d + bswapl %r11d + xorl 4+24(%rsp),%r9d + xorl 8+24(%rsp),%r10d + leaq 16(%r12),%r12 + xorl 12+24(%rsp),%r11d + cmpq %rdx,%r12 + je .Lcbc_ddone + + movl %r8d,0(%r13) + movl %r9d,4(%r13) + movl %r10d,8(%r13) + movl %r11d,12(%r13) + + leaq 16(%r13),%r13 + jmp .Lcbc_dloop + +.p2align 4 +.Lcbc_ddone: + movq 40(%rsp),%rdx + cmpq $0,%rcx + jne .Lcbc_dec_tail + + movl %r8d,0(%r13) + movl %r9d,4(%r13) + movl %r10d,8(%r13) + movl %r11d,12(%r13) + + movq %rax,(%rdx) + movq %rbx,8(%rdx) + jmp .Lcbc_done +.p2align 4 +.Lcbc_dec_tail: + movl %r8d,0+24(%rsp) + movl %r9d,4+24(%rsp) + movl %r10d,8+24(%rsp) + movl %r11d,12+24(%rsp) + +.Lcbc_dec_pushf: + pushfq + cld + leaq 8+24(%rsp),%rsi + leaq (%r13),%rdi +.long 0x9066A4F3 + popfq +.Lcbc_dec_popf: + + movq %rax,(%rdx) + movq %rbx,8(%rdx) + jmp .Lcbc_done + +.p2align 4 +.Lcbc_done: + movq 48(%rsp),%rcx + movq 0(%rcx),%r15 + movq 8(%rcx),%r14 + movq 
16(%rcx),%r13 + movq 24(%rcx),%r12 + movq 32(%rcx),%rbp + movq 40(%rcx),%rbx + leaq 48(%rcx),%rsp +.Lcbc_abort: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_Camellia_cbc_encrypt: + +.byte 67,97,109,101,108,108,105,97,32,102,111,114,32,120,56,54,95,54,52,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0
diff --git a/crypto/cast/cast_lcl.h b/crypto/cast/cast_lcl.h
index ad4e2fe..100ff1f 100644
--- a/crypto/cast/cast_lcl.h
+++ b/crypto/cast/cast_lcl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cast_lcl.h,v 1.11 2015/11/05 21:46:51 miod Exp $ */
+/* $OpenBSD: cast_lcl.h,v 1.12 2020/01/26 11:49:21 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -145,7 +145,7 @@
 *((c)++)=(unsigned char)(((l) )&0xff))
 /* only invoked with 0 <= n <= 31 */
-#define ROTL(a,n) ((((a)<<(n))&0xffffffffL)|((a)>>(32-(n))))
+#define ROTL(a,n) ((((a)<<(n))&0xffffffffL)|((a)>>((32-(n))&31)))
 #define C_M 0x3fc
 #define C_0 22L
diff --git a/crypto/chacha/chacha-merged.c b/crypto/chacha/chacha-merged.c
index 08511ed..67508f2 100644
--- a/crypto/chacha/chacha-merged.c
+++ b/crypto/chacha/chacha-merged.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha-merged.c,v 1.8 2017/08/13 16:55:31 jsing Exp $ */
+/* $OpenBSD: chacha-merged.c,v 1.9 2019/01/22 00:59:21 dlg Exp $ */
 /*
 chacha-merged.c version 20080118
 D. J. Bernstein
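Review bot: The comment above ROTL, `/* only invoked with 0 <= n <= 31 */`, no longer explains the `&31` on the right-shift count: with n == 0 the old form shifted a 32-bit value by 32, which is undefined behaviour in C, and the mask is what makes that case well-defined (for a 32-bit `a` the result is just `a`). Worth recording in place so the mask is not "simplified" away later, e.g. `/* 0 <= n <= 31; the &31 keeps the right shift in range for n == 0 (a shift by 32 is UB) */`. Note that the left operand of the right shift is not masked to 32 bits, so the macro still relies on `a` carrying no bits above bit 31, as the existing left-shift mask already assumes.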
@@ -277,3 +277,49 @@ chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
 m += 64;
 }
 }
+
+void
+CRYPTO_hchacha_20(unsigned char subkey[32], const unsigned char key[32],
+ const unsigned char nonce[16])
+{
+ uint32_t x[16];
+ int i;
+
+ x[0] = U8TO32_LITTLE(sigma + 0);
+ x[1] = U8TO32_LITTLE(sigma + 4);
+ x[2] = U8TO32_LITTLE(sigma + 8);
+ x[3] = U8TO32_LITTLE(sigma + 12);
+ x[4] = U8TO32_LITTLE(key + 0);
+ x[5] = U8TO32_LITTLE(key + 4);
+ x[6] = U8TO32_LITTLE(key + 8);
+ x[7] = U8TO32_LITTLE(key + 12);
+ x[8] = U8TO32_LITTLE(key + 16);
+ x[9] = U8TO32_LITTLE(key + 20);
+ x[10] = U8TO32_LITTLE(key + 24);
+ x[11] = U8TO32_LITTLE(key + 28);
+ x[12] = U8TO32_LITTLE(nonce + 0);
+ x[13] = U8TO32_LITTLE(nonce + 4);
+ x[14] = U8TO32_LITTLE(nonce + 8);
+ x[15] = U8TO32_LITTLE(nonce + 12);
+
+ for (i = 20; i > 0; i -= 2) {
+ QUARTERROUND(x[0], x[4], x[8], x[12])
+ QUARTERROUND(x[1], x[5], x[9], x[13])
+ QUARTERROUND(x[2], x[6], x[10], x[14])
+ QUARTERROUND(x[3], x[7], x[11], x[15])
+ QUARTERROUND(x[0], x[5], x[10], x[15])
+ QUARTERROUND(x[1], x[6], x[11], x[12])
+ QUARTERROUND(x[2], x[7], x[8], x[13])
+ QUARTERROUND(x[3], x[4], x[9], x[14])
+ }
+
+ U32TO8_LITTLE(subkey + 0, x[0]);
+ U32TO8_LITTLE(subkey + 4, x[1]);
+ U32TO8_LITTLE(subkey + 8, x[2]);
+ U32TO8_LITTLE(subkey + 12, x[3]);
+
+ U32TO8_LITTLE(subkey + 16, x[12]);
+ U32TO8_LITTLE(subkey + 20, x[13]);
+ U32TO8_LITTLE(subkey + 24, x[14]);
+ U32TO8_LITTLE(subkey + 28, x[15]);
+}
diff --git a/crypto/chacha/chacha.c b/crypto/chacha/chacha.c
index 0c384ab..6a2dddf 100644
--- a/crypto/chacha/chacha.c
+++ b/crypto/chacha/chacha.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha.c,v 1.7 2015/12/09 14:07:55 bcook Exp $ */
+/* $OpenBSD: chacha.c,v 1.8 2019/01/22 00:59:21 dlg Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
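Review bot: CRYPTO_hchacha_20 lands without a comment saying what it computes or why the output is taken from x[0..3] and x[12..15] with no feed-forward of the initial state, so a reader comparing it with chacha_encrypt_bytes above may take the missing addition for a bug. Suggest a header comment such as `/* HChaCha20: run 20 ChaCha rounds over (sigma, key, 16-byte nonce) and emit state words 0-3 and 12-15 as the 32-byte XChaCha20 subkey; the initial state is not added back, as the construction specifies. */`. The working state x[] holds key-derived material and is left on the stack at return; `explicit_bzero(x, sizeof(x));` before the closing brace would clear it, and the same applies to `subkey` in CRYPTO_xchacha_20 in the chacha.c hunk below. A small style point: the surrounding file spells these types u8/u32 (see the chacha_encrypt_bytes signature in the hunk header) while the new function uses unsigned char and uint32_t.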
@@ -75,3 +75,13 @@ CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len,
 chacha_encrypt_bytes(&ctx, in, out, (uint32_t)len);
 }
+
+void
+CRYPTO_xchacha_20(unsigned char *out, const unsigned char *in, size_t len,
+ const unsigned char key[32], const unsigned char iv[24])
+{
+ uint8_t subkey[32];
+
+ CRYPTO_hchacha_20(subkey, key, iv);
+ CRYPTO_chacha_20(out, in, len, subkey, iv + 16, 0);
+}
diff --git a/crypto/cms/cms_asn1.c b/crypto/cms/cms_asn1.c
new file mode 100644
index 0000000..ac53fec
--- /dev/null
+++ b/crypto/cms/cms_asn1.c
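Review bot: The nonce handling in CRYPTO_xchacha_20 deserves a comment: the first 16 bytes of iv feed CRYPTO_hchacha_20 and `iv + 16` passes the remaining 8 bytes as the ChaCha20 nonce with the block counter fixed at 0, and nothing in the function records that split. Suggest `/* iv[0..15] derives the subkey via HChaCha20; iv[16..23] is the 64-bit ChaCha20 nonce, block counter starts at 0. */` above the two calls. Because it forwards to CRYPTO_chacha_20, whose `(uint32_t)len` cast is visible in the context line above, the wrapper inherits that truncation of len beyond UINT32_MAX, and the limit should be documented for callers, presumably where the prototype is declared.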
@@ -0,0 +1,1627 @@ +/* $OpenBSD: cms_asn1.c,v 1.18 2019/08/11 10:43:57 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include +#include +#include +#include "cms_lcl.h" + + +static const ASN1_TEMPLATE CMS_IssuerAndSerialNumber_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_IssuerAndSerialNumber, issuer), + .field_name = "issuer", + .item = &X509_NAME_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_IssuerAndSerialNumber, serialNumber), + .field_name = "serialNumber", + .item = &ASN1_INTEGER_it, + }, +}; + +const ASN1_ITEM CMS_IssuerAndSerialNumber_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_IssuerAndSerialNumber_seq_tt, + .tcount = sizeof(CMS_IssuerAndSerialNumber_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_IssuerAndSerialNumber), + .sname = "CMS_IssuerAndSerialNumber", +}; + +static const ASN1_TEMPLATE CMS_OtherCertificateFormat_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_OtherCertificateFormat, otherCertFormat), + .field_name = "otherCertFormat", + .item = &ASN1_OBJECT_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_OtherCertificateFormat, otherCert), + .field_name = "otherCert", + .item = &ASN1_ANY_it, + }, +}; + +static const ASN1_ITEM CMS_OtherCertificateFormat_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_OtherCertificateFormat_seq_tt, + .tcount = 
sizeof(CMS_OtherCertificateFormat_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_OtherCertificateFormat), + .sname = "CMS_OtherCertificateFormat", +}; + +static const ASN1_TEMPLATE CMS_CertificateChoices_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_CertificateChoices, d.certificate), + .field_name = "d.certificate", + .item = &X509_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 0, + .offset = offsetof(CMS_CertificateChoices, d.extendedCertificate), + .field_name = "d.extendedCertificate", + .item = &ASN1_SEQUENCE_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 1, + .offset = offsetof(CMS_CertificateChoices, d.v1AttrCert), + .field_name = "d.v1AttrCert", + .item = &ASN1_SEQUENCE_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 2, + .offset = offsetof(CMS_CertificateChoices, d.v2AttrCert), + .field_name = "d.v2AttrCert", + .item = &ASN1_SEQUENCE_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 3, + .offset = offsetof(CMS_CertificateChoices, d.other), + .field_name = "d.other", + .item = &CMS_OtherCertificateFormat_it, + }, +}; + +const ASN1_ITEM CMS_CertificateChoices_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(CMS_CertificateChoices, type), + .templates = CMS_CertificateChoices_ch_tt, + .tcount = sizeof(CMS_CertificateChoices_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_CertificateChoices), + .sname = "CMS_CertificateChoices", +}; + +static const ASN1_TEMPLATE CMS_SignerIdentifier_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignerIdentifier, d.issuerAndSerialNumber), + .field_name = "d.issuerAndSerialNumber", + .item = &CMS_IssuerAndSerialNumber_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 0, + .offset = offsetof(CMS_SignerIdentifier, d.subjectKeyIdentifier), + .field_name = "d.subjectKeyIdentifier", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +static const ASN1_ITEM CMS_SignerIdentifier_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = 
offsetof(CMS_SignerIdentifier, type), + .templates = CMS_SignerIdentifier_ch_tt, + .tcount = sizeof(CMS_SignerIdentifier_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_SignerIdentifier), + .sname = "CMS_SignerIdentifier", +}; + +static const ASN1_TEMPLATE CMS_EncapsulatedContentInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_EncapsulatedContentInfo, eContentType), + .field_name = "eContentType", + .item = &ASN1_OBJECT_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_EncapsulatedContentInfo, eContent), + .field_name = "eContent", + .item = &ASN1_OCTET_STRING_NDEF_it, + }, +}; + +static const ASN1_ITEM CMS_EncapsulatedContentInfo_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_EncapsulatedContentInfo_seq_tt, + .tcount = sizeof(CMS_EncapsulatedContentInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_EncapsulatedContentInfo), + .sname = "CMS_EncapsulatedContentInfo", +}; + +/* Minor tweak to operation: free up signer key, cert */ +static int +cms_si_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +{ + if (operation == ASN1_OP_FREE_POST) { + CMS_SignerInfo *si = (CMS_SignerInfo *)*pval; + EVP_PKEY_free(si->pkey); + X509_free(si->signer); + EVP_MD_CTX_free(si->mctx); + } + return 1; +} + +static const ASN1_AUX CMS_SignerInfo_aux = { + .app_data = NULL, + .flags = 0, + .ref_offset = 0, + .ref_lock = 0, + .asn1_cb = cms_si_cb, + .enc_offset = 0, +}; +static const ASN1_TEMPLATE CMS_SignerInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignerInfo, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignerInfo, sid), + .field_name = "sid", + .item = &CMS_SignerIdentifier_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignerInfo, digestAlgorithm), + .field_name = 
"digestAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_SignerInfo, signedAttrs), + .field_name = "signedAttrs", + .item = &X509_ATTRIBUTE_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignerInfo, signatureAlgorithm), + .field_name = "signatureAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignerInfo, signature), + .field_name = "signature", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(CMS_SignerInfo, unsignedAttrs), + .field_name = "unsignedAttrs", + .item = &X509_ATTRIBUTE_it, + }, +}; + +const ASN1_ITEM CMS_SignerInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_SignerInfo_seq_tt, + .tcount = sizeof(CMS_SignerInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = &CMS_SignerInfo_aux, + .size = sizeof(CMS_SignerInfo), + .sname = "CMS_SignerInfo", +}; + +static const ASN1_TEMPLATE CMS_OtherRevocationInfoFormat_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_OtherRevocationInfoFormat, otherRevInfoFormat), + .field_name = "otherRevInfoFormat", + .item = &ASN1_OBJECT_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_OtherRevocationInfoFormat, otherRevInfo), + .field_name = "otherRevInfo", + .item = &ASN1_ANY_it, + }, +}; + +static const ASN1_ITEM CMS_OtherRevocationInfoFormat_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_OtherRevocationInfoFormat_seq_tt, + .tcount = sizeof(CMS_OtherRevocationInfoFormat_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_OtherRevocationInfoFormat), + .sname = "CMS_OtherRevocationInfoFormat", +}; + +static const ASN1_TEMPLATE CMS_RevocationInfoChoice_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = 
offsetof(CMS_RevocationInfoChoice, d.crl), + .field_name = "d.crl", + .item = &X509_CRL_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 1, + .offset = offsetof(CMS_RevocationInfoChoice, d.other), + .field_name = "d.other", + .item = &CMS_OtherRevocationInfoFormat_it, + }, +}; + +const ASN1_ITEM CMS_RevocationInfoChoice_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(CMS_RevocationInfoChoice, type), + .templates = CMS_RevocationInfoChoice_ch_tt, + .tcount = sizeof(CMS_RevocationInfoChoice_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_RevocationInfoChoice), + .sname = "CMS_RevocationInfoChoice", +}; + +static const ASN1_TEMPLATE CMS_SignedData_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignedData, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = ASN1_TFLG_SET_OF, + .tag = 0, + .offset = offsetof(CMS_SignedData, digestAlgorithms), + .field_name = "digestAlgorithms", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SignedData, encapContentInfo), + .field_name = "encapContentInfo", + .item = &CMS_EncapsulatedContentInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_SignedData, certificates), + .field_name = "certificates", + .item = &CMS_CertificateChoices_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(CMS_SignedData, crls), + .field_name = "crls", + .item = &CMS_RevocationInfoChoice_it, + }, + { + .flags = ASN1_TFLG_SET_OF, + .tag = 0, + .offset = offsetof(CMS_SignedData, signerInfos), + .field_name = "signerInfos", + .item = &CMS_SignerInfo_it, + }, +}; + +const ASN1_ITEM CMS_SignedData_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_SignedData_seq_tt, + .tcount = sizeof(CMS_SignedData_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = 
sizeof(CMS_SignedData), + .sname = "CMS_SignedData", +}; + +static const ASN1_TEMPLATE CMS_OriginatorInfo_seq_tt[] = { + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_OriginatorInfo, certificates), + .field_name = "certificates", + .item = &CMS_CertificateChoices_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(CMS_OriginatorInfo, crls), + .field_name = "crls", + .item = &CMS_RevocationInfoChoice_it, + }, +}; + +static const ASN1_ITEM CMS_OriginatorInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_OriginatorInfo_seq_tt, + .tcount = sizeof(CMS_OriginatorInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_OriginatorInfo), + .sname = "CMS_OriginatorInfo", +}; + +static const ASN1_TEMPLATE CMS_EncryptedContentInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_EncryptedContentInfo, contentType), + .field_name = "contentType", + .item = &ASN1_OBJECT_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_EncryptedContentInfo, contentEncryptionAlgorithm), + .field_name = "contentEncryptionAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_EncryptedContentInfo, encryptedContent), + .field_name = "encryptedContent", + .item = &ASN1_OCTET_STRING_NDEF_it, + }, +}; + +static const ASN1_ITEM CMS_EncryptedContentInfo_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_EncryptedContentInfo_seq_tt, + .tcount = sizeof(CMS_EncryptedContentInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_EncryptedContentInfo), + .sname = "CMS_EncryptedContentInfo", +}; + +static const ASN1_TEMPLATE CMS_KeyTransRecipientInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KeyTransRecipientInfo, version), + 
.field_name = "version", + .item = &LONG_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KeyTransRecipientInfo, rid), + .field_name = "rid", + .item = &CMS_SignerIdentifier_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KeyTransRecipientInfo, keyEncryptionAlgorithm), + .field_name = "keyEncryptionAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KeyTransRecipientInfo, encryptedKey), + .field_name = "encryptedKey", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +const ASN1_ITEM CMS_KeyTransRecipientInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_KeyTransRecipientInfo_seq_tt, + .tcount = sizeof(CMS_KeyTransRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_KeyTransRecipientInfo), + .sname = "CMS_KeyTransRecipientInfo", +}; + +static const ASN1_TEMPLATE CMS_OtherKeyAttribute_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_OtherKeyAttribute, keyAttrId), + .field_name = "keyAttrId", + .item = &ASN1_OBJECT_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_OtherKeyAttribute, keyAttr), + .field_name = "keyAttr", + .item = &ASN1_ANY_it, + }, +}; + +const ASN1_ITEM CMS_OtherKeyAttribute_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_OtherKeyAttribute_seq_tt, + .tcount = sizeof(CMS_OtherKeyAttribute_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_OtherKeyAttribute), + .sname = "CMS_OtherKeyAttribute", +}; + +static const ASN1_TEMPLATE CMS_RecipientKeyIdentifier_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_RecipientKeyIdentifier, subjectKeyIdentifier), + .field_name = "subjectKeyIdentifier", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_RecipientKeyIdentifier, date), + .field_name = "date", + .item = &ASN1_GENERALIZEDTIME_it, + 
}, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_RecipientKeyIdentifier, other), + .field_name = "other", + .item = &CMS_OtherKeyAttribute_it, + }, +}; + +const ASN1_ITEM CMS_RecipientKeyIdentifier_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_RecipientKeyIdentifier_seq_tt, + .tcount = sizeof(CMS_RecipientKeyIdentifier_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_RecipientKeyIdentifier), + .sname = "CMS_RecipientKeyIdentifier", +}; + +static const ASN1_TEMPLATE CMS_KeyAgreeRecipientIdentifier_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KeyAgreeRecipientIdentifier, d.issuerAndSerialNumber), + .field_name = "d.issuerAndSerialNumber", + .item = &CMS_IssuerAndSerialNumber_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 0, + .offset = offsetof(CMS_KeyAgreeRecipientIdentifier, d.rKeyId), + .field_name = "d.rKeyId", + .item = &CMS_RecipientKeyIdentifier_it, + }, +}; + +static const ASN1_ITEM CMS_KeyAgreeRecipientIdentifier_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(CMS_KeyAgreeRecipientIdentifier, type), + .templates = CMS_KeyAgreeRecipientIdentifier_ch_tt, + .tcount = sizeof(CMS_KeyAgreeRecipientIdentifier_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_KeyAgreeRecipientIdentifier), + .sname = "CMS_KeyAgreeRecipientIdentifier", +}; + +static int +cms_rek_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +{ + CMS_RecipientEncryptedKey *rek = (CMS_RecipientEncryptedKey *)*pval; + if (operation == ASN1_OP_FREE_POST) { + EVP_PKEY_free(rek->pkey); + } + return 1; +} + +static const ASN1_AUX CMS_RecipientEncryptedKey_aux = { + .app_data = NULL, + .flags = 0, + .ref_offset = 0, + .ref_lock = 0, + .asn1_cb = cms_rek_cb, + .enc_offset = 0, +}; +static const ASN1_TEMPLATE CMS_RecipientEncryptedKey_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_RecipientEncryptedKey, rid), + .field_name 
= "rid", + .item = &CMS_KeyAgreeRecipientIdentifier_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_RecipientEncryptedKey, encryptedKey), + .field_name = "encryptedKey", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +const ASN1_ITEM CMS_RecipientEncryptedKey_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_RecipientEncryptedKey_seq_tt, + .tcount = sizeof(CMS_RecipientEncryptedKey_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = &CMS_RecipientEncryptedKey_aux, + .size = sizeof(CMS_RecipientEncryptedKey), + .sname = "CMS_RecipientEncryptedKey", +}; + +static const ASN1_TEMPLATE CMS_OriginatorPublicKey_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_OriginatorPublicKey, algorithm), + .field_name = "algorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_OriginatorPublicKey, publicKey), + .field_name = "publicKey", + .item = &ASN1_BIT_STRING_it, + }, +}; + +const ASN1_ITEM CMS_OriginatorPublicKey_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_OriginatorPublicKey_seq_tt, + .tcount = sizeof(CMS_OriginatorPublicKey_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_OriginatorPublicKey), + .sname = "CMS_OriginatorPublicKey", +}; + +static const ASN1_TEMPLATE CMS_OriginatorIdentifierOrKey_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_OriginatorIdentifierOrKey, d.issuerAndSerialNumber), + .field_name = "d.issuerAndSerialNumber", + .item = &CMS_IssuerAndSerialNumber_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 0, + .offset = offsetof(CMS_OriginatorIdentifierOrKey, d.subjectKeyIdentifier), + .field_name = "d.subjectKeyIdentifier", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 1, + .offset = offsetof(CMS_OriginatorIdentifierOrKey, d.originatorKey), + .field_name = "d.originatorKey", + .item = &CMS_OriginatorPublicKey_it, + }, +}; + +static const 
ASN1_ITEM CMS_OriginatorIdentifierOrKey_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(CMS_OriginatorIdentifierOrKey, type), + .templates = CMS_OriginatorIdentifierOrKey_ch_tt, + .tcount = sizeof(CMS_OriginatorIdentifierOrKey_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_OriginatorIdentifierOrKey), + .sname = "CMS_OriginatorIdentifierOrKey", +}; + +static int +cms_kari_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +{ + CMS_KeyAgreeRecipientInfo *kari = (CMS_KeyAgreeRecipientInfo *)*pval; + if (operation == ASN1_OP_NEW_POST) { + kari->ctx = EVP_CIPHER_CTX_new(); + if (kari->ctx == NULL) + return 0; + EVP_CIPHER_CTX_set_flags(kari->ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); + kari->pctx = NULL; + } else if (operation == ASN1_OP_FREE_POST) { + EVP_PKEY_CTX_free(kari->pctx); + EVP_CIPHER_CTX_free(kari->ctx); + } + return 1; +} + +static const ASN1_AUX CMS_KeyAgreeRecipientInfo_aux = { + .app_data = NULL, + .flags = 0, + .ref_offset = 0, + .ref_lock = 0, + .asn1_cb = cms_kari_cb, + .enc_offset = 0, +}; +static const ASN1_TEMPLATE CMS_KeyAgreeRecipientInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KeyAgreeRecipientInfo, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT, + .tag = 0, + .offset = offsetof(CMS_KeyAgreeRecipientInfo, originator), + .field_name = "originator", + .item = &CMS_OriginatorIdentifierOrKey_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(CMS_KeyAgreeRecipientInfo, ukm), + .field_name = "ukm", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KeyAgreeRecipientInfo, keyEncryptionAlgorithm), + .field_name = "keyEncryptionAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = ASN1_TFLG_SEQUENCE_OF, + .tag = 0, + .offset = offsetof(CMS_KeyAgreeRecipientInfo, recipientEncryptedKeys), + .field_name = "recipientEncryptedKeys", + .item = 
&CMS_RecipientEncryptedKey_it, + }, +}; + +const ASN1_ITEM CMS_KeyAgreeRecipientInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_KeyAgreeRecipientInfo_seq_tt, + .tcount = sizeof(CMS_KeyAgreeRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = &CMS_KeyAgreeRecipientInfo_aux, + .size = sizeof(CMS_KeyAgreeRecipientInfo), + .sname = "CMS_KeyAgreeRecipientInfo", +}; + +static const ASN1_TEMPLATE CMS_KEKIdentifier_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KEKIdentifier, keyIdentifier), + .field_name = "keyIdentifier", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_KEKIdentifier, date), + .field_name = "date", + .item = &ASN1_GENERALIZEDTIME_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_KEKIdentifier, other), + .field_name = "other", + .item = &CMS_OtherKeyAttribute_it, + }, +}; + +static const ASN1_ITEM CMS_KEKIdentifier_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_KEKIdentifier_seq_tt, + .tcount = sizeof(CMS_KEKIdentifier_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_KEKIdentifier), + .sname = "CMS_KEKIdentifier", +}; + +static const ASN1_TEMPLATE CMS_KEKRecipientInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KEKRecipientInfo, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KEKRecipientInfo, kekid), + .field_name = "kekid", + .item = &CMS_KEKIdentifier_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KEKRecipientInfo, keyEncryptionAlgorithm), + .field_name = "keyEncryptionAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_KEKRecipientInfo, encryptedKey), + .field_name = "encryptedKey", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +const ASN1_ITEM CMS_KEKRecipientInfo_it = { + .itype = 
ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_KEKRecipientInfo_seq_tt, + .tcount = sizeof(CMS_KEKRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_KEKRecipientInfo), + .sname = "CMS_KEKRecipientInfo", +}; + +static const ASN1_TEMPLATE CMS_PasswordRecipientInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_PasswordRecipientInfo, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_PasswordRecipientInfo, keyDerivationAlgorithm), + .field_name = "keyDerivationAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_PasswordRecipientInfo, keyEncryptionAlgorithm), + .field_name = "keyEncryptionAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_PasswordRecipientInfo, encryptedKey), + .field_name = "encryptedKey", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +const ASN1_ITEM CMS_PasswordRecipientInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_PasswordRecipientInfo_seq_tt, + .tcount = sizeof(CMS_PasswordRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_PasswordRecipientInfo), + .sname = "CMS_PasswordRecipientInfo", +}; + +static const ASN1_TEMPLATE CMS_OtherRecipientInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_OtherRecipientInfo, oriType), + .field_name = "oriType", + .item = &ASN1_OBJECT_it, + }, + { + .flags = ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_OtherRecipientInfo, oriValue), + .field_name = "oriValue", + .item = &ASN1_ANY_it, + }, +}; + +static const ASN1_ITEM CMS_OtherRecipientInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_OtherRecipientInfo_seq_tt, + .tcount = sizeof(CMS_OtherRecipientInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = 
NULL, + .size = sizeof(CMS_OtherRecipientInfo), + .sname = "CMS_OtherRecipientInfo", +}; + +/* Free up RecipientInfo additional data */ +static int +cms_ri_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +{ + if (operation == ASN1_OP_FREE_PRE) { + CMS_RecipientInfo *ri = (CMS_RecipientInfo *)*pval; + if (ri->type == CMS_RECIPINFO_TRANS) { + CMS_KeyTransRecipientInfo *ktri = ri->d.ktri; + EVP_PKEY_free(ktri->pkey); + X509_free(ktri->recip); + EVP_PKEY_CTX_free(ktri->pctx); + } else if (ri->type == CMS_RECIPINFO_KEK) { + CMS_KEKRecipientInfo *kekri = ri->d.kekri; + freezero(kekri->key, kekri->keylen); + } else if (ri->type == CMS_RECIPINFO_PASS) { + CMS_PasswordRecipientInfo *pwri = ri->d.pwri; + freezero(pwri->pass, pwri->passlen); + } + } + return 1; +} + +static const ASN1_AUX CMS_RecipientInfo_aux = { + .app_data = NULL, + .flags = 0, + .ref_offset = 0, + .ref_lock = 0, + .asn1_cb = cms_ri_cb, + .enc_offset = 0, +}; +static const ASN1_TEMPLATE CMS_RecipientInfo_ch_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_RecipientInfo, d.ktri), + .field_name = "d.ktri", + .item = &CMS_KeyTransRecipientInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 1, + .offset = offsetof(CMS_RecipientInfo, d.kari), + .field_name = "d.kari", + .item = &CMS_KeyAgreeRecipientInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 2, + .offset = offsetof(CMS_RecipientInfo, d.kekri), + .field_name = "d.kekri", + .item = &CMS_KEKRecipientInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 3, + .offset = offsetof(CMS_RecipientInfo, d.pwri), + .field_name = "d.pwri", + .item = &CMS_PasswordRecipientInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 4, + .offset = offsetof(CMS_RecipientInfo, d.ori), + .field_name = "d.ori", + .item = &CMS_OtherRecipientInfo_it, + }, +}; + +const ASN1_ITEM CMS_RecipientInfo_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(CMS_RecipientInfo, type), + .templates = CMS_RecipientInfo_ch_tt, + 
.tcount = sizeof(CMS_RecipientInfo_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = &CMS_RecipientInfo_aux, + .size = sizeof(CMS_RecipientInfo), + .sname = "CMS_RecipientInfo", +}; + +static const ASN1_TEMPLATE CMS_EnvelopedData_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_EnvelopedData, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_EnvelopedData, originatorInfo), + .field_name = "originatorInfo", + .item = &CMS_OriginatorInfo_it, + }, + { + .flags = ASN1_TFLG_SET_OF, + .tag = 0, + .offset = offsetof(CMS_EnvelopedData, recipientInfos), + .field_name = "recipientInfos", + .item = &CMS_RecipientInfo_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_EnvelopedData, encryptedContentInfo), + .field_name = "encryptedContentInfo", + .item = &CMS_EncryptedContentInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(CMS_EnvelopedData, unprotectedAttrs), + .field_name = "unprotectedAttrs", + .item = &X509_ATTRIBUTE_it, + }, +}; + +const ASN1_ITEM CMS_EnvelopedData_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_EnvelopedData_seq_tt, + .tcount = sizeof(CMS_EnvelopedData_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_EnvelopedData), + .sname = "CMS_EnvelopedData", +}; + +static const ASN1_TEMPLATE CMS_DigestedData_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_DigestedData, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_DigestedData, digestAlgorithm), + .field_name = "digestAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_DigestedData, encapContentInfo), + .field_name = "encapContentInfo", + .item = &CMS_EncapsulatedContentInfo_it, + }, + { + .flags = 0, + .tag = 0, + 
.offset = offsetof(CMS_DigestedData, digest), + .field_name = "digest", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +const ASN1_ITEM CMS_DigestedData_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_DigestedData_seq_tt, + .tcount = sizeof(CMS_DigestedData_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_DigestedData), + .sname = "CMS_DigestedData", +}; + +static const ASN1_TEMPLATE CMS_EncryptedData_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_EncryptedData, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_EncryptedData, encryptedContentInfo), + .field_name = "encryptedContentInfo", + .item = &CMS_EncryptedContentInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(CMS_EncryptedData, unprotectedAttrs), + .field_name = "unprotectedAttrs", + .item = &X509_ATTRIBUTE_it, + }, +}; + +const ASN1_ITEM CMS_EncryptedData_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_EncryptedData_seq_tt, + .tcount = sizeof(CMS_EncryptedData_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_EncryptedData), + .sname = "CMS_EncryptedData", +}; + +static const ASN1_TEMPLATE CMS_AuthenticatedData_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_AuthenticatedData, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_AuthenticatedData, originatorInfo), + .field_name = "originatorInfo", + .item = &CMS_OriginatorInfo_it, + }, + { + .flags = ASN1_TFLG_SET_OF, + .tag = 0, + .offset = offsetof(CMS_AuthenticatedData, recipientInfos), + .field_name = "recipientInfos", + .item = &CMS_RecipientInfo_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_AuthenticatedData, macAlgorithm), + 
.field_name = "macAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 1, + .offset = offsetof(CMS_AuthenticatedData, digestAlgorithm), + .field_name = "digestAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_AuthenticatedData, encapContentInfo), + .field_name = "encapContentInfo", + .item = &CMS_EncapsulatedContentInfo_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 2, + .offset = offsetof(CMS_AuthenticatedData, authAttrs), + .field_name = "authAttrs", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_AuthenticatedData, mac), + .field_name = "mac", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SET_OF | ASN1_TFLG_OPTIONAL, + .tag = 3, + .offset = offsetof(CMS_AuthenticatedData, unauthAttrs), + .field_name = "unauthAttrs", + .item = &X509_ALGOR_it, + }, +}; + +static const ASN1_ITEM CMS_AuthenticatedData_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_AuthenticatedData_seq_tt, + .tcount = sizeof(CMS_AuthenticatedData_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_AuthenticatedData), + .sname = "CMS_AuthenticatedData", +}; + +static const ASN1_TEMPLATE CMS_CompressedData_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_CompressedData, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_CompressedData, compressionAlgorithm), + .field_name = "compressionAlgorithm", + .item = &X509_ALGOR_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_CompressedData, encapContentInfo), + .field_name = "encapContentInfo", + .item = &CMS_EncapsulatedContentInfo_it, + }, +}; + +const ASN1_ITEM CMS_CompressedData_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_CompressedData_seq_tt, + 
.tcount = sizeof(CMS_CompressedData_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_CompressedData), + .sname = "CMS_CompressedData", +}; + +/* This is the ANY DEFINED BY table for the top level ContentInfo structure */ + +static const ASN1_TEMPLATE cms_default_tt = { + .flags = ASN1_TFLG_EXPLICIT, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.other), + .field_name = "d.other", + .item = &ASN1_ANY_it, +}; + +static const ASN1_ADB_TABLE CMS_ContentInfo_adbtbl[] = { + { + .value = NID_pkcs7_data, + .tt = { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.data), + .field_name = "d.data", + .item = &ASN1_OCTET_STRING_NDEF_it, + }, + + }, + { + .value = NID_pkcs7_signed, + .tt = { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.signedData), + .field_name = "d.signedData", + .item = &CMS_SignedData_it, + }, + + }, + { + .value = NID_pkcs7_enveloped, + .tt = { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.envelopedData), + .field_name = "d.envelopedData", + .item = &CMS_EnvelopedData_it, + }, + + }, + { + .value = NID_pkcs7_digest, + .tt = { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.digestedData), + .field_name = "d.digestedData", + .item = &CMS_DigestedData_it, + }, + + }, + { + .value = NID_pkcs7_encrypted, + .tt = { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.encryptedData), + .field_name = "d.encryptedData", + .item = &CMS_EncryptedData_it, + }, + + }, + { + .value = NID_id_smime_ct_authData, + .tt = { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.authenticatedData), + .field_name = "d.authenticatedData", + .item = &CMS_AuthenticatedData_it, + }, + + }, + { + .value = NID_id_smime_ct_compressedData, + .tt = { + .flags = 
ASN1_TFLG_EXPLICIT | ASN1_TFLG_NDEF, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, d.compressedData), + .field_name = "d.compressedData", + .item = &CMS_CompressedData_it, + }, + + }, +}; + +static const ASN1_ADB CMS_ContentInfo_adb = { + .flags = 0, + .offset = offsetof(CMS_ContentInfo, contentType), + .app_items = 0, + .tbl = CMS_ContentInfo_adbtbl, + .tblcount = sizeof(CMS_ContentInfo_adbtbl) / sizeof(ASN1_ADB_TABLE), + .default_tt = &cms_default_tt, + .null_tt = NULL, +}; + +/* CMS streaming support */ +static int +cms_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +{ + ASN1_STREAM_ARG *sarg = exarg; + CMS_ContentInfo *cms = NULL; + if (pval) + cms = (CMS_ContentInfo *)*pval; + else + return 1; + switch (operation) { + + case ASN1_OP_STREAM_PRE: + if (CMS_stream(&sarg->boundary, cms) <= 0) + return 0; + /* fall thru */ + case ASN1_OP_DETACHED_PRE: + sarg->ndef_bio = CMS_dataInit(cms, sarg->out); + if (!sarg->ndef_bio) + return 0; + break; + + case ASN1_OP_STREAM_POST: + case ASN1_OP_DETACHED_POST: + if (CMS_dataFinal(cms, sarg->ndef_bio) <= 0) + return 0; + break; + + } + return 1; +} + +static const ASN1_AUX CMS_ContentInfo_aux = { + .app_data = NULL, + .flags = 0, + .ref_offset = 0, + .ref_lock = 0, + .asn1_cb = cms_cb, + .enc_offset = 0, +}; +static const ASN1_TEMPLATE CMS_ContentInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_ContentInfo, contentType), + .field_name = "contentType", + .item = &ASN1_OBJECT_it, + }, + { + .flags = ASN1_TFLG_ADB_OID, + .tag = -1, + .offset = 0, + .field_name = "CMS_ContentInfo", + .item = (const ASN1_ITEM *)&CMS_ContentInfo_adb, + }, +}; + +const ASN1_ITEM CMS_ContentInfo_it = { + .itype = ASN1_ITYPE_NDEF_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_ContentInfo_seq_tt, + .tcount = sizeof(CMS_ContentInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = &CMS_ContentInfo_aux, + .size = sizeof(CMS_ContentInfo), + .sname = "CMS_ContentInfo", +}; + +/* Specials for signed 
attributes */ + +/* + * When signing attributes we want to reorder them to match the sorted + * encoding. + */ + +static const ASN1_TEMPLATE CMS_Attributes_Sign_item_tt = { + .flags = ASN1_TFLG_SET_ORDER, + .tag = 0, + .offset = 0, + .field_name = "CMS_ATTRIBUTES", + .item = &X509_ATTRIBUTE_it, +}; + +const ASN1_ITEM CMS_Attributes_Sign_it = { + .itype = ASN1_ITYPE_PRIMITIVE, + .utype = -1, + .templates = &CMS_Attributes_Sign_item_tt, + .tcount = 0, + .funcs = NULL, + .size = 0, + .sname = "CMS_Attributes_Sign", +}; + +/* + * When verifying attributes we need to use the received order. So we use + * SEQUENCE OF and tag it to SET OF + */ + +static const ASN1_TEMPLATE CMS_Attributes_Verify_item_tt = { + .flags = ASN1_TFLG_SEQUENCE_OF | ASN1_TFLG_IMPTAG | ASN1_TFLG_UNIVERSAL, + .tag = V_ASN1_SET, + .offset = 0, + .field_name = "CMS_ATTRIBUTES", + .item = &X509_ATTRIBUTE_it, +}; + +const ASN1_ITEM CMS_Attributes_Verify_it = { + .itype = ASN1_ITYPE_PRIMITIVE, + .utype = -1, + .templates = &CMS_Attributes_Verify_item_tt, + .tcount = 0, + .funcs = NULL, + .size = 0, + .sname = "CMS_Attributes_Verify", +}; + + + +static const ASN1_TEMPLATE CMS_ReceiptsFrom_ch_tt[] = { + { + .flags = ASN1_TFLG_IMPLICIT, + .tag = 0, + .offset = offsetof(CMS_ReceiptsFrom, d.allOrFirstTier), + .field_name = "d.allOrFirstTier", + .item = &LONG_it, + }, + { + .flags = ASN1_TFLG_IMPLICIT | ASN1_TFLG_SEQUENCE_OF, + .tag = 1, + .offset = offsetof(CMS_ReceiptsFrom, d.receiptList), + .field_name = "d.receiptList", + .item = &GENERAL_NAMES_it, + }, +}; + +static const ASN1_ITEM CMS_ReceiptsFrom_it = { + .itype = ASN1_ITYPE_CHOICE, + .utype = offsetof(CMS_ReceiptsFrom, type), + .templates = CMS_ReceiptsFrom_ch_tt, + .tcount = sizeof(CMS_ReceiptsFrom_ch_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_ReceiptsFrom), + .sname = "CMS_ReceiptsFrom", +}; + +static const ASN1_TEMPLATE CMS_ReceiptRequest_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_ReceiptRequest, 
signedContentIdentifier), + .field_name = "signedContentIdentifier", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_ReceiptRequest, receiptsFrom), + .field_name = "receiptsFrom", + .item = &CMS_ReceiptsFrom_it, + }, + { + .flags = ASN1_TFLG_SEQUENCE_OF, + .tag = 0, + .offset = offsetof(CMS_ReceiptRequest, receiptsTo), + .field_name = "receiptsTo", + .item = &GENERAL_NAMES_it, + }, +}; + +const ASN1_ITEM CMS_ReceiptRequest_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_ReceiptRequest_seq_tt, + .tcount = sizeof(CMS_ReceiptRequest_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_ReceiptRequest), + .sname = "CMS_ReceiptRequest", +}; + +static const ASN1_TEMPLATE CMS_Receipt_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_Receipt, version), + .field_name = "version", + .item = &LONG_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_Receipt, contentType), + .field_name = "contentType", + .item = &ASN1_OBJECT_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_Receipt, signedContentIdentifier), + .field_name = "signedContentIdentifier", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_Receipt, originatorSignatureValue), + .field_name = "originatorSignatureValue", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +const ASN1_ITEM CMS_Receipt_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_Receipt_seq_tt, + .tcount = sizeof(CMS_Receipt_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_Receipt), + .sname = "CMS_Receipt", +}; + +/* + * Utilities to encode the CMS_SharedInfo structure used during key + * derivation. 
+ */ + +typedef struct { + X509_ALGOR *keyInfo; + ASN1_OCTET_STRING *entityUInfo; + ASN1_OCTET_STRING *suppPubInfo; +} CMS_SharedInfo; + +static const ASN1_TEMPLATE CMS_SharedInfo_seq_tt[] = { + { + .flags = 0, + .tag = 0, + .offset = offsetof(CMS_SharedInfo, keyInfo), + .field_name = "keyInfo", + .item = &X509_ALGOR_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(CMS_SharedInfo, entityUInfo), + .field_name = "entityUInfo", + .item = &ASN1_OCTET_STRING_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 2, + .offset = offsetof(CMS_SharedInfo, suppPubInfo), + .field_name = "suppPubInfo", + .item = &ASN1_OCTET_STRING_it, + }, +}; + +static const ASN1_ITEM CMS_SharedInfo_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = CMS_SharedInfo_seq_tt, + .tcount = sizeof(CMS_SharedInfo_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = NULL, + .size = sizeof(CMS_SharedInfo), + .sname = "CMS_SharedInfo", +}; + +int +CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg, + ASN1_OCTET_STRING *ukm, int keylen) +{ + union { + CMS_SharedInfo *pecsi; + ASN1_VALUE *a; + } intsi = { + NULL + }; + + ASN1_OCTET_STRING oklen; + unsigned char kl[4]; + CMS_SharedInfo ecsi; + + keylen <<= 3; + kl[0] = (keylen >> 24) & 0xff; + kl[1] = (keylen >> 16) & 0xff; + kl[2] = (keylen >> 8) & 0xff; + kl[3] = keylen & 0xff; + oklen.length = 4; + oklen.data = kl; + oklen.type = V_ASN1_OCTET_STRING; + oklen.flags = 0; + ecsi.keyInfo = kekalg; + ecsi.entityUInfo = ukm; + ecsi.suppPubInfo = &oklen; + intsi.pecsi = &ecsi; + + return ASN1_item_i2d(intsi.a, pder, &CMS_SharedInfo_it); +} diff --git a/crypto/cms/cms_att.c b/crypto/cms/cms_att.c new file mode 100644 index 0000000..b03c743 --- /dev/null +++ b/crypto/cms/cms_att.c 
@@ -0,0 +1,211 @@ +/* $OpenBSD: cms_att.c,v 1.9 2019/08/10 18:15:52 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include +#include +#include +#include +#include "cms_lcl.h" + +/* CMS SignedData Attribute utilities */ + +int +CMS_signed_get_attr_count(const CMS_SignerInfo *si) +{ + return X509at_get_attr_count(si->signedAttrs); +} + +int +CMS_signed_get_attr_by_NID(const CMS_SignerInfo *si, int nid, int lastpos) +{ + return X509at_get_attr_by_NID(si->signedAttrs, nid, lastpos); +} + +int +CMS_signed_get_attr_by_OBJ(const CMS_SignerInfo *si, const ASN1_OBJECT *obj, + int lastpos) +{ + return X509at_get_attr_by_OBJ(si->signedAttrs, obj, lastpos); +} + +X509_ATTRIBUTE * +CMS_signed_get_attr(const CMS_SignerInfo *si, int loc) +{ + return X509at_get_attr(si->signedAttrs, loc); +} + +X509_ATTRIBUTE * +CMS_signed_delete_attr(CMS_SignerInfo *si, int loc) +{ + return X509at_delete_attr(si->signedAttrs, loc); +} + +int +CMS_signed_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr) +{ + if (X509at_add1_attr(&si->signedAttrs, attr)) + return 1; + return 0; +} + +int +CMS_signed_add1_attr_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *obj, int type, + const void *bytes, int len) +{ + if (X509at_add1_attr_by_OBJ(&si->signedAttrs, obj, type, bytes, len)) + return 1; + return 0; +} + +int +CMS_signed_add1_attr_by_NID(CMS_SignerInfo *si, int nid, int type, + const void *bytes, int len) +{ + if (X509at_add1_attr_by_NID(&si->signedAttrs, nid, type, bytes, len)) + 
return 1; + return 0; +} + +int +CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si, const char *attrname, int type, + const void *bytes, int len) +{ + if (X509at_add1_attr_by_txt(&si->signedAttrs, attrname, type, bytes, len)) + return 1; + return 0; +} + +void * +CMS_signed_get0_data_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *oid, + int lastpos, int type) +{ + return X509at_get0_data_by_OBJ(si->signedAttrs, oid, lastpos, type); +} + +int +CMS_unsigned_get_attr_count(const CMS_SignerInfo *si) +{ + return X509at_get_attr_count(si->unsignedAttrs); +} + +int +CMS_unsigned_get_attr_by_NID(const CMS_SignerInfo *si, int nid, int lastpos) +{ + return X509at_get_attr_by_NID(si->unsignedAttrs, nid, lastpos); +} + +int +CMS_unsigned_get_attr_by_OBJ(const CMS_SignerInfo *si, const ASN1_OBJECT *obj, + int lastpos) +{ + return X509at_get_attr_by_OBJ(si->unsignedAttrs, obj, lastpos); +} + +X509_ATTRIBUTE * +CMS_unsigned_get_attr(const CMS_SignerInfo *si, int loc) +{ + return X509at_get_attr(si->unsignedAttrs, loc); +} + +X509_ATTRIBUTE * +CMS_unsigned_delete_attr(CMS_SignerInfo *si, int loc) +{ + return X509at_delete_attr(si->unsignedAttrs, loc); +} + +int +CMS_unsigned_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr) +{ + if (X509at_add1_attr(&si->unsignedAttrs, attr)) + return 1; + return 0; +} + +int +CMS_unsigned_add1_attr_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *obj, + int type, const void *bytes, int len) +{ + if (X509at_add1_attr_by_OBJ(&si->unsignedAttrs, obj, type, bytes, len)) + return 1; + return 0; +} + +int +CMS_unsigned_add1_attr_by_NID(CMS_SignerInfo *si, int nid, int type, + const void *bytes, int len) +{ + if (X509at_add1_attr_by_NID(&si->unsignedAttrs, nid, type, bytes, len)) + return 1; + return 0; +} + +int +CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si, const char *attrname, + int type, const void *bytes, int len) +{ + if (X509at_add1_attr_by_txt(&si->unsignedAttrs, attrname, type, + bytes, len)) + return 1; + return 0; +} + +void * 
+CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid, int lastpos, + int type) +{ + return X509at_get0_data_by_OBJ(si->unsignedAttrs, oid, lastpos, type); +} + +/* Specific attribute cases */ diff --git a/crypto/cms/cms_cd.c b/crypto/cms/cms_cd.c new file mode 100644 index 0000000..ec67cf1 --- /dev/null +++ b/crypto/cms/cms_cd.c 
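Review bot: `CMS_unsigned_get0_data_by_OBJ` takes a non-const `ASN1_OBJECT *oid` while its counterpart `CMS_signed_get0_data_by_OBJ` earlier in the hunk takes `const ASN1_OBJECT *oid`, even though both just forward to `X509at_get0_data_by_OBJ`; the mismatch forces callers holding a const object to cast for one accessor but not the other. Declare it `CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *oid, int lastpos, int type)` (presumably the prototype in the public header needs the same change, which is outside this hunk). The trailing `/* Specific attribute cases */` comment closes the file with nothing after it; either drop it or make it say where those helpers live, e.g. `/* Specific attribute cases (content-type, message-digest, signing-time) are handled in cms_sd.c. */` if that is indeed the case.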
@@ -0,0 +1,128 @@ +/* $OpenBSD: cms_cd.c,v 1.15 2019/08/11 11:04:18 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" + +#ifdef ZLIB + +/* CMS CompressedData Utilities */ + +CMS_ContentInfo * +cms_CompressedData_create(int comp_nid) +{ + CMS_ContentInfo *cms; + CMS_CompressedData *cd; + + /* + * Will need something cleverer if there is ever more than one + * compression algorithm or parameters have some meaning... 
+ */ + if (comp_nid != NID_zlib_compression) { + CMSerror(CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM); + return NULL; + } + cms = CMS_ContentInfo_new(); + if (cms == NULL) + return NULL; + + cd = (CMS_CompressedData *)ASN1_item_new(&CMS_CompressedData_it); + + if (cd == NULL) + goto err; + + cms->contentType = OBJ_nid2obj(NID_id_smime_ct_compressedData); + cms->d.compressedData = cd; + + cd->version = 0; + + X509_ALGOR_set0(cd->compressionAlgorithm, + OBJ_nid2obj(NID_zlib_compression), V_ASN1_UNDEF, NULL); + + cd->encapContentInfo->eContentType = OBJ_nid2obj(NID_pkcs7_data); + + return cms; + + err: + CMS_ContentInfo_free(cms); + return NULL; +} + +BIO * +cms_CompressedData_init_bio(CMS_ContentInfo *cms) +{ + CMS_CompressedData *cd; + const ASN1_OBJECT *compoid; + + if (OBJ_obj2nid(cms->contentType) != NID_id_smime_ct_compressedData) { + CMSerror(CMS_R_CONTENT_TYPE_NOT_COMPRESSED_DATA); + return NULL; + } + cd = cms->d.compressedData; + X509_ALGOR_get0(&compoid, NULL, NULL, cd->compressionAlgorithm); + if (OBJ_obj2nid(compoid) != NID_zlib_compression) { + CMSerror(CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM); + return NULL; + } + return BIO_new(BIO_f_zlib()); +} + +#endif diff --git a/crypto/cms/cms_dd.c b/crypto/cms/cms_dd.c new file mode 100644 index 0000000..f1aafe3 --- /dev/null +++ b/crypto/cms/cms_dd.c 
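Review bot: `cms_CompressedData_init_bio` returns an unbounded `BIO_f_zlib()` inflate filter for sender-supplied CompressedData, so the amount of plaintext produced is entirely under the sender's control and nothing in this file caps it. Unless a limit is enforced higher up in the CMS data path (not visible here), the function should carry a warning for callers: `/* NOTE: inflation is unbounded; callers decoding untrusted CompressedData must cap the output size. */`. Separately, `cms_CompressedData_create` ignores the return value of `X509_ALGOR_set0()`; `cd` is freshly allocated so `compressionAlgorithm` is non-NULL and the call cannot fail today, but `if (!X509_ALGOR_set0(cd->compressionAlgorithm, OBJ_nid2obj(NID_zlib_compression), V_ASN1_UNDEF, NULL)) goto err;` keeps it consistent with the error handling around it.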
@@ -0,0 +1,150 @@ +/* $OpenBSD: cms_dd.c,v 1.14 2019/08/11 11:04:18 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include "cms_lcl.h" + +/* CMS DigestedData Utilities */ + +CMS_ContentInfo * +cms_DigestedData_create(const EVP_MD *md) +{ + CMS_ContentInfo *cms; + CMS_DigestedData *dd; + + cms = CMS_ContentInfo_new(); + if (cms == NULL) + return NULL; + + dd = (CMS_DigestedData *)ASN1_item_new(&CMS_DigestedData_it); + + if (dd == NULL) + goto err; + + cms->contentType = OBJ_nid2obj(NID_pkcs7_digest); + cms->d.digestedData = dd; + + dd->version = 0; + dd->encapContentInfo->eContentType = OBJ_nid2obj(NID_pkcs7_data); + + X509_ALGOR_set_md(dd->digestAlgorithm, md); + + return cms; + + err: + CMS_ContentInfo_free(cms); + + return NULL; +} + +BIO * +cms_DigestedData_init_bio(CMS_ContentInfo *cms) +{ + CMS_DigestedData *dd; + + dd = cms->d.digestedData; + + return cms_DigestAlgorithm_init_bio(dd->digestAlgorithm); +} + +int +cms_DigestedData_do_final(CMS_ContentInfo *cms, BIO *chain, int verify) +{ + EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int mdlen; + int r = 0; + CMS_DigestedData *dd; + + if (mctx == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + + dd = cms->d.digestedData; + + if (!cms_DigestAlgorithm_find_ctx(mctx, chain, dd->digestAlgorithm)) + goto err; + + if (EVP_DigestFinal_ex(mctx, md, &mdlen) <= 0) + goto err; + + 
if (verify) { + if (mdlen != (unsigned int)dd->digest->length) { + CMSerror(CMS_R_MESSAGEDIGEST_WRONG_LENGTH); + goto err; + } + + if (memcmp(md, dd->digest->data, mdlen)) + CMSerror(CMS_R_VERIFICATION_FAILURE); + else + r = 1; + } else { + if (!ASN1_STRING_set(dd->digest, md, mdlen)) + goto err; + r = 1; + } + + err: + EVP_MD_CTX_free(mctx); + + return r; +} diff --git a/crypto/cms/cms_enc.c b/crypto/cms/cms_enc.c new file mode 100644 index 0000000..fd2df99 --- /dev/null +++ b/crypto/cms/cms_enc.c 
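Review bot: `cms_DigestedData_do_final` checks the received digest with a plain `memcmp(md, dd->digest->data, mdlen)`; the digest over DigestedData is not a secret, so this is not an obvious timing oracle, but digest and MAC comparisons elsewhere in LibreSSL are generally done with a constant-time routine and it costs nothing to be consistent: `if (timingsafe_memcmp(md, dd->digest->data, mdlen) != 0)`. The preceding length check casts the `int` field `dd->digest->length` to `unsigned int` before comparing; a decoded OCTET STRING should never yield a negative length, but a `dd->digest->length < 0` guard in the same condition would make the intent explicit.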
@@ -0,0 +1,262 @@ +/* $OpenBSD: cms_enc.c,v 1.20 2019/08/11 11:04:18 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" + +/* CMS EncryptedData Utilities */ + +/* Return BIO based on EncryptedContentInfo and key */ + +BIO * +cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec) +{ + BIO *b; + EVP_CIPHER_CTX *ctx; + const EVP_CIPHER *ciph; + X509_ALGOR *calg = ec->contentEncryptionAlgorithm; + unsigned char iv[EVP_MAX_IV_LENGTH], *piv = NULL; + unsigned char *tkey = NULL; + size_t tkeylen = 0; + + int ok = 0; + + int enc, keep_key = 0; + + enc = ec->cipher ? 1 : 0; + + b = BIO_new(BIO_f_cipher()); + if (b == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + return NULL; + } + + BIO_get_cipher_ctx(b, &ctx); + + if (enc) { + ciph = ec->cipher; + /* + * If not keeping key set cipher to NULL so subsequent calls decrypt. 
+ */ + if (ec->key) + ec->cipher = NULL; + } else { + ciph = EVP_get_cipherbyobj(calg->algorithm); + + if (!ciph) { + CMSerror(CMS_R_UNKNOWN_CIPHER); + goto err; + } + } + + if (EVP_CipherInit_ex(ctx, ciph, NULL, NULL, NULL, enc) <= 0) { + CMSerror(CMS_R_CIPHER_INITIALISATION_ERROR); + goto err; + } + + if (enc) { + int ivlen; + calg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(ctx)); + /* Generate a random IV if we need one */ + ivlen = EVP_CIPHER_CTX_iv_length(ctx); + if (ivlen > 0) { + arc4random_buf(iv, ivlen); + piv = iv; + } + } else if (EVP_CIPHER_asn1_to_param(ctx, calg->parameter) <= 0) { + CMSerror(CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); + goto err; + } + tkeylen = EVP_CIPHER_CTX_key_length(ctx); + /* Generate random session key */ + if (!enc || !ec->key) { + tkey = malloc(tkeylen); + if (tkey == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + if (EVP_CIPHER_CTX_rand_key(ctx, tkey) <= 0) + goto err; + } + + if (!ec->key) { + ec->key = tkey; + ec->keylen = tkeylen; + tkey = NULL; + if (enc) + keep_key = 1; + else + ERR_clear_error(); + + } + + if (ec->keylen != tkeylen) { + /* If necessary set key length */ + if (EVP_CIPHER_CTX_set_key_length(ctx, ec->keylen) <= 0) { + /* + * Only reveal failure if debugging so we don't leak information + * which may be useful in MMA. 
+ */ + if (enc || ec->debug) { + CMSerror(CMS_R_INVALID_KEY_LENGTH); + goto err; + } else { + /* Use random key */ + freezero(ec->key, ec->keylen); + ec->key = tkey; + ec->keylen = tkeylen; + tkey = NULL; + ERR_clear_error(); + } + } + } + + if (EVP_CipherInit_ex(ctx, NULL, NULL, ec->key, piv, enc) <= 0) { + CMSerror(CMS_R_CIPHER_INITIALISATION_ERROR); + goto err; + } + if (enc) { + calg->parameter = ASN1_TYPE_new(); + if (calg->parameter == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + if (EVP_CIPHER_param_to_asn1(ctx, calg->parameter) <= 0) { + CMSerror(CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); + goto err; + } + /* If parameter type not set omit parameter */ + if (calg->parameter->type == V_ASN1_UNDEF) { + ASN1_TYPE_free(calg->parameter); + calg->parameter = NULL; + } + } + ok = 1; + + err: + if (!keep_key || !ok) { + freezero(ec->key, ec->keylen); + ec->key = NULL; + } + freezero(tkey, tkeylen); + if (ok) + return b; + BIO_free(b); + return NULL; +} + +int +cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, + const EVP_CIPHER *cipher, const unsigned char *key, size_t keylen) +{ + ec->cipher = cipher; + if (key) { + if ((ec->key = malloc(keylen)) == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; + } + memcpy(ec->key, key, keylen); + } + ec->keylen = keylen; + if (cipher) + ec->contentType = OBJ_nid2obj(NID_pkcs7_data); + + return 1; +} + +int +CMS_EncryptedData_set1_key(CMS_ContentInfo *cms, const EVP_CIPHER *ciph, + const unsigned char *key, size_t keylen) +{ + CMS_EncryptedContentInfo *ec; + + if (!key || !keylen) { + CMSerror(CMS_R_NO_KEY); + return 0; + } + if (ciph) { + cms->d.encryptedData = (CMS_EncryptedData *)ASN1_item_new(&CMS_EncryptedData_it); + if (!cms->d.encryptedData) { + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; + } + cms->contentType = OBJ_nid2obj(NID_pkcs7_encrypted); + cms->d.encryptedData->version = 0; + } else if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_encrypted) { + CMSerror(CMS_R_NOT_ENCRYPTED_DATA); + 
return 0; + } + ec = cms->d.encryptedData->encryptedContentInfo; + + return cms_EncryptedContent_init(ec, ciph, key, keylen); +} + +BIO * +cms_EncryptedData_init_bio(CMS_ContentInfo *cms) +{ + CMS_EncryptedData *enc = cms->d.encryptedData; + + if (enc->encryptedContentInfo->cipher && enc->unprotectedAttrs) + enc->version = 2; + + return cms_EncryptedContent_init_bio(enc->encryptedContentInfo); +} diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c new file mode 100644 index 0000000..74d957e --- /dev/null +++ b/crypto/cms/cms_env.c 
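Review bot: `CMS_EncryptedData_set1_key` overwrites `cms->d.encryptedData` and `cms->contentType` unconditionally whenever `ciph` is non-NULL, so a `cms` that already carries content leaks it, and the previous `contentType` object is leaked if it was heap-allocated; the sibling `cms_enveloped_data_init` in cms_env.c only allocates when `cms->d.other == NULL` and calls `ASN1_OBJECT_free(cms->contentType)` before reassigning. At minimum add `ASN1_OBJECT_free(cms->contentType);` before the assignment, and either require `cms->d.other == NULL` or document that the function expects a fresh `CMS_ContentInfo`. In `cms_EncryptedContent_init`, `ec->key` is assigned a new `malloc()` without releasing a previous key, so calling `CMS_EncryptedData_set1_key` twice on the same object leaks the first key without zeroing it; `freezero(ec->key, ec->keylen);` before the allocation addresses that. The remaining `cms_EncryptedContent_init_bio` logic deliberately substitutes a random key on a bad key length when decrypting (the MMA comment), which is correct and should be kept.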
@@ -0,0 +1,978 @@ +/* $OpenBSD: cms_env.c,v 1.23 2019/10/04 18:03:56 tb Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" +#include "asn1/asn1_locl.h" +#include "evp/evp_locl.h" + +/* CMS EnvelopedData Utilities */ + +CMS_EnvelopedData * +cms_get0_enveloped(CMS_ContentInfo *cms) +{ + if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_enveloped) { + CMSerror(CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA); + return NULL; + } + return cms->d.envelopedData; +} + +static CMS_EnvelopedData * +cms_enveloped_data_init(CMS_ContentInfo *cms) +{ + if (cms->d.other == NULL) { + cms->d.envelopedData = (CMS_EnvelopedData *)ASN1_item_new(&CMS_EnvelopedData_it); + if (!cms->d.envelopedData) { + CMSerror(ERR_R_MALLOC_FAILURE); + return NULL; + } + cms->d.envelopedData->version = 0; + cms->d.envelopedData->encryptedContentInfo->contentType = + OBJ_nid2obj(NID_pkcs7_data); + ASN1_OBJECT_free(cms->contentType); + cms->contentType = OBJ_nid2obj(NID_pkcs7_enveloped); + return cms->d.envelopedData; + } + return cms_get0_enveloped(cms); +} + +int +cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd) +{ + EVP_PKEY *pkey; + int i; + + if (ri->type == CMS_RECIPINFO_TRANS) + pkey = ri->d.ktri->pkey; + else if (ri->type == CMS_RECIPINFO_AGREE) { + EVP_PKEY_CTX *pctx = ri->d.kari->pctx; + if (!pctx) + return 0; + pkey = EVP_PKEY_CTX_get0_pkey(pctx); + if (!pkey) + return 0; + } else + return 0; + 
if (!pkey->ameth || !pkey->ameth->pkey_ctrl) + return 1; + i = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_CMS_ENVELOPE, cmd, ri); + if (i == -2) { + CMSerror(CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); + return 0; + } + if (i <= 0) { + CMSerror(CMS_R_CTRL_FAILURE); + return 0; + } + + return 1; +} + +STACK_OF(CMS_RecipientInfo) * +CMS_get0_RecipientInfos(CMS_ContentInfo *cms) +{ + CMS_EnvelopedData *env; + + env = cms_get0_enveloped(cms); + if (!env) + return NULL; + + return env->recipientInfos; +} + +int +CMS_RecipientInfo_type(CMS_RecipientInfo *ri) +{ + return ri->type; +} + +EVP_PKEY_CTX * +CMS_RecipientInfo_get0_pkey_ctx(CMS_RecipientInfo *ri) +{ + if (ri->type == CMS_RECIPINFO_TRANS) + return ri->d.ktri->pctx; + else if (ri->type == CMS_RECIPINFO_AGREE) + return ri->d.kari->pctx; + + return NULL; +} + +CMS_ContentInfo * +CMS_EnvelopedData_create(const EVP_CIPHER *cipher) +{ + CMS_ContentInfo *cms; + CMS_EnvelopedData *env; + + cms = CMS_ContentInfo_new(); + if (cms == NULL) + goto merr; + env = cms_enveloped_data_init(cms); + if (env == NULL) + goto merr; + if (!cms_EncryptedContent_init(env->encryptedContentInfo, cipher, + NULL, 0)) + goto merr; + + return cms; + + merr: + CMS_ContentInfo_free(cms); + CMSerror(ERR_R_MALLOC_FAILURE); + return NULL; +} + +/* Key Transport Recipient Info (KTRI) routines */ + +/* Initialise a ktri based on passed certificate and key */ + +static int +cms_RecipientInfo_ktri_init(CMS_RecipientInfo *ri, X509 *recip, EVP_PKEY *pk, + unsigned int flags) +{ + CMS_KeyTransRecipientInfo *ktri; + int idtype; + + ri->d.ktri = (CMS_KeyTransRecipientInfo *)ASN1_item_new(&CMS_KeyTransRecipientInfo_it); + if (!ri->d.ktri) + return 0; + ri->type = CMS_RECIPINFO_TRANS; + + ktri = ri->d.ktri; + + if (flags & CMS_USE_KEYID) { + ktri->version = 2; + idtype = CMS_RECIPINFO_KEYIDENTIFIER; + } else { + ktri->version = 0; + idtype = CMS_RECIPINFO_ISSUER_SERIAL; + } + + /* + * Not a typo: RecipientIdentifier and SignerIdentifier are the same + * 
structure. + */ + + if (!cms_set1_SignerIdentifier(ktri->rid, recip, idtype)) + return 0; + + X509_up_ref(recip); + EVP_PKEY_up_ref(pk); + + ktri->pkey = pk; + ktri->recip = recip; + + if (flags & CMS_KEY_PARAM) { + ktri->pctx = EVP_PKEY_CTX_new(ktri->pkey, NULL); + if (ktri->pctx == NULL) + return 0; + if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0) + return 0; + } else if (!cms_env_asn1_ctrl(ri, 0)) + return 0; + + return 1; +} + +/* + * Add a recipient certificate using appropriate type of RecipientInfo + */ + +CMS_RecipientInfo * +CMS_add1_recipient_cert(CMS_ContentInfo *cms, X509 *recip, unsigned int flags) +{ + CMS_RecipientInfo *ri = NULL; + CMS_EnvelopedData *env; + EVP_PKEY *pk = NULL; + + env = cms_get0_enveloped(cms); + if (!env) + goto err; + + /* Initialize recipient info */ + ri = (CMS_RecipientInfo *)ASN1_item_new(&CMS_RecipientInfo_it); + if (!ri) + goto merr; + + pk = X509_get0_pubkey(recip); + if (!pk) { + CMSerror(CMS_R_ERROR_GETTING_PUBLIC_KEY); + goto err; + } + + switch (cms_pkey_get_ri_type(pk)) { + + case CMS_RECIPINFO_TRANS: + if (!cms_RecipientInfo_ktri_init(ri, recip, pk, flags)) + goto err; + break; + + case CMS_RECIPINFO_AGREE: + if (!cms_RecipientInfo_kari_init(ri, recip, pk, flags)) + goto err; + break; + + default: + CMSerror(CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); + goto err; + + } + + if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri)) + goto merr; + + return ri; + + merr: + CMSerror(ERR_R_MALLOC_FAILURE); + err: + ASN1_item_free((ASN1_VALUE *)ri, &CMS_RecipientInfo_it); + return NULL; +} + +int +CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri, EVP_PKEY **pk, + X509 **recip, X509_ALGOR **palg) +{ + CMS_KeyTransRecipientInfo *ktri; + + if (ri->type != CMS_RECIPINFO_TRANS) { + CMSerror(CMS_R_NOT_KEY_TRANSPORT); + return 0; + } + + ktri = ri->d.ktri; + + if (pk) + *pk = ktri->pkey; + if (recip) + *recip = ktri->recip; + if (palg) + *palg = ktri->keyEncryptionAlgorithm; + + return 1; +} + +int 
+CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri, + ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno) +{ + CMS_KeyTransRecipientInfo *ktri; + + if (ri->type != CMS_RECIPINFO_TRANS) { + CMSerror(CMS_R_NOT_KEY_TRANSPORT); + return 0; + } + ktri = ri->d.ktri; + + return cms_SignerIdentifier_get0_signer_id(ktri->rid, keyid, issuer, sno); +} + +int +CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert) +{ + if (ri->type != CMS_RECIPINFO_TRANS) { + CMSerror(CMS_R_NOT_KEY_TRANSPORT); + return -2; + } + + return cms_SignerIdentifier_cert_cmp(ri->d.ktri->rid, cert); +} + +int +CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey) +{ + if (ri->type != CMS_RECIPINFO_TRANS) { + CMSerror(CMS_R_NOT_KEY_TRANSPORT); + return 0; + } + EVP_PKEY_free(ri->d.ktri->pkey); + ri->d.ktri->pkey = pkey; + + return 1; +} + +/* Encrypt content key in key transport recipient info */ + +static int +cms_RecipientInfo_ktri_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) +{ + CMS_KeyTransRecipientInfo *ktri; + CMS_EncryptedContentInfo *ec; + EVP_PKEY_CTX *pctx; + unsigned char *ek = NULL; + size_t eklen; + + int ret = 0; + + if (ri->type != CMS_RECIPINFO_TRANS) { + CMSerror(CMS_R_NOT_KEY_TRANSPORT); + return 0; + } + ktri = ri->d.ktri; + ec = cms->d.envelopedData->encryptedContentInfo; + + pctx = ktri->pctx; + + if (pctx) { + if (!cms_env_asn1_ctrl(ri, 0)) + goto err; + } else { + pctx = EVP_PKEY_CTX_new(ktri->pkey, NULL); + if (pctx == NULL) + return 0; + + if (EVP_PKEY_encrypt_init(pctx) <= 0) + goto err; + } + + if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_ENCRYPT, + EVP_PKEY_CTRL_CMS_ENCRYPT, 0, ri) <= 0) { + CMSerror(CMS_R_CTRL_ERROR); + goto err; + } + + if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0) + goto err; + + ek = malloc(eklen); + + if (ek == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + + if (EVP_PKEY_encrypt(pctx, ek, &eklen, ec->key, ec->keylen) <= 0) + goto err; + + 
ASN1_STRING_set0(ktri->encryptedKey, ek, eklen); + ek = NULL; + + ret = 1; + + err: + EVP_PKEY_CTX_free(pctx); + ktri->pctx = NULL; + free(ek); + + return ret; +} + +/* Decrypt content key from KTRI */ + +static int +cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) +{ + CMS_KeyTransRecipientInfo *ktri = ri->d.ktri; + EVP_PKEY *pkey = ktri->pkey; + unsigned char *ek = NULL; + size_t eklen; + size_t fixlen = 0; + int ret = 0; + CMS_EncryptedContentInfo *ec; + + ec = cms->d.envelopedData->encryptedContentInfo; + + if (ktri->pkey == NULL) { + CMSerror(CMS_R_NO_PRIVATE_KEY); + return 0; + } + + if (cms->d.envelopedData->encryptedContentInfo->havenocert && + !cms->d.envelopedData->encryptedContentInfo->debug) { + X509_ALGOR *calg = ec->contentEncryptionAlgorithm; + const EVP_CIPHER *ciph; + + if ((ciph = EVP_get_cipherbyobj(calg->algorithm)) == NULL) { + CMSerror(CMS_R_UNKNOWN_CIPHER); + return 0; + } + + fixlen = EVP_CIPHER_key_length(ciph); + } + + ktri->pctx = EVP_PKEY_CTX_new(pkey, NULL); + if (ktri->pctx == NULL) + return 0; + + if (EVP_PKEY_decrypt_init(ktri->pctx) <= 0) + goto err; + + if (!cms_env_asn1_ctrl(ri, 1)) + goto err; + + if (EVP_PKEY_CTX_ctrl(ktri->pctx, -1, EVP_PKEY_OP_DECRYPT, + EVP_PKEY_CTRL_CMS_DECRYPT, 0, ri) <= 0) { + CMSerror(CMS_R_CTRL_ERROR); + goto err; + } + + if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen, ktri->encryptedKey->data, + ktri->encryptedKey->length) <= 0 || eklen == 0 || + (fixlen != 0 && eklen != fixlen)) { + CMSerror(CMS_R_CMS_LIB); + goto err; + } + + ek = malloc(eklen); + + if (ek == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + + if (EVP_PKEY_decrypt(ktri->pctx, ek, &eklen, ktri->encryptedKey->data, + ktri->encryptedKey->length) <= 0) { + CMSerror(CMS_R_CMS_LIB); + goto err; + } + + ret = 1; + + freezero(ec->key, ec->keylen); + ec->key = ek; + ec->keylen = eklen; + + err: + EVP_PKEY_CTX_free(ktri->pctx); + ktri->pctx = NULL; + if (!ret) + free(ek); + + return ret; +} + +/* Key 
Encrypted Key (KEK) RecipientInfo routines */ + +int +CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri, const unsigned char *id, + size_t idlen) +{ + ASN1_OCTET_STRING tmp_os; + CMS_KEKRecipientInfo *kekri; + + if (ri->type != CMS_RECIPINFO_KEK) { + CMSerror(CMS_R_NOT_KEK); + return -2; + } + kekri = ri->d.kekri; + tmp_os.type = V_ASN1_OCTET_STRING; + tmp_os.flags = 0; + tmp_os.data = (unsigned char *)id; + tmp_os.length = (int)idlen; + + return ASN1_OCTET_STRING_cmp(&tmp_os, kekri->kekid->keyIdentifier); +} + +/* For now hard code AES key wrap info */ + +static size_t +aes_wrap_keylen(int nid) +{ + switch (nid) { + case NID_id_aes128_wrap: + return 16; + + case NID_id_aes192_wrap: + return 24; + + case NID_id_aes256_wrap: + return 32; + + default: + return 0; + } +} + +CMS_RecipientInfo * +CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid, unsigned char *key, + size_t keylen, unsigned char *id, size_t idlen, ASN1_GENERALIZEDTIME *date, + ASN1_OBJECT *otherTypeId, ASN1_TYPE *otherType) +{ + CMS_RecipientInfo *ri = NULL; + CMS_EnvelopedData *env; + CMS_KEKRecipientInfo *kekri; + + env = cms_get0_enveloped(cms); + if (!env) + goto err; + + if (nid == NID_undef) { + switch (keylen) { + case 16: + nid = NID_id_aes128_wrap; + break; + + case 24: + nid = NID_id_aes192_wrap; + break; + + case 32: + nid = NID_id_aes256_wrap; + break; + + default: + CMSerror(CMS_R_INVALID_KEY_LENGTH); + goto err; + } + + } else { + + size_t exp_keylen = aes_wrap_keylen(nid); + + if (!exp_keylen) { + CMSerror(CMS_R_UNSUPPORTED_KEK_ALGORITHM); + goto err; + } + + if (keylen != exp_keylen) { + CMSerror(CMS_R_INVALID_KEY_LENGTH); + goto err; + } + + } + + /* Initialize recipient info */ + ri = (CMS_RecipientInfo *)ASN1_item_new(&CMS_RecipientInfo_it); + if (!ri) + goto merr; + + ri->d.kekri = (CMS_KEKRecipientInfo *)ASN1_item_new(&CMS_KEKRecipientInfo_it); + if (!ri->d.kekri) + goto merr; + ri->type = CMS_RECIPINFO_KEK; + + kekri = ri->d.kekri; + + if (otherTypeId) { + 
kekri->kekid->other = (CMS_OtherKeyAttribute *)ASN1_item_new(&CMS_OtherKeyAttribute_it); + if (kekri->kekid->other == NULL) + goto merr; + } + + if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri)) + goto merr; + + /* After this point no calls can fail */ + + kekri->version = 4; + + kekri->key = key; + kekri->keylen = keylen; + + ASN1_STRING_set0(kekri->kekid->keyIdentifier, id, idlen); + + kekri->kekid->date = date; + + if (kekri->kekid->other) { + kekri->kekid->other->keyAttrId = otherTypeId; + kekri->kekid->other->keyAttr = otherType; + } + + X509_ALGOR_set0(kekri->keyEncryptionAlgorithm, + OBJ_nid2obj(nid), V_ASN1_UNDEF, NULL); + + return ri; + + merr: + CMSerror(ERR_R_MALLOC_FAILURE); + err: + ASN1_item_free((ASN1_VALUE *)ri, &CMS_RecipientInfo_it); + return NULL; +} + +int +CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg, + ASN1_OCTET_STRING **pid, ASN1_GENERALIZEDTIME **pdate, + ASN1_OBJECT **potherid, ASN1_TYPE **pothertype) +{ + CMS_KEKIdentifier *rkid; + + if (ri->type != CMS_RECIPINFO_KEK) { + CMSerror(CMS_R_NOT_KEK); + return 0; + } + rkid = ri->d.kekri->kekid; + if (palg) + *palg = ri->d.kekri->keyEncryptionAlgorithm; + if (pid) + *pid = rkid->keyIdentifier; + if (pdate) + *pdate = rkid->date; + if (potherid) { + if (rkid->other) + *potherid = rkid->other->keyAttrId; + else + *potherid = NULL; + } + if (pothertype) { + if (rkid->other) + *pothertype = rkid->other->keyAttr; + else + *pothertype = NULL; + } + + return 1; +} + +int +CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri, unsigned char *key, + size_t keylen) +{ + CMS_KEKRecipientInfo *kekri; + + if (ri->type != CMS_RECIPINFO_KEK) { + CMSerror(CMS_R_NOT_KEK); + return 0; + } + + kekri = ri->d.kekri; + kekri->key = key; + kekri->keylen = keylen; + return 1; +} + +/* Encrypt content key in KEK recipient info */ + +static int +cms_RecipientInfo_kekri_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) +{ + CMS_EncryptedContentInfo *ec; + CMS_KEKRecipientInfo *kekri; + 
AES_KEY actx; + unsigned char *wkey = NULL; + int wkeylen; + int r = 0; + + ec = cms->d.envelopedData->encryptedContentInfo; + kekri = ri->d.kekri; + + if (!kekri->key) { + CMSerror(CMS_R_NO_KEY); + return 0; + } + + if (AES_set_encrypt_key(kekri->key, kekri->keylen << 3, &actx)) { + CMSerror(CMS_R_ERROR_SETTING_KEY); + goto err; + } + + wkey = malloc(ec->keylen + 8); + if (wkey == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + + wkeylen = AES_wrap_key(&actx, NULL, wkey, ec->key, ec->keylen); + if (wkeylen <= 0) { + CMSerror(CMS_R_WRAP_ERROR); + goto err; + } + + ASN1_STRING_set0(kekri->encryptedKey, wkey, wkeylen); + + r = 1; + + err: + if (!r) + free(wkey); + explicit_bzero(&actx, sizeof(actx)); + + return r; +} + +/* Decrypt content key in KEK recipient info */ + +static int +cms_RecipientInfo_kekri_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) +{ + CMS_EncryptedContentInfo *ec; + CMS_KEKRecipientInfo *kekri; + AES_KEY actx; + unsigned char *ukey = NULL; + int ukeylen; + int r = 0, wrap_nid; + + ec = cms->d.envelopedData->encryptedContentInfo; + kekri = ri->d.kekri; + + if (!kekri->key) { + CMSerror(CMS_R_NO_KEY); + return 0; + } + + wrap_nid = OBJ_obj2nid(kekri->keyEncryptionAlgorithm->algorithm); + if (aes_wrap_keylen(wrap_nid) != kekri->keylen) { + CMSerror(CMS_R_INVALID_KEY_LENGTH); + return 0; + } + + /* If encrypted key length is invalid don't bother */ + + if (kekri->encryptedKey->length < 16) { + CMSerror(CMS_R_INVALID_ENCRYPTED_KEY_LENGTH); + goto err; + } + + if (AES_set_decrypt_key(kekri->key, kekri->keylen << 3, &actx)) { + CMSerror(CMS_R_ERROR_SETTING_KEY); + goto err; + } + + ukey = malloc(kekri->encryptedKey->length - 8); + if (ukey == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + + ukeylen = AES_unwrap_key(&actx, NULL, ukey, kekri->encryptedKey->data, + kekri->encryptedKey->length); + + if (ukeylen <= 0) { + CMSerror(CMS_R_UNWRAP_ERROR); + goto err; + } + + ec->key = ukey; + ec->keylen = ukeylen; + + r = 1; + + 
err: + + if (!r) + free(ukey); + explicit_bzero(&actx, sizeof(actx)); + + return r; +} + +int +CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) +{ + switch (ri->type) { + case CMS_RECIPINFO_TRANS: + return cms_RecipientInfo_ktri_decrypt(cms, ri); + + case CMS_RECIPINFO_KEK: + return cms_RecipientInfo_kekri_decrypt(cms, ri); + + case CMS_RECIPINFO_PASS: + return cms_RecipientInfo_pwri_crypt(cms, ri, 0); + + default: + CMSerror(CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE); + return 0; + } +} + +int +CMS_RecipientInfo_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) +{ + switch (ri->type) { + case CMS_RECIPINFO_TRANS: + return cms_RecipientInfo_ktri_encrypt(cms, ri); + + case CMS_RECIPINFO_AGREE: + return cms_RecipientInfo_kari_encrypt(cms, ri); + + case CMS_RECIPINFO_KEK: + return cms_RecipientInfo_kekri_encrypt(cms, ri); + + case CMS_RECIPINFO_PASS: + return cms_RecipientInfo_pwri_crypt(cms, ri, 1); + + default: + CMSerror(CMS_R_UNSUPPORTED_RECIPIENT_TYPE); + return 0; + } +} + +/* Check structures and fixup version numbers (if necessary) */ + +static void +cms_env_set_originfo_version(CMS_EnvelopedData *env) +{ + CMS_OriginatorInfo *org = env->originatorInfo; + int i; + + if (org == NULL) + return; + for (i = 0; i < sk_CMS_CertificateChoices_num(org->certificates); i++) { + CMS_CertificateChoices *cch; + + cch = sk_CMS_CertificateChoices_value(org->certificates, i); + if (cch->type == CMS_CERTCHOICE_OTHER) { + env->version = 4; + return; + } else if (cch->type == CMS_CERTCHOICE_V2ACERT) { + if (env->version < 3) + env->version = 3; + } + } + + for (i = 0; i < sk_CMS_RevocationInfoChoice_num(org->crls); i++) { + CMS_RevocationInfoChoice *rch; + + rch = sk_CMS_RevocationInfoChoice_value(org->crls, i); + if (rch->type == CMS_REVCHOICE_OTHER) { + env->version = 4; + return; + } + } +} + +static void +cms_env_set_version(CMS_EnvelopedData *env) +{ + int i; + CMS_RecipientInfo *ri; + + /* + * Can't set version higher than 4 so if 4 or more already 
nothing to do. + */ + if (env->version >= 4) + return; + + cms_env_set_originfo_version(env); + + if (env->version >= 3) + return; + + for (i = 0; i < sk_CMS_RecipientInfo_num(env->recipientInfos); i++) { + ri = sk_CMS_RecipientInfo_value(env->recipientInfos, i); + if (ri->type == CMS_RECIPINFO_PASS || ri->type == CMS_RECIPINFO_OTHER) { + env->version = 3; + return; + } else if (ri->type != CMS_RECIPINFO_TRANS + || ri->d.ktri->version != 0) { + env->version = 2; + } + } + if (env->originatorInfo || env->unprotectedAttrs) + env->version = 2; + if (env->version == 2) + return; + env->version = 0; +} + +BIO * +cms_EnvelopedData_init_bio(CMS_ContentInfo *cms) +{ + CMS_EncryptedContentInfo *ec; + STACK_OF(CMS_RecipientInfo) *rinfos; + CMS_RecipientInfo *ri; + int i, ok = 0; + BIO *ret; + + /* Get BIO first to set up key */ + + ec = cms->d.envelopedData->encryptedContentInfo; + ret = cms_EncryptedContent_init_bio(ec); + + /* If error or no cipher end of processing */ + + if (!ret || !ec->cipher) + return ret; + + /* Now encrypt content key according to each RecipientInfo type */ + + rinfos = cms->d.envelopedData->recipientInfos; + + for (i = 0; i < sk_CMS_RecipientInfo_num(rinfos); i++) { + ri = sk_CMS_RecipientInfo_value(rinfos, i); + if (CMS_RecipientInfo_encrypt(cms, ri) <= 0) { + CMSerror(CMS_R_ERROR_SETTING_RECIPIENTINFO); + goto err; + } + } + cms_env_set_version(cms->d.envelopedData); + + ok = 1; + + err: + ec->cipher = NULL; + freezero(ec->key, ec->keylen); + ec->key = NULL; + ec->keylen = 0; + if (ok) + return ret; + BIO_free(ret); + return NULL; +} + +/* + * Get RecipientInfo type (if any) supported by a key (public or private). To + * retain compatibility with previous behaviour if the ctrl value isn't + * supported we assume key transport. 
+ */ +int +cms_pkey_get_ri_type(EVP_PKEY *pk) +{ + if (pk->ameth && pk->ameth->pkey_ctrl) { + int i, r; + i = pk->ameth->pkey_ctrl(pk, ASN1_PKEY_CTRL_CMS_RI_TYPE, 0, &r); + if (i > 0) + return r; + } + return CMS_RECIPINFO_TRANS; +} diff --git a/crypto/cms/cms_err.c b/crypto/cms/cms_err.c new file mode 100644 index 0000000..2fd550c --- /dev/null +++ b/crypto/cms/cms_err.c 
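Review bot: In cms_RecipientInfo_kekri_decrypt the unwrapped key is stored with a bare `ec->key = ukey;` while the sibling cms_RecipientInfo_ktri_decrypt first does `freezero(ec->key, ec->keylen);` before assigning the new key; the KEK path therefore leaks, and leaves unscrubbed, any content-encryption key already held in `ec` when a second RecipientInfo is decrypted against the same CMS_ContentInfo (whether callers do that is not visible here, so this is inferred from the two paths being otherwise parallel). Suggested change, just before the assignment in the KEK path: `freezero(ec->key, ec->keylen);` followed by the existing `ec->key = ukey;` and `ec->keylen = ukeylen;`. Since the value is key material, the zeroing half matters as much as the free, which is why the ktri idiom rather than plain free() is the right one to mirror.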
@@ -0,0 +1,164 @@ +/* $OpenBSD: cms_err.c,v 1.12 2020/06/05 16:51:12 jsing Exp $ */ +/* + * Generated by util/mkerr.pl DO NOT EDIT + * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include +#include + +#ifndef OPENSSL_NO_ERR + +#define ERR_FUNC(func) ERR_PACK(ERR_LIB_CMS,func,0) +#define ERR_REASON(reason) ERR_PACK(ERR_LIB_CMS,0,reason) + +static ERR_STRING_DATA CMS_str_functs[] = { + {ERR_FUNC(0xfff), "CRYPTO_internal"}, + {0, NULL} +}; + +static ERR_STRING_DATA CMS_str_reasons[] = { + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ADD_SIGNER_ERROR), "add signer error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_ALREADY_PRESENT), + "certificate already present"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_HAS_NO_KEYID), + "certificate has no keyid"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_VERIFY_ERROR), + "certificate verify error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_INITIALISATION_ERROR), + "cipher initialisation error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR), + "cipher parameter initialisation error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CMS_DATAFINAL_ERROR), + "cms datafinal error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CMS_LIB), "cms lib"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENTIDENTIFIER_MISMATCH), + "contentidentifier mismatch"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_NOT_FOUND), "content not found"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_TYPE_MISMATCH), + "content type mismatch"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_TYPE_NOT_COMPRESSED_DATA), + "content type not compressed data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA), + "content type not enveloped data"}, + {ERR_PACK(ERR_LIB_CMS, 0, 
CMS_R_CONTENT_TYPE_NOT_SIGNED_DATA), + "content type not signed data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CONTENT_VERIFY_ERROR), + "content verify error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CTRL_ERROR), "ctrl error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CTRL_FAILURE), "ctrl failure"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_DECRYPT_ERROR), "decrypt error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_GETTING_PUBLIC_KEY), + "error getting public key"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE), + "error reading messagedigest attribute"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_SETTING_KEY), "error setting key"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ERROR_SETTING_RECIPIENTINFO), + "error setting recipientinfo"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_INVALID_ENCRYPTED_KEY_LENGTH), + "invalid encrypted key length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER), + "invalid key encryption parameter"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_INVALID_KEY_LENGTH), "invalid key length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MD_BIO_INIT_ERROR), "md bio init error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH), + "messagedigest attribute wrong length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MESSAGEDIGEST_WRONG_LENGTH), + "messagedigest wrong length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MSGSIGDIGEST_ERROR), "msgsigdigest error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE), + "msgsigdigest verification failure"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_MSGSIGDIGEST_WRONG_LENGTH), + "msgsigdigest wrong length"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NEED_ONE_SIGNER), "need one signer"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_A_SIGNED_RECEIPT), + "not a signed receipt"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_ENCRYPTED_DATA), "not encrypted data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEK), "not kek"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_KEY_AGREEMENT), "not key agreement"}, + {ERR_PACK(ERR_LIB_CMS, 0, 
CMS_R_NOT_KEY_TRANSPORT), "not key transport"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_PWRI), "not pwri"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE), + "not supported for this key type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_CIPHER), "no cipher"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_CONTENT), "no content"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_CONTENT_TYPE), "no content type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_DEFAULT_DIGEST), "no default digest"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_DIGEST_SET), "no digest set"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_KEY), "no key"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_KEY_OR_CERT), "no key or cert"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_MATCHING_DIGEST), "no matching digest"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_MATCHING_RECIPIENT), + "no matching recipient"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_MATCHING_SIGNATURE), + "no matching signature"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_MSGSIGDIGEST), "no msgsigdigest"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_PASSWORD), "no password"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_PRIVATE_KEY), "no private key"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_PUBLIC_KEY), "no public key"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_RECEIPT_REQUEST), "no receipt request"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_NO_SIGNERS), "no signers"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE), + "private key does not match certificate"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_RECEIPT_DECODE_ERROR), + "receipt decode error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_RECIPIENT_ERROR), "recipient error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_SIGNER_CERTIFICATE_NOT_FOUND), + "signer certificate not found"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_SIGNFINAL_ERROR), "signfinal error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_SMIME_TEXT_ERROR), "smime text error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_STORE_INIT_ERROR), "store init error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_COMPRESSED_DATA), + 
"type not compressed data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_DATA), "type not data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_DIGESTED_DATA), + "type not digested data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_ENCRYPTED_DATA), + "type not encrypted data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_TYPE_NOT_ENVELOPED_DATA), + "type not enveloped data"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNABLE_TO_FINALIZE_CONTEXT), + "unable to finalize context"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_CIPHER), "unknown cipher"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_DIGEST_ALGORITHM), + "unknown digest algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNKNOWN_ID), "unknown id"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM), + "unsupported compression algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_CONTENT_TYPE), + "unsupported content type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEK_ALGORITHM), + "unsupported kek algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM), + "unsupported key encryption algorithm"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE), + "unsupported recipientinfo type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_RECIPIENT_TYPE), + "unsupported recipient type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNSUPPORTED_TYPE), "unsupported type"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNWRAP_ERROR), "unwrap error"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_UNWRAP_FAILURE), "unwrap failure"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_VERIFICATION_FAILURE), + "verification failure"}, + {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_WRAP_ERROR), "wrap error"}, + {0, NULL} +}; + +#endif + +int +ERR_load_CMS_strings(void) +{ +#ifndef OPENSSL_NO_ERR + if (ERR_func_error_string(CMS_str_functs[0].error) == NULL) { + ERR_load_strings(ERR_LIB_CMS, CMS_str_functs); + ERR_load_strings(ERR_LIB_CMS, CMS_str_reasons); + } +#endif + return 1; +} 
diff --git a/crypto/cms/cms_ess.c b/crypto/cms/cms_ess.c new file mode 100644 index 0000000..9420405 --- /dev/null +++ b/crypto/cms/cms_ess.c 
@@ -0,0 +1,404 @@ +/* $OpenBSD: cms_ess.c,v 1.21 2019/08/11 14:19:09 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" + + +CMS_ReceiptRequest * +d2i_CMS_ReceiptRequest(CMS_ReceiptRequest **a, const unsigned char **in, long len) +{ + return (CMS_ReceiptRequest *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &CMS_ReceiptRequest_it); +} + +int +i2d_CMS_ReceiptRequest(CMS_ReceiptRequest *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &CMS_ReceiptRequest_it); +} + +CMS_ReceiptRequest * +CMS_ReceiptRequest_new(void) +{ + return (CMS_ReceiptRequest *)ASN1_item_new(&CMS_ReceiptRequest_it); +} + +void +CMS_ReceiptRequest_free(CMS_ReceiptRequest *a) +{ + ASN1_item_free((ASN1_VALUE *)a, &CMS_ReceiptRequest_it); +} + +/* ESS services: for now just Signed Receipt related */ + +int +CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr) +{ + ASN1_STRING *str; + CMS_ReceiptRequest *rr = NULL; + + if (prr) + *prr = NULL; + str = CMS_signed_get0_data_by_OBJ(si, + OBJ_nid2obj(NID_id_smime_aa_receiptRequest), -3, V_ASN1_SEQUENCE); + if (!str) + return 0; + + rr = ASN1_item_unpack(str, &CMS_ReceiptRequest_it); + if (!rr) + return -1; + if (prr) + *prr = rr; + else + CMS_ReceiptRequest_free(rr); + + return 1; +} + +CMS_ReceiptRequest * +CMS_ReceiptRequest_create0(unsigned char *id, int idlen, int allorfirst, + 
STACK_OF(GENERAL_NAMES) *receiptList, STACK_OF(GENERAL_NAMES) *receiptsTo) +{ + CMS_ReceiptRequest *rr = NULL; + + rr = CMS_ReceiptRequest_new(); + if (rr == NULL) + goto merr; + if (id) + ASN1_STRING_set0(rr->signedContentIdentifier, id, idlen); + else { + if (!ASN1_STRING_set(rr->signedContentIdentifier, NULL, 32)) + goto merr; + arc4random_buf(rr->signedContentIdentifier->data, 32); + } + + sk_GENERAL_NAMES_pop_free(rr->receiptsTo, GENERAL_NAMES_free); + rr->receiptsTo = receiptsTo; + + if (receiptList) { + rr->receiptsFrom->type = 1; + rr->receiptsFrom->d.receiptList = receiptList; + } else { + rr->receiptsFrom->type = 0; + rr->receiptsFrom->d.allOrFirstTier = allorfirst; + } + + return rr; + + merr: + CMSerror(ERR_R_MALLOC_FAILURE); + CMS_ReceiptRequest_free(rr); + + return NULL; +} + +int +CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr) +{ + unsigned char *rrder = NULL; + int rrderlen, r = 0; + + rrderlen = i2d_CMS_ReceiptRequest(rr, &rrder); + if (rrderlen < 0) + goto merr; + + if (!CMS_signed_add1_attr_by_NID(si, NID_id_smime_aa_receiptRequest, + V_ASN1_SEQUENCE, rrder, rrderlen)) + goto merr; + + r = 1; + + merr: + if (!r) + CMSerror(ERR_R_MALLOC_FAILURE); + + free(rrder); + + return r; +} + +void +CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr, ASN1_STRING **pcid, + int *pallorfirst, STACK_OF(GENERAL_NAMES) **plist, + STACK_OF(GENERAL_NAMES) **prto) +{ + if (pcid) + *pcid = rr->signedContentIdentifier; + if (rr->receiptsFrom->type == 0) { + if (pallorfirst) + *pallorfirst = (int)rr->receiptsFrom->d.allOrFirstTier; + if (plist) + *plist = NULL; + } else { + if (pallorfirst) + *pallorfirst = -1; + if (plist) + *plist = rr->receiptsFrom->d.receiptList; + } + if (prto) + *prto = rr->receiptsTo; +} + +/* Digest a SignerInfo structure for msgSigDigest attribute processing */ + +static int +cms_msgSigDigest(CMS_SignerInfo *si, unsigned char *dig, unsigned int *diglen) +{ + const EVP_MD *md; + + md = 
EVP_get_digestbyobj(si->digestAlgorithm->algorithm); + if (md == NULL) + return 0; + if (!ASN1_item_digest(&CMS_Attributes_Verify_it, md, + si->signedAttrs, dig, diglen)) + return 0; + + return 1; +} + +/* Add a msgSigDigest attribute to a SignerInfo */ + +int +cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src) +{ + unsigned char dig[EVP_MAX_MD_SIZE]; + unsigned int diglen; + + if (!cms_msgSigDigest(src, dig, &diglen)) { + CMSerror(CMS_R_MSGSIGDIGEST_ERROR); + return 0; + } + if (!CMS_signed_add1_attr_by_NID(dest, NID_id_smime_aa_msgSigDigest, + V_ASN1_OCTET_STRING, dig, diglen)) { + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; + } + + return 1; +} + +/* Verify signed receipt after it has already passed normal CMS verify */ + +int +cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms) +{ + int r = 0, i; + CMS_ReceiptRequest *rr = NULL; + CMS_Receipt *rct = NULL; + STACK_OF(CMS_SignerInfo) *sis, *osis; + CMS_SignerInfo *si, *osi = NULL; + ASN1_OCTET_STRING *msig, **pcont; + ASN1_OBJECT *octype; + unsigned char dig[EVP_MAX_MD_SIZE]; + unsigned int diglen; + + /* Get SignerInfos, also checks SignedData content type */ + osis = CMS_get0_SignerInfos(req_cms); + sis = CMS_get0_SignerInfos(cms); + if (!osis || !sis) + goto err; + + if (sk_CMS_SignerInfo_num(sis) != 1) { + CMSerror(CMS_R_NEED_ONE_SIGNER); + goto err; + } + + /* Check receipt content type */ + if (OBJ_obj2nid(CMS_get0_eContentType(cms)) != NID_id_smime_ct_receipt) { + CMSerror(CMS_R_NOT_A_SIGNED_RECEIPT); + goto err; + } + + /* Extract and decode receipt content */ + pcont = CMS_get0_content(cms); + if (!pcont || !*pcont) { + CMSerror(CMS_R_NO_CONTENT); + goto err; + } + + rct = ASN1_item_unpack(*pcont, &CMS_Receipt_it); + + if (!rct) { + CMSerror(CMS_R_RECEIPT_DECODE_ERROR); + goto err; + } + + /* Locate original request */ + + for (i = 0; i < sk_CMS_SignerInfo_num(osis); i++) { + osi = sk_CMS_SignerInfo_value(osis, i); + if (!ASN1_STRING_cmp(osi->signature, 
rct->originatorSignatureValue)) + break; + } + + if (i == sk_CMS_SignerInfo_num(osis)) { + CMSerror(CMS_R_NO_MATCHING_SIGNATURE); + goto err; + } + + si = sk_CMS_SignerInfo_value(sis, 0); + + /* Get msgSigDigest value and compare */ + + msig = CMS_signed_get0_data_by_OBJ(si, + OBJ_nid2obj(NID_id_smime_aa_msgSigDigest), -3, V_ASN1_OCTET_STRING); + + if (!msig) { + CMSerror(CMS_R_NO_MSGSIGDIGEST); + goto err; + } + + if (!cms_msgSigDigest(osi, dig, &diglen)) { + CMSerror(CMS_R_MSGSIGDIGEST_ERROR); + goto err; + } + + if (diglen != (unsigned int)msig->length) { + CMSerror(CMS_R_MSGSIGDIGEST_WRONG_LENGTH); + goto err; + } + + if (memcmp(dig, msig->data, diglen)) { + CMSerror(CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE); + goto err; + } + + /* Compare content types */ + + octype = CMS_signed_get0_data_by_OBJ(osi, + OBJ_nid2obj(NID_pkcs9_contentType), -3, V_ASN1_OBJECT); + if (!octype) { + CMSerror(CMS_R_NO_CONTENT_TYPE); + goto err; + } + + /* Compare details in receipt request */ + + if (OBJ_cmp(octype, rct->contentType)) { + CMSerror(CMS_R_CONTENT_TYPE_MISMATCH); + goto err; + } + + /* Get original receipt request details */ + + if (CMS_get1_ReceiptRequest(osi, &rr) <= 0) { + CMSerror(CMS_R_NO_RECEIPT_REQUEST); + goto err; + } + + if (ASN1_STRING_cmp(rr->signedContentIdentifier, + rct->signedContentIdentifier)) { + CMSerror(CMS_R_CONTENTIDENTIFIER_MISMATCH); + goto err; + } + + r = 1; + + err: + CMS_ReceiptRequest_free(rr); + ASN1_item_free((ASN1_VALUE *)rct, &CMS_Receipt_it); + return r; +} + +/* + * Encode a Receipt into an OCTET STRING read for including into content of a + * SignedData ContentInfo. 
+ */ + +ASN1_OCTET_STRING * +cms_encode_Receipt(CMS_SignerInfo *si) +{ + CMS_Receipt rct; + CMS_ReceiptRequest *rr = NULL; + ASN1_OBJECT *ctype; + ASN1_OCTET_STRING *os = NULL; + + /* Get original receipt request */ + + /* Get original receipt request details */ + + if (CMS_get1_ReceiptRequest(si, &rr) <= 0) { + CMSerror(CMS_R_NO_RECEIPT_REQUEST); + goto err; + } + + /* Get original content type */ + + ctype = CMS_signed_get0_data_by_OBJ(si, + OBJ_nid2obj(NID_pkcs9_contentType), -3, V_ASN1_OBJECT); + if (!ctype) { + CMSerror(CMS_R_NO_CONTENT_TYPE); + goto err; + } + + rct.version = 1; + rct.contentType = ctype; + rct.signedContentIdentifier = rr->signedContentIdentifier; + rct.originatorSignatureValue = si->signature; + + os = ASN1_item_pack(&rct, &CMS_Receipt_it, NULL); + + err: + CMS_ReceiptRequest_free(rr); + return os; +} diff --git a/crypto/cms/cms_io.c b/crypto/cms/cms_io.c new file mode 100644 index 0000000..4466d6a --- /dev/null +++ b/crypto/cms/cms_io.c 
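Review bot: `CMS_ReceiptRequest_create0` adopts `id` (via `ASN1_STRING_set0`), `receiptList` and `receiptsTo` only on the success path — on the `merr` path (allocation failure of `rr`, or `ASN1_STRING_set` failing when `id` is NULL) none of the caller's arguments has been attached to `rr`, so they remain the caller's to free, and nothing in the function or its header says so. A comment above the definition would settle the contract: `/* On success rr takes ownership of id, receiptList and receiptsTo; on a NULL return they are untouched and remain the caller's. */`. Separately, `cms_encode_Receipt` opens with two consecutive comments saying the same thing (`Get original receipt request` and `Get original receipt request details`); one of them can go. Both functions lie entirely within this hunk.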
@@ -0,0 +1,166 @@ +/* $OpenBSD: cms_io.c,v 1.11 2019/08/11 10:38:27 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include +#include +#include +#include +#include "cms_lcl.h" + +int +CMS_stream(unsigned char ***boundary, CMS_ContentInfo *cms) +{ + ASN1_OCTET_STRING **pos; + + pos = CMS_get0_content(cms); + if (pos == NULL) + return 0; + if (*pos == NULL) + *pos = ASN1_OCTET_STRING_new(); + if (*pos != NULL) { + (*pos)->flags |= ASN1_STRING_FLAG_NDEF; + (*pos)->flags &= ~ASN1_STRING_FLAG_CONT; + *boundary = &(*pos)->data; + return 1; + } + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; +} + +CMS_ContentInfo * +d2i_CMS_bio(BIO *bp, CMS_ContentInfo **cms) +{ + return ASN1_item_d2i_bio(&CMS_ContentInfo_it, bp, cms); +} + +int +i2d_CMS_bio(BIO *bp, CMS_ContentInfo *cms) +{ + return ASN1_item_i2d_bio(&CMS_ContentInfo_it, bp, cms); +} + + +CMS_ContentInfo * +PEM_read_bio_CMS(BIO *bp, CMS_ContentInfo **x, pem_password_cb *cb, void *u) +{ + return PEM_ASN1_read_bio((d2i_of_void *)d2i_CMS_ContentInfo, PEM_STRING_CMS, bp, + (void **)x, cb, u); +} + +CMS_ContentInfo * +PEM_read_CMS(FILE *fp, CMS_ContentInfo **x, pem_password_cb *cb, void *u) +{ + return PEM_ASN1_read((d2i_of_void *)d2i_CMS_ContentInfo, PEM_STRING_CMS, fp, + (void **)x, cb, u); +} + +int +PEM_write_bio_CMS(BIO *bp, const CMS_ContentInfo *x) +{ + return PEM_ASN1_write_bio((i2d_of_void *)i2d_CMS_ContentInfo, PEM_STRING_CMS, bp, + (void *)x, NULL, NULL, 0, NULL, NULL); +} + +int +PEM_write_CMS(FILE 
*fp, const CMS_ContentInfo *x) +{ + return PEM_ASN1_write((i2d_of_void *)i2d_CMS_ContentInfo, PEM_STRING_CMS, fp, + (void *)x, NULL, NULL, 0, NULL, NULL); +} + +BIO * +BIO_new_CMS(BIO *out, CMS_ContentInfo *cms) +{ + return BIO_new_NDEF(out, (ASN1_VALUE *)cms, + &CMS_ContentInfo_it); +} + +/* CMS wrappers round generalised stream and MIME routines */ + +int i2d_CMS_bio_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, int flags) +{ + return i2d_ASN1_bio_stream(out, (ASN1_VALUE *)cms, in, flags, + &CMS_ContentInfo_it); +} + +int +PEM_write_bio_CMS_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, int flags) +{ + return PEM_write_bio_ASN1_stream(out, (ASN1_VALUE *)cms, in, flags, + "CMS", &CMS_ContentInfo_it); +} + +int +SMIME_write_CMS(BIO *bio, CMS_ContentInfo *cms, BIO *data, int flags) +{ + STACK_OF(X509_ALGOR) *mdalgs; + int ctype_nid = OBJ_obj2nid(cms->contentType); + int econt_nid = OBJ_obj2nid(CMS_get0_eContentType(cms)); + + if (ctype_nid == NID_pkcs7_signed) + mdalgs = cms->d.signedData->digestAlgorithms; + else + mdalgs = NULL; + + return SMIME_write_ASN1(bio, (ASN1_VALUE *)cms, data, flags, ctype_nid, + econt_nid, mdalgs, &CMS_ContentInfo_it); +} + +CMS_ContentInfo * +SMIME_read_CMS(BIO *bio, BIO **bcont) +{ + return (CMS_ContentInfo *)SMIME_read_ASN1(bio, bcont, + &CMS_ContentInfo_it); +} diff --git a/crypto/cms/cms_kari.c b/crypto/cms/cms_kari.c new file mode 100644 index 0000000..21e3ce8 --- /dev/null +++ b/crypto/cms/cms_kari.c 
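Review bot: `PEM_write_bio_CMS_stream` passes the string literal `"CMS"` as the PEM type name, while every other PEM wrapper in this file (`PEM_read_bio_CMS`, `PEM_read_CMS`, `PEM_write_bio_CMS`, `PEM_write_CMS`) uses the `PEM_STRING_CMS` macro; the literal should be replaced so the type name has a single source of truth, i.e. `PEM_STRING_CMS, &CMS_ContentInfo_it);`. As a point of style, `i2d_CMS_bio_stream` is the only definition in the file with its return type on the signature line (`int i2d_CMS_bio_stream(BIO *out, ...)`), whereas all the others put the return type on its own line; it should follow the file's layout.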
@@ -0,0 +1,483 @@ +/* $OpenBSD: cms_kari.c,v 1.13 2019/08/11 14:27:01 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2013 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" +#include "asn1/asn1_locl.h" + +/* Key Agreement Recipient Info (KARI) routines */ + +int +CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri, X509_ALGOR **palg, + ASN1_OCTET_STRING **pukm) +{ + if (ri->type != CMS_RECIPINFO_AGREE) { + CMSerror(CMS_R_NOT_KEY_AGREEMENT); + return 0; + } + if (palg) + *palg = ri->d.kari->keyEncryptionAlgorithm; + if (pukm) + *pukm = ri->d.kari->ukm; + + return 1; +} + +/* Retrieve recipient encrypted keys from a kari */ + +STACK_OF(CMS_RecipientEncryptedKey) * +CMS_RecipientInfo_kari_get0_reks(CMS_RecipientInfo *ri) +{ + if (ri->type != CMS_RECIPINFO_AGREE) { + CMSerror(CMS_R_NOT_KEY_AGREEMENT); + return NULL; + } + return ri->d.kari->recipientEncryptedKeys; +} + +int +CMS_RecipientInfo_kari_get0_orig_id(CMS_RecipientInfo *ri, X509_ALGOR **pubalg, + ASN1_BIT_STRING **pubkey, ASN1_OCTET_STRING **keyid, X509_NAME **issuer, + ASN1_INTEGER **sno) +{ + CMS_OriginatorIdentifierOrKey *oik; + + if (ri->type != CMS_RECIPINFO_AGREE) { + CMSerror(CMS_R_NOT_KEY_AGREEMENT); + return 0; + } + oik = ri->d.kari->originator; + if (issuer) + *issuer = NULL; + if (sno) + *sno = NULL; + if (keyid) + *keyid = NULL; + if (pubalg) + *pubalg = NULL; + if (pubkey) + *pubkey = NULL; + if (oik->type == CMS_OIK_ISSUER_SERIAL) 
{ + if (issuer) + *issuer = oik->d.issuerAndSerialNumber->issuer; + if (sno) + *sno = oik->d.issuerAndSerialNumber->serialNumber; + } else if (oik->type == CMS_OIK_KEYIDENTIFIER) { + if (keyid) + *keyid = oik->d.subjectKeyIdentifier; + } else if (oik->type == CMS_OIK_PUBKEY) { + if (pubalg) + *pubalg = oik->d.originatorKey->algorithm; + if (pubkey) + *pubkey = oik->d.originatorKey->publicKey; + } else + return 0; + + return 1; +} + +int +CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo *ri, X509 *cert) +{ + CMS_OriginatorIdentifierOrKey *oik; + + if (ri->type != CMS_RECIPINFO_AGREE) { + CMSerror(CMS_R_NOT_KEY_AGREEMENT); + return -2; + } + oik = ri->d.kari->originator; + if (oik->type == CMS_OIK_ISSUER_SERIAL) + return cms_ias_cert_cmp(oik->d.issuerAndSerialNumber, cert); + else if (oik->type == CMS_OIK_KEYIDENTIFIER) + return cms_keyid_cert_cmp(oik->d.subjectKeyIdentifier, cert); + + return -1; +} + +int +CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek, + ASN1_OCTET_STRING **keyid, ASN1_GENERALIZEDTIME **tm, + CMS_OtherKeyAttribute **other, X509_NAME **issuer, ASN1_INTEGER **sno) +{ + CMS_KeyAgreeRecipientIdentifier *rid = rek->rid; + + if (rid->type == CMS_REK_ISSUER_SERIAL) { + if (issuer) + *issuer = rid->d.issuerAndSerialNumber->issuer; + if (sno) + *sno = rid->d.issuerAndSerialNumber->serialNumber; + if (keyid) + *keyid = NULL; + if (tm) + *tm = NULL; + if (other) + *other = NULL; + } else if (rid->type == CMS_REK_KEYIDENTIFIER) { + if (keyid) + *keyid = rid->d.rKeyId->subjectKeyIdentifier; + if (tm) + *tm = rid->d.rKeyId->date; + if (other) + *other = rid->d.rKeyId->other; + if (issuer) + *issuer = NULL; + if (sno) + *sno = NULL; + } else + return 0; + + return 1; +} + +int +CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek, X509 *cert) +{ + CMS_KeyAgreeRecipientIdentifier *rid = rek->rid; + + if (rid->type == CMS_REK_ISSUER_SERIAL) + return cms_ias_cert_cmp(rid->d.issuerAndSerialNumber, cert); + else if (rid->type == 
CMS_REK_KEYIDENTIFIER) + return cms_keyid_cert_cmp(rid->d.rKeyId->subjectKeyIdentifier, cert); + else + return -1; +} + +int +CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk) +{ + EVP_PKEY_CTX *pctx; + CMS_KeyAgreeRecipientInfo *kari = ri->d.kari; + + EVP_PKEY_CTX_free(kari->pctx); + kari->pctx = NULL; + if (!pk) + return 1; + pctx = EVP_PKEY_CTX_new(pk, NULL); + if (!pctx || !EVP_PKEY_derive_init(pctx)) + goto err; + kari->pctx = pctx; + return 1; + + err: + EVP_PKEY_CTX_free(pctx); + return 0; +} + +EVP_CIPHER_CTX * +CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri) +{ + if (ri->type == CMS_RECIPINFO_AGREE) + return ri->d.kari->ctx; + return NULL; +} + +/* + * Derive KEK and decrypt/encrypt with it to produce either the original CEK + * or the encrypted CEK. + */ + +static int +cms_kek_cipher(unsigned char **pout, size_t *poutlen, const unsigned char *in, + size_t inlen, CMS_KeyAgreeRecipientInfo *kari, int enc) +{ + /* Key encryption key */ + unsigned char kek[EVP_MAX_KEY_LENGTH]; + size_t keklen; + int rv = 0; + unsigned char *out = NULL; + int outlen; + + keklen = EVP_CIPHER_CTX_key_length(kari->ctx); + if (keklen > EVP_MAX_KEY_LENGTH) + return 0; + /* Derive KEK */ + if (EVP_PKEY_derive(kari->pctx, kek, &keklen) <= 0) + goto err; + /* Set KEK in context */ + if (!EVP_CipherInit_ex(kari->ctx, NULL, NULL, kek, NULL, enc)) + goto err; + /* obtain output length of ciphered key */ + if (!EVP_CipherUpdate(kari->ctx, NULL, &outlen, in, inlen)) + goto err; + out = malloc(outlen); + if (out == NULL) + goto err; + if (!EVP_CipherUpdate(kari->ctx, out, &outlen, in, inlen)) + goto err; + *pout = out; + *poutlen = (size_t)outlen; + rv = 1; + + err: + explicit_bzero(kek, keklen); + if (!rv) + free(out); + EVP_CIPHER_CTX_reset(kari->ctx); + /* FIXME: WHY IS kari->pctx freed here? 
/RL */ + EVP_PKEY_CTX_free(kari->pctx); + kari->pctx = NULL; + + return rv; +} + +int +CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, + CMS_RecipientEncryptedKey *rek) +{ + int rv = 0; + unsigned char *enckey = NULL, *cek = NULL; + size_t enckeylen; + size_t ceklen; + CMS_EncryptedContentInfo *ec; + + enckeylen = rek->encryptedKey->length; + enckey = rek->encryptedKey->data; + /* Setup all parameters to derive KEK */ + if (!cms_env_asn1_ctrl(ri, 1)) + goto err; + /* Attempt to decrypt CEK */ + if (!cms_kek_cipher(&cek, &ceklen, enckey, enckeylen, ri->d.kari, 0)) + goto err; + ec = cms->d.envelopedData->encryptedContentInfo; + freezero(ec->key, ec->keylen); + ec->key = cek; + ec->keylen = ceklen; + cek = NULL; + rv = 1; + + err: + free(cek); + + return rv; +} + +/* Create ephemeral key and initialise context based on it */ +static int +cms_kari_create_ephemeral_key(CMS_KeyAgreeRecipientInfo *kari, EVP_PKEY *pk) +{ + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY *ekey = NULL; + int rv = 0; + + pctx = EVP_PKEY_CTX_new(pk, NULL); + if (!pctx) + goto err; + if (EVP_PKEY_keygen_init(pctx) <= 0) + goto err; + if (EVP_PKEY_keygen(pctx, &ekey) <= 0) + goto err; + EVP_PKEY_CTX_free(pctx); + pctx = EVP_PKEY_CTX_new(ekey, NULL); + if (!pctx) + goto err; + if (EVP_PKEY_derive_init(pctx) <= 0) + goto err; + kari->pctx = pctx; + rv = 1; + + err: + if (!rv) + EVP_PKEY_CTX_free(pctx); + EVP_PKEY_free(ekey); + + return rv; +} + +/* Initialise a kari based on passed certificate and key */ + +int +cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, EVP_PKEY *pk, + unsigned int flags) +{ + CMS_KeyAgreeRecipientInfo *kari; + CMS_RecipientEncryptedKey *rek = NULL; + + ri->d.kari = (CMS_KeyAgreeRecipientInfo *)ASN1_item_new(&CMS_KeyAgreeRecipientInfo_it); + if (!ri->d.kari) + return 0; + ri->type = CMS_RECIPINFO_AGREE; + + kari = ri->d.kari; + kari->version = 3; + + rek = (CMS_RecipientEncryptedKey *)ASN1_item_new(&CMS_RecipientEncryptedKey_it); + if (rek 
== NULL) + return 0; + + if (!sk_CMS_RecipientEncryptedKey_push(kari->recipientEncryptedKeys, rek)) { + ASN1_item_free((ASN1_VALUE *)rek, &CMS_RecipientEncryptedKey_it); + return 0; + } + + if (flags & CMS_USE_KEYID) { + rek->rid->type = CMS_REK_KEYIDENTIFIER; + rek->rid->d.rKeyId = (CMS_RecipientKeyIdentifier *)ASN1_item_new(&CMS_RecipientKeyIdentifier_it); + if (rek->rid->d.rKeyId == NULL) + return 0; + if (!cms_set1_keyid(&rek->rid->d.rKeyId->subjectKeyIdentifier, recip)) + return 0; + } else { + rek->rid->type = CMS_REK_ISSUER_SERIAL; + if (!cms_set1_ias(&rek->rid->d.issuerAndSerialNumber, recip)) + return 0; + } + + /* Create ephemeral key */ + if (!cms_kari_create_ephemeral_key(kari, pk)) + return 0; + + EVP_PKEY_up_ref(pk); + rek->pkey = pk; + + return 1; +} + +static int +cms_wrap_init(CMS_KeyAgreeRecipientInfo *kari, const EVP_CIPHER *cipher) +{ + EVP_CIPHER_CTX *ctx = kari->ctx; + const EVP_CIPHER *kekcipher; + int keylen = EVP_CIPHER_key_length(cipher); + + /* If a suitable wrap algorithm is already set nothing to do */ + kekcipher = EVP_CIPHER_CTX_cipher(ctx); + + if (kekcipher) { + if (EVP_CIPHER_CTX_mode(ctx) != EVP_CIPH_WRAP_MODE) + return 0; + return 1; + } + /* + * Pick a cipher based on content encryption cipher. If it is DES3 use + * DES3 wrap otherwise use AES wrap similar to key size. + */ +#ifndef OPENSSL_NO_DES +#if 0 + /* + * XXX - we do not currently support DES3 wrap and probably should just + * drop this code. 
+ */ + if (EVP_CIPHER_type(cipher) == NID_des_ede3_cbc) + kekcipher = EVP_des_ede3_wrap(); + else +#endif +#endif + if (keylen <= 16) + kekcipher = EVP_aes_128_wrap(); + else if (keylen <= 24) + kekcipher = EVP_aes_192_wrap(); + else + kekcipher = EVP_aes_256_wrap(); + + return EVP_EncryptInit_ex(ctx, kekcipher, NULL, NULL, NULL); +} + +/* Encrypt content key in key agreement recipient info */ + +int +cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri) +{ + CMS_KeyAgreeRecipientInfo *kari; + CMS_EncryptedContentInfo *ec; + CMS_RecipientEncryptedKey *rek; + STACK_OF(CMS_RecipientEncryptedKey) *reks; + int i; + + if (ri->type != CMS_RECIPINFO_AGREE) { + CMSerror(CMS_R_NOT_KEY_AGREEMENT); + return 0; + } + kari = ri->d.kari; + reks = kari->recipientEncryptedKeys; + ec = cms->d.envelopedData->encryptedContentInfo; + /* Initialise wrap algorithm parameters */ + if (!cms_wrap_init(kari, ec->cipher)) + return 0; + /* + * If no originator key set up initialise for ephemeral key the public key + * ASN1 structure will set the actual public key value. + */ + if (kari->originator->type == -1) { + CMS_OriginatorIdentifierOrKey *oik = kari->originator; + oik->type = CMS_OIK_PUBKEY; + oik->d.originatorKey = (CMS_OriginatorPublicKey *)ASN1_item_new(&CMS_OriginatorPublicKey_it); + if (!oik->d.originatorKey) + return 0; + } + /* Initialise KDF algorithm */ + if (!cms_env_asn1_ctrl(ri, 0)) + return 0; + /* For each rek, derive KEK, encrypt CEK */ + for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++) { + unsigned char *enckey; + size_t enckeylen; + rek = sk_CMS_RecipientEncryptedKey_value(reks, i); + if (EVP_PKEY_derive_set_peer(kari->pctx, rek->pkey) <= 0) + return 0; + if (!cms_kek_cipher(&enckey, &enckeylen, ec->key, ec->keylen, + kari, 1)) + return 0; + ASN1_STRING_set0(rek->encryptedKey, enckey, enckeylen); + } + + return 1; +} diff --git a/crypto/cms/cms_lcl.h b/crypto/cms/cms_lcl.h new file mode 100644 index 0000000..8083e55 --- /dev/null 
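Review bot: `cms_kek_cipher` unconditionally frees `kari->pctx` and NULLs it at its `err` label (the line carrying the `FIXME: WHY IS kari->pctx freed here?` comment), yet `cms_RecipientInfo_kari_encrypt` calls it once per entry of `reks` and on each iteration first calls `EVP_PKEY_derive_set_peer(kari->pctx, rek->pkey)`; from the second iteration on that context pointer is NULL, so a kari carrying more than one recipientEncryptedKey appears unable to be encrypted — presumably the call fails rather than crashes, but the limitation is neither checked nor documented. If one rek per kari is the intended constraint, state and enforce it before the loop, e.g. `/* cms_kek_cipher releases pctx, so only a single rek is supported */` followed by `if (sk_CMS_RecipientEncryptedKey_num(reks) != 1) return 0;`; otherwise move the `EVP_PKEY_CTX_free` out of `cms_kek_cipher` into the decrypt path, where the context is genuinely single-use. The `#if 0` DES3 wrap block in `cms_wrap_init` that its own `XXX` comment already proposes dropping should be deleted rather than shipped as dead code.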
+++ b/crypto/cms/cms_lcl.h 
@@ -0,0 +1,484 @@ +/* $OpenBSD: cms_lcl.h,v 1.12 2019/10/04 18:03:56 tb Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#ifndef HEADER_CMS_LCL_H +#define HEADER_CMS_LCL_H + +#include + +/* + * Cryptographic message syntax (CMS) structures: taken from RFC3852 + */ + +/* Forward references */ + +typedef struct CMS_IssuerAndSerialNumber_st CMS_IssuerAndSerialNumber; +typedef struct CMS_EncapsulatedContentInfo_st CMS_EncapsulatedContentInfo; +typedef struct CMS_SignerIdentifier_st CMS_SignerIdentifier; +typedef struct CMS_SignedData_st CMS_SignedData; +typedef struct CMS_OtherRevocationInfoFormat_st CMS_OtherRevocationInfoFormat; +typedef struct CMS_OriginatorInfo_st CMS_OriginatorInfo; +typedef struct CMS_EncryptedContentInfo_st CMS_EncryptedContentInfo; +typedef struct CMS_EnvelopedData_st CMS_EnvelopedData; +typedef struct CMS_DigestedData_st CMS_DigestedData; +typedef struct CMS_EncryptedData_st CMS_EncryptedData; +typedef struct CMS_AuthenticatedData_st CMS_AuthenticatedData; +typedef struct CMS_CompressedData_st CMS_CompressedData; +typedef struct CMS_OtherCertificateFormat_st CMS_OtherCertificateFormat; +typedef struct CMS_KeyTransRecipientInfo_st CMS_KeyTransRecipientInfo; +typedef struct CMS_OriginatorPublicKey_st CMS_OriginatorPublicKey; +typedef struct CMS_OriginatorIdentifierOrKey_st CMS_OriginatorIdentifierOrKey; +typedef struct CMS_KeyAgreeRecipientInfo_st CMS_KeyAgreeRecipientInfo; +typedef struct CMS_RecipientKeyIdentifier_st 
CMS_RecipientKeyIdentifier; +typedef struct CMS_KeyAgreeRecipientIdentifier_st + CMS_KeyAgreeRecipientIdentifier; +typedef struct CMS_KEKIdentifier_st CMS_KEKIdentifier; +typedef struct CMS_KEKRecipientInfo_st CMS_KEKRecipientInfo; +typedef struct CMS_PasswordRecipientInfo_st CMS_PasswordRecipientInfo; +typedef struct CMS_OtherRecipientInfo_st CMS_OtherRecipientInfo; +typedef struct CMS_ReceiptsFrom_st CMS_ReceiptsFrom; + +struct CMS_ContentInfo_st { + ASN1_OBJECT *contentType; + union { + ASN1_OCTET_STRING *data; + CMS_SignedData *signedData; + CMS_EnvelopedData *envelopedData; + CMS_DigestedData *digestedData; + CMS_EncryptedData *encryptedData; + CMS_AuthenticatedData *authenticatedData; + CMS_CompressedData *compressedData; + ASN1_TYPE *other; + /* Other types ... */ + void *otherData; + } d; +}; + +DECLARE_STACK_OF(CMS_CertificateChoices) + +struct CMS_SignedData_st { + long version; + STACK_OF(X509_ALGOR) *digestAlgorithms; + CMS_EncapsulatedContentInfo *encapContentInfo; + STACK_OF(CMS_CertificateChoices) *certificates; + STACK_OF(CMS_RevocationInfoChoice) *crls; + STACK_OF(CMS_SignerInfo) *signerInfos; +}; + +struct CMS_EncapsulatedContentInfo_st { + ASN1_OBJECT *eContentType; + ASN1_OCTET_STRING *eContent; + /* Set to 1 if incomplete structure only part set up */ + int partial; +}; + +struct CMS_SignerInfo_st { + long version; + CMS_SignerIdentifier *sid; + X509_ALGOR *digestAlgorithm; + STACK_OF(X509_ATTRIBUTE) *signedAttrs; + X509_ALGOR *signatureAlgorithm; + ASN1_OCTET_STRING *signature; + STACK_OF(X509_ATTRIBUTE) *unsignedAttrs; + /* Signing certificate and key */ + X509 *signer; + EVP_PKEY *pkey; + /* Digest and public key context for alternative parameters */ + EVP_MD_CTX *mctx; + EVP_PKEY_CTX *pctx; +}; + +struct CMS_SignerIdentifier_st { + int type; + union { + CMS_IssuerAndSerialNumber *issuerAndSerialNumber; + ASN1_OCTET_STRING *subjectKeyIdentifier; + } d; +}; + +struct CMS_EnvelopedData_st { + long version; + CMS_OriginatorInfo *originatorInfo; 
+ STACK_OF(CMS_RecipientInfo) *recipientInfos; + CMS_EncryptedContentInfo *encryptedContentInfo; + STACK_OF(X509_ATTRIBUTE) *unprotectedAttrs; +}; + +struct CMS_OriginatorInfo_st { + STACK_OF(CMS_CertificateChoices) *certificates; + STACK_OF(CMS_RevocationInfoChoice) *crls; +}; + +struct CMS_EncryptedContentInfo_st { + ASN1_OBJECT *contentType; + X509_ALGOR *contentEncryptionAlgorithm; + ASN1_OCTET_STRING *encryptedContent; + /* Content encryption algorithm and key */ + const EVP_CIPHER *cipher; + unsigned char *key; + size_t keylen; + /* Set to 1 if we are debugging decrypt and don't fake keys for MMA */ + int debug; + /* Set to 1 if we have no cert and need exta safety measures for MMA */ + int havenocert; +}; + +struct CMS_RecipientInfo_st { + int type; + union { + CMS_KeyTransRecipientInfo *ktri; + CMS_KeyAgreeRecipientInfo *kari; + CMS_KEKRecipientInfo *kekri; + CMS_PasswordRecipientInfo *pwri; + CMS_OtherRecipientInfo *ori; + } d; +}; + +typedef CMS_SignerIdentifier CMS_RecipientIdentifier; + +struct CMS_KeyTransRecipientInfo_st { + long version; + CMS_RecipientIdentifier *rid; + X509_ALGOR *keyEncryptionAlgorithm; + ASN1_OCTET_STRING *encryptedKey; + /* Recipient Key and cert */ + X509 *recip; + EVP_PKEY *pkey; + /* Public key context for this operation */ + EVP_PKEY_CTX *pctx; +}; + +struct CMS_KeyAgreeRecipientInfo_st { + long version; + CMS_OriginatorIdentifierOrKey *originator; + ASN1_OCTET_STRING *ukm; + X509_ALGOR *keyEncryptionAlgorithm; + STACK_OF(CMS_RecipientEncryptedKey) *recipientEncryptedKeys; + /* Public key context associated with current operation */ + EVP_PKEY_CTX *pctx; + /* Cipher context for CEK wrapping */ + EVP_CIPHER_CTX *ctx; +}; + +struct CMS_OriginatorIdentifierOrKey_st { + int type; + union { + CMS_IssuerAndSerialNumber *issuerAndSerialNumber; + ASN1_OCTET_STRING *subjectKeyIdentifier; + CMS_OriginatorPublicKey *originatorKey; + } d; +}; + +struct CMS_OriginatorPublicKey_st { + X509_ALGOR *algorithm; + ASN1_BIT_STRING *publicKey; 
+}; + +struct CMS_RecipientEncryptedKey_st { + CMS_KeyAgreeRecipientIdentifier *rid; + ASN1_OCTET_STRING *encryptedKey; + /* Public key associated with this recipient */ + EVP_PKEY *pkey; +}; + +struct CMS_KeyAgreeRecipientIdentifier_st { + int type; + union { + CMS_IssuerAndSerialNumber *issuerAndSerialNumber; + CMS_RecipientKeyIdentifier *rKeyId; + } d; +}; + +struct CMS_RecipientKeyIdentifier_st { + ASN1_OCTET_STRING *subjectKeyIdentifier; + ASN1_GENERALIZEDTIME *date; + CMS_OtherKeyAttribute *other; +}; + +struct CMS_KEKRecipientInfo_st { + long version; + CMS_KEKIdentifier *kekid; + X509_ALGOR *keyEncryptionAlgorithm; + ASN1_OCTET_STRING *encryptedKey; + /* Extra info: symmetric key to use */ + unsigned char *key; + size_t keylen; +}; + +struct CMS_KEKIdentifier_st { + ASN1_OCTET_STRING *keyIdentifier; + ASN1_GENERALIZEDTIME *date; + CMS_OtherKeyAttribute *other; +}; + +struct CMS_PasswordRecipientInfo_st { + long version; + X509_ALGOR *keyDerivationAlgorithm; + X509_ALGOR *keyEncryptionAlgorithm; + ASN1_OCTET_STRING *encryptedKey; + /* Extra info: password to use */ + unsigned char *pass; + size_t passlen; +}; + +struct CMS_OtherRecipientInfo_st { + ASN1_OBJECT *oriType; + ASN1_TYPE *oriValue; +}; + +struct CMS_DigestedData_st { + long version; + X509_ALGOR *digestAlgorithm; + CMS_EncapsulatedContentInfo *encapContentInfo; + ASN1_OCTET_STRING *digest; +}; + +struct CMS_EncryptedData_st { + long version; + CMS_EncryptedContentInfo *encryptedContentInfo; + STACK_OF(X509_ATTRIBUTE) *unprotectedAttrs; +}; + +struct CMS_AuthenticatedData_st { + long version; + CMS_OriginatorInfo *originatorInfo; + STACK_OF(CMS_RecipientInfo) *recipientInfos; + X509_ALGOR *macAlgorithm; + X509_ALGOR *digestAlgorithm; + CMS_EncapsulatedContentInfo *encapContentInfo; + STACK_OF(X509_ATTRIBUTE) *authAttrs; + ASN1_OCTET_STRING *mac; + STACK_OF(X509_ATTRIBUTE) *unauthAttrs; +}; + +struct CMS_CompressedData_st { + long version; + X509_ALGOR *compressionAlgorithm; + 
STACK_OF(CMS_RecipientInfo) *recipientInfos; + CMS_EncapsulatedContentInfo *encapContentInfo; +}; + +struct CMS_RevocationInfoChoice_st { + int type; + union { + X509_CRL *crl; + CMS_OtherRevocationInfoFormat *other; + } d; +}; + +#define CMS_REVCHOICE_CRL 0 +#define CMS_REVCHOICE_OTHER 1 + +struct CMS_OtherRevocationInfoFormat_st { + ASN1_OBJECT *otherRevInfoFormat; + ASN1_TYPE *otherRevInfo; +}; + +struct CMS_CertificateChoices { + int type; + union { + X509 *certificate; + ASN1_STRING *extendedCertificate; /* Obsolete */ + ASN1_STRING *v1AttrCert; /* Left encoded for now */ + ASN1_STRING *v2AttrCert; /* Left encoded for now */ + CMS_OtherCertificateFormat *other; + } d; +}; + +#define CMS_CERTCHOICE_CERT 0 +#define CMS_CERTCHOICE_EXCERT 1 +#define CMS_CERTCHOICE_V1ACERT 2 +#define CMS_CERTCHOICE_V2ACERT 3 +#define CMS_CERTCHOICE_OTHER 4 + +struct CMS_OtherCertificateFormat_st { + ASN1_OBJECT *otherCertFormat; + ASN1_TYPE *otherCert; +}; + +/* + * This is also defined in pkcs7.h but we duplicate it to allow the CMS code + * to be independent of PKCS#7 + */ + +struct CMS_IssuerAndSerialNumber_st { + X509_NAME *issuer; + ASN1_INTEGER *serialNumber; +}; + +struct CMS_OtherKeyAttribute_st { + ASN1_OBJECT *keyAttrId; + ASN1_TYPE *keyAttr; +}; + +/* ESS structures */ + +#ifdef HEADER_X509V3_H + +struct CMS_ReceiptRequest_st { + ASN1_OCTET_STRING *signedContentIdentifier; + CMS_ReceiptsFrom *receiptsFrom; + STACK_OF(GENERAL_NAMES) *receiptsTo; +}; + +struct CMS_ReceiptsFrom_st { + int type; + union { + long allOrFirstTier; + STACK_OF(GENERAL_NAMES) *receiptList; + } d; +}; +#endif + +struct CMS_Receipt_st { + long version; + ASN1_OBJECT *contentType; + ASN1_OCTET_STRING *signedContentIdentifier; + ASN1_OCTET_STRING *originatorSignatureValue; +}; + +CMS_ContentInfo *CMS_ContentInfo_new(void); +void CMS_ContentInfo_free(CMS_ContentInfo *a); +CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a, const unsigned char **in, long len); +int 
i2d_CMS_ContentInfo(CMS_ContentInfo *a, unsigned char **out); +extern const ASN1_ITEM CMS_ContentInfo_it; +extern const ASN1_ITEM CMS_SignerInfo_it; +extern const ASN1_ITEM CMS_IssuerAndSerialNumber_it; +extern const ASN1_ITEM CMS_Attributes_Sign_it; +extern const ASN1_ITEM CMS_Attributes_Verify_it; +extern const ASN1_ITEM CMS_RecipientInfo_it; +extern const ASN1_ITEM CMS_PasswordRecipientInfo_it; +CMS_IssuerAndSerialNumber *CMS_IssuerAndSerialNumber_new(void); +void CMS_IssuerAndSerialNumber_free(CMS_IssuerAndSerialNumber *a); + +#define CMS_SIGNERINFO_ISSUER_SERIAL 0 +#define CMS_SIGNERINFO_KEYIDENTIFIER 1 + +#define CMS_RECIPINFO_ISSUER_SERIAL 0 +#define CMS_RECIPINFO_KEYIDENTIFIER 1 + +#define CMS_REK_ISSUER_SERIAL 0 +#define CMS_REK_KEYIDENTIFIER 1 + +#define CMS_OIK_ISSUER_SERIAL 0 +#define CMS_OIK_KEYIDENTIFIER 1 +#define CMS_OIK_PUBKEY 2 + +BIO *cms_content_bio(CMS_ContentInfo *cms); + +CMS_ContentInfo *cms_Data_create(void); + +CMS_ContentInfo *cms_DigestedData_create(const EVP_MD *md); +BIO *cms_DigestedData_init_bio(CMS_ContentInfo *cms); +int cms_DigestedData_do_final(CMS_ContentInfo *cms, BIO *chain, int verify); + +BIO *cms_SignedData_init_bio(CMS_ContentInfo *cms); +int cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain); +int cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, int type); +int cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid, + ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno); +int cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert); + +CMS_ContentInfo *cms_CompressedData_create(int comp_nid); +BIO *cms_CompressedData_init_bio(CMS_ContentInfo *cms); + +BIO *cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm); +int cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain, + X509_ALGOR *mdalg); + +int cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert); +int cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert); +int 
cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert); +int cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert); + +BIO *cms_EncryptedContent_init_bio(CMS_EncryptedContentInfo *ec); +BIO *cms_EncryptedData_init_bio(CMS_ContentInfo *cms); +int cms_EncryptedContent_init(CMS_EncryptedContentInfo *ec, + const EVP_CIPHER *cipher, const unsigned char *key, size_t keylen); + +int cms_Receipt_verify(CMS_ContentInfo *cms, CMS_ContentInfo *req_cms); +int cms_msgSigDigest_add1(CMS_SignerInfo *dest, CMS_SignerInfo *src); +ASN1_OCTET_STRING *cms_encode_Receipt(CMS_SignerInfo *si); + +BIO *cms_EnvelopedData_init_bio(CMS_ContentInfo *cms); +CMS_EnvelopedData *cms_get0_enveloped(CMS_ContentInfo *cms); +int cms_env_asn1_ctrl(CMS_RecipientInfo *ri, int cmd); +int cms_pkey_get_ri_type(EVP_PKEY *pk); +/* KARI routines */ +int cms_RecipientInfo_kari_init(CMS_RecipientInfo *ri, X509 *recip, + EVP_PKEY *pk, unsigned int flags); +int cms_RecipientInfo_kari_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri); + +/* PWRI routines */ +int cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, + int en_de); + +extern const ASN1_ITEM CMS_CertificateChoices_it; +extern const ASN1_ITEM CMS_DigestedData_it; +extern const ASN1_ITEM CMS_EncryptedData_it; +extern const ASN1_ITEM CMS_EnvelopedData_it; +extern const ASN1_ITEM CMS_KEKRecipientInfo_it; +extern const ASN1_ITEM CMS_KeyAgreeRecipientInfo_it; +extern const ASN1_ITEM CMS_KeyTransRecipientInfo_it; +extern const ASN1_ITEM CMS_OriginatorPublicKey_it; +extern const ASN1_ITEM CMS_OtherKeyAttribute_it; +extern const ASN1_ITEM CMS_Receipt_it; +extern const ASN1_ITEM CMS_ReceiptRequest_it; +extern const ASN1_ITEM CMS_RecipientEncryptedKey_it; +extern const ASN1_ITEM CMS_RecipientKeyIdentifier_it; +extern const ASN1_ITEM CMS_RevocationInfoChoice_it; +extern const ASN1_ITEM CMS_SignedData_it; +extern const ASN1_ITEM CMS_CompressedData_it; + +#endif 
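Review bot: The structs that hold raw secret material — `key`/`keylen` in `CMS_EncryptedContentInfo_st` and `CMS_KEKRecipientInfo_st`, `pass`/`passlen` in `CMS_PasswordRecipientInfo_st` — say nothing about ownership or that the memory must be wiped rather than just freed, and the free path is not in this diff so I cannot confirm it uses freezero()/explicit clearing. I'd annotate each field, e.g. `/* Raw content-encryption key: secret; owner must clear it (freezero) on release, never plain free */`, and the same wording for the KEK and password fields. Separately, `CMS_CompressedData_st` declares a `recipientInfos` stack that has no counterpart in the CompressedData structure of RFC 3274; if the ASN.1 template (outside this diff) never populates it, it is dead storage copied from EnvelopedData and deserves either a comment saying so or removal. The file header's "taken from RFC3852" could also note that RFC 5652 obsoletes it.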
diff --git a/crypto/cms/cms_lib.c b/crypto/cms/cms_lib.c
new file mode 100644
index 0000000..b6580dd
--- /dev/null
+++ b/crypto/cms/cms_lib.c
@@ -0,0 +1,720 @@ +/* $OpenBSD: cms_lib.c,v 1.14 2019/08/12 18:13:13 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" + + +CMS_ContentInfo * +d2i_CMS_ContentInfo(CMS_ContentInfo **a, const unsigned char **in, long len) +{ + return (CMS_ContentInfo *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &CMS_ContentInfo_it); +} + +int +i2d_CMS_ContentInfo(CMS_ContentInfo *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &CMS_ContentInfo_it); +} + +CMS_ContentInfo * +CMS_ContentInfo_new(void) +{ + return (CMS_ContentInfo *)ASN1_item_new(&CMS_ContentInfo_it); +} + +void +CMS_ContentInfo_free(CMS_ContentInfo *a) +{ + ASN1_item_free((ASN1_VALUE *)a, &CMS_ContentInfo_it); +} + +int +CMS_ContentInfo_print_ctx(BIO *out, CMS_ContentInfo *x, int indent, const ASN1_PCTX *pctx) +{ + return ASN1_item_print(out, (ASN1_VALUE *)x, indent, + &CMS_ContentInfo_it, pctx); +} + +const ASN1_OBJECT * +CMS_get0_type(const CMS_ContentInfo *cms) +{ + return cms->contentType; +} + +CMS_ContentInfo * +cms_Data_create(void) +{ + CMS_ContentInfo *cms; + + cms = CMS_ContentInfo_new(); + if (cms != NULL) { + cms->contentType = OBJ_nid2obj(NID_pkcs7_data); + /* Never detached */ + CMS_set_detached(cms, 0); + } + return cms; +} + +BIO * +cms_content_bio(CMS_ContentInfo *cms) +{ + ASN1_OCTET_STRING **pos = CMS_get0_content(cms); + + if (!pos) + return NULL; + /* If content detached data goes 
nowhere: create NULL BIO */ + if (!*pos) + return BIO_new(BIO_s_null()); + /* + * If content not detached and created return memory BIO + */ + if (!*pos || ((*pos)->flags == ASN1_STRING_FLAG_CONT)) + return BIO_new(BIO_s_mem()); + + /* Else content was read in: return read only BIO for it */ + return BIO_new_mem_buf((*pos)->data, (*pos)->length); +} + +BIO * +CMS_dataInit(CMS_ContentInfo *cms, BIO *icont) +{ + BIO *cmsbio, *cont; + + if (icont) + cont = icont; + else + cont = cms_content_bio(cms); + if (!cont) { + CMSerror(CMS_R_NO_CONTENT); + return NULL; + } + switch (OBJ_obj2nid(cms->contentType)) { + + case NID_pkcs7_data: + return cont; + + case NID_pkcs7_signed: + cmsbio = cms_SignedData_init_bio(cms); + break; + + case NID_pkcs7_digest: + cmsbio = cms_DigestedData_init_bio(cms); + break; +#ifdef ZLIB + case NID_id_smime_ct_compressedData: + cmsbio = cms_CompressedData_init_bio(cms); + break; +#endif + + case NID_pkcs7_encrypted: + cmsbio = cms_EncryptedData_init_bio(cms); + break; + + case NID_pkcs7_enveloped: + cmsbio = cms_EnvelopedData_init_bio(cms); + break; + + default: + CMSerror(CMS_R_UNSUPPORTED_TYPE); + return NULL; + } + + if (cmsbio) + return BIO_push(cmsbio, cont); + + if (!icont) + BIO_free(cont); + + return NULL; +} + +int +CMS_dataFinal(CMS_ContentInfo *cms, BIO *cmsbio) +{ + ASN1_OCTET_STRING **pos = CMS_get0_content(cms); + + if (!pos) + return 0; + /* If embedded content find memory BIO and set content */ + if (*pos && ((*pos)->flags & ASN1_STRING_FLAG_CONT)) { + BIO *mbio; + unsigned char *cont; + long contlen; + mbio = BIO_find_type(cmsbio, BIO_TYPE_MEM); + if (!mbio) { + CMSerror(CMS_R_CONTENT_NOT_FOUND); + return 0; + } + contlen = BIO_get_mem_data(mbio, &cont); + /* Set bio as read only so its content can't be clobbered */ + BIO_set_flags(mbio, BIO_FLAGS_MEM_RDONLY); + BIO_set_mem_eof_return(mbio, 0); + ASN1_STRING_set0(*pos, cont, contlen); + (*pos)->flags &= ~ASN1_STRING_FLAG_CONT; + } + + switch (OBJ_obj2nid(cms->contentType)) { + + 
case NID_pkcs7_data: + case NID_pkcs7_enveloped: + case NID_pkcs7_encrypted: + case NID_id_smime_ct_compressedData: + /* Nothing to do */ + return 1; + + case NID_pkcs7_signed: + return cms_SignedData_final(cms, cmsbio); + + case NID_pkcs7_digest: + return cms_DigestedData_do_final(cms, cmsbio, 0); + + default: + CMSerror(CMS_R_UNSUPPORTED_TYPE); + return 0; + } +} + +/* + * Return an OCTET STRING pointer to content. This allows it to be accessed + * or set later. + */ + +ASN1_OCTET_STRING ** +CMS_get0_content(CMS_ContentInfo *cms) +{ + switch (OBJ_obj2nid(cms->contentType)) { + case NID_pkcs7_data: + return &cms->d.data; + + case NID_pkcs7_signed: + return &cms->d.signedData->encapContentInfo->eContent; + + case NID_pkcs7_enveloped: + return &cms->d.envelopedData->encryptedContentInfo->encryptedContent; + + case NID_pkcs7_digest: + return &cms->d.digestedData->encapContentInfo->eContent; + + case NID_pkcs7_encrypted: + return &cms->d.encryptedData->encryptedContentInfo->encryptedContent; + + case NID_id_smime_ct_authData: + return &cms->d.authenticatedData->encapContentInfo->eContent; + + case NID_id_smime_ct_compressedData: + return &cms->d.compressedData->encapContentInfo->eContent; + + default: + if (cms->d.other->type == V_ASN1_OCTET_STRING) + return &cms->d.other->value.octet_string; + CMSerror(CMS_R_UNSUPPORTED_CONTENT_TYPE); + return NULL; + } +} + +/* + * Return an ASN1_OBJECT pointer to content type. This allows it to be + * accessed or set later. 
+ */ + +static ASN1_OBJECT ** +cms_get0_econtent_type(CMS_ContentInfo *cms) +{ + switch (OBJ_obj2nid(cms->contentType)) { + case NID_pkcs7_signed: + return &cms->d.signedData->encapContentInfo->eContentType; + + case NID_pkcs7_enveloped: + return &cms->d.envelopedData->encryptedContentInfo->contentType; + + case NID_pkcs7_digest: + return &cms->d.digestedData->encapContentInfo->eContentType; + + case NID_pkcs7_encrypted: + return &cms->d.encryptedData->encryptedContentInfo->contentType; + + case NID_id_smime_ct_authData: + return &cms->d.authenticatedData->encapContentInfo->eContentType; + + case NID_id_smime_ct_compressedData: + return &cms->d.compressedData->encapContentInfo->eContentType; + + default: + CMSerror(CMS_R_UNSUPPORTED_CONTENT_TYPE); + return NULL; + } +} + +const ASN1_OBJECT * +CMS_get0_eContentType(CMS_ContentInfo *cms) +{ + ASN1_OBJECT **petype; + + petype = cms_get0_econtent_type(cms); + if (petype) + return *petype; + + return NULL; +} + +int +CMS_set1_eContentType(CMS_ContentInfo *cms, const ASN1_OBJECT *oid) +{ + ASN1_OBJECT **petype, *etype; + + petype = cms_get0_econtent_type(cms); + if (!petype) + return 0; + if (!oid) + return 1; + etype = OBJ_dup(oid); + if (!etype) + return 0; + ASN1_OBJECT_free(*petype); + *petype = etype; + + return 1; +} + +int +CMS_is_detached(CMS_ContentInfo *cms) +{ + ASN1_OCTET_STRING **pos; + + pos = CMS_get0_content(cms); + if (!pos) + return -1; + if (*pos) + return 0; + + return 1; +} + +int +CMS_set_detached(CMS_ContentInfo *cms, int detached) +{ + ASN1_OCTET_STRING **pos; + + pos = CMS_get0_content(cms); + if (!pos) + return 0; + if (detached) { + ASN1_OCTET_STRING_free(*pos); + *pos = NULL; + return 1; + } + if (*pos == NULL) + *pos = ASN1_OCTET_STRING_new(); + if (*pos != NULL) { + /* + * NB: special flag to show content is created and not read in. 
+ */ + (*pos)->flags |= ASN1_STRING_FLAG_CONT; + return 1; + } + CMSerror(ERR_R_MALLOC_FAILURE); + + return 0; +} + +/* Create a digest BIO from an X509_ALGOR structure */ + +BIO * +cms_DigestAlgorithm_init_bio(X509_ALGOR *digestAlgorithm) +{ + BIO *mdbio = NULL; + const ASN1_OBJECT *digestoid; + const EVP_MD *digest; + + X509_ALGOR_get0(&digestoid, NULL, NULL, digestAlgorithm); + digest = EVP_get_digestbyobj(digestoid); + if (!digest) { + CMSerror(CMS_R_UNKNOWN_DIGEST_ALGORITHM); + goto err; + } + mdbio = BIO_new(BIO_f_md()); + if (mdbio == NULL || !BIO_set_md(mdbio, digest)) { + CMSerror(CMS_R_MD_BIO_INIT_ERROR); + goto err; + } + return mdbio; + + err: + BIO_free(mdbio); + + return NULL; +} + +/* Locate a message digest content from a BIO chain based on SignerInfo */ + +int +cms_DigestAlgorithm_find_ctx(EVP_MD_CTX *mctx, BIO *chain, X509_ALGOR *mdalg) +{ + int nid; + const ASN1_OBJECT *mdoid; + + X509_ALGOR_get0(&mdoid, NULL, NULL, mdalg); + nid = OBJ_obj2nid(mdoid); + /* Look for digest type to match signature */ + for (;;) { + EVP_MD_CTX *mtmp; + chain = BIO_find_type(chain, BIO_TYPE_MD); + if (chain == NULL) { + CMSerror(CMS_R_NO_MATCHING_DIGEST); + return 0; + } + BIO_get_md_ctx(chain, &mtmp); + if (EVP_MD_CTX_type(mtmp) == nid + /* + * Workaround for broken implementations that use signature + * algorithm OID instead of digest. 
+ */ + || EVP_MD_pkey_type(EVP_MD_CTX_md(mtmp)) == nid) + return EVP_MD_CTX_copy_ex(mctx, mtmp); + chain = BIO_next(chain); + } +} + +static STACK_OF(CMS_CertificateChoices) ** +cms_get0_certificate_choices(CMS_ContentInfo *cms) +{ + switch (OBJ_obj2nid(cms->contentType)) { + case NID_pkcs7_signed: + return &cms->d.signedData->certificates; + + case NID_pkcs7_enveloped: + if (cms->d.envelopedData->originatorInfo == NULL) + return NULL; + return &cms->d.envelopedData->originatorInfo->certificates; + + default: + CMSerror(CMS_R_UNSUPPORTED_CONTENT_TYPE); + return NULL; + } +} + +CMS_CertificateChoices * +CMS_add0_CertificateChoices(CMS_ContentInfo *cms) +{ + STACK_OF(CMS_CertificateChoices) **pcerts; + CMS_CertificateChoices *cch; + + pcerts = cms_get0_certificate_choices(cms); + if (!pcerts) + return NULL; + if (!*pcerts) + *pcerts = sk_CMS_CertificateChoices_new_null(); + if (!*pcerts) + return NULL; + cch = (CMS_CertificateChoices *)ASN1_item_new(&CMS_CertificateChoices_it); + if (!cch) + return NULL; + if (!sk_CMS_CertificateChoices_push(*pcerts, cch)) { + ASN1_item_free((ASN1_VALUE *)cch, &CMS_CertificateChoices_it); + return NULL; + } + + return cch; +} + +int +CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert) +{ + CMS_CertificateChoices *cch; + STACK_OF(CMS_CertificateChoices) **pcerts; + int i; + + pcerts = cms_get0_certificate_choices(cms); + if (!pcerts) + return 0; + for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) { + cch = sk_CMS_CertificateChoices_value(*pcerts, i); + if (cch->type == CMS_CERTCHOICE_CERT) { + if (!X509_cmp(cch->d.certificate, cert)) { + CMSerror(CMS_R_CERTIFICATE_ALREADY_PRESENT); + return 0; + } + } + } + cch = CMS_add0_CertificateChoices(cms); + if (!cch) + return 0; + cch->type = CMS_CERTCHOICE_CERT; + cch->d.certificate = cert; + + return 1; +} + +int +CMS_add1_cert(CMS_ContentInfo *cms, X509 *cert) +{ + int r; + + r = CMS_add0_cert(cms, cert); + if (r > 0) + X509_up_ref(cert); + + return r; +} + +static 
STACK_OF(CMS_RevocationInfoChoice) ** +cms_get0_revocation_choices(CMS_ContentInfo *cms) +{ + switch (OBJ_obj2nid(cms->contentType)) { + case NID_pkcs7_signed: + return &cms->d.signedData->crls; + + case NID_pkcs7_enveloped: + if (cms->d.envelopedData->originatorInfo == NULL) + return NULL; + return &cms->d.envelopedData->originatorInfo->crls; + + default: + CMSerror(CMS_R_UNSUPPORTED_CONTENT_TYPE); + return NULL; + } +} + +CMS_RevocationInfoChoice * +CMS_add0_RevocationInfoChoice(CMS_ContentInfo *cms) +{ + STACK_OF(CMS_RevocationInfoChoice) **pcrls; + CMS_RevocationInfoChoice *rch; + + pcrls = cms_get0_revocation_choices(cms); + if (!pcrls) + return NULL; + if (!*pcrls) + *pcrls = sk_CMS_RevocationInfoChoice_new_null(); + if (!*pcrls) + return NULL; + rch = (CMS_RevocationInfoChoice *)ASN1_item_new(&CMS_RevocationInfoChoice_it); + if (!rch) + return NULL; + if (!sk_CMS_RevocationInfoChoice_push(*pcrls, rch)) { + ASN1_item_free((ASN1_VALUE *)rch, &CMS_RevocationInfoChoice_it); + return NULL; + } + + return rch; +} + +int +CMS_add0_crl(CMS_ContentInfo *cms, X509_CRL *crl) +{ + CMS_RevocationInfoChoice *rch; + + rch = CMS_add0_RevocationInfoChoice(cms); + if (!rch) + return 0; + rch->type = CMS_REVCHOICE_CRL; + rch->d.crl = crl; + + return 1; +} + +int +CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl) +{ + int r; + + r = CMS_add0_crl(cms, crl); + if (r > 0) + X509_CRL_up_ref(crl); + + return r; +} + +STACK_OF(X509) * +CMS_get1_certs(CMS_ContentInfo *cms) +{ + STACK_OF(X509) *certs = NULL; + CMS_CertificateChoices *cch; + STACK_OF(CMS_CertificateChoices) **pcerts; + int i; + + pcerts = cms_get0_certificate_choices(cms); + if (!pcerts) + return NULL; + for (i = 0; i < sk_CMS_CertificateChoices_num(*pcerts); i++) { + cch = sk_CMS_CertificateChoices_value(*pcerts, i); + if (cch->type == 0) { + if (!certs) { + certs = sk_X509_new_null(); + if (!certs) + return NULL; + } + if (!sk_X509_push(certs, cch->d.certificate)) { + sk_X509_pop_free(certs, X509_free); + return NULL; 
+ } + X509_up_ref(cch->d.certificate); + } + } + return certs; +} + +STACK_OF(X509_CRL) * +CMS_get1_crls(CMS_ContentInfo *cms) +{ + STACK_OF(X509_CRL) *crls = NULL; + STACK_OF(CMS_RevocationInfoChoice) **pcrls; + CMS_RevocationInfoChoice *rch; + int i; + + pcrls = cms_get0_revocation_choices(cms); + if (!pcrls) + return NULL; + for (i = 0; i < sk_CMS_RevocationInfoChoice_num(*pcrls); i++) { + rch = sk_CMS_RevocationInfoChoice_value(*pcrls, i); + if (rch->type == 0) { + if (!crls) { + crls = sk_X509_CRL_new_null(); + if (!crls) + return NULL; + } + if (!sk_X509_CRL_push(crls, rch->d.crl)) { + sk_X509_CRL_pop_free(crls, X509_CRL_free); + return NULL; + } + X509_CRL_up_ref(rch->d.crl); + } + } + return crls; +} + +static const ASN1_OCTET_STRING * +cms_X509_get0_subject_key_id(X509 *x) +{ + /* Call for side-effect of computing hash and caching extensions */ + X509_check_purpose(x, -1, -1); + return x->skid; +} + +int +cms_ias_cert_cmp(CMS_IssuerAndSerialNumber *ias, X509 *cert) +{ + int ret; + + ret = X509_NAME_cmp(ias->issuer, X509_get_issuer_name(cert)); + if (ret) + return ret; + + return ASN1_INTEGER_cmp(ias->serialNumber, X509_get_serialNumber(cert)); +} + +int +cms_keyid_cert_cmp(ASN1_OCTET_STRING *keyid, X509 *cert) +{ + const ASN1_OCTET_STRING *cert_keyid = cms_X509_get0_subject_key_id(cert); + + if (cert_keyid == NULL) + return -1; + + return ASN1_OCTET_STRING_cmp(keyid, cert_keyid); +} + +int +cms_set1_ias(CMS_IssuerAndSerialNumber **pias, X509 *cert) +{ + CMS_IssuerAndSerialNumber *ias; + + ias = (CMS_IssuerAndSerialNumber *)ASN1_item_new(&CMS_IssuerAndSerialNumber_it); + if (!ias) + goto err; + if (!X509_NAME_set(&ias->issuer, X509_get_issuer_name(cert))) + goto err; + if (!ASN1_STRING_copy(ias->serialNumber, X509_get_serialNumber(cert))) + goto err; + ASN1_item_free((ASN1_VALUE *)*pias, &CMS_IssuerAndSerialNumber_it); + *pias = ias; + + return 1; + + err: + ASN1_item_free((ASN1_VALUE *)ias, &CMS_IssuerAndSerialNumber_it); + CMSerror(ERR_R_MALLOC_FAILURE); 
+
+ return 0;
+}
+
+int
+cms_set1_keyid(ASN1_OCTET_STRING **pkeyid, X509 *cert)
+{
+ ASN1_OCTET_STRING *keyid = NULL;
+ const ASN1_OCTET_STRING *cert_keyid;
+
+ cert_keyid = cms_X509_get0_subject_key_id(cert);
+ if (cert_keyid == NULL) {
+ CMSerror(CMS_R_CERTIFICATE_HAS_NO_KEYID);
+ return 0;
+ }
+ keyid = ASN1_STRING_dup(cert_keyid);
+ if (!keyid) {
+ CMSerror(ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+ ASN1_OCTET_STRING_free(*pkeyid);
+ *pkeyid = keyid;
+
+ return 1;
+}
diff --git a/crypto/cms/cms_pwri.c b/crypto/cms/cms_pwri.c
new file mode 100644
index 0000000..cf28dfc
--- /dev/null
+++ b/crypto/cms/cms_pwri.c
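Review bot: In `CMS_get0_content` the `default:` branch dereferences `cms->d.other` before checking it, so a CMS_ContentInfo whose contentType is still unset (OBJ_obj2nid(NULL) yields NID_undef, e.g. one fresh from CMS_ContentInfo_new()) crashes in CMS_is_detached/CMS_set_detached/CMS_dataInit instead of reporting CMS_R_UNSUPPORTED_CONTENT_TYPE; `if (cms->d.other != NULL && cms->d.other->type == V_ASN1_OCTET_STRING)` closes that, and whether the ASN.1 template can leave d.other NULL for a parsed message is not visible here. `CMS_get1_certs` and `CMS_get1_crls` compare `type == 0` where `CMS_add0_cert`/`CMS_add0_crl` use `CMS_CERTCHOICE_CERT`/`CMS_REVCHOICE_CRL`; the getters should use the same named constants so the CHOICE tags are not magic numbers. `cms_content_bio` also tests `(*pos)->flags == ASN1_STRING_FLAG_CONT` while `CMS_dataFinal` tests `flags & ASN1_STRING_FLAG_CONT`; the two should agree (the `&` form), otherwise created content that carries any other flag bit is handed to BIO_new_mem_buf with a NULL buffer, and the leading `!*pos ||` in that condition is dead since the line above already returned on it.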
@@ -0,0 +1,431 @@ +/* $OpenBSD: cms_pwri.c,v 1.26 2019/08/12 18:04:57 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2009 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" +#include "asn1/asn1_locl.h" + +int +CMS_RecipientInfo_set0_password(CMS_RecipientInfo *ri, unsigned char *pass, + ssize_t passlen) +{ + CMS_PasswordRecipientInfo *pwri; + + if (ri->type != CMS_RECIPINFO_PASS) { + CMSerror(CMS_R_NOT_PWRI); + return 0; + } + + pwri = ri->d.pwri; + pwri->pass = pass; + if (pass && passlen < 0) + passlen = strlen((char *)pass); + pwri->passlen = passlen; + + return 1; +} + +CMS_RecipientInfo * +CMS_add0_recipient_password(CMS_ContentInfo *cms, int iter, int wrap_nid, + int pbe_nid, unsigned char *pass, ssize_t passlen, + const EVP_CIPHER *kekciph) +{ + CMS_RecipientInfo *ri = NULL; + CMS_EnvelopedData *env; + CMS_PasswordRecipientInfo *pwri; + EVP_CIPHER_CTX *ctx = NULL; + X509_ALGOR *encalg = NULL; + unsigned char iv[EVP_MAX_IV_LENGTH]; + int ivlen; + + env = cms_get0_enveloped(cms); + if (!env) + return NULL; + + if (wrap_nid <= 0) + wrap_nid = NID_id_alg_PWRI_KEK; + + if (pbe_nid <= 0) + pbe_nid = NID_id_pbkdf2; + + /* Get from enveloped data */ + if (kekciph == NULL) + kekciph = env->encryptedContentInfo->cipher; + + if (kekciph == NULL) { + CMSerror(CMS_R_NO_CIPHER); + return NULL; + } + if (wrap_nid != NID_id_alg_PWRI_KEK) { + CMSerror(CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM); + 
return NULL; + } + + /* Setup algorithm identifier for cipher */ + encalg = X509_ALGOR_new(); + if (encalg == NULL) { + goto merr; + } + ctx = EVP_CIPHER_CTX_new(); + + if (EVP_EncryptInit_ex(ctx, kekciph, NULL, NULL, NULL) <= 0) { + CMSerror(ERR_R_EVP_LIB); + goto err; + } + + ivlen = EVP_CIPHER_CTX_iv_length(ctx); + + if (ivlen > 0) { + arc4random_buf(iv, ivlen); + if (EVP_EncryptInit_ex(ctx, NULL, NULL, NULL, iv) <= 0) { + CMSerror(ERR_R_EVP_LIB); + goto err; + } + encalg->parameter = ASN1_TYPE_new(); + if (!encalg->parameter) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + if (EVP_CIPHER_param_to_asn1(ctx, encalg->parameter) <= 0) { + CMSerror(CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); + goto err; + } + } + + encalg->algorithm = OBJ_nid2obj(EVP_CIPHER_CTX_type(ctx)); + + EVP_CIPHER_CTX_free(ctx); + ctx = NULL; + + /* Initialize recipient info */ + ri = (CMS_RecipientInfo *)ASN1_item_new(&CMS_RecipientInfo_it); + if (ri == NULL) + goto merr; + + ri->d.pwri = (CMS_PasswordRecipientInfo *)ASN1_item_new(&CMS_PasswordRecipientInfo_it); + if (ri->d.pwri == NULL) + goto merr; + ri->type = CMS_RECIPINFO_PASS; + + pwri = ri->d.pwri; + /* Since this is overwritten, free up empty structure already there */ + X509_ALGOR_free(pwri->keyEncryptionAlgorithm); + pwri->keyEncryptionAlgorithm = X509_ALGOR_new(); + if (pwri->keyEncryptionAlgorithm == NULL) + goto merr; + pwri->keyEncryptionAlgorithm->algorithm = OBJ_nid2obj(wrap_nid); + pwri->keyEncryptionAlgorithm->parameter = ASN1_TYPE_new(); + if (pwri->keyEncryptionAlgorithm->parameter == NULL) + goto merr; + + if (!ASN1_item_pack(encalg, &X509_ALGOR_it, + &pwri->keyEncryptionAlgorithm->parameter->value.sequence)) + goto merr; + pwri->keyEncryptionAlgorithm->parameter->type = V_ASN1_SEQUENCE; + + X509_ALGOR_free(encalg); + encalg = NULL; + + /* Setup PBE algorithm */ + + pwri->keyDerivationAlgorithm = PKCS5_pbkdf2_set(iter, NULL, 0, -1, -1); + + if (!pwri->keyDerivationAlgorithm) + goto err; + + 
CMS_RecipientInfo_set0_password(ri, pass, passlen); + pwri->version = 0; + + if (!sk_CMS_RecipientInfo_push(env->recipientInfos, ri)) + goto merr; + + return ri; + + merr: + CMSerror(ERR_R_MALLOC_FAILURE); + err: + EVP_CIPHER_CTX_free(ctx); + if (ri) + ASN1_item_free((ASN1_VALUE *)ri, &CMS_RecipientInfo_it); + X509_ALGOR_free(encalg); + + return NULL; +} + +/* + * This is an implementation of the key wrapping mechanism in RFC3211, at + * some point this should go into EVP. + */ + +static int +kek_unwrap_key(unsigned char *out, size_t *outlen, const unsigned char *in, + size_t inlen, EVP_CIPHER_CTX *ctx) +{ + size_t blocklen = EVP_CIPHER_CTX_block_size(ctx); + unsigned char *tmp; + int outl, rv = 0; + + if (inlen < 2 * blocklen) { + /* too small */ + return 0; + } + if (inlen % blocklen) { + /* Invalid size */ + return 0; + } + if ((tmp = malloc(inlen)) == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; + } + + /* setup IV by decrypting last two blocks */ + if (!EVP_DecryptUpdate(ctx, tmp + inlen - 2 * blocklen, &outl, + in + inlen - 2 * blocklen, blocklen * 2) + /* + * Do a decrypt of last decrypted block to set IV to correct value + * output it to start of buffer so we don't corrupt decrypted block + * this works because buffer is at least two block lengths long. 
+ */ + || !EVP_DecryptUpdate(ctx, tmp, &outl, tmp + inlen - blocklen, blocklen) + /* Can now decrypt first n - 1 blocks */ + || !EVP_DecryptUpdate(ctx, tmp, &outl, in, inlen - blocklen) + + /* Reset IV to original value */ + || !EVP_DecryptInit_ex(ctx, NULL, NULL, NULL, NULL) + /* Decrypt again */ + || !EVP_DecryptUpdate(ctx, tmp, &outl, tmp, inlen)) + goto err; + /* Check check bytes */ + if (((tmp[1] ^ tmp[4]) & (tmp[2] ^ tmp[5]) & (tmp[3] ^ tmp[6])) != 0xff) { + /* Check byte failure */ + goto err; + } + if (inlen < (size_t)(tmp[0] - 4)) { + /* Invalid length value */ + goto err; + } + *outlen = (size_t)tmp[0]; + memcpy(out, tmp + 4, *outlen); + rv = 1; + + err: + freezero(tmp, inlen); + + return rv; +} + +static int +kek_wrap_key(unsigned char *out, size_t *outlen, const unsigned char *in, + size_t inlen, EVP_CIPHER_CTX *ctx) +{ + size_t blocklen = EVP_CIPHER_CTX_block_size(ctx); + size_t olen; + int dummy; + + /* + * First decide length of output buffer: need header and round up to + * multiple of block length. 
+ */ + olen = (inlen + 4 + blocklen - 1) / blocklen; + olen *= blocklen; + if (olen < 2 * blocklen) { + /* Key too small */ + return 0; + } + if (inlen > 0xFF) { + /* Key too large */ + return 0; + } + if (out) { + /* Set header */ + out[0] = (unsigned char)inlen; + out[1] = in[0] ^ 0xFF; + out[2] = in[1] ^ 0xFF; + out[3] = in[2] ^ 0xFF; + memcpy(out + 4, in, inlen); + /* Add random padding to end */ + if (olen > inlen + 4) + arc4random_buf(out + 4 + inlen, olen - 4 - inlen); + /* Encrypt twice */ + if (!EVP_EncryptUpdate(ctx, out, &dummy, out, olen) || + !EVP_EncryptUpdate(ctx, out, &dummy, out, olen)) + return 0; + } + + *outlen = olen; + + return 1; +} + +/* Encrypt/Decrypt content key in PWRI recipient info */ + +int +cms_RecipientInfo_pwri_crypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, + int en_de) +{ + CMS_EncryptedContentInfo *ec; + CMS_PasswordRecipientInfo *pwri; + int r = 0; + X509_ALGOR *algtmp, *kekalg = NULL; + EVP_CIPHER_CTX *kekctx = NULL; + const EVP_CIPHER *kekcipher; + unsigned char *key = NULL; + size_t keylen; + + ec = cms->d.envelopedData->encryptedContentInfo; + + pwri = ri->d.pwri; + + if (!pwri->pass) { + CMSerror(CMS_R_NO_PASSWORD); + return 0; + } + algtmp = pwri->keyEncryptionAlgorithm; + + if (!algtmp || OBJ_obj2nid(algtmp->algorithm) != NID_id_alg_PWRI_KEK) { + CMSerror(CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM); + return 0; + } + + if (algtmp->parameter != NULL && + algtmp->parameter->type == V_ASN1_SEQUENCE && + algtmp->parameter->value.sequence != NULL) + kekalg = ASN1_item_unpack(algtmp->parameter->value.sequence, + &X509_ALGOR_it); + + if (kekalg == NULL) { + CMSerror(CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER); + return 0; + } + + kekcipher = EVP_get_cipherbyobj(kekalg->algorithm); + if (!kekcipher) { + CMSerror(CMS_R_UNKNOWN_CIPHER); + return 0; + } + + kekctx = EVP_CIPHER_CTX_new(); + if (kekctx == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; + } + /* Fixup cipher based on AlgorithmIdentifier to set IV etc */ + if 
(!EVP_CipherInit_ex(kekctx, kekcipher, NULL, NULL, NULL, en_de)) + goto err; + EVP_CIPHER_CTX_set_padding(kekctx, 0); + if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0) { + CMSerror(CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR); + goto err; + } + + algtmp = pwri->keyDerivationAlgorithm; + + /* Finish password based key derivation to setup key in "ctx" */ + + if (EVP_PBE_CipherInit(algtmp->algorithm, (char *)pwri->pass, + pwri->passlen, algtmp->parameter, kekctx, en_de) < 0) { + CMSerror(ERR_R_EVP_LIB); + goto err; + } + + /* Finally wrap/unwrap the key */ + + if (en_de) { + if (!kek_wrap_key(NULL, &keylen, ec->key, ec->keylen, kekctx)) + goto err; + + key = malloc(keylen); + if (key == NULL) + goto err; + + if (!kek_wrap_key(key, &keylen, ec->key, ec->keylen, kekctx)) + goto err; + pwri->encryptedKey->data = key; + pwri->encryptedKey->length = keylen; + } else { + key = malloc(pwri->encryptedKey->length); + if (key == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + if (!kek_unwrap_key(key, &keylen, pwri->encryptedKey->data, + pwri->encryptedKey->length, kekctx)) { + CMSerror(CMS_R_UNWRAP_FAILURE); + goto err; + } + + freezero(ec->key, ec->keylen); + ec->key = key; + ec->keylen = keylen; + } + + r = 1; + + err: + EVP_CIPHER_CTX_free(kekctx); + if (!r) + free(key); + X509_ALGOR_free(kekalg); + + return r; +} diff --git a/crypto/cms/cms_sd.c b/crypto/cms/cms_sd.c new file mode 100644 index 0000000..95343d0 --- /dev/null +++ b/crypto/cms/cms_sd.c 
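Review bot: The length check in kek_unwrap_key is inverted relative to the wrapped-key layout: the decrypted buffer holds 4 header bytes followed by tmp[0] key bytes, so the bound should be `if (inlen < 4 + (size_t)tmp[0])` rather than `if (inlen < (size_t)(tmp[0] - 4))`. As written, a decrypted length byte anywhere in [inlen-3, inlen+4] passes, and the following `memcpy(out, tmp + 4, *outlen)` then reads up to 8 bytes past the malloc(inlen) `tmp` and writes up to 4 bytes past `out`, which cms_RecipientInfo_pwri_crypt allocates with exactly `pwri->encryptedKey->length` bytes; the three check bytes only reduce the odds, and the input is attacker-supplied ciphertext. Separately, the KEK cipher is looked up from the message's own AlgorithmIdentifier via EVP_get_cipherbyobj and nothing rejects a block size of 1 — if a stream cipher can be selected that way, a 2-byte encryptedKey passes the `inlen < 2 * blocklen` guard and the check-byte reads of `tmp[4]`..`tmp[6]` also go out of bounds. A `if (blocklen < 8) return 0;` at the top of kek_unwrap_key (RFC 3211 assumes a block cipher) would close that path.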
@@ -0,0 +1,1014 @@ +/* $OpenBSD: cms_sd.c,v 1.23 2019/08/11 14:35:57 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include +#include "cms_lcl.h" +#include "asn1/asn1_locl.h" +#include "evp/evp_locl.h" + +/* CMS SignedData Utilities */ + +static CMS_SignedData * +cms_get0_signed(CMS_ContentInfo *cms) +{ + if (OBJ_obj2nid(cms->contentType) != NID_pkcs7_signed) { + CMSerror(CMS_R_CONTENT_TYPE_NOT_SIGNED_DATA); + return NULL; + } + return cms->d.signedData; +} + +static CMS_SignedData * +cms_signed_data_init(CMS_ContentInfo *cms) +{ + if (cms->d.other == NULL) { + cms->d.signedData = (CMS_SignedData *)ASN1_item_new(&CMS_SignedData_it); + if (!cms->d.signedData) { + CMSerror(ERR_R_MALLOC_FAILURE); + return NULL; + } + cms->d.signedData->version = 1; + cms->d.signedData->encapContentInfo->eContentType = + OBJ_nid2obj(NID_pkcs7_data); + cms->d.signedData->encapContentInfo->partial = 1; + ASN1_OBJECT_free(cms->contentType); + cms->contentType = OBJ_nid2obj(NID_pkcs7_signed); + return cms->d.signedData; + } + return cms_get0_signed(cms); +} + +/* Just initialise SignedData e.g. 
for certs only structure */ + +int +CMS_SignedData_init(CMS_ContentInfo *cms) +{ + if (cms_signed_data_init(cms)) + return 1; + else + return 0; +} + +/* Check structures and fixup version numbers (if necessary) */ + +static void +cms_sd_set_version(CMS_SignedData *sd) +{ + int i; + CMS_CertificateChoices *cch; + CMS_RevocationInfoChoice *rch; + CMS_SignerInfo *si; + + for (i = 0; i < sk_CMS_CertificateChoices_num(sd->certificates); i++) { + cch = sk_CMS_CertificateChoices_value(sd->certificates, i); + if (cch->type == CMS_CERTCHOICE_OTHER) { + if (sd->version < 5) + sd->version = 5; + } else if (cch->type == CMS_CERTCHOICE_V2ACERT) { + if (sd->version < 4) + sd->version = 4; + } else if (cch->type == CMS_CERTCHOICE_V1ACERT) { + if (sd->version < 3) + sd->version = 3; + } + } + + for (i = 0; i < sk_CMS_RevocationInfoChoice_num(sd->crls); i++) { + rch = sk_CMS_RevocationInfoChoice_value(sd->crls, i); + if (rch->type == CMS_REVCHOICE_OTHER) { + if (sd->version < 5) + sd->version = 5; + } + } + + if ((OBJ_obj2nid(sd->encapContentInfo->eContentType) != NID_pkcs7_data) + && (sd->version < 3)) + sd->version = 3; + + for (i = 0; i < sk_CMS_SignerInfo_num(sd->signerInfos); i++) { + si = sk_CMS_SignerInfo_value(sd->signerInfos, i); + if (si->sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) { + if (si->version < 3) + si->version = 3; + if (sd->version < 3) + sd->version = 3; + } else if (si->version < 1) + si->version = 1; + } + + if (sd->version < 1) + sd->version = 1; +} + +/* Copy an existing messageDigest value */ + +static int +cms_copy_messageDigest(CMS_ContentInfo *cms, CMS_SignerInfo *si) +{ + STACK_OF(CMS_SignerInfo) *sinfos; + CMS_SignerInfo *sitmp; + int i; + + sinfos = CMS_get0_SignerInfos(cms); + for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { + ASN1_OCTET_STRING *messageDigest; + sitmp = sk_CMS_SignerInfo_value(sinfos, i); + if (sitmp == si) + continue; + if (CMS_signed_get_attr_count(sitmp) < 0) + continue; + if (OBJ_cmp(si->digestAlgorithm->algorithm, + 
sitmp->digestAlgorithm->algorithm)) + continue; + messageDigest = CMS_signed_get0_data_by_OBJ(sitmp, + OBJ_nid2obj(NID_pkcs9_messageDigest), -3, V_ASN1_OCTET_STRING); + if (!messageDigest) { + CMSerror(CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE); + return 0; + } + + if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_messageDigest, + V_ASN1_OCTET_STRING, messageDigest, -1)) + return 1; + else + return 0; + } + + CMSerror(CMS_R_NO_MATCHING_DIGEST); + + return 0; +} + +int +cms_set1_SignerIdentifier(CMS_SignerIdentifier *sid, X509 *cert, int type) +{ + switch (type) { + case CMS_SIGNERINFO_ISSUER_SERIAL: + if (!cms_set1_ias(&sid->d.issuerAndSerialNumber, cert)) + return 0; + break; + + case CMS_SIGNERINFO_KEYIDENTIFIER: + if (!cms_set1_keyid(&sid->d.subjectKeyIdentifier, cert)) + return 0; + break; + + default: + CMSerror(CMS_R_UNKNOWN_ID); + return 0; + } + + sid->type = type; + + return 1; +} + +int +cms_SignerIdentifier_get0_signer_id(CMS_SignerIdentifier *sid, + ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno) +{ + if (sid->type == CMS_SIGNERINFO_ISSUER_SERIAL) { + if (issuer) + *issuer = sid->d.issuerAndSerialNumber->issuer; + if (sno) + *sno = sid->d.issuerAndSerialNumber->serialNumber; + } else if (sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) { + if (keyid) + *keyid = sid->d.subjectKeyIdentifier; + } else + return 0; + + return 1; +} + +int +cms_SignerIdentifier_cert_cmp(CMS_SignerIdentifier *sid, X509 *cert) +{ + if (sid->type == CMS_SIGNERINFO_ISSUER_SERIAL) + return cms_ias_cert_cmp(sid->d.issuerAndSerialNumber, cert); + else if (sid->type == CMS_SIGNERINFO_KEYIDENTIFIER) + return cms_keyid_cert_cmp(sid->d.subjectKeyIdentifier, cert); + else + return -1; +} + +static int +cms_sd_asn1_ctrl(CMS_SignerInfo *si, int cmd) +{ + EVP_PKEY *pkey = si->pkey; + int i; + + if (!pkey->ameth || !pkey->ameth->pkey_ctrl) + return 1; + i = pkey->ameth->pkey_ctrl(pkey, ASN1_PKEY_CTRL_CMS_SIGN, cmd, si); + if (i == -2) { + 
CMSerror(CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); + return 0; + } + if (i <= 0) { + CMSerror(CMS_R_CTRL_FAILURE); + return 0; + } + + return 1; +} + +CMS_SignerInfo * +CMS_add1_signer(CMS_ContentInfo *cms, X509 *signer, EVP_PKEY *pk, + const EVP_MD *md, unsigned int flags) +{ + CMS_SignedData *sd; + CMS_SignerInfo *si = NULL; + X509_ALGOR *alg; + int i, type; + + if (!X509_check_private_key(signer, pk)) { + CMSerror(CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE); + return NULL; + } + sd = cms_signed_data_init(cms); + if (!sd) + goto err; + si = (CMS_SignerInfo *)ASN1_item_new(&CMS_SignerInfo_it); + if (!si) + goto merr; + /* Call for side-effect of computing hash and caching extensions */ + X509_check_purpose(signer, -1, -1); + + X509_up_ref(signer); + EVP_PKEY_up_ref(pk); + + si->pkey = pk; + si->signer = signer; + si->mctx = EVP_MD_CTX_new(); + si->pctx = NULL; + + if (si->mctx == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + + if (flags & CMS_USE_KEYID) { + si->version = 3; + if (sd->version < 3) + sd->version = 3; + type = CMS_SIGNERINFO_KEYIDENTIFIER; + } else { + type = CMS_SIGNERINFO_ISSUER_SERIAL; + si->version = 1; + } + + if (!cms_set1_SignerIdentifier(si->sid, signer, type)) + goto err; + + if (md == NULL) { + int def_nid; + if (EVP_PKEY_get_default_digest_nid(pk, &def_nid) <= 0) + goto err; + md = EVP_get_digestbynid(def_nid); + if (md == NULL) { + CMSerror(CMS_R_NO_DEFAULT_DIGEST); + goto err; + } + } + + if (!md) { + CMSerror(CMS_R_NO_DIGEST_SET); + goto err; + } + + X509_ALGOR_set_md(si->digestAlgorithm, md); + + /* See if digest is present in digestAlgorithms */ + for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) { + const ASN1_OBJECT *aoid; + alg = sk_X509_ALGOR_value(sd->digestAlgorithms, i); + X509_ALGOR_get0(&aoid, NULL, NULL, alg); + if (OBJ_obj2nid(aoid) == EVP_MD_type(md)) + break; + } + + if (i == sk_X509_ALGOR_num(sd->digestAlgorithms)) { + alg = X509_ALGOR_new(); + if (alg == NULL) + goto merr; + 
X509_ALGOR_set_md(alg, md); + if (!sk_X509_ALGOR_push(sd->digestAlgorithms, alg)) { + X509_ALGOR_free(alg); + goto merr; + } + } + + if (!(flags & CMS_KEY_PARAM) && !cms_sd_asn1_ctrl(si, 0)) + goto err; + if (!(flags & CMS_NOATTR)) { + /* + * Initialize signed attributes structure so other attributes + * such as signing time etc are added later even if we add none here. + */ + if (!si->signedAttrs) { + si->signedAttrs = sk_X509_ATTRIBUTE_new_null(); + if (!si->signedAttrs) + goto merr; + } + + if (!(flags & CMS_NOSMIMECAP)) { + STACK_OF(X509_ALGOR) *smcap = NULL; + + i = CMS_add_standard_smimecap(&smcap); + if (i) + i = CMS_add_smimecap(si, smcap); + sk_X509_ALGOR_pop_free(smcap, X509_ALGOR_free); + if (!i) + goto merr; + } + if (flags & CMS_REUSE_DIGEST) { + if (!cms_copy_messageDigest(cms, si)) + goto err; + if (!(flags & (CMS_PARTIAL | CMS_KEY_PARAM)) && + !CMS_SignerInfo_sign(si)) + goto err; + } + } + + if (!(flags & CMS_NOCERTS)) { + /* NB ignore -1 return for duplicate cert */ + if (!CMS_add1_cert(cms, signer)) + goto merr; + } + + if (flags & CMS_KEY_PARAM) { + if (flags & CMS_NOATTR) { + si->pctx = EVP_PKEY_CTX_new(si->pkey, NULL); + if (si->pctx == NULL) + goto err; + if (EVP_PKEY_sign_init(si->pctx) <= 0) + goto err; + if (EVP_PKEY_CTX_set_signature_md(si->pctx, md) <= 0) + goto err; + } else if (EVP_DigestSignInit(si->mctx, &si->pctx, md, + NULL, pk) <= 0) + goto err; + } + + if (!sd->signerInfos) + sd->signerInfos = sk_CMS_SignerInfo_new_null(); + if (!sd->signerInfos || !sk_CMS_SignerInfo_push(sd->signerInfos, si)) + goto merr; + + return si; + + merr: + CMSerror(ERR_R_MALLOC_FAILURE); + err: + ASN1_item_free((ASN1_VALUE *)si, &CMS_SignerInfo_it); + + return NULL; +} + +static int +cms_add1_signingTime(CMS_SignerInfo *si, ASN1_TIME *t) +{ + ASN1_TIME *tt; + int r = 0; + + if (t) + tt = t; + else + tt = X509_gmtime_adj(NULL, 0); + + if (!tt) + goto merr; + + if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_signingTime, + tt->type, tt, -1) <= 0) + goto 
merr; + + r = 1; + + merr: + if (!t) + ASN1_TIME_free(tt); + if (!r) + CMSerror(ERR_R_MALLOC_FAILURE); + + return r; +} + +EVP_PKEY_CTX * +CMS_SignerInfo_get0_pkey_ctx(CMS_SignerInfo *si) +{ + return si->pctx; +} + +EVP_MD_CTX * +CMS_SignerInfo_get0_md_ctx(CMS_SignerInfo *si) +{ + return si->mctx; +} + +STACK_OF(CMS_SignerInfo) * +CMS_get0_SignerInfos(CMS_ContentInfo *cms) +{ + CMS_SignedData *sd; + + sd = cms_get0_signed(cms); + if (!sd) + return NULL; + + return sd->signerInfos; +} + +STACK_OF(X509) * +CMS_get0_signers(CMS_ContentInfo *cms) +{ + STACK_OF(X509) *signers = NULL; + STACK_OF(CMS_SignerInfo) *sinfos; + CMS_SignerInfo *si; + int i; + + sinfos = CMS_get0_SignerInfos(cms); + for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { + si = sk_CMS_SignerInfo_value(sinfos, i); + if (si->signer) { + if (!signers) { + signers = sk_X509_new_null(); + if (!signers) + return NULL; + } + if (!sk_X509_push(signers, si->signer)) { + sk_X509_free(signers); + return NULL; + } + } + } + + return signers; +} + +void +CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer) +{ + if (signer) { + X509_up_ref(signer); + EVP_PKEY_free(si->pkey); + si->pkey = X509_get_pubkey(signer); + } + X509_free(si->signer); + si->signer = signer; +} + +int +CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si, ASN1_OCTET_STRING **keyid, + X509_NAME **issuer, ASN1_INTEGER **sno) +{ + return cms_SignerIdentifier_get0_signer_id(si->sid, keyid, issuer, sno); +} + +int +CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert) +{ + return cms_SignerIdentifier_cert_cmp(si->sid, cert); +} + +int +CMS_set1_signers_certs(CMS_ContentInfo *cms, STACK_OF(X509) *scerts, + unsigned int flags) +{ + CMS_SignedData *sd; + CMS_SignerInfo *si; + CMS_CertificateChoices *cch; + STACK_OF(CMS_CertificateChoices) *certs; + X509 *x; + int i, j; + int ret = 0; + + sd = cms_get0_signed(cms); + if (!sd) + return -1; + certs = sd->certificates; + for (i = 0; i < sk_CMS_SignerInfo_num(sd->signerInfos); i++) { + si = 
sk_CMS_SignerInfo_value(sd->signerInfos, i); + if (si->signer) + continue; + + for (j = 0; j < sk_X509_num(scerts); j++) { + x = sk_X509_value(scerts, j); + if (CMS_SignerInfo_cert_cmp(si, x) == 0) { + CMS_SignerInfo_set1_signer_cert(si, x); + ret++; + break; + } + } + + if (si->signer || (flags & CMS_NOINTERN)) + continue; + + for (j = 0; j < sk_CMS_CertificateChoices_num(certs); j++) { + cch = sk_CMS_CertificateChoices_value(certs, j); + if (cch->type != 0) + continue; + x = cch->d.certificate; + if (CMS_SignerInfo_cert_cmp(si, x) == 0) { + CMS_SignerInfo_set1_signer_cert(si, x); + ret++; + break; + } + } + } + return ret; +} + +void +CMS_SignerInfo_get0_algs(CMS_SignerInfo *si, EVP_PKEY **pk, X509 **signer, +X509_ALGOR **pdig, X509_ALGOR **psig) +{ + if (pk) + *pk = si->pkey; + if (signer) + *signer = si->signer; + if (pdig) + *pdig = si->digestAlgorithm; + if (psig) + *psig = si->signatureAlgorithm; +} + +ASN1_OCTET_STRING * +CMS_SignerInfo_get0_signature(CMS_SignerInfo *si) +{ + return si->signature; +} + +static int +cms_SignerInfo_content_sign(CMS_ContentInfo *cms, CMS_SignerInfo *si, BIO *chain) +{ + EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + int r = 0; + EVP_PKEY_CTX *pctx = NULL; + + if (mctx == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + return 0; + } + + if (!si->pkey) { + CMSerror(CMS_R_NO_PRIVATE_KEY); + goto err; + } + + if (!cms_DigestAlgorithm_find_ctx(mctx, chain, si->digestAlgorithm)) + goto err; + /* Set SignerInfo algorithm details if we used custom parameter */ + if (si->pctx && !cms_sd_asn1_ctrl(si, 0)) + goto err; + + /* + * If any signed attributes calculate and add messageDigest attribute + */ + + if (CMS_signed_get_attr_count(si) >= 0) { + ASN1_OBJECT *ctype = + cms->d.signedData->encapContentInfo->eContentType; + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int mdlen; + + if (!EVP_DigestFinal_ex(mctx, md, &mdlen)) + goto err; + if (!CMS_signed_add1_attr_by_NID(si, NID_pkcs9_messageDigest, + V_ASN1_OCTET_STRING, md, mdlen)) + goto err; + /* 
Copy content type across */ + if (CMS_signed_add1_attr_by_NID(si, NID_pkcs9_contentType, + V_ASN1_OBJECT, ctype, -1) <= 0) + goto err; + if (!CMS_SignerInfo_sign(si)) + goto err; + } else if (si->pctx) { + unsigned char *sig; + size_t siglen; + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int mdlen; + + pctx = si->pctx; + if (!EVP_DigestFinal_ex(mctx, md, &mdlen)) + goto err; + siglen = EVP_PKEY_size(si->pkey); + sig = malloc(siglen); + if (sig == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + if (EVP_PKEY_sign(pctx, sig, &siglen, md, mdlen) <= 0) { + free(sig); + goto err; + } + ASN1_STRING_set0(si->signature, sig, siglen); + } else { + unsigned char *sig; + unsigned int siglen; + + sig = malloc(EVP_PKEY_size(si->pkey)); + if (sig == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + if (!EVP_SignFinal(mctx, sig, &siglen, si->pkey)) { + CMSerror(CMS_R_SIGNFINAL_ERROR); + free(sig); + goto err; + } + ASN1_STRING_set0(si->signature, sig, siglen); + } + + r = 1; + + err: + EVP_MD_CTX_free(mctx); + EVP_PKEY_CTX_free(pctx); + + return r; +} + +int +cms_SignedData_final(CMS_ContentInfo *cms, BIO *chain) +{ + STACK_OF(CMS_SignerInfo) *sinfos; + CMS_SignerInfo *si; + int i; + + sinfos = CMS_get0_SignerInfos(cms); + for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { + si = sk_CMS_SignerInfo_value(sinfos, i); + if (!cms_SignerInfo_content_sign(cms, si, chain)) + return 0; + } + cms->d.signedData->encapContentInfo->partial = 0; + + return 1; +} + +int +CMS_SignerInfo_sign(CMS_SignerInfo *si) +{ + EVP_MD_CTX *mctx = si->mctx; + EVP_PKEY_CTX *pctx = NULL; + unsigned char *abuf = NULL; + int alen; + size_t siglen; + const EVP_MD *md = NULL; + + md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm); + if (md == NULL) + return 0; + + if (CMS_signed_get_attr_by_NID(si, NID_pkcs9_signingTime, -1) < 0) { + if (!cms_add1_signingTime(si, NULL)) + goto err; + } + + if (si->pctx) + pctx = si->pctx; + else { + EVP_MD_CTX_reset(mctx); + if 
(EVP_DigestSignInit(mctx, &pctx, md, NULL, si->pkey) <= 0) + goto err; + si->pctx = pctx; + } + + if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, + EVP_PKEY_CTRL_CMS_SIGN, 0, si) <= 0) { + CMSerror(CMS_R_CTRL_ERROR); + goto err; + } + + alen = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &abuf, + &CMS_Attributes_Sign_it); + if (!abuf) + goto err; + if (EVP_DigestSignUpdate(mctx, abuf, alen) <= 0) + goto err; + if (EVP_DigestSignFinal(mctx, NULL, &siglen) <= 0) + goto err; + free(abuf); + abuf = malloc(siglen); + if (abuf == NULL) + goto err; + if (EVP_DigestSignFinal(mctx, abuf, &siglen) <= 0) + goto err; + + if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, + EVP_PKEY_CTRL_CMS_SIGN, 1, si) <= 0) { + CMSerror(CMS_R_CTRL_ERROR); + goto err; + } + + EVP_MD_CTX_reset(mctx); + + ASN1_STRING_set0(si->signature, abuf, siglen); + + return 1; + + err: + free(abuf); + EVP_MD_CTX_reset(mctx); + + return 0; +} + +int +CMS_SignerInfo_verify(CMS_SignerInfo *si) +{ + EVP_MD_CTX *mctx = NULL; + unsigned char *abuf = NULL; + int alen, r = -1; + const EVP_MD *md = NULL; + + if (!si->pkey) { + CMSerror(CMS_R_NO_PUBLIC_KEY); + return -1; + } + + md = EVP_get_digestbyobj(si->digestAlgorithm->algorithm); + if (md == NULL) + return -1; + if (si->mctx == NULL && (si->mctx = EVP_MD_CTX_new()) == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + return -1; + } + mctx = si->mctx; + if (EVP_DigestVerifyInit(mctx, &si->pctx, md, NULL, si->pkey) <= 0) + goto err; + + if (!cms_sd_asn1_ctrl(si, 1)) + goto err; + + alen = ASN1_item_i2d((ASN1_VALUE *)si->signedAttrs, &abuf, + &CMS_Attributes_Verify_it); + if (!abuf) + goto err; + r = EVP_DigestVerifyUpdate(mctx, abuf, alen); + free(abuf); + if (r <= 0) { + r = -1; + goto err; + } + + r = EVP_DigestVerifyFinal(mctx, si->signature->data, + si->signature->length); + if (r <= 0) + CMSerror(CMS_R_VERIFICATION_FAILURE); + + err: + EVP_MD_CTX_reset(mctx); + + return r; +} + +/* Create a chain of digest BIOs from a CMS ContentInfo */ + +BIO * 
+cms_SignedData_init_bio(CMS_ContentInfo *cms) +{ + int i; + CMS_SignedData *sd; + BIO *chain = NULL; + + sd = cms_get0_signed(cms); + if (!sd) + return NULL; + if (cms->d.signedData->encapContentInfo->partial) + cms_sd_set_version(sd); + for (i = 0; i < sk_X509_ALGOR_num(sd->digestAlgorithms); i++) { + X509_ALGOR *digestAlgorithm; + BIO *mdbio; + digestAlgorithm = sk_X509_ALGOR_value(sd->digestAlgorithms, i); + mdbio = cms_DigestAlgorithm_init_bio(digestAlgorithm); + if (!mdbio) + goto err; + if (chain) + BIO_push(chain, mdbio); + else + chain = mdbio; + } + + return chain; + + err: + BIO_free_all(chain); + + return NULL; +} + +int +CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain) +{ + ASN1_OCTET_STRING *os = NULL; + EVP_MD_CTX *mctx = EVP_MD_CTX_new(); + EVP_PKEY_CTX *pkctx = NULL; + int r = -1; + unsigned char mval[EVP_MAX_MD_SIZE]; + unsigned int mlen; + + if (mctx == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + /* If we have any signed attributes look for messageDigest value */ + if (CMS_signed_get_attr_count(si) >= 0) { + os = CMS_signed_get0_data_by_OBJ(si, + OBJ_nid2obj(NID_pkcs9_messageDigest), -3, + V_ASN1_OCTET_STRING); + if (!os) { + CMSerror(CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE); + goto err; + } + } + + if (!cms_DigestAlgorithm_find_ctx(mctx, chain, si->digestAlgorithm)) + goto err; + + if (EVP_DigestFinal_ex(mctx, mval, &mlen) <= 0) { + CMSerror(CMS_R_UNABLE_TO_FINALIZE_CONTEXT); + goto err; + } + + /* If messageDigest found compare it */ + + if (os) { + if (mlen != (unsigned int)os->length) { + CMSerror(CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH); + goto err; + } + + if (memcmp(mval, os->data, mlen)) { + CMSerror(CMS_R_VERIFICATION_FAILURE); + r = 0; + } else + r = 1; + } else { + const EVP_MD *md = EVP_MD_CTX_md(mctx); + + pkctx = EVP_PKEY_CTX_new(si->pkey, NULL); + if (pkctx == NULL) + goto err; + if (EVP_PKEY_verify_init(pkctx) <= 0) + goto err; + if (EVP_PKEY_CTX_set_signature_md(pkctx, md) <= 0) + goto err; + 
si->pctx = pkctx; + if (!cms_sd_asn1_ctrl(si, 1)) + goto err; + r = EVP_PKEY_verify(pkctx, si->signature->data, + si->signature->length, mval, mlen); + if (r <= 0) { + CMSerror(CMS_R_VERIFICATION_FAILURE); + r = 0; + } + } + + err: + EVP_PKEY_CTX_free(pkctx); + EVP_MD_CTX_free(mctx); + + return r; +} + +int +CMS_add_smimecap(CMS_SignerInfo *si, STACK_OF(X509_ALGOR) *algs) +{ + unsigned char *smder = NULL; + int smderlen, r; + + smderlen = i2d_X509_ALGORS(algs, &smder); + if (smderlen <= 0) + return 0; + r = CMS_signed_add1_attr_by_NID(si, NID_SMIMECapabilities, + V_ASN1_SEQUENCE, smder, smderlen); + free(smder); + + return r; +} + +int +CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **algs, int algnid, int keysize) +{ + X509_ALGOR *alg; + ASN1_INTEGER *key = NULL; + + if (keysize > 0) { + key = ASN1_INTEGER_new(); + if (key == NULL || !ASN1_INTEGER_set(key, keysize)) + return 0; + } + alg = X509_ALGOR_new(); + if (alg == NULL) { + ASN1_INTEGER_free(key); + return 0; + } + + X509_ALGOR_set0(alg, OBJ_nid2obj(algnid), + key ? 
V_ASN1_INTEGER : V_ASN1_UNDEF, key); + if (*algs == NULL) + *algs = sk_X509_ALGOR_new_null(); + if (*algs == NULL || !sk_X509_ALGOR_push(*algs, alg)) { + X509_ALGOR_free(alg); + return 0; + } + + return 1; +} + +/* Check to see if a cipher exists and if so add S/MIME capabilities */ + +static int +cms_add_cipher_smcap(STACK_OF(X509_ALGOR) **sk, int nid, int arg) +{ + if (EVP_get_cipherbynid(nid)) + return CMS_add_simple_smimecap(sk, nid, arg); + return 1; +} + +static int +cms_add_digest_smcap(STACK_OF(X509_ALGOR) **sk, int nid, int arg) +{ + if (EVP_get_digestbynid(nid)) + return CMS_add_simple_smimecap(sk, nid, arg); + return 1; +} + +int +CMS_add_standard_smimecap(STACK_OF(X509_ALGOR) **smcap) +{ + if (!cms_add_cipher_smcap(smcap, NID_aes_256_cbc, -1) || + !cms_add_digest_smcap(smcap, NID_id_GostR3411_94, -1) || + !cms_add_cipher_smcap(smcap, NID_id_Gost28147_89, -1) || + !cms_add_cipher_smcap(smcap, NID_aes_192_cbc, -1) || + !cms_add_cipher_smcap(smcap, NID_aes_128_cbc, -1) || + !cms_add_cipher_smcap(smcap, NID_des_ede3_cbc, -1) || + !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 128) || + !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 64) || + !cms_add_cipher_smcap(smcap, NID_des_cbc, -1) || + !cms_add_cipher_smcap(smcap, NID_rc2_cbc, 40)) + return 0; + + return 1; +} diff --git a/crypto/cms/cms_smime.c b/crypto/cms/cms_smime.c new file mode 100644 index 0000000..367810f --- /dev/null +++ b/crypto/cms/cms_smime.c 
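Review bot: CMS_SignerInfo_verify_content leaves si->pctx dangling: it stores the freshly created pkctx in `si->pctx` so cms_sd_asn1_ctrl can reach it, then unconditionally frees pkctx at `err` without clearing the field. Anything that later reads that pointer — CMS_SignerInfo_get0_pkey_ctx, or CMS_SignerInfo_sign, which uses a non-NULL si->pctx in preference to creating one — would operate on freed memory. Clearing it on the way out, `if (si->pctx == pkctx) si->pctx = NULL;` immediately before `EVP_PKEY_CTX_free(pkctx);`, keeps the ctrl hook working and removes the hazard. The same pattern appears in cms_SignerInfo_content_sign, where `pctx = si->pctx` is freed at its `err` label while si->pctx still points at it; it presumably deserves the same treatment.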
@@ -0,0 +1,934 @@ +/* $OpenBSD: cms_smime.c,v 1.24 2019/10/04 18:03:56 tb Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include "cryptlib.h" +#include +#include +#include +#include +#include +#include "cms_lcl.h" +#include "asn1/asn1_locl.h" + +static BIO * +cms_get_text_bio(BIO *out, unsigned int flags) +{ + BIO *rbio; + + if (out == NULL) + rbio = BIO_new(BIO_s_null()); + else if (flags & CMS_TEXT) { + rbio = BIO_new(BIO_s_mem()); + BIO_set_mem_eof_return(rbio, 0); + } else + rbio = out; + + return rbio; +} + +static int +cms_copy_content(BIO *out, BIO *in, unsigned int flags) +{ + unsigned char buf[4096]; + int r = 0, i; + BIO *tmpout; + + tmpout = cms_get_text_bio(out, flags); + + if (tmpout == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + + /* Read all content through chain to process digest, decrypt etc */ + for (;;) { + i = BIO_read(in, buf, sizeof(buf)); + if (i <= 0) { + if (BIO_method_type(in) == BIO_TYPE_CIPHER) { + if (!BIO_get_cipher_status(in)) + goto err; + } + if (i < 0) + goto err; + break; + } + + if (tmpout && (BIO_write(tmpout, buf, i) != i)) + goto err; + } + + if (flags & CMS_TEXT) { + if (!SMIME_text(tmpout, out)) { + CMSerror(CMS_R_SMIME_TEXT_ERROR); + goto err; + } + } + + r = 1; + + err: + if (tmpout != out) + BIO_free(tmpout); + + return r; +} + +static int +check_content(CMS_ContentInfo *cms) +{ + ASN1_OCTET_STRING **pos = CMS_get0_content(cms); + + if (!pos || !*pos) { + CMSerror(CMS_R_NO_CONTENT); + return 0; + } + + 
return 1; +} + +static void +do_free_upto(BIO *f, BIO *upto) +{ + if (upto) { + BIO *tbio; + do { + tbio = BIO_pop(f); + BIO_free(f); + f = tbio; + } + while (f && f != upto); + } else + BIO_free_all(f); +} + +int +CMS_data(CMS_ContentInfo *cms, BIO *out, unsigned int flags) +{ + BIO *cont; + int r; + + if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_data) { + CMSerror(CMS_R_TYPE_NOT_DATA); + return 0; + } + cont = CMS_dataInit(cms, NULL); + if (!cont) + return 0; + r = cms_copy_content(out, cont, flags); + BIO_free_all(cont); + + return r; +} + +CMS_ContentInfo * +CMS_data_create(BIO *in, unsigned int flags) +{ + CMS_ContentInfo *cms; + + cms = cms_Data_create(); + if (!cms) + return NULL; + + if ((flags & CMS_STREAM) || CMS_final(cms, in, NULL, flags)) + return cms; + + CMS_ContentInfo_free(cms); + + return NULL; +} + +int +CMS_digest_verify(CMS_ContentInfo *cms, BIO *dcont, BIO *out, unsigned int flags) +{ + BIO *cont; + int r; + + if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_digest) { + CMSerror(CMS_R_TYPE_NOT_DIGESTED_DATA); + return 0; + } + + if (!dcont && !check_content(cms)) + return 0; + + cont = CMS_dataInit(cms, dcont); + if (!cont) + return 0; + r = cms_copy_content(out, cont, flags); + if (r) + r = cms_DigestedData_do_final(cms, cont, 1); + do_free_upto(cont, dcont); + + return r; +} + +CMS_ContentInfo * +CMS_digest_create(BIO *in, const EVP_MD *md, unsigned int flags) +{ + CMS_ContentInfo *cms; + + if (!md) + md = EVP_sha1(); + cms = cms_DigestedData_create(md); + if (!cms) + return NULL; + + if (!(flags & CMS_DETACHED)) + CMS_set_detached(cms, 0); + + if ((flags & CMS_STREAM) || CMS_final(cms, in, NULL, flags)) + return cms; + + CMS_ContentInfo_free(cms); + + return NULL; +} + +int +CMS_EncryptedData_decrypt(CMS_ContentInfo *cms, const unsigned char *key, + size_t keylen, BIO *dcont, BIO *out, unsigned int flags) +{ + BIO *cont; + int r; + + if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_encrypted) { + CMSerror(CMS_R_TYPE_NOT_ENCRYPTED_DATA); 
+ return 0; + } + + if (!dcont && !check_content(cms)) + return 0; + + if (CMS_EncryptedData_set1_key(cms, NULL, key, keylen) <= 0) + return 0; + cont = CMS_dataInit(cms, dcont); + if (!cont) + return 0; + r = cms_copy_content(out, cont, flags); + do_free_upto(cont, dcont); + + return r; +} + +CMS_ContentInfo * +CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher, + const unsigned char *key, size_t keylen, unsigned int flags) +{ + CMS_ContentInfo *cms; + + if (!cipher) { + CMSerror(CMS_R_NO_CIPHER); + return NULL; + } + cms = CMS_ContentInfo_new(); + if (cms == NULL) + return NULL; + if (!CMS_EncryptedData_set1_key(cms, cipher, key, keylen)) + return NULL; + + if (!(flags & CMS_DETACHED)) + CMS_set_detached(cms, 0); + + if ((flags & (CMS_STREAM | CMS_PARTIAL)) || + CMS_final(cms, in, NULL, flags)) + return cms; + + CMS_ContentInfo_free(cms); + + return NULL; +} + +static int +cms_signerinfo_verify_cert(CMS_SignerInfo *si, X509_STORE *store, + STACK_OF(X509) *certs, STACK_OF(X509_CRL) *crls) +{ + X509_STORE_CTX *ctx = X509_STORE_CTX_new(); + X509 *signer; + int i, j, r = 0; + + if (ctx == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + CMS_SignerInfo_get0_algs(si, NULL, &signer, NULL, NULL); + if (!X509_STORE_CTX_init(ctx, store, signer, certs)) { + CMSerror(CMS_R_STORE_INIT_ERROR); + goto err; + } + X509_STORE_CTX_set_default(ctx, "smime_sign"); + if (crls) + X509_STORE_CTX_set0_crls(ctx, crls); + + i = X509_verify_cert(ctx); + if (i <= 0) { + j = X509_STORE_CTX_get_error(ctx); + CMSerror(CMS_R_CERTIFICATE_VERIFY_ERROR); + ERR_asprintf_error_data("Verify error: %s", + X509_verify_cert_error_string(j)); + goto err; + } + r = 1; + + err: + X509_STORE_CTX_free(ctx); + + return r; +} + +int +CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, X509_STORE *store, + BIO *dcont, BIO *out, unsigned int flags) +{ + CMS_SignerInfo *si; + STACK_OF(CMS_SignerInfo) *sinfos; + STACK_OF(X509) *cms_certs = NULL; + STACK_OF(X509_CRL) *crls = NULL; + X509 
*signer; + int i, scount = 0, ret = 0; + BIO *cmsbio = NULL, *tmpin = NULL, *tmpout = NULL; + + if (!dcont && !check_content(cms)) + return 0; + if (dcont && !(flags & CMS_BINARY)) { + const ASN1_OBJECT *coid = CMS_get0_eContentType(cms); + if (OBJ_obj2nid(coid) == NID_id_ct_asciiTextWithCRLF) + flags |= CMS_ASCIICRLF; + } + + /* Attempt to find all signer certificates */ + + sinfos = CMS_get0_SignerInfos(cms); + if (sk_CMS_SignerInfo_num(sinfos) <= 0) { + CMSerror(CMS_R_NO_SIGNERS); + goto err; + } + + for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { + si = sk_CMS_SignerInfo_value(sinfos, i); + CMS_SignerInfo_get0_algs(si, NULL, &signer, NULL, NULL); + if (signer) + scount++; + } + + if (scount != sk_CMS_SignerInfo_num(sinfos)) + scount += CMS_set1_signers_certs(cms, certs, flags); + + if (scount != sk_CMS_SignerInfo_num(sinfos)) { + CMSerror(CMS_R_SIGNER_CERTIFICATE_NOT_FOUND); + goto err; + } + + /* Attempt to verify all signers certs */ + + if (!(flags & CMS_NO_SIGNER_CERT_VERIFY)) { + cms_certs = CMS_get1_certs(cms); + if (!(flags & CMS_NOCRL)) + crls = CMS_get1_crls(cms); + for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { + si = sk_CMS_SignerInfo_value(sinfos, i); + if (!cms_signerinfo_verify_cert(si, store, cms_certs, crls)) + goto err; + } + } + + /* Attempt to verify all SignerInfo signed attribute signatures */ + + if (!(flags & CMS_NO_ATTR_VERIFY)) { + for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { + si = sk_CMS_SignerInfo_value(sinfos, i); + if (CMS_signed_get_attr_count(si) < 0) + continue; + if (CMS_SignerInfo_verify(si) <= 0) + goto err; + } + } + + /* + * Performance optimization: if the content is a memory BIO then store + * its contents in a temporary read only memory BIO. This avoids + * potentially large numbers of slow copies of data which will occur when + * reading from a read write memory BIO when signatures are calculated. 
+ */ + + if (dcont && (BIO_method_type(dcont) == BIO_TYPE_MEM)) { + char *ptr; + long len; + + len = BIO_get_mem_data(dcont, &ptr); + tmpin = BIO_new_mem_buf(ptr, len); + if (tmpin == NULL) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err2; + } + } else + tmpin = dcont; + + /* + * If not binary mode and detached generate digests by *writing* through + * the BIO. That makes it possible to canonicalise the input. + */ + if (!(flags & SMIME_BINARY) && dcont) { + /* + * Create output BIO so we can either handle text or to ensure + * included content doesn't override detached content. + */ + tmpout = cms_get_text_bio(out, flags); + if (!tmpout) { + CMSerror(ERR_R_MALLOC_FAILURE); + goto err; + } + cmsbio = CMS_dataInit(cms, tmpout); + if (!cmsbio) + goto err; + /* + * Don't use SMIME_TEXT for verify: it adds headers and we want to + * remove them. + */ + SMIME_crlf_copy(dcont, cmsbio, flags & ~SMIME_TEXT); + + if (flags & CMS_TEXT) { + if (!SMIME_text(tmpout, out)) { + CMSerror(CMS_R_SMIME_TEXT_ERROR); + goto err; + } + } + } else { + cmsbio = CMS_dataInit(cms, tmpin); + if (!cmsbio) + goto err; + + if (!cms_copy_content(out, cmsbio, flags)) + goto err; + + } + if (!(flags & CMS_NO_CONTENT_VERIFY)) { + for (i = 0; i < sk_CMS_SignerInfo_num(sinfos); i++) { + si = sk_CMS_SignerInfo_value(sinfos, i); + if (CMS_SignerInfo_verify_content(si, cmsbio) <= 0) { + CMSerror(CMS_R_CONTENT_VERIFY_ERROR); + goto err; + } + } + } + + ret = 1; + + err: + if (!(flags & SMIME_BINARY) && dcont) { + do_free_upto(cmsbio, tmpout); + if (tmpin != dcont) + BIO_free(tmpin); + } else { + if (dcont && (tmpin == dcont)) + do_free_upto(cmsbio, dcont); + else + BIO_free_all(cmsbio); + } + + if (out != tmpout) + BIO_free_all(tmpout); + + err2: + sk_X509_pop_free(cms_certs, X509_free); + sk_X509_CRL_pop_free(crls, X509_CRL_free); + + return ret; +} + +int +CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms, + STACK_OF(X509) *certs, X509_STORE *store, unsigned int flags) +{ + int r; + + 
flags &= ~(CMS_DETACHED | CMS_TEXT); + r = CMS_verify(rcms, certs, store, NULL, NULL, flags); + if (r <= 0) + return r; + + return cms_Receipt_verify(rcms, ocms); +} + +CMS_ContentInfo * +CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, BIO *data, + unsigned int flags) +{ + CMS_ContentInfo *cms; + int i; + + cms = CMS_ContentInfo_new(); + if (cms == NULL || !CMS_SignedData_init(cms)) + goto merr; + if (flags & CMS_ASCIICRLF && + !CMS_set1_eContentType(cms, OBJ_nid2obj(NID_id_ct_asciiTextWithCRLF))) + goto err; + + if (pkey && !CMS_add1_signer(cms, signcert, pkey, NULL, flags)) { + CMSerror(CMS_R_ADD_SIGNER_ERROR); + goto err; + } + + for (i = 0; i < sk_X509_num(certs); i++) { + X509 *x = sk_X509_value(certs, i); + if (!CMS_add1_cert(cms, x)) + goto merr; + } + + if (!(flags & CMS_DETACHED)) + CMS_set_detached(cms, 0); + + if ((flags & (CMS_STREAM | CMS_PARTIAL)) || + CMS_final(cms, data, NULL, flags)) + return cms; + else + goto err; + + merr: + CMSerror(ERR_R_MALLOC_FAILURE); + + err: + CMS_ContentInfo_free(cms); + + return NULL; +} + +CMS_ContentInfo * +CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert, EVP_PKEY *pkey, + STACK_OF(X509) *certs, unsigned int flags) +{ + CMS_SignerInfo *rct_si; + CMS_ContentInfo *cms = NULL; + ASN1_OCTET_STRING **pos, *os; + BIO *rct_cont = NULL; + int r = 0; + + flags &= ~(CMS_STREAM | CMS_TEXT); + /* Not really detached but avoids content being allocated */ + flags |= CMS_PARTIAL | CMS_BINARY | CMS_DETACHED; + if (!pkey || !signcert) { + CMSerror(CMS_R_NO_KEY_OR_CERT); + return NULL; + } + + /* Initialize signed data */ + + cms = CMS_sign(NULL, NULL, certs, NULL, flags); + if (!cms) + goto err; + + /* Set inner content type to signed receipt */ + if (!CMS_set1_eContentType(cms, OBJ_nid2obj(NID_id_smime_ct_receipt))) + goto err; + + rct_si = CMS_add1_signer(cms, signcert, pkey, NULL, flags); + if (!rct_si) { + CMSerror(CMS_R_ADD_SIGNER_ERROR); + goto err; + } + + os = cms_encode_Receipt(si); + if (!os) + goto err; 
+ + /* Set content to digest */ + rct_cont = BIO_new_mem_buf(os->data, os->length); + if (!rct_cont) + goto err; + + /* Add msgSigDigest attribute */ + + if (!cms_msgSigDigest_add1(rct_si, si)) + goto err; + + /* Finalize structure */ + if (!CMS_final(cms, rct_cont, NULL, flags)) + goto err; + + /* Set embedded content */ + pos = CMS_get0_content(cms); + *pos = os; + + r = 1; + + err: + BIO_free(rct_cont); + if (r) + return cms; + CMS_ContentInfo_free(cms); + + return NULL; +} + +CMS_ContentInfo * +CMS_encrypt(STACK_OF(X509) *certs, BIO *data, const EVP_CIPHER *cipher, + unsigned int flags) +{ + CMS_ContentInfo *cms; + int i; + X509 *recip; + + cms = CMS_EnvelopedData_create(cipher); + if (!cms) + goto merr; + for (i = 0; i < sk_X509_num(certs); i++) { + recip = sk_X509_value(certs, i); + if (!CMS_add1_recipient_cert(cms, recip, flags)) { + CMSerror(CMS_R_RECIPIENT_ERROR); + goto err; + } + } + + if (!(flags & CMS_DETACHED)) + CMS_set_detached(cms, 0); + + if ((flags & (CMS_STREAM | CMS_PARTIAL)) || + CMS_final(cms, data, NULL, flags)) + return cms; + else + goto err; + + merr: + CMSerror(ERR_R_MALLOC_FAILURE); + err: + CMS_ContentInfo_free(cms); + + return NULL; +} + +static int +cms_kari_set1_pkey(CMS_ContentInfo *cms, CMS_RecipientInfo *ri, EVP_PKEY *pk, + X509 *cert) +{ + int i; + STACK_OF(CMS_RecipientEncryptedKey) *reks; + CMS_RecipientEncryptedKey *rek; + + reks = CMS_RecipientInfo_kari_get0_reks(ri); + for (i = 0; i < sk_CMS_RecipientEncryptedKey_num(reks); i++) { + int rv; + + rek = sk_CMS_RecipientEncryptedKey_value(reks, i); + if (cert != NULL && CMS_RecipientEncryptedKey_cert_cmp(rek, cert)) + continue; + CMS_RecipientInfo_kari_set0_pkey(ri, pk); + rv = CMS_RecipientInfo_kari_decrypt(cms, ri, rek); + CMS_RecipientInfo_kari_set0_pkey(ri, NULL); + if (rv > 0) + return 1; + return cert == NULL ? 
0 : -1; + } + + return 0; +} + +int +CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert) +{ + STACK_OF(CMS_RecipientInfo) *ris; + CMS_RecipientInfo *ri; + int i, r, ri_type; + int debug = 0, match_ri = 0; + + ris = CMS_get0_RecipientInfos(cms); + if (ris) + debug = cms->d.envelopedData->encryptedContentInfo->debug; + ri_type = cms_pkey_get_ri_type(pk); + if (ri_type == CMS_RECIPINFO_NONE) { + CMSerror(CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE); + return 0; + } + + for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) { + ri = sk_CMS_RecipientInfo_value(ris, i); + if (CMS_RecipientInfo_type(ri) != ri_type) + continue; + match_ri = 1; + if (ri_type == CMS_RECIPINFO_AGREE) { + r = cms_kari_set1_pkey(cms, ri, pk, cert); + if (r > 0) + return 1; + if (r < 0) + return 0; + } + /* + * If we have a cert try matching RecipientInfo otherwise try them + * all. + */ + else if (!cert || !CMS_RecipientInfo_ktri_cert_cmp(ri, cert)) { + EVP_PKEY_up_ref(pk); + CMS_RecipientInfo_set0_pkey(ri, pk); + r = CMS_RecipientInfo_decrypt(cms, ri); + CMS_RecipientInfo_set0_pkey(ri, NULL); + if (cert) { + /* + * If not debugging clear any error and return success to + * avoid leaking of information useful to MMA + */ + if (!debug) { + ERR_clear_error(); + return 1; + } + if (r > 0) + return 1; + CMSerror(CMS_R_DECRYPT_ERROR); + return 0; + } + /* + * If no cert and not debugging don't leave loop after first + * successful decrypt. Always attempt to decrypt all recipients + * to avoid leaking timing of a successful decrypt. 
+ */ + else if (r > 0 && debug) + return 1; + } + } + /* If no cert, key transport and not debugging always return success */ + if (cert == NULL && ri_type == CMS_RECIPINFO_TRANS && match_ri && !debug) { + ERR_clear_error(); + return 1; + } + + CMSerror(CMS_R_NO_MATCHING_RECIPIENT); + + return 0; +} + +int +CMS_decrypt_set1_key(CMS_ContentInfo *cms, unsigned char *key, size_t keylen, + const unsigned char *id, size_t idlen) +{ + STACK_OF(CMS_RecipientInfo) *ris; + CMS_RecipientInfo *ri; + int i, r; + + ris = CMS_get0_RecipientInfos(cms); + for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) { + ri = sk_CMS_RecipientInfo_value(ris, i); + if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_KEK) + continue; + + /* + * If we have an id try matching RecipientInfo otherwise try them + * all. + */ + if (!id || (CMS_RecipientInfo_kekri_id_cmp(ri, id, idlen) == 0)) { + CMS_RecipientInfo_set0_key(ri, key, keylen); + r = CMS_RecipientInfo_decrypt(cms, ri); + CMS_RecipientInfo_set0_key(ri, NULL, 0); + if (r > 0) + return 1; + if (id) { + CMSerror(CMS_R_DECRYPT_ERROR); + return 0; + } + ERR_clear_error(); + } + } + + CMSerror(CMS_R_NO_MATCHING_RECIPIENT); + + return 0; +} + +int +CMS_decrypt_set1_password(CMS_ContentInfo *cms, unsigned char *pass, + ssize_t passlen) +{ + STACK_OF(CMS_RecipientInfo) *ris; + CMS_RecipientInfo *ri; + int i, r; + + ris = CMS_get0_RecipientInfos(cms); + for (i = 0; i < sk_CMS_RecipientInfo_num(ris); i++) { + ri = sk_CMS_RecipientInfo_value(ris, i); + if (CMS_RecipientInfo_type(ri) != CMS_RECIPINFO_PASS) + continue; + CMS_RecipientInfo_set0_password(ri, pass, passlen); + r = CMS_RecipientInfo_decrypt(cms, ri); + CMS_RecipientInfo_set0_password(ri, NULL, 0); + if (r > 0) + return 1; + } + + CMSerror(CMS_R_NO_MATCHING_RECIPIENT); + + return 0; +} + +int +CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert, BIO *dcont, + BIO *out, unsigned int flags) +{ + int r; + BIO *cont; + + if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_pkcs7_enveloped) { + 
CMSerror(CMS_R_TYPE_NOT_ENVELOPED_DATA); + return 0; + } + if (!dcont && !check_content(cms)) + return 0; + if (flags & CMS_DEBUG_DECRYPT) + cms->d.envelopedData->encryptedContentInfo->debug = 1; + else + cms->d.envelopedData->encryptedContentInfo->debug = 0; + if (!cert) + cms->d.envelopedData->encryptedContentInfo->havenocert = 1; + else + cms->d.envelopedData->encryptedContentInfo->havenocert = 0; + if (!pk && !cert && !dcont && !out) + return 1; + if (pk && !CMS_decrypt_set1_pkey(cms, pk, cert)) + return 0; + cont = CMS_dataInit(cms, dcont); + if (!cont) + return 0; + r = cms_copy_content(out, cont, flags); + do_free_upto(cont, dcont); + + return r; +} + +int +CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, unsigned int flags) +{ + BIO *cmsbio; + int ret = 0; + + if ((cmsbio = CMS_dataInit(cms, dcont)) == NULL) { + CMSerror(CMS_R_CMS_LIB); + return 0; + } + + SMIME_crlf_copy(data, cmsbio, flags); + + (void)BIO_flush(cmsbio); + + if (!CMS_dataFinal(cms, cmsbio)) { + CMSerror(CMS_R_CMS_DATAFINAL_ERROR); + goto err; + } + + ret = 1; + + err: + do_free_upto(cmsbio, dcont); + + return ret; +} + +#ifdef ZLIB + +int +CMS_uncompress(CMS_ContentInfo *cms, BIO *dcont, BIO *out, unsigned int flags) +{ + BIO *cont; + int r; + + if (OBJ_obj2nid(CMS_get0_type(cms)) != NID_id_smime_ct_compressedData) { + CMSerror(CMS_R_TYPE_NOT_COMPRESSED_DATA); + return 0; + } + + if (!dcont && !check_content(cms)) + return 0; + + cont = CMS_dataInit(cms, dcont); + if (!cont) + return 0; + r = cms_copy_content(out, cont, flags); + do_free_upto(cont, dcont); + + return r; +} + +CMS_ContentInfo * +CMS_compress(BIO *in, int comp_nid, unsigned int flags) +{ + CMS_ContentInfo *cms; + + if (comp_nid <= 0) + comp_nid = NID_zlib_compression; + cms = cms_CompressedData_create(comp_nid); + if (!cms) + return NULL; + + if (!(flags & CMS_DETACHED)) + CMS_set_detached(cms, 0); + + if ((flags & CMS_STREAM) || CMS_final(cms, in, NULL, flags)) + return cms; + + CMS_ContentInfo_free(cms); + + return 
NULL;
+}
+
+#else
+
+int
+CMS_uncompress(CMS_ContentInfo *cms, BIO *dcont, BIO *out, unsigned int flags)
+{
+ CMSerror(CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
+ return 0;
+}
+
+CMS_ContentInfo *
+CMS_compress(BIO *in, int comp_nid, unsigned int flags)
+{
+ CMSerror(CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM);
+ return NULL;
+}
+
+#endif
diff --git a/crypto/compat/arc4random.c b/crypto/compat/arc4random.c
index b151f4d..2bb4dbf 100644
--- a/crypto/compat/arc4random.c
+++ b/crypto/compat/arc4random.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: arc4random.c,v 1.54 2015/09/13 08:31:47 guenther Exp $ */
+/* $OpenBSD: arc4random.c,v 1.55 2019/03/24 17:56:54 deraadt Exp $ */
 /*
  * Copyright (c) 1996, David Mazieres
@@ -75,7 +75,7 @@ _rs_init(u_char *buf, size_t n)
 if (rs == NULL) {
 if (_rs_allocate(&rs, &rsx) == -1)
- abort();
+ _exit(1);
 }
 chacha_keysetup(&rsx->rs_chacha, buf, KEYSZ * 8, 0);
diff --git a/crypto/compat/arc4random.h b/crypto/compat/arc4random.h
index 762aec2..ffa3239 100644
--- a/crypto/compat/arc4random.h
+++ b/crypto/compat/arc4random.h
@@ -15,6 +15,9 @@
 #elif defined(__linux__)
 #include "arc4random_linux.h"
+#elif defined(__midipix__)
+#include "arc4random_linux.h"
+
 #elif defined(__NetBSD__)
 #include "arc4random_netbsd.h"
diff --git a/crypto/compat/arc4random_linux.h b/crypto/compat/arc4random_linux.h
index 879f966..5e1cf34 100644
--- a/crypto/compat/arc4random_linux.h
+++ b/crypto/compat/arc4random_linux.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: arc4random_linux.h,v 1.11 2016/06/30 12:19:51 bcook Exp $ */
+/* $OpenBSD: arc4random_linux.h,v 1.12 2019/07/11 10:37:28 inoguchi Exp $ */
 /*
  * Copyright (c) 1996, David Mazieres
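Review bot: CMS_final, near the end of cms_smime.c, discards the result of `SMIME_crlf_copy(data, cmsbio, flags);`, so a read or write failure while canonicalising the input is never reported and CMS_dataFinal goes on to sign, digest or encrypt whatever fraction of the content got through; CMS_verify's detached-content path has the same unchecked `SMIME_crlf_copy(dcont, cmsbio, flags & ~SMIME_TEXT);`. Both should fail closed: `if (!SMIME_crlf_copy(data, cmsbio, flags)) goto err;` in CMS_final and `if (!SMIME_crlf_copy(dcont, cmsbio, flags & ~SMIME_TEXT)) goto err;` in CMS_verify, whose err label already unwinds cmsbio and tmpout. Two leaks in the same file: CMS_EncryptedData_encrypt returns NULL without freeing `cms` when CMS_EncryptedData_set1_key fails, and CMS_sign_receipt never frees `os` on any error between cms_encode_Receipt and `*pos = os;`. CMS_digest_create also silently substitutes `EVP_sha1()` for a NULL md; if that default has to stay for compatibility it deserves a comment saying so, otherwise a SHA-2 digest would be the safer choice for newly created DigestedData.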
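Review bot: The replacement of abort() by `_exit(1);` in _rs_init carries no explanation, and since abort() is the conventional response to an unrecoverable allocation failure a later reader may well revert it. A comment on the new line would settle the intent, e.g. `_exit(1); /* not abort(): avoid core dumps and atexit/signal handlers that may re-enter arc4random */` — the reasoning given there is my reading and should be checked against the upstream log before committing it. _rs_init begins outside the hunk.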
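Review bot: Routing `__midipix__` to arc4random_linux.h makes midipix inherit that header's fork-safety setup, which selects `__register_atfork` only when `__GLIBC__` is defined (next hunk); whether midipix defines that macro is not visible here, so which atfork path midipix actually takes should be confirmed. Recording the assumption on the new branch, e.g. `#elif defined(__midipix__) /* glibc-compatible: shares the Linux lock/atfork setup */`, would help the next person who touches the chain.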
@@ -32,7 +32,7 @@ static pthread_mutex_t arc4random_mtx = PTHREAD_MUTEX_INITIALIZER;
 #define _ARC4_LOCK() pthread_mutex_lock(&arc4random_mtx)
 #define _ARC4_UNLOCK() pthread_mutex_unlock(&arc4random_mtx)
-#ifdef __GLIBC__
+#if defined(__GLIBC__) && !(defined(__UCLIBC__) && !defined(__ARCH_USE_MMU__))
 extern void *__dso_handle;
 extern int __register_atfork(void (*)(void), void(*)(void), void (*)(void), void *);
 #define _ARC4_ATFORK(f) __register_atfork(NULL, NULL, (f), __dso_handle)
diff --git a/crypto/compat/arc4random_uniform.c b/crypto/compat/arc4random_uniform.c
index 2d22434..06cd29c 100644
--- a/crypto/compat/arc4random_uniform.c
+++ b/crypto/compat/arc4random_uniform.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: arc4random_uniform.c,v 1.2 2015/09/13 08:31:47 guenther Exp $ */
+/* $OpenBSD: arc4random_uniform.c,v 1.3 2019/01/20 02:59:07 bcook Exp $ */
 /*
  * Copyright (c) 2008, Damien Miller
@@ -16,7 +16,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
-#include
+#include
 #include
 /*
diff --git a/crypto/compat/crypto_lock_win.c b/crypto/compat/crypto_lock_win.c
new file mode 100644
index 0000000..b3b1858
--- /dev/null
+++ b/crypto/compat/crypto_lock_win.c
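Review bot: The new condition `#if defined(__GLIBC__) && !(defined(__UCLIBC__) && !defined(__ARCH_USE_MMU__))` is undocumented and takes a moment to decode: it keeps uClibc builds for MMU-less targets out of the `__register_atfork` branch. A comment above it stating the reason — presumably that uClibc without an MMU does not export `__register_atfork`/`__dso_handle`, which should be confirmed — would save the next reader the archaeology, and the negation reads more directly as `(!defined(__UCLIBC__) || defined(__ARCH_USE_MMU__))`. The #else branch this falls through to lies outside the hunk, so it is worth checking that the fallback it selects is fork-safe on those targets.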
@@ -0,0 +1,56 @@
+/* $OpenBSD: crypto_lock.c,v 1.1 2018/11/11 06:41:28 bcook Exp $ */
+/*
+ * Copyright (c) 2019 Brent Cook
+ * Copyright (c) 2019 John Norrbin
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+
+#include
+
+static volatile LPCRITICAL_SECTION locks[CRYPTO_NUM_LOCKS] = { NULL };
+
+void
+CRYPTO_lock(int mode, int type, const char *file, int line)
+{
+ if (type < 0 || type >= CRYPTO_NUM_LOCKS)
+ return;
+
+ if (locks[type] == NULL) {
+ LPCRITICAL_SECTION lcs = malloc(sizeof(CRITICAL_SECTION));
+ if (lcs == NULL) exit(ENOMEM);
+ InitializeCriticalSection(lcs);
+ if (InterlockedCompareExchangePointer((PVOID*)&locks[type], (PVOID)lcs, NULL) != NULL) {
+ DeleteCriticalSection(lcs);
+ free(lcs);
+ }
+ }
+
+ if (mode & CRYPTO_LOCK)
+ EnterCriticalSection(locks[type]);
+ else
+ LeaveCriticalSection(locks[type]);
+}
+
+int
+CRYPTO_add_lock(int *pointer, int amount, int type, const char *file,
+ int line)
+{
+ /*
+ * Windows is LLP64. sizeof(LONG) == sizeof(int) on 32-bit and 64-bit.
+ */
+ int ret = InterlockedExchangeAdd((LONG *)pointer, (LONG)amount);
+ return ret + amount;
+}
diff --git a/crypto/compat/getentropy_aix.c b/crypto/compat/getentropy_aix.c
index ff48ae7..422e685 100644
--- a/crypto/compat/getentropy_aix.c
+++ b/crypto/compat/getentropy_aix.c
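Review bot: `if (lcs == NULL) exit(ENOMEM);` in CRYPTO_lock terminates the host process from inside a library lock callback, and exit() runs atexit handlers that may call back into libcrypto locking while this table is still being populated; `abort()` (or `_exit()`, as the arc4random change in this same commit uses) avoids that re-entrancy, and ENOMEM is an errno value rather than a meaningful exit status. The lazily created section is published with InterlockedCompareExchangePointer, but a thread that later finds `locks[type]` non-NULL reaches EnterCriticalSection through a plain volatile load; as far as I know MSVC only gives volatile acquire semantics on x86/x64, not on ARM, so either read it back through an interlocked operation or document the assumption. The CRITICAL_SECTIONs are also never deleted, which is probably fine for process-lifetime locks but deserves a one-line comment above the `locks` array.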
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_aix.c,v 1.5 2016/08/07 03:27:21 tb Exp $ */
+/* $OpenBSD: getentropy_aix.c,v 1.7 2020/05/17 14:44:20 deraadt Exp $ */
 /*
  * Copyright (c) 2015 Michael Felt
@@ -44,7 +44,7 @@
 #include
 #define REPEAT 5
-#define min(a, b) (((a) < (b)) ? (a) : (b))
+#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
 #define HX(a, b) \
 do { \
@@ -60,7 +60,6 @@
 int getentropy(void *buf, size_t len);
-static int gotdata(char *buf, size_t len);
 static int getentropy_urandom(void *buf, size_t len, const char *path,
 int devfscheck);
 static int getentropy_fallback(void *buf, size_t len);
@@ -118,22 +117,6 @@ getentropy(void *buf, size_t len)
 return (ret);
 }
-/*
- * Basic sanity checking; wish we could do better.
- */
-static int
-gotdata(char *buf, size_t len)
-{
- char any_set = 0;
- size_t i;
-
- for (i = 0; i < len; ++i)
- any_set |= buf[i];
- if (any_set == 0)
- return (-1);
- return (0);
-}
-
 static int
 getentropy_urandom(void *buf, size_t len, const char *path, int devfscheck)
 {
@@ -179,10 +162,8 @@ start:
 i += ret;
 }
 close(fd);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
+ errno = save_errno;
+ return (0); /* satisfied */
 nodevrandom:
 errno = EIO;
 return (-1);
@@ -411,15 +392,11 @@ getentropy_fallback(void *buf, size_t len)
 HD(cnt);
 }
 SHA512_Final(results, &ctx);
- memcpy((char *)buf + i, results, min(sizeof(results), len - i));
- i += min(sizeof(results), len - i);
+ memcpy((char *)buf + i, results, MINIMUM(sizeof(results), len - i));
+ i += MINIMUM(sizeof(results), len - i);
 }
 explicit_bzero(&ctx, sizeof ctx);
 explicit_bzero(results, sizeof results);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
- errno = EIO;
- return (-1);
+ errno = save_errno;
+ return (0); /* satisfied */
 }
diff --git a/crypto/compat/getentropy_hpux.c b/crypto/compat/getentropy_hpux.c
index 3ae6a6a..c981880 100644
--- a/crypto/compat/getentropy_hpux.c
+++ b/crypto/compat/getentropy_hpux.c
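Review bot: Dropping gotdata() changes what getentropy_urandom promises — a read that comes back all zero is now reported as satisfied instead of falling through to the `nodevrandom:` EIO exit — and nothing in the new code says why that is acceptable. An all-zero buffer is a legitimate sample from a random source (a one-byte request produces one about once in 256 calls), so the old check rejected good data and, through the -1 return whose handling lies outside this hunk, presumably steered the caller toward the weaker fallback. A comment above the new `errno = save_errno;`, e.g. `/* No all-zero check: a zero buffer is a valid sample; rejecting it only pushes callers to weaker sources. */`, would keep the next reader from reinstating it. getentropy_urandom begins outside the hunk.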
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_hpux.c,v 1.5 2016/08/07 03:27:21 tb Exp $ */
+/* $OpenBSD: getentropy_hpux.c,v 1.7 2020/05/17 14:44:20 deraadt Exp $ */
 /*
  * Copyright (c) 2014 Theo de Raadt
@@ -48,7 +48,7 @@
 #include
 #define REPEAT 5
-#define min(a, b) (((a) < (b)) ? (a) : (b))
+#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
 #define HX(a, b) \
 do { \
@@ -64,7 +64,6 @@
 int getentropy(void *buf, size_t len);
-static int gotdata(char *buf, size_t len);
 static int getentropy_urandom(void *buf, size_t len, const char *path,
 int devfscheck);
 static int getentropy_fallback(void *buf, size_t len);
@@ -122,22 +121,6 @@ getentropy(void *buf, size_t len)
 return (ret);
 }
-/*
- * Basic sanity checking; wish we could do better.
- */
-static int
-gotdata(char *buf, size_t len)
-{
- char any_set = 0;
- size_t i;
-
- for (i = 0; i < len; ++i)
- any_set |= buf[i];
- if (any_set == 0)
- return (-1);
- return (0);
-}
-
 static int
 getentropy_urandom(void *buf, size_t len, const char *path, int devfscheck)
 {
@@ -183,10 +166,8 @@ start:
 i += ret;
 }
 close(fd);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
+ errno = save_errno;
+ return (0); /* satisfied */
 nodevrandom:
 errno = EIO;
 return (-1);
@@ -405,15 +386,11 @@ getentropy_fallback(void *buf, size_t len)
 HD(cnt);
 }
 SHA512_Final(results, &ctx);
- memcpy((char *)buf + i, results, min(sizeof(results), len - i));
- i += min(sizeof(results), len - i);
+ memcpy((char *)buf + i, results, MINIMUM(sizeof(results), len - i));
+ i += MINIMUM(sizeof(results), len - i);
 }
 explicit_bzero(&ctx, sizeof ctx);
 explicit_bzero(results, sizeof results);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
- errno = EIO;
- return (-1);
+ errno = save_errno;
+ return (0); /* satisfied */
 }
diff --git a/crypto/compat/getentropy_linux.c b/crypto/compat/getentropy_linux.c
index 408d7fd..bc7a6be 100644
--- a/crypto/compat/getentropy_linux.c
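Review bot: With the gotdata() check and the `errno = EIO; return (-1);` exit removed, the tail of getentropy_fallback in the last hunk unconditionally reports success, so within this hunk the function can no longer signal a failure at all; that is a meaningful change for a last-resort source and should be stated rather than left implicit. A comment on the new `return (0); /* satisfied */`, such as `/* The fallback always fills buf from the hashed state and cannot fail here. */`, would document it, with the caveat that any earlier returns in the function lie outside the hunk. The same rationale as for the urandom path applies — an all-zero SHA-512 output is not a sign of failure — and saying so once near the removed check would help.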
+++ b/crypto/compat/getentropy_linux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_linux.c,v 1.45 2018/03/13 22:53:28 bcook Exp $ */
+/* $OpenBSD: getentropy_linux.c,v 1.47 2020/05/17 14:44:20 deraadt Exp $ */
 /*
  * Copyright (c) 2014 Theo de Raadt
@@ -57,7 +57,7 @@
 #include
 #define REPEAT 5
-#define min(a, b) (((a) < (b)) ? (a) : (b))
+#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
 #define HX(a, b) \
 do { \
@@ -73,7 +73,6 @@
 int getentropy(void *buf, size_t len);
-static int gotdata(char *buf, size_t len);
 #if defined(SYS_getrandom) && defined(GRND_NONBLOCK)
 static int getentropy_getrandom(void *buf, size_t len);
 #endif
@@ -177,22 +176,6 @@ getentropy(void *buf, size_t len)
 return (ret);
 }
-/*
- * Basic sanity checking; wish we could do better.
- */
-static int
-gotdata(char *buf, size_t len)
-{
- char any_set = 0;
- size_t i;
-
- for (i = 0; i < len; ++i)
- any_set |= buf[i];
- if (any_set == 0)
- return (-1);
- return (0);
-}
-
 #if defined(SYS_getrandom) && defined(GRND_NONBLOCK)
 static int
 getentropy_getrandom(void *buf, size_t len)
@@ -261,10 +244,8 @@ start:
 i += ret;
 }
 close(fd);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
+ errno = save_errno;
+ return (0); /* satisfied */
 nodevrandom:
 errno = EIO;
 return (-1);
@@ -279,7 +260,7 @@ getentropy_sysctl(void *buf, size_t len)
 int save_errno = errno;
 for (i = 0; i < len; ) {
- size_t chunk = min(len - i, 16);
+ size_t chunk = MINIMUM(len - i, 16);
 /* SYS__sysctl because some systems already removed sysctl() */
 struct __sysctl_args args = {
@@ -292,10 +273,8 @@ getentropy_sysctl(void *buf, size_t len)
 goto sysctlfailed;
 i += chunk;
 }
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
+ errno = save_errno;
+ return (0); /* satisfied */
 sysctlfailed:
 errno = EIO;
 return (-1);
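Review bot: In the getentropy_sysctl hunk the all-zero check was the only post-hoc validation of what the `SYS__sysctl` loop wrote into `buf`; after this change the function returns success as soon as every 16-byte `chunk` round-trips without error, and the reason that is sufficient is not recorded anywhere in the file. Since the same removal is made in the urandom and fallback paths, one comment at the former gotdata() site would cover all three, e.g. `/* gotdata() removed: an all-zero buffer is a valid sample, and rejecting it only diverted callers to weaker sources. */` placed where `#if defined(SYS_getrandom)` now follows the removed block. The sysctl loop body and getentropy_sysctl's opening lie outside the hunk.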
@@ -536,15 +515,11 @@ getentropy_fallback(void *buf, size_t len)
 #endif
 SHA512_Final(results, &ctx);
- memcpy((char *)buf + i, results, min(sizeof(results), len - i));
- i += min(sizeof(results), len - i);
+ memcpy((char *)buf + i, results, MINIMUM(sizeof(results), len - i));
+ i += MINIMUM(sizeof(results), len - i);
 }
 explicit_bzero(&ctx, sizeof ctx);
 explicit_bzero(results, sizeof results);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
- errno = EIO;
- return (-1);
+ errno = save_errno;
+ return (0); /* satisfied */
 }
diff --git a/crypto/compat/getentropy_osx.c b/crypto/compat/getentropy_osx.c
index 2a5f83f..5d4067b 100644
--- a/crypto/compat/getentropy_osx.c
+++ b/crypto/compat/getentropy_osx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: getentropy_osx.c,v 1.11 2016/09/03 15:24:09 bcook Exp $ */
+/* $OpenBSD: getentropy_osx.c,v 1.13 2020/05/17 14:44:20 deraadt Exp $ */
 /*
  * Copyright (c) 2014 Theo de Raadt
@@ -66,7 +66,7 @@
 #define SHA512_DIGEST_LENGTH CC_SHA512_DIGEST_LENGTH
 #define REPEAT 5
-#define min(a, b) (((a) < (b)) ? (a) : (b))
+#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b))
 #define HX(a, b) \
 do { \
@@ -82,7 +82,6 @@
 int getentropy(void *buf, size_t len);
-static int gotdata(char *buf, size_t len);
 static int getentropy_urandom(void *buf, size_t len);
 static int getentropy_fallback(void *buf, size_t len);
@@ -142,22 +141,6 @@ getentropy(void *buf, size_t len)
 return (ret);
 }
-/*
- * Basic sanity checking; wish we could do better.
- */
-static int
-gotdata(char *buf, size_t len)
-{
- char any_set = 0;
- size_t i;
-
- for (i = 0; i < len; ++i)
- any_set |= buf[i];
- if (any_set == 0)
- return (-1);
- return (0);
-}
-
 static int
 getentropy_urandom(void *buf, size_t len)
 {
@@ -203,10 +186,8 @@ start:
 i += ret;
 }
 close(fd);
- if (gotdata(buf, len) == 0) {
- errno = save_errno;
- return (0); /* satisfied */
- }
+ errno = save_errno;
+ return (0); /* satisfied */
 nodevrandom:
 errno = EIO;
 return (-1);
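Review bot: The OS X getentropy_urandom now returns `(0); /* satisfied */` after `close(fd);` without the all-zero sanity check, identical to the other platforms in this commit, but the "satisfied" comment is all that is left to explain the contract. Keeping the per-platform copies in step matters here, so I would add the same short justification in each, e.g. `/* a zero-filled read is a valid sample; do not treat it as failure */` above `errno = save_errno;`, so that a future fix to one copy is not silently missed in the others. The read loop and the start of getentropy_urandom lie outside the hunk.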
@@ -426,15 +407,11 @@ getentropy_fallback(void *buf, size_t len) } SHA512_Final(results, &ctx); - memcpy((char *)buf + i, results, min(sizeof(results), len - i)); - i += min(sizeof(results), len - i); + memcpy((char *)buf + i, results, MINIMUM(sizeof(results), len - i)); + i += MINIMUM(sizeof(results), len - i); } explicit_bzero(&ctx, sizeof ctx); explicit_bzero(results, sizeof results); - if (gotdata(buf, len) == 0) { - errno = save_errno; - return (0); /* satisfied */ - } - errno = EIO; - return (-1); + errno = save_errno; + return (0); /* satisfied */ } diff --git a/crypto/compat/getentropy_solaris.c b/crypto/compat/getentropy_solaris.c index f0fcdcf..cf5b9bf 100644 --- a/crypto/compat/getentropy_solaris.c +++ b/crypto/compat/getentropy_solaris.c @@ -1,4 +1,4 @@ -/* $OpenBSD: getentropy_solaris.c,v 1.12 2016/08/07 03:27:21 tb Exp $ */ +/* $OpenBSD: getentropy_solaris.c,v 1.14 2020/05/17 14:44:20 deraadt Exp $ */ /* * Copyright (c) 2014 Theo de Raadt @@ -52,7 +52,7 @@ #include #define REPEAT 5 -#define min(a, b) (((a) < (b)) ? (a) : (b)) +#define MINIMUM(a, b) (((a) < (b)) ? (a) : (b)) #define HX(a, b) \ do { \ @@ -68,7 +68,6 @@ int getentropy(void *buf, size_t len); -static int gotdata(char *buf, size_t len); static int getentropy_urandom(void *buf, size_t len, const char *path, int devfscheck); static int getentropy_fallback(void *buf, size_t len); @@ -148,22 +147,6 @@ getentropy(void *buf, size_t len) return (ret); } -/* - * Basic sanity checking; wish we could do better. - */ -static int -gotdata(char *buf, size_t len) -{ - char any_set = 0; - size_t i; - - for (i = 0; i < len; ++i) - any_set |= buf[i]; - if (any_set == 0) - return (-1); - return (0); -} - static int getentropy_urandom(void *buf, size_t len, const char *path, int devfscheck) { 
@@ -210,10 +193,8 @@ start: i += ret; } close(fd); - if (gotdata(buf, len) == 0) { - errno = save_errno; - return (0); /* satisfied */ - } + errno = save_errno; + return (0); /* satisfied */ nodevrandom: errno = EIO; return (-1); @@ -431,15 +412,11 @@ getentropy_fallback(void *buf, size_t len) HD(cnt); } SHA512_Final(results, &ctx); - memcpy((char *)buf + i, results, min(sizeof(results), len - i)); - i += min(sizeof(results), len - i); + memcpy((char *)buf + i, results, MINIMUM(sizeof(results), len - i)); + i += MINIMUM(sizeof(results), len - i); } explicit_bzero(&ctx, sizeof ctx); explicit_bzero(results, sizeof results); - if (gotdata(buf, len) == 0) { - errno = save_errno; - return (0); /* satisfied */ - } - errno = EIO; - return (-1); + errno = save_errno; + return (0); /* satisfied */ } diff --git a/crypto/compat/getpagesize.c b/crypto/compat/getpagesize.c index 098efa9..cbaae92 100644 --- a/crypto/compat/getpagesize.c +++ b/crypto/compat/getpagesize.c @@ -2,13 +2,13 @@ #include -#ifdef _MSC_VER +#ifdef _WIN32 #include #endif int getpagesize(void) { -#ifdef _MSC_VER +#ifdef _WIN32 SYSTEM_INFO system_info; GetSystemInfo(&system_info); return system_info.dwPageSize; diff --git a/crypto/compat/getprogname_linux.c b/crypto/compat/getprogname_linux.c new file mode 100644 index 0000000..1850e86 --- /dev/null +++ b/crypto/compat/getprogname_linux.c @@ -0,0 +1,23 @@ +#include + +#include + +const char * +getprogname(void) +{ +#if defined(__ANDROID_API__) && __ANDROID_API__ < 21 + /* + * Android added getprogname with API 21, so we should not end up here + * with APIs newer than 21. + * https://github.com/aosp-mirror/platform_bionic/blob/1eb6d3/libc/include/stdlib.h#L160 + * + * Since Android is using portions of OpenBSD libc, it should have + * a symbol called __progname. + * https://github.com/aosp-mirror/platform_bionic/commit/692207 + */ + extern const char *__progname; + return __progname; +#else + return program_invocation_short_name; +#endif +} 
diff --git a/crypto/compat/getprogname_unimpl.c b/crypto/compat/getprogname_unimpl.c new file mode 100644 index 0000000..339c54a --- /dev/null +++ b/crypto/compat/getprogname_unimpl.c @@ -0,0 +1,7 @@ +#include + +const char * +getprogname(void) +{ + return "?"; +} diff --git a/crypto/compat/getprogname_windows.c b/crypto/compat/getprogname_windows.c new file mode 100644 index 0000000..eb04ec0 --- /dev/null +++ b/crypto/compat/getprogname_windows.c @@ -0,0 +1,13 @@ +#include + +#include + +const char * +getprogname(void) +{ + static char progname[MAX_PATH + 1]; + DWORD length = GetModuleFileName(NULL, progname, sizeof (progname) - 1); + if (length < 0) + return "?"; + return progname; +} diff --git a/crypto/compat/posix_win.c b/crypto/compat/posix_win.c index d6e2dcb..30c93cd 100644 --- a/crypto/compat/posix_win.c +++ b/crypto/compat/posix_win.c @@ -4,6 +4,7 @@ * BSD socket emulation code for Winsock2 * File IO compatibility shims * Brent Cook + * Kinichiro Inoguchi */ #define NO_REDEF_POSIX_FUNCTIONS @@ -161,7 +162,8 @@ posix_close(int fd) { if (closesocket(fd) == SOCKET_ERROR) { int err = WSAGetLastError(); - return (err == WSAENOTSOCK || err == WSAEBADF) ? + return (err == WSAENOTSOCK || err == WSAEBADF || + err == WSANOTINITIALISED) ? close(fd) : wsa_errno(err); } return 0; @@ -173,7 +175,8 @@ posix_read(int fd, void *buf, size_t count) ssize_t rc = recv(fd, buf, count, 0); if (rc == SOCKET_ERROR) { int err = WSAGetLastError(); - return (err == WSAENOTSOCK || err == WSAEBADF) ? + return (err == WSAENOTSOCK || err == WSAEBADF || + err == WSANOTINITIALISED) ? read(fd, buf, count) : wsa_errno(err); } return rc; @@ -185,7 +188,8 @@ posix_write(int fd, const void *buf, size_t count) ssize_t rc = send(fd, buf, count, 0); if (rc == SOCKET_ERROR) { int err = WSAGetLastError(); - return (err == WSAENOTSOCK || err == WSAEBADF) ? + return (err == WSAENOTSOCK || err == WSAEBADF || + err == WSANOTINITIALISED) ? write(fd, buf, count) : wsa_errno(err); } return rc; 
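Review bot: `if (length < 0)` in getprogname_windows.c can never be true because GetModuleFileName returns a DWORD, so a failed lookup returns whatever the static buffer holds instead of `"?"`; the API signals failure with 0 and truncation with a return value equal to the buffer size passed in. Replace the test with `if (length == 0 || length >= sizeof(progname) - 1) return "?";`. Two smaller points: calling `GetModuleFileNameA` explicitly keeps the `char` buffer correct when a build defines UNICODE, and the result is the full module path rather than the short name the Linux variant returns via program_invocation_short_name, which deserves a comment if intended since the string ends up in OpenSSLDie's log line.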
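Review bot: The `err == WSAENOTSOCK || err == WSAEBADF || err == WSANOTINITIALISED` test in posix_close is now spelled out three times (posix_read and posix_write below repeat it), so the next error code has to be added in three places. A helper such as `static int wsa_not_a_socket(int err) { return err == WSAENOTSOCK || err == WSAEBADF || err == WSANOTINITIALISED; }` keeps the call sites in step and gives a place for a comment explaining that WSANOTINITIALISED means the descriptor cannot be a socket because Winsock was never started, which is presumably why falling through to the CRT call is safe.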
@@ -208,6 +212,12 @@ posix_setsockopt(int sockfd, int level, int optname, return rc == 0 ? 0 : wsa_errno(WSAGetLastError()); } +uid_t getuid(void) +{ + /* Windows fstat sets 0 as st_uid */ + return 0; +} + #ifdef _MSC_VER struct timezone; int gettimeofday(struct timeval * tp, struct timezone * tzp) @@ -232,10 +242,4 @@ int gettimeofday(struct timeval * tp, struct timezone * tzp) return 0; } -unsigned int sleep(unsigned int seconds) -{ - Sleep(seconds * 1000); - return seconds; -} - #endif diff --git a/crypto/compat/strlcat.c b/crypto/compat/strlcat.c index f27dfe0..c94e90d 100644 --- a/crypto/compat/strlcat.c +++ b/crypto/compat/strlcat.c @@ -1,7 +1,7 @@ -/* $OpenBSD: strlcat.c,v 1.18 2016/10/16 17:37:39 dtucker Exp $ */ +/* $OpenBSD: strlcat.c,v 1.19 2019/01/25 00:19:25 millert Exp $ */ /* - * Copyright (c) 1998, 2015 Todd C. Miller + * Copyright (c) 1998, 2015 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff --git a/crypto/compat/strlcpy.c b/crypto/compat/strlcpy.c index 241586e..2fa498c 100644 --- a/crypto/compat/strlcpy.c +++ b/crypto/compat/strlcpy.c @@ -1,7 +1,7 @@ -/* $OpenBSD: strlcpy.c,v 1.15 2016/10/16 17:37:39 dtucker Exp $ */ +/* $OpenBSD: strlcpy.c,v 1.16 2019/01/25 00:19:25 millert Exp $ */ /* - * Copyright (c) 1998, 2015 Todd C. Miller + * Copyright (c) 1998, 2015 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff --git a/crypto/compat/strndup.c b/crypto/compat/strndup.c index f43ba65..0f15e42 100644 --- a/crypto/compat/strndup.c +++ b/crypto/compat/strndup.c 
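Review bot: `return 0;` makes getuid() report uid 0 on Windows, and the comment only says that fstat reports 0 in st_uid; since 0 is the conventional root uid, any caller that uses `getuid() == 0` as a privilege test would be misled, and the `uid %u` field OpenSSLDie now logs carries no information on this platform. Expand the comment to say so: `/* Stub: Windows has no POSIX uid. Always 0 (matching st_uid from the compat fstat); it carries no privilege information and must not be used for authorization decisions. */`.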
@@ -1,7 +1,7 @@ -/* $OpenBSD: strndup.c,v 1.2 2015/08/31 02:53:57 guenther Exp $ */ +/* $OpenBSD: strndup.c,v 1.3 2019/01/25 00:19:25 millert Exp $ */ /* - * Copyright (c) 2010 Todd C. Miller + * Copyright (c) 2010 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff --git a/crypto/compat/strnlen.c b/crypto/compat/strnlen.c index a2017e1..84f2d22 100644 --- a/crypto/compat/strnlen.c +++ b/crypto/compat/strnlen.c @@ -1,7 +1,7 @@ -/* $OpenBSD: strnlen.c,v 1.8 2016/10/16 17:37:39 dtucker Exp $ */ +/* $OpenBSD: strnlen.c,v 1.9 2019/01/25 00:19:25 millert Exp $ */ /* - * Copyright (c) 2010 Todd C. Miller + * Copyright (c) 2010 Todd C. Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above diff --git a/crypto/compat/syslog_r.c b/crypto/compat/syslog_r.c new file mode 100644 index 0000000..d68169d --- /dev/null +++ b/crypto/compat/syslog_r.c @@ -0,0 +1,19 @@ +#include + +void +syslog_r(int pri, struct syslog_data *data, const char *fmt, ...) +{ + va_list ap; + + va_start(ap, fmt); + vsyslog_r(pri, data, fmt, ap); + va_end(ap); +} + +void +vsyslog_r(int pri, struct syslog_data *data, const char *fmt, va_list ap) +{ +#ifdef HAVE_SYSLOG + vsyslog(pri, fmt, ap); +#endif +} diff --git a/crypto/conf/conf_def.c b/crypto/conf/conf_def.c index 4099ffc..f2b2c94 100644 --- a/crypto/conf/conf_def.c +++ b/crypto/conf/conf_def.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf_def.c,v 1.32 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: conf_def.c,v 1.33 2020/02/17 12:51:48 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
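Review bot: vsyslog_r in syslog_r.c discards the message when HAVE_SYSLOG is not defined, and OPENSSL_showfatal in the cryptlib.c hunk at @@ -663 now routes every internal-error assertion through it instead of `vfprintf(stderr, ...)`, so on builds without syslog (the Windows configuration in this patch passes -DNO_SYSLOG, so HAVE_SYSLOG is presumably absent there) the assertion text from OpenSSLDie is lost just before the process exits. Keep a stderr fallback inside the `#ifdef HAVE_SYSLOG` block: `#else` followed by `vfprintf(stderr, fmt, ap);`. The `data` parameter is accepted but unused, which is worth a one-line comment so nobody assumes openlog_r-style state is honoured.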
@@ -70,6 +70,8 @@ #include "conf_def.h" +#define MAX_CONF_VALUE_LENGTH 65536 + static char *eat_ws(CONF *conf, char *p); static char *eat_alpha_numeric(CONF *conf, char *p); static void clear_comments(CONF *conf, char *p); @@ -455,6 +457,7 @@ str_copy(CONF *conf, char *section, char **pto, char *from) { int q, r,rr = 0, to = 0, len = 0; char *s, *e, *rp, *p, *rrp, *np, *cp, v; + size_t newsize; BUF_MEM *buf; if ((buf = BUF_MEM_new()) == NULL) @@ -563,8 +566,12 @@ str_copy(CONF *conf, char *section, char **pto, char *from) CONFerror(CONF_R_VARIABLE_HAS_NO_VALUE); goto err; } - if (!BUF_MEM_grow_clean(buf, - (strlen(p) + buf->length - (e - from)))) { + newsize = strlen(p) + buf->length - (e - from); + if (newsize > MAX_CONF_VALUE_LENGTH) { + CONFerror(CONF_R_VARIABLE_EXPANSION_TOO_LONG); + goto err; + } + if (!BUF_MEM_grow_clean(buf, newsize)) { CONFerror(CONF_R_MODULE_INITIALIZATION_ERROR); goto err; } diff --git a/crypto/conf/conf_err.c b/crypto/conf/conf_err.c index dbb373a..1e5eaff 100644 --- a/crypto/conf/conf_err.c +++ b/crypto/conf/conf_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: conf_err.c,v 1.13 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: conf_err.c,v 1.14 2020/02/17 12:51:48 inoguchi Exp $ */ /* ==================================================================== * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * @@ -92,6 +92,7 @@ static ERR_STRING_DATA CONF_str_reasons[]= { {ERR_REASON(CONF_R_NO_VALUE) , "no value"}, {ERR_REASON(CONF_R_UNABLE_TO_CREATE_NEW_SECTION), "unable to create new section"}, {ERR_REASON(CONF_R_UNKNOWN_MODULE_NAME) , "unknown module name"}, + {ERR_REASON(CONF_R_VARIABLE_EXPANSION_TOO_LONG), "variable expansion too long"}, {ERR_REASON(CONF_R_VARIABLE_HAS_NO_VALUE), "variable has no value"}, {0, NULL} }; diff --git a/crypto/constant_time_locl.h b/crypto/constant_time_locl.h index 2cabfb4..2d511cc 100644 --- a/crypto/constant_time_locl.h +++ b/crypto/constant_time_locl.h 
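Review bot: The new `newsize > MAX_CONF_VALUE_LENGTH` test in str_copy is the right place to bound expansion growth, but `MAX_CONF_VALUE_LENGTH` is defined in the earlier hunk without any comment and 65536 reads as an arbitrary number. A comment at the define would record the intent: `/* Upper bound on a single expanded value: caps buffer growth from $var substitution so a crafted config file cannot drive str_copy into unbounded allocation. */`. The check runs after `newsize` is computed from `strlen(p) + buf->length - (e - from)`, which is unchanged; if that subtraction ever underflowed, the huge size_t would now be rejected by the comparison instead of reaching BUF_MEM_grow_clean, a useful side effect worth noting. str_copy begins outside this hunk.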
@@ -200,6 +200,8 @@ static inline int constant_time_select_int(unsigned int mask, int a, int b) return (int)(constant_time_select(mask, (unsigned)(a), (unsigned)(b))); } +void err_clear_last_constant_time(int clear); + __END_HIDDEN_DECLS #endif /* HEADER_CONSTANT_TIME_LOCL_H */ diff --git a/crypto/cpuid-masm-x86_64.S b/crypto/cpuid-masm-x86_64.S new file mode 100644 index 0000000..d646821 --- /dev/null +++ b/crypto/cpuid-masm-x86_64.S 
@@ -0,0 +1,253 @@ +; 1 "crypto/cpuid-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/cpuid-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/cpuid-masm-x86_64.S.tmp" 2 +EXTERN OPENSSL_cpuid_setup:NEAR + +.CRT$XCU SEGMENT READONLY ALIGN(8) + DQ OPENSSL_cpuid_setup + +EXTERN OPENSSL_ia32cap_P:NEAR + + +.CRT$XCU ENDS +.text$ SEGMENT ALIGN(64) 'CODE' + +PUBLIC OPENSSL_atomic_add + +ALIGN 16 +OPENSSL_atomic_add PROC PUBLIC + mov eax,DWORD PTR[rdi] +$L$spin:: lea r8,QWORD PTR[rax*1+rsi] +DB 0f0h + cmpxchg DWORD PTR[rdi],r8d + jne $L$spin + mov eax,r8d +DB 048h,098h + DB 0F3h,0C3h ;repret +OPENSSL_atomic_add ENDP + +PUBLIC OPENSSL_ia32_cpuid + +ALIGN 16 +OPENSSL_ia32_cpuid PROC PUBLIC + mov r8,rbx + + xor eax,eax + cpuid + mov r11d,eax + + xor eax,eax + cmp ebx,0756e6547h + setne al + mov r9d,eax + cmp edx,049656e69h + setne al + or r9d,eax + cmp ecx,06c65746eh + setne al + or r9d,eax + jz $L$intel + + cmp ebx,068747541h + setne al + mov r10d,eax + cmp edx,069746E65h + setne al + or r10d,eax + cmp ecx,0444D4163h + setne al + or r10d,eax + jnz $L$intel + + + mov eax,080000000h + cpuid + cmp eax,080000001h + jb $L$intel + mov r10d,eax + mov eax,080000001h + cpuid + and r9d,(1 SHL 11) + or r9d,1 + + cmp r10d,080000008h + jb $L$intel + + mov eax,080000008h + cpuid + movzx r10,cl + inc r10 + + mov eax,1 + cpuid + bt edx,28 + jnc $L$generic + shr ebx,16 + cmp bl,r10b + ja $L$generic + xor edx,(1 SHL 28) + jmp $L$generic + +$L$intel:: + cmp r11d,4 + mov r10d,-1 + jb $L$nocacheinfo + + mov eax,4 + mov ecx,0 + cpuid + mov r10d,eax + shr r10d,14 + and r10d,0fffh + +$L$nocacheinfo:: + mov eax,1 + cpuid + + and edx,(NOT((1 SHL 20) OR (1 SHL 30))) + cmp r9d,0 + jne $L$notintel + + or edx,(1 SHL 30) + and ah,15 + cmp ah,15 + jne $L$notintel + + or edx,(1 
SHL 20) +$L$notintel:: + bt edx,28 + jnc $L$generic + xor edx,(1 SHL 28) + cmp r10d,0 + je $L$generic + + or edx,(1 SHL 28) + shr ebx,16 + cmp bl,1 + ja $L$generic + xor edx,(1 SHL 28) + +$L$generic:: + and r9d,(1 SHL 11) + and ecx,(NOT(1 SHL 11)) + or r9d,ecx + + mov r10d,edx + bt r9d,27 + jnc $L$clear_avx + xor ecx,ecx +DB 00fh,001h,0d0h + and eax,6 + cmp eax,6 + je $L$done +$L$clear_avx:: + mov eax,(NOT((1 SHL 28) OR (1 SHL 12) OR (1 SHL 11))) + and r9d,eax +$L$done:: + shl r9,32 + mov eax,r10d + mov rbx,r8 + or rax,r9 + DB 0F3h,0C3h ;repret +OPENSSL_ia32_cpuid ENDP +PUBLIC OPENSSL_wipe_cpu + +ALIGN 16 +OPENSSL_wipe_cpu PROC PUBLIC + pxor xmm0,xmm0 + pxor xmm1,xmm1 + pxor xmm2,xmm2 + pxor xmm3,xmm3 + pxor xmm4,xmm4 + pxor xmm5,xmm5 + pxor xmm6,xmm6 + pxor xmm7,xmm7 + pxor xmm8,xmm8 + pxor xmm9,xmm9 + pxor xmm10,xmm10 + pxor xmm11,xmm11 + pxor xmm12,xmm12 + pxor xmm13,xmm13 + pxor xmm14,xmm14 + pxor xmm15,xmm15 + xor rcx,rcx + xor rdx,rdx + xor rsi,rsi + xor rdi,rdi + xor r8,r8 + xor r9,r9 + xor r10,r10 + xor r11,r11 + lea rax,QWORD PTR[8+rsp] + DB 0F3h,0C3h ;repret +OPENSSL_wipe_cpu ENDP + +.text$ ENDS +END + diff --git a/crypto/cpuid-mingw64-x86_64.S b/crypto/cpuid-mingw64-x86_64.S new file mode 100644 index 0000000..db9578c --- /dev/null +++ b/crypto/cpuid-mingw64-x86_64.S 
@@ -0,0 +1,181 @@ +#include "x86_arch.h" + + +.section .ctors + .p2align 3 + .quad OPENSSL_cpuid_setup + + + + +.text + +.globl OPENSSL_atomic_add +.def OPENSSL_atomic_add; .scl 2; .type 32; .endef +.p2align 4 +OPENSSL_atomic_add: + movl (%rdi),%eax +.Lspin: leaq (%rsi,%rax,1),%r8 +.byte 0xf0 + cmpxchgl %r8d,(%rdi) + jne .Lspin + movl %r8d,%eax +.byte 0x48,0x98 + retq + + +.globl OPENSSL_ia32_cpuid +.def OPENSSL_ia32_cpuid; .scl 2; .type 32; .endef +.p2align 4 +OPENSSL_ia32_cpuid: + movq %rbx,%r8 + + xorl %eax,%eax + cpuid + movl %eax,%r11d + + xorl %eax,%eax + cmpl $1970169159,%ebx + setne %al + movl %eax,%r9d + cmpl $1231384169,%edx + setne %al + orl %eax,%r9d + cmpl $1818588270,%ecx + setne %al + orl %eax,%r9d + jz .Lintel + + cmpl $1752462657,%ebx + setne %al + movl %eax,%r10d + cmpl $1769238117,%edx + setne %al + orl %eax,%r10d + cmpl $1145913699,%ecx + setne %al + orl %eax,%r10d + jnz .Lintel + + + movl $2147483648,%eax + cpuid + cmpl $2147483649,%eax + jb .Lintel + movl %eax,%r10d + movl $2147483649,%eax + cpuid + andl $IA32CAP_MASK1_AMD_XOP,%r9d + orl $1,%r9d + + cmpl $2147483656,%r10d + jb .Lintel + + movl $2147483656,%eax + cpuid + movzbq %cl,%r10 + incq %r10 + + movl $1,%eax + cpuid + btl $IA32CAP_BIT0_HT,%edx + jnc .Lgeneric + shrl $16,%ebx + cmpb %r10b,%bl + ja .Lgeneric + xorl $IA32CAP_MASK0_HT,%edx + jmp .Lgeneric + +.Lintel: + cmpl $4,%r11d + movl $-1,%r10d + jb .Lnocacheinfo + + movl $4,%eax + movl $0,%ecx + cpuid + movl %eax,%r10d + shrl $14,%r10d + andl $4095,%r10d + +.Lnocacheinfo: + movl $1,%eax + cpuid + + andl $(~(IA32CAP_MASK0_INTELP4 | IA32CAP_MASK0_INTEL)),%edx + cmpl $0,%r9d + jne .Lnotintel + + orl $IA32CAP_MASK0_INTEL,%edx + andb $15,%ah + cmpb $15,%ah + jne .Lnotintel + + orl $IA32CAP_MASK0_INTELP4,%edx +.Lnotintel: + btl $IA32CAP_BIT0_HT,%edx + jnc .Lgeneric + xorl $IA32CAP_MASK0_HT,%edx + cmpl $0,%r10d + je .Lgeneric + + orl $IA32CAP_MASK0_HT,%edx + shrl $16,%ebx + cmpb $1,%bl + ja .Lgeneric + xorl $IA32CAP_MASK0_HT,%edx + 
+.Lgeneric: + andl $IA32CAP_MASK1_AMD_XOP,%r9d + andl $(~IA32CAP_MASK1_AMD_XOP),%ecx + orl %ecx,%r9d + + movl %edx,%r10d + btl $IA32CAP_BIT1_OSXSAVE,%r9d + jnc .Lclear_avx + xorl %ecx,%ecx +.byte 0x0f,0x01,0xd0 + andl $6,%eax + cmpl $6,%eax + je .Ldone +.Lclear_avx: + movl $(~(IA32CAP_MASK1_AVX | IA32CAP_MASK1_FMA3 | IA32CAP_MASK1_AMD_XOP)),%eax + andl %eax,%r9d +.Ldone: + shlq $32,%r9 + movl %r10d,%eax + movq %r8,%rbx + orq %r9,%rax + retq + +.globl OPENSSL_wipe_cpu +.def OPENSSL_wipe_cpu; .scl 2; .type 32; .endef +.p2align 4 +OPENSSL_wipe_cpu: + pxor %xmm0,%xmm0 + pxor %xmm1,%xmm1 + pxor %xmm2,%xmm2 + pxor %xmm3,%xmm3 + pxor %xmm4,%xmm4 + pxor %xmm5,%xmm5 + pxor %xmm6,%xmm6 + pxor %xmm7,%xmm7 + pxor %xmm8,%xmm8 + pxor %xmm9,%xmm9 + pxor %xmm10,%xmm10 + pxor %xmm11,%xmm11 + pxor %xmm12,%xmm12 + pxor %xmm13,%xmm13 + pxor %xmm14,%xmm14 + pxor %xmm15,%xmm15 + xorq %rcx,%rcx + xorq %rdx,%rdx + xorq %rsi,%rsi + xorq %rdi,%rdi + xorq %r8,%r8 + xorq %r9,%r9 + xorq %r10,%r10 + xorq %r11,%r11 + leaq 8(%rsp),%rax + retq + diff --git a/crypto/cryptlib.c b/crypto/cryptlib.c index f7b783a..38d31e7 100644 --- a/crypto/cryptlib.c +++ b/crypto/cryptlib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cryptlib.c,v 1.41 2017/04/29 21:48:43 jsing Exp $ */ +/* $OpenBSD: cryptlib.c,v 1.45 2019/01/26 11:30:32 deraadt Exp $ */ /* ==================================================================== * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. * 
@@ -114,367 +114,172 @@ * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ -#include +#include #include -#include +#include #include +#include #include #include - #include -#include -#include -#include -#include - -DECLARE_STACK_OF(CRYPTO_dynlock) - -/* real #defines in crypto.h, keep these upto date */ -static const char* const lock_names[CRYPTO_NUM_LOCKS] = { - "<>", - "err", - "ex_data", - "x509", - "x509_info", - "x509_pkey", - "x509_crl", - "x509_req", - "dsa", - "rsa", - "evp_pkey", - "x509_store", - "ssl_ctx", - "ssl_cert", - "ssl_session", - "ssl_sess_cert", - "ssl", - "ssl_method", - "rand", - "rand2", - "debug_malloc", - "BIO", - "gethostbyname", - "getservbyname", - "readdir", - "RSA_blinding", - "dh", - "debug_malloc2", - "dso", - "dynlock", - "engine", - "ui", - "ecdsa", - "ec", - "ecdh", - "bn", - "ec_pre_comp", - "store", - "comp", - "fips", - "fips2", -#if CRYPTO_NUM_LOCKS != 41 -# error "Inconsistency between crypto.h and cryptlib.c" -#endif -}; - -/* This is for applications to allocate new type names in the non-dynamic - array of lock names. These are numbered with positive numbers. */ -static STACK_OF(OPENSSL_STRING) *app_locks = NULL; - -/* For applications that want a more dynamic way of handling threads, the - following stack is used. These are externally numbered with negative - numbers. 
*/ -static STACK_OF(CRYPTO_dynlock) *dyn_locks = NULL; static void (*locking_callback)(int mode, int type, - const char *file, int line) = 0; + const char *file, int line) = NULL; static int (*add_lock_callback)(int *pointer, int amount, - int type, const char *file, int line) = 0; -#ifndef OPENSSL_NO_DEPRECATED -static unsigned long (*id_callback)(void) = 0; -#endif -static void (*threadid_callback)(CRYPTO_THREADID *) = 0; -static struct CRYPTO_dynlock_value *(*dynlock_create_callback)( - const char *file, int line) = 0; -static void (*dynlock_lock_callback)(int mode, - struct CRYPTO_dynlock_value *l, const char *file, int line) = 0; -static void (*dynlock_destroy_callback)(struct CRYPTO_dynlock_value *l, - const char *file, int line) = 0; - -int -CRYPTO_get_new_lockid(char *name) -{ - char *str; - int i; - - if ((app_locks == NULL) && - ((app_locks = sk_OPENSSL_STRING_new_null()) == NULL)) { - CRYPTOerror(ERR_R_MALLOC_FAILURE); - return (0); - } - if (name == NULL || (str = strdup(name)) == NULL) { - CRYPTOerror(ERR_R_MALLOC_FAILURE); - return (0); - } - i = sk_OPENSSL_STRING_push(app_locks, str); - if (!i) - free(str); - else - i += CRYPTO_NUM_LOCKS; /* gap of one :-) */ - return (i); -} + int type, const char *file, int line) = NULL; int CRYPTO_num_locks(void) { - return CRYPTO_NUM_LOCKS; + return 1; } -int -CRYPTO_get_new_dynlockid(void) +unsigned long +(*CRYPTO_get_id_callback(void))(void) { - int i = 0; - CRYPTO_dynlock *pointer = NULL; - - if (dynlock_create_callback == NULL) { - CRYPTOerror(CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK); - return (0); - } - CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK); - if ((dyn_locks == NULL) && - ((dyn_locks = sk_CRYPTO_dynlock_new_null()) == NULL)) { - CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK); - CRYPTOerror(ERR_R_MALLOC_FAILURE); - return (0); - } - CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK); - - pointer = malloc(sizeof(CRYPTO_dynlock)); - if (pointer == NULL) { - CRYPTOerror(ERR_R_MALLOC_FAILURE); - return (0); - } - pointer->references = 1; - 
pointer->data = dynlock_create_callback(__FILE__, __LINE__); - if (pointer->data == NULL) { - free(pointer); - CRYPTOerror(ERR_R_MALLOC_FAILURE); - return (0); - } - - CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK); - /* First, try to find an existing empty slot */ - i = sk_CRYPTO_dynlock_find(dyn_locks, NULL); - /* If there was none, push, thereby creating a new one */ - if (i == -1) - /* Since sk_push() returns the number of items on the - stack, not the location of the pushed item, we need - to transform the returned number into a position, - by decreasing it. */ - i = sk_CRYPTO_dynlock_push(dyn_locks, pointer) - 1; - else - /* If we found a place with a NULL pointer, put our pointer - in it. */ - (void)sk_CRYPTO_dynlock_set(dyn_locks, i, pointer); - CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK); - - if (i == -1) { - dynlock_destroy_callback(pointer->data, __FILE__, __LINE__); - free(pointer); - } else - i += 1; /* to avoid 0 */ - return -i; -} - -void -CRYPTO_destroy_dynlockid(int i) -{ - CRYPTO_dynlock *pointer = NULL; - - if (i) - i = -i - 1; - if (dynlock_destroy_callback == NULL) - return; - - CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK); - - if (dyn_locks == NULL || i >= sk_CRYPTO_dynlock_num(dyn_locks)) { - CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK); - return; - } - pointer = sk_CRYPTO_dynlock_value(dyn_locks, i); - if (pointer != NULL) { - --pointer->references; - if (pointer->references <= 0) { - (void)sk_CRYPTO_dynlock_set(dyn_locks, i, NULL); - } else - pointer = NULL; - } - CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK); - - if (pointer) { - dynlock_destroy_callback(pointer->data, __FILE__, __LINE__); - free(pointer); - } -} - -struct CRYPTO_dynlock_value * -CRYPTO_get_dynlock_value(int i) -{ - CRYPTO_dynlock *pointer = NULL; - - if (i) - i = -i - 1; - - CRYPTO_w_lock(CRYPTO_LOCK_DYNLOCK); - - if (dyn_locks != NULL && i < sk_CRYPTO_dynlock_num(dyn_locks)) - pointer = sk_CRYPTO_dynlock_value(dyn_locks, i); - if (pointer) - pointer->references++; - - CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK); - - if 
(pointer) - return pointer->data; return NULL; } -struct CRYPTO_dynlock_value * -(*CRYPTO_get_dynlock_create_callback(void))(const char *file, int line) +void +CRYPTO_set_id_callback(unsigned long (*func)(void)) { - return (dynlock_create_callback); + return; +} + +unsigned long +CRYPTO_thread_id(void) +{ + return (unsigned long)pthread_self(); } void -(*CRYPTO_get_dynlock_lock_callback(void))(int mode, - struct CRYPTO_dynlock_value *l, const char *file, int line) +CRYPTO_set_locking_callback(void (*func)(int mode, int lock_num, + const char *file, int line)) { - return (dynlock_lock_callback); + locking_callback = func; } void -(*CRYPTO_get_dynlock_destroy_callback(void))(struct CRYPTO_dynlock_value *l, - const char *file, int line) +(*CRYPTO_get_locking_callback(void))(int mode, int lock_num, + const char *file, int line) { - return (dynlock_destroy_callback); + return locking_callback; } void -CRYPTO_set_dynlock_create_callback( - struct CRYPTO_dynlock_value *(*func)(const char *file, int line)) +CRYPTO_set_add_lock_callback(int (*func)(int *num, int mount, int lock_num, + const char *file, int line)) { - dynlock_create_callback = func; -} - -void -CRYPTO_set_dynlock_lock_callback(void (*func)(int mode, - struct CRYPTO_dynlock_value *l, const char *file, int line)) -{ - dynlock_lock_callback = func; -} - -void -CRYPTO_set_dynlock_destroy_callback( - void (*func)(struct CRYPTO_dynlock_value *l, const char *file, int line)) -{ - dynlock_destroy_callback = func; -} - -void -(*CRYPTO_get_locking_callback(void))(int mode, int type, const char *file, - int line) -{ - return (locking_callback); + add_lock_callback = func; } int (*CRYPTO_get_add_lock_callback(void))(int *num, int mount, int type, const char *file, int line) { - return (add_lock_callback); + return add_lock_callback; +} + +const char * +CRYPTO_get_lock_name(int lock_num) +{ + return ""; +} + +struct CRYPTO_dynlock_value * +CRYPTO_get_dynlock_value(int i) +{ + return NULL; +} + +int 
CRYPTO_get_new_dynlockid(void) +{ + return 0; } void -CRYPTO_set_locking_callback(void (*func)(int mode, int type, - const char *file, int line)) +CRYPTO_destroy_dynlockid(int i) { - /* Calling this here ensures initialisation before any threads - * are started. - */ - locking_callback = func; + return; } -void -CRYPTO_set_add_lock_callback(int (*func)(int *num, int mount, int type, - const char *file, int line)) +int CRYPTO_get_new_lockid(char *name) { - add_lock_callback = func; -} - -/* the memset() here and in set_pointer() seem overkill, but for the sake of - * CRYPTO_THREADID_cmp() this avoids any platform silliness that might cause two - * "equal" THREADID structs to not be memcmp()-identical. */ -void -CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id, unsigned long val) -{ - memset(id, 0, sizeof(*id)); - id->val = val; -} - -void -CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr) -{ - memset(id, 0, sizeof(*id)); - id->ptr = ptr; -#if ULONG_MAX >= UINTPTR_MAX - /*s u 'ptr' can be embedded in 'val' without loss of uniqueness */ - id->val = (uintptr_t)id->ptr; -#else - { - SHA256_CTX ctx; - uint8_t results[SHA256_DIGEST_LENGTH]; - - SHA256_Init(&ctx); - SHA256_Update(&ctx, (char *)(&id->ptr), sizeof(id->ptr)); - SHA256_Final(results, &ctx); - memcpy(&id->val, results, sizeof(id->val)); - } -#endif + return 0; } int CRYPTO_THREADID_set_callback(void (*func)(CRYPTO_THREADID *)) { - if (threadid_callback) - return 0; - threadid_callback = func; return 1; } -void (*CRYPTO_THREADID_get_callback(void))(CRYPTO_THREADID *) +void +(*CRYPTO_THREADID_get_callback(void))(CRYPTO_THREADID *) { - return threadid_callback; + return NULL; +} + +void +CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id, unsigned long val) +{ + return; +} + +void +CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr) +{ + return; +} + +void +CRYPTO_set_dynlock_create_callback(struct CRYPTO_dynlock_value *( + *dyn_create_function)(const char *file, int line)) +{ + return; +} + +void 
+CRYPTO_set_dynlock_lock_callback(void (*dyn_lock_function)( + int mode, struct CRYPTO_dynlock_value *l, const char *file, int line)) +{ + return; +} + +void +CRYPTO_set_dynlock_destroy_callback(void (*dyn_destroy_function)( + struct CRYPTO_dynlock_value *l, const char *file, int line)) +{ + return; +} + +struct CRYPTO_dynlock_value * +(*CRYPTO_get_dynlock_create_callback(void))( + const char *file, int line) +{ + return NULL; +} + +void +(*CRYPTO_get_dynlock_lock_callback(void))(int mode, + struct CRYPTO_dynlock_value *l, const char *file, int line) +{ + return NULL; +} + +void +(*CRYPTO_get_dynlock_destroy_callback(void))( + struct CRYPTO_dynlock_value *l, const char *file, int line) +{ + return NULL; } void CRYPTO_THREADID_current(CRYPTO_THREADID *id) { - if (threadid_callback) { - threadid_callback(id); - return; - } -#ifndef OPENSSL_NO_DEPRECATED - /* If the deprecated callback was set, fall back to that */ - if (id_callback) { - CRYPTO_THREADID_set_numeric(id, id_callback()); - return; - } -#endif - /* Else pick a backup */ - /* For everything else, default to using the address of 'errno' */ - CRYPTO_THREADID_set_pointer(id, (void*)&errno); + memset(id, 0, sizeof(*id)); + id->val = (unsigned long)pthread_self(); } int 
@@ -495,129 +300,6 @@ CRYPTO_THREADID_hash(const CRYPTO_THREADID *id) return id->val; } -#ifndef OPENSSL_NO_DEPRECATED -unsigned long (*CRYPTO_get_id_callback(void))(void) -{ - return (id_callback); -} - -void -CRYPTO_set_id_callback(unsigned long (*func)(void)) -{ - id_callback = func; -} - -unsigned long -CRYPTO_thread_id(void) -{ - unsigned long ret = 0; - - if (id_callback == NULL) { - ret = (unsigned long)getpid(); - } else - ret = id_callback(); - return (ret); -} -#endif - -void -CRYPTO_lock(int mode, int type, const char *file, int line) -{ -#ifdef LOCK_DEBUG - { - CRYPTO_THREADID id; - char *rw_text, *operation_text; - - if (mode & CRYPTO_LOCK) - operation_text = "lock "; - else if (mode & CRYPTO_UNLOCK) - operation_text = "unlock"; - else - operation_text = "ERROR "; - - if (mode & CRYPTO_READ) - rw_text = "r"; - else if (mode & CRYPTO_WRITE) - rw_text = "w"; - else - rw_text = "ERROR"; - - CRYPTO_THREADID_current(&id); - fprintf(stderr, "lock:%08lx:(%s)%s %-18s %s:%d\n", - CRYPTO_THREADID_hash(&id), rw_text, operation_text, - CRYPTO_get_lock_name(type), file, line); - } -#endif - if (type < 0) { - if (dynlock_lock_callback != NULL) { - struct CRYPTO_dynlock_value *pointer = - CRYPTO_get_dynlock_value(type); - - OPENSSL_assert(pointer != NULL); - - dynlock_lock_callback(mode, pointer, file, line); - - CRYPTO_destroy_dynlockid(type); - } - } else if (locking_callback != NULL) - locking_callback(mode, type, file, line); -} - -int -CRYPTO_add_lock(int *pointer, int amount, int type, const char *file, - int line) -{ - int ret = 0; - - if (add_lock_callback != NULL) { -#ifdef LOCK_DEBUG - int before= *pointer; -#endif - - ret = add_lock_callback(pointer, amount, type, file, line); -#ifdef LOCK_DEBUG - { - CRYPTO_THREADID id; - CRYPTO_THREADID_current(&id); - fprintf(stderr, "ladd:%08lx:%2d+%2d->%2d %-18s %s:%d\n", - CRYPTO_THREADID_hash(&id), before, amount, ret, - CRYPTO_get_lock_name(type), - file, line); - } -#endif - } else { - 
CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE, type, file, line); - - ret= *pointer + amount; -#ifdef LOCK_DEBUG - { - CRYPTO_THREADID id; - CRYPTO_THREADID_current(&id); - fprintf(stderr, "ladd:%08lx:%2d+%2d->%2d %-18s %s:%d\n", - CRYPTO_THREADID_hash(&id), *pointer, amount, ret, - CRYPTO_get_lock_name(type), file, line); - } -#endif - *pointer = ret; - CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE, type, file, line); - } - return (ret); -} - -const char * -CRYPTO_get_lock_name(int type) -{ - if (type < 0) - return("dynamic"); - else if (type < CRYPTO_NUM_LOCKS) - return (lock_names[type]); - else if (type - CRYPTO_NUM_LOCKS > sk_OPENSSL_STRING_num(app_locks)) - return("ERROR"); - else - return (sk_OPENSSL_STRING_value(app_locks, - type - CRYPTO_NUM_LOCKS)); -} - #if defined(__i386) || defined(__i386__) || defined(_M_IX86) || \ defined(__INTEL__) || \ defined(__x86_64) || defined(__x86_64__) || defined(_M_AMD64) || defined(_M_X64) @@ -663,10 +345,11 @@ OPENSSL_cpuid_setup(void) static void OPENSSL_showfatal(const char *fmta, ...) { + struct syslog_data sdata = SYSLOG_DATA_INIT; va_list ap; va_start(ap, fmta); - vfprintf(stderr, fmta, ap); + vsyslog_r(LOG_INFO|LOG_LOCAL2, &sdata, fmta, ap); va_end(ap); } @@ -674,9 +357,9 @@ void OpenSSLDie(const char *file, int line, const char *assertion) { OPENSSL_showfatal( - "%s(%d): OpenSSL internal error, assertion failed: %s\n", - file, line, assertion); - abort(); + "uid %u cmd %s %s(%d): OpenSSL internal error, assertion failed: %s\n", + getuid(), getprogname(), file, line, assertion); + _exit(1); } int diff --git a/crypto/crypto.sym b/crypto/crypto.sym index 78ffb85..48a76e8 100644 --- a/crypto/crypto.sym +++ b/crypto/crypto.sym @@ -199,15 +199,12 @@ ASN1_item_verify ASN1_mbstring_copy ASN1_mbstring_ncopy ASN1_object_size -ASN1_pack_string ASN1_parse ASN1_parse_dump ASN1_primitive_free ASN1_primitive_new ASN1_put_eoc ASN1_put_object -ASN1_seq_pack -ASN1_seq_unpack ASN1_tag2bit ASN1_tag2str ASN1_template_d2i 
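Review bot: CRYPTO_set_locking_callback and CRYPTO_set_add_lock_callback still store the function pointers, but with CRYPTO_lock and CRYPTO_add_lock removed in the next hunk (@@ -495) nothing in this file reads `locking_callback` or `add_lock_callback` any more, and CRYPTO_THREADID_set_callback returns 1 (success) while dropping its argument. Applications that still register callbacks to make libcrypto thread-safe get no signal that the registration is a no-op, so the file should carry a header comment such as `/* Legacy threading API: these callbacks are accepted for source compatibility only and are never invoked by this file. */`. CRYPTO_THREADID_current now casts `pthread_self()` to unsigned long; pthread_t is opaque and need not be an integral type, so this presumably relies on the pthread compat layer on non-POSIX targets, which is not visible here. The last definition in the hunk, CRYPTO_THREADID_hash, continues outside it.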
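Review bot: `_exit(1)` in place of `abort()` in OpenSSLDie changes how an internal assertion failure is observed: the process ends with an ordinary exit status rather than SIGABRT, no core dump is produced, and atexit handlers and stdio buffers are skipped, so anyone relying on a crash dump or a signal exit to detect a libcrypto internal error will no longer see one. If that is the intent (not running cleanup from a state the library considers corrupt), state it next to the call: `/* _exit, not abort: do not run atexit handlers or flush stdio from a state we consider corrupt; the syslog line above is the only record. */`. The new format string prints `getuid()` with `%u`; a cast `(unsigned)getuid()` would keep that correct since uid_t's width is implementation-defined.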
@@ -217,7 +214,6 @@ ASN1_template_new
 ASN1_time_parse
 ASN1_time_tm_clamp_notafter
 ASN1_time_tm_cmp
-ASN1_unpack_string
 AUTHORITY_INFO_ACCESS_free
 AUTHORITY_INFO_ACCESS_it
 AUTHORITY_INFO_ACCESS_new
@@ -310,6 +306,7 @@ BIO_meth_set_write
 BIO_method_name
 BIO_method_type
 BIO_new
+BIO_new_CMS
 BIO_new_NDEF
 BIO_new_PKCS7
 BIO_new_accept
@@ -562,6 +559,118 @@ CMAC_Final
 CMAC_Init
 CMAC_Update
 CMAC_resume
+CMS_ContentInfo_free
+CMS_ContentInfo_it
+CMS_ContentInfo_new
+CMS_ContentInfo_print_ctx
+CMS_EncryptedData_decrypt
+CMS_EncryptedData_encrypt
+CMS_EncryptedData_set1_key
+CMS_EnvelopedData_create
+CMS_ReceiptRequest_create0
+CMS_ReceiptRequest_free
+CMS_ReceiptRequest_get0_values
+CMS_ReceiptRequest_it
+CMS_ReceiptRequest_new
+CMS_RecipientEncryptedKey_cert_cmp
+CMS_RecipientEncryptedKey_get0_id
+CMS_RecipientInfo_decrypt
+CMS_RecipientInfo_encrypt
+CMS_RecipientInfo_get0_pkey_ctx
+CMS_RecipientInfo_kari_decrypt
+CMS_RecipientInfo_kari_get0_alg
+CMS_RecipientInfo_kari_get0_ctx
+CMS_RecipientInfo_kari_get0_orig_id
+CMS_RecipientInfo_kari_get0_reks
+CMS_RecipientInfo_kari_orig_id_cmp
+CMS_RecipientInfo_kari_set0_pkey
+CMS_RecipientInfo_kekri_get0_id
+CMS_RecipientInfo_kekri_id_cmp
+CMS_RecipientInfo_ktri_cert_cmp
+CMS_RecipientInfo_ktri_get0_algs
+CMS_RecipientInfo_ktri_get0_signer_id
+CMS_RecipientInfo_set0_key
+CMS_RecipientInfo_set0_password
+CMS_RecipientInfo_set0_pkey
+CMS_RecipientInfo_type
+CMS_SharedInfo_encode
+CMS_SignedData_init
+CMS_SignerInfo_cert_cmp
+CMS_SignerInfo_get0_algs
+CMS_SignerInfo_get0_md_ctx
+CMS_SignerInfo_get0_pkey_ctx
+CMS_SignerInfo_get0_signature
+CMS_SignerInfo_get0_signer_id
+CMS_SignerInfo_set1_signer_cert
+CMS_SignerInfo_sign
+CMS_SignerInfo_verify
+CMS_SignerInfo_verify_content
+CMS_add0_CertificateChoices
+CMS_add0_RevocationInfoChoice
+CMS_add0_cert
+CMS_add0_crl
+CMS_add0_recipient_key
+CMS_add0_recipient_password
+CMS_add1_ReceiptRequest
+CMS_add1_cert
+CMS_add1_crl
+CMS_add1_recipient_cert
+CMS_add1_signer
+CMS_add_simple_smimecap
+CMS_add_smimecap
+CMS_add_standard_smimecap
+CMS_compress
+CMS_data
+CMS_dataFinal
+CMS_dataInit
+CMS_data_create
+CMS_decrypt
+CMS_decrypt_set1_key
+CMS_decrypt_set1_password
+CMS_decrypt_set1_pkey
+CMS_digest_create
+CMS_digest_verify
+CMS_encrypt
+CMS_final
+CMS_get0_RecipientInfos
+CMS_get0_SignerInfos
+CMS_get0_content
+CMS_get0_eContentType
+CMS_get0_signers
+CMS_get0_type
+CMS_get1_ReceiptRequest
+CMS_get1_certs
+CMS_get1_crls
+CMS_is_detached
+CMS_set1_eContentType
+CMS_set1_signers_certs
+CMS_set_detached
+CMS_sign
+CMS_sign_receipt
+CMS_signed_add1_attr
+CMS_signed_add1_attr_by_NID
+CMS_signed_add1_attr_by_OBJ
+CMS_signed_add1_attr_by_txt
+CMS_signed_delete_attr
+CMS_signed_get0_data_by_OBJ
+CMS_signed_get_attr
+CMS_signed_get_attr_by_NID
+CMS_signed_get_attr_by_OBJ
+CMS_signed_get_attr_count
+CMS_stream
+CMS_uncompress
+CMS_unsigned_add1_attr
+CMS_unsigned_add1_attr_by_NID
+CMS_unsigned_add1_attr_by_OBJ
+CMS_unsigned_add1_attr_by_txt
+CMS_unsigned_delete_attr
+CMS_unsigned_get0_data_by_OBJ
+CMS_unsigned_get_attr
+CMS_unsigned_get_attr_by_NID
+CMS_unsigned_get_attr_by_OBJ
+CMS_unsigned_get_attr_count
+CMS_verify
+CMS_verify_receipt
 COMP_CTX_free
 COMP_CTX_new
 COMP_compress_block
@@ -671,6 +780,7 @@ CRYPTO_get_mem_ex_functions
 CRYPTO_get_mem_functions
 CRYPTO_get_new_dynlockid
 CRYPTO_get_new_lockid
+CRYPTO_hchacha_20
 CRYPTO_is_mem_check_on
 CRYPTO_lock
 CRYPTO_malloc
@@ -712,6 +822,7 @@ CRYPTO_set_mem_ex_functions
 CRYPTO_set_mem_functions
 CRYPTO_strdup
 CRYPTO_thread_id
+CRYPTO_xchacha_20
 CRYPTO_xts128_encrypt
 Camellia_cbc_encrypt
 Camellia_cfb128_encrypt
@@ -969,20 +1093,27 @@ EC_KEY_get0_group EC_KEY_get0_private_key EC_KEY_get0_public_key EC_KEY_get_conv_form +EC_KEY_get_default_method EC_KEY_get_enc_flags +EC_KEY_get_ex_data EC_KEY_get_flags EC_KEY_get_key_method_data +EC_KEY_get_method EC_KEY_insert_key_method_data EC_KEY_new EC_KEY_new_by_curve_name +EC_KEY_new_method EC_KEY_precompute_mult EC_KEY_print EC_KEY_print_fp EC_KEY_set_asn1_flag EC_KEY_set_conv_form +EC_KEY_set_default_method EC_KEY_set_enc_flags +EC_KEY_set_ex_data EC_KEY_set_flags EC_KEY_set_group +EC_KEY_set_method EC_KEY_set_private_key EC_KEY_set_public_key EC_KEY_set_public_key_affine_coordinates @@ -1040,6 +1171,7 @@ ENGINE_finish ENGINE_free ENGINE_get_DH ENGINE_get_DSA +ENGINE_get_EC ENGINE_get_ECDH ENGINE_get_ECDSA ENGINE_get_RAND @@ -1052,6 +1184,7 @@ ENGINE_get_cmd_defns ENGINE_get_ctrl_function ENGINE_get_default_DH ENGINE_get_default_DSA +ENGINE_get_default_EC ENGINE_get_default_ECDH ENGINE_get_default_ECDSA ENGINE_get_default_RAND @@ -1094,6 +1227,7 @@ ENGINE_new ENGINE_pkey_asn1_find_str ENGINE_register_DH ENGINE_register_DSA +ENGINE_register_EC ENGINE_register_ECDH ENGINE_register_ECDSA ENGINE_register_RAND @@ -1101,6 +1235,7 @@ ENGINE_register_RSA ENGINE_register_STORE ENGINE_register_all_DH ENGINE_register_all_DSA +ENGINE_register_all_EC ENGINE_register_all_ECDH ENGINE_register_all_ECDSA ENGINE_register_all_RAND @@ -1119,6 +1254,7 @@ ENGINE_register_pkey_meths ENGINE_remove ENGINE_set_DH ENGINE_set_DSA +ENGINE_set_EC ENGINE_set_ECDH ENGINE_set_ECDSA ENGINE_set_RAND @@ -1130,6 +1266,7 @@ ENGINE_set_ctrl_function ENGINE_set_default ENGINE_set_default_DH ENGINE_set_default_DSA +ENGINE_set_default_EC ENGINE_set_default_ECDH ENGINE_set_default_ECDSA ENGINE_set_default_RAND @@ -1155,6 +1292,7 @@ ENGINE_set_pkey_meths ENGINE_set_table_flags ENGINE_unregister_DH ENGINE_unregister_DSA +ENGINE_unregister_EC ENGINE_unregister_ECDH ENGINE_unregister_ECDSA ENGINE_unregister_RAND 
@@ -1186,6 +1324,7 @@ ERR_load_ASN1_strings ERR_load_BIO_strings ERR_load_BN_strings ERR_load_BUF_strings +ERR_load_CMS_strings ERR_load_COMP_strings ERR_load_CONF_strings ERR_load_CRYPTO_strings @@ -1258,9 +1397,11 @@ EVP_CIPHER_CTX_cleanup EVP_CIPHER_CTX_clear_flags EVP_CIPHER_CTX_copy EVP_CIPHER_CTX_ctrl +EVP_CIPHER_CTX_encrypting EVP_CIPHER_CTX_flags EVP_CIPHER_CTX_free EVP_CIPHER_CTX_get_app_data +EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_init EVP_CIPHER_CTX_iv_length EVP_CIPHER_CTX_key_length @@ -1270,6 +1411,7 @@ EVP_CIPHER_CTX_rand_key EVP_CIPHER_CTX_reset EVP_CIPHER_CTX_set_app_data EVP_CIPHER_CTX_set_flags +EVP_CIPHER_CTX_set_iv EVP_CIPHER_CTX_set_key_length EVP_CIPHER_CTX_set_padding EVP_CIPHER_CTX_test_flags @@ -1310,6 +1452,8 @@ EVP_DigestSignInit EVP_DigestUpdate EVP_DigestVerifyFinal EVP_DigestVerifyInit +EVP_ENCODE_CTX_free +EVP_ENCODE_CTX_new EVP_EncodeBlock EVP_EncodeFinal EVP_EncodeInit @@ -1349,7 +1493,6 @@ EVP_PBE_cleanup EVP_PBE_find EVP_PKCS82PKEY EVP_PKEY2PKCS8 -EVP_PKEY2PKCS8_broken EVP_PKEY_CTX_ctrl EVP_PKEY_CTX_ctrl_str EVP_PKEY_CTX_dup @@ -1409,6 +1552,7 @@ EVP_PKEY_get0_DSA EVP_PKEY_get0_EC_KEY EVP_PKEY_get0_RSA EVP_PKEY_get0_asn1 +EVP_PKEY_get0_hmac EVP_PKEY_get1_DH EVP_PKEY_get1_DSA EVP_PKEY_get1_EC_KEY @@ -1474,6 +1618,7 @@ EVP_add_digest EVP_aead_aes_128_gcm EVP_aead_aes_256_gcm EVP_aead_chacha20_poly1305 +EVP_aead_xchacha20_poly1305 EVP_aes_128_cbc EVP_aes_128_cbc_hmac_sha1 EVP_aes_128_ccm @@ -1485,6 +1630,7 @@ EVP_aes_128_ctr EVP_aes_128_ecb EVP_aes_128_gcm EVP_aes_128_ofb +EVP_aes_128_wrap EVP_aes_128_xts EVP_aes_192_cbc EVP_aes_192_ccm @@ -1496,6 +1642,7 @@ EVP_aes_192_ctr EVP_aes_192_ecb EVP_aes_192_gcm EVP_aes_192_ofb +EVP_aes_192_wrap EVP_aes_256_cbc EVP_aes_256_cbc_hmac_sha1 EVP_aes_256_ccm @@ -1507,6 +1654,7 @@ EVP_aes_256_ctr EVP_aes_256_ecb EVP_aes_256_gcm EVP_aes_256_ofb +EVP_aes_256_wrap EVP_aes_256_xts EVP_bf_cbc EVP_bf_cfb 
@@ -1600,6 +1748,12 @@ EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 +EVP_sm3 +EVP_sm4_cbc +EVP_sm4_cfb128 +EVP_sm4_ctr +EVP_sm4_ecb +EVP_sm4_ofb EVP_streebog256 EVP_streebog512 EVP_whirlpool @@ -1653,7 +1807,6 @@ Gost2814789_cnt_encrypt Gost2814789_ecb_encrypt Gost2814789_set_key Gost2814789_set_sbox -Gost28147_TestParamSet HKDF HKDF_expand HKDF_extract @@ -1941,6 +2094,7 @@ PEM_do_header PEM_get_EVP_CIPHER_INFO PEM_proc_type PEM_read +PEM_read_CMS PEM_read_DHparams PEM_read_DSAPrivateKey PEM_read_DSA_PUBKEY @@ -1963,6 +2117,7 @@ PEM_read_X509_CERT_PAIR PEM_read_X509_CRL PEM_read_X509_REQ PEM_read_bio +PEM_read_bio_CMS PEM_read_bio_DHparams PEM_read_bio_DSAPrivateKey PEM_read_bio_DSA_PUBKEY @@ -1986,6 +2141,7 @@ PEM_read_bio_X509_CERT_PAIR PEM_read_bio_X509_CRL PEM_read_bio_X509_REQ PEM_write +PEM_write_CMS PEM_write_DHparams PEM_write_DSAPrivateKey PEM_write_DSA_PUBKEY @@ -2012,6 +2168,8 @@ PEM_write_X509_REQ PEM_write_X509_REQ_NEW PEM_write_bio PEM_write_bio_ASN1_stream +PEM_write_bio_CMS +PEM_write_bio_CMS_stream PEM_write_bio_DHparams PEM_write_bio_DSAPrivateKey PEM_write_bio_DSA_PUBKEY @@ -2191,9 +2349,10 @@ PKCS8_PRIV_KEY_INFO_new PKCS8_add_keyusage PKCS8_decrypt PKCS8_encrypt +PKCS8_pkey_add1_attr_by_NID PKCS8_pkey_get0 +PKCS8_pkey_get0_attrs PKCS8_pkey_set0 -PKCS8_set_broken PKEY_USAGE_PERIOD_free PKEY_USAGE_PERIOD_it PKEY_USAGE_PERIOD_new @@ -2249,6 +2408,10 @@ RSAPrivateKey_dup RSAPrivateKey_it RSAPublicKey_dup RSAPublicKey_it +RSA_OAEP_PARAMS_free +RSA_OAEP_PARAMS_it +RSA_OAEP_PARAMS_new +RSA_PKCS1_OpenSSL RSA_PKCS1_SSLeay RSA_PSS_PARAMS_free RSA_PSS_PARAMS_it 
@@ -2272,13 +2435,39 @@ RSA_get_ex_new_index RSA_get_method RSA_meth_dup RSA_meth_free +RSA_meth_get0_app_data +RSA_meth_get0_name +RSA_meth_get_bn_mod_exp +RSA_meth_get_finish +RSA_meth_get_flags +RSA_meth_get_init +RSA_meth_get_keygen +RSA_meth_get_mod_exp +RSA_meth_get_priv_dec +RSA_meth_get_priv_enc +RSA_meth_get_pub_dec +RSA_meth_get_pub_enc +RSA_meth_get_sign +RSA_meth_get_verify RSA_meth_new +RSA_meth_set0_app_data +RSA_meth_set1_name +RSA_meth_set_bn_mod_exp RSA_meth_set_finish +RSA_meth_set_flags +RSA_meth_set_init +RSA_meth_set_keygen +RSA_meth_set_mod_exp RSA_meth_set_priv_dec RSA_meth_set_priv_enc +RSA_meth_set_pub_dec +RSA_meth_set_pub_enc +RSA_meth_set_sign +RSA_meth_set_verify RSA_new RSA_new_method RSA_padding_add_PKCS1_OAEP +RSA_padding_add_PKCS1_OAEP_mgf1 RSA_padding_add_PKCS1_PSS RSA_padding_add_PKCS1_PSS_mgf1 RSA_padding_add_PKCS1_type_1 @@ -2286,10 +2475,12 @@ RSA_padding_add_PKCS1_type_2 RSA_padding_add_X931 RSA_padding_add_none RSA_padding_check_PKCS1_OAEP +RSA_padding_check_PKCS1_OAEP_mgf1 RSA_padding_check_PKCS1_type_1 RSA_padding_check_PKCS1_type_2 RSA_padding_check_X931 RSA_padding_check_none +RSA_pkey_ctx_ctrl RSA_print RSA_print_fp RSA_private_decrypt @@ -2336,11 +2527,19 @@ SHA512_Final SHA512_Init SHA512_Transform SHA512_Update +SM3_Final +SM3_Init +SM3_Update +SM4_decrypt +SM4_encrypt +SM4_set_key SMIME_crlf_copy SMIME_read_ASN1 +SMIME_read_CMS SMIME_read_PKCS7 SMIME_text SMIME_write_ASN1 +SMIME_write_CMS SMIME_write_PKCS7 SSLeay SSLeay_version @@ -2670,14 +2869,19 @@ X509_CRL_get0_extensions X509_CRL_get0_lastUpdate X509_CRL_get0_nextUpdate X509_CRL_get0_signature +X509_CRL_get_REVOKED X509_CRL_get_ext X509_CRL_get_ext_by_NID X509_CRL_get_ext_by_OBJ X509_CRL_get_ext_by_critical X509_CRL_get_ext_count X509_CRL_get_ext_d2i +X509_CRL_get_issuer +X509_CRL_get_lastUpdate X509_CRL_get_meth_data +X509_CRL_get_nextUpdate X509_CRL_get_signature_nid +X509_CRL_get_version X509_CRL_it X509_CRL_match X509_CRL_new 
@@ -2817,6 +3021,8 @@ X509_REQ_get_extension_nids X509_REQ_get_extensions X509_REQ_get_pubkey X509_REQ_get_signature_nid +X509_REQ_get_subject_name +X509_REQ_get_version X509_REQ_it X509_REQ_new X509_REQ_print @@ -2986,6 +3192,7 @@ X509_get0_notAfter X509_get0_notBefore X509_get0_pubkey X509_get0_pubkey_bitstr +X509_get0_serialNumber X509_get0_signature X509_get0_tbs_sigalg X509_get1_email @@ -3009,7 +3216,9 @@ X509_get_pubkey X509_get_pubkey_parameters X509_get_serialNumber X509_get_signature_nid +X509_get_signature_type X509_get_subject_name +X509_get_version X509_getm_notAfter X509_getm_notBefore X509_gmtime_adj @@ -3095,6 +3304,13 @@ X9_62_PENTANOMIAL_free X9_62_PENTANOMIAL_it X9_62_PENTANOMIAL_new ZLONG_it +_CONF_add_string +_CONF_free_data +_CONF_get_section +_CONF_get_section_values +_CONF_get_string +_CONF_new_data +_CONF_new_section a2d_ASN1_OBJECT a2i_ASN1_ENUMERATED a2i_ASN1_INTEGER @@ -3103,10 +3319,6 @@ a2i_GENERAL_NAME a2i_IPADDRESS a2i_IPADDRESS_NC a2i_ipadd -asn1_Finish -asn1_GetSequence -asn1_add_error -asn1_const_Finish asn1_do_adb asn1_do_lock asn1_enc_free @@ -3141,7 +3353,6 @@ d2i_ASN1_OCTET_STRING d2i_ASN1_PRINTABLE d2i_ASN1_PRINTABLESTRING d2i_ASN1_SEQUENCE_ANY -d2i_ASN1_SET d2i_ASN1_SET_ANY d2i_ASN1_T61STRING d2i_ASN1_TIME @@ -3151,13 +3362,14 @@ d2i_ASN1_UNIVERSALSTRING d2i_ASN1_UTCTIME d2i_ASN1_UTF8STRING d2i_ASN1_VISIBLESTRING -d2i_ASN1_bytes -d2i_ASN1_type_bytes d2i_AUTHORITY_INFO_ACCESS d2i_AUTHORITY_KEYID d2i_AutoPrivateKey d2i_BASIC_CONSTRAINTS d2i_CERTIFICATEPOLICIES +d2i_CMS_ContentInfo +d2i_CMS_ReceiptRequest +d2i_CMS_bio d2i_CRL_DIST_POINTS d2i_DHparams d2i_DHparams_bio @@ -3270,6 +3482,7 @@ d2i_RSAPublicKey d2i_RSAPublicKey_bio d2i_RSAPublicKey_fp d2i_RSA_NET +d2i_RSA_OAEP_PARAMS d2i_RSA_PSS_PARAMS d2i_RSA_PUBKEY d2i_RSA_PUBKEY_bio @@ -3351,7 +3564,6 @@ i2d_ASN1_OCTET_STRING i2d_ASN1_PRINTABLE i2d_ASN1_PRINTABLESTRING i2d_ASN1_SEQUENCE_ANY -i2d_ASN1_SET i2d_ASN1_SET_ANY i2d_ASN1_T61STRING i2d_ASN1_TIME 
@@ -3361,11 +3573,14 @@ i2d_ASN1_UTCTIME i2d_ASN1_UTF8STRING i2d_ASN1_VISIBLESTRING i2d_ASN1_bio_stream -i2d_ASN1_bytes i2d_AUTHORITY_INFO_ACCESS i2d_AUTHORITY_KEYID i2d_BASIC_CONSTRAINTS i2d_CERTIFICATEPOLICIES +i2d_CMS_ContentInfo +i2d_CMS_ReceiptRequest +i2d_CMS_bio +i2d_CMS_bio_stream i2d_CRL_DIST_POINTS i2d_DHparams i2d_DHparams_bio @@ -3484,6 +3699,7 @@ i2d_RSAPublicKey i2d_RSAPublicKey_bio i2d_RSAPublicKey_fp i2d_RSA_NET +i2d_RSA_OAEP_PARAMS i2d_RSA_PSS_PARAMS i2d_RSA_PUBKEY i2d_RSA_PUBKEY_bio diff --git a/crypto/crypto_init.c b/crypto/crypto_init.c index 08fb55f..67e7920 100644 --- a/crypto/crypto_init.c +++ b/crypto/crypto_init.c @@ -23,6 +23,7 @@ #include #include #include + #include "cryptlib.h" int OpenSSL_config(const char *); @@ -34,6 +35,7 @@ static void OPENSSL_init_crypto_internal(void) { crypto_init_thread = pthread_self(); + OPENSSL_cpuid_setup(); ERR_load_crypto_strings(); OpenSSL_add_all_ciphers(); diff --git a/crypto/crypto_lock.c b/crypto/crypto_lock.c new file mode 100644 index 0000000..5d317a8 --- /dev/null +++ b/crypto/crypto_lock.c 
@@ -0,0 +1,95 @@ +/* $OpenBSD: crypto_lock.c,v 1.2 2018/11/28 15:51:32 jsing Exp $ */ +/* + * Copyright (c) 2018 Brent Cook + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include + +static pthread_mutex_t locks[] = { + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + 
PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, + PTHREAD_MUTEX_INITIALIZER, +}; + +#define CTASSERT(x) extern char _ctassert[(x) ? 1 : -1 ] \ + __attribute__((__unused__)) + +CTASSERT((sizeof(locks) / sizeof(*locks)) == CRYPTO_NUM_LOCKS); + +void +CRYPTO_lock(int mode, int type, const char *file, int line) +{ + if (type < 0 || type >= CRYPTO_NUM_LOCKS) + return; + + if (mode & CRYPTO_LOCK) + (void) pthread_mutex_lock(&locks[type]); + else if (mode & CRYPTO_UNLOCK) + (void) pthread_mutex_unlock(&locks[type]); +} + +int +CRYPTO_add_lock(int *pointer, int amount, int type, const char *file, + int line) +{ + int ret; + + CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE, type, file, line); + ret = *pointer + amount; + *pointer = ret; + CRYPTO_lock(CRYPTO_UNLOCK|CRYPTO_WRITE, type, file, line); + + return (ret); +} diff --git a/crypto/curve25519/curve25519-generic.c b/crypto/curve25519/curve25519-generic.c index e7373d2..d533731 100644 --- a/crypto/curve25519/curve25519-generic.c +++ b/crypto/curve25519/curve25519-generic.c @@ -1,3 +1,4 @@ +/* $OpenBSD: curve25519-generic.c,v 1.2 2019/05/11 15:55:52 tb Exp $ */ /* * Copyright (c) 2015, Google Inc. * diff --git a/crypto/curve25519/curve25519.c b/crypto/curve25519/curve25519.c index 994b804..13b54c3 100644 --- a/crypto/curve25519/curve25519.c +++ b/crypto/curve25519/curve25519.c @@ -1,3 +1,4 @@ +/* $OpenBSD: curve25519.c,v 1.5 2019/05/11 15:55:52 tb Exp $ */ /* * Copyright (c) 2015, Google Inc. * diff --git a/crypto/curve25519/curve25519_internal.h b/crypto/curve25519/curve25519_internal.h index f80424a..09d20a4 100644 --- a/crypto/curve25519/curve25519_internal.h +++ b/crypto/curve25519/curve25519_internal.h @@ -1,3 +1,4 @@ +/* $OpenBSD: curve25519_internal.h,v 1.3 2019/05/11 15:55:52 tb Exp $ */ /* * Copyright (c) 2015, Google Inc. * diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c index 0402092..af15fb2 100644 --- a/crypto/dh/dh_ameth.c 
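Review bot: `if (type < 0 || type >= CRYPTO_NUM_LOCKS) return;` makes CRYPTO_lock a silent no-op for dynamic lock ids (type < 0), which the cryptlib.c code removed earlier in this diff routed through dynlock_lock_callback, and CRYPTO_add_lock then does an unlocked read-modify-write of `*pointer` for such ids even though `CRYPTO_get_new_dynlockid` is still exported in crypto.sym. If dynamic and application-registered locks are intentionally unsupported, say so at the check, `/* Only the static lock table is supported; dynamic (type < 0) and application lock ids are deliberately no-ops. */`, and consider aborting there instead of returning so that a refcount race is loud rather than silent. The `pthread_mutex_lock`/`pthread_mutex_unlock` results are discarded, which is fine for default-attribute mutexes but deserves a one-line comment. `CTASSERT` depends on `__attribute__((__unused__))`, so this file presumably is not compiled with non-GCC-compatible compilers.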
+++ b/crypto/dh/dh_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_ameth.c,v 1.14 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: dh_ameth.c,v 1.18 2020/01/04 13:57:43 inoguchi Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -78,8 +78,8 @@ dh_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) const unsigned char *p, *pm; int pklen, pmlen; int ptype; - void *pval; - ASN1_STRING *pstr; + const void *pval; + const ASN1_STRING *pstr; X509_ALGOR *palg; ASN1_INTEGER *public_key = NULL; DH *dh = NULL; @@ -180,14 +180,14 @@ err: */ static int -dh_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) +dh_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) { const unsigned char *p, *pm; int pklen, pmlen; int ptype; - void *pval; - ASN1_STRING *pstr; - X509_ALGOR *palg; + const void *pval; + const ASN1_STRING *pstr; + const X509_ALGOR *palg; ASN1_INTEGER *privkey = NULL; DH *dh = NULL; @@ -225,6 +225,7 @@ dh_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) decerr: DHerror(EVP_R_DECODE_ERROR); dherr: + ASN1_INTEGER_free(privkey); DH_free(dh); return 0; } diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c index a6010f0..a8227d3 100644 --- a/crypto/dh/dh_check.c +++ b/crypto/dh/dh_check.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_check.c,v 1.16 2016/07/05 02:54:35 bcook Exp $ */ +/* $OpenBSD: dh_check.c,v 1.17 2019/01/20 01:56:59 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -74,7 +74,7 @@ int DH_check(const DH *dh, int *ret) { - int ok = 0; + int is_prime, ok = 0; BN_CTX *ctx = NULL; BN_ULONG l; BIGNUM *q = NULL; 
@@ -102,16 +102,23 @@ DH_check(const DH *dh, int *ret) } else *ret |= DH_UNABLE_TO_CHECK_GENERATOR; - if (!BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL)) + is_prime = BN_is_prime_ex(dh->p, BN_prime_checks, ctx, NULL); + if (is_prime < 0) + goto err; + if (is_prime == 0) *ret |= DH_CHECK_P_NOT_PRIME; else { if (!BN_rshift1(q, dh->p)) goto err; - if (!BN_is_prime_ex(q, BN_prime_checks, ctx, NULL)) + is_prime = BN_is_prime_ex(q, BN_prime_checks, ctx, NULL); + if (is_prime < 0) + goto err; + if (is_prime == 0) *ret |= DH_CHECK_P_NOT_SAFE_PRIME; } ok = 1; -err: + + err: BN_CTX_free(ctx); BN_free(q); return ok; diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c index 63d3877..a77e795 100644 --- a/crypto/dh/dh_key.c +++ b/crypto/dh/dh_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_key.c,v 1.27 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: dh_key.c,v 1.36 2018/11/12 17:39:17 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -102,30 +102,29 @@ static int generate_key(DH *dh) { int ok = 0; - int generate_new_key = 0; unsigned l; BN_CTX *ctx; BN_MONT_CTX *mont = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL, *two = NULL; + + if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { + DHerror(DH_R_MODULUS_TOO_LARGE); + return 0; + } ctx = BN_CTX_new(); if (ctx == NULL) goto err; - if (dh->priv_key == NULL) { - priv_key = BN_new(); - if (priv_key == NULL) + if ((priv_key = dh->priv_key) == NULL) { + if ((priv_key = BN_new()) == NULL) goto err; - generate_new_key = 1; - } else - priv_key = dh->priv_key; + } - if (dh->pub_key == NULL) { - pub_key = BN_new(); - if (pub_key == NULL) + if ((pub_key = dh->pub_key) == NULL) { + if ((pub_key = BN_new()) == NULL) goto err; - } else - pub_key = dh->pub_key; + } if (dh->flags & DH_FLAG_CACHE_MONT_P) { mont = BN_MONT_CTX_set_locked(&dh->method_mont_p, 
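Review bot: The `is_prime < 0` handling is correct, but DH_check still runs `BN_is_prime_ex` on `dh->p` and on `(p-1)/2` without bounding the modulus size, whereas generate_key in dh_key.c in this same change rejects `BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS`; a parameter set from a peer or file with a p of tens of thousands of bits makes DH_check a CPU sink before it reports anything. Unless the part of DH_check before this hunk already bounds it, add `if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { DHerror(DH_R_MODULUS_TOO_LARGE); goto err; }` ahead of the primality tests. DH_check begins outside this hunk.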
@@ -134,12 +133,14 @@ generate_key(DH *dh) goto err; } - if (generate_new_key) { + if (dh->priv_key == NULL) { if (dh->q) { - do { - if (!BN_rand_range(priv_key, dh->q)) - goto err; - } while (BN_is_zero(priv_key) || BN_is_one(priv_key)); + if ((two = BN_new()) == NULL) + goto err; + if (!BN_add(two, BN_value_one(), BN_value_one())) + goto err; + if (!bn_rand_interval(priv_key, two, dh->q)) + goto err; } else { /* secret exponent length */ l = dh->length ? dh->length : BN_num_bits(dh->p) - 1; @@ -148,30 +149,23 @@ generate_key(DH *dh) } } - { - BIGNUM prk; - - BN_init(&prk); - BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME); - - if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, &prk, dh->p, ctx, - mont)) { - goto err; - } - } + if (!dh->meth->bn_mod_exp(dh, pub_key, dh->g, priv_key, dh->p, ctx, + mont)) + goto err; dh->pub_key = pub_key; dh->priv_key = priv_key; ok = 1; -err: + err: if (ok != 1) DHerror(ERR_R_BN_LIB); - if (pub_key != NULL && dh->pub_key == NULL) + if (dh->pub_key == NULL) BN_free(pub_key); - if (priv_key != NULL && dh->priv_key == NULL) + if (dh->priv_key == NULL) BN_free(priv_key); BN_CTX_free(ctx); + BN_free(two); return ok; } @@ -195,7 +189,7 @@ compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) BN_CTX_start(ctx); if ((tmp = BN_CTX_get(ctx)) == NULL) goto err; - + if (dh->priv_key == NULL) { DHerror(DH_R_NO_PRIVATE_VALUE); goto err; @@ -223,7 +217,7 @@ compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) } ret = BN_bn2bin(tmp, key); -err: + err: if (ctx != NULL) { BN_CTX_end(ctx); BN_CTX_free(ctx); diff --git a/crypto/dh/dh_lib.c b/crypto/dh/dh_lib.c index e02ce74..446bc65 100644 --- a/crypto/dh/dh_lib.c +++ b/crypto/dh/dh_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dh_lib.c,v 1.30 2018/02/22 16:41:04 jsing Exp $ */ +/* $OpenBSD: dh_lib.c,v 1.32 2018/05/02 15:48:38 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
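Review bot: Dropping the `BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME)` wrapper and passing `priv_key` straight to `dh->meth->bn_mod_exp` means the secret exponent no longer carries the constant-time flag into the method. That is harmless if the default `dh_bn_mod_exp` (outside this hunk) already calls a `_ct` exponentiation unconditionally, but a third-party DH_METHOD or ENGINE that picks its code path from BN_FLG_CONSTTIME now exponentiates the private key in variable time. Either confirm the default method is constant-time and record that at the call, `/* bn_mod_exp must be constant-time: priv_key is secret */`, or keep the flagged copy.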
@@ -98,10 +98,8 @@ DH_set_method(DH *dh, const DH_METHOD *meth) if (mtmp->finish) mtmp->finish(dh); #ifndef OPENSSL_NO_ENGINE - if (dh->engine) { - ENGINE_finish(dh->engine); - dh->engine = NULL; - } + ENGINE_finish(dh->engine); + dh->engine = NULL; #endif dh->meth = meth; if (meth->init) @@ -139,7 +137,7 @@ DH_new_method(ENGINE *engine) ret->engine = ENGINE_get_default_DH(); if(ret->engine) { ret->meth = ENGINE_get_DH(ret->engine); - if (!ret->meth) { + if (ret->meth == NULL) { DHerror(ERR_R_ENGINE_LIB); ENGINE_finish(ret->engine); free(ret); @@ -166,8 +164,7 @@ DH_new_method(ENGINE *engine) CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data); if (ret->meth->init != NULL && !ret->meth->init(ret)) { #ifndef OPENSSL_NO_ENGINE - if (ret->engine) - ENGINE_finish(ret->engine); + ENGINE_finish(ret->engine); #endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, ret, &ret->ex_data); free(ret); @@ -190,8 +187,7 @@ DH_free(DH *r) if (r->meth->finish) r->meth->finish(r); #ifndef OPENSSL_NO_ENGINE - if (r->engine) - ENGINE_finish(r->engine); + ENGINE_finish(r->engine); #endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DH, r, &r->ex_data); @@ -298,10 +294,6 @@ DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) { - if ((dh->pub_key == NULL && pub_key == NULL) || - (dh->priv_key == NULL && priv_key == NULL)) - return 0; - if (pub_key != NULL) { BN_free(dh->pub_key); dh->pub_key = pub_key; diff --git a/crypto/dsa/dsa_ameth.c b/crypto/dsa/dsa_ameth.c index 92f543d..cfb3323 100644 --- a/crypto/dsa/dsa_ameth.c +++ b/crypto/dsa/dsa_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_ameth.c,v 1.23 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: dsa_ameth.c,v 1.28 2019/11/01 15:15:35 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -62,6 +62,7 @@ #include #include +#include #include #include #include 
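Review bot: With the guard in DH_set0_key removed, a call such as `DH_set0_key(dh, NULL, priv)` on a fresh DH now succeeds and leaves `dh->pub_key` NULL, which the old code rejected; that is the usual contract (generate_key derives the public value later), but callers that go straight to compute_key or DH_check_pub_key must now tolerate a NULL pub_key, and whether those paths do is not visible here. Document the contract above the function: `/* Either argument may be NULL to leave the existing value untouched; the key need not be complete afterwards. */`. The ENGINE_finish changes in this file rely on ENGINE_finish(NULL) being a no-op, which is presumably true of the updated engine code but is not shown.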
@@ -75,8 +76,8 @@ dsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) const unsigned char *p, *pm; int pklen, pmlen; int ptype; - void *pval; - ASN1_STRING *pstr; + const void *pval; + const ASN1_STRING *pstr; X509_ALGOR *palg; ASN1_INTEGER *public_key = NULL; @@ -179,14 +180,14 @@ err: * AlgorithmIdentifier the pubkey must be recalculated. */ static int -dsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) +dsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) { const unsigned char *p, *pm; int pklen, pmlen; int ptype; - void *pval; - ASN1_STRING *pstr; - X509_ALGOR *palg; + const void *pval; + const ASN1_STRING *pstr; + const X509_ALGOR *palg; ASN1_INTEGER *privkey = NULL; BN_CTX *ctx = NULL; DSA *dsa = NULL; @@ -515,7 +516,7 @@ old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) * Check that q is not a composite number. */ - if (BN_is_prime_ex(dsa->q, BN_prime_checks, ctx, NULL) == 0) { + if (BN_is_prime_ex(dsa->q, BN_prime_checks, ctx, NULL) <= 0) { DSAerror(DSA_R_BAD_Q_VALUE); goto err; } @@ -525,7 +526,7 @@ old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) EVP_PKEY_assign_DSA(pkey, dsa); return 1; -err: + err: BN_CTX_free(ctx); DSA_free(dsa); return 0; @@ -604,6 +605,29 @@ dsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) } return 1; +#ifndef OPENSSL_NO_CMS + case ASN1_PKEY_CTRL_CMS_SIGN: + if (arg1 == 0) { + int snid, hnid; + X509_ALGOR *alg1, *alg2; + + CMS_SignerInfo_get0_algs(arg2, NULL, NULL, &alg1, &alg2); + if (alg1 == NULL || alg1->algorithm == NULL) + return -1; + hnid = OBJ_obj2nid(alg1->algorithm); + if (hnid == NID_undef) + return -1; + if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) + return -1; + X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); + } + return 1; + + case ASN1_PKEY_CTRL_CMS_RI_TYPE: + *(int *)arg2 = CMS_RECIPINFO_NONE; + return 1; +#endif + case ASN1_PKEY_CTRL_DEFAULT_MD_NID: *(int *)arg2 = NID_sha1; return 2; 
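Review bot: In the new ASN1_PKEY_CTRL_CMS_SIGN case the result of `X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0)` is ignored, and `alg2` is never checked after `CMS_SignerInfo_get0_algs`; if alg2 is NULL or the set fails, the control returns 1 and the SignerInfo is emitted with whatever signatureAlgorithm it had before, which may be an undefined OID. Check it: `if (!X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, NULL)) return -1;`. Whether CMS_SignerInfo_get0_algs can hand back a NULL alg2 is not visible here, so a NULL check on `alg2` alongside the existing `alg1 == NULL` test is the safe reading.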
diff --git a/crypto/dsa/dsa_asn1.c b/crypto/dsa/dsa_asn1.c index aac67db..23f08bb 100644 --- a/crypto/dsa/dsa_asn1.c +++ b/crypto/dsa/dsa_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_asn1.c,v 1.21 2018/02/20 17:48:35 tb Exp $ */ +/* $OpenBSD: dsa_asn1.c,v 1.22 2018/06/14 17:03:19 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -71,13 +71,10 @@ sig_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) if (operation == ASN1_OP_NEW_PRE) { DSA_SIG *sig; - sig = malloc(sizeof(DSA_SIG)); - if (!sig) { + if ((sig = DSA_SIG_new()) == NULL) { DSAerror(ERR_R_MALLOC_FAILURE); return 0; } - sig->r = NULL; - sig->s = NULL; *pval = (ASN1_VALUE *)sig; return 2; } diff --git a/crypto/dsa/dsa_key.c b/crypto/dsa/dsa_key.c index cb95e13..a0487e9 100644 --- a/crypto/dsa/dsa_key.c +++ b/crypto/dsa/dsa_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_key.c,v 1.23 2017/01/21 09:38:59 beck Exp $ */ +/* $OpenBSD: dsa_key.c,v 1.29 2018/11/09 23:45:19 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -87,40 +87,30 @@ dsa_builtin_keygen(DSA *dsa) if ((ctx = BN_CTX_new()) == NULL) goto err; - if (dsa->priv_key == NULL) { + if ((priv_key = dsa->priv_key) == NULL) { if ((priv_key = BN_new()) == NULL) goto err; - } else - priv_key=dsa->priv_key; + } - do { - if (!BN_rand_range(priv_key, dsa->q)) - goto err; - } while (BN_is_zero(priv_key)); + if (!bn_rand_interval(priv_key, BN_value_one(), dsa->q)) + goto err; - if (dsa->pub_key == NULL) { + if ((pub_key = dsa->pub_key) == NULL) { if ((pub_key = BN_new()) == NULL) goto err; - } else - pub_key=dsa->pub_key; - - { - BIGNUM prk; - - BN_with_flags(&prk, priv_key, BN_FLG_CONSTTIME); - - if (!BN_mod_exp_ct(pub_key, dsa->g, &prk, dsa->p, ctx)) - goto err; } + + if (!BN_mod_exp_ct(pub_key, dsa->g, priv_key, dsa->p, ctx)) + goto err; dsa->priv_key = priv_key; dsa->pub_key = pub_key; ok = 1; -err: - if (pub_key != NULL && dsa->pub_key == NULL) + err: + if (dsa->pub_key == NULL) BN_free(pub_key); - if (priv_key != NULL && dsa->priv_key == NULL) + if (dsa->priv_key == NULL) BN_free(priv_key); BN_CTX_free(ctx); return ok; diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c index 8190d07..d5fdd6e 100644 --- a/crypto/dsa/dsa_lib.c +++ b/crypto/dsa/dsa_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_lib.c,v 1.28 2018/02/20 17:52:27 tb Exp $ */ +/* $OpenBSD: dsa_lib.c,v 1.29 2018/04/14 07:09:21 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -108,10 +108,8 @@ DSA_set_method(DSA *dsa, const DSA_METHOD *meth) if (mtmp->finish) mtmp->finish(dsa); #ifndef OPENSSL_NO_ENGINE - if (dsa->engine) { - ENGINE_finish(dsa->engine); - dsa->engine = NULL; - } + ENGINE_finish(dsa->engine); + dsa->engine = NULL; #endif dsa->meth = meth; if (meth->init) 
@@ -142,7 +140,7 @@ DSA_new_method(ENGINE *engine) ret->engine = ENGINE_get_default_DSA(); if (ret->engine) { ret->meth = ENGINE_get_DSA(ret->engine); - if (!ret->meth) { + if (ret->meth == NULL) { DSAerror(ERR_R_ENGINE_LIB); ENGINE_finish(ret->engine); free(ret); @@ -170,8 +168,7 @@ DSA_new_method(ENGINE *engine) CRYPTO_new_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data); if (ret->meth->init != NULL && !ret->meth->init(ret)) { #ifndef OPENSSL_NO_ENGINE - if (ret->engine) - ENGINE_finish(ret->engine); + ENGINE_finish(ret->engine); #endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, ret, &ret->ex_data); free(ret); @@ -196,8 +193,7 @@ DSA_free(DSA *r) if (r->meth->finish) r->meth->finish(r); #ifndef OPENSSL_NO_ENGINE - if (r->engine) - ENGINE_finish(r->engine); + ENGINE_finish(r->engine); #endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_DSA, r, &r->ex_data); diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c index f1013fe..ecf2662 100644 --- a/crypto/dsa/dsa_ossl.c +++ b/crypto/dsa/dsa_ossl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_ossl.c,v 1.30 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: dsa_ossl.c,v 1.42 2019/06/04 18:12:26 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -70,9 +70,9 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, - BIGNUM **rp); + BIGNUM **rp); static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, - DSA *dsa); + DSA *dsa); static int dsa_init(DSA *dsa); static int dsa_finish(DSA *dsa); @@ -82,7 +82,7 @@ static DSA_METHOD openssl_dsa_meth = { .dsa_sign_setup = dsa_sign_setup, .dsa_do_verify = dsa_do_verify, .init = dsa_init, - .finish = dsa_finish + .finish = dsa_finish, }; const DSA_METHOD * 
@@ -94,16 +94,17 @@ DSA_OpenSSL(void) static DSA_SIG * dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) { - BIGNUM *kinv = NULL, *r = NULL, *s = NULL; - BIGNUM m; - BIGNUM xr; + BIGNUM b, bm, bxr, binv, m, *kinv = NULL, *r = NULL, *s = NULL; BN_CTX *ctx = NULL; int reason = ERR_R_BN_LIB; DSA_SIG *ret = NULL; int noredo = 0; + BN_init(&b); + BN_init(&binv); + BN_init(&bm); + BN_init(&bxr); BN_init(&m); - BN_init(&xr); if (!dsa->p || !dsa->q || !dsa->g) { reason = DSA_R_MISSING_PARAMETERS; @@ -116,7 +117,18 @@ dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa) ctx = BN_CTX_new(); if (ctx == NULL) goto err; -redo: + + /* + * If the digest length is greater than N (the bit length of q), the + * leftmost N bits of the digest shall be used, see FIPS 186-3, 4.2. + * In this case the digest length is given in bytes. + */ + if (dlen > BN_num_bytes(dsa->q)) + dlen = BN_num_bytes(dsa->q); + if (BN_bin2bn(dgst, dlen, &m) == NULL) + goto err; + + redo: if (dsa->kinv == NULL || dsa->r == NULL) { if (!DSA_sign_setup(dsa, ctx, &kinv, &r)) goto err; 
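Review bot: The digest truncation moved ahead of `redo:` cuts `dlen` to `BN_num_bytes(dsa->q)`, i.e. whole bytes, whereas the cited FIPS 186-3 4.2 rule is about the leftmost N bits; the two agree only when N is a multiple of 8. dsa_do_verify enforces that (`i != 160 && i != 224 && i != 256`, visible further down in this diff) but the signing path has no such check, so a non-FIPS q is only caught at verification time. Either add the same size check here or state the assumption in the new comment, e.g. `/* FIPS 186-3 permits only q sizes that are multiples of 8, so byte truncation equals bit truncation. */`. A negative `dlen` also passes the `>` comparison and reaches `BN_bin2bn`; `if (dlen < 0) goto err;` would reject it cheaply.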
@@ -128,34 +140,39 @@ redo: noredo = 1; } - /* - * If the digest length is greater than the size of q use the - * BN_num_bits(dsa->q) leftmost bits of the digest, see - * fips 186-3, 4.2 + * Compute: + * + * s = inv(k)(m + xr) mod q + * + * In order to reduce the possibility of a side-channel attack, the + * following is calculated using a blinding value: + * + * s = inv(b)(bm + bxr)inv(k) mod q + * + * Where b is a random value in the range [1, q). */ - if (dlen > BN_num_bytes(dsa->q)) - dlen = BN_num_bytes(dsa->q); - if (BN_bin2bn(dgst,dlen,&m) == NULL) + if (!bn_rand_interval(&b, BN_value_one(), dsa->q)) + goto err; + if (BN_mod_inverse_ct(&binv, &b, dsa->q, ctx) == NULL) goto err; - /* Compute s = inv(k) (m + xr) mod q */ - if (!BN_mod_mul(&xr, dsa->priv_key, r, dsa->q, ctx)) /* s = xr */ + if (!BN_mod_mul(&bxr, &b, dsa->priv_key, dsa->q, ctx)) /* bx */ goto err; - if (!BN_add(s, &xr, &m)) /* s = m + xr */ + if (!BN_mod_mul(&bxr, &bxr, r, dsa->q, ctx)) /* bxr */ goto err; - if (BN_cmp(s, dsa->q) > 0) - if (!BN_sub(s, s, dsa->q)) - goto err; - if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) + if (!BN_mod_mul(&bm, &b, &m, dsa->q, ctx)) /* bm */ + goto err; + if (!BN_mod_add(s, &bxr, &bm, dsa->q, ctx)) /* s = bm + bxr */ + goto err; + if (!BN_mod_mul(s, s, kinv, dsa->q, ctx)) /* s = b(m + xr)k^-1 */ + goto err; + if (!BN_mod_mul(s, s, &binv, dsa->q, ctx)) /* s = (m + xr)k^-1 */ goto err; - ret = DSA_SIG_new(); - if (ret == NULL) - goto err; /* - * Redo if r or s is zero as required by FIPS 186-3: this is - * very unlikely. + * Redo if r or s is zero as required by FIPS 186-3: this is very + * unlikely. */ if (BN_is_zero(r) || BN_is_zero(s)) { if (noredo) { 
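Review bot: The new blinding comment gives the formula but not its preconditions: `BN_mod_inverse_ct(&binv, &b, dsa->q, ctx)` can only succeed because b is drawn from [1, q) and q is expected to be prime, and the blinding is presumably there because the `BN_mod_mul` calls that touch `priv_key` and `kinv` are not constant-time. Adding ` * Requires q prime so that b is invertible; a failed inverse is reported as an error rather than retried.` to the comment block would make the design intent checkable by the next reader. The enclosing function continues beyond this hunk.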
@@ -164,19 +181,28 @@ redo: } goto redo; } + + if ((ret = DSA_SIG_new()) == NULL) { + reason = ERR_R_MALLOC_FAILURE; + goto err; + } ret->r = r; ret->s = s; -err: + err: if (!ret) { DSAerror(reason); BN_free(r); BN_free(s); } BN_CTX_free(ctx); + BN_clear_free(&b); + BN_clear_free(&bm); + BN_clear_free(&bxr); + BN_clear_free(&binv); BN_clear_free(&m); - BN_clear_free(&xr); BN_clear_free(kinv); + return ret; } @@ -184,8 +210,8 @@ static int dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { BN_CTX *ctx; - BIGNUM k, *kinv = NULL, *r = NULL; - int ret = 0; + BIGNUM k, l, m, *kinv = NULL, *r = NULL; + int q_bits, ret = 0; if (!dsa->p || !dsa->q || !dsa->g) { DSAerror(DSA_R_MISSING_PARAMETERS); @@ -193,6 +219,8 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) } BN_init(&k); + BN_init(&l); + BN_init(&m); if (ctx_in == NULL) { if ((ctx = BN_CTX_new()) == NULL) @@ -203,11 +231,15 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) if ((r = BN_new()) == NULL) goto err; - /* Get random k */ - do { - if (!BN_rand_range(&k, dsa->q)) - goto err; - } while (BN_is_zero(&k)); + /* Preallocate space */ + q_bits = BN_num_bits(dsa->q); + if (!BN_set_bit(&k, q_bits) || + !BN_set_bit(&l, q_bits) || + !BN_set_bit(&m, q_bits)) + goto err; + + if (!bn_rand_interval(&k, BN_value_one(), dsa->q)) + goto err; BN_set_flags(&k, BN_FLG_CONSTTIME); 
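Review bot: `/* Preallocate space */` in the dsa_sign_setup hunk says what but not why: setting bit `q_bits` in k, l and m before the random draw presumably ensures the later `BN_add` and `BN_copy` operate on already-sized BIGNUMs so no k-dependent reallocation occurs, the same timing concern the fixed-length-exponent comment in the next hunk addresses. Suggest `/* Preallocate k, l and m to q_bits+1 bits so the additions below never reallocate based on the value of k. */`. This also relies on `bn_rand_interval` not shrinking k's allocation when it writes the random value; worth confirming against its implementation, as it is not visible here.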
@@ -221,30 +253,33 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) /* * We do not want timing information to leak the length of k, - * so we compute g^k using an equivalent exponent of fixed - * length. + * so we compute G^k using an equivalent exponent of fixed + * bit-length. * - * (This is a kludge that we need because the BN_mod_exp_mont() - * does not let us specify the desired timing behaviour.) + * We unconditionally perform both of these additions to prevent a + * small timing information leakage. We then choose the sum that is + * one bit longer than the modulus. + * + * TODO: revisit the BN_copy aiming for a memory access agnostic + * conditional copy. */ - if (!BN_add(&k, &k, dsa->q)) + if (!BN_add(&l, &k, dsa->q) || + !BN_add(&m, &l, dsa->q) || + !BN_copy(&k, BN_num_bits(&l) > q_bits ? &l : &m)) goto err; - if (BN_num_bits(&k) <= BN_num_bits(dsa->q)) { - if (!BN_add(&k, &k, dsa->q)) - goto err; - } if (dsa->meth->bn_mod_exp != NULL) { if (!dsa->meth->bn_mod_exp(dsa, r, dsa->g, &k, dsa->p, ctx, - dsa->method_mont_p)) + dsa->method_mont_p)) goto err; } else { - if (!BN_mod_exp_mont_ct(r, dsa->g, &k, dsa->p, ctx, dsa->method_mont_p)) + if (!BN_mod_exp_mont_ct(r, dsa->g, &k, dsa->p, ctx, + dsa->method_mont_p)) goto err; } - if (!BN_mod_ct(r,r,dsa->q,ctx)) + if (!BN_mod_ct(r, r, dsa->q, ctx)) goto err; /* Compute part of 's = inv(k) (m + xr) mod q' */ @@ -256,8 +291,10 @@ dsa_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) kinv = NULL; BN_clear_free(*rp); *rp = r; + ret = 1; -err: + + err: if (!ret) { DSAerror(ERR_R_BN_LIB); BN_clear_free(r); @@ -265,6 +302,9 @@ err: if (ctx_in == NULL) BN_CTX_free(ctx); BN_clear_free(&k); + BN_clear_free(&l); + BN_clear_free(&m); + return ret; } 
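Review bot: The TODO only flags the `BN_copy`, but the selector `BN_num_bits(&l) > q_bits ? &l : &m` is itself a branch on a secret: whether k + q overflowed q_bits bits depends on k, so the branch leaks through the same channel the two unconditional additions were introduced to close. A constant-time select — derive a mask from the comparison and copy through it, in the spirit of the `BN_swap_ct` calls elsewhere in this diff — would be the complete fix; until then the comment should read `TODO: both the length comparison and the BN_copy are k-dependent; replace with a memory-access-agnostic conditional copy/select.`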
@@ -282,7 +322,7 @@ dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) } i = BN_num_bits(dsa->q); - /* fips 186-3 allows only different sizes for q */ + /* FIPS 186-3 allows only three different sizes for q. */ if (i != 160 && i != 224 && i != 256) { DSAerror(DSA_R_BAD_Q_VALUE); return -1; @@ -310,23 +350,22 @@ dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) goto err; } - /* Calculate W = inv(S) mod Q - * save W in u2 */ + /* Calculate w = inv(s) mod q, saving w in u2. */ if ((BN_mod_inverse_ct(&u2, sig->s, dsa->q, ctx)) == NULL) goto err; - /* save M in u1 */ /* * If the digest length is greater than the size of q use the - * BN_num_bits(dsa->q) leftmost bits of the digest, see - * fips 186-3, 4.2 + * BN_num_bits(dsa->q) leftmost bits of the digest, see FIPS 186-3, 4.2. */ if (dgst_len > (i >> 3)) dgst_len = (i >> 3); + + /* Save m in u1. */ if (BN_bin2bn(dgst, dgst_len, &u1) == NULL) goto err; - /* u1 = M * w mod q */ + /* u1 = m * w mod q */ if (!BN_mod_mul(&u1, &u1, &u2, dsa->q, ctx)) goto err; @@ -334,7 +373,6 @@ dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) if (!BN_mod_mul(&u2, sig->r, &u2, dsa->q, ctx)) goto err; - if (dsa->flags & DSA_FLAG_CACHE_MONT_P) { mont = BN_MONT_CTX_set_locked(&dsa->method_mont_p, CRYPTO_LOCK_DSA, dsa->p, ctx); @@ -343,12 +381,12 @@ dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) } if (dsa->meth->dsa_mod_exp != NULL) { - if (!dsa->meth->dsa_mod_exp(dsa, &t1, dsa->g, &u1, dsa->pub_key, &u2, - dsa->p, ctx, mont)) + if (!dsa->meth->dsa_mod_exp(dsa, &t1, dsa->g, &u1, dsa->pub_key, + &u2, dsa->p, ctx, mont)) goto err; } else { - if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, dsa->p, ctx, - mont)) + if (!BN_mod_exp2_mont(&t1, dsa->g, &u1, dsa->pub_key, &u2, + dsa->p, ctx, mont)) goto err; } 
@@ -357,17 +395,17 @@ dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa) if (!BN_mod_ct(&u1, &t1, dsa->q, ctx)) goto err; - /* V is now in u1. If the signature is correct, it will be - * equal to R. */ + /* v is in u1 - if the signature is correct, it will be equal to r. */ ret = BN_ucmp(&u1, sig->r) == 0; -err: + err: if (ret < 0) DSAerror(ERR_R_BN_LIB); BN_CTX_free(ctx); BN_free(&u1); BN_free(&u2); BN_free(&t1); + return ret; } diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c index 780b070..dd0da34 100644 --- a/crypto/dsa/dsa_pmeth.c +++ b/crypto/dsa/dsa_pmeth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_pmeth.c,v 1.11 2017/01/29 17:49:22 beck Exp $ */ +/* $OpenBSD: dsa_pmeth.c,v 1.12 2019/09/09 18:06:25 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -214,6 +214,10 @@ pkey_dsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) dctx->md = p2; return 1; + case EVP_PKEY_CTRL_GET_MD: + *(const EVP_MD **)p2 = dctx->md; + return 1; + case EVP_PKEY_CTRL_DIGESTINIT: case EVP_PKEY_CTRL_PKCS7_SIGN: case EVP_PKEY_CTRL_CMS_SIGN: diff --git a/crypto/dsa/dsa_sign.c b/crypto/dsa/dsa_sign.c index 355bdd2..0f55ea1 100644 --- a/crypto/dsa/dsa_sign.c +++ b/crypto/dsa/dsa_sign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_sign.c,v 1.19 2014/10/18 17:20:40 jsing Exp $ */ +/* $OpenBSD: dsa_sign.c,v 1.20 2018/06/14 17:01:49 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -76,20 +76,13 @@ DSA_sign_setup(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) DSA_SIG * DSA_SIG_new(void) { - DSA_SIG *sig; - - sig = malloc(sizeof(DSA_SIG)); - if (!sig) - return NULL; - sig->r = NULL; - sig->s = NULL; - return sig; + return calloc(1, sizeof(DSA_SIG)); } void DSA_SIG_free(DSA_SIG *sig) { - if (sig) { + if (sig != NULL) { BN_free(sig->r); BN_free(sig->s); free(sig); diff --git a/crypto/dso/dso_lib.c b/crypto/dso/dso_lib.c index 7902fbc..6dc9880 100644 
--- a/crypto/dso/dso_lib.c +++ b/crypto/dso/dso_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dso_lib.c,v 1.19 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: dso_lib.c,v 1.20 2018/08/24 19:27:01 tb Exp $ */ /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL * project 2000. */ @@ -174,13 +174,15 @@ DSO_flags(DSO *dso) int DSO_up_ref(DSO *dso) { + int refs; + if (dso == NULL) { DSOerror(ERR_R_PASSED_NULL_PARAMETER); return (0); } - CRYPTO_add(&dso->references, 1, CRYPTO_LOCK_DSO); - return (1); + refs = CRYPTO_add(&dso->references, 1, CRYPTO_LOCK_DSO); + return ((refs > 1) ? 1 : 0); } DSO * diff --git a/crypto/ec/ec2_mult.c b/crypto/ec/ec2_mult.c index 1c8bb18..3e5d1dc 100644 --- a/crypto/ec/ec2_mult.c +++ b/crypto/ec/ec2_mult.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec2_mult.c,v 1.9 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ec2_mult.c,v 1.13 2018/07/23 18:24:22 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -71,6 +71,7 @@ #include +#include "bn_lcl.h" #include "ec_lcl.h" #ifndef OPENSSL_NO_EC2M @@ -111,7 +112,7 @@ gf2m_Mdouble(const EC_GROUP *group, BIGNUM *x, BIGNUM *z, BN_CTX *ctx) ret = 1; -err: + err: BN_CTX_end(ctx); return ret; } @@ -155,7 +156,7 @@ gf2m_Madd(const EC_GROUP *group, const BIGNUM *x, BIGNUM *x1, BIGNUM *z1, ret = 1; -err: + err: BN_CTX_end(ctx); return ret; } @@ -243,7 +244,7 @@ gf2m_Mxy(const EC_GROUP *group, const BIGNUM *x, const BIGNUM *y, BIGNUM *x1, ret = 2; -err: + err: BN_CTX_end(ctx); return ret; } 
@@ -324,14 +325,18 @@ ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, for (; i >= 0; i--) { word = scalar->d[i]; while (mask) { - BN_consttime_swap(word & mask, x1, x2, group->field.top); - BN_consttime_swap(word & mask, z1, z2, group->field.top); + if (!BN_swap_ct(word & mask, x1, x2, group->field.top)) + goto err; + if (!BN_swap_ct(word & mask, z1, z2, group->field.top)) + goto err; if (!gf2m_Madd(group, &point->X, x2, z2, x1, z1, ctx)) goto err; if (!gf2m_Mdouble(group, x1, z1, ctx)) goto err; - BN_consttime_swap(word & mask, x1, x2, group->field.top); - BN_consttime_swap(word & mask, z1, z2, group->field.top); + if (!BN_swap_ct(word & mask, x1, x2, group->field.top)) + goto err; + if (!BN_swap_ct(word & mask, z1, z2, group->field.top)) + goto err; mask >>= 1; } mask = BN_TBIT; @@ -356,7 +361,7 @@ ec_GF2m_montgomery_point_multiply(const EC_GROUP *group, EC_POINT *r, ret = 1; -err: + err: BN_CTX_end(ctx); return ret; } @@ -424,7 +429,7 @@ ec_GF2m_simple_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, ret = 1; -err: + err: EC_POINT_free(p); EC_POINT_free(acc); BN_CTX_free(new_ctx); diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c index f434d72..268eccf 100644 --- a/crypto/ec/ec2_oct.c +++ b/crypto/ec/ec2_oct.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec2_oct.c,v 1.8 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ec2_oct.c,v 1.11 2018/07/15 16:27:39 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -157,7 +157,7 @@ ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, EC_POINT *point ret = 1; -err: + err: BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; @@ -272,7 +272,7 @@ ec_GF2m_simple_point2oct(const EC_GROUP *group, const EC_POINT *point, BN_CTX_free(new_ctx); return ret; -err: + err: if (used_ctx) BN_CTX_end(ctx); BN_CTX_free(new_ctx); 
@@ -374,7 +374,7 @@ ec_GF2m_simple_oct2point(const EC_GROUP *group, EC_POINT *point, } ret = 1; -err: + err: BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; diff --git a/crypto/ec/ec2_smpl.c b/crypto/ec/ec2_smpl.c index 6157599..936cee4 100644 --- a/crypto/ec/ec2_smpl.c +++ b/crypto/ec/ec2_smpl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec2_smpl.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ec2_smpl.c,v 1.21 2018/11/05 20:18:21 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -107,18 +107,15 @@ EC_GF2m_simple_method(void) .point_cmp = ec_GF2m_simple_cmp, .make_affine = ec_GF2m_simple_make_affine, .points_make_affine = ec_GF2m_simple_points_make_affine, - - /* - * the following three method functions are defined in - * ec2_mult.c - */ - .mul = ec_GF2m_simple_mul, + .mul_generator_ct = ec_GFp_simple_mul_generator_ct, + .mul_single_ct = ec_GFp_simple_mul_single_ct, + .mul_double_nonct = ec_GFp_simple_mul_double_nonct, .precompute_mult = ec_GF2m_precompute_mult, .have_precompute_mult = ec_GF2m_have_precompute_mult, - .field_mul = ec_GF2m_simple_field_mul, .field_sqr = ec_GF2m_simple_field_sqr, .field_div = ec_GF2m_simple_field_div, + .blind_coordinates = NULL, }; return &ret; @@ -232,7 +229,7 @@ ec_GF2m_simple_group_set_curve(EC_GROUP * group, group->b.d[i] = 0; ret = 1; -err: + err: return ret; } @@ -260,7 +257,7 @@ ec_GF2m_simple_group_get_curve(const EC_GROUP *group, } ret = 1; -err: + err: return ret; } @@ -306,7 +303,7 @@ ec_GF2m_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx) ret = 1; -err: + err: if (ctx != NULL) BN_CTX_end(ctx); BN_CTX_free(new_ctx); @@ -398,7 +395,7 @@ ec_GF2m_simple_point_set_affine_coordinates(const EC_GROUP * group, EC_POINT * p point->Z_is_one = 1; ret = 1; -err: + err: return ret; } @@ -432,7 +429,7 @@ ec_GF2m_simple_point_get_affine_coordinates(const EC_GROUP *group, } ret = 1; -err: + err: return ret; } 
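Review bot: `EC_GF2m_simple_method` now points `.mul_generator_ct`, `.mul_single_ct` and `.mul_double_nonct` at `ec_GFp_simple_*` functions and drops the comment that used to say where the multiplication routines live, leaving a reader of the GF(2^m) method to guess that those GFp-named routines are field-agnostic wrappers — worth confirming and documenting, e.g. `/* The ec_GFp_simple_mul_* wrappers dispatch through the group's generic scalar multiplication and are field-agnostic. */`. `.blind_coordinates = NULL` likewise deserves a note on why coordinate blinding is not provided for binary curves. With `.mul = ec_GF2m_simple_mul` removed, `ec_GF2m_simple_mul` in ec2_mult.c (touched earlier in this diff) may now be unreferenced; check whether it still has a user.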
@@ -549,7 +546,7 @@ ec_GF2m_simple_add(const EC_GROUP *group, EC_POINT *r, const EC_POINT *a, ret = 1; -err: + err: BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; @@ -641,7 +638,7 @@ ec_GF2m_simple_is_on_curve(const EC_GROUP *group, const EC_POINT *point, BN_CTX if (!BN_GF2m_add(lh, lh, y2)) goto err; ret = BN_is_zero(lh); -err: + err: if (ctx) BN_CTX_end(ctx); BN_CTX_free(new_ctx); @@ -693,7 +690,7 @@ ec_GF2m_simple_cmp(const EC_GROUP *group, const EC_POINT *a, goto err; ret = ((BN_cmp(aX, bX) == 0) && BN_cmp(aY, bY) == 0) ? 0 : 1; -err: + err: if (ctx) BN_CTX_end(ctx); BN_CTX_free(new_ctx); @@ -734,7 +731,7 @@ ec_GF2m_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ct ret = 1; -err: + err: if (ctx) BN_CTX_end(ctx); BN_CTX_free(new_ctx); diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c index 0932f1e..2e73bdd 100644 --- a/crypto/ec/ec_ameth.c +++ b/crypto/ec/ec_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_ameth.c,v 1.19 2018/03/12 13:14:21 inoguchi Exp $ */ +/* $OpenBSD: ec_ameth.c,v 1.28 2019/09/09 20:26:16 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -61,13 +61,18 @@ #include #include +#include #include #include #include - #include "asn1_locl.h" +#ifndef OPENSSL_NO_CMS +static int ecdh_cms_decrypt(CMS_RecipientInfo *ri); +static int ecdh_cms_encrypt(CMS_RecipientInfo *ri); +#endif + static int eckey_param2type(int *pptype, void **ppval, EC_KEY * ec_key) { @@ -126,7 +131,7 @@ eckey_pub_encode(X509_PUBKEY * pk, const EVP_PKEY * pkey) if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_EC), ptype, pval, penc, penclen)) return 1; -err: + err: if (ptype == V_ASN1_OBJECT) ASN1_OBJECT_free(pval); else 
@@ -136,12 +141,13 @@ err: } static EC_KEY * -eckey_type2param(int ptype, void *pval) +eckey_type2param(int ptype, const void *pval) { + EC_GROUP *group = NULL; EC_KEY *eckey = NULL; if (ptype == V_ASN1_SEQUENCE) { - ASN1_STRING *pstr = pval; + const ASN1_STRING *pstr = pval; const unsigned char *pm = NULL; int pmlen; @@ -152,8 +158,7 @@ eckey_type2param(int ptype, void *pval) goto ecerr; } } else if (ptype == V_ASN1_OBJECT) { - ASN1_OBJECT *poid = pval; - EC_GROUP *group; + const ASN1_OBJECT *poid = pval; /* * type == V_ASN1_OBJECT => the parameters are given by an @@ -169,17 +174,17 @@ eckey_type2param(int ptype, void *pval) EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE); if (EC_KEY_set_group(eckey, group) == 0) goto ecerr; - EC_GROUP_free(group); } else { ECerror(EC_R_DECODE_ERROR); goto ecerr; } + EC_GROUP_free(group); return eckey; -ecerr: - if (eckey) - EC_KEY_free(eckey); + ecerr: + EC_KEY_free(eckey); + EC_GROUP_free(group); return NULL; } @@ -187,7 +192,7 @@ static int eckey_pub_decode(EVP_PKEY * pkey, X509_PUBKEY * pubkey) { const unsigned char *p = NULL; - void *pval; + const void *pval; int ptype, pklen; EC_KEY *eckey = NULL; X509_ALGOR *palg; @@ -210,7 +215,7 @@ eckey_pub_decode(EVP_PKEY * pkey, X509_PUBKEY * pubkey) EVP_PKEY_assign_EC_KEY(pkey, eckey); return 1; -ecerr: + ecerr: if (eckey) EC_KEY_free(eckey); return 0; @@ -232,13 +237,13 @@ eckey_pub_cmp(const EVP_PKEY * a, const EVP_PKEY * b) } static int -eckey_priv_decode(EVP_PKEY * pkey, PKCS8_PRIV_KEY_INFO * p8) +eckey_priv_decode(EVP_PKEY * pkey, const PKCS8_PRIV_KEY_INFO * p8) { const unsigned char *p = NULL; - void *pval; + const void *pval; int ptype, pklen; EC_KEY *eckey = NULL; - X509_ALGOR *palg; + const X509_ALGOR *palg; if (!PKCS8_pkey_get0(NULL, &p, &pklen, &palg, p8)) return 0; 
@@ -290,9 +295,9 @@ eckey_priv_decode(EVP_PKEY * pkey, PKCS8_PRIV_KEY_INFO * p8) EVP_PKEY_assign_EC_KEY(pkey, eckey); return 1; -ecliberr: + ecliberr: ECerror(ERR_R_EC_LIB); -ecerr: + ecerr: if (eckey) EC_KEY_free(eckey); return 0; @@ -483,7 +488,7 @@ do_EC_KEY_print(BIO * bp, const EC_KEY * x, int off, int ktype) if (!ECPKParameters_print(bp, group, off)) goto err; ret = 1; -err: + err: if (!ret) ECerror(reason); BN_free(pub_key); @@ -573,6 +578,36 @@ ec_pkey_ctrl(EVP_PKEY * pkey, int op, long arg1, void *arg2) } return 1; +#ifndef OPENSSL_NO_CMS + case ASN1_PKEY_CTRL_CMS_SIGN: + if (arg1 == 0) { + X509_ALGOR *alg1, *alg2; + int snid, hnid; + + CMS_SignerInfo_get0_algs(arg2, NULL, NULL, &alg1, &alg2); + if (alg1 == NULL || alg1->algorithm == NULL) + return -1; + hnid = OBJ_obj2nid(alg1->algorithm); + if (hnid == NID_undef) + return -1; + if (!OBJ_find_sigid_by_algs(&snid, hnid, EVP_PKEY_id(pkey))) + return -1; + X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0); + } + return 1; + + case ASN1_PKEY_CTRL_CMS_ENVELOPE: + if (arg1 == 0) + return ecdh_cms_encrypt(arg2); + else if (arg1 == 1) + return ecdh_cms_decrypt(arg2); + return -2; + + case ASN1_PKEY_CTRL_CMS_RI_TYPE: + *(int *)arg2 = CMS_RECIPINFO_AGREE; + return 1; +#endif + case ASN1_PKEY_CTRL_DEFAULT_MD_NID: *(int *) arg2 = NID_sha1; return 2; 
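Review bot: In the new `ASN1_PKEY_CTRL_CMS_SIGN` case the return value of `X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, 0)` is ignored, so if it fails the SignerInfo keeps whatever signature algorithm it had while the ctrl reports success. `if (alg2 == NULL || !X509_ALGOR_set0(alg2, OBJ_nid2obj(snid), V_ASN1_UNDEF, NULL)) return -1;` closes that and also covers `alg2` being absent, which is currently only checked for `alg1`. The meaning of the -1 and -2 return values in the envelope case is presumably the existing ctrl convention; a one-line comment naming it would help readers of this switch.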
@@ -584,6 +619,338 @@ ec_pkey_ctrl(EVP_PKEY * pkey, int op, long arg1, void *arg2) } +#ifndef OPENSSL_NO_CMS + +static int +ecdh_cms_set_peerkey(EVP_PKEY_CTX *pctx, X509_ALGOR *alg, + ASN1_BIT_STRING *pubkey) +{ + const ASN1_OBJECT *aoid; + int atype; + const void *aval; + int rv = 0; + EVP_PKEY *pkpeer = NULL; + EC_KEY *ecpeer = NULL; + const unsigned char *p; + int plen; + + X509_ALGOR_get0(&aoid, &atype, &aval, alg); + if (OBJ_obj2nid(aoid) != NID_X9_62_id_ecPublicKey) + goto err; + + /* If absent parameters get group from main key */ + if (atype == V_ASN1_UNDEF || atype == V_ASN1_NULL) { + const EC_GROUP *grp; + EVP_PKEY *pk; + + pk = EVP_PKEY_CTX_get0_pkey(pctx); + if (!pk) + goto err; + grp = EC_KEY_get0_group(pk->pkey.ec); + ecpeer = EC_KEY_new(); + if (ecpeer == NULL) + goto err; + if (!EC_KEY_set_group(ecpeer, grp)) + goto err; + } else { + ecpeer = eckey_type2param(atype, aval); + if (!ecpeer) + goto err; + } + + /* We have parameters now set public key */ + plen = ASN1_STRING_length(pubkey); + p = ASN1_STRING_get0_data(pubkey); + if (!p || !plen) + goto err; + if (!o2i_ECPublicKey(&ecpeer, &p, plen)) + goto err; + pkpeer = EVP_PKEY_new(); + if (pkpeer == NULL) + goto err; + EVP_PKEY_set1_EC_KEY(pkpeer, ecpeer); + if (EVP_PKEY_derive_set_peer(pctx, pkpeer) > 0) + rv = 1; + err: + EC_KEY_free(ecpeer); + EVP_PKEY_free(pkpeer); + return rv; +} + +/* Set KDF parameters based on KDF NID */ +static int +ecdh_cms_set_kdf_param(EVP_PKEY_CTX *pctx, int eckdf_nid) +{ + int kdf_nid, kdfmd_nid, cofactor; + const EVP_MD *kdf_md; + + if (eckdf_nid == NID_undef) + return 0; + + /* Lookup KDF type, cofactor mode and digest */ + if (!OBJ_find_sigid_algs(eckdf_nid, &kdfmd_nid, &kdf_nid)) + return 0; + + if (kdf_nid == NID_dh_std_kdf) + cofactor = 0; + else if (kdf_nid == NID_dh_cofactor_kdf) + cofactor = 1; + else + return 0; + + if (EVP_PKEY_CTX_set_ecdh_cofactor_mode(pctx, cofactor) <= 0) + return 0; + + if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, EVP_PKEY_ECDH_KDF_X9_63) 
<= 0) + return 0; + + kdf_md = EVP_get_digestbynid(kdfmd_nid); + if (!kdf_md) + return 0; + + if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0) + return 0; + + return 1; +} + +static int +ecdh_cms_set_shared_info(EVP_PKEY_CTX *pctx, CMS_RecipientInfo *ri) +{ + X509_ALGOR *alg, *kekalg = NULL; + ASN1_OCTET_STRING *ukm; + const unsigned char *p; + unsigned char *der = NULL; + int plen, keylen; + const EVP_CIPHER *kekcipher; + EVP_CIPHER_CTX *kekctx; + int rv = 0; + + if (!CMS_RecipientInfo_kari_get0_alg(ri, &alg, &ukm)) + return 0; + + if (!ecdh_cms_set_kdf_param(pctx, OBJ_obj2nid(alg->algorithm))) { + ECerror(EC_R_KDF_PARAMETER_ERROR); + return 0; + } + + if (alg->parameter->type != V_ASN1_SEQUENCE) + return 0; + + p = alg->parameter->value.sequence->data; + plen = alg->parameter->value.sequence->length; + kekalg = d2i_X509_ALGOR(NULL, &p, plen); + if (!kekalg) + goto err; + kekctx = CMS_RecipientInfo_kari_get0_ctx(ri); + if (!kekctx) + goto err; + kekcipher = EVP_get_cipherbyobj(kekalg->algorithm); + if (!kekcipher || EVP_CIPHER_mode(kekcipher) != EVP_CIPH_WRAP_MODE) + goto err; + if (!EVP_EncryptInit_ex(kekctx, kekcipher, NULL, NULL, NULL)) + goto err; + if (EVP_CIPHER_asn1_to_param(kekctx, kekalg->parameter) <= 0) + goto err; + + keylen = EVP_CIPHER_CTX_key_length(kekctx); + if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0) + goto err; + + plen = CMS_SharedInfo_encode(&der, kekalg, ukm, keylen); + if (!plen) + goto err; + + if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, der, plen) <= 0) + goto err; + der = NULL; + + rv = 1; + err: + X509_ALGOR_free(kekalg); + free(der); + return rv; +} + +static int +ecdh_cms_decrypt(CMS_RecipientInfo *ri) +{ + EVP_PKEY_CTX *pctx; + + pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); + if (!pctx) + return 0; + + /* See if we need to set peer key */ + if (!EVP_PKEY_CTX_get0_peerkey(pctx)) { + X509_ALGOR *alg; + ASN1_BIT_STRING *pubkey; + + if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &alg, &pubkey, + NULL, NULL, NULL)) + return 0; + 
if (!alg || !pubkey) + return 0; + if (!ecdh_cms_set_peerkey(pctx, alg, pubkey)) { + ECerror(EC_R_PEER_KEY_ERROR); + return 0; + } + } + + /* Set ECDH derivation parameters and initialise unwrap context */ + if (!ecdh_cms_set_shared_info(pctx, ri)) { + ECerror(EC_R_SHARED_INFO_ERROR); + return 0; + } + + return 1; +} + +static int +ecdh_cms_encrypt(CMS_RecipientInfo *ri) +{ + EVP_PKEY_CTX *pctx; + EVP_PKEY *pkey; + EVP_CIPHER_CTX *ctx; + int keylen; + X509_ALGOR *talg, *wrap_alg = NULL; + const ASN1_OBJECT *aoid; + ASN1_BIT_STRING *pubkey; + ASN1_STRING *wrap_str; + ASN1_OCTET_STRING *ukm; + unsigned char *penc = NULL; + int penclen; + int ecdh_nid, kdf_type, kdf_nid, wrap_nid; + const EVP_MD *kdf_md; + int rv = 0; + + pctx = CMS_RecipientInfo_get0_pkey_ctx(ri); + if (!pctx) + return 0; + /* Get ephemeral key */ + pkey = EVP_PKEY_CTX_get0_pkey(pctx); + if (!CMS_RecipientInfo_kari_get0_orig_id(ri, &talg, &pubkey, + NULL, NULL, NULL)) + goto err; + X509_ALGOR_get0(&aoid, NULL, NULL, talg); + + /* Is everything uninitialised? 
*/ + if (aoid == OBJ_nid2obj(NID_undef)) { + EC_KEY *eckey = pkey->pkey.ec; + unsigned char *p; + + /* Set the key */ + penclen = i2o_ECPublicKey(eckey, NULL); + if (penclen <= 0) + goto err; + penc = malloc(penclen); + if (penc == NULL) + goto err; + p = penc; + penclen = i2o_ECPublicKey(eckey, &p); + if (penclen <= 0) + goto err; + ASN1_STRING_set0(pubkey, penc, penclen); + pubkey->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07); + pubkey->flags |= ASN1_STRING_FLAG_BITS_LEFT; + penc = NULL; + + X509_ALGOR_set0(talg, OBJ_nid2obj(NID_X9_62_id_ecPublicKey), + V_ASN1_UNDEF, NULL); + } + + /* See if custom parameters set */ + kdf_type = EVP_PKEY_CTX_get_ecdh_kdf_type(pctx); + if (kdf_type <= 0) + goto err; + if (!EVP_PKEY_CTX_get_ecdh_kdf_md(pctx, &kdf_md)) + goto err; + ecdh_nid = EVP_PKEY_CTX_get_ecdh_cofactor_mode(pctx); + if (ecdh_nid < 0) + goto err; + else if (ecdh_nid == 0) + ecdh_nid = NID_dh_std_kdf; + else if (ecdh_nid == 1) + ecdh_nid = NID_dh_cofactor_kdf; + + if (kdf_type == EVP_PKEY_ECDH_KDF_NONE) { + kdf_type = EVP_PKEY_ECDH_KDF_X9_63; + if (EVP_PKEY_CTX_set_ecdh_kdf_type(pctx, kdf_type) <= 0) + goto err; + } else { + /* Unknown KDF */ + goto err; + } + if (kdf_md == NULL) { + /* Fixme later for better MD */ + kdf_md = EVP_sha1(); + if (EVP_PKEY_CTX_set_ecdh_kdf_md(pctx, kdf_md) <= 0) + goto err; + } + + if (!CMS_RecipientInfo_kari_get0_alg(ri, &talg, &ukm)) + goto err; + + /* Lookup NID for KDF+cofactor+digest */ + if (!OBJ_find_sigid_by_algs(&kdf_nid, EVP_MD_type(kdf_md), ecdh_nid)) + goto err; + + /* Get wrap NID */ + ctx = CMS_RecipientInfo_kari_get0_ctx(ri); + wrap_nid = EVP_CIPHER_CTX_type(ctx); + keylen = EVP_CIPHER_CTX_key_length(ctx); + + /* Package wrap algorithm in an AlgorithmIdentifier */ + + wrap_alg = X509_ALGOR_new(); + if (wrap_alg == NULL) + goto err; + wrap_alg->algorithm = OBJ_nid2obj(wrap_nid); + wrap_alg->parameter = ASN1_TYPE_new(); + if (wrap_alg->parameter == NULL) + goto err; + if (EVP_CIPHER_param_to_asn1(ctx, 
wrap_alg->parameter) <= 0) + goto err; + if (ASN1_TYPE_get(wrap_alg->parameter) == NID_undef) { + ASN1_TYPE_free(wrap_alg->parameter); + wrap_alg->parameter = NULL; + } + + if (EVP_PKEY_CTX_set_ecdh_kdf_outlen(pctx, keylen) <= 0) + goto err; + + penclen = CMS_SharedInfo_encode(&penc, wrap_alg, ukm, keylen); + if (!penclen) + goto err; + + if (EVP_PKEY_CTX_set0_ecdh_kdf_ukm(pctx, penc, penclen) <= 0) + goto err; + penc = NULL; + + /* + * Now need to wrap encoding of wrap AlgorithmIdentifier into parameter + * of another AlgorithmIdentifier. + */ + penclen = i2d_X509_ALGOR(wrap_alg, &penc); + if (!penc || !penclen) + goto err; + wrap_str = ASN1_STRING_new(); + if (wrap_str == NULL) + goto err; + ASN1_STRING_set0(wrap_str, penc, penclen); + penc = NULL; + X509_ALGOR_set0(talg, OBJ_nid2obj(kdf_nid), V_ASN1_SEQUENCE, wrap_str); + + rv = 1; + + err: + free(penc); + X509_ALGOR_free(wrap_alg); + return rv; +} + +#endif + const EVP_PKEY_ASN1_METHOD eckey_asn1_meth = { .pkey_id = EVP_PKEY_EC, .pkey_base_id = EVP_PKEY_EC, diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c index 381addf..f69dd02 100644 --- a/crypto/ec/ec_asn1.c +++ b/crypto/ec/ec_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_asn1.c,v 1.25 2018/03/12 13:14:21 inoguchi Exp $ */ +/* $OpenBSD: ec_asn1.c,v 1.31 2018/09/01 16:23:15 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -86,6 +86,7 @@ EC_GROUP_get_basis_type(const EC_GROUP * group) /* everything else is currently not supported */ return 0; } + #ifndef OPENSSL_NO_EC2M int EC_GROUP_get_trinomial_basis(const EC_GROUP * group, unsigned int *k) @@ -104,6 +105,7 @@ EC_GROUP_get_trinomial_basis(const EC_GROUP * group, unsigned int *k) return 1; } + int EC_GROUP_get_pentanomial_basis(const EC_GROUP * group, unsigned int *k1, unsigned int *k2, unsigned int *k3) 
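Review bot: In `ecdh_cms_set_shared_info`, `alg->parameter->type` is dereferenced right after the KDF lookup without checking `alg->parameter` for NULL; the KeyAgreeRecipientInfo here presumably comes from a parsed CMS message, and an AlgorithmIdentifier with absent parameters is valid DER, so a malformed message would reach a NULL dereference in the decrypt path. `if (alg->parameter == NULL || alg->parameter->type != V_ASN1_SEQUENCE) return 0;` closes it. Separately, in `ecdh_cms_encrypt` the `/* Unknown KDF */` else branch rejects every non-NONE KDF type, including `EVP_PKEY_ECDH_KDF_X9_63`, the one the function itself installs, so a caller that configured the X9.63 KDF explicitly fails; `} else if (kdf_type != EVP_PKEY_ECDH_KDF_X9_63) goto err;` matches what the comment intends. `pkey = EVP_PKEY_CTX_get0_pkey(pctx)` in that function is also used (`pkey->pkey.ec`) without a NULL check, unlike the matching lookup in `ecdh_cms_set_peerkey`.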
@@ -128,7 +130,6 @@ EC_GROUP_get_pentanomial_basis(const EC_GROUP * group, unsigned int *k1, } #endif - /* some structures needed for the asn1 encoding */ typedef struct x9_62_pentanomial_st { long k1; @@ -334,6 +335,7 @@ const ASN1_ITEM X9_62_CHARACTERISTIC_TWO_it = { .size = sizeof(X9_62_CHARACTERISTIC_TWO), .sname = "X9_62_CHARACTERISTIC_TWO", }; + X9_62_CHARACTERISTIC_TWO *X9_62_CHARACTERISTIC_TWO_new(void); void X9_62_CHARACTERISTIC_TWO_free(X9_62_CHARACTERISTIC_TWO *a); @@ -348,6 +350,7 @@ X9_62_CHARACTERISTIC_TWO_free(X9_62_CHARACTERISTIC_TWO *a) { ASN1_item_free((ASN1_VALUE *)a, &X9_62_CHARACTERISTIC_TWO_it); } + static const ASN1_TEMPLATE fieldID_def_tt = { .flags = 0, .tag = 0, @@ -506,6 +509,7 @@ const ASN1_ITEM ECPARAMETERS_it = { .size = sizeof(ECPARAMETERS), .sname = "ECPARAMETERS", }; + ECPARAMETERS *ECPARAMETERS_new(void); void ECPARAMETERS_free(ECPARAMETERS *a); @@ -655,6 +659,7 @@ EC_PRIVATEKEY_free(EC_PRIVATEKEY *a) { ASN1_item_free((ASN1_VALUE *)a, &EC_PRIVATEKEY_it); } + /* some declarations of internal function */ /* ec_asn1_group2field() sets the values in a X9_62_FIELDID object */ @@ -675,7 +680,6 @@ static EC_GROUP *ec_asn1_pkparameters2group(const ECPKPARAMETERS *); static ECPKPARAMETERS *ec_asn1_group2pkparameters(const EC_GROUP *, ECPKPARAMETERS *); - /* the function definitions */ static int @@ -789,7 +793,7 @@ ec_asn1_group2fieldid(const EC_GROUP * group, X9_62_FIELDID * field) ok = 1; -err: + err: BN_free(tmp); return (ok); } @@ -892,7 +896,7 @@ ec_asn1_group2curve(const EC_GROUP * group, X9_62_CURVE * curve) ok = 1; -err: + err: free(buffer_1); free(buffer_2); BN_free(tmp_1); @@ -984,7 +988,8 @@ ec_asn1_group2parameters(const EC_GROUP * group, ECPARAMETERS * param) } ok = 1; -err: if (!ok) { + err: + if (!ok) { if (ret && !param) ECPARAMETERS_free(ret); ret = NULL; @@ -1240,7 +1245,8 @@ ec_asn1_parameters2group(const ECPARAMETERS * params) } ok = 1; -err: if (!ok) { + err: + if (!ok) { EC_GROUP_clear_free(ret); ret = NULL; } 
@@ -1308,7 +1314,7 @@ d2i_ECPKParameters(EC_GROUP ** a, const unsigned char **in, long len) *a = group; } -err: + err: ECPKPARAMETERS_free(params); return (group); } @@ -1421,7 +1427,7 @@ d2i_ECPrivateKey(EC_KEY ** a, const unsigned char **in, long len) *a = ret; return (ret); -err: + err: if (a == NULL || *a != ret) EC_KEY_free(ret); if (priv_key) @@ -1506,7 +1512,7 @@ i2d_ECPrivateKey(EC_KEY * a, unsigned char **out) goto err; } ok = 1; -err: + err: free(buffer); if (priv_key) EC_PRIVATEKEY_free(priv_key); @@ -1558,10 +1564,7 @@ o2i_ECPublicKey(EC_KEY ** a, const unsigned char **in, long len) EC_KEY *ret = NULL; if (a == NULL || (*a) == NULL || (*a)->group == NULL) { - /* - * sorry, but a EC_GROUP-structur is necessary to set the - * public key - */ + /* An EC_GROUP structure is necessary to set the public key. */ ECerror(ERR_R_PASSED_NULL_PARAMETER); return 0; } @@ -1582,7 +1585,7 @@ o2i_ECPublicKey(EC_KEY ** a, const unsigned char **in, long len) } int -i2o_ECPublicKey(EC_KEY * a, unsigned char **out) +i2o_ECPublicKey(const EC_KEY * a, unsigned char **out) { size_t buf_len = 0; int new_buffer = 0; diff --git a/crypto/ec/ec_check.c b/crypto/ec/ec_check.c index bbb0349..dcca661 100644 --- a/crypto/ec/ec_check.c +++ b/crypto/ec/ec_check.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_check.c,v 1.6 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ec_check.c,v 1.9 2018/07/15 16:27:39 tb Exp $ */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * @@ -106,7 +106,7 @@ EC_GROUP_check(const EC_GROUP * group, BN_CTX * ctx) } ret = 1; -err: + err: if (ctx != NULL) BN_CTX_end(ctx); BN_CTX_free(new_ctx); diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c index d4f6c28..84a565d 100644 --- a/crypto/ec/ec_curve.c +++ b/crypto/ec/ec_curve.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_curve.c,v 1.16 2018/03/16 12:31:09 mpi Exp $ */
+/* $OpenBSD: ec_curve.c,v 1.20 2020/06/05 17:12:09 jsing Exp $ */
 /*
  * Written by Nils Larsch for the OpenSSL project.
  */
@@ -2900,11 +2900,105 @@ static const struct { } }; +/* + * This curve is defined in two birationally equal forms: canonical and Twisted + * Edwards. We do calculations in canonical (Weierstrass) form. + */ +static const struct { + EC_CURVE_DATA h; + unsigned char data[0 + 32 * 6]; +} + _EC_GOST_2012_256_TC26_A = { + { + NID_X9_62_prime_field, 0, 32, 4 + }, + { /* no seed */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, + 0xFD, 0x97, + 0xc2, 0x17, 0x3f, 0x15, 0x13, 0x98, 0x16, 0x73, 0xaf, 0x48, /* a */ + 0x92, 0xc2, 0x30, 0x35, 0xa2, 0x7c, 0xe2, 0x5e, 0x20, 0x13, + 0xbf, 0x95, 0xaa, 0x33, 0xb2, 0x2c, 0x65, 0x6f, 0x27, 0x7e, + 0x73, 0x35, + 0x29, 0x5f, 0x9b, 0xae, 0x74, 0x28, 0xed, 0x9c, 0xcc, 0x20, /* b */ + 0xe7, 0xc3, 0x59, 0xa9, 0xd4, 0x1a, 0x22, 0xfc, 0xcd, 0x91, + 0x08, 0xe1, 0x7b, 0xf7, 0xba, 0x93, 0x37, 0xa6, 0xf8, 0xae, + 0x95, 0x13, + 0x91, 0xe3, 0x84, 0x43, 0xa5, 0xe8, 0x2c, 0x0d, 0x88, 0x09, /* x */ + 0x23, 0x42, 0x57, 0x12, 0xb2, 0xbb, 0x65, 0x8b, 0x91, 0x96, + 0x93, 0x2e, 0x02, 0xc7, 0x8b, 0x25, 0x82, 0xfe, 0x74, 0x2d, + 0xaa, 0x28, + 0x32, 0x87, 0x94, 0x23, 0xab, 0x1a, 0x03, 0x75, 0x89, 0x57, /* y */ + 0x86, 0xc4, 0xbb, 0x46, 0xe9, 0x56, 0x5f, 0xde, 0x0b, 0x53, + 0x44, 0x76, 0x67, 0x40, 0xaf, 0x26, 0x8a, 0xdb, 0x32, 0x32, + 0x2e, 0x5c, + 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* order */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0f, 0xd8, 0xcd, 0xdf, + 0xc8, 0x7b, 0x66, 0x35, 0xc1, 0x15, 0xaf, 0x55, 0x6c, 0x36, + 0x0c, 0x67, + } +}; + static const struct { EC_CURVE_DATA h; unsigned char data[0 + 64 * 6]; } - _EC_GOST_2012_TC26_A = { + _EC_GOST_2012_512_Test = { + { + NID_X9_62_prime_field, 0, 64, 1 + }, + { /* no seed */ + 0x45, 0x31, 0xac, 0xd1, 0xfe, 0x00, 0x23, 0xc7, 0x55, 0x0d, /* p */ + 0x26, 0x7b, 0x6b, 0x2f, 0xee, 0x80, 0x92, 0x2b, 0x14, 0xb2, + 0xff, 0xb9, 0x0f, 0x04, 0xd4, 0xeb, 
0x7c, 0x09, 0xb5, 0xd2, + 0xd1, 0x5d, 0xf1, 0xd8, 0x52, 0x74, 0x1a, 0xf4, 0x70, 0x4a, + 0x04, 0x58, 0x04, 0x7e, 0x80, 0xe4, 0x54, 0x6d, 0x35, 0xb8, + 0x33, 0x6f, 0xac, 0x22, 0x4d, 0xd8, 0x16, 0x64, 0xbb, 0xf5, + 0x28, 0xbe, 0x63, 0x73, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* a */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x07, + 0x1c, 0xff, 0x08, 0x06, 0xa3, 0x11, 0x16, 0xda, 0x29, 0xd8, /* b */ + 0xcf, 0xa5, 0x4e, 0x57, 0xeb, 0x74, 0x8b, 0xc5, 0xf3, 0x77, + 0xe4, 0x94, 0x00, 0xfd, 0xd7, 0x88, 0xb6, 0x49, 0xec, 0xa1, + 0xac, 0x43, 0x61, 0x83, 0x40, 0x13, 0xb2, 0xad, 0x73, 0x22, + 0x48, 0x0a, 0x89, 0xca, 0x58, 0xe0, 0xcf, 0x74, 0xbc, 0x9e, + 0x54, 0x0c, 0x2a, 0xdd, 0x68, 0x97, 0xfa, 0xd0, 0xa3, 0x08, + 0x4f, 0x30, 0x2a, 0xdc, + 0x24, 0xd1, 0x9c, 0xc6, 0x45, 0x72, 0xee, 0x30, 0xf3, 0x96, /* x */ + 0xbf, 0x6e, 0xbb, 0xfd, 0x7a, 0x6c, 0x52, 0x13, 0xb3, 0xb3, + 0xd7, 0x05, 0x7c, 0xc8, 0x25, 0xf9, 0x10, 0x93, 0xa6, 0x8c, + 0xd7, 0x62, 0xfd, 0x60, 0x61, 0x12, 0x62, 0xcd, 0x83, 0x8d, + 0xc6, 0xb6, 0x0a, 0xa7, 0xee, 0xe8, 0x04, 0xe2, 0x8b, 0xc8, + 0x49, 0x97, 0x7f, 0xac, 0x33, 0xb4, 0xb5, 0x30, 0xf1, 0xb1, + 0x20, 0x24, 0x8a, 0x9a, + 0x2b, 0xb3, 0x12, 0xa4, 0x3b, 0xd2, 0xce, 0x6e, 0x0d, 0x02, /* y */ + 0x06, 0x13, 0xc8, 0x57, 0xac, 0xdd, 0xcf, 0xbf, 0x06, 0x1e, + 0x91, 0xe5, 0xf2, 0xc3, 0xf3, 0x24, 0x47, 0xc2, 0x59, 0xf3, + 0x9b, 0x2c, 0x83, 0xab, 0x15, 0x6d, 0x77, 0xf1, 0x49, 0x6b, + 0xf7, 0xeb, 0x33, 0x51, 0xe1, 0xee, 0x4e, 0x43, 0xdc, 0x1a, + 0x18, 0xb9, 0x1b, 0x24, 0x64, 0x0b, 0x6d, 0xbb, 0x92, 0xcb, + 0x1a, 0xdd, 0x37, 0x1e, + 0x45, 0x31, 0xac, 0xd1, 0xfe, 0x00, 0x23, 0xc7, 0x55, 0x0d, /* order */ + 0x26, 0x7b, 0x6b, 0x2f, 0xee, 0x80, 0x92, 0x2b, 0x14, 0xb2, + 
0xff, 0xb9, 0x0f, 0x04, 0xd4, 0xeb, 0x7c, 0x09, 0xb5, 0xd2, + 0xd1, 0x5d, 0xa8, 0x2f, 0x2d, 0x7e, 0xcb, 0x1d, 0xba, 0xc7, + 0x19, 0x90, 0x5c, 0x5e, 0xec, 0xc4, 0x23, 0xf1, 0xd8, 0x6e, + 0x25, 0xed, 0xbe, 0x23, 0xc5, 0x95, 0xd6, 0x44, 0xaa, 0xf1, + 0x87, 0xe6, 0xe6, 0xdf, + } +}; + +static const struct { + EC_CURVE_DATA h; + unsigned char data[0 + 64 * 6]; +} + _EC_GOST_2012_512_TC26_A = { { NID_X9_62_prime_field, 0, 64, 1 }, @@ -2958,7 +3052,7 @@ static const struct { EC_CURVE_DATA h; unsigned char data[0 + 64 * 6]; } - _EC_GOST_2012_TC26_B = { + _EC_GOST_2012_512_TC26_B = { { NID_X9_62_prime_field, 0, 64, 1 }, 
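Review bot: The new `_EC_GOST_2012_512_Test` table carries no comment marking it as a test/example parameter set, so in this file it is indistinguishable from the production TC26 curves defined next to it. Anyone later auditing which curves the library ships will have to rediscover that from the NID name alone; a one-line header such as `/* Test parameter set from the GOST R 34.10-2012 examples; not intended for production use. */` above the struct would make the intent explicit (exact provenance should be checked against the standard when writing it). The same hunk's comment on `_EC_GOST_2012_256_TC26_A` says `birationally equal`; the usual term is `birationally equivalent`, and the comment could also say which form (Weierstrass) the stored `a`, `b`, `x`, `y` are in, since that is what makes the table differ from the published Edwards parameters.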
@@ -3008,6 +3102,64 @@ static const struct { } }; +/* + * This curve is defined in two birationally equal forms: canonical and Twisted + * Edwards. We do calculations in canonical (Weierstrass) form. + */ +static const struct { + EC_CURVE_DATA h; + unsigned char data[0 + 64 * 6]; +} + _EC_GOST_2012_512_TC26_C = { + { + NID_X9_62_prime_field, 0, 64, 4 + }, + { /* no seed */ + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* p */ + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xfd, 0xc7, + 0xdc, 0x92, 0x03, 0xe5, 0x14, 0xa7, 0x21, 0x87, 0x54, 0x85, /* a */ + 0xa5, 0x29, 0xd2, 0xc7, 0x22, 0xfb, 0x18, 0x7b, 0xc8, 0x98, + 0x0e, 0xb8, 0x66, 0x64, 0x4d, 0xe4, 0x1c, 0x68, 0xe1, 0x43, + 0x06, 0x45, 0x46, 0xe8, 0x61, 0xc0, 0xe2, 0xc9, 0xed, 0xd9, + 0x2a, 0xde, 0x71, 0xf4, 0x6f, 0xcf, 0x50, 0xff, 0x2a, 0xd9, + 0x7f, 0x95, 0x1f, 0xda, 0x9f, 0x2a, 0x2e, 0xb6, 0x54, 0x6f, + 0x39, 0x68, 0x9b, 0xd3, + 0xb4, 0xc4, 0xee, 0x28, 0xce, 0xbc, 0x6c, 0x2c, 0x8a, 0xc1, /* b */ + 0x29, 0x52, 0xcf, 0x37, 0xf1, 0x6a, 0xc7, 0xef, 0xb6, 0xa9, + 0xf6, 0x9f, 0x4b, 0x57, 0xff, 0xda, 0x2e, 0x4f, 0x0d, 0xe5, + 0xad, 0xe0, 0x38, 0xcb, 0xc2, 0xff, 0xf7, 0x19, 0xd2, 0xc1, + 0x8d, 0xe0, 0x28, 0x4b, 0x8b, 0xfe, 0xf3, 0xb5, 0x2b, 0x8c, + 0xc7, 0xa5, 0xf5, 0xbf, 0x0a, 0x3c, 0x8d, 0x23, 0x19, 0xa5, + 0x31, 0x25, 0x57, 0xe1, + 0xe2, 0xe3, 0x1e, 0xdf, 0xc2, 0x3d, 0xe7, 0xbd, 0xeb, 0xe2, /* x */ + 0x41, 0xce, 0x59, 0x3e, 0xf5, 0xde, 0x22, 0x95, 0xb7, 0xa9, + 0xcb, 0xae, 0xf0, 0x21, 0xd3, 0x85, 0xf7, 0x07, 0x4c, 0xea, + 0x04, 0x3a, 0xa2, 0x72, 0x72, 0xa7, 0xae, 0x60, 0x2b, 0xf2, + 0xa7, 0xb9, 0x03, 0x3d, 0xb9, 0xed, 0x36, 0x10, 0xc6, 0xfb, + 0x85, 0x48, 0x7e, 0xae, 0x97, 0xaa, 0xc5, 0xbc, 0x79, 0x28, + 0xc1, 0x95, 0x01, 0x48, 
+ 0xf5, 0xce, 0x40, 0xd9, 0x5b, 0x5e, 0xb8, 0x99, 0xab, 0xbc, /* y */ + 0xcf, 0xf5, 0x91, 0x1c, 0xb8, 0x57, 0x79, 0x39, 0x80, 0x4d, + 0x65, 0x27, 0x37, 0x8b, 0x8c, 0x10, 0x8c, 0x3d, 0x20, 0x90, + 0xff, 0x9b, 0xe1, 0x8e, 0x2d, 0x33, 0xe3, 0x02, 0x1e, 0xd2, + 0xef, 0x32, 0xd8, 0x58, 0x22, 0x42, 0x3b, 0x63, 0x04, 0xf7, + 0x26, 0xaa, 0x85, 0x4b, 0xae, 0x07, 0xd0, 0x39, 0x6e, 0x9a, + 0x9a, 0xdd, 0xc4, 0x0f, + 0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, /* order */ + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xc9, 0x8c, 0xdb, 0xa4, 0x65, 0x06, 0xab, 0x00, + 0x4c, 0x33, 0xa9, 0xff, 0x51, 0x47, 0x50, 0x2c, 0xc8, 0xed, + 0xa9, 0xe7, 0xa7, 0x69, 0xa1, 0x26, 0x94, 0x62, 0x3c, 0xef, + 0x47, 0xf0, 0x23, 0xed, + } +}; + #endif typedef struct _ec_list_element_st { 
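Review bot: The header initializer `NID_X9_62_prime_field, 0, 64, 4` for `_EC_GOST_2012_512_TC26_C` leaves the trailing `4` unexplained; I read it as the EC_CURVE_DATA cofactor, which is the one value here that differs from the cofactor-1 curves above and is what a reviewer would want to cross-check against the published Edwards form. Annotating it as `NID_X9_62_prime_field, 0, 64, 4 /* cofactor 4 */` (and the matching `32, 4` for the 256-bit set) costs nothing and prevents a later "fix" to 1. The leading comment's `birationally equal` should read `birationally equivalent`.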
@@ -3147,8 +3299,14 @@ static const ec_list_element curve_list[] = { {NID_id_GostR3410_2001_CryptoPro_C_ParamSet, &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2001 CryptoPro-C"}, {NID_id_GostR3410_2001_CryptoPro_XchA_ParamSet, &_EC_GOST_2001_CryptoPro_A.h, 0, "GOST R 34.10-2001 CryptoPro-XchA"}, {NID_id_GostR3410_2001_CryptoPro_XchB_ParamSet, &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2001 CryptoPro-XchB"}, - {NID_id_tc26_gost_3410_2012_512_paramSetA, &_EC_GOST_2012_TC26_A.h, 0, "GOST R 34.10-2012 TC26-A"}, - {NID_id_tc26_gost_3410_2012_512_paramSetB, &_EC_GOST_2012_TC26_B.h, 0, "GOST R 34.10-2012 TC26-B"}, + {NID_id_tc26_gost_3410_12_256_paramSetA, &_EC_GOST_2012_256_TC26_A.h, 0, "GOST R 34.10-2012 256 TC26-A"}, + {NID_id_tc26_gost_3410_12_256_paramSetB, &_EC_GOST_2001_CryptoPro_A.h, 0, "GOST R 34.10-2012 256 TC26-B"}, + {NID_id_tc26_gost_3410_12_256_paramSetC, &_EC_GOST_2001_CryptoPro_B.h, 0, "GOST R 34.10-2012 256 TC26-C"}, + {NID_id_tc26_gost_3410_12_256_paramSetD, &_EC_GOST_2001_CryptoPro_C.h, 0, "GOST R 34.10-2012 256 TC26-D"}, + {NID_id_tc26_gost_3410_12_512_paramSetTest, &_EC_GOST_2012_512_Test.h, 0, "GOST R 34.10-2012 512 Test Curve"}, + {NID_id_tc26_gost_3410_12_512_paramSetA, &_EC_GOST_2012_512_TC26_A.h, 0, "GOST R 34.10-2012 512 TC26-A"}, + {NID_id_tc26_gost_3410_12_512_paramSetB, &_EC_GOST_2012_512_TC26_B.h, 0, "GOST R 34.10-2012 512 TC26-B"}, + {NID_id_tc26_gost_3410_12_512_paramSetC, &_EC_GOST_2012_512_TC26_C.h, 0, "GOST R 34.10-2012 512 TC26-C"}, #endif }; @@ -3235,7 +3393,7 @@ ec_group_new_from_data(const ec_list_element curve) } } ok = 1; -err: + err: if (!ok) { EC_GROUP_free(group); group = NULL; diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c index fa5dece..95c15a1 100644 --- a/crypto/ec/ec_err.c +++ b/crypto/ec/ec_err.c 
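Review bot: The three new entries for `NID_id_tc26_gost_3410_12_256_paramSetB/C/D` point at the old `_EC_GOST_2001_CryptoPro_A/B/C` tables while their names say "TC26-B/C/D", and nothing in the hunk says this is deliberate. To my recollection the 2012 256-bit sets B–D are defined to be the 2001 CryptoPro A–C curves (RFC 7836), so the mapping is right, but without a note it looks exactly like a copy-paste slip and invites a "correction"; a comment above the three lines such as `/* 2012 256-bit sets B, C, D reuse the 2001 CryptoPro A, B, C curves (RFC 7836). */` would settle it. Registering `paramSetTest` in the same public table also deserves a comment that it is a test vector set, since callers resolving curves by NID cannot otherwise tell.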
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_err.c,v 1.10 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: ec_err.c,v 1.12 2019/09/29 10:09:09 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
  *
@@ -96,6 +96,7 @@ static ERR_STRING_DATA EC_str_reasons[] =
 {ERR_REASON(EC_R_INVALID_COMPRESSED_POINT), "invalid compressed point"},
 {ERR_REASON(EC_R_INVALID_COMPRESSION_BIT), "invalid compression bit"},
 {ERR_REASON(EC_R_INVALID_CURVE), "invalid curve"},
+ {ERR_REASON(EC_R_INVALID_DIGEST), "invalid digest"},
 {ERR_REASON(EC_R_INVALID_DIGEST_TYPE), "invalid digest type"},
 {ERR_REASON(EC_R_INVALID_ENCODING), "invalid encoding"},
 {ERR_REASON(EC_R_INVALID_FIELD), "invalid field"},
@@ -104,6 +105,7 @@ static ERR_STRING_DATA EC_str_reasons[] =
 {ERR_REASON(EC_R_INVALID_PENTANOMIAL_BASIS), "invalid pentanomial basis"},
 {ERR_REASON(EC_R_INVALID_PRIVATE_KEY), "invalid private key"},
 {ERR_REASON(EC_R_INVALID_TRINOMIAL_BASIS), "invalid trinomial basis"},
+ {ERR_REASON(EC_R_KDF_PARAMETER_ERROR), "kdf parameter error"},
 {ERR_REASON(EC_R_KEYS_NOT_SET), "keys not set"},
 {ERR_REASON(EC_R_MISSING_PARAMETERS), "missing parameters"},
 {ERR_REASON(EC_R_MISSING_PRIVATE_KEY), "missing private key"},
@@ -114,12 +116,15 @@ static ERR_STRING_DATA EC_str_reasons[] = {ERR_REASON(EC_R_NO_FIELD_MOD), "no field mod"}, {ERR_REASON(EC_R_NO_PARAMETERS_SET), "no parameters set"}, {ERR_REASON(EC_R_PASSED_NULL_PARAMETER), "passed null parameter"}, + {ERR_REASON(EC_R_PEER_KEY_ERROR), "peer key error"}, {ERR_REASON(EC_R_PKPARAMETERS2GROUP_FAILURE), "pkparameters2group failure"}, {ERR_REASON(EC_R_POINT_AT_INFINITY), "point at infinity"}, {ERR_REASON(EC_R_POINT_IS_NOT_ON_CURVE), "point is not on curve"}, + {ERR_REASON(EC_R_SHARED_INFO_ERROR), "shared info error"}, {ERR_REASON(EC_R_SLOT_FULL), "slot full"}, {ERR_REASON(EC_R_UNDEFINED_GENERATOR), "undefined generator"}, {ERR_REASON(EC_R_UNDEFINED_ORDER), "undefined order"}, + {ERR_REASON(EC_R_UNKNOWN_COFACTOR), "unknown cofactor"}, {ERR_REASON(EC_R_UNKNOWN_GROUP), "unknown group"}, {ERR_REASON(EC_R_UNKNOWN_ORDER), "unknown order"}, {ERR_REASON(EC_R_UNSUPPORTED_FIELD), "unsupported field"}, diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c index 595b88c..1d0a03a 100644 --- a/crypto/ec/ec_key.c +++ b/crypto/ec/ec_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_key.c,v 1.14 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: ec_key.c,v 1.24 2019/01/19 01:12:48 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -65,29 +65,18 @@ #include -#include "ec_lcl.h" +#ifndef OPENSSL_NO_ENGINE +#include +#endif #include +#include "bn_lcl.h" +#include "ec_lcl.h" + EC_KEY * EC_KEY_new(void) { - EC_KEY *ret; - - ret = malloc(sizeof(EC_KEY)); - if (ret == NULL) { - ECerror(ERR_R_MALLOC_FAILURE); - return (NULL); - } - ret->version = 1; - ret->flags = 0; - ret->group = NULL; - ret->pub_key = NULL; - ret->priv_key = NULL; - ret->enc_flag = 0; - ret->conv_form = POINT_CONVERSION_UNCOMPRESSED; - ret->references = 1; - ret->method_data = NULL; - return (ret); + return EC_KEY_new_method(NULL); } EC_KEY * 
@@ -101,6 +90,11 @@ EC_KEY_new_by_curve_name(int nid) EC_KEY_free(ret); return NULL; } + if (ret->meth->set_group != NULL && + ret->meth->set_group(ret, ret->group) == 0) { + EC_KEY_free(ret); + return NULL; + } return ret; } @@ -116,6 +110,14 @@ EC_KEY_free(EC_KEY * r) if (i > 0) return; + if (r->meth != NULL && r->meth->finish != NULL) + r->meth->finish(r); + +#ifndef OPENSSL_NO_ENGINE + ENGINE_finish(r->engine); +#endif + CRYPTO_free_ex_data(CRYPTO_EX_INDEX_EC_KEY, r, &r->ex_data); + EC_GROUP_free(r->group); EC_POINT_free(r->pub_key); BN_clear_free(r->priv_key); @@ -134,6 +136,15 @@ EC_KEY_copy(EC_KEY * dest, const EC_KEY * src) ECerror(ERR_R_PASSED_NULL_PARAMETER); return NULL; } + if (src->meth != dest->meth) { + if (dest->meth != NULL && dest->meth->finish != NULL) + dest->meth->finish(dest); +#ifndef OPENSSL_NO_ENGINE + if (ENGINE_finish(dest->engine) == 0) + return 0; + dest->engine = NULL; +#endif + } /* copy the parameters */ if (src->group) { const EC_METHOD *meth = EC_GROUP_method_of(src->group); @@ -183,14 +194,32 @@ EC_KEY_copy(EC_KEY * dest, const EC_KEY * src) dest->version = src->version; dest->flags = src->flags; + if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_EC_KEY, &dest->ex_data, + &((EC_KEY *)src)->ex_data)) /* XXX const */ + return NULL; + + if (src->meth != dest->meth) { +#ifndef OPENSSL_NO_ENGINE + if (src->engine != NULL && ENGINE_init(src->engine) == 0) + return 0; + dest->engine = src->engine; +#endif + dest->meth = src->meth; + } + + if (src->meth != NULL && src->meth->copy != NULL && + src->meth->copy(dest, src) == 0) + return 0; + return dest; } EC_KEY * EC_KEY_dup(const EC_KEY * ec_key) { - EC_KEY *ret = EC_KEY_new(); - if (ret == NULL) + EC_KEY *ret; + + if ((ret = EC_KEY_new_method(ec_key->engine)) == NULL) return NULL; if (EC_KEY_copy(ret, ec_key) == NULL) { EC_KEY_free(ret); 
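Review bot: `EC_KEY_dup` now dereferences `ec_key->engine` before anything checks `ec_key`, so `EC_KEY_dup(NULL)` crashes where the old `EC_KEY_new()` + `EC_KEY_copy()` path failed cleanly with `ERR_R_PASSED_NULL_PARAMETER` (the NULL check is visible in the `EC_KEY_copy` context of this hunk). A guard at the top, `if (ec_key == NULL) return NULL;`, keeps the previous contract; the rest of `EC_KEY_dup` continues past the hunk. Separately, the two new `return 0;` statements in `EC_KEY_copy` are in a function that returns `EC_KEY *` and that otherwise uses `return NULL;` — they are valid C but should be `return NULL;` for consistency with the surrounding error paths.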
@@ -206,8 +235,29 @@ EC_KEY_up_ref(EC_KEY * r) return ((i > 1) ? 1 : 0); } -int -EC_KEY_generate_key(EC_KEY * eckey) +int +EC_KEY_set_ex_data(EC_KEY *r, int idx, void *arg) +{ + return CRYPTO_set_ex_data(&r->ex_data, idx, arg); +} + +void * +EC_KEY_get_ex_data(const EC_KEY *r, int idx) +{ + return CRYPTO_get_ex_data(&r->ex_data, idx); +} + +int +EC_KEY_generate_key(EC_KEY *eckey) +{ + if (eckey->meth->keygen != NULL) + return eckey->meth->keygen(eckey); + ECerror(EC_R_NOT_IMPLEMENTED); + return 0; +} + +int +ossl_ec_key_gen(EC_KEY *eckey) { int ok = 0; BN_CTX *ctx = NULL; @@ -218,32 +268,27 @@ EC_KEY_generate_key(EC_KEY * eckey) ECerror(ERR_R_PASSED_NULL_PARAMETER); return 0; } + if ((order = BN_new()) == NULL) goto err; if ((ctx = BN_CTX_new()) == NULL) goto err; - if (eckey->priv_key == NULL) { - priv_key = BN_new(); - if (priv_key == NULL) + if ((priv_key = eckey->priv_key) == NULL) { + if ((priv_key = BN_new()) == NULL) goto err; - } else - priv_key = eckey->priv_key; + } if (!EC_GROUP_get_order(eckey->group, order, ctx)) goto err; - do - if (!BN_rand_range(priv_key, order)) - goto err; - while (BN_is_zero(priv_key)); + if (!bn_rand_interval(priv_key, BN_value_one(), order)) + goto err; - if (eckey->pub_key == NULL) { - pub_key = EC_POINT_new(eckey->group); - if (pub_key == NULL) + if ((pub_key = eckey->pub_key) == NULL) { + if ((pub_key = EC_POINT_new(eckey->group)) == NULL) goto err; - } else - pub_key = eckey->pub_key; + } if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx)) goto err; @@ -253,11 +298,11 @@ EC_KEY_generate_key(EC_KEY * eckey) ok = 1; -err: + err: BN_free(order); - if (pub_key != NULL && eckey->pub_key == NULL) + if (eckey->pub_key == NULL) EC_POINT_free(pub_key); - if (priv_key != NULL && eckey->priv_key == NULL) + if (eckey->priv_key == NULL) BN_free(priv_key); BN_CTX_free(ctx); return (ok); @@ -324,7 +369,7 @@ EC_KEY_check_key(const EC_KEY * eckey) } } ok = 1; -err: + err: BN_CTX_free(ctx); EC_POINT_free(point); return (ok); 
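Review bot: The new `EC_KEY_generate_key` body reads `eckey->meth->keygen` unconditionally, so a NULL `eckey` now faults before reaching the `eckey == NULL || eckey->group == NULL` check that moved into `ossl_ec_key_gen` (visible as context in the following hunk); previously that check was the first thing the public function did. Adding `if (eckey == NULL || eckey->meth == NULL) { ECerror(ERR_R_PASSED_NULL_PARAMETER); return 0; }` ahead of the dispatch restores the old behaviour and also covers a method-less key. The switch from the `BN_rand_range` retry loop to `bn_rand_interval(priv_key, BN_value_one(), order)` looks like a real improvement (the zero check is now part of the sampling); it would be worth a short comment that the private scalar is drawn from [1, order-1].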
@@ -395,7 +440,7 @@ EC_KEY_set_public_key_affine_coordinates(EC_KEY * key, BIGNUM * x, BIGNUM * y) ok = 1; -err: + err: BN_CTX_free(ctx); EC_POINT_free(point); return ok; @@ -411,6 +456,9 @@ EC_KEY_get0_group(const EC_KEY * key) int EC_KEY_set_group(EC_KEY * key, const EC_GROUP * group) { + if (key->meth->set_group != NULL && + key->meth->set_group(key, group) == 0) + return 0; EC_GROUP_free(key->group); key->group = EC_GROUP_dup(group); return (key->group == NULL) ? 0 : 1; @@ -425,6 +473,9 @@ EC_KEY_get0_private_key(const EC_KEY * key) int EC_KEY_set_private_key(EC_KEY * key, const BIGNUM * priv_key) { + if (key->meth->set_private != NULL && + key->meth->set_private(key, priv_key) == 0) + return 0; BN_clear_free(key->priv_key); key->priv_key = BN_dup(priv_key); return (key->priv_key == NULL) ? 0 : 1; @@ -439,6 +490,9 @@ EC_KEY_get0_public_key(const EC_KEY * key) int EC_KEY_set_public_key(EC_KEY * key, const EC_POINT * pub_key) { + if (key->meth->set_public != NULL && + key->meth->set_public(key, pub_key) == 0) + return 0; EC_POINT_free(key->pub_key); key->pub_key = EC_POINT_dup(pub_key, key->group); return (key->pub_key == NULL) ? 0 : 1; diff --git a/crypto/ec/ec_kmeth.c b/crypto/ec/ec_kmeth.c new file mode 100644 index 0000000..1fb9e57 --- /dev/null +++ b/crypto/ec/ec_kmeth.c 
@@ -0,0 +1,335 @@ +/* $OpenBSD: ec_kmeth.c,v 1.5 2019/05/10 19:15:06 bcook Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2015 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include +#ifndef OPENSSL_NO_ENGINE +#include +#endif +#include + +#include "ec_lcl.h" +#include "ecs_locl.h" + +static const EC_KEY_METHOD openssl_ec_key_method = { + .name = "OpenSSL EC_KEY method", + .flags = 0, + + .init = NULL, + .finish = NULL, + .copy = NULL, + + .set_group = NULL, + .set_private = NULL, + .set_public = NULL, + + .keygen = ossl_ec_key_gen, + .compute_key = ossl_ecdh_compute_key, + + .sign = ossl_ecdsa_sign, + .sign_setup = ossl_ecdsa_sign_setup, + .sign_sig = ossl_ecdsa_sign_sig, + + .verify = ossl_ecdsa_verify, + .verify_sig = ossl_ecdsa_verify_sig, +}; + +const EC_KEY_METHOD *default_ec_key_meth = &openssl_ec_key_method; + +const EC_KEY_METHOD * +EC_KEY_OpenSSL(void) +{ + return &openssl_ec_key_method; +} + +const EC_KEY_METHOD * +EC_KEY_get_default_method(void) +{ + return default_ec_key_meth; +} + +void +EC_KEY_set_default_method(const EC_KEY_METHOD *meth) +{ + if (meth == NULL) + default_ec_key_meth = &openssl_ec_key_method; + else + default_ec_key_meth = meth; +} + +const EC_KEY_METHOD * +EC_KEY_get_method(const EC_KEY *key) +{ + return key->meth; +} + +int +EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth) +{ + void (*finish)(EC_KEY *key) = key->meth->finish; + + if (finish != NULL) + finish(key); + +#ifndef OPENSSL_NO_ENGINE + ENGINE_finish(key->engine); + key->engine = NULL; +#endif + + key->meth = meth; + 
if (meth->init != NULL) + return meth->init(key); + return 1; +} + +EC_KEY * +EC_KEY_new_method(ENGINE *engine) +{ + EC_KEY *ret; + + if ((ret = calloc(1, sizeof(EC_KEY))) == NULL) { + ECerror(ERR_R_MALLOC_FAILURE); + return NULL; + } + ret->meth = EC_KEY_get_default_method(); +#ifndef OPENSSL_NO_ENGINE + if (engine != NULL) { + if (!ENGINE_init(engine)) { + ECerror(ERR_R_ENGINE_LIB); + goto err; + } + ret->engine = engine; + } else + ret->engine = ENGINE_get_default_EC(); + if (ret->engine) { + ret->meth = ENGINE_get_EC(ret->engine); + if (ret->meth == NULL) { + ECerror(ERR_R_ENGINE_LIB); + goto err; + } + } +#endif + ret->version = 1; + ret->flags = 0; + ret->group = NULL; + ret->pub_key = NULL; + ret->priv_key = NULL; + ret->enc_flag = 0; + ret->conv_form = POINT_CONVERSION_UNCOMPRESSED; + ret->references = 1; + ret->method_data = NULL; + + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) + goto err; + if (ret->meth->init != NULL && ret->meth->init(ret) == 0) + goto err; + + return ret; + + err: + EC_KEY_free(ret); + return NULL; +} + +EC_KEY_METHOD * +EC_KEY_METHOD_new(const EC_KEY_METHOD *meth) +{ + EC_KEY_METHOD *ret; + + if ((ret = calloc(1, sizeof(*meth))) == NULL) + return NULL; + if (meth != NULL) + *ret = *meth; + ret->flags |= EC_KEY_METHOD_DYNAMIC; + return ret; +} + +void +EC_KEY_METHOD_free(EC_KEY_METHOD *meth) +{ + if (meth == NULL) + return; + if (meth->flags & EC_KEY_METHOD_DYNAMIC) + free(meth); +} + +void +EC_KEY_METHOD_set_init(EC_KEY_METHOD *meth, + int (*init)(EC_KEY *key), + void (*finish)(EC_KEY *key), + int (*copy)(EC_KEY *dest, const EC_KEY *src), + int (*set_group)(EC_KEY *key, const EC_GROUP *grp), + int (*set_private)(EC_KEY *key, const BIGNUM *priv_key), + int (*set_public)(EC_KEY *key, const EC_POINT *pub_key)) +{ + meth->init = init; + meth->finish = finish; + meth->copy = copy; + meth->set_group = set_group; + meth->set_private = set_private; + meth->set_public = set_public; +} + +void 
+EC_KEY_METHOD_set_keygen(EC_KEY_METHOD *meth, int (*keygen)(EC_KEY *key)) +{ + meth->keygen = keygen; +} + +void +EC_KEY_METHOD_set_compute_key(EC_KEY_METHOD *meth, + int (*ckey)(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh, + void *(*KDF) (const void *in, size_t inlen, void *out, size_t *outlen))) +{ + meth->compute_key = ckey; +} + +void +EC_KEY_METHOD_set_sign(EC_KEY_METHOD *meth, + int (*sign)(int type, const unsigned char *dgst, + int dlen, unsigned char *sig, unsigned int *siglen, + const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey), + int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, + BIGNUM **kinvp, BIGNUM **rp), + ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, + int dgst_len, const BIGNUM *in_kinv, + const BIGNUM *in_r, EC_KEY *eckey)) +{ + meth->sign = sign; + meth->sign_setup = sign_setup; + meth->sign_sig = sign_sig; +} + +void +EC_KEY_METHOD_set_verify(EC_KEY_METHOD *meth, + int (*verify)(int type, const unsigned char *dgst, int dgst_len, + const unsigned char *sigbuf, int sig_len, EC_KEY *eckey), + int (*verify_sig)(const unsigned char *dgst, int dgst_len, + const ECDSA_SIG *sig, EC_KEY *eckey)) +{ + meth->verify = verify; + meth->verify_sig = verify_sig; +} + + +void +EC_KEY_METHOD_get_init(const EC_KEY_METHOD *meth, + int (**pinit)(EC_KEY *key), + void (**pfinish)(EC_KEY *key), + int (**pcopy)(EC_KEY *dest, const EC_KEY *src), + int (**pset_group)(EC_KEY *key, const EC_GROUP *grp), + int (**pset_private)(EC_KEY *key, const BIGNUM *priv_key), + int (**pset_public)(EC_KEY *key, const EC_POINT *pub_key)) +{ + if (pinit != NULL) + *pinit = meth->init; + if (pfinish != NULL) + *pfinish = meth->finish; + if (pcopy != NULL) + *pcopy = meth->copy; + if (pset_group != NULL) + *pset_group = meth->set_group; + if (pset_private != NULL) + *pset_private = meth->set_private; + if (pset_public != NULL) + *pset_public = meth->set_public; +} + +void +EC_KEY_METHOD_get_keygen(const EC_KEY_METHOD *meth, + int (**pkeygen)(EC_KEY *key)) +{ + if 
(pkeygen != NULL) + *pkeygen = meth->keygen; +} + +void +EC_KEY_METHOD_get_compute_key(const EC_KEY_METHOD *meth, + int (**pck)(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh, + void *(*KDF) (const void *in, size_t inlen, void *out, size_t *outlen))) +{ + if (pck != NULL) + *pck = meth->compute_key; +} + +void +EC_KEY_METHOD_get_sign(const EC_KEY_METHOD *meth, + int (**psign)(int type, const unsigned char *dgst, + int dlen, unsigned char *sig, unsigned int *siglen, + const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey), + int (**psign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, + BIGNUM **kinvp, BIGNUM **rp), + ECDSA_SIG *(**psign_sig)(const unsigned char *dgst, + int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r, + EC_KEY *eckey)) +{ + if (psign != NULL) + *psign = meth->sign; + if (psign_setup != NULL) + *psign_setup = meth->sign_setup; + if (psign_sig != NULL) + *psign_sig = meth->sign_sig; +} + +void +EC_KEY_METHOD_get_verify(const EC_KEY_METHOD *meth, + int (**pverify)(int type, const unsigned char *dgst, int dgst_len, + const unsigned char *sigbuf, int sig_len, EC_KEY *eckey), + int (**pverify_sig)(const unsigned char *dgst, int dgst_len, + const ECDSA_SIG *sig, EC_KEY *eckey)) +{ + if (pverify != NULL) + *pverify = meth->verify; + if (pverify_sig != NULL) + *pverify_sig = meth->verify_sig; +} diff --git a/crypto/ec/ec_lcl.h b/crypto/ec/ec_lcl.h index e1c91e6..8948e51 100644 --- a/crypto/ec/ec_lcl.h +++ b/crypto/ec/ec_lcl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_lcl.h,v 1.7 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: ec_lcl.h,v 1.13 2019/01/19 01:12:48 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ @@ -73,6 +73,7 @@ #include #include +#include #include __BEGIN_HIDDEN_DECLS 
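Review bot: `EC_KEY_new_method` initializes the key's ex_data with `CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)`, but `EC_KEY_free` and `EC_KEY_copy` in ec_key.c use `CRYPTO_EX_INDEX_EC_KEY` for the same field. With mismatched indices the new/dup/free callbacks registered via `EC_KEY_get_ex_new_index` run against the wrong class (or not at all) and RSA's callbacks run on an EC_KEY, which is a use-after-type-confusion risk for anything an engine hangs off ex_data; the line should read `if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_EC_KEY, ret, &ret->ex_data))`. Two smaller points in the same file: `EC_KEY_set_method` dereferences `meth->init` without rejecting a NULL `meth`, and `EC_KEY_new_method`'s error path calls `EC_KEY_free` on a half-initialized object, which works only because `calloc` zeroed `engine` and `ex_data` — worth a comment so a later reorder does not break it.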
@@ -160,10 +161,12 @@ struct ec_method_st { int (*make_affine)(const EC_GROUP *, EC_POINT *, BN_CTX *); int (*points_make_affine)(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *); - /* used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult, EC_POINT_have_precompute_mult - * (default implementations are used if the 'mul' pointer is 0): */ - int (*mul)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, - size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *); + /* used by EC_POINTs_mul, EC_POINT_mul, EC_POINT_precompute_mult, EC_POINT_have_precompute_mult */ + int (*mul_generator_ct)(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar, BN_CTX *); + int (*mul_single_ct)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, + const EC_POINT *point, BN_CTX *); + int (*mul_double_nonct)(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, + const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *); int (*precompute_mult)(EC_GROUP *group, BN_CTX *); int (*have_precompute_mult)(const EC_GROUP *group); @@ -180,6 +183,7 @@ struct ec_method_st { int (*field_encode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. to Montgomery */ int (*field_decode)(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); /* e.g. from Montgomery */ int (*field_set_to_one)(const EC_GROUP *, BIGNUM *r, BN_CTX *); + int (*blind_coordinates)(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); } /* EC_METHOD */; typedef struct ec_extra_data_st { @@ -242,6 +246,9 @@ struct ec_group_st { } /* EC_GROUP */; struct ec_key_st { + const EC_KEY_METHOD *meth; + ENGINE *engine; + int version; EC_GROUP *group; @@ -256,6 +263,7 @@ struct ec_key_st { int flags; EC_EXTRA_DATA *method_data; + CRYPTO_EX_DATA ex_data; } /* EC_KEY */; /* Basically a 'mixin' for extra data, but available for EC_GROUPs/EC_KEYs only 
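Review bot: The new `mul_generator_ct`, `mul_single_ct` and `mul_double_nonct` method slots are introduced with only the old "used by EC_POINTs_mul, ..." comment, which no longer says which one is safe for secret scalars. If the suffixes mean what they appear to (constant-time vs. not), that contract is the whole point of the split and belongs in the header, e.g. `/* mul_double_nonct is not constant time: use only with public scalars (e.g. signature verification). */` above that slot, with a matching note that the `_ct` variants are the ones to use for private keys and nonces — please confirm against the ecp implementations before wording it as fact. The newly added `blind_coordinates` slot is likewise undocumented; a one-liner on what it randomizes and when it is invoked would help.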
@@ -337,6 +345,12 @@ int ec_GFp_simple_make_affine(const EC_GROUP *, EC_POINT *, BN_CTX *); int ec_GFp_simple_points_make_affine(const EC_GROUP *, size_t num, EC_POINT *[], BN_CTX *); int ec_GFp_simple_field_mul(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, const BIGNUM *b, BN_CTX *); int ec_GFp_simple_field_sqr(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); +int ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); +int ec_GFp_simple_mul_generator_ct(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar, BN_CTX *); +int ec_GFp_simple_mul_single_ct(const EC_GROUP *, EC_POINT *r, const BIGNUM *scalar, + const EC_POINT *point, BN_CTX *); +int ec_GFp_simple_mul_double_nonct(const EC_GROUP *, EC_POINT *r, const BIGNUM *g_scalar, + const BIGNUM *p_scalar, const EC_POINT *point, BN_CTX *); /* method functions in ecp_mont.c */ @@ -351,6 +365,7 @@ int ec_GFp_mont_field_encode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CT int ec_GFp_mont_field_decode(const EC_GROUP *, BIGNUM *r, const BIGNUM *a, BN_CTX *); int ec_GFp_mont_field_set_to_one(const EC_GROUP *, BIGNUM *r, BN_CTX *); +int ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx); /* method functions in ecp_nist.c */ int ec_GFp_nist_group_copy(EC_GROUP *dest, const EC_GROUP *src); 
@@ -431,6 +446,44 @@ int ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group); const EC_METHOD *EC_GFp_nistz256_method(void); #endif +/* EC_METHOD definitions */ + +struct ec_key_method_st { + const char *name; + int32_t flags; + int (*init)(EC_KEY *key); + void (*finish)(EC_KEY *key); + int (*copy)(EC_KEY *dest, const EC_KEY *src); + int (*set_group)(EC_KEY *key, const EC_GROUP *grp); + int (*set_private)(EC_KEY *key, const BIGNUM *priv_key); + int (*set_public)(EC_KEY *key, const EC_POINT *pub_key); + int (*keygen)(EC_KEY *key); + int (*compute_key)(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh, + void *(*KDF) (const void *in, size_t inlen, void *out, size_t *outlen)); + int (*sign)(int type, const unsigned char *dgst, int dlen, unsigned char + *sig, unsigned int *siglen, const BIGNUM *kinv, + const BIGNUM *r, EC_KEY *eckey); + int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, + BIGNUM **rp); + ECDSA_SIG *(*sign_sig)(const unsigned char *dgst, int dgst_len, + const BIGNUM *in_kinv, const BIGNUM *in_r, + EC_KEY *eckey); + int (*verify)(int type, const unsigned char *dgst, int dgst_len, + const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); + int (*verify_sig)(const unsigned char *dgst, int dgst_len, + const ECDSA_SIG *sig, EC_KEY *eckey); +} /* EC_KEY_METHOD */; + +#define EC_KEY_METHOD_DYNAMIC 1 + +int ossl_ec_key_gen(EC_KEY *eckey); +int ossl_ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh, + void *(*KDF) (const void *in, size_t inlen, void *out, size_t *outlen)); +int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, + const unsigned char *sigbuf, int sig_len, EC_KEY *eckey); +int ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, + const ECDSA_SIG *sig, EC_KEY *eckey); + /* method functions in ecp_nistp521.c */ int ec_GFp_nistp521_group_init(EC_GROUP *group); int ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, const 
BIGNUM *n, BN_CTX *); diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c index 0d06211..df90616 100644 --- a/crypto/ec/ec_lib.c +++ b/crypto/ec/ec_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_lib.c,v 1.24 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: ec_lib.c,v 1.32 2019/09/29 10:09:09 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ @@ -68,6 +68,7 @@ #include #include +#include "bn_lcl.h" #include "ec_lcl.h" /* functions for EC_GROUP objects */ 
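Review bot: The comment introducing the new struct reads `/* EC_METHOD definitions */`, but `struct ec_key_method_st` is the EC_KEY_METHOD (as its own trailing comment says) and EC_METHOD is the separate struct earlier in this header, so it should be `/* EC_KEY_METHOD definitions */`. The `flags` field is explained only by the `EC_KEY_METHOD_DYNAMIC` define that follows it; a comment on the field naming that as its only defined bit saves the reader the search. The four `ossl_*` prototypes would also benefit from a one-line comment noting that their signatures match the keygen, compute_key, verify and verify_sig slots of the struct, since nothing in the header ties them together.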
@@ -252,6 +253,80 @@ EC_METHOD_get_field_type(const EC_METHOD *meth) return meth->field_type; } +/* + * Try computing the cofactor from generator order n and field cardinality q. + * This works for all curves of cryptographic interest. + * + * Hasse's theorem: | h * n - (q + 1) | <= 2 * sqrt(q) + * + * So: h_min = (q + 1 - 2*sqrt(q)) / n and h_max = (q + 1 + 2*sqrt(q)) / n and + * therefore h_max - h_min = 4*sqrt(q) / n. So if n > 4*sqrt(q) holds, there is + * only one possible value for h: + * + * h = \lfloor (h_min + h_max)/2 \rceil = \lfloor (q + 1)/n \rceil + * + * Otherwise, zero cofactor and return success. + */ +static int +ec_guess_cofactor(EC_GROUP *group) +{ + BN_CTX *ctx = NULL; + BIGNUM *q = NULL; + int ret = 0; + + /* + * If the cofactor is too large, we cannot guess it and default to zero. + * The RHS of below is a strict overestimate of log(4 * sqrt(q)). + */ + if (BN_num_bits(&group->order) <= + (BN_num_bits(&group->field) + 1) / 2 + 3) { + BN_zero(&group->cofactor); + return 1; + } + + if ((ctx = BN_CTX_new()) == NULL) + goto err; + + BN_CTX_start(ctx); + if ((q = BN_CTX_get(ctx)) == NULL) + goto err; + + /* Set q = 2**m for binary fields; q = p otherwise. */ + if (group->meth->field_type == NID_X9_62_characteristic_two_field) { + BN_zero(q); + if (!BN_set_bit(q, BN_num_bits(&group->field) - 1)) + goto err; + } else { + if (!BN_copy(q, &group->field)) + goto err; + } + + /* + * Compute + * h = \lfloor (q + 1)/n \rceil = \lfloor (q + 1 + n/2) / n \rfloor. 
+ */ + + /* h = n/2 */ + if (!BN_rshift1(&group->cofactor, &group->order)) + goto err; + /* h = 1 + n/2 */ + if (!BN_add(&group->cofactor, &group->cofactor, BN_value_one())) + goto err; + /* h = q + 1 + n/2 */ + if (!BN_add(&group->cofactor, &group->cofactor, q)) + goto err; + /* h = (q + 1 + n/2) / n */ + if (!BN_div_ct(&group->cofactor, NULL, &group->cofactor, &group->order, + ctx)) + goto err; + + ret = 1; + err: + BN_CTX_end(ctx); + BN_CTX_free(ctx); + BN_zero(&group->cofactor); + return ret; +} int EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, @@ -261,6 +336,33 @@ EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, ECerror(ERR_R_PASSED_NULL_PARAMETER); return 0; } + + /* Require group->field >= 1. */ + if (BN_is_zero(&group->field) || BN_is_negative(&group->field)) { + ECerror(EC_R_INVALID_FIELD); + return 0; + } + + /* + * Require order >= 1 and enforce an upper bound of at most one bit more + * than the field cardinality due to Hasse's theorem. + */ + if (order == NULL || BN_is_zero(order) || BN_is_negative(order) || + BN_num_bits(order) > BN_num_bits(&group->field) + 1) { + ECerror(EC_R_INVALID_GROUP_ORDER); + return 0; + } + + /* + * Unfortunately, the cofactor is an optional field in many standards. + * Internally, the library uses a 0 cofactor as a marker for "unknown + * cofactor". So accept cofactor == NULL or cofactor >= 0. + */ + if (cofactor != NULL && BN_is_negative(cofactor)) { + ECerror(EC_R_UNKNOWN_COFACTOR); + return 0; + } + if (group->generator == NULL) { group->generator = EC_POINT_new(group); if (group->generator == NULL) 
@@ -269,17 +371,15 @@ EC_GROUP_set_generator(EC_GROUP *group, const EC_POINT *generator, if (!EC_POINT_copy(group->generator, generator)) return 0; - if (order != NULL) { - if (!BN_copy(&group->order, order)) - return 0; - } else - BN_zero(&group->order); + if (!BN_copy(&group->order, order)) + return 0; - if (cofactor != NULL) { + /* Either take the provided positive cofactor, or try to compute it. */ + if (cofactor != NULL && !BN_is_zero(cofactor)) { if (!BN_copy(&group->cofactor, cofactor)) return 0; - } else - BN_zero(&group->cofactor); + } else if (!ec_guess_cofactor(group)) + return 0; return 1; } @@ -526,13 +626,30 @@ EC_GROUP_cmp(const EC_GROUP * a, const EC_GROUP * b, BN_CTX * ctx) return r; -err: + err: BN_CTX_end(ctx); if (ctx_new) BN_CTX_free(ctx); return -1; } +/* + * Coordinate blinding for EC_POINT. + * + * The underlying EC_METHOD can optionally implement this function: + * underlying implementations should return 0 on errors, or 1 on success. + * + * This wrapper returns 1 in case the underlying EC_METHOD does not support + * coordinate blinding. + */ +int +ec_point_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx) +{ + if (group->meth->blind_coordinates == NULL) + return 1; + + return group->meth->blind_coordinates(group, p, ctx); +} /* this has 'package' visibility */ int 
@@ -1026,47 +1143,88 @@ EC_POINTs_make_affine(const EC_GROUP *group, size_t num, EC_POINT *points[], } -/* Functions for point multiplication. - * - * If group->meth->mul is 0, we use the wNAF-based implementations in ec_mult.c; - * otherwise we dispatch through methods. - */ - +/* Functions for point multiplication */ int EC_POINTs_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, size_t num, const EC_POINT *points[], const BIGNUM *scalars[], BN_CTX *ctx) { - if (group->meth->mul == 0) - /* use default */ - return ec_wNAF_mul(group, r, scalar, num, points, scalars, ctx); - - return group->meth->mul(group, r, scalar, num, points, scalars, ctx); + /* + * The function pointers must be set, and only support num == 0 and + * num == 1. + */ + if (group->meth->mul_generator_ct == NULL || + group->meth->mul_single_ct == NULL || + group->meth->mul_double_nonct == NULL || + num > 1) { + ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + + /* Either bP or aG + bP, this is sane. 
*/ + if (num == 1 && points != NULL && scalars != NULL) + return EC_POINT_mul(group, r, scalar, points[0], scalars[0], + ctx); + + /* aG, this is sane */ + if (scalar != NULL && points == NULL && scalars == NULL) + return EC_POINT_mul(group, r, scalar, NULL, NULL, ctx); + + /* anything else is an error */ + ECerror(ERR_R_EC_LIB); + return 0; } int EC_POINT_mul(const EC_GROUP *group, EC_POINT *r, const BIGNUM *g_scalar, const EC_POINT *point, const BIGNUM *p_scalar, BN_CTX *ctx) { - /* just a convenient interface to EC_POINTs_mul() */ - - const EC_POINT *points[1]; - const BIGNUM *scalars[1]; - - points[0] = point; - scalars[0] = p_scalar; - - return EC_POINTs_mul(group, r, g_scalar, - (point != NULL && p_scalar != NULL), - points, scalars, ctx); + if (group->meth->mul_generator_ct == NULL || + group->meth->mul_single_ct == NULL || + group->meth->mul_double_nonct == NULL) { + ECerror(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; + } + if (g_scalar != NULL && point == NULL && p_scalar == NULL) { + /* + * In this case we want to compute g_scalar * GeneratorPoint: + * this codepath is reached most prominently by (ephemeral) key + * generation of EC cryptosystems (i.e. ECDSA keygen and sign + * setup, ECDH keygen/first half), where the scalar is always + * secret. This is why we ignore if BN_FLG_CONSTTIME is actually + * set and we always call the constant time version. + */ + return group->meth->mul_generator_ct(group, r, g_scalar, ctx); + } + if (g_scalar == NULL && point != NULL && p_scalar != NULL) { + /* In this case we want to compute p_scalar * GenericPoint: + * this codepath is reached most prominently by the second half + * of ECDH, where the secret scalar is multiplied by the peer's + * public point. To protect the secret scalar, we ignore if + * BN_FLG_CONSTTIME is actually set and we always call the + * constant time version. 
+ */ + return group->meth->mul_single_ct(group, r, p_scalar, point, + ctx); + } + if (g_scalar != NULL && point != NULL && p_scalar != NULL) { + /* + * In this case we want to compute + * g_scalar * GeneratorPoint + p_scalar * GenericPoint: + * this codepath is reached most prominently by ECDSA signature + * verification. So we call the non-ct version. + */ + return group->meth->mul_double_nonct(group, r, g_scalar, + p_scalar, point, ctx); + } + + /* Anything else is an error. */ + ECerror(ERR_R_EC_LIB); + return 0; } int EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx) { - if (group->meth->mul == 0) - /* use default */ - return ec_wNAF_precompute_mult(group, ctx); - if (group->meth->precompute_mult != 0) return group->meth->precompute_mult(group, ctx); else @@ -1076,10 +1234,6 @@ EC_GROUP_precompute_mult(EC_GROUP * group, BN_CTX * ctx) int EC_GROUP_have_precompute_mult(const EC_GROUP * group) { - if (group->meth->mul == 0) - /* use default */ - return ec_wNAF_have_precompute_mult(group); - if (group->meth->have_precompute_mult != 0) return group->meth->have_precompute_mult(group); else diff --git a/crypto/ec/ec_mult.c b/crypto/ec/ec_mult.c index a565263..05f89a5 100644 --- a/crypto/ec/ec_mult.c +++ b/crypto/ec/ec_mult.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_mult.c,v 1.21 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: ec_mult.c,v 1.24 2018/07/15 16:27:39 tb Exp $ */ /* * Originally written by Bodo Moeller and Nils Larsch for the OpenSSL project. */ @@ -301,7 +301,7 @@ compute_wNAF(const BIGNUM * scalar, int w, size_t * ret_len) len = j; ok = 1; -err: + err: if (!ok) { free(r); r = NULL; @@ -678,7 +678,7 @@ ec_wNAF_mul(const EC_GROUP * group, EC_POINT * r, const BIGNUM * scalar, ret = 1; -err: + err: BN_CTX_free(new_ctx); EC_POINT_free(tmp); free(wsize); @@ -857,7 +857,7 @@ ec_wNAF_precompute_mult(EC_GROUP * group, BN_CTX * ctx) pre_comp = NULL; ret = 1; -err: + err: if (ctx != NULL) BN_CTX_end(ctx); BN_CTX_free(new_ctx); 
diff --git a/crypto/ec/ec_pmeth.c b/crypto/ec/ec_pmeth.c index 08172fe..c57d26a 100644 --- a/crypto/ec/ec_pmeth.c +++ b/crypto/ec/ec_pmeth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ec_pmeth.c,v 1.10 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ec_pmeth.c,v 1.12 2019/09/09 18:06:25 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -66,6 +66,8 @@ #include #include +#include "ec_lcl.h" +#include "ech_locl.h" #include "evp_locl.h" /* EC pkey context structure */ @@ -75,17 +77,33 @@ typedef struct { EC_GROUP *gen_group; /* message digest */ const EVP_MD *md; + /* Duplicate key if custom cofactor needed */ + EC_KEY *co_key; + /* Cofactor mode */ + signed char cofactor_mode; + /* KDF (if any) to use for ECDH */ + char kdf_type; + /* Message digest to use for key derivation */ + const EVP_MD *kdf_md; + /* User key material */ + unsigned char *kdf_ukm; + size_t kdf_ukmlen; + /* KDF output length */ + size_t kdf_outlen; } EC_PKEY_CTX; static int pkey_ec_init(EVP_PKEY_CTX * ctx) { EC_PKEY_CTX *dctx; - dctx = malloc(sizeof(EC_PKEY_CTX)); - if (!dctx) + + if ((dctx = calloc(1, sizeof(EC_PKEY_CTX))) == NULL) { + ECerror(ERR_R_MALLOC_FAILURE); return 0; - dctx->gen_group = NULL; - dctx->md = NULL; + } + + dctx->cofactor_mode = -1; + dctx->kdf_type = EVP_PKEY_ECDH_KDF_NONE; ctx->data = dctx; @@ -106,6 +124,24 @@ pkey_ec_copy(EVP_PKEY_CTX * dst, EVP_PKEY_CTX * src) return 0; } dctx->md = sctx->md; + + if (sctx->co_key) { + dctx->co_key = EC_KEY_dup(sctx->co_key); + if (!dctx->co_key) + return 0; + } + dctx->kdf_type = sctx->kdf_type; + dctx->kdf_md = sctx->kdf_md; + dctx->kdf_outlen = sctx->kdf_outlen; + if (sctx->kdf_ukm) { + if ((dctx->kdf_ukm = calloc(1, sctx->kdf_ukmlen)) == NULL) + return 0; + memcpy(dctx->kdf_ukm, sctx->kdf_ukm, sctx->kdf_ukmlen); + } else + dctx->kdf_ukm = NULL; + + dctx->kdf_ukmlen = sctx->kdf_ukmlen; + return 1; } 
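Review bot: In pkey_ec_copy, `calloc(1, sctx->kdf_ukmlen)` is reached whenever `sctx->kdf_ukm` is non-NULL, and the EVP_PKEY_CTRL_EC_KDF_UKM case added later in this patch accepts a non-NULL buffer with `p1 == 0`, so copying a context with a zero-length UKM depends on whether calloc(1, 0) returns NULL on the platform. Guarding with `if (sctx->kdf_ukm != NULL && sctx->kdf_ukmlen > 0)` keeps the copy portable, and `kdf_ukmlen` is already copied unconditionally below the branch. pkey_ec_copy's head lies outside the hunk.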
@@ -113,9 +149,13 @@ static void pkey_ec_cleanup(EVP_PKEY_CTX * ctx) { EC_PKEY_CTX *dctx = ctx->data; - if (dctx) { + + if (dctx != NULL) { EC_GROUP_free(dctx->gen_group); + EC_KEY_free(dctx->co_key); + free(dctx->kdf_ukm); free(dctx); + ctx->data = NULL; } } @@ -140,9 +180,7 @@ pkey_ec_sign(EVP_PKEY_CTX * ctx, unsigned char *sig, size_t * siglen, else type = NID_sha1; - ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec); - if (ret <= 0) return ret; *siglen = (size_t) sltmp; @@ -174,13 +212,18 @@ pkey_ec_derive(EVP_PKEY_CTX * ctx, unsigned char *key, size_t * keylen) int ret; size_t outlen; const EC_POINT *pubkey = NULL; + EC_KEY *eckey; + EC_PKEY_CTX *dctx = ctx->data; + if (!ctx->pkey || !ctx->peerkey) { ECerror(EC_R_KEYS_NOT_SET); return 0; } + + eckey = dctx->co_key ? dctx->co_key : ctx->pkey->pkey.ec; if (!key) { const EC_GROUP *group; - group = EC_KEY_get0_group(ctx->pkey->pkey.ec); + group = EC_KEY_get0_group(eckey); *keylen = (EC_GROUP_get_degree(group) + 7) / 8; return 1; } 
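Review bot: As printed, the `@@ -140,9 +180,7 @@` hunk removes `ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec);` from pkey_ec_sign without adding a replacement (the header's 9-to-7 line count matches two plain deletions), which leaves `ret` uninitialized at the surviving `if (ret <= 0)` and `sltmp` never written before `*siglen = (size_t) sltmp;`. If the assignment survives elsewhere in the new file this is a rendering artifact, but it should be confirmed against the actual source; otherwise that line must stay. pkey_ec_sign begins before this hunk.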
@@ -193,18 +236,58 @@ pkey_ec_derive(EVP_PKEY_CTX * ctx, unsigned char *key, size_t * keylen) outlen = *keylen; - ret = ECDH_compute_key(key, outlen, pubkey, ctx->pkey->pkey.ec, 0); - if (ret < 0) - return ret; + ret = ECDH_compute_key(key, outlen, pubkey, eckey, 0); + if (ret <= 0) + return 0; + *keylen = ret; + return 1; } +static int +pkey_ec_kdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, size_t *keylen) +{ + EC_PKEY_CTX *dctx = ctx->data; + unsigned char *ktmp = NULL; + size_t ktmplen; + int rv = 0; + + if (dctx->kdf_type == EVP_PKEY_ECDH_KDF_NONE) + return pkey_ec_derive(ctx, key, keylen); + + if (!key) { + *keylen = dctx->kdf_outlen; + return 1; + } + if (*keylen != dctx->kdf_outlen) + return 0; + if (!pkey_ec_derive(ctx, NULL, &ktmplen)) + return 0; + if ((ktmp = calloc(1, ktmplen)) == NULL) { + ECerror(ERR_R_MALLOC_FAILURE); + return 0; + } + if (!pkey_ec_derive(ctx, ktmp, &ktmplen)) + goto err; + /* Do KDF stuff */ + if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen, dctx->kdf_ukm, + dctx->kdf_ukmlen, dctx->kdf_md)) + goto err; + rv = 1; + + err: + freezero(ktmp, ktmplen); + + return rv; +} + static int pkey_ec_ctrl(EVP_PKEY_CTX * ctx, int type, int p1, void *p2) { EC_PKEY_CTX *dctx = ctx->data; EC_GROUP *group; + switch (type) { case EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID: group = EC_GROUP_new_by_curve_name(p1); 
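Review bot: pkey_ec_kdf_derive hands `dctx->kdf_md` to ecdh_KDF_X9_63 without checking it; EVP_PKEY_CTRL_EC_KDF_MD stores whatever `p2` it is given and nothing in this patch requires a digest to be set before deriving, so with kdf_type X9_63 and no digest the failure, if any, surfaces only inside the KDF, presumably from EVP_MD_size() or EVP_DigestInit_ex() on a NULL md. An explicit check after the kdf_type test, `if (dctx->kdf_md == NULL) { ECerror(EC_R_INVALID_DIGEST); return 0; }`, reports the real cause at the call site instead.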
@@ -216,6 +299,86 @@ pkey_ec_ctrl(EVP_PKEY_CTX * ctx, int type, int p1, void *p2) dctx->gen_group = group; return 1; + case EVP_PKEY_CTRL_EC_PARAM_ENC: + if (!dctx->gen_group) { + ECerror(EC_R_NO_PARAMETERS_SET); + return 0; + } + EC_GROUP_set_asn1_flag(dctx->gen_group, p1); + return 1; + + case EVP_PKEY_CTRL_EC_ECDH_COFACTOR: + if (p1 == -2) { + if (dctx->cofactor_mode != -1) + return dctx->cofactor_mode; + else { + EC_KEY *ec_key = ctx->pkey->pkey.ec; + return EC_KEY_get_flags(ec_key) & EC_FLAG_COFACTOR_ECDH ? 1 : 0; + } + } else if (p1 < -1 || p1 > 1) + return -2; + dctx->cofactor_mode = p1; + if (p1 != -1) { + EC_KEY *ec_key = ctx->pkey->pkey.ec; + if (!ec_key->group) + return -2; + /* If cofactor is 1 cofactor mode does nothing */ + if (BN_is_one(&ec_key->group->cofactor)) + return 1; + if (!dctx->co_key) { + dctx->co_key = EC_KEY_dup(ec_key); + if (!dctx->co_key) + return 0; + } + if (p1) + EC_KEY_set_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH); + else + EC_KEY_clear_flags(dctx->co_key, EC_FLAG_COFACTOR_ECDH); + } else { + EC_KEY_free(dctx->co_key); + dctx->co_key = NULL; + } + return 1; + + case EVP_PKEY_CTRL_EC_KDF_TYPE: + if (p1 == -2) + return dctx->kdf_type; + if (p1 != EVP_PKEY_ECDH_KDF_NONE && p1 != EVP_PKEY_ECDH_KDF_X9_63) + return -2; + dctx->kdf_type = p1; + return 1; + + case EVP_PKEY_CTRL_EC_KDF_MD: + dctx->kdf_md = p2; + return 1; + + case EVP_PKEY_CTRL_GET_EC_KDF_MD: + *(const EVP_MD **)p2 = dctx->kdf_md; + return 1; + + case EVP_PKEY_CTRL_EC_KDF_OUTLEN: + if (p1 <= 0) + return -2; + dctx->kdf_outlen = (size_t)p1; + return 1; + + case EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN: + *(int *)p2 = dctx->kdf_outlen; + return 1; + + case EVP_PKEY_CTRL_EC_KDF_UKM: + free(dctx->kdf_ukm); + dctx->kdf_ukm = p2; + if (p2) + dctx->kdf_ukmlen = p1; + else + dctx->kdf_ukmlen = 0; + return 1; + + case EVP_PKEY_CTRL_GET_EC_KDF_UKM: + *(unsigned char **)p2 = dctx->kdf_ukm; + return dctx->kdf_ukmlen; + case EVP_PKEY_CTRL_MD: if (EVP_MD_type((const EVP_MD *) p2) != NID_sha1 && 
EVP_MD_type((const EVP_MD *) p2) != NID_ecdsa_with_SHA1 && @@ -229,6 +392,10 @@ pkey_ec_ctrl(EVP_PKEY_CTX * ctx, int type, int p1, void *p2) dctx->md = p2; return 1; + case EVP_PKEY_CTRL_GET_MD: + *(const EVP_MD **)p2 = dctx->md; + return 1; + case EVP_PKEY_CTRL_PEER_KEY: /* Default behaviour is OK */ case EVP_PKEY_CTRL_DIGESTINIT: @@ -243,8 +410,7 @@ pkey_ec_ctrl(EVP_PKEY_CTX * ctx, int type, int p1, void *p2) } static int -pkey_ec_ctrl_str(EVP_PKEY_CTX * ctx, - const char *type, const char *value) +pkey_ec_ctrl_str(EVP_PKEY_CTX * ctx, const char *type, const char *value) { if (!strcmp(type, "ec_paramgen_curve")) { int nid; @@ -258,6 +424,26 @@ pkey_ec_ctrl_str(EVP_PKEY_CTX * ctx, return 0; } return EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid); + } else if (strcmp(type, "ec_param_enc") == 0) { + int param_enc; + if (strcmp(value, "explicit") == 0) + param_enc = 0; + else if (strcmp(value, "named_curve") == 0) + param_enc = OPENSSL_EC_NAMED_CURVE; + else + return -2; + return EVP_PKEY_CTX_set_ec_param_enc(ctx, param_enc); + } else if (strcmp(type, "ecdh_kdf_md") == 0) { + const EVP_MD *md; + if ((md = EVP_get_digestbyname(value)) == NULL) { + ECerror(EC_R_INVALID_DIGEST); + return 0; + } + return EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md); + } else if (strcmp(type, "ecdh_cofactor_mode") == 0) { + int co_mode; + co_mode = atoi(value); + return EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, co_mode); } return -2; } 
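Review bot: In the EVP_PKEY_CTRL_EC_ECDH_COFACTOR case both `EC_KEY *ec_key = ctx->pkey->pkey.ec;` lines dereference `ctx->pkey` unchecked, while pkey_ec_keygen in this same patch explicitly supports a context with `ctx->pkey == NULL` (parameters taken from `gen_group`); a cofactor-mode ctrl on such a context, e.g. through the `ecdh_cofactor_mode` ctrl_str added below, dereferences NULL. Guard the case up front with `if (ctx->pkey == NULL) { ECerror(EC_R_KEYS_NOT_SET); return 0; }`. The EVP_PKEY_CTRL_EC_KDF_UKM case also stores the int `p1` into the size_t `kdf_ukmlen` without rejecting negatives; `if (p1 < 0) return -2;` before the assignment closes that. pkey_ec_ctrl continues past the end of the hunk.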
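Review bot: The `ecdh_cofactor_mode` branch of pkey_ec_ctrl_str parses the value with `co_mode = atoi(value);`, so a non-numeric string silently becomes mode 0 (cofactor ECDH off) instead of being rejected, while out-of-range numbers are only caught later by the ctrl's `p1 < -1 || p1 > 1` test. Parsing with a range-checked converter (strtonum(3) with bounds -1 and 1, if it is available to this file) and returning -2 when it reports an error would make the string ctrl as strict as the integer one.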
@@ -287,18 +473,29 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * ctx, EVP_PKEY * pkey) { EC_KEY *ec = NULL; - if (ctx->pkey == NULL) { + EC_PKEY_CTX *dctx = ctx->data; + + if (ctx->pkey == NULL && dctx->gen_group == NULL) { ECerror(EC_R_NO_PARAMETERS_SET); return 0; } ec = EC_KEY_new(); - if (!ec) + if (ec == NULL) return 0; - EVP_PKEY_assign_EC_KEY(pkey, ec); - /* Note: if error return, pkey is freed by parent routine */ - if (!EVP_PKEY_copy_parameters(pkey, ctx->pkey)) + if (!EVP_PKEY_assign_EC_KEY(pkey, ec)) { + EC_KEY_free(ec); return 0; - return EC_KEY_generate_key(pkey->pkey.ec); + } + /* Note: if error is returned, we count on caller to free pkey->pkey.ec */ + if (ctx->pkey != NULL) { + if (!EVP_PKEY_copy_parameters(pkey, ctx->pkey)) + return 0; + } else { + if (!EC_KEY_set_group(ec, dctx->gen_group)) + return 0; + } + + return EC_KEY_generate_key(ec); } const EVP_PKEY_METHOD ec_pkey_meth = { @@ -316,7 +513,7 @@ const EVP_PKEY_METHOD ec_pkey_meth = { .verify = pkey_ec_verify, - .derive = pkey_ec_derive, + .derive = pkey_ec_kdf_derive, .ctrl = pkey_ec_ctrl, .ctrl_str = pkey_ec_ctrl_str diff --git a/crypto/ec/eck_prn.c b/crypto/ec/eck_prn.c index 653d78e..be57d87 100644 --- a/crypto/ec/eck_prn.c +++ b/crypto/ec/eck_prn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eck_prn.c,v 1.12 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: eck_prn.c,v 1.15 2018/07/15 16:27:39 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -321,7 +321,7 @@ ECPKParameters_print(BIO * bp, const EC_GROUP * x, int off) goto err; } ret = 1; -err: + err: if (!ret) ECerror(reason); BN_free(p); diff --git a/crypto/ec/ecp_mont.c b/crypto/ec/ecp_mont.c index 68fc26d..f4dff9a 100644 --- a/crypto/ec/ecp_mont.c +++ b/crypto/ec/ecp_mont.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecp_mont.c,v 1.11 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ecp_mont.c,v 1.17 2018/11/05 20:18:21 tb Exp $ */ /* * Originally written by Bodo Moeller for the OpenSSL project. */ 
@@ -102,11 +102,15 @@ EC_GFp_mont_method(void) .point_cmp = ec_GFp_simple_cmp, .make_affine = ec_GFp_simple_make_affine, .points_make_affine = ec_GFp_simple_points_make_affine, + .mul_generator_ct = ec_GFp_simple_mul_generator_ct, + .mul_single_ct = ec_GFp_simple_mul_single_ct, + .mul_double_nonct = ec_GFp_simple_mul_double_nonct, .field_mul = ec_GFp_mont_field_mul, .field_sqr = ec_GFp_mont_field_sqr, .field_encode = ec_GFp_mont_field_encode, .field_decode = ec_GFp_mont_field_decode, - .field_set_to_one = ec_GFp_mont_field_set_to_one + .field_set_to_one = ec_GFp_mont_field_set_to_one, + .blind_coordinates = ec_GFp_simple_blind_coordinates, }; return &ret; @@ -172,7 +176,7 @@ ec_GFp_mont_group_copy(EC_GROUP * dest, const EC_GROUP * src) } return 1; -err: + err: if (dest->field_data1 != NULL) { BN_MONT_CTX_free(dest->field_data1); dest->field_data1 = NULL; @@ -225,7 +229,7 @@ ec_GFp_mont_group_set_curve(EC_GROUP *group, const BIGNUM *p, const BIGNUM *a, BN_free(group->field_data2); group->field_data2 = NULL; } -err: + err: BN_CTX_free(new_ctx); BN_MONT_CTX_free(mont); BN_free(one); diff --git a/crypto/ec/ecp_nist.c b/crypto/ec/ecp_nist.c index 24cba64..073c041 100644 --- a/crypto/ec/ecp_nist.c +++ b/crypto/ec/ecp_nist.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecp_nist.c,v 1.10 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ecp_nist.c,v 1.15 2018/11/05 20:18:21 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project. */ @@ -103,8 +103,12 @@ EC_GFp_nist_method(void) .point_cmp = ec_GFp_simple_cmp, .make_affine = ec_GFp_simple_make_affine, .points_make_affine = ec_GFp_simple_points_make_affine, + .mul_generator_ct = ec_GFp_simple_mul_generator_ct, + .mul_single_ct = ec_GFp_simple_mul_single_ct, + .mul_double_nonct = ec_GFp_simple_mul_double_nonct, .field_mul = ec_GFp_nist_field_mul, - .field_sqr = ec_GFp_nist_field_sqr + .field_sqr = ec_GFp_nist_field_sqr, + .blind_coordinates = ec_GFp_simple_blind_coordinates, }; return &ret; 
@@ -151,7 +155,7 @@ ec_GFp_nist_group_set_curve(EC_GROUP *group, const BIGNUM *p, ret = ec_GFp_simple_group_set_curve(group, p, a, b, ctx); -err: + err: BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; @@ -179,7 +183,7 @@ ec_GFp_nist_field_mul(const EC_GROUP *group, BIGNUM *r, const BIGNUM *a, goto err; ret = 1; -err: + err: BN_CTX_free(ctx_new); return ret; } @@ -206,7 +210,7 @@ ec_GFp_nist_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, goto err; ret = 1; -err: + err: BN_CTX_free(ctx_new); return ret; } diff --git a/crypto/ec/ecp_oct.c b/crypto/ec/ecp_oct.c index b93b516..90c5ca2 100644 --- a/crypto/ec/ecp_oct.c +++ b/crypto/ec/ecp_oct.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecp_oct.c,v 1.8 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ecp_oct.c,v 1.11 2018/07/15 16:27:39 tb Exp $ */ /* Includes code written by Lenka Fibikova * for the OpenSSL project. * Includes code written by Bodo Moeller for the OpenSSL project. @@ -190,7 +190,7 @@ ec_GFp_simple_set_compressed_coordinates(const EC_GROUP * group, ret = 1; -err: + err: BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; @@ -294,7 +294,7 @@ ec_GFp_simple_point2oct(const EC_GROUP * group, const EC_POINT * point, point_co BN_CTX_free(new_ctx); return ret; -err: + err: if (used_ctx) BN_CTX_end(ctx); BN_CTX_free(new_ctx); @@ -388,7 +388,7 @@ ec_GFp_simple_oct2point(const EC_GROUP * group, EC_POINT * point, } ret = 1; -err: + err: BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; diff --git a/crypto/ec/ecp_smpl.c b/crypto/ec/ecp_smpl.c index ddba49c..3957bd1 100644 --- a/crypto/ec/ecp_smpl.c +++ b/crypto/ec/ecp_smpl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecp_smpl.c,v 1.17 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ecp_smpl.c,v 1.29 2018/11/15 05:53:31 tb Exp $ */ /* Includes code written by Lenka Fibikova * for the OpenSSL project. * Includes code written by Bodo Moeller for the OpenSSL project. 
@@ -103,8 +103,12 @@ EC_GFp_simple_method(void) .point_cmp = ec_GFp_simple_cmp, .make_affine = ec_GFp_simple_make_affine, .points_make_affine = ec_GFp_simple_points_make_affine, + .mul_generator_ct = ec_GFp_simple_mul_generator_ct, + .mul_single_ct = ec_GFp_simple_mul_single_ct, + .mul_double_nonct = ec_GFp_simple_mul_double_nonct, .field_mul = ec_GFp_simple_field_mul, - .field_sqr = ec_GFp_simple_field_sqr + .field_sqr = ec_GFp_simple_field_sqr, + .blind_coordinates = ec_GFp_simple_blind_coordinates, }; return &ret; @@ -220,7 +224,7 @@ ec_GFp_simple_group_set_curve(EC_GROUP * group, ret = 1; -err: + err: BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; @@ -265,7 +269,7 @@ ec_GFp_simple_group_get_curve(const EC_GROUP * group, BIGNUM * p, BIGNUM * a, BI } ret = 1; -err: + err: BN_CTX_free(new_ctx); return ret; } @@ -346,7 +350,7 @@ ec_GFp_simple_group_check_discriminant(const EC_GROUP * group, BN_CTX * ctx) } ret = 1; -err: + err: if (ctx != NULL) BN_CTX_end(ctx); BN_CTX_free(new_ctx); @@ -456,7 +460,7 @@ ec_GFp_simple_set_Jprojective_coordinates_GFp(const EC_GROUP * group, EC_POINT * } ret = 1; -err: + err: BN_CTX_free(new_ctx); return ret; } @@ -504,7 +508,7 @@ ec_GFp_simple_get_Jprojective_coordinates_GFp(const EC_GROUP * group, const EC_P ret = 1; -err: + err: BN_CTX_free(new_ctx); return ret; } @@ -624,7 +628,7 @@ ec_GFp_simple_point_get_affine_coordinates(const EC_GROUP * group, const EC_POIN ret = 1; -err: + err: BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; @@ -811,7 +815,7 @@ ec_GFp_simple_add(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, cons ret = 1; -end: + end: if (ctx) /* otherwise we already called BN_CTX_end */ BN_CTX_end(ctx); BN_CTX_free(new_ctx); @@ -954,7 +958,7 @@ ec_GFp_simple_dbl(const EC_GROUP * group, EC_POINT * r, const EC_POINT * a, BN_C ret = 1; -err: + err: BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; 
@@ -1075,7 +1079,7 @@ ec_GFp_simple_is_on_curve(const EC_GROUP * group, const EC_POINT * point, BN_CTX ret = (0 == BN_ucmp(tmp, rh)); -err: + err: BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; @@ -1177,7 +1181,7 @@ ec_GFp_simple_cmp(const EC_GROUP * group, const EC_POINT * a, const EC_POINT * b /* points are equal */ ret = 0; -end: + end: BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; @@ -1215,7 +1219,7 @@ ec_GFp_simple_make_affine(const EC_GROUP * group, EC_POINT * point, BN_CTX * ctx } ret = 1; -err: + err: BN_CTX_end(ctx); BN_CTX_free(new_ctx); return ret; @@ -1380,7 +1384,7 @@ ec_GFp_simple_points_make_affine(const EC_GROUP * group, size_t num, EC_POINT * ret = 1; -err: + err: BN_CTX_end(ctx); BN_CTX_free(new_ctx); if (heap != NULL) { 
@@ -1403,9 +1407,319 @@ ec_GFp_simple_field_mul(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, co return BN_mod_mul(r, a, b, &group->field, ctx); } - int ec_GFp_simple_field_sqr(const EC_GROUP * group, BIGNUM * r, const BIGNUM * a, BN_CTX * ctx) { return BN_mod_sqr(r, a, &group->field, ctx); } + +/* + * Apply randomization of EC point projective coordinates: + * + * (X, Y, Z) = (lambda^2 * X, lambda^3 * Y, lambda * Z) + * + * where lambda is in the interval [1, group->field). + */ +int +ec_GFp_simple_blind_coordinates(const EC_GROUP *group, EC_POINT *p, BN_CTX *ctx) +{ + BIGNUM *lambda = NULL; + BIGNUM *tmp = NULL; + int ret = 0; + + BN_CTX_start(ctx); + if ((lambda = BN_CTX_get(ctx)) == NULL) + goto err; + if ((tmp = BN_CTX_get(ctx)) == NULL) + goto err; + + /* Generate lambda in [1, group->field - 1] */ + if (!bn_rand_interval(lambda, BN_value_one(), &group->field)) + goto err; + + if (group->meth->field_encode != NULL && + !group->meth->field_encode(group, lambda, lambda, ctx)) + goto err; + + /* Z = lambda * Z */ + if (!group->meth->field_mul(group, &p->Z, lambda, &p->Z, ctx)) + goto err; + + /* tmp = lambda^2 */ + if (!group->meth->field_sqr(group, tmp, lambda, ctx)) + goto err; + + /* X = lambda^2 * X */ + if (!group->meth->field_mul(group, &p->X, tmp, &p->X, ctx)) + goto err; + + /* tmp = lambda^3 */ + if (!group->meth->field_mul(group, tmp, tmp, lambda, ctx)) + goto err; + + /* Y = lambda^3 * Y */ + if (!group->meth->field_mul(group, &p->Y, tmp, &p->Y, ctx)) + goto err; + + /* Disable optimized arithmetics after replacing Z by lambda * Z. 
*/ + p->Z_is_one = 0; + + ret = 1; + + err: + BN_CTX_end(ctx); + return ret; +} + + +#define EC_POINT_BN_set_flags(P, flags) do { \ + BN_set_flags(&(P)->X, (flags)); \ + BN_set_flags(&(P)->Y, (flags)); \ + BN_set_flags(&(P)->Z, (flags)); \ +} while(0) + +#define EC_POINT_CSWAP(c, a, b, w, t) do { \ + if (!BN_swap_ct(c, &(a)->X, &(b)->X, w) || \ + !BN_swap_ct(c, &(a)->Y, &(b)->Y, w) || \ + !BN_swap_ct(c, &(a)->Z, &(b)->Z, w)) \ + goto err; \ + t = ((a)->Z_is_one ^ (b)->Z_is_one) & (c); \ + (a)->Z_is_one ^= (t); \ + (b)->Z_is_one ^= (t); \ +} while(0) + +/* + * This function computes (in constant time) a point multiplication over the + * EC group. + * + * At a high level, it is Montgomery ladder with conditional swaps. + * + * It performs either a fixed point multiplication + * (scalar * generator) + * when point is NULL, or a variable point multiplication + * (scalar * point) + * when point is not NULL. + * + * scalar should be in the range [0,n) otherwise all constant time bets are off. + * + * NB: This says nothing about EC_POINT_add and EC_POINT_dbl, + * which of course are not constant time themselves. + * + * The product is stored in r. + * + * Returns 1 on success, 0 otherwise. 
+ */ +static int +ec_GFp_simple_mul_ct(const EC_GROUP *group, EC_POINT *r, const BIGNUM *scalar, + const EC_POINT *point, BN_CTX *ctx) +{ + int i, cardinality_bits, group_top, kbit, pbit, Z_is_one; + EC_POINT *s = NULL; + BIGNUM *k = NULL; + BIGNUM *lambda = NULL; + BIGNUM *cardinality = NULL; + BN_CTX *new_ctx = NULL; + int ret = 0; + + if (ctx == NULL && (ctx = new_ctx = BN_CTX_new()) == NULL) + return 0; + + BN_CTX_start(ctx); + + if ((s = EC_POINT_new(group)) == NULL) + goto err; + + if (point == NULL) { + if (!EC_POINT_copy(s, group->generator)) + goto err; + } else { + if (!EC_POINT_copy(s, point)) + goto err; + } + + EC_POINT_BN_set_flags(s, BN_FLG_CONSTTIME); + + if ((cardinality = BN_CTX_get(ctx)) == NULL) + goto err; + if ((lambda = BN_CTX_get(ctx)) == NULL) + goto err; + if ((k = BN_CTX_get(ctx)) == NULL) + goto err; + if (!BN_mul(cardinality, &group->order, &group->cofactor, ctx)) + goto err; + + /* + * Group cardinalities are often on a word boundary. + * So when we pad the scalar, some timing diff might + * pop if it needs to be expanded due to carries. + * So expand ahead of time. 
+ */ + cardinality_bits = BN_num_bits(cardinality); + group_top = cardinality->top; + if ((bn_wexpand(k, group_top + 2) == NULL) || + (bn_wexpand(lambda, group_top + 2) == NULL)) + goto err; + + if (!BN_copy(k, scalar)) + goto err; + + BN_set_flags(k, BN_FLG_CONSTTIME); + + if (BN_num_bits(k) > cardinality_bits || BN_is_negative(k)) { + /* + * This is an unusual input, and we don't guarantee + * constant-timeness + */ + if (!BN_nnmod(k, k, cardinality, ctx)) + goto err; + } + + if (!BN_add(lambda, k, cardinality)) + goto err; + BN_set_flags(lambda, BN_FLG_CONSTTIME); + if (!BN_add(k, lambda, cardinality)) + goto err; + /* + * lambda := scalar + cardinality + * k := scalar + 2*cardinality + */ + kbit = BN_is_bit_set(lambda, cardinality_bits); + if (!BN_swap_ct(kbit, k, lambda, group_top + 2)) + goto err; + + group_top = group->field.top; + if ((bn_wexpand(&s->X, group_top) == NULL) || + (bn_wexpand(&s->Y, group_top) == NULL) || + (bn_wexpand(&s->Z, group_top) == NULL) || + (bn_wexpand(&r->X, group_top) == NULL) || + (bn_wexpand(&r->Y, group_top) == NULL) || + (bn_wexpand(&r->Z, group_top) == NULL)) + goto err; + + /* + * Apply coordinate blinding for EC_POINT if the underlying EC_METHOD + * implements it. + */ + if (!ec_point_blind_coordinates(group, s, ctx)) + goto err; + + /* top bit is a 1, in a fixed pos */ + if (!EC_POINT_copy(r, s)) + goto err; + + EC_POINT_BN_set_flags(r, BN_FLG_CONSTTIME); + + if (!EC_POINT_dbl(group, s, s, ctx)) + goto err; + + pbit = 0; + + /* + * The ladder step, with branches, is + * + * k[i] == 0: S = add(R, S), R = dbl(R) + * k[i] == 1: R = add(S, R), S = dbl(S) + * + * Swapping R, S conditionally on k[i] leaves you with state + * + * k[i] == 0: T, U = R, S + * k[i] == 1: T, U = S, R + * + * Then perform the ECC ops. 
+ * + * U = add(T, U) + * T = dbl(T) + * + * Which leaves you with state + * + * k[i] == 0: U = add(R, S), T = dbl(R) + * k[i] == 1: U = add(S, R), T = dbl(S) + * + * Swapping T, U conditionally on k[i] leaves you with state + * + * k[i] == 0: R, S = T, U + * k[i] == 1: R, S = U, T + * + * Which leaves you with state + * + * k[i] == 0: S = add(R, S), R = dbl(R) + * k[i] == 1: R = add(S, R), S = dbl(S) + * + * So we get the same logic, but instead of a branch it's a + * conditional swap, followed by ECC ops, then another conditional swap. + * + * Optimization: The end of iteration i and start of i-1 looks like + * + * ... + * CSWAP(k[i], R, S) + * ECC + * CSWAP(k[i], R, S) + * (next iteration) + * CSWAP(k[i-1], R, S) + * ECC + * CSWAP(k[i-1], R, S) + * ... + * + * So instead of two contiguous swaps, you can merge the condition + * bits and do a single swap. + * + * k[i] k[i-1] Outcome + * 0 0 No Swap + * 0 1 Swap + * 1 0 Swap + * 1 1 No Swap + * + * This is XOR. pbit tracks the previous bit of k. 
+ */ + + for (i = cardinality_bits - 1; i >= 0; i--) { + kbit = BN_is_bit_set(k, i) ^ pbit; + EC_POINT_CSWAP(kbit, r, s, group_top, Z_is_one); + if (!EC_POINT_add(group, s, r, s, ctx)) + goto err; + if (!EC_POINT_dbl(group, r, r, ctx)) + goto err; + /* + * pbit logic merges this cswap with that of the + * next iteration + */ + pbit ^= kbit; + } + /* one final cswap to move the right value into r */ + EC_POINT_CSWAP(pbit, r, s, group_top, Z_is_one); + + ret = 1; + + err: + EC_POINT_free(s); + if (ctx != NULL) + BN_CTX_end(ctx); + BN_CTX_free(new_ctx); + + return ret; +} + +#undef EC_POINT_BN_set_flags +#undef EC_POINT_CSWAP + +int +ec_GFp_simple_mul_generator_ct(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, BN_CTX *ctx) +{ + return ec_GFp_simple_mul_ct(group, r, scalar, NULL, ctx); +} + +int +ec_GFp_simple_mul_single_ct(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *scalar, const EC_POINT *point, BN_CTX *ctx) +{ + return ec_GFp_simple_mul_ct(group, r, scalar, point, ctx); +} + +int +ec_GFp_simple_mul_double_nonct(const EC_GROUP *group, EC_POINT *r, + const BIGNUM *g_scalar, const BIGNUM *p_scalar, const EC_POINT *point, + BN_CTX *ctx) +{ + return ec_wNAF_mul(group, r, g_scalar, 1, &point, &p_scalar, ctx); +} diff --git a/crypto/ecdh/ecdh_kdf.c b/crypto/ecdh/ecdh_kdf.c new file mode 100644 index 0000000..2539862 --- /dev/null +++ b/crypto/ecdh/ecdh_kdf.c 
@@ -0,0 +1,119 @@ +/* + * Written by Stephen Henson for the OpenSSL project. + */ +/* ==================================================================== + * Copyright (c) 2013 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#include + +#include +#include + +#include "ech_locl.h" + +/* + * Key derivation function from X9.63/SECG. + */ + +/* Way more than we will ever need */ +#define ECDH_KDF_MAX (1 << 30) + +int +ecdh_KDF_X9_63(unsigned char *out, size_t outlen, const unsigned char *Z, + size_t Zlen, const unsigned char *sinfo, size_t sinfolen, const EVP_MD *md) +{ + EVP_MD_CTX *mctx = NULL; + unsigned int i; + size_t mdlen; + unsigned char ctr[4]; + int rv = 0; + + if (sinfolen > ECDH_KDF_MAX || outlen > ECDH_KDF_MAX || + Zlen > ECDH_KDF_MAX) + return 0; + mctx = EVP_MD_CTX_new(); + if (mctx == NULL) + return 0; + mdlen = EVP_MD_size(md); + for (i = 1;; i++) { + unsigned char mtmp[EVP_MAX_MD_SIZE]; + if (!EVP_DigestInit_ex(mctx, md, NULL)) + goto err; + ctr[3] = i & 0xFF; + ctr[2] = (i >> 8) & 0xFF; + ctr[1] = (i >> 16) & 0xFF; + ctr[0] = (i >> 24) & 0xFF; + if (!EVP_DigestUpdate(mctx, Z, Zlen)) + goto err; + if (!EVP_DigestUpdate(mctx, ctr, sizeof(ctr))) + goto err; + if (!EVP_DigestUpdate(mctx, sinfo, sinfolen)) + goto err; + if (outlen >= mdlen) { + if (!EVP_DigestFinal(mctx, out, NULL)) + goto err; + outlen -= mdlen; + if (outlen == 0) + break; + out += mdlen; + } else { + if (!EVP_DigestFinal(mctx, mtmp, NULL)) + goto err; + memcpy(out, mtmp, outlen); + explicit_bzero(mtmp, mdlen); + break; + } + } + rv = 1; + + err: + EVP_MD_CTX_free(mctx); + + return rv; +} 
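Review bot: `mdlen = EVP_MD_size(md);` in ecdh_KDF_X9_63 converts an int to size_t without checking it, so a digest reporting size 0 (or a negative error value) makes `outlen >= mdlen` always true and the loop advances `out` by zero bytes without ever terminating. Guard it before the loop with an `int mdsize` local: `if (md == NULL || (mdsize = EVP_MD_size(md)) <= 0) return 0; mdlen = mdsize;`. The three `ECDH_KDF_MAX` bounds are what keep the 32-bit counter `i` far from wrapping; a comment saying so next to the `#define` would make that intent explicit rather than leaving "way more than we will ever need" as the only rationale.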
diff --git a/crypto/ecdh/ech_key.c b/crypto/ecdh/ech_key.c index 5c2dc70..378912c 100644 --- a/crypto/ecdh/ech_key.c +++ b/crypto/ecdh/ech_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ech_key.c,v 1.7 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ech_key.c,v 1.9 2019/01/19 01:12:48 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -78,6 +78,7 @@ #include #include "ech_locl.h" +#include "ec_lcl.h" static int ecdh_compute_key(void *out, size_t len, const EC_POINT *pub_key, EC_KEY *ecdh, @@ -125,6 +126,10 @@ ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, } group = EC_KEY_get0_group(ecdh); + + if (!EC_POINT_is_on_curve(group, pub_key, ctx)) + goto err; + if ((tmp = EC_POINT_new(group)) == NULL) { ECDHerror(ERR_R_MALLOC_FAILURE); goto err; @@ -211,13 +216,26 @@ ECDH_OpenSSL(void) return &openssl_ecdh_meth; } +/* replace w/ ecdh_compute_key() when ECDH_METHOD gets removed */ +int +ossl_ecdh_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, + EC_KEY *eckey, + void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen)) +{ + ECDH_DATA *ecdh; + + if ((ecdh = ecdh_check(eckey)) == NULL) + return 0; + return ecdh->meth->compute_key(out, outlen, pub_key, eckey, KDF); +} + int ECDH_compute_key(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *eckey, void *(*KDF)(const void *in, size_t inlen, void *out, size_t *outlen)) { - ECDH_DATA *ecdh = ecdh_check(eckey); - if (ecdh == NULL) - return 0; - return ecdh->meth->compute_key(out, outlen, pub_key, eckey, KDF); + if (eckey->meth->compute_key != NULL) + return eckey->meth->compute_key(out, outlen, pub_key, eckey, KDF); + ECerror(EC_R_NOT_IMPLEMENTED); + return 0; } diff --git a/crypto/ecdh/ech_lib.c b/crypto/ecdh/ech_lib.c index 2846a88..cc8edaf 100644 --- a/crypto/ecdh/ech_lib.c +++ b/crypto/ecdh/ech_lib.c 
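Review bot: `if (!EC_POINT_is_on_curve(group, pub_key, ctx)) goto err;` in ecdh_compute_key accepts the -1 error return of EC_POINT_is_on_curve as "on curve", since `!(-1)` is false; only an explicit 0 is rejected. Compare with 1 and push a reason like the neighbouring failure paths do: `if (EC_POINT_is_on_curve(group, pub_key, ctx) != 1) { ECDHerror(ERR_R_EC_LIB); goto err; }`. A peer-supplied point that is not on the curve is the input an invalid-curve attack relies on, so a one-line comment naming that as the purpose of the check would help the next reader keep it. ecdh_compute_key continues on both sides of the hunk.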
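Review bot: The new body of ECDH_compute_key dereferences `eckey->meth->compute_key` with no check that `eckey` or `eckey->meth` is non-NULL, whereas the removed `ecdh_check(eckey)` path returned 0 on failure (whether it tolerated a NULL key is inferred; its body is outside the diff). A guard such as `if (eckey == NULL || eckey->meth == NULL) { ECerror(ERR_R_PASSED_NULL_PARAMETER); return 0; }` keeps callers from crashing on a half-initialised key. The same dispatch pattern in ecs_sign.c and ecs_vrf.c reports `EVP_R_METHOD_NOT_SUPPORTED` via ECDSAerror, while this one uses `ECerror(EC_R_NOT_IMPLEMENTED)`; one reason code for "method slot empty" across the three files would be easier for callers to handle.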
@@ -1,4 +1,4 @@ -/* $OpenBSD: ech_lib.c,v 1.13 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: ech_lib.c,v 1.14 2018/04/14 07:09:21 tb Exp $ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * @@ -109,10 +109,8 @@ ECDH_set_method(EC_KEY *eckey, const ECDH_METHOD *meth) return 0; #ifndef OPENSSL_NO_ENGINE - if (ecdh->engine) { - ENGINE_finish(ecdh->engine); - ecdh->engine = NULL; - } + ENGINE_finish(ecdh->engine); + ecdh->engine = NULL; #endif ecdh->meth = meth; return 1; @@ -138,7 +136,7 @@ ECDH_DATA_new_method(ENGINE *engine) ret->engine = ENGINE_get_default_ECDH(); if (ret->engine) { ret->meth = ENGINE_get_ECDH(ret->engine); - if (!ret->meth) { + if (ret->meth == NULL) { ECDHerror(ERR_R_ENGINE_LIB); ENGINE_finish(ret->engine); free(ret); @@ -176,8 +174,7 @@ ecdh_data_free(void *data) ECDH_DATA *r = (ECDH_DATA *)data; #ifndef OPENSSL_NO_ENGINE - if (r->engine) - ENGINE_finish(r->engine); + ENGINE_finish(r->engine); #endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDH, r, &r->ex_data); diff --git a/crypto/ecdh/ech_locl.h b/crypto/ecdh/ech_locl.h index b5777df..b04d325 100644 --- a/crypto/ecdh/ech_locl.h +++ b/crypto/ecdh/ech_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ech_locl.h,v 1.5 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: ech_locl.h,v 1.6 2019/09/05 16:12:36 jsing Exp $ */ /* ==================================================================== * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. * @@ -88,6 +88,12 @@ typedef struct ecdh_data_st { ECDH_DATA *ecdh_check(EC_KEY *); +/* + * ECDH Key Derivation Function as defined in ANSI X9.63. + */ +int ecdh_KDF_X9_63(unsigned char *out, size_t outlen, const unsigned char *Z, + size_t Zlen, const unsigned char *sinfo, size_t sinfolen, const EVP_MD *md); + __END_HIDDEN_DECLS #endif /* HEADER_ECH_LOCL_H */ diff --git a/crypto/ecdsa/ecs_lib.c b/crypto/ecdsa/ecs_lib.c index 4fbe1e0..c688a95 100644 
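Review bot: The new declaration of ecdh_KDF_X9_63 in ech_locl.h says only that it is the X9.63 KDF; the contract callers need is not stated. Expand the comment to say that `out` must have room for `outlen` bytes, that `Z` is the raw shared secret, and that the function returns 1 on success and 0 when any of `outlen`, `Zlen` or `sinfolen` exceeds the internal cap (ECDH_KDF_MAX in ecdh_kdf.c), when the digest context cannot be allocated, or when a digest operation fails. Without that, a caller has to read the definition to learn that a 0 return can mean "input too large" rather than a library error.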
--- a/crypto/ecdsa/ecs_lib.c +++ b/crypto/ecdsa/ecs_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecs_lib.c,v 1.12 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: ecs_lib.c,v 1.13 2018/04/14 07:09:21 tb Exp $ */ /* ==================================================================== * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. * @@ -96,10 +96,8 @@ ECDSA_set_method(EC_KEY *eckey, const ECDSA_METHOD *meth) return 0; #ifndef OPENSSL_NO_ENGINE - if (ecdsa->engine) { - ENGINE_finish(ecdsa->engine); - ecdsa->engine = NULL; - } + ENGINE_finish(ecdsa->engine); + ecdsa->engine = NULL; #endif ecdsa->meth = meth; @@ -126,7 +124,7 @@ ECDSA_DATA_new_method(ENGINE *engine) ret->engine = ENGINE_get_default_ECDSA(); if (ret->engine) { ret->meth = ENGINE_get_ECDSA(ret->engine); - if (!ret->meth) { + if (ret->meth == NULL) { ECDSAerror(ERR_R_ENGINE_LIB); ENGINE_finish(ret->engine); free(ret); @@ -164,8 +162,7 @@ ecdsa_data_free(void *data) ECDSA_DATA *r = (ECDSA_DATA *)data; #ifndef OPENSSL_NO_ENGINE - if (r->engine) - ENGINE_finish(r->engine); + ENGINE_finish(r->engine); #endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_ECDSA, r, &r->ex_data); diff --git a/crypto/ecdsa/ecs_locl.h b/crypto/ecdsa/ecs_locl.h index 94e8874..0a9f179 100644 --- a/crypto/ecdsa/ecs_locl.h +++ b/crypto/ecdsa/ecs_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ecs_locl.h,v 1.5 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: ecs_locl.h,v 1.6 2019/01/19 01:07:00 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project */ 
@@ -81,6 +81,14 @@ typedef struct ecdsa_data_st { */ ECDSA_DATA *ecdsa_check(EC_KEY *eckey); +int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, + BIGNUM **rp); +int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, + unsigned char *sig, unsigned int *siglen, const BIGNUM *kinv, + const BIGNUM *r, EC_KEY *eckey); +ECDSA_SIG *ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, + const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey); + __END_HIDDEN_DECLS #endif /* HEADER_ECS_LOCL_H */ diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c index c7f4bcb..8a6685d 100644 --- a/crypto/ecdsa/ecs_ossl.c +++ b/crypto/ecdsa/ecs_ossl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecs_ossl.c,v 1.9 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ecs_ossl.c,v 1.20 2019/06/04 18:15:27 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project */ @@ -56,6 +56,8 @@ * */ +#include + #include #include @@ -65,7 +67,9 @@ #include "bn_lcl.h" #include "ecs_locl.h" -static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dlen, +static int ecdsa_prepare_digest(const unsigned char *dgst, int dgst_len, + BIGNUM *order, BIGNUM *ret); +static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *, const BIGNUM *, EC_KEY *eckey); static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp); 
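Review bot: The declarations added to ecs_locl.h cover ossl_ecdsa_sign_setup, ossl_ecdsa_sign and ossl_ecdsa_sign_sig, but ecs_ossl.c in this same diff also defines ossl_ecdsa_verify and ossl_ecdsa_verify_sig with external linkage, and neither appears here. If they are not declared in ec_lcl.h (which this chunk does not show), the compiler cannot check their call sites against the definitions; add `int ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, const unsigned char *sigbuf, int sig_len, EC_KEY *eckey);` and the matching `ossl_ecdsa_verify_sig` prototype next to the three above. A one-line comment above the group saying these appear to be the default EC_KEY_METHOD callbacks would explain why they are exported from the ecdsa directory at all.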
@@ -85,37 +89,72 @@ ECDSA_OpenSSL(void) return &openssl_ecdsa_meth; } +static int +ecdsa_prepare_digest(const unsigned char *dgst, int dgst_len, BIGNUM *order, + BIGNUM *ret) +{ + int dgst_bits, order_bits; + + if (!BN_bin2bn(dgst, dgst_len, ret)) { + ECDSAerror(ERR_R_BN_LIB); + return 0; + } + + /* FIPS 186-3 6.4: Use order_bits leftmost bits if digest is too long */ + dgst_bits = 8 * dgst_len; + order_bits = BN_num_bits(order); + if (dgst_bits > order_bits) { + if (!BN_rshift(ret, ret, dgst_bits - order_bits)) { + ECDSAerror(ERR_R_BN_LIB); + return 0; + } + } + + return 1; +} + +int +ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, unsigned char *sig, + unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) +{ + ECDSA_SIG *s; + + if ((s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey)) == NULL) { + *siglen = 0; + return 0; + } + *siglen = i2d_ECDSA_SIG(s, &sig); + ECDSA_SIG_free(s); + return 1; +} + static int ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { - BN_CTX *ctx = NULL; - BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL; - EC_POINT *tmp_point = NULL; + BN_CTX *ctx = ctx_in; + BIGNUM *k = NULL, *r = NULL, *order = NULL, *X = NULL; + EC_POINT *point = NULL; const EC_GROUP *group; - int ret = 0; + int order_bits, ret = 0; if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL) { ECDSAerror(ERR_R_PASSED_NULL_PARAMETER); return 0; } - if (ctx_in == NULL) { + if (ctx == NULL) { if ((ctx = BN_CTX_new()) == NULL) { ECDSAerror(ERR_R_MALLOC_FAILURE); return 0; } - } else - ctx = ctx_in; + } - k = BN_new(); /* this value is later returned in *kinvp */ - r = BN_new(); /* this value is later returned in *rp */ - order = BN_new(); - X = BN_new(); - if (!k || !r || !order || !X) { + if ((k = BN_new()) == NULL || (r = BN_new()) == NULL || + (order = BN_new()) == NULL || (X = BN_new()) == NULL) { ECDSAerror(ERR_R_MALLOC_FAILURE); goto err; } - if ((tmp_point = EC_POINT_new(group)) == NULL) { + if 
((point = EC_POINT_new(group)) == NULL) { ECDSAerror(ERR_R_EC_LIB); goto err; } 
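Review bot: `*siglen = i2d_ECDSA_SIG(s, &sig);` in the new ossl_ecdsa_sign stores the encoder's result into an unsigned int and returns 1 without looking at it, so a failed encoding yields a huge `*siglen` and a success return; this is the code ECDSA_sign_ex used to hold, but it is now the default method every caller reaches. Check it: `int len = i2d_ECDSA_SIG(s, &sig); ECDSA_SIG_free(s); if (len <= 0) { *siglen = 0; return 0; } *siglen = len; return 1;`. In ecdsa_prepare_digest, `dgst_bits = 8 * dgst_len` is computed from an int that is never checked for being negative; either reject `dgst_len < 0` or state in the function's comment that `dgst_len` is a non-negative byte count the caller has already validated. Both new functions start and end inside the hunk; ecdsa_sign_setup continues past it.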
@@ -124,44 +163,60 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) goto err; } + /* Preallocate space. */ + order_bits = BN_num_bits(order); + if (!BN_set_bit(k, order_bits) || + !BN_set_bit(r, order_bits) || + !BN_set_bit(X, order_bits)) + goto err; + do { - /* get random k */ - do + do { if (!BN_rand_range(k, order)) { - ECDSAerror(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED); + ECDSAerror( + ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED); goto err; } - while (BN_is_zero(k)); + } while (BN_is_zero(k)); - /* We do not want timing information to leak the length of k, - * so we compute G*k using an equivalent scalar of fixed - * bit-length. */ - if (!BN_add(k, k, order)) + /* + * We do not want timing information to leak the length of k, + * so we compute G * k using an equivalent scalar of fixed + * bit-length. + * + * We unconditionally perform both of these additions to prevent + * a small timing information leakage. We then choose the sum + * that is one bit longer than the order. This guarantees the + * code path used in the constant time implementations + * elsewhere. + * + * TODO: revisit the BN_copy aiming for a memory access agnostic + * conditional copy. + */ + if (!BN_add(r, k, order) || + !BN_add(X, r, order) || + !BN_copy(k, BN_num_bits(r) > order_bits ? r : X)) goto err; - if (BN_num_bits(k) <= BN_num_bits(order)) - if (!BN_add(k, k, order)) - goto err; BN_set_flags(k, BN_FLG_CONSTTIME); - /* compute r the x-coordinate of generator * k */ - if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { + /* Compute r, the x-coordinate of G * k. 
*/ + if (!EC_POINT_mul(group, point, k, NULL, NULL, ctx)) { ECDSAerror(ERR_R_EC_LIB); goto err; } if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) { - if (!EC_POINT_get_affine_coordinates_GFp(group, - tmp_point, X, NULL, ctx)) { + if (!EC_POINT_get_affine_coordinates_GFp(group, point, + X, NULL, ctx)) { ECDSAerror(ERR_R_EC_LIB); goto err; } } #ifndef OPENSSL_NO_EC2M - else /* NID_X9_62_characteristic_two_field */ - { - if (!EC_POINT_get_affine_coordinates_GF2m(group, - tmp_point, X, NULL, ctx)) { + else { /* NID_X9_62_characteristic_two_field */ + if (!EC_POINT_get_affine_coordinates_GF2m(group, point, + X, NULL, ctx)) { ECDSAerror(ERR_R_EC_LIB); goto err; } 
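Review bot: The new `goto err` after the `BN_set_bit` preallocation and after the `BN_add`/`BN_copy` block in ecdsa_sign_setup jumps to the cleanup without pushing a reason, while every other failure in the function reports `ECDSAerror(ERR_R_BN_LIB)` or similar; a caller that sees 0 from ECDSA_sign_setup then finds an empty error queue. Add `ECDSAerror(ERR_R_BN_LIB);` before each of those two `goto err`. The TODO already flags `BN_copy(k, BN_num_bits(r) > order_bits ? r : X)` as a data-dependent selection; the comment could additionally say that `r` is used here purely as scratch and is later assigned the x-coordinate (per the comment that follows), since a reader may otherwise assume the value in `r` survives. The enclosing do-while and the function continue past the hunk.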
@@ -173,45 +228,52 @@ ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) } } while (BN_is_zero(r)); - /* compute the inverse of k */ if (!BN_mod_inverse_ct(k, k, order, ctx)) { ECDSAerror(ERR_R_BN_LIB); goto err; } - /* clear old values if necessary */ BN_clear_free(*rp); BN_clear_free(*kinvp); - /* save the pre-computed values */ *rp = r; *kinvp = k; ret = 1; -err: - if (!ret) { + err: + if (ret == 0) { BN_clear_free(k); BN_clear_free(r); } if (ctx_in == NULL) BN_CTX_free(ctx); BN_free(order); - EC_POINT_free(tmp_point); + EC_POINT_free(point); BN_clear_free(X); return (ret); } +/* replace w/ ecdsa_sign_setup() when ECDSA_METHOD gets removed */ +int +ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) +{ + ECDSA_DATA *ecdsa; + + if ((ecdsa = ecdsa_check(eckey)) == NULL) + return 0; + return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp); +} static ECDSA_SIG * ecdsa_do_sign(const unsigned char *dgst, int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey) { - int ok = 0, i; - BIGNUM *kinv = NULL, *s, *m = NULL, *tmp = NULL, *order = NULL; - const BIGNUM *ckinv; - BN_CTX *ctx = NULL; - const EC_GROUP *group; + BIGNUM *b = NULL, *binv = NULL, *bm = NULL, *bxr = NULL; + BIGNUM *kinv = NULL, *m = NULL, *order = NULL, *range = NULL, *s; + const BIGNUM *ckinv, *priv_key; + BN_CTX *ctx = NULL; + const EC_GROUP *group; ECDSA_SIG *ret; ECDSA_DATA *ecdsa; - const BIGNUM *priv_key; + int ok = 0; ecdsa = ecdsa_check(eckey); group = EC_KEY_get0_group(eckey); 
@@ -222,15 +284,16 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, return NULL; } - ret = ECDSA_SIG_new(); - if (!ret) { + if ((ret = ECDSA_SIG_new()) == NULL) { ECDSAerror(ERR_R_MALLOC_FAILURE); return NULL; } s = ret->s; if ((ctx = BN_CTX_new()) == NULL || (order = BN_new()) == NULL || - (tmp = BN_new()) == NULL || (m = BN_new()) == NULL) { + (range = BN_new()) == NULL || (b = BN_new()) == NULL || + (binv = BN_new()) == NULL || (bm = BN_new()) == NULL || + (bxr = BN_new()) == NULL || (m = BN_new()) == NULL) { ECDSAerror(ERR_R_MALLOC_FAILURE); goto err; } @@ -239,21 +302,10 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, ECDSAerror(ERR_R_EC_LIB); goto err; } - i = BN_num_bits(order); - /* Need to truncate digest if it is too long: first truncate whole - * bytes. - */ - if (8 * dgst_len > i) - dgst_len = (i + 7)/8; - if (!BN_bin2bn(dgst, dgst_len, m)) { - ECDSAerror(ERR_R_BN_LIB); + + if (!ecdsa_prepare_digest(dgst, dgst_len, order, m)) goto err; - } - /* If still too long truncate remaining bits with a shift */ - if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { - ECDSAerror(ERR_R_BN_LIB); - goto err; - } + do { if (in_kinv == NULL || in_r == NULL) { if (!ECDSA_sign_setup(eckey, ctx, &kinv, &ret->r)) { 
@@ -269,21 +321,68 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, } } - if (!BN_mod_mul(tmp, priv_key, ret->r, order, ctx)) { + /* + * Compute: + * + * s = inv(k)(m + xr) mod order + * + * In order to reduce the possibility of a side-channel attack, + * the following is calculated using a blinding value: + * + * s = inv(b)(bm + bxr)inv(k) mod order + * + * where b is a random value in the range [1, order-1]. + */ + + /* Generate b in range [1, order-1]. */ + if (!BN_sub(range, order, BN_value_one())) { ECDSAerror(ERR_R_BN_LIB); goto err; } - if (!BN_mod_add_quick(s, tmp, m, order)) { + if (!BN_rand_range(b, range)) { ECDSAerror(ERR_R_BN_LIB); goto err; } - if (!BN_mod_mul(s, s, ckinv, order, ctx)) { + if (!BN_add(b, b, BN_value_one())) { ECDSAerror(ERR_R_BN_LIB); goto err; } + + if (BN_mod_inverse_ct(binv, b, order, ctx) == NULL) { + ECDSAerror(ERR_R_BN_LIB); + goto err; + } + + if (!BN_mod_mul(bxr, b, priv_key, order, ctx)) { /* bx */ + ECDSAerror(ERR_R_BN_LIB); + goto err; + } + if (!BN_mod_mul(bxr, bxr, ret->r, order, ctx)) { /* bxr */ + ECDSAerror(ERR_R_BN_LIB); + goto err; + } + if (!BN_mod_mul(bm, b, m, order, ctx)) { /* bm */ + ECDSAerror(ERR_R_BN_LIB); + goto err; + } + if (!BN_mod_add(s, bm, bxr, order, ctx)) { /* s = bm + bxr */ + ECDSAerror(ERR_R_BN_LIB); + goto err; + } + if (!BN_mod_mul(s, s, ckinv, order, ctx)) { /* s = b(m + xr)k^-1 */ + ECDSAerror(ERR_R_BN_LIB); + goto err; + } + if (!BN_mod_mul(s, s, binv, order, ctx)) { /* s = (m + xr)k^-1 */ + ECDSAerror(ERR_R_BN_LIB); + goto err; + } + if (BN_is_zero(s)) { - /* if kinv and r have been supplied by the caller - * don't to generate new kinv and r values */ + /* + * If kinv and r have been supplied by the caller, + * don't generate new kinv and r values + */ if (in_kinv != NULL && in_r != NULL) { ECDSAerror(ECDSA_R_NEED_NEW_SETUP_VALUES); goto err; 
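Review bot: The blinding block in ecdsa_do_sign reports a failed `BN_rand_range(b, range)` as `ERR_R_BN_LIB`, whereas the identical failure in ecdsa_sign_setup earlier in this file reports `ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED`; use the same reason here, `ECDSAerror(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED);`, so a caller can tell an RNG problem from a bignum one. `range = order - 1` is recomputed on every pass of the enclosing do-while although it depends only on `order`; computing it once before the loop removes a redundant step from the retry path. The comment block could also say in one sentence why `b` is drawn from [1, order-1] rather than [0, order-1]: `binv` is needed to strip the blinding afterwards, so `b` must be invertible. The do-while starts before this hunk.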
@@ -295,39 +394,79 @@ ecdsa_do_sign(const unsigned char *dgst, int dgst_len, ok = 1; -err: - if (!ok) { + err: + if (ok == 0) { ECDSA_SIG_free(ret); ret = NULL; } BN_CTX_free(ctx); - BN_clear_free(m); - BN_clear_free(tmp); - BN_free(order); + BN_clear_free(b); + BN_clear_free(binv); + BN_clear_free(bm); + BN_clear_free(bxr); BN_clear_free(kinv); + BN_clear_free(m); + BN_free(order); + BN_free(range); return ret; } +/* replace w/ ecdsa_do_sign() when ECDSA_METHOD gets removed */ +ECDSA_SIG * +ossl_ecdsa_sign_sig(const unsigned char *dgst, int dgst_len, + const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey) +{ + ECDSA_DATA *ecdsa; + + if ((ecdsa = ecdsa_check(eckey)) == NULL) + return NULL; + return ecdsa->meth->ecdsa_do_sign(dgst, dgst_len, in_kinv, in_r, eckey); +} + +int +ossl_ecdsa_verify(int type, const unsigned char *dgst, int dgst_len, + const unsigned char *sigbuf, int sig_len, EC_KEY *eckey) +{ + ECDSA_SIG *s; + unsigned char *der = NULL; + const unsigned char *p = sigbuf; + int derlen = -1; + int ret = -1; + + if ((s = ECDSA_SIG_new()) == NULL) + return (ret); + if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) + goto err; + /* Ensure signature uses DER and doesn't have trailing garbage */ + derlen = i2d_ECDSA_SIG(s, &der); + if (derlen != sig_len || memcmp(sigbuf, der, derlen)) + goto err; + ret = ECDSA_do_verify(dgst, dgst_len, s, eckey); + + err: + freezero(der, derlen); + ECDSA_SIG_free(s); + return (ret); +} + static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey) { - int ret = -1, i; - BN_CTX *ctx; - BIGNUM *order, *u1, *u2, *m, *X; + BN_CTX *ctx; + BIGNUM *order, *u1, *u2, *m, *X; EC_POINT *point = NULL; const EC_GROUP *group; const EC_POINT *pub_key; + int ret = -1; - /* check input values */ if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { ECDSAerror(ECDSA_R_MISSING_PARAMETERS); return -1; } - ctx = BN_CTX_new(); - 
if (!ctx) { + if ((ctx = BN_CTX_new()) == NULL) { ECDSAerror(ERR_R_MALLOC_FAILURE); return -1; } @@ -337,7 +476,7 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, u2 = BN_CTX_get(ctx); m = BN_CTX_get(ctx); X = BN_CTX_get(ctx); - if (!X) { + if (X == NULL) { ECDSAerror(ERR_R_BN_LIB); goto err; } 
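Review bot: ossl_ecdsa_verify returns -1, not 0, when the signature is syntactically bad or not in canonical DER (`derlen != sig_len || memcmp(...)` leaves `ret` at its initial -1), so callers that treat only 0 as "invalid signature" and -1 as "error" will classify a malformed signature as an internal error. That is the behaviour the code had in ECDSA_verify before the move, but it is now undocumented; add a header comment in the style of the other new wrappers stating `returns 1 for a valid signature, 0 for an invalid one and -1 on error (including a non-canonical DER encoding)`. The `/* replace w/ ... when ECDSA_METHOD gets removed */` comment the sibling wrappers carry is also missing on ossl_ecdsa_sign and ossl_ecdsa_verify. ecdsa_do_verify continues past the hunk.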
@@ -347,45 +486,33 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, goto err; } - if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || - BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) || - BN_is_negative(sig->s) || BN_ucmp(sig->s, order) >= 0) { + /* Verify that r and s are in the range [1, order-1]. */ + if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || + BN_ucmp(sig->r, order) >= 0 || + BN_is_zero(sig->s) || BN_is_negative(sig->s) || + BN_ucmp(sig->s, order) >= 0) { ECDSAerror(ECDSA_R_BAD_SIGNATURE); - ret = 0; /* signature is invalid */ + ret = 0; goto err; } - /* calculate tmp1 = inv(S) mod order */ - if (!BN_mod_inverse_ct(u2, sig->s, order, ctx)) { + + if (!ecdsa_prepare_digest(dgst, dgst_len, order, m)) + goto err; + + if (!BN_mod_inverse_ct(u2, sig->s, order, ctx)) { /* w = inv(s) */ ECDSAerror(ERR_R_BN_LIB); goto err; } - /* digest -> m */ - i = BN_num_bits(order); - /* Need to truncate digest if it is too long: first truncate whole - * bytes. - */ - if (8 * dgst_len > i) - dgst_len = (i + 7)/8; - if (!BN_bin2bn(dgst, dgst_len, m)) { + if (!BN_mod_mul(u1, m, u2, order, ctx)) { /* u1 = mw */ ECDSAerror(ERR_R_BN_LIB); goto err; } - /* If still too long truncate remaining bits with a shift */ - if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7))) { - ECDSAerror(ERR_R_BN_LIB); - goto err; - } - /* u1 = m * tmp mod order */ - if (!BN_mod_mul(u1, m, u2, order, ctx)) { - ECDSAerror(ERR_R_BN_LIB); - goto err; - } - /* u2 = r * w mod q */ - if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) { + if (!BN_mod_mul(u2, sig->r, u2, order, ctx)) { /* u2 = rw */ ECDSAerror(ERR_R_BN_LIB); goto err; } + /* Compute the x-coordinate of G * u1 + pub_key * u2. */ if ((point = EC_POINT_new(group)) == NULL) { ECDSAerror(ERR_R_MALLOC_FAILURE); goto err; 
@@ -396,17 +523,16 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, } if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) == NID_X9_62_prime_field) { - if (!EC_POINT_get_affine_coordinates_GFp(group, - point, X, NULL, ctx)) { + if (!EC_POINT_get_affine_coordinates_GFp(group, point, X, NULL, + ctx)) { ECDSAerror(ERR_R_EC_LIB); goto err; } } #ifndef OPENSSL_NO_EC2M - else /* NID_X9_62_characteristic_two_field */ - { - if (!EC_POINT_get_affine_coordinates_GF2m(group, - point, X, NULL, ctx)) { + else { /* NID_X9_62_characteristic_two_field */ + if (!EC_POINT_get_affine_coordinates_GF2m(group, point, X, NULL, + ctx)) { ECDSAerror(ERR_R_EC_LIB); goto err; } @@ -416,12 +542,25 @@ ecdsa_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, ECDSAerror(ERR_R_BN_LIB); goto err; } - /* if the signature is correct u1 is equal to sig->r */ + + /* If the signature is correct, the x-coordinate is equal to sig->r. */ ret = (BN_ucmp(u1, sig->r) == 0); -err: + err: BN_CTX_end(ctx); BN_CTX_free(ctx); EC_POINT_free(point); return ret; } + +/* replace w/ ecdsa_do_verify() when ECDSA_METHOD gets removed */ +int +ossl_ecdsa_verify_sig(const unsigned char *dgst, int dgst_len, + const ECDSA_SIG *sig, EC_KEY *eckey) +{ + ECDSA_DATA *ecdsa; + + if ((ecdsa = ecdsa_check(eckey)) == NULL) + return 0; + return ecdsa->meth->ecdsa_do_verify(dgst, dgst_len, sig, eckey); +} diff --git a/crypto/ecdsa/ecs_sign.c b/crypto/ecdsa/ecs_sign.c index 029a0cb..5beb853 100644 --- a/crypto/ecdsa/ecs_sign.c +++ b/crypto/ecdsa/ecs_sign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecs_sign.c,v 1.6 2015/02/08 13:35:07 jsing Exp $ */ +/* $OpenBSD: ecs_sign.c,v 1.7 2019/01/19 01:07:00 tb Exp $ */ /* ==================================================================== * Copyright (c) 1998-2002 The OpenSSL Project. All rights reserved. * 
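Review bot: ossl_ecdsa_verify_sig returns 0 when `ecdsa_check(eckey)` fails, but the ecdsa_do_verify it dispatches to uses -1 for errors and 0 for a signature that does not verify, and ossl_ecdsa_verify in this same file returns -1 on its own failures. Returning 0 is the safe direction, but it hides a missing ECDSA_DATA behind "signature invalid"; `return -1;` keeps the tri-state contract consistent across the file. Whichever value is chosen, the comment above the function should state it, since the replace-later note says nothing about return values.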
@@ -55,11 +55,13 @@ #include -#include "ecs_locl.h" #ifndef OPENSSL_NO_ENGINE #include #endif +#include "ecs_locl.h" +#include "ec_lcl.h" + ECDSA_SIG * ECDSA_do_sign(const unsigned char *dgst, int dlen, EC_KEY *eckey) { @@ -70,11 +72,10 @@ ECDSA_SIG * ECDSA_do_sign_ex(const unsigned char *dgst, int dlen, const BIGNUM *kinv, const BIGNUM *rp, EC_KEY *eckey) { - ECDSA_DATA *ecdsa = ecdsa_check(eckey); - - if (ecdsa == NULL) - return NULL; - return ecdsa->meth->ecdsa_do_sign(dgst, dlen, kinv, rp, eckey); + if (eckey->meth->sign_sig != NULL) + return eckey->meth->sign_sig(dgst, dlen, kinv, rp, eckey); + ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED); + return 0; } int @@ -88,24 +89,17 @@ int ECDSA_sign_ex(int type, const unsigned char *dgst, int dlen, unsigned char *sig, unsigned int *siglen, const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) { - ECDSA_SIG *s; - - s = ECDSA_do_sign_ex(dgst, dlen, kinv, r, eckey); - if (s == NULL) { - *siglen = 0; - return 0; - } - *siglen = i2d_ECDSA_SIG(s, &sig); - ECDSA_SIG_free(s); - return 1; + if (eckey->meth->sign != NULL) + return eckey->meth->sign(type, dgst, dlen, sig, siglen, kinv, r, eckey); + ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED); + return 0; } int ECDSA_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, BIGNUM **rp) { - ECDSA_DATA *ecdsa = ecdsa_check(eckey); - - if (ecdsa == NULL) - return 0; - return ecdsa->meth->ecdsa_sign_setup(eckey, ctx_in, kinvp, rp); + if (eckey->meth->sign_setup != NULL) + return eckey->meth->sign_setup(eckey, ctx_in, kinvp, rp); + ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED); + return 0; } diff --git a/crypto/ecdsa/ecs_vrf.c b/crypto/ecdsa/ecs_vrf.c index 270af94..4c1bc85 100644 --- a/crypto/ecdsa/ecs_vrf.c +++ b/crypto/ecdsa/ecs_vrf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ecs_vrf.c,v 1.6 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: ecs_vrf.c,v 1.7 2019/01/19 01:12:48 tb Exp $ */ /* * Written by Nils Larsch for the OpenSSL project */ 
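Review bot: ECDSA_do_sign_ex returns an `ECDSA_SIG *`, yet the new fallthrough ends in `return 0;`; write `return NULL;` so the pointer type is explicit. All three dispatchers in this file dereference `eckey->meth` without checking `eckey`, where the removed `ecdsa_check(eckey)` path returned NULL/0 on failure (its body is outside this diff, so whether it tolerated NULL is inferred); a guard `if (eckey == NULL || eckey->meth == NULL)` in front of each would preserve the old tolerance. They also raise `EVP_R_METHOD_NOT_SUPPORTED` through `ECDSAerror`, an EVP reason code under the ECDSA library, while ech_key.c in this diff uses `ECerror(EC_R_NOT_IMPLEMENTED)` for the same condition; one convention would be preferable.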
@@ -56,10 +56,10 @@ * */ -#include #include #include "ecs_locl.h" +#include "ec_lcl.h" #ifndef OPENSSL_NO_ENGINE #include #endif @@ -73,11 +73,10 @@ int ECDSA_do_verify(const unsigned char *dgst, int dgst_len, const ECDSA_SIG *sig, EC_KEY *eckey) { - ECDSA_DATA *ecdsa = ecdsa_check(eckey); - - if (ecdsa == NULL) - return 0; - return ecdsa->meth->ecdsa_do_verify(dgst, dgst_len, sig, eckey); + if (eckey->meth->verify_sig != NULL) + return eckey->meth->verify_sig(dgst, dgst_len, sig, eckey); + ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED); + return 0; } /* returns @@ -89,25 +88,9 @@ int ECDSA_verify(int type, const unsigned char *dgst, int dgst_len, const unsigned char *sigbuf, int sig_len, EC_KEY *eckey) { - ECDSA_SIG *s; - unsigned char *der = NULL; - const unsigned char *p = sigbuf; - int derlen = -1; - int ret = -1; - - s = ECDSA_SIG_new(); - if (s == NULL) - return (ret); - if (d2i_ECDSA_SIG(&s, &p, sig_len) == NULL) - goto err; - /* Ensure signature uses DER and doesn't have trailing garbage */ - derlen = i2d_ECDSA_SIG(s, &der); - if (derlen != sig_len || memcmp(sigbuf, der, derlen)) - goto err; - ret = ECDSA_do_verify(dgst, dgst_len, s, eckey); - -err: - freezero(der, derlen); - ECDSA_SIG_free(s); - return (ret); + if (eckey->meth->verify != NULL) + return eckey->meth->verify(type, dgst, dgst_len, + sigbuf, sig_len, eckey); + ECDSAerror(EVP_R_METHOD_NOT_SUPPORTED); + return 0; } diff --git a/crypto/engine/eng_cnf.c b/crypto/engine/eng_cnf.c index 2ac077d..24358af 100644 --- a/crypto/engine/eng_cnf.c +++ b/crypto/engine/eng_cnf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eng_cnf.c,v 1.14 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: eng_cnf.c,v 1.15 2018/04/14 07:18:37 tb Exp $ */ /* Written by Stephen Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -200,8 +200,7 @@ err: "section=%s, name=%s, value=%s", ecmd->section, ecmd->name, ecmd->value); } - if (e) - ENGINE_free(e); + ENGINE_free(e); return ret; } 
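Review bot: ECDSA_verify no longer performs the DER re-encode-and-compare check on `sigbuf` itself; that check now lives in ossl_ecdsa_verify in ecs_ossl.c and is only reached when `eckey->meth->verify` is the default method. Any EC_KEY_METHOD that supplies its own `verify` callback becomes responsible for rejecting non-canonical or trailing-garbage encodings, which is what closes off signature malleability here; the `/* returns ... */` comment above this function (cut off before the hunk) should say so, e.g. `strict DER checking of sigbuf is the method's responsibility`. When the method slot is empty the function also returns 0 ("invalid") rather than -1, which ossl_ecdsa_verify uses for errors; `return -1;` would keep the two consistent.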
diff --git a/crypto/engine/eng_fat.c b/crypto/engine/eng_fat.c index c97695a..baf1a54 100644 --- a/crypto/engine/eng_fat.c +++ b/crypto/engine/eng_fat.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eng_fat.c,v 1.16 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: eng_fat.c,v 1.17 2019/01/19 01:07:00 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. * @@ -92,6 +92,10 @@ ENGINE_set_default(ENGINE *e, unsigned int flags) #ifndef OPENSSL_NO_ECDSA if ((flags & ENGINE_METHOD_ECDSA) && !ENGINE_set_default_ECDSA(e)) return 0; +#endif +#ifndef OPENSSL_NO_EC + if ((flags & ENGINE_METHOD_EC) && !ENGINE_set_default_EC(e)) + return 0; #endif if ((flags & ENGINE_METHOD_RAND) && !ENGINE_set_default_RAND(e)) return 0; @@ -123,6 +127,8 @@ int_def_cb(const char *alg, int len, void *arg) *pflags |= ENGINE_METHOD_ECDSA; else if (!strncmp(alg, "DH", len)) *pflags |= ENGINE_METHOD_DH; + else if (strncmp(alg, "EC", len) == 0) + *pflags |= ENGINE_METHOD_EC; else if (!strncmp(alg, "RAND", len)) *pflags |= ENGINE_METHOD_RAND; else if (!strncmp(alg, "CIPHERS", len)) @@ -173,6 +179,9 @@ ENGINE_register_complete(ENGINE *e) #endif #ifndef OPENSSL_NO_ECDSA ENGINE_register_ECDSA(e); +#endif +#ifndef OPENSSL_NO_EC + ENGINE_register_EC(e); #endif ENGINE_register_RAND(e); ENGINE_register_pkey_meths(e); diff --git a/crypto/engine/eng_init.c b/crypto/engine/eng_init.c index 75d6698..793adba 100644 --- a/crypto/engine/eng_init.c +++ b/crypto/engine/eng_init.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eng_init.c,v 1.8 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: eng_init.c,v 1.9 2018/04/14 07:09:21 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2001 The OpenSSL Project. All rights reserved. * 
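Review bot: The new branch in int_def_cb is written `strncmp(alg, "EC", len) == 0` while the surrounding chain uses `!strncmp(...)`; pick one form for the whole ladder (the `== 0` form is the clearer one, but mixing them in a single if/else chain reads as an accident). Note also that the ladder compares at most `len` characters, so a token that is a prefix of several names selects whichever comes first in the chain; that is inherited from the existing lines, but a comment on the chain stating that `alg` is expected to be a complete algorithm name from the ENGINE config would make the assumption explicit. The ENGINE_set_default and ENGINE_register_complete hunks on this line mirror the ECDSA blocks and need nothing further.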
@@ -134,10 +134,8 @@ ENGINE_finish(ENGINE *e) { int to_return = 1; - if (e == NULL) { - ENGINEerror(ERR_R_PASSED_NULL_PARAMETER); - return 0; - } + if (e == NULL) + return 1; CRYPTO_w_lock(CRYPTO_LOCK_ENGINE); to_return = engine_unlocked_finish(e, 1); CRYPTO_w_unlock(CRYPTO_LOCK_ENGINE); diff --git a/crypto/engine/eng_int.h b/crypto/engine/eng_int.h index dbb6399..298c0e3 100644 --- a/crypto/engine/eng_int.h +++ b/crypto/engine/eng_int.h @@ -1,4 +1,4 @@ -/* $OpenBSD: eng_int.h,v 1.9 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: eng_int.h,v 1.10 2019/01/19 01:07:00 tb Exp $ */ /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL * project 2000. */ @@ -159,6 +159,7 @@ struct engine_st { const DH_METHOD *dh_meth; const ECDH_METHOD *ecdh_meth; const ECDSA_METHOD *ecdsa_meth; + const EC_KEY_METHOD *ec_meth; const RAND_METHOD *rand_meth; const STORE_METHOD *store_meth; /* Cipher handling is via this callback */ diff --git a/crypto/engine/eng_lib.c b/crypto/engine/eng_lib.c index 11ad771..1aedcb1 100644 --- a/crypto/engine/eng_lib.c +++ b/crypto/engine/eng_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eng_lib.c,v 1.13 2018/03/17 16:20:01 beck Exp $ */ +/* $OpenBSD: eng_lib.c,v 1.14 2018/04/14 07:18:37 tb Exp $ */ /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL * project 2000. */ @@ -115,10 +115,8 @@ engine_free_util(ENGINE *e, int locked) { int i; - if (e == NULL) { - ENGINEerror(ERR_R_PASSED_NULL_PARAMETER); - return 0; - } + if (e == NULL) + return 1; if (locked) i = CRYPTO_add(&e->struct_ref, -1, CRYPTO_LOCK_ENGINE); else diff --git a/crypto/engine/eng_list.c b/crypto/engine/eng_list.c index 8bb1bc5..b29b410 100644 --- a/crypto/engine/eng_list.c +++ b/crypto/engine/eng_list.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eng_list.c,v 1.22 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: eng_list.c,v 1.24 2019/01/19 01:07:00 tb Exp $ */ /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL * project 2000. */ 
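Review bot: ENGINE_finish and engine_free_util (the eng_lib.c hunk on this line) now return 1 for a NULL argument where they previously pushed `ERR_R_PASSED_NULL_PARAMETER` and returned 0; this is what lets the ecdh/ecdsa hunks drop their `if (x->engine)` guards and, presumably via ENGINE_free, the eng_cnf.c guard, but it is a public-API behaviour change that the engine headers or manual should record. A one-line comment at the new check, `/* NULL is a no-op that succeeds, like free(3); callers may finish unconditionally */`, plus the same line in engine_free_util, would document the intent in the code. ENGINE_up_ref on the next line keeps the NULL-is-an-error convention, so the asymmetry is worth stating where it is introduced.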
@@ -315,6 +315,9 @@ engine_cpy(ENGINE *dest, const ENGINE *src) #endif #ifndef OPENSSL_NO_ECDSA dest->ecdsa_meth = src->ecdsa_meth; +#endif +#ifndef OPENSSL_NO_EC + dest->ec_meth = src->ec_meth; #endif dest->rand_meth = src->rand_meth; dest->store_meth = src->store_meth; @@ -373,10 +376,12 @@ ENGINE_by_id(const char *id) int ENGINE_up_ref(ENGINE *e) { + int refs; + if (e == NULL) { ENGINEerror(ERR_R_PASSED_NULL_PARAMETER); return 0; } - CRYPTO_add(&e->struct_ref, 1, CRYPTO_LOCK_ENGINE); - return 1; + refs = CRYPTO_add(&e->struct_ref, 1, CRYPTO_LOCK_ENGINE); + return refs > 1 ? 1 : 0; } diff --git a/crypto/engine/eng_openssl.c b/crypto/engine/eng_openssl.c index 6154aeb..f8f6c8f 100644 --- a/crypto/engine/eng_openssl.c +++ b/crypto/engine/eng_openssl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: eng_openssl.c,v 1.12 2015/12/07 03:30:09 bcook Exp $ */ +/* $OpenBSD: eng_openssl.c,v 1.13 2018/04/14 07:18:37 tb Exp $ */ /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL * project 2000. */ @@ -177,7 +177,7 @@ engine_openssl(void) { ENGINE *ret = ENGINE_new(); - if (!ret) + if (ret == NULL) return NULL; if (!bind_helper(ret)) { ENGINE_free(ret); @@ -191,7 +191,7 @@ ENGINE_load_openssl(void) { ENGINE *toadd = engine_openssl(); - if (!toadd) + if (toadd == NULL) return; (void) ENGINE_add(toadd); /* If the "add" worked, it gets a structural reference. So either way, diff --git a/ssl/d1_meth.c b/crypto/engine/tb_eckey.c similarity index 60% rename from ssl/d1_meth.c rename to crypto/engine/tb_eckey.c index 9ecca00..464156a 100644 --- a/ssl/d1_meth.c +++ b/crypto/engine/tb_eckey.c 
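Review bot: ENGINE_up_ref now returns 0 when the post-increment count is not above 1, i.e. when the caller held no structural reference and the ENGINE was presumably already released; the increment is not undone and, unlike the NULL branch just above it, no ENGINEerror is queued, so a 0 return leaves an empty error stack. Add a comment making the contract visible, e.g. `/* refs <= 1 means the caller held no reference: e was already freed. */`, and consider queuing an error on that path so both failure modes are diagnosable the same way.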
@@ -1,10 +1,6 @@ -/* $OpenBSD: d1_meth.c,v 1.15 2017/10/12 15:52:50 jsing Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ +/* $OpenBSD: tb_eckey.c,v 1.2 2019/01/19 01:18:56 tb Exp $ */ /* ==================================================================== - * Copyright (c) 1999-2005 The OpenSSL Project. All rights reserved. + * Copyright (c) 2000 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -26,7 +22,7 @@ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. + * licensing@OpenSSL.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written 
@@ -57,58 +53,72 @@ * */ -#include +#include "eng_int.h" -#include +static ENGINE_TABLE *ec_table = NULL; +static const int dummy_nid = 1; -#include "ssl_locl.h" - -static const SSL_METHOD *dtls1_get_method(int ver); - -static const SSL_METHOD_INTERNAL DTLSv1_method_internal_data = { - .version = DTLS1_VERSION, - .min_version = DTLS1_VERSION, - .max_version = DTLS1_VERSION, - .ssl_new = dtls1_new, - .ssl_clear = dtls1_clear, - .ssl_free = dtls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = dtls1_shutdown, - .ssl_pending = ssl3_pending, - .get_ssl_method = dtls1_get_method, - .get_timeout = dtls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = dtls1_get_message, - .ssl_read_bytes = dtls1_read_bytes, - .ssl_write_bytes = dtls1_write_app_data_bytes, - .ssl3_enc = &DTLSv1_enc_data, -}; - -static const SSL_METHOD DTLSv1_method_data = { - .ssl_dispatch_alert = dtls1_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = dtls1_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &DTLSv1_method_internal_data, -}; - -const SSL_METHOD * -DTLSv1_method(void) +void +ENGINE_unregister_EC(ENGINE *e) { - return &DTLSv1_method_data; + engine_table_unregister(&ec_table, e); } -static const SSL_METHOD * -dtls1_get_method(int ver) +static void +engine_unregister_all_EC(void) { - if (ver == DTLS1_VERSION) - return (DTLSv1_method()); - return (NULL); + engine_table_cleanup(&ec_table); +} + +int +ENGINE_register_EC(ENGINE *e) +{ + if (e->ec_meth) + return engine_table_register(&ec_table, + engine_unregister_all_EC, e, &dummy_nid, 1, 0); + return 1; +} + +void +ENGINE_register_all_EC(void) +{ + ENGINE *e; + + for (e = ENGINE_get_first(); e != NULL; e = 
ENGINE_get_next(e)) + ENGINE_register_EC(e); +} + +int +ENGINE_set_default_EC(ENGINE *e) +{ + if (e->ec_meth != NULL) + return engine_table_register(&ec_table, + engine_unregister_all_EC, e, &dummy_nid, 1, 1); + return 1; +} + +/* + * Exposed API function to get a functional reference from the implementation + * table (ie. try to get a functional reference from the tabled structural + * references). + */ +ENGINE * +ENGINE_get_default_EC(void) +{ + return engine_table_select(&ec_table, dummy_nid); +} + +/* Obtains an EC_KEY implementation from an ENGINE functional reference */ +const EC_KEY_METHOD * +ENGINE_get_EC(const ENGINE *e) +{ + return e->ec_meth; +} + +/* Sets an EC_KEY implementation in an ENGINE structure */ +int +ENGINE_set_EC(ENGINE *e, const EC_KEY_METHOD *ec_meth) +{ + e->ec_meth = ec_meth; + return 1; } diff --git a/crypto/err/err.c b/crypto/err/err.c index 320078d..f05567e 100644 --- a/crypto/err/err.c +++ b/crypto/err/err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: err.c,v 1.46 2018/03/17 16:20:01 beck Exp $ */ +/* $OpenBSD: err.c,v 1.48 2019/10/17 14:28:53 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -1107,7 +1107,8 @@ ERR_set_error_data(char *data, int flags) } void -ERR_asprintf_error_data(char * format, ...) { +ERR_asprintf_error_data(char * format, ...) +{ char *errbuf = NULL; va_list ap; int r; @@ -1183,3 +1184,24 @@ ERR_pop_to_mark(void) es->err_flags[es->top]&=~ERR_FLAG_MARK; return 1; } + +void +err_clear_last_constant_time(int clear) +{ + ERR_STATE *es; + int top; + + es = ERR_get_state(); + if (es == NULL) + return; + + top = es->top; + + es->err_flags[top] &= ~(0 - clear); + es->err_buffer[top] &= ~(0UL - clear); + es->err_file[top] = (const char *)((uintptr_t)es->err_file[top] & + ~((uintptr_t)0 - clear)); + es->err_line[top] |= 0 - clear; + + es->top = (top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS; +} diff --git a/crypto/err/err_all.c b/crypto/err/err_all.c index 24de3c9..e641238 100644 
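Review bot: ENGINE_register_EC and ENGINE_set_default_EC dereference `e->ec_meth` without checking `e`, and ENGINE_set_EC stores `ec_meth` without validating `e` either; if this intentionally mirrors the other tb_*.c tables (not visible here), a comment stating that `e` must be non-NULL is enough, otherwise add `if (e == NULL) return 0;` to each. The NULL test is also spelled `if (e->ec_meth)` in ENGINE_register_EC but `if (e->ec_meth != NULL)` in ENGINE_set_default_EC — pick one form for the new file.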
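Review bot: err_clear_last_constant_time relies on `clear` being exactly 0 or 1 — `0 - clear`, `0UL - clear` and `(uintptr_t)0 - clear` serve as all-ones/all-zero masks and `(top + ERR_NUM_ERRORS - clear) % ERR_NUM_ERRORS` as the pop — so any other value silently corrupts the error stack, and the function carries no comment saying so. Add above it: `/* Clear the top error in constant time iff clear == 1. clear MUST be 0 or 1 (e.g. the result of a comparison); any other value corrupts the error state. */`. Note also that `es->err_line[top] |= 0 - clear` leaves the line as -1 rather than 0 when clearing, presumably intentional, but worth a word in that comment.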
--- a/crypto/err/err_all.c +++ b/crypto/err/err_all.c @@ -1,4 +1,4 @@ -/* $OpenBSD: err_all.c,v 1.24 2018/03/17 16:20:01 beck Exp $ */ +/* $OpenBSD: err_all.c,v 1.25 2019/09/09 17:56:21 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,6 +66,7 @@ #include #include #include +#include #include #include #include @@ -154,6 +155,9 @@ ERR_load_crypto_strings_internal(void) #ifndef OPENSSL_NO_GOST ERR_load_GOST_strings(); #endif +#ifndef OPENSSL_NO_CMS + ERR_load_CMS_strings(); +#endif #endif } diff --git a/crypto/evp/bio_b64.c b/crypto/evp/bio_b64.c index b54e879..82aaa8b 100644 --- a/crypto/evp/bio_b64.c +++ b/crypto/evp/bio_b64.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_b64.c,v 1.20 2015/02/07 13:19:15 doug Exp $ */ +/* $OpenBSD: bio_b64.c,v 1.22 2018/08/24 19:47:25 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -91,7 +91,7 @@ typedef struct b64_struct { char tmp[B64_BLOCK_SIZE]; } BIO_B64_CTX; -static BIO_METHOD methods_b64 = { +static const BIO_METHOD methods_b64 = { .type = BIO_TYPE_BASE64, .name = "base64 encoding", .bwrite = b64_write, @@ -103,7 +103,7 @@ static BIO_METHOD methods_b64 = { .callback_ctrl = b64_callback_ctrl }; -BIO_METHOD * +const BIO_METHOD * BIO_f_base64(void) { return (&methods_b64); @@ -430,9 +430,10 @@ b64_write(BIO *b, const char *in, int inl) ret += n; } } else { - EVP_EncodeUpdate(&(ctx->base64), + if (!EVP_EncodeUpdate(&(ctx->base64), (unsigned char *)ctx->buf, &ctx->buf_len, - (unsigned char *)in, n); + (unsigned char *)in, n)) + return ((ret == 0) ? -1 : ret); OPENSSL_assert(ctx->buf_len <= (int)sizeof(ctx->buf)); OPENSSL_assert(ctx->buf_len >= ctx->buf_off); ret += n; diff --git a/crypto/evp/bio_enc.c b/crypto/evp/bio_enc.c index 7c7cf9a..7b55998 100644 --- a/crypto/evp/bio_enc.c +++ b/crypto/evp/bio_enc.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: bio_enc.c,v 1.20 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: bio_enc.c,v 1.22 2018/08/24 19:30:24 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -87,7 +87,7 @@ typedef struct enc_struct { char buf[ENC_BLOCK_SIZE + BUF_OFFSET + 2]; } BIO_ENC_CTX; -static BIO_METHOD methods_enc = { +static const BIO_METHOD methods_enc = { .type = BIO_TYPE_CIPHER, .name = "cipher", .bwrite = enc_write, @@ -98,7 +98,7 @@ static BIO_METHOD methods_enc = { .callback_ctrl = enc_callback_ctrl }; -BIO_METHOD * +const BIO_METHOD * BIO_f_cipher(void) { return (&methods_enc); @@ -404,23 +404,32 @@ EVP_CIPHER_ctx *c; } */ -void +int BIO_set_cipher(BIO *b, const EVP_CIPHER *c, const unsigned char *k, const unsigned char *i, int e) { BIO_ENC_CTX *ctx; + long (*cb)(BIO *, int, const char *, int, long, long); if (b == NULL) - return; + return 0; - if ((b->callback != NULL) && - (b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 0L) <= 0)) - return; + if ((ctx = BIO_get_data(b)) == NULL) + return 0; - b->init = 1; - ctx = (BIO_ENC_CTX *)b->ptr; - EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e); + if ((cb = BIO_get_callback(b)) != NULL) { + if (cb(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 0L) + <= 0) + return 0; + } - if (b->callback != NULL) - b->callback(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L); + BIO_set_init(b, 1); + + if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e)) + return 0; + + if (cb != NULL) + return cb(b, BIO_CB_CTRL, (const char *)c, BIO_CTRL_SET, e, 1L); + + return 1; } diff --git a/crypto/evp/bio_md.c b/crypto/evp/bio_md.c index b197374..44f7218 100644 --- a/crypto/evp/bio_md.c +++ b/crypto/evp/bio_md.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bio_md.c,v 1.14 2014/07/11 08:44:48 jsing Exp $ */ +/* $OpenBSD: bio_md.c,v 1.15 2018/05/02 15:51:41 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
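Review bot: BIO_set_cipher marks the BIO initialised via `BIO_set_init(b, 1)` before EVP_CipherInit_ex runs, so when that call fails the function returns 0 but the BIO stays flagged as initialised with a cipher context that was never set up; a caller that ignores the newly-int return value will then push data through enc_read/enc_write against that context. Set the flag only after success: `if (!EVP_CipherInit_ex(&(ctx->cipher), c, NULL, k, i, e)) return 0;` followed by `BIO_set_init(b, 1);`. The post-callback's `long` result is returned through an `int` function; normalising it (`return cb(...) > 0;`) would make the success contract explicit.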
@@ -74,7 +74,7 @@ static int md_new(BIO *h); static int md_free(BIO *data); static long md_callback_ctrl(BIO *h, int cmd, bio_info_cb *fp); -static BIO_METHOD methods_md = { +static const BIO_METHOD methods_md = { .type = BIO_TYPE_MD, .name = "message digest", .bwrite = md_write, @@ -86,7 +86,7 @@ static BIO_METHOD methods_md = { .callback_ctrl = md_callback_ctrl }; -BIO_METHOD * +const BIO_METHOD * BIO_f_md(void) { return (&methods_md); diff --git a/crypto/evp/c_all.c b/crypto/evp/c_all.c index 87657ed..9e9d39d 100644 --- a/crypto/evp/c_all.c +++ b/crypto/evp/c_all.c @@ -1,4 +1,4 @@ -/* $OpenBSD: c_all.c,v 1.22 2018/03/17 16:20:01 beck Exp $ */ +/* $OpenBSD: c_all.c,v 1.26 2019/03/17 18:07:41 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -152,33 +152,39 @@ OpenSSL_add_all_ciphers_internal(void) #ifndef OPENSSL_NO_AES EVP_add_cipher(EVP_aes_128_ecb()); EVP_add_cipher(EVP_aes_128_cbc()); + EVP_add_cipher(EVP_aes_128_ccm()); EVP_add_cipher(EVP_aes_128_cfb()); EVP_add_cipher(EVP_aes_128_cfb1()); EVP_add_cipher(EVP_aes_128_cfb8()); EVP_add_cipher(EVP_aes_128_ofb()); EVP_add_cipher(EVP_aes_128_ctr()); EVP_add_cipher(EVP_aes_128_gcm()); + EVP_add_cipher(EVP_aes_128_wrap()); EVP_add_cipher(EVP_aes_128_xts()); EVP_add_cipher_alias(SN_aes_128_cbc, "AES128"); EVP_add_cipher_alias(SN_aes_128_cbc, "aes128"); EVP_add_cipher(EVP_aes_192_ecb()); EVP_add_cipher(EVP_aes_192_cbc()); + EVP_add_cipher(EVP_aes_192_ccm()); EVP_add_cipher(EVP_aes_192_cfb()); EVP_add_cipher(EVP_aes_192_cfb1()); EVP_add_cipher(EVP_aes_192_cfb8()); EVP_add_cipher(EVP_aes_192_ofb()); EVP_add_cipher(EVP_aes_192_ctr()); EVP_add_cipher(EVP_aes_192_gcm()); + EVP_add_cipher(EVP_aes_192_wrap()); EVP_add_cipher_alias(SN_aes_192_cbc, "AES192"); EVP_add_cipher_alias(SN_aes_192_cbc, "aes192"); EVP_add_cipher(EVP_aes_256_ecb()); EVP_add_cipher(EVP_aes_256_cbc()); + EVP_add_cipher(EVP_aes_256_ccm()); EVP_add_cipher(EVP_aes_256_cfb()); EVP_add_cipher(EVP_aes_256_cfb1()); EVP_add_cipher(EVP_aes_256_cfb8()); EVP_add_cipher(EVP_aes_256_ofb()); EVP_add_cipher(EVP_aes_256_ctr()); EVP_add_cipher(EVP_aes_256_gcm()); + EVP_add_cipher(EVP_aes_256_wrap()); EVP_add_cipher(EVP_aes_256_xts()); EVP_add_cipher_alias(SN_aes_256_cbc, "AES256"); EVP_add_cipher_alias(SN_aes_256_cbc, "aes256"); @@ -224,6 +230,16 @@ OpenSSL_add_all_ciphers_internal(void) EVP_add_cipher(EVP_gost2814789_cfb64()); EVP_add_cipher(EVP_gost2814789_cnt()); #endif + +#ifndef OPENSSL_NO_SM4 + EVP_add_cipher(EVP_sm4_ecb()); + EVP_add_cipher(EVP_sm4_cbc()); + EVP_add_cipher(EVP_sm4_cfb()); + EVP_add_cipher(EVP_sm4_ofb()); + EVP_add_cipher(EVP_sm4_ctr()); + EVP_add_cipher_alias(SN_sm4_cbc, "SM4"); + EVP_add_cipher_alias(SN_sm4_cbc, "sm4"); +#endif } void 
@@ -286,6 +302,9 @@ OpenSSL_add_all_digests_internal(void) EVP_add_digest(EVP_sha384()); EVP_add_digest(EVP_sha512()); #endif +#ifndef OPENSSL_NO_SM3 + EVP_add_digest(EVP_sm3()); +#endif #ifndef OPENSSL_NO_WHIRLPOOL EVP_add_digest(EVP_whirlpool()); #endif diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c index b69a928..4cd3565 100644 --- a/crypto/evp/digest.c +++ b/crypto/evp/digest.c @@ -1,4 +1,4 @@ -/* $OpenBSD: digest.c,v 1.29 2018/02/17 14:55:31 jsing Exp $ */ +/* $OpenBSD: digest.c,v 1.31 2019/04/19 17:04:45 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -146,9 +146,8 @@ EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) /* Ensure an ENGINE left lying around from last time is cleared * (the previous check attempted to avoid this if the same * ENGINE and EVP_MD could be used). */ - if (ctx->engine) - ENGINE_finish(ctx->engine); - if (impl) { + ENGINE_finish(ctx->engine); + if (impl != NULL) { if (!ENGINE_init(impl)) { EVPerror(EVP_R_INITIALIZATION_ERROR); return 0; @@ -156,10 +155,10 @@ EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) } else /* Ask if an ENGINE is reserved for this job */ impl = ENGINE_get_digest_engine(type->type); - if (impl) { + if (impl != NULL) { /* There's an ENGINE for this job ... (apparently) */ const EVP_MD *d = ENGINE_get_digest(impl, type->type); - if (!d) { + if (d == NULL) { /* Same comment from evp_enc.c */ EVPerror(EVP_R_INITIALIZATION_ERROR); ENGINE_finish(impl); @@ -187,7 +186,7 @@ EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) ctx->digest = type; if (!(ctx->flags & EVP_MD_CTX_FLAG_NO_INIT) && type->ctx_size) { ctx->update = type->update; - ctx->md_data = malloc(type->ctx_size); + ctx->md_data = calloc(1, type->ctx_size); if (ctx->md_data == NULL) { EVP_PKEY_CTX_free(ctx->pctx); ctx->pctx = NULL; 
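Review bot: In EVP_DigestInit_ex the ENGINE in `ctx->engine` is now finished unconditionally, but on the `!ENGINE_init(impl)` failure path the function returns 0 with `ctx->engine` still pointing at the finished engine; unless it is reset outside this hunk, a later EVP_MD_CTX_cleanup (which also now calls ENGINE_finish(ctx->engine) unconditionally) releases that functional reference a second time. Clear it right after releasing: `ENGINE_finish(ctx->engine); ctx->engine = NULL;`. The defect predates this change, and the enclosing function continues outside the hunk.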
@@ -282,11 +281,11 @@ EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) memcpy(out, in, sizeof *out); if (in->md_data && out->digest->ctx_size) { - if (tmp_buf) + if (tmp_buf) { out->md_data = tmp_buf; - else { - out->md_data = malloc(out->digest->ctx_size); - if (!out->md_data) { + } else { + out->md_data = calloc(1, out->digest->ctx_size); + if (out->md_data == NULL) { EVPerror(ERR_R_MALLOC_FAILURE); return 0; } @@ -384,10 +383,7 @@ EVP_MD_CTX_cleanup(EVP_MD_CTX *ctx) freezero(ctx->md_data, ctx->digest->ctx_size); EVP_PKEY_CTX_free(ctx->pctx); #ifndef OPENSSL_NO_ENGINE - if (ctx->engine) - /* The EVP_MD we used belongs to an ENGINE, release the - * functional reference we held for this reason. */ - ENGINE_finish(ctx->engine); + ENGINE_finish(ctx->engine); #endif memset(ctx, 0, sizeof(*ctx)); diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c index 7c713db..05ed002 100644 --- a/crypto/evp/e_aes.c +++ b/crypto/evp/e_aes.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_aes.c,v 1.34 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: e_aes.c,v 1.42 2020/06/05 18:44:42 tb Exp $ */ /* ==================================================================== * Copyright (c) 2001-2011 The OpenSSL Project. All rights reserved. * @@ -49,6 +49,7 @@ * */ +#include #include #include @@ -720,6 +721,10 @@ aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) case EVP_CTRL_INIT: gctx->key_set = 0; gctx->iv_set = 0; + if (c->cipher->iv_len == 0) { + EVPerror(EVP_R_INVALID_IV_LENGTH); + return 0; + } gctx->ivlen = c->cipher->iv_len; gctx->iv = c->iv; gctx->taglen = -1; @@ -833,11 +838,11 @@ aes_gcm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) return 0; gctx_out->gcm.key = &gctx_out->ks; } - if (gctx->iv == c->iv) + + if (gctx->iv == c->iv) { gctx_out->iv = out->iv; - else { - gctx_out->iv = malloc(gctx->ivlen); - if (!gctx_out->iv) + } else { + if ((gctx_out->iv = calloc(1, gctx->ivlen)) == NULL) return 0; memcpy(gctx_out->iv, gctx->iv, gctx->ivlen); } 
@@ -1395,8 +1400,7 @@ aead_aes_gcm_init(EVP_AEAD_CTX *ctx, const unsigned char *key, size_t key_len, return 0; } - gcm_ctx = malloc(sizeof(struct aead_aes_gcm_ctx)); - if (gcm_ctx == NULL) + if ((gcm_ctx = calloc(1, sizeof(struct aead_aes_gcm_ctx))) == NULL) return 0; #ifdef AESNI_CAPABLE @@ -1441,6 +1445,11 @@ aead_aes_gcm_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, } memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); + + if (nonce_len == 0) { + EVPerror(EVP_R_INVALID_IV_LENGTH); + return 0; + } CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); if (ad_len > 0 && CRYPTO_gcm128_aad(&gcm, ad, ad_len)) @@ -1487,6 +1496,11 @@ aead_aes_gcm_open(const EVP_AEAD_CTX *ctx, unsigned char *out, size_t *out_len, } memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm)); + + if (nonce_len == 0) { + EVPerror(EVP_R_INVALID_IV_LENGTH); + return 0; + } CRYPTO_gcm128_setiv(&gcm, nonce, nonce_len); if (CRYPTO_gcm128_aad(&gcm, ad, ad_len)) 
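Review bot: In aead_aes_gcm_seal and aead_aes_gcm_open the new `nonce_len == 0` rejection sits after `memcpy(&gcm, &gcm_ctx->gcm, sizeof(gcm))`; move it above the copy so the error path does not duplicate the GCM128 context first. Beyond zero, every nonce length is still accepted and presumably fed to CRYPTO_gcm128_setiv's GHASH-based derivation for anything other than 96 bits — spec-permitted, but a comment that callers are expected to use 12-byte nonces would help, e.g. `/* Any non-empty nonce is accepted; 12 bytes is the recommended length. */`. Both enclosing functions start outside the hunk.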
@@ -1549,4 +1563,173 @@ EVP_aead_aes_256_gcm(void) return &aead_aes_256_gcm; } +typedef struct { + union { + double align; + AES_KEY ks; + } ks; + unsigned char *iv; +} EVP_AES_WRAP_CTX; + +static int +aes_wrap_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) +{ + EVP_AES_WRAP_CTX *wctx = (EVP_AES_WRAP_CTX *)ctx->cipher_data; + + if (iv == NULL && key == NULL) + return 1; + + if (key != NULL) { + if (ctx->encrypt) + AES_set_encrypt_key(key, 8 * ctx->key_len, + &wctx->ks.ks); + else + AES_set_decrypt_key(key, 8 * ctx->key_len, + &wctx->ks.ks); + + if (iv == NULL) + wctx->iv = NULL; + } + + if (iv != NULL) { + memcpy(ctx->iv, iv, EVP_CIPHER_CTX_iv_length(ctx)); + wctx->iv = ctx->iv; + } + + return 1; +} + +static int +aes_wrap_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inlen) +{ + EVP_AES_WRAP_CTX *wctx = ctx->cipher_data; + int ret; + + if (in == NULL) + return 0; + + if (inlen % 8 != 0) + return -1; + if (ctx->encrypt && inlen < 8) + return -1; + if (!ctx->encrypt && inlen < 16) + return -1; + if (inlen > INT_MAX) + return -1; + + if (out == NULL) { + if (ctx->encrypt) + return inlen + 8; + else + return inlen - 8; + } + + if (ctx->encrypt) + ret = AES_wrap_key(&wctx->ks.ks, wctx->iv, out, in, + (unsigned int)inlen); + else + ret = AES_unwrap_key(&wctx->ks.ks, wctx->iv, out, in, + (unsigned int)inlen); + + return ret != 0 ? 
ret : -1; +} + +static int +aes_wrap_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) +{ + EVP_AES_WRAP_CTX *wctx = c->cipher_data; + + switch (type) { + case EVP_CTRL_COPY: + { + EVP_CIPHER_CTX *out = ptr; + EVP_AES_WRAP_CTX *wctx_out = out->cipher_data; + + if (wctx->iv != NULL) { + if (c->iv != wctx->iv) + return 0; + + wctx_out->iv = out->iv; + } + + return 1; + } + } + + return -1; +} + +#define WRAP_FLAGS \ + ( EVP_CIPH_WRAP_MODE | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER | \ + EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1 | \ + EVP_CIPH_CUSTOM_COPY ) + +static const EVP_CIPHER aes_128_wrap = { + .nid = NID_id_aes128_wrap, + .block_size = 8, + .key_len = 16, + .iv_len = 8, + .flags = WRAP_FLAGS, + .init = aes_wrap_init_key, + .do_cipher = aes_wrap_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_AES_WRAP_CTX), + .set_asn1_parameters = NULL, + .get_asn1_parameters = NULL, + .ctrl = aes_wrap_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_aes_128_wrap(void) +{ + return &aes_128_wrap; +} + +static const EVP_CIPHER aes_192_wrap = { + .nid = NID_id_aes192_wrap, + .block_size = 8, + .key_len = 24, + .iv_len = 8, + .flags = WRAP_FLAGS, + .init = aes_wrap_init_key, + .do_cipher = aes_wrap_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_AES_WRAP_CTX), + .set_asn1_parameters = NULL, + .get_asn1_parameters = NULL, + .ctrl = aes_wrap_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_aes_192_wrap(void) +{ + return &aes_192_wrap; +} + +static const EVP_CIPHER aes_256_wrap = { + .nid = NID_id_aes256_wrap, + .block_size = 8, + .key_len = 32, + .iv_len = 8, + .flags = WRAP_FLAGS, + .init = aes_wrap_init_key, + .do_cipher = aes_wrap_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_AES_WRAP_CTX), + .set_asn1_parameters = NULL, + .get_asn1_parameters = NULL, + .ctrl = aes_wrap_ctrl, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_aes_256_wrap(void) +{ + return &aes_256_wrap; +} + #endif 
diff --git a/crypto/evp/e_aes_cbc_hmac_sha1.c b/crypto/evp/e_aes_cbc_hmac_sha1.c index f25b927..9be17e3 100644 --- a/crypto/evp/e_aes_cbc_hmac_sha1.c +++ b/crypto/evp/e_aes_cbc_hmac_sha1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.14 2016/11/05 10:47:57 miod Exp $ */ +/* $OpenBSD: e_aes_cbc_hmac_sha1.c,v 1.15 2019/04/03 15:33:37 tb Exp $ */ /* ==================================================================== * Copyright (c) 2011-2013 The OpenSSL Project. All rights reserved. * @@ -249,7 +249,11 @@ aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, /* decrypt HMAC|padding at once */ aesni_cbc_encrypt(in, out, len, &key->ks, ctx->iv, 0); - if (plen) { /* "TLS" mode of operation */ + if (plen == 0 || plen == NO_PAYLOAD_LENGTH) { + SHA1_Update(&key->md, out, len); + } else if (plen < 4) { + return 0; + } else { /* "TLS" mode of operation */ size_t inp_len, mask, j, i; unsigned int res, maxpad, pad, bitlen; int ret = 1; @@ -459,8 +463,6 @@ aesni_cbc_hmac_sha1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ret &= (int)~res; #endif return ret; - } else { - SHA1_Update(&key->md, out, len); } } @@ -505,7 +507,13 @@ aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) case EVP_CTRL_AEAD_TLS1_AAD: { unsigned char *p = ptr; - unsigned int len = p[arg - 2] << 8 | p[arg - 1]; + unsigned int len; + + /* RFC 5246, 6.2.3.3: additional data has length 13 */ + if (arg != 13) + return -1; + + len = p[arg - 2] << 8 | p[arg - 1]; if (ctx->encrypt) { key->payload_length = len; @@ -521,8 +529,6 @@ aesni_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr) return (int)(((len + SHA_DIGEST_LENGTH + AES_BLOCK_SIZE) & -AES_BLOCK_SIZE) - len); } else { - if (arg > 13) - arg = 13; memcpy(key->aux.tls_aad, ptr, arg); key->payload_length = arg; diff --git a/crypto/evp/e_chacha.c b/crypto/evp/e_chacha.c index b63f586..a27a3c6 100644 --- a/crypto/evp/e_chacha.c +++ b/crypto/evp/e_chacha.c 
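Review bot: The `plen < 4` rejection in aesni_cbc_hmac_sha1_cipher is a bare magic number; it appears to guard the `tls_aad[plen - 4]`/`[plen - 3]` version lookup further down the TLS branch (outside this hunk), so annotate it: `/* TLS mode indexes tls_aad[plen - 4]; reject shorter AAD. */`. The `arg != 13` guard in aesni_cbc_hmac_sha1_ctrl now precedes the `p[arg - 2]` read that the old post-hoc clamp did not protect, which is the right fix; a short comment that `-1` means "unsupported AAD length" would help, since EVP_CIPHER_CTX_ctrl presumably treats -1 differently from 0.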
@@ -1,4 +1,4 @@ -/* $OpenBSD: e_chacha.c,v 1.5 2014/08/04 04:16:11 miod Exp $ */ +/* $OpenBSD: e_chacha.c,v 1.8 2020/01/26 07:47:26 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -34,8 +34,17 @@ static const EVP_CIPHER chacha20_cipher = { .nid = NID_chacha20, .block_size = 1, .key_len = 32, - .iv_len = 8, - .flags = EVP_CIPH_STREAM_CIPHER, + /* + * The 128 bit EVP IV is split for ChaCha into four 32 bit pieces: + * counter[0] counter[1] iv[0] iv[1] + * OpenSSL exposes these as: + * openssl_iv = counter[0] iv[0] iv[1] iv[2] + * Due to the cipher internal state's symmetry, these are functionally + * equivalent. + */ + .iv_len = 16, + .flags = EVP_CIPH_STREAM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT | + EVP_CIPH_CUSTOM_IV, .init = chacha_init, .do_cipher = chacha_cipher, .ctx_size = sizeof(ChaCha_ctx) @@ -49,12 +58,17 @@ EVP_chacha20(void) static int chacha_init(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) + const unsigned char *openssl_iv, int enc) { - ChaCha_set_key((ChaCha_ctx *)ctx->cipher_data, key, - EVP_CIPHER_CTX_key_length(ctx) * 8); - if (iv != NULL) - ChaCha_set_iv((ChaCha_ctx *)ctx->cipher_data, iv, NULL); + if (key != NULL) + ChaCha_set_key((ChaCha_ctx *)ctx->cipher_data, key, + EVP_CIPHER_CTX_key_length(ctx) * 8); + if (openssl_iv != NULL) { + const unsigned char *iv = openssl_iv + 8; + const unsigned char *counter = openssl_iv; + + ChaCha_set_iv((ChaCha_ctx *)ctx->cipher_data, iv, counter); + } return 1; } diff --git a/crypto/evp/e_chacha20poly1305.c b/crypto/evp/e_chacha20poly1305.c index 089ef12..4fd92eb 100644 --- a/crypto/evp/e_chacha20poly1305.c +++ b/crypto/evp/e_chacha20poly1305.c @@ -1,4 +1,4 @@ -/* $OpenBSD: e_chacha20poly1305.c,v 1.18 2017/08/28 17:48:02 jsing Exp $ */ +/* $OpenBSD: e_chacha20poly1305.c,v 1.21 2019/03/27 15:34:01 jsing Exp $ */ /* * Copyright (c) 2015 Reyk Floter 
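Review bot: Raising `.iv_len` for EVP_chacha20() from 8 to 16 is an ABI-visible change: EVP_CIPHER_iv_length() now reports 16 and EVP_CipherInit_ex presumably copies that many bytes from the caller's IV, so an existing caller that passes an 8-byte IV buffer has 8 bytes read past it and its old IV interpreted as the counter words rather than the nonce. The new comment block explains the layout but not this migration hazard; add `/* NOTE: iv_len was 8; callers must now supply 16 bytes (64-bit counter || 64-bit nonce). */` and call it out in the release notes. The `key != NULL` guard with EVP_CIPH_ALWAYS_CALL_INIT looks right for re-keying the IV without a key.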
@@ -36,6 +36,7 @@ #define CHACHA20_CONSTANT_LEN 4 #define CHACHA20_IV_LEN 8 #define CHACHA20_NONCE_LEN (CHACHA20_CONSTANT_LEN + CHACHA20_IV_LEN) +#define XCHACHA20_NONCE_LEN 24 struct aead_chacha20_poly1305_ctx { unsigned char key[32]; @@ -148,8 +149,8 @@ aead_chacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, return 0; } - ctr = (uint64_t)(nonce[0] | nonce[1] << 8 | - nonce[2] << 16 | nonce[3] << 24) << 32; + ctr = (uint64_t)((uint32_t)(nonce[0]) | (uint32_t)(nonce[1]) << 8 | + (uint32_t)(nonce[2]) << 16 | (uint32_t)(nonce[3]) << 24) << 32; iv = nonce + CHACHA20_CONSTANT_LEN; memset(poly1305_key, 0, sizeof(poly1305_key)); @@ -220,8 +221,8 @@ aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out, return 0; } - ctr = (uint64_t)(nonce[0] | nonce[1] << 8 | - nonce[2] << 16 | nonce[3] << 24) << 32; + ctr = (uint64_t)((uint32_t)(nonce[0]) | (uint32_t)(nonce[1]) << 8 | + (uint32_t)(nonce[2]) << 16 | (uint32_t)(nonce[3]) << 24) << 32; iv = nonce + CHACHA20_CONSTANT_LEN; memset(poly1305_key, 0, sizeof(poly1305_key)); 
@@ -246,6 +247,108 @@ aead_chacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out, return 1; } +static int +aead_xchacha20_poly1305_seal(const EVP_AEAD_CTX *ctx, unsigned char *out, + size_t *out_len, size_t max_out_len, const unsigned char *nonce, + size_t nonce_len, const unsigned char *in, size_t in_len, + const unsigned char *ad, size_t ad_len) +{ + const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; + unsigned char poly1305_key[32]; + unsigned char subkey[32]; + poly1305_state poly1305; + + if (max_out_len < in_len + c20_ctx->tag_len) { + EVPerror(EVP_R_BUFFER_TOO_SMALL); + return 0; + } + + if (nonce_len != ctx->aead->nonce_len) { + EVPerror(EVP_R_IV_TOO_LARGE); + return 0; + } + + CRYPTO_hchacha_20(subkey, c20_ctx->key, nonce); + + CRYPTO_chacha_20(out, in, in_len, subkey, nonce + 16, 1); + + memset(poly1305_key, 0, sizeof(poly1305_key)); + CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), + subkey, nonce + 16, 0); + + CRYPTO_poly1305_init(&poly1305, poly1305_key); + poly1305_update_with_pad16(&poly1305, ad, ad_len); + poly1305_update_with_pad16(&poly1305, out, in_len); + poly1305_update_with_length(&poly1305, NULL, ad_len); + poly1305_update_with_length(&poly1305, NULL, in_len); + + if (c20_ctx->tag_len != POLY1305_TAG_LEN) { + unsigned char tag[POLY1305_TAG_LEN]; + CRYPTO_poly1305_finish(&poly1305, tag); + memcpy(out + in_len, tag, c20_ctx->tag_len); + *out_len = in_len + c20_ctx->tag_len; + return 1; + } + + CRYPTO_poly1305_finish(&poly1305, out + in_len); + *out_len = in_len + POLY1305_TAG_LEN; + return 1; +} + +static int +aead_xchacha20_poly1305_open(const EVP_AEAD_CTX *ctx, unsigned char *out, + size_t *out_len, size_t max_out_len, const unsigned char *nonce, + size_t nonce_len, const unsigned char *in, size_t in_len, + const unsigned char *ad, size_t ad_len) +{ + const struct aead_chacha20_poly1305_ctx *c20_ctx = ctx->aead_state; + unsigned char mac[POLY1305_TAG_LEN]; + unsigned char poly1305_key[32]; + 
unsigned char subkey[32]; + poly1305_state poly1305; + size_t plaintext_len; + + if (in_len < c20_ctx->tag_len) { + EVPerror(EVP_R_BAD_DECRYPT); + return 0; + } + + if (nonce_len != ctx->aead->nonce_len) { + EVPerror(EVP_R_IV_TOO_LARGE); + return 0; + } + + plaintext_len = in_len - c20_ctx->tag_len; + + if (max_out_len < plaintext_len) { + EVPerror(EVP_R_BUFFER_TOO_SMALL); + return 0; + } + + CRYPTO_hchacha_20(subkey, c20_ctx->key, nonce); + + memset(poly1305_key, 0, sizeof(poly1305_key)); + CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), + subkey, nonce + 16, 0); + + CRYPTO_poly1305_init(&poly1305, poly1305_key); + poly1305_update_with_pad16(&poly1305, ad, ad_len); + poly1305_update_with_pad16(&poly1305, in, plaintext_len); + poly1305_update_with_length(&poly1305, NULL, ad_len); + poly1305_update_with_length(&poly1305, NULL, plaintext_len); + + CRYPTO_poly1305_finish(&poly1305, mac); + if (timingsafe_memcmp(mac, in + plaintext_len, c20_ctx->tag_len) != 0) { + EVPerror(EVP_R_BAD_DECRYPT); + return 0; + } + + CRYPTO_chacha_20(out, in, plaintext_len, subkey, nonce + 16, 1); + + *out_len = plaintext_len; + return 1; +} + /* RFC 7539 */ static const EVP_AEAD aead_chacha20_poly1305 = { .key_len = 32, @@ -265,4 +368,22 @@ EVP_aead_chacha20_poly1305() return &aead_chacha20_poly1305; } +static const EVP_AEAD aead_xchacha20_poly1305 = { + .key_len = 32, + .nonce_len = XCHACHA20_NONCE_LEN, + .overhead = POLY1305_TAG_LEN, + .max_tag_len = POLY1305_TAG_LEN, + + .init = aead_chacha20_poly1305_init, + .cleanup = aead_chacha20_poly1305_cleanup, + .seal = aead_xchacha20_poly1305_seal, + .open = aead_xchacha20_poly1305_open, +}; + +const EVP_AEAD * +EVP_aead_xchacha20_poly1305() +{ + return &aead_xchacha20_poly1305; +} + #endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */ diff --git a/crypto/evp/e_des3.c b/crypto/evp/e_des3.c index 3cb95a8..0138839 100644 --- a/crypto/evp/e_des3.c +++ b/crypto/evp/e_des3.c 
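Review bot: aead_xchacha20_poly1305_seal places no upper bound on in_len, and ChaCha20's 32-bit block counter wraps after 2^32 blocks; if the sibling aead_chacha20_poly1305_seal (outside this hunk) rejects operations of 256 GiB or more, this function needs the same guard before `CRYPTO_chacha_20(out, in, in_len, subkey, nonce + 16, 1)`, e.g. `if ((uint64_t)in_len >= (1ULL << 32) * 64 - 64) { EVPerror(EVP_R_TOO_LARGE); return 0; }`. Both seal and open also leave the derived `subkey` and `poly1305_key` on the stack on every return; an `explicit_bzero` of both before returning limits the exposure of per-message key material. The `nonce_len != ctx->aead->nonce_len` branch reports EVP_R_IV_TOO_LARGE even for a too-short nonce, which is misleading though presumably consistent with the existing chacha20 functions.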
@@ -1,4 +1,4 @@ -/* $OpenBSD: e_des3.c,v 1.19 2015/10/12 06:05:52 guenther Exp $ */ +/* $OpenBSD: e_des3.c,v 1.20 2019/05/14 15:40:44 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -163,6 +163,8 @@ des_ede3_cfb1_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, { size_t n; unsigned char c[1], d[1]; + if (!(ctx->flags & EVP_CIPH_FLAG_LENGTH_BITS)) + inl *= 8; for (n = 0; n < inl; ++n) { c[0] = (in[n/8]&(1 << (7 - n % 8))) ? 0x80 : 0; diff --git a/crypto/evp/e_sm4.c b/crypto/evp/e_sm4.c new file mode 100644 index 0000000..554915b --- /dev/null +++ b/crypto/evp/e_sm4.c 
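Review bot: The new `inl *= 8` in des_ede3_cfb1_cipher carries no comment, and the reader has to know that the loop below indexes `in[n/8]` with `n < inl`, i.e. `inl` must be a bit count; add `/* inl is a byte count unless the caller set EVP_CIPH_FLAG_LENGTH_BITS; the loop below works in bits. */`. Since the old code looped over only `inl` bits, callers previously got one eighth of their input processed, so this is an output-changing fix that deserves a changelog line. The loop body continues outside the hunk.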
@@ -0,0 +1,113 @@ +/* $OpenBSD: e_sm4.c,v 1.1 2019/03/17 17:42:37 tb Exp $ */ +/* + * Copyright (c) 2017, 2019 Ribose Inc + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#ifndef OPENSSL_NO_SM4 +#include +#include +#include + +#include "evp_locl.h" + +typedef struct { + SM4_KEY ks; +} EVP_SM4_KEY; + +static int +sm4_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, + const unsigned char *iv, int enc) +{ + SM4_set_key(key, ctx->cipher_data); + return 1; +} + +static void +sm4_cbc_encrypt(const unsigned char *in, unsigned char *out, size_t len, + const SM4_KEY *key, unsigned char *ivec, const int enc) +{ + if (enc) + CRYPTO_cbc128_encrypt(in, out, len, key, ivec, + (block128_f)SM4_encrypt); + else + CRYPTO_cbc128_decrypt(in, out, len, key, ivec, + (block128_f)SM4_decrypt); +} + +static void +sm4_cfb128_encrypt(const unsigned char *in, unsigned char *out, size_t length, + const SM4_KEY *key, unsigned char *ivec, int *num, const int enc) +{ + CRYPTO_cfb128_encrypt(in, out, length, key, ivec, num, enc, + (block128_f)SM4_encrypt); +} + +static void +sm4_ecb_encrypt(const unsigned char *in, unsigned char *out, const SM4_KEY *key, + const int enc) +{ + if (enc) + SM4_encrypt(in, out, key); + else + SM4_decrypt(in, out, key); +} + +static void 
+sm4_ofb128_encrypt(const unsigned char *in, unsigned char *out, size_t length, + const SM4_KEY *key, unsigned char *ivec, int *num) +{ + CRYPTO_ofb128_encrypt(in, out, length, key, ivec, num, + (block128_f)SM4_encrypt); +} + +IMPLEMENT_BLOCK_CIPHER(sm4, ks, sm4, EVP_SM4_KEY, NID_sm4, 16, 16, 16, 128, + EVP_CIPH_FLAG_DEFAULT_ASN1, sm4_init_key, NULL, 0, 0, 0) + +static int +sm4_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, + size_t len) +{ + EVP_SM4_KEY *key = EVP_C_DATA(EVP_SM4_KEY, ctx); + + CRYPTO_ctr128_encrypt(in, out, len, &key->ks, ctx->iv, ctx->buf, + &ctx->num, (block128_f)SM4_encrypt); + return 1; +} + +static const EVP_CIPHER sm4_ctr_mode = { + .nid = NID_sm4_ctr, + .block_size = 1, + .key_len = 16, + .iv_len = 16, + .flags = EVP_CIPH_CTR_MODE, + .init = sm4_init_key, + .do_cipher = sm4_ctr_cipher, + .cleanup = NULL, + .ctx_size = sizeof(EVP_SM4_KEY), + .set_asn1_parameters = NULL, + .get_asn1_parameters = NULL, + .ctrl = NULL, + .app_data = NULL, +}; + +const EVP_CIPHER * +EVP_sm4_ctr(void) +{ + return &sm4_ctr_mode; +} + +#endif diff --git a/crypto/evp/encode.c b/crypto/evp/encode.c index 1097a7c..2f942a0 100644 --- a/crypto/evp/encode.c +++ b/crypto/evp/encode.c @@ -1,4 +1,4 @@ -/* $OpenBSD: encode.c,v 1.24 2016/05/04 15:05:13 tedu Exp $ */ +/* $OpenBSD: encode.c,v 1.28 2020/03/04 11:53:21 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -62,8 +62,8 @@ #include +static unsigned char conv_ascii2bin(unsigned char a); #define conv_bin2ascii(a) (data_bin2ascii[(a)&0x3f]) -#define conv_ascii2bin(a) (data_ascii2bin[(a)&0x7f]) /* 64 char lines * pad input with 0 @@ -92,6 +92,7 @@ abcdefghijklmnopqrstuvwxyz0123456789+/"; #define B64_WS 0xE0 #define B64_ERROR 0xFF #define B64_NOT_BASE64(a) (((a)|0x13) == 0xF3) +#define B64_BASE64(a) !B64_NOT_BASE64(a) static const unsigned char data_ascii2bin[128] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 
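Review bot: `sm4_init_key` discards whatever `SM4_set_key` reports and returns 1 unconditionally, so if the key schedule can fail the context would be left half-initialised while `EVP_CipherInit_ex` reports success. If `SM4_set_key` returns an int status, propagate it with `return SM4_set_key(key, ctx->cipher_data);`; if it cannot fail, a one-line comment saying so would stop the next reader from asking. `iv` and `enc` are presumably unused here because the EVP layer keeps the IV in `ctx->iv` (as `sm4_ctr_cipher` shows) and the mode helpers receive `enc` separately, which deserves a comment as well. The bare `#endif` closing the file would also read better as `#endif /* !OPENSSL_NO_SM4 */`, matching the other guarded files in this diff.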
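Review bot: The new macro `#define B64_BASE64(a) !B64_NOT_BASE64(a)` is not wrapped in parentheses, unlike `B64_NOT_BASE64` directly above it; unary `!` binds tightest so the two uses added later in this diff are safe, but the project's macros are otherwise fully parenthesized and this one should be too: `#define B64_BASE64(a) (!B64_NOT_BASE64(a))`. Note also that `B64_NOT_BASE64` is false for `B64_ERROR` (0xFF | 0x13 is 0xFF, not 0xF3), so `B64_BASE64` really means "not whitespace/EOL/EOF" and callers must keep rejecting `B64_ERROR` before consulting it, as the rewritten decode loop does. A short comment on the macro stating that precondition would prevent misuse.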
@@ -112,6 +113,26 @@ static const unsigned char data_ascii2bin[128] = { 0x31, 0x32, 0x33, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, }; +static unsigned char +conv_ascii2bin(unsigned char a) +{ + if (a & 0x80) + return B64_ERROR; + return data_ascii2bin[a]; +} + +EVP_ENCODE_CTX * +EVP_ENCODE_CTX_new(void) +{ + return calloc(1, sizeof(EVP_ENCODE_CTX)); +} + +void +EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx) +{ + free(ctx); +} + void EVP_EncodeInit(EVP_ENCODE_CTX *ctx) { @@ -120,7 +141,7 @@ EVP_EncodeInit(EVP_ENCODE_CTX *ctx) ctx->line_num = 0; } -void +int EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { @@ -128,13 +149,13 @@ EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, size_t total = 0; *outl = 0; - if (inl == 0) - return; + if (inl <= 0) + return 0; OPENSSL_assert(ctx->length <= (int)sizeof(ctx->enc_data)); if (ctx->length - ctx->num > inl) { memcpy(&(ctx->enc_data[ctx->num]), in, inl); ctx->num += inl; - return; + return 1; } if (ctx->num != 0) { i = ctx->length - ctx->num; @@ -160,12 +181,14 @@ EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, if (total > INT_MAX) { /* Too much output data! */ *outl = 0; - return; + return 0; } if (inl != 0) memcpy(&(ctx->enc_data[0]), in, inl); ctx->num = inl; *outl = total; + + return 1; } void 
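Review bot: `EVP_EncodeUpdate` now returns an int but nothing in the hunks documents what 0 and 1 mean, and the zero case covers two quite different situations: `inl <= 0` at the top, and the `total > INT_MAX` guard near the end, which returns 0 after zeroing `*outl` even though the middle of the function (outside the hunk) has presumably already consumed buffered data. Suggest a comment above the definition: `/* Returns 1 on success. Returns 0 with *outl = 0 if inl <= 0 or the encoded output would exceed INT_MAX; in the latter case the context should be discarded. */`. Callers that previously passed an empty chunk and ignored the void return will now observe 0, which is worth a line in the release notes.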
@@ -217,151 +240,117 @@ EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int dlen) void EVP_DecodeInit(EVP_ENCODE_CTX *ctx) { - ctx->length = 30; ctx->num = 0; + ctx->length = 0; ctx->line_num = 0; ctx->expect_nl = 0; } -/* -1 for error - * 0 for last line - * 1 for full line - */ int EVP_DecodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl) { - int seof = -1, eof = 0, rv = -1, ret = 0, i, v, tmp, n, ln, exp_nl; + int seof = 0, eof = 0, rv = -1, ret = 0, i, v, tmp, n, decoded_len; unsigned char *d; n = ctx->num; d = ctx->enc_data; - ln = ctx->line_num; - exp_nl = ctx->expect_nl; - /* last line of input. */ - if ((inl == 0) || ((n == 0) && (conv_ascii2bin(in[0]) == B64_EOF))) { + if (n > 0 && d[n - 1] == '=') { + eof++; + if (n > 1 && d[n - 2] == '=') + eof++; + } + + /* Legacy behaviour: an empty input chunk signals end of input. */ + if (inl == 0) { rv = 0; goto end; } - /* We parse the input data */ for (i = 0; i < inl; i++) { - /* If the current line is > 80 characters, scream alot */ - if (ln >= 80) { - rv = -1; - goto end; - } - - /* Get char and put it into the buffer */ - tmp= *(in++); + tmp = *(in++); v = conv_ascii2bin(tmp); - /* only save the good data :-) */ - if (!B64_NOT_BASE64(v)) { - OPENSSL_assert(n < (int)sizeof(ctx->enc_data)); - d[n++] = tmp; - ln++; - } else if (v == B64_ERROR) { + if (v == B64_ERROR) { rv = -1; goto end; } - /* There should not be base64 data after padding. */ - if (eof && tmp != '=' && tmp != '\r' && tmp != '\n' && - v != B64_EOF) { - rv = -1; - goto end; - } - - /* have we seen a '=' which is 'definitely' the last - * input line. seof will point to the character that - * holds it. and eof will hold how many characters to - * chop off. */ if (tmp == '=') { - if (seof == -1) - seof = n; eof++; + } else if (eof > 0 && B64_BASE64(v)) { + /* More data after padding. */ + rv = -1; + goto end; } - /* There should be no more than two padding markers. 
*/ if (eof > 2) { rv = -1; goto end; } - if (v == B64_CR) { - ln = 0; - if (exp_nl) - continue; + if (v == B64_EOF) { + seof = 1; + goto tail; } - /* eoln */ - if (v == B64_EOLN) { - ln = 0; - if (exp_nl) { - exp_nl = 0; - continue; - } - } - exp_nl = 0; - - /* If we are at the end of input and it looks like a - * line, process it. */ - if (((i + 1) == inl) && (((n&3) == 0) || eof)) { - v = B64_EOF; - /* In case things were given us in really small - records (so two '=' were given in separate - updates), eof may contain the incorrect number - of ending bytes to skip, so let's redo the count */ - eof = 0; - if (d[n-1] == '=') - eof++; - if (d[n-2] == '=') - eof++; - /* There will never be more than two '=' */ - } - - if ((v == B64_EOF && (n&3) == 0) || (n >= 64)) { - /* This is needed to work correctly on 64 byte input - * lines. We process the line and then need to - * accept the '\n' */ - if ((v != B64_EOF) && (n >= 64)) - exp_nl = 1; - if (n > 0) { - v = EVP_DecodeBlock(out, d, n); - n = 0; - if (v < 0) { - rv = 0; - goto end; - } - ret += (v - eof); - } else { - eof = 1; - v = 0; - } - - /* This is the case where we have had a short - * but valid input line */ - if ((v < ctx->length) && eof) { - rv = 0; - goto end; - } else - ctx->length = v; - - if (seof >= 0) { - rv = 0; + /* Only save valid base64 characters. */ + if (B64_BASE64(v)) { + if (n >= 64) { + /* + * We increment n once per loop, and empty the + * buffer as soon as we reach 64 characters, so + * this can only happen if someone's manually + * messed with the ctx. Refuse to write any + * more data. 
+ */ + rv = -1; goto end; } - out += v; + OPENSSL_assert(n < (int)sizeof(ctx->enc_data)); + d[n++] = tmp; + } + + if (n == 64) { + decoded_len = EVP_DecodeBlock(out, d, n); + n = 0; + if (decoded_len < 0 || eof > decoded_len) { + rv = -1; + goto end; + } + ret += decoded_len - eof; + out += decoded_len - eof; } } - rv = 1; -end: + /* + * Legacy behaviour: if the current line is a full base64-block (i.e., + * has 0 mod 4 base64 characters), it is processed immediately. We keep + * this behaviour as applications may not be calling EVP_DecodeFinal + * properly. + */ + tail: + if (n > 0) { + if ((n & 3) == 0) { + decoded_len = EVP_DecodeBlock(out, d, n); + n = 0; + if (decoded_len < 0 || eof > decoded_len) { + rv = -1; + goto end; + } + ret += (decoded_len - eof); + } else if (seof) { + /* EOF in the middle of a base64 block. */ + rv = -1; + goto end; + } + } + + rv = seof || (n == 0 && eof) ? 0 : 1; + end: + /* Legacy behaviour. This should probably rather be zeroed on error. */ *outl = ret; ctx->num = n; - ctx->line_num = ln; - ctx->expect_nl = exp_nl; return (rv); } diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c index de7c690..bb49e28 100644 --- a/crypto/evp/evp_enc.c +++ b/crypto/evp/evp_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_enc.c,v 1.38 2018/02/17 16:54:08 jsing Exp $ */ +/* $OpenBSD: evp_enc.c,v 1.43 2019/04/14 17:16:57 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -144,8 +144,8 @@ EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, ctx->cipher = cipher; if (ctx->cipher->ctx_size) { - ctx->cipher_data = malloc(ctx->cipher->ctx_size); - if (!ctx->cipher_data) { + ctx->cipher_data = calloc(1, ctx->cipher->ctx_size); + if (ctx->cipher_data == NULL) { EVPerror(ERR_R_MALLOC_FAILURE); return 0; } 
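Review bot: The rewrite of `EVP_DecodeUpdate` removes the old `/* -1 for error, 0 for last line, 1 for full line */` header without replacing it, although the return contract is now more subtle and `rv = seof || (n == 0 && eof) ? 0 : 1;` relies on `||` binding tighter than `?:`. Suggest restoring a comment above the function: `/* Returns -1 on error, 0 once end of input has been seen (an empty chunk, a B64_EOF character, or padding with nothing left buffered), 1 otherwise. On error *outl still reports bytes already written. */`, and writing the assignment as `rv = (seof || (n == 0 && eof)) ? 0 : 1;` so the grouping is explicit. The `if (n >= 64)` guard inside the loop is immediately followed by `OPENSSL_assert(n < (int)sizeof(ctx->enc_data))`, which is redundant unless `enc_data` is smaller than 64 bytes; one of the two could go.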
@@ -153,7 +153,7 @@ EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *impl, ctx->cipher_data = NULL; } ctx->key_len = cipher->key_len; - ctx->flags = 0; + ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW; if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { EVPerror(EVP_R_INITIALIZATION_ERROR); @@ -175,6 +175,12 @@ skip_to_init: return 0; } + if (!(ctx->flags & EVP_CIPHER_CTX_FLAG_WRAP_ALLOW) && + EVP_CIPHER_CTX_mode(ctx) == EVP_CIPH_WRAP_MODE) { + EVPerror(EVP_R_WRAP_MODE_NOT_ALLOWED); + return 0; + } + if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_CUSTOM_IV)) { switch (EVP_CIPHER_CTX_mode(ctx)) { @@ -575,12 +581,10 @@ EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *c) if (c->cipher_data) explicit_bzero(c->cipher_data, c->cipher->ctx_size); } + /* XXX - store size of cipher_data so we can always freezero(). */ free(c->cipher_data); #ifndef OPENSSL_NO_ENGINE - if (c->engine) - /* The EVP_CIPHER we used belongs to an ENGINE, release the - * functional reference we held for this reason. */ - ENGINE_finish(c->engine); + ENGINE_finish(c->engine); #endif explicit_bzero(c, sizeof(EVP_CIPHER_CTX)); return 1; 
@@ -663,16 +667,29 @@ EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in) memcpy(out, in, sizeof *out); if (in->cipher_data && in->cipher->ctx_size) { - out->cipher_data = malloc(in->cipher->ctx_size); - if (!out->cipher_data) { + out->cipher_data = calloc(1, in->cipher->ctx_size); + if (out->cipher_data == NULL) { EVPerror(ERR_R_MALLOC_FAILURE); return 0; } memcpy(out->cipher_data, in->cipher_data, in->cipher->ctx_size); } - if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY) - return in->cipher->ctrl((EVP_CIPHER_CTX *)in, - EVP_CTRL_COPY, 0, out); + if (in->cipher->flags & EVP_CIPH_CUSTOM_COPY) { + if (!in->cipher->ctrl((EVP_CIPHER_CTX *)in, EVP_CTRL_COPY, + 0, out)) { + /* + * If the custom copy control failed, assume that there + * may still be pointers copied in the cipher_data that + * we do not own. This may result in a leak from a bad + * custom copy control, but that's preferable to a + * double free... + */ + freezero(out->cipher_data, in->cipher->ctx_size); + out->cipher_data = NULL; + return 0; + } + } + return 1; } diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c index 1e1cc83..2494cf5 100644 --- a/crypto/evp/evp_err.c +++ b/crypto/evp/evp_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_err.c,v 1.22 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: evp_err.c,v 1.26 2020/04/27 19:31:02 tb Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * 
@@ -100,6 +100,7 @@ static ERR_STRING_DATA EVP_str_reasons[] = { {ERR_REASON(EVP_R_ERROR_LOADING_SECTION) , "error loading section"}, {ERR_REASON(EVP_R_ERROR_SETTING_FIPS_MODE), "error setting fips mode"}, {ERR_REASON(EVP_R_EVP_PBE_CIPHERINIT_ERROR), "evp pbe cipherinit error"}, + {ERR_REASON(EVP_R_EXPECTING_AN_HMAC_KEY), "expecting an hmac key"}, {ERR_REASON(EVP_R_EXPECTING_AN_RSA_KEY) , "expecting an rsa key"}, {ERR_REASON(EVP_R_EXPECTING_A_DH_KEY) , "expecting a dh key"}, {ERR_REASON(EVP_R_EXPECTING_A_DSA_KEY) , "expecting a dsa key"}, @@ -110,6 +111,7 @@ static ERR_STRING_DATA EVP_str_reasons[] = { {ERR_REASON(EVP_R_INPUT_NOT_INITIALIZED) , "input not initialized"}, {ERR_REASON(EVP_R_INVALID_DIGEST) , "invalid digest"}, {ERR_REASON(EVP_R_INVALID_FIPS_MODE) , "invalid fips mode"}, + {ERR_REASON(EVP_R_INVALID_IV_LENGTH) , "invalid iv length"}, {ERR_REASON(EVP_R_INVALID_KEY_LENGTH) , "invalid key length"}, {ERR_REASON(EVP_R_INVALID_OPERATION) , "invalid operation"}, {ERR_REASON(EVP_R_IV_TOO_LARGE) , "iv too large"}, @@ -147,6 +149,7 @@ static ERR_STRING_DATA EVP_str_reasons[] = { {ERR_REASON(EVP_R_UNSUPPORTED_PRF) , "unsupported prf"}, {ERR_REASON(EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM), "unsupported private key algorithm"}, {ERR_REASON(EVP_R_UNSUPPORTED_SALT_TYPE) , "unsupported salt type"}, + {ERR_REASON(EVP_R_WRAP_MODE_NOT_ALLOWED), "wrap mode not allowed"}, {ERR_REASON(EVP_R_WRONG_FINAL_BLOCK_LENGTH), "wrong final block length"}, {ERR_REASON(EVP_R_WRONG_PUBLIC_KEY_TYPE) , "wrong public key type"}, {0, NULL} diff --git a/crypto/evp/evp_key.c b/crypto/evp/evp_key.c index 33de513..91d0fc0 100644 --- a/crypto/evp/evp_key.c +++ b/crypto/evp/evp_key.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_key.c,v 1.24 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: evp_key.c,v 1.26 2018/08/14 17:59:26 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -101,17 +101,21 @@ EVP_read_pw_string_min(char *buf, int min, int len, const char *prompt, char buff[BUFSIZ]; UI *ui; + if (len > BUFSIZ) + len = BUFSIZ; + /* Ensure that 0 <= min <= len - 1. In particular, 1 <= len. */ + if (min < 0 || len - 1 < min) + return -1; if ((prompt == NULL) && (prompt_string[0] != '\0')) prompt = prompt_string; ui = UI_new(); if (ui == NULL) return -1; - if (UI_add_input_string(ui, prompt, 0, buf, min, - (len >= BUFSIZ) ? BUFSIZ - 1 : len) < 0) + if (UI_add_input_string(ui, prompt, 0, buf, min, len - 1) < 0) return -1; if (verify) { - if (UI_add_verify_string(ui, prompt, 0, buff, min, - (len >= BUFSIZ) ? BUFSIZ - 1 : len, buf) < 0) + if (UI_add_verify_string(ui, prompt, 0, buff, min, len - 1, buf) + < 0) return -1; } ret = UI_process(ui); diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c index ad97a3b..9010773 100644 --- a/crypto/evp/evp_lib.c +++ b/crypto/evp/evp_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_lib.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: evp_lib.c,v 1.17 2018/09/12 06:35:38 djm Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -207,6 +207,12 @@ EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx) return ctx->cipher; } +int +EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx) +{ + return ctx->encrypt; +} + unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher) { 
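Review bot: In `EVP_read_pw_string_min` the new guard `if (min < 0 || len - 1 < min)` computes `len - 1` before establishing `len >= 1`, so `len == INT_MIN` (an int parameter) is signed overflow, and the comment "In particular, 1 <= len" holds only because the second comparison happens to be true for every other non-positive `len`. Rewrite as `if (min < 0 || len < 1 || len - 1 < min) return -1;` so the invariant is stated directly and the subtraction is always defined. The clamp `if (len > BUFSIZ) len = BUFSIZ;` silently truncates callers' larger buffers to the size of the local `buff[BUFSIZ]` verify copy, which is defensible but deserves a one-line comment saying so.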
@@ -267,6 +273,44 @@ EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx) return ctx->cipher->nid; } +int +EVP_CIPHER_CTX_get_iv(const EVP_CIPHER_CTX *ctx, unsigned char *iv, size_t len) +{ + if (ctx == NULL || len != EVP_CIPHER_CTX_iv_length(ctx)) + return 0; + if (len > EVP_MAX_IV_LENGTH) + return 0; /* sanity check; shouldn't happen */ + /* + * Skip the memcpy entirely when the requested IV length is zero, + * since the iv pointer may be NULL or invalid. + */ + if (len != 0) { + if (iv == NULL) + return 0; + memcpy(iv, ctx->iv, len); + } + return 1; +} + +int +EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len) +{ + if (ctx == NULL || len != EVP_CIPHER_CTX_iv_length(ctx)) + return 0; + if (len > EVP_MAX_IV_LENGTH) + return 0; /* sanity check; shouldn't happen */ + /* + * Skip the memcpy entirely when the requested IV length is zero, + * since the iv pointer may be NULL or invalid. + */ + if (len != 0) { + if (iv == NULL) + return 0; + memcpy(ctx->iv, iv, len); + } + return 1; +} + int EVP_MD_block_size(const EVP_MD *md) { diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h index e264f9c..8df6135 100644 --- a/crypto/evp/evp_locl.h +++ b/crypto/evp/evp_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_locl.h,v 1.14 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: evp_locl.h,v 1.16 2019/10/29 07:52:17 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -265,7 +265,7 @@ const EVP_CIPHER *EVP_##cname##_ecb(void) { return &cname##_ecb; } EVP_CIPHER_get_asn1_iv, \ NULL) - struct evp_pkey_ctx_st { +struct evp_pkey_ctx_st { /* Method associated with this operation */ const EVP_PKEY_METHOD *pmeth; /* Engine that implements this method or NULL if builtin */ @@ -367,4 +367,6 @@ struct evp_aead_st { const unsigned char *ad, size_t ad_len); }; +int EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md_name); + __END_HIDDEN_DECLS 
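Review bot: `EVP_CIPHER_CTX_get_iv` and `EVP_CIPHER_CTX_set_iv` only ever read or write `ctx->iv`, yet the evp_enc.c hunk in this same diff skips the generic IV handling for ciphers flagged `EVP_CIPH_CUSTOM_IV`, so for those the nonce actually in use may live in `cipher_data` and the getter could return stale bytes while the setter has no effect — worth confirming against the AEAD modes. Suggest a comment above each: `/* Operates on ctx->iv only; for EVP_CIPH_CUSTOM_IV ciphers the effective IV may be kept in cipher_data and is not reflected here. */`. The comparison `len != EVP_CIPHER_CTX_iv_length(ctx)` also mixes a size_t with an int return; if the accessor can never be negative, a comment saying so makes the implicit conversion obviously safe.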
diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c index de08c8d..65e9e45 100644 --- a/crypto/evp/evp_pbe.c +++ b/crypto/evp/evp_pbe.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_pbe.c,v 1.25 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: evp_pbe.c,v 1.26 2020/06/05 17:30:41 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -114,6 +114,8 @@ static const EVP_PBE_CTL builtin_pbe[] = { {EVP_PBE_TYPE_PRF, NID_hmacWithSHA384, -1, NID_sha384, 0}, {EVP_PBE_TYPE_PRF, NID_hmacWithSHA512, -1, NID_sha512, 0}, {EVP_PBE_TYPE_PRF, NID_id_HMACGostR3411_94, -1, NID_id_GostR3411_94, 0}, + {EVP_PBE_TYPE_PRF, NID_id_tc26_hmac_gost_3411_12_256, -1, NID_id_tc26_gost3411_2012_256, 0}, + {EVP_PBE_TYPE_PRF, NID_id_tc26_hmac_gost_3411_12_512, -1, NID_id_tc26_gost3411_2012_512, 0}, }; int diff --git a/crypto/evp/evp_pkey.c b/crypto/evp/evp_pkey.c index 4dcd2a1..9ff544b 100644 --- a/crypto/evp/evp_pkey.c +++ b/crypto/evp/evp_pkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: evp_pkey.c,v 1.19 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: evp_pkey.c,v 1.23 2018/08/24 20:26:03 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -67,10 +67,10 @@ /* Extract a private key from a PKCS8 structure */ EVP_PKEY * -EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8) +EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8) { EVP_PKEY *pkey = NULL; - ASN1_OBJECT *algoid; + const ASN1_OBJECT *algoid; char obj_tmp[80]; if (!PKCS8_pkey_get0(&algoid, NULL, NULL, NULL, p8)) @@ -105,16 +105,10 @@ error: return NULL; } -PKCS8_PRIV_KEY_INFO * -EVP_PKEY2PKCS8(EVP_PKEY *pkey) -{ - return EVP_PKEY2PKCS8_broken(pkey, PKCS8_OK); -} - /* Turn a private key into a PKCS8 structure */ PKCS8_PRIV_KEY_INFO * -EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken) +EVP_PKEY2PKCS8(EVP_PKEY *pkey) { PKCS8_PRIV_KEY_INFO *p8; 
@@ -122,7 +116,6 @@ EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken) EVPerror(ERR_R_MALLOC_FAILURE); return NULL; } - p8->broken = broken; if (pkey->ameth) { if (pkey->ameth->priv_encode) { @@ -145,27 +138,6 @@ error: return NULL; } -PKCS8_PRIV_KEY_INFO * -PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken) -{ - switch (broken) { - case PKCS8_OK: - p8->broken = PKCS8_OK; - return p8; - break; - - case PKCS8_NO_OCTET: - p8->broken = PKCS8_NO_OCTET; - p8->pkey->type = V_ASN1_SEQUENCE; - return p8; - break; - - default: - EVPerror(EVP_R_PKCS8_UNKNOWN_BROKEN_TYPE); - return NULL; - } -} - /* EVP_PKEY attribute functions */ int @@ -181,7 +153,8 @@ EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid, int lastpos) } int -EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, ASN1_OBJECT *obj, int lastpos) +EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, const ASN1_OBJECT *obj, + int lastpos) { return X509at_get_attr_by_OBJ(key->attributes, obj, lastpos); } diff --git a/crypto/evp/m_md5_sha1.c b/crypto/evp/m_md5_sha1.c index 272cdee..4e8a0c3 100644 --- a/crypto/evp/m_md5_sha1.c +++ b/crypto/evp/m_md5_sha1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: m_md5_sha1.c,v 1.1 2017/02/28 14:15:37 jsing Exp $ */ +/* $OpenBSD: m_md5_sha1.c,v 1.2 2018/08/10 17:30:29 jsing Exp $ */ /* * Copyright (c) 2017 Joel Sing * @@ -20,6 +20,10 @@ #include #include +#ifndef OPENSSL_NO_RSA +#include +#endif + struct md5_sha1_ctx { MD5_CTX md5; SHA_CTX sha1; @@ -74,6 +78,13 @@ static const EVP_MD md5_sha1_md = { .final = md5_sha1_final, .block_size = MD5_CBLOCK, /* MD5_CBLOCK == SHA_CBLOCK */ .ctx_size = sizeof(EVP_MD *) + sizeof(struct md5_sha1_ctx), +#ifndef OPENSSL_NO_RSA + .sign = (evp_sign_method *)RSA_sign, + .verify = (evp_verify_method *)RSA_verify, + .required_pkey_type = { + EVP_PKEY_RSA, EVP_PKEY_RSA2, 0, 0, + }, +#endif }; const EVP_MD * diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c index 6e955d9..9e313c3 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: m_sigver.c,v 1.6 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: m_sigver.c,v 1.7 2018/05/13 06:35:10 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -166,7 +166,7 @@ EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen) } int -EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t siglen) +EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen) { EVP_MD_CTX tmp_ctx; unsigned char md[EVP_MAX_MD_SIZE]; diff --git a/crypto/evp/m_sm3.c b/crypto/evp/m_sm3.c new file mode 100644 index 0000000..66582b8 --- /dev/null +++ b/crypto/evp/m_sm3.c 
@@ -0,0 +1,73 @@ +/* $OpenBSD: m_sm3.c,v 1.1 2018/11/11 06:53:31 tb Exp $ */ +/* + * Copyright (c) 2018, Ribose Inc + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#ifndef OPENSSL_NO_SM3 +#include +#include + +#ifndef OPENSSL_NO_RSA +#include +#endif + +static int +sm3_init(EVP_MD_CTX *ctx) +{ + return SM3_Init(ctx->md_data); +} + +static int +sm3_update(EVP_MD_CTX *ctx, const void *data, size_t count) +{ + return SM3_Update(ctx->md_data, data, count); +} + +static int +sm3_final(EVP_MD_CTX *ctx, unsigned char *md) +{ + return SM3_Final(md, ctx->md_data); +} + +static const EVP_MD sm3_md = { + .type = NID_sm3, + .pkey_type = NID_sm3WithRSAEncryption, + .md_size = SM3_DIGEST_LENGTH, + .flags = EVP_MD_FLAG_PKEY_METHOD_SIGNATURE|EVP_MD_FLAG_DIGALGID_ABSENT, + .init = sm3_init, + .update = sm3_update, + .final = sm3_final, + .copy = NULL, + .cleanup = NULL, +#ifndef OPENSSL_NO_RSA + .sign = (evp_sign_method *)RSA_sign, + .verify = (evp_verify_method *)RSA_verify, + .required_pkey_type = { + EVP_PKEY_RSA, EVP_PKEY_RSA2, 0, 0, + }, +#endif + .block_size = SM3_CBLOCK, + .ctx_size = sizeof(EVP_MD *) + sizeof(SM3_CTX), +}; + +const EVP_MD * +EVP_sm3(void) +{ + return &sm3_md; +} + +#endif /* OPENSSL_NO_SM3 */ 
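Review bot: The closing `#endif /* OPENSSL_NO_SM3 */` names the opposite condition from the guard it closes (`#ifndef OPENSSL_NO_SM3`), which misleads anyone reading the bottom of the file first; write `#endif /* !OPENSSL_NO_SM3 */`, matching `#endif /* !OPENSSL_NO_CHACHA && !OPENSSL_NO_POLY1305 */` elsewhere in this diff. The function-pointer casts `(evp_sign_method *)RSA_sign` and `(evp_verify_method *)RSA_verify` follow the existing `m_md5_sha1.c` pattern, so no change there. The pairing of `.pkey_type = NID_sm3WithRSAEncryption` with `EVP_MD_FLAG_DIGALGID_ABSENT` is a choice the file does not explain; a one-line comment citing the source of that encoding rule would help reviewers without the spec at hand.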
diff --git a/crypto/evp/p5_crpt.c b/crypto/evp/p5_crpt.c index 75a631b..98e4549 100644 --- a/crypto/evp/p5_crpt.c +++ b/crypto/evp/p5_crpt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p5_crpt.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: p5_crpt.c,v 1.19 2020/01/12 07:11:13 inoguchi Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -108,6 +108,7 @@ PKCS5_PBE_keyivgen(EVP_CIPHER_CTX *cctx, const char *pass, int passlen, iter = 1; else if ((iter = ASN1_INTEGER_get(pbe->iter)) <= 0) { EVPerror(EVP_R_UNSUPORTED_NUMBER_OF_ROUNDS); + PBEPARAM_free(pbe); return 0; } salt = pbe->salt->data; diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 811fe0c..13a9d65 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p_lib.c,v 1.20 2018/02/20 18:05:28 tb Exp $ */ +/* $OpenBSD: p_lib.c,v 1.25 2019/03/17 18:17:45 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -85,7 +85,7 @@ static void EVP_PKEY_free_it(EVP_PKEY *x); int -EVP_PKEY_bits(EVP_PKEY *pkey) +EVP_PKEY_bits(const EVP_PKEY *pkey) { if (pkey && pkey->ameth && pkey->ameth->pkey_bits) return pkey->ameth->pkey_bits(pkey); @@ -93,7 +93,7 @@ EVP_PKEY_bits(EVP_PKEY *pkey) } int -EVP_PKEY_size(EVP_PKEY *pkey) +EVP_PKEY_size(const EVP_PKEY *pkey) { if (pkey && pkey->ameth && pkey->ameth->pkey_size) return pkey->ameth->pkey_size(pkey); @@ -229,11 +229,8 @@ pkey_set_type(EVP_PKEY *pkey, int type, const char *str, int len) if ((type == pkey->save_type) && pkey->ameth) return 1; #ifndef OPENSSL_NO_ENGINE - /* If we have an ENGINE release it */ - if (pkey->engine) { - ENGINE_finish(pkey->engine); - pkey->engine = NULL; - } + ENGINE_finish(pkey->engine); + pkey->engine = NULL; #endif } if (str) 
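Review bot: The added `PBEPARAM_free(pbe)` closes the leak on the bad-iteration-count path, but `pbe->iter` remains bounded only from below (`<= 0` is rejected) even though it is parsed from caller-supplied DER, so a hostile PKCS#5 structure can request an arbitrarily large iteration count and keep `PKCS5_PBE_keyivgen` busy for as long as the integer type allows. Consider rejecting values above a documented cap in the same `else if`, or at minimum add `/* iter is attacker-controlled; callers decrypting untrusted input should bound it. */` next to the check. The enclosing function starts and ends outside this hunk.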
@@ -241,7 +238,7 @@ pkey_set_type(EVP_PKEY *pkey, int type, const char *str, int len) else ameth = EVP_PKEY_asn1_find(&e, type); #ifndef OPENSSL_NO_ENGINE - if (!pkey && e) + if (pkey == NULL) ENGINE_finish(e); #endif if (!ameth) { @@ -280,11 +277,27 @@ EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key) } void * -EVP_PKEY_get0(EVP_PKEY *pkey) +EVP_PKEY_get0(const EVP_PKEY *pkey) { return pkey->pkey.ptr; } +const unsigned char * +EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len) +{ + ASN1_OCTET_STRING *os; + + if (pkey->type != EVP_PKEY_HMAC) { + EVPerror(EVP_R_EXPECTING_AN_HMAC_KEY); + return NULL; + } + + os = EVP_PKEY_get0(pkey); + *len = os->length; + + return os->data; +} + #ifndef OPENSSL_NO_RSA RSA * EVP_PKEY_get0_RSA(EVP_PKEY *pkey) @@ -426,8 +439,7 @@ EVP_PKEY_type(int type) else ret = NID_undef; #ifndef OPENSSL_NO_ENGINE - if (e) - ENGINE_finish(e); + ENGINE_finish(e); #endif return ret; } @@ -470,10 +482,8 @@ EVP_PKEY_free_it(EVP_PKEY *x) x->pkey.ptr = NULL; } #ifndef OPENSSL_NO_ENGINE - if (x->engine) { - ENGINE_finish(x->engine); - x->engine = NULL; - } + ENGINE_finish(x->engine); + x->engine = NULL; #endif } diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index fc5f4ef..36bfe8d 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pmeth_lib.c,v 1.13 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: pmeth_lib.c,v 1.16 2019/11/01 15:08:57 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ 
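Review bot: `EVP_PKEY_get0_hmac` dereferences the result of `EVP_PKEY_get0(pkey)` without checking it, and `EVP_PKEY_get0` is simply `pkey->pkey.ptr`, which is NULL for an HMAC-typed key whose payload has not been assigned — the `pkey->type` check alone does not guarantee a key is present; `pkey` itself is also not NULL-checked, unlike `EVP_PKEY_bits` above it, and `*len` is written unconditionally. Suggest `if ((os = EVP_PKEY_get0(pkey)) == NULL) return NULL;` before `*len = os->length;`, plus either a NULL check on `len` or a comment stating it must be non-NULL. A contract comment would also help: `/* Returns the raw HMAC key bytes (owned by pkey) and stores their length in *len; NULL with EVP_R_EXPECTING_AN_HMAC_KEY if pkey is not an HMAC key. */`.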
@@ -78,7 +78,8 @@ typedef int sk_cmp_fn_type(const char * const *a, const char * const *b); DECLARE_STACK_OF(EVP_PKEY_METHOD) STACK_OF(EVP_PKEY_METHOD) *app_pkey_methods = NULL; -extern const EVP_PKEY_METHOD rsa_pkey_meth, dh_pkey_meth, dsa_pkey_meth; +extern const EVP_PKEY_METHOD rsa_pkey_meth, rsa_pss_pkey_meth; +extern const EVP_PKEY_METHOD dh_pkey_meth, dsa_pkey_meth; extern const EVP_PKEY_METHOD ec_pkey_meth, hmac_pkey_meth, cmac_pkey_meth; extern const EVP_PKEY_METHOD gostimit_pkey_meth, gostr01_pkey_meth; @@ -101,6 +102,9 @@ static const EVP_PKEY_METHOD *standard_methods[] = { #endif &hmac_pkey_meth, &cmac_pkey_meth, +#ifndef OPENSSL_NO_RSA + &rsa_pss_pkey_meth, +#endif }; static int pmeth_cmp_BSEARCH_CMP_FN(const void *, const void *); @@ -188,10 +192,9 @@ int_ctx_new(EVP_PKEY *pkey, ENGINE *e, int id) } ret = malloc(sizeof(EVP_PKEY_CTX)); - if (!ret) { + if (ret == NULL) { #ifndef OPENSSL_NO_ENGINE - if (e) - ENGINE_finish(e); + ENGINE_finish(e); #endif EVPerror(ERR_R_MALLOC_FAILURE); return NULL; @@ -394,10 +397,7 @@ EVP_PKEY_CTX_free(EVP_PKEY_CTX *ctx) EVP_PKEY_free(ctx->pkey); EVP_PKEY_free(ctx->peerkey); #ifndef OPENSSL_NO_ENGINE - if (ctx->engine) - /* The EVP_PKEY_CTX we used belongs to an ENGINE, release the - * functional reference we held for this reason. */ - ENGINE_finish(ctx->engine); + ENGINE_finish(ctx->engine); #endif free(ctx); } 
@@ -442,16 +442,24 @@ EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *name, const char *value) return -2; } if (!strcmp(name, "digest")) { - const EVP_MD *md; - if (!value || !(md = EVP_get_digestbyname(value))) { - EVPerror(EVP_R_INVALID_DIGEST); - return 0; - } - return EVP_PKEY_CTX_set_signature_md(ctx, md); + return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_SIG, + EVP_PKEY_CTRL_MD, value); } return ctx->pmeth->ctrl_str(ctx, name, value); } +int +EVP_PKEY_CTX_md(EVP_PKEY_CTX *ctx, int optype, int cmd, const char *md_name) +{ + const EVP_MD *md; + + if ((md = EVP_get_digestbyname(md_name)) == NULL) { + EVPerror(EVP_R_INVALID_DIGEST); + return 0; + } + return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, 0, (void *)md); +} + int EVP_PKEY_CTX_get_operation(EVP_PKEY_CTX *ctx) { diff --git a/crypto/gost/gost.h b/crypto/gost/gost.h deleted file mode 100644 index 092f96f..0000000 --- a/crypto/gost/gost.h +++ /dev/null 
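Review bot: The old `"digest"` branch in `EVP_PKEY_CTX_ctrl_str` rejected a NULL `value` explicitly (`if (!value || !(md = EVP_get_digestbyname(value)))`), but the new `EVP_PKEY_CTX_md` hands `md_name` straight to `EVP_get_digestbyname`, so the NULL guard now depends on that lookup tolerating a NULL name. If it does, a comment saying so belongs in `EVP_PKEY_CTX_md`; otherwise restore the check: `if (md_name == NULL || (md = EVP_get_digestbyname(md_name)) == NULL) {`. Since `EVP_PKEY_CTX_md` is also exposed through `evp_locl.h` in this diff as an internal helper, a one-line header comment (resolve a digest by name and pass it to `cmd` for `optype` via `EVP_PKEY_CTX_ctrl`) would make the indirection clearer to its other callers.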
@@ -1,266 +0,0 @@ -/* $OpenBSD: gost.h,v 1.3 2016/09/04 17:02:31 jsing Exp $ */ -/* - * Copyright (c) 2014 Dmitry Eremin-Solenikov - * Copyright (c) 2005-2006 Cryptocom LTD - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - */ - -#ifndef HEADER_GOST_H -#define HEADER_GOST_H - -#include - -#ifdef OPENSSL_NO_GOST -#error GOST is disabled. -#endif - -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif - -typedef struct gost2814789_key_st { - unsigned int key[8]; - unsigned int k87[256],k65[256],k43[256],k21[256]; - unsigned int count; - unsigned key_meshing : 1; -} GOST2814789_KEY; - -int Gost2814789_set_sbox(GOST2814789_KEY *key, int nid); -int Gost2814789_set_key(GOST2814789_KEY *key, - const unsigned char *userKey, const int bits); -void Gost2814789_ecb_encrypt(const unsigned char *in, unsigned char *out, - GOST2814789_KEY *key, const int enc); -void Gost2814789_cfb64_encrypt(const unsigned char *in, unsigned char *out, - size_t length, GOST2814789_KEY *key, - unsigned char *ivec, int *num, const int enc); -void Gost2814789_cnt_encrypt(const unsigned char *in, unsigned char *out, - size_t length, GOST2814789_KEY *key, - unsigned char *ivec, unsigned char *cnt_buf, int *num); - -typedef struct { - ASN1_OCTET_STRING *iv; - ASN1_OBJECT *enc_param_set; -} GOST_CIPHER_PARAMS; - -GOST_CIPHER_PARAMS *GOST_CIPHER_PARAMS_new(void); -void GOST_CIPHER_PARAMS_free(GOST_CIPHER_PARAMS *a); -GOST_CIPHER_PARAMS *d2i_GOST_CIPHER_PARAMS(GOST_CIPHER_PARAMS **a, const unsigned char **in, long len); -int i2d_GOST_CIPHER_PARAMS(GOST_CIPHER_PARAMS *a, unsigned char **out); -extern 
const ASN1_ITEM GOST_CIPHER_PARAMS_it; - -#define GOST2814789IMIT_LENGTH 4 -#define GOST2814789IMIT_CBLOCK 8 -#define GOST2814789IMIT_LONG unsigned int - -typedef struct GOST2814789IMITstate_st { - GOST2814789IMIT_LONG Nl, Nh; - unsigned char data[GOST2814789IMIT_CBLOCK]; - unsigned int num; - - GOST2814789_KEY cipher; - unsigned char mac[GOST2814789IMIT_CBLOCK]; -} GOST2814789IMIT_CTX; - -/* Note, also removed second parameter and removed dctx->cipher setting */ -int GOST2814789IMIT_Init(GOST2814789IMIT_CTX *c, int nid); -int GOST2814789IMIT_Update(GOST2814789IMIT_CTX *c, const void *data, size_t len); -int GOST2814789IMIT_Final(unsigned char *md, GOST2814789IMIT_CTX *c); -void GOST2814789IMIT_Transform(GOST2814789IMIT_CTX *c, const unsigned char *data); -unsigned char *GOST2814789IMIT(const unsigned char *d, size_t n, - unsigned char *md, int nid, - const unsigned char *key, const unsigned char *iv); - -#define GOSTR341194_LONG unsigned int - -#define GOSTR341194_LENGTH 32 -#define GOSTR341194_CBLOCK 32 -#define GOSTR341194_LBLOCK (GOSTR341194_CBLOCK/4) - -typedef struct GOSTR341194state_st { - GOSTR341194_LONG Nl, Nh; - GOSTR341194_LONG data[GOSTR341194_LBLOCK]; - unsigned int num; - - GOST2814789_KEY cipher; - unsigned char H[GOSTR341194_CBLOCK]; - unsigned char S[GOSTR341194_CBLOCK]; -} GOSTR341194_CTX; - -/* Note, also removed second parameter and removed dctx->cipher setting */ -int GOSTR341194_Init(GOSTR341194_CTX *c, int nid); -int GOSTR341194_Update(GOSTR341194_CTX *c, const void *data, size_t len); -int GOSTR341194_Final(unsigned char *md, GOSTR341194_CTX *c); -void GOSTR341194_Transform(GOSTR341194_CTX *c, const unsigned char *data); -unsigned char *GOSTR341194(const unsigned char *d, size_t n,unsigned char *md, int nid); - -#if defined(_LP64) -#define STREEBOG_LONG64 unsigned long -#define U64(C) C##UL -#else -#define STREEBOG_LONG64 unsigned long long -#define U64(C) C##ULL -#endif - -#define STREEBOG_LBLOCK 8 -#define STREEBOG_CBLOCK 64 -#define 
STREEBOG256_LENGTH 32 -#define STREEBOG512_LENGTH 64 - -typedef struct STREEBOGstate_st { - STREEBOG_LONG64 data[STREEBOG_LBLOCK]; - unsigned int num; - unsigned int md_len; - STREEBOG_LONG64 h[STREEBOG_LBLOCK]; - STREEBOG_LONG64 N[STREEBOG_LBLOCK]; - STREEBOG_LONG64 Sigma[STREEBOG_LBLOCK]; -} STREEBOG_CTX; - -int STREEBOG256_Init(STREEBOG_CTX *c); -int STREEBOG256_Update(STREEBOG_CTX *c, const void *data, size_t len); -int STREEBOG256_Final(unsigned char *md, STREEBOG_CTX *c); -void STREEBOG256_Transform(STREEBOG_CTX *c, const unsigned char *data); -unsigned char *STREEBOG256(const unsigned char *d, size_t n,unsigned char *md); - -int STREEBOG512_Init(STREEBOG_CTX *c); -int STREEBOG512_Update(STREEBOG_CTX *c, const void *data, size_t len); -int STREEBOG512_Final(unsigned char *md, STREEBOG_CTX *c); -void STREEBOG512_Transform(STREEBOG_CTX *c, const unsigned char *data); -unsigned char *STREEBOG512(const unsigned char *d, size_t n,unsigned char *md); - -typedef struct gost_key_st GOST_KEY; -GOST_KEY *GOST_KEY_new(void); -void GOST_KEY_free(GOST_KEY * r); -int GOST_KEY_check_key(const GOST_KEY * eckey); -int GOST_KEY_set_public_key_affine_coordinates(GOST_KEY * key, BIGNUM * x, BIGNUM * y); -const EC_GROUP * GOST_KEY_get0_group(const GOST_KEY * key); -int GOST_KEY_set_group(GOST_KEY * key, const EC_GROUP * group); -int GOST_KEY_get_digest(const GOST_KEY * key); -int GOST_KEY_set_digest(GOST_KEY * key, int digest_nid); -const BIGNUM * GOST_KEY_get0_private_key(const GOST_KEY * key); -int GOST_KEY_set_private_key(GOST_KEY * key, const BIGNUM * priv_key); -const EC_POINT * GOST_KEY_get0_public_key(const GOST_KEY * key); -int GOST_KEY_set_public_key(GOST_KEY * key, const EC_POINT * pub_key); -size_t GOST_KEY_get_size(const GOST_KEY * r); - -/* Gost-specific pmeth control-function parameters */ -/* For GOST R34.10 parameters */ -#define EVP_PKEY_CTRL_GOST_PARAMSET (EVP_PKEY_ALG_CTRL+1) -#define EVP_PKEY_CTRL_GOST_SIG_FORMAT (EVP_PKEY_ALG_CTRL+2) -#define 
EVP_PKEY_CTRL_GOST_SET_DIGEST (EVP_PKEY_ALG_CTRL+3) -#define EVP_PKEY_CTRL_GOST_GET_DIGEST (EVP_PKEY_ALG_CTRL+4) - -#define GOST_SIG_FORMAT_SR_BE 0 -#define GOST_SIG_FORMAT_RS_LE 1 - -/* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes - * made after this point may be overwritten when the script is next run. - */ -void ERR_load_GOST_strings(void); - -/* Error codes for the GOST functions. */ - -/* Function codes. */ -#define GOST_F_DECODE_GOST01_ALGOR_PARAMS 104 -#define GOST_F_ENCODE_GOST01_ALGOR_PARAMS 105 -#define GOST_F_GOST2001_COMPUTE_PUBLIC 106 -#define GOST_F_GOST2001_DO_SIGN 107 -#define GOST_F_GOST2001_DO_VERIFY 108 -#define GOST_F_GOST2001_KEYGEN 109 -#define GOST_F_GOST89_GET_ASN1_PARAMETERS 102 -#define GOST_F_GOST89_SET_ASN1_PARAMETERS 103 -#define GOST_F_GOST_KEY_CHECK_KEY 124 -#define GOST_F_GOST_KEY_NEW 125 -#define GOST_F_GOST_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES 126 -#define GOST_F_PARAM_COPY_GOST01 110 -#define GOST_F_PARAM_DECODE_GOST01 111 -#define GOST_F_PKEY_GOST01_CTRL 116 -#define GOST_F_PKEY_GOST01_DECRYPT 112 -#define GOST_F_PKEY_GOST01_DERIVE 113 -#define GOST_F_PKEY_GOST01_ENCRYPT 114 -#define GOST_F_PKEY_GOST01_PARAMGEN 115 -#define GOST_F_PKEY_GOST01_SIGN 123 -#define GOST_F_PKEY_GOST_MAC_CTRL 100 -#define GOST_F_PKEY_GOST_MAC_KEYGEN 101 -#define GOST_F_PRIV_DECODE_GOST01 117 -#define GOST_F_PUB_DECODE_GOST01 118 -#define GOST_F_PUB_ENCODE_GOST01 119 -#define GOST_F_PUB_PRINT_GOST01 120 -#define GOST_F_UNPACK_SIGNATURE_CP 121 -#define GOST_F_UNPACK_SIGNATURE_LE 122 - -/* Reason codes. 
*/ -#define GOST_R_BAD_KEY_PARAMETERS_FORMAT 104 -#define GOST_R_BAD_PKEY_PARAMETERS_FORMAT 105 -#define GOST_R_CANNOT_PACK_EPHEMERAL_KEY 106 -#define GOST_R_CTRL_CALL_FAILED 107 -#define GOST_R_ERROR_COMPUTING_SHARED_KEY 108 -#define GOST_R_ERROR_PARSING_KEY_TRANSPORT_INFO 109 -#define GOST_R_INCOMPATIBLE_ALGORITHMS 110 -#define GOST_R_INCOMPATIBLE_PEER_KEY 111 -#define GOST_R_INVALID_DIGEST_TYPE 100 -#define GOST_R_INVALID_IV_LENGTH 103 -#define GOST_R_INVALID_MAC_KEY_LENGTH 101 -#define GOST_R_KEY_IS_NOT_INITIALIZED 112 -#define GOST_R_KEY_PARAMETERS_MISSING 113 -#define GOST_R_MAC_KEY_NOT_SET 102 -#define GOST_R_NO_PARAMETERS_SET 115 -#define GOST_R_NO_PEER_KEY 116 -#define GOST_R_NO_PRIVATE_PART_OF_NON_EPHEMERAL_KEYPAIR 117 -#define GOST_R_PUBLIC_KEY_UNDEFINED 118 -#define GOST_R_RANDOM_NUMBER_GENERATOR_FAILED 120 -#define GOST_R_SIGNATURE_MISMATCH 121 -#define GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q 122 -#define GOST_R_UKM_NOT_SET 123 - -#ifdef __cplusplus -} -#endif -#endif diff --git a/crypto/gost/gost2814789.c b/crypto/gost/gost2814789.c index e285413..f1066f2 100644 --- a/crypto/gost/gost2814789.c +++ b/crypto/gost/gost2814789.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gost2814789.c,v 1.5 2015/09/10 15:56:25 jsing Exp $ */ +/* $OpenBSD: gost2814789.c,v 1.6 2020/09/12 02:45:05 inoguchi Exp $ */ /* * Copyright (c) 2014 Dmitry Eremin-Solenikov * Copyright (c) 2005-2006 Cryptocom LTD @@ -49,6 +49,8 @@ * ==================================================================== */ +#include + #include #include diff --git a/crypto/gost/gost_err.c b/crypto/gost/gost_err.c index 3bf60ff..e7111dd 100644 --- a/crypto/gost/gost_err.c +++ b/crypto/gost/gost_err.c 
@@ -73,43 +73,39 @@ static ERR_STRING_DATA GOST_str_functs[]= { {0, NULL} }; -static ERR_STRING_DATA GOST_str_reasons[]= - { -{ERR_REASON(GOST_R_BAD_KEY_PARAMETERS_FORMAT),"bad key parameters format"}, -{ERR_REASON(GOST_R_BAD_PKEY_PARAMETERS_FORMAT),"bad pkey parameters format"}, -{ERR_REASON(GOST_R_CANNOT_PACK_EPHEMERAL_KEY),"cannot pack ephemeral key"}, -{ERR_REASON(GOST_R_CTRL_CALL_FAILED) ,"ctrl call failed"}, -{ERR_REASON(GOST_R_ERROR_COMPUTING_SHARED_KEY),"error computing shared key"}, -{ERR_REASON(GOST_R_ERROR_PARSING_KEY_TRANSPORT_INFO),"error parsing key transport info"}, -{ERR_REASON(GOST_R_INCOMPATIBLE_ALGORITHMS),"incompatible algorithms"}, -{ERR_REASON(GOST_R_INCOMPATIBLE_PEER_KEY),"incompatible peer key"}, -{ERR_REASON(GOST_R_INVALID_DIGEST_TYPE) ,"invalid digest type"}, -{ERR_REASON(GOST_R_INVALID_IV_LENGTH) ,"invalid iv length"}, -{ERR_REASON(GOST_R_INVALID_MAC_KEY_LENGTH),"invalid mac key length"}, -{ERR_REASON(GOST_R_KEY_IS_NOT_INITIALIZED),"key is not initialized"}, -{ERR_REASON(GOST_R_KEY_PARAMETERS_MISSING),"key parameters missing"}, -{ERR_REASON(GOST_R_MAC_KEY_NOT_SET) ,"mac key not set"}, -{ERR_REASON(GOST_R_NO_PARAMETERS_SET) ,"no parameters set"}, -{ERR_REASON(GOST_R_NO_PEER_KEY) ,"no peer key"}, -{ERR_REASON(GOST_R_NO_PRIVATE_PART_OF_NON_EPHEMERAL_KEYPAIR),"no private part of non ephemeral keypair"}, -{ERR_REASON(GOST_R_PUBLIC_KEY_UNDEFINED) ,"public key undefined"}, -{ERR_REASON(GOST_R_RANDOM_NUMBER_GENERATOR_FAILED),"random number generator failed"}, -{ERR_REASON(GOST_R_SIGNATURE_MISMATCH) ,"signature mismatch"}, -{ERR_REASON(GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q),"signature parts greater than q"}, -{ERR_REASON(GOST_R_UKM_NOT_SET) ,"ukm not set"}, -{0,NULL} - }; - +static ERR_STRING_DATA GOST_str_reasons[] = { + {ERR_REASON(GOST_R_BAD_KEY_PARAMETERS_FORMAT),"bad key parameters format"}, + {ERR_REASON(GOST_R_BAD_PKEY_PARAMETERS_FORMAT),"bad pkey parameters format"}, + {ERR_REASON(GOST_R_CANNOT_PACK_EPHEMERAL_KEY),"cannot pack ephemeral 
key"}, + {ERR_REASON(GOST_R_CTRL_CALL_FAILED) ,"ctrl call failed"}, + {ERR_REASON(GOST_R_ERROR_COMPUTING_SHARED_KEY),"error computing shared key"}, + {ERR_REASON(GOST_R_ERROR_PARSING_KEY_TRANSPORT_INFO),"error parsing key transport info"}, + {ERR_REASON(GOST_R_INCOMPATIBLE_ALGORITHMS),"incompatible algorithms"}, + {ERR_REASON(GOST_R_INCOMPATIBLE_PEER_KEY),"incompatible peer key"}, + {ERR_REASON(GOST_R_INVALID_DIGEST_TYPE) ,"invalid digest type"}, + {ERR_REASON(GOST_R_INVALID_IV_LENGTH) ,"invalid iv length"}, + {ERR_REASON(GOST_R_INVALID_MAC_KEY_LENGTH),"invalid mac key length"}, + {ERR_REASON(GOST_R_KEY_IS_NOT_INITIALIZED),"key is not initialized"}, + {ERR_REASON(GOST_R_KEY_PARAMETERS_MISSING),"key parameters missing"}, + {ERR_REASON(GOST_R_MAC_KEY_NOT_SET) ,"mac key not set"}, + {ERR_REASON(GOST_R_NO_PARAMETERS_SET) ,"no parameters set"}, + {ERR_REASON(GOST_R_NO_PEER_KEY) ,"no peer key"}, + {ERR_REASON(GOST_R_NO_PRIVATE_PART_OF_NON_EPHEMERAL_KEYPAIR),"no private part of non ephemeral keypair"}, + {ERR_REASON(GOST_R_PUBLIC_KEY_UNDEFINED) ,"public key undefined"}, + {ERR_REASON(GOST_R_RANDOM_NUMBER_GENERATOR_FAILED),"random number generator failed"}, + {ERR_REASON(GOST_R_SIGNATURE_MISMATCH) ,"signature mismatch"}, + {ERR_REASON(GOST_R_SIGNATURE_PARTS_GREATER_THAN_Q),"signature parts greater than q"}, + {ERR_REASON(GOST_R_UKM_NOT_SET) ,"ukm not set"}, + {0, NULL} +}; #endif -void ERR_load_GOST_strings(void) - { +void +ERR_load_GOST_strings(void) { #ifndef OPENSSL_NO_ERR - - if (ERR_func_error_string(GOST_str_functs[0].error) == NULL) - { + if (ERR_func_error_string(GOST_str_functs[0].error) == NULL) { ERR_load_strings(0,GOST_str_functs); ERR_load_strings(0,GOST_str_reasons); - } -#endif } +#endif +} diff --git a/crypto/gost/gostr341001_ameth.c b/crypto/gost/gostr341001_ameth.c index b6958c7..27a95f2 100644 --- a/crypto/gost/gostr341001_ameth.c +++ b/crypto/gost/gostr341001_ameth.c 
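Review bot: The rewritten `ERR_load_GOST_strings` puts the opening brace on the signature line (`ERR_load_GOST_strings(void) {`), which is inconsistent with the KNF layout the rest of this commit adopts (return type on its own line, `{` alone on the next line, as in EVP_PKEY_CTX_md). Suggest `void` / `ERR_load_GOST_strings(void)` / `{` on three lines, and while touching it, `ERR_load_strings(0, GOST_str_functs);` with a space after the comma to match the surrounding style.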
@@ -1,4 +1,4 @@ -/* $OpenBSD: gostr341001_ameth.c,v 1.11 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: gostr341001_ameth.c,v 1.16 2020/06/05 17:17:22 jsing Exp $ */ /* * Copyright (c) 2014 Dmitry Eremin-Solenikov * Copyright (c) 2005-2006 Cryptocom LTD @@ -96,15 +96,19 @@ decode_gost01_algor_params(EVP_PKEY *pkey, const unsigned char **p, int len) ec = pkey->pkey.gost; if (ec == NULL) { ec = GOST_KEY_new(); - if (ec == NULL) + if (ec == NULL) { + GOSTerror(ERR_R_MALLOC_FAILURE); return 0; + } if (EVP_PKEY_assign_GOST(pkey, ec) == 0) return 0; } group = EC_GROUP_new_by_curve_name(param_nid); - if (group == NULL) + if (group == NULL) { + GOSTerror(EC_R_EC_GROUP_NEW_BY_NAME_FAILURE); return 0; + } EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE); if (GOST_KEY_set_group(ec, group) == 0) { EC_GROUP_free(group); @@ -201,14 +205,16 @@ pub_decode_gost01(EVP_PKEY *pk, X509_PUBKEY *pub) == 0) return 0; (void)EVP_PKEY_assign_GOST(pk, NULL); - X509_ALGOR_get0(NULL, &ptype, (void **)&pval, palg); + X509_ALGOR_get0(NULL, &ptype, (const void **)&pval, palg); if (ptype != V_ASN1_SEQUENCE) { GOSTerror(GOST_R_BAD_KEY_PARAMETERS_FORMAT); return 0; } p = pval->data; - if (decode_gost01_algor_params(pk, &p, pval->length) == 0) + if (decode_gost01_algor_params(pk, &p, pval->length) == 0) { + GOSTerror(GOST_R_BAD_KEY_PARAMETERS_FORMAT); return 0; + } octet = d2i_ASN1_OCTET_STRING(NULL, &pubkey_buf, pub_len); if (octet == NULL) { 
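Review bot: In decode_gost01_algor_params the new `GOSTerror(EC_R_EC_GROUP_NEW_BY_NAME_FAILURE)` pushes an EC-library reason number under ERR_LIB_GOST, so ERR_reason_error_string will look it up in the GOST reason table (visible in the gost_err.c hunk), which does not define that value, and the message will most likely render as an unknown reason. Either report it through the EC library, `ECerror(EC_R_EC_GROUP_NEW_BY_NAME_FAILURE);`, or use a GOST reason such as `GOSTerror(GOST_R_BAD_KEY_PARAMETERS_FORMAT);`. The function's tail (GOST_KEY_set_group failure handling) runs past the hunk.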
@@ -394,48 +400,48 @@ priv_print_gost01(BIO *out, const EVP_PKEY *pkey, int indent, ASN1_PCTX *pctx) } static int -priv_decode_gost01(EVP_PKEY *pk, PKCS8_PRIV_KEY_INFO *p8inf) +priv_decode_gost01(EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf) { const unsigned char *pkey_buf = NULL, *p = NULL; int priv_len = 0; BIGNUM *pk_num = NULL; int ret = 0; - X509_ALGOR *palg = NULL; - ASN1_OBJECT *palg_obj = NULL; + const X509_ALGOR *palg = NULL; + const ASN1_OBJECT *palg_obj = NULL; ASN1_INTEGER *priv_key = NULL; GOST_KEY *ec; int ptype = V_ASN1_UNDEF; ASN1_STRING *pval = NULL; - if (PKCS8_pkey_get0(&palg_obj, &pkey_buf, &priv_len, &palg, p8inf) == 0) + if (PKCS8_pkey_get0(&palg_obj, &pkey_buf, &priv_len, &palg, p8inf) == 0) { + GOSTerror(GOST_R_BAD_KEY_PARAMETERS_FORMAT); return 0; + } (void)EVP_PKEY_assign_GOST(pk, NULL); - X509_ALGOR_get0(NULL, &ptype, (void **)&pval, palg); + X509_ALGOR_get0(NULL, &ptype, (const void **)&pval, palg); if (ptype != V_ASN1_SEQUENCE) { GOSTerror(GOST_R_BAD_KEY_PARAMETERS_FORMAT); return 0; } p = pval->data; - if (decode_gost01_algor_params(pk, &p, pval->length) == 0) + if (decode_gost01_algor_params(pk, &p, pval->length) == 0) { + GOSTerror(GOST_R_BAD_KEY_PARAMETERS_FORMAT); return 0; + } p = pkey_buf; if (V_ASN1_OCTET_STRING == *p) { /* New format - Little endian octet string */ - unsigned char rev_buf[32]; - int i; ASN1_OCTET_STRING *s = d2i_ASN1_OCTET_STRING(NULL, &p, priv_len); - if (s == NULL || s->length != 32) { + if (s == NULL) { GOSTerror(EVP_R_DECODE_ERROR); ASN1_STRING_free(s); return 0; } - for (i = 0; i < 32; i++) { - rev_buf[31 - i] = s->data[i]; - } + + pk_num = GOST_le2bn(s->data, s->length, NULL); ASN1_STRING_free(s); - pk_num = BN_bin2bn(rev_buf, 32, NULL); } else { priv_key = d2i_ASN1_INTEGER(NULL, &p, priv_len); if (priv_key == NULL) diff --git a/crypto/gost/gostr341001_params.c b/crypto/gost/gostr341001_params.c index 6500c30..282a210 100644 --- a/crypto/gost/gostr341001_params.c +++ b/crypto/gost/gostr341001_params.c 
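Review bot: Removing the `s->length != 32` check in priv_decode_gost01 is needed for 512-bit keys, but nothing left in the hunk bounds the octet string at all, so a PKCS#8 blob with an oversized private-key octet string now produces a BIGNUM larger than the group order. Unless GOST_KEY_set_private_key or a later check (outside this hunk) rejects out-of-range values, bound it against the decoded parameters, e.g. `if (s == NULL || s->length > 64) {` or better a comparison with the group's key size. The `pk_num = GOST_le2bn(...)` result is also not NULL-checked inside the hunk; if that happens later in the function it is fine, otherwise `if (pk_num == NULL) goto err;` is needed.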
@@ -1,4 +1,4 @@ -/* $OpenBSD: gostr341001_params.c,v 1.3 2015/07/20 22:42:56 bcook Exp $ */ +/* $OpenBSD: gostr341001_params.c,v 1.4 2020/06/05 17:12:09 jsing Exp $ */ /* * Copyright (c) 2014 Dmitry Eremin-Solenikov * Copyright (c) 2005-2006 Cryptocom LTD @@ -98,8 +98,8 @@ static const GostR3410_params GostR3410_256_params[] = { }; static const GostR3410_params GostR3410_512_params[] = { - { "A", NID_id_tc26_gost_3410_2012_512_paramSetA }, - { "B", NID_id_tc26_gost_3410_2012_512_paramSetB }, + { "A", NID_id_tc26_gost_3410_12_512_paramSetA }, + { "B", NID_id_tc26_gost_3410_12_512_paramSetB }, { NULL, NID_undef }, }; diff --git a/crypto/gost/streebog.c b/crypto/gost/streebog.c index 902472b..61bce0e 100644 --- a/crypto/gost/streebog.c +++ b/crypto/gost/streebog.c @@ -1,4 +1,4 @@ -/* $OpenBSD: streebog.c,v 1.5 2015/09/10 15:56:25 jsing Exp $ */ +/* $OpenBSD: streebog.c,v 1.6 2019/05/09 22:54:28 tb Exp $ */ /* * Copyright (c) 2014 Dmitry Eremin-Solenikov * Copyright (c) 2005-2006 Cryptocom LTD @@ -1240,6 +1240,7 @@ static void streebog_single_block(STREEBOG_CTX *ctx, const unsigned char *in, size_t num) { STREEBOG_LONG64 M[8], l; + STREEBOG_LONG64 CF; int i; for (i = 0; i < 8; i++) @@ -1258,12 +1259,13 @@ streebog_single_block(STREEBOG_CTX *ctx, const unsigned char *in, size_t num) } } + CF = 0; ctx->Sigma[0] += M[0]; - for (i = 1; i < 8; i++) - if (ctx->Sigma[i-1] < M[i-1]) - ctx->Sigma[i] += M[i] + 1; - else - ctx->Sigma[i] += M[i]; + for (i = 1; i < 8; i++) { + if (ctx->Sigma[i-1] != M[i-1]) + CF = (ctx->Sigma[i-1] < M[i-1]); + ctx->Sigma[i] += M[i] + CF; + } } diff --git a/crypto/hkdf/hkdf.c b/crypto/hkdf/hkdf.c index 9fe587d..b8be10b 100644 --- a/crypto/hkdf/hkdf.c +++ b/crypto/hkdf/hkdf.c @@ -1,3 +1,4 @@ +/* $OpenBSD: hkdf.c,v 1.4 2019/11/21 20:02:20 tim Exp $ */ /* Copyright (c) 2014, Google Inc. * * Permission to use, copy, modify, and/or distribute this software for any 
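Review bot: The carry rule in the new Sigma loop in streebog_single_block deserves a comment: when `ctx->Sigma[i-1] == M[i-1]` after the addition, the previous limb was either 0 with no carry-in or all-ones with carry-in, so the carry-out equals the carry-in and `CF` is correctly left unchanged, but the `!=` guard reads like a skipped case without that explanation. Suggested comment above the loop: `/* Multi-limb Sigma += M. A limb equal to M[i-1] after the add had carry-out == carry-in (it was 0 or ~0), so CF is kept. */`.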
@@ -31,10 +32,10 @@ HKDF(uint8_t *out_key, size_t out_len, const EVP_MD *digest, size_t prk_len; if (!HKDF_extract(prk, &prk_len, digest, secret, secret_len, salt, - salt_len)) + salt_len)) return 0; if (!HKDF_expand(out_key, out_len, digest, prk, prk_len, info, - info_len)) + info_len)) return 0; return 1; @@ -49,8 +50,8 @@ HKDF_extract(uint8_t *out_key, size_t *out_len, unsigned int len; /* - * If salt is not given, HashLength zeros are used. However, HMAC does that - * internally already so we can ignore it. + * If salt is not given, HashLength zeros are used. However, HMAC does + * that internally already so we can ignore it. */ if (HMAC(digest, salt, salt_len, secret, secret_len, out_key, &len) == NULL) { @@ -90,7 +91,7 @@ HKDF_expand(uint8_t *out_key, size_t out_len, size_t todo; if (i != 0 && (!HMAC_Init_ex(&hmac, NULL, 0, NULL, NULL) || - !HMAC_Update(&hmac, previous, digest_len))) + !HMAC_Update(&hmac, previous, digest_len))) goto out; if (!HMAC_Update(&hmac, info, info_len) || @@ -110,6 +111,7 @@ HKDF_expand(uint8_t *out_key, size_t out_len, out: HMAC_CTX_cleanup(&hmac); + explicit_bzero(previous, sizeof(previous)); if (ret != 1) CRYPTOerror(ERR_R_CRYPTO_LIB); return ret; diff --git a/crypto/lhash/lhash.c b/crypto/lhash/lhash.c index ac6cc43..a68e466 100644 --- a/crypto/lhash/lhash.c +++ b/crypto/lhash/lhash.c @@ -1,4 +1,4 @@ -/* $OpenBSD: lhash.c,v 1.18 2016/11/08 20:20:06 miod Exp $ */ +/* $OpenBSD: lhash.c,v 1.19 2019/05/12 00:09:59 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
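Review bot: The @@ -110 hunk wipes `previous` in HKDF_expand, but the pseudorandom key `prk` that HKDF() keeps on its stack (used in the @@ -31 hunk) is at least as sensitive and is left in place on both the success and failure returns. If `prk` is the fixed-size local buffer its use with `&prk_len` suggests, add `explicit_bzero(prk, sizeof(prk));` before each `return` in HKDF(); the start of HKDF() lies outside the hunk.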
@@ -116,45 +116,22 @@ _LHASH * lh_new(LHASH_HASH_FN_TYPE h, LHASH_COMP_FN_TYPE c) { _LHASH *ret; - int i; - if ((ret = malloc(sizeof(_LHASH))) == NULL) - goto err0; - if ((ret->b = reallocarray(NULL, MIN_NODES, sizeof(LHASH_NODE *))) == NULL) - goto err1; - for (i = 0; i < MIN_NODES; i++) - ret->b[i] = NULL; + if ((ret = calloc(1, sizeof(_LHASH))) == NULL) + return NULL; + if ((ret->b = calloc(MIN_NODES, sizeof(LHASH_NODE *))) == NULL) { + free(ret); + return NULL; + } ret->comp = ((c == NULL) ? (LHASH_COMP_FN_TYPE)strcmp : c); ret->hash = ((h == NULL) ? (LHASH_HASH_FN_TYPE)lh_strhash : h); ret->num_nodes = MIN_NODES / 2; ret->num_alloc_nodes = MIN_NODES; - ret->p = 0; ret->pmax = MIN_NODES / 2; ret->up_load = UP_LOAD; ret->down_load = DOWN_LOAD; - ret->num_items = 0; - ret->num_expands = 0; - ret->num_expand_reallocs = 0; - ret->num_contracts = 0; - ret->num_contract_reallocs = 0; - ret->num_hash_calls = 0; - ret->num_comp_calls = 0; - ret->num_insert = 0; - ret->num_replace = 0; - ret->num_delete = 0; - ret->num_no_delete = 0; - ret->num_retrieve = 0; - ret->num_retrieve_miss = 0; - ret->num_hash_comps = 0; - - ret->error = 0; return (ret); - -err1: - free(ret); -err0: - return (NULL); } void diff --git a/crypto/malloc-wrapper.c b/crypto/malloc-wrapper.c index 1286738..cb9a311 100644 --- a/crypto/malloc-wrapper.c +++ b/crypto/malloc-wrapper.c @@ -1,4 +1,4 @@ -/* $OpenBSD: malloc-wrapper.c,v 1.6 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: malloc-wrapper.c,v 1.7 2018/05/13 13:49:04 jsing Exp $ */ /* * Copyright (c) 2014 Bob Beck * @@ -148,7 +148,6 @@ CRYPTO_realloc(void *ptr, int num, const char *file, int line) { if (num <= 0) return NULL; - return realloc(ptr, num); } 
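Review bot: The removed explicit zeroing of `p`, `num_items`, the `num_*` statistics counters and `error` in lh_new now silently depends on the switch to `calloc`, and nothing at the call site says so. Suggest a comment on the allocation so a future change back to malloc does not lose it: `/* calloc zeroes p, num_items, error and all statistics counters. */`.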
@@ -156,18 +155,12 @@ void * CRYPTO_realloc_clean(void *ptr, int old_len, int num, const char *file, int line) { - void *ret = NULL; - if (num <= 0) return NULL; + /* Original does not support shrinking. */ if (num < old_len) - return NULL; /* original does not support shrinking */ - ret = malloc(num); - if (ret && ptr && old_len > 0) { - memcpy(ret, ptr, old_len); - freezero(ptr, old_len); - } - return ret; + return NULL; + return recallocarray(ptr, old_len, num, 1); } void diff --git a/crypto/md5/md5-masm-x86_64.S b/crypto/md5/md5-masm-x86_64.S new file mode 100644 index 0000000..40019cd --- /dev/null +++ b/crypto/md5/md5-masm-x86_64.S 
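Review bot: CRYPTO_realloc_clean now passes the `int` parameter `old_len` straight to recallocarray as a size_t, and a negative `old_len` is not rejected (`num <= 0` and `num < old_len` both pass for it), so it becomes a huge old size for the copy/wipe instead of the no-op the previous `old_len > 0` guard gave. Reject it up front: `if (num <= 0 || old_len < 0)` / `return NULL;`. A one-line comment that `recallocarray` zeroes the old block on move is also worth adding, since that is the property this wrapper exists for.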
@@ -0,0 +1,753 @@ +; 1 "crypto/md5/md5-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/md5/md5-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/md5/md5-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' +ALIGN 16 + +PUBLIC md5_block_asm_data_order + +md5_block_asm_data_order PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_md5_block_asm_data_order:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + + + push rbp + push rbx + push r12 + push r14 + push r15 +$L$prologue:: + + + + + mov rbp,rdi + shl rdx,6 + lea rdi,QWORD PTR[rdx*1+rsi] + mov eax,DWORD PTR[rbp] + mov ebx,DWORD PTR[4+rbp] + mov ecx,DWORD PTR[8+rbp] + mov edx,DWORD PTR[12+rbp] + + + + + + + + cmp rsi,rdi + je $L$end + + +$L$loop:: + mov r8d,eax + mov r9d,ebx + mov r14d,ecx + mov r15d,edx + mov r10d,DWORD PTR[rsi] + mov r11d,edx + xor r11d,ecx + lea eax,DWORD PTR[((-680876936))+r10*1+rax] + and r11d,ebx + xor r11d,edx + mov r10d,DWORD PTR[4+rsi] + add eax,r11d + rol eax,7 + mov r11d,ecx + add eax,ebx + xor r11d,ebx + lea edx,DWORD PTR[((-389564586))+r10*1+rdx] + and r11d,eax + xor r11d,ecx + mov r10d,DWORD PTR[8+rsi] + add edx,r11d + rol edx,12 + mov r11d,ebx + add edx,eax + xor r11d,eax + lea ecx,DWORD PTR[606105819+r10*1+rcx] + and r11d,edx + xor r11d,ebx + mov r10d,DWORD PTR[12+rsi] + add ecx,r11d + rol ecx,17 + mov r11d,eax + add ecx,edx + xor r11d,edx + lea ebx,DWORD PTR[((-1044525330))+r10*1+rbx] + and r11d,ecx + xor r11d,eax + mov r10d,DWORD PTR[16+rsi] + add ebx,r11d + rol ebx,22 + mov r11d,edx + add ebx,ecx + xor r11d,ecx + lea eax,DWORD PTR[((-176418897))+r10*1+rax] + and r11d,ebx + xor r11d,edx + mov r10d,DWORD PTR[20+rsi] + add eax,r11d + rol eax,7 + mov r11d,ecx + add eax,ebx + xor r11d,ebx + lea 
edx,DWORD PTR[1200080426+r10*1+rdx] + and r11d,eax + xor r11d,ecx + mov r10d,DWORD PTR[24+rsi] + add edx,r11d + rol edx,12 + mov r11d,ebx + add edx,eax + xor r11d,eax + lea ecx,DWORD PTR[((-1473231341))+r10*1+rcx] + and r11d,edx + xor r11d,ebx + mov r10d,DWORD PTR[28+rsi] + add ecx,r11d + rol ecx,17 + mov r11d,eax + add ecx,edx + xor r11d,edx + lea ebx,DWORD PTR[((-45705983))+r10*1+rbx] + and r11d,ecx + xor r11d,eax + mov r10d,DWORD PTR[32+rsi] + add ebx,r11d + rol ebx,22 + mov r11d,edx + add ebx,ecx + xor r11d,ecx + lea eax,DWORD PTR[1770035416+r10*1+rax] + and r11d,ebx + xor r11d,edx + mov r10d,DWORD PTR[36+rsi] + add eax,r11d + rol eax,7 + mov r11d,ecx + add eax,ebx + xor r11d,ebx + lea edx,DWORD PTR[((-1958414417))+r10*1+rdx] + and r11d,eax + xor r11d,ecx + mov r10d,DWORD PTR[40+rsi] + add edx,r11d + rol edx,12 + mov r11d,ebx + add edx,eax + xor r11d,eax + lea ecx,DWORD PTR[((-42063))+r10*1+rcx] + and r11d,edx + xor r11d,ebx + mov r10d,DWORD PTR[44+rsi] + add ecx,r11d + rol ecx,17 + mov r11d,eax + add ecx,edx + xor r11d,edx + lea ebx,DWORD PTR[((-1990404162))+r10*1+rbx] + and r11d,ecx + xor r11d,eax + mov r10d,DWORD PTR[48+rsi] + add ebx,r11d + rol ebx,22 + mov r11d,edx + add ebx,ecx + xor r11d,ecx + lea eax,DWORD PTR[1804603682+r10*1+rax] + and r11d,ebx + xor r11d,edx + mov r10d,DWORD PTR[52+rsi] + add eax,r11d + rol eax,7 + mov r11d,ecx + add eax,ebx + xor r11d,ebx + lea edx,DWORD PTR[((-40341101))+r10*1+rdx] + and r11d,eax + xor r11d,ecx + mov r10d,DWORD PTR[56+rsi] + add edx,r11d + rol edx,12 + mov r11d,ebx + add edx,eax + xor r11d,eax + lea ecx,DWORD PTR[((-1502002290))+r10*1+rcx] + and r11d,edx + xor r11d,ebx + mov r10d,DWORD PTR[60+rsi] + add ecx,r11d + rol ecx,17 + mov r11d,eax + add ecx,edx + xor r11d,edx + lea ebx,DWORD PTR[1236535329+r10*1+rbx] + and r11d,ecx + xor r11d,eax + mov r10d,DWORD PTR[rsi] + add ebx,r11d + rol ebx,22 + mov r11d,edx + add ebx,ecx + mov r10d,DWORD PTR[4+rsi] + mov r11d,edx + mov r12d,edx + not r11d + lea eax,DWORD 
PTR[((-165796510))+r10*1+rax] + and r12d,ebx + and r11d,ecx + mov r10d,DWORD PTR[24+rsi] + or r12d,r11d + mov r11d,ecx + add eax,r12d + mov r12d,ecx + rol eax,5 + add eax,ebx + not r11d + lea edx,DWORD PTR[((-1069501632))+r10*1+rdx] + and r12d,eax + and r11d,ebx + mov r10d,DWORD PTR[44+rsi] + or r12d,r11d + mov r11d,ebx + add edx,r12d + mov r12d,ebx + rol edx,9 + add edx,eax + not r11d + lea ecx,DWORD PTR[643717713+r10*1+rcx] + and r12d,edx + and r11d,eax + mov r10d,DWORD PTR[rsi] + or r12d,r11d + mov r11d,eax + add ecx,r12d + mov r12d,eax + rol ecx,14 + add ecx,edx + not r11d + lea ebx,DWORD PTR[((-373897302))+r10*1+rbx] + and r12d,ecx + and r11d,edx + mov r10d,DWORD PTR[20+rsi] + or r12d,r11d + mov r11d,edx + add ebx,r12d + mov r12d,edx + rol ebx,20 + add ebx,ecx + not r11d + lea eax,DWORD PTR[((-701558691))+r10*1+rax] + and r12d,ebx + and r11d,ecx + mov r10d,DWORD PTR[40+rsi] + or r12d,r11d + mov r11d,ecx + add eax,r12d + mov r12d,ecx + rol eax,5 + add eax,ebx + not r11d + lea edx,DWORD PTR[38016083+r10*1+rdx] + and r12d,eax + and r11d,ebx + mov r10d,DWORD PTR[60+rsi] + or r12d,r11d + mov r11d,ebx + add edx,r12d + mov r12d,ebx + rol edx,9 + add edx,eax + not r11d + lea ecx,DWORD PTR[((-660478335))+r10*1+rcx] + and r12d,edx + and r11d,eax + mov r10d,DWORD PTR[16+rsi] + or r12d,r11d + mov r11d,eax + add ecx,r12d + mov r12d,eax + rol ecx,14 + add ecx,edx + not r11d + lea ebx,DWORD PTR[((-405537848))+r10*1+rbx] + and r12d,ecx + and r11d,edx + mov r10d,DWORD PTR[36+rsi] + or r12d,r11d + mov r11d,edx + add ebx,r12d + mov r12d,edx + rol ebx,20 + add ebx,ecx + not r11d + lea eax,DWORD PTR[568446438+r10*1+rax] + and r12d,ebx + and r11d,ecx + mov r10d,DWORD PTR[56+rsi] + or r12d,r11d + mov r11d,ecx + add eax,r12d + mov r12d,ecx + rol eax,5 + add eax,ebx + not r11d + lea edx,DWORD PTR[((-1019803690))+r10*1+rdx] + and r12d,eax + and r11d,ebx + mov r10d,DWORD PTR[12+rsi] + or r12d,r11d + mov r11d,ebx + add edx,r12d + mov r12d,ebx + rol edx,9 + add edx,eax + not r11d + lea 
ecx,DWORD PTR[((-187363961))+r10*1+rcx] + and r12d,edx + and r11d,eax + mov r10d,DWORD PTR[32+rsi] + or r12d,r11d + mov r11d,eax + add ecx,r12d + mov r12d,eax + rol ecx,14 + add ecx,edx + not r11d + lea ebx,DWORD PTR[1163531501+r10*1+rbx] + and r12d,ecx + and r11d,edx + mov r10d,DWORD PTR[52+rsi] + or r12d,r11d + mov r11d,edx + add ebx,r12d + mov r12d,edx + rol ebx,20 + add ebx,ecx + not r11d + lea eax,DWORD PTR[((-1444681467))+r10*1+rax] + and r12d,ebx + and r11d,ecx + mov r10d,DWORD PTR[8+rsi] + or r12d,r11d + mov r11d,ecx + add eax,r12d + mov r12d,ecx + rol eax,5 + add eax,ebx + not r11d + lea edx,DWORD PTR[((-51403784))+r10*1+rdx] + and r12d,eax + and r11d,ebx + mov r10d,DWORD PTR[28+rsi] + or r12d,r11d + mov r11d,ebx + add edx,r12d + mov r12d,ebx + rol edx,9 + add edx,eax + not r11d + lea ecx,DWORD PTR[1735328473+r10*1+rcx] + and r12d,edx + and r11d,eax + mov r10d,DWORD PTR[48+rsi] + or r12d,r11d + mov r11d,eax + add ecx,r12d + mov r12d,eax + rol ecx,14 + add ecx,edx + not r11d + lea ebx,DWORD PTR[((-1926607734))+r10*1+rbx] + and r12d,ecx + and r11d,edx + mov r10d,DWORD PTR[rsi] + or r12d,r11d + mov r11d,edx + add ebx,r12d + mov r12d,edx + rol ebx,20 + add ebx,ecx + mov r10d,DWORD PTR[20+rsi] + mov r11d,ecx + lea eax,DWORD PTR[((-378558))+r10*1+rax] + mov r10d,DWORD PTR[32+rsi] + xor r11d,edx + xor r11d,ebx + add eax,r11d + rol eax,4 + mov r11d,ebx + add eax,ebx + lea edx,DWORD PTR[((-2022574463))+r10*1+rdx] + mov r10d,DWORD PTR[44+rsi] + xor r11d,ecx + xor r11d,eax + add edx,r11d + rol edx,11 + mov r11d,eax + add edx,eax + lea ecx,DWORD PTR[1839030562+r10*1+rcx] + mov r10d,DWORD PTR[56+rsi] + xor r11d,ebx + xor r11d,edx + add ecx,r11d + rol ecx,16 + mov r11d,edx + add ecx,edx + lea ebx,DWORD PTR[((-35309556))+r10*1+rbx] + mov r10d,DWORD PTR[4+rsi] + xor r11d,eax + xor r11d,ecx + add ebx,r11d + rol ebx,23 + mov r11d,ecx + add ebx,ecx + lea eax,DWORD PTR[((-1530992060))+r10*1+rax] + mov r10d,DWORD PTR[16+rsi] + xor r11d,edx + xor r11d,ebx + add eax,r11d + rol 
eax,4 + mov r11d,ebx + add eax,ebx + lea edx,DWORD PTR[1272893353+r10*1+rdx] + mov r10d,DWORD PTR[28+rsi] + xor r11d,ecx + xor r11d,eax + add edx,r11d + rol edx,11 + mov r11d,eax + add edx,eax + lea ecx,DWORD PTR[((-155497632))+r10*1+rcx] + mov r10d,DWORD PTR[40+rsi] + xor r11d,ebx + xor r11d,edx + add ecx,r11d + rol ecx,16 + mov r11d,edx + add ecx,edx + lea ebx,DWORD PTR[((-1094730640))+r10*1+rbx] + mov r10d,DWORD PTR[52+rsi] + xor r11d,eax + xor r11d,ecx + add ebx,r11d + rol ebx,23 + mov r11d,ecx + add ebx,ecx + lea eax,DWORD PTR[681279174+r10*1+rax] + mov r10d,DWORD PTR[rsi] + xor r11d,edx + xor r11d,ebx + add eax,r11d + rol eax,4 + mov r11d,ebx + add eax,ebx + lea edx,DWORD PTR[((-358537222))+r10*1+rdx] + mov r10d,DWORD PTR[12+rsi] + xor r11d,ecx + xor r11d,eax + add edx,r11d + rol edx,11 + mov r11d,eax + add edx,eax + lea ecx,DWORD PTR[((-722521979))+r10*1+rcx] + mov r10d,DWORD PTR[24+rsi] + xor r11d,ebx + xor r11d,edx + add ecx,r11d + rol ecx,16 + mov r11d,edx + add ecx,edx + lea ebx,DWORD PTR[76029189+r10*1+rbx] + mov r10d,DWORD PTR[36+rsi] + xor r11d,eax + xor r11d,ecx + add ebx,r11d + rol ebx,23 + mov r11d,ecx + add ebx,ecx + lea eax,DWORD PTR[((-640364487))+r10*1+rax] + mov r10d,DWORD PTR[48+rsi] + xor r11d,edx + xor r11d,ebx + add eax,r11d + rol eax,4 + mov r11d,ebx + add eax,ebx + lea edx,DWORD PTR[((-421815835))+r10*1+rdx] + mov r10d,DWORD PTR[60+rsi] + xor r11d,ecx + xor r11d,eax + add edx,r11d + rol edx,11 + mov r11d,eax + add edx,eax + lea ecx,DWORD PTR[530742520+r10*1+rcx] + mov r10d,DWORD PTR[8+rsi] + xor r11d,ebx + xor r11d,edx + add ecx,r11d + rol ecx,16 + mov r11d,edx + add ecx,edx + lea ebx,DWORD PTR[((-995338651))+r10*1+rbx] + mov r10d,DWORD PTR[rsi] + xor r11d,eax + xor r11d,ecx + add ebx,r11d + rol ebx,23 + mov r11d,ecx + add ebx,ecx + mov r10d,DWORD PTR[rsi] + mov r11d,0ffffffffh + xor r11d,edx + lea eax,DWORD PTR[((-198630844))+r10*1+rax] + or r11d,ebx + xor r11d,ecx + add eax,r11d + mov r10d,DWORD PTR[28+rsi] + mov r11d,0ffffffffh + rol 
eax,6 + xor r11d,ecx + add eax,ebx + lea edx,DWORD PTR[1126891415+r10*1+rdx] + or r11d,eax + xor r11d,ebx + add edx,r11d + mov r10d,DWORD PTR[56+rsi] + mov r11d,0ffffffffh + rol edx,10 + xor r11d,ebx + add edx,eax + lea ecx,DWORD PTR[((-1416354905))+r10*1+rcx] + or r11d,edx + xor r11d,eax + add ecx,r11d + mov r10d,DWORD PTR[20+rsi] + mov r11d,0ffffffffh + rol ecx,15 + xor r11d,eax + add ecx,edx + lea ebx,DWORD PTR[((-57434055))+r10*1+rbx] + or r11d,ecx + xor r11d,edx + add ebx,r11d + mov r10d,DWORD PTR[48+rsi] + mov r11d,0ffffffffh + rol ebx,21 + xor r11d,edx + add ebx,ecx + lea eax,DWORD PTR[1700485571+r10*1+rax] + or r11d,ebx + xor r11d,ecx + add eax,r11d + mov r10d,DWORD PTR[12+rsi] + mov r11d,0ffffffffh + rol eax,6 + xor r11d,ecx + add eax,ebx + lea edx,DWORD PTR[((-1894986606))+r10*1+rdx] + or r11d,eax + xor r11d,ebx + add edx,r11d + mov r10d,DWORD PTR[40+rsi] + mov r11d,0ffffffffh + rol edx,10 + xor r11d,ebx + add edx,eax + lea ecx,DWORD PTR[((-1051523))+r10*1+rcx] + or r11d,edx + xor r11d,eax + add ecx,r11d + mov r10d,DWORD PTR[4+rsi] + mov r11d,0ffffffffh + rol ecx,15 + xor r11d,eax + add ecx,edx + lea ebx,DWORD PTR[((-2054922799))+r10*1+rbx] + or r11d,ecx + xor r11d,edx + add ebx,r11d + mov r10d,DWORD PTR[32+rsi] + mov r11d,0ffffffffh + rol ebx,21 + xor r11d,edx + add ebx,ecx + lea eax,DWORD PTR[1873313359+r10*1+rax] + or r11d,ebx + xor r11d,ecx + add eax,r11d + mov r10d,DWORD PTR[60+rsi] + mov r11d,0ffffffffh + rol eax,6 + xor r11d,ecx + add eax,ebx + lea edx,DWORD PTR[((-30611744))+r10*1+rdx] + or r11d,eax + xor r11d,ebx + add edx,r11d + mov r10d,DWORD PTR[24+rsi] + mov r11d,0ffffffffh + rol edx,10 + xor r11d,ebx + add edx,eax + lea ecx,DWORD PTR[((-1560198380))+r10*1+rcx] + or r11d,edx + xor r11d,eax + add ecx,r11d + mov r10d,DWORD PTR[52+rsi] + mov r11d,0ffffffffh + rol ecx,15 + xor r11d,eax + add ecx,edx + lea ebx,DWORD PTR[1309151649+r10*1+rbx] + or r11d,ecx + xor r11d,edx + add ebx,r11d + mov r10d,DWORD PTR[16+rsi] + mov r11d,0ffffffffh + rol ebx,21 
+ xor r11d,edx + add ebx,ecx + lea eax,DWORD PTR[((-145523070))+r10*1+rax] + or r11d,ebx + xor r11d,ecx + add eax,r11d + mov r10d,DWORD PTR[44+rsi] + mov r11d,0ffffffffh + rol eax,6 + xor r11d,ecx + add eax,ebx + lea edx,DWORD PTR[((-1120210379))+r10*1+rdx] + or r11d,eax + xor r11d,ebx + add edx,r11d + mov r10d,DWORD PTR[8+rsi] + mov r11d,0ffffffffh + rol edx,10 + xor r11d,ebx + add edx,eax + lea ecx,DWORD PTR[718787259+r10*1+rcx] + or r11d,edx + xor r11d,eax + add ecx,r11d + mov r10d,DWORD PTR[36+rsi] + mov r11d,0ffffffffh + rol ecx,15 + xor r11d,eax + add ecx,edx + lea ebx,DWORD PTR[((-343485551))+r10*1+rbx] + or r11d,ecx + xor r11d,edx + add ebx,r11d + mov r10d,DWORD PTR[rsi] + mov r11d,0ffffffffh + rol ebx,21 + xor r11d,edx + add ebx,ecx + + add eax,r8d + add ebx,r9d + add ecx,r14d + add edx,r15d + + + add rsi,64 + cmp rsi,rdi + jb $L$loop + + +$L$end:: + mov DWORD PTR[rbp],eax + mov DWORD PTR[4+rbp],ebx + mov DWORD PTR[8+rbp],ecx + mov DWORD PTR[12+rbp],edx + + mov r15,QWORD PTR[rsp] + mov r14,QWORD PTR[8+rsp] + mov r12,QWORD PTR[16+rsp] + mov rbx,QWORD PTR[24+rsp] + mov rbp,QWORD PTR[32+rsp] + add rsp,40 +$L$epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_md5_block_asm_data_order:: +md5_block_asm_data_order ENDP + +.text$ ENDS +END + diff --git a/crypto/md5/md5-mingw64-x86_64.S b/crypto/md5/md5-mingw64-x86_64.S new file mode 100644 index 0000000..5a611f5 --- /dev/null +++ b/crypto/md5/md5-mingw64-x86_64.S 
@@ -0,0 +1,679 @@ +#include "x86_arch.h" +.text +.p2align 4 + +.globl md5_block_asm_data_order +.def md5_block_asm_data_order; .scl 2; .type 32; .endef +md5_block_asm_data_order: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_md5_block_asm_data_order: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + + pushq %rbp + pushq %rbx + pushq %r12 + pushq %r14 + pushq %r15 +.Lprologue: + + + + + movq %rdi,%rbp + shlq $6,%rdx + leaq (%rsi,%rdx,1),%rdi + movl 0(%rbp),%eax + movl 4(%rbp),%ebx + movl 8(%rbp),%ecx + movl 12(%rbp),%edx + + + + + + + + cmpq %rdi,%rsi + je .Lend + + +.Lloop: + movl %eax,%r8d + movl %ebx,%r9d + movl %ecx,%r14d + movl %edx,%r15d + movl 0(%rsi),%r10d + movl %edx,%r11d + xorl %ecx,%r11d + leal -680876936(%rax,%r10,1),%eax + andl %ebx,%r11d + xorl %edx,%r11d + movl 4(%rsi),%r10d + addl %r11d,%eax + roll $7,%eax + movl %ecx,%r11d + addl %ebx,%eax + xorl %ebx,%r11d + leal -389564586(%rdx,%r10,1),%edx + andl %eax,%r11d + xorl %ecx,%r11d + movl 8(%rsi),%r10d + addl %r11d,%edx + roll $12,%edx + movl %ebx,%r11d + addl %eax,%edx + xorl %eax,%r11d + leal 606105819(%rcx,%r10,1),%ecx + andl %edx,%r11d + xorl %ebx,%r11d + movl 12(%rsi),%r10d + addl %r11d,%ecx + roll $17,%ecx + movl %eax,%r11d + addl %edx,%ecx + xorl %edx,%r11d + leal -1044525330(%rbx,%r10,1),%ebx + andl %ecx,%r11d + xorl %eax,%r11d + movl 16(%rsi),%r10d + addl %r11d,%ebx + roll $22,%ebx + movl %edx,%r11d + addl %ecx,%ebx + xorl %ecx,%r11d + leal -176418897(%rax,%r10,1),%eax + andl %ebx,%r11d + xorl %edx,%r11d + movl 20(%rsi),%r10d + addl %r11d,%eax + roll $7,%eax + movl %ecx,%r11d + addl %ebx,%eax + xorl %ebx,%r11d + leal 1200080426(%rdx,%r10,1),%edx + andl %eax,%r11d + xorl %ecx,%r11d + movl 24(%rsi),%r10d + addl %r11d,%edx + roll $12,%edx + movl %ebx,%r11d + addl %eax,%edx + xorl %eax,%r11d + leal -1473231341(%rcx,%r10,1),%ecx + andl %edx,%r11d + xorl %ebx,%r11d + movl 28(%rsi),%r10d + addl %r11d,%ecx + roll $17,%ecx + movl %eax,%r11d + addl %edx,%ecx + xorl %edx,%r11d 
+ leal -45705983(%rbx,%r10,1),%ebx + andl %ecx,%r11d + xorl %eax,%r11d + movl 32(%rsi),%r10d + addl %r11d,%ebx + roll $22,%ebx + movl %edx,%r11d + addl %ecx,%ebx + xorl %ecx,%r11d + leal 1770035416(%rax,%r10,1),%eax + andl %ebx,%r11d + xorl %edx,%r11d + movl 36(%rsi),%r10d + addl %r11d,%eax + roll $7,%eax + movl %ecx,%r11d + addl %ebx,%eax + xorl %ebx,%r11d + leal -1958414417(%rdx,%r10,1),%edx + andl %eax,%r11d + xorl %ecx,%r11d + movl 40(%rsi),%r10d + addl %r11d,%edx + roll $12,%edx + movl %ebx,%r11d + addl %eax,%edx + xorl %eax,%r11d + leal -42063(%rcx,%r10,1),%ecx + andl %edx,%r11d + xorl %ebx,%r11d + movl 44(%rsi),%r10d + addl %r11d,%ecx + roll $17,%ecx + movl %eax,%r11d + addl %edx,%ecx + xorl %edx,%r11d + leal -1990404162(%rbx,%r10,1),%ebx + andl %ecx,%r11d + xorl %eax,%r11d + movl 48(%rsi),%r10d + addl %r11d,%ebx + roll $22,%ebx + movl %edx,%r11d + addl %ecx,%ebx + xorl %ecx,%r11d + leal 1804603682(%rax,%r10,1),%eax + andl %ebx,%r11d + xorl %edx,%r11d + movl 52(%rsi),%r10d + addl %r11d,%eax + roll $7,%eax + movl %ecx,%r11d + addl %ebx,%eax + xorl %ebx,%r11d + leal -40341101(%rdx,%r10,1),%edx + andl %eax,%r11d + xorl %ecx,%r11d + movl 56(%rsi),%r10d + addl %r11d,%edx + roll $12,%edx + movl %ebx,%r11d + addl %eax,%edx + xorl %eax,%r11d + leal -1502002290(%rcx,%r10,1),%ecx + andl %edx,%r11d + xorl %ebx,%r11d + movl 60(%rsi),%r10d + addl %r11d,%ecx + roll $17,%ecx + movl %eax,%r11d + addl %edx,%ecx + xorl %edx,%r11d + leal 1236535329(%rbx,%r10,1),%ebx + andl %ecx,%r11d + xorl %eax,%r11d + movl 0(%rsi),%r10d + addl %r11d,%ebx + roll $22,%ebx + movl %edx,%r11d + addl %ecx,%ebx + movl 4(%rsi),%r10d + movl %edx,%r11d + movl %edx,%r12d + notl %r11d + leal -165796510(%rax,%r10,1),%eax + andl %ebx,%r12d + andl %ecx,%r11d + movl 24(%rsi),%r10d + orl %r11d,%r12d + movl %ecx,%r11d + addl %r12d,%eax + movl %ecx,%r12d + roll $5,%eax + addl %ebx,%eax + notl %r11d + leal -1069501632(%rdx,%r10,1),%edx + andl %eax,%r12d + andl %ebx,%r11d + movl 44(%rsi),%r10d + orl %r11d,%r12d 
+ movl %ebx,%r11d + addl %r12d,%edx + movl %ebx,%r12d + roll $9,%edx + addl %eax,%edx + notl %r11d + leal 643717713(%rcx,%r10,1),%ecx + andl %edx,%r12d + andl %eax,%r11d + movl 0(%rsi),%r10d + orl %r11d,%r12d + movl %eax,%r11d + addl %r12d,%ecx + movl %eax,%r12d + roll $14,%ecx + addl %edx,%ecx + notl %r11d + leal -373897302(%rbx,%r10,1),%ebx + andl %ecx,%r12d + andl %edx,%r11d + movl 20(%rsi),%r10d + orl %r11d,%r12d + movl %edx,%r11d + addl %r12d,%ebx + movl %edx,%r12d + roll $20,%ebx + addl %ecx,%ebx + notl %r11d + leal -701558691(%rax,%r10,1),%eax + andl %ebx,%r12d + andl %ecx,%r11d + movl 40(%rsi),%r10d + orl %r11d,%r12d + movl %ecx,%r11d + addl %r12d,%eax + movl %ecx,%r12d + roll $5,%eax + addl %ebx,%eax + notl %r11d + leal 38016083(%rdx,%r10,1),%edx + andl %eax,%r12d + andl %ebx,%r11d + movl 60(%rsi),%r10d + orl %r11d,%r12d + movl %ebx,%r11d + addl %r12d,%edx + movl %ebx,%r12d + roll $9,%edx + addl %eax,%edx + notl %r11d + leal -660478335(%rcx,%r10,1),%ecx + andl %edx,%r12d + andl %eax,%r11d + movl 16(%rsi),%r10d + orl %r11d,%r12d + movl %eax,%r11d + addl %r12d,%ecx + movl %eax,%r12d + roll $14,%ecx + addl %edx,%ecx + notl %r11d + leal -405537848(%rbx,%r10,1),%ebx + andl %ecx,%r12d + andl %edx,%r11d + movl 36(%rsi),%r10d + orl %r11d,%r12d + movl %edx,%r11d + addl %r12d,%ebx + movl %edx,%r12d + roll $20,%ebx + addl %ecx,%ebx + notl %r11d + leal 568446438(%rax,%r10,1),%eax + andl %ebx,%r12d + andl %ecx,%r11d + movl 56(%rsi),%r10d + orl %r11d,%r12d + movl %ecx,%r11d + addl %r12d,%eax + movl %ecx,%r12d + roll $5,%eax + addl %ebx,%eax + notl %r11d + leal -1019803690(%rdx,%r10,1),%edx + andl %eax,%r12d + andl %ebx,%r11d + movl 12(%rsi),%r10d + orl %r11d,%r12d + movl %ebx,%r11d + addl %r12d,%edx + movl %ebx,%r12d + roll $9,%edx + addl %eax,%edx + notl %r11d + leal -187363961(%rcx,%r10,1),%ecx + andl %edx,%r12d + andl %eax,%r11d + movl 32(%rsi),%r10d + orl %r11d,%r12d + movl %eax,%r11d + addl %r12d,%ecx + movl %eax,%r12d + roll $14,%ecx + addl %edx,%ecx + notl %r11d 
+ leal 1163531501(%rbx,%r10,1),%ebx + andl %ecx,%r12d + andl %edx,%r11d + movl 52(%rsi),%r10d + orl %r11d,%r12d + movl %edx,%r11d + addl %r12d,%ebx + movl %edx,%r12d + roll $20,%ebx + addl %ecx,%ebx + notl %r11d + leal -1444681467(%rax,%r10,1),%eax + andl %ebx,%r12d + andl %ecx,%r11d + movl 8(%rsi),%r10d + orl %r11d,%r12d + movl %ecx,%r11d + addl %r12d,%eax + movl %ecx,%r12d + roll $5,%eax + addl %ebx,%eax + notl %r11d + leal -51403784(%rdx,%r10,1),%edx + andl %eax,%r12d + andl %ebx,%r11d + movl 28(%rsi),%r10d + orl %r11d,%r12d + movl %ebx,%r11d + addl %r12d,%edx + movl %ebx,%r12d + roll $9,%edx + addl %eax,%edx + notl %r11d + leal 1735328473(%rcx,%r10,1),%ecx + andl %edx,%r12d + andl %eax,%r11d + movl 48(%rsi),%r10d + orl %r11d,%r12d + movl %eax,%r11d + addl %r12d,%ecx + movl %eax,%r12d + roll $14,%ecx + addl %edx,%ecx + notl %r11d + leal -1926607734(%rbx,%r10,1),%ebx + andl %ecx,%r12d + andl %edx,%r11d + movl 0(%rsi),%r10d + orl %r11d,%r12d + movl %edx,%r11d + addl %r12d,%ebx + movl %edx,%r12d + roll $20,%ebx + addl %ecx,%ebx + movl 20(%rsi),%r10d + movl %ecx,%r11d + leal -378558(%rax,%r10,1),%eax + movl 32(%rsi),%r10d + xorl %edx,%r11d + xorl %ebx,%r11d + addl %r11d,%eax + roll $4,%eax + movl %ebx,%r11d + addl %ebx,%eax + leal -2022574463(%rdx,%r10,1),%edx + movl 44(%rsi),%r10d + xorl %ecx,%r11d + xorl %eax,%r11d + addl %r11d,%edx + roll $11,%edx + movl %eax,%r11d + addl %eax,%edx + leal 1839030562(%rcx,%r10,1),%ecx + movl 56(%rsi),%r10d + xorl %ebx,%r11d + xorl %edx,%r11d + addl %r11d,%ecx + roll $16,%ecx + movl %edx,%r11d + addl %edx,%ecx + leal -35309556(%rbx,%r10,1),%ebx + movl 4(%rsi),%r10d + xorl %eax,%r11d + xorl %ecx,%r11d + addl %r11d,%ebx + roll $23,%ebx + movl %ecx,%r11d + addl %ecx,%ebx + leal -1530992060(%rax,%r10,1),%eax + movl 16(%rsi),%r10d + xorl %edx,%r11d + xorl %ebx,%r11d + addl %r11d,%eax + roll $4,%eax + movl %ebx,%r11d + addl %ebx,%eax + leal 1272893353(%rdx,%r10,1),%edx + movl 28(%rsi),%r10d + xorl %ecx,%r11d + xorl %eax,%r11d + addl 
%r11d,%edx + roll $11,%edx + movl %eax,%r11d + addl %eax,%edx + leal -155497632(%rcx,%r10,1),%ecx + movl 40(%rsi),%r10d + xorl %ebx,%r11d + xorl %edx,%r11d + addl %r11d,%ecx + roll $16,%ecx + movl %edx,%r11d + addl %edx,%ecx + leal -1094730640(%rbx,%r10,1),%ebx + movl 52(%rsi),%r10d + xorl %eax,%r11d + xorl %ecx,%r11d + addl %r11d,%ebx + roll $23,%ebx + movl %ecx,%r11d + addl %ecx,%ebx + leal 681279174(%rax,%r10,1),%eax + movl 0(%rsi),%r10d + xorl %edx,%r11d + xorl %ebx,%r11d + addl %r11d,%eax + roll $4,%eax + movl %ebx,%r11d + addl %ebx,%eax + leal -358537222(%rdx,%r10,1),%edx + movl 12(%rsi),%r10d + xorl %ecx,%r11d + xorl %eax,%r11d + addl %r11d,%edx + roll $11,%edx + movl %eax,%r11d + addl %eax,%edx + leal -722521979(%rcx,%r10,1),%ecx + movl 24(%rsi),%r10d + xorl %ebx,%r11d + xorl %edx,%r11d + addl %r11d,%ecx + roll $16,%ecx + movl %edx,%r11d + addl %edx,%ecx + leal 76029189(%rbx,%r10,1),%ebx + movl 36(%rsi),%r10d + xorl %eax,%r11d + xorl %ecx,%r11d + addl %r11d,%ebx + roll $23,%ebx + movl %ecx,%r11d + addl %ecx,%ebx + leal -640364487(%rax,%r10,1),%eax + movl 48(%rsi),%r10d + xorl %edx,%r11d + xorl %ebx,%r11d + addl %r11d,%eax + roll $4,%eax + movl %ebx,%r11d + addl %ebx,%eax + leal -421815835(%rdx,%r10,1),%edx + movl 60(%rsi),%r10d + xorl %ecx,%r11d + xorl %eax,%r11d + addl %r11d,%edx + roll $11,%edx + movl %eax,%r11d + addl %eax,%edx + leal 530742520(%rcx,%r10,1),%ecx + movl 8(%rsi),%r10d + xorl %ebx,%r11d + xorl %edx,%r11d + addl %r11d,%ecx + roll $16,%ecx + movl %edx,%r11d + addl %edx,%ecx + leal -995338651(%rbx,%r10,1),%ebx + movl 0(%rsi),%r10d + xorl %eax,%r11d + xorl %ecx,%r11d + addl %r11d,%ebx + roll $23,%ebx + movl %ecx,%r11d + addl %ecx,%ebx + movl 0(%rsi),%r10d + movl $4294967295,%r11d + xorl %edx,%r11d + leal -198630844(%rax,%r10,1),%eax + orl %ebx,%r11d + xorl %ecx,%r11d + addl %r11d,%eax + movl 28(%rsi),%r10d + movl $4294967295,%r11d + roll $6,%eax + xorl %ecx,%r11d + addl %ebx,%eax + leal 1126891415(%rdx,%r10,1),%edx + orl %eax,%r11d + xorl 
%ebx,%r11d + addl %r11d,%edx + movl 56(%rsi),%r10d + movl $4294967295,%r11d + roll $10,%edx + xorl %ebx,%r11d + addl %eax,%edx + leal -1416354905(%rcx,%r10,1),%ecx + orl %edx,%r11d + xorl %eax,%r11d + addl %r11d,%ecx + movl 20(%rsi),%r10d + movl $4294967295,%r11d + roll $15,%ecx + xorl %eax,%r11d + addl %edx,%ecx + leal -57434055(%rbx,%r10,1),%ebx + orl %ecx,%r11d + xorl %edx,%r11d + addl %r11d,%ebx + movl 48(%rsi),%r10d + movl $4294967295,%r11d + roll $21,%ebx + xorl %edx,%r11d + addl %ecx,%ebx + leal 1700485571(%rax,%r10,1),%eax + orl %ebx,%r11d + xorl %ecx,%r11d + addl %r11d,%eax + movl 12(%rsi),%r10d + movl $4294967295,%r11d + roll $6,%eax + xorl %ecx,%r11d + addl %ebx,%eax + leal -1894986606(%rdx,%r10,1),%edx + orl %eax,%r11d + xorl %ebx,%r11d + addl %r11d,%edx + movl 40(%rsi),%r10d + movl $4294967295,%r11d + roll $10,%edx + xorl %ebx,%r11d + addl %eax,%edx + leal -1051523(%rcx,%r10,1),%ecx + orl %edx,%r11d + xorl %eax,%r11d + addl %r11d,%ecx + movl 4(%rsi),%r10d + movl $4294967295,%r11d + roll $15,%ecx + xorl %eax,%r11d + addl %edx,%ecx + leal -2054922799(%rbx,%r10,1),%ebx + orl %ecx,%r11d + xorl %edx,%r11d + addl %r11d,%ebx + movl 32(%rsi),%r10d + movl $4294967295,%r11d + roll $21,%ebx + xorl %edx,%r11d + addl %ecx,%ebx + leal 1873313359(%rax,%r10,1),%eax + orl %ebx,%r11d + xorl %ecx,%r11d + addl %r11d,%eax + movl 60(%rsi),%r10d + movl $4294967295,%r11d + roll $6,%eax + xorl %ecx,%r11d + addl %ebx,%eax + leal -30611744(%rdx,%r10,1),%edx + orl %eax,%r11d + xorl %ebx,%r11d + addl %r11d,%edx + movl 24(%rsi),%r10d + movl $4294967295,%r11d + roll $10,%edx + xorl %ebx,%r11d + addl %eax,%edx + leal -1560198380(%rcx,%r10,1),%ecx + orl %edx,%r11d + xorl %eax,%r11d + addl %r11d,%ecx + movl 52(%rsi),%r10d + movl $4294967295,%r11d + roll $15,%ecx + xorl %eax,%r11d + addl %edx,%ecx + leal 1309151649(%rbx,%r10,1),%ebx + orl %ecx,%r11d + xorl %edx,%r11d + addl %r11d,%ebx + movl 16(%rsi),%r10d + movl $4294967295,%r11d + roll $21,%ebx + xorl %edx,%r11d + addl %ecx,%ebx + 
leal -145523070(%rax,%r10,1),%eax + orl %ebx,%r11d + xorl %ecx,%r11d + addl %r11d,%eax + movl 44(%rsi),%r10d + movl $4294967295,%r11d + roll $6,%eax + xorl %ecx,%r11d + addl %ebx,%eax + leal -1120210379(%rdx,%r10,1),%edx + orl %eax,%r11d + xorl %ebx,%r11d + addl %r11d,%edx + movl 8(%rsi),%r10d + movl $4294967295,%r11d + roll $10,%edx + xorl %ebx,%r11d + addl %eax,%edx + leal 718787259(%rcx,%r10,1),%ecx + orl %edx,%r11d + xorl %eax,%r11d + addl %r11d,%ecx + movl 36(%rsi),%r10d + movl $4294967295,%r11d + roll $15,%ecx + xorl %eax,%r11d + addl %edx,%ecx + leal -343485551(%rbx,%r10,1),%ebx + orl %ecx,%r11d + xorl %edx,%r11d + addl %r11d,%ebx + movl 0(%rsi),%r10d + movl $4294967295,%r11d + roll $21,%ebx + xorl %edx,%r11d + addl %ecx,%ebx + + addl %r8d,%eax + addl %r9d,%ebx + addl %r14d,%ecx + addl %r15d,%edx + + + addq $64,%rsi + cmpq %rdi,%rsi + jb .Lloop + + +.Lend: + movl %eax,0(%rbp) + movl %ebx,4(%rbp) + movl %ecx,8(%rbp) + movl %edx,12(%rbp) + + movq (%rsp),%r15 + movq 8(%rsp),%r14 + movq 16(%rsp),%r12 + movq 24(%rsp),%rbx + movq 32(%rsp),%rbp + addq $40,%rsp +.Lepilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_md5_block_asm_data_order: diff --git a/crypto/mem_dbg.c b/crypto/mem_dbg.c index cae02a6..602b139 100644 --- a/crypto/mem_dbg.c +++ b/crypto/mem_dbg.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mem_dbg.c,v 1.22 2014/06/12 15:49:27 deraadt Exp $ */ +/* $OpenBSD: mem_dbg.c,v 1.24 2019/01/29 14:40:54 deraadt Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -162,40 +162,37 @@ void CRYPTO_dbg_malloc(void *addr, int num, const char *file, int line, int before_p) { - /* CRYPTO_dbg_malloc is no longer permitted */ - abort(); + OPENSSL_assert("CRYPTO_dbg_malloc is no longer permitted"); } void CRYPTO_dbg_free(void *addr, int before_p) { - /* CRYPTO_dbg_free is no longer permitted */ - abort(); + OPENSSL_assert("CRYPTO_dbg_free is no longer permitted"); } void CRYPTO_dbg_realloc(void *addr1, void *addr2, int num, const char *file, int line, int before_p) { - /* CRYPTO_dbg_realloc is no longer permitted */ - abort(); + OPENSSL_assert("CRYPTO_dbg_realloc is no longer permitted"); } -void +int CRYPTO_mem_leaks(BIO *b) { - return; + return -1; } -void +int CRYPTO_mem_leaks_fp(FILE *fp) { - return; + return -1; } -void +int CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb) { - return; + return -1; } diff --git a/crypto/modes/ccm128.c b/crypto/modes/ccm128.c index 58cc4f4..12c6e61 100644 --- a/crypto/modes/ccm128.c +++ b/crypto/modes/ccm128.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ccm128.c,v 1.4 2015/02/10 09:46:30 miod Exp $ */ +/* $OpenBSD: ccm128.c,v 1.5 2019/05/08 14:18:25 tb Exp $ */ /* ==================================================================== * Copyright (c) 2011 The OpenSSL Project. All rights reserved. * @@ -435,7 +435,7 @@ size_t CRYPTO_ccm128_tag(CCM128_CONTEXT *ctx,unsigned char *tag,size_t len) { unsigned int M = (ctx->nonce.c[0]>>3)&7; /* the M parameter */ M *= 2; M += 2; - if (lencmac.c,M); return M; } diff --git a/crypto/modes/ghash-elf-armv4.S b/crypto/modes/ghash-elf-armv4.S new file mode 100644 index 0000000..af42593 --- /dev/null +++ b/crypto/modes/ghash-elf-armv4.S 
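Review bot: The `OPENSSL_assert("CRYPTO_dbg_malloc is no longer permitted")` replacements in CRYPTO_dbg_malloc, CRYPTO_dbg_free and CRYPTO_dbg_realloc can never fire, because a string literal is a non-null pointer and therefore always satisfies the assertion (assuming OPENSSL_assert is the usual `(e) ? 0 : OpenSSLDie(...)` macro, whose definition is not visible in this hunk). The removed code aborted; the new code silently returns, so a caller that still reaches these entry points now continues as if the call had succeeded, which is the opposite of what the message text says. If the hard failure is intended, write `OPENSSL_assert(0 && "CRYPTO_dbg_malloc is no longer permitted");` (and likewise for the other two) so the message is still carried into the diagnostic; if a harmless no-op is intended, drop the call and say so in a comment. The void-to-int change for CRYPTO_mem_leaks, CRYPTO_mem_leaks_fp and CRYPTO_mem_leaks_cb is reasonable but would benefit from a one-line comment such as `/* leak checking is not supported; -1 tells callers the result is unavailable */`.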
@@ -0,0 +1,412 @@ +#include "arm_arch.h" + +.text +.syntax unified +.code 32 + +.type rem_4bit,%object +.align 5 +rem_4bit: +.short 0x0000,0x1C20,0x3840,0x2460 +.short 0x7080,0x6CA0,0x48C0,0x54E0 +.short 0xE100,0xFD20,0xD940,0xC560 +.short 0x9180,0x8DA0,0xA9C0,0xB5E0 +.size rem_4bit,.-rem_4bit + +.type rem_4bit_get,%function +rem_4bit_get: + sub r2,pc,#8 + sub r2,r2,#32 @ &rem_4bit + b .Lrem_4bit_got + nop +.size rem_4bit_get,.-rem_4bit_get + +.global gcm_ghash_4bit +.type gcm_ghash_4bit,%function +gcm_ghash_4bit: + sub r12,pc,#8 + add r3,r2,r3 @ r3 to point at the end + stmdb sp!,{r3-r11,lr} @ save r3/end too + sub r12,r12,#48 @ &rem_4bit + + ldmia r12,{r4-r11} @ copy rem_4bit ... + stmdb sp!,{r4-r11} @ ... to stack + + ldrb r12,[r2,#15] + ldrb r14,[r0,#15] +.Louter: + eor r12,r12,r14 + and r14,r12,#0xf0 + and r12,r12,#0x0f + mov r3,#14 + + add r7,r1,r12,lsl#4 + ldmia r7,{r4-r7} @ load Htbl[nlo] + add r11,r1,r14 + ldrb r12,[r2,#14] + + and r14,r4,#0xf @ rem + ldmia r11,{r8-r11} @ load Htbl[nhi] + add r14,r14,r14 + eor r4,r8,r4,lsr#4 + ldrh r8,[sp,r14] @ rem_4bit[rem] + eor r4,r4,r5,lsl#28 + ldrb r14,[r0,#14] + eor r5,r9,r5,lsr#4 + eor r5,r5,r6,lsl#28 + eor r6,r10,r6,lsr#4 + eor r6,r6,r7,lsl#28 + eor r7,r11,r7,lsr#4 + eor r12,r12,r14 + and r14,r12,#0xf0 + and r12,r12,#0x0f + eor r7,r7,r8,lsl#16 + +.Linner: + add r11,r1,r12,lsl#4 + and r12,r4,#0xf @ rem + subs r3,r3,#1 + add r12,r12,r12 + ldmia r11,{r8-r11} @ load Htbl[nlo] + eor r4,r8,r4,lsr#4 + eor r4,r4,r5,lsl#28 + eor r5,r9,r5,lsr#4 + eor r5,r5,r6,lsl#28 + ldrh r8,[sp,r12] @ rem_4bit[rem] + eor r6,r10,r6,lsr#4 + ldrbpl r12,[r2,r3] + eor r6,r6,r7,lsl#28 + eor r7,r11,r7,lsr#4 + + add r11,r1,r14 + and r14,r4,#0xf @ rem + eor r7,r7,r8,lsl#16 @ ^= rem_4bit[rem] + add r14,r14,r14 + ldmia r11,{r8-r11} @ load Htbl[nhi] + eor r4,r8,r4,lsr#4 + ldrbpl r8,[r0,r3] + eor r4,r4,r5,lsl#28 + eor r5,r9,r5,lsr#4 + ldrh r9,[sp,r14] + eor r5,r5,r6,lsl#28 + eor r6,r10,r6,lsr#4 + eor r6,r6,r7,lsl#28 + eorpl r12,r12,r8 + eor 
r7,r11,r7,lsr#4 + andpl r14,r12,#0xf0 + andpl r12,r12,#0x0f + eor r7,r7,r9,lsl#16 @ ^= rem_4bit[rem] + bpl .Linner + + ldr r3,[sp,#32] @ re-load r3/end + add r2,r2,#16 + mov r14,r4 +#if __ARM_ARCH__>=7 && defined(__ARMEL__) + rev r4,r4 + str r4,[r0,#12] +#elif defined(__ARMEB__) + str r4,[r0,#12] +#else + mov r9,r4,lsr#8 + strb r4,[r0,#12+3] + mov r10,r4,lsr#16 + strb r9,[r0,#12+2] + mov r11,r4,lsr#24 + strb r10,[r0,#12+1] + strb r11,[r0,#12] +#endif + cmp r2,r3 +#if __ARM_ARCH__>=7 && defined(__ARMEL__) + rev r5,r5 + str r5,[r0,#8] +#elif defined(__ARMEB__) + str r5,[r0,#8] +#else + mov r9,r5,lsr#8 + strb r5,[r0,#8+3] + mov r10,r5,lsr#16 + strb r9,[r0,#8+2] + mov r11,r5,lsr#24 + strb r10,[r0,#8+1] + strb r11,[r0,#8] +#endif + ldrbne r12,[r2,#15] +#if __ARM_ARCH__>=7 && defined(__ARMEL__) + rev r6,r6 + str r6,[r0,#4] +#elif defined(__ARMEB__) + str r6,[r0,#4] +#else + mov r9,r6,lsr#8 + strb r6,[r0,#4+3] + mov r10,r6,lsr#16 + strb r9,[r0,#4+2] + mov r11,r6,lsr#24 + strb r10,[r0,#4+1] + strb r11,[r0,#4] +#endif + +#if __ARM_ARCH__>=7 && defined(__ARMEL__) + rev r7,r7 + str r7,[r0,#0] +#elif defined(__ARMEB__) + str r7,[r0,#0] +#else + mov r9,r7,lsr#8 + strb r7,[r0,#0+3] + mov r10,r7,lsr#16 + strb r9,[r0,#0+2] + mov r11,r7,lsr#24 + strb r10,[r0,#0+1] + strb r11,[r0,#0] +#endif + + bne .Louter + + add sp,sp,#36 +#if __ARM_ARCH__>=5 + ldmia sp!,{r4-r11,pc} +#else + ldmia sp!,{r4-r11,lr} + tst lr,#1 + moveq pc,lr @ be binary compatible with V4, yet + .word 0xe12fff1e @ interoperable with Thumb ISA:-) +#endif +.size gcm_ghash_4bit,.-gcm_ghash_4bit + +.global gcm_gmult_4bit +.type gcm_gmult_4bit,%function +gcm_gmult_4bit: + stmdb sp!,{r4-r11,lr} + ldrb r12,[r0,#15] + b rem_4bit_get +.Lrem_4bit_got: + and r14,r12,#0xf0 + and r12,r12,#0x0f + mov r3,#14 + + add r7,r1,r12,lsl#4 + ldmia r7,{r4-r7} @ load Htbl[nlo] + ldrb r12,[r0,#14] + + add r11,r1,r14 + and r14,r4,#0xf @ rem + ldmia r11,{r8-r11} @ load Htbl[nhi] + add r14,r14,r14 + eor r4,r8,r4,lsr#4 + ldrh r8,[r2,r14] @ 
rem_4bit[rem] + eor r4,r4,r5,lsl#28 + eor r5,r9,r5,lsr#4 + eor r5,r5,r6,lsl#28 + eor r6,r10,r6,lsr#4 + eor r6,r6,r7,lsl#28 + eor r7,r11,r7,lsr#4 + and r14,r12,#0xf0 + eor r7,r7,r8,lsl#16 + and r12,r12,#0x0f + +.Loop: + add r11,r1,r12,lsl#4 + and r12,r4,#0xf @ rem + subs r3,r3,#1 + add r12,r12,r12 + ldmia r11,{r8-r11} @ load Htbl[nlo] + eor r4,r8,r4,lsr#4 + eor r4,r4,r5,lsl#28 + eor r5,r9,r5,lsr#4 + eor r5,r5,r6,lsl#28 + ldrh r8,[r2,r12] @ rem_4bit[rem] + eor r6,r10,r6,lsr#4 + ldrbpl r12,[r0,r3] + eor r6,r6,r7,lsl#28 + eor r7,r11,r7,lsr#4 + + add r11,r1,r14 + and r14,r4,#0xf @ rem + eor r7,r7,r8,lsl#16 @ ^= rem_4bit[rem] + add r14,r14,r14 + ldmia r11,{r8-r11} @ load Htbl[nhi] + eor r4,r8,r4,lsr#4 + eor r4,r4,r5,lsl#28 + eor r5,r9,r5,lsr#4 + ldrh r8,[r2,r14] @ rem_4bit[rem] + eor r5,r5,r6,lsl#28 + eor r6,r10,r6,lsr#4 + eor r6,r6,r7,lsl#28 + eor r7,r11,r7,lsr#4 + andpl r14,r12,#0xf0 + andpl r12,r12,#0x0f + eor r7,r7,r8,lsl#16 @ ^= rem_4bit[rem] + bpl .Loop +#if __ARM_ARCH__>=7 && defined(__ARMEL__) + rev r4,r4 + str r4,[r0,#12] +#elif defined(__ARMEB__) + str r4,[r0,#12] +#else + mov r9,r4,lsr#8 + strb r4,[r0,#12+3] + mov r10,r4,lsr#16 + strb r9,[r0,#12+2] + mov r11,r4,lsr#24 + strb r10,[r0,#12+1] + strb r11,[r0,#12] +#endif + +#if __ARM_ARCH__>=7 && defined(__ARMEL__) + rev r5,r5 + str r5,[r0,#8] +#elif defined(__ARMEB__) + str r5,[r0,#8] +#else + mov r9,r5,lsr#8 + strb r5,[r0,#8+3] + mov r10,r5,lsr#16 + strb r9,[r0,#8+2] + mov r11,r5,lsr#24 + strb r10,[r0,#8+1] + strb r11,[r0,#8] +#endif + +#if __ARM_ARCH__>=7 && defined(__ARMEL__) + rev r6,r6 + str r6,[r0,#4] +#elif defined(__ARMEB__) + str r6,[r0,#4] +#else + mov r9,r6,lsr#8 + strb r6,[r0,#4+3] + mov r10,r6,lsr#16 + strb r9,[r0,#4+2] + mov r11,r6,lsr#24 + strb r10,[r0,#4+1] + strb r11,[r0,#4] +#endif + +#if __ARM_ARCH__>=7 && defined(__ARMEL__) + rev r7,r7 + str r7,[r0,#0] +#elif defined(__ARMEB__) + str r7,[r0,#0] +#else + mov r9,r7,lsr#8 + strb r7,[r0,#0+3] + mov r10,r7,lsr#16 + strb r9,[r0,#0+2] + mov 
r11,r7,lsr#24 + strb r10,[r0,#0+1] + strb r11,[r0,#0] +#endif + +#if __ARM_ARCH__>=5 + ldmia sp!,{r4-r11,pc} +#else + ldmia sp!,{r4-r11,lr} + tst lr,#1 + moveq pc,lr @ be binary compatible with V4, yet + .word 0xe12fff1e @ interoperable with Thumb ISA:-) +#endif +.size gcm_gmult_4bit,.-gcm_gmult_4bit +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) +.fpu neon + +.global gcm_gmult_neon +.type gcm_gmult_neon,%function +.align 4 +gcm_gmult_neon: + sub r1,#16 @ point at H in GCM128_CTX + vld1.64 d29,[r0,:64]!@ load Xi + vmov.i32 d5,#0xe1 @ our irreducible polynomial + vld1.64 d28,[r0,:64]! + vshr.u64 d5,#32 + vldmia r1,{d0-d1} @ load H + veor q12,q12 +#ifdef __ARMEL__ + vrev64.8 q14,q14 +#endif + veor q13,q13 + veor q11,q11 + mov r1,#16 + veor q10,q10 + mov r3,#16 + veor d2,d2 + vdup.8 d4,d28[0] @ broadcast lowest byte + b .Linner_neon +.size gcm_gmult_neon,.-gcm_gmult_neon + +.global gcm_ghash_neon +.type gcm_ghash_neon,%function +.align 4 +gcm_ghash_neon: + vld1.64 d21,[r0,:64]! @ load Xi + vmov.i32 d5,#0xe1 @ our irreducible polynomial + vld1.64 d20,[r0,:64]! + vshr.u64 d5,#32 + vldmia r0,{d0-d1} @ load H + veor q12,q12 + nop +#ifdef __ARMEL__ + vrev64.8 q10,q10 +#endif +.Louter_neon: + vld1.64 d29,[r2]! @ load inp + veor q13,q13 + vld1.64 d28,[r2]! 
+ veor q11,q11 + mov r1,#16 +#ifdef __ARMEL__ + vrev64.8 q14,q14 +#endif + veor d2,d2 + veor q14,q10 @ inp^=Xi + veor q10,q10 + vdup.8 d4,d28[0] @ broadcast lowest byte +.Linner_neon: + subs r1,r1,#1 + vmull.p8 q9,d1,d4 @ H.lo·Xi[i] + vmull.p8 q8,d0,d4 @ H.hi·Xi[i] + vext.8 q14,q12,#1 @ IN>>=8 + + veor q10,q13 @ modulo-scheduled part + vshl.i64 d22,#48 + vdup.8 d4,d28[0] @ broadcast lowest byte + veor d3,d18,d20 + + veor d21,d22 + vuzp.8 q9,q8 + vsli.8 d2,d3,#1 @ compose the "carry" byte + vext.8 q10,q12,#1 @ Z>>=8 + + vmull.p8 q11,d2,d5 @ "carry"·0xe1 + vshr.u8 d2,d3,#7 @ save Z's bottom bit + vext.8 q13,q9,q12,#1 @ Qlo>>=8 + veor q10,q8 + bne .Linner_neon + + veor q10,q13 @ modulo-scheduled artefact + vshl.i64 d22,#48 + veor d21,d22 + + @ finalization, normalize Z:Zo + vand d2,d5 @ suffices to mask the bit + vshr.u64 d3,d20,#63 + vshl.i64 q10,#1 + subs r3,#16 + vorr q10,q1 @ Z=Z:Zo<<1 + bne .Louter_neon + +#ifdef __ARMEL__ + vrev64.8 q10,q10 +#endif + sub r0,#16 + vst1.64 d21,[r0,:64]! @ write out Xi + vst1.64 d20,[r0,:64] + + .word 0xe12fff1e +.size gcm_ghash_neon,.-gcm_ghash_neon +#endif +.asciz "GHASH for ARMv4/NEON, CRYPTOGAMS by " +.align 2 +#if defined(HAVE_GNU_STACK) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/modes/ghash-masm-x86_64.S b/crypto/modes/ghash-masm-x86_64.S new file mode 100644 index 0000000..ffdc1b5 --- /dev/null +++ b/crypto/modes/ghash-masm-x86_64.S 
@@ -0,0 +1,1256 @@ +; 1 "crypto/modes/ghash-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/modes/ghash-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/modes/ghash-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' + +PUBLIC gcm_gmult_4bit + +ALIGN 16 +gcm_gmult_4bit PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_gcm_gmult_4bit:: + mov rdi,rcx + mov rsi,rdx + + + push rbx + push rbp + push r12 +$L$gmult_prologue:: + + movzx r8,BYTE PTR[15+rdi] + lea r11,QWORD PTR[$L$rem_4bit] + xor rax,rax + xor rbx,rbx + mov al,r8b + mov bl,r8b + shl al,4 + mov rcx,14 + mov r8,QWORD PTR[8+rax*1+rsi] + mov r9,QWORD PTR[rax*1+rsi] + and bl,0f0h + mov rdx,r8 + jmp $L$oop1 + +ALIGN 16 +$L$oop1:: + shr r8,4 + and rdx,0fh + mov r10,r9 + mov al,BYTE PTR[rcx*1+rdi] + shr r9,4 + xor r8,QWORD PTR[8+rbx*1+rsi] + shl r10,60 + xor r9,QWORD PTR[rbx*1+rsi] + mov bl,al + xor r9,QWORD PTR[rdx*8+r11] + mov rdx,r8 + shl al,4 + xor r8,r10 + dec rcx + js $L$break1 + + shr r8,4 + and rdx,0fh + mov r10,r9 + shr r9,4 + xor r8,QWORD PTR[8+rax*1+rsi] + shl r10,60 + xor r9,QWORD PTR[rax*1+rsi] + and bl,0f0h + xor r9,QWORD PTR[rdx*8+r11] + mov rdx,r8 + xor r8,r10 + jmp $L$oop1 + +ALIGN 16 +$L$break1:: + shr r8,4 + and rdx,0fh + mov r10,r9 + shr r9,4 + xor r8,QWORD PTR[8+rax*1+rsi] + shl r10,60 + xor r9,QWORD PTR[rax*1+rsi] + and bl,0f0h + xor r9,QWORD PTR[rdx*8+r11] + mov rdx,r8 + xor r8,r10 + + shr r8,4 + and rdx,0fh + mov r10,r9 + shr r9,4 + xor r8,QWORD PTR[8+rbx*1+rsi] + shl r10,60 + xor r9,QWORD PTR[rbx*1+rsi] + xor r8,r10 + xor r9,QWORD PTR[rdx*8+r11] + + bswap r8 + bswap r9 + mov QWORD PTR[8+rdi],r8 + mov QWORD PTR[rdi],r9 + + mov rbx,QWORD PTR[16+rsp] + lea rsp,QWORD PTR[24+rsp] +$L$gmult_epilogue:: + 
mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_gcm_gmult_4bit:: +gcm_gmult_4bit ENDP +PUBLIC gcm_ghash_4bit + +ALIGN 16 +gcm_ghash_4bit PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_gcm_ghash_4bit:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + + + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + sub rsp,280 +$L$ghash_prologue:: + mov r14,rdx + mov r15,rcx + sub rsi,-128 + lea rbp,QWORD PTR[((16+128))+rsp] + xor edx,edx + mov r8,QWORD PTR[((0+0-128))+rsi] + mov rax,QWORD PTR[((0+8-128))+rsi] + mov dl,al + shr rax,4 + mov r10,r8 + shr r8,4 + mov r9,QWORD PTR[((16+0-128))+rsi] + shl dl,4 + mov rbx,QWORD PTR[((16+8-128))+rsi] + shl r10,60 + mov BYTE PTR[rsp],dl + or rax,r10 + mov dl,bl + shr rbx,4 + mov r10,r9 + shr r9,4 + mov QWORD PTR[rbp],r8 + mov r8,QWORD PTR[((32+0-128))+rsi] + shl dl,4 + mov QWORD PTR[((0-128))+rbp],rax + mov rax,QWORD PTR[((32+8-128))+rsi] + shl r10,60 + mov BYTE PTR[1+rsp],dl + or rbx,r10 + mov dl,al + shr rax,4 + mov r10,r8 + shr r8,4 + mov QWORD PTR[8+rbp],r9 + mov r9,QWORD PTR[((48+0-128))+rsi] + shl dl,4 + mov QWORD PTR[((8-128))+rbp],rbx + mov rbx,QWORD PTR[((48+8-128))+rsi] + shl r10,60 + mov BYTE PTR[2+rsp],dl + or rax,r10 + mov dl,bl + shr rbx,4 + mov r10,r9 + shr r9,4 + mov QWORD PTR[16+rbp],r8 + mov r8,QWORD PTR[((64+0-128))+rsi] + shl dl,4 + mov QWORD PTR[((16-128))+rbp],rax + mov rax,QWORD PTR[((64+8-128))+rsi] + shl r10,60 + mov BYTE PTR[3+rsp],dl + or rbx,r10 + mov dl,al + shr rax,4 + mov r10,r8 + shr r8,4 + mov QWORD PTR[24+rbp],r9 + mov r9,QWORD PTR[((80+0-128))+rsi] + shl dl,4 + mov QWORD PTR[((24-128))+rbp],rbx + mov rbx,QWORD PTR[((80+8-128))+rsi] + shl r10,60 + mov BYTE PTR[4+rsp],dl + or rax,r10 + mov dl,bl + shr rbx,4 + mov r10,r9 + shr r9,4 + mov QWORD PTR[32+rbp],r8 + mov r8,QWORD PTR[((96+0-128))+rsi] + shl dl,4 + mov QWORD PTR[((32-128))+rbp],rax + mov rax,QWORD 
PTR[((96+8-128))+rsi] + shl r10,60 + mov BYTE PTR[5+rsp],dl + or rbx,r10 + mov dl,al + shr rax,4 + mov r10,r8 + shr r8,4 + mov QWORD PTR[40+rbp],r9 + mov r9,QWORD PTR[((112+0-128))+rsi] + shl dl,4 + mov QWORD PTR[((40-128))+rbp],rbx + mov rbx,QWORD PTR[((112+8-128))+rsi] + shl r10,60 + mov BYTE PTR[6+rsp],dl + or rax,r10 + mov dl,bl + shr rbx,4 + mov r10,r9 + shr r9,4 + mov QWORD PTR[48+rbp],r8 + mov r8,QWORD PTR[((128+0-128))+rsi] + shl dl,4 + mov QWORD PTR[((48-128))+rbp],rax + mov rax,QWORD PTR[((128+8-128))+rsi] + shl r10,60 + mov BYTE PTR[7+rsp],dl + or rbx,r10 + mov dl,al + shr rax,4 + mov r10,r8 + shr r8,4 + mov QWORD PTR[56+rbp],r9 + mov r9,QWORD PTR[((144+0-128))+rsi] + shl dl,4 + mov QWORD PTR[((56-128))+rbp],rbx + mov rbx,QWORD PTR[((144+8-128))+rsi] + shl r10,60 + mov BYTE PTR[8+rsp],dl + or rax,r10 + mov dl,bl + shr rbx,4 + mov r10,r9 + shr r9,4 + mov QWORD PTR[64+rbp],r8 + mov r8,QWORD PTR[((160+0-128))+rsi] + shl dl,4 + mov QWORD PTR[((64-128))+rbp],rax + mov rax,QWORD PTR[((160+8-128))+rsi] + shl r10,60 + mov BYTE PTR[9+rsp],dl + or rbx,r10 + mov dl,al + shr rax,4 + mov r10,r8 + shr r8,4 + mov QWORD PTR[72+rbp],r9 + mov r9,QWORD PTR[((176+0-128))+rsi] + shl dl,4 + mov QWORD PTR[((72-128))+rbp],rbx + mov rbx,QWORD PTR[((176+8-128))+rsi] + shl r10,60 + mov BYTE PTR[10+rsp],dl + or rax,r10 + mov dl,bl + shr rbx,4 + mov r10,r9 + shr r9,4 + mov QWORD PTR[80+rbp],r8 + mov r8,QWORD PTR[((192+0-128))+rsi] + shl dl,4 + mov QWORD PTR[((80-128))+rbp],rax + mov rax,QWORD PTR[((192+8-128))+rsi] + shl r10,60 + mov BYTE PTR[11+rsp],dl + or rbx,r10 + mov dl,al + shr rax,4 + mov r10,r8 + shr r8,4 + mov QWORD PTR[88+rbp],r9 + mov r9,QWORD PTR[((208+0-128))+rsi] + shl dl,4 + mov QWORD PTR[((88-128))+rbp],rbx + mov rbx,QWORD PTR[((208+8-128))+rsi] + shl r10,60 + mov BYTE PTR[12+rsp],dl + or rax,r10 + mov dl,bl + shr rbx,4 + mov r10,r9 + shr r9,4 + mov QWORD PTR[96+rbp],r8 + mov r8,QWORD PTR[((224+0-128))+rsi] + shl dl,4 + mov QWORD PTR[((96-128))+rbp],rax + mov 
rax,QWORD PTR[((224+8-128))+rsi] + shl r10,60 + mov BYTE PTR[13+rsp],dl + or rbx,r10 + mov dl,al + shr rax,4 + mov r10,r8 + shr r8,4 + mov QWORD PTR[104+rbp],r9 + mov r9,QWORD PTR[((240+0-128))+rsi] + shl dl,4 + mov QWORD PTR[((104-128))+rbp],rbx + mov rbx,QWORD PTR[((240+8-128))+rsi] + shl r10,60 + mov BYTE PTR[14+rsp],dl + or rax,r10 + mov dl,bl + shr rbx,4 + mov r10,r9 + shr r9,4 + mov QWORD PTR[112+rbp],r8 + shl dl,4 + mov QWORD PTR[((112-128))+rbp],rax + shl r10,60 + mov BYTE PTR[15+rsp],dl + or rbx,r10 + mov QWORD PTR[120+rbp],r9 + mov QWORD PTR[((120-128))+rbp],rbx + add rsi,-128 + mov r8,QWORD PTR[8+rdi] + mov r9,QWORD PTR[rdi] + add r15,r14 + lea r11,QWORD PTR[$L$rem_8bit] + jmp $L$outer_loop +ALIGN 16 +$L$outer_loop:: + xor r9,QWORD PTR[r14] + mov rdx,QWORD PTR[8+r14] + lea r14,QWORD PTR[16+r14] + xor rdx,r8 + mov QWORD PTR[rdi],r9 + mov QWORD PTR[8+rdi],rdx + shr rdx,32 + xor rax,rax + rol edx,8 + mov al,dl + movzx ebx,dl + shl al,4 + shr ebx,4 + rol edx,8 + mov r8,QWORD PTR[8+rax*1+rsi] + mov r9,QWORD PTR[rax*1+rsi] + mov al,dl + movzx ecx,dl + shl al,4 + movzx r12,BYTE PTR[rbx*1+rsp] + shr ecx,4 + xor r12,r8 + mov r10,r9 + shr r8,8 + movzx r12,r12b + shr r9,8 + xor r8,QWORD PTR[((-128))+rbx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rbx*8+rbp] + rol edx,8 + xor r8,QWORD PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + mov al,dl + xor r8,r10 + movzx r12,WORD PTR[r12*2+r11] + movzx ebx,dl + shl al,4 + movzx r13,BYTE PTR[rcx*1+rsp] + shr ebx,4 + shl r12,48 + xor r13,r8 + mov r10,r9 + xor r9,r12 + shr r8,8 + movzx r13,r13b + shr r9,8 + xor r8,QWORD PTR[((-128))+rcx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rcx*8+rbp] + rol edx,8 + xor r8,QWORD PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + mov al,dl + xor r8,r10 + movzx r13,WORD PTR[r13*2+r11] + movzx ecx,dl + shl al,4 + movzx r12,BYTE PTR[rbx*1+rsp] + shr ecx,4 + shl r13,48 + xor r12,r8 + mov r10,r9 + xor r9,r13 + shr r8,8 + movzx r12,r12b + mov edx,DWORD PTR[8+rdi] + shr r9,8 + xor r8,QWORD 
PTR[((-128))+rbx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rbx*8+rbp] + rol edx,8 + xor r8,QWORD PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + mov al,dl + xor r8,r10 + movzx r12,WORD PTR[r12*2+r11] + movzx ebx,dl + shl al,4 + movzx r13,BYTE PTR[rcx*1+rsp] + shr ebx,4 + shl r12,48 + xor r13,r8 + mov r10,r9 + xor r9,r12 + shr r8,8 + movzx r13,r13b + shr r9,8 + xor r8,QWORD PTR[((-128))+rcx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rcx*8+rbp] + rol edx,8 + xor r8,QWORD PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + mov al,dl + xor r8,r10 + movzx r13,WORD PTR[r13*2+r11] + movzx ecx,dl + shl al,4 + movzx r12,BYTE PTR[rbx*1+rsp] + shr ecx,4 + shl r13,48 + xor r12,r8 + mov r10,r9 + xor r9,r13 + shr r8,8 + movzx r12,r12b + shr r9,8 + xor r8,QWORD PTR[((-128))+rbx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rbx*8+rbp] + rol edx,8 + xor r8,QWORD PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + mov al,dl + xor r8,r10 + movzx r12,WORD PTR[r12*2+r11] + movzx ebx,dl + shl al,4 + movzx r13,BYTE PTR[rcx*1+rsp] + shr ebx,4 + shl r12,48 + xor r13,r8 + mov r10,r9 + xor r9,r12 + shr r8,8 + movzx r13,r13b + shr r9,8 + xor r8,QWORD PTR[((-128))+rcx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rcx*8+rbp] + rol edx,8 + xor r8,QWORD PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + mov al,dl + xor r8,r10 + movzx r13,WORD PTR[r13*2+r11] + movzx ecx,dl + shl al,4 + movzx r12,BYTE PTR[rbx*1+rsp] + shr ecx,4 + shl r13,48 + xor r12,r8 + mov r10,r9 + xor r9,r13 + shr r8,8 + movzx r12,r12b + mov edx,DWORD PTR[4+rdi] + shr r9,8 + xor r8,QWORD PTR[((-128))+rbx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rbx*8+rbp] + rol edx,8 + xor r8,QWORD PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + mov al,dl + xor r8,r10 + movzx r12,WORD PTR[r12*2+r11] + movzx ebx,dl + shl al,4 + movzx r13,BYTE PTR[rcx*1+rsp] + shr ebx,4 + shl r12,48 + xor r13,r8 + mov r10,r9 + xor r9,r12 + shr r8,8 + movzx r13,r13b + shr r9,8 + xor r8,QWORD PTR[((-128))+rcx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rcx*8+rbp] + rol edx,8 + xor r8,QWORD 
PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + mov al,dl + xor r8,r10 + movzx r13,WORD PTR[r13*2+r11] + movzx ecx,dl + shl al,4 + movzx r12,BYTE PTR[rbx*1+rsp] + shr ecx,4 + shl r13,48 + xor r12,r8 + mov r10,r9 + xor r9,r13 + shr r8,8 + movzx r12,r12b + shr r9,8 + xor r8,QWORD PTR[((-128))+rbx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rbx*8+rbp] + rol edx,8 + xor r8,QWORD PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + mov al,dl + xor r8,r10 + movzx r12,WORD PTR[r12*2+r11] + movzx ebx,dl + shl al,4 + movzx r13,BYTE PTR[rcx*1+rsp] + shr ebx,4 + shl r12,48 + xor r13,r8 + mov r10,r9 + xor r9,r12 + shr r8,8 + movzx r13,r13b + shr r9,8 + xor r8,QWORD PTR[((-128))+rcx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rcx*8+rbp] + rol edx,8 + xor r8,QWORD PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + mov al,dl + xor r8,r10 + movzx r13,WORD PTR[r13*2+r11] + movzx ecx,dl + shl al,4 + movzx r12,BYTE PTR[rbx*1+rsp] + shr ecx,4 + shl r13,48 + xor r12,r8 + mov r10,r9 + xor r9,r13 + shr r8,8 + movzx r12,r12b + mov edx,DWORD PTR[rdi] + shr r9,8 + xor r8,QWORD PTR[((-128))+rbx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rbx*8+rbp] + rol edx,8 + xor r8,QWORD PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + mov al,dl + xor r8,r10 + movzx r12,WORD PTR[r12*2+r11] + movzx ebx,dl + shl al,4 + movzx r13,BYTE PTR[rcx*1+rsp] + shr ebx,4 + shl r12,48 + xor r13,r8 + mov r10,r9 + xor r9,r12 + shr r8,8 + movzx r13,r13b + shr r9,8 + xor r8,QWORD PTR[((-128))+rcx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rcx*8+rbp] + rol edx,8 + xor r8,QWORD PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + mov al,dl + xor r8,r10 + movzx r13,WORD PTR[r13*2+r11] + movzx ecx,dl + shl al,4 + movzx r12,BYTE PTR[rbx*1+rsp] + shr ecx,4 + shl r13,48 + xor r12,r8 + mov r10,r9 + xor r9,r13 + shr r8,8 + movzx r12,r12b + shr r9,8 + xor r8,QWORD PTR[((-128))+rbx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rbx*8+rbp] + rol edx,8 + xor r8,QWORD PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + mov al,dl + xor r8,r10 + movzx r12,WORD PTR[r12*2+r11] 
+ movzx ebx,dl + shl al,4 + movzx r13,BYTE PTR[rcx*1+rsp] + shr ebx,4 + shl r12,48 + xor r13,r8 + mov r10,r9 + xor r9,r12 + shr r8,8 + movzx r13,r13b + shr r9,8 + xor r8,QWORD PTR[((-128))+rcx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rcx*8+rbp] + rol edx,8 + xor r8,QWORD PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + mov al,dl + xor r8,r10 + movzx r13,WORD PTR[r13*2+r11] + movzx ecx,dl + shl al,4 + movzx r12,BYTE PTR[rbx*1+rsp] + and ecx,240 + shl r13,48 + xor r12,r8 + mov r10,r9 + xor r9,r13 + shr r8,8 + movzx r12,r12b + mov edx,DWORD PTR[((-4))+rdi] + shr r9,8 + xor r8,QWORD PTR[((-128))+rbx*8+rbp] + shl r10,56 + xor r9,QWORD PTR[rbx*8+rbp] + movzx r12,WORD PTR[r12*2+r11] + xor r8,QWORD PTR[8+rax*1+rsi] + xor r9,QWORD PTR[rax*1+rsi] + shl r12,48 + xor r8,r10 + xor r9,r12 + movzx r13,r8b + shr r8,4 + mov r10,r9 + shl r13b,4 + shr r9,4 + xor r8,QWORD PTR[8+rcx*1+rsi] + movzx r13,WORD PTR[r13*2+r11] + shl r10,60 + xor r9,QWORD PTR[rcx*1+rsi] + xor r8,r10 + shl r13,48 + bswap r8 + xor r9,r13 + bswap r9 + cmp r14,r15 + jb $L$outer_loop + mov QWORD PTR[8+rdi],r8 + mov QWORD PTR[rdi],r9 + + lea rsi,QWORD PTR[280+rsp] + mov r15,QWORD PTR[rsi] + mov r14,QWORD PTR[8+rsi] + mov r13,QWORD PTR[16+rsi] + mov r12,QWORD PTR[24+rsi] + mov rbp,QWORD PTR[32+rsi] + mov rbx,QWORD PTR[40+rsi] + lea rsp,QWORD PTR[48+rsi] +$L$ghash_epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_gcm_ghash_4bit:: +gcm_ghash_4bit ENDP +PUBLIC gcm_init_clmul + +ALIGN 16 +gcm_init_clmul PROC PUBLIC + movdqu xmm2,XMMWORD PTR[rdx] + pshufd xmm2,xmm2,78 + + + pshufd xmm4,xmm2,255 + movdqa xmm3,xmm2 + psllq xmm2,1 + pxor xmm5,xmm5 + psrlq xmm3,63 + pcmpgtd xmm5,xmm4 + pslldq xmm3,8 + por xmm2,xmm3 + + + pand xmm5,XMMWORD PTR[$L$0x1c2_polynomial] + pxor xmm2,xmm5 + + + movdqa xmm0,xmm2 + movdqa xmm1,xmm0 + pshufd xmm3,xmm0,78 + pshufd xmm4,xmm2,78 + pxor xmm3,xmm0 + pxor xmm4,xmm2 +DB 102,15,58,68,194,0 +DB 102,15,58,68,202,17 +DB 
102,15,58,68,220,0 + pxor xmm3,xmm0 + pxor xmm3,xmm1 + + movdqa xmm4,xmm3 + psrldq xmm3,8 + pslldq xmm4,8 + pxor xmm1,xmm3 + pxor xmm0,xmm4 + + movdqa xmm3,xmm0 + psllq xmm0,1 + pxor xmm0,xmm3 + psllq xmm0,5 + pxor xmm0,xmm3 + psllq xmm0,57 + movdqa xmm4,xmm0 + pslldq xmm0,8 + psrldq xmm4,8 + pxor xmm0,xmm3 + pxor xmm1,xmm4 + + + movdqa xmm4,xmm0 + psrlq xmm0,5 + pxor xmm0,xmm4 + psrlq xmm0,1 + pxor xmm0,xmm4 + pxor xmm4,xmm1 + psrlq xmm0,1 + pxor xmm0,xmm4 + movdqu XMMWORD PTR[rcx],xmm2 + movdqu XMMWORD PTR[16+rcx],xmm0 + DB 0F3h,0C3h ;repret +gcm_init_clmul ENDP +PUBLIC gcm_gmult_clmul + +ALIGN 16 +gcm_gmult_clmul PROC PUBLIC + movdqu xmm0,XMMWORD PTR[rcx] + movdqa xmm5,XMMWORD PTR[$L$bswap_mask] + movdqu xmm2,XMMWORD PTR[rdx] +DB 102,15,56,0,197 + movdqa xmm1,xmm0 + pshufd xmm3,xmm0,78 + pshufd xmm4,xmm2,78 + pxor xmm3,xmm0 + pxor xmm4,xmm2 +DB 102,15,58,68,194,0 +DB 102,15,58,68,202,17 +DB 102,15,58,68,220,0 + pxor xmm3,xmm0 + pxor xmm3,xmm1 + + movdqa xmm4,xmm3 + psrldq xmm3,8 + pslldq xmm4,8 + pxor xmm1,xmm3 + pxor xmm0,xmm4 + + movdqa xmm3,xmm0 + psllq xmm0,1 + pxor xmm0,xmm3 + psllq xmm0,5 + pxor xmm0,xmm3 + psllq xmm0,57 + movdqa xmm4,xmm0 + pslldq xmm0,8 + psrldq xmm4,8 + pxor xmm0,xmm3 + pxor xmm1,xmm4 + + + movdqa xmm4,xmm0 + psrlq xmm0,5 + pxor xmm0,xmm4 + psrlq xmm0,1 + pxor xmm0,xmm4 + pxor xmm4,xmm1 + psrlq xmm0,1 + pxor xmm0,xmm4 +DB 102,15,56,0,197 + movdqu XMMWORD PTR[rcx],xmm0 + DB 0F3h,0C3h ;repret +gcm_gmult_clmul ENDP +PUBLIC gcm_ghash_clmul + +ALIGN 16 +gcm_ghash_clmul PROC PUBLIC +$L$SEH_begin_gcm_ghash_clmul:: + +DB 048h,083h,0ech,058h +DB 00fh,029h,034h,024h +DB 00fh,029h,07ch,024h,010h +DB 044h,00fh,029h,044h,024h,020h +DB 044h,00fh,029h,04ch,024h,030h +DB 044h,00fh,029h,054h,024h,040h + movdqa xmm5,XMMWORD PTR[$L$bswap_mask] + + movdqu xmm0,XMMWORD PTR[rcx] + movdqu xmm2,XMMWORD PTR[rdx] +DB 102,15,56,0,197 + + sub r9,010h + jz $L$odd_tail + + movdqu xmm8,XMMWORD PTR[16+rdx] + + + + + + movdqu xmm3,XMMWORD PTR[r8] + movdqu xmm6,XMMWORD 
PTR[16+r8] +DB 102,15,56,0,221 +DB 102,15,56,0,245 + pxor xmm0,xmm3 + movdqa xmm7,xmm6 + pshufd xmm3,xmm6,78 + pshufd xmm4,xmm2,78 + pxor xmm3,xmm6 + pxor xmm4,xmm2 +DB 102,15,58,68,242,0 +DB 102,15,58,68,250,17 +DB 102,15,58,68,220,0 + pxor xmm3,xmm6 + pxor xmm3,xmm7 + + movdqa xmm4,xmm3 + psrldq xmm3,8 + pslldq xmm4,8 + pxor xmm7,xmm3 + pxor xmm6,xmm4 + movdqa xmm1,xmm0 + pshufd xmm3,xmm0,78 + pshufd xmm4,xmm8,78 + pxor xmm3,xmm0 + pxor xmm4,xmm8 + + lea r8,QWORD PTR[32+r8] + sub r9,020h + jbe $L$even_tail + +$L$mod_loop:: +DB 102,65,15,58,68,192,0 +DB 102,65,15,58,68,200,17 +DB 102,15,58,68,220,0 + pxor xmm3,xmm0 + pxor xmm3,xmm1 + + movdqa xmm4,xmm3 + psrldq xmm3,8 + pslldq xmm4,8 + pxor xmm1,xmm3 + pxor xmm0,xmm4 + movdqu xmm3,XMMWORD PTR[r8] + pxor xmm0,xmm6 + pxor xmm1,xmm7 + + movdqu xmm6,XMMWORD PTR[16+r8] +DB 102,15,56,0,221 +DB 102,15,56,0,245 + + movdqa xmm7,xmm6 + pshufd xmm9,xmm6,78 + pshufd xmm10,xmm2,78 + pxor xmm9,xmm6 + pxor xmm10,xmm2 + pxor xmm1,xmm3 + + movdqa xmm3,xmm0 + psllq xmm0,1 + pxor xmm0,xmm3 + psllq xmm0,5 + pxor xmm0,xmm3 +DB 102,15,58,68,242,0 + psllq xmm0,57 + movdqa xmm4,xmm0 + pslldq xmm0,8 + psrldq xmm4,8 + pxor xmm0,xmm3 + pxor xmm1,xmm4 + +DB 102,15,58,68,250,17 + movdqa xmm4,xmm0 + psrlq xmm0,5 + pxor xmm0,xmm4 + psrlq xmm0,1 + pxor xmm0,xmm4 + pxor xmm4,xmm1 + psrlq xmm0,1 + pxor xmm0,xmm4 + +DB 102,69,15,58,68,202,0 + movdqa xmm1,xmm0 + pshufd xmm3,xmm0,78 + pshufd xmm4,xmm8,78 + pxor xmm3,xmm0 + pxor xmm4,xmm8 + + pxor xmm9,xmm6 + pxor xmm9,xmm7 + movdqa xmm10,xmm9 + psrldq xmm9,8 + pslldq xmm10,8 + pxor xmm7,xmm9 + pxor xmm6,xmm10 + + lea r8,QWORD PTR[32+r8] + sub r9,020h + ja $L$mod_loop + +$L$even_tail:: +DB 102,65,15,58,68,192,0 +DB 102,65,15,58,68,200,17 +DB 102,15,58,68,220,0 + pxor xmm3,xmm0 + pxor xmm3,xmm1 + + movdqa xmm4,xmm3 + psrldq xmm3,8 + pslldq xmm4,8 + pxor xmm1,xmm3 + pxor xmm0,xmm4 + pxor xmm0,xmm6 + pxor xmm1,xmm7 + + movdqa xmm3,xmm0 + psllq xmm0,1 + pxor xmm0,xmm3 + psllq xmm0,5 + pxor xmm0,xmm3 + 
psllq xmm0,57 + movdqa xmm4,xmm0 + pslldq xmm0,8 + psrldq xmm4,8 + pxor xmm0,xmm3 + pxor xmm1,xmm4 + + + movdqa xmm4,xmm0 + psrlq xmm0,5 + pxor xmm0,xmm4 + psrlq xmm0,1 + pxor xmm0,xmm4 + pxor xmm4,xmm1 + psrlq xmm0,1 + pxor xmm0,xmm4 + test r9,r9 + jnz $L$done + +$L$odd_tail:: + movdqu xmm3,XMMWORD PTR[r8] +DB 102,15,56,0,221 + pxor xmm0,xmm3 + movdqa xmm1,xmm0 + pshufd xmm3,xmm0,78 + pshufd xmm4,xmm2,78 + pxor xmm3,xmm0 + pxor xmm4,xmm2 +DB 102,15,58,68,194,0 +DB 102,15,58,68,202,17 +DB 102,15,58,68,220,0 + pxor xmm3,xmm0 + pxor xmm3,xmm1 + + movdqa xmm4,xmm3 + psrldq xmm3,8 + pslldq xmm4,8 + pxor xmm1,xmm3 + pxor xmm0,xmm4 + + movdqa xmm3,xmm0 + psllq xmm0,1 + pxor xmm0,xmm3 + psllq xmm0,5 + pxor xmm0,xmm3 + psllq xmm0,57 + movdqa xmm4,xmm0 + pslldq xmm0,8 + psrldq xmm4,8 + pxor xmm0,xmm3 + pxor xmm1,xmm4 + + + movdqa xmm4,xmm0 + psrlq xmm0,5 + pxor xmm0,xmm4 + psrlq xmm0,1 + pxor xmm0,xmm4 + pxor xmm4,xmm1 + psrlq xmm0,1 + pxor xmm0,xmm4 +$L$done:: +DB 102,15,56,0,197 + movdqu XMMWORD PTR[rcx],xmm0 + movaps xmm6,XMMWORD PTR[rsp] + movaps xmm7,XMMWORD PTR[16+rsp] + movaps xmm8,XMMWORD PTR[32+rsp] + movaps xmm9,XMMWORD PTR[48+rsp] + movaps xmm10,XMMWORD PTR[64+rsp] + add rsp,058h + DB 0F3h,0C3h ;repret +$L$SEH_end_gcm_ghash_clmul:: +gcm_ghash_clmul ENDP +ALIGN 64 +$L$bswap_mask:: +DB 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 +$L$0x1c2_polynomial:: +DB 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0c2h +ALIGN 64 + +$L$rem_4bit:: + DD 0,0,0,471859200,0,943718400,0,610271232 + DD 0,1887436800,0,1822425088,0,1220542464,0,1423966208 + DD 0,3774873600,0,4246732800,0,3644850176,0,3311403008 + DD 0,2441084928,0,2376073216,0,2847932416,0,3051356160 + +$L$rem_8bit:: + DW 00000h,001C2h,00384h,00246h,00708h,006CAh,0048Ch,0054Eh + DW 00E10h,00FD2h,00D94h,00C56h,00918h,008DAh,00A9Ch,00B5Eh + DW 01C20h,01DE2h,01FA4h,01E66h,01B28h,01AEAh,018ACh,0196Eh + DW 01230h,013F2h,011B4h,01076h,01538h,014FAh,016BCh,0177Eh + DW 03840h,03982h,03BC4h,03A06h,03F48h,03E8Ah,03CCCh,03D0Eh + DW 
03650h,03792h,035D4h,03416h,03158h,0309Ah,032DCh,0331Eh + DW 02460h,025A2h,027E4h,02626h,02368h,022AAh,020ECh,0212Eh + DW 02A70h,02BB2h,029F4h,02836h,02D78h,02CBAh,02EFCh,02F3Eh + DW 07080h,07142h,07304h,072C6h,07788h,0764Ah,0740Ch,075CEh + DW 07E90h,07F52h,07D14h,07CD6h,07998h,0785Ah,07A1Ch,07BDEh + DW 06CA0h,06D62h,06F24h,06EE6h,06BA8h,06A6Ah,0682Ch,069EEh + DW 062B0h,06372h,06134h,060F6h,065B8h,0647Ah,0663Ch,067FEh + DW 048C0h,04902h,04B44h,04A86h,04FC8h,04E0Ah,04C4Ch,04D8Eh + DW 046D0h,04712h,04554h,04496h,041D8h,0401Ah,0425Ch,0439Eh + DW 054E0h,05522h,05764h,056A6h,053E8h,0522Ah,0506Ch,051AEh + DW 05AF0h,05B32h,05974h,058B6h,05DF8h,05C3Ah,05E7Ch,05FBEh + DW 0E100h,0E0C2h,0E284h,0E346h,0E608h,0E7CAh,0E58Ch,0E44Eh + DW 0EF10h,0EED2h,0EC94h,0ED56h,0E818h,0E9DAh,0EB9Ch,0EA5Eh + DW 0FD20h,0FCE2h,0FEA4h,0FF66h,0FA28h,0FBEAh,0F9ACh,0F86Eh + DW 0F330h,0F2F2h,0F0B4h,0F176h,0F438h,0F5FAh,0F7BCh,0F67Eh + DW 0D940h,0D882h,0DAC4h,0DB06h,0DE48h,0DF8Ah,0DDCCh,0DC0Eh + DW 0D750h,0D692h,0D4D4h,0D516h,0D058h,0D19Ah,0D3DCh,0D21Eh + DW 0C560h,0C4A2h,0C6E4h,0C726h,0C268h,0C3AAh,0C1ECh,0C02Eh + DW 0CB70h,0CAB2h,0C8F4h,0C936h,0CC78h,0CDBAh,0CFFCh,0CE3Eh + DW 09180h,09042h,09204h,093C6h,09688h,0974Ah,0950Ch,094CEh + DW 09F90h,09E52h,09C14h,09DD6h,09898h,0995Ah,09B1Ch,09ADEh + DW 08DA0h,08C62h,08E24h,08FE6h,08AA8h,08B6Ah,0892Ch,088EEh + DW 083B0h,08272h,08034h,081F6h,084B8h,0857Ah,0873Ch,086FEh + DW 0A9C0h,0A802h,0AA44h,0AB86h,0AEC8h,0AF0Ah,0AD4Ch,0AC8Eh + DW 0A7D0h,0A612h,0A454h,0A596h,0A0D8h,0A11Ah,0A35Ch,0A29Eh + DW 0B5E0h,0B422h,0B664h,0B7A6h,0B2E8h,0B32Ah,0B16Ch,0B0AEh + DW 0BBF0h,0BA32h,0B874h,0B9B6h,0BCF8h,0BD3Ah,0BF7Ch,0BEBEh + +DB 71,72,65,83,72,32,102,111,114,32,120,56,54,95,54,52 +DB 44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32 +DB 60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111 +DB 114,103,62,0 +ALIGN 64 +EXTERN __imp_RtlVirtualUnwind:NEAR + +ALIGN 16 +se_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + 
push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[120+r8] + mov rbx,QWORD PTR[248+r8] + + mov rsi,QWORD PTR[8+r9] + mov r11,QWORD PTR[56+r9] + + mov r10d,DWORD PTR[r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jb $L$in_prologue + + mov rax,QWORD PTR[152+r8] + + mov r10d,DWORD PTR[4+r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jae $L$in_prologue + + lea rax,QWORD PTR[24+rax] + + mov rbx,QWORD PTR[((-8))+rax] + mov rbp,QWORD PTR[((-16))+rax] + mov r12,QWORD PTR[((-24))+rax] + mov QWORD PTR[144+r8],rbx + mov QWORD PTR[160+r8],rbp + mov QWORD PTR[216+r8],r12 + +$L$in_prologue:: + mov rdi,QWORD PTR[8+rax] + mov rsi,QWORD PTR[16+rax] + mov QWORD PTR[152+r8],rax + mov QWORD PTR[168+r8],rsi + mov QWORD PTR[176+r8],rdi + + mov rdi,QWORD PTR[40+r9] + mov rsi,r8 + mov ecx,154 + DD 0a548f3fch + + mov rsi,r9 + xor rcx,rcx + mov rdx,QWORD PTR[8+rsi] + mov r8,QWORD PTR[rsi] + mov r9,QWORD PTR[16+rsi] + mov r10,QWORD PTR[40+rsi] + lea r11,QWORD PTR[56+rsi] + lea r12,QWORD PTR[24+rsi] + mov QWORD PTR[32+rsp],r10 + mov QWORD PTR[40+rsp],r11 + mov QWORD PTR[48+rsp],r12 + mov QWORD PTR[56+rsp],rcx + call QWORD PTR[__imp_RtlVirtualUnwind] + + mov eax,1 + add rsp,64 + popfq + pop r15 + pop r14 + pop r13 + pop r12 + pop rbp + pop rbx + pop rdi + pop rsi + DB 0F3h,0C3h ;repret +se_handler ENDP + +.text$ ENDS +.pdata SEGMENT READONLY ALIGN(4) +ALIGN 4 + DD imagerel $L$SEH_begin_gcm_gmult_4bit + DD imagerel $L$SEH_end_gcm_gmult_4bit + DD imagerel $L$SEH_info_gcm_gmult_4bit + + DD imagerel $L$SEH_begin_gcm_ghash_4bit + DD imagerel $L$SEH_end_gcm_ghash_4bit + DD imagerel $L$SEH_info_gcm_ghash_4bit + + DD imagerel $L$SEH_begin_gcm_ghash_clmul + DD imagerel $L$SEH_end_gcm_ghash_clmul + DD imagerel $L$SEH_info_gcm_ghash_clmul + +.pdata ENDS +.xdata SEGMENT READONLY ALIGN(8) +ALIGN 8 +$L$SEH_info_gcm_gmult_4bit:: +DB 9,0,0,0 + DD imagerel se_handler + DD imagerel $L$gmult_prologue,imagerel $L$gmult_epilogue +$L$SEH_info_gcm_ghash_4bit:: +DB 9,0,0,0 + DD imagerel se_handler + DD 
imagerel $L$ghash_prologue,imagerel $L$ghash_epilogue +$L$SEH_info_gcm_ghash_clmul:: +DB 001h,01fh,00bh,000h +DB 01fh,0a8h,004h,000h +DB 019h,098h,003h,000h +DB 013h,088h,002h,000h +DB 00dh,078h,001h,000h +DB 008h,068h,000h,000h +DB 004h,0a2h,000h,000h + +.xdata ENDS +END + diff --git a/crypto/modes/ghash-mingw64-x86_64.S b/crypto/modes/ghash-mingw64-x86_64.S new file mode 100644 index 0000000..cd0823b --- /dev/null +++ b/crypto/modes/ghash-mingw64-x86_64.S 
@@ -0,0 +1,1175 @@ +#include "x86_arch.h" +.text + +.globl gcm_gmult_4bit +.def gcm_gmult_4bit; .scl 2; .type 32; .endef +.p2align 4 +gcm_gmult_4bit: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_gcm_gmult_4bit: + movq %rcx,%rdi + movq %rdx,%rsi + + pushq %rbx + pushq %rbp + pushq %r12 +.Lgmult_prologue: + + movzbq 15(%rdi),%r8 + leaq .Lrem_4bit(%rip),%r11 + xorq %rax,%rax + xorq %rbx,%rbx + movb %r8b,%al + movb %r8b,%bl + shlb $4,%al + movq $14,%rcx + movq 8(%rsi,%rax,1),%r8 + movq (%rsi,%rax,1),%r9 + andb $240,%bl + movq %r8,%rdx + jmp .Loop1 + +.p2align 4 +.Loop1: + shrq $4,%r8 + andq $15,%rdx + movq %r9,%r10 + movb (%rdi,%rcx,1),%al + shrq $4,%r9 + xorq 8(%rsi,%rbx,1),%r8 + shlq $60,%r10 + xorq (%rsi,%rbx,1),%r9 + movb %al,%bl + xorq (%r11,%rdx,8),%r9 + movq %r8,%rdx + shlb $4,%al + xorq %r10,%r8 + decq %rcx + js .Lbreak1 + + shrq $4,%r8 + andq $15,%rdx + movq %r9,%r10 + shrq $4,%r9 + xorq 8(%rsi,%rax,1),%r8 + shlq $60,%r10 + xorq (%rsi,%rax,1),%r9 + andb $240,%bl + xorq (%r11,%rdx,8),%r9 + movq %r8,%rdx + xorq %r10,%r8 + jmp .Loop1 + +.p2align 4 +.Lbreak1: + shrq $4,%r8 + andq $15,%rdx + movq %r9,%r10 + shrq $4,%r9 + xorq 8(%rsi,%rax,1),%r8 + shlq $60,%r10 + xorq (%rsi,%rax,1),%r9 + andb $240,%bl + xorq (%r11,%rdx,8),%r9 + movq %r8,%rdx + xorq %r10,%r8 + + shrq $4,%r8 + andq $15,%rdx + movq %r9,%r10 + shrq $4,%r9 + xorq 8(%rsi,%rbx,1),%r8 + shlq $60,%r10 + xorq (%rsi,%rbx,1),%r9 + xorq %r10,%r8 + xorq (%r11,%rdx,8),%r9 + + bswapq %r8 + bswapq %r9 + movq %r8,8(%rdi) + movq %r9,(%rdi) + + movq 16(%rsp),%rbx + leaq 24(%rsp),%rsp +.Lgmult_epilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_gcm_gmult_4bit: +.globl gcm_ghash_4bit +.def gcm_ghash_4bit; .scl 2; .type 32; .endef +.p2align 4 +gcm_ghash_4bit: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_gcm_ghash_4bit: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + 
pushq %r15 + subq $280,%rsp +.Lghash_prologue: + movq %rdx,%r14 + movq %rcx,%r15 + subq $-128,%rsi + leaq 16+128(%rsp),%rbp + xorl %edx,%edx + movq 0+0-128(%rsi),%r8 + movq 0+8-128(%rsi),%rax + movb %al,%dl + shrq $4,%rax + movq %r8,%r10 + shrq $4,%r8 + movq 16+0-128(%rsi),%r9 + shlb $4,%dl + movq 16+8-128(%rsi),%rbx + shlq $60,%r10 + movb %dl,0(%rsp) + orq %r10,%rax + movb %bl,%dl + shrq $4,%rbx + movq %r9,%r10 + shrq $4,%r9 + movq %r8,0(%rbp) + movq 32+0-128(%rsi),%r8 + shlb $4,%dl + movq %rax,0-128(%rbp) + movq 32+8-128(%rsi),%rax + shlq $60,%r10 + movb %dl,1(%rsp) + orq %r10,%rbx + movb %al,%dl + shrq $4,%rax + movq %r8,%r10 + shrq $4,%r8 + movq %r9,8(%rbp) + movq 48+0-128(%rsi),%r9 + shlb $4,%dl + movq %rbx,8-128(%rbp) + movq 48+8-128(%rsi),%rbx + shlq $60,%r10 + movb %dl,2(%rsp) + orq %r10,%rax + movb %bl,%dl + shrq $4,%rbx + movq %r9,%r10 + shrq $4,%r9 + movq %r8,16(%rbp) + movq 64+0-128(%rsi),%r8 + shlb $4,%dl + movq %rax,16-128(%rbp) + movq 64+8-128(%rsi),%rax + shlq $60,%r10 + movb %dl,3(%rsp) + orq %r10,%rbx + movb %al,%dl + shrq $4,%rax + movq %r8,%r10 + shrq $4,%r8 + movq %r9,24(%rbp) + movq 80+0-128(%rsi),%r9 + shlb $4,%dl + movq %rbx,24-128(%rbp) + movq 80+8-128(%rsi),%rbx + shlq $60,%r10 + movb %dl,4(%rsp) + orq %r10,%rax + movb %bl,%dl + shrq $4,%rbx + movq %r9,%r10 + shrq $4,%r9 + movq %r8,32(%rbp) + movq 96+0-128(%rsi),%r8 + shlb $4,%dl + movq %rax,32-128(%rbp) + movq 96+8-128(%rsi),%rax + shlq $60,%r10 + movb %dl,5(%rsp) + orq %r10,%rbx + movb %al,%dl + shrq $4,%rax + movq %r8,%r10 + shrq $4,%r8 + movq %r9,40(%rbp) + movq 112+0-128(%rsi),%r9 + shlb $4,%dl + movq %rbx,40-128(%rbp) + movq 112+8-128(%rsi),%rbx + shlq $60,%r10 + movb %dl,6(%rsp) + orq %r10,%rax + movb %bl,%dl + shrq $4,%rbx + movq %r9,%r10 + shrq $4,%r9 + movq %r8,48(%rbp) + movq 128+0-128(%rsi),%r8 + shlb $4,%dl + movq %rax,48-128(%rbp) + movq 128+8-128(%rsi),%rax + shlq $60,%r10 + movb %dl,7(%rsp) + orq %r10,%rbx + movb %al,%dl + shrq $4,%rax + movq %r8,%r10 + shrq $4,%r8 + movq 
%r9,56(%rbp) + movq 144+0-128(%rsi),%r9 + shlb $4,%dl + movq %rbx,56-128(%rbp) + movq 144+8-128(%rsi),%rbx + shlq $60,%r10 + movb %dl,8(%rsp) + orq %r10,%rax + movb %bl,%dl + shrq $4,%rbx + movq %r9,%r10 + shrq $4,%r9 + movq %r8,64(%rbp) + movq 160+0-128(%rsi),%r8 + shlb $4,%dl + movq %rax,64-128(%rbp) + movq 160+8-128(%rsi),%rax + shlq $60,%r10 + movb %dl,9(%rsp) + orq %r10,%rbx + movb %al,%dl + shrq $4,%rax + movq %r8,%r10 + shrq $4,%r8 + movq %r9,72(%rbp) + movq 176+0-128(%rsi),%r9 + shlb $4,%dl + movq %rbx,72-128(%rbp) + movq 176+8-128(%rsi),%rbx + shlq $60,%r10 + movb %dl,10(%rsp) + orq %r10,%rax + movb %bl,%dl + shrq $4,%rbx + movq %r9,%r10 + shrq $4,%r9 + movq %r8,80(%rbp) + movq 192+0-128(%rsi),%r8 + shlb $4,%dl + movq %rax,80-128(%rbp) + movq 192+8-128(%rsi),%rax + shlq $60,%r10 + movb %dl,11(%rsp) + orq %r10,%rbx + movb %al,%dl + shrq $4,%rax + movq %r8,%r10 + shrq $4,%r8 + movq %r9,88(%rbp) + movq 208+0-128(%rsi),%r9 + shlb $4,%dl + movq %rbx,88-128(%rbp) + movq 208+8-128(%rsi),%rbx + shlq $60,%r10 + movb %dl,12(%rsp) + orq %r10,%rax + movb %bl,%dl + shrq $4,%rbx + movq %r9,%r10 + shrq $4,%r9 + movq %r8,96(%rbp) + movq 224+0-128(%rsi),%r8 + shlb $4,%dl + movq %rax,96-128(%rbp) + movq 224+8-128(%rsi),%rax + shlq $60,%r10 + movb %dl,13(%rsp) + orq %r10,%rbx + movb %al,%dl + shrq $4,%rax + movq %r8,%r10 + shrq $4,%r8 + movq %r9,104(%rbp) + movq 240+0-128(%rsi),%r9 + shlb $4,%dl + movq %rbx,104-128(%rbp) + movq 240+8-128(%rsi),%rbx + shlq $60,%r10 + movb %dl,14(%rsp) + orq %r10,%rax + movb %bl,%dl + shrq $4,%rbx + movq %r9,%r10 + shrq $4,%r9 + movq %r8,112(%rbp) + shlb $4,%dl + movq %rax,112-128(%rbp) + shlq $60,%r10 + movb %dl,15(%rsp) + orq %r10,%rbx + movq %r9,120(%rbp) + movq %rbx,120-128(%rbp) + addq $-128,%rsi + movq 8(%rdi),%r8 + movq 0(%rdi),%r9 + addq %r14,%r15 + leaq .Lrem_8bit(%rip),%r11 + jmp .Louter_loop +.p2align 4 +.Louter_loop: + xorq (%r14),%r9 + movq 8(%r14),%rdx + leaq 16(%r14),%r14 + xorq %r8,%rdx + movq %r9,(%rdi) + movq %rdx,8(%rdi) + 
shrq $32,%rdx + xorq %rax,%rax + roll $8,%edx + movb %dl,%al + movzbl %dl,%ebx + shlb $4,%al + shrl $4,%ebx + roll $8,%edx + movq 8(%rsi,%rax,1),%r8 + movq (%rsi,%rax,1),%r9 + movb %dl,%al + movzbl %dl,%ecx + shlb $4,%al + movzbq (%rsp,%rbx,1),%r12 + shrl $4,%ecx + xorq %r8,%r12 + movq %r9,%r10 + shrq $8,%r8 + movzbq %r12b,%r12 + shrq $8,%r9 + xorq -128(%rbp,%rbx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rbx,8),%r9 + roll $8,%edx + xorq 8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + movb %dl,%al + xorq %r10,%r8 + movzwq (%r11,%r12,2),%r12 + movzbl %dl,%ebx + shlb $4,%al + movzbq (%rsp,%rcx,1),%r13 + shrl $4,%ebx + shlq $48,%r12 + xorq %r8,%r13 + movq %r9,%r10 + xorq %r12,%r9 + shrq $8,%r8 + movzbq %r13b,%r13 + shrq $8,%r9 + xorq -128(%rbp,%rcx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rcx,8),%r9 + roll $8,%edx + xorq 8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + movb %dl,%al + xorq %r10,%r8 + movzwq (%r11,%r13,2),%r13 + movzbl %dl,%ecx + shlb $4,%al + movzbq (%rsp,%rbx,1),%r12 + shrl $4,%ecx + shlq $48,%r13 + xorq %r8,%r12 + movq %r9,%r10 + xorq %r13,%r9 + shrq $8,%r8 + movzbq %r12b,%r12 + movl 8(%rdi),%edx + shrq $8,%r9 + xorq -128(%rbp,%rbx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rbx,8),%r9 + roll $8,%edx + xorq 8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + movb %dl,%al + xorq %r10,%r8 + movzwq (%r11,%r12,2),%r12 + movzbl %dl,%ebx + shlb $4,%al + movzbq (%rsp,%rcx,1),%r13 + shrl $4,%ebx + shlq $48,%r12 + xorq %r8,%r13 + movq %r9,%r10 + xorq %r12,%r9 + shrq $8,%r8 + movzbq %r13b,%r13 + shrq $8,%r9 + xorq -128(%rbp,%rcx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rcx,8),%r9 + roll $8,%edx + xorq 8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + movb %dl,%al + xorq %r10,%r8 + movzwq (%r11,%r13,2),%r13 + movzbl %dl,%ecx + shlb $4,%al + movzbq (%rsp,%rbx,1),%r12 + shrl $4,%ecx + shlq $48,%r13 + xorq %r8,%r12 + movq %r9,%r10 + xorq %r13,%r9 + shrq $8,%r8 + movzbq %r12b,%r12 + shrq $8,%r9 + xorq -128(%rbp,%rbx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rbx,8),%r9 + roll $8,%edx + xorq 
8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + movb %dl,%al + xorq %r10,%r8 + movzwq (%r11,%r12,2),%r12 + movzbl %dl,%ebx + shlb $4,%al + movzbq (%rsp,%rcx,1),%r13 + shrl $4,%ebx + shlq $48,%r12 + xorq %r8,%r13 + movq %r9,%r10 + xorq %r12,%r9 + shrq $8,%r8 + movzbq %r13b,%r13 + shrq $8,%r9 + xorq -128(%rbp,%rcx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rcx,8),%r9 + roll $8,%edx + xorq 8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + movb %dl,%al + xorq %r10,%r8 + movzwq (%r11,%r13,2),%r13 + movzbl %dl,%ecx + shlb $4,%al + movzbq (%rsp,%rbx,1),%r12 + shrl $4,%ecx + shlq $48,%r13 + xorq %r8,%r12 + movq %r9,%r10 + xorq %r13,%r9 + shrq $8,%r8 + movzbq %r12b,%r12 + movl 4(%rdi),%edx + shrq $8,%r9 + xorq -128(%rbp,%rbx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rbx,8),%r9 + roll $8,%edx + xorq 8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + movb %dl,%al + xorq %r10,%r8 + movzwq (%r11,%r12,2),%r12 + movzbl %dl,%ebx + shlb $4,%al + movzbq (%rsp,%rcx,1),%r13 + shrl $4,%ebx + shlq $48,%r12 + xorq %r8,%r13 + movq %r9,%r10 + xorq %r12,%r9 + shrq $8,%r8 + movzbq %r13b,%r13 + shrq $8,%r9 + xorq -128(%rbp,%rcx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rcx,8),%r9 + roll $8,%edx + xorq 8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + movb %dl,%al + xorq %r10,%r8 + movzwq (%r11,%r13,2),%r13 + movzbl %dl,%ecx + shlb $4,%al + movzbq (%rsp,%rbx,1),%r12 + shrl $4,%ecx + shlq $48,%r13 + xorq %r8,%r12 + movq %r9,%r10 + xorq %r13,%r9 + shrq $8,%r8 + movzbq %r12b,%r12 + shrq $8,%r9 + xorq -128(%rbp,%rbx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rbx,8),%r9 + roll $8,%edx + xorq 8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + movb %dl,%al + xorq %r10,%r8 + movzwq (%r11,%r12,2),%r12 + movzbl %dl,%ebx + shlb $4,%al + movzbq (%rsp,%rcx,1),%r13 + shrl $4,%ebx + shlq $48,%r12 + xorq %r8,%r13 + movq %r9,%r10 + xorq %r12,%r9 + shrq $8,%r8 + movzbq %r13b,%r13 + shrq $8,%r9 + xorq -128(%rbp,%rcx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rcx,8),%r9 + roll $8,%edx + xorq 8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + movb %dl,%al + xorq 
%r10,%r8 + movzwq (%r11,%r13,2),%r13 + movzbl %dl,%ecx + shlb $4,%al + movzbq (%rsp,%rbx,1),%r12 + shrl $4,%ecx + shlq $48,%r13 + xorq %r8,%r12 + movq %r9,%r10 + xorq %r13,%r9 + shrq $8,%r8 + movzbq %r12b,%r12 + movl 0(%rdi),%edx + shrq $8,%r9 + xorq -128(%rbp,%rbx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rbx,8),%r9 + roll $8,%edx + xorq 8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + movb %dl,%al + xorq %r10,%r8 + movzwq (%r11,%r12,2),%r12 + movzbl %dl,%ebx + shlb $4,%al + movzbq (%rsp,%rcx,1),%r13 + shrl $4,%ebx + shlq $48,%r12 + xorq %r8,%r13 + movq %r9,%r10 + xorq %r12,%r9 + shrq $8,%r8 + movzbq %r13b,%r13 + shrq $8,%r9 + xorq -128(%rbp,%rcx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rcx,8),%r9 + roll $8,%edx + xorq 8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + movb %dl,%al + xorq %r10,%r8 + movzwq (%r11,%r13,2),%r13 + movzbl %dl,%ecx + shlb $4,%al + movzbq (%rsp,%rbx,1),%r12 + shrl $4,%ecx + shlq $48,%r13 + xorq %r8,%r12 + movq %r9,%r10 + xorq %r13,%r9 + shrq $8,%r8 + movzbq %r12b,%r12 + shrq $8,%r9 + xorq -128(%rbp,%rbx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rbx,8),%r9 + roll $8,%edx + xorq 8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + movb %dl,%al + xorq %r10,%r8 + movzwq (%r11,%r12,2),%r12 + movzbl %dl,%ebx + shlb $4,%al + movzbq (%rsp,%rcx,1),%r13 + shrl $4,%ebx + shlq $48,%r12 + xorq %r8,%r13 + movq %r9,%r10 + xorq %r12,%r9 + shrq $8,%r8 + movzbq %r13b,%r13 + shrq $8,%r9 + xorq -128(%rbp,%rcx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rcx,8),%r9 + roll $8,%edx + xorq 8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + movb %dl,%al + xorq %r10,%r8 + movzwq (%r11,%r13,2),%r13 + movzbl %dl,%ecx + shlb $4,%al + movzbq (%rsp,%rbx,1),%r12 + andl $240,%ecx + shlq $48,%r13 + xorq %r8,%r12 + movq %r9,%r10 + xorq %r13,%r9 + shrq $8,%r8 + movzbq %r12b,%r12 + movl -4(%rdi),%edx + shrq $8,%r9 + xorq -128(%rbp,%rbx,8),%r8 + shlq $56,%r10 + xorq (%rbp,%rbx,8),%r9 + movzwq (%r11,%r12,2),%r12 + xorq 8(%rsi,%rax,1),%r8 + xorq (%rsi,%rax,1),%r9 + shlq $48,%r12 + xorq %r10,%r8 + xorq %r12,%r9 + 
movzbq %r8b,%r13 + shrq $4,%r8 + movq %r9,%r10 + shlb $4,%r13b + shrq $4,%r9 + xorq 8(%rsi,%rcx,1),%r8 + movzwq (%r11,%r13,2),%r13 + shlq $60,%r10 + xorq (%rsi,%rcx,1),%r9 + xorq %r10,%r8 + shlq $48,%r13 + bswapq %r8 + xorq %r13,%r9 + bswapq %r9 + cmpq %r15,%r14 + jb .Louter_loop + movq %r8,8(%rdi) + movq %r9,(%rdi) + + leaq 280(%rsp),%rsi + movq 0(%rsi),%r15 + movq 8(%rsi),%r14 + movq 16(%rsi),%r13 + movq 24(%rsi),%r12 + movq 32(%rsi),%rbp + movq 40(%rsi),%rbx + leaq 48(%rsi),%rsp +.Lghash_epilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_gcm_ghash_4bit: +.globl gcm_init_clmul +.def gcm_init_clmul; .scl 2; .type 32; .endef +.p2align 4 +gcm_init_clmul: + movdqu (%rdx),%xmm2 + pshufd $78,%xmm2,%xmm2 + + + pshufd $255,%xmm2,%xmm4 + movdqa %xmm2,%xmm3 + psllq $1,%xmm2 + pxor %xmm5,%xmm5 + psrlq $63,%xmm3 + pcmpgtd %xmm4,%xmm5 + pslldq $8,%xmm3 + por %xmm3,%xmm2 + + + pand .L0x1c2_polynomial(%rip),%xmm5 + pxor %xmm5,%xmm2 + + + movdqa %xmm2,%xmm0 + movdqa %xmm0,%xmm1 + pshufd $78,%xmm0,%xmm3 + pshufd $78,%xmm2,%xmm4 + pxor %xmm0,%xmm3 + pxor %xmm2,%xmm4 +.byte 102,15,58,68,194,0 +.byte 102,15,58,68,202,17 +.byte 102,15,58,68,220,0 + pxor %xmm0,%xmm3 + pxor %xmm1,%xmm3 + + movdqa %xmm3,%xmm4 + psrldq $8,%xmm3 + pslldq $8,%xmm4 + pxor %xmm3,%xmm1 + pxor %xmm4,%xmm0 + + movdqa %xmm0,%xmm3 + psllq $1,%xmm0 + pxor %xmm3,%xmm0 + psllq $5,%xmm0 + pxor %xmm3,%xmm0 + psllq $57,%xmm0 + movdqa %xmm0,%xmm4 + pslldq $8,%xmm0 + psrldq $8,%xmm4 + pxor %xmm3,%xmm0 + pxor %xmm4,%xmm1 + + + movdqa %xmm0,%xmm4 + psrlq $5,%xmm0 + pxor %xmm4,%xmm0 + psrlq $1,%xmm0 + pxor %xmm4,%xmm0 + pxor %xmm1,%xmm4 + psrlq $1,%xmm0 + pxor %xmm4,%xmm0 + movdqu %xmm2,(%rcx) + movdqu %xmm0,16(%rcx) + retq + +.globl gcm_gmult_clmul +.def gcm_gmult_clmul; .scl 2; .type 32; .endef +.p2align 4 +gcm_gmult_clmul: + movdqu (%rcx),%xmm0 + movdqa .Lbswap_mask(%rip),%xmm5 + movdqu (%rdx),%xmm2 +.byte 102,15,56,0,197 + movdqa %xmm0,%xmm1 + pshufd $78,%xmm0,%xmm3 + pshufd $78,%xmm2,%xmm4 + pxor 
%xmm0,%xmm3 + pxor %xmm2,%xmm4 +.byte 102,15,58,68,194,0 +.byte 102,15,58,68,202,17 +.byte 102,15,58,68,220,0 + pxor %xmm0,%xmm3 + pxor %xmm1,%xmm3 + + movdqa %xmm3,%xmm4 + psrldq $8,%xmm3 + pslldq $8,%xmm4 + pxor %xmm3,%xmm1 + pxor %xmm4,%xmm0 + + movdqa %xmm0,%xmm3 + psllq $1,%xmm0 + pxor %xmm3,%xmm0 + psllq $5,%xmm0 + pxor %xmm3,%xmm0 + psllq $57,%xmm0 + movdqa %xmm0,%xmm4 + pslldq $8,%xmm0 + psrldq $8,%xmm4 + pxor %xmm3,%xmm0 + pxor %xmm4,%xmm1 + + + movdqa %xmm0,%xmm4 + psrlq $5,%xmm0 + pxor %xmm4,%xmm0 + psrlq $1,%xmm0 + pxor %xmm4,%xmm0 + pxor %xmm1,%xmm4 + psrlq $1,%xmm0 + pxor %xmm4,%xmm0 +.byte 102,15,56,0,197 + movdqu %xmm0,(%rcx) + retq + +.globl gcm_ghash_clmul +.def gcm_ghash_clmul; .scl 2; .type 32; .endef +.p2align 4 +gcm_ghash_clmul: +.LSEH_begin_gcm_ghash_clmul: + +.byte 0x48,0x83,0xec,0x58 +.byte 0x0f,0x29,0x34,0x24 +.byte 0x0f,0x29,0x7c,0x24,0x10 +.byte 0x44,0x0f,0x29,0x44,0x24,0x20 +.byte 0x44,0x0f,0x29,0x4c,0x24,0x30 +.byte 0x44,0x0f,0x29,0x54,0x24,0x40 + movdqa .Lbswap_mask(%rip),%xmm5 + + movdqu (%rcx),%xmm0 + movdqu (%rdx),%xmm2 +.byte 102,15,56,0,197 + + subq $16,%r9 + jz .Lodd_tail + + movdqu 16(%rdx),%xmm8 + + + + + + movdqu (%r8),%xmm3 + movdqu 16(%r8),%xmm6 +.byte 102,15,56,0,221 +.byte 102,15,56,0,245 + pxor %xmm3,%xmm0 + movdqa %xmm6,%xmm7 + pshufd $78,%xmm6,%xmm3 + pshufd $78,%xmm2,%xmm4 + pxor %xmm6,%xmm3 + pxor %xmm2,%xmm4 +.byte 102,15,58,68,242,0 +.byte 102,15,58,68,250,17 +.byte 102,15,58,68,220,0 + pxor %xmm6,%xmm3 + pxor %xmm7,%xmm3 + + movdqa %xmm3,%xmm4 + psrldq $8,%xmm3 + pslldq $8,%xmm4 + pxor %xmm3,%xmm7 + pxor %xmm4,%xmm6 + movdqa %xmm0,%xmm1 + pshufd $78,%xmm0,%xmm3 + pshufd $78,%xmm8,%xmm4 + pxor %xmm0,%xmm3 + pxor %xmm8,%xmm4 + + leaq 32(%r8),%r8 + subq $32,%r9 + jbe .Leven_tail + +.Lmod_loop: +.byte 102,65,15,58,68,192,0 +.byte 102,65,15,58,68,200,17 +.byte 102,15,58,68,220,0 + pxor %xmm0,%xmm3 + pxor %xmm1,%xmm3 + + movdqa %xmm3,%xmm4 + psrldq $8,%xmm3 + pslldq $8,%xmm4 + pxor %xmm3,%xmm1 + pxor %xmm4,%xmm0 + 
movdqu (%r8),%xmm3 + pxor %xmm6,%xmm0 + pxor %xmm7,%xmm1 + + movdqu 16(%r8),%xmm6 +.byte 102,15,56,0,221 +.byte 102,15,56,0,245 + + movdqa %xmm6,%xmm7 + pshufd $78,%xmm6,%xmm9 + pshufd $78,%xmm2,%xmm10 + pxor %xmm6,%xmm9 + pxor %xmm2,%xmm10 + pxor %xmm3,%xmm1 + + movdqa %xmm0,%xmm3 + psllq $1,%xmm0 + pxor %xmm3,%xmm0 + psllq $5,%xmm0 + pxor %xmm3,%xmm0 +.byte 102,15,58,68,242,0 + psllq $57,%xmm0 + movdqa %xmm0,%xmm4 + pslldq $8,%xmm0 + psrldq $8,%xmm4 + pxor %xmm3,%xmm0 + pxor %xmm4,%xmm1 + +.byte 102,15,58,68,250,17 + movdqa %xmm0,%xmm4 + psrlq $5,%xmm0 + pxor %xmm4,%xmm0 + psrlq $1,%xmm0 + pxor %xmm4,%xmm0 + pxor %xmm1,%xmm4 + psrlq $1,%xmm0 + pxor %xmm4,%xmm0 + +.byte 102,69,15,58,68,202,0 + movdqa %xmm0,%xmm1 + pshufd $78,%xmm0,%xmm3 + pshufd $78,%xmm8,%xmm4 + pxor %xmm0,%xmm3 + pxor %xmm8,%xmm4 + + pxor %xmm6,%xmm9 + pxor %xmm7,%xmm9 + movdqa %xmm9,%xmm10 + psrldq $8,%xmm9 + pslldq $8,%xmm10 + pxor %xmm9,%xmm7 + pxor %xmm10,%xmm6 + + leaq 32(%r8),%r8 + subq $32,%r9 + ja .Lmod_loop + +.Leven_tail: +.byte 102,65,15,58,68,192,0 +.byte 102,65,15,58,68,200,17 +.byte 102,15,58,68,220,0 + pxor %xmm0,%xmm3 + pxor %xmm1,%xmm3 + + movdqa %xmm3,%xmm4 + psrldq $8,%xmm3 + pslldq $8,%xmm4 + pxor %xmm3,%xmm1 + pxor %xmm4,%xmm0 + pxor %xmm6,%xmm0 + pxor %xmm7,%xmm1 + + movdqa %xmm0,%xmm3 + psllq $1,%xmm0 + pxor %xmm3,%xmm0 + psllq $5,%xmm0 + pxor %xmm3,%xmm0 + psllq $57,%xmm0 + movdqa %xmm0,%xmm4 + pslldq $8,%xmm0 + psrldq $8,%xmm4 + pxor %xmm3,%xmm0 + pxor %xmm4,%xmm1 + + + movdqa %xmm0,%xmm4 + psrlq $5,%xmm0 + pxor %xmm4,%xmm0 + psrlq $1,%xmm0 + pxor %xmm4,%xmm0 + pxor %xmm1,%xmm4 + psrlq $1,%xmm0 + pxor %xmm4,%xmm0 + testq %r9,%r9 + jnz .Ldone + +.Lodd_tail: + movdqu (%r8),%xmm3 +.byte 102,15,56,0,221 + pxor %xmm3,%xmm0 + movdqa %xmm0,%xmm1 + pshufd $78,%xmm0,%xmm3 + pshufd $78,%xmm2,%xmm4 + pxor %xmm0,%xmm3 + pxor %xmm2,%xmm4 +.byte 102,15,58,68,194,0 +.byte 102,15,58,68,202,17 +.byte 102,15,58,68,220,0 + pxor %xmm0,%xmm3 + pxor %xmm1,%xmm3 + + movdqa %xmm3,%xmm4 + psrldq 
$8,%xmm3 + pslldq $8,%xmm4 + pxor %xmm3,%xmm1 + pxor %xmm4,%xmm0 + + movdqa %xmm0,%xmm3 + psllq $1,%xmm0 + pxor %xmm3,%xmm0 + psllq $5,%xmm0 + pxor %xmm3,%xmm0 + psllq $57,%xmm0 + movdqa %xmm0,%xmm4 + pslldq $8,%xmm0 + psrldq $8,%xmm4 + pxor %xmm3,%xmm0 + pxor %xmm4,%xmm1 + + + movdqa %xmm0,%xmm4 + psrlq $5,%xmm0 + pxor %xmm4,%xmm0 + psrlq $1,%xmm0 + pxor %xmm4,%xmm0 + pxor %xmm1,%xmm4 + psrlq $1,%xmm0 + pxor %xmm4,%xmm0 +.Ldone: +.byte 102,15,56,0,197 + movdqu %xmm0,(%rcx) + movaps (%rsp),%xmm6 + movaps 16(%rsp),%xmm7 + movaps 32(%rsp),%xmm8 + movaps 48(%rsp),%xmm9 + movaps 64(%rsp),%xmm10 + addq $88,%rsp + retq +.LSEH_end_gcm_ghash_clmul: + +.p2align 6 +.Lbswap_mask: +.byte 15,14,13,12,11,10,9,8,7,6,5,4,3,2,1,0 +.L0x1c2_polynomial: +.byte 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0xc2 +.p2align 6 + +.Lrem_4bit: +.long 0,0,0,471859200,0,943718400,0,610271232 +.long 0,1887436800,0,1822425088,0,1220542464,0,1423966208 +.long 0,3774873600,0,4246732800,0,3644850176,0,3311403008 +.long 0,2441084928,0,2376073216,0,2847932416,0,3051356160 + +.Lrem_8bit: +.value 0x0000,0x01C2,0x0384,0x0246,0x0708,0x06CA,0x048C,0x054E +.value 0x0E10,0x0FD2,0x0D94,0x0C56,0x0918,0x08DA,0x0A9C,0x0B5E +.value 0x1C20,0x1DE2,0x1FA4,0x1E66,0x1B28,0x1AEA,0x18AC,0x196E +.value 0x1230,0x13F2,0x11B4,0x1076,0x1538,0x14FA,0x16BC,0x177E +.value 0x3840,0x3982,0x3BC4,0x3A06,0x3F48,0x3E8A,0x3CCC,0x3D0E +.value 0x3650,0x3792,0x35D4,0x3416,0x3158,0x309A,0x32DC,0x331E +.value 0x2460,0x25A2,0x27E4,0x2626,0x2368,0x22AA,0x20EC,0x212E +.value 0x2A70,0x2BB2,0x29F4,0x2836,0x2D78,0x2CBA,0x2EFC,0x2F3E +.value 0x7080,0x7142,0x7304,0x72C6,0x7788,0x764A,0x740C,0x75CE +.value 0x7E90,0x7F52,0x7D14,0x7CD6,0x7998,0x785A,0x7A1C,0x7BDE +.value 0x6CA0,0x6D62,0x6F24,0x6EE6,0x6BA8,0x6A6A,0x682C,0x69EE +.value 0x62B0,0x6372,0x6134,0x60F6,0x65B8,0x647A,0x663C,0x67FE +.value 0x48C0,0x4902,0x4B44,0x4A86,0x4FC8,0x4E0A,0x4C4C,0x4D8E +.value 0x46D0,0x4712,0x4554,0x4496,0x41D8,0x401A,0x425C,0x439E +.value 
0x54E0,0x5522,0x5764,0x56A6,0x53E8,0x522A,0x506C,0x51AE +.value 0x5AF0,0x5B32,0x5974,0x58B6,0x5DF8,0x5C3A,0x5E7C,0x5FBE +.value 0xE100,0xE0C2,0xE284,0xE346,0xE608,0xE7CA,0xE58C,0xE44E +.value 0xEF10,0xEED2,0xEC94,0xED56,0xE818,0xE9DA,0xEB9C,0xEA5E +.value 0xFD20,0xFCE2,0xFEA4,0xFF66,0xFA28,0xFBEA,0xF9AC,0xF86E +.value 0xF330,0xF2F2,0xF0B4,0xF176,0xF438,0xF5FA,0xF7BC,0xF67E +.value 0xD940,0xD882,0xDAC4,0xDB06,0xDE48,0xDF8A,0xDDCC,0xDC0E +.value 0xD750,0xD692,0xD4D4,0xD516,0xD058,0xD19A,0xD3DC,0xD21E +.value 0xC560,0xC4A2,0xC6E4,0xC726,0xC268,0xC3AA,0xC1EC,0xC02E +.value 0xCB70,0xCAB2,0xC8F4,0xC936,0xCC78,0xCDBA,0xCFFC,0xCE3E +.value 0x9180,0x9042,0x9204,0x93C6,0x9688,0x974A,0x950C,0x94CE +.value 0x9F90,0x9E52,0x9C14,0x9DD6,0x9898,0x995A,0x9B1C,0x9ADE +.value 0x8DA0,0x8C62,0x8E24,0x8FE6,0x8AA8,0x8B6A,0x892C,0x88EE +.value 0x83B0,0x8272,0x8034,0x81F6,0x84B8,0x857A,0x873C,0x86FE +.value 0xA9C0,0xA802,0xAA44,0xAB86,0xAEC8,0xAF0A,0xAD4C,0xAC8E +.value 0xA7D0,0xA612,0xA454,0xA596,0xA0D8,0xA11A,0xA35C,0xA29E +.value 0xB5E0,0xB422,0xB664,0xB7A6,0xB2E8,0xB32A,0xB16C,0xB0AE +.value 0xBBF0,0xBA32,0xB874,0xB9B6,0xBCF8,0xBD3A,0xBF7C,0xBEBE + +.byte 71,72,65,83,72,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.p2align 6 + +.def se_handler; .scl 3; .type 32; .endef +.p2align 4 +se_handler: + pushq %rsi + pushq %rdi + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushfq + subq $64,%rsp + + movq 120(%r8),%rax + movq 248(%r8),%rbx + + movq 8(%r9),%rsi + movq 56(%r9),%r11 + + movl 0(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jb .Lin_prologue + + movq 152(%r8),%rax + + movl 4(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jae .Lin_prologue + + leaq 24(%rax),%rax + + movq -8(%rax),%rbx + movq -16(%rax),%rbp + movq -24(%rax),%r12 + movq %rbx,144(%r8) + movq %rbp,160(%r8) + movq %r12,216(%r8) + +.Lin_prologue: + movq 
8(%rax),%rdi + movq 16(%rax),%rsi + movq %rax,152(%r8) + movq %rsi,168(%r8) + movq %rdi,176(%r8) + + movq 40(%r9),%rdi + movq %r8,%rsi + movl $154,%ecx +.long 0xa548f3fc + + movq %r9,%rsi + xorq %rcx,%rcx + movq 8(%rsi),%rdx + movq 0(%rsi),%r8 + movq 16(%rsi),%r9 + movq 40(%rsi),%r10 + leaq 56(%rsi),%r11 + leaq 24(%rsi),%r12 + movq %r10,32(%rsp) + movq %r11,40(%rsp) + movq %r12,48(%rsp) + movq %rcx,56(%rsp) + call *__imp_RtlVirtualUnwind(%rip) + + movl $1,%eax + addq $64,%rsp + popfq + popq %r15 + popq %r14 + popq %r13 + popq %r12 + popq %rbp + popq %rbx + popq %rdi + popq %rsi + retq + + +.section .pdata +.p2align 2 +.rva .LSEH_begin_gcm_gmult_4bit +.rva .LSEH_end_gcm_gmult_4bit +.rva .LSEH_info_gcm_gmult_4bit + +.rva .LSEH_begin_gcm_ghash_4bit +.rva .LSEH_end_gcm_ghash_4bit +.rva .LSEH_info_gcm_ghash_4bit + +.rva .LSEH_begin_gcm_ghash_clmul +.rva .LSEH_end_gcm_ghash_clmul +.rva .LSEH_info_gcm_ghash_clmul + +.section .xdata +.p2align 3 +.LSEH_info_gcm_gmult_4bit: +.byte 9,0,0,0 +.rva se_handler +.rva .Lgmult_prologue,.Lgmult_epilogue +.LSEH_info_gcm_ghash_4bit: +.byte 9,0,0,0 +.rva se_handler +.rva .Lghash_prologue,.Lghash_epilogue +.LSEH_info_gcm_ghash_clmul: +.byte 0x01,0x1f,0x0b,0x00 +.byte 0x1f,0xa8,0x04,0x00 +.byte 0x19,0x98,0x03,0x00 +.byte 0x13,0x88,0x02,0x00 +.byte 0x0d,0x78,0x01,0x00 +.byte 0x08,0x68,0x00,0x00 +.byte 0x04,0xa2,0x00,0x00 diff --git a/crypto/modes/modes_lcl.h b/crypto/modes/modes_lcl.h index f8830e4..bfea189 100644 --- a/crypto/modes/modes_lcl.h +++ b/crypto/modes/modes_lcl.h 
@@ -45,14 +45,16 @@ typedef unsigned char u8;
 asm ("bswapl %0" \
 : "+r"(ret)); ret; })
 # elif (defined(__arm__) || defined(__arm)) && !defined(__STRICT_ALIGNMENT)
-# define BSWAP8(x) ({ u32 lo=(u64)(x)>>32,hi=(x); \
+# if (__ARM_ARCH >= 6)
+# define BSWAP8(x) ({ u32 lo=(u64)(x)>>32,hi=(x); \
 asm ("rev %0,%0; rev %1,%1" \
 : "+r"(hi),"+r"(lo)); \
 (u64)hi<<32|lo; })
-# define BSWAP4(x) ({ u32 ret; \
+# define BSWAP4(x) ({ u32 ret; \
 asm ("rev %0,%1" \
 : "=r"(ret) : "r"((u32)(x))); \
 ret; })
+# endif
 # endif
 #endif
 #endif
diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
index 5b7fac0..c0b63e4 100644
--- a/crypto/objects/obj_dat.c
+++ b/crypto/objects/obj_dat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: obj_dat.c,v 1.39 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: obj_dat.c,v 1.42 2019/07/03 03:24:04 deraadt Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -328,12 +328,12 @@ OBJ_add_object(const ASN1_OBJECT *obj)
 return (o->nid);
-err2:
+ err2:
 OBJerror(ERR_R_MALLOC_FAILURE);
-err:
+ err:
 for (i = ADDED_DATA; i <= ADDED_NID; i++)
 free(ao[i]);
- free(o);
+ ASN1_OBJECT_free(o);
 return (NID_undef);
 }
@@ -608,7 +608,7 @@ OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
 goto err;
 i = snprintf(buf, buf_len, ".%s", bndec);
 free(bndec);
- if (i == -1)
+ if (i < 0)
 goto err;
 if (i >= buf_len) {
 buf_len = 0;
@@ -619,7 +619,7 @@ OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
 ret += i;
 } else {
 i = snprintf(buf, buf_len, ".%lu", l);
- if (i == -1)
+ if (i < 0)
 goto err;
 if (i >= buf_len) {
 buf_len = 0;
@@ -632,11 +632,11 @@ OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
 }
 }
-out:
+ out:
 BN_free(bl);
 return ret;
-err:
+ err:
 ret = 0;
 goto out;
 }
@@ -810,7 +810,7 @@ OBJ_create(const char *oid, const char *sn, const char *ln)
 goto err;
 ok = OBJ_add_object(op);
-err:
+ err:
 ASN1_OBJECT_free(op);
 free(buf);
 return (ok);
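Review bot: The new `# if (__ARM_ARCH >= 6)` guard around BSWAP8/BSWAP4 silently evaluates to `0 >= 6` on ARM toolchains that do not define `__ARM_ARCH` (older GCC predates the macro), so those builds lose the `rev`-based macros without any diagnostic and presumably take the header's generic byte-swap path defined outside this hunk; under `-Wundef` the same line also warns. Spelling the test as `# if defined(__ARM_ARCH) && __ARM_ARCH >= 6` makes the intent explicit, and a one-line comment such as `/* rev/rev16 need ARMv6+; without __ARM_ARCH fall back to the portable swap */` would tell the next reader why the asm is conditional. The enclosing `#if` chain that selects these macros begins before the hunk, so it is unclear from here which fallback definition applies.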
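Review bot: In the `@@ -328,12` hunk of obj_dat.c, replacing `free(o)` with `ASN1_OBJECT_free(o)` only releases the object's sn/ln/data buffers when the ASN1_OBJECT_FLAG_DYNAMIC* flags are set on `o`, so the fix is correct if `o` is a deep copy (e.g. from `OBJ_dup`) and would double-free caller memory if it ever aliases the `obj` argument; the allocation of `o` is outside the hunk, so that should be confirmed. Because `err` and `err2` are reached from several points, `o` also needs to be initialised to NULL at the top of OBJ_add_object for `ASN1_OBJECT_free(o)` to be safe on the early paths, which the hunk does not show. A short comment at the label, `/* o is our own dup; free its members, not just the struct */`, would record why the generic free was wrong here.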
diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h index c9ac73e..13f2383 100644 --- a/crypto/objects/obj_dat.h +++ b/crypto/objects/obj_dat.h @@ -62,12 +62,12 @@ * [including the GNU Public Licence.] */ -#define NUM_NID 968 -#define NUM_SN 961 -#define NUM_LN 961 -#define NUM_OBJ 893 +#define NUM_NID 1001 +#define NUM_SN 994 +#define NUM_LN 994 +#define NUM_OBJ 924 -static const unsigned char lvalues[6250]={ +static const unsigned char lvalues[6481]={ 0x2A,0x86,0x48,0x86,0xF7,0x0D, /* [ 0] OBJ_rsadsi */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01, /* [ 6] OBJ_pkcs */ 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x02, /* [ 13] OBJ_md2 */ @@ -939,8 +939,8 @@ static const unsigned char lvalues[6250]={ 0x2A,0x85,0x03,0x07,0x01, /* [6118] OBJ_tc26 */ 0x2A,0x85,0x03,0x07,0x01,0x01,0x02,0x02, /* [6123] OBJ_id_tc26_gost3411_2012_256 */ 0x2A,0x85,0x03,0x07,0x01,0x01,0x02,0x03, /* [6131] OBJ_id_tc26_gost3411_2012_512 */ -0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x01,/* [6139] OBJ_id_tc26_gost_3410_2012_512_paramSetA */ -0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x02,/* [6148] OBJ_id_tc26_gost_3410_2012_512_paramSetB */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x01,/* [6139] OBJ_id_tc26_gost_3410_12_512_paramSetA */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x02,/* [6148] OBJ_id_tc26_gost_3410_12_512_paramSetB */ 0x2A,0x85,0x03,0x07,0x01,0x02,0x05,0x01,0x01,/* [6157] OBJ_id_tc26_gost_28147_param_Z */ 0x2A,0x85,0x03,0x07,0x01,0x01,0x01,0x01, /* [6166] OBJ_id_tc26_gost3410_2012_256 */ 0x2A,0x85,0x03,0x07,0x01,0x01,0x01,0x02, /* [6174] OBJ_id_tc26_gost3410_2012_512 */ 
@@ -955,6 +955,37 @@ static const unsigned char lvalues[6250]={ 0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x01,/* [6216] OBJ_jurisdictionLocalityName */ 0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x02,/* [6227] OBJ_jurisdictionStateOrProvinceName */ 0x2B,0x06,0x01,0x04,0x01,0x82,0x37,0x3C,0x02,0x01,0x03,/* [6238] OBJ_jurisdictionCountryName */ +0x2A,0x81,0x1C,0xCF,0x55,0x01,0x83,0x11, /* [6249] OBJ_sm3 */ +0x2A,0x81,0x1C,0xCF,0x55,0x01,0x83,0x78, /* [6257] OBJ_sm3WithRSAEncryption */ +0x2A,0x81,0x1C, /* [6265] OBJ_ISO_CN */ +0x2A,0x81,0x1C,0xCF,0x55, /* [6268] OBJ_oscca */ +0x2A,0x81,0x1C,0xCF,0x55,0x01, /* [6273] OBJ_sm_scheme */ +0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x01, /* [6279] OBJ_sm4_ecb */ +0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x02, /* [6287] OBJ_sm4_cbc */ +0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x03, /* [6295] OBJ_sm4_ofb128 */ +0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x04, /* [6303] OBJ_sm4_cfb128 */ +0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x05, /* [6311] OBJ_sm4_cfb1 */ +0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x06, /* [6319] OBJ_sm4_cfb8 */ +0x2A,0x81,0x1C,0xCF,0x55,0x01,0x68,0x07, /* [6327] OBJ_sm4_ctr */ +0x2B,0x81,0x05,0x10,0x86,0x48,0x3F,0x00,0x02,/* [6335] OBJ_dhSinglePass_stdDH_sha1kdf_scheme */ +0x2B,0x81,0x04,0x01,0x0B,0x00, /* [6344] OBJ_dhSinglePass_stdDH_sha224kdf_scheme */ +0x2B,0x81,0x04,0x01,0x0B,0x01, /* [6350] OBJ_dhSinglePass_stdDH_sha256kdf_scheme */ +0x2B,0x81,0x04,0x01,0x0B,0x02, /* [6356] OBJ_dhSinglePass_stdDH_sha384kdf_scheme */ +0x2B,0x81,0x04,0x01,0x0B,0x03, /* [6362] OBJ_dhSinglePass_stdDH_sha512kdf_scheme */ +0x2B,0x81,0x05,0x10,0x86,0x48,0x3F,0x00,0x03,/* [6368] OBJ_dhSinglePass_cofactorDH_sha1kdf_scheme */ +0x2B,0x81,0x04,0x01,0x0E,0x00, /* [6377] OBJ_dhSinglePass_cofactorDH_sha224kdf_scheme */ +0x2B,0x81,0x04,0x01,0x0E,0x01, /* [6383] OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme */ +0x2B,0x81,0x04,0x01,0x0E,0x02, /* [6389] OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme */ +0x2B,0x81,0x04,0x01,0x0E,0x03, /* [6395] 
OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme */ +0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x09,/* [6401] OBJ_pSpecified */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01,0x01,/* [6410] OBJ_id_tc26_gost_3410_12_256_paramSetA */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01,0x02,/* [6419] OBJ_id_tc26_gost_3410_12_256_paramSetB */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01,0x03,/* [6428] OBJ_id_tc26_gost_3410_12_256_paramSetC */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x01,0x04,/* [6437] OBJ_id_tc26_gost_3410_12_256_paramSetD */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x00,/* [6446] OBJ_id_tc26_gost_3410_12_512_paramSetTest */ +0x2A,0x85,0x03,0x07,0x01,0x02,0x01,0x02,0x03,/* [6455] OBJ_id_tc26_gost_3410_12_512_paramSetC */ +0x2A,0x85,0x03,0x07,0x01,0x01,0x04,0x01, /* [6464] OBJ_id_tc26_hmac_gost_3411_12_256 */ +0x2A,0x85,0x03,0x07,0x01,0x01,0x04,0x02, /* [6472] OBJ_id_tc26_hmac_gost_3411_12_512 */ }; static const ASN1_OBJECT nid_objs[NUM_NID]={ @@ -2474,12 +2505,12 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ NID_id_tc26_gost3411_2012_256,8,&(lvalues[6123]),0}, {"streebog512","GOST R 34-11-2012 (512 bit)", NID_id_tc26_gost3411_2012_512,8,&(lvalues[6131]),0}, -{"id-tc26-gost-3410-2012-512-paramSetA", - "id-tc26-gost-3410-2012-512-paramSetA", - NID_id_tc26_gost_3410_2012_512_paramSetA,9,&(lvalues[6139]),0}, -{"id-tc26-gost-3410-2012-512-paramSetB", - "id-tc26-gost-3410-2012-512-paramSetB", - NID_id_tc26_gost_3410_2012_512_paramSetB,9,&(lvalues[6148]),0}, +{"id-tc26-gost-3410-12-512-paramSetA", + "GOST R 34.10-2012 (512 bit) ParamSet A", + NID_id_tc26_gost_3410_12_512_paramSetA,9,&(lvalues[6139]),0}, +{"id-tc26-gost-3410-12-512-paramSetB", + "GOST R 34.10-2012 (512 bit) ParamSet B", + NID_id_tc26_gost_3410_12_512_paramSetB,9,&(lvalues[6148]),0}, {"id-tc26-gost-28147-param-Z","id-tc26-gost-28147-param-Z", NID_id_tc26_gost_28147_param_Z,9,&(lvalues[6157]),0}, {"id-tc26-gost3410-2012-256","GOST R 34.10-2012 (256 bit)", 
@@ -2513,6 +2544,74 @@ static const ASN1_OBJECT nid_objs[NUM_NID]={ {"AuthGOST01","auth-gost01",NID_auth_gost01,0,NULL,0}, {"AuthNULL","auth-null",NID_auth_null,0,NULL,0}, {"ChaCha20-Poly1305","chacha20-poly1305",NID_chacha20_poly1305,0,NULL,0}, +{"SM3","sm3",NID_sm3,8,&(lvalues[6249]),0}, +{"RSA-SM3","sm3WithRSAEncryption",NID_sm3WithRSAEncryption,8, + &(lvalues[6257]),0}, +{"ISO-CN","ISO CN Member Body",NID_ISO_CN,3,&(lvalues[6265]),0}, +{"oscca","oscca",NID_oscca,5,&(lvalues[6268]),0}, +{"sm-scheme","sm-scheme",NID_sm_scheme,6,&(lvalues[6273]),0}, +{"SM4-ECB","sm4-ecb",NID_sm4_ecb,8,&(lvalues[6279]),0}, +{"SM4-CBC","sm4-cbc",NID_sm4_cbc,8,&(lvalues[6287]),0}, +{"SM4-OFB","sm4-ofb",NID_sm4_ofb128,8,&(lvalues[6295]),0}, +{"SM4-CFB","sm4-cfb",NID_sm4_cfb128,8,&(lvalues[6303]),0}, +{"SM4-CFB1","sm4-cfb1",NID_sm4_cfb1,8,&(lvalues[6311]),0}, +{"SM4-CFB8","sm4-cfb8",NID_sm4_cfb8,8,&(lvalues[6319]),0}, +{"SM4-CTR","sm4-ctr",NID_sm4_ctr,8,&(lvalues[6327]),0}, +{"dhSinglePass-stdDH-sha1kdf-scheme", + "dhSinglePass-stdDH-sha1kdf-scheme", + NID_dhSinglePass_stdDH_sha1kdf_scheme,9,&(lvalues[6335]),0}, +{"dhSinglePass-stdDH-sha224kdf-scheme", + "dhSinglePass-stdDH-sha224kdf-scheme", + NID_dhSinglePass_stdDH_sha224kdf_scheme,6,&(lvalues[6344]),0}, +{"dhSinglePass-stdDH-sha256kdf-scheme", + "dhSinglePass-stdDH-sha256kdf-scheme", + NID_dhSinglePass_stdDH_sha256kdf_scheme,6,&(lvalues[6350]),0}, +{"dhSinglePass-stdDH-sha384kdf-scheme", + "dhSinglePass-stdDH-sha384kdf-scheme", + NID_dhSinglePass_stdDH_sha384kdf_scheme,6,&(lvalues[6356]),0}, +{"dhSinglePass-stdDH-sha512kdf-scheme", + "dhSinglePass-stdDH-sha512kdf-scheme", + NID_dhSinglePass_stdDH_sha512kdf_scheme,6,&(lvalues[6362]),0}, +{"dhSinglePass-cofactorDH-sha1kdf-scheme", + "dhSinglePass-cofactorDH-sha1kdf-scheme", + NID_dhSinglePass_cofactorDH_sha1kdf_scheme,9,&(lvalues[6368]),0}, +{"dhSinglePass-cofactorDH-sha224kdf-scheme", + "dhSinglePass-cofactorDH-sha224kdf-scheme", + 
NID_dhSinglePass_cofactorDH_sha224kdf_scheme,6,&(lvalues[6377]),0}, +{"dhSinglePass-cofactorDH-sha256kdf-scheme", + "dhSinglePass-cofactorDH-sha256kdf-scheme", + NID_dhSinglePass_cofactorDH_sha256kdf_scheme,6,&(lvalues[6383]),0}, +{"dhSinglePass-cofactorDH-sha384kdf-scheme", + "dhSinglePass-cofactorDH-sha384kdf-scheme", + NID_dhSinglePass_cofactorDH_sha384kdf_scheme,6,&(lvalues[6389]),0}, +{"dhSinglePass-cofactorDH-sha512kdf-scheme", + "dhSinglePass-cofactorDH-sha512kdf-scheme", + NID_dhSinglePass_cofactorDH_sha512kdf_scheme,6,&(lvalues[6395]),0}, +{"dh-std-kdf","dh-std-kdf",NID_dh_std_kdf,0,NULL,0}, +{"dh-cofactor-kdf","dh-cofactor-kdf",NID_dh_cofactor_kdf,0,NULL,0}, +{"PSPECIFIED","pSpecified",NID_pSpecified,9,&(lvalues[6401]),0}, +{"id-tc26-gost-3410-12-256-paramSetA", + "GOST R 34.10-2012 (256 bit) ParamSet A", + NID_id_tc26_gost_3410_12_256_paramSetA,9,&(lvalues[6410]),0}, +{"id-tc26-gost-3410-12-256-paramSetB", + "GOST R 34.10-2012 (256 bit) ParamSet B", + NID_id_tc26_gost_3410_12_256_paramSetB,9,&(lvalues[6419]),0}, +{"id-tc26-gost-3410-12-256-paramSetC", + "GOST R 34.10-2012 (256 bit) ParamSet C", + NID_id_tc26_gost_3410_12_256_paramSetC,9,&(lvalues[6428]),0}, +{"id-tc26-gost-3410-12-256-paramSetD", + "GOST R 34.10-2012 (256 bit) ParamSet D", + NID_id_tc26_gost_3410_12_256_paramSetD,9,&(lvalues[6437]),0}, +{"id-tc26-gost-3410-12-512-paramSetTest", + "GOST R 34.10-2012 (512 bit) testing parameter set", + NID_id_tc26_gost_3410_12_512_paramSetTest,9,&(lvalues[6446]),0}, +{"id-tc26-gost-3410-12-512-paramSetC", + "GOST R 34.10-2012 (512 bit) ParamSet C", + NID_id_tc26_gost_3410_12_512_paramSetC,9,&(lvalues[6455]),0}, +{"id-tc26-hmac-gost-3411-12-256","HMAC STREEBOG 256", + NID_id_tc26_hmac_gost_3411_12_256,8,&(lvalues[6464]),0}, +{"id-tc26-hmac-gost-3411-12-512","HMAC STREEBOG 512", + NID_id_tc26_hmac_gost_3411_12_512,8,&(lvalues[6472]),0}, }; static const unsigned int sn_objs[NUM_SN]={ 
@@ -2622,6 +2721,7 @@ static const unsigned int sn_objs[NUM_SN]={ 36, /* "IDEA-ECB" */ 46, /* "IDEA-OFB" */ 181, /* "ISO" */ +970, /* "ISO-CN" */ 183, /* "ISO-US" */ 645, /* "ITU-T" */ 646, /* "JOINT-ISO-ITU-T" */ @@ -2666,6 +2766,7 @@ static const unsigned int sn_objs[NUM_SN]={ 69, /* "PBKDF2" */ 162, /* "PBMAC1" */ 127, /* "PKIX" */ +992, /* "PSPECIFIED" */ 98, /* "RC2-40-CBC" */ 166, /* "RC2-64-CBC" */ 37, /* "RC2-CBC" */ @@ -2695,6 +2796,7 @@ static const unsigned int sn_objs[NUM_SN]={ 668, /* "RSA-SHA256" */ 669, /* "RSA-SHA384" */ 670, /* "RSA-SHA512" */ +969, /* "RSA-SM3" */ 919, /* "RSAES-OAEP" */ 912, /* "RSASSA-PSS" */ 777, /* "SEED-CBC" */ @@ -2707,6 +2809,14 @@ static const unsigned int sn_objs[NUM_SN]={ 672, /* "SHA256" */ 673, /* "SHA384" */ 674, /* "SHA512" */ +968, /* "SM3" */ +974, /* "SM4-CBC" */ +976, /* "SM4-CFB" */ +977, /* "SM4-CFB1" */ +978, /* "SM4-CFB8" */ +979, /* "SM4-CTR" */ +973, /* "SM4-ECB" */ +975, /* "SM4-OFB" */ 188, /* "SMIME" */ 167, /* "SMIME-CAPS" */ 100, /* "SN" */ @@ -2813,7 +2923,19 @@ static const unsigned int sn_objs[NUM_SN]={ 891, /* "deltaRevocationList" */ 107, /* "description" */ 871, /* "destinationIndicator" */ +991, /* "dh-cofactor-kdf" */ +990, /* "dh-std-kdf" */ 28, /* "dhKeyAgreement" */ +985, /* "dhSinglePass-cofactorDH-sha1kdf-scheme" */ +986, /* "dhSinglePass-cofactorDH-sha224kdf-scheme" */ +987, /* "dhSinglePass-cofactorDH-sha256kdf-scheme" */ +988, /* "dhSinglePass-cofactorDH-sha384kdf-scheme" */ +989, /* "dhSinglePass-cofactorDH-sha512kdf-scheme" */ +980, /* "dhSinglePass-stdDH-sha1kdf-scheme" */ +981, /* "dhSinglePass-stdDH-sha224kdf-scheme" */ +982, /* "dhSinglePass-stdDH-sha256kdf-scheme" */ +983, /* "dhSinglePass-stdDH-sha384kdf-scheme" */ +984, /* "dhSinglePass-stdDH-sha512kdf-scheme" */ 382, /* "directory" */ 887, /* "distinguishedName" */ 892, /* "dmdName" */ 
@@ -3114,10 +3236,18 @@ static const unsigned int sn_objs[NUM_SN]={ 250, /* "id-smime-spq-ets-sqt-unotice" */ 249, /* "id-smime-spq-ets-sqt-uri" */ 945, /* "id-tc26-gost-28147-param-Z" */ -943, /* "id-tc26-gost-3410-2012-512-paramSetA" */ -944, /* "id-tc26-gost-3410-2012-512-paramSetB" */ +993, /* "id-tc26-gost-3410-12-256-paramSetA" */ +994, /* "id-tc26-gost-3410-12-256-paramSetB" */ +995, /* "id-tc26-gost-3410-12-256-paramSetC" */ +996, /* "id-tc26-gost-3410-12-256-paramSetD" */ +943, /* "id-tc26-gost-3410-12-512-paramSetA" */ +944, /* "id-tc26-gost-3410-12-512-paramSetB" */ +998, /* "id-tc26-gost-3410-12-512-paramSetC" */ +997, /* "id-tc26-gost-3410-12-512-paramSetTest" */ 946, /* "id-tc26-gost3410-2012-256" */ 947, /* "id-tc26-gost3410-2012-512" */ +999, /* "id-tc26-hmac-gost-3411-12-256" */ +1000, /* "id-tc26-hmac-gost-3411-12-512" */ 948, /* "id-tc26-signwithdigest-gost3410-2012-256" */ 949, /* "id-tc26-signwithdigest-gost3410-2012-512" */ 676, /* "identified-organization" */ @@ -3181,6 +3311,7 @@ static const unsigned int sn_objs[NUM_SN]={ 77, /* "nsSslServerName" */ 681, /* "onBasis" */ 491, /* "organizationalStatus" */ +971, /* "oscca" */ 475, /* "otherMailbox" */ 876, /* "owner" */ 489, /* "pagerTelephoneNumber" */ @@ -3427,6 +3558,7 @@ static const unsigned int sn_objs[NUM_SN]={ 52, /* "signingTime" */ 454, /* "simpleSecurityObject" */ 496, /* "singleLevelQuality" */ +972, /* "sm-scheme" */ 387, /* "snmpv2" */ 941, /* "streebog256" */ 942, /* "streebog512" */ 
@@ -3513,7 +3645,15 @@ static const unsigned int ln_objs[NUM_LN]={ 811, /* "GOST R 34.10-2001" */ 817, /* "GOST R 34.10-2001 DH" */ 946, /* "GOST R 34.10-2012 (256 bit)" */ +993, /* "GOST R 34.10-2012 (256 bit) ParamSet A" */ +994, /* "GOST R 34.10-2012 (256 bit) ParamSet B" */ +995, /* "GOST R 34.10-2012 (256 bit) ParamSet C" */ +996, /* "GOST R 34.10-2012 (256 bit) ParamSet D" */ 947, /* "GOST R 34.10-2012 (512 bit)" */ +943, /* "GOST R 34.10-2012 (512 bit) ParamSet A" */ +944, /* "GOST R 34.10-2012 (512 bit) ParamSet B" */ +998, /* "GOST R 34.10-2012 (512 bit) ParamSet C" */ +997, /* "GOST R 34.10-2012 (512 bit) testing parameter set" */ 812, /* "GOST R 34.10-94" */ 818, /* "GOST R 34.10-94 DH" */ 941, /* "GOST R 34.11-2012 (256 bit)" */ @@ -3527,6 +3667,8 @@ static const unsigned int ln_objs[NUM_LN]={ 852, /* "GOST R 34.11-94 with GOST R 34.10-94 Cryptocom" */ 854, /* "GOST R 3410-2001 Parameter Set Cryptocom" */ 810, /* "HMAC GOST 34.11-94" */ +999, /* "HMAC STREEBOG 256" */ +1000, /* "HMAC STREEBOG 512" */ 432, /* "Hold Instruction Call Issuer" */ 430, /* "Hold Instruction Code" */ 431, /* "Hold Instruction None" */ @@ -3535,6 +3677,7 @@ static const unsigned int ln_objs[NUM_LN]={ 294, /* "IPSec End System" */ 295, /* "IPSec Tunnel" */ 296, /* "IPSec User" */ +970, /* "ISO CN Member Body" */ 182, /* "ISO Member Body" */ 183, /* "ISO US Member Body" */ 667, /* "Independent" */ 
@@ -3789,7 +3932,19 @@ static const unsigned int ln_objs[NUM_LN]={ 107, /* "description" */ 871, /* "destinationIndicator" */ 80, /* "desx-cbc" */ +991, /* "dh-cofactor-kdf" */ +990, /* "dh-std-kdf" */ 28, /* "dhKeyAgreement" */ +985, /* "dhSinglePass-cofactorDH-sha1kdf-scheme" */ +986, /* "dhSinglePass-cofactorDH-sha224kdf-scheme" */ +987, /* "dhSinglePass-cofactorDH-sha256kdf-scheme" */ +988, /* "dhSinglePass-cofactorDH-sha384kdf-scheme" */ +989, /* "dhSinglePass-cofactorDH-sha512kdf-scheme" */ +980, /* "dhSinglePass-stdDH-sha1kdf-scheme" */ +981, /* "dhSinglePass-stdDH-sha224kdf-scheme" */ +982, /* "dhSinglePass-stdDH-sha256kdf-scheme" */ +983, /* "dhSinglePass-stdDH-sha384kdf-scheme" */ +984, /* "dhSinglePass-stdDH-sha512kdf-scheme" */ 11, /* "directory services (X.500)" */ 378, /* "directory services - algorithms" */ 887, /* "distinguishedName" */ @@ -4065,8 +4220,6 @@ static const unsigned int ln_objs[NUM_LN]={ 250, /* "id-smime-spq-ets-sqt-unotice" */ 249, /* "id-smime-spq-ets-sqt-uri" */ 945, /* "id-tc26-gost-28147-param-Z" */ -943, /* "id-tc26-gost-3410-2012-512-paramSetA" */ -944, /* "id-tc26-gost-3410-2012-512-paramSetB" */ 34, /* "idea-cbc" */ 35, /* "idea-cfb" */ 36, /* "idea-ecb" */ @@ -4123,8 +4276,10 @@ static const unsigned int ln_objs[NUM_LN]={ 17, /* "organizationName" */ 491, /* "organizationalStatus" */ 18, /* "organizationalUnitName" */ +971, /* "oscca" */ 475, /* "otherMailbox" */ 876, /* "owner" */ +992, /* "pSpecified" */ 489, /* "pagerTelephoneNumber" */ 782, /* "password based MAC" */ 374, /* "path" */ 
@@ -4396,6 +4551,16 @@ static const unsigned int ln_objs[NUM_LN]={ 52, /* "signingTime" */ 454, /* "simpleSecurityObject" */ 496, /* "singleLevelQuality" */ +972, /* "sm-scheme" */ +968, /* "sm3" */ +969, /* "sm3WithRSAEncryption" */ +974, /* "sm4-cbc" */ +976, /* "sm4-cfb" */ +977, /* "sm4-cfb1" */ +978, /* "sm4-cfb8" */ +979, /* "sm4-ctr" */ +973, /* "sm4-ecb" */ +975, /* "sm4-ofb" */ 16, /* "stateOrProvinceName" */ 660, /* "streetAddress" */ 498, /* "subtreeMaximumQuality" */ @@ -4464,6 +4629,7 @@ static const unsigned int obj_objs[NUM_OBJ]={ 512, /* OBJ_id_set 2 23 42 */ 678, /* OBJ_wap 2 23 43 */ 435, /* OBJ_pss 0 9 2342 */ +970, /* OBJ_ISO_CN 1 2 156 */ 183, /* OBJ_ISO_US 1 2 840 */ 381, /* OBJ_iana 1 3 6 1 */ 950, /* OBJ_X25519 1 3 101 110 */ @@ -4685,6 +4851,7 @@ static const unsigned int obj_objs[NUM_OBJ]={ 637, /* OBJ_set_brand_Diners 2 23 42 8 30 */ 638, /* OBJ_set_brand_AmericanExpress 2 23 42 8 34 */ 639, /* OBJ_set_brand_JCB 2 23 42 8 35 */ +971, /* OBJ_oscca 1 2 156 10197 */ 805, /* OBJ_cryptopro 1 2 643 2 2 */ 806, /* OBJ_cryptocom 1 2 643 2 9 */ 940, /* OBJ_tc26 1 2 643 7 1 */ @@ -4760,6 +4927,7 @@ static const unsigned int obj_objs[NUM_OBJ]={ 745, /* OBJ_wap_wsg_idm_ecid_wtls12 2 23 43 1 4 12 */ 804, /* OBJ_whirlpool 1 0 10118 3 0 55 */ 124, /* OBJ_rle_compression 1 1 1 1 666 1 */ +972, /* OBJ_sm_scheme 1 2 156 10197 1 */ 773, /* OBJ_kisa 1 2 410 200004 */ 807, /* OBJ_id_GostR3411_94_with_GostR3410_2001 1 2 643 2 2 3 */ 808, /* OBJ_id_GostR3411_94_with_GostR3410_94 1 2 643 2 2 4 */ 
@@ -4778,6 +4946,14 @@ static const unsigned int obj_objs[NUM_OBJ]={ 505, /* OBJ_mime_mhs_headings 1 3 6 1 7 1 1 */ 506, /* OBJ_mime_mhs_bodies 1 3 6 1 7 1 2 */ 119, /* OBJ_ripemd160WithRSA 1 3 36 3 3 1 2 */ +981, /* OBJ_dhSinglePass_stdDH_sha224kdf_scheme 1 3 132 1 11 0 */ +982, /* OBJ_dhSinglePass_stdDH_sha256kdf_scheme 1 3 132 1 11 1 */ +983, /* OBJ_dhSinglePass_stdDH_sha384kdf_scheme 1 3 132 1 11 2 */ +984, /* OBJ_dhSinglePass_stdDH_sha512kdf_scheme 1 3 132 1 11 3 */ +986, /* OBJ_dhSinglePass_cofactorDH_sha224kdf_scheme 1 3 132 1 14 0 */ +987, /* OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme 1 3 132 1 14 1 */ +988, /* OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme 1 3 132 1 14 2 */ +989, /* OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme 1 3 132 1 14 3 */ 631, /* OBJ_setAttr_GenCryptgrm 2 23 42 3 3 3 1 */ 632, /* OBJ_setAttr_T2Enc 2 23 42 3 3 4 1 */ 633, /* OBJ_setAttr_T2cleartxt 2 23 42 3 3 4 2 */ @@ -4855,6 +5031,15 @@ static const unsigned int obj_objs[NUM_OBJ]={ 768, /* OBJ_camellia_256_ofb128 0 3 4401 5 3 1 9 43 */ 759, /* OBJ_camellia_256_cfb128 0 3 4401 5 3 1 9 44 */ 437, /* OBJ_pilot 0 9 2342 19200300 100 */ +973, /* OBJ_sm4_ecb 1 2 156 10197 1 104 1 */ +974, /* OBJ_sm4_cbc 1 2 156 10197 1 104 2 */ +975, /* OBJ_sm4_ofb128 1 2 156 10197 1 104 3 */ +976, /* OBJ_sm4_cfb128 1 2 156 10197 1 104 4 */ +977, /* OBJ_sm4_cfb1 1 2 156 10197 1 104 5 */ +978, /* OBJ_sm4_cfb8 1 2 156 10197 1 104 6 */ +979, /* OBJ_sm4_ctr 1 2 156 10197 1 104 7 */ +968, /* OBJ_sm3 1 2 156 10197 1 401 */ +969, /* OBJ_sm3WithRSAEncryption 1 2 156 10197 1 504 */ 776, /* OBJ_seed_ecb 1 2 410 200004 1 3 */ 777, /* OBJ_seed_cbc 1 2 410 200004 1 4 */ 779, /* OBJ_seed_cfb128 1 2 410 200004 1 5 */ 
@@ -4871,6 +5056,8 @@ static const unsigned int obj_objs[NUM_OBJ]={ 942, /* OBJ_id_tc26_gost3411_2012_512 1 2 643 7 1 1 2 3 */ 948, /* OBJ_id_tc26_signwithdigest_gost3410_2012_256 1 2 643 7 1 1 3 2 */ 949, /* OBJ_id_tc26_signwithdigest_gost3410_2012_512 1 2 643 7 1 1 3 3 */ +999, /* OBJ_id_tc26_hmac_gost_3411_12_256 1 2 643 7 1 1 4 1 */ +1000, /* OBJ_id_tc26_hmac_gost_3411_12_512 1 2 643 7 1 1 4 2 */ 186, /* OBJ_pkcs1 1 2 840 113549 1 1 */ 27, /* OBJ_pkcs3 1 2 840 113549 1 3 */ 187, /* OBJ_pkcs5 1 2 840 113549 1 5 */ @@ -5038,8 +5225,14 @@ static const unsigned int obj_objs[NUM_OBJ]={ 439, /* OBJ_pilotAttributeSyntax 0 9 2342 19200300 100 3 */ 440, /* OBJ_pilotObjectClass 0 9 2342 19200300 100 4 */ 441, /* OBJ_pilotGroups 0 9 2342 19200300 100 10 */ -943, /* OBJ_id_tc26_gost_3410_2012_512_paramSetA 1 2 643 7 1 2 1 2 1 */ -944, /* OBJ_id_tc26_gost_3410_2012_512_paramSetB 1 2 643 7 1 2 1 2 2 */ +993, /* OBJ_id_tc26_gost_3410_12_256_paramSetA 1 2 643 7 1 2 1 1 1 */ +994, /* OBJ_id_tc26_gost_3410_12_256_paramSetB 1 2 643 7 1 2 1 1 2 */ +995, /* OBJ_id_tc26_gost_3410_12_256_paramSetC 1 2 643 7 1 2 1 1 3 */ +996, /* OBJ_id_tc26_gost_3410_12_256_paramSetD 1 2 643 7 1 2 1 1 4 */ +997, /* OBJ_id_tc26_gost_3410_12_512_paramSetTest 1 2 643 7 1 2 1 2 0 */ +943, /* OBJ_id_tc26_gost_3410_12_512_paramSetA 1 2 643 7 1 2 1 2 1 */ +944, /* OBJ_id_tc26_gost_3410_12_512_paramSetB 1 2 643 7 1 2 1 2 2 */ +998, /* OBJ_id_tc26_gost_3410_12_512_paramSetC 1 2 643 7 1 2 1 2 3 */ 945, /* OBJ_id_tc26_gost_28147_param_Z 1 2 643 7 1 2 5 1 1 */ 108, /* OBJ_cast5_cbc 1 2 840 113533 7 66 10 */ 112, /* OBJ_pbeWithMD5AndCast5_CBC 1 2 840 113533 7 66 12 */ 
@@ -5053,6 +5246,7 @@ static const unsigned int obj_objs[NUM_OBJ]={ 644, /* OBJ_rsaOAEPEncryptionSET 1 2 840 113549 1 1 6 */ 919, /* OBJ_rsaesOaep 1 2 840 113549 1 1 7 */ 911, /* OBJ_mgf1 1 2 840 113549 1 1 8 */ +992, /* OBJ_pSpecified 1 2 840 113549 1 1 9 */ 912, /* OBJ_rsassaPss 1 2 840 113549 1 1 10 */ 668, /* OBJ_sha256WithRSAEncryption 1 2 840 113549 1 1 11 */ 669, /* OBJ_sha384WithRSAEncryption 1 2 840 113549 1 1 12 */ @@ -5128,6 +5322,8 @@ static const unsigned int obj_objs[NUM_OBJ]={ 933, /* OBJ_brainpoolP384t1 1 3 36 3 3 2 8 1 1 12 */ 934, /* OBJ_brainpoolP512r1 1 3 36 3 3 2 8 1 1 13 */ 935, /* OBJ_brainpoolP512t1 1 3 36 3 3 2 8 1 1 14 */ +980, /* OBJ_dhSinglePass_stdDH_sha1kdf_scheme 1 3 133 16 840 63 0 2 */ +985, /* OBJ_dhSinglePass_cofactorDH_sha1kdf_scheme 1 3 133 16 840 63 0 3 */ 418, /* OBJ_aes_128_ecb 2 16 840 1 101 3 4 1 1 */ 419, /* OBJ_aes_128_cbc 2 16 840 1 101 3 4 1 2 */ 420, /* OBJ_aes_128_ofb128 2 16 840 1 101 3 4 1 3 */ diff --git a/crypto/objects/obj_lib.c b/crypto/objects/obj_lib.c index 53f3bb9..5327a0c 100644 --- a/crypto/objects/obj_lib.c +++ b/crypto/objects/obj_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: obj_lib.c,v 1.14 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: obj_lib.c,v 1.15 2018/09/08 10:31:24 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -109,7 +109,7 @@ OBJ_dup(const ASN1_OBJECT *o) ASN1_OBJECT_FLAG_DYNAMIC_STRINGS | ASN1_OBJECT_FLAG_DYNAMIC_DATA); return (r); -err: + err: OBJerror(ERR_R_MALLOC_FAILURE); free(ln); free(sn); diff --git a/crypto/ocsp/ocsp_cl.c b/crypto/ocsp/ocsp_cl.c index c2cd9da..0ed816c 100644 --- a/crypto/ocsp/ocsp_cl.c +++ b/crypto/ocsp/ocsp_cl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_cl.c,v 1.15 2018/03/17 14:44:34 jsing Exp $ */ +/* $OpenBSD: ocsp_cl.c,v 1.16 2018/11/25 19:48:43 jmc Exp $ */ /* Written by Tom Titchener for the OpenSSL * project. */ 
@@ -139,7 +139,7 @@ OCSP_request_add1_cert(OCSP_REQUEST *req, X509 *cert) return 1; } -/* Sign an OCSP request set the requestorName to the subjec +/* Sign an OCSP request set the requestorName to the subject * name of an optional signers certificate and include one * or more optional certificates in the request. Behaves * like PKCS7_sign(). diff --git a/crypto/ocsp/ocsp_ext.c b/crypto/ocsp/ocsp_ext.c index 1f2563c..eb51cfb 100644 --- a/crypto/ocsp/ocsp_ext.c +++ b/crypto/ocsp/ocsp_ext.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_ext.c,v 1.15 2016/12/27 16:01:19 jsing Exp $ */ +/* $OpenBSD: ocsp_ext.c,v 1.18 2018/05/14 23:47:10 tb Exp $ */ /* Written by Tom Titchener for the OpenSSL * project. */ @@ -88,7 +88,8 @@ OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos) } int -OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, int lastpos) +OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, const ASN1_OBJECT *obj, + int lastpos) { return X509v3_get_ext_by_OBJ(x->tbsRequest->requestExtensions, obj, lastpos); @@ -149,7 +150,7 @@ OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos) } int -OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, int lastpos) +OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, const ASN1_OBJECT *obj, int lastpos) { return X509v3_get_ext_by_OBJ(x->singleRequestExtensions, obj, lastpos); } @@ -209,7 +210,8 @@ OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos) } int -OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, int lastpos) +OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, const ASN1_OBJECT *obj, + int lastpos) { return X509v3_get_ext_by_OBJ(x->tbsResponseData->responseExtensions, obj, lastpos); 
@@ -271,7 +273,7 @@ OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos) } int -OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, +OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, const ASN1_OBJECT *obj, int lastpos) { return X509v3_get_ext_by_OBJ(x->singleExtensions, obj, lastpos); @@ -435,7 +437,7 @@ OCSP_copy_nonce(OCSP_BASICRESP *resp, OCSP_REQUEST *req) } X509_EXTENSION * -OCSP_crlID_new(char *url, long *n, char *tim) +OCSP_crlID_new(const char *url, long *n, char *tim) { X509_EXTENSION *x = NULL; OCSP_CRLID *cid = NULL; @@ -517,7 +519,7 @@ err: * method forces NID_ad_ocsp and uniformResourceLocator [6] IA5String. */ X509_EXTENSION * -OCSP_url_svcloc_new(X509_NAME* issuer, char **urls) +OCSP_url_svcloc_new(X509_NAME* issuer, const char **urls) { X509_EXTENSION *x = NULL; ASN1_IA5STRING *ia5 = NULL; diff --git a/crypto/ocsp/ocsp_ht.c b/crypto/ocsp/ocsp_ht.c index b9c9699..255f890 100644 --- a/crypto/ocsp/ocsp_ht.c +++ b/crypto/ocsp/ocsp_ht.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_ht.c,v 1.24 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ocsp_ht.c,v 1.25 2018/05/13 10:42:03 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -149,7 +149,7 @@ OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name, } OCSP_REQ_CTX * -OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, int maxline) +OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req, int maxline) { OCSP_REQ_CTX *rctx; @@ -440,7 +440,7 @@ next_line: /* Blocking OCSP request handler: now a special case of non-blocking I/O */ OCSP_RESPONSE * -OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req) +OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req) { OCSP_RESPONSE *resp = NULL; OCSP_REQ_CTX *ctx; diff --git a/crypto/ocsp/ocsp_lib.c b/crypto/ocsp/ocsp_lib.c index d56a002..53d5160 100644 --- a/crypto/ocsp/ocsp_lib.c +++ b/crypto/ocsp/ocsp_lib.c 
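Review bot: The `OCSP_url_svcloc_new(X509_NAME* issuer, const char **urls)` change is not source-compatible in the way the other const additions in this file are: C has no implicit conversion from `char **` to `const char **`, so an existing caller holding a `char **urls` now gets an incompatible-pointer-types diagnostic and has to cast or change its own declaration. If matching the upstream prototype is the intent, that is worth one line in the commit description so downstream users know why their build broke. In the hunk just above, `OCSP_crlID_new(const char *url, long *n, char *tim)` qualifies `url` but leaves `tim` as `char *` although it is presumably only read; making both const would keep the series consistent. Both function bodies continue outside their hunks.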
@@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp_lib.c,v 1.20 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ocsp_lib.c,v 1.23 2018/08/24 20:03:21 tb Exp $ */ /* Written by Tom Titchener for the OpenSSL * project. */ @@ -77,10 +77,10 @@ /* Convert a certificate and its issuer to an OCSP_CERTID */ OCSP_CERTID * -OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer) +OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject, const X509 *issuer) { X509_NAME *iname; - ASN1_INTEGER *serial; + const ASN1_INTEGER *serial; ASN1_BIT_STRING *ikey; #ifndef OPENSSL_NO_SHA1 @@ -89,7 +89,7 @@ OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer) #endif if (subject) { iname = X509_get_issuer_name(subject); - serial = X509_get_serialNumber(subject); + serial = X509_get0_serialNumber(subject); } else { iname = X509_get_subject_name(issuer); serial = NULL; @@ -99,8 +99,8 @@ OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer) } OCSP_CERTID * -OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName, - ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber) +OCSP_cert_id_new(const EVP_MD *dgst, const X509_NAME *issuerName, + const ASN1_BIT_STRING *issuerKey, const ASN1_INTEGER *serialNumber) { int nid; unsigned int i; @@ -180,7 +180,8 @@ OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b) * it is SSL. */ int -OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pssl) +OCSP_parse_url(const char *url, char **phost, char **pport, char **ppath, + int *pssl) { char *host, *path, *port, *tmp; diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c index f02aaa8..33c1de4 100644 --- a/crypto/pem/pem_info.c +++ b/crypto/pem/pem_info.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pem_info.c,v 1.22 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: pem_info.c,v 1.24 2020/07/25 11:53:37 schwarze Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -101,35 +101,33 @@ PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk, pem_password_cb *cb, void *pp; unsigned char *data = NULL; const unsigned char *p; - long len, error = 0; + long len; int ok = 0; - STACK_OF(X509_INFO) *ret = NULL; - unsigned int i, raw, ptype; - d2i_of_void *d2i = 0; + int num_in, ptype, raw; + STACK_OF(X509_INFO) *ret = sk; + d2i_of_void *d2i = NULL; - if (sk == NULL) { + if (ret == NULL) { if ((ret = sk_X509_INFO_new_null()) == NULL) { PEMerror(ERR_R_MALLOC_FAILURE); - return 0; + return NULL; } - } else - ret = sk; + } + num_in = sk_X509_INFO_num(ret); if ((xi = X509_INFO_new()) == NULL) goto err; for (;;) { raw = 0; ptype = 0; - i = PEM_read_bio(bp, &name, &header, &data, &len); - if (i == 0) { - error = ERR_GET_REASON(ERR_peek_last_error()); - if (error == PEM_R_NO_START_LINE) { + if (!PEM_read_bio(bp, &name, &header, &data, &len)) { + if (ERR_GET_REASON(ERR_peek_last_error()) == + PEM_R_NO_START_LINE) { ERR_clear_error(); break; } goto err; } -start: if ((strcmp(name, PEM_STRING_X509) == 0) || (strcmp(name, PEM_STRING_X509_OLD) == 0)) { d2i = (D2I_OF(void))d2i_X509; @@ -138,7 +136,6 @@ start: goto err; if ((xi = X509_INFO_new()) == NULL) goto err; - goto start; } pp = &(xi->x509); } else if ((strcmp(name, PEM_STRING_X509_TRUSTED) == 0)) { @@ -148,7 +145,6 @@ start: goto err; if ((xi = X509_INFO_new()) == NULL) goto err; - goto start; } pp = &(xi->x509); } else if (strcmp(name, PEM_STRING_X509_CRL) == 0) { @@ -158,7 +154,6 @@ start: goto err; if ((xi = X509_INFO_new()) == NULL) goto err; - goto start; } pp = &(xi->crl); } else @@ -170,12 +165,9 @@ start: goto err; if ((xi = X509_INFO_new()) == NULL) goto err; - goto start; } - xi->enc_data = NULL; xi->enc_len = 0; - xi->x_pkey = X509_PKEY_new(); if (xi->x_pkey == NULL) goto err; @@ -193,12 +185,9 @@ start: goto err; if ((xi = X509_INFO_new()) == NULL) goto err; - goto start; } - xi->enc_data = NULL; xi->enc_len = 0; - xi->x_pkey = X509_PKEY_new(); if (xi->x_pkey == NULL) goto err; 
@@ -216,12 +205,9 @@ start: goto err; if ((xi = X509_INFO_new()) == NULL) goto err; - goto start; } - xi->enc_data = NULL; xi->enc_len = 0; - xi->x_pkey = X509_PKEY_new(); if (xi->x_pkey == NULL) goto err; @@ -286,22 +272,19 @@ start: ok = 1; err: - if (xi != NULL) - X509_INFO_free(xi); if (!ok) { - for (i = 0; ((int)i) < sk_X509_INFO_num(ret); i++) { - xi = sk_X509_INFO_value(ret, i); - X509_INFO_free(xi); - } + while (sk_X509_INFO_num(ret) > num_in) + X509_INFO_free(sk_X509_INFO_pop(ret)); if (ret != sk) sk_X509_INFO_free(ret); ret = NULL; } - + X509_INFO_free(xi); free(name); free(header); free(data); - return (ret); + + return ret; } diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c index 0f7c36d..f012679 100644 --- a/crypto/pem/pem_lib.c +++ b/crypto/pem/pem_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pem_lib.c,v 1.45 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: pem_lib.c,v 1.49 2019/09/06 17:41:05 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -227,8 +227,7 @@ check_pem(const char *nm, const char *name) else r = 0; #ifndef OPENSSL_NO_ENGINE - if (e) - ENGINE_finish(e); + ENGINE_finish(e); #endif return r; } @@ -264,6 +263,16 @@ check_pem(const char *nm, const char *name) !strcmp(name, PEM_STRING_PKCS7)) return 1; +#ifndef OPENSSL_NO_CMS + if (strcmp(nm, PEM_STRING_X509) == 0 && + strcmp(name, PEM_STRING_CMS) == 0) + return 1; + + /* Allow CMS to be read from PKCS#7 headers */ + if (strcmp(nm, PEM_STRING_PKCS7) == 0 && + strcmp(name, PEM_STRING_CMS) == 0) + return 1; +#endif return 0; } @@ -565,7 +574,8 @@ load_iv(char **fromp, unsigned char *to, int num) } int -PEM_write(FILE *fp, char *name, char *header, unsigned char *data, long len) +PEM_write(FILE *fp, const char *name, const char *header, + const unsigned char *data, long len) { BIO *b; int ret; 
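Review bot: The rewritten `err:` path in PEM_X509_INFO_read_bio now unwinds only the entries this call pushed (`while (sk_X509_INFO_num(ret) > num_in)`) and leaves a caller-supplied `sk` with exactly the entries it had on entry while still returning NULL, but that contract is stated nowhere, so a caller that sees NULL cannot tell from the declaration whether its own stack is still usable. I would add a comment above the function, outside this hunk, along the lines of `/* On failure, only the X509_INFO entries added by this call are freed and NULL is returned; a caller-supplied sk keeps the entries it had on entry. */`. The same hunk drops the `if (xi != NULL)` guard before `X509_INFO_free(xi)`, which is correct because `X509_INFO_free` accepts NULL, but a short `/* xi may be NULL here */` would save the next reader the lookup. The function starts, and its parsing loop mostly lives, in the earlier hunks of this file.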
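Review bot: The first new `#ifndef OPENSSL_NO_CMS` check in check_pem, which accepts a `CERTIFICATE` (`PEM_STRING_X509`) header when `PEM_STRING_CMS` is requested, carries no comment while the PKCS#7 case directly below it does; since this decides which PEM headers a CMS reader will accept, the reason belongs next to the code, e.g. `/* Allow CMS to be read from CERTIFICATE headers as well */`. Widening accepted headers is a parsing-policy change and deserves a sentence in the commit description too. check_pem begins before its first hunk.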
@@ -581,8 +591,8 @@ PEM_write(FILE *fp, char *name, char *header, unsigned char *data, long len) } int -PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, - long len) +PEM_write_bio(BIO *bp, const char *name, const char *header, + const unsigned char *data, long len) { int nlen, n, i, j, outl; unsigned char *buf = NULL; @@ -613,7 +623,8 @@ PEM_write_bio(BIO *bp, const char *name, char *header, unsigned char *data, i = j = 0; while (len > 0) { n = (int)((len > (PEM_BUFSIZE * 5)) ? (PEM_BUFSIZE * 5) : len); - EVP_EncodeUpdate(&ctx, buf, &outl, &(data[j]), n); + if (!EVP_EncodeUpdate(&ctx, buf, &outl, &(data[j]), n)) + goto err; if ((outl) && (BIO_write(bp, (char *)buf, outl) != outl)) goto err; i += outl; diff --git a/crypto/pem/pem_sign.c b/crypto/pem/pem_sign.c index a225e89..fddeec7 100644 --- a/crypto/pem/pem_sign.c +++ b/crypto/pem/pem_sign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pem_sign.c,v 1.13 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: pem_sign.c,v 1.14 2018/08/24 19:51:31 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -64,17 +64,17 @@ #include #include -void +int PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type) { - EVP_DigestInit_ex(ctx, type, NULL); + return EVP_DigestInit_ex(ctx, type, NULL); } -void +int PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *data, unsigned int count) { - EVP_DigestUpdate(ctx, data, count); + return EVP_DigestUpdate(ctx, data, count); } int diff --git a/crypto/pem/pvkfmt.c b/crypto/pem/pvkfmt.c index 18de5d5..abb7f7e 100644 --- a/crypto/pem/pvkfmt.c +++ b/crypto/pem/pvkfmt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pvkfmt.c,v 1.19 2017/05/02 03:59:44 deraadt Exp $ */ +/* $OpenBSD: pvkfmt.c,v 1.22 2019/07/08 11:56:18 inoguchi Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2005. */ @@ -300,7 +300,7 @@ do_b2i_bio(BIO *in, int ispub) else ret = b2i_rsa(&p, length, bitlen, ispub); -err: + err: free(buf); return ret; } 
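Review bot: `PEM_SignInit` and `PEM_SignUpdate` now return the `EVP_DigestInit_ex`/`EVP_DigestUpdate` result, but nothing says what that value means; a header comment such as `/* Return 1 on success, 0 on failure, as the underlying EVP_Digest*() call does. */` would let callers start checking it. Since the prototypes are changing anyway, `unsigned char *data` in `PEM_SignUpdate` is only fed to the digest and could become `const unsigned char *data`, matching the const-correctness applied to `PEM_write` and `PEM_write_bio` in the hunks above. Existing callers written against the `void` versions will silently keep ignoring the new int, so the benefit only materialises once they are updated.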
@@ -320,27 +320,27 @@ b2i_dss(const unsigned char **in, unsigned int length, unsigned int bitlen, dsa = DSA_new(); ret = EVP_PKEY_new(); if (!dsa || !ret) - goto memerr; + goto err; if (!read_lebn(&p, nbyte, &dsa->p)) - goto memerr; + goto err; if (!read_lebn(&p, 20, &dsa->q)) - goto memerr; + goto err; if (!read_lebn(&p, nbyte, &dsa->g)) - goto memerr; + goto err; if (ispub) { if (!read_lebn(&p, nbyte, &dsa->pub_key)) - goto memerr; + goto err; } else { if (!read_lebn(&p, 20, &dsa->priv_key)) - goto memerr; + goto err; /* Calculate public key */ if (!(dsa->pub_key = BN_new())) - goto memerr; + goto err; if (!(ctx = BN_CTX_new())) - goto memerr; + goto err; if (!BN_mod_exp_ct(dsa->pub_key, dsa->g, dsa->priv_key, dsa->p, ctx)) - goto memerr; + goto err; BN_CTX_free(ctx); } @@ -349,7 +349,7 @@ b2i_dss(const unsigned char **in, unsigned int length, unsigned int bitlen, *in = p; return ret; -memerr: + err: PEMerror(ERR_R_MALLOC_FAILURE); DSA_free(dsa); EVP_PKEY_free(ret); @@ -371,27 +371,27 @@ b2i_rsa(const unsigned char **in, unsigned int length, unsigned int bitlen, rsa = RSA_new(); ret = EVP_PKEY_new(); if (!rsa || !ret) - goto memerr; + goto err; rsa->e = BN_new(); if (!rsa->e) - goto memerr; + goto err; if (!BN_set_word(rsa->e, read_ledword(&p))) - goto memerr; + goto err; if (!read_lebn(&p, nbyte, &rsa->n)) - goto memerr; + goto err; if (!ispub) { if (!read_lebn(&p, hnbyte, &rsa->p)) - goto memerr; + goto err; if (!read_lebn(&p, hnbyte, &rsa->q)) - goto memerr; + goto err; if (!read_lebn(&p, hnbyte, &rsa->dmp1)) - goto memerr; + goto err; if (!read_lebn(&p, hnbyte, &rsa->dmq1)) - goto memerr; + goto err; if (!read_lebn(&p, hnbyte, &rsa->iqmp)) - goto memerr; + goto err; if (!read_lebn(&p, nbyte, &rsa->d)) - goto memerr; + goto err; } EVP_PKEY_set1_RSA(ret, rsa); @@ -399,7 +399,7 @@ b2i_rsa(const unsigned char **in, unsigned int length, unsigned int bitlen, *in = p; return ret; -memerr: + err: PEMerror(ERR_R_MALLOC_FAILURE); RSA_free(rsa); EVP_PKEY_free(ret); 
@@ -548,20 +548,20 @@ check_bitlen_dsa(DSA *dsa, int ispub, unsigned int *pmagic) bitlen = BN_num_bits(dsa->p); if ((bitlen & 7) || (BN_num_bits(dsa->q) != 160) || (BN_num_bits(dsa->g) > bitlen)) - goto badkey; + goto err; if (ispub) { if (BN_num_bits(dsa->pub_key) > bitlen) - goto badkey; + goto err; *pmagic = MS_DSS1MAGIC; } else { if (BN_num_bits(dsa->priv_key) > 160) - goto badkey; + goto err; *pmagic = MS_DSS2MAGIC; } return bitlen; -badkey: + err: PEMerror(PEM_R_UNSUPPORTED_KEY_COMPONENTS); return 0; } @@ -572,7 +572,7 @@ check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic) int nbyte, hnbyte, bitlen; if (BN_num_bits(rsa->e) > 32) - goto badkey; + goto err; bitlen = BN_num_bits(rsa->n); nbyte = BN_num_bytes(rsa->n); hnbyte = (BN_num_bits(rsa->n) + 15) >> 4; @@ -585,17 +585,17 @@ check_bitlen_rsa(RSA *rsa, int ispub, unsigned int *pmagic) * hnbyte. */ if (BN_num_bytes(rsa->d) > nbyte) - goto badkey; + goto err; if ((BN_num_bytes(rsa->iqmp) > hnbyte) || (BN_num_bytes(rsa->p) > hnbyte) || (BN_num_bytes(rsa->q) > hnbyte) || (BN_num_bytes(rsa->dmp1) > hnbyte) || (BN_num_bytes(rsa->dmq1) > hnbyte)) - goto badkey; + goto err; } return bitlen; -badkey: + err: PEMerror(PEM_R_UNSUPPORTED_KEY_COMPONENTS); return 0; } @@ -723,9 +723,12 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen, const unsigned char *p = *in; unsigned int magic; unsigned char *enctmp = NULL, *q; - EVP_CIPHER_CTX cctx; + EVP_CIPHER_CTX *cctx = NULL; - EVP_CIPHER_CTX_init(&cctx); + if ((cctx = EVP_CIPHER_CTX_new()) == NULL) { + PEMerror(ERR_R_MALLOC_FAILURE); + goto err; + } if (saltlen) { char psbuf[PEM_BUFSIZE]; unsigned char keybuf[20]; 
@@ -758,23 +761,23 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen, } inlen = keylen - 8; q = enctmp + 8; - if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) + if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL)) goto err; - if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen)) + if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen)) goto err; - if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, &enctmplen)) + if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen)) goto err; magic = read_ledword((const unsigned char **)&q); if (magic != MS_RSA2MAGIC && magic != MS_DSS2MAGIC) { q = enctmp + 8; memset(keybuf + 5, 0, 11); - if (!EVP_DecryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, + if (!EVP_DecryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL)) goto err; explicit_bzero(keybuf, 20); - if (!EVP_DecryptUpdate(&cctx, q, &enctmplen, p, inlen)) + if (!EVP_DecryptUpdate(cctx, q, &enctmplen, p, inlen)) goto err; - if (!EVP_DecryptFinal_ex(&cctx, q + enctmplen, + if (!EVP_DecryptFinal_ex(cctx, q + enctmplen, &enctmplen)) goto err; magic = read_ledword((const unsigned char **)&q); @@ -789,8 +792,8 @@ do_PVK_body(const unsigned char **in, unsigned int saltlen, ret = b2i_PrivateKey(&p, keylen); -err: - EVP_CIPHER_CTX_cleanup(&cctx); + err: + EVP_CIPHER_CTX_free(cctx); if (enctmp && saltlen) free(enctmp); return ret; @@ -827,7 +830,7 @@ b2i_PVK_bio(BIO *in, pem_password_cb *cb, void *u) } ret = do_PVK_body(&p, saltlen, keylen, cb, u); -err: + err: freezero(buf, buflen); return ret; } 
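Review bot: The `err:` path of do_PVK_body still releases `enctmp` with plain `free()` although, once `EVP_DecryptUpdate`/`EVP_DecryptFinal_ex` have run, it holds the RC4-decrypted private-key blob; `b2i_PVK_bio` in the very next hunk already uses `freezero(buf, buflen)` for its copy of the input, so the decrypted buffer deserves the same treatment, `freezero(enctmp, <enctmp allocation size>)`, with the size taken from the allocation earlier in the function, outside this hunk. In the visible lines `keybuf`, the derived RC4 key, is cleared with `explicit_bzero` only on the retry branch after the magic check fails; if the first attempt succeeds the clearing has to happen elsewhere, which I cannot see here, so please confirm it does. Both `EVP_CIPHER_CTX_free(cctx)` and the `free(enctmp)` test are safe on the early `goto err` because `cctx` and `enctmp` start out NULL.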
@@ -837,27 +840,23 @@ i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb, void *u) { int outlen = 24, pklen; - unsigned char *p, *salt = NULL; - EVP_CIPHER_CTX cctx; + unsigned char *p = NULL, *start = NULL, *salt = NULL; + EVP_CIPHER_CTX *cctx = NULL; - EVP_CIPHER_CTX_init(&cctx); - if (enclevel) + if ((cctx = EVP_CIPHER_CTX_new()) == NULL) { + PEMerror(ERR_R_MALLOC_FAILURE); + goto err; + } + if (enclevel != 0) outlen += PVK_SALTLEN; pklen = do_i2b(NULL, pk, 0); if (pklen < 0) - return -1; + goto err; outlen += pklen; - if (!out) - return outlen; - if (*out) - p = *out; - else { - p = malloc(outlen); - if (!p) { - PEMerror(ERR_R_MALLOC_FAILURE); - return -1; - } - *out = p; + start = p = malloc(outlen); + if (!p) { + PEMerror(ERR_R_MALLOC_FAILURE); + goto err; } write_ledword(&p, MS_PVKMAGIC); @@ -869,15 +868,13 @@ i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb, write_ledword(&p, enclevel ? 1 : 0); write_ledword(&p, enclevel ? PVK_SALTLEN : 0); write_ledword(&p, pklen); - if (enclevel) { + if (enclevel != 0) { arc4random_buf(p, PVK_SALTLEN); salt = p; p += PVK_SALTLEN; } do_i2b(&p, pk, 0); - if (enclevel == 0) - return outlen; - else { + if (enclevel != 0) { char psbuf[PEM_BUFSIZE]; unsigned char keybuf[20]; int enctmplen, inlen; 
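Review bot: The rewrite of i2b_PVK removes the `if (!out) return outlen;` length query and the `if (*out) p = *out;` caller-buffer path, and the following hunk stores `*out = start` unconditionally, so a caller that followed the i2d-style convention of passing `out == NULL` to size a buffer would now dereference NULL. If the new contract is deliberately "always allocate, caller frees", it needs a comment on the function and a check of every caller (only `i2b_PVK_bio`, which passes `&tmp`, is visible here); otherwise keep the query with `if (out == NULL) { EVP_CIPHER_CTX_free(cctx); return outlen; }` before the `malloc`. The second `do_i2b(&p, pk, 0);` call, which actually writes the key, remains unchecked even though the sizing call a few lines earlier is tested; a mismatch between the two would go unnoticed.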
@@ -887,27 +884,29 @@ i2b_PVK(unsigned char **out, EVP_PKEY*pk, int enclevel, pem_password_cb *cb, inlen = PEM_def_callback(psbuf, PEM_BUFSIZE, 1, u); if (inlen <= 0) { PEMerror(PEM_R_BAD_PASSWORD_READ); - goto error; + goto err; } if (!derive_pvk_key(keybuf, salt, PVK_SALTLEN, (unsigned char *)psbuf, inlen)) - goto error; + goto err; if (enclevel == 1) memset(keybuf + 5, 0, 11); p = salt + PVK_SALTLEN + 8; - if (!EVP_EncryptInit_ex(&cctx, EVP_rc4(), NULL, keybuf, NULL)) - goto error; + if (!EVP_EncryptInit_ex(cctx, EVP_rc4(), NULL, keybuf, NULL)) + goto err; explicit_bzero(keybuf, 20); - if (!EVP_DecryptUpdate(&cctx, p, &enctmplen, p, pklen - 8)) - goto error; - if (!EVP_DecryptFinal_ex(&cctx, p + enctmplen, &enctmplen)) - goto error; + if (!EVP_EncryptUpdate(cctx, p, &enctmplen, p, pklen - 8)) + goto err; + if (!EVP_EncryptFinal_ex(cctx, p + enctmplen, &enctmplen)) + goto err; } - EVP_CIPHER_CTX_cleanup(&cctx); + EVP_CIPHER_CTX_free(cctx); + *out = start; return outlen; -error: - EVP_CIPHER_CTX_cleanup(&cctx); + err: + EVP_CIPHER_CTX_free(cctx); + free(start); return -1; } @@ -922,11 +921,11 @@ i2b_PVK_bio(BIO *out, EVP_PKEY *pk, int enclevel, pem_password_cb *cb, void *u) return -1; wrlen = BIO_write(out, tmp, outlen); free(tmp); - if (wrlen == outlen) { + if (wrlen != outlen) { PEMerror(PEM_R_BIO_WRITE_FAILURE); - return outlen; + return -1; } - return -1; + return outlen; } #endif diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c index 5642a14..08bb75d 100644 --- a/crypto/pkcs12/p12_add.c +++ b/crypto/pkcs12/p12_add.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_add.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: p12_add.c,v 1.17 2018/05/13 14:24:07 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
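Review bot: The new `err:` path releases the output buffer with `free(start)`, but on every `goto err` that follows `do_i2b` the buffer already holds the serialised private key in cleartext (encryption has either not happened yet or failed); `freezero(start, outlen)` costs nothing since `outlen` is known, and `b2i_PVK_bio` in this file already uses `freezero` for the same kind of data. The same applies to `free(tmp)` after `BIO_write` in `i2b_PVK_bio`, where `tmp` is that buffer and `freezero(tmp, outlen)` would be the consistent choice. The `explicit_bzero(keybuf, 20)` right after `EVP_EncryptInit_ex` is good; what happens to `psbuf`, which holds the password, is outside the visible lines and worth confirming.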
@@ -232,7 +232,7 @@ PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, int passlen) } PKCS8_PRIV_KEY_INFO * -PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag, const char *pass, int passlen) +PKCS12_decrypt_skey(const PKCS12_SAFEBAG *bag, const char *pass, int passlen) { return PKCS8_decrypt(bag->value.shkeybag, pass, passlen); } @@ -247,7 +247,7 @@ PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes) } STACK_OF(PKCS7) * -PKCS12_unpack_authsafes(PKCS12 *p12) +PKCS12_unpack_authsafes(const PKCS12 *p12) { if (!PKCS7_type_is_data(p12->authsafes)) { PKCS12error(PKCS12_R_CONTENT_TYPE_NOT_DATA); diff --git a/crypto/pkcs12/p12_attr.c b/crypto/pkcs12/p12_attr.c index 7552cf0..65bfaa0 100644 --- a/crypto/pkcs12/p12_attr.c +++ b/crypto/pkcs12/p12_attr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_attr.c,v 1.10 2014/07/11 08:44:49 jsing Exp $ */ +/* $OpenBSD: p12_attr.c,v 1.12 2018/08/24 20:07:41 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -77,14 +77,10 @@ PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen) int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage) { - unsigned char us_val; + unsigned char us_val = (unsigned char)usage; - us_val = (unsigned char) usage; - if (X509at_add1_attr_by_NID(&p8->attributes, NID_key_usage, - V_ASN1_BIT_STRING, &us_val, 1)) - return 1; - else - return 0; + return PKCS8_pkey_add1_attr_by_NID(p8, NID_key_usage, V_ASN1_BIT_STRING, + &us_val, 1); } /* Add a friendlyname to a safebag */ @@ -122,7 +118,7 @@ PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, int namelen) } ASN1_TYPE * -PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid) +PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid) { X509_ATTRIBUTE *attrib; int i; diff --git a/crypto/pkcs12/p12_crt.c b/crypto/pkcs12/p12_crt.c index af2c6af..f8ba335 100644 --- a/crypto/pkcs12/p12_crt.c +++ b/crypto/pkcs12/p12_crt.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: p12_crt.c,v 1.17 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: p12_crt.c,v 1.18 2018/05/13 13:46:55 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -80,7 +80,7 @@ copy_bag_attr(PKCS12_SAFEBAG *bag, EVP_PKEY *pkey, int nid) } PKCS12 * -PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, +PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter, int keytype) { @@ -221,7 +221,7 @@ err: PKCS12_SAFEBAG * PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, int key_usage, - int iter, int nid_key, char *pass) + int iter, int nid_key, const char *pass) { PKCS12_SAFEBAG *bag = NULL; PKCS8_PRIV_KEY_INFO *p8 = NULL; @@ -261,7 +261,7 @@ err: int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, - int nid_safe, int iter, char *pass) + int nid_safe, int iter, const char *pass) { PKCS7 *p7 = NULL; int free_safes = 0; diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c index ca08ee5..1ef5c4a 100644 --- a/crypto/pkcs12/p12_decr.c +++ b/crypto/pkcs12/p12_decr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_decr.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: p12_decr.c,v 1.19 2018/05/13 14:22:34 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -67,8 +67,9 @@ */ unsigned char * -PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, int passlen, - unsigned char *in, int inlen, unsigned char **data, int *datalen, int en_de) +PKCS12_pbe_crypt(const X509_ALGOR *algor, const char *pass, int passlen, + const unsigned char *in, int inlen, unsigned char **data, int *datalen, + int en_de) { unsigned char *out; int outlen, i; 
@@ -119,8 +120,8 @@ err: */ void * -PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it, - const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf) +PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it, + const char *pass, int passlen, const ASN1_OCTET_STRING *oct, int zbuf) { unsigned char *out; const unsigned char *p; diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c index 63b3df1..d6b12ed 100644 --- a/crypto/pkcs12/p12_npas.c +++ b/crypto/pkcs12/p12_npas.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_npas.c,v 1.12 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: p12_npas.c,v 1.13 2018/05/13 14:22:34 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -65,10 +65,11 @@ /* PKCS#12 password change routine */ -static int newpass_p12(PKCS12 *p12, char *oldpass, char *newpass); -static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass, - char *newpass); -static int newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass); +static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass); +static int newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *oldpass, + const char *newpass); +static int newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass, + const char *newpass); static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen); /* @@ -76,7 +77,7 @@ static int alg_get(X509_ALGOR *alg, int *pnid, int *piter, int *psaltlen); */ int -PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass) +PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass) { /* Check for NULL PKCS12 structure */ @@ -103,7 +104,7 @@ PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass) /* Parse the outer PKCS#12 structure */ static int -newpass_p12(PKCS12 *p12, char *oldpass, char *newpass) +newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) { STACK_OF(PKCS7) *asafes, *newsafes; STACK_OF(PKCS12_SAFEBAG) *bags; 
@@ -189,7 +190,8 @@ err: static int -newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass, char *newpass) +newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, const char *oldpass, + const char *newpass) { int i; @@ -204,7 +206,7 @@ newpass_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *oldpass, char *newpass) /* Change password of safebag: only needs handle shrouded keybags */ static int -newpass_bag(PKCS12_SAFEBAG *bag, char *oldpass, char *newpass) +newpass_bag(PKCS12_SAFEBAG *bag, const char *oldpass, const char *newpass) { PKCS8_PRIV_KEY_INFO *p8; X509_SIG *p8new; diff --git a/crypto/pkcs12/p12_p8d.c b/crypto/pkcs12/p12_p8d.c index 68af6bf..0286d4a 100644 --- a/crypto/pkcs12/p12_p8d.c +++ b/crypto/pkcs12/p12_p8d.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_p8d.c,v 1.6 2016/12/30 15:34:35 jsing Exp $ */ +/* $OpenBSD: p12_p8d.c,v 1.7 2018/05/13 14:28:14 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -61,7 +61,7 @@ #include PKCS8_PRIV_KEY_INFO * -PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen) +PKCS8_decrypt(const X509_SIG *p8, const char *pass, int passlen) { return PKCS12_item_decrypt_d2i(p8->algor, &PKCS8_PRIV_KEY_INFO_it, pass, passlen, p8->digest, 1); diff --git a/crypto/pkcs12/p12_utl.c b/crypto/pkcs12/p12_utl.c index eb95417..ff3a035 100644 --- a/crypto/pkcs12/p12_utl.c +++ b/crypto/pkcs12/p12_utl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: p12_utl.c,v 1.15 2016/12/30 15:34:35 jsing Exp $ */ +/* $OpenBSD: p12_utl.c,v 1.16 2018/05/30 15:32:11 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -100,7 +100,7 @@ OPENSSL_asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen) } char * -OPENSSL_uni2asc(unsigned char *uni, int unilen) +OPENSSL_uni2asc(const unsigned char *uni, int unilen) { size_t asclen, u16len, i; char *asctmp; diff --git a/crypto/pkcs12/pk12err.c b/crypto/pkcs12/pk12err.c index 0464a83..c1d075a 100644 --- a/crypto/pkcs12/pk12err.c 
+++ b/crypto/pkcs12/pk12err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk12err.c,v 1.10 2014/07/10 22:45:57 jsing Exp $ */
+/* $OpenBSD: pk12err.c,v 1.11 2020/06/05 16:51:12 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
  *
@@ -72,35 +72,7 @@ #define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS12,0,reason) static ERR_STRING_DATA PKCS12_str_functs[]= { - {ERR_FUNC(PKCS12_F_PARSE_BAG), "PARSE_BAG"}, - {ERR_FUNC(PKCS12_F_PARSE_BAGS), "PARSE_BAGS"}, - {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME), "PKCS12_ADD_FRIENDLYNAME"}, - {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_ASC), "PKCS12_add_friendlyname_asc"}, - {ERR_FUNC(PKCS12_F_PKCS12_ADD_FRIENDLYNAME_UNI), "PKCS12_add_friendlyname_uni"}, - {ERR_FUNC(PKCS12_F_PKCS12_ADD_LOCALKEYID), "PKCS12_add_localkeyid"}, - {ERR_FUNC(PKCS12_F_PKCS12_CREATE), "PKCS12_create"}, - {ERR_FUNC(PKCS12_F_PKCS12_GEN_MAC), "PKCS12_gen_mac"}, - {ERR_FUNC(PKCS12_F_PKCS12_INIT), "PKCS12_init"}, - {ERR_FUNC(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I), "PKCS12_item_decrypt_d2i"}, - {ERR_FUNC(PKCS12_F_PKCS12_ITEM_I2D_ENCRYPT), "PKCS12_item_i2d_encrypt"}, - {ERR_FUNC(PKCS12_F_PKCS12_ITEM_PACK_SAFEBAG), "PKCS12_item_pack_safebag"}, - {ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_ASC), "PKCS12_key_gen_asc"}, - {ERR_FUNC(PKCS12_F_PKCS12_KEY_GEN_UNI), "PKCS12_key_gen_uni"}, - {ERR_FUNC(PKCS12_F_PKCS12_MAKE_KEYBAG), "PKCS12_MAKE_KEYBAG"}, - {ERR_FUNC(PKCS12_F_PKCS12_MAKE_SHKEYBAG), "PKCS12_MAKE_SHKEYBAG"}, - {ERR_FUNC(PKCS12_F_PKCS12_NEWPASS), "PKCS12_newpass"}, - {ERR_FUNC(PKCS12_F_PKCS12_PACK_P7DATA), "PKCS12_pack_p7data"}, - {ERR_FUNC(PKCS12_F_PKCS12_PACK_P7ENCDATA), "PKCS12_pack_p7encdata"}, - {ERR_FUNC(PKCS12_F_PKCS12_PARSE), "PKCS12_parse"}, - {ERR_FUNC(PKCS12_F_PKCS12_PBE_CRYPT), "PKCS12_pbe_crypt"}, - {ERR_FUNC(PKCS12_F_PKCS12_PBE_KEYIVGEN), "PKCS12_PBE_keyivgen"}, - {ERR_FUNC(PKCS12_F_PKCS12_SETUP_MAC), "PKCS12_setup_mac"}, - {ERR_FUNC(PKCS12_F_PKCS12_SET_MAC), "PKCS12_set_mac"}, - {ERR_FUNC(PKCS12_F_PKCS12_UNPACK_AUTHSAFES), "PKCS12_unpack_authsafes"}, - {ERR_FUNC(PKCS12_F_PKCS12_UNPACK_P7DATA), "PKCS12_unpack_p7data"}, - {ERR_FUNC(PKCS12_F_PKCS12_VERIFY_MAC), "PKCS12_verify_mac"}, - {ERR_FUNC(PKCS12_F_PKCS8_ADD_KEYUSAGE), "PKCS8_add_keyusage"}, - {ERR_FUNC(PKCS12_F_PKCS8_ENCRYPT), 
"PKCS8_encrypt"}, + {ERR_FUNC(0xfff), "CRYPTO_internal"}, {0, NULL} }; diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c index 24ab957..81a72f6 100644 --- a/crypto/pkcs7/pk7_doit.c +++ b/crypto/pkcs7/pk7_doit.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pk7_doit.c,v 1.42 2017/05/02 03:59:45 deraadt Exp $ */ +/* $OpenBSD: pk7_doit.c,v 1.44 2019/10/04 18:03:55 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -191,7 +191,7 @@ err: static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, PKCS7_RECIP_INFO *ri, - EVP_PKEY *pkey) + EVP_PKEY *pkey, size_t fixlen) { EVP_PKEY_CTX *pctx = NULL; unsigned char *ek = NULL; @@ -222,8 +222,9 @@ pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, PKCS7_RECIP_INFO *ri, goto err; } - if (EVP_PKEY_decrypt(pctx, ek, &eklen, - ri->enc_key->data, ri->enc_key->length) <= 0) { + if (EVP_PKEY_decrypt(pctx, ek, &eklen, ri->enc_key->data, + ri->enc_key->length) <= 0 || eklen == 0 || + (fixlen != 0 && eklen != fixlen)) { ret = 0; PKCS7error(ERR_R_EVP_LIB); goto err; @@ -410,7 +411,7 @@ pkcs7_cmp_ri(PKCS7_RECIP_INFO *ri, X509 *pcert) pcert->cert_info->issuer); if (ret) return ret; - return ASN1_STRING_cmp(pcert->cert_info->serialNumber, + return ASN1_INTEGER_cmp(pcert->cert_info->serialNumber, ri->issuer_and_serial->serial); } @@ -535,14 +536,14 @@ PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) for (i = 0; i < sk_PKCS7_RECIP_INFO_num(rsk); i++) { ri = sk_PKCS7_RECIP_INFO_value(rsk, i); - if (pkcs7_decrypt_rinfo(&ek, &eklen, - ri, pkey) < 0) + if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, + EVP_CIPHER_key_length(evp_cipher)) < 0) goto err; ERR_clear_error(); } } else { /* Only exit on fatal errors, not decrypt failure */ - if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey) < 0) + if (pkcs7_decrypt_rinfo(&ek, &eklen, ri, pkey, 0) < 0) goto err; ERR_clear_error(); } diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c index dc407da..afcc179 100644 
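Review bot: The new rejection in pkcs7_decrypt_rinfo, `eklen == 0 || (fixlen != 0 && eklen != fixlen)`, deliberately funnels a wrong-length or empty key into the same `ret = 0; PKCS7error(ERR_R_EVP_LIB)` path as a failed RSA decrypt, so callers cannot tell the two apart — but nothing in the hunk states that, and a later cleanup could "improve" it into a distinct error code and reopen the oracle. A comment at the condition would pin the intent: `/* Treat an empty or wrong-length key exactly like a failed decrypt; a distinguishable error would leak a padding oracle. */` This looks like the upstream PKCS7 padding-oracle hardening (OpenSSL's CVE-2019-1563), which fits the file's 2019 revision, but confirm against the upstream commit before citing it in the comment. The allocation of `ek` and the err: cleanup that frees it are outside the hunk.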
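Review bot: The fixed-length check is armed only on the all-recipients path of PKCS7_dataDecode: when the caller supplies `pcert`, the second call passes `0` as `fixlen`, so for a known recipient any non-empty decrypted key length is still accepted. If that is intentional — presumably so variable-key-length ciphers keep working when the recipient is explicit and the later key-length adjustment (outside this hunk) can take over — the bare `0` deserves a comment such as `/* pcert given: skip the length check, eklen may legitimately differ for variable-key ciphers */`; if not, pass `EVP_CIPHER_key_length(evp_cipher)` here as well. Whether `evp_cipher` is guaranteed non-NULL at the first call is not visible in the hunk; the guard, if any, precedes it.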
--- a/crypto/pkcs7/pk7_lib.c +++ b/crypto/pkcs7/pk7_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pk7_lib.c,v 1.19 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: pk7_lib.c,v 1.21 2020/01/21 10:18:52 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -186,7 +186,6 @@ PKCS7_set_type(PKCS7 *p7, int type) if ((p7->d.signed_and_enveloped = PKCS7_SIGN_ENVELOPE_new()) == NULL) goto err; - ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1); if (!ASN1_INTEGER_set(p7->d.signed_and_enveloped->version, 1)) goto err; p7->d.signed_and_enveloped->enc_data->content_type = @@ -374,7 +373,7 @@ PKCS7_SIGNER_INFO_set(PKCS7_SIGNER_INFO *p7i, X509 *x509, EVP_PKEY *pkey, * things the ugly way. */ ASN1_INTEGER_free(p7i->issuer_and_serial->serial); if (!(p7i->issuer_and_serial->serial = - ASN1_STRING_dup(X509_get_serialNumber(x509)))) + ASN1_INTEGER_dup(X509_get_serialNumber(x509)))) goto err; /* lets keep the pkey around for a while */ @@ -534,7 +533,7 @@ PKCS7_RECIP_INFO_set(PKCS7_RECIP_INFO *p7i, X509 *x509) ASN1_INTEGER_free(p7i->issuer_and_serial->serial); if (!(p7i->issuer_and_serial->serial = - ASN1_STRING_dup(X509_get_serialNumber(x509)))) + ASN1_INTEGER_dup(X509_get_serialNumber(x509)))) return 0; pkey = X509_get_pubkey(x509); diff --git a/crypto/pkcs7/pkcs7err.c b/crypto/pkcs7/pkcs7err.c index 8a67bf5..251e781 100644 --- a/crypto/pkcs7/pkcs7err.c +++ b/crypto/pkcs7/pkcs7err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs7err.c,v 1.11 2014/07/10 22:45:57 jsing Exp $ */ +/* $OpenBSD: pkcs7err.c,v 1.12 2020/06/05 16:51:12 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. * 
@@ -72,46 +72,7 @@ #define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS7,0,reason) static ERR_STRING_DATA PKCS7_str_functs[]= { - {ERR_FUNC(PKCS7_F_B64_READ_PKCS7), "B64_READ_PKCS7"}, - {ERR_FUNC(PKCS7_F_B64_WRITE_PKCS7), "B64_WRITE_PKCS7"}, - {ERR_FUNC(PKCS7_F_DO_PKCS7_SIGNED_ATTRIB), "DO_PKCS7_SIGNED_ATTRIB"}, - {ERR_FUNC(PKCS7_F_I2D_PKCS7_BIO_STREAM), "i2d_PKCS7_bio_stream"}, - {ERR_FUNC(PKCS7_F_PKCS7_ADD0_ATTRIB_SIGNING_TIME), "PKCS7_add0_attrib_signing_time"}, - {ERR_FUNC(PKCS7_F_PKCS7_ADD_ATTRIB_SMIMECAP), "PKCS7_add_attrib_smimecap"}, - {ERR_FUNC(PKCS7_F_PKCS7_ADD_CERTIFICATE), "PKCS7_add_certificate"}, - {ERR_FUNC(PKCS7_F_PKCS7_ADD_CRL), "PKCS7_add_crl"}, - {ERR_FUNC(PKCS7_F_PKCS7_ADD_RECIPIENT_INFO), "PKCS7_add_recipient_info"}, - {ERR_FUNC(PKCS7_F_PKCS7_ADD_SIGNATURE), "PKCS7_add_signature"}, - {ERR_FUNC(PKCS7_F_PKCS7_ADD_SIGNER), "PKCS7_add_signer"}, - {ERR_FUNC(PKCS7_F_PKCS7_BIO_ADD_DIGEST), "PKCS7_BIO_ADD_DIGEST"}, - {ERR_FUNC(PKCS7_F_PKCS7_COPY_EXISTING_DIGEST), "PKCS7_COPY_EXISTING_DIGEST"}, - {ERR_FUNC(PKCS7_F_PKCS7_CTRL), "PKCS7_ctrl"}, - {ERR_FUNC(PKCS7_F_PKCS7_DATADECODE), "PKCS7_dataDecode"}, - {ERR_FUNC(PKCS7_F_PKCS7_DATAFINAL), "PKCS7_dataFinal"}, - {ERR_FUNC(PKCS7_F_PKCS7_DATAINIT), "PKCS7_dataInit"}, - {ERR_FUNC(PKCS7_F_PKCS7_DATASIGN), "PKCS7_DATASIGN"}, - {ERR_FUNC(PKCS7_F_PKCS7_DATAVERIFY), "PKCS7_dataVerify"}, - {ERR_FUNC(PKCS7_F_PKCS7_DECRYPT), "PKCS7_decrypt"}, - {ERR_FUNC(PKCS7_F_PKCS7_DECRYPT_RINFO), "PKCS7_DECRYPT_RINFO"}, - {ERR_FUNC(PKCS7_F_PKCS7_ENCODE_RINFO), "PKCS7_ENCODE_RINFO"}, - {ERR_FUNC(PKCS7_F_PKCS7_ENCRYPT), "PKCS7_encrypt"}, - {ERR_FUNC(PKCS7_F_PKCS7_FINAL), "PKCS7_final"}, - {ERR_FUNC(PKCS7_F_PKCS7_FIND_DIGEST), "PKCS7_FIND_DIGEST"}, - {ERR_FUNC(PKCS7_F_PKCS7_GET0_SIGNERS), "PKCS7_get0_signers"}, - {ERR_FUNC(PKCS7_F_PKCS7_RECIP_INFO_SET), "PKCS7_RECIP_INFO_set"}, - {ERR_FUNC(PKCS7_F_PKCS7_SET_CIPHER), "PKCS7_set_cipher"}, - {ERR_FUNC(PKCS7_F_PKCS7_SET_CONTENT), "PKCS7_set_content"}, - {ERR_FUNC(PKCS7_F_PKCS7_SET_DIGEST), 
"PKCS7_set_digest"}, - {ERR_FUNC(PKCS7_F_PKCS7_SET_TYPE), "PKCS7_set_type"}, - {ERR_FUNC(PKCS7_F_PKCS7_SIGN), "PKCS7_sign"}, - {ERR_FUNC(PKCS7_F_PKCS7_SIGNATUREVERIFY), "PKCS7_signatureVerify"}, - {ERR_FUNC(PKCS7_F_PKCS7_SIGNER_INFO_SET), "PKCS7_SIGNER_INFO_set"}, - {ERR_FUNC(PKCS7_F_PKCS7_SIGNER_INFO_SIGN), "PKCS7_SIGNER_INFO_sign"}, - {ERR_FUNC(PKCS7_F_PKCS7_SIGN_ADD_SIGNER), "PKCS7_sign_add_signer"}, - {ERR_FUNC(PKCS7_F_PKCS7_SIMPLE_SMIMECAP), "PKCS7_simple_smimecap"}, - {ERR_FUNC(PKCS7_F_PKCS7_VERIFY), "PKCS7_verify"}, - {ERR_FUNC(PKCS7_F_SMIME_READ_PKCS7), "SMIME_read_PKCS7"}, - {ERR_FUNC(PKCS7_F_SMIME_TEXT), "SMIME_text"}, + {ERR_FUNC(0xfff), "CRYPTO_internal"}, {0, NULL} }; diff --git a/crypto/rc4/rc4-masm-x86_64.S b/crypto/rc4/rc4-masm-x86_64.S new file mode 100644 index 0000000..b930d98 --- /dev/null +++ b/crypto/rc4/rc4-masm-x86_64.S 
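Review bot: The replacement row `{ERR_FUNC(0xfff), "CRYPTO_internal"}` hard-codes a magic function code with nothing explaining that it is the single placeholder the library now stamps on every PKCS7 error (presumably via the `PKCS7error()` macro, which is not visible here), so the table no longer reads on its own. A one-line comment above the entry would fix that: `/* 0xfff is the generic function code emitted by PKCS7error(); per-function codes are no longer reported */`, and the identical change to pk12err.c earlier in this diff wants the same note. Consumers that mapped `ERR_GET_FUNC()` to a function name will now only ever see "CRYPTO_internal"; if that behaviour change is not already in the changelog it should be, since it is user-visible in error output.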
@@ -0,0 +1,719 @@ +; 1 "crypto/rc4/rc4-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/rc4/rc4-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/rc4/rc4-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' +EXTERN OPENSSL_ia32cap_P:NEAR + + +PUBLIC RC4 + +ALIGN 16 +RC4 PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_RC4:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + + or rsi,rsi + jne $L$entry + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$entry:: + push rbx + push r12 + push r13 +$L$prologue:: + mov r11,rsi + mov r12,rdx + mov r13,rcx + xor r10,r10 + xor rcx,rcx + + lea rdi,QWORD PTR[8+rdi] + mov r10b,BYTE PTR[((-8))+rdi] + mov cl,BYTE PTR[((-4))+rdi] + cmp DWORD PTR[256+rdi],-1 + je $L$RC4_CHAR + mov r8d,DWORD PTR[OPENSSL_ia32cap_P] + xor rbx,rbx + inc r10b + sub rbx,r10 + sub r13,r12 + mov eax,DWORD PTR[r10*4+rdi] + test r11,-16 + jz $L$loop1 + bt r8d,30 + jc $L$intel + and rbx,7 + lea rsi,QWORD PTR[1+r10] + jz $L$oop8 + sub r11,rbx +$L$oop8_warmup:: + add cl,al + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],eax + mov DWORD PTR[r10*4+rdi],edx + add al,dl + inc r10b + mov edx,DWORD PTR[rax*4+rdi] + mov eax,DWORD PTR[r10*4+rdi] + xor dl,BYTE PTR[r12] + mov BYTE PTR[r12*1+r13],dl + lea r12,QWORD PTR[1+r12] + dec rbx + jnz $L$oop8_warmup + + lea rsi,QWORD PTR[1+r10] + jmp $L$oop8 +ALIGN 16 +$L$oop8:: + add cl,al + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],eax + mov ebx,DWORD PTR[rsi*4+rdi] + ror r8,8 + mov DWORD PTR[r10*4+rdi],edx + add dl,al + mov r8b,BYTE PTR[rdx*4+rdi] + add cl,bl + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],ebx + mov eax,DWORD PTR[4+rsi*4+rdi] + ror r8,8 
+ mov DWORD PTR[4+r10*4+rdi],edx + add dl,bl + mov r8b,BYTE PTR[rdx*4+rdi] + add cl,al + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],eax + mov ebx,DWORD PTR[8+rsi*4+rdi] + ror r8,8 + mov DWORD PTR[8+r10*4+rdi],edx + add dl,al + mov r8b,BYTE PTR[rdx*4+rdi] + add cl,bl + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],ebx + mov eax,DWORD PTR[12+rsi*4+rdi] + ror r8,8 + mov DWORD PTR[12+r10*4+rdi],edx + add dl,bl + mov r8b,BYTE PTR[rdx*4+rdi] + add cl,al + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],eax + mov ebx,DWORD PTR[16+rsi*4+rdi] + ror r8,8 + mov DWORD PTR[16+r10*4+rdi],edx + add dl,al + mov r8b,BYTE PTR[rdx*4+rdi] + add cl,bl + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],ebx + mov eax,DWORD PTR[20+rsi*4+rdi] + ror r8,8 + mov DWORD PTR[20+r10*4+rdi],edx + add dl,bl + mov r8b,BYTE PTR[rdx*4+rdi] + add cl,al + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],eax + mov ebx,DWORD PTR[24+rsi*4+rdi] + ror r8,8 + mov DWORD PTR[24+r10*4+rdi],edx + add dl,al + mov r8b,BYTE PTR[rdx*4+rdi] + add sil,8 + add cl,bl + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],ebx + mov eax,DWORD PTR[((-4))+rsi*4+rdi] + ror r8,8 + mov DWORD PTR[28+r10*4+rdi],edx + add dl,bl + mov r8b,BYTE PTR[rdx*4+rdi] + add r10b,8 + ror r8,8 + sub r11,8 + + xor r8,QWORD PTR[r12] + mov QWORD PTR[r12*1+r13],r8 + lea r12,QWORD PTR[8+r12] + + test r11,-8 + jnz $L$oop8 + cmp r11,0 + jne $L$loop1 + jmp $L$exit + +ALIGN 16 +$L$intel:: + test r11,-32 + jz $L$loop1 + and rbx,15 + jz $L$oop16_is_hot + sub r11,rbx +$L$oop16_warmup:: + add cl,al + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],eax + mov DWORD PTR[r10*4+rdi],edx + add al,dl + inc r10b + mov edx,DWORD PTR[rax*4+rdi] + mov eax,DWORD PTR[r10*4+rdi] + xor dl,BYTE PTR[r12] + mov BYTE PTR[r12*1+r13],dl + lea r12,QWORD PTR[1+r12] + dec rbx + jnz $L$oop16_warmup + + mov rbx,rcx + xor rcx,rcx + mov cl,bl + +$L$oop16_is_hot:: + lea rsi,QWORD PTR[r10*4+rdi] + add cl,al + mov edx,DWORD 
PTR[rcx*4+rdi] + pxor xmm0,xmm0 + mov DWORD PTR[rcx*4+rdi],eax + add al,dl + mov ebx,DWORD PTR[4+rsi] + movzx eax,al + mov DWORD PTR[rsi],edx + add cl,bl + pinsrw xmm0,WORD PTR[rax*4+rdi],0 + jmp $L$oop16_enter +ALIGN 16 +$L$oop16:: + add cl,al + mov edx,DWORD PTR[rcx*4+rdi] + pxor xmm2,xmm0 + psllq xmm1,8 + pxor xmm0,xmm0 + mov DWORD PTR[rcx*4+rdi],eax + add al,dl + mov ebx,DWORD PTR[4+rsi] + movzx eax,al + mov DWORD PTR[rsi],edx + pxor xmm2,xmm1 + add cl,bl + pinsrw xmm0,WORD PTR[rax*4+rdi],0 + movdqu XMMWORD PTR[r12*1+r13],xmm2 + lea r12,QWORD PTR[16+r12] +$L$oop16_enter:: + mov edx,DWORD PTR[rcx*4+rdi] + pxor xmm1,xmm1 + mov DWORD PTR[rcx*4+rdi],ebx + add bl,dl + mov eax,DWORD PTR[8+rsi] + movzx ebx,bl + mov DWORD PTR[4+rsi],edx + add cl,al + pinsrw xmm1,WORD PTR[rbx*4+rdi],0 + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],eax + add al,dl + mov ebx,DWORD PTR[12+rsi] + movzx eax,al + mov DWORD PTR[8+rsi],edx + add cl,bl + pinsrw xmm0,WORD PTR[rax*4+rdi],1 + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],ebx + add bl,dl + mov eax,DWORD PTR[16+rsi] + movzx ebx,bl + mov DWORD PTR[12+rsi],edx + add cl,al + pinsrw xmm1,WORD PTR[rbx*4+rdi],1 + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],eax + add al,dl + mov ebx,DWORD PTR[20+rsi] + movzx eax,al + mov DWORD PTR[16+rsi],edx + add cl,bl + pinsrw xmm0,WORD PTR[rax*4+rdi],2 + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],ebx + add bl,dl + mov eax,DWORD PTR[24+rsi] + movzx ebx,bl + mov DWORD PTR[20+rsi],edx + add cl,al + pinsrw xmm1,WORD PTR[rbx*4+rdi],2 + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],eax + add al,dl + mov ebx,DWORD PTR[28+rsi] + movzx eax,al + mov DWORD PTR[24+rsi],edx + add cl,bl + pinsrw xmm0,WORD PTR[rax*4+rdi],3 + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],ebx + add bl,dl + mov eax,DWORD PTR[32+rsi] + movzx ebx,bl + mov DWORD PTR[28+rsi],edx + add cl,al + pinsrw xmm1,WORD PTR[rbx*4+rdi],3 + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD 
PTR[rcx*4+rdi],eax + add al,dl + mov ebx,DWORD PTR[36+rsi] + movzx eax,al + mov DWORD PTR[32+rsi],edx + add cl,bl + pinsrw xmm0,WORD PTR[rax*4+rdi],4 + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],ebx + add bl,dl + mov eax,DWORD PTR[40+rsi] + movzx ebx,bl + mov DWORD PTR[36+rsi],edx + add cl,al + pinsrw xmm1,WORD PTR[rbx*4+rdi],4 + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],eax + add al,dl + mov ebx,DWORD PTR[44+rsi] + movzx eax,al + mov DWORD PTR[40+rsi],edx + add cl,bl + pinsrw xmm0,WORD PTR[rax*4+rdi],5 + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],ebx + add bl,dl + mov eax,DWORD PTR[48+rsi] + movzx ebx,bl + mov DWORD PTR[44+rsi],edx + add cl,al + pinsrw xmm1,WORD PTR[rbx*4+rdi],5 + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],eax + add al,dl + mov ebx,DWORD PTR[52+rsi] + movzx eax,al + mov DWORD PTR[48+rsi],edx + add cl,bl + pinsrw xmm0,WORD PTR[rax*4+rdi],6 + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],ebx + add bl,dl + mov eax,DWORD PTR[56+rsi] + movzx ebx,bl + mov DWORD PTR[52+rsi],edx + add cl,al + pinsrw xmm1,WORD PTR[rbx*4+rdi],6 + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],eax + add al,dl + mov ebx,DWORD PTR[60+rsi] + movzx eax,al + mov DWORD PTR[56+rsi],edx + add cl,bl + pinsrw xmm0,WORD PTR[rax*4+rdi],7 + add r10b,16 + movdqu xmm2,XMMWORD PTR[r12] + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],ebx + add bl,dl + movzx ebx,bl + mov DWORD PTR[60+rsi],edx + lea rsi,QWORD PTR[r10*4+rdi] + pinsrw xmm1,WORD PTR[rbx*4+rdi],7 + mov eax,DWORD PTR[rsi] + mov rbx,rcx + xor rcx,rcx + sub r11,16 + mov cl,bl + test r11,-16 + jnz $L$oop16 + + psllq xmm1,8 + pxor xmm2,xmm0 + pxor xmm2,xmm1 + movdqu XMMWORD PTR[r12*1+r13],xmm2 + lea r12,QWORD PTR[16+r12] + + cmp r11,0 + jne $L$loop1 + jmp $L$exit + +ALIGN 16 +$L$loop1:: + add cl,al + mov edx,DWORD PTR[rcx*4+rdi] + mov DWORD PTR[rcx*4+rdi],eax + mov DWORD PTR[r10*4+rdi],edx + add al,dl + inc r10b + mov edx,DWORD PTR[rax*4+rdi] + mov 
eax,DWORD PTR[r10*4+rdi] + xor dl,BYTE PTR[r12] + mov BYTE PTR[r12*1+r13],dl + lea r12,QWORD PTR[1+r12] + dec r11 + jnz $L$loop1 + jmp $L$exit + +ALIGN 16 +$L$RC4_CHAR:: + add r10b,1 + movzx eax,BYTE PTR[r10*1+rdi] + test r11,-8 + jz $L$cloop1 + jmp $L$cloop8 +ALIGN 16 +$L$cloop8:: + mov r8d,DWORD PTR[r12] + mov r9d,DWORD PTR[4+r12] + add cl,al + lea rsi,QWORD PTR[1+r10] + movzx edx,BYTE PTR[rcx*1+rdi] + movzx esi,sil + movzx ebx,BYTE PTR[rsi*1+rdi] + mov BYTE PTR[rcx*1+rdi],al + cmp rcx,rsi + mov BYTE PTR[r10*1+rdi],dl + jne $L$cmov0 + mov rbx,rax +$L$cmov0:: + add dl,al + xor r8b,BYTE PTR[rdx*1+rdi] + ror r8d,8 + add cl,bl + lea r10,QWORD PTR[1+rsi] + movzx edx,BYTE PTR[rcx*1+rdi] + movzx r10d,r10b + movzx eax,BYTE PTR[r10*1+rdi] + mov BYTE PTR[rcx*1+rdi],bl + cmp rcx,r10 + mov BYTE PTR[rsi*1+rdi],dl + jne $L$cmov1 + mov rax,rbx +$L$cmov1:: + add dl,bl + xor r8b,BYTE PTR[rdx*1+rdi] + ror r8d,8 + add cl,al + lea rsi,QWORD PTR[1+r10] + movzx edx,BYTE PTR[rcx*1+rdi] + movzx esi,sil + movzx ebx,BYTE PTR[rsi*1+rdi] + mov BYTE PTR[rcx*1+rdi],al + cmp rcx,rsi + mov BYTE PTR[r10*1+rdi],dl + jne $L$cmov2 + mov rbx,rax +$L$cmov2:: + add dl,al + xor r8b,BYTE PTR[rdx*1+rdi] + ror r8d,8 + add cl,bl + lea r10,QWORD PTR[1+rsi] + movzx edx,BYTE PTR[rcx*1+rdi] + movzx r10d,r10b + movzx eax,BYTE PTR[r10*1+rdi] + mov BYTE PTR[rcx*1+rdi],bl + cmp rcx,r10 + mov BYTE PTR[rsi*1+rdi],dl + jne $L$cmov3 + mov rax,rbx +$L$cmov3:: + add dl,bl + xor r8b,BYTE PTR[rdx*1+rdi] + ror r8d,8 + add cl,al + lea rsi,QWORD PTR[1+r10] + movzx edx,BYTE PTR[rcx*1+rdi] + movzx esi,sil + movzx ebx,BYTE PTR[rsi*1+rdi] + mov BYTE PTR[rcx*1+rdi],al + cmp rcx,rsi + mov BYTE PTR[r10*1+rdi],dl + jne $L$cmov4 + mov rbx,rax +$L$cmov4:: + add dl,al + xor r9b,BYTE PTR[rdx*1+rdi] + ror r9d,8 + add cl,bl + lea r10,QWORD PTR[1+rsi] + movzx edx,BYTE PTR[rcx*1+rdi] + movzx r10d,r10b + movzx eax,BYTE PTR[r10*1+rdi] + mov BYTE PTR[rcx*1+rdi],bl + cmp rcx,r10 + mov BYTE PTR[rsi*1+rdi],dl + jne $L$cmov5 + mov rax,rbx 
+$L$cmov5:: + add dl,bl + xor r9b,BYTE PTR[rdx*1+rdi] + ror r9d,8 + add cl,al + lea rsi,QWORD PTR[1+r10] + movzx edx,BYTE PTR[rcx*1+rdi] + movzx esi,sil + movzx ebx,BYTE PTR[rsi*1+rdi] + mov BYTE PTR[rcx*1+rdi],al + cmp rcx,rsi + mov BYTE PTR[r10*1+rdi],dl + jne $L$cmov6 + mov rbx,rax +$L$cmov6:: + add dl,al + xor r9b,BYTE PTR[rdx*1+rdi] + ror r9d,8 + add cl,bl + lea r10,QWORD PTR[1+rsi] + movzx edx,BYTE PTR[rcx*1+rdi] + movzx r10d,r10b + movzx eax,BYTE PTR[r10*1+rdi] + mov BYTE PTR[rcx*1+rdi],bl + cmp rcx,r10 + mov BYTE PTR[rsi*1+rdi],dl + jne $L$cmov7 + mov rax,rbx +$L$cmov7:: + add dl,bl + xor r9b,BYTE PTR[rdx*1+rdi] + ror r9d,8 + lea r11,QWORD PTR[((-8))+r11] + mov DWORD PTR[r13],r8d + lea r12,QWORD PTR[8+r12] + mov DWORD PTR[4+r13],r9d + lea r13,QWORD PTR[8+r13] + + test r11,-8 + jnz $L$cloop8 + cmp r11,0 + jne $L$cloop1 + jmp $L$exit +ALIGN 16 +$L$cloop1:: + add cl,al + movzx ecx,cl + movzx edx,BYTE PTR[rcx*1+rdi] + mov BYTE PTR[rcx*1+rdi],al + mov BYTE PTR[r10*1+rdi],dl + add dl,al + add r10b,1 + movzx edx,dl + movzx r10d,r10b + movzx edx,BYTE PTR[rdx*1+rdi] + movzx eax,BYTE PTR[r10*1+rdi] + xor dl,BYTE PTR[r12] + lea r12,QWORD PTR[1+r12] + mov BYTE PTR[r13],dl + lea r13,QWORD PTR[1+r13] + sub r11,1 + jnz $L$cloop1 + jmp $L$exit + +ALIGN 16 +$L$exit:: + sub r10b,1 + mov DWORD PTR[((-8))+rdi],r10d + mov DWORD PTR[((-4))+rdi],ecx + + mov r13,QWORD PTR[rsp] + mov r12,QWORD PTR[8+rsp] + mov rbx,QWORD PTR[16+rsp] + add rsp,24 +$L$epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_RC4:: +RC4 ENDP +PUBLIC RC4_set_key + +ALIGN 16 +RC4_set_key PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_RC4_set_key:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + + + lea rdi,QWORD PTR[8+rdi] + lea rdx,QWORD PTR[rsi*1+rdx] + neg rsi + mov rcx,rsi + xor eax,eax + xor r9,r9 + xor r10,r10 + xor r11,r11 + + mov r8d,DWORD PTR[OPENSSL_ia32cap_P] + bt r8d,20 + jc 
$L$c1stloop + jmp $L$w1stloop + +ALIGN 16 +$L$w1stloop:: + mov DWORD PTR[rax*4+rdi],eax + add al,1 + jnc $L$w1stloop + + xor r9,r9 + xor r8,r8 +ALIGN 16 +$L$w2ndloop:: + mov r10d,DWORD PTR[r9*4+rdi] + add r8b,BYTE PTR[rsi*1+rdx] + add r8b,r10b + add rsi,1 + mov r11d,DWORD PTR[r8*4+rdi] + cmovz rsi,rcx + mov DWORD PTR[r8*4+rdi],r10d + mov DWORD PTR[r9*4+rdi],r11d + add r9b,1 + jnc $L$w2ndloop + jmp $L$exit_key + +ALIGN 16 +$L$c1stloop:: + mov BYTE PTR[rax*1+rdi],al + add al,1 + jnc $L$c1stloop + + xor r9,r9 + xor r8,r8 +ALIGN 16 +$L$c2ndloop:: + mov r10b,BYTE PTR[r9*1+rdi] + add r8b,BYTE PTR[rsi*1+rdx] + add r8b,r10b + add rsi,1 + mov r11b,BYTE PTR[r8*1+rdi] + jnz $L$cnowrap + mov rsi,rcx +$L$cnowrap:: + mov BYTE PTR[r8*1+rdi],r10b + mov BYTE PTR[r9*1+rdi],r11b + add r9b,1 + jnc $L$c2ndloop + mov DWORD PTR[256+rdi],-1 + +ALIGN 16 +$L$exit_key:: + xor eax,eax + mov DWORD PTR[((-8))+rdi],eax + mov DWORD PTR[((-4))+rdi],eax + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_RC4_set_key:: +RC4_set_key ENDP + +PUBLIC RC4_options + +ALIGN 16 +RC4_options PROC PUBLIC + lea rax,QWORD PTR[$L$opts] + mov edx,DWORD PTR[OPENSSL_ia32cap_P] + bt edx,20 + jc $L$8xchar + bt edx,30 + jnc $L$done + add rax,25 + DB 0F3h,0C3h ;repret +$L$8xchar:: + add rax,12 +$L$done:: + DB 0F3h,0C3h ;repret +ALIGN 64 +$L$opts:: +DB 114,99,52,40,56,120,44,105,110,116,41,0 +DB 114,99,52,40,56,120,44,99,104,97,114,41,0 +DB 114,99,52,40,49,54,120,44,105,110,116,41,0 +DB 82,67,52,32,102,111,114,32,120,56,54,95,54,52,44,32 +DB 67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97 +DB 112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103 +DB 62,0 +ALIGN 64 +RC4_options ENDP + +.text$ ENDS +END + diff --git a/crypto/rc4/rc4-md5-masm-x86_64.S b/crypto/rc4/rc4-md5-masm-x86_64.S new file mode 100644 index 0000000..3357567 --- /dev/null +++ b/crypto/rc4/rc4-md5-masm-x86_64.S 
@@ -0,0 +1,1347 @@ +; 1 "crypto/rc4/rc4-md5-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/rc4/rc4-md5-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/rc4/rc4-md5-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' +ALIGN 16 + +PUBLIC rc4_md5_enc + +rc4_md5_enc PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_rc4_md5_enc:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + mov r8,QWORD PTR[40+rsp] + mov r9,QWORD PTR[48+rsp] + + + cmp r9,0 + je $L$abort + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + sub rsp,40 +$L$body:: + mov r11,rcx + mov r12,r9 + mov r13,rsi + mov r14,rdx + mov r15,r8 + xor rbp,rbp + xor rcx,rcx + + lea rdi,QWORD PTR[8+rdi] + mov bpl,BYTE PTR[((-8))+rdi] + mov cl,BYTE PTR[((-4))+rdi] + + inc bpl + sub r14,r13 + mov eax,DWORD PTR[rbp*4+rdi] + add cl,al + lea rsi,QWORD PTR[rbp*4+rdi] + shl r12,6 + add r12,r15 + mov QWORD PTR[16+rsp],r12 + + mov QWORD PTR[24+rsp],r11 + mov r8d,DWORD PTR[r11] + mov r9d,DWORD PTR[4+r11] + mov r10d,DWORD PTR[8+r11] + mov r11d,DWORD PTR[12+r11] + jmp $L$oop + +ALIGN 16 +$L$oop:: + mov DWORD PTR[rsp],r8d + mov DWORD PTR[4+rsp],r9d + mov DWORD PTR[8+rsp],r10d + mov r12d,r11d + mov DWORD PTR[12+rsp],r11d + pxor xmm0,xmm0 + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r9d + add r8d,DWORD PTR[r15] + add al,dl + mov ebx,DWORD PTR[4+rsi] + add r8d,3614090360 + xor r12d,r11d + movzx eax,al + mov DWORD PTR[rsi],edx + add r8d,r12d + add cl,bl + rol r8d,7 + mov r12d,r10d + movd xmm0,DWORD PTR[rax*4+rdi] + + add r8d,r9d + pxor xmm1,xmm1 + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r8d + add r11d,DWORD PTR[4+r15] + add bl,dl + 
mov eax,DWORD PTR[8+rsi] + add r11d,3905402710 + xor r12d,r10d + movzx ebx,bl + mov DWORD PTR[4+rsi],edx + add r11d,r12d + add cl,al + rol r11d,12 + mov r12d,r9d + movd xmm1,DWORD PTR[rbx*4+rdi] + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r11d + add r10d,DWORD PTR[8+r15] + add al,dl + mov ebx,DWORD PTR[12+rsi] + add r10d,606105819 + xor r12d,r9d + movzx eax,al + mov DWORD PTR[8+rsi],edx + add r10d,r12d + add cl,bl + rol r10d,17 + mov r12d,r8d + pinsrw xmm0,WORD PTR[rax*4+rdi],1 + + add r10d,r11d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r10d + add r9d,DWORD PTR[12+r15] + add bl,dl + mov eax,DWORD PTR[16+rsi] + add r9d,3250441966 + xor r12d,r8d + movzx ebx,bl + mov DWORD PTR[12+rsi],edx + add r9d,r12d + add cl,al + rol r9d,22 + mov r12d,r11d + pinsrw xmm1,WORD PTR[rbx*4+rdi],1 + + add r9d,r10d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r9d + add r8d,DWORD PTR[16+r15] + add al,dl + mov ebx,DWORD PTR[20+rsi] + add r8d,4118548399 + xor r12d,r11d + movzx eax,al + mov DWORD PTR[16+rsi],edx + add r8d,r12d + add cl,bl + rol r8d,7 + mov r12d,r10d + pinsrw xmm0,WORD PTR[rax*4+rdi],2 + + add r8d,r9d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r8d + add r11d,DWORD PTR[20+r15] + add bl,dl + mov eax,DWORD PTR[24+rsi] + add r11d,1200080426 + xor r12d,r10d + movzx ebx,bl + mov DWORD PTR[20+rsi],edx + add r11d,r12d + add cl,al + rol r11d,12 + mov r12d,r9d + pinsrw xmm1,WORD PTR[rbx*4+rdi],2 + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r11d + add r10d,DWORD PTR[24+r15] + add al,dl + mov ebx,DWORD PTR[28+rsi] + add r10d,2821735955 + xor r12d,r9d + movzx eax,al + mov DWORD PTR[24+rsi],edx + add r10d,r12d + add cl,bl + rol r10d,17 + mov r12d,r8d + pinsrw xmm0,WORD PTR[rax*4+rdi],3 + + add r10d,r11d + mov edx,DWORD PTR[rcx*4+rdi] + 
xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r10d + add r9d,DWORD PTR[28+r15] + add bl,dl + mov eax,DWORD PTR[32+rsi] + add r9d,4249261313 + xor r12d,r8d + movzx ebx,bl + mov DWORD PTR[28+rsi],edx + add r9d,r12d + add cl,al + rol r9d,22 + mov r12d,r11d + pinsrw xmm1,WORD PTR[rbx*4+rdi],3 + + add r9d,r10d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r9d + add r8d,DWORD PTR[32+r15] + add al,dl + mov ebx,DWORD PTR[36+rsi] + add r8d,1770035416 + xor r12d,r11d + movzx eax,al + mov DWORD PTR[32+rsi],edx + add r8d,r12d + add cl,bl + rol r8d,7 + mov r12d,r10d + pinsrw xmm0,WORD PTR[rax*4+rdi],4 + + add r8d,r9d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r8d + add r11d,DWORD PTR[36+r15] + add bl,dl + mov eax,DWORD PTR[40+rsi] + add r11d,2336552879 + xor r12d,r10d + movzx ebx,bl + mov DWORD PTR[36+rsi],edx + add r11d,r12d + add cl,al + rol r11d,12 + mov r12d,r9d + pinsrw xmm1,WORD PTR[rbx*4+rdi],4 + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r11d + add r10d,DWORD PTR[40+r15] + add al,dl + mov ebx,DWORD PTR[44+rsi] + add r10d,4294925233 + xor r12d,r9d + movzx eax,al + mov DWORD PTR[40+rsi],edx + add r10d,r12d + add cl,bl + rol r10d,17 + mov r12d,r8d + pinsrw xmm0,WORD PTR[rax*4+rdi],5 + + add r10d,r11d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r10d + add r9d,DWORD PTR[44+r15] + add bl,dl + mov eax,DWORD PTR[48+rsi] + add r9d,2304563134 + xor r12d,r8d + movzx ebx,bl + mov DWORD PTR[44+rsi],edx + add r9d,r12d + add cl,al + rol r9d,22 + mov r12d,r11d + pinsrw xmm1,WORD PTR[rbx*4+rdi],5 + + add r9d,r10d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r9d + add r8d,DWORD PTR[48+r15] + add al,dl + mov ebx,DWORD PTR[52+rsi] + add r8d,1804603682 + xor r12d,r11d + movzx eax,al + mov DWORD PTR[48+rsi],edx + add r8d,r12d + add cl,bl + rol r8d,7 
+ mov r12d,r10d + pinsrw xmm0,WORD PTR[rax*4+rdi],6 + + add r8d,r9d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r8d + add r11d,DWORD PTR[52+r15] + add bl,dl + mov eax,DWORD PTR[56+rsi] + add r11d,4254626195 + xor r12d,r10d + movzx ebx,bl + mov DWORD PTR[52+rsi],edx + add r11d,r12d + add cl,al + rol r11d,12 + mov r12d,r9d + pinsrw xmm1,WORD PTR[rbx*4+rdi],6 + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r11d + add r10d,DWORD PTR[56+r15] + add al,dl + mov ebx,DWORD PTR[60+rsi] + add r10d,2792965006 + xor r12d,r9d + movzx eax,al + mov DWORD PTR[56+rsi],edx + add r10d,r12d + add cl,bl + rol r10d,17 + mov r12d,r8d + pinsrw xmm0,WORD PTR[rax*4+rdi],7 + + add r10d,r11d + movdqu xmm2,XMMWORD PTR[r13] + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r10d + add r9d,DWORD PTR[60+r15] + add bl,dl + mov eax,DWORD PTR[64+rsi] + add r9d,1236535329 + xor r12d,r8d + movzx ebx,bl + mov DWORD PTR[60+rsi],edx + add r9d,r12d + add cl,al + rol r9d,22 + mov r12d,r10d + pinsrw xmm1,WORD PTR[rbx*4+rdi],7 + + add r9d,r10d + psllq xmm1,8 + pxor xmm2,xmm0 + pxor xmm2,xmm1 + pxor xmm0,xmm0 + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r11d + add r8d,DWORD PTR[4+r15] + add al,dl + mov ebx,DWORD PTR[68+rsi] + add r8d,4129170786 + xor r12d,r10d + movzx eax,al + mov DWORD PTR[64+rsi],edx + add r8d,r12d + add cl,bl + rol r8d,5 + mov r12d,r9d + movd xmm0,DWORD PTR[rax*4+rdi] + + add r8d,r9d + pxor xmm1,xmm1 + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r10d + add r11d,DWORD PTR[24+r15] + add bl,dl + mov eax,DWORD PTR[72+rsi] + add r11d,3225465664 + xor r12d,r9d + movzx ebx,bl + mov DWORD PTR[68+rsi],edx + add r11d,r12d + add cl,al + rol r11d,9 + mov r12d,r8d + movd xmm1,DWORD PTR[rbx*4+rdi] + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD 
PTR[rcx*4+rdi],eax + and r12d,r9d + add r10d,DWORD PTR[44+r15] + add al,dl + mov ebx,DWORD PTR[76+rsi] + add r10d,643717713 + xor r12d,r8d + movzx eax,al + mov DWORD PTR[72+rsi],edx + add r10d,r12d + add cl,bl + rol r10d,14 + mov r12d,r11d + pinsrw xmm0,WORD PTR[rax*4+rdi],1 + + add r10d,r11d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r8d + add r9d,DWORD PTR[r15] + add bl,dl + mov eax,DWORD PTR[80+rsi] + add r9d,3921069994 + xor r12d,r11d + movzx ebx,bl + mov DWORD PTR[76+rsi],edx + add r9d,r12d + add cl,al + rol r9d,20 + mov r12d,r10d + pinsrw xmm1,WORD PTR[rbx*4+rdi],1 + + add r9d,r10d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r11d + add r8d,DWORD PTR[20+r15] + add al,dl + mov ebx,DWORD PTR[84+rsi] + add r8d,3593408605 + xor r12d,r10d + movzx eax,al + mov DWORD PTR[80+rsi],edx + add r8d,r12d + add cl,bl + rol r8d,5 + mov r12d,r9d + pinsrw xmm0,WORD PTR[rax*4+rdi],2 + + add r8d,r9d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r10d + add r11d,DWORD PTR[40+r15] + add bl,dl + mov eax,DWORD PTR[88+rsi] + add r11d,38016083 + xor r12d,r9d + movzx ebx,bl + mov DWORD PTR[84+rsi],edx + add r11d,r12d + add cl,al + rol r11d,9 + mov r12d,r8d + pinsrw xmm1,WORD PTR[rbx*4+rdi],2 + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r9d + add r10d,DWORD PTR[60+r15] + add al,dl + mov ebx,DWORD PTR[92+rsi] + add r10d,3634488961 + xor r12d,r8d + movzx eax,al + mov DWORD PTR[88+rsi],edx + add r10d,r12d + add cl,bl + rol r10d,14 + mov r12d,r11d + pinsrw xmm0,WORD PTR[rax*4+rdi],3 + + add r10d,r11d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r8d + add r9d,DWORD PTR[16+r15] + add bl,dl + mov eax,DWORD PTR[96+rsi] + add r9d,3889429448 + xor r12d,r11d + movzx ebx,bl + mov DWORD PTR[92+rsi],edx + add r9d,r12d + add cl,al + rol r9d,20 + mov r12d,r10d + pinsrw 
xmm1,WORD PTR[rbx*4+rdi],3 + + add r9d,r10d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r11d + add r8d,DWORD PTR[36+r15] + add al,dl + mov ebx,DWORD PTR[100+rsi] + add r8d,568446438 + xor r12d,r10d + movzx eax,al + mov DWORD PTR[96+rsi],edx + add r8d,r12d + add cl,bl + rol r8d,5 + mov r12d,r9d + pinsrw xmm0,WORD PTR[rax*4+rdi],4 + + add r8d,r9d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r10d + add r11d,DWORD PTR[56+r15] + add bl,dl + mov eax,DWORD PTR[104+rsi] + add r11d,3275163606 + xor r12d,r9d + movzx ebx,bl + mov DWORD PTR[100+rsi],edx + add r11d,r12d + add cl,al + rol r11d,9 + mov r12d,r8d + pinsrw xmm1,WORD PTR[rbx*4+rdi],4 + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r9d + add r10d,DWORD PTR[12+r15] + add al,dl + mov ebx,DWORD PTR[108+rsi] + add r10d,4107603335 + xor r12d,r8d + movzx eax,al + mov DWORD PTR[104+rsi],edx + add r10d,r12d + add cl,bl + rol r10d,14 + mov r12d,r11d + pinsrw xmm0,WORD PTR[rax*4+rdi],5 + + add r10d,r11d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r8d + add r9d,DWORD PTR[32+r15] + add bl,dl + mov eax,DWORD PTR[112+rsi] + add r9d,1163531501 + xor r12d,r11d + movzx ebx,bl + mov DWORD PTR[108+rsi],edx + add r9d,r12d + add cl,al + rol r9d,20 + mov r12d,r10d + pinsrw xmm1,WORD PTR[rbx*4+rdi],5 + + add r9d,r10d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r11d + add r8d,DWORD PTR[52+r15] + add al,dl + mov ebx,DWORD PTR[116+rsi] + add r8d,2850285829 + xor r12d,r10d + movzx eax,al + mov DWORD PTR[112+rsi],edx + add r8d,r12d + add cl,bl + rol r8d,5 + mov r12d,r9d + pinsrw xmm0,WORD PTR[rax*4+rdi],6 + + add r8d,r9d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r10d + add r11d,DWORD PTR[8+r15] + add bl,dl + mov eax,DWORD PTR[120+rsi] + add r11d,4243563512 + xor r12d,r9d 
+ movzx ebx,bl + mov DWORD PTR[116+rsi],edx + add r11d,r12d + add cl,al + rol r11d,9 + mov r12d,r8d + pinsrw xmm1,WORD PTR[rbx*4+rdi],6 + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],eax + and r12d,r9d + add r10d,DWORD PTR[28+r15] + add al,dl + mov ebx,DWORD PTR[124+rsi] + add r10d,1735328473 + xor r12d,r8d + movzx eax,al + mov DWORD PTR[120+rsi],edx + add r10d,r12d + add cl,bl + rol r10d,14 + mov r12d,r11d + pinsrw xmm0,WORD PTR[rax*4+rdi],7 + + add r10d,r11d + movdqu xmm3,XMMWORD PTR[16+r13] + add bpl,32 + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],ebx + and r12d,r8d + add r9d,DWORD PTR[48+r15] + add bl,dl + mov eax,DWORD PTR[rbp*4+rdi] + add r9d,2368359562 + xor r12d,r11d + movzx ebx,bl + mov DWORD PTR[124+rsi],edx + add r9d,r12d + add cl,al + rol r9d,20 + mov r12d,r11d + pinsrw xmm1,WORD PTR[rbx*4+rdi],7 + + add r9d,r10d + mov rsi,rcx + xor rcx,rcx + mov cl,sil + lea rsi,QWORD PTR[rbp*4+rdi] + psllq xmm1,8 + pxor xmm3,xmm0 + pxor xmm3,xmm1 + pxor xmm0,xmm0 + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],eax + xor r12d,r9d + add r8d,DWORD PTR[20+r15] + add al,dl + mov ebx,DWORD PTR[4+rsi] + add r8d,4294588738 + movzx eax,al + add r8d,r12d + mov DWORD PTR[rsi],edx + add cl,bl + rol r8d,4 + mov r12d,r10d + movd xmm0,DWORD PTR[rax*4+rdi] + + add r8d,r9d + pxor xmm1,xmm1 + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],ebx + xor r12d,r8d + add r11d,DWORD PTR[32+r15] + add bl,dl + mov eax,DWORD PTR[8+rsi] + add r11d,2272392833 + movzx ebx,bl + add r11d,r12d + mov DWORD PTR[4+rsi],edx + add cl,al + rol r11d,11 + mov r12d,r9d + movd xmm1,DWORD PTR[rbx*4+rdi] + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],eax + xor r12d,r11d + add r10d,DWORD PTR[44+r15] + add al,dl + mov ebx,DWORD PTR[12+rsi] + add r10d,1839030562 + movzx eax,al + add r10d,r12d + mov DWORD PTR[8+rsi],edx + add cl,bl + rol r10d,16 + mov 
r12d,r8d + pinsrw xmm0,WORD PTR[rax*4+rdi],1 + + add r10d,r11d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],ebx + xor r12d,r10d + add r9d,DWORD PTR[56+r15] + add bl,dl + mov eax,DWORD PTR[16+rsi] + add r9d,4259657740 + movzx ebx,bl + add r9d,r12d + mov DWORD PTR[12+rsi],edx + add cl,al + rol r9d,23 + mov r12d,r11d + pinsrw xmm1,WORD PTR[rbx*4+rdi],1 + + add r9d,r10d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],eax + xor r12d,r9d + add r8d,DWORD PTR[4+r15] + add al,dl + mov ebx,DWORD PTR[20+rsi] + add r8d,2763975236 + movzx eax,al + add r8d,r12d + mov DWORD PTR[16+rsi],edx + add cl,bl + rol r8d,4 + mov r12d,r10d + pinsrw xmm0,WORD PTR[rax*4+rdi],2 + + add r8d,r9d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],ebx + xor r12d,r8d + add r11d,DWORD PTR[16+r15] + add bl,dl + mov eax,DWORD PTR[24+rsi] + add r11d,1272893353 + movzx ebx,bl + add r11d,r12d + mov DWORD PTR[20+rsi],edx + add cl,al + rol r11d,11 + mov r12d,r9d + pinsrw xmm1,WORD PTR[rbx*4+rdi],2 + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],eax + xor r12d,r11d + add r10d,DWORD PTR[28+r15] + add al,dl + mov ebx,DWORD PTR[28+rsi] + add r10d,4139469664 + movzx eax,al + add r10d,r12d + mov DWORD PTR[24+rsi],edx + add cl,bl + rol r10d,16 + mov r12d,r8d + pinsrw xmm0,WORD PTR[rax*4+rdi],3 + + add r10d,r11d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],ebx + xor r12d,r10d + add r9d,DWORD PTR[40+r15] + add bl,dl + mov eax,DWORD PTR[32+rsi] + add r9d,3200236656 + movzx ebx,bl + add r9d,r12d + mov DWORD PTR[28+rsi],edx + add cl,al + rol r9d,23 + mov r12d,r11d + pinsrw xmm1,WORD PTR[rbx*4+rdi],3 + + add r9d,r10d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],eax + xor r12d,r9d + add r8d,DWORD PTR[52+r15] + add al,dl + mov ebx,DWORD PTR[36+rsi] + add r8d,681279174 + movzx eax,al + add r8d,r12d + mov DWORD PTR[32+rsi],edx + add cl,bl + rol 
r8d,4 + mov r12d,r10d + pinsrw xmm0,WORD PTR[rax*4+rdi],4 + + add r8d,r9d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],ebx + xor r12d,r8d + add r11d,DWORD PTR[r15] + add bl,dl + mov eax,DWORD PTR[40+rsi] + add r11d,3936430074 + movzx ebx,bl + add r11d,r12d + mov DWORD PTR[36+rsi],edx + add cl,al + rol r11d,11 + mov r12d,r9d + pinsrw xmm1,WORD PTR[rbx*4+rdi],4 + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],eax + xor r12d,r11d + add r10d,DWORD PTR[12+r15] + add al,dl + mov ebx,DWORD PTR[44+rsi] + add r10d,3572445317 + movzx eax,al + add r10d,r12d + mov DWORD PTR[40+rsi],edx + add cl,bl + rol r10d,16 + mov r12d,r8d + pinsrw xmm0,WORD PTR[rax*4+rdi],5 + + add r10d,r11d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],ebx + xor r12d,r10d + add r9d,DWORD PTR[24+r15] + add bl,dl + mov eax,DWORD PTR[48+rsi] + add r9d,76029189 + movzx ebx,bl + add r9d,r12d + mov DWORD PTR[44+rsi],edx + add cl,al + rol r9d,23 + mov r12d,r11d + pinsrw xmm1,WORD PTR[rbx*4+rdi],5 + + add r9d,r10d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],eax + xor r12d,r9d + add r8d,DWORD PTR[36+r15] + add al,dl + mov ebx,DWORD PTR[52+rsi] + add r8d,3654602809 + movzx eax,al + add r8d,r12d + mov DWORD PTR[48+rsi],edx + add cl,bl + rol r8d,4 + mov r12d,r10d + pinsrw xmm0,WORD PTR[rax*4+rdi],6 + + add r8d,r9d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],ebx + xor r12d,r8d + add r11d,DWORD PTR[48+r15] + add bl,dl + mov eax,DWORD PTR[56+rsi] + add r11d,3873151461 + movzx ebx,bl + add r11d,r12d + mov DWORD PTR[52+rsi],edx + add cl,al + rol r11d,11 + mov r12d,r9d + pinsrw xmm1,WORD PTR[rbx*4+rdi],6 + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],eax + xor r12d,r11d + add r10d,DWORD PTR[60+r15] + add al,dl + mov ebx,DWORD PTR[60+rsi] + add r10d,530742520 + movzx eax,al + add r10d,r12d + mov DWORD PTR[56+rsi],edx + add cl,bl 
+ rol r10d,16 + mov r12d,r8d + pinsrw xmm0,WORD PTR[rax*4+rdi],7 + + add r10d,r11d + movdqu xmm4,XMMWORD PTR[32+r13] + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],ebx + xor r12d,r10d + add r9d,DWORD PTR[8+r15] + add bl,dl + mov eax,DWORD PTR[64+rsi] + add r9d,3299628645 + movzx ebx,bl + add r9d,r12d + mov DWORD PTR[60+rsi],edx + add cl,al + rol r9d,23 + mov r12d,-1 + pinsrw xmm1,WORD PTR[rbx*4+rdi],7 + + add r9d,r10d + psllq xmm1,8 + pxor xmm4,xmm0 + pxor xmm4,xmm1 + pxor xmm0,xmm0 + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],eax + or r12d,r9d + add r8d,DWORD PTR[r15] + add al,dl + mov ebx,DWORD PTR[68+rsi] + add r8d,4096336452 + movzx eax,al + xor r12d,r10d + mov DWORD PTR[64+rsi],edx + add r8d,r12d + add cl,bl + rol r8d,6 + mov r12d,-1 + movd xmm0,DWORD PTR[rax*4+rdi] + + add r8d,r9d + pxor xmm1,xmm1 + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],ebx + or r12d,r8d + add r11d,DWORD PTR[28+r15] + add bl,dl + mov eax,DWORD PTR[72+rsi] + add r11d,1126891415 + movzx ebx,bl + xor r12d,r9d + mov DWORD PTR[68+rsi],edx + add r11d,r12d + add cl,al + rol r11d,10 + mov r12d,-1 + movd xmm1,DWORD PTR[rbx*4+rdi] + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],eax + or r12d,r11d + add r10d,DWORD PTR[56+r15] + add al,dl + mov ebx,DWORD PTR[76+rsi] + add r10d,2878612391 + movzx eax,al + xor r12d,r8d + mov DWORD PTR[72+rsi],edx + add r10d,r12d + add cl,bl + rol r10d,15 + mov r12d,-1 + pinsrw xmm0,WORD PTR[rax*4+rdi],1 + + add r10d,r11d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],ebx + or r12d,r10d + add r9d,DWORD PTR[20+r15] + add bl,dl + mov eax,DWORD PTR[80+rsi] + add r9d,4237533241 + movzx ebx,bl + xor r12d,r11d + mov DWORD PTR[76+rsi],edx + add r9d,r12d + add cl,al + rol r9d,21 + mov r12d,-1 + pinsrw xmm1,WORD PTR[rbx*4+rdi],1 + + add r9d,r10d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],eax + or 
r12d,r9d + add r8d,DWORD PTR[48+r15] + add al,dl + mov ebx,DWORD PTR[84+rsi] + add r8d,1700485571 + movzx eax,al + xor r12d,r10d + mov DWORD PTR[80+rsi],edx + add r8d,r12d + add cl,bl + rol r8d,6 + mov r12d,-1 + pinsrw xmm0,WORD PTR[rax*4+rdi],2 + + add r8d,r9d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],ebx + or r12d,r8d + add r11d,DWORD PTR[12+r15] + add bl,dl + mov eax,DWORD PTR[88+rsi] + add r11d,2399980690 + movzx ebx,bl + xor r12d,r9d + mov DWORD PTR[84+rsi],edx + add r11d,r12d + add cl,al + rol r11d,10 + mov r12d,-1 + pinsrw xmm1,WORD PTR[rbx*4+rdi],2 + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],eax + or r12d,r11d + add r10d,DWORD PTR[40+r15] + add al,dl + mov ebx,DWORD PTR[92+rsi] + add r10d,4293915773 + movzx eax,al + xor r12d,r8d + mov DWORD PTR[88+rsi],edx + add r10d,r12d + add cl,bl + rol r10d,15 + mov r12d,-1 + pinsrw xmm0,WORD PTR[rax*4+rdi],3 + + add r10d,r11d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],ebx + or r12d,r10d + add r9d,DWORD PTR[4+r15] + add bl,dl + mov eax,DWORD PTR[96+rsi] + add r9d,2240044497 + movzx ebx,bl + xor r12d,r11d + mov DWORD PTR[92+rsi],edx + add r9d,r12d + add cl,al + rol r9d,21 + mov r12d,-1 + pinsrw xmm1,WORD PTR[rbx*4+rdi],3 + + add r9d,r10d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],eax + or r12d,r9d + add r8d,DWORD PTR[32+r15] + add al,dl + mov ebx,DWORD PTR[100+rsi] + add r8d,1873313359 + movzx eax,al + xor r12d,r10d + mov DWORD PTR[96+rsi],edx + add r8d,r12d + add cl,bl + rol r8d,6 + mov r12d,-1 + pinsrw xmm0,WORD PTR[rax*4+rdi],4 + + add r8d,r9d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],ebx + or r12d,r8d + add r11d,DWORD PTR[60+r15] + add bl,dl + mov eax,DWORD PTR[104+rsi] + add r11d,4264355552 + movzx ebx,bl + xor r12d,r9d + mov DWORD PTR[100+rsi],edx + add r11d,r12d + add cl,al + rol r11d,10 + mov r12d,-1 + pinsrw xmm1,WORD PTR[rbx*4+rdi],4 + + add 
r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],eax + or r12d,r11d + add r10d,DWORD PTR[24+r15] + add al,dl + mov ebx,DWORD PTR[108+rsi] + add r10d,2734768916 + movzx eax,al + xor r12d,r8d + mov DWORD PTR[104+rsi],edx + add r10d,r12d + add cl,bl + rol r10d,15 + mov r12d,-1 + pinsrw xmm0,WORD PTR[rax*4+rdi],5 + + add r10d,r11d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],ebx + or r12d,r10d + add r9d,DWORD PTR[52+r15] + add bl,dl + mov eax,DWORD PTR[112+rsi] + add r9d,1309151649 + movzx ebx,bl + xor r12d,r11d + mov DWORD PTR[108+rsi],edx + add r9d,r12d + add cl,al + rol r9d,21 + mov r12d,-1 + pinsrw xmm1,WORD PTR[rbx*4+rdi],5 + + add r9d,r10d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r11d + mov DWORD PTR[rcx*4+rdi],eax + or r12d,r9d + add r8d,DWORD PTR[16+r15] + add al,dl + mov ebx,DWORD PTR[116+rsi] + add r8d,4149444226 + movzx eax,al + xor r12d,r10d + mov DWORD PTR[112+rsi],edx + add r8d,r12d + add cl,bl + rol r8d,6 + mov r12d,-1 + pinsrw xmm0,WORD PTR[rax*4+rdi],6 + + add r8d,r9d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r10d + mov DWORD PTR[rcx*4+rdi],ebx + or r12d,r8d + add r11d,DWORD PTR[44+r15] + add bl,dl + mov eax,DWORD PTR[120+rsi] + add r11d,3174756917 + movzx ebx,bl + xor r12d,r9d + mov DWORD PTR[116+rsi],edx + add r11d,r12d + add cl,al + rol r11d,10 + mov r12d,-1 + pinsrw xmm1,WORD PTR[rbx*4+rdi],6 + + add r11d,r8d + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r9d + mov DWORD PTR[rcx*4+rdi],eax + or r12d,r11d + add r10d,DWORD PTR[8+r15] + add al,dl + mov ebx,DWORD PTR[124+rsi] + add r10d,718787259 + movzx eax,al + xor r12d,r8d + mov DWORD PTR[120+rsi],edx + add r10d,r12d + add cl,bl + rol r10d,15 + mov r12d,-1 + pinsrw xmm0,WORD PTR[rax*4+rdi],7 + + add r10d,r11d + movdqu xmm5,XMMWORD PTR[48+r13] + add bpl,32 + mov edx,DWORD PTR[rcx*4+rdi] + xor r12d,r8d + mov DWORD PTR[rcx*4+rdi],ebx + or r12d,r10d + add r9d,DWORD PTR[36+r15] + add bl,dl + mov eax,DWORD PTR[rbp*4+rdi] + add r9d,3951481745 + movzx 
ebx,bl + xor r12d,r11d + mov DWORD PTR[124+rsi],edx + add r9d,r12d + add cl,al + rol r9d,21 + mov r12d,-1 + pinsrw xmm1,WORD PTR[rbx*4+rdi],7 + + add r9d,r10d + mov rsi,rbp + xor rbp,rbp + mov bpl,sil + mov rsi,rcx + xor rcx,rcx + mov cl,sil + lea rsi,QWORD PTR[rbp*4+rdi] + psllq xmm1,8 + pxor xmm5,xmm0 + pxor xmm5,xmm1 + add r8d,DWORD PTR[rsp] + add r9d,DWORD PTR[4+rsp] + add r10d,DWORD PTR[8+rsp] + add r11d,DWORD PTR[12+rsp] + + movdqu XMMWORD PTR[r13*1+r14],xmm2 + movdqu XMMWORD PTR[16+r13*1+r14],xmm3 + movdqu XMMWORD PTR[32+r13*1+r14],xmm4 + movdqu XMMWORD PTR[48+r13*1+r14],xmm5 + lea r15,QWORD PTR[64+r15] + lea r13,QWORD PTR[64+r13] + cmp r15,QWORD PTR[16+rsp] + jb $L$oop + + mov r12,QWORD PTR[24+rsp] + sub cl,al + mov DWORD PTR[r12],r8d + mov DWORD PTR[4+r12],r9d + mov DWORD PTR[8+r12],r10d + mov DWORD PTR[12+r12],r11d + sub bpl,1 + mov DWORD PTR[((-8))+rdi],ebp + mov DWORD PTR[((-4))+rdi],ecx + + mov r15,QWORD PTR[40+rsp] + mov r14,QWORD PTR[48+rsp] + mov r13,QWORD PTR[56+rsp] + mov r12,QWORD PTR[64+rsp] + mov rbp,QWORD PTR[72+rsp] + mov rbx,QWORD PTR[80+rsp] + lea rsp,QWORD PTR[88+rsp] +$L$epilogue:: +$L$abort:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_rc4_md5_enc:: +rc4_md5_enc ENDP + +.text$ ENDS +END + diff --git a/crypto/rc4/rc4-md5-mingw64-x86_64.S b/crypto/rc4/rc4-md5-mingw64-x86_64.S new file mode 100644 index 0000000..e11d314 --- /dev/null +++ b/crypto/rc4/rc4-md5-mingw64-x86_64.S 
@@ -0,0 +1,1273 @@ +#include "x86_arch.h" +.text +.p2align 4 + +.globl rc4_md5_enc +.def rc4_md5_enc; .scl 2; .type 32; .endef +rc4_md5_enc: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_rc4_md5_enc: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + movq 40(%rsp),%r8 + movq 48(%rsp),%r9 + + cmpq $0,%r9 + je .Labort + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + subq $40,%rsp +.Lbody: + movq %rcx,%r11 + movq %r9,%r12 + movq %rsi,%r13 + movq %rdx,%r14 + movq %r8,%r15 + xorq %rbp,%rbp + xorq %rcx,%rcx + + leaq 8(%rdi),%rdi + movb -8(%rdi),%bpl + movb -4(%rdi),%cl + + incb %bpl + subq %r13,%r14 + movl (%rdi,%rbp,4),%eax + addb %al,%cl + leaq (%rdi,%rbp,4),%rsi + shlq $6,%r12 + addq %r15,%r12 + movq %r12,16(%rsp) + + movq %r11,24(%rsp) + movl 0(%r11),%r8d + movl 4(%r11),%r9d + movl 8(%r11),%r10d + movl 12(%r11),%r11d + jmp .Loop + +.p2align 4 +.Loop: + movl %r8d,0(%rsp) + movl %r9d,4(%rsp) + movl %r10d,8(%rsp) + movl %r11d,%r12d + movl %r11d,12(%rsp) + pxor %xmm0,%xmm0 + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r9d,%r12d + addl 0(%r15),%r8d + addb %dl,%al + movl 4(%rsi),%ebx + addl $3614090360,%r8d + xorl %r11d,%r12d + movzbl %al,%eax + movl %edx,0(%rsi) + addl %r12d,%r8d + addb %bl,%cl + roll $7,%r8d + movl %r10d,%r12d + movd (%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + pxor %xmm1,%xmm1 + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r8d,%r12d + addl 4(%r15),%r11d + addb %dl,%bl + movl 8(%rsi),%eax + addl $3905402710,%r11d + xorl %r10d,%r12d + movzbl %bl,%ebx + movl %edx,4(%rsi) + addl %r12d,%r11d + addb %al,%cl + roll $12,%r11d + movl %r9d,%r12d + movd (%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r11d,%r12d + addl 8(%r15),%r10d + addb %dl,%al + movl 12(%rsi),%ebx + addl $606105819,%r10d + xorl %r9d,%r12d + movzbl %al,%eax + movl %edx,8(%rsi) + addl %r12d,%r10d 
+ addb %bl,%cl + roll $17,%r10d + movl %r8d,%r12d + pinsrw $1,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r10d,%r12d + addl 12(%r15),%r9d + addb %dl,%bl + movl 16(%rsi),%eax + addl $3250441966,%r9d + xorl %r8d,%r12d + movzbl %bl,%ebx + movl %edx,12(%rsi) + addl %r12d,%r9d + addb %al,%cl + roll $22,%r9d + movl %r11d,%r12d + pinsrw $1,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r9d,%r12d + addl 16(%r15),%r8d + addb %dl,%al + movl 20(%rsi),%ebx + addl $4118548399,%r8d + xorl %r11d,%r12d + movzbl %al,%eax + movl %edx,16(%rsi) + addl %r12d,%r8d + addb %bl,%cl + roll $7,%r8d + movl %r10d,%r12d + pinsrw $2,(%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r8d,%r12d + addl 20(%r15),%r11d + addb %dl,%bl + movl 24(%rsi),%eax + addl $1200080426,%r11d + xorl %r10d,%r12d + movzbl %bl,%ebx + movl %edx,20(%rsi) + addl %r12d,%r11d + addb %al,%cl + roll $12,%r11d + movl %r9d,%r12d + pinsrw $2,(%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r11d,%r12d + addl 24(%r15),%r10d + addb %dl,%al + movl 28(%rsi),%ebx + addl $2821735955,%r10d + xorl %r9d,%r12d + movzbl %al,%eax + movl %edx,24(%rsi) + addl %r12d,%r10d + addb %bl,%cl + roll $17,%r10d + movl %r8d,%r12d + pinsrw $3,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r10d,%r12d + addl 28(%r15),%r9d + addb %dl,%bl + movl 32(%rsi),%eax + addl $4249261313,%r9d + xorl %r8d,%r12d + movzbl %bl,%ebx + movl %edx,28(%rsi) + addl %r12d,%r9d + addb %al,%cl + roll $22,%r9d + movl %r11d,%r12d + pinsrw $3,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r9d,%r12d + addl 32(%r15),%r8d + addb %dl,%al + movl 36(%rsi),%ebx + addl 
$1770035416,%r8d + xorl %r11d,%r12d + movzbl %al,%eax + movl %edx,32(%rsi) + addl %r12d,%r8d + addb %bl,%cl + roll $7,%r8d + movl %r10d,%r12d + pinsrw $4,(%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r8d,%r12d + addl 36(%r15),%r11d + addb %dl,%bl + movl 40(%rsi),%eax + addl $2336552879,%r11d + xorl %r10d,%r12d + movzbl %bl,%ebx + movl %edx,36(%rsi) + addl %r12d,%r11d + addb %al,%cl + roll $12,%r11d + movl %r9d,%r12d + pinsrw $4,(%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r11d,%r12d + addl 40(%r15),%r10d + addb %dl,%al + movl 44(%rsi),%ebx + addl $4294925233,%r10d + xorl %r9d,%r12d + movzbl %al,%eax + movl %edx,40(%rsi) + addl %r12d,%r10d + addb %bl,%cl + roll $17,%r10d + movl %r8d,%r12d + pinsrw $5,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r10d,%r12d + addl 44(%r15),%r9d + addb %dl,%bl + movl 48(%rsi),%eax + addl $2304563134,%r9d + xorl %r8d,%r12d + movzbl %bl,%ebx + movl %edx,44(%rsi) + addl %r12d,%r9d + addb %al,%cl + roll $22,%r9d + movl %r11d,%r12d + pinsrw $5,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r9d,%r12d + addl 48(%r15),%r8d + addb %dl,%al + movl 52(%rsi),%ebx + addl $1804603682,%r8d + xorl %r11d,%r12d + movzbl %al,%eax + movl %edx,48(%rsi) + addl %r12d,%r8d + addb %bl,%cl + roll $7,%r8d + movl %r10d,%r12d + pinsrw $6,(%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r8d,%r12d + addl 52(%r15),%r11d + addb %dl,%bl + movl 56(%rsi),%eax + addl $4254626195,%r11d + xorl %r10d,%r12d + movzbl %bl,%ebx + movl %edx,52(%rsi) + addl %r12d,%r11d + addb %al,%cl + roll $12,%r11d + movl %r9d,%r12d + pinsrw $6,(%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl 
%eax,(%rdi,%rcx,4) + andl %r11d,%r12d + addl 56(%r15),%r10d + addb %dl,%al + movl 60(%rsi),%ebx + addl $2792965006,%r10d + xorl %r9d,%r12d + movzbl %al,%eax + movl %edx,56(%rsi) + addl %r12d,%r10d + addb %bl,%cl + roll $17,%r10d + movl %r8d,%r12d + pinsrw $7,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movdqu (%r13),%xmm2 + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r10d,%r12d + addl 60(%r15),%r9d + addb %dl,%bl + movl 64(%rsi),%eax + addl $1236535329,%r9d + xorl %r8d,%r12d + movzbl %bl,%ebx + movl %edx,60(%rsi) + addl %r12d,%r9d + addb %al,%cl + roll $22,%r9d + movl %r10d,%r12d + pinsrw $7,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + psllq $8,%xmm1 + pxor %xmm0,%xmm2 + pxor %xmm1,%xmm2 + pxor %xmm0,%xmm0 + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r11d,%r12d + addl 4(%r15),%r8d + addb %dl,%al + movl 68(%rsi),%ebx + addl $4129170786,%r8d + xorl %r10d,%r12d + movzbl %al,%eax + movl %edx,64(%rsi) + addl %r12d,%r8d + addb %bl,%cl + roll $5,%r8d + movl %r9d,%r12d + movd (%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + pxor %xmm1,%xmm1 + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r10d,%r12d + addl 24(%r15),%r11d + addb %dl,%bl + movl 72(%rsi),%eax + addl $3225465664,%r11d + xorl %r9d,%r12d + movzbl %bl,%ebx + movl %edx,68(%rsi) + addl %r12d,%r11d + addb %al,%cl + roll $9,%r11d + movl %r8d,%r12d + movd (%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r9d,%r12d + addl 44(%r15),%r10d + addb %dl,%al + movl 76(%rsi),%ebx + addl $643717713,%r10d + xorl %r8d,%r12d + movzbl %al,%eax + movl %edx,72(%rsi) + addl %r12d,%r10d + addb %bl,%cl + roll $14,%r10d + movl %r11d,%r12d + pinsrw $1,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r8d,%r12d + addl 0(%r15),%r9d + addb %dl,%bl + movl 80(%rsi),%eax + addl $3921069994,%r9d + xorl %r11d,%r12d + movzbl 
%bl,%ebx + movl %edx,76(%rsi) + addl %r12d,%r9d + addb %al,%cl + roll $20,%r9d + movl %r10d,%r12d + pinsrw $1,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r11d,%r12d + addl 20(%r15),%r8d + addb %dl,%al + movl 84(%rsi),%ebx + addl $3593408605,%r8d + xorl %r10d,%r12d + movzbl %al,%eax + movl %edx,80(%rsi) + addl %r12d,%r8d + addb %bl,%cl + roll $5,%r8d + movl %r9d,%r12d + pinsrw $2,(%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r10d,%r12d + addl 40(%r15),%r11d + addb %dl,%bl + movl 88(%rsi),%eax + addl $38016083,%r11d + xorl %r9d,%r12d + movzbl %bl,%ebx + movl %edx,84(%rsi) + addl %r12d,%r11d + addb %al,%cl + roll $9,%r11d + movl %r8d,%r12d + pinsrw $2,(%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r9d,%r12d + addl 60(%r15),%r10d + addb %dl,%al + movl 92(%rsi),%ebx + addl $3634488961,%r10d + xorl %r8d,%r12d + movzbl %al,%eax + movl %edx,88(%rsi) + addl %r12d,%r10d + addb %bl,%cl + roll $14,%r10d + movl %r11d,%r12d + pinsrw $3,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r8d,%r12d + addl 16(%r15),%r9d + addb %dl,%bl + movl 96(%rsi),%eax + addl $3889429448,%r9d + xorl %r11d,%r12d + movzbl %bl,%ebx + movl %edx,92(%rsi) + addl %r12d,%r9d + addb %al,%cl + roll $20,%r9d + movl %r10d,%r12d + pinsrw $3,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r11d,%r12d + addl 36(%r15),%r8d + addb %dl,%al + movl 100(%rsi),%ebx + addl $568446438,%r8d + xorl %r10d,%r12d + movzbl %al,%eax + movl %edx,96(%rsi) + addl %r12d,%r8d + addb %bl,%cl + roll $5,%r8d + movl %r9d,%r12d + pinsrw $4,(%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r10d,%r12d + addl 56(%r15),%r11d + 
addb %dl,%bl + movl 104(%rsi),%eax + addl $3275163606,%r11d + xorl %r9d,%r12d + movzbl %bl,%ebx + movl %edx,100(%rsi) + addl %r12d,%r11d + addb %al,%cl + roll $9,%r11d + movl %r8d,%r12d + pinsrw $4,(%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r9d,%r12d + addl 12(%r15),%r10d + addb %dl,%al + movl 108(%rsi),%ebx + addl $4107603335,%r10d + xorl %r8d,%r12d + movzbl %al,%eax + movl %edx,104(%rsi) + addl %r12d,%r10d + addb %bl,%cl + roll $14,%r10d + movl %r11d,%r12d + pinsrw $5,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r8d,%r12d + addl 32(%r15),%r9d + addb %dl,%bl + movl 112(%rsi),%eax + addl $1163531501,%r9d + xorl %r11d,%r12d + movzbl %bl,%ebx + movl %edx,108(%rsi) + addl %r12d,%r9d + addb %al,%cl + roll $20,%r9d + movl %r10d,%r12d + pinsrw $5,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r11d,%r12d + addl 52(%r15),%r8d + addb %dl,%al + movl 116(%rsi),%ebx + addl $2850285829,%r8d + xorl %r10d,%r12d + movzbl %al,%eax + movl %edx,112(%rsi) + addl %r12d,%r8d + addb %bl,%cl + roll $5,%r8d + movl %r9d,%r12d + pinsrw $6,(%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r10d,%r12d + addl 8(%r15),%r11d + addb %dl,%bl + movl 120(%rsi),%eax + addl $4243563512,%r11d + xorl %r9d,%r12d + movzbl %bl,%ebx + movl %edx,116(%rsi) + addl %r12d,%r11d + addb %al,%cl + roll $9,%r11d + movl %r8d,%r12d + pinsrw $6,(%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %eax,(%rdi,%rcx,4) + andl %r9d,%r12d + addl 28(%r15),%r10d + addb %dl,%al + movl 124(%rsi),%ebx + addl $1735328473,%r10d + xorl %r8d,%r12d + movzbl %al,%eax + movl %edx,120(%rsi) + addl %r12d,%r10d + addb %bl,%cl + roll $14,%r10d + movl %r11d,%r12d + pinsrw $7,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + 
movdqu 16(%r13),%xmm3 + addb $32,%bpl + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %ebx,(%rdi,%rcx,4) + andl %r8d,%r12d + addl 48(%r15),%r9d + addb %dl,%bl + movl 0(%rdi,%rbp,4),%eax + addl $2368359562,%r9d + xorl %r11d,%r12d + movzbl %bl,%ebx + movl %edx,124(%rsi) + addl %r12d,%r9d + addb %al,%cl + roll $20,%r9d + movl %r11d,%r12d + pinsrw $7,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + movq %rcx,%rsi + xorq %rcx,%rcx + movb %sil,%cl + leaq (%rdi,%rbp,4),%rsi + psllq $8,%xmm1 + pxor %xmm0,%xmm3 + pxor %xmm1,%xmm3 + pxor %xmm0,%xmm0 + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %eax,(%rdi,%rcx,4) + xorl %r9d,%r12d + addl 20(%r15),%r8d + addb %dl,%al + movl 4(%rsi),%ebx + addl $4294588738,%r8d + movzbl %al,%eax + addl %r12d,%r8d + movl %edx,0(%rsi) + addb %bl,%cl + roll $4,%r8d + movl %r10d,%r12d + movd (%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + pxor %xmm1,%xmm1 + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %ebx,(%rdi,%rcx,4) + xorl %r8d,%r12d + addl 32(%r15),%r11d + addb %dl,%bl + movl 8(%rsi),%eax + addl $2272392833,%r11d + movzbl %bl,%ebx + addl %r12d,%r11d + movl %edx,4(%rsi) + addb %al,%cl + roll $11,%r11d + movl %r9d,%r12d + movd (%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %eax,(%rdi,%rcx,4) + xorl %r11d,%r12d + addl 44(%r15),%r10d + addb %dl,%al + movl 12(%rsi),%ebx + addl $1839030562,%r10d + movzbl %al,%eax + addl %r12d,%r10d + movl %edx,8(%rsi) + addb %bl,%cl + roll $16,%r10d + movl %r8d,%r12d + pinsrw $1,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %ebx,(%rdi,%rcx,4) + xorl %r10d,%r12d + addl 56(%r15),%r9d + addb %dl,%bl + movl 16(%rsi),%eax + addl $4259657740,%r9d + movzbl %bl,%ebx + addl %r12d,%r9d + movl %edx,12(%rsi) + addb %al,%cl + roll $23,%r9d + movl %r11d,%r12d + pinsrw $1,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %eax,(%rdi,%rcx,4) + xorl %r9d,%r12d + addl 4(%r15),%r8d + addb %dl,%al + movl 
20(%rsi),%ebx + addl $2763975236,%r8d + movzbl %al,%eax + addl %r12d,%r8d + movl %edx,16(%rsi) + addb %bl,%cl + roll $4,%r8d + movl %r10d,%r12d + pinsrw $2,(%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %ebx,(%rdi,%rcx,4) + xorl %r8d,%r12d + addl 16(%r15),%r11d + addb %dl,%bl + movl 24(%rsi),%eax + addl $1272893353,%r11d + movzbl %bl,%ebx + addl %r12d,%r11d + movl %edx,20(%rsi) + addb %al,%cl + roll $11,%r11d + movl %r9d,%r12d + pinsrw $2,(%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %eax,(%rdi,%rcx,4) + xorl %r11d,%r12d + addl 28(%r15),%r10d + addb %dl,%al + movl 28(%rsi),%ebx + addl $4139469664,%r10d + movzbl %al,%eax + addl %r12d,%r10d + movl %edx,24(%rsi) + addb %bl,%cl + roll $16,%r10d + movl %r8d,%r12d + pinsrw $3,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %ebx,(%rdi,%rcx,4) + xorl %r10d,%r12d + addl 40(%r15),%r9d + addb %dl,%bl + movl 32(%rsi),%eax + addl $3200236656,%r9d + movzbl %bl,%ebx + addl %r12d,%r9d + movl %edx,28(%rsi) + addb %al,%cl + roll $23,%r9d + movl %r11d,%r12d + pinsrw $3,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %eax,(%rdi,%rcx,4) + xorl %r9d,%r12d + addl 52(%r15),%r8d + addb %dl,%al + movl 36(%rsi),%ebx + addl $681279174,%r8d + movzbl %al,%eax + addl %r12d,%r8d + movl %edx,32(%rsi) + addb %bl,%cl + roll $4,%r8d + movl %r10d,%r12d + pinsrw $4,(%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %ebx,(%rdi,%rcx,4) + xorl %r8d,%r12d + addl 0(%r15),%r11d + addb %dl,%bl + movl 40(%rsi),%eax + addl $3936430074,%r11d + movzbl %bl,%ebx + addl %r12d,%r11d + movl %edx,36(%rsi) + addb %al,%cl + roll $11,%r11d + movl %r9d,%r12d + pinsrw $4,(%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %eax,(%rdi,%rcx,4) + xorl %r11d,%r12d + addl 12(%r15),%r10d + addb %dl,%al + movl 44(%rsi),%ebx + addl 
$3572445317,%r10d + movzbl %al,%eax + addl %r12d,%r10d + movl %edx,40(%rsi) + addb %bl,%cl + roll $16,%r10d + movl %r8d,%r12d + pinsrw $5,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %ebx,(%rdi,%rcx,4) + xorl %r10d,%r12d + addl 24(%r15),%r9d + addb %dl,%bl + movl 48(%rsi),%eax + addl $76029189,%r9d + movzbl %bl,%ebx + addl %r12d,%r9d + movl %edx,44(%rsi) + addb %al,%cl + roll $23,%r9d + movl %r11d,%r12d + pinsrw $5,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %eax,(%rdi,%rcx,4) + xorl %r9d,%r12d + addl 36(%r15),%r8d + addb %dl,%al + movl 52(%rsi),%ebx + addl $3654602809,%r8d + movzbl %al,%eax + addl %r12d,%r8d + movl %edx,48(%rsi) + addb %bl,%cl + roll $4,%r8d + movl %r10d,%r12d + pinsrw $6,(%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %ebx,(%rdi,%rcx,4) + xorl %r8d,%r12d + addl 48(%r15),%r11d + addb %dl,%bl + movl 56(%rsi),%eax + addl $3873151461,%r11d + movzbl %bl,%ebx + addl %r12d,%r11d + movl %edx,52(%rsi) + addb %al,%cl + roll $11,%r11d + movl %r9d,%r12d + pinsrw $6,(%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %eax,(%rdi,%rcx,4) + xorl %r11d,%r12d + addl 60(%r15),%r10d + addb %dl,%al + movl 60(%rsi),%ebx + addl $530742520,%r10d + movzbl %al,%eax + addl %r12d,%r10d + movl %edx,56(%rsi) + addb %bl,%cl + roll $16,%r10d + movl %r8d,%r12d + pinsrw $7,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movdqu 32(%r13),%xmm4 + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %ebx,(%rdi,%rcx,4) + xorl %r10d,%r12d + addl 8(%r15),%r9d + addb %dl,%bl + movl 64(%rsi),%eax + addl $3299628645,%r9d + movzbl %bl,%ebx + addl %r12d,%r9d + movl %edx,60(%rsi) + addb %al,%cl + roll $23,%r9d + movl $-1,%r12d + pinsrw $7,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + psllq $8,%xmm1 + pxor %xmm0,%xmm4 + pxor %xmm1,%xmm4 + pxor %xmm0,%xmm0 + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %eax,(%rdi,%rcx,4) + orl 
%r9d,%r12d + addl 0(%r15),%r8d + addb %dl,%al + movl 68(%rsi),%ebx + addl $4096336452,%r8d + movzbl %al,%eax + xorl %r10d,%r12d + movl %edx,64(%rsi) + addl %r12d,%r8d + addb %bl,%cl + roll $6,%r8d + movl $-1,%r12d + movd (%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + pxor %xmm1,%xmm1 + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %ebx,(%rdi,%rcx,4) + orl %r8d,%r12d + addl 28(%r15),%r11d + addb %dl,%bl + movl 72(%rsi),%eax + addl $1126891415,%r11d + movzbl %bl,%ebx + xorl %r9d,%r12d + movl %edx,68(%rsi) + addl %r12d,%r11d + addb %al,%cl + roll $10,%r11d + movl $-1,%r12d + movd (%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %eax,(%rdi,%rcx,4) + orl %r11d,%r12d + addl 56(%r15),%r10d + addb %dl,%al + movl 76(%rsi),%ebx + addl $2878612391,%r10d + movzbl %al,%eax + xorl %r8d,%r12d + movl %edx,72(%rsi) + addl %r12d,%r10d + addb %bl,%cl + roll $15,%r10d + movl $-1,%r12d + pinsrw $1,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %ebx,(%rdi,%rcx,4) + orl %r10d,%r12d + addl 20(%r15),%r9d + addb %dl,%bl + movl 80(%rsi),%eax + addl $4237533241,%r9d + movzbl %bl,%ebx + xorl %r11d,%r12d + movl %edx,76(%rsi) + addl %r12d,%r9d + addb %al,%cl + roll $21,%r9d + movl $-1,%r12d + pinsrw $1,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %eax,(%rdi,%rcx,4) + orl %r9d,%r12d + addl 48(%r15),%r8d + addb %dl,%al + movl 84(%rsi),%ebx + addl $1700485571,%r8d + movzbl %al,%eax + xorl %r10d,%r12d + movl %edx,80(%rsi) + addl %r12d,%r8d + addb %bl,%cl + roll $6,%r8d + movl $-1,%r12d + pinsrw $2,(%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %ebx,(%rdi,%rcx,4) + orl %r8d,%r12d + addl 12(%r15),%r11d + addb %dl,%bl + movl 88(%rsi),%eax + addl $2399980690,%r11d + movzbl %bl,%ebx + xorl %r9d,%r12d + movl %edx,84(%rsi) + addl %r12d,%r11d + addb %al,%cl + roll $10,%r11d + movl $-1,%r12d + pinsrw $2,(%rdi,%rbx,4),%xmm1 + + addl 
%r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %eax,(%rdi,%rcx,4) + orl %r11d,%r12d + addl 40(%r15),%r10d + addb %dl,%al + movl 92(%rsi),%ebx + addl $4293915773,%r10d + movzbl %al,%eax + xorl %r8d,%r12d + movl %edx,88(%rsi) + addl %r12d,%r10d + addb %bl,%cl + roll $15,%r10d + movl $-1,%r12d + pinsrw $3,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %ebx,(%rdi,%rcx,4) + orl %r10d,%r12d + addl 4(%r15),%r9d + addb %dl,%bl + movl 96(%rsi),%eax + addl $2240044497,%r9d + movzbl %bl,%ebx + xorl %r11d,%r12d + movl %edx,92(%rsi) + addl %r12d,%r9d + addb %al,%cl + roll $21,%r9d + movl $-1,%r12d + pinsrw $3,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %eax,(%rdi,%rcx,4) + orl %r9d,%r12d + addl 32(%r15),%r8d + addb %dl,%al + movl 100(%rsi),%ebx + addl $1873313359,%r8d + movzbl %al,%eax + xorl %r10d,%r12d + movl %edx,96(%rsi) + addl %r12d,%r8d + addb %bl,%cl + roll $6,%r8d + movl $-1,%r12d + pinsrw $4,(%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %ebx,(%rdi,%rcx,4) + orl %r8d,%r12d + addl 60(%r15),%r11d + addb %dl,%bl + movl 104(%rsi),%eax + addl $4264355552,%r11d + movzbl %bl,%ebx + xorl %r9d,%r12d + movl %edx,100(%rsi) + addl %r12d,%r11d + addb %al,%cl + roll $10,%r11d + movl $-1,%r12d + pinsrw $4,(%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %eax,(%rdi,%rcx,4) + orl %r11d,%r12d + addl 24(%r15),%r10d + addb %dl,%al + movl 108(%rsi),%ebx + addl $2734768916,%r10d + movzbl %al,%eax + xorl %r8d,%r12d + movl %edx,104(%rsi) + addl %r12d,%r10d + addb %bl,%cl + roll $15,%r10d + movl $-1,%r12d + pinsrw $5,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %ebx,(%rdi,%rcx,4) + orl %r10d,%r12d + addl 52(%r15),%r9d + addb %dl,%bl + movl 112(%rsi),%eax + addl $1309151649,%r9d + movzbl %bl,%ebx + xorl %r11d,%r12d + movl %edx,108(%rsi) + addl %r12d,%r9d + 
addb %al,%cl + roll $21,%r9d + movl $-1,%r12d + pinsrw $5,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + movl (%rdi,%rcx,4),%edx + xorl %r11d,%r12d + movl %eax,(%rdi,%rcx,4) + orl %r9d,%r12d + addl 16(%r15),%r8d + addb %dl,%al + movl 116(%rsi),%ebx + addl $4149444226,%r8d + movzbl %al,%eax + xorl %r10d,%r12d + movl %edx,112(%rsi) + addl %r12d,%r8d + addb %bl,%cl + roll $6,%r8d + movl $-1,%r12d + pinsrw $6,(%rdi,%rax,4),%xmm0 + + addl %r9d,%r8d + movl (%rdi,%rcx,4),%edx + xorl %r10d,%r12d + movl %ebx,(%rdi,%rcx,4) + orl %r8d,%r12d + addl 44(%r15),%r11d + addb %dl,%bl + movl 120(%rsi),%eax + addl $3174756917,%r11d + movzbl %bl,%ebx + xorl %r9d,%r12d + movl %edx,116(%rsi) + addl %r12d,%r11d + addb %al,%cl + roll $10,%r11d + movl $-1,%r12d + pinsrw $6,(%rdi,%rbx,4),%xmm1 + + addl %r8d,%r11d + movl (%rdi,%rcx,4),%edx + xorl %r9d,%r12d + movl %eax,(%rdi,%rcx,4) + orl %r11d,%r12d + addl 8(%r15),%r10d + addb %dl,%al + movl 124(%rsi),%ebx + addl $718787259,%r10d + movzbl %al,%eax + xorl %r8d,%r12d + movl %edx,120(%rsi) + addl %r12d,%r10d + addb %bl,%cl + roll $15,%r10d + movl $-1,%r12d + pinsrw $7,(%rdi,%rax,4),%xmm0 + + addl %r11d,%r10d + movdqu 48(%r13),%xmm5 + addb $32,%bpl + movl (%rdi,%rcx,4),%edx + xorl %r8d,%r12d + movl %ebx,(%rdi,%rcx,4) + orl %r10d,%r12d + addl 36(%r15),%r9d + addb %dl,%bl + movl 0(%rdi,%rbp,4),%eax + addl $3951481745,%r9d + movzbl %bl,%ebx + xorl %r11d,%r12d + movl %edx,124(%rsi) + addl %r12d,%r9d + addb %al,%cl + roll $21,%r9d + movl $-1,%r12d + pinsrw $7,(%rdi,%rbx,4),%xmm1 + + addl %r10d,%r9d + movq %rbp,%rsi + xorq %rbp,%rbp + movb %sil,%bpl + movq %rcx,%rsi + xorq %rcx,%rcx + movb %sil,%cl + leaq (%rdi,%rbp,4),%rsi + psllq $8,%xmm1 + pxor %xmm0,%xmm5 + pxor %xmm1,%xmm5 + addl 0(%rsp),%r8d + addl 4(%rsp),%r9d + addl 8(%rsp),%r10d + addl 12(%rsp),%r11d + + movdqu %xmm2,(%r14,%r13,1) + movdqu %xmm3,16(%r14,%r13,1) + movdqu %xmm4,32(%r14,%r13,1) + movdqu %xmm5,48(%r14,%r13,1) + leaq 64(%r15),%r15 + leaq 64(%r13),%r13 + cmpq 16(%rsp),%r15 + jb .Loop + 
+ movq 24(%rsp),%r12 + subb %al,%cl + movl %r8d,0(%r12) + movl %r9d,4(%r12) + movl %r10d,8(%r12) + movl %r11d,12(%r12) + subb $1,%bpl + movl %ebp,-8(%rdi) + movl %ecx,-4(%rdi) + + movq 40(%rsp),%r15 + movq 48(%rsp),%r14 + movq 56(%rsp),%r13 + movq 64(%rsp),%r12 + movq 72(%rsp),%rbp + movq 80(%rsp),%rbx + leaq 88(%rsp),%rsp +.Lepilogue: +.Labort: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_rc4_md5_enc: diff --git a/crypto/rc4/rc4-mingw64-x86_64.S b/crypto/rc4/rc4-mingw64-x86_64.S new file mode 100644 index 0000000..c149d7e --- /dev/null +++ b/crypto/rc4/rc4-mingw64-x86_64.S 
@@ -0,0 +1,640 @@ +#include "x86_arch.h" +.text + + + +.globl RC4 +.def RC4; .scl 2; .type 32; .endef +.p2align 4 +RC4: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_RC4: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + orq %rsi,%rsi + jne .Lentry + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.Lentry: + pushq %rbx + pushq %r12 + pushq %r13 +.Lprologue: + movq %rsi,%r11 + movq %rdx,%r12 + movq %rcx,%r13 + xorq %r10,%r10 + xorq %rcx,%rcx + + leaq 8(%rdi),%rdi + movb -8(%rdi),%r10b + movb -4(%rdi),%cl + cmpl $-1,256(%rdi) + je .LRC4_CHAR + movl OPENSSL_ia32cap_P(%rip),%r8d + xorq %rbx,%rbx + incb %r10b + subq %r10,%rbx + subq %r12,%r13 + movl (%rdi,%r10,4),%eax + testq $-16,%r11 + jz .Lloop1 + btl $IA32CAP_BIT0_INTEL,%r8d + jc .Lintel + andq $7,%rbx + leaq 1(%r10),%rsi + jz .Loop8 + subq %rbx,%r11 +.Loop8_warmup: + addb %al,%cl + movl (%rdi,%rcx,4),%edx + movl %eax,(%rdi,%rcx,4) + movl %edx,(%rdi,%r10,4) + addb %dl,%al + incb %r10b + movl (%rdi,%rax,4),%edx + movl (%rdi,%r10,4),%eax + xorb (%r12),%dl + movb %dl,(%r13,%r12,1) + leaq 1(%r12),%r12 + decq %rbx + jnz .Loop8_warmup + + leaq 1(%r10),%rsi + jmp .Loop8 +.p2align 4 +.Loop8: + addb %al,%cl + movl (%rdi,%rcx,4),%edx + movl %eax,(%rdi,%rcx,4) + movl 0(%rdi,%rsi,4),%ebx + rorq $8,%r8 + movl %edx,0(%rdi,%r10,4) + addb %al,%dl + movb (%rdi,%rdx,4),%r8b + addb %bl,%cl + movl (%rdi,%rcx,4),%edx + movl %ebx,(%rdi,%rcx,4) + movl 4(%rdi,%rsi,4),%eax + rorq $8,%r8 + movl %edx,4(%rdi,%r10,4) + addb %bl,%dl + movb (%rdi,%rdx,4),%r8b + addb %al,%cl + movl (%rdi,%rcx,4),%edx + movl %eax,(%rdi,%rcx,4) + movl 8(%rdi,%rsi,4),%ebx + rorq $8,%r8 + movl %edx,8(%rdi,%r10,4) + addb %al,%dl + movb (%rdi,%rdx,4),%r8b + addb %bl,%cl + movl (%rdi,%rcx,4),%edx + movl %ebx,(%rdi,%rcx,4) + movl 12(%rdi,%rsi,4),%eax + rorq $8,%r8 + movl %edx,12(%rdi,%r10,4) + addb %bl,%dl + movb (%rdi,%rdx,4),%r8b + addb %al,%cl + movl (%rdi,%rcx,4),%edx + movl %eax,(%rdi,%rcx,4) + movl 16(%rdi,%rsi,4),%ebx + 
rorq $8,%r8 + movl %edx,16(%rdi,%r10,4) + addb %al,%dl + movb (%rdi,%rdx,4),%r8b + addb %bl,%cl + movl (%rdi,%rcx,4),%edx + movl %ebx,(%rdi,%rcx,4) + movl 20(%rdi,%rsi,4),%eax + rorq $8,%r8 + movl %edx,20(%rdi,%r10,4) + addb %bl,%dl + movb (%rdi,%rdx,4),%r8b + addb %al,%cl + movl (%rdi,%rcx,4),%edx + movl %eax,(%rdi,%rcx,4) + movl 24(%rdi,%rsi,4),%ebx + rorq $8,%r8 + movl %edx,24(%rdi,%r10,4) + addb %al,%dl + movb (%rdi,%rdx,4),%r8b + addb $8,%sil + addb %bl,%cl + movl (%rdi,%rcx,4),%edx + movl %ebx,(%rdi,%rcx,4) + movl -4(%rdi,%rsi,4),%eax + rorq $8,%r8 + movl %edx,28(%rdi,%r10,4) + addb %bl,%dl + movb (%rdi,%rdx,4),%r8b + addb $8,%r10b + rorq $8,%r8 + subq $8,%r11 + + xorq (%r12),%r8 + movq %r8,(%r13,%r12,1) + leaq 8(%r12),%r12 + + testq $-8,%r11 + jnz .Loop8 + cmpq $0,%r11 + jne .Lloop1 + jmp .Lexit + +.p2align 4 +.Lintel: + testq $-32,%r11 + jz .Lloop1 + andq $15,%rbx + jz .Loop16_is_hot + subq %rbx,%r11 +.Loop16_warmup: + addb %al,%cl + movl (%rdi,%rcx,4),%edx + movl %eax,(%rdi,%rcx,4) + movl %edx,(%rdi,%r10,4) + addb %dl,%al + incb %r10b + movl (%rdi,%rax,4),%edx + movl (%rdi,%r10,4),%eax + xorb (%r12),%dl + movb %dl,(%r13,%r12,1) + leaq 1(%r12),%r12 + decq %rbx + jnz .Loop16_warmup + + movq %rcx,%rbx + xorq %rcx,%rcx + movb %bl,%cl + +.Loop16_is_hot: + leaq (%rdi,%r10,4),%rsi + addb %al,%cl + movl (%rdi,%rcx,4),%edx + pxor %xmm0,%xmm0 + movl %eax,(%rdi,%rcx,4) + addb %dl,%al + movl 4(%rsi),%ebx + movzbl %al,%eax + movl %edx,0(%rsi) + addb %bl,%cl + pinsrw $0,(%rdi,%rax,4),%xmm0 + jmp .Loop16_enter +.p2align 4 +.Loop16: + addb %al,%cl + movl (%rdi,%rcx,4),%edx + pxor %xmm0,%xmm2 + psllq $8,%xmm1 + pxor %xmm0,%xmm0 + movl %eax,(%rdi,%rcx,4) + addb %dl,%al + movl 4(%rsi),%ebx + movzbl %al,%eax + movl %edx,0(%rsi) + pxor %xmm1,%xmm2 + addb %bl,%cl + pinsrw $0,(%rdi,%rax,4),%xmm0 + movdqu %xmm2,(%r13,%r12,1) + leaq 16(%r12),%r12 +.Loop16_enter: + movl (%rdi,%rcx,4),%edx + pxor %xmm1,%xmm1 + movl %ebx,(%rdi,%rcx,4) + addb %dl,%bl + movl 8(%rsi),%eax + movzbl 
%bl,%ebx + movl %edx,4(%rsi) + addb %al,%cl + pinsrw $0,(%rdi,%rbx,4),%xmm1 + movl (%rdi,%rcx,4),%edx + movl %eax,(%rdi,%rcx,4) + addb %dl,%al + movl 12(%rsi),%ebx + movzbl %al,%eax + movl %edx,8(%rsi) + addb %bl,%cl + pinsrw $1,(%rdi,%rax,4),%xmm0 + movl (%rdi,%rcx,4),%edx + movl %ebx,(%rdi,%rcx,4) + addb %dl,%bl + movl 16(%rsi),%eax + movzbl %bl,%ebx + movl %edx,12(%rsi) + addb %al,%cl + pinsrw $1,(%rdi,%rbx,4),%xmm1 + movl (%rdi,%rcx,4),%edx + movl %eax,(%rdi,%rcx,4) + addb %dl,%al + movl 20(%rsi),%ebx + movzbl %al,%eax + movl %edx,16(%rsi) + addb %bl,%cl + pinsrw $2,(%rdi,%rax,4),%xmm0 + movl (%rdi,%rcx,4),%edx + movl %ebx,(%rdi,%rcx,4) + addb %dl,%bl + movl 24(%rsi),%eax + movzbl %bl,%ebx + movl %edx,20(%rsi) + addb %al,%cl + pinsrw $2,(%rdi,%rbx,4),%xmm1 + movl (%rdi,%rcx,4),%edx + movl %eax,(%rdi,%rcx,4) + addb %dl,%al + movl 28(%rsi),%ebx + movzbl %al,%eax + movl %edx,24(%rsi) + addb %bl,%cl + pinsrw $3,(%rdi,%rax,4),%xmm0 + movl (%rdi,%rcx,4),%edx + movl %ebx,(%rdi,%rcx,4) + addb %dl,%bl + movl 32(%rsi),%eax + movzbl %bl,%ebx + movl %edx,28(%rsi) + addb %al,%cl + pinsrw $3,(%rdi,%rbx,4),%xmm1 + movl (%rdi,%rcx,4),%edx + movl %eax,(%rdi,%rcx,4) + addb %dl,%al + movl 36(%rsi),%ebx + movzbl %al,%eax + movl %edx,32(%rsi) + addb %bl,%cl + pinsrw $4,(%rdi,%rax,4),%xmm0 + movl (%rdi,%rcx,4),%edx + movl %ebx,(%rdi,%rcx,4) + addb %dl,%bl + movl 40(%rsi),%eax + movzbl %bl,%ebx + movl %edx,36(%rsi) + addb %al,%cl + pinsrw $4,(%rdi,%rbx,4),%xmm1 + movl (%rdi,%rcx,4),%edx + movl %eax,(%rdi,%rcx,4) + addb %dl,%al + movl 44(%rsi),%ebx + movzbl %al,%eax + movl %edx,40(%rsi) + addb %bl,%cl + pinsrw $5,(%rdi,%rax,4),%xmm0 + movl (%rdi,%rcx,4),%edx + movl %ebx,(%rdi,%rcx,4) + addb %dl,%bl + movl 48(%rsi),%eax + movzbl %bl,%ebx + movl %edx,44(%rsi) + addb %al,%cl + pinsrw $5,(%rdi,%rbx,4),%xmm1 + movl (%rdi,%rcx,4),%edx + movl %eax,(%rdi,%rcx,4) + addb %dl,%al + movl 52(%rsi),%ebx + movzbl %al,%eax + movl %edx,48(%rsi) + addb %bl,%cl + pinsrw $6,(%rdi,%rax,4),%xmm0 + movl 
(%rdi,%rcx,4),%edx + movl %ebx,(%rdi,%rcx,4) + addb %dl,%bl + movl 56(%rsi),%eax + movzbl %bl,%ebx + movl %edx,52(%rsi) + addb %al,%cl + pinsrw $6,(%rdi,%rbx,4),%xmm1 + movl (%rdi,%rcx,4),%edx + movl %eax,(%rdi,%rcx,4) + addb %dl,%al + movl 60(%rsi),%ebx + movzbl %al,%eax + movl %edx,56(%rsi) + addb %bl,%cl + pinsrw $7,(%rdi,%rax,4),%xmm0 + addb $16,%r10b + movdqu (%r12),%xmm2 + movl (%rdi,%rcx,4),%edx + movl %ebx,(%rdi,%rcx,4) + addb %dl,%bl + movzbl %bl,%ebx + movl %edx,60(%rsi) + leaq (%rdi,%r10,4),%rsi + pinsrw $7,(%rdi,%rbx,4),%xmm1 + movl (%rsi),%eax + movq %rcx,%rbx + xorq %rcx,%rcx + subq $16,%r11 + movb %bl,%cl + testq $-16,%r11 + jnz .Loop16 + + psllq $8,%xmm1 + pxor %xmm0,%xmm2 + pxor %xmm1,%xmm2 + movdqu %xmm2,(%r13,%r12,1) + leaq 16(%r12),%r12 + + cmpq $0,%r11 + jne .Lloop1 + jmp .Lexit + +.p2align 4 +.Lloop1: + addb %al,%cl + movl (%rdi,%rcx,4),%edx + movl %eax,(%rdi,%rcx,4) + movl %edx,(%rdi,%r10,4) + addb %dl,%al + incb %r10b + movl (%rdi,%rax,4),%edx + movl (%rdi,%r10,4),%eax + xorb (%r12),%dl + movb %dl,(%r13,%r12,1) + leaq 1(%r12),%r12 + decq %r11 + jnz .Lloop1 + jmp .Lexit + +.p2align 4 +.LRC4_CHAR: + addb $1,%r10b + movzbl (%rdi,%r10,1),%eax + testq $-8,%r11 + jz .Lcloop1 + jmp .Lcloop8 +.p2align 4 +.Lcloop8: + movl (%r12),%r8d + movl 4(%r12),%r9d + addb %al,%cl + leaq 1(%r10),%rsi + movzbl (%rdi,%rcx,1),%edx + movzbl %sil,%esi + movzbl (%rdi,%rsi,1),%ebx + movb %al,(%rdi,%rcx,1) + cmpq %rsi,%rcx + movb %dl,(%rdi,%r10,1) + jne .Lcmov0 + movq %rax,%rbx +.Lcmov0: + addb %al,%dl + xorb (%rdi,%rdx,1),%r8b + rorl $8,%r8d + addb %bl,%cl + leaq 1(%rsi),%r10 + movzbl (%rdi,%rcx,1),%edx + movzbl %r10b,%r10d + movzbl (%rdi,%r10,1),%eax + movb %bl,(%rdi,%rcx,1) + cmpq %r10,%rcx + movb %dl,(%rdi,%rsi,1) + jne .Lcmov1 + movq %rbx,%rax +.Lcmov1: + addb %bl,%dl + xorb (%rdi,%rdx,1),%r8b + rorl $8,%r8d + addb %al,%cl + leaq 1(%r10),%rsi + movzbl (%rdi,%rcx,1),%edx + movzbl %sil,%esi + movzbl (%rdi,%rsi,1),%ebx + movb %al,(%rdi,%rcx,1) + cmpq %rsi,%rcx + movb 
%dl,(%rdi,%r10,1) + jne .Lcmov2 + movq %rax,%rbx +.Lcmov2: + addb %al,%dl + xorb (%rdi,%rdx,1),%r8b + rorl $8,%r8d + addb %bl,%cl + leaq 1(%rsi),%r10 + movzbl (%rdi,%rcx,1),%edx + movzbl %r10b,%r10d + movzbl (%rdi,%r10,1),%eax + movb %bl,(%rdi,%rcx,1) + cmpq %r10,%rcx + movb %dl,(%rdi,%rsi,1) + jne .Lcmov3 + movq %rbx,%rax +.Lcmov3: + addb %bl,%dl + xorb (%rdi,%rdx,1),%r8b + rorl $8,%r8d + addb %al,%cl + leaq 1(%r10),%rsi + movzbl (%rdi,%rcx,1),%edx + movzbl %sil,%esi + movzbl (%rdi,%rsi,1),%ebx + movb %al,(%rdi,%rcx,1) + cmpq %rsi,%rcx + movb %dl,(%rdi,%r10,1) + jne .Lcmov4 + movq %rax,%rbx +.Lcmov4: + addb %al,%dl + xorb (%rdi,%rdx,1),%r9b + rorl $8,%r9d + addb %bl,%cl + leaq 1(%rsi),%r10 + movzbl (%rdi,%rcx,1),%edx + movzbl %r10b,%r10d + movzbl (%rdi,%r10,1),%eax + movb %bl,(%rdi,%rcx,1) + cmpq %r10,%rcx + movb %dl,(%rdi,%rsi,1) + jne .Lcmov5 + movq %rbx,%rax +.Lcmov5: + addb %bl,%dl + xorb (%rdi,%rdx,1),%r9b + rorl $8,%r9d + addb %al,%cl + leaq 1(%r10),%rsi + movzbl (%rdi,%rcx,1),%edx + movzbl %sil,%esi + movzbl (%rdi,%rsi,1),%ebx + movb %al,(%rdi,%rcx,1) + cmpq %rsi,%rcx + movb %dl,(%rdi,%r10,1) + jne .Lcmov6 + movq %rax,%rbx +.Lcmov6: + addb %al,%dl + xorb (%rdi,%rdx,1),%r9b + rorl $8,%r9d + addb %bl,%cl + leaq 1(%rsi),%r10 + movzbl (%rdi,%rcx,1),%edx + movzbl %r10b,%r10d + movzbl (%rdi,%r10,1),%eax + movb %bl,(%rdi,%rcx,1) + cmpq %r10,%rcx + movb %dl,(%rdi,%rsi,1) + jne .Lcmov7 + movq %rbx,%rax +.Lcmov7: + addb %bl,%dl + xorb (%rdi,%rdx,1),%r9b + rorl $8,%r9d + leaq -8(%r11),%r11 + movl %r8d,(%r13) + leaq 8(%r12),%r12 + movl %r9d,4(%r13) + leaq 8(%r13),%r13 + + testq $-8,%r11 + jnz .Lcloop8 + cmpq $0,%r11 + jne .Lcloop1 + jmp .Lexit +.p2align 4 +.Lcloop1: + addb %al,%cl + movzbl %cl,%ecx + movzbl (%rdi,%rcx,1),%edx + movb %al,(%rdi,%rcx,1) + movb %dl,(%rdi,%r10,1) + addb %al,%dl + addb $1,%r10b + movzbl %dl,%edx + movzbl %r10b,%r10d + movzbl (%rdi,%rdx,1),%edx + movzbl (%rdi,%r10,1),%eax + xorb (%r12),%dl + leaq 1(%r12),%r12 + movb %dl,(%r13) + leaq 
1(%r13),%r13 + subq $1,%r11 + jnz .Lcloop1 + jmp .Lexit + +.p2align 4 +.Lexit: + subb $1,%r10b + movl %r10d,-8(%rdi) + movl %ecx,-4(%rdi) + + movq (%rsp),%r13 + movq 8(%rsp),%r12 + movq 16(%rsp),%rbx + addq $24,%rsp +.Lepilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_RC4: +.globl RC4_set_key +.def RC4_set_key; .scl 2; .type 32; .endef +.p2align 4 +RC4_set_key: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_RC4_set_key: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + + leaq 8(%rdi),%rdi + leaq (%rdx,%rsi,1),%rdx + negq %rsi + movq %rsi,%rcx + xorl %eax,%eax + xorq %r9,%r9 + xorq %r10,%r10 + xorq %r11,%r11 + + movl OPENSSL_ia32cap_P(%rip),%r8d + btl $IA32CAP_BIT0_INTELP4,%r8d + jc .Lc1stloop + jmp .Lw1stloop + +.p2align 4 +.Lw1stloop: + movl %eax,(%rdi,%rax,4) + addb $1,%al + jnc .Lw1stloop + + xorq %r9,%r9 + xorq %r8,%r8 +.p2align 4 +.Lw2ndloop: + movl (%rdi,%r9,4),%r10d + addb (%rdx,%rsi,1),%r8b + addb %r10b,%r8b + addq $1,%rsi + movl (%rdi,%r8,4),%r11d + cmovzq %rcx,%rsi + movl %r10d,(%rdi,%r8,4) + movl %r11d,(%rdi,%r9,4) + addb $1,%r9b + jnc .Lw2ndloop + jmp .Lexit_key + +.p2align 4 +.Lc1stloop: + movb %al,(%rdi,%rax,1) + addb $1,%al + jnc .Lc1stloop + + xorq %r9,%r9 + xorq %r8,%r8 +.p2align 4 +.Lc2ndloop: + movb (%rdi,%r9,1),%r10b + addb (%rdx,%rsi,1),%r8b + addb %r10b,%r8b + addq $1,%rsi + movb (%rdi,%r8,1),%r11b + jnz .Lcnowrap + movq %rcx,%rsi +.Lcnowrap: + movb %r10b,(%rdi,%r8,1) + movb %r11b,(%rdi,%r9,1) + addb $1,%r9b + jnc .Lc2ndloop + movl $-1,256(%rdi) + +.p2align 4 +.Lexit_key: + xorl %eax,%eax + movl %eax,-8(%rdi) + movl %eax,-4(%rdi) + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_RC4_set_key: + +.globl RC4_options +.def RC4_options; .scl 2; .type 32; .endef +.p2align 4 +RC4_options: + leaq .Lopts(%rip),%rax + movl OPENSSL_ia32cap_P(%rip),%edx + btl $IA32CAP_BIT0_INTELP4,%edx + jc .L8xchar + btl $IA32CAP_BIT0_INTEL,%edx + jnc .Ldone + addq $25,%rax + retq +.L8xchar: + addq $12,%rax +.Ldone: + 
retq +.p2align 6 +.Lopts: +.byte 114,99,52,40,56,120,44,105,110,116,41,0 +.byte 114,99,52,40,56,120,44,99,104,97,114,41,0 +.byte 114,99,52,40,49,54,120,44,105,110,116,41,0 +.byte 82,67,52,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.p2align 6 + diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c index ec8a71b..d373d7c 100644 --- a/crypto/rsa/rsa_ameth.c +++ b/crypto/rsa/rsa_ameth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_ameth.c,v 1.18 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: rsa_ameth.c,v 1.24 2019/11/20 10:46:17 inoguchi Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ 
@@ -62,27 +62,94 @@ #include #include +#include #include -#include #include - #include "asn1_locl.h" +#include "cryptlib.h" +#include "evp_locl.h" +#include "rsa_locl.h" + +#ifndef OPENSSL_NO_CMS +static int rsa_cms_sign(CMS_SignerInfo *si); +static int rsa_cms_verify(CMS_SignerInfo *si); +static int rsa_cms_decrypt(CMS_RecipientInfo *ri); +static int rsa_cms_encrypt(CMS_RecipientInfo *ri); +#endif + +static RSA_PSS_PARAMS *rsa_pss_decode(const X509_ALGOR *alg); + +/* Set any parameters associated with pkey */ +static int +rsa_param_encode(const EVP_PKEY *pkey, ASN1_STRING **pstr, int *pstrtype) +{ + const RSA *rsa = pkey->pkey.rsa; + + *pstr = NULL; + + /* If RSA it's just NULL type */ + if (pkey->ameth->pkey_id != EVP_PKEY_RSA_PSS) { + *pstrtype = V_ASN1_NULL; + return 1; + } + + /* If no PSS parameters we omit parameters entirely */ + if (rsa->pss == NULL) { + *pstrtype = V_ASN1_UNDEF; + return 1; + } + + /* Encode PSS parameters */ + if (ASN1_item_pack(rsa->pss, &RSA_PSS_PARAMS_it, pstr) == NULL) + return 0; + + *pstrtype = V_ASN1_SEQUENCE; + return 1; +} + +/* Decode any parameters and set them in RSA structure */ +static int +rsa_param_decode(RSA *rsa, const X509_ALGOR *alg) +{ + const ASN1_OBJECT *algoid; + const void *algp; + int algptype; + + X509_ALGOR_get0(&algoid, &algptype, &algp, alg); + if (OBJ_obj2nid(algoid) != EVP_PKEY_RSA_PSS) + return 1; + if (algptype == V_ASN1_UNDEF) + return 1; + if (algptype != V_ASN1_SEQUENCE) { + RSAerror(RSA_R_INVALID_PSS_PARAMETERS); + return 0; + } + rsa->pss = rsa_pss_decode(alg); + if (rsa->pss == NULL) + return 0; + return 1; +} static int rsa_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey) { unsigned char *penc = NULL; int penclen; + ASN1_STRING *str; + int strtype; + if (!rsa_param_encode(pkey, &str, &strtype)) + return 0; penclen = i2d_RSAPublicKey(pkey->pkey.rsa, &penc); if (penclen <= 0) return 0; - if (X509_PUBKEY_set0_param(pk, OBJ_nid2obj(EVP_PKEY_RSA), - V_ASN1_NULL, NULL, penc, penclen)) + if 
(X509_PUBKEY_set0_param(pk, OBJ_nid2obj(pkey->ameth->pkey_id), + strtype, str, penc, penclen)) return 1; free(penc); + return 0; } @@ -91,15 +158,23 @@ rsa_pub_decode(EVP_PKEY *pkey, X509_PUBKEY *pubkey) { const unsigned char *p; int pklen; + X509_ALGOR *alg; RSA *rsa = NULL; - if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, NULL, pubkey)) + if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey)) return 0; - if (!(rsa = d2i_RSAPublicKey(NULL, &p, pklen))) { + if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) { RSAerror(ERR_R_RSA_LIB); return 0; } - EVP_PKEY_assign_RSA (pkey, rsa); + if (!rsa_param_decode(rsa, alg)) { + RSA_free(rsa); + return 0; + } + if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) { + RSA_free(rsa); + return 0; + } return 1; } @@ -109,6 +184,7 @@ rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b) if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0 || BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0) return 0; + return 1; } @@ -117,11 +193,11 @@ old_rsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen) { RSA *rsa; - if (!(rsa = d2i_RSAPrivateKey (NULL, pder, derlen))) { + if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) { RSAerror(ERR_R_RSA_LIB); return 0; } - EVP_PKEY_assign_RSA(pkey, rsa); + EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); return 1; } @@ -136,17 +212,23 @@ rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) { unsigned char *rk = NULL; int rklen; + ASN1_STRING *str; + int strtype; + + if (!rsa_param_encode(pkey, &str, &strtype)) + return 0; rklen = i2d_RSAPrivateKey(pkey->pkey.rsa, &rk); - if (rklen <= 0) { RSAerror(ERR_R_MALLOC_FAILURE); + ASN1_STRING_free(str); return 0; } - if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(NID_rsaEncryption), 0, - V_ASN1_NULL, NULL, rk, rklen)) { + if (!PKCS8_pkey_set0(p8, OBJ_nid2obj(pkey->ameth->pkey_id), 0, + strtype, str, rk, rklen)) { RSAerror(ERR_R_MALLOC_FAILURE); + ASN1_STRING_free(str); return 0; } 
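Review bot: rsa_pub_encode leaks the ASN1_STRING that rsa_param_encode allocates for an RSA-PSS key: the `penclen <= 0` early return and the fall-through after a failed X509_PUBKEY_set0_param both drop `str` without freeing it, while rsa_priv_encode in this same commit calls ASN1_STRING_free(str) on both of its failure paths. Only the success path hands ownership of `str` to X509_PUBKEY_set0_param. Add `ASN1_STRING_free(str);` before each `return 0;` in rsa_pub_encode; rsa_priv_encode already calls it with a possibly-NULL `str` (plain RSA keys get `*pstr = NULL`), so the same call is safe here.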
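Review bot: old_rsa_priv_decode still ignores the return value of the new `EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)` call, whereas rsa_pub_decode in this commit checks it and frees the RSA on failure. If the assignment fails the freshly decoded private key is leaked and the caller is told decoding succeeded. I would change it to `if (!EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa)) { RSA_free(rsa); return 0; }` to match rsa_pub_decode.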
@@ -154,14 +236,27 @@ rsa_priv_encode(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pkey) } static int -rsa_priv_decode(EVP_PKEY *pkey, PKCS8_PRIV_KEY_INFO *p8) +rsa_priv_decode(EVP_PKEY *pkey, const PKCS8_PRIV_KEY_INFO *p8) { const unsigned char *p; + RSA *rsa; int pklen; + const X509_ALGOR *alg; - if (!PKCS8_pkey_get0(NULL, &p, &pklen, NULL, p8)) + if (!PKCS8_pkey_get0(NULL, &p, &pklen, &alg, p8)) return 0; - return old_rsa_priv_decode(pkey, &p, pklen); + rsa = d2i_RSAPrivateKey(NULL, &p, pklen); + if (rsa == NULL) { + RSAerror(ERR_R_RSA_LIB); + return 0; + } + if (!rsa_param_decode(rsa, alg)) { + RSA_free(rsa); + return 0; + } + EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa); + + return 1; } static int 
@@ -182,6 +277,130 @@ int_rsa_free(EVP_PKEY *pkey) RSA_free(pkey->pkey.rsa); } +static X509_ALGOR * +rsa_mgf1_decode(X509_ALGOR *alg) +{ + if (OBJ_obj2nid(alg->algorithm) != NID_mgf1) + return NULL; + + return ASN1_TYPE_unpack_sequence(&X509_ALGOR_it, alg->parameter); +} + +static RSA_PSS_PARAMS * +rsa_pss_decode(const X509_ALGOR *alg) +{ + RSA_PSS_PARAMS *pss; + + pss = ASN1_TYPE_unpack_sequence(&RSA_PSS_PARAMS_it, alg->parameter); + if (pss == NULL) + return NULL; + + if (pss->maskGenAlgorithm != NULL) { + pss->maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); + if (pss->maskHash == NULL) { + RSA_PSS_PARAMS_free(pss); + return NULL; + } + } + + return pss; +} + +static int +rsa_pss_param_print(BIO *bp, int pss_key, RSA_PSS_PARAMS *pss, int indent) +{ + int rv = 0; + X509_ALGOR *maskHash = NULL; + + if (!BIO_indent(bp, indent, 128)) + goto err; + if (pss_key) { + if (pss == NULL) { + if (BIO_puts(bp, "No PSS parameter restrictions\n") <= 0) + return 0; + return 1; + } else { + if (BIO_puts(bp, "PSS parameter restrictions:") <= 0) + return 0; + } + } else if (pss == NULL) { + if (BIO_puts(bp,"(INVALID PSS PARAMETERS)\n") <= 0) + return 0; + return 1; + } + if (BIO_puts(bp, "\n") <= 0) + goto err; + if (pss_key) + indent += 2; + if (!BIO_indent(bp, indent, 128)) + goto err; + if (BIO_puts(bp, "Hash Algorithm: ") <= 0) + goto err; + + if (pss->hashAlgorithm) { + if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) + goto err; + } else if (BIO_puts(bp, "sha1 (default)") <= 0) { + goto err; + } + + if (BIO_puts(bp, "\n") <= 0) + goto err; + + if (!BIO_indent(bp, indent, 128)) + goto err; + + if (BIO_puts(bp, "Mask Algorithm: ") <= 0) + goto err; + if (pss->maskGenAlgorithm) { + if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0) + goto err; + if (BIO_puts(bp, " with ") <= 0) + goto err; + maskHash = rsa_mgf1_decode(pss->maskGenAlgorithm); + if (maskHash != NULL) { + if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) + goto err; + } else if 
(BIO_puts(bp, "INVALID") <= 0) { + goto err; + } + } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) { + goto err; + } + BIO_puts(bp, "\n"); + + if (!BIO_indent(bp, indent, 128)) + goto err; + if (BIO_printf(bp, "%s Salt Length: 0x", pss_key ? "Minimum" : "") <= 0) + goto err; + if (pss->saltLength) { + if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) + goto err; + } else if (BIO_puts(bp, "14 (default)") <= 0) { + goto err; + } + BIO_puts(bp, "\n"); + + if (!BIO_indent(bp, indent, 128)) + goto err; + if (BIO_puts(bp, "Trailer Field: 0x") <= 0) + goto err; + if (pss->trailerField) { + if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) + goto err; + } else if (BIO_puts(bp, "BC (default)") <= 0) { + goto err; + } + BIO_puts(bp, "\n"); + + rv = 1; + + err: + X509_ALGOR_free(maskHash); + return rv; + +} + static void update_buflen(const BIGNUM *b, size_t *pbuflen) { @@ -194,11 +413,12 @@ update_buflen(const BIGNUM *b, size_t *pbuflen) } static int -do_rsa_print(BIO *bp, const RSA *x, int off, int priv) +pkey_rsa_print(BIO *bp, const EVP_PKEY *pkey, int off, int priv) { + const RSA *x = pkey->pkey.rsa; + unsigned char *m = NULL; char *str; const char *s; - unsigned char *m = NULL; int ret = 0, mod_len = 0; size_t buf_len = 0; @@ -226,7 +446,10 @@ do_rsa_print(BIO *bp, const RSA *x, int off, int priv) if (!BIO_indent(bp, off, 128)) goto err; - if (priv && x->d) { + if (BIO_printf(bp, "%s ", pkey_is_pss(pkey) ? "RSA-PSS" : "RSA") <= 0) + goto err; + + if (priv && x->d != NULL) { if (BIO_printf(bp, "Private-Key: (%d bit)\n", mod_len) <= 0) goto err; str = "modulus:"; 
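Review bot: rsa_pss_param_print re-decodes the MGF1 hash with `rsa_mgf1_decode(pss->maskGenAlgorithm)` even though every RSA_PSS_PARAMS reaching it from the callers visible in this diff was produced by rsa_pss_decode, which already stores that result in `pss->maskHash` and returns NULL (freeing pss) when it cannot be decoded; the local `maskHash` is therefore a second allocation of the same structure, and the "INVALID" branch can only be hit if that second decode fails on allocation. I would print `pss->maskHash->algorithm` directly and drop the local `maskHash` and the `X509_ALGOR_free(maskHash)` at `err`, or, if the printer is meant to accept parameters not produced by rsa_pss_decode, say so in a comment such as `/* pss may come from elsewhere than rsa_pss_decode, so decode the MGF1 hash here rather than trusting pss->maskHash */`. Separately, the three bare `BIO_puts(bp, "\n");` calls ignore their return value while every other write in the function is checked with `goto err`; they should be checked the same way.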
@@ -235,14 +458,14 @@ do_rsa_print(BIO *bp, const RSA *x, int off, int priv) if (BIO_printf(bp, "Public-Key: (%d bit)\n", mod_len) <= 0) goto err; str = "Modulus:"; - s= "Exponent:"; + s = "Exponent:"; } if (!ASN1_bn_print(bp, str, x->n, m, off)) goto err; if (!ASN1_bn_print(bp, s, x->e, m, off)) goto err; if (priv) { - if (!ASN1_bn_print(bp, "privateExponent:", x->d,m, off)) + if (!ASN1_bn_print(bp, "privateExponent:", x->d, m, off)) goto err; if (!ASN1_bn_print(bp, "prime1:", x->p, m, off)) goto err; 
@@ -255,148 +478,41 @@ do_rsa_print(BIO *bp, const RSA *x, int off, int priv) if (!ASN1_bn_print(bp, "coefficient:", x->iqmp, m, off)) goto err; } + if (pkey_is_pss(pkey) && !rsa_pss_param_print(bp, 1, x->pss, off)) + goto err; ret = 1; -err: + err: free(m); - return (ret); + return ret; } static int rsa_pub_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) { - return do_rsa_print(bp, pkey->pkey.rsa, indent, 0); + return pkey_rsa_print(bp, pkey, indent, 0); } static int rsa_priv_print(BIO *bp, const EVP_PKEY *pkey, int indent, ASN1_PCTX *ctx) { - return do_rsa_print(bp, pkey->pkey.rsa, indent, 1); -} - -static RSA_PSS_PARAMS * -rsa_pss_decode(const X509_ALGOR *alg, X509_ALGOR **pmaskHash) -{ - const unsigned char *p; - int plen; - RSA_PSS_PARAMS *pss; - - *pmaskHash = NULL; - - if (!alg->parameter || alg->parameter->type != V_ASN1_SEQUENCE) - return NULL; - - p = alg->parameter->value.sequence->data; - plen = alg->parameter->value.sequence->length; - pss = d2i_RSA_PSS_PARAMS(NULL, &p, plen); - - if (!pss) - return NULL; - - if (pss->maskGenAlgorithm) { - ASN1_TYPE *param = pss->maskGenAlgorithm->parameter; - if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) == NID_mgf1 && - param && param->type == V_ASN1_SEQUENCE) { - p = param->value.sequence->data; - plen = param->value.sequence->length; - *pmaskHash = d2i_X509_ALGOR(NULL, &p, plen); - } - } - - return pss; -} - -static int -rsa_pss_param_print(BIO *bp, RSA_PSS_PARAMS *pss, X509_ALGOR *maskHash, - int indent) -{ - int rv = 0; - - if (!pss) { - if (BIO_puts(bp, " (INVALID PSS PARAMETERS)\n") <= 0) - return 0; - return 1; - } - if (BIO_puts(bp, "\n") <= 0) - goto err; - if (!BIO_indent(bp, indent, 128)) - goto err; - if (BIO_puts(bp, "Hash Algorithm: ") <= 0) - goto err; - - if (pss->hashAlgorithm) { - if (i2a_ASN1_OBJECT(bp, pss->hashAlgorithm->algorithm) <= 0) - goto err; - } else if (BIO_puts(bp, "sha1 (default)") <= 0) - goto err; - - if (BIO_puts(bp, "\n") <= 0) - goto err; - - if 
(!BIO_indent(bp, indent, 128)) - goto err; - - if (BIO_puts(bp, "Mask Algorithm: ") <= 0) - goto err; - if (pss->maskGenAlgorithm) { - if (i2a_ASN1_OBJECT(bp, pss->maskGenAlgorithm->algorithm) <= 0) - goto err; - if (BIO_puts(bp, " with ") <= 0) - goto err; - if (maskHash) { - if (i2a_ASN1_OBJECT(bp, maskHash->algorithm) <= 0) - goto err; - } else if (BIO_puts(bp, "INVALID") <= 0) - goto err; - } else if (BIO_puts(bp, "mgf1 with sha1 (default)") <= 0) - goto err; - BIO_puts(bp, "\n"); - - if (!BIO_indent(bp, indent, 128)) - goto err; - if (BIO_puts(bp, "Salt Length: 0x") <= 0) - goto err; - if (pss->saltLength) { - if (i2a_ASN1_INTEGER(bp, pss->saltLength) <= 0) - goto err; - } else if (BIO_puts(bp, "14 (default)") <= 0) - goto err; - BIO_puts(bp, "\n"); - - if (!BIO_indent(bp, indent, 128)) - goto err; - if (BIO_puts(bp, "Trailer Field: 0x") <= 0) - goto err; - if (pss->trailerField) { - if (i2a_ASN1_INTEGER(bp, pss->trailerField) <= 0) - goto err; - } else if (BIO_puts(bp, "BC (default)") <= 0) - goto err; - BIO_puts(bp, "\n"); - - rv = 1; - -err: - return rv; + return pkey_rsa_print(bp, pkey, indent, 1); } static int rsa_sig_print(BIO *bp, const X509_ALGOR *sigalg, const ASN1_STRING *sig, int indent, ASN1_PCTX *pctx) { - if (OBJ_obj2nid(sigalg->algorithm) == NID_rsassaPss) { + if (OBJ_obj2nid(sigalg->algorithm) == EVP_PKEY_RSA_PSS) { int rv; - RSA_PSS_PARAMS *pss; - X509_ALGOR *maskHash; - pss = rsa_pss_decode(sigalg, &maskHash); - rv = rsa_pss_param_print(bp, pss, maskHash, indent); - if (pss) - RSA_PSS_PARAMS_free(pss); - if (maskHash) - X509_ALGOR_free(maskHash); + RSA_PSS_PARAMS *pss = rsa_pss_decode(sigalg); + + rv = rsa_pss_param_print(bp, 0, pss, indent); + RSA_PSS_PARAMS_free(pss); if (!rv) return 0; - } else if (!sig && BIO_puts(bp, "\n") <= 0) + } else if (!sig && BIO_puts(bp, "\n") <= 0) { return 0; + } if (sig) return X509_signature_dump(bp, sig, indent); return 1; 
@@ -406,6 +522,9 @@ static int rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) { X509_ALGOR *alg = NULL; + const EVP_MD *md; + const EVP_MD *mgf1md; + int min_saltlen; switch (op) { case ASN1_PKEY_CTRL_PKCS7_SIGN: @@ -414,12 +533,47 @@ rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) break; case ASN1_PKEY_CTRL_PKCS7_ENCRYPT: + if (pkey_is_pss(pkey)) + return -2; if (arg1 == 0) PKCS7_RECIP_INFO_get0_alg(arg2, &alg); break; +#ifndef OPENSSL_NO_CMS + case ASN1_PKEY_CTRL_CMS_SIGN: + if (arg1 == 0) + return rsa_cms_sign(arg2); + else if (arg1 == 1) + return rsa_cms_verify(arg2); + break; + + case ASN1_PKEY_CTRL_CMS_ENVELOPE: + if (pkey_is_pss(pkey)) + return -2; + if (arg1 == 0) + return rsa_cms_encrypt(arg2); + else if (arg1 == 1) + return rsa_cms_decrypt(arg2); + break; + + case ASN1_PKEY_CTRL_CMS_RI_TYPE: + if (pkey_is_pss(pkey)) + return -2; + *(int *)arg2 = CMS_RECIPINFO_TRANS; + return 1; +#endif case ASN1_PKEY_CTRL_DEFAULT_MD_NID: - *(int *)arg2 = NID_sha1; + if (pkey->pkey.rsa->pss != NULL) { + if (!rsa_pss_get_param(pkey->pkey.rsa->pss, &md, &mgf1md, + &min_saltlen)) { + RSAerror(ERR_R_INTERNAL_ERROR); + return 0; + } + *(int *)arg2 = EVP_MD_type(md); + /* Return of 2 indicates this MD is mandatory */ + return 2; + } + *(int *)arg2 = NID_sha256; return 1; default: 
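Review bot: pkey_rsa_print now calls `rsa_pss_param_print(bp, 1, x->pss, off)` for every RSA-PSS key, and `x->pss` is NULL for a PSS key that carries no parameter restrictions; the head of the new rsa_pss_param_print lies before this chunk, so whether the `pss_key == 1` path reports a NULL `pss` as "no restrictions" rather than as invalid parameters cannot be confirmed here. A comment at the call site recording the expectation, e.g. `/* x->pss is NULL for an unrestricted PSS key; rsa_pss_param_print() must accept that */`, makes the contract explicit. In rsa_sig_print the unconditional `RSA_PSS_PARAMS_free(pss)` after a possibly failed decode relies on the free routine accepting NULL, which the ASN1_item_free-based free does.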
@@ -433,86 +587,174 @@ rsa_pkey_ctrl(EVP_PKEY *pkey, int op, long arg1, void *arg2) return 1; } -/* Customised RSA item verification routine. This is called - * when a signature is encountered requiring special handling. We - * currently only handle PSS. - */ +/* Allocate and set algorithm ID from EVP_MD, defaults to SHA1. */ static int -rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, - X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey) +rsa_md_to_algor(X509_ALGOR **palg, const EVP_MD *md) +{ + if (md == NULL || EVP_MD_type(md) == NID_sha1) + return 1; + *palg = X509_ALGOR_new(); + if (*palg == NULL) + return 0; + X509_ALGOR_set_md(*palg, md); + return 1; +} + +/* Allocate and set MGF1 algorithm ID from EVP_MD. */ +static int +rsa_md_to_mgf1(X509_ALGOR **palg, const EVP_MD *mgf1md) +{ + X509_ALGOR *algtmp = NULL; + ASN1_STRING *stmp = NULL; + + *palg = NULL; + if (mgf1md == NULL || EVP_MD_type(mgf1md) == NID_sha1) + return 1; + /* need to embed algorithm ID inside another */ + if (!rsa_md_to_algor(&algtmp, mgf1md)) + goto err; + if (ASN1_item_pack(algtmp, &X509_ALGOR_it, &stmp) == NULL) + goto err; + *palg = X509_ALGOR_new(); + if (*palg == NULL) + goto err; + X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp); + stmp = NULL; + err: + ASN1_STRING_free(stmp); + X509_ALGOR_free(algtmp); + if (*palg) + return 1; + return 0; +} + +/* Convert algorithm ID to EVP_MD, defaults to SHA1. */ +static const EVP_MD * +rsa_algor_to_md(X509_ALGOR *alg) +{ + const EVP_MD *md; + + if (!alg) + return EVP_sha1(); + md = EVP_get_digestbyobj(alg->algorithm); + if (md == NULL) + RSAerror(RSA_R_UNKNOWN_DIGEST); + return md; +} + +/* + * Convert EVP_PKEY_CTX in PSS mode into corresponding algorithm parameter, + * suitable for setting an AlgorithmIdentifier. 
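Review bot: The default digest returned for `ASN1_PKEY_CTRL_DEFAULT_MD_NID` moves from `NID_sha1` to `NID_sha256` without a comment; this silently changes the digest chosen by PKCS#7/CMS signing paths that do not name one, which is the right direction but should be stated, e.g. `/* SHA-1 is no longer an acceptable default signing digest */`. When `rsa_pss_get_param` fails for a restricted key, the `RSAerror(ERR_R_INTERNAL_ERROR)` pushed here lands on top of the specific reason that helper already reports (invalid salt length, invalid trailer or unknown digest, per the next hunks), so the generic error could be dropped to keep the error queue meaningful. rsa_pkey_ctrl ends outside this hunk.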
+ */ +static RSA_PSS_PARAMS * +rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) +{ + const EVP_MD *sigmd, *mgf1md; + EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx); + int saltlen; + + if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0) + return NULL; + if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) + return NULL; + if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen)) + return NULL; + if (saltlen == -1) { + saltlen = EVP_MD_size(sigmd); + } else if (saltlen == -2 || saltlen == -3) { + saltlen = EVP_PKEY_size(pk) - EVP_MD_size(sigmd) - 2; + if ((EVP_PKEY_bits(pk) & 0x7) == 1) + saltlen--; + if (saltlen < 0) + return NULL; + } + + return rsa_pss_params_create(sigmd, mgf1md, saltlen); +} + +RSA_PSS_PARAMS * +rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md, int saltlen) +{ + RSA_PSS_PARAMS *pss = RSA_PSS_PARAMS_new(); + + if (pss == NULL) + goto err; + if (saltlen != 20) { + pss->saltLength = ASN1_INTEGER_new(); + if (pss->saltLength == NULL) + goto err; + if (!ASN1_INTEGER_set(pss->saltLength, saltlen)) + goto err; + } + if (!rsa_md_to_algor(&pss->hashAlgorithm, sigmd)) + goto err; + if (mgf1md == NULL) + mgf1md = sigmd; + if (!rsa_md_to_mgf1(&pss->maskGenAlgorithm, mgf1md)) + goto err; + if (!rsa_md_to_algor(&pss->maskHash, mgf1md)) + goto err; + return pss; + err: + RSA_PSS_PARAMS_free(pss); + return NULL; +} + +static ASN1_STRING * +rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx) +{ + RSA_PSS_PARAMS *pss = rsa_ctx_to_pss(pkctx); + ASN1_STRING *os; + + if (pss == NULL) + return NULL; + + os = ASN1_item_pack(pss, &RSA_PSS_PARAMS_it, NULL); + RSA_PSS_PARAMS_free(pss); + return os; +} + +/* + * From PSS AlgorithmIdentifier set public key parameters. If pkey isn't NULL + * then the EVP_MD_CTX is setup and initialised. If it is NULL parameters are + * passed to pkctx instead. 
+ */ + +static int +rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx, + X509_ALGOR *sigalg, EVP_PKEY *pkey) { int rv = -1; int saltlen; const EVP_MD *mgf1md = NULL, *md = NULL; RSA_PSS_PARAMS *pss; - X509_ALGOR *maskHash; - EVP_PKEY_CTX *pkctx; /* Sanity check: make sure it is PSS */ - if (OBJ_obj2nid(sigalg->algorithm) != NID_rsassaPss) { + if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE); return -1; } - /* Decode PSS parameters */ - pss = rsa_pss_decode(sigalg, &maskHash); + pss = rsa_pss_decode(sigalg); - if (pss == NULL) { + if (!rsa_pss_get_param(pss, &md, &mgf1md, &saltlen)) { RSAerror(RSA_R_INVALID_PSS_PARAMETERS); goto err; } - /* Check mask and lookup mask hash algorithm */ - if (pss->maskGenAlgorithm) { - if (OBJ_obj2nid(pss->maskGenAlgorithm->algorithm) != NID_mgf1) { - RSAerror(RSA_R_UNSUPPORTED_MASK_ALGORITHM); - goto err; - } - if (!maskHash) { - RSAerror(RSA_R_UNSUPPORTED_MASK_PARAMETER); - goto err; - } - mgf1md = EVP_get_digestbyobj(maskHash->algorithm); - if (mgf1md == NULL) { - RSAerror(RSA_R_UNKNOWN_MASK_DIGEST); - goto err; - } - } else - mgf1md = EVP_sha1(); - - if (pss->hashAlgorithm) { - md = EVP_get_digestbyobj(pss->hashAlgorithm->algorithm); - if (md == NULL) { - RSAerror(RSA_R_UNKNOWN_PSS_DIGEST); - goto err; - } - } else - md = EVP_sha1(); - - if (pss->saltLength) { - saltlen = ASN1_INTEGER_get(pss->saltLength); - - /* Could perform more salt length sanity checks but the main - * RSA routines will trap other invalid values anyway. - */ - if (saltlen < 0) { - RSAerror(RSA_R_INVALID_SALT_LENGTH); - goto err; - } - } else - saltlen = 20; - - /* low-level routines support only trailer field 0xbc (value 1) - * and PKCS#1 says we should reject any other value anyway. 
- */ - if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) { - RSAerror(RSA_R_INVALID_TRAILER); - goto err; - } /* We have all parameters now set up context */ - - if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey)) - goto err; + if (pkey) { + if (!EVP_DigestVerifyInit(ctx, &pkctx, md, NULL, pkey)) + goto err; + } else { + const EVP_MD *checkmd; + if (EVP_PKEY_CTX_get_signature_md(pkctx, &checkmd) <= 0) + goto err; + if (EVP_MD_type(md) != EVP_MD_type(checkmd)) { + RSAerror(RSA_R_DIGEST_DOES_NOT_MATCH); + goto err; + } + } if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_PSS_PADDING) <= 0) goto err; 
@@ -523,101 +765,318 @@ rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) goto err; /* Carry on */ - rv = 2; + rv = 1; -err: + err: RSA_PSS_PARAMS_free(pss); - if (maskHash) - X509_ALGOR_free(maskHash); return rv; } +int +rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd, + const EVP_MD **pmgf1md, int *psaltlen) +{ + if (pss == NULL) + return 0; + *pmd = rsa_algor_to_md(pss->hashAlgorithm); + if (*pmd == NULL) + return 0; + *pmgf1md = rsa_algor_to_md(pss->maskHash); + if (*pmgf1md == NULL) + return 0; + if (pss->saltLength) { + *psaltlen = ASN1_INTEGER_get(pss->saltLength); + if (*psaltlen < 0) { + RSAerror(RSA_R_INVALID_SALT_LENGTH); + return 0; + } + } else { + *psaltlen = 20; + } + + /* + * low-level routines support only trailer field 0xbc (value 1) and + * PKCS#1 says we should reject any other value anyway. + */ + if (pss->trailerField && ASN1_INTEGER_get(pss->trailerField) != 1) { + RSAerror(RSA_R_INVALID_TRAILER); + return 0; + } + + return 1; +} + +#ifndef OPENSSL_NO_CMS +static int +rsa_cms_verify(CMS_SignerInfo *si) +{ + int nid, nid2; + X509_ALGOR *alg; + EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si); + + CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); + nid = OBJ_obj2nid(alg->algorithm); + if (nid == EVP_PKEY_RSA_PSS) + return rsa_pss_to_ctx(NULL, pkctx, alg, NULL); + /* Only PSS allowed for PSS keys */ + if (pkey_ctx_is_pss(pkctx)) { + RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); + return 0; + } + if (nid == NID_rsaEncryption) + return 1; + /* Workaround for some implementation that use a signature OID */ + if (OBJ_find_sigid_algs(nid, NULL, &nid2)) { + if (nid2 == NID_rsaEncryption) + return 1; + } + return 0; +} +#endif + +/* + * Customised RSA item verification routine. This is called when a signature + * is encountered requiring special handling. We currently only handle PSS. 
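Review bot: rsa_pss_to_ctx drops the explicit checks that rejected a `maskGenAlgorithm` other than MGF1 or one without parameters (`RSA_R_UNSUPPORTED_MASK_ALGORITHM`, `RSA_R_UNSUPPORTED_MASK_PARAMETER`), and the replacement rsa_pss_get_param maps a NULL `maskHash` to SHA-1 through `rsa_algor_to_md`, so rejection of an unsupported MGF now rests entirely on the new rsa_pss_decode, whose body is outside this chunk, returning NULL. If that is the intent, a comment at the `rsa_pss_decode(sigalg)` call such as `/* rsa_pss_decode() fails on any maskGenAlgorithm other than MGF1, so a NULL maskHash below really is the SHA-1 default */` records it; otherwise the check belongs in rsa_pss_get_param. Separately, rsa_md_to_mgf1 sets `stmp = NULL` without looking at the result of `X509_ALGOR_set0`, which can fail when it has to allocate its parameter slot and would then leak `stmp` while the function still returns 1 because `*palg` is non-NULL; replace the call with `if (!X509_ALGOR_set0(*palg, OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp)) { X509_ALGOR_free(*palg); *palg = NULL; goto err; }` and keep `stmp = NULL;` after it. The same unchecked `X509_ALGOR_set0` pattern recurs in rsa_item_sign, rsa_cms_sign and rsa_cms_encrypt in the following hunk. rsa_pss_to_ctx continues past the end of this hunk.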
+ */ +static int +rsa_item_verify(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, + X509_ALGOR *sigalg, ASN1_BIT_STRING *sig, EVP_PKEY *pkey) +{ + /* Sanity check: make sure it is PSS */ + if (OBJ_obj2nid(sigalg->algorithm) != EVP_PKEY_RSA_PSS) { + RSAerror(RSA_R_UNSUPPORTED_SIGNATURE_TYPE); + return -1; + } + if (rsa_pss_to_ctx(ctx, NULL, sigalg, pkey) > 0) { + /* Carry on */ + return 2; + } + return -1; +} + +#ifndef OPENSSL_NO_CMS +static int +rsa_cms_sign(CMS_SignerInfo *si) +{ + int pad_mode = RSA_PKCS1_PADDING; + X509_ALGOR *alg; + EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si); + ASN1_STRING *os = NULL; + + CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); + if (pkctx) { + if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) + return 0; + } + if (pad_mode == RSA_PKCS1_PADDING) { + X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); + return 1; + } + /* We don't support it */ + if (pad_mode != RSA_PKCS1_PSS_PADDING) + return 0; + os = rsa_ctx_to_pss_string(pkctx); + if (!os) + return 0; + X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os); + return 1; +} +#endif + static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, void *asn, X509_ALGOR *alg1, X509_ALGOR *alg2, ASN1_BIT_STRING *sig) { - int pad_mode; EVP_PKEY_CTX *pkctx = ctx->pctx; + int pad_mode; if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) return 0; if (pad_mode == RSA_PKCS1_PADDING) return 2; if (pad_mode == RSA_PKCS1_PSS_PADDING) { - const EVP_MD *sigmd, *mgf1md; - RSA_PSS_PARAMS *pss = NULL; - X509_ALGOR *mgf1alg = NULL; - ASN1_STRING *os1 = NULL, *os2 = NULL; - EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx); - int saltlen, rv = 0; - - sigmd = EVP_MD_CTX_md(ctx); - if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) - goto err; - if (!EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen)) - goto err; - if (saltlen == -1) - saltlen = EVP_MD_size(sigmd); - else if (saltlen == -2) { - saltlen = EVP_PKEY_size(pk) - 
EVP_MD_size(sigmd) - 2; - if (((EVP_PKEY_bits(pk) - 1) & 0x7) == 0) - saltlen--; - } - pss = RSA_PSS_PARAMS_new(); - if (!pss) - goto err; - if (saltlen != 20) { - pss->saltLength = ASN1_INTEGER_new(); - if (!pss->saltLength) - goto err; - if (!ASN1_INTEGER_set(pss->saltLength, saltlen)) - goto err; - } - if (EVP_MD_type(sigmd) != NID_sha1) { - pss->hashAlgorithm = X509_ALGOR_new(); - if (!pss->hashAlgorithm) - goto err; - X509_ALGOR_set_md(pss->hashAlgorithm, sigmd); - } - if (EVP_MD_type(mgf1md) != NID_sha1) { - ASN1_STRING *stmp = NULL; - /* need to embed algorithm ID inside another */ - mgf1alg = X509_ALGOR_new(); - X509_ALGOR_set_md(mgf1alg, mgf1md); - if (!ASN1_item_pack(mgf1alg, &X509_ALGOR_it, - &stmp)) - goto err; - pss->maskGenAlgorithm = X509_ALGOR_new(); - if (!pss->maskGenAlgorithm) - goto err; - X509_ALGOR_set0(pss->maskGenAlgorithm, - OBJ_nid2obj(NID_mgf1), V_ASN1_SEQUENCE, stmp); - } - /* Finally create string with pss parameter encoding. */ - if (!ASN1_item_pack(pss, &RSA_PSS_PARAMS_it, &os1)) - goto err; + ASN1_STRING *os1 = NULL; + os1 = rsa_ctx_to_pss_string(pkctx); + if (!os1) + return 0; + /* Duplicate parameters if we have to */ if (alg2) { - os2 = ASN1_STRING_dup(os1); - if (!os2) - goto err; - X509_ALGOR_set0(alg2, OBJ_nid2obj(NID_rsassaPss), + ASN1_STRING *os2 = ASN1_STRING_dup(os1); + if (!os2) { + ASN1_STRING_free(os1); + return 0; + } + X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os2); } - X509_ALGOR_set0(alg1, OBJ_nid2obj(NID_rsassaPss), + X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os1); - os1 = os2 = NULL; - rv = 3; -err: - if (mgf1alg) - X509_ALGOR_free(mgf1alg); - if (pss) - RSA_PSS_PARAMS_free(pss); - ASN1_STRING_free(os1); - return rv; + return 3; } return 2; } +#ifndef OPENSSL_NO_CMS +static RSA_OAEP_PARAMS * +rsa_oaep_decode(const X509_ALGOR *alg) +{ + RSA_OAEP_PARAMS *oaep; + + oaep = ASN1_TYPE_unpack_sequence(&RSA_OAEP_PARAMS_it, alg->parameter); + if (oaep == NULL) + return 
NULL; + + if (oaep->maskGenFunc != NULL) { + oaep->maskHash = rsa_mgf1_decode(oaep->maskGenFunc); + if (oaep->maskHash == NULL) { + RSA_OAEP_PARAMS_free(oaep); + return NULL; + } + } + return oaep; +} + +static int +rsa_cms_decrypt(CMS_RecipientInfo *ri) +{ + EVP_PKEY_CTX *pkctx; + X509_ALGOR *cmsalg; + int nid; + int rv = -1; + unsigned char *label = NULL; + int labellen = 0; + const EVP_MD *mgf1md = NULL, *md = NULL; + RSA_OAEP_PARAMS *oaep; + + pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); + if (pkctx == NULL) + return 0; + if (!CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &cmsalg)) + return -1; + nid = OBJ_obj2nid(cmsalg->algorithm); + if (nid == NID_rsaEncryption) + return 1; + if (nid != NID_rsaesOaep) { + RSAerror(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE); + return -1; + } + /* Decode OAEP parameters */ + oaep = rsa_oaep_decode(cmsalg); + + if (oaep == NULL) { + RSAerror(RSA_R_INVALID_OAEP_PARAMETERS); + goto err; + } + + mgf1md = rsa_algor_to_md(oaep->maskHash); + if (mgf1md == NULL) + goto err; + md = rsa_algor_to_md(oaep->hashFunc); + if (md == NULL) + goto err; + + if (oaep->pSourceFunc != NULL) { + X509_ALGOR *plab = oaep->pSourceFunc; + + if (OBJ_obj2nid(plab->algorithm) != NID_pSpecified) { + RSAerror(RSA_R_UNSUPPORTED_LABEL_SOURCE); + goto err; + } + if (plab->parameter->type != V_ASN1_OCTET_STRING) { + RSAerror(RSA_R_INVALID_LABEL); + goto err; + } + + label = plab->parameter->value.octet_string->data; + + /* Stop label being freed when OAEP parameters are freed */ + /* XXX - this leaks label on error... 
*/ + plab->parameter->value.octet_string->data = NULL; + labellen = plab->parameter->value.octet_string->length; + } + + if (EVP_PKEY_CTX_set_rsa_padding(pkctx, RSA_PKCS1_OAEP_PADDING) <= 0) + goto err; + if (EVP_PKEY_CTX_set_rsa_oaep_md(pkctx, md) <= 0) + goto err; + if (EVP_PKEY_CTX_set_rsa_mgf1_md(pkctx, mgf1md) <= 0) + goto err; + if (EVP_PKEY_CTX_set0_rsa_oaep_label(pkctx, label, labellen) <= 0) + goto err; + + rv = 1; + + err: + RSA_OAEP_PARAMS_free(oaep); + return rv; +} + +static int +rsa_cms_encrypt(CMS_RecipientInfo *ri) +{ + const EVP_MD *md, *mgf1md; + RSA_OAEP_PARAMS *oaep = NULL; + ASN1_STRING *os = NULL; + X509_ALGOR *alg; + EVP_PKEY_CTX *pkctx = CMS_RecipientInfo_get0_pkey_ctx(ri); + int pad_mode = RSA_PKCS1_PADDING, rv = 0, labellen; + unsigned char *label; + + if (CMS_RecipientInfo_ktri_get0_algs(ri, NULL, NULL, &alg) <= 0) + return 0; + if (pkctx) { + if (EVP_PKEY_CTX_get_rsa_padding(pkctx, &pad_mode) <= 0) + return 0; + } + if (pad_mode == RSA_PKCS1_PADDING) { + X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaEncryption), V_ASN1_NULL, 0); + return 1; + } + /* Not supported */ + if (pad_mode != RSA_PKCS1_OAEP_PADDING) + return 0; + if (EVP_PKEY_CTX_get_rsa_oaep_md(pkctx, &md) <= 0) + goto err; + if (EVP_PKEY_CTX_get_rsa_mgf1_md(pkctx, &mgf1md) <= 0) + goto err; + labellen = EVP_PKEY_CTX_get0_rsa_oaep_label(pkctx, &label); + if (labellen < 0) + goto err; + oaep = RSA_OAEP_PARAMS_new(); + if (oaep == NULL) + goto err; + if (!rsa_md_to_algor(&oaep->hashFunc, md)) + goto err; + if (!rsa_md_to_mgf1(&oaep->maskGenFunc, mgf1md)) + goto err; + if (labellen > 0) { + ASN1_OCTET_STRING *los; + oaep->pSourceFunc = X509_ALGOR_new(); + if (oaep->pSourceFunc == NULL) + goto err; + los = ASN1_OCTET_STRING_new(); + if (los == NULL) + goto err; + if (!ASN1_OCTET_STRING_set(los, label, labellen)) { + ASN1_OCTET_STRING_free(los); + goto err; + } + X509_ALGOR_set0(oaep->pSourceFunc, OBJ_nid2obj(NID_pSpecified), + V_ASN1_OCTET_STRING, los); + } + /* create string with pss 
parameter encoding. */ + if (!ASN1_item_pack(oaep, &RSA_OAEP_PARAMS_it, &os)) + goto err; + X509_ALGOR_set0(alg, OBJ_nid2obj(NID_rsaesOaep), V_ASN1_SEQUENCE, os); + os = NULL; + rv = 1; + err: + RSA_OAEP_PARAMS_free(oaep); + ASN1_STRING_free(os); + return rv; +} +#endif + const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = { { .pkey_id = EVP_PKEY_RSA, @@ -655,3 +1114,31 @@ const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[] = { .pkey_flags = ASN1_PKEY_ALIAS } }; + +const EVP_PKEY_ASN1_METHOD rsa_pss_asn1_meth = { + .pkey_id = EVP_PKEY_RSA_PSS, + .pkey_base_id = EVP_PKEY_RSA_PSS, + .pkey_flags = ASN1_PKEY_SIGPARAM_NULL, + + .pem_str = "RSA-PSS", + .info = "OpenSSL RSA-PSS method", + + .pub_decode = rsa_pub_decode, + .pub_encode = rsa_pub_encode, + .pub_cmp = rsa_pub_cmp, + .pub_print = rsa_pub_print, + + .priv_decode = rsa_priv_decode, + .priv_encode = rsa_priv_encode, + .priv_print = rsa_priv_print, + + .pkey_size = int_rsa_size, + .pkey_bits = rsa_bits, + + .sig_print = rsa_sig_print, + + .pkey_free = int_rsa_free, + .pkey_ctrl = rsa_pkey_ctrl, + .item_verify = rsa_item_verify, + .item_sign = rsa_item_sign +}; diff --git a/crypto/rsa/rsa_asn1.c b/crypto/rsa/rsa_asn1.c index f931a93..4b8eda2 100644 --- a/crypto/rsa/rsa_asn1.c +++ b/crypto/rsa/rsa_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_asn1.c,v 1.13 2016/12/30 15:47:07 jsing Exp $ */ +/* $OpenBSD: rsa_asn1.c,v 1.15 2019/10/25 14:40:18 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -63,6 +63,8 @@ #include #include +#include "rsa_locl.h" + /* Override the default free and new methods */ static int rsa_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) 
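Review bot: rsa_cms_decrypt dereferences `plab->parameter->type` without checking that `plab->parameter` is non-NULL, yet the parameters field of an AlgorithmIdentifier is optional, so a pSpecified OID with absent parameters in a received RecipientInfo is a NULL dereference instead of `RSA_R_INVALID_LABEL`; the guard should read `if (plab->parameter == NULL || plab->parameter->type != V_ASN1_OCTET_STRING) {`. The `XXX - this leaks label on error` comment can be resolved in the same function: once `data` has been detached, `label` is owned here until `EVP_PKEY_CTX_set0_rsa_oaep_label` succeeds, so the `err:` path should `free(label)` whenever `rv != 1` (assuming, as the set0 name suggests, that ownership transfers only on success — worth confirming against the ctrl handler). In rsa_cms_encrypt the comment `/* create string with pss parameter encoding. */` describes OAEP parameters and should say so.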
@@ -200,6 +202,26 @@ const ASN1_ITEM RSAPublicKey_it = { .sname = "RSA", }; +static int +rsa_pss_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +{ + /* Free up maskHash */ + if (operation == ASN1_OP_FREE_PRE) { + RSA_PSS_PARAMS *pss = (RSA_PSS_PARAMS *)*pval; + X509_ALGOR_free(pss->maskHash); + } + return 1; +} + +static const ASN1_AUX RSA_PSS_PARAMS_aux = { + .app_data = NULL, + .flags = 0, + .ref_offset = 0, + .ref_lock = 0, + .asn1_cb = rsa_pss_cb, + .enc_offset = 0, +}; + static const ASN1_TEMPLATE RSA_PSS_PARAMS_seq_tt[] = { { .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, @@ -236,12 +258,11 @@ const ASN1_ITEM RSA_PSS_PARAMS_it = { .utype = V_ASN1_SEQUENCE, .templates = RSA_PSS_PARAMS_seq_tt, .tcount = sizeof(RSA_PSS_PARAMS_seq_tt) / sizeof(ASN1_TEMPLATE), - .funcs = NULL, + .funcs = &RSA_PSS_PARAMS_aux, .size = sizeof(RSA_PSS_PARAMS), .sname = "RSA_PSS_PARAMS", }; - RSA_PSS_PARAMS * d2i_RSA_PSS_PARAMS(RSA_PSS_PARAMS **a, const unsigned char **in, long len) { 
@@ -267,6 +288,85 @@ RSA_PSS_PARAMS_free(RSA_PSS_PARAMS *a) ASN1_item_free((ASN1_VALUE *)a, &RSA_PSS_PARAMS_it); } +static int +rsa_oaep_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it, void *exarg) +{ + /* Free up maskHash */ + if (operation == ASN1_OP_FREE_PRE) { + RSA_OAEP_PARAMS *oaep = (RSA_OAEP_PARAMS *)*pval; + X509_ALGOR_free(oaep->maskHash); + } + return 1; +} + +static const ASN1_AUX RSA_OAEP_PARAMS_aux = { + .app_data = NULL, + .flags = 0, + .ref_offset = 0, + .ref_lock = 0, + .asn1_cb = rsa_oaep_cb, + .enc_offset = 0, +}; + +static const ASN1_TEMPLATE RSA_OAEP_PARAMS_seq_tt[] = { + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 0, + .offset = offsetof(RSA_OAEP_PARAMS, hashFunc), + .field_name = "hashFunc", + .item = &X509_ALGOR_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 1, + .offset = offsetof(RSA_OAEP_PARAMS, maskGenFunc), + .field_name = "maskGenFunc", + .item = &X509_ALGOR_it, + }, + { + .flags = ASN1_TFLG_EXPLICIT | ASN1_TFLG_OPTIONAL, + .tag = 2, + .offset = offsetof(RSA_OAEP_PARAMS, pSourceFunc), + .field_name = "pSourceFunc", + .item = &X509_ALGOR_it, + }, +}; + +const ASN1_ITEM RSA_OAEP_PARAMS_it = { + .itype = ASN1_ITYPE_SEQUENCE, + .utype = V_ASN1_SEQUENCE, + .templates = RSA_OAEP_PARAMS_seq_tt, + .tcount = sizeof(RSA_OAEP_PARAMS_seq_tt) / sizeof(ASN1_TEMPLATE), + .funcs = &RSA_OAEP_PARAMS_aux, + .size = sizeof(RSA_OAEP_PARAMS), + .sname = "RSA_OAEP_PARAMS", +}; + + +RSA_OAEP_PARAMS * +d2i_RSA_OAEP_PARAMS(RSA_OAEP_PARAMS **a, const unsigned char **in, long len) +{ + return (RSA_OAEP_PARAMS *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, + &RSA_OAEP_PARAMS_it); +} + +int +i2d_RSA_OAEP_PARAMS(RSA_OAEP_PARAMS *a, unsigned char **out) +{ + return ASN1_item_i2d((ASN1_VALUE *)a, out, &RSA_OAEP_PARAMS_it); +} + +RSA_OAEP_PARAMS * +RSA_OAEP_PARAMS_new(void) +{ + return (RSA_OAEP_PARAMS *)ASN1_item_new(&RSA_OAEP_PARAMS_it); +} + +void +RSA_OAEP_PARAMS_free(RSA_OAEP_PARAMS *a) +{ + 
ASN1_item_free((ASN1_VALUE *)a, &RSA_OAEP_PARAMS_it); +} RSA * d2i_RSAPrivateKey(RSA **a, const unsigned char **in, long len) diff --git a/crypto/rsa/rsa_eay.c b/crypto/rsa/rsa_eay.c index 8e8c6d5..33201a8 100644 --- a/crypto/rsa/rsa_eay.c +++ b/crypto/rsa/rsa_eay.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_eay.c,v 1.50 2017/08/28 17:41:59 jsing Exp $ */ +/* $OpenBSD: rsa_eay.c,v 1.51 2019/11/02 13:52:31 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -144,6 +144,12 @@ static RSA_METHOD rsa_pkcs1_eay_meth = { .finish = RSA_eay_finish, }; +const RSA_METHOD * +RSA_PKCS1_OpenSSL(void) +{ + return &rsa_pkcs1_eay_meth; +} + const RSA_METHOD * RSA_PKCS1_SSLeay(void) { diff --git a/crypto/rsa/rsa_err.c b/crypto/rsa/rsa_err.c index c2b197c..4614937 100644 --- a/crypto/rsa/rsa_err.c +++ b/crypto/rsa/rsa_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_err.c,v 1.17 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: rsa_err.c,v 1.20 2019/11/01 15:13:05 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * 
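Review bot: rsa_oaep_cb is the only thing that releases `maskHash`, because that field is deliberately absent from `RSA_OAEP_PARAMS_seq_tt` (it is derived from `maskGenFunc` by rsa_oaep_decode in rsa_ameth.c rather than decoded) and the generic ASN1 free therefore never touches it; the comment `/* Free up maskHash */` should say that, e.g. `/* maskHash is not a template member; rsa_oaep_decode() fills it, so it must be freed here */`. The same wording applies to rsa_pss_cb in the earlier hunk of this file, which exists for the same reason.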
@@ -90,17 +90,22 @@ static ERR_STRING_DATA RSA_str_reasons[] = { {ERR_REASON(RSA_R_DATA_TOO_LARGE_FOR_MODULUS), "data too large for modulus"}, {ERR_REASON(RSA_R_DATA_TOO_SMALL) , "data too small"}, {ERR_REASON(RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE), "data too small for key size"}, + {ERR_REASON(RSA_R_DIGEST_DOES_NOT_MATCH) , "digest does not match"}, + {ERR_REASON(RSA_R_DIGEST_NOT_ALLOWED) , "digest not allowed"}, {ERR_REASON(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY), "digest too big for rsa key"}, {ERR_REASON(RSA_R_DMP1_NOT_CONGRUENT_TO_D), "dmp1 not congruent to d"}, {ERR_REASON(RSA_R_DMQ1_NOT_CONGRUENT_TO_D), "dmq1 not congruent to d"}, {ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1), "d e not congruent to 1"}, {ERR_REASON(RSA_R_FIRST_OCTET_INVALID) , "first octet invalid"}, {ERR_REASON(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE), "illegal or unsupported padding mode"}, + {ERR_REASON(RSA_R_INVALID_DIGEST) , "invalid digest"}, {ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) , "invalid digest length"}, {ERR_REASON(RSA_R_INVALID_HEADER) , "invalid header"}, + {ERR_REASON(RSA_R_INVALID_LABEL) , "invalid label"}, {ERR_REASON(RSA_R_INVALID_KEYBITS) , "invalid keybits"}, {ERR_REASON(RSA_R_INVALID_MESSAGE_LENGTH), "invalid message length"}, {ERR_REASON(RSA_R_INVALID_MGF1_MD) , "invalid mgf1 md"}, + {ERR_REASON(RSA_R_INVALID_OAEP_PARAMETERS), "invalid oaep parameters"}, {ERR_REASON(RSA_R_INVALID_PADDING) , "invalid padding"}, {ERR_REASON(RSA_R_INVALID_PADDING_MODE) , "invalid padding mode"}, {ERR_REASON(RSA_R_INVALID_PSS_PARAMETERS), "invalid pss parameters"}, 
@@ -111,6 +116,7 @@ static ERR_STRING_DATA RSA_str_reasons[] = { {ERR_REASON(RSA_R_IQMP_NOT_INVERSE_OF_Q) , "iqmp not inverse of q"}, {ERR_REASON(RSA_R_KEY_SIZE_TOO_SMALL) , "key size too small"}, {ERR_REASON(RSA_R_LAST_OCTET_INVALID) , "last octet invalid"}, + {ERR_REASON(RSA_R_MGF1_DIGEST_NOT_ALLOWED), "mgf1 digest not allowed"}, {ERR_REASON(RSA_R_MODULUS_TOO_LARGE) , "modulus too large"}, {ERR_REASON(RSA_R_NON_FIPS_RSA_METHOD) , "non fips rsa method"}, {ERR_REASON(RSA_R_NO_PUBLIC_EXPONENT) , "no public exponent"}, @@ -120,6 +126,7 @@ static ERR_STRING_DATA RSA_str_reasons[] = { {ERR_REASON(RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), "operation not allowed in fips mode"}, {ERR_REASON(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), "operation not supported for this keytype"}, {ERR_REASON(RSA_R_PADDING_CHECK_FAILED) , "padding check failed"}, + {ERR_REASON(RSA_R_PSS_SALTLEN_TOO_SMALL) , "pss saltlen too small"}, {ERR_REASON(RSA_R_P_NOT_PRIME) , "p not prime"}, {ERR_REASON(RSA_R_Q_NOT_PRIME) , "q not prime"}, {ERR_REASON(RSA_R_RSA_OPERATIONS_NOT_SUPPORTED), "rsa operations not supported"}, 
@@ -128,9 +135,12 @@ static ERR_STRING_DATA RSA_str_reasons[] = { {ERR_REASON(RSA_R_SSLV3_ROLLBACK_ATTACK) , "sslv3 rollback attack"}, {ERR_REASON(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD), "the asn1 object identifier is not known for this md"}, {ERR_REASON(RSA_R_UNKNOWN_ALGORITHM_TYPE), "unknown algorithm type"}, + {ERR_REASON(RSA_R_UNKNOWN_DIGEST) , "unknown digest"}, {ERR_REASON(RSA_R_UNKNOWN_MASK_DIGEST) , "unknown mask digest"}, {ERR_REASON(RSA_R_UNKNOWN_PADDING_TYPE) , "unknown padding type"}, {ERR_REASON(RSA_R_UNKNOWN_PSS_DIGEST) , "unknown pss digest"}, + {ERR_REASON(RSA_R_UNSUPPORTED_ENCRYPTION_TYPE), "unsupported encryption type"}, + {ERR_REASON(RSA_R_UNSUPPORTED_LABEL_SOURCE), "unsupported label source"}, {ERR_REASON(RSA_R_UNSUPPORTED_MASK_ALGORITHM), "unsupported mask algorithm"}, {ERR_REASON(RSA_R_UNSUPPORTED_MASK_PARAMETER), "unsupported mask parameter"}, {ERR_REASON(RSA_R_UNSUPPORTED_SIGNATURE_TYPE), "unsupported signature type"}, diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c index 544846f..0b76aae 100644 --- a/crypto/rsa/rsa_lib.c +++ b/crypto/rsa/rsa_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_lib.c,v 1.36 2018/02/20 17:42:32 tb Exp $ */ +/* $OpenBSD: rsa_lib.c,v 1.40 2020/01/17 10:40:03 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,9 +63,12 @@ #include #include #include +#include #include #include +#include "evp_locl.h" + #ifndef OPENSSL_NO_ENGINE #include #endif @@ -114,10 +117,8 @@ RSA_set_method(RSA *rsa, const RSA_METHOD *meth) if (mtmp->finish) mtmp->finish(rsa); #ifndef OPENSSL_NO_ENGINE - if (rsa->engine) { - ENGINE_finish(rsa->engine); - rsa->engine = NULL; - } + ENGINE_finish(rsa->engine); + rsa->engine = NULL; #endif rsa->meth = meth; if (meth->init) 
@@ -130,70 +131,52 @@ RSA_new_method(ENGINE *engine) { RSA *ret; - ret = malloc(sizeof(RSA)); - if (ret == NULL) { + if ((ret = calloc(1, sizeof(RSA))) == NULL) { RSAerror(ERR_R_MALLOC_FAILURE); return NULL; } ret->meth = RSA_get_default_method(); + #ifndef OPENSSL_NO_ENGINE - if (engine) { + if (engine != NULL) { if (!ENGINE_init(engine)) { RSAerror(ERR_R_ENGINE_LIB); - free(ret); - return NULL; + goto err; } ret->engine = engine; - } else + } else { ret->engine = ENGINE_get_default_RSA(); - if (ret->engine) { - ret->meth = ENGINE_get_RSA(ret->engine); - if (!ret->meth) { + } + + if (ret->engine != NULL) { + if ((ret->meth = ENGINE_get_RSA(ret->engine)) == NULL) { RSAerror(ERR_R_ENGINE_LIB); - ENGINE_finish(ret->engine); - free(ret); - return NULL; + goto err; } } #endif - ret->pad = 0; - ret->version = 0; - ret->n = NULL; - ret->e = NULL; - ret->d = NULL; - ret->p = NULL; - ret->q = NULL; - ret->dmp1 = NULL; - ret->dmq1 = NULL; - ret->iqmp = NULL; ret->references = 1; - ret->_method_mod_n = NULL; - ret->_method_mod_p = NULL; - ret->_method_mod_q = NULL; - ret->blinding = NULL; - ret->mt_blinding = NULL; ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { -#ifndef OPENSSL_NO_ENGINE - if (ret->engine) - ENGINE_finish(ret->engine); -#endif - free(ret); - return NULL; - } + + if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) + goto err; if (ret->meth->init != NULL && !ret->meth->init(ret)) { -#ifndef OPENSSL_NO_ENGINE - if (ret->engine) - ENGINE_finish(ret->engine); -#endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data); - free(ret); - ret = NULL; + goto err; } + return ret; + + err: +#ifndef OPENSSL_NO_ENGINE + ENGINE_finish(ret->engine); +#endif + free(ret); + + return NULL; } void 
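Review bot: The new `err:` path in RSA_new_method calls `ENGINE_finish(ret->engine)` unconditionally, which is only correct because `calloc` leaves `ret->engine` NULL when `ENGINE_init` fails and because ENGINE_finish tolerates NULL — the latter is implied by the guard removals in the RSA_set_method and RSA_free hunks of this file but is not stated here. A comment at the label, e.g. `/* ret->engine is NULL unless ENGINE_init succeeded; ENGINE_finish(NULL) is a no-op */`, keeps a later reordering from introducing a double finish. The switch from malloc to calloc is also what makes dropping the explicit NULL field initialisation safe; the two changes depend on each other and that is worth a word in the commit or a comment on the allocation.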
@@ -211,8 +194,7 @@ RSA_free(RSA *r) if (r->meth->finish) r->meth->finish(r); #ifndef OPENSSL_NO_ENGINE - if (r->engine) - ENGINE_finish(r->engine); + ENGINE_finish(r->engine); #endif CRYPTO_free_ex_data(CRYPTO_EX_INDEX_RSA, r, &r->ex_data); @@ -227,6 +209,7 @@ RSA_free(RSA *r) BN_clear_free(r->iqmp); BN_BLINDING_free(r->blinding); BN_BLINDING_free(r->mt_blinding); + RSA_PSS_PARAMS_free(r->pss); free(r); } @@ -370,3 +353,15 @@ RSA_set_flags(RSA *r, int flags) { r->flags |= flags; } + +int +RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2) +{ + /* Return an error if the key type is not RSA or RSA-PSS. */ + if (ctx != NULL && ctx->pmeth != NULL && + ctx->pmeth->pkey_id != EVP_PKEY_RSA && + ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + return -1; + + return EVP_PKEY_CTX_ctrl(ctx, -1, optype, cmd, p1, p2); +} diff --git a/crypto/rsa/rsa_locl.h b/crypto/rsa/rsa_locl.h index e949ee8..7036449 100644 --- a/crypto/rsa/rsa_locl.h +++ b/crypto/rsa/rsa_locl.h @@ -1,7 +1,18 @@ -/* $OpenBSD: rsa_locl.h,v 1.4 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: rsa_locl.h,v 1.11 2019/11/02 13:47:41 jsing Exp $ */ __BEGIN_HIDDEN_DECLS +#define RSA_MIN_MODULUS_BITS 512 + +/* Macros to test if a pkey or ctx is for a PSS key */ +#define pkey_is_pss(pkey) (pkey->ameth->pkey_id == EVP_PKEY_RSA_PSS) +#define pkey_ctx_is_pss(ctx) (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) + +RSA_PSS_PARAMS *rsa_pss_params_create(const EVP_MD *sigmd, const EVP_MD *mgf1md, + int saltlen); +int rsa_pss_get_param(const RSA_PSS_PARAMS *pss, const EVP_MD **pmd, + const EVP_MD **pmgf1md, int *psaltlen); + extern int int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len, unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf, size_t siglen, RSA *rsa); diff --git a/crypto/rsa/rsa_meth.c b/crypto/rsa/rsa_meth.c index 0e52799..095368b 100644 --- a/crypto/rsa/rsa_meth.c +++ b/crypto/rsa/rsa_meth.c 
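Review bot: RSA_pkey_ctx_ctrl's guard only rejects a non-RSA key type when `ctx` and `ctx->pmeth` are both non-NULL, so a NULL context or method is passed straight into EVP_PKEY_CTX_ctrl rather than producing the -1 the comment describes. If that is deliberate (EVP_PKEY_CTX_ctrl presumably diagnoses the missing context itself), the comment should say so: `/* Reject keys that are neither RSA nor RSA-PSS; a NULL ctx/pmeth is left for EVP_PKEY_CTX_ctrl() to diagnose. */`. The function's return convention (-1 here versus whatever EVP_PKEY_CTX_ctrl returns) also deserves a sentence in a header comment.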
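Review bot: The new `pkey_is_pss` and `pkey_ctx_is_pss` macros in rsa_locl.h use their argument unparenthesised (`pkey->ameth->pkey_id`), so any argument that is not a plain identifier will mis-expand. Write them as `#define pkey_is_pss(pkey) ((pkey)->ameth->pkey_id == EVP_PKEY_RSA_PSS)` and `#define pkey_ctx_is_pss(ctx) ((ctx)->pmeth->pkey_id == EVP_PKEY_RSA_PSS)`. The same applies to `rsa_pss_restricted(rctx)` added to rsa_pmeth.c further down.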
@@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_meth.c,v 1.1 2018/03/17 15:12:56 tb Exp $ */ +/* $OpenBSD: rsa_meth.c,v 1.3 2019/06/05 15:41:33 gilles Exp $ */ /* * Copyright (c) 2018 Theo Buehler * @@ -62,6 +62,24 @@ RSA_meth_dup(const RSA_METHOD *meth) return copy; } +int +RSA_meth_set1_name(RSA_METHOD *meth, const char *name) +{ + char *copy; + + if ((copy = strdup(name)) == NULL) + return 0; + free((char *)meth->name); + meth->name = copy; + return 1; +} + +int +(*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa) +{ + return meth->finish; +} + int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) 
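Review bot: RSA_meth_set1_name passes `name` to strdup() without a NULL check, and `free((char *)meth->name)` assumes the current name is heap-owned, which holds for methods built by RSA_meth_new/RSA_meth_dup but not for a static RSA_METHOD whose name is a string literal. A guard `if (name == NULL) return 0;` before the strdup is cheap, and the ownership assumption deserves a comment above the free: `/* meth->name is owned by meth (strdup'd by RSA_meth_new/dup), never a literal. */`. The enclosing file continues above and below this hunk.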
@@ -84,3 +102,174 @@ RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)) meth->finish = finish; return 1; } + +int +RSA_meth_set_pub_enc(RSA_METHOD *meth, int (*pub_enc)(int flen, + const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) +{ + meth->rsa_pub_enc = pub_enc; + return 1; +} + +int +RSA_meth_set_pub_dec(RSA_METHOD *meth, int (*pub_dec)(int flen, + const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) +{ + meth->rsa_pub_dec = pub_dec; + return 1; +} + +int +RSA_meth_set_mod_exp(RSA_METHOD *meth, int (*mod_exp)(BIGNUM *r0, + const BIGNUM *i, RSA *rsa, BN_CTX *ctx)) +{ + meth->rsa_mod_exp = mod_exp; + return 1; +} + +int +RSA_meth_set_bn_mod_exp(RSA_METHOD *meth, int (*bn_mod_exp)(BIGNUM *r, + const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *m_ctx)) +{ + meth->bn_mod_exp = bn_mod_exp; + return 1; +} + +int +RSA_meth_set_init(RSA_METHOD *meth, int (*init)(RSA *rsa)) +{ + meth->init = init; + return 1; +} + +int +RSA_meth_set_keygen(RSA_METHOD *meth, int (*keygen)(RSA *rsa, int bits, + BIGNUM *e, BN_GENCB *cb)) +{ + meth->rsa_keygen = keygen; + return 1; +} + +int +RSA_meth_set_flags(RSA_METHOD *meth, int flags) +{ + meth->flags = flags; + return 1; +} + +int +RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data) +{ + meth->app_data = app_data; + return 1; +} + +const char * +RSA_meth_get0_name(const RSA_METHOD *meth) +{ + return meth->name; +} + +int +(*RSA_meth_get_pub_enc(const RSA_METHOD *meth))(int flen, + const unsigned char *from, unsigned char *to, RSA *rsa, int padding) +{ + return meth->rsa_pub_enc; +} + +int +(*RSA_meth_get_pub_dec(const RSA_METHOD *meth))(int flen, + const unsigned char *from, unsigned char *to, RSA *rsa, int padding) +{ + return meth->rsa_pub_dec; +} + +int +(*RSA_meth_get_priv_enc(const RSA_METHOD *meth))(int flen, + const unsigned char *from, unsigned char *to, RSA *rsa, int padding) +{ + return meth->rsa_priv_enc; +} + +int +(*RSA_meth_get_priv_dec(const 
RSA_METHOD *meth))(int flen, + const unsigned char *from, unsigned char *to, RSA *rsa, int padding) +{ + return meth->rsa_priv_dec; +} + +int +(*RSA_meth_get_mod_exp(const RSA_METHOD *meth))(BIGNUM *r0, const BIGNUM *i, + RSA *rsa, BN_CTX *ctx) +{ + return meth->rsa_mod_exp; +} + +int +(*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))(BIGNUM *r, + const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *m_ctx) +{ + return meth->bn_mod_exp; +} + +int +(*RSA_meth_get_init(const RSA_METHOD *meth))(RSA *rsa) +{ + return meth->init; +} + +int +(*RSA_meth_get_keygen(const RSA_METHOD *meth))(RSA *rsa, int bits, BIGNUM *e, + BN_GENCB *cb) +{ + return meth->rsa_keygen; +} + +int +RSA_meth_get_flags(const RSA_METHOD *meth) +{ + return meth->flags; +} + +void * +RSA_meth_get0_app_data(const RSA_METHOD *meth) +{ + return meth->app_data; +} + +int +(*RSA_meth_get_sign(const RSA_METHOD *meth))(int type, + const unsigned char *m, unsigned int m_length, + unsigned char *sigret, unsigned int *siglen, + const RSA *rsa) +{ + return meth->rsa_sign; +} + +int +RSA_meth_set_sign(RSA_METHOD *meth, int (*sign)(int type, + const unsigned char *m, unsigned int m_length, unsigned char *sigret, + unsigned int *siglen, const RSA *rsa)) +{ + meth->rsa_sign = sign; + return 1; +} + +int +(*RSA_meth_get_verify(const RSA_METHOD *meth))(int dtype, + const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf, + unsigned int siglen, const RSA *rsa) +{ + return meth->rsa_verify; +} + +int +RSA_meth_set_verify(RSA_METHOD *meth, int (*verify)(int dtype, + const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf, + unsigned int siglen, const RSA *rsa)) +{ + meth->rsa_verify = verify; + return 1; +} diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c index cd7af20..e54600b 100644 --- a/crypto/rsa/rsa_oaep.c +++ b/crypto/rsa/rsa_oaep.c 
@@ -1,6 +1,57 @@ -/* $OpenBSD: rsa_oaep.c,v 1.26 2017/01/29 17:49:23 beck Exp $ */ -/* Written by Ulf Moeller. This software is distributed on an "AS IS" - basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. */ +/* $OpenBSD: rsa_oaep.c,v 1.33 2019/10/17 14:31:56 jsing Exp $ */ +/* + * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. 
Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ /* EME-OAEP as defined in RFC 2437 (PKCS #1 v2.0) */ 
@@ -22,69 +73,87 @@ #include #include -#include - -#if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) - #include #include #include #include #include -static int MGF1(unsigned char *mask, long len, const unsigned char *seed, - long seedlen); +#include "constant_time_locl.h" +#include "rsa_locl.h" int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, const unsigned char *from, int flen, const unsigned char *param, int plen) +{ + return RSA_padding_add_PKCS1_OAEP_mgf1(to, tlen, from, flen, param, + plen, NULL, NULL); +} + +int +RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, + const unsigned char *from, int flen, const unsigned char *param, int plen, + const EVP_MD *md, const EVP_MD *mgf1md) { int i, emlen = tlen - 1; unsigned char *db, *seed; - unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH]; + unsigned char *dbmask = NULL; + unsigned char seedmask[EVP_MAX_MD_SIZE]; + int mdlen, dbmask_len = 0; + int rv = 0; - if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1) { + if (md == NULL) + md = EVP_sha1(); + if (mgf1md == NULL) + mgf1md = md; + + if ((mdlen = EVP_MD_size(md)) <= 0) + goto err; + + if (flen > emlen - 2 * mdlen - 1) { RSAerror(RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); - return 0; + goto err; } - if (emlen < 2 * SHA_DIGEST_LENGTH + 1) { + if (emlen < 2 * mdlen + 1) { RSAerror(RSA_R_KEY_SIZE_TOO_SMALL); - return 0; + goto err; } to[0] = 0; seed = to + 1; - db = to + SHA_DIGEST_LENGTH + 1; + db = to + mdlen + 1; - if (!EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL)) - return 0; - memset(db + SHA_DIGEST_LENGTH, 0, - emlen - flen - 2 * SHA_DIGEST_LENGTH - 1); - db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01; - memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, flen); - arc4random_buf(seed, SHA_DIGEST_LENGTH); + if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL)) + goto err; - dbmask = malloc(emlen - SHA_DIGEST_LENGTH); - if (dbmask == NULL) { + memset(db + mdlen, 0, emlen - flen - 2 * mdlen - 1); + db[emlen - flen - mdlen - 1] 
= 0x01; + memcpy(db + emlen - flen - mdlen, from, flen); + arc4random_buf(seed, mdlen); + + dbmask_len = emlen - mdlen; + if ((dbmask = malloc(dbmask_len)) == NULL) { RSAerror(ERR_R_MALLOC_FAILURE); - return 0; + goto err; } - if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, - SHA_DIGEST_LENGTH) < 0) - return 0; - for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++) + if (PKCS1_MGF1(dbmask, dbmask_len, seed, mdlen, mgf1md) < 0) + goto err; + for (i = 0; i < dbmask_len; i++) db[i] ^= dbmask[i]; - - if (MGF1(seedmask, SHA_DIGEST_LENGTH, db, - emlen - SHA_DIGEST_LENGTH) < 0) - return 0; - for (i = 0; i < SHA_DIGEST_LENGTH; i++) + if (PKCS1_MGF1(seedmask, mdlen, db, dbmask_len, mgf1md) < 0) + goto err; + for (i = 0; i < mdlen; i++) seed[i] ^= seedmask[i]; - free(dbmask); - return 1; + rv = 1; + + err: + explicit_bzero(seedmask, sizeof(seedmask)); + freezero(dbmask, dbmask_len); + + return rv; } int 
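Review bot: In RSA_padding_add_PKCS1_OAEP_mgf1 the `EVP_MD_size(md) <= 0` check jumps to `err` without pushing an error, whereas every other failure in the function calls RSAerror(), so a caller sees a 0 return with an empty error queue; an `RSAerror(RSA_R_UNKNOWN_DIGEST)` (added to rsa_err.c in this commit) before the goto would fix that. Separately, `from` has already been copied unmasked into `db` (which aliases the caller's `to`) before the malloc and the two PKCS1_MGF1 calls can fail, so on those paths `to` is left holding the plaintext while only the seed/mask scratch is wiped; consider `if (rv == 0) explicit_bzero(to, tlen);` next to the existing explicit_bzero in the err block. The hunk starts before the function, so the includes above it are not reviewed here.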
@@ -92,95 +161,158 @@ RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, const unsigned char *from, int flen, int num, const unsigned char *param, int plen) { - int i, dblen, mlen = -1; - const unsigned char *maskeddb; - int lzero; - unsigned char *db = NULL; - unsigned char seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH]; - unsigned char *padded_from; - int bad = 0; + return RSA_padding_check_PKCS1_OAEP_mgf1(to, tlen, from, flen, num, + param, plen, NULL, NULL); +} - if (--num < 2 * SHA_DIGEST_LENGTH + 1) - /* - * 'num' is the length of the modulus, i.e. does not depend - * on the particular ciphertext. - */ - goto decoding_err; +int +RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, + const unsigned char *from, int flen, int num, const unsigned char *param, + int plen, const EVP_MD *md, const EVP_MD *mgf1md) +{ + int i, dblen = 0, mlen = -1, one_index = 0, msg_index; + unsigned int good = 0, found_one_byte, mask; + const unsigned char *maskedseed, *maskeddb; + unsigned char seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE]; + unsigned char *db = NULL, *em = NULL; + int mdlen; - lzero = num - flen; - if (lzero < 0) { - /* - * signalling this error immediately after detection might allow - * for side-channel attacks (e.g. timing if 'plen' is huge - * -- cf. James H. Manger, "A Chosen Ciphertext Attack on RSA - * Optimal Asymmetric Encryption Padding (OAEP) [...]", - * CRYPTO 2001), so we use a 'bad' flag - */ - bad = 1; - lzero = 0; - flen = num; /* don't overflow the memcpy to padded_from */ + if (md == NULL) + md = EVP_sha1(); + if (mgf1md == NULL) + mgf1md = md; + + if ((mdlen = EVP_MD_size(md)) <= 0) + return -1; + + if (tlen <= 0 || flen <= 0) + return -1; + + /* + * |num| is the length of the modulus; |flen| is the length of the + * encoded message. Therefore, for any |from| that was obtained by + * decrypting a ciphertext, we must have |flen| <= |num|. 
Similarly, + * |num| >= 2 * |mdlen| + 2 must hold for the modulus irrespective + * of the ciphertext, see PKCS #1 v2.2, section 7.1.2. + * This does not leak any side-channel information. + */ + if (num < flen || num < 2 * mdlen + 2) { + RSAerror(RSA_R_OAEP_DECODING_ERROR); + return -1; } - dblen = num - SHA_DIGEST_LENGTH; - db = malloc(dblen + num); - if (db == NULL) { + dblen = num - mdlen - 1; + if ((db = malloc(dblen)) == NULL) { RSAerror(ERR_R_MALLOC_FAILURE); - return -1; + goto cleanup; + } + if ((em = malloc(num)) == NULL) { + RSAerror(ERR_R_MALLOC_FAILURE); + goto cleanup; } /* - * Always do this zero-padding copy (even when lzero == 0) - * to avoid leaking timing info about the value of lzero. + * Caller is encouraged to pass zero-padded message created with + * BN_bn2binpad. Trouble is that since we can't read out of |from|'s + * bounds, it's impossible to have an invariant memory access pattern + * in case |from| was not zero-padded in advance. */ - padded_from = db + dblen; - memset(padded_from, 0, lzero); - memcpy(padded_from + lzero, from, flen); + for (from += flen, em += num, i = 0; i < num; i++) { + mask = ~constant_time_is_zero(flen); + flen -= 1 & mask; + from -= 1 & mask; + *--em = *from & mask; + } + from = em; - maskeddb = padded_from + SHA_DIGEST_LENGTH; + /* + * The first byte must be zero, however we must not leak if this is + * true. See James H. Manger, "A Chosen Ciphertext Attack on RSA + * Optimal Asymmetric Encryption Padding (OAEP) [...]", CRYPTO 2001). 
+ */ + good = constant_time_is_zero(from[0]); - if (MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen)) - return -1; - for (i = 0; i < SHA_DIGEST_LENGTH; i++) - seed[i] ^= padded_from[i]; + maskedseed = from + 1; + maskeddb = from + 1 + mdlen; - if (MGF1(db, dblen, seed, SHA_DIGEST_LENGTH)) - return -1; + if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md)) + goto cleanup; + for (i = 0; i < mdlen; i++) + seed[i] ^= maskedseed[i]; + + if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md)) + goto cleanup; for (i = 0; i < dblen; i++) db[i] ^= maskeddb[i]; - if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL)) - return -1; + if (!EVP_Digest((void *)param, plen, phash, NULL, md, NULL)) + goto cleanup; - if (timingsafe_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad) - goto decoding_err; - else { - for (i = SHA_DIGEST_LENGTH; i < dblen; i++) - if (db[i] != 0x00) - break; - if (i == dblen || db[i] != 0x01) - goto decoding_err; - else { - /* everything looks OK */ + good &= constant_time_is_zero(timingsafe_memcmp(db, phash, mdlen)); - mlen = dblen - ++i; - if (tlen < mlen) { - RSAerror(RSA_R_DATA_TOO_LARGE); - mlen = -1; - } else - memcpy(to, db + i, mlen); - } + found_one_byte = 0; + for (i = mdlen; i < dblen; i++) { + /* + * Padding consists of a number of 0-bytes, followed by a 1. + */ + unsigned int equals1 = constant_time_eq(db[i], 1); + unsigned int equals0 = constant_time_is_zero(db[i]); + + one_index = constant_time_select_int(~found_one_byte & equals1, + i, one_index); + found_one_byte |= equals1; + good &= (found_one_byte | equals0); + } + + good &= found_one_byte; + + /* + * At this point |good| is zero unless the plaintext was valid, + * so plaintext-awareness ensures timing side-channels are no longer a + * concern. + */ + msg_index = one_index + 1; + mlen = dblen - msg_index; + + /* + * For good measure, do this check in constant time as well. 
+ */ + good &= constant_time_ge(tlen, mlen); + + /* + * Even though we can't fake result's length, we can pretend copying + * |tlen| bytes where |mlen| bytes would be real. The last |tlen| of + * |dblen| bytes are viewed as a circular buffer starting at |tlen|-|mlen'|, + * where |mlen'| is the "saturated" |mlen| value. Deducing information + * about failure or |mlen| would require an attacker to observe + * memory access patterns with byte granularity *as it occurs*. It + * should be noted that failure is indistinguishable from normal + * operation if |tlen| is fixed by protocol. + */ + tlen = constant_time_select_int(constant_time_lt(dblen, tlen), dblen, tlen); + msg_index = constant_time_select_int(good, msg_index, dblen - tlen); + mlen = dblen - msg_index; + for (from = db + msg_index, mask = good, i = 0; i < tlen; i++) { + unsigned int equals = constant_time_eq(i, mlen); + + from -= dblen & equals; /* if (i == mlen) rewind */ + mask &= mask ^ equals; /* if (i == mlen) mask = 0 */ + to[i] = constant_time_select_8(mask, from[i], to[i]); } - free(db); - return mlen; -decoding_err: /* * To avoid chosen ciphertext attacks, the error message should not - * reveal which kind of decoding error happened + * reveal which kind of decoding error happened. */ RSAerror(RSA_R_OAEP_DECODING_ERROR); - free(db); - return -1; + err_clear_last_constant_time(1 & good); + + cleanup: + explicit_bzero(seed, sizeof(seed)); + freezero(db, dblen); + freezero(em, num); + + return constant_time_select_int(good, mlen, -1); } int @@ -219,14 +351,7 @@ PKCS1_MGF1(unsigned char *mask, long len, const unsigned char *seed, } } rv = 0; -err: + err: EVP_MD_CTX_cleanup(&c); return rv; } - -static int -MGF1(unsigned char *mask, long len, const unsigned char *seed, long seedlen) -{ - return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1()); -} -#endif diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c index b4a4e73..008d425 100644 --- a/crypto/rsa/rsa_pmeth.c +++ b/crypto/rsa/rsa_pmeth.c 
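Review bot: RSA_padding_check_PKCS1_OAEP_mgf1 returns -1 for a bad `mdlen`, `tlen <= 0` or `flen <= 0` without pushing any error, while the very next check (`num < flen || num < 2 * mdlen + 2`) reports RSA_R_OAEP_DECODING_ERROR, so callers that inspect the error queue see inconsistent failure modes; none of these checks depend on the ciphertext, so reporting them is side-channel-safe. The function's contract also deserves a header comment because the final copy loop touches up to `tlen` bytes of `to` whether or not decoding succeeded (it re-stores the existing bytes on failure): `/* Returns the message length or -1; |to| is touched regardless of outcome and must only be interpreted when the return value is non-negative. */`. Wrapped at the file's width that comment exceeds three lines, so keep it as a block comment above the function rather than inline.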
@@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_pmeth.c,v 1.20 2017/08/28 17:41:59 jsing Exp $ */ +/* $OpenBSD: rsa_pmeth.c,v 1.32 2019/10/31 14:05:30 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2006. */ @@ -68,7 +68,7 @@ #include #include #include - +#include #include "evp_locl.h" #include "rsa_locl.h" @@ -87,28 +87,38 @@ typedef struct { const EVP_MD *md; /* message digest for MGF1 */ const EVP_MD *mgf1md; - /* PSS/OAEP salt length */ + /* PSS salt length */ int saltlen; + /* Minimum salt length or -1 if no PSS parameter restriction */ + int min_saltlen; /* Temp buffer */ unsigned char *tbuf; + /* OAEP label */ + unsigned char *oaep_label; + size_t oaep_labellen; } RSA_PKEY_CTX; +/* True if PSS parameters are restricted */ +#define rsa_pss_restricted(rctx) (rctx->min_saltlen != -1) + static int pkey_rsa_init(EVP_PKEY_CTX *ctx) { RSA_PKEY_CTX *rctx; - rctx = malloc(sizeof(RSA_PKEY_CTX)); - if (!rctx) + if ((rctx = calloc(1, sizeof(RSA_PKEY_CTX))) == NULL) return 0; - rctx->nbits = 2048; - rctx->pub_exp = NULL; - rctx->pad_mode = RSA_PKCS1_PADDING; - rctx->md = NULL; - rctx->mgf1md = NULL; - rctx->tbuf = NULL; - rctx->saltlen = -2; + rctx->nbits = 2048; + + if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) + rctx->pad_mode = RSA_PKCS1_PSS_PADDING; + else + rctx->pad_mode = RSA_PKCS1_PADDING; + + /* Maximum for sign, auto for verify */ + rctx->saltlen = RSA_PSS_SALTLEN_AUTO; + rctx->min_saltlen = -1; ctx->data = rctx; ctx->keygen_info = rctx->gentmp; 
@@ -124,27 +134,38 @@ pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) if (!pkey_rsa_init(dst)) return 0; + sctx = src->data; dctx = dst->data; dctx->nbits = sctx->nbits; - if (sctx->pub_exp) { - dctx->pub_exp = BN_dup(sctx->pub_exp); - if (!dctx->pub_exp) + if (sctx->pub_exp != NULL) { + BN_free(dctx->pub_exp); + if ((dctx->pub_exp = BN_dup(sctx->pub_exp)) == NULL) return 0; } dctx->pad_mode = sctx->pad_mode; dctx->md = sctx->md; + dctx->mgf1md = sctx->mgf1md; + if (sctx->oaep_label != NULL) { + free(dctx->oaep_label); + if ((dctx->oaep_label = calloc(1, sctx->oaep_labellen)) == NULL) + return 0; + memcpy(dctx->oaep_label, sctx->oaep_label, sctx->oaep_labellen); + dctx->oaep_labellen = sctx->oaep_labellen; + } + return 1; } static int setup_tbuf(RSA_PKEY_CTX *ctx, EVP_PKEY_CTX *pk) { - if (ctx->tbuf) + if (ctx->tbuf != NULL) return 1; - ctx->tbuf = malloc(EVP_PKEY_size(pk->pkey)); - if (!ctx->tbuf) + if ((ctx->tbuf = calloc(1, EVP_PKEY_size(pk->pkey))) == NULL) { + RSAerror(ERR_R_MALLOC_FAILURE); return 0; + } return 1; } @@ -156,6 +177,7 @@ pkey_rsa_cleanup(EVP_PKEY_CTX *ctx) if (rctx) { BN_free(rctx->pub_exp); free(rctx->tbuf); + free(rctx->oaep_label); free(rctx); } } @@ -175,8 +197,14 @@ pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, } if (rctx->pad_mode == RSA_X931_PADDING) { - if (!setup_tbuf(rctx, ctx)) + if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { + RSAerror(RSA_R_KEY_SIZE_TOO_SMALL); return -1; + } + if (!setup_tbuf(rctx, ctx)) { + RSAerror(ERR_R_MALLOC_FAILURE); + return -1; + } memcpy(rctx->tbuf, tbs, tbslen); rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); 
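Review bot: pkey_rsa_copy copies `md`, `mgf1md`, `pad_mode` and the OAEP label but not `saltlen`, so a duplicated PSS context silently reverts to the RSA_PSS_SALTLEN_AUTO default set by pkey_rsa_init; add `dctx->saltlen = sctx->saltlen;` next to the mgf1md line. `min_saltlen` is likewise not copied, which would drop a key's PSS restriction on the copy if it is established in the context rather than recomputed from the key — where it is set is not visible in this diff, so please confirm. The function's declarations are above the hunk.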
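Review bot: In pkey_rsa_sign's X9.31 branch the new `if (!setup_tbuf(rctx, ctx)) { RSAerror(ERR_R_MALLOC_FAILURE); return -1; }` reports the allocation failure twice, because setup_tbuf in the hunk above now pushes ERR_R_MALLOC_FAILURE itself; keep the call as `if (!setup_tbuf(rctx, ctx)) return -1;` as the other setup_tbuf callers do. The added `EVP_PKEY_size(ctx->pkey) < tbslen + 1` check is the right guard for the `rctx->tbuf[tbslen]` write that follows. pkey_rsa_sign's body continues outside the hunk.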
@@ -198,11 +226,13 @@ pkey_rsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, return -1; ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, sig, rsa, RSA_NO_PADDING); - } else + } else { return -1; - } else + } + } else { ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, rctx->pad_mode); + } if (ret < 0) return ret; *siglen = ret; @@ -226,7 +256,7 @@ pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen, return 0; ret--; if (rctx->tbuf[ret] != - RSA_X931_hash_id(EVP_MD_type(rctx->md))) { + RSA_X931_hash_id(EVP_MD_type(rctx->md))) { RSAerror(RSA_R_ALGORITHM_MISMATCH); return 0; } @@ -244,11 +274,13 @@ pkey_rsa_verifyrecover(EVP_PKEY_CTX *ctx, unsigned char *rout, size_t *routlen, if (ret <= 0) return 0; ret = sltmp; - } else + } else { return -1; - } else + } + } else { ret = RSA_public_decrypt(siglen, sig, rout, ctx->pkey->pkey.rsa, rctx->pad_mode); + } if (ret < 0) return ret; *routlen = ret; @@ -267,6 +299,10 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen, if (rctx->pad_mode == RSA_PKCS1_PADDING) return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, sig, siglen, rsa); + if (tbslen != (size_t)EVP_MD_size(rctx->md)) { + RSAerror(RSA_R_INVALID_DIGEST_LENGTH); + return -1; + } if (rctx->pad_mode == RSA_X931_PADDING) { if (pkey_rsa_verifyrecover(ctx, NULL, &rslen, sig, siglen) <= 0) @@ -285,8 +321,9 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen, if (ret <= 0) return 0; return 1; - } else + } else { return -1; + } } else { if (!setup_tbuf(rctx, ctx)) return -1; @@ -296,7 +333,7 @@ pkey_rsa_verify(EVP_PKEY_CTX *ctx, const unsigned char *sig, size_t siglen, return 0; } - if (rslen != tbslen || memcmp(tbs, rctx->tbuf, rslen)) + if (rslen != tbslen || timingsafe_bcmp(tbs, rctx->tbuf, rslen)) return 0; return 1; 
@@ -306,11 +343,23 @@ static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, const unsigned char *in, size_t inlen) { - int ret; RSA_PKEY_CTX *rctx = ctx->data; + int ret; - ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, - rctx->pad_mode); + if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { + int klen = RSA_size(ctx->pkey->pkey.rsa); + if (!setup_tbuf(rctx, ctx)) + return -1; + if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen, + in, inlen, rctx->oaep_label, rctx->oaep_labellen, + rctx->md, rctx->mgf1md)) + return -1; + ret = RSA_public_encrypt(klen, rctx->tbuf, out, + ctx->pkey->pkey.rsa, RSA_NO_PADDING); + } else { + ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, + rctx->pad_mode); + } if (ret < 0) return ret; *outlen = ret; @@ -324,8 +373,20 @@ pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, int ret; RSA_PKEY_CTX *rctx = ctx->data; - ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, - rctx->pad_mode); + if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING) { + if (!setup_tbuf(rctx, ctx)) + return -1; + ret = RSA_private_decrypt(inlen, in, rctx->tbuf, + ctx->pkey->pkey.rsa, RSA_NO_PADDING); + if (ret <= 0) + return ret; + ret = RSA_padding_check_PKCS1_OAEP_mgf1(out, ret, rctx->tbuf, + ret, ret, rctx->oaep_label, rctx->oaep_labellen, rctx->md, + rctx->mgf1md); + } else { + ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, + rctx->pad_mode); + } if (ret < 0) return ret; *outlen = ret; @@ -335,7 +396,7 @@ pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, unsigned char *out, size_t *outlen, static int check_padding_md(const EVP_MD *md, int padding) { - if (!md) + if (md == NULL) return 1; if (padding == RSA_NO_PADDING) { 
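Review bot: In pkey_rsa_decrypt's OAEP branch the unpadding call passes the decrypted length `ret` (the modulus size) as the `tlen` capacity of `out`, and the caller-supplied `*outlen` is never consulted, so `out` must be sized for the padded block even though the recovered message is shorter; that is the EVP convention but it is easy to miss and deserves a comment: `/* |out| must hold RSA_size() bytes: the OAEP check may write up to the padded length, not *outlen. */`. In pkey_rsa_encrypt's OAEP branch `inlen` (size_t) is narrowed to the `int flen` parameter of RSA_padding_add_PKCS1_OAEP_mgf1, where a value above INT_MAX would become negative and pass the `flen > emlen - 2 * mdlen - 1` check; the pre-existing non-OAEP branch has the same narrowing, so a single `if (inlen > INT_MAX) return -1;` at the top of each function would cover both. Both functions' bodies continue outside the hunks.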
@@ -348,7 +409,24 @@ check_padding_md(const EVP_MD *md, int padding) RSAerror(RSA_R_INVALID_X931_DIGEST); return 0; } - return 1; + } else { + /* List of all supported RSA digests. */ + switch(EVP_MD_type(md)) { + case NID_sha1: + case NID_sha224: + case NID_sha256: + case NID_sha384: + case NID_sha512: + case NID_md5: + case NID_md5_sha1: + case NID_md4: + case NID_ripemd160: + return 1; + + default: + RSAerror(RSA_R_INVALID_DIGEST); + return 0; + } } return 1; @@ -370,6 +448,8 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) goto bad_pad; if (!rctx->md) rctx->md = EVP_sha1(); + } else if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) { + goto bad_pad; } if (p1 == RSA_PKCS1_OAEP_PADDING) { if (!(ctx->operation & EVP_PKEY_OP_TYPE_CRYPT)) @@ -380,7 +460,7 @@ pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) rctx->pad_mode = p1; return 1; } -bad_pad: + bad_pad: RSAerror(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); return -2; 
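Review bot: check_padding_md's new allowlist admits NID_md4, NID_md5 and NID_md5_sha1 as signature digests for PKCS#1 padding, so RSA signatures over collision-broken hashes remain reachable through the EVP_PKEY path; if that is kept for interoperability with legacy peers, say so above the switch: `/* MD4/MD5/MD5-SHA1 are retained for legacy interoperability only. */`. Minor style: KNF writes `switch (` with a space, so `switch(EVP_MD_type(md))` should match. check_padding_md's head is in the previous hunk and its tail below this one.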
@@ -394,38 +474,78 @@ bad_pad: RSAerror(RSA_R_INVALID_PSS_SALTLEN); return -2; } - if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) + if (type == EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN) { *(int *)p2 = rctx->saltlen; - else { - if (p1 < -2) + } else { + if (p1 < RSA_PSS_SALTLEN_MAX) return -2; + if (rsa_pss_restricted(rctx)) { + if (p1 == RSA_PSS_SALTLEN_AUTO && + ctx->operation == EVP_PKEY_OP_VERIFY) { + RSAerror(RSA_R_INVALID_PSS_SALTLEN); + return -2; + } + if ((p1 == RSA_PSS_SALTLEN_DIGEST && + rctx->min_saltlen > EVP_MD_size(rctx->md)) || + (p1 >= 0 && p1 < rctx->min_saltlen)) { + RSAerror(RSA_R_PSS_SALTLEN_TOO_SMALL); + return 0; + } + } rctx->saltlen = p1; } return 1; case EVP_PKEY_CTRL_RSA_KEYGEN_BITS: - if (p1 < 256) { - RSAerror(RSA_R_INVALID_KEYBITS); + if (p1 < RSA_MIN_MODULUS_BITS) { + RSAerror(RSA_R_KEY_SIZE_TOO_SMALL); return -2; } rctx->nbits = p1; return 1; case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP: - if (!p2) + if (p2 == NULL || !BN_is_odd((BIGNUM *)p2) || + BN_is_one((BIGNUM *)p2)) { + RSAerror(RSA_R_BAD_E_VALUE); return -2; + } + BN_free(rctx->pub_exp); rctx->pub_exp = p2; return 1; + case EVP_PKEY_CTRL_RSA_OAEP_MD: + case EVP_PKEY_CTRL_GET_RSA_OAEP_MD: + if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { + RSAerror(RSA_R_INVALID_PADDING_MODE); + return -2; + } + if (type == EVP_PKEY_CTRL_GET_RSA_OAEP_MD) + *(const EVP_MD **)p2 = rctx->md; + else + rctx->md = p2; + return 1; + case EVP_PKEY_CTRL_MD: if (!check_padding_md(p2, rctx->pad_mode)) return 0; + if (rsa_pss_restricted(rctx)) { + if (EVP_MD_type(rctx->md) == EVP_MD_type(p2)) + return 1; + RSAerror(RSA_R_DIGEST_NOT_ALLOWED); + return 0; + } rctx->md = p2; return 1; + case EVP_PKEY_CTRL_GET_MD: + *(const EVP_MD **)p2 = rctx->md; + return 1; + case EVP_PKEY_CTRL_RSA_MGF1_MD: case EVP_PKEY_CTRL_GET_RSA_MGF1_MD: - if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING) { + if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING && + rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { RSAerror(RSA_R_INVALID_MGF1_MD); return -2; } 
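Review bot: In pkey_rsa_ctrl's EVP_PKEY_CTRL_MD case the restricted-PSS branch evaluates `EVP_MD_type(rctx->md) == EVP_MD_type(p2)` after check_padding_md has explicitly accepted a NULL `md`, so a NULL `p2` (a caller clearing the digest) reaches EVP_MD_type with a NULL pointer; `rctx->md` can presumably only be NULL when the key is unrestricted, but that invariant is not visible here. Add `if (p2 == NULL) { RSAerror(RSA_R_DIGEST_NOT_ALLOWED); return 0; }` before the comparison, or check both pointers. The EVP_PKEY_CTRL_RSA_MGF1_MD case in the next hunk has the same shape with `rctx->mgf1md`.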
@@ -434,30 +554,70 @@ bad_pad: *(const EVP_MD **)p2 = rctx->mgf1md; else *(const EVP_MD **)p2 = rctx->md; - } else + } else { + if (rsa_pss_restricted(rctx)) { + if (EVP_MD_type(rctx->mgf1md) == EVP_MD_type(p2)) + return 1; + RSAerror(RSA_R_MGF1_DIGEST_NOT_ALLOWED); + return 0; + } rctx->mgf1md = p2; + } return 1; + case EVP_PKEY_CTRL_RSA_OAEP_LABEL: + if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { + RSAerror(RSA_R_INVALID_PADDING_MODE); + return -2; + } + free(rctx->oaep_label); + if (p2 != NULL && p1 > 0) { + rctx->oaep_label = p2; + rctx->oaep_labellen = p1; + } else { + rctx->oaep_label = NULL; + rctx->oaep_labellen = 0; + } + return 1; + + case EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL: + if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING) { + RSAerror(RSA_R_INVALID_PADDING_MODE); + return -2; + } + *(unsigned char **)p2 = rctx->oaep_label; + return rctx->oaep_labellen; + case EVP_PKEY_CTRL_DIGESTINIT: + case EVP_PKEY_CTRL_PKCS7_SIGN: +#ifndef OPENSSL_NO_CMS + case EVP_PKEY_CTRL_CMS_SIGN: +#endif + return 1; + case EVP_PKEY_CTRL_PKCS7_ENCRYPT: case EVP_PKEY_CTRL_PKCS7_DECRYPT: - case EVP_PKEY_CTRL_PKCS7_SIGN: - return 1; +#ifndef OPENSSL_NO_CMS + case EVP_PKEY_CTRL_CMS_DECRYPT: + case EVP_PKEY_CTRL_CMS_ENCRYPT: +#endif + if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + return 1; + + /* fall through */ case EVP_PKEY_CTRL_PEER_KEY: RSAerror(RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE); return -2; default: return -2; + } } static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value) { - long lval; - char *ep; - if (!value) { RSAerror(RSA_R_VALUE_MISSING); return 0; 
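Review bot: In the new EVP_PKEY_CTRL_RSA_OAEP_LABEL case, when `p2` is non-NULL but `p1 <= 0` the control returns 1 without taking ownership of `p2`, yet it is a set0-style control: the string caller added to pkey_rsa_ctrl_str (the `rsa_oaep_label` branch two hunks below) frees `lab` only when the return is <= 0, so a zero-length label would be leaked there if string_to_hex can hand back a non-NULL buffer with length 0. Either return an error for `p2 != NULL && p1 <= 0`, or free `p2` in the else branch and document that ownership always transfers: `/* Takes ownership of p2 in every case. */`. EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL also returns the `size_t` label length through an `int`; an explicit cast would make that narrowing visible.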
@@ -483,39 +643,29 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value) return EVP_PKEY_CTX_set_rsa_padding(ctx, pm); } - if (!strcmp(type, "rsa_pss_saltlen")) { + if (strcmp(type, "rsa_pss_saltlen") == 0) { int saltlen; - errno = 0; - lval = strtol(value, &ep, 10); - if (value[0] == '\0' || *ep != '\0') - goto not_a_number; - if ((errno == ERANGE && - (lval == LONG_MAX || lval == LONG_MIN)) || - (lval > INT_MAX || lval < INT_MIN)) - goto out_of_range; - saltlen = lval; + if (!strcmp(value, "digest")) + saltlen = RSA_PSS_SALTLEN_DIGEST; + else if (!strcmp(value, "max")) + saltlen = RSA_PSS_SALTLEN_MAX; + else if (!strcmp(value, "auto")) + saltlen = RSA_PSS_SALTLEN_AUTO; + else + saltlen = atoi(value); return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen); } - if (!strcmp(type, "rsa_keygen_bits")) { - int nbits; + if (strcmp(type, "rsa_keygen_bits") == 0) { + int nbits = atoi(value); - errno = 0; - lval = strtol(value, &ep, 10); - if (value[0] == '\0' || *ep != '\0') - goto not_a_number; - if ((errno == ERANGE && - (lval == LONG_MAX || lval == LONG_MIN)) || - (lval > INT_MAX || lval < INT_MIN)) - goto out_of_range; - nbits = lval; return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits); } - if (!strcmp(type, "rsa_keygen_pubexp")) { - int ret; + if (strcmp(type, "rsa_keygen_pubexp") == 0) { BIGNUM *pubexp = NULL; + int ret; if (!BN_asc2bn(&pubexp, value)) return 0; 
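Review bot: Replacing the strtol()-based parsing with `atoi(value)` in the `rsa_pss_saltlen` and `rsa_keygen_bits` branches removes the rejection of empty, non-numeric, trailing-garbage and out-of-range input: a value such as `abc` now silently becomes a salt length of 0, and an out-of-range value is undefined behaviour in atoi(). The `rsa_pss_keygen_saltlen` branch in the next hunk has the same issue. A small strict parser restores the old checks without the labels the commit removed; the helper below keeps the former -2 return for malformed input and needs only the errno/limits headers the removed code already used.
```c
/* Parse a decimal int strictly; 0 on empty, trailing or out-of-range input. */
static int
rsa_ctrl_str_to_int(const char *value, int *out)
{
	long lval;
	char *ep;

	errno = 0;
	lval = strtol(value, &ep, 10);
	if (value[0] == '\0' || *ep != '\0')
		return 0;
	if ((errno == ERANGE && (lval == LONG_MAX || lval == LONG_MIN)) ||
	    lval > INT_MAX || lval < INT_MIN)
		return 0;
	*out = lval;
	return 1;
}

/* … unchanged: pkey_rsa_ctrl_str head and rsa_padding_mode branch … */
	if (strcmp(type, "rsa_pss_saltlen") == 0) {
		int saltlen;

		if (!strcmp(value, "digest"))
			saltlen = RSA_PSS_SALTLEN_DIGEST;
		else if (!strcmp(value, "max"))
			saltlen = RSA_PSS_SALTLEN_MAX;
		else if (!strcmp(value, "auto"))
			saltlen = RSA_PSS_SALTLEN_AUTO;
		else if (!rsa_ctrl_str_to_int(value, &saltlen))
			return -2;
		return EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, saltlen);
	}
	if (strcmp(type, "rsa_keygen_bits") == 0) {
		int nbits;

		if (!rsa_ctrl_str_to_int(value, &nbits))
			return -2;
		return EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, nbits);
	}
/* … unchanged: rsa_keygen_pubexp branch … */
```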
@@ -525,11 +675,70 @@ pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, const char *value) return ret; } -not_a_number: -out_of_range: + if (strcmp(type, "rsa_mgf1_md") == 0) + return EVP_PKEY_CTX_md(ctx, + EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_RSA_MGF1_MD, value); + + if (ctx->pmeth->pkey_id == EVP_PKEY_RSA_PSS) { + if (strcmp(type, "rsa_pss_keygen_mgf1_md") == 0) + return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_RSA_MGF1_MD, value); + + if (strcmp(type, "rsa_pss_keygen_md") == 0) + return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_KEYGEN, + EVP_PKEY_CTRL_MD, value); + + if (strcmp(type, "rsa_pss_keygen_saltlen") == 0) { + int saltlen = atoi(value); + + return EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, saltlen); + } + } + + if (strcmp(type, "rsa_oaep_md") == 0) + return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_TYPE_CRYPT, + EVP_PKEY_CTRL_RSA_OAEP_MD, value); + + if (strcmp(type, "rsa_oaep_label") == 0) { + unsigned char *lab; + long lablen; + int ret; + + if ((lab = string_to_hex(value, &lablen)) == NULL) + return 0; + ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen); + if (ret <= 0) + free(lab); + + return ret; + } + return -2; } +/* Set PSS parameters when generating a key, if necessary. */ +static int +rsa_set_pss_param(RSA *rsa, EVP_PKEY_CTX *ctx) +{ + RSA_PKEY_CTX *rctx = ctx->data; + + if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + return 1; + + /* If all parameters are default values then do not set PSS. */ + if (rctx->md == NULL && rctx->mgf1md == NULL && + rctx->saltlen == RSA_PSS_SALTLEN_AUTO) + return 1; + + rsa->pss = rsa_pss_params_create(rctx->md, rctx->mgf1md, + rctx->saltlen == RSA_PSS_SALTLEN_AUTO ? 0 : rctx->saltlen); + if (rsa->pss == NULL) + return 0; + + return 1; +} + static int pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) { 
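Review bot: `rsa_set_pss_param` maps only `RSA_PSS_SALTLEN_AUTO` to 0 and hands any other `rctx->saltlen` straight to `rsa_pss_params_create`, and in the same hunk `rsa_pss_keygen_saltlen` reaches that field through `atoi(value)`, which accepts negative values. I cannot see whether `EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen` or `rsa_pss_params_create` rejects negatives; if they do not, a negative sentinel or garbage value ends up encoded in the key's PSS parameters. A local guard makes the contract explicit either way: `if (rctx->saltlen < 0 && rctx->saltlen != RSA_PSS_SALTLEN_AUTO) { RSAerror(RSA_R_INVALID_SALT_LENGTH); return 0; }` before the `rsa_pss_params_create` call. In the `rsa_oaep_label` branch, `lablen` is a `long` passed to `EVP_PKEY_CTX_set0_rsa_oaep_label`; if that takes an `int`, a comment or range check on the narrowing would help, though the label comes from a config string so it is unlikely to matter in practice.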
@@ -538,22 +747,27 @@ pkey_rsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) BN_GENCB *pcb, cb; int ret; - if (!rctx->pub_exp) { - rctx->pub_exp = BN_new(); - if (!rctx->pub_exp || !BN_set_word(rctx->pub_exp, RSA_F4)) + if (rctx->pub_exp == NULL) { + if ((rctx->pub_exp = BN_new()) == NULL) + return 0; + if (!BN_set_word(rctx->pub_exp, RSA_F4)) return 0; } - rsa = RSA_new(); - if (!rsa) + if ((rsa = RSA_new()) == NULL) return 0; - if (ctx->pkey_gencb) { + if (ctx->pkey_gencb != NULL) { pcb = &cb; evp_pkey_set_cb_translate(pcb, ctx); - } else + } else { pcb = NULL; + } ret = RSA_generate_key_ex(rsa, rctx->nbits, rctx->pub_exp, pcb); + if (ret > 0 && !rsa_set_pss_param(rsa, ctx)) { + RSA_free(rsa); + return 0; + } if (ret > 0) - EVP_PKEY_assign_RSA(pkey, rsa); + EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa); else RSA_free(rsa); return ret; 
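Review bot: The return value of `EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa)` is ignored, so if the assignment fails the freshly generated private key in `rsa` is leaked and the function still returns `ret > 0` while `pkey` does not hold the key. Since the function already frees `rsa` on the PSS-parameter failure path just above, the same should happen here: `if (!EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa)) { RSA_free(rsa); return 0; }`. The two consecutive `if (ret > 0)` tests could then be folded into one branch with the `RSA_free(rsa)` in its else. pkey_rsa_keygen starts before this hunk.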
@@ -582,3 +796,73 @@ const EVP_PKEY_METHOD rsa_pkey_meth = { .ctrl = pkey_rsa_ctrl, .ctrl_str = pkey_rsa_ctrl_str }; + +/* + * Called for PSS sign or verify initialisation: checks PSS parameter + * sanity and sets any restrictions on key usage. + */ + +static int +pkey_pss_init(EVP_PKEY_CTX *ctx) +{ + RSA *rsa; + RSA_PKEY_CTX *rctx = ctx->data; + const EVP_MD *md; + const EVP_MD *mgf1md; + int min_saltlen, max_saltlen; + + /* Should never happen */ + if (ctx->pmeth->pkey_id != EVP_PKEY_RSA_PSS) + return 0; + rsa = ctx->pkey->pkey.rsa; + + /* If no restrictions just return */ + if (rsa->pss == NULL) + return 1; + + /* Get and check parameters */ + if (!rsa_pss_get_param(rsa->pss, &md, &mgf1md, &min_saltlen)) + return 0; + + /* See if minimum salt length exceeds maximum possible */ + max_saltlen = RSA_size(rsa) - EVP_MD_size(md); + if ((RSA_bits(rsa) & 0x7) == 1) + max_saltlen--; + if (min_saltlen > max_saltlen) { + RSAerror(RSA_R_INVALID_SALT_LENGTH); + return 0; + } + rctx->min_saltlen = min_saltlen; + + /* + * Set PSS restrictions as defaults: we can then block any attempt to + * use invalid values in pkey_rsa_ctrl + */ + + rctx->md = md; + rctx->mgf1md = mgf1md; + rctx->saltlen = min_saltlen; + + return 1; +} + +const EVP_PKEY_METHOD rsa_pss_pkey_meth = { + .pkey_id = EVP_PKEY_RSA_PSS, + .flags = EVP_PKEY_FLAG_AUTOARGLEN, + + .init = pkey_rsa_init, + .copy = pkey_rsa_copy, + .cleanup = pkey_rsa_cleanup, + + .keygen = pkey_rsa_keygen, + + .sign_init = pkey_pss_init, + .sign = pkey_rsa_sign, + + .verify_init = pkey_pss_init, + .verify = pkey_rsa_verify, + + .ctrl = pkey_rsa_ctrl, + .ctrl_str = pkey_rsa_ctrl_str +}; + diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c index 870f634..562f7b2 100644 --- a/crypto/rsa/rsa_pss.c +++ b/crypto/rsa/rsa_pss.c 
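Review bot: The `max_saltlen` bound in `pkey_pss_init` is looser than the PSS encoding limit: RFC 8017 §9.1.1 step 3 requires emLen >= hLen + sLen + 2, so the largest usable salt is `emLen - hLen - 2`, while the code computes `emLen - hLen` (emLen being `RSA_size(rsa)`, minus one when the modulus bit length is 1 mod 8, which the `& 0x7` test handles). A key whose minimum salt length falls in that two-byte window passes init and then fails on every sign and verify, so the check should read `max_saltlen = RSA_size(rsa) - EVP_MD_size(md) - 2;`. The `(RSA_bits(rsa) & 0x7) == 1` line also deserves a why-comment, e.g. `/* emBits = modBits - 1, so emLen loses a byte when modBits is 1 mod 8 */`. `ctx->pkey` is dereferenced without a NULL check; if callers guarantee it is set before sign_init/verify_init, a comment saying so would save the next reader the question.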
@@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_pss.c,v 1.12 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: rsa_pss.c,v 1.13 2018/09/05 00:55:33 djm Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2005. */ @@ -163,7 +163,7 @@ RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, } if (!EVP_DigestFinal_ex(&ctx, H_, NULL)) goto err; - if (memcmp(H_, H, hLen)) { + if (timingsafe_bcmp(H_, H, hLen)) { RSAerror(RSA_R_BAD_SIGNATURE); ret = 0; } else diff --git a/crypto/rsa/rsa_saos.c b/crypto/rsa/rsa_saos.c index e1fbdcb..93492ac 100644 --- a/crypto/rsa/rsa_saos.c +++ b/crypto/rsa/rsa_saos.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_saos.c,v 1.23 2017/05/02 03:59:45 deraadt Exp $ */ +/* $OpenBSD: rsa_saos.c,v 1.24 2018/09/05 00:55:33 djm Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -130,7 +130,7 @@ RSA_verify_ASN1_OCTET_STRING(int dtype, const unsigned char *m, goto err; if ((unsigned int)sig->length != m_len || - memcmp(m, sig->data, m_len) != 0) { + timingsafe_bcmp(m, sig->data, m_len) != 0) { RSAerror(RSA_R_BAD_SIGNATURE); } else ret = 1; diff --git a/crypto/rsa/rsa_sign.c b/crypto/rsa/rsa_sign.c index 6e9e869..50e07f4 100644 --- a/crypto/rsa/rsa_sign.c +++ b/crypto/rsa/rsa_sign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa_sign.c,v 1.29 2017/05/02 03:59:45 deraadt Exp $ */ +/* $OpenBSD: rsa_sign.c,v 1.31 2018/09/05 00:55:33 djm Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -70,168 +70,197 @@ /* Size of an SSL signature: MD5+SHA1 */ #define SSL_SIG_LENGTH 36 +static int encode_pkcs1(unsigned char **, int *, int , const unsigned char *, + unsigned int); + +/* + * encode_pkcs1 encodes a DigestInfo prefix of hash `type' and digest `m', as + * described in EMSA-PKCS-v1_5-ENCODE, RFC 8017 section 9. step 2. This + * encodes the DigestInfo (T and tLen) but does not add the padding. + * + * On success, it returns one and sets `*out' to a newly allocated buffer + * containing the result and `*out_len' to its length. Freeing `*out' is + * the caller's responsibility. Failure is indicated by zero. + */ +static int +encode_pkcs1(unsigned char **out, int *out_len, int type, + const unsigned char *m, unsigned int m_len) +{ + X509_SIG sig; + X509_ALGOR algor; + ASN1_TYPE parameter; + ASN1_OCTET_STRING digest; + uint8_t *der = NULL; + int len; + + sig.algor = &algor; + if ((sig.algor->algorithm = OBJ_nid2obj(type)) == NULL) { + RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE); + return 0; + } + if (sig.algor->algorithm->length == 0) { + RSAerror( + RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD); + return 0; + } + parameter.type = V_ASN1_NULL; + parameter.value.ptr = NULL; + sig.algor->parameter = ¶meter; + + sig.digest = &digest; + sig.digest->data = (unsigned char*)m; /* TMP UGLY CAST */ + sig.digest->length = m_len; + + if ((len = i2d_X509_SIG(&sig, &der)) < 0) + return 0; + + *out = der; + *out_len = len; + + return 1; +} + int RSA_sign(int type, const unsigned char *m, unsigned int m_len, unsigned char *sigret, unsigned int *siglen, RSA *rsa) { - X509_SIG sig; - ASN1_TYPE parameter; - int i, j, ret = 1; - unsigned char *p, *tmps = NULL; - const unsigned char *s = NULL; - X509_ALGOR algor; - ASN1_OCTET_STRING digest; + const unsigned char *encoded = NULL; + unsigned char *tmps = NULL; + int encrypt_len, encoded_len = 0, ret = 0; - if ((rsa->flags & RSA_FLAG_SIGN_VER) && rsa->meth->rsa_sign) + if ((rsa->flags & RSA_FLAG_SIGN_VER) && 
rsa->meth->rsa_sign != NULL) return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); - /* Special case: SSL signature, just check the length */ + /* Compute the encoded digest. */ if (type == NID_md5_sha1) { + /* + * NID_md5_sha1 corresponds to the MD5/SHA1 combination in + * TLS 1.1 and earlier. It has no DigestInfo wrapper but + * otherwise is RSASSA-PKCS-v1.5. + */ if (m_len != SSL_SIG_LENGTH) { - RSAerror(RSA_R_INVALID_MESSAGE_LENGTH); + RSAerror(RSA_R_INVALID_DIGEST_LENGTH); return 0; } - i = SSL_SIG_LENGTH; - s = m; + encoded_len = SSL_SIG_LENGTH; + encoded = m; } else { - sig.algor = &algor; - sig.algor->algorithm = OBJ_nid2obj(type); - if (sig.algor->algorithm == NULL) { - RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE); - return 0; - } - if (sig.algor->algorithm->length == 0) { - RSAerror(RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD); - return 0; - } - parameter.type = V_ASN1_NULL; - parameter.value.ptr = NULL; - sig.algor->parameter = ¶meter; - - sig.digest = &digest; - sig.digest->data = (unsigned char *)m; /* TMP UGLY CAST */ - sig.digest->length = m_len; - - i = i2d_X509_SIG(&sig, NULL); + if (!encode_pkcs1(&tmps, &encoded_len, type, m, m_len)) + goto err; + encoded = tmps; } - j = RSA_size(rsa); - if (i > j - RSA_PKCS1_PADDING_SIZE) { + if (encoded_len > RSA_size(rsa) - RSA_PKCS1_PADDING_SIZE) { RSAerror(RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); - return 0; + goto err; } - if (type != NID_md5_sha1) { - tmps = malloc(j + 1); - if (tmps == NULL) { - RSAerror(ERR_R_MALLOC_FAILURE); - return 0; - } - p = tmps; - i2d_X509_SIG(&sig, &p); - s = tmps; - } - i = RSA_private_encrypt(i, s, sigret, rsa, RSA_PKCS1_PADDING); - if (i <= 0) - ret = 0; - else - *siglen = i; + if ((encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret, + rsa, RSA_PKCS1_PADDING)) <= 0) + goto err; - if (type != NID_md5_sha1) - freezero(tmps, (unsigned int)j + 1); + *siglen = encrypt_len; + ret = 1; + + err: + freezero(tmps, (size_t)encoded_len); return (ret); } +/* + * 
int_rsa_verify verifies an RSA signature in `sigbuf' using `rsa'. It may be + * called in two modes. If `rm' is NULL, it verifies the signature for the + * digest `m'. Otherwise, it recovers the digest from the signature, writing the + * digest to `rm' and the length to `*prm_len'. `type' is the NID of the digest + * algorithm to use. It returns one on successful verification and zero + * otherwise. + */ int -int_rsa_verify(int dtype, const unsigned char *m, unsigned int m_len, +int_rsa_verify(int type, const unsigned char *m, unsigned int m_len, unsigned char *rm, size_t *prm_len, const unsigned char *sigbuf, size_t siglen, RSA *rsa) { - int i, ret = 0, sigtype; - unsigned char *s; - X509_SIG *sig = NULL; + unsigned char *decrypt_buf, *encoded = NULL; + int decrypt_len, encoded_len = 0, ret = 0; - if (siglen != (unsigned int)RSA_size(rsa)) { + if (siglen != (size_t)RSA_size(rsa)) { RSAerror(RSA_R_WRONG_SIGNATURE_LENGTH); return 0; } - if ((dtype == NID_md5_sha1) && rm) { - i = RSA_public_decrypt((int)siglen, sigbuf, rm, rsa, - RSA_PKCS1_PADDING); - if (i <= 0) - return 0; - *prm_len = i; - return 1; - } - - s = malloc(siglen); - if (s == NULL) { + /* Recover the encoded digest. */ + if ((decrypt_buf = malloc(siglen)) == NULL) { RSAerror(ERR_R_MALLOC_FAILURE); goto err; } - if (dtype == NID_md5_sha1 && m_len != SSL_SIG_LENGTH) { - RSAerror(RSA_R_INVALID_MESSAGE_LENGTH); + if ((decrypt_len = RSA_public_decrypt((int)siglen, sigbuf, decrypt_buf, + rsa, RSA_PKCS1_PADDING)) <= 0) goto err; - } - i = RSA_public_decrypt((int)siglen, sigbuf, s, rsa, RSA_PKCS1_PADDING); + + if (type == NID_md5_sha1) { + /* + * NID_md5_sha1 corresponds to the MD5/SHA1 combination in + * TLS 1.1 and earlier. It has no DigestInfo wrapper but + * otherwise is RSASSA-PKCS1-v1_5. 
+ */ + if (decrypt_len != SSL_SIG_LENGTH) { + RSAerror(RSA_R_INVALID_DIGEST_LENGTH); + goto err; + } - if (i <= 0) - goto err; - - /* Special case: SSL signature */ - if (dtype == NID_md5_sha1) { - if (i != SSL_SIG_LENGTH || memcmp(s, m, SSL_SIG_LENGTH)) - RSAerror(RSA_R_BAD_SIGNATURE); - else - ret = 1; + if (rm != NULL) { + memcpy(rm, decrypt_buf, SSL_SIG_LENGTH); + *prm_len = SSL_SIG_LENGTH; + } else { + if (m_len != SSL_SIG_LENGTH) { + RSAerror(RSA_R_INVALID_MESSAGE_LENGTH); + goto err; + } + if (timingsafe_bcmp(decrypt_buf, + m, SSL_SIG_LENGTH) != 0) { + RSAerror(RSA_R_BAD_SIGNATURE); + goto err; + } + } } else { - const unsigned char *p = s; - - sig = d2i_X509_SIG(NULL, &p, (long)i); - - if (sig == NULL) - goto err; - - /* Excess data can be used to create forgeries */ - if (p != s + i) { - RSAerror(RSA_R_BAD_SIGNATURE); - goto err; - } - - /* Parameters to the signature algorithm can also be used to - create forgeries */ - if (sig->algor->parameter && - ASN1_TYPE_get(sig->algor->parameter) != V_ASN1_NULL) { - RSAerror(RSA_R_BAD_SIGNATURE); - goto err; - } - - sigtype = OBJ_obj2nid(sig->algor->algorithm); - - if (sigtype != dtype) { - RSAerror(RSA_R_ALGORITHM_MISMATCH); - goto err; - } - if (rm) { + /* + * If recovering the digest, extract a digest-sized output from + * the end of `decrypt_buf' for `encode_pkcs1', then compare the + * decryption output as in a standard verification. 
+ */ + if (rm != NULL) { const EVP_MD *md; - md = EVP_get_digestbynid(dtype); - if (md && (EVP_MD_size(md) != sig->digest->length)) - RSAerror(RSA_R_INVALID_DIGEST_LENGTH); - else { - memcpy(rm, sig->digest->data, - sig->digest->length); - *prm_len = sig->digest->length; - ret = 1; + if ((md = EVP_get_digestbynid(type)) == NULL) { + RSAerror(RSA_R_UNKNOWN_ALGORITHM_TYPE); + goto err; } - } else if ((unsigned int)sig->digest->length != m_len || - memcmp(m, sig->digest->data, m_len) != 0) { + if ((m_len = EVP_MD_size(md)) > (size_t)decrypt_len) { + RSAerror(RSA_R_INVALID_DIGEST_LENGTH); + goto err; + } + m = decrypt_buf + decrypt_len - m_len; + } + + /* Construct the encoded digest and ensure it matches */ + if (!encode_pkcs1(&encoded, &encoded_len, type, m, m_len)) + goto err; + + if (encoded_len != decrypt_len || + timingsafe_bcmp(encoded, decrypt_buf, encoded_len) != 0) { RSAerror(RSA_R_BAD_SIGNATURE); - } else - ret = 1; + goto err; + } + + /* Output the recovered digest. */ + if (rm != NULL) { + memcpy(rm, m, m_len); + *prm_len = m_len; + } } -err: - X509_SIG_free(sig); - freezero(s, (unsigned int)siglen); + + ret = 1; + err: + freezero(encoded, (size_t)encoded_len); + freezero(decrypt_buf, siglen); return ret; } diff --git a/crypto/sha/sha1-elf-armv4.S b/crypto/sha/sha1-elf-armv4.S new file mode 100644 index 0000000..5aeaf7c --- /dev/null +++ b/crypto/sha/sha1-elf-armv4.S 
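Review bot: The new `encoded_len != decrypt_len || timingsafe_bcmp(encoded, decrypt_buf, encoded_len) != 0` check in `int_rsa_verify` is the security-relevant core of this rewrite, yet the rationale that the removed lines carried ("Excess data can be used to create forgeries", "Parameters to the signature algorithm can also be used to create forgeries") is gone, so a reader no longer learns why the decrypted blob is compared against a re-encoded DigestInfo instead of being parsed. I would put that back above the comparison: `/* Re-encode and compare the whole DigestInfo: any forgery that relies on lenient DER parsing (trailing data, non-NULL parameters, alternative encodings) fails to match byte for byte. */`. The `encode_pkcs1` header cites "EMSA-PKCS-v1_5-ENCODE, RFC 8017 section 9. step 2"; the procedure is EMSA-PKCS1-v1_5-ENCODE in §9.2, and the TLS comment in `RSA_sign` says "RSASSA-PKCS-v1.5" while the one in `int_rsa_verify` says "RSASSA-PKCS1-v1_5", so the three spellings should be unified. In the recovery path (`rm != NULL`) the digest is taken as the trailing `EVP_MD_size(md)` bytes of `decrypt_buf`, which is fine because the re-encoded comparison pins its position, but a one-line comment saying so would help. This hunk runs from the `@@ -70,168` header above; `encode_pkcs1`, `RSA_sign` and `int_rsa_verify` are complete within it.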
@@ -0,0 +1,455 @@ +#include "arm_arch.h" + +.text + +.global sha1_block_data_order +.type sha1_block_data_order,%function + +.align 2 +sha1_block_data_order: + stmdb sp!,{r4-r12,lr} + add r2,r1,r2,lsl#6 @ r2 to point at the end of r1 + ldmia r0,{r3,r4,r5,r6,r7} +.Lloop: + ldr r8,.LK_00_19 + mov r14,sp + sub sp,sp,#15*4 + mov r5,r5,ror#30 + mov r6,r6,ror#30 + mov r7,r7,ror#30 @ [6] +.L_00_15: +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) + ldrb r10,[r1,#2] + ldrb r9,[r1,#3] + ldrb r11,[r1,#1] + add r7,r8,r7,ror#2 @ E+=K_00_19 + ldrb r12,[r1],#4 + orr r9,r9,r10,lsl#8 + eor r10,r5,r6 @ F_xx_xx + orr r9,r9,r11,lsl#16 + add r7,r7,r3,ror#27 @ E+=ROR(A,27) + orr r9,r9,r12,lsl#24 +#else + ldr r9,[r1],#4 @ handles unaligned + add r7,r8,r7,ror#2 @ E+=K_00_19 + eor r10,r5,r6 @ F_xx_xx + add r7,r7,r3,ror#27 @ E+=ROR(A,27) +#ifdef __ARMEL__ + rev r9,r9 @ byte swap +#endif +#endif + and r10,r4,r10,ror#2 + add r7,r7,r9 @ E+=X[i] + eor r10,r10,r6,ror#2 @ F_00_19(B,C,D) + str r9,[r14,#-4]! + add r7,r7,r10 @ E+=F_00_19(B,C,D) +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) + ldrb r10,[r1,#2] + ldrb r9,[r1,#3] + ldrb r11,[r1,#1] + add r6,r8,r6,ror#2 @ E+=K_00_19 + ldrb r12,[r1],#4 + orr r9,r9,r10,lsl#8 + eor r10,r4,r5 @ F_xx_xx + orr r9,r9,r11,lsl#16 + add r6,r6,r7,ror#27 @ E+=ROR(A,27) + orr r9,r9,r12,lsl#24 +#else + ldr r9,[r1],#4 @ handles unaligned + add r6,r8,r6,ror#2 @ E+=K_00_19 + eor r10,r4,r5 @ F_xx_xx + add r6,r6,r7,ror#27 @ E+=ROR(A,27) +#ifdef __ARMEL__ + rev r9,r9 @ byte swap +#endif +#endif + and r10,r3,r10,ror#2 + add r6,r6,r9 @ E+=X[i] + eor r10,r10,r5,ror#2 @ F_00_19(B,C,D) + str r9,[r14,#-4]! 
+ add r6,r6,r10 @ E+=F_00_19(B,C,D) +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) + ldrb r10,[r1,#2] + ldrb r9,[r1,#3] + ldrb r11,[r1,#1] + add r5,r8,r5,ror#2 @ E+=K_00_19 + ldrb r12,[r1],#4 + orr r9,r9,r10,lsl#8 + eor r10,r3,r4 @ F_xx_xx + orr r9,r9,r11,lsl#16 + add r5,r5,r6,ror#27 @ E+=ROR(A,27) + orr r9,r9,r12,lsl#24 +#else + ldr r9,[r1],#4 @ handles unaligned + add r5,r8,r5,ror#2 @ E+=K_00_19 + eor r10,r3,r4 @ F_xx_xx + add r5,r5,r6,ror#27 @ E+=ROR(A,27) +#ifdef __ARMEL__ + rev r9,r9 @ byte swap +#endif +#endif + and r10,r7,r10,ror#2 + add r5,r5,r9 @ E+=X[i] + eor r10,r10,r4,ror#2 @ F_00_19(B,C,D) + str r9,[r14,#-4]! + add r5,r5,r10 @ E+=F_00_19(B,C,D) +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) + ldrb r10,[r1,#2] + ldrb r9,[r1,#3] + ldrb r11,[r1,#1] + add r4,r8,r4,ror#2 @ E+=K_00_19 + ldrb r12,[r1],#4 + orr r9,r9,r10,lsl#8 + eor r10,r7,r3 @ F_xx_xx + orr r9,r9,r11,lsl#16 + add r4,r4,r5,ror#27 @ E+=ROR(A,27) + orr r9,r9,r12,lsl#24 +#else + ldr r9,[r1],#4 @ handles unaligned + add r4,r8,r4,ror#2 @ E+=K_00_19 + eor r10,r7,r3 @ F_xx_xx + add r4,r4,r5,ror#27 @ E+=ROR(A,27) +#ifdef __ARMEL__ + rev r9,r9 @ byte swap +#endif +#endif + and r10,r6,r10,ror#2 + add r4,r4,r9 @ E+=X[i] + eor r10,r10,r3,ror#2 @ F_00_19(B,C,D) + str r9,[r14,#-4]! + add r4,r4,r10 @ E+=F_00_19(B,C,D) +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) + ldrb r10,[r1,#2] + ldrb r9,[r1,#3] + ldrb r11,[r1,#1] + add r3,r8,r3,ror#2 @ E+=K_00_19 + ldrb r12,[r1],#4 + orr r9,r9,r10,lsl#8 + eor r10,r6,r7 @ F_xx_xx + orr r9,r9,r11,lsl#16 + add r3,r3,r4,ror#27 @ E+=ROR(A,27) + orr r9,r9,r12,lsl#24 +#else + ldr r9,[r1],#4 @ handles unaligned + add r3,r8,r3,ror#2 @ E+=K_00_19 + eor r10,r6,r7 @ F_xx_xx + add r3,r3,r4,ror#27 @ E+=ROR(A,27) +#ifdef __ARMEL__ + rev r9,r9 @ byte swap +#endif +#endif + and r10,r5,r10,ror#2 + add r3,r3,r9 @ E+=X[i] + eor r10,r10,r7,ror#2 @ F_00_19(B,C,D) + str r9,[r14,#-4]! 
+ add r3,r3,r10 @ E+=F_00_19(B,C,D) + teq r14,sp + bne .L_00_15 @ [((11+4)*5+2)*3] + sub sp,sp,#25*4 +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) + ldrb r10,[r1,#2] + ldrb r9,[r1,#3] + ldrb r11,[r1,#1] + add r7,r8,r7,ror#2 @ E+=K_00_19 + ldrb r12,[r1],#4 + orr r9,r9,r10,lsl#8 + eor r10,r5,r6 @ F_xx_xx + orr r9,r9,r11,lsl#16 + add r7,r7,r3,ror#27 @ E+=ROR(A,27) + orr r9,r9,r12,lsl#24 +#else + ldr r9,[r1],#4 @ handles unaligned + add r7,r8,r7,ror#2 @ E+=K_00_19 + eor r10,r5,r6 @ F_xx_xx + add r7,r7,r3,ror#27 @ E+=ROR(A,27) +#ifdef __ARMEL__ + rev r9,r9 @ byte swap +#endif +#endif + and r10,r4,r10,ror#2 + add r7,r7,r9 @ E+=X[i] + eor r10,r10,r6,ror#2 @ F_00_19(B,C,D) + str r9,[r14,#-4]! + add r7,r7,r10 @ E+=F_00_19(B,C,D) + ldr r9,[r14,#15*4] + ldr r10,[r14,#13*4] + ldr r11,[r14,#7*4] + add r6,r8,r6,ror#2 @ E+=K_xx_xx + ldr r12,[r14,#2*4] + eor r9,r9,r10 + eor r11,r11,r12 @ 1 cycle stall + eor r10,r4,r5 @ F_xx_xx + mov r9,r9,ror#31 + add r6,r6,r7,ror#27 @ E+=ROR(A,27) + eor r9,r9,r11,ror#31 + str r9,[r14,#-4]! + and r10,r3,r10,ror#2 @ F_xx_xx + @ F_xx_xx + add r6,r6,r9 @ E+=X[i] + eor r10,r10,r5,ror#2 @ F_00_19(B,C,D) + add r6,r6,r10 @ E+=F_00_19(B,C,D) + ldr r9,[r14,#15*4] + ldr r10,[r14,#13*4] + ldr r11,[r14,#7*4] + add r5,r8,r5,ror#2 @ E+=K_xx_xx + ldr r12,[r14,#2*4] + eor r9,r9,r10 + eor r11,r11,r12 @ 1 cycle stall + eor r10,r3,r4 @ F_xx_xx + mov r9,r9,ror#31 + add r5,r5,r6,ror#27 @ E+=ROR(A,27) + eor r9,r9,r11,ror#31 + str r9,[r14,#-4]! + and r10,r7,r10,ror#2 @ F_xx_xx + @ F_xx_xx + add r5,r5,r9 @ E+=X[i] + eor r10,r10,r4,ror#2 @ F_00_19(B,C,D) + add r5,r5,r10 @ E+=F_00_19(B,C,D) + ldr r9,[r14,#15*4] + ldr r10,[r14,#13*4] + ldr r11,[r14,#7*4] + add r4,r8,r4,ror#2 @ E+=K_xx_xx + ldr r12,[r14,#2*4] + eor r9,r9,r10 + eor r11,r11,r12 @ 1 cycle stall + eor r10,r7,r3 @ F_xx_xx + mov r9,r9,ror#31 + add r4,r4,r5,ror#27 @ E+=ROR(A,27) + eor r9,r9,r11,ror#31 + str r9,[r14,#-4]! 
+ and r10,r6,r10,ror#2 @ F_xx_xx + @ F_xx_xx + add r4,r4,r9 @ E+=X[i] + eor r10,r10,r3,ror#2 @ F_00_19(B,C,D) + add r4,r4,r10 @ E+=F_00_19(B,C,D) + ldr r9,[r14,#15*4] + ldr r10,[r14,#13*4] + ldr r11,[r14,#7*4] + add r3,r8,r3,ror#2 @ E+=K_xx_xx + ldr r12,[r14,#2*4] + eor r9,r9,r10 + eor r11,r11,r12 @ 1 cycle stall + eor r10,r6,r7 @ F_xx_xx + mov r9,r9,ror#31 + add r3,r3,r4,ror#27 @ E+=ROR(A,27) + eor r9,r9,r11,ror#31 + str r9,[r14,#-4]! + and r10,r5,r10,ror#2 @ F_xx_xx + @ F_xx_xx + add r3,r3,r9 @ E+=X[i] + eor r10,r10,r7,ror#2 @ F_00_19(B,C,D) + add r3,r3,r10 @ E+=F_00_19(B,C,D) + + ldr r8,.LK_20_39 @ [+15+16*4] + cmn sp,#0 @ [+3], clear carry to denote 20_39 +.L_20_39_or_60_79: + ldr r9,[r14,#15*4] + ldr r10,[r14,#13*4] + ldr r11,[r14,#7*4] + add r7,r8,r7,ror#2 @ E+=K_xx_xx + ldr r12,[r14,#2*4] + eor r9,r9,r10 + eor r11,r11,r12 @ 1 cycle stall + eor r10,r5,r6 @ F_xx_xx + mov r9,r9,ror#31 + add r7,r7,r3,ror#27 @ E+=ROR(A,27) + eor r9,r9,r11,ror#31 + str r9,[r14,#-4]! + eor r10,r4,r10,ror#2 @ F_xx_xx + @ F_xx_xx + add r7,r7,r9 @ E+=X[i] + add r7,r7,r10 @ E+=F_20_39(B,C,D) + ldr r9,[r14,#15*4] + ldr r10,[r14,#13*4] + ldr r11,[r14,#7*4] + add r6,r8,r6,ror#2 @ E+=K_xx_xx + ldr r12,[r14,#2*4] + eor r9,r9,r10 + eor r11,r11,r12 @ 1 cycle stall + eor r10,r4,r5 @ F_xx_xx + mov r9,r9,ror#31 + add r6,r6,r7,ror#27 @ E+=ROR(A,27) + eor r9,r9,r11,ror#31 + str r9,[r14,#-4]! + eor r10,r3,r10,ror#2 @ F_xx_xx + @ F_xx_xx + add r6,r6,r9 @ E+=X[i] + add r6,r6,r10 @ E+=F_20_39(B,C,D) + ldr r9,[r14,#15*4] + ldr r10,[r14,#13*4] + ldr r11,[r14,#7*4] + add r5,r8,r5,ror#2 @ E+=K_xx_xx + ldr r12,[r14,#2*4] + eor r9,r9,r10 + eor r11,r11,r12 @ 1 cycle stall + eor r10,r3,r4 @ F_xx_xx + mov r9,r9,ror#31 + add r5,r5,r6,ror#27 @ E+=ROR(A,27) + eor r9,r9,r11,ror#31 + str r9,[r14,#-4]! 
+ eor r10,r7,r10,ror#2 @ F_xx_xx + @ F_xx_xx + add r5,r5,r9 @ E+=X[i] + add r5,r5,r10 @ E+=F_20_39(B,C,D) + ldr r9,[r14,#15*4] + ldr r10,[r14,#13*4] + ldr r11,[r14,#7*4] + add r4,r8,r4,ror#2 @ E+=K_xx_xx + ldr r12,[r14,#2*4] + eor r9,r9,r10 + eor r11,r11,r12 @ 1 cycle stall + eor r10,r7,r3 @ F_xx_xx + mov r9,r9,ror#31 + add r4,r4,r5,ror#27 @ E+=ROR(A,27) + eor r9,r9,r11,ror#31 + str r9,[r14,#-4]! + eor r10,r6,r10,ror#2 @ F_xx_xx + @ F_xx_xx + add r4,r4,r9 @ E+=X[i] + add r4,r4,r10 @ E+=F_20_39(B,C,D) + ldr r9,[r14,#15*4] + ldr r10,[r14,#13*4] + ldr r11,[r14,#7*4] + add r3,r8,r3,ror#2 @ E+=K_xx_xx + ldr r12,[r14,#2*4] + eor r9,r9,r10 + eor r11,r11,r12 @ 1 cycle stall + eor r10,r6,r7 @ F_xx_xx + mov r9,r9,ror#31 + add r3,r3,r4,ror#27 @ E+=ROR(A,27) + eor r9,r9,r11,ror#31 + str r9,[r14,#-4]! + eor r10,r5,r10,ror#2 @ F_xx_xx + @ F_xx_xx + add r3,r3,r9 @ E+=X[i] + add r3,r3,r10 @ E+=F_20_39(B,C,D) + teq r14,sp @ preserve carry + bne .L_20_39_or_60_79 @ [+((12+3)*5+2)*4] + bcs .L_done @ [+((12+3)*5+2)*4], spare 300 bytes + + ldr r8,.LK_40_59 + sub sp,sp,#20*4 @ [+2] +.L_40_59: + ldr r9,[r14,#15*4] + ldr r10,[r14,#13*4] + ldr r11,[r14,#7*4] + add r7,r8,r7,ror#2 @ E+=K_xx_xx + ldr r12,[r14,#2*4] + eor r9,r9,r10 + eor r11,r11,r12 @ 1 cycle stall + eor r10,r5,r6 @ F_xx_xx + mov r9,r9,ror#31 + add r7,r7,r3,ror#27 @ E+=ROR(A,27) + eor r9,r9,r11,ror#31 + str r9,[r14,#-4]! + and r10,r4,r10,ror#2 @ F_xx_xx + and r11,r5,r6 @ F_xx_xx + add r7,r7,r9 @ E+=X[i] + add r7,r7,r10 @ E+=F_40_59(B,C,D) + add r7,r7,r11,ror#2 + ldr r9,[r14,#15*4] + ldr r10,[r14,#13*4] + ldr r11,[r14,#7*4] + add r6,r8,r6,ror#2 @ E+=K_xx_xx + ldr r12,[r14,#2*4] + eor r9,r9,r10 + eor r11,r11,r12 @ 1 cycle stall + eor r10,r4,r5 @ F_xx_xx + mov r9,r9,ror#31 + add r6,r6,r7,ror#27 @ E+=ROR(A,27) + eor r9,r9,r11,ror#31 + str r9,[r14,#-4]! 
+ and r10,r3,r10,ror#2 @ F_xx_xx + and r11,r4,r5 @ F_xx_xx + add r6,r6,r9 @ E+=X[i] + add r6,r6,r10 @ E+=F_40_59(B,C,D) + add r6,r6,r11,ror#2 + ldr r9,[r14,#15*4] + ldr r10,[r14,#13*4] + ldr r11,[r14,#7*4] + add r5,r8,r5,ror#2 @ E+=K_xx_xx + ldr r12,[r14,#2*4] + eor r9,r9,r10 + eor r11,r11,r12 @ 1 cycle stall + eor r10,r3,r4 @ F_xx_xx + mov r9,r9,ror#31 + add r5,r5,r6,ror#27 @ E+=ROR(A,27) + eor r9,r9,r11,ror#31 + str r9,[r14,#-4]! + and r10,r7,r10,ror#2 @ F_xx_xx + and r11,r3,r4 @ F_xx_xx + add r5,r5,r9 @ E+=X[i] + add r5,r5,r10 @ E+=F_40_59(B,C,D) + add r5,r5,r11,ror#2 + ldr r9,[r14,#15*4] + ldr r10,[r14,#13*4] + ldr r11,[r14,#7*4] + add r4,r8,r4,ror#2 @ E+=K_xx_xx + ldr r12,[r14,#2*4] + eor r9,r9,r10 + eor r11,r11,r12 @ 1 cycle stall + eor r10,r7,r3 @ F_xx_xx + mov r9,r9,ror#31 + add r4,r4,r5,ror#27 @ E+=ROR(A,27) + eor r9,r9,r11,ror#31 + str r9,[r14,#-4]! + and r10,r6,r10,ror#2 @ F_xx_xx + and r11,r7,r3 @ F_xx_xx + add r4,r4,r9 @ E+=X[i] + add r4,r4,r10 @ E+=F_40_59(B,C,D) + add r4,r4,r11,ror#2 + ldr r9,[r14,#15*4] + ldr r10,[r14,#13*4] + ldr r11,[r14,#7*4] + add r3,r8,r3,ror#2 @ E+=K_xx_xx + ldr r12,[r14,#2*4] + eor r9,r9,r10 + eor r11,r11,r12 @ 1 cycle stall + eor r10,r6,r7 @ F_xx_xx + mov r9,r9,ror#31 + add r3,r3,r4,ror#27 @ E+=ROR(A,27) + eor r9,r9,r11,ror#31 + str r9,[r14,#-4]! 
+ and r10,r5,r10,ror#2 @ F_xx_xx + and r11,r6,r7 @ F_xx_xx + add r3,r3,r9 @ E+=X[i] + add r3,r3,r10 @ E+=F_40_59(B,C,D) + add r3,r3,r11,ror#2 + teq r14,sp + bne .L_40_59 @ [+((12+5)*5+2)*4] + + ldr r8,.LK_60_79 + sub sp,sp,#20*4 + cmp sp,#0 @ set carry to denote 60_79 + b .L_20_39_or_60_79 @ [+4], spare 300 bytes +.L_done: + add sp,sp,#80*4 @ "deallocate" stack frame + ldmia r0,{r8,r9,r10,r11,r12} + add r3,r8,r3 + add r4,r9,r4 + add r5,r10,r5,ror#2 + add r6,r11,r6,ror#2 + add r7,r12,r7,ror#2 + stmia r0,{r3,r4,r5,r6,r7} + teq r1,r2 + bne .Lloop @ [+18], total 1307 + +#if __ARM_ARCH__>=5 + ldmia sp!,{r4-r12,pc} +#else + ldmia sp!,{r4-r12,lr} + tst lr,#1 + moveq pc,lr @ be binary compatible with V4, yet + .word 0xe12fff1e @ interoperable with Thumb ISA:-) +#endif +.align 2 +.LK_00_19: .word 0x5a827999 +.LK_20_39: .word 0x6ed9eba1 +.LK_40_59: .word 0x8f1bbcdc +.LK_60_79: .word 0xca62c1d6 +.size sha1_block_data_order,.-sha1_block_data_order +.asciz "SHA1 block transform for ARMv4, CRYPTOGAMS by " +.align 2 +#if defined(HAVE_GNU_STACK) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/sha/sha1-masm-x86_64.S b/crypto/sha/sha1-masm-x86_64.S new file mode 100644 index 0000000..36d8732 --- /dev/null +++ b/crypto/sha/sha1-masm-x86_64.S 
@@ -0,0 +1,2746 @@ +; 1 "crypto/sha/sha1-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/sha/sha1-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/sha/sha1-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' +EXTERN OPENSSL_ia32cap_P:NEAR + + +PUBLIC sha1_block_data_order + +ALIGN 16 +sha1_block_data_order PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_sha1_block_data_order:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + + + mov r9d,DWORD PTR[((OPENSSL_ia32cap_P+0))] + mov r8d,DWORD PTR[((OPENSSL_ia32cap_P+4))] + test r8d,(1 SHL 9) + jz $L$ialu + jmp _ssse3_shortcut + +ALIGN 16 +$L$ialu:: + push rbx + push rbp + push r12 + push r13 + mov r11,rsp + mov r8,rdi + sub rsp,72 + mov r9,rsi + and rsp,-64 + mov r10,rdx + mov QWORD PTR[64+rsp],r11 +$L$prologue:: + + mov esi,DWORD PTR[r8] + mov edi,DWORD PTR[4+r8] + mov r11d,DWORD PTR[8+r8] + mov r12d,DWORD PTR[12+r8] + mov r13d,DWORD PTR[16+r8] + jmp $L$loop + +ALIGN 16 +$L$loop:: + mov edx,DWORD PTR[r9] + bswap edx + mov DWORD PTR[rsp],edx + mov eax,r11d + mov ebp,DWORD PTR[4+r9] + mov ecx,esi + xor eax,r12d + bswap ebp + rol ecx,5 + lea r13d,DWORD PTR[1518500249+r13*1+rdx] + and eax,edi + mov DWORD PTR[4+rsp],ebp + add r13d,ecx + xor eax,r12d + rol edi,30 + add r13d,eax + mov eax,edi + mov edx,DWORD PTR[8+r9] + mov ecx,r13d + xor eax,r11d + bswap edx + rol ecx,5 + lea r12d,DWORD PTR[1518500249+r12*1+rbp] + and eax,esi + mov DWORD PTR[8+rsp],edx + add r12d,ecx + xor eax,r11d + rol esi,30 + add r12d,eax + mov eax,esi + mov ebp,DWORD PTR[12+r9] + mov ecx,r12d + xor eax,edi + bswap ebp + rol ecx,5 + lea r11d,DWORD PTR[1518500249+r11*1+rdx] + and eax,r13d + mov DWORD PTR[12+rsp],ebp + add r11d,ecx + xor eax,edi + rol r13d,30 + add 
r11d,eax + mov eax,r13d + mov edx,DWORD PTR[16+r9] + mov ecx,r11d + xor eax,esi + bswap edx + rol ecx,5 + lea edi,DWORD PTR[1518500249+rdi*1+rbp] + and eax,r12d + mov DWORD PTR[16+rsp],edx + add edi,ecx + xor eax,esi + rol r12d,30 + add edi,eax + mov eax,r12d + mov ebp,DWORD PTR[20+r9] + mov ecx,edi + xor eax,r13d + bswap ebp + rol ecx,5 + lea esi,DWORD PTR[1518500249+rsi*1+rdx] + and eax,r11d + mov DWORD PTR[20+rsp],ebp + add esi,ecx + xor eax,r13d + rol r11d,30 + add esi,eax + mov eax,r11d + mov edx,DWORD PTR[24+r9] + mov ecx,esi + xor eax,r12d + bswap edx + rol ecx,5 + lea r13d,DWORD PTR[1518500249+r13*1+rbp] + and eax,edi + mov DWORD PTR[24+rsp],edx + add r13d,ecx + xor eax,r12d + rol edi,30 + add r13d,eax + mov eax,edi + mov ebp,DWORD PTR[28+r9] + mov ecx,r13d + xor eax,r11d + bswap ebp + rol ecx,5 + lea r12d,DWORD PTR[1518500249+r12*1+rdx] + and eax,esi + mov DWORD PTR[28+rsp],ebp + add r12d,ecx + xor eax,r11d + rol esi,30 + add r12d,eax + mov eax,esi + mov edx,DWORD PTR[32+r9] + mov ecx,r12d + xor eax,edi + bswap edx + rol ecx,5 + lea r11d,DWORD PTR[1518500249+r11*1+rbp] + and eax,r13d + mov DWORD PTR[32+rsp],edx + add r11d,ecx + xor eax,edi + rol r13d,30 + add r11d,eax + mov eax,r13d + mov ebp,DWORD PTR[36+r9] + mov ecx,r11d + xor eax,esi + bswap ebp + rol ecx,5 + lea edi,DWORD PTR[1518500249+rdi*1+rdx] + and eax,r12d + mov DWORD PTR[36+rsp],ebp + add edi,ecx + xor eax,esi + rol r12d,30 + add edi,eax + mov eax,r12d + mov edx,DWORD PTR[40+r9] + mov ecx,edi + xor eax,r13d + bswap edx + rol ecx,5 + lea esi,DWORD PTR[1518500249+rsi*1+rbp] + and eax,r11d + mov DWORD PTR[40+rsp],edx + add esi,ecx + xor eax,r13d + rol r11d,30 + add esi,eax + mov eax,r11d + mov ebp,DWORD PTR[44+r9] + mov ecx,esi + xor eax,r12d + bswap ebp + rol ecx,5 + lea r13d,DWORD PTR[1518500249+r13*1+rdx] + and eax,edi + mov DWORD PTR[44+rsp],ebp + add r13d,ecx + xor eax,r12d + rol edi,30 + add r13d,eax + mov eax,edi + mov edx,DWORD PTR[48+r9] + mov ecx,r13d + xor eax,r11d + bswap edx + rol 
ecx,5 + lea r12d,DWORD PTR[1518500249+r12*1+rbp] + and eax,esi + mov DWORD PTR[48+rsp],edx + add r12d,ecx + xor eax,r11d + rol esi,30 + add r12d,eax + mov eax,esi + mov ebp,DWORD PTR[52+r9] + mov ecx,r12d + xor eax,edi + bswap ebp + rol ecx,5 + lea r11d,DWORD PTR[1518500249+r11*1+rdx] + and eax,r13d + mov DWORD PTR[52+rsp],ebp + add r11d,ecx + xor eax,edi + rol r13d,30 + add r11d,eax + mov eax,r13d + mov edx,DWORD PTR[56+r9] + mov ecx,r11d + xor eax,esi + bswap edx + rol ecx,5 + lea edi,DWORD PTR[1518500249+rdi*1+rbp] + and eax,r12d + mov DWORD PTR[56+rsp],edx + add edi,ecx + xor eax,esi + rol r12d,30 + add edi,eax + mov eax,r12d + mov ebp,DWORD PTR[60+r9] + mov ecx,edi + xor eax,r13d + bswap ebp + rol ecx,5 + lea esi,DWORD PTR[1518500249+rsi*1+rdx] + and eax,r11d + mov DWORD PTR[60+rsp],ebp + add esi,ecx + xor eax,r13d + rol r11d,30 + add esi,eax + mov edx,DWORD PTR[rsp] + mov eax,r11d + mov ecx,esi + xor edx,DWORD PTR[8+rsp] + xor eax,r12d + rol ecx,5 + xor edx,DWORD PTR[32+rsp] + and eax,edi + lea r13d,DWORD PTR[1518500249+r13*1+rbp] + xor edx,DWORD PTR[52+rsp] + xor eax,r12d + rol edx,1 + add r13d,ecx + rol edi,30 + mov DWORD PTR[rsp],edx + add r13d,eax + mov ebp,DWORD PTR[4+rsp] + mov eax,edi + mov ecx,r13d + xor ebp,DWORD PTR[12+rsp] + xor eax,r11d + rol ecx,5 + xor ebp,DWORD PTR[36+rsp] + and eax,esi + lea r12d,DWORD PTR[1518500249+r12*1+rdx] + xor ebp,DWORD PTR[56+rsp] + xor eax,r11d + rol ebp,1 + add r12d,ecx + rol esi,30 + mov DWORD PTR[4+rsp],ebp + add r12d,eax + mov edx,DWORD PTR[8+rsp] + mov eax,esi + mov ecx,r12d + xor edx,DWORD PTR[16+rsp] + xor eax,edi + rol ecx,5 + xor edx,DWORD PTR[40+rsp] + and eax,r13d + lea r11d,DWORD PTR[1518500249+r11*1+rbp] + xor edx,DWORD PTR[60+rsp] + xor eax,edi + rol edx,1 + add r11d,ecx + rol r13d,30 + mov DWORD PTR[8+rsp],edx + add r11d,eax + mov ebp,DWORD PTR[12+rsp] + mov eax,r13d + mov ecx,r11d + xor ebp,DWORD PTR[20+rsp] + xor eax,esi + rol ecx,5 + xor ebp,DWORD PTR[44+rsp] + and eax,r12d + lea edi,DWORD 
PTR[1518500249+rdi*1+rdx] + xor ebp,DWORD PTR[rsp] + xor eax,esi + rol ebp,1 + add edi,ecx + rol r12d,30 + mov DWORD PTR[12+rsp],ebp + add edi,eax + mov edx,DWORD PTR[16+rsp] + mov eax,r12d + mov ecx,edi + xor edx,DWORD PTR[24+rsp] + xor eax,r13d + rol ecx,5 + xor edx,DWORD PTR[48+rsp] + and eax,r11d + lea esi,DWORD PTR[1518500249+rsi*1+rbp] + xor edx,DWORD PTR[4+rsp] + xor eax,r13d + rol edx,1 + add esi,ecx + rol r11d,30 + mov DWORD PTR[16+rsp],edx + add esi,eax + mov ebp,DWORD PTR[20+rsp] + mov eax,r11d + mov ecx,esi + xor ebp,DWORD PTR[28+rsp] + xor eax,edi + rol ecx,5 + lea r13d,DWORD PTR[1859775393+r13*1+rdx] + xor ebp,DWORD PTR[52+rsp] + xor eax,r12d + add r13d,ecx + xor ebp,DWORD PTR[8+rsp] + rol edi,30 + add r13d,eax + rol ebp,1 + mov DWORD PTR[20+rsp],ebp + mov edx,DWORD PTR[24+rsp] + mov eax,edi + mov ecx,r13d + xor edx,DWORD PTR[32+rsp] + xor eax,esi + rol ecx,5 + lea r12d,DWORD PTR[1859775393+r12*1+rbp] + xor edx,DWORD PTR[56+rsp] + xor eax,r11d + add r12d,ecx + xor edx,DWORD PTR[12+rsp] + rol esi,30 + add r12d,eax + rol edx,1 + mov DWORD PTR[24+rsp],edx + mov ebp,DWORD PTR[28+rsp] + mov eax,esi + mov ecx,r12d + xor ebp,DWORD PTR[36+rsp] + xor eax,r13d + rol ecx,5 + lea r11d,DWORD PTR[1859775393+r11*1+rdx] + xor ebp,DWORD PTR[60+rsp] + xor eax,edi + add r11d,ecx + xor ebp,DWORD PTR[16+rsp] + rol r13d,30 + add r11d,eax + rol ebp,1 + mov DWORD PTR[28+rsp],ebp + mov edx,DWORD PTR[32+rsp] + mov eax,r13d + mov ecx,r11d + xor edx,DWORD PTR[40+rsp] + xor eax,r12d + rol ecx,5 + lea edi,DWORD PTR[1859775393+rdi*1+rbp] + xor edx,DWORD PTR[rsp] + xor eax,esi + add edi,ecx + xor edx,DWORD PTR[20+rsp] + rol r12d,30 + add edi,eax + rol edx,1 + mov DWORD PTR[32+rsp],edx + mov ebp,DWORD PTR[36+rsp] + mov eax,r12d + mov ecx,edi + xor ebp,DWORD PTR[44+rsp] + xor eax,r11d + rol ecx,5 + lea esi,DWORD PTR[1859775393+rsi*1+rdx] + xor ebp,DWORD PTR[4+rsp] + xor eax,r13d + add esi,ecx + xor ebp,DWORD PTR[24+rsp] + rol r11d,30 + add esi,eax + rol ebp,1 + mov DWORD 
PTR[36+rsp],ebp + mov edx,DWORD PTR[40+rsp] + mov eax,r11d + mov ecx,esi + xor edx,DWORD PTR[48+rsp] + xor eax,edi + rol ecx,5 + lea r13d,DWORD PTR[1859775393+r13*1+rbp] + xor edx,DWORD PTR[8+rsp] + xor eax,r12d + add r13d,ecx + xor edx,DWORD PTR[28+rsp] + rol edi,30 + add r13d,eax + rol edx,1 + mov DWORD PTR[40+rsp],edx + mov ebp,DWORD PTR[44+rsp] + mov eax,edi + mov ecx,r13d + xor ebp,DWORD PTR[52+rsp] + xor eax,esi + rol ecx,5 + lea r12d,DWORD PTR[1859775393+r12*1+rdx] + xor ebp,DWORD PTR[12+rsp] + xor eax,r11d + add r12d,ecx + xor ebp,DWORD PTR[32+rsp] + rol esi,30 + add r12d,eax + rol ebp,1 + mov DWORD PTR[44+rsp],ebp + mov edx,DWORD PTR[48+rsp] + mov eax,esi + mov ecx,r12d + xor edx,DWORD PTR[56+rsp] + xor eax,r13d + rol ecx,5 + lea r11d,DWORD PTR[1859775393+r11*1+rbp] + xor edx,DWORD PTR[16+rsp] + xor eax,edi + add r11d,ecx + xor edx,DWORD PTR[36+rsp] + rol r13d,30 + add r11d,eax + rol edx,1 + mov DWORD PTR[48+rsp],edx + mov ebp,DWORD PTR[52+rsp] + mov eax,r13d + mov ecx,r11d + xor ebp,DWORD PTR[60+rsp] + xor eax,r12d + rol ecx,5 + lea edi,DWORD PTR[1859775393+rdi*1+rdx] + xor ebp,DWORD PTR[20+rsp] + xor eax,esi + add edi,ecx + xor ebp,DWORD PTR[40+rsp] + rol r12d,30 + add edi,eax + rol ebp,1 + mov DWORD PTR[52+rsp],ebp + mov edx,DWORD PTR[56+rsp] + mov eax,r12d + mov ecx,edi + xor edx,DWORD PTR[rsp] + xor eax,r11d + rol ecx,5 + lea esi,DWORD PTR[1859775393+rsi*1+rbp] + xor edx,DWORD PTR[24+rsp] + xor eax,r13d + add esi,ecx + xor edx,DWORD PTR[44+rsp] + rol r11d,30 + add esi,eax + rol edx,1 + mov DWORD PTR[56+rsp],edx + mov ebp,DWORD PTR[60+rsp] + mov eax,r11d + mov ecx,esi + xor ebp,DWORD PTR[4+rsp] + xor eax,edi + rol ecx,5 + lea r13d,DWORD PTR[1859775393+r13*1+rdx] + xor ebp,DWORD PTR[28+rsp] + xor eax,r12d + add r13d,ecx + xor ebp,DWORD PTR[48+rsp] + rol edi,30 + add r13d,eax + rol ebp,1 + mov DWORD PTR[60+rsp],ebp + mov edx,DWORD PTR[rsp] + mov eax,edi + mov ecx,r13d + xor edx,DWORD PTR[8+rsp] + xor eax,esi + rol ecx,5 + lea r12d,DWORD 
PTR[1859775393+r12*1+rbp] + xor edx,DWORD PTR[32+rsp] + xor eax,r11d + add r12d,ecx + xor edx,DWORD PTR[52+rsp] + rol esi,30 + add r12d,eax + rol edx,1 + mov DWORD PTR[rsp],edx + mov ebp,DWORD PTR[4+rsp] + mov eax,esi + mov ecx,r12d + xor ebp,DWORD PTR[12+rsp] + xor eax,r13d + rol ecx,5 + lea r11d,DWORD PTR[1859775393+r11*1+rdx] + xor ebp,DWORD PTR[36+rsp] + xor eax,edi + add r11d,ecx + xor ebp,DWORD PTR[56+rsp] + rol r13d,30 + add r11d,eax + rol ebp,1 + mov DWORD PTR[4+rsp],ebp + mov edx,DWORD PTR[8+rsp] + mov eax,r13d + mov ecx,r11d + xor edx,DWORD PTR[16+rsp] + xor eax,r12d + rol ecx,5 + lea edi,DWORD PTR[1859775393+rdi*1+rbp] + xor edx,DWORD PTR[40+rsp] + xor eax,esi + add edi,ecx + xor edx,DWORD PTR[60+rsp] + rol r12d,30 + add edi,eax + rol edx,1 + mov DWORD PTR[8+rsp],edx + mov ebp,DWORD PTR[12+rsp] + mov eax,r12d + mov ecx,edi + xor ebp,DWORD PTR[20+rsp] + xor eax,r11d + rol ecx,5 + lea esi,DWORD PTR[1859775393+rsi*1+rdx] + xor ebp,DWORD PTR[44+rsp] + xor eax,r13d + add esi,ecx + xor ebp,DWORD PTR[rsp] + rol r11d,30 + add esi,eax + rol ebp,1 + mov DWORD PTR[12+rsp],ebp + mov edx,DWORD PTR[16+rsp] + mov eax,r11d + mov ecx,esi + xor edx,DWORD PTR[24+rsp] + xor eax,edi + rol ecx,5 + lea r13d,DWORD PTR[1859775393+r13*1+rbp] + xor edx,DWORD PTR[48+rsp] + xor eax,r12d + add r13d,ecx + xor edx,DWORD PTR[4+rsp] + rol edi,30 + add r13d,eax + rol edx,1 + mov DWORD PTR[16+rsp],edx + mov ebp,DWORD PTR[20+rsp] + mov eax,edi + mov ecx,r13d + xor ebp,DWORD PTR[28+rsp] + xor eax,esi + rol ecx,5 + lea r12d,DWORD PTR[1859775393+r12*1+rdx] + xor ebp,DWORD PTR[52+rsp] + xor eax,r11d + add r12d,ecx + xor ebp,DWORD PTR[8+rsp] + rol esi,30 + add r12d,eax + rol ebp,1 + mov DWORD PTR[20+rsp],ebp + mov edx,DWORD PTR[24+rsp] + mov eax,esi + mov ecx,r12d + xor edx,DWORD PTR[32+rsp] + xor eax,r13d + rol ecx,5 + lea r11d,DWORD PTR[1859775393+r11*1+rbp] + xor edx,DWORD PTR[56+rsp] + xor eax,edi + add r11d,ecx + xor edx,DWORD PTR[12+rsp] + rol r13d,30 + add r11d,eax + rol edx,1 + mov DWORD 
PTR[24+rsp],edx + mov ebp,DWORD PTR[28+rsp] + mov eax,r13d + mov ecx,r11d + xor ebp,DWORD PTR[36+rsp] + xor eax,r12d + rol ecx,5 + lea edi,DWORD PTR[1859775393+rdi*1+rdx] + xor ebp,DWORD PTR[60+rsp] + xor eax,esi + add edi,ecx + xor ebp,DWORD PTR[16+rsp] + rol r12d,30 + add edi,eax + rol ebp,1 + mov DWORD PTR[28+rsp],ebp + mov edx,DWORD PTR[32+rsp] + mov eax,r12d + mov ecx,edi + xor edx,DWORD PTR[40+rsp] + xor eax,r11d + rol ecx,5 + lea esi,DWORD PTR[1859775393+rsi*1+rbp] + xor edx,DWORD PTR[rsp] + xor eax,r13d + add esi,ecx + xor edx,DWORD PTR[20+rsp] + rol r11d,30 + add esi,eax + rol edx,1 + mov DWORD PTR[32+rsp],edx + mov ebp,DWORD PTR[36+rsp] + mov eax,r11d + mov ebx,r11d + xor ebp,DWORD PTR[44+rsp] + and eax,r12d + mov ecx,esi + xor ebp,DWORD PTR[4+rsp] + xor ebx,r12d + lea r13d,DWORD PTR[((-1894007588))+r13*1+rdx] + rol ecx,5 + xor ebp,DWORD PTR[24+rsp] + add r13d,eax + and ebx,edi + rol ebp,1 + add r13d,ebx + rol edi,30 + mov DWORD PTR[36+rsp],ebp + add r13d,ecx + mov edx,DWORD PTR[40+rsp] + mov eax,edi + mov ebx,edi + xor edx,DWORD PTR[48+rsp] + and eax,r11d + mov ecx,r13d + xor edx,DWORD PTR[8+rsp] + xor ebx,r11d + lea r12d,DWORD PTR[((-1894007588))+r12*1+rbp] + rol ecx,5 + xor edx,DWORD PTR[28+rsp] + add r12d,eax + and ebx,esi + rol edx,1 + add r12d,ebx + rol esi,30 + mov DWORD PTR[40+rsp],edx + add r12d,ecx + mov ebp,DWORD PTR[44+rsp] + mov eax,esi + mov ebx,esi + xor ebp,DWORD PTR[52+rsp] + and eax,edi + mov ecx,r12d + xor ebp,DWORD PTR[12+rsp] + xor ebx,edi + lea r11d,DWORD PTR[((-1894007588))+r11*1+rdx] + rol ecx,5 + xor ebp,DWORD PTR[32+rsp] + add r11d,eax + and ebx,r13d + rol ebp,1 + add r11d,ebx + rol r13d,30 + mov DWORD PTR[44+rsp],ebp + add r11d,ecx + mov edx,DWORD PTR[48+rsp] + mov eax,r13d + mov ebx,r13d + xor edx,DWORD PTR[56+rsp] + and eax,esi + mov ecx,r11d + xor edx,DWORD PTR[16+rsp] + xor ebx,esi + lea edi,DWORD PTR[((-1894007588))+rdi*1+rbp] + rol ecx,5 + xor edx,DWORD PTR[36+rsp] + add edi,eax + and ebx,r12d + rol edx,1 + add edi,ebx + 
rol r12d,30 + mov DWORD PTR[48+rsp],edx + add edi,ecx + mov ebp,DWORD PTR[52+rsp] + mov eax,r12d + mov ebx,r12d + xor ebp,DWORD PTR[60+rsp] + and eax,r13d + mov ecx,edi + xor ebp,DWORD PTR[20+rsp] + xor ebx,r13d + lea esi,DWORD PTR[((-1894007588))+rsi*1+rdx] + rol ecx,5 + xor ebp,DWORD PTR[40+rsp] + add esi,eax + and ebx,r11d + rol ebp,1 + add esi,ebx + rol r11d,30 + mov DWORD PTR[52+rsp],ebp + add esi,ecx + mov edx,DWORD PTR[56+rsp] + mov eax,r11d + mov ebx,r11d + xor edx,DWORD PTR[rsp] + and eax,r12d + mov ecx,esi + xor edx,DWORD PTR[24+rsp] + xor ebx,r12d + lea r13d,DWORD PTR[((-1894007588))+r13*1+rbp] + rol ecx,5 + xor edx,DWORD PTR[44+rsp] + add r13d,eax + and ebx,edi + rol edx,1 + add r13d,ebx + rol edi,30 + mov DWORD PTR[56+rsp],edx + add r13d,ecx + mov ebp,DWORD PTR[60+rsp] + mov eax,edi + mov ebx,edi + xor ebp,DWORD PTR[4+rsp] + and eax,r11d + mov ecx,r13d + xor ebp,DWORD PTR[28+rsp] + xor ebx,r11d + lea r12d,DWORD PTR[((-1894007588))+r12*1+rdx] + rol ecx,5 + xor ebp,DWORD PTR[48+rsp] + add r12d,eax + and ebx,esi + rol ebp,1 + add r12d,ebx + rol esi,30 + mov DWORD PTR[60+rsp],ebp + add r12d,ecx + mov edx,DWORD PTR[rsp] + mov eax,esi + mov ebx,esi + xor edx,DWORD PTR[8+rsp] + and eax,edi + mov ecx,r12d + xor edx,DWORD PTR[32+rsp] + xor ebx,edi + lea r11d,DWORD PTR[((-1894007588))+r11*1+rbp] + rol ecx,5 + xor edx,DWORD PTR[52+rsp] + add r11d,eax + and ebx,r13d + rol edx,1 + add r11d,ebx + rol r13d,30 + mov DWORD PTR[rsp],edx + add r11d,ecx + mov ebp,DWORD PTR[4+rsp] + mov eax,r13d + mov ebx,r13d + xor ebp,DWORD PTR[12+rsp] + and eax,esi + mov ecx,r11d + xor ebp,DWORD PTR[36+rsp] + xor ebx,esi + lea edi,DWORD PTR[((-1894007588))+rdi*1+rdx] + rol ecx,5 + xor ebp,DWORD PTR[56+rsp] + add edi,eax + and ebx,r12d + rol ebp,1 + add edi,ebx + rol r12d,30 + mov DWORD PTR[4+rsp],ebp + add edi,ecx + mov edx,DWORD PTR[8+rsp] + mov eax,r12d + mov ebx,r12d + xor edx,DWORD PTR[16+rsp] + and eax,r13d + mov ecx,edi + xor edx,DWORD PTR[40+rsp] + xor ebx,r13d + lea esi,DWORD 
PTR[((-1894007588))+rsi*1+rbp] + rol ecx,5 + xor edx,DWORD PTR[60+rsp] + add esi,eax + and ebx,r11d + rol edx,1 + add esi,ebx + rol r11d,30 + mov DWORD PTR[8+rsp],edx + add esi,ecx + mov ebp,DWORD PTR[12+rsp] + mov eax,r11d + mov ebx,r11d + xor ebp,DWORD PTR[20+rsp] + and eax,r12d + mov ecx,esi + xor ebp,DWORD PTR[44+rsp] + xor ebx,r12d + lea r13d,DWORD PTR[((-1894007588))+r13*1+rdx] + rol ecx,5 + xor ebp,DWORD PTR[rsp] + add r13d,eax + and ebx,edi + rol ebp,1 + add r13d,ebx + rol edi,30 + mov DWORD PTR[12+rsp],ebp + add r13d,ecx + mov edx,DWORD PTR[16+rsp] + mov eax,edi + mov ebx,edi + xor edx,DWORD PTR[24+rsp] + and eax,r11d + mov ecx,r13d + xor edx,DWORD PTR[48+rsp] + xor ebx,r11d + lea r12d,DWORD PTR[((-1894007588))+r12*1+rbp] + rol ecx,5 + xor edx,DWORD PTR[4+rsp] + add r12d,eax + and ebx,esi + rol edx,1 + add r12d,ebx + rol esi,30 + mov DWORD PTR[16+rsp],edx + add r12d,ecx + mov ebp,DWORD PTR[20+rsp] + mov eax,esi + mov ebx,esi + xor ebp,DWORD PTR[28+rsp] + and eax,edi + mov ecx,r12d + xor ebp,DWORD PTR[52+rsp] + xor ebx,edi + lea r11d,DWORD PTR[((-1894007588))+r11*1+rdx] + rol ecx,5 + xor ebp,DWORD PTR[8+rsp] + add r11d,eax + and ebx,r13d + rol ebp,1 + add r11d,ebx + rol r13d,30 + mov DWORD PTR[20+rsp],ebp + add r11d,ecx + mov edx,DWORD PTR[24+rsp] + mov eax,r13d + mov ebx,r13d + xor edx,DWORD PTR[32+rsp] + and eax,esi + mov ecx,r11d + xor edx,DWORD PTR[56+rsp] + xor ebx,esi + lea edi,DWORD PTR[((-1894007588))+rdi*1+rbp] + rol ecx,5 + xor edx,DWORD PTR[12+rsp] + add edi,eax + and ebx,r12d + rol edx,1 + add edi,ebx + rol r12d,30 + mov DWORD PTR[24+rsp],edx + add edi,ecx + mov ebp,DWORD PTR[28+rsp] + mov eax,r12d + mov ebx,r12d + xor ebp,DWORD PTR[36+rsp] + and eax,r13d + mov ecx,edi + xor ebp,DWORD PTR[60+rsp] + xor ebx,r13d + lea esi,DWORD PTR[((-1894007588))+rsi*1+rdx] + rol ecx,5 + xor ebp,DWORD PTR[16+rsp] + add esi,eax + and ebx,r11d + rol ebp,1 + add esi,ebx + rol r11d,30 + mov DWORD PTR[28+rsp],ebp + add esi,ecx + mov edx,DWORD PTR[32+rsp] + mov 
eax,r11d + mov ebx,r11d + xor edx,DWORD PTR[40+rsp] + and eax,r12d + mov ecx,esi + xor edx,DWORD PTR[rsp] + xor ebx,r12d + lea r13d,DWORD PTR[((-1894007588))+r13*1+rbp] + rol ecx,5 + xor edx,DWORD PTR[20+rsp] + add r13d,eax + and ebx,edi + rol edx,1 + add r13d,ebx + rol edi,30 + mov DWORD PTR[32+rsp],edx + add r13d,ecx + mov ebp,DWORD PTR[36+rsp] + mov eax,edi + mov ebx,edi + xor ebp,DWORD PTR[44+rsp] + and eax,r11d + mov ecx,r13d + xor ebp,DWORD PTR[4+rsp] + xor ebx,r11d + lea r12d,DWORD PTR[((-1894007588))+r12*1+rdx] + rol ecx,5 + xor ebp,DWORD PTR[24+rsp] + add r12d,eax + and ebx,esi + rol ebp,1 + add r12d,ebx + rol esi,30 + mov DWORD PTR[36+rsp],ebp + add r12d,ecx + mov edx,DWORD PTR[40+rsp] + mov eax,esi + mov ebx,esi + xor edx,DWORD PTR[48+rsp] + and eax,edi + mov ecx,r12d + xor edx,DWORD PTR[8+rsp] + xor ebx,edi + lea r11d,DWORD PTR[((-1894007588))+r11*1+rbp] + rol ecx,5 + xor edx,DWORD PTR[28+rsp] + add r11d,eax + and ebx,r13d + rol edx,1 + add r11d,ebx + rol r13d,30 + mov DWORD PTR[40+rsp],edx + add r11d,ecx + mov ebp,DWORD PTR[44+rsp] + mov eax,r13d + mov ebx,r13d + xor ebp,DWORD PTR[52+rsp] + and eax,esi + mov ecx,r11d + xor ebp,DWORD PTR[12+rsp] + xor ebx,esi + lea edi,DWORD PTR[((-1894007588))+rdi*1+rdx] + rol ecx,5 + xor ebp,DWORD PTR[32+rsp] + add edi,eax + and ebx,r12d + rol ebp,1 + add edi,ebx + rol r12d,30 + mov DWORD PTR[44+rsp],ebp + add edi,ecx + mov edx,DWORD PTR[48+rsp] + mov eax,r12d + mov ebx,r12d + xor edx,DWORD PTR[56+rsp] + and eax,r13d + mov ecx,edi + xor edx,DWORD PTR[16+rsp] + xor ebx,r13d + lea esi,DWORD PTR[((-1894007588))+rsi*1+rbp] + rol ecx,5 + xor edx,DWORD PTR[36+rsp] + add esi,eax + and ebx,r11d + rol edx,1 + add esi,ebx + rol r11d,30 + mov DWORD PTR[48+rsp],edx + add esi,ecx + mov ebp,DWORD PTR[52+rsp] + mov eax,r11d + mov ecx,esi + xor ebp,DWORD PTR[60+rsp] + xor eax,edi + rol ecx,5 + lea r13d,DWORD PTR[((-899497514))+r13*1+rdx] + xor ebp,DWORD PTR[20+rsp] + xor eax,r12d + add r13d,ecx + xor ebp,DWORD PTR[40+rsp] + rol 
edi,30 + add r13d,eax + rol ebp,1 + mov DWORD PTR[52+rsp],ebp + mov edx,DWORD PTR[56+rsp] + mov eax,edi + mov ecx,r13d + xor edx,DWORD PTR[rsp] + xor eax,esi + rol ecx,5 + lea r12d,DWORD PTR[((-899497514))+r12*1+rbp] + xor edx,DWORD PTR[24+rsp] + xor eax,r11d + add r12d,ecx + xor edx,DWORD PTR[44+rsp] + rol esi,30 + add r12d,eax + rol edx,1 + mov DWORD PTR[56+rsp],edx + mov ebp,DWORD PTR[60+rsp] + mov eax,esi + mov ecx,r12d + xor ebp,DWORD PTR[4+rsp] + xor eax,r13d + rol ecx,5 + lea r11d,DWORD PTR[((-899497514))+r11*1+rdx] + xor ebp,DWORD PTR[28+rsp] + xor eax,edi + add r11d,ecx + xor ebp,DWORD PTR[48+rsp] + rol r13d,30 + add r11d,eax + rol ebp,1 + mov DWORD PTR[60+rsp],ebp + mov edx,DWORD PTR[rsp] + mov eax,r13d + mov ecx,r11d + xor edx,DWORD PTR[8+rsp] + xor eax,r12d + rol ecx,5 + lea edi,DWORD PTR[((-899497514))+rdi*1+rbp] + xor edx,DWORD PTR[32+rsp] + xor eax,esi + add edi,ecx + xor edx,DWORD PTR[52+rsp] + rol r12d,30 + add edi,eax + rol edx,1 + mov DWORD PTR[rsp],edx + mov ebp,DWORD PTR[4+rsp] + mov eax,r12d + mov ecx,edi + xor ebp,DWORD PTR[12+rsp] + xor eax,r11d + rol ecx,5 + lea esi,DWORD PTR[((-899497514))+rsi*1+rdx] + xor ebp,DWORD PTR[36+rsp] + xor eax,r13d + add esi,ecx + xor ebp,DWORD PTR[56+rsp] + rol r11d,30 + add esi,eax + rol ebp,1 + mov DWORD PTR[4+rsp],ebp + mov edx,DWORD PTR[8+rsp] + mov eax,r11d + mov ecx,esi + xor edx,DWORD PTR[16+rsp] + xor eax,edi + rol ecx,5 + lea r13d,DWORD PTR[((-899497514))+r13*1+rbp] + xor edx,DWORD PTR[40+rsp] + xor eax,r12d + add r13d,ecx + xor edx,DWORD PTR[60+rsp] + rol edi,30 + add r13d,eax + rol edx,1 + mov DWORD PTR[8+rsp],edx + mov ebp,DWORD PTR[12+rsp] + mov eax,edi + mov ecx,r13d + xor ebp,DWORD PTR[20+rsp] + xor eax,esi + rol ecx,5 + lea r12d,DWORD PTR[((-899497514))+r12*1+rdx] + xor ebp,DWORD PTR[44+rsp] + xor eax,r11d + add r12d,ecx + xor ebp,DWORD PTR[rsp] + rol esi,30 + add r12d,eax + rol ebp,1 + mov DWORD PTR[12+rsp],ebp + mov edx,DWORD PTR[16+rsp] + mov eax,esi + mov ecx,r12d + xor edx,DWORD PTR[24+rsp] 
+ xor eax,r13d + rol ecx,5 + lea r11d,DWORD PTR[((-899497514))+r11*1+rbp] + xor edx,DWORD PTR[48+rsp] + xor eax,edi + add r11d,ecx + xor edx,DWORD PTR[4+rsp] + rol r13d,30 + add r11d,eax + rol edx,1 + mov DWORD PTR[16+rsp],edx + mov ebp,DWORD PTR[20+rsp] + mov eax,r13d + mov ecx,r11d + xor ebp,DWORD PTR[28+rsp] + xor eax,r12d + rol ecx,5 + lea edi,DWORD PTR[((-899497514))+rdi*1+rdx] + xor ebp,DWORD PTR[52+rsp] + xor eax,esi + add edi,ecx + xor ebp,DWORD PTR[8+rsp] + rol r12d,30 + add edi,eax + rol ebp,1 + mov DWORD PTR[20+rsp],ebp + mov edx,DWORD PTR[24+rsp] + mov eax,r12d + mov ecx,edi + xor edx,DWORD PTR[32+rsp] + xor eax,r11d + rol ecx,5 + lea esi,DWORD PTR[((-899497514))+rsi*1+rbp] + xor edx,DWORD PTR[56+rsp] + xor eax,r13d + add esi,ecx + xor edx,DWORD PTR[12+rsp] + rol r11d,30 + add esi,eax + rol edx,1 + mov DWORD PTR[24+rsp],edx + mov ebp,DWORD PTR[28+rsp] + mov eax,r11d + mov ecx,esi + xor ebp,DWORD PTR[36+rsp] + xor eax,edi + rol ecx,5 + lea r13d,DWORD PTR[((-899497514))+r13*1+rdx] + xor ebp,DWORD PTR[60+rsp] + xor eax,r12d + add r13d,ecx + xor ebp,DWORD PTR[16+rsp] + rol edi,30 + add r13d,eax + rol ebp,1 + mov DWORD PTR[28+rsp],ebp + mov edx,DWORD PTR[32+rsp] + mov eax,edi + mov ecx,r13d + xor edx,DWORD PTR[40+rsp] + xor eax,esi + rol ecx,5 + lea r12d,DWORD PTR[((-899497514))+r12*1+rbp] + xor edx,DWORD PTR[rsp] + xor eax,r11d + add r12d,ecx + xor edx,DWORD PTR[20+rsp] + rol esi,30 + add r12d,eax + rol edx,1 + mov DWORD PTR[32+rsp],edx + mov ebp,DWORD PTR[36+rsp] + mov eax,esi + mov ecx,r12d + xor ebp,DWORD PTR[44+rsp] + xor eax,r13d + rol ecx,5 + lea r11d,DWORD PTR[((-899497514))+r11*1+rdx] + xor ebp,DWORD PTR[4+rsp] + xor eax,edi + add r11d,ecx + xor ebp,DWORD PTR[24+rsp] + rol r13d,30 + add r11d,eax + rol ebp,1 + mov DWORD PTR[36+rsp],ebp + mov edx,DWORD PTR[40+rsp] + mov eax,r13d + mov ecx,r11d + xor edx,DWORD PTR[48+rsp] + xor eax,r12d + rol ecx,5 + lea edi,DWORD PTR[((-899497514))+rdi*1+rbp] + xor edx,DWORD PTR[8+rsp] + xor eax,esi + add edi,ecx + 
xor edx,DWORD PTR[28+rsp] + rol r12d,30 + add edi,eax + rol edx,1 + mov DWORD PTR[40+rsp],edx + mov ebp,DWORD PTR[44+rsp] + mov eax,r12d + mov ecx,edi + xor ebp,DWORD PTR[52+rsp] + xor eax,r11d + rol ecx,5 + lea esi,DWORD PTR[((-899497514))+rsi*1+rdx] + xor ebp,DWORD PTR[12+rsp] + xor eax,r13d + add esi,ecx + xor ebp,DWORD PTR[32+rsp] + rol r11d,30 + add esi,eax + rol ebp,1 + mov DWORD PTR[44+rsp],ebp + mov edx,DWORD PTR[48+rsp] + mov eax,r11d + mov ecx,esi + xor edx,DWORD PTR[56+rsp] + xor eax,edi + rol ecx,5 + lea r13d,DWORD PTR[((-899497514))+r13*1+rbp] + xor edx,DWORD PTR[16+rsp] + xor eax,r12d + add r13d,ecx + xor edx,DWORD PTR[36+rsp] + rol edi,30 + add r13d,eax + rol edx,1 + mov DWORD PTR[48+rsp],edx + mov ebp,DWORD PTR[52+rsp] + mov eax,edi + mov ecx,r13d + xor ebp,DWORD PTR[60+rsp] + xor eax,esi + rol ecx,5 + lea r12d,DWORD PTR[((-899497514))+r12*1+rdx] + xor ebp,DWORD PTR[20+rsp] + xor eax,r11d + add r12d,ecx + xor ebp,DWORD PTR[40+rsp] + rol esi,30 + add r12d,eax + rol ebp,1 + mov edx,DWORD PTR[56+rsp] + mov eax,esi + mov ecx,r12d + xor edx,DWORD PTR[rsp] + xor eax,r13d + rol ecx,5 + lea r11d,DWORD PTR[((-899497514))+r11*1+rbp] + xor edx,DWORD PTR[24+rsp] + xor eax,edi + add r11d,ecx + xor edx,DWORD PTR[44+rsp] + rol r13d,30 + add r11d,eax + rol edx,1 + mov ebp,DWORD PTR[60+rsp] + mov eax,r13d + mov ecx,r11d + xor ebp,DWORD PTR[4+rsp] + xor eax,r12d + rol ecx,5 + lea edi,DWORD PTR[((-899497514))+rdi*1+rdx] + xor ebp,DWORD PTR[28+rsp] + xor eax,esi + add edi,ecx + xor ebp,DWORD PTR[48+rsp] + rol r12d,30 + add edi,eax + rol ebp,1 + mov eax,r12d + mov ecx,edi + xor eax,r11d + lea esi,DWORD PTR[((-899497514))+rsi*1+rbp] + rol ecx,5 + xor eax,r13d + add esi,ecx + rol r11d,30 + add esi,eax + add esi,DWORD PTR[r8] + add edi,DWORD PTR[4+r8] + add r11d,DWORD PTR[8+r8] + add r12d,DWORD PTR[12+r8] + add r13d,DWORD PTR[16+r8] + mov DWORD PTR[r8],esi + mov DWORD PTR[4+r8],edi + mov DWORD PTR[8+r8],r11d + mov DWORD PTR[12+r8],r12d + mov DWORD PTR[16+r8],r13d + + sub 
r10,1 + lea r9,QWORD PTR[64+r9] + jnz $L$loop + + mov rsi,QWORD PTR[64+rsp] + mov r13,QWORD PTR[rsi] + mov r12,QWORD PTR[8+rsi] + mov rbp,QWORD PTR[16+rsi] + mov rbx,QWORD PTR[24+rsi] + lea rsp,QWORD PTR[32+rsi] +$L$epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_sha1_block_data_order:: +sha1_block_data_order ENDP + +ALIGN 16 +sha1_block_data_order_ssse3 PROC PRIVATE + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_sha1_block_data_order_ssse3:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + + +_ssse3_shortcut:: + push rbx + push rbp + push r12 + lea rsp,QWORD PTR[((-144))+rsp] + movaps XMMWORD PTR[(64+0)+rsp],xmm6 + movaps XMMWORD PTR[(64+16)+rsp],xmm7 + movaps XMMWORD PTR[(64+32)+rsp],xmm8 + movaps XMMWORD PTR[(64+48)+rsp],xmm9 + movaps XMMWORD PTR[(64+64)+rsp],xmm10 +$L$prologue_ssse3:: + mov r8,rdi + mov r9,rsi + mov r10,rdx + + shl r10,6 + add r10,r9 + lea r11,QWORD PTR[K_XX_XX] + + mov eax,DWORD PTR[r8] + mov ebx,DWORD PTR[4+r8] + mov ecx,DWORD PTR[8+r8] + mov edx,DWORD PTR[12+r8] + mov esi,ebx + mov ebp,DWORD PTR[16+r8] + + movdqa xmm6,XMMWORD PTR[64+r11] + movdqa xmm9,XMMWORD PTR[r11] + movdqu xmm0,XMMWORD PTR[r9] + movdqu xmm1,XMMWORD PTR[16+r9] + movdqu xmm2,XMMWORD PTR[32+r9] + movdqu xmm3,XMMWORD PTR[48+r9] +DB 102,15,56,0,198 + add r9,64 +DB 102,15,56,0,206 +DB 102,15,56,0,214 +DB 102,15,56,0,222 + paddd xmm0,xmm9 + paddd xmm1,xmm9 + paddd xmm2,xmm9 + movdqa XMMWORD PTR[rsp],xmm0 + psubd xmm0,xmm9 + movdqa XMMWORD PTR[16+rsp],xmm1 + psubd xmm1,xmm9 + movdqa XMMWORD PTR[32+rsp],xmm2 + psubd xmm2,xmm9 + jmp $L$oop_ssse3 +ALIGN 16 +$L$oop_ssse3:: + movdqa xmm4,xmm1 + add ebp,DWORD PTR[rsp] + xor ecx,edx + movdqa xmm8,xmm3 +DB 102,15,58,15,224,8 + mov edi,eax + rol eax,5 + paddd xmm9,xmm3 + and esi,ecx + xor ecx,edx + psrldq xmm8,4 + xor esi,edx + add ebp,eax + pxor xmm4,xmm0 + ror ebx,2 + add ebp,esi + pxor xmm8,xmm2 + add edx,DWORD PTR[4+rsp] 
+ xor ebx,ecx + mov esi,ebp + rol ebp,5 + pxor xmm4,xmm8 + and edi,ebx + xor ebx,ecx + movdqa XMMWORD PTR[48+rsp],xmm9 + xor edi,ecx + add edx,ebp + movdqa xmm10,xmm4 + movdqa xmm8,xmm4 + ror eax,7 + add edx,edi + add ecx,DWORD PTR[8+rsp] + xor eax,ebx + pslldq xmm10,12 + paddd xmm4,xmm4 + mov edi,edx + rol edx,5 + and esi,eax + xor eax,ebx + psrld xmm8,31 + xor esi,ebx + add ecx,edx + movdqa xmm9,xmm10 + ror ebp,7 + add ecx,esi + psrld xmm10,30 + por xmm4,xmm8 + add ebx,DWORD PTR[12+rsp] + xor ebp,eax + mov esi,ecx + rol ecx,5 + pslld xmm9,2 + pxor xmm4,xmm10 + and edi,ebp + xor ebp,eax + movdqa xmm10,XMMWORD PTR[r11] + xor edi,eax + add ebx,ecx + pxor xmm4,xmm9 + ror edx,7 + add ebx,edi + movdqa xmm5,xmm2 + add eax,DWORD PTR[16+rsp] + xor edx,ebp + movdqa xmm9,xmm4 +DB 102,15,58,15,233,8 + mov edi,ebx + rol ebx,5 + paddd xmm10,xmm4 + and esi,edx + xor edx,ebp + psrldq xmm9,4 + xor esi,ebp + add eax,ebx + pxor xmm5,xmm1 + ror ecx,7 + add eax,esi + pxor xmm9,xmm3 + add ebp,DWORD PTR[20+rsp] + xor ecx,edx + mov esi,eax + rol eax,5 + pxor xmm5,xmm9 + and edi,ecx + xor ecx,edx + movdqa XMMWORD PTR[rsp],xmm10 + xor edi,edx + add ebp,eax + movdqa xmm8,xmm5 + movdqa xmm9,xmm5 + ror ebx,7 + add ebp,edi + add edx,DWORD PTR[24+rsp] + xor ebx,ecx + pslldq xmm8,12 + paddd xmm5,xmm5 + mov edi,ebp + rol ebp,5 + and esi,ebx + xor ebx,ecx + psrld xmm9,31 + xor esi,ecx + add edx,ebp + movdqa xmm10,xmm8 + ror eax,7 + add edx,esi + psrld xmm8,30 + por xmm5,xmm9 + add ecx,DWORD PTR[28+rsp] + xor eax,ebx + mov esi,edx + rol edx,5 + pslld xmm10,2 + pxor xmm5,xmm8 + and edi,eax + xor eax,ebx + movdqa xmm8,XMMWORD PTR[16+r11] + xor edi,ebx + add ecx,edx + pxor xmm5,xmm10 + ror ebp,7 + add ecx,edi + movdqa xmm6,xmm3 + add ebx,DWORD PTR[32+rsp] + xor ebp,eax + movdqa xmm10,xmm5 +DB 102,15,58,15,242,8 + mov edi,ecx + rol ecx,5 + paddd xmm8,xmm5 + and esi,ebp + xor ebp,eax + psrldq xmm10,4 + xor esi,eax + add ebx,ecx + pxor xmm6,xmm2 + ror edx,7 + add ebx,esi + pxor xmm10,xmm4 + add 
eax,DWORD PTR[36+rsp] + xor edx,ebp + mov esi,ebx + rol ebx,5 + pxor xmm6,xmm10 + and edi,edx + xor edx,ebp + movdqa XMMWORD PTR[16+rsp],xmm8 + xor edi,ebp + add eax,ebx + movdqa xmm9,xmm6 + movdqa xmm10,xmm6 + ror ecx,7 + add eax,edi + add ebp,DWORD PTR[40+rsp] + xor ecx,edx + pslldq xmm9,12 + paddd xmm6,xmm6 + mov edi,eax + rol eax,5 + and esi,ecx + xor ecx,edx + psrld xmm10,31 + xor esi,edx + add ebp,eax + movdqa xmm8,xmm9 + ror ebx,7 + add ebp,esi + psrld xmm9,30 + por xmm6,xmm10 + add edx,DWORD PTR[44+rsp] + xor ebx,ecx + mov esi,ebp + rol ebp,5 + pslld xmm8,2 + pxor xmm6,xmm9 + and edi,ebx + xor ebx,ecx + movdqa xmm9,XMMWORD PTR[16+r11] + xor edi,ecx + add edx,ebp + pxor xmm6,xmm8 + ror eax,7 + add edx,edi + movdqa xmm7,xmm4 + add ecx,DWORD PTR[48+rsp] + xor eax,ebx + movdqa xmm8,xmm6 +DB 102,15,58,15,251,8 + mov edi,edx + rol edx,5 + paddd xmm9,xmm6 + and esi,eax + xor eax,ebx + psrldq xmm8,4 + xor esi,ebx + add ecx,edx + pxor xmm7,xmm3 + ror ebp,7 + add ecx,esi + pxor xmm8,xmm5 + add ebx,DWORD PTR[52+rsp] + xor ebp,eax + mov esi,ecx + rol ecx,5 + pxor xmm7,xmm8 + and edi,ebp + xor ebp,eax + movdqa XMMWORD PTR[32+rsp],xmm9 + xor edi,eax + add ebx,ecx + movdqa xmm10,xmm7 + movdqa xmm8,xmm7 + ror edx,7 + add ebx,edi + add eax,DWORD PTR[56+rsp] + xor edx,ebp + pslldq xmm10,12 + paddd xmm7,xmm7 + mov edi,ebx + rol ebx,5 + and esi,edx + xor edx,ebp + psrld xmm8,31 + xor esi,ebp + add eax,ebx + movdqa xmm9,xmm10 + ror ecx,7 + add eax,esi + psrld xmm10,30 + por xmm7,xmm8 + add ebp,DWORD PTR[60+rsp] + xor ecx,edx + mov esi,eax + rol eax,5 + pslld xmm9,2 + pxor xmm7,xmm10 + and edi,ecx + xor ecx,edx + movdqa xmm10,XMMWORD PTR[16+r11] + xor edi,edx + add ebp,eax + pxor xmm7,xmm9 + ror ebx,7 + add ebp,edi + movdqa xmm9,xmm7 + add edx,DWORD PTR[rsp] + pxor xmm0,xmm4 +DB 102,68,15,58,15,206,8 + xor ebx,ecx + mov edi,ebp + rol ebp,5 + pxor xmm0,xmm1 + and esi,ebx + xor ebx,ecx + movdqa xmm8,xmm10 + paddd xmm10,xmm7 + xor esi,ecx + add edx,ebp + pxor xmm0,xmm9 + ror eax,7 
+ add edx,esi + add ecx,DWORD PTR[4+rsp] + xor eax,ebx + movdqa xmm9,xmm0 + movdqa XMMWORD PTR[48+rsp],xmm10 + mov esi,edx + rol edx,5 + and edi,eax + xor eax,ebx + pslld xmm0,2 + xor edi,ebx + add ecx,edx + psrld xmm9,30 + ror ebp,7 + add ecx,edi + add ebx,DWORD PTR[8+rsp] + xor ebp,eax + mov edi,ecx + rol ecx,5 + por xmm0,xmm9 + and esi,ebp + xor ebp,eax + movdqa xmm10,xmm0 + xor esi,eax + add ebx,ecx + ror edx,7 + add ebx,esi + add eax,DWORD PTR[12+rsp] + xor edx,ebp + mov esi,ebx + rol ebx,5 + and edi,edx + xor edx,ebp + xor edi,ebp + add eax,ebx + ror ecx,7 + add eax,edi + add ebp,DWORD PTR[16+rsp] + pxor xmm1,xmm5 +DB 102,68,15,58,15,215,8 + xor esi,edx + mov edi,eax + rol eax,5 + pxor xmm1,xmm2 + xor esi,ecx + add ebp,eax + movdqa xmm9,xmm8 + paddd xmm8,xmm0 + ror ebx,7 + add ebp,esi + pxor xmm1,xmm10 + add edx,DWORD PTR[20+rsp] + xor edi,ecx + mov esi,ebp + rol ebp,5 + movdqa xmm10,xmm1 + movdqa XMMWORD PTR[rsp],xmm8 + xor edi,ebx + add edx,ebp + ror eax,7 + add edx,edi + pslld xmm1,2 + add ecx,DWORD PTR[24+rsp] + xor esi,ebx + psrld xmm10,30 + mov edi,edx + rol edx,5 + xor esi,eax + add ecx,edx + ror ebp,7 + add ecx,esi + por xmm1,xmm10 + add ebx,DWORD PTR[28+rsp] + xor edi,eax + movdqa xmm8,xmm1 + mov esi,ecx + rol ecx,5 + xor edi,ebp + add ebx,ecx + ror edx,7 + add ebx,edi + add eax,DWORD PTR[32+rsp] + pxor xmm2,xmm6 +DB 102,68,15,58,15,192,8 + xor esi,ebp + mov edi,ebx + rol ebx,5 + pxor xmm2,xmm3 + xor esi,edx + add eax,ebx + movdqa xmm10,XMMWORD PTR[32+r11] + paddd xmm9,xmm1 + ror ecx,7 + add eax,esi + pxor xmm2,xmm8 + add ebp,DWORD PTR[36+rsp] + xor edi,edx + mov esi,eax + rol eax,5 + movdqa xmm8,xmm2 + movdqa XMMWORD PTR[16+rsp],xmm9 + xor edi,ecx + add ebp,eax + ror ebx,7 + add ebp,edi + pslld xmm2,2 + add edx,DWORD PTR[40+rsp] + xor esi,ecx + psrld xmm8,30 + mov edi,ebp + rol ebp,5 + xor esi,ebx + add edx,ebp + ror eax,7 + add edx,esi + por xmm2,xmm8 + add ecx,DWORD PTR[44+rsp] + xor edi,ebx + movdqa xmm9,xmm2 + mov esi,edx + rol edx,5 + xor 
edi,eax + add ecx,edx + ror ebp,7 + add ecx,edi + add ebx,DWORD PTR[48+rsp] + pxor xmm3,xmm7 +DB 102,68,15,58,15,201,8 + xor esi,eax + mov edi,ecx + rol ecx,5 + pxor xmm3,xmm4 + xor esi,ebp + add ebx,ecx + movdqa xmm8,xmm10 + paddd xmm10,xmm2 + ror edx,7 + add ebx,esi + pxor xmm3,xmm9 + add eax,DWORD PTR[52+rsp] + xor edi,ebp + mov esi,ebx + rol ebx,5 + movdqa xmm9,xmm3 + movdqa XMMWORD PTR[32+rsp],xmm10 + xor edi,edx + add eax,ebx + ror ecx,7 + add eax,edi + pslld xmm3,2 + add ebp,DWORD PTR[56+rsp] + xor esi,edx + psrld xmm9,30 + mov edi,eax + rol eax,5 + xor esi,ecx + add ebp,eax + ror ebx,7 + add ebp,esi + por xmm3,xmm9 + add edx,DWORD PTR[60+rsp] + xor edi,ecx + movdqa xmm10,xmm3 + mov esi,ebp + rol ebp,5 + xor edi,ebx + add edx,ebp + ror eax,7 + add edx,edi + add ecx,DWORD PTR[rsp] + pxor xmm4,xmm0 +DB 102,68,15,58,15,210,8 + xor esi,ebx + mov edi,edx + rol edx,5 + pxor xmm4,xmm5 + xor esi,eax + add ecx,edx + movdqa xmm9,xmm8 + paddd xmm8,xmm3 + ror ebp,7 + add ecx,esi + pxor xmm4,xmm10 + add ebx,DWORD PTR[4+rsp] + xor edi,eax + mov esi,ecx + rol ecx,5 + movdqa xmm10,xmm4 + movdqa XMMWORD PTR[48+rsp],xmm8 + xor edi,ebp + add ebx,ecx + ror edx,7 + add ebx,edi + pslld xmm4,2 + add eax,DWORD PTR[8+rsp] + xor esi,ebp + psrld xmm10,30 + mov edi,ebx + rol ebx,5 + xor esi,edx + add eax,ebx + ror ecx,7 + add eax,esi + por xmm4,xmm10 + add ebp,DWORD PTR[12+rsp] + xor edi,edx + movdqa xmm8,xmm4 + mov esi,eax + rol eax,5 + xor edi,ecx + add ebp,eax + ror ebx,7 + add ebp,edi + add edx,DWORD PTR[16+rsp] + pxor xmm5,xmm1 +DB 102,68,15,58,15,195,8 + xor esi,ecx + mov edi,ebp + rol ebp,5 + pxor xmm5,xmm6 + xor esi,ebx + add edx,ebp + movdqa xmm10,xmm9 + paddd xmm9,xmm4 + ror eax,7 + add edx,esi + pxor xmm5,xmm8 + add ecx,DWORD PTR[20+rsp] + xor edi,ebx + mov esi,edx + rol edx,5 + movdqa xmm8,xmm5 + movdqa XMMWORD PTR[rsp],xmm9 + xor edi,eax + add ecx,edx + ror ebp,7 + add ecx,edi + pslld xmm5,2 + add ebx,DWORD PTR[24+rsp] + xor esi,eax + psrld xmm8,30 + mov edi,ecx + rol 
ecx,5 + xor esi,ebp + add ebx,ecx + ror edx,7 + add ebx,esi + por xmm5,xmm8 + add eax,DWORD PTR[28+rsp] + xor edi,ebp + movdqa xmm9,xmm5 + mov esi,ebx + rol ebx,5 + xor edi,edx + add eax,ebx + ror ecx,7 + add eax,edi + mov edi,ecx + pxor xmm6,xmm2 +DB 102,68,15,58,15,204,8 + xor ecx,edx + add ebp,DWORD PTR[32+rsp] + and edi,edx + pxor xmm6,xmm7 + and esi,ecx + ror ebx,7 + movdqa xmm8,xmm10 + paddd xmm10,xmm5 + add ebp,edi + mov edi,eax + pxor xmm6,xmm9 + rol eax,5 + add ebp,esi + xor ecx,edx + add ebp,eax + movdqa xmm9,xmm6 + movdqa XMMWORD PTR[16+rsp],xmm10 + mov esi,ebx + xor ebx,ecx + add edx,DWORD PTR[36+rsp] + and esi,ecx + pslld xmm6,2 + and edi,ebx + ror eax,7 + psrld xmm9,30 + add edx,esi + mov esi,ebp + rol ebp,5 + add edx,edi + xor ebx,ecx + add edx,ebp + por xmm6,xmm9 + mov edi,eax + xor eax,ebx + movdqa xmm10,xmm6 + add ecx,DWORD PTR[40+rsp] + and edi,ebx + and esi,eax + ror ebp,7 + add ecx,edi + mov edi,edx + rol edx,5 + add ecx,esi + xor eax,ebx + add ecx,edx + mov esi,ebp + xor ebp,eax + add ebx,DWORD PTR[44+rsp] + and esi,eax + and edi,ebp + ror edx,7 + add ebx,esi + mov esi,ecx + rol ecx,5 + add ebx,edi + xor ebp,eax + add ebx,ecx + mov edi,edx + pxor xmm7,xmm3 +DB 102,68,15,58,15,213,8 + xor edx,ebp + add eax,DWORD PTR[48+rsp] + and edi,ebp + pxor xmm7,xmm0 + and esi,edx + ror ecx,7 + movdqa xmm9,XMMWORD PTR[48+r11] + paddd xmm8,xmm6 + add eax,edi + mov edi,ebx + pxor xmm7,xmm10 + rol ebx,5 + add eax,esi + xor edx,ebp + add eax,ebx + movdqa xmm10,xmm7 + movdqa XMMWORD PTR[32+rsp],xmm8 + mov esi,ecx + xor ecx,edx + add ebp,DWORD PTR[52+rsp] + and esi,edx + pslld xmm7,2 + and edi,ecx + ror ebx,7 + psrld xmm10,30 + add ebp,esi + mov esi,eax + rol eax,5 + add ebp,edi + xor ecx,edx + add ebp,eax + por xmm7,xmm10 + mov edi,ebx + xor ebx,ecx + movdqa xmm8,xmm7 + add edx,DWORD PTR[56+rsp] + and edi,ecx + and esi,ebx + ror eax,7 + add edx,edi + mov edi,ebp + rol ebp,5 + add edx,esi + xor ebx,ecx + add edx,ebp + mov esi,eax + xor eax,ebx + add ecx,DWORD 
PTR[60+rsp] + and esi,ebx + and edi,eax + ror ebp,7 + add ecx,esi + mov esi,edx + rol edx,5 + add ecx,edi + xor eax,ebx + add ecx,edx + mov edi,ebp + pxor xmm0,xmm4 +DB 102,68,15,58,15,198,8 + xor ebp,eax + add ebx,DWORD PTR[rsp] + and edi,eax + pxor xmm0,xmm1 + and esi,ebp + ror edx,7 + movdqa xmm10,xmm9 + paddd xmm9,xmm7 + add ebx,edi + mov edi,ecx + pxor xmm0,xmm8 + rol ecx,5 + add ebx,esi + xor ebp,eax + add ebx,ecx + movdqa xmm8,xmm0 + movdqa XMMWORD PTR[48+rsp],xmm9 + mov esi,edx + xor edx,ebp + add eax,DWORD PTR[4+rsp] + and esi,ebp + pslld xmm0,2 + and edi,edx + ror ecx,7 + psrld xmm8,30 + add eax,esi + mov esi,ebx + rol ebx,5 + add eax,edi + xor edx,ebp + add eax,ebx + por xmm0,xmm8 + mov edi,ecx + xor ecx,edx + movdqa xmm9,xmm0 + add ebp,DWORD PTR[8+rsp] + and edi,edx + and esi,ecx + ror ebx,7 + add ebp,edi + mov edi,eax + rol eax,5 + add ebp,esi + xor ecx,edx + add ebp,eax + mov esi,ebx + xor ebx,ecx + add edx,DWORD PTR[12+rsp] + and esi,ecx + and edi,ebx + ror eax,7 + add edx,esi + mov esi,ebp + rol ebp,5 + add edx,edi + xor ebx,ecx + add edx,ebp + mov edi,eax + pxor xmm1,xmm5 +DB 102,68,15,58,15,207,8 + xor eax,ebx + add ecx,DWORD PTR[16+rsp] + and edi,ebx + pxor xmm1,xmm2 + and esi,eax + ror ebp,7 + movdqa xmm8,xmm10 + paddd xmm10,xmm0 + add ecx,edi + mov edi,edx + pxor xmm1,xmm9 + rol edx,5 + add ecx,esi + xor eax,ebx + add ecx,edx + movdqa xmm9,xmm1 + movdqa XMMWORD PTR[rsp],xmm10 + mov esi,ebp + xor ebp,eax + add ebx,DWORD PTR[20+rsp] + and esi,eax + pslld xmm1,2 + and edi,ebp + ror edx,7 + psrld xmm9,30 + add ebx,esi + mov esi,ecx + rol ecx,5 + add ebx,edi + xor ebp,eax + add ebx,ecx + por xmm1,xmm9 + mov edi,edx + xor edx,ebp + movdqa xmm10,xmm1 + add eax,DWORD PTR[24+rsp] + and edi,ebp + and esi,edx + ror ecx,7 + add eax,edi + mov edi,ebx + rol ebx,5 + add eax,esi + xor edx,ebp + add eax,ebx + mov esi,ecx + xor ecx,edx + add ebp,DWORD PTR[28+rsp] + and esi,edx + and edi,ecx + ror ebx,7 + add ebp,esi + mov esi,eax + rol eax,5 + add ebp,edi + xor 
ecx,edx + add ebp,eax + mov edi,ebx + pxor xmm2,xmm6 +DB 102,68,15,58,15,208,8 + xor ebx,ecx + add edx,DWORD PTR[32+rsp] + and edi,ecx + pxor xmm2,xmm3 + and esi,ebx + ror eax,7 + movdqa xmm9,xmm8 + paddd xmm8,xmm1 + add edx,edi + mov edi,ebp + pxor xmm2,xmm10 + rol ebp,5 + add edx,esi + xor ebx,ecx + add edx,ebp + movdqa xmm10,xmm2 + movdqa XMMWORD PTR[16+rsp],xmm8 + mov esi,eax + xor eax,ebx + add ecx,DWORD PTR[36+rsp] + and esi,ebx + pslld xmm2,2 + and edi,eax + ror ebp,7 + psrld xmm10,30 + add ecx,esi + mov esi,edx + rol edx,5 + add ecx,edi + xor eax,ebx + add ecx,edx + por xmm2,xmm10 + mov edi,ebp + xor ebp,eax + movdqa xmm8,xmm2 + add ebx,DWORD PTR[40+rsp] + and edi,eax + and esi,ebp + ror edx,7 + add ebx,edi + mov edi,ecx + rol ecx,5 + add ebx,esi + xor ebp,eax + add ebx,ecx + mov esi,edx + xor edx,ebp + add eax,DWORD PTR[44+rsp] + and esi,ebp + and edi,edx + ror ecx,7 + add eax,esi + mov esi,ebx + rol ebx,5 + add eax,edi + xor edx,ebp + add eax,ebx + add ebp,DWORD PTR[48+rsp] + pxor xmm3,xmm7 +DB 102,68,15,58,15,193,8 + xor esi,edx + mov edi,eax + rol eax,5 + pxor xmm3,xmm4 + xor esi,ecx + add ebp,eax + movdqa xmm10,xmm9 + paddd xmm9,xmm2 + ror ebx,7 + add ebp,esi + pxor xmm3,xmm8 + add edx,DWORD PTR[52+rsp] + xor edi,ecx + mov esi,ebp + rol ebp,5 + movdqa xmm8,xmm3 + movdqa XMMWORD PTR[32+rsp],xmm9 + xor edi,ebx + add edx,ebp + ror eax,7 + add edx,edi + pslld xmm3,2 + add ecx,DWORD PTR[56+rsp] + xor esi,ebx + psrld xmm8,30 + mov edi,edx + rol edx,5 + xor esi,eax + add ecx,edx + ror ebp,7 + add ecx,esi + por xmm3,xmm8 + add ebx,DWORD PTR[60+rsp] + xor edi,eax + mov esi,ecx + rol ecx,5 + xor edi,ebp + add ebx,ecx + ror edx,7 + add ebx,edi + add eax,DWORD PTR[rsp] + paddd xmm10,xmm3 + xor esi,ebp + mov edi,ebx + rol ebx,5 + xor esi,edx + movdqa XMMWORD PTR[48+rsp],xmm10 + add eax,ebx + ror ecx,7 + add eax,esi + add ebp,DWORD PTR[4+rsp] + xor edi,edx + mov esi,eax + rol eax,5 + xor edi,ecx + add ebp,eax + ror ebx,7 + add ebp,edi + add edx,DWORD PTR[8+rsp] + 
xor esi,ecx + mov edi,ebp + rol ebp,5 + xor esi,ebx + add edx,ebp + ror eax,7 + add edx,esi + add ecx,DWORD PTR[12+rsp] + xor edi,ebx + mov esi,edx + rol edx,5 + xor edi,eax + add ecx,edx + ror ebp,7 + add ecx,edi + cmp r9,r10 + je $L$done_ssse3 + movdqa xmm6,XMMWORD PTR[64+r11] + movdqa xmm9,XMMWORD PTR[r11] + movdqu xmm0,XMMWORD PTR[r9] + movdqu xmm1,XMMWORD PTR[16+r9] + movdqu xmm2,XMMWORD PTR[32+r9] + movdqu xmm3,XMMWORD PTR[48+r9] +DB 102,15,56,0,198 + add r9,64 + add ebx,DWORD PTR[16+rsp] + xor esi,eax +DB 102,15,56,0,206 + mov edi,ecx + rol ecx,5 + paddd xmm0,xmm9 + xor esi,ebp + add ebx,ecx + ror edx,7 + add ebx,esi + movdqa XMMWORD PTR[rsp],xmm0 + add eax,DWORD PTR[20+rsp] + xor edi,ebp + psubd xmm0,xmm9 + mov esi,ebx + rol ebx,5 + xor edi,edx + add eax,ebx + ror ecx,7 + add eax,edi + add ebp,DWORD PTR[24+rsp] + xor esi,edx + mov edi,eax + rol eax,5 + xor esi,ecx + add ebp,eax + ror ebx,7 + add ebp,esi + add edx,DWORD PTR[28+rsp] + xor edi,ecx + mov esi,ebp + rol ebp,5 + xor edi,ebx + add edx,ebp + ror eax,7 + add edx,edi + add ecx,DWORD PTR[32+rsp] + xor esi,ebx +DB 102,15,56,0,214 + mov edi,edx + rol edx,5 + paddd xmm1,xmm9 + xor esi,eax + add ecx,edx + ror ebp,7 + add ecx,esi + movdqa XMMWORD PTR[16+rsp],xmm1 + add ebx,DWORD PTR[36+rsp] + xor edi,eax + psubd xmm1,xmm9 + mov esi,ecx + rol ecx,5 + xor edi,ebp + add ebx,ecx + ror edx,7 + add ebx,edi + add eax,DWORD PTR[40+rsp] + xor esi,ebp + mov edi,ebx + rol ebx,5 + xor esi,edx + add eax,ebx + ror ecx,7 + add eax,esi + add ebp,DWORD PTR[44+rsp] + xor edi,edx + mov esi,eax + rol eax,5 + xor edi,ecx + add ebp,eax + ror ebx,7 + add ebp,edi + add edx,DWORD PTR[48+rsp] + xor esi,ecx +DB 102,15,56,0,222 + mov edi,ebp + rol ebp,5 + paddd xmm2,xmm9 + xor esi,ebx + add edx,ebp + ror eax,7 + add edx,esi + movdqa XMMWORD PTR[32+rsp],xmm2 + add ecx,DWORD PTR[52+rsp] + xor edi,ebx + psubd xmm2,xmm9 + mov esi,edx + rol edx,5 + xor edi,eax + add ecx,edx + ror ebp,7 + add ecx,edi + add ebx,DWORD PTR[56+rsp] + xor 
esi,eax + mov edi,ecx + rol ecx,5 + xor esi,ebp + add ebx,ecx + ror edx,7 + add ebx,esi + add eax,DWORD PTR[60+rsp] + xor edi,ebp + mov esi,ebx + rol ebx,5 + xor edi,edx + add eax,ebx + ror ecx,7 + add eax,edi + add eax,DWORD PTR[r8] + add esi,DWORD PTR[4+r8] + add ecx,DWORD PTR[8+r8] + add edx,DWORD PTR[12+r8] + mov DWORD PTR[r8],eax + add ebp,DWORD PTR[16+r8] + mov DWORD PTR[4+r8],esi + mov ebx,esi + mov DWORD PTR[8+r8],ecx + mov DWORD PTR[12+r8],edx + mov DWORD PTR[16+r8],ebp + jmp $L$oop_ssse3 + +ALIGN 16 +$L$done_ssse3:: + add ebx,DWORD PTR[16+rsp] + xor esi,eax + mov edi,ecx + rol ecx,5 + xor esi,ebp + add ebx,ecx + ror edx,7 + add ebx,esi + add eax,DWORD PTR[20+rsp] + xor edi,ebp + mov esi,ebx + rol ebx,5 + xor edi,edx + add eax,ebx + ror ecx,7 + add eax,edi + add ebp,DWORD PTR[24+rsp] + xor esi,edx + mov edi,eax + rol eax,5 + xor esi,ecx + add ebp,eax + ror ebx,7 + add ebp,esi + add edx,DWORD PTR[28+rsp] + xor edi,ecx + mov esi,ebp + rol ebp,5 + xor edi,ebx + add edx,ebp + ror eax,7 + add edx,edi + add ecx,DWORD PTR[32+rsp] + xor esi,ebx + mov edi,edx + rol edx,5 + xor esi,eax + add ecx,edx + ror ebp,7 + add ecx,esi + add ebx,DWORD PTR[36+rsp] + xor edi,eax + mov esi,ecx + rol ecx,5 + xor edi,ebp + add ebx,ecx + ror edx,7 + add ebx,edi + add eax,DWORD PTR[40+rsp] + xor esi,ebp + mov edi,ebx + rol ebx,5 + xor esi,edx + add eax,ebx + ror ecx,7 + add eax,esi + add ebp,DWORD PTR[44+rsp] + xor edi,edx + mov esi,eax + rol eax,5 + xor edi,ecx + add ebp,eax + ror ebx,7 + add ebp,edi + add edx,DWORD PTR[48+rsp] + xor esi,ecx + mov edi,ebp + rol ebp,5 + xor esi,ebx + add edx,ebp + ror eax,7 + add edx,esi + add ecx,DWORD PTR[52+rsp] + xor edi,ebx + mov esi,edx + rol edx,5 + xor edi,eax + add ecx,edx + ror ebp,7 + add ecx,edi + add ebx,DWORD PTR[56+rsp] + xor esi,eax + mov edi,ecx + rol ecx,5 + xor esi,ebp + add ebx,ecx + ror edx,7 + add ebx,esi + add eax,DWORD PTR[60+rsp] + xor edi,ebp + mov esi,ebx + rol ebx,5 + xor edi,edx + add eax,ebx + ror ecx,7 + add eax,edi + 
add eax,DWORD PTR[r8] + add esi,DWORD PTR[4+r8] + add ecx,DWORD PTR[8+r8] + mov DWORD PTR[r8],eax + add edx,DWORD PTR[12+r8] + mov DWORD PTR[4+r8],esi + add ebp,DWORD PTR[16+r8] + mov DWORD PTR[8+r8],ecx + mov DWORD PTR[12+r8],edx + mov DWORD PTR[16+r8],ebp + movaps xmm6,XMMWORD PTR[((64+0))+rsp] + movaps xmm7,XMMWORD PTR[((64+16))+rsp] + movaps xmm8,XMMWORD PTR[((64+32))+rsp] + movaps xmm9,XMMWORD PTR[((64+48))+rsp] + movaps xmm10,XMMWORD PTR[((64+64))+rsp] + lea rsi,QWORD PTR[144+rsp] + mov r12,QWORD PTR[rsi] + mov rbp,QWORD PTR[8+rsi] + mov rbx,QWORD PTR[16+rsi] + lea rsp,QWORD PTR[24+rsi] +$L$epilogue_ssse3:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_sha1_block_data_order_ssse3:: +sha1_block_data_order_ssse3 ENDP +ALIGN 64 +K_XX_XX:: + DD 05a827999h,05a827999h,05a827999h,05a827999h + DD 06ed9eba1h,06ed9eba1h,06ed9eba1h,06ed9eba1h + DD 08f1bbcdch,08f1bbcdch,08f1bbcdch,08f1bbcdch + DD 0ca62c1d6h,0ca62c1d6h,0ca62c1d6h,0ca62c1d6h + DD 000010203h,004050607h,008090a0bh,00c0d0e0fh +DB 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115 +DB 102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44 +DB 32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60 +DB 97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114 +DB 103,62,0 +ALIGN 64 +EXTERN __imp_RtlVirtualUnwind:NEAR + +ALIGN 16 +se_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[120+r8] + mov rbx,QWORD PTR[248+r8] + + lea r10,QWORD PTR[$L$prologue] + cmp rbx,r10 + jb $L$common_seh_tail + + mov rax,QWORD PTR[152+r8] + + lea r10,QWORD PTR[$L$epilogue] + cmp rbx,r10 + jae $L$common_seh_tail + + mov rax,QWORD PTR[64+rax] + lea rax,QWORD PTR[32+rax] + + mov rbx,QWORD PTR[((-8))+rax] + mov rbp,QWORD PTR[((-16))+rax] + mov r12,QWORD PTR[((-24))+rax] + mov r13,QWORD PTR[((-32))+rax] + mov QWORD PTR[144+r8],rbx + mov QWORD PTR[160+r8],rbp + mov QWORD 
PTR[216+r8],r12 + mov QWORD PTR[224+r8],r13 + + jmp $L$common_seh_tail +se_handler ENDP + + +ALIGN 16 +ssse3_handler PROC PRIVATE + push rsi + push rdi + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + pushfq + sub rsp,64 + + mov rax,QWORD PTR[120+r8] + mov rbx,QWORD PTR[248+r8] + + mov rsi,QWORD PTR[8+r9] + mov r11,QWORD PTR[56+r9] + + mov r10d,DWORD PTR[r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jb $L$common_seh_tail + + mov rax,QWORD PTR[152+r8] + + mov r10d,DWORD PTR[4+r11] + lea r10,QWORD PTR[r10*1+rsi] + cmp rbx,r10 + jae $L$common_seh_tail + + lea rsi,QWORD PTR[64+rax] + lea rdi,QWORD PTR[512+r8] + mov ecx,10 + DD 0a548f3fch + lea rax,QWORD PTR[168+rax] + + mov rbx,QWORD PTR[((-8))+rax] + mov rbp,QWORD PTR[((-16))+rax] + mov r12,QWORD PTR[((-24))+rax] + mov QWORD PTR[144+r8],rbx + mov QWORD PTR[160+r8],rbp + mov QWORD PTR[216+r8],r12 + +$L$common_seh_tail:: + mov rdi,QWORD PTR[8+rax] + mov rsi,QWORD PTR[16+rax] + mov QWORD PTR[152+r8],rax + mov QWORD PTR[168+r8],rsi + mov QWORD PTR[176+r8],rdi + + mov rdi,QWORD PTR[40+r9] + mov rsi,r8 + mov ecx,154 + DD 0a548f3fch + + mov rsi,r9 + xor rcx,rcx + mov rdx,QWORD PTR[8+rsi] + mov r8,QWORD PTR[rsi] + mov r9,QWORD PTR[16+rsi] + mov r10,QWORD PTR[40+rsi] + lea r11,QWORD PTR[56+rsi] + lea r12,QWORD PTR[24+rsi] + mov QWORD PTR[32+rsp],r10 + mov QWORD PTR[40+rsp],r11 + mov QWORD PTR[48+rsp],r12 + mov QWORD PTR[56+rsp],rcx + call QWORD PTR[__imp_RtlVirtualUnwind] + + mov eax,1 + add rsp,64 + popfq + pop r15 + pop r14 + pop r13 + pop r12 + pop rbp + pop rbx + pop rdi + pop rsi + DB 0F3h,0C3h ;repret +ssse3_handler ENDP + +.text$ ENDS +.pdata SEGMENT READONLY ALIGN(4) +ALIGN 4 + DD imagerel $L$SEH_begin_sha1_block_data_order + DD imagerel $L$SEH_end_sha1_block_data_order + DD imagerel $L$SEH_info_sha1_block_data_order + DD imagerel $L$SEH_begin_sha1_block_data_order_ssse3 + DD imagerel $L$SEH_end_sha1_block_data_order_ssse3 + DD imagerel $L$SEH_info_sha1_block_data_order_ssse3 +.pdata ENDS 
+.xdata SEGMENT READONLY ALIGN(8) +ALIGN 8 +$L$SEH_info_sha1_block_data_order:: +DB 9,0,0,0 + DD imagerel se_handler +$L$SEH_info_sha1_block_data_order_ssse3:: +DB 9,0,0,0 + DD imagerel ssse3_handler + DD imagerel $L$prologue_ssse3,imagerel $L$epilogue_ssse3 + +.xdata ENDS +END + diff --git a/crypto/sha/sha1-mingw64-x86_64.S b/crypto/sha/sha1-mingw64-x86_64.S new file mode 100644 index 0000000..3ce9fc9 --- /dev/null +++ b/crypto/sha/sha1-mingw64-x86_64.S 
@@ -0,0 +1,2664 @@ +#include "x86_arch.h" +.text + + + +.globl sha1_block_data_order +.def sha1_block_data_order; .scl 2; .type 32; .endef +.p2align 4 +sha1_block_data_order: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_sha1_block_data_order: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + + movl OPENSSL_ia32cap_P+0(%rip),%r9d + movl OPENSSL_ia32cap_P+4(%rip),%r8d + testl $IA32CAP_MASK1_SSSE3,%r8d + jz .Lialu + jmp _ssse3_shortcut + +.p2align 4 +.Lialu: + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + movq %rsp,%r11 + movq %rdi,%r8 + subq $72,%rsp + movq %rsi,%r9 + andq $-64,%rsp + movq %rdx,%r10 + movq %r11,64(%rsp) +.Lprologue: + + movl 0(%r8),%esi + movl 4(%r8),%edi + movl 8(%r8),%r11d + movl 12(%r8),%r12d + movl 16(%r8),%r13d + jmp .Lloop + +.p2align 4 +.Lloop: + movl 0(%r9),%edx + bswapl %edx + movl %edx,0(%rsp) + movl %r11d,%eax + movl 4(%r9),%ebp + movl %esi,%ecx + xorl %r12d,%eax + bswapl %ebp + roll $5,%ecx + leal 1518500249(%rdx,%r13,1),%r13d + andl %edi,%eax + movl %ebp,4(%rsp) + addl %ecx,%r13d + xorl %r12d,%eax + roll $30,%edi + addl %eax,%r13d + movl %edi,%eax + movl 8(%r9),%edx + movl %r13d,%ecx + xorl %r11d,%eax + bswapl %edx + roll $5,%ecx + leal 1518500249(%rbp,%r12,1),%r12d + andl %esi,%eax + movl %edx,8(%rsp) + addl %ecx,%r12d + xorl %r11d,%eax + roll $30,%esi + addl %eax,%r12d + movl %esi,%eax + movl 12(%r9),%ebp + movl %r12d,%ecx + xorl %edi,%eax + bswapl %ebp + roll $5,%ecx + leal 1518500249(%rdx,%r11,1),%r11d + andl %r13d,%eax + movl %ebp,12(%rsp) + addl %ecx,%r11d + xorl %edi,%eax + roll $30,%r13d + addl %eax,%r11d + movl %r13d,%eax + movl 16(%r9),%edx + movl %r11d,%ecx + xorl %esi,%eax + bswapl %edx + roll $5,%ecx + leal 1518500249(%rbp,%rdi,1),%edi + andl %r12d,%eax + movl %edx,16(%rsp) + addl %ecx,%edi + xorl %esi,%eax + roll $30,%r12d + addl %eax,%edi + movl %r12d,%eax + movl 20(%r9),%ebp + movl %edi,%ecx + xorl %r13d,%eax + bswapl %ebp + roll $5,%ecx + leal 1518500249(%rdx,%rsi,1),%esi + andl 
%r11d,%eax + movl %ebp,20(%rsp) + addl %ecx,%esi + xorl %r13d,%eax + roll $30,%r11d + addl %eax,%esi + movl %r11d,%eax + movl 24(%r9),%edx + movl %esi,%ecx + xorl %r12d,%eax + bswapl %edx + roll $5,%ecx + leal 1518500249(%rbp,%r13,1),%r13d + andl %edi,%eax + movl %edx,24(%rsp) + addl %ecx,%r13d + xorl %r12d,%eax + roll $30,%edi + addl %eax,%r13d + movl %edi,%eax + movl 28(%r9),%ebp + movl %r13d,%ecx + xorl %r11d,%eax + bswapl %ebp + roll $5,%ecx + leal 1518500249(%rdx,%r12,1),%r12d + andl %esi,%eax + movl %ebp,28(%rsp) + addl %ecx,%r12d + xorl %r11d,%eax + roll $30,%esi + addl %eax,%r12d + movl %esi,%eax + movl 32(%r9),%edx + movl %r12d,%ecx + xorl %edi,%eax + bswapl %edx + roll $5,%ecx + leal 1518500249(%rbp,%r11,1),%r11d + andl %r13d,%eax + movl %edx,32(%rsp) + addl %ecx,%r11d + xorl %edi,%eax + roll $30,%r13d + addl %eax,%r11d + movl %r13d,%eax + movl 36(%r9),%ebp + movl %r11d,%ecx + xorl %esi,%eax + bswapl %ebp + roll $5,%ecx + leal 1518500249(%rdx,%rdi,1),%edi + andl %r12d,%eax + movl %ebp,36(%rsp) + addl %ecx,%edi + xorl %esi,%eax + roll $30,%r12d + addl %eax,%edi + movl %r12d,%eax + movl 40(%r9),%edx + movl %edi,%ecx + xorl %r13d,%eax + bswapl %edx + roll $5,%ecx + leal 1518500249(%rbp,%rsi,1),%esi + andl %r11d,%eax + movl %edx,40(%rsp) + addl %ecx,%esi + xorl %r13d,%eax + roll $30,%r11d + addl %eax,%esi + movl %r11d,%eax + movl 44(%r9),%ebp + movl %esi,%ecx + xorl %r12d,%eax + bswapl %ebp + roll $5,%ecx + leal 1518500249(%rdx,%r13,1),%r13d + andl %edi,%eax + movl %ebp,44(%rsp) + addl %ecx,%r13d + xorl %r12d,%eax + roll $30,%edi + addl %eax,%r13d + movl %edi,%eax + movl 48(%r9),%edx + movl %r13d,%ecx + xorl %r11d,%eax + bswapl %edx + roll $5,%ecx + leal 1518500249(%rbp,%r12,1),%r12d + andl %esi,%eax + movl %edx,48(%rsp) + addl %ecx,%r12d + xorl %r11d,%eax + roll $30,%esi + addl %eax,%r12d + movl %esi,%eax + movl 52(%r9),%ebp + movl %r12d,%ecx + xorl %edi,%eax + bswapl %ebp + roll $5,%ecx + leal 1518500249(%rdx,%r11,1),%r11d + andl %r13d,%eax + movl 
%ebp,52(%rsp) + addl %ecx,%r11d + xorl %edi,%eax + roll $30,%r13d + addl %eax,%r11d + movl %r13d,%eax + movl 56(%r9),%edx + movl %r11d,%ecx + xorl %esi,%eax + bswapl %edx + roll $5,%ecx + leal 1518500249(%rbp,%rdi,1),%edi + andl %r12d,%eax + movl %edx,56(%rsp) + addl %ecx,%edi + xorl %esi,%eax + roll $30,%r12d + addl %eax,%edi + movl %r12d,%eax + movl 60(%r9),%ebp + movl %edi,%ecx + xorl %r13d,%eax + bswapl %ebp + roll $5,%ecx + leal 1518500249(%rdx,%rsi,1),%esi + andl %r11d,%eax + movl %ebp,60(%rsp) + addl %ecx,%esi + xorl %r13d,%eax + roll $30,%r11d + addl %eax,%esi + movl 0(%rsp),%edx + movl %r11d,%eax + movl %esi,%ecx + xorl 8(%rsp),%edx + xorl %r12d,%eax + roll $5,%ecx + xorl 32(%rsp),%edx + andl %edi,%eax + leal 1518500249(%rbp,%r13,1),%r13d + xorl 52(%rsp),%edx + xorl %r12d,%eax + roll $1,%edx + addl %ecx,%r13d + roll $30,%edi + movl %edx,0(%rsp) + addl %eax,%r13d + movl 4(%rsp),%ebp + movl %edi,%eax + movl %r13d,%ecx + xorl 12(%rsp),%ebp + xorl %r11d,%eax + roll $5,%ecx + xorl 36(%rsp),%ebp + andl %esi,%eax + leal 1518500249(%rdx,%r12,1),%r12d + xorl 56(%rsp),%ebp + xorl %r11d,%eax + roll $1,%ebp + addl %ecx,%r12d + roll $30,%esi + movl %ebp,4(%rsp) + addl %eax,%r12d + movl 8(%rsp),%edx + movl %esi,%eax + movl %r12d,%ecx + xorl 16(%rsp),%edx + xorl %edi,%eax + roll $5,%ecx + xorl 40(%rsp),%edx + andl %r13d,%eax + leal 1518500249(%rbp,%r11,1),%r11d + xorl 60(%rsp),%edx + xorl %edi,%eax + roll $1,%edx + addl %ecx,%r11d + roll $30,%r13d + movl %edx,8(%rsp) + addl %eax,%r11d + movl 12(%rsp),%ebp + movl %r13d,%eax + movl %r11d,%ecx + xorl 20(%rsp),%ebp + xorl %esi,%eax + roll $5,%ecx + xorl 44(%rsp),%ebp + andl %r12d,%eax + leal 1518500249(%rdx,%rdi,1),%edi + xorl 0(%rsp),%ebp + xorl %esi,%eax + roll $1,%ebp + addl %ecx,%edi + roll $30,%r12d + movl %ebp,12(%rsp) + addl %eax,%edi + movl 16(%rsp),%edx + movl %r12d,%eax + movl %edi,%ecx + xorl 24(%rsp),%edx + xorl %r13d,%eax + roll $5,%ecx + xorl 48(%rsp),%edx + andl %r11d,%eax + leal 1518500249(%rbp,%rsi,1),%esi + 
xorl 4(%rsp),%edx + xorl %r13d,%eax + roll $1,%edx + addl %ecx,%esi + roll $30,%r11d + movl %edx,16(%rsp) + addl %eax,%esi + movl 20(%rsp),%ebp + movl %r11d,%eax + movl %esi,%ecx + xorl 28(%rsp),%ebp + xorl %edi,%eax + roll $5,%ecx + leal 1859775393(%rdx,%r13,1),%r13d + xorl 52(%rsp),%ebp + xorl %r12d,%eax + addl %ecx,%r13d + xorl 8(%rsp),%ebp + roll $30,%edi + addl %eax,%r13d + roll $1,%ebp + movl %ebp,20(%rsp) + movl 24(%rsp),%edx + movl %edi,%eax + movl %r13d,%ecx + xorl 32(%rsp),%edx + xorl %esi,%eax + roll $5,%ecx + leal 1859775393(%rbp,%r12,1),%r12d + xorl 56(%rsp),%edx + xorl %r11d,%eax + addl %ecx,%r12d + xorl 12(%rsp),%edx + roll $30,%esi + addl %eax,%r12d + roll $1,%edx + movl %edx,24(%rsp) + movl 28(%rsp),%ebp + movl %esi,%eax + movl %r12d,%ecx + xorl 36(%rsp),%ebp + xorl %r13d,%eax + roll $5,%ecx + leal 1859775393(%rdx,%r11,1),%r11d + xorl 60(%rsp),%ebp + xorl %edi,%eax + addl %ecx,%r11d + xorl 16(%rsp),%ebp + roll $30,%r13d + addl %eax,%r11d + roll $1,%ebp + movl %ebp,28(%rsp) + movl 32(%rsp),%edx + movl %r13d,%eax + movl %r11d,%ecx + xorl 40(%rsp),%edx + xorl %r12d,%eax + roll $5,%ecx + leal 1859775393(%rbp,%rdi,1),%edi + xorl 0(%rsp),%edx + xorl %esi,%eax + addl %ecx,%edi + xorl 20(%rsp),%edx + roll $30,%r12d + addl %eax,%edi + roll $1,%edx + movl %edx,32(%rsp) + movl 36(%rsp),%ebp + movl %r12d,%eax + movl %edi,%ecx + xorl 44(%rsp),%ebp + xorl %r11d,%eax + roll $5,%ecx + leal 1859775393(%rdx,%rsi,1),%esi + xorl 4(%rsp),%ebp + xorl %r13d,%eax + addl %ecx,%esi + xorl 24(%rsp),%ebp + roll $30,%r11d + addl %eax,%esi + roll $1,%ebp + movl %ebp,36(%rsp) + movl 40(%rsp),%edx + movl %r11d,%eax + movl %esi,%ecx + xorl 48(%rsp),%edx + xorl %edi,%eax + roll $5,%ecx + leal 1859775393(%rbp,%r13,1),%r13d + xorl 8(%rsp),%edx + xorl %r12d,%eax + addl %ecx,%r13d + xorl 28(%rsp),%edx + roll $30,%edi + addl %eax,%r13d + roll $1,%edx + movl %edx,40(%rsp) + movl 44(%rsp),%ebp + movl %edi,%eax + movl %r13d,%ecx + xorl 52(%rsp),%ebp + xorl %esi,%eax + roll $5,%ecx + leal 
1859775393(%rdx,%r12,1),%r12d + xorl 12(%rsp),%ebp + xorl %r11d,%eax + addl %ecx,%r12d + xorl 32(%rsp),%ebp + roll $30,%esi + addl %eax,%r12d + roll $1,%ebp + movl %ebp,44(%rsp) + movl 48(%rsp),%edx + movl %esi,%eax + movl %r12d,%ecx + xorl 56(%rsp),%edx + xorl %r13d,%eax + roll $5,%ecx + leal 1859775393(%rbp,%r11,1),%r11d + xorl 16(%rsp),%edx + xorl %edi,%eax + addl %ecx,%r11d + xorl 36(%rsp),%edx + roll $30,%r13d + addl %eax,%r11d + roll $1,%edx + movl %edx,48(%rsp) + movl 52(%rsp),%ebp + movl %r13d,%eax + movl %r11d,%ecx + xorl 60(%rsp),%ebp + xorl %r12d,%eax + roll $5,%ecx + leal 1859775393(%rdx,%rdi,1),%edi + xorl 20(%rsp),%ebp + xorl %esi,%eax + addl %ecx,%edi + xorl 40(%rsp),%ebp + roll $30,%r12d + addl %eax,%edi + roll $1,%ebp + movl %ebp,52(%rsp) + movl 56(%rsp),%edx + movl %r12d,%eax + movl %edi,%ecx + xorl 0(%rsp),%edx + xorl %r11d,%eax + roll $5,%ecx + leal 1859775393(%rbp,%rsi,1),%esi + xorl 24(%rsp),%edx + xorl %r13d,%eax + addl %ecx,%esi + xorl 44(%rsp),%edx + roll $30,%r11d + addl %eax,%esi + roll $1,%edx + movl %edx,56(%rsp) + movl 60(%rsp),%ebp + movl %r11d,%eax + movl %esi,%ecx + xorl 4(%rsp),%ebp + xorl %edi,%eax + roll $5,%ecx + leal 1859775393(%rdx,%r13,1),%r13d + xorl 28(%rsp),%ebp + xorl %r12d,%eax + addl %ecx,%r13d + xorl 48(%rsp),%ebp + roll $30,%edi + addl %eax,%r13d + roll $1,%ebp + movl %ebp,60(%rsp) + movl 0(%rsp),%edx + movl %edi,%eax + movl %r13d,%ecx + xorl 8(%rsp),%edx + xorl %esi,%eax + roll $5,%ecx + leal 1859775393(%rbp,%r12,1),%r12d + xorl 32(%rsp),%edx + xorl %r11d,%eax + addl %ecx,%r12d + xorl 52(%rsp),%edx + roll $30,%esi + addl %eax,%r12d + roll $1,%edx + movl %edx,0(%rsp) + movl 4(%rsp),%ebp + movl %esi,%eax + movl %r12d,%ecx + xorl 12(%rsp),%ebp + xorl %r13d,%eax + roll $5,%ecx + leal 1859775393(%rdx,%r11,1),%r11d + xorl 36(%rsp),%ebp + xorl %edi,%eax + addl %ecx,%r11d + xorl 56(%rsp),%ebp + roll $30,%r13d + addl %eax,%r11d + roll $1,%ebp + movl %ebp,4(%rsp) + movl 8(%rsp),%edx + movl %r13d,%eax + movl %r11d,%ecx + xorl 
16(%rsp),%edx + xorl %r12d,%eax + roll $5,%ecx + leal 1859775393(%rbp,%rdi,1),%edi + xorl 40(%rsp),%edx + xorl %esi,%eax + addl %ecx,%edi + xorl 60(%rsp),%edx + roll $30,%r12d + addl %eax,%edi + roll $1,%edx + movl %edx,8(%rsp) + movl 12(%rsp),%ebp + movl %r12d,%eax + movl %edi,%ecx + xorl 20(%rsp),%ebp + xorl %r11d,%eax + roll $5,%ecx + leal 1859775393(%rdx,%rsi,1),%esi + xorl 44(%rsp),%ebp + xorl %r13d,%eax + addl %ecx,%esi + xorl 0(%rsp),%ebp + roll $30,%r11d + addl %eax,%esi + roll $1,%ebp + movl %ebp,12(%rsp) + movl 16(%rsp),%edx + movl %r11d,%eax + movl %esi,%ecx + xorl 24(%rsp),%edx + xorl %edi,%eax + roll $5,%ecx + leal 1859775393(%rbp,%r13,1),%r13d + xorl 48(%rsp),%edx + xorl %r12d,%eax + addl %ecx,%r13d + xorl 4(%rsp),%edx + roll $30,%edi + addl %eax,%r13d + roll $1,%edx + movl %edx,16(%rsp) + movl 20(%rsp),%ebp + movl %edi,%eax + movl %r13d,%ecx + xorl 28(%rsp),%ebp + xorl %esi,%eax + roll $5,%ecx + leal 1859775393(%rdx,%r12,1),%r12d + xorl 52(%rsp),%ebp + xorl %r11d,%eax + addl %ecx,%r12d + xorl 8(%rsp),%ebp + roll $30,%esi + addl %eax,%r12d + roll $1,%ebp + movl %ebp,20(%rsp) + movl 24(%rsp),%edx + movl %esi,%eax + movl %r12d,%ecx + xorl 32(%rsp),%edx + xorl %r13d,%eax + roll $5,%ecx + leal 1859775393(%rbp,%r11,1),%r11d + xorl 56(%rsp),%edx + xorl %edi,%eax + addl %ecx,%r11d + xorl 12(%rsp),%edx + roll $30,%r13d + addl %eax,%r11d + roll $1,%edx + movl %edx,24(%rsp) + movl 28(%rsp),%ebp + movl %r13d,%eax + movl %r11d,%ecx + xorl 36(%rsp),%ebp + xorl %r12d,%eax + roll $5,%ecx + leal 1859775393(%rdx,%rdi,1),%edi + xorl 60(%rsp),%ebp + xorl %esi,%eax + addl %ecx,%edi + xorl 16(%rsp),%ebp + roll $30,%r12d + addl %eax,%edi + roll $1,%ebp + movl %ebp,28(%rsp) + movl 32(%rsp),%edx + movl %r12d,%eax + movl %edi,%ecx + xorl 40(%rsp),%edx + xorl %r11d,%eax + roll $5,%ecx + leal 1859775393(%rbp,%rsi,1),%esi + xorl 0(%rsp),%edx + xorl %r13d,%eax + addl %ecx,%esi + xorl 20(%rsp),%edx + roll $30,%r11d + addl %eax,%esi + roll $1,%edx + movl %edx,32(%rsp) + movl 
36(%rsp),%ebp + movl %r11d,%eax + movl %r11d,%ebx + xorl 44(%rsp),%ebp + andl %r12d,%eax + movl %esi,%ecx + xorl 4(%rsp),%ebp + xorl %r12d,%ebx + leal -1894007588(%rdx,%r13,1),%r13d + roll $5,%ecx + xorl 24(%rsp),%ebp + addl %eax,%r13d + andl %edi,%ebx + roll $1,%ebp + addl %ebx,%r13d + roll $30,%edi + movl %ebp,36(%rsp) + addl %ecx,%r13d + movl 40(%rsp),%edx + movl %edi,%eax + movl %edi,%ebx + xorl 48(%rsp),%edx + andl %r11d,%eax + movl %r13d,%ecx + xorl 8(%rsp),%edx + xorl %r11d,%ebx + leal -1894007588(%rbp,%r12,1),%r12d + roll $5,%ecx + xorl 28(%rsp),%edx + addl %eax,%r12d + andl %esi,%ebx + roll $1,%edx + addl %ebx,%r12d + roll $30,%esi + movl %edx,40(%rsp) + addl %ecx,%r12d + movl 44(%rsp),%ebp + movl %esi,%eax + movl %esi,%ebx + xorl 52(%rsp),%ebp + andl %edi,%eax + movl %r12d,%ecx + xorl 12(%rsp),%ebp + xorl %edi,%ebx + leal -1894007588(%rdx,%r11,1),%r11d + roll $5,%ecx + xorl 32(%rsp),%ebp + addl %eax,%r11d + andl %r13d,%ebx + roll $1,%ebp + addl %ebx,%r11d + roll $30,%r13d + movl %ebp,44(%rsp) + addl %ecx,%r11d + movl 48(%rsp),%edx + movl %r13d,%eax + movl %r13d,%ebx + xorl 56(%rsp),%edx + andl %esi,%eax + movl %r11d,%ecx + xorl 16(%rsp),%edx + xorl %esi,%ebx + leal -1894007588(%rbp,%rdi,1),%edi + roll $5,%ecx + xorl 36(%rsp),%edx + addl %eax,%edi + andl %r12d,%ebx + roll $1,%edx + addl %ebx,%edi + roll $30,%r12d + movl %edx,48(%rsp) + addl %ecx,%edi + movl 52(%rsp),%ebp + movl %r12d,%eax + movl %r12d,%ebx + xorl 60(%rsp),%ebp + andl %r13d,%eax + movl %edi,%ecx + xorl 20(%rsp),%ebp + xorl %r13d,%ebx + leal -1894007588(%rdx,%rsi,1),%esi + roll $5,%ecx + xorl 40(%rsp),%ebp + addl %eax,%esi + andl %r11d,%ebx + roll $1,%ebp + addl %ebx,%esi + roll $30,%r11d + movl %ebp,52(%rsp) + addl %ecx,%esi + movl 56(%rsp),%edx + movl %r11d,%eax + movl %r11d,%ebx + xorl 0(%rsp),%edx + andl %r12d,%eax + movl %esi,%ecx + xorl 24(%rsp),%edx + xorl %r12d,%ebx + leal -1894007588(%rbp,%r13,1),%r13d + roll $5,%ecx + xorl 44(%rsp),%edx + addl %eax,%r13d + andl %edi,%ebx + roll 
$1,%edx + addl %ebx,%r13d + roll $30,%edi + movl %edx,56(%rsp) + addl %ecx,%r13d + movl 60(%rsp),%ebp + movl %edi,%eax + movl %edi,%ebx + xorl 4(%rsp),%ebp + andl %r11d,%eax + movl %r13d,%ecx + xorl 28(%rsp),%ebp + xorl %r11d,%ebx + leal -1894007588(%rdx,%r12,1),%r12d + roll $5,%ecx + xorl 48(%rsp),%ebp + addl %eax,%r12d + andl %esi,%ebx + roll $1,%ebp + addl %ebx,%r12d + roll $30,%esi + movl %ebp,60(%rsp) + addl %ecx,%r12d + movl 0(%rsp),%edx + movl %esi,%eax + movl %esi,%ebx + xorl 8(%rsp),%edx + andl %edi,%eax + movl %r12d,%ecx + xorl 32(%rsp),%edx + xorl %edi,%ebx + leal -1894007588(%rbp,%r11,1),%r11d + roll $5,%ecx + xorl 52(%rsp),%edx + addl %eax,%r11d + andl %r13d,%ebx + roll $1,%edx + addl %ebx,%r11d + roll $30,%r13d + movl %edx,0(%rsp) + addl %ecx,%r11d + movl 4(%rsp),%ebp + movl %r13d,%eax + movl %r13d,%ebx + xorl 12(%rsp),%ebp + andl %esi,%eax + movl %r11d,%ecx + xorl 36(%rsp),%ebp + xorl %esi,%ebx + leal -1894007588(%rdx,%rdi,1),%edi + roll $5,%ecx + xorl 56(%rsp),%ebp + addl %eax,%edi + andl %r12d,%ebx + roll $1,%ebp + addl %ebx,%edi + roll $30,%r12d + movl %ebp,4(%rsp) + addl %ecx,%edi + movl 8(%rsp),%edx + movl %r12d,%eax + movl %r12d,%ebx + xorl 16(%rsp),%edx + andl %r13d,%eax + movl %edi,%ecx + xorl 40(%rsp),%edx + xorl %r13d,%ebx + leal -1894007588(%rbp,%rsi,1),%esi + roll $5,%ecx + xorl 60(%rsp),%edx + addl %eax,%esi + andl %r11d,%ebx + roll $1,%edx + addl %ebx,%esi + roll $30,%r11d + movl %edx,8(%rsp) + addl %ecx,%esi + movl 12(%rsp),%ebp + movl %r11d,%eax + movl %r11d,%ebx + xorl 20(%rsp),%ebp + andl %r12d,%eax + movl %esi,%ecx + xorl 44(%rsp),%ebp + xorl %r12d,%ebx + leal -1894007588(%rdx,%r13,1),%r13d + roll $5,%ecx + xorl 0(%rsp),%ebp + addl %eax,%r13d + andl %edi,%ebx + roll $1,%ebp + addl %ebx,%r13d + roll $30,%edi + movl %ebp,12(%rsp) + addl %ecx,%r13d + movl 16(%rsp),%edx + movl %edi,%eax + movl %edi,%ebx + xorl 24(%rsp),%edx + andl %r11d,%eax + movl %r13d,%ecx + xorl 48(%rsp),%edx + xorl %r11d,%ebx + leal -1894007588(%rbp,%r12,1),%r12d 
+ roll $5,%ecx + xorl 4(%rsp),%edx + addl %eax,%r12d + andl %esi,%ebx + roll $1,%edx + addl %ebx,%r12d + roll $30,%esi + movl %edx,16(%rsp) + addl %ecx,%r12d + movl 20(%rsp),%ebp + movl %esi,%eax + movl %esi,%ebx + xorl 28(%rsp),%ebp + andl %edi,%eax + movl %r12d,%ecx + xorl 52(%rsp),%ebp + xorl %edi,%ebx + leal -1894007588(%rdx,%r11,1),%r11d + roll $5,%ecx + xorl 8(%rsp),%ebp + addl %eax,%r11d + andl %r13d,%ebx + roll $1,%ebp + addl %ebx,%r11d + roll $30,%r13d + movl %ebp,20(%rsp) + addl %ecx,%r11d + movl 24(%rsp),%edx + movl %r13d,%eax + movl %r13d,%ebx + xorl 32(%rsp),%edx + andl %esi,%eax + movl %r11d,%ecx + xorl 56(%rsp),%edx + xorl %esi,%ebx + leal -1894007588(%rbp,%rdi,1),%edi + roll $5,%ecx + xorl 12(%rsp),%edx + addl %eax,%edi + andl %r12d,%ebx + roll $1,%edx + addl %ebx,%edi + roll $30,%r12d + movl %edx,24(%rsp) + addl %ecx,%edi + movl 28(%rsp),%ebp + movl %r12d,%eax + movl %r12d,%ebx + xorl 36(%rsp),%ebp + andl %r13d,%eax + movl %edi,%ecx + xorl 60(%rsp),%ebp + xorl %r13d,%ebx + leal -1894007588(%rdx,%rsi,1),%esi + roll $5,%ecx + xorl 16(%rsp),%ebp + addl %eax,%esi + andl %r11d,%ebx + roll $1,%ebp + addl %ebx,%esi + roll $30,%r11d + movl %ebp,28(%rsp) + addl %ecx,%esi + movl 32(%rsp),%edx + movl %r11d,%eax + movl %r11d,%ebx + xorl 40(%rsp),%edx + andl %r12d,%eax + movl %esi,%ecx + xorl 0(%rsp),%edx + xorl %r12d,%ebx + leal -1894007588(%rbp,%r13,1),%r13d + roll $5,%ecx + xorl 20(%rsp),%edx + addl %eax,%r13d + andl %edi,%ebx + roll $1,%edx + addl %ebx,%r13d + roll $30,%edi + movl %edx,32(%rsp) + addl %ecx,%r13d + movl 36(%rsp),%ebp + movl %edi,%eax + movl %edi,%ebx + xorl 44(%rsp),%ebp + andl %r11d,%eax + movl %r13d,%ecx + xorl 4(%rsp),%ebp + xorl %r11d,%ebx + leal -1894007588(%rdx,%r12,1),%r12d + roll $5,%ecx + xorl 24(%rsp),%ebp + addl %eax,%r12d + andl %esi,%ebx + roll $1,%ebp + addl %ebx,%r12d + roll $30,%esi + movl %ebp,36(%rsp) + addl %ecx,%r12d + movl 40(%rsp),%edx + movl %esi,%eax + movl %esi,%ebx + xorl 48(%rsp),%edx + andl %edi,%eax + movl 
%r12d,%ecx + xorl 8(%rsp),%edx + xorl %edi,%ebx + leal -1894007588(%rbp,%r11,1),%r11d + roll $5,%ecx + xorl 28(%rsp),%edx + addl %eax,%r11d + andl %r13d,%ebx + roll $1,%edx + addl %ebx,%r11d + roll $30,%r13d + movl %edx,40(%rsp) + addl %ecx,%r11d + movl 44(%rsp),%ebp + movl %r13d,%eax + movl %r13d,%ebx + xorl 52(%rsp),%ebp + andl %esi,%eax + movl %r11d,%ecx + xorl 12(%rsp),%ebp + xorl %esi,%ebx + leal -1894007588(%rdx,%rdi,1),%edi + roll $5,%ecx + xorl 32(%rsp),%ebp + addl %eax,%edi + andl %r12d,%ebx + roll $1,%ebp + addl %ebx,%edi + roll $30,%r12d + movl %ebp,44(%rsp) + addl %ecx,%edi + movl 48(%rsp),%edx + movl %r12d,%eax + movl %r12d,%ebx + xorl 56(%rsp),%edx + andl %r13d,%eax + movl %edi,%ecx + xorl 16(%rsp),%edx + xorl %r13d,%ebx + leal -1894007588(%rbp,%rsi,1),%esi + roll $5,%ecx + xorl 36(%rsp),%edx + addl %eax,%esi + andl %r11d,%ebx + roll $1,%edx + addl %ebx,%esi + roll $30,%r11d + movl %edx,48(%rsp) + addl %ecx,%esi + movl 52(%rsp),%ebp + movl %r11d,%eax + movl %esi,%ecx + xorl 60(%rsp),%ebp + xorl %edi,%eax + roll $5,%ecx + leal -899497514(%rdx,%r13,1),%r13d + xorl 20(%rsp),%ebp + xorl %r12d,%eax + addl %ecx,%r13d + xorl 40(%rsp),%ebp + roll $30,%edi + addl %eax,%r13d + roll $1,%ebp + movl %ebp,52(%rsp) + movl 56(%rsp),%edx + movl %edi,%eax + movl %r13d,%ecx + xorl 0(%rsp),%edx + xorl %esi,%eax + roll $5,%ecx + leal -899497514(%rbp,%r12,1),%r12d + xorl 24(%rsp),%edx + xorl %r11d,%eax + addl %ecx,%r12d + xorl 44(%rsp),%edx + roll $30,%esi + addl %eax,%r12d + roll $1,%edx + movl %edx,56(%rsp) + movl 60(%rsp),%ebp + movl %esi,%eax + movl %r12d,%ecx + xorl 4(%rsp),%ebp + xorl %r13d,%eax + roll $5,%ecx + leal -899497514(%rdx,%r11,1),%r11d + xorl 28(%rsp),%ebp + xorl %edi,%eax + addl %ecx,%r11d + xorl 48(%rsp),%ebp + roll $30,%r13d + addl %eax,%r11d + roll $1,%ebp + movl %ebp,60(%rsp) + movl 0(%rsp),%edx + movl %r13d,%eax + movl %r11d,%ecx + xorl 8(%rsp),%edx + xorl %r12d,%eax + roll $5,%ecx + leal -899497514(%rbp,%rdi,1),%edi + xorl 32(%rsp),%edx + xorl 
%esi,%eax + addl %ecx,%edi + xorl 52(%rsp),%edx + roll $30,%r12d + addl %eax,%edi + roll $1,%edx + movl %edx,0(%rsp) + movl 4(%rsp),%ebp + movl %r12d,%eax + movl %edi,%ecx + xorl 12(%rsp),%ebp + xorl %r11d,%eax + roll $5,%ecx + leal -899497514(%rdx,%rsi,1),%esi + xorl 36(%rsp),%ebp + xorl %r13d,%eax + addl %ecx,%esi + xorl 56(%rsp),%ebp + roll $30,%r11d + addl %eax,%esi + roll $1,%ebp + movl %ebp,4(%rsp) + movl 8(%rsp),%edx + movl %r11d,%eax + movl %esi,%ecx + xorl 16(%rsp),%edx + xorl %edi,%eax + roll $5,%ecx + leal -899497514(%rbp,%r13,1),%r13d + xorl 40(%rsp),%edx + xorl %r12d,%eax + addl %ecx,%r13d + xorl 60(%rsp),%edx + roll $30,%edi + addl %eax,%r13d + roll $1,%edx + movl %edx,8(%rsp) + movl 12(%rsp),%ebp + movl %edi,%eax + movl %r13d,%ecx + xorl 20(%rsp),%ebp + xorl %esi,%eax + roll $5,%ecx + leal -899497514(%rdx,%r12,1),%r12d + xorl 44(%rsp),%ebp + xorl %r11d,%eax + addl %ecx,%r12d + xorl 0(%rsp),%ebp + roll $30,%esi + addl %eax,%r12d + roll $1,%ebp + movl %ebp,12(%rsp) + movl 16(%rsp),%edx + movl %esi,%eax + movl %r12d,%ecx + xorl 24(%rsp),%edx + xorl %r13d,%eax + roll $5,%ecx + leal -899497514(%rbp,%r11,1),%r11d + xorl 48(%rsp),%edx + xorl %edi,%eax + addl %ecx,%r11d + xorl 4(%rsp),%edx + roll $30,%r13d + addl %eax,%r11d + roll $1,%edx + movl %edx,16(%rsp) + movl 20(%rsp),%ebp + movl %r13d,%eax + movl %r11d,%ecx + xorl 28(%rsp),%ebp + xorl %r12d,%eax + roll $5,%ecx + leal -899497514(%rdx,%rdi,1),%edi + xorl 52(%rsp),%ebp + xorl %esi,%eax + addl %ecx,%edi + xorl 8(%rsp),%ebp + roll $30,%r12d + addl %eax,%edi + roll $1,%ebp + movl %ebp,20(%rsp) + movl 24(%rsp),%edx + movl %r12d,%eax + movl %edi,%ecx + xorl 32(%rsp),%edx + xorl %r11d,%eax + roll $5,%ecx + leal -899497514(%rbp,%rsi,1),%esi + xorl 56(%rsp),%edx + xorl %r13d,%eax + addl %ecx,%esi + xorl 12(%rsp),%edx + roll $30,%r11d + addl %eax,%esi + roll $1,%edx + movl %edx,24(%rsp) + movl 28(%rsp),%ebp + movl %r11d,%eax + movl %esi,%ecx + xorl 36(%rsp),%ebp + xorl %edi,%eax + roll $5,%ecx + leal 
-899497514(%rdx,%r13,1),%r13d + xorl 60(%rsp),%ebp + xorl %r12d,%eax + addl %ecx,%r13d + xorl 16(%rsp),%ebp + roll $30,%edi + addl %eax,%r13d + roll $1,%ebp + movl %ebp,28(%rsp) + movl 32(%rsp),%edx + movl %edi,%eax + movl %r13d,%ecx + xorl 40(%rsp),%edx + xorl %esi,%eax + roll $5,%ecx + leal -899497514(%rbp,%r12,1),%r12d + xorl 0(%rsp),%edx + xorl %r11d,%eax + addl %ecx,%r12d + xorl 20(%rsp),%edx + roll $30,%esi + addl %eax,%r12d + roll $1,%edx + movl %edx,32(%rsp) + movl 36(%rsp),%ebp + movl %esi,%eax + movl %r12d,%ecx + xorl 44(%rsp),%ebp + xorl %r13d,%eax + roll $5,%ecx + leal -899497514(%rdx,%r11,1),%r11d + xorl 4(%rsp),%ebp + xorl %edi,%eax + addl %ecx,%r11d + xorl 24(%rsp),%ebp + roll $30,%r13d + addl %eax,%r11d + roll $1,%ebp + movl %ebp,36(%rsp) + movl 40(%rsp),%edx + movl %r13d,%eax + movl %r11d,%ecx + xorl 48(%rsp),%edx + xorl %r12d,%eax + roll $5,%ecx + leal -899497514(%rbp,%rdi,1),%edi + xorl 8(%rsp),%edx + xorl %esi,%eax + addl %ecx,%edi + xorl 28(%rsp),%edx + roll $30,%r12d + addl %eax,%edi + roll $1,%edx + movl %edx,40(%rsp) + movl 44(%rsp),%ebp + movl %r12d,%eax + movl %edi,%ecx + xorl 52(%rsp),%ebp + xorl %r11d,%eax + roll $5,%ecx + leal -899497514(%rdx,%rsi,1),%esi + xorl 12(%rsp),%ebp + xorl %r13d,%eax + addl %ecx,%esi + xorl 32(%rsp),%ebp + roll $30,%r11d + addl %eax,%esi + roll $1,%ebp + movl %ebp,44(%rsp) + movl 48(%rsp),%edx + movl %r11d,%eax + movl %esi,%ecx + xorl 56(%rsp),%edx + xorl %edi,%eax + roll $5,%ecx + leal -899497514(%rbp,%r13,1),%r13d + xorl 16(%rsp),%edx + xorl %r12d,%eax + addl %ecx,%r13d + xorl 36(%rsp),%edx + roll $30,%edi + addl %eax,%r13d + roll $1,%edx + movl %edx,48(%rsp) + movl 52(%rsp),%ebp + movl %edi,%eax + movl %r13d,%ecx + xorl 60(%rsp),%ebp + xorl %esi,%eax + roll $5,%ecx + leal -899497514(%rdx,%r12,1),%r12d + xorl 20(%rsp),%ebp + xorl %r11d,%eax + addl %ecx,%r12d + xorl 40(%rsp),%ebp + roll $30,%esi + addl %eax,%r12d + roll $1,%ebp + movl 56(%rsp),%edx + movl %esi,%eax + movl %r12d,%ecx + xorl 0(%rsp),%edx + xorl 
%r13d,%eax + roll $5,%ecx + leal -899497514(%rbp,%r11,1),%r11d + xorl 24(%rsp),%edx + xorl %edi,%eax + addl %ecx,%r11d + xorl 44(%rsp),%edx + roll $30,%r13d + addl %eax,%r11d + roll $1,%edx + movl 60(%rsp),%ebp + movl %r13d,%eax + movl %r11d,%ecx + xorl 4(%rsp),%ebp + xorl %r12d,%eax + roll $5,%ecx + leal -899497514(%rdx,%rdi,1),%edi + xorl 28(%rsp),%ebp + xorl %esi,%eax + addl %ecx,%edi + xorl 48(%rsp),%ebp + roll $30,%r12d + addl %eax,%edi + roll $1,%ebp + movl %r12d,%eax + movl %edi,%ecx + xorl %r11d,%eax + leal -899497514(%rbp,%rsi,1),%esi + roll $5,%ecx + xorl %r13d,%eax + addl %ecx,%esi + roll $30,%r11d + addl %eax,%esi + addl 0(%r8),%esi + addl 4(%r8),%edi + addl 8(%r8),%r11d + addl 12(%r8),%r12d + addl 16(%r8),%r13d + movl %esi,0(%r8) + movl %edi,4(%r8) + movl %r11d,8(%r8) + movl %r12d,12(%r8) + movl %r13d,16(%r8) + + subq $1,%r10 + leaq 64(%r9),%r9 + jnz .Lloop + + movq 64(%rsp),%rsi + movq (%rsi),%r13 + movq 8(%rsi),%r12 + movq 16(%rsi),%rbp + movq 24(%rsi),%rbx + leaq 32(%rsi),%rsp +.Lepilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_sha1_block_data_order: +.def sha1_block_data_order_ssse3; .scl 3; .type 32; .endef +.p2align 4 +sha1_block_data_order_ssse3: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_sha1_block_data_order_ssse3: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + +_ssse3_shortcut: + pushq %rbx + pushq %rbp + pushq %r12 + leaq -144(%rsp),%rsp + movaps %xmm6,64+0(%rsp) + movaps %xmm7,64+16(%rsp) + movaps %xmm8,64+32(%rsp) + movaps %xmm9,64+48(%rsp) + movaps %xmm10,64+64(%rsp) +.Lprologue_ssse3: + movq %rdi,%r8 + movq %rsi,%r9 + movq %rdx,%r10 + + shlq $6,%r10 + addq %r9,%r10 + leaq K_XX_XX(%rip),%r11 + + movl 0(%r8),%eax + movl 4(%r8),%ebx + movl 8(%r8),%ecx + movl 12(%r8),%edx + movl %ebx,%esi + movl 16(%r8),%ebp + + movdqa 64(%r11),%xmm6 + movdqa 0(%r11),%xmm9 + movdqu 0(%r9),%xmm0 + movdqu 16(%r9),%xmm1 + movdqu 32(%r9),%xmm2 + movdqu 48(%r9),%xmm3 +.byte 102,15,56,0,198 + addq $64,%r9 +.byte 
102,15,56,0,206 +.byte 102,15,56,0,214 +.byte 102,15,56,0,222 + paddd %xmm9,%xmm0 + paddd %xmm9,%xmm1 + paddd %xmm9,%xmm2 + movdqa %xmm0,0(%rsp) + psubd %xmm9,%xmm0 + movdqa %xmm1,16(%rsp) + psubd %xmm9,%xmm1 + movdqa %xmm2,32(%rsp) + psubd %xmm9,%xmm2 + jmp .Loop_ssse3 +.p2align 4 +.Loop_ssse3: + movdqa %xmm1,%xmm4 + addl 0(%rsp),%ebp + xorl %edx,%ecx + movdqa %xmm3,%xmm8 +.byte 102,15,58,15,224,8 + movl %eax,%edi + roll $5,%eax + paddd %xmm3,%xmm9 + andl %ecx,%esi + xorl %edx,%ecx + psrldq $4,%xmm8 + xorl %edx,%esi + addl %eax,%ebp + pxor %xmm0,%xmm4 + rorl $2,%ebx + addl %esi,%ebp + pxor %xmm2,%xmm8 + addl 4(%rsp),%edx + xorl %ecx,%ebx + movl %ebp,%esi + roll $5,%ebp + pxor %xmm8,%xmm4 + andl %ebx,%edi + xorl %ecx,%ebx + movdqa %xmm9,48(%rsp) + xorl %ecx,%edi + addl %ebp,%edx + movdqa %xmm4,%xmm10 + movdqa %xmm4,%xmm8 + rorl $7,%eax + addl %edi,%edx + addl 8(%rsp),%ecx + xorl %ebx,%eax + pslldq $12,%xmm10 + paddd %xmm4,%xmm4 + movl %edx,%edi + roll $5,%edx + andl %eax,%esi + xorl %ebx,%eax + psrld $31,%xmm8 + xorl %ebx,%esi + addl %edx,%ecx + movdqa %xmm10,%xmm9 + rorl $7,%ebp + addl %esi,%ecx + psrld $30,%xmm10 + por %xmm8,%xmm4 + addl 12(%rsp),%ebx + xorl %eax,%ebp + movl %ecx,%esi + roll $5,%ecx + pslld $2,%xmm9 + pxor %xmm10,%xmm4 + andl %ebp,%edi + xorl %eax,%ebp + movdqa 0(%r11),%xmm10 + xorl %eax,%edi + addl %ecx,%ebx + pxor %xmm9,%xmm4 + rorl $7,%edx + addl %edi,%ebx + movdqa %xmm2,%xmm5 + addl 16(%rsp),%eax + xorl %ebp,%edx + movdqa %xmm4,%xmm9 +.byte 102,15,58,15,233,8 + movl %ebx,%edi + roll $5,%ebx + paddd %xmm4,%xmm10 + andl %edx,%esi + xorl %ebp,%edx + psrldq $4,%xmm9 + xorl %ebp,%esi + addl %ebx,%eax + pxor %xmm1,%xmm5 + rorl $7,%ecx + addl %esi,%eax + pxor %xmm3,%xmm9 + addl 20(%rsp),%ebp + xorl %edx,%ecx + movl %eax,%esi + roll $5,%eax + pxor %xmm9,%xmm5 + andl %ecx,%edi + xorl %edx,%ecx + movdqa %xmm10,0(%rsp) + xorl %edx,%edi + addl %eax,%ebp + movdqa %xmm5,%xmm8 + movdqa %xmm5,%xmm9 + rorl $7,%ebx + addl %edi,%ebp + addl 24(%rsp),%edx + xorl 
%ecx,%ebx + pslldq $12,%xmm8 + paddd %xmm5,%xmm5 + movl %ebp,%edi + roll $5,%ebp + andl %ebx,%esi + xorl %ecx,%ebx + psrld $31,%xmm9 + xorl %ecx,%esi + addl %ebp,%edx + movdqa %xmm8,%xmm10 + rorl $7,%eax + addl %esi,%edx + psrld $30,%xmm8 + por %xmm9,%xmm5 + addl 28(%rsp),%ecx + xorl %ebx,%eax + movl %edx,%esi + roll $5,%edx + pslld $2,%xmm10 + pxor %xmm8,%xmm5 + andl %eax,%edi + xorl %ebx,%eax + movdqa 16(%r11),%xmm8 + xorl %ebx,%edi + addl %edx,%ecx + pxor %xmm10,%xmm5 + rorl $7,%ebp + addl %edi,%ecx + movdqa %xmm3,%xmm6 + addl 32(%rsp),%ebx + xorl %eax,%ebp + movdqa %xmm5,%xmm10 +.byte 102,15,58,15,242,8 + movl %ecx,%edi + roll $5,%ecx + paddd %xmm5,%xmm8 + andl %ebp,%esi + xorl %eax,%ebp + psrldq $4,%xmm10 + xorl %eax,%esi + addl %ecx,%ebx + pxor %xmm2,%xmm6 + rorl $7,%edx + addl %esi,%ebx + pxor %xmm4,%xmm10 + addl 36(%rsp),%eax + xorl %ebp,%edx + movl %ebx,%esi + roll $5,%ebx + pxor %xmm10,%xmm6 + andl %edx,%edi + xorl %ebp,%edx + movdqa %xmm8,16(%rsp) + xorl %ebp,%edi + addl %ebx,%eax + movdqa %xmm6,%xmm9 + movdqa %xmm6,%xmm10 + rorl $7,%ecx + addl %edi,%eax + addl 40(%rsp),%ebp + xorl %edx,%ecx + pslldq $12,%xmm9 + paddd %xmm6,%xmm6 + movl %eax,%edi + roll $5,%eax + andl %ecx,%esi + xorl %edx,%ecx + psrld $31,%xmm10 + xorl %edx,%esi + addl %eax,%ebp + movdqa %xmm9,%xmm8 + rorl $7,%ebx + addl %esi,%ebp + psrld $30,%xmm9 + por %xmm10,%xmm6 + addl 44(%rsp),%edx + xorl %ecx,%ebx + movl %ebp,%esi + roll $5,%ebp + pslld $2,%xmm8 + pxor %xmm9,%xmm6 + andl %ebx,%edi + xorl %ecx,%ebx + movdqa 16(%r11),%xmm9 + xorl %ecx,%edi + addl %ebp,%edx + pxor %xmm8,%xmm6 + rorl $7,%eax + addl %edi,%edx + movdqa %xmm4,%xmm7 + addl 48(%rsp),%ecx + xorl %ebx,%eax + movdqa %xmm6,%xmm8 +.byte 102,15,58,15,251,8 + movl %edx,%edi + roll $5,%edx + paddd %xmm6,%xmm9 + andl %eax,%esi + xorl %ebx,%eax + psrldq $4,%xmm8 + xorl %ebx,%esi + addl %edx,%ecx + pxor %xmm3,%xmm7 + rorl $7,%ebp + addl %esi,%ecx + pxor %xmm5,%xmm8 + addl 52(%rsp),%ebx + xorl %eax,%ebp + movl %ecx,%esi + roll 
$5,%ecx + pxor %xmm8,%xmm7 + andl %ebp,%edi + xorl %eax,%ebp + movdqa %xmm9,32(%rsp) + xorl %eax,%edi + addl %ecx,%ebx + movdqa %xmm7,%xmm10 + movdqa %xmm7,%xmm8 + rorl $7,%edx + addl %edi,%ebx + addl 56(%rsp),%eax + xorl %ebp,%edx + pslldq $12,%xmm10 + paddd %xmm7,%xmm7 + movl %ebx,%edi + roll $5,%ebx + andl %edx,%esi + xorl %ebp,%edx + psrld $31,%xmm8 + xorl %ebp,%esi + addl %ebx,%eax + movdqa %xmm10,%xmm9 + rorl $7,%ecx + addl %esi,%eax + psrld $30,%xmm10 + por %xmm8,%xmm7 + addl 60(%rsp),%ebp + xorl %edx,%ecx + movl %eax,%esi + roll $5,%eax + pslld $2,%xmm9 + pxor %xmm10,%xmm7 + andl %ecx,%edi + xorl %edx,%ecx + movdqa 16(%r11),%xmm10 + xorl %edx,%edi + addl %eax,%ebp + pxor %xmm9,%xmm7 + rorl $7,%ebx + addl %edi,%ebp + movdqa %xmm7,%xmm9 + addl 0(%rsp),%edx + pxor %xmm4,%xmm0 +.byte 102,68,15,58,15,206,8 + xorl %ecx,%ebx + movl %ebp,%edi + roll $5,%ebp + pxor %xmm1,%xmm0 + andl %ebx,%esi + xorl %ecx,%ebx + movdqa %xmm10,%xmm8 + paddd %xmm7,%xmm10 + xorl %ecx,%esi + addl %ebp,%edx + pxor %xmm9,%xmm0 + rorl $7,%eax + addl %esi,%edx + addl 4(%rsp),%ecx + xorl %ebx,%eax + movdqa %xmm0,%xmm9 + movdqa %xmm10,48(%rsp) + movl %edx,%esi + roll $5,%edx + andl %eax,%edi + xorl %ebx,%eax + pslld $2,%xmm0 + xorl %ebx,%edi + addl %edx,%ecx + psrld $30,%xmm9 + rorl $7,%ebp + addl %edi,%ecx + addl 8(%rsp),%ebx + xorl %eax,%ebp + movl %ecx,%edi + roll $5,%ecx + por %xmm9,%xmm0 + andl %ebp,%esi + xorl %eax,%ebp + movdqa %xmm0,%xmm10 + xorl %eax,%esi + addl %ecx,%ebx + rorl $7,%edx + addl %esi,%ebx + addl 12(%rsp),%eax + xorl %ebp,%edx + movl %ebx,%esi + roll $5,%ebx + andl %edx,%edi + xorl %ebp,%edx + xorl %ebp,%edi + addl %ebx,%eax + rorl $7,%ecx + addl %edi,%eax + addl 16(%rsp),%ebp + pxor %xmm5,%xmm1 +.byte 102,68,15,58,15,215,8 + xorl %edx,%esi + movl %eax,%edi + roll $5,%eax + pxor %xmm2,%xmm1 + xorl %ecx,%esi + addl %eax,%ebp + movdqa %xmm8,%xmm9 + paddd %xmm0,%xmm8 + rorl $7,%ebx + addl %esi,%ebp + pxor %xmm10,%xmm1 + addl 20(%rsp),%edx + xorl %ecx,%edi + movl %ebp,%esi 
+ roll $5,%ebp + movdqa %xmm1,%xmm10 + movdqa %xmm8,0(%rsp) + xorl %ebx,%edi + addl %ebp,%edx + rorl $7,%eax + addl %edi,%edx + pslld $2,%xmm1 + addl 24(%rsp),%ecx + xorl %ebx,%esi + psrld $30,%xmm10 + movl %edx,%edi + roll $5,%edx + xorl %eax,%esi + addl %edx,%ecx + rorl $7,%ebp + addl %esi,%ecx + por %xmm10,%xmm1 + addl 28(%rsp),%ebx + xorl %eax,%edi + movdqa %xmm1,%xmm8 + movl %ecx,%esi + roll $5,%ecx + xorl %ebp,%edi + addl %ecx,%ebx + rorl $7,%edx + addl %edi,%ebx + addl 32(%rsp),%eax + pxor %xmm6,%xmm2 +.byte 102,68,15,58,15,192,8 + xorl %ebp,%esi + movl %ebx,%edi + roll $5,%ebx + pxor %xmm3,%xmm2 + xorl %edx,%esi + addl %ebx,%eax + movdqa 32(%r11),%xmm10 + paddd %xmm1,%xmm9 + rorl $7,%ecx + addl %esi,%eax + pxor %xmm8,%xmm2 + addl 36(%rsp),%ebp + xorl %edx,%edi + movl %eax,%esi + roll $5,%eax + movdqa %xmm2,%xmm8 + movdqa %xmm9,16(%rsp) + xorl %ecx,%edi + addl %eax,%ebp + rorl $7,%ebx + addl %edi,%ebp + pslld $2,%xmm2 + addl 40(%rsp),%edx + xorl %ecx,%esi + psrld $30,%xmm8 + movl %ebp,%edi + roll $5,%ebp + xorl %ebx,%esi + addl %ebp,%edx + rorl $7,%eax + addl %esi,%edx + por %xmm8,%xmm2 + addl 44(%rsp),%ecx + xorl %ebx,%edi + movdqa %xmm2,%xmm9 + movl %edx,%esi + roll $5,%edx + xorl %eax,%edi + addl %edx,%ecx + rorl $7,%ebp + addl %edi,%ecx + addl 48(%rsp),%ebx + pxor %xmm7,%xmm3 +.byte 102,68,15,58,15,201,8 + xorl %eax,%esi + movl %ecx,%edi + roll $5,%ecx + pxor %xmm4,%xmm3 + xorl %ebp,%esi + addl %ecx,%ebx + movdqa %xmm10,%xmm8 + paddd %xmm2,%xmm10 + rorl $7,%edx + addl %esi,%ebx + pxor %xmm9,%xmm3 + addl 52(%rsp),%eax + xorl %ebp,%edi + movl %ebx,%esi + roll $5,%ebx + movdqa %xmm3,%xmm9 + movdqa %xmm10,32(%rsp) + xorl %edx,%edi + addl %ebx,%eax + rorl $7,%ecx + addl %edi,%eax + pslld $2,%xmm3 + addl 56(%rsp),%ebp + xorl %edx,%esi + psrld $30,%xmm9 + movl %eax,%edi + roll $5,%eax + xorl %ecx,%esi + addl %eax,%ebp + rorl $7,%ebx + addl %esi,%ebp + por %xmm9,%xmm3 + addl 60(%rsp),%edx + xorl %ecx,%edi + movdqa %xmm3,%xmm10 + movl %ebp,%esi + roll $5,%ebp + 
xorl %ebx,%edi + addl %ebp,%edx + rorl $7,%eax + addl %edi,%edx + addl 0(%rsp),%ecx + pxor %xmm0,%xmm4 +.byte 102,68,15,58,15,210,8 + xorl %ebx,%esi + movl %edx,%edi + roll $5,%edx + pxor %xmm5,%xmm4 + xorl %eax,%esi + addl %edx,%ecx + movdqa %xmm8,%xmm9 + paddd %xmm3,%xmm8 + rorl $7,%ebp + addl %esi,%ecx + pxor %xmm10,%xmm4 + addl 4(%rsp),%ebx + xorl %eax,%edi + movl %ecx,%esi + roll $5,%ecx + movdqa %xmm4,%xmm10 + movdqa %xmm8,48(%rsp) + xorl %ebp,%edi + addl %ecx,%ebx + rorl $7,%edx + addl %edi,%ebx + pslld $2,%xmm4 + addl 8(%rsp),%eax + xorl %ebp,%esi + psrld $30,%xmm10 + movl %ebx,%edi + roll $5,%ebx + xorl %edx,%esi + addl %ebx,%eax + rorl $7,%ecx + addl %esi,%eax + por %xmm10,%xmm4 + addl 12(%rsp),%ebp + xorl %edx,%edi + movdqa %xmm4,%xmm8 + movl %eax,%esi + roll $5,%eax + xorl %ecx,%edi + addl %eax,%ebp + rorl $7,%ebx + addl %edi,%ebp + addl 16(%rsp),%edx + pxor %xmm1,%xmm5 +.byte 102,68,15,58,15,195,8 + xorl %ecx,%esi + movl %ebp,%edi + roll $5,%ebp + pxor %xmm6,%xmm5 + xorl %ebx,%esi + addl %ebp,%edx + movdqa %xmm9,%xmm10 + paddd %xmm4,%xmm9 + rorl $7,%eax + addl %esi,%edx + pxor %xmm8,%xmm5 + addl 20(%rsp),%ecx + xorl %ebx,%edi + movl %edx,%esi + roll $5,%edx + movdqa %xmm5,%xmm8 + movdqa %xmm9,0(%rsp) + xorl %eax,%edi + addl %edx,%ecx + rorl $7,%ebp + addl %edi,%ecx + pslld $2,%xmm5 + addl 24(%rsp),%ebx + xorl %eax,%esi + psrld $30,%xmm8 + movl %ecx,%edi + roll $5,%ecx + xorl %ebp,%esi + addl %ecx,%ebx + rorl $7,%edx + addl %esi,%ebx + por %xmm8,%xmm5 + addl 28(%rsp),%eax + xorl %ebp,%edi + movdqa %xmm5,%xmm9 + movl %ebx,%esi + roll $5,%ebx + xorl %edx,%edi + addl %ebx,%eax + rorl $7,%ecx + addl %edi,%eax + movl %ecx,%edi + pxor %xmm2,%xmm6 +.byte 102,68,15,58,15,204,8 + xorl %edx,%ecx + addl 32(%rsp),%ebp + andl %edx,%edi + pxor %xmm7,%xmm6 + andl %ecx,%esi + rorl $7,%ebx + movdqa %xmm10,%xmm8 + paddd %xmm5,%xmm10 + addl %edi,%ebp + movl %eax,%edi + pxor %xmm9,%xmm6 + roll $5,%eax + addl %esi,%ebp + xorl %edx,%ecx + addl %eax,%ebp + movdqa %xmm6,%xmm9 
+ movdqa %xmm10,16(%rsp) + movl %ebx,%esi + xorl %ecx,%ebx + addl 36(%rsp),%edx + andl %ecx,%esi + pslld $2,%xmm6 + andl %ebx,%edi + rorl $7,%eax + psrld $30,%xmm9 + addl %esi,%edx + movl %ebp,%esi + roll $5,%ebp + addl %edi,%edx + xorl %ecx,%ebx + addl %ebp,%edx + por %xmm9,%xmm6 + movl %eax,%edi + xorl %ebx,%eax + movdqa %xmm6,%xmm10 + addl 40(%rsp),%ecx + andl %ebx,%edi + andl %eax,%esi + rorl $7,%ebp + addl %edi,%ecx + movl %edx,%edi + roll $5,%edx + addl %esi,%ecx + xorl %ebx,%eax + addl %edx,%ecx + movl %ebp,%esi + xorl %eax,%ebp + addl 44(%rsp),%ebx + andl %eax,%esi + andl %ebp,%edi + rorl $7,%edx + addl %esi,%ebx + movl %ecx,%esi + roll $5,%ecx + addl %edi,%ebx + xorl %eax,%ebp + addl %ecx,%ebx + movl %edx,%edi + pxor %xmm3,%xmm7 +.byte 102,68,15,58,15,213,8 + xorl %ebp,%edx + addl 48(%rsp),%eax + andl %ebp,%edi + pxor %xmm0,%xmm7 + andl %edx,%esi + rorl $7,%ecx + movdqa 48(%r11),%xmm9 + paddd %xmm6,%xmm8 + addl %edi,%eax + movl %ebx,%edi + pxor %xmm10,%xmm7 + roll $5,%ebx + addl %esi,%eax + xorl %ebp,%edx + addl %ebx,%eax + movdqa %xmm7,%xmm10 + movdqa %xmm8,32(%rsp) + movl %ecx,%esi + xorl %edx,%ecx + addl 52(%rsp),%ebp + andl %edx,%esi + pslld $2,%xmm7 + andl %ecx,%edi + rorl $7,%ebx + psrld $30,%xmm10 + addl %esi,%ebp + movl %eax,%esi + roll $5,%eax + addl %edi,%ebp + xorl %edx,%ecx + addl %eax,%ebp + por %xmm10,%xmm7 + movl %ebx,%edi + xorl %ecx,%ebx + movdqa %xmm7,%xmm8 + addl 56(%rsp),%edx + andl %ecx,%edi + andl %ebx,%esi + rorl $7,%eax + addl %edi,%edx + movl %ebp,%edi + roll $5,%ebp + addl %esi,%edx + xorl %ecx,%ebx + addl %ebp,%edx + movl %eax,%esi + xorl %ebx,%eax + addl 60(%rsp),%ecx + andl %ebx,%esi + andl %eax,%edi + rorl $7,%ebp + addl %esi,%ecx + movl %edx,%esi + roll $5,%edx + addl %edi,%ecx + xorl %ebx,%eax + addl %edx,%ecx + movl %ebp,%edi + pxor %xmm4,%xmm0 +.byte 102,68,15,58,15,198,8 + xorl %eax,%ebp + addl 0(%rsp),%ebx + andl %eax,%edi + pxor %xmm1,%xmm0 + andl %ebp,%esi + rorl $7,%edx + movdqa %xmm9,%xmm10 + paddd %xmm7,%xmm9 + addl 
%edi,%ebx + movl %ecx,%edi + pxor %xmm8,%xmm0 + roll $5,%ecx + addl %esi,%ebx + xorl %eax,%ebp + addl %ecx,%ebx + movdqa %xmm0,%xmm8 + movdqa %xmm9,48(%rsp) + movl %edx,%esi + xorl %ebp,%edx + addl 4(%rsp),%eax + andl %ebp,%esi + pslld $2,%xmm0 + andl %edx,%edi + rorl $7,%ecx + psrld $30,%xmm8 + addl %esi,%eax + movl %ebx,%esi + roll $5,%ebx + addl %edi,%eax + xorl %ebp,%edx + addl %ebx,%eax + por %xmm8,%xmm0 + movl %ecx,%edi + xorl %edx,%ecx + movdqa %xmm0,%xmm9 + addl 8(%rsp),%ebp + andl %edx,%edi + andl %ecx,%esi + rorl $7,%ebx + addl %edi,%ebp + movl %eax,%edi + roll $5,%eax + addl %esi,%ebp + xorl %edx,%ecx + addl %eax,%ebp + movl %ebx,%esi + xorl %ecx,%ebx + addl 12(%rsp),%edx + andl %ecx,%esi + andl %ebx,%edi + rorl $7,%eax + addl %esi,%edx + movl %ebp,%esi + roll $5,%ebp + addl %edi,%edx + xorl %ecx,%ebx + addl %ebp,%edx + movl %eax,%edi + pxor %xmm5,%xmm1 +.byte 102,68,15,58,15,207,8 + xorl %ebx,%eax + addl 16(%rsp),%ecx + andl %ebx,%edi + pxor %xmm2,%xmm1 + andl %eax,%esi + rorl $7,%ebp + movdqa %xmm10,%xmm8 + paddd %xmm0,%xmm10 + addl %edi,%ecx + movl %edx,%edi + pxor %xmm9,%xmm1 + roll $5,%edx + addl %esi,%ecx + xorl %ebx,%eax + addl %edx,%ecx + movdqa %xmm1,%xmm9 + movdqa %xmm10,0(%rsp) + movl %ebp,%esi + xorl %eax,%ebp + addl 20(%rsp),%ebx + andl %eax,%esi + pslld $2,%xmm1 + andl %ebp,%edi + rorl $7,%edx + psrld $30,%xmm9 + addl %esi,%ebx + movl %ecx,%esi + roll $5,%ecx + addl %edi,%ebx + xorl %eax,%ebp + addl %ecx,%ebx + por %xmm9,%xmm1 + movl %edx,%edi + xorl %ebp,%edx + movdqa %xmm1,%xmm10 + addl 24(%rsp),%eax + andl %ebp,%edi + andl %edx,%esi + rorl $7,%ecx + addl %edi,%eax + movl %ebx,%edi + roll $5,%ebx + addl %esi,%eax + xorl %ebp,%edx + addl %ebx,%eax + movl %ecx,%esi + xorl %edx,%ecx + addl 28(%rsp),%ebp + andl %edx,%esi + andl %ecx,%edi + rorl $7,%ebx + addl %esi,%ebp + movl %eax,%esi + roll $5,%eax + addl %edi,%ebp + xorl %edx,%ecx + addl %eax,%ebp + movl %ebx,%edi + pxor %xmm6,%xmm2 +.byte 102,68,15,58,15,208,8 + xorl %ecx,%ebx + addl 
32(%rsp),%edx + andl %ecx,%edi + pxor %xmm3,%xmm2 + andl %ebx,%esi + rorl $7,%eax + movdqa %xmm8,%xmm9 + paddd %xmm1,%xmm8 + addl %edi,%edx + movl %ebp,%edi + pxor %xmm10,%xmm2 + roll $5,%ebp + addl %esi,%edx + xorl %ecx,%ebx + addl %ebp,%edx + movdqa %xmm2,%xmm10 + movdqa %xmm8,16(%rsp) + movl %eax,%esi + xorl %ebx,%eax + addl 36(%rsp),%ecx + andl %ebx,%esi + pslld $2,%xmm2 + andl %eax,%edi + rorl $7,%ebp + psrld $30,%xmm10 + addl %esi,%ecx + movl %edx,%esi + roll $5,%edx + addl %edi,%ecx + xorl %ebx,%eax + addl %edx,%ecx + por %xmm10,%xmm2 + movl %ebp,%edi + xorl %eax,%ebp + movdqa %xmm2,%xmm8 + addl 40(%rsp),%ebx + andl %eax,%edi + andl %ebp,%esi + rorl $7,%edx + addl %edi,%ebx + movl %ecx,%edi + roll $5,%ecx + addl %esi,%ebx + xorl %eax,%ebp + addl %ecx,%ebx + movl %edx,%esi + xorl %ebp,%edx + addl 44(%rsp),%eax + andl %ebp,%esi + andl %edx,%edi + rorl $7,%ecx + addl %esi,%eax + movl %ebx,%esi + roll $5,%ebx + addl %edi,%eax + xorl %ebp,%edx + addl %ebx,%eax + addl 48(%rsp),%ebp + pxor %xmm7,%xmm3 +.byte 102,68,15,58,15,193,8 + xorl %edx,%esi + movl %eax,%edi + roll $5,%eax + pxor %xmm4,%xmm3 + xorl %ecx,%esi + addl %eax,%ebp + movdqa %xmm9,%xmm10 + paddd %xmm2,%xmm9 + rorl $7,%ebx + addl %esi,%ebp + pxor %xmm8,%xmm3 + addl 52(%rsp),%edx + xorl %ecx,%edi + movl %ebp,%esi + roll $5,%ebp + movdqa %xmm3,%xmm8 + movdqa %xmm9,32(%rsp) + xorl %ebx,%edi + addl %ebp,%edx + rorl $7,%eax + addl %edi,%edx + pslld $2,%xmm3 + addl 56(%rsp),%ecx + xorl %ebx,%esi + psrld $30,%xmm8 + movl %edx,%edi + roll $5,%edx + xorl %eax,%esi + addl %edx,%ecx + rorl $7,%ebp + addl %esi,%ecx + por %xmm8,%xmm3 + addl 60(%rsp),%ebx + xorl %eax,%edi + movl %ecx,%esi + roll $5,%ecx + xorl %ebp,%edi + addl %ecx,%ebx + rorl $7,%edx + addl %edi,%ebx + addl 0(%rsp),%eax + paddd %xmm3,%xmm10 + xorl %ebp,%esi + movl %ebx,%edi + roll $5,%ebx + xorl %edx,%esi + movdqa %xmm10,48(%rsp) + addl %ebx,%eax + rorl $7,%ecx + addl %esi,%eax + addl 4(%rsp),%ebp + xorl %edx,%edi + movl %eax,%esi + roll $5,%eax + 
xorl %ecx,%edi + addl %eax,%ebp + rorl $7,%ebx + addl %edi,%ebp + addl 8(%rsp),%edx + xorl %ecx,%esi + movl %ebp,%edi + roll $5,%ebp + xorl %ebx,%esi + addl %ebp,%edx + rorl $7,%eax + addl %esi,%edx + addl 12(%rsp),%ecx + xorl %ebx,%edi + movl %edx,%esi + roll $5,%edx + xorl %eax,%edi + addl %edx,%ecx + rorl $7,%ebp + addl %edi,%ecx + cmpq %r10,%r9 + je .Ldone_ssse3 + movdqa 64(%r11),%xmm6 + movdqa 0(%r11),%xmm9 + movdqu 0(%r9),%xmm0 + movdqu 16(%r9),%xmm1 + movdqu 32(%r9),%xmm2 + movdqu 48(%r9),%xmm3 +.byte 102,15,56,0,198 + addq $64,%r9 + addl 16(%rsp),%ebx + xorl %eax,%esi +.byte 102,15,56,0,206 + movl %ecx,%edi + roll $5,%ecx + paddd %xmm9,%xmm0 + xorl %ebp,%esi + addl %ecx,%ebx + rorl $7,%edx + addl %esi,%ebx + movdqa %xmm0,0(%rsp) + addl 20(%rsp),%eax + xorl %ebp,%edi + psubd %xmm9,%xmm0 + movl %ebx,%esi + roll $5,%ebx + xorl %edx,%edi + addl %ebx,%eax + rorl $7,%ecx + addl %edi,%eax + addl 24(%rsp),%ebp + xorl %edx,%esi + movl %eax,%edi + roll $5,%eax + xorl %ecx,%esi + addl %eax,%ebp + rorl $7,%ebx + addl %esi,%ebp + addl 28(%rsp),%edx + xorl %ecx,%edi + movl %ebp,%esi + roll $5,%ebp + xorl %ebx,%edi + addl %ebp,%edx + rorl $7,%eax + addl %edi,%edx + addl 32(%rsp),%ecx + xorl %ebx,%esi +.byte 102,15,56,0,214 + movl %edx,%edi + roll $5,%edx + paddd %xmm9,%xmm1 + xorl %eax,%esi + addl %edx,%ecx + rorl $7,%ebp + addl %esi,%ecx + movdqa %xmm1,16(%rsp) + addl 36(%rsp),%ebx + xorl %eax,%edi + psubd %xmm9,%xmm1 + movl %ecx,%esi + roll $5,%ecx + xorl %ebp,%edi + addl %ecx,%ebx + rorl $7,%edx + addl %edi,%ebx + addl 40(%rsp),%eax + xorl %ebp,%esi + movl %ebx,%edi + roll $5,%ebx + xorl %edx,%esi + addl %ebx,%eax + rorl $7,%ecx + addl %esi,%eax + addl 44(%rsp),%ebp + xorl %edx,%edi + movl %eax,%esi + roll $5,%eax + xorl %ecx,%edi + addl %eax,%ebp + rorl $7,%ebx + addl %edi,%ebp + addl 48(%rsp),%edx + xorl %ecx,%esi +.byte 102,15,56,0,222 + movl %ebp,%edi + roll $5,%ebp + paddd %xmm9,%xmm2 + xorl %ebx,%esi + addl %ebp,%edx + rorl $7,%eax + addl %esi,%edx + movdqa 
%xmm2,32(%rsp) + addl 52(%rsp),%ecx + xorl %ebx,%edi + psubd %xmm9,%xmm2 + movl %edx,%esi + roll $5,%edx + xorl %eax,%edi + addl %edx,%ecx + rorl $7,%ebp + addl %edi,%ecx + addl 56(%rsp),%ebx + xorl %eax,%esi + movl %ecx,%edi + roll $5,%ecx + xorl %ebp,%esi + addl %ecx,%ebx + rorl $7,%edx + addl %esi,%ebx + addl 60(%rsp),%eax + xorl %ebp,%edi + movl %ebx,%esi + roll $5,%ebx + xorl %edx,%edi + addl %ebx,%eax + rorl $7,%ecx + addl %edi,%eax + addl 0(%r8),%eax + addl 4(%r8),%esi + addl 8(%r8),%ecx + addl 12(%r8),%edx + movl %eax,0(%r8) + addl 16(%r8),%ebp + movl %esi,4(%r8) + movl %esi,%ebx + movl %ecx,8(%r8) + movl %edx,12(%r8) + movl %ebp,16(%r8) + jmp .Loop_ssse3 + +.p2align 4 +.Ldone_ssse3: + addl 16(%rsp),%ebx + xorl %eax,%esi + movl %ecx,%edi + roll $5,%ecx + xorl %ebp,%esi + addl %ecx,%ebx + rorl $7,%edx + addl %esi,%ebx + addl 20(%rsp),%eax + xorl %ebp,%edi + movl %ebx,%esi + roll $5,%ebx + xorl %edx,%edi + addl %ebx,%eax + rorl $7,%ecx + addl %edi,%eax + addl 24(%rsp),%ebp + xorl %edx,%esi + movl %eax,%edi + roll $5,%eax + xorl %ecx,%esi + addl %eax,%ebp + rorl $7,%ebx + addl %esi,%ebp + addl 28(%rsp),%edx + xorl %ecx,%edi + movl %ebp,%esi + roll $5,%ebp + xorl %ebx,%edi + addl %ebp,%edx + rorl $7,%eax + addl %edi,%edx + addl 32(%rsp),%ecx + xorl %ebx,%esi + movl %edx,%edi + roll $5,%edx + xorl %eax,%esi + addl %edx,%ecx + rorl $7,%ebp + addl %esi,%ecx + addl 36(%rsp),%ebx + xorl %eax,%edi + movl %ecx,%esi + roll $5,%ecx + xorl %ebp,%edi + addl %ecx,%ebx + rorl $7,%edx + addl %edi,%ebx + addl 40(%rsp),%eax + xorl %ebp,%esi + movl %ebx,%edi + roll $5,%ebx + xorl %edx,%esi + addl %ebx,%eax + rorl $7,%ecx + addl %esi,%eax + addl 44(%rsp),%ebp + xorl %edx,%edi + movl %eax,%esi + roll $5,%eax + xorl %ecx,%edi + addl %eax,%ebp + rorl $7,%ebx + addl %edi,%ebp + addl 48(%rsp),%edx + xorl %ecx,%esi + movl %ebp,%edi + roll $5,%ebp + xorl %ebx,%esi + addl %ebp,%edx + rorl $7,%eax + addl %esi,%edx + addl 52(%rsp),%ecx + xorl %ebx,%edi + movl %edx,%esi + roll $5,%edx + 
xorl %eax,%edi + addl %edx,%ecx + rorl $7,%ebp + addl %edi,%ecx + addl 56(%rsp),%ebx + xorl %eax,%esi + movl %ecx,%edi + roll $5,%ecx + xorl %ebp,%esi + addl %ecx,%ebx + rorl $7,%edx + addl %esi,%ebx + addl 60(%rsp),%eax + xorl %ebp,%edi + movl %ebx,%esi + roll $5,%ebx + xorl %edx,%edi + addl %ebx,%eax + rorl $7,%ecx + addl %edi,%eax + addl 0(%r8),%eax + addl 4(%r8),%esi + addl 8(%r8),%ecx + movl %eax,0(%r8) + addl 12(%r8),%edx + movl %esi,4(%r8) + addl 16(%r8),%ebp + movl %ecx,8(%r8) + movl %edx,12(%r8) + movl %ebp,16(%r8) + movaps 64+0(%rsp),%xmm6 + movaps 64+16(%rsp),%xmm7 + movaps 64+32(%rsp),%xmm8 + movaps 64+48(%rsp),%xmm9 + movaps 64+64(%rsp),%xmm10 + leaq 144(%rsp),%rsi + movq 0(%rsi),%r12 + movq 8(%rsi),%rbp + movq 16(%rsi),%rbx + leaq 24(%rsi),%rsp +.Lepilogue_ssse3: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_sha1_block_data_order_ssse3: +.p2align 6 +K_XX_XX: +.long 0x5a827999,0x5a827999,0x5a827999,0x5a827999 +.long 0x6ed9eba1,0x6ed9eba1,0x6ed9eba1,0x6ed9eba1 +.long 0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc,0x8f1bbcdc +.long 0xca62c1d6,0xca62c1d6,0xca62c1d6,0xca62c1d6 +.long 0x00010203,0x04050607,0x08090a0b,0x0c0d0e0f +.byte 83,72,65,49,32,98,108,111,99,107,32,116,114,97,110,115,102,111,114,109,32,102,111,114,32,120,56,54,95,54,52,44,32,67,82,89,80,84,79,71,65,77,83,32,98,121,32,60,97,112,112,114,111,64,111,112,101,110,115,115,108,46,111,114,103,62,0 +.p2align 6 + +.def se_handler; .scl 3; .type 32; .endef +.p2align 4 +se_handler: + pushq %rsi + pushq %rdi + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushfq + subq $64,%rsp + + movq 120(%r8),%rax + movq 248(%r8),%rbx + + leaq .Lprologue(%rip),%r10 + cmpq %r10,%rbx + jb .Lcommon_seh_tail + + movq 152(%r8),%rax + + leaq .Lepilogue(%rip),%r10 + cmpq %r10,%rbx + jae .Lcommon_seh_tail + + movq 64(%rax),%rax + leaq 32(%rax),%rax + + movq -8(%rax),%rbx + movq -16(%rax),%rbp + movq -24(%rax),%r12 + movq -32(%rax),%r13 + movq %rbx,144(%r8) + movq %rbp,160(%r8) + movq 
%r12,216(%r8) + movq %r13,224(%r8) + + jmp .Lcommon_seh_tail + + +.def ssse3_handler; .scl 3; .type 32; .endef +.p2align 4 +ssse3_handler: + pushq %rsi + pushq %rdi + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + pushfq + subq $64,%rsp + + movq 120(%r8),%rax + movq 248(%r8),%rbx + + movq 8(%r9),%rsi + movq 56(%r9),%r11 + + movl 0(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jb .Lcommon_seh_tail + + movq 152(%r8),%rax + + movl 4(%r11),%r10d + leaq (%rsi,%r10,1),%r10 + cmpq %r10,%rbx + jae .Lcommon_seh_tail + + leaq 64(%rax),%rsi + leaq 512(%r8),%rdi + movl $10,%ecx +.long 0xa548f3fc + leaq 168(%rax),%rax + + movq -8(%rax),%rbx + movq -16(%rax),%rbp + movq -24(%rax),%r12 + movq %rbx,144(%r8) + movq %rbp,160(%r8) + movq %r12,216(%r8) + +.Lcommon_seh_tail: + movq 8(%rax),%rdi + movq 16(%rax),%rsi + movq %rax,152(%r8) + movq %rsi,168(%r8) + movq %rdi,176(%r8) + + movq 40(%r9),%rdi + movq %r8,%rsi + movl $154,%ecx +.long 0xa548f3fc + + movq %r9,%rsi + xorq %rcx,%rcx + movq 8(%rsi),%rdx + movq 0(%rsi),%r8 + movq 16(%rsi),%r9 + movq 40(%rsi),%r10 + leaq 56(%rsi),%r11 + leaq 24(%rsi),%r12 + movq %r10,32(%rsp) + movq %r11,40(%rsp) + movq %r12,48(%rsp) + movq %rcx,56(%rsp) + call *__imp_RtlVirtualUnwind(%rip) + + movl $1,%eax + addq $64,%rsp + popfq + popq %r15 + popq %r14 + popq %r13 + popq %r12 + popq %rbp + popq %rbx + popq %rdi + popq %rsi + retq + + +.section .pdata +.p2align 2 +.rva .LSEH_begin_sha1_block_data_order +.rva .LSEH_end_sha1_block_data_order +.rva .LSEH_info_sha1_block_data_order +.rva .LSEH_begin_sha1_block_data_order_ssse3 +.rva .LSEH_end_sha1_block_data_order_ssse3 +.rva .LSEH_info_sha1_block_data_order_ssse3 +.section .xdata +.p2align 3 +.LSEH_info_sha1_block_data_order: +.byte 9,0,0,0 +.rva se_handler +.LSEH_info_sha1_block_data_order_ssse3: +.byte 9,0,0,0 +.rva ssse3_handler +.rva .Lprologue_ssse3,.Lepilogue_ssse3 
diff --git a/crypto/sha/sha256-elf-armv4.S b/crypto/sha/sha256-elf-armv4.S
new file mode 100644
index 0000000..9b155c7
--- /dev/null
+++ b/crypto/sha/sha256-elf-armv4.S
@@ -0,0 +1,1520 @@ +#include "arm_arch.h" + +.text +.code 32 + +.type K256,%object +.align 5 +K256: +.word 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5 +.word 0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5 +.word 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3 +.word 0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174 +.word 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc +.word 0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da +.word 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7 +.word 0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967 +.word 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13 +.word 0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85 +.word 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3 +.word 0xd192e819,0xd6990624,0xf40e3585,0x106aa070 +.word 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5 +.word 0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3 +.word 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208 +.word 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 +.size K256,.-K256 + +.global sha256_block_data_order +.type sha256_block_data_order,%function +sha256_block_data_order: + sub r3,pc,#8 @ sha256_block_data_order + add r2,r1,r2,lsl#6 @ len to point at the end of inp + stmdb sp!,{r0,r1,r2,r4-r11,lr} + ldmia r0,{r4,r5,r6,r7,r8,r9,r10,r11} + sub r14,r3,#256 @ K256 + sub sp,sp,#16*4 @ alloca(X[16]) +.Loop: +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 0 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r8,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r8,ror#11 + eor r2,r9,r10 +#if 0>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 0==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r8,ror#25 @ Sigma1(e) + and r2,r2,r8 + str r3,[sp,#0*4] + add r3,r3,r0 + eor r2,r2,r10 @ Ch(e,f,g) + add r3,r3,r11 + mov r11,r4,ror#2 + add r3,r3,r2 + eor r11,r11,r4,ror#13 + add r3,r3,r12 + eor 
r11,r11,r4,ror#22 @ Sigma0(a) +#if 0>=15 + ldr r1,[sp,#2*4] @ from BODY_16_xx +#endif + orr r0,r4,r5 + and r2,r4,r5 + and r0,r0,r6 + add r11,r11,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r7,r7,r3 + add r11,r11,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 1 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r7,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r7,ror#11 + eor r2,r8,r9 +#if 1>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 1==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r7,ror#25 @ Sigma1(e) + and r2,r2,r7 + str r3,[sp,#1*4] + add r3,r3,r0 + eor r2,r2,r9 @ Ch(e,f,g) + add r3,r3,r10 + mov r10,r11,ror#2 + add r3,r3,r2 + eor r10,r10,r11,ror#13 + add r3,r3,r12 + eor r10,r10,r11,ror#22 @ Sigma0(a) +#if 1>=15 + ldr r1,[sp,#3*4] @ from BODY_16_xx +#endif + orr r0,r11,r4 + and r2,r11,r4 + and r0,r0,r5 + add r10,r10,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r6,r6,r3 + add r10,r10,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 2 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r6,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r6,ror#11 + eor r2,r7,r8 +#if 2>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 2==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r6,ror#25 @ Sigma1(e) + and r2,r2,r6 + str r3,[sp,#2*4] + add r3,r3,r0 + eor r2,r2,r8 @ Ch(e,f,g) + add r3,r3,r9 + mov r9,r10,ror#2 + add r3,r3,r2 + eor r9,r9,r10,ror#13 + add r3,r3,r12 + eor r9,r9,r10,ror#22 @ Sigma0(a) +#if 2>=15 + ldr r1,[sp,#4*4] @ from BODY_16_xx +#endif + orr r0,r10,r11 + and r2,r10,r11 + and r0,r0,r4 + add 
r9,r9,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r5,r5,r3 + add r9,r9,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 3 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r5,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r5,ror#11 + eor r2,r6,r7 +#if 3>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 3==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r5,ror#25 @ Sigma1(e) + and r2,r2,r5 + str r3,[sp,#3*4] + add r3,r3,r0 + eor r2,r2,r7 @ Ch(e,f,g) + add r3,r3,r8 + mov r8,r9,ror#2 + add r3,r3,r2 + eor r8,r8,r9,ror#13 + add r3,r3,r12 + eor r8,r8,r9,ror#22 @ Sigma0(a) +#if 3>=15 + ldr r1,[sp,#5*4] @ from BODY_16_xx +#endif + orr r0,r9,r10 + and r2,r9,r10 + and r0,r0,r11 + add r8,r8,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r4,r4,r3 + add r8,r8,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 4 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r4,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r4,ror#11 + eor r2,r5,r6 +#if 4>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 4==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r4,ror#25 @ Sigma1(e) + and r2,r2,r4 + str r3,[sp,#4*4] + add r3,r3,r0 + eor r2,r2,r6 @ Ch(e,f,g) + add r3,r3,r7 + mov r7,r8,ror#2 + add r3,r3,r2 + eor r7,r7,r8,ror#13 + add r3,r3,r12 + eor r7,r7,r8,ror#22 @ Sigma0(a) +#if 4>=15 + ldr r1,[sp,#6*4] @ from BODY_16_xx +#endif + orr r0,r8,r9 + and r2,r8,r9 + and r0,r0,r10 + add r7,r7,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r11,r11,r3 + add r7,r7,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] 
@ 5 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r11,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r11,ror#11 + eor r2,r4,r5 +#if 5>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 5==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r11,ror#25 @ Sigma1(e) + and r2,r2,r11 + str r3,[sp,#5*4] + add r3,r3,r0 + eor r2,r2,r5 @ Ch(e,f,g) + add r3,r3,r6 + mov r6,r7,ror#2 + add r3,r3,r2 + eor r6,r6,r7,ror#13 + add r3,r3,r12 + eor r6,r6,r7,ror#22 @ Sigma0(a) +#if 5>=15 + ldr r1,[sp,#7*4] @ from BODY_16_xx +#endif + orr r0,r7,r8 + and r2,r7,r8 + and r0,r0,r9 + add r6,r6,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r10,r10,r3 + add r6,r6,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 6 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r10,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r10,ror#11 + eor r2,r11,r4 +#if 6>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 6==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r10,ror#25 @ Sigma1(e) + and r2,r2,r10 + str r3,[sp,#6*4] + add r3,r3,r0 + eor r2,r2,r4 @ Ch(e,f,g) + add r3,r3,r5 + mov r5,r6,ror#2 + add r3,r3,r2 + eor r5,r5,r6,ror#13 + add r3,r3,r12 + eor r5,r5,r6,ror#22 @ Sigma0(a) +#if 6>=15 + ldr r1,[sp,#8*4] @ from BODY_16_xx +#endif + orr r0,r6,r7 + and r2,r6,r7 + and r0,r0,r8 + add r5,r5,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r9,r9,r3 + add r5,r5,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 7 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r9,ror#6 + ldr 
r12,[r14],#4 @ *K256++ + eor r0,r0,r9,ror#11 + eor r2,r10,r11 +#if 7>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 7==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r9,ror#25 @ Sigma1(e) + and r2,r2,r9 + str r3,[sp,#7*4] + add r3,r3,r0 + eor r2,r2,r11 @ Ch(e,f,g) + add r3,r3,r4 + mov r4,r5,ror#2 + add r3,r3,r2 + eor r4,r4,r5,ror#13 + add r3,r3,r12 + eor r4,r4,r5,ror#22 @ Sigma0(a) +#if 7>=15 + ldr r1,[sp,#9*4] @ from BODY_16_xx +#endif + orr r0,r5,r6 + and r2,r5,r6 + and r0,r0,r7 + add r4,r4,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r8,r8,r3 + add r4,r4,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 8 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r8,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r8,ror#11 + eor r2,r9,r10 +#if 8>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 8==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r8,ror#25 @ Sigma1(e) + and r2,r2,r8 + str r3,[sp,#8*4] + add r3,r3,r0 + eor r2,r2,r10 @ Ch(e,f,g) + add r3,r3,r11 + mov r11,r4,ror#2 + add r3,r3,r2 + eor r11,r11,r4,ror#13 + add r3,r3,r12 + eor r11,r11,r4,ror#22 @ Sigma0(a) +#if 8>=15 + ldr r1,[sp,#10*4] @ from BODY_16_xx +#endif + orr r0,r4,r5 + and r2,r4,r5 + and r0,r0,r6 + add r11,r11,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r7,r7,r3 + add r11,r11,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 9 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r7,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r7,ror#11 + eor r2,r8,r9 +#if 9>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && 
!defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 9==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r7,ror#25 @ Sigma1(e) + and r2,r2,r7 + str r3,[sp,#9*4] + add r3,r3,r0 + eor r2,r2,r9 @ Ch(e,f,g) + add r3,r3,r10 + mov r10,r11,ror#2 + add r3,r3,r2 + eor r10,r10,r11,ror#13 + add r3,r3,r12 + eor r10,r10,r11,ror#22 @ Sigma0(a) +#if 9>=15 + ldr r1,[sp,#11*4] @ from BODY_16_xx +#endif + orr r0,r11,r4 + and r2,r11,r4 + and r0,r0,r5 + add r10,r10,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r6,r6,r3 + add r10,r10,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 10 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r6,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r6,ror#11 + eor r2,r7,r8 +#if 10>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 10==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r6,ror#25 @ Sigma1(e) + and r2,r2,r6 + str r3,[sp,#10*4] + add r3,r3,r0 + eor r2,r2,r8 @ Ch(e,f,g) + add r3,r3,r9 + mov r9,r10,ror#2 + add r3,r3,r2 + eor r9,r9,r10,ror#13 + add r3,r3,r12 + eor r9,r9,r10,ror#22 @ Sigma0(a) +#if 10>=15 + ldr r1,[sp,#12*4] @ from BODY_16_xx +#endif + orr r0,r10,r11 + and r2,r10,r11 + and r0,r0,r4 + add r9,r9,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r5,r5,r3 + add r9,r9,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 11 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r5,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r5,ror#11 + eor r2,r6,r7 +#if 11>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 11==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r5,ror#25 @ 
Sigma1(e) + and r2,r2,r5 + str r3,[sp,#11*4] + add r3,r3,r0 + eor r2,r2,r7 @ Ch(e,f,g) + add r3,r3,r8 + mov r8,r9,ror#2 + add r3,r3,r2 + eor r8,r8,r9,ror#13 + add r3,r3,r12 + eor r8,r8,r9,ror#22 @ Sigma0(a) +#if 11>=15 + ldr r1,[sp,#13*4] @ from BODY_16_xx +#endif + orr r0,r9,r10 + and r2,r9,r10 + and r0,r0,r11 + add r8,r8,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r4,r4,r3 + add r8,r8,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 12 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r4,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r4,ror#11 + eor r2,r5,r6 +#if 12>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 12==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r4,ror#25 @ Sigma1(e) + and r2,r2,r4 + str r3,[sp,#12*4] + add r3,r3,r0 + eor r2,r2,r6 @ Ch(e,f,g) + add r3,r3,r7 + mov r7,r8,ror#2 + add r3,r3,r2 + eor r7,r7,r8,ror#13 + add r3,r3,r12 + eor r7,r7,r8,ror#22 @ Sigma0(a) +#if 12>=15 + ldr r1,[sp,#14*4] @ from BODY_16_xx +#endif + orr r0,r8,r9 + and r2,r8,r9 + and r0,r0,r10 + add r7,r7,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r11,r11,r3 + add r7,r7,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 13 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r11,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r11,ror#11 + eor r2,r4,r5 +#if 13>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 13==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r11,ror#25 @ Sigma1(e) + and r2,r2,r11 + str r3,[sp,#13*4] + add r3,r3,r0 + eor r2,r2,r5 @ Ch(e,f,g) + add r3,r3,r6 + mov r6,r7,ror#2 + add r3,r3,r2 + eor 
r6,r6,r7,ror#13 + add r3,r3,r12 + eor r6,r6,r7,ror#22 @ Sigma0(a) +#if 13>=15 + ldr r1,[sp,#15*4] @ from BODY_16_xx +#endif + orr r0,r7,r8 + and r2,r7,r8 + and r0,r0,r9 + add r6,r6,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r10,r10,r3 + add r6,r6,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 14 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r10,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r10,ror#11 + eor r2,r11,r4 +#if 14>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 14==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r10,ror#25 @ Sigma1(e) + and r2,r2,r10 + str r3,[sp,#14*4] + add r3,r3,r0 + eor r2,r2,r4 @ Ch(e,f,g) + add r3,r3,r5 + mov r5,r6,ror#2 + add r3,r3,r2 + eor r5,r5,r6,ror#13 + add r3,r3,r12 + eor r5,r5,r6,ror#22 @ Sigma0(a) +#if 14>=15 + ldr r1,[sp,#0*4] @ from BODY_16_xx +#endif + orr r0,r6,r7 + and r2,r6,r7 + and r0,r0,r8 + add r5,r5,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r9,r9,r3 + add r5,r5,r0 +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r3,[r1],#4 +#else + ldrb r3,[r1,#3] @ 15 + ldrb r12,[r1,#2] + ldrb r2,[r1,#1] + ldrb r0,[r1],#4 + orr r3,r3,r12,lsl#8 + orr r3,r3,r2,lsl#16 + orr r3,r3,r0,lsl#24 +#endif + mov r0,r9,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r9,ror#11 + eor r2,r10,r11 +#if 15>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 15==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r9,ror#25 @ Sigma1(e) + and r2,r2,r9 + str r3,[sp,#15*4] + add r3,r3,r0 + eor r2,r2,r11 @ Ch(e,f,g) + add r3,r3,r4 + mov r4,r5,ror#2 + add r3,r3,r2 + eor r4,r4,r5,ror#13 + add r3,r3,r12 + eor r4,r4,r5,ror#22 @ Sigma0(a) +#if 15>=15 + ldr r1,[sp,#1*4] @ from BODY_16_xx +#endif + orr r0,r5,r6 + and 
r2,r5,r6 + and r0,r0,r7 + add r4,r4,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r8,r8,r3 + add r4,r4,r0 +.Lrounds_16_xx: + @ ldr r1,[sp,#1*4] @ 16 + ldr r12,[sp,#14*4] + mov r0,r1,ror#7 + ldr r3,[sp,#0*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#9*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r8,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r8,ror#11 + eor r2,r9,r10 +#if 16>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 16==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r8,ror#25 @ Sigma1(e) + and r2,r2,r8 + str r3,[sp,#0*4] + add r3,r3,r0 + eor r2,r2,r10 @ Ch(e,f,g) + add r3,r3,r11 + mov r11,r4,ror#2 + add r3,r3,r2 + eor r11,r11,r4,ror#13 + add r3,r3,r12 + eor r11,r11,r4,ror#22 @ Sigma0(a) +#if 16>=15 + ldr r1,[sp,#2*4] @ from BODY_16_xx +#endif + orr r0,r4,r5 + and r2,r4,r5 + and r0,r0,r6 + add r11,r11,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r7,r7,r3 + add r11,r11,r0 + @ ldr r1,[sp,#2*4] @ 17 + ldr r12,[sp,#15*4] + mov r0,r1,ror#7 + ldr r3,[sp,#1*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#10*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r7,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r7,ror#11 + eor r2,r8,r9 +#if 17>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 17==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r7,ror#25 @ Sigma1(e) + and r2,r2,r7 + str r3,[sp,#1*4] + add r3,r3,r0 + eor r2,r2,r9 @ Ch(e,f,g) + add r3,r3,r10 + mov r10,r11,ror#2 + add r3,r3,r2 + eor r10,r10,r11,ror#13 + add r3,r3,r12 + eor r10,r10,r11,ror#22 @ Sigma0(a) +#if 17>=15 + ldr r1,[sp,#3*4] @ from BODY_16_xx +#endif + orr 
r0,r11,r4 + and r2,r11,r4 + and r0,r0,r5 + add r10,r10,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r6,r6,r3 + add r10,r10,r0 + @ ldr r1,[sp,#3*4] @ 18 + ldr r12,[sp,#0*4] + mov r0,r1,ror#7 + ldr r3,[sp,#2*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#11*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r6,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r6,ror#11 + eor r2,r7,r8 +#if 18>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 18==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r6,ror#25 @ Sigma1(e) + and r2,r2,r6 + str r3,[sp,#2*4] + add r3,r3,r0 + eor r2,r2,r8 @ Ch(e,f,g) + add r3,r3,r9 + mov r9,r10,ror#2 + add r3,r3,r2 + eor r9,r9,r10,ror#13 + add r3,r3,r12 + eor r9,r9,r10,ror#22 @ Sigma0(a) +#if 18>=15 + ldr r1,[sp,#4*4] @ from BODY_16_xx +#endif + orr r0,r10,r11 + and r2,r10,r11 + and r0,r0,r4 + add r9,r9,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r5,r5,r3 + add r9,r9,r0 + @ ldr r1,[sp,#4*4] @ 19 + ldr r12,[sp,#1*4] + mov r0,r1,ror#7 + ldr r3,[sp,#3*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#12*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r5,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r5,ror#11 + eor r2,r6,r7 +#if 19>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 19==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r5,ror#25 @ Sigma1(e) + and r2,r2,r5 + str r3,[sp,#3*4] + add r3,r3,r0 + eor r2,r2,r7 @ Ch(e,f,g) + add r3,r3,r8 + mov r8,r9,ror#2 + add r3,r3,r2 + eor r8,r8,r9,ror#13 + add r3,r3,r12 + eor r8,r8,r9,ror#22 @ Sigma0(a) +#if 19>=15 + ldr r1,[sp,#5*4] @ from BODY_16_xx +#endif + orr r0,r9,r10 + and 
r2,r9,r10 + and r0,r0,r11 + add r8,r8,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r4,r4,r3 + add r8,r8,r0 + @ ldr r1,[sp,#5*4] @ 20 + ldr r12,[sp,#2*4] + mov r0,r1,ror#7 + ldr r3,[sp,#4*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#13*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r4,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r4,ror#11 + eor r2,r5,r6 +#if 20>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 20==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r4,ror#25 @ Sigma1(e) + and r2,r2,r4 + str r3,[sp,#4*4] + add r3,r3,r0 + eor r2,r2,r6 @ Ch(e,f,g) + add r3,r3,r7 + mov r7,r8,ror#2 + add r3,r3,r2 + eor r7,r7,r8,ror#13 + add r3,r3,r12 + eor r7,r7,r8,ror#22 @ Sigma0(a) +#if 20>=15 + ldr r1,[sp,#6*4] @ from BODY_16_xx +#endif + orr r0,r8,r9 + and r2,r8,r9 + and r0,r0,r10 + add r7,r7,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r11,r11,r3 + add r7,r7,r0 + @ ldr r1,[sp,#6*4] @ 21 + ldr r12,[sp,#3*4] + mov r0,r1,ror#7 + ldr r3,[sp,#5*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#14*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r11,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r11,ror#11 + eor r2,r4,r5 +#if 21>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 21==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r11,ror#25 @ Sigma1(e) + and r2,r2,r11 + str r3,[sp,#5*4] + add r3,r3,r0 + eor r2,r2,r5 @ Ch(e,f,g) + add r3,r3,r6 + mov r6,r7,ror#2 + add r3,r3,r2 + eor r6,r6,r7,ror#13 + add r3,r3,r12 + eor r6,r6,r7,ror#22 @ Sigma0(a) +#if 21>=15 + ldr r1,[sp,#7*4] @ from BODY_16_xx +#endif + orr r0,r7,r8 + and r2,r7,r8 + and 
r0,r0,r9 + add r6,r6,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r10,r10,r3 + add r6,r6,r0 + @ ldr r1,[sp,#7*4] @ 22 + ldr r12,[sp,#4*4] + mov r0,r1,ror#7 + ldr r3,[sp,#6*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#15*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r10,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r10,ror#11 + eor r2,r11,r4 +#if 22>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 22==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r10,ror#25 @ Sigma1(e) + and r2,r2,r10 + str r3,[sp,#6*4] + add r3,r3,r0 + eor r2,r2,r4 @ Ch(e,f,g) + add r3,r3,r5 + mov r5,r6,ror#2 + add r3,r3,r2 + eor r5,r5,r6,ror#13 + add r3,r3,r12 + eor r5,r5,r6,ror#22 @ Sigma0(a) +#if 22>=15 + ldr r1,[sp,#8*4] @ from BODY_16_xx +#endif + orr r0,r6,r7 + and r2,r6,r7 + and r0,r0,r8 + add r5,r5,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r9,r9,r3 + add r5,r5,r0 + @ ldr r1,[sp,#8*4] @ 23 + ldr r12,[sp,#5*4] + mov r0,r1,ror#7 + ldr r3,[sp,#7*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#0*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r9,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r9,ror#11 + eor r2,r10,r11 +#if 23>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 23==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r9,ror#25 @ Sigma1(e) + and r2,r2,r9 + str r3,[sp,#7*4] + add r3,r3,r0 + eor r2,r2,r11 @ Ch(e,f,g) + add r3,r3,r4 + mov r4,r5,ror#2 + add r3,r3,r2 + eor r4,r4,r5,ror#13 + add r3,r3,r12 + eor r4,r4,r5,ror#22 @ Sigma0(a) +#if 23>=15 + ldr r1,[sp,#9*4] @ from BODY_16_xx +#endif + orr r0,r5,r6 + and r2,r5,r6 + and r0,r0,r7 + add 
r4,r4,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r8,r8,r3 + add r4,r4,r0 + @ ldr r1,[sp,#9*4] @ 24 + ldr r12,[sp,#6*4] + mov r0,r1,ror#7 + ldr r3,[sp,#8*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#1*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r8,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r8,ror#11 + eor r2,r9,r10 +#if 24>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 24==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r8,ror#25 @ Sigma1(e) + and r2,r2,r8 + str r3,[sp,#8*4] + add r3,r3,r0 + eor r2,r2,r10 @ Ch(e,f,g) + add r3,r3,r11 + mov r11,r4,ror#2 + add r3,r3,r2 + eor r11,r11,r4,ror#13 + add r3,r3,r12 + eor r11,r11,r4,ror#22 @ Sigma0(a) +#if 24>=15 + ldr r1,[sp,#10*4] @ from BODY_16_xx +#endif + orr r0,r4,r5 + and r2,r4,r5 + and r0,r0,r6 + add r11,r11,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r7,r7,r3 + add r11,r11,r0 + @ ldr r1,[sp,#10*4] @ 25 + ldr r12,[sp,#7*4] + mov r0,r1,ror#7 + ldr r3,[sp,#9*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#2*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r7,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r7,ror#11 + eor r2,r8,r9 +#if 25>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 25==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r7,ror#25 @ Sigma1(e) + and r2,r2,r7 + str r3,[sp,#9*4] + add r3,r3,r0 + eor r2,r2,r9 @ Ch(e,f,g) + add r3,r3,r10 + mov r10,r11,ror#2 + add r3,r3,r2 + eor r10,r10,r11,ror#13 + add r3,r3,r12 + eor r10,r10,r11,ror#22 @ Sigma0(a) +#if 25>=15 + ldr r1,[sp,#11*4] @ from BODY_16_xx +#endif + orr r0,r11,r4 + and r2,r11,r4 + and r0,r0,r5 + add 
r10,r10,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r6,r6,r3 + add r10,r10,r0 + @ ldr r1,[sp,#11*4] @ 26 + ldr r12,[sp,#8*4] + mov r0,r1,ror#7 + ldr r3,[sp,#10*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#3*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r6,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r6,ror#11 + eor r2,r7,r8 +#if 26>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 26==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r6,ror#25 @ Sigma1(e) + and r2,r2,r6 + str r3,[sp,#10*4] + add r3,r3,r0 + eor r2,r2,r8 @ Ch(e,f,g) + add r3,r3,r9 + mov r9,r10,ror#2 + add r3,r3,r2 + eor r9,r9,r10,ror#13 + add r3,r3,r12 + eor r9,r9,r10,ror#22 @ Sigma0(a) +#if 26>=15 + ldr r1,[sp,#12*4] @ from BODY_16_xx +#endif + orr r0,r10,r11 + and r2,r10,r11 + and r0,r0,r4 + add r9,r9,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r5,r5,r3 + add r9,r9,r0 + @ ldr r1,[sp,#12*4] @ 27 + ldr r12,[sp,#9*4] + mov r0,r1,ror#7 + ldr r3,[sp,#11*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#4*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r5,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r5,ror#11 + eor r2,r6,r7 +#if 27>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 27==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r5,ror#25 @ Sigma1(e) + and r2,r2,r5 + str r3,[sp,#11*4] + add r3,r3,r0 + eor r2,r2,r7 @ Ch(e,f,g) + add r3,r3,r8 + mov r8,r9,ror#2 + add r3,r3,r2 + eor r8,r8,r9,ror#13 + add r3,r3,r12 + eor r8,r8,r9,ror#22 @ Sigma0(a) +#if 27>=15 + ldr r1,[sp,#13*4] @ from BODY_16_xx +#endif + orr r0,r9,r10 + and r2,r9,r10 + and r0,r0,r11 + add r8,r8,r3 
+ orr r0,r0,r2 @ Maj(a,b,c) + add r4,r4,r3 + add r8,r8,r0 + @ ldr r1,[sp,#13*4] @ 28 + ldr r12,[sp,#10*4] + mov r0,r1,ror#7 + ldr r3,[sp,#12*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#5*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r4,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r4,ror#11 + eor r2,r5,r6 +#if 28>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 28==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r4,ror#25 @ Sigma1(e) + and r2,r2,r4 + str r3,[sp,#12*4] + add r3,r3,r0 + eor r2,r2,r6 @ Ch(e,f,g) + add r3,r3,r7 + mov r7,r8,ror#2 + add r3,r3,r2 + eor r7,r7,r8,ror#13 + add r3,r3,r12 + eor r7,r7,r8,ror#22 @ Sigma0(a) +#if 28>=15 + ldr r1,[sp,#14*4] @ from BODY_16_xx +#endif + orr r0,r8,r9 + and r2,r8,r9 + and r0,r0,r10 + add r7,r7,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r11,r11,r3 + add r7,r7,r0 + @ ldr r1,[sp,#14*4] @ 29 + ldr r12,[sp,#11*4] + mov r0,r1,ror#7 + ldr r3,[sp,#13*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#6*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r11,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r11,ror#11 + eor r2,r4,r5 +#if 29>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 29==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r11,ror#25 @ Sigma1(e) + and r2,r2,r11 + str r3,[sp,#13*4] + add r3,r3,r0 + eor r2,r2,r5 @ Ch(e,f,g) + add r3,r3,r6 + mov r6,r7,ror#2 + add r3,r3,r2 + eor r6,r6,r7,ror#13 + add r3,r3,r12 + eor r6,r6,r7,ror#22 @ Sigma0(a) +#if 29>=15 + ldr r1,[sp,#15*4] @ from BODY_16_xx +#endif + orr r0,r7,r8 + and r2,r7,r8 + and r0,r0,r9 + add r6,r6,r3 + orr r0,r0,r2 
@ Maj(a,b,c) + add r10,r10,r3 + add r6,r6,r0 + @ ldr r1,[sp,#15*4] @ 30 + ldr r12,[sp,#12*4] + mov r0,r1,ror#7 + ldr r3,[sp,#14*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#7*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r10,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r10,ror#11 + eor r2,r11,r4 +#if 30>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 30==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r10,ror#25 @ Sigma1(e) + and r2,r2,r10 + str r3,[sp,#14*4] + add r3,r3,r0 + eor r2,r2,r4 @ Ch(e,f,g) + add r3,r3,r5 + mov r5,r6,ror#2 + add r3,r3,r2 + eor r5,r5,r6,ror#13 + add r3,r3,r12 + eor r5,r5,r6,ror#22 @ Sigma0(a) +#if 30>=15 + ldr r1,[sp,#0*4] @ from BODY_16_xx +#endif + orr r0,r6,r7 + and r2,r6,r7 + and r0,r0,r8 + add r5,r5,r3 + orr r0,r0,r2 @ Maj(a,b,c) + add r9,r9,r3 + add r5,r5,r0 + @ ldr r1,[sp,#0*4] @ 31 + ldr r12,[sp,#13*4] + mov r0,r1,ror#7 + ldr r3,[sp,#15*4] + eor r0,r0,r1,ror#18 + ldr r2,[sp,#8*4] + eor r0,r0,r1,lsr#3 @ sigma0(X[i+1]) + mov r1,r12,ror#17 + add r3,r3,r0 + eor r1,r1,r12,ror#19 + add r3,r3,r2 + eor r1,r1,r12,lsr#10 @ sigma1(X[i+14]) + @ add r3,r3,r1 + mov r0,r9,ror#6 + ldr r12,[r14],#4 @ *K256++ + eor r0,r0,r9,ror#11 + eor r2,r10,r11 +#if 31>=16 + add r3,r3,r1 @ from BODY_16_xx +#elif __ARM_ARCH__>=7 && defined(__ARMEL__) && !defined(__STRICT_ALIGNMENT) + rev r3,r3 +#endif +#if 31==15 + str r1,[sp,#17*4] @ leave room for r1 +#endif + eor r0,r0,r9,ror#25 @ Sigma1(e) + and r2,r2,r9 + str r3,[sp,#15*4] + add r3,r3,r0 + eor r2,r2,r11 @ Ch(e,f,g) + add r3,r3,r4 + mov r4,r5,ror#2 + add r3,r3,r2 + eor r4,r4,r5,ror#13 + add r3,r3,r12 + eor r4,r4,r5,ror#22 @ Sigma0(a) +#if 31>=15 + ldr r1,[sp,#1*4] @ from BODY_16_xx +#endif + orr r0,r5,r6 + and r2,r5,r6 + and r0,r0,r7 + add r4,r4,r3 + orr r0,r0,r2 @ Maj(a,b,c) + 
add r8,r8,r3 + add r4,r4,r0 + and r12,r12,#0xff + cmp r12,#0xf2 + bne .Lrounds_16_xx + + ldr r3,[sp,#16*4] @ pull ctx + ldr r0,[r3,#0] + ldr r2,[r3,#4] + ldr r12,[r3,#8] + add r4,r4,r0 + ldr r0,[r3,#12] + add r5,r5,r2 + ldr r2,[r3,#16] + add r6,r6,r12 + ldr r12,[r3,#20] + add r7,r7,r0 + ldr r0,[r3,#24] + add r8,r8,r2 + ldr r2,[r3,#28] + add r9,r9,r12 + ldr r1,[sp,#17*4] @ pull inp + ldr r12,[sp,#18*4] @ pull inp+len + add r10,r10,r0 + add r11,r11,r2 + stmia r3,{r4,r5,r6,r7,r8,r9,r10,r11} + cmp r1,r12 + sub r14,r14,#256 @ rewind Ktbl + bne .Loop + + add sp,sp,#19*4 @ destroy frame +#if __ARM_ARCH__>=5 + ldmia sp!,{r4-r11,pc} +#else + ldmia sp!,{r4-r11,lr} + tst lr,#1 + moveq pc,lr @ be binary compatible with V4, yet + .word 0xe12fff1e @ interoperable with Thumb ISA:-) +#endif +.size sha256_block_data_order,.-sha256_block_data_order +.asciz "SHA256 block transform for ARMv4, CRYPTOGAMS by " +.align 2 +#if defined(HAVE_GNU_STACK) +.section .note.GNU-stack,"",%progbits +#endif diff --git a/crypto/sha/sha256-masm-x86_64.S b/crypto/sha/sha256-masm-x86_64.S new file mode 100644 index 0000000..33c705d --- /dev/null +++ b/crypto/sha/sha256-masm-x86_64.S 
@@ -0,0 +1,1864 @@ +; 1 "crypto/sha/sha256-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/sha/sha256-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/sha/sha256-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' + +PUBLIC sha256_block_data_order + +ALIGN 16 +sha256_block_data_order PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_sha256_block_data_order:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + + + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + mov r11,rsp + shl rdx,4 + sub rsp,16*4+4*8 + lea rdx,QWORD PTR[rdx*4+rsi] + and rsp,-64 + mov QWORD PTR[((64+0))+rsp],rdi + mov QWORD PTR[((64+8))+rsp],rsi + mov QWORD PTR[((64+16))+rsp],rdx + mov QWORD PTR[((64+24))+rsp],r11 +$L$prologue:: + + lea rbp,QWORD PTR[K256] + + mov eax,DWORD PTR[rdi] + mov ebx,DWORD PTR[4+rdi] + mov ecx,DWORD PTR[8+rdi] + mov edx,DWORD PTR[12+rdi] + mov r8d,DWORD PTR[16+rdi] + mov r9d,DWORD PTR[20+rdi] + mov r10d,DWORD PTR[24+rdi] + mov r11d,DWORD PTR[28+rdi] + jmp $L$loop + +ALIGN 16 +$L$loop:: + xor rdi,rdi + mov r12d,DWORD PTR[rsi] + mov r13d,r8d + mov r14d,eax + bswap r12d + ror r13d,14 + mov r15d,r9d + mov DWORD PTR[rsp],r12d + + ror r14d,9 + xor r13d,r8d + xor r15d,r10d + + ror r13d,5 + add r12d,r11d + xor r14d,eax + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r8d + mov r11d,ebx + + ror r14d,11 + xor r13d,r8d + xor r15d,r10d + + xor r11d,ecx + xor r14d,eax + add r12d,r15d + mov r15d,ebx + + ror r13d,6 + and r11d,eax + and r15d,ecx + + ror r14d,2 + add r12d,r13d + add r11d,r15d + + add edx,r12d + add r11d,r12d + lea rdi,QWORD PTR[1+rdi] + add r11d,r14d + + mov r12d,DWORD PTR[4+rsi] + mov r13d,edx + mov r14d,r11d + bswap r12d + ror r13d,14 + mov r15d,r8d + mov 
DWORD PTR[4+rsp],r12d + + ror r14d,9 + xor r13d,edx + xor r15d,r9d + + ror r13d,5 + add r12d,r10d + xor r14d,r11d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,edx + mov r10d,eax + + ror r14d,11 + xor r13d,edx + xor r15d,r9d + + xor r10d,ebx + xor r14d,r11d + add r12d,r15d + mov r15d,eax + + ror r13d,6 + and r10d,r11d + and r15d,ebx + + ror r14d,2 + add r12d,r13d + add r10d,r15d + + add ecx,r12d + add r10d,r12d + lea rdi,QWORD PTR[1+rdi] + add r10d,r14d + + mov r12d,DWORD PTR[8+rsi] + mov r13d,ecx + mov r14d,r10d + bswap r12d + ror r13d,14 + mov r15d,edx + mov DWORD PTR[8+rsp],r12d + + ror r14d,9 + xor r13d,ecx + xor r15d,r8d + + ror r13d,5 + add r12d,r9d + xor r14d,r10d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,ecx + mov r9d,r11d + + ror r14d,11 + xor r13d,ecx + xor r15d,r8d + + xor r9d,eax + xor r14d,r10d + add r12d,r15d + mov r15d,r11d + + ror r13d,6 + and r9d,r10d + and r15d,eax + + ror r14d,2 + add r12d,r13d + add r9d,r15d + + add ebx,r12d + add r9d,r12d + lea rdi,QWORD PTR[1+rdi] + add r9d,r14d + + mov r12d,DWORD PTR[12+rsi] + mov r13d,ebx + mov r14d,r9d + bswap r12d + ror r13d,14 + mov r15d,ecx + mov DWORD PTR[12+rsp],r12d + + ror r14d,9 + xor r13d,ebx + xor r15d,edx + + ror r13d,5 + add r12d,r8d + xor r14d,r9d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,ebx + mov r8d,r10d + + ror r14d,11 + xor r13d,ebx + xor r15d,edx + + xor r8d,r11d + xor r14d,r9d + add r12d,r15d + mov r15d,r10d + + ror r13d,6 + and r8d,r9d + and r15d,r11d + + ror r14d,2 + add r12d,r13d + add r8d,r15d + + add eax,r12d + add r8d,r12d + lea rdi,QWORD PTR[1+rdi] + add r8d,r14d + + mov r12d,DWORD PTR[16+rsi] + mov r13d,eax + mov r14d,r8d + bswap r12d + ror r13d,14 + mov r15d,ebx + mov DWORD PTR[16+rsp],r12d + + ror r14d,9 + xor r13d,eax + xor r15d,ecx + + ror r13d,5 + add r12d,edx + xor r14d,r8d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,eax + mov edx,r9d + + ror r14d,11 + xor r13d,eax + xor r15d,ecx + + xor edx,r10d + xor r14d,r8d + add r12d,r15d + mov r15d,r9d + + ror r13d,6 + and 
edx,r8d + and r15d,r10d + + ror r14d,2 + add r12d,r13d + add edx,r15d + + add r11d,r12d + add edx,r12d + lea rdi,QWORD PTR[1+rdi] + add edx,r14d + + mov r12d,DWORD PTR[20+rsi] + mov r13d,r11d + mov r14d,edx + bswap r12d + ror r13d,14 + mov r15d,eax + mov DWORD PTR[20+rsp],r12d + + ror r14d,9 + xor r13d,r11d + xor r15d,ebx + + ror r13d,5 + add r12d,ecx + xor r14d,edx + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r11d + mov ecx,r8d + + ror r14d,11 + xor r13d,r11d + xor r15d,ebx + + xor ecx,r9d + xor r14d,edx + add r12d,r15d + mov r15d,r8d + + ror r13d,6 + and ecx,edx + and r15d,r9d + + ror r14d,2 + add r12d,r13d + add ecx,r15d + + add r10d,r12d + add ecx,r12d + lea rdi,QWORD PTR[1+rdi] + add ecx,r14d + + mov r12d,DWORD PTR[24+rsi] + mov r13d,r10d + mov r14d,ecx + bswap r12d + ror r13d,14 + mov r15d,r11d + mov DWORD PTR[24+rsp],r12d + + ror r14d,9 + xor r13d,r10d + xor r15d,eax + + ror r13d,5 + add r12d,ebx + xor r14d,ecx + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r10d + mov ebx,edx + + ror r14d,11 + xor r13d,r10d + xor r15d,eax + + xor ebx,r8d + xor r14d,ecx + add r12d,r15d + mov r15d,edx + + ror r13d,6 + and ebx,ecx + and r15d,r8d + + ror r14d,2 + add r12d,r13d + add ebx,r15d + + add r9d,r12d + add ebx,r12d + lea rdi,QWORD PTR[1+rdi] + add ebx,r14d + + mov r12d,DWORD PTR[28+rsi] + mov r13d,r9d + mov r14d,ebx + bswap r12d + ror r13d,14 + mov r15d,r10d + mov DWORD PTR[28+rsp],r12d + + ror r14d,9 + xor r13d,r9d + xor r15d,r11d + + ror r13d,5 + add r12d,eax + xor r14d,ebx + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r9d + mov eax,ecx + + ror r14d,11 + xor r13d,r9d + xor r15d,r11d + + xor eax,edx + xor r14d,ebx + add r12d,r15d + mov r15d,ecx + + ror r13d,6 + and eax,ebx + and r15d,edx + + ror r14d,2 + add r12d,r13d + add eax,r15d + + add r8d,r12d + add eax,r12d + lea rdi,QWORD PTR[1+rdi] + add eax,r14d + + mov r12d,DWORD PTR[32+rsi] + mov r13d,r8d + mov r14d,eax + bswap r12d + ror r13d,14 + mov r15d,r9d + mov DWORD PTR[32+rsp],r12d + + ror r14d,9 + xor r13d,r8d + xor 
r15d,r10d + + ror r13d,5 + add r12d,r11d + xor r14d,eax + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r8d + mov r11d,ebx + + ror r14d,11 + xor r13d,r8d + xor r15d,r10d + + xor r11d,ecx + xor r14d,eax + add r12d,r15d + mov r15d,ebx + + ror r13d,6 + and r11d,eax + and r15d,ecx + + ror r14d,2 + add r12d,r13d + add r11d,r15d + + add edx,r12d + add r11d,r12d + lea rdi,QWORD PTR[1+rdi] + add r11d,r14d + + mov r12d,DWORD PTR[36+rsi] + mov r13d,edx + mov r14d,r11d + bswap r12d + ror r13d,14 + mov r15d,r8d + mov DWORD PTR[36+rsp],r12d + + ror r14d,9 + xor r13d,edx + xor r15d,r9d + + ror r13d,5 + add r12d,r10d + xor r14d,r11d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,edx + mov r10d,eax + + ror r14d,11 + xor r13d,edx + xor r15d,r9d + + xor r10d,ebx + xor r14d,r11d + add r12d,r15d + mov r15d,eax + + ror r13d,6 + and r10d,r11d + and r15d,ebx + + ror r14d,2 + add r12d,r13d + add r10d,r15d + + add ecx,r12d + add r10d,r12d + lea rdi,QWORD PTR[1+rdi] + add r10d,r14d + + mov r12d,DWORD PTR[40+rsi] + mov r13d,ecx + mov r14d,r10d + bswap r12d + ror r13d,14 + mov r15d,edx + mov DWORD PTR[40+rsp],r12d + + ror r14d,9 + xor r13d,ecx + xor r15d,r8d + + ror r13d,5 + add r12d,r9d + xor r14d,r10d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,ecx + mov r9d,r11d + + ror r14d,11 + xor r13d,ecx + xor r15d,r8d + + xor r9d,eax + xor r14d,r10d + add r12d,r15d + mov r15d,r11d + + ror r13d,6 + and r9d,r10d + and r15d,eax + + ror r14d,2 + add r12d,r13d + add r9d,r15d + + add ebx,r12d + add r9d,r12d + lea rdi,QWORD PTR[1+rdi] + add r9d,r14d + + mov r12d,DWORD PTR[44+rsi] + mov r13d,ebx + mov r14d,r9d + bswap r12d + ror r13d,14 + mov r15d,ecx + mov DWORD PTR[44+rsp],r12d + + ror r14d,9 + xor r13d,ebx + xor r15d,edx + + ror r13d,5 + add r12d,r8d + xor r14d,r9d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,ebx + mov r8d,r10d + + ror r14d,11 + xor r13d,ebx + xor r15d,edx + + xor r8d,r11d + xor r14d,r9d + add r12d,r15d + mov r15d,r10d + + ror r13d,6 + and r8d,r9d + and r15d,r11d + + ror r14d,2 + add 
r12d,r13d + add r8d,r15d + + add eax,r12d + add r8d,r12d + lea rdi,QWORD PTR[1+rdi] + add r8d,r14d + + mov r12d,DWORD PTR[48+rsi] + mov r13d,eax + mov r14d,r8d + bswap r12d + ror r13d,14 + mov r15d,ebx + mov DWORD PTR[48+rsp],r12d + + ror r14d,9 + xor r13d,eax + xor r15d,ecx + + ror r13d,5 + add r12d,edx + xor r14d,r8d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,eax + mov edx,r9d + + ror r14d,11 + xor r13d,eax + xor r15d,ecx + + xor edx,r10d + xor r14d,r8d + add r12d,r15d + mov r15d,r9d + + ror r13d,6 + and edx,r8d + and r15d,r10d + + ror r14d,2 + add r12d,r13d + add edx,r15d + + add r11d,r12d + add edx,r12d + lea rdi,QWORD PTR[1+rdi] + add edx,r14d + + mov r12d,DWORD PTR[52+rsi] + mov r13d,r11d + mov r14d,edx + bswap r12d + ror r13d,14 + mov r15d,eax + mov DWORD PTR[52+rsp],r12d + + ror r14d,9 + xor r13d,r11d + xor r15d,ebx + + ror r13d,5 + add r12d,ecx + xor r14d,edx + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r11d + mov ecx,r8d + + ror r14d,11 + xor r13d,r11d + xor r15d,ebx + + xor ecx,r9d + xor r14d,edx + add r12d,r15d + mov r15d,r8d + + ror r13d,6 + and ecx,edx + and r15d,r9d + + ror r14d,2 + add r12d,r13d + add ecx,r15d + + add r10d,r12d + add ecx,r12d + lea rdi,QWORD PTR[1+rdi] + add ecx,r14d + + mov r12d,DWORD PTR[56+rsi] + mov r13d,r10d + mov r14d,ecx + bswap r12d + ror r13d,14 + mov r15d,r11d + mov DWORD PTR[56+rsp],r12d + + ror r14d,9 + xor r13d,r10d + xor r15d,eax + + ror r13d,5 + add r12d,ebx + xor r14d,ecx + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r10d + mov ebx,edx + + ror r14d,11 + xor r13d,r10d + xor r15d,eax + + xor ebx,r8d + xor r14d,ecx + add r12d,r15d + mov r15d,edx + + ror r13d,6 + and ebx,ecx + and r15d,r8d + + ror r14d,2 + add r12d,r13d + add ebx,r15d + + add r9d,r12d + add ebx,r12d + lea rdi,QWORD PTR[1+rdi] + add ebx,r14d + + mov r12d,DWORD PTR[60+rsi] + mov r13d,r9d + mov r14d,ebx + bswap r12d + ror r13d,14 + mov r15d,r10d + mov DWORD PTR[60+rsp],r12d + + ror r14d,9 + xor r13d,r9d + xor r15d,r11d + + ror r13d,5 + add r12d,eax + xor 
r14d,ebx + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r9d + mov eax,ecx + + ror r14d,11 + xor r13d,r9d + xor r15d,r11d + + xor eax,edx + xor r14d,ebx + add r12d,r15d + mov r15d,ecx + + ror r13d,6 + and eax,ebx + and r15d,edx + + ror r14d,2 + add r12d,r13d + add eax,r15d + + add r8d,r12d + add eax,r12d + lea rdi,QWORD PTR[1+rdi] + add eax,r14d + + jmp $L$rounds_16_xx +ALIGN 16 +$L$rounds_16_xx:: + mov r13d,DWORD PTR[4+rsp] + mov r14d,DWORD PTR[56+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[36+rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[rsp] + mov r13d,r8d + add r12d,r14d + mov r14d,eax + ror r13d,14 + mov r15d,r9d + mov DWORD PTR[rsp],r12d + + ror r14d,9 + xor r13d,r8d + xor r15d,r10d + + ror r13d,5 + add r12d,r11d + xor r14d,eax + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r8d + mov r11d,ebx + + ror r14d,11 + xor r13d,r8d + xor r15d,r10d + + xor r11d,ecx + xor r14d,eax + add r12d,r15d + mov r15d,ebx + + ror r13d,6 + and r11d,eax + and r15d,ecx + + ror r14d,2 + add r12d,r13d + add r11d,r15d + + add edx,r12d + add r11d,r12d + lea rdi,QWORD PTR[1+rdi] + add r11d,r14d + + mov r13d,DWORD PTR[8+rsp] + mov r14d,DWORD PTR[60+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[40+rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[4+rsp] + mov r13d,edx + add r12d,r14d + mov r14d,r11d + ror r13d,14 + mov r15d,r8d + mov DWORD PTR[4+rsp],r12d + + ror r14d,9 + xor r13d,edx + xor r15d,r9d + + ror r13d,5 + add r12d,r10d + xor r14d,r11d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,edx + mov r10d,eax + + ror r14d,11 + xor r13d,edx + xor r15d,r9d + + xor r10d,ebx + xor r14d,r11d + add r12d,r15d + mov r15d,eax + + ror r13d,6 + and r10d,r11d + and r15d,ebx + + ror r14d,2 + 
add r12d,r13d + add r10d,r15d + + add ecx,r12d + add r10d,r12d + lea rdi,QWORD PTR[1+rdi] + add r10d,r14d + + mov r13d,DWORD PTR[12+rsp] + mov r14d,DWORD PTR[rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[44+rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[8+rsp] + mov r13d,ecx + add r12d,r14d + mov r14d,r10d + ror r13d,14 + mov r15d,edx + mov DWORD PTR[8+rsp],r12d + + ror r14d,9 + xor r13d,ecx + xor r15d,r8d + + ror r13d,5 + add r12d,r9d + xor r14d,r10d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,ecx + mov r9d,r11d + + ror r14d,11 + xor r13d,ecx + xor r15d,r8d + + xor r9d,eax + xor r14d,r10d + add r12d,r15d + mov r15d,r11d + + ror r13d,6 + and r9d,r10d + and r15d,eax + + ror r14d,2 + add r12d,r13d + add r9d,r15d + + add ebx,r12d + add r9d,r12d + lea rdi,QWORD PTR[1+rdi] + add r9d,r14d + + mov r13d,DWORD PTR[16+rsp] + mov r14d,DWORD PTR[4+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[48+rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[12+rsp] + mov r13d,ebx + add r12d,r14d + mov r14d,r9d + ror r13d,14 + mov r15d,ecx + mov DWORD PTR[12+rsp],r12d + + ror r14d,9 + xor r13d,ebx + xor r15d,edx + + ror r13d,5 + add r12d,r8d + xor r14d,r9d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,ebx + mov r8d,r10d + + ror r14d,11 + xor r13d,ebx + xor r15d,edx + + xor r8d,r11d + xor r14d,r9d + add r12d,r15d + mov r15d,r10d + + ror r13d,6 + and r8d,r9d + and r15d,r11d + + ror r14d,2 + add r12d,r13d + add r8d,r15d + + add eax,r12d + add r8d,r12d + lea rdi,QWORD PTR[1+rdi] + add r8d,r14d + + mov r13d,DWORD PTR[20+rsp] + mov r14d,DWORD PTR[8+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD 
PTR[52+rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[16+rsp] + mov r13d,eax + add r12d,r14d + mov r14d,r8d + ror r13d,14 + mov r15d,ebx + mov DWORD PTR[16+rsp],r12d + + ror r14d,9 + xor r13d,eax + xor r15d,ecx + + ror r13d,5 + add r12d,edx + xor r14d,r8d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,eax + mov edx,r9d + + ror r14d,11 + xor r13d,eax + xor r15d,ecx + + xor edx,r10d + xor r14d,r8d + add r12d,r15d + mov r15d,r9d + + ror r13d,6 + and edx,r8d + and r15d,r10d + + ror r14d,2 + add r12d,r13d + add edx,r15d + + add r11d,r12d + add edx,r12d + lea rdi,QWORD PTR[1+rdi] + add edx,r14d + + mov r13d,DWORD PTR[24+rsp] + mov r14d,DWORD PTR[12+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[56+rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[20+rsp] + mov r13d,r11d + add r12d,r14d + mov r14d,edx + ror r13d,14 + mov r15d,eax + mov DWORD PTR[20+rsp],r12d + + ror r14d,9 + xor r13d,r11d + xor r15d,ebx + + ror r13d,5 + add r12d,ecx + xor r14d,edx + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r11d + mov ecx,r8d + + ror r14d,11 + xor r13d,r11d + xor r15d,ebx + + xor ecx,r9d + xor r14d,edx + add r12d,r15d + mov r15d,r8d + + ror r13d,6 + and ecx,edx + and r15d,r9d + + ror r14d,2 + add r12d,r13d + add ecx,r15d + + add r10d,r12d + add ecx,r12d + lea rdi,QWORD PTR[1+rdi] + add ecx,r14d + + mov r13d,DWORD PTR[28+rsp] + mov r14d,DWORD PTR[16+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[60+rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[24+rsp] + mov r13d,r10d + add r12d,r14d + mov r14d,ecx + ror r13d,14 + mov r15d,r11d + mov DWORD PTR[24+rsp],r12d + + ror r14d,9 + xor r13d,r10d + xor r15d,eax + + 
ror r13d,5 + add r12d,ebx + xor r14d,ecx + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r10d + mov ebx,edx + + ror r14d,11 + xor r13d,r10d + xor r15d,eax + + xor ebx,r8d + xor r14d,ecx + add r12d,r15d + mov r15d,edx + + ror r13d,6 + and ebx,ecx + and r15d,r8d + + ror r14d,2 + add r12d,r13d + add ebx,r15d + + add r9d,r12d + add ebx,r12d + lea rdi,QWORD PTR[1+rdi] + add ebx,r14d + + mov r13d,DWORD PTR[32+rsp] + mov r14d,DWORD PTR[20+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[28+rsp] + mov r13d,r9d + add r12d,r14d + mov r14d,ebx + ror r13d,14 + mov r15d,r10d + mov DWORD PTR[28+rsp],r12d + + ror r14d,9 + xor r13d,r9d + xor r15d,r11d + + ror r13d,5 + add r12d,eax + xor r14d,ebx + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r9d + mov eax,ecx + + ror r14d,11 + xor r13d,r9d + xor r15d,r11d + + xor eax,edx + xor r14d,ebx + add r12d,r15d + mov r15d,ecx + + ror r13d,6 + and eax,ebx + and r15d,edx + + ror r14d,2 + add r12d,r13d + add eax,r15d + + add r8d,r12d + add eax,r12d + lea rdi,QWORD PTR[1+rdi] + add eax,r14d + + mov r13d,DWORD PTR[36+rsp] + mov r14d,DWORD PTR[24+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[4+rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[32+rsp] + mov r13d,r8d + add r12d,r14d + mov r14d,eax + ror r13d,14 + mov r15d,r9d + mov DWORD PTR[32+rsp],r12d + + ror r14d,9 + xor r13d,r8d + xor r15d,r10d + + ror r13d,5 + add r12d,r11d + xor r14d,eax + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r8d + mov r11d,ebx + + ror r14d,11 + xor r13d,r8d + xor r15d,r10d + + xor r11d,ecx + xor r14d,eax + add r12d,r15d + mov r15d,ebx + + ror r13d,6 + and r11d,eax + and r15d,ecx + + ror r14d,2 + add r12d,r13d + add 
r11d,r15d + + add edx,r12d + add r11d,r12d + lea rdi,QWORD PTR[1+rdi] + add r11d,r14d + + mov r13d,DWORD PTR[40+rsp] + mov r14d,DWORD PTR[28+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[8+rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[36+rsp] + mov r13d,edx + add r12d,r14d + mov r14d,r11d + ror r13d,14 + mov r15d,r8d + mov DWORD PTR[36+rsp],r12d + + ror r14d,9 + xor r13d,edx + xor r15d,r9d + + ror r13d,5 + add r12d,r10d + xor r14d,r11d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,edx + mov r10d,eax + + ror r14d,11 + xor r13d,edx + xor r15d,r9d + + xor r10d,ebx + xor r14d,r11d + add r12d,r15d + mov r15d,eax + + ror r13d,6 + and r10d,r11d + and r15d,ebx + + ror r14d,2 + add r12d,r13d + add r10d,r15d + + add ecx,r12d + add r10d,r12d + lea rdi,QWORD PTR[1+rdi] + add r10d,r14d + + mov r13d,DWORD PTR[44+rsp] + mov r14d,DWORD PTR[32+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[12+rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[40+rsp] + mov r13d,ecx + add r12d,r14d + mov r14d,r10d + ror r13d,14 + mov r15d,edx + mov DWORD PTR[40+rsp],r12d + + ror r14d,9 + xor r13d,ecx + xor r15d,r8d + + ror r13d,5 + add r12d,r9d + xor r14d,r10d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,ecx + mov r9d,r11d + + ror r14d,11 + xor r13d,ecx + xor r15d,r8d + + xor r9d,eax + xor r14d,r10d + add r12d,r15d + mov r15d,r11d + + ror r13d,6 + and r9d,r10d + and r15d,eax + + ror r14d,2 + add r12d,r13d + add r9d,r15d + + add ebx,r12d + add r9d,r12d + lea rdi,QWORD PTR[1+rdi] + add r9d,r14d + + mov r13d,DWORD PTR[48+rsp] + mov r14d,DWORD PTR[36+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[16+rsp] 
+ + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[44+rsp] + mov r13d,ebx + add r12d,r14d + mov r14d,r9d + ror r13d,14 + mov r15d,ecx + mov DWORD PTR[44+rsp],r12d + + ror r14d,9 + xor r13d,ebx + xor r15d,edx + + ror r13d,5 + add r12d,r8d + xor r14d,r9d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,ebx + mov r8d,r10d + + ror r14d,11 + xor r13d,ebx + xor r15d,edx + + xor r8d,r11d + xor r14d,r9d + add r12d,r15d + mov r15d,r10d + + ror r13d,6 + and r8d,r9d + and r15d,r11d + + ror r14d,2 + add r12d,r13d + add r8d,r15d + + add eax,r12d + add r8d,r12d + lea rdi,QWORD PTR[1+rdi] + add r8d,r14d + + mov r13d,DWORD PTR[52+rsp] + mov r14d,DWORD PTR[40+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[20+rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[48+rsp] + mov r13d,eax + add r12d,r14d + mov r14d,r8d + ror r13d,14 + mov r15d,ebx + mov DWORD PTR[48+rsp],r12d + + ror r14d,9 + xor r13d,eax + xor r15d,ecx + + ror r13d,5 + add r12d,edx + xor r14d,r8d + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,eax + mov edx,r9d + + ror r14d,11 + xor r13d,eax + xor r15d,ecx + + xor edx,r10d + xor r14d,r8d + add r12d,r15d + mov r15d,r9d + + ror r13d,6 + and edx,r8d + and r15d,r10d + + ror r14d,2 + add r12d,r13d + add edx,r15d + + add r11d,r12d + add edx,r12d + lea rdi,QWORD PTR[1+rdi] + add edx,r14d + + mov r13d,DWORD PTR[56+rsp] + mov r14d,DWORD PTR[44+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[24+rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[52+rsp] + mov r13d,r11d + add r12d,r14d + mov r14d,edx + ror r13d,14 + mov r15d,eax + mov DWORD PTR[52+rsp],r12d + + ror r14d,9 + xor r13d,r11d + xor r15d,ebx + + ror r13d,5 + 
add r12d,ecx + xor r14d,edx + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r11d + mov ecx,r8d + + ror r14d,11 + xor r13d,r11d + xor r15d,ebx + + xor ecx,r9d + xor r14d,edx + add r12d,r15d + mov r15d,r8d + + ror r13d,6 + and ecx,edx + and r15d,r9d + + ror r14d,2 + add r12d,r13d + add ecx,r15d + + add r10d,r12d + add ecx,r12d + lea rdi,QWORD PTR[1+rdi] + add ecx,r14d + + mov r13d,DWORD PTR[60+rsp] + mov r14d,DWORD PTR[48+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[28+rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[56+rsp] + mov r13d,r10d + add r12d,r14d + mov r14d,ecx + ror r13d,14 + mov r15d,r11d + mov DWORD PTR[56+rsp],r12d + + ror r14d,9 + xor r13d,r10d + xor r15d,eax + + ror r13d,5 + add r12d,ebx + xor r14d,ecx + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r10d + mov ebx,edx + + ror r14d,11 + xor r13d,r10d + xor r15d,eax + + xor ebx,r8d + xor r14d,ecx + add r12d,r15d + mov r15d,edx + + ror r13d,6 + and ebx,ecx + and r15d,r8d + + ror r14d,2 + add r12d,r13d + add ebx,r15d + + add r9d,r12d + add ebx,r12d + lea rdi,QWORD PTR[1+rdi] + add ebx,r14d + + mov r13d,DWORD PTR[rsp] + mov r14d,DWORD PTR[52+rsp] + mov r12d,r13d + mov r15d,r14d + + ror r12d,11 + xor r12d,r13d + shr r13d,3 + + ror r12d,7 + xor r13d,r12d + mov r12d,DWORD PTR[32+rsp] + + ror r15d,2 + xor r15d,r14d + shr r14d,10 + + ror r15d,17 + add r12d,r13d + xor r14d,r15d + + add r12d,DWORD PTR[60+rsp] + mov r13d,r9d + add r12d,r14d + mov r14d,ebx + ror r13d,14 + mov r15d,r10d + mov DWORD PTR[60+rsp],r12d + + ror r14d,9 + xor r13d,r9d + xor r15d,r11d + + ror r13d,5 + add r12d,eax + xor r14d,ebx + + add r12d,DWORD PTR[rdi*4+rbp] + and r15d,r9d + mov eax,ecx + + ror r14d,11 + xor r13d,r9d + xor r15d,r11d + + xor eax,edx + xor r14d,ebx + add r12d,r15d + mov r15d,ecx + + ror r13d,6 + and eax,ebx + and r15d,edx + + ror r14d,2 + add r12d,r13d + add eax,r15d + 
+ add r8d,r12d + add eax,r12d + lea rdi,QWORD PTR[1+rdi] + add eax,r14d + + cmp rdi,64 + jb $L$rounds_16_xx + + mov rdi,QWORD PTR[((64+0))+rsp] + lea rsi,QWORD PTR[64+rsi] + + add eax,DWORD PTR[rdi] + add ebx,DWORD PTR[4+rdi] + add ecx,DWORD PTR[8+rdi] + add edx,DWORD PTR[12+rdi] + add r8d,DWORD PTR[16+rdi] + add r9d,DWORD PTR[20+rdi] + add r10d,DWORD PTR[24+rdi] + add r11d,DWORD PTR[28+rdi] + + cmp rsi,QWORD PTR[((64+16))+rsp] + + mov DWORD PTR[rdi],eax + mov DWORD PTR[4+rdi],ebx + mov DWORD PTR[8+rdi],ecx + mov DWORD PTR[12+rdi],edx + mov DWORD PTR[16+rdi],r8d + mov DWORD PTR[20+rdi],r9d + mov DWORD PTR[24+rdi],r10d + mov DWORD PTR[28+rdi],r11d + jb $L$loop + + mov rsi,QWORD PTR[((64+24))+rsp] + mov r15,QWORD PTR[rsi] + mov r14,QWORD PTR[8+rsi] + mov r13,QWORD PTR[16+rsi] + mov r12,QWORD PTR[24+rsi] + mov rbp,QWORD PTR[32+rsi] + mov rbx,QWORD PTR[40+rsi] + lea rsp,QWORD PTR[48+rsi] +$L$epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_sha256_block_data_order:: +sha256_block_data_order ENDP +ALIGN 64 + +K256:: + DD 0428a2f98h,071374491h,0b5c0fbcfh,0e9b5dba5h + DD 03956c25bh,059f111f1h,0923f82a4h,0ab1c5ed5h + DD 0d807aa98h,012835b01h,0243185beh,0550c7dc3h + DD 072be5d74h,080deb1feh,09bdc06a7h,0c19bf174h + DD 0e49b69c1h,0efbe4786h,00fc19dc6h,0240ca1cch + DD 02de92c6fh,04a7484aah,05cb0a9dch,076f988dah + DD 0983e5152h,0a831c66dh,0b00327c8h,0bf597fc7h + DD 0c6e00bf3h,0d5a79147h,006ca6351h,014292967h + DD 027b70a85h,02e1b2138h,04d2c6dfch,053380d13h + DD 0650a7354h,0766a0abbh,081c2c92eh,092722c85h + DD 0a2bfe8a1h,0a81a664bh,0c24b8b70h,0c76c51a3h + DD 0d192e819h,0d6990624h,0f40e3585h,0106aa070h + DD 019a4c116h,01e376c08h,02748774ch,034b0bcb5h + DD 0391c0cb3h,04ed8aa4ah,05b9cca4fh,0682e6ff3h + DD 0748f82eeh,078a5636fh,084c87814h,08cc70208h + DD 090befffah,0a4506cebh,0bef9a3f7h,0c67178f2h + +.text$ ENDS +END + 
diff --git a/crypto/sha/sha256-mingw64-x86_64.S b/crypto/sha/sha256-mingw64-x86_64.S new file mode 100644 index 0000000..3de981b --- /dev/null +++ b/crypto/sha/sha256-mingw64-x86_64.S 
@@ -0,0 +1,1790 @@ +#include "x86_arch.h" +.text + +.globl sha256_block_data_order +.def sha256_block_data_order; .scl 2; .type 32; .endef +.p2align 4 +sha256_block_data_order: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_sha256_block_data_order: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + movq %rsp,%r11 + shlq $4,%rdx + subq $64+32,%rsp + leaq (%rsi,%rdx,4),%rdx + andq $-64,%rsp + movq %rdi,64+0(%rsp) + movq %rsi,64+8(%rsp) + movq %rdx,64+16(%rsp) + movq %r11,64+24(%rsp) +.Lprologue: + + leaq K256(%rip),%rbp + + movl 0(%rdi),%eax + movl 4(%rdi),%ebx + movl 8(%rdi),%ecx + movl 12(%rdi),%edx + movl 16(%rdi),%r8d + movl 20(%rdi),%r9d + movl 24(%rdi),%r10d + movl 28(%rdi),%r11d + jmp .Lloop + +.p2align 4 +.Lloop: + xorq %rdi,%rdi + movl 0(%rsi),%r12d + movl %r8d,%r13d + movl %eax,%r14d + bswapl %r12d + rorl $14,%r13d + movl %r9d,%r15d + movl %r12d,0(%rsp) + + rorl $9,%r14d + xorl %r8d,%r13d + xorl %r10d,%r15d + + rorl $5,%r13d + addl %r11d,%r12d + xorl %eax,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r8d,%r15d + movl %ebx,%r11d + + rorl $11,%r14d + xorl %r8d,%r13d + xorl %r10d,%r15d + + xorl %ecx,%r11d + xorl %eax,%r14d + addl %r15d,%r12d + movl %ebx,%r15d + + rorl $6,%r13d + andl %eax,%r11d + andl %ecx,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r11d + + addl %r12d,%edx + addl %r12d,%r11d + leaq 1(%rdi),%rdi + addl %r14d,%r11d + + movl 4(%rsi),%r12d + movl %edx,%r13d + movl %r11d,%r14d + bswapl %r12d + rorl $14,%r13d + movl %r8d,%r15d + movl %r12d,4(%rsp) + + rorl $9,%r14d + xorl %edx,%r13d + xorl %r9d,%r15d + + rorl $5,%r13d + addl %r10d,%r12d + xorl %r11d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %edx,%r15d + movl %eax,%r10d + + rorl $11,%r14d + xorl %edx,%r13d + xorl %r9d,%r15d + + xorl %ebx,%r10d + xorl %r11d,%r14d + addl %r15d,%r12d + movl %eax,%r15d + + rorl $6,%r13d + andl %r11d,%r10d + andl %ebx,%r15d + + rorl $2,%r14d 
+ addl %r13d,%r12d + addl %r15d,%r10d + + addl %r12d,%ecx + addl %r12d,%r10d + leaq 1(%rdi),%rdi + addl %r14d,%r10d + + movl 8(%rsi),%r12d + movl %ecx,%r13d + movl %r10d,%r14d + bswapl %r12d + rorl $14,%r13d + movl %edx,%r15d + movl %r12d,8(%rsp) + + rorl $9,%r14d + xorl %ecx,%r13d + xorl %r8d,%r15d + + rorl $5,%r13d + addl %r9d,%r12d + xorl %r10d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %ecx,%r15d + movl %r11d,%r9d + + rorl $11,%r14d + xorl %ecx,%r13d + xorl %r8d,%r15d + + xorl %eax,%r9d + xorl %r10d,%r14d + addl %r15d,%r12d + movl %r11d,%r15d + + rorl $6,%r13d + andl %r10d,%r9d + andl %eax,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r9d + + addl %r12d,%ebx + addl %r12d,%r9d + leaq 1(%rdi),%rdi + addl %r14d,%r9d + + movl 12(%rsi),%r12d + movl %ebx,%r13d + movl %r9d,%r14d + bswapl %r12d + rorl $14,%r13d + movl %ecx,%r15d + movl %r12d,12(%rsp) + + rorl $9,%r14d + xorl %ebx,%r13d + xorl %edx,%r15d + + rorl $5,%r13d + addl %r8d,%r12d + xorl %r9d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %ebx,%r15d + movl %r10d,%r8d + + rorl $11,%r14d + xorl %ebx,%r13d + xorl %edx,%r15d + + xorl %r11d,%r8d + xorl %r9d,%r14d + addl %r15d,%r12d + movl %r10d,%r15d + + rorl $6,%r13d + andl %r9d,%r8d + andl %r11d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r8d + + addl %r12d,%eax + addl %r12d,%r8d + leaq 1(%rdi),%rdi + addl %r14d,%r8d + + movl 16(%rsi),%r12d + movl %eax,%r13d + movl %r8d,%r14d + bswapl %r12d + rorl $14,%r13d + movl %ebx,%r15d + movl %r12d,16(%rsp) + + rorl $9,%r14d + xorl %eax,%r13d + xorl %ecx,%r15d + + rorl $5,%r13d + addl %edx,%r12d + xorl %r8d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %eax,%r15d + movl %r9d,%edx + + rorl $11,%r14d + xorl %eax,%r13d + xorl %ecx,%r15d + + xorl %r10d,%edx + xorl %r8d,%r14d + addl %r15d,%r12d + movl %r9d,%r15d + + rorl $6,%r13d + andl %r8d,%edx + andl %r10d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%edx + + addl %r12d,%r11d + addl %r12d,%edx + leaq 1(%rdi),%rdi + addl %r14d,%edx + + movl 
20(%rsi),%r12d + movl %r11d,%r13d + movl %edx,%r14d + bswapl %r12d + rorl $14,%r13d + movl %eax,%r15d + movl %r12d,20(%rsp) + + rorl $9,%r14d + xorl %r11d,%r13d + xorl %ebx,%r15d + + rorl $5,%r13d + addl %ecx,%r12d + xorl %edx,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r11d,%r15d + movl %r8d,%ecx + + rorl $11,%r14d + xorl %r11d,%r13d + xorl %ebx,%r15d + + xorl %r9d,%ecx + xorl %edx,%r14d + addl %r15d,%r12d + movl %r8d,%r15d + + rorl $6,%r13d + andl %edx,%ecx + andl %r9d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%ecx + + addl %r12d,%r10d + addl %r12d,%ecx + leaq 1(%rdi),%rdi + addl %r14d,%ecx + + movl 24(%rsi),%r12d + movl %r10d,%r13d + movl %ecx,%r14d + bswapl %r12d + rorl $14,%r13d + movl %r11d,%r15d + movl %r12d,24(%rsp) + + rorl $9,%r14d + xorl %r10d,%r13d + xorl %eax,%r15d + + rorl $5,%r13d + addl %ebx,%r12d + xorl %ecx,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r10d,%r15d + movl %edx,%ebx + + rorl $11,%r14d + xorl %r10d,%r13d + xorl %eax,%r15d + + xorl %r8d,%ebx + xorl %ecx,%r14d + addl %r15d,%r12d + movl %edx,%r15d + + rorl $6,%r13d + andl %ecx,%ebx + andl %r8d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%ebx + + addl %r12d,%r9d + addl %r12d,%ebx + leaq 1(%rdi),%rdi + addl %r14d,%ebx + + movl 28(%rsi),%r12d + movl %r9d,%r13d + movl %ebx,%r14d + bswapl %r12d + rorl $14,%r13d + movl %r10d,%r15d + movl %r12d,28(%rsp) + + rorl $9,%r14d + xorl %r9d,%r13d + xorl %r11d,%r15d + + rorl $5,%r13d + addl %eax,%r12d + xorl %ebx,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r9d,%r15d + movl %ecx,%eax + + rorl $11,%r14d + xorl %r9d,%r13d + xorl %r11d,%r15d + + xorl %edx,%eax + xorl %ebx,%r14d + addl %r15d,%r12d + movl %ecx,%r15d + + rorl $6,%r13d + andl %ebx,%eax + andl %edx,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%eax + + addl %r12d,%r8d + addl %r12d,%eax + leaq 1(%rdi),%rdi + addl %r14d,%eax + + movl 32(%rsi),%r12d + movl %r8d,%r13d + movl %eax,%r14d + bswapl %r12d + rorl $14,%r13d + movl %r9d,%r15d + movl %r12d,32(%rsp) + + rorl 
$9,%r14d + xorl %r8d,%r13d + xorl %r10d,%r15d + + rorl $5,%r13d + addl %r11d,%r12d + xorl %eax,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r8d,%r15d + movl %ebx,%r11d + + rorl $11,%r14d + xorl %r8d,%r13d + xorl %r10d,%r15d + + xorl %ecx,%r11d + xorl %eax,%r14d + addl %r15d,%r12d + movl %ebx,%r15d + + rorl $6,%r13d + andl %eax,%r11d + andl %ecx,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r11d + + addl %r12d,%edx + addl %r12d,%r11d + leaq 1(%rdi),%rdi + addl %r14d,%r11d + + movl 36(%rsi),%r12d + movl %edx,%r13d + movl %r11d,%r14d + bswapl %r12d + rorl $14,%r13d + movl %r8d,%r15d + movl %r12d,36(%rsp) + + rorl $9,%r14d + xorl %edx,%r13d + xorl %r9d,%r15d + + rorl $5,%r13d + addl %r10d,%r12d + xorl %r11d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %edx,%r15d + movl %eax,%r10d + + rorl $11,%r14d + xorl %edx,%r13d + xorl %r9d,%r15d + + xorl %ebx,%r10d + xorl %r11d,%r14d + addl %r15d,%r12d + movl %eax,%r15d + + rorl $6,%r13d + andl %r11d,%r10d + andl %ebx,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r10d + + addl %r12d,%ecx + addl %r12d,%r10d + leaq 1(%rdi),%rdi + addl %r14d,%r10d + + movl 40(%rsi),%r12d + movl %ecx,%r13d + movl %r10d,%r14d + bswapl %r12d + rorl $14,%r13d + movl %edx,%r15d + movl %r12d,40(%rsp) + + rorl $9,%r14d + xorl %ecx,%r13d + xorl %r8d,%r15d + + rorl $5,%r13d + addl %r9d,%r12d + xorl %r10d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %ecx,%r15d + movl %r11d,%r9d + + rorl $11,%r14d + xorl %ecx,%r13d + xorl %r8d,%r15d + + xorl %eax,%r9d + xorl %r10d,%r14d + addl %r15d,%r12d + movl %r11d,%r15d + + rorl $6,%r13d + andl %r10d,%r9d + andl %eax,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r9d + + addl %r12d,%ebx + addl %r12d,%r9d + leaq 1(%rdi),%rdi + addl %r14d,%r9d + + movl 44(%rsi),%r12d + movl %ebx,%r13d + movl %r9d,%r14d + bswapl %r12d + rorl $14,%r13d + movl %ecx,%r15d + movl %r12d,44(%rsp) + + rorl $9,%r14d + xorl %ebx,%r13d + xorl %edx,%r15d + + rorl $5,%r13d + addl %r8d,%r12d + xorl %r9d,%r14d + + addl 
(%rbp,%rdi,4),%r12d + andl %ebx,%r15d + movl %r10d,%r8d + + rorl $11,%r14d + xorl %ebx,%r13d + xorl %edx,%r15d + + xorl %r11d,%r8d + xorl %r9d,%r14d + addl %r15d,%r12d + movl %r10d,%r15d + + rorl $6,%r13d + andl %r9d,%r8d + andl %r11d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r8d + + addl %r12d,%eax + addl %r12d,%r8d + leaq 1(%rdi),%rdi + addl %r14d,%r8d + + movl 48(%rsi),%r12d + movl %eax,%r13d + movl %r8d,%r14d + bswapl %r12d + rorl $14,%r13d + movl %ebx,%r15d + movl %r12d,48(%rsp) + + rorl $9,%r14d + xorl %eax,%r13d + xorl %ecx,%r15d + + rorl $5,%r13d + addl %edx,%r12d + xorl %r8d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %eax,%r15d + movl %r9d,%edx + + rorl $11,%r14d + xorl %eax,%r13d + xorl %ecx,%r15d + + xorl %r10d,%edx + xorl %r8d,%r14d + addl %r15d,%r12d + movl %r9d,%r15d + + rorl $6,%r13d + andl %r8d,%edx + andl %r10d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%edx + + addl %r12d,%r11d + addl %r12d,%edx + leaq 1(%rdi),%rdi + addl %r14d,%edx + + movl 52(%rsi),%r12d + movl %r11d,%r13d + movl %edx,%r14d + bswapl %r12d + rorl $14,%r13d + movl %eax,%r15d + movl %r12d,52(%rsp) + + rorl $9,%r14d + xorl %r11d,%r13d + xorl %ebx,%r15d + + rorl $5,%r13d + addl %ecx,%r12d + xorl %edx,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r11d,%r15d + movl %r8d,%ecx + + rorl $11,%r14d + xorl %r11d,%r13d + xorl %ebx,%r15d + + xorl %r9d,%ecx + xorl %edx,%r14d + addl %r15d,%r12d + movl %r8d,%r15d + + rorl $6,%r13d + andl %edx,%ecx + andl %r9d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%ecx + + addl %r12d,%r10d + addl %r12d,%ecx + leaq 1(%rdi),%rdi + addl %r14d,%ecx + + movl 56(%rsi),%r12d + movl %r10d,%r13d + movl %ecx,%r14d + bswapl %r12d + rorl $14,%r13d + movl %r11d,%r15d + movl %r12d,56(%rsp) + + rorl $9,%r14d + xorl %r10d,%r13d + xorl %eax,%r15d + + rorl $5,%r13d + addl %ebx,%r12d + xorl %ecx,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r10d,%r15d + movl %edx,%ebx + + rorl $11,%r14d + xorl %r10d,%r13d + xorl %eax,%r15d + + xorl %r8d,%ebx + 
xorl %ecx,%r14d + addl %r15d,%r12d + movl %edx,%r15d + + rorl $6,%r13d + andl %ecx,%ebx + andl %r8d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%ebx + + addl %r12d,%r9d + addl %r12d,%ebx + leaq 1(%rdi),%rdi + addl %r14d,%ebx + + movl 60(%rsi),%r12d + movl %r9d,%r13d + movl %ebx,%r14d + bswapl %r12d + rorl $14,%r13d + movl %r10d,%r15d + movl %r12d,60(%rsp) + + rorl $9,%r14d + xorl %r9d,%r13d + xorl %r11d,%r15d + + rorl $5,%r13d + addl %eax,%r12d + xorl %ebx,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r9d,%r15d + movl %ecx,%eax + + rorl $11,%r14d + xorl %r9d,%r13d + xorl %r11d,%r15d + + xorl %edx,%eax + xorl %ebx,%r14d + addl %r15d,%r12d + movl %ecx,%r15d + + rorl $6,%r13d + andl %ebx,%eax + andl %edx,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%eax + + addl %r12d,%r8d + addl %r12d,%eax + leaq 1(%rdi),%rdi + addl %r14d,%eax + + jmp .Lrounds_16_xx +.p2align 4 +.Lrounds_16_xx: + movl 4(%rsp),%r13d + movl 56(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 36(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 0(%rsp),%r12d + movl %r8d,%r13d + addl %r14d,%r12d + movl %eax,%r14d + rorl $14,%r13d + movl %r9d,%r15d + movl %r12d,0(%rsp) + + rorl $9,%r14d + xorl %r8d,%r13d + xorl %r10d,%r15d + + rorl $5,%r13d + addl %r11d,%r12d + xorl %eax,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r8d,%r15d + movl %ebx,%r11d + + rorl $11,%r14d + xorl %r8d,%r13d + xorl %r10d,%r15d + + xorl %ecx,%r11d + xorl %eax,%r14d + addl %r15d,%r12d + movl %ebx,%r15d + + rorl $6,%r13d + andl %eax,%r11d + andl %ecx,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r11d + + addl %r12d,%edx + addl %r12d,%r11d + leaq 1(%rdi),%rdi + addl %r14d,%r11d + + movl 8(%rsp),%r13d + movl 60(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + 
xorl %r12d,%r13d + movl 40(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 4(%rsp),%r12d + movl %edx,%r13d + addl %r14d,%r12d + movl %r11d,%r14d + rorl $14,%r13d + movl %r8d,%r15d + movl %r12d,4(%rsp) + + rorl $9,%r14d + xorl %edx,%r13d + xorl %r9d,%r15d + + rorl $5,%r13d + addl %r10d,%r12d + xorl %r11d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %edx,%r15d + movl %eax,%r10d + + rorl $11,%r14d + xorl %edx,%r13d + xorl %r9d,%r15d + + xorl %ebx,%r10d + xorl %r11d,%r14d + addl %r15d,%r12d + movl %eax,%r15d + + rorl $6,%r13d + andl %r11d,%r10d + andl %ebx,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r10d + + addl %r12d,%ecx + addl %r12d,%r10d + leaq 1(%rdi),%rdi + addl %r14d,%r10d + + movl 12(%rsp),%r13d + movl 0(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 44(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 8(%rsp),%r12d + movl %ecx,%r13d + addl %r14d,%r12d + movl %r10d,%r14d + rorl $14,%r13d + movl %edx,%r15d + movl %r12d,8(%rsp) + + rorl $9,%r14d + xorl %ecx,%r13d + xorl %r8d,%r15d + + rorl $5,%r13d + addl %r9d,%r12d + xorl %r10d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %ecx,%r15d + movl %r11d,%r9d + + rorl $11,%r14d + xorl %ecx,%r13d + xorl %r8d,%r15d + + xorl %eax,%r9d + xorl %r10d,%r14d + addl %r15d,%r12d + movl %r11d,%r15d + + rorl $6,%r13d + andl %r10d,%r9d + andl %eax,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r9d + + addl %r12d,%ebx + addl %r12d,%r9d + leaq 1(%rdi),%rdi + addl %r14d,%r9d + + movl 16(%rsp),%r13d + movl 4(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 48(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d 
+ xorl %r15d,%r14d + + addl 12(%rsp),%r12d + movl %ebx,%r13d + addl %r14d,%r12d + movl %r9d,%r14d + rorl $14,%r13d + movl %ecx,%r15d + movl %r12d,12(%rsp) + + rorl $9,%r14d + xorl %ebx,%r13d + xorl %edx,%r15d + + rorl $5,%r13d + addl %r8d,%r12d + xorl %r9d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %ebx,%r15d + movl %r10d,%r8d + + rorl $11,%r14d + xorl %ebx,%r13d + xorl %edx,%r15d + + xorl %r11d,%r8d + xorl %r9d,%r14d + addl %r15d,%r12d + movl %r10d,%r15d + + rorl $6,%r13d + andl %r9d,%r8d + andl %r11d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r8d + + addl %r12d,%eax + addl %r12d,%r8d + leaq 1(%rdi),%rdi + addl %r14d,%r8d + + movl 20(%rsp),%r13d + movl 8(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 52(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 16(%rsp),%r12d + movl %eax,%r13d + addl %r14d,%r12d + movl %r8d,%r14d + rorl $14,%r13d + movl %ebx,%r15d + movl %r12d,16(%rsp) + + rorl $9,%r14d + xorl %eax,%r13d + xorl %ecx,%r15d + + rorl $5,%r13d + addl %edx,%r12d + xorl %r8d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %eax,%r15d + movl %r9d,%edx + + rorl $11,%r14d + xorl %eax,%r13d + xorl %ecx,%r15d + + xorl %r10d,%edx + xorl %r8d,%r14d + addl %r15d,%r12d + movl %r9d,%r15d + + rorl $6,%r13d + andl %r8d,%edx + andl %r10d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%edx + + addl %r12d,%r11d + addl %r12d,%edx + leaq 1(%rdi),%rdi + addl %r14d,%edx + + movl 24(%rsp),%r13d + movl 12(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 56(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 20(%rsp),%r12d + movl %r11d,%r13d + addl %r14d,%r12d + movl %edx,%r14d + rorl $14,%r13d + movl %eax,%r15d + 
movl %r12d,20(%rsp) + + rorl $9,%r14d + xorl %r11d,%r13d + xorl %ebx,%r15d + + rorl $5,%r13d + addl %ecx,%r12d + xorl %edx,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r11d,%r15d + movl %r8d,%ecx + + rorl $11,%r14d + xorl %r11d,%r13d + xorl %ebx,%r15d + + xorl %r9d,%ecx + xorl %edx,%r14d + addl %r15d,%r12d + movl %r8d,%r15d + + rorl $6,%r13d + andl %edx,%ecx + andl %r9d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%ecx + + addl %r12d,%r10d + addl %r12d,%ecx + leaq 1(%rdi),%rdi + addl %r14d,%ecx + + movl 28(%rsp),%r13d + movl 16(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 60(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 24(%rsp),%r12d + movl %r10d,%r13d + addl %r14d,%r12d + movl %ecx,%r14d + rorl $14,%r13d + movl %r11d,%r15d + movl %r12d,24(%rsp) + + rorl $9,%r14d + xorl %r10d,%r13d + xorl %eax,%r15d + + rorl $5,%r13d + addl %ebx,%r12d + xorl %ecx,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r10d,%r15d + movl %edx,%ebx + + rorl $11,%r14d + xorl %r10d,%r13d + xorl %eax,%r15d + + xorl %r8d,%ebx + xorl %ecx,%r14d + addl %r15d,%r12d + movl %edx,%r15d + + rorl $6,%r13d + andl %ecx,%ebx + andl %r8d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%ebx + + addl %r12d,%r9d + addl %r12d,%ebx + leaq 1(%rdi),%rdi + addl %r14d,%ebx + + movl 32(%rsp),%r13d + movl 20(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 0(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 28(%rsp),%r12d + movl %r9d,%r13d + addl %r14d,%r12d + movl %ebx,%r14d + rorl $14,%r13d + movl %r10d,%r15d + movl %r12d,28(%rsp) + + rorl $9,%r14d + xorl %r9d,%r13d + xorl %r11d,%r15d + + rorl $5,%r13d + addl %eax,%r12d + xorl %ebx,%r14d + + 
addl (%rbp,%rdi,4),%r12d + andl %r9d,%r15d + movl %ecx,%eax + + rorl $11,%r14d + xorl %r9d,%r13d + xorl %r11d,%r15d + + xorl %edx,%eax + xorl %ebx,%r14d + addl %r15d,%r12d + movl %ecx,%r15d + + rorl $6,%r13d + andl %ebx,%eax + andl %edx,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%eax + + addl %r12d,%r8d + addl %r12d,%eax + leaq 1(%rdi),%rdi + addl %r14d,%eax + + movl 36(%rsp),%r13d + movl 24(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 4(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 32(%rsp),%r12d + movl %r8d,%r13d + addl %r14d,%r12d + movl %eax,%r14d + rorl $14,%r13d + movl %r9d,%r15d + movl %r12d,32(%rsp) + + rorl $9,%r14d + xorl %r8d,%r13d + xorl %r10d,%r15d + + rorl $5,%r13d + addl %r11d,%r12d + xorl %eax,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r8d,%r15d + movl %ebx,%r11d + + rorl $11,%r14d + xorl %r8d,%r13d + xorl %r10d,%r15d + + xorl %ecx,%r11d + xorl %eax,%r14d + addl %r15d,%r12d + movl %ebx,%r15d + + rorl $6,%r13d + andl %eax,%r11d + andl %ecx,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r11d + + addl %r12d,%edx + addl %r12d,%r11d + leaq 1(%rdi),%rdi + addl %r14d,%r11d + + movl 40(%rsp),%r13d + movl 28(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 8(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 36(%rsp),%r12d + movl %edx,%r13d + addl %r14d,%r12d + movl %r11d,%r14d + rorl $14,%r13d + movl %r8d,%r15d + movl %r12d,36(%rsp) + + rorl $9,%r14d + xorl %edx,%r13d + xorl %r9d,%r15d + + rorl $5,%r13d + addl %r10d,%r12d + xorl %r11d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %edx,%r15d + movl %eax,%r10d + + rorl $11,%r14d + xorl %edx,%r13d + xorl %r9d,%r15d + + xorl 
%ebx,%r10d + xorl %r11d,%r14d + addl %r15d,%r12d + movl %eax,%r15d + + rorl $6,%r13d + andl %r11d,%r10d + andl %ebx,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r10d + + addl %r12d,%ecx + addl %r12d,%r10d + leaq 1(%rdi),%rdi + addl %r14d,%r10d + + movl 44(%rsp),%r13d + movl 32(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 12(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 40(%rsp),%r12d + movl %ecx,%r13d + addl %r14d,%r12d + movl %r10d,%r14d + rorl $14,%r13d + movl %edx,%r15d + movl %r12d,40(%rsp) + + rorl $9,%r14d + xorl %ecx,%r13d + xorl %r8d,%r15d + + rorl $5,%r13d + addl %r9d,%r12d + xorl %r10d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %ecx,%r15d + movl %r11d,%r9d + + rorl $11,%r14d + xorl %ecx,%r13d + xorl %r8d,%r15d + + xorl %eax,%r9d + xorl %r10d,%r14d + addl %r15d,%r12d + movl %r11d,%r15d + + rorl $6,%r13d + andl %r10d,%r9d + andl %eax,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r9d + + addl %r12d,%ebx + addl %r12d,%r9d + leaq 1(%rdi),%rdi + addl %r14d,%r9d + + movl 48(%rsp),%r13d + movl 36(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 16(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 44(%rsp),%r12d + movl %ebx,%r13d + addl %r14d,%r12d + movl %r9d,%r14d + rorl $14,%r13d + movl %ecx,%r15d + movl %r12d,44(%rsp) + + rorl $9,%r14d + xorl %ebx,%r13d + xorl %edx,%r15d + + rorl $5,%r13d + addl %r8d,%r12d + xorl %r9d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %ebx,%r15d + movl %r10d,%r8d + + rorl $11,%r14d + xorl %ebx,%r13d + xorl %edx,%r15d + + xorl %r11d,%r8d + xorl %r9d,%r14d + addl %r15d,%r12d + movl %r10d,%r15d + + rorl $6,%r13d + andl %r9d,%r8d + andl %r11d,%r15d + + 
rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%r8d + + addl %r12d,%eax + addl %r12d,%r8d + leaq 1(%rdi),%rdi + addl %r14d,%r8d + + movl 52(%rsp),%r13d + movl 40(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 20(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 48(%rsp),%r12d + movl %eax,%r13d + addl %r14d,%r12d + movl %r8d,%r14d + rorl $14,%r13d + movl %ebx,%r15d + movl %r12d,48(%rsp) + + rorl $9,%r14d + xorl %eax,%r13d + xorl %ecx,%r15d + + rorl $5,%r13d + addl %edx,%r12d + xorl %r8d,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %eax,%r15d + movl %r9d,%edx + + rorl $11,%r14d + xorl %eax,%r13d + xorl %ecx,%r15d + + xorl %r10d,%edx + xorl %r8d,%r14d + addl %r15d,%r12d + movl %r9d,%r15d + + rorl $6,%r13d + andl %r8d,%edx + andl %r10d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%edx + + addl %r12d,%r11d + addl %r12d,%edx + leaq 1(%rdi),%rdi + addl %r14d,%edx + + movl 56(%rsp),%r13d + movl 44(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 24(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 52(%rsp),%r12d + movl %r11d,%r13d + addl %r14d,%r12d + movl %edx,%r14d + rorl $14,%r13d + movl %eax,%r15d + movl %r12d,52(%rsp) + + rorl $9,%r14d + xorl %r11d,%r13d + xorl %ebx,%r15d + + rorl $5,%r13d + addl %ecx,%r12d + xorl %edx,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r11d,%r15d + movl %r8d,%ecx + + rorl $11,%r14d + xorl %r11d,%r13d + xorl %ebx,%r15d + + xorl %r9d,%ecx + xorl %edx,%r14d + addl %r15d,%r12d + movl %r8d,%r15d + + rorl $6,%r13d + andl %edx,%ecx + andl %r9d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%ecx + + addl %r12d,%r10d + addl %r12d,%ecx + leaq 1(%rdi),%rdi + addl %r14d,%ecx + + 
movl 60(%rsp),%r13d + movl 48(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 28(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 56(%rsp),%r12d + movl %r10d,%r13d + addl %r14d,%r12d + movl %ecx,%r14d + rorl $14,%r13d + movl %r11d,%r15d + movl %r12d,56(%rsp) + + rorl $9,%r14d + xorl %r10d,%r13d + xorl %eax,%r15d + + rorl $5,%r13d + addl %ebx,%r12d + xorl %ecx,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r10d,%r15d + movl %edx,%ebx + + rorl $11,%r14d + xorl %r10d,%r13d + xorl %eax,%r15d + + xorl %r8d,%ebx + xorl %ecx,%r14d + addl %r15d,%r12d + movl %edx,%r15d + + rorl $6,%r13d + andl %ecx,%ebx + andl %r8d,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%ebx + + addl %r12d,%r9d + addl %r12d,%ebx + leaq 1(%rdi),%rdi + addl %r14d,%ebx + + movl 0(%rsp),%r13d + movl 52(%rsp),%r14d + movl %r13d,%r12d + movl %r14d,%r15d + + rorl $11,%r12d + xorl %r13d,%r12d + shrl $3,%r13d + + rorl $7,%r12d + xorl %r12d,%r13d + movl 32(%rsp),%r12d + + rorl $2,%r15d + xorl %r14d,%r15d + shrl $10,%r14d + + rorl $17,%r15d + addl %r13d,%r12d + xorl %r15d,%r14d + + addl 60(%rsp),%r12d + movl %r9d,%r13d + addl %r14d,%r12d + movl %ebx,%r14d + rorl $14,%r13d + movl %r10d,%r15d + movl %r12d,60(%rsp) + + rorl $9,%r14d + xorl %r9d,%r13d + xorl %r11d,%r15d + + rorl $5,%r13d + addl %eax,%r12d + xorl %ebx,%r14d + + addl (%rbp,%rdi,4),%r12d + andl %r9d,%r15d + movl %ecx,%eax + + rorl $11,%r14d + xorl %r9d,%r13d + xorl %r11d,%r15d + + xorl %edx,%eax + xorl %ebx,%r14d + addl %r15d,%r12d + movl %ecx,%r15d + + rorl $6,%r13d + andl %ebx,%eax + andl %edx,%r15d + + rorl $2,%r14d + addl %r13d,%r12d + addl %r15d,%eax + + addl %r12d,%r8d + addl %r12d,%eax + leaq 1(%rdi),%rdi + addl %r14d,%eax + + cmpq $64,%rdi + jb .Lrounds_16_xx + + movq 64+0(%rsp),%rdi + leaq 64(%rsi),%rsi + + addl 0(%rdi),%eax + addl 4(%rdi),%ebx + addl 
8(%rdi),%ecx + addl 12(%rdi),%edx + addl 16(%rdi),%r8d + addl 20(%rdi),%r9d + addl 24(%rdi),%r10d + addl 28(%rdi),%r11d + + cmpq 64+16(%rsp),%rsi + + movl %eax,0(%rdi) + movl %ebx,4(%rdi) + movl %ecx,8(%rdi) + movl %edx,12(%rdi) + movl %r8d,16(%rdi) + movl %r9d,20(%rdi) + movl %r10d,24(%rdi) + movl %r11d,28(%rdi) + jb .Lloop + + movq 64+24(%rsp),%rsi + movq (%rsi),%r15 + movq 8(%rsi),%r14 + movq 16(%rsi),%r13 + movq 24(%rsi),%r12 + movq 32(%rsi),%rbp + movq 40(%rsi),%rbx + leaq 48(%rsi),%rsp +.Lepilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_sha256_block_data_order: +.p2align 6 + +K256: +.long 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5 +.long 0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5 +.long 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3 +.long 0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174 +.long 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc +.long 0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da +.long 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7 +.long 0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967 +.long 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13 +.long 0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85 +.long 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3 +.long 0xd192e819,0xd6990624,0xf40e3585,0x106aa070 +.long 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5 +.long 0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3 +.long 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208 +.long 0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2 diff --git a/crypto/sha/sha256.c b/crypto/sha/sha256.c index d584660..9c05d3b 100644 --- a/crypto/sha/sha256.c +++ b/crypto/sha/sha256.c @@ -1,4 +1,4 @@ -/* $OpenBSD: sha256.c,v 1.9 2015/09/10 15:56:26 jsing Exp $ */ +/* $OpenBSD: sha256.c,v 1.10 2019/01/21 23:20:31 jsg Exp $ */ /* ==================================================================== * Copyright (c) 2004 The OpenSSL Project. All rights reserved * according to the OpenSSL license [found in ../../LICENSE]. 
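Review bot: The new sha256-mingw64-x86_64.S carries `.LSEH_begin_sha256_block_data_order`/`.LSEH_end_sha256_block_data_order` markers but no `.pdata`/`.xdata` unwind records for the frame it builds with six pushes, `subq $64+32,%rsp` and `andq $-64,%rsp`, so on Win64 a stack walk (exception dispatch, crash-dump analysis, sampling profilers) cannot unwind through this routine. The function makes no calls, so normal hashing is unaffected, but the x64 ABI expects unwind info for any function that adjusts rsp, and its absence degrades crash forensics for anything that faults while inside it. The file looks perlasm-generated, so the fix belongs in the generator's win64 output path (emit the unwind table, or drop the unused SEH labels) rather than in this checked-in output; the sha256-masm-x86_64.S hunk above appears to share the same gap.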
@@ -81,7 +81,7 @@ int SHA224_Final (unsigned char *md, SHA256_CTX *c)
 * default: case below covers for it. It's not clear however if it's
 * permitted to truncate to amount of bytes not divisible by 4. I bet not,
 * but if it is, then default: case shall be extended. For reference.
- * Idea behind separate cases for pre-defined lenghts is to let the
+ * Idea behind separate cases for pre-defined lengths is to let the
 * compiler decide if it's appropriate to unroll small loops.
 */
 #define HASH_MAKE_STRING(c,s) do { \
diff --git a/crypto/sha/sha512-elf-armv4.S b/crypto/sha/sha512-elf-armv4.S
new file mode 100644
index 0000000..8abf8d5
--- /dev/null
+++ b/crypto/sha/sha512-elf-armv4.S
@@ -0,0 +1,1786 @@ +#include "arm_arch.h" +#ifdef __ARMEL__ +# define LO 0 +# define HI 4 +# define WORD64(hi0,lo0,hi1,lo1) .word lo0,hi0, lo1,hi1 +#else +# define HI 0 +# define LO 4 +# define WORD64(hi0,lo0,hi1,lo1) .word hi0,lo0, hi1,lo1 +#endif + +.text +.code 32 +.type K512,%object +.align 5 +K512: +WORD64(0x428a2f98,0xd728ae22, 0x71374491,0x23ef65cd) +WORD64(0xb5c0fbcf,0xec4d3b2f, 0xe9b5dba5,0x8189dbbc) +WORD64(0x3956c25b,0xf348b538, 0x59f111f1,0xb605d019) +WORD64(0x923f82a4,0xaf194f9b, 0xab1c5ed5,0xda6d8118) +WORD64(0xd807aa98,0xa3030242, 0x12835b01,0x45706fbe) +WORD64(0x243185be,0x4ee4b28c, 0x550c7dc3,0xd5ffb4e2) +WORD64(0x72be5d74,0xf27b896f, 0x80deb1fe,0x3b1696b1) +WORD64(0x9bdc06a7,0x25c71235, 0xc19bf174,0xcf692694) +WORD64(0xe49b69c1,0x9ef14ad2, 0xefbe4786,0x384f25e3) +WORD64(0x0fc19dc6,0x8b8cd5b5, 0x240ca1cc,0x77ac9c65) +WORD64(0x2de92c6f,0x592b0275, 0x4a7484aa,0x6ea6e483) +WORD64(0x5cb0a9dc,0xbd41fbd4, 0x76f988da,0x831153b5) +WORD64(0x983e5152,0xee66dfab, 0xa831c66d,0x2db43210) +WORD64(0xb00327c8,0x98fb213f, 0xbf597fc7,0xbeef0ee4) +WORD64(0xc6e00bf3,0x3da88fc2, 0xd5a79147,0x930aa725) +WORD64(0x06ca6351,0xe003826f, 0x14292967,0x0a0e6e70) +WORD64(0x27b70a85,0x46d22ffc, 0x2e1b2138,0x5c26c926) +WORD64(0x4d2c6dfc,0x5ac42aed, 0x53380d13,0x9d95b3df) +WORD64(0x650a7354,0x8baf63de, 0x766a0abb,0x3c77b2a8) +WORD64(0x81c2c92e,0x47edaee6, 0x92722c85,0x1482353b) +WORD64(0xa2bfe8a1,0x4cf10364, 0xa81a664b,0xbc423001) +WORD64(0xc24b8b70,0xd0f89791, 0xc76c51a3,0x0654be30) +WORD64(0xd192e819,0xd6ef5218, 0xd6990624,0x5565a910) +WORD64(0xf40e3585,0x5771202a, 0x106aa070,0x32bbd1b8) +WORD64(0x19a4c116,0xb8d2d0c8, 0x1e376c08,0x5141ab53) +WORD64(0x2748774c,0xdf8eeb99, 0x34b0bcb5,0xe19b48a8) +WORD64(0x391c0cb3,0xc5c95a63, 0x4ed8aa4a,0xe3418acb) +WORD64(0x5b9cca4f,0x7763e373, 0x682e6ff3,0xd6b2b8a3) +WORD64(0x748f82ee,0x5defb2fc, 0x78a5636f,0x43172f60) +WORD64(0x84c87814,0xa1f0ab72, 0x8cc70208,0x1a6439ec) +WORD64(0x90befffa,0x23631e28, 0xa4506ceb,0xde82bde9) 
+WORD64(0xbef9a3f7,0xb2c67915, 0xc67178f2,0xe372532b) +WORD64(0xca273ece,0xea26619c, 0xd186b8c7,0x21c0c207) +WORD64(0xeada7dd6,0xcde0eb1e, 0xf57d4f7f,0xee6ed178) +WORD64(0x06f067aa,0x72176fba, 0x0a637dc5,0xa2c898a6) +WORD64(0x113f9804,0xbef90dae, 0x1b710b35,0x131c471b) +WORD64(0x28db77f5,0x23047d84, 0x32caab7b,0x40c72493) +WORD64(0x3c9ebe0a,0x15c9bebc, 0x431d67c4,0x9c100d4c) +WORD64(0x4cc5d4be,0xcb3e42b6, 0x597f299c,0xfc657e2a) +WORD64(0x5fcb6fab,0x3ad6faec, 0x6c44198c,0x4a475817) +.size K512,.-K512 +.LOPENSSL_armcap: +.word OPENSSL_armcap_P-sha512_block_data_order +.skip 32-4 + +.global sha512_block_data_order +.type sha512_block_data_order,%function +sha512_block_data_order: + sub r3,pc,#8 @ sha512_block_data_order + add r2,r1,r2,lsl#7 @ len to point at the end of inp +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) + ldr r12,.LOPENSSL_armcap + ldr r12,[r3,r12] @ OPENSSL_armcap_P + tst r12,#1 + bne .LNEON +#endif + stmdb sp!,{r4-r12,lr} + sub r14,r3,#672 @ K512 + sub sp,sp,#9*8 + + ldr r7,[r0,#32+LO] + ldr r8,[r0,#32+HI] + ldr r9, [r0,#48+LO] + ldr r10, [r0,#48+HI] + ldr r11, [r0,#56+LO] + ldr r12, [r0,#56+HI] +.Loop: + str r9, [sp,#48+0] + str r10, [sp,#48+4] + str r11, [sp,#56+0] + str r12, [sp,#56+4] + ldr r5,[r0,#0+LO] + ldr r6,[r0,#0+HI] + ldr r3,[r0,#8+LO] + ldr r4,[r0,#8+HI] + ldr r9, [r0,#16+LO] + ldr r10, [r0,#16+HI] + ldr r11, [r0,#24+LO] + ldr r12, [r0,#24+HI] + str r3,[sp,#8+0] + str r4,[sp,#8+4] + str r9, [sp,#16+0] + str r10, [sp,#16+4] + str r11, [sp,#24+0] + str r12, [sp,#24+4] + ldr r3,[r0,#40+LO] + ldr r4,[r0,#40+HI] + str r3,[sp,#40+0] + str r4,[sp,#40+4] + +.L00_15: +#if __ARM_ARCH__<7 || defined(__STRICT_ALIGNMENT) + ldrb r3,[r1,#7] + ldrb r9, [r1,#6] + ldrb r10, [r1,#5] + ldrb r11, [r1,#4] + ldrb r4,[r1,#3] + ldrb r12, [r1,#2] + orr r3,r3,r9,lsl#8 + ldrb r9, [r1,#1] + orr r3,r3,r10,lsl#16 + ldrb r10, [r1],#8 + orr r3,r3,r11,lsl#24 + orr r4,r4,r12,lsl#8 + orr r4,r4,r9,lsl#16 + orr r4,r4,r10,lsl#24 +#else + ldr r3,[r1,#4] + ldr r4,[r1],#8 
+#ifdef __ARMEL__ + rev r3,r3 + rev r4,r4 +#endif +#endif + @ Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41)) + @ LO lo>>14^hi<<18 ^ lo>>18^hi<<14 ^ hi>>9^lo<<23 + @ HI hi>>14^lo<<18 ^ hi>>18^lo<<14 ^ lo>>9^hi<<23 + mov r9,r7,lsr#14 + str r3,[sp,#64+0] + mov r10,r8,lsr#14 + str r4,[sp,#64+4] + eor r9,r9,r8,lsl#18 + ldr r11,[sp,#56+0] @ h.lo + eor r10,r10,r7,lsl#18 + ldr r12,[sp,#56+4] @ h.hi + eor r9,r9,r7,lsr#18 + eor r10,r10,r8,lsr#18 + eor r9,r9,r8,lsl#14 + eor r10,r10,r7,lsl#14 + eor r9,r9,r8,lsr#9 + eor r10,r10,r7,lsr#9 + eor r9,r9,r7,lsl#23 + eor r10,r10,r8,lsl#23 @ Sigma1(e) + adds r3,r3,r9 + ldr r9,[sp,#40+0] @ f.lo + adc r4,r4,r10 @ T += Sigma1(e) + ldr r10,[sp,#40+4] @ f.hi + adds r3,r3,r11 + ldr r11,[sp,#48+0] @ g.lo + adc r4,r4,r12 @ T += h + ldr r12,[sp,#48+4] @ g.hi + + eor r9,r9,r11 + str r7,[sp,#32+0] + eor r10,r10,r12 + str r8,[sp,#32+4] + and r9,r9,r7 + str r5,[sp,#0+0] + and r10,r10,r8 + str r6,[sp,#0+4] + eor r9,r9,r11 + ldr r11,[r14,#LO] @ K[i].lo + eor r10,r10,r12 @ Ch(e,f,g) + ldr r12,[r14,#HI] @ K[i].hi + + adds r3,r3,r9 + ldr r7,[sp,#24+0] @ d.lo + adc r4,r4,r10 @ T += Ch(e,f,g) + ldr r8,[sp,#24+4] @ d.hi + adds r3,r3,r11 + and r9,r11,#0xff + adc r4,r4,r12 @ T += K[i] + adds r7,r7,r3 + ldr r11,[sp,#8+0] @ b.lo + adc r8,r8,r4 @ d += T + teq r9,#148 + + ldr r12,[sp,#16+0] @ c.lo + orreq r14,r14,#1 + @ Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39)) + @ LO lo>>28^hi<<4 ^ hi>>2^lo<<30 ^ hi>>7^lo<<25 + @ HI hi>>28^lo<<4 ^ lo>>2^hi<<30 ^ lo>>7^hi<<25 + mov r9,r5,lsr#28 + mov r10,r6,lsr#28 + eor r9,r9,r6,lsl#4 + eor r10,r10,r5,lsl#4 + eor r9,r9,r6,lsr#2 + eor r10,r10,r5,lsr#2 + eor r9,r9,r5,lsl#30 + eor r10,r10,r6,lsl#30 + eor r9,r9,r6,lsr#7 + eor r10,r10,r5,lsr#7 + eor r9,r9,r5,lsl#25 + eor r10,r10,r6,lsl#25 @ Sigma0(a) + adds r3,r3,r9 + and r9,r5,r11 + adc r4,r4,r10 @ T += Sigma0(a) + + ldr r10,[sp,#8+4] @ b.hi + orr r5,r5,r11 + ldr r11,[sp,#16+4] @ c.hi + and r5,r5,r12 + and r12,r6,r10 + orr r6,r6,r10 + orr r5,r5,r9 @ 
Maj(a,b,c).lo + and r6,r6,r11 + adds r5,r5,r3 + orr r6,r6,r12 @ Maj(a,b,c).hi + sub sp,sp,#8 + adc r6,r6,r4 @ h += T + tst r14,#1 + add r14,r14,#8 + tst r14,#1 + beq .L00_15 + ldr r9,[sp,#184+0] + ldr r10,[sp,#184+4] + bic r14,r14,#1 +.L16_79: + @ sigma0(x) (ROTR((x),1) ^ ROTR((x),8) ^ ((x)>>7)) + @ LO lo>>1^hi<<31 ^ lo>>8^hi<<24 ^ lo>>7^hi<<25 + @ HI hi>>1^lo<<31 ^ hi>>8^lo<<24 ^ hi>>7 + mov r3,r9,lsr#1 + ldr r11,[sp,#80+0] + mov r4,r10,lsr#1 + ldr r12,[sp,#80+4] + eor r3,r3,r10,lsl#31 + eor r4,r4,r9,lsl#31 + eor r3,r3,r9,lsr#8 + eor r4,r4,r10,lsr#8 + eor r3,r3,r10,lsl#24 + eor r4,r4,r9,lsl#24 + eor r3,r3,r9,lsr#7 + eor r4,r4,r10,lsr#7 + eor r3,r3,r10,lsl#25 + + @ sigma1(x) (ROTR((x),19) ^ ROTR((x),61) ^ ((x)>>6)) + @ LO lo>>19^hi<<13 ^ hi>>29^lo<<3 ^ lo>>6^hi<<26 + @ HI hi>>19^lo<<13 ^ lo>>29^hi<<3 ^ hi>>6 + mov r9,r11,lsr#19 + mov r10,r12,lsr#19 + eor r9,r9,r12,lsl#13 + eor r10,r10,r11,lsl#13 + eor r9,r9,r12,lsr#29 + eor r10,r10,r11,lsr#29 + eor r9,r9,r11,lsl#3 + eor r10,r10,r12,lsl#3 + eor r9,r9,r11,lsr#6 + eor r10,r10,r12,lsr#6 + ldr r11,[sp,#120+0] + eor r9,r9,r12,lsl#26 + + ldr r12,[sp,#120+4] + adds r3,r3,r9 + ldr r9,[sp,#192+0] + adc r4,r4,r10 + + ldr r10,[sp,#192+4] + adds r3,r3,r11 + adc r4,r4,r12 + adds r3,r3,r9 + adc r4,r4,r10 + @ Sigma1(x) (ROTR((x),14) ^ ROTR((x),18) ^ ROTR((x),41)) + @ LO lo>>14^hi<<18 ^ lo>>18^hi<<14 ^ hi>>9^lo<<23 + @ HI hi>>14^lo<<18 ^ hi>>18^lo<<14 ^ lo>>9^hi<<23 + mov r9,r7,lsr#14 + str r3,[sp,#64+0] + mov r10,r8,lsr#14 + str r4,[sp,#64+4] + eor r9,r9,r8,lsl#18 + ldr r11,[sp,#56+0] @ h.lo + eor r10,r10,r7,lsl#18 + ldr r12,[sp,#56+4] @ h.hi + eor r9,r9,r7,lsr#18 + eor r10,r10,r8,lsr#18 + eor r9,r9,r8,lsl#14 + eor r10,r10,r7,lsl#14 + eor r9,r9,r8,lsr#9 + eor r10,r10,r7,lsr#9 + eor r9,r9,r7,lsl#23 + eor r10,r10,r8,lsl#23 @ Sigma1(e) + adds r3,r3,r9 + ldr r9,[sp,#40+0] @ f.lo + adc r4,r4,r10 @ T += Sigma1(e) + ldr r10,[sp,#40+4] @ f.hi + adds r3,r3,r11 + ldr r11,[sp,#48+0] @ g.lo + adc r4,r4,r12 @ T += h + ldr r12,[sp,#48+4] @ g.hi 
+ + eor r9,r9,r11 + str r7,[sp,#32+0] + eor r10,r10,r12 + str r8,[sp,#32+4] + and r9,r9,r7 + str r5,[sp,#0+0] + and r10,r10,r8 + str r6,[sp,#0+4] + eor r9,r9,r11 + ldr r11,[r14,#LO] @ K[i].lo + eor r10,r10,r12 @ Ch(e,f,g) + ldr r12,[r14,#HI] @ K[i].hi + + adds r3,r3,r9 + ldr r7,[sp,#24+0] @ d.lo + adc r4,r4,r10 @ T += Ch(e,f,g) + ldr r8,[sp,#24+4] @ d.hi + adds r3,r3,r11 + and r9,r11,#0xff + adc r4,r4,r12 @ T += K[i] + adds r7,r7,r3 + ldr r11,[sp,#8+0] @ b.lo + adc r8,r8,r4 @ d += T + teq r9,#23 + + ldr r12,[sp,#16+0] @ c.lo + orreq r14,r14,#1 + @ Sigma0(x) (ROTR((x),28) ^ ROTR((x),34) ^ ROTR((x),39)) + @ LO lo>>28^hi<<4 ^ hi>>2^lo<<30 ^ hi>>7^lo<<25 + @ HI hi>>28^lo<<4 ^ lo>>2^hi<<30 ^ lo>>7^hi<<25 + mov r9,r5,lsr#28 + mov r10,r6,lsr#28 + eor r9,r9,r6,lsl#4 + eor r10,r10,r5,lsl#4 + eor r9,r9,r6,lsr#2 + eor r10,r10,r5,lsr#2 + eor r9,r9,r5,lsl#30 + eor r10,r10,r6,lsl#30 + eor r9,r9,r6,lsr#7 + eor r10,r10,r5,lsr#7 + eor r9,r9,r5,lsl#25 + eor r10,r10,r6,lsl#25 @ Sigma0(a) + adds r3,r3,r9 + and r9,r5,r11 + adc r4,r4,r10 @ T += Sigma0(a) + + ldr r10,[sp,#8+4] @ b.hi + orr r5,r5,r11 + ldr r11,[sp,#16+4] @ c.hi + and r5,r5,r12 + and r12,r6,r10 + orr r6,r6,r10 + orr r5,r5,r9 @ Maj(a,b,c).lo + and r6,r6,r11 + adds r5,r5,r3 + orr r6,r6,r12 @ Maj(a,b,c).hi + sub sp,sp,#8 + adc r6,r6,r4 @ h += T + tst r14,#1 + add r14,r14,#8 + ldreq r9,[sp,#184+0] + ldreq r10,[sp,#184+4] + beq .L16_79 + bic r14,r14,#1 + + ldr r3,[sp,#8+0] + ldr r4,[sp,#8+4] + ldr r9, [r0,#0+LO] + ldr r10, [r0,#0+HI] + ldr r11, [r0,#8+LO] + ldr r12, [r0,#8+HI] + adds r9,r5,r9 + str r9, [r0,#0+LO] + adc r10,r6,r10 + str r10, [r0,#0+HI] + adds r11,r3,r11 + str r11, [r0,#8+LO] + adc r12,r4,r12 + str r12, [r0,#8+HI] + + ldr r5,[sp,#16+0] + ldr r6,[sp,#16+4] + ldr r3,[sp,#24+0] + ldr r4,[sp,#24+4] + ldr r9, [r0,#16+LO] + ldr r10, [r0,#16+HI] + ldr r11, [r0,#24+LO] + ldr r12, [r0,#24+HI] + adds r9,r5,r9 + str r9, [r0,#16+LO] + adc r10,r6,r10 + str r10, [r0,#16+HI] + adds r11,r3,r11 + str r11, [r0,#24+LO] + adc 
r12,r4,r12 + str r12, [r0,#24+HI] + + ldr r3,[sp,#40+0] + ldr r4,[sp,#40+4] + ldr r9, [r0,#32+LO] + ldr r10, [r0,#32+HI] + ldr r11, [r0,#40+LO] + ldr r12, [r0,#40+HI] + adds r7,r7,r9 + str r7,[r0,#32+LO] + adc r8,r8,r10 + str r8,[r0,#32+HI] + adds r11,r3,r11 + str r11, [r0,#40+LO] + adc r12,r4,r12 + str r12, [r0,#40+HI] + + ldr r5,[sp,#48+0] + ldr r6,[sp,#48+4] + ldr r3,[sp,#56+0] + ldr r4,[sp,#56+4] + ldr r9, [r0,#48+LO] + ldr r10, [r0,#48+HI] + ldr r11, [r0,#56+LO] + ldr r12, [r0,#56+HI] + adds r9,r5,r9 + str r9, [r0,#48+LO] + adc r10,r6,r10 + str r10, [r0,#48+HI] + adds r11,r3,r11 + str r11, [r0,#56+LO] + adc r12,r4,r12 + str r12, [r0,#56+HI] + + add sp,sp,#640 + sub r14,r14,#640 + + teq r1,r2 + bne .Loop + + add sp,sp,#8*9 @ destroy frame +#if __ARM_ARCH__>=5 + ldmia sp!,{r4-r12,pc} +#else + ldmia sp!,{r4-r12,lr} + tst lr,#1 + moveq pc,lr @ be binary compatible with V4, yet + .word 0xe12fff1e @ interoperable with Thumb ISA:-) +#endif +#if __ARM_ARCH__>=7 && !defined(__STRICT_ALIGNMENT) +.fpu neon + +.align 4 +.LNEON: + dmb @ errata #451034 on early Cortex A8 + vstmdb sp!,{d8-d15} @ ABI specification says so + sub r3,r3,#672 @ K512 + vldmia r0,{d16-d23} @ load context +.Loop_neon: + vshr.u64 d24,d20,#14 @ 0 +#if 0<16 + vld1.64 {d0},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d20,#18 + vshr.u64 d26,d20,#41 + vld1.64 {d28},[r3,:64]! 
@ K[i++] + vsli.64 d24,d20,#50 + vsli.64 d25,d20,#46 + vsli.64 d26,d20,#23 +#if 0<16 && defined(__ARMEL__) + vrev64.8 d0,d0 +#endif + vadd.i64 d27,d28,d23 + veor d29,d21,d22 + veor d24,d25 + vand d29,d20 + veor d24,d26 @ Sigma1(e) + veor d29,d22 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d16,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d16,#34 + vshr.u64 d26,d16,#39 + vsli.64 d24,d16,#36 + vsli.64 d25,d16,#30 + vsli.64 d26,d16,#25 + vadd.i64 d27,d0 + vorr d30,d16,d18 + vand d29,d16,d18 + veor d23,d24,d25 + vand d30,d17 + veor d23,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d23,d27 + vadd.i64 d19,d27 + vadd.i64 d23,d30 + vshr.u64 d24,d19,#14 @ 1 +#if 1<16 + vld1.64 {d1},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d19,#18 + vshr.u64 d26,d19,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d19,#50 + vsli.64 d25,d19,#46 + vsli.64 d26,d19,#23 +#if 1<16 && defined(__ARMEL__) + vrev64.8 d1,d1 +#endif + vadd.i64 d27,d28,d22 + veor d29,d20,d21 + veor d24,d25 + vand d29,d19 + veor d24,d26 @ Sigma1(e) + veor d29,d21 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d23,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d23,#34 + vshr.u64 d26,d23,#39 + vsli.64 d24,d23,#36 + vsli.64 d25,d23,#30 + vsli.64 d26,d23,#25 + vadd.i64 d27,d1 + vorr d30,d23,d17 + vand d29,d23,d17 + veor d22,d24,d25 + vand d30,d16 + veor d22,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d22,d27 + vadd.i64 d18,d27 + vadd.i64 d22,d30 + vshr.u64 d24,d18,#14 @ 2 +#if 2<16 + vld1.64 {d2},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d18,#18 + vshr.u64 d26,d18,#41 + vld1.64 {d28},[r3,:64]! 
@ K[i++] + vsli.64 d24,d18,#50 + vsli.64 d25,d18,#46 + vsli.64 d26,d18,#23 +#if 2<16 && defined(__ARMEL__) + vrev64.8 d2,d2 +#endif + vadd.i64 d27,d28,d21 + veor d29,d19,d20 + veor d24,d25 + vand d29,d18 + veor d24,d26 @ Sigma1(e) + veor d29,d20 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d22,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d22,#34 + vshr.u64 d26,d22,#39 + vsli.64 d24,d22,#36 + vsli.64 d25,d22,#30 + vsli.64 d26,d22,#25 + vadd.i64 d27,d2 + vorr d30,d22,d16 + vand d29,d22,d16 + veor d21,d24,d25 + vand d30,d23 + veor d21,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d21,d27 + vadd.i64 d17,d27 + vadd.i64 d21,d30 + vshr.u64 d24,d17,#14 @ 3 +#if 3<16 + vld1.64 {d3},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d17,#18 + vshr.u64 d26,d17,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d17,#50 + vsli.64 d25,d17,#46 + vsli.64 d26,d17,#23 +#if 3<16 && defined(__ARMEL__) + vrev64.8 d3,d3 +#endif + vadd.i64 d27,d28,d20 + veor d29,d18,d19 + veor d24,d25 + vand d29,d17 + veor d24,d26 @ Sigma1(e) + veor d29,d19 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d21,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d21,#34 + vshr.u64 d26,d21,#39 + vsli.64 d24,d21,#36 + vsli.64 d25,d21,#30 + vsli.64 d26,d21,#25 + vadd.i64 d27,d3 + vorr d30,d21,d23 + vand d29,d21,d23 + veor d20,d24,d25 + vand d30,d22 + veor d20,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d20,d27 + vadd.i64 d16,d27 + vadd.i64 d20,d30 + vshr.u64 d24,d16,#14 @ 4 +#if 4<16 + vld1.64 {d4},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d16,#18 + vshr.u64 d26,d16,#41 + vld1.64 {d28},[r3,:64]! 
@ K[i++] + vsli.64 d24,d16,#50 + vsli.64 d25,d16,#46 + vsli.64 d26,d16,#23 +#if 4<16 && defined(__ARMEL__) + vrev64.8 d4,d4 +#endif + vadd.i64 d27,d28,d19 + veor d29,d17,d18 + veor d24,d25 + vand d29,d16 + veor d24,d26 @ Sigma1(e) + veor d29,d18 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d20,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d20,#34 + vshr.u64 d26,d20,#39 + vsli.64 d24,d20,#36 + vsli.64 d25,d20,#30 + vsli.64 d26,d20,#25 + vadd.i64 d27,d4 + vorr d30,d20,d22 + vand d29,d20,d22 + veor d19,d24,d25 + vand d30,d21 + veor d19,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d19,d27 + vadd.i64 d23,d27 + vadd.i64 d19,d30 + vshr.u64 d24,d23,#14 @ 5 +#if 5<16 + vld1.64 {d5},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d23,#18 + vshr.u64 d26,d23,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d23,#50 + vsli.64 d25,d23,#46 + vsli.64 d26,d23,#23 +#if 5<16 && defined(__ARMEL__) + vrev64.8 d5,d5 +#endif + vadd.i64 d27,d28,d18 + veor d29,d16,d17 + veor d24,d25 + vand d29,d23 + veor d24,d26 @ Sigma1(e) + veor d29,d17 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d19,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d19,#34 + vshr.u64 d26,d19,#39 + vsli.64 d24,d19,#36 + vsli.64 d25,d19,#30 + vsli.64 d26,d19,#25 + vadd.i64 d27,d5 + vorr d30,d19,d21 + vand d29,d19,d21 + veor d18,d24,d25 + vand d30,d20 + veor d18,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d18,d27 + vadd.i64 d22,d27 + vadd.i64 d18,d30 + vshr.u64 d24,d22,#14 @ 6 +#if 6<16 + vld1.64 {d6},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d22,#18 + vshr.u64 d26,d22,#41 + vld1.64 {d28},[r3,:64]! 
@ K[i++] + vsli.64 d24,d22,#50 + vsli.64 d25,d22,#46 + vsli.64 d26,d22,#23 +#if 6<16 && defined(__ARMEL__) + vrev64.8 d6,d6 +#endif + vadd.i64 d27,d28,d17 + veor d29,d23,d16 + veor d24,d25 + vand d29,d22 + veor d24,d26 @ Sigma1(e) + veor d29,d16 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d18,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d18,#34 + vshr.u64 d26,d18,#39 + vsli.64 d24,d18,#36 + vsli.64 d25,d18,#30 + vsli.64 d26,d18,#25 + vadd.i64 d27,d6 + vorr d30,d18,d20 + vand d29,d18,d20 + veor d17,d24,d25 + vand d30,d19 + veor d17,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d17,d27 + vadd.i64 d21,d27 + vadd.i64 d17,d30 + vshr.u64 d24,d21,#14 @ 7 +#if 7<16 + vld1.64 {d7},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d21,#18 + vshr.u64 d26,d21,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d21,#50 + vsli.64 d25,d21,#46 + vsli.64 d26,d21,#23 +#if 7<16 && defined(__ARMEL__) + vrev64.8 d7,d7 +#endif + vadd.i64 d27,d28,d16 + veor d29,d22,d23 + veor d24,d25 + vand d29,d21 + veor d24,d26 @ Sigma1(e) + veor d29,d23 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d17,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d17,#34 + vshr.u64 d26,d17,#39 + vsli.64 d24,d17,#36 + vsli.64 d25,d17,#30 + vsli.64 d26,d17,#25 + vadd.i64 d27,d7 + vorr d30,d17,d19 + vand d29,d17,d19 + veor d16,d24,d25 + vand d30,d18 + veor d16,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d16,d27 + vadd.i64 d20,d27 + vadd.i64 d16,d30 + vshr.u64 d24,d20,#14 @ 8 +#if 8<16 + vld1.64 {d8},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d20,#18 + vshr.u64 d26,d20,#41 + vld1.64 {d28},[r3,:64]! 
@ K[i++] + vsli.64 d24,d20,#50 + vsli.64 d25,d20,#46 + vsli.64 d26,d20,#23 +#if 8<16 && defined(__ARMEL__) + vrev64.8 d8,d8 +#endif + vadd.i64 d27,d28,d23 + veor d29,d21,d22 + veor d24,d25 + vand d29,d20 + veor d24,d26 @ Sigma1(e) + veor d29,d22 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d16,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d16,#34 + vshr.u64 d26,d16,#39 + vsli.64 d24,d16,#36 + vsli.64 d25,d16,#30 + vsli.64 d26,d16,#25 + vadd.i64 d27,d8 + vorr d30,d16,d18 + vand d29,d16,d18 + veor d23,d24,d25 + vand d30,d17 + veor d23,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d23,d27 + vadd.i64 d19,d27 + vadd.i64 d23,d30 + vshr.u64 d24,d19,#14 @ 9 +#if 9<16 + vld1.64 {d9},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d19,#18 + vshr.u64 d26,d19,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d19,#50 + vsli.64 d25,d19,#46 + vsli.64 d26,d19,#23 +#if 9<16 && defined(__ARMEL__) + vrev64.8 d9,d9 +#endif + vadd.i64 d27,d28,d22 + veor d29,d20,d21 + veor d24,d25 + vand d29,d19 + veor d24,d26 @ Sigma1(e) + veor d29,d21 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d23,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d23,#34 + vshr.u64 d26,d23,#39 + vsli.64 d24,d23,#36 + vsli.64 d25,d23,#30 + vsli.64 d26,d23,#25 + vadd.i64 d27,d9 + vorr d30,d23,d17 + vand d29,d23,d17 + veor d22,d24,d25 + vand d30,d16 + veor d22,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d22,d27 + vadd.i64 d18,d27 + vadd.i64 d22,d30 + vshr.u64 d24,d18,#14 @ 10 +#if 10<16 + vld1.64 {d10},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d18,#18 + vshr.u64 d26,d18,#41 + vld1.64 {d28},[r3,:64]! 
@ K[i++] + vsli.64 d24,d18,#50 + vsli.64 d25,d18,#46 + vsli.64 d26,d18,#23 +#if 10<16 && defined(__ARMEL__) + vrev64.8 d10,d10 +#endif + vadd.i64 d27,d28,d21 + veor d29,d19,d20 + veor d24,d25 + vand d29,d18 + veor d24,d26 @ Sigma1(e) + veor d29,d20 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d22,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d22,#34 + vshr.u64 d26,d22,#39 + vsli.64 d24,d22,#36 + vsli.64 d25,d22,#30 + vsli.64 d26,d22,#25 + vadd.i64 d27,d10 + vorr d30,d22,d16 + vand d29,d22,d16 + veor d21,d24,d25 + vand d30,d23 + veor d21,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d21,d27 + vadd.i64 d17,d27 + vadd.i64 d21,d30 + vshr.u64 d24,d17,#14 @ 11 +#if 11<16 + vld1.64 {d11},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d17,#18 + vshr.u64 d26,d17,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d17,#50 + vsli.64 d25,d17,#46 + vsli.64 d26,d17,#23 +#if 11<16 && defined(__ARMEL__) + vrev64.8 d11,d11 +#endif + vadd.i64 d27,d28,d20 + veor d29,d18,d19 + veor d24,d25 + vand d29,d17 + veor d24,d26 @ Sigma1(e) + veor d29,d19 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d21,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d21,#34 + vshr.u64 d26,d21,#39 + vsli.64 d24,d21,#36 + vsli.64 d25,d21,#30 + vsli.64 d26,d21,#25 + vadd.i64 d27,d11 + vorr d30,d21,d23 + vand d29,d21,d23 + veor d20,d24,d25 + vand d30,d22 + veor d20,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d20,d27 + vadd.i64 d16,d27 + vadd.i64 d20,d30 + vshr.u64 d24,d16,#14 @ 12 +#if 12<16 + vld1.64 {d12},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d16,#18 + vshr.u64 d26,d16,#41 + vld1.64 {d28},[r3,:64]! 
@ K[i++] + vsli.64 d24,d16,#50 + vsli.64 d25,d16,#46 + vsli.64 d26,d16,#23 +#if 12<16 && defined(__ARMEL__) + vrev64.8 d12,d12 +#endif + vadd.i64 d27,d28,d19 + veor d29,d17,d18 + veor d24,d25 + vand d29,d16 + veor d24,d26 @ Sigma1(e) + veor d29,d18 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d20,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d20,#34 + vshr.u64 d26,d20,#39 + vsli.64 d24,d20,#36 + vsli.64 d25,d20,#30 + vsli.64 d26,d20,#25 + vadd.i64 d27,d12 + vorr d30,d20,d22 + vand d29,d20,d22 + veor d19,d24,d25 + vand d30,d21 + veor d19,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d19,d27 + vadd.i64 d23,d27 + vadd.i64 d19,d30 + vshr.u64 d24,d23,#14 @ 13 +#if 13<16 + vld1.64 {d13},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d23,#18 + vshr.u64 d26,d23,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d23,#50 + vsli.64 d25,d23,#46 + vsli.64 d26,d23,#23 +#if 13<16 && defined(__ARMEL__) + vrev64.8 d13,d13 +#endif + vadd.i64 d27,d28,d18 + veor d29,d16,d17 + veor d24,d25 + vand d29,d23 + veor d24,d26 @ Sigma1(e) + veor d29,d17 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d19,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d19,#34 + vshr.u64 d26,d19,#39 + vsli.64 d24,d19,#36 + vsli.64 d25,d19,#30 + vsli.64 d26,d19,#25 + vadd.i64 d27,d13 + vorr d30,d19,d21 + vand d29,d19,d21 + veor d18,d24,d25 + vand d30,d20 + veor d18,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d18,d27 + vadd.i64 d22,d27 + vadd.i64 d18,d30 + vshr.u64 d24,d22,#14 @ 14 +#if 14<16 + vld1.64 {d14},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d22,#18 + vshr.u64 d26,d22,#41 + vld1.64 {d28},[r3,:64]! 
@ K[i++] + vsli.64 d24,d22,#50 + vsli.64 d25,d22,#46 + vsli.64 d26,d22,#23 +#if 14<16 && defined(__ARMEL__) + vrev64.8 d14,d14 +#endif + vadd.i64 d27,d28,d17 + veor d29,d23,d16 + veor d24,d25 + vand d29,d22 + veor d24,d26 @ Sigma1(e) + veor d29,d16 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d18,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d18,#34 + vshr.u64 d26,d18,#39 + vsli.64 d24,d18,#36 + vsli.64 d25,d18,#30 + vsli.64 d26,d18,#25 + vadd.i64 d27,d14 + vorr d30,d18,d20 + vand d29,d18,d20 + veor d17,d24,d25 + vand d30,d19 + veor d17,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d17,d27 + vadd.i64 d21,d27 + vadd.i64 d17,d30 + vshr.u64 d24,d21,#14 @ 15 +#if 15<16 + vld1.64 {d15},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d21,#18 + vshr.u64 d26,d21,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d21,#50 + vsli.64 d25,d21,#46 + vsli.64 d26,d21,#23 +#if 15<16 && defined(__ARMEL__) + vrev64.8 d15,d15 +#endif + vadd.i64 d27,d28,d16 + veor d29,d22,d23 + veor d24,d25 + vand d29,d21 + veor d24,d26 @ Sigma1(e) + veor d29,d23 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d17,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d17,#34 + vshr.u64 d26,d17,#39 + vsli.64 d24,d17,#36 + vsli.64 d25,d17,#30 + vsli.64 d26,d17,#25 + vadd.i64 d27,d15 + vorr d30,d17,d19 + vand d29,d17,d19 + veor d16,d24,d25 + vand d30,d18 + veor d16,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d16,d27 + vadd.i64 d20,d27 + vadd.i64 d16,d30 + mov r12,#4 +.L16_79_neon: + subs r12,#1 + vshr.u64 q12,q7,#19 + vshr.u64 q13,q7,#61 + vshr.u64 q15,q7,#6 + vsli.64 q12,q7,#45 + vext.8 q14,q0,q1,#8 @ X[i+1] + vsli.64 q13,q7,#3 + veor q15,q12 + vshr.u64 q12,q14,#1 + veor q15,q13 @ sigma1(X[i+14]) + vshr.u64 q13,q14,#8 + vadd.i64 q0,q15 + vshr.u64 q15,q14,#7 + vsli.64 q12,q14,#63 + vsli.64 q13,q14,#56 + vext.8 q14,q4,q5,#8 @ X[i+9] + veor q15,q12 + vshr.u64 d24,d20,#14 @ from NEON_00_15 + vadd.i64 q0,q14 + vshr.u64 d25,d20,#18 @ from NEON_00_15 + veor q15,q13 @ sigma0(X[i+1]) + vshr.u64 d26,d20,#41 @ from 
NEON_00_15 + vadd.i64 q0,q15 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d20,#50 + vsli.64 d25,d20,#46 + vsli.64 d26,d20,#23 +#if 16<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d23 + veor d29,d21,d22 + veor d24,d25 + vand d29,d20 + veor d24,d26 @ Sigma1(e) + veor d29,d22 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d16,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d16,#34 + vshr.u64 d26,d16,#39 + vsli.64 d24,d16,#36 + vsli.64 d25,d16,#30 + vsli.64 d26,d16,#25 + vadd.i64 d27,d0 + vorr d30,d16,d18 + vand d29,d16,d18 + veor d23,d24,d25 + vand d30,d17 + veor d23,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d23,d27 + vadd.i64 d19,d27 + vadd.i64 d23,d30 + vshr.u64 d24,d19,#14 @ 17 +#if 17<16 + vld1.64 {d1},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d19,#18 + vshr.u64 d26,d19,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d19,#50 + vsli.64 d25,d19,#46 + vsli.64 d26,d19,#23 +#if 17<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d22 + veor d29,d20,d21 + veor d24,d25 + vand d29,d19 + veor d24,d26 @ Sigma1(e) + veor d29,d21 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d23,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d23,#34 + vshr.u64 d26,d23,#39 + vsli.64 d24,d23,#36 + vsli.64 d25,d23,#30 + vsli.64 d26,d23,#25 + vadd.i64 d27,d1 + vorr d30,d23,d17 + vand d29,d23,d17 + veor d22,d24,d25 + vand d30,d16 + veor d22,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d22,d27 + vadd.i64 d18,d27 + vadd.i64 d22,d30 + vshr.u64 q12,q0,#19 + vshr.u64 q13,q0,#61 + vshr.u64 q15,q0,#6 + vsli.64 q12,q0,#45 + vext.8 q14,q1,q2,#8 @ X[i+1] + vsli.64 q13,q0,#3 + veor q15,q12 + vshr.u64 q12,q14,#1 + veor q15,q13 @ sigma1(X[i+14]) + vshr.u64 q13,q14,#8 + vadd.i64 q1,q15 + vshr.u64 q15,q14,#7 + vsli.64 q12,q14,#63 + vsli.64 q13,q14,#56 + vext.8 q14,q5,q6,#8 @ X[i+9] + veor q15,q12 + vshr.u64 d24,d18,#14 @ from NEON_00_15 + vadd.i64 q1,q14 + vshr.u64 d25,d18,#18 @ from NEON_00_15 + veor q15,q13 @ sigma0(X[i+1]) + vshr.u64 d26,d18,#41 @ from 
NEON_00_15 + vadd.i64 q1,q15 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d18,#50 + vsli.64 d25,d18,#46 + vsli.64 d26,d18,#23 +#if 18<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d21 + veor d29,d19,d20 + veor d24,d25 + vand d29,d18 + veor d24,d26 @ Sigma1(e) + veor d29,d20 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d22,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d22,#34 + vshr.u64 d26,d22,#39 + vsli.64 d24,d22,#36 + vsli.64 d25,d22,#30 + vsli.64 d26,d22,#25 + vadd.i64 d27,d2 + vorr d30,d22,d16 + vand d29,d22,d16 + veor d21,d24,d25 + vand d30,d23 + veor d21,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d21,d27 + vadd.i64 d17,d27 + vadd.i64 d21,d30 + vshr.u64 d24,d17,#14 @ 19 +#if 19<16 + vld1.64 {d3},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d17,#18 + vshr.u64 d26,d17,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d17,#50 + vsli.64 d25,d17,#46 + vsli.64 d26,d17,#23 +#if 19<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d20 + veor d29,d18,d19 + veor d24,d25 + vand d29,d17 + veor d24,d26 @ Sigma1(e) + veor d29,d19 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d21,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d21,#34 + vshr.u64 d26,d21,#39 + vsli.64 d24,d21,#36 + vsli.64 d25,d21,#30 + vsli.64 d26,d21,#25 + vadd.i64 d27,d3 + vorr d30,d21,d23 + vand d29,d21,d23 + veor d20,d24,d25 + vand d30,d22 + veor d20,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d20,d27 + vadd.i64 d16,d27 + vadd.i64 d20,d30 + vshr.u64 q12,q1,#19 + vshr.u64 q13,q1,#61 + vshr.u64 q15,q1,#6 + vsli.64 q12,q1,#45 + vext.8 q14,q2,q3,#8 @ X[i+1] + vsli.64 q13,q1,#3 + veor q15,q12 + vshr.u64 q12,q14,#1 + veor q15,q13 @ sigma1(X[i+14]) + vshr.u64 q13,q14,#8 + vadd.i64 q2,q15 + vshr.u64 q15,q14,#7 + vsli.64 q12,q14,#63 + vsli.64 q13,q14,#56 + vext.8 q14,q6,q7,#8 @ X[i+9] + veor q15,q12 + vshr.u64 d24,d16,#14 @ from NEON_00_15 + vadd.i64 q2,q14 + vshr.u64 d25,d16,#18 @ from NEON_00_15 + veor q15,q13 @ sigma0(X[i+1]) + vshr.u64 d26,d16,#41 @ from 
NEON_00_15 + vadd.i64 q2,q15 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d16,#50 + vsli.64 d25,d16,#46 + vsli.64 d26,d16,#23 +#if 20<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d19 + veor d29,d17,d18 + veor d24,d25 + vand d29,d16 + veor d24,d26 @ Sigma1(e) + veor d29,d18 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d20,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d20,#34 + vshr.u64 d26,d20,#39 + vsli.64 d24,d20,#36 + vsli.64 d25,d20,#30 + vsli.64 d26,d20,#25 + vadd.i64 d27,d4 + vorr d30,d20,d22 + vand d29,d20,d22 + veor d19,d24,d25 + vand d30,d21 + veor d19,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d19,d27 + vadd.i64 d23,d27 + vadd.i64 d19,d30 + vshr.u64 d24,d23,#14 @ 21 +#if 21<16 + vld1.64 {d5},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d23,#18 + vshr.u64 d26,d23,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d23,#50 + vsli.64 d25,d23,#46 + vsli.64 d26,d23,#23 +#if 21<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d18 + veor d29,d16,d17 + veor d24,d25 + vand d29,d23 + veor d24,d26 @ Sigma1(e) + veor d29,d17 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d19,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d19,#34 + vshr.u64 d26,d19,#39 + vsli.64 d24,d19,#36 + vsli.64 d25,d19,#30 + vsli.64 d26,d19,#25 + vadd.i64 d27,d5 + vorr d30,d19,d21 + vand d29,d19,d21 + veor d18,d24,d25 + vand d30,d20 + veor d18,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d18,d27 + vadd.i64 d22,d27 + vadd.i64 d18,d30 + vshr.u64 q12,q2,#19 + vshr.u64 q13,q2,#61 + vshr.u64 q15,q2,#6 + vsli.64 q12,q2,#45 + vext.8 q14,q3,q4,#8 @ X[i+1] + vsli.64 q13,q2,#3 + veor q15,q12 + vshr.u64 q12,q14,#1 + veor q15,q13 @ sigma1(X[i+14]) + vshr.u64 q13,q14,#8 + vadd.i64 q3,q15 + vshr.u64 q15,q14,#7 + vsli.64 q12,q14,#63 + vsli.64 q13,q14,#56 + vext.8 q14,q7,q0,#8 @ X[i+9] + veor q15,q12 + vshr.u64 d24,d22,#14 @ from NEON_00_15 + vadd.i64 q3,q14 + vshr.u64 d25,d22,#18 @ from NEON_00_15 + veor q15,q13 @ sigma0(X[i+1]) + vshr.u64 d26,d22,#41 @ from 
NEON_00_15 + vadd.i64 q3,q15 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d22,#50 + vsli.64 d25,d22,#46 + vsli.64 d26,d22,#23 +#if 22<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d17 + veor d29,d23,d16 + veor d24,d25 + vand d29,d22 + veor d24,d26 @ Sigma1(e) + veor d29,d16 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d18,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d18,#34 + vshr.u64 d26,d18,#39 + vsli.64 d24,d18,#36 + vsli.64 d25,d18,#30 + vsli.64 d26,d18,#25 + vadd.i64 d27,d6 + vorr d30,d18,d20 + vand d29,d18,d20 + veor d17,d24,d25 + vand d30,d19 + veor d17,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d17,d27 + vadd.i64 d21,d27 + vadd.i64 d17,d30 + vshr.u64 d24,d21,#14 @ 23 +#if 23<16 + vld1.64 {d7},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d21,#18 + vshr.u64 d26,d21,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d21,#50 + vsli.64 d25,d21,#46 + vsli.64 d26,d21,#23 +#if 23<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d16 + veor d29,d22,d23 + veor d24,d25 + vand d29,d21 + veor d24,d26 @ Sigma1(e) + veor d29,d23 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d17,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d17,#34 + vshr.u64 d26,d17,#39 + vsli.64 d24,d17,#36 + vsli.64 d25,d17,#30 + vsli.64 d26,d17,#25 + vadd.i64 d27,d7 + vorr d30,d17,d19 + vand d29,d17,d19 + veor d16,d24,d25 + vand d30,d18 + veor d16,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d16,d27 + vadd.i64 d20,d27 + vadd.i64 d16,d30 + vshr.u64 q12,q3,#19 + vshr.u64 q13,q3,#61 + vshr.u64 q15,q3,#6 + vsli.64 q12,q3,#45 + vext.8 q14,q4,q5,#8 @ X[i+1] + vsli.64 q13,q3,#3 + veor q15,q12 + vshr.u64 q12,q14,#1 + veor q15,q13 @ sigma1(X[i+14]) + vshr.u64 q13,q14,#8 + vadd.i64 q4,q15 + vshr.u64 q15,q14,#7 + vsli.64 q12,q14,#63 + vsli.64 q13,q14,#56 + vext.8 q14,q0,q1,#8 @ X[i+9] + veor q15,q12 + vshr.u64 d24,d20,#14 @ from NEON_00_15 + vadd.i64 q4,q14 + vshr.u64 d25,d20,#18 @ from NEON_00_15 + veor q15,q13 @ sigma0(X[i+1]) + vshr.u64 d26,d20,#41 @ from 
NEON_00_15 + vadd.i64 q4,q15 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d20,#50 + vsli.64 d25,d20,#46 + vsli.64 d26,d20,#23 +#if 24<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d23 + veor d29,d21,d22 + veor d24,d25 + vand d29,d20 + veor d24,d26 @ Sigma1(e) + veor d29,d22 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d16,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d16,#34 + vshr.u64 d26,d16,#39 + vsli.64 d24,d16,#36 + vsli.64 d25,d16,#30 + vsli.64 d26,d16,#25 + vadd.i64 d27,d8 + vorr d30,d16,d18 + vand d29,d16,d18 + veor d23,d24,d25 + vand d30,d17 + veor d23,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d23,d27 + vadd.i64 d19,d27 + vadd.i64 d23,d30 + vshr.u64 d24,d19,#14 @ 25 +#if 25<16 + vld1.64 {d9},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d19,#18 + vshr.u64 d26,d19,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d19,#50 + vsli.64 d25,d19,#46 + vsli.64 d26,d19,#23 +#if 25<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d22 + veor d29,d20,d21 + veor d24,d25 + vand d29,d19 + veor d24,d26 @ Sigma1(e) + veor d29,d21 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d23,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d23,#34 + vshr.u64 d26,d23,#39 + vsli.64 d24,d23,#36 + vsli.64 d25,d23,#30 + vsli.64 d26,d23,#25 + vadd.i64 d27,d9 + vorr d30,d23,d17 + vand d29,d23,d17 + veor d22,d24,d25 + vand d30,d16 + veor d22,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d22,d27 + vadd.i64 d18,d27 + vadd.i64 d22,d30 + vshr.u64 q12,q4,#19 + vshr.u64 q13,q4,#61 + vshr.u64 q15,q4,#6 + vsli.64 q12,q4,#45 + vext.8 q14,q5,q6,#8 @ X[i+1] + vsli.64 q13,q4,#3 + veor q15,q12 + vshr.u64 q12,q14,#1 + veor q15,q13 @ sigma1(X[i+14]) + vshr.u64 q13,q14,#8 + vadd.i64 q5,q15 + vshr.u64 q15,q14,#7 + vsli.64 q12,q14,#63 + vsli.64 q13,q14,#56 + vext.8 q14,q1,q2,#8 @ X[i+9] + veor q15,q12 + vshr.u64 d24,d18,#14 @ from NEON_00_15 + vadd.i64 q5,q14 + vshr.u64 d25,d18,#18 @ from NEON_00_15 + veor q15,q13 @ sigma0(X[i+1]) + vshr.u64 d26,d18,#41 @ from 
NEON_00_15 + vadd.i64 q5,q15 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d18,#50 + vsli.64 d25,d18,#46 + vsli.64 d26,d18,#23 +#if 26<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d21 + veor d29,d19,d20 + veor d24,d25 + vand d29,d18 + veor d24,d26 @ Sigma1(e) + veor d29,d20 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d22,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d22,#34 + vshr.u64 d26,d22,#39 + vsli.64 d24,d22,#36 + vsli.64 d25,d22,#30 + vsli.64 d26,d22,#25 + vadd.i64 d27,d10 + vorr d30,d22,d16 + vand d29,d22,d16 + veor d21,d24,d25 + vand d30,d23 + veor d21,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d21,d27 + vadd.i64 d17,d27 + vadd.i64 d21,d30 + vshr.u64 d24,d17,#14 @ 27 +#if 27<16 + vld1.64 {d11},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d17,#18 + vshr.u64 d26,d17,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d17,#50 + vsli.64 d25,d17,#46 + vsli.64 d26,d17,#23 +#if 27<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d20 + veor d29,d18,d19 + veor d24,d25 + vand d29,d17 + veor d24,d26 @ Sigma1(e) + veor d29,d19 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d21,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d21,#34 + vshr.u64 d26,d21,#39 + vsli.64 d24,d21,#36 + vsli.64 d25,d21,#30 + vsli.64 d26,d21,#25 + vadd.i64 d27,d11 + vorr d30,d21,d23 + vand d29,d21,d23 + veor d20,d24,d25 + vand d30,d22 + veor d20,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d20,d27 + vadd.i64 d16,d27 + vadd.i64 d20,d30 + vshr.u64 q12,q5,#19 + vshr.u64 q13,q5,#61 + vshr.u64 q15,q5,#6 + vsli.64 q12,q5,#45 + vext.8 q14,q6,q7,#8 @ X[i+1] + vsli.64 q13,q5,#3 + veor q15,q12 + vshr.u64 q12,q14,#1 + veor q15,q13 @ sigma1(X[i+14]) + vshr.u64 q13,q14,#8 + vadd.i64 q6,q15 + vshr.u64 q15,q14,#7 + vsli.64 q12,q14,#63 + vsli.64 q13,q14,#56 + vext.8 q14,q2,q3,#8 @ X[i+9] + veor q15,q12 + vshr.u64 d24,d16,#14 @ from NEON_00_15 + vadd.i64 q6,q14 + vshr.u64 d25,d16,#18 @ from NEON_00_15 + veor q15,q13 @ sigma0(X[i+1]) + vshr.u64 d26,d16,#41 @ from 
NEON_00_15 + vadd.i64 q6,q15 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d16,#50 + vsli.64 d25,d16,#46 + vsli.64 d26,d16,#23 +#if 28<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d19 + veor d29,d17,d18 + veor d24,d25 + vand d29,d16 + veor d24,d26 @ Sigma1(e) + veor d29,d18 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d20,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d20,#34 + vshr.u64 d26,d20,#39 + vsli.64 d24,d20,#36 + vsli.64 d25,d20,#30 + vsli.64 d26,d20,#25 + vadd.i64 d27,d12 + vorr d30,d20,d22 + vand d29,d20,d22 + veor d19,d24,d25 + vand d30,d21 + veor d19,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d19,d27 + vadd.i64 d23,d27 + vadd.i64 d19,d30 + vshr.u64 d24,d23,#14 @ 29 +#if 29<16 + vld1.64 {d13},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d23,#18 + vshr.u64 d26,d23,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d23,#50 + vsli.64 d25,d23,#46 + vsli.64 d26,d23,#23 +#if 29<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d18 + veor d29,d16,d17 + veor d24,d25 + vand d29,d23 + veor d24,d26 @ Sigma1(e) + veor d29,d17 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d19,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d19,#34 + vshr.u64 d26,d19,#39 + vsli.64 d24,d19,#36 + vsli.64 d25,d19,#30 + vsli.64 d26,d19,#25 + vadd.i64 d27,d13 + vorr d30,d19,d21 + vand d29,d19,d21 + veor d18,d24,d25 + vand d30,d20 + veor d18,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d18,d27 + vadd.i64 d22,d27 + vadd.i64 d18,d30 + vshr.u64 q12,q6,#19 + vshr.u64 q13,q6,#61 + vshr.u64 q15,q6,#6 + vsli.64 q12,q6,#45 + vext.8 q14,q7,q0,#8 @ X[i+1] + vsli.64 q13,q6,#3 + veor q15,q12 + vshr.u64 q12,q14,#1 + veor q15,q13 @ sigma1(X[i+14]) + vshr.u64 q13,q14,#8 + vadd.i64 q7,q15 + vshr.u64 q15,q14,#7 + vsli.64 q12,q14,#63 + vsli.64 q13,q14,#56 + vext.8 q14,q3,q4,#8 @ X[i+9] + veor q15,q12 + vshr.u64 d24,d22,#14 @ from NEON_00_15 + vadd.i64 q7,q14 + vshr.u64 d25,d22,#18 @ from NEON_00_15 + veor q15,q13 @ sigma0(X[i+1]) + vshr.u64 d26,d22,#41 @ from 
NEON_00_15 + vadd.i64 q7,q15 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d22,#50 + vsli.64 d25,d22,#46 + vsli.64 d26,d22,#23 +#if 30<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d17 + veor d29,d23,d16 + veor d24,d25 + vand d29,d22 + veor d24,d26 @ Sigma1(e) + veor d29,d16 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d18,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d18,#34 + vshr.u64 d26,d18,#39 + vsli.64 d24,d18,#36 + vsli.64 d25,d18,#30 + vsli.64 d26,d18,#25 + vadd.i64 d27,d14 + vorr d30,d18,d20 + vand d29,d18,d20 + veor d17,d24,d25 + vand d30,d19 + veor d17,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d17,d27 + vadd.i64 d21,d27 + vadd.i64 d17,d30 + vshr.u64 d24,d21,#14 @ 31 +#if 31<16 + vld1.64 {d15},[r1]! @ handles unaligned +#endif + vshr.u64 d25,d21,#18 + vshr.u64 d26,d21,#41 + vld1.64 {d28},[r3,:64]! @ K[i++] + vsli.64 d24,d21,#50 + vsli.64 d25,d21,#46 + vsli.64 d26,d21,#23 +#if 31<16 && defined(__ARMEL__) + vrev64.8 , +#endif + vadd.i64 d27,d28,d16 + veor d29,d22,d23 + veor d24,d25 + vand d29,d21 + veor d24,d26 @ Sigma1(e) + veor d29,d23 @ Ch(e,f,g) + vadd.i64 d27,d24 + vshr.u64 d24,d17,#28 + vadd.i64 d27,d29 + vshr.u64 d25,d17,#34 + vshr.u64 d26,d17,#39 + vsli.64 d24,d17,#36 + vsli.64 d25,d17,#30 + vsli.64 d26,d17,#25 + vadd.i64 d27,d15 + vorr d30,d17,d19 + vand d29,d17,d19 + veor d16,d24,d25 + vand d30,d18 + veor d16,d26 @ Sigma0(a) + vorr d30,d29 @ Maj(a,b,c) + vadd.i64 d16,d27 + vadd.i64 d20,d27 + vadd.i64 d16,d30 + bne .L16_79_neon + + vldmia r0,{d24-d31} @ load context to temp + vadd.i64 q8,q12 @ vectorized accumulate + vadd.i64 q9,q13 + vadd.i64 q10,q14 + vadd.i64 q11,q15 + vstmia r0,{d16-d23} @ save context + teq r1,r2 + sub r3,#640 @ rewind K512 + bne .Loop_neon + + vldmia sp!,{d8-d15} @ epilogue + .word 0xe12fff1e +#endif +.size sha512_block_data_order,.-sha512_block_data_order +.asciz "SHA512 block transform for ARMv4/NEON, CRYPTOGAMS by " +.align 2 +.comm OPENSSL_armcap_P,4,4 +#if defined(HAVE_GNU_STACK) +.section 
.note.GNU-stack,"",%progbits +#endif diff --git a/crypto/sha/sha512-masm-x86_64.S b/crypto/sha/sha512-masm-x86_64.S new file mode 100644 index 0000000..4a2b9af --- /dev/null +++ b/crypto/sha/sha512-masm-x86_64.S 
@@ -0,0 +1,1888 @@ +; 1 "crypto/sha/sha512-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/sha/sha512-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/sha/sha512-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' + +PUBLIC sha512_block_data_order + +ALIGN 16 +sha512_block_data_order PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_sha512_block_data_order:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + mov rcx,r9 + + + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + mov r11,rsp + shl rdx,4 + sub rsp,16*8+4*8 + lea rdx,QWORD PTR[rdx*8+rsi] + and rsp,-64 + mov QWORD PTR[((128+0))+rsp],rdi + mov QWORD PTR[((128+8))+rsp],rsi + mov QWORD PTR[((128+16))+rsp],rdx + mov QWORD PTR[((128+24))+rsp],r11 +$L$prologue:: + + lea rbp,QWORD PTR[K512] + + mov rax,QWORD PTR[rdi] + mov rbx,QWORD PTR[8+rdi] + mov rcx,QWORD PTR[16+rdi] + mov rdx,QWORD PTR[24+rdi] + mov r8,QWORD PTR[32+rdi] + mov r9,QWORD PTR[40+rdi] + mov r10,QWORD PTR[48+rdi] + mov r11,QWORD PTR[56+rdi] + jmp $L$loop + +ALIGN 16 +$L$loop:: + xor rdi,rdi + mov r12,QWORD PTR[rsi] + mov r13,r8 + mov r14,rax + bswap r12 + ror r13,23 + mov r15,r9 + mov QWORD PTR[rsp],r12 + + ror r14,5 + xor r13,r8 + xor r15,r10 + + ror r13,4 + add r12,r11 + xor r14,rax + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r8 + mov r11,rbx + + ror r14,6 + xor r13,r8 + xor r15,r10 + + xor r11,rcx + xor r14,rax + add r12,r15 + mov r15,rbx + + ror r13,14 + and r11,rax + and r15,rcx + + ror r14,28 + add r12,r13 + add r11,r15 + + add rdx,r12 + add r11,r12 + lea rdi,QWORD PTR[1+rdi] + add r11,r14 + + mov r12,QWORD PTR[8+rsi] + mov r13,rdx + mov r14,r11 + bswap r12 + ror r13,23 + mov r15,r8 + mov QWORD PTR[8+rsp],r12 + + ror r14,5 + xor r13,rdx + xor 
r15,r9 + + ror r13,4 + add r12,r10 + xor r14,r11 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rdx + mov r10,rax + + ror r14,6 + xor r13,rdx + xor r15,r9 + + xor r10,rbx + xor r14,r11 + add r12,r15 + mov r15,rax + + ror r13,14 + and r10,r11 + and r15,rbx + + ror r14,28 + add r12,r13 + add r10,r15 + + add rcx,r12 + add r10,r12 + lea rdi,QWORD PTR[1+rdi] + add r10,r14 + + mov r12,QWORD PTR[16+rsi] + mov r13,rcx + mov r14,r10 + bswap r12 + ror r13,23 + mov r15,rdx + mov QWORD PTR[16+rsp],r12 + + ror r14,5 + xor r13,rcx + xor r15,r8 + + ror r13,4 + add r12,r9 + xor r14,r10 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rcx + mov r9,r11 + + ror r14,6 + xor r13,rcx + xor r15,r8 + + xor r9,rax + xor r14,r10 + add r12,r15 + mov r15,r11 + + ror r13,14 + and r9,r10 + and r15,rax + + ror r14,28 + add r12,r13 + add r9,r15 + + add rbx,r12 + add r9,r12 + lea rdi,QWORD PTR[1+rdi] + add r9,r14 + + mov r12,QWORD PTR[24+rsi] + mov r13,rbx + mov r14,r9 + bswap r12 + ror r13,23 + mov r15,rcx + mov QWORD PTR[24+rsp],r12 + + ror r14,5 + xor r13,rbx + xor r15,rdx + + ror r13,4 + add r12,r8 + xor r14,r9 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rbx + mov r8,r10 + + ror r14,6 + xor r13,rbx + xor r15,rdx + + xor r8,r11 + xor r14,r9 + add r12,r15 + mov r15,r10 + + ror r13,14 + and r8,r9 + and r15,r11 + + ror r14,28 + add r12,r13 + add r8,r15 + + add rax,r12 + add r8,r12 + lea rdi,QWORD PTR[1+rdi] + add r8,r14 + + mov r12,QWORD PTR[32+rsi] + mov r13,rax + mov r14,r8 + bswap r12 + ror r13,23 + mov r15,rbx + mov QWORD PTR[32+rsp],r12 + + ror r14,5 + xor r13,rax + xor r15,rcx + + ror r13,4 + add r12,rdx + xor r14,r8 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rax + mov rdx,r9 + + ror r14,6 + xor r13,rax + xor r15,rcx + + xor rdx,r10 + xor r14,r8 + add r12,r15 + mov r15,r9 + + ror r13,14 + and rdx,r8 + and r15,r10 + + ror r14,28 + add r12,r13 + add rdx,r15 + + add r11,r12 + add rdx,r12 + lea rdi,QWORD PTR[1+rdi] + add rdx,r14 + + mov r12,QWORD PTR[40+rsi] + mov r13,r11 + mov r14,rdx + bswap r12 + ror 
r13,23 + mov r15,rax + mov QWORD PTR[40+rsp],r12 + + ror r14,5 + xor r13,r11 + xor r15,rbx + + ror r13,4 + add r12,rcx + xor r14,rdx + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r11 + mov rcx,r8 + + ror r14,6 + xor r13,r11 + xor r15,rbx + + xor rcx,r9 + xor r14,rdx + add r12,r15 + mov r15,r8 + + ror r13,14 + and rcx,rdx + and r15,r9 + + ror r14,28 + add r12,r13 + add rcx,r15 + + add r10,r12 + add rcx,r12 + lea rdi,QWORD PTR[1+rdi] + add rcx,r14 + + mov r12,QWORD PTR[48+rsi] + mov r13,r10 + mov r14,rcx + bswap r12 + ror r13,23 + mov r15,r11 + mov QWORD PTR[48+rsp],r12 + + ror r14,5 + xor r13,r10 + xor r15,rax + + ror r13,4 + add r12,rbx + xor r14,rcx + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r10 + mov rbx,rdx + + ror r14,6 + xor r13,r10 + xor r15,rax + + xor rbx,r8 + xor r14,rcx + add r12,r15 + mov r15,rdx + + ror r13,14 + and rbx,rcx + and r15,r8 + + ror r14,28 + add r12,r13 + add rbx,r15 + + add r9,r12 + add rbx,r12 + lea rdi,QWORD PTR[1+rdi] + add rbx,r14 + + mov r12,QWORD PTR[56+rsi] + mov r13,r9 + mov r14,rbx + bswap r12 + ror r13,23 + mov r15,r10 + mov QWORD PTR[56+rsp],r12 + + ror r14,5 + xor r13,r9 + xor r15,r11 + + ror r13,4 + add r12,rax + xor r14,rbx + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r9 + mov rax,rcx + + ror r14,6 + xor r13,r9 + xor r15,r11 + + xor rax,rdx + xor r14,rbx + add r12,r15 + mov r15,rcx + + ror r13,14 + and rax,rbx + and r15,rdx + + ror r14,28 + add r12,r13 + add rax,r15 + + add r8,r12 + add rax,r12 + lea rdi,QWORD PTR[1+rdi] + add rax,r14 + + mov r12,QWORD PTR[64+rsi] + mov r13,r8 + mov r14,rax + bswap r12 + ror r13,23 + mov r15,r9 + mov QWORD PTR[64+rsp],r12 + + ror r14,5 + xor r13,r8 + xor r15,r10 + + ror r13,4 + add r12,r11 + xor r14,rax + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r8 + mov r11,rbx + + ror r14,6 + xor r13,r8 + xor r15,r10 + + xor r11,rcx + xor r14,rax + add r12,r15 + mov r15,rbx + + ror r13,14 + and r11,rax + and r15,rcx + + ror r14,28 + add r12,r13 + add r11,r15 + + add rdx,r12 + add r11,r12 + lea rdi,QWORD 
PTR[1+rdi] + add r11,r14 + + mov r12,QWORD PTR[72+rsi] + mov r13,rdx + mov r14,r11 + bswap r12 + ror r13,23 + mov r15,r8 + mov QWORD PTR[72+rsp],r12 + + ror r14,5 + xor r13,rdx + xor r15,r9 + + ror r13,4 + add r12,r10 + xor r14,r11 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rdx + mov r10,rax + + ror r14,6 + xor r13,rdx + xor r15,r9 + + xor r10,rbx + xor r14,r11 + add r12,r15 + mov r15,rax + + ror r13,14 + and r10,r11 + and r15,rbx + + ror r14,28 + add r12,r13 + add r10,r15 + + add rcx,r12 + add r10,r12 + lea rdi,QWORD PTR[1+rdi] + add r10,r14 + + mov r12,QWORD PTR[80+rsi] + mov r13,rcx + mov r14,r10 + bswap r12 + ror r13,23 + mov r15,rdx + mov QWORD PTR[80+rsp],r12 + + ror r14,5 + xor r13,rcx + xor r15,r8 + + ror r13,4 + add r12,r9 + xor r14,r10 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rcx + mov r9,r11 + + ror r14,6 + xor r13,rcx + xor r15,r8 + + xor r9,rax + xor r14,r10 + add r12,r15 + mov r15,r11 + + ror r13,14 + and r9,r10 + and r15,rax + + ror r14,28 + add r12,r13 + add r9,r15 + + add rbx,r12 + add r9,r12 + lea rdi,QWORD PTR[1+rdi] + add r9,r14 + + mov r12,QWORD PTR[88+rsi] + mov r13,rbx + mov r14,r9 + bswap r12 + ror r13,23 + mov r15,rcx + mov QWORD PTR[88+rsp],r12 + + ror r14,5 + xor r13,rbx + xor r15,rdx + + ror r13,4 + add r12,r8 + xor r14,r9 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rbx + mov r8,r10 + + ror r14,6 + xor r13,rbx + xor r15,rdx + + xor r8,r11 + xor r14,r9 + add r12,r15 + mov r15,r10 + + ror r13,14 + and r8,r9 + and r15,r11 + + ror r14,28 + add r12,r13 + add r8,r15 + + add rax,r12 + add r8,r12 + lea rdi,QWORD PTR[1+rdi] + add r8,r14 + + mov r12,QWORD PTR[96+rsi] + mov r13,rax + mov r14,r8 + bswap r12 + ror r13,23 + mov r15,rbx + mov QWORD PTR[96+rsp],r12 + + ror r14,5 + xor r13,rax + xor r15,rcx + + ror r13,4 + add r12,rdx + xor r14,r8 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rax + mov rdx,r9 + + ror r14,6 + xor r13,rax + xor r15,rcx + + xor rdx,r10 + xor r14,r8 + add r12,r15 + mov r15,r9 + + ror r13,14 + and rdx,r8 + and r15,r10 + + ror 
r14,28 + add r12,r13 + add rdx,r15 + + add r11,r12 + add rdx,r12 + lea rdi,QWORD PTR[1+rdi] + add rdx,r14 + + mov r12,QWORD PTR[104+rsi] + mov r13,r11 + mov r14,rdx + bswap r12 + ror r13,23 + mov r15,rax + mov QWORD PTR[104+rsp],r12 + + ror r14,5 + xor r13,r11 + xor r15,rbx + + ror r13,4 + add r12,rcx + xor r14,rdx + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r11 + mov rcx,r8 + + ror r14,6 + xor r13,r11 + xor r15,rbx + + xor rcx,r9 + xor r14,rdx + add r12,r15 + mov r15,r8 + + ror r13,14 + and rcx,rdx + and r15,r9 + + ror r14,28 + add r12,r13 + add rcx,r15 + + add r10,r12 + add rcx,r12 + lea rdi,QWORD PTR[1+rdi] + add rcx,r14 + + mov r12,QWORD PTR[112+rsi] + mov r13,r10 + mov r14,rcx + bswap r12 + ror r13,23 + mov r15,r11 + mov QWORD PTR[112+rsp],r12 + + ror r14,5 + xor r13,r10 + xor r15,rax + + ror r13,4 + add r12,rbx + xor r14,rcx + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r10 + mov rbx,rdx + + ror r14,6 + xor r13,r10 + xor r15,rax + + xor rbx,r8 + xor r14,rcx + add r12,r15 + mov r15,rdx + + ror r13,14 + and rbx,rcx + and r15,r8 + + ror r14,28 + add r12,r13 + add rbx,r15 + + add r9,r12 + add rbx,r12 + lea rdi,QWORD PTR[1+rdi] + add rbx,r14 + + mov r12,QWORD PTR[120+rsi] + mov r13,r9 + mov r14,rbx + bswap r12 + ror r13,23 + mov r15,r10 + mov QWORD PTR[120+rsp],r12 + + ror r14,5 + xor r13,r9 + xor r15,r11 + + ror r13,4 + add r12,rax + xor r14,rbx + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r9 + mov rax,rcx + + ror r14,6 + xor r13,r9 + xor r15,r11 + + xor rax,rdx + xor r14,rbx + add r12,r15 + mov r15,rcx + + ror r13,14 + and rax,rbx + and r15,rdx + + ror r14,28 + add r12,r13 + add rax,r15 + + add r8,r12 + add rax,r12 + lea rdi,QWORD PTR[1+rdi] + add rax,r14 + + jmp $L$rounds_16_xx +ALIGN 16 +$L$rounds_16_xx:: + mov r13,QWORD PTR[8+rsp] + mov r14,QWORD PTR[112+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[72+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + 
+ add r12,QWORD PTR[rsp] + mov r13,r8 + add r12,r14 + mov r14,rax + ror r13,23 + mov r15,r9 + mov QWORD PTR[rsp],r12 + + ror r14,5 + xor r13,r8 + xor r15,r10 + + ror r13,4 + add r12,r11 + xor r14,rax + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r8 + mov r11,rbx + + ror r14,6 + xor r13,r8 + xor r15,r10 + + xor r11,rcx + xor r14,rax + add r12,r15 + mov r15,rbx + + ror r13,14 + and r11,rax + and r15,rcx + + ror r14,28 + add r12,r13 + add r11,r15 + + add rdx,r12 + add r11,r12 + lea rdi,QWORD PTR[1+rdi] + add r11,r14 + + mov r13,QWORD PTR[16+rsp] + mov r14,QWORD PTR[120+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[80+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[8+rsp] + mov r13,rdx + add r12,r14 + mov r14,r11 + ror r13,23 + mov r15,r8 + mov QWORD PTR[8+rsp],r12 + + ror r14,5 + xor r13,rdx + xor r15,r9 + + ror r13,4 + add r12,r10 + xor r14,r11 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rdx + mov r10,rax + + ror r14,6 + xor r13,rdx + xor r15,r9 + + xor r10,rbx + xor r14,r11 + add r12,r15 + mov r15,rax + + ror r13,14 + and r10,r11 + and r15,rbx + + ror r14,28 + add r12,r13 + add r10,r15 + + add rcx,r12 + add r10,r12 + lea rdi,QWORD PTR[1+rdi] + add r10,r14 + + mov r13,QWORD PTR[24+rsp] + mov r14,QWORD PTR[rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[88+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[16+rsp] + mov r13,rcx + add r12,r14 + mov r14,r10 + ror r13,23 + mov r15,rdx + mov QWORD PTR[16+rsp],r12 + + ror r14,5 + xor r13,rcx + xor r15,r8 + + ror r13,4 + add r12,r9 + xor r14,r10 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rcx + mov r9,r11 + + ror r14,6 + xor r13,rcx + xor r15,r8 + + xor r9,rax + xor r14,r10 + add r12,r15 + mov r15,r11 + + ror r13,14 + and r9,r10 + and r15,rax + + ror r14,28 + add 
r12,r13 + add r9,r15 + + add rbx,r12 + add r9,r12 + lea rdi,QWORD PTR[1+rdi] + add r9,r14 + + mov r13,QWORD PTR[32+rsp] + mov r14,QWORD PTR[8+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[96+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[24+rsp] + mov r13,rbx + add r12,r14 + mov r14,r9 + ror r13,23 + mov r15,rcx + mov QWORD PTR[24+rsp],r12 + + ror r14,5 + xor r13,rbx + xor r15,rdx + + ror r13,4 + add r12,r8 + xor r14,r9 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rbx + mov r8,r10 + + ror r14,6 + xor r13,rbx + xor r15,rdx + + xor r8,r11 + xor r14,r9 + add r12,r15 + mov r15,r10 + + ror r13,14 + and r8,r9 + and r15,r11 + + ror r14,28 + add r12,r13 + add r8,r15 + + add rax,r12 + add r8,r12 + lea rdi,QWORD PTR[1+rdi] + add r8,r14 + + mov r13,QWORD PTR[40+rsp] + mov r14,QWORD PTR[16+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[104+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[32+rsp] + mov r13,rax + add r12,r14 + mov r14,r8 + ror r13,23 + mov r15,rbx + mov QWORD PTR[32+rsp],r12 + + ror r14,5 + xor r13,rax + xor r15,rcx + + ror r13,4 + add r12,rdx + xor r14,r8 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rax + mov rdx,r9 + + ror r14,6 + xor r13,rax + xor r15,rcx + + xor rdx,r10 + xor r14,r8 + add r12,r15 + mov r15,r9 + + ror r13,14 + and rdx,r8 + and r15,r10 + + ror r14,28 + add r12,r13 + add rdx,r15 + + add r11,r12 + add rdx,r12 + lea rdi,QWORD PTR[1+rdi] + add rdx,r14 + + mov r13,QWORD PTR[48+rsp] + mov r14,QWORD PTR[24+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[112+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[40+rsp] + mov r13,r11 + add r12,r14 + mov 
r14,rdx + ror r13,23 + mov r15,rax + mov QWORD PTR[40+rsp],r12 + + ror r14,5 + xor r13,r11 + xor r15,rbx + + ror r13,4 + add r12,rcx + xor r14,rdx + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r11 + mov rcx,r8 + + ror r14,6 + xor r13,r11 + xor r15,rbx + + xor rcx,r9 + xor r14,rdx + add r12,r15 + mov r15,r8 + + ror r13,14 + and rcx,rdx + and r15,r9 + + ror r14,28 + add r12,r13 + add rcx,r15 + + add r10,r12 + add rcx,r12 + lea rdi,QWORD PTR[1+rdi] + add rcx,r14 + + mov r13,QWORD PTR[56+rsp] + mov r14,QWORD PTR[32+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[120+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[48+rsp] + mov r13,r10 + add r12,r14 + mov r14,rcx + ror r13,23 + mov r15,r11 + mov QWORD PTR[48+rsp],r12 + + ror r14,5 + xor r13,r10 + xor r15,rax + + ror r13,4 + add r12,rbx + xor r14,rcx + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r10 + mov rbx,rdx + + ror r14,6 + xor r13,r10 + xor r15,rax + + xor rbx,r8 + xor r14,rcx + add r12,r15 + mov r15,rdx + + ror r13,14 + and rbx,rcx + and r15,r8 + + ror r14,28 + add r12,r13 + add rbx,r15 + + add r9,r12 + add rbx,r12 + lea rdi,QWORD PTR[1+rdi] + add rbx,r14 + + mov r13,QWORD PTR[64+rsp] + mov r14,QWORD PTR[40+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[56+rsp] + mov r13,r9 + add r12,r14 + mov r14,rbx + ror r13,23 + mov r15,r10 + mov QWORD PTR[56+rsp],r12 + + ror r14,5 + xor r13,r9 + xor r15,r11 + + ror r13,4 + add r12,rax + xor r14,rbx + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r9 + mov rax,rcx + + ror r14,6 + xor r13,r9 + xor r15,r11 + + xor rax,rdx + xor r14,rbx + add r12,r15 + mov r15,rcx + + ror r13,14 + and rax,rbx + and r15,rdx + + ror r14,28 + add r12,r13 + add rax,r15 + + add r8,r12 + add rax,r12 
+ lea rdi,QWORD PTR[1+rdi] + add rax,r14 + + mov r13,QWORD PTR[72+rsp] + mov r14,QWORD PTR[48+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[8+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[64+rsp] + mov r13,r8 + add r12,r14 + mov r14,rax + ror r13,23 + mov r15,r9 + mov QWORD PTR[64+rsp],r12 + + ror r14,5 + xor r13,r8 + xor r15,r10 + + ror r13,4 + add r12,r11 + xor r14,rax + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r8 + mov r11,rbx + + ror r14,6 + xor r13,r8 + xor r15,r10 + + xor r11,rcx + xor r14,rax + add r12,r15 + mov r15,rbx + + ror r13,14 + and r11,rax + and r15,rcx + + ror r14,28 + add r12,r13 + add r11,r15 + + add rdx,r12 + add r11,r12 + lea rdi,QWORD PTR[1+rdi] + add r11,r14 + + mov r13,QWORD PTR[80+rsp] + mov r14,QWORD PTR[56+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[16+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[72+rsp] + mov r13,rdx + add r12,r14 + mov r14,r11 + ror r13,23 + mov r15,r8 + mov QWORD PTR[72+rsp],r12 + + ror r14,5 + xor r13,rdx + xor r15,r9 + + ror r13,4 + add r12,r10 + xor r14,r11 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rdx + mov r10,rax + + ror r14,6 + xor r13,rdx + xor r15,r9 + + xor r10,rbx + xor r14,r11 + add r12,r15 + mov r15,rax + + ror r13,14 + and r10,r11 + and r15,rbx + + ror r14,28 + add r12,r13 + add r10,r15 + + add rcx,r12 + add r10,r12 + lea rdi,QWORD PTR[1+rdi] + add r10,r14 + + mov r13,QWORD PTR[88+rsp] + mov r14,QWORD PTR[64+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[24+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[80+rsp] + mov r13,rcx + add r12,r14 + mov r14,r10 + ror r13,23 + mov r15,rdx + mov QWORD 
PTR[80+rsp],r12 + + ror r14,5 + xor r13,rcx + xor r15,r8 + + ror r13,4 + add r12,r9 + xor r14,r10 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rcx + mov r9,r11 + + ror r14,6 + xor r13,rcx + xor r15,r8 + + xor r9,rax + xor r14,r10 + add r12,r15 + mov r15,r11 + + ror r13,14 + and r9,r10 + and r15,rax + + ror r14,28 + add r12,r13 + add r9,r15 + + add rbx,r12 + add r9,r12 + lea rdi,QWORD PTR[1+rdi] + add r9,r14 + + mov r13,QWORD PTR[96+rsp] + mov r14,QWORD PTR[72+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[32+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[88+rsp] + mov r13,rbx + add r12,r14 + mov r14,r9 + ror r13,23 + mov r15,rcx + mov QWORD PTR[88+rsp],r12 + + ror r14,5 + xor r13,rbx + xor r15,rdx + + ror r13,4 + add r12,r8 + xor r14,r9 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rbx + mov r8,r10 + + ror r14,6 + xor r13,rbx + xor r15,rdx + + xor r8,r11 + xor r14,r9 + add r12,r15 + mov r15,r10 + + ror r13,14 + and r8,r9 + and r15,r11 + + ror r14,28 + add r12,r13 + add r8,r15 + + add rax,r12 + add r8,r12 + lea rdi,QWORD PTR[1+rdi] + add r8,r14 + + mov r13,QWORD PTR[104+rsp] + mov r14,QWORD PTR[80+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[40+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[96+rsp] + mov r13,rax + add r12,r14 + mov r14,r8 + ror r13,23 + mov r15,rbx + mov QWORD PTR[96+rsp],r12 + + ror r14,5 + xor r13,rax + xor r15,rcx + + ror r13,4 + add r12,rdx + xor r14,r8 + + add r12,QWORD PTR[rdi*8+rbp] + and r15,rax + mov rdx,r9 + + ror r14,6 + xor r13,rax + xor r15,rcx + + xor rdx,r10 + xor r14,r8 + add r12,r15 + mov r15,r9 + + ror r13,14 + and rdx,r8 + and r15,r10 + + ror r14,28 + add r12,r13 + add rdx,r15 + + add r11,r12 + add rdx,r12 + lea rdi,QWORD PTR[1+rdi] + add rdx,r14 + + mov 
r13,QWORD PTR[112+rsp] + mov r14,QWORD PTR[88+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[48+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[104+rsp] + mov r13,r11 + add r12,r14 + mov r14,rdx + ror r13,23 + mov r15,rax + mov QWORD PTR[104+rsp],r12 + + ror r14,5 + xor r13,r11 + xor r15,rbx + + ror r13,4 + add r12,rcx + xor r14,rdx + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r11 + mov rcx,r8 + + ror r14,6 + xor r13,r11 + xor r15,rbx + + xor rcx,r9 + xor r14,rdx + add r12,r15 + mov r15,r8 + + ror r13,14 + and rcx,rdx + and r15,r9 + + ror r14,28 + add r12,r13 + add rcx,r15 + + add r10,r12 + add rcx,r12 + lea rdi,QWORD PTR[1+rdi] + add rcx,r14 + + mov r13,QWORD PTR[120+rsp] + mov r14,QWORD PTR[96+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[56+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[112+rsp] + mov r13,r10 + add r12,r14 + mov r14,rcx + ror r13,23 + mov r15,r11 + mov QWORD PTR[112+rsp],r12 + + ror r14,5 + xor r13,r10 + xor r15,rax + + ror r13,4 + add r12,rbx + xor r14,rcx + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r10 + mov rbx,rdx + + ror r14,6 + xor r13,r10 + xor r15,rax + + xor rbx,r8 + xor r14,rcx + add r12,r15 + mov r15,rdx + + ror r13,14 + and rbx,rcx + and r15,r8 + + ror r14,28 + add r12,r13 + add rbx,r15 + + add r9,r12 + add rbx,r12 + lea rdi,QWORD PTR[1+rdi] + add rbx,r14 + + mov r13,QWORD PTR[rsp] + mov r14,QWORD PTR[104+rsp] + mov r12,r13 + mov r15,r14 + + ror r12,7 + xor r12,r13 + shr r13,7 + + ror r12,1 + xor r13,r12 + mov r12,QWORD PTR[64+rsp] + + ror r15,42 + xor r15,r14 + shr r14,6 + + ror r15,19 + add r12,r13 + xor r14,r15 + + add r12,QWORD PTR[120+rsp] + mov r13,r9 + add r12,r14 + mov r14,rbx + ror r13,23 + mov r15,r10 + mov QWORD PTR[120+rsp],r12 + + ror r14,5 + xor r13,r9 
+ xor r15,r11 + + ror r13,4 + add r12,rax + xor r14,rbx + + add r12,QWORD PTR[rdi*8+rbp] + and r15,r9 + mov rax,rcx + + ror r14,6 + xor r13,r9 + xor r15,r11 + + xor rax,rdx + xor r14,rbx + add r12,r15 + mov r15,rcx + + ror r13,14 + and rax,rbx + and r15,rdx + + ror r14,28 + add r12,r13 + add rax,r15 + + add r8,r12 + add rax,r12 + lea rdi,QWORD PTR[1+rdi] + add rax,r14 + + cmp rdi,80 + jb $L$rounds_16_xx + + mov rdi,QWORD PTR[((128+0))+rsp] + lea rsi,QWORD PTR[128+rsi] + + add rax,QWORD PTR[rdi] + add rbx,QWORD PTR[8+rdi] + add rcx,QWORD PTR[16+rdi] + add rdx,QWORD PTR[24+rdi] + add r8,QWORD PTR[32+rdi] + add r9,QWORD PTR[40+rdi] + add r10,QWORD PTR[48+rdi] + add r11,QWORD PTR[56+rdi] + + cmp rsi,QWORD PTR[((128+16))+rsp] + + mov QWORD PTR[rdi],rax + mov QWORD PTR[8+rdi],rbx + mov QWORD PTR[16+rdi],rcx + mov QWORD PTR[24+rdi],rdx + mov QWORD PTR[32+rdi],r8 + mov QWORD PTR[40+rdi],r9 + mov QWORD PTR[48+rdi],r10 + mov QWORD PTR[56+rdi],r11 + jb $L$loop + + mov rsi,QWORD PTR[((128+24))+rsp] + mov r15,QWORD PTR[rsi] + mov r14,QWORD PTR[8+rsi] + mov r13,QWORD PTR[16+rsi] + mov r12,QWORD PTR[24+rsi] + mov rbp,QWORD PTR[32+rsi] + mov rbx,QWORD PTR[40+rsi] + lea rsp,QWORD PTR[48+rsi] +$L$epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_sha512_block_data_order:: +sha512_block_data_order ENDP +ALIGN 64 + +K512:: + DQ 0428a2f98d728ae22h,07137449123ef65cdh + DQ 0b5c0fbcfec4d3b2fh,0e9b5dba58189dbbch + DQ 03956c25bf348b538h,059f111f1b605d019h + DQ 0923f82a4af194f9bh,0ab1c5ed5da6d8118h + DQ 0d807aa98a3030242h,012835b0145706fbeh + DQ 0243185be4ee4b28ch,0550c7dc3d5ffb4e2h + DQ 072be5d74f27b896fh,080deb1fe3b1696b1h + DQ 09bdc06a725c71235h,0c19bf174cf692694h + DQ 0e49b69c19ef14ad2h,0efbe4786384f25e3h + DQ 00fc19dc68b8cd5b5h,0240ca1cc77ac9c65h + DQ 02de92c6f592b0275h,04a7484aa6ea6e483h + DQ 05cb0a9dcbd41fbd4h,076f988da831153b5h + DQ 0983e5152ee66dfabh,0a831c66d2db43210h + DQ 0b00327c898fb213fh,0bf597fc7beef0ee4h + DQ 
0c6e00bf33da88fc2h,0d5a79147930aa725h + DQ 006ca6351e003826fh,0142929670a0e6e70h + DQ 027b70a8546d22ffch,02e1b21385c26c926h + DQ 04d2c6dfc5ac42aedh,053380d139d95b3dfh + DQ 0650a73548baf63deh,0766a0abb3c77b2a8h + DQ 081c2c92e47edaee6h,092722c851482353bh + DQ 0a2bfe8a14cf10364h,0a81a664bbc423001h + DQ 0c24b8b70d0f89791h,0c76c51a30654be30h + DQ 0d192e819d6ef5218h,0d69906245565a910h + DQ 0f40e35855771202ah,0106aa07032bbd1b8h + DQ 019a4c116b8d2d0c8h,01e376c085141ab53h + DQ 02748774cdf8eeb99h,034b0bcb5e19b48a8h + DQ 0391c0cb3c5c95a63h,04ed8aa4ae3418acbh + DQ 05b9cca4f7763e373h,0682e6ff3d6b2b8a3h + DQ 0748f82ee5defb2fch,078a5636f43172f60h + DQ 084c87814a1f0ab72h,08cc702081a6439ech + DQ 090befffa23631e28h,0a4506cebde82bde9h + DQ 0bef9a3f7b2c67915h,0c67178f2e372532bh + DQ 0ca273eceea26619ch,0d186b8c721c0c207h + DQ 0eada7dd6cde0eb1eh,0f57d4f7fee6ed178h + DQ 006f067aa72176fbah,00a637dc5a2c898a6h + DQ 0113f9804bef90daeh,01b710b35131c471bh + DQ 028db77f523047d84h,032caab7b40c72493h + DQ 03c9ebe0a15c9bebch,0431d67c49c100d4ch + DQ 04cc5d4becb3e42b6h,0597f299cfc657e2ah + DQ 05fcb6fab3ad6faech,06c44198c4a475817h + +.text$ ENDS +END + diff --git a/crypto/sha/sha512-mingw64-x86_64.S b/crypto/sha/sha512-mingw64-x86_64.S new file mode 100644 index 0000000..5153952 --- /dev/null +++ b/crypto/sha/sha512-mingw64-x86_64.S 
@@ -0,0 +1,1814 @@ +#include "x86_arch.h" +.text + +.globl sha512_block_data_order +.def sha512_block_data_order; .scl 2; .type 32; .endef +.p2align 4 +sha512_block_data_order: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_sha512_block_data_order: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + movq %r9,%rcx + + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + movq %rsp,%r11 + shlq $4,%rdx + subq $128+32,%rsp + leaq (%rsi,%rdx,8),%rdx + andq $-64,%rsp + movq %rdi,128+0(%rsp) + movq %rsi,128+8(%rsp) + movq %rdx,128+16(%rsp) + movq %r11,128+24(%rsp) +.Lprologue: + + leaq K512(%rip),%rbp + + movq 0(%rdi),%rax + movq 8(%rdi),%rbx + movq 16(%rdi),%rcx + movq 24(%rdi),%rdx + movq 32(%rdi),%r8 + movq 40(%rdi),%r9 + movq 48(%rdi),%r10 + movq 56(%rdi),%r11 + jmp .Lloop + +.p2align 4 +.Lloop: + xorq %rdi,%rdi + movq 0(%rsi),%r12 + movq %r8,%r13 + movq %rax,%r14 + bswapq %r12 + rorq $23,%r13 + movq %r9,%r15 + movq %r12,0(%rsp) + + rorq $5,%r14 + xorq %r8,%r13 + xorq %r10,%r15 + + rorq $4,%r13 + addq %r11,%r12 + xorq %rax,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %r8,%r15 + movq %rbx,%r11 + + rorq $6,%r14 + xorq %r8,%r13 + xorq %r10,%r15 + + xorq %rcx,%r11 + xorq %rax,%r14 + addq %r15,%r12 + movq %rbx,%r15 + + rorq $14,%r13 + andq %rax,%r11 + andq %rcx,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r11 + + addq %r12,%rdx + addq %r12,%r11 + leaq 1(%rdi),%rdi + addq %r14,%r11 + + movq 8(%rsi),%r12 + movq %rdx,%r13 + movq %r11,%r14 + bswapq %r12 + rorq $23,%r13 + movq %r8,%r15 + movq %r12,8(%rsp) + + rorq $5,%r14 + xorq %rdx,%r13 + xorq %r9,%r15 + + rorq $4,%r13 + addq %r10,%r12 + xorq %r11,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rdx,%r15 + movq %rax,%r10 + + rorq $6,%r14 + xorq %rdx,%r13 + xorq %r9,%r15 + + xorq %rbx,%r10 + xorq %r11,%r14 + addq %r15,%r12 + movq %rax,%r15 + + rorq $14,%r13 + andq %r11,%r10 + andq %rbx,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r10 + + addq %r12,%rcx + addq %r12,%r10 + leaq 
1(%rdi),%rdi + addq %r14,%r10 + + movq 16(%rsi),%r12 + movq %rcx,%r13 + movq %r10,%r14 + bswapq %r12 + rorq $23,%r13 + movq %rdx,%r15 + movq %r12,16(%rsp) + + rorq $5,%r14 + xorq %rcx,%r13 + xorq %r8,%r15 + + rorq $4,%r13 + addq %r9,%r12 + xorq %r10,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rcx,%r15 + movq %r11,%r9 + + rorq $6,%r14 + xorq %rcx,%r13 + xorq %r8,%r15 + + xorq %rax,%r9 + xorq %r10,%r14 + addq %r15,%r12 + movq %r11,%r15 + + rorq $14,%r13 + andq %r10,%r9 + andq %rax,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r9 + + addq %r12,%rbx + addq %r12,%r9 + leaq 1(%rdi),%rdi + addq %r14,%r9 + + movq 24(%rsi),%r12 + movq %rbx,%r13 + movq %r9,%r14 + bswapq %r12 + rorq $23,%r13 + movq %rcx,%r15 + movq %r12,24(%rsp) + + rorq $5,%r14 + xorq %rbx,%r13 + xorq %rdx,%r15 + + rorq $4,%r13 + addq %r8,%r12 + xorq %r9,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rbx,%r15 + movq %r10,%r8 + + rorq $6,%r14 + xorq %rbx,%r13 + xorq %rdx,%r15 + + xorq %r11,%r8 + xorq %r9,%r14 + addq %r15,%r12 + movq %r10,%r15 + + rorq $14,%r13 + andq %r9,%r8 + andq %r11,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r8 + + addq %r12,%rax + addq %r12,%r8 + leaq 1(%rdi),%rdi + addq %r14,%r8 + + movq 32(%rsi),%r12 + movq %rax,%r13 + movq %r8,%r14 + bswapq %r12 + rorq $23,%r13 + movq %rbx,%r15 + movq %r12,32(%rsp) + + rorq $5,%r14 + xorq %rax,%r13 + xorq %rcx,%r15 + + rorq $4,%r13 + addq %rdx,%r12 + xorq %r8,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rax,%r15 + movq %r9,%rdx + + rorq $6,%r14 + xorq %rax,%r13 + xorq %rcx,%r15 + + xorq %r10,%rdx + xorq %r8,%r14 + addq %r15,%r12 + movq %r9,%r15 + + rorq $14,%r13 + andq %r8,%rdx + andq %r10,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rdx + + addq %r12,%r11 + addq %r12,%rdx + leaq 1(%rdi),%rdi + addq %r14,%rdx + + movq 40(%rsi),%r12 + movq %r11,%r13 + movq %rdx,%r14 + bswapq %r12 + rorq $23,%r13 + movq %rax,%r15 + movq %r12,40(%rsp) + + rorq $5,%r14 + xorq %r11,%r13 + xorq %rbx,%r15 + + rorq $4,%r13 + addq %rcx,%r12 + xorq %rdx,%r14 + + 
addq (%rbp,%rdi,8),%r12 + andq %r11,%r15 + movq %r8,%rcx + + rorq $6,%r14 + xorq %r11,%r13 + xorq %rbx,%r15 + + xorq %r9,%rcx + xorq %rdx,%r14 + addq %r15,%r12 + movq %r8,%r15 + + rorq $14,%r13 + andq %rdx,%rcx + andq %r9,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rcx + + addq %r12,%r10 + addq %r12,%rcx + leaq 1(%rdi),%rdi + addq %r14,%rcx + + movq 48(%rsi),%r12 + movq %r10,%r13 + movq %rcx,%r14 + bswapq %r12 + rorq $23,%r13 + movq %r11,%r15 + movq %r12,48(%rsp) + + rorq $5,%r14 + xorq %r10,%r13 + xorq %rax,%r15 + + rorq $4,%r13 + addq %rbx,%r12 + xorq %rcx,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %r10,%r15 + movq %rdx,%rbx + + rorq $6,%r14 + xorq %r10,%r13 + xorq %rax,%r15 + + xorq %r8,%rbx + xorq %rcx,%r14 + addq %r15,%r12 + movq %rdx,%r15 + + rorq $14,%r13 + andq %rcx,%rbx + andq %r8,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rbx + + addq %r12,%r9 + addq %r12,%rbx + leaq 1(%rdi),%rdi + addq %r14,%rbx + + movq 56(%rsi),%r12 + movq %r9,%r13 + movq %rbx,%r14 + bswapq %r12 + rorq $23,%r13 + movq %r10,%r15 + movq %r12,56(%rsp) + + rorq $5,%r14 + xorq %r9,%r13 + xorq %r11,%r15 + + rorq $4,%r13 + addq %rax,%r12 + xorq %rbx,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %r9,%r15 + movq %rcx,%rax + + rorq $6,%r14 + xorq %r9,%r13 + xorq %r11,%r15 + + xorq %rdx,%rax + xorq %rbx,%r14 + addq %r15,%r12 + movq %rcx,%r15 + + rorq $14,%r13 + andq %rbx,%rax + andq %rdx,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rax + + addq %r12,%r8 + addq %r12,%rax + leaq 1(%rdi),%rdi + addq %r14,%rax + + movq 64(%rsi),%r12 + movq %r8,%r13 + movq %rax,%r14 + bswapq %r12 + rorq $23,%r13 + movq %r9,%r15 + movq %r12,64(%rsp) + + rorq $5,%r14 + xorq %r8,%r13 + xorq %r10,%r15 + + rorq $4,%r13 + addq %r11,%r12 + xorq %rax,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %r8,%r15 + movq %rbx,%r11 + + rorq $6,%r14 + xorq %r8,%r13 + xorq %r10,%r15 + + xorq %rcx,%r11 + xorq %rax,%r14 + addq %r15,%r12 + movq %rbx,%r15 + + rorq $14,%r13 + andq %rax,%r11 + andq %rcx,%r15 + + rorq $28,%r14 + addq 
%r13,%r12 + addq %r15,%r11 + + addq %r12,%rdx + addq %r12,%r11 + leaq 1(%rdi),%rdi + addq %r14,%r11 + + movq 72(%rsi),%r12 + movq %rdx,%r13 + movq %r11,%r14 + bswapq %r12 + rorq $23,%r13 + movq %r8,%r15 + movq %r12,72(%rsp) + + rorq $5,%r14 + xorq %rdx,%r13 + xorq %r9,%r15 + + rorq $4,%r13 + addq %r10,%r12 + xorq %r11,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rdx,%r15 + movq %rax,%r10 + + rorq $6,%r14 + xorq %rdx,%r13 + xorq %r9,%r15 + + xorq %rbx,%r10 + xorq %r11,%r14 + addq %r15,%r12 + movq %rax,%r15 + + rorq $14,%r13 + andq %r11,%r10 + andq %rbx,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r10 + + addq %r12,%rcx + addq %r12,%r10 + leaq 1(%rdi),%rdi + addq %r14,%r10 + + movq 80(%rsi),%r12 + movq %rcx,%r13 + movq %r10,%r14 + bswapq %r12 + rorq $23,%r13 + movq %rdx,%r15 + movq %r12,80(%rsp) + + rorq $5,%r14 + xorq %rcx,%r13 + xorq %r8,%r15 + + rorq $4,%r13 + addq %r9,%r12 + xorq %r10,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rcx,%r15 + movq %r11,%r9 + + rorq $6,%r14 + xorq %rcx,%r13 + xorq %r8,%r15 + + xorq %rax,%r9 + xorq %r10,%r14 + addq %r15,%r12 + movq %r11,%r15 + + rorq $14,%r13 + andq %r10,%r9 + andq %rax,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r9 + + addq %r12,%rbx + addq %r12,%r9 + leaq 1(%rdi),%rdi + addq %r14,%r9 + + movq 88(%rsi),%r12 + movq %rbx,%r13 + movq %r9,%r14 + bswapq %r12 + rorq $23,%r13 + movq %rcx,%r15 + movq %r12,88(%rsp) + + rorq $5,%r14 + xorq %rbx,%r13 + xorq %rdx,%r15 + + rorq $4,%r13 + addq %r8,%r12 + xorq %r9,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rbx,%r15 + movq %r10,%r8 + + rorq $6,%r14 + xorq %rbx,%r13 + xorq %rdx,%r15 + + xorq %r11,%r8 + xorq %r9,%r14 + addq %r15,%r12 + movq %r10,%r15 + + rorq $14,%r13 + andq %r9,%r8 + andq %r11,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r8 + + addq %r12,%rax + addq %r12,%r8 + leaq 1(%rdi),%rdi + addq %r14,%r8 + + movq 96(%rsi),%r12 + movq %rax,%r13 + movq %r8,%r14 + bswapq %r12 + rorq $23,%r13 + movq %rbx,%r15 + movq %r12,96(%rsp) + + rorq $5,%r14 + xorq %rax,%r13 + 
xorq %rcx,%r15 + + rorq $4,%r13 + addq %rdx,%r12 + xorq %r8,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rax,%r15 + movq %r9,%rdx + + rorq $6,%r14 + xorq %rax,%r13 + xorq %rcx,%r15 + + xorq %r10,%rdx + xorq %r8,%r14 + addq %r15,%r12 + movq %r9,%r15 + + rorq $14,%r13 + andq %r8,%rdx + andq %r10,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rdx + + addq %r12,%r11 + addq %r12,%rdx + leaq 1(%rdi),%rdi + addq %r14,%rdx + + movq 104(%rsi),%r12 + movq %r11,%r13 + movq %rdx,%r14 + bswapq %r12 + rorq $23,%r13 + movq %rax,%r15 + movq %r12,104(%rsp) + + rorq $5,%r14 + xorq %r11,%r13 + xorq %rbx,%r15 + + rorq $4,%r13 + addq %rcx,%r12 + xorq %rdx,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %r11,%r15 + movq %r8,%rcx + + rorq $6,%r14 + xorq %r11,%r13 + xorq %rbx,%r15 + + xorq %r9,%rcx + xorq %rdx,%r14 + addq %r15,%r12 + movq %r8,%r15 + + rorq $14,%r13 + andq %rdx,%rcx + andq %r9,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rcx + + addq %r12,%r10 + addq %r12,%rcx + leaq 1(%rdi),%rdi + addq %r14,%rcx + + movq 112(%rsi),%r12 + movq %r10,%r13 + movq %rcx,%r14 + bswapq %r12 + rorq $23,%r13 + movq %r11,%r15 + movq %r12,112(%rsp) + + rorq $5,%r14 + xorq %r10,%r13 + xorq %rax,%r15 + + rorq $4,%r13 + addq %rbx,%r12 + xorq %rcx,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %r10,%r15 + movq %rdx,%rbx + + rorq $6,%r14 + xorq %r10,%r13 + xorq %rax,%r15 + + xorq %r8,%rbx + xorq %rcx,%r14 + addq %r15,%r12 + movq %rdx,%r15 + + rorq $14,%r13 + andq %rcx,%rbx + andq %r8,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rbx + + addq %r12,%r9 + addq %r12,%rbx + leaq 1(%rdi),%rdi + addq %r14,%rbx + + movq 120(%rsi),%r12 + movq %r9,%r13 + movq %rbx,%r14 + bswapq %r12 + rorq $23,%r13 + movq %r10,%r15 + movq %r12,120(%rsp) + + rorq $5,%r14 + xorq %r9,%r13 + xorq %r11,%r15 + + rorq $4,%r13 + addq %rax,%r12 + xorq %rbx,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %r9,%r15 + movq %rcx,%rax + + rorq $6,%r14 + xorq %r9,%r13 + xorq %r11,%r15 + + xorq %rdx,%rax + xorq %rbx,%r14 + addq %r15,%r12 + movq %rcx,%r15 
+ + rorq $14,%r13 + andq %rbx,%rax + andq %rdx,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rax + + addq %r12,%r8 + addq %r12,%rax + leaq 1(%rdi),%rdi + addq %r14,%rax + + jmp .Lrounds_16_xx +.p2align 4 +.Lrounds_16_xx: + movq 8(%rsp),%r13 + movq 112(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 72(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 0(%rsp),%r12 + movq %r8,%r13 + addq %r14,%r12 + movq %rax,%r14 + rorq $23,%r13 + movq %r9,%r15 + movq %r12,0(%rsp) + + rorq $5,%r14 + xorq %r8,%r13 + xorq %r10,%r15 + + rorq $4,%r13 + addq %r11,%r12 + xorq %rax,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %r8,%r15 + movq %rbx,%r11 + + rorq $6,%r14 + xorq %r8,%r13 + xorq %r10,%r15 + + xorq %rcx,%r11 + xorq %rax,%r14 + addq %r15,%r12 + movq %rbx,%r15 + + rorq $14,%r13 + andq %rax,%r11 + andq %rcx,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r11 + + addq %r12,%rdx + addq %r12,%r11 + leaq 1(%rdi),%rdi + addq %r14,%r11 + + movq 16(%rsp),%r13 + movq 120(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 80(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 8(%rsp),%r12 + movq %rdx,%r13 + addq %r14,%r12 + movq %r11,%r14 + rorq $23,%r13 + movq %r8,%r15 + movq %r12,8(%rsp) + + rorq $5,%r14 + xorq %rdx,%r13 + xorq %r9,%r15 + + rorq $4,%r13 + addq %r10,%r12 + xorq %r11,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rdx,%r15 + movq %rax,%r10 + + rorq $6,%r14 + xorq %rdx,%r13 + xorq %r9,%r15 + + xorq %rbx,%r10 + xorq %r11,%r14 + addq %r15,%r12 + movq %rax,%r15 + + rorq $14,%r13 + andq %r11,%r10 + andq %rbx,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r10 + + addq %r12,%rcx + addq %r12,%r10 + leaq 1(%rdi),%rdi + addq %r14,%r10 + + movq 24(%rsp),%r13 + movq 
0(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 88(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 16(%rsp),%r12 + movq %rcx,%r13 + addq %r14,%r12 + movq %r10,%r14 + rorq $23,%r13 + movq %rdx,%r15 + movq %r12,16(%rsp) + + rorq $5,%r14 + xorq %rcx,%r13 + xorq %r8,%r15 + + rorq $4,%r13 + addq %r9,%r12 + xorq %r10,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rcx,%r15 + movq %r11,%r9 + + rorq $6,%r14 + xorq %rcx,%r13 + xorq %r8,%r15 + + xorq %rax,%r9 + xorq %r10,%r14 + addq %r15,%r12 + movq %r11,%r15 + + rorq $14,%r13 + andq %r10,%r9 + andq %rax,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r9 + + addq %r12,%rbx + addq %r12,%r9 + leaq 1(%rdi),%rdi + addq %r14,%r9 + + movq 32(%rsp),%r13 + movq 8(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 96(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 24(%rsp),%r12 + movq %rbx,%r13 + addq %r14,%r12 + movq %r9,%r14 + rorq $23,%r13 + movq %rcx,%r15 + movq %r12,24(%rsp) + + rorq $5,%r14 + xorq %rbx,%r13 + xorq %rdx,%r15 + + rorq $4,%r13 + addq %r8,%r12 + xorq %r9,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rbx,%r15 + movq %r10,%r8 + + rorq $6,%r14 + xorq %rbx,%r13 + xorq %rdx,%r15 + + xorq %r11,%r8 + xorq %r9,%r14 + addq %r15,%r12 + movq %r10,%r15 + + rorq $14,%r13 + andq %r9,%r8 + andq %r11,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r8 + + addq %r12,%rax + addq %r12,%r8 + leaq 1(%rdi),%rdi + addq %r14,%r8 + + movq 40(%rsp),%r13 + movq 16(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 104(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 
32(%rsp),%r12 + movq %rax,%r13 + addq %r14,%r12 + movq %r8,%r14 + rorq $23,%r13 + movq %rbx,%r15 + movq %r12,32(%rsp) + + rorq $5,%r14 + xorq %rax,%r13 + xorq %rcx,%r15 + + rorq $4,%r13 + addq %rdx,%r12 + xorq %r8,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rax,%r15 + movq %r9,%rdx + + rorq $6,%r14 + xorq %rax,%r13 + xorq %rcx,%r15 + + xorq %r10,%rdx + xorq %r8,%r14 + addq %r15,%r12 + movq %r9,%r15 + + rorq $14,%r13 + andq %r8,%rdx + andq %r10,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rdx + + addq %r12,%r11 + addq %r12,%rdx + leaq 1(%rdi),%rdi + addq %r14,%rdx + + movq 48(%rsp),%r13 + movq 24(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 112(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 40(%rsp),%r12 + movq %r11,%r13 + addq %r14,%r12 + movq %rdx,%r14 + rorq $23,%r13 + movq %rax,%r15 + movq %r12,40(%rsp) + + rorq $5,%r14 + xorq %r11,%r13 + xorq %rbx,%r15 + + rorq $4,%r13 + addq %rcx,%r12 + xorq %rdx,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %r11,%r15 + movq %r8,%rcx + + rorq $6,%r14 + xorq %r11,%r13 + xorq %rbx,%r15 + + xorq %r9,%rcx + xorq %rdx,%r14 + addq %r15,%r12 + movq %r8,%r15 + + rorq $14,%r13 + andq %rdx,%rcx + andq %r9,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rcx + + addq %r12,%r10 + addq %r12,%rcx + leaq 1(%rdi),%rdi + addq %r14,%rcx + + movq 56(%rsp),%r13 + movq 32(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 120(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 48(%rsp),%r12 + movq %r10,%r13 + addq %r14,%r12 + movq %rcx,%r14 + rorq $23,%r13 + movq %r11,%r15 + movq %r12,48(%rsp) + + rorq $5,%r14 + xorq %r10,%r13 + xorq %rax,%r15 + + rorq $4,%r13 + addq %rbx,%r12 + xorq %rcx,%r14 + + addq (%rbp,%rdi,8),%r12 + andq 
%r10,%r15 + movq %rdx,%rbx + + rorq $6,%r14 + xorq %r10,%r13 + xorq %rax,%r15 + + xorq %r8,%rbx + xorq %rcx,%r14 + addq %r15,%r12 + movq %rdx,%r15 + + rorq $14,%r13 + andq %rcx,%rbx + andq %r8,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rbx + + addq %r12,%r9 + addq %r12,%rbx + leaq 1(%rdi),%rdi + addq %r14,%rbx + + movq 64(%rsp),%r13 + movq 40(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 0(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 56(%rsp),%r12 + movq %r9,%r13 + addq %r14,%r12 + movq %rbx,%r14 + rorq $23,%r13 + movq %r10,%r15 + movq %r12,56(%rsp) + + rorq $5,%r14 + xorq %r9,%r13 + xorq %r11,%r15 + + rorq $4,%r13 + addq %rax,%r12 + xorq %rbx,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %r9,%r15 + movq %rcx,%rax + + rorq $6,%r14 + xorq %r9,%r13 + xorq %r11,%r15 + + xorq %rdx,%rax + xorq %rbx,%r14 + addq %r15,%r12 + movq %rcx,%r15 + + rorq $14,%r13 + andq %rbx,%rax + andq %rdx,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rax + + addq %r12,%r8 + addq %r12,%rax + leaq 1(%rdi),%rdi + addq %r14,%rax + + movq 72(%rsp),%r13 + movq 48(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 8(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 64(%rsp),%r12 + movq %r8,%r13 + addq %r14,%r12 + movq %rax,%r14 + rorq $23,%r13 + movq %r9,%r15 + movq %r12,64(%rsp) + + rorq $5,%r14 + xorq %r8,%r13 + xorq %r10,%r15 + + rorq $4,%r13 + addq %r11,%r12 + xorq %rax,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %r8,%r15 + movq %rbx,%r11 + + rorq $6,%r14 + xorq %r8,%r13 + xorq %r10,%r15 + + xorq %rcx,%r11 + xorq %rax,%r14 + addq %r15,%r12 + movq %rbx,%r15 + + rorq $14,%r13 + andq %rax,%r11 + andq %rcx,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r11 + + addq 
%r12,%rdx + addq %r12,%r11 + leaq 1(%rdi),%rdi + addq %r14,%r11 + + movq 80(%rsp),%r13 + movq 56(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 16(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 72(%rsp),%r12 + movq %rdx,%r13 + addq %r14,%r12 + movq %r11,%r14 + rorq $23,%r13 + movq %r8,%r15 + movq %r12,72(%rsp) + + rorq $5,%r14 + xorq %rdx,%r13 + xorq %r9,%r15 + + rorq $4,%r13 + addq %r10,%r12 + xorq %r11,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rdx,%r15 + movq %rax,%r10 + + rorq $6,%r14 + xorq %rdx,%r13 + xorq %r9,%r15 + + xorq %rbx,%r10 + xorq %r11,%r14 + addq %r15,%r12 + movq %rax,%r15 + + rorq $14,%r13 + andq %r11,%r10 + andq %rbx,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r10 + + addq %r12,%rcx + addq %r12,%r10 + leaq 1(%rdi),%rdi + addq %r14,%r10 + + movq 88(%rsp),%r13 + movq 64(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 24(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 80(%rsp),%r12 + movq %rcx,%r13 + addq %r14,%r12 + movq %r10,%r14 + rorq $23,%r13 + movq %rdx,%r15 + movq %r12,80(%rsp) + + rorq $5,%r14 + xorq %rcx,%r13 + xorq %r8,%r15 + + rorq $4,%r13 + addq %r9,%r12 + xorq %r10,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rcx,%r15 + movq %r11,%r9 + + rorq $6,%r14 + xorq %rcx,%r13 + xorq %r8,%r15 + + xorq %rax,%r9 + xorq %r10,%r14 + addq %r15,%r12 + movq %r11,%r15 + + rorq $14,%r13 + andq %r10,%r9 + andq %rax,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r9 + + addq %r12,%rbx + addq %r12,%r9 + leaq 1(%rdi),%rdi + addq %r14,%r9 + + movq 96(%rsp),%r13 + movq 72(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 32(%rsp),%r12 + + rorq $42,%r15 
+ xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 88(%rsp),%r12 + movq %rbx,%r13 + addq %r14,%r12 + movq %r9,%r14 + rorq $23,%r13 + movq %rcx,%r15 + movq %r12,88(%rsp) + + rorq $5,%r14 + xorq %rbx,%r13 + xorq %rdx,%r15 + + rorq $4,%r13 + addq %r8,%r12 + xorq %r9,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rbx,%r15 + movq %r10,%r8 + + rorq $6,%r14 + xorq %rbx,%r13 + xorq %rdx,%r15 + + xorq %r11,%r8 + xorq %r9,%r14 + addq %r15,%r12 + movq %r10,%r15 + + rorq $14,%r13 + andq %r9,%r8 + andq %r11,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%r8 + + addq %r12,%rax + addq %r12,%r8 + leaq 1(%rdi),%rdi + addq %r14,%r8 + + movq 104(%rsp),%r13 + movq 80(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 40(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 96(%rsp),%r12 + movq %rax,%r13 + addq %r14,%r12 + movq %r8,%r14 + rorq $23,%r13 + movq %rbx,%r15 + movq %r12,96(%rsp) + + rorq $5,%r14 + xorq %rax,%r13 + xorq %rcx,%r15 + + rorq $4,%r13 + addq %rdx,%r12 + xorq %r8,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %rax,%r15 + movq %r9,%rdx + + rorq $6,%r14 + xorq %rax,%r13 + xorq %rcx,%r15 + + xorq %r10,%rdx + xorq %r8,%r14 + addq %r15,%r12 + movq %r9,%r15 + + rorq $14,%r13 + andq %r8,%rdx + andq %r10,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rdx + + addq %r12,%r11 + addq %r12,%rdx + leaq 1(%rdi),%rdi + addq %r14,%rdx + + movq 112(%rsp),%r13 + movq 88(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 48(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 104(%rsp),%r12 + movq %r11,%r13 + addq %r14,%r12 + movq %rdx,%r14 + rorq $23,%r13 + movq %rax,%r15 + movq %r12,104(%rsp) + + rorq $5,%r14 + xorq %r11,%r13 + xorq %rbx,%r15 + 
+ rorq $4,%r13 + addq %rcx,%r12 + xorq %rdx,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %r11,%r15 + movq %r8,%rcx + + rorq $6,%r14 + xorq %r11,%r13 + xorq %rbx,%r15 + + xorq %r9,%rcx + xorq %rdx,%r14 + addq %r15,%r12 + movq %r8,%r15 + + rorq $14,%r13 + andq %rdx,%rcx + andq %r9,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rcx + + addq %r12,%r10 + addq %r12,%rcx + leaq 1(%rdi),%rdi + addq %r14,%rcx + + movq 120(%rsp),%r13 + movq 96(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 56(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 112(%rsp),%r12 + movq %r10,%r13 + addq %r14,%r12 + movq %rcx,%r14 + rorq $23,%r13 + movq %r11,%r15 + movq %r12,112(%rsp) + + rorq $5,%r14 + xorq %r10,%r13 + xorq %rax,%r15 + + rorq $4,%r13 + addq %rbx,%r12 + xorq %rcx,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %r10,%r15 + movq %rdx,%rbx + + rorq $6,%r14 + xorq %r10,%r13 + xorq %rax,%r15 + + xorq %r8,%rbx + xorq %rcx,%r14 + addq %r15,%r12 + movq %rdx,%r15 + + rorq $14,%r13 + andq %rcx,%rbx + andq %r8,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rbx + + addq %r12,%r9 + addq %r12,%rbx + leaq 1(%rdi),%rdi + addq %r14,%rbx + + movq 0(%rsp),%r13 + movq 104(%rsp),%r14 + movq %r13,%r12 + movq %r14,%r15 + + rorq $7,%r12 + xorq %r13,%r12 + shrq $7,%r13 + + rorq $1,%r12 + xorq %r12,%r13 + movq 64(%rsp),%r12 + + rorq $42,%r15 + xorq %r14,%r15 + shrq $6,%r14 + + rorq $19,%r15 + addq %r13,%r12 + xorq %r15,%r14 + + addq 120(%rsp),%r12 + movq %r9,%r13 + addq %r14,%r12 + movq %rbx,%r14 + rorq $23,%r13 + movq %r10,%r15 + movq %r12,120(%rsp) + + rorq $5,%r14 + xorq %r9,%r13 + xorq %r11,%r15 + + rorq $4,%r13 + addq %rax,%r12 + xorq %rbx,%r14 + + addq (%rbp,%rdi,8),%r12 + andq %r9,%r15 + movq %rcx,%rax + + rorq $6,%r14 + xorq %r9,%r13 + xorq %r11,%r15 + + xorq %rdx,%rax + xorq %rbx,%r14 + addq %r15,%r12 + movq %rcx,%r15 + + rorq $14,%r13 + andq 
%rbx,%rax + andq %rdx,%r15 + + rorq $28,%r14 + addq %r13,%r12 + addq %r15,%rax + + addq %r12,%r8 + addq %r12,%rax + leaq 1(%rdi),%rdi + addq %r14,%rax + + cmpq $80,%rdi + jb .Lrounds_16_xx + + movq 128+0(%rsp),%rdi + leaq 128(%rsi),%rsi + + addq 0(%rdi),%rax + addq 8(%rdi),%rbx + addq 16(%rdi),%rcx + addq 24(%rdi),%rdx + addq 32(%rdi),%r8 + addq 40(%rdi),%r9 + addq 48(%rdi),%r10 + addq 56(%rdi),%r11 + + cmpq 128+16(%rsp),%rsi + + movq %rax,0(%rdi) + movq %rbx,8(%rdi) + movq %rcx,16(%rdi) + movq %rdx,24(%rdi) + movq %r8,32(%rdi) + movq %r9,40(%rdi) + movq %r10,48(%rdi) + movq %r11,56(%rdi) + jb .Lloop + + movq 128+24(%rsp),%rsi + movq (%rsi),%r15 + movq 8(%rsi),%r14 + movq 16(%rsi),%r13 + movq 24(%rsi),%r12 + movq 32(%rsi),%rbp + movq 40(%rsi),%rbx + leaq 48(%rsi),%rsp +.Lepilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_sha512_block_data_order: +.p2align 6 + +K512: +.quad 0x428a2f98d728ae22,0x7137449123ef65cd +.quad 0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc +.quad 0x3956c25bf348b538,0x59f111f1b605d019 +.quad 0x923f82a4af194f9b,0xab1c5ed5da6d8118 +.quad 0xd807aa98a3030242,0x12835b0145706fbe +.quad 0x243185be4ee4b28c,0x550c7dc3d5ffb4e2 +.quad 0x72be5d74f27b896f,0x80deb1fe3b1696b1 +.quad 0x9bdc06a725c71235,0xc19bf174cf692694 +.quad 0xe49b69c19ef14ad2,0xefbe4786384f25e3 +.quad 0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65 +.quad 0x2de92c6f592b0275,0x4a7484aa6ea6e483 +.quad 0x5cb0a9dcbd41fbd4,0x76f988da831153b5 +.quad 0x983e5152ee66dfab,0xa831c66d2db43210 +.quad 0xb00327c898fb213f,0xbf597fc7beef0ee4 +.quad 0xc6e00bf33da88fc2,0xd5a79147930aa725 +.quad 0x06ca6351e003826f,0x142929670a0e6e70 +.quad 0x27b70a8546d22ffc,0x2e1b21385c26c926 +.quad 0x4d2c6dfc5ac42aed,0x53380d139d95b3df +.quad 0x650a73548baf63de,0x766a0abb3c77b2a8 +.quad 0x81c2c92e47edaee6,0x92722c851482353b +.quad 0xa2bfe8a14cf10364,0xa81a664bbc423001 +.quad 0xc24b8b70d0f89791,0xc76c51a30654be30 +.quad 0xd192e819d6ef5218,0xd69906245565a910 +.quad 0xf40e35855771202a,0x106aa07032bbd1b8 +.quad 
0x19a4c116b8d2d0c8,0x1e376c085141ab53 +.quad 0x2748774cdf8eeb99,0x34b0bcb5e19b48a8 +.quad 0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb +.quad 0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3 +.quad 0x748f82ee5defb2fc,0x78a5636f43172f60 +.quad 0x84c87814a1f0ab72,0x8cc702081a6439ec +.quad 0x90befffa23631e28,0xa4506cebde82bde9 +.quad 0xbef9a3f7b2c67915,0xc67178f2e372532b +.quad 0xca273eceea26619c,0xd186b8c721c0c207 +.quad 0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178 +.quad 0x06f067aa72176fba,0x0a637dc5a2c898a6 +.quad 0x113f9804bef90dae,0x1b710b35131c471b +.quad 0x28db77f523047d84,0x32caab7b40c72493 +.quad 0x3c9ebe0a15c9bebc,0x431d67c49c100d4c +.quad 0x4cc5d4becb3e42b6,0x597f299cfc657e2a +.quad 0x5fcb6fab3ad6faec,0x6c44198c4a475817 diff --git a/crypto/sm3/sm3.c b/crypto/sm3/sm3.c new file mode 100644 index 0000000..ff6240a --- /dev/null +++ b/crypto/sm3/sm3.c 
@@ -0,0 +1,206 @@
+/* $OpenBSD: sm3.c,v 1.1 2018/11/11 06:53:31 tb Exp $ */
+/*
+ * Copyright (c) 2018, Ribose Inc
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef OPENSSL_NO_SM3
+
+#include
+
+#include "sm3_locl.h"
+
+int
+SM3_Init(SM3_CTX *c)
+{
+ memset(c, 0, sizeof(*c));
+ c->A = SM3_A;
+ c->B = SM3_B;
+ c->C = SM3_C;
+ c->D = SM3_D;
+ c->E = SM3_E;
+ c->F = SM3_F;
+ c->G = SM3_G;
+ c->H = SM3_H;
+ return 1;
+}
+
+void
+SM3_block_data_order(SM3_CTX *ctx, const void *p, size_t num)
+{
+ const unsigned char *data = p;
+ SM3_WORD A, B, C, D, E, F, G, H;
+ SM3_WORD W00, W01, W02, W03, W04, W05, W06, W07;
+ SM3_WORD W08, W09, W10, W11, W12, W13, W14, W15;
+
+ while (num-- != 0) {
+ A = ctx->A;
+ B = ctx->B;
+ C = ctx->C;
+ D = ctx->D;
+ E = ctx->E;
+ F = ctx->F;
+ G = ctx->G;
+ H = ctx->H;
+
+ /*
+ * We have to load all message bytes immediately since SM3 reads
+ * them slightly out of order.
+ */
+ HOST_c2l(data, W00);
+ HOST_c2l(data, W01);
+ HOST_c2l(data, W02);
+ HOST_c2l(data, W03);
+ HOST_c2l(data, W04);
+ HOST_c2l(data, W05);
+ HOST_c2l(data, W06);
+ HOST_c2l(data, W07);
+ HOST_c2l(data, W08);
+ HOST_c2l(data, W09);
+ HOST_c2l(data, W10);
+ HOST_c2l(data, W11);
+ HOST_c2l(data, W12);
+ HOST_c2l(data, W13);
+ HOST_c2l(data, W14);
+ HOST_c2l(data, W15);
+
+ R1(A, B, C, D, E, F, G, H, 0x79cc4519, W00, W00 ^ W04);
+ W00 = EXPAND(W00, W07, W13, W03, W10);
+ R1(D, A, B, C, H, E, F, G, 0xf3988a32, W01, W01 ^ W05);
+ W01 = EXPAND(W01, W08, W14, W04, W11);
+ R1(C, D, A, B, G, H, E, F, 0xe7311465, W02, W02 ^ W06);
+ W02 = EXPAND(W02, W09, W15, W05, W12);
+ R1(B, C, D, A, F, G, H, E, 0xce6228cb, W03, W03 ^ W07);
+ W03 = EXPAND(W03, W10, W00, W06, W13);
+ R1(A, B, C, D, E, F, G, H, 0x9cc45197, W04, W04 ^ W08);
+ W04 = EXPAND(W04, W11, W01, W07, W14);
+ R1(D, A, B, C, H, E, F, G, 0x3988a32f, W05, W05 ^ W09);
+ W05 = EXPAND(W05, W12, W02, W08, W15);
+ R1(C, D, A, B, G, H, E, F, 0x7311465e, W06, W06 ^ W10);
+ W06 = EXPAND(W06, W13, W03, W09, W00);
+ R1(B, C, D, A, F, G, H, E, 0xe6228cbc, W07, W07 ^ W11);
+ W07 = EXPAND(W07, W14, W04, W10, W01);
+ R1(A, B, C, D, E, F, G, H, 0xcc451979, W08, W08 ^ W12);
+ W08 = EXPAND(W08, W15, W05, W11, W02);
+ R1(D, A, B, C, H, E, F, G, 0x988a32f3, W09, W09 ^ W13);
+ W09 = EXPAND(W09, W00, W06, W12, W03);
+ R1(C, D, A, B, G, H, E, F, 0x311465e7, W10, W10 ^ W14);
+ W10 = EXPAND(W10, W01, W07, W13, W04);
+ R1(B, C, D, A, F, G, H, E, 0x6228cbce, W11, W11 ^ W15);
+ W11 = EXPAND(W11, W02, W08, W14, W05);
+ R1(A, B, C, D, E, F, G, H, 0xc451979c, W12, W12 ^ W00);
+ W12 = EXPAND(W12, W03, W09, W15, W06);
+ R1(D, A, B, C, H, E, F, G, 0x88a32f39, W13, W13 ^ W01);
+ W13 = EXPAND(W13, W04, W10, W00, W07);
+ R1(C, D, A, B, G, H, E, F, 0x11465e73, W14, W14 ^ W02);
+ W14 = EXPAND(W14, W05, W11, W01, W08);
+ R1(B, C, D, A, F, G, H, E, 0x228cbce6, W15, W15 ^ W03);
+ W15 = EXPAND(W15, W06, W12, W02, W09);
+ R2(A, B, C, D, E, F, G, H, 0x9d8a7a87, W00, W00 ^ W04);
+ W00 = EXPAND(W00, W07, W13, W03, W10);
+ R2(D, A, B, C, H, E, F, G, 0x3b14f50f, W01, W01 ^ W05);
+ W01 = EXPAND(W01, W08, W14, W04, W11);
+ R2(C, D, A, B, G, H, E, F, 0x7629ea1e, W02, W02 ^ W06);
+ W02 = EXPAND(W02, W09, W15, W05, W12);
+ R2(B, C, D, A, F, G, H, E, 0xec53d43c, W03, W03 ^ W07);
+ W03 = EXPAND(W03, W10, W00, W06, W13);
+ R2(A, B, C, D, E, F, G, H, 0xd8a7a879, W04, W04 ^ W08);
+ W04 = EXPAND(W04, W11, W01, W07, W14);
+ R2(D, A, B, C, H, E, F, G, 0xb14f50f3, W05, W05 ^ W09);
+ W05 = EXPAND(W05, W12, W02, W08, W15);
+ R2(C, D, A, B, G, H, E, F, 0x629ea1e7, W06, W06 ^ W10);
+ W06 = EXPAND(W06, W13, W03, W09, W00);
+ R2(B, C, D, A, F, G, H, E, 0xc53d43ce, W07, W07 ^ W11);
+ W07 = EXPAND(W07, W14, W04, W10, W01);
+ R2(A, B, C, D, E, F, G, H, 0x8a7a879d, W08, W08 ^ W12);
+ W08 = EXPAND(W08, W15, W05, W11, W02);
+ R2(D, A, B, C, H, E, F, G, 0x14f50f3b, W09, W09 ^ W13);
+ W09 = EXPAND(W09, W00, W06, W12, W03);
+ R2(C, D, A, B, G, H, E, F, 0x29ea1e76, W10, W10 ^ W14);
+ W10 = EXPAND(W10, W01, W07, W13, W04);
+ R2(B, C, D, A, F, G, H, E, 0x53d43cec, W11, W11 ^ W15);
+ W11 = EXPAND(W11, W02, W08, W14, W05);
+ R2(A, B, C, D, E, F, G, H, 0xa7a879d8, W12, W12 ^ W00);
+ W12 = EXPAND(W12, W03, W09, W15, W06);
+ R2(D, A, B, C, H, E, F, G, 0x4f50f3b1, W13, W13 ^ W01);
+ W13 = EXPAND(W13, W04, W10, W00, W07);
+ R2(C, D, A, B, G, H, E, F, 0x9ea1e762, W14, W14 ^ W02);
+ W14 = EXPAND(W14, W05, W11, W01, W08);
+ R2(B, C, D, A, F, G, H, E, 0x3d43cec5, W15, W15 ^ W03);
+ W15 = EXPAND(W15, W06, W12, W02, W09);
+ R2(A, B, C, D, E, F, G, H, 0x7a879d8a, W00, W00 ^ W04);
+ W00 = EXPAND(W00, W07, W13, W03, W10);
+ R2(D, A, B, C, H, E, F, G, 0xf50f3b14, W01, W01 ^ W05);
+ W01 = EXPAND(W01, W08, W14, W04, W11);
+ R2(C, D, A, B, G, H, E, F, 0xea1e7629, W02, W02 ^ W06);
+ W02 = EXPAND(W02, W09, W15, W05, W12);
+ R2(B, C, D, A, F, G, H, E, 0xd43cec53, W03, W03 ^ W07);
+ W03 = EXPAND(W03, W10, W00, W06, W13);
+ R2(A, B, C, D, E, F, G, H, 0xa879d8a7, W04, W04 ^ W08);
+ W04 = EXPAND(W04, W11, W01, W07, W14);
+ R2(D, A, B, C, H, E, F, G, 0x50f3b14f, W05, W05 ^ W09);
+ W05 = EXPAND(W05, W12, W02, W08, W15);
+ R2(C, D, A, B, G, H, E, F, 0xa1e7629e, W06, W06 ^ W10);
+ W06 = EXPAND(W06, W13, W03, W09, W00);
+ R2(B, C, D, A, F, G, H, E, 0x43cec53d, W07, W07 ^ W11);
+ W07 = EXPAND(W07, W14, W04, W10, W01);
+ R2(A, B, C, D, E, F, G, H, 0x879d8a7a, W08, W08 ^ W12);
+ W08 = EXPAND(W08, W15, W05, W11, W02);
+ R2(D, A, B, C, H, E, F, G, 0x0f3b14f5, W09, W09 ^ W13);
+ W09 = EXPAND(W09, W00, W06, W12, W03);
+ R2(C, D, A, B, G, H, E, F, 0x1e7629ea, W10, W10 ^ W14);
+ W10 = EXPAND(W10, W01, W07, W13, W04);
+ R2(B, C, D, A, F, G, H, E, 0x3cec53d4, W11, W11 ^ W15);
+ W11 = EXPAND(W11, W02, W08, W14, W05);
+ R2(A, B, C, D, E, F, G, H, 0x79d8a7a8, W12, W12 ^ W00);
+ W12 = EXPAND(W12, W03, W09, W15, W06);
+ R2(D, A, B, C, H, E, F, G, 0xf3b14f50, W13, W13 ^ W01);
+ W13 = EXPAND(W13, W04, W10, W00, W07);
+ R2(C, D, A, B, G, H, E, F, 0xe7629ea1, W14, W14 ^ W02);
+ W14 = EXPAND(W14, W05, W11, W01, W08);
+ R2(B, C, D, A, F, G, H, E, 0xcec53d43, W15, W15 ^ W03);
+ W15 = EXPAND(W15, W06, W12, W02, W09);
+ R2(A, B, C, D, E, F, G, H, 0x9d8a7a87, W00, W00 ^ W04);
+ W00 = EXPAND(W00, W07, W13, W03, W10);
+ R2(D, A, B, C, H, E, F, G, 0x3b14f50f, W01, W01 ^ W05);
+ W01 = EXPAND(W01, W08, W14, W04, W11);
+ R2(C, D, A, B, G, H, E, F, 0x7629ea1e, W02, W02 ^ W06);
+ W02 = EXPAND(W02, W09, W15, W05, W12);
+ R2(B, C, D, A, F, G, H, E, 0xec53d43c, W03, W03 ^ W07);
+ W03 = EXPAND(W03, W10, W00, W06, W13);
+ R2(A, B, C, D, E, F, G, H, 0xd8a7a879, W04, W04 ^ W08);
+ R2(D, A, B, C, H, E, F, G, 0xb14f50f3, W05, W05 ^ W09);
+ R2(C, D, A, B, G, H, E, F, 0x629ea1e7, W06, W06 ^ W10);
+ R2(B, C, D, A, F, G, H, E, 0xc53d43ce, W07, W07 ^ W11);
+ R2(A, B, C, D, E, F, G, H, 0x8a7a879d, W08, W08 ^ W12);
+ R2(D, A, B, C, H, E, F, G, 0x14f50f3b, W09, W09 ^ W13);
+ R2(C, D, A, B, G, H, E, F, 0x29ea1e76, W10, W10 ^ W14);
+ R2(B, C, D, A, F, G, H, E, 0x53d43cec, W11, W11 ^ W15);
+ R2(A, B, C, D, E, F, G, H, 0xa7a879d8, W12, W12 ^ W00);
+ R2(D, A, B, C, H, E, F, G, 0x4f50f3b1, W13, W13 ^ W01);
+ R2(C, D, A, B, G, H, E, F, 0x9ea1e762, W14, W14 ^ W02);
+ R2(B, C, D, A, F, G, H, E, 0x3d43cec5, W15, W15 ^ W03);
+
+ ctx->A ^= A;
+ ctx->B ^= B;
+ ctx->C ^= C;
+ ctx->D ^= D;
+ ctx->E ^= E;
+ ctx->F ^= F;
+ ctx->G ^= G;
+ ctx->H ^= H;
+ }
+}
+
+#endif /* !OPENSSL_NO_SM3 */
diff --git a/crypto/sm3/sm3_locl.h b/crypto/sm3/sm3_locl.h
new file mode 100644
index 0000000..6ecf809
--- /dev/null
+++ b/crypto/sm3/sm3_locl.h
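Review bot: `SM3_block_data_order` carries no contract comment: nothing states that `num` counts 64-byte blocks (each iteration consumes sixteen 32-bit words through `HOST_c2l`) or that `p` must therefore hold at least `num * SM3_CBLOCK` bytes; I would add `/* Compress num 64-byte blocks from p into ctx; p must hold num * SM3_CBLOCK bytes. */` above the definition. The `ctx->A ^= A` … `ctx->H ^= H` feed-forward at the end of the loop is XOR, unlike the additive feed-forward in the sha512 files of this same commit, and deserves a one-line comment such as `/* SM3 feed-forward is XOR, not addition as in SHA-2 */` so a reader cross-checking against the SHA-2 code does not flag it as a bug. The two `#include` lines near the top appear on this page with their header names missing; that looks like an extraction artifact rather than a defect in the file, but whoever applies the patch should confirm the header names (the one providing `memset` among them) survived.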
@@ -0,0 +1,85 @@
+/* $OpenBSD: sm3_locl.h,v 1.1 2018/11/11 06:53:31 tb Exp $ */
+/*
+ * Copyright (c) 2018, Ribose Inc
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+
+#include
+
+#define DATA_ORDER_IS_BIG_ENDIAN
+
+#define HASH_LONG SM3_WORD
+#define HASH_CTX SM3_CTX
+#define HASH_CBLOCK SM3_CBLOCK
+#define HASH_UPDATE SM3_Update
+#define HASH_TRANSFORM SM3_Transform
+#define HASH_FINAL SM3_Final
+#define HASH_MAKE_STRING(c, s) do { \
+ unsigned long ll; \
+ ll = (c)->A; HOST_l2c(ll, (s)); \
+ ll = (c)->B; HOST_l2c(ll, (s)); \
+ ll = (c)->C; HOST_l2c(ll, (s)); \
+ ll = (c)->D; HOST_l2c(ll, (s)); \
+ ll = (c)->E; HOST_l2c(ll, (s)); \
+ ll = (c)->F; HOST_l2c(ll, (s)); \
+ ll = (c)->G; HOST_l2c(ll, (s)); \
+ ll = (c)->H; HOST_l2c(ll, (s)); \
+} while (0)
+#define HASH_BLOCK_DATA_ORDER SM3_block_data_order
+
+void SM3_block_data_order(SM3_CTX *c, const void *p, size_t num);
+void SM3_transform(SM3_CTX *c, const unsigned char *data);
+
+#include "md32_common.h"
+
+#define P0(X) (X ^ ROTATE(X, 9) ^ ROTATE(X, 17))
+#define P1(X) (X ^ ROTATE(X, 15) ^ ROTATE(X, 23))
+
+#define FF0(X, Y, Z) (X ^ Y ^ Z)
+#define GG0(X, Y, Z) (X ^ Y ^ Z)
+
+#define FF1(X, Y, Z) ((X & Y) | ((X | Y) & Z))
+#define GG1(X, Y, Z) ((Z ^ (X & (Y ^ Z))))
+
+#define EXPAND(W0, W7, W13, W3, W10) \
+ (P1(W0 ^ W7 ^ ROTATE(W13, 15)) ^ ROTATE(W3, 7) ^ W10)
+
+#define ROUND(A, B, C, D, E, F, G, H, TJ, Wi, Wj, FF, GG) do { \
+ const SM3_WORD A12 = ROTATE(A, 12); \
+ const SM3_WORD A12_SM = A12 + E + TJ; \
+ const SM3_WORD SS1 = ROTATE(A12_SM, 7); \
+ const SM3_WORD TT1 = FF(A, B, C) + D + (SS1 ^ A12) + (Wj); \
+ const SM3_WORD TT2 = GG(E, F, G) + H + SS1 + Wi; \
+ B = ROTATE(B, 9); \
+ D = TT1; \
+ F = ROTATE(F, 19); \
+ H = P0(TT2); \
+} while(0)
+
+#define R1(A, B, C, D, E, F, G, H, TJ, Wi, Wj) \
+ ROUND(A, B, C, D, E, F, G, H, TJ, Wi, Wj, FF0, GG0)
+
+#define R2(A, B, C, D, E, F, G, H, TJ, Wi, Wj) \
+ ROUND(A, B, C, D, E, F, G, H, TJ, Wi, Wj, FF1, GG1)
+
+#define SM3_A 0x7380166fUL
+#define SM3_B 0x4914b2b9UL
+#define SM3_C 0x172442d7UL
+#define SM3_D 0xda8a0600UL
+#define SM3_E 0xa96f30bcUL
+#define SM3_F 0x163138aaUL
+#define SM3_G 0xe38dee4dUL
+#define SM3_H 0xb0fb0e4eUL
diff --git a/crypto/sm4/sm4.c b/crypto/sm4/sm4.c
new file mode 100644
index 0000000..009c780
--- /dev/null
+++ b/crypto/sm4/sm4.c
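Review bot: The helper macros in this header use their parameters bare: `P0(X)`, `P1(X)`, `FF0`/`GG0`, `FF1`/`GG1` and `EXPAND` expand `X`, `Y`, `Z` and the `W*` arguments without parentheses, and `ROUND` adds `Wi` bare while it does parenthesise `(Wj)`. This is correct today only because every call site in sm3.c passes identifiers or pure XOR chains and `ROTATE` (from md32_common.h, not visible here) presumably parenthesises its operand; a future call with a `+` or shift expression would silently change precedence. Wrapping each parameter, e.g. `#define FF1(X, Y, Z) (((X) & (Y)) | (((X) | (Y)) & (Z)))` and `const SM3_WORD TT2 = GG(E, F, G) + H + SS1 + (Wi); \`, removes the hazard at no cost, and the same treatment applies to `P0`, `P1`, `FF0`, `GG0`, `GG1` and `EXPAND`.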
@@ -0,0 +1,263 @@
+/* $OpenBSD: sm4.c,v 1.1 2019/03/17 17:42:37 tb Exp $ */
+/*
+ * Copyright (c) 2017, 2019 Ribose Inc
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include
+
+#ifndef OPENSSL_NO_SM4
+#include
+
+struct sm4_key {
+ uint32_t rk[SM4_KEY_SCHEDULE];
+};
+
+static const uint8_t SM4_S[256] = {
+ 0xD6, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 0x16, 0xB6, 0x14, 0xC2,
+ 0x28, 0xFB, 0x2C, 0x05, 0x2B, 0x67, 0x9A, 0x76, 0x2A, 0xBE, 0x04, 0xC3,
+ 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99, 0x9C, 0x42, 0x50, 0xF4,
+ 0x91, 0xEF, 0x98, 0x7A, 0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62,
+ 0xE4, 0xB3, 0x1C, 0xA9, 0xC9, 0x08, 0xE8, 0x95, 0x80, 0xDF, 0x94, 0xFA,
+ 0x75, 0x8F, 0x3F, 0xA6, 0x47, 0x07, 0xA7, 0xFC, 0xF3, 0x73, 0x17, 0xBA,
+ 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8, 0x68, 0x6B, 0x81, 0xB2,
+ 0x71, 0x64, 0xDA, 0x8B, 0xF8, 0xEB, 0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35,
+ 0x1E, 0x24, 0x0E, 0x5E, 0x63, 0x58, 0xD1, 0xA2, 0x25, 0x22, 0x7C, 0x3B,
+ 0x01, 0x21, 0x78, 0x87, 0xD4, 0x00, 0x46, 0x57, 0x9F, 0xD3, 0x27, 0x52,
+ 0x4C, 0x36, 0x02, 0xE7, 0xA0, 0xC4, 0xC8, 0x9E, 0xEA, 0xBF, 0x8A, 0xD2,
+ 0x40, 0xC7, 0x38, 0xB5, 0xA3, 0xF7, 0xF2, 0xCE, 0xF9, 0x61, 0x15, 0xA1,
+ 0xE0, 0xAE, 0x5D, 0xA4, 0x9B, 0x34, 0x1A, 0x55, 0xAD, 0x93, 0x32, 0x30,
+ 0xF5, 0x8C, 0xB1, 0xE3, 0x1D, 0xF6, 0xE2, 0x2E, 0x82, 0x66, 0xCA, 0x60,
+ 0xC0, 0x29, 0x23, 0xAB, 0x0D, 0x53, 0x4E, 0x6F, 0xD5, 0xDB, 0x37, 0x45,
+ 0xDE, 0xFD, 0x8E, 0x2F, 0x03, 0xFF, 0x6A, 0x72, 0x6D, 0x6C, 0x5B, 0x51,
+ 0x8D, 0x1B, 0xAF, 0x92, 0xBB, 0xDD, 0xBC, 0x7F, 0x11, 0xD9, 0x5C, 0x41,
+ 0x1F, 0x10, 0x5A, 0xD8, 0x0A, 0xC1, 0x31, 0x88, 0xA5, 0xCD, 0x7B, 0xBD,
+ 0x2D, 0x74, 0xD0, 0x12, 0xB8, 0xE5, 0xB4, 0xB0, 0x89, 0x69, 0x97, 0x4A,
+ 0x0C, 0x96, 0x77, 0x7E, 0x65, 0xB9, 0xF1, 0x09, 0xC5, 0x6E, 0xC6, 0x84,
+ 0x18, 0xF0, 0x7D, 0xEC, 0x3A, 0xDC, 0x4D, 0x20, 0x79, 0xEE, 0x5F, 0x3E,
+ 0xD7, 0xCB, 0x39, 0x48,
+};
+
+/*
+ * SM4_SBOX_T[j] == L(SM4_SBOX[j]).
+ */
+static const uint32_t SM4_SBOX_T[256] = {
+ 0x8ED55B5B, 0xD0924242, 0x4DEAA7A7, 0x06FDFBFB, 0xFCCF3333, 0x65E28787,
+ 0xC93DF4F4, 0x6BB5DEDE, 0x4E165858, 0x6EB4DADA, 0x44145050, 0xCAC10B0B,
+ 0x8828A0A0, 0x17F8EFEF, 0x9C2CB0B0, 0x11051414, 0x872BACAC, 0xFB669D9D,
+ 0xF2986A6A, 0xAE77D9D9, 0x822AA8A8, 0x46BCFAFA, 0x14041010, 0xCFC00F0F,
+ 0x02A8AAAA, 0x54451111, 0x5F134C4C, 0xBE269898, 0x6D482525, 0x9E841A1A,
+ 0x1E061818, 0xFD9B6666, 0xEC9E7272, 0x4A430909, 0x10514141, 0x24F7D3D3,
+ 0xD5934646, 0x53ECBFBF, 0xF89A6262, 0x927BE9E9, 0xFF33CCCC, 0x04555151,
+ 0x270B2C2C, 0x4F420D0D, 0x59EEB7B7, 0xF3CC3F3F, 0x1CAEB2B2, 0xEA638989,
+ 0x74E79393, 0x7FB1CECE, 0x6C1C7070, 0x0DABA6A6, 0xEDCA2727, 0x28082020,
+ 0x48EBA3A3, 0xC1975656, 0x80820202, 0xA3DC7F7F, 0xC4965252, 0x12F9EBEB,
+ 0xA174D5D5, 0xB38D3E3E, 0xC33FFCFC, 0x3EA49A9A, 0x5B461D1D, 0x1B071C1C,
+ 0x3BA59E9E, 0x0CFFF3F3, 0x3FF0CFCF, 0xBF72CDCD, 0x4B175C5C, 0x52B8EAEA,
+ 0x8F810E0E, 0x3D586565, 0xCC3CF0F0, 0x7D196464, 0x7EE59B9B, 0x91871616,
+ 0x734E3D3D, 0x08AAA2A2, 0xC869A1A1, 0xC76AADAD, 0x85830606, 0x7AB0CACA,
+ 0xB570C5C5, 0xF4659191, 0xB2D96B6B, 0xA7892E2E, 0x18FBE3E3, 0x47E8AFAF,
+ 0x330F3C3C, 0x674A2D2D, 0xB071C1C1, 0x0E575959, 0xE99F7676, 0xE135D4D4,
+ 0x661E7878, 0xB4249090, 0x360E3838, 0x265F7979, 0xEF628D8D, 0x38596161,
+ 0x95D24747, 0x2AA08A8A, 0xB1259494, 0xAA228888, 0x8C7DF1F1, 0xD73BECEC,
+ 0x05010404, 0xA5218484, 0x9879E1E1, 0x9B851E1E, 0x84D75353, 0x00000000,
+ 0x5E471919, 0x0B565D5D, 0xE39D7E7E, 0x9FD04F4F, 0xBB279C9C, 0x1A534949,
+ 0x7C4D3131, 0xEE36D8D8, 0x0A020808, 0x7BE49F9F, 0x20A28282, 0xD4C71313,
+ 0xE8CB2323, 0xE69C7A7A, 0x42E9ABAB, 0x43BDFEFE, 0xA2882A2A, 0x9AD14B4B,
+ 0x40410101, 0xDBC41F1F, 0xD838E0E0, 0x61B7D6D6, 0x2FA18E8E, 0x2BF4DFDF,
+ 0x3AF1CBCB, 0xF6CD3B3B, 0x1DFAE7E7, 0xE5608585, 0x41155454, 0x25A38686,
+ 0x60E38383, 0x16ACBABA, 0x295C7575, 0x34A69292, 0xF7996E6E, 0xE434D0D0,
+ 0x721A6868, 0x01545555, 0x19AFB6B6, 0xDF914E4E, 0xFA32C8C8, 0xF030C0C0,
+ 0x21F6D7D7, 0xBC8E3232, 0x75B3C6C6, 0x6FE08F8F, 0x691D7474, 0x2EF5DBDB,
+ 0x6AE18B8B, 0x962EB8B8, 0x8A800A0A, 0xFE679999, 0xE2C92B2B, 0xE0618181,
+ 0xC0C30303, 0x8D29A4A4, 0xAF238C8C, 0x07A9AEAE, 0x390D3434, 0x1F524D4D,
+ 0x764F3939, 0xD36EBDBD, 0x81D65757, 0xB7D86F6F, 0xEB37DCDC, 0x51441515,
+ 0xA6DD7B7B, 0x09FEF7F7, 0xB68C3A3A, 0x932FBCBC, 0x0F030C0C, 0x03FCFFFF,
+ 0xC26BA9A9, 0xBA73C9C9, 0xD96CB5B5, 0xDC6DB1B1, 0x375A6D6D, 0x15504545,
+ 0xB98F3636, 0x771B6C6C, 0x13ADBEBE, 0xDA904A4A, 0x57B9EEEE, 0xA9DE7777,
+ 0x4CBEF2F2, 0x837EFDFD, 0x55114444, 0xBDDA6767, 0x2C5D7171, 0x45400505,
+ 0x631F7C7C, 0x50104040, 0x325B6969, 0xB8DB6363, 0x220A2828, 0xC5C20707,
+ 0xF531C4C4, 0xA88A2222, 0x31A79696, 0xF9CE3737, 0x977AEDED, 0x49BFF6F6,
+ 0x992DB4B4, 0xA475D1D1, 0x90D34343, 0x5A124848, 0x58BAE2E2, 0x71E69797,
+ 0x64B6D2D2, 0x70B2C2C2, 0xAD8B2626, 0xCD68A5A5, 0xCB955E5E, 0x624B2929,
+ 0x3C0C3030, 0xCE945A5A, 0xAB76DDDD, 0x867FF9F9, 0xF1649595, 0x5DBBE6E6,
+ 0x35F2C7C7, 0x2D092424, 0xD1C61717, 0xD66FB9B9, 0xDEC51B1B, 0x94861212,
+ 0x78186060, 0x30F3C3C3, 0x897CF5F5, 0x5CEFB3B3, 0xD23AE8E8, 0xACDF7373,
+ 0x794C3535, 0xA0208080, 0x9D78E5E5, 0x56EDBBBB, 0x235E7D7D, 0xC63EF8F8,
+ 0x8BD45F5F, 0xE7C82F2F, 0xDD39E4E4, 0x68492121,
+};
+
+static inline uint32_t
+rotl(uint32_t a, uint8_t n)
+{
+ return (a << n) | (a >> (32 - n));
+}
+
+static inline uint32_t
+load_u32_be(const uint8_t *b, uint32_t n)
+{
+ return ((uint32_t)b[4 * n] << 24) |
+ ((uint32_t)b[4 * n + 1] << 16) |
+ ((uint32_t)b[4 * n + 2] << 8) |
+ ((uint32_t)b[4 * n + 3]);
+}
+
+static inline void
+store_u32_be(uint32_t v, uint8_t *b)
+{
+ b[0] = (uint8_t)(v >> 24);
+ b[1] = (uint8_t)(v >> 16);
+ b[2] = (uint8_t)(v >> 8);
+ b[3] = (uint8_t)(v);
+}
+
+static inline uint32_t
+SM4_T_slow(uint32_t X)
+{
+ uint32_t t = 0;
+
+ t |= ((uint32_t)SM4_S[(uint8_t)(X >> 24)]) << 24;
+ t |= ((uint32_t)SM4_S[(uint8_t)(X >> 16)]) << 16;
+ t |= ((uint32_t)SM4_S[(uint8_t)(X >> 8)]) << 8;
+ t |= SM4_S[(uint8_t)X];
+
+ /*
+ * L linear transform
+ */
+ return t ^ rotl(t, 2) ^ rotl(t, 10) ^ rotl(t, 18) ^ rotl(t, 24);
+}
+
+static inline uint32_t
+SM4_T(uint32_t X)
+{
+ return SM4_SBOX_T[(uint8_t)(X >> 24)] ^
+ rotl(SM4_SBOX_T[(uint8_t)(X >> 16)], 24) ^
+ rotl(SM4_SBOX_T[(uint8_t)(X >> 8)], 16) ^
+ rotl(SM4_SBOX_T[(uint8_t)X], 8);
+}
+
+int
+SM4_set_key(const uint8_t *key, SM4_KEY *k)
+{
+ struct sm4_key *ks = (struct sm4_key *)k;
+
+ /*
+ * Family Key
+ */
+ static const uint32_t FK[4] = {
+ 0xa3b1bac6, 0x56aa3350, 0x677d9197, 0xb27022dc,
+ };
+
+ /*
+ * Constant Key
+ */
+ static const uint32_t CK[32] = {
+ 0x00070E15, 0x1C232A31, 0x383F464D, 0x545B6269,
+ 0x70777E85, 0x8C939AA1, 0xA8AFB6BD, 0xC4CBD2D9,
+ 0xE0E7EEF5, 0xFC030A11, 0x181F262D, 0x343B4249,
+ 0x50575E65, 0x6C737A81, 0x888F969D, 0xA4ABB2B9,
+ 0xC0C7CED5, 0xDCE3EAF1, 0xF8FF060D, 0x141B2229,
+ 0x30373E45, 0x4C535A61, 0x686F767D, 0x848B9299,
+ 0xA0A7AEB5, 0xBCC3CAD1, 0xD8DFE6ED, 0xF4FB0209,
+ 0x10171E25, 0x2C333A41, 0x484F565D, 0x646B7279,
+ };
+
+ uint32_t K[4];
+ int i;
+
+ K[0] = load_u32_be(key, 0) ^ FK[0];
+ K[1] = load_u32_be(key, 1) ^ FK[1];
+ K[2] = load_u32_be(key, 2) ^ FK[2];
+ K[3] = load_u32_be(key, 3) ^ FK[3];
+
+ for (i = 0; i < SM4_KEY_SCHEDULE; i++) {
+ uint32_t X;
+ uint32_t t = 0;
+
+ X = K[(i + 1) % 4] ^ K[(i + 2) % 4] ^ K[(i + 3) % 4] ^ CK[i];
+
+ t |= ((uint32_t)SM4_S[(uint8_t)(X >> 24)]) << 24;
+ t |= ((uint32_t)SM4_S[(uint8_t)(X >> 16)]) << 16;
+ t |= ((uint32_t)SM4_S[(uint8_t)(X >> 8)]) << 8;
+ t |= SM4_S[(uint8_t)X];
+
+ t = t ^ rotl(t, 13) ^ rotl(t, 23);
+ K[i % 4] ^= t;
+ ks->rk[i] = K[i % 4];
+ }
+
+ return 1;
+}
+
+#define SM4_ROUNDS(k0, k1, k2, k3, F) \
+ do { \
+ B0 ^= F(B1 ^ B2 ^ B3 ^ ks->rk[k0]); \
+ B1 ^= F(B0 ^ B2 ^ B3 ^ ks->rk[k1]); \
+ B2 ^= F(B0 ^ B1 ^ B3 ^ ks->rk[k2]); \
+ B3 ^= F(B0 ^ B1 ^ B2 ^ ks->rk[k3]); \
+ } while(0)
+
+void
+SM4_encrypt(const uint8_t *in, uint8_t *out, const SM4_KEY *k)
+{
+ struct sm4_key *ks = (struct sm4_key *)k;
+ uint32_t B0 = load_u32_be(in, 0);
+ uint32_t B1 = load_u32_be(in, 1);
+ uint32_t B2 = load_u32_be(in, 2);
+ uint32_t B3 = load_u32_be(in, 3);
+
+ /*
+ * Uses byte-wise sbox in the first and last rounds to provide some
+ * protection from cache based side channels.
+ */
+ SM4_ROUNDS( 0, 1, 2, 3, SM4_T_slow);
+ SM4_ROUNDS( 4, 5, 6, 7, SM4_T);
+ SM4_ROUNDS( 8, 9, 10, 11, SM4_T);
+ SM4_ROUNDS(12, 13, 14, 15, SM4_T);
+ SM4_ROUNDS(16, 17, 18, 19, SM4_T);
+ SM4_ROUNDS(20, 21, 22, 23, SM4_T);
+ SM4_ROUNDS(24, 25, 26, 27, SM4_T);
+ SM4_ROUNDS(28, 29, 30, 31, SM4_T_slow);
+
+ store_u32_be(B3, out);
+ store_u32_be(B2, out + 4);
+ store_u32_be(B1, out + 8);
+ store_u32_be(B0, out + 12);
+}
+
+void
+SM4_decrypt(const uint8_t *in, uint8_t *out, const SM4_KEY *k)
+{
+ struct sm4_key *ks = (struct sm4_key *)k;
+ uint32_t B0 = load_u32_be(in, 0);
+ uint32_t B1 = load_u32_be(in, 1);
+ uint32_t B2 = load_u32_be(in, 2);
+ uint32_t B3 = load_u32_be(in, 3);
+
+ SM4_ROUNDS(31, 30, 29, 28, SM4_T_slow);
+ SM4_ROUNDS(27, 26, 25, 24, SM4_T);
+ SM4_ROUNDS(23, 22, 21, 20, SM4_T);
+ SM4_ROUNDS(19, 18, 17, 16, SM4_T);
+ SM4_ROUNDS(15, 14, 13, 12, SM4_T);
+ SM4_ROUNDS(11, 10, 9, 8, SM4_T);
+ SM4_ROUNDS( 7, 6, 5, 4, SM4_T);
+ SM4_ROUNDS( 3, 2, 1, 0, SM4_T_slow);
+
+ store_u32_be(B3, out);
+ store_u32_be(B2, out + 4);
+ store_u32_be(B1, out + 8);
+ store_u32_be(B0, out + 12);
+}
+
+#endif /* OPENSSL_NO_SM4 */
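Review bot: `SM4_encrypt` and `SM4_decrypt` take `const SM4_KEY *k` but immediately cast it to a non-const `struct sm4_key *ks`, discarding the qualifier the public signature promises; `const struct sm4_key *ks = (const struct sm4_key *)k;` in both functions keeps the round keys read-only and lets the compiler catch an accidental write, while `SM4_set_key`, which does write `ks->rk[i]`, keeps its non-const cast. The comment above the first `SM4_ROUNDS` in `SM4_encrypt` is the only place the `SM4_T_slow` / `SM4_T` split is explained; `SM4_decrypt` uses the same pattern with no comment and `SM4_set_key` also goes through the byte-wise `SM4_S` table, so a one-liner in each (`/* byte-wise sbox in outer rounds, see SM4_encrypt */`) would make the deliberate choice visible. `rotl()` is undefined for `n == 0` or `n >= 32`; every caller here passes a constant in 2..24, which is worth stating on the helper (`/* requires 0 < n < 32 */`) since `static inline` helpers tend to get reused.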
diff --git a/crypto/stack/stack.c b/crypto/stack/stack.c index d941f9e..b76a0d7 100644 --- a/crypto/stack/stack.c +++ b/crypto/stack/stack.c @@ -1,4 +1,4 @@ -/* $OpenBSD: stack.c,v 1.19 2015/02/07 13:19:15 doug Exp $ */ +/* $OpenBSD: stack.c,v 1.20 2018/04/01 00:36:28 schwarze Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -312,6 +312,7 @@ sk_set(_STACK *st, int i, void *value) { if (!st || (i < 0) || (i >= st->num)) return NULL; + st->sorted = 0; return (st->data[i] = value); } diff --git a/crypto/ts/ts_conf.c b/crypto/ts/ts_conf.c index c223aa3..41d185e 100644 --- a/crypto/ts/ts_conf.c +++ b/crypto/ts/ts_conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_conf.c,v 1.10 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ts_conf.c,v 1.11 2018/04/14 07:18:37 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -248,8 +248,7 @@ err: TSerror(TS_R_COULD_NOT_SET_ENGINE); ERR_asprintf_error_data("engine:%s", name); } - if (e) - ENGINE_free(e); + ENGINE_free(e); return ret; } diff --git a/crypto/ts/ts_req_utils.c b/crypto/ts/ts_req_utils.c index bd707c2..6b9c13f 100644 --- a/crypto/ts/ts_req_utils.c +++ b/crypto/ts/ts_req_utils.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_req_utils.c,v 1.5 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ts_req_utils.c,v 1.6 2018/05/13 15:04:05 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -134,7 +134,7 @@ TS_MSG_IMPRINT_get_msg(TS_MSG_IMPRINT *a) } int -TS_REQ_set_policy_id(TS_REQ *a, ASN1_OBJECT *policy) +TS_REQ_set_policy_id(TS_REQ *a, const ASN1_OBJECT *policy) { ASN1_OBJECT *new_policy; @@ -219,7 +219,7 @@ TS_REQ_get_ext_by_NID(TS_REQ *a, int nid, int lastpos) } int -TS_REQ_get_ext_by_OBJ(TS_REQ *a, ASN1_OBJECT *obj, int lastpos) +TS_REQ_get_ext_by_OBJ(TS_REQ *a, const ASN1_OBJECT *obj, int lastpos) { return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos); } 
diff --git a/crypto/ts/ts_rsp_sign.c b/crypto/ts/ts_rsp_sign.c index 57e2d7f..6125fdd 100644 --- a/crypto/ts/ts_rsp_sign.c +++ b/crypto/ts/ts_rsp_sign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_rsp_sign.c,v 1.21 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ts_rsp_sign.c,v 1.23 2019/07/03 03:24:04 deraadt Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ @@ -201,7 +201,7 @@ TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key) } int -TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy) +TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *def_policy) { if (ctx->default_policy) ASN1_OBJECT_free(ctx->default_policy); @@ -238,7 +238,7 @@ TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs) } int -TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy) +TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *policy) { ASN1_OBJECT *copy = NULL; @@ -1001,7 +1001,7 @@ TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time, "%04d%02d%02d%02d%02d%02d%sZ", tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, tm->tm_min, tm->tm_sec, usecstr); - if (rv == -1 || rv >= sizeof(genTime_str)) + if (rv < 0 || rv >= sizeof(genTime_str)) goto err; /* Now call OpenSSL to check and set our genTime value */ diff --git a/crypto/ts/ts_rsp_utils.c b/crypto/ts/ts_rsp_utils.c index 5638331..233df86 100644 --- a/crypto/ts/ts_rsp_utils.c +++ b/crypto/ts/ts_rsp_utils.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ts_rsp_utils.c,v 1.6 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ts_rsp_utils.c,v 1.7 2018/05/13 15:35:46 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL * project 2002. */ 
@@ -398,7 +398,7 @@ TS_TST_INFO_get_ext_by_NID(TS_TST_INFO *a, int nid, int lastpos) } int -TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, ASN1_OBJECT *obj, int lastpos) +TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, const ASN1_OBJECT *obj, int lastpos) { return X509v3_get_ext_by_OBJ(a->extensions, obj, lastpos); } diff --git a/crypto/ui/ui_lib.c b/crypto/ui/ui_lib.c index e551030..09522e7 100644 --- a/crypto/ui/ui_lib.c +++ b/crypto/ui/ui_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ui_lib.c,v 1.32 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: ui_lib.c,v 1.44 2020/09/25 11:25:31 tb Exp $ */ /* Written by Richard Levitte (richard@levitte.org) for the OpenSSL * project 2001. */ @@ -79,26 +79,22 @@ UI_new_method(const UI_METHOD *method) { UI *ret; - ret = malloc(sizeof(UI)); - if (ret == NULL) { + if ((ret = calloc(1, sizeof(UI))) == NULL) { UIerror(ERR_R_MALLOC_FAILURE); return NULL; } - if (method == NULL) + if ((ret->meth = method) == NULL) ret->meth = UI_get_default_method(); - else - ret->meth = method; - - ret->strings = NULL; - ret->user_data = NULL; - ret->flags = 0; CRYPTO_new_ex_data(CRYPTO_EX_INDEX_UI, ret, &ret->ex_data); + return ret; } static void free_string(UI_STRING *uis) { + if (uis == NULL) + return; if (uis->flags & OUT_STRING_FREEABLE) { free((char *) uis->out_string); switch (uis->type) { @@ -128,8 +124,8 @@ static int allocate_string_stack(UI *ui) { if (ui->strings == NULL) { - ui->strings = sk_UI_STRING_new_null(); - if (ui->strings == NULL) { + if ((ui->strings = sk_UI_STRING_new_null()) == NULL) { + UIerror(ERR_R_MALLOC_FAILURE); return -1; } } 
@@ -137,94 +133,131 @@ allocate_string_stack(UI *ui) } static UI_STRING * -general_allocate_prompt(UI *ui, const char *prompt, int prompt_freeable, +general_allocate_prompt(const char *prompt, int dup_prompt, enum UI_string_types type, int input_flags, char *result_buf) { - UI_STRING *ret = NULL; + UI_STRING *uis = NULL; if (prompt == NULL) { UIerror(ERR_R_PASSED_NULL_PARAMETER); - } else if ((type == UIT_PROMPT || type == UIT_VERIFY || - type == UIT_BOOLEAN) && result_buf == NULL) { - UIerror(UI_R_NO_RESULT_BUFFER); - } else if ((ret = malloc(sizeof(UI_STRING)))) { - ret->out_string = prompt; - ret->flags = prompt_freeable ? OUT_STRING_FREEABLE : 0; - ret->input_flags = input_flags; - ret->type = type; - ret->result_buf = result_buf; + goto err; } - return ret; + if ((type == UIT_PROMPT || type == UIT_VERIFY || type == UIT_BOOLEAN) && + result_buf == NULL) { + UIerror(UI_R_NO_RESULT_BUFFER); + goto err; + } + + if ((uis = calloc(1, sizeof(UI_STRING))) == NULL) { + UIerror(ERR_R_MALLOC_FAILURE); + goto err; + } + uis->out_string = prompt; + if (dup_prompt) { + if ((uis->out_string = strdup(prompt)) == NULL) { + UIerror(ERR_R_MALLOC_FAILURE); + goto err; + } + uis->flags = OUT_STRING_FREEABLE; + } + uis->input_flags = input_flags; + uis->type = type; + uis->result_buf = result_buf; + + return uis; + + err: + free_string(uis); + return NULL; } static int -general_allocate_string(UI *ui, const char *prompt, int prompt_freeable, +general_allocate_string(UI *ui, const char *prompt, int dup_prompt, enum UI_string_types type, int input_flags, char *result_buf, int minsize, int maxsize, const char *test_buf) { - int ret = -1; - UI_STRING *s = general_allocate_prompt(ui, prompt, prompt_freeable, - type, input_flags, result_buf); + UI_STRING *s; + int ret; + + if ((s = general_allocate_prompt(prompt, dup_prompt, type, input_flags, + result_buf)) == NULL) + goto err; + s->_.string_data.result_minsize = minsize; + s->_.string_data.result_maxsize = maxsize; + 
s->_.string_data.test_buf = test_buf; + + if (allocate_string_stack(ui) < 0) + goto err; + if ((ret = sk_UI_STRING_push(ui->strings, s)) <= 0) + goto err; - if (s) { - if (allocate_string_stack(ui) >= 0) { - s->_.string_data.result_minsize = minsize; - s->_.string_data.result_maxsize = maxsize; - s->_.string_data.test_buf = test_buf; - ret = sk_UI_STRING_push(ui->strings, s); - /* sk_push() returns 0 on error. Let's adapt that */ - if (ret <= 0) - ret--; - } else - free_string(s); - } return ret; + + err: + free_string(s); + return -1; } static int general_allocate_boolean(UI *ui, const char *prompt, const char *action_desc, - const char *ok_chars, const char *cancel_chars, int prompt_freeable, + const char *ok_chars, const char *cancel_chars, int dup_strings, enum UI_string_types type, int input_flags, char *result_buf) { - int ret = -1; - UI_STRING *s; - const char *p; + UI_STRING *s = NULL; + int ret; - if (ok_chars == NULL) { + if (ok_chars == NULL || cancel_chars == NULL) { UIerror(ERR_R_PASSED_NULL_PARAMETER); - } else if (cancel_chars == NULL) { - UIerror(ERR_R_PASSED_NULL_PARAMETER); - } else { - for (p = ok_chars; *p; p++) { - if (strchr(cancel_chars, *p)) { - UIerror(UI_R_COMMON_OK_AND_CANCEL_CHARACTERS); + goto err; + } + if (ok_chars[strcspn(ok_chars, cancel_chars)] != '\0') { + UIerror(UI_R_COMMON_OK_AND_CANCEL_CHARACTERS); + goto err; + } + + if ((s = general_allocate_prompt(prompt, dup_strings, type, input_flags, + result_buf)) == NULL) + goto err; + + if (dup_strings) { + if (action_desc != NULL) { + if ((s->_.boolean_data.action_desc = + strdup(action_desc)) == NULL) { + UIerror(ERR_R_MALLOC_FAILURE); + goto err; } } - - s = general_allocate_prompt(ui, prompt, prompt_freeable, - type, input_flags, result_buf); - - if (s) { - if (allocate_string_stack(ui) >= 0) { - s->_.boolean_data.action_desc = action_desc; - s->_.boolean_data.ok_chars = ok_chars; - s->_.boolean_data.cancel_chars = cancel_chars; - ret = sk_UI_STRING_push(ui->strings, s); - /* - * 
sk_push() returns 0 on error. Let's adapt - * that - */ - if (ret <= 0) - ret--; - } else - free_string(s); + if ((s->_.boolean_data.ok_chars = strdup(ok_chars)) == NULL) { + UIerror(ERR_R_MALLOC_FAILURE); + goto err; } + if ((s->_.boolean_data.cancel_chars = strdup(cancel_chars)) == + NULL) { + UIerror(ERR_R_MALLOC_FAILURE); + goto err; + } + } else { + s->_.boolean_data.action_desc = action_desc; + s->_.boolean_data.ok_chars = ok_chars; + s->_.boolean_data.cancel_chars = cancel_chars; } + + if (allocate_string_stack(ui) < 0) + goto err; + if ((ret = sk_UI_STRING_push(ui->strings, s)) <= 0) + goto err; + return ret; + + err: + free_string(s); + return -1; } -/* Returns the index to the place in the stack or -1 for error. Uses a - direct reference to the prompt. */ +/* + * Returns the index to the place in the stack or -1 for error. Uses a + * direct reference to the prompt. + */ int UI_add_input_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize) @@ -233,21 +266,12 @@ UI_add_input_string(UI *ui, const char *prompt, int flags, char *result_buf, result_buf, minsize, maxsize, NULL); } -/* Same as UI_add_input_string(), excepts it takes a copy of the prompt */ +/* Same as UI_add_input_string(), excepts it takes a copy of the prompt. */ int UI_dup_input_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize) { - char *prompt_copy = NULL; - - if (prompt) { - prompt_copy = strdup(prompt); - if (prompt_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - return 0; - } - } - return general_allocate_string(ui, prompt_copy, 1, UIT_PROMPT, flags, + return general_allocate_string(ui, prompt, 1, UIT_PROMPT, flags, result_buf, minsize, maxsize, NULL); } 
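Review bot: The `err:` paths in `general_allocate_string` and `general_allocate_boolean` hand a partially initialised `UI_STRING` to `free_string()`, so the cleanup is correct only because `general_allocate_prompt()` sets `OUT_STRING_FREEABLE` after its `strdup()` succeeded, the struct is `calloc()`ed so the not-yet-duplicated `boolean_data` pointers are NULL, and `free_string()` (whose switch body lies outside this hunk) presumably releases those pointers for `UIT_BOOLEAN`. None of that is written down, and the next change to either function can break it silently. A comment above `general_allocate_prompt` such as `/* On any failure the partially built UI_STRING is released with free_string(); OUT_STRING_FREEABLE is only set once the duplicated prompt is owned, so free_string() never frees a caller's pointer. */` and a matching note at the `dup_strings` block in `general_allocate_boolean` would make the invariant explicit.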
@@ -263,16 +287,7 @@ int UI_dup_verify_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize, const char *test_buf) { - char *prompt_copy = NULL; - - if (prompt) { - prompt_copy = strdup(prompt); - if (prompt_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - return -1; - } - } - return general_allocate_string(ui, prompt_copy, 1, UIT_VERIFY, flags, + return general_allocate_string(ui, prompt, 1, UIT_VERIFY, flags, result_buf, minsize, maxsize, test_buf); } @@ -288,49 +303,8 @@ int UI_dup_input_boolean(UI *ui, const char *prompt, const char *action_desc, const char *ok_chars, const char *cancel_chars, int flags, char *result_buf) { - char *prompt_copy = NULL; - char *action_desc_copy = NULL; - char *ok_chars_copy = NULL; - char *cancel_chars_copy = NULL; - - if (prompt) { - prompt_copy = strdup(prompt); - if (prompt_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - goto err; - } - } - if (action_desc) { - action_desc_copy = strdup(action_desc); - if (action_desc_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - goto err; - } - } - if (ok_chars) { - ok_chars_copy = strdup(ok_chars); - if (ok_chars_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - goto err; - } - } - if (cancel_chars) { - cancel_chars_copy = strdup(cancel_chars); - if (cancel_chars_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - goto err; - } - } - return general_allocate_boolean(ui, prompt_copy, action_desc_copy, - ok_chars_copy, cancel_chars_copy, 1, UIT_BOOLEAN, flags, - result_buf); - -err: - free(prompt_copy); - free(action_desc_copy); - free(ok_chars_copy); - free(cancel_chars_copy); - return -1; + return general_allocate_boolean(ui, prompt, action_desc, ok_chars, + cancel_chars, 1, UIT_BOOLEAN, flags, result_buf); } int 
@@ -343,17 +317,8 @@ UI_add_info_string(UI *ui, const char *text) int UI_dup_info_string(UI *ui, const char *text) { - char *text_copy = NULL; - - if (text) { - text_copy = strdup(text); - if (text_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - return -1; - } - } - return general_allocate_string(ui, text_copy, 1, UIT_INFO, 0, NULL, - 0, 0, NULL); + return general_allocate_string(ui, text, 1, UIT_INFO, 0, NULL, 0, 0, + NULL); } int @@ -366,17 +331,8 @@ UI_add_error_string(UI *ui, const char *text) int UI_dup_error_string(UI *ui, const char *text) { - char *text_copy = NULL; - - if (text) { - text_copy = strdup(text); - if (text_copy == NULL) { - UIerror(ERR_R_MALLOC_FAILURE); - return -1; - } - } - return general_allocate_string(ui, text_copy, 1, UIT_ERROR, 0, NULL, - 0, 0, NULL); + return general_allocate_string(ui, text, 1, UIT_ERROR, 0, NULL, 0, 0, + NULL); } char * @@ -433,8 +389,9 @@ UI_get0_result(UI *ui, int i) } static int -print_error(const char *str, size_t len, UI *ui) +print_error(const char *str, size_t len, void *arg) { + UI *ui = arg; UI_STRING uis; memset(&uis, 0, sizeof(uis)); @@ -456,9 +413,7 @@ UI_process(UI *ui) return -1; if (ui->flags & UI_FLAG_PRINT_ERRORS) - ERR_print_errors_cb( - (int (*)(const char *, size_t, void *)) print_error, - (void *)ui); + ERR_print_errors_cb(print_error, ui); for (i = 0; i < sk_UI_STRING_num(ui->strings); i++) { if (ui->meth->ui_write_string && @@ -500,7 +455,7 @@ UI_process(UI *ui) } } -err: + err: if (ui->meth->ui_close_session && !ui->meth->ui_close_session(ui)) return -1; return ok; @@ -582,7 +537,7 @@ UI_set_method(UI *ui, const UI_METHOD *meth) UI_METHOD * -UI_create_method(char *name) +UI_create_method(const char *name) { UI_METHOD *ui_method = calloc(1, sizeof(UI_METHOD)); 
@@ -592,9 +547,11 @@ UI_create_method(char *name) return ui_method; } -/* BIG FSCKING WARNING!!!! If you use this on a statically allocated method - (that is, it hasn't been allocated using UI_create_method(), you deserve - anything Murphy can throw at you and more! You have been warned. */ +/* + * BIG FSCKING WARNING!!!! If you use this on a statically allocated method + * (that is, it hasn't been allocated using UI_create_method(), you deserve + * anything Murphy can throw at you and more! You have been warned. + */ void UI_destroy_method(UI_METHOD *ui_method) { @@ -609,8 +566,8 @@ UI_method_set_opener(UI_METHOD *method, int (*opener)(UI *ui)) if (method) { method->ui_open_session = opener; return 0; - } else - return -1; + } + return -1; } int @@ -619,8 +576,8 @@ UI_method_set_writer(UI_METHOD *method, int (*writer)(UI *ui, UI_STRING *uis)) if (method) { method->ui_write_string = writer; return 0; - } else - return -1; + } + return -1; } int @@ -629,8 +586,8 @@ UI_method_set_flusher(UI_METHOD *method, int (*flusher)(UI *ui)) if (method) { method->ui_flush = flusher; return 0; - } else - return -1; + } + return -1; } int @@ -639,8 +596,8 @@ UI_method_set_reader(UI_METHOD *method, int (*reader)(UI *ui, UI_STRING *uis)) if (method) { method->ui_read_string = reader; return 0; - } else - return -1; + } + return -1; } int @@ -649,8 +606,8 @@ UI_method_set_closer(UI_METHOD *method, int (*closer)(UI *ui)) if (method) { method->ui_close_session = closer; return 0; - } else - return -1; + } + return -1; } int 
@@ -661,63 +618,57 @@ UI_method_set_prompt_constructor(UI_METHOD *method, if (method) { method->ui_construct_prompt = prompt_constructor; return 0; - } else - return -1; + } + return -1; } int -(*UI_method_get_opener(UI_METHOD * method))(UI *) +(*UI_method_get_opener(const UI_METHOD * method))(UI *) { if (method) return method->ui_open_session; - else - return NULL; + return NULL; } int -(*UI_method_get_writer(UI_METHOD *method))(UI *, UI_STRING *) +(*UI_method_get_writer(const UI_METHOD *method))(UI *, UI_STRING *) { if (method) return method->ui_write_string; - else - return NULL; + return NULL; } int -(*UI_method_get_flusher(UI_METHOD *method)) (UI *) +(*UI_method_get_flusher(const UI_METHOD *method)) (UI *) { if (method) return method->ui_flush; - else - return NULL; + return NULL; } int -(*UI_method_get_reader(UI_METHOD *method))(UI *, UI_STRING *) +(*UI_method_get_reader(const UI_METHOD *method))(UI *, UI_STRING *) { if (method) return method->ui_read_string; - else - return NULL; + return NULL; } int -(*UI_method_get_closer(UI_METHOD *method))(UI *) +(*UI_method_get_closer(const UI_METHOD *method))(UI *) { if (method) return method->ui_close_session; - else - return NULL; + return NULL; } char * -(*UI_method_get_prompt_constructor(UI_METHOD *method))(UI *, const char *, +(*UI_method_get_prompt_constructor(const UI_METHOD *method))(UI *, const char *, const char *) { if (method) return method->ui_construct_prompt; - else - return NULL; + return NULL; } enum UI_string_types @@ -816,6 +767,7 @@ UI_get_result_maxsize(UI_STRING *uis) int UI_set_result(UI *ui, UI_STRING *uis, const char *result) { + const char *p; int l = strlen(result); ui->flags &= ~UI_FLAG_REDOABLE; 
@@ -851,29 +803,25 @@ UI_set_result(UI *ui, UI_STRING *uis, const char *result) uis->_.string_data.result_maxsize + 1); break; case UIT_BOOLEAN: - { - const char *p; - - if (!uis->result_buf) { - UIerror(UI_R_NO_RESULT_BUFFER); - return -1; - } - uis->result_buf[0] = '\0'; - for (p = result; *p; p++) { - if (strchr(uis->_.boolean_data.ok_chars, *p)) { - uis->result_buf[0] = - uis->_.boolean_data.ok_chars[0]; - break; - } - if (strchr(uis->_.boolean_data.cancel_chars, *p)) { - uis->result_buf[0] = - uis->_.boolean_data.cancel_chars[0]; - break; - } - } - default: - break; + if (!uis->result_buf) { + UIerror(UI_R_NO_RESULT_BUFFER); + return -1; } + uis->result_buf[0] = '\0'; + for (p = result; *p; p++) { + if (strchr(uis->_.boolean_data.ok_chars, *p)) { + uis->result_buf[0] = + uis->_.boolean_data.ok_chars[0]; + break; + } + if (strchr(uis->_.boolean_data.cancel_chars, *p)) { + uis->result_buf[0] = + uis->_.boolean_data.cancel_chars[0]; + break; + } + } + default: + break; } return 0; } diff --git a/crypto/whrlpool/wp-masm-x86_64.S b/crypto/whrlpool/wp-masm-x86_64.S new file mode 100644 index 0000000..78cf97c --- /dev/null +++ b/crypto/whrlpool/wp-masm-x86_64.S 
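Review bot: The rewritten `case UIT_BOOLEAN:` arm in `UI_set_result` ends at the `for` loop and falls straight into `default: break;` with no `break;` of its own, just as the removed braced block did, so behaviour is unchanged but readers and `-Wimplicit-fallthrough` builds will flag it. Adding `break;` after the loop's closing brace, before `default:`, costs nothing and records that the fallthrough is not intentional. The enclosing `switch` begins outside this hunk.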
@@ -0,0 +1,943 @@ +; 1 "crypto/whrlpool/wp-masm-x86_64.S.tmp" +; 1 "" 1 +; 1 "" 3 +; 340 "" 3 +; 1 "" 1 +; 1 "" 2 +; 1 "crypto/whrlpool/wp-masm-x86_64.S.tmp" 2 +OPTION DOTNAME + +; 1 "./crypto/x86_arch.h" 1 + + +; 16 "./crypto/x86_arch.h" + + + + + + + + + +; 40 "./crypto/x86_arch.h" + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +; 3 "crypto/whrlpool/wp-masm-x86_64.S.tmp" 2 +.text$ SEGMENT ALIGN(64) 'CODE' + +PUBLIC whirlpool_block + +ALIGN 16 +whirlpool_block PROC PUBLIC + mov QWORD PTR[8+rsp],rdi ;WIN64 prologue + mov QWORD PTR[16+rsp],rsi + mov rax,rsp +$L$SEH_begin_whirlpool_block:: + mov rdi,rcx + mov rsi,rdx + mov rdx,r8 + + + push rbx + push rbp + push r12 + push r13 + push r14 + push r15 + + mov r11,rsp + sub rsp,128+40 + and rsp,-64 + + lea r10,QWORD PTR[128+rsp] + mov QWORD PTR[r10],rdi + mov QWORD PTR[8+r10],rsi + mov QWORD PTR[16+r10],rdx + mov QWORD PTR[32+r10],r11 +$L$prologue:: + + mov rbx,r10 + lea rbp,QWORD PTR[$L$table] + + xor rcx,rcx + xor rdx,rdx + mov r8,QWORD PTR[rdi] + mov r9,QWORD PTR[8+rdi] + mov r10,QWORD PTR[16+rdi] + mov r11,QWORD PTR[24+rdi] + mov r12,QWORD PTR[32+rdi] + mov r13,QWORD PTR[40+rdi] + mov r14,QWORD PTR[48+rdi] + mov r15,QWORD PTR[56+rdi] +$L$outerloop:: + mov QWORD PTR[rsp],r8 + mov QWORD PTR[8+rsp],r9 + mov QWORD PTR[16+rsp],r10 + mov QWORD PTR[24+rsp],r11 + mov QWORD PTR[32+rsp],r12 + mov QWORD PTR[40+rsp],r13 + mov QWORD PTR[48+rsp],r14 + mov QWORD PTR[56+rsp],r15 + xor r8,QWORD PTR[rsi] + xor r9,QWORD PTR[8+rsi] + xor r10,QWORD PTR[16+rsi] + xor r11,QWORD PTR[24+rsi] + xor r12,QWORD PTR[32+rsi] + xor r13,QWORD PTR[40+rsi] + xor r14,QWORD PTR[48+rsi] + xor r15,QWORD PTR[56+rsi] + mov QWORD PTR[((64+0))+rsp],r8 + mov QWORD PTR[((64+8))+rsp],r9 + mov QWORD PTR[((64+16))+rsp],r10 + mov QWORD PTR[((64+24))+rsp],r11 + mov QWORD PTR[((64+32))+rsp],r12 + mov QWORD PTR[((64+40))+rsp],r13 + mov QWORD PTR[((64+48))+rsp],r14 + mov QWORD PTR[((64+56))+rsp],r15 + xor rsi,rsi + mov QWORD 
PTR[24+rbx],rsi +ALIGN 16 +$L$round:: + mov r8,QWORD PTR[4096+rsi*8+rbp] + mov eax,DWORD PTR[rsp] + mov ebx,DWORD PTR[4+rsp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r8,QWORD PTR[rsi*8+rbp] + mov r9,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((0+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + mov r10,QWORD PTR[6+rsi*8+rbp] + mov r11,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + mov r12,QWORD PTR[4+rsi*8+rbp] + mov r13,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((0+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + mov r14,QWORD PTR[2+rsi*8+rbp] + mov r15,QWORD PTR[1+rdi*8+rbp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r9,QWORD PTR[rsi*8+rbp] + xor r10,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((8+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r11,QWORD PTR[6+rsi*8+rbp] + xor r12,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r13,QWORD PTR[4+rsi*8+rbp] + xor r14,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((8+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r15,QWORD PTR[2+rsi*8+rbp] + xor r8,QWORD PTR[1+rdi*8+rbp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r10,QWORD PTR[rsi*8+rbp] + xor r11,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((16+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r12,QWORD PTR[6+rsi*8+rbp] + xor r13,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r14,QWORD 
PTR[4+rsi*8+rbp] + xor r15,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((16+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r8,QWORD PTR[2+rsi*8+rbp] + xor r9,QWORD PTR[1+rdi*8+rbp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r11,QWORD PTR[rsi*8+rbp] + xor r12,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((24+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r13,QWORD PTR[6+rsi*8+rbp] + xor r14,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r15,QWORD PTR[4+rsi*8+rbp] + xor r8,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((24+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r9,QWORD PTR[2+rsi*8+rbp] + xor r10,QWORD PTR[1+rdi*8+rbp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r12,QWORD PTR[rsi*8+rbp] + xor r13,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((32+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r14,QWORD PTR[6+rsi*8+rbp] + xor r15,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r8,QWORD PTR[4+rsi*8+rbp] + xor r9,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((32+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r10,QWORD PTR[2+rsi*8+rbp] + xor r11,QWORD PTR[1+rdi*8+rbp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r13,QWORD PTR[rsi*8+rbp] + xor r14,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((40+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r15,QWORD PTR[6+rsi*8+rbp] + xor r8,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + 
mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r9,QWORD PTR[4+rsi*8+rbp] + xor r10,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((40+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r11,QWORD PTR[2+rsi*8+rbp] + xor r12,QWORD PTR[1+rdi*8+rbp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r14,QWORD PTR[rsi*8+rbp] + xor r15,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((48+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r8,QWORD PTR[6+rsi*8+rbp] + xor r9,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r10,QWORD PTR[4+rsi*8+rbp] + xor r11,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((48+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r12,QWORD PTR[2+rsi*8+rbp] + xor r13,QWORD PTR[1+rdi*8+rbp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r15,QWORD PTR[rsi*8+rbp] + xor r8,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((56+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r9,QWORD PTR[6+rsi*8+rbp] + xor r10,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r11,QWORD PTR[4+rsi*8+rbp] + xor r12,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((56+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r13,QWORD PTR[2+rsi*8+rbp] + xor r14,QWORD PTR[1+rdi*8+rbp] + mov QWORD PTR[rsp],r8 + mov QWORD PTR[8+rsp],r9 + mov QWORD PTR[16+rsp],r10 + mov QWORD PTR[24+rsp],r11 + mov QWORD PTR[32+rsp],r12 + mov QWORD PTR[40+rsp],r13 + mov QWORD PTR[48+rsp],r14 + mov QWORD PTR[56+rsp],r15 + mov cl,al + mov dl,ah + lea rsi,QWORD 
PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r8,QWORD PTR[rsi*8+rbp] + xor r9,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((64+0+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r10,QWORD PTR[6+rsi*8+rbp] + xor r11,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r12,QWORD PTR[4+rsi*8+rbp] + xor r13,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((64+0+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r14,QWORD PTR[2+rsi*8+rbp] + xor r15,QWORD PTR[1+rdi*8+rbp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r9,QWORD PTR[rsi*8+rbp] + xor r10,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((64+8+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r11,QWORD PTR[6+rsi*8+rbp] + xor r12,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r13,QWORD PTR[4+rsi*8+rbp] + xor r14,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((64+8+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r15,QWORD PTR[2+rsi*8+rbp] + xor r8,QWORD PTR[1+rdi*8+rbp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r10,QWORD PTR[rsi*8+rbp] + xor r11,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((64+16+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r12,QWORD PTR[6+rsi*8+rbp] + xor r13,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r14,QWORD PTR[4+rsi*8+rbp] + xor r15,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((64+16+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD 
PTR[rdx*1+rdx] + xor r8,QWORD PTR[2+rsi*8+rbp] + xor r9,QWORD PTR[1+rdi*8+rbp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r11,QWORD PTR[rsi*8+rbp] + xor r12,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((64+24+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r13,QWORD PTR[6+rsi*8+rbp] + xor r14,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r15,QWORD PTR[4+rsi*8+rbp] + xor r8,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((64+24+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r9,QWORD PTR[2+rsi*8+rbp] + xor r10,QWORD PTR[1+rdi*8+rbp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r12,QWORD PTR[rsi*8+rbp] + xor r13,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((64+32+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r14,QWORD PTR[6+rsi*8+rbp] + xor r15,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r8,QWORD PTR[4+rsi*8+rbp] + xor r9,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((64+32+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r10,QWORD PTR[2+rsi*8+rbp] + xor r11,QWORD PTR[1+rdi*8+rbp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r13,QWORD PTR[rsi*8+rbp] + xor r14,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((64+40+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r15,QWORD PTR[6+rsi*8+rbp] + xor r8,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r9,QWORD PTR[4+rsi*8+rbp] + xor r10,QWORD 
PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((64+40+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r11,QWORD PTR[2+rsi*8+rbp] + xor r12,QWORD PTR[1+rdi*8+rbp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r14,QWORD PTR[rsi*8+rbp] + xor r15,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + mov eax,DWORD PTR[((64+48+8))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r8,QWORD PTR[6+rsi*8+rbp] + xor r9,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r10,QWORD PTR[4+rsi*8+rbp] + xor r11,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + mov ebx,DWORD PTR[((64+48+8+4))+rsp] + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r12,QWORD PTR[2+rsi*8+rbp] + xor r13,QWORD PTR[1+rdi*8+rbp] + mov cl,al + mov dl,ah + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr eax,16 + xor r15,QWORD PTR[rsi*8+rbp] + xor r8,QWORD PTR[7+rdi*8+rbp] + mov cl,al + mov dl,ah + + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r9,QWORD PTR[6+rsi*8+rbp] + xor r10,QWORD PTR[5+rdi*8+rbp] + mov cl,bl + mov dl,bh + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + shr ebx,16 + xor r11,QWORD PTR[4+rsi*8+rbp] + xor r12,QWORD PTR[3+rdi*8+rbp] + mov cl,bl + mov dl,bh + + lea rsi,QWORD PTR[rcx*1+rcx] + lea rdi,QWORD PTR[rdx*1+rdx] + xor r13,QWORD PTR[2+rsi*8+rbp] + xor r14,QWORD PTR[1+rdi*8+rbp] + lea rbx,QWORD PTR[128+rsp] + mov rsi,QWORD PTR[24+rbx] + add rsi,1 + cmp rsi,10 + je $L$roundsdone + + mov QWORD PTR[24+rbx],rsi + mov QWORD PTR[((64+0))+rsp],r8 + mov QWORD PTR[((64+8))+rsp],r9 + mov QWORD PTR[((64+16))+rsp],r10 + mov QWORD PTR[((64+24))+rsp],r11 + mov QWORD PTR[((64+32))+rsp],r12 + mov QWORD PTR[((64+40))+rsp],r13 + mov QWORD PTR[((64+48))+rsp],r14 + mov QWORD PTR[((64+56))+rsp],r15 + jmp $L$round +ALIGN 16 +$L$roundsdone:: + 
mov rdi,QWORD PTR[rbx] + mov rsi,QWORD PTR[8+rbx] + mov rax,QWORD PTR[16+rbx] + xor r8,QWORD PTR[rsi] + xor r9,QWORD PTR[8+rsi] + xor r10,QWORD PTR[16+rsi] + xor r11,QWORD PTR[24+rsi] + xor r12,QWORD PTR[32+rsi] + xor r13,QWORD PTR[40+rsi] + xor r14,QWORD PTR[48+rsi] + xor r15,QWORD PTR[56+rsi] + xor r8,QWORD PTR[rdi] + xor r9,QWORD PTR[8+rdi] + xor r10,QWORD PTR[16+rdi] + xor r11,QWORD PTR[24+rdi] + xor r12,QWORD PTR[32+rdi] + xor r13,QWORD PTR[40+rdi] + xor r14,QWORD PTR[48+rdi] + xor r15,QWORD PTR[56+rdi] + mov QWORD PTR[rdi],r8 + mov QWORD PTR[8+rdi],r9 + mov QWORD PTR[16+rdi],r10 + mov QWORD PTR[24+rdi],r11 + mov QWORD PTR[32+rdi],r12 + mov QWORD PTR[40+rdi],r13 + mov QWORD PTR[48+rdi],r14 + mov QWORD PTR[56+rdi],r15 + lea rsi,QWORD PTR[64+rsi] + sub rax,1 + jz $L$alldone + mov QWORD PTR[8+rbx],rsi + mov QWORD PTR[16+rbx],rax + jmp $L$outerloop +$L$alldone:: + mov rsi,QWORD PTR[32+rbx] + mov r15,QWORD PTR[rsi] + mov r14,QWORD PTR[8+rsi] + mov r13,QWORD PTR[16+rsi] + mov r12,QWORD PTR[24+rsi] + mov rbp,QWORD PTR[32+rsi] + mov rbx,QWORD PTR[40+rsi] + lea rsp,QWORD PTR[48+rsi] +$L$epilogue:: + mov rdi,QWORD PTR[8+rsp] ;WIN64 epilogue + mov rsi,QWORD PTR[16+rsp] + DB 0F3h,0C3h ;repret +$L$SEH_end_whirlpool_block:: +whirlpool_block ENDP + +ALIGN 64 + +$L$table:: +DB 24,24,96,24,192,120,48,216,24,24,96,24,192,120,48,216 +DB 35,35,140,35,5,175,70,38,35,35,140,35,5,175,70,38 +DB 198,198,63,198,126,249,145,184,198,198,63,198,126,249,145,184 +DB 232,232,135,232,19,111,205,251,232,232,135,232,19,111,205,251 +DB 135,135,38,135,76,161,19,203,135,135,38,135,76,161,19,203 +DB 184,184,218,184,169,98,109,17,184,184,218,184,169,98,109,17 +DB 1,1,4,1,8,5,2,9,1,1,4,1,8,5,2,9 +DB 79,79,33,79,66,110,158,13,79,79,33,79,66,110,158,13 +DB 54,54,216,54,173,238,108,155,54,54,216,54,173,238,108,155 +DB 166,166,162,166,89,4,81,255,166,166,162,166,89,4,81,255 +DB 210,210,111,210,222,189,185,12,210,210,111,210,222,189,185,12 +DB 245,245,243,245,251,6,247,14,245,245,243,245,251,6,247,14 +DB 
121,121,249,121,239,128,242,150,121,121,249,121,239,128,242,150 +DB 111,111,161,111,95,206,222,48,111,111,161,111,95,206,222,48 +DB 145,145,126,145,252,239,63,109,145,145,126,145,252,239,63,109 +DB 82,82,85,82,170,7,164,248,82,82,85,82,170,7,164,248 +DB 96,96,157,96,39,253,192,71,96,96,157,96,39,253,192,71 +DB 188,188,202,188,137,118,101,53,188,188,202,188,137,118,101,53 +DB 155,155,86,155,172,205,43,55,155,155,86,155,172,205,43,55 +DB 142,142,2,142,4,140,1,138,142,142,2,142,4,140,1,138 +DB 163,163,182,163,113,21,91,210,163,163,182,163,113,21,91,210 +DB 12,12,48,12,96,60,24,108,12,12,48,12,96,60,24,108 +DB 123,123,241,123,255,138,246,132,123,123,241,123,255,138,246,132 +DB 53,53,212,53,181,225,106,128,53,53,212,53,181,225,106,128 +DB 29,29,116,29,232,105,58,245,29,29,116,29,232,105,58,245 +DB 224,224,167,224,83,71,221,179,224,224,167,224,83,71,221,179 +DB 215,215,123,215,246,172,179,33,215,215,123,215,246,172,179,33 +DB 194,194,47,194,94,237,153,156,194,194,47,194,94,237,153,156 +DB 46,46,184,46,109,150,92,67,46,46,184,46,109,150,92,67 +DB 75,75,49,75,98,122,150,41,75,75,49,75,98,122,150,41 +DB 254,254,223,254,163,33,225,93,254,254,223,254,163,33,225,93 +DB 87,87,65,87,130,22,174,213,87,87,65,87,130,22,174,213 +DB 21,21,84,21,168,65,42,189,21,21,84,21,168,65,42,189 +DB 119,119,193,119,159,182,238,232,119,119,193,119,159,182,238,232 +DB 55,55,220,55,165,235,110,146,55,55,220,55,165,235,110,146 +DB 229,229,179,229,123,86,215,158,229,229,179,229,123,86,215,158 +DB 159,159,70,159,140,217,35,19,159,159,70,159,140,217,35,19 +DB 240,240,231,240,211,23,253,35,240,240,231,240,211,23,253,35 +DB 74,74,53,74,106,127,148,32,74,74,53,74,106,127,148,32 +DB 218,218,79,218,158,149,169,68,218,218,79,218,158,149,169,68 +DB 88,88,125,88,250,37,176,162,88,88,125,88,250,37,176,162 +DB 201,201,3,201,6,202,143,207,201,201,3,201,6,202,143,207 +DB 41,41,164,41,85,141,82,124,41,41,164,41,85,141,82,124 +DB 10,10,40,10,80,34,20,90,10,10,40,10,80,34,20,90 +DB 
177,177,254,177,225,79,127,80,177,177,254,177,225,79,127,80 +DB 160,160,186,160,105,26,93,201,160,160,186,160,105,26,93,201 +DB 107,107,177,107,127,218,214,20,107,107,177,107,127,218,214,20 +DB 133,133,46,133,92,171,23,217,133,133,46,133,92,171,23,217 +DB 189,189,206,189,129,115,103,60,189,189,206,189,129,115,103,60 +DB 93,93,105,93,210,52,186,143,93,93,105,93,210,52,186,143 +DB 16,16,64,16,128,80,32,144,16,16,64,16,128,80,32,144 +DB 244,244,247,244,243,3,245,7,244,244,247,244,243,3,245,7 +DB 203,203,11,203,22,192,139,221,203,203,11,203,22,192,139,221 +DB 62,62,248,62,237,198,124,211,62,62,248,62,237,198,124,211 +DB 5,5,20,5,40,17,10,45,5,5,20,5,40,17,10,45 +DB 103,103,129,103,31,230,206,120,103,103,129,103,31,230,206,120 +DB 228,228,183,228,115,83,213,151,228,228,183,228,115,83,213,151 +DB 39,39,156,39,37,187,78,2,39,39,156,39,37,187,78,2 +DB 65,65,25,65,50,88,130,115,65,65,25,65,50,88,130,115 +DB 139,139,22,139,44,157,11,167,139,139,22,139,44,157,11,167 +DB 167,167,166,167,81,1,83,246,167,167,166,167,81,1,83,246 +DB 125,125,233,125,207,148,250,178,125,125,233,125,207,148,250,178 +DB 149,149,110,149,220,251,55,73,149,149,110,149,220,251,55,73 +DB 216,216,71,216,142,159,173,86,216,216,71,216,142,159,173,86 +DB 251,251,203,251,139,48,235,112,251,251,203,251,139,48,235,112 +DB 238,238,159,238,35,113,193,205,238,238,159,238,35,113,193,205 +DB 124,124,237,124,199,145,248,187,124,124,237,124,199,145,248,187 +DB 102,102,133,102,23,227,204,113,102,102,133,102,23,227,204,113 +DB 221,221,83,221,166,142,167,123,221,221,83,221,166,142,167,123 +DB 23,23,92,23,184,75,46,175,23,23,92,23,184,75,46,175 +DB 71,71,1,71,2,70,142,69,71,71,1,71,2,70,142,69 +DB 158,158,66,158,132,220,33,26,158,158,66,158,132,220,33,26 +DB 202,202,15,202,30,197,137,212,202,202,15,202,30,197,137,212 +DB 45,45,180,45,117,153,90,88,45,45,180,45,117,153,90,88 +DB 191,191,198,191,145,121,99,46,191,191,198,191,145,121,99,46 +DB 7,7,28,7,56,27,14,63,7,7,28,7,56,27,14,63 +DB 
173,173,142,173,1,35,71,172,173,173,142,173,1,35,71,172 +DB 90,90,117,90,234,47,180,176,90,90,117,90,234,47,180,176 +DB 131,131,54,131,108,181,27,239,131,131,54,131,108,181,27,239 +DB 51,51,204,51,133,255,102,182,51,51,204,51,133,255,102,182 +DB 99,99,145,99,63,242,198,92,99,99,145,99,63,242,198,92 +DB 2,2,8,2,16,10,4,18,2,2,8,2,16,10,4,18 +DB 170,170,146,170,57,56,73,147,170,170,146,170,57,56,73,147 +DB 113,113,217,113,175,168,226,222,113,113,217,113,175,168,226,222 +DB 200,200,7,200,14,207,141,198,200,200,7,200,14,207,141,198 +DB 25,25,100,25,200,125,50,209,25,25,100,25,200,125,50,209 +DB 73,73,57,73,114,112,146,59,73,73,57,73,114,112,146,59 +DB 217,217,67,217,134,154,175,95,217,217,67,217,134,154,175,95 +DB 242,242,239,242,195,29,249,49,242,242,239,242,195,29,249,49 +DB 227,227,171,227,75,72,219,168,227,227,171,227,75,72,219,168 +DB 91,91,113,91,226,42,182,185,91,91,113,91,226,42,182,185 +DB 136,136,26,136,52,146,13,188,136,136,26,136,52,146,13,188 +DB 154,154,82,154,164,200,41,62,154,154,82,154,164,200,41,62 +DB 38,38,152,38,45,190,76,11,38,38,152,38,45,190,76,11 +DB 50,50,200,50,141,250,100,191,50,50,200,50,141,250,100,191 +DB 176,176,250,176,233,74,125,89,176,176,250,176,233,74,125,89 +DB 233,233,131,233,27,106,207,242,233,233,131,233,27,106,207,242 +DB 15,15,60,15,120,51,30,119,15,15,60,15,120,51,30,119 +DB 213,213,115,213,230,166,183,51,213,213,115,213,230,166,183,51 +DB 128,128,58,128,116,186,29,244,128,128,58,128,116,186,29,244 +DB 190,190,194,190,153,124,97,39,190,190,194,190,153,124,97,39 +DB 205,205,19,205,38,222,135,235,205,205,19,205,38,222,135,235 +DB 52,52,208,52,189,228,104,137,52,52,208,52,189,228,104,137 +DB 72,72,61,72,122,117,144,50,72,72,61,72,122,117,144,50 +DB 255,255,219,255,171,36,227,84,255,255,219,255,171,36,227,84 +DB 122,122,245,122,247,143,244,141,122,122,245,122,247,143,244,141 +DB 144,144,122,144,244,234,61,100,144,144,122,144,244,234,61,100 +DB 95,95,97,95,194,62,190,157,95,95,97,95,194,62,190,157 +DB 
32,32,128,32,29,160,64,61,32,32,128,32,29,160,64,61 +DB 104,104,189,104,103,213,208,15,104,104,189,104,103,213,208,15 +DB 26,26,104,26,208,114,52,202,26,26,104,26,208,114,52,202 +DB 174,174,130,174,25,44,65,183,174,174,130,174,25,44,65,183 +DB 180,180,234,180,201,94,117,125,180,180,234,180,201,94,117,125 +DB 84,84,77,84,154,25,168,206,84,84,77,84,154,25,168,206 +DB 147,147,118,147,236,229,59,127,147,147,118,147,236,229,59,127 +DB 34,34,136,34,13,170,68,47,34,34,136,34,13,170,68,47 +DB 100,100,141,100,7,233,200,99,100,100,141,100,7,233,200,99 +DB 241,241,227,241,219,18,255,42,241,241,227,241,219,18,255,42 +DB 115,115,209,115,191,162,230,204,115,115,209,115,191,162,230,204 +DB 18,18,72,18,144,90,36,130,18,18,72,18,144,90,36,130 +DB 64,64,29,64,58,93,128,122,64,64,29,64,58,93,128,122 +DB 8,8,32,8,64,40,16,72,8,8,32,8,64,40,16,72 +DB 195,195,43,195,86,232,155,149,195,195,43,195,86,232,155,149 +DB 236,236,151,236,51,123,197,223,236,236,151,236,51,123,197,223 +DB 219,219,75,219,150,144,171,77,219,219,75,219,150,144,171,77 +DB 161,161,190,161,97,31,95,192,161,161,190,161,97,31,95,192 +DB 141,141,14,141,28,131,7,145,141,141,14,141,28,131,7,145 +DB 61,61,244,61,245,201,122,200,61,61,244,61,245,201,122,200 +DB 151,151,102,151,204,241,51,91,151,151,102,151,204,241,51,91 +DB 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 +DB 207,207,27,207,54,212,131,249,207,207,27,207,54,212,131,249 +DB 43,43,172,43,69,135,86,110,43,43,172,43,69,135,86,110 +DB 118,118,197,118,151,179,236,225,118,118,197,118,151,179,236,225 +DB 130,130,50,130,100,176,25,230,130,130,50,130,100,176,25,230 +DB 214,214,127,214,254,169,177,40,214,214,127,214,254,169,177,40 +DB 27,27,108,27,216,119,54,195,27,27,108,27,216,119,54,195 +DB 181,181,238,181,193,91,119,116,181,181,238,181,193,91,119,116 +DB 175,175,134,175,17,41,67,190,175,175,134,175,17,41,67,190 +DB 106,106,181,106,119,223,212,29,106,106,181,106,119,223,212,29 +DB 80,80,93,80,186,13,160,234,80,80,93,80,186,13,160,234 +DB 69,69,9,69,18,76,138,87,69,69,9,69,18,76,138,87 
+DB 243,243,235,243,203,24,251,56,243,243,235,243,203,24,251,56 +DB 48,48,192,48,157,240,96,173,48,48,192,48,157,240,96,173 +DB 239,239,155,239,43,116,195,196,239,239,155,239,43,116,195,196 +DB 63,63,252,63,229,195,126,218,63,63,252,63,229,195,126,218 +DB 85,85,73,85,146,28,170,199,85,85,73,85,146,28,170,199 +DB 162,162,178,162,121,16,89,219,162,162,178,162,121,16,89,219 +DB 234,234,143,234,3,101,201,233,234,234,143,234,3,101,201,233 +DB 101,101,137,101,15,236,202,106,101,101,137,101,15,236,202,106 +DB 186,186,210,186,185,104,105,3,186,186,210,186,185,104,105,3 +DB 47,47,188,47,101,147,94,74,47,47,188,47,101,147,94,74 +DB 192,192,39,192,78,231,157,142,192,192,39,192,78,231,157,142 +DB 222,222,95,222,190,129,161,96,222,222,95,222,190,129,161,96 +DB 28,28,112,28,224,108,56,252,28,28,112,28,224,108,56,252 +DB 253,253,211,253,187,46,231,70,253,253,211,253,187,46,231,70 +DB 77,77,41,77,82,100,154,31,77,77,41,77,82,100,154,31 +DB 146,146,114,146,228,224,57,118,146,146,114,146,228,224,57,118 +DB 117,117,201,117,143,188,234,250,117,117,201,117,143,188,234,250 +DB 6,6,24,6,48,30,12,54,6,6,24,6,48,30,12,54 +DB 138,138,18,138,36,152,9,174,138,138,18,138,36,152,9,174 +DB 178,178,242,178,249,64,121,75,178,178,242,178,249,64,121,75 +DB 230,230,191,230,99,89,209,133,230,230,191,230,99,89,209,133 +DB 14,14,56,14,112,54,28,126,14,14,56,14,112,54,28,126 +DB 31,31,124,31,248,99,62,231,31,31,124,31,248,99,62,231 +DB 98,98,149,98,55,247,196,85,98,98,149,98,55,247,196,85 +DB 212,212,119,212,238,163,181,58,212,212,119,212,238,163,181,58 +DB 168,168,154,168,41,50,77,129,168,168,154,168,41,50,77,129 +DB 150,150,98,150,196,244,49,82,150,150,98,150,196,244,49,82 +DB 249,249,195,249,155,58,239,98,249,249,195,249,155,58,239,98 +DB 197,197,51,197,102,246,151,163,197,197,51,197,102,246,151,163 +DB 37,37,148,37,53,177,74,16,37,37,148,37,53,177,74,16 +DB 89,89,121,89,242,32,178,171,89,89,121,89,242,32,178,171 +DB 132,132,42,132,84,174,21,208,132,132,42,132,84,174,21,208 +DB 
114,114,213,114,183,167,228,197,114,114,213,114,183,167,228,197 +DB 57,57,228,57,213,221,114,236,57,57,228,57,213,221,114,236 +DB 76,76,45,76,90,97,152,22,76,76,45,76,90,97,152,22 +DB 94,94,101,94,202,59,188,148,94,94,101,94,202,59,188,148 +DB 120,120,253,120,231,133,240,159,120,120,253,120,231,133,240,159 +DB 56,56,224,56,221,216,112,229,56,56,224,56,221,216,112,229 +DB 140,140,10,140,20,134,5,152,140,140,10,140,20,134,5,152 +DB 209,209,99,209,198,178,191,23,209,209,99,209,198,178,191,23 +DB 165,165,174,165,65,11,87,228,165,165,174,165,65,11,87,228 +DB 226,226,175,226,67,77,217,161,226,226,175,226,67,77,217,161 +DB 97,97,153,97,47,248,194,78,97,97,153,97,47,248,194,78 +DB 179,179,246,179,241,69,123,66,179,179,246,179,241,69,123,66 +DB 33,33,132,33,21,165,66,52,33,33,132,33,21,165,66,52 +DB 156,156,74,156,148,214,37,8,156,156,74,156,148,214,37,8 +DB 30,30,120,30,240,102,60,238,30,30,120,30,240,102,60,238 +DB 67,67,17,67,34,82,134,97,67,67,17,67,34,82,134,97 +DB 199,199,59,199,118,252,147,177,199,199,59,199,118,252,147,177 +DB 252,252,215,252,179,43,229,79,252,252,215,252,179,43,229,79 +DB 4,4,16,4,32,20,8,36,4,4,16,4,32,20,8,36 +DB 81,81,89,81,178,8,162,227,81,81,89,81,178,8,162,227 +DB 153,153,94,153,188,199,47,37,153,153,94,153,188,199,47,37 +DB 109,109,169,109,79,196,218,34,109,109,169,109,79,196,218,34 +DB 13,13,52,13,104,57,26,101,13,13,52,13,104,57,26,101 +DB 250,250,207,250,131,53,233,121,250,250,207,250,131,53,233,121 +DB 223,223,91,223,182,132,163,105,223,223,91,223,182,132,163,105 +DB 126,126,229,126,215,155,252,169,126,126,229,126,215,155,252,169 +DB 36,36,144,36,61,180,72,25,36,36,144,36,61,180,72,25 +DB 59,59,236,59,197,215,118,254,59,59,236,59,197,215,118,254 +DB 171,171,150,171,49,61,75,154,171,171,150,171,49,61,75,154 +DB 206,206,31,206,62,209,129,240,206,206,31,206,62,209,129,240 +DB 17,17,68,17,136,85,34,153,17,17,68,17,136,85,34,153 +DB 143,143,6,143,12,137,3,131,143,143,6,143,12,137,3,131 +DB 78,78,37,78,74,107,156,4,78,78,37,78,74,107,156,4 +DB 
183,183,230,183,209,81,115,102,183,183,230,183,209,81,115,102 +DB 235,235,139,235,11,96,203,224,235,235,139,235,11,96,203,224 +DB 60,60,240,60,253,204,120,193,60,60,240,60,253,204,120,193 +DB 129,129,62,129,124,191,31,253,129,129,62,129,124,191,31,253 +DB 148,148,106,148,212,254,53,64,148,148,106,148,212,254,53,64 +DB 247,247,251,247,235,12,243,28,247,247,251,247,235,12,243,28 +DB 185,185,222,185,161,103,111,24,185,185,222,185,161,103,111,24 +DB 19,19,76,19,152,95,38,139,19,19,76,19,152,95,38,139 +DB 44,44,176,44,125,156,88,81,44,44,176,44,125,156,88,81 +DB 211,211,107,211,214,184,187,5,211,211,107,211,214,184,187,5 +DB 231,231,187,231,107,92,211,140,231,231,187,231,107,92,211,140 +DB 110,110,165,110,87,203,220,57,110,110,165,110,87,203,220,57 +DB 196,196,55,196,110,243,149,170,196,196,55,196,110,243,149,170 +DB 3,3,12,3,24,15,6,27,3,3,12,3,24,15,6,27 +DB 86,86,69,86,138,19,172,220,86,86,69,86,138,19,172,220 +DB 68,68,13,68,26,73,136,94,68,68,13,68,26,73,136,94 +DB 127,127,225,127,223,158,254,160,127,127,225,127,223,158,254,160 +DB 169,169,158,169,33,55,79,136,169,169,158,169,33,55,79,136 +DB 42,42,168,42,77,130,84,103,42,42,168,42,77,130,84,103 +DB 187,187,214,187,177,109,107,10,187,187,214,187,177,109,107,10 +DB 193,193,35,193,70,226,159,135,193,193,35,193,70,226,159,135 +DB 83,83,81,83,162,2,166,241,83,83,81,83,162,2,166,241 +DB 220,220,87,220,174,139,165,114,220,220,87,220,174,139,165,114 +DB 11,11,44,11,88,39,22,83,11,11,44,11,88,39,22,83 +DB 157,157,78,157,156,211,39,1,157,157,78,157,156,211,39,1 +DB 108,108,173,108,71,193,216,43,108,108,173,108,71,193,216,43 +DB 49,49,196,49,149,245,98,164,49,49,196,49,149,245,98,164 +DB 116,116,205,116,135,185,232,243,116,116,205,116,135,185,232,243 +DB 246,246,255,246,227,9,241,21,246,246,255,246,227,9,241,21 +DB 70,70,5,70,10,67,140,76,70,70,5,70,10,67,140,76 +DB 172,172,138,172,9,38,69,165,172,172,138,172,9,38,69,165 +DB 137,137,30,137,60,151,15,181,137,137,30,137,60,151,15,181 +DB 
20,20,80,20,160,68,40,180,20,20,80,20,160,68,40,180 +DB 225,225,163,225,91,66,223,186,225,225,163,225,91,66,223,186 +DB 22,22,88,22,176,78,44,166,22,22,88,22,176,78,44,166 +DB 58,58,232,58,205,210,116,247,58,58,232,58,205,210,116,247 +DB 105,105,185,105,111,208,210,6,105,105,185,105,111,208,210,6 +DB 9,9,36,9,72,45,18,65,9,9,36,9,72,45,18,65 +DB 112,112,221,112,167,173,224,215,112,112,221,112,167,173,224,215 +DB 182,182,226,182,217,84,113,111,182,182,226,182,217,84,113,111 +DB 208,208,103,208,206,183,189,30,208,208,103,208,206,183,189,30 +DB 237,237,147,237,59,126,199,214,237,237,147,237,59,126,199,214 +DB 204,204,23,204,46,219,133,226,204,204,23,204,46,219,133,226 +DB 66,66,21,66,42,87,132,104,66,66,21,66,42,87,132,104 +DB 152,152,90,152,180,194,45,44,152,152,90,152,180,194,45,44 +DB 164,164,170,164,73,14,85,237,164,164,170,164,73,14,85,237 +DB 40,40,160,40,93,136,80,117,40,40,160,40,93,136,80,117 +DB 92,92,109,92,218,49,184,134,92,92,109,92,218,49,184,134 +DB 248,248,199,248,147,63,237,107,248,248,199,248,147,63,237,107 +DB 134,134,34,134,68,164,17,194,134,134,34,134,68,164,17,194 +DB 24,35,198,232,135,184,1,79 +DB 54,166,210,245,121,111,145,82 +DB 96,188,155,142,163,12,123,53 +DB 29,224,215,194,46,75,254,87 +DB 21,119,55,229,159,240,74,218 +DB 88,201,41,10,177,160,107,133 +DB 189,93,16,244,203,62,5,103 +DB 228,39,65,139,167,125,149,216 +DB 251,238,124,102,221,23,71,158 +DB 202,45,191,7,173,90,131,51 + +.text$ ENDS +END + diff --git a/crypto/whrlpool/wp-mingw64-x86_64.S b/crypto/whrlpool/wp-mingw64-x86_64.S new file mode 100644 index 0000000..ea9f6cf --- /dev/null +++ b/crypto/whrlpool/wp-mingw64-x86_64.S 
@@ -0,0 +1,869 @@ +#include "x86_arch.h" +.text + +.globl whirlpool_block +.def whirlpool_block; .scl 2; .type 32; .endef +.p2align 4 +whirlpool_block: + movq %rdi,8(%rsp) + movq %rsi,16(%rsp) + movq %rsp,%rax +.LSEH_begin_whirlpool_block: + movq %rcx,%rdi + movq %rdx,%rsi + movq %r8,%rdx + + pushq %rbx + pushq %rbp + pushq %r12 + pushq %r13 + pushq %r14 + pushq %r15 + + movq %rsp,%r11 + subq $128+40,%rsp + andq $-64,%rsp + + leaq 128(%rsp),%r10 + movq %rdi,0(%r10) + movq %rsi,8(%r10) + movq %rdx,16(%r10) + movq %r11,32(%r10) +.Lprologue: + + movq %r10,%rbx + leaq .Ltable(%rip),%rbp + + xorq %rcx,%rcx + xorq %rdx,%rdx + movq 0(%rdi),%r8 + movq 8(%rdi),%r9 + movq 16(%rdi),%r10 + movq 24(%rdi),%r11 + movq 32(%rdi),%r12 + movq 40(%rdi),%r13 + movq 48(%rdi),%r14 + movq 56(%rdi),%r15 +.Louterloop: + movq %r8,0(%rsp) + movq %r9,8(%rsp) + movq %r10,16(%rsp) + movq %r11,24(%rsp) + movq %r12,32(%rsp) + movq %r13,40(%rsp) + movq %r14,48(%rsp) + movq %r15,56(%rsp) + xorq 0(%rsi),%r8 + xorq 8(%rsi),%r9 + xorq 16(%rsi),%r10 + xorq 24(%rsi),%r11 + xorq 32(%rsi),%r12 + xorq 40(%rsi),%r13 + xorq 48(%rsi),%r14 + xorq 56(%rsi),%r15 + movq %r8,64+0(%rsp) + movq %r9,64+8(%rsp) + movq %r10,64+16(%rsp) + movq %r11,64+24(%rsp) + movq %r12,64+32(%rsp) + movq %r13,64+40(%rsp) + movq %r14,64+48(%rsp) + movq %r15,64+56(%rsp) + xorq %rsi,%rsi + movq %rsi,24(%rbx) +.p2align 4 +.Lround: + movq 4096(%rbp,%rsi,8),%r8 + movl 0(%rsp),%eax + movl 4(%rsp),%ebx + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r8 + movq 7(%rbp,%rdi,8),%r9 + movb %al,%cl + movb %ah,%dl + movl 0+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + movq 6(%rbp,%rsi,8),%r10 + movq 5(%rbp,%rdi,8),%r11 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + movq 4(%rbp,%rsi,8),%r12 + movq 3(%rbp,%rdi,8),%r13 + movb %bl,%cl + movb %bh,%dl + movl 0+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq 
(%rdx,%rdx,1),%rdi + movq 2(%rbp,%rsi,8),%r14 + movq 1(%rbp,%rdi,8),%r15 + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r9 + xorq 7(%rbp,%rdi,8),%r10 + movb %al,%cl + movb %ah,%dl + movl 8+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r11 + xorq 5(%rbp,%rdi,8),%r12 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r13 + xorq 3(%rbp,%rdi,8),%r14 + movb %bl,%cl + movb %bh,%dl + movl 8+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r15 + xorq 1(%rbp,%rdi,8),%r8 + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r10 + xorq 7(%rbp,%rdi,8),%r11 + movb %al,%cl + movb %ah,%dl + movl 16+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r12 + xorq 5(%rbp,%rdi,8),%r13 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r14 + xorq 3(%rbp,%rdi,8),%r15 + movb %bl,%cl + movb %bh,%dl + movl 16+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r8 + xorq 1(%rbp,%rdi,8),%r9 + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r11 + xorq 7(%rbp,%rdi,8),%r12 + movb %al,%cl + movb %ah,%dl + movl 24+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r13 + xorq 5(%rbp,%rdi,8),%r14 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r15 + xorq 3(%rbp,%rdi,8),%r8 + movb %bl,%cl + movb %bh,%dl + movl 24+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r9 + xorq 1(%rbp,%rdi,8),%r10 + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq 
(%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r12 + xorq 7(%rbp,%rdi,8),%r13 + movb %al,%cl + movb %ah,%dl + movl 32+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r14 + xorq 5(%rbp,%rdi,8),%r15 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r8 + xorq 3(%rbp,%rdi,8),%r9 + movb %bl,%cl + movb %bh,%dl + movl 32+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r10 + xorq 1(%rbp,%rdi,8),%r11 + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r13 + xorq 7(%rbp,%rdi,8),%r14 + movb %al,%cl + movb %ah,%dl + movl 40+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r15 + xorq 5(%rbp,%rdi,8),%r8 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r9 + xorq 3(%rbp,%rdi,8),%r10 + movb %bl,%cl + movb %bh,%dl + movl 40+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r11 + xorq 1(%rbp,%rdi,8),%r12 + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r14 + xorq 7(%rbp,%rdi,8),%r15 + movb %al,%cl + movb %ah,%dl + movl 48+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r8 + xorq 5(%rbp,%rdi,8),%r9 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r10 + xorq 3(%rbp,%rdi,8),%r11 + movb %bl,%cl + movb %bh,%dl + movl 48+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r12 + xorq 1(%rbp,%rdi,8),%r13 + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r15 + xorq 7(%rbp,%rdi,8),%r8 + movb %al,%cl + movb %ah,%dl + movl 
56+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r9 + xorq 5(%rbp,%rdi,8),%r10 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r11 + xorq 3(%rbp,%rdi,8),%r12 + movb %bl,%cl + movb %bh,%dl + movl 56+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r13 + xorq 1(%rbp,%rdi,8),%r14 + movq %r8,0(%rsp) + movq %r9,8(%rsp) + movq %r10,16(%rsp) + movq %r11,24(%rsp) + movq %r12,32(%rsp) + movq %r13,40(%rsp) + movq %r14,48(%rsp) + movq %r15,56(%rsp) + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r8 + xorq 7(%rbp,%rdi,8),%r9 + movb %al,%cl + movb %ah,%dl + movl 64+0+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r10 + xorq 5(%rbp,%rdi,8),%r11 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r12 + xorq 3(%rbp,%rdi,8),%r13 + movb %bl,%cl + movb %bh,%dl + movl 64+0+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r14 + xorq 1(%rbp,%rdi,8),%r15 + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r9 + xorq 7(%rbp,%rdi,8),%r10 + movb %al,%cl + movb %ah,%dl + movl 64+8+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r11 + xorq 5(%rbp,%rdi,8),%r12 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r13 + xorq 3(%rbp,%rdi,8),%r14 + movb %bl,%cl + movb %bh,%dl + movl 64+8+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r15 + xorq 1(%rbp,%rdi,8),%r8 + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r10 + xorq 
7(%rbp,%rdi,8),%r11 + movb %al,%cl + movb %ah,%dl + movl 64+16+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r12 + xorq 5(%rbp,%rdi,8),%r13 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r14 + xorq 3(%rbp,%rdi,8),%r15 + movb %bl,%cl + movb %bh,%dl + movl 64+16+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r8 + xorq 1(%rbp,%rdi,8),%r9 + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r11 + xorq 7(%rbp,%rdi,8),%r12 + movb %al,%cl + movb %ah,%dl + movl 64+24+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r13 + xorq 5(%rbp,%rdi,8),%r14 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r15 + xorq 3(%rbp,%rdi,8),%r8 + movb %bl,%cl + movb %bh,%dl + movl 64+24+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r9 + xorq 1(%rbp,%rdi,8),%r10 + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r12 + xorq 7(%rbp,%rdi,8),%r13 + movb %al,%cl + movb %ah,%dl + movl 64+32+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r14 + xorq 5(%rbp,%rdi,8),%r15 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r8 + xorq 3(%rbp,%rdi,8),%r9 + movb %bl,%cl + movb %bh,%dl + movl 64+32+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r10 + xorq 1(%rbp,%rdi,8),%r11 + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r13 + xorq 7(%rbp,%rdi,8),%r14 + movb %al,%cl + movb %ah,%dl + movl 64+40+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq 
(%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r15 + xorq 5(%rbp,%rdi,8),%r8 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r9 + xorq 3(%rbp,%rdi,8),%r10 + movb %bl,%cl + movb %bh,%dl + movl 64+40+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r11 + xorq 1(%rbp,%rdi,8),%r12 + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r14 + xorq 7(%rbp,%rdi,8),%r15 + movb %al,%cl + movb %ah,%dl + movl 64+48+8(%rsp),%eax + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r8 + xorq 5(%rbp,%rdi,8),%r9 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r10 + xorq 3(%rbp,%rdi,8),%r11 + movb %bl,%cl + movb %bh,%dl + movl 64+48+8+4(%rsp),%ebx + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r12 + xorq 1(%rbp,%rdi,8),%r13 + movb %al,%cl + movb %ah,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%eax + xorq 0(%rbp,%rsi,8),%r15 + xorq 7(%rbp,%rdi,8),%r8 + movb %al,%cl + movb %ah,%dl + + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 6(%rbp,%rsi,8),%r9 + xorq 5(%rbp,%rdi,8),%r10 + movb %bl,%cl + movb %bh,%dl + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + shrl $16,%ebx + xorq 4(%rbp,%rsi,8),%r11 + xorq 3(%rbp,%rdi,8),%r12 + movb %bl,%cl + movb %bh,%dl + + leaq (%rcx,%rcx,1),%rsi + leaq (%rdx,%rdx,1),%rdi + xorq 2(%rbp,%rsi,8),%r13 + xorq 1(%rbp,%rdi,8),%r14 + leaq 128(%rsp),%rbx + movq 24(%rbx),%rsi + addq $1,%rsi + cmpq $10,%rsi + je .Lroundsdone + + movq %rsi,24(%rbx) + movq %r8,64+0(%rsp) + movq %r9,64+8(%rsp) + movq %r10,64+16(%rsp) + movq %r11,64+24(%rsp) + movq %r12,64+32(%rsp) + movq %r13,64+40(%rsp) + movq %r14,64+48(%rsp) + movq %r15,64+56(%rsp) + jmp .Lround +.p2align 4 +.Lroundsdone: + movq 0(%rbx),%rdi + movq 8(%rbx),%rsi + movq 16(%rbx),%rax + 
xorq 0(%rsi),%r8 + xorq 8(%rsi),%r9 + xorq 16(%rsi),%r10 + xorq 24(%rsi),%r11 + xorq 32(%rsi),%r12 + xorq 40(%rsi),%r13 + xorq 48(%rsi),%r14 + xorq 56(%rsi),%r15 + xorq 0(%rdi),%r8 + xorq 8(%rdi),%r9 + xorq 16(%rdi),%r10 + xorq 24(%rdi),%r11 + xorq 32(%rdi),%r12 + xorq 40(%rdi),%r13 + xorq 48(%rdi),%r14 + xorq 56(%rdi),%r15 + movq %r8,0(%rdi) + movq %r9,8(%rdi) + movq %r10,16(%rdi) + movq %r11,24(%rdi) + movq %r12,32(%rdi) + movq %r13,40(%rdi) + movq %r14,48(%rdi) + movq %r15,56(%rdi) + leaq 64(%rsi),%rsi + subq $1,%rax + jz .Lalldone + movq %rsi,8(%rbx) + movq %rax,16(%rbx) + jmp .Louterloop +.Lalldone: + movq 32(%rbx),%rsi + movq (%rsi),%r15 + movq 8(%rsi),%r14 + movq 16(%rsi),%r13 + movq 24(%rsi),%r12 + movq 32(%rsi),%rbp + movq 40(%rsi),%rbx + leaq 48(%rsi),%rsp +.Lepilogue: + movq 8(%rsp),%rdi + movq 16(%rsp),%rsi + retq +.LSEH_end_whirlpool_block: + +.p2align 6 + +.Ltable: +.byte 24,24,96,24,192,120,48,216,24,24,96,24,192,120,48,216 +.byte 35,35,140,35,5,175,70,38,35,35,140,35,5,175,70,38 +.byte 198,198,63,198,126,249,145,184,198,198,63,198,126,249,145,184 +.byte 232,232,135,232,19,111,205,251,232,232,135,232,19,111,205,251 +.byte 135,135,38,135,76,161,19,203,135,135,38,135,76,161,19,203 +.byte 184,184,218,184,169,98,109,17,184,184,218,184,169,98,109,17 +.byte 1,1,4,1,8,5,2,9,1,1,4,1,8,5,2,9 +.byte 79,79,33,79,66,110,158,13,79,79,33,79,66,110,158,13 +.byte 54,54,216,54,173,238,108,155,54,54,216,54,173,238,108,155 +.byte 166,166,162,166,89,4,81,255,166,166,162,166,89,4,81,255 +.byte 210,210,111,210,222,189,185,12,210,210,111,210,222,189,185,12 +.byte 245,245,243,245,251,6,247,14,245,245,243,245,251,6,247,14 +.byte 121,121,249,121,239,128,242,150,121,121,249,121,239,128,242,150 +.byte 111,111,161,111,95,206,222,48,111,111,161,111,95,206,222,48 +.byte 145,145,126,145,252,239,63,109,145,145,126,145,252,239,63,109 +.byte 82,82,85,82,170,7,164,248,82,82,85,82,170,7,164,248 +.byte 96,96,157,96,39,253,192,71,96,96,157,96,39,253,192,71 +.byte 
188,188,202,188,137,118,101,53,188,188,202,188,137,118,101,53 +.byte 155,155,86,155,172,205,43,55,155,155,86,155,172,205,43,55 +.byte 142,142,2,142,4,140,1,138,142,142,2,142,4,140,1,138 +.byte 163,163,182,163,113,21,91,210,163,163,182,163,113,21,91,210 +.byte 12,12,48,12,96,60,24,108,12,12,48,12,96,60,24,108 +.byte 123,123,241,123,255,138,246,132,123,123,241,123,255,138,246,132 +.byte 53,53,212,53,181,225,106,128,53,53,212,53,181,225,106,128 +.byte 29,29,116,29,232,105,58,245,29,29,116,29,232,105,58,245 +.byte 224,224,167,224,83,71,221,179,224,224,167,224,83,71,221,179 +.byte 215,215,123,215,246,172,179,33,215,215,123,215,246,172,179,33 +.byte 194,194,47,194,94,237,153,156,194,194,47,194,94,237,153,156 +.byte 46,46,184,46,109,150,92,67,46,46,184,46,109,150,92,67 +.byte 75,75,49,75,98,122,150,41,75,75,49,75,98,122,150,41 +.byte 254,254,223,254,163,33,225,93,254,254,223,254,163,33,225,93 +.byte 87,87,65,87,130,22,174,213,87,87,65,87,130,22,174,213 +.byte 21,21,84,21,168,65,42,189,21,21,84,21,168,65,42,189 +.byte 119,119,193,119,159,182,238,232,119,119,193,119,159,182,238,232 +.byte 55,55,220,55,165,235,110,146,55,55,220,55,165,235,110,146 +.byte 229,229,179,229,123,86,215,158,229,229,179,229,123,86,215,158 +.byte 159,159,70,159,140,217,35,19,159,159,70,159,140,217,35,19 +.byte 240,240,231,240,211,23,253,35,240,240,231,240,211,23,253,35 +.byte 74,74,53,74,106,127,148,32,74,74,53,74,106,127,148,32 +.byte 218,218,79,218,158,149,169,68,218,218,79,218,158,149,169,68 +.byte 88,88,125,88,250,37,176,162,88,88,125,88,250,37,176,162 +.byte 201,201,3,201,6,202,143,207,201,201,3,201,6,202,143,207 +.byte 41,41,164,41,85,141,82,124,41,41,164,41,85,141,82,124 +.byte 10,10,40,10,80,34,20,90,10,10,40,10,80,34,20,90 +.byte 177,177,254,177,225,79,127,80,177,177,254,177,225,79,127,80 +.byte 160,160,186,160,105,26,93,201,160,160,186,160,105,26,93,201 +.byte 107,107,177,107,127,218,214,20,107,107,177,107,127,218,214,20 +.byte 133,133,46,133,92,171,23,217,133,133,46,133,92,171,23,217 
+.byte 189,189,206,189,129,115,103,60,189,189,206,189,129,115,103,60 +.byte 93,93,105,93,210,52,186,143,93,93,105,93,210,52,186,143 +.byte 16,16,64,16,128,80,32,144,16,16,64,16,128,80,32,144 +.byte 244,244,247,244,243,3,245,7,244,244,247,244,243,3,245,7 +.byte 203,203,11,203,22,192,139,221,203,203,11,203,22,192,139,221 +.byte 62,62,248,62,237,198,124,211,62,62,248,62,237,198,124,211 +.byte 5,5,20,5,40,17,10,45,5,5,20,5,40,17,10,45 +.byte 103,103,129,103,31,230,206,120,103,103,129,103,31,230,206,120 +.byte 228,228,183,228,115,83,213,151,228,228,183,228,115,83,213,151 +.byte 39,39,156,39,37,187,78,2,39,39,156,39,37,187,78,2 +.byte 65,65,25,65,50,88,130,115,65,65,25,65,50,88,130,115 +.byte 139,139,22,139,44,157,11,167,139,139,22,139,44,157,11,167 +.byte 167,167,166,167,81,1,83,246,167,167,166,167,81,1,83,246 +.byte 125,125,233,125,207,148,250,178,125,125,233,125,207,148,250,178 +.byte 149,149,110,149,220,251,55,73,149,149,110,149,220,251,55,73 +.byte 216,216,71,216,142,159,173,86,216,216,71,216,142,159,173,86 +.byte 251,251,203,251,139,48,235,112,251,251,203,251,139,48,235,112 +.byte 238,238,159,238,35,113,193,205,238,238,159,238,35,113,193,205 +.byte 124,124,237,124,199,145,248,187,124,124,237,124,199,145,248,187 +.byte 102,102,133,102,23,227,204,113,102,102,133,102,23,227,204,113 +.byte 221,221,83,221,166,142,167,123,221,221,83,221,166,142,167,123 +.byte 23,23,92,23,184,75,46,175,23,23,92,23,184,75,46,175 +.byte 71,71,1,71,2,70,142,69,71,71,1,71,2,70,142,69 +.byte 158,158,66,158,132,220,33,26,158,158,66,158,132,220,33,26 +.byte 202,202,15,202,30,197,137,212,202,202,15,202,30,197,137,212 +.byte 45,45,180,45,117,153,90,88,45,45,180,45,117,153,90,88 +.byte 191,191,198,191,145,121,99,46,191,191,198,191,145,121,99,46 +.byte 7,7,28,7,56,27,14,63,7,7,28,7,56,27,14,63 +.byte 173,173,142,173,1,35,71,172,173,173,142,173,1,35,71,172 +.byte 90,90,117,90,234,47,180,176,90,90,117,90,234,47,180,176 +.byte 131,131,54,131,108,181,27,239,131,131,54,131,108,181,27,239 +.byte 
51,51,204,51,133,255,102,182,51,51,204,51,133,255,102,182 +.byte 99,99,145,99,63,242,198,92,99,99,145,99,63,242,198,92 +.byte 2,2,8,2,16,10,4,18,2,2,8,2,16,10,4,18 +.byte 170,170,146,170,57,56,73,147,170,170,146,170,57,56,73,147 +.byte 113,113,217,113,175,168,226,222,113,113,217,113,175,168,226,222 +.byte 200,200,7,200,14,207,141,198,200,200,7,200,14,207,141,198 +.byte 25,25,100,25,200,125,50,209,25,25,100,25,200,125,50,209 +.byte 73,73,57,73,114,112,146,59,73,73,57,73,114,112,146,59 +.byte 217,217,67,217,134,154,175,95,217,217,67,217,134,154,175,95 +.byte 242,242,239,242,195,29,249,49,242,242,239,242,195,29,249,49 +.byte 227,227,171,227,75,72,219,168,227,227,171,227,75,72,219,168 +.byte 91,91,113,91,226,42,182,185,91,91,113,91,226,42,182,185 +.byte 136,136,26,136,52,146,13,188,136,136,26,136,52,146,13,188 +.byte 154,154,82,154,164,200,41,62,154,154,82,154,164,200,41,62 +.byte 38,38,152,38,45,190,76,11,38,38,152,38,45,190,76,11 +.byte 50,50,200,50,141,250,100,191,50,50,200,50,141,250,100,191 +.byte 176,176,250,176,233,74,125,89,176,176,250,176,233,74,125,89 +.byte 233,233,131,233,27,106,207,242,233,233,131,233,27,106,207,242 +.byte 15,15,60,15,120,51,30,119,15,15,60,15,120,51,30,119 +.byte 213,213,115,213,230,166,183,51,213,213,115,213,230,166,183,51 +.byte 128,128,58,128,116,186,29,244,128,128,58,128,116,186,29,244 +.byte 190,190,194,190,153,124,97,39,190,190,194,190,153,124,97,39 +.byte 205,205,19,205,38,222,135,235,205,205,19,205,38,222,135,235 +.byte 52,52,208,52,189,228,104,137,52,52,208,52,189,228,104,137 +.byte 72,72,61,72,122,117,144,50,72,72,61,72,122,117,144,50 +.byte 255,255,219,255,171,36,227,84,255,255,219,255,171,36,227,84 +.byte 122,122,245,122,247,143,244,141,122,122,245,122,247,143,244,141 +.byte 144,144,122,144,244,234,61,100,144,144,122,144,244,234,61,100 +.byte 95,95,97,95,194,62,190,157,95,95,97,95,194,62,190,157 +.byte 32,32,128,32,29,160,64,61,32,32,128,32,29,160,64,61 +.byte 104,104,189,104,103,213,208,15,104,104,189,104,103,213,208,15 
+.byte 26,26,104,26,208,114,52,202,26,26,104,26,208,114,52,202 +.byte 174,174,130,174,25,44,65,183,174,174,130,174,25,44,65,183 +.byte 180,180,234,180,201,94,117,125,180,180,234,180,201,94,117,125 +.byte 84,84,77,84,154,25,168,206,84,84,77,84,154,25,168,206 +.byte 147,147,118,147,236,229,59,127,147,147,118,147,236,229,59,127 +.byte 34,34,136,34,13,170,68,47,34,34,136,34,13,170,68,47 +.byte 100,100,141,100,7,233,200,99,100,100,141,100,7,233,200,99 +.byte 241,241,227,241,219,18,255,42,241,241,227,241,219,18,255,42 +.byte 115,115,209,115,191,162,230,204,115,115,209,115,191,162,230,204 +.byte 18,18,72,18,144,90,36,130,18,18,72,18,144,90,36,130 +.byte 64,64,29,64,58,93,128,122,64,64,29,64,58,93,128,122 +.byte 8,8,32,8,64,40,16,72,8,8,32,8,64,40,16,72 +.byte 195,195,43,195,86,232,155,149,195,195,43,195,86,232,155,149 +.byte 236,236,151,236,51,123,197,223,236,236,151,236,51,123,197,223 +.byte 219,219,75,219,150,144,171,77,219,219,75,219,150,144,171,77 +.byte 161,161,190,161,97,31,95,192,161,161,190,161,97,31,95,192 +.byte 141,141,14,141,28,131,7,145,141,141,14,141,28,131,7,145 +.byte 61,61,244,61,245,201,122,200,61,61,244,61,245,201,122,200 +.byte 151,151,102,151,204,241,51,91,151,151,102,151,204,241,51,91 +.byte 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 +.byte 207,207,27,207,54,212,131,249,207,207,27,207,54,212,131,249 +.byte 43,43,172,43,69,135,86,110,43,43,172,43,69,135,86,110 +.byte 118,118,197,118,151,179,236,225,118,118,197,118,151,179,236,225 +.byte 130,130,50,130,100,176,25,230,130,130,50,130,100,176,25,230 +.byte 214,214,127,214,254,169,177,40,214,214,127,214,254,169,177,40 +.byte 27,27,108,27,216,119,54,195,27,27,108,27,216,119,54,195 +.byte 181,181,238,181,193,91,119,116,181,181,238,181,193,91,119,116 +.byte 175,175,134,175,17,41,67,190,175,175,134,175,17,41,67,190 +.byte 106,106,181,106,119,223,212,29,106,106,181,106,119,223,212,29 +.byte 80,80,93,80,186,13,160,234,80,80,93,80,186,13,160,234 +.byte 69,69,9,69,18,76,138,87,69,69,9,69,18,76,138,87 +.byte 
243,243,235,243,203,24,251,56,243,243,235,243,203,24,251,56 +.byte 48,48,192,48,157,240,96,173,48,48,192,48,157,240,96,173 +.byte 239,239,155,239,43,116,195,196,239,239,155,239,43,116,195,196 +.byte 63,63,252,63,229,195,126,218,63,63,252,63,229,195,126,218 +.byte 85,85,73,85,146,28,170,199,85,85,73,85,146,28,170,199 +.byte 162,162,178,162,121,16,89,219,162,162,178,162,121,16,89,219 +.byte 234,234,143,234,3,101,201,233,234,234,143,234,3,101,201,233 +.byte 101,101,137,101,15,236,202,106,101,101,137,101,15,236,202,106 +.byte 186,186,210,186,185,104,105,3,186,186,210,186,185,104,105,3 +.byte 47,47,188,47,101,147,94,74,47,47,188,47,101,147,94,74 +.byte 192,192,39,192,78,231,157,142,192,192,39,192,78,231,157,142 +.byte 222,222,95,222,190,129,161,96,222,222,95,222,190,129,161,96 +.byte 28,28,112,28,224,108,56,252,28,28,112,28,224,108,56,252 +.byte 253,253,211,253,187,46,231,70,253,253,211,253,187,46,231,70 +.byte 77,77,41,77,82,100,154,31,77,77,41,77,82,100,154,31 +.byte 146,146,114,146,228,224,57,118,146,146,114,146,228,224,57,118 +.byte 117,117,201,117,143,188,234,250,117,117,201,117,143,188,234,250 +.byte 6,6,24,6,48,30,12,54,6,6,24,6,48,30,12,54 +.byte 138,138,18,138,36,152,9,174,138,138,18,138,36,152,9,174 +.byte 178,178,242,178,249,64,121,75,178,178,242,178,249,64,121,75 +.byte 230,230,191,230,99,89,209,133,230,230,191,230,99,89,209,133 +.byte 14,14,56,14,112,54,28,126,14,14,56,14,112,54,28,126 +.byte 31,31,124,31,248,99,62,231,31,31,124,31,248,99,62,231 +.byte 98,98,149,98,55,247,196,85,98,98,149,98,55,247,196,85 +.byte 212,212,119,212,238,163,181,58,212,212,119,212,238,163,181,58 +.byte 168,168,154,168,41,50,77,129,168,168,154,168,41,50,77,129 +.byte 150,150,98,150,196,244,49,82,150,150,98,150,196,244,49,82 +.byte 249,249,195,249,155,58,239,98,249,249,195,249,155,58,239,98 +.byte 197,197,51,197,102,246,151,163,197,197,51,197,102,246,151,163 +.byte 37,37,148,37,53,177,74,16,37,37,148,37,53,177,74,16 +.byte 89,89,121,89,242,32,178,171,89,89,121,89,242,32,178,171 
+.byte 132,132,42,132,84,174,21,208,132,132,42,132,84,174,21,208 +.byte 114,114,213,114,183,167,228,197,114,114,213,114,183,167,228,197 +.byte 57,57,228,57,213,221,114,236,57,57,228,57,213,221,114,236 +.byte 76,76,45,76,90,97,152,22,76,76,45,76,90,97,152,22 +.byte 94,94,101,94,202,59,188,148,94,94,101,94,202,59,188,148 +.byte 120,120,253,120,231,133,240,159,120,120,253,120,231,133,240,159 +.byte 56,56,224,56,221,216,112,229,56,56,224,56,221,216,112,229 +.byte 140,140,10,140,20,134,5,152,140,140,10,140,20,134,5,152 +.byte 209,209,99,209,198,178,191,23,209,209,99,209,198,178,191,23 +.byte 165,165,174,165,65,11,87,228,165,165,174,165,65,11,87,228 +.byte 226,226,175,226,67,77,217,161,226,226,175,226,67,77,217,161 +.byte 97,97,153,97,47,248,194,78,97,97,153,97,47,248,194,78 +.byte 179,179,246,179,241,69,123,66,179,179,246,179,241,69,123,66 +.byte 33,33,132,33,21,165,66,52,33,33,132,33,21,165,66,52 +.byte 156,156,74,156,148,214,37,8,156,156,74,156,148,214,37,8 +.byte 30,30,120,30,240,102,60,238,30,30,120,30,240,102,60,238 +.byte 67,67,17,67,34,82,134,97,67,67,17,67,34,82,134,97 +.byte 199,199,59,199,118,252,147,177,199,199,59,199,118,252,147,177 +.byte 252,252,215,252,179,43,229,79,252,252,215,252,179,43,229,79 +.byte 4,4,16,4,32,20,8,36,4,4,16,4,32,20,8,36 +.byte 81,81,89,81,178,8,162,227,81,81,89,81,178,8,162,227 +.byte 153,153,94,153,188,199,47,37,153,153,94,153,188,199,47,37 +.byte 109,109,169,109,79,196,218,34,109,109,169,109,79,196,218,34 +.byte 13,13,52,13,104,57,26,101,13,13,52,13,104,57,26,101 +.byte 250,250,207,250,131,53,233,121,250,250,207,250,131,53,233,121 +.byte 223,223,91,223,182,132,163,105,223,223,91,223,182,132,163,105 +.byte 126,126,229,126,215,155,252,169,126,126,229,126,215,155,252,169 +.byte 36,36,144,36,61,180,72,25,36,36,144,36,61,180,72,25 +.byte 59,59,236,59,197,215,118,254,59,59,236,59,197,215,118,254 +.byte 171,171,150,171,49,61,75,154,171,171,150,171,49,61,75,154 +.byte 206,206,31,206,62,209,129,240,206,206,31,206,62,209,129,240 +.byte 
17,17,68,17,136,85,34,153,17,17,68,17,136,85,34,153 +.byte 143,143,6,143,12,137,3,131,143,143,6,143,12,137,3,131 +.byte 78,78,37,78,74,107,156,4,78,78,37,78,74,107,156,4 +.byte 183,183,230,183,209,81,115,102,183,183,230,183,209,81,115,102 +.byte 235,235,139,235,11,96,203,224,235,235,139,235,11,96,203,224 +.byte 60,60,240,60,253,204,120,193,60,60,240,60,253,204,120,193 +.byte 129,129,62,129,124,191,31,253,129,129,62,129,124,191,31,253 +.byte 148,148,106,148,212,254,53,64,148,148,106,148,212,254,53,64 +.byte 247,247,251,247,235,12,243,28,247,247,251,247,235,12,243,28 +.byte 185,185,222,185,161,103,111,24,185,185,222,185,161,103,111,24 +.byte 19,19,76,19,152,95,38,139,19,19,76,19,152,95,38,139 +.byte 44,44,176,44,125,156,88,81,44,44,176,44,125,156,88,81 +.byte 211,211,107,211,214,184,187,5,211,211,107,211,214,184,187,5 +.byte 231,231,187,231,107,92,211,140,231,231,187,231,107,92,211,140 +.byte 110,110,165,110,87,203,220,57,110,110,165,110,87,203,220,57 +.byte 196,196,55,196,110,243,149,170,196,196,55,196,110,243,149,170 +.byte 3,3,12,3,24,15,6,27,3,3,12,3,24,15,6,27 +.byte 86,86,69,86,138,19,172,220,86,86,69,86,138,19,172,220 +.byte 68,68,13,68,26,73,136,94,68,68,13,68,26,73,136,94 +.byte 127,127,225,127,223,158,254,160,127,127,225,127,223,158,254,160 +.byte 169,169,158,169,33,55,79,136,169,169,158,169,33,55,79,136 +.byte 42,42,168,42,77,130,84,103,42,42,168,42,77,130,84,103 +.byte 187,187,214,187,177,109,107,10,187,187,214,187,177,109,107,10 +.byte 193,193,35,193,70,226,159,135,193,193,35,193,70,226,159,135 +.byte 83,83,81,83,162,2,166,241,83,83,81,83,162,2,166,241 +.byte 220,220,87,220,174,139,165,114,220,220,87,220,174,139,165,114 +.byte 11,11,44,11,88,39,22,83,11,11,44,11,88,39,22,83 +.byte 157,157,78,157,156,211,39,1,157,157,78,157,156,211,39,1 +.byte 108,108,173,108,71,193,216,43,108,108,173,108,71,193,216,43 +.byte 49,49,196,49,149,245,98,164,49,49,196,49,149,245,98,164 +.byte 116,116,205,116,135,185,232,243,116,116,205,116,135,185,232,243 +.byte 
246,246,255,246,227,9,241,21,246,246,255,246,227,9,241,21 +.byte 70,70,5,70,10,67,140,76,70,70,5,70,10,67,140,76 +.byte 172,172,138,172,9,38,69,165,172,172,138,172,9,38,69,165 +.byte 137,137,30,137,60,151,15,181,137,137,30,137,60,151,15,181 +.byte 20,20,80,20,160,68,40,180,20,20,80,20,160,68,40,180 +.byte 225,225,163,225,91,66,223,186,225,225,163,225,91,66,223,186 +.byte 22,22,88,22,176,78,44,166,22,22,88,22,176,78,44,166 +.byte 58,58,232,58,205,210,116,247,58,58,232,58,205,210,116,247 +.byte 105,105,185,105,111,208,210,6,105,105,185,105,111,208,210,6 +.byte 9,9,36,9,72,45,18,65,9,9,36,9,72,45,18,65 +.byte 112,112,221,112,167,173,224,215,112,112,221,112,167,173,224,215 +.byte 182,182,226,182,217,84,113,111,182,182,226,182,217,84,113,111 +.byte 208,208,103,208,206,183,189,30,208,208,103,208,206,183,189,30 +.byte 237,237,147,237,59,126,199,214,237,237,147,237,59,126,199,214 +.byte 204,204,23,204,46,219,133,226,204,204,23,204,46,219,133,226 +.byte 66,66,21,66,42,87,132,104,66,66,21,66,42,87,132,104 +.byte 152,152,90,152,180,194,45,44,152,152,90,152,180,194,45,44 +.byte 164,164,170,164,73,14,85,237,164,164,170,164,73,14,85,237 +.byte 40,40,160,40,93,136,80,117,40,40,160,40,93,136,80,117 +.byte 92,92,109,92,218,49,184,134,92,92,109,92,218,49,184,134 +.byte 248,248,199,248,147,63,237,107,248,248,199,248,147,63,237,107 +.byte 134,134,34,134,68,164,17,194,134,134,34,134,68,164,17,194 +.byte 24,35,198,232,135,184,1,79 +.byte 54,166,210,245,121,111,145,82 +.byte 96,188,155,142,163,12,123,53 +.byte 29,224,215,194,46,75,254,87 +.byte 21,119,55,229,159,240,74,218 +.byte 88,201,41,10,177,160,107,133 +.byte 189,93,16,244,203,62,5,103 +.byte 228,39,65,139,167,125,149,216 +.byte 251,238,124,102,221,23,71,158 +.byte 202,45,191,7,173,90,131,51 diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c index 01a302b..04eada8 100644 --- a/crypto/x509/by_dir.c +++ b/crypto/x509/by_dir.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: by_dir.c,v 1.38 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: by_dir.c,v 1.39 2018/08/05 14:17:12 bcook Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -103,7 +103,7 @@ static X509_LOOKUP_METHOD x509_dir_lookup = { .name = "Load certs from files in a directory", .new_item = new_dir, .free = free_dir, - .init = NULL, + .init = NULL, .shutdown = NULL, .ctrl = dir_ctrl, .get_by_subject = get_cert_by_subject, @@ -316,7 +316,7 @@ get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name, X509error(ERR_R_MALLOC_FAILURE); goto finish; } - if (type == X509_LU_CRL && ent->hashes) { + if (type == X509_LU_CRL) { htmp.hash = h; CRYPTO_r_lock(CRYPTO_LOCK_X509_STORE); idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp); diff --git a/crypto/x509v3/ext_dat.h b/crypto/x509/ext_dat.h similarity index 98% rename from crypto/x509v3/ext_dat.h rename to crypto/x509/ext_dat.h index 1bacb0d..1a7ae6e 100644 --- a/crypto/x509v3/ext_dat.h +++ b/crypto/x509/ext_dat.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ext_dat.h,v 1.13 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: ext_dat.h,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/pcy_cache.c b/crypto/x509/pcy_cache.c similarity index 99% rename from crypto/x509v3/pcy_cache.c rename to crypto/x509/pcy_cache.c index 9c8ba82..896ba7d 100644 --- a/crypto/x509v3/pcy_cache.c +++ b/crypto/x509/pcy_cache.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_cache.c,v 1.5 2014/07/11 08:44:49 jsing Exp $ */ +/* $OpenBSD: pcy_cache.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ diff --git a/crypto/x509v3/pcy_data.c b/crypto/x509/pcy_data.c similarity index 98% rename from crypto/x509v3/pcy_data.c rename to crypto/x509/pcy_data.c index b3699b0..dadacb5 100644 --- a/crypto/x509v3/pcy_data.c 
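Review bot: Dropping the `ent->hashes` guard makes the lookup call `sk_BY_DIR_HASH_find(ent->hashes, &htmp)` unconditionally, which is only sound if every BY_DIR_ENTRY is created with its hashes stack already allocated; the entry constructor (add_cert_dir, if I recall the file correctly) is outside this hunk, so I cannot confirm that invariant from here. If it holds, a comment at the simplified condition would keep the next reader from re-adding the check: `/* ent->hashes is allocated together with the entry, so it is never NULL here */`. If it does not hold, the find runs on a NULL stack while CRYPTO_LOCK_X509_STORE is held, and whether sk_*_find tolerates that depends on the stack implementation rather than on anything visible in this hunk. get_cert_by_subject begins and ends outside the hunk.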
+++ b/crypto/x509/pcy_data.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_data.c,v 1.9 2015/07/15 16:53:42 miod Exp $ */ +/* $OpenBSD: pcy_data.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ diff --git a/crypto/x509v3/pcy_int.h b/crypto/x509/pcy_int.h similarity index 99% rename from crypto/x509v3/pcy_int.h rename to crypto/x509/pcy_int.h index 92b94e2..6632b78 100644 --- a/crypto/x509v3/pcy_int.h +++ b/crypto/x509/pcy_int.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_int.h,v 1.5 2016/12/21 15:49:29 jsing Exp $ */ +/* $OpenBSD: pcy_int.h,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ diff --git a/crypto/x509v3/pcy_lib.c b/crypto/x509/pcy_lib.c similarity index 98% rename from crypto/x509v3/pcy_lib.c rename to crypto/x509/pcy_lib.c index 6f37064..3d5c58d 100644 --- a/crypto/x509v3/pcy_lib.c +++ b/crypto/x509/pcy_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_lib.c,v 1.5 2015/02/07 13:19:15 doug Exp $ */ +/* $OpenBSD: pcy_lib.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ diff --git a/crypto/x509v3/pcy_map.c b/crypto/x509/pcy_map.c similarity index 98% rename from crypto/x509v3/pcy_map.c rename to crypto/x509/pcy_map.c index 6ee1ffe..287a430 100644 --- a/crypto/x509v3/pcy_map.c +++ b/crypto/x509/pcy_map.c @@ -1,4 +1,4 @@ -/* $OpenBSD: pcy_map.c,v 1.4 2014/07/11 08:44:49 jsing Exp $ */ +/* $OpenBSD: pcy_map.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ diff --git a/crypto/x509v3/pcy_node.c b/crypto/x509/pcy_node.c similarity index 97% rename from crypto/x509v3/pcy_node.c rename to crypto/x509/pcy_node.c index ba22b26..3a0f230 100644 --- a/crypto/x509v3/pcy_node.c +++ b/crypto/x509/pcy_node.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_node.c,v 1.6 2015/07/18 00:01:05 beck Exp $ */
+/* $OpenBSD: pcy_node.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004. */
@@ -68,7 +68,8 @@ node_cmp(const X509_POLICY_NODE * const *a, const X509_POLICY_NODE * const *b)
return OBJ_cmp((*a)->data->valid_policy, (*b)->data->valid_policy);
}
-STACK_OF(X509_POLICY_NODE) *policy_node_cmp_new(void)
+STACK_OF(X509_POLICY_NODE) *
+policy_node_cmp_new(void)
{
return sk_X509_POLICY_NODE_new(node_cmp);
}
diff --git a/crypto/x509v3/pcy_tree.c b/crypto/x509/pcy_tree.c
similarity index 99%
rename from crypto/x509v3/pcy_tree.c
rename to crypto/x509/pcy_tree.c
index a56c183..d0f7cd1 100644
--- a/crypto/x509v3/pcy_tree.c
+++ b/crypto/x509/pcy_tree.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pcy_tree.c,v 1.17 2016/11/05 15:21:20 miod Exp $ */
+/* $OpenBSD: pcy_tree.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2004. */
diff --git a/crypto/x509/vpm_int.h b/crypto/x509/vpm_int.h
index 6c8061c..7fc9fef 100644
--- a/crypto/x509/vpm_int.h
+++ b/crypto/x509/vpm_int.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: vpm_int.h,v 1.3 2016/12/21 15:49:29 jsing Exp $ */
+/* $OpenBSD: vpm_int.h,v 1.4 2018/04/06 07:08:20 beck Exp $ */
/*
* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
* 2013.
@@ -69,6 +69,7 @@ struct X509_VERIFY_PARAM_ID_st {
size_t emaillen;
unsigned char *ip; /* If not NULL IP address to match */
size_t iplen; /* Length of IP address */
+ int poisoned;
};
__END_HIDDEN_DECLS
diff --git a/crypto/x509v3/v3_akey.c b/crypto/x509/x509_akey.c
similarity index 83%
rename from crypto/x509v3/v3_akey.c
rename to crypto/x509/x509_akey.c
index e2e5730..f8c7113 100644
--- a/crypto/x509v3/v3_akey.c
+++ b/crypto/x509/x509_akey.c
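Review bot: The new `poisoned` member is the only field in `X509_VERIFY_PARAM_ID_st` without a trailing comment, and its name says neither who sets it nor what a non-zero value means for verification, while the sibling fields in this hunk (`ip`, `iplen`) each carry one. I would add, hedged until checked against the X509_VERIFY_PARAM setters, `int poisoned; /* non-zero once a host/email/ip setter failed; presumably forces later verification to fail */`. The struct definition starts outside the hunk.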
@@ -1,4 +1,4 @@ -/* $OpenBSD: v3_akey.c,v 1.19 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_akey.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -87,36 +87,64 @@ const X509V3_EXT_METHOD v3_akey_id = { .usr_data = NULL, }; -static -STACK_OF(CONF_VALUE) *i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, - AUTHORITY_KEYID *akeyid, STACK_OF(CONF_VALUE) *extlist) +static STACK_OF(CONF_VALUE) * +i2v_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, AUTHORITY_KEYID *akeyid, + STACK_OF(CONF_VALUE) *extlist) { - char *tmp; + STACK_OF(CONF_VALUE) *free_extlist = NULL; + char *tmpstr = NULL; - if (akeyid->keyid) { - tmp = hex_to_string(akeyid->keyid->data, akeyid->keyid->length); - X509V3_add_value("keyid", tmp, &extlist); - free(tmp); + if (extlist == NULL) { + if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL) + return NULL; } - if (akeyid->issuer) - extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, extlist); - if (akeyid->serial) { - tmp = hex_to_string(akeyid->serial->data, - akeyid->serial->length); - X509V3_add_value("serial", tmp, &extlist); - free(tmp); + + if (akeyid->keyid != NULL) { + if ((tmpstr = hex_to_string(akeyid->keyid->data, + akeyid->keyid->length)) == NULL) + goto err; + if (!X509V3_add_value("keyid", tmpstr, &extlist)) + goto err; + free(tmpstr); + tmpstr = NULL; } + + if (akeyid->issuer != NULL) { + if ((extlist = i2v_GENERAL_NAMES(NULL, akeyid->issuer, + extlist)) == NULL) + goto err; + } + + if (akeyid->serial != NULL) { + if ((tmpstr = hex_to_string(akeyid->serial->data, + akeyid->serial->length)) == NULL) + goto err; + if (!X509V3_add_value("serial", tmpstr, &extlist)) + goto err; + free(tmpstr); + tmpstr = NULL; + } + + if (sk_CONF_VALUE_num(extlist) <= 0) + goto err; + return extlist; + + err: + free(tmpstr); + sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free); + + return NULL; } -/* Currently two options: +/* + * Currently two options: * keyid: use the issuers subject keyid, the value 'always' means its is * an error if the issuer certificate doesn't have a key id. * issuer: use the issuers cert issuer and serial number. 
The default is * to only use this if keyid is not present. With the option 'always' * this is always included. */ - static AUTHORITY_KEYID * v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values) @@ -139,8 +167,7 @@ v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, keyid = 1; if (cnf->value && !strcmp(cnf->value, "always")) keyid = 2; - } - else if (!strcmp(cnf->name, "issuer")) { + } else if (!strcmp(cnf->name, "issuer")) { issuer = 1; if (cnf->value && !strcmp(cnf->value, "always")) issuer = 2; @@ -199,7 +226,7 @@ v2i_AUTHORITY_KEYID(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, return akeyid; -err: + err: AUTHORITY_KEYID_free(akeyid); GENERAL_NAME_free(gen); sk_GENERAL_NAME_free(gens); diff --git a/crypto/x509v3/v3_akeya.c b/crypto/x509/x509_akeya.c similarity index 98% rename from crypto/x509v3/v3_akeya.c rename to crypto/x509/x509_akeya.c index 83ef1b5..aba8923 100644 --- a/crypto/x509v3/v3_akeya.c +++ b/crypto/x509/x509_akeya.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_akeya.c,v 1.7 2015/07/25 16:00:14 jsing Exp $ */ +/* $OpenBSD: x509_akeya.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_alt.c b/crypto/x509/x509_alt.c similarity index 88% rename from crypto/x509v3/v3_alt.c rename to crypto/x509/x509_alt.c index 746339b..45aaec2 100644 --- a/crypto/x509v3/v3_alt.c +++ b/crypto/x509/x509_alt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_alt.c,v 1.27 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_alt.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ 
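Review bot: The new `if (sk_CONF_VALUE_num(extlist) <= 0) goto err;` at the end of `i2v_AUTHORITY_KEYID` turns an AKID with no keyid, issuer or serial into a NULL return, and when the caller supplied `extlist` that NULL comes back with the caller's list still alive, since the err path only releases `free_extlist`; the ownership contract is now subtle enough to deserve a header comment. Something like `/* Appends the AKID fields to extlist, allocating it when NULL. On failure a list allocated here is freed while a caller-provided one is left to the caller; returns NULL if nothing was added. */`. It is also worth a one-line comment that after a failed `i2v_GENERAL_NAMES` call `extlist` has been overwritten with NULL while `free_extlist` still holds the allocation, which is the only reason the cleanup works.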
@@ -69,8 +69,8 @@ static GENERAL_NAMES *v2i_issuer_alt(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
STACK_OF(CONF_VALUE) *nval);
static int copy_email(X509V3_CTX *ctx, GENERAL_NAMES *gens, int move_p);
static int copy_issuer(X509V3_CTX *ctx, GENERAL_NAMES *gens);
-static int do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
-static int do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx);
+static int do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
+static int do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx);
const X509V3_EXT_METHOD v3_alt[] = {
{
@@ -127,57 +127,83 @@ STACK_OF(CONF_VALUE) * i2v_GENERAL_NAMES(X509V3_EXT_METHOD *method, GENERAL_NAMES *gens, STACK_OF(CONF_VALUE) *ret) { - int i; + STACK_OF(CONF_VALUE) *free_ret = NULL; GENERAL_NAME *gen; + int i; + + if (ret == NULL) { + if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL) + return NULL; + } for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { - gen = sk_GENERAL_NAME_value(gens, i); - ret = i2v_GENERAL_NAME(method, gen, ret); + if ((gen = sk_GENERAL_NAME_value(gens, i)) == NULL) + goto err; + if ((ret = i2v_GENERAL_NAME(method, gen, ret)) == NULL) + goto err; } - if (!ret) - return sk_CONF_VALUE_new_null(); + return ret; + + err: + sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free); + + return NULL; } STACK_OF(CONF_VALUE) * i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, STACK_OF(CONF_VALUE) *ret) { + STACK_OF(CONF_VALUE) *free_ret = NULL; unsigned char *p; char oline[256], htmp[5]; int i; + if (ret == NULL) { + if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL) + return NULL; + } + switch (gen->type) { case GEN_OTHERNAME: - X509V3_add_value("othername", "", &ret); + if (!X509V3_add_value("othername", "", &ret)) + goto err; break; case GEN_X400: - X509V3_add_value("X400Name", "", &ret); + if (!X509V3_add_value("X400Name", "", &ret)) + goto err; break; case GEN_EDIPARTY: - X509V3_add_value("EdiPartyName", "", &ret); + if (!X509V3_add_value("EdiPartyName", "", &ret)) + goto err; break; case GEN_EMAIL: - X509V3_add_value_uchar("email", gen->d.ia5->data, &ret); + if (!X509V3_add_value_uchar("email", gen->d.ia5->data, &ret)) + goto err; break; case GEN_DNS: - X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret); + if (!X509V3_add_value_uchar("DNS", gen->d.ia5->data, &ret)) + goto err; break; case GEN_URI: - X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret); + if (!X509V3_add_value_uchar("URI", gen->d.ia5->data, &ret)) + goto err; break; case GEN_DIRNAME: - X509_NAME_oneline(gen->d.dirn, oline, 256); - 
X509V3_add_value("DirName", oline, &ret); + if (X509_NAME_oneline(gen->d.dirn, oline, 256) == NULL) + goto err; + if (!X509V3_add_value("DirName", oline, &ret)) + goto err; break; - case GEN_IPADD: + case GEN_IPADD: /* XXX */ p = gen->d.ip->data; if (gen->d.ip->length == 4) (void) snprintf(oline, sizeof oline, @@ -193,18 +219,28 @@ i2v_GENERAL_NAME(X509V3_EXT_METHOD *method, GENERAL_NAME *gen, strlcat(oline, ":", sizeof(oline)); } } else { - X509V3_add_value("IP Address", "", &ret); + if (!X509V3_add_value("IP Address", "", &ret)) + goto err; break; } - X509V3_add_value("IP Address", oline, &ret); + if (!X509V3_add_value("IP Address", oline, &ret)) + goto err; break; case GEN_RID: - i2t_ASN1_OBJECT(oline, 256, gen->d.rid); - X509V3_add_value("Registered ID", oline, &ret); + if (!i2t_ASN1_OBJECT(oline, 256, gen->d.rid)) + goto err; + if (!X509V3_add_value("Registered ID", oline, &ret)) + goto err; break; } + return ret; + + err: + sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free); + + return NULL; } int @@ -481,7 +517,7 @@ v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, GENERAL_NAME * a2i_GENERAL_NAME(GENERAL_NAME *out, const X509V3_EXT_METHOD *method, - X509V3_CTX *ctx, int gen_type, char *value, int is_nc) + X509V3_CTX *ctx, int gen_type, const char *value, int is_nc) { char is_string = 0; GENERAL_NAME *gen = NULL; @@ -553,8 +589,7 @@ a2i_GENERAL_NAME(GENERAL_NAME *out, const X509V3_EXT_METHOD *method, if (is_string) { if (!(gen->d.ia5 = ASN1_IA5STRING_new()) || - !ASN1_STRING_set(gen->d.ia5, (unsigned char*)value, - strlen(value))) { + !ASN1_STRING_set(gen->d.ia5, value, strlen(value))) { X509V3error(ERR_R_MALLOC_FAILURE); goto err; } @@ -609,7 +644,7 @@ v2i_GENERAL_NAME_ex(GENERAL_NAME *out, const X509V3_EXT_METHOD *method, } static int -do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) +do_othername(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx) { char *objtmp = NULL, *p; int objlen; 
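Review bot: The `/* XXX */` added on `case GEN_IPADD:` in `i2v_GENERAL_NAME` tells the next reader nothing about what is suspect; if it refers to the fixed-length formatting (the length-4 branch visible here, whatever sits between the two hunks, and the fallback that adds an empty "IP Address" value), say so, e.g. `/* XXX only 4- and 16-byte addresses are formatted; other lengths yield an empty value */`, hedged to match whatever the elided branch actually handles. In the same function `X509_NAME_oneline(gen->d.dirn, oline, 256)` and `i2t_ASN1_OBJECT(oline, 256, gen->d.rid)` pass the literal 256 while the IP code uses `sizeof oline` and `sizeof(oline)`; using `sizeof(oline)` in all of them keeps the bound tied to `char oline[256], htmp[5];`. The GEN_IPADD case is split across two hunks, so the first hunk's end is not the function's end.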
@@ -638,7 +673,7 @@ do_othername(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) } static int -do_dirname(GENERAL_NAME *gen, char *value, X509V3_CTX *ctx) +do_dirname(GENERAL_NAME *gen, const char *value, X509V3_CTX *ctx) { int ret; STACK_OF(CONF_VALUE) *sk; diff --git a/crypto/x509/x509_att.c b/crypto/x509/x509_att.c index 7304118..1479b91 100644 --- a/crypto/x509/x509_att.c +++ b/crypto/x509/x509_att.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_att.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_att.c,v 1.17 2018/05/18 19:21:33 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -84,8 +84,8 @@ X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid, int lastpos) } int -X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj, - int lastpos) +X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, + const ASN1_OBJECT *obj, int lastpos) { int n; X509_ATTRIBUTE *ex; @@ -205,7 +205,7 @@ X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x, const char *attrname, } void * -X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x, ASN1_OBJECT *obj, +X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x, const ASN1_OBJECT *obj, int lastpos, int type) { int i; @@ -353,7 +353,7 @@ err: } int -X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr) +X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr) { if (!attr->single) return sk_ASN1_TYPE_num(attr->value.set); diff --git a/crypto/x509v3/v3_bcons.c b/crypto/x509/x509_bcons.c similarity index 92% rename from crypto/x509v3/v3_bcons.c rename to crypto/x509/x509_bcons.c index 6c5823c..48ce7d6 100644 --- a/crypto/x509v3/v3_bcons.c +++ b/crypto/x509/x509_bcons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_bcons.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_bcons.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -145,9 +145,24 @@ static STACK_OF(CONF_VALUE) * i2v_BASIC_CONSTRAINTS(X509V3_EXT_METHOD *method, BASIC_CONSTRAINTS *bcons, STACK_OF(CONF_VALUE) *extlist) { - X509V3_add_value_bool("CA", bcons->ca, &extlist); - X509V3_add_value_int("pathlen", bcons->pathlen, &extlist); + STACK_OF(CONF_VALUE) *free_extlist = NULL; + + if (extlist == NULL) { + if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL) + return NULL; + } + + if (!X509V3_add_value_bool("CA", bcons->ca, &extlist)) + goto err; + if (!X509V3_add_value_int("pathlen", bcons->pathlen, &extlist)) + goto err; + return extlist; + + err: + sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free); + + return NULL; } static BASIC_CONSTRAINTS * diff --git a/crypto/x509v3/v3_bitst.c b/crypto/x509/x509_bitst.c similarity index 91% rename from crypto/x509v3/v3_bitst.c rename to crypto/x509/x509_bitst.c index 039faf2..3d99818 100644 --- a/crypto/x509v3/v3_bitst.c +++ b/crypto/x509/x509_bitst.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_bitst.c,v 1.14 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_bitst.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -127,12 +127,26 @@ i2v_ASN1_BIT_STRING(X509V3_EXT_METHOD *method, ASN1_BIT_STRING *bits, STACK_OF(CONF_VALUE) *ret) { BIT_STRING_BITNAME *bnam; + STACK_OF(CONF_VALUE) *free_ret = NULL; - for (bnam = method->usr_data; bnam->lname; bnam++) { - if (ASN1_BIT_STRING_get_bit(bits, bnam->bitnum)) - X509V3_add_value(bnam->lname, NULL, &ret); + if (ret == NULL) { + if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL) + return NULL; } + + for (bnam = method->usr_data; bnam->lname != NULL; bnam++) { + if (!ASN1_BIT_STRING_get_bit(bits, bnam->bitnum)) + continue; + if (!X509V3_add_value(bnam->lname, NULL, &ret)) + goto err; + } + return ret; + + err: + sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free); + + return NULL; } ASN1_BIT_STRING * 
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index ab0dbcb..6d6e840 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_cmp.c,v 1.30 2018/03/17 14:57:23 jsing Exp $ */
+/* $OpenBSD: x509_cmp.c,v 1.35 2019/03/13 20:34:00 tb Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -76,7 +76,7 @@ X509_issuer_and_serial_cmp(const X509 *a, const X509 *b)
ai = a->cert_info;
bi = b->cert_info;
- i = ASN1_STRING_cmp(ai->serialNumber, bi->serialNumber);
+ i = ASN1_INTEGER_cmp(ai->serialNumber, bi->serialNumber);
if (i)
return (i);
return (X509_NAME_cmp(ai->issuer, bi->issuer));
@@ -145,7 +145,7 @@ X509_CRL_match(const X509_CRL *a, const X509_CRL *b)
#endif
X509_NAME *
-X509_get_issuer_name(X509 *a)
+X509_get_issuer_name(const X509 *a)
{
return (a->cert_info->issuer);
}
@@ -165,7 +165,7 @@ X509_issuer_name_hash_old(X509 *x)
#endif
X509_NAME *
-X509_get_subject_name(X509 *a)
+X509_get_subject_name(const X509 *a)
{
return (a->cert_info->subject);
}
@@ -176,6 +176,12 @@ X509_get_serialNumber(X509 *a)
return (a->cert_info->serialNumber);
}
+const ASN1_INTEGER *
+X509_get0_serialNumber(const X509 *a)
+{
+ return (a->cert_info->serialNumber);
+}
+
unsigned long
X509_subject_name_hash(X509 *x)
{
@@ -327,7 +333,7 @@ X509_get_pubkey(X509 *x)
}
EVP_PKEY *
-X509_get0_pubkey(X509 *x)
+X509_get0_pubkey(const X509 *x)
{
if (x == NULL || x->cert_info == NULL)
return (NULL);
@@ -343,12 +349,12 @@ X509_get0_pubkey_bitstr(const X509 *x)
}
int
-X509_check_private_key(X509 *x, EVP_PKEY *k)
+X509_check_private_key(const X509 *x, const EVP_PKEY *k)
{
- EVP_PKEY *xk;
+ const EVP_PKEY *xk;
int ret;
- xk = X509_get_pubkey(x);
+ xk = X509_get0_pubkey(x);
if (xk)
ret = EVP_PKEY_cmp(xk, k);
@@ -367,7 +373,6 @@ X509_check_private_key(X509 *x, EVP_PKEY *k)
case -2:
X509error(X509_R_UNKNOWN_KEY_TYPE);
}
- EVP_PKEY_free(xk);
if (ret > 0)
return 1;
return 0;
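Review bot: `X509_get0_serialNumber` is a new public accessor with no comment saying that the returned pointer is owned by the certificate and must not be freed or modified, and since `X509_get_serialNumber` directly above it returns the very same pointer, the two read as accidental duplicates rather than a const/non-const pair. I would add above it `/* Like X509_get_serialNumber() but const-correct; the pointer is owned by a and must not be freed. */`. The `X509_check_private_key` hunks are consistent with each other: switching to `X509_get0_pubkey` is exactly why `EVP_PKEY_free(xk)` is dropped in the later hunk, but the `switch` on `ret` between them is outside both hunks, so that pairing is worth a short comment next to `xk = X509_get0_pubkey(x);` such as `/* borrowed, not freed below */`.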
diff --git a/crypto/x509v3/v3_conf.c b/crypto/x509/x509_conf.c similarity index 86% rename from crypto/x509v3/v3_conf.c rename to crypto/x509/x509_conf.c index 27e1bc9..8bf2d10 100644 --- a/crypto/x509v3/v3_conf.c +++ b/crypto/x509/x509_conf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_conf.c,v 1.21 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_conf.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -66,23 +66,27 @@ #include #include -static int v3_check_critical(char **value); -static int v3_check_generic(char **value); +static int v3_check_critical(const char **value); +static int v3_check_generic(const char **value); static X509_EXTENSION *do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, - int crit, char *value); -static X509_EXTENSION *v3_generic_extension(const char *ext, char *value, + int crit, const char *value); +static X509_EXTENSION *v3_generic_extension(const char *ext, const char *value, int crit, int type, X509V3_CTX *ctx); -static char *conf_lhash_get_string(void *db, char *section, char *value); -static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, char *section); +static char *conf_lhash_get_string(void *db, const char *section, + const char *value); +static STACK_OF(CONF_VALUE) *conf_lhash_get_section(void *db, + const char *section); static X509_EXTENSION *do_ext_i2d(const X509V3_EXT_METHOD *method, int ext_nid, int crit, void *ext_struc); -static unsigned char *generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len); +static unsigned char *generic_asn1(const char *value, X509V3_CTX *ctx, + long *ext_len); /* CONF *conf: Config file */ /* char *name: Name */ /* char *value: Value */ X509_EXTENSION * -X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name, char *value) +X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name, + const char *value) { int crit; int ext_type; 
@@ -102,7 +106,8 @@ X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name, char *value) /* CONF *conf: Config file */ /* char *value: Value */ X509_EXTENSION * -X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value) +X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, + const char *value) { int crit; int ext_type; @@ -117,7 +122,8 @@ X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value) /* CONF *conf: Config file */ /* char *value: Value */ static X509_EXTENSION * -do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, char *value) +do_ext_nconf(CONF *conf, X509V3_CTX *ctx, int ext_nid, int crit, + const char *value) { const X509V3_EXT_METHOD *method; X509_EXTENSION *ext; @@ -233,9 +239,9 @@ X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc) /* Check the extension string for critical flag */ static int -v3_check_critical(char **value) +v3_check_critical(const char **value) { - char *p = *value; + const char *p = *value; if ((strlen(p) < 9) || strncmp(p, "critical,", 9)) return 0; @@ -247,10 +253,10 @@ v3_check_critical(char **value) /* Check extension string for generic extension and return the type */ static int -v3_check_generic(char **value) +v3_check_generic(const char **value) { int gen_type = 0; - char *p = *value; + const char *p = *value; if ((strlen(p) >= 4) && !strncmp(p, "DER:", 4)) { p += 4; @@ -269,7 +275,7 @@ v3_check_generic(char **value) /* Create a generic extension: for now just handle DER type */ static X509_EXTENSION * -v3_generic_extension(const char *ext, char *value, int crit, int gen_type, +v3_generic_extension(const char *ext, const char *value, int crit, int gen_type, X509V3_CTX *ctx) { unsigned char *ext_der = NULL; @@ -318,7 +324,7 @@ err: } static unsigned char * -generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len) +generic_asn1(const char *value, X509V3_CTX *ctx, long *ext_len) { ASN1_TYPE *typ; unsigned char *ext_der = NULL; 
@@ -336,7 +342,7 @@ generic_asn1(char *value, X509V3_CTX *ctx, long *ext_len) */ int -X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section, +X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section, STACK_OF(X509_EXTENSION) **sk) { X509_EXTENSION *ext; @@ -360,7 +366,8 @@ X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section, /* Convenience functions to add extensions to a certificate, CRL and request */ int -X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert) +X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, + X509 *cert) { STACK_OF(X509_EXTENSION) **sk = NULL; @@ -372,7 +379,7 @@ X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert) /* Same as above but for a CRL */ int -X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, +X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, X509_CRL *crl) { STACK_OF(X509_EXTENSION) **sk = NULL; @@ -385,7 +392,7 @@ X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, /* Add extensions to certificate request */ int -X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, +X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, X509_REQ *req) { STACK_OF(X509_EXTENSION) *extlist = NULL, **sk = NULL; 
@@ -404,27 +411,23 @@ X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, /* Config database functions */ char * -X509V3_get_string(X509V3_CTX *ctx, char *name, char *section) +X509V3_get_string(X509V3_CTX *ctx, const char *name, const char *section) { if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_string) { X509V3error(X509V3_R_OPERATION_NOT_DEFINED); return NULL; } - if (ctx->db_meth->get_string) - return ctx->db_meth->get_string(ctx->db, name, section); - return NULL; + return ctx->db_meth->get_string(ctx->db, name, section); } STACK_OF(CONF_VALUE) * -X509V3_get_section(X509V3_CTX *ctx, char *section) +X509V3_get_section(X509V3_CTX *ctx, const char *section) { if (!ctx->db || !ctx->db_meth || !ctx->db_meth->get_section) { X509V3error(X509V3_R_OPERATION_NOT_DEFINED); return NULL; } - if (ctx->db_meth->get_section) - return ctx->db_meth->get_section(ctx->db, section); - return NULL; + return ctx->db_meth->get_section(ctx->db, section); } void @@ -446,13 +449,13 @@ X509V3_section_free(X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section) } static char * -nconf_get_string(void *db, char *section, char *value) +nconf_get_string(void *db, const char *section, const char *value) { return NCONF_get_string(db, section, value); } -static -STACK_OF(CONF_VALUE) *nconf_get_section(void *db, char *section) +static STACK_OF(CONF_VALUE) * +nconf_get_section(void *db, const char *section) { return NCONF_get_section(db, section); } @@ -485,8 +488,8 @@ X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subj, X509_REQ *req, /* Old conf compatibility functions */ X509_EXTENSION * -X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, char *name, - char *value) +X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, const char *name, + const char *value) { CONF ctmp; 
@@ -498,7 +501,7 @@ X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, char *name, /* char *value: Value */ X509_EXTENSION * X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, int ext_nid, - char *value) + const char *value) { CONF ctmp; @@ -507,13 +510,13 @@ X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, int ext_nid, } static char * -conf_lhash_get_string(void *db, char *section, char *value) +conf_lhash_get_string(void *db, const char *section, const char *value) { return CONF_get_string(db, section, value); } static STACK_OF(CONF_VALUE) * -conf_lhash_get_section(void *db, char *section) +conf_lhash_get_section(void *db, const char *section) { return CONF_get_section(db, section); } @@ -533,8 +536,8 @@ X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash) } int -X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, char *section, - X509 *cert) +X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, + const char *section, X509 *cert) { CONF ctmp; @@ -546,7 +549,7 @@ X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, char *section, int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - char *section, X509_CRL *crl) + const char *section, X509_CRL *crl) { CONF ctmp; @@ -558,7 +561,7 @@ X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - char *section, X509_REQ *req) + const char *section, X509_REQ *req) { CONF ctmp; diff --git a/crypto/x509/x509_constraints.c b/crypto/x509/x509_constraints.c new file mode 100644 index 0000000..5659d6e --- /dev/null +++ b/crypto/x509/x509_constraints.c 
@@ -0,0 +1,1178 @@ +/* $OpenBSD: x509_constraints.c,v 1.10 2020/09/21 05:41:43 tb Exp $ */ +/* + * Copyright (c) 2020 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include +#include +#include +#include +#include + +#include +#include + +#include +#include +#include + +#include "x509_internal.h" + +/* RFC 2821 section 4.5.3.1 */ +#define LOCAL_PART_MAX_LEN 64 +#define DOMAIN_PART_MAX_LEN 255 + +struct x509_constraints_name * +x509_constraints_name_new() +{ + return (calloc(1, sizeof(struct x509_constraints_name))); +} + +void +x509_constraints_name_clear(struct x509_constraints_name *name) +{ + free(name->name); + free(name->local); + free(name->der); + memset(name, 0, sizeof(*name)); +} + +void +x509_constraints_name_free(struct x509_constraints_name *name) +{ + if (name == NULL) + return; + x509_constraints_name_clear(name); + free(name); +} + +struct x509_constraints_name * +x509_constraints_name_dup(struct x509_constraints_name *name) +{ + struct x509_constraints_name *new; + + if ((new = x509_constraints_name_new()) == NULL) + goto err; + new->type = name->type; + new->af = name->af; + new->der_len = name->der_len; + if (name->der_len > 0 && (new->der = malloc(name->der_len)) == NULL) + goto err; + memcpy(new->der, name->der, name->der_len); + if 
(name->name != NULL && (new->name = strdup(name->name)) == NULL) + goto err; + if (name->local != NULL && (new->local = strdup(name->local)) == NULL) + goto err; + memcpy(new->address, name->address, sizeof(name->address)); + return new; + err: + x509_constraints_name_free(new); + return NULL; +} + +struct x509_constraints_names * +x509_constraints_names_new() +{ + return (calloc(1, sizeof(struct x509_constraints_names))); +} + +void +x509_constraints_names_clear(struct x509_constraints_names *names) +{ + size_t i; + + for (i = 0; i < names->names_count; i++) + x509_constraints_name_free(names->names[i]); + free(names->names); + memset(names, 0, sizeof(*names)); +} + +void +x509_constraints_names_free(struct x509_constraints_names *names) +{ + if (names == NULL) + return; + + x509_constraints_names_clear(names); + free(names); +} + +int +x509_constraints_names_add(struct x509_constraints_names *names, + struct x509_constraints_name *name) +{ + size_t i = names->names_count; + + if (names->names_count == names->names_len) { + struct x509_constraints_name **tmp; + if ((tmp = recallocarray(names->names, names->names_len, + names->names_len + 32, sizeof(*tmp))) == NULL) + return 0; + names->names_len += 32; + names->names = tmp; + } + names->names[i] = name; + names->names_count++; + return 1; +} + +struct x509_constraints_names * +x509_constraints_names_dup(struct x509_constraints_names *names) +{ + struct x509_constraints_names *new = NULL; + struct x509_constraints_name *name = NULL; + size_t i; + + if (names == NULL) + return NULL; + + if ((new = x509_constraints_names_new()) == NULL) + goto err; + for (i = 0; i < names->names_count; i++) { + if ((name = x509_constraints_name_dup(names->names[i])) == NULL) + goto err; + if (!x509_constraints_names_add(new, name)) + goto err; + } + return new; + err: + x509_constraints_names_free(new); + x509_constraints_name_free(name); + return NULL; +} + + +/* + * Validate that the name contains only a hostname consisting of RFC 
+ * 5890 compliant A-labels (see RFC 6066 section 3). This is more + * permissive to allow for a leading '*' for a SAN DNSname wildcard, + * or a leading '.' for a subdomain based constraint, as well as + * allowing for '_' which is commonly accepted by nonconformant + * DNS implementaitons. + */ +static int +x509_constraints_valid_domain_internal(uint8_t *name, size_t len) +{ + uint8_t prev, c = 0; + int component = 0; + int first; + size_t i; + + if (len > DOMAIN_PART_MAX_LEN) + return 0; + + for (i = 0; i < len; i++) { + prev = c; + c = name[i]; + + first = (i == 0); + + /* Everything has to be ASCII, with no NUL byte */ + if (!isascii(c) || c == '\0') + return 0; + /* It must be alphanumeric, a '-', '.', '_' or '*' */ + if (!isalnum(c) && c != '-' && c != '.' && c != '_' && c != '*') + return 0; + + /* '*' can only be the first thing. */ + if (c == '*' && !first) + return 0; + + /* '-' must not start a component or be at the end. */ + if (c == '-' && (component == 0 || i == len - 1)) + return 0; + + /* + * '.' must not be at the end. It may be first overall + * but must not otherwise start a component. + */ + if (c == '.' && ((component == 0 && !first) || i == len - 1)) + return 0; + + if (c == '.') { + /* Components can not end with a dash. */ + if (prev == '-') + return 0; + /* Start new component */ + component = 0; + continue; + } + /* Components must be 63 chars or less. */ + if (++component > 63) + return 0; + } + return 1; +} + +int +x509_constraints_valid_domain(uint8_t *name, size_t len) +{ + if (len == 0) + return 0; + if (name[0] == '*') /* wildcard not allowed in a domain name */ + return 0; + /* + * A domain may not be less than two characters, so you can't + * have a require subdomain name with less than that. 
+ */ + if (len < 3 && name[0] == '.') + return 0; + return x509_constraints_valid_domain_internal(name, len); +} + +int +x509_constraints_valid_host(uint8_t *name, size_t len) +{ + struct sockaddr_in sin4; + struct sockaddr_in6 sin6; + + if (len == 0) + return 0; + if (name[0] == '*') /* wildcard not allowed in a host name */ + return 0; + if (name[0] == '.') /* leading . not allowed in a host name*/ + return 0; + if (inet_pton(AF_INET, name, &sin4) == 1) + return 0; + if (inet_pton(AF_INET6, name, &sin6) == 1) + return 0; + return x509_constraints_valid_domain_internal(name, len); +} + +int +x509_constraints_valid_sandns(uint8_t *name, size_t len) +{ + if (len == 0) + return 0; + + if (name[0] == '.') /* leading . not allowed in a SAN DNS name */ + return 0; + /* + * A domain may not be less than two characters, so you + * can't wildcard a single domain of less than that + */ + if (len < 4 && name[0] == '*') + return 0; + /* + * A wildcard may only be followed by a '.' + */ + if (len >= 4 && name[0] == '*' && name[1] != '.') + return 0; + + return x509_constraints_valid_domain_internal(name, len); +} + +static inline int +local_part_ok(char c) +{ + return (('0' <= c && c <= '9') || ('a' <= c && c <= 'z') || + ('A' <= c && c <= 'Z') || c == '!' || c == '#' || c == '$' || + c == '%' || c == '&' || c == '\'' || c == '*' || c == '+' || + c == '-' || c == '/' || c == '=' || c == '?' || c == '^' || + c == '_' || c == '`' || c == '{' || c == '|' || c == '}' || + c == '~' || c == '.'); +} + +/* + * Parse "candidate" as an RFC 2821 mailbox. + * Returns 0 if candidate is not a valid mailbox or if an error occurs. 
+ * Returns 1 if candidate is a mailbox and adds newly allocated + * local and domain parts of the mailbox to "name->local" and name->name" + */ +int +x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, + struct x509_constraints_name *name) +{ + char working[DOMAIN_PART_MAX_LEN + 1] = { 0 }; + char *candidate_local = NULL; + char *candidate_domain = NULL; + size_t i, wi = 0; + int accept = 0; + int quoted = 0; + + if (candidate == NULL) + return 0; + + /* It can't be bigger than the local part, domain part and the '@' */ + if (len > LOCAL_PART_MAX_LEN + DOMAIN_PART_MAX_LEN + 1) + return 0; + + for (i = 0; i < len; i++) { + char c = candidate[i]; + /* non ascii, cr, lf, or nul is never allowed */ + if (!isascii(c) || c == '\r' || c == '\n' || c == '\0') + goto bad; + if (i == 0) { + /* local part is quoted part */ + if (c == '"') + quoted = 1; + /* can not start with a . */ + if (c == '.') + goto bad; + } + if (wi > DOMAIN_PART_MAX_LEN) + goto bad; + if (accept) { + working[wi++] = c; + accept = 0; + continue; + } + if (candidate_local != NULL) { + /* We are looking for the domain part */ + if (wi > DOMAIN_PART_MAX_LEN) + goto bad; + working[wi++] = c; + if (i == len - 1) { + if (wi == 0) + goto bad; + if (candidate_domain != NULL) + goto bad; + candidate_domain = strdup(working); + if (candidate_domain == NULL) + goto bad; + } + continue; + } + /* We are looking for the local part */ + if (wi > LOCAL_PART_MAX_LEN) + break; + + if (quoted) { + if (c == '\\') { + accept = 1; + continue; + } + if (c == '"' && i != 0) { + /* end the quoted part. 
@ must be next */ + if (i + 1 == len || candidate[i + 1] != '@') + goto bad; + quoted = 0; + } + /* + * XXX Go strangely permits sp but forbids ht + * mimic that for now + */ + if (c == 9) + goto bad; + working[wi++] = c; + continue; /* all's good inside our quoted string */ + } + if (c == '@') { + if (wi == 0) + goto bad;; + if (candidate_local != NULL) + goto bad; + candidate_local = strdup(working); + if (candidate_local == NULL) + goto bad; + memset(working, 0, sizeof(working)); + wi = 0; + continue; + } + if (c == '\\') { + /* + * RFC 3936 hints these can happen outside of + * quotend string. don't include the \ but + * next character must be ok. + */ + if (i + 1 == len) + goto bad; + if (!local_part_ok(candidate[i + 1])) + goto bad; + accept = 1; + } + if (!local_part_ok(c)) + goto bad; + working[wi++] = c; + } + if (candidate_local == NULL || candidate_domain == NULL) + goto bad; + if (!x509_constraints_valid_host(candidate_domain, + strlen(candidate_domain))) + goto bad; + + name->local = candidate_local; + name->name = candidate_domain; + name->type = GEN_EMAIL; + return 1; + bad: + free(candidate_local); + free(candidate_domain); + return 0; +} + +int +x509_constraints_valid_domain_constraint(uint8_t *constraint, size_t len) +{ + if (len == 0) + return 1; /* empty constraints match */ + + if (constraint[0] == '*') /* wildcard not allowed in a constraint */ + return 0; + + /* + * A domain may not be less than two characters, so you + * can't match a single domain of less than that + */ + if (len < 3 && constraint[0] == '.') + return 0; + return x509_constraints_valid_domain_internal(constraint, len); +} + +/* + * Extract the host part of a URI, returns the host part as a c string + * the caller must free, or or NULL if it could not be found or is + * invalid. + * + * RFC 3986: + * the authority part of a uri starts with // and is terminated with + * the next '/', '?', '#' or end of the URI. 
+ * + * The authority itself contains [userinfo '@'] host [: port] + * + * so the host starts at the start or after the '@', and ends + * with end of URI, '/', '?', "#', or ':'. + */ +int +x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostpart) +{ + size_t i, hostlen = 0; + uint8_t *authority = NULL; + char *host = NULL; + + /* + * Find first '//'. there must be at least a '//' and + * something else. + */ + if (len < 3) + return 0; + for (i = 0; i < len - 1; i++) { + if (!isascii(uri[i])) + return 0; + if (uri[i] == '/' && uri[i + 1] == '/') { + authority = uri + i + 2; + break; + } + } + if (authority == NULL) + return 0; + for (i = authority - uri; i < len; i++) { + if (!isascii(uri[i])) + return 0; + /* it has a userinfo part */ + if (uri[i] == '@') { + hostlen = 0; + /* it can only have one */ + if (host != NULL) + break; + /* start after the userinfo part */ + host = uri + i + 1; + continue; + } + /* did we find the end? */ + if (uri[i] == ':' || uri[i] == '/' || uri[i] == '?' || + uri[i] == '#') + break; + hostlen++; + } + if (hostlen == 0) + return 0; + if (host == NULL) + host = authority; + if (!x509_constraints_valid_host(host, hostlen)) + return 0; + *hostpart = strndup(host, hostlen); + return 1; +} + +int +x509_constraints_sandns(char *sandns, size_t dlen, char *constraint, size_t len) +{ + char *suffix; + + if (len == 0) + return 1; /* an empty constraint matches everything */ + + /* match the end of the domain */ + if (dlen < len) + return 0; + suffix = sandns + (dlen - len); + return (strncasecmp(suffix, constraint, len) == 0); +} + +/* + * Validate a pre-validated domain of length dlen against a pre-validated + * constraint of length len. + * + * returns 1 if the domain and constraint match. + * returns 0 otherwise. + * + * an empty constraint matches everyting. + * constraint will be matched against the domain as a suffix if it + * starts with a '.'. 
+ * domain will be matched against the constraint as a suffix if it + * starts with a '.'. + */ +int +x509_constraints_domain(char *domain, size_t dlen, char *constraint, size_t len) +{ + if (len == 0) + return 1; /* an empty constraint matches everything */ + + if (constraint[0] == '.') { + /* match the end of the domain */ + char *suffix; + if (dlen < len) + return 0; + suffix = domain + (dlen - len); + return (strncasecmp(suffix, constraint, len) == 0); + } + if (domain[0] == '.') { + /* match the end of the constraint */ + char *suffix; + if (len < dlen) + return 0; + suffix = constraint + (len - dlen); + return (strncasecmp(suffix, domain, dlen) == 0); + } + /* otherwise we must exactly match the constraint */ + if (dlen != len) + return 0; + return (strncasecmp(domain, constraint, len) == 0); +} + +int +x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, size_t len, + int *error) +{ + int ret = 0; + char *hostpart = NULL; + + if (!x509_constraints_uri_host(uri, ulen, &hostpart)) { + *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + goto err; + } + if (hostpart == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (!x509_constraints_valid_domain_constraint(constraint, len)) { + *error = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX; + goto err; + } + ret = x509_constraints_domain(hostpart, strlen(hostpart), constraint, + len); + err: + free(hostpart); + return ret; +} + +/* + * Verify a validated address of size alen with a validated contraint + * of size constraint_len. returns 1 if matching, 0 if not. + * Addresses are assumed to be pre-validated for a length of 4 and 8 + * respectively for ipv4 addreses and constraints, and a length of + * 16 and 32 respectively for ipv6 address constraints by the caller. 
+ */ +int +x509_constraints_ipaddr(uint8_t *address, size_t alen, uint8_t *constraint, + size_t len) +{ + uint8_t *mask; + size_t i; + + if (alen * 2 != len) + return 0; + + mask = constraint + alen; + for (i = 0; i < alen; i++) { + if ((address[i] & mask[i]) != (constraint[i] & mask[i])) + return 0; + } + return 1; +} + +/* + * Verify a canonicalized der encoded constraint dirname + * a canonicalized der encoded constraint. + */ +int +x509_constraints_dirname(uint8_t *dirname, size_t dlen, + uint8_t *constraint, size_t len) +{ + if (len != dlen) + return 0; + return (memcmp(constraint, dirname, len) == 0); +} + +/* + * De-obfuscate a GENERAL_NAME into useful bytes for a name or constraint. + */ +int +x509_constraints_general_to_bytes(GENERAL_NAME *name, uint8_t **bytes, + size_t *len) +{ + *bytes = NULL; + *len = 0; + + if (name->type == GEN_DNS) { + ASN1_IA5STRING *aname = name->d.dNSName; + *bytes = aname->data; + *len = strlen(aname->data); + return name->type; + } + if (name->type == GEN_EMAIL) { + ASN1_IA5STRING *aname = name->d.rfc822Name; + *bytes = aname->data; + *len = strlen(aname->data); + return name->type; + } + if (name->type == GEN_URI) { + ASN1_IA5STRING *aname = name->d.uniformResourceIdentifier; + *bytes = aname->data; + *len = strlen(aname->data); + return name->type; + } + if (name->type == GEN_DIRNAME) { + X509_NAME *dname = name->d.directoryName; + if (!dname->modified || i2d_X509_NAME(dname, NULL) >= 0) { + *bytes = dname->canon_enc; + *len = dname->canon_enclen; + return name->type; + } + } + if (name->type == GEN_IPADD) { + *bytes = name->d.ip->data; + *len = name->d.ip->length; + return name->type; + } + return 0; +} + + +/* + * Extract the relevant names for constraint checking from "cert", + * validate them, and add them to the list of cert names for "chain". + * returns 1 on success sets error and returns 0 on failure. 
+ */ +int +x509_constraints_extract_names(struct x509_constraints_names *names, + X509 *cert, int is_leaf, int *error) +{ + struct x509_constraints_name *vname = NULL; + X509_NAME *subject_name; + GENERAL_NAME *name; + ssize_t i = 0; + int name_type, include_cn = is_leaf, include_email = is_leaf; + + /* first grab the altnames */ + while ((name = sk_GENERAL_NAME_value(cert->altname, i++)) != NULL) { + uint8_t *bytes = NULL; + size_t len = 0; + + if ((vname = x509_constraints_name_new()) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + + name_type = x509_constraints_general_to_bytes(name, &bytes, + &len); + switch(name_type) { + case GEN_DNS: + if (!x509_constraints_valid_sandns(bytes, len)) { + *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + goto err; + } + if ((vname->name = strdup(bytes)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + vname->type=GEN_DNS; + include_cn = 0; /* don't use cn from subject */ + break; + case GEN_EMAIL: + if (!x509_constraints_parse_mailbox(bytes, len, + vname)) { + *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + goto err; + } + vname->type = GEN_EMAIL; + include_email = 0; /* don't use email from subject */ + break; + case GEN_URI: + if (!x509_constraints_uri_host(bytes, len, &vname->name)) { + *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + goto err; + } + if (vname->name == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + vname->type = GEN_URI; + break; + case GEN_DIRNAME: + if (bytes == NULL || ((vname->der = malloc(len)) == + NULL)) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (len == 0) { + *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + goto err; + } + memcpy(vname->der, bytes, len); + vname->der_len = len; + vname->type = GEN_DIRNAME; + break; + case GEN_IPADD: + if (len == 4) + vname->af = AF_INET; + if (len == 16) + vname->af = AF_INET6; + if (vname->af != AF_INET && vname->af != + AF_INET6) { + *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + goto err; + } + 
memcpy(vname->address, bytes, len); + vname->type = GEN_IPADD; + break; + default: + /* Ignore this name */ + x509_constraints_name_free(vname); + vname = NULL; + continue; + } + if (!x509_constraints_names_add(names, vname)) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + vname = NULL; + } + + x509_constraints_name_free(vname); + vname = NULL; + + subject_name = X509_get_subject_name(cert); + if (X509_NAME_entry_count(subject_name) > 0) { + X509_NAME_ENTRY *email; + X509_NAME_ENTRY *cn; + /* + * This cert has a non-empty subject, so we must add + * the subject as a dirname to be compared against + * any dirname constraints + */ + if ((subject_name->modified && + i2d_X509_NAME(subject_name, NULL) < 0) || + (vname = x509_constraints_name_new()) == NULL || + (vname->der = malloc(subject_name->canon_enclen)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + + memcpy(vname->der, subject_name->canon_enc, + subject_name->canon_enclen); + vname->der_len = subject_name->canon_enclen; + vname->type = GEN_DIRNAME; + if (!x509_constraints_names_add(names, vname)) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + vname = NULL; + /* + * Get any email addresses from the subject line, and + * add them as mbox names to be compared against any + * email constraints + */ + while (include_email && + (i = X509_NAME_get_index_by_NID(subject_name, + NID_pkcs9_emailAddress, i)) >= 0) { + ASN1_STRING *aname; + if ((email = X509_NAME_get_entry(subject_name, i)) == NULL || + (aname = X509_NAME_ENTRY_get_data(email)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if ((vname = x509_constraints_name_new()) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (!x509_constraints_parse_mailbox(aname->data, + aname->length, vname)) { + *error = X509_V_ERR_UNSUPPORTED_NAME_SYNTAX; + goto err; + } + vname->type = GEN_EMAIL; + if (!x509_constraints_names_add(names, vname)) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + vname = NULL; + } + /* 
+ * Include the CN as a hostname to be checked againt + * name constraints if it looks like a hostname. + */ + while (include_cn && + (i = X509_NAME_get_index_by_NID(subject_name, + NID_commonName, i)) >= 0) { + ASN1_STRING *aname; + if ((cn = X509_NAME_get_entry(subject_name, i)) == NULL || + (aname = X509_NAME_ENTRY_get_data(cn)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (!x509_constraints_valid_host(aname->data, + aname->length)) + continue; /* ignore it if not a hostname */ + if ((vname = x509_constraints_name_new()) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if ((vname->name = strndup(aname->data, + aname->length)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + vname->type = GEN_DNS; + if (!x509_constraints_names_add(names, vname)) { + *error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + vname = NULL; + } + } + return 1; + err: + x509_constraints_name_free(vname); + return 0; +} + +/* + * Validate a constraint in a general name, putting the relevant data + * into "name" if valid. returns 0, and sets error if the constraint is + * not valid. returns 1 if the constraint validated. name->type will be + * set to a valid type if there is constraint data in name, or unmodified + * if the GENERAL_NAME had a valid type but was ignored. 
+ */ +int +x509_constraints_validate(GENERAL_NAME *constraint, + struct x509_constraints_name *name, int *error) +{ + uint8_t *bytes = NULL; + size_t len = 0; + int name_type; + + name_type = x509_constraints_general_to_bytes(constraint, &bytes, &len); + switch (name_type) { + case GEN_DIRNAME: + if (bytes == NULL || (name->der = malloc(len)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + if (len == 0) + goto err; /* XXX The RFCs are delightfully vague */ + memcpy(name->der, bytes, len); + name->der_len = len; + name->type = GEN_DIRNAME; + break; + case GEN_DNS: + if (!x509_constraints_valid_domain_constraint(bytes, len)) + goto err; + if ((name->name = strdup(bytes)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + name->type = GEN_DNS; + break; + case GEN_EMAIL: + if (memchr(bytes, '@', len) != NULL) { + if (!x509_constraints_parse_mailbox(bytes, len, name)) + goto err; + } else { + if (!x509_constraints_valid_domain_constraint(bytes, + len)) + goto err; + if ((name->name = strdup(bytes)) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + } + name->type = GEN_EMAIL; + break; + case GEN_IPADD: + /* Constraints are ip then mask */ + if (len == 8) + name->af = AF_INET; + else if (len == 32) + name->af = AF_INET6; + else + goto err; + memcpy(&name->address[0], bytes, len); + name->type = GEN_IPADD; + break; + case GEN_URI: + if (!x509_constraints_valid_domain_constraint(bytes, len)) + goto err; + name->name = strdup(bytes); + name->type = GEN_URI; + break; + default: + break; + } + return 1; + err: + *error = X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX; + return 0; +} + +int +x509_constraints_extract_constraints(X509 *cert, + struct x509_constraints_names *permitted, + struct x509_constraints_names *excluded, + int *error) +{ + struct x509_constraints_name *vname; + NAME_CONSTRAINTS *nc = cert->nc; + GENERAL_SUBTREE *subtree; + int i; + + if (nc == NULL) + return 1; + + for (i = 0; i < 
sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) { + + subtree = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i); + if (subtree->minimum || subtree->maximum) { + *error = X509_V_ERR_SUBTREE_MINMAX; + return 0; + } + if ((vname = x509_constraints_name_new()) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + if (x509_constraints_validate(subtree->base, vname, error) == + 0) { + x509_constraints_name_free(vname); + return 0; + } + if (vname->type == 0) { + x509_constraints_name_free(vname); + continue; + } + if (!x509_constraints_names_add(permitted, vname)) { + x509_constraints_name_free(vname); + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + } + + for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) { + subtree = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i); + if (subtree->minimum || subtree->maximum) { + *error = X509_V_ERR_SUBTREE_MINMAX; + return 0; + } + if ((vname = x509_constraints_name_new()) == NULL) { + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + if (x509_constraints_validate(subtree->base, vname, error) == + 0) { + x509_constraints_name_free(vname); + return 0; + } + if (vname->type == 0) { + x509_constraints_name_free(vname); + continue; + } + if (!x509_constraints_names_add(excluded, vname)) { + x509_constraints_name_free(vname); + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + } + + return 1; +} + +/* + * Match a validated name in "name" against a validated constraint in + * "constraint" return 1 if then name matches, 0 otherwise. 
+ */ +int +x509_constraints_match(struct x509_constraints_name *name, + struct x509_constraints_name *constraint) +{ + if (name->type != constraint->type) + return 0; + if (name->type == GEN_DNS) + return x509_constraints_sandns(name->name, strlen(name->name), + constraint->name, strlen(constraint->name)); + if (name->type == GEN_URI) + return x509_constraints_domain(name->name, strlen(name->name), + constraint->name, strlen(constraint->name)); + if (name->type == GEN_IPADD) { + size_t nlen = name->af == AF_INET ? 4 : 16; + size_t clen = name->af == AF_INET ? 8 : 32; + if (name->af != AF_INET && name->af != AF_INET6) + return 0; + if (constraint->af != AF_INET && constraint->af != AF_INET6) + return 0; + if (name->af != constraint->af) + return 0; + return x509_constraints_ipaddr(name->address, nlen, + constraint->address, clen); + } + if (name->type == GEN_EMAIL) { + if (constraint->local) { + /* mailbox local and domain parts must exactly match */ + return (strcmp(name->local, constraint->local) == 0 && + strcmp(name->name, constraint->name) == 0); + } + /* otherwise match the constraint to the domain part */ + return x509_constraints_domain(name->name, strlen(name->name), + constraint->name, strlen(constraint->name)); + } + if (name->type == GEN_DIRNAME) + return x509_constraints_dirname(name->der, name->der_len, + constraint->der, constraint->der_len); + return 0; +} + +/* + * Make sure every name in names does not match any excluded + * constraints, and does match at least one permitted constraint if + * any are present. Returns 1 if ok, 0, and sets error if not. 
+ */ +int +x509_constraints_check(struct x509_constraints_names *names, + struct x509_constraints_names *permitted, + struct x509_constraints_names *excluded, int *error) +{ + size_t i, j; + + for (i = 0; i < names->names_count; i++) { + int permitted_seen = 0; + int permitted_matched = 0; + + for (j = 0; j < excluded->names_count; j++) { + if (x509_constraints_match(names->names[i], + excluded->names[j])) { + *error = X509_V_ERR_EXCLUDED_VIOLATION; + return 0; + } + } + for (j = 0; j < permitted->names_count; j++) { + if (permitted->names[j]->type == names->names[i]->type) + permitted_seen++; + if (x509_constraints_match(names->names[i], + permitted->names[j])) { + permitted_matched++; + break; + } + } + if (permitted_seen && !permitted_matched) { + *error = X509_V_ERR_PERMITTED_VIOLATION; + return 0; + } + } + return 1; +} + +/* + * Walk a validated chain of X509 certs, starting at the leaf, and + * validate the name constraints in the chain. Intended for use with + * the legacy X509 validtion code in x509_vfy.c + * + * returns 1 if the constraints are ok, 0 otherwise, setting error and + * depth + */ +int +x509_constraints_chain(STACK_OF(X509) *chain, int *error, int *depth) +{ + int chain_length, verify_err = X509_V_ERR_UNSPECIFIED, i = 0; + struct x509_constraints_names *names = NULL; + struct x509_constraints_names *excluded = NULL; + struct x509_constraints_names *permitted = NULL; + size_t constraints_count = 0; + X509 *cert; + + if (chain == NULL || (chain_length = sk_X509_num(chain)) == 0) + goto err; + if (chain_length == 1) + return 1; + if ((names = x509_constraints_names_new()) == NULL) { + verify_err = X509_V_ERR_OUT_OF_MEM; + goto err; + } + + if ((cert = sk_X509_value(chain, 0)) == NULL) + goto err; + if (!x509_constraints_extract_names(names, cert, 1, &verify_err)) + goto err; + for (i = 1; i < chain_length; i++) { + if ((cert = sk_X509_value(chain, i)) == NULL) + goto err; + if (cert->nc != NULL) { + if ((permitted = + 
x509_constraints_names_new()) == NULL) {
+ verify_err = X509_V_ERR_OUT_OF_MEM;
+ goto err;
+ }
+ if ((excluded =
+ x509_constraints_names_new()) == NULL) {
+ verify_err = X509_V_ERR_OUT_OF_MEM;
+ goto err;
+ }
+ if (!x509_constraints_extract_constraints(cert,
+ permitted, excluded, &verify_err))
+ goto err;
+ constraints_count += permitted->names_count;
+ constraints_count += excluded->names_count;
+ if (constraints_count >
+ X509_VERIFY_MAX_CHAIN_CONSTRAINTS) {
+ verify_err = X509_V_ERR_OUT_OF_MEM;
+ goto err;
+ }
+ if (!x509_constraints_check(names, permitted, excluded,
+ &verify_err))
+ goto err;
+ x509_constraints_names_free(excluded);
+ excluded = NULL;
+ x509_constraints_names_free(permitted);
+ permitted = NULL;
+ }
+ if (!x509_constraints_extract_names(names, cert, 0,
+ &verify_err))
+ goto err;
+ if (names->names_count > X509_VERIFY_MAX_CHAIN_NAMES) {
+ verify_err = X509_V_ERR_OUT_OF_MEM;
+ goto err;
+ }
+ }
+
+ x509_constraints_names_free(names);
+ return 1;
+
+ err:
+ *error = verify_err;
+ *depth = i;
+ x509_constraints_names_free(excluded);
+ x509_constraints_names_free(permitted);
+ x509_constraints_names_free(names);
+ return 0;
+}
diff --git a/crypto/x509v3/v3_cpols.c b/crypto/x509/x509_cpols.c
similarity index 99%
rename from crypto/x509v3/v3_cpols.c
rename to crypto/x509/x509_cpols.c
index 34d3381..4b6c13c 100644
--- a/crypto/x509v3/v3_cpols.c
+++ b/crypto/x509/x509_cpols.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: v3_cpols.c,v 1.25 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: x509_cpols.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -398,9 +398,8 @@ NOTICEREF_free(NOTICEREF *a)
 ASN1_item_free((ASN1_VALUE *)a, &NOTICEREF_it);
 }
 
-static
-STACK_OF(POLICYINFO) *r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx,
- char *value)
+static STACK_OF(POLICYINFO) *
+r2i_certpol(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *value)
 {
 STACK_OF(POLICYINFO) *pols = NULL;
 char *pstr;
diff --git a/crypto/x509v3/v3_crld.c b/crypto/x509/x509_crld.c
similarity index 99%
rename from crypto/x509v3/v3_crld.c
rename to crypto/x509/x509_crld.c
index 8660c1e..ff60a88 100644
--- a/crypto/x509v3/v3_crld.c
+++ b/crypto/x509/x509_crld.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: v3_crld.c,v 1.22 2017/05/02 04:11:08 deraadt Exp $ */
+/* $OpenBSD: x509_crld.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -104,8 +104,8 @@ const X509V3_EXT_METHOD v3_freshest_crl = {
 .usr_data = NULL,
 };
 
-static
-STACK_OF(GENERAL_NAME) *gnames_from_sectname(X509V3_CTX *ctx, char *sect)
+static STACK_OF(GENERAL_NAME) *
+gnames_from_sectname(X509V3_CTX *ctx, char *sect)
 {
 STACK_OF(CONF_VALUE) *gnsect;
 STACK_OF(GENERAL_NAME) *gens;
diff --git a/crypto/x509v3/v3_enum.c b/crypto/x509/x509_enum.c
similarity index 96%
rename from crypto/x509v3/v3_enum.c
rename to crypto/x509/x509_enum.c
index af6cebc..f18eea5 100644
--- a/crypto/x509v3/v3_enum.c
+++ b/crypto/x509/x509_enum.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: v3_enum.c,v 1.12 2016/12/30 15:54:49 jsing Exp $ */
+/* $OpenBSD: x509_enum.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 1999.
 */
@@ -93,7 +93,7 @@ const X509V3_EXT_METHOD v3_crl_reason = {
 };
 
 char *
-i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *e)
+i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *e)
 {
 ENUMERATED_NAMES *enam;
 long strval;
diff --git a/crypto/x509/x509_err.c b/crypto/x509/x509_err.c
index 3b32137..cac734d 100644
--- a/crypto/x509/x509_err.c
+++ b/crypto/x509/x509_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_err.c,v 1.13 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: x509_err.c,v 1.15 2020/06/05 16:51:12 jsing Exp $ */
 /* ====================================================================
 * Copyright (c) 1999-2006 The OpenSSL Project. All rights reserved.
 *
@@ -64,6 +64,7 @@
 #include
 #include
+#include
 
 /* BEGIN ERROR CODES */
 #ifndef OPENSSL_NO_ERR
 
@@ -76,6 +77,11 @@ static ERR_STRING_DATA X509_str_functs[] = {
 {0, NULL}
 };
 
+static ERR_STRING_DATA X509V3_str_functs[] = {
+ {ERR_FUNC(0xfff), "CRYPTO_internal"},
+ {0, NULL}
+};
+
 static ERR_STRING_DATA X509_str_reasons[] = {
 {ERR_REASON(X509_R_BAD_X509_FILETYPE) , "bad x509 filetype"},
 {ERR_REASON(X509_R_BASE64_DECODE_ERROR) , "base64 decode error"},
@@ -106,6 +112,78 @@ static ERR_STRING_DATA X509_str_reasons[] = {
 {0, NULL}
 };
 
+static ERR_STRING_DATA X509V3_str_reasons[] = {
+ {ERR_REASON(X509V3_R_BAD_IP_ADDRESS) , "bad ip address"},
+ {ERR_REASON(X509V3_R_BAD_OBJECT) , "bad object"},
+ {ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) , "bn dec2bn error"},
+ {ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR), "bn to asn1 integer error"},
+ {ERR_REASON(X509V3_R_DIRNAME_ERROR) , "dirname error"},
+ {ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET), "distpoint already set"},
+ {ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) , "duplicate zone id"},
+ {ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE), "error converting zone"},
+ {ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION), "error creating extension"},
+ {ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) , "error in extension"},
+ {ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME), "expected a section name"},
+ {ERR_REASON(X509V3_R_EXTENSION_EXISTS) , "extension exists"},
+ {ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR), "extension name error"},
+ {ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND), "extension not found"},
+ {ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED), "extension setting not supported"},
+ {ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR), "extension value error"},
+ {ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION), "illegal empty extension"},
+ {ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) , "illegal hex digit"},
+ {ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG), "incorrect policy syntax tag"},
+ {ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS), "invalid multiple rdns"},
+ {ERR_REASON(X509V3_R_INVALID_ASNUMBER) , "invalid asnumber"},
+ {ERR_REASON(X509V3_R_INVALID_ASRANGE) , "invalid asrange"},
+ {ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING), "invalid boolean string"},
+ {ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING), "invalid extension string"},
+ {ERR_REASON(X509V3_R_INVALID_INHERITANCE), "invalid inheritance"},
+ {ERR_REASON(X509V3_R_INVALID_IPADDRESS) , "invalid ipaddress"},
+ {ERR_REASON(X509V3_R_INVALID_NAME) , "invalid name"},
+ {ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT), "invalid null argument"},
+ {ERR_REASON(X509V3_R_INVALID_NULL_NAME) , "invalid null name"},
+ {ERR_REASON(X509V3_R_INVALID_NULL_VALUE) , "invalid null value"},
+ {ERR_REASON(X509V3_R_INVALID_NUMBER) , "invalid number"},
+ {ERR_REASON(X509V3_R_INVALID_NUMBERS) , "invalid numbers"},
+ {ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER), "invalid object identifier"},
+ {ERR_REASON(X509V3_R_INVALID_OPTION) , "invalid option"},
+ {ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER), "invalid policy identifier"},
+ {ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING), "invalid proxy policy setting"},
+ {ERR_REASON(X509V3_R_INVALID_PURPOSE) , "invalid purpose"},
+ {ERR_REASON(X509V3_R_INVALID_SAFI) , "invalid safi"},
+ {ERR_REASON(X509V3_R_INVALID_SECTION) , "invalid section"},
+ {ERR_REASON(X509V3_R_INVALID_SYNTAX) , "invalid syntax"},
+ {ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR), "issuer decode error"},
+ {ERR_REASON(X509V3_R_MISSING_VALUE) , "missing value"},
+ {ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS), "need organization and numbers"},
+ {ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) , "no config database"},
+ {ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE), "no issuer certificate"},
+ {ERR_REASON(X509V3_R_NO_ISSUER_DETAILS) , "no issuer details"},
+ {ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER), "no policy identifier"},
+ {ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED), "no proxy cert policy language defined"},
+ {ERR_REASON(X509V3_R_NO_PUBLIC_KEY) , "no public key"},
+ {ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) , "no subject details"},
+ {ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS), "odd number of digits"},
+ {ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED), "operation not defined"},
+ {ERR_REASON(X509V3_R_OTHERNAME_ERROR) , "othername error"},
+ {ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED), "policy language already defined"},
+ {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) , "policy path length"},
+ {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED), "policy path length already defined"},
+ {ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED), "policy syntax not currently supported"},
+ {ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY), "policy when proxy language requires no policy"},
+ {ERR_REASON(X509V3_R_SECTION_NOT_FOUND) , "section not found"},
+ {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS), "unable to get issuer details"},
+ {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID), "unable to get issuer keyid"},
+ {ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT), "unknown bit string argument"},
+ {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION) , "unknown extension"},
+ {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME), "unknown extension name"},
+ {ERR_REASON(X509V3_R_UNKNOWN_OPTION) , "unknown option"},
+ {ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) , "unsupported option"},
+ {ERR_REASON(X509V3_R_UNSUPPORTED_TYPE) , "unsupported type"},
+ {ERR_REASON(X509V3_R_USER_TOO_LONG) , "user too long"},
+ {0, NULL}
+};
+
 #endif
 
 void
@@ -118,3 +196,15 @@ ERR_load_X509_strings(void)
 }
 #endif
 }
+
+
+void
+ERR_load_X509V3_strings(void)
+{
+#ifndef OPENSSL_NO_ERR
+ if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL) {
+ ERR_load_strings(0, X509V3_str_functs);
+ ERR_load_strings(0, X509V3_str_reasons);
+ }
+#endif
+}
diff --git a/crypto/x509/x509_ext.c b/crypto/x509/x509_ext.c
index e90befa..21374a2 100644
--- a/crypto/x509/x509_ext.c
+++ b/crypto/x509/x509_ext.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_ext.c,v 1.9 2015/02/10 08:33:10 jsing Exp $ */
+/* $OpenBSD: x509_ext.c,v 1.12 2018/05/18 19:28:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
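Review bot: `X509V3_R_INVALID_MULTIPLE_RDNS` sits out of alphabetical order in X509V3_str_reasons, between `INCORRECT_POLICY_SYNTAX_TAG` and `INVALID_ASNUMBER`, while every other entry in the table is sorted. Nothing in this hunk suggests ERR_load_strings cares about ordering, so this is a readability point only, but a 68-entry table is much easier to audit against the header that defines the codes when it stays sorted. Moving the line to sit between `INVALID_IPADDRESS` and `INVALID_NAME` fixes it.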
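Review bot: ERR_load_X509V3_strings is introduced with two blank lines before `void`, whereas the other definitions in this hunk are separated by one. A short comment above it would also help now that it lives next to ERR_load_X509_strings rather than in its own file, for example `/* Load the X509V3 function and reason strings; the functs[0] probe skips the load when it has already been done. */`, the probe being the `ERR_func_error_string(X509V3_str_functs[0].error) == NULL` guard visible here.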
@@ -66,31 +66,31 @@
 #include
 
 int
-X509_CRL_get_ext_count(X509_CRL *x)
+X509_CRL_get_ext_count(const X509_CRL *x)
 {
 return (X509v3_get_ext_count(x->crl->extensions));
 }
 
 int
-X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos)
+X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, int lastpos)
 {
 return (X509v3_get_ext_by_NID(x->crl->extensions, nid, lastpos));
 }
 
 int
-X509_CRL_get_ext_by_OBJ(X509_CRL *x, ASN1_OBJECT *obj, int lastpos)
+X509_CRL_get_ext_by_OBJ(const X509_CRL *x, const ASN1_OBJECT *obj, int lastpos)
 {
 return (X509v3_get_ext_by_OBJ(x->crl->extensions, obj, lastpos));
 }
 
 int
-X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos)
+X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, int lastpos)
 {
 return (X509v3_get_ext_by_critical(x->crl->extensions, crit, lastpos));
 }
 
 X509_EXTENSION *
-X509_CRL_get_ext(X509_CRL *x, int loc)
+X509_CRL_get_ext(const X509_CRL *x, int loc)
 {
 return (X509v3_get_ext(x->crl->extensions, loc));
 }
@@ -102,7 +102,7 @@ X509_CRL_delete_ext(X509_CRL *x, int loc)
 }
 
 void *
-X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx)
+X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, int *idx)
 {
 return X509V3_get_d2i(x->crl->extensions, nid, crit, idx);
 }
@@ -121,32 +121,32 @@ X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc)
 }
 
 int
-X509_get_ext_count(X509 *x)
+X509_get_ext_count(const X509 *x)
 {
 return (X509v3_get_ext_count(x->cert_info->extensions));
 }
 
 int
-X509_get_ext_by_NID(X509 *x, int nid, int lastpos)
+X509_get_ext_by_NID(const X509 *x, int nid, int lastpos)
 {
 return (X509v3_get_ext_by_NID(x->cert_info->extensions, nid, lastpos));
 }
 
 int
-X509_get_ext_by_OBJ(X509 *x, ASN1_OBJECT *obj, int lastpos)
+X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, int lastpos)
 {
 return (X509v3_get_ext_by_OBJ(x->cert_info->extensions, obj, lastpos));
 }
 
 int
-X509_get_ext_by_critical(X509 *x, int crit, int lastpos)
+X509_get_ext_by_critical(const X509 *x, int crit, int lastpos)
 {
 return (X509v3_get_ext_by_critical(x->cert_info->extensions, crit, lastpos));
 }
 
 X509_EXTENSION *
-X509_get_ext(X509 *x, int loc)
+X509_get_ext(const X509 *x, int loc)
 {
 return (X509v3_get_ext(x->cert_info->extensions, loc));
 }
@@ -164,7 +164,7 @@ X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc)
 }
 
 void *
-X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx)
+X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx)
 {
 return X509V3_get_d2i(x->cert_info->extensions, nid, crit, idx);
 }
@@ -177,31 +177,32 @@ X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, unsigned long flags) } int -X509_REVOKED_get_ext_count(X509_REVOKED *x) +X509_REVOKED_get_ext_count(const X509_REVOKED *x) { return (X509v3_get_ext_count(x->extensions)); } int -X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos) +X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, int lastpos) { return (X509v3_get_ext_by_NID(x->extensions, nid, lastpos)); } int -X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x, ASN1_OBJECT *obj, int lastpos) +X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, const ASN1_OBJECT *obj, + int lastpos) { return (X509v3_get_ext_by_OBJ(x->extensions, obj, lastpos)); } int -X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos) +X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, int crit, int lastpos) { return (X509v3_get_ext_by_critical(x->extensions, crit, lastpos)); } X509_EXTENSION * -X509_REVOKED_get_ext(X509_REVOKED *x, int loc) +X509_REVOKED_get_ext(const X509_REVOKED *x, int loc) { return (X509v3_get_ext(x->extensions, loc)); } @@ -219,7 +220,7 @@ X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc) } void * -X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx) +X509_REVOKED_get_ext_d2i(const X509_REVOKED *x, int nid, int *crit, int *idx) { return X509V3_get_d2i(x->extensions, nid, crit, idx); } diff --git a/crypto/x509v3/v3_extku.c b/crypto/x509/x509_extku.c similarity index 91% rename from crypto/x509v3/v3_extku.c rename to crypto/x509/x509_extku.c index 527e80b..09bec67 100644 --- a/crypto/x509v3/v3_extku.c +++ b/crypto/x509/x509_extku.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_extku.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_extku.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
@@ -149,19 +149,34 @@ EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *a) static STACK_OF(CONF_VALUE) * i2v_EXTENDED_KEY_USAGE(const X509V3_EXT_METHOD *method, void *a, - STACK_OF(CONF_VALUE) *ext_list) + STACK_OF(CONF_VALUE) *extlist) { - EXTENDED_KEY_USAGE *eku = a; - int i; ASN1_OBJECT *obj; + EXTENDED_KEY_USAGE *eku = a; + STACK_OF(CONF_VALUE) *free_extlist = NULL; char obj_tmp[80]; + int i; + + if (extlist == NULL) { + if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL) + return NULL; + } for (i = 0; i < sk_ASN1_OBJECT_num(eku); i++) { - obj = sk_ASN1_OBJECT_value(eku, i); - i2t_ASN1_OBJECT(obj_tmp, 80, obj); - X509V3_add_value(NULL, obj_tmp, &ext_list); + if ((obj = sk_ASN1_OBJECT_value(eku, i)) == NULL) + goto err; + if (!i2t_ASN1_OBJECT(obj_tmp, sizeof obj_tmp, obj)) + goto err; + if (!X509V3_add_value(NULL, obj_tmp, &extlist)) + goto err; } - return ext_list; + + return extlist; + + err: + sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free); + + return NULL; } static void * diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509/x509_genn.c similarity index 99% rename from crypto/x509v3/v3_genn.c rename to crypto/x509/x509_genn.c index a6b7a18..848006a 100644 --- a/crypto/x509v3/v3_genn.c +++ b/crypto/x509/x509_genn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_genn.c,v 1.12 2015/09/26 17:38:41 jsing Exp $ */ +/* $OpenBSD: x509_genn.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_ia5.c b/crypto/x509/x509_ia5.c similarity index 98% rename from crypto/x509v3/v3_ia5.c rename to crypto/x509/x509_ia5.c index a92041e..4113c3d 100644 --- a/crypto/x509v3/v3_ia5.c +++ b/crypto/x509/x509_ia5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_ia5.c,v 1.17 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_ia5.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
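Review bot: When the caller passes its own `extlist`, values appended before a failing `X509V3_add_value` stay in that list while the function returns NULL — the `err:` path only frees `free_extlist`, the list this function allocated. That is a defensible contract, but nothing in i2v_EXTENDED_KEY_USAGE says so, and a caller that drops a NULL-returning call's list on the floor leaks those entries. I would put `/* On failure only a list allocated here is freed; values already appended to a caller-supplied extlist remain the caller's to free. */` above the loop. The same pattern, and the same missing comment, appear in i2v_POLICY_CONSTRAINTS (x509_pcons.c) and i2v_POLICY_MAPPINGS (x509_pmaps.c) later in this diff.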
diff --git a/crypto/x509v3/v3_info.c b/crypto/x509/x509_info.c similarity index 91% rename from crypto/x509v3/v3_info.c rename to crypto/x509/x509_info.c index 27b5415..86ed6fa 100644 --- a/crypto/x509v3/v3_info.c +++ b/crypto/x509/x509_info.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_info.c,v 1.25 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_info.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -207,33 +207,41 @@ i2v_AUTHORITY_INFO_ACCESS(X509V3_EXT_METHOD *method, AUTHORITY_INFO_ACCESS *ainfo, STACK_OF(CONF_VALUE) *ret) { ACCESS_DESCRIPTION *desc; - int i, nlen; - char objtmp[80], *ntmp; CONF_VALUE *vtmp; + STACK_OF(CONF_VALUE) *free_ret = NULL; + char objtmp[80], *ntmp; + int i; + + if (ret == NULL) { + if ((free_ret = ret = sk_CONF_VALUE_new_null()) == NULL) + return NULL; + } for (i = 0; i < sk_ACCESS_DESCRIPTION_num(ainfo); i++) { - desc = sk_ACCESS_DESCRIPTION_value(ainfo, i); - ret = i2v_GENERAL_NAME(method, desc->location, ret); - if (!ret) - break; - vtmp = sk_CONF_VALUE_value(ret, i); - i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method); - nlen = strlen(objtmp) + strlen(vtmp->name) + 5; - ntmp = malloc(nlen); - if (!ntmp) { + if ((desc = sk_ACCESS_DESCRIPTION_value(ainfo, i)) == NULL) + goto err; + if ((ret = i2v_GENERAL_NAME(method, desc->location, + ret)) == NULL) + goto err; + if ((vtmp = sk_CONF_VALUE_value(ret, i)) == NULL) + goto err; + if (!i2t_ASN1_OBJECT(objtmp, sizeof objtmp, desc->method)) + goto err; + if (asprintf(&ntmp, "%s - %s", objtmp, vtmp->name) == -1) { + ntmp = NULL; X509V3error(ERR_R_MALLOC_FAILURE); - return NULL; + goto err; } - strlcpy(ntmp, objtmp, nlen); - strlcat(ntmp, " - ", nlen); - strlcat(ntmp, vtmp->name, nlen); free(vtmp->name); vtmp->name = ntmp; - } - if (!ret) - return sk_CONF_VALUE_new_null(); + return ret; + + err: + sk_CONF_VALUE_pop_free(free_ret, X509V3_conf_free); + + return NULL; } static AUTHORITY_INFO_ACCESS * 
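Review bot: `vtmp = sk_CONF_VALUE_value(ret, i)` still assumes the value that `i2v_GENERAL_NAME` just appended sits at index `i`, which only holds when `ret` is empty on entry and every call appends exactly one entry; neither is checked here and the callers are not in this hunk, so a caller-supplied non-empty list would get an unrelated entry renamed. Recording the position before the call avoids the assumption: `n = sk_CONF_VALUE_num(ret);` ahead of the i2v_GENERAL_NAME call, then `if (sk_CONF_VALUE_num(ret) != n + 1 || (vtmp = sk_CONF_VALUE_value(ret, n)) == NULL) goto err;` in place of the current lookup. The `ntmp = NULL;` in the asprintf failure branch is harmless but unnecessary, since ntmp is never touched on the err path. The function's signature line sits just above the hunk.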
@@ -293,7 +301,7 @@ err: } int -i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a) +i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION* a) { i2a_ASN1_OBJECT(bp, a->method); return 2; diff --git a/crypto/x509v3/v3_int.c b/crypto/x509/x509_int.c similarity index 98% rename from crypto/x509v3/v3_int.c rename to crypto/x509/x509_int.c index f8a5e7d..35c8853 100644 --- a/crypto/x509v3/v3_int.c +++ b/crypto/x509/x509_int.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_int.c,v 1.11 2016/12/30 15:54:49 jsing Exp $ */ +/* $OpenBSD: x509_int.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509/x509_internal.h b/crypto/x509/x509_internal.h new file mode 100644 index 0000000..9d69055 --- /dev/null +++ b/crypto/x509/x509_internal.h 
@@ -0,0 +1,128 @@ +/* $OpenBSD: x509_internal.h,v 1.3 2020/09/15 11:55:14 beck Exp $ */ +/* + * Copyright (c) 2020 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +#ifndef HEADER_X509_INTERNAL_H +#define HEADER_X509_INTERNAL_H + +/* Internal use only, not public API */ +#include + +#include + +/* Hard limits on structure size and number of signature checks. */ +#define X509_VERIFY_MAX_CHAINS 8 /* Max validated chains */ +#define X509_VERIFY_MAX_CHAIN_CERTS 32 /* Max depth of a chain */ +#define X509_VERIFY_MAX_SIGCHECKS 256 /* Max signature checks */ + +/* + * Limit the number of names and constraints we will check in a chain + * to avoid a hostile input DOS + */ +#define X509_VERIFY_MAX_CHAIN_NAMES 512 +#define X509_VERIFY_MAX_CHAIN_CONSTRAINTS 512 + +/* + * Hold the parsed and validated result of names from a certificate. + * these typically come from a GENERALNAME, but we store the parsed + * and validated results, not the ASN1 bytes. 
+ */ +struct x509_constraints_name { + int type; /* GEN_* types from GENERAL_NAME */ + char *name; /* Name to check */ + char *local; /* holds the local part of GEN_EMAIL */ + uint8_t *der; /* DER encoded value or NULL*/ + size_t der_len; + int af; /* INET and INET6 are supported */ + uint8_t address[32]; /* Must hold ipv6 + mask */ +}; + +struct x509_constraints_names { + struct x509_constraints_name **names; + size_t names_len; + size_t names_count; +}; + +struct x509_verify_chain { + STACK_OF(X509) *certs; /* Kept in chain order, includes leaf */ + struct x509_constraints_names *names; /* All names from all certs */ +}; + +struct x509_verify_ctx { + X509_STORE_CTX *xsc; + struct x509_verify_chain **chains; /* Validated chains */ + size_t chains_count; + STACK_OF(X509) *roots; /* Trusted roots for this validation */ + STACK_OF(X509) *intermediates; /* Intermediates provided by peer */ + time_t *check_time; /* Time for validity checks */ + int purpose; /* Cert purpose we are validating */ + size_t max_chains; /* Max chains to return */ + size_t max_depth; /* Max chain depth for validation */ + size_t max_sigs; /* Max number of signature checks */ + size_t sig_checks; /* Number of signature checks done */ + size_t error_depth; /* Depth of last error seen */ + int error; /* Last error seen */ +}; + +int ASN1_time_tm_clamp_notafter(struct tm *tm); + +__BEGIN_HIDDEN_DECLS + +int x509_vfy_check_id(X509_STORE_CTX *ctx); +int x509_vfy_check_revocation(X509_STORE_CTX *ctx); +int x509_vfy_check_policy(X509_STORE_CTX *ctx); +int x509_vfy_check_trust(X509_STORE_CTX *ctx); +int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx); +void x509v3_cache_extensions(X509 *x); + +int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, + int notafter); + +struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, + STACK_OF(X509) *roots); + +void x509_constraints_name_clear(struct x509_constraints_name *name); +int x509_constraints_names_add(struct 
x509_constraints_names *names, + struct x509_constraints_name *name); +struct x509_constraints_names *x509_constraints_names_dup( + struct x509_constraints_names *names); +void x509_constraints_names_clear(struct x509_constraints_names *names); +struct x509_constraints_names *x509_constraints_names_new(void); +void x509_constraints_names_free(struct x509_constraints_names *names); +int x509_constraints_valid_host(uint8_t *name, size_t len); +int x509_constraints_valid_sandns(uint8_t *name, size_t len); +int x509_constraints_domain(char *domain, size_t dlen, char *constraint, + size_t len); +int x509_constraints_parse_mailbox(uint8_t *candidate, size_t len, + struct x509_constraints_name *name); +int x509_constraints_valid_domain_constraint(uint8_t *constraint, + size_t len); +int x509_constraints_uri_host(uint8_t *uri, size_t len, char **hostp); +int x509_constraints_uri(uint8_t *uri, size_t ulen, uint8_t *constraint, + size_t len, int *error); +int x509_constraints_extract_names(struct x509_constraints_names *names, + X509 *cert, int include_cn, int *error); +int x509_constraints_extract_constraints(X509 *cert, + struct x509_constraints_names *permitted, + struct x509_constraints_names *excluded, int *error); +int x509_constraints_check(struct x509_constraints_names *names, + struct x509_constraints_names *permitted, + struct x509_constraints_names *excluded, int *error); +int x509_constraints_chain(STACK_OF(X509) *chain, int *error, + int *depth); + +__END_HIDDEN_DECLS + +#endif diff --git a/crypto/x509/x509_issuer_cache.c b/crypto/x509/x509_issuer_cache.c new file mode 100644 index 0000000..6831c18 --- /dev/null +++ b/crypto/x509/x509_issuer_cache.c 
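Review bot: The x509_constraints_* prototypes in x509_internal.h carry no contract comments — return convention, what `*error` holds on failure, and who owns the `*hostp` string produced by x509_constraints_uri_host are all left to the reader, and the bodies are not in this diff, so callers have to guess at the functions that feed the name-constraint decision. A short block above each group stating the success value, the failure value and the `*error` / `*hostp` ownership rules would close that gap. Parameters such as `uint8_t *name` in x509_constraints_valid_host and `char *domain` in x509_constraints_domain look like read-only inputs; if the implementations confirm that, `const` on them documents it at the type level. The hard limits above the structs are good defensive defaults; a one-line note that X509_VERIFY_MAX_SIGCHECKS caps hostile-chain CPU cost, as the names-limit comment already does for DoS, would make the intent symmetric.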
@@ -0,0 +1,167 @@ +/* $OpenBSD: x509_issuer_cache.c,v 1.1 2020/09/11 14:30:51 beck Exp $ */ +/* + * Copyright (c) 2020 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* x509_issuer_cache */ + +/* + * The issuer cache is a cache of parent and child x509 certificate + * hashes with a signature validation result. + * + * Entries should only be added to the cache with a validation result + * from checking the public key math that "parent" signed "child". + * + * Finding an entry in the cache gets us the result of a previously + * performed validation of the signature of "parent" signing for the + * validity of "child". It allows us to skip doing the public key math + * when validating a certificate chain. It does not allow us to skip + * any other steps of validation (times, names, key usage, etc.) 
+ */ + +#include +#include + +#include "x509_issuer_cache.h" + +static int +x509_issuer_cmp(struct x509_issuer *x1, struct x509_issuer *x2) +{ + int pcmp; + if ((pcmp = memcmp(x1->parent_md, x2->parent_md, EVP_MAX_MD_SIZE)) != 0) + return pcmp; + return memcmp(x1->child_md, x2->child_md, EVP_MAX_MD_SIZE); +} + +static size_t x509_issuer_cache_count; +static size_t x509_issuer_cache_max = X509_ISSUER_CACHE_MAX; +static RB_HEAD(x509_issuer_tree, x509_issuer) x509_issuer_cache = + RB_INITIALIZER(&x509_issuer_cache); +static TAILQ_HEAD(lruqueue, x509_issuer) x509_issuer_lru = + TAILQ_HEAD_INITIALIZER(x509_issuer_lru); +static pthread_mutex_t x509_issuer_tree_mutex = PTHREAD_MUTEX_INITIALIZER; + +RB_PROTOTYPE(x509_issuer_tree, x509_issuer, entry, x509_issuer_cmp); +RB_GENERATE(x509_issuer_tree, x509_issuer, entry, x509_issuer_cmp); + +/* + * Set the maximum number of cached entries. On additions to the cache + * the least recently used entries will be discarded so that the cache + * stays under the maximum number of entries. Setting a maximum of 0 + * disables the cache. + */ +int +x509_issuer_cache_set_max(size_t max) +{ + if (pthread_mutex_lock(&x509_issuer_tree_mutex) != 0) + return 0; + x509_issuer_cache_max = max; + (void) pthread_mutex_unlock(&x509_issuer_tree_mutex); + + return 1; +} + +/* + * Find a previous result of checking if parent signed child + * + * Returns: + * -1 : No entry exists in the cache. signature must be checked. + * 0 : The signature of parent signing child is invalid. + * 1 : The signature of parent signing child is valid. 
+ */ +int +x509_issuer_cache_find(unsigned char *parent_md, unsigned char *child_md) +{ + struct x509_issuer candidate, *found; + int ret = -1; + + memset(&candidate, 0, sizeof(candidate)); + candidate.parent_md = parent_md; + candidate.child_md = child_md; + + if (x509_issuer_cache_max == 0) + return -1; + + if (pthread_mutex_lock(&x509_issuer_tree_mutex) != 0) + return -1; + if ((found = RB_FIND(x509_issuer_tree, &x509_issuer_cache, + &candidate)) != NULL) { + TAILQ_REMOVE(&x509_issuer_lru, found, queue); + TAILQ_INSERT_HEAD(&x509_issuer_lru, found, queue); + ret = found->valid; + } + (void) pthread_mutex_unlock(&x509_issuer_tree_mutex); + + return ret; +} + +/* + * Attempt to add a validation result to the cache. + * + * valid must be: + * 0: The signature of parent signing child is invalid. + * 1: The signature of parent signing child is valid. + * + * Previously added entries for the same parent and child are *not* replaced. + */ +void +x509_issuer_cache_add(unsigned char *parent_md, unsigned char *child_md, + int valid) +{ + struct x509_issuer *new; + + if (x509_issuer_cache_max == 0) + return; + if (valid != 0 && valid != 1) + return; + + if ((new = calloc(1, sizeof(struct x509_issuer))) == NULL) + return; + if ((new->parent_md = calloc(1, EVP_MAX_MD_SIZE)) == NULL) + goto err; + memcpy(new->parent_md, parent_md, EVP_MAX_MD_SIZE); + if ((new->child_md = calloc(1, EVP_MAX_MD_SIZE)) == NULL) + goto err; + memcpy(new->child_md, child_md, EVP_MAX_MD_SIZE); + + new->valid = valid; + + if (pthread_mutex_lock(&x509_issuer_tree_mutex) != 0) + goto err; + while (x509_issuer_cache_count >= x509_issuer_cache_max) { + struct x509_issuer *old; + if ((old = TAILQ_LAST(&x509_issuer_lru, lruqueue)) == NULL) + goto err; + TAILQ_REMOVE(&x509_issuer_lru, old, queue); + RB_REMOVE(x509_issuer_tree, &x509_issuer_cache, old); + free(old->parent_md); + free(old->child_md); + free(old); + x509_issuer_cache_count--; + } + if (RB_INSERT(x509_issuer_tree, &x509_issuer_cache, new) == 
NULL) { + TAILQ_INSERT_HEAD(&x509_issuer_lru, new, queue); + x509_issuer_cache_count++; + new = NULL; + } + err: + (void) pthread_mutex_unlock(&x509_issuer_tree_mutex); + if (new != NULL) { + free(new->parent_md); + free(new->child_md); + } + free(new); + return; +} diff --git a/crypto/x509/x509_issuer_cache.h b/crypto/x509/x509_issuer_cache.h new file mode 100644 index 0000000..6dedde7 --- /dev/null +++ b/crypto/x509/x509_issuer_cache.h 
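Review bot: `x509_issuer_cache_max` is read before the mutex is taken in both `x509_issuer_cache_find` (`if (x509_issuer_cache_max == 0) return -1;`) and `x509_issuer_cache_add`, while `x509_issuer_cache_set_max` writes it under the lock, which is a data race in C11 terms even if it is benign on the platforms this targets. In find the check can simply move below the `pthread_mutex_lock` call and leave through the unlock path. In add, the locked `while (x509_issuer_cache_count >= x509_issuer_cache_max)` loop already drains the cache and takes the `TAILQ_LAST == NULL` exit when max is 0, so the unlocked early return there is only an allocation shortcut and can be moved under the lock or dropped. A comment on `x509_issuer_cache_set_max` noting that lowering the limit takes effect on the next add, as the existing text implies, would also save a reader a trip through the code.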
@@ -0,0 +1,47 @@
+/* $OpenBSD: x509_issuer_cache.h,v 1.1 2020/09/11 14:30:51 beck Exp $ */
+/*
+ * Copyright (c) 2020 Bob Beck
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* x509_issuer_cache */
+#ifndef HEADER_X509_ISSUER_CACHE_H
+#define HEADER_X509_ISSUER_CACHE_H
+
+#include
+#include
+
+#include
+
+__BEGIN_HIDDEN_DECLS
+
+struct x509_issuer {
+ RB_ENTRY(x509_issuer) entry;
+ TAILQ_ENTRY(x509_issuer) queue; /* LRU of entries */
+ /* parent_md and child_md must point to EVP_MAX_MD_SIZE of memory */
+ unsigned char *parent_md;
+ unsigned char *child_md;
+ int valid; /* Result of signature validation. */
+};
+
+#define X509_ISSUER_CACHE_MAX 40000 /* Approx 7.5 MB, entries 200 bytes */
+
+int x509_issuer_cache_set_max(size_t max);
+int x509_issuer_cache_find(unsigned char *parent_md, unsigned char *child_md);
+void x509_issuer_cache_add(unsigned char *parent_md, unsigned char *child_md,
+ int valid);
+
+__END_HIDDEN_DECLS
+
+#endif
diff --git a/crypto/x509v3/v3_lib.c b/crypto/x509/x509_lib.c
similarity index 95%
rename from crypto/x509v3/v3_lib.c
rename to crypto/x509/x509_lib.c
index f0cc93b..211d0ad 100644
--- a/crypto/x509v3/v3_lib.c
+++ b/crypto/x509/x509_lib.c
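Review bot: The only contract given for `parent_md`/`child_md` is that they point to EVP_MAX_MD_SIZE bytes; nothing says which digest, over what, or that every caller must use the same one. The .c file's own comment says a cache hit stands in for the public-key check, so a key that is not a full-width collision-resistant digest of each complete DER certificate, or that differs between callers, would let two distinct certificates share one cached verdict. I would extend the struct comment to `/* parent_md and child_md: EVP_MAX_MD_SIZE bytes holding a collision-resistant digest of the complete DER certificate; all callers must use the same digest, since a hit replaces the signature check. */`. The find/add prototypes never modify the digests and could take `const unsigned char *`; what the callers actually digest is not visible in this diff.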
@@ -1,4 +1,4 @@ -/* $OpenBSD: v3_lib.c,v 1.17 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_lib.c,v 1.2 2020/09/14 11:35:32 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -103,11 +103,12 @@ ext_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_) return ext_cmp(a, b); } -static const X509V3_EXT_METHOD * * -OBJ_bsearch_ext(const X509V3_EXT_METHOD * *key, const X509V3_EXT_METHOD * const *base, int num) +static const X509V3_EXT_METHOD ** +OBJ_bsearch_ext(const X509V3_EXT_METHOD **key, + const X509V3_EXT_METHOD *const *base, int num) { - return (const X509V3_EXT_METHOD * *)OBJ_bsearch_(key, base, num, sizeof(const X509V3_EXT_METHOD *), - ext_cmp_BSEARCH_CMP_FN); + return (const X509V3_EXT_METHOD **)OBJ_bsearch_(key, base, num, + sizeof(const X509V3_EXT_METHOD *), ext_cmp_BSEARCH_CMP_FN); } const X509V3_EXT_METHOD * @@ -167,7 +168,11 @@ X509V3_EXT_add_alias(int nid_to, int nid_from) *tmpext = *ext; tmpext->ext_nid = nid_to; tmpext->ext_flags |= X509V3_EXT_DYNAMIC; - return X509V3_EXT_add(tmpext); + if (!X509V3_EXT_add(tmpext)) { + free(tmpext); + return 0; + } + return 1; } void @@ -227,7 +232,7 @@ X509V3_EXT_d2i(X509_EXTENSION *ext) */ void * -X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx) +X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx) { int lastpos, i; X509_EXTENSION *ex, *found_ex = NULL; diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c index 742eb4d..f21103c 100644 --- a/crypto/x509/x509_lu.c +++ b/crypto/x509/x509_lu.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_lu.c,v 1.28 2018/03/17 15:43:32 tb Exp $ */ +/* $OpenBSD: x509_lu.c,v 1.30 2018/08/24 19:21:09 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -65,7 +65,6 @@ #include "x509_lcl.h" static void X509_OBJECT_dec_ref_count(X509_OBJECT *a); -/* static void X509_OBJECT_up_ref_count(X509_OBJECT *a); */ X509_LOOKUP * X509_LOOKUP_new(X509_LOOKUP_METHOD *method) @@ -154,8 +153,8 @@ X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name, } int -X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type, unsigned char *bytes, - int len, X509_OBJECT *ret) +X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type, + const unsigned char *bytes, int len, X509_OBJECT *ret) { if ((ctx->method == NULL) || (ctx->method->get_by_fingerprint == NULL)) return X509_LU_FAIL; @@ -163,7 +162,7 @@ X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type, unsigned char *bytes, } int -X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, int len, +X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, const char *str, int len, X509_OBJECT *ret) { if ((ctx->method == NULL) || (ctx->method->get_by_alias == NULL)) @@ -445,17 +444,16 @@ X509_OBJECT_dec_ref_count(X509_OBJECT *a) } } -/*static*/ void +int X509_OBJECT_up_ref_count(X509_OBJECT *a) { switch (a->type) { case X509_LU_X509: - CRYPTO_add(&a->data.x509->references, 1, CRYPTO_LOCK_X509); - break; + return X509_up_ref(a->data.x509); case X509_LU_CRL: - CRYPTO_add(&a->data.crl->references, 1, CRYPTO_LOCK_X509_CRL); - break; + return X509_CRL_up_ref(a->data.crl); } + return 1; } int diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509/x509_ncons.c similarity index 99% rename from crypto/x509v3/v3_ncons.c rename to crypto/x509/x509_ncons.c index 4913135..1621f98 100644 --- a/crypto/x509v3/v3_ncons.c +++ b/crypto/x509/x509_ncons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_ncons.c,v 1.13 2017/07/20 19:45:08 tedu Exp $ */ +/* $OpenBSD: x509_ncons.c,v 1.4 2020/09/16 18:12:06 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ 
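Review bot: `X509_OBJECT_up_ref_count` now returns an int and falls through to `return 1` for an object whose `type` is neither X509_LU_X509 nor X509_LU_CRL, so a caller sees success although no reference was taken. If that is the intended contract it deserves a comment above the final return, e.g. `/* No refcounted payload for other object types; report success. */`; otherwise returning 0 there would make the mismatch visible to callers. The function is exported now (the `/*static*/` is gone), so the return convention should also be stated in whatever public header declares it, which is not part of this diff.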
@@ -345,10 +345,8 @@ NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc) if (r != X509_V_OK) return r; } - return X509_V_OK; } - static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) { diff --git a/crypto/x509/x509_obj.c b/crypto/x509/x509_obj.c index b34f25b..5c53799 100644 --- a/crypto/x509/x509_obj.c +++ b/crypto/x509/x509_obj.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_obj.c,v 1.17 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_obj.c,v 1.18 2018/05/18 18:19:31 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -66,7 +66,7 @@ #include char * -X509_NAME_oneline(X509_NAME *a, char *buf, int len) +X509_NAME_oneline(const X509_NAME *a, char *buf, int len) { X509_NAME_ENTRY *ne; int i; diff --git a/crypto/x509v3/v3_ocsp.c b/crypto/x509/x509_ocsp.c similarity index 99% rename from crypto/x509v3/v3_ocsp.c rename to crypto/x509/x509_ocsp.c index 8ebda2e..59a2e97 100644 --- a/crypto/x509v3/v3_ocsp.c +++ b/crypto/x509/x509_ocsp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_ocsp.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_ocsp.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ diff --git a/crypto/x509v3/v3_pci.c b/crypto/x509/x509_pci.c similarity index 99% rename from crypto/x509v3/v3_pci.c rename to crypto/x509/x509_pci.c index 437b3ae..8997f0c 100644 --- a/crypto/x509v3/v3_pci.c +++ b/crypto/x509/x509_pci.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_pci.c,v 1.13 2017/05/02 04:11:08 deraadt Exp $ */ +/* $OpenBSD: x509_pci.c,v 1.1 2020/06/04 15:19:31 jsing Exp $ */ /* Contributed to the OpenSSL Project 2004 * by Richard Levitte (richard@levitte.org) */ diff --git a/crypto/x509v3/v3_pcia.c b/crypto/x509/x509_pcia.c similarity index 98% rename from crypto/x509v3/v3_pcia.c rename to crypto/x509/x509_pcia.c index f9ec02c..b639aa3 100644 --- a/crypto/x509v3/v3_pcia.c +++ b/crypto/x509/x509_pcia.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: v3_pcia.c,v 1.6 2015/07/25 16:00:14 jsing Exp $ */ +/* $OpenBSD: x509_pcia.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ /* Contributed to the OpenSSL Project 2004 * by Richard Levitte (richard@levitte.org) */ diff --git a/crypto/x509v3/v3_pcons.c b/crypto/x509/x509_pcons.c similarity index 91% rename from crypto/x509v3/v3_pcons.c rename to crypto/x509/x509_pcons.c index 30487a4..69bf433 100644 --- a/crypto/x509v3/v3_pcons.c +++ b/crypto/x509/x509_pcons.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_pcons.c,v 1.11 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_pcons.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -133,12 +133,26 @@ i2v_POLICY_CONSTRAINTS(const X509V3_EXT_METHOD *method, void *a, STACK_OF(CONF_VALUE) *extlist) { POLICY_CONSTRAINTS *pcons = a; + STACK_OF(CONF_VALUE) *free_extlist = NULL; + + if (extlist == NULL) { + if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL) + return NULL; + } + + if (!X509V3_add_value_int("Require Explicit Policy", + pcons->requireExplicitPolicy, &extlist)) + goto err; + if (!X509V3_add_value_int("Inhibit Policy Mapping", + pcons->inhibitPolicyMapping, &extlist)) + goto err; - X509V3_add_value_int("Require Explicit Policy", - pcons->requireExplicitPolicy, &extlist); - X509V3_add_value_int("Inhibit Policy Mapping", - pcons->inhibitPolicyMapping, &extlist); return extlist; + + err: + sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free); + + return NULL; } static void * diff --git a/crypto/x509v3/v3_pku.c b/crypto/x509/x509_pku.c similarity index 93% rename from crypto/x509v3/v3_pku.c rename to crypto/x509/x509_pku.c index 507b0cb..9b82ad3 100644 --- a/crypto/x509v3/v3_pku.c +++ b/crypto/x509/x509_pku.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: v3_pku.c,v 1.13 2016/12/30 15:54:49 jsing Exp $ */ +/* $OpenBSD: x509_pku.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -64,9 +64,7 @@ static int i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, BIO *out, int indent); -/* -static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *values); -*/ + const X509V3_EXT_METHOD v3_pkey_usage_period = { .ext_nid = NID_private_key_usage_period, .ext_flags = 0, @@ -154,13 +152,3 @@ i2r_PKEY_USAGE_PERIOD(X509V3_EXT_METHOD *method, PKEY_USAGE_PERIOD *usage, } return 1; } - -/* -static PKEY_USAGE_PERIOD *v2i_PKEY_USAGE_PERIOD(method, ctx, values) -X509V3_EXT_METHOD *method; -X509V3_CTX *ctx; -STACK_OF(CONF_VALUE) *values; -{ -return NULL; -} -*/ diff --git a/crypto/x509v3/v3_pmaps.c b/crypto/x509/x509_pmaps.c similarity index 89% rename from crypto/x509v3/v3_pmaps.c rename to crypto/x509/x509_pmaps.c index 32ef6be..352f85a 100644 --- a/crypto/x509v3/v3_pmaps.c +++ b/crypto/x509/x509_pmaps.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_pmaps.c,v 1.11 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_pmaps.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ 
@@ -146,21 +146,38 @@ POLICY_MAPPING_free(POLICY_MAPPING *a) static STACK_OF(CONF_VALUE) * i2v_POLICY_MAPPINGS(const X509V3_EXT_METHOD *method, void *a, - STACK_OF(CONF_VALUE) *ext_list) + STACK_OF(CONF_VALUE) *extlist) { + STACK_OF(CONF_VALUE) *free_extlist = NULL; POLICY_MAPPINGS *pmaps = a; POLICY_MAPPING *pmap; + char issuer[80], subject[80]; int i; - char obj_tmp1[80]; - char obj_tmp2[80]; + + if (extlist == NULL) { + if ((free_extlist = extlist = sk_CONF_VALUE_new_null()) == NULL) + return NULL; + } for (i = 0; i < sk_POLICY_MAPPING_num(pmaps); i++) { - pmap = sk_POLICY_MAPPING_value(pmaps, i); - i2t_ASN1_OBJECT(obj_tmp1, 80, pmap->issuerDomainPolicy); - i2t_ASN1_OBJECT(obj_tmp2, 80, pmap->subjectDomainPolicy); - X509V3_add_value(obj_tmp1, obj_tmp2, &ext_list); + if ((pmap = sk_POLICY_MAPPING_value(pmaps, i)) == NULL) + goto err; + if (!i2t_ASN1_OBJECT(issuer, sizeof issuer, + pmap->issuerDomainPolicy)) + goto err; + if (!i2t_ASN1_OBJECT(subject, sizeof subject, + pmap->subjectDomainPolicy)) + goto err; + if (!X509V3_add_value(issuer, subject, &extlist)) + goto err; } - return ext_list; + + return extlist; + + err: + sk_CONF_VALUE_pop_free(free_extlist, X509V3_conf_free); + + return NULL; } static void * diff --git a/crypto/x509v3/v3_prn.c b/crypto/x509/x509_prn.c similarity index 97% rename from crypto/x509v3/v3_prn.c rename to crypto/x509/x509_prn.c index f65c7aa..5c15cc3 100644 --- a/crypto/x509v3/v3_prn.c +++ b/crypto/x509/x509_prn.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_prn.c,v 1.19 2016/12/30 15:54:49 jsing Exp $ */ +/* $OpenBSD: x509_prn.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -152,8 +152,8 @@ err: } int -X509V3_extensions_print(BIO *bp, char *title, STACK_OF(X509_EXTENSION) *exts, - unsigned long flag, int indent) +X509V3_extensions_print(BIO *bp, const char *title, + const STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent) { int i, j; 
diff --git a/crypto/x509v3/v3_purp.c b/crypto/x509/x509_purp.c similarity index 98% rename from crypto/x509v3/v3_purp.c rename to crypto/x509/x509_purp.c index d692a19..f2d4665 100644 --- a/crypto/x509v3/v3_purp.c +++ b/crypto/x509/x509_purp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_purp.c,v 1.30 2017/06/22 17:28:00 jsing Exp $ */ +/* $OpenBSD: x509_purp.c,v 1.2 2020/09/13 15:06:17 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2001. */ @@ -73,7 +73,7 @@ #define ns_reject(x, usage) \ (((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage))) -static void x509v3_cache_extensions(X509 *x); +void x509v3_cache_extensions(X509 *x); static int check_ssl_ca(const X509 *x); static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x, @@ -172,7 +172,7 @@ X509_PURPOSE_get0(int idx) } int -X509_PURPOSE_get_by_sname(char *sname) +X509_PURPOSE_get_by_sname(const char *sname) { int i; X509_PURPOSE *xptmp; @@ -204,8 +204,8 @@ X509_PURPOSE_get_by_id(int purpose) int X509_PURPOSE_add(int id, int trust, int flags, - int (*ck)(const X509_PURPOSE *, const X509 *, int), char *name, - char *sname, void *arg) + int (*ck)(const X509_PURPOSE *, const X509 *, int), const char *name, + const char *sname, void *arg) { int idx; X509_PURPOSE *ptmp; @@ -302,25 +302,25 @@ X509_PURPOSE_cleanup(void) } int -X509_PURPOSE_get_id(X509_PURPOSE *xp) +X509_PURPOSE_get_id(const X509_PURPOSE *xp) { return xp->purpose; } char * -X509_PURPOSE_get0_name(X509_PURPOSE *xp) +X509_PURPOSE_get0_name(const X509_PURPOSE *xp) { return xp->name; } char * -X509_PURPOSE_get0_sname(X509_PURPOSE *xp) +X509_PURPOSE_get0_sname(const X509_PURPOSE *xp) { return xp->sname; } int -X509_PURPOSE_get_trust(X509_PURPOSE *xp) +X509_PURPOSE_get_trust(const X509_PURPOSE *xp) { return xp->trust; } @@ -426,7 +426,7 @@ setup_crldp(X509 *x) setup_dp(x, sk_DIST_POINT_value(x->crldp, i)); } -static void +void x509v3_cache_extensions(X509 *x) { BASIC_CONSTRAINTS *bs; 
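Review bot: The forward declaration `void x509v3_cache_extensions(X509 *x);` that replaces the static one duplicates the prototype x509_internal.h adds in this same commit, and two hand-maintained prototypes for one hidden symbol can drift silently — the compiler only catches a mismatch when both are visible in the same translation unit. Unless x509_purp.c already includes x509_internal.h, which this hunk does not show, I would include that header and drop the local declaration. The body of x509v3_cache_extensions continues past the end of the last hunk.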
diff --git a/crypto/x509/x509_req.c b/crypto/x509/x509_req.c
index f87b35c..b44306b 100644
--- a/crypto/x509/x509_req.c
+++ b/crypto/x509/x509_req.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_req.c,v 1.20 2017/01/29 17:49:23 beck Exp $ */
+/* $OpenBSD: x509_req.c,v 1.21 2018/05/13 06:48:00 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -286,7 +286,8 @@ X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos)
 }
 int
-X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj, int lastpos)
+X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj,
+ int lastpos)
 {
 return X509at_get_attr_by_OBJ(req->req_info->attributes, obj, lastpos);
 }
diff --git a/crypto/x509/x509_set.c b/crypto/x509/x509_set.c
index becdaf6..1a4b583 100644
--- a/crypto/x509/x509_set.c
+++ b/crypto/x509/x509_set.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_set.c,v 1.16 2018/02/22 17:09:28 jsing Exp $ */
+/* $OpenBSD: x509_set.c,v 1.17 2018/08/24 19:55:58 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -87,6 +87,12 @@ X509_set_version(X509 *x, long version)
 return (ASN1_INTEGER_set(x->cert_info->version, version));
 }
+long
+X509_get_version(const X509 *x)
+{
+ return ASN1_INTEGER_get(x->cert_info->version);
+}
+
 int
 X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
 {
@@ -204,3 +210,9 @@ X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
 return (0);
 return (X509_PUBKEY_set(&(x->cert_info->key), pkey));
 }
+
+int
+X509_get_signature_type(const X509 *x)
+{
+ return EVP_PKEY_type(OBJ_obj2nid(x->sig_alg->algorithm));
+}
diff --git a/crypto/x509v3/v3_skey.c b/crypto/x509/x509_skey.c
similarity index 96%
rename from crypto/x509v3/v3_skey.c
rename to crypto/x509/x509_skey.c
index 9dc1741..a906427 100644
--- a/crypto/x509v3/v3_skey.c
+++ b/crypto/x509/x509_skey.c
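Review bot: `X509_get_version` returns `ASN1_INTEGER_get(x->cert_info->version)` with no comment on the two non-obvious cases: a v1 certificate has no version field, so the result depends on how ASN1_INTEGER_get treats a NULL pointer (0 in the implementations I know, which happens to be the encoded value for v1), and an oversized INTEGER in a hostile certificate makes ASN1_INTEGER_get report its error value rather than a version — both worth confirming against this tree's ASN1_INTEGER_get. A comment such as `/* v1 certificates omit the field; ASN1_INTEGER_get(NULL) yields 0 == v1. */` above the return would capture the first, and the second is a reason for callers to treat a negative result as "no valid version" rather than comparing it only for equality. `X509_get_signature_type` hands NID_undef through EVP_PKEY_type for an unrecognised algorithm; a one-line comment saying so would spare callers a lookup.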
@@ -1,4 +1,4 @@ -/* $OpenBSD: v3_skey.c,v 1.15 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_skey.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -83,13 +83,14 @@ const X509V3_EXT_METHOD v3_skey_id = { }; char * -i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *oct) +i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, const ASN1_OCTET_STRING *oct) { return hex_to_string(oct->data, oct->length); } ASN1_OCTET_STRING * -s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str) +s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, + const char *str) { ASN1_OCTET_STRING *oct; long length; diff --git a/crypto/x509v3/v3_sxnet.c b/crypto/x509/x509_sxnet.c similarity index 95% rename from crypto/x509v3/v3_sxnet.c rename to crypto/x509/x509_sxnet.c index 14c6e5c..e5e98bc 100644 --- a/crypto/x509v3/v3_sxnet.c +++ b/crypto/x509/x509_sxnet.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_sxnet.c,v 1.19 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_sxnet.c,v 1.1 2020/06/04 15:19:32 jsing Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -253,7 +253,7 @@ sxnet_v2i(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, /* Add an id given the zone as an ASCII number */ int -SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen) +SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, int userlen) { ASN1_INTEGER *izone = NULL; @@ -267,7 +267,8 @@ SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen) /* Add an id given the zone as an unsigned long */ int -SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, int userlen) +SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user, + int userlen) { ASN1_INTEGER *izone = NULL; 
@@ -286,7 +287,8 @@ SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, int userlen) */ int -SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, char *user, int userlen) +SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *zone, const char *user, + int userlen) { SXNET *sx = NULL; SXNETID *id = NULL; @@ -335,7 +337,7 @@ err: } ASN1_OCTET_STRING * -SXNET_get_id_asc(SXNET *sx, char *zone) +SXNET_get_id_asc(SXNET *sx, const char *zone) { ASN1_INTEGER *izone = NULL; ASN1_OCTET_STRING *oct; @@ -374,7 +376,7 @@ SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone) for (i = 0; i < sk_SXNETID_num(sx->ids); i++) { id = sk_SXNETID_value(sx->ids, i); - if (!ASN1_STRING_cmp(id->zone, zone)) + if (!ASN1_INTEGER_cmp(id->zone, zone)) return id->user; } return NULL; diff --git a/crypto/x509/x509_trs.c b/crypto/x509/x509_trs.c index 9af74de..651dc82 100644 --- a/crypto/x509/x509_trs.c +++ b/crypto/x509/x509_trs.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_trs.c,v 1.22 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_trs.c,v 1.23 2018/05/18 18:40:38 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -187,7 +187,7 @@ X509_TRUST_set(int *t, int trust) int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), - char *name, int arg1, void *arg2) + const char *name, int arg1, void *arg2) { int idx; X509_TRUST *trtmp; @@ -274,19 +274,19 @@ X509_TRUST_cleanup(void) } int -X509_TRUST_get_flags(X509_TRUST *xp) +X509_TRUST_get_flags(const X509_TRUST *xp) { return xp->flags; } char * -X509_TRUST_get0_name(X509_TRUST *xp) +X509_TRUST_get0_name(const X509_TRUST *xp) { return xp->name; } int -X509_TRUST_get_trust(X509_TRUST *xp) +X509_TRUST_get_trust(const X509_TRUST *xp) { return xp->trust; } diff --git a/crypto/x509v3/v3_utl.c b/crypto/x509/x509_utl.c similarity index 89% rename from crypto/x509v3/v3_utl.c rename to crypto/x509/x509_utl.c index 67ecc81..0fa6ea6 100644 --- a/crypto/x509v3/v3_utl.c 
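Review bot: Replacing `ASN1_STRING_cmp` with `ASN1_INTEGER_cmp` in SXNET_get_id_INTEGER turns the zone match from a comparison of type, length and raw bytes into a numeric one, which is the right semantics for a zone identifier but is easy to revert by accident in a later cleanup. A one-line comment would preserve the reason: `/* Match on numeric value, not on the raw ASN.1 encoding. */`. The body of SXNET_get_id_INTEGER starts outside the hunk.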
+++ b/crypto/x509/x509_utl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: v3_utl.c,v 1.27 2018/03/20 16:16:59 jsing Exp $ */ +/* $OpenBSD: x509_utl.c,v 1.2 2020/09/13 15:06:17 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project. */ @@ -66,6 +66,7 @@ #include #include +char *bn_to_string(const BIGNUM *bn); static char *strip_spaces(char *name); static int sk_strcmp(const char * const *a, const char * const *b); static STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, @@ -78,35 +79,42 @@ static int ipv6_from_asc(unsigned char *v6, const char *in); static int ipv6_cb(const char *elem, int len, void *usr); static int ipv6_hex(unsigned char *out, const char *in, int inlen); -/* Add a CONF_VALUE name value pair to stack */ - +/* Add a CONF_VALUE name-value pair to stack. */ int X509V3_add_value(const char *name, const char *value, STACK_OF(CONF_VALUE) **extlist) { CONF_VALUE *vtmp = NULL; - char *tname = NULL, *tvalue = NULL; + STACK_OF(CONF_VALUE) *free_exts = NULL; - if (name && !(tname = strdup(name))) + if ((vtmp = calloc(1, sizeof(CONF_VALUE))) == NULL) goto err; - if (value && !(tvalue = strdup(value))) - goto err; - if (!(vtmp = malloc(sizeof(CONF_VALUE)))) - goto err; - if (!*extlist && !(*extlist = sk_CONF_VALUE_new_null())) - goto err; - vtmp->section = NULL; - vtmp->name = tname; - vtmp->value = tvalue; + if (name != NULL) { + if ((vtmp->name = strdup(name)) == NULL) + goto err; + } + if (value != NULL) { + if ((vtmp->value = strdup(value)) == NULL) + goto err; + } + + if (*extlist == NULL) { + if ((free_exts = *extlist = sk_CONF_VALUE_new_null()) == NULL) + goto err; + } + if (!sk_CONF_VALUE_push(*extlist, vtmp)) goto err; + return 1; -err: + err: X509V3error(ERR_R_MALLOC_FAILURE); - free(vtmp); - free(tname); - free(tvalue); + X509V3_conf_free(vtmp); + if (free_exts != NULL) { + sk_CONF_VALUE_free(*extlist); + *extlist = NULL; + } return 0; } 
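Review bot: The rewritten `X509V3_add_value` now creates `*extlist` on demand and, on failure, frees only a stack it created itself (tracked via `free_exts`) while leaving a caller-supplied one untouched; that ownership rule is the main thing a caller needs and the new one-line comment does not state it. I would extend it to: `/* Add a CONF_VALUE name-value pair to *extlist, creating the stack if it is NULL. On failure nothing is added; a stack created here is freed and *extlist reset to NULL. */`. Separately, the added `char *bn_to_string(const BIGNUM *bn);` prototype sits in this .c file rather than a header, so any other translation unit that calls it (presumably the regress suite) must carry its own copy that the compiler cannot cross-check; declaring it in x509_internal.h would fix that.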
@@ -140,7 +148,7 @@ X509V3_add_value_bool(const char *name, int asn1_bool, } int -X509V3_add_value_bool_nf(char *name, int asn1_bool, +X509V3_add_value_bool_nf(const char *name, int asn1_bool, STACK_OF(CONF_VALUE) **extlist) { if (asn1_bool) @@ -148,39 +156,65 @@ X509V3_add_value_bool_nf(char *name, int asn1_bool, return 1; } +char * +bn_to_string(const BIGNUM *bn) +{ + const char *sign = ""; + char *bnstr, *hex; + char *ret = NULL; + + /* Only display small numbers in decimal, as conversion is quadratic. */ + if (BN_num_bits(bn) < 128) + return BN_bn2dec(bn); + + if ((hex = bnstr = BN_bn2hex(bn)) == NULL) + goto err; + + if (BN_is_negative(bn)) { + sign = "-"; + hex++; + } + + if (asprintf(&ret, "%s0x%s", sign, hex) == -1) + ret = NULL; + + err: + free(bnstr); + return ret; +} char * -i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, ASN1_ENUMERATED *a) +i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *method, const ASN1_ENUMERATED *a) { - BIGNUM *bntmp = NULL; + BIGNUM *bntmp; char *strtmp = NULL; - if (!a) + if (a == NULL) return NULL; - if (!(bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) || - !(strtmp = BN_bn2dec(bntmp))) + if ((bntmp = ASN1_ENUMERATED_to_BN(a, NULL)) == NULL || + (strtmp = bn_to_string(bntmp)) == NULL) X509V3error(ERR_R_MALLOC_FAILURE); BN_free(bntmp); return strtmp; } char * -i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, ASN1_INTEGER *a) +i2s_ASN1_INTEGER(X509V3_EXT_METHOD *method, const ASN1_INTEGER *a) { - BIGNUM *bntmp = NULL; + BIGNUM *bntmp; char *strtmp = NULL; - if (!a) + if (a == NULL) return NULL; - if (!(bntmp = ASN1_INTEGER_to_BN(a, NULL)) || - !(strtmp = BN_bn2dec(bntmp))) + if ((bntmp = ASN1_INTEGER_to_BN(a, NULL)) == NULL || + (strtmp = bn_to_string(bntmp)) == NULL) X509V3error(ERR_R_MALLOC_FAILURE); BN_free(bntmp); return strtmp; } ASN1_INTEGER * -s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value) +s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, const char *value) { BIGNUM *bn = NULL; ASN1_INTEGER *aint; 
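Review bot: The new `bn_to_string` is not separated from the following `i2s_ASN1_ENUMERATED` by a blank line (the added `}` is immediately followed by the context `char *`), which breaks the file's one-blank-line-between-functions layout; add an empty `+` line after the closing brace. The function also changes what `i2s_ASN1_INTEGER` and `i2s_ASN1_ENUMERATED` emit for values of 128 bits or more — sign-prefixed `0x` hex instead of decimal — which shows up in any printed extension text, so the contract deserves a header comment such as `/* Render bn as decimal when it has fewer than 128 bits, otherwise as sign-prefixed 0x hex; returns a malloc'd string the caller frees, or NULL. */`.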
@@ -230,7 +264,7 @@ s2i_ASN1_INTEGER(X509V3_EXT_METHOD *method, char *value) } int -X509V3_add_value_int(const char *name, ASN1_INTEGER *aint, +X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint, STACK_OF(CONF_VALUE) **extlist) { char *strtmp; @@ -246,7 +280,7 @@ X509V3_add_value_int(const char *name, ASN1_INTEGER *aint, } int -X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool) +X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool) { char *btmp; @@ -264,14 +298,14 @@ X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool) return 1; } -err: + err: X509V3error(X509V3_R_INVALID_BOOLEAN_STRING); X509V3_conf_err(value); return 0; } int -X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint) +X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint) { ASN1_INTEGER *itmp; @@ -367,7 +401,7 @@ X509V3_parse_list(const char *line) free(linebuf); return values; -err: + err: free(linebuf); sk_CONF_VALUE_pop_free(values, X509V3_conf_free); return NULL; @@ -475,12 +509,12 @@ string_to_hex(const char *str, long *len) return hexbuf; -err: + err: free(hexbuf); X509V3error(ERR_R_MALLOC_FAILURE); return NULL; -badhex: + badhex: free(hexbuf); X509V3error(X509V3_R_ILLEGAL_HEX_DIGIT); return NULL; @@ -511,7 +545,8 @@ sk_strcmp(const char * const *a, const char * const *b) return strcmp(*a, *b); } -STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x) +STACK_OF(OPENSSL_STRING) * +X509_get1_email(X509 *x) { GENERAL_NAMES *gens; STACK_OF(OPENSSL_STRING) *ret; @@ -522,7 +557,8 @@ STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x) return ret; } -STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x) +STACK_OF(OPENSSL_STRING) * +X509_get1_ocsp(X509 *x) { AUTHORITY_INFO_ACCESS *info; STACK_OF(OPENSSL_STRING) *ret = NULL; 
@@ -545,7 +581,8 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x) return ret; } -STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x) +STACK_OF(OPENSSL_STRING) * +X509_REQ_get1_email(X509_REQ *x) { GENERAL_NAMES *gens; STACK_OF(X509_EXTENSION) *exts; @@ -560,8 +597,8 @@ STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x) } -static -STACK_OF(OPENSSL_STRING) *get_email(X509_NAME *name, GENERAL_NAMES *gens) +static STACK_OF(OPENSSL_STRING) * +get_email(X509_NAME *name, GENERAL_NAMES *gens) { STACK_OF(OPENSSL_STRING) *ret = NULL; X509_NAME_ENTRY *ne; @@ -628,12 +665,13 @@ X509_email_free(STACK_OF(OPENSSL_STRING) *sk) sk_OPENSSL_STRING_pop_free(sk, str_free); } -typedef int (*equal_fn) (const unsigned char *pattern, size_t pattern_len, +typedef int (*equal_fn)(const unsigned char *pattern, size_t pattern_len, const unsigned char *subject, size_t subject_len, unsigned int flags); /* Skip pattern prefix to match "wildcard" subject */ -static void skip_prefix(const unsigned char **p, size_t *plen, - const unsigned char *subject, size_t subject_len, unsigned int flags) +static void +skip_prefix(const unsigned char **p, size_t *plen, const unsigned char *subject, + size_t subject_len, unsigned int flags) { const unsigned char *pattern = *p; size_t pattern_len = *plen; @@ -671,9 +709,9 @@ static void skip_prefix(const unsigned char **p, size_t *plen, */ /* Compare using strncasecmp */ -static int equal_nocase(const unsigned char *pattern, size_t pattern_len, - const unsigned char *subject, size_t subject_len, - unsigned int flags) +static int +equal_nocase(const unsigned char *pattern, size_t pattern_len, + const unsigned char *subject, size_t subject_len, unsigned int flags) { if (memchr(pattern, '\0', pattern_len) != NULL) return 0; 
@@ -686,9 +724,9 @@ static int equal_nocase(const unsigned char *pattern, size_t pattern_len, } /* Compare using strncmp. */ -static int equal_case(const unsigned char *pattern, size_t pattern_len, - const unsigned char *subject, size_t subject_len, - unsigned int flags) +static int +equal_case(const unsigned char *pattern, size_t pattern_len, + const unsigned char *subject, size_t subject_len, unsigned int flags) { if (memchr(pattern, 0, pattern_len) != NULL) return 0; @@ -704,9 +742,9 @@ static int equal_case(const unsigned char *pattern, size_t pattern_len, * RFC 5280, section 7.5, requires that only the domain is compared in a * case-insensitive manner. */ -static int equal_email(const unsigned char *a, size_t a_len, - const unsigned char *b, size_t b_len, - unsigned int unused_flags) +static int +equal_email(const unsigned char *a, size_t a_len, const unsigned char *b, + size_t b_len, unsigned int unused_flags) { size_t pos = a_len; if (a_len != b_len) @@ -719,7 +757,8 @@ static int equal_email(const unsigned char *a, size_t a_len, while (pos > 0) { pos--; if (a[pos] == '@' || b[pos] == '@') { - if (!equal_nocase(a + pos, a_len - pos, b + pos, a_len - pos, 0)) + if (!equal_nocase(a + pos, a_len - pos, b + pos, + a_len - pos, 0)) return 0; break; } @@ -733,7 +772,8 @@ static int equal_email(const unsigned char *a, size_t a_len, * Compare the prefix and suffix with the subject, and check that the * characters in-between are valid. */ -static int wildcard_match(const unsigned char *prefix, size_t prefix_len, +static int +wildcard_match(const unsigned char *prefix, size_t prefix_len, const unsigned char *suffix, size_t suffix_len, const unsigned char *subject, size_t subject_len, unsigned int flags) { 
@@ -788,8 +828,8 @@ static int wildcard_match(const unsigned char *prefix, size_t prefix_len, #define LABEL_HYPHEN (1 << 2) #define LABEL_IDNA (1 << 3) -static const unsigned char *valid_star(const unsigned char *p, size_t len, - unsigned int flags) +static const unsigned char * +valid_star(const unsigned char *p, size_t len, unsigned int flags) { const unsigned char *star = 0; size_t i; @@ -867,7 +907,8 @@ static const unsigned char *valid_star(const unsigned char *p, size_t len, } /* Compare using wildcards. */ -static int equal_wildcard(const unsigned char *pattern, size_t pattern_len, +static int +equal_wildcard(const unsigned char *pattern, size_t pattern_len, const unsigned char *subject, size_t subject_len, unsigned int flags) { const unsigned char *star = NULL; @@ -926,8 +967,9 @@ do_check_string(ASN1_STRING *a, int cmp_type, equal_fn equal, return rv; } -static int do_x509_check(X509 *x, const char *chk, size_t chklen, - unsigned int flags, int check_type, char **peername) +static int +do_x509_check(X509 *x, const char *chk, size_t chklen, unsigned int flags, + int check_type, char **peername) { GENERAL_NAMES *gens = NULL; X509_NAME *name = NULL; @@ -946,7 +988,8 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, alt_type = V_ASN1_IA5STRING; equal = equal_email; } else if (check_type == GEN_DNS) { - cnid = NID_commonName; + if (!(flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT)) + cnid = NID_commonName; /* Implicit client-side DNS sub-domain pattern */ if (chklen > 1 && chk[0] == '.') flags |= _X509_CHECK_FLAG_DOT_SUBDOMAINS; @@ -1010,8 +1053,9 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, return 0; } -int X509_check_host(X509 *x, const char *chk, size_t chklen, - unsigned int flags, char **peername) +int +X509_check_host(X509 *x, const char *chk, size_t chklen, unsigned int flags, + char **peername) { if (chk == NULL) return -2; 
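Review bot: The guard `if (!(flags & X509_CHECK_FLAG_NEVER_CHECK_SUBJECT)) cnid = NID_commonName;` leaves `cnid` at its initial value (presumably NID_undef, set outside the hunk) when the flag is given, so the subject-CN fallback is skipped and only subjectAltName entries can satisfy the hostname check; the new non-legacy verifier relies on this (x509_verify_cert_hostname passes the flag when there is no X509_STORE_CTX), but nothing at the site says so. A comment would help: `/* Fall back to the subject CN only when the caller allows it. */`. The body of do_x509_check, including the later use of cnid, continues outside the hunk.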
@@ -1022,8 +1066,8 @@ int X509_check_host(X509 *x, const char *chk, size_t chklen, return do_x509_check(x, chk, chklen, flags, GEN_DNS, peername); } -int X509_check_email(X509 *x, const char *chk, size_t chklen, - unsigned int flags) +int +X509_check_email(X509 *x, const char *chk, size_t chklen, unsigned int flags) { if (chk == NULL) return -2; @@ -1034,7 +1078,8 @@ int X509_check_email(X509 *x, const char *chk, size_t chklen, return do_x509_check(x, chk, chklen, flags, GEN_EMAIL, NULL); } -int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen, +int +X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen, unsigned int flags) { if (chk == NULL) @@ -1042,7 +1087,8 @@ int X509_check_ip(X509 *x, const unsigned char *chk, size_t chklen, return do_x509_check(x, (char *)chk, chklen, flags, GEN_IPADD, NULL); } -int X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags) +int +X509_check_ip_asc(X509 *x, const char *ipasc, unsigned int flags) { unsigned char ipout[16]; size_t iplen; @@ -1121,7 +1167,7 @@ a2i_IPADDRESS_NC(const char *ipasc) return ret; -err: + err: free(iptmp); if (ret) ASN1_OCTET_STRING_free(ret); @@ -1184,7 +1230,7 @@ ipv6_from_asc(unsigned char *v6, const char *in) /* Treat the IPv6 representation as a list of values * separated by ':'. The presence of a '::' will parse - * as one, two or three zero length elements. + * as one, two or three zero length elements. */ if (!CONF_parse_list(in, ':', 0, ipv6_cb, &v6stat)) return 0; diff --git a/crypto/x509/x509_v3.c b/crypto/x509/x509_v3.c index 446ef31..524d551 100644 --- a/crypto/x509/x509_v3.c +++ b/crypto/x509/x509_v3.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_v3.c,v 1.14 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509_v3.c,v 1.17 2018/05/19 10:54:40 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -86,8 +86,8 @@ X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos) } int -X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, ASN1_OBJECT *obj, - int lastpos) +X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *sk, + const ASN1_OBJECT *obj, int lastpos) { int n; X509_EXTENSION *ex; @@ -209,8 +209,8 @@ X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit, } X509_EXTENSION * -X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, ASN1_OBJECT *obj, int crit, - ASN1_OCTET_STRING *data) +X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, const ASN1_OBJECT *obj, + int crit, ASN1_OCTET_STRING *data) { X509_EXTENSION *ret; @@ -240,7 +240,7 @@ err: } int -X509_EXTENSION_set_object(X509_EXTENSION *ex, ASN1_OBJECT *obj) +X509_EXTENSION_set_object(X509_EXTENSION *ex, const ASN1_OBJECT *obj) { if ((ex == NULL) || (obj == NULL)) return (0); @@ -288,7 +288,7 @@ X509_EXTENSION_get_data(X509_EXTENSION *ex) } int -X509_EXTENSION_get_critical(X509_EXTENSION *ex) +X509_EXTENSION_get_critical(const X509_EXTENSION *ex) { if (ex == NULL) return (0); diff --git a/crypto/x509/x509_verify.c b/crypto/x509/x509_verify.c new file mode 100644 index 0000000..0c32cd0 --- /dev/null +++ b/crypto/x509/x509_verify.c 
@@ -0,0 +1,928 @@ +/* $OpenBSD: x509_verify.c,v 1.13 2020/09/26 15:44:06 jsing Exp $ */ +/* + * Copyright (c) 2020 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* x509_verify - inspired by golang's crypto/x509/Verify */ + +#include +#include +#include +#include +#include + +#include +#include +#include + +#include "x509_internal.h" +#include "x509_issuer_cache.h" + +static int x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert, + struct x509_verify_chain *current_chain); +static void x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, + struct x509_verify_chain *current_chain); +static int x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, + size_t depth, int error, int ok); +static void x509_verify_chain_free(struct x509_verify_chain *chain); + +#define X509_VERIFY_CERT_HASH (EVP_sha512()) + +struct x509_verify_chain * +x509_verify_chain_new(void) +{ + struct x509_verify_chain *chain; + + if ((chain = calloc(1, sizeof(*chain))) == NULL) + goto err; + if ((chain->certs = sk_X509_new_null()) == NULL) + goto err; + if ((chain->names = x509_constraints_names_new()) == NULL) + goto err; + + return chain; + err: + x509_verify_chain_free(chain); + return NULL; +} + +static void +x509_verify_chain_clear(struct x509_verify_chain 
*chain) +{ + sk_X509_pop_free(chain->certs, X509_free); + chain->certs = NULL; + x509_constraints_names_free(chain->names); + chain->names = NULL; +} + +static void +x509_verify_chain_free(struct x509_verify_chain *chain) +{ + if (chain == NULL) + return; + x509_verify_chain_clear(chain); + free(chain); +} + +static struct x509_verify_chain * +x509_verify_chain_dup(struct x509_verify_chain *chain) +{ + struct x509_verify_chain *new_chain; + + if ((new_chain = x509_verify_chain_new()) == NULL) + goto err; + if ((new_chain->certs = X509_chain_up_ref(chain->certs)) == NULL) + goto err; + if ((new_chain->names = + x509_constraints_names_dup(chain->names)) == NULL) + goto err; + return(new_chain); + err: + x509_verify_chain_free(new_chain); + return NULL; +} + +static int +x509_verify_chain_append(struct x509_verify_chain *chain, X509 *cert, + int *error) +{ + int verify_err = X509_V_ERR_UNSPECIFIED; + + if (!x509_constraints_extract_names(chain->names, cert, + sk_X509_num(chain->certs) == 0, &verify_err)) { + *error = verify_err; + return 0; + } + X509_up_ref(cert); + if (!sk_X509_push(chain->certs, cert)) { + X509_free(cert); + *error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + return 1; +} + +static X509 * +x509_verify_chain_last(struct x509_verify_chain *chain) +{ + int last; + + if (chain->certs == NULL) + return NULL; + if ((last = sk_X509_num(chain->certs) - 1) < 0) + return NULL; + return sk_X509_value(chain->certs, last); +} + +X509 * +x509_verify_chain_leaf(struct x509_verify_chain *chain) +{ + if (chain->certs == NULL) + return NULL; + return sk_X509_value(chain->certs, 0); +} + +static void +x509_verify_ctx_reset(struct x509_verify_ctx *ctx) +{ + size_t i; + + for (i = 0; i < ctx->chains_count; i++) + x509_verify_chain_free(ctx->chains[i]); + ctx->error = 0; + ctx->error_depth = 0; + ctx->chains_count = 0; + ctx->sig_checks = 0; + ctx->check_time = NULL; +} + +static void +x509_verify_ctx_clear(struct x509_verify_ctx *ctx) +{ + x509_verify_ctx_reset(ctx); + 
sk_X509_pop_free(ctx->intermediates, X509_free); + free(ctx->chains); + memset(ctx, 0, sizeof(*ctx)); +} + +static int +x509_verify_ctx_cert_is_root(struct x509_verify_ctx *ctx, X509 *cert) +{ + int i; + + for (i = 0; i < sk_X509_num(ctx->roots); i++) { + if (X509_cmp(sk_X509_value(ctx->roots, i), cert) == 0) + return 1; + } + return 0; +} + +static int +x509_verify_ctx_set_xsc_chain(struct x509_verify_ctx *ctx, + struct x509_verify_chain *chain) +{ + size_t depth; + X509 *last = x509_verify_chain_last(chain); + + if (ctx->xsc == NULL) + return 1; + + depth = sk_X509_num(chain->certs); + if (depth > 0) + depth--; + + ctx->xsc->last_untrusted = depth ? depth - 1 : 0; + sk_X509_pop_free(ctx->xsc->chain, X509_free); + ctx->xsc->chain = X509_chain_up_ref(chain->certs); + if (ctx->xsc->chain == NULL) + return x509_verify_cert_error(ctx, last, depth, + X509_V_ERR_OUT_OF_MEM, 0); + return 1; +} + +/* Add a validated chain to our list of valid chains */ +static int +x509_verify_ctx_add_chain(struct x509_verify_ctx *ctx, + struct x509_verify_chain *chain) +{ + size_t depth; + X509 *last = x509_verify_chain_last(chain); + + depth = sk_X509_num(chain->certs); + if (depth > 0) + depth--; + + if (ctx->chains_count >= ctx->max_chains) + return x509_verify_cert_error(ctx, last, depth, + X509_V_ERR_CERT_CHAIN_TOO_LONG, 0); + + /* + * If we have a legacy xsc, choose a validated chain, + * and apply the extensions, revocation, and policy checks + * just like the legacy code did. We do this here instead + * of as building the chains to more easily support the + * callback and the bewildering array of VERIFY_PARAM + * knobs that are there for the fiddling. 
+ */ + if (ctx->xsc != NULL) { + if (!x509_verify_ctx_set_xsc_chain(ctx, chain)) + return 0; + + /* + * XXX currently this duplicates some work done + * in chain build, but we keep it here until + * we have feature parity + */ + if (!x509_vfy_check_chain_extensions(ctx->xsc)) + return 0; + + if (!x509_constraints_chain(ctx->xsc->chain, + &ctx->xsc->error, &ctx->xsc->error_depth)) { + X509 *cert = sk_X509_value(ctx->xsc->chain, depth); + if (!x509_verify_cert_error(ctx, cert, + ctx->xsc->error_depth, ctx->xsc->error, 0)) + return 0; + } + + if (!x509_vfy_check_revocation(ctx->xsc)) + return 0; + + if (!x509_vfy_check_policy(ctx->xsc)) + return 0; + } + /* + * no xsc means we are being called from the non-legacy API, + * extensions and purpose are dealt with as the chain is built. + * + * The non-legacy api returns multiple chains but does not do + * any revocation checking (it must be done by the caller on + * any chain they wish to use) + */ + + if ((ctx->chains[ctx->chains_count] = x509_verify_chain_dup(chain)) == + NULL) { + return x509_verify_cert_error(ctx, last, depth, + X509_V_ERR_OUT_OF_MEM, 0); + } + ctx->chains_count++; + ctx->error = X509_V_OK; + ctx->error_depth = depth; + return 1; +} + +static int +x509_verify_potential_parent(struct x509_verify_ctx *ctx, X509 *parent, + X509 *child) +{ + if (ctx->xsc != NULL) + return (ctx->xsc->check_issued(ctx->xsc, child, parent)); + + /* XXX key usage */ + return X509_check_issued(child, parent) != X509_V_OK; +} + +static int +x509_verify_parent_signature(X509 *parent, X509 *child, + unsigned char *child_md, int *error) +{ + unsigned char parent_md[EVP_MAX_MD_SIZE] = { 0 }; + EVP_PKEY *pkey; + int cached; + int ret = 0; + + /* Use cached value if we have it */ + if (child_md != NULL) { + if (!X509_digest(parent, X509_VERIFY_CERT_HASH, parent_md, + NULL)) + return 0; + if ((cached = x509_issuer_cache_find(parent_md, child_md)) >= 0) + return cached; + } + + /* Check signature. Did parent sign child? 
*/ + if ((pkey = X509_get_pubkey(parent)) == NULL) { + *error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; + return 0; + } + if (X509_verify(child, pkey) <= 0) + *error = X509_V_ERR_CERT_SIGNATURE_FAILURE; + else + ret = 1; + + /* Add result to cache */ + if (child_md != NULL) + x509_issuer_cache_add(parent_md, child_md, ret); + + EVP_PKEY_free(pkey); + + return ret; +} + +static int +x509_verify_consider_candidate(struct x509_verify_ctx *ctx, X509 *cert, + unsigned char *cert_md, int is_root_cert, X509 *candidate, + struct x509_verify_chain *current_chain) +{ + int depth = sk_X509_num(current_chain->certs); + struct x509_verify_chain *new_chain; + int i; + + /* Fail if the certificate is already in the chain */ + for (i = 0; i < sk_X509_num(current_chain->certs); i++) { + if (X509_cmp(sk_X509_value(current_chain->certs, i), + candidate) == 0) + return 0; + } + + if (ctx->sig_checks++ > X509_VERIFY_MAX_SIGCHECKS) { + /* don't allow callback to override safety check */ + (void) x509_verify_cert_error(ctx, candidate, depth, + X509_V_ERR_CERT_CHAIN_TOO_LONG, 0); + return 0; + } + + + if (!x509_verify_parent_signature(candidate, cert, cert_md, + &ctx->error)) { + if (!x509_verify_cert_error(ctx, candidate, depth, + ctx->error, 0)) + return 0; + } + + if (!x509_verify_cert_valid(ctx, candidate, current_chain)) + return 0; + + /* candidate is good, add it to a copy of the current chain */ + if ((new_chain = x509_verify_chain_dup(current_chain)) == NULL) { + x509_verify_cert_error(ctx, candidate, depth, + X509_V_ERR_OUT_OF_MEM, 0); + return 0; + } + if (!x509_verify_chain_append(new_chain, candidate, &ctx->error)) { + x509_verify_cert_error(ctx, candidate, depth, + ctx->error, 0); + x509_verify_chain_free(new_chain); + return 0; + } + + /* + * If candidate is a trusted root, we have a validated chain, + * so we save it. Otherwise, recurse until we find a root or + * give up. 
+ */ + if (is_root_cert) { + if (!x509_verify_ctx_set_xsc_chain(ctx, new_chain)) { + x509_verify_chain_free(new_chain); + return 0; + } + if (x509_verify_cert_error(ctx, candidate, depth, X509_V_OK, 1)) { + (void) x509_verify_ctx_add_chain(ctx, new_chain); + goto done; + } + } + + x509_verify_build_chains(ctx, candidate, new_chain); + + done: + x509_verify_chain_free(new_chain); + return 1; +} + +static int +x509_verify_cert_error(struct x509_verify_ctx *ctx, X509 *cert, size_t depth, + int error, int ok) +{ + ctx->error = error; + ctx->error_depth = depth; + if (ctx->xsc != NULL) { + ctx->xsc->error = error; + ctx->xsc->error_depth = depth; + ctx->xsc->current_cert = cert; + return ctx->xsc->verify_cb(ok, ctx->xsc); + } + return ok; +} + +static void +x509_verify_build_chains(struct x509_verify_ctx *ctx, X509 *cert, + struct x509_verify_chain *current_chain) +{ + unsigned char cert_md[EVP_MAX_MD_SIZE] = { 0 }; + X509 *candidate; + int i, depth, count; + + depth = sk_X509_num(current_chain->certs); + if (depth > 0) + depth--; + + if (depth >= ctx->max_depth && + !x509_verify_cert_error(ctx, cert, depth, + X509_V_ERR_CERT_CHAIN_TOO_LONG, 0)) + return; + + if (!X509_digest(cert, X509_VERIFY_CERT_HASH, cert_md, NULL) && + !x509_verify_cert_error(ctx, cert, depth, + X509_V_ERR_UNSPECIFIED, 0)) + return; + + count = ctx->chains_count; + ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY; + ctx->error_depth = depth; + + for (i = 0; i < sk_X509_num(ctx->roots); i++) { + candidate = sk_X509_value(ctx->roots, i); + if (x509_verify_potential_parent(ctx, candidate, cert)) { + x509_verify_consider_candidate(ctx, cert, + cert_md, 1, candidate, current_chain); + } + } + + if (ctx->intermediates != NULL) { + for (i = 0; i < sk_X509_num(ctx->intermediates); i++) { + candidate = sk_X509_value(ctx->intermediates, i); + if (x509_verify_potential_parent(ctx, candidate, cert)) { + x509_verify_consider_candidate(ctx, cert, + cert_md, 0, candidate, current_chain); + } + } + } + if 
(ctx->chains_count > count) { + if (ctx->xsc != NULL) { + ctx->xsc->error = X509_V_OK; + ctx->xsc->error_depth = depth; + ctx->xsc->current_cert = cert; + (void) ctx->xsc->verify_cb(1, ctx->xsc); + } + } else if (ctx->error_depth == depth) { + (void) x509_verify_cert_error(ctx, cert, depth, + ctx->error, 0); + } +} + +static int +x509_verify_cert_hostname(struct x509_verify_ctx *ctx, X509 *cert, char *name) +{ + char *candidate; + size_t len; + + if (name == NULL) { + if (ctx->xsc != NULL) + return x509_vfy_check_id(ctx->xsc); + return 1; + } + if ((candidate = strdup(name)) == NULL) { + ctx->error = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if ((len = strlen(candidate)) < 1) { + ctx->error = X509_V_ERR_UNSPECIFIED; /* XXX */ + goto err; + } + + /* IP addresses may be written in [ ]. */ + if (candidate[0] == '[' && candidate[len - 1] == ']') { + candidate[len - 1] = '\0'; + if (X509_check_ip_asc(cert, candidate + 1, 0) <= 0) { + ctx->error = X509_V_ERR_IP_ADDRESS_MISMATCH; + goto err; + } + } else { + int flags = 0; + + if (ctx->xsc == NULL) + flags = X509_CHECK_FLAG_NEVER_CHECK_SUBJECT; + + if (X509_check_host(cert, candidate, len, flags, NULL) <= 0) { + ctx->error = X509_V_ERR_HOSTNAME_MISMATCH; + goto err; + } + } + free(candidate); + return 1; + err: + free(candidate); + return x509_verify_cert_error(ctx, cert, 0, ctx->error, 0); +} + +static int +x509_verify_set_check_time(struct x509_verify_ctx *ctx) { + if (ctx->xsc != NULL) { + if (ctx->xsc->param->flags & X509_V_FLAG_USE_CHECK_TIME) { + ctx->check_time = &ctx->xsc->param->check_time; + return 1; + } + if (ctx->xsc->param->flags & X509_V_FLAG_NO_CHECK_TIME) + return 0; + } + + ctx->check_time = NULL; + return 1; +} + +int +x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, int notafter) +{ + int type; + + memset(tm, 0, sizeof(*tm)); + + type = ASN1_time_parse(atime->data, atime->length, tm, atime->type); + if (type == -1) + return 0; + + /* RFC 5280 section 4.1.2.5 */ + if (tm->tm_year < 150 
&& type != V_ASN1_UTCTIME) + return 0; + if (tm->tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME) + return 0; + + if (notafter) { + /* + * If we are a completely broken operating system with a + * 32 bit time_t, and we have been told this is a notafter + * date, limit the date to a 32 bit representable value. + */ + if (!ASN1_time_tm_clamp_notafter(tm)) + return 0; + } + + /* + * Defensively fail if the time string is not representable as + * a time_t. A time_t must be sane if you care about times after + * Jan 19 2038. + */ + if (timegm(tm) == -1) + return 0; + + return 1; +} + +static int +x509_verify_cert_time(int is_notafter, const ASN1_TIME *cert_asn1, + time_t *cmp_time, int *error) +{ + struct tm cert_tm, when_tm; + time_t when; + + if (cmp_time == NULL) + when = time(NULL); + else + when = *cmp_time; + + if (!x509_verify_asn1_time_to_tm(cert_asn1, &cert_tm, + is_notafter)) { + *error = is_notafter ? + X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD : + X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD; + return 0; + } + + if (gmtime_r(&when, &when_tm) == NULL) { + *error = X509_V_ERR_UNSPECIFIED; + return 0; + } + + if (is_notafter) { + if (ASN1_time_tm_cmp(&cert_tm, &when_tm) == -1) { + *error = X509_V_ERR_CERT_HAS_EXPIRED; + return 0; + } + } else { + if (ASN1_time_tm_cmp(&cert_tm, &when_tm) == 1) { + *error = X509_V_ERR_CERT_NOT_YET_VALID; + return 0; + } + } + + return 1; +} + +static int +x509_verify_validate_constraints(X509 *cert, + struct x509_verify_chain *current_chain, int *error) +{ + struct x509_constraints_names *excluded = NULL; + struct x509_constraints_names *permitted = NULL; + int err = X509_V_ERR_UNSPECIFIED; + + if (current_chain == NULL) + return 1; + + if (cert->nc != NULL) { + if ((permitted = x509_constraints_names_new()) == NULL) { + err = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if ((excluded = x509_constraints_names_new()) == NULL) { + err = X509_V_ERR_OUT_OF_MEM; + goto err; + } + if (!x509_constraints_extract_constraints(cert, + permitted, 
excluded, &err)) + goto err; + if (!x509_constraints_check(current_chain->names, + permitted, excluded, &err)) + goto err; + x509_constraints_names_free(excluded); + x509_constraints_names_free(permitted); + } + + return 1; + err: + *error = err; + x509_constraints_names_free(excluded); + x509_constraints_names_free(permitted); + return 0; +} + +static int +x509_verify_cert_extensions(struct x509_verify_ctx *ctx, X509 *cert, int need_ca) +{ + if (!(cert->ex_flags & EXFLAG_SET)) { + CRYPTO_w_lock(CRYPTO_LOCK_X509); + x509v3_cache_extensions(cert); + CRYPTO_w_unlock(CRYPTO_LOCK_X509); + } + + if (ctx->xsc != NULL) + return 1; /* legacy is checked after chain is built */ + + if (cert->ex_flags & EXFLAG_CRITICAL) { + ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; + return 0; + } + /* No we don't care about v1, netscape, and other ancient silliness */ + if (need_ca && (!(cert->ex_flags & EXFLAG_BCONS) && + (cert->ex_flags & EXFLAG_CA))) { + ctx->error = X509_V_ERR_INVALID_CA; + return 0; + } + if (ctx->purpose > 0 && X509_check_purpose(cert, ctx->purpose, need_ca)) { + ctx->error = X509_V_ERR_INVALID_PURPOSE; + return 0; + } + + /* XXX support proxy certs later in new api */ + if (ctx->xsc == NULL && cert->ex_flags & EXFLAG_PROXY) { + ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; + return 0; + } + + return 1; +} + +/* Validate that cert is a possible candidate to append to current_chain */ +static int +x509_verify_cert_valid(struct x509_verify_ctx *ctx, X509 *cert, + struct x509_verify_chain *current_chain) +{ + X509 *issuer_candidate; + int should_be_ca = current_chain != NULL; + size_t depth = 0; + + if (current_chain != NULL) + depth = sk_X509_num(current_chain->certs); + + if (!x509_verify_cert_extensions(ctx, cert, should_be_ca)) + return 0; + + if (should_be_ca) { + issuer_candidate = x509_verify_chain_last(current_chain); + if (issuer_candidate != NULL && + !X509_check_issued(issuer_candidate, cert)) + if (!x509_verify_cert_error(ctx, cert, 
depth, + X509_V_ERR_SUBJECT_ISSUER_MISMATCH, 0)) + return 0; + } + + if (x509_verify_set_check_time(ctx)) { + if (!x509_verify_cert_time(0, X509_get_notBefore(cert), + ctx->check_time, &ctx->error)) { + if (!x509_verify_cert_error(ctx, cert, depth, + ctx->error, 0)) + return 0; + } + + if (!x509_verify_cert_time(1, X509_get_notAfter(cert), + ctx->check_time, &ctx->error)) { + if (!x509_verify_cert_error(ctx, cert, depth, + ctx->error, 0)) + return 0; + } + } + + if (!x509_verify_validate_constraints(cert, current_chain, + &ctx->error) && !x509_verify_cert_error(ctx, cert, depth, + ctx->error, 0)) + return 0; + + return 1; +} + +struct x509_verify_ctx * +x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc, STACK_OF(X509) *roots) +{ + struct x509_verify_ctx *ctx; + size_t max_depth; + + if (xsc == NULL) + return NULL; + + if ((ctx = x509_verify_ctx_new(roots)) == NULL) + return NULL; + + ctx->xsc = xsc; + + if (xsc->untrusted && + (ctx->intermediates = X509_chain_up_ref(xsc->untrusted)) == NULL) + goto err; + + max_depth = X509_VERIFY_MAX_CHAIN_CERTS; + if (xsc->param->depth > 0 && xsc->param->depth < X509_VERIFY_MAX_CHAIN_CERTS) + max_depth = xsc->param->depth; + if (!x509_verify_ctx_set_max_depth(ctx, max_depth)) + goto err; + + return ctx; + err: + x509_verify_ctx_free(ctx); + return NULL; +} + +/* Public API */ + +struct x509_verify_ctx * +x509_verify_ctx_new(STACK_OF(X509) *roots) +{ + struct x509_verify_ctx *ctx; + + if (roots == NULL) + return NULL; + + if ((ctx = calloc(1, sizeof(struct x509_verify_ctx))) == NULL) + return NULL; + + if ((ctx->roots = X509_chain_up_ref(roots)) == NULL) + goto err; + + ctx->max_depth = X509_VERIFY_MAX_CHAIN_CERTS; + ctx->max_chains = X509_VERIFY_MAX_CHAINS; + ctx->max_sigs = X509_VERIFY_MAX_SIGCHECKS; + + if ((ctx->chains = calloc(X509_VERIFY_MAX_CHAINS, + sizeof(*ctx->chains))) == NULL) + goto err; + + return ctx; + err: + x509_verify_ctx_free(ctx); + return NULL; +} + +void +x509_verify_ctx_free(struct x509_verify_ctx *ctx) +{ + 
if (ctx == NULL) + return; + sk_X509_pop_free(ctx->roots, X509_free); + x509_verify_ctx_clear(ctx); + free(ctx); +} + +int +x509_verify_ctx_set_max_depth(struct x509_verify_ctx *ctx, size_t max) +{ + if (max < 1 || max > X509_VERIFY_MAX_CHAIN_CERTS) + return 0; + ctx->max_depth = max; + return 1; +} + +int +x509_verify_ctx_set_max_chains(struct x509_verify_ctx *ctx, size_t max) +{ + if (max < 1 || max > X509_VERIFY_MAX_CHAINS) + return 0; + ctx->max_chains = max; + return 1; +} + +int +x509_verify_ctx_set_max_signatures(struct x509_verify_ctx *ctx, size_t max) +{ + if (max < 1 || max > 100000) + return 0; + ctx->max_sigs = max; + return 1; +} + +int +x509_verify_ctx_set_purpose(struct x509_verify_ctx *ctx, int purpose) +{ + if (purpose < X509_PURPOSE_MIN || purpose > X509_PURPOSE_MAX) + return 0; + ctx->purpose = purpose; + return 1; +} + +int +x509_verify_ctx_set_intermediates(struct x509_verify_ctx *ctx, + STACK_OF(X509) *intermediates) +{ + if ((ctx->intermediates = X509_chain_up_ref(intermediates)) == NULL) + return 0; + return 1; +} + +const char * +x509_verify_ctx_error_string(struct x509_verify_ctx *ctx) +{ + return X509_verify_cert_error_string(ctx->error); +} + +size_t +x509_verify_ctx_error_depth(struct x509_verify_ctx *ctx) +{ + return ctx->error_depth; +} + +STACK_OF(X509) * +x509_verify_ctx_chain(struct x509_verify_ctx *ctx, size_t i) +{ + if (i >= ctx->chains_count) + return NULL; + return ctx->chains[i]->certs; +} + +size_t +x509_verify(struct x509_verify_ctx *ctx, X509 *leaf, char *name) +{ + struct x509_verify_chain *current_chain; + + if (ctx->roots == NULL || ctx->max_depth == 0) { + ctx->error = X509_V_ERR_INVALID_CALL; + return 0; + } + + if (ctx->xsc != NULL) { + if (leaf != NULL || name != NULL) { + ctx->error = X509_V_ERR_INVALID_CALL; + return 0; + } + leaf = ctx->xsc->cert; + + /* + * XXX + * The legacy code expects the top level cert to be + * there, even if we didn't find a chain. 
So put it + * there, we will clobber it later if we find a valid + * chain. + */ + if ((ctx->xsc->chain = sk_X509_new_null()) == NULL) { + ctx->error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + if (!X509_up_ref(leaf)) { + ctx->error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + if (!sk_X509_push(ctx->xsc->chain, leaf)) { + X509_free(leaf); + ctx->error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + ctx->xsc->error_depth = 0; + ctx->xsc->current_cert = leaf; + } + + if (!x509_verify_cert_valid(ctx, leaf, NULL)) + return 0; + + if (!x509_verify_cert_hostname(ctx, leaf, name)) + return 0; + + if ((current_chain = x509_verify_chain_new()) == NULL) { + ctx->error = X509_V_ERR_OUT_OF_MEM; + return 0; + } + if (!x509_verify_chain_append(current_chain, leaf, &ctx->error)) { + x509_verify_chain_free(current_chain); + return 0; + } + if (x509_verify_ctx_cert_is_root(ctx, leaf)) + x509_verify_ctx_add_chain(ctx, current_chain); + else + x509_verify_build_chains(ctx, leaf, current_chain); + + x509_verify_chain_free(current_chain); + + /* + * Safety net: + * We could not find a validated chain, and for some reason do not + * have an error set. + */ + if (ctx->chains_count == 0 && ctx->error == 0) + ctx->error = X509_V_ERR_UNSPECIFIED; + + /* Clear whatever errors happened if we have any validated chain */ + if (ctx->chains_count > 0) + ctx->error = X509_V_OK; + + if (ctx->xsc != NULL) { + ctx->xsc->error = ctx->error; + return ctx->xsc->verify_cb(ctx->chains_count, ctx->xsc); + } + return (ctx->chains_count); +} diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c index c8ccae5..fe1431c 100644 --- a/crypto/x509/x509_vfy.c +++ b/crypto/x509/x509_vfy.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.c,v 1.68 2018/02/22 17:11:30 jsing Exp $ */ +/* $OpenBSD: x509_vfy.c,v 1.81 2020/09/26 02:06:28 deraadt Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -75,7 +75,9 @@ #include #include "asn1_locl.h" #include "vpm_int.h" +#include "x509_internal.h" #include "x509_lcl.h" +#include "x509_internal.h" /* CRL score values */ @@ -117,12 +119,13 @@ static int null_callback(int ok, X509_STORE_CTX *e); static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer); -static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x); +static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, + int allow_expired); static int check_chain_extensions(X509_STORE_CTX *ctx); static int check_name_constraints(X509_STORE_CTX *ctx); static int check_trust(X509_STORE_CTX *ctx); static int check_revocation(X509_STORE_CTX *ctx); -static int check_cert(X509_STORE_CTX *ctx); +static int check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth); static int check_policy(X509_STORE_CTX *ctx); static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer, @@ -142,6 +145,7 @@ static int X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int clamp_notafter); static int internal_verify(X509_STORE_CTX *ctx); +static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x); int ASN1_time_tm_clamp_notafter(struct tm *tm); @@ -159,7 +163,7 @@ x509_subject_cmp(X509 **a, X509 **b) } #endif -/* Return 1 is a certificate is self signed */ +/* Return 1 if a certificate is self signed */ static int cert_self_signed(X509 *x) { @@ -182,10 +186,10 @@ check_id_error(X509_STORE_CTX *ctx, int errcode) static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id) { - size_t i; - size_t n = sk_OPENSSL_STRING_num(id->hosts); + size_t i, n; char *name; + n = sk_OPENSSL_STRING_num(id->hosts); free(id->peername); id->peername = NULL; 
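Review bot: `#include "x509_internal.h"` is added twice in this hunk, once before and once after `#include "x509_lcl.h"`; the second copy should be dropped so the include list stays one line per header. If the header carries an include guard the duplicate is harmless at compile time, but it is noise that will confuse the next reconciliation of this file against upstream.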
@@ -222,7 +226,21 @@ check_id(X509_STORE_CTX *ctx) } int -X509_verify_cert(X509_STORE_CTX *ctx) +x509_vfy_check_id(X509_STORE_CTX *ctx) { + return check_id(ctx); +} + +/* + * This is the effectively broken legacy OpenSSL chain builder. It + * might find an unvalidated chain and leave it sitting in + * ctx->chain. It does not correctly handle many cases where multiple + * chains could exist. + * + * Oh no.. I know a dirty word... + * Oooooooh.. + */ +static int +X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad) { X509 *x, *xtmp, *xtmp2, *chain_ss = NULL; int bad_chain = 0; @@ -232,30 +250,6 @@ X509_verify_cert(X509_STORE_CTX *ctx) int (*cb) (int xok, X509_STORE_CTX *xctx); STACK_OF(X509) *sktmp = NULL; - if (ctx->cert == NULL) { - X509error(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); - ctx->error = X509_V_ERR_INVALID_CALL; - return -1; - } - if (ctx->chain != NULL) { - /* - * This X509_STORE_CTX has already been used to verify - * a cert. We cannot do another one. - */ - X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - ctx->error = X509_V_ERR_INVALID_CALL; - return -1; - } - if (ctx->error != X509_V_ERR_INVALID_CALL) { - /* - * This X509_STORE_CTX has not been properly initialized. - */ - X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); - ctx->error = X509_V_ERR_INVALID_CALL; - return -1; - } - ctx->error = X509_V_OK; /* Initialize to OK */ - cb = ctx->verify_cb; /* 
@@ -315,7 +309,25 @@ X509_verify_cert(X509_STORE_CTX *ctx) } /* If we were passed a cert chain, use it first */ if (ctx->untrusted != NULL) { - xtmp = find_issuer(ctx, sktmp, x); + /* + * If we do not find a non-expired untrusted cert, peek + * ahead and see if we can satisify this from the trusted + * store. If not, see if we have an expired untrusted cert. + */ + xtmp = find_issuer(ctx, sktmp, x, 0); + if (xtmp == NULL && + !(ctx->param->flags & X509_V_FLAG_TRUSTED_FIRST)) { + ok = ctx->get_issuer(&xtmp, ctx, x); + if (ok < 0) { + ctx->error = X509_V_ERR_STORE_LOOKUP; + goto end; + } + if (ok > 0) { + X509_free(xtmp); + break; + } + xtmp = find_issuer(ctx, sktmp, x, 1); + } if (xtmp != NULL) { if (!sk_X509_push(ctx->chain, xtmp)) { X509error(ERR_R_MALLOC_FAILURE); @@ -487,9 +499,10 @@ X509_verify_cert(X509_STORE_CTX *ctx) ctx->current_cert = x; } else { if (!sk_X509_push(ctx->chain, chain_ss)) { - X509_free(chain_ss); X509error(ERR_R_MALLOC_FAILURE); - return 0; + ctx->error = X509_V_ERR_OUT_OF_MEM; + ok = 0; + goto end; } num++; ctx->last_untrusted = num; @@ -504,6 +517,23 @@ X509_verify_cert(X509_STORE_CTX *ctx) if (!ok) goto end; } + end: + sk_X509_free(sktmp); + X509_free(chain_ss); + *bad = bad_chain; + return ok; +} + +static int +X509_verify_cert_legacy(X509_STORE_CTX *ctx) +{ + int ok = 0, bad_chain; + + ctx->error = X509_V_OK; /* Initialize to OK */ + + ok = X509_verify_cert_legacy_build_chain(ctx, &bad_chain); + if (!ok) + goto end; /* We have the chain complete: now we need to check its purpose */ ok = check_chain_extensions(ctx); @@ -518,6 +548,7 @@ X509_verify_cert(X509_STORE_CTX *ctx) ok = check_id(ctx); if (!ok) goto end; + /* * Check revocation status: we do this after copying parameters because * they may be needed for CRL signature verification. 
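Review bot: A negative return from `ctx->get_issuer()` in the peek-ahead becomes `ok = -1` and is passed through `end:` as the return value of `X509_verify_cert_legacy_build_chain`, but the caller in the `@@ -504` hunk tests it with `if (!ok) goto end;`, so a store lookup failure (`X509_V_ERR_STORE_LOOKUP`) falls through into `check_chain_extensions()` with a partial chain instead of aborting. Changing the caller to `if (ok <= 0) goto end;` keeps the `-1` convention the old `X509_verify_cert` returned on this path. Whether other lookup paths inside the build loop (outside these hunks) can also leave `ok` negative at `end:` I cannot see, so they should be checked too. On the normal fall-through to `end:` the value of `ok` is whatever the last assignment before the closing brace left in it, which the hunk does not show; an explicit `ok = 1;` immediately before `end:` would make the success contract self-evident.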
@@ -539,21 +570,131 @@ X509_verify_cert(X509_STORE_CTX *ctx) ok = ctx->check_policy(ctx); end: - if (sktmp != NULL) - sk_X509_free(sktmp); - X509_free(chain_ss); - /* Safety net, error returns must set ctx->error */ if (ok <= 0 && ctx->error == X509_V_OK) ctx->error = X509_V_ERR_UNSPECIFIED; + return ok; } +int +X509_verify_cert(X509_STORE_CTX *ctx) +{ + STACK_OF(X509) *roots = NULL; + struct x509_verify_ctx *vctx = NULL; + int chain_count = 0; + + if (ctx->cert == NULL) { + X509error(X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); + ctx->error = X509_V_ERR_INVALID_CALL; + return -1; + } + if (ctx->chain != NULL) { + /* + * This X509_STORE_CTX has already been used to verify + * a cert. We cannot do another one. + */ + X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + ctx->error = X509_V_ERR_INVALID_CALL; + return -1; + } + if (ctx->param->id->poisoned) { + /* + * This X509_STORE_CTX had failures setting + * up verify parameters. We can not use it. + */ + X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + ctx->error = X509_V_ERR_INVALID_CALL; + return -1; + } + if (ctx->error != X509_V_ERR_INVALID_CALL) { + /* + * This X509_STORE_CTX has not been properly initialized. + */ + X509error(ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + ctx->error = X509_V_ERR_INVALID_CALL; + return -1; + } + + /* + * If flags request legacy, use the legacy verifier. If we + * requested "no alt chains" from the age of hammer pants, use + * the legacy verifier because the multi chain verifier really + * does find all the "alt chains". + * + * XXX deprecate the NO_ALT_CHAINS flag? + */ + if ((ctx->param->flags & X509_V_FLAG_LEGACY_VERIFY) || + (ctx->param->flags & X509_V_FLAG_NO_ALT_CHAINS)) + return X509_verify_cert_legacy(ctx); + + /* Use the modern multi-chain verifier from x509_verify_cert */ + + /* Find our trusted roots */ + ctx->error = X509_V_ERR_OUT_OF_MEM; + + if (ctx->get_issuer == get_issuer_sk) { + /* + * We are using the trusted stack method. 
so + * the roots are in the aptly named "ctx->other_ctx" + * pointer. (It could have been called "al") + */ + if ((roots = X509_chain_up_ref(ctx->other_ctx)) == NULL) + return -1; + } else { + /* + * We have a X509_STORE and need to pull out the roots. + * Don't look Ethel... + */ + STACK_OF(X509_OBJECT) *objs; + size_t i, good = 1; + + if ((roots = sk_X509_new_null()) == NULL) + return -1; + + CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); + if ((objs = X509_STORE_get0_objects(ctx->ctx)) == NULL) + good = 0; + for (i = 0; good && i < sk_X509_OBJECT_num(objs); i++) { + X509_OBJECT *obj; + X509 *root; + obj = sk_X509_OBJECT_value(objs, i); + if (obj->type != X509_LU_X509) + continue; + root = obj->data.x509; + if (X509_up_ref(root) == 0) + good = 0; + if (sk_X509_push(roots, root) == 0) { + X509_free(root); + good = 0; + } + } + CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); + + if (!good) { + sk_X509_pop_free(roots, X509_free); + return -1; + } + } + + if ((vctx = x509_verify_ctx_new_from_xsc(ctx, roots)) != NULL) { + ctx->error = X509_V_OK; /* Initialize to OK */ + chain_count = x509_verify(vctx, NULL, NULL); + } + + sk_X509_pop_free(roots, X509_free); + x509_verify_ctx_free(vctx); + + /* if we succeed we have a chain in ctx->chain */ + return (chain_count > 0 && ctx->chain != NULL); +} + /* Given a STACK_OF(X509) find the issuer of cert (if any) */ static X509 * -find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) +find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x, + int allow_expired) { int i; X509 *issuer, *rv = NULL; @@ -561,9 +702,10 @@ find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x) for (i = 0; i < sk_X509_num(sk); i++) { issuer = sk_X509_value(sk, i); if (ctx->check_issued(ctx, x, issuer)) { - rv = issuer; - if (x509_check_cert_time(ctx, rv, -1)) - break; + if (x509_check_cert_time(ctx, issuer, -1)) + return issuer; + if (allow_expired) + rv = issuer; } } return rv; 
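Review bot: In the root-collection loop of `X509_verify_cert`, a failed `X509_up_ref(root)` only sets `good = 0` and then still pushes `root` onto `roots`; if that push succeeds the stack holds a pointer with no reference of its own, and the `sk_X509_pop_free(roots, X509_free)` that follows drops a reference the store still owns. The loop should stop before the push, e.g. `if (X509_up_ref(root) == 0) { good = 0; break; }`, and the existing `!good` cleanup then handles it. Separately, `chain_count` is a misleading name: when `ctx->xsc` is set, `x509_verify()` (in the x509_verify.c hunk) returns the result of `ctx->xsc->verify_cb(ctx->chains_count, ctx->xsc)`, so the value is the callback's verdict rather than a count; a comment such as `/* with an xsc attached, x509_verify returns the verify_cb result */` or renaming it to `ok` would save the next reader a detour.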
@@ -594,7 +736,7 @@ check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer) static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) { - *issuer = find_issuer(ctx, ctx->other_ctx, x); + *issuer = find_issuer(ctx, ctx->other_ctx, x, 1); if (*issuer) { CRYPTO_add(&(*issuer)->references, 1, CRYPTO_LOCK_X509); return 1; @@ -606,8 +748,8 @@ get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x) * with the supplied purpose */ -static int -check_chain_extensions(X509_STORE_CTX *ctx) +int +x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx) { #ifdef OPENSSL_NO_CHAIN_VERIFY return 1; @@ -749,36 +891,19 @@ end: #endif } +static int +check_chain_extensions(X509_STORE_CTX *ctx) { + return x509_vfy_check_chain_extensions(ctx); +} + static int check_name_constraints(X509_STORE_CTX *ctx) { - X509 *x; - int i, j, rv; - - /* Check name constraints for all certificates */ - for (i = sk_X509_num(ctx->chain) - 1; i >= 0; i--) { - x = sk_X509_value(ctx->chain, i); - /* Ignore self issued certs unless last in chain */ - if (i && (x->ex_flags & EXFLAG_SI)) - continue; - /* Check against constraints for all certificates higher in - * chain including trust anchor. Trust anchor not strictly - * speaking needed but if it includes constraints it is to be - * assumed it expects them to be obeyed. - */ - for (j = sk_X509_num(ctx->chain) - 1; j > i; j--) { - NAME_CONSTRAINTS *nc = sk_X509_value(ctx->chain, j)->nc; - if (nc) { - rv = NAME_CONSTRAINTS_check(x, nc); - if (rv != X509_V_OK) { - ctx->error = rv; - ctx->error_depth = i; - ctx->current_cert = x; - if (!ctx->verify_cb(0, ctx)) - return 0; - } - } - } + if (!x509_constraints_chain(ctx->chain, &ctx->error, + &ctx->error_depth)) { + ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth); + if (!ctx->verify_cb(0, ctx)) + return 0; } return 1; } 
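Review bot: The rewritten `check_name_constraints` sets `ctx->current_cert` from `ctx->error_depth` after `x509_constraints_chain()` fails, so it relies on that helper storing a valid chain index on every failure path, including allocation failures; the helper is not in this diff, so if it can fail without touching `error_depth`, `sk_X509_value` is handed a stale depth. A comment on the call, `/* x509_constraints_chain sets error and error_depth on every failure */`, would record the contract the caller now depends on. On style: `check_chain_extensions(X509_STORE_CTX *ctx) {` in this hunk and `int x509_vfy_check_trust(X509_STORE_CTX *ctx)` in the `@@ -866` hunk on the next line put the brace and the return type on the signature line, while the neighbouring wrappers (`x509_vfy_check_revocation`, `x509_vfy_check_policy`) follow the file's KNF layout with the return type and brace on their own lines.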
@@ -866,6 +991,11 @@ static int check_trust(X509_STORE_CTX *ctx) return X509_TRUST_UNTRUSTED; } +int x509_vfy_check_trust(X509_STORE_CTX *ctx) +{ + return check_trust(ctx); +} + static int check_revocation(X509_STORE_CTX *ctx) { @@ -882,24 +1012,29 @@ check_revocation(X509_STORE_CTX *ctx) last = 0; } for (i = 0; i <= last; i++) { - ctx->error_depth = i; - ok = check_cert(ctx); + ok = check_cert(ctx, ctx->chain, i); if (!ok) return ok; } return 1; } +int +x509_vfy_check_revocation(X509_STORE_CTX *ctx) +{ + return check_revocation(ctx); +} + static int -check_cert(X509_STORE_CTX *ctx) +check_cert(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int depth) { X509_CRL *crl = NULL, *dcrl = NULL; X509 *x; int ok = 0, cnum; unsigned int last_reasons; - cnum = ctx->error_depth; - x = sk_X509_value(ctx->chain, cnum); + cnum = ctx->error_depth = depth; + x = sk_X509_value(chain, cnum); ctx->current_cert = x; ctx->current_issuer = NULL; ctx->current_crl_score = 0; @@ -1529,9 +1664,10 @@ check_crl(X509_STORE_CTX *ctx, X509_CRL *crl) if (ctx->current_issuer) { issuer = ctx->current_issuer; } else if (cnum < chnum) { - /* Else find CRL issuer: if not last certificate then issuer - * is next certificate in chain. - */ + /* + * Else find CRL issuer: if not last certificate then issuer + * is next certificate in chain. + */ issuer = sk_X509_value(ctx->chain, cnum + 1); } else { issuer = sk_X509_value(ctx->chain, chnum); @@ -1651,8 +1787,8 @@ cert_crl(X509_STORE_CTX *ctx, X509_CRL *crl, X509 *x) return 1; } -static int -check_policy(X509_STORE_CTX *ctx) +int +x509_vfy_check_policy(X509_STORE_CTX *ctx) { int ret; @@ -1698,6 +1834,12 @@ check_policy(X509_STORE_CTX *ctx) return 1; } +static int +check_policy(X509_STORE_CTX *ctx) +{ + return x509_vfy_check_policy(ctx); +} + /* * Inform the verify callback of an error. * 
@@ -1747,7 +1889,7 @@ x509_check_cert_time(X509_STORE_CTX *ctx, X509 *x, int depth) X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD)) return 0; if (i > 0 && !verify_cb_cert(ctx, x, depth, - X509_V_ERR_CERT_NOT_YET_VALID)) + X509_V_ERR_CERT_NOT_YET_VALID)) return 0; i = X509_cmp_time_internal(X509_get_notAfter(x), ptime, 1); @@ -1799,16 +1941,16 @@ internal_verify(X509_STORE_CTX *ctx) * certificate and its depth (rather than the depth of * the subject). */ - if (xs != xi || (ctx->param->flags & - X509_V_FLAG_CHECK_SS_SIGNATURE)) { + if (xs != xi || + (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) { EVP_PKEY *pkey; if ((pkey = X509_get_pubkey(xi)) == NULL) { if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n, - X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) + X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY)) return 0; } else if (X509_verify(xs, pkey) <= 0) { if (!verify_cb_cert(ctx, xs, n, - X509_V_ERR_CERT_SIGNATURE_FAILURE)) { + X509_V_ERR_CERT_SIGNATURE_FAILURE)) { EVP_PKEY_free(pkey); return 0; } 
@@ -1860,43 +2002,21 @@ X509_cmp_current_time(const ASN1_TIME *ctm) static int X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int clamp_notafter) { - time_t time1, time2; + time_t compare; struct tm tm1, tm2; int ret = 0; - int type; if (cmp_time == NULL) - time2 = time(NULL); + compare = time(NULL); else - time2 = *cmp_time; + compare = *cmp_time; memset(&tm1, 0, sizeof(tm1)); - type = ASN1_time_parse(ctm->data, ctm->length, &tm1, ctm->type); - if (type == -1) + if (!x509_verify_asn1_time_to_tm(ctm, &tm1, clamp_notafter)) goto out; /* invalid time */ - /* RFC 5280 section 4.1.2.5 */ - if (tm1.tm_year < 150 && type != V_ASN1_UTCTIME) - goto out; - if (tm1.tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME) - goto out; - - if (clamp_notafter) { - /* Allow for completely broken operating systems. */ - if (!ASN1_time_tm_clamp_notafter(&tm1)) - goto out; - } - - /* - * Defensively fail if the time string is not representable as - * a time_t. A time_t must be sane if you care about times after - * Jan 19 2038. - */ - if ((time1 = timegm(&tm1)) == -1) - goto out; - - if (gmtime_r(&time2, &tm2) == NULL) + if (gmtime_r(&compare, &tm2) == NULL) goto out; ret = ASN1_time_tm_cmp(&tm1, &tm2); diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c index 0897137..448ee20 100644 --- a/crypto/x509/x509_vpm.c +++ b/crypto/x509/x509_vpm.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vpm.c,v 1.17 2018/03/22 15:54:46 beck Exp $ */ +/* $OpenBSD: x509_vpm.c,v 1.22 2020/09/14 08:10:04 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2004. */ @@ -125,7 +125,7 @@ sk_deep_copy(void *sk_void, void *copy_func_void, void *free_func_void) } static int -int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode, +x509_param_set_hosts_internal(X509_VERIFY_PARAM_ID *id, int mode, const char *name, size_t namelen) { char *copy; 
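Review bot: `memset(&tm1, 0, sizeof(tm1));` is now redundant in `X509_cmp_time_internal`, because `x509_verify_asn1_time_to_tm()` (see the x509_verify.c hunk) does `memset(tm, 0, sizeof(*tm))` itself before parsing; dropping the line, or leaving a one-line comment that the helper clears the struct, avoids the double initialisation. Removing `time1` is correct here since the helper already rejects times that `timegm()` cannot represent.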
@@ -134,7 +134,6 @@ int_x509_param_set_hosts(X509_VERIFY_PARAM_ID *id, int mode, namelen = strlen(name); /* * Refuse names with embedded NUL bytes. - * XXX: Do we need to push an error onto the error stack? */ if (name && memchr(name, '\0', namelen)) return 0; @@ -197,6 +196,7 @@ x509_verify_param_zero(X509_VERIFY_PARAM *param) free(paramid->ip); paramid->ip = NULL; paramid->iplen = 0; + paramid->poisoned = 0; } X509_VERIFY_PARAM * @@ -367,24 +367,28 @@ X509_VERIFY_PARAM_set1(X509_VERIFY_PARAM *to, const X509_VERIFY_PARAM *from) } static int -int_x509_param_set1(char **pdest, size_t *pdestlen, const char *src, - size_t srclen) +x509_param_set1_internal(char **pdest, size_t *pdestlen, const char *src, + size_t srclen, int nonul) { char *tmp; - if (src) { - if (srclen == 0) { - if ((tmp = strdup(src)) == NULL) - return 0; - srclen = strlen(src); - } else { - if ((tmp = malloc(srclen)) == NULL) - return 0; - memcpy(tmp, src, srclen); - } + + if (src == NULL) + return 0; + + if (srclen == 0) { + srclen = strlen(src); + if (srclen == 0) + return 0; + if ((tmp = strdup(src)) == NULL) + return 0; } else { - tmp = NULL; - srclen = 0; + if (nonul && memchr(src, '\0', srclen)) + return 0; + if ((tmp = malloc(srclen)) == NULL) + return 0; + memcpy(tmp, src, srclen); } + if (*pdest) free(*pdest); *pdest = tmp; @@ -505,14 +509,20 @@ int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, const char *name, size_t namelen) { - return int_x509_param_set_hosts(param->id, SET_HOST, name, namelen); + if (x509_param_set_hosts_internal(param->id, SET_HOST, name, namelen)) + return 1; + param->id->poisoned = 1; + return 0; } int X509_VERIFY_PARAM_add1_host(X509_VERIFY_PARAM *param, const char *name, size_t namelen) { - return int_x509_param_set_hosts(param->id, ADD_HOST, name, namelen); + if (x509_param_set_hosts_internal(param->id, ADD_HOST, name, namelen)) + return 1; + param->id->poisoned = 1; + return 0; } void 
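Review bot: `x509_param_set1_internal` now returns 0 for `src == NULL` and for an empty string, where the old `int_x509_param_set1` treated a NULL `src` as "clear the field" and succeeded; with the new callers in the `@@ -505` hunk a failure also sets `param->id->poisoned = 1`, so a caller that previously used `X509_VERIFY_PARAM_set1_email(param, NULL, 0)` to reset the field now poisons the whole parameter set. Failing closed is the right direction for verification parameters, but the change is not documented anywhere; a comment above the function, `/* NULL or empty src is rejected; callers poison the param so X509_verify_cert refuses it */`, states the contract. If clearing is still meant to be supported it needs its own path rather than `return 0`.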
@@ -531,18 +541,25 @@ int X509_VERIFY_PARAM_set1_email(X509_VERIFY_PARAM *param, const char *email, size_t emaillen) { - return int_x509_param_set1(¶m->id->email, ¶m->id->emaillen, - email, emaillen); + if (x509_param_set1_internal(¶m->id->email, ¶m->id->emaillen, + email, emaillen, 1)) + return 1; + param->id->poisoned = 1; + return 0; } int X509_VERIFY_PARAM_set1_ip(X509_VERIFY_PARAM *param, const unsigned char *ip, size_t iplen) { - if (iplen != 0 && iplen != 4 && iplen != 16) - return 0; - return int_x509_param_set1((char **)¶m->id->ip, ¶m->id->iplen, - (char *)ip, iplen); + if (iplen != 4 && iplen != 16) + goto err; + if (x509_param_set1_internal((char **)¶m->id->ip, ¶m->id->iplen, + (char *)ip, iplen, 0)) + return 1; + err: + param->id->poisoned = 1; + return 0; } int @@ -552,8 +569,6 @@ X509_VERIFY_PARAM_set1_ip_asc(X509_VERIFY_PARAM *param, const char *ipasc) size_t iplen; iplen = (size_t)a2i_ipadd(ipout, ipasc); - if (iplen == 0) - return 0; return X509_VERIFY_PARAM_set1_ip(param, ipout, iplen); } diff --git a/crypto/x509/x509name.c b/crypto/x509/x509name.c index 2ca1a76..3649d6a 100644 --- a/crypto/x509/x509name.c +++ b/crypto/x509/x509name.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509name.c,v 1.15 2018/03/17 15:28:27 tb Exp $ */ +/* $OpenBSD: x509name.c,v 1.26 2018/05/30 15:35:45 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -78,7 +78,7 @@ X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf, int len) } int -X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf, +X509_NAME_get_text_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, char *buf, int len) { int i; @@ -99,7 +99,7 @@ X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, char *buf, } int -X509_NAME_entry_count(X509_NAME *name) +X509_NAME_entry_count(const X509_NAME *name) { if (name == NULL) return (0); 
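Review bot: `X509_VERIFY_PARAM_set1_ip_asc` no longer checks `iplen == 0` before calling `X509_VERIFY_PARAM_set1_ip`, so a failed parse (judging from the removed check, `a2i_ipadd` reports it as 0) now reaches the `iplen != 4 && iplen != 16` test and poisons the parameters via `err:`, which is stricter than the old silent `return 0`. That looks intended, but nothing says so; `/* a bad address yields iplen 0; set1_ip rejects it and poisons the params */` above the call would keep the next maintainer from reinstating the early return.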
@@ -107,7 +107,7 @@ X509_NAME_entry_count(X509_NAME *name) } int -X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos) +X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, int lastpos) { ASN1_OBJECT *obj; @@ -119,7 +119,8 @@ X509_NAME_get_index_by_NID(X509_NAME *name, int nid, int lastpos) /* NOTE: you should be passsing -1, not 0 as lastpos */ int -X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int lastpos) +X509_NAME_get_index_by_OBJ(const X509_NAME *name, const ASN1_OBJECT *obj, + int lastpos) { int n; X509_NAME_ENTRY *ne; @@ -140,7 +141,7 @@ X509_NAME_get_index_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int lastpos) } X509_NAME_ENTRY * -X509_NAME_get_entry(X509_NAME *name, int loc) +X509_NAME_get_entry(const X509_NAME *name, int loc) { if (name == NULL || sk_X509_NAME_ENTRY_num(name->entries) <= loc || loc < 0) @@ -188,8 +189,8 @@ X509_NAME_delete_entry(X509_NAME *name, int loc) } int -X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, - unsigned char *bytes, int len, int loc, int set) +X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, int type, + const unsigned char *bytes, int len, int loc, int set) { X509_NAME_ENTRY *ne; int ret; @@ -204,7 +205,7 @@ X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, - unsigned char *bytes, int len, int loc, int set) + const unsigned char *bytes, int len, int loc, int set) { X509_NAME_ENTRY *ne; int ret; @@ -235,7 +236,8 @@ X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, /* if set is -1, append to previous set, 0 'a new one', and 1, * prepend to the guy we are about to stomp on. */ int -X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc, int set) +X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, + int set) { X509_NAME_ENTRY *new_name = NULL; int n, i, inc; 
@@ -249,17 +251,15 @@ X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc, int set) loc = n; else if (loc < 0) loc = n; - + inc = (set == 0); name->modified = 1; if (set == -1) { if (loc == 0) { set = 0; inc = 1; - } else { + } else set = sk_X509_NAME_ENTRY_value(sk, loc - 1)->set; - inc = 0; - } } else /* if (set >= 0) */ { if (loc >= n) { if (loc != 0) @@ -268,10 +268,10 @@ X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc, int set) set = 0; } else set = sk_X509_NAME_ENTRY_value(sk, loc)->set; - inc = (set == 0) ? 1 : 0; } - if ((new_name = X509_NAME_ENTRY_dup(ne)) == NULL) + /* OpenSSL has ASN1-generated X509_NAME_ENTRY_dup() without const. */ + if ((new_name = X509_NAME_ENTRY_dup((X509_NAME_ENTRY *)ne)) == NULL) goto err; new_name->set = set; if (!sk_X509_NAME_ENTRY_insert(sk, new_name, loc)) { @@ -281,7 +281,7 @@ X509_NAME_add_entry(X509_NAME *name, X509_NAME_ENTRY *ne, int loc, int set) if (inc) { n = sk_X509_NAME_ENTRY_num(sk); for (i = loc + 1; i < n; i++) - sk_X509_NAME_ENTRY_value(sk, i - 1)->set += 1; + sk_X509_NAME_ENTRY_value(sk, i)->set += 1; } return (1); @@ -311,7 +311,7 @@ X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, X509_NAME_ENTRY * X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type, - unsigned char *bytes, int len) + const unsigned char *bytes, int len) { ASN1_OBJECT *obj; X509_NAME_ENTRY *nentry; @@ -327,8 +327,8 @@ X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, int type, } X509_NAME_ENTRY * -X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, ASN1_OBJECT *obj, int type, - const unsigned char *bytes, int len) +X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, const ASN1_OBJECT *obj, + int type, const unsigned char *bytes, int len) { X509_NAME_ENTRY *ret; 
@@ -354,7 +354,7 @@ err: } int -X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, ASN1_OBJECT *obj) +X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, const ASN1_OBJECT *obj) { if ((ne == NULL) || (obj == NULL)) { X509error(ERR_R_PASSED_NULL_PARAMETER); @@ -391,7 +391,7 @@ X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, } ASN1_OBJECT * -X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne) +X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne) { if (ne == NULL) return (NULL); @@ -399,7 +399,7 @@ X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne) } ASN1_STRING * -X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne) +X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne) { if (ne == NULL) return (NULL); diff --git a/crypto/x509/x509rset.c b/crypto/x509/x509rset.c index cfac977..de02a40 100644 --- a/crypto/x509/x509rset.c +++ b/crypto/x509/x509rset.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509rset.c,v 1.6 2014/07/11 08:44:49 jsing Exp $ */ +/* $OpenBSD: x509rset.c,v 1.7 2018/08/24 19:55:58 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -71,6 +71,12 @@ X509_REQ_set_version(X509_REQ *x, long version) return (ASN1_INTEGER_set(x->req_info->version, version)); } +long +X509_REQ_get_version(const X509_REQ *x) +{ + return ASN1_INTEGER_get(x->req_info->version); +} + int X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name) { @@ -79,6 +85,12 @@ X509_REQ_set_subject_name(X509_REQ *x, X509_NAME *name) return (X509_NAME_set(&x->req_info->subject, name)); } +X509_NAME * +X509_REQ_get_subject_name(const X509_REQ *x) +{ + return x->req_info->subject; +} + int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey) { diff --git a/crypto/x509/x509spki.c b/crypto/x509/x509spki.c index 3a1c37c..66bbd1e 100644 --- a/crypto/x509/x509spki.c +++ b/crypto/x509/x509spki.c 
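Review bot: The new `X509_REQ_get_version` and `X509_REQ_get_subject_name` dereference `x->req_info` with no check on `x`; the setters beside them are cut by the hunk, so I cannot see whether they guard `x == NULL`, but the getters should match whichever convention those follow, or state the precondition, e.g. `/* x must be non-NULL */` above each.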
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509spki.c,v 1.13 2017/01/29 17:49:23 beck Exp $ */ +/* $OpenBSD: x509spki.c,v 1.14 2019/05/23 02:08:34 bcook Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -57,6 +57,7 @@ */ #include +#include #include #include diff --git a/crypto/x509/x509type.c b/crypto/x509/x509type.c index d0dcffb..315a5c2 100644 --- a/crypto/x509/x509type.c +++ b/crypto/x509/x509type.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509type.c,v 1.12 2015/06/13 08:38:10 doug Exp $ */ +/* $OpenBSD: x509type.c,v 1.13 2018/05/30 15:59:33 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -63,27 +63,22 @@ #include int -X509_certificate_type(X509 *x, EVP_PKEY *pkey) +X509_certificate_type(const X509 *x, const EVP_PKEY *pkey) { - EVP_PKEY *pk; + const EVP_PKEY *pk = pkey; int ret = 0, i; if (x == NULL) return (0); - if (pkey == NULL) - pk = X509_get_pubkey(x); - else - pk = pkey; - - if (pk == NULL) - return (0); + if (pk == NULL) { + if ((pk = X509_get0_pubkey(x)) == NULL) + return (0); + } switch (pk->type) { case EVP_PKEY_RSA: - ret = EVP_PK_RSA|EVP_PKT_SIGN; -/* if (!sign only extension) */ - ret |= EVP_PKT_ENC; + ret = EVP_PK_RSA|EVP_PKT_SIGN|EVP_PKT_ENC; break; case EVP_PKEY_DSA: ret = EVP_PK_DSA|EVP_PKT_SIGN; @@ -124,7 +119,5 @@ X509_certificate_type(X509 *x, EVP_PKEY *pkey) /* /8 because it's 1024 bits we look for, not bytes */ if (EVP_PKEY_size(pk) <= 1024 / 8) ret |= EVP_PKT_EXP; - if (pkey == NULL) - EVP_PKEY_free(pk); return (ret); } diff --git a/crypto/x509v3/v3err.c b/crypto/x509v3/v3err.c deleted file mode 100644 index a49632a..0000000 --- a/crypto/x509v3/v3err.c +++ /dev/null 
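Review bot: `pk` is now a borrowed pointer from `X509_get0_pubkey()` and the matching `EVP_PKEY_free()` is dropped in the second hunk of this file, so the key's lifetime is tied to `x`; since the previous version owned the key whenever `pkey == NULL`, this change of ownership should be stated next to the `if (pk == NULL)` block: `/* get0: pk is x's own key, not ref-counted, do not free */`. The merged `ret = EVP_PK_RSA|EVP_PKT_SIGN|EVP_PKT_ENC;` also discards the `/* if (!sign only extension) */` reminder that RSA certificates are reported as encryption-capable without consulting key usage; keep that caveat as a comment on the new line so the gap is not forgotten.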
@@ -1,226 +0,0 @@ -/* $OpenBSD: v3err.c,v 1.11 2014/07/10 22:45:58 jsing Exp $ */ -/* ==================================================================== - * Copyright (c) 1999-2007 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* NOTE: this file was auto generated by the mkerr.pl script: any changes - * made to it will be overwritten when the script next updates this file, - * only reason strings will be preserved. 
- */ - -#include - -#include - -#include -#include - -/* BEGIN ERROR CODES */ -#ifndef OPENSSL_NO_ERR - -#define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0) -#define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason) - -static ERR_STRING_DATA X509V3_str_functs[] = { - {ERR_FUNC(X509V3_F_A2I_GENERAL_NAME), "A2I_GENERAL_NAME"}, - {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_CANONIZE), "ASIDENTIFIERCHOICE_CANONIZE"}, - {ERR_FUNC(X509V3_F_ASIDENTIFIERCHOICE_IS_CANONICAL), "ASIDENTIFIERCHOICE_IS_CANONICAL"}, - {ERR_FUNC(X509V3_F_COPY_EMAIL), "COPY_EMAIL"}, - {ERR_FUNC(X509V3_F_COPY_ISSUER), "COPY_ISSUER"}, - {ERR_FUNC(X509V3_F_DO_DIRNAME), "DO_DIRNAME"}, - {ERR_FUNC(X509V3_F_DO_EXT_CONF), "DO_EXT_CONF"}, - {ERR_FUNC(X509V3_F_DO_EXT_I2D), "DO_EXT_I2D"}, - {ERR_FUNC(X509V3_F_DO_EXT_NCONF), "DO_EXT_NCONF"}, - {ERR_FUNC(X509V3_F_DO_I2V_NAME_CONSTRAINTS), "DO_I2V_NAME_CONSTRAINTS"}, - {ERR_FUNC(X509V3_F_GNAMES_FROM_SECTNAME), "GNAMES_FROM_SECTNAME"}, - {ERR_FUNC(X509V3_F_HEX_TO_STRING), "hex_to_string"}, - {ERR_FUNC(X509V3_F_I2S_ASN1_ENUMERATED), "i2s_ASN1_ENUMERATED"}, - {ERR_FUNC(X509V3_F_I2S_ASN1_IA5STRING), "I2S_ASN1_IA5STRING"}, - {ERR_FUNC(X509V3_F_I2S_ASN1_INTEGER), "i2s_ASN1_INTEGER"}, - {ERR_FUNC(X509V3_F_I2V_AUTHORITY_INFO_ACCESS), "I2V_AUTHORITY_INFO_ACCESS"}, - {ERR_FUNC(X509V3_F_NOTICE_SECTION), "NOTICE_SECTION"}, - {ERR_FUNC(X509V3_F_NREF_NOS), "NREF_NOS"}, - {ERR_FUNC(X509V3_F_POLICY_SECTION), "POLICY_SECTION"}, - {ERR_FUNC(X509V3_F_PROCESS_PCI_VALUE), "PROCESS_PCI_VALUE"}, - {ERR_FUNC(X509V3_F_R2I_CERTPOL), "R2I_CERTPOL"}, - {ERR_FUNC(X509V3_F_R2I_PCI), "R2I_PCI"}, - {ERR_FUNC(X509V3_F_S2I_ASN1_IA5STRING), "S2I_ASN1_IA5STRING"}, - {ERR_FUNC(X509V3_F_S2I_ASN1_INTEGER), "s2i_ASN1_INTEGER"}, - {ERR_FUNC(X509V3_F_S2I_ASN1_OCTET_STRING), "s2i_ASN1_OCTET_STRING"}, - {ERR_FUNC(X509V3_F_S2I_ASN1_SKEY_ID), "S2I_ASN1_SKEY_ID"}, - {ERR_FUNC(X509V3_F_S2I_SKEY_ID), "S2I_SKEY_ID"}, - {ERR_FUNC(X509V3_F_SET_DIST_POINT_NAME), "SET_DIST_POINT_NAME"}, - 
{ERR_FUNC(X509V3_F_STRING_TO_HEX), "string_to_hex"}, - {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ASC), "SXNET_add_id_asc"}, - {ERR_FUNC(X509V3_F_SXNET_ADD_ID_INTEGER), "SXNET_add_id_INTEGER"}, - {ERR_FUNC(X509V3_F_SXNET_ADD_ID_ULONG), "SXNET_add_id_ulong"}, - {ERR_FUNC(X509V3_F_SXNET_GET_ID_ASC), "SXNET_get_id_asc"}, - {ERR_FUNC(X509V3_F_SXNET_GET_ID_ULONG), "SXNET_get_id_ulong"}, - {ERR_FUNC(X509V3_F_V2I_ASIDENTIFIERS), "V2I_ASIDENTIFIERS"}, - {ERR_FUNC(X509V3_F_V2I_ASN1_BIT_STRING), "v2i_ASN1_BIT_STRING"}, - {ERR_FUNC(X509V3_F_V2I_AUTHORITY_INFO_ACCESS), "V2I_AUTHORITY_INFO_ACCESS"}, - {ERR_FUNC(X509V3_F_V2I_AUTHORITY_KEYID), "V2I_AUTHORITY_KEYID"}, - {ERR_FUNC(X509V3_F_V2I_BASIC_CONSTRAINTS), "V2I_BASIC_CONSTRAINTS"}, - {ERR_FUNC(X509V3_F_V2I_CRLD), "V2I_CRLD"}, - {ERR_FUNC(X509V3_F_V2I_EXTENDED_KEY_USAGE), "V2I_EXTENDED_KEY_USAGE"}, - {ERR_FUNC(X509V3_F_V2I_GENERAL_NAMES), "v2i_GENERAL_NAMES"}, - {ERR_FUNC(X509V3_F_V2I_GENERAL_NAME_EX), "v2i_GENERAL_NAME_ex"}, - {ERR_FUNC(X509V3_F_V2I_IDP), "V2I_IDP"}, - {ERR_FUNC(X509V3_F_V2I_IPADDRBLOCKS), "V2I_IPADDRBLOCKS"}, - {ERR_FUNC(X509V3_F_V2I_ISSUER_ALT), "V2I_ISSUER_ALT"}, - {ERR_FUNC(X509V3_F_V2I_NAME_CONSTRAINTS), "V2I_NAME_CONSTRAINTS"}, - {ERR_FUNC(X509V3_F_V2I_POLICY_CONSTRAINTS), "V2I_POLICY_CONSTRAINTS"}, - {ERR_FUNC(X509V3_F_V2I_POLICY_MAPPINGS), "V2I_POLICY_MAPPINGS"}, - {ERR_FUNC(X509V3_F_V2I_SUBJECT_ALT), "V2I_SUBJECT_ALT"}, - {ERR_FUNC(X509V3_F_V3_ADDR_VALIDATE_PATH_INTERNAL), "V3_ADDR_VALIDATE_PATH_INTERNAL"}, - {ERR_FUNC(X509V3_F_V3_GENERIC_EXTENSION), "V3_GENERIC_EXTENSION"}, - {ERR_FUNC(X509V3_F_X509V3_ADD1_I2D), "X509V3_add1_i2d"}, - {ERR_FUNC(X509V3_F_X509V3_ADD_VALUE), "X509V3_add_value"}, - {ERR_FUNC(X509V3_F_X509V3_EXT_ADD), "X509V3_EXT_add"}, - {ERR_FUNC(X509V3_F_X509V3_EXT_ADD_ALIAS), "X509V3_EXT_add_alias"}, - {ERR_FUNC(X509V3_F_X509V3_EXT_CONF), "X509V3_EXT_conf"}, - {ERR_FUNC(X509V3_F_X509V3_EXT_I2D), "X509V3_EXT_i2d"}, - {ERR_FUNC(X509V3_F_X509V3_EXT_NCONF), "X509V3_EXT_nconf"}, - 
{ERR_FUNC(X509V3_F_X509V3_GET_SECTION), "X509V3_get_section"}, - {ERR_FUNC(X509V3_F_X509V3_GET_STRING), "X509V3_get_string"}, - {ERR_FUNC(X509V3_F_X509V3_GET_VALUE_BOOL), "X509V3_get_value_bool"}, - {ERR_FUNC(X509V3_F_X509V3_PARSE_LIST), "X509V3_parse_list"}, - {ERR_FUNC(X509V3_F_X509_PURPOSE_ADD), "X509_PURPOSE_add"}, - {ERR_FUNC(X509V3_F_X509_PURPOSE_SET), "X509_PURPOSE_set"}, - {0, NULL} -}; - -static ERR_STRING_DATA X509V3_str_reasons[] = { - {ERR_REASON(X509V3_R_BAD_IP_ADDRESS) , "bad ip address"}, - {ERR_REASON(X509V3_R_BAD_OBJECT) , "bad object"}, - {ERR_REASON(X509V3_R_BN_DEC2BN_ERROR) , "bn dec2bn error"}, - {ERR_REASON(X509V3_R_BN_TO_ASN1_INTEGER_ERROR), "bn to asn1 integer error"}, - {ERR_REASON(X509V3_R_DIRNAME_ERROR) , "dirname error"}, - {ERR_REASON(X509V3_R_DISTPOINT_ALREADY_SET), "distpoint already set"}, - {ERR_REASON(X509V3_R_DUPLICATE_ZONE_ID) , "duplicate zone id"}, - {ERR_REASON(X509V3_R_ERROR_CONVERTING_ZONE), "error converting zone"}, - {ERR_REASON(X509V3_R_ERROR_CREATING_EXTENSION), "error creating extension"}, - {ERR_REASON(X509V3_R_ERROR_IN_EXTENSION) , "error in extension"}, - {ERR_REASON(X509V3_R_EXPECTED_A_SECTION_NAME), "expected a section name"}, - {ERR_REASON(X509V3_R_EXTENSION_EXISTS) , "extension exists"}, - {ERR_REASON(X509V3_R_EXTENSION_NAME_ERROR), "extension name error"}, - {ERR_REASON(X509V3_R_EXTENSION_NOT_FOUND), "extension not found"}, - {ERR_REASON(X509V3_R_EXTENSION_SETTING_NOT_SUPPORTED), "extension setting not supported"}, - {ERR_REASON(X509V3_R_EXTENSION_VALUE_ERROR), "extension value error"}, - {ERR_REASON(X509V3_R_ILLEGAL_EMPTY_EXTENSION), "illegal empty extension"}, - {ERR_REASON(X509V3_R_ILLEGAL_HEX_DIGIT) , "illegal hex digit"}, - {ERR_REASON(X509V3_R_INCORRECT_POLICY_SYNTAX_TAG), "incorrect policy syntax tag"}, - {ERR_REASON(X509V3_R_INVALID_MULTIPLE_RDNS), "invalid multiple rdns"}, - {ERR_REASON(X509V3_R_INVALID_ASNUMBER) , "invalid asnumber"}, - {ERR_REASON(X509V3_R_INVALID_ASRANGE) , "invalid asrange"}, - 
{ERR_REASON(X509V3_R_INVALID_BOOLEAN_STRING), "invalid boolean string"}, - {ERR_REASON(X509V3_R_INVALID_EXTENSION_STRING), "invalid extension string"}, - {ERR_REASON(X509V3_R_INVALID_INHERITANCE), "invalid inheritance"}, - {ERR_REASON(X509V3_R_INVALID_IPADDRESS) , "invalid ipaddress"}, - {ERR_REASON(X509V3_R_INVALID_NAME) , "invalid name"}, - {ERR_REASON(X509V3_R_INVALID_NULL_ARGUMENT), "invalid null argument"}, - {ERR_REASON(X509V3_R_INVALID_NULL_NAME) , "invalid null name"}, - {ERR_REASON(X509V3_R_INVALID_NULL_VALUE) , "invalid null value"}, - {ERR_REASON(X509V3_R_INVALID_NUMBER) , "invalid number"}, - {ERR_REASON(X509V3_R_INVALID_NUMBERS) , "invalid numbers"}, - {ERR_REASON(X509V3_R_INVALID_OBJECT_IDENTIFIER), "invalid object identifier"}, - {ERR_REASON(X509V3_R_INVALID_OPTION) , "invalid option"}, - {ERR_REASON(X509V3_R_INVALID_POLICY_IDENTIFIER), "invalid policy identifier"}, - {ERR_REASON(X509V3_R_INVALID_PROXY_POLICY_SETTING), "invalid proxy policy setting"}, - {ERR_REASON(X509V3_R_INVALID_PURPOSE) , "invalid purpose"}, - {ERR_REASON(X509V3_R_INVALID_SAFI) , "invalid safi"}, - {ERR_REASON(X509V3_R_INVALID_SECTION) , "invalid section"}, - {ERR_REASON(X509V3_R_INVALID_SYNTAX) , "invalid syntax"}, - {ERR_REASON(X509V3_R_ISSUER_DECODE_ERROR), "issuer decode error"}, - {ERR_REASON(X509V3_R_MISSING_VALUE) , "missing value"}, - {ERR_REASON(X509V3_R_NEED_ORGANIZATION_AND_NUMBERS), "need organization and numbers"}, - {ERR_REASON(X509V3_R_NO_CONFIG_DATABASE) , "no config database"}, - {ERR_REASON(X509V3_R_NO_ISSUER_CERTIFICATE), "no issuer certificate"}, - {ERR_REASON(X509V3_R_NO_ISSUER_DETAILS) , "no issuer details"}, - {ERR_REASON(X509V3_R_NO_POLICY_IDENTIFIER), "no policy identifier"}, - {ERR_REASON(X509V3_R_NO_PROXY_CERT_POLICY_LANGUAGE_DEFINED), "no proxy cert policy language defined"}, - {ERR_REASON(X509V3_R_NO_PUBLIC_KEY) , "no public key"}, - {ERR_REASON(X509V3_R_NO_SUBJECT_DETAILS) , "no subject details"}, - {ERR_REASON(X509V3_R_ODD_NUMBER_OF_DIGITS), "odd 
number of digits"}, - {ERR_REASON(X509V3_R_OPERATION_NOT_DEFINED), "operation not defined"}, - {ERR_REASON(X509V3_R_OTHERNAME_ERROR) , "othername error"}, - {ERR_REASON(X509V3_R_POLICY_LANGUAGE_ALREADY_DEFINED), "policy language already defined"}, - {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH) , "policy path length"}, - {ERR_REASON(X509V3_R_POLICY_PATH_LENGTH_ALREADY_DEFINED), "policy path length already defined"}, - {ERR_REASON(X509V3_R_POLICY_SYNTAX_NOT_CURRENTLY_SUPPORTED), "policy syntax not currently supported"}, - {ERR_REASON(X509V3_R_POLICY_WHEN_PROXY_LANGUAGE_REQUIRES_NO_POLICY), "policy when proxy language requires no policy"}, - {ERR_REASON(X509V3_R_SECTION_NOT_FOUND) , "section not found"}, - {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_DETAILS), "unable to get issuer details"}, - {ERR_REASON(X509V3_R_UNABLE_TO_GET_ISSUER_KEYID), "unable to get issuer keyid"}, - {ERR_REASON(X509V3_R_UNKNOWN_BIT_STRING_ARGUMENT), "unknown bit string argument"}, - {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION) , "unknown extension"}, - {ERR_REASON(X509V3_R_UNKNOWN_EXTENSION_NAME), "unknown extension name"}, - {ERR_REASON(X509V3_R_UNKNOWN_OPTION) , "unknown option"}, - {ERR_REASON(X509V3_R_UNSUPPORTED_OPTION) , "unsupported option"}, - {ERR_REASON(X509V3_R_UNSUPPORTED_TYPE) , "unsupported type"}, - {ERR_REASON(X509V3_R_USER_TOO_LONG) , "user too long"}, - {0, NULL} -}; - -#endif - -void -ERR_load_X509V3_strings(void) -{ -#ifndef OPENSSL_NO_ERR - if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL) { - ERR_load_strings(0, X509V3_str_functs); - ERR_load_strings(0, X509V3_str_reasons); - } -#endif -} diff --git a/include/compat/machine/endian.h b/include/compat/machine/endian.h index 5ec39af..4dcb60d 100644 --- a/include/compat/machine/endian.h +++ b/include/compat/machine/endian.h @@ -21,7 +21,7 @@ #define BYTE_ORDER BIG_ENDIAN #endif -#elif defined(__linux__) +#elif defined(__linux__) || defined(__midipix__) #include #elif defined(__sun) || defined(_AIX) || defined(__hpux) 
@@ -37,4 +37,15 @@ #endif +#ifndef __STRICT_ALIGNMENT +#define __STRICT_ALIGNMENT +#if defined(__i386) || defined(__i386__) || \ + defined(__x86_64) || defined(__x86_64__) || \ + defined(__s390__) || defined(__s390x__) || \ + defined(__aarch64__) || \ + ((defined(__arm__) || defined(__arm)) && __ARM_ARCH >= 6) +#undef __STRICT_ALIGNMENT +#endif +#endif + #endif diff --git a/include/compat/netinet/in.h b/include/compat/netinet/in.h index 20e57b8..d1afb27 100644 --- a/include/compat/netinet/in.h +++ b/include/compat/netinet/in.h @@ -8,3 +8,12 @@ #else #include #endif + +#ifndef LIBCRYPTOCOMPAT_NETINET_IN_H +#define LIBCRYPTOCOMPAT_NETINET_IN_H + +#ifdef __ANDROID__ +typedef uint16_t in_port_t; +#endif + +#endif diff --git a/include/compat/pthread.h b/include/compat/pthread.h old mode 100644 new mode 100755 index b2db760..1527d3c --- a/include/compat/pthread.h +++ b/include/compat/pthread.h @@ -3,8 +3,13 @@ * pthread.h compatibility shim */ +#ifndef LIBCRYPTOCOMPAT_PTHREAD_H +#define LIBCRYPTOCOMPAT_PTHREAD_H + #ifdef _WIN32 +#include +#include #include /* @@ -12,6 +17,11 @@ */ #define PTHREAD_ONCE_INIT { INIT_ONCE_STATIC_INIT } +/* + * Static mutex initialization values. + */ +#define PTHREAD_MUTEX_INITIALIZER { .lock = NULL } + /* * Once definitions. */ 
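Review bot: The `__ARM_ARCH >= 6` test silently keeps the strict-alignment default on ARM toolchains that do not define `__ARM_ARCH` (an undefined identifier evaluates to 0 in `#if`), which is the safe direction but easy to misread as "ARMv6+ is always detected". A comment on the `#if` would make the intent explicit: `/* ARM toolchains without __ARM_ARCH stay strict; lifting the restriction is only an optimisation */`. The outer `#ifndef __STRICT_ALIGNMENT` also means a `-D__STRICT_ALIGNMENT` passed by the build wins over the per-architecture `#undef`, which is worth stating in the same comment.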
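Review bot: `typedef uint16_t in_port_t;` under `__ANDROID__` depends on `uint16_t` already being declared by the preceding include and on the Android libc not defining `in_port_t` itself; an identical typedef redeclaration is accepted by C11 but rejected by C99, so if a newer Bionic does provide the type a `-std=c99` build would break. Document the assumption where it is made: `/* older Bionic lacks in_port_t; if the libc defines it, the duplicate typedef is only legal under C11 */`. The new include guard `LIBCRYPTOCOMPAT_NETINET_IN_H` is placed after the system include and so covers only the typedef; if that is deliberate, a one-line comment will stop someone moving it to the top.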
@@ -38,25 +48,62 @@ pthread_once(pthread_once_t *once, void (*cb) (void)) return 0; } -struct pthread { - HANDLE handle; -}; -typedef struct pthread pthread_t; +typedef DWORD pthread_t; static inline pthread_t pthread_self(void) { - pthread_t self; - self.handle = GetCurrentThread(); - return self; + return GetCurrentThreadId(); } static inline int pthread_equal(pthread_t t1, pthread_t t2) { - return t1.handle == t2.handle; + return t1 == t2; +} + +struct pthread_mutex { + volatile LPCRITICAL_SECTION lock; +}; +typedef struct pthread_mutex pthread_mutex_t; +typedef void pthread_mutexattr_t; + +static inline int +pthread_mutex_init(pthread_mutex_t *mutex, const pthread_mutexattr_t *attr) +{ + if ((mutex->lock = malloc(sizeof(CRITICAL_SECTION))) == NULL) + exit(ENOMEM); + InitializeCriticalSection(mutex->lock); + return 0; +} + +static inline int +pthread_mutex_lock(pthread_mutex_t *mutex) +{ + if (mutex->lock == NULL) { + LPCRITICAL_SECTION lcs; + + if ((lcs = malloc(sizeof(CRITICAL_SECTION))) == NULL) + exit(ENOMEM); + InitializeCriticalSection(lcs); + if (InterlockedCompareExchangePointer((PVOID*)&mutex->lock, (PVOID)lcs, NULL) != NULL) { + DeleteCriticalSection(lcs); + free(lcs); + } + } + EnterCriticalSection(mutex->lock); + return 0; +} + +static inline int +pthread_mutex_unlock(pthread_mutex_t *mutex) +{ + LeaveCriticalSection(mutex->lock); + return 0; } #else #include_next #endif + +#endif diff --git a/include/compat/stdlib.h b/include/compat/stdlib.h index cc04856..2eaea24 100644 --- a/include/compat/stdlib.h +++ b/include/compat/stdlib.h @@ -29,10 +29,12 @@ uint32_t arc4random_uniform(uint32_t upper_bound); void freezero(void *ptr, size_t sz); #endif -#ifndef HAVE_REALLOCARRAY -void *reallocarray(void *, size_t, size_t); +#ifndef HAVE_GETPROGNAME +const char * getprogname(void); #endif +void *reallocarray(void *, size_t, size_t); + #ifndef HAVE_RECALLOCARRAY void *recallocarray(void *, size_t, size_t, size_t); #endif 
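Review bot: `exit(ENOMEM)` in `pthread_mutex_init()` and `pthread_mutex_lock()` terminates the host process on a failed `malloc()`; both functions return `int`, and `ENOMEM` is the error POSIX specifies for `pthread_mutex_init()`, so a library shim should report instead of aborting: replace each `exit(ENOMEM);` with `return ENOMEM;` (the lock path then leaves `mutex->lock` NULL so a later attempt can retry). There is also no `pthread_mutex_destroy()`, so the lazily allocated CRITICAL_SECTION (including the one created on first lock of a `PTHREAD_MUTEX_INITIALIZER` mutex from the earlier hunk) is never released, and `pthread_mutex_init()` overwrites `mutex->lock` unconditionally, leaking the previous section on a repeated init. `pthread_mutex_unlock()` on a mutex that was never locked passes a NULL `lock` to `LeaveCriticalSection()`. A short comment on `struct pthread_mutex` would help readers of the initializer macro: `/* lock is NULL until first use; allocated once via InterlockedCompareExchangePointer so static initializers work */`.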
diff --git a/include/compat/sys/_null.h b/include/compat/sys/_null.h new file mode 100644 index 0000000..5d15401 --- /dev/null +++ b/include/compat/sys/_null.h @@ -0,0 +1,18 @@ +/* $OpenBSD: _null.h,v 1.2 2016/09/09 22:07:58 millert Exp $ */ + +/* + * Written by Todd C. Miller, September 9, 2016 + * Public domain. + */ + +#ifndef NULL +#if !defined(__cplusplus) +#define NULL ((void *)0) +#elif __cplusplus >= 201103L +#define NULL nullptr +#elif defined(__GNUG__) +#define NULL __null +#else +#define NULL 0L +#endif +#endif diff --git a/include/compat/sys/queue.h b/include/compat/sys/queue.h new file mode 100644 index 0000000..f28ba89 --- /dev/null +++ b/include/compat/sys/queue.h 
@@ -0,0 +1,536 @@ +/* $OpenBSD: queue.h,v 1.45 2018/07/12 14:22:54 sashan Exp $ */ +/* $NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $ */ + +/* + * Copyright (c) 1991, 1993 + * The Regents of the University of California. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the University nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * @(#)queue.h 8.5 (Berkeley) 8/20/94 + */ + +#ifndef _SYS_QUEUE_H_ +#define _SYS_QUEUE_H_ + +#include + +/* + * This file defines five types of data structures: singly-linked lists, + * lists, simple queues, tail queues and XOR simple queues. 
+ * + * + * A singly-linked list is headed by a single forward pointer. The elements + * are singly linked for minimum space and pointer manipulation overhead at + * the expense of O(n) removal for arbitrary elements. New elements can be + * added to the list after an existing element or at the head of the list. + * Elements being removed from the head of the list should use the explicit + * macro for this purpose for optimum efficiency. A singly-linked list may + * only be traversed in the forward direction. Singly-linked lists are ideal + * for applications with large datasets and few or no removals or for + * implementing a LIFO queue. + * + * A list is headed by a single forward pointer (or an array of forward + * pointers for a hash table header). The elements are doubly linked + * so that an arbitrary element can be removed without a need to + * traverse the list. New elements can be added to the list before + * or after an existing element or at the head of the list. A list + * may only be traversed in the forward direction. + * + * A simple queue is headed by a pair of pointers, one to the head of the + * list and the other to the tail of the list. The elements are singly + * linked to save space, so elements can only be removed from the + * head of the list. New elements can be added to the list before or after + * an existing element, at the head of the list, or at the end of the + * list. A simple queue may only be traversed in the forward direction. + * + * A tail queue is headed by a pair of pointers, one to the head of the + * list and the other to the tail of the list. The elements are doubly + * linked so that an arbitrary element can be removed without a need to + * traverse the list. New elements can be added to the list before or + * after an existing element, at the head of the list, or at the end of + * the list. A tail queue may be traversed in either direction. + * + * An XOR simple queue is used in the same way as a regular simple queue. 
+ * The difference is that the head structure also includes a "cookie" that + * is XOR'd with the queue pointer (first, last or next) to generate the + * real pointer value. + * + * For details on the use of these macros, see the queue(3) manual page. + */ + +#if defined(QUEUE_MACRO_DEBUG) || (defined(_KERNEL) && defined(DIAGNOSTIC)) +#define _Q_INVALID ((void *)-1) +#define _Q_INVALIDATE(a) (a) = _Q_INVALID +#else +#define _Q_INVALIDATE(a) +#endif + +/* + * Singly-linked List definitions. + */ +#define SLIST_HEAD(name, type) \ +struct name { \ + struct type *slh_first; /* first element */ \ +} + +#define SLIST_HEAD_INITIALIZER(head) \ + { NULL } + +#define SLIST_ENTRY(type) \ +struct { \ + struct type *sle_next; /* next element */ \ +} + +/* + * Singly-linked List access methods. + */ +#define SLIST_FIRST(head) ((head)->slh_first) +#define SLIST_END(head) NULL +#define SLIST_EMPTY(head) (SLIST_FIRST(head) == SLIST_END(head)) +#define SLIST_NEXT(elm, field) ((elm)->field.sle_next) + +#define SLIST_FOREACH(var, head, field) \ + for((var) = SLIST_FIRST(head); \ + (var) != SLIST_END(head); \ + (var) = SLIST_NEXT(var, field)) + +#define SLIST_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = SLIST_FIRST(head); \ + (var) && ((tvar) = SLIST_NEXT(var, field), 1); \ + (var) = (tvar)) + +/* + * Singly-linked List functions. 
+ */ +#define SLIST_INIT(head) { \ + SLIST_FIRST(head) = SLIST_END(head); \ +} + +#define SLIST_INSERT_AFTER(slistelm, elm, field) do { \ + (elm)->field.sle_next = (slistelm)->field.sle_next; \ + (slistelm)->field.sle_next = (elm); \ +} while (0) + +#define SLIST_INSERT_HEAD(head, elm, field) do { \ + (elm)->field.sle_next = (head)->slh_first; \ + (head)->slh_first = (elm); \ +} while (0) + +#define SLIST_REMOVE_AFTER(elm, field) do { \ + (elm)->field.sle_next = (elm)->field.sle_next->field.sle_next; \ +} while (0) + +#define SLIST_REMOVE_HEAD(head, field) do { \ + (head)->slh_first = (head)->slh_first->field.sle_next; \ +} while (0) + +#define SLIST_REMOVE(head, elm, type, field) do { \ + if ((head)->slh_first == (elm)) { \ + SLIST_REMOVE_HEAD((head), field); \ + } else { \ + struct type *curelm = (head)->slh_first; \ + \ + while (curelm->field.sle_next != (elm)) \ + curelm = curelm->field.sle_next; \ + curelm->field.sle_next = \ + curelm->field.sle_next->field.sle_next; \ + } \ + _Q_INVALIDATE((elm)->field.sle_next); \ +} while (0) + +/* + * List definitions. + */ +#define LIST_HEAD(name, type) \ +struct name { \ + struct type *lh_first; /* first element */ \ +} + +#define LIST_HEAD_INITIALIZER(head) \ + { NULL } + +#define LIST_ENTRY(type) \ +struct { \ + struct type *le_next; /* next element */ \ + struct type **le_prev; /* address of previous next element */ \ +} + +/* + * List access methods. + */ +#define LIST_FIRST(head) ((head)->lh_first) +#define LIST_END(head) NULL +#define LIST_EMPTY(head) (LIST_FIRST(head) == LIST_END(head)) +#define LIST_NEXT(elm, field) ((elm)->field.le_next) + +#define LIST_FOREACH(var, head, field) \ + for((var) = LIST_FIRST(head); \ + (var)!= LIST_END(head); \ + (var) = LIST_NEXT(var, field)) + +#define LIST_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = LIST_FIRST(head); \ + (var) && ((tvar) = LIST_NEXT(var, field), 1); \ + (var) = (tvar)) + +/* + * List functions. 
+ */ +#define LIST_INIT(head) do { \ + LIST_FIRST(head) = LIST_END(head); \ +} while (0) + +#define LIST_INSERT_AFTER(listelm, elm, field) do { \ + if (((elm)->field.le_next = (listelm)->field.le_next) != NULL) \ + (listelm)->field.le_next->field.le_prev = \ + &(elm)->field.le_next; \ + (listelm)->field.le_next = (elm); \ + (elm)->field.le_prev = &(listelm)->field.le_next; \ +} while (0) + +#define LIST_INSERT_BEFORE(listelm, elm, field) do { \ + (elm)->field.le_prev = (listelm)->field.le_prev; \ + (elm)->field.le_next = (listelm); \ + *(listelm)->field.le_prev = (elm); \ + (listelm)->field.le_prev = &(elm)->field.le_next; \ +} while (0) + +#define LIST_INSERT_HEAD(head, elm, field) do { \ + if (((elm)->field.le_next = (head)->lh_first) != NULL) \ + (head)->lh_first->field.le_prev = &(elm)->field.le_next;\ + (head)->lh_first = (elm); \ + (elm)->field.le_prev = &(head)->lh_first; \ +} while (0) + +#define LIST_REMOVE(elm, field) do { \ + if ((elm)->field.le_next != NULL) \ + (elm)->field.le_next->field.le_prev = \ + (elm)->field.le_prev; \ + *(elm)->field.le_prev = (elm)->field.le_next; \ + _Q_INVALIDATE((elm)->field.le_prev); \ + _Q_INVALIDATE((elm)->field.le_next); \ +} while (0) + +#define LIST_REPLACE(elm, elm2, field) do { \ + if (((elm2)->field.le_next = (elm)->field.le_next) != NULL) \ + (elm2)->field.le_next->field.le_prev = \ + &(elm2)->field.le_next; \ + (elm2)->field.le_prev = (elm)->field.le_prev; \ + *(elm2)->field.le_prev = (elm2); \ + _Q_INVALIDATE((elm)->field.le_prev); \ + _Q_INVALIDATE((elm)->field.le_next); \ +} while (0) + +/* + * Simple queue definitions. + */ +#define SIMPLEQ_HEAD(name, type) \ +struct name { \ + struct type *sqh_first; /* first element */ \ + struct type **sqh_last; /* addr of last next element */ \ +} + +#define SIMPLEQ_HEAD_INITIALIZER(head) \ + { NULL, &(head).sqh_first } + +#define SIMPLEQ_ENTRY(type) \ +struct { \ + struct type *sqe_next; /* next element */ \ +} + +/* + * Simple queue access methods. 
+ */ +#define SIMPLEQ_FIRST(head) ((head)->sqh_first) +#define SIMPLEQ_END(head) NULL +#define SIMPLEQ_EMPTY(head) (SIMPLEQ_FIRST(head) == SIMPLEQ_END(head)) +#define SIMPLEQ_NEXT(elm, field) ((elm)->field.sqe_next) + +#define SIMPLEQ_FOREACH(var, head, field) \ + for((var) = SIMPLEQ_FIRST(head); \ + (var) != SIMPLEQ_END(head); \ + (var) = SIMPLEQ_NEXT(var, field)) + +#define SIMPLEQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = SIMPLEQ_FIRST(head); \ + (var) && ((tvar) = SIMPLEQ_NEXT(var, field), 1); \ + (var) = (tvar)) + +/* + * Simple queue functions. + */ +#define SIMPLEQ_INIT(head) do { \ + (head)->sqh_first = NULL; \ + (head)->sqh_last = &(head)->sqh_first; \ +} while (0) + +#define SIMPLEQ_INSERT_HEAD(head, elm, field) do { \ + if (((elm)->field.sqe_next = (head)->sqh_first) == NULL) \ + (head)->sqh_last = &(elm)->field.sqe_next; \ + (head)->sqh_first = (elm); \ +} while (0) + +#define SIMPLEQ_INSERT_TAIL(head, elm, field) do { \ + (elm)->field.sqe_next = NULL; \ + *(head)->sqh_last = (elm); \ + (head)->sqh_last = &(elm)->field.sqe_next; \ +} while (0) + +#define SIMPLEQ_INSERT_AFTER(head, listelm, elm, field) do { \ + if (((elm)->field.sqe_next = (listelm)->field.sqe_next) == NULL)\ + (head)->sqh_last = &(elm)->field.sqe_next; \ + (listelm)->field.sqe_next = (elm); \ +} while (0) + +#define SIMPLEQ_REMOVE_HEAD(head, field) do { \ + if (((head)->sqh_first = (head)->sqh_first->field.sqe_next) == NULL) \ + (head)->sqh_last = &(head)->sqh_first; \ +} while (0) + +#define SIMPLEQ_REMOVE_AFTER(head, elm, field) do { \ + if (((elm)->field.sqe_next = (elm)->field.sqe_next->field.sqe_next) \ + == NULL) \ + (head)->sqh_last = &(elm)->field.sqe_next; \ +} while (0) + +#define SIMPLEQ_CONCAT(head1, head2) do { \ + if (!SIMPLEQ_EMPTY((head2))) { \ + *(head1)->sqh_last = (head2)->sqh_first; \ + (head1)->sqh_last = (head2)->sqh_last; \ + SIMPLEQ_INIT((head2)); \ + } \ +} while (0) + +/* + * XOR Simple queue definitions. 
+ */ +#define XSIMPLEQ_HEAD(name, type) \ +struct name { \ + struct type *sqx_first; /* first element */ \ + struct type **sqx_last; /* addr of last next element */ \ + unsigned long sqx_cookie; \ +} + +#define XSIMPLEQ_ENTRY(type) \ +struct { \ + struct type *sqx_next; /* next element */ \ +} + +/* + * XOR Simple queue access methods. + */ +#define XSIMPLEQ_XOR(head, ptr) ((__typeof(ptr))((head)->sqx_cookie ^ \ + (unsigned long)(ptr))) +#define XSIMPLEQ_FIRST(head) XSIMPLEQ_XOR(head, ((head)->sqx_first)) +#define XSIMPLEQ_END(head) NULL +#define XSIMPLEQ_EMPTY(head) (XSIMPLEQ_FIRST(head) == XSIMPLEQ_END(head)) +#define XSIMPLEQ_NEXT(head, elm, field) XSIMPLEQ_XOR(head, ((elm)->field.sqx_next)) + + +#define XSIMPLEQ_FOREACH(var, head, field) \ + for ((var) = XSIMPLEQ_FIRST(head); \ + (var) != XSIMPLEQ_END(head); \ + (var) = XSIMPLEQ_NEXT(head, var, field)) + +#define XSIMPLEQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = XSIMPLEQ_FIRST(head); \ + (var) && ((tvar) = XSIMPLEQ_NEXT(head, var, field), 1); \ + (var) = (tvar)) + +/* + * XOR Simple queue functions. 
+ */ +#define XSIMPLEQ_INIT(head) do { \ + arc4random_buf(&(head)->sqx_cookie, sizeof((head)->sqx_cookie)); \ + (head)->sqx_first = XSIMPLEQ_XOR(head, NULL); \ + (head)->sqx_last = XSIMPLEQ_XOR(head, &(head)->sqx_first); \ +} while (0) + +#define XSIMPLEQ_INSERT_HEAD(head, elm, field) do { \ + if (((elm)->field.sqx_next = (head)->sqx_first) == \ + XSIMPLEQ_XOR(head, NULL)) \ + (head)->sqx_last = XSIMPLEQ_XOR(head, &(elm)->field.sqx_next); \ + (head)->sqx_first = XSIMPLEQ_XOR(head, (elm)); \ +} while (0) + +#define XSIMPLEQ_INSERT_TAIL(head, elm, field) do { \ + (elm)->field.sqx_next = XSIMPLEQ_XOR(head, NULL); \ + *(XSIMPLEQ_XOR(head, (head)->sqx_last)) = XSIMPLEQ_XOR(head, (elm)); \ + (head)->sqx_last = XSIMPLEQ_XOR(head, &(elm)->field.sqx_next); \ +} while (0) + +#define XSIMPLEQ_INSERT_AFTER(head, listelm, elm, field) do { \ + if (((elm)->field.sqx_next = (listelm)->field.sqx_next) == \ + XSIMPLEQ_XOR(head, NULL)) \ + (head)->sqx_last = XSIMPLEQ_XOR(head, &(elm)->field.sqx_next); \ + (listelm)->field.sqx_next = XSIMPLEQ_XOR(head, (elm)); \ +} while (0) + +#define XSIMPLEQ_REMOVE_HEAD(head, field) do { \ + if (((head)->sqx_first = XSIMPLEQ_XOR(head, \ + (head)->sqx_first)->field.sqx_next) == XSIMPLEQ_XOR(head, NULL)) \ + (head)->sqx_last = XSIMPLEQ_XOR(head, &(head)->sqx_first); \ +} while (0) + +#define XSIMPLEQ_REMOVE_AFTER(head, elm, field) do { \ + if (((elm)->field.sqx_next = XSIMPLEQ_XOR(head, \ + (elm)->field.sqx_next)->field.sqx_next) \ + == XSIMPLEQ_XOR(head, NULL)) \ + (head)->sqx_last = \ + XSIMPLEQ_XOR(head, &(elm)->field.sqx_next); \ +} while (0) + + +/* + * Tail queue definitions. 
+ */ +#define TAILQ_HEAD(name, type) \ +struct name { \ + struct type *tqh_first; /* first element */ \ + struct type **tqh_last; /* addr of last next element */ \ +} + +#define TAILQ_HEAD_INITIALIZER(head) \ + { NULL, &(head).tqh_first } + +#define TAILQ_ENTRY(type) \ +struct { \ + struct type *tqe_next; /* next element */ \ + struct type **tqe_prev; /* address of previous next element */ \ +} + +/* + * Tail queue access methods. + */ +#define TAILQ_FIRST(head) ((head)->tqh_first) +#define TAILQ_END(head) NULL +#define TAILQ_NEXT(elm, field) ((elm)->field.tqe_next) +#define TAILQ_LAST(head, headname) \ + (*(((struct headname *)((head)->tqh_last))->tqh_last)) +/* XXX */ +#define TAILQ_PREV(elm, headname, field) \ + (*(((struct headname *)((elm)->field.tqe_prev))->tqh_last)) +#define TAILQ_EMPTY(head) \ + (TAILQ_FIRST(head) == TAILQ_END(head)) + +#define TAILQ_FOREACH(var, head, field) \ + for((var) = TAILQ_FIRST(head); \ + (var) != TAILQ_END(head); \ + (var) = TAILQ_NEXT(var, field)) + +#define TAILQ_FOREACH_SAFE(var, head, field, tvar) \ + for ((var) = TAILQ_FIRST(head); \ + (var) != TAILQ_END(head) && \ + ((tvar) = TAILQ_NEXT(var, field), 1); \ + (var) = (tvar)) + + +#define TAILQ_FOREACH_REVERSE(var, head, headname, field) \ + for((var) = TAILQ_LAST(head, headname); \ + (var) != TAILQ_END(head); \ + (var) = TAILQ_PREV(var, headname, field)) + +#define TAILQ_FOREACH_REVERSE_SAFE(var, head, headname, field, tvar) \ + for ((var) = TAILQ_LAST(head, headname); \ + (var) != TAILQ_END(head) && \ + ((tvar) = TAILQ_PREV(var, headname, field), 1); \ + (var) = (tvar)) + +/* + * Tail queue functions. 
+ */ +#define TAILQ_INIT(head) do { \ + (head)->tqh_first = NULL; \ + (head)->tqh_last = &(head)->tqh_first; \ +} while (0) + +#define TAILQ_INSERT_HEAD(head, elm, field) do { \ + if (((elm)->field.tqe_next = (head)->tqh_first) != NULL) \ + (head)->tqh_first->field.tqe_prev = \ + &(elm)->field.tqe_next; \ + else \ + (head)->tqh_last = &(elm)->field.tqe_next; \ + (head)->tqh_first = (elm); \ + (elm)->field.tqe_prev = &(head)->tqh_first; \ +} while (0) + +#define TAILQ_INSERT_TAIL(head, elm, field) do { \ + (elm)->field.tqe_next = NULL; \ + (elm)->field.tqe_prev = (head)->tqh_last; \ + *(head)->tqh_last = (elm); \ + (head)->tqh_last = &(elm)->field.tqe_next; \ +} while (0) + +#define TAILQ_INSERT_AFTER(head, listelm, elm, field) do { \ + if (((elm)->field.tqe_next = (listelm)->field.tqe_next) != NULL)\ + (elm)->field.tqe_next->field.tqe_prev = \ + &(elm)->field.tqe_next; \ + else \ + (head)->tqh_last = &(elm)->field.tqe_next; \ + (listelm)->field.tqe_next = (elm); \ + (elm)->field.tqe_prev = &(listelm)->field.tqe_next; \ +} while (0) + +#define TAILQ_INSERT_BEFORE(listelm, elm, field) do { \ + (elm)->field.tqe_prev = (listelm)->field.tqe_prev; \ + (elm)->field.tqe_next = (listelm); \ + *(listelm)->field.tqe_prev = (elm); \ + (listelm)->field.tqe_prev = &(elm)->field.tqe_next; \ +} while (0) + +#define TAILQ_REMOVE(head, elm, field) do { \ + if (((elm)->field.tqe_next) != NULL) \ + (elm)->field.tqe_next->field.tqe_prev = \ + (elm)->field.tqe_prev; \ + else \ + (head)->tqh_last = (elm)->field.tqe_prev; \ + *(elm)->field.tqe_prev = (elm)->field.tqe_next; \ + _Q_INVALIDATE((elm)->field.tqe_prev); \ + _Q_INVALIDATE((elm)->field.tqe_next); \ +} while (0) + +#define TAILQ_REPLACE(head, elm, elm2, field) do { \ + if (((elm2)->field.tqe_next = (elm)->field.tqe_next) != NULL) \ + (elm2)->field.tqe_next->field.tqe_prev = \ + &(elm2)->field.tqe_next; \ + else \ + (head)->tqh_last = &(elm2)->field.tqe_next; \ + (elm2)->field.tqe_prev = (elm)->field.tqe_prev; \ + 
*(elm2)->field.tqe_prev = (elm2); \
+ _Q_INVALIDATE((elm)->field.tqe_prev); \
+ _Q_INVALIDATE((elm)->field.tqe_next); \
+} while (0)
+
+#define TAILQ_CONCAT(head1, head2, field) do { \
+ if (!TAILQ_EMPTY(head2)) { \
+ *(head1)->tqh_last = (head2)->tqh_first; \
+ (head2)->tqh_first->field.tqe_prev = (head1)->tqh_last; \
+ (head1)->tqh_last = (head2)->tqh_last; \
+ TAILQ_INIT((head2)); \
+ } \
+} while (0)
+
+#endif /* !_SYS_QUEUE_H_ */
diff --git a/include/compat/sys/tree.h b/include/compat/sys/tree.h
new file mode 100644
index 0000000..ffcac90
--- /dev/null
+++ b/include/compat/sys/tree.h
@@ -0,0 +1,1006 @@
+/* $OpenBSD: tree.h,v 1.29 2017/07/30 19:27:20 deraadt Exp $ */
+/*
+ * Copyright 2002 Niels Provos
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SYS_TREE_H_
+#define _SYS_TREE_H_
+
+#include
+
+/*
+ * This file defines data structures for different types of trees:
+ * splay trees and red-black trees.
+ *
+ * A splay tree is a self-organizing data structure. Every operation
+ * on the tree causes a splay to happen. The splay moves the requested
+ * node to the root of the tree and partly rebalances it.
+ *
+ * This has the benefit that request locality causes faster lookups as
+ * the requested nodes move to the top of the tree. On the other hand,
+ * every lookup causes memory writes.
+ * + * The Balance Theorem bounds the total access time for m operations + * and n inserts on an initially empty tree as O((m + n)lg n). The + * amortized cost for a sequence of m accesses to a splay tree is O(lg n); + * + * A red-black tree is a binary search tree with the node color as an + * extra attribute. It fulfills a set of conditions: + * - every search path from the root to a leaf consists of the + * same number of black nodes, + * - each red node (except for the root) has a black parent, + * - each leaf node is black. + * + * Every operation on a red-black tree is bounded as O(lg n). + * The maximum height of a red-black tree is 2lg (n+1). + */ + +#define SPLAY_HEAD(name, type) \ +struct name { \ + struct type *sph_root; /* root of the tree */ \ +} + +#define SPLAY_INITIALIZER(root) \ + { NULL } + +#define SPLAY_INIT(root) do { \ + (root)->sph_root = NULL; \ +} while (0) + +#define SPLAY_ENTRY(type) \ +struct { \ + struct type *spe_left; /* left element */ \ + struct type *spe_right; /* right element */ \ +} + +#define SPLAY_LEFT(elm, field) (elm)->field.spe_left +#define SPLAY_RIGHT(elm, field) (elm)->field.spe_right +#define SPLAY_ROOT(head) (head)->sph_root +#define SPLAY_EMPTY(head) (SPLAY_ROOT(head) == NULL) + +/* SPLAY_ROTATE_{LEFT,RIGHT} expect that tmp hold SPLAY_{RIGHT,LEFT} */ +#define SPLAY_ROTATE_RIGHT(head, tmp, field) do { \ + SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(tmp, field); \ + SPLAY_RIGHT(tmp, field) = (head)->sph_root; \ + (head)->sph_root = tmp; \ +} while (0) + +#define SPLAY_ROTATE_LEFT(head, tmp, field) do { \ + SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(tmp, field); \ + SPLAY_LEFT(tmp, field) = (head)->sph_root; \ + (head)->sph_root = tmp; \ +} while (0) + +#define SPLAY_LINKLEFT(head, tmp, field) do { \ + SPLAY_LEFT(tmp, field) = (head)->sph_root; \ + tmp = (head)->sph_root; \ + (head)->sph_root = SPLAY_LEFT((head)->sph_root, field); \ +} while (0) + +#define SPLAY_LINKRIGHT(head, tmp, field) do { \ + 
SPLAY_RIGHT(tmp, field) = (head)->sph_root; \ + tmp = (head)->sph_root; \ + (head)->sph_root = SPLAY_RIGHT((head)->sph_root, field); \ +} while (0) + +#define SPLAY_ASSEMBLE(head, node, left, right, field) do { \ + SPLAY_RIGHT(left, field) = SPLAY_LEFT((head)->sph_root, field); \ + SPLAY_LEFT(right, field) = SPLAY_RIGHT((head)->sph_root, field);\ + SPLAY_LEFT((head)->sph_root, field) = SPLAY_RIGHT(node, field); \ + SPLAY_RIGHT((head)->sph_root, field) = SPLAY_LEFT(node, field); \ +} while (0) + +/* Generates prototypes and inline functions */ + +#define SPLAY_PROTOTYPE(name, type, field, cmp) \ +void name##_SPLAY(struct name *, struct type *); \ +void name##_SPLAY_MINMAX(struct name *, int); \ +struct type *name##_SPLAY_INSERT(struct name *, struct type *); \ +struct type *name##_SPLAY_REMOVE(struct name *, struct type *); \ + \ +/* Finds the node with the same key as elm */ \ +static __unused __inline struct type * \ +name##_SPLAY_FIND(struct name *head, struct type *elm) \ +{ \ + if (SPLAY_EMPTY(head)) \ + return(NULL); \ + name##_SPLAY(head, elm); \ + if ((cmp)(elm, (head)->sph_root) == 0) \ + return (head->sph_root); \ + return (NULL); \ +} \ + \ +static __unused __inline struct type * \ +name##_SPLAY_NEXT(struct name *head, struct type *elm) \ +{ \ + name##_SPLAY(head, elm); \ + if (SPLAY_RIGHT(elm, field) != NULL) { \ + elm = SPLAY_RIGHT(elm, field); \ + while (SPLAY_LEFT(elm, field) != NULL) { \ + elm = SPLAY_LEFT(elm, field); \ + } \ + } else \ + elm = NULL; \ + return (elm); \ +} \ + \ +static __unused __inline struct type * \ +name##_SPLAY_MIN_MAX(struct name *head, int val) \ +{ \ + name##_SPLAY_MINMAX(head, val); \ + return (SPLAY_ROOT(head)); \ +} + +/* Main splay operation. 
+ * Moves node close to the key of elm to top + */ +#define SPLAY_GENERATE(name, type, field, cmp) \ +struct type * \ +name##_SPLAY_INSERT(struct name *head, struct type *elm) \ +{ \ + if (SPLAY_EMPTY(head)) { \ + SPLAY_LEFT(elm, field) = SPLAY_RIGHT(elm, field) = NULL; \ + } else { \ + int __comp; \ + name##_SPLAY(head, elm); \ + __comp = (cmp)(elm, (head)->sph_root); \ + if(__comp < 0) { \ + SPLAY_LEFT(elm, field) = SPLAY_LEFT((head)->sph_root, field);\ + SPLAY_RIGHT(elm, field) = (head)->sph_root; \ + SPLAY_LEFT((head)->sph_root, field) = NULL; \ + } else if (__comp > 0) { \ + SPLAY_RIGHT(elm, field) = SPLAY_RIGHT((head)->sph_root, field);\ + SPLAY_LEFT(elm, field) = (head)->sph_root; \ + SPLAY_RIGHT((head)->sph_root, field) = NULL; \ + } else \ + return ((head)->sph_root); \ + } \ + (head)->sph_root = (elm); \ + return (NULL); \ +} \ + \ +struct type * \ +name##_SPLAY_REMOVE(struct name *head, struct type *elm) \ +{ \ + struct type *__tmp; \ + if (SPLAY_EMPTY(head)) \ + return (NULL); \ + name##_SPLAY(head, elm); \ + if ((cmp)(elm, (head)->sph_root) == 0) { \ + if (SPLAY_LEFT((head)->sph_root, field) == NULL) { \ + (head)->sph_root = SPLAY_RIGHT((head)->sph_root, field);\ + } else { \ + __tmp = SPLAY_RIGHT((head)->sph_root, field); \ + (head)->sph_root = SPLAY_LEFT((head)->sph_root, field);\ + name##_SPLAY(head, elm); \ + SPLAY_RIGHT((head)->sph_root, field) = __tmp; \ + } \ + return (elm); \ + } \ + return (NULL); \ +} \ + \ +void \ +name##_SPLAY(struct name *head, struct type *elm) \ +{ \ + struct type __node, *__left, *__right, *__tmp; \ + int __comp; \ +\ + SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\ + __left = __right = &__node; \ +\ + while ((__comp = (cmp)(elm, (head)->sph_root))) { \ + if (__comp < 0) { \ + __tmp = SPLAY_LEFT((head)->sph_root, field); \ + if (__tmp == NULL) \ + break; \ + if ((cmp)(elm, __tmp) < 0){ \ + SPLAY_ROTATE_RIGHT(head, __tmp, field); \ + if (SPLAY_LEFT((head)->sph_root, field) == NULL)\ + break; \ + } \ + 
SPLAY_LINKLEFT(head, __right, field); \ + } else if (__comp > 0) { \ + __tmp = SPLAY_RIGHT((head)->sph_root, field); \ + if (__tmp == NULL) \ + break; \ + if ((cmp)(elm, __tmp) > 0){ \ + SPLAY_ROTATE_LEFT(head, __tmp, field); \ + if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\ + break; \ + } \ + SPLAY_LINKRIGHT(head, __left, field); \ + } \ + } \ + SPLAY_ASSEMBLE(head, &__node, __left, __right, field); \ +} \ + \ +/* Splay with either the minimum or the maximum element \ + * Used to find minimum or maximum element in tree. \ + */ \ +void name##_SPLAY_MINMAX(struct name *head, int __comp) \ +{ \ + struct type __node, *__left, *__right, *__tmp; \ +\ + SPLAY_LEFT(&__node, field) = SPLAY_RIGHT(&__node, field) = NULL;\ + __left = __right = &__node; \ +\ + while (1) { \ + if (__comp < 0) { \ + __tmp = SPLAY_LEFT((head)->sph_root, field); \ + if (__tmp == NULL) \ + break; \ + if (__comp < 0){ \ + SPLAY_ROTATE_RIGHT(head, __tmp, field); \ + if (SPLAY_LEFT((head)->sph_root, field) == NULL)\ + break; \ + } \ + SPLAY_LINKLEFT(head, __right, field); \ + } else if (__comp > 0) { \ + __tmp = SPLAY_RIGHT((head)->sph_root, field); \ + if (__tmp == NULL) \ + break; \ + if (__comp > 0) { \ + SPLAY_ROTATE_LEFT(head, __tmp, field); \ + if (SPLAY_RIGHT((head)->sph_root, field) == NULL)\ + break; \ + } \ + SPLAY_LINKRIGHT(head, __left, field); \ + } \ + } \ + SPLAY_ASSEMBLE(head, &__node, __left, __right, field); \ +} + +#define SPLAY_NEGINF -1 +#define SPLAY_INF 1 + +#define SPLAY_INSERT(name, x, y) name##_SPLAY_INSERT(x, y) +#define SPLAY_REMOVE(name, x, y) name##_SPLAY_REMOVE(x, y) +#define SPLAY_FIND(name, x, y) name##_SPLAY_FIND(x, y) +#define SPLAY_NEXT(name, x, y) name##_SPLAY_NEXT(x, y) +#define SPLAY_MIN(name, x) (SPLAY_EMPTY(x) ? NULL \ + : name##_SPLAY_MIN_MAX(x, SPLAY_NEGINF)) +#define SPLAY_MAX(name, x) (SPLAY_EMPTY(x) ? 
NULL \ + : name##_SPLAY_MIN_MAX(x, SPLAY_INF)) + +#define SPLAY_FOREACH(x, name, head) \ + for ((x) = SPLAY_MIN(name, head); \ + (x) != NULL; \ + (x) = SPLAY_NEXT(name, head, x)) + +/* Macros that define a red-black tree */ +#define RB_HEAD(name, type) \ +struct name { \ + struct type *rbh_root; /* root of the tree */ \ +} + +#define RB_INITIALIZER(root) \ + { NULL } + +#define RB_INIT(root) do { \ + (root)->rbh_root = NULL; \ +} while (0) + +#define RB_BLACK 0 +#define RB_RED 1 +#define RB_ENTRY(type) \ +struct { \ + struct type *rbe_left; /* left element */ \ + struct type *rbe_right; /* right element */ \ + struct type *rbe_parent; /* parent element */ \ + int rbe_color; /* node color */ \ +} + +#define RB_LEFT(elm, field) (elm)->field.rbe_left +#define RB_RIGHT(elm, field) (elm)->field.rbe_right +#define RB_PARENT(elm, field) (elm)->field.rbe_parent +#define RB_COLOR(elm, field) (elm)->field.rbe_color +#define RB_ROOT(head) (head)->rbh_root +#define RB_EMPTY(head) (RB_ROOT(head) == NULL) + +#define RB_SET(elm, parent, field) do { \ + RB_PARENT(elm, field) = parent; \ + RB_LEFT(elm, field) = RB_RIGHT(elm, field) = NULL; \ + RB_COLOR(elm, field) = RB_RED; \ +} while (0) + +#define RB_SET_BLACKRED(black, red, field) do { \ + RB_COLOR(black, field) = RB_BLACK; \ + RB_COLOR(red, field) = RB_RED; \ +} while (0) + +#ifndef RB_AUGMENT +#define RB_AUGMENT(x) do {} while (0) +#endif + +#define RB_ROTATE_LEFT(head, elm, tmp, field) do { \ + (tmp) = RB_RIGHT(elm, field); \ + if ((RB_RIGHT(elm, field) = RB_LEFT(tmp, field))) { \ + RB_PARENT(RB_LEFT(tmp, field), field) = (elm); \ + } \ + RB_AUGMENT(elm); \ + if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field))) { \ + if ((elm) == RB_LEFT(RB_PARENT(elm, field), field)) \ + RB_LEFT(RB_PARENT(elm, field), field) = (tmp); \ + else \ + RB_RIGHT(RB_PARENT(elm, field), field) = (tmp); \ + } else \ + (head)->rbh_root = (tmp); \ + RB_LEFT(tmp, field) = (elm); \ + RB_PARENT(elm, field) = (tmp); \ + RB_AUGMENT(tmp); \ + if 
((RB_PARENT(tmp, field))) \ + RB_AUGMENT(RB_PARENT(tmp, field)); \ +} while (0) + +#define RB_ROTATE_RIGHT(head, elm, tmp, field) do { \ + (tmp) = RB_LEFT(elm, field); \ + if ((RB_LEFT(elm, field) = RB_RIGHT(tmp, field))) { \ + RB_PARENT(RB_RIGHT(tmp, field), field) = (elm); \ + } \ + RB_AUGMENT(elm); \ + if ((RB_PARENT(tmp, field) = RB_PARENT(elm, field))) { \ + if ((elm) == RB_LEFT(RB_PARENT(elm, field), field)) \ + RB_LEFT(RB_PARENT(elm, field), field) = (tmp); \ + else \ + RB_RIGHT(RB_PARENT(elm, field), field) = (tmp); \ + } else \ + (head)->rbh_root = (tmp); \ + RB_RIGHT(tmp, field) = (elm); \ + RB_PARENT(elm, field) = (tmp); \ + RB_AUGMENT(tmp); \ + if ((RB_PARENT(tmp, field))) \ + RB_AUGMENT(RB_PARENT(tmp, field)); \ +} while (0) + +/* Generates prototypes and inline functions */ +#define RB_PROTOTYPE(name, type, field, cmp) \ + RB_PROTOTYPE_INTERNAL(name, type, field, cmp,) +#define RB_PROTOTYPE_STATIC(name, type, field, cmp) \ + RB_PROTOTYPE_INTERNAL(name, type, field, cmp, __attribute__((__unused__)) static) +#define RB_PROTOTYPE_INTERNAL(name, type, field, cmp, attr) \ +attr void name##_RB_INSERT_COLOR(struct name *, struct type *); \ +attr void name##_RB_REMOVE_COLOR(struct name *, struct type *, struct type *);\ +attr struct type *name##_RB_REMOVE(struct name *, struct type *); \ +attr struct type *name##_RB_INSERT(struct name *, struct type *); \ +attr struct type *name##_RB_FIND(struct name *, struct type *); \ +attr struct type *name##_RB_NFIND(struct name *, struct type *); \ +attr struct type *name##_RB_NEXT(struct type *); \ +attr struct type *name##_RB_PREV(struct type *); \ +attr struct type *name##_RB_MINMAX(struct name *, int); \ + \ + +/* Main rb operation. 
+ * Moves node close to the key of elm to top + */ +#define RB_GENERATE(name, type, field, cmp) \ + RB_GENERATE_INTERNAL(name, type, field, cmp,) +#define RB_GENERATE_STATIC(name, type, field, cmp) \ + RB_GENERATE_INTERNAL(name, type, field, cmp, __attribute__((__unused__)) static) +#define RB_GENERATE_INTERNAL(name, type, field, cmp, attr) \ +attr void \ +name##_RB_INSERT_COLOR(struct name *head, struct type *elm) \ +{ \ + struct type *parent, *gparent, *tmp; \ + while ((parent = RB_PARENT(elm, field)) && \ + RB_COLOR(parent, field) == RB_RED) { \ + gparent = RB_PARENT(parent, field); \ + if (parent == RB_LEFT(gparent, field)) { \ + tmp = RB_RIGHT(gparent, field); \ + if (tmp && RB_COLOR(tmp, field) == RB_RED) { \ + RB_COLOR(tmp, field) = RB_BLACK; \ + RB_SET_BLACKRED(parent, gparent, field);\ + elm = gparent; \ + continue; \ + } \ + if (RB_RIGHT(parent, field) == elm) { \ + RB_ROTATE_LEFT(head, parent, tmp, field);\ + tmp = parent; \ + parent = elm; \ + elm = tmp; \ + } \ + RB_SET_BLACKRED(parent, gparent, field); \ + RB_ROTATE_RIGHT(head, gparent, tmp, field); \ + } else { \ + tmp = RB_LEFT(gparent, field); \ + if (tmp && RB_COLOR(tmp, field) == RB_RED) { \ + RB_COLOR(tmp, field) = RB_BLACK; \ + RB_SET_BLACKRED(parent, gparent, field);\ + elm = gparent; \ + continue; \ + } \ + if (RB_LEFT(parent, field) == elm) { \ + RB_ROTATE_RIGHT(head, parent, tmp, field);\ + tmp = parent; \ + parent = elm; \ + elm = tmp; \ + } \ + RB_SET_BLACKRED(parent, gparent, field); \ + RB_ROTATE_LEFT(head, gparent, tmp, field); \ + } \ + } \ + RB_COLOR(head->rbh_root, field) = RB_BLACK; \ +} \ + \ +attr void \ +name##_RB_REMOVE_COLOR(struct name *head, struct type *parent, struct type *elm) \ +{ \ + struct type *tmp; \ + while ((elm == NULL || RB_COLOR(elm, field) == RB_BLACK) && \ + elm != RB_ROOT(head)) { \ + if (RB_LEFT(parent, field) == elm) { \ + tmp = RB_RIGHT(parent, field); \ + if (RB_COLOR(tmp, field) == RB_RED) { \ + RB_SET_BLACKRED(tmp, parent, field); \ + 
RB_ROTATE_LEFT(head, parent, tmp, field);\ + tmp = RB_RIGHT(parent, field); \ + } \ + if ((RB_LEFT(tmp, field) == NULL || \ + RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\ + (RB_RIGHT(tmp, field) == NULL || \ + RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\ + RB_COLOR(tmp, field) = RB_RED; \ + elm = parent; \ + parent = RB_PARENT(elm, field); \ + } else { \ + if (RB_RIGHT(tmp, field) == NULL || \ + RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK) {\ + struct type *oleft; \ + if ((oleft = RB_LEFT(tmp, field)))\ + RB_COLOR(oleft, field) = RB_BLACK;\ + RB_COLOR(tmp, field) = RB_RED; \ + RB_ROTATE_RIGHT(head, tmp, oleft, field);\ + tmp = RB_RIGHT(parent, field); \ + } \ + RB_COLOR(tmp, field) = RB_COLOR(parent, field);\ + RB_COLOR(parent, field) = RB_BLACK; \ + if (RB_RIGHT(tmp, field)) \ + RB_COLOR(RB_RIGHT(tmp, field), field) = RB_BLACK;\ + RB_ROTATE_LEFT(head, parent, tmp, field);\ + elm = RB_ROOT(head); \ + break; \ + } \ + } else { \ + tmp = RB_LEFT(parent, field); \ + if (RB_COLOR(tmp, field) == RB_RED) { \ + RB_SET_BLACKRED(tmp, parent, field); \ + RB_ROTATE_RIGHT(head, parent, tmp, field);\ + tmp = RB_LEFT(parent, field); \ + } \ + if ((RB_LEFT(tmp, field) == NULL || \ + RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) &&\ + (RB_RIGHT(tmp, field) == NULL || \ + RB_COLOR(RB_RIGHT(tmp, field), field) == RB_BLACK)) {\ + RB_COLOR(tmp, field) = RB_RED; \ + elm = parent; \ + parent = RB_PARENT(elm, field); \ + } else { \ + if (RB_LEFT(tmp, field) == NULL || \ + RB_COLOR(RB_LEFT(tmp, field), field) == RB_BLACK) {\ + struct type *oright; \ + if ((oright = RB_RIGHT(tmp, field)))\ + RB_COLOR(oright, field) = RB_BLACK;\ + RB_COLOR(tmp, field) = RB_RED; \ + RB_ROTATE_LEFT(head, tmp, oright, field);\ + tmp = RB_LEFT(parent, field); \ + } \ + RB_COLOR(tmp, field) = RB_COLOR(parent, field);\ + RB_COLOR(parent, field) = RB_BLACK; \ + if (RB_LEFT(tmp, field)) \ + RB_COLOR(RB_LEFT(tmp, field), field) = RB_BLACK;\ + RB_ROTATE_RIGHT(head, parent, tmp, field);\ + 
elm = RB_ROOT(head); \ + break; \ + } \ + } \ + } \ + if (elm) \ + RB_COLOR(elm, field) = RB_BLACK; \ +} \ + \ +attr struct type * \ +name##_RB_REMOVE(struct name *head, struct type *elm) \ +{ \ + struct type *child, *parent, *old = elm; \ + int color; \ + if (RB_LEFT(elm, field) == NULL) \ + child = RB_RIGHT(elm, field); \ + else if (RB_RIGHT(elm, field) == NULL) \ + child = RB_LEFT(elm, field); \ + else { \ + struct type *left; \ + elm = RB_RIGHT(elm, field); \ + while ((left = RB_LEFT(elm, field))) \ + elm = left; \ + child = RB_RIGHT(elm, field); \ + parent = RB_PARENT(elm, field); \ + color = RB_COLOR(elm, field); \ + if (child) \ + RB_PARENT(child, field) = parent; \ + if (parent) { \ + if (RB_LEFT(parent, field) == elm) \ + RB_LEFT(parent, field) = child; \ + else \ + RB_RIGHT(parent, field) = child; \ + RB_AUGMENT(parent); \ + } else \ + RB_ROOT(head) = child; \ + if (RB_PARENT(elm, field) == old) \ + parent = elm; \ + (elm)->field = (old)->field; \ + if (RB_PARENT(old, field)) { \ + if (RB_LEFT(RB_PARENT(old, field), field) == old)\ + RB_LEFT(RB_PARENT(old, field), field) = elm;\ + else \ + RB_RIGHT(RB_PARENT(old, field), field) = elm;\ + RB_AUGMENT(RB_PARENT(old, field)); \ + } else \ + RB_ROOT(head) = elm; \ + RB_PARENT(RB_LEFT(old, field), field) = elm; \ + if (RB_RIGHT(old, field)) \ + RB_PARENT(RB_RIGHT(old, field), field) = elm; \ + if (parent) { \ + left = parent; \ + do { \ + RB_AUGMENT(left); \ + } while ((left = RB_PARENT(left, field))); \ + } \ + goto color; \ + } \ + parent = RB_PARENT(elm, field); \ + color = RB_COLOR(elm, field); \ + if (child) \ + RB_PARENT(child, field) = parent; \ + if (parent) { \ + if (RB_LEFT(parent, field) == elm) \ + RB_LEFT(parent, field) = child; \ + else \ + RB_RIGHT(parent, field) = child; \ + RB_AUGMENT(parent); \ + } else \ + RB_ROOT(head) = child; \ +color: \ + if (color == RB_BLACK) \ + name##_RB_REMOVE_COLOR(head, parent, child); \ + return (old); \ +} \ + \ +/* Inserts a node into the RB tree */ \ +attr 
struct type * \ +name##_RB_INSERT(struct name *head, struct type *elm) \ +{ \ + struct type *tmp; \ + struct type *parent = NULL; \ + int comp = 0; \ + tmp = RB_ROOT(head); \ + while (tmp) { \ + parent = tmp; \ + comp = (cmp)(elm, parent); \ + if (comp < 0) \ + tmp = RB_LEFT(tmp, field); \ + else if (comp > 0) \ + tmp = RB_RIGHT(tmp, field); \ + else \ + return (tmp); \ + } \ + RB_SET(elm, parent, field); \ + if (parent != NULL) { \ + if (comp < 0) \ + RB_LEFT(parent, field) = elm; \ + else \ + RB_RIGHT(parent, field) = elm; \ + RB_AUGMENT(parent); \ + } else \ + RB_ROOT(head) = elm; \ + name##_RB_INSERT_COLOR(head, elm); \ + return (NULL); \ +} \ + \ +/* Finds the node with the same key as elm */ \ +attr struct type * \ +name##_RB_FIND(struct name *head, struct type *elm) \ +{ \ + struct type *tmp = RB_ROOT(head); \ + int comp; \ + while (tmp) { \ + comp = cmp(elm, tmp); \ + if (comp < 0) \ + tmp = RB_LEFT(tmp, field); \ + else if (comp > 0) \ + tmp = RB_RIGHT(tmp, field); \ + else \ + return (tmp); \ + } \ + return (NULL); \ +} \ + \ +/* Finds the first node greater than or equal to the search key */ \ +attr struct type * \ +name##_RB_NFIND(struct name *head, struct type *elm) \ +{ \ + struct type *tmp = RB_ROOT(head); \ + struct type *res = NULL; \ + int comp; \ + while (tmp) { \ + comp = cmp(elm, tmp); \ + if (comp < 0) { \ + res = tmp; \ + tmp = RB_LEFT(tmp, field); \ + } \ + else if (comp > 0) \ + tmp = RB_RIGHT(tmp, field); \ + else \ + return (tmp); \ + } \ + return (res); \ +} \ + \ +/* ARGSUSED */ \ +attr struct type * \ +name##_RB_NEXT(struct type *elm) \ +{ \ + if (RB_RIGHT(elm, field)) { \ + elm = RB_RIGHT(elm, field); \ + while (RB_LEFT(elm, field)) \ + elm = RB_LEFT(elm, field); \ + } else { \ + if (RB_PARENT(elm, field) && \ + (elm == RB_LEFT(RB_PARENT(elm, field), field))) \ + elm = RB_PARENT(elm, field); \ + else { \ + while (RB_PARENT(elm, field) && \ + (elm == RB_RIGHT(RB_PARENT(elm, field), field)))\ + elm = RB_PARENT(elm, field); \ + elm = 
RB_PARENT(elm, field); \ + } \ + } \ + return (elm); \ +} \ + \ +/* ARGSUSED */ \ +attr struct type * \ +name##_RB_PREV(struct type *elm) \ +{ \ + if (RB_LEFT(elm, field)) { \ + elm = RB_LEFT(elm, field); \ + while (RB_RIGHT(elm, field)) \ + elm = RB_RIGHT(elm, field); \ + } else { \ + if (RB_PARENT(elm, field) && \ + (elm == RB_RIGHT(RB_PARENT(elm, field), field))) \ + elm = RB_PARENT(elm, field); \ + else { \ + while (RB_PARENT(elm, field) && \ + (elm == RB_LEFT(RB_PARENT(elm, field), field)))\ + elm = RB_PARENT(elm, field); \ + elm = RB_PARENT(elm, field); \ + } \ + } \ + return (elm); \ +} \ + \ +attr struct type * \ +name##_RB_MINMAX(struct name *head, int val) \ +{ \ + struct type *tmp = RB_ROOT(head); \ + struct type *parent = NULL; \ + while (tmp) { \ + parent = tmp; \ + if (val < 0) \ + tmp = RB_LEFT(tmp, field); \ + else \ + tmp = RB_RIGHT(tmp, field); \ + } \ + return (parent); \ +} + +#define RB_NEGINF -1 +#define RB_INF 1 + +#define RB_INSERT(name, x, y) name##_RB_INSERT(x, y) +#define RB_REMOVE(name, x, y) name##_RB_REMOVE(x, y) +#define RB_FIND(name, x, y) name##_RB_FIND(x, y) +#define RB_NFIND(name, x, y) name##_RB_NFIND(x, y) +#define RB_NEXT(name, x, y) name##_RB_NEXT(y) +#define RB_PREV(name, x, y) name##_RB_PREV(y) +#define RB_MIN(name, x) name##_RB_MINMAX(x, RB_NEGINF) +#define RB_MAX(name, x) name##_RB_MINMAX(x, RB_INF) + +#define RB_FOREACH(x, name, head) \ + for ((x) = RB_MIN(name, head); \ + (x) != NULL; \ + (x) = name##_RB_NEXT(x)) + +#define RB_FOREACH_SAFE(x, name, head, y) \ + for ((x) = RB_MIN(name, head); \ + ((x) != NULL) && ((y) = name##_RB_NEXT(x), 1); \ + (x) = (y)) + +#define RB_FOREACH_REVERSE(x, name, head) \ + for ((x) = RB_MAX(name, head); \ + (x) != NULL; \ + (x) = name##_RB_PREV(x)) + +#define RB_FOREACH_REVERSE_SAFE(x, name, head, y) \ + for ((x) = RB_MAX(name, head); \ + ((x) != NULL) && ((y) = name##_RB_PREV(x), 1); \ + (x) = (y)) + + +/* + * Copyright (c) 2016 David Gwynne + * + * Permission to use, copy, modify, and 
distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+struct rb_type {
+ int (*t_compare)(const void *, const void *);
+ void (*t_augment)(void *);
+ unsigned int t_offset; /* offset of rb_entry in type */
+};
+
+struct rb_tree {
+ struct rb_entry *rbt_root;
+};
+
+struct rb_entry {
+ struct rb_entry *rbt_parent;
+ struct rb_entry *rbt_left;
+ struct rb_entry *rbt_right;
+ unsigned int rbt_color;
+};
+
+#define RBT_HEAD(_name, _type) \
+struct _name { \
+ struct rb_tree rbh_root; \
+}
+
+#define RBT_ENTRY(_type) struct rb_entry
+
+static inline void
+_rb_init(struct rb_tree *rbt)
+{
+ rbt->rbt_root = NULL;
+}
+
+static inline int
+_rb_empty(struct rb_tree *rbt)
+{
+ return (rbt->rbt_root == NULL);
+}
+
+void *_rb_insert(const struct rb_type *, struct rb_tree *, void *);
+void *_rb_remove(const struct rb_type *, struct rb_tree *, void *);
+void *_rb_find(const struct rb_type *, struct rb_tree *, const void *);
+void *_rb_nfind(const struct rb_type *, struct rb_tree *, const void *);
+void *_rb_root(const struct rb_type *, struct rb_tree *);
+void *_rb_min(const struct rb_type *, struct rb_tree *);
+void *_rb_max(const struct rb_type *, struct rb_tree *);
+void *_rb_next(const struct rb_type *, void *);
+void *_rb_prev(const struct rb_type *, void *);
+void *_rb_left(const struct rb_type *, void *);
+void *_rb_right(const struct
rb_type *, void *); +void *_rb_parent(const struct rb_type *, void *); +void _rb_set_left(const struct rb_type *, void *, void *); +void _rb_set_right(const struct rb_type *, void *, void *); +void _rb_set_parent(const struct rb_type *, void *, void *); +void _rb_poison(const struct rb_type *, void *, unsigned long); +int _rb_check(const struct rb_type *, void *, unsigned long); + +#define RBT_INITIALIZER(_head) { { NULL } } + +#define RBT_PROTOTYPE(_name, _type, _field, _cmp) \ +extern const struct rb_type *const _name##_RBT_TYPE; \ + \ +__unused static inline void \ +_name##_RBT_INIT(struct _name *head) \ +{ \ + _rb_init(&head->rbh_root); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_INSERT(struct _name *head, struct _type *elm) \ +{ \ + return _rb_insert(_name##_RBT_TYPE, &head->rbh_root, elm); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_REMOVE(struct _name *head, struct _type *elm) \ +{ \ + return _rb_remove(_name##_RBT_TYPE, &head->rbh_root, elm); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_FIND(struct _name *head, const struct _type *key) \ +{ \ + return _rb_find(_name##_RBT_TYPE, &head->rbh_root, key); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_NFIND(struct _name *head, const struct _type *key) \ +{ \ + return _rb_nfind(_name##_RBT_TYPE, &head->rbh_root, key); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_ROOT(struct _name *head) \ +{ \ + return _rb_root(_name##_RBT_TYPE, &head->rbh_root); \ +} \ + \ +__unused static inline int \ +_name##_RBT_EMPTY(struct _name *head) \ +{ \ + return _rb_empty(&head->rbh_root); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_MIN(struct _name *head) \ +{ \ + return _rb_min(_name##_RBT_TYPE, &head->rbh_root); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_MAX(struct _name *head) \ +{ \ + return _rb_max(_name##_RBT_TYPE, &head->rbh_root); \ +} \ + \ +__unused static inline struct _type * \ 
+_name##_RBT_NEXT(struct _type *elm) \ +{ \ + return _rb_next(_name##_RBT_TYPE, elm); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_PREV(struct _type *elm) \ +{ \ + return _rb_prev(_name##_RBT_TYPE, elm); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_LEFT(struct _type *elm) \ +{ \ + return _rb_left(_name##_RBT_TYPE, elm); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_RIGHT(struct _type *elm) \ +{ \ + return _rb_right(_name##_RBT_TYPE, elm); \ +} \ + \ +__unused static inline struct _type * \ +_name##_RBT_PARENT(struct _type *elm) \ +{ \ + return _rb_parent(_name##_RBT_TYPE, elm); \ +} \ + \ +__unused static inline void \ +_name##_RBT_SET_LEFT(struct _type *elm, struct _type *left) \ +{ \ + return _rb_set_left(_name##_RBT_TYPE, elm, left); \ +} \ + \ +__unused static inline void \ +_name##_RBT_SET_RIGHT(struct _type *elm, struct _type *right) \ +{ \ + return _rb_set_right(_name##_RBT_TYPE, elm, right); \ +} \ + \ +__unused static inline void \ +_name##_RBT_SET_PARENT(struct _type *elm, struct _type *parent) \ +{ \ + return _rb_set_parent(_name##_RBT_TYPE, elm, parent); \ +} \ + \ +__unused static inline void \ +_name##_RBT_POISON(struct _type *elm, unsigned long poison) \ +{ \ + return _rb_poison(_name##_RBT_TYPE, elm, poison); \ +} \ + \ +__unused static inline int \ +_name##_RBT_CHECK(struct _type *elm, unsigned long poison) \ +{ \ + return _rb_check(_name##_RBT_TYPE, elm, poison); \ +} + +#define RBT_GENERATE_INTERNAL(_name, _type, _field, _cmp, _aug) \ +static int \ +_name##_RBT_COMPARE(const void *lptr, const void *rptr) \ +{ \ + const struct _type *l = lptr, *r = rptr; \ + return _cmp(l, r); \ +} \ +static const struct rb_type _name##_RBT_INFO = { \ + _name##_RBT_COMPARE, \ + _aug, \ + offsetof(struct _type, _field), \ +}; \ +const struct rb_type *const _name##_RBT_TYPE = &_name##_RBT_INFO + +#define RBT_GENERATE_AUGMENT(_name, _type, _field, _cmp, _aug) \ +static void \ +_name##_RBT_AUGMENT(void *ptr) \ 
+{ \
+ struct _type *p = ptr; \
+ return _aug(p); \
+} \
+RBT_GENERATE_INTERNAL(_name, _type, _field, _cmp, _name##_RBT_AUGMENT)
+
+#define RBT_GENERATE(_name, _type, _field, _cmp) \
+ RBT_GENERATE_INTERNAL(_name, _type, _field, _cmp, NULL)
+
+#define RBT_INIT(_name, _head) _name##_RBT_INIT(_head)
+#define RBT_INSERT(_name, _head, _elm) _name##_RBT_INSERT(_head, _elm)
+#define RBT_REMOVE(_name, _head, _elm) _name##_RBT_REMOVE(_head, _elm)
+#define RBT_FIND(_name, _head, _key) _name##_RBT_FIND(_head, _key)
+#define RBT_NFIND(_name, _head, _key) _name##_RBT_NFIND(_head, _key)
+#define RBT_ROOT(_name, _head) _name##_RBT_ROOT(_head)
+#define RBT_EMPTY(_name, _head) _name##_RBT_EMPTY(_head)
+#define RBT_MIN(_name, _head) _name##_RBT_MIN(_head)
+#define RBT_MAX(_name, _head) _name##_RBT_MAX(_head)
+#define RBT_NEXT(_name, _elm) _name##_RBT_NEXT(_elm)
+#define RBT_PREV(_name, _elm) _name##_RBT_PREV(_elm)
+#define RBT_LEFT(_name, _elm) _name##_RBT_LEFT(_elm)
+#define RBT_RIGHT(_name, _elm) _name##_RBT_RIGHT(_elm)
+#define RBT_PARENT(_name, _elm) _name##_RBT_PARENT(_elm)
+#define RBT_SET_LEFT(_name, _elm, _l) _name##_RBT_SET_LEFT(_elm, _l)
+#define RBT_SET_RIGHT(_name, _elm, _r) _name##_RBT_SET_RIGHT(_elm, _r)
+#define RBT_SET_PARENT(_name, _elm, _p) _name##_RBT_SET_PARENT(_elm, _p)
+#define RBT_POISON(_name, _elm, _p) _name##_RBT_POISON(_elm, _p)
+#define RBT_CHECK(_name, _elm, _p) _name##_RBT_CHECK(_elm, _p)
+
+#define RBT_FOREACH(_e, _name, _head) \
+ for ((_e) = RBT_MIN(_name, (_head)); \
+ (_e) != NULL; \
+ (_e) = RBT_NEXT(_name, (_e)))
+
+#define RBT_FOREACH_SAFE(_e, _name, _head, _n) \
+ for ((_e) = RBT_MIN(_name, (_head)); \
+ (_e) != NULL && ((_n) = RBT_NEXT(_name, (_e)), 1); \
+ (_e) = (_n))
+
+#define RBT_FOREACH_REVERSE(_e, _name, _head) \
+ for ((_e) = RBT_MAX(_name, (_head)); \
+ (_e) != NULL; \
+ (_e) = RBT_PREV(_name, (_e)))
+
+#define RBT_FOREACH_REVERSE_SAFE(_e, _name, _head, _n) \
+ for ((_e) = RBT_MAX(_name, (_head)); \
+ (_e) != NULL && ((_n) = RBT_PREV(_name, (_e)), 1); \
+ (_e) = (_n))
+
+#endif /* _SYS_TREE_H_ */
diff --git a/include/compat/sys/types.h b/include/compat/sys/types.h
index 2107119..4967843 100644
--- a/include/compat/sys/types.h
+++ b/include/compat/sys/types.h
@@ -49,6 +49,14 @@ typedef SSIZE_T ssize_t;
 # define __bounded__(x, y, z)
 #endif
+#if !defined(HAVE_ATTRIBUTE__DEAD) && !defined(__dead)
+#ifdef _MSC_VER
+#define __dead __declspec(noreturn)
+#else
+#define __dead __attribute__((__noreturn__))
+#endif
+#endif
+
 #ifdef _WIN32
 #define __warn_references(sym,msg)
 #else
@@ -62,7 +70,7 @@ typedef SSIZE_T ssize_t;
 #if defined(__GNUC__) && defined (HAS_GNU_WARNING_LONG)
 #define __warn_references(sym,msg) \
 __asm__(".section .gnu.warning." __STRING(sym) \
- " ; .ascii \"" msg "\" ; .text");
+ "\n\t.ascii \"" msg "\"\n\t.text");
 #else
 #define __warn_references(sym,msg)
 #endif
diff --git a/include/compat/syslog.h b/include/compat/syslog.h
new file mode 100644
index 0000000..f400ff6
--- /dev/null
+++ b/include/compat/syslog.h
@@ -0,0 +1,37 @@
+/*
+ * Public domain
+ * syslog.h compatibility shim
+ */
+
+#ifndef _WIN32
+#include_next
+#endif
+
+#ifndef LIBCRYPTOCOMPAT_SYSLOG_H
+#define LIBCRYPTOCOMPAT_SYSLOG_H
+
+#ifndef HAVE_SYSLOG_R
+
+#include
+
+#ifdef _WIN32
+#define LOG_INFO 6 /* informational */
+#define LOG_USER (1<<3) /* random user-level messages */
+#define LOG_LOCAL2 (18<<3) /* reserved for local use */
+#endif
+
+struct syslog_data {
+ int log_stat;
+ const char *log_tag;
+ int log_fac;
+ int log_mask;
+};
+
+#define SYSLOG_DATA_INIT {0, (const char *)0, LOG_USER, 0xff}
+
+void syslog_r(int, struct syslog_data *, const char *, ...);
+void vsyslog_r(int, struct syslog_data *, const char *, va_list);
+
+#endif
+
+#endif
diff --git a/include/compat/time.h b/include/compat/time.h
index dc460ef..540807d 100644
--- a/include/compat/time.h
+++ b/include/compat/time.h
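Review bot: The new guard `#if !defined(HAVE_ATTRIBUTE__DEAD) && !defined(__dead)` spells the feature macro without a trailing double underscore, while the project's other attribute feature macros appear to end in one (the build-side name for this attribute looks like `HAVE_ATTRIBUTE__DEAD__`); if that is the case the first operand is never true and only the `!defined(__dead)` test does any work. Either align the spelling, `#if !defined(HAVE_ATTRIBUTE__DEAD__) && !defined(__dead)`, or drop the operand so the intent is visible, and confirm against what the build actually defines. A one-line comment would also help, e.g. `/* OpenBSD supplies __dead itself; elsewhere map it to the compiler's noreturn attribute */`.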
@@ -33,12 +33,17 @@ time_t timegm(struct tm *tm);
 #define CLOCK_REALTIME 0
 #endif
+#ifndef _WIN32
 #ifndef HAVE_CLOCK_GETTIME
 typedef int clockid_t;
 int clock_gettime(clockid_t clock_id, struct timespec *tp);
 #endif
-#ifndef timespecsub
+#ifdef timespecsub
+#define HAVE_TIMESPECSUB
+#endif
+
+#ifndef HAVE_TIMESPECSUB
 #define timespecsub(tsp, usp, vsp) \
 do { \
 (vsp)->tv_sec = (tsp)->tv_sec - (usp)->tv_sec; \
@@ -51,3 +56,5 @@ int clock_gettime(clockid_t clock_id, struct timespec *tp);
 #endif
 #endif
+
+#endif
diff --git a/include/compat/unistd.h b/include/compat/unistd.h
index e70a390..5e6ab1d 100644
--- a/include/compat/unistd.h
+++ b/include/compat/unistd.h
@@ -37,7 +37,14 @@ ssize_t pwrite(int d, const void *buf, size_t nbytes, off_t offset);
 #define access _access
-unsigned int sleep(unsigned int seconds);
+#ifdef _MSC_VER
+#include
+static inline unsigned int sleep(unsigned int seconds)
+{
+ Sleep(seconds * 1000);
+ return seconds;
+}
+#endif
 int ftruncate(int fd, off_t length);
 uid_t getuid(void);
@@ -62,6 +69,7 @@ int getpagesize(void);
 #endif
 #define pledge(request, paths) 0
+#define unveil(path, permissions) 0
 #ifndef HAVE_PIPE2
 int pipe2(int fildes[2], int flags);
diff --git a/include/openssl/asn1.h b/include/openssl/asn1.h
index 6fc4cd7..0a8da41 100644
--- a/include/openssl/asn1.h
+++ b/include/openssl/asn1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1.h,v 1.44 2018/02/14 16:46:04 jsing Exp $ */
+/* $OpenBSD: asn1.h,v 1.53 2018/11/30 04:51:19 jeremy Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -125,7 +125,6 @@ extern "C" {
 #define V_ASN1_UNIVERSALSTRING 28 /**/
 #define V_ASN1_BMPSTRING 30
-/* For use with d2i_ASN1_type_bytes() */
 #define B_ASN1_NUMERICSTRING 0x0001
 #define B_ASN1_PRINTABLESTRING 0x0002
 #define B_ASN1_T61STRING 0x0004
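Review bot: `return seconds;` in the new MSVC `sleep()` shim inverts the POSIX contract, which returns 0 once the whole interval has elapsed and a non-zero remainder only when the sleep was interrupted; since `Sleep()` always waits the full time, a caller written as `while (sleep(n))` would never terminate. The body should be `Sleep(seconds * 1000); return 0;`. The millisecond conversion also wraps for `seconds` above roughly 4.29 million, so clamping to `UINT_MAX / 1000` before multiplying is cheap insurance, and a comment such as `/* Sleep() takes milliseconds and is not interruptible, so the "remaining seconds" result is always 0 */` would record why the return value is constant.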
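Review bot: `#define unveil(path, permissions) 0` reports success on every non-OpenBSD platform, so a caller that checks the return value cannot distinguish an enforced filesystem restriction from a no-op; this mirrors the existing `pledge` stub on the line above, but it deserves a comment so readers do not assume any confinement is in effect here. Something like `/* unveil(2) is OpenBSD-only; elsewhere this is a no-op that reports success, not a sandbox */` above the define would do.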
@@ -543,178 +542,6 @@ typedef struct BIT_STRING_BITNAME_st { const char *sname; } BIT_STRING_BITNAME; -#ifndef LIBRESSL_INTERNAL - -#define M_ASN1_STRING_length(x) ((x)->length) -#define M_ASN1_STRING_length_set(x, n) ((x)->length = (n)) -#define M_ASN1_STRING_type(x) ((x)->type) -#define M_ASN1_STRING_data(x) ((x)->data) - -/* Macros for string operations */ -#define M_ASN1_BIT_STRING_new() (ASN1_BIT_STRING *)\ - ASN1_STRING_type_new(V_ASN1_BIT_STRING) -#define M_ASN1_BIT_STRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_ASN1_BIT_STRING_dup(a) (ASN1_BIT_STRING *)\ - ASN1_STRING_dup((const ASN1_STRING *)a) -#define M_ASN1_BIT_STRING_cmp(a,b) ASN1_STRING_cmp(\ - (const ASN1_STRING *)a,(const ASN1_STRING *)b) -#define M_ASN1_BIT_STRING_set(a,b,c) ASN1_STRING_set((ASN1_STRING *)a,b,c) - -#define M_ASN1_INTEGER_new() (ASN1_INTEGER *)\ - ASN1_STRING_type_new(V_ASN1_INTEGER) -#define M_ASN1_INTEGER_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_ASN1_INTEGER_dup(a) (ASN1_INTEGER *)\ - ASN1_STRING_dup((const ASN1_STRING *)a) -#define M_ASN1_INTEGER_cmp(a,b) ASN1_STRING_cmp(\ - (const ASN1_STRING *)a,(const ASN1_STRING *)b) - -#define M_ASN1_ENUMERATED_new() (ASN1_ENUMERATED *)\ - ASN1_STRING_type_new(V_ASN1_ENUMERATED) -#define M_ASN1_ENUMERATED_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_ASN1_ENUMERATED_dup(a) (ASN1_ENUMERATED *)\ - ASN1_STRING_dup((const ASN1_STRING *)a) -#define M_ASN1_ENUMERATED_cmp(a,b) ASN1_STRING_cmp(\ - (const ASN1_STRING *)a,(const ASN1_STRING *)b) - -#define M_ASN1_OCTET_STRING_new() (ASN1_OCTET_STRING *)\ - ASN1_STRING_type_new(V_ASN1_OCTET_STRING) -#define M_ASN1_OCTET_STRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_ASN1_OCTET_STRING_dup(a) (ASN1_OCTET_STRING *)\ - ASN1_STRING_dup((const ASN1_STRING *)a) -#define M_ASN1_OCTET_STRING_cmp(a,b) ASN1_STRING_cmp(\ - (const ASN1_STRING *)a,(const ASN1_STRING *)b) -#define M_ASN1_OCTET_STRING_set(a,b,c) ASN1_STRING_set((ASN1_STRING *)a,b,c) -#define 
M_ASN1_OCTET_STRING_print(a,b) ASN1_STRING_print(a,(ASN1_STRING *)b) -#define M_i2d_ASN1_OCTET_STRING(a,pp) \ - i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_OCTET_STRING,\ - V_ASN1_UNIVERSAL) - -#define M_ASN1_PRINTABLE_new() ASN1_STRING_type_new(V_ASN1_T61STRING) -#define M_ASN1_PRINTABLE_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_i2d_ASN1_PRINTABLE(a,pp) i2d_ASN1_bytes((ASN1_STRING *)a,\ - pp,a->type,V_ASN1_UNIVERSAL) -#define M_d2i_ASN1_PRINTABLE(a,pp,l) \ - d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l, \ - B_ASN1_PRINTABLE) - -#define M_DIRECTORYSTRING_new() ASN1_STRING_type_new(V_ASN1_PRINTABLESTRING) -#define M_DIRECTORYSTRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_i2d_DIRECTORYSTRING(a,pp) i2d_ASN1_bytes((ASN1_STRING *)a,\ - pp,a->type,V_ASN1_UNIVERSAL) -#define M_d2i_DIRECTORYSTRING(a,pp,l) \ - d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l, \ - B_ASN1_DIRECTORYSTRING) - -#define M_DISPLAYTEXT_new() ASN1_STRING_type_new(V_ASN1_VISIBLESTRING) -#define M_DISPLAYTEXT_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_i2d_DISPLAYTEXT(a,pp) i2d_ASN1_bytes((ASN1_STRING *)a,\ - pp,a->type,V_ASN1_UNIVERSAL) -#define M_d2i_DISPLAYTEXT(a,pp,l) \ - d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l, \ - B_ASN1_DISPLAYTEXT) - -#define M_ASN1_PRINTABLESTRING_new() (ASN1_PRINTABLESTRING *)\ - ASN1_STRING_type_new(V_ASN1_PRINTABLESTRING) -#define M_ASN1_PRINTABLESTRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_i2d_ASN1_PRINTABLESTRING(a,pp) \ - i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_PRINTABLESTRING,\ - V_ASN1_UNIVERSAL) -#define M_d2i_ASN1_PRINTABLESTRING(a,pp,l) \ - (ASN1_PRINTABLESTRING *)d2i_ASN1_type_bytes\ - ((ASN1_STRING **)a,pp,l,B_ASN1_PRINTABLESTRING) - -#define M_ASN1_T61STRING_new() (ASN1_T61STRING *)\ - ASN1_STRING_type_new(V_ASN1_T61STRING) -#define M_ASN1_T61STRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_i2d_ASN1_T61STRING(a,pp) \ - i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_T61STRING,\ - V_ASN1_UNIVERSAL) -#define 
M_d2i_ASN1_T61STRING(a,pp,l) \ - (ASN1_T61STRING *)d2i_ASN1_type_bytes\ - ((ASN1_STRING **)a,pp,l,B_ASN1_T61STRING) - -#define M_ASN1_IA5STRING_new() (ASN1_IA5STRING *)\ - ASN1_STRING_type_new(V_ASN1_IA5STRING) -#define M_ASN1_IA5STRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_ASN1_IA5STRING_dup(a) \ - (ASN1_IA5STRING *)ASN1_STRING_dup((const ASN1_STRING *)a) -#define M_i2d_ASN1_IA5STRING(a,pp) \ - i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_IA5STRING,\ - V_ASN1_UNIVERSAL) -#define M_d2i_ASN1_IA5STRING(a,pp,l) \ - (ASN1_IA5STRING *)d2i_ASN1_type_bytes((ASN1_STRING **)a,pp,l,\ - B_ASN1_IA5STRING) - -#define M_ASN1_UTCTIME_new() (ASN1_UTCTIME *)\ - ASN1_STRING_type_new(V_ASN1_UTCTIME) -#define M_ASN1_UTCTIME_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_ASN1_UTCTIME_dup(a) (ASN1_UTCTIME *)\ - ASN1_STRING_dup((const ASN1_STRING *)a) - -#define M_ASN1_GENERALIZEDTIME_new() (ASN1_GENERALIZEDTIME *)\ - ASN1_STRING_type_new(V_ASN1_GENERALIZEDTIME) -#define M_ASN1_GENERALIZEDTIME_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_ASN1_GENERALIZEDTIME_dup(a) (ASN1_GENERALIZEDTIME *)ASN1_STRING_dup(\ - (const ASN1_STRING *)a) - -#define M_ASN1_TIME_new() (ASN1_TIME *)\ - ASN1_STRING_type_new(V_ASN1_UTCTIME) -#define M_ASN1_TIME_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_ASN1_TIME_dup(a) (ASN1_TIME *)\ - ASN1_STRING_dup((const ASN1_STRING *)a) - -#define M_ASN1_GENERALSTRING_new() (ASN1_GENERALSTRING *)\ - ASN1_STRING_type_new(V_ASN1_GENERALSTRING) -#define M_ASN1_GENERALSTRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_i2d_ASN1_GENERALSTRING(a,pp) \ - i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_GENERALSTRING,\ - V_ASN1_UNIVERSAL) -#define M_d2i_ASN1_GENERALSTRING(a,pp,l) \ - (ASN1_GENERALSTRING *)d2i_ASN1_type_bytes\ - ((ASN1_STRING **)a,pp,l,B_ASN1_GENERALSTRING) - -#define M_ASN1_UNIVERSALSTRING_new() (ASN1_UNIVERSALSTRING *)\ - ASN1_STRING_type_new(V_ASN1_UNIVERSALSTRING) -#define M_ASN1_UNIVERSALSTRING_free(a) 
ASN1_STRING_free((ASN1_STRING *)a) -#define M_i2d_ASN1_UNIVERSALSTRING(a,pp) \ - i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_UNIVERSALSTRING,\ - V_ASN1_UNIVERSAL) -#define M_d2i_ASN1_UNIVERSALSTRING(a,pp,l) \ - (ASN1_UNIVERSALSTRING *)d2i_ASN1_type_bytes\ - ((ASN1_STRING **)a,pp,l,B_ASN1_UNIVERSALSTRING) - -#define M_ASN1_BMPSTRING_new() (ASN1_BMPSTRING *)\ - ASN1_STRING_type_new(V_ASN1_BMPSTRING) -#define M_ASN1_BMPSTRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_i2d_ASN1_BMPSTRING(a,pp) \ - i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_BMPSTRING,\ - V_ASN1_UNIVERSAL) -#define M_d2i_ASN1_BMPSTRING(a,pp,l) \ - (ASN1_BMPSTRING *)d2i_ASN1_type_bytes\ - ((ASN1_STRING **)a,pp,l,B_ASN1_BMPSTRING) - -#define M_ASN1_VISIBLESTRING_new() (ASN1_VISIBLESTRING *)\ - ASN1_STRING_type_new(V_ASN1_VISIBLESTRING) -#define M_ASN1_VISIBLESTRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_i2d_ASN1_VISIBLESTRING(a,pp) \ - i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_VISIBLESTRING,\ - V_ASN1_UNIVERSAL) -#define M_d2i_ASN1_VISIBLESTRING(a,pp,l) \ - (ASN1_VISIBLESTRING *)d2i_ASN1_type_bytes\ - ((ASN1_STRING **)a,pp,l,B_ASN1_VISIBLESTRING) - -#define M_ASN1_UTF8STRING_new() (ASN1_UTF8STRING *)\ - ASN1_STRING_type_new(V_ASN1_UTF8STRING) -#define M_ASN1_UTF8STRING_free(a) ASN1_STRING_free((ASN1_STRING *)a) -#define M_i2d_ASN1_UTF8STRING(a,pp) \ - i2d_ASN1_bytes((ASN1_STRING *)a,pp,V_ASN1_UTF8STRING,\ - V_ASN1_UNIVERSAL) -#define M_d2i_ASN1_UTF8STRING(a,pp,l) \ - (ASN1_UTF8STRING *)d2i_ASN1_type_bytes\ - ((ASN1_STRING **)a,pp,l,B_ASN1_UTF8STRING) - -#endif /* !LIBRESSL_INTERNAL */ - #define B_ASN1_TIME \ B_ASN1_UTCTIME | \ B_ASN1_GENERALIZEDTIME 
@@ -744,9 +571,18 @@ typedef struct BIT_STRING_BITNAME_st { B_ASN1_BMPSTRING|\ B_ASN1_UTF8STRING -/* for the is_set parameter to i2d_ASN1_SET */ -#define IS_SEQUENCE 0 -#define IS_SET 1 +#ifndef LIBRESSL_INTERNAL +#define M_ASN1_IA5STRING_new ASN1_IA5STRING_new + +#define M_ASN1_INTEGER_free ASN1_INTEGER_free +#define M_ASN1_ENUMERATED_free ASN1_ENUMERATED_free +#define M_ASN1_OCTET_STRING_free ASN1_OCTET_STRING_free + +#define M_ASN1_OCTET_STRING_print ASN1_STRING_print + +#define M_ASN1_STRING_data ASN1_STRING_data +#define M_ASN1_STRING_length ASN1_STRING_length +#endif ASN1_TYPE *ASN1_TYPE_new(void); void ASN1_TYPE_free(ASN1_TYPE *a); @@ -754,14 +590,14 @@ ASN1_TYPE *d2i_ASN1_TYPE(ASN1_TYPE **a, const unsigned char **in, long len); int i2d_ASN1_TYPE(ASN1_TYPE *a, unsigned char **out); extern const ASN1_ITEM ASN1_ANY_it; -int ASN1_TYPE_get(ASN1_TYPE *a); +int ASN1_TYPE_get(const ASN1_TYPE *a); void ASN1_TYPE_set(ASN1_TYPE *a, int type, void *value); int ASN1_TYPE_set1(ASN1_TYPE *a, int type, const void *value); -int ASN1_TYPE_cmp(ASN1_TYPE *a, ASN1_TYPE *b); +int ASN1_TYPE_cmp(const ASN1_TYPE *a, const ASN1_TYPE *b); -ASN1_OBJECT *ASN1_OBJECT_new(void ); +ASN1_OBJECT *ASN1_OBJECT_new(void); void ASN1_OBJECT_free(ASN1_OBJECT *a); -int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp); +int i2d_ASN1_OBJECT(const ASN1_OBJECT *a, unsigned char **pp); ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, long length); ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp, @@ -775,7 +611,7 @@ ASN1_STRING *ASN1_STRING_new(void); void ASN1_STRING_free(ASN1_STRING *a); int ASN1_STRING_copy(ASN1_STRING *dst, const ASN1_STRING *str); ASN1_STRING *ASN1_STRING_dup(const ASN1_STRING *a); -ASN1_STRING *ASN1_STRING_type_new(int type ); +ASN1_STRING *ASN1_STRING_type_new(int type); int ASN1_STRING_cmp(const ASN1_STRING *a, const ASN1_STRING *b); /* Since this is used to store all sorts of things, via macros, for now, make its data void * */ 
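Review bot: The object-like aliases `M_ASN1_STRING_data` and `M_ASN1_STRING_length` in the new `#ifndef LIBRESSL_INTERNAL` block change meaning relative to the macros they replace: the removed definitions expanded to `((x)->data)` and `((x)->length)` and were usable as lvalues, whereas `ASN1_STRING_data()` and `ASN1_STRING_length()` are function calls, so any consumer that assigned through the old macros now fails to compile, and `M_ASN1_STRING_length_set` gets no alias at all. That reads as a deliberate narrowing of the compatibility surface, but the block should say so rather than leave readers to reconstruct it from history; a comment above the `#ifndef` such as `/* Aliases for the M_ASN1_* names still in use; these map to functions, not struct fields, and are not assignable */` would suffice.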
@@ -783,7 +619,7 @@ int ASN1_STRING_set(ASN1_STRING *str, const void *data, int len); void ASN1_STRING_set0(ASN1_STRING *str, void *data, int len); int ASN1_STRING_length(const ASN1_STRING *x); void ASN1_STRING_length_set(ASN1_STRING *x, int n); -int ASN1_STRING_type(ASN1_STRING *x); +int ASN1_STRING_type(const ASN1_STRING *x); unsigned char *ASN1_STRING_data(ASN1_STRING *x); const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x); @@ -795,18 +631,18 @@ extern const ASN1_ITEM ASN1_BIT_STRING_it; int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp); ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, const unsigned char **pp, long length); -int ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d, int length ); +int ASN1_BIT_STRING_set(ASN1_BIT_STRING *a, unsigned char *d, int length); int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value); -int ASN1_BIT_STRING_get_bit(ASN1_BIT_STRING *a, int n); -int ASN1_BIT_STRING_check(ASN1_BIT_STRING *a, - unsigned char *flags, int flags_len); +int ASN1_BIT_STRING_get_bit(const ASN1_BIT_STRING *a, int n); +int ASN1_BIT_STRING_check(const ASN1_BIT_STRING *a, + const unsigned char *flags, int flags_len); #ifndef OPENSSL_NO_BIO int ASN1_BIT_STRING_name_print(BIO *out, ASN1_BIT_STRING *bs, BIT_STRING_BITNAME *tbl, int indent); #endif -int ASN1_BIT_STRING_num_asc(char *name, BIT_STRING_BITNAME *tbl); -int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, char *name, int value, +int ASN1_BIT_STRING_num_asc(const char *name, BIT_STRING_BITNAME *tbl); +int ASN1_BIT_STRING_set_asc(ASN1_BIT_STRING *bs, const char *name, int value, BIT_STRING_BITNAME *tbl); int i2d_ASN1_BOOLEAN(int a, unsigned char **pp); 
@@ -831,7 +667,7 @@ ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a, const unsigned char ** int i2d_ASN1_ENUMERATED(ASN1_ENUMERATED *a, unsigned char **out); extern const ASN1_ITEM ASN1_ENUMERATED_it; -int ASN1_UTCTIME_check(ASN1_UTCTIME *a); +int ASN1_UTCTIME_check(const ASN1_UTCTIME *a); ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t); ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t, int offset_day, long offset_sec); @@ -841,7 +677,7 @@ int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str); int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t); #endif /* !LIBRESSL_INTERNAL */ -int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *a); +int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *a); ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s, time_t t); ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s, 
@@ -943,27 +779,21 @@ ASN1_TIME *ASN1_TIME_set(ASN1_TIME *s, time_t t); ASN1_TIME *ASN1_TIME_set_tm(ASN1_TIME *s, struct tm *tm); ASN1_TIME *ASN1_TIME_adj(ASN1_TIME *s, time_t t, int offset_day, long offset_sec); -int ASN1_TIME_check(ASN1_TIME *t); -ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, +int ASN1_TIME_check(const ASN1_TIME *t); +ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(const ASN1_TIME *t, ASN1_GENERALIZEDTIME **out); int ASN1_TIME_set_string(ASN1_TIME *s, const char *str); -int i2d_ASN1_SET(STACK_OF(OPENSSL_BLOCK) *a, unsigned char **pp, - i2d_of_void *i2d, int ex_tag, int ex_class, int is_set); -STACK_OF(OPENSSL_BLOCK) *d2i_ASN1_SET(STACK_OF(OPENSSL_BLOCK) **a, - const unsigned char **pp, long length, d2i_of_void *d2i, - void (*free_func)(OPENSSL_BLOCK), int ex_tag, int ex_class); - #ifndef OPENSSL_NO_BIO -int i2a_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *a); +int i2a_ASN1_INTEGER(BIO *bp, const ASN1_INTEGER *a); int a2i_ASN1_INTEGER(BIO *bp, ASN1_INTEGER *bs, char *buf, int size); -int i2a_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *a); +int i2a_ASN1_ENUMERATED(BIO *bp, const ASN1_ENUMERATED *a); int a2i_ASN1_ENUMERATED(BIO *bp, ASN1_ENUMERATED *bs, char *buf, int size); -int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a); +int i2a_ASN1_OBJECT(BIO *bp, const ASN1_OBJECT *a); int a2i_ASN1_STRING(BIO *bp, ASN1_STRING *bs, char *buf, int size); -int i2a_ASN1_STRING(BIO *bp, ASN1_STRING *a, int type); +int i2a_ASN1_STRING(BIO *bp, const ASN1_STRING *a, int type); #endif -int i2t_ASN1_OBJECT(char *buf, int buf_len, ASN1_OBJECT *a); +int i2t_ASN1_OBJECT(char *buf, int buf_len, const ASN1_OBJECT *a); int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num); ASN1_OBJECT *ASN1_OBJECT_create(int nid, unsigned char *data, int len, 
@@ -975,26 +805,14 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(const BIGNUM *bn, ASN1_INTEGER *ai); BIGNUM *ASN1_INTEGER_to_BN(const ASN1_INTEGER *ai, BIGNUM *bn); int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v); -long ASN1_ENUMERATED_get(ASN1_ENUMERATED *a); -ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai); -BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn); +long ASN1_ENUMERATED_get(const ASN1_ENUMERATED *a); +ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(const BIGNUM *bn, ASN1_ENUMERATED *ai); +BIGNUM *ASN1_ENUMERATED_to_BN(const ASN1_ENUMERATED *ai, BIGNUM *bn); /* General */ /* given a string, return the correct type, max is the maximum length */ int ASN1_PRINTABLE_type(const unsigned char *s, int max); -int i2d_ASN1_bytes(ASN1_STRING *a, unsigned char **pp, int tag, int xclass); -ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, const unsigned char **pp, - long length, int Ptag, int Pclass); -unsigned long ASN1_tag2bit(int tag); -/* type is one or more of the B_ASN1_ values. */ -ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, const unsigned char **pp, - long length, int type); - -/* PARSING */ -int asn1_Finish(ASN1_CTX *c); -int asn1_const_Finish(ASN1_const_CTX *c); - /* SPECIALS */ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag, int *pclass, long omax); 
@@ -1009,25 +827,8 @@ void *ASN1_item_dup(const ASN1_ITEM *it, void *x); #ifndef LIBRESSL_INTERNAL -/* Used to implement other functions */ void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, void *x); -#define ASN1_dup_of(type,i2d,d2i,x) \ - ((type*)ASN1_dup(CHECKED_I2D_OF(type, i2d), \ - CHECKED_D2I_OF(type, d2i), \ - CHECKED_PTR_OF(type, x))) - -#define ASN1_dup_of_const(type,i2d,d2i,x) \ - ((type*)ASN1_dup(CHECKED_I2D_OF(const type, i2d), \ - CHECKED_D2I_OF(type, d2i), \ - CHECKED_PTR_OF(const type, x))) - -/* ASN1 alloc/free macros for when a type is only used internally */ - -#define M_ASN1_new_of(type) (type *)ASN1_item_new(ASN1_ITEM_rptr(type)) -#define M_ASN1_free_of(x, type) \ - ASN1_item_free(CHECKED_PTR_OF(type, x), ASN1_ITEM_rptr(type)) - #endif /* !LIBRESSL_INTERNAL */ void *ASN1_d2i_fp(void *(*xnew)(void), d2i_of_void *d2i, FILE *in, void **x); @@ -1052,9 +853,10 @@ int ASN1_i2d_fp(i2d_of_void *i2d, FILE *out, void *x); CHECKED_PTR_OF(const type, x))) int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x); -int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags); +int ASN1_STRING_print_ex_fp(FILE *fp, const ASN1_STRING *str, + unsigned long flags); -int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in); +int ASN1_STRING_to_UTF8(unsigned char **out, const ASN1_STRING *in); #ifndef OPENSSL_NO_BIO void *ASN1_d2i_bio(void *(*xnew)(void), d2i_of_void *d2i, BIO *in, void **x); 
@@ -1083,12 +885,14 @@ int ASN1_UTCTIME_print(BIO *fp, const ASN1_UTCTIME *a); int ASN1_GENERALIZEDTIME_print(BIO *fp, const ASN1_GENERALIZEDTIME *a); int ASN1_TIME_print(BIO *fp, const ASN1_TIME *a); int ASN1_STRING_print(BIO *bp, const ASN1_STRING *v); -int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags); +int ASN1_STRING_print_ex(BIO *out, const ASN1_STRING *str, unsigned long flags); int ASN1_bn_print(BIO *bp, const char *number, const BIGNUM *num, unsigned char *buf, int off); int ASN1_parse(BIO *bp, const unsigned char *pp, long len, int indent); int ASN1_parse_dump(BIO *bp, const unsigned char *pp, long len, int indent, int dump); #endif + +unsigned long ASN1_tag2bit(int tag); const char *ASN1_tag2str(int tag); /* Used to load and write netscape format cert */ 
@@ -1101,24 +905,17 @@ extern const ASN1_ITEM NETSCAPE_X509_it; int ASN1_UNIVERSALSTRING_to_string(ASN1_UNIVERSALSTRING *s); -int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, unsigned char *data, int len); -int ASN1_TYPE_get_octetstring(ASN1_TYPE *a, unsigned char *data, int max_len); -int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, unsigned char *data, - int len); -int ASN1_TYPE_get_int_octetstring(ASN1_TYPE *a, long *num, unsigned char *data, +int ASN1_TYPE_set_octetstring(ASN1_TYPE *a, const unsigned char *data, int len); +int ASN1_TYPE_get_octetstring(const ASN1_TYPE *a, unsigned char *data, int max_len); - -STACK_OF(OPENSSL_BLOCK) *ASN1_seq_unpack(const unsigned char *buf, int len, - d2i_of_void *d2i, void (*free_func)(OPENSSL_BLOCK)); -unsigned char *ASN1_seq_pack(STACK_OF(OPENSSL_BLOCK) *safes, i2d_of_void *i2d, - unsigned char **buf, int *len ); -void *ASN1_unpack_string(ASN1_STRING *oct, d2i_of_void *d2i); -void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it); -ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d, - ASN1_OCTET_STRING **oct); +int ASN1_TYPE_set_int_octetstring(ASN1_TYPE *a, long num, const unsigned char *data, + int len); +int ASN1_TYPE_get_int_octetstring(const ASN1_TYPE *a, long *num, + unsigned char *data, int max_len); ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_OCTET_STRING **oct); +void *ASN1_item_unpack(const ASN1_STRING *oct, const ASN1_ITEM *it); void ASN1_STRING_set_default_mask(unsigned long mask); int ASN1_STRING_set_default_mask_asc(const char *p); 
@@ -1139,15 +936,15 @@ void ASN1_STRING_TABLE_cleanup(void); /* Old API compatible functions */ ASN1_VALUE *ASN1_item_new(const ASN1_ITEM *it); void ASN1_item_free(ASN1_VALUE *val, const ASN1_ITEM *it); -ASN1_VALUE * ASN1_item_d2i(ASN1_VALUE **val, const unsigned char **in, +ASN1_VALUE *ASN1_item_d2i(ASN1_VALUE **val, const unsigned char **in, long len, const ASN1_ITEM *it); int ASN1_item_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it); int ASN1_item_ndef_i2d(ASN1_VALUE *val, unsigned char **out, const ASN1_ITEM *it); void ASN1_add_oid_module(void); -ASN1_TYPE *ASN1_generate_nconf(char *str, CONF *nconf); -ASN1_TYPE *ASN1_generate_v3(char *str, X509V3_CTX *cnf); +ASN1_TYPE *ASN1_generate_nconf(const char *str, CONF *nconf); +ASN1_TYPE *ASN1_generate_v3(const char *str, X509V3_CTX *cnf); /* ASN1 Print flags */ 
@@ -1174,18 +971,18 @@ int ASN1_item_print(BIO *out, ASN1_VALUE *ifld, int indent, const ASN1_ITEM *it, const ASN1_PCTX *pctx); ASN1_PCTX *ASN1_PCTX_new(void); void ASN1_PCTX_free(ASN1_PCTX *p); -unsigned long ASN1_PCTX_get_flags(ASN1_PCTX *p); +unsigned long ASN1_PCTX_get_flags(const ASN1_PCTX *p); void ASN1_PCTX_set_flags(ASN1_PCTX *p, unsigned long flags); -unsigned long ASN1_PCTX_get_nm_flags(ASN1_PCTX *p); +unsigned long ASN1_PCTX_get_nm_flags(const ASN1_PCTX *p); void ASN1_PCTX_set_nm_flags(ASN1_PCTX *p, unsigned long flags); -unsigned long ASN1_PCTX_get_cert_flags(ASN1_PCTX *p); +unsigned long ASN1_PCTX_get_cert_flags(const ASN1_PCTX *p); void ASN1_PCTX_set_cert_flags(ASN1_PCTX *p, unsigned long flags); -unsigned long ASN1_PCTX_get_oid_flags(ASN1_PCTX *p); +unsigned long ASN1_PCTX_get_oid_flags(const ASN1_PCTX *p); void ASN1_PCTX_set_oid_flags(ASN1_PCTX *p, unsigned long flags); -unsigned long ASN1_PCTX_get_str_flags(ASN1_PCTX *p); +unsigned long ASN1_PCTX_get_str_flags(const ASN1_PCTX *p); void ASN1_PCTX_set_str_flags(ASN1_PCTX *p, unsigned long flags); -BIO_METHOD *BIO_f_asn1(void); +const BIO_METHOD *BIO_f_asn1(void); BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it); @@ -1405,6 +1202,7 @@ void ERR_load_ASN1_strings(void); #define ASN1_R_MSTRING_NOT_UNIVERSAL 139 #define ASN1_R_MSTRING_WRONG_TAG 140 #define ASN1_R_NESTED_ASN1_STRING 197 +#define ASN1_R_NESTED_TOO_DEEP 219 #define ASN1_R_NON_HEX_CHARACTERS 141 #define ASN1_R_NOT_ASCII_FORMAT 190 #define ASN1_R_NOT_ENOUGH_DATA 142 diff --git a/include/openssl/asn1_mac.h b/include/openssl/asn1_mac.h deleted file mode 100644 index fd524dc..0000000 --- a/include/openssl/asn1_mac.h +++ /dev/null 
@@ -1,426 +0,0 @@ -/* $OpenBSD: asn1_mac.h,v 1.14 2014/06/27 04:41:09 miod Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#ifndef HEADER_ASN1_MAC_H -#define HEADER_ASN1_MAC_H - -#include - -#ifdef __cplusplus -extern "C" { -#endif - -#ifndef ASN1_MAC_ERR_LIB -#define ASN1_MAC_ERR_LIB ERR_LIB_ASN1 -#endif - -#define ASN1_MAC_H_err(f,r,line) \ - ERR_PUT_error(ASN1_MAC_ERR_LIB,(f),(r),__FILE__,(line)) - -#define M_ASN1_D2I_vars(a,type,func) \ - ASN1_const_CTX c; \ - type ret=NULL; \ - \ - c.pp=(const unsigned char **)pp; \ - c.q= *(const unsigned char **)pp; \ - c.error=ERR_R_NESTED_ASN1_ERROR; \ - if ((a == NULL) || ((*a) == NULL)) \ - { if ((ret=(type)func()) == NULL) \ - { c.line=__LINE__; goto err; } } \ - else ret=(*a); - -#define M_ASN1_D2I_Init() \ - c.p= *(const unsigned char **)pp; \ - c.max=(length == 0)?0:(c.p+length); - -#define M_ASN1_D2I_Finish_2(a) \ - if (!asn1_const_Finish(&c)) \ - { c.line=__LINE__; goto err; } \ - *(const unsigned char **)pp=c.p; \ - if (a != NULL) (*a)=ret; \ - return(ret); - -#define M_ASN1_D2I_Finish(a,func,e) \ - M_ASN1_D2I_Finish_2(a); \ -err:\ - ASN1_MAC_H_err((e),c.error,c.line); \ - asn1_add_error(*(const unsigned char **)pp,(int)(c.q- *pp)); \ - if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \ - return(NULL) - -#define M_ASN1_D2I_start_sequence() \ - if (!asn1_GetSequence(&c,&length)) \ - { c.line=__LINE__; goto err; } -/* Begin reading ASN1 without a surrounding sequence */ -#define M_ASN1_D2I_begin() \ - c.slen = length; - -/* End reading ASN1 with no check on length */ -#define M_ASN1_D2I_Finish_nolen(a, func, e) \ - *pp=c.p; \ - if (a != NULL) (*a)=ret; \ - return(ret); \ -err:\ - ASN1_MAC_H_err((e),c.error,c.line); \ - asn1_add_error(*pp,(int)(c.q- *pp)); \ - if ((ret != NULL) && ((a == NULL) || (*a != ret))) func(ret); \ - return(NULL) - -#define M_ASN1_D2I_end_sequence() \ - (((c.inf&1) == 0)?(c.slen <= 0): \ - (c.eos=ASN1_const_check_infinite_end(&c.p,c.slen))) - -/* Don't use this with d2i_ASN1_BOOLEAN() */ -#define M_ASN1_D2I_get(b, func) \ - c.q=c.p; \ - if (func(&(b),&c.p,c.slen) == NULL) \ - 
{c.line=__LINE__; goto err; } \ - c.slen-=(c.p-c.q); - -/* Don't use this with d2i_ASN1_BOOLEAN() */ -#define M_ASN1_D2I_get_x(type,b,func) \ - c.q=c.p; \ - if (((D2I_OF(type))func)(&(b),&c.p,c.slen) == NULL) \ - {c.line=__LINE__; goto err; } \ - c.slen-=(c.p-c.q); - -/* use this instead () */ -#define M_ASN1_D2I_get_int(b,func) \ - c.q=c.p; \ - if (func(&(b),&c.p,c.slen) < 0) \ - {c.line=__LINE__; goto err; } \ - c.slen-=(c.p-c.q); - -#define M_ASN1_D2I_get_opt(b,func,type) \ - if ((c.slen != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) \ - == (V_ASN1_UNIVERSAL|(type)))) \ - { \ - M_ASN1_D2I_get(b,func); \ - } - -#define M_ASN1_D2I_get_int_opt(b,func,type) \ - if ((c.slen != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) \ - == (V_ASN1_UNIVERSAL|(type)))) \ - { \ - M_ASN1_D2I_get_int(b,func); \ - } - -#define M_ASN1_D2I_get_imp(b,func, type) \ - M_ASN1_next=(_tmp& V_ASN1_CONSTRUCTED)|type; \ - c.q=c.p; \ - if (func(&(b),&c.p,c.slen) == NULL) \ - {c.line=__LINE__; M_ASN1_next_prev = _tmp; goto err; } \ - c.slen-=(c.p-c.q);\ - M_ASN1_next_prev=_tmp; - -#define M_ASN1_D2I_get_IMP_opt(b,func,tag,type) \ - if ((c.slen != 0) && ((M_ASN1_next & (~V_ASN1_CONSTRUCTED)) == \ - (V_ASN1_CONTEXT_SPECIFIC|(tag)))) \ - { \ - unsigned char _tmp = M_ASN1_next; \ - M_ASN1_D2I_get_imp(b,func, type);\ - } - -#define M_ASN1_D2I_get_set_type(type,r,func,free_func) \ - M_ASN1_D2I_get_imp_set_type(type,r,func,free_func, \ - V_ASN1_SET,V_ASN1_UNIVERSAL); - -#define M_ASN1_D2I_get_set_opt_type(type,r,func,free_func) \ - if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \ - V_ASN1_CONSTRUCTED|V_ASN1_SET)))\ - { M_ASN1_D2I_get_set_type(type,r,func,free_func); } - -#define M_ASN1_I2D_len_SET_opt(a,f) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - M_ASN1_I2D_len_SET(a,f); - -#define M_ASN1_I2D_put_SET_opt(a,f) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - M_ASN1_I2D_put_SET(a,f); - -#define M_ASN1_I2D_put_SEQUENCE_opt(a,f) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - 
M_ASN1_I2D_put_SEQUENCE(a,f); - -#define M_ASN1_I2D_put_SEQUENCE_opt_type(type,a,f) \ - if ((a != NULL) && (sk_##type##_num(a) != 0)) \ - M_ASN1_I2D_put_SEQUENCE_type(type,a,f); - -#define M_ASN1_D2I_get_IMP_set_opt_type(type,b,func,free_func,tag) \ - if ((c.slen != 0) && \ - (M_ASN1_next == \ - (V_ASN1_CONTEXT_SPECIFIC|V_ASN1_CONSTRUCTED|(tag))))\ - { \ - M_ASN1_D2I_get_imp_set_type(type,b,func,free_func,\ - tag,V_ASN1_CONTEXT_SPECIFIC); \ - } - -#define M_ASN1_D2I_get_seq_type(type,r,func,free_func) \ - M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,\ - V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL) - -#define M_ASN1_D2I_get_seq_opt_type(type,r,func,free_func) \ - if ((c.slen != 0) && (M_ASN1_next == (V_ASN1_UNIVERSAL| \ - V_ASN1_CONSTRUCTED|V_ASN1_SEQUENCE)))\ - { M_ASN1_D2I_get_seq_type(type,r,func,free_func); } - -#define M_ASN1_D2I_get_IMP_set_type(type,r,func,free_func,x) \ - M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,\ - x,V_ASN1_CONTEXT_SPECIFIC); - -#define M_ASN1_D2I_get_imp_set_type(type,r,func,free_func,a,b) \ - c.q=c.p; \ - if (d2i_ASN1_SET_OF_##type(&(r),&c.p,c.slen,func,\ - free_func,a,b) == NULL) \ - { c.line=__LINE__; goto err; } \ - c.slen-=(c.p-c.q); - -#define M_ASN1_D2I_get_set_strings(r,func,a,b) \ - c.q=c.p; \ - if (d2i_ASN1_STRING_SET(&(r),&c.p,c.slen,a,b) == NULL) \ - { c.line=__LINE__; goto err; } \ - c.slen-=(c.p-c.q); - -#define M_ASN1_D2I_get_EXP_opt(r,func,tag) \ - if ((c.slen != 0L) && (M_ASN1_next == \ - (V_ASN1_CONSTRUCTED|V_ASN1_CONTEXT_SPECIFIC|tag))) \ - { \ - int Tinf,Ttag,Tclass; \ - long Tlen; \ - \ - c.q=c.p; \ - Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen); \ - if (Tinf & 0x80) \ - { c.error=ERR_R_BAD_ASN1_OBJECT_HEADER; \ - c.line=__LINE__; goto err; } \ - if (Tinf == (V_ASN1_CONSTRUCTED+1)) \ - Tlen = c.slen - (c.p - c.q) - 2; \ - if (func(&(r),&c.p,Tlen) == NULL) \ - { c.line=__LINE__; goto err; } \ - if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \ - Tlen = c.slen - (c.p - c.q); \ - if(!ASN1_const_check_infinite_end(&c.p, 
Tlen)) \ - { c.error=ERR_R_MISSING_ASN1_EOS; \ - c.line=__LINE__; goto err; } \ - }\ - c.slen-=(c.p-c.q); \ - } - -#define M_ASN1_D2I_get_EXP_set_opt_type(type,r,func,free_func,tag,b) \ - if ((c.slen != 0) && (M_ASN1_next == \ - (V_ASN1_CONSTRUCTED|V_ASN1_CONTEXT_SPECIFIC|tag))) \ - { \ - int Tinf,Ttag,Tclass; \ - long Tlen; \ - \ - c.q=c.p; \ - Tinf=ASN1_get_object(&c.p,&Tlen,&Ttag,&Tclass,c.slen); \ - if (Tinf & 0x80) \ - { c.error=ERR_R_BAD_ASN1_OBJECT_HEADER; \ - c.line=__LINE__; goto err; } \ - if (Tinf == (V_ASN1_CONSTRUCTED+1)) \ - Tlen = c.slen - (c.p - c.q) - 2; \ - if (d2i_ASN1_SET_OF_##type(&(r),&c.p,Tlen,func, \ - free_func,b,V_ASN1_UNIVERSAL) == NULL) \ - { c.line=__LINE__; goto err; } \ - if (Tinf == (V_ASN1_CONSTRUCTED+1)) { \ - Tlen = c.slen - (c.p - c.q); \ - if(!ASN1_check_infinite_end(&c.p, Tlen)) \ - { c.error=ERR_R_MISSING_ASN1_EOS; \ - c.line=__LINE__; goto err; } \ - }\ - c.slen-=(c.p-c.q); \ - } - -/* BIG UGLY WARNING! This is so damn ugly I wanna puke. Unfortunately, - some macros that use ASN1_const_CTX still insist on writing in the input - stream. ARGH! ARGH! ARGH! Let's get rid of this macro package. - Please? 
-- Richard Levitte */ -#define M_ASN1_next (*((unsigned char *)(c.p))) -#define M_ASN1_next_prev (*((unsigned char *)(c.q))) - -/*************************************************/ - -#define M_ASN1_I2D_vars(a) int r=0,ret=0; \ - unsigned char *p; \ - if (a == NULL) return(0) - -/* Length Macros */ -#define M_ASN1_I2D_len(a,f) ret+=f(a,NULL) -#define M_ASN1_I2D_len_IMP_opt(a,f) if (a != NULL) M_ASN1_I2D_len(a,f) - -#define M_ASN1_I2D_len_SET_type(type,a,f) \ - ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,V_ASN1_SET, \ - V_ASN1_UNIVERSAL,IS_SET); - -#define M_ASN1_I2D_len_SEQUENCE_type(type,a,f) \ - ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,V_ASN1_SEQUENCE, \ - V_ASN1_UNIVERSAL,IS_SEQUENCE) - -#define M_ASN1_I2D_len_SEQUENCE_opt(a,f) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - M_ASN1_I2D_len_SEQUENCE(a,f); - -#define M_ASN1_I2D_len_SEQUENCE_opt_type(type,a,f) \ - if ((a != NULL) && (sk_##type##_num(a) != 0)) \ - M_ASN1_I2D_len_SEQUENCE_type(type,a,f); - -#define M_ASN1_I2D_len_IMP_SET_type(type,a,f,x) \ - ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \ - V_ASN1_CONTEXT_SPECIFIC,IS_SET); - -#define M_ASN1_I2D_len_IMP_SET_opt_type(type,a,f,x) \ - if ((a != NULL) && (sk_##type##_num(a) != 0)) \ - ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \ - V_ASN1_CONTEXT_SPECIFIC,IS_SET); - -#define M_ASN1_I2D_len_IMP_SEQUENCE_opt_type(type,a,f,x) \ - if ((a != NULL) && (sk_##type##_num(a) != 0)) \ - ret+=i2d_ASN1_SET_OF_##type(a,NULL,f,x, \ - V_ASN1_CONTEXT_SPECIFIC, \ - IS_SEQUENCE); - -#define M_ASN1_I2D_len_EXP_opt(a,f,mtag,v) \ - if (a != NULL)\ - { \ - v=f(a,NULL); \ - ret+=ASN1_object_size(1,v,mtag); \ - } - -#define M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(type,a,f,mtag,tag,v) \ - if ((a != NULL) && (sk_##type##_num(a) != 0))\ - { \ - v=i2d_ASN1_SET_OF_##type(a,NULL,f,tag, \ - V_ASN1_UNIVERSAL, \ - IS_SEQUENCE); \ - ret+=ASN1_object_size(1,v,mtag); \ - } - -/* Put Macros */ -#define M_ASN1_I2D_put(a,f) f(a,&p) - -#define M_ASN1_I2D_put_IMP_opt(a,f,t) \ - if (a != NULL) \ - { \ - unsigned char *q=p; \ 
- f(a,&p); \ - *q=(V_ASN1_CONTEXT_SPECIFIC|t|(*q&V_ASN1_CONSTRUCTED));\ - } - -#define M_ASN1_I2D_put_SET_type(type,a,f) \ - i2d_ASN1_SET_OF_##type(a,&p,f,V_ASN1_SET,V_ASN1_UNIVERSAL,IS_SET) -#define M_ASN1_I2D_put_IMP_SET_type(type,a,f,x) \ - i2d_ASN1_SET_OF_##type(a,&p,f,x,V_ASN1_CONTEXT_SPECIFIC,IS_SET) - -#define M_ASN1_I2D_put_SEQUENCE_type(type,a,f) \ - i2d_ASN1_SET_OF_##type(a,&p,f,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL, \ - IS_SEQUENCE) - -#define M_ASN1_I2D_put_SEQUENCE_opt(a,f) \ - if ((a != NULL) && (sk_num(a) != 0)) \ - M_ASN1_I2D_put_SEQUENCE(a,f); - -#define M_ASN1_I2D_put_IMP_SET_opt_type(type,a,f,x) \ - if ((a != NULL) && (sk_##type##_num(a) != 0)) \ - { i2d_ASN1_SET_OF_##type(a,&p,f,x, \ - V_ASN1_CONTEXT_SPECIFIC, \ - IS_SET); } - -#define M_ASN1_I2D_put_IMP_SEQUENCE_opt_type(type,a,f,x) \ - if ((a != NULL) && (sk_##type##_num(a) != 0)) \ - { i2d_ASN1_SET_OF_##type(a,&p,f,x, \ - V_ASN1_CONTEXT_SPECIFIC, \ - IS_SEQUENCE); } - -#define M_ASN1_I2D_put_EXP_opt(a,f,tag,v) \ - if (a != NULL) \ - { \ - ASN1_put_object(&p,1,v,tag,V_ASN1_CONTEXT_SPECIFIC); \ - f(a,&p); \ - } - -#define M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(type,a,f,mtag,tag,v) \ - if ((a != NULL) && (sk_##type##_num(a) != 0)) \ - { \ - ASN1_put_object(&p,1,v,mtag,V_ASN1_CONTEXT_SPECIFIC); \ - i2d_ASN1_SET_OF_##type(a,&p,f,tag,V_ASN1_UNIVERSAL, \ - IS_SEQUENCE); \ - } - -#define M_ASN1_I2D_seq_total() \ - r=ASN1_object_size(1,ret,V_ASN1_SEQUENCE); \ - if (pp == NULL) return(r); \ - p= *pp; \ - ASN1_put_object(&p,1,ret,V_ASN1_SEQUENCE,V_ASN1_UNIVERSAL) - -#define M_ASN1_I2D_INF_seq_start(tag,ctx) \ - *(p++)=(V_ASN1_CONSTRUCTED|(tag)|(ctx)); \ - *(p++)=0x80 - -#define M_ASN1_I2D_INF_seq_end() *(p++)=0x00; *(p++)=0x00 - -#define M_ASN1_I2D_finish() *pp=p; \ - return(r); - -int asn1_GetSequence(ASN1_const_CTX *c, long *length); -void asn1_add_error(const unsigned char *address, int offset); -#ifdef __cplusplus -} -#endif - -#endif 
diff --git a/include/openssl/asn1t.h b/include/openssl/asn1t.h index ba380bd..d6168b6 100644 --- a/include/openssl/asn1t.h +++ b/include/openssl/asn1t.h @@ -1,4 +1,4 @@ -/* $OpenBSD: asn1t.h,v 1.14 2016/12/27 15:12:51 jsing Exp $ */ +/* $OpenBSD: asn1t.h,v 1.15 2019/08/20 13:10:09 inoguchi Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 2000. */ @@ -81,6 +81,9 @@ extern "C" { #define ASN1_ITEM_start(itname) \ const ASN1_ITEM itname##_it = { +#define static_ASN1_ITEM_start(itname) \ + static const ASN1_ITEM itname##_it = { + #define ASN1_ITEM_end(itname) \ }; @@ -103,6 +106,18 @@ extern "C" { #tname \ ASN1_ITEM_end(tname) +#define static_ASN1_ITEM_TEMPLATE_END(tname) \ + ;\ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_PRIMITIVE,\ + -1,\ + &tname##_item_tt,\ + 0,\ + NULL,\ + 0,\ + #tname \ + ASN1_ITEM_end(tname) + /* This is a ASN1 type which just embeds a template */ @@ -131,6 +146,8 @@ extern "C" { #define ASN1_SEQUENCE_END(stname) ASN1_SEQUENCE_END_name(stname, stname) +#define static_ASN1_SEQUENCE_END(stname) static_ASN1_SEQUENCE_END_name(stname, stname) + #define ASN1_SEQUENCE_END_name(stname, tname) \ ;\ ASN1_ITEM_start(tname) \ @@ -143,6 +160,18 @@ extern "C" { #stname \ ASN1_ITEM_end(tname) +#define static_ASN1_SEQUENCE_END_name(stname, tname) \ + ;\ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_SEQUENCE,\ + V_ASN1_SEQUENCE,\ + tname##_seq_tt,\ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ + NULL,\ + sizeof(stname),\ + #stname \ + ASN1_ITEM_end(tname) + #define ASN1_NDEF_SEQUENCE(tname) \ ASN1_SEQUENCE(tname) 
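Review bot: Each new `static_ASN1_*_END*` macro here (`static_ASN1_ITEM_TEMPLATE_END`, `static_ASN1_SEQUENCE_END_name`) repeats the whole initializer list of its non-static counterpart with only the `ASN1_ITEM_start` line swapped for `static_ASN1_ITEM_start`, and the same copy-and-edit pattern continues in the `@@ -177,12 +206,26 @@`, `@@ -195,6 +238,18 @@` and `@@ -253,6 +312,18 @@` hunks. Two copies of every initializer list will drift the next time a field is added to `ASN1_ITEM`, and nothing ties them together. One body macro taking the start macro as a parameter (sketch: `#define ASN1_SEQUENCE_END_name_(start, stname, tname) ;\ start(tname) ASN1_ITYPE_SEQUENCE, ... ASN1_ITEM_end(tname)`), with `ASN1_SEQUENCE_END_name` and `static_ASN1_SEQUENCE_END_name` as one-line wrappers passing `ASN1_ITEM_start` or `static_ASN1_ITEM_start`, keeps a single source of truth. If the duplication is deliberate to stay byte-for-byte with upstream OpenBSD, a comment saying so above the first `static_` macro would stop a later reviewer from refactoring it.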
@@ -177,12 +206,26 @@ extern "C" { #tname \ ASN1_ITEM_end(tname) +#define static_ASN1_NDEF_SEQUENCE_END(tname) \ + ;\ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_NDEF_SEQUENCE,\ + V_ASN1_SEQUENCE,\ + tname##_seq_tt,\ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ + NULL,\ + sizeof(tname),\ + #tname \ + ASN1_ITEM_end(tname) + #define ASN1_BROKEN_SEQUENCE_END(stname) ASN1_SEQUENCE_END_ref(stname, stname) #define ASN1_SEQUENCE_END_enc(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname) #define ASN1_SEQUENCE_END_cb(stname, tname) ASN1_SEQUENCE_END_ref(stname, tname) +#define static_ASN1_SEQUENCE_END_cb(stname, tname) static_ASN1_SEQUENCE_END_ref(stname, tname) + #define ASN1_SEQUENCE_END_ref(stname, tname) \ ;\ ASN1_ITEM_start(tname) \ @@ -195,6 +238,18 @@ extern "C" { #stname \ ASN1_ITEM_end(tname) +#define static_ASN1_SEQUENCE_END_ref(stname, tname) \ + ;\ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_SEQUENCE,\ + V_ASN1_SEQUENCE,\ + tname##_seq_tt,\ + sizeof(tname##_seq_tt) / sizeof(ASN1_TEMPLATE),\ + &tname##_aux,\ + sizeof(stname),\ + #stname \ + ASN1_ITEM_end(tname) + #define ASN1_NDEF_SEQUENCE_END_cb(stname, tname) \ ;\ ASN1_ITEM_start(tname) \ @@ -239,8 +294,12 @@ extern "C" { #define ASN1_CHOICE_END(stname) ASN1_CHOICE_END_name(stname, stname) +#define static_ASN1_CHOICE_END(stname) static_ASN1_CHOICE_END_name(stname, stname) + #define ASN1_CHOICE_END_name(stname, tname) ASN1_CHOICE_END_selector(stname, tname, type) +#define static_ASN1_CHOICE_END_name(stname, tname) static_ASN1_CHOICE_END_selector(stname, tname, type) + #define ASN1_CHOICE_END_selector(stname, tname, selname) \ ;\ ASN1_ITEM_start(tname) \ 
@@ -253,6 +312,18 @@ extern "C" { #stname \ ASN1_ITEM_end(tname) +#define static_ASN1_CHOICE_END_selector(stname, tname, selname) \ + ;\ + static_ASN1_ITEM_start(tname) \ + ASN1_ITYPE_CHOICE,\ + offsetof(stname,selname) ,\ + tname##_ch_tt,\ + sizeof(tname##_ch_tt) / sizeof(ASN1_TEMPLATE),\ + NULL,\ + sizeof(stname),\ + #stname \ + ASN1_ITEM_end(tname) + #define ASN1_CHOICE_END_cb(stname, tname, selname) \ ;\ ASN1_ITEM_start(tname) \ diff --git a/include/openssl/bio.h b/include/openssl/bio.h index c4d3b23..9fbf3bc 100644 --- a/include/openssl/bio.h +++ b/include/openssl/bio.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bio.h,v 1.40 2018/03/17 15:05:55 tb Exp $ */ +/* $OpenBSD: bio.h,v 1.45 2018/06/02 04:41:12 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -286,7 +286,7 @@ typedef struct bio_method_st { } BIO_METHOD; struct bio_st { - BIO_METHOD *method; + const BIO_METHOD *method; /* bio, mode, argp, argi, argl, ret */ long (*callback)(struct bio_st *, int, const char *, int, long, long); char *cb_arg; /* first argument for the callback */ 
@@ -337,22 +337,22 @@ typedef int asn1_ps_func(BIO *b, unsigned char **pbuf, int *plen, void *parg); /* BIO_METHOD accessors */ BIO_METHOD *BIO_meth_new(int type, const char *name); void BIO_meth_free(BIO_METHOD *biom); -int (*BIO_meth_get_write(BIO_METHOD *biom))(BIO *, const char *, int); +int (*BIO_meth_get_write(const BIO_METHOD *biom))(BIO *, const char *, int); int BIO_meth_set_write(BIO_METHOD *biom, int (*write)(BIO *, const char *, int)); -int (*BIO_meth_get_read(BIO_METHOD *biom))(BIO *, char *, int); +int (*BIO_meth_get_read(const BIO_METHOD *biom))(BIO *, char *, int); int BIO_meth_set_read(BIO_METHOD *biom, int (*read)(BIO *, char *, int)); -int (*BIO_meth_get_puts(BIO_METHOD *biom))(BIO *, const char *); +int (*BIO_meth_get_puts(const BIO_METHOD *biom))(BIO *, const char *); int BIO_meth_set_puts(BIO_METHOD *biom, int (*puts)(BIO *, const char *)); -int (*BIO_meth_get_gets(BIO_METHOD *biom))(BIO *, char *, int); +int (*BIO_meth_get_gets(const BIO_METHOD *biom))(BIO *, char *, int); int BIO_meth_set_gets(BIO_METHOD *biom, int (*gets)(BIO *, char *, int)); -long (*BIO_meth_get_ctrl(BIO_METHOD *biom))(BIO *, int, long, void *); +long (*BIO_meth_get_ctrl(const BIO_METHOD *biom))(BIO *, int, long, void *); int BIO_meth_set_ctrl(BIO_METHOD *biom, long (*ctrl)(BIO *, int, long, void *)); -int (*BIO_meth_get_create(BIO_METHOD *biom))(BIO *); +int (*BIO_meth_get_create(const BIO_METHOD *biom))(BIO *); int BIO_meth_set_create(BIO_METHOD *biom, int (*create)(BIO *)); -int (*BIO_meth_get_destroy(BIO_METHOD *biom))(BIO *); +int (*BIO_meth_get_destroy(const BIO_METHOD *biom))(BIO *); int BIO_meth_set_destroy(BIO_METHOD *biom, int (*destroy)(BIO *)); -long (*BIO_meth_get_callback_ctrl(BIO_METHOD *biom))(BIO *, int, BIO_info_cb *); +long (*BIO_meth_get_callback_ctrl(const BIO_METHOD *biom))(BIO *, int, BIO_info_cb *); int BIO_meth_set_callback_ctrl(BIO_METHOD *biom, long (*callback_ctrl)(BIO *, int, BIO_info_cb *)); 
@@ -597,12 +597,12 @@ BIO_asn1_get_suffix(BIO *b, asn1_ps_func **psuffix, asn1_ps_func **psuffix_free); int BIO_get_new_index(void); -BIO_METHOD *BIO_s_file(void ); +const BIO_METHOD *BIO_s_file(void); BIO *BIO_new_file(const char *filename, const char *mode); BIO *BIO_new_fp(FILE *stream, int close_flag); # define BIO_s_file_internal BIO_s_file -BIO * BIO_new(BIO_METHOD *type); -int BIO_set(BIO *a, BIO_METHOD *type); +BIO *BIO_new(const BIO_METHOD *type); +int BIO_set(BIO *a, const BIO_METHOD *type); int BIO_free(BIO *a); int BIO_up_ref(BIO *bio); void *BIO_get_data(BIO *a); @@ -641,20 +641,20 @@ int BIO_nwrite(BIO *bio, char **buf, int num); long BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret); -BIO_METHOD *BIO_s_mem(void); -BIO *BIO_new_mem_buf(void *buf, int len); -BIO_METHOD *BIO_s_socket(void); -BIO_METHOD *BIO_s_connect(void); -BIO_METHOD *BIO_s_accept(void); -BIO_METHOD *BIO_s_fd(void); -BIO_METHOD *BIO_s_log(void); -BIO_METHOD *BIO_s_bio(void); -BIO_METHOD *BIO_s_null(void); -BIO_METHOD *BIO_f_null(void); -BIO_METHOD *BIO_f_buffer(void); -BIO_METHOD *BIO_f_nbio_test(void); +const BIO_METHOD *BIO_s_mem(void); +BIO *BIO_new_mem_buf(const void *buf, int len); +const BIO_METHOD *BIO_s_socket(void); +const BIO_METHOD *BIO_s_connect(void); +const BIO_METHOD *BIO_s_accept(void); +const BIO_METHOD *BIO_s_fd(void); +const BIO_METHOD *BIO_s_log(void); +const BIO_METHOD *BIO_s_bio(void); +const BIO_METHOD *BIO_s_null(void); +const BIO_METHOD *BIO_f_null(void); +const BIO_METHOD *BIO_f_buffer(void); +const BIO_METHOD *BIO_f_nbio_test(void); #ifndef OPENSSL_NO_DGRAM -BIO_METHOD *BIO_s_datagram(void); +const BIO_METHOD *BIO_s_datagram(void); #endif /* BIO_METHOD *BIO_f_ber(void); */ 
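Review bot: `BIO *BIO_new_mem_buf(const void *buf, int len);` now promises not to write through `buf`, but the prototype still says nothing about ownership: the memory BIO presumably references the caller's buffer rather than copying it, so the buffer must outlive the BIO, and the added `const` makes it tempting to pass a temporary. A comment above the declaration, `/* Read-only BIO over caller-owned memory; buf must stay valid for the BIO's lifetime */`, would state the contract where callers look for it. `len` also stays `int`; if a negative value carries a special meaning here, say so in the same comment rather than leaving callers to read the implementation.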
@@ -698,8 +698,8 @@ int BIO_set_tcp_ndelay(int sock, int turn_on); BIO *BIO_new_socket(int sock, int close_flag); BIO *BIO_new_dgram(int fd, int close_flag); BIO *BIO_new_fd(int fd, int close_flag); -BIO *BIO_new_connect(char *host_port); -BIO *BIO_new_accept(char *host_port); +BIO *BIO_new_connect(const char *host_port); +BIO *BIO_new_accept(const char *host_port); int BIO_new_bio_pair(BIO **bio1, size_t writebuf1, diff --git a/include/openssl/bn.h b/include/openssl/bn.h index cd94e39..cc1f467 100644 --- a/include/openssl/bn.h +++ b/include/openssl/bn.h @@ -1,4 +1,4 @@ -/* $OpenBSD: bn.h,v 1.38 2018/02/20 17:13:14 jsing Exp $ */ +/* $OpenBSD: bn.h,v 1.39 2019/08/25 19:23:59 schwarze Exp $ */ /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -308,24 +308,79 @@ int BN_GENCB_call(BN_GENCB *cb, int a, int b); #define BN_prime_checks 0 /* default: select number of iterations based on the size of the number */ -/* number of Miller-Rabin iterations for an error rate of less than 2^-80 - * for random 'b'-bit input, b >= 100 (taken from table 4.4 in the Handbook - * of Applied Cryptography [Menezes, van Oorschot, Vanstone; CRC Press 1996]; - * original paper: Damgaard, Landrock, Pomerance: Average case error estimates - * for the strong probable prime test. -- Math. Comp. 61 (1993) 177-194) */ -#define BN_prime_checks_for_size(b) ((b) >= 1300 ? 2 : \ - (b) >= 850 ? 3 : \ - (b) >= 650 ? 4 : \ - (b) >= 550 ? 5 : \ - (b) >= 450 ? 6 : \ - (b) >= 400 ? 7 : \ - (b) >= 350 ? 8 : \ - (b) >= 300 ? 9 : \ - (b) >= 250 ? 12 : \ - (b) >= 200 ? 15 : \ - (b) >= 150 ? 18 : \ - /* b >= 100 */ 27) +/* + * BN_prime_checks_for_size() returns the number of Miller-Rabin + * iterations that will be done for checking that a random number + * is probably prime. The error rate for accepting a composite + * number as prime depends on the size of the prime |b|. The error + * rates used are for calculating an RSA key with 2 primes, and so + * the level is what you would expect for a key of double the size + * of the prime. + * + * This table is generated using the algorithm of FIPS PUB 186-4 + * Digital Signature Standard (DSS), section F.1, page 117. 
+ * (https://dx.doi.org/10.6028/NIST.FIPS.186-4) + * + * The following magma script was used to generate the output: + * securitybits:=125; + * k:=1024; + * for t:=1 to 65 do + * for M:=3 to Floor(2*Sqrt(k-1)-1) do + * S:=0; + * // Sum over m + * for m:=3 to M do + * s:=0; + * // Sum over j + * for j:=2 to m do + * s+:=(RealField(32)!2)^-(j+(k-1)/j); + * end for; + * S+:=2^(m-(m-1)*t)*s; + * end for; + * A:=2^(k-2-M*t); + * B:=8*(Pi(RealField(32))^2-6)/3*2^(k-2)*S; + * pkt:=2.00743*Log(2)*k*2^-k*(A+B); + * seclevel:=Floor(-Log(2,pkt)); + * if seclevel ge securitybits then + * printf "k: %5o, security: %o bits (t: %o, M: %o)\n",k,seclevel,t,M; + * break; + * end if; + * end for; + * if seclevel ge securitybits then break; end if; + * end for; + * + * It can be run online at: + * http://magma.maths.usyd.edu.au/calc + * + * And will output: + * k: 1024, security: 129 bits (t: 6, M: 23) + * + * k is the number of bits of the prime, securitybits is the level + * we want to reach. + * + * prime length | RSA key size | # MR tests | security level + * -------------+--------------|------------+--------------- + * (b) >= 6394 | >= 12788 | 3 | 256 bit + * (b) >= 3747 | >= 7494 | 3 | 192 bit + * (b) >= 1345 | >= 2690 | 4 | 128 bit + * (b) >= 1080 | >= 2160 | 5 | 128 bit + * (b) >= 852 | >= 1704 | 5 | 112 bit + * (b) >= 476 | >= 952 | 5 | 80 bit + * (b) >= 400 | >= 800 | 6 | 80 bit + * (b) >= 347 | >= 694 | 7 | 80 bit + * (b) >= 308 | >= 616 | 8 | 80 bit + * (b) >= 55 | >= 110 | 27 | 64 bit + * (b) >= 6 | >= 12 | 34 | 64 bit + */ +#define BN_prime_checks_for_size(b) ((b) >= 3747 ? 3 : \ + (b) >= 1345 ? 4 : \ + (b) >= 476 ? 5 : \ + (b) >= 400 ? 6 : \ + (b) >= 347 ? 7 : \ + (b) >= 308 ? 8 : \ + (b) >= 55 ? 27 : \ + /* b >= 6 */ 34) + #define BN_num_bytes(a) ((BN_num_bits(a)+7)/8) /* Note that BN_abs_is_word didn't work reliably for w == 0 until 0.9.8 */ diff --git a/include/openssl/chacha.h b/include/openssl/chacha.h index 8d94e62..e2345b2 100644 --- a/include/openssl/chacha.h 
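Review bot: The new `BN_prime_checks_for_size()` table is only valid for candidates drawn uniformly at random, which the comment's "random number" wording and the FIPS 186-4 F.1 derivation imply but never state; since the size-based default is reachable through `BN_prime_checks` (0) for any input, a reader can easily apply these small round counts to a value received from a peer, where the Miller-Rabin error bound for adversarially constructed composites is far weaker. Suggest adding one sentence to the comment: `* NOTE: these counts assume a uniformly random candidate; they give no guarantee for numbers supplied by an untrusted party, which need a fixed, larger round count.` The comment's table also lists rows (6394, 1080, 852) that the macro folds into neighbours with the same count, which is harmless but costs the reader a comparison; a short `/* rows with equal counts merged */` beside the macro would save it.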
+++ b/include/openssl/chacha.h @@ -1,4 +1,4 @@ -/* $OpenBSD: chacha.h,v 1.7 2015/12/09 14:07:55 bcook Exp $ */ +/* $OpenBSD: chacha.h,v 1.8 2019/01/22 00:59:21 dlg Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -46,6 +46,10 @@ void ChaCha(ChaCha_ctx *ctx, unsigned char *out, const unsigned char *in, void CRYPTO_chacha_20(unsigned char *out, const unsigned char *in, size_t len, const unsigned char key[32], const unsigned char iv[8], uint64_t counter); +void CRYPTO_xchacha_20(unsigned char *out, const unsigned char *in, size_t len, + const unsigned char key[32], const unsigned char iv[24]); +void CRYPTO_hchacha_20(unsigned char out[32], + const unsigned char key[32], const unsigned char iv[16]); #ifdef __cplusplus } diff --git a/include/openssl/cms.h b/include/openssl/cms.h new file mode 100644 index 0000000..3c92be3 --- /dev/null +++ b/include/openssl/cms.h 
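Review bot: The two added prototypes `CRYPTO_xchacha_20` and `CRYPTO_hchacha_20` in the `@@ -46,6 +46,10 @@` hunk carry no comment, and here the array sizes are the whole contract: the XChaCha variant takes a 24-byte `iv` where `CRYPTO_chacha_20` takes 8 bytes plus an explicit 64-bit `counter`, and the HChaCha function writes a 32-byte derived key from `key` and a 16-byte `iv`. Because `CRYPTO_xchacha_20` has no counter argument, the starting block counter it uses is implicit and should be written down — presumably 0, confirm against the implementation. The larger nonce is the point of the variant (it is what makes randomly generated nonces safe, which the 64-bit nonce of `CRYPTO_chacha_20` does not), so one sentence saying so helps callers pick the right function. Suggested comments: `/* XChaCha20: 192-bit nonce; block counter starts at [initial counter] */` and `/* HChaCha20: derive a 256-bit subkey from key and a 128-bit input */`.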
@@ -0,0 +1,532 @@ +/* $OpenBSD: cms.h,v 1.15 2019/08/11 10:15:30 jsing Exp $ */ +/* + * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL + * project. + */ +/* ==================================================================== + * Copyright (c) 2008 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * licensing@OpenSSL.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + */ + +#ifndef HEADER_CMS_H +#define HEADER_CMS_H + +#include + +#ifndef OPENSSL_NO_CMS +#include +#include +#ifdef __cplusplus +extern "C" { +#endif + +typedef struct CMS_ContentInfo_st CMS_ContentInfo; +typedef struct CMS_SignerInfo_st CMS_SignerInfo; +typedef struct CMS_CertificateChoices CMS_CertificateChoices; +typedef struct CMS_RevocationInfoChoice_st CMS_RevocationInfoChoice; +typedef struct CMS_RecipientInfo_st CMS_RecipientInfo; +typedef struct CMS_ReceiptRequest_st CMS_ReceiptRequest; +typedef struct CMS_Receipt_st CMS_Receipt; +typedef struct CMS_RecipientEncryptedKey_st CMS_RecipientEncryptedKey; +typedef struct CMS_OtherKeyAttribute_st CMS_OtherKeyAttribute; + +DECLARE_STACK_OF(CMS_SignerInfo) +DECLARE_STACK_OF(CMS_RecipientEncryptedKey) +DECLARE_STACK_OF(CMS_RecipientInfo) +DECLARE_STACK_OF(CMS_RevocationInfoChoice) +CMS_ContentInfo *CMS_ContentInfo_new(void); +void CMS_ContentInfo_free(CMS_ContentInfo *a); +CMS_ContentInfo *d2i_CMS_ContentInfo(CMS_ContentInfo **a, const unsigned char **in, long len); +int i2d_CMS_ContentInfo(CMS_ContentInfo *a, unsigned char **out); +extern const ASN1_ITEM CMS_ContentInfo_it; +CMS_ReceiptRequest *CMS_ReceiptRequest_new(void); +void CMS_ReceiptRequest_free(CMS_ReceiptRequest *a); +CMS_ReceiptRequest *d2i_CMS_ReceiptRequest(CMS_ReceiptRequest **a, const unsigned char **in, long len); +int 
i2d_CMS_ReceiptRequest(CMS_ReceiptRequest *a, unsigned char **out); +extern const ASN1_ITEM CMS_ReceiptRequest_it; +int CMS_ContentInfo_print_ctx(BIO *out, CMS_ContentInfo *x, int indent, const ASN1_PCTX *pctx); + +#define CMS_SIGNERINFO_ISSUER_SERIAL 0 +#define CMS_SIGNERINFO_KEYIDENTIFIER 1 + +#define CMS_RECIPINFO_NONE -1 +#define CMS_RECIPINFO_TRANS 0 +#define CMS_RECIPINFO_AGREE 1 +#define CMS_RECIPINFO_KEK 2 +#define CMS_RECIPINFO_PASS 3 +#define CMS_RECIPINFO_OTHER 4 + +/* S/MIME related flags */ + +#define CMS_TEXT 0x1 +#define CMS_NOCERTS 0x2 +#define CMS_NO_CONTENT_VERIFY 0x4 +#define CMS_NO_ATTR_VERIFY 0x8 +#define CMS_NOSIGS \ + (CMS_NO_CONTENT_VERIFY|CMS_NO_ATTR_VERIFY) +#define CMS_NOINTERN 0x10 +#define CMS_NO_SIGNER_CERT_VERIFY 0x20 +#define CMS_NOVERIFY 0x20 +#define CMS_DETACHED 0x40 +#define CMS_BINARY 0x80 +#define CMS_NOATTR 0x100 +#define CMS_NOSMIMECAP 0x200 +#define CMS_NOOLDMIMETYPE 0x400 +#define CMS_CRLFEOL 0x800 +#define CMS_STREAM 0x1000 +#define CMS_NOCRL 0x2000 +#define CMS_PARTIAL 0x4000 +#define CMS_REUSE_DIGEST 0x8000 +#define CMS_USE_KEYID 0x10000 +#define CMS_DEBUG_DECRYPT 0x20000 +#define CMS_KEY_PARAM 0x40000 +#define CMS_ASCIICRLF 0x80000 + +const ASN1_OBJECT *CMS_get0_type(const CMS_ContentInfo *cms); + +BIO *CMS_dataInit(CMS_ContentInfo *cms, BIO *icont); +int CMS_dataFinal(CMS_ContentInfo *cms, BIO *bio); + +ASN1_OCTET_STRING **CMS_get0_content(CMS_ContentInfo *cms); +int CMS_is_detached(CMS_ContentInfo *cms); +int CMS_set_detached(CMS_ContentInfo *cms, int detached); + +#ifdef HEADER_PEM_H +CMS_ContentInfo *PEM_read_bio_CMS(BIO *bp, CMS_ContentInfo **x, + pem_password_cb *cb, void *u); +CMS_ContentInfo *PEM_read_CMS(FILE *fp, CMS_ContentInfo **x, + pem_password_cb *cb, void *u); +int PEM_write_bio_CMS(BIO *bp, const CMS_ContentInfo *x); +int PEM_write_CMS(FILE *fp, const CMS_ContentInfo *x); +#endif +int CMS_stream(unsigned char ***boundary, CMS_ContentInfo *cms); +CMS_ContentInfo *d2i_CMS_bio(BIO *bp, CMS_ContentInfo 
**cms); +int i2d_CMS_bio(BIO *bp, CMS_ContentInfo *cms); + +BIO *BIO_new_CMS(BIO *out, CMS_ContentInfo *cms); +int i2d_CMS_bio_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, int flags); +int PEM_write_bio_CMS_stream(BIO *out, CMS_ContentInfo *cms, BIO *in, + int flags); +CMS_ContentInfo *SMIME_read_CMS(BIO *bio, BIO **bcont); +int SMIME_write_CMS(BIO *bio, CMS_ContentInfo *cms, BIO *data, int flags); + +int CMS_final(CMS_ContentInfo *cms, BIO *data, BIO *dcont, unsigned int flags); + +CMS_ContentInfo *CMS_sign(X509 *signcert, EVP_PKEY *pkey, STACK_OF(X509) *certs, + BIO *data, unsigned int flags); + +CMS_ContentInfo *CMS_sign_receipt(CMS_SignerInfo *si, X509 *signcert, + EVP_PKEY *pkey, STACK_OF(X509) *certs, unsigned int flags); + +int CMS_data(CMS_ContentInfo *cms, BIO *out, unsigned int flags); +CMS_ContentInfo *CMS_data_create(BIO *in, unsigned int flags); + +int CMS_digest_verify(CMS_ContentInfo *cms, BIO *dcont, BIO *out, + unsigned int flags); +CMS_ContentInfo *CMS_digest_create(BIO *in, const EVP_MD *md, + unsigned int flags); + +int CMS_EncryptedData_decrypt(CMS_ContentInfo *cms, const unsigned char *key, + size_t keylen, BIO *dcont, BIO *out, unsigned int flags); + +CMS_ContentInfo *CMS_EncryptedData_encrypt(BIO *in, const EVP_CIPHER *cipher, + const unsigned char *key, size_t keylen, unsigned int flags); + +int CMS_EncryptedData_set1_key(CMS_ContentInfo *cms, const EVP_CIPHER *ciph, + const unsigned char *key, size_t keylen); + +int CMS_verify(CMS_ContentInfo *cms, STACK_OF(X509) *certs, + X509_STORE *store, BIO *dcont, BIO *out, unsigned int flags); + +int CMS_verify_receipt(CMS_ContentInfo *rcms, CMS_ContentInfo *ocms, + STACK_OF(X509) *certs, X509_STORE *store, unsigned int flags); + +STACK_OF(X509) *CMS_get0_signers(CMS_ContentInfo *cms); + +CMS_ContentInfo *CMS_encrypt(STACK_OF(X509) *certs, BIO *in, + const EVP_CIPHER *cipher, unsigned int flags); + +int CMS_decrypt(CMS_ContentInfo *cms, EVP_PKEY *pkey, X509 *cert, + BIO *dcont, BIO *out, unsigned 
int flags);
+
+int CMS_decrypt_set1_pkey(CMS_ContentInfo *cms, EVP_PKEY *pk, X509 *cert);
+int CMS_decrypt_set1_key(CMS_ContentInfo *cms, unsigned char *key,
+ size_t keylen, const unsigned char *id, size_t idlen);
+int CMS_decrypt_set1_password(CMS_ContentInfo *cms, unsigned char *pass,
+ ssize_t passlen);
+
+STACK_OF(CMS_RecipientInfo) *CMS_get0_RecipientInfos(CMS_ContentInfo *cms);
+int CMS_RecipientInfo_type(CMS_RecipientInfo *ri);
+EVP_PKEY_CTX *CMS_RecipientInfo_get0_pkey_ctx(CMS_RecipientInfo *ri);
+CMS_ContentInfo *CMS_EnvelopedData_create(const EVP_CIPHER *cipher);
+CMS_RecipientInfo *CMS_add1_recipient_cert(CMS_ContentInfo *cms, X509 *recip,
+ unsigned int flags);
+int CMS_RecipientInfo_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pkey);
+int CMS_RecipientInfo_ktri_cert_cmp(CMS_RecipientInfo *ri, X509 *cert);
+int CMS_RecipientInfo_ktri_get0_algs(CMS_RecipientInfo *ri, EVP_PKEY **pk,
+ X509 **recip, X509_ALGOR **palg);
+int CMS_RecipientInfo_ktri_get0_signer_id(CMS_RecipientInfo *ri,
+ ASN1_OCTET_STRING **keyid, X509_NAME **issuer, ASN1_INTEGER **sno);
+
+CMS_RecipientInfo *CMS_add0_recipient_key(CMS_ContentInfo *cms, int nid,
+ unsigned char *key, size_t keylen, unsigned char *id, size_t idlen,
+ ASN1_GENERALIZEDTIME *date, ASN1_OBJECT *otherTypeId, ASN1_TYPE *otherType);
+
+int CMS_RecipientInfo_kekri_get0_id(CMS_RecipientInfo *ri, X509_ALGOR **palg,
+ ASN1_OCTET_STRING **pid, ASN1_GENERALIZEDTIME **pdate,
+ ASN1_OBJECT **potherid, ASN1_TYPE **pothertype);
+
+int CMS_RecipientInfo_set0_key(CMS_RecipientInfo *ri, unsigned char *key,
+ size_t keylen);
+
+int CMS_RecipientInfo_kekri_id_cmp(CMS_RecipientInfo *ri,
+ const unsigned char *id, size_t idlen);
+
+int CMS_RecipientInfo_set0_password(CMS_RecipientInfo *ri, unsigned char *pass,
+ ssize_t passlen);
+
+CMS_RecipientInfo *CMS_add0_recipient_password(CMS_ContentInfo *cms, int iter,
+ int wrap_nid, int pbe_nid, unsigned char *pass, ssize_t passlen,
+ const EVP_CIPHER *kekciph);
+
+int
CMS_RecipientInfo_decrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
+int CMS_RecipientInfo_encrypt(CMS_ContentInfo *cms, CMS_RecipientInfo *ri);
+
+int CMS_uncompress(CMS_ContentInfo *cms, BIO *dcont, BIO *out,
+ unsigned int flags);
+CMS_ContentInfo *CMS_compress(BIO *in, int comp_nid, unsigned int flags);
+
+int CMS_set1_eContentType(CMS_ContentInfo *cms, const ASN1_OBJECT *oid);
+const ASN1_OBJECT *CMS_get0_eContentType(CMS_ContentInfo *cms);
+
+CMS_CertificateChoices *CMS_add0_CertificateChoices(CMS_ContentInfo *cms);
+int CMS_add0_cert(CMS_ContentInfo *cms, X509 *cert);
+int CMS_add1_cert(CMS_ContentInfo *cms, X509 *cert);
+STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms);
+
+CMS_RevocationInfoChoice *CMS_add0_RevocationInfoChoice(CMS_ContentInfo *cms);
+int CMS_add0_crl(CMS_ContentInfo *cms, X509_CRL *crl);
+int CMS_add1_crl(CMS_ContentInfo *cms, X509_CRL *crl);
+STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms);
+
+int CMS_SignedData_init(CMS_ContentInfo *cms);
+CMS_SignerInfo *CMS_add1_signer(CMS_ContentInfo *cms, X509 *signer,
+ EVP_PKEY *pk, const EVP_MD *md, unsigned int flags);
+EVP_PKEY_CTX *CMS_SignerInfo_get0_pkey_ctx(CMS_SignerInfo *si);
+EVP_MD_CTX *CMS_SignerInfo_get0_md_ctx(CMS_SignerInfo *si);
+STACK_OF(CMS_SignerInfo) *CMS_get0_SignerInfos(CMS_ContentInfo *cms);
+
+void CMS_SignerInfo_set1_signer_cert(CMS_SignerInfo *si, X509 *signer);
+int CMS_SignerInfo_get0_signer_id(CMS_SignerInfo *si, ASN1_OCTET_STRING **keyid,
+ X509_NAME **issuer, ASN1_INTEGER **sno);
+int CMS_SignerInfo_cert_cmp(CMS_SignerInfo *si, X509 *cert);
+int CMS_set1_signers_certs(CMS_ContentInfo *cms, STACK_OF(X509) *certs,
+ unsigned int flags);
+void CMS_SignerInfo_get0_algs(CMS_SignerInfo *si, EVP_PKEY **pk, X509 **signer,
+ X509_ALGOR **pdig, X509_ALGOR **psig);
+ASN1_OCTET_STRING *CMS_SignerInfo_get0_signature(CMS_SignerInfo *si);
+int CMS_SignerInfo_sign(CMS_SignerInfo *si);
+int CMS_SignerInfo_verify(CMS_SignerInfo *si);
+int
CMS_SignerInfo_verify_content(CMS_SignerInfo *si, BIO *chain);
+
+int CMS_add_smimecap(CMS_SignerInfo *si, STACK_OF(X509_ALGOR) *algs);
+int CMS_add_simple_smimecap(STACK_OF(X509_ALGOR) **algs, int algnid,
+ int keysize);
+int CMS_add_standard_smimecap(STACK_OF(X509_ALGOR) **smcap);
+
+int CMS_signed_get_attr_count(const CMS_SignerInfo *si);
+int CMS_signed_get_attr_by_NID(const CMS_SignerInfo *si, int nid, int lastpos);
+int CMS_signed_get_attr_by_OBJ(const CMS_SignerInfo *si, const ASN1_OBJECT *obj,
+ int lastpos);
+X509_ATTRIBUTE *CMS_signed_get_attr(const CMS_SignerInfo *si, int loc);
+X509_ATTRIBUTE *CMS_signed_delete_attr(CMS_SignerInfo *si, int loc);
+int CMS_signed_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr);
+int CMS_signed_add1_attr_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *obj,
+ int type, const void *bytes, int len);
+int CMS_signed_add1_attr_by_NID(CMS_SignerInfo *si, int nid, int type,
+ const void *bytes, int len);
+int CMS_signed_add1_attr_by_txt(CMS_SignerInfo *si,
+ const char *attrname, int type, const void *bytes, int len);
+void *CMS_signed_get0_data_by_OBJ(CMS_SignerInfo *si, const ASN1_OBJECT *oid,
+ int lastpos, int type);
+
+int CMS_unsigned_get_attr_count(const CMS_SignerInfo *si);
+int CMS_unsigned_get_attr_by_NID(const CMS_SignerInfo *si, int nid,
+ int lastpos);
+int CMS_unsigned_get_attr_by_OBJ(const CMS_SignerInfo *si,
+ const ASN1_OBJECT *obj, int lastpos);
+X509_ATTRIBUTE *CMS_unsigned_get_attr(const CMS_SignerInfo *si, int loc);
+X509_ATTRIBUTE *CMS_unsigned_delete_attr(CMS_SignerInfo *si, int loc);
+int CMS_unsigned_add1_attr(CMS_SignerInfo *si, X509_ATTRIBUTE *attr);
+int CMS_unsigned_add1_attr_by_OBJ(CMS_SignerInfo *si,
+ const ASN1_OBJECT *obj, int type, const void *bytes, int len);
+int CMS_unsigned_add1_attr_by_NID(CMS_SignerInfo *si, int nid, int type,
+ const void *bytes, int len);
+int CMS_unsigned_add1_attr_by_txt(CMS_SignerInfo *si, const char *attrname,
+ int type, const void *bytes, int len);
+void
*CMS_unsigned_get0_data_by_OBJ(CMS_SignerInfo *si, ASN1_OBJECT *oid,
+ int lastpos, int type);
+
+#ifdef HEADER_X509V3_H
+
+int CMS_get1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest **prr);
+CMS_ReceiptRequest *CMS_ReceiptRequest_create0(unsigned char *id, int idlen,
+ int allorfirst, STACK_OF(GENERAL_NAMES) *receiptList,
+ STACK_OF(GENERAL_NAMES) *receiptsTo);
+int CMS_add1_ReceiptRequest(CMS_SignerInfo *si, CMS_ReceiptRequest *rr);
+void CMS_ReceiptRequest_get0_values(CMS_ReceiptRequest *rr, ASN1_STRING **pcid,
+ int *pallorfirst, STACK_OF(GENERAL_NAMES) **plist,
+ STACK_OF(GENERAL_NAMES) **prto);
+#endif
+int CMS_RecipientInfo_kari_get0_alg(CMS_RecipientInfo *ri, X509_ALGOR **palg,
+ ASN1_OCTET_STRING **pukm);
+STACK_OF(CMS_RecipientEncryptedKey) *
+ CMS_RecipientInfo_kari_get0_reks(CMS_RecipientInfo *ri);
+
+int CMS_RecipientInfo_kari_get0_orig_id(CMS_RecipientInfo *ri,
+ X509_ALGOR **pubalg, ASN1_BIT_STRING **pubkey, ASN1_OCTET_STRING **keyid,
+ X509_NAME **issuer, ASN1_INTEGER **sno);
+
+int CMS_RecipientInfo_kari_orig_id_cmp(CMS_RecipientInfo *ri, X509 *cert);
+
+int CMS_RecipientEncryptedKey_get0_id(CMS_RecipientEncryptedKey *rek,
+ ASN1_OCTET_STRING **keyid, ASN1_GENERALIZEDTIME **tm,
+ CMS_OtherKeyAttribute **other, X509_NAME **issuer, ASN1_INTEGER **sno);
+int CMS_RecipientEncryptedKey_cert_cmp(CMS_RecipientEncryptedKey *rek,
+ X509 *cert);
+int CMS_RecipientInfo_kari_set0_pkey(CMS_RecipientInfo *ri, EVP_PKEY *pk);
+EVP_CIPHER_CTX *CMS_RecipientInfo_kari_get0_ctx(CMS_RecipientInfo *ri);
+int CMS_RecipientInfo_kari_decrypt(CMS_ContentInfo *cms,
+ CMS_RecipientInfo *ri, CMS_RecipientEncryptedKey *rek);
+
+int CMS_SharedInfo_encode(unsigned char **pder, X509_ALGOR *kekalg,
+ ASN1_OCTET_STRING *ukm, int keylen);
+
+/* Backward compatibility for spelling errors.
*/ +#define CMS_R_UNKNOWN_DIGEST_ALGORITM CMS_R_UNKNOWN_DIGEST_ALGORITHM +#define CMS_R_UNSUPPORTED_RECPIENTINFO_TYPE \ + CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE + +int ERR_load_CMS_strings(void); + +/* + * CMS function codes. + */ +#define CMS_F_CHECK_CONTENT 99 +#define CMS_F_CMS_ADD0_CERT 164 +#define CMS_F_CMS_ADD0_RECIPIENT_KEY 100 +#define CMS_F_CMS_ADD0_RECIPIENT_PASSWORD 165 +#define CMS_F_CMS_ADD1_RECEIPTREQUEST 158 +#define CMS_F_CMS_ADD1_RECIPIENT_CERT 101 +#define CMS_F_CMS_ADD1_SIGNER 102 +#define CMS_F_CMS_ADD1_SIGNINGTIME 103 +#define CMS_F_CMS_COMPRESS 104 +#define CMS_F_CMS_COMPRESSEDDATA_CREATE 105 +#define CMS_F_CMS_COMPRESSEDDATA_INIT_BIO 106 +#define CMS_F_CMS_COPY_CONTENT 107 +#define CMS_F_CMS_COPY_MESSAGEDIGEST 108 +#define CMS_F_CMS_DATA 109 +#define CMS_F_CMS_DATAFINAL 110 +#define CMS_F_CMS_DATAINIT 111 +#define CMS_F_CMS_DECRYPT 112 +#define CMS_F_CMS_DECRYPT_SET1_KEY 113 +#define CMS_F_CMS_DECRYPT_SET1_PASSWORD 166 +#define CMS_F_CMS_DECRYPT_SET1_PKEY 114 +#define CMS_F_CMS_DIGESTALGORITHM_FIND_CTX 115 +#define CMS_F_CMS_DIGESTALGORITHM_INIT_BIO 116 +#define CMS_F_CMS_DIGESTEDDATA_DO_FINAL 117 +#define CMS_F_CMS_DIGEST_VERIFY 118 +#define CMS_F_CMS_ENCODE_RECEIPT 161 +#define CMS_F_CMS_ENCRYPT 119 +#define CMS_F_CMS_ENCRYPTEDCONTENT_INIT 179 +#define CMS_F_CMS_ENCRYPTEDCONTENT_INIT_BIO 120 +#define CMS_F_CMS_ENCRYPTEDDATA_DECRYPT 121 +#define CMS_F_CMS_ENCRYPTEDDATA_ENCRYPT 122 +#define CMS_F_CMS_ENCRYPTEDDATA_SET1_KEY 123 +#define CMS_F_CMS_ENVELOPEDDATA_CREATE 124 +#define CMS_F_CMS_ENVELOPEDDATA_INIT_BIO 125 +#define CMS_F_CMS_ENVELOPED_DATA_INIT 126 +#define CMS_F_CMS_ENV_ASN1_CTRL 171 +#define CMS_F_CMS_FINAL 127 +#define CMS_F_CMS_GET0_CERTIFICATE_CHOICES 128 +#define CMS_F_CMS_GET0_CONTENT 129 +#define CMS_F_CMS_GET0_ECONTENT_TYPE 130 +#define CMS_F_CMS_GET0_ENVELOPED 131 +#define CMS_F_CMS_GET0_REVOCATION_CHOICES 132 +#define CMS_F_CMS_GET0_SIGNED 133 +#define CMS_F_CMS_MSGSIGDIGEST_ADD1 162 +#define 
CMS_F_CMS_RECEIPTREQUEST_CREATE0 159 +#define CMS_F_CMS_RECEIPT_VERIFY 160 +#define CMS_F_CMS_RECIPIENTINFO_DECRYPT 134 +#define CMS_F_CMS_RECIPIENTINFO_ENCRYPT 169 +#define CMS_F_CMS_RECIPIENTINFO_KARI_ENCRYPT 178 +#define CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ALG 175 +#define CMS_F_CMS_RECIPIENTINFO_KARI_GET0_ORIG_ID 173 +#define CMS_F_CMS_RECIPIENTINFO_KARI_GET0_REKS 172 +#define CMS_F_CMS_RECIPIENTINFO_KARI_ORIG_ID_CMP 174 +#define CMS_F_CMS_RECIPIENTINFO_KEKRI_DECRYPT 135 +#define CMS_F_CMS_RECIPIENTINFO_KEKRI_ENCRYPT 136 +#define CMS_F_CMS_RECIPIENTINFO_KEKRI_GET0_ID 137 +#define CMS_F_CMS_RECIPIENTINFO_KEKRI_ID_CMP 138 +#define CMS_F_CMS_RECIPIENTINFO_KTRI_CERT_CMP 139 +#define CMS_F_CMS_RECIPIENTINFO_KTRI_DECRYPT 140 +#define CMS_F_CMS_RECIPIENTINFO_KTRI_ENCRYPT 141 +#define CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_ALGS 142 +#define CMS_F_CMS_RECIPIENTINFO_KTRI_GET0_SIGNER_ID 143 +#define CMS_F_CMS_RECIPIENTINFO_PWRI_CRYPT 167 +#define CMS_F_CMS_RECIPIENTINFO_SET0_KEY 144 +#define CMS_F_CMS_RECIPIENTINFO_SET0_PASSWORD 168 +#define CMS_F_CMS_RECIPIENTINFO_SET0_PKEY 145 +#define CMS_F_CMS_SD_ASN1_CTRL 170 +#define CMS_F_CMS_SET1_IAS 176 +#define CMS_F_CMS_SET1_KEYID 177 +#define CMS_F_CMS_SET1_SIGNERIDENTIFIER 146 +#define CMS_F_CMS_SET_DETACHED 147 +#define CMS_F_CMS_SIGN 148 +#define CMS_F_CMS_SIGNED_DATA_INIT 149 +#define CMS_F_CMS_SIGNERINFO_CONTENT_SIGN 150 +#define CMS_F_CMS_SIGNERINFO_SIGN 151 +#define CMS_F_CMS_SIGNERINFO_VERIFY 152 +#define CMS_F_CMS_SIGNERINFO_VERIFY_CERT 153 +#define CMS_F_CMS_SIGNERINFO_VERIFY_CONTENT 154 +#define CMS_F_CMS_SIGN_RECEIPT 163 +#define CMS_F_CMS_STREAM 155 +#define CMS_F_CMS_UNCOMPRESS 156 +#define CMS_F_CMS_VERIFY 157 +#define CMS_F_KEK_UNWRAP_KEY 180 + +/* + * CMS reason codes. 
+ */ +#define CMS_R_ADD_SIGNER_ERROR 99 +#define CMS_R_CERTIFICATE_ALREADY_PRESENT 175 +#define CMS_R_CERTIFICATE_HAS_NO_KEYID 160 +#define CMS_R_CERTIFICATE_VERIFY_ERROR 100 +#define CMS_R_CIPHER_INITIALISATION_ERROR 101 +#define CMS_R_CIPHER_PARAMETER_INITIALISATION_ERROR 102 +#define CMS_R_CMS_DATAFINAL_ERROR 103 +#define CMS_R_CMS_LIB 104 +#define CMS_R_CONTENTIDENTIFIER_MISMATCH 170 +#define CMS_R_CONTENT_NOT_FOUND 105 +#define CMS_R_CONTENT_TYPE_MISMATCH 171 +#define CMS_R_CONTENT_TYPE_NOT_COMPRESSED_DATA 106 +#define CMS_R_CONTENT_TYPE_NOT_ENVELOPED_DATA 107 +#define CMS_R_CONTENT_TYPE_NOT_SIGNED_DATA 108 +#define CMS_R_CONTENT_VERIFY_ERROR 109 +#define CMS_R_CTRL_ERROR 110 +#define CMS_R_CTRL_FAILURE 111 +#define CMS_R_DECRYPT_ERROR 112 +#define CMS_R_ERROR_GETTING_PUBLIC_KEY 113 +#define CMS_R_ERROR_READING_MESSAGEDIGEST_ATTRIBUTE 114 +#define CMS_R_ERROR_SETTING_KEY 115 +#define CMS_R_ERROR_SETTING_RECIPIENTINFO 116 +#define CMS_R_INVALID_ENCRYPTED_KEY_LENGTH 117 +#define CMS_R_INVALID_KEY_ENCRYPTION_PARAMETER 176 +#define CMS_R_INVALID_KEY_LENGTH 118 +#define CMS_R_MD_BIO_INIT_ERROR 119 +#define CMS_R_MESSAGEDIGEST_ATTRIBUTE_WRONG_LENGTH 120 +#define CMS_R_MESSAGEDIGEST_WRONG_LENGTH 121 +#define CMS_R_MSGSIGDIGEST_ERROR 172 +#define CMS_R_MSGSIGDIGEST_VERIFICATION_FAILURE 162 +#define CMS_R_MSGSIGDIGEST_WRONG_LENGTH 163 +#define CMS_R_NEED_ONE_SIGNER 164 +#define CMS_R_NOT_A_SIGNED_RECEIPT 165 +#define CMS_R_NOT_ENCRYPTED_DATA 122 +#define CMS_R_NOT_KEK 123 +#define CMS_R_NOT_KEY_AGREEMENT 181 +#define CMS_R_NOT_KEY_TRANSPORT 124 +#define CMS_R_NOT_PWRI 177 +#define CMS_R_NOT_SUPPORTED_FOR_THIS_KEY_TYPE 125 +#define CMS_R_NO_CIPHER 126 +#define CMS_R_NO_CONTENT 127 +#define CMS_R_NO_CONTENT_TYPE 173 +#define CMS_R_NO_DEFAULT_DIGEST 128 +#define CMS_R_NO_DIGEST_SET 129 +#define CMS_R_NO_KEY 130 +#define CMS_R_NO_KEY_OR_CERT 174 +#define CMS_R_NO_MATCHING_DIGEST 131 +#define CMS_R_NO_MATCHING_RECIPIENT 132 +#define CMS_R_NO_MATCHING_SIGNATURE 166 +#define 
CMS_R_NO_MSGSIGDIGEST 167
+#define CMS_R_NO_PASSWORD 178
+#define CMS_R_NO_PRIVATE_KEY 133
+#define CMS_R_NO_PUBLIC_KEY 134
+#define CMS_R_NO_RECEIPT_REQUEST 168
+#define CMS_R_NO_SIGNERS 135
+#define CMS_R_PRIVATE_KEY_DOES_NOT_MATCH_CERTIFICATE 136
+#define CMS_R_RECEIPT_DECODE_ERROR 169
+#define CMS_R_RECIPIENT_ERROR 137
+#define CMS_R_SIGNER_CERTIFICATE_NOT_FOUND 138
+#define CMS_R_SIGNFINAL_ERROR 139
+#define CMS_R_SMIME_TEXT_ERROR 140
+#define CMS_R_STORE_INIT_ERROR 141
+#define CMS_R_TYPE_NOT_COMPRESSED_DATA 142
+#define CMS_R_TYPE_NOT_DATA 143
+#define CMS_R_TYPE_NOT_DIGESTED_DATA 144
+#define CMS_R_TYPE_NOT_ENCRYPTED_DATA 145
+#define CMS_R_TYPE_NOT_ENVELOPED_DATA 146
+#define CMS_R_UNABLE_TO_FINALIZE_CONTEXT 147
+#define CMS_R_UNKNOWN_CIPHER 148
+#define CMS_R_UNKNOWN_DIGEST_ALGORITHM 149
+#define CMS_R_UNKNOWN_ID 150
+#define CMS_R_UNSUPPORTED_COMPRESSION_ALGORITHM 151
+#define CMS_R_UNSUPPORTED_CONTENT_TYPE 152
+#define CMS_R_UNSUPPORTED_KEK_ALGORITHM 153
+#define CMS_R_UNSUPPORTED_KEY_ENCRYPTION_ALGORITHM 179
+#define CMS_R_UNSUPPORTED_RECIPIENTINFO_TYPE 155
+#define CMS_R_UNSUPPORTED_RECIPIENT_TYPE 154
+#define CMS_R_UNSUPPORTED_TYPE 156
+#define CMS_R_UNWRAP_ERROR 157
+#define CMS_R_UNWRAP_FAILURE 180
+#define CMS_R_VERIFICATION_FAILURE 158
+#define CMS_R_WRAP_ERROR 159
+
+#ifdef __cplusplus
+}
+#endif
+#endif
+#endif
diff --git a/include/openssl/conf.h b/include/openssl/conf.h
index 095066d..bea6a87 100644
--- a/include/openssl/conf.h
+++ b/include/openssl/conf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf.h,v 1.14 2015/02/07 13:19:15 doug Exp $ */
+/* $OpenBSD: conf.h,v 1.15 2020/02/17 12:51:48 inoguchi Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -241,6 +241,7 @@ void ERR_load_CONF_strings(void);
 #define CONF_R_NO_VALUE 108
 #define CONF_R_UNABLE_TO_CREATE_NEW_SECTION 103
 #define CONF_R_UNKNOWN_MODULE_NAME 113
+#define CONF_R_VARIABLE_EXPANSION_TOO_LONG 116
 #define CONF_R_VARIABLE_HAS_NO_VALUE 104
 
 #ifdef __cplusplus
diff --git a/include/openssl/crypto.h b/include/openssl/crypto.h
index 67e06a1..7de8abb 100644
--- a/include/openssl/crypto.h
+++ b/include/openssl/crypto.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: crypto.h,v 1.45 2018/03/19 03:35:38 beck Exp $ */
+/* $OpenBSD: crypto.h,v 1.50 2019/01/19 01:07:00 tb Exp $ */
 /* ====================================================================
 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
 *
@@ -203,7 +203,6 @@ typedef struct openssl_item_st {
 #define CRYPTO_READ 4
 #define CRYPTO_WRITE 8
 
-#ifndef OPENSSL_NO_LOCKING
 #ifndef CRYPTO_w_lock
 #define CRYPTO_w_lock(type) \
 CRYPTO_lock(CRYPTO_LOCK|CRYPTO_WRITE,type,__FILE__,__LINE__)
@@ -216,13 +215,6 @@ typedef struct openssl_item_st {
 #define CRYPTO_add(addr,amount,type) \
 CRYPTO_add_lock(addr,amount,type,__FILE__,__LINE__)
 #endif
-#else
-#define CRYPTO_w_lock(a)
-#define CRYPTO_w_unlock(a)
-#define CRYPTO_r_lock(a)
-#define CRYPTO_r_unlock(a)
-#define CRYPTO_add(a,b,c) ((*(a))+=(b))
-#endif
 
 /* Some applications as well as some parts of OpenSSL need to allocate
 and deallocate locks in a dynamic fashion. The following typedef
@@ -294,11 +286,13 @@ DECLARE_STACK_OF(CRYPTO_EX_DATA_FUNCS)
 #define CRYPTO_EX_INDEX_ECDH 13
 #define CRYPTO_EX_INDEX_COMP 14
 #define CRYPTO_EX_INDEX_STORE 15
+#define CRYPTO_EX_INDEX_EC_KEY 16
 
 /* Dynamically assigned indexes start from this value (don't use directly, use
 * via CRYPTO_ex_data_new_class). */
 #define CRYPTO_EX_INDEX_USER 100
 
+#ifndef LIBRESSL_INTERNAL
 #define CRYPTO_malloc_init() (0)
 #define CRYPTO_malloc_debug_init() (0)
@@ -329,6 +323,7 @@ int CRYPTO_is_mem_check_on(void);
 #define OPENSSL_malloc_locked(num) \
 CRYPTO_malloc_locked((int)num,__FILE__,__LINE__)
 #define OPENSSL_free_locked(addr) CRYPTO_free_locked(addr)
+#endif
 
 const char *OpenSSL_version(int type);
 #define OPENSSL_VERSION 0
@@ -368,10 +363,30 @@ void *CRYPTO_get_ex_data(const CRYPTO_EX_DATA *ad, int idx);
 * potential race-conditions. */
 void CRYPTO_cleanup_all_ex_data(void);
 
-int CRYPTO_get_new_lockid(char *name);
-
-int CRYPTO_num_locks(void); /* return CRYPTO_NUM_LOCKS (shared libs!) */
 void CRYPTO_lock(int mode, int type, const char *file, int line);
+int CRYPTO_add_lock(int *pointer, int amount, int type, const char *file,
+ int line);
+
+/* Don't use this structure directly. */
+typedef struct crypto_threadid_st {
+ void *ptr;
+ unsigned long val;
+} CRYPTO_THREADID;
+void CRYPTO_THREADID_current(CRYPTO_THREADID *id);
+int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, const CRYPTO_THREADID *b);
+void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, const CRYPTO_THREADID *src);
+unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id);
+
+#ifndef LIBRESSL_INTERNAL
+/* These functions are deprecated no-op stubs */
+void CRYPTO_set_id_callback(unsigned long (*func)(void));
+unsigned long (*CRYPTO_get_id_callback(void))(void);
+unsigned long CRYPTO_thread_id(void);
+
+int CRYPTO_get_new_lockid(char *name);
+const char *CRYPTO_get_lock_name(int type);
+
+int CRYPTO_num_locks(void);
 void CRYPTO_set_locking_callback(void (*func)(int mode, int type,
 const char *file, int line));
 void (*CRYPTO_get_locking_callback(void))(int mode, int type,
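Review bot: The added `#endif` closes the `#ifndef LIBRESSL_INTERNAL` that the hunk at -294 opens, and it lands as a bare directive next to the pre-existing `#endif`s, so a reader of the new file cannot tell which guard ends here without counting; `#endif /* LIBRESSL_INTERNAL */` makes the pairing visible and greppable. The same applies to the `+#endif` in the crypto.h hunk at -414 and to the one in dtls1.h at -178, which closes the guard opened in the dtls1.h hunk at -169.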
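Review bot: The comment `/* These functions are deprecated no-op stubs */` does not tell a caller that previously installed `CRYPTO_set_locking_callback` or `CRYPTO_THREADID_set_callback` for thread safety what happens now that the setters are still declared but do nothing, nor where the block ends (the matching `#endif` is only added in the hunk at -414, after the dynlock callbacks, so the thread-id setters kept by the hunk at -381 are inside it too). I would widen it to `/* Deprecated no-op stubs kept for source compatibility: locking, add-lock, dynlock and thread-id callbacks installed through these are ignored; see the implementation for how the library serialises internally. */`, since whether the library serialises without them is not visible from this header. One word noting that `CRYPTO_THREADID_current`/`_cmp`/`_cpy`/`_hash` are deliberately left outside the guard would stop a later reader from "fixing" the split.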
@@ -381,29 +396,10 @@ void CRYPTO_set_add_lock_callback(int (*func)(int *num, int mount, int type,
 int (*CRYPTO_get_add_lock_callback(void))(int *num, int mount, int type,
 const char *file, int line);
 
-/* Don't use this structure directly. */
-typedef struct crypto_threadid_st {
- void *ptr;
- unsigned long val;
-} CRYPTO_THREADID;
-/* Only use CRYPTO_THREADID_set_[numeric|pointer]() within callbacks */
 void CRYPTO_THREADID_set_numeric(CRYPTO_THREADID *id, unsigned long val);
 void CRYPTO_THREADID_set_pointer(CRYPTO_THREADID *id, void *ptr);
 int CRYPTO_THREADID_set_callback(void (*threadid_func)(CRYPTO_THREADID *));
 void (*CRYPTO_THREADID_get_callback(void))(CRYPTO_THREADID *);
-void CRYPTO_THREADID_current(CRYPTO_THREADID *id);
-int CRYPTO_THREADID_cmp(const CRYPTO_THREADID *a, const CRYPTO_THREADID *b);
-void CRYPTO_THREADID_cpy(CRYPTO_THREADID *dest, const CRYPTO_THREADID *src);
-unsigned long CRYPTO_THREADID_hash(const CRYPTO_THREADID *id);
-#ifndef OPENSSL_NO_DEPRECATED
-void CRYPTO_set_id_callback(unsigned long (*func)(void));
-unsigned long (*CRYPTO_get_id_callback(void))(void);
-unsigned long CRYPTO_thread_id(void);
-#endif
-
-const char *CRYPTO_get_lock_name(int type);
-int CRYPTO_add_lock(int *pointer, int amount, int type, const char *file,
- int line);
 
 int CRYPTO_get_new_dynlockid(void);
 void CRYPTO_destroy_dynlockid(int i);
@@ -414,6 +410,7 @@ void CRYPTO_set_dynlock_destroy_callback(void (*dyn_destroy_function)(struct CRY
 struct CRYPTO_dynlock_value *(*CRYPTO_get_dynlock_create_callback(void))(const char *file, int line);
 void (*CRYPTO_get_dynlock_lock_callback(void))(int mode, struct CRYPTO_dynlock_value *l, const char *file, int line);
 void (*CRYPTO_get_dynlock_destroy_callback(void))(struct CRYPTO_dynlock_value *l, const char *file, int line);
+#endif
 
 /* CRYPTO_set_mem_functions includes CRYPTO_set_locked_mem_functions --
 * call the latter last if you need different functions */
@@ -493,11 +490,11 @@ long CRYPTO_dbg_get_options(void) __attribute__ ((deprecated));
-void CRYPTO_mem_leaks_fp(FILE *);
-void CRYPTO_mem_leaks(struct bio_st *bio);
+int CRYPTO_mem_leaks_fp(FILE *);
+int CRYPTO_mem_leaks(struct bio_st *bio);
 /* unsigned long order, char *file, int line, int num_bytes, char *addr */
-typedef void *CRYPTO_MEM_LEAK_CB(unsigned long, const char *, int, int, void *);
-void CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);
+typedef int *CRYPTO_MEM_LEAK_CB(unsigned long, const char *, int, int, void *);
+int CRYPTO_mem_leaks_cb(CRYPTO_MEM_LEAK_CB *cb);
 
 /* die if we have to */
 void OpenSSLDie(const char *file, int line, const char *assertion);
diff --git a/include/openssl/curve25519.h b/include/openssl/curve25519.h
index 5aaa8c0..c16a4e2 100644
--- a/include/openssl/curve25519.h
+++ b/include/openssl/curve25519.h
@@ -1,3 +1,4 @@
+/* $OpenBSD: curve25519.h,v 1.3 2019/05/11 15:55:52 tb Exp $ */
 /*
 * Copyright (c) 2015, Google Inc.
 *
diff --git a/include/openssl/dtls1.h b/include/openssl/dtls1.h
index 31ba065..c9c5963 100644
--- a/include/openssl/dtls1.h
+++ b/include/openssl/dtls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dtls1.h,v 1.21 2017/01/22 07:16:39 beck Exp $ */
+/* $OpenBSD: dtls1.h,v 1.23 2020/03/12 17:01:53 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -91,11 +91,7 @@ extern "C" {
 #define DTLS1_CCS_HEADER_LENGTH 1
 
-#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE
-#define DTLS1_AL_HEADER_LENGTH 7
-#else
 #define DTLS1_AL_HEADER_LENGTH 2
-#endif
 
 #ifndef OPENSSL_NO_SSL_INTERN
@@ -169,6 +165,8 @@ typedef struct dtls1_state_st {
 struct dtls1_state_internal_st *internal;
 } DTLS1_STATE;
 
+#ifndef LIBRESSL_INTERNAL
+
 typedef struct dtls1_record_data_st {
 unsigned char *packet;
 unsigned int packet_length;
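Review bot: The return type of `CRYPTO_mem_leaks_fp`, `CRYPTO_mem_leaks` and `CRYPTO_mem_leaks_cb` changes from `void` to `int`, but nothing in the hunk says what the value means, and the callback typedef becomes `typedef int *CRYPTO_MEM_LEAK_CB(...)`, a function type returning `int *` rather than the `int` the three functions return, which reads as a typo. If the `int *` is deliberate (for example to match another library's declaration of the same type), a comment saying so belongs on that line; otherwise `typedef int CRYPTO_MEM_LEAK_CB(unsigned long, const char *, int, int, void *);` is the likely intent. Either way a one-line comment above `CRYPTO_mem_leaks_fp` giving the return contract, and a note that existing callers assigning the old `void`-returning function pointers need updating, would make this API/ABI change visible.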
@@ -178,6 +176,8 @@ typedef struct dtls1_record_data_st {
 
 #endif
 
+#endif
+
 /* Timeout multipliers (timeout slice is defined in apps/timeouts.h */
 #define DTLS1_TMO_READ_COUNT 2
 #define DTLS1_TMO_WRITE_COUNT 2
diff --git a/include/openssl/ec.h b/include/openssl/ec.h
index dc70cfa..a95d99f 100644
--- a/include/openssl/ec.h
+++ b/include/openssl/ec.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec.h,v 1.12 2016/11/04 17:33:19 miod Exp $ */
+/* $OpenBSD: ec.h,v 1.18 2019/09/29 10:09:09 tb Exp $ */
 /*
 * Originally written by Bodo Moeller for the OpenSSL project.
 */
@@ -97,7 +97,7 @@ extern "C" {
 #ifndef OPENSSL_ECC_MAX_FIELD_BITS
-# define OPENSSL_ECC_MAX_FIELD_BITS 661
+#define OPENSSL_ECC_MAX_FIELD_BITS 661
 #endif
 
 /** Enum for the point conversion form as defined in X9.62 (ECDSA)
@@ -705,6 +705,7 @@ int ECPKParameters_print_fp(FILE *fp, const EC_GROUP *x, int off);
 /********************************************************************/
 
 typedef struct ec_key_st EC_KEY;
+typedef struct ec_key_method_st EC_KEY_METHOD;
 
 /* some values for the encoding_flag */
 #define EC_PKEY_NO_PARAMETERS 0x001
@@ -713,6 +714,7 @@ typedef struct ec_key_st EC_KEY;
 /* some values for the flags field */
 #define EC_FLAG_NON_FIPS_ALLOW 0x1
 #define EC_FLAG_FIPS_CHECKED 0x2
+#define EC_FLAG_COFACTOR_ECDH 0x1000
 
 /** Creates a new EC_KEY object.
 * \return EC_KEY object or NULL if an error occurred.
@@ -911,7 +913,7 @@ EC_KEY *o2i_ECPublicKey(EC_KEY **key, const unsigned char **in, long len);
 * of bytes needed).
 * \return 1 on success and 0 if an error occurred
 */
-int i2o_ECPublicKey(EC_KEY *key, unsigned char **out);
+int i2o_ECPublicKey(const EC_KEY *key, unsigned char **out);
 
 #ifndef OPENSSL_NO_BIO
 /** Prints out the ec parameters on human readable form.
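Review bot: `EC_FLAG_COFACTOR_ECDH 0x1000` in the ec.h hunk at -713 is added under the bare `/* some values for the flags field */` with nothing saying which operation it changes, while the declarations right below it carry doxygen blocks (`/** Creates a new EC_KEY object. ... \return ... */`). If it means what the name suggests, that the ECDH derive path multiplies by the curve cofactor when the flag is set on the key, a comment such as `/* EC_FLAG_COFACTOR_ECDH: derive ECDH shared secrets with cofactor multiplication; see EVP_PKEY_CTX_set_ecdh_cofactor_mode() */` would tell callers when to set it; I cannot confirm the semantics from this hunk, so it should be checked against the derive implementation. The jump from 0x2 to 0x1000 also looks like it reserves room for values assigned elsewhere and deserves a word.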
@@ -945,6 +947,44 @@ int ECParameters_print_fp(FILE *fp, const EC_KEY *key);
 */
 int EC_KEY_print_fp(FILE *fp, const EC_KEY *key, int off);
 
+#define EC_KEY_get_ex_new_index(l, p, newf, dupf, freef) \
+ CRYPTO_get_ex_new_index(CRYPTO_EX_INDEX_EC_KEY, l, p, newf, dupf, freef)
+int EC_KEY_set_ex_data(EC_KEY *key, int idx, void *arg);
+void *EC_KEY_get_ex_data(const EC_KEY *key, int idx);
+
+const EC_KEY_METHOD *EC_KEY_OpenSSL(void);
+const EC_KEY_METHOD *EC_KEY_get_default_method(void);
+void EC_KEY_set_default_method(const EC_KEY_METHOD *meth);
+const EC_KEY_METHOD *EC_KEY_get_method(const EC_KEY *key);
+int EC_KEY_set_method(EC_KEY *key, const EC_KEY_METHOD *meth);
+EC_KEY *EC_KEY_new_method(ENGINE *engine);
+EC_KEY_METHOD *EC_KEY_METHOD_new(const EC_KEY_METHOD *meth);
+void EC_KEY_METHOD_free(EC_KEY_METHOD *meth);
+void EC_KEY_METHOD_set_init(EC_KEY_METHOD *meth,
+ int (*init)(EC_KEY *key),
+ void (*finish)(EC_KEY *key),
+ int (*copy)(EC_KEY *dest, const EC_KEY *src),
+ int (*set_group)(EC_KEY *key, const EC_GROUP *grp),
+ int (*set_private)(EC_KEY *key, const BIGNUM *priv_key),
+ int (*set_public)(EC_KEY *key, const EC_POINT *pub_key));
+void EC_KEY_METHOD_set_keygen(EC_KEY_METHOD *meth,
+ int (*keygen)(EC_KEY *key));
+void EC_KEY_METHOD_set_compute_key(EC_KEY_METHOD *meth,
+ int (*ckey)(void *out, size_t outlen, const EC_POINT *pub_key, EC_KEY *ecdh,
+ void *(*KDF) (const void *in, size_t inlen, void *out, size_t *outlen)));
+void EC_KEY_METHOD_get_init(const EC_KEY_METHOD *meth,
+ int (**pinit)(EC_KEY *key),
+ void (**pfinish)(EC_KEY *key),
+ int (**pcopy)(EC_KEY *dest, const EC_KEY *src),
+ int (**pset_group)(EC_KEY *key, const EC_GROUP *grp),
+ int (**pset_private)(EC_KEY *key, const BIGNUM *priv_key),
+ int (**pset_public)(EC_KEY *key, const EC_POINT *pub_key));
+void EC_KEY_METHOD_get_keygen(const EC_KEY_METHOD *meth,
+ int (**pkeygen)(EC_KEY *key));
+void EC_KEY_METHOD_get_compute_key(const EC_KEY_METHOD *meth,
+ int (**pck)(void *out, size_t outlen, const
EC_POINT *pub_key, EC_KEY *ecdh,
+ void *(*KDF) (const void *in, size_t inlen, void *out, size_t *outlen)));
+
 EC_KEY *ECParameters_dup(EC_KEY *key);
 
 #ifndef __cplusplus
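Review bot: The whole EC_KEY_METHOD block (`EC_KEY_OpenSSL` through `EC_KEY_METHOD_get_compute_key`) is added without a single comment, while the neighbouring declarations in this file carry doxygen blocks (`/** ... \return 1 on success and 0 if an error occurred */` on `i2o_ECPublicKey` in the hunk at -911). The `compute_key` callback in particular leaves open whether `KDF` may be NULL, whether `outlen` bounds `out` or is the requested output length, and whether `EC_KEY_set_method` calls the old method's `finish` before the new one's `init`; none of that is decidable from the hunk, so the doxygen block should be written from the implementation. The ex_data macro `EC_KEY_get_ex_new_index` also deserves the same one-line `/** ... */` the other ex_data accessors in the tree get.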
@@ -956,11 +996,96 @@ EC_KEY *ECParameters_dup(EC_KEY *key);
 #endif
 
 #define EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid) \
- EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, EVP_PKEY_OP_PARAMGEN, \
- EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, nid, NULL)
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
+ EVP_PKEY_OP_PARAMGEN|EVP_PKEY_OP_KEYGEN, \
+ EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID, nid, NULL)
+#define EVP_PKEY_CTX_set_ec_param_enc(ctx, flag) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
+ EVP_PKEY_OP_PARAMGEN|EVP_PKEY_OP_KEYGEN, \
+ EVP_PKEY_CTRL_EC_PARAM_ENC, flag, NULL)
+
+#define EVP_PKEY_CTX_set_ecdh_cofactor_mode(ctx, flag) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
+ EVP_PKEY_OP_DERIVE, \
+ EVP_PKEY_CTRL_EC_ECDH_COFACTOR, flag, NULL)
+
+#define EVP_PKEY_CTX_get_ecdh_cofactor_mode(ctx) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
+ EVP_PKEY_OP_DERIVE, \
+ EVP_PKEY_CTRL_EC_ECDH_COFACTOR, -2, NULL)
+
+#define EVP_PKEY_CTX_set_ecdh_kdf_type(ctx, kdf) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
+ EVP_PKEY_OP_DERIVE, \
+ EVP_PKEY_CTRL_EC_KDF_TYPE, kdf, NULL)
+
+#define EVP_PKEY_CTX_get_ecdh_kdf_type(ctx) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
+ EVP_PKEY_OP_DERIVE, \
+ EVP_PKEY_CTRL_EC_KDF_TYPE, -2, NULL)
+
+#define EVP_PKEY_CTX_set_ecdh_kdf_md(ctx, md) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
+ EVP_PKEY_OP_DERIVE, \
+ EVP_PKEY_CTRL_EC_KDF_MD, 0, (void *)(md))
+
+#define EVP_PKEY_CTX_get_ecdh_kdf_md(ctx, pmd) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
+ EVP_PKEY_OP_DERIVE, \
+ EVP_PKEY_CTRL_GET_EC_KDF_MD, 0, (void *)(pmd))
+
+#define EVP_PKEY_CTX_set_ecdh_kdf_outlen(ctx, len) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
+ EVP_PKEY_OP_DERIVE, \
+ EVP_PKEY_CTRL_EC_KDF_OUTLEN, len, NULL)
+
+#define EVP_PKEY_CTX_get_ecdh_kdf_outlen(ctx, plen) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
+ EVP_PKEY_OP_DERIVE, \
+ EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN, 0, \
+ (void *)(plen))
+
+#define EVP_PKEY_CTX_set0_ecdh_kdf_ukm(ctx, p, plen) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
+ EVP_PKEY_OP_DERIVE, \
+
EVP_PKEY_CTRL_EC_KDF_UKM, plen, (void *)(p))
+
+#define EVP_PKEY_CTX_get0_ecdh_kdf_ukm(ctx, p) \
+ EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_EC, \
+ EVP_PKEY_OP_DERIVE, \
+ EVP_PKEY_CTRL_GET_EC_KDF_UKM, 0, (void *)(p))
+
+/* SM2 will skip the operation check so no need to pass operation here */
+#define EVP_PKEY_CTX_set1_id(ctx, id, id_len) \
+ EVP_PKEY_CTX_ctrl(ctx, -1, -1, \
+ EVP_PKEY_CTRL_SET1_ID, (int)id_len, (void*)(id))
+
+#define EVP_PKEY_CTX_get1_id(ctx, id) \
+ EVP_PKEY_CTX_ctrl(ctx, -1, -1, \
+ EVP_PKEY_CTRL_GET1_ID, 0, (void*)(id))
+
+#define EVP_PKEY_CTX_get1_id_len(ctx, id_len) \
+ EVP_PKEY_CTX_ctrl(ctx, -1, -1, \
+ EVP_PKEY_CTRL_GET1_ID_LEN, 0, (void*)(id_len))
 
 #define EVP_PKEY_CTRL_EC_PARAMGEN_CURVE_NID (EVP_PKEY_ALG_CTRL + 1)
+#define EVP_PKEY_CTRL_EC_PARAM_ENC (EVP_PKEY_ALG_CTRL + 2)
+#define EVP_PKEY_CTRL_EC_ECDH_COFACTOR (EVP_PKEY_ALG_CTRL + 3)
+#define EVP_PKEY_CTRL_EC_KDF_TYPE (EVP_PKEY_ALG_CTRL + 4)
+#define EVP_PKEY_CTRL_EC_KDF_MD (EVP_PKEY_ALG_CTRL + 5)
+#define EVP_PKEY_CTRL_GET_EC_KDF_MD (EVP_PKEY_ALG_CTRL + 6)
+#define EVP_PKEY_CTRL_EC_KDF_OUTLEN (EVP_PKEY_ALG_CTRL + 7)
+#define EVP_PKEY_CTRL_GET_EC_KDF_OUTLEN (EVP_PKEY_ALG_CTRL + 8)
+#define EVP_PKEY_CTRL_EC_KDF_UKM (EVP_PKEY_ALG_CTRL + 9)
+#define EVP_PKEY_CTRL_GET_EC_KDF_UKM (EVP_PKEY_ALG_CTRL + 10)
+#define EVP_PKEY_CTRL_SET1_ID (EVP_PKEY_ALG_CTRL + 11)
+#define EVP_PKEY_CTRL_GET1_ID (EVP_PKEY_ALG_CTRL + 12)
+#define EVP_PKEY_CTRL_GET1_ID_LEN (EVP_PKEY_ALG_CTRL + 13)
+
+/* KDF types */
+#define EVP_PKEY_ECDH_KDF_NONE 1
+#define EVP_PKEY_ECDH_KDF_X9_63 2
 
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
@@ -1133,6 +1258,7 @@ void ERR_load_EC_strings(void);
 #define EC_R_INVALID_COMPRESSED_POINT 110
 #define EC_R_INVALID_COMPRESSION_BIT 109
 #define EC_R_INVALID_CURVE 141
+#define EC_R_INVALID_DIGEST 151
 #define EC_R_INVALID_DIGEST_TYPE 138
 #define EC_R_INVALID_ENCODING 102
 #define EC_R_INVALID_FIELD 103
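Review bot: `EVP_PKEY_CTX_set1_id` hands `(int)id_len` to `EVP_PKEY_CTX_ctrl` with no range check, so a `size_t` above INT_MAX arrives at the ctrl handler as a negative length; the handler (outside this hunk) must reject negative values, or the macro should be documented as requiring `id_len <= INT_MAX`, because the macro itself cannot fail cleanly. The `-2` argument in `EVP_PKEY_CTX_get_ecdh_cofactor_mode` and `EVP_PKEY_CTX_get_ecdh_kdf_type`, and the `-1, -1` keytype/optype in the `set1_id`/`get1_id`/`get1_id_len` macros, are undocumented sentinels; one comment above the first use, such as `/* p1 == -2 asks the ctrl to report the current setting instead of changing it; keytype/optype -1 means any */`, would spare readers a trip into the ctrl implementation. The comment `/* SM2 will skip the operation check ... */` refers to SM2 support that this hunk does not add; worth confirming it exists in this tree or rewording the comment so it does not promise it.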
@@ -1141,6 +1267,7 @@ void ERR_load_EC_strings(void);
 #define EC_R_INVALID_PENTANOMIAL_BASIS 132
 #define EC_R_INVALID_PRIVATE_KEY 123
 #define EC_R_INVALID_TRINOMIAL_BASIS 137
+#define EC_R_KDF_PARAMETER_ERROR 148
 #define EC_R_KEYS_NOT_SET 140
 #define EC_R_MISSING_PARAMETERS 124
 #define EC_R_MISSING_PRIVATE_KEY 125
@@ -1151,12 +1278,15 @@ void ERR_load_EC_strings(void);
 #define EC_R_NO_FIELD_MOD 133
 #define EC_R_NO_PARAMETERS_SET 139
 #define EC_R_PASSED_NULL_PARAMETER 134
+#define EC_R_PEER_KEY_ERROR 149
 #define EC_R_PKPARAMETERS2GROUP_FAILURE 127
 #define EC_R_POINT_AT_INFINITY 106
 #define EC_R_POINT_IS_NOT_ON_CURVE 107
+#define EC_R_SHARED_INFO_ERROR 150
 #define EC_R_SLOT_FULL 108
 #define EC_R_UNDEFINED_GENERATOR 113
 #define EC_R_UNDEFINED_ORDER 128
+#define EC_R_UNKNOWN_COFACTOR 164
 #define EC_R_UNKNOWN_GROUP 129
 #define EC_R_UNKNOWN_ORDER 114
 #define EC_R_UNSUPPORTED_FIELD 131
diff --git a/include/openssl/ecdsa.h b/include/openssl/ecdsa.h
index 9c53230..c4e107e 100644
--- a/include/openssl/ecdsa.h
+++ b/include/openssl/ecdsa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ecdsa.h,v 1.5 2018/03/17 15:24:44 tb Exp $ */
+/* $OpenBSD: ecdsa.h,v 1.8 2019/01/19 01:17:41 tb Exp $ */
 /**
 * \file crypto/ecdsa/ecdsa.h Include file for the OpenSSL ECDSA functions
 * \author Written by Nils Larsch for the OpenSSL project
@@ -269,6 +269,37 @@ int ECDSA_set_ex_data(EC_KEY *d, int idx, void *arg);
 void *ECDSA_get_ex_data(EC_KEY *d, int idx);
 
+/* XXX should be in ec.h, but needs ECDSA_SIG */
+void EC_KEY_METHOD_set_sign(EC_KEY_METHOD *meth,
+ int (*sign)(int type, const unsigned char *dgst,
+ int dlen, unsigned char *sig, unsigned int *siglen,
+ const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey),
+ int (*sign_setup)(EC_KEY *eckey, BN_CTX *ctx_in,
+ BIGNUM **kinvp, BIGNUM **rp),
+ ECDSA_SIG *(*sign_sig)(const unsigned char *dgst,
+ int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r,
+ EC_KEY *eckey));
+void EC_KEY_METHOD_set_verify(EC_KEY_METHOD *meth,
+ int (*verify)(int type, const unsigned char *dgst, int dgst_len,
+ const unsigned char *sigbuf, int sig_len, EC_KEY *eckey),
+ int (*verify_sig)(const unsigned char *dgst, int dgst_len,
+ const ECDSA_SIG *sig, EC_KEY *eckey));
+void EC_KEY_METHOD_get_sign(const EC_KEY_METHOD *meth,
+ int (**psign)(int type, const unsigned char *dgst,
+ int dlen, unsigned char *sig, unsigned int *siglen,
+ const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey),
+ int (**psign_setup)(EC_KEY *eckey, BN_CTX *ctx_in,
+ BIGNUM **kinvp, BIGNUM **rp),
+ ECDSA_SIG *(**psign_sig)(const unsigned char *dgst,
+ int dgst_len, const BIGNUM *in_kinv, const BIGNUM *in_r,
+ EC_KEY *eckey));
+void EC_KEY_METHOD_get_verify(const EC_KEY_METHOD *meth,
+ int (**pverify)(int type, const unsigned char *dgst, int dgst_len,
+ const unsigned char *sigbuf, int sig_len, EC_KEY *eckey),
+ int (**pverify_sig)(const unsigned char *dgst, int dgst_len,
+ const ECDSA_SIG *sig, EC_KEY *eckey));
+
+
 /* BEGIN ERROR CODES */
 /* The following lines are auto generated by the script mkerr.pl. Any changes
 * made after this point may be overwritten when the script is next run.
diff --git a/include/openssl/engine.h b/include/openssl/engine.h
index 30d1bde..dc14be8 100644
--- a/include/openssl/engine.h
+++ b/include/openssl/engine.h
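Review bot: The four `EC_KEY_METHOD_set_sign`/`_set_verify`/`_get_sign`/`_get_verify` declarations carry only `/* XXX should be in ec.h, but needs ECDSA_SIG */`, with nothing on the contract between `sign_setup`, which hands back `kinvp`/`rp`, and `sign_sig`, which consumes them as `in_kinv`/`in_r`. Because these hooks let an ENGINE replace the signing path, the header should state that a replacement `sign_setup` must produce a fresh, unpredictable pair per signature with the same secrecy requirements as the default implementation, since a reused or biased ECDSA nonce exposes the private key; e.g. `/* sign_setup must return a fresh, unpredictable kinv/r pair per signature and never reuse one; reuse or bias leaks the private key */`. A doxygen block in the `\file`/`\author` style this header already uses would be the natural place for it.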
@@ -1,4 +1,4 @@ -/* $OpenBSD: engine.h,v 1.31 2015/07/19 22:34:27 doug Exp $ */ +/* $OpenBSD: engine.h,v 1.33 2019/01/19 01:07:00 tb Exp $ */ /* Written by Geoff Thorpe (geoff@geoffthorpe.net) for the OpenSSL * project 2000. */ @@ -87,6 +87,9 @@ #ifndef OPENSSL_NO_ECDSA #include #endif +#ifndef OPENSSL_NO_EC +#include +#endif #include #include #endif @@ -112,6 +115,7 @@ extern "C" { #define ENGINE_METHOD_STORE (unsigned int)0x0100 #define ENGINE_METHOD_PKEY_METHS (unsigned int)0x0200 #define ENGINE_METHOD_PKEY_ASN1_METHS (unsigned int)0x0400 +#define ENGINE_METHOD_EC (unsigned int)0x0800 /* Obvious all-or-nothing cases. */ #define ENGINE_METHOD_ALL (unsigned int)0xFFFF #define ENGINE_METHOD_NONE (unsigned int)0x0000 @@ -353,6 +357,10 @@ int ENGINE_register_ECDSA(ENGINE *e); void ENGINE_unregister_ECDSA(ENGINE *e); void ENGINE_register_all_ECDSA(void); +int ENGINE_register_EC(ENGINE *e); +void ENGINE_unregister_EC(ENGINE *e); +void ENGINE_register_all_EC(void); + int ENGINE_register_DH(ENGINE *e); void ENGINE_unregister_DH(ENGINE *e); void ENGINE_register_all_DH(void); @@ -447,6 +455,7 @@ int ENGINE_set_RSA(ENGINE *e, const RSA_METHOD *rsa_meth); int ENGINE_set_DSA(ENGINE *e, const DSA_METHOD *dsa_meth); int ENGINE_set_ECDH(ENGINE *e, const ECDH_METHOD *ecdh_meth); int ENGINE_set_ECDSA(ENGINE *e, const ECDSA_METHOD *ecdsa_meth); +int ENGINE_set_EC(ENGINE *e, const EC_KEY_METHOD *ec_meth); int ENGINE_set_DH(ENGINE *e, const DH_METHOD *dh_meth); int ENGINE_set_RAND(ENGINE *e, const RAND_METHOD *rand_meth); int ENGINE_set_STORE(ENGINE *e, const STORE_METHOD *store_meth); 
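Review bot: The two `#include` directives in the `@@ -87,6 +87,9 @@` hunk show no header name in this rendering (the angle-bracketed file names appear to have been stripped), so it cannot be confirmed from the diff that the new `#ifndef OPENSSL_NO_EC` block includes the header declaring EC_KEY_METHOD, which the `ENGINE_set_EC` and `ENGINE_get_EC` prototypes further down this file now depend on. Note also that the EC_KEY_METHOD setters added in this same change live in ecdsa.h, whose include here is guarded by `OPENSSL_NO_ECDSA` rather than `OPENSSL_NO_EC`; a short comment on the new block naming the type it provides would make the guard choice checkable.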
@@ -486,6 +495,7 @@ const RSA_METHOD *ENGINE_get_RSA(const ENGINE *e); const DSA_METHOD *ENGINE_get_DSA(const ENGINE *e); const ECDH_METHOD *ENGINE_get_ECDH(const ENGINE *e); const ECDSA_METHOD *ENGINE_get_ECDSA(const ENGINE *e); +const EC_KEY_METHOD *ENGINE_get_EC(const ENGINE *e); const DH_METHOD *ENGINE_get_DH(const ENGINE *e); const RAND_METHOD *ENGINE_get_RAND(const ENGINE *e); const STORE_METHOD *ENGINE_get_STORE(const ENGINE *e); @@ -553,6 +563,7 @@ ENGINE *ENGINE_get_default_RSA(void); ENGINE *ENGINE_get_default_DSA(void); ENGINE *ENGINE_get_default_ECDH(void); ENGINE *ENGINE_get_default_ECDSA(void); +ENGINE *ENGINE_get_default_EC(void); ENGINE *ENGINE_get_default_DH(void); ENGINE *ENGINE_get_default_RAND(void); /* These functions can be used to get a functional reference to perform @@ -572,6 +583,7 @@ int ENGINE_set_default_string(ENGINE *e, const char *def_list); int ENGINE_set_default_DSA(ENGINE *e); int ENGINE_set_default_ECDH(ENGINE *e); int ENGINE_set_default_ECDSA(ENGINE *e); +int ENGINE_set_default_EC(ENGINE *e); int ENGINE_set_default_DH(ENGINE *e); int ENGINE_set_default_RAND(ENGINE *e); int ENGINE_set_default_ciphers(ENGINE *e); @@ -686,11 +698,6 @@ typedef int (*dynamic_bind_engine)(ENGINE *e, const char *id, if(!CRYPTO_set_mem_functions(fns->mem_fns.malloc_cb, \ fns->mem_fns.realloc_cb, fns->mem_fns.free_cb)) \ return 0; \ - CRYPTO_set_locking_callback(fns->lock_fns.lock_locking_cb); \ - CRYPTO_set_add_lock_callback(fns->lock_fns.lock_add_lock_cb); \ - CRYPTO_set_dynlock_create_callback(fns->lock_fns.dynlock_create_cb); \ - CRYPTO_set_dynlock_lock_callback(fns->lock_fns.dynlock_lock_cb); \ - CRYPTO_set_dynlock_destroy_callback(fns->lock_fns.dynlock_destroy_cb); \ if(!CRYPTO_set_ex_data_implementation(fns->ex_data_fns)) \ return 0; \ if(!ERR_set_implementation(fns->err_fns)) return 0; \ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index e12e771..f1fe8a1 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h 
@@ -1,4 +1,4 @@ -/* $OpenBSD: evp.h,v 1.58 2018/02/20 18:05:28 tb Exp $ */ +/* $OpenBSD: evp.h,v 1.79 2020/04/27 19:31:02 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -99,6 +99,7 @@ #define EVP_PKEY_NONE NID_undef #define EVP_PKEY_RSA NID_rsaEncryption +#define EVP_PKEY_RSA_PSS NID_rsassaPss #define EVP_PKEY_RSA2 NID_rsa #define EVP_PKEY_DSA NID_dsa #define EVP_PKEY_DSA1 NID_dsa_2 @@ -325,6 +326,7 @@ struct evp_cipher_st { #define EVP_CIPH_GCM_MODE 0x6 #define EVP_CIPH_CCM_MODE 0x7 #define EVP_CIPH_XTS_MODE 0x10001 +#define EVP_CIPH_WRAP_MODE 0x10002 #define EVP_CIPH_MODE 0xF0007 /* Set if variable length cipher */ #define EVP_CIPH_VARIABLE_LENGTH 0x8 @@ -356,6 +358,12 @@ struct evp_cipher_st { #define EVP_CIPH_FLAG_CUSTOM_CIPHER 0x100000 #define EVP_CIPH_FLAG_AEAD_CIPHER 0x200000 +/* + * Cipher context flag to indicate that we can handle wrap mode: if allowed in + * older applications, it could overflow buffers. + */ +#define EVP_CIPHER_CTX_FLAG_WRAP_ALLOW 0x1 + /* ctrl() values */ #define EVP_CTRL_INIT 0x0 @@ -491,10 +499,15 @@ unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher); #define EVP_CIPHER_mode(e) (EVP_CIPHER_flags(e) & EVP_CIPH_MODE) const EVP_CIPHER * EVP_CIPHER_CTX_cipher(const EVP_CIPHER_CTX *ctx); +int EVP_CIPHER_CTX_encrypting(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_nid(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_block_size(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_key_length(const EVP_CIPHER_CTX *ctx); int EVP_CIPHER_CTX_iv_length(const EVP_CIPHER_CTX *ctx); +int EVP_CIPHER_CTX_get_iv(const EVP_CIPHER_CTX *ctx, + unsigned char *iv, size_t len); +int EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, + const unsigned char *iv, size_t len); int EVP_CIPHER_CTX_copy(EVP_CIPHER_CTX *out, const EVP_CIPHER_CTX *in); void * EVP_CIPHER_CTX_get_app_data(const EVP_CIPHER_CTX *ctx); void EVP_CIPHER_CTX_set_app_data(EVP_CIPHER_CTX *ctx, void *data); 
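Review bot: `EVP_CIPHER_CTX_get_iv` and `EVP_CIPHER_CTX_set_iv` take a `size_t len`, but the header does not say how `len` must relate to `EVP_CIPHER_CTX_iv_length(ctx)` or what the `int` return signals; the `EVP_R_INVALID_IV_LENGTH` code added later in this file suggests a mismatch is rejected, which is exactly what a caller needs to know. A comment such as `/* len must equal EVP_CIPHER_CTX_iv_length(ctx); returns 1 on success, 0 on length mismatch */` (confirmed against the implementation) would document it. The new `EVP_CIPHER_CTX_FLAG_WRAP_ALLOW` comment explains why wrap mode is opt-in but not how to opt in; naming the flag setter it is meant for (presumably `EVP_CIPHER_CTX_set_flags`) would close the loop for readers who only see the header.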
@@ -617,7 +630,8 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen); int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey); -int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, unsigned char *sig, size_t siglen); +int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, + size_t siglen); int EVP_OpenInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, const unsigned char *ek, int ekl, const unsigned char *iv, EVP_PKEY *priv); @@ -628,8 +642,10 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *type, int npubk); int EVP_SealFinal(EVP_CIPHER_CTX *ctx, unsigned char *out, int *outl); +EVP_ENCODE_CTX *EVP_ENCODE_CTX_new(void); +void EVP_ENCODE_CTX_free(EVP_ENCODE_CTX *ctx); void EVP_EncodeInit(EVP_ENCODE_CTX *ctx); -void EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, +int EVP_EncodeUpdate(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl, const unsigned char *in, int inl); void EVP_EncodeFinal(EVP_ENCODE_CTX *ctx, unsigned char *out, int *outl); int EVP_EncodeBlock(unsigned char *t, const unsigned char *f, int n); @@ -651,10 +667,10 @@ int EVP_CIPHER_CTX_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr); int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key); #ifndef OPENSSL_NO_BIO -BIO_METHOD *BIO_f_md(void); -BIO_METHOD *BIO_f_base64(void); -BIO_METHOD *BIO_f_cipher(void); -void BIO_set_cipher(BIO *b, const EVP_CIPHER *c, const unsigned char *k, +const BIO_METHOD *BIO_f_md(void); +const BIO_METHOD *BIO_f_base64(void); +const BIO_METHOD *BIO_f_cipher(void); +int BIO_set_cipher(BIO *b, const EVP_CIPHER *c, const unsigned char *k, const unsigned char *i, int enc); #endif @@ -680,6 +696,9 @@ const EVP_MD *EVP_sha256(void); const EVP_MD *EVP_sha384(void); const EVP_MD *EVP_sha512(void); #endif +#ifndef OPENSSL_NO_SM3 +const EVP_MD *EVP_sm3(void); +#endif #ifndef OPENSSL_NO_RIPEMD const EVP_MD *EVP_ripemd160(void); #endif 
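Review bot: `EVP_EncodeUpdate` and `BIO_set_cipher` change their return type from `void` to `int`, but nothing in the header says what the new value means, and every existing caller compiles unchanged while silently discarding it, which matters if 0 now reports a failure such as an oversized base64 input or a failed cipher initialisation. A one-line comment on each, e.g. `/* Returns 1 on success, 0 on error; callers must check the result */` (confirmed against the implementation), would make the new contract visible. The same void-to-int change is made for `PEM_SignInit` and `PEM_SignUpdate` in the pem.h hunk later in this diff and should be documented there as well.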
@@ -765,6 +784,7 @@ const EVP_CIPHER *EVP_aes_128_ofb(void); const EVP_CIPHER *EVP_aes_128_ctr(void); const EVP_CIPHER *EVP_aes_128_ccm(void); const EVP_CIPHER *EVP_aes_128_gcm(void); +const EVP_CIPHER *EVP_aes_128_wrap(void); const EVP_CIPHER *EVP_aes_128_xts(void); const EVP_CIPHER *EVP_aes_192_ecb(void); const EVP_CIPHER *EVP_aes_192_cbc(void); @@ -776,6 +796,7 @@ const EVP_CIPHER *EVP_aes_192_ofb(void); const EVP_CIPHER *EVP_aes_192_ctr(void); const EVP_CIPHER *EVP_aes_192_ccm(void); const EVP_CIPHER *EVP_aes_192_gcm(void); +const EVP_CIPHER *EVP_aes_192_wrap(void); const EVP_CIPHER *EVP_aes_256_ecb(void); const EVP_CIPHER *EVP_aes_256_cbc(void); const EVP_CIPHER *EVP_aes_256_cfb1(void); @@ -786,6 +807,7 @@ const EVP_CIPHER *EVP_aes_256_ofb(void); const EVP_CIPHER *EVP_aes_256_ctr(void); const EVP_CIPHER *EVP_aes_256_ccm(void); const EVP_CIPHER *EVP_aes_256_gcm(void); +const EVP_CIPHER *EVP_aes_256_wrap(void); const EVP_CIPHER *EVP_aes_256_xts(void); #if !defined(OPENSSL_NO_SHA) && !defined(OPENSSL_NO_SHA1) const EVP_CIPHER *EVP_aes_128_cbc_hmac_sha1(void); @@ -826,6 +848,15 @@ const EVP_CIPHER *EVP_gost2814789_cfb64(void); const EVP_CIPHER *EVP_gost2814789_cnt(void); #endif +#ifndef OPENSSL_NO_SM4 +const EVP_CIPHER *EVP_sm4_ecb(void); +const EVP_CIPHER *EVP_sm4_cbc(void); +const EVP_CIPHER *EVP_sm4_cfb128(void); +#define EVP_sm4_cfb EVP_sm4_cfb128 +const EVP_CIPHER *EVP_sm4_ofb(void); +const EVP_CIPHER *EVP_sm4_ctr(void); +#endif + void OPENSSL_add_all_algorithms_noconf(void); void OPENSSL_add_all_algorithms_conf(void); 
@@ -866,12 +897,13 @@ int EVP_PKEY_encrypt_old(unsigned char *enc_key, const unsigned char *key, int EVP_PKEY_type(int type); int EVP_PKEY_id(const EVP_PKEY *pkey); int EVP_PKEY_base_id(const EVP_PKEY *pkey); -int EVP_PKEY_bits(EVP_PKEY *pkey); -int EVP_PKEY_size(EVP_PKEY *pkey); +int EVP_PKEY_bits(const EVP_PKEY *pkey); +int EVP_PKEY_size(const EVP_PKEY *pkey); int EVP_PKEY_set_type(EVP_PKEY *pkey, int type); int EVP_PKEY_set_type_str(EVP_PKEY *pkey, const char *str, int len); int EVP_PKEY_assign(EVP_PKEY *pkey, int type, void *key); -void *EVP_PKEY_get0(EVP_PKEY *pkey); +void *EVP_PKEY_get0(const EVP_PKEY *pkey); +const unsigned char *EVP_PKEY_get0_hmac(const EVP_PKEY *pkey, size_t *len); #ifndef OPENSSL_NO_RSA struct rsa_st; @@ -983,6 +1015,7 @@ void EVP_PBE_cleanup(void); #define ASN1_PKEY_CTRL_DEFAULT_MD_NID 0x3 #define ASN1_PKEY_CTRL_CMS_SIGN 0x5 #define ASN1_PKEY_CTRL_CMS_ENVELOPE 0x7 +#define ASN1_PKEY_CTRL_CMS_RI_TYPE 0x8 int EVP_PKEY_asn1_get_count(void); const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx); @@ -995,7 +1028,7 @@ int EVP_PKEY_asn1_get0_info(int *ppkey_id, int *pkey_base_id, int *ppkey_flags, const char **pinfo, const char **ppem_str, const EVP_PKEY_ASN1_METHOD *ameth); -const EVP_PKEY_ASN1_METHOD* EVP_PKEY_get0_asn1(EVP_PKEY *pkey); +const EVP_PKEY_ASN1_METHOD* EVP_PKEY_get0_asn1(const EVP_PKEY *pkey); EVP_PKEY_ASN1_METHOD* EVP_PKEY_asn1_new(int id, int flags, const char *pem_str, const char *info); void EVP_PKEY_asn1_copy(EVP_PKEY_ASN1_METHOD *dst, 
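Review bot: `EVP_PKEY_get0_hmac` is declared to return a `const unsigned char *` plus a length with no comment on ownership or on the failure case. By the `get0` naming convention the pointer presumably aliases key material held inside `pkey` and must not be freed or used after the key is released, and the `EVP_R_EXPECTING_AN_HMAC_KEY` code added later in this file suggests it fails for a non-HMAC key; a comment stating both, e.g. `/* Returns a pointer into pkey (do not free); NULL if pkey is not an HMAC key */`, would keep raw key bytes from being mishandled by callers.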
@@ -1010,7 +1043,7 @@ void EVP_PKEY_asn1_set_public(EVP_PKEY_ASN1_METHOD *ameth, int (*pkey_size)(const EVP_PKEY *pk), int (*pkey_bits)(const EVP_PKEY *pk)); void EVP_PKEY_asn1_set_private(EVP_PKEY_ASN1_METHOD *ameth, - int (*priv_decode)(EVP_PKEY *pk, PKCS8_PRIV_KEY_INFO *p8inf), + int (*priv_decode)(EVP_PKEY *pk, const PKCS8_PRIV_KEY_INFO *p8inf), int (*priv_encode)(PKCS8_PRIV_KEY_INFO *p8, const EVP_PKEY *pk), int (*priv_print)(BIO *out, const EVP_PKEY *pkey, int indent, ASN1_PCTX *pctx)); @@ -1053,9 +1086,13 @@ void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth, #define EVP_PKEY_OP_TYPE_GEN \ (EVP_PKEY_OP_PARAMGEN | EVP_PKEY_OP_KEYGEN) -#define EVP_PKEY_CTX_set_signature_md(ctx, md) \ - EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_SIG, \ - EVP_PKEY_CTRL_MD, 0, (void *)md) +#define EVP_PKEY_CTX_set_signature_md(ctx, md) \ + EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_SIG, \ + EVP_PKEY_CTRL_MD, 0, (void *)md) + +#define EVP_PKEY_CTX_get_signature_md(ctx, pmd) \ + EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_TYPE_SIG, \ + EVP_PKEY_CTRL_GET_MD, 0, (void *)(pmd)) #define EVP_PKEY_CTRL_MD 1 #define EVP_PKEY_CTRL_PEER_KEY 2 @@ -1078,6 +1115,8 @@ void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth, #define EVP_PKEY_CTRL_CIPHER 12 +#define EVP_PKEY_CTRL_GET_MD 13 + #define EVP_PKEY_ALG_CTRL 0x1000 @@ -1232,6 +1271,8 @@ const EVP_AEAD *EVP_aead_aes_256_gcm(void); #if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305) /* EVP_aead_chacha20_poly1305 is ChaCha20 with a Poly1305 authenticator. */ const EVP_AEAD *EVP_aead_chacha20_poly1305(void); +/* EVP_aead_xchacha20_poly1305 is XChaCha20 with a Poly1305 authenticator. */ +const EVP_AEAD *EVP_aead_xchacha20_poly1305(void); #endif /* EVP_AEAD_key_length returns the length of the keys used. */ 
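Review bot: The new `EVP_PKEY_CTX_get_signature_md` macro parenthesizes its argument as `(void *)(pmd)`, while the reflowed `EVP_PKEY_CTX_set_signature_md` directly above still uses `(void *)md`; since that macro was rewritten anyway, changing it to `(void *)(md)` would keep the pair consistent and avoid surprises when `md` is passed as an expression. A short comment beside `EVP_PKEY_CTRL_GET_MD 13` noting that it pairs with `EVP_PKEY_CTX_get_signature_md` would also help, as the ctrl value is defined well after the macro that uses it.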
@@ -1455,6 +1496,7 @@ void ERR_load_EVP_strings(void); #define EVP_R_ERROR_LOADING_SECTION 165 #define EVP_R_ERROR_SETTING_FIPS_MODE 166 #define EVP_R_EVP_PBE_CIPHERINIT_ERROR 119 +#define EVP_R_EXPECTING_AN_HMAC_KEY 174 #define EVP_R_EXPECTING_AN_RSA_KEY 127 #define EVP_R_EXPECTING_A_DH_KEY 128 #define EVP_R_EXPECTING_A_DSA_KEY 129 @@ -1465,6 +1507,7 @@ void ERR_load_EVP_strings(void); #define EVP_R_INPUT_NOT_INITIALIZED 111 #define EVP_R_INVALID_DIGEST 152 #define EVP_R_INVALID_FIPS_MODE 168 +#define EVP_R_INVALID_IV_LENGTH 194 #define EVP_R_INVALID_KEY_LENGTH 130 #define EVP_R_INVALID_OPERATION 148 #define EVP_R_IV_TOO_LARGE 102 @@ -1501,6 +1544,7 @@ void ERR_load_EVP_strings(void); #define EVP_R_UNSUPPORTED_KEY_SIZE 108 #define EVP_R_UNSUPPORTED_PRF 125 #define EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM 118 +#define EVP_R_WRAP_MODE_NOT_ALLOWED 170 #define EVP_R_UNSUPPORTED_SALT_TYPE 126 #define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109 #define EVP_R_WRONG_PUBLIC_KEY_TYPE 110 diff --git a/include/openssl/hkdf.h b/include/openssl/hkdf.h index fb0fac3..34450f9 100644 --- a/include/openssl/hkdf.h +++ b/include/openssl/hkdf.h @@ -1,3 +1,4 @@ +/* $OpenBSD: hkdf.h,v 1.2 2018/04/03 13:33:53 tb Exp $ */ /* Copyright (c) 2014, Google Inc. * * Permission to use, copy, modify, and/or distribute this software for any diff --git a/include/openssl/modes.h b/include/openssl/modes.h index a532cb3..67ec751 100644 --- a/include/openssl/modes.h +++ b/include/openssl/modes.h @@ -1,4 +1,4 @@ -/* $OpenBSD: modes.h,v 1.2 2014/06/12 15:49:30 deraadt Exp $ */ +/* $OpenBSD: modes.h,v 1.3 2018/07/24 10:47:19 bcook Exp $ */ /* ==================================================================== * Copyright (c) 2008 The OpenSSL Project. All rights reserved. * @@ -8,6 +8,10 @@ #include +#ifdef __cplusplus +extern "C" { +#endif + typedef void (*block128_f)(const unsigned char in[16], unsigned char out[16], const void *key); 
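Review bot: `EVP_R_WRAP_MODE_NOT_ALLOWED 170` is inserted between `EVP_R_UNSUPPORTED_PRIVATE_KEY_ALGORITHM` and `EVP_R_UNSUPPORTED_SALT_TYPE`, breaking the alphabetical order the rest of this auto-generated block follows. Since the block is produced by mkerr.pl, the placement should be corrected in the generator input rather than by hand so the ordering survives the next run.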
@@ -134,3 +138,7 @@ typedef struct xts128_context XTS128_CONTEXT; int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx, const unsigned char iv[16], const unsigned char *inp, unsigned char *out, size_t len, int enc); + +#ifdef __cplusplus +} +#endif diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h index 2f7b6a9..3ed1087 100644 --- a/include/openssl/obj_mac.h +++ b/include/openssl/obj_mac.h @@ -590,6 +590,11 @@ #define NID_mgf1 911 #define OBJ_mgf1 OBJ_pkcs1,8L +#define SN_pSpecified "PSPECIFIED" +#define LN_pSpecified "pSpecified" +#define NID_pSpecified 992 +#define OBJ_pSpecified OBJ_pkcs1,9L + #define SN_rsassaPss "RSASSA-PSS" #define LN_rsassaPss "rsassaPss" #define NID_rsassaPss 912 @@ -3895,6 +3900,16 @@ #define NID_id_GostR3410_2001_ParamSet_cc 854 #define OBJ_id_GostR3410_2001_ParamSet_cc OBJ_cryptocom,1L,8L,1L +#define SN_sm3 "SM3" +#define LN_sm3 "sm3" +#define NID_sm3 968 +#define OBJ_sm3 1L,2L,156L,10197L,1L,401L + +#define SN_sm3WithRSAEncryption "RSA-SM3" +#define LN_sm3WithRSAEncryption "sm3WithRSAEncryption" +#define NID_sm3WithRSAEncryption 969 +#define OBJ_sm3WithRSAEncryption 1L,2L,156L,10197L,1L,504L + #define SN_camellia_128_cbc "CAMELLIA-128-CBC" #define LN_camellia_128_cbc "camellia-128-cbc" #define NID_camellia_128_cbc 751 
@@ -4020,6 +4035,54 @@ #define NID_seed_ofb128 778 #define OBJ_seed_ofb128 OBJ_kisa,1L,6L +#define SN_ISO_CN "ISO-CN" +#define LN_ISO_CN "ISO CN Member Body" +#define NID_ISO_CN 970 +#define OBJ_ISO_CN OBJ_member_body,156L + +#define SN_oscca "oscca" +#define NID_oscca 971 +#define OBJ_oscca OBJ_ISO_CN,10197L + +#define SN_sm_scheme "sm-scheme" +#define NID_sm_scheme 972 +#define OBJ_sm_scheme OBJ_oscca,1L + +#define SN_sm4_ecb "SM4-ECB" +#define LN_sm4_ecb "sm4-ecb" +#define NID_sm4_ecb 973 +#define OBJ_sm4_ecb OBJ_sm_scheme,104L,1L + +#define SN_sm4_cbc "SM4-CBC" +#define LN_sm4_cbc "sm4-cbc" +#define NID_sm4_cbc 974 +#define OBJ_sm4_cbc OBJ_sm_scheme,104L,2L + +#define SN_sm4_ofb128 "SM4-OFB" +#define LN_sm4_ofb128 "sm4-ofb" +#define NID_sm4_ofb128 975 +#define OBJ_sm4_ofb128 OBJ_sm_scheme,104L,3L + +#define SN_sm4_cfb128 "SM4-CFB" +#define LN_sm4_cfb128 "sm4-cfb" +#define NID_sm4_cfb128 976 +#define OBJ_sm4_cfb128 OBJ_sm_scheme,104L,4L + +#define SN_sm4_cfb1 "SM4-CFB1" +#define LN_sm4_cfb1 "sm4-cfb1" +#define NID_sm4_cfb1 977 +#define OBJ_sm4_cfb1 OBJ_sm_scheme,104L,5L + +#define SN_sm4_cfb8 "SM4-CFB8" +#define LN_sm4_cfb8 "sm4-cfb8" +#define NID_sm4_cfb8 978 +#define OBJ_sm4_cfb8 OBJ_sm_scheme,104L,6L + +#define SN_sm4_ctr "SM4-CTR" +#define LN_sm4_ctr "sm4-ctr" +#define NID_sm4_ctr 979 +#define OBJ_sm4_ctr OBJ_sm_scheme,104L,7L + #define SN_hmac "HMAC" #define LN_hmac "hmac" #define NID_hmac 855 
@@ -4044,6 +4107,56 @@ #define LN_aes_256_cbc_hmac_sha1 "aes-256-cbc-hmac-sha1" #define NID_aes_256_cbc_hmac_sha1 918 +#define OBJ_x9_63_scheme 1L,3L,133L,16L,840L,63L,0L + +#define OBJ_secg_scheme OBJ_certicom_arc,1L + +#define SN_dhSinglePass_stdDH_sha1kdf_scheme "dhSinglePass-stdDH-sha1kdf-scheme" +#define NID_dhSinglePass_stdDH_sha1kdf_scheme 980 +#define OBJ_dhSinglePass_stdDH_sha1kdf_scheme OBJ_x9_63_scheme,2L + +#define SN_dhSinglePass_stdDH_sha224kdf_scheme "dhSinglePass-stdDH-sha224kdf-scheme" +#define NID_dhSinglePass_stdDH_sha224kdf_scheme 981 +#define OBJ_dhSinglePass_stdDH_sha224kdf_scheme OBJ_secg_scheme,11L,0L + +#define SN_dhSinglePass_stdDH_sha256kdf_scheme "dhSinglePass-stdDH-sha256kdf-scheme" +#define NID_dhSinglePass_stdDH_sha256kdf_scheme 982 +#define OBJ_dhSinglePass_stdDH_sha256kdf_scheme OBJ_secg_scheme,11L,1L + +#define SN_dhSinglePass_stdDH_sha384kdf_scheme "dhSinglePass-stdDH-sha384kdf-scheme" +#define NID_dhSinglePass_stdDH_sha384kdf_scheme 983 +#define OBJ_dhSinglePass_stdDH_sha384kdf_scheme OBJ_secg_scheme,11L,2L + +#define SN_dhSinglePass_stdDH_sha512kdf_scheme "dhSinglePass-stdDH-sha512kdf-scheme" +#define NID_dhSinglePass_stdDH_sha512kdf_scheme 984 +#define OBJ_dhSinglePass_stdDH_sha512kdf_scheme OBJ_secg_scheme,11L,3L + +#define SN_dhSinglePass_cofactorDH_sha1kdf_scheme "dhSinglePass-cofactorDH-sha1kdf-scheme" +#define NID_dhSinglePass_cofactorDH_sha1kdf_scheme 985 +#define OBJ_dhSinglePass_cofactorDH_sha1kdf_scheme OBJ_x9_63_scheme,3L + +#define SN_dhSinglePass_cofactorDH_sha224kdf_scheme "dhSinglePass-cofactorDH-sha224kdf-scheme" +#define NID_dhSinglePass_cofactorDH_sha224kdf_scheme 986 +#define OBJ_dhSinglePass_cofactorDH_sha224kdf_scheme OBJ_secg_scheme,14L,0L + +#define SN_dhSinglePass_cofactorDH_sha256kdf_scheme "dhSinglePass-cofactorDH-sha256kdf-scheme" +#define NID_dhSinglePass_cofactorDH_sha256kdf_scheme 987 +#define OBJ_dhSinglePass_cofactorDH_sha256kdf_scheme OBJ_secg_scheme,14L,1L + +#define 
SN_dhSinglePass_cofactorDH_sha384kdf_scheme "dhSinglePass-cofactorDH-sha384kdf-scheme" +#define NID_dhSinglePass_cofactorDH_sha384kdf_scheme 988 +#define OBJ_dhSinglePass_cofactorDH_sha384kdf_scheme OBJ_secg_scheme,14L,2L + +#define SN_dhSinglePass_cofactorDH_sha512kdf_scheme "dhSinglePass-cofactorDH-sha512kdf-scheme" +#define NID_dhSinglePass_cofactorDH_sha512kdf_scheme 989 +#define OBJ_dhSinglePass_cofactorDH_sha512kdf_scheme OBJ_secg_scheme,14L,3L + +#define SN_dh_std_kdf "dh-std-kdf" +#define NID_dh_std_kdf 990 + +#define SN_dh_cofactor_kdf "dh-cofactor-kdf" +#define NID_dh_cofactor_kdf 991 + #define SN_teletrust "teletrust" #define NID_teletrust 920 #define OBJ_teletrust OBJ_identified_organization,36L 
@@ -4140,13 +4253,55 @@ #define NID_id_tc26_gost3411_2012_512 942 #define OBJ_id_tc26_gost3411_2012_512 OBJ_tc26,1L,2L,3L -#define SN_id_tc26_gost_3410_2012_512_paramSetA "id-tc26-gost-3410-2012-512-paramSetA" -#define NID_id_tc26_gost_3410_2012_512_paramSetA 943 -#define OBJ_id_tc26_gost_3410_2012_512_paramSetA OBJ_tc26,2L,1L,2L,1L +#define SN_id_tc26_hmac_gost_3411_12_256 "id-tc26-hmac-gost-3411-12-256" +#define LN_id_tc26_hmac_gost_3411_12_256 "HMAC STREEBOG 256" +#define NID_id_tc26_hmac_gost_3411_12_256 999 +#define OBJ_id_tc26_hmac_gost_3411_12_256 OBJ_tc26,1L,4L,1L -#define SN_id_tc26_gost_3410_2012_512_paramSetB "id-tc26-gost-3410-2012-512-paramSetB" -#define NID_id_tc26_gost_3410_2012_512_paramSetB 944 -#define OBJ_id_tc26_gost_3410_2012_512_paramSetB OBJ_tc26,2L,1L,2L,2L +#define SN_id_tc26_hmac_gost_3411_12_512 "id-tc26-hmac-gost-3411-12-512" +#define LN_id_tc26_hmac_gost_3411_12_512 "HMAC STREEBOG 512" +#define NID_id_tc26_hmac_gost_3411_12_512 1000 +#define OBJ_id_tc26_hmac_gost_3411_12_512 OBJ_tc26,1L,4L,2L + +#define SN_id_tc26_gost_3410_12_256_paramSetA "id-tc26-gost-3410-12-256-paramSetA" +#define LN_id_tc26_gost_3410_12_256_paramSetA "GOST R 34.10-2012 (256 bit) ParamSet A" +#define NID_id_tc26_gost_3410_12_256_paramSetA 993 +#define OBJ_id_tc26_gost_3410_12_256_paramSetA OBJ_tc26,2L,1L,1L,1L + +#define SN_id_tc26_gost_3410_12_256_paramSetB "id-tc26-gost-3410-12-256-paramSetB" +#define LN_id_tc26_gost_3410_12_256_paramSetB "GOST R 34.10-2012 (256 bit) ParamSet B" +#define NID_id_tc26_gost_3410_12_256_paramSetB 994 +#define OBJ_id_tc26_gost_3410_12_256_paramSetB OBJ_tc26,2L,1L,1L,2L + +#define SN_id_tc26_gost_3410_12_256_paramSetC "id-tc26-gost-3410-12-256-paramSetC" +#define LN_id_tc26_gost_3410_12_256_paramSetC "GOST R 34.10-2012 (256 bit) ParamSet C" +#define NID_id_tc26_gost_3410_12_256_paramSetC 995 +#define OBJ_id_tc26_gost_3410_12_256_paramSetC OBJ_tc26,2L,1L,1L,3L + +#define SN_id_tc26_gost_3410_12_256_paramSetD 
"id-tc26-gost-3410-12-256-paramSetD" +#define LN_id_tc26_gost_3410_12_256_paramSetD "GOST R 34.10-2012 (256 bit) ParamSet D" +#define NID_id_tc26_gost_3410_12_256_paramSetD 996 +#define OBJ_id_tc26_gost_3410_12_256_paramSetD OBJ_tc26,2L,1L,1L,4L + +#define SN_id_tc26_gost_3410_12_512_paramSetTest "id-tc26-gost-3410-12-512-paramSetTest" +#define LN_id_tc26_gost_3410_12_512_paramSetTest "GOST R 34.10-2012 (512 bit) testing parameter set" +#define NID_id_tc26_gost_3410_12_512_paramSetTest 997 +#define OBJ_id_tc26_gost_3410_12_512_paramSetTest OBJ_tc26,2L,1L,2L,0L + +#define SN_id_tc26_gost_3410_12_512_paramSetA "id-tc26-gost-3410-12-512-paramSetA" +#define LN_id_tc26_gost_3410_12_512_paramSetA "GOST R 34.10-2012 (512 bit) ParamSet A" +#define NID_id_tc26_gost_3410_12_512_paramSetA 943 +#define OBJ_id_tc26_gost_3410_12_512_paramSetA OBJ_tc26,2L,1L,2L,1L + +#define SN_id_tc26_gost_3410_12_512_paramSetB "id-tc26-gost-3410-12-512-paramSetB" +#define LN_id_tc26_gost_3410_12_512_paramSetB "GOST R 34.10-2012 (512 bit) ParamSet B" +#define NID_id_tc26_gost_3410_12_512_paramSetB 944 +#define OBJ_id_tc26_gost_3410_12_512_paramSetB OBJ_tc26,2L,1L,2L,2L + +#define SN_id_tc26_gost_3410_12_512_paramSetC "id-tc26-gost-3410-12-512-paramSetC" +#define LN_id_tc26_gost_3410_12_512_paramSetC "GOST R 34.10-2012 (512 bit) ParamSet C" +#define NID_id_tc26_gost_3410_12_512_paramSetC 998 +#define OBJ_id_tc26_gost_3410_12_512_paramSetC OBJ_tc26,2L,1L,2L,3L #define SN_id_tc26_gost_28147_param_Z "id-tc26-gost-28147-param-Z" #define NID_id_tc26_gost_28147_param_Z 945 diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h index b2c4367..316fb8e 100644 --- a/include/openssl/ocsp.h +++ b/include/openssl/ocsp.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ocsp.h,v 1.12 2018/03/17 14:44:34 jsing Exp $ */ +/* $OpenBSD: ocsp.h,v 1.16 2018/08/24 20:03:21 tb Exp $ */ /* Written by Tom Titchener for the OpenSSL * project. */ 
@@ -383,8 +383,8 @@ typedef struct ocsp_service_locator_st { OCSP_CERTID *OCSP_CERTID_dup(OCSP_CERTID *id); -OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, char *path, OCSP_REQUEST *req); -OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, char *path, OCSP_REQUEST *req, +OCSP_RESPONSE *OCSP_sendreq_bio(BIO *b, const char *path, OCSP_REQUEST *req); +OCSP_REQ_CTX *OCSP_sendreq_new(BIO *io, const char *path, OCSP_REQUEST *req, int maxline); int OCSP_sendreq_nbio(OCSP_RESPONSE **presp, OCSP_REQ_CTX *rctx); void OCSP_REQ_CTX_free(OCSP_REQ_CTX *rctx); @@ -392,10 +392,11 @@ int OCSP_REQ_CTX_set1_req(OCSP_REQ_CTX *rctx, OCSP_REQUEST *req); int OCSP_REQ_CTX_add1_header(OCSP_REQ_CTX *rctx, const char *name, const char *value); -OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, X509 *subject, X509 *issuer); +OCSP_CERTID *OCSP_cert_to_id(const EVP_MD *dgst, const X509 *subject, + const X509 *issuer); -OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, X509_NAME *issuerName, - ASN1_BIT_STRING* issuerKey, ASN1_INTEGER *serialNumber); +OCSP_CERTID *OCSP_cert_id_new(const EVP_MD *dgst, const X509_NAME *issuerName, + const ASN1_BIT_STRING *issuerKey, const ASN1_INTEGER *serialNumber); OCSP_ONEREQ *OCSP_request_add0_id(OCSP_REQUEST *req, OCSP_CERTID *cid); @@ -428,8 +429,8 @@ int OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd, int OCSP_request_verify(OCSP_REQUEST *req, STACK_OF(X509) *certs, X509_STORE *store, unsigned long flags); -int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, - int *pssl); +int OCSP_parse_url(const char *url, char **phost, char **pport, + char **ppath, int *pssl); int OCSP_id_issuer_cmp(OCSP_CERTID *a, OCSP_CERTID *b); int OCSP_id_cmp(OCSP_CERTID *a, OCSP_CERTID *b); 
@@ -449,17 +450,17 @@ int OCSP_basic_add1_cert(OCSP_BASICRESP *resp, X509 *cert); int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, const EVP_MD *dgst, STACK_OF(X509) *certs, unsigned long flags); -X509_EXTENSION *OCSP_crlID_new(char *url, long *n, char *tim); +X509_EXTENSION *OCSP_crlID_new(const char *url, long *n, char *tim); X509_EXTENSION *OCSP_accept_responses_new(char **oids); X509_EXTENSION *OCSP_archive_cutoff_new(char* tim); -X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, char **urls); +X509_EXTENSION *OCSP_url_svcloc_new(X509_NAME* issuer, const char **urls); int OCSP_REQUEST_get_ext_count(OCSP_REQUEST *x); int OCSP_REQUEST_get_ext_by_NID(OCSP_REQUEST *x, int nid, int lastpos); -int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, ASN1_OBJECT *obj, +int OCSP_REQUEST_get_ext_by_OBJ(OCSP_REQUEST *x, const ASN1_OBJECT *obj, int lastpos); int OCSP_REQUEST_get_ext_by_critical(OCSP_REQUEST *x, int crit, int lastpos); @@ -472,7 +473,7 @@ int OCSP_REQUEST_add_ext(OCSP_REQUEST *x, X509_EXTENSION *ex, int loc); int OCSP_ONEREQ_get_ext_count(OCSP_ONEREQ *x); int OCSP_ONEREQ_get_ext_by_NID(OCSP_ONEREQ *x, int nid, int lastpos); -int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, ASN1_OBJECT *obj, +int OCSP_ONEREQ_get_ext_by_OBJ(OCSP_ONEREQ *x, const ASN1_OBJECT *obj, int lastpos); int OCSP_ONEREQ_get_ext_by_critical(OCSP_ONEREQ *x, int crit, int lastpos); X509_EXTENSION *OCSP_ONEREQ_get_ext(OCSP_ONEREQ *x, int loc); @@ -484,7 +485,7 @@ int OCSP_ONEREQ_add_ext(OCSP_ONEREQ *x, X509_EXTENSION *ex, int loc); int OCSP_BASICRESP_get_ext_count(OCSP_BASICRESP *x); int OCSP_BASICRESP_get_ext_by_NID(OCSP_BASICRESP *x, int nid, int lastpos); -int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, ASN1_OBJECT *obj, +int OCSP_BASICRESP_get_ext_by_OBJ(OCSP_BASICRESP *x, const ASN1_OBJECT *obj, int lastpos); int OCSP_BASICRESP_get_ext_by_critical(OCSP_BASICRESP *x, int crit, int lastpos); 
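Review bot: `OCSP_url_svcloc_new` now takes `const char **urls` where it took `char **urls`; in C a `char **` does not convert implicitly to `const char **`, so existing callers that build an array of `char *` now get a compiler diagnostic and need a cast, a source-level break that the other const additions in this file (`const char *url`, `const ASN1_OBJECT *obj`) do not cause. If the break is intended it should be called out in the release notes; otherwise `char *const *urls` accepts the old callers without a cast while still promising not to modify the array. Separately, `OCSP_crlID_new` gains `const char *url` but leaves `char *tim` non-const, presumably because of the time setter it feeds; a comment saying so would stop the next reader from "fixing" it.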
@@ -499,8 +500,8 @@ int OCSP_BASICRESP_add_ext(OCSP_BASICRESP *x, X509_EXTENSION *ex, int loc); int OCSP_SINGLERESP_get_ext_count(OCSP_SINGLERESP *x); int OCSP_SINGLERESP_get_ext_by_NID(OCSP_SINGLERESP *x, int nid, int lastpos); -int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, ASN1_OBJECT *obj, - int lastpos); +int OCSP_SINGLERESP_get_ext_by_OBJ(OCSP_SINGLERESP *x, + const ASN1_OBJECT *obj, int lastpos); int OCSP_SINGLERESP_get_ext_by_critical(OCSP_SINGLERESP *x, int crit, int lastpos); X509_EXTENSION *OCSP_SINGLERESP_get_ext(OCSP_SINGLERESP *x, int loc); diff --git a/include/openssl/opensslfeatures.h b/include/openssl/opensslfeatures.h index ba4dbba..9684276 100644 --- a/include/openssl/opensslfeatures.h +++ b/include/openssl/opensslfeatures.h 
@@ -1,26 +1,119 @@ -# define OPENSSL_NO_EC_NISTP_64_GCC_128 -# define OPENSSL_NO_CMS -# define OPENSSL_NO_COMP -# define OPENSSL_NO_EGD -# define OPENSSL_NO_GMP -# define OPENSSL_NO_JPAKE -# define OPENSSL_NO_KRB5 -# define OPENSSL_NO_MD2 -# define OPENSSL_NO_MDC2 -# define OPENSSL_NO_PSK -# define OPENSSL_NO_RC5 -# define OPENSSL_NO_RFC3779 -# define OPENSSL_NO_RSAX -# define OPENSSL_NO_SCTP -# define OPENSSL_NO_SEED -# define OPENSSL_NO_SHA0 -# define OPENSSL_NO_SRP -# define OPENSSL_NO_SSL2 -# define OPENSSL_NO_SSL3 -# define OPENSSL_NO_SSL3_METHOD -# define OPENSSL_NO_STORE -# define OPENSSL_NO_BUF_FREELISTS -# define OPENSSL_NO_HEARTBEATS -# define OPENSSL_NO_DYNAMIC_ENGINE +/* + * Feature flags for LibreSSL... so you can actually tell when things + * are enabled, rather than not being able to tell when things are + * enabled (or possibly not yet not implemented, or removed!). + */ +/* #define LIBRESSL_HAS_TLS1_3 */ -# define OPENSSL_THREADS +#define OPENSSL_THREADS + +#define OPENSSL_NO_BUF_FREELISTS +#define OPENSSL_NO_GMP +#define OPENSSL_NO_JPAKE +#define OPENSSL_NO_KRB5 +#define OPENSSL_NO_RSAX +#define OPENSSL_NO_SHA0 +#define OPENSSL_NO_SSL2 +#define OPENSSL_NO_STORE + +/* + * OPENSSL_NO_* flags that currently appear in OpenSSL. 
+ */ + +/* #define OPENSSL_NO_AFALGENG */ +/* #define OPENSSL_NO_ALGORITHMS */ +/* #define OPENSSL_NO_ARIA */ +/* #define OPENSSL_NO_ASM */ +#define OPENSSL_NO_ASYNC +/* #define OPENSSL_NO_AUTOALGINIT */ +/* #define OPENSSL_NO_AUTOERRINIT */ +/* #define OPENSSL_NO_AUTOLOAD_CONFIG */ +/* #define OPENSSL_NO_BF */ +/* #define OPENSSL_NO_BLAKE2 */ +/* #define OPENSSL_NO_CAMELLIA */ +/* #define OPENSSL_NO_CAPIENG */ +/* #define OPENSSL_NO_CAST */ +/* #define OPENSSL_NO_CHACHA */ +/* #define OPENSSL_NO_CMAC */ +/* #define OPENSSL_NO_CMS */ +#define OPENSSL_NO_COMP /* XXX */ +/* #define OPENSSL_NO_CRYPTO_MDEBUG */ +/* #define OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE */ +/* #define OPENSSL_NO_CT */ +/* #define OPENSSL_NO_DECC_INIT */ +/* #define OPENSSL_NO_DES */ +/* #define OPENSSL_NO_DEVCRYPTOENG */ +/* #define OPENSSL_NO_DGRAM */ +/* #define OPENSSL_NO_DH */ +/* #define OPENSSL_NO_DSA */ +/* #define OPENSSL_NO_DSO */ +/* #define OPENSSL_NO_DTLS */ +/* #define OPENSSL_NO_DTLS1 */ +/* #define OPENSSL_NO_DTLS1_2 */ +/* #define OPENSSL_NO_DTLS1_2_METHOD */ +/* #define OPENSSL_NO_DTLS1_METHOD */ +#define OPENSSL_NO_DYNAMIC_ENGINE +/* #define OPENSSL_NO_EC */ +/* #define OPENSSL_NO_EC2M */ +#define OPENSSL_NO_EC_NISTP_64_GCC_128 +#define OPENSSL_NO_EGD +/* #define OPENSSL_NO_ENGINE */ +/* #define OPENSSL_NO_ERR */ +/* #define OPENSSL_NO_FUZZ_AFL */ +/* #define OPENSSL_NO_FUZZ_LIBFUZZER */ +/* #define OPENSSL_NO_GOST */ +#define OPENSSL_NO_HEARTBEATS +/* #define OPENSSL_NO_HW */ +/* #define OPENSSL_NO_HW_PADLOCK */ +/* #define OPENSSL_NO_IDEA */ +/* #define OPENSSL_NO_INLINE_ASM */ +#define OPENSSL_NO_MD2 +/* #define OPENSSL_NO_MD4 */ +/* #define OPENSSL_NO_MD5 */ +#define OPENSSL_NO_MDC2 +/* #define OPENSSL_NO_MULTIBLOCK */ +/* #define OPENSSL_NO_NEXTPROTONEG */ +/* #define OPENSSL_NO_OCB */ +/* #define OPENSSL_NO_OCSP */ +/* #define OPENSSL_NO_PINSHARED */ +/* #define OPENSSL_NO_POLY1305 */ +/* #define OPENSSL_NO_POSIX_IO */ +#define OPENSSL_NO_PSK +/* #define OPENSSL_NO_RC2 */ 
+/* #define OPENSSL_NO_RC4 */ +#define OPENSSL_NO_RC5 +/* #define OPENSSL_NO_RDRAND */ +#define OPENSSL_NO_RFC3779 +/* #define OPENSSL_NO_RMD160 */ +/* #define OPENSSL_NO_RSA */ +/* #define OPENSSL_NO_SCRYPT */ +#define OPENSSL_NO_SCTP +/* #define OPENSSL_NO_SECURE_MEMORY */ +#define OPENSSL_NO_SEED +/* #define OPENSSL_NO_SIPHASH */ +/* #define OPENSSL_NO_SM2 */ +/* #define OPENSSL_NO_SM3 */ +/* #define OPENSSL_NO_SM4 */ +/* #define OPENSSL_NO_SOCK */ +#define OPENSSL_NO_SRP +/* #define OPENSSL_NO_SRTP */ +#define OPENSSL_NO_SSL3 +#define OPENSSL_NO_SSL3_METHOD +#define OPENSSL_NO_SSL_TRACE +/* #define OPENSSL_NO_STATIC_ENGINE */ +/* #define OPENSSL_NO_STDIO */ +/* #define OPENSSL_NO_TLS */ +/* #define OPENSSL_NO_TLS1 */ +/* #define OPENSSL_NO_TLS1_1 */ +/* #define OPENSSL_NO_TLS1_1_METHOD */ +/* #define OPENSSL_NO_TLS1_2 */ +/* #define OPENSSL_NO_TLS1_2_METHOD */ +#ifndef LIBRESSL_HAS_TLS1_3 +#define OPENSSL_NO_TLS1_3 +#endif +/* #define OPENSSL_NO_TLS1_METHOD */ +/* #define OPENSSL_NO_TS */ +/* #define OPENSSL_NO_UI_CONSOLE */ +/* #define OPENSSL_NO_UNIT_TEST */ +/* #define OPENSSL_NO_WEAK_SSL_CIPHERS */ +/* #define OPENSSL_NO_WHIRLPOOL */ diff --git a/include/openssl/opensslv.h b/include/openssl/opensslv.h index 68c6e77..28b1f1f 100644 --- a/include/openssl/opensslv.h +++ b/include/openssl/opensslv.h @@ -1,11 +1,11 @@ -/* $OpenBSD: opensslv.h,v 1.46 2018/03/24 13:51:27 bcook Exp $ */ +/* $OpenBSD: opensslv.h,v 1.61 2020/09/25 11:31:39 bcook Exp $ */ #ifndef HEADER_OPENSSLV_H #define HEADER_OPENSSLV_H /* These will change with each release of LibreSSL-portable */ -#define LIBRESSL_VERSION_NUMBER 0x2070200fL +#define LIBRESSL_VERSION_NUMBER 0x3020200fL /* ^ Patch starts here */ -#define LIBRESSL_VERSION_TEXT "LibreSSL 2.7.2" +#define LIBRESSL_VERSION_TEXT "LibreSSL 3.2.2" /* These will never change */ #define OPENSSL_VERSION_NUMBER 0x20000000L diff --git a/include/openssl/pem.h b/include/openssl/pem.h index d1916a1..adc8522 100644 --- a/include/openssl/pem.h 
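Review bot: The header comment says the list exists "so you can actually tell when things are enabled", but a commented-out `/* #define OPENSSL_NO_X */` is read by every `#ifndef OPENSSL_NO_X` consumer as "X is available", which conflates implemented features with ones that simply have not been evaluated yet. `OPENSSL_NO_SM2` is left commented out while this diff adds declarations only for SM3 and SM4; if SM2 is not actually provided, consumers probing `OPENSSL_NO_SM2` will wrongly assume it is, so either defining it or stating in the header comment that commented-out entries mean "not evaluated" would remove the ambiguity. The `#ifndef LIBRESSL_HAS_TLS1_3` guard is the only conditional in the file and deserves a one-line comment saying who is expected to define `LIBRESSL_HAS_TLS1_3` (build system or user), since the `/* #define LIBRESSL_HAS_TLS1_3 */` line above suggests it is meant to be toggled here.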
+++ b/include/openssl/pem.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pem.h,v 1.17 2016/09/04 16:22:54 jsing Exp $ */ +/* $OpenBSD: pem.h,v 1.19 2018/08/24 19:51:31 tb Exp $ */ /* Copyright (C) 1995-1997 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -385,8 +385,8 @@ int PEM_do_header (EVP_CIPHER_INFO *cipher, unsigned char *data, long *len, #ifndef OPENSSL_NO_BIO int PEM_read_bio(BIO *bp, char **name, char **header, unsigned char **data, long *len); -int PEM_write_bio(BIO *bp, const char *name, char *hdr, unsigned char *data, - long len); +int PEM_write_bio(BIO *bp, const char *name, const char *hdr, + const unsigned char *data, long len); int PEM_bytes_read_bio(unsigned char **pdata, long *plen, char **pnm, const char *name, BIO *bp, pem_password_cb *cb, void *u); void * PEM_ASN1_read_bio(d2i_of_void *d2i, const char *name, BIO *bp, @@ -403,8 +403,8 @@ int PEM_X509_INFO_write_bio(BIO *bp, X509_INFO *xi, EVP_CIPHER *enc, int PEM_read(FILE *fp, char **name, char **header, unsigned char **data, long *len); -int PEM_write(FILE *fp, char *name, char *hdr, unsigned char *data, - long len); +int PEM_write(FILE *fp, const char *name, const char *hdr, + const unsigned char *data, long len); void * PEM_ASN1_read(d2i_of_void *d2i, const char *name, FILE *fp, void **x, pem_password_cb *cb, void *u); int PEM_ASN1_write(i2d_of_void *i2d, const char *name, FILE *fp, @@ -421,8 +421,8 @@ void PEM_SealUpdate(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *out, int *outl, int PEM_SealFinal(PEM_ENCODE_SEAL_CTX *ctx, unsigned char *sig, int *sigl, unsigned char *out, int *outl, EVP_PKEY *priv); -void PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type); -void PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt); +int PEM_SignInit(EVP_MD_CTX *ctx, EVP_MD *type); +int PEM_SignUpdate(EVP_MD_CTX *ctx, unsigned char *d, unsigned int cnt); int PEM_SignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, unsigned int *siglen, EVP_PKEY *pkey); 
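Review bot: `PEM_SignInit` and `PEM_SignUpdate` change their return type from `void` to `int` in the last hunk, but nothing in the header says what the value means, so callers built against the old prototype will keep ignoring a failure that is now reportable. A one-line comment above the pair would make the contract visible, e.g. `/* PEM_SignInit/PEM_SignUpdate return 1 on success, 0 on failure */`; the exact values must be confirmed against the implementation, which is not part of this diff.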
diff --git a/include/openssl/pkcs12.h b/include/openssl/pkcs12.h index e30f9ac..56635f9 100644 --- a/include/openssl/pkcs12.h +++ b/include/openssl/pkcs12.h @@ -1,4 +1,4 @@ -/* $OpenBSD: pkcs12.h,v 1.17 2016/12/30 15:08:58 jsing Exp $ */ +/* $OpenBSD: pkcs12.h,v 1.24 2018/05/30 15:32:11 tb Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ @@ -178,9 +178,10 @@ X509_CRL *PKCS12_certbag2x509crl(PKCS12_SAFEBAG *bag); PKCS12_SAFEBAG *PKCS12_item_pack_safebag(void *obj, const ASN1_ITEM *it, int nid1, int nid2); PKCS12_SAFEBAG *PKCS12_MAKE_KEYBAG(PKCS8_PRIV_KEY_INFO *p8); -PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(X509_SIG *p8, const char *pass, int passlen); -PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(PKCS12_SAFEBAG *bag, const char *pass, +PKCS8_PRIV_KEY_INFO *PKCS8_decrypt(const X509_SIG *p8, const char *pass, int passlen); +PKCS8_PRIV_KEY_INFO *PKCS12_decrypt_skey(const PKCS12_SAFEBAG *bag, + const char *pass, int passlen); X509_SIG *PKCS8_encrypt(int pbe_nid, const EVP_CIPHER *cipher, const char *pass, int passlen, unsigned char *salt, int saltlen, int iter, PKCS8_PRIV_KEY_INFO *p8); @@ -195,7 +196,7 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, int passlen); int PKCS12_pack_authsafes(PKCS12 *p12, STACK_OF(PKCS7) *safes); -STACK_OF(PKCS7) *PKCS12_unpack_authsafes(PKCS12 *p12); +STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12); int PKCS12_add_localkeyid(PKCS12_SAFEBAG *bag, unsigned char *name, int namelen); 
@@ -206,13 +207,14 @@ int PKCS12_add_CSPName_asc(PKCS12_SAFEBAG *bag, const char *name, int PKCS12_add_friendlyname_uni(PKCS12_SAFEBAG *bag, const unsigned char *name, int namelen); int PKCS8_add_keyusage(PKCS8_PRIV_KEY_INFO *p8, int usage); -ASN1_TYPE *PKCS12_get_attr_gen(STACK_OF(X509_ATTRIBUTE) *attrs, int attr_nid); +ASN1_TYPE *PKCS12_get_attr_gen(const STACK_OF(X509_ATTRIBUTE) *attrs, + int attr_nid); char *PKCS12_get_friendlyname(PKCS12_SAFEBAG *bag); -unsigned char *PKCS12_pbe_crypt(X509_ALGOR *algor, const char *pass, - int passlen, unsigned char *in, int inlen, unsigned char **data, +unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor, const char *pass, + int passlen, const unsigned char *in, int inlen, unsigned char **data, int *datalen, int en_de); -void * PKCS12_item_decrypt_d2i(X509_ALGOR *algor, const ASN1_ITEM *it, - const char *pass, int passlen, ASN1_OCTET_STRING *oct, int zbuf); +void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it, + const char *pass, int passlen, const ASN1_OCTET_STRING *oct, int zbuf); ASN1_OCTET_STRING *PKCS12_item_i2d_encrypt(X509_ALGOR *algor, const ASN1_ITEM *it, const char *pass, int passlen, void *obj, int zbuf); PKCS12 *PKCS12_init(int mode); @@ -235,7 +237,7 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, const EVP_MD *md_type); unsigned char *OPENSSL_asc2uni(const char *asc, int asclen, unsigned char **uni, int *unilen); -char *OPENSSL_uni2asc(unsigned char *uni, int unilen); +char *OPENSSL_uni2asc(const unsigned char *uni, int unilen); PKCS12 *PKCS12_new(void); void PKCS12_free(PKCS12 *a); 
@@ -264,22 +266,22 @@ extern const ASN1_ITEM PKCS12_AUTHSAFES_it; void PKCS12_PBE_add(void); int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert, STACK_OF(X509) **ca); -PKCS12 *PKCS12_create(char *pass, char *name, EVP_PKEY *pkey, X509 *cert, - STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, +PKCS12 *PKCS12_create(const char *pass, const char *name, EVP_PKEY *pkey, + X509 *cert, STACK_OF(X509) *ca, int nid_key, int nid_cert, int iter, int mac_iter, int keytype); PKCS12_SAFEBAG *PKCS12_add_cert(STACK_OF(PKCS12_SAFEBAG) **pbags, X509 *cert); PKCS12_SAFEBAG *PKCS12_add_key(STACK_OF(PKCS12_SAFEBAG) **pbags, EVP_PKEY *key, - int key_usage, int iter, int key_nid, char *pass); + int key_usage, int iter, int key_nid, const char *pass); int PKCS12_add_safe(STACK_OF(PKCS7) **psafes, STACK_OF(PKCS12_SAFEBAG) *bags, - int safe_nid, int iter, char *pass); + int safe_nid, int iter, const char *pass); PKCS12 *PKCS12_add_safes(STACK_OF(PKCS7) *safes, int p7_nid); int i2d_PKCS12_bio(BIO *bp, PKCS12 *p12); int i2d_PKCS12_fp(FILE *fp, PKCS12 *p12); PKCS12 *d2i_PKCS12_bio(BIO *bp, PKCS12 **p12); PKCS12 *d2i_PKCS12_fp(FILE *fp, PKCS12 **p12); -int PKCS12_newpass(PKCS12 *p12, char *oldpass, char *newpass); +int PKCS12_newpass(PKCS12 *p12, const char *oldpass, const char *newpass); /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h index 23929aa..78ac04c 100644 --- a/include/openssl/rsa.h +++ b/include/openssl/rsa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: rsa.h,v 1.38 2018/03/17 15:12:56 tb Exp $ */ +/* $OpenBSD: rsa.h,v 1.51 2019/11/04 12:30:56 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -84,6 +84,25 @@ extern "C" {
 /* typedef struct rsa_st RSA; */
 /* typedef struct rsa_meth_st RSA_METHOD; */
+typedef struct rsa_pss_params_st {
+	X509_ALGOR *hashAlgorithm;
+	X509_ALGOR *maskGenAlgorithm;
+	ASN1_INTEGER *saltLength;
+	ASN1_INTEGER *trailerField;
+
+	/* Hash algorithm decoded from maskGenAlgorithm. */
+	X509_ALGOR *maskHash;
+} RSA_PSS_PARAMS;
+
+typedef struct rsa_oaep_params_st {
+	X509_ALGOR *hashFunc;
+	X509_ALGOR *maskGenFunc;
+	X509_ALGOR *pSourceFunc;
+
+	/* Hash algorithm decoded from maskGenFunc. */
+	X509_ALGOR *maskHash;
+} RSA_OAEP_PARAMS;
+
 struct rsa_meth_st {
 	const char *name;
 	int (*rsa_pub_enc)(int flen, const unsigned char *from,
@@ -127,6 +146,7 @@ struct rsa_st {
 	int pad;
 	long version;
 	const RSA_METHOD *meth;
+	/* functional reference if 'meth' is ENGINE-provided */
 	ENGINE *engine;
 	BIGNUM *n;
@@ -137,6 +157,10 @@ struct rsa_st {
 	BIGNUM *dmp1;
 	BIGNUM *dmq1;
 	BIGNUM *iqmp;
+
+	/* Parameter restrictions for PSS only keys. */
+	RSA_PSS_PARAMS *pss;
+
 	/* be careful using this if the RSA structure is shared */
 	CRYPTO_EX_DATA ex_data;
 	int references;
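Review bot: Inserting `RSA_PSS_PARAMS *pss;` between `iqmp` and `ex_data` in `struct rsa_st` (third hunk) shifts the offsets of `ex_data` and `references`, and because `struct rsa_st` is laid out in this public header, code compiled against the previous layout that reaches into those fields is silently broken rather than failing to link. That is acceptable only if the shared-library major version is bumped in the same release; the `LIBRESSL_VERSION_NUMBER` change in opensslv.h suggests this is a major release, but the SONAME change itself is not visible in this diff and should be confirmed. The new field's comment should also say who owns the pointer and whether it may be NULL, since consumers of this header otherwise have to guess; something like `/* Parameter restrictions for PSS only keys (NULL otherwise); owned by this RSA. */` once that is confirmed against the implementation.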
@@ -194,53 +218,88 @@ struct rsa_st { */ #define RSA_FLAG_NO_BLINDING 0x0080 +/* Salt length matches digest */ +#define RSA_PSS_SALTLEN_DIGEST -1 +/* Verify only: auto detect salt length */ +#define RSA_PSS_SALTLEN_AUTO -2 +/* Set salt length to maximum possible */ +#define RSA_PSS_SALTLEN_MAX -3 + #define EVP_PKEY_CTX_set_rsa_padding(ctx, pad) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, EVP_PKEY_CTRL_RSA_PADDING, \ - pad, NULL) + RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_RSA_PADDING, pad, NULL) #define EVP_PKEY_CTX_get_rsa_padding(ctx, ppad) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, -1, \ - EVP_PKEY_CTRL_GET_RSA_PADDING, 0, ppad) + RSA_pkey_ctx_ctrl(ctx, -1, EVP_PKEY_CTRL_GET_RSA_PADDING, 0, ppad) #define EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, len) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \ - (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \ - EVP_PKEY_CTRL_RSA_PSS_SALTLEN, \ - len, NULL) + RSA_pkey_ctx_ctrl(ctx, (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \ + EVP_PKEY_CTRL_RSA_PSS_SALTLEN, len, NULL) + +#define EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, len) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, \ + EVP_PKEY_CTRL_RSA_PSS_SALTLEN, len, NULL) #define EVP_PKEY_CTX_get_rsa_pss_saltlen(ctx, plen) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \ - (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \ - EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, \ - 0, plen) + RSA_pkey_ctx_ctrl(ctx, (EVP_PKEY_OP_SIGN|EVP_PKEY_OP_VERIFY), \ + EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN, 0, plen) #define EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, bits) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \ - EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL) + RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, \ + EVP_PKEY_CTRL_RSA_KEYGEN_BITS, bits, NULL) #define EVP_PKEY_CTX_set_rsa_keygen_pubexp(ctx, pubexp) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_KEYGEN, \ - EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp) + RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_KEYGEN, \ + EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp) -#define 
EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \ - EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md) +#define EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) \ + RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, \ + EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)) -#define EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd) \ - EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG, \ - EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd) +#define EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(ctx, md) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, \ + EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)) -#define EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1) -#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2) +#define EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ + EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md)) -#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3) -#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4) -#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5) +#define EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd) \ + RSA_pkey_ctx_ctrl(ctx, EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, \ + EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)(pmd)) + +#define EVP_PKEY_CTX_get_rsa_oaep_md(ctx, pmd) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ + EVP_PKEY_CTRL_GET_RSA_OAEP_MD, 0, (void *)(pmd)) + +#define EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, l, llen) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ + EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen, (void *)(l)) + +#define EVP_PKEY_CTX_get0_rsa_oaep_label(ctx, l) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ + EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, 0, (void *)(l)) + +#define EVP_PKEY_CTX_set_rsa_pss_keygen_md(ctx, md) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, \ + EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_MD, 0, (void *)(md)) + +#define 
EVP_PKEY_CTRL_RSA_PADDING (EVP_PKEY_ALG_CTRL + 1) +#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 2) + +#define EVP_PKEY_CTRL_RSA_KEYGEN_BITS (EVP_PKEY_ALG_CTRL + 3) +#define EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP (EVP_PKEY_ALG_CTRL + 4) +#define EVP_PKEY_CTRL_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 5) #define EVP_PKEY_CTRL_GET_RSA_PADDING (EVP_PKEY_ALG_CTRL + 6) #define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN (EVP_PKEY_ALG_CTRL + 7) #define EVP_PKEY_CTRL_GET_RSA_MGF1_MD (EVP_PKEY_ALG_CTRL + 8) +#define EVP_PKEY_CTRL_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 9) +#define EVP_PKEY_CTRL_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 10) + +#define EVP_PKEY_CTRL_GET_RSA_OAEP_MD (EVP_PKEY_ALG_CTRL + 11) +#define EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 12) + #define RSA_PKCS1_PADDING 1 #define RSA_SSLV23_PADDING 2 #define RSA_NO_PADDING 3 @@ -289,11 +348,13 @@ const RSA_METHOD *RSA_get_default_method(void); const RSA_METHOD *RSA_get_method(const RSA *rsa); int RSA_set_method(RSA *rsa, const RSA_METHOD *meth); -/* these are the actual SSLeay RSA functions */ +const RSA_METHOD *RSA_PKCS1_OpenSSL(void); const RSA_METHOD *RSA_PKCS1_SSLeay(void); const RSA_METHOD *RSA_null_method(void); +int RSA_pkey_ctx_ctrl(EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2); + RSA *d2i_RSAPublicKey(RSA **a, const unsigned char **in, long len); int i2d_RSAPublicKey(const RSA *a, unsigned char **out); extern const ASN1_ITEM RSAPublicKey_it; 
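Review bot: The three new salt-length constants at the top of the `@@ -194` hunk are unparenthesized negative literals, so an expression such as `x-RSA_PSS_SALTLEN_DIGEST` tokenizes as `x--1` and fails to compile, and `-RSA_PSS_SALTLEN_MAX` becomes `--3`; they should be `#define RSA_PSS_SALTLEN_DIGEST (-1)`, `#define RSA_PSS_SALTLEN_AUTO (-2)` and `#define RSA_PSS_SALTLEN_MAX (-3)`. Separately, `EVP_PKEY_CTX_set0_rsa_oaep_label` follows the `set0` naming that conventionally transfers ownership of `l` to the context, but the header gives no hint of that; a short comment above the macro stating whether the context takes ownership of the label buffer, confirmed against the implementation, would spare callers a double free or a leak.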
@@ -301,19 +362,18 @@ RSA *d2i_RSAPrivateKey(RSA **a, const unsigned char **in, long len); int i2d_RSAPrivateKey(const RSA *a, unsigned char **out); extern const ASN1_ITEM RSAPrivateKey_it; -typedef struct rsa_pss_params_st { - X509_ALGOR *hashAlgorithm; - X509_ALGOR *maskGenAlgorithm; - ASN1_INTEGER *saltLength; - ASN1_INTEGER *trailerField; -} RSA_PSS_PARAMS; - RSA_PSS_PARAMS *RSA_PSS_PARAMS_new(void); void RSA_PSS_PARAMS_free(RSA_PSS_PARAMS *a); RSA_PSS_PARAMS *d2i_RSA_PSS_PARAMS(RSA_PSS_PARAMS **a, const unsigned char **in, long len); int i2d_RSA_PSS_PARAMS(RSA_PSS_PARAMS *a, unsigned char **out); extern const ASN1_ITEM RSA_PSS_PARAMS_it; +RSA_OAEP_PARAMS *RSA_OAEP_PARAMS_new(void); +void RSA_OAEP_PARAMS_free(RSA_OAEP_PARAMS *a); +RSA_OAEP_PARAMS *d2i_RSA_OAEP_PARAMS(RSA_OAEP_PARAMS **a, const unsigned char **in, long len); +int i2d_RSA_OAEP_PARAMS(RSA_OAEP_PARAMS *a, unsigned char **out); +extern const ASN1_ITEM RSA_OAEP_PARAMS_it; + int RSA_print_fp(FILE *fp, const RSA *r, int offset); #ifndef OPENSSL_NO_BIO @@ -368,6 +428,12 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen, const unsigned char *f, int fl, int rsa_len, const unsigned char *p, int pl); +int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, + const unsigned char *from, int flen, const unsigned char *param, int plen, + const EVP_MD *md, const EVP_MD *mgf1md); +int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, + const unsigned char *from, int flen, int num, const unsigned char *param, + int plen, const EVP_MD *md, const EVP_MD *mgf1md); int RSA_padding_add_none(unsigned char *to, int tlen, const unsigned char *f, int fl); int RSA_padding_check_none(unsigned char *to, int tlen, 
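Review bot: In the `@@ -368` hunk the new `RSA_padding_check_PKCS1_OAEP_mgf1` names its parameters `from, flen, num, param, plen` while the `RSA_padding_check_PKCS1_OAEP` declaration immediately above uses `f, fl, rsa_len, p, pl` for the same positions; in a header with no other documentation the parameter names are the contract, so the pair should agree, and `rsa_len` says more than `num` for the modulus size. Renaming the new one to `int flen, int rsa_len, const unsigned char *param,` keeps the clearer names and drops the ambiguous `num`. A one-line comment noting that `param`/`plen` is the OAEP label and that the `md`/`mgf1md` pair must match what the encrypting side used would also help, if that matches the implementation.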
@@ -433,11 +499,60 @@ RSA *RSAPrivateKey_dup(RSA *rsa); RSA_METHOD *RSA_meth_new(const char *name, int flags); void RSA_meth_free(RSA_METHOD *meth); RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); +int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); +int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa); int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)); +int RSA_meth_set_pub_enc(RSA_METHOD *meth, int (*pub_enc)(int flen, + const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); +int RSA_meth_set_pub_dec(RSA_METHOD *meth, int (*pub_dec)(int flen, + const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); +int RSA_meth_set_mod_exp(RSA_METHOD *meth, int (*mod_exp)(BIGNUM *r0, + const BIGNUM *i, RSA *rsa, BN_CTX *ctx)); +int RSA_meth_set_bn_mod_exp(RSA_METHOD *meth, int (*bn_mod_exp)(BIGNUM *r, + const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *m_ctx)); +int RSA_meth_set_init(RSA_METHOD *meth, int (*init)(RSA *rsa)); +int RSA_meth_set_keygen(RSA_METHOD *meth, int (*keygen)(RSA *rsa, int bits, + BIGNUM *e, BN_GENCB *cb)); +int RSA_meth_set_flags(RSA_METHOD *meth, int flags); +int RSA_meth_set0_app_data(RSA_METHOD *meth, void *app_data); +const char *RSA_meth_get0_name(const RSA_METHOD *); +int (*RSA_meth_get_pub_enc(const RSA_METHOD *meth))(int flen, + const unsigned char *from, unsigned char *to, RSA *rsa, int padding); +int (*RSA_meth_get_pub_dec(const RSA_METHOD *meth))(int flen, + const unsigned char *from, unsigned char *to, RSA *rsa, int padding); +int (*RSA_meth_get_priv_enc(const RSA_METHOD *meth))(int flen, + const unsigned char *from, unsigned char *to, RSA *rsa, int padding); +int 
(*RSA_meth_get_priv_dec(const RSA_METHOD *meth))(int flen, + const unsigned char *from, unsigned char *to, RSA *rsa, int padding); +int (*RSA_meth_get_mod_exp(const RSA_METHOD *meth))(BIGNUM *r0, const BIGNUM *i, + RSA *rsa, BN_CTX *ctx); +int (*RSA_meth_get_bn_mod_exp(const RSA_METHOD *meth))(BIGNUM *r, + const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, BN_CTX *ctx, + BN_MONT_CTX *m_ctx); +int (*RSA_meth_get_init(const RSA_METHOD *meth))(RSA *rsa); +int (*RSA_meth_get_keygen(const RSA_METHOD *meth))(RSA *rsa, int bits, BIGNUM *e, + BN_GENCB *cb); +int RSA_meth_get_flags(const RSA_METHOD *meth); +void *RSA_meth_get0_app_data(const RSA_METHOD *meth); +int (*RSA_meth_get_sign(const RSA_METHOD *meth))(int type, + const unsigned char *m, unsigned int m_length, + unsigned char *sigret, unsigned int *siglen, + const RSA *rsa); +int RSA_meth_set_sign(RSA_METHOD *rsa, int (*sign)(int type, + const unsigned char *m, unsigned int m_length, unsigned char *sigret, + unsigned int *siglen, const RSA *rsa)); +int (*RSA_meth_get_verify(const RSA_METHOD *meth))(int dtype, + const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf, + unsigned int siglen, const RSA *rsa); +int RSA_meth_set_verify(RSA_METHOD *rsa, int (*verify)(int dtype, + const unsigned char *m, unsigned int m_length, const unsigned char *sigbuf, + unsigned int siglen, const RSA *rsa)); + /* BEGIN ERROR CODES */ /* The following lines are auto generated by the script mkerr.pl. Any changes 
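Review bot: The new `RSA_meth_set_sign` and `RSA_meth_set_verify` declarations name their `RSA_METHOD *` parameter `rsa`, while every other setter in this hunk calls it `meth`, and `RSA_meth_get0_name(const RSA_METHOD *)` leaves its parameter unnamed; since these names are the only documentation in the header, the inconsistency reads as if `set_sign` took an `RSA`. Suggested: `int RSA_meth_set_sign(RSA_METHOD *meth, int (*sign)(int type,`, `int RSA_meth_set_verify(RSA_METHOD *meth, int (*verify)(int dtype,` and `const char *RSA_meth_get0_name(const RSA_METHOD *meth);`.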
@@ -519,17 +634,22 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_DATA_TOO_LARGE_FOR_MODULUS 132
 #define RSA_R_DATA_TOO_SMALL 111
 #define RSA_R_DATA_TOO_SMALL_FOR_KEY_SIZE 122
+#define RSA_R_DIGEST_DOES_NOT_MATCH 158
+#define RSA_R_DIGEST_NOT_ALLOWED 145
 #define RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY 112
 #define RSA_R_DMP1_NOT_CONGRUENT_TO_D 124
 #define RSA_R_DMQ1_NOT_CONGRUENT_TO_D 125
 #define RSA_R_D_E_NOT_CONGRUENT_TO_1 123
 #define RSA_R_FIRST_OCTET_INVALID 133
 #define RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE 144
+#define RSA_R_INVALID_DIGEST 157
 #define RSA_R_INVALID_DIGEST_LENGTH 143
 #define RSA_R_INVALID_HEADER 137
 #define RSA_R_INVALID_KEYBITS 145
+#define RSA_R_INVALID_LABEL 160
 #define RSA_R_INVALID_MESSAGE_LENGTH 131
 #define RSA_R_INVALID_MGF1_MD 156
+#define RSA_R_INVALID_OAEP_PARAMETERS 161
 #define RSA_R_INVALID_PADDING 138
 #define RSA_R_INVALID_PADDING_MODE 141
 #define RSA_R_INVALID_PSS_PARAMETERS 149
@@ -541,6 +661,7 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_KEY_SIZE_TOO_SMALL 120
 #define RSA_R_LAST_OCTET_INVALID 134
 #define RSA_R_MODULUS_TOO_LARGE 105
+#define RSA_R_MGF1_DIGEST_NOT_ALLOWED 152
 #define RSA_R_NON_FIPS_RSA_METHOD 157
 #define RSA_R_NO_PUBLIC_EXPONENT 140
 #define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
@@ -549,6 +670,7 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158
 #define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
 #define RSA_R_PADDING_CHECK_FAILED 114
+#define RSA_R_PSS_SALTLEN_TOO_SMALL 164
 #define RSA_R_P_NOT_PRIME 128
 #define RSA_R_Q_NOT_PRIME 129
 #define RSA_R_RSA_OPERATIONS_NOT_SUPPORTED 130
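Review bot: Several of the new reason codes collide with codes that remain in the header as context: `RSA_R_DIGEST_NOT_ALLOWED 145` duplicates `RSA_R_INVALID_KEYBITS 145`, `RSA_R_INVALID_DIGEST 157` duplicates `RSA_R_NON_FIPS_RSA_METHOD 157`, `RSA_R_DIGEST_DOES_NOT_MATCH 158` duplicates `RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 158`, and in the `@@ -541` hunk `RSA_R_MGF1_DIGEST_NOT_ALLOWED 152` duplicates `RSA_R_UNKNOWN_PSS_DIGEST 152` shown as context in the following `@@ -557` hunk. The reason string table is keyed on these numbers, so whichever entry is registered last wins and an OAEP/PSS failure will be reported with an unrelated FIPS or keybits message, which makes incident triage and log-based detection of padding failures misleading. Unless the colliding legacy codes are being removed elsewhere in this commit, the new ones should be assigned values that are unused in this file (the hunks already go up to 166), and the `/* The following lines are auto generated by the script mkerr.pl */` marker suggests the table should be regenerated rather than hand-edited.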
@@ -557,9 +679,12 @@ void ERR_load_RSA_strings(void); #define RSA_R_SSLV3_ROLLBACK_ATTACK 115 #define RSA_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD 116 #define RSA_R_UNKNOWN_ALGORITHM_TYPE 117 +#define RSA_R_UNKNOWN_DIGEST 166 #define RSA_R_UNKNOWN_MASK_DIGEST 151 #define RSA_R_UNKNOWN_PADDING_TYPE 118 #define RSA_R_UNKNOWN_PSS_DIGEST 152 +#define RSA_R_UNSUPPORTED_ENCRYPTION_TYPE 162 +#define RSA_R_UNSUPPORTED_LABEL_SOURCE 163 #define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153 #define RSA_R_UNSUPPORTED_MASK_PARAMETER 154 #define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 diff --git a/include/openssl/safestack.h b/include/openssl/safestack.h index 6540174..690912b 100644 --- a/include/openssl/safestack.h +++ b/include/openssl/safestack.h @@ -1,4 +1,4 @@ -/* $OpenBSD: safestack.h,v 1.15 2016/12/27 16:02:40 jsing Exp $ */ +/* $OpenBSD: safestack.h,v 1.18 2019/08/11 14:14:14 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1999 The OpenSSL Project. All rights reserved. * 
@@ -179,35 +179,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) #define SKM_sk_is_sorted(type, st) \ sk_is_sorted(CHECKED_STACK_OF(type, st)) -#ifndef LIBRESSL_INTERNAL -#define SKM_ASN1_SET_OF_d2i(type, st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - (STACK_OF(type) *)d2i_ASN1_SET( \ - (STACK_OF(OPENSSL_BLOCK) **)CHECKED_PTR_OF(STACK_OF(type)*, st), \ - pp, length, \ - CHECKED_D2I_OF(type, d2i_func), \ - CHECKED_SK_FREE_FUNC(type, free_func), \ - ex_tag, ex_class) - -#define SKM_ASN1_SET_OF_i2d(type, st, pp, i2d_func, ex_tag, ex_class, is_set) \ - i2d_ASN1_SET((STACK_OF(OPENSSL_BLOCK) *)CHECKED_STACK_OF(type, st), pp, \ - CHECKED_I2D_OF(type, i2d_func), \ - ex_tag, ex_class, is_set) - -#define SKM_ASN1_seq_pack(type, st, i2d_func, buf, len) \ - ASN1_seq_pack(CHECKED_PTR_OF(STACK_OF(type), st), \ - CHECKED_I2D_OF(type, i2d_func), buf, len) - -#define SKM_ASN1_seq_unpack(type, buf, len, d2i_func, free_func) \ - (STACK_OF(type) *)ASN1_seq_unpack(buf, len, CHECKED_D2I_OF(type, d2i_func), CHECKED_SK_FREE_FUNC(type, free_func)) - -#define SKM_PKCS12_decrypt_d2i(type, algor, d2i_func, free_func, pass, passlen, oct, seq) \ - (STACK_OF(type) *)PKCS12_decrypt_d2i(algor, \ - CHECKED_D2I_OF(type, d2i_func), \ - CHECKED_SK_FREE_FUNC(type, free_func), \ - pass, passlen, oct, seq) -#endif - -/* This block of defines is updated by util/mkstack.pl, please do not touch! */ #define sk_ACCESS_DESCRIPTION_new(cmp) SKM_sk_new(ACCESS_DESCRIPTION, (cmp)) #define sk_ACCESS_DESCRIPTION_new_null() SKM_sk_new_null(ACCESS_DESCRIPTION) #define sk_ACCESS_DESCRIPTION_free(st) SKM_sk_free(ACCESS_DESCRIPTION, (st)) 
@@ -494,6 +465,28 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) #define sk_CMS_CertificateChoices_sort(st) SKM_sk_sort(CMS_CertificateChoices, (st)) #define sk_CMS_CertificateChoices_is_sorted(st) SKM_sk_is_sorted(CMS_CertificateChoices, (st)) +#define sk_CMS_RecipientEncryptedKey_new(cmp) SKM_sk_new(CMS_RecipientEncryptedKey, (cmp)) +#define sk_CMS_RecipientEncryptedKey_new_null() SKM_sk_new_null(CMS_RecipientEncryptedKey) +#define sk_CMS_RecipientEncryptedKey_free(st) SKM_sk_free(CMS_RecipientEncryptedKey, (st)) +#define sk_CMS_RecipientEncryptedKey_num(st) SKM_sk_num(CMS_RecipientEncryptedKey, (st)) +#define sk_CMS_RecipientEncryptedKey_value(st, i) SKM_sk_value(CMS_RecipientEncryptedKey, (st), (i)) +#define sk_CMS_RecipientEncryptedKey_set(st, i, val) SKM_sk_set(CMS_RecipientEncryptedKey, (st), (i), (val)) +#define sk_CMS_RecipientEncryptedKey_zero(st) SKM_sk_zero(CMS_RecipientEncryptedKey, (st)) +#define sk_CMS_RecipientEncryptedKey_push(st, val) SKM_sk_push(CMS_RecipientEncryptedKey, (st), (val)) +#define sk_CMS_RecipientEncryptedKey_unshift(st, val) SKM_sk_unshift(CMS_RecipientEncryptedKey, (st), (val)) +#define sk_CMS_RecipientEncryptedKey_find(st, val) SKM_sk_find(CMS_RecipientEncryptedKey, (st), (val)) +#define sk_CMS_RecipientEncryptedKey_find_ex(st, val) SKM_sk_find_ex(CMS_RecipientEncryptedKey, (st), (val)) +#define sk_CMS_RecipientEncryptedKey_delete(st, i) SKM_sk_delete(CMS_RecipientEncryptedKey, (st), (i)) +#define sk_CMS_RecipientEncryptedKey_delete_ptr(st, ptr) SKM_sk_delete_ptr(CMS_RecipientEncryptedKey, (st), (ptr)) +#define sk_CMS_RecipientEncryptedKey_insert(st, val, i) SKM_sk_insert(CMS_RecipientEncryptedKey, (st), (val), (i)) +#define sk_CMS_RecipientEncryptedKey_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(CMS_RecipientEncryptedKey, (st), (cmp)) +#define sk_CMS_RecipientEncryptedKey_dup(st) SKM_sk_dup(CMS_RecipientEncryptedKey, st) +#define sk_CMS_RecipientEncryptedKey_pop_free(st, free_func) SKM_sk_pop_free(CMS_RecipientEncryptedKey, (st), 
(free_func)) +#define sk_CMS_RecipientEncryptedKey_shift(st) SKM_sk_shift(CMS_RecipientEncryptedKey, (st)) +#define sk_CMS_RecipientEncryptedKey_pop(st) SKM_sk_pop(CMS_RecipientEncryptedKey, (st)) +#define sk_CMS_RecipientEncryptedKey_sort(st) SKM_sk_sort(CMS_RecipientEncryptedKey, (st)) +#define sk_CMS_RecipientEncryptedKey_is_sorted(st) SKM_sk_is_sorted(CMS_RecipientEncryptedKey, (st)) + #define sk_CMS_RecipientInfo_new(cmp) SKM_sk_new(CMS_RecipientInfo, (cmp)) #define sk_CMS_RecipientInfo_new_null() SKM_sk_new_null(CMS_RecipientInfo) #define sk_CMS_RecipientInfo_free(st) SKM_sk_free(CMS_RecipientInfo, (st)) 
@@ -956,182 +949,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) #define sk_IPAddressOrRange_sort(st) SKM_sk_sort(IPAddressOrRange, (st)) #define sk_IPAddressOrRange_is_sorted(st) SKM_sk_is_sorted(IPAddressOrRange, (st)) -#define sk_KRB5_APREQBODY_new(cmp) SKM_sk_new(KRB5_APREQBODY, (cmp)) -#define sk_KRB5_APREQBODY_new_null() SKM_sk_new_null(KRB5_APREQBODY) -#define sk_KRB5_APREQBODY_free(st) SKM_sk_free(KRB5_APREQBODY, (st)) -#define sk_KRB5_APREQBODY_num(st) SKM_sk_num(KRB5_APREQBODY, (st)) -#define sk_KRB5_APREQBODY_value(st, i) SKM_sk_value(KRB5_APREQBODY, (st), (i)) -#define sk_KRB5_APREQBODY_set(st, i, val) SKM_sk_set(KRB5_APREQBODY, (st), (i), (val)) -#define sk_KRB5_APREQBODY_zero(st) SKM_sk_zero(KRB5_APREQBODY, (st)) -#define sk_KRB5_APREQBODY_push(st, val) SKM_sk_push(KRB5_APREQBODY, (st), (val)) -#define sk_KRB5_APREQBODY_unshift(st, val) SKM_sk_unshift(KRB5_APREQBODY, (st), (val)) -#define sk_KRB5_APREQBODY_find(st, val) SKM_sk_find(KRB5_APREQBODY, (st), (val)) -#define sk_KRB5_APREQBODY_find_ex(st, val) SKM_sk_find_ex(KRB5_APREQBODY, (st), (val)) -#define sk_KRB5_APREQBODY_delete(st, i) SKM_sk_delete(KRB5_APREQBODY, (st), (i)) -#define sk_KRB5_APREQBODY_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_APREQBODY, (st), (ptr)) -#define sk_KRB5_APREQBODY_insert(st, val, i) SKM_sk_insert(KRB5_APREQBODY, (st), (val), (i)) -#define sk_KRB5_APREQBODY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_APREQBODY, (st), (cmp)) -#define sk_KRB5_APREQBODY_dup(st) SKM_sk_dup(KRB5_APREQBODY, st) -#define sk_KRB5_APREQBODY_pop_free(st, free_func) SKM_sk_pop_free(KRB5_APREQBODY, (st), (free_func)) -#define sk_KRB5_APREQBODY_shift(st) SKM_sk_shift(KRB5_APREQBODY, (st)) -#define sk_KRB5_APREQBODY_pop(st) SKM_sk_pop(KRB5_APREQBODY, (st)) -#define sk_KRB5_APREQBODY_sort(st) SKM_sk_sort(KRB5_APREQBODY, (st)) -#define sk_KRB5_APREQBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_APREQBODY, (st)) - -#define sk_KRB5_AUTHDATA_new(cmp) SKM_sk_new(KRB5_AUTHDATA, (cmp)) -#define 
sk_KRB5_AUTHDATA_new_null() SKM_sk_new_null(KRB5_AUTHDATA) -#define sk_KRB5_AUTHDATA_free(st) SKM_sk_free(KRB5_AUTHDATA, (st)) -#define sk_KRB5_AUTHDATA_num(st) SKM_sk_num(KRB5_AUTHDATA, (st)) -#define sk_KRB5_AUTHDATA_value(st, i) SKM_sk_value(KRB5_AUTHDATA, (st), (i)) -#define sk_KRB5_AUTHDATA_set(st, i, val) SKM_sk_set(KRB5_AUTHDATA, (st), (i), (val)) -#define sk_KRB5_AUTHDATA_zero(st) SKM_sk_zero(KRB5_AUTHDATA, (st)) -#define sk_KRB5_AUTHDATA_push(st, val) SKM_sk_push(KRB5_AUTHDATA, (st), (val)) -#define sk_KRB5_AUTHDATA_unshift(st, val) SKM_sk_unshift(KRB5_AUTHDATA, (st), (val)) -#define sk_KRB5_AUTHDATA_find(st, val) SKM_sk_find(KRB5_AUTHDATA, (st), (val)) -#define sk_KRB5_AUTHDATA_find_ex(st, val) SKM_sk_find_ex(KRB5_AUTHDATA, (st), (val)) -#define sk_KRB5_AUTHDATA_delete(st, i) SKM_sk_delete(KRB5_AUTHDATA, (st), (i)) -#define sk_KRB5_AUTHDATA_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_AUTHDATA, (st), (ptr)) -#define sk_KRB5_AUTHDATA_insert(st, val, i) SKM_sk_insert(KRB5_AUTHDATA, (st), (val), (i)) -#define sk_KRB5_AUTHDATA_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_AUTHDATA, (st), (cmp)) -#define sk_KRB5_AUTHDATA_dup(st) SKM_sk_dup(KRB5_AUTHDATA, st) -#define sk_KRB5_AUTHDATA_pop_free(st, free_func) SKM_sk_pop_free(KRB5_AUTHDATA, (st), (free_func)) -#define sk_KRB5_AUTHDATA_shift(st) SKM_sk_shift(KRB5_AUTHDATA, (st)) -#define sk_KRB5_AUTHDATA_pop(st) SKM_sk_pop(KRB5_AUTHDATA, (st)) -#define sk_KRB5_AUTHDATA_sort(st) SKM_sk_sort(KRB5_AUTHDATA, (st)) -#define sk_KRB5_AUTHDATA_is_sorted(st) SKM_sk_is_sorted(KRB5_AUTHDATA, (st)) - -#define sk_KRB5_AUTHENTBODY_new(cmp) SKM_sk_new(KRB5_AUTHENTBODY, (cmp)) -#define sk_KRB5_AUTHENTBODY_new_null() SKM_sk_new_null(KRB5_AUTHENTBODY) -#define sk_KRB5_AUTHENTBODY_free(st) SKM_sk_free(KRB5_AUTHENTBODY, (st)) -#define sk_KRB5_AUTHENTBODY_num(st) SKM_sk_num(KRB5_AUTHENTBODY, (st)) -#define sk_KRB5_AUTHENTBODY_value(st, i) SKM_sk_value(KRB5_AUTHENTBODY, (st), (i)) -#define sk_KRB5_AUTHENTBODY_set(st, i, val) 
SKM_sk_set(KRB5_AUTHENTBODY, (st), (i), (val)) -#define sk_KRB5_AUTHENTBODY_zero(st) SKM_sk_zero(KRB5_AUTHENTBODY, (st)) -#define sk_KRB5_AUTHENTBODY_push(st, val) SKM_sk_push(KRB5_AUTHENTBODY, (st), (val)) -#define sk_KRB5_AUTHENTBODY_unshift(st, val) SKM_sk_unshift(KRB5_AUTHENTBODY, (st), (val)) -#define sk_KRB5_AUTHENTBODY_find(st, val) SKM_sk_find(KRB5_AUTHENTBODY, (st), (val)) -#define sk_KRB5_AUTHENTBODY_find_ex(st, val) SKM_sk_find_ex(KRB5_AUTHENTBODY, (st), (val)) -#define sk_KRB5_AUTHENTBODY_delete(st, i) SKM_sk_delete(KRB5_AUTHENTBODY, (st), (i)) -#define sk_KRB5_AUTHENTBODY_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_AUTHENTBODY, (st), (ptr)) -#define sk_KRB5_AUTHENTBODY_insert(st, val, i) SKM_sk_insert(KRB5_AUTHENTBODY, (st), (val), (i)) -#define sk_KRB5_AUTHENTBODY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_AUTHENTBODY, (st), (cmp)) -#define sk_KRB5_AUTHENTBODY_dup(st) SKM_sk_dup(KRB5_AUTHENTBODY, st) -#define sk_KRB5_AUTHENTBODY_pop_free(st, free_func) SKM_sk_pop_free(KRB5_AUTHENTBODY, (st), (free_func)) -#define sk_KRB5_AUTHENTBODY_shift(st) SKM_sk_shift(KRB5_AUTHENTBODY, (st)) -#define sk_KRB5_AUTHENTBODY_pop(st) SKM_sk_pop(KRB5_AUTHENTBODY, (st)) -#define sk_KRB5_AUTHENTBODY_sort(st) SKM_sk_sort(KRB5_AUTHENTBODY, (st)) -#define sk_KRB5_AUTHENTBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_AUTHENTBODY, (st)) - -#define sk_KRB5_CHECKSUM_new(cmp) SKM_sk_new(KRB5_CHECKSUM, (cmp)) -#define sk_KRB5_CHECKSUM_new_null() SKM_sk_new_null(KRB5_CHECKSUM) -#define sk_KRB5_CHECKSUM_free(st) SKM_sk_free(KRB5_CHECKSUM, (st)) -#define sk_KRB5_CHECKSUM_num(st) SKM_sk_num(KRB5_CHECKSUM, (st)) -#define sk_KRB5_CHECKSUM_value(st, i) SKM_sk_value(KRB5_CHECKSUM, (st), (i)) -#define sk_KRB5_CHECKSUM_set(st, i, val) SKM_sk_set(KRB5_CHECKSUM, (st), (i), (val)) -#define sk_KRB5_CHECKSUM_zero(st) SKM_sk_zero(KRB5_CHECKSUM, (st)) -#define sk_KRB5_CHECKSUM_push(st, val) SKM_sk_push(KRB5_CHECKSUM, (st), (val)) -#define sk_KRB5_CHECKSUM_unshift(st, val) SKM_sk_unshift(KRB5_CHECKSUM, 
(st), (val)) -#define sk_KRB5_CHECKSUM_find(st, val) SKM_sk_find(KRB5_CHECKSUM, (st), (val)) -#define sk_KRB5_CHECKSUM_find_ex(st, val) SKM_sk_find_ex(KRB5_CHECKSUM, (st), (val)) -#define sk_KRB5_CHECKSUM_delete(st, i) SKM_sk_delete(KRB5_CHECKSUM, (st), (i)) -#define sk_KRB5_CHECKSUM_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_CHECKSUM, (st), (ptr)) -#define sk_KRB5_CHECKSUM_insert(st, val, i) SKM_sk_insert(KRB5_CHECKSUM, (st), (val), (i)) -#define sk_KRB5_CHECKSUM_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_CHECKSUM, (st), (cmp)) -#define sk_KRB5_CHECKSUM_dup(st) SKM_sk_dup(KRB5_CHECKSUM, st) -#define sk_KRB5_CHECKSUM_pop_free(st, free_func) SKM_sk_pop_free(KRB5_CHECKSUM, (st), (free_func)) -#define sk_KRB5_CHECKSUM_shift(st) SKM_sk_shift(KRB5_CHECKSUM, (st)) -#define sk_KRB5_CHECKSUM_pop(st) SKM_sk_pop(KRB5_CHECKSUM, (st)) -#define sk_KRB5_CHECKSUM_sort(st) SKM_sk_sort(KRB5_CHECKSUM, (st)) -#define sk_KRB5_CHECKSUM_is_sorted(st) SKM_sk_is_sorted(KRB5_CHECKSUM, (st)) - -#define sk_KRB5_ENCDATA_new(cmp) SKM_sk_new(KRB5_ENCDATA, (cmp)) -#define sk_KRB5_ENCDATA_new_null() SKM_sk_new_null(KRB5_ENCDATA) -#define sk_KRB5_ENCDATA_free(st) SKM_sk_free(KRB5_ENCDATA, (st)) -#define sk_KRB5_ENCDATA_num(st) SKM_sk_num(KRB5_ENCDATA, (st)) -#define sk_KRB5_ENCDATA_value(st, i) SKM_sk_value(KRB5_ENCDATA, (st), (i)) -#define sk_KRB5_ENCDATA_set(st, i, val) SKM_sk_set(KRB5_ENCDATA, (st), (i), (val)) -#define sk_KRB5_ENCDATA_zero(st) SKM_sk_zero(KRB5_ENCDATA, (st)) -#define sk_KRB5_ENCDATA_push(st, val) SKM_sk_push(KRB5_ENCDATA, (st), (val)) -#define sk_KRB5_ENCDATA_unshift(st, val) SKM_sk_unshift(KRB5_ENCDATA, (st), (val)) -#define sk_KRB5_ENCDATA_find(st, val) SKM_sk_find(KRB5_ENCDATA, (st), (val)) -#define sk_KRB5_ENCDATA_find_ex(st, val) SKM_sk_find_ex(KRB5_ENCDATA, (st), (val)) -#define sk_KRB5_ENCDATA_delete(st, i) SKM_sk_delete(KRB5_ENCDATA, (st), (i)) -#define sk_KRB5_ENCDATA_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_ENCDATA, (st), (ptr)) -#define 
sk_KRB5_ENCDATA_insert(st, val, i) SKM_sk_insert(KRB5_ENCDATA, (st), (val), (i)) -#define sk_KRB5_ENCDATA_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_ENCDATA, (st), (cmp)) -#define sk_KRB5_ENCDATA_dup(st) SKM_sk_dup(KRB5_ENCDATA, st) -#define sk_KRB5_ENCDATA_pop_free(st, free_func) SKM_sk_pop_free(KRB5_ENCDATA, (st), (free_func)) -#define sk_KRB5_ENCDATA_shift(st) SKM_sk_shift(KRB5_ENCDATA, (st)) -#define sk_KRB5_ENCDATA_pop(st) SKM_sk_pop(KRB5_ENCDATA, (st)) -#define sk_KRB5_ENCDATA_sort(st) SKM_sk_sort(KRB5_ENCDATA, (st)) -#define sk_KRB5_ENCDATA_is_sorted(st) SKM_sk_is_sorted(KRB5_ENCDATA, (st)) - -#define sk_KRB5_ENCKEY_new(cmp) SKM_sk_new(KRB5_ENCKEY, (cmp)) -#define sk_KRB5_ENCKEY_new_null() SKM_sk_new_null(KRB5_ENCKEY) -#define sk_KRB5_ENCKEY_free(st) SKM_sk_free(KRB5_ENCKEY, (st)) -#define sk_KRB5_ENCKEY_num(st) SKM_sk_num(KRB5_ENCKEY, (st)) -#define sk_KRB5_ENCKEY_value(st, i) SKM_sk_value(KRB5_ENCKEY, (st), (i)) -#define sk_KRB5_ENCKEY_set(st, i, val) SKM_sk_set(KRB5_ENCKEY, (st), (i), (val)) -#define sk_KRB5_ENCKEY_zero(st) SKM_sk_zero(KRB5_ENCKEY, (st)) -#define sk_KRB5_ENCKEY_push(st, val) SKM_sk_push(KRB5_ENCKEY, (st), (val)) -#define sk_KRB5_ENCKEY_unshift(st, val) SKM_sk_unshift(KRB5_ENCKEY, (st), (val)) -#define sk_KRB5_ENCKEY_find(st, val) SKM_sk_find(KRB5_ENCKEY, (st), (val)) -#define sk_KRB5_ENCKEY_find_ex(st, val) SKM_sk_find_ex(KRB5_ENCKEY, (st), (val)) -#define sk_KRB5_ENCKEY_delete(st, i) SKM_sk_delete(KRB5_ENCKEY, (st), (i)) -#define sk_KRB5_ENCKEY_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_ENCKEY, (st), (ptr)) -#define sk_KRB5_ENCKEY_insert(st, val, i) SKM_sk_insert(KRB5_ENCKEY, (st), (val), (i)) -#define sk_KRB5_ENCKEY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_ENCKEY, (st), (cmp)) -#define sk_KRB5_ENCKEY_dup(st) SKM_sk_dup(KRB5_ENCKEY, st) -#define sk_KRB5_ENCKEY_pop_free(st, free_func) SKM_sk_pop_free(KRB5_ENCKEY, (st), (free_func)) -#define sk_KRB5_ENCKEY_shift(st) SKM_sk_shift(KRB5_ENCKEY, (st)) -#define sk_KRB5_ENCKEY_pop(st) 
SKM_sk_pop(KRB5_ENCKEY, (st)) -#define sk_KRB5_ENCKEY_sort(st) SKM_sk_sort(KRB5_ENCKEY, (st)) -#define sk_KRB5_ENCKEY_is_sorted(st) SKM_sk_is_sorted(KRB5_ENCKEY, (st)) - -#define sk_KRB5_PRINCNAME_new(cmp) SKM_sk_new(KRB5_PRINCNAME, (cmp)) -#define sk_KRB5_PRINCNAME_new_null() SKM_sk_new_null(KRB5_PRINCNAME) -#define sk_KRB5_PRINCNAME_free(st) SKM_sk_free(KRB5_PRINCNAME, (st)) -#define sk_KRB5_PRINCNAME_num(st) SKM_sk_num(KRB5_PRINCNAME, (st)) -#define sk_KRB5_PRINCNAME_value(st, i) SKM_sk_value(KRB5_PRINCNAME, (st), (i)) -#define sk_KRB5_PRINCNAME_set(st, i, val) SKM_sk_set(KRB5_PRINCNAME, (st), (i), (val)) -#define sk_KRB5_PRINCNAME_zero(st) SKM_sk_zero(KRB5_PRINCNAME, (st)) -#define sk_KRB5_PRINCNAME_push(st, val) SKM_sk_push(KRB5_PRINCNAME, (st), (val)) -#define sk_KRB5_PRINCNAME_unshift(st, val) SKM_sk_unshift(KRB5_PRINCNAME, (st), (val)) -#define sk_KRB5_PRINCNAME_find(st, val) SKM_sk_find(KRB5_PRINCNAME, (st), (val)) -#define sk_KRB5_PRINCNAME_find_ex(st, val) SKM_sk_find_ex(KRB5_PRINCNAME, (st), (val)) -#define sk_KRB5_PRINCNAME_delete(st, i) SKM_sk_delete(KRB5_PRINCNAME, (st), (i)) -#define sk_KRB5_PRINCNAME_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_PRINCNAME, (st), (ptr)) -#define sk_KRB5_PRINCNAME_insert(st, val, i) SKM_sk_insert(KRB5_PRINCNAME, (st), (val), (i)) -#define sk_KRB5_PRINCNAME_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_PRINCNAME, (st), (cmp)) -#define sk_KRB5_PRINCNAME_dup(st) SKM_sk_dup(KRB5_PRINCNAME, st) -#define sk_KRB5_PRINCNAME_pop_free(st, free_func) SKM_sk_pop_free(KRB5_PRINCNAME, (st), (free_func)) -#define sk_KRB5_PRINCNAME_shift(st) SKM_sk_shift(KRB5_PRINCNAME, (st)) -#define sk_KRB5_PRINCNAME_pop(st) SKM_sk_pop(KRB5_PRINCNAME, (st)) -#define sk_KRB5_PRINCNAME_sort(st) SKM_sk_sort(KRB5_PRINCNAME, (st)) -#define sk_KRB5_PRINCNAME_is_sorted(st) SKM_sk_is_sorted(KRB5_PRINCNAME, (st)) - -#define sk_KRB5_TKTBODY_new(cmp) SKM_sk_new(KRB5_TKTBODY, (cmp)) -#define sk_KRB5_TKTBODY_new_null() SKM_sk_new_null(KRB5_TKTBODY) -#define 
sk_KRB5_TKTBODY_free(st) SKM_sk_free(KRB5_TKTBODY, (st)) -#define sk_KRB5_TKTBODY_num(st) SKM_sk_num(KRB5_TKTBODY, (st)) -#define sk_KRB5_TKTBODY_value(st, i) SKM_sk_value(KRB5_TKTBODY, (st), (i)) -#define sk_KRB5_TKTBODY_set(st, i, val) SKM_sk_set(KRB5_TKTBODY, (st), (i), (val)) -#define sk_KRB5_TKTBODY_zero(st) SKM_sk_zero(KRB5_TKTBODY, (st)) -#define sk_KRB5_TKTBODY_push(st, val) SKM_sk_push(KRB5_TKTBODY, (st), (val)) -#define sk_KRB5_TKTBODY_unshift(st, val) SKM_sk_unshift(KRB5_TKTBODY, (st), (val)) -#define sk_KRB5_TKTBODY_find(st, val) SKM_sk_find(KRB5_TKTBODY, (st), (val)) -#define sk_KRB5_TKTBODY_find_ex(st, val) SKM_sk_find_ex(KRB5_TKTBODY, (st), (val)) -#define sk_KRB5_TKTBODY_delete(st, i) SKM_sk_delete(KRB5_TKTBODY, (st), (i)) -#define sk_KRB5_TKTBODY_delete_ptr(st, ptr) SKM_sk_delete_ptr(KRB5_TKTBODY, (st), (ptr)) -#define sk_KRB5_TKTBODY_insert(st, val, i) SKM_sk_insert(KRB5_TKTBODY, (st), (val), (i)) -#define sk_KRB5_TKTBODY_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(KRB5_TKTBODY, (st), (cmp)) -#define sk_KRB5_TKTBODY_dup(st) SKM_sk_dup(KRB5_TKTBODY, st) -#define sk_KRB5_TKTBODY_pop_free(st, free_func) SKM_sk_pop_free(KRB5_TKTBODY, (st), (free_func)) -#define sk_KRB5_TKTBODY_shift(st) SKM_sk_shift(KRB5_TKTBODY, (st)) -#define sk_KRB5_TKTBODY_pop(st) SKM_sk_pop(KRB5_TKTBODY, (st)) -#define sk_KRB5_TKTBODY_sort(st) SKM_sk_sort(KRB5_TKTBODY, (st)) -#define sk_KRB5_TKTBODY_is_sorted(st) SKM_sk_is_sorted(KRB5_TKTBODY, (st)) - #define sk_MEM_OBJECT_DATA_new(cmp) SKM_sk_new(MEM_OBJECT_DATA, (cmp)) #define sk_MEM_OBJECT_DATA_new_null() SKM_sk_new_null(MEM_OBJECT_DATA) #define sk_MEM_OBJECT_DATA_free(st) SKM_sk_free(MEM_OBJECT_DATA, (st)) 
@@ -1462,72 +1279,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) #define sk_POLICY_MAPPING_sort(st) SKM_sk_sort(POLICY_MAPPING, (st)) #define sk_POLICY_MAPPING_is_sorted(st) SKM_sk_is_sorted(POLICY_MAPPING, (st)) -#define sk_SRP_gN_new(cmp) SKM_sk_new(SRP_gN, (cmp)) -#define sk_SRP_gN_new_null() SKM_sk_new_null(SRP_gN) -#define sk_SRP_gN_free(st) SKM_sk_free(SRP_gN, (st)) -#define sk_SRP_gN_num(st) SKM_sk_num(SRP_gN, (st)) -#define sk_SRP_gN_value(st, i) SKM_sk_value(SRP_gN, (st), (i)) -#define sk_SRP_gN_set(st, i, val) SKM_sk_set(SRP_gN, (st), (i), (val)) -#define sk_SRP_gN_zero(st) SKM_sk_zero(SRP_gN, (st)) -#define sk_SRP_gN_push(st, val) SKM_sk_push(SRP_gN, (st), (val)) -#define sk_SRP_gN_unshift(st, val) SKM_sk_unshift(SRP_gN, (st), (val)) -#define sk_SRP_gN_find(st, val) SKM_sk_find(SRP_gN, (st), (val)) -#define sk_SRP_gN_find_ex(st, val) SKM_sk_find_ex(SRP_gN, (st), (val)) -#define sk_SRP_gN_delete(st, i) SKM_sk_delete(SRP_gN, (st), (i)) -#define sk_SRP_gN_delete_ptr(st, ptr) SKM_sk_delete_ptr(SRP_gN, (st), (ptr)) -#define sk_SRP_gN_insert(st, val, i) SKM_sk_insert(SRP_gN, (st), (val), (i)) -#define sk_SRP_gN_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(SRP_gN, (st), (cmp)) -#define sk_SRP_gN_dup(st) SKM_sk_dup(SRP_gN, st) -#define sk_SRP_gN_pop_free(st, free_func) SKM_sk_pop_free(SRP_gN, (st), (free_func)) -#define sk_SRP_gN_shift(st) SKM_sk_shift(SRP_gN, (st)) -#define sk_SRP_gN_pop(st) SKM_sk_pop(SRP_gN, (st)) -#define sk_SRP_gN_sort(st) SKM_sk_sort(SRP_gN, (st)) -#define sk_SRP_gN_is_sorted(st) SKM_sk_is_sorted(SRP_gN, (st)) - -#define sk_SRP_gN_cache_new(cmp) SKM_sk_new(SRP_gN_cache, (cmp)) -#define sk_SRP_gN_cache_new_null() SKM_sk_new_null(SRP_gN_cache) -#define sk_SRP_gN_cache_free(st) SKM_sk_free(SRP_gN_cache, (st)) -#define sk_SRP_gN_cache_num(st) SKM_sk_num(SRP_gN_cache, (st)) -#define sk_SRP_gN_cache_value(st, i) SKM_sk_value(SRP_gN_cache, (st), (i)) -#define sk_SRP_gN_cache_set(st, i, val) SKM_sk_set(SRP_gN_cache, (st), (i), (val)) -#define 
sk_SRP_gN_cache_zero(st) SKM_sk_zero(SRP_gN_cache, (st)) -#define sk_SRP_gN_cache_push(st, val) SKM_sk_push(SRP_gN_cache, (st), (val)) -#define sk_SRP_gN_cache_unshift(st, val) SKM_sk_unshift(SRP_gN_cache, (st), (val)) -#define sk_SRP_gN_cache_find(st, val) SKM_sk_find(SRP_gN_cache, (st), (val)) -#define sk_SRP_gN_cache_find_ex(st, val) SKM_sk_find_ex(SRP_gN_cache, (st), (val)) -#define sk_SRP_gN_cache_delete(st, i) SKM_sk_delete(SRP_gN_cache, (st), (i)) -#define sk_SRP_gN_cache_delete_ptr(st, ptr) SKM_sk_delete_ptr(SRP_gN_cache, (st), (ptr)) -#define sk_SRP_gN_cache_insert(st, val, i) SKM_sk_insert(SRP_gN_cache, (st), (val), (i)) -#define sk_SRP_gN_cache_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(SRP_gN_cache, (st), (cmp)) -#define sk_SRP_gN_cache_dup(st) SKM_sk_dup(SRP_gN_cache, st) -#define sk_SRP_gN_cache_pop_free(st, free_func) SKM_sk_pop_free(SRP_gN_cache, (st), (free_func)) -#define sk_SRP_gN_cache_shift(st) SKM_sk_shift(SRP_gN_cache, (st)) -#define sk_SRP_gN_cache_pop(st) SKM_sk_pop(SRP_gN_cache, (st)) -#define sk_SRP_gN_cache_sort(st) SKM_sk_sort(SRP_gN_cache, (st)) -#define sk_SRP_gN_cache_is_sorted(st) SKM_sk_is_sorted(SRP_gN_cache, (st)) - -#define sk_SRP_user_pwd_new(cmp) SKM_sk_new(SRP_user_pwd, (cmp)) -#define sk_SRP_user_pwd_new_null() SKM_sk_new_null(SRP_user_pwd) -#define sk_SRP_user_pwd_free(st) SKM_sk_free(SRP_user_pwd, (st)) -#define sk_SRP_user_pwd_num(st) SKM_sk_num(SRP_user_pwd, (st)) -#define sk_SRP_user_pwd_value(st, i) SKM_sk_value(SRP_user_pwd, (st), (i)) -#define sk_SRP_user_pwd_set(st, i, val) SKM_sk_set(SRP_user_pwd, (st), (i), (val)) -#define sk_SRP_user_pwd_zero(st) SKM_sk_zero(SRP_user_pwd, (st)) -#define sk_SRP_user_pwd_push(st, val) SKM_sk_push(SRP_user_pwd, (st), (val)) -#define sk_SRP_user_pwd_unshift(st, val) SKM_sk_unshift(SRP_user_pwd, (st), (val)) -#define sk_SRP_user_pwd_find(st, val) SKM_sk_find(SRP_user_pwd, (st), (val)) -#define sk_SRP_user_pwd_find_ex(st, val) SKM_sk_find_ex(SRP_user_pwd, (st), (val)) -#define 
sk_SRP_user_pwd_delete(st, i) SKM_sk_delete(SRP_user_pwd, (st), (i)) -#define sk_SRP_user_pwd_delete_ptr(st, ptr) SKM_sk_delete_ptr(SRP_user_pwd, (st), (ptr)) -#define sk_SRP_user_pwd_insert(st, val, i) SKM_sk_insert(SRP_user_pwd, (st), (val), (i)) -#define sk_SRP_user_pwd_set_cmp_func(st, cmp) SKM_sk_set_cmp_func(SRP_user_pwd, (st), (cmp)) -#define sk_SRP_user_pwd_dup(st) SKM_sk_dup(SRP_user_pwd, st) -#define sk_SRP_user_pwd_pop_free(st, free_func) SKM_sk_pop_free(SRP_user_pwd, (st), (free_func)) -#define sk_SRP_user_pwd_shift(st) SKM_sk_shift(SRP_user_pwd, (st)) -#define sk_SRP_user_pwd_pop(st) SKM_sk_pop(SRP_user_pwd, (st)) -#define sk_SRP_user_pwd_sort(st) SKM_sk_sort(SRP_user_pwd, (st)) -#define sk_SRP_user_pwd_is_sorted(st) SKM_sk_is_sorted(SRP_user_pwd, (st)) - #define sk_SRTP_PROTECTION_PROFILE_new(cmp) SKM_sk_new(SRTP_PROTECTION_PROFILE, (cmp)) #define sk_SRTP_PROTECTION_PROFILE_new_null() SKM_sk_new_null(SRTP_PROTECTION_PROFILE) #define sk_SRTP_PROTECTION_PROFILE_free(st) SKM_sk_free(SRTP_PROTECTION_PROFILE, (st)) @@ -2146,7 +1897,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) #define sk_OPENSSL_STRING_sort(st) SKM_sk_sort(OPENSSL_STRING, (st)) #define sk_OPENSSL_STRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_STRING, (st)) - #define sk_OPENSSL_BLOCK_new(cmp) ((STACK_OF(OPENSSL_BLOCK) *)sk_new(CHECKED_SK_CMP_FUNC(void, cmp))) #define sk_OPENSSL_BLOCK_new_null() ((STACK_OF(OPENSSL_BLOCK) *)sk_new_null()) #define sk_OPENSSL_BLOCK_push(st, val) sk_push(CHECKED_STACK_OF(OPENSSL_BLOCK, st), CHECKED_PTR_OF(void, val)) 
@@ -2171,7 +1921,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) #define sk_OPENSSL_BLOCK_sort(st) SKM_sk_sort(OPENSSL_BLOCK, (st)) #define sk_OPENSSL_BLOCK_is_sorted(st) SKM_sk_is_sorted(OPENSSL_BLOCK, (st)) - #define sk_OPENSSL_PSTRING_new(cmp) ((STACK_OF(OPENSSL_PSTRING) *)sk_new(CHECKED_SK_CMP_FUNC(OPENSSL_STRING, cmp))) #define sk_OPENSSL_PSTRING_new_null() ((STACK_OF(OPENSSL_PSTRING) *)sk_new_null()) #define sk_OPENSSL_PSTRING_push(st, val) sk_push(CHECKED_STACK_OF(OPENSSL_PSTRING, st), CHECKED_PTR_OF(OPENSSL_STRING, val)) 
@@ -2196,239 +1945,6 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) #define sk_OPENSSL_PSTRING_sort(st) SKM_sk_sort(OPENSSL_PSTRING, (st)) #define sk_OPENSSL_PSTRING_is_sorted(st) SKM_sk_is_sorted(OPENSSL_PSTRING, (st)) -#ifndef LIBRESSL_INTERNAL -#define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(ACCESS_DESCRIPTION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_ACCESS_DESCRIPTION(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(ACCESS_DESCRIPTION, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_ACCESS_DESCRIPTION(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(ACCESS_DESCRIPTION, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_ACCESS_DESCRIPTION(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(ACCESS_DESCRIPTION, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_ASN1_INTEGER(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(ASN1_INTEGER, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_ASN1_INTEGER(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(ASN1_INTEGER, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_ASN1_INTEGER(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(ASN1_INTEGER, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_ASN1_INTEGER(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(ASN1_INTEGER, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_ASN1_OBJECT(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(ASN1_OBJECT, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_ASN1_OBJECT(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(ASN1_OBJECT, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define 
ASN1_seq_pack_ASN1_OBJECT(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(ASN1_OBJECT, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_ASN1_OBJECT(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(ASN1_OBJECT, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_ASN1_TYPE(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(ASN1_TYPE, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_ASN1_TYPE(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(ASN1_TYPE, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_ASN1_TYPE(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(ASN1_TYPE, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_ASN1_TYPE(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(ASN1_TYPE, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_ASN1_UTF8STRING(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(ASN1_UTF8STRING, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_ASN1_UTF8STRING(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(ASN1_UTF8STRING, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_ASN1_UTF8STRING(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(ASN1_UTF8STRING, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_ASN1_UTF8STRING(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(ASN1_UTF8STRING, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_DIST_POINT(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(DIST_POINT, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_DIST_POINT(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(DIST_POINT, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_DIST_POINT(st, i2d_func, buf, len) \ - 
SKM_ASN1_seq_pack(DIST_POINT, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_DIST_POINT(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(DIST_POINT, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_ESS_CERT_ID(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(ESS_CERT_ID, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_ESS_CERT_ID(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(ESS_CERT_ID, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_ESS_CERT_ID(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(ESS_CERT_ID, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_ESS_CERT_ID(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(ESS_CERT_ID, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_EVP_MD(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(EVP_MD, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_EVP_MD(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(EVP_MD, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_EVP_MD(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(EVP_MD, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_EVP_MD(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(EVP_MD, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_GENERAL_NAME(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(GENERAL_NAME, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_GENERAL_NAME(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(GENERAL_NAME, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_GENERAL_NAME(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(GENERAL_NAME, (st), (i2d_func), (buf), (len)) -#define 
ASN1_seq_unpack_GENERAL_NAME(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(GENERAL_NAME, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_OCSP_ONEREQ(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(OCSP_ONEREQ, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_OCSP_ONEREQ(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(OCSP_ONEREQ, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_OCSP_ONEREQ(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(OCSP_ONEREQ, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_OCSP_ONEREQ(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(OCSP_ONEREQ, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_OCSP_SINGLERESP(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(OCSP_SINGLERESP, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_OCSP_SINGLERESP(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(OCSP_SINGLERESP, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_OCSP_SINGLERESP(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(OCSP_SINGLERESP, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_OCSP_SINGLERESP(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(OCSP_SINGLERESP, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_PKCS12_SAFEBAG(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(PKCS12_SAFEBAG, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_PKCS12_SAFEBAG(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(PKCS12_SAFEBAG, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_PKCS12_SAFEBAG(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(PKCS12_SAFEBAG, (st), (i2d_func), (buf), (len)) -#define 
ASN1_seq_unpack_PKCS12_SAFEBAG(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(PKCS12_SAFEBAG, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_PKCS7(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(PKCS7, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_PKCS7(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(PKCS7, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_PKCS7(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(PKCS7, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_PKCS7(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(PKCS7, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_PKCS7_RECIP_INFO(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(PKCS7_RECIP_INFO, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_PKCS7_RECIP_INFO(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(PKCS7_RECIP_INFO, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_PKCS7_RECIP_INFO(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(PKCS7_RECIP_INFO, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_PKCS7_RECIP_INFO(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(PKCS7_RECIP_INFO, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_PKCS7_SIGNER_INFO(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(PKCS7_SIGNER_INFO, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_PKCS7_SIGNER_INFO(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(PKCS7_SIGNER_INFO, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_PKCS7_SIGNER_INFO(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(PKCS7_SIGNER_INFO, (st), (i2d_func), (buf), (len)) -#define 
ASN1_seq_unpack_PKCS7_SIGNER_INFO(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(PKCS7_SIGNER_INFO, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_POLICYINFO(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(POLICYINFO, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_POLICYINFO(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(POLICYINFO, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_POLICYINFO(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(POLICYINFO, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_POLICYINFO(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(POLICYINFO, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_POLICYQUALINFO(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(POLICYQUALINFO, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_POLICYQUALINFO(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(POLICYQUALINFO, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_POLICYQUALINFO(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(POLICYQUALINFO, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_POLICYQUALINFO(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(POLICYQUALINFO, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_SXNETID(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(SXNETID, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_SXNETID(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(SXNETID, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_SXNETID(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(SXNETID, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_SXNETID(buf, len, d2i_func, free_func) \ - 
SKM_ASN1_seq_unpack(SXNETID, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_X509(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(X509, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_X509(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(X509, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_X509(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(X509, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_X509(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(X509, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_X509_ALGOR(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(X509_ALGOR, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_X509_ALGOR(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(X509_ALGOR, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_X509_ALGOR(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(X509_ALGOR, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_X509_ALGOR(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(X509_ALGOR, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_X509_ATTRIBUTE(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(X509_ATTRIBUTE, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_X509_ATTRIBUTE(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(X509_ATTRIBUTE, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_X509_ATTRIBUTE(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(X509_ATTRIBUTE, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_X509_ATTRIBUTE(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(X509_ATTRIBUTE, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_X509_CRL(st, 
pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(X509_CRL, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_X509_CRL(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(X509_CRL, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_X509_CRL(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(X509_CRL, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_X509_CRL(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(X509_CRL, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_X509_EXTENSION(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(X509_EXTENSION, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_X509_EXTENSION(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(X509_EXTENSION, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_X509_EXTENSION(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(X509_EXTENSION, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_X509_EXTENSION(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(X509_EXTENSION, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_X509_NAME_ENTRY(st, pp, length, d2i_func, free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(X509_NAME_ENTRY, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_X509_NAME_ENTRY(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(X509_NAME_ENTRY, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_X509_NAME_ENTRY(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(X509_NAME_ENTRY, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_X509_NAME_ENTRY(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(X509_NAME_ENTRY, (buf), (len), (d2i_func), (free_func)) - -#define d2i_ASN1_SET_OF_X509_REVOKED(st, pp, length, d2i_func, 
free_func, ex_tag, ex_class) \ - SKM_ASN1_SET_OF_d2i(X509_REVOKED, (st), (pp), (length), (d2i_func), (free_func), (ex_tag), (ex_class)) -#define i2d_ASN1_SET_OF_X509_REVOKED(st, pp, i2d_func, ex_tag, ex_class, is_set) \ - SKM_ASN1_SET_OF_i2d(X509_REVOKED, (st), (pp), (i2d_func), (ex_tag), (ex_class), (is_set)) -#define ASN1_seq_pack_X509_REVOKED(st, i2d_func, buf, len) \ - SKM_ASN1_seq_pack(X509_REVOKED, (st), (i2d_func), (buf), (len)) -#define ASN1_seq_unpack_X509_REVOKED(buf, len, d2i_func, free_func) \ - SKM_ASN1_seq_unpack(X509_REVOKED, (buf), (len), (d2i_func), (free_func)) - -#define PKCS12_decrypt_d2i_PKCS12_SAFEBAG(algor, d2i_func, free_func, pass, passlen, oct, seq) \ - SKM_PKCS12_decrypt_d2i(PKCS12_SAFEBAG, (algor), (d2i_func), (free_func), (pass), (passlen), (oct), (seq)) - -#define PKCS12_decrypt_d2i_PKCS7(algor, d2i_func, free_func, pass, passlen, oct, seq) \ - SKM_PKCS12_decrypt_d2i(PKCS7, (algor), (d2i_func), (free_func), (pass), (passlen), (oct), (seq)) -#endif /* !LIBRESSL_INTERNAL */ - #define lh_ADDED_OBJ_new() LHM_lh_new(ADDED_OBJ,added_obj) #define lh_ADDED_OBJ_insert(lh,inst) LHM_lh_insert(ADDED_OBJ,lh,inst) #define lh_ADDED_OBJ_retrieve(lh,inst) LHM_lh_retrieve(ADDED_OBJ,lh,inst) @@ -2662,6 +2178,5 @@ DECLARE_SPECIAL_STACK_OF(OPENSSL_BLOCK, void) #define lh_SSL_SESSION_stats_bio(lh,out) \ LHM_lh_stats_bio(SSL_SESSION,lh,out) #define lh_SSL_SESSION_free(lh) LHM_lh_free(SSL_SESSION,lh) -/* End of util/mkstack.pl block, you may now edit :-) */ #endif /* !defined HEADER_SAFESTACK_H */ diff --git a/include/openssl/sm3.h b/include/openssl/sm3.h new file mode 100644 index 0000000..553c64d --- /dev/null +++ b/include/openssl/sm3.h 
@@ -0,0 +1,53 @@
+/* $OpenBSD: sm3.h,v 1.1 2018/11/11 06:53:31 tb Exp $ */
+/*
+ * Copyright (c) 2018, Ribose Inc
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HEADER_SM3_H
+#define HEADER_SM3_H
+
+#include
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef OPENSSL_NO_SM3
+#error SM3 is disabled.
+#endif
+
+#define SM3_DIGEST_LENGTH 32
+#define SM3_WORD unsigned int
+
+#define SM3_CBLOCK 64
+#define SM3_LBLOCK (SM3_CBLOCK / 4)
+
+typedef struct SM3state_st {
+ SM3_WORD A, B, C, D, E, F, G, H;
+ SM3_WORD Nl, Nh;
+ SM3_WORD data[SM3_LBLOCK];
+ unsigned int num;
+} SM3_CTX;
+
+int SM3_Init(SM3_CTX *c);
+int SM3_Update(SM3_CTX *c, const void *data, size_t len);
+int SM3_Final(unsigned char *md, SM3_CTX *c);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* HEADER_SM3_H */
diff --git a/include/openssl/sm4.h b/include/openssl/sm4.h
new file mode 100644
index 0000000..5931ac7
--- /dev/null
+++ b/include/openssl/sm4.h
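Review bot: SM3_Final's `md` parameter carries no size contract even though `SM3_DIGEST_LENGTH` is defined a few lines above it; a comment on the declaration, `/* md must have room for SM3_DIGEST_LENGTH bytes */`, would tie the two together for callers sizing the output buffer. The three prototypes also say nothing about their return values, which presumably follow the 1-on-success convention of the other digest headers in this tree — worth stating, because a caller that ignores a failed SM3_Final would otherwise treat an unwritten buffer as a digest. Exposing the full `SM3state_st` layout in the public header matches the style of the sibling hash contexts, so I would not change it, but a note that the fields are not part of the stable API would save later grief.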
@@ -0,0 +1,51 @@
+/* $OpenBSD: sm4.h,v 1.1 2019/03/17 17:42:37 tb Exp $ */
+/*
+ * Copyright (c) 2017, 2019 Ribose Inc
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HEADER_SM4_H
+#define HEADER_SM4_H
+
+#include
+
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifdef OPENSSL_NO_SM4
+#error SM4 is disabled.
+#endif
+
+#define SM4_DECRYPT 0
+#define SM4_ENCRYPT 1
+
+#define SM4_BLOCK_SIZE 16
+#define SM4_KEY_SCHEDULE 32
+
+typedef struct sm4_key_st {
+ unsigned char opaque[128];
+} SM4_KEY;
+
+int SM4_set_key(const uint8_t *key, SM4_KEY *ks);
+void SM4_decrypt(const uint8_t *in, uint8_t *out, const SM4_KEY *ks);
+void SM4_encrypt(const uint8_t *in, uint8_t *out, const SM4_KEY *ks);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* HEADER_SM4_H */
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 78a6787..88039c0 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.154 2018/03/20 15:28:12 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.178 2020/09/20 09:42:00 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -146,6 +146,7 @@ #include #include + #include #include #include
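Review bot: SM4_set_key takes `key` with no length parameter and the header defines no key-size constant next to `SM4_BLOCK_SIZE`, so nothing in sm4.h tells a caller how many bytes the function reads from `key` (SM4 is a 128-bit-key cipher, but the header should say so); a comment on the declaration such as `/* key: 16 bytes; ks receives the expanded round keys */`, or a named key-size constant, would close that gap. SM4_encrypt and SM4_decrypt likewise do not state that `in` and `out` are exactly one `SM4_BLOCK_SIZE` block each, and SM4_set_key's int return is undocumented. The link between `SM4_KEY_SCHEDULE` (32) and `opaque[128]` is left implicit; a one-line comment that the opaque buffer must hold the whole round-key schedule would make that size relationship reviewable if either constant changes later.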
@@ -305,6 +306,9 @@ extern "C" { #define SSL_TXT_TLSV1 "TLSv1" #define SSL_TXT_TLSV1_1 "TLSv1.1" #define SSL_TXT_TLSV1_2 "TLSv1.2" +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +#define SSL_TXT_TLSV1_3 "TLSv1.3" +#endif #define SSL_TXT_EXP "EXP" #define SSL_TXT_EXPORT "EXPORT" @@ -399,7 +403,7 @@ struct ssl_method_internal_st; struct ssl_method_st { int (*ssl_dispatch_alert)(SSL *s); int (*num_ciphers)(void); - const SSL_CIPHER *(*get_cipher)(unsigned ncipher); + const SSL_CIPHER *(*get_cipher)(unsigned int ncipher); const SSL_CIPHER *(*get_cipher_by_char)(const unsigned char *ptr); int (*put_cipher_by_char)(const SSL_CIPHER *cipher, unsigned char *ptr); @@ -507,16 +511,15 @@ struct ssl_session_st { /* Set on servers to choose the cipher according to the server's * preferences */ #define SSL_OP_CIPHER_SERVER_PREFERENCE 0x00400000L -/* If set, a server will allow a client to issue a SSLv3.0 version number - * as latest version supported in the premaster secret, even when TLSv1.0 - * (version 3.1) was announced in the client hello. Normally this is - * forbidden to prevent version rollback attacks. */ -#define SSL_OP_TLS_ROLLBACK_BUG 0x00800000L #define SSL_OP_NO_TLSv1 0x04000000L #define SSL_OP_NO_TLSv1_2 0x08000000L #define SSL_OP_NO_TLSv1_1 0x10000000L +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +#define SSL_OP_NO_TLSv1_3 0x20000000L +#endif + /* SSL_OP_ALL: various bug workarounds that should be rather harmless. */ #define SSL_OP_ALL \ (SSL_OP_LEGACY_SERVER_CONNECT) @@ -545,6 +548,7 @@ struct ssl_session_st { #define SSL_OP_TLSEXT_PADDING 0x0 #define SSL_OP_TLS_BLOCK_PADDING_BUG 0x0 #define SSL_OP_TLS_D5_BUG 0x0 +#define SSL_OP_TLS_ROLLBACK_BUG 0x0 /* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success * when just a single record has been written): */ 
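Review bot: `SSL_OP_TLS_ROLLBACK_BUG` moves from a real option bit into the `0x0` no-op group, but the comment that explained what the option used to permit is dropped with it, so a reader of the new header cannot tell that the option is now intentionally inert; a short comment on `+#define SSL_OP_TLS_ROLLBACK_BUG 0x0`, e.g. `/* accepting a lower version than announced is no longer permitted; kept as a no-op for source compatibility */`, would preserve that history. From the header alone I cannot confirm that the library-side rollback allowance was removed in the same change, so that should be checked before the wording is settled. `SSL_OP_NO_TLSv1_3` in the `@@ -507` hunk is only visible to consumers that define `LIBRESSL_HAS_TLS1_3`; the same gate recurs throughout ssl.h and tls1.h in this diff, and a one-line comment at its first occurrence saying where that macro is set would help readers.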
@@ -731,10 +735,10 @@ void SSL_CTX_sess_set_remove_cb(SSL_CTX *ctx, void (*SSL_CTX_sess_get_remove_cb(SSL_CTX *ctx))(struct ssl_ctx_st *ctx, SSL_SESSION *sess); void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, - SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, unsigned char *data, - int len, int *copy)); + SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, + const unsigned char *data, int len, int *copy)); SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(struct ssl_st *ssl, - unsigned char *Data, int len, int *copy); + const unsigned char *data, int len, int *copy); void SSL_CTX_set_info_callback(SSL_CTX *ctx, void (*cb)(const SSL *ssl, int type, int val)); void (*SSL_CTX_get_info_callback(SSL_CTX *ctx))(const SSL *ssl, int type, @@ -750,7 +754,7 @@ void SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, int (*app_gen_cookie_cb)(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)); void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, - int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, + int (*app_verify_cookie_cb)(SSL *ssl, const unsigned char *cookie, unsigned int cookie_len)); void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s, int (*cb)(SSL *ssl, const unsigned char **out, unsigned int *outlen, void *arg), void *arg); @@ -762,7 +766,7 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, const unsigned char *client, unsigned int client_len); void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, - unsigned *len); + unsigned int *len); #define OPENSSL_NPN_UNSUPPORTED 0 #define OPENSSL_NPN_NEGOTIATED 1 
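Review bot: Changing the `get_session_cb` parameter from `unsigned char *data` to `const unsigned char *data` (and `app_verify_cookie_cb`'s `cookie` likewise) alters the function-pointer types that applications pass to `SSL_CTX_sess_set_get_cb` and `SSL_CTX_set_cookie_verify_cb`, so existing callbacks written against the old prototypes now draw incompatible-pointer-type diagnostics until they are updated. The direction is right, since a session lookup should never write into the client-supplied session id, but it belongs in the release notes together with the other prototype changes in this file. The `unsigned` → `unsigned int` edit in the last hunk is cosmetic.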
@@ -1114,12 +1118,22 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x); #define SSL_CTRL_GET_EXTRA_CHAIN_CERTS 82 #define SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS 83 +#define SSL_CTRL_CHAIN 88 +#define SSL_CTRL_CHAIN_CERT 89 + #define SSL_CTRL_SET_GROUPS 91 #define SSL_CTRL_SET_GROUPS_LIST 92 #define SSL_CTRL_SET_ECDH_AUTO 94 +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +#define SSL_CTRL_GET_PEER_TMP_KEY 109 +#define SSL_CTRL_GET_SERVER_TMP_KEY SSL_CTRL_GET_PEER_TMP_KEY +#else #define SSL_CTRL_GET_SERVER_TMP_KEY 109 +#endif + +#define SSL_CTRL_GET_CHAIN_CERTS 115 #define SSL_CTRL_SET_DH_AUTO 118 @@ -1170,6 +1184,20 @@ int PEM_write_SSL_SESSION(FILE *fp, SSL_SESSION *x); #define SSL_set_ecdh_auto(s, onoff) \ SSL_ctrl(s,SSL_CTRL_SET_ECDH_AUTO,onoff,NULL) +int SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain); +int SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain); +int SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509); +int SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509); +int SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain); +int SSL_CTX_clear_chain_certs(SSL_CTX *ctx); + +int SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain); +int SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain); +int SSL_add0_chain_cert(SSL *ssl, X509 *x509); +int SSL_add1_chain_cert(SSL *ssl, X509 *x509); +int SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain); +int SSL_clear_chain_certs(SSL *ssl); + int SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len); int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups); 
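Review bot: The twelve new chain-certificate declarations (`SSL_CTX_set0_chain` … `SSL_clear_chain_certs`) carry no ownership comment; the 0/1 suffixes presumably follow the usual OpenSSL convention (`set0`/`add0` take ownership of the argument, `set1`/`add1` copy it, `get0` returns a borrowed pointer), and since getting this wrong in certificate handling means a double free or a leak, a comment above the group stating the convention is worth adding once it is confirmed against the implementation. In the `@@ -1114` hunk, `SSL_CTRL_GET_SERVER_TMP_KEY` keeps the value 109 on both sides of the `#if`, which is good for ABI; a comment noting that the two names are deliberately the same ctrl would stop a later edit from splitting them.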
@@ -1196,36 +1224,59 @@ int SSL_set_max_proto_version(SSL *ssl, uint16_t version); #define SSL_set1_curves_list SSL_set1_groups_list #endif -#define SSL_CTX_add_extra_chain_cert(ctx,x509) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_EXTRA_CHAIN_CERT,0,(char *)x509) -#define SSL_CTX_get_extra_chain_certs(ctx,px509) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_GET_EXTRA_CHAIN_CERTS,0,px509) +#define SSL_CTX_add_extra_chain_cert(ctx, x509) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_EXTRA_CHAIN_CERT, 0, (char *)x509) +#define SSL_CTX_get_extra_chain_certs(ctx, px509) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_EXTRA_CHAIN_CERTS, 0, px509) +#define SSL_CTX_get_extra_chain_certs_only(ctx, px509) \ + SSL_CTX_ctrl(ctx, SSL_CTRL_GET_EXTRA_CHAIN_CERTS, 1, px509) #define SSL_CTX_clear_extra_chain_certs(ctx) \ - SSL_CTX_ctrl(ctx,SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS,0,NULL) + SSL_CTX_ctrl(ctx, SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS, 0, NULL) #define SSL_get_server_tmp_key(s, pk) \ SSL_ctrl(s,SSL_CTRL_GET_SERVER_TMP_KEY,0,pk) +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +#define SSL_get_peer_tmp_key(s, pk) \ + SSL_ctrl(s, SSL_CTRL_GET_PEER_TMP_KEY, 0, pk) +#endif /* LIBRESSL_HAS_TLS1_3 || LIBRESSL_INTERNAL */ + #ifndef LIBRESSL_INTERNAL /* * Also provide those functions as macros for compatibility with * existing users. 
*/ +#define SSL_CTX_set0_chain SSL_CTX_set0_chain +#define SSL_CTX_set1_chain SSL_CTX_set1_chain +#define SSL_CTX_add0_chain_cert SSL_CTX_add0_chain_cert +#define SSL_CTX_add1_chain_cert SSL_CTX_add1_chain_cert +#define SSL_CTX_get0_chain_certs SSL_CTX_get0_chain_certs +#define SSL_CTX_clear_chain_certs SSL_CTX_clear_chain_certs + +#define SSL_add0_chain_cert SSL_add0_chain_cert +#define SSL_add1_chain_cert SSL_add1_chain_cert +#define SSL_set0_chain SSL_set0_chain +#define SSL_set1_chain SSL_set1_chain +#define SSL_get0_chain_certs SSL_get0_chain_certs +#define SSL_clear_chain_certs SSL_clear_chain_certs + #define SSL_CTX_set1_groups SSL_CTX_set1_groups #define SSL_CTX_set1_groups_list SSL_CTX_set1_groups_list #define SSL_set1_groups SSL_set1_groups #define SSL_set1_groups_list SSL_set1_groups_list + #define SSL_CTX_get_min_proto_version SSL_CTX_get_min_proto_version #define SSL_CTX_get_max_proto_version SSL_CTX_get_max_proto_version #define SSL_CTX_set_min_proto_version SSL_CTX_set_min_proto_version #define SSL_CTX_set_max_proto_version SSL_CTX_set_max_proto_version + #define SSL_get_min_proto_version SSL_get_min_proto_version #define SSL_get_max_proto_version SSL_get_max_proto_version #define SSL_set_min_proto_version SSL_set_min_proto_version #define SSL_set_max_proto_version SSL_set_max_proto_version #endif -BIO_METHOD *BIO_f_ssl(void); +const BIO_METHOD *BIO_f_ssl(void); BIO *BIO_new_ssl(SSL_CTX *ctx, int client); BIO *BIO_new_ssl_connect(SSL_CTX *ctx); BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx); @@ -1234,6 +1285,9 @@ void BIO_ssl_shutdown(BIO *ssl_bio); STACK_OF(SSL_CIPHER) *SSL_CTX_get_ciphers(const SSL_CTX *ctx); int SSL_CTX_set_cipher_list(SSL_CTX *, const char *str); +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +int SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str); +#endif SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth); void SSL_CTX_free(SSL_CTX *); int SSL_CTX_up_ref(SSL_CTX *ctx); 
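Review bot: `BIO_f_ssl` now returns `const BIO_METHOD *`, so callers that store the result in a non-const `BIO_METHOD *` get a discarded-qualifier diagnostic; like the callback prototype changes earlier in this file it should be listed in the release notes. The self-referential `#define SSL_CTX_set0_chain SSL_CTX_set0_chain` block is a feature-detection idiom, but the comment above it only says "for compatibility with existing users"; extending it with `/* defined to themselves so that #ifdef-style feature tests in applications work */` would explain why a macro is defined to its own name. In the `@@ -1196` hunk, `SSL_get_server_tmp_key` is the one macro in the reformatted group left with the unspaced argument list, a small style inconsistency; `SSL_CTX_set_ciphersuites` in the `@@ -1234` hunk is gated consistently with the other TLS 1.3 additions.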
@@ -1251,7 +1305,7 @@ const SSL_CIPHER *SSL_get_current_cipher(const SSL *s); const SSL_CIPHER *SSL_CIPHER_get_by_id(unsigned int id); const SSL_CIPHER *SSL_CIPHER_get_by_value(uint16_t value); int SSL_CIPHER_get_bits(const SSL_CIPHER *c, int *alg_bits); -char * SSL_CIPHER_get_version(const SSL_CIPHER *c); +const char * SSL_CIPHER_get_version(const SSL_CIPHER *c); const char * SSL_CIPHER_get_name(const SSL_CIPHER *c); unsigned long SSL_CIPHER_get_id(const SSL_CIPHER *c); uint16_t SSL_CIPHER_get_value(const SSL_CIPHER *c); @@ -1275,6 +1329,9 @@ void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio); BIO * SSL_get_rbio(const SSL *s); BIO * SSL_get_wbio(const SSL *s); int SSL_set_cipher_list(SSL *s, const char *str); +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +int SSL_set_ciphersuites(SSL *s, const char *str); +#endif void SSL_set_read_ahead(SSL *s, int yes); int SSL_get_verify_mode(const SSL *s); int SSL_get_verify_depth(const SSL *s); @@ -1283,7 +1340,7 @@ void SSL_set_verify(SSL *s, int mode, int (*callback)(int ok, X509_STORE_CTX *ctx)); void SSL_set_verify_depth(SSL *s, int depth); int SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa); -int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len); +int SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len); int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey); int SSL_use_PrivateKey_ASN1(int pk, SSL *ssl, const unsigned char *d, long len); int SSL_use_certificate(SSL *ssl, X509 *x); @@ -1315,7 +1372,7 @@ long SSL_SESSION_get_time(const SSL_SESSION *s); long SSL_SESSION_set_time(SSL_SESSION *s, long t); long SSL_SESSION_get_timeout(const SSL_SESSION *s); long SSL_SESSION_set_timeout(SSL_SESSION *s, long t); -void SSL_copy_session_id(SSL *to, const SSL *from); +int SSL_copy_session_id(SSL *to, const SSL *from); X509 *SSL_SESSION_get0_peer(SSL_SESSION *s); int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid, unsigned int sid_len); 
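Review bot: `SSL_copy_session_id` changes from `void` to `int`, which is source-compatible but means existing callers silently ignore a failure they could not observe before; the header should say what the value means (presumably 1 on success, 0 on failure like the neighbouring setters), e.g. `/* Returns 1 on success, 0 on failure. */` above the declaration, and in-tree callers should be checked for the new result. `SSL_CIPHER_get_version` returning `const char *` and `SSL_use_RSAPrivateKey_ASN1` taking `const unsigned char *d` are welcome const-correctness fixes, though the first can produce discarded-qualifier warnings in callers and deserves a release-note line.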
@@ -1329,6 +1386,10 @@ const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *ss, unsigned int *len); const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *ss, unsigned int *len); +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +uint32_t SSL_SESSION_get_max_early_data(const SSL_SESSION *sess); +int SSL_SESSION_set_max_early_data(SSL_SESSION *sess, uint32_t max_early_data); +#endif unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s); int SSL_SESSION_has_ticket(const SSL_SESSION *s); unsigned int SSL_SESSION_get_compress_id(const SSL_SESSION *ss); @@ -1381,6 +1442,10 @@ int SSL_CTX_set_purpose(SSL_CTX *s, int purpose); int SSL_set_purpose(SSL *s, int purpose); int SSL_CTX_set_trust(SSL_CTX *s, int trust); int SSL_set_trust(SSL *s, int trust); +int SSL_set1_host(SSL *s, const char *hostname); +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +const char *SSL_get0_peername(SSL *s); +#endif X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx); int SSL_CTX_set1_param(SSL_CTX *ctx, X509_VERIFY_PARAM *vpm); 
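Review bot: `SSL_set1_host` is declared unconditionally while its counterpart `SSL_get0_peername` sits behind the `LIBRESSL_HAS_TLS1_3 || LIBRESSL_INTERNAL` gate, and nothing in the header explains the asymmetry; if the gate is a compatibility-surface choice rather than a real dependency on TLS 1.3, a one-line comment there would stop it being "fixed" later. Since `SSL_set1_host` is the call applications use to have the peer certificate checked against an expected hostname, its declaration also deserves a contract comment (whether a NULL or empty `hostname` clears a previously set name, and that the string is copied, as the `1` suffix suggests); those details are not visible here, so confirm them against the implementation before writing it. The `SSL_SESSION` early-data accessors in the first hunk are fine as declared.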
@@ -1396,6 +1461,26 @@ int SSL_is_server(const SSL *s); int SSL_read(SSL *ssl, void *buf, int num); int SSL_peek(SSL *ssl, void *buf, int num); int SSL_write(SSL *ssl, const void *buf, int num); + +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +uint32_t SSL_CTX_get_max_early_data(const SSL_CTX *ctx); +int SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data); + +uint32_t SSL_get_max_early_data(const SSL *s); +int SSL_set_max_early_data(SSL *s, uint32_t max_early_data); + +#define SSL_EARLY_DATA_NOT_SENT 0 +#define SSL_EARLY_DATA_REJECTED 1 +#define SSL_EARLY_DATA_ACCEPTED 2 +int SSL_get_early_data_status(const SSL *s); + +#define SSL_READ_EARLY_DATA_ERROR 0 +#define SSL_READ_EARLY_DATA_SUCCESS 1 +#define SSL_READ_EARLY_DATA_FINISH 2 +int SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes); +int SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written); +#endif + long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg); long SSL_callback_ctrl(SSL *, int, void (*)(void)); long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg); @@ -1431,7 +1516,13 @@ const SSL_METHOD *DTLSv1_method(void); /* DTLSv1.0 */ const SSL_METHOD *DTLSv1_server_method(void); /* DTLSv1.0 */ const SSL_METHOD *DTLSv1_client_method(void); /* DTLSv1.0 */ +const SSL_METHOD *DTLS_method(void); /* DTLS v1.0 or later */ +const SSL_METHOD *DTLS_server_method(void); /* DTLS v1.0 or later */ +const SSL_METHOD *DTLS_client_method(void); /* DTLS v1.0 or later */ + STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s); +STACK_OF(SSL_CIPHER) *SSL_get_client_ciphers(const SSL *s); +STACK_OF(SSL_CIPHER) *SSL_get1_supported_ciphers(SSL *s); int SSL_do_handshake(SSL *s); int SSL_renegotiate(SSL *s); 
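Review bot: `SSL_read_early_data` and `SSL_write_early_data` are declared without any mention of the 0-RTT replay property: data accepted through this path can be replayed by a network attacker, so it must only carry requests that are safe to repeat, and the header is the one place every caller reads. A comment above `int SSL_read_early_data(...)` such as `/* Early data is not replay-protected (RFC 8446 section 8); treat anything read here as possibly replayed. */` would make that explicit. `SSL_get1_supported_ciphers` in the `@@ -1431` hunk returns a stack the caller presumably has to free, given the `1` suffix; stating that next to the declaration avoids a leak. The `DTLS_method` family is declared consistently with the existing `DTLSv1_*` lines.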
@@ -1461,12 +1552,12 @@ long SSL_get_default_timeout(const SSL *s); int SSL_library_init(void ); char *SSL_CIPHER_description(const SSL_CIPHER *, char *buf, int size); -STACK_OF(X509_NAME) *SSL_dup_CA_list(STACK_OF(X509_NAME) *sk); +STACK_OF(X509_NAME) *SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk); SSL *SSL_dup(SSL *ssl); X509 *SSL_get_certificate(const SSL *ssl); -/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(SSL *ssl); +/* EVP_PKEY */ struct evp_pkey_st *SSL_get_privatekey(const SSL *ssl); void SSL_CTX_set_quiet_shutdown(SSL_CTX *ctx,int mode); int SSL_CTX_get_quiet_shutdown(const SSL_CTX *ctx); @@ -2114,6 +2205,7 @@ void ERR_load_SSL_strings(void); #define SSL_R_X509_LIB 268 #define SSL_R_X509_VERIFICATION_SETUP_PROBLEMS 269 #define SSL_R_PEER_BEHAVING_BADLY 666 +#define SSL_R_UNKNOWN 999 /* * OpenSSL compatible OPENSSL_INIT options diff --git a/include/openssl/ssl3.h b/include/openssl/ssl3.h index 12ef56b..a102d11 100644 --- a/include/openssl/ssl3.h +++ b/include/openssl/ssl3.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl3.h,v 1.46 2017/08/28 17:36:58 jsing Exp $ */ +/* $OpenBSD: ssl3.h,v 1.51 2020/06/05 18:14:05 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -314,6 +314,7 @@ extern "C" { #define TLS1_HB_RESPONSE 2 #ifndef OPENSSL_NO_SSL_INTERN +#ifndef LIBRESSL_INTERNAL typedef struct ssl3_record_st { /*r */ int type; /* type of record */ @@ -333,6 +334,7 @@ typedef struct ssl3_buffer_st { int left; /* how many bytes left */ } SSL3_BUFFER; +#endif #endif #define SSL3_CT_RSA_SIGN 1 
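Review bot: The ssl3.h hunks (`@@ -314` and `@@ -333`) nest a new `#ifndef LIBRESSL_INTERNAL` inside the existing `#ifndef OPENSSL_NO_SSL_INTERN`, leaving two adjacent bare `#endif` lines; label them `#endif /* LIBRESSL_INTERNAL */` and `#endif /* OPENSSL_NO_SSL_INTERN */` so the pairing is visible, especially as the inner guard now hides `SSL3_RECORD`/`SSL3_BUFFER` from the library itself while still exposing them to applications. In the ssl.h `@@ -2114` hunk, `#define SSL_R_UNKNOWN 999` is added without a comment; the value sits outside the numbered run around it, which looks deliberate (as with `SSL_R_PEER_BEHAVING_BADLY 666`), but a word on when the library raises it would help anyone mapping error strings.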
@@ -346,15 +348,11 @@ typedef struct ssl3_buffer_st { * enough to contain all of the cert types defined either for * SSLv3 and TLSv1. */ -#define SSL3_CT_NUMBER 11 - +#define SSL3_CT_NUMBER 13 #define SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS 0x0001 -#define SSL3_FLAGS_DELAY_CLIENT_FINISHED 0x0002 -#define SSL3_FLAGS_POP_BUFFER 0x0004 -#define TLS1_FLAGS_TLS_PADDING_BUG 0x0 #define TLS1_FLAGS_SKIP_CERT_VERIFY 0x0010 -#define TLS1_FLAGS_KEEP_HANDSHAKE 0x0020 +#define TLS1_FLAGS_FREEZE_TRANSCRIPT 0x0020 #define SSL3_FLAGS_CCS_OK 0x0080 #ifndef OPENSSL_NO_SSL_INTERN @@ -367,18 +365,6 @@ typedef struct ssl3_state_st { unsigned char server_random[SSL3_RANDOM_SIZE]; unsigned char client_random[SSL3_RANDOM_SIZE]; - SSL3_BUFFER rbuf; /* read IO goes into here */ - SSL3_BUFFER wbuf; /* write IO goes into here */ - - /* we allow one fatal and one warning alert to be outstanding, - * send close alert via the warning alert */ - int alert_dispatch; - unsigned char send_alert[2]; - - struct { - int new_mac_secret_size; - } tmp; - struct ssl3_state_internal_st *internal; } SSL3_STATE; diff --git a/include/openssl/tls1.h b/include/openssl/tls1.h index 0474bb7..8cd5226 100644 --- a/include/openssl/tls1.h +++ b/include/openssl/tls1.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls1.h,v 1.32 2018/02/17 15:08:21 jsing Exp $ */ +/* $OpenBSD: tls1.h,v 1.41 2020/06/05 18:14:05 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -151,6 +151,8 @@ #ifndef HEADER_TLS1_H #define HEADER_TLS1_H +#include + #include #ifdef __cplusplus @@ -159,6 +161,10 @@ extern "C" { #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 0 +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +#define TLS1_3_VERSION 0x0304 +#endif + #define TLS1_2_VERSION 0x0303 #define TLS1_2_VERSION_MAJOR 0x03 #define TLS1_2_VERSION_MINOR 0x03 
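Review bot: Removing `rbuf`, `wbuf`, `alert_dispatch`, `send_alert` and `tmp` from `SSL3_STATE` changes the layout of a struct that is still visible to applications built without `OPENSSL_NO_SSL_INTERN`, so this is an ABI break for anything that accessed those fields or embedded the struct; it should be reflected in the shared-library version and called out in the release notes. The rename `TLS1_FLAGS_KEEP_HANDSHAKE` → `TLS1_FLAGS_FREEZE_TRANSCRIPT` keeps the bit 0x0020 but drops the old name, a source break for any external user of the flag. `SSL3_CT_NUMBER 13` agrees with the `TLS_CT_NUMBER 13` change in tls1.h later in this diff, as the comment beside it requires.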
@@ -230,14 +236,19 @@ extern "C" { /* ExtensionType values from RFC 6091. */ #define TLSEXT_TYPE_cert_type 9 +/* ExtensionType values from RFC 7919. */ +#define TLSEXT_TYPE_supported_groups 10 + /* ExtensionType values from RFC 4492. */ -#define TLSEXT_TYPE_elliptic_curves 10 +#ifndef LIBRESSL_INTERNAL +#define TLSEXT_TYPE_elliptic_curves TLSEXT_TYPE_supported_groups +#endif #define TLSEXT_TYPE_ec_point_formats 11 /* ExtensionType value from RFC 5054. */ #define TLSEXT_TYPE_srp 12 -/* ExtensionType values from RFC 5246. */ +/* ExtensionType value from RFC 5246/RFC 8446. */ #define TLSEXT_TYPE_signature_algorithms 13 /* ExtensionType value from RFC 5764. */ @@ -255,6 +266,29 @@ extern "C" { /* ExtensionType value from RFC 4507. */ #define TLSEXT_TYPE_session_ticket 35 +/* ExtensionType values from RFC 8446 section 4.2 */ +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +#define TLSEXT_TYPE_pre_shared_key 41 +#define TLSEXT_TYPE_early_data 42 +#define TLSEXT_TYPE_supported_versions 43 +#define TLSEXT_TYPE_cookie 44 +#define TLSEXT_TYPE_psk_key_exchange_modes 45 +#define TLSEXT_TYPE_certificate_authorities 47 +#define TLSEXT_TYPE_oid_filters 48 +#define TLSEXT_TYPE_post_handshake_auth 49 +#define TLSEXT_TYPE_signature_algorithms_cert 50 +#define TLSEXT_TYPE_key_share 51 +#endif + +/* + * TLS 1.3 extension names from OpenSSL, where they decided to use a different + * name from that given in RFC 8446. + */ +#if defined(LIBRESSL_HAS_TLS1_3) +#define TLSEXT_TYPE_psk TLSEXT_TYPE_pre_shared_key +#define TLSEXT_TYPE_psk_kex_modes TLSEXT_TYPE_psk_key_exchange_modes +#endif + /* Temporary extension type */ #define TLSEXT_TYPE_renegotiate 0xff01 
@@ -270,29 +304,6 @@ extern "C" { #define TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2 2 #define TLSEXT_ECPOINTFORMAT_last 2 -/* Signature and hash algorithms from RFC 5246. */ - -#define TLSEXT_signature_anonymous 0 -#define TLSEXT_signature_rsa 1 -#define TLSEXT_signature_dsa 2 -#define TLSEXT_signature_ecdsa 3 -/* FIXME IANA */ -#define TLSEXT_signature_gostr01 237 -#define TLSEXT_signature_gostr12_256 238 -#define TLSEXT_signature_gostr12_512 239 - -#define TLSEXT_hash_none 0 -#define TLSEXT_hash_md5 1 -#define TLSEXT_hash_sha1 2 -#define TLSEXT_hash_sha224 3 -#define TLSEXT_hash_sha256 4 -#define TLSEXT_hash_sha384 5 -#define TLSEXT_hash_sha512 6 -/* FIXME IANA */ -#define TLSEXT_hash_gost94 237 -#define TLSEXT_hash_streebog_256 238 -#define TLSEXT_hash_streebog_512 239 - #define TLSEXT_MAXLEN_host_name 255 const char *SSL_get_servername(const SSL *s, const int type); @@ -472,6 +483,15 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) #define TLS1_CK_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0x030000C4 #define TLS1_CK_ADH_WITH_CAMELLIA_256_CBC_SHA256 0x030000C5 +/* TLS 1.3 cipher suites from RFC 8446 appendix B.4. */ +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +#define TLS1_3_CK_AES_128_GCM_SHA256 0x03001301 +#define TLS1_3_CK_AES_256_GCM_SHA384 0x03001302 +#define TLS1_3_CK_CHACHA20_POLY1305_SHA256 0x03001303 +#define TLS1_3_CK_AES_128_CCM_SHA256 0x03001304 +#define TLS1_3_CK_AES_128_CCM_8_SHA256 0x03001305 +#endif + /* ECC ciphersuites from RFC 4492. */ #define TLS1_CK_ECDH_ECDSA_WITH_NULL_SHA 0x0300C001 #define TLS1_CK_ECDH_ECDSA_WITH_RC4_128_SHA 0x0300C002 
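Review bot: The `TLSEXT_signature_*` and `TLSEXT_hash_*` macros are deleted from a public header without a replacement, so any application that used them (for example to interpret signature_algorithms values) stops compiling; if they are meant to become internal-only the release notes should say so, and if compatibility matters a `#ifndef LIBRESSL_INTERNAL` block keeping the old names, as this diff already does for `TLSEXT_TYPE_elliptic_curves`, would be the consistent choice. The `TLS1_3_CK_*` values in the `@@ -472` hunk match RFC 8446 appendix B.4.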
@@ -678,7 +698,6 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) #define TLS1_TXT_ADH_WITH_AES_256_GCM_SHA384 "ADH-AES256-GCM-SHA384" /* ECDH HMAC based ciphersuites from RFC 5289. */ - #define TLS1_TXT_ECDHE_ECDSA_WITH_AES_128_SHA256 "ECDHE-ECDSA-AES128-SHA256" #define TLS1_TXT_ECDHE_ECDSA_WITH_AES_256_SHA384 "ECDHE-ECDSA-AES256-SHA384" #define TLS1_TXT_ECDH_ECDSA_WITH_AES_128_SHA256 "ECDH-ECDSA-AES128-SHA256" 
@@ -703,20 +722,31 @@ SSL_CTX_callback_ctrl(ssl,SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB,(void (*)(void))cb) #define TLS1_TXT_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 "ECDHE-ECDSA-CHACHA20-POLY1305" #define TLS1_TXT_DHE_RSA_WITH_CHACHA20_POLY1305 "DHE-RSA-CHACHA20-POLY1305" +/* TLS 1.3 cipher suites from RFC 8446 appendix B.4. */ +#if defined(LIBRESSL_HAS_TLS1_3) || defined(LIBRESSL_INTERNAL) +#define TLS1_3_TXT_AES_128_GCM_SHA256 "AEAD-AES128-GCM-SHA256" +#define TLS1_3_TXT_AES_256_GCM_SHA384 "AEAD-AES256-GCM-SHA384" +#define TLS1_3_TXT_CHACHA20_POLY1305_SHA256 "AEAD-CHACHA20-POLY1305-SHA256" +#define TLS1_3_TXT_AES_128_CCM_SHA256 "AEAD-AES128-CCM-SHA256" +#define TLS1_3_TXT_AES_128_CCM_8_SHA256 "AEAD-AES128-CCM-8-SHA256" +#endif + #define TLS_CT_RSA_SIGN 1 #define TLS_CT_DSS_SIGN 2 #define TLS_CT_RSA_FIXED_DH 3 #define TLS_CT_DSS_FIXED_DH 4 +#define TLS_CT_GOST94_SIGN 21 +#define TLS_CT_GOST01_SIGN 22 #define TLS_CT_ECDSA_SIGN 64 #define TLS_CT_RSA_FIXED_ECDH 65 #define TLS_CT_ECDSA_FIXED_ECDH 66 -#define TLS_CT_GOST94_SIGN 21 -#define TLS_CT_GOST01_SIGN 22 -#define TLS_CT_GOST12_256_SIGN 238 /* FIXME: IANA */ -#define TLS_CT_GOST12_512_SIGN 239 /* FIXME: IANA */ +#define TLS_CT_GOST12_256_SIGN 67 +#define TLS_CT_GOST12_512_SIGN 68 +#define TLS_CT_GOST12_256_SIGN_COMPAT 238 /* pre-IANA, for compat */ +#define TLS_CT_GOST12_512_SIGN_COMPAT 239 /* pre-IANA, for compat */ /* when correcting this number, correct also SSL3_CT_NUMBER in ssl3.h (see * comment there) */ -#define TLS_CT_NUMBER 11 +#define TLS_CT_NUMBER 13 #define TLS1_FINISH_MAC_LENGTH 12 diff --git a/include/openssl/ts.h b/include/openssl/ts.h index a8d2281..fa8eb94 100644 --- a/include/openssl/ts.h +++ b/include/openssl/ts.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ts.h,v 1.8 2016/12/27 16:05:57 jsing Exp $ */ +/* $OpenBSD: ts.h,v 1.10 2018/05/13 15:35:46 tb Exp $ */ /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL * project 2002, 2003, 2004. */ 
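Review bot: `TLS_CT_GOST12_256_SIGN` and `TLS_CT_GOST12_512_SIGN` change value (238→67, 239→68) while the old numbers survive under new `_COMPAT` names, so code that stored or compared the old macro values now silently means a different certificate type; a comment stating that the `_SIGN` names carry the IANA-registered values and the `_COMPAT` names the pre-registration ones a peer may still send would make the mapping explicit, as the current `/* pre-IANA, for compat */` only covers half of it. `TLS_CT_NUMBER 13` matches the thirteen `TLS_CT_*` types now listed and the `SSL3_CT_NUMBER` change earlier in this diff, but the manual-sync comment remains the only guard, and a build-time check that the two agree would be stronger. The `TLS1_3_TXT_*` strings use an `AEAD-` prefix rather than the RFC's `TLS_` names, a naming choice worth a comment if it is not documented elsewhere.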
@@ -365,7 +365,7 @@ X509_ALGOR *TS_MSG_IMPRINT_get_algo(TS_MSG_IMPRINT *a); int TS_MSG_IMPRINT_set_msg(TS_MSG_IMPRINT *a, unsigned char *d, int len); ASN1_OCTET_STRING *TS_MSG_IMPRINT_get_msg(TS_MSG_IMPRINT *a); -int TS_REQ_set_policy_id(TS_REQ *a, ASN1_OBJECT *policy); +int TS_REQ_set_policy_id(TS_REQ *a, const ASN1_OBJECT *policy); ASN1_OBJECT *TS_REQ_get_policy_id(TS_REQ *a); int TS_REQ_set_nonce(TS_REQ *a, const ASN1_INTEGER *nonce); @@ -378,7 +378,7 @@ STACK_OF(X509_EXTENSION) *TS_REQ_get_exts(TS_REQ *a); void TS_REQ_ext_free(TS_REQ *a); int TS_REQ_get_ext_count(TS_REQ *a); int TS_REQ_get_ext_by_NID(TS_REQ *a, int nid, int lastpos); -int TS_REQ_get_ext_by_OBJ(TS_REQ *a, ASN1_OBJECT *obj, int lastpos); +int TS_REQ_get_ext_by_OBJ(TS_REQ *a, const ASN1_OBJECT *obj, int lastpos); int TS_REQ_get_ext_by_critical(TS_REQ *a, int crit, int lastpos); X509_EXTENSION *TS_REQ_get_ext(TS_REQ *a, int loc); X509_EXTENSION *TS_REQ_delete_ext(TS_REQ *a, int loc); @@ -439,7 +439,8 @@ STACK_OF(X509_EXTENSION) *TS_TST_INFO_get_exts(TS_TST_INFO *a); void TS_TST_INFO_ext_free(TS_TST_INFO *a); int TS_TST_INFO_get_ext_count(TS_TST_INFO *a); int TS_TST_INFO_get_ext_by_NID(TS_TST_INFO *a, int nid, int lastpos); -int TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, ASN1_OBJECT *obj, int lastpos); +int TS_TST_INFO_get_ext_by_OBJ(TS_TST_INFO *a, const ASN1_OBJECT *obj, + int lastpos); int TS_TST_INFO_get_ext_by_critical(TS_TST_INFO *a, int crit, int lastpos); X509_EXTENSION *TS_TST_INFO_get_ext(TS_TST_INFO *a, int loc); X509_EXTENSION *TS_TST_INFO_delete_ext(TS_TST_INFO *a, int loc); 
@@ -524,14 +525,14 @@ int TS_RESP_CTX_set_signer_cert(TS_RESP_CTX *ctx, X509 *signer); int TS_RESP_CTX_set_signer_key(TS_RESP_CTX *ctx, EVP_PKEY *key); /* This parameter must be set. */ -int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *def_policy); +int TS_RESP_CTX_set_def_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *def_policy); /* No additional certs are included in the response by default. */ int TS_RESP_CTX_set_certs(TS_RESP_CTX *ctx, STACK_OF(X509) *certs); /* Adds a new acceptable policy, only the default policy is accepted by default. */ -int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, ASN1_OBJECT *policy); +int TS_RESP_CTX_add_policy(TS_RESP_CTX *ctx, const ASN1_OBJECT *policy); /* Adds a new acceptable message digest. Note that no message digests are accepted by default. The md argument is shared with the caller. */ diff --git a/include/openssl/ui.h b/include/openssl/ui.h index b6b0075..5ca65b0 100644 --- a/include/openssl/ui.h +++ b/include/openssl/ui.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ui.h,v 1.9 2014/07/10 22:45:58 jsing Exp $ */ +/* $OpenBSD: ui.h,v 1.12 2020/09/24 19:20:32 tb Exp $ */ /* Written by Richard Levitte (richard@levitte.org) for the OpenSSL * project 2001. */ 
@@ -76,59 +76,62 @@ extern "C" { /* typedef struct ui_method_st UI_METHOD; */ -/* All the following functions return -1 or NULL on error and in some cases - (UI_process()) -2 if interrupted or in some other way cancelled. - When everything is fine, they return 0, a positive value or a non-NULL - pointer, all depending on their purpose. */ +/* + * All the following functions return -1 or NULL on error and in some cases + * (UI_process()) -2 if interrupted or in some other way cancelled. + * When everything is fine, they return 0, a positive value or a non-NULL + * pointer, all depending on their purpose. + */ /* Creators and destructor. */ UI *UI_new(void); UI *UI_new_method(const UI_METHOD *method); void UI_free(UI *ui); -/* The following functions are used to add strings to be printed and prompt - strings to prompt for data. The names are UI_{add,dup}__string - and UI_{add,dup}_input_boolean. - - UI_{add,dup}__string have the following meanings: - add add a text or prompt string. The pointers given to these - functions are used verbatim, no copying is done. - dup make a copy of the text or prompt string, then add the copy - to the collection of strings in the user interface. - - The function is a name for the functionality that the given - string shall be used for. It can be one of: - input use the string as data prompt. - verify use the string as verification prompt. This - is used to verify a previous input. - info use the string for informational output. - error use the string for error output. - Honestly, there's currently no difference between info and error for the - moment. - - UI_{add,dup}_input_boolean have the same semantics for "add" and "dup", - and are typically used when one wants to prompt for a yes/no response. - - - All of the functions in this group take a UI and a prompt string. 
- The string input and verify addition functions also take a flag argument, - a buffer for the result to end up with, a minimum input size and a maximum - input size (the result buffer MUST be large enough to be able to contain - the maximum number of characters). Additionally, the verify addition - functions takes another buffer to compare the result against. - The boolean input functions take an action description string (which should - be safe to ignore if the expected user action is obvious, for example with - a dialog box with an OK button and a Cancel button), a string of acceptable - characters to mean OK and to mean Cancel. The two last strings are checked - to make sure they don't have common characters. Additionally, the same - flag argument as for the string input is taken, as well as a result buffer. - The result buffer is required to be at least one byte long. Depending on - the answer, the first character from the OK or the Cancel character strings - will be stored in the first byte of the result buffer. No NUL will be - added, so the result is *not* a string. - - On success, the all return an index of the added information. That index - is usefull when retrieving results with UI_get0_result(). */ +/* + * The following functions are used to add strings to be printed and prompt + * strings to prompt for data. The names are UI_{add,dup}__string + * and UI_{add,dup}_input_boolean. + * + * UI_{add,dup}__string have the following meanings: + * add add a text or prompt string. The pointers given to these + * functions are used verbatim, no copying is done. + * dup make a copy of the text or prompt string, then add the copy + * to the collection of strings in the user interface. + * + * The function is a name for the functionality that the given + * string shall be used for. It can be one of: + * input use the string as data prompt. + * verify use the string as verification prompt. This + * is used to verify a previous input. 
+ * info use the string for informational output. + * error use the string for error output. + * Honestly, there's currently no difference between info and error for the + * moment. + * + * UI_{add,dup}_input_boolean have the same semantics for "add" and "dup", + * and are typically used when one wants to prompt for a yes/no response. + * + * All of the functions in this group take a UI and a prompt string. + * The string input and verify addition functions also take a flag argument, + * a buffer for the result to end up in, a minimum input size and a maximum + * input size (the result buffer MUST be large enough to be able to contain + * the maximum number of characters). Additionally, the verify addition + * functions takes another buffer to compare the result against. + * The boolean input functions take an action description string (which should + * be safe to ignore if the expected user action is obvious, for example with + * a dialog box with an OK button and a Cancel button), a string of acceptable + * characters to mean OK and to mean Cancel. The two last strings are checked + * to make sure they don't have common characters. Additionally, the same + * flag argument as for the string input is taken, as well as a result buffer. + * The result buffer is required to be at least one byte long. Depending on + * the answer, the first character from the OK or the Cancel character strings + * will be stored in the first byte of the result buffer. No NUL will be + * added, so the result is *not* a string. + * + * On success, the functions all return an index of the added information. + * That index is useful when retrieving results with UI_get0_result(). + */ int UI_add_input_string(UI *ui, const char *prompt, int flags, char *result_buf, int minsize, int maxsize); int UI_dup_input_string(UI *ui, const char *prompt, int flags, 
@@ -151,55 +154,60 @@ int UI_dup_error_string(UI *ui, const char *text); /* These are the possible flags. They can be or'ed together. */ /* Use to have echoing of input */ #define UI_INPUT_FLAG_ECHO 0x01 -/* Use a default password. Where that password is found is completely - up to the application, it might for example be in the user data set - with UI_add_user_data(). It is not recommended to have more than - one input in each UI being marked with this flag, or the application - might get confused. */ +/* + * Use a default password. Where that password is found is completely + * up to the application, it might for example be in the user data set + * with UI_add_user_data(). It is not recommended to have more than + * one input in each UI being marked with this flag, or the application + * might get confused. + */ #define UI_INPUT_FLAG_DEFAULT_PWD 0x02 -/* The user of these routines may want to define flags of their own. The core - UI won't look at those, but will pass them on to the method routines. They - must use higher bits so they don't get confused with the UI bits above. - UI_INPUT_FLAG_USER_BASE tells which is the lowest bit to use. A good - example of use is this: - - #define MY_UI_FLAG1 (0x01 << UI_INPUT_FLAG_USER_BASE) - -*/ +/* + * Users of these routines may want to define flags of their own. The core + * UI won't look at those, but will pass them on to the method routines. They + * must use higher bits so they don't get confused with the UI bits above. + * UI_INPUT_FLAG_USER_BASE tells which is the lowest bit to use. A good + * example of use is this: + * + * #define MY_UI_FLAG1 (0x01 << UI_INPUT_FLAG_USER_BASE) + */ #define UI_INPUT_FLAG_USER_BASE 16 -/* The following function helps construct a prompt. object_desc is a - textual short description of the object, for example "pass phrase", - and object_name is the name of the object (might be a card name or - a file name. 
- The returned string shall always be allocated on the heap with - malloc(), and need to be free'd with free(). - - If the ui_method doesn't contain a pointer to a user-defined prompt - constructor, a default string is built, looking like this: - - "Enter {object_desc} for {object_name}:" - - So, if object_desc has the value "pass phrase" and object_name has - the value "foo.key", the resulting string is: - - "Enter pass phrase for foo.key:" -*/ +/* + * The following function helps construct a prompt. object_desc is a + * textual short description of the object, for example "pass phrase", + * and object_name is the name of the object (might be a card name or + * a file name. + * The returned string shall always be allocated on the heap with + * malloc(), and need to be free'd with free(). + * + * If the ui_method doesn't contain a pointer to a user-defined prompt + * constructor, a default string is built, looking like this: + * + * "Enter {object_desc} for {object_name}:" + * + * So, if object_desc has the value "pass phrase" and object_name has + * the value "foo.key", the resulting string is: + * + * "Enter pass phrase for foo.key:" + */ char *UI_construct_prompt(UI *ui_method, const char *object_desc, const char *object_name); -/* The following function is used to store a pointer to user-specific data. - Any previous such pointer will be returned and replaced. - - For callback purposes, this function makes a lot more sense than using - ex_data, since the latter requires that different parts of OpenSSL or - applications share the same ex_data index. - - Note that the UI_OpenSSL() method completely ignores the user data. - Other methods may not, however. */ +/* + * The following function is used to store a pointer to user-specific data. + * Any previous such pointer will be returned and replaced. 
+ * + * For callback purposes, this function makes a lot more sense than using + * ex_data, since the latter requires that different parts of OpenSSL or + * applications share the same ex_data index. + * + * Note that the UI_OpenSSL() method completely ignores the user data. + * Other methods may not, however. + */ void *UI_add_user_data(UI *ui, void *user_data); /* We need a user data retrieving function as well. */ void *UI_get0_user_data(UI *ui); @@ -210,19 +218,25 @@ const char *UI_get0_result(UI *ui, int i); /* When all strings have been added, process the whole thing. */ int UI_process(UI *ui); -/* Give a user interface parametrised control commands. This can be used to - send down an integer, a data pointer or a function pointer, as well as - be used to get information from a UI. */ +/* + * Give a user interface parametrised control commands. This can be used to + * send down an integer, a data pointer or a function pointer, as well as + * be used to get information from a UI. + */ int UI_ctrl(UI *ui, int cmd, long i, void *p, void (*f)(void)); /* The commands */ -/* Use UI_CONTROL_PRINT_ERRORS with the value 1 to have UI_process print the - OpenSSL error stack before printing any info or added error messages and - before any prompting. */ +/* + * Use UI_CONTROL_PRINT_ERRORS with the value 1 to have UI_process print the + * OpenSSL error stack before printing any info or added error messages and + * before any prompting. + */ #define UI_CTRL_PRINT_ERRORS 1 -/* Check if a UI_process() is possible to do again with the same instance of - a user interface. This makes UI_ctrl() return 1 if it is redoable, and 0 - if not. */ +/* + * Check if a UI_process() is possible to do again with the same instance of + * a user interface. This makes UI_ctrl() return 1 if it is redoable, and 0 + * if not. + */ #define UI_CTRL_IS_REDOABLE 2 
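Review bot: The reflowed UI_construct_prompt comment opens a parenthesis at `(might be a card name or` that is never closed, so the sentence runs straight into `The returned string shall always be allocated…`; since the whole block is being rewritten, close it as `a file name).`. In the same paragraph `need to be free'd with free()` would read better as `needs to be freed with free()`.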
@@ -244,56 +258,60 @@ const UI_METHOD *UI_set_method(UI *ui, const UI_METHOD *meth); UI_METHOD *UI_OpenSSL(void); -/* ---------- For method writers ---------- */ -/* A method contains a number of functions that implement the low level - of the User Interface. The functions are: +/* + * ---------- For method writers ---------- + * A method contains a number of functions that implement the low level + * of the User Interface. The functions are: + * + * an opener This function starts a session, maybe by opening + * a channel to a tty, or by opening a window. + * a writer This function is called to write a given string, + * maybe to the tty, maybe as a field label in a + * window. + * a flusher This function is called to flush everything that + * has been output so far. It can be used to actually + * display a dialog box after it has been built. + * a reader This function is called to read a given prompt, + * maybe from the tty, maybe from a field in a + * window. Note that it's called wth all string + * structures, not only the prompt ones, so it must + * check such things itself. + * a closer This function closes the session, maybe by closing + * the channel to the tty, or closing the window. + * + * All these functions are expected to return: + * + * 0 on error. + * 1 on success. + * -1 on out-of-band events, for example if some prompting has + * been canceled (by pressing Ctrl-C, for example). This is + * only checked when returned by the flusher or the reader. + * + * The way this is used, the opener is first called, then the writer for all + * strings, then the flusher, then the reader for all strings and finally the + * closer. Note that if you want to prompt from a terminal or other command + * line interface, the best is to have the reader also write the prompts + * instead of having the writer do it. 
If you want to prompt from a dialog + * box, the writer can be used to build up the contents of the box, and the + * flusher to actually display the box and run the event loop until all data + * has been given, after which the reader only grabs the given data and puts + * them back into the UI strings. + * + * All method functions take a UI as argument. Additionally, the writer and + * the reader take a UI_STRING. + */ - an opener This function starts a session, maybe by opening - a channel to a tty, or by opening a window. - a writer This function is called to write a given string, - maybe to the tty, maybe as a field label in a - window. - a flusher This function is called to flush everything that - has been output so far. It can be used to actually - display a dialog box after it has been built. - a reader This function is called to read a given prompt, - maybe from the tty, maybe from a field in a - window. Note that it's called wth all string - structures, not only the prompt ones, so it must - check such things itself. - a closer This function closes the session, maybe by closing - the channel to the tty, or closing the window. - - All these functions are expected to return: - - 0 on error. - 1 on success. - -1 on out-of-band events, for example if some prompting has - been canceled (by pressing Ctrl-C, for example). This is - only checked when returned by the flusher or the reader. - - The way this is used, the opener is first called, then the writer for all - strings, then the flusher, then the reader for all strings and finally the - closer. Note that if you want to prompt from a terminal or other command - line interface, the best is to have the reader also write the prompts - instead of having the writer do it. 
If you want to prompt from a dialog - box, the writer can be used to build up the contents of the box, and the - flusher to actually display the box and run the event loop until all data - has been given, after which the reader only grabs the given data and puts - them back into the UI strings. - - All method functions take a UI as argument. Additionally, the writer and - the reader take a UI_STRING. -*/ - -/* The UI_STRING type is the data structure that contains all the needed info - about a string or a prompt, including test data for a verification prompt. -*/ +/* + * The UI_STRING type is the data structure that contains all the needed info + * about a string or a prompt, including test data for a verification prompt. + */ typedef struct ui_string_st UI_STRING; DECLARE_STACK_OF(UI_STRING) -/* The different types of strings that are currently supported. - This is only needed by method authors. */ +/* + * The different types of strings that are currently supported. + * This is only needed by method authors. + */ enum UI_string_types { UIT_NONE = 0, UIT_PROMPT, /* Prompt for a string */ 
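Review bot: The rewritten method-writer comment carries the old typo over unchanged in `Note that it's called wth all string`; as every line of this block is new on the + side, this is the moment to fix it to `called with all string`. Nothing else in the hunk changes wording, so no other text needs attention.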
@@ -304,31 +322,37 @@ enum UI_string_types { }; /* Create and manipulate methods */ -UI_METHOD *UI_create_method(char *name); +UI_METHOD *UI_create_method(const char *name); void UI_destroy_method(UI_METHOD *ui_method); int UI_method_set_opener(UI_METHOD *method, int (*opener)(UI *ui)); -int UI_method_set_writer(UI_METHOD *method, int (*writer)(UI *ui, UI_STRING *uis)); +int UI_method_set_writer(UI_METHOD *method, + int (*writer)(UI *ui, UI_STRING *uis)); int UI_method_set_flusher(UI_METHOD *method, int (*flusher)(UI *ui)); -int UI_method_set_reader(UI_METHOD *method, int (*reader)(UI *ui, UI_STRING *uis)); +int UI_method_set_reader(UI_METHOD *method, + int (*reader)(UI *ui, UI_STRING *uis)); int UI_method_set_closer(UI_METHOD *method, int (*closer)(UI *ui)); -int UI_method_set_prompt_constructor(UI_METHOD *method, char *(*prompt_constructor)(UI* ui, const char* object_desc, const char* object_name)); -int (*UI_method_get_opener(UI_METHOD *method))(UI*); -int (*UI_method_get_writer(UI_METHOD *method))(UI*, UI_STRING*); -int (*UI_method_get_flusher(UI_METHOD *method))(UI*); -int (*UI_method_get_reader(UI_METHOD *method))(UI*, UI_STRING*); -int (*UI_method_get_closer(UI_METHOD *method))(UI*); -char * (*UI_method_get_prompt_constructor(UI_METHOD *method))(UI*, const char*, const char*); - -/* The following functions are helpers for method writers to access relevant - data from a UI_STRING. 
*/ +int UI_method_set_prompt_constructor(UI_METHOD *method, + char *(*prompt_constructor)(UI *ui, const char *object_desc, + const char *object_name)); +int (*UI_method_get_opener(const UI_METHOD *method))(UI *); +int (*UI_method_get_writer(const UI_METHOD *method))(UI *, UI_STRING *); +int (*UI_method_get_flusher(const UI_METHOD *method))(UI *); +int (*UI_method_get_reader(const UI_METHOD *method))(UI *, UI_STRING *); +int (*UI_method_get_closer(const UI_METHOD *method))(UI *); +char *(*UI_method_get_prompt_constructor(const UI_METHOD *method))(UI *, + const char *, const char *); +/* + * The following functions are helpers for method writers to access relevant + * data from a UI_STRING. + */ /* Return type of the UI_STRING */ enum UI_string_types UI_get_string_type(UI_STRING *uis); /* Return input flags of the UI_STRING */ int UI_get_input_flags(UI_STRING *uis); /* Return the actual string to output (the prompt, info or error) */ const char *UI_get0_output_string(UI_STRING *uis); -/* Return the optional action string to output (the boolean promtp instruction) */ +/* Return the optional action string to output (boolean prompt instruction) */ const char *UI_get0_action_string(UI_STRING *uis); /* Return the result of a prompt */ const char *UI_get0_result_string(UI_STRING *uis); 
@@ -341,14 +365,15 @@ int UI_get_result_maxsize(UI_STRING *uis); /* Set the result of a UI_STRING. */ int UI_set_result(UI *ui, UI_STRING *uis, const char *result); - /* A couple of popular utility functions */ -int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt, int verify); -int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, int verify); - +int UI_UTIL_read_pw_string(char *buf, int length, const char *prompt, + int verify); +int UI_UTIL_read_pw(char *buf, char *buff, int size, const char *prompt, + int verify); /* BEGIN ERROR CODES */ -/* The following lines are auto generated by the script mkerr.pl. Any changes +/* + * The following lines are auto generated by the script mkerr.pl. Any changes * made after this point may be overwritten when the script is next run. */ void ERR_load_UI_strings(void); diff --git a/include/openssl/x509.h b/include/openssl/x509.h index 3f7239b..e30cbc0 100644 --- a/include/openssl/x509.h +++ b/include/openssl/x509.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509.h,v 1.44 2018/03/17 15:28:27 tb Exp $ */ +/* $OpenBSD: x509.h,v 1.74 2018/08/24 20:26:03 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -112,7 +112,7 @@ extern "C" { #endif -#if defined(_WIN32) +#if defined(_WIN32) && defined(__WINCRYPT_H__) #ifndef LIBRESSL_INTERNAL #ifdef _MSC_VER #pragma message("Warning, overriding WinCrypt defines") @@ -574,19 +574,12 @@ X509_ALGOR *prf; /* PKCS#8 private key info structure */ -struct pkcs8_priv_key_info_st - { - int broken; /* Flag for various broken formats */ -#define PKCS8_OK 0 -#define PKCS8_NO_OCTET 1 -#define PKCS8_EMBEDDED_PARAM 2 -#define PKCS8_NS_DB 3 -#define PKCS8_NEG_PRIVKEY 4 +struct pkcs8_priv_key_info_st { ASN1_INTEGER *version; X509_ALGOR *pkeyalg; - ASN1_TYPE *pkey; /* Should be OCTET STRING but some are broken */ + ASN1_OCTET_STRING *pkey; STACK_OF(X509_ATTRIBUTE) *attributes; - }; +}; #ifdef __cplusplus } 
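Review bot: The WinCrypt override block is now entered only when `__WINCRYPT_H__` is already defined, which makes it depend on include order: a translation unit that includes wincrypt.h after x509.h never reaches this `#if` and gets the colliding WinCrypt macros back, silently. That ordering requirement is not stated anywhere in the hunk; a one-line comment above the condition would save the next person a confusing build break, e.g. `/* Only undo WinCrypt's macros if wincrypt.h was included before this header. */`. Whether the rest of the block still undefines the same names is outside the hunk.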
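Review bot: The new `struct pkcs8_priv_key_info_st` removes the `broken` field, changes `pkey` from `ASN1_TYPE *` to `ASN1_OCTET_STRING *` and drops the `PKCS8_OK`…`PKCS8_NEG_PRIVKEY` constants, so this is both an ABI change for anything reaching into the struct and a source break for code using those macros; the matching removal of `EVP_PKEY2PKCS8_broken` and `PKCS8_set_broken` is in the -1292 hunk. The security upside — the decoder presumably no longer has to accept the four non-conformant encodings and privateKey is typed as the OCTET STRING PKCS#8 specifies — is worth recording at the declaration so it is not reintroduced later: `/* privateKey is an OCTET STRING as PKCS#8 requires; the old "broken" encodings are no longer supported. */`. The decoder itself is not visible here, so confirm that d2i rejects rather than coerces the old forms.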
@@ -602,29 +595,21 @@ extern "C" { #define X509_EXT_PACK_UNKNOWN 1 #define X509_EXT_PACK_STRING 2 -#define X509_get_version(x) ASN1_INTEGER_get((x)->cert_info->version) -/* #define X509_get_serialNumber(x) ((x)->cert_info->serialNumber) */ -#define X509_get_notBefore(x) ((x)->cert_info->validity->notBefore) -#define X509_get_notAfter(x) ((x)->cert_info->validity->notAfter) #define X509_extract_key(x) X509_get_pubkey(x) /*****/ -#define X509_REQ_get_version(x) ASN1_INTEGER_get((x)->req_info->version) -#define X509_REQ_get_subject_name(x) ((x)->req_info->subject) #define X509_REQ_extract_key(a) X509_REQ_get_pubkey(a) #define X509_name_cmp(a,b) X509_NAME_cmp((a),(b)) -#define X509_get_signature_type(x) EVP_PKEY_type(OBJ_obj2nid((x)->sig_alg->algorithm)) - -#define X509_CRL_get_version(x) ASN1_INTEGER_get((x)->crl->version) -#define X509_CRL_get_lastUpdate(x) ((x)->crl->lastUpdate) -#define X509_CRL_get_nextUpdate(x) ((x)->crl->nextUpdate) -#define X509_CRL_get_issuer(x) ((x)->crl->issuer) -#define X509_CRL_get_REVOKED(x) ((x)->crl->revoked) int X509_CRL_up_ref(X509_CRL *x); int X509_CRL_get_signature_nid(const X509_CRL *crl); const STACK_OF(X509_EXTENSION) *X509_CRL_get0_extensions(const X509_CRL *crl); +long X509_CRL_get_version(const X509_CRL *crl); const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl); const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl); +ASN1_TIME *X509_CRL_get_lastUpdate(X509_CRL *crl); +ASN1_TIME *X509_CRL_get_nextUpdate(X509_CRL *crl); +X509_NAME *X509_CRL_get_issuer(const X509_CRL *crl); +STACK_OF(X509_REVOKED) *X509_CRL_get_REVOKED(X509_CRL *crl); void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, const X509_ALGOR **palg); 
@@ -666,8 +651,9 @@ int NETSCAPE_SPKI_set_pubkey(NETSCAPE_SPKI *x, EVP_PKEY *pkey); int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki); -int X509_signature_dump(BIO *bp,const ASN1_STRING *sig, int indent); -int X509_signature_print(BIO *bp,X509_ALGOR *alg, ASN1_STRING *sig); +int X509_signature_dump(BIO *bp, const ASN1_STRING *sig, int indent); +int X509_signature_print(BIO *bp, const X509_ALGOR *alg, + const ASN1_STRING *sig); int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md); int X509_sign_ctx(X509 *x, EVP_MD_CTX *ctx); @@ -771,8 +757,8 @@ X509_CRL *X509_CRL_dup(X509_CRL *crl); X509_REQ *X509_REQ_dup(X509_REQ *req); X509_ALGOR *X509_ALGOR_dup(X509_ALGOR *xn); int X509_ALGOR_set0(X509_ALGOR *alg, ASN1_OBJECT *aobj, int ptype, void *pval); -void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, void **ppval, - X509_ALGOR *algor); +void X509_ALGOR_get0(const ASN1_OBJECT **paobj, int *pptype, const void **ppval, + const X509_ALGOR *algor); void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md); int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b); 
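Review bot: `X509_ALGOR_get0` now takes `const ASN1_OBJECT **paobj` and `const void **ppval`, and in C a `T **` does not implicitly convert to `const T **`, so every existing caller that passes the address of a non-const `ASN1_OBJECT *` or `void *` now gets an incompatible-pointer-type diagnostic (an error under -Werror). The same applies to `PKCS8_pkey_get0`'s `const ASN1_OBJECT **ppkalg` and `const X509_ALGOR **pa` in the -1292 hunk. If the change is intentional, a short comment above the prototype telling callers to declare their out-variables const avoids a warning hunt: `/* Out-parameters are const: receive them in const ASN1_OBJECT * / const void * variables. */`.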
@@ -920,14 +906,14 @@ void X509_get0_signature(const ASN1_BIT_STRING **psig, const X509_ALGOR **palg, const X509 *x); int X509_get_signature_nid(const X509 *x); -int X509_alias_set1(X509 *x, unsigned char *name, int len); -int X509_keyid_set1(X509 *x, unsigned char *id, int len); -unsigned char * X509_alias_get0(X509 *x, int *len); -unsigned char * X509_keyid_get0(X509 *x, int *len); +int X509_alias_set1(X509 *x, const unsigned char *name, int len); +int X509_keyid_set1(X509 *x, const unsigned char *id, int len); +unsigned char *X509_alias_get0(X509 *x, int *len); +unsigned char *X509_keyid_get0(X509 *x, int *len); int (*X509_TRUST_set_default(int (*trust)(int , X509 *, int)))(int, X509 *, int); int X509_TRUST_set(int *t, int trust); -int X509_add1_trust_object(X509 *x, ASN1_OBJECT *obj); -int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj); +int X509_add1_trust_object(X509 *x, const ASN1_OBJECT *obj); +int X509_add1_reject_object(X509 *x, const ASN1_OBJECT *obj); void X509_trust_clear(X509 *x); void X509_reject_clear(X509 *x); @@ -977,7 +963,7 @@ extern const ASN1_ITEM NETSCAPE_CERT_SEQUENCE_it; #ifndef OPENSSL_NO_EVP X509_INFO * X509_INFO_new(void); void X509_INFO_free(X509_INFO *a); -char * X509_NAME_oneline(X509_NAME *a,char *buf,int size); +char * X509_NAME_oneline(const X509_NAME *a, char *buf, int size); int ASN1_item_digest(const ASN1_ITEM *it,const EVP_MD *type,void *data, unsigned char *md,unsigned int *len); 
@@ -996,12 +982,14 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it, const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x); const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x); int X509_set_version(X509 *x, long version); +long X509_get_version(const X509 *x); int X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial); ASN1_INTEGER * X509_get_serialNumber(X509 *x); +const ASN1_INTEGER *X509_get0_serialNumber(const X509 *x); int X509_set_issuer_name(X509 *x, X509_NAME *name); -X509_NAME * X509_get_issuer_name(X509 *a); +X509_NAME * X509_get_issuer_name(const X509 *a); int X509_set_subject_name(X509 *x, X509_NAME *name); -X509_NAME * X509_get_subject_name(X509 *a); +X509_NAME * X509_get_subject_name(const X509 *a); int X509_set_notBefore(X509 *x, const ASN1_TIME *tm); int X509_set1_notBefore(X509 *x, const ASN1_TIME *tm); int X509_set_notAfter(X509 *x, const ASN1_TIME *tm); @@ -1012,12 +1000,18 @@ const ASN1_TIME *X509_get0_notAfter(const X509 *x); ASN1_TIME *X509_getm_notAfter(const X509 *x); int X509_set_pubkey(X509 *x, EVP_PKEY *pkey); EVP_PKEY * X509_get_pubkey(X509 *x); -EVP_PKEY * X509_get0_pubkey(X509 *x); +EVP_PKEY * X509_get0_pubkey(const X509 *x); ASN1_BIT_STRING *X509_get0_pubkey_bitstr(const X509 *x); -int X509_certificate_type(X509 *x,EVP_PKEY *pubkey /* optional */); +int X509_certificate_type(const X509 *x, const EVP_PKEY *pubkey); +int X509_get_signature_type(const X509 *x); + +#define X509_get_notBefore X509_getm_notBefore +#define X509_get_notAfter X509_getm_notAfter int X509_REQ_set_version(X509_REQ *x,long version); -int X509_REQ_set_subject_name(X509_REQ *req,X509_NAME *name); +long X509_REQ_get_version(const X509_REQ *x); +int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name); +X509_NAME *X509_REQ_get_subject_name(const X509_REQ *x); int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey); EVP_PKEY * X509_REQ_get_pubkey(X509_REQ *req); int X509_REQ_extension_nid(int nid); 
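Review bot: The new `X509_certificate_type(const X509 *x, const EVP_PKEY *pubkey)` prototype drops the `/* optional */` annotation that the old line carried on `pubkey`, so the header no longer says whether NULL is still accepted; if the implementation (not visible here) still falls back to the certificate's own key on NULL, keep it as `int X509_certificate_type(const X509 *x, const EVP_PKEY *pubkey /* optional */);`. The two new `#define X509_get_notBefore X509_getm_notBefore` aliases also deserve a line explaining that they exist for source compatibility with the accessor macros removed in the -602 hunk, e.g. `/* Compatibility aliases for the former accessor macros. */`.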
@@ -1030,7 +1024,7 @@ int X509_REQ_add_extensions(X509_REQ *req, STACK_OF(X509_EXTENSION) *exts); int X509_REQ_get_attr_count(const X509_REQ *req); int X509_REQ_get_attr_by_NID(const X509_REQ *req, int nid, int lastpos); -int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, ASN1_OBJECT *obj, +int X509_REQ_get_attr_by_OBJ(const X509_REQ *req, const ASN1_OBJECT *obj, int lastpos); X509_ATTRIBUTE *X509_REQ_get_attr(const X509_REQ *req, int loc); X509_ATTRIBUTE *X509_REQ_delete_attr(X509_REQ *req, int loc); @@ -1061,7 +1055,7 @@ int X509_REVOKED_set_serialNumber(X509_REVOKED *x, ASN1_INTEGER *serial); int X509_REQ_check_private_key(X509_REQ *x509,EVP_PKEY *pkey); -int X509_check_private_key(X509 *x509,EVP_PKEY *pkey); +int X509_check_private_key(const X509 *x509, const EVP_PKEY *pkey); int X509_issuer_and_serial_cmp(const X509 *a, const X509 *b); unsigned long X509_issuer_and_serial_hash(X509 *a); @@ -1088,11 +1082,13 @@ int X509_print_ex_fp(FILE *bp,X509 *x, unsigned long nmflag, unsigned long cfla int X509_print_fp(FILE *bp,X509 *x); int X509_CRL_print_fp(FILE *bp,X509_CRL *x); int X509_REQ_print_fp(FILE *bp,X509_REQ *req); -int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags); +int X509_NAME_print_ex_fp(FILE *fp, const X509_NAME *nm, int indent, + unsigned long flags); #ifndef OPENSSL_NO_BIO -int X509_NAME_print(BIO *bp, X509_NAME *name, int obase); -int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags); +int X509_NAME_print(BIO *bp, const X509_NAME *name, int obase); +int X509_NAME_print_ex(BIO *out, const X509_NAME *nm, int indent, + unsigned long flags); int X509_print_ex(BIO *bp,X509 *x, unsigned long nmflag, unsigned long cflag); int X509_print(BIO *bp,X509 *x); int X509_ocspid_print(BIO *bp,X509 *x); 
@@ -1102,47 +1098,48 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflag, unsigned long int X509_REQ_print(BIO *bp,X509_REQ *req); #endif -int X509_NAME_entry_count(X509_NAME *name); +int X509_NAME_entry_count(const X509_NAME *name); int X509_NAME_get_text_by_NID(X509_NAME *name, int nid, char *buf,int len); -int X509_NAME_get_text_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, - char *buf,int len); +int X509_NAME_get_text_by_OBJ(X509_NAME *name, + const ASN1_OBJECT *obj, char *buf,int len); /* NOTE: you should be passsing -1, not 0 as lastpos. The functions that use * lastpos, search after that position on. */ -int X509_NAME_get_index_by_NID(X509_NAME *name,int nid,int lastpos); -int X509_NAME_get_index_by_OBJ(X509_NAME *name,ASN1_OBJECT *obj, +int X509_NAME_get_index_by_NID(const X509_NAME *name, int nid, int lastpos); -X509_NAME_ENTRY *X509_NAME_get_entry(X509_NAME *name, int loc); +int X509_NAME_get_index_by_OBJ(const X509_NAME *name, + const ASN1_OBJECT *obj, int lastpos); +X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, int loc); X509_NAME_ENTRY *X509_NAME_delete_entry(X509_NAME *name, int loc); -int X509_NAME_add_entry(X509_NAME *name,X509_NAME_ENTRY *ne, +int X509_NAME_add_entry(X509_NAME *name, const X509_NAME_ENTRY *ne, int loc, int set); -int X509_NAME_add_entry_by_OBJ(X509_NAME *name, ASN1_OBJECT *obj, int type, - unsigned char *bytes, int len, int loc, int set); +int X509_NAME_add_entry_by_OBJ(X509_NAME *name, const ASN1_OBJECT *obj, + int type, const unsigned char *bytes, int len, int loc, int set); int X509_NAME_add_entry_by_NID(X509_NAME *name, int nid, int type, - unsigned char *bytes, int len, int loc, int set); + const unsigned char *bytes, int len, int loc, int set); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_txt(X509_NAME_ENTRY **ne, const char *field, int type, const unsigned char *bytes, int len); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_NID(X509_NAME_ENTRY **ne, int nid, - int type,unsigned char *bytes, int len); + 
int type, const unsigned char *bytes, int len); int X509_NAME_add_entry_by_txt(X509_NAME *name, const char *field, int type, const unsigned char *bytes, int len, int loc, int set); X509_NAME_ENTRY *X509_NAME_ENTRY_create_by_OBJ(X509_NAME_ENTRY **ne, - ASN1_OBJECT *obj, int type,const unsigned char *bytes, - int len); + const ASN1_OBJECT *obj, int type, + const unsigned char *bytes, int len); int X509_NAME_ENTRY_set_object(X509_NAME_ENTRY *ne, - ASN1_OBJECT *obj); + const ASN1_OBJECT *obj); int X509_NAME_ENTRY_set_data(X509_NAME_ENTRY *ne, int type, const unsigned char *bytes, int len); -ASN1_OBJECT * X509_NAME_ENTRY_get_object(X509_NAME_ENTRY *ne); -ASN1_STRING * X509_NAME_ENTRY_get_data(X509_NAME_ENTRY *ne); +ASN1_OBJECT * X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne); +ASN1_STRING * X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne); int X509_NAME_ENTRY_set(const X509_NAME_ENTRY *ne); int X509v3_get_ext_count(const STACK_OF(X509_EXTENSION) *x); int X509v3_get_ext_by_NID(const STACK_OF(X509_EXTENSION) *x, int nid, int lastpos); int X509v3_get_ext_by_OBJ(const STACK_OF(X509_EXTENSION) *x, - ASN1_OBJECT *obj,int lastpos); + const ASN1_OBJECT *obj, int lastpos); int X509v3_get_ext_by_critical(const STACK_OF(X509_EXTENSION) *x, int crit, int lastpos); X509_EXTENSION *X509v3_get_ext(const STACK_OF(X509_EXTENSION) *x, int loc); 
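Review bot: `X509_NAME_get_text_by_NID` and the rewrapped `X509_NAME_get_text_by_OBJ` still take a non-const `X509_NAME *name` while the neighbouring `X509_NAME_entry_count`, `X509_NAME_get_index_by_*` and `X509_NAME_get_entry` prototypes in this hunk were const-qualified; unless the implementation mutates the name (not visible here), they should follow suit. The new continuation line `const ASN1_OBJECT *obj, char *buf,int len);` also keeps the old `buf,int` spacing that the rest of the hunk normalizes; `char *buf, int len);`.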
@@ -1150,56 +1147,67 @@ X509_EXTENSION *X509v3_delete_ext(STACK_OF(X509_EXTENSION) *x, int loc); STACK_OF(X509_EXTENSION) *X509v3_add_ext(STACK_OF(X509_EXTENSION) **x, X509_EXTENSION *ex, int loc); -int X509_get_ext_count(X509 *x); -int X509_get_ext_by_NID(X509 *x, int nid, int lastpos); -int X509_get_ext_by_OBJ(X509 *x,ASN1_OBJECT *obj,int lastpos); -int X509_get_ext_by_critical(X509 *x, int crit, int lastpos); -X509_EXTENSION *X509_get_ext(X509 *x, int loc); +int X509_get_ext_count(const X509 *x); +int X509_get_ext_by_NID(const X509 *x, int nid, int lastpos); +int X509_get_ext_by_OBJ(const X509 *x, const ASN1_OBJECT *obj, + int lastpos); +int X509_get_ext_by_critical(const X509 *x, int crit, int lastpos); +X509_EXTENSION *X509_get_ext(const X509 *x, int loc); X509_EXTENSION *X509_delete_ext(X509 *x, int loc); int X509_add_ext(X509 *x, X509_EXTENSION *ex, int loc); -void * X509_get_ext_d2i(X509 *x, int nid, int *crit, int *idx); +void * X509_get_ext_d2i(const X509 *x, int nid, int *crit, int *idx); int X509_add1_ext_i2d(X509 *x, int nid, void *value, int crit, unsigned long flags); -int X509_CRL_get_ext_count(X509_CRL *x); -int X509_CRL_get_ext_by_NID(X509_CRL *x, int nid, int lastpos); -int X509_CRL_get_ext_by_OBJ(X509_CRL *x,ASN1_OBJECT *obj,int lastpos); -int X509_CRL_get_ext_by_critical(X509_CRL *x, int crit, int lastpos); -X509_EXTENSION *X509_CRL_get_ext(X509_CRL *x, int loc); +int X509_CRL_get_ext_count(const X509_CRL *x); +int X509_CRL_get_ext_by_NID(const X509_CRL *x, int nid, + int lastpos); +int X509_CRL_get_ext_by_OBJ(const X509_CRL *x, + const ASN1_OBJECT *obj, int lastpos); +int X509_CRL_get_ext_by_critical(const X509_CRL *x, int crit, + int lastpos); +X509_EXTENSION *X509_CRL_get_ext(const X509_CRL *x, int loc); X509_EXTENSION *X509_CRL_delete_ext(X509_CRL *x, int loc); int X509_CRL_add_ext(X509_CRL *x, X509_EXTENSION *ex, int loc); -void * X509_CRL_get_ext_d2i(X509_CRL *x, int nid, int *crit, int *idx); -int X509_CRL_add1_ext_i2d(X509_CRL *x, int 
nid, void *value, int crit, - unsigned long flags); +void * X509_CRL_get_ext_d2i(const X509_CRL *x, int nid, int *crit, + int *idx); +int X509_CRL_add1_ext_i2d(X509_CRL *x, int nid, void *value, + int crit, unsigned long flags); -int X509_REVOKED_get_ext_count(X509_REVOKED *x); -int X509_REVOKED_get_ext_by_NID(X509_REVOKED *x, int nid, int lastpos); -int X509_REVOKED_get_ext_by_OBJ(X509_REVOKED *x,ASN1_OBJECT *obj,int lastpos); -int X509_REVOKED_get_ext_by_critical(X509_REVOKED *x, int crit, int lastpos); -X509_EXTENSION *X509_REVOKED_get_ext(X509_REVOKED *x, int loc); +int X509_REVOKED_get_ext_count(const X509_REVOKED *x); +int X509_REVOKED_get_ext_by_NID(const X509_REVOKED *x, int nid, + int lastpos); +int X509_REVOKED_get_ext_by_OBJ(const X509_REVOKED *x, + const ASN1_OBJECT *obj, int lastpos); +int X509_REVOKED_get_ext_by_critical(const X509_REVOKED *x, + int crit, int lastpos); +X509_EXTENSION *X509_REVOKED_get_ext(const X509_REVOKED *x, int loc); X509_EXTENSION *X509_REVOKED_delete_ext(X509_REVOKED *x, int loc); -int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, int loc); -void * X509_REVOKED_get_ext_d2i(X509_REVOKED *x, int nid, int *crit, int *idx); -int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, int crit, - unsigned long flags); +int X509_REVOKED_add_ext(X509_REVOKED *x, X509_EXTENSION *ex, + int loc); +void * X509_REVOKED_get_ext_d2i(const X509_REVOKED *x, int nid, + int *crit, int *idx); +int X509_REVOKED_add1_ext_i2d(X509_REVOKED *x, int nid, void *value, + int crit, unsigned long flags); X509_EXTENSION *X509_EXTENSION_create_by_NID(X509_EXTENSION **ex, int nid, int crit, ASN1_OCTET_STRING *data); X509_EXTENSION *X509_EXTENSION_create_by_OBJ(X509_EXTENSION **ex, - ASN1_OBJECT *obj,int crit,ASN1_OCTET_STRING *data); -int X509_EXTENSION_set_object(X509_EXTENSION *ex,ASN1_OBJECT *obj); + const ASN1_OBJECT *obj, int crit, ASN1_OCTET_STRING *data); +int X509_EXTENSION_set_object(X509_EXTENSION *ex, + const ASN1_OBJECT *obj); 
int X509_EXTENSION_set_critical(X509_EXTENSION *ex, int crit); int X509_EXTENSION_set_data(X509_EXTENSION *ex, ASN1_OCTET_STRING *data); ASN1_OBJECT * X509_EXTENSION_get_object(X509_EXTENSION *ex); ASN1_OCTET_STRING *X509_EXTENSION_get_data(X509_EXTENSION *ne); -int X509_EXTENSION_get_critical(X509_EXTENSION *ex); +int X509_EXTENSION_get_critical(const X509_EXTENSION *ex); int X509at_get_attr_count(const STACK_OF(X509_ATTRIBUTE) *x); int X509at_get_attr_by_NID(const STACK_OF(X509_ATTRIBUTE) *x, int nid, int lastpos); -int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, ASN1_OBJECT *obj, - int lastpos); +int X509at_get_attr_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *sk, + const ASN1_OBJECT *obj, int lastpos); X509_ATTRIBUTE *X509at_get_attr(const STACK_OF(X509_ATTRIBUTE) *x, int loc); X509_ATTRIBUTE *X509at_delete_attr(STACK_OF(X509_ATTRIBUTE) *x, int loc); STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr(STACK_OF(X509_ATTRIBUTE) **x, @@ -1214,7 +1222,7 @@ STACK_OF(X509_ATTRIBUTE) *X509at_add1_attr_by_txt(STACK_OF(X509_ATTRIBUTE) **x, const char *attrname, int type, const unsigned char *bytes, int len); void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x, - ASN1_OBJECT *obj, int lastpos, int type); + const ASN1_OBJECT *obj, int lastpos, int type); X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid, int atrtype, const void *data, int len); X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_OBJ(X509_ATTRIBUTE **attr, 
@@ -1225,14 +1233,14 @@ int X509_ATTRIBUTE_set1_object(X509_ATTRIBUTE *attr, const ASN1_OBJECT *obj); int X509_ATTRIBUTE_set1_data(X509_ATTRIBUTE *attr, int attrtype, const void *data, int len); void *X509_ATTRIBUTE_get0_data(X509_ATTRIBUTE *attr, int idx, int atrtype, void *data); -int X509_ATTRIBUTE_count(X509_ATTRIBUTE *attr); +int X509_ATTRIBUTE_count(const X509_ATTRIBUTE *attr); ASN1_OBJECT *X509_ATTRIBUTE_get0_object(X509_ATTRIBUTE *attr); ASN1_TYPE *X509_ATTRIBUTE_get0_type(X509_ATTRIBUTE *attr, int idx); int EVP_PKEY_get_attr_count(const EVP_PKEY *key); int EVP_PKEY_get_attr_by_NID(const EVP_PKEY *key, int nid, int lastpos); -int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, ASN1_OBJECT *obj, +int EVP_PKEY_get_attr_by_OBJ(const EVP_PKEY *key, const ASN1_OBJECT *obj, int lastpos); X509_ATTRIBUTE *EVP_PKEY_get_attr(const EVP_PKEY *key, int loc); X509_ATTRIBUTE *EVP_PKEY_delete_attr(EVP_PKEY *key, int loc); 
@@ -1292,18 +1300,17 @@ PKCS8_PRIV_KEY_INFO *d2i_PKCS8_PRIV_KEY_INFO(PKCS8_PRIV_KEY_INFO **a, const unsi int i2d_PKCS8_PRIV_KEY_INFO(PKCS8_PRIV_KEY_INFO *a, unsigned char **out); extern const ASN1_ITEM PKCS8_PRIV_KEY_INFO_it; -EVP_PKEY *EVP_PKCS82PKEY(PKCS8_PRIV_KEY_INFO *p8); +EVP_PKEY *EVP_PKCS82PKEY(const PKCS8_PRIV_KEY_INFO *p8); PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8(EVP_PKEY *pkey); -PKCS8_PRIV_KEY_INFO *EVP_PKEY2PKCS8_broken(EVP_PKEY *pkey, int broken); -PKCS8_PRIV_KEY_INFO *PKCS8_set_broken(PKCS8_PRIV_KEY_INFO *p8, int broken); -int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj, - int version, int ptype, void *pval, - unsigned char *penc, int penclen); -int PKCS8_pkey_get0(ASN1_OBJECT **ppkalg, - const unsigned char **pk, int *ppklen, - X509_ALGOR **pa, - PKCS8_PRIV_KEY_INFO *p8); +int PKCS8_pkey_set0(PKCS8_PRIV_KEY_INFO *priv, ASN1_OBJECT *aobj, int version, + int ptype, void *pval, unsigned char *penc, int penclen); +int PKCS8_pkey_get0(const ASN1_OBJECT **ppkalg, const unsigned char **pk, + int *ppklen, const X509_ALGOR **pa, const PKCS8_PRIV_KEY_INFO *p8); + +const STACK_OF(X509_ATTRIBUTE) *PKCS8_pkey_get0_attrs(const PKCS8_PRIV_KEY_INFO *p8); +int PKCS8_pkey_add1_attr_by_NID(PKCS8_PRIV_KEY_INFO *p8, int nid, int type, + const unsigned char *bytes, int len); int X509_PUBKEY_set0_param(X509_PUBKEY *pub, ASN1_OBJECT *aobj, int ptype, void *pval, 
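Review bot: `PKCS8_pkey_get0` now writes through `const ASN1_OBJECT **ppkalg` and `const X509_ALGOR **pa`; in C a caller holding an `ASN1_OBJECT **` cannot pass it without a cast, so this is a source-incompatible header change even though the ABI is unchanged. The same hunk removes `EVP_PKEY2PKCS8_broken` and `PKCS8_set_broken` outright, which is an exported-symbol removal. Both changes belong in the release notes and the shared-library major bump rather than passing silently as part of a const-qualification sweep. A one-line comment above the new prototype would also help consumers: `/* Pointers returned via ppkalg/pk/pa are borrowed from p8 and must not be freed. */` — that is what the `get0` naming conventionally means, but the header does not say it.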
@@ -1318,11 +1325,11 @@ int X509_TRUST_get_count(void); X509_TRUST * X509_TRUST_get0(int idx); int X509_TRUST_get_by_id(int id); int X509_TRUST_add(int id, int flags, int (*ck)(X509_TRUST *, X509 *, int), - char *name, int arg1, void *arg2); + const char *name, int arg1, void *arg2); void X509_TRUST_cleanup(void); -int X509_TRUST_get_flags(X509_TRUST *xp); -char *X509_TRUST_get0_name(X509_TRUST *xp); -int X509_TRUST_get_trust(X509_TRUST *xp); +int X509_TRUST_get_flags(const X509_TRUST *xp); +char *X509_TRUST_get0_name(const X509_TRUST *xp); +int X509_TRUST_get_trust(const X509_TRUST *xp); int X509_up_ref(X509 *x); STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain); diff --git a/include/openssl/x509_verify.h b/include/openssl/x509_verify.h new file mode 100644 index 0000000..a097404 --- /dev/null +++ b/include/openssl/x509_verify.h 
@@ -0,0 +1,42 @@ +/* $OpenBSD: x509_verify.h,v 1.1 2020/09/13 15:06:17 beck Exp $ */ +/* + * Copyright (c) 2020 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +#ifndef HEADER_X509_VERIFY_H +#define HEADER_X509_VERIFY_H + +#ifdef LIBRESSL_INTERNAL +struct x509_verify_ctx; +typedef struct x509_verify_ctx X509_VERIFY_CTX; + +X509_VERIFY_CTX *x509_verify_ctx_new(STACK_OF(X509) *roots); +void x509_verify_ctx_free(struct x509_verify_ctx *ctx); + +int x509_verify_ctx_set_max_depth(X509_VERIFY_CTX *ctx, size_t max); +int x509_verify_ctx_set_max_chains(X509_VERIFY_CTX *ctx, size_t max); +int x509_verify_ctx_set_max_signatures(X509_VERIFY_CTX *ctx, size_t max); +int x509_verify_ctx_set_purpose(X509_VERIFY_CTX *ctx, int purpose_id); +int x509_verify_ctx_set_intermediates(X509_VERIFY_CTX *ctx, + STACK_OF(X509) *intermediates); + +const char *x509_verify_ctx_error_string(X509_VERIFY_CTX *ctx); +size_t x509_verify_ctx_error_depth(X509_VERIFY_CTX *ctx); + +STACK_OF(X509) *x509_verify_ctx_chain(X509_VERIFY_CTX *ctx, size_t chain); + +size_t x509_verify(X509_VERIFY_CTX *ctx, X509 *leaf, char *name); +#endif + +#endif diff --git a/include/openssl/x509_vfy.h b/include/openssl/x509_vfy.h index 9e0730b..a68d5c0 100644 --- a/include/openssl/x509_vfy.h +++ b/include/openssl/x509_vfy.h 
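Review bot: `x509_verify()` returns a `size_t` but nothing in the header says what it means — presumably the number of validated chains, with 0 as failure — and `x509_verify_ctx_chain()` takes a chain index that must be bounded by that value, so without a comment a caller can index past the last chain. Add above the prototype a comment stating the return convention and that `name`, when non-NULL, is the hostname the leaf must match; the `_set_max_depth/_max_chains/_max_signatures` setters are the DoS bounds for the chain search and should state their defaults, which are outside this header. `name` should also be `const char *`, consistent with the const-qualification this commit applies throughout x509.h and x509v3.h. `x509_verify_ctx_free()` spells its argument as `struct x509_verify_ctx *` where every other prototype uses the `X509_VERIFY_CTX` typedef; use the typedef. The header uses `STACK_OF(X509)`, `X509` and `size_t` without including anything, so it is only usable after `<openssl/x509.h>`; either note that or add the include.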
@@ -1,4 +1,4 @@ -/* $OpenBSD: x509_vfy.h,v 1.27 2018/03/20 15:26:22 jsing Exp $ */ +/* $OpenBSD: x509_vfy.h,v 1.31 2020/09/13 15:06:17 beck Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -134,17 +134,16 @@ typedef struct x509_lookup_method_st void (*free)(X509_LOOKUP *ctx); int (*init)(X509_LOOKUP *ctx); int (*shutdown)(X509_LOOKUP *ctx); - int (*ctrl)(X509_LOOKUP *ctx,int cmd,const char *argc,long argl, - char **ret); - int (*get_by_subject)(X509_LOOKUP *ctx,int type,X509_NAME *name, - X509_OBJECT *ret); - int (*get_by_issuer_serial)(X509_LOOKUP *ctx,int type,X509_NAME *name, - ASN1_INTEGER *serial,X509_OBJECT *ret); - int (*get_by_fingerprint)(X509_LOOKUP *ctx,int type, - unsigned char *bytes,int len, - X509_OBJECT *ret); - int (*get_by_alias)(X509_LOOKUP *ctx,int type,char *str,int len, - X509_OBJECT *ret); + int (*ctrl)(X509_LOOKUP *ctx, int cmd, const char *argc, long argl, + char **ret); + int (*get_by_subject)(X509_LOOKUP *ctx, int type, X509_NAME *name, + X509_OBJECT *ret); + int (*get_by_issuer_serial)(X509_LOOKUP *ctx, int type, X509_NAME *name, + ASN1_INTEGER *serial,X509_OBJECT *ret); + int (*get_by_fingerprint)(X509_LOOKUP *ctx, int type, + const unsigned char *bytes, int len, X509_OBJECT *ret); + int (*get_by_alias)(X509_LOOKUP *ctx, int type, const char *str, + int len, X509_OBJECT *ret); } X509_LOOKUP_METHOD; typedef struct X509_VERIFY_PARAM_ID_st X509_VERIFY_PARAM_ID; @@ -408,6 +407,9 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth); /* Do not check certificate or CRL validity against current time. */ #define X509_V_FLAG_NO_CHECK_TIME 0x200000 +/* Force the use of the legacy certificate verifcation */ +#define X509_V_FLAG_LEGACY_VERIFY 0x400000 + #define X509_VP_FLAG_DEFAULT 0x1 #define X509_VP_FLAG_OVERWRITE 0x2 #define X509_VP_FLAG_RESET_FLAGS 0x4 
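Review bot: The comment on `X509_V_FLAG_LEGACY_VERIFY` has a typo (`verifcation`) and does not tell the reader what "legacy" is being chosen over or when to set it. If, as the new x509_verify.h in this commit suggests, the flag selects the old verifier over the new chain builder, say so: `/* Force the legacy certificate verification code path instead of the new x509_verify() chain builder; for compatibility only, not for new code. */`. Bit `0x400000` does not collide with the flag visible above it, but the rest of the `X509_V_FLAG_*` list is outside the hunk and should be checked for a clash. In the `@@ -134` hunk, `ASN1_INTEGER *serial,X509_OBJECT *ret` is the one line the whitespace cleanup missed (no space after the comma).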
@@ -424,7 +426,7 @@ int X509_OBJECT_idx_by_subject(STACK_OF(X509_OBJECT) *h, int type, X509_NAME *name); X509_OBJECT *X509_OBJECT_retrieve_by_subject(STACK_OF(X509_OBJECT) *h,int type,X509_NAME *name); X509_OBJECT *X509_OBJECT_retrieve_match(STACK_OF(X509_OBJECT) *h, X509_OBJECT *x); -void X509_OBJECT_up_ref_count(X509_OBJECT *a); +int X509_OBJECT_up_ref_count(X509_OBJECT *a); int X509_OBJECT_get_type(const X509_OBJECT *a); void X509_OBJECT_free_contents(X509_OBJECT *a); X509 *X509_OBJECT_get0_X509(const X509_OBJECT *xo); @@ -496,8 +498,8 @@ int X509_LOOKUP_by_subject(X509_LOOKUP *ctx, int type, X509_NAME *name, int X509_LOOKUP_by_issuer_serial(X509_LOOKUP *ctx, int type, X509_NAME *name, ASN1_INTEGER *serial, X509_OBJECT *ret); int X509_LOOKUP_by_fingerprint(X509_LOOKUP *ctx, int type, - unsigned char *bytes, int len, X509_OBJECT *ret); -int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, char *str, + const unsigned char *bytes, int len, X509_OBJECT *ret); +int X509_LOOKUP_by_alias(X509_LOOKUP *ctx, int type, const char *str, int len, X509_OBJECT *ret); int X509_LOOKUP_shutdown(X509_LOOKUP *ctx); diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h index fbafd69..d2754fa 100644 --- a/include/openssl/x509v3.h +++ b/include/openssl/x509v3.h @@ -1,4 +1,4 @@ -/* $OpenBSD: x509v3.h,v 1.22 2017/06/22 17:28:00 jsing Exp $ */ +/* $OpenBSD: x509v3.h,v 1.2 2020/09/13 15:06:17 beck Exp $ */ /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL * project 1999. */ 
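Review bot: `X509_OBJECT_up_ref_count` changing from `void` to `int` means a reference increment can now report failure, but the header gives no return convention and existing callers that never checked will silently proceed — a failed up_ref followed by a free in the other owner is a use-after-free. Document the return above the prototype, e.g. `/* Returns 1 on success, 0 on failure; on failure the caller holds no new reference. */` (the 1/0 convention is a guess from `X509_up_ref` and friends in this header and should be confirmed against the implementation, which is outside this diff). Every in-tree caller should be audited to check the result now that one exists.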
@@ -121,9 +121,9 @@ void *usr_data; /* Any extension specific data */ }; typedef struct X509V3_CONF_METHOD_st { -char * (*get_string)(void *db, char *section, char *value); -STACK_OF(CONF_VALUE) * (*get_section)(void *db, char *section); -void (*free_string)(void *db, char * string); +char *(*get_string)(void *db, const char *section, const char *value); +STACK_OF(CONF_VALUE) *(*get_section)(void *db, const char *section); +void (*free_string)(void *db, char *string); void (*free_section)(void *db, STACK_OF(CONF_VALUE) *section); } X509V3_CONF_METHOD; @@ -524,11 +524,14 @@ SXNETID *d2i_SXNETID(SXNETID **a, const unsigned char **in, long len); int i2d_SXNETID(SXNETID *a, unsigned char **out); extern const ASN1_ITEM SXNETID_it; -int SXNET_add_id_asc(SXNET **psx, char *zone, char *user, int userlen); -int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, char *user, int userlen); -int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, char *user, int userlen); +int SXNET_add_id_asc(SXNET **psx, const char *zone, const char *user, + int userlen); +int SXNET_add_id_ulong(SXNET **psx, unsigned long lzone, const char *user, + int userlen); +int SXNET_add_id_INTEGER(SXNET **psx, ASN1_INTEGER *izone, const char *user, + int userlen); -ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, char *zone); +ASN1_OCTET_STRING *SXNET_get_id_asc(SXNET *sx, const char *zone); ASN1_OCTET_STRING *SXNET_get_id_ulong(SXNET *sx, unsigned long lzone); ASN1_OCTET_STRING *SXNET_get_id_INTEGER(SXNET *sx, ASN1_INTEGER *zone); 
@@ -592,15 +595,17 @@ int GENERAL_NAME_set0_othername(GENERAL_NAME *gen, int GENERAL_NAME_get0_otherName(GENERAL_NAME *gen, ASN1_OBJECT **poid, ASN1_TYPE **pvalue); -char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, ASN1_OCTET_STRING *ia5); -ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, X509V3_CTX *ctx, char *str); +char *i2s_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, + const ASN1_OCTET_STRING *ia5); +ASN1_OCTET_STRING *s2i_ASN1_OCTET_STRING(X509V3_EXT_METHOD *method, + X509V3_CTX *ctx, const char *str); EXTENDED_KEY_USAGE *EXTENDED_KEY_USAGE_new(void); void EXTENDED_KEY_USAGE_free(EXTENDED_KEY_USAGE *a); EXTENDED_KEY_USAGE *d2i_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE **a, const unsigned char **in, long len); int i2d_EXTENDED_KEY_USAGE(EXTENDED_KEY_USAGE *a, unsigned char **out); extern const ASN1_ITEM EXTENDED_KEY_USAGE_it; -int i2a_ACCESS_DESCRIPTION(BIO *bp, ACCESS_DESCRIPTION* a); +int i2a_ACCESS_DESCRIPTION(BIO *bp, const ACCESS_DESCRIPTION* a); CERTIFICATEPOLICIES *CERTIFICATEPOLICIES_new(void); void CERTIFICATEPOLICIES_free(CERTIFICATEPOLICIES *a); @@ -683,7 +688,7 @@ extern const ASN1_ITEM POLICY_CONSTRAINTS_it; GENERAL_NAME *a2i_GENERAL_NAME(GENERAL_NAME *out, const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, - int gen_type, char *value, int is_nc); + int gen_type, const char *value, int is_nc); #ifdef HEADER_CONF_H GENERAL_NAME *v2i_GENERAL_NAME(const X509V3_EXT_METHOD *method, X509V3_CTX *ctx, 
@@ -693,34 +698,41 @@ GENERAL_NAME *v2i_GENERAL_NAME_ex(GENERAL_NAME *out, X509V3_CTX *ctx, CONF_VALUE *cnf, int is_nc); void X509V3_conf_free(CONF_VALUE *val); -X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, char *value); -X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, char *name, char *value); -int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, char *section, STACK_OF(X509_EXTENSION) **sk); -int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509 *cert); -int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_REQ *req); -int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, char *section, X509_CRL *crl); +X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid, + const char *value); +X509_EXTENSION *X509V3_EXT_nconf(CONF *conf, X509V3_CTX *ctx, const char *name, + const char *value); +int X509V3_EXT_add_nconf_sk(CONF *conf, X509V3_CTX *ctx, const char *section, + STACK_OF(X509_EXTENSION) **sk); +int X509V3_EXT_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, + X509 *cert); +int X509V3_EXT_REQ_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, + X509_REQ *req); +int X509V3_EXT_CRL_add_nconf(CONF *conf, X509V3_CTX *ctx, const char *section, + X509_CRL *crl); X509_EXTENSION *X509V3_EXT_conf_nid(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - int ext_nid, char *value); + int ext_nid, const char *value); X509_EXTENSION *X509V3_EXT_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - char *name, char *value); + const char *name, const char *value); int X509V3_EXT_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - char *section, X509 *cert); + const char *section, X509 *cert); int X509V3_EXT_REQ_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - char *section, X509_REQ *req); + const char *section, X509_REQ *req); int X509V3_EXT_CRL_add_conf(LHASH_OF(CONF_VALUE) *conf, X509V3_CTX *ctx, - char *section, X509_CRL *crl); + 
const char *section, X509_CRL *crl); -int X509V3_add_value_bool_nf(char *name, int asn1_bool, +int X509V3_add_value_bool_nf(const char *name, int asn1_bool, STACK_OF(CONF_VALUE) **extlist); -int X509V3_get_value_bool(CONF_VALUE *value, int *asn1_bool); -int X509V3_get_value_int(CONF_VALUE *value, ASN1_INTEGER **aint); +int X509V3_get_value_bool(const CONF_VALUE *value, int *asn1_bool); +int X509V3_get_value_int(const CONF_VALUE *value, ASN1_INTEGER **aint); void X509V3_set_nconf(X509V3_CTX *ctx, CONF *conf); void X509V3_set_conf_lhash(X509V3_CTX *ctx, LHASH_OF(CONF_VALUE) *lhash); #endif -char * X509V3_get_string(X509V3_CTX *ctx, char *name, char *section); -STACK_OF(CONF_VALUE) * X509V3_get_section(X509V3_CTX *ctx, char *section); +char *X509V3_get_string(X509V3_CTX *ctx, const char *name, + const char *section); +STACK_OF(CONF_VALUE) *X509V3_get_section(X509V3_CTX *ctx, const char *section); void X509V3_string_free(X509V3_CTX *ctx, char *str); void X509V3_section_free( X509V3_CTX *ctx, STACK_OF(CONF_VALUE) *section); void X509V3_set_ctx(X509V3_CTX *ctx, X509 *issuer, X509 *subject, 
@@ -732,12 +744,13 @@ int X509V3_add_value_uchar(const char *name, const unsigned char *value, STACK_OF(CONF_VALUE) **extlist); int X509V3_add_value_bool(const char *name, int asn1_bool, STACK_OF(CONF_VALUE) **extlist); -int X509V3_add_value_int(const char *name, ASN1_INTEGER *aint, +int X509V3_add_value_int(const char *name, const ASN1_INTEGER *aint, STACK_OF(CONF_VALUE) **extlist); -char * i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, ASN1_INTEGER *aint); -ASN1_INTEGER * s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, char *value); -char * i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint); -char * i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth, ASN1_ENUMERATED *aint); +char *i2s_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const ASN1_INTEGER *aint); +ASN1_INTEGER *s2i_ASN1_INTEGER(X509V3_EXT_METHOD *meth, const char *value); +char *i2s_ASN1_ENUMERATED(X509V3_EXT_METHOD *meth, const ASN1_ENUMERATED *aint); +char *i2s_ASN1_ENUMERATED_TABLE(X509V3_EXT_METHOD *meth, + const ASN1_ENUMERATED *aint); int X509V3_EXT_add(X509V3_EXT_METHOD *ext); int X509V3_EXT_add_list(X509V3_EXT_METHOD *extlist); int X509V3_EXT_add_alias(int nid_to, int nid_from); @@ -748,7 +761,8 @@ const X509V3_EXT_METHOD *X509V3_EXT_get_nid(int nid); int X509V3_add_standard_extensions(void); STACK_OF(CONF_VALUE) *X509V3_parse_list(const char *line); void *X509V3_EXT_d2i(X509_EXTENSION *ext); -void *X509V3_get_d2i(STACK_OF(X509_EXTENSION) *x, int nid, int *crit, int *idx); +void *X509V3_get_d2i(const STACK_OF(X509_EXTENSION) *x, int nid, int *crit, + int *idx); X509_EXTENSION *X509V3_EXT_i2d(int ext_nid, int crit, void *ext_struc); 
@@ -763,7 +777,8 @@ void X509V3_EXT_val_prn(BIO *out, STACK_OF(CONF_VALUE) *val, int indent, int X509V3_EXT_print(BIO *out, X509_EXTENSION *ext, unsigned long flag, int indent); int X509V3_EXT_print_fp(FILE *out, X509_EXTENSION *ext, int flag, int indent); -int X509V3_extensions_print(BIO *out, char *title, STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent); +int X509V3_extensions_print(BIO *out, const char *title, + const STACK_OF(X509_EXTENSION) *exts, unsigned long flag, int indent); int X509_check_ca(X509 *x); int X509_check_purpose(X509 *x, int id, int ca); @@ -773,16 +788,16 @@ int X509_check_issued(X509 *issuer, X509 *subject); int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid); int X509_PURPOSE_get_count(void); X509_PURPOSE * X509_PURPOSE_get0(int idx); -int X509_PURPOSE_get_by_sname(char *sname); +int X509_PURPOSE_get_by_sname(const char *sname); int X509_PURPOSE_get_by_id(int id); int X509_PURPOSE_add(int id, int trust, int flags, int (*ck)(const X509_PURPOSE *, const X509 *, int), - char *name, char *sname, void *arg); -char *X509_PURPOSE_get0_name(X509_PURPOSE *xp); -char *X509_PURPOSE_get0_sname(X509_PURPOSE *xp); -int X509_PURPOSE_get_trust(X509_PURPOSE *xp); + const char *name, const char *sname, void *arg); +char *X509_PURPOSE_get0_name(const X509_PURPOSE *xp); +char *X509_PURPOSE_get0_sname(const X509_PURPOSE *xp); +int X509_PURPOSE_get_trust(const X509_PURPOSE *xp); void X509_PURPOSE_cleanup(void); -int X509_PURPOSE_get_id(X509_PURPOSE *); +int X509_PURPOSE_get_id(const X509_PURPOSE *); STACK_OF(OPENSSL_STRING) *X509_get1_email(X509 *x); STACK_OF(OPENSSL_STRING) *X509_REQ_get1_email(X509_REQ *x); 
@@ -800,6 +815,8 @@ STACK_OF(OPENSSL_STRING) *X509_get1_ocsp(X509 *x); #define X509_CHECK_FLAG_MULTI_LABEL_WILDCARDS 0x8 /* Constraint verifier subdomain patterns to match a single labels. */ #define X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS 0x10 +/* Disable checking the CN for a hostname, to support modern validation */ +#define X509_CHECK_FLAG_NEVER_CHECK_SUBJECT 0x20 /* * Match reference identifiers starting with "." to any sub-domain. diff --git a/include/tls.h b/include/tls.h index 32efd94..de6d257 100644 --- a/include/tls.h +++ b/include/tls.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.h,v 1.53 2018/02/10 04:58:08 jsing Exp $ */ +/* $OpenBSD: tls.h,v 1.58 2020/01/22 06:44:02 beck Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -34,16 +34,19 @@ typedef SSIZE_T ssize_t; #include #include -#define TLS_API 20180210 +#define TLS_API 20200120 #define TLS_PROTOCOL_TLSv1_0 (1 << 1) #define TLS_PROTOCOL_TLSv1_1 (1 << 2) #define TLS_PROTOCOL_TLSv1_2 (1 << 3) +#define TLS_PROTOCOL_TLSv1_3 (1 << 4) + #define TLS_PROTOCOL_TLSv1 \ - (TLS_PROTOCOL_TLSv1_0|TLS_PROTOCOL_TLSv1_1|TLS_PROTOCOL_TLSv1_2) + (TLS_PROTOCOL_TLSv1_0|TLS_PROTOCOL_TLSv1_1|\ + TLS_PROTOCOL_TLSv1_2|TLS_PROTOCOL_TLSv1_3) #define TLS_PROTOCOLS_ALL TLS_PROTOCOL_TLSv1 -#define TLS_PROTOCOLS_DEFAULT TLS_PROTOCOL_TLSv1_2 +#define TLS_PROTOCOLS_DEFAULT (TLS_PROTOCOL_TLSv1_2|TLS_PROTOCOL_TLSv1_3) #define TLS_WANT_POLLIN -2 #define TLS_WANT_POLLOUT -3 @@ -92,6 +95,8 @@ const char *tls_error(struct tls *_ctx); struct tls_config *tls_config_new(void); void tls_config_free(struct tls_config *_config); +const char *tls_default_ca_cert_file(void); + int tls_config_add_keypair_file(struct tls_config *_config, const char *_cert_file, const char *_key_file); int tls_config_add_keypair_mem(struct tls_config *_config, const uint8_t *_cert, 
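Review bot: The comment on `X509_CHECK_FLAG_NEVER_CHECK_SUBJECT` says only that it disables CN checking; it should say what happens instead — presumably a certificate without a subjectAltName then fails the host check rather than falling back to the CN, which is the RFC 6125 behaviour and the reason a caller would set it: `/* Never fall back to the subject CN for hostname matching: a certificate with no subjectAltName fails the check. */`. In the tls.h hunk, `TLS_PROTOCOL_TLSv1` silently changes value to include TLSv1.3, so any existing caller using it to mean "1.0 through 1.2" now negotiates a different protocol set; that is reasonable but deserves a line in the notes for the `TLS_API 20200120` bump. `TLS_PROTOCOLS_DEFAULT` correctly stays at 1.2 and 1.3 without the legacy versions.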
@@ -195,6 +200,7 @@ const uint8_t *tls_peer_cert_chain_pem(struct tls *_ctx, size_t *_len); const char *tls_conn_alpn_selected(struct tls *_ctx); const char *tls_conn_cipher(struct tls *_ctx); +int tls_conn_cipher_strength(struct tls *_ctx); const char *tls_conn_servername(struct tls *_ctx); int tls_conn_session_resumed(struct tls *_ctx); const char *tls_conn_version(struct tls *_ctx); diff --git a/ltmain.sh b/ltmain.sh new file mode 100644 index 0000000..5d29bd6 --- /dev/null +++ b/ltmain.sh 
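Review bot: `tls_conn_cipher_strength()` is added with no comment on its units or failure value, unlike the neighbouring `tls_conn_*` getters whose NULL-on-failure is at least implied by their pointer return types. Suggest `/* Strength of the negotiated cipher in bits, or -1 if no cipher has been negotiated. */` — the unit and the `-1` sentinel are guesses from the `int` return and must be matched to the implementation, which is outside this diff.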
@@ -0,0 +1,9630 @@ + +# libtool (GNU libtool) 2.4.2 +# Written by Gordon Matzigkeit , 1996 + +# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, +# 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc. +# This is free software; see the source for copying conditions. There is NO +# warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +# GNU Libtool is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# As a special exception to the GNU General Public License, +# if you distribute this file as part of a program or library that +# is built using GNU Libtool, you may include this file under the +# same distribution terms that you use for the rest of that program. +# +# GNU Libtool is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +# General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with GNU Libtool; see the file COPYING. If not, a copy +# can be downloaded from http://www.gnu.org/licenses/gpl.html, +# or obtained by writing to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + +# Usage: $progname [OPTION]... [MODE-ARG]... +# +# Provide generalized library-building support services. 
+# +# --config show all configuration variables +# --debug enable verbose shell tracing +# -n, --dry-run display commands without modifying any files +# --features display basic configuration information and exit +# --mode=MODE use operation mode MODE +# --preserve-dup-deps don't remove duplicate dependency libraries +# --quiet, --silent don't print informational messages +# --no-quiet, --no-silent +# print informational messages (default) +# --no-warn don't display warning messages +# --tag=TAG use configuration variables from tag TAG +# -v, --verbose print more informational messages than default +# --no-verbose don't print the extra informational messages +# --version print version information +# -h, --help, --help-all print short, long, or detailed help message +# +# MODE must be one of the following: +# +# clean remove files from the build directory +# compile compile a source file into a libtool object +# execute automatically set library path, then run a program +# finish complete the installation of libtool libraries +# install install libraries or executables +# link create a library or an executable +# uninstall remove libraries from an installed directory +# +# MODE-ARGS vary depending on the MODE. When passed as first option, +# `--mode=MODE' may be abbreviated as `MODE' or a unique abbreviation of that. +# Try `$progname --help --mode=MODE' for a more detailed description of MODE. +# +# When reporting a bug, please describe a test case to reproduce it and +# include the following information: +# +# host-triplet: $host +# shell: $SHELL +# compiler: $LTCC +# compiler flags: $LTCFLAGS +# linker: $LD (gnu? $with_gnu_ld) +# $progname: (GNU libtool) 2.4.2 +# automake: $automake_version +# autoconf: $autoconf_version +# +# Report bugs to . +# GNU libtool home page: . +# General help using GNU software: . 
+ +PROGRAM=libtool +PACKAGE=libtool +VERSION=2.4.2 +TIMESTAMP="" +package_revision=1.3337 + +# Be Bourne compatible +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Zsh 3.x and 4.x performs word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in *posix*) set -o posix;; esac +fi +BIN_SH=xpg4; export BIN_SH # for Tru64 +DUALCASE=1; export DUALCASE # for MKS sh + +# A function that is used when there is no print builtin or printf. +func_fallback_echo () +{ + eval 'cat <<_LTECHO_EOF +$1 +_LTECHO_EOF' +} + +# NLS nuisances: We save the old values to restore during execute mode. +lt_user_locale= +lt_safe_locale= +for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES +do + eval "if test \"\${$lt_var+set}\" = set; then + save_$lt_var=\$$lt_var + $lt_var=C + export $lt_var + lt_user_locale=\"$lt_var=\\\$save_\$lt_var; \$lt_user_locale\" + lt_safe_locale=\"$lt_var=C; \$lt_safe_locale\" + fi" +done +LC_ALL=C +LANGUAGE=C +export LANGUAGE LC_ALL + +$lt_unset CDPATH + + +# Work around backward compatibility issue on IRIX 6.5. On IRIX 6.4+, sh +# is ksh but when the shell is invoked as "sh" and the current value of +# the _XPG environment variable is not equal to 1 (one), the special +# positional parameter $0, within a function call, is the name of the +# function. +progpath="$0" + + + +: ${CP="cp -f"} +test "${ECHO+set}" = set || ECHO=${as_echo-'printf %s\n'} +: ${MAKE="make"} +: ${MKDIR="mkdir"} +: ${MV="mv -f"} +: ${RM="rm -f"} +: ${SHELL="${CONFIG_SHELL-/bin/sh}"} +: ${Xsed="$SED -e 1s/^X//"} + +# Global variables: +EXIT_SUCCESS=0 +EXIT_FAILURE=1 +EXIT_MISMATCH=63 # $? = 63 is used to indicate version mismatch to missing. +EXIT_SKIP=77 # $? = 77 is used to indicate a skipped test to automake. 
+ +exit_status=$EXIT_SUCCESS + +# Make sure IFS has a sensible default +lt_nl=' +' +IFS=" $lt_nl" + +dirname="s,/[^/]*$,," +basename="s,^.*/,," + +# func_dirname file append nondir_replacement +# Compute the dirname of FILE. If nonempty, add APPEND to the result, +# otherwise set result to NONDIR_REPLACEMENT. +func_dirname () +{ + func_dirname_result=`$ECHO "${1}" | $SED "$dirname"` + if test "X$func_dirname_result" = "X${1}"; then + func_dirname_result="${3}" + else + func_dirname_result="$func_dirname_result${2}" + fi +} # func_dirname may be replaced by extended shell implementation + + +# func_basename file +func_basename () +{ + func_basename_result=`$ECHO "${1}" | $SED "$basename"` +} # func_basename may be replaced by extended shell implementation + + +# func_dirname_and_basename file append nondir_replacement +# perform func_basename and func_dirname in a single function +# call: +# dirname: Compute the dirname of FILE. If nonempty, +# add APPEND to the result, otherwise set result +# to NONDIR_REPLACEMENT. +# value returned in "$func_dirname_result" +# basename: Compute filename of FILE. +# value retuned in "$func_basename_result" +# Implementation must be kept synchronized with func_dirname +# and func_basename. For efficiency, we do not delegate to +# those functions but instead duplicate the functionality here. +func_dirname_and_basename () +{ + # Extract subdirectory from the argument. + func_dirname_result=`$ECHO "${1}" | $SED -e "$dirname"` + if test "X$func_dirname_result" = "X${1}"; then + func_dirname_result="${3}" + else + func_dirname_result="$func_dirname_result${2}" + fi + func_basename_result=`$ECHO "${1}" | $SED -e "$basename"` +} # func_dirname_and_basename may be replaced by extended shell implementation + + +# func_stripname prefix suffix name +# strip PREFIX and SUFFIX off of NAME. 
+# PREFIX and SUFFIX must not contain globbing or regex special +# characters, hashes, percent signs, but SUFFIX may contain a leading +# dot (in which case that matches only a dot). +# func_strip_suffix prefix name +func_stripname () +{ + case ${2} in + .*) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%\\\\${2}\$%%"`;; + *) func_stripname_result=`$ECHO "${3}" | $SED "s%^${1}%%; s%${2}\$%%"`;; + esac +} # func_stripname may be replaced by extended shell implementation + + +# These SED scripts presuppose an absolute path with a trailing slash. +pathcar='s,^/\([^/]*\).*$,\1,' +pathcdr='s,^/[^/]*,,' +removedotparts=':dotsl + s@/\./@/@g + t dotsl + s,/\.$,/,' +collapseslashes='s@/\{1,\}@/@g' +finalslash='s,/*$,/,' + +# func_normal_abspath PATH +# Remove doubled-up and trailing slashes, "." path components, +# and cancel out any ".." path components in PATH after making +# it an absolute path. +# value returned in "$func_normal_abspath_result" +func_normal_abspath () +{ + # Start from root dir and reassemble the path. + func_normal_abspath_result= + func_normal_abspath_tpath=$1 + func_normal_abspath_altnamespace= + case $func_normal_abspath_tpath in + "") + # Empty path, that just means $cwd. + func_stripname '' '/' "`pwd`" + func_normal_abspath_result=$func_stripname_result + return + ;; + # The next three entries are used to spot a run of precisely + # two leading slashes without using negated character classes; + # we take advantage of case's first-match behaviour. + ///*) + # Unusual form of absolute path, do nothing. + ;; + //*) + # Not necessarily an ordinary path; POSIX reserves leading '//' + # and for example Cygwin uses it to access remote file shares + # over CIFS/SMB, so we conserve a leading double slash if found. + func_normal_abspath_altnamespace=/ + ;; + /*) + # Absolute path, do nothing. + ;; + *) + # Relative path, prepend $cwd. 
+ func_normal_abspath_tpath=`pwd`/$func_normal_abspath_tpath + ;; + esac + # Cancel out all the simple stuff to save iterations. We also want + # the path to end with a slash for ease of parsing, so make sure + # there is one (and only one) here. + func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \ + -e "$removedotparts" -e "$collapseslashes" -e "$finalslash"` + while :; do + # Processed it all yet? + if test "$func_normal_abspath_tpath" = / ; then + # If we ascended to the root using ".." the result may be empty now. + if test -z "$func_normal_abspath_result" ; then + func_normal_abspath_result=/ + fi + break + fi + func_normal_abspath_tcomponent=`$ECHO "$func_normal_abspath_tpath" | $SED \ + -e "$pathcar"` + func_normal_abspath_tpath=`$ECHO "$func_normal_abspath_tpath" | $SED \ + -e "$pathcdr"` + # Figure out what to do with it + case $func_normal_abspath_tcomponent in + "") + # Trailing empty path component, ignore it. + ;; + ..) + # Parent dir; strip last assembled component from result. + func_dirname "$func_normal_abspath_result" + func_normal_abspath_result=$func_dirname_result + ;; + *) + # Actual path component, append it. + func_normal_abspath_result=$func_normal_abspath_result/$func_normal_abspath_tcomponent + ;; + esac + done + # Restore leading double-slash if one was found on entry. + func_normal_abspath_result=$func_normal_abspath_altnamespace$func_normal_abspath_result +} + +# func_relative_path SRCDIR DSTDIR +# generates a relative path from SRCDIR to DSTDIR, with a trailing +# slash if non-empty, suitable for immediately appending a filename +# without needing to append a separator. 
+# value returned in "$func_relative_path_result" +func_relative_path () +{ + func_relative_path_result= + func_normal_abspath "$1" + func_relative_path_tlibdir=$func_normal_abspath_result + func_normal_abspath "$2" + func_relative_path_tbindir=$func_normal_abspath_result + + # Ascend the tree starting from libdir + while :; do + # check if we have found a prefix of bindir + case $func_relative_path_tbindir in + $func_relative_path_tlibdir) + # found an exact match + func_relative_path_tcancelled= + break + ;; + $func_relative_path_tlibdir*) + # found a matching prefix + func_stripname "$func_relative_path_tlibdir" '' "$func_relative_path_tbindir" + func_relative_path_tcancelled=$func_stripname_result + if test -z "$func_relative_path_result"; then + func_relative_path_result=. + fi + break + ;; + *) + func_dirname $func_relative_path_tlibdir + func_relative_path_tlibdir=${func_dirname_result} + if test "x$func_relative_path_tlibdir" = x ; then + # Have to descend all the way to the root! + func_relative_path_result=../$func_relative_path_result + func_relative_path_tcancelled=$func_relative_path_tbindir + break + fi + func_relative_path_result=../$func_relative_path_result + ;; + esac + done + + # Now calculate path; take care to avoid doubling-up slashes. + func_stripname '' '/' "$func_relative_path_result" + func_relative_path_result=$func_stripname_result + func_stripname '/' '/' "$func_relative_path_tcancelled" + if test "x$func_stripname_result" != x ; then + func_relative_path_result=${func_relative_path_result}/${func_stripname_result} + fi + + # Normalisation. If bindir is libdir, return empty string, + # else relative path ending with a slash; either way, target + # file name can be directly appended. + if test ! 
-z "$func_relative_path_result"; then + func_stripname './' '' "$func_relative_path_result/" + func_relative_path_result=$func_stripname_result + fi +} + +# The name of this program: +func_dirname_and_basename "$progpath" +progname=$func_basename_result + +# Make sure we have an absolute path for reexecution: +case $progpath in + [\\/]*|[A-Za-z]:\\*) ;; + *[\\/]*) + progdir=$func_dirname_result + progdir=`cd "$progdir" && pwd` + progpath="$progdir/$progname" + ;; + *) + save_IFS="$IFS" + IFS=${PATH_SEPARATOR-:} + for progdir in $PATH; do + IFS="$save_IFS" + test -x "$progdir/$progname" && break + done + IFS="$save_IFS" + test -n "$progdir" || progdir=`pwd` + progpath="$progdir/$progname" + ;; +esac + +# Sed substitution that helps us do robust quoting. It backslashifies +# metacharacters that are still active within double-quoted strings. +Xsed="${SED}"' -e 1s/^X//' +sed_quote_subst='s/\([`"$\\]\)/\\\1/g' + +# Same as above, but do not quote variable references. +double_quote_subst='s/\(["`\\]\)/\\\1/g' + +# Sed substitution that turns a string into a regex matching for the +# string literally. +sed_make_literal_regex='s,[].[^$\\*\/],\\&,g' + +# Sed substitution that converts a w32 file name or path +# which contains forward slashes, into one that contains +# (escaped) backslashes. A very naive implementation. +lt_sed_naive_backslashify='s|\\\\*|\\|g;s|/|\\|g;s|\\|\\\\|g' + +# Re-`\' parameter expansions in output of double_quote_subst that were +# `\'-ed in input to the same. If an odd number of `\' preceded a '$' +# in input to double_quote_subst, that '$' was protected from expansion. +# Since each input `\' is now two `\'s, look for any number of runs of +# four `\'s followed by two `\'s and then a '$'. `\' that '$'. 
+bs='\\'
+bs2='\\\\'
+bs4='\\\\\\\\'
+dollar='\$'
+sed_double_backslash="\
+ s/$bs4/&\\
+/g
+ s/^$bs2$dollar/$bs&/
+ s/\\([^$bs]\\)$bs2$dollar/\\1$bs2$bs$dollar/g
+ s/\n//g"
+
+# Standard options:
+opt_dry_run=false
+opt_help=false
+opt_quiet=false
+opt_verbose=false
+opt_warning=:
+
+# func_echo arg...
+# Echo program name prefixed message, along with the current mode
+# name if it has been set yet.
+func_echo ()
+{
+ $ECHO "$progname: ${opt_mode+$opt_mode: }$*"
+}
+
+# func_verbose arg...
+# Echo program name prefixed message in verbose mode only.
+func_verbose ()
+{
+ $opt_verbose && func_echo ${1+"$@"}
+
+ # A bug in bash halts the script if the last line of a function
+ # fails when set -e is in force, so we need another command to
+ # work around that:
+ :
+}
+
+# func_echo_all arg...
+# Invoke $ECHO with all args, space-separated.
+func_echo_all ()
+{
+ $ECHO "$*"
+}
+
+# func_error arg...
+# Echo program name prefixed message to standard error.
+func_error ()
+{
+ $ECHO "$progname: ${opt_mode+$opt_mode: }"${1+"$@"} 1>&2
+}
+
+# func_warning arg...
+# Echo program name prefixed warning message to standard error.
+func_warning ()
+{
+ $opt_warning && $ECHO "$progname: ${opt_mode+$opt_mode: }warning: "${1+"$@"} 1>&2
+
+ # bash bug again:
+ :
+}
+
+# func_fatal_error arg...
+# Echo program name prefixed message to standard error, and exit.
+func_fatal_error ()
+{
+ func_error ${1+"$@"}
+ exit $EXIT_FAILURE
+}
+
+# func_fatal_help arg...
+# Echo program name prefixed message to standard error, followed by
+# a help hint, and exit.
+func_fatal_help ()
+{
+ func_error ${1+"$@"}
+ func_fatal_error "$help"
+}
+help="Try \`$progname --help' for more information." ## default
+
+
+# func_grep expression filename
+# Check whether EXPRESSION matches any line of FILENAME, without output.
+func_grep ()
+{
+ $GREP "$1" "$2" >/dev/null 2>&1
+}
+
+
+# func_mkdir_p directory-path
+# Make sure the entire path to DIRECTORY-PATH is available.
+func_mkdir_p ()
+{
+ my_directory_path="$1"
+ my_dir_list=
+
+ if test -n "$my_directory_path" && test "$opt_dry_run" != ":"; then
+
+ # Protect directory names starting with `-'
+ case $my_directory_path in
+ -*) my_directory_path="./$my_directory_path" ;;
+ esac
+
+ # While some portion of DIR does not yet exist...
+ while test ! -d "$my_directory_path"; do
+ # ...make a list in topmost first order. Use a colon delimited
+ # list incase some portion of path contains whitespace.
+ my_dir_list="$my_directory_path:$my_dir_list"
+
+ # If the last portion added has no slash in it, the list is done
+ case $my_directory_path in */*) ;; *) break ;; esac
+
+ # ...otherwise throw away the child directory and loop
+ my_directory_path=`$ECHO "$my_directory_path" | $SED -e "$dirname"`
+ done
+ my_dir_list=`$ECHO "$my_dir_list" | $SED 's,:*$,,'`
+
+ save_mkdir_p_IFS="$IFS"; IFS=':'
+ for my_dir in $my_dir_list; do
+ IFS="$save_mkdir_p_IFS"
+ # mkdir can fail with a `File exist' error if two processes
+ # try to create one of the directories concurrently. Don't
+ # stop in that case!
+ $MKDIR "$my_dir" 2>/dev/null || :
+ done
+ IFS="$save_mkdir_p_IFS"
+
+ # Bail out if we (or some other process) failed to create a directory.
+ test -d "$my_directory_path" || \
+ func_fatal_error "Failed to create \`$1'"
+ fi
+}
+
+
+# func_mktempdir [string]
+# Make a temporary directory that won't clash with other running
+# libtool processes, and avoids race conditions if possible. If
+# given, STRING is the basename for that directory.
+func_mktempdir ()
+{
+ my_template="${TMPDIR-/tmp}/${1-$progname}"
+
+ if test "$opt_dry_run" = ":"; then
+ # Return a directory name, but don't create it in dry-run mode
+ my_tmpdir="${my_template}-$$"
+ else
+
+ # If mktemp works, use that first and foremost
+ my_tmpdir=`mktemp -d "${my_template}-XXXXXXXX" 2>/dev/null`
+
+ if test ! -d "$my_tmpdir"; then
+ # Failing that, at least try and use $RANDOM to avoid a race
+ my_tmpdir="${my_template}-${RANDOM-0}$$"
+
+ save_mktempdir_umask=`umask`
+ umask 0077
+ $MKDIR "$my_tmpdir"
+ umask $save_mktempdir_umask
+ fi
+
+ # If we're not in dry-run mode, bomb out on failure
+ test -d "$my_tmpdir" || \
+ func_fatal_error "cannot create temporary directory \`$my_tmpdir'"
+ fi
+
+ $ECHO "$my_tmpdir"
+}
+
+
+# func_quote_for_eval arg
+# Aesthetically quote ARG to be evaled later.
+# This function returns two values: FUNC_QUOTE_FOR_EVAL_RESULT
+# is double-quoted, suitable for a subsequent eval, whereas
+# FUNC_QUOTE_FOR_EVAL_UNQUOTED_RESULT has merely all characters
+# which are still active within double quotes backslashified.
+func_quote_for_eval ()
+{
+ case $1 in
+ *[\\\`\"\$]*)
+ func_quote_for_eval_unquoted_result=`$ECHO "$1" | $SED "$sed_quote_subst"` ;;
+ *)
+ func_quote_for_eval_unquoted_result="$1" ;;
+ esac
+
+ case $func_quote_for_eval_unquoted_result in
+ # Double-quote args containing shell metacharacters to delay
+ # word splitting, command substitution and and variable
+ # expansion for a subsequent eval.
+ # Many Bourne shells cannot handle close brackets correctly
+ # in scan sets, so we specify it separately.
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ func_quote_for_eval_result="\"$func_quote_for_eval_unquoted_result\""
+ ;;
+ *)
+ func_quote_for_eval_result="$func_quote_for_eval_unquoted_result"
+ esac
+}
+
+
+# func_quote_for_expand arg
+# Aesthetically quote ARG to be evaled later; same as above,
+# but do not quote variable references.
+func_quote_for_expand ()
+{
+ case $1 in
+ *[\\\`\"]*)
+ my_arg=`$ECHO "$1" | $SED \
+ -e "$double_quote_subst" -e "$sed_double_backslash"` ;;
+ *)
+ my_arg="$1" ;;
+ esac
+
+ case $my_arg in
+ # Double-quote args containing shell metacharacters to delay
+ # word splitting and command substitution for a subsequent eval.
+ # Many Bourne shells cannot handle close brackets correctly
+ # in scan sets, so we specify it separately.
+ *[\[\~\#\^\&\*\(\)\{\}\|\;\<\>\?\'\ \ ]*|*]*|"")
+ my_arg="\"$my_arg\""
+ ;;
+ esac
+
+ func_quote_for_expand_result="$my_arg"
+}
+
+
+# func_show_eval cmd [fail_exp]
+# Unless opt_silent is true, then output CMD. Then, if opt_dryrun is
+# not true, evaluate CMD. If the evaluation of CMD fails, and FAIL_EXP
+# is given, then evaluate it.
+func_show_eval ()
+{
+ my_cmd="$1"
+ my_fail_exp="${2-:}"
+
+ ${opt_silent-false} || {
+ func_quote_for_expand "$my_cmd"
+ eval "func_echo $func_quote_for_expand_result"
+ }
+
+ if ${opt_dry_run-false}; then :; else
+ eval "$my_cmd"
+ my_status=$?
+ if test "$my_status" -eq 0; then :; else
+ eval "(exit $my_status); $my_fail_exp"
+ fi
+ fi
+}
+
+
+# func_show_eval_locale cmd [fail_exp]
+# Unless opt_silent is true, then output CMD. Then, if opt_dryrun is
+# not true, evaluate CMD. If the evaluation of CMD fails, and FAIL_EXP
+# is given, then evaluate it. Use the saved locale for evaluation.
+func_show_eval_locale ()
+{
+ my_cmd="$1"
+ my_fail_exp="${2-:}"
+
+ ${opt_silent-false} || {
+ func_quote_for_expand "$my_cmd"
+ eval "func_echo $func_quote_for_expand_result"
+ }
+
+ if ${opt_dry_run-false}; then :; else
+ eval "$lt_user_locale
+ $my_cmd"
+ my_status=$?
+ eval "$lt_safe_locale"
+ if test "$my_status" -eq 0; then :; else
+ eval "(exit $my_status); $my_fail_exp"
+ fi
+ fi
+}
+
+# func_tr_sh
+# Turn $1 into a string suitable for a shell variable name.
+# Result is stored in $func_tr_sh_result. All characters
+# not in the set a-zA-Z0-9_ are replaced with '_'. Further,
+# if $1 begins with a digit, a '_' is prepended as well.
+func_tr_sh ()
+{
+ case $1 in
+ [0-9]* | *[!a-zA-Z0-9_]*)
+ func_tr_sh_result=`$ECHO "$1" | $SED 's/^\([0-9]\)/_\1/; s/[^a-zA-Z0-9_]/_/g'`
+ ;;
+ * )
+ func_tr_sh_result=$1
+ ;;
+ esac
+}
+
+
+# func_version
+# Echo version message to standard output and exit.
+func_version ()
+{
+ $opt_debug
+
+ $SED -n '/(C)/!b go
+ :more
+ /\./!{
+ N
+ s/\n# / /
+ b more
+ }
+ :go
+ /^# '$PROGRAM' (GNU /,/# warranty; / {
+ s/^# //
+ s/^# *$//
+ s/\((C)\)[ 0-9,-]*\( [1-9][0-9]*\)/\1\2/
+ p
+ }' < "$progpath"
+ exit $?
+}
+
+# func_usage
+# Echo short help message to standard output and exit.
+func_usage ()
+{
+ $opt_debug
+
+ $SED -n '/^# Usage:/,/^# *.*--help/ {
+ s/^# //
+ s/^# *$//
+ s/\$progname/'$progname'/
+ p
+ }' < "$progpath"
+ echo
+ $ECHO "run \`$progname --help | more' for full usage"
+ exit $?
+}
+
+# func_help [NOEXIT]
+# Echo long help message to standard output and exit,
+# unless 'noexit' is passed as argument.
+func_help ()
+{
+ $opt_debug
+
+ $SED -n '/^# Usage:/,/# Report bugs to/ {
+ :print
+ s/^# //
+ s/^# *$//
+ s*\$progname*'$progname'*
+ s*\$host*'"$host"'*
+ s*\$SHELL*'"$SHELL"'*
+ s*\$LTCC*'"$LTCC"'*
+ s*\$LTCFLAGS*'"$LTCFLAGS"'*
+ s*\$LD*'"$LD"'*
+ s/\$with_gnu_ld/'"$with_gnu_ld"'/
+ s/\$automake_version/'"`(${AUTOMAKE-automake} --version) 2>/dev/null |$SED 1q`"'/
+ s/\$autoconf_version/'"`(${AUTOCONF-autoconf} --version) 2>/dev/null |$SED 1q`"'/
+ p
+ d
+ }
+ /^# .* home page:/b print
+ /^# General help using/b print
+ ' < "$progpath"
+ ret=$?
+ if test -z "$1"; then
+ exit $ret
+ fi
+}
+
+# func_missing_arg argname
+# Echo program name prefixed message to standard error and set global
+# exit_cmd.
+func_missing_arg ()
+{
+ $opt_debug
+
+ func_error "missing argument for $1."
+ exit_cmd=exit
+}
+
+
+# func_split_short_opt shortopt
+# Set func_split_short_opt_name and func_split_short_opt_arg shell
+# variables after splitting SHORTOPT after the 2nd character.
+func_split_short_opt ()
+{
+ my_sed_short_opt='1s/^\(..\).*$/\1/;q'
+ my_sed_short_rest='1s/^..\(.*\)$/\1/;q'
+
+ func_split_short_opt_name=`$ECHO "$1" | $SED "$my_sed_short_opt"`
+ func_split_short_opt_arg=`$ECHO "$1" | $SED "$my_sed_short_rest"`
+} # func_split_short_opt may be replaced by extended shell implementation
+
+
+# func_split_long_opt longopt
+# Set func_split_long_opt_name and func_split_long_opt_arg shell
+# variables after splitting LONGOPT at the `=' sign.
+func_split_long_opt ()
+{
+ my_sed_long_opt='1s/^\(--[^=]*\)=.*/\1/;q'
+ my_sed_long_arg='1s/^--[^=]*=//'
+
+ func_split_long_opt_name=`$ECHO "$1" | $SED "$my_sed_long_opt"`
+ func_split_long_opt_arg=`$ECHO "$1" | $SED "$my_sed_long_arg"`
+} # func_split_long_opt may be replaced by extended shell implementation
+
+exit_cmd=:
+
+
+
+
+
+magic="%%%MAGIC variable%%%"
+magic_exe="%%%MAGIC EXE variable%%%"
+
+# Global variables.
+nonopt=
+preserve_args=
+lo2o="s/\\.lo\$/.${objext}/"
+o2lo="s/\\.${objext}\$/.lo/"
+extracted_archives=
+extracted_serial=0
+
+# If this variable is set in any of the actions, the command in it
+# will be execed at the end. This prevents here-documents from being
+# left over by shells.
+exec_cmd=
+
+# func_append var value
+# Append VALUE to the end of shell variable VAR.
+func_append ()
+{
+ eval "${1}=\$${1}\${2}"
+} # func_append may be replaced by extended shell implementation
+
+# func_append_quoted var value
+# Quote VALUE and append to the end of shell variable VAR, separated
+# by a space.
+func_append_quoted ()
+{
+ func_quote_for_eval "${2}"
+ eval "${1}=\$${1}\\ \$func_quote_for_eval_result"
+} # func_append_quoted may be replaced by extended shell implementation
+
+
+# func_arith arithmetic-term...
+func_arith ()
+{
+ func_arith_result=`expr "${@}"`
+} # func_arith may be replaced by extended shell implementation
+
+
+# func_len string
+# STRING may not start with a hyphen.
+func_len ()
+{
+ func_len_result=`expr "${1}" : ".*" 2>/dev/null || echo $max_cmd_len`
+} # func_len may be replaced by extended shell implementation
+
+
+# func_lo2o object
+func_lo2o ()
+{
+ func_lo2o_result=`$ECHO "${1}" | $SED "$lo2o"`
+} # func_lo2o may be replaced by extended shell implementation
+
+
+# func_xform libobj-or-source
+func_xform ()
+{
+ func_xform_result=`$ECHO "${1}" | $SED 's/\.[^.]*$/.lo/'`
+} # func_xform may be replaced by extended shell implementation
+
+
+# func_fatal_configuration arg...
+# Echo program name prefixed message to standard error, followed by
+# a configuration failure hint, and exit.
+func_fatal_configuration ()
+{
+ func_error ${1+"$@"}
+ func_error "See the $PACKAGE documentation for more information."
+ func_fatal_error "Fatal configuration error."
+}
+
+
+# func_config
+# Display the configuration for all the tags in this script.
+func_config ()
+{
+ re_begincf='^# ### BEGIN LIBTOOL'
+ re_endcf='^# ### END LIBTOOL'
+
+ # Default configuration.
+ $SED "1,/$re_begincf CONFIG/d;/$re_endcf CONFIG/,\$d" < "$progpath"
+
+ # Now print the configurations for the tags.
+ for tagname in $taglist; do
+ $SED -n "/$re_begincf TAG CONFIG: $tagname\$/,/$re_endcf TAG CONFIG: $tagname\$/p" < "$progpath"
+ done
+
+ exit $?
+}
+
+# func_features
+# Display the features supported by this script.
+func_features ()
+{
+ echo "host: $host"
+ if test "$build_libtool_libs" = yes; then
+ echo "enable shared libraries"
+ else
+ echo "disable shared libraries"
+ fi
+ if test "$build_old_libs" = yes; then
+ echo "enable static libraries"
+ else
+ echo "disable static libraries"
+ fi
+
+ exit $?
+}
+
+# func_enable_tag tagname
+# Verify that TAGNAME is valid, and either flag an error and exit, or
+# enable the TAGNAME tag. We also add TAGNAME to the global $taglist
+# variable here.
+func_enable_tag ()
+{
+ # Global variable:
+ tagname="$1"
+
+ re_begincf="^# ### BEGIN LIBTOOL TAG CONFIG: $tagname\$"
+ re_endcf="^# ### END LIBTOOL TAG CONFIG: $tagname\$"
+ sed_extractcf="/$re_begincf/,/$re_endcf/p"
+
+ # Validate tagname.
+ case $tagname in
+ *[!-_A-Za-z0-9,/]*)
+ func_fatal_error "invalid tag name: $tagname"
+ ;;
+ esac
+
+ # Don't test for the "default" C tag, as we know it's
+ # there but not specially marked.
+ case $tagname in
+ CC) ;;
+ *)
+ if $GREP "$re_begincf" "$progpath" >/dev/null 2>&1; then
+ taglist="$taglist $tagname"
+
+ # Evaluate the configuration. Be careful to quote the path
+ # and the sed script, to avoid splitting on whitespace, but
+ # also don't use non-portable quotes within backquotes within
+ # quotes we have to do it in 2 steps:
+ extractedcf=`$SED -n -e "$sed_extractcf" < "$progpath"`
+ eval "$extractedcf"
+ else
+ func_error "ignoring unknown tag $tagname"
+ fi
+ ;;
+ esac
+}
+
+# func_check_version_match
+# Ensure that we are using m4 macros, and libtool script from the same
+# release of libtool.
+func_check_version_match ()
+{
+ if test "$package_revision" != "$macro_revision"; then
+ if test "$VERSION" != "$macro_version"; then
+ if test -z "$macro_version"; then
+ cat >&2 <<_LT_EOF
+$progname: Version mismatch error. This is $PACKAGE $VERSION, but the
+$progname: definition of this LT_INIT comes from an older release.
+$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
+$progname: and run autoconf again.
+_LT_EOF
+ else
+ cat >&2 <<_LT_EOF
+$progname: Version mismatch error. This is $PACKAGE $VERSION, but the
+$progname: definition of this LT_INIT comes from $PACKAGE $macro_version.
+$progname: You should recreate aclocal.m4 with macros from $PACKAGE $VERSION
+$progname: and run autoconf again.
+_LT_EOF
+ fi
+ else
+ cat >&2 <<_LT_EOF
+$progname: Version mismatch error. This is $PACKAGE $VERSION, revision $package_revision,
+$progname: but the definition of this LT_INIT comes from revision $macro_revision.
+$progname: You should recreate aclocal.m4 with macros from revision $package_revision
+$progname: of $PACKAGE $VERSION and run autoconf again.
+_LT_EOF
+ fi
+
+ exit $EXIT_MISMATCH
+ fi
+}
+
+
+# Shorthand for --mode=foo, only valid as the first argument
+case $1 in
+clean|clea|cle|cl)
+ shift; set dummy --mode clean ${1+"$@"}; shift
+ ;;
+compile|compil|compi|comp|com|co|c)
+ shift; set dummy --mode compile ${1+"$@"}; shift
+ ;;
+execute|execut|execu|exec|exe|ex|e)
+ shift; set dummy --mode execute ${1+"$@"}; shift
+ ;;
+finish|finis|fini|fin|fi|f)
+ shift; set dummy --mode finish ${1+"$@"}; shift
+ ;;
+install|instal|insta|inst|ins|in|i)
+ shift; set dummy --mode install ${1+"$@"}; shift
+ ;;
+link|lin|li|l)
+ shift; set dummy --mode link ${1+"$@"}; shift
+ ;;
+uninstall|uninstal|uninsta|uninst|unins|unin|uni|un|u)
+ shift; set dummy --mode uninstall ${1+"$@"}; shift
+ ;;
+esac
+
+
+
+# Option defaults:
+opt_debug=:
+opt_dry_run=false
+opt_config=false
+opt_preserve_dup_deps=false
+opt_features=false
+opt_finish=false
+opt_help=false
+opt_help_all=false
+opt_silent=:
+opt_warning=:
+opt_verbose=:
+opt_silent=false
+opt_verbose=false
+
+
+# Parse options once, thoroughly. This comes as soon as possible in the
+# script to make things like `--version' happen as quickly as we can.
+{
+ # this just eases exit handling
+ while test $# -gt 0; do
+ opt="$1"
+ shift
+ case $opt in
+ --debug|-x) opt_debug='set -x'
+ func_echo "enabling shell trace mode"
+ $opt_debug
+ ;;
+ --dry-run|--dryrun|-n)
+ opt_dry_run=:
+ ;;
+ --config)
+ opt_config=:
+func_config
+ ;;
+ --dlopen|-dlopen)
+ optarg="$1"
+ opt_dlopen="${opt_dlopen+$opt_dlopen
+}$optarg"
+ shift
+ ;;
+ --preserve-dup-deps)
+ opt_preserve_dup_deps=:
+ ;;
+ --features)
+ opt_features=:
+func_features
+ ;;
+ --finish)
+ opt_finish=:
+set dummy --mode finish ${1+"$@"}; shift
+ ;;
+ --help)
+ opt_help=:
+ ;;
+ --help-all)
+ opt_help_all=:
+opt_help=': help-all'
+ ;;
+ --mode)
+ test $# = 0 && func_missing_arg $opt && break
+ optarg="$1"
+ opt_mode="$optarg"
+case $optarg in
+ # Valid mode arguments:
+ clean|compile|execute|finish|install|link|relink|uninstall) ;;
+
+ # Catch anything else as an error
+ *) func_error "invalid argument for $opt"
+ exit_cmd=exit
+ break
+ ;;
+esac
+ shift
+ ;;
+ --no-silent|--no-quiet)
+ opt_silent=false
+func_append preserve_args " $opt"
+ ;;
+ --no-warning|--no-warn)
+ opt_warning=false
+func_append preserve_args " $opt"
+ ;;
+ --no-verbose)
+ opt_verbose=false
+func_append preserve_args " $opt"
+ ;;
+ --silent|--quiet)
+ opt_silent=:
+func_append preserve_args " $opt"
+ opt_verbose=false
+ ;;
+ --verbose|-v)
+ opt_verbose=:
+func_append preserve_args " $opt"
+opt_silent=false
+ ;;
+ --tag)
+ test $# = 0 && func_missing_arg $opt && break
+ optarg="$1"
+ opt_tag="$optarg"
+func_append preserve_args " $opt $optarg"
+func_enable_tag "$optarg"
+ shift
+ ;;
+
+ -\?|-h) func_usage ;;
+ --help) func_help ;;
+ --version) func_version ;;
+
+ # Separate optargs to long options:
+ --*=*)
+ func_split_long_opt "$opt"
+ set dummy "$func_split_long_opt_name" "$func_split_long_opt_arg" ${1+"$@"}
+ shift
+ ;;
+
+ # Separate non-argument short options:
+ -\?*|-h*|-n*|-v*)
+ func_split_short_opt "$opt"
+ set dummy "$func_split_short_opt_name" "-$func_split_short_opt_arg" ${1+"$@"}
+ shift
+ ;;
+
+ --) break ;;
+ -*) func_fatal_help "unrecognized option \`$opt'" ;;
+ *) set dummy "$opt" ${1+"$@"}; shift; break ;;
+ esac
+ done
+
+ # Validate options:
+
+ # save first non-option argument
+ if test "$#" -gt 0; then
+ nonopt="$opt"
+ shift
+ fi
+
+ # preserve --debug
+ test "$opt_debug" = : || func_append preserve_args " --debug"
+
+ case $host in
+ *cygwin* | *mingw* | *pw32* | *cegcc*)
+ # don't eliminate duplications in $postdeps and $predeps
+ opt_duplicate_compiler_generated_deps=:
+ ;;
+ *)
+ opt_duplicate_compiler_generated_deps=$opt_preserve_dup_deps
+ ;;
+ esac
+
+ $opt_help || {
+ # Sanity checks first:
+ func_check_version_match
+
+ if test "$build_libtool_libs" != yes && test "$build_old_libs" != yes; then
+ func_fatal_configuration "not configured to build any kind of library"
+ fi
+
+ # Darwin sucks
+ eval std_shrext=\"$shrext_cmds\"
+
+ # Only execute mode is allowed to have -dlopen flags.
+ if test -n "$opt_dlopen" && test "$opt_mode" != execute; then
+ func_error "unrecognized option \`-dlopen'"
+ $ECHO "$help" 1>&2
+ exit $EXIT_FAILURE
+ fi
+
+ # Change the help message to a mode-specific one.
+ generic_help="$help"
+ help="Try \`$progname --help --mode=$opt_mode' for more information."
+ }
+
+
+ # Bail if the options were screwed
+ $exit_cmd $EXIT_FAILURE
+}
+
+
+
+
+## ----------- ##
+## Main. ##
+## ----------- ##
+
+# func_lalib_p file
+# True iff FILE is a libtool `.la' library or `.lo' object file.
+# This function is only a basic sanity check; it will hardly flush out
+# determined imposters.
+func_lalib_p ()
+{
+ test -f "$1" &&
+ $SED -e 4q "$1" 2>/dev/null \
+ | $GREP "^# Generated by .*$PACKAGE" > /dev/null 2>&1
+}
+
+# func_lalib_unsafe_p file
+# True iff FILE is a libtool `.la' library or `.lo' object file.
+# This function implements the same check as func_lalib_p without
+# resorting to external programs. To this end, it redirects stdin and
+# closes it afterwards, without saving the original file descriptor.
+# As a safety measure, use it only where a negative result would be
+# fatal anyway. Works if `file' does not exist.
+func_lalib_unsafe_p ()
+{
+ lalib_p=no
+ if test -f "$1" && test -r "$1" && exec 5<&0 <"$1"; then
+ for lalib_p_l in 1 2 3 4
+ do
+ read lalib_p_line
+ case "$lalib_p_line" in
+ \#\ Generated\ by\ *$PACKAGE* ) lalib_p=yes; break;;
+ esac
+ done
+ exec 0<&5 5<&-
+ fi
+ test "$lalib_p" = yes
+}
+
+# func_ltwrapper_script_p file
+# True iff FILE is a libtool wrapper script
+# This function is only a basic sanity check; it will hardly flush out
+# determined imposters.
+func_ltwrapper_script_p ()
+{
+ func_lalib_p "$1"
+}
+
+# func_ltwrapper_executable_p file
+# True iff FILE is a libtool wrapper executable
+# This function is only a basic sanity check; it will hardly flush out
+# determined imposters.
+func_ltwrapper_executable_p ()
+{
+ func_ltwrapper_exec_suffix=
+ case $1 in
+ *.exe) ;;
+ *) func_ltwrapper_exec_suffix=.exe ;;
+ esac
+ $GREP "$magic_exe" "$1$func_ltwrapper_exec_suffix" >/dev/null 2>&1
+}
+
+# func_ltwrapper_scriptname file
+# Assumes file is an ltwrapper_executable
+# uses $file to determine the appropriate filename for a
+# temporary ltwrapper_script.
+func_ltwrapper_scriptname ()
+{
+ func_dirname_and_basename "$1" "" "."
+ func_stripname '' '.exe' "$func_basename_result"
+ func_ltwrapper_scriptname_result="$func_dirname_result/$objdir/${func_stripname_result}_ltshwrapper"
+}
+
+# func_ltwrapper_p file
+# True iff FILE is a libtool wrapper script or wrapper executable
+# This function is only a basic sanity check; it will hardly flush out
+# determined imposters.
+func_ltwrapper_p ()
+{
+ func_ltwrapper_script_p "$1" || func_ltwrapper_executable_p "$1"
+}
+
+
+# func_execute_cmds commands fail_cmd
+# Execute tilde-delimited COMMANDS.
+# If FAIL_CMD is given, eval that upon failure.
+# FAIL_CMD may read-access the current command in variable CMD!
+func_execute_cmds ()
+{
+ $opt_debug
+ save_ifs=$IFS; IFS='~'
+ for cmd in $1; do
+ IFS=$save_ifs
+ eval cmd=\"$cmd\"
+ func_show_eval "$cmd" "${2-:}"
+ done
+ IFS=$save_ifs
+}
+
+
+# func_source file
+# Source FILE, adding directory component if necessary.
+# Note that it is not necessary on cygwin/mingw to append a dot to
+# FILE even if both FILE and FILE.exe exist: automatic-append-.exe
+# behavior happens only for exec(3), not for open(2)! Also, sourcing
+# `FILE.' does not work on cygwin managed mounts.
+func_source ()
+{
+ $opt_debug
+ case $1 in
+ */* | *\\*) . "$1" ;;
+ *) . "./$1" ;;
+ esac
+}
+
+
+# func_resolve_sysroot PATH
+# Replace a leading = in PATH with a sysroot. Store the result into
+# func_resolve_sysroot_result
+func_resolve_sysroot ()
+{
+ func_resolve_sysroot_result=$1
+ case $func_resolve_sysroot_result in
+ =*)
+ func_stripname '=' '' "$func_resolve_sysroot_result"
+ func_resolve_sysroot_result=$lt_sysroot$func_stripname_result
+ ;;
+ esac
+}
+
+# func_replace_sysroot PATH
+# If PATH begins with the sysroot, replace it with = and
+# store the result into func_replace_sysroot_result.
+func_replace_sysroot ()
+{
+ case "$lt_sysroot:$1" in
+ ?*:"$lt_sysroot"*)
+ func_stripname "$lt_sysroot" '' "$1"
+ func_replace_sysroot_result="=$func_stripname_result"
+ ;;
+ *)
+ # Including no sysroot.
+ func_replace_sysroot_result=$1
+ ;;
+ esac
+}
+
+# func_infer_tag arg
+# Infer tagged configuration to use if any are available and
+# if one wasn't chosen via the "--tag" command line option.
+# Only attempt this if the compiler in the base compile
+# command doesn't match the default compiler.
+# arg is usually of the form 'gcc ...'
+func_infer_tag ()
+{
+ $opt_debug
+ if test -n "$available_tags" && test -z "$tagname"; then
+ CC_quoted=
+ for arg in $CC; do
+ func_append_quoted CC_quoted "$arg"
+ done
+ CC_expanded=`func_echo_all $CC`
+ CC_quoted_expanded=`func_echo_all $CC_quoted`
+ case $@ in
+ # Blanks in the command may have been stripped by the calling shell,
+ # but not from the CC environment variable when configure was run.
+ " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \
+ " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*) ;;
+ # Blanks at the start of $base_compile will cause this to fail
+ # if we don't check for them as well.
+ *)
+ for z in $available_tags; do
+ if $GREP "^# ### BEGIN LIBTOOL TAG CONFIG: $z$" < "$progpath" > /dev/null; then
+ # Evaluate the configuration.
+ eval "`${SED} -n -e '/^# ### BEGIN LIBTOOL TAG CONFIG: '$z'$/,/^# ### END LIBTOOL TAG CONFIG: '$z'$/p' < $progpath`"
+ CC_quoted=
+ for arg in $CC; do
+ # Double-quote args containing other shell metacharacters.
+ func_append_quoted CC_quoted "$arg"
+ done
+ CC_expanded=`func_echo_all $CC`
+ CC_quoted_expanded=`func_echo_all $CC_quoted`
+ case "$@ " in
+ " $CC "* | "$CC "* | " $CC_expanded "* | "$CC_expanded "* | \
+ " $CC_quoted"* | "$CC_quoted "* | " $CC_quoted_expanded "* | "$CC_quoted_expanded "*)
+ # The compiler in the base compile command matches
+ # the one in the tagged configuration.
+ # Assume this is the tagged configuration we want.
+ tagname=$z
+ break
+ ;;
+ esac
+ fi
+ done
+ # If $tagname still isn't set, then no tagged configuration
+ # was found and let the user know that the "--tag" command
+ # line option must be used.
+ if test -z "$tagname"; then
+ func_echo "unable to infer tagged configuration"
+ func_fatal_error "specify a tag with \`--tag'"
+# else
+# func_verbose "using $tagname tagged configuration"
+ fi
+ ;;
+ esac
+ fi
+}
+
+
+
+# func_write_libtool_object output_name pic_name nonpic_name
+# Create a libtool object file (analogous to a ".la" file),
+# but don't create it if we're doing a dry run.
+func_write_libtool_object ()
+{
+ write_libobj=${1}
+ if test "$build_libtool_libs" = yes; then
+ write_lobj=\'${2}\'
+ else
+ write_lobj=none
+ fi
+
+ if test "$build_old_libs" = yes; then
+ write_oldobj=\'${3}\'
+ else
+ write_oldobj=none
+ fi
+
+ $opt_dry_run || {
+ cat >${write_libobj}T </dev/null`
+ if test "$?" -eq 0 && test -n "${func_convert_core_file_wine_to_w32_tmp}"; then
+ func_convert_core_file_wine_to_w32_result=`$ECHO "$func_convert_core_file_wine_to_w32_tmp" |
+ $SED -e "$lt_sed_naive_backslashify"`
+ else
+ func_convert_core_file_wine_to_w32_result=
+ fi
+ fi
+}
+# end: func_convert_core_file_wine_to_w32
+
+
+# func_convert_core_path_wine_to_w32 ARG
+# Helper function used by path conversion functions when $build is *nix, and
+# $host is mingw, cygwin, or some other w32 environment. Relies on a correctly
+# configured wine environment available, with the winepath program in $build's
+# $PATH. Assumes ARG has no leading or trailing path separator characters.
+#
+# ARG is path to be converted from $build format to win32.
+# Result is available in $func_convert_core_path_wine_to_w32_result.
+# Unconvertible file (directory) names in ARG are skipped; if no directory names
+# are convertible, then the result may be empty.
+func_convert_core_path_wine_to_w32 ()
+{
+ $opt_debug
+ # unfortunately, winepath doesn't convert paths, only file names
+ func_convert_core_path_wine_to_w32_result=""
+ if test -n "$1"; then
+ oldIFS=$IFS
+ IFS=:
+ for func_convert_core_path_wine_to_w32_f in $1; do
+ IFS=$oldIFS
+ func_convert_core_file_wine_to_w32 "$func_convert_core_path_wine_to_w32_f"
+ if test -n "$func_convert_core_file_wine_to_w32_result" ; then
+ if test -z "$func_convert_core_path_wine_to_w32_result"; then
+ func_convert_core_path_wine_to_w32_result="$func_convert_core_file_wine_to_w32_result"
+ else
+ func_append func_convert_core_path_wine_to_w32_result ";$func_convert_core_file_wine_to_w32_result"
+ fi
+ fi
+ done
+ IFS=$oldIFS
+ fi
+}
+# end: func_convert_core_path_wine_to_w32
+
+
+# func_cygpath ARGS...
+# Wrapper around calling the cygpath program via LT_CYGPATH. This is used when
+# when (1) $build is *nix and Cygwin is hosted via a wine environment; or (2)
+# $build is MSYS and $host is Cygwin, or (3) $build is Cygwin. In case (1) or
+# (2), returns the Cygwin file name or path in func_cygpath_result (input
+# file name or path is assumed to be in w32 format, as previously converted
+# from $build's *nix or MSYS format). In case (3), returns the w32 file name
+# or path in func_cygpath_result (input file name or path is assumed to be in
+# Cygwin format). Returns an empty string on error.
+#
+# ARGS are passed to cygpath, with the last one being the file name or path to
+# be converted.
+#
+# Specify the absolute *nix (or w32) name to cygpath in the LT_CYGPATH
+# environment variable; do not put it in $PATH.
+func_cygpath ()
+{
+ $opt_debug
+ if test -n "$LT_CYGPATH" && test -f "$LT_CYGPATH"; then
+ func_cygpath_result=`$LT_CYGPATH "$@" 2>/dev/null`
+ if test "$?" -ne 0; then
+ # on failure, ensure result is empty
+ func_cygpath_result=
+ fi
+ else
+ func_cygpath_result=
+ func_error "LT_CYGPATH is empty or specifies non-existent file: \`$LT_CYGPATH'"
+ fi
+}
+#end: func_cygpath
+
+
+# func_convert_core_msys_to_w32 ARG
+# Convert file name or path ARG from MSYS format to w32 format. Return
+# result in func_convert_core_msys_to_w32_result.
+func_convert_core_msys_to_w32 ()
+{
+ $opt_debug
+ # awkward: cmd appends spaces to result
+ func_convert_core_msys_to_w32_result=`( cmd //c echo "$1" ) 2>/dev/null |
+ $SED -e 's/[ ]*$//' -e "$lt_sed_naive_backslashify"`
+}
+#end: func_convert_core_msys_to_w32
+
+
+# func_convert_file_check ARG1 ARG2
+# Verify that ARG1 (a file name in $build format) was converted to $host
+# format in ARG2. Otherwise, emit an error message, but continue (resetting
+# func_to_host_file_result to ARG1).
+func_convert_file_check ()
+{
+ $opt_debug
+ if test -z "$2" && test -n "$1" ; then
+ func_error "Could not determine host file name corresponding to"
+ func_error " \`$1'"
+ func_error "Continuing, but uninstalled executables may not work."
+ # Fallback:
+ func_to_host_file_result="$1"
+ fi
+}
+# end func_convert_file_check
+
+
+# func_convert_path_check FROM_PATHSEP TO_PATHSEP FROM_PATH TO_PATH
+# Verify that FROM_PATH (a path in $build format) was converted to $host
+# format in TO_PATH. Otherwise, emit an error message, but continue, resetting
+# func_to_host_file_result to a simplistic fallback value (see below).
+func_convert_path_check ()
+{
+ $opt_debug
+ if test -z "$4" && test -n "$3"; then
+ func_error "Could not determine the host path corresponding to"
+ func_error " \`$3'"
+ func_error "Continuing, but uninstalled executables may not work."
+ # Fallback. This is a deliberately simplistic "conversion" and
+ # should not be "improved". See libtool.info.
+ if test "x$1" != "x$2"; then
+ lt_replace_pathsep_chars="s|$1|$2|g"
+ func_to_host_path_result=`echo "$3" |
+ $SED -e "$lt_replace_pathsep_chars"`
+ else
+ func_to_host_path_result="$3"
+ fi
+ fi
+}
+# end func_convert_path_check
+
+
+# func_convert_path_front_back_pathsep FRONTPAT BACKPAT REPL ORIG
+# Modifies func_to_host_path_result by prepending REPL if ORIG matches FRONTPAT
+# and appending REPL if ORIG matches BACKPAT.
+func_convert_path_front_back_pathsep ()
+{
+ $opt_debug
+ case $4 in
+ $1 ) func_to_host_path_result="$3$func_to_host_path_result"
+ ;;
+ esac
+ case $4 in
+ $2 ) func_append func_to_host_path_result "$3"
+ ;;
+ esac
+}
+# end func_convert_path_front_back_pathsep
+
+
+##################################################
+# $build to $host FILE NAME CONVERSION FUNCTIONS #
+##################################################
+# invoked via `$to_host_file_cmd ARG'
+#
+# In each case, ARG is the path to be converted from $build to $host format.
+# Result will be available in $func_to_host_file_result.
+
+
+# func_to_host_file ARG
+# Converts the file name ARG from $build format to $host format. Return result
+# in func_to_host_file_result.
+func_to_host_file ()
+{
+ $opt_debug
+ $to_host_file_cmd "$1"
+}
+# end func_to_host_file
+
+
+# func_to_tool_file ARG LAZY
+# converts the file name ARG from $build format to toolchain format. Return
+# result in func_to_tool_file_result. If the conversion in use is listed
+# in (the comma separated) LAZY, no conversion takes place.
+func_to_tool_file ()
+{
+ $opt_debug
+ case ,$2, in
+ *,"$to_tool_file_cmd",*)
+ func_to_tool_file_result=$1
+ ;;
+ *)
+ $to_tool_file_cmd "$1"
+ func_to_tool_file_result=$func_to_host_file_result
+ ;;
+ esac
+}
+# end func_to_tool_file
+
+
+# func_convert_file_noop ARG
+# Copy ARG to func_to_host_file_result.
+func_convert_file_noop () +{ + func_to_host_file_result="$1" +} +# end func_convert_file_noop + + +# func_convert_file_msys_to_w32 ARG +# Convert file name ARG from (mingw) MSYS to (mingw) w32 format; automatic +# conversion to w32 is not available inside the cwrapper. Returns result in +# func_to_host_file_result. +func_convert_file_msys_to_w32 () +{ + $opt_debug + func_to_host_file_result="$1" + if test -n "$1"; then + func_convert_core_msys_to_w32 "$1" + func_to_host_file_result="$func_convert_core_msys_to_w32_result" + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_msys_to_w32 + + +# func_convert_file_cygwin_to_w32 ARG +# Convert file name ARG from Cygwin to w32 format. Returns result in +# func_to_host_file_result. +func_convert_file_cygwin_to_w32 () +{ + $opt_debug + func_to_host_file_result="$1" + if test -n "$1"; then + # because $build is cygwin, we call "the" cygpath in $PATH; no need to use + # LT_CYGPATH in this case. + func_to_host_file_result=`cygpath -m "$1"` + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_cygwin_to_w32 + + +# func_convert_file_nix_to_w32 ARG +# Convert file name ARG from *nix to w32 format. Requires a wine environment +# and a working winepath. Returns result in func_to_host_file_result. +func_convert_file_nix_to_w32 () +{ + $opt_debug + func_to_host_file_result="$1" + if test -n "$1"; then + func_convert_core_file_wine_to_w32 "$1" + func_to_host_file_result="$func_convert_core_file_wine_to_w32_result" + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_nix_to_w32 + + +# func_convert_file_msys_to_cygwin ARG +# Convert file name ARG from MSYS to Cygwin format. Requires LT_CYGPATH set. +# Returns result in func_to_host_file_result. 
+func_convert_file_msys_to_cygwin () +{ + $opt_debug + func_to_host_file_result="$1" + if test -n "$1"; then + func_convert_core_msys_to_w32 "$1" + func_cygpath -u "$func_convert_core_msys_to_w32_result" + func_to_host_file_result="$func_cygpath_result" + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_msys_to_cygwin + + +# func_convert_file_nix_to_cygwin ARG +# Convert file name ARG from *nix to Cygwin format. Requires Cygwin installed +# in a wine environment, working winepath, and LT_CYGPATH set. Returns result +# in func_to_host_file_result. +func_convert_file_nix_to_cygwin () +{ + $opt_debug + func_to_host_file_result="$1" + if test -n "$1"; then + # convert from *nix to w32, then use cygpath to convert from w32 to cygwin. + func_convert_core_file_wine_to_w32 "$1" + func_cygpath -u "$func_convert_core_file_wine_to_w32_result" + func_to_host_file_result="$func_cygpath_result" + fi + func_convert_file_check "$1" "$func_to_host_file_result" +} +# end func_convert_file_nix_to_cygwin + + +############################################# +# $build to $host PATH CONVERSION FUNCTIONS # +############################################# +# invoked via `$to_host_path_cmd ARG' +# +# In each case, ARG is the path to be converted from $build to $host format. +# The result will be available in $func_to_host_path_result. +# +# Path separators are also converted from $build format to $host format. If +# ARG begins or ends with a path separator character, it is preserved (but +# converted to $host format) on output. +# +# All path conversion functions are named using the following convention: +# file name conversion function : func_convert_file_X_to_Y () +# path conversion function : func_convert_path_X_to_Y () +# where, for any given $build/$host combination the 'X_to_Y' value is the +# same. 
If conversion functions are added for new $build/$host combinations, +# the two new functions must follow this pattern, or func_init_to_host_path_cmd +# will break. + + +# func_init_to_host_path_cmd +# Ensures that function "pointer" variable $to_host_path_cmd is set to the +# appropriate value, based on the value of $to_host_file_cmd. +to_host_path_cmd= +func_init_to_host_path_cmd () +{ + $opt_debug + if test -z "$to_host_path_cmd"; then + func_stripname 'func_convert_file_' '' "$to_host_file_cmd" + to_host_path_cmd="func_convert_path_${func_stripname_result}" + fi +} + + +# func_to_host_path ARG +# Converts the path ARG from $build format to $host format. Return result +# in func_to_host_path_result. +func_to_host_path () +{ + $opt_debug + func_init_to_host_path_cmd + $to_host_path_cmd "$1" +} +# end func_to_host_path + + +# func_convert_path_noop ARG +# Copy ARG to func_to_host_path_result. +func_convert_path_noop () +{ + func_to_host_path_result="$1" +} +# end func_convert_path_noop + + +# func_convert_path_msys_to_w32 ARG +# Convert path ARG from (mingw) MSYS to (mingw) w32 format; automatic +# conversion to w32 is not available inside the cwrapper. Returns result in +# func_to_host_path_result. +func_convert_path_msys_to_w32 () +{ + $opt_debug + func_to_host_path_result="$1" + if test -n "$1"; then + # Remove leading and trailing path separator characters from ARG. MSYS + # behavior is inconsistent here; cygpath turns them into '.;' and ';.'; + # and winepath ignores them completely. + func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_convert_core_msys_to_w32 "$func_to_host_path_tmp1" + func_to_host_path_result="$func_convert_core_msys_to_w32_result" + func_convert_path_check : ";" \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" + fi +} +# end func_convert_path_msys_to_w32 + + +# func_convert_path_cygwin_to_w32 ARG +# Convert path ARG from Cygwin to w32 format. 
Returns result in +# func_to_host_file_result. +func_convert_path_cygwin_to_w32 () +{ + $opt_debug + func_to_host_path_result="$1" + if test -n "$1"; then + # See func_convert_path_msys_to_w32: + func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_to_host_path_result=`cygpath -m -p "$func_to_host_path_tmp1"` + func_convert_path_check : ";" \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" + fi +} +# end func_convert_path_cygwin_to_w32 + + +# func_convert_path_nix_to_w32 ARG +# Convert path ARG from *nix to w32 format. Requires a wine environment and +# a working winepath. Returns result in func_to_host_file_result. +func_convert_path_nix_to_w32 () +{ + $opt_debug + func_to_host_path_result="$1" + if test -n "$1"; then + # See func_convert_path_msys_to_w32: + func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1" + func_to_host_path_result="$func_convert_core_path_wine_to_w32_result" + func_convert_path_check : ";" \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" ";" "$1" + fi +} +# end func_convert_path_nix_to_w32 + + +# func_convert_path_msys_to_cygwin ARG +# Convert path ARG from MSYS to Cygwin format. Requires LT_CYGPATH set. +# Returns result in func_to_host_file_result. 
+func_convert_path_msys_to_cygwin () +{ + $opt_debug + func_to_host_path_result="$1" + if test -n "$1"; then + # See func_convert_path_msys_to_w32: + func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_convert_core_msys_to_w32 "$func_to_host_path_tmp1" + func_cygpath -u -p "$func_convert_core_msys_to_w32_result" + func_to_host_path_result="$func_cygpath_result" + func_convert_path_check : : \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" : "$1" + fi +} +# end func_convert_path_msys_to_cygwin + + +# func_convert_path_nix_to_cygwin ARG +# Convert path ARG from *nix to Cygwin format. Requires Cygwin installed in a +# a wine environment, working winepath, and LT_CYGPATH set. Returns result in +# func_to_host_file_result. +func_convert_path_nix_to_cygwin () +{ + $opt_debug + func_to_host_path_result="$1" + if test -n "$1"; then + # Remove leading and trailing path separator characters from + # ARG. msys behavior is inconsistent here, cygpath turns them + # into '.;' and ';.', and winepath ignores them completely. + func_stripname : : "$1" + func_to_host_path_tmp1=$func_stripname_result + func_convert_core_path_wine_to_w32 "$func_to_host_path_tmp1" + func_cygpath -u -p "$func_convert_core_path_wine_to_w32_result" + func_to_host_path_result="$func_cygpath_result" + func_convert_path_check : : \ + "$func_to_host_path_tmp1" "$func_to_host_path_result" + func_convert_path_front_back_pathsep ":*" "*:" : "$1" + fi +} +# end func_convert_path_nix_to_cygwin + + +# func_mode_compile arg... +func_mode_compile () +{ + $opt_debug + # Get the compilation command and the source file. + base_compile= + srcfile="$nonopt" # always keep a non-empty value in "srcfile" + suppress_opt=yes + suppress_output= + arg_mode=normal + libobj= + later= + pie_flag= + + for arg + do + case $arg_mode in + arg ) + # do not "continue". 
Instead, add this to base_compile + lastarg="$arg" + arg_mode=normal + ;; + + target ) + libobj="$arg" + arg_mode=normal + continue + ;; + + normal ) + # Accept any command-line options. + case $arg in + -o) + test -n "$libobj" && \ + func_fatal_error "you cannot specify \`-o' more than once" + arg_mode=target + continue + ;; + + -pie | -fpie | -fPIE) + func_append pie_flag " $arg" + continue + ;; + + -shared | -static | -prefer-pic | -prefer-non-pic) + func_append later " $arg" + continue + ;; + + -no-suppress) + suppress_opt=no + continue + ;; + + -Xcompiler) + arg_mode=arg # the next one goes into the "base_compile" arg list + continue # The current "srcfile" will either be retained or + ;; # replaced later. I would guess that would be a bug. + + -Wc,*) + func_stripname '-Wc,' '' "$arg" + args=$func_stripname_result + lastarg= + save_ifs="$IFS"; IFS=',' + for arg in $args; do + IFS="$save_ifs" + func_append_quoted lastarg "$arg" + done + IFS="$save_ifs" + func_stripname ' ' '' "$lastarg" + lastarg=$func_stripname_result + + # Add the arguments to base_compile. + func_append base_compile " $lastarg" + continue + ;; + + *) + # Accept the current argument as the source file. + # The previous "srcfile" becomes the current argument. + # + lastarg="$srcfile" + srcfile="$arg" + ;; + esac # case $arg + ;; + esac # case $arg_mode + + # Aesthetically quote the previous argument. + func_append_quoted base_compile "$lastarg" + done # for arg + + case $arg_mode in + arg) + func_fatal_error "you must specify an argument for -Xcompile" + ;; + target) + func_fatal_error "you must specify a target with \`-o'" + ;; + *) + # Get the name of the library object. + test -z "$libobj" && { + func_basename "$srcfile" + libobj="$func_basename_result" + } + ;; + esac + + # Recognize several different file suffixes. 
+ # If the user specifies -o file.o, it is replaced with file.lo + case $libobj in + *.[cCFSifmso] | \ + *.ada | *.adb | *.ads | *.asm | \ + *.c++ | *.cc | *.ii | *.class | *.cpp | *.cxx | \ + *.[fF][09]? | *.for | *.java | *.go | *.obj | *.sx | *.cu | *.cup) + func_xform "$libobj" + libobj=$func_xform_result + ;; + esac + + case $libobj in + *.lo) func_lo2o "$libobj"; obj=$func_lo2o_result ;; + *) + func_fatal_error "cannot determine name of library object from \`$libobj'" + ;; + esac + + func_infer_tag $base_compile + + for arg in $later; do + case $arg in + -shared) + test "$build_libtool_libs" != yes && \ + func_fatal_configuration "can not build a shared library" + build_old_libs=no + continue + ;; + + -static) + build_libtool_libs=no + build_old_libs=yes + continue + ;; + + -prefer-pic) + pic_mode=yes + continue + ;; + + -prefer-non-pic) + pic_mode=no + continue + ;; + esac + done + + func_quote_for_eval "$libobj" + test "X$libobj" != "X$func_quote_for_eval_result" \ + && $ECHO "X$libobj" | $GREP '[]~#^*{};<>?"'"'"' &()|`$[]' \ + && func_warning "libobj name \`$libobj' may not contain shell special characters." + func_dirname_and_basename "$obj" "/" "" + objname="$func_basename_result" + xdir="$func_dirname_result" + lobj=${xdir}$objdir/$objname + + test -z "$base_compile" && \ + func_fatal_help "you must specify a compilation command" + + # Delete any leftover library objects. 
+ if test "$build_old_libs" = yes; then + removelist="$obj $lobj $libobj ${libobj}T" + else + removelist="$lobj $libobj ${libobj}T" + fi + + # On Cygwin there's no "real" PIC flag so we must build both object types + case $host_os in + cygwin* | mingw* | pw32* | os2* | cegcc*) + pic_mode=default + ;; + esac + if test "$pic_mode" = no && test "$deplibs_check_method" != pass_all; then + # non-PIC code in shared libraries is not supported + pic_mode=default + fi + + # Calculate the filename of the output object if compiler does + # not support -o with -c + if test "$compiler_c_o" = no; then + output_obj=`$ECHO "$srcfile" | $SED 's%^.*/%%; s%\.[^.]*$%%'`.${objext} + lockfile="$output_obj.lock" + else + output_obj= + need_locks=no + lockfile= + fi + + # Lock this critical section if it is needed + # We use this script file to make the link, it avoids creating a new file + if test "$need_locks" = yes; then + until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do + func_echo "Waiting for $lockfile to be removed" + sleep 2 + done + elif test "$need_locks" = warn; then + if test -f "$lockfile"; then + $ECHO "\ +*** ERROR, $lockfile exists and contains: +`cat $lockfile 2>/dev/null` + +This indicates that another process is trying to use the same +temporary object file, and libtool could not work around it because +your compiler does not support \`-c' and \`-o' together. If you +repeat this compilation, it may succeed, by chance, but you had better +avoid parallel builds (make -j) in this platform, or get a better +compiler." 
+ + $opt_dry_run || $RM $removelist + exit $EXIT_FAILURE + fi + func_append removelist " $output_obj" + $ECHO "$srcfile" > "$lockfile" + fi + + $opt_dry_run || $RM $removelist + func_append removelist " $lockfile" + trap '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' 1 2 15 + + func_to_tool_file "$srcfile" func_convert_file_msys_to_w32 + srcfile=$func_to_tool_file_result + func_quote_for_eval "$srcfile" + qsrcfile=$func_quote_for_eval_result + + # Only build a PIC object if we are building libtool libraries. + if test "$build_libtool_libs" = yes; then + # Without this assignment, base_compile gets emptied. + fbsd_hideous_sh_bug=$base_compile + + if test "$pic_mode" != no; then + command="$base_compile $qsrcfile $pic_flag" + else + # Don't build PIC code + command="$base_compile $qsrcfile" + fi + + func_mkdir_p "$xdir$objdir" + + if test -z "$output_obj"; then + # Place PIC objects in $objdir + func_append command " -o $lobj" + fi + + func_show_eval_locale "$command" \ + 'test -n "$output_obj" && $RM $removelist; exit $EXIT_FAILURE' + + if test "$need_locks" = warn && + test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then + $ECHO "\ +*** ERROR, $lockfile contains: +`cat $lockfile 2>/dev/null` + +but it should contain: +$srcfile + +This indicates that another process is trying to use the same +temporary object file, and libtool could not work around it because +your compiler does not support \`-c' and \`-o' together. If you +repeat this compilation, it may succeed, by chance, but you had better +avoid parallel builds (make -j) in this platform, or get a better +compiler." + + $opt_dry_run || $RM $removelist + exit $EXIT_FAILURE + fi + + # Just move the object if needed, then go on to compile the next one + if test -n "$output_obj" && test "X$output_obj" != "X$lobj"; then + func_show_eval '$MV "$output_obj" "$lobj"' \ + 'error=$?; $opt_dry_run || $RM $removelist; exit $error' + fi + + # Allow error messages only from the first compilation. 
+ if test "$suppress_opt" = yes; then + suppress_output=' >/dev/null 2>&1' + fi + fi + + # Only build a position-dependent object if we build old libraries. + if test "$build_old_libs" = yes; then + if test "$pic_mode" != yes; then + # Don't build PIC code + command="$base_compile $qsrcfile$pie_flag" + else + command="$base_compile $qsrcfile $pic_flag" + fi + if test "$compiler_c_o" = yes; then + func_append command " -o $obj" + fi + + # Suppress compiler output if we already did a PIC compilation. + func_append command "$suppress_output" + func_show_eval_locale "$command" \ + '$opt_dry_run || $RM $removelist; exit $EXIT_FAILURE' + + if test "$need_locks" = warn && + test "X`cat $lockfile 2>/dev/null`" != "X$srcfile"; then + $ECHO "\ +*** ERROR, $lockfile contains: +`cat $lockfile 2>/dev/null` + +but it should contain: +$srcfile + +This indicates that another process is trying to use the same +temporary object file, and libtool could not work around it because +your compiler does not support \`-c' and \`-o' together. If you +repeat this compilation, it may succeed, by chance, but you had better +avoid parallel builds (make -j) in this platform, or get a better +compiler." + + $opt_dry_run || $RM $removelist + exit $EXIT_FAILURE + fi + + # Just move the object if needed + if test -n "$output_obj" && test "X$output_obj" != "X$obj"; then + func_show_eval '$MV "$output_obj" "$obj"' \ + 'error=$?; $opt_dry_run || $RM $removelist; exit $error' + fi + fi + + $opt_dry_run || { + func_write_libtool_object "$libobj" "$objdir/$objname" "$objname" + + # Unlock the critical section if it was locked + if test "$need_locks" != no; then + removelist=$lockfile + $RM "$lockfile" + fi + } + + exit $EXIT_SUCCESS +} + +$opt_help || { + test "$opt_mode" = compile && func_mode_compile ${1+"$@"} +} + +func_mode_help () +{ + # We need to display help for each of the modes. + case $opt_mode in + "") + # Generic help is extracted from the usage comments + # at the start of this file. 
+ func_help + ;; + + clean) + $ECHO \ +"Usage: $progname [OPTION]... --mode=clean RM [RM-OPTION]... FILE... + +Remove files from the build directory. + +RM is the name of the program to use to delete files associated with each FILE +(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed +to RM. + +If FILE is a libtool library, object or program, all the files associated +with it are deleted. Otherwise, only FILE itself is deleted using RM." + ;; + + compile) + $ECHO \ +"Usage: $progname [OPTION]... --mode=compile COMPILE-COMMAND... SOURCEFILE + +Compile a source file into a libtool library object. + +This mode accepts the following additional options: + + -o OUTPUT-FILE set the output file name to OUTPUT-FILE + -no-suppress do not suppress compiler output for multiple passes + -prefer-pic try to build PIC objects only + -prefer-non-pic try to build non-PIC objects only + -shared do not build a \`.o' file suitable for static linking + -static only build a \`.o' file suitable for static linking + -Wc,FLAG pass FLAG directly to the compiler + +COMPILE-COMMAND is a command to be used in creating a \`standard' object file +from the given SOURCEFILE. + +The output file name is determined by removing the directory component from +SOURCEFILE, then substituting the C source code suffix \`.c' with the +library object suffix, \`.lo'." + ;; + + execute) + $ECHO \ +"Usage: $progname [OPTION]... --mode=execute COMMAND [ARGS]... + +Automatically set library path, then run a program. + +This mode accepts the following additional options: + + -dlopen FILE add the directory containing FILE to the library path + +This mode sets the library path environment variable according to \`-dlopen' +flags. + +If any of the ARGS are libtool executable wrappers, then they are translated +into their corresponding uninstalled binary, and any of their required library +directories are added to the library path. + +Then, COMMAND is executed, with ARGS as arguments." 
+ ;; + + finish) + $ECHO \ +"Usage: $progname [OPTION]... --mode=finish [LIBDIR]... + +Complete the installation of libtool libraries. + +Each LIBDIR is a directory that contains libtool libraries. + +The commands that this mode executes may require superuser privileges. Use +the \`--dry-run' option if you just want to see what would be executed." + ;; + + install) + $ECHO \ +"Usage: $progname [OPTION]... --mode=install INSTALL-COMMAND... + +Install executables or libraries. + +INSTALL-COMMAND is the installation command. The first component should be +either the \`install' or \`cp' program. + +The following components of INSTALL-COMMAND are treated specially: + + -inst-prefix-dir PREFIX-DIR Use PREFIX-DIR as a staging area for installation + +The rest of the components are interpreted as arguments to that command (only +BSD-compatible install options are recognized)." + ;; + + link) + $ECHO \ +"Usage: $progname [OPTION]... --mode=link LINK-COMMAND... + +Link object files or libraries together to form another library, or to +create an executable program. + +LINK-COMMAND is a command using the C compiler that you would use to create +a program from several object files. 
+ +The following components of LINK-COMMAND are treated specially: + + -all-static do not do any dynamic linking at all + -avoid-version do not add a version suffix if possible + -bindir BINDIR specify path to binaries directory (for systems where + libraries must be found in the PATH setting at runtime) + -dlopen FILE \`-dlpreopen' FILE if it cannot be dlopened at runtime + -dlpreopen FILE link in FILE and add its symbols to lt_preloaded_symbols + -export-dynamic allow symbols from OUTPUT-FILE to be resolved with dlsym(3) + -export-symbols SYMFILE + try to export only the symbols listed in SYMFILE + -export-symbols-regex REGEX + try to export only the symbols matching REGEX + -LLIBDIR search LIBDIR for required installed libraries + -lNAME OUTPUT-FILE requires the installed library libNAME + -module build a library that can dlopened + -no-fast-install disable the fast-install mode + -no-install link a not-installable executable + -no-undefined declare that a library does not refer to external symbols + -o OUTPUT-FILE create OUTPUT-FILE from the specified objects + -objectlist FILE Use a list of object files found in FILE to specify objects + -precious-files-regex REGEX + don't remove output files matching REGEX + -release RELEASE specify package release information + -rpath LIBDIR the created library will eventually be installed in LIBDIR + -R[ ]LIBDIR add LIBDIR to the runtime path of programs and libraries + -shared only do dynamic linking of libtool libraries + -shrext SUFFIX override the standard shared library file extension + -static do not do any dynamic linking of uninstalled libtool libraries + -static-libtool-libs + do not do any dynamic linking of libtool libraries + -version-info CURRENT[:REVISION[:AGE]] + specify library version info [each variable defaults to 0] + -weak LIBNAME declare that the target provides the LIBNAME interface + -Wc,FLAG + -Xcompiler FLAG pass linker-specific FLAG directly to the compiler + -Wl,FLAG + -Xlinker FLAG pass 
linker-specific FLAG directly to the linker + -XCClinker FLAG pass link-specific FLAG to the compiler driver (CC) + +All other options (arguments beginning with \`-') are ignored. + +Every other argument is treated as a filename. Files ending in \`.la' are +treated as uninstalled libtool libraries, other files are standard or library +object files. + +If the OUTPUT-FILE ends in \`.la', then a libtool library is created, +only library objects (\`.lo' files) may be specified, and \`-rpath' is +required, except when creating a convenience library. + +If OUTPUT-FILE ends in \`.a' or \`.lib', then a standard library is created +using \`ar' and \`ranlib', or on Windows using \`lib'. + +If OUTPUT-FILE ends in \`.lo' or \`.${objext}', then a reloadable object file +is created, otherwise an executable program is created." + ;; + + uninstall) + $ECHO \ +"Usage: $progname [OPTION]... --mode=uninstall RM [RM-OPTION]... FILE... + +Remove libraries from an installation directory. + +RM is the name of the program to use to delete files associated with each FILE +(typically \`/bin/rm'). RM-OPTIONS are options (such as \`-f') to be passed +to RM. + +If FILE is a libtool library, all the files associated with it are deleted. +Otherwise, only FILE itself is deleted using RM." + ;; + + *) + func_fatal_help "invalid operation mode \`$opt_mode'" + ;; + esac + + echo + $ECHO "Try \`$progname --help' for more information about other modes." 
+} + +# Now that we've collected a possible --mode arg, show help if necessary +if $opt_help; then + if test "$opt_help" = :; then + func_mode_help + else + { + func_help noexit + for opt_mode in compile link execute install finish uninstall clean; do + func_mode_help + done + } | sed -n '1p; 2,$s/^Usage:/ or: /p' + { + func_help noexit + for opt_mode in compile link execute install finish uninstall clean; do + echo + func_mode_help + done + } | + sed '1d + /^When reporting/,/^Report/{ + H + d + } + $x + /information about other modes/d + /more detailed .*MODE/d + s/^Usage:.*--mode=\([^ ]*\) .*/Description of \1 mode:/' + fi + exit $? +fi + + +# func_mode_execute arg... +func_mode_execute () +{ + $opt_debug + # The first argument is the command name. + cmd="$nonopt" + test -z "$cmd" && \ + func_fatal_help "you must specify a COMMAND" + + # Handle -dlopen flags immediately. + for file in $opt_dlopen; do + test -f "$file" \ + || func_fatal_help "\`$file' is not a file" + + dir= + case $file in + *.la) + func_resolve_sysroot "$file" + file=$func_resolve_sysroot_result + + # Check to see that this really is a libtool archive. + func_lalib_unsafe_p "$file" \ + || func_fatal_help "\`$lib' is not a valid libtool archive" + + # Read the libtool library. + dlname= + library_names= + func_source "$file" + + # Skip this library if it cannot be dlopened. + if test -z "$dlname"; then + # Warn if it was a shared library. + test -n "$library_names" && \ + func_warning "\`$file' was not linked with \`-export-dynamic'" + continue + fi + + func_dirname "$file" "" "." + dir="$func_dirname_result" + + if test -f "$dir/$objdir/$dlname"; then + func_append dir "/$objdir" + else + if test ! -f "$dir/$dlname"; then + func_fatal_error "cannot find \`$dlname' in \`$dir' or \`$dir/$objdir'" + fi + fi + ;; + + *.lo) + # Just add the directory containing the .lo file. + func_dirname "$file" "" "." 
+ dir="$func_dirname_result" + ;; + + *) + func_warning "\`-dlopen' is ignored for non-libtool libraries and objects" + continue + ;; + esac + + # Get the absolute pathname. + absdir=`cd "$dir" && pwd` + test -n "$absdir" && dir="$absdir" + + # Now add the directory to shlibpath_var. + if eval "test -z \"\$$shlibpath_var\""; then + eval "$shlibpath_var=\"\$dir\"" + else + eval "$shlibpath_var=\"\$dir:\$$shlibpath_var\"" + fi + done + + # This variable tells wrapper scripts just to set shlibpath_var + # rather than running their programs. + libtool_execute_magic="$magic" + + # Check if any of the arguments is a wrapper script. + args= + for file + do + case $file in + -* | *.la | *.lo ) ;; + *) + # Do a test to see if this is really a libtool program. + if func_ltwrapper_script_p "$file"; then + func_source "$file" + # Transform arg to wrapped name. + file="$progdir/$program" + elif func_ltwrapper_executable_p "$file"; then + func_ltwrapper_scriptname "$file" + func_source "$func_ltwrapper_scriptname_result" + # Transform arg to wrapped name. + file="$progdir/$program" + fi + ;; + esac + # Quote arguments (to preserve shell metacharacters). + func_append_quoted args "$file" + done + + if test "X$opt_dry_run" = Xfalse; then + if test -n "$shlibpath_var"; then + # Export the shlibpath_var. + eval "export $shlibpath_var" + fi + + # Restore saved environment variables + for lt_var in LANG LANGUAGE LC_ALL LC_CTYPE LC_COLLATE LC_MESSAGES + do + eval "if test \"\${save_$lt_var+set}\" = set; then + $lt_var=\$save_$lt_var; export $lt_var + else + $lt_unset $lt_var + fi" + done + + # Now prepare to actually exec the command. + exec_cmd="\$cmd$args" + else + # Display what would be done. + if test -n "$shlibpath_var"; then + eval "\$ECHO \"\$shlibpath_var=\$$shlibpath_var\"" + echo "export $shlibpath_var" + fi + $ECHO "$cmd$args" + exit $EXIT_SUCCESS + fi +} + +test "$opt_mode" = execute && func_mode_execute ${1+"$@"} + + +# func_mode_finish arg... 
+func_mode_finish () +{ + $opt_debug + libs= + libdirs= + admincmds= + + for opt in "$nonopt" ${1+"$@"} + do + if test -d "$opt"; then + func_append libdirs " $opt" + + elif test -f "$opt"; then + if func_lalib_unsafe_p "$opt"; then + func_append libs " $opt" + else + func_warning "\`$opt' is not a valid libtool archive" + fi + + else + func_fatal_error "invalid argument \`$opt'" + fi + done + + if test -n "$libs"; then + if test -n "$lt_sysroot"; then + sysroot_regex=`$ECHO "$lt_sysroot" | $SED "$sed_make_literal_regex"` + sysroot_cmd="s/\([ ']\)$sysroot_regex/\1/g;" + else + sysroot_cmd= + fi + + # Remove sysroot references + if $opt_dry_run; then + for lib in $libs; do + echo "removing references to $lt_sysroot and \`=' prefixes from $lib" + done + else + tmpdir=`func_mktempdir` + for lib in $libs; do + sed -e "${sysroot_cmd} s/\([ ']-[LR]\)=/\1/g; s/\([ ']\)=/\1/g" $lib \ + > $tmpdir/tmp-la + mv -f $tmpdir/tmp-la $lib + done + ${RM}r "$tmpdir" + fi + fi + + if test -n "$finish_cmds$finish_eval" && test -n "$libdirs"; then + for libdir in $libdirs; do + if test -n "$finish_cmds"; then + # Do each command in the finish commands. + func_execute_cmds "$finish_cmds" 'admincmds="$admincmds +'"$cmd"'"' + fi + if test -n "$finish_eval"; then + # Do the single finish_eval. + eval cmds=\"$finish_eval\" + $opt_dry_run || eval "$cmds" || func_append admincmds " + $cmds" + fi + done + fi + + # Exit here if they wanted silent mode. + $opt_silent && exit $EXIT_SUCCESS + + exit $EXIT_SUCCESS +} + +test "$opt_mode" = finish && func_mode_finish ${1+"$@"} + + +# func_mode_install arg... +func_mode_install () +{ + $opt_debug + # There may be an optional sh(1) argument at the beginning of + # install_prog (especially on Windows NT). + if test "$nonopt" = "$SHELL" || test "$nonopt" = /bin/sh || + # Allow the use of GNU shtool's install command. + case $nonopt in *shtool*) :;; *) false;; esac; then + # Aesthetically quote it. 
+ func_quote_for_eval "$nonopt" + install_prog="$func_quote_for_eval_result " + arg=$1 + shift + else + install_prog= + arg=$nonopt + fi + + # The real first argument should be the name of the installation program. + # Aesthetically quote it. + func_quote_for_eval "$arg" + func_append install_prog "$func_quote_for_eval_result" + install_shared_prog=$install_prog + case " $install_prog " in + *[\\\ /]cp\ *) install_cp=: ;; + *) install_cp=false ;; + esac + + # We need to accept at least all the BSD install flags. + dest= + files= + opts= + prev= + install_type= + isdir=no + stripme= + no_mode=: + for arg + do + arg2= + if test -n "$dest"; then + func_append files " $dest" + dest=$arg + continue + fi + + case $arg in + -d) isdir=yes ;; + -f) + if $install_cp; then :; else + prev=$arg + fi + ;; + -g | -m | -o) + prev=$arg + ;; + -s) + stripme=" -s" + continue + ;; + -*) + ;; + *) + # If the previous option needed an argument, then skip it. + if test -n "$prev"; then + if test "x$prev" = x-m && test -n "$install_override_mode"; then + arg2=$install_override_mode + no_mode=false + fi + prev= + else + dest=$arg + continue + fi + ;; + esac + + # Aesthetically quote the argument. 
+ func_quote_for_eval "$arg" + func_append install_prog " $func_quote_for_eval_result" + if test -n "$arg2"; then + func_quote_for_eval "$arg2" + fi + func_append install_shared_prog " $func_quote_for_eval_result" + done + case " $install_prog " in + *[\\\ /]cp\ *) extra_mode=;; + *) extra_mode='-m 644';; + esac + + test -z "$install_prog" && \ + func_fatal_help "you must specify an install program" + + test -n "$prev" && \ + func_fatal_help "the \`$prev' option requires an argument" + + if test -n "$install_override_mode" && $no_mode; then + if $install_cp; then :; else + func_quote_for_eval "$install_override_mode" + func_append install_shared_prog " -m $func_quote_for_eval_result" + fi + fi + + if test -z "$files"; then + if test -z "$dest"; then + func_fatal_help "no file or destination specified" + else + func_fatal_help "you must specify a destination" + fi + fi + + # Strip any trailing slash from the destination. + func_stripname '' '/' "$dest" + dest=$func_stripname_result + + # Check to see that the destination is a directory. + test -d "$dest" && isdir=yes + if test "$isdir" = yes; then + destdir="$dest" + destname= + else + func_dirname_and_basename "$dest" "" "." + destdir="$func_dirname_result" + destname="$func_basename_result" + + # Not a directory, so check to see that there is only one file specified. + set dummy $files; shift + test "$#" -gt 1 && \ + func_fatal_help "\`$dest' is not a directory" + fi + case $destdir in + [\\/]* | [A-Za-z]:[\\/]*) ;; + *) + for file in $files; do + case $file in + *.lo) ;; + *) + func_fatal_help "\`$destdir' must be an absolute directory name" + ;; + esac + done + ;; + esac + + # This variable tells wrapper scripts just to set variables rather + # than running their programs. + libtool_install_magic="$magic" + + staticlibs= + future_libdirs= + current_libdirs= + for file in $files; do + + # Do each installation. + case $file in + *.$libext) + # Do the static libraries later. 
+ func_append staticlibs " $file" + ;; + + *.la) + func_resolve_sysroot "$file" + file=$func_resolve_sysroot_result + + # Check to see that this really is a libtool archive. + func_lalib_unsafe_p "$file" \ + || func_fatal_help "\`$file' is not a valid libtool archive" + + library_names= + old_library= + relink_command= + func_source "$file" + + # Add the libdir to current_libdirs if it is the destination. + if test "X$destdir" = "X$libdir"; then + case "$current_libdirs " in + *" $libdir "*) ;; + *) func_append current_libdirs " $libdir" ;; + esac + else + # Note the libdir as a future libdir. + case "$future_libdirs " in + *" $libdir "*) ;; + *) func_append future_libdirs " $libdir" ;; + esac + fi + + func_dirname "$file" "/" "" + dir="$func_dirname_result" + func_append dir "$objdir" + + if test -n "$relink_command"; then + # Determine the prefix the user has applied to our future dir. + inst_prefix_dir=`$ECHO "$destdir" | $SED -e "s%$libdir\$%%"` + + # Don't allow the user to place us outside of our expected + # location b/c this prevents finding dependent libraries that + # are installed to the same prefix. + # At present, this check doesn't affect windows .dll's that + # are installed into $libdir/../bin (currently, that works fine) + # but it's something to keep an eye on. + test "$inst_prefix_dir" = "$destdir" && \ + func_fatal_error "error: cannot install \`$file' to a directory not ending in $libdir" + + if test -n "$inst_prefix_dir"; then + # Stick the inst_prefix_dir data into the link command. + relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%-inst-prefix-dir $inst_prefix_dir%"` + else + relink_command=`$ECHO "$relink_command" | $SED "s%@inst_prefix_dir@%%"` + fi + + func_warning "relinking \`$file'" + func_show_eval "$relink_command" \ + 'func_fatal_error "error: relink \`$file'\'' with the above command before installing it"' + fi + + # See the names of the shared library. 
+ set dummy $library_names; shift + if test -n "$1"; then + realname="$1" + shift + + srcname="$realname" + test -n "$relink_command" && srcname="$realname"T + + # Install the shared library and build the symlinks. + func_show_eval "$install_shared_prog $extra_mode $dir/$srcname $destdir/$realname" \ + 'exit $?' + tstripme="$stripme" + case $host_os in + cygwin* | mingw* | pw32* | cegcc*) + case $realname in + *.dll.a) + tstripme="" + ;; + esac + ;; + esac + if test -n "$tstripme" && test -n "$striplib"; then + func_show_eval "$striplib $destdir/$realname" 'exit $?' + fi + + if test "$#" -gt 0; then + # Delete the old symlinks, and create new ones. + # Try `ln -sf' first, because the `ln' binary might depend on + # the symlink we replace! Solaris /bin/ln does not understand -f, + # so we also need to try rm && ln -s. + for linkname + do + test "$linkname" != "$realname" \ + && func_show_eval "(cd $destdir && { $LN_S -f $realname $linkname || { $RM $linkname && $LN_S $realname $linkname; }; })" + done + fi + + # Do each command in the postinstall commands. + lib="$destdir/$realname" + func_execute_cmds "$postinstall_cmds" 'exit $?' + fi + + # Install the pseudo-library for information purposes. + func_basename "$file" + name="$func_basename_result" + instname="$dir/$name"i + func_show_eval "$install_prog $extra_mode $instname $destdir/$name" 'exit $?' + + # Maybe install the static library, too. + test -n "$old_library" && func_append staticlibs " $dir/$old_library" + ;; + + *.lo) + # Install (i.e. copy) a libtool object. + + # Figure out destination file name, if it wasn't already specified. + if test -n "$destname"; then + destfile="$destdir/$destname" + else + func_basename "$file" + destfile="$func_basename_result" + destfile="$destdir/$destfile" + fi + + # Deduce the name of the destination old-style object file. 
+ case $destfile in + *.lo) + func_lo2o "$destfile" + staticdest=$func_lo2o_result + ;; + *.$objext) + staticdest="$destfile" + destfile= + ;; + *) + func_fatal_help "cannot copy a libtool object to \`$destfile'" + ;; + esac + + # Install the libtool object if requested. + test -n "$destfile" && \ + func_show_eval "$install_prog $extra_mode $file $destfile" 'exit $?' + + # Install the old object if enabled. + if test "$build_old_libs" = yes; then + # Deduce the name of the old-style object file. + func_lo2o "$file" + staticobj=$func_lo2o_result + func_show_eval "$install_prog $extra_mode \$staticobj \$staticdest" 'exit $?' + fi + exit $EXIT_SUCCESS + ;; + + *) + # Figure out destination file name, if it wasn't already specified. + if test -n "$destname"; then + destfile="$destdir/$destname" + else + func_basename "$file" + destfile="$func_basename_result" + destfile="$destdir/$destfile" + fi + + # If the file is missing, and there is a .exe on the end, strip it + # because it is most likely a libtool script we actually want to + # install + stripped_ext="" + case $file in + *.exe) + if test ! -f "$file"; then + func_stripname '' '.exe' "$file" + file=$func_stripname_result + stripped_ext=".exe" + fi + ;; + esac + + # Do a test to see if this is really a libtool program. + case $host in + *cygwin* | *mingw*) + if func_ltwrapper_executable_p "$file"; then + func_ltwrapper_scriptname "$file" + wrapper=$func_ltwrapper_scriptname_result + else + func_stripname '' '.exe' "$file" + wrapper=$func_stripname_result + fi + ;; + *) + wrapper=$file + ;; + esac + if func_ltwrapper_script_p "$wrapper"; then + notinst_deplibs= + relink_command= + + func_source "$wrapper" + + # Check the variables that should have been set. + test -z "$generated_by_libtool_version" && \ + func_fatal_error "invalid libtool wrapper script \`$wrapper'" + + finalize=yes + for lib in $notinst_deplibs; do + # Check to see that each library is installed. 
+ libdir= + if test -f "$lib"; then + func_source "$lib" + fi + libfile="$libdir/"`$ECHO "$lib" | $SED 's%^.*/%%g'` ### testsuite: skip nested quoting test + if test -n "$libdir" && test ! -f "$libfile"; then + func_warning "\`$lib' has not been installed in \`$libdir'" + finalize=no + fi + done + + relink_command= + func_source "$wrapper" + + outputname= + if test "$fast_install" = no && test -n "$relink_command"; then + $opt_dry_run || { + if test "$finalize" = yes; then + tmpdir=`func_mktempdir` + func_basename "$file$stripped_ext" + file="$func_basename_result" + outputname="$tmpdir/$file" + # Replace the output file specification. + relink_command=`$ECHO "$relink_command" | $SED 's%@OUTPUT@%'"$outputname"'%g'` + + $opt_silent || { + func_quote_for_expand "$relink_command" + eval "func_echo $func_quote_for_expand_result" + } + if eval "$relink_command"; then : + else + func_error "error: relink \`$file' with the above command before installing it" + $opt_dry_run || ${RM}r "$tmpdir" + continue + fi + file="$outputname" + else + func_warning "cannot relink \`$file'" + fi + } + else + # Install the binary that we compiled earlier. + file=`$ECHO "$file$stripped_ext" | $SED "s%\([^/]*\)$%$objdir/\1%"` + fi + fi + + # remove .exe since cygwin /usr/bin/install will append another + # one anyway + case $install_prog,$host in + */usr/bin/install*,*cygwin*) + case $file:$destfile in + *.exe:*.exe) + # this is ok + ;; + *.exe:*) + destfile=$destfile.exe + ;; + *:*.exe) + func_stripname '' '.exe' "$destfile" + destfile=$func_stripname_result + ;; + esac + ;; + esac + func_show_eval "$install_prog\$stripme \$file \$destfile" 'exit $?' + $opt_dry_run || if test -n "$outputname"; then + ${RM}r "$tmpdir" + fi + ;; + esac + done + + for file in $staticlibs; do + func_basename "$file" + name="$func_basename_result" + + # Set up the ranlib parameters. 
+ oldlib="$destdir/$name" + func_to_tool_file "$oldlib" func_convert_file_msys_to_w32 + tool_oldlib=$func_to_tool_file_result + + func_show_eval "$install_prog \$file \$oldlib" 'exit $?' + + if test -n "$stripme" && test -n "$old_striplib"; then + func_show_eval "$old_striplib $tool_oldlib" 'exit $?' + fi + + # Do each command in the postinstall commands. + func_execute_cmds "$old_postinstall_cmds" 'exit $?' + done + + test -n "$future_libdirs" && \ + func_warning "remember to run \`$progname --finish$future_libdirs'" + + if test -n "$current_libdirs"; then + # Maybe just do a dry run. + $opt_dry_run && current_libdirs=" -n$current_libdirs" + exec_cmd='$SHELL $progpath $preserve_args --finish$current_libdirs' + else + exit $EXIT_SUCCESS + fi +} + +test "$opt_mode" = install && func_mode_install ${1+"$@"} + + +# func_generate_dlsyms outputname originator pic_p +# Extract symbols from dlprefiles and create ${outputname}S.o with +# a dlpreopen symbol table. +func_generate_dlsyms () +{ + $opt_debug + my_outputname="$1" + my_originator="$2" + my_pic_p="${3-no}" + my_prefix=`$ECHO "$my_originator" | sed 's%[^a-zA-Z0-9]%_%g'` + my_dlsyms= + + if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then + if test -n "$NM" && test -n "$global_symbol_pipe"; then + my_dlsyms="${my_outputname}S.c" + else + func_error "not configured to extract global symbols from dlpreopened files" + fi + fi + + if test -n "$my_dlsyms"; then + case $my_dlsyms in + "") ;; + *.c) + # Discover the nlist of each of the dlfiles. + nlist="$output_objdir/${my_outputname}.nm" + + func_show_eval "$RM $nlist ${nlist}S ${nlist}T" + + # Parse the name list into a source file. + func_verbose "creating $output_objdir/$my_dlsyms" + + $opt_dry_run || $ECHO > "$output_objdir/$my_dlsyms" "\ +/* $my_dlsyms - symbol resolution table for \`$my_outputname' dlsym emulation. 
*/ +/* Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION */ + +#ifdef __cplusplus +extern \"C\" { +#endif + +#if defined(__GNUC__) && (((__GNUC__ == 4) && (__GNUC_MINOR__ >= 4)) || (__GNUC__ > 4)) +#pragma GCC diagnostic ignored \"-Wstrict-prototypes\" +#endif + +/* Keep this code in sync between libtool.m4, ltmain, lt_system.h, and tests. */ +#if defined(_WIN32) || defined(__CYGWIN__) || defined(_WIN32_WCE) +/* DATA imports from DLLs on WIN32 con't be const, because runtime + relocations are performed -- see ld's documentation on pseudo-relocs. */ +# define LT_DLSYM_CONST +#elif defined(__osf__) +/* This system does not cope well with relocations in const data. */ +# define LT_DLSYM_CONST +#else +# define LT_DLSYM_CONST const +#endif + +/* External symbol declarations for the compiler. */\ +" + + if test "$dlself" = yes; then + func_verbose "generating symbol list for \`$output'" + + $opt_dry_run || echo ': @PROGRAM@ ' > "$nlist" + + # Add our own program objects to the symbol list. 
+ progfiles=`$ECHO "$objs$old_deplibs" | $SP2NL | $SED "$lo2o" | $NL2SP` + for progfile in $progfiles; do + func_to_tool_file "$progfile" func_convert_file_msys_to_w32 + func_verbose "extracting global C symbols from \`$func_to_tool_file_result'" + $opt_dry_run || eval "$NM $func_to_tool_file_result | $global_symbol_pipe >> '$nlist'" + done + + if test -n "$exclude_expsyms"; then + $opt_dry_run || { + eval '$EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T' + eval '$MV "$nlist"T "$nlist"' + } + fi + + if test -n "$export_symbols_regex"; then + $opt_dry_run || { + eval '$EGREP -e "$export_symbols_regex" "$nlist" > "$nlist"T' + eval '$MV "$nlist"T "$nlist"' + } + fi + + # Prepare the list of exported symbols + if test -z "$export_symbols"; then + export_symbols="$output_objdir/$outputname.exp" + $opt_dry_run || { + $RM $export_symbols + eval "${SED} -n -e '/^: @PROGRAM@ $/d' -e 's/^.* \(.*\)$/\1/p' "'< "$nlist" > "$export_symbols"' + case $host in + *cygwin* | *mingw* | *cegcc* ) + eval "echo EXPORTS "'> "$output_objdir/$outputname.def"' + eval 'cat "$export_symbols" >> "$output_objdir/$outputname.def"' + ;; + esac + } + else + $opt_dry_run || { + eval "${SED} -e 's/\([].[*^$]\)/\\\\\1/g' -e 's/^/ /' -e 's/$/$/'"' < "$export_symbols" > "$output_objdir/$outputname.exp"' + eval '$GREP -f "$output_objdir/$outputname.exp" < "$nlist" > "$nlist"T' + eval '$MV "$nlist"T "$nlist"' + case $host in + *cygwin* | *mingw* | *cegcc* ) + eval "echo EXPORTS "'> "$output_objdir/$outputname.def"' + eval 'cat "$nlist" >> "$output_objdir/$outputname.def"' + ;; + esac + } + fi + fi + + for dlprefile in $dlprefiles; do + func_verbose "extracting global C symbols from \`$dlprefile'" + func_basename "$dlprefile" + name="$func_basename_result" + case $host in + *cygwin* | *mingw* | *cegcc* ) + # if an import library, we need to obtain dlname + if func_win32_import_lib_p "$dlprefile"; then + func_tr_sh "$dlprefile" + eval "curr_lafile=\$libfile_$func_tr_sh_result" + 
dlprefile_dlbasename="" + if test -n "$curr_lafile" && func_lalib_p "$curr_lafile"; then + # Use subshell, to avoid clobbering current variable values + dlprefile_dlname=`source "$curr_lafile" && echo "$dlname"` + if test -n "$dlprefile_dlname" ; then + func_basename "$dlprefile_dlname" + dlprefile_dlbasename="$func_basename_result" + else + # no lafile. user explicitly requested -dlpreopen . + $sharedlib_from_linklib_cmd "$dlprefile" + dlprefile_dlbasename=$sharedlib_from_linklib_result + fi + fi + $opt_dry_run || { + if test -n "$dlprefile_dlbasename" ; then + eval '$ECHO ": $dlprefile_dlbasename" >> "$nlist"' + else + func_warning "Could not compute DLL name from $name" + eval '$ECHO ": $name " >> "$nlist"' + fi + func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 + eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe | + $SED -e '/I __imp/d' -e 's/I __nm_/D /;s/_nm__//' >> '$nlist'" + } + else # not an import lib + $opt_dry_run || { + eval '$ECHO ": $name " >> "$nlist"' + func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 + eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'" + } + fi + ;; + *) + $opt_dry_run || { + eval '$ECHO ": $name " >> "$nlist"' + func_to_tool_file "$dlprefile" func_convert_file_msys_to_w32 + eval "$NM \"$func_to_tool_file_result\" 2>/dev/null | $global_symbol_pipe >> '$nlist'" + } + ;; + esac + done + + $opt_dry_run || { + # Make sure we have at least an empty file. + test -f "$nlist" || : > "$nlist" + + if test -n "$exclude_expsyms"; then + $EGREP -v " ($exclude_expsyms)$" "$nlist" > "$nlist"T + $MV "$nlist"T "$nlist" + fi + + # Try sorting and uniquifying the output. 
+ if $GREP -v "^: " < "$nlist" | + if sort -k 3 /dev/null 2>&1; then + sort -k 3 + else + sort +2 + fi | + uniq > "$nlist"S; then + : + else + $GREP -v "^: " < "$nlist" > "$nlist"S + fi + + if test -f "$nlist"S; then + eval "$global_symbol_to_cdecl"' < "$nlist"S >> "$output_objdir/$my_dlsyms"' + else + echo '/* NONE */' >> "$output_objdir/$my_dlsyms" + fi + + echo >> "$output_objdir/$my_dlsyms" "\ + +/* The mapping between symbol names and symbols. */ +typedef struct { + const char *name; + void *address; +} lt_dlsymlist; +extern LT_DLSYM_CONST lt_dlsymlist +lt_${my_prefix}_LTX_preloaded_symbols[]; +LT_DLSYM_CONST lt_dlsymlist +lt_${my_prefix}_LTX_preloaded_symbols[] = +{\ + { \"$my_originator\", (void *) 0 }," + + case $need_lib_prefix in + no) + eval "$global_symbol_to_c_name_address" < "$nlist" >> "$output_objdir/$my_dlsyms" + ;; + *) + eval "$global_symbol_to_c_name_address_lib_prefix" < "$nlist" >> "$output_objdir/$my_dlsyms" + ;; + esac + echo >> "$output_objdir/$my_dlsyms" "\ + {0, (void *) 0} +}; + +/* This works around a problem in FreeBSD linker */ +#ifdef FREEBSD_WORKAROUND +static const void *lt_preloaded_setup() { + return lt_${my_prefix}_LTX_preloaded_symbols; +} +#endif + +#ifdef __cplusplus +} +#endif\ +" + } # !$opt_dry_run + + pic_flag_for_symtable= + case "$compile_command " in + *" -static "*) ;; + *) + case $host in + # compiling the symbol table file with pic_flag works around + # a FreeBSD bug that causes programs to crash when -lm is + # linked before any other PIC object. But we must not use + # pic_flag when linking with -static. The problem exists in + # FreeBSD 2.2.6 and is fixed in FreeBSD 3.1. 
+ *-*-freebsd2.*|*-*-freebsd3.0*|*-*-freebsdelf3.0*) + pic_flag_for_symtable=" $pic_flag -DFREEBSD_WORKAROUND" ;; + *-*-hpux*) + pic_flag_for_symtable=" $pic_flag" ;; + *) + if test "X$my_pic_p" != Xno; then + pic_flag_for_symtable=" $pic_flag" + fi + ;; + esac + ;; + esac + symtab_cflags= + for arg in $LTCFLAGS; do + case $arg in + -pie | -fpie | -fPIE) ;; + *) func_append symtab_cflags " $arg" ;; + esac + done + + # Now compile the dynamic symbol file. + func_show_eval '(cd $output_objdir && $LTCC$symtab_cflags -c$no_builtin_flag$pic_flag_for_symtable "$my_dlsyms")' 'exit $?' + + # Clean up the generated files. + func_show_eval '$RM "$output_objdir/$my_dlsyms" "$nlist" "${nlist}S" "${nlist}T"' + + # Transform the symbol file into the correct name. + symfileobj="$output_objdir/${my_outputname}S.$objext" + case $host in + *cygwin* | *mingw* | *cegcc* ) + if test -f "$output_objdir/$my_outputname.def"; then + compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"` + finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$output_objdir/$my_outputname.def $symfileobj%"` + else + compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"` + finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"` + fi + ;; + *) + compile_command=`$ECHO "$compile_command" | $SED "s%@SYMFILE@%$symfileobj%"` + finalize_command=`$ECHO "$finalize_command" | $SED "s%@SYMFILE@%$symfileobj%"` + ;; + esac + ;; + *) + func_fatal_error "unknown suffix for \`$my_dlsyms'" + ;; + esac + else + # We keep going just in case the user didn't refer to + # lt_preloaded_symbols. The linker will fail if global_symbol_pipe + # really was required. + + # Nullify the symbol file. 
+ compile_command=`$ECHO "$compile_command" | $SED "s% @SYMFILE@%%"` + finalize_command=`$ECHO "$finalize_command" | $SED "s% @SYMFILE@%%"` + fi +} + +# func_win32_libid arg +# return the library type of file 'arg' +# +# Need a lot of goo to handle *both* DLLs and import libs +# Has to be a shell function in order to 'eat' the argument +# that is supplied when $file_magic_command is called. +# Despite the name, also deal with 64 bit binaries. +func_win32_libid () +{ + $opt_debug + win32_libid_type="unknown" + win32_fileres=`file -L $1 2>/dev/null` + case $win32_fileres in + *ar\ archive\ import\ library*) # definitely import + win32_libid_type="x86 archive import" + ;; + *ar\ archive*) # could be an import, or static + # Keep the egrep pattern in sync with the one in _LT_CHECK_MAGIC_METHOD. + if eval $OBJDUMP -f $1 | $SED -e '10q' 2>/dev/null | + $EGREP 'file format (pei*-i386(.*architecture: i386)?|pe-arm-wince|pe-x86-64)' >/dev/null; then + func_to_tool_file "$1" func_convert_file_msys_to_w32 + win32_nmres=`eval $NM -f posix -A \"$func_to_tool_file_result\" | + $SED -n -e ' + 1,100{ + / I /{ + s,.*,import, + p + q + } + }'` + case $win32_nmres in + import*) win32_libid_type="x86 archive import";; + *) win32_libid_type="x86 archive static";; + esac + fi + ;; + *DLL*) + win32_libid_type="x86 DLL" + ;; + *executable*) # but shell scripts are "executable" too... + case $win32_fileres in + *MS\ Windows\ PE\ Intel*) + win32_libid_type="x86 DLL" + ;; + esac + ;; + esac + $ECHO "$win32_libid_type" +} + +# func_cygming_dll_for_implib ARG +# +# Platform-specific function to extract the +# name of the DLL associated with the specified +# import library ARG. 
+# Invoked by eval'ing the libtool variable +# $sharedlib_from_linklib_cmd +# Result is available in the variable +# $sharedlib_from_linklib_result +func_cygming_dll_for_implib () +{ + $opt_debug + sharedlib_from_linklib_result=`$DLLTOOL --identify-strict --identify "$1"` +} + +# func_cygming_dll_for_implib_fallback_core SECTION_NAME LIBNAMEs +# +# The is the core of a fallback implementation of a +# platform-specific function to extract the name of the +# DLL associated with the specified import library LIBNAME. +# +# SECTION_NAME is either .idata$6 or .idata$7, depending +# on the platform and compiler that created the implib. +# +# Echos the name of the DLL associated with the +# specified import library. +func_cygming_dll_for_implib_fallback_core () +{ + $opt_debug + match_literal=`$ECHO "$1" | $SED "$sed_make_literal_regex"` + $OBJDUMP -s --section "$1" "$2" 2>/dev/null | + $SED '/^Contents of section '"$match_literal"':/{ + # Place marker at beginning of archive member dllname section + s/.*/====MARK====/ + p + d + } + # These lines can sometimes be longer than 43 characters, but + # are always uninteresting + /:[ ]*file format pe[i]\{,1\}-/d + /^In archive [^:]*:/d + # Ensure marker is printed + /^====MARK====/p + # Remove all lines with less than 43 characters + /^.\{43\}/!d + # From remaining lines, remove first 43 characters + s/^.\{43\}//' | + $SED -n ' + # Join marker and all lines until next marker into a single line + /^====MARK====/ b para + H + $ b para + b + :para + x + s/\n//g + # Remove the marker + s/^====MARK====// + # Remove trailing dots and whitespace + s/[\. \t]*$// + # Print + /./p' | + # we now have a list, one entry per line, of the stringified + # contents of the appropriate section of all members of the + # archive which possess that section. Heuristic: eliminate + # all those which have a first or second character that is + # a '.' (that is, objdump's representation of an unprintable + # character.) 
This should work for all archives with less than + # 0x302f exports -- but will fail for DLLs whose name actually + # begins with a literal '.' or a single character followed by + # a '.'. + # + # Of those that remain, print the first one. + $SED -e '/^\./d;/^.\./d;q' +} + +# func_cygming_gnu_implib_p ARG +# This predicate returns with zero status (TRUE) if +# ARG is a GNU/binutils-style import library. Returns +# with nonzero status (FALSE) otherwise. +func_cygming_gnu_implib_p () +{ + $opt_debug + func_to_tool_file "$1" func_convert_file_msys_to_w32 + func_cygming_gnu_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $EGREP ' (_head_[A-Za-z0-9_]+_[ad]l*|[A-Za-z0-9_]+_[ad]l*_iname)$'` + test -n "$func_cygming_gnu_implib_tmp" +} + +# func_cygming_ms_implib_p ARG +# This predicate returns with zero status (TRUE) if +# ARG is an MS-style import library. Returns +# with nonzero status (FALSE) otherwise. +func_cygming_ms_implib_p () +{ + $opt_debug + func_to_tool_file "$1" func_convert_file_msys_to_w32 + func_cygming_ms_implib_tmp=`$NM "$func_to_tool_file_result" | eval "$global_symbol_pipe" | $GREP '_NULL_IMPORT_DESCRIPTOR'` + test -n "$func_cygming_ms_implib_tmp" +} + +# func_cygming_dll_for_implib_fallback ARG +# Platform-specific function to extract the +# name of the DLL associated with the specified +# import library ARG. +# +# This fallback implementation is for use when $DLLTOOL +# does not support the --identify-strict option. 
+# Invoked by eval'ing the libtool variable +# $sharedlib_from_linklib_cmd +# Result is available in the variable +# $sharedlib_from_linklib_result +func_cygming_dll_for_implib_fallback () +{ + $opt_debug + if func_cygming_gnu_implib_p "$1" ; then + # binutils import library + sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$7' "$1"` + elif func_cygming_ms_implib_p "$1" ; then + # ms-generated import library + sharedlib_from_linklib_result=`func_cygming_dll_for_implib_fallback_core '.idata$6' "$1"` + else + # unknown + sharedlib_from_linklib_result="" + fi +} + + +# func_extract_an_archive dir oldlib +func_extract_an_archive () +{ + $opt_debug + f_ex_an_ar_dir="$1"; shift + f_ex_an_ar_oldlib="$1" + if test "$lock_old_archive_extraction" = yes; then + lockfile=$f_ex_an_ar_oldlib.lock + until $opt_dry_run || ln "$progpath" "$lockfile" 2>/dev/null; do + func_echo "Waiting for $lockfile to be removed" + sleep 2 + done + fi + func_show_eval "(cd \$f_ex_an_ar_dir && $AR x \"\$f_ex_an_ar_oldlib\")" \ + 'stat=$?; rm -f "$lockfile"; exit $stat' + if test "$lock_old_archive_extraction" = yes; then + $opt_dry_run || rm -f "$lockfile" + fi + if ($AR t "$f_ex_an_ar_oldlib" | sort | sort -uc >/dev/null 2>&1); then + : + else + func_fatal_error "object name conflicts in archive: $f_ex_an_ar_dir/$f_ex_an_ar_oldlib" + fi +} + + +# func_extract_archives gentop oldlib ... +func_extract_archives () +{ + $opt_debug + my_gentop="$1"; shift + my_oldlibs=${1+"$@"} + my_oldobjs="" + my_xlib="" + my_xabs="" + my_xdir="" + + for my_xlib in $my_oldlibs; do + # Extract the objects. 
+ case $my_xlib in + [\\/]* | [A-Za-z]:[\\/]*) my_xabs="$my_xlib" ;; + *) my_xabs=`pwd`"/$my_xlib" ;; + esac + func_basename "$my_xlib" + my_xlib="$func_basename_result" + my_xlib_u=$my_xlib + while :; do + case " $extracted_archives " in + *" $my_xlib_u "*) + func_arith $extracted_serial + 1 + extracted_serial=$func_arith_result + my_xlib_u=lt$extracted_serial-$my_xlib ;; + *) break ;; + esac + done + extracted_archives="$extracted_archives $my_xlib_u" + my_xdir="$my_gentop/$my_xlib_u" + + func_mkdir_p "$my_xdir" + + case $host in + *-darwin*) + func_verbose "Extracting $my_xabs" + # Do not bother doing anything if just a dry run + $opt_dry_run || { + darwin_orig_dir=`pwd` + cd $my_xdir || exit $? + darwin_archive=$my_xabs + darwin_curdir=`pwd` + darwin_base_archive=`basename "$darwin_archive"` + darwin_arches=`$LIPO -info "$darwin_archive" 2>/dev/null | $GREP Architectures 2>/dev/null || true` + if test -n "$darwin_arches"; then + darwin_arches=`$ECHO "$darwin_arches" | $SED -e 's/.*are://'` + darwin_arch= + func_verbose "$darwin_base_archive has multiple architectures $darwin_arches" + for darwin_arch in $darwin_arches ; do + func_mkdir_p "unfat-$$/${darwin_base_archive}-${darwin_arch}" + $LIPO -thin $darwin_arch -output "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" "${darwin_archive}" + cd "unfat-$$/${darwin_base_archive}-${darwin_arch}" + func_extract_an_archive "`pwd`" "${darwin_base_archive}" + cd "$darwin_curdir" + $RM "unfat-$$/${darwin_base_archive}-${darwin_arch}/${darwin_base_archive}" + done # $darwin_arches + ## Okay now we've a bunch of thin objects, gotta fatten them up :) + darwin_filelist=`find unfat-$$ -type f -name \*.o -print -o -name \*.lo -print | $SED -e "$basename" | sort -u` + darwin_file= + darwin_files= + for darwin_file in $darwin_filelist; do + darwin_files=`find unfat-$$ -name $darwin_file -print | sort | $NL2SP` + $LIPO -create -output "$darwin_file" $darwin_files + done # $darwin_filelist + $RM -rf unfat-$$ 
+ cd "$darwin_orig_dir" + else + cd $darwin_orig_dir + func_extract_an_archive "$my_xdir" "$my_xabs" + fi # $darwin_arches + } # !$opt_dry_run + ;; + *) + func_extract_an_archive "$my_xdir" "$my_xabs" + ;; + esac + my_oldobjs="$my_oldobjs "`find $my_xdir -name \*.$objext -print -o -name \*.lo -print | sort | $NL2SP` + done + + func_extract_archives_result="$my_oldobjs" +} + + +# func_emit_wrapper [arg=no] +# +# Emit a libtool wrapper script on stdout. +# Don't directly open a file because we may want to +# incorporate the script contents within a cygwin/mingw +# wrapper executable. Must ONLY be called from within +# func_mode_link because it depends on a number of variables +# set therein. +# +# ARG is the value that the WRAPPER_SCRIPT_BELONGS_IN_OBJDIR +# variable will take. If 'yes', then the emitted script +# will assume that the directory in which it is stored is +# the $objdir directory. This is a cygwin/mingw-specific +# behavior. +func_emit_wrapper () +{ + func_emit_wrapper_arg1=${1-no} + + $ECHO "\ +#! $SHELL + +# $output - temporary wrapper script for $objdir/$outputname +# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION +# +# The $output program cannot be directly executed until all the libtool +# libraries that it depends on are installed. +# +# This wrapper script should never be moved out of the build directory. +# If it is, it will not operate correctly. + +# Sed substitution that helps us do robust quoting. It backslashifies +# metacharacters that are still active within double-quoted strings. +sed_quote_subst='$sed_quote_subst' + +# Be Bourne compatible +if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then + emulate sh + NULLCMD=: + # Zsh 3.x and 4.x performs word splitting on \${1+\"\$@\"}, which + # is contrary to our usage. Disable this feature. 
+ alias -g '\${1+\"\$@\"}'='\"\$@\"' + setopt NO_GLOB_SUBST +else + case \`(set -o) 2>/dev/null\` in *posix*) set -o posix;; esac +fi +BIN_SH=xpg4; export BIN_SH # for Tru64 +DUALCASE=1; export DUALCASE # for MKS sh + +# The HP-UX ksh and POSIX shell print the target directory to stdout +# if CDPATH is set. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + +relink_command=\"$relink_command\" + +# This environment variable determines our operation mode. +if test \"\$libtool_install_magic\" = \"$magic\"; then + # install mode needs the following variables: + generated_by_libtool_version='$macro_version' + notinst_deplibs='$notinst_deplibs' +else + # When we are sourced in execute mode, \$file and \$ECHO are already set. + if test \"\$libtool_execute_magic\" != \"$magic\"; then + file=\"\$0\"" + + qECHO=`$ECHO "$ECHO" | $SED "$sed_quote_subst"` + $ECHO "\ + +# A function that is used when there is no print builtin or printf. +func_fallback_echo () +{ + eval 'cat <<_LTECHO_EOF +\$1 +_LTECHO_EOF' +} + ECHO=\"$qECHO\" + fi + +# Very basic option parsing. These options are (a) specific to +# the libtool wrapper, (b) are identical between the wrapper +# /script/ and the wrapper /executable/ which is used only on +# windows platforms, and (c) all begin with the string "--lt-" +# (application programs are unlikely to have options which match +# this pattern). +# +# There are only two supported options: --lt-debug and +# --lt-dump-script. There is, deliberately, no --lt-help. +# +# The first argument to this parsing function should be the +# script's $0 value, followed by "$@". +lt_option_debug= +func_parse_lt_options () +{ + lt_script_arg0=\$0 + shift + for lt_opt + do + case \"\$lt_opt\" in + --lt-debug) lt_option_debug=1 ;; + --lt-dump-script) + lt_dump_D=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%/[^/]*$%%'\` + test \"X\$lt_dump_D\" = \"X\$lt_script_arg0\" && lt_dump_D=. 
+ lt_dump_F=\`\$ECHO \"X\$lt_script_arg0\" | $SED -e 's/^X//' -e 's%^.*/%%'\` + cat \"\$lt_dump_D/\$lt_dump_F\" + exit 0 + ;; + --lt-*) + \$ECHO \"Unrecognized --lt- option: '\$lt_opt'\" 1>&2 + exit 1 + ;; + esac + done + + # Print the debug banner immediately: + if test -n \"\$lt_option_debug\"; then + echo \"${outputname}:${output}:\${LINENO}: libtool wrapper (GNU $PACKAGE$TIMESTAMP) $VERSION\" 1>&2 + fi +} + +# Used when --lt-debug. Prints its arguments to stdout +# (redirection is the responsibility of the caller) +func_lt_dump_args () +{ + lt_dump_args_N=1; + for lt_arg + do + \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[\$lt_dump_args_N]: \$lt_arg\" + lt_dump_args_N=\`expr \$lt_dump_args_N + 1\` + done +} + +# Core function for launching the target application +func_exec_program_core () +{ +" + case $host in + # Backslashes separate directories on plain windows + *-*-mingw | *-*-os2* | *-cegcc*) + $ECHO "\ + if test -n \"\$lt_option_debug\"; then + \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir\\\\\$program\" 1>&2 + func_lt_dump_args \${1+\"\$@\"} 1>&2 + fi + exec \"\$progdir\\\\\$program\" \${1+\"\$@\"} +" + ;; + + *) + $ECHO "\ + if test -n \"\$lt_option_debug\"; then + \$ECHO \"${outputname}:${output}:\${LINENO}: newargv[0]: \$progdir/\$program\" 1>&2 + func_lt_dump_args \${1+\"\$@\"} 1>&2 + fi + exec \"\$progdir/\$program\" \${1+\"\$@\"} +" + ;; + esac + $ECHO "\ + \$ECHO \"\$0: cannot exec \$program \$*\" 1>&2 + exit 1 +} + +# A function to encapsulate launching the target application +# Strips options in the --lt-* namespace from \$@ and +# launches target application with the remaining arguments. 
+func_exec_program () +{ + case \" \$* \" in + *\\ --lt-*) + for lt_wr_arg + do + case \$lt_wr_arg in + --lt-*) ;; + *) set x \"\$@\" \"\$lt_wr_arg\"; shift;; + esac + shift + done ;; + esac + func_exec_program_core \${1+\"\$@\"} +} + + # Parse options + func_parse_lt_options \"\$0\" \${1+\"\$@\"} + + # Find the directory that this script lives in. + thisdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*$%%'\` + test \"x\$thisdir\" = \"x\$file\" && thisdir=. + + # Follow symbolic links until we get to the real thisdir. + file=\`ls -ld \"\$file\" | $SED -n 's/.*-> //p'\` + while test -n \"\$file\"; do + destdir=\`\$ECHO \"\$file\" | $SED 's%/[^/]*\$%%'\` + + # If there was a directory component, then change thisdir. + if test \"x\$destdir\" != \"x\$file\"; then + case \"\$destdir\" in + [\\\\/]* | [A-Za-z]:[\\\\/]*) thisdir=\"\$destdir\" ;; + *) thisdir=\"\$thisdir/\$destdir\" ;; + esac + fi + + file=\`\$ECHO \"\$file\" | $SED 's%^.*/%%'\` + file=\`ls -ld \"\$thisdir/\$file\" | $SED -n 's/.*-> //p'\` + done + + # Usually 'no', except on cygwin/mingw when embedded into + # the cwrapper. + WRAPPER_SCRIPT_BELONGS_IN_OBJDIR=$func_emit_wrapper_arg1 + if test \"\$WRAPPER_SCRIPT_BELONGS_IN_OBJDIR\" = \"yes\"; then + # special case for '.' + if test \"\$thisdir\" = \".\"; then + thisdir=\`pwd\` + fi + # remove .libs from thisdir + case \"\$thisdir\" in + *[\\\\/]$objdir ) thisdir=\`\$ECHO \"\$thisdir\" | $SED 's%[\\\\/][^\\\\/]*$%%'\` ;; + $objdir ) thisdir=. ;; + esac + fi + + # Try to get the absolute directory name. + absdir=\`cd \"\$thisdir\" && pwd\` + test -n \"\$absdir\" && thisdir=\"\$absdir\" +" + + if test "$fast_install" = yes; then + $ECHO "\ + program=lt-'$outputname'$exeext + progdir=\"\$thisdir/$objdir\" + + if test ! -f \"\$progdir/\$program\" || + { file=\`ls -1dt \"\$progdir/\$program\" \"\$progdir/../\$program\" 2>/dev/null | ${SED} 1q\`; \\ + test \"X\$file\" != \"X\$progdir/\$program\"; }; then + + file=\"\$\$-\$program\" + + if test ! 
-d \"\$progdir\"; then + $MKDIR \"\$progdir\" + else + $RM \"\$progdir/\$file\" + fi" + + $ECHO "\ + + # relink executable if necessary + if test -n \"\$relink_command\"; then + if relink_command_output=\`eval \$relink_command 2>&1\`; then : + else + $ECHO \"\$relink_command_output\" >&2 + $RM \"\$progdir/\$file\" + exit 1 + fi + fi + + $MV \"\$progdir/\$file\" \"\$progdir/\$program\" 2>/dev/null || + { $RM \"\$progdir/\$program\"; + $MV \"\$progdir/\$file\" \"\$progdir/\$program\"; } + $RM \"\$progdir/\$file\" + fi" + else + $ECHO "\ + program='$outputname' + progdir=\"\$thisdir/$objdir\" +" + fi + + $ECHO "\ + + if test -f \"\$progdir/\$program\"; then" + + # fixup the dll searchpath if we need to. + # + # Fix the DLL searchpath if we need to. Do this before prepending + # to shlibpath, because on Windows, both are PATH and uninstalled + # libraries must come first. + if test -n "$dllsearchpath"; then + $ECHO "\ + # Add the dll search path components to the executable PATH + PATH=$dllsearchpath:\$PATH +" + fi + + # Export our shlibpath_var if we have one. + if test "$shlibpath_overrides_runpath" = yes && test -n "$shlibpath_var" && test -n "$temp_rpath"; then + $ECHO "\ + # Add our own library path to $shlibpath_var + $shlibpath_var=\"$temp_rpath\$$shlibpath_var\" + + # Some systems cannot cope with colon-terminated $shlibpath_var + # The second colon is a workaround for a bug in BeOS R4 sed + $shlibpath_var=\`\$ECHO \"\$$shlibpath_var\" | $SED 's/::*\$//'\` + + export $shlibpath_var +" + fi + + $ECHO "\ + if test \"\$libtool_execute_magic\" != \"$magic\"; then + # Run the actual program with our arguments. + func_exec_program \${1+\"\$@\"} + fi + else + # The program doesn't exist. 
+ \$ECHO \"\$0: error: \\\`\$progdir/\$program' does not exist\" 1>&2 + \$ECHO \"This script is just a wrapper for \$program.\" 1>&2 + \$ECHO \"See the $PACKAGE documentation for more information.\" 1>&2 + exit 1 + fi +fi\ +" +} + + +# func_emit_cwrapperexe_src +# emit the source code for a wrapper executable on stdout +# Must ONLY be called from within func_mode_link because +# it depends on a number of variable set therein. +func_emit_cwrapperexe_src () +{ + cat < +#include +#ifdef _MSC_VER +# include +# include +# include +#else +# include +# include +# ifdef __CYGWIN__ +# include +# endif +#endif +#include +#include +#include +#include +#include +#include +#include +#include + +/* declarations of non-ANSI functions */ +#if defined(__MINGW32__) +# ifdef __STRICT_ANSI__ +int _putenv (const char *); +# endif +#elif defined(__CYGWIN__) +# ifdef __STRICT_ANSI__ +char *realpath (const char *, char *); +int putenv (char *); +int setenv (const char *, const char *, int); +# endif +/* #elif defined (other platforms) ... */ +#endif + +/* portability defines, excluding path handling macros */ +#if defined(_MSC_VER) +# define setmode _setmode +# define stat _stat +# define chmod _chmod +# define getcwd _getcwd +# define putenv _putenv +# define S_IXUSR _S_IEXEC +# ifndef _INTPTR_T_DEFINED +# define _INTPTR_T_DEFINED +# define intptr_t int +# endif +#elif defined(__MINGW32__) +# define setmode _setmode +# define stat _stat +# define chmod _chmod +# define getcwd _getcwd +# define putenv _putenv +#elif defined(__CYGWIN__) +# define HAVE_SETENV +# define FOPEN_WB "wb" +/* #elif defined (other platforms) ... 
*/ +#endif + +#if defined(PATH_MAX) +# define LT_PATHMAX PATH_MAX +#elif defined(MAXPATHLEN) +# define LT_PATHMAX MAXPATHLEN +#else +# define LT_PATHMAX 1024 +#endif + +#ifndef S_IXOTH +# define S_IXOTH 0 +#endif +#ifndef S_IXGRP +# define S_IXGRP 0 +#endif + +/* path handling portability macros */ +#ifndef DIR_SEPARATOR +# define DIR_SEPARATOR '/' +# define PATH_SEPARATOR ':' +#endif + +#if defined (_WIN32) || defined (__MSDOS__) || defined (__DJGPP__) || \ + defined (__OS2__) +# define HAVE_DOS_BASED_FILE_SYSTEM +# define FOPEN_WB "wb" +# ifndef DIR_SEPARATOR_2 +# define DIR_SEPARATOR_2 '\\' +# endif +# ifndef PATH_SEPARATOR_2 +# define PATH_SEPARATOR_2 ';' +# endif +#endif + +#ifndef DIR_SEPARATOR_2 +# define IS_DIR_SEPARATOR(ch) ((ch) == DIR_SEPARATOR) +#else /* DIR_SEPARATOR_2 */ +# define IS_DIR_SEPARATOR(ch) \ + (((ch) == DIR_SEPARATOR) || ((ch) == DIR_SEPARATOR_2)) +#endif /* DIR_SEPARATOR_2 */ + +#ifndef PATH_SEPARATOR_2 +# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR) +#else /* PATH_SEPARATOR_2 */ +# define IS_PATH_SEPARATOR(ch) ((ch) == PATH_SEPARATOR_2) +#endif /* PATH_SEPARATOR_2 */ + +#ifndef FOPEN_WB +# define FOPEN_WB "w" +#endif +#ifndef _O_BINARY +# define _O_BINARY 0 +#endif + +#define XMALLOC(type, num) ((type *) xmalloc ((num) * sizeof(type))) +#define XFREE(stale) do { \ + if (stale) { free ((void *) stale); stale = 0; } \ +} while (0) + +#if defined(LT_DEBUGWRAPPER) +static int lt_debug = 1; +#else +static int lt_debug = 0; +#endif + +const char *program_name = "libtool-wrapper"; /* in case xstrdup fails */ + +void *xmalloc (size_t num); +char *xstrdup (const char *string); +const char *base_name (const char *name); +char *find_executable (const char *wrapper); +char *chase_symlinks (const char *pathspec); +int make_executable (const char *path); +int check_executable (const char *path); +char *strendzap (char *str, const char *pat); +void lt_debugprintf (const char *file, int line, const char *fmt, ...); +void lt_fatal (const char 
*file, int line, const char *message, ...); +static const char *nonnull (const char *s); +static const char *nonempty (const char *s); +void lt_setenv (const char *name, const char *value); +char *lt_extend_str (const char *orig_value, const char *add, int to_end); +void lt_update_exe_path (const char *name, const char *value); +void lt_update_lib_path (const char *name, const char *value); +char **prepare_spawn (char **argv); +void lt_dump_script (FILE *f); +EOF + + cat <= 0) + && (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))) + return 1; + else + return 0; +} + +int +make_executable (const char *path) +{ + int rval = 0; + struct stat st; + + lt_debugprintf (__FILE__, __LINE__, "(make_executable): %s\n", + nonempty (path)); + if ((!path) || (!*path)) + return 0; + + if (stat (path, &st) >= 0) + { + rval = chmod (path, st.st_mode | S_IXOTH | S_IXGRP | S_IXUSR); + } + return rval; +} + +/* Searches for the full path of the wrapper. Returns + newly allocated full path name if found, NULL otherwise + Does not chase symlinks, even on platforms that support them. +*/ +char * +find_executable (const char *wrapper) +{ + int has_slash = 0; + const char *p; + const char *p_next; + /* static buffer for getcwd */ + char tmp[LT_PATHMAX + 1]; + int tmp_len; + char *concat_name; + + lt_debugprintf (__FILE__, __LINE__, "(find_executable): %s\n", + nonempty (wrapper)); + + if ((wrapper == NULL) || (*wrapper == '\0')) + return NULL; + + /* Absolute path? 
*/ +#if defined (HAVE_DOS_BASED_FILE_SYSTEM) + if (isalpha ((unsigned char) wrapper[0]) && wrapper[1] == ':') + { + concat_name = xstrdup (wrapper); + if (check_executable (concat_name)) + return concat_name; + XFREE (concat_name); + } + else + { +#endif + if (IS_DIR_SEPARATOR (wrapper[0])) + { + concat_name = xstrdup (wrapper); + if (check_executable (concat_name)) + return concat_name; + XFREE (concat_name); + } +#if defined (HAVE_DOS_BASED_FILE_SYSTEM) + } +#endif + + for (p = wrapper; *p; p++) + if (*p == '/') + { + has_slash = 1; + break; + } + if (!has_slash) + { + /* no slashes; search PATH */ + const char *path = getenv ("PATH"); + if (path != NULL) + { + for (p = path; *p; p = p_next) + { + const char *q; + size_t p_len; + for (q = p; *q; q++) + if (IS_PATH_SEPARATOR (*q)) + break; + p_len = q - p; + p_next = (*q == '\0' ? q : q + 1); + if (p_len == 0) + { + /* empty path: current directory */ + if (getcwd (tmp, LT_PATHMAX) == NULL) + lt_fatal (__FILE__, __LINE__, "getcwd failed: %s", + nonnull (strerror (errno))); + tmp_len = strlen (tmp); + concat_name = + XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1); + memcpy (concat_name, tmp, tmp_len); + concat_name[tmp_len] = '/'; + strcpy (concat_name + tmp_len + 1, wrapper); + } + else + { + concat_name = + XMALLOC (char, p_len + 1 + strlen (wrapper) + 1); + memcpy (concat_name, p, p_len); + concat_name[p_len] = '/'; + strcpy (concat_name + p_len + 1, wrapper); + } + if (check_executable (concat_name)) + return concat_name; + XFREE (concat_name); + } + } + /* not found in PATH; assume curdir */ + } + /* Relative path | not found in path: prepend cwd */ + if (getcwd (tmp, LT_PATHMAX) == NULL) + lt_fatal (__FILE__, __LINE__, "getcwd failed: %s", + nonnull (strerror (errno))); + tmp_len = strlen (tmp); + concat_name = XMALLOC (char, tmp_len + 1 + strlen (wrapper) + 1); + memcpy (concat_name, tmp, tmp_len); + concat_name[tmp_len] = '/'; + strcpy (concat_name + tmp_len + 1, wrapper); + + if (check_executable 
(concat_name)) + return concat_name; + XFREE (concat_name); + return NULL; +} + +char * +chase_symlinks (const char *pathspec) +{ +#ifndef S_ISLNK + return xstrdup (pathspec); +#else + char buf[LT_PATHMAX]; + struct stat s; + char *tmp_pathspec = xstrdup (pathspec); + char *p; + int has_symlinks = 0; + while (strlen (tmp_pathspec) && !has_symlinks) + { + lt_debugprintf (__FILE__, __LINE__, + "checking path component for symlinks: %s\n", + tmp_pathspec); + if (lstat (tmp_pathspec, &s) == 0) + { + if (S_ISLNK (s.st_mode) != 0) + { + has_symlinks = 1; + break; + } + + /* search backwards for last DIR_SEPARATOR */ + p = tmp_pathspec + strlen (tmp_pathspec) - 1; + while ((p > tmp_pathspec) && (!IS_DIR_SEPARATOR (*p))) + p--; + if ((p == tmp_pathspec) && (!IS_DIR_SEPARATOR (*p))) + { + /* no more DIR_SEPARATORS left */ + break; + } + *p = '\0'; + } + else + { + lt_fatal (__FILE__, __LINE__, + "error accessing file \"%s\": %s", + tmp_pathspec, nonnull (strerror (errno))); + } + } + XFREE (tmp_pathspec); + + if (!has_symlinks) + { + return xstrdup (pathspec); + } + + tmp_pathspec = realpath (pathspec, buf); + if (tmp_pathspec == 0) + { + lt_fatal (__FILE__, __LINE__, + "could not follow symlinks for %s", pathspec); + } + return xstrdup (tmp_pathspec); +#endif +} + +char * +strendzap (char *str, const char *pat) +{ + size_t len, patlen; + + assert (str != NULL); + assert (pat != NULL); + + len = strlen (str); + patlen = strlen (pat); + + if (patlen <= len) + { + str += len - patlen; + if (strcmp (str, pat) == 0) + *str = '\0'; + } + return str; +} + +void +lt_debugprintf (const char *file, int line, const char *fmt, ...) 
+{ + va_list args; + if (lt_debug) + { + (void) fprintf (stderr, "%s:%s:%d: ", program_name, file, line); + va_start (args, fmt); + (void) vfprintf (stderr, fmt, args); + va_end (args); + } +} + +static void +lt_error_core (int exit_status, const char *file, + int line, const char *mode, + const char *message, va_list ap) +{ + fprintf (stderr, "%s:%s:%d: %s: ", program_name, file, line, mode); + vfprintf (stderr, message, ap); + fprintf (stderr, ".\n"); + + if (exit_status >= 0) + exit (exit_status); +} + +void +lt_fatal (const char *file, int line, const char *message, ...) +{ + va_list ap; + va_start (ap, message); + lt_error_core (EXIT_FAILURE, file, line, "FATAL", message, ap); + va_end (ap); +} + +static const char * +nonnull (const char *s) +{ + return s ? s : "(null)"; +} + +static const char * +nonempty (const char *s) +{ + return (s && !*s) ? "(empty)" : nonnull (s); +} + +void +lt_setenv (const char *name, const char *value) +{ + lt_debugprintf (__FILE__, __LINE__, + "(lt_setenv) setting '%s' to '%s'\n", + nonnull (name), nonnull (value)); + { +#ifdef HAVE_SETENV + /* always make a copy, for consistency with !HAVE_SETENV */ + char *str = xstrdup (value); + setenv (name, str, 1); +#else + int len = strlen (name) + 1 + strlen (value) + 1; + char *str = XMALLOC (char, len); + sprintf (str, "%s=%s", name, value); + if (putenv (str) != EXIT_SUCCESS) + { + XFREE (str); + } +#endif + } +} + +char * +lt_extend_str (const char *orig_value, const char *add, int to_end) +{ + char *new_value; + if (orig_value && *orig_value) + { + int orig_value_len = strlen (orig_value); + int add_len = strlen (add); + new_value = XMALLOC (char, add_len + orig_value_len + 1); + if (to_end) + { + strcpy (new_value, orig_value); + strcpy (new_value + orig_value_len, add); + } + else + { + strcpy (new_value, add); + strcpy (new_value + add_len, orig_value); + } + } + else + { + new_value = xstrdup (add); + } + return new_value; +} + +void +lt_update_exe_path (const char *name, const 
char *value) +{ + lt_debugprintf (__FILE__, __LINE__, + "(lt_update_exe_path) modifying '%s' by prepending '%s'\n", + nonnull (name), nonnull (value)); + + if (name && *name && value && *value) + { + char *new_value = lt_extend_str (getenv (name), value, 0); + /* some systems can't cope with a ':'-terminated path #' */ + int len = strlen (new_value); + while (((len = strlen (new_value)) > 0) && IS_PATH_SEPARATOR (new_value[len-1])) + { + new_value[len-1] = '\0'; + } + lt_setenv (name, new_value); + XFREE (new_value); + } +} + +void +lt_update_lib_path (const char *name, const char *value) +{ + lt_debugprintf (__FILE__, __LINE__, + "(lt_update_lib_path) modifying '%s' by prepending '%s'\n", + nonnull (name), nonnull (value)); + + if (name && *name && value && *value) + { + char *new_value = lt_extend_str (getenv (name), value, 0); + lt_setenv (name, new_value); + XFREE (new_value); + } +} + +EOF + case $host_os in + mingw*) + cat <<"EOF" + +/* Prepares an argument vector before calling spawn(). + Note that spawn() does not by itself call the command interpreter + (getenv ("COMSPEC") != NULL ? getenv ("COMSPEC") : + ({ OSVERSIONINFO v; v.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); + GetVersionEx(&v); + v.dwPlatformId == VER_PLATFORM_WIN32_NT; + }) ? "cmd.exe" : "command.com"). + Instead it simply concatenates the arguments, separated by ' ', and calls + CreateProcess(). We must quote the arguments since Win32 CreateProcess() + interprets characters like ' ', '\t', '\\', '"' (but not '<' and '>') in a + special way: + - Space and tab are interpreted as delimiters. They are not treated as + delimiters if they are surrounded by double quotes: "...". + - Unescaped double quotes are removed from the input. Their only effect is + that within double quotes, space and tab are treated like normal + characters. + - Backslashes not followed by double quotes are not special. 
+ - But 2*n+1 backslashes followed by a double quote become + n backslashes followed by a double quote (n >= 0): + \" -> " + \\\" -> \" + \\\\\" -> \\" + */ +#define SHELL_SPECIAL_CHARS "\"\\ \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037" +#define SHELL_SPACE_CHARS " \001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024\025\026\027\030\031\032\033\034\035\036\037" +char ** +prepare_spawn (char **argv) +{ + size_t argc; + char **new_argv; + size_t i; + + /* Count number of arguments. */ + for (argc = 0; argv[argc] != NULL; argc++) + ; + + /* Allocate new argument vector. */ + new_argv = XMALLOC (char *, argc + 1); + + /* Put quoted arguments into the new argument vector. */ + for (i = 0; i < argc; i++) + { + const char *string = argv[i]; + + if (string[0] == '\0') + new_argv[i] = xstrdup ("\"\""); + else if (strpbrk (string, SHELL_SPECIAL_CHARS) != NULL) + { + int quote_around = (strpbrk (string, SHELL_SPACE_CHARS) != NULL); + size_t length; + unsigned int backslashes; + const char *s; + char *quoted_string; + char *p; + + length = 0; + backslashes = 0; + if (quote_around) + length++; + for (s = string; *s != '\0'; s++) + { + char c = *s; + if (c == '"') + length += backslashes + 1; + length++; + if (c == '\\') + backslashes++; + else + backslashes = 0; + } + if (quote_around) + length += backslashes + 1; + + quoted_string = XMALLOC (char, length + 1); + + p = quoted_string; + backslashes = 0; + if (quote_around) + *p++ = '"'; + for (s = string; *s != '\0'; s++) + { + char c = *s; + if (c == '"') + { + unsigned int j; + for (j = backslashes + 1; j > 0; j--) + *p++ = '\\'; + } + *p++ = c; + if (c == '\\') + backslashes++; + else + backslashes = 0; + } + if (quote_around) + { + unsigned int j; + for (j = backslashes; j > 0; j--) + *p++ = '\\'; + *p++ = '"'; + } + *p = '\0'; + + new_argv[i] = quoted_string; + } + else + new_argv[i] = (char *) string; + } + 
new_argv[argc] = NULL; + + return new_argv; +} +EOF + ;; + esac + + cat <<"EOF" +void lt_dump_script (FILE* f) +{ +EOF + func_emit_wrapper yes | + $SED -n -e ' +s/^\(.\{79\}\)\(..*\)/\1\ +\2/ +h +s/\([\\"]\)/\\\1/g +s/$/\\n/ +s/\([^\n]*\).*/ fputs ("\1", f);/p +g +D' + cat <<"EOF" +} +EOF +} +# end: func_emit_cwrapperexe_src + +# func_win32_import_lib_p ARG +# True if ARG is an import lib, as indicated by $file_magic_cmd +func_win32_import_lib_p () +{ + $opt_debug + case `eval $file_magic_cmd \"\$1\" 2>/dev/null | $SED -e 10q` in + *import*) : ;; + *) false ;; + esac +} + +# func_mode_link arg... +func_mode_link () +{ + $opt_debug + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) + # It is impossible to link a dll without this setting, and + # we shouldn't force the makefile maintainer to figure out + # which system we are compiling for in order to pass an extra + # flag for every libtool invocation. + # allow_undefined=no + + # FIXME: Unfortunately, there are problems with the above when trying + # to make a dll which has undefined symbols, in which case not + # even a static library is built. For now, we need to specify + # -no-undefined on the libtool link line when we can be certain + # that all symbols are satisfied, otherwise we get a static library. 
+ allow_undefined=yes + ;; + *) + allow_undefined=yes + ;; + esac + libtool_args=$nonopt + base_compile="$nonopt $@" + compile_command=$nonopt + finalize_command=$nonopt + + compile_rpath= + finalize_rpath= + compile_shlibpath= + finalize_shlibpath= + convenience= + old_convenience= + deplibs= + old_deplibs= + compiler_flags= + linker_flags= + dllsearchpath= + lib_search_path=`pwd` + inst_prefix_dir= + new_inherited_linker_flags= + + avoid_version=no + bindir= + dlfiles= + dlprefiles= + dlself=no + export_dynamic=no + export_symbols= + export_symbols_regex= + generated= + libobjs= + ltlibs= + module=no + no_install=no + objs= + non_pic_objects= + precious_files_regex= + prefer_static_libs=no + preload=no + prev= + prevarg= + release= + rpath= + xrpath= + perm_rpath= + temp_rpath= + thread_safe=no + vinfo= + vinfo_number=no + weak_libs= + single_module="${wl}-single_module" + func_infer_tag $base_compile + + # We need to know -static, to get the right output filenames. + for arg + do + case $arg in + -shared) + test "$build_libtool_libs" != yes && \ + func_fatal_configuration "can not build a shared library" + build_old_libs=no + break + ;; + -all-static | -static | -static-libtool-libs) + case $arg in + -all-static) + if test "$build_libtool_libs" = yes && test -z "$link_static_flag"; then + func_warning "complete static linking is impossible in this configuration" + fi + if test -n "$link_static_flag"; then + dlopen_self=$dlopen_self_static + fi + prefer_static_libs=yes + ;; + -static) + if test -z "$pic_flag" && test -n "$link_static_flag"; then + dlopen_self=$dlopen_self_static + fi + prefer_static_libs=built + ;; + -static-libtool-libs) + if test -z "$pic_flag" && test -n "$link_static_flag"; then + dlopen_self=$dlopen_self_static + fi + prefer_static_libs=yes + ;; + esac + build_libtool_libs=no + build_old_libs=yes + break + ;; + esac + done + + # See if our shared archives depend on static archives. 
+ test -n "$old_archive_from_new_cmds" && build_old_libs=yes + + # Go through the arguments, transforming them on the way. + while test "$#" -gt 0; do + arg="$1" + shift + func_quote_for_eval "$arg" + qarg=$func_quote_for_eval_unquoted_result + func_append libtool_args " $func_quote_for_eval_result" + + # If the previous option needs an argument, assign it. + if test -n "$prev"; then + case $prev in + output) + func_append compile_command " @OUTPUT@" + func_append finalize_command " @OUTPUT@" + ;; + esac + + case $prev in + bindir) + bindir="$arg" + prev= + continue + ;; + dlfiles|dlprefiles) + if test "$preload" = no; then + # Add the symbol object into the linking commands. + func_append compile_command " @SYMFILE@" + func_append finalize_command " @SYMFILE@" + preload=yes + fi + case $arg in + *.la | *.lo) ;; # We handle these cases below. + force) + if test "$dlself" = no; then + dlself=needless + export_dynamic=yes + fi + prev= + continue + ;; + self) + if test "$prev" = dlprefiles; then + dlself=yes + elif test "$prev" = dlfiles && test "$dlopen_self" != yes; then + dlself=yes + else + dlself=needless + export_dynamic=yes + fi + prev= + continue + ;; + *) + if test "$prev" = dlfiles; then + func_append dlfiles " $arg" + else + func_append dlprefiles " $arg" + fi + prev= + continue + ;; + esac + ;; + expsyms) + export_symbols="$arg" + test -f "$arg" \ + || func_fatal_error "symbol file \`$arg' does not exist" + prev= + continue + ;; + expsyms_regex) + export_symbols_regex="$arg" + prev= + continue + ;; + framework) + case $host in + *-*-darwin*) + case "$deplibs " in + *" $qarg.ltframework "*) ;; + *) func_append deplibs " $qarg.ltframework" # this is fixed later + ;; + esac + ;; + esac + prev= + continue + ;; + inst_prefix) + inst_prefix_dir="$arg" + prev= + continue + ;; + objectlist) + if test -f "$arg"; then + save_arg=$arg + moreargs= + for fil in `cat "$save_arg"` + do +# func_append moreargs " $fil" + arg=$fil + # A libtool-controlled object. 
+ + # Check to see that this really is a libtool object. + if func_lalib_unsafe_p "$arg"; then + pic_object= + non_pic_object= + + # Read the .lo file + func_source "$arg" + + if test -z "$pic_object" || + test -z "$non_pic_object" || + test "$pic_object" = none && + test "$non_pic_object" = none; then + func_fatal_error "cannot find name of object for \`$arg'" + fi + + # Extract subdirectory from the argument. + func_dirname "$arg" "/" "" + xdir="$func_dirname_result" + + if test "$pic_object" != none; then + # Prepend the subdirectory the object is found in. + pic_object="$xdir$pic_object" + + if test "$prev" = dlfiles; then + if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then + func_append dlfiles " $pic_object" + prev= + continue + else + # If libtool objects are unsupported, then we need to preload. + prev=dlprefiles + fi + fi + + # CHECK ME: I think I busted this. -Ossama + if test "$prev" = dlprefiles; then + # Preload the old-style object. + func_append dlprefiles " $pic_object" + prev= + fi + + # A PIC object. + func_append libobjs " $pic_object" + arg="$pic_object" + fi + + # Non-PIC object. + if test "$non_pic_object" != none; then + # Prepend the subdirectory the object is found in. + non_pic_object="$xdir$non_pic_object" + + # A standard non-PIC object + func_append non_pic_objects " $non_pic_object" + if test -z "$pic_object" || test "$pic_object" = none ; then + arg="$non_pic_object" + fi + else + # If the PIC object exists, use it instead. + # $xdir was prepended to $pic_object above. + non_pic_object="$pic_object" + func_append non_pic_objects " $non_pic_object" + fi + else + # Only an error if not doing a dry-run. + if $opt_dry_run; then + # Extract subdirectory from the argument. 
+ func_dirname "$arg" "/" "" + xdir="$func_dirname_result" + + func_lo2o "$arg" + pic_object=$xdir$objdir/$func_lo2o_result + non_pic_object=$xdir$func_lo2o_result + func_append libobjs " $pic_object" + func_append non_pic_objects " $non_pic_object" + else + func_fatal_error "\`$arg' is not a valid libtool object" + fi + fi + done + else + func_fatal_error "link input file \`$arg' does not exist" + fi + arg=$save_arg + prev= + continue + ;; + precious_regex) + precious_files_regex="$arg" + prev= + continue + ;; + release) + release="-$arg" + prev= + continue + ;; + rpath | xrpath) + # We need an absolute path. + case $arg in + [\\/]* | [A-Za-z]:[\\/]*) ;; + *) + func_fatal_error "only absolute run-paths are allowed" + ;; + esac + if test "$prev" = rpath; then + case "$rpath " in + *" $arg "*) ;; + *) func_append rpath " $arg" ;; + esac + else + case "$xrpath " in + *" $arg "*) ;; + *) func_append xrpath " $arg" ;; + esac + fi + prev= + continue + ;; + shrext) + shrext_cmds="$arg" + prev= + continue + ;; + weak) + func_append weak_libs " $arg" + prev= + continue + ;; + xcclinker) + func_append linker_flags " $qarg" + func_append compiler_flags " $qarg" + prev= + func_append compile_command " $qarg" + func_append finalize_command " $qarg" + continue + ;; + xcompiler) + func_append compiler_flags " $qarg" + prev= + func_append compile_command " $qarg" + func_append finalize_command " $qarg" + continue + ;; + xlinker) + func_append linker_flags " $qarg" + func_append compiler_flags " $wl$qarg" + prev= + func_append compile_command " $wl$qarg" + func_append finalize_command " $wl$qarg" + continue + ;; + *) + eval "$prev=\"\$arg\"" + prev= + continue + ;; + esac + fi # test -n "$prev" + + prevarg="$arg" + + case $arg in + -all-static) + if test -n "$link_static_flag"; then + # See comment for -static flag below, for more details. 
+ func_append compile_command " $link_static_flag" + func_append finalize_command " $link_static_flag" + fi + continue + ;; + + -allow-undefined) + # FIXME: remove this flag sometime in the future. + func_fatal_error "\`-allow-undefined' must not be used because it is the default" + ;; + + -avoid-version) + avoid_version=yes + continue + ;; + + -bindir) + prev=bindir + continue + ;; + + -dlopen) + prev=dlfiles + continue + ;; + + -dlpreopen) + prev=dlprefiles + continue + ;; + + -export-dynamic) + export_dynamic=yes + continue + ;; + + -export-symbols | -export-symbols-regex) + if test -n "$export_symbols" || test -n "$export_symbols_regex"; then + func_fatal_error "more than one -exported-symbols argument is not allowed" + fi + if test "X$arg" = "X-export-symbols"; then + prev=expsyms + else + prev=expsyms_regex + fi + continue + ;; + + -framework) + prev=framework + continue + ;; + + -inst-prefix-dir) + prev=inst_prefix + continue + ;; + + # The native IRIX linker understands -LANG:*, -LIST:* and -LNO:* + # so, if we see these flags be careful not to treat them like -L + -L[A-Z][A-Z]*:*) + case $with_gcc/$host in + no/*-*-irix* | /*-*-irix*) + func_append compile_command " $arg" + func_append finalize_command " $arg" + ;; + esac + continue + ;; + + -L*) + func_stripname "-L" '' "$arg" + if test -z "$func_stripname_result"; then + if test "$#" -gt 0; then + func_fatal_error "require no space between \`-L' and \`$1'" + else + func_fatal_error "need path for \`-L' option" + fi + fi + func_resolve_sysroot "$func_stripname_result" + dir=$func_resolve_sysroot_result + # We need an absolute path. 
+ case $dir in + [\\/]* | [A-Za-z]:[\\/]*) ;; + *) + absdir=`cd "$dir" && pwd` + test -z "$absdir" && \ + func_fatal_error "cannot determine absolute directory name of \`$dir'" + dir="$absdir" + ;; + esac + case "$deplibs " in + *" -L$dir "* | *" $arg "*) + # Will only happen for absolute or sysroot arguments + ;; + *) + # Preserve sysroot, but never include relative directories + case $dir in + [\\/]* | [A-Za-z]:[\\/]* | =*) func_append deplibs " $arg" ;; + *) func_append deplibs " -L$dir" ;; + esac + func_append lib_search_path " $dir" + ;; + esac + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) + testbindir=`$ECHO "$dir" | $SED 's*/lib$*/bin*'` + case :$dllsearchpath: in + *":$dir:"*) ;; + ::) dllsearchpath=$dir;; + *) func_append dllsearchpath ":$dir";; + esac + case :$dllsearchpath: in + *":$testbindir:"*) ;; + ::) dllsearchpath=$testbindir;; + *) func_append dllsearchpath ":$testbindir";; + esac + ;; + esac + continue + ;; + + -l*) + if test "X$arg" = "X-lc" || test "X$arg" = "X-lm"; then + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-beos* | *-cegcc* | *-*-haiku*) + # These systems don't actually have a C or math library (as such) + continue + ;; + *-*-os2*) + # These systems don't actually have a C library (as such) + test "X$arg" = "X-lc" && continue + ;; + *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*) + # Do not include libc due to us having libc/libc_r. 
+ test "X$arg" = "X-lc" && continue + ;; + *-*-rhapsody* | *-*-darwin1.[012]) + # Rhapsody C and math libraries are in the System framework + func_append deplibs " System.ltframework" + continue + ;; + *-*-sco3.2v5* | *-*-sco5v6*) + # Causes problems with __ctype + test "X$arg" = "X-lc" && continue + ;; + *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*) + # Compiler inserts libc in the correct place for threads to work + test "X$arg" = "X-lc" && continue + ;; + esac + elif test "X$arg" = "X-lc_r"; then + case $host in + *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*) + # Do not include libc_r directly, use -pthread flag. + continue + ;; + esac + fi + func_append deplibs " $arg" + continue + ;; + + -module) + module=yes + continue + ;; + + # Tru64 UNIX uses -model [arg] to determine the layout of C++ + # classes, name mangling, and exception handling. + # Darwin uses the -arch flag to determine output architecture. + -model|-arch|-isysroot|--sysroot) + func_append compiler_flags " $arg" + func_append compile_command " $arg" + func_append finalize_command " $arg" + prev=xcompiler + continue + ;; + + -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \ + |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*) + func_append compiler_flags " $arg" + func_append compile_command " $arg" + func_append finalize_command " $arg" + func_append deplibs " $arg" + case "$new_inherited_linker_flags " in + *" $arg "*) ;; + * ) func_append new_inherited_linker_flags " $arg" ;; + esac + continue + ;; + + -multi_module) + single_module="${wl}-multi_module" + continue + ;; + + -no-fast-install) + fast_install=no + continue + ;; + + -no-install) + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-darwin* | *-cegcc*) + # The PATH hackery in wrapper scripts is required on Windows + # and Darwin in order for the loader to find any dlls it needs. 
+ func_warning "\`-no-install' is ignored for $host" + func_warning "assuming \`-no-fast-install' instead" + fast_install=no + ;; + *) no_install=yes ;; + esac + continue + ;; + + -no-undefined) + allow_undefined=no + continue + ;; + + -objectlist) + prev=objectlist + continue + ;; + + -o) prev=output ;; + + -precious-files-regex) + prev=precious_regex + continue + ;; + + -release) + prev=release + continue + ;; + + -rpath) + prev=rpath + continue + ;; + + -R) + prev=xrpath + continue + ;; + + -R*) + func_stripname '-R' '' "$arg" + dir=$func_stripname_result + # We need an absolute path. + case $dir in + [\\/]* | [A-Za-z]:[\\/]*) ;; + =*) + func_stripname '=' '' "$dir" + dir=$lt_sysroot$func_stripname_result + ;; + *) + func_fatal_error "only absolute run-paths are allowed" + ;; + esac + case "$xrpath " in + *" $dir "*) ;; + *) func_append xrpath " $dir" ;; + esac + continue + ;; + + -shared) + # The effects of -shared are defined in a previous loop. + continue + ;; + + -shrext) + prev=shrext + continue + ;; + + -static | -static-libtool-libs) + # The effects of -static are defined in a previous loop. + # We used to do the same as -all-static on platforms that + # didn't have a PIC flag, but the assumption that the effects + # would be equivalent was wrong. It would break on at least + # Digital Unix and AIX. 
+ continue + ;; + + -thread-safe) + thread_safe=yes + continue + ;; + + -version-info) + prev=vinfo + continue + ;; + + -version-number) + prev=vinfo + vinfo_number=yes + continue + ;; + + -weak) + prev=weak + continue + ;; + + -Wc,*) + func_stripname '-Wc,' '' "$arg" + args=$func_stripname_result + arg= + save_ifs="$IFS"; IFS=',' + for flag in $args; do + IFS="$save_ifs" + func_quote_for_eval "$flag" + func_append arg " $func_quote_for_eval_result" + func_append compiler_flags " $func_quote_for_eval_result" + done + IFS="$save_ifs" + func_stripname ' ' '' "$arg" + arg=$func_stripname_result + ;; + + -Wl,*) + func_stripname '-Wl,' '' "$arg" + args=$func_stripname_result + arg= + save_ifs="$IFS"; IFS=',' + for flag in $args; do + IFS="$save_ifs" + func_quote_for_eval "$flag" + func_append arg " $wl$func_quote_for_eval_result" + func_append compiler_flags " $wl$func_quote_for_eval_result" + func_append linker_flags " $func_quote_for_eval_result" + done + IFS="$save_ifs" + func_stripname ' ' '' "$arg" + arg=$func_stripname_result + ;; + + -Xcompiler) + prev=xcompiler + continue + ;; + + -Xlinker) + prev=xlinker + continue + ;; + + -XCClinker) + prev=xcclinker + continue + ;; + + # -msg_* for osf cc + -msg_*) + func_quote_for_eval "$arg" + arg="$func_quote_for_eval_result" + ;; + + # Flags to be passed through unchanged, with rationale: + # -64, -mips[0-9] enable 64-bit mode for the SGI compiler + # -r[0-9][0-9]* specify processor for the SGI compiler + # -xarch=*, -xtarget=* enable 64-bit mode for the Sun compiler + # +DA*, +DD* enable 64-bit mode for the HP compiler + # -q* compiler args for the IBM compiler + # -m*, -t[45]*, -txscale* architecture-specific flags for GCC + # -F/path path to uninstalled frameworks, gcc on darwin + # -p, -pg, --coverage, -fprofile-* profiling flags for GCC + # @file GCC response files + # -tp=* Portland pgcc target processor selection + # --sysroot=* for sysroot support + # -O*, -flto*, -fwhopr*, -fuse-linker-plugin GCC link-time 
optimization + -64|-mips[0-9]|-r[0-9][0-9]*|-xarch=*|-xtarget=*|+DA*|+DD*|-q*|-m*| \ + -t[45]*|-txscale*|-p|-pg|--coverage|-fprofile-*|-F*|@*|-tp=*|--sysroot=*| \ + -O*|-flto*|-fwhopr*|-fuse-linker-plugin|-fstack-protector*) + func_quote_for_eval "$arg" + arg="$func_quote_for_eval_result" + func_append compile_command " $arg" + func_append finalize_command " $arg" + func_append compiler_flags " $arg" + continue + ;; + + # Some other compiler flag. + -* | +*) + func_quote_for_eval "$arg" + arg="$func_quote_for_eval_result" + ;; + + *.$objext) + # A standard object. + func_append objs " $arg" + ;; + + *.lo) + # A libtool-controlled object. + + # Check to see that this really is a libtool object. + if func_lalib_unsafe_p "$arg"; then + pic_object= + non_pic_object= + + # Read the .lo file + func_source "$arg" + + if test -z "$pic_object" || + test -z "$non_pic_object" || + test "$pic_object" = none && + test "$non_pic_object" = none; then + func_fatal_error "cannot find name of object for \`$arg'" + fi + + # Extract subdirectory from the argument. + func_dirname "$arg" "/" "" + xdir="$func_dirname_result" + + if test "$pic_object" != none; then + # Prepend the subdirectory the object is found in. + pic_object="$xdir$pic_object" + + if test "$prev" = dlfiles; then + if test "$build_libtool_libs" = yes && test "$dlopen_support" = yes; then + func_append dlfiles " $pic_object" + prev= + continue + else + # If libtool objects are unsupported, then we need to preload. + prev=dlprefiles + fi + fi + + # CHECK ME: I think I busted this. -Ossama + if test "$prev" = dlprefiles; then + # Preload the old-style object. + func_append dlprefiles " $pic_object" + prev= + fi + + # A PIC object. + func_append libobjs " $pic_object" + arg="$pic_object" + fi + + # Non-PIC object. + if test "$non_pic_object" != none; then + # Prepend the subdirectory the object is found in. 
+ non_pic_object="$xdir$non_pic_object" + + # A standard non-PIC object + func_append non_pic_objects " $non_pic_object" + if test -z "$pic_object" || test "$pic_object" = none ; then + arg="$non_pic_object" + fi + else + # If the PIC object exists, use it instead. + # $xdir was prepended to $pic_object above. + non_pic_object="$pic_object" + func_append non_pic_objects " $non_pic_object" + fi + else + # Only an error if not doing a dry-run. + if $opt_dry_run; then + # Extract subdirectory from the argument. + func_dirname "$arg" "/" "" + xdir="$func_dirname_result" + + func_lo2o "$arg" + pic_object=$xdir$objdir/$func_lo2o_result + non_pic_object=$xdir$func_lo2o_result + func_append libobjs " $pic_object" + func_append non_pic_objects " $non_pic_object" + else + func_fatal_error "\`$arg' is not a valid libtool object" + fi + fi + ;; + + *.$libext) + # An archive. + func_append deplibs " $arg" + func_append old_deplibs " $arg" + continue + ;; + + *.la) + # A libtool-controlled library. + + func_resolve_sysroot "$arg" + if test "$prev" = dlfiles; then + # This library was specified with -dlopen. + func_append dlfiles " $func_resolve_sysroot_result" + prev= + elif test "$prev" = dlprefiles; then + # The library was specified with -dlpreopen. + func_append dlprefiles " $func_resolve_sysroot_result" + prev= + else + func_append deplibs " $func_resolve_sysroot_result" + fi + continue + ;; + + # Some other compiler argument. + *) + # Unknown arguments in both finalize_command and compile_command need + # to be aesthetically quoted because they are evaled later. + func_quote_for_eval "$arg" + arg="$func_quote_for_eval_result" + ;; + esac # arg + + # Now actually substitute the argument into the commands. 
+ if test -n "$arg"; then + func_append compile_command " $arg" + func_append finalize_command " $arg" + fi + done # argument parsing loop + + test -n "$prev" && \ + func_fatal_help "the \`$prevarg' option requires an argument" + + if test "$export_dynamic" = yes && test -n "$export_dynamic_flag_spec"; then + eval arg=\"$export_dynamic_flag_spec\" + func_append compile_command " $arg" + func_append finalize_command " $arg" + fi + + oldlibs= + # calculate the name of the file, without its directory + func_basename "$output" + outputname="$func_basename_result" + libobjs_save="$libobjs" + + if test -n "$shlibpath_var"; then + # get the directories listed in $shlibpath_var + eval shlib_search_path=\`\$ECHO \"\${$shlibpath_var}\" \| \$SED \'s/:/ /g\'\` + else + shlib_search_path= + fi + eval sys_lib_search_path=\"$sys_lib_search_path_spec\" + eval sys_lib_dlsearch_path=\"$sys_lib_dlsearch_path_spec\" + + func_dirname "$output" "/" "" + output_objdir="$func_dirname_result$objdir" + func_to_tool_file "$output_objdir/" + tool_output_objdir=$func_to_tool_file_result + # Create the object directory. + func_mkdir_p "$output_objdir" + + # Determine the type of output + case $output in + "") + func_fatal_help "you must specify an output file" + ;; + *.$libext) linkmode=oldlib ;; + *.lo | *.$objext) linkmode=obj ;; + *.la) linkmode=lib ;; + *) linkmode=prog ;; # Anything else should be a program. + esac + + specialdeplibs= + + libs= + # Find all interdependent deplibs by searching for libraries + # that are linked more than once (e.g. 
-la -lb -la) + for deplib in $deplibs; do + if $opt_preserve_dup_deps ; then + case "$libs " in + *" $deplib "*) func_append specialdeplibs " $deplib" ;; + esac + fi + func_append libs " $deplib" + done + + if test "$linkmode" = lib; then + libs="$predeps $libs $compiler_lib_search_path $postdeps" + + # Compute libraries that are listed more than once in $predeps + # $postdeps and mark them as special (i.e., whose duplicates are + # not to be eliminated). + pre_post_deps= + if $opt_duplicate_compiler_generated_deps; then + for pre_post_dep in $predeps $postdeps; do + case "$pre_post_deps " in + *" $pre_post_dep "*) func_append specialdeplibs " $pre_post_deps" ;; + esac + func_append pre_post_deps " $pre_post_dep" + done + fi + pre_post_deps= + fi + + deplibs= + newdependency_libs= + newlib_search_path= + need_relink=no # whether we're linking any uninstalled libtool libraries + notinst_deplibs= # not-installed libtool libraries + notinst_path= # paths that contain not-installed libtool libraries + + case $linkmode in + lib) + passes="conv dlpreopen link" + for file in $dlfiles $dlprefiles; do + case $file in + *.la) ;; + *) + func_fatal_help "libraries can \`-dlopen' only libtool libraries: $file" + ;; + esac + done + ;; + prog) + compile_deplibs= + finalize_deplibs= + alldeplibs=no + newdlfiles= + newdlprefiles= + passes="conv scan dlopen dlpreopen link" + ;; + *) passes="conv" + ;; + esac + + for pass in $passes; do + # The preopen pass in lib mode reverses $deplibs; put it back here + # so that -L comes before libs that need it for instance... 
+ if test "$linkmode,$pass" = "lib,link"; then + ## FIXME: Find the place where the list is rebuilt in the wrong + ## order, and fix it there properly + tmp_deplibs= + for deplib in $deplibs; do + tmp_deplibs="$deplib $tmp_deplibs" + done + deplibs="$tmp_deplibs" + fi + + if test "$linkmode,$pass" = "lib,link" || + test "$linkmode,$pass" = "prog,scan"; then + libs="$deplibs" + deplibs= + fi + if test "$linkmode" = prog; then + case $pass in + dlopen) libs="$dlfiles" ;; + dlpreopen) libs="$dlprefiles" ;; + link) libs="$deplibs %DEPLIBS% $dependency_libs" ;; + esac + fi + if test "$linkmode,$pass" = "lib,dlpreopen"; then + # Collect and forward deplibs of preopened libtool libs + for lib in $dlprefiles; do + # Ignore non-libtool-libs + dependency_libs= + func_resolve_sysroot "$lib" + case $lib in + *.la) func_source "$func_resolve_sysroot_result" ;; + esac + + # Collect preopened libtool deplibs, except any this library + # has declared as weak libs + for deplib in $dependency_libs; do + func_basename "$deplib" + deplib_base=$func_basename_result + case " $weak_libs " in + *" $deplib_base "*) ;; + *) func_append deplibs " $deplib" ;; + esac + done + done + libs="$dlprefiles" + fi + if test "$pass" = dlopen; then + # Collect dlpreopened libraries + save_deplibs="$deplibs" + deplibs= + fi + + for deplib in $libs; do + lib= + found=no + case $deplib in + -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \ + |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*) + if test "$linkmode,$pass" = "prog,link"; then + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + func_append compiler_flags " $deplib" + test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs" + if test "$linkmode" = lib ; then + case "$new_inherited_linker_flags " in + *" $deplib "*) ;; + * ) func_append new_inherited_linker_flags " $deplib" ;; + esac + fi + fi + continue + ;; + -l*) + if test "$linkmode" != lib && test 
"$linkmode" != prog; then + func_warning "\`-l' is ignored for archives/objects" + continue + fi + func_stripname '-l' '' "$deplib" + name=$func_stripname_result + if test "$linkmode" = lib; then + searchdirs="$newlib_search_path $lib_search_path $compiler_lib_search_dirs $sys_lib_search_path $shlib_search_path" + else + searchdirs="$newlib_search_path $lib_search_path $sys_lib_search_path $shlib_search_path" + fi + for searchdir in $searchdirs; do + for search_ext in .la $std_shrext .so .a; do + # Search the libtool library + lib="$searchdir/lib${name}${search_ext}" + if test -f "$lib"; then + if test "$search_ext" = ".la"; then + found=yes + else + found=no + fi + break 2 + fi + done + done + if test "$found" != yes; then + # deplib doesn't seem to be a libtool library + if test "$linkmode,$pass" = "prog,link"; then + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + deplibs="$deplib $deplibs" + test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs" + fi + continue + else # deplib is a libtool library + # If $allow_libtool_libs_with_static_runtimes && $deplib is a stdlib, + # We need to do some special things here, and not later. + if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then + case " $predeps $postdeps " in + *" $deplib "*) + if func_lalib_p "$lib"; then + library_names= + old_library= + func_source "$lib" + for l in $old_library $library_names; do + ll="$l" + done + if test "X$ll" = "X$old_library" ; then # only static version available + found=no + func_dirname "$lib" "" "." 
+ ladir="$func_dirname_result" + lib=$ladir/$old_library + if test "$linkmode,$pass" = "prog,link"; then + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + deplibs="$deplib $deplibs" + test "$linkmode" = lib && newdependency_libs="$deplib $newdependency_libs" + fi + continue + fi + fi + ;; + *) ;; + esac + fi + fi + ;; # -l + *.ltframework) + if test "$linkmode,$pass" = "prog,link"; then + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + deplibs="$deplib $deplibs" + if test "$linkmode" = lib ; then + case "$new_inherited_linker_flags " in + *" $deplib "*) ;; + * ) func_append new_inherited_linker_flags " $deplib" ;; + esac + fi + fi + continue + ;; + -L*) + case $linkmode in + lib) + deplibs="$deplib $deplibs" + test "$pass" = conv && continue + newdependency_libs="$deplib $newdependency_libs" + func_stripname '-L' '' "$deplib" + func_resolve_sysroot "$func_stripname_result" + func_append newlib_search_path " $func_resolve_sysroot_result" + ;; + prog) + if test "$pass" = conv; then + deplibs="$deplib $deplibs" + continue + fi + if test "$pass" = scan; then + deplibs="$deplib $deplibs" + else + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + fi + func_stripname '-L' '' "$deplib" + func_resolve_sysroot "$func_stripname_result" + func_append newlib_search_path " $func_resolve_sysroot_result" + ;; + *) + func_warning "\`-L' is ignored for archives/objects" + ;; + esac # linkmode + continue + ;; # -L + -R*) + if test "$pass" = link; then + func_stripname '-R' '' "$deplib" + func_resolve_sysroot "$func_stripname_result" + dir=$func_resolve_sysroot_result + # Make sure the xrpath contains only unique directories. 
+ case "$xrpath " in + *" $dir "*) ;; + *) func_append xrpath " $dir" ;; + esac + fi + deplibs="$deplib $deplibs" + continue + ;; + *.la) + func_resolve_sysroot "$deplib" + lib=$func_resolve_sysroot_result + ;; + *.$libext) + if test "$pass" = conv; then + deplibs="$deplib $deplibs" + continue + fi + case $linkmode in + lib) + # Linking convenience modules into shared libraries is allowed, + # but linking other static libraries is non-portable. + case " $dlpreconveniencelibs " in + *" $deplib "*) ;; + *) + valid_a_lib=no + case $deplibs_check_method in + match_pattern*) + set dummy $deplibs_check_method; shift + match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"` + if eval "\$ECHO \"$deplib\"" 2>/dev/null | $SED 10q \ + | $EGREP "$match_pattern_regex" > /dev/null; then + valid_a_lib=yes + fi + ;; + pass_all) + valid_a_lib=yes + ;; + esac + if test "$valid_a_lib" != yes; then + echo + $ECHO "*** Warning: Trying to link with static lib archive $deplib." + echo "*** I have the capability to make that library automatically link in when" + echo "*** you link to this library. But I can only do this if you have a" + echo "*** shared version of the library, which you do not appear to have" + echo "*** because the file extensions .$libext of this argument makes me believe" + echo "*** that it is just a static archive that I should not use here." + else + echo + $ECHO "*** Warning: Linking the shared library $output against the" + $ECHO "*** static library $deplib is not portable!" 
+ deplibs="$deplib $deplibs" + fi + ;; + esac + continue + ;; + prog) + if test "$pass" != link; then + deplibs="$deplib $deplibs" + else + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + fi + continue + ;; + esac # linkmode + ;; # *.$libext + *.lo | *.$objext) + if test "$pass" = conv; then + deplibs="$deplib $deplibs" + elif test "$linkmode" = prog; then + if test "$pass" = dlpreopen || test "$dlopen_support" != yes || test "$build_libtool_libs" = no; then + # If there is no dlopen support or we're linking statically, + # we need to preload. + func_append newdlprefiles " $deplib" + compile_deplibs="$deplib $compile_deplibs" + finalize_deplibs="$deplib $finalize_deplibs" + else + func_append newdlfiles " $deplib" + fi + fi + continue + ;; + %DEPLIBS%) + alldeplibs=yes + continue + ;; + esac # case $deplib + + if test "$found" = yes || test -f "$lib"; then : + else + func_fatal_error "cannot find the library \`$lib' or unhandled argument \`$deplib'" + fi + + # Check to see that this really is a libtool archive. + func_lalib_unsafe_p "$lib" \ + || func_fatal_error "\`$lib' is not a valid libtool archive" + + func_dirname "$lib" "" "." 
+ ladir="$func_dirname_result" + + dlname= + dlopen= + dlpreopen= + libdir= + library_names= + old_library= + inherited_linker_flags= + # If the library was installed with an old release of libtool, + # it will not redefine variables installed, or shouldnotlink + installed=yes + shouldnotlink=no + avoidtemprpath= + + + # Read the .la file + func_source "$lib" + + # Convert "-framework foo" to "foo.ltframework" + if test -n "$inherited_linker_flags"; then + tmp_inherited_linker_flags=`$ECHO "$inherited_linker_flags" | $SED 's/-framework \([^ $]*\)/\1.ltframework/g'` + for tmp_inherited_linker_flag in $tmp_inherited_linker_flags; do + case " $new_inherited_linker_flags " in + *" $tmp_inherited_linker_flag "*) ;; + *) func_append new_inherited_linker_flags " $tmp_inherited_linker_flag";; + esac + done + fi + dependency_libs=`$ECHO " $dependency_libs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + if test "$linkmode,$pass" = "lib,link" || + test "$linkmode,$pass" = "prog,scan" || + { test "$linkmode" != prog && test "$linkmode" != lib; }; then + test -n "$dlopen" && func_append dlfiles " $dlopen" + test -n "$dlpreopen" && func_append dlprefiles " $dlpreopen" + fi + + if test "$pass" = conv; then + # Only check for convenience libraries + deplibs="$lib $deplibs" + if test -z "$libdir"; then + if test -z "$old_library"; then + func_fatal_error "cannot find name of link library for \`$lib'" + fi + # It is a libtool convenience library, so add in its objects. 
+ func_append convenience " $ladir/$objdir/$old_library" + func_append old_convenience " $ladir/$objdir/$old_library" + elif test "$linkmode" != prog && test "$linkmode" != lib; then + func_fatal_error "\`$lib' is not a convenience library" + fi + tmp_libs= + for deplib in $dependency_libs; do + deplibs="$deplib $deplibs" + if $opt_preserve_dup_deps ; then + case "$tmp_libs " in + *" $deplib "*) func_append specialdeplibs " $deplib" ;; + esac + fi + func_append tmp_libs " $deplib" + done + continue + fi # $pass = conv + + + # Get the name of the library we link against. + linklib= + if test -n "$old_library" && + { test "$prefer_static_libs" = yes || + test "$prefer_static_libs,$installed" = "built,no"; }; then + linklib=$old_library + else + for l in $old_library $library_names; do + linklib="$l" + done + fi + if test -z "$linklib"; then + func_fatal_error "cannot find name of link library for \`$lib'" + fi + + # This library was specified with -dlopen. + if test "$pass" = dlopen; then + if test -z "$libdir"; then + func_fatal_error "cannot -dlopen a convenience library: \`$lib'" + fi + if test -z "$dlname" || + test "$dlopen_support" != yes || + test "$build_libtool_libs" = no; then + # If there is no dlname, no dlopen support or we're linking + # statically, we need to preload. We also need to preload any + # dependent libraries so libltdl's deplib preloader doesn't + # bomb out in the load deplibs phase. + func_append dlprefiles " $lib $dependency_libs" + else + func_append newdlfiles " $lib" + fi + continue + fi # $pass = dlopen + + # We need an absolute path. 
+ case $ladir in + [\\/]* | [A-Za-z]:[\\/]*) abs_ladir="$ladir" ;; + *) + abs_ladir=`cd "$ladir" && pwd` + if test -z "$abs_ladir"; then + func_warning "cannot determine absolute directory name of \`$ladir'" + func_warning "passing it literally to the linker, although it might fail" + abs_ladir="$ladir" + fi + ;; + esac + func_basename "$lib" + laname="$func_basename_result" + + # Find the relevant object directory and library name. + if test "X$installed" = Xyes; then + if test ! -f "$lt_sysroot$libdir/$linklib" && test -f "$abs_ladir/$linklib"; then + func_warning "library \`$lib' was moved." + dir="$ladir" + absdir="$abs_ladir" + libdir="$abs_ladir" + else + dir="$lt_sysroot$libdir" + absdir="$lt_sysroot$libdir" + fi + test "X$hardcode_automatic" = Xyes && avoidtemprpath=yes + else + if test ! -f "$ladir/$objdir/$linklib" && test -f "$abs_ladir/$linklib"; then + dir="$ladir" + absdir="$abs_ladir" + # Remove this search path later + func_append notinst_path " $abs_ladir" + else + dir="$ladir/$objdir" + absdir="$abs_ladir/$objdir" + # Remove this search path later + func_append notinst_path " $abs_ladir" + fi + fi # $installed = yes + func_stripname 'lib' '.la' "$laname" + name=$func_stripname_result + + # This library was specified with -dlpreopen. + if test "$pass" = dlpreopen; then + if test -z "$libdir" && test "$linkmode" = prog; then + func_fatal_error "only libraries may -dlpreopen a convenience library: \`$lib'" + fi + case "$host" in + # special handling for platforms with PE-DLLs. + *cygwin* | *mingw* | *cegcc* ) + # Linker will automatically link against shared library if both + # static and shared are present. Therefore, ensure we extract + # symbols from the import library if a shared library is present + # (otherwise, the dlopen module name will be incorrect). We do + # this by putting the import library name into $newdlprefiles. 
+ # We recover the dlopen module name by 'saving' the la file + # name in a special purpose variable, and (later) extracting the + # dlname from the la file. + if test -n "$dlname"; then + func_tr_sh "$dir/$linklib" + eval "libfile_$func_tr_sh_result=\$abs_ladir/\$laname" + func_append newdlprefiles " $dir/$linklib" + else + func_append newdlprefiles " $dir/$old_library" + # Keep a list of preopened convenience libraries to check + # that they are being used correctly in the link pass. + test -z "$libdir" && \ + func_append dlpreconveniencelibs " $dir/$old_library" + fi + ;; + * ) + # Prefer using a static library (so that no silly _DYNAMIC symbols + # are required to link). + if test -n "$old_library"; then + func_append newdlprefiles " $dir/$old_library" + # Keep a list of preopened convenience libraries to check + # that they are being used correctly in the link pass. + test -z "$libdir" && \ + func_append dlpreconveniencelibs " $dir/$old_library" + # Otherwise, use the dlname, so that lt_dlopen finds it. 
+ elif test -n "$dlname"; then + func_append newdlprefiles " $dir/$dlname" + else + func_append newdlprefiles " $dir/$linklib" + fi + ;; + esac + fi # $pass = dlpreopen + + if test -z "$libdir"; then + # Link the convenience library + if test "$linkmode" = lib; then + deplibs="$dir/$old_library $deplibs" + elif test "$linkmode,$pass" = "prog,link"; then + compile_deplibs="$dir/$old_library $compile_deplibs" + finalize_deplibs="$dir/$old_library $finalize_deplibs" + else + deplibs="$lib $deplibs" # used for prog,scan pass + fi + continue + fi + + + if test "$linkmode" = prog && test "$pass" != link; then + func_append newlib_search_path " $ladir" + deplibs="$lib $deplibs" + + linkalldeplibs=no + if test "$link_all_deplibs" != no || test -z "$library_names" || + test "$build_libtool_libs" = no; then + linkalldeplibs=yes + fi + + tmp_libs= + for deplib in $dependency_libs; do + case $deplib in + -L*) func_stripname '-L' '' "$deplib" + func_resolve_sysroot "$func_stripname_result" + func_append newlib_search_path " $func_resolve_sysroot_result" + ;; + esac + # Need to link against all dependency_libs? + if test "$linkalldeplibs" = yes; then + deplibs="$deplib $deplibs" + else + # Need to hardcode shared library paths + # or/and link against static libraries + newdependency_libs="$deplib $newdependency_libs" + fi + if $opt_preserve_dup_deps ; then + case "$tmp_libs " in + *" $deplib "*) func_append specialdeplibs " $deplib" ;; + esac + fi + func_append tmp_libs " $deplib" + done # for deplib + continue + fi # $linkmode = prog... + + if test "$linkmode,$pass" = "prog,link"; then + if test -n "$library_names" && + { { test "$prefer_static_libs" = no || + test "$prefer_static_libs,$installed" = "built,yes"; } || + test -z "$old_library"; }; then + # We need to hardcode the library path + if test -n "$shlibpath_var" && test -z "$avoidtemprpath" ; then + # Make sure the rpath contains only unique directories. 
+ case "$temp_rpath:" in + *"$absdir:"*) ;; + *) func_append temp_rpath "$absdir:" ;; + esac + fi + + # Hardcode the library path. + # Skip directories that are in the system default run-time + # search path. + case " $sys_lib_dlsearch_path " in + *" $absdir "*) ;; + *) + case "$compile_rpath " in + *" $absdir "*) ;; + *) func_append compile_rpath " $absdir" ;; + esac + ;; + esac + case " $sys_lib_dlsearch_path " in + *" $libdir "*) ;; + *) + case "$finalize_rpath " in + *" $libdir "*) ;; + *) func_append finalize_rpath " $libdir" ;; + esac + ;; + esac + fi # $linkmode,$pass = prog,link... + + if test "$alldeplibs" = yes && + { test "$deplibs_check_method" = pass_all || + { test "$build_libtool_libs" = yes && + test -n "$library_names"; }; }; then + # We only need to search for static libraries + continue + fi + fi + + link_static=no # Whether the deplib will be linked statically + use_static_libs=$prefer_static_libs + if test "$use_static_libs" = built && test "$installed" = yes; then + use_static_libs=no + fi + if test -n "$library_names" && + { test "$use_static_libs" = no || test -z "$old_library"; }; then + case $host in + *cygwin* | *mingw* | *cegcc*) + # No point in relinking DLLs because paths are not encoded + func_append notinst_deplibs " $lib" + need_relink=no + ;; + *) + if test "$installed" = no; then + func_append notinst_deplibs " $lib" + test -z "$DESTDIR" && need_relink=yes + fi + ;; + esac + # This is a shared library + + # Warn about portability, can't link against -module's on some + # systems (darwin). Don't bleat about dlopened modules though! 
+ dlopenmodule="" + for dlpremoduletest in $dlprefiles; do + if test "X$dlpremoduletest" = "X$lib"; then + dlopenmodule="$dlpremoduletest" + break + fi + done + if test -z "$dlopenmodule" && test "$shouldnotlink" = yes && test "$pass" = link; then + echo + if test "$linkmode" = prog; then + $ECHO "*** Warning: Linking the executable $output against the loadable module" + else + $ECHO "*** Warning: Linking the shared library $output against the loadable module" + fi + $ECHO "*** $linklib is not portable!" + fi + if test "$linkmode" = lib && + test "$hardcode_into_libs" = yes; then + # Hardcode the library path. + # Skip directories that are in the system default run-time + # search path. + case " $sys_lib_dlsearch_path " in + *" $absdir "*) ;; + *) + case "$compile_rpath " in + *" $absdir "*) ;; + *) func_append compile_rpath " $absdir" ;; + esac + ;; + esac + case " $sys_lib_dlsearch_path " in + *" $libdir "*) ;; + *) + case "$finalize_rpath " in + *" $libdir "*) ;; + *) func_append finalize_rpath " $libdir" ;; + esac + ;; + esac + fi + + if test -n "$old_archive_from_expsyms_cmds"; then + # figure out the soname + set dummy $library_names + shift + realname="$1" + shift + libname=`eval "\\$ECHO \"$libname_spec\""` + # use dlname if we got it. it's perfectly good, no? 
+ if test -n "$dlname"; then + soname="$dlname" + elif test -n "$soname_spec"; then + # bleh windows + case $host in + *cygwin* | mingw* | *cegcc*) + func_arith $current - $age + major=$func_arith_result + versuffix="-$major" + ;; + esac + eval soname=\"$soname_spec\" + else + soname="$realname" + fi + + # Make a new name for the extract_expsyms_cmds to use + soroot="$soname" + func_basename "$soroot" + soname="$func_basename_result" + func_stripname 'lib' '.dll' "$soname" + newlib=libimp-$func_stripname_result.a + + # If the library has no export list, then create one now + if test -f "$output_objdir/$soname-def"; then : + else + func_verbose "extracting exported symbol list from \`$soname'" + func_execute_cmds "$extract_expsyms_cmds" 'exit $?' + fi + + # Create $newlib + if test -f "$output_objdir/$newlib"; then :; else + func_verbose "generating import library for \`$soname'" + func_execute_cmds "$old_archive_from_expsyms_cmds" 'exit $?' + fi + # make sure the library variables are pointing to the new library + dir=$output_objdir + linklib=$newlib + fi # test -n "$old_archive_from_expsyms_cmds" + + if test "$linkmode" = prog || test "$opt_mode" != relink; then + add_shlibpath= + add_dir= + add= + lib_linked=yes + case $hardcode_action in + immediate | unsupported) + if test "$hardcode_direct" = no; then + add="$dir/$linklib" + case $host in + *-*-sco3.2v5.0.[024]*) add_dir="-L$dir" ;; + *-*-sysv4*uw2*) add_dir="-L$dir" ;; + *-*-sysv5OpenUNIX* | *-*-sysv5UnixWare7.[01].[10]* | \ + *-*-unixware7*) add_dir="-L$dir" ;; + *-*-darwin* ) + # if the lib is a (non-dlopened) module then we can not + # link against it, someone is ignoring the earlier warnings + if /usr/bin/file -L $add 2> /dev/null | + $GREP ": [^:]* bundle" >/dev/null ; then + if test "X$dlopenmodule" != "X$lib"; then + $ECHO "*** Warning: lib $linklib is a module, not a shared library" + if test -z "$old_library" ; then + echo + echo "*** And there doesn't seem to be a static archive available" + echo 
"*** The link will probably fail, sorry" + else + add="$dir/$old_library" + fi + elif test -n "$old_library"; then + add="$dir/$old_library" + fi + fi + esac + elif test "$hardcode_minus_L" = no; then + case $host in + *-*-sunos*) add_shlibpath="$dir" ;; + esac + add_dir="-L$dir" + add="-l$name" + elif test "$hardcode_shlibpath_var" = no; then + add_shlibpath="$dir" + add="-l$name" + else + lib_linked=no + fi + ;; + relink) + if test "$hardcode_direct" = yes && + test "$hardcode_direct_absolute" = no; then + add="$dir/$linklib" + elif test "$hardcode_minus_L" = yes; then + add_dir="-L$absdir" + # Try looking first in the location we're being installed to. + if test -n "$inst_prefix_dir"; then + case $libdir in + [\\/]*) + func_append add_dir " -L$inst_prefix_dir$libdir" + ;; + esac + fi + add="-l$name" + elif test "$hardcode_shlibpath_var" = yes; then + add_shlibpath="$dir" + add="-l$name" + else + lib_linked=no + fi + ;; + *) lib_linked=no ;; + esac + + if test "$lib_linked" != yes; then + func_fatal_configuration "unsupported hardcode properties" + fi + + if test -n "$add_shlibpath"; then + case :$compile_shlibpath: in + *":$add_shlibpath:"*) ;; + *) func_append compile_shlibpath "$add_shlibpath:" ;; + esac + fi + if test "$linkmode" = prog; then + test -n "$add_dir" && compile_deplibs="$add_dir $compile_deplibs" + test -n "$add" && compile_deplibs="$add $compile_deplibs" + else + test -n "$add_dir" && deplibs="$add_dir $deplibs" + test -n "$add" && deplibs="$add $deplibs" + if test "$hardcode_direct" != yes && + test "$hardcode_minus_L" != yes && + test "$hardcode_shlibpath_var" = yes; then + case :$finalize_shlibpath: in + *":$libdir:"*) ;; + *) func_append finalize_shlibpath "$libdir:" ;; + esac + fi + fi + fi + + if test "$linkmode" = prog || test "$opt_mode" = relink; then + add_shlibpath= + add_dir= + add= + # Finalize command for both is simple: just hardcode it. 
+ if test "$hardcode_direct" = yes && + test "$hardcode_direct_absolute" = no; then + add="$libdir/$linklib" + elif test "$hardcode_minus_L" = yes; then + add_dir="-L$libdir" + add="-l$name" + elif test "$hardcode_shlibpath_var" = yes; then + case :$finalize_shlibpath: in + *":$libdir:"*) ;; + *) func_append finalize_shlibpath "$libdir:" ;; + esac + add="-l$name" + elif test "$hardcode_automatic" = yes; then + if test -n "$inst_prefix_dir" && + test -f "$inst_prefix_dir$libdir/$linklib" ; then + add="$inst_prefix_dir$libdir/$linklib" + else + add="$libdir/$linklib" + fi + else + # We cannot seem to hardcode it, guess we'll fake it. + add_dir="-L$libdir" + # Try looking first in the location we're being installed to. + if test -n "$inst_prefix_dir"; then + case $libdir in + [\\/]*) + func_append add_dir " -L$inst_prefix_dir$libdir" + ;; + esac + fi + add="-l$name" + fi + + if test "$linkmode" = prog; then + test -n "$add_dir" && finalize_deplibs="$add_dir $finalize_deplibs" + test -n "$add" && finalize_deplibs="$add $finalize_deplibs" + else + test -n "$add_dir" && deplibs="$add_dir $deplibs" + test -n "$add" && deplibs="$add $deplibs" + fi + fi + elif test "$linkmode" = prog; then + # Here we assume that one of hardcode_direct or hardcode_minus_L + # is not unsupported. This is valid on all known static and + # shared platforms. + if test "$hardcode_direct" != unsupported; then + test -n "$old_library" && linklib="$old_library" + compile_deplibs="$dir/$linklib $compile_deplibs" + finalize_deplibs="$dir/$linklib $finalize_deplibs" + else + compile_deplibs="-l$name -L$dir $compile_deplibs" + finalize_deplibs="-l$name -L$dir $finalize_deplibs" + fi + elif test "$build_libtool_libs" = yes; then + # Not a shared library + if test "$deplibs_check_method" != pass_all; then + # We're trying link a shared library against a static one + # but the system doesn't support it. 
+ + # Just print a warning and add the library to dependency_libs so + # that the program can be linked against the static library. + echo + $ECHO "*** Warning: This system can not link to static lib archive $lib." + echo "*** I have the capability to make that library automatically link in when" + echo "*** you link to this library. But I can only do this if you have a" + echo "*** shared version of the library, which you do not appear to have." + if test "$module" = yes; then + echo "*** But as you try to build a module library, libtool will still create " + echo "*** a static module, that should work as long as the dlopening application" + echo "*** is linked with the -dlopen flag to resolve symbols at runtime." + if test -z "$global_symbol_pipe"; then + echo + echo "*** However, this would only work if libtool was able to extract symbol" + echo "*** lists from a program, using \`nm' or equivalent, but libtool could" + echo "*** not find such a program. So, this module is probably useless." + echo "*** \`nm' from GNU binutils and a full rebuild may help." + fi + if test "$build_old_libs" = no; then + build_libtool_libs=module + build_old_libs=yes + else + build_libtool_libs=no + fi + fi + else + deplibs="$dir/$old_library $deplibs" + link_static=yes + fi + fi # link shared/static library? 
+ + if test "$linkmode" = lib; then + if test -n "$dependency_libs" && + { test "$hardcode_into_libs" != yes || + test "$build_old_libs" = yes || + test "$link_static" = yes; }; then + # Extract -R from dependency_libs + temp_deplibs= + for libdir in $dependency_libs; do + case $libdir in + -R*) func_stripname '-R' '' "$libdir" + temp_xrpath=$func_stripname_result + case " $xrpath " in + *" $temp_xrpath "*) ;; + *) func_append xrpath " $temp_xrpath";; + esac;; + *) func_append temp_deplibs " $libdir";; + esac + done + dependency_libs="$temp_deplibs" + fi + + func_append newlib_search_path " $absdir" + # Link against this library + test "$link_static" = no && newdependency_libs="$abs_ladir/$laname $newdependency_libs" + # ... and its dependency_libs + tmp_libs= + for deplib in $dependency_libs; do + newdependency_libs="$deplib $newdependency_libs" + case $deplib in + -L*) func_stripname '-L' '' "$deplib" + func_resolve_sysroot "$func_stripname_result";; + *) func_resolve_sysroot "$deplib" ;; + esac + if $opt_preserve_dup_deps ; then + case "$tmp_libs " in + *" $func_resolve_sysroot_result "*) + func_append specialdeplibs " $func_resolve_sysroot_result" ;; + esac + fi + func_append tmp_libs " $func_resolve_sysroot_result" + done + + if test "$link_all_deplibs" != no; then + # Add the search paths of all dependency libraries + for deplib in $dependency_libs; do + path= + case $deplib in + -L*) path="$deplib" ;; + *.la) + func_resolve_sysroot "$deplib" + deplib=$func_resolve_sysroot_result + func_dirname "$deplib" "" "." + dir=$func_dirname_result + # We need an absolute path. 
+ case $dir in + [\\/]* | [A-Za-z]:[\\/]*) absdir="$dir" ;; + *) + absdir=`cd "$dir" && pwd` + if test -z "$absdir"; then + func_warning "cannot determine absolute directory name of \`$dir'" + absdir="$dir" + fi + ;; + esac + if $GREP "^installed=no" $deplib > /dev/null; then + case $host in + *-*-darwin*) + depdepl= + eval deplibrary_names=`${SED} -n -e 's/^library_names=\(.*\)$/\1/p' $deplib` + if test -n "$deplibrary_names" ; then + for tmp in $deplibrary_names ; do + depdepl=$tmp + done + if test -f "$absdir/$objdir/$depdepl" ; then + depdepl="$absdir/$objdir/$depdepl" + darwin_install_name=`${OTOOL} -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'` + if test -z "$darwin_install_name"; then + darwin_install_name=`${OTOOL64} -L $depdepl | awk '{if (NR == 2) {print $1;exit}}'` + fi + func_append compiler_flags " ${wl}-dylib_file ${wl}${darwin_install_name}:${depdepl}" + func_append linker_flags " -dylib_file ${darwin_install_name}:${depdepl}" + path= + fi + fi + ;; + *) + path="-L$absdir/$objdir" + ;; + esac + else + eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $deplib` + test -z "$libdir" && \ + func_fatal_error "\`$deplib' is not a valid libtool archive" + test "$absdir" != "$libdir" && \ + func_warning "\`$deplib' seems to be moved" + + path="-L$absdir" + fi + ;; + esac + case " $deplibs " in + *" $path "*) ;; + *) deplibs="$path $deplibs" ;; + esac + done + fi # link_all_deplibs != no + fi # linkmode = lib + done # for deplib in $libs + if test "$pass" = link; then + if test "$linkmode" = "prog"; then + compile_deplibs="$new_inherited_linker_flags $compile_deplibs" + finalize_deplibs="$new_inherited_linker_flags $finalize_deplibs" + else + compiler_flags="$compiler_flags "`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + fi + fi + dependency_libs="$newdependency_libs" + if test "$pass" = dlpreopen; then + # Link the dlpreopened libraries before other libraries + for deplib in $save_deplibs; do + 
deplibs="$deplib $deplibs" + done + fi + if test "$pass" != dlopen; then + if test "$pass" != conv; then + # Make sure lib_search_path contains only unique directories. + lib_search_path= + for dir in $newlib_search_path; do + case "$lib_search_path " in + *" $dir "*) ;; + *) func_append lib_search_path " $dir" ;; + esac + done + newlib_search_path= + fi + + if test "$linkmode,$pass" != "prog,link"; then + vars="deplibs" + else + vars="compile_deplibs finalize_deplibs" + fi + for var in $vars dependency_libs; do + # Add libraries to $var in reverse order + eval tmp_libs=\"\$$var\" + new_libs= + for deplib in $tmp_libs; do + # FIXME: Pedantically, this is the right thing to do, so + # that some nasty dependency loop isn't accidentally + # broken: + #new_libs="$deplib $new_libs" + # Pragmatically, this seems to cause very few problems in + # practice: + case $deplib in + -L*) new_libs="$deplib $new_libs" ;; + -R*) ;; + *) + # And here is the reason: when a library appears more + # than once as an explicit dependence of a library, or + # is implicitly linked in more than once by the + # compiler, it is considered special, and multiple + # occurrences thereof are not removed. Compare this + # with having the same library being listed as a + # dependency of multiple other libraries: in this case, + # we know (pedantically, we assume) the library does not + # need to be listed more than once, so we keep only the + # last copy. This is not always right, but it is rare + # enough that we require users that really mean to play + # such unportable linking tricks to link the library + # using -Wl,-lname, so that libtool does not consider it + # for duplicate removal. 
+ case " $specialdeplibs " in + *" $deplib "*) new_libs="$deplib $new_libs" ;; + *) + case " $new_libs " in + *" $deplib "*) ;; + *) new_libs="$deplib $new_libs" ;; + esac + ;; + esac + ;; + esac + done + tmp_libs= + for deplib in $new_libs; do + case $deplib in + -L*) + case " $tmp_libs " in + *" $deplib "*) ;; + *) func_append tmp_libs " $deplib" ;; + esac + ;; + *) func_append tmp_libs " $deplib" ;; + esac + done + eval $var=\"$tmp_libs\" + done # for var + fi + # Last step: remove runtime libs from dependency_libs + # (they stay in deplibs) + tmp_libs= + for i in $dependency_libs ; do + case " $predeps $postdeps $compiler_lib_search_path " in + *" $i "*) + i="" + ;; + esac + if test -n "$i" ; then + func_append tmp_libs " $i" + fi + done + dependency_libs=$tmp_libs + done # for pass + if test "$linkmode" = prog; then + dlfiles="$newdlfiles" + fi + if test "$linkmode" = prog || test "$linkmode" = lib; then + dlprefiles="$newdlprefiles" + fi + + case $linkmode in + oldlib) + if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then + func_warning "\`-dlopen' is ignored for archives" + fi + + case " $deplibs" in + *\ -l* | *\ -L*) + func_warning "\`-l' and \`-L' are ignored for archives" ;; + esac + + test -n "$rpath" && \ + func_warning "\`-rpath' is ignored for archives" + + test -n "$xrpath" && \ + func_warning "\`-R' is ignored for archives" + + test -n "$vinfo" && \ + func_warning "\`-version-info/-version-number' is ignored for archives" + + test -n "$release" && \ + func_warning "\`-release' is ignored for archives" + + test -n "$export_symbols$export_symbols_regex" && \ + func_warning "\`-export-symbols' is ignored for archives" + + # Now set the variables for building old libraries. + build_libtool_libs=no + oldlibs="$output" + func_append objs "$old_deplibs" + ;; + + lib) + # Make sure we only generate libraries of the form `libNAME.la'. 
+ case $outputname in + lib*) + func_stripname 'lib' '.la' "$outputname" + name=$func_stripname_result + eval shared_ext=\"$shrext_cmds\" + eval libname=\"$libname_spec\" + ;; + *) + test "$module" = no && \ + func_fatal_help "libtool library \`$output' must begin with \`lib'" + + if test "$need_lib_prefix" != no; then + # Add the "lib" prefix for modules if required + func_stripname '' '.la' "$outputname" + name=$func_stripname_result + eval shared_ext=\"$shrext_cmds\" + eval libname=\"$libname_spec\" + else + func_stripname '' '.la' "$outputname" + libname=$func_stripname_result + fi + ;; + esac + + if test -n "$objs"; then + if test "$deplibs_check_method" != pass_all; then + func_fatal_error "cannot build libtool library \`$output' from non-libtool objects on this host:$objs" + else + echo + $ECHO "*** Warning: Linking the shared library $output against the non-libtool" + $ECHO "*** objects $objs is not portable!" + func_append libobjs " $objs" + fi + fi + + test "$dlself" != no && \ + func_warning "\`-dlopen self' is ignored for libtool libraries" + + set dummy $rpath + shift + test "$#" -gt 1 && \ + func_warning "ignoring multiple \`-rpath's for a libtool library" + + install_libdir="$1" + + oldlibs= + if test -z "$rpath"; then + if test "$build_libtool_libs" = yes; then + # Building a libtool convenience library. + # Some compilers have problems with a `.al' extension so + # convenience libraries should have the same extension an + # archive normally would. + oldlibs="$output_objdir/$libname.$libext $oldlibs" + build_libtool_libs=convenience + build_old_libs=yes + fi + + test -n "$vinfo" && \ + func_warning "\`-version-info/-version-number' is ignored for convenience libraries" + + test -n "$release" && \ + func_warning "\`-release' is ignored for convenience libraries" + else + + # Parse the version information argument. 
+ save_ifs="$IFS"; IFS=':' + set dummy $vinfo 0 0 0 + shift + IFS="$save_ifs" + + test -n "$7" && \ + func_fatal_help "too many parameters to \`-version-info'" + + # convert absolute version numbers to libtool ages + # this retains compatibility with .la files and attempts + # to make the code below a bit more comprehensible + + case $vinfo_number in + yes) + number_major="$1" + number_minor="$2" + number_revision="$3" + # + # There are really only two kinds -- those that + # use the current revision as the major version + # and those that subtract age and use age as + # a minor version. But, then there is irix + # which has an extra 1 added just for fun + # + case $version_type in + # correct linux to gnu/linux during the next big refactor + darwin|linux|osf|windows|none) + func_arith $number_major + $number_minor + current=$func_arith_result + age="$number_minor" + revision="$number_revision" + ;; + freebsd-aout|freebsd-elf|qnx|sunos) + current="$number_major" + revision="$number_minor" + age="0" + ;; + irix|nonstopux) + func_arith $number_major + $number_minor + current=$func_arith_result + age="$number_minor" + revision="$number_minor" + lt_irix_increment=no + ;; + esac + ;; + no) + current="$1" + revision="$2" + age="$3" + ;; + esac + + # Check that each of the things are valid numbers. 
+ case $current in + 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; + *) + func_error "CURRENT \`$current' must be a nonnegative integer" + func_fatal_error "\`$vinfo' is not valid version information" + ;; + esac + + case $revision in + 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; + *) + func_error "REVISION \`$revision' must be a nonnegative integer" + func_fatal_error "\`$vinfo' is not valid version information" + ;; + esac + + case $age in + 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9]) ;; + *) + func_error "AGE \`$age' must be a nonnegative integer" + func_fatal_error "\`$vinfo' is not valid version information" + ;; + esac + + if test "$age" -gt "$current"; then + func_error "AGE \`$age' is greater than the current interface number \`$current'" + func_fatal_error "\`$vinfo' is not valid version information" + fi + + # Calculate the version variables. + major= + versuffix= + verstring= + case $version_type in + none) ;; + + darwin) + # Like Linux, but with the current version available in + # verstring for coding it into the library header + func_arith $current - $age + major=.$func_arith_result + versuffix="$major.$age.$revision" + # Darwin ld doesn't like 0 for these options... 
+ func_arith $current + 1 + minor_current=$func_arith_result + xlcverstring="${wl}-compatibility_version ${wl}$minor_current ${wl}-current_version ${wl}$minor_current.$revision" + verstring="-compatibility_version $minor_current -current_version $minor_current.$revision" + ;; + + freebsd-aout) + major=".$current" + versuffix=".$current.$revision"; + ;; + + freebsd-elf) + major=".$current" + versuffix=".$current" + ;; + + irix | nonstopux) + if test "X$lt_irix_increment" = "Xno"; then + func_arith $current - $age + else + func_arith $current - $age + 1 + fi + major=$func_arith_result + + case $version_type in + nonstopux) verstring_prefix=nonstopux ;; + *) verstring_prefix=sgi ;; + esac + verstring="$verstring_prefix$major.$revision" + + # Add in all the interfaces that we are compatible with. + loop=$revision + while test "$loop" -ne 0; do + func_arith $revision - $loop + iface=$func_arith_result + func_arith $loop - 1 + loop=$func_arith_result + verstring="$verstring_prefix$major.$iface:$verstring" + done + + # Before this point, $major must not contain `.'. + major=.$major + versuffix="$major.$revision" + ;; + + linux) # correct to gnu/linux during the next big refactor + func_arith $current - $age + major=.$func_arith_result + versuffix="$major.$age.$revision" + ;; + + osf) + func_arith $current - $age + major=.$func_arith_result + versuffix=".$current.$age.$revision" + verstring="$current.$age.$revision" + + # Add in all the interfaces that we are compatible with. + loop=$age + while test "$loop" -ne 0; do + func_arith $current - $loop + iface=$func_arith_result + func_arith $loop - 1 + loop=$func_arith_result + verstring="$verstring:${iface}.0" + done + + # Make executables depend on our current version. 
+ func_append verstring ":${current}.0" + ;; + + qnx) + major=".$current" + versuffix=".$current" + ;; + + sunos) + major=".$current" + versuffix=".$current.$revision" + ;; + + windows) + # Use '-' rather than '.', since we only want one + # extension on DOS 8.3 filesystems. + func_arith $current - $age + major=$func_arith_result + versuffix="-$major" + ;; + + *) + func_fatal_configuration "unknown library version type \`$version_type'" + ;; + esac + + # Clear the version info if we defaulted, and they specified a release. + if test -z "$vinfo" && test -n "$release"; then + major= + case $version_type in + darwin) + # we can't check for "0.0" in archive_cmds due to quoting + # problems, so we reset it completely + verstring= + ;; + *) + verstring="0.0" + ;; + esac + if test "$need_version" = no; then + versuffix= + else + versuffix=".0.0" + fi + fi + + # Remove version info from name if versioning should be avoided + if test "$avoid_version" = yes && test "$need_version" = no; then + major= + versuffix= + verstring="" + else + # XXX + tmp=`echo $libname|sed -e 's,+,_,g' -e 's,-,_,g' -e 's,\.,_,g'` + eval tmp2=\$${tmp}_ltversion + if ! test -z "${SHARED_LIBS_LOG}"; then + if ! test -f ${SHARED_LIBS_LOG}; then + echo "# SHARED_LIBS+= # " >${SHARED_LIBS_LOG} + fi + tmp4=`echo $libname|sed -e 's/^lib//'` + printf "SHARED_LIBS +=\t%-20s %-8s # %s\n" "$tmp4" "$tmp2" "$versuffix" >>${SHARED_LIBS_LOG} + fi + if test -n "$versuffix" && test -n "$tmp2"; then + versuffix=".$tmp2" + fi + fi + + # Check to see if the archive will have undefined symbols. + if test "$allow_undefined" = yes; then + if test "$allow_undefined_flag" = unsupported; then + func_warning "undefined symbols not allowed in $host shared libraries" + build_libtool_libs=no + build_old_libs=yes + fi + else + # Don't allow undefined symbols. 
+ allow_undefined_flag="$no_undefined_flag" + fi + + fi + + func_generate_dlsyms "$libname" "$libname" "yes" + func_append libobjs " $symfileobj" + test "X$libobjs" = "X " && libobjs= + + if test "$opt_mode" != relink; then + # Remove our outputs, but don't remove object files since they + # may have been created when compiling PIC objects. + removelist= + tempremovelist=`$ECHO "$output_objdir/*"` + for p in $tempremovelist; do + case $p in + *.$objext | *.gcno) + ;; + $output_objdir/$outputname | $output_objdir/$libname.* | $output_objdir/${libname}${release}.*) + if test "X$precious_files_regex" != "X"; then + if $ECHO "$p" | $EGREP -e "$precious_files_regex" >/dev/null 2>&1 + then + continue + fi + fi + func_append removelist " $p" + ;; + *) ;; + esac + done + test -n "$removelist" && \ + func_show_eval "${RM}r \$removelist" + fi + + # Now set the variables for building old libraries. + if test "$build_old_libs" = yes && test "$build_libtool_libs" != convenience ; then + func_append oldlibs " $output_objdir/$libname.$libext" + + # Transform .lo files to .o files. + oldobjs="$objs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; $lo2o" | $NL2SP` + fi + + # Eliminate all temporary directories. + #for path in $notinst_path; do + # lib_search_path=`$ECHO "$lib_search_path " | $SED "s% $path % %g"` + # deplibs=`$ECHO "$deplibs " | $SED "s% -L$path % %g"` + # dependency_libs=`$ECHO "$dependency_libs " | $SED "s% -L$path % %g"` + #done + + if test -n "$xrpath"; then + # If the user specified any rpath flags, then add them. 
+ temp_xrpath= + for libdir in $xrpath; do + func_replace_sysroot "$libdir" + func_append temp_xrpath " -R$func_replace_sysroot_result" + case "$finalize_rpath " in + *" $libdir "*) ;; + *) func_append finalize_rpath " $libdir" ;; + esac + done + if test "$hardcode_into_libs" != yes || test "$build_old_libs" = yes; then + dependency_libs="$temp_xrpath $dependency_libs" + fi + fi + + # Make sure dlfiles contains only unique files that won't be dlpreopened + old_dlfiles="$dlfiles" + dlfiles= + for lib in $old_dlfiles; do + case " $dlprefiles $dlfiles " in + *" $lib "*) ;; + *) func_append dlfiles " $lib" ;; + esac + done + + # Make sure dlprefiles contains only unique files + old_dlprefiles="$dlprefiles" + dlprefiles= + for lib in $old_dlprefiles; do + case "$dlprefiles " in + *" $lib "*) ;; + *) func_append dlprefiles " $lib" ;; + esac + done + + if test "$build_libtool_libs" = yes; then + if test -n "$rpath"; then + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-*-beos* | *-cegcc* | *-*-haiku*) + # these systems don't actually have a c library (as such)! + ;; + *-*-rhapsody* | *-*-darwin1.[012]) + # Rhapsody C library is in the System framework + func_append deplibs " System.ltframework" + ;; + *-*-netbsd*) + # Don't link with libc until the a.out ld.so is fixed. + ;; + *-*-openbsd* | *-*-freebsd* | *-*-dragonfly*) + # Do not include libc due to us having libc/libc_r. + ;; + *-*-sco3.2v5* | *-*-sco5v6*) + # Causes problems with __ctype + ;; + *-*-sysv4.2uw2* | *-*-sysv5* | *-*-unixware* | *-*-OpenUNIX*) + # Compiler inserts libc in the correct place for threads to work + ;; + *) + # Add libc to deplibs on all other systems if necessary. + if test "$build_libtool_need_lc" = "yes"; then + func_append deplibs " -lc" + fi + ;; + esac + fi + + # Transform deplibs into only deplibs that can be linked in shared. 
+ name_save=$name + libname_save=$libname + release_save=$release + versuffix_save=$versuffix + major_save=$major + # I'm not sure if I'm treating the release correctly. I think + # release should show up in the -l (ie -lgmp5) so we don't want to + # add it in twice. Is that correct? + release="" + versuffix="" + major="" + newdeplibs= + droppeddeps=no + case $deplibs_check_method in + pass_all) + # Don't check for shared/static. Everything works. + # This might be a little naive. We might want to check + # whether the library exists or not. But this is on + # osf3 & osf4 and I'm not really sure... Just + # implementing what was already the behavior. + newdeplibs=$deplibs + ;; + test_compile) + # This code stresses the "libraries are programs" paradigm to its + # limits. Maybe even breaks it. We compile a program, linking it + # against the deplibs as a proxy for the library. Then we can check + # whether they linked in statically or dynamically with ldd. + $opt_dry_run || $RM conftest.c + cat > conftest.c </dev/null` + $nocaseglob + else + potential_libs=`ls $i/$libnameglob[.-]* 2>/dev/null` + fi + for potent_lib in $potential_libs; do + # Follow soft links. + if ls -lLd "$potent_lib" 2>/dev/null | + $GREP " -> " >/dev/null; then + continue + fi + # The statement above tries to avoid entering an + # endless loop below, in case of cyclic links. + # We might still enter an endless loop, since a link + # loop can be closed while we follow links, + # but so what? 
+ potlib="$potent_lib" + while test -h "$potlib" 2>/dev/null; do + potliblink=`ls -ld $potlib | ${SED} 's/.* -> //'` + case $potliblink in + [\\/]* | [A-Za-z]:[\\/]*) potlib="$potliblink";; + *) potlib=`$ECHO "$potlib" | $SED 's,[^/]*$,,'`"$potliblink";; + esac + done + if eval $file_magic_cmd \"\$potlib\" 2>/dev/null | + $SED -e 10q | + $EGREP "$file_magic_regex" > /dev/null; then + func_append newdeplibs " $a_deplib" + a_deplib="" + break 2 + fi + done + done + fi + if test -n "$a_deplib" ; then + droppeddeps=yes + echo + $ECHO "*** Warning: linker path does not have real file for library $a_deplib." + echo "*** I have the capability to make that library automatically link in when" + echo "*** you link to this library. But I can only do this if you have a" + echo "*** shared version of the library, which you do not appear to have" + echo "*** because I did check the linker path looking for a file starting" + if test -z "$potlib" ; then + $ECHO "*** with $libname but no candidates were found. (...for file magic test)" + else + $ECHO "*** with $libname and none of the candidates passed a file format test" + $ECHO "*** using a file magic. Last file checked: $potlib" + fi + fi + ;; + *) + # Add a -L argument. + func_append newdeplibs " $a_deplib" + ;; + esac + done # Gone through all deplibs. 
+ ;; + match_pattern*) + set dummy $deplibs_check_method; shift + match_pattern_regex=`expr "$deplibs_check_method" : "$1 \(.*\)"` + for a_deplib in $deplibs; do + case $a_deplib in + -l*) + func_stripname -l '' "$a_deplib" + name=$func_stripname_result + if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then + case " $predeps $postdeps " in + *" $a_deplib "*) + func_append newdeplibs " $a_deplib" + a_deplib="" + ;; + esac + fi + if test -n "$a_deplib" ; then + libname=`eval "\\$ECHO \"$libname_spec\""` + for i in $lib_search_path $sys_lib_search_path $shlib_search_path; do + potential_libs=`ls $i/$libname[.-]* 2>/dev/null` + for potent_lib in $potential_libs; do + potlib="$potent_lib" # see symlink-check above in file_magic test + if eval "\$ECHO \"$potent_lib\"" 2>/dev/null | $SED 10q | \ + $EGREP "$match_pattern_regex" > /dev/null; then + func_append newdeplibs " $a_deplib" + a_deplib="" + break 2 + fi + done + done + fi + if test -n "$a_deplib" ; then + droppeddeps=yes + echo + $ECHO "*** Warning: linker path does not have real file for library $a_deplib." + echo "*** I have the capability to make that library automatically link in when" + echo "*** you link to this library. But I can only do this if you have a" + echo "*** shared version of the library, which you do not appear to have" + echo "*** because I did check the linker path looking for a file starting" + if test -z "$potlib" ; then + $ECHO "*** with $libname but no candidates were found. (...for regex pattern test)" + else + $ECHO "*** with $libname and none of the candidates passed a file format test" + $ECHO "*** using a regex pattern. Last file checked: $potlib" + fi + fi + ;; + *) + # Add a -L argument. + func_append newdeplibs " $a_deplib" + ;; + esac + done # Gone through all deplibs. 
+ ;; + none | unknown | *) + newdeplibs="" + tmp_deplibs=`$ECHO " $deplibs" | $SED 's/ -lc$//; s/ -[LR][^ ]*//g'` + if test "X$allow_libtool_libs_with_static_runtimes" = "Xyes" ; then + for i in $predeps $postdeps ; do + # can't use Xsed below, because $i might contain '/' + tmp_deplibs=`$ECHO " $tmp_deplibs" | $SED "s,$i,,"` + done + fi + case $tmp_deplibs in + *[!\ \ ]*) + echo + if test "X$deplibs_check_method" = "Xnone"; then + echo "*** Warning: inter-library dependencies are not supported in this platform." + else + echo "*** Warning: inter-library dependencies are not known to be supported." + fi + echo "*** All declared inter-library dependencies are being dropped." + droppeddeps=yes + ;; + esac + ;; + esac + versuffix=$versuffix_save + major=$major_save + release=$release_save + libname=$libname_save + name=$name_save + + case $host in + *-*-rhapsody* | *-*-darwin1.[012]) + # On Rhapsody replace the C library with the System framework + newdeplibs=`$ECHO " $newdeplibs" | $SED 's/ -lc / System.ltframework /'` + ;; + esac + + if test "$droppeddeps" = yes; then + if test "$module" = yes; then + echo + echo "*** Warning: libtool could not satisfy all declared inter-library" + $ECHO "*** dependencies of module $libname. Therefore, libtool will create" + echo "*** a static module, that should work as long as the dlopening" + echo "*** application is linked with the -dlopen flag." + if test -z "$global_symbol_pipe"; then + echo + echo "*** However, this would only work if libtool was able to extract symbol" + echo "*** lists from a program, using \`nm' or equivalent, but libtool could" + echo "*** not find such a program. So, this module is probably useless." + echo "*** \`nm' from GNU binutils and a full rebuild may help." 
+ fi + if test "$build_old_libs" = no; then + oldlibs="$output_objdir/$libname.$libext" + build_libtool_libs=module + build_old_libs=yes + else + build_libtool_libs=no + fi + else + echo "*** The inter-library dependencies that have been dropped here will be" + echo "*** automatically added whenever a program is linked with this library" + echo "*** or is declared to -dlopen it." + + if test "$allow_undefined" = no; then + echo + echo "*** Since this library must not contain undefined symbols," + echo "*** because either the platform does not support them or" + echo "*** it was explicitly requested with -no-undefined," + echo "*** libtool will only create a static version of it." + if test "$build_old_libs" = no; then + oldlibs="$output_objdir/$libname.$libext" + build_libtool_libs=module + build_old_libs=yes + else + build_libtool_libs=no + fi + fi + fi + fi + # Done checking deplibs! + deplibs=$newdeplibs + fi + # Time to change all our "foo.ltframework" stuff back to "-framework foo" + case $host in + *-*-darwin*) + newdeplibs=`$ECHO " $newdeplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + new_inherited_linker_flags=`$ECHO " $new_inherited_linker_flags" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + deplibs=`$ECHO " $deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + ;; + esac + + # move library search paths that coincide with paths to not yet + # installed libraries to the beginning of the library search list + new_libs= + for path in $notinst_path; do + case " $new_libs " in + *" -L$path/$objdir "*) ;; + *) + case " $deplibs " in + *" -L$path/$objdir "*) + func_append new_libs " -L$path/$objdir" ;; + esac + ;; + esac + done + for deplib in $deplibs; do + case $deplib in + -L*) + case " $new_libs " in + *" $deplib "*) ;; + *) func_append new_libs " $deplib" ;; + esac + ;; + *) func_append new_libs " $deplib" ;; + esac + done + deplibs="$new_libs" + + # All the library-specific variables (install_libdir is set above). 
+ library_names= + old_library= + dlname= + + # Test again, we may have decided not to build it any more + if test "$build_libtool_libs" = yes; then + # Remove ${wl} instances when linking with ld. + # FIXME: should test the right _cmds variable. + case $archive_cmds in + *\$LD\ *) wl= ;; + esac + if test "$hardcode_into_libs" = yes; then + # Hardcode the library paths + hardcode_libdirs= + dep_rpath= + rpath="$finalize_rpath" + test "$opt_mode" != relink && rpath="$compile_rpath$rpath" + for libdir in $rpath; do + if test -n "$hardcode_libdir_flag_spec"; then + if test -n "$hardcode_libdir_separator"; then + func_replace_sysroot "$libdir" + libdir=$func_replace_sysroot_result + if test -z "$hardcode_libdirs"; then + hardcode_libdirs="$libdir" + else + # Just accumulate the unique libdirs. + case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in + *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) + ;; + *) + func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" + ;; + esac + fi + else + eval flag=\"$hardcode_libdir_flag_spec\" + func_append dep_rpath " $flag" + fi + elif test -n "$runpath_var"; then + case "$perm_rpath " in + *" $libdir "*) ;; + *) func_append perm_rpath " $libdir" ;; + esac + fi + done + # Substitute the hardcoded libdirs into the rpath. + if test -n "$hardcode_libdir_separator" && + test -n "$hardcode_libdirs"; then + libdir="$hardcode_libdirs" + eval "dep_rpath=\"$hardcode_libdir_flag_spec\"" + fi + if test -n "$runpath_var" && test -n "$perm_rpath"; then + # We should set the runpath_var. 
+ rpath= + for dir in $perm_rpath; do + func_append rpath "$dir:" + done + eval "$runpath_var='$rpath\$$runpath_var'; export $runpath_var" + fi + test -n "$dep_rpath" && deplibs="$dep_rpath $deplibs" + fi + + shlibpath="$finalize_shlibpath" + test "$opt_mode" != relink && shlibpath="$compile_shlibpath$shlibpath" + if test -n "$shlibpath"; then + eval "$shlibpath_var='$shlibpath\$$shlibpath_var'; export $shlibpath_var" + fi + + # Get the real and link names of the library. + eval shared_ext=\"$shrext_cmds\" + eval library_names=\"$library_names_spec\" + set dummy $library_names + shift + realname="$1" + shift + + if test -n "$soname_spec"; then + eval soname=\"$soname_spec\" + else + soname="$realname" + fi + if test -z "$dlname"; then + dlname=$soname + fi + + lib="$output_objdir/$realname" + linknames= + for link + do + func_append linknames " $link" + done + + # Use standard objects if they are pic + test -z "$pic_flag" && libobjs=`$ECHO "$libobjs" | $SP2NL | $SED "$lo2o" | $NL2SP` + test "X$libobjs" = "X " && libobjs= + + delfiles= + if test -n "$export_symbols" && test -n "$include_expsyms"; then + $opt_dry_run || cp "$export_symbols" "$output_objdir/$libname.uexp" + export_symbols="$output_objdir/$libname.uexp" + func_append delfiles " $export_symbols" + fi + + orig_export_symbols= + case $host_os in + cygwin* | mingw* | cegcc*) + if test -n "$export_symbols" && test -z "$export_symbols_regex"; then + # exporting using user supplied symfile + if test "x`$SED 1q $export_symbols`" != xEXPORTS; then + # and it's NOT already a .def file. Must figure out + # which of the given symbols are data symbols and tag + # them as such. So, trigger use of export_symbols_cmds. + # export_symbols gets reassigned inside the "prepare + # the list of exported symbols" if statement, so the + # include_expsyms logic still works. 
+ orig_export_symbols="$export_symbols" + export_symbols= + always_export_symbols=yes + fi + fi + ;; + esac + + # Prepare the list of exported symbols + if test -z "$export_symbols"; then + if test "$always_export_symbols" = yes || test -n "$export_symbols_regex"; then + func_verbose "generating symbol list for \`$libname.la'" + export_symbols="$output_objdir/$libname.exp" + $opt_dry_run || $RM $export_symbols + cmds=$export_symbols_cmds + save_ifs="$IFS"; IFS='~' + for cmd1 in $cmds; do + IFS="$save_ifs" + # Take the normal branch if the nm_file_list_spec branch + # doesn't work or if tool conversion is not needed. + case $nm_file_list_spec~$to_tool_file_cmd in + *~func_convert_file_noop | *~func_convert_file_msys_to_w32 | ~*) + try_normal_branch=yes + eval cmd=\"$cmd1\" + func_len " $cmd" + len=$func_len_result + ;; + *) + try_normal_branch=no + ;; + esac + if test "$try_normal_branch" = yes \ + && { test "$len" -lt "$max_cmd_len" \ + || test "$max_cmd_len" -le -1; } + then + func_show_eval "$cmd" 'exit $?' + skipped_export=false + elif test -n "$nm_file_list_spec"; then + func_basename "$output" + output_la=$func_basename_result + save_libobjs=$libobjs + save_output=$output + output=${output_objdir}/${output_la}.nm + func_to_tool_file "$output" + libobjs=$nm_file_list_spec$func_to_tool_file_result + func_append delfiles " $output" + func_verbose "creating $NM input file list: $output" + for obj in $save_libobjs; do + func_to_tool_file "$obj" + $ECHO "$func_to_tool_file_result" + done > "$output" + eval cmd=\"$cmd1\" + func_show_eval "$cmd" 'exit $?' + output=$save_output + libobjs=$save_libobjs + skipped_export=false + else + # The command line is too long to execute in one step. + func_verbose "using reloadable object file for export list..." + skipped_export=: + # Break out early, otherwise skipped_export may be + # set to false by a later but shorter cmd. 
+ break + fi + done + IFS="$save_ifs" + if test -n "$export_symbols_regex" && test "X$skipped_export" != "X:"; then + func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"' + func_show_eval '$MV "${export_symbols}T" "$export_symbols"' + fi + fi + fi + + if test -n "$export_symbols" && test -n "$include_expsyms"; then + tmp_export_symbols="$export_symbols" + test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols" + $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"' + fi + + if test "X$skipped_export" != "X:" && test -n "$orig_export_symbols"; then + # The given exports_symbols file has to be filtered, so filter it. + func_verbose "filter symbol list for \`$libname.la' to tag DATA exports" + # FIXME: $output_objdir/$libname.filter potentially contains lots of + # 's' commands which not all seds can handle. GNU sed should be fine + # though. Also, the filter scales superlinearly with the number of + # global variables. join(1) would be nice here, but unfortunately + # isn't a blessed tool. + $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter + func_append delfiles " $export_symbols $output_objdir/$libname.filter" + export_symbols=$output_objdir/$libname.def + $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols + fi + + tmp_deplibs= + for test_deplib in $deplibs; do + case " $convenience " in + *" $test_deplib "*) ;; + *) + func_append tmp_deplibs " $test_deplib" + ;; + esac + done + deplibs="$tmp_deplibs" + + if test -n "$convenience"; then + if test -n "$whole_archive_flag_spec" && + test "$compiler_needs_object" = yes && + test -z "$libobjs"; then + # extract the archives, so we have objects to list. + # TODO: could optimize this to just extract one archive. 
+ whole_archive_flag_spec= + fi + if test -n "$whole_archive_flag_spec"; then + save_libobjs=$libobjs + eval libobjs=\"\$libobjs $whole_archive_flag_spec\" + test "X$libobjs" = "X " && libobjs= + else + gentop="$output_objdir/${outputname}x" + func_append generated " $gentop" + + func_extract_archives $gentop $convenience + func_append libobjs " $func_extract_archives_result" + test "X$libobjs" = "X " && libobjs= + fi + fi + + if test "$thread_safe" = yes && test -n "$thread_safe_flag_spec"; then + eval flag=\"$thread_safe_flag_spec\" + func_append linker_flags " $flag" + fi + + # Make a backup of the uninstalled library when relinking + if test "$opt_mode" = relink; then + $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}U && $MV $realname ${realname}U)' || exit $? + fi + + # Do each of the archive commands. + if test "$module" = yes && test -n "$module_cmds" ; then + if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then + eval test_cmds=\"$module_expsym_cmds\" + cmds=$module_expsym_cmds + else + eval test_cmds=\"$module_cmds\" + cmds=$module_cmds + fi + else + if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then + eval test_cmds=\"$archive_expsym_cmds\" + cmds=$archive_expsym_cmds + else + eval test_cmds=\"$archive_cmds\" + cmds=$archive_cmds + fi + fi + + if test "X$skipped_export" != "X:" && + func_len " $test_cmds" && + len=$func_len_result && + test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then + : + else + # The command line is too long to link in one step, link piecewise + # or, if using GNU ld and skipped_export is not :, use a linker + # script. + + # Save the value of $output and $libobjs because we want to + # use them later. If we have whole_archive_flag_spec, we + # want to use save_libobjs as it was before + # whole_archive_flag_spec was expanded, because we can't + # assume the linker understands whole_archive_flag_spec. 
+ # This may have to be revisited, in case too many + # convenience libraries get linked in and end up exceeding + # the spec. + if test -z "$convenience" || test -z "$whole_archive_flag_spec"; then + save_libobjs=$libobjs + fi + save_output=$output + func_basename "$output" + output_la=$func_basename_result + + # Clear the reloadable object creation command queue and + # initialize k to one. + test_cmds= + concat_cmds= + objlist= + last_robj= + k=1 + + if test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "$with_gnu_ld" = yes; then + output=${output_objdir}/${output_la}.lnkscript + func_verbose "creating GNU ld script: $output" + echo 'INPUT (' > $output + for obj in $save_libobjs + do + func_to_tool_file "$obj" + $ECHO "$func_to_tool_file_result" >> $output + done + echo ')' >> $output + func_append delfiles " $output" + func_to_tool_file "$output" + output=$func_to_tool_file_result + elif test -n "$save_libobjs" && test "X$skipped_export" != "X:" && test "X$file_list_spec" != X; then + output=${output_objdir}/${output_la}.lnk + func_verbose "creating linker input file list: $output" + : > $output + set x $save_libobjs + shift + firstobj= + if test "$compiler_needs_object" = yes; then + firstobj="$1 " + shift + fi + for obj + do + func_to_tool_file "$obj" + $ECHO "$func_to_tool_file_result" >> $output + done + func_append delfiles " $output" + func_to_tool_file "$output" + output=$firstobj\"$file_list_spec$func_to_tool_file_result\" + else + if test -n "$save_libobjs"; then + func_verbose "creating reloadable object files..." + output=$output_objdir/$output_la-${k}.$objext + eval test_cmds=\"$reload_cmds\" + func_len " $test_cmds" + len0=$func_len_result + len=$len0 + + # Loop over the list of objects to be linked. 
+ for obj in $save_libobjs + do + func_len " $obj" + func_arith $len + $func_len_result + len=$func_arith_result + if test "X$objlist" = X || + test "$len" -lt "$max_cmd_len"; then + func_append objlist " $obj" + else + # The command $test_cmds is almost too long, add a + # command to the queue. + if test "$k" -eq 1 ; then + # The first file doesn't have a previous command to add. + reload_objs=$objlist + eval concat_cmds=\"$reload_cmds\" + else + # All subsequent reloadable object files will link in + # the last one created. + reload_objs="$objlist $last_robj" + eval concat_cmds=\"\$concat_cmds~$reload_cmds~\$RM $last_robj\" + fi + last_robj=$output_objdir/$output_la-${k}.$objext + func_arith $k + 1 + k=$func_arith_result + output=$output_objdir/$output_la-${k}.$objext + objlist=" $obj" + func_len " $last_robj" + func_arith $len0 + $func_len_result + len=$func_arith_result + fi + done + # Handle the remaining objects by creating one last + # reloadable object file. All subsequent reloadable object + # files will link in the last one created. + test -z "$concat_cmds" || concat_cmds=$concat_cmds~ + reload_objs="$objlist $last_robj" + eval concat_cmds=\"\${concat_cmds}$reload_cmds\" + if test -n "$last_robj"; then + eval concat_cmds=\"\${concat_cmds}~\$RM $last_robj\" + fi + func_append delfiles " $output" + + else + output= + fi + + if ${skipped_export-false}; then + func_verbose "generating symbol list for \`$libname.la'" + export_symbols="$output_objdir/$libname.exp" + $opt_dry_run || $RM $export_symbols + libobjs=$output + # Append the command to create the export file. + test -z "$concat_cmds" || concat_cmds=$concat_cmds~ + eval concat_cmds=\"\$concat_cmds$export_symbols_cmds\" + if test -n "$last_robj"; then + eval concat_cmds=\"\$concat_cmds~\$RM $last_robj\" + fi + fi + + test -n "$save_libobjs" && + func_verbose "creating a temporary reloadable object file: $output" + + # Loop through the commands generated above and execute them. 
+ save_ifs="$IFS"; IFS='~' + for cmd in $concat_cmds; do + IFS="$save_ifs" + $opt_silent || { + func_quote_for_expand "$cmd" + eval "func_echo $func_quote_for_expand_result" + } + $opt_dry_run || eval "$cmd" || { + lt_exit=$? + + # Restore the uninstalled library and exit + if test "$opt_mode" = relink; then + ( cd "$output_objdir" && \ + $RM "${realname}T" && \ + $MV "${realname}U" "$realname" ) + fi + + exit $lt_exit + } + done + IFS="$save_ifs" + + if test -n "$export_symbols_regex" && ${skipped_export-false}; then + func_show_eval '$EGREP -e "$export_symbols_regex" "$export_symbols" > "${export_symbols}T"' + func_show_eval '$MV "${export_symbols}T" "$export_symbols"' + fi + fi + + if ${skipped_export-false}; then + if test -n "$export_symbols" && test -n "$include_expsyms"; then + tmp_export_symbols="$export_symbols" + test -n "$orig_export_symbols" && tmp_export_symbols="$orig_export_symbols" + $opt_dry_run || eval '$ECHO "$include_expsyms" | $SP2NL >> "$tmp_export_symbols"' + fi + + if test -n "$orig_export_symbols"; then + # The given exports_symbols file has to be filtered, so filter it. + func_verbose "filter symbol list for \`$libname.la' to tag DATA exports" + # FIXME: $output_objdir/$libname.filter potentially contains lots of + # 's' commands which not all seds can handle. GNU sed should be fine + # though. Also, the filter scales superlinearly with the number of + # global variables. join(1) would be nice here, but unfortunately + # isn't a blessed tool. + $opt_dry_run || $SED -e '/[ ,]DATA/!d;s,\(.*\)\([ \,].*\),s|^\1$|\1\2|,' < $export_symbols > $output_objdir/$libname.filter + func_append delfiles " $export_symbols $output_objdir/$libname.filter" + export_symbols=$output_objdir/$libname.def + $opt_dry_run || $SED -f $output_objdir/$libname.filter < $orig_export_symbols > $export_symbols + fi + fi + + libobjs=$output + # Restore the value of output. 
+ output=$save_output + + if test -n "$convenience" && test -n "$whole_archive_flag_spec"; then + eval libobjs=\"\$libobjs $whole_archive_flag_spec\" + test "X$libobjs" = "X " && libobjs= + fi + # Expand the library linking commands again to reset the + # value of $libobjs for piecewise linking. + + # Do each of the archive commands. + if test "$module" = yes && test -n "$module_cmds" ; then + if test -n "$export_symbols" && test -n "$module_expsym_cmds"; then + cmds=$module_expsym_cmds + else + cmds=$module_cmds + fi + else + if test -n "$export_symbols" && test -n "$archive_expsym_cmds"; then + cmds=$archive_expsym_cmds + else + cmds=$archive_cmds + fi + fi + fi + + if test -n "$delfiles"; then + # Append the command to remove temporary files to $cmds. + eval cmds=\"\$cmds~\$RM $delfiles\" + fi + + # Add any objects from preloaded convenience libraries + if test -n "$dlprefiles"; then + gentop="$output_objdir/${outputname}x" + func_append generated " $gentop" + + func_extract_archives $gentop $dlprefiles + func_append libobjs " $func_extract_archives_result" + test "X$libobjs" = "X " && libobjs= + fi + + save_ifs="$IFS"; IFS='~' + for cmd in $cmds; do + IFS="$save_ifs" + eval cmd=\"$cmd\" + $opt_silent || { + func_quote_for_expand "$cmd" + eval "func_echo $func_quote_for_expand_result" + } + $opt_dry_run || eval "$cmd" || { + lt_exit=$? + + # Restore the uninstalled library and exit + if test "$opt_mode" = relink; then + ( cd "$output_objdir" && \ + $RM "${realname}T" && \ + $MV "${realname}U" "$realname" ) + fi + + exit $lt_exit + } + done + IFS="$save_ifs" + + # Restore the uninstalled library and exit + if test "$opt_mode" = relink; then + $opt_dry_run || eval '(cd $output_objdir && $RM ${realname}T && $MV $realname ${realname}T && $MV ${realname}U $realname)' || exit $? 
+ + if test -n "$convenience"; then + if test -z "$whole_archive_flag_spec"; then + func_show_eval '${RM}r "$gentop"' + fi + fi + + exit $EXIT_SUCCESS + fi + + # Create links to the real library. + for linkname in $linknames; do + if test "$realname" != "$linkname"; then + func_show_eval '(cd "$output_objdir" && $RM "$linkname" && $LN_S "$realname" "$linkname")' 'exit $?' + fi + done + + # If -module or -export-dynamic was specified, set the dlname. + if test "$module" = yes || test "$export_dynamic" = yes; then + # On all known operating systems, these are identical. + dlname="$soname" + fi + fi + ;; + + obj) + if test -n "$dlfiles$dlprefiles" || test "$dlself" != no; then + func_warning "\`-dlopen' is ignored for objects" + fi + + case " $deplibs" in + *\ -l* | *\ -L*) + func_warning "\`-l' and \`-L' are ignored for objects" ;; + esac + + test -n "$rpath" && \ + func_warning "\`-rpath' is ignored for objects" + + test -n "$xrpath" && \ + func_warning "\`-R' is ignored for objects" + + test -n "$vinfo" && \ + func_warning "\`-version-info' is ignored for objects" + + test -n "$release" && \ + func_warning "\`-release' is ignored for objects" + + case $output in + *.lo) + test -n "$objs$old_deplibs" && \ + func_fatal_error "cannot build library object \`$output' from non-libtool objects" + + libobj=$output + func_lo2o "$libobj" + obj=$func_lo2o_result + ;; + *) + libobj= + obj="$output" + ;; + esac + + # Delete the old objects. + $opt_dry_run || $RM $obj $libobj + + # Objects from convenience libraries. This assumes + # single-version convenience libraries. Whenever we create + # different ones for PIC/non-PIC, this we'll have to duplicate + # the extraction. + reload_conv_objs= + gentop= + # reload_cmds runs $LD directly, so let us get rid of + # -Wl from whole_archive_flag_spec and hope we can get by with + # turning comma into space.. 
+ wl= + + if test -n "$convenience"; then + if test -n "$whole_archive_flag_spec"; then + eval tmp_whole_archive_flags=\"$whole_archive_flag_spec\" + reload_conv_objs=$reload_objs\ `$ECHO "$tmp_whole_archive_flags" | $SED 's|,| |g'` + else + gentop="$output_objdir/${obj}x" + func_append generated " $gentop" + + func_extract_archives $gentop $convenience + reload_conv_objs="$reload_objs $func_extract_archives_result" + fi + fi + + # If we're not building shared, we need to use non_pic_objs + test "$build_libtool_libs" != yes && libobjs="$non_pic_objects" + + # Create the old-style object. + reload_objs="$objs$old_deplibs "`$ECHO "$libobjs" | $SP2NL | $SED "/\.${libext}$/d; /\.lib$/d; $lo2o" | $NL2SP`" $reload_conv_objs" ### testsuite: skip nested quoting test + + output="$obj" + func_execute_cmds "$reload_cmds" 'exit $?' + + # Exit if we aren't doing a library object file. + if test -z "$libobj"; then + if test -n "$gentop"; then + func_show_eval '${RM}r "$gentop"' + fi + + exit $EXIT_SUCCESS + fi + + if test "$build_libtool_libs" != yes; then + if test -n "$gentop"; then + func_show_eval '${RM}r "$gentop"' + fi + + # Create an invalid libtool object if no PIC, so that we don't + # accidentally link it into a program. + # $show "echo timestamp > $libobj" + # $opt_dry_run || eval "echo timestamp > $libobj" || exit $? + exit $EXIT_SUCCESS + fi + + if test -n "$pic_flag" || test "$pic_mode" != default; then + # Only do commands if we really have different PIC objects. + reload_objs="$libobjs $reload_conv_objs" + output="$libobj" + func_execute_cmds "$reload_cmds" 'exit $?' 
+ fi + + if test -n "$gentop"; then + func_show_eval '${RM}r "$gentop"' + fi + + exit $EXIT_SUCCESS + ;; + + prog) + case $host in + *cygwin*) func_stripname '' '.exe' "$output" + output=$func_stripname_result.exe;; + esac + test -n "$vinfo" && \ + func_warning "\`-version-info' is ignored for programs" + + test -n "$release" && \ + func_warning "\`-release' is ignored for programs" + + test "$preload" = yes \ + && test "$dlopen_support" = unknown \ + && test "$dlopen_self" = unknown \ + && test "$dlopen_self_static" = unknown && \ + func_warning "\`LT_INIT([dlopen])' not used. Assuming no dlopen support." + + case $host in + *-*-rhapsody* | *-*-darwin1.[012]) + # On Rhapsody replace the C library is the System framework + compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's/ -lc / System.ltframework /'` + finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's/ -lc / System.ltframework /'` + ;; + esac + + case $host in + *-*-darwin*) + # Don't allow lazy linking, it breaks C++ global constructors + # But is supposedly fixed on 10.4 or later (yay!). 
+ if test "$tagname" = CXX ; then + case ${MACOSX_DEPLOYMENT_TARGET-10.0} in + 10.[0123]) + func_append compile_command " ${wl}-bind_at_load" + func_append finalize_command " ${wl}-bind_at_load" + ;; + esac + fi + # Time to change all our "foo.ltframework" stuff back to "-framework foo" + compile_deplibs=`$ECHO " $compile_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + finalize_deplibs=`$ECHO " $finalize_deplibs" | $SED 's% \([^ $]*\).ltframework% -framework \1%g'` + ;; + esac + + + # move library search paths that coincide with paths to not yet + # installed libraries to the beginning of the library search list + new_libs= + for path in $notinst_path; do + case " $new_libs " in + *" -L$path/$objdir "*) ;; + *) + case " $compile_deplibs " in + *" -L$path/$objdir "*) + func_append new_libs " -L$path/$objdir" ;; + esac + ;; + esac + done + for deplib in $compile_deplibs; do + case $deplib in + -L*) + case " $new_libs " in + *" $deplib "*) ;; + *) func_append new_libs " $deplib" ;; + esac + ;; + *) func_append new_libs " $deplib" ;; + esac + done + compile_deplibs="$new_libs" + + + func_append compile_command " $compile_deplibs" + func_append finalize_command " $finalize_deplibs" + + if test -n "$rpath$xrpath"; then + # If the user specified any rpath flags, then add them. + for libdir in $rpath $xrpath; do + # This is the magic to use -rpath. + case "$finalize_rpath " in + *" $libdir "*) ;; + *) func_append finalize_rpath " $libdir" ;; + esac + done + fi + + # Now hardcode the library paths + rpath= + hardcode_libdirs= + for libdir in $compile_rpath $finalize_rpath; do + if test -n "$hardcode_libdir_flag_spec"; then + if test -n "$hardcode_libdir_separator"; then + if test -z "$hardcode_libdirs"; then + hardcode_libdirs="$libdir" + else + # Just accumulate the unique libdirs. 
+ case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in + *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) + ;; + *) + func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" + ;; + esac + fi + else + eval flag=\"$hardcode_libdir_flag_spec\" + func_append rpath " $flag" + fi + elif test -n "$runpath_var"; then + case "$perm_rpath " in + *" $libdir "*) ;; + *) func_append perm_rpath " $libdir" ;; + esac + fi + case $host in + *-*-cygwin* | *-*-mingw* | *-*-pw32* | *-*-os2* | *-cegcc*) + testbindir=`${ECHO} "$libdir" | ${SED} -e 's*/lib$*/bin*'` + case :$dllsearchpath: in + *":$libdir:"*) ;; + ::) dllsearchpath=$libdir;; + *) func_append dllsearchpath ":$libdir";; + esac + case :$dllsearchpath: in + *":$testbindir:"*) ;; + ::) dllsearchpath=$testbindir;; + *) func_append dllsearchpath ":$testbindir";; + esac + ;; + esac + done + # Substitute the hardcoded libdirs into the rpath. + if test -n "$hardcode_libdir_separator" && + test -n "$hardcode_libdirs"; then + libdir="$hardcode_libdirs" + eval rpath=\" $hardcode_libdir_flag_spec\" + fi + compile_rpath="$rpath" + + rpath= + hardcode_libdirs= + for libdir in $finalize_rpath; do + if test -n "$hardcode_libdir_flag_spec"; then + if test -n "$hardcode_libdir_separator"; then + if test -z "$hardcode_libdirs"; then + hardcode_libdirs="$libdir" + else + # Just accumulate the unique libdirs. + case $hardcode_libdir_separator$hardcode_libdirs$hardcode_libdir_separator in + *"$hardcode_libdir_separator$libdir$hardcode_libdir_separator"*) + ;; + *) + func_append hardcode_libdirs "$hardcode_libdir_separator$libdir" + ;; + esac + fi + else + eval flag=\"$hardcode_libdir_flag_spec\" + func_append rpath " $flag" + fi + elif test -n "$runpath_var"; then + case "$finalize_perm_rpath " in + *" $libdir "*) ;; + *) func_append finalize_perm_rpath " $libdir" ;; + esac + fi + done + # Substitute the hardcoded libdirs into the rpath. 
+ if test -n "$hardcode_libdir_separator" && + test -n "$hardcode_libdirs"; then + libdir="$hardcode_libdirs" + eval rpath=\" $hardcode_libdir_flag_spec\" + fi + finalize_rpath="$rpath" + + if test -n "$libobjs" && test "$build_old_libs" = yes; then + # Transform all the library objects into standard objects. + compile_command=`$ECHO "$compile_command" | $SP2NL | $SED "$lo2o" | $NL2SP` + finalize_command=`$ECHO "$finalize_command" | $SP2NL | $SED "$lo2o" | $NL2SP` + fi + + func_generate_dlsyms "$outputname" "@PROGRAM@" "no" + + # template prelinking step + if test -n "$prelink_cmds"; then + func_execute_cmds "$prelink_cmds" 'exit $?' + fi + + wrappers_required=yes + case $host in + *cegcc* | *mingw32ce*) + # Disable wrappers for cegcc and mingw32ce hosts, we are cross compiling anyway. + wrappers_required=no + ;; + *cygwin* | *mingw* ) + if test "$build_libtool_libs" != yes; then + wrappers_required=no + fi + ;; + *) + if test "$need_relink" = no || test "$build_libtool_libs" != yes; then + wrappers_required=no + fi + ;; + esac + if test "$wrappers_required" = no; then + # Replace the output file specification. + compile_command=`$ECHO "$compile_command" | $SED 's%@OUTPUT@%'"$output"'%g'` + link_command="$compile_command$compile_rpath" + + # We have no uninstalled library dependencies, so finalize right now. + exit_status=0 + func_show_eval "$link_command" 'exit_status=$?' + + if test -n "$postlink_cmds"; then + func_to_tool_file "$output" + postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` + func_execute_cmds "$postlink_cmds" 'exit $?' + fi + + # Delete the generated files. 
+ if test -f "$output_objdir/${outputname}S.${objext}"; then + func_show_eval '$RM "$output_objdir/${outputname}S.${objext}"' + fi + + exit $exit_status + fi + + if test -n "$compile_shlibpath$finalize_shlibpath"; then + compile_command="$shlibpath_var=\"$compile_shlibpath$finalize_shlibpath\$$shlibpath_var\" $compile_command" + fi + if test -n "$finalize_shlibpath"; then + finalize_command="$shlibpath_var=\"$finalize_shlibpath\$$shlibpath_var\" $finalize_command" + fi + + compile_var= + finalize_var= + if test -n "$runpath_var"; then + if test -n "$perm_rpath"; then + # We should set the runpath_var. + rpath= + for dir in $perm_rpath; do + func_append rpath "$dir:" + done + compile_var="$runpath_var=\"$rpath\$$runpath_var\" " + fi + if test -n "$finalize_perm_rpath"; then + # We should set the runpath_var. + rpath= + for dir in $finalize_perm_rpath; do + func_append rpath "$dir:" + done + finalize_var="$runpath_var=\"$rpath\$$runpath_var\" " + fi + fi + + if test "$no_install" = yes; then + # We don't need to create a wrapper script. + link_command="$compile_var$compile_command$compile_rpath" + # Replace the output file specification. + link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output"'%g'` + # Delete the old output file. + $opt_dry_run || $RM $output + # Link the executable and exit + func_show_eval "$link_command" 'exit $?' + + if test -n "$postlink_cmds"; then + func_to_tool_file "$output" + postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` + func_execute_cmds "$postlink_cmds" 'exit $?' 
+ fi + + exit $EXIT_SUCCESS + fi + + if test "$hardcode_action" = relink; then + # Fast installation is not supported + link_command="$compile_var$compile_command$compile_rpath" + relink_command="$finalize_var$finalize_command$finalize_rpath" + + func_warning "this platform does not like uninstalled shared libraries" + func_warning "\`$output' will be relinked during installation" + else + if test "$fast_install" != no; then + link_command="$finalize_var$compile_command$finalize_rpath" + if test "$fast_install" = yes; then + relink_command=`$ECHO "$compile_var$compile_command$compile_rpath" | $SED 's%@OUTPUT@%\$progdir/\$file%g'` + else + # fast_install is set to needless + relink_command= + fi + else + link_command="$compile_var$compile_command$compile_rpath" + relink_command="$finalize_var$finalize_command$finalize_rpath" + fi + fi + + # Replace the output file specification. + link_command=`$ECHO "$link_command" | $SED 's%@OUTPUT@%'"$output_objdir/$outputname"'%g'` + + # Delete the old output files. + $opt_dry_run || $RM $output $output_objdir/$outputname $output_objdir/lt-$outputname + + func_show_eval "$link_command" 'exit $?' + + if test -n "$postlink_cmds"; then + func_to_tool_file "$output_objdir/$outputname" + postlink_cmds=`func_echo_all "$postlink_cmds" | $SED -e 's%@OUTPUT@%'"$output_objdir/$outputname"'%g' -e 's%@TOOL_OUTPUT@%'"$func_to_tool_file_result"'%g'` + func_execute_cmds "$postlink_cmds" 'exit $?' + fi + + # Now create the wrapper script. + func_verbose "creating $output" + + # Quote the relink command for shipping. 
+ if test -n "$relink_command"; then + # Preserve any variables that may affect compiler behavior + for var in $variables_saved_for_relink; do + if eval test -z \"\${$var+set}\"; then + relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command" + elif eval var_value=\$$var; test -z "$var_value"; then + relink_command="$var=; export $var; $relink_command" + else + func_quote_for_eval "$var_value" + relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command" + fi + done + relink_command="(cd `pwd`; $relink_command)" + relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"` + fi + + # Only actually do things if not in dry run mode. + $opt_dry_run || { + # win32 will think the script is a binary if it has + # a .exe suffix, so we strip it off here. + case $output in + *.exe) func_stripname '' '.exe' "$output" + output=$func_stripname_result ;; + esac + # test for cygwin because mv fails w/o .exe extensions + case $host in + *cygwin*) + exeext=.exe + func_stripname '' '.exe' "$outputname" + outputname=$func_stripname_result ;; + *) exeext= ;; + esac + case $host in + *cygwin* | *mingw* ) + func_dirname_and_basename "$output" "" "." + output_name=$func_basename_result + output_path=$func_dirname_result + cwrappersource="$output_path/$objdir/lt-$output_name.c" + cwrapper="$output_path/$output_name.exe" + $RM $cwrappersource $cwrapper + trap "$RM $cwrappersource $cwrapper; exit $EXIT_FAILURE" 1 2 15 + + func_emit_cwrapperexe_src > $cwrappersource + + # The wrapper executable is built using the $host compiler, + # because it contains $host paths and files. If cross- + # compiling, it, like the target executable, must be + # executed on the $host or under an emulation environment. 
+ $opt_dry_run || { + $LTCC $LTCFLAGS -o $cwrapper $cwrappersource + $STRIP $cwrapper + } + + # Now, create the wrapper script for func_source use: + func_ltwrapper_scriptname $cwrapper + $RM $func_ltwrapper_scriptname_result + trap "$RM $func_ltwrapper_scriptname_result; exit $EXIT_FAILURE" 1 2 15 + $opt_dry_run || { + # note: this script will not be executed, so do not chmod. + if test "x$build" = "x$host" ; then + $cwrapper --lt-dump-script > $func_ltwrapper_scriptname_result + else + func_emit_wrapper no > $func_ltwrapper_scriptname_result + fi + } + ;; + * ) + $RM $output + trap "$RM $output; exit $EXIT_FAILURE" 1 2 15 + + func_emit_wrapper no > $output + chmod +x $output + ;; + esac + } + exit $EXIT_SUCCESS + ;; + esac + + # See if we need to build an old-fashioned archive. + for oldlib in $oldlibs; do + + if test "$build_libtool_libs" = convenience; then + oldobjs="$libobjs_save $symfileobj" + addlibs="$convenience" + build_libtool_libs=no + else + if test "$build_libtool_libs" = module; then + oldobjs="$libobjs_save" + build_libtool_libs=no + else + oldobjs="$old_deplibs $non_pic_objects" + if test "$preload" = yes && test -f "$symfileobj"; then + func_append oldobjs " $symfileobj" + fi + fi + addlibs="$old_convenience" + fi + + if test -n "$addlibs"; then + gentop="$output_objdir/${outputname}x" + func_append generated " $gentop" + + func_extract_archives $gentop $addlibs + func_append oldobjs " $func_extract_archives_result" + fi + + # Do each command in the archive commands. + if test -n "$old_archive_from_new_cmds" && test "$build_libtool_libs" = yes; then + cmds=$old_archive_from_new_cmds + else + + # Add any objects from preloaded convenience libraries + if test -n "$dlprefiles"; then + gentop="$output_objdir/${outputname}x" + func_append generated " $gentop" + + func_extract_archives $gentop $dlprefiles + func_append oldobjs " $func_extract_archives_result" + fi + + # POSIX demands no paths to be encoded in archives. 
We have + # to avoid creating archives with duplicate basenames if we + # might have to extract them afterwards, e.g., when creating a + # static archive out of a convenience library, or when linking + # the entirety of a libtool archive into another (currently + # not supported by libtool). + if (for obj in $oldobjs + do + func_basename "$obj" + $ECHO "$func_basename_result" + done | sort | sort -uc >/dev/null 2>&1); then + : + else + echo "copying selected object files to avoid basename conflicts..." + gentop="$output_objdir/${outputname}x" + func_append generated " $gentop" + func_mkdir_p "$gentop" + save_oldobjs=$oldobjs + oldobjs= + counter=1 + for obj in $save_oldobjs + do + func_basename "$obj" + objbase="$func_basename_result" + case " $oldobjs " in + " ") oldobjs=$obj ;; + *[\ /]"$objbase "*) + while :; do + # Make sure we don't pick an alternate name that also + # overlaps. + newobj=lt$counter-$objbase + func_arith $counter + 1 + counter=$func_arith_result + case " $oldobjs " in + *[\ /]"$newobj "*) ;; + *) if test ! -f "$gentop/$newobj"; then break; fi ;; + esac + done + func_show_eval "ln $obj $gentop/$newobj || cp $obj $gentop/$newobj" + func_append oldobjs " $gentop/$newobj" + ;; + *) func_append oldobjs " $obj" ;; + esac + done + fi + func_to_tool_file "$oldlib" func_convert_file_msys_to_w32 + tool_oldlib=$func_to_tool_file_result + eval cmds=\"$old_archive_cmds\" + + func_len " $cmds" + len=$func_len_result + if test "$len" -lt "$max_cmd_len" || test "$max_cmd_len" -le -1; then + cmds=$old_archive_cmds + elif test -n "$archiver_list_spec"; then + func_verbose "using command file archive linking..." 
+ for obj in $oldobjs + do + func_to_tool_file "$obj" + $ECHO "$func_to_tool_file_result" + done > $output_objdir/$libname.libcmd + func_to_tool_file "$output_objdir/$libname.libcmd" + oldobjs=" $archiver_list_spec$func_to_tool_file_result" + cmds=$old_archive_cmds + else + # the command line is too long to link in one step, link in parts + func_verbose "using piecewise archive linking..." + save_RANLIB=$RANLIB + RANLIB=: + objlist= + concat_cmds= + save_oldobjs=$oldobjs + oldobjs= + # Is there a better way of finding the last object in the list? + for obj in $save_oldobjs + do + last_oldobj=$obj + done + eval test_cmds=\"$old_archive_cmds\" + func_len " $test_cmds" + len0=$func_len_result + len=$len0 + for obj in $save_oldobjs + do + func_len " $obj" + func_arith $len + $func_len_result + len=$func_arith_result + func_append objlist " $obj" + if test "$len" -lt "$max_cmd_len"; then + : + else + # the above command should be used before it gets too long + oldobjs=$objlist + if test "$obj" = "$last_oldobj" ; then + RANLIB=$save_RANLIB + fi + test -z "$concat_cmds" || concat_cmds=$concat_cmds~ + eval concat_cmds=\"\${concat_cmds}$old_archive_cmds\" + objlist= + len=$len0 + fi + done + RANLIB=$save_RANLIB + oldobjs=$objlist + if test "X$oldobjs" = "X" ; then + eval cmds=\"\$concat_cmds\" + else + eval cmds=\"\$concat_cmds~\$old_archive_cmds\" + fi + fi + fi + func_execute_cmds "$cmds" 'exit $?' + done + + test -n "$generated" && \ + func_show_eval "${RM}r$generated" + + # Now create the libtool archive. 
+ case $output in + *.la) + old_library= + test "$build_old_libs" = yes && old_library="$libname.$libext" + func_verbose "creating $output" + + # Preserve any variables that may affect compiler behavior + for var in $variables_saved_for_relink; do + if eval test -z \"\${$var+set}\"; then + relink_command="{ test -z \"\${$var+set}\" || $lt_unset $var || { $var=; export $var; }; }; $relink_command" + elif eval var_value=\$$var; test -z "$var_value"; then + relink_command="$var=; export $var; $relink_command" + else + func_quote_for_eval "$var_value" + relink_command="$var=$func_quote_for_eval_result; export $var; $relink_command" + fi + done + # Quote the link command for shipping. + relink_command="(cd `pwd`; $SHELL $progpath $preserve_args --mode=relink $libtool_args @inst_prefix_dir@)" + relink_command=`$ECHO "$relink_command" | $SED "$sed_quote_subst"` + if test "$hardcode_automatic" = yes ; then + relink_command= + fi + + # Only create the output if not a dry run. + $opt_dry_run || { + for installed in no yes; do + if test "$installed" = yes; then + if test -z "$install_libdir"; then + break + fi + output="$output_objdir/$outputname"i + # Replace all uninstalled libtool libraries with the installed ones + newdependency_libs= + for deplib in $dependency_libs; do + case $deplib in + *.la) + func_basename "$deplib" + name="$func_basename_result" + func_resolve_sysroot "$deplib" + eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $func_resolve_sysroot_result` + test -z "$libdir" && \ + func_fatal_error "\`$deplib' is not a valid libtool archive" + func_append newdependency_libs " ${lt_sysroot:+=}$libdir/$name" + ;; + -L*) + func_stripname -L '' "$deplib" + func_replace_sysroot "$func_stripname_result" + func_append newdependency_libs " -L$func_replace_sysroot_result" + ;; + -R*) + func_stripname -R '' "$deplib" + func_replace_sysroot "$func_stripname_result" + func_append newdependency_libs " -R$func_replace_sysroot_result" + ;; + *) func_append newdependency_libs 
" $deplib" ;; + esac + done + dependency_libs="$newdependency_libs" + newdlfiles= + + for lib in $dlfiles; do + case $lib in + *.la) + func_basename "$lib" + name="$func_basename_result" + eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib` + test -z "$libdir" && \ + func_fatal_error "\`$lib' is not a valid libtool archive" + func_append newdlfiles " ${lt_sysroot:+=}$libdir/$name" + ;; + *) func_append newdlfiles " $lib" ;; + esac + done + dlfiles="$newdlfiles" + newdlprefiles= + for lib in $dlprefiles; do + case $lib in + *.la) + # Only pass preopened files to the pseudo-archive (for + # eventual linking with the app. that links it) if we + # didn't already link the preopened objects directly into + # the library: + func_basename "$lib" + name="$func_basename_result" + eval libdir=`${SED} -n -e 's/^libdir=\(.*\)$/\1/p' $lib` + test -z "$libdir" && \ + func_fatal_error "\`$lib' is not a valid libtool archive" + func_append newdlprefiles " ${lt_sysroot:+=}$libdir/$name" + ;; + esac + done + dlprefiles="$newdlprefiles" + else + newdlfiles= + for lib in $dlfiles; do + case $lib in + [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;; + *) abs=`pwd`"/$lib" ;; + esac + func_append newdlfiles " $abs" + done + dlfiles="$newdlfiles" + newdlprefiles= + for lib in $dlprefiles; do + case $lib in + [\\/]* | [A-Za-z]:[\\/]*) abs="$lib" ;; + *) abs=`pwd`"/$lib" ;; + esac + func_append newdlprefiles " $abs" + done + dlprefiles="$newdlprefiles" + fi + $RM $output + # place dlname in correct position for cygwin + # In fact, it would be nice if we could use this code for all target + # systems that can't hard-code library paths into their executables + # and that have no shared library path variable independent of PATH, + # but it turns out we can't easily determine that from inspecting + # libtool variables, so we have to hard-code the OSs to which it + # applies here; at the moment, that means platforms that use the PE + # object format with DLL files. 
See the long comment at the top of + # tests/bindir.at for full details. + tdlname=$dlname + case $host,$output,$installed,$module,$dlname in + *cygwin*,*lai,yes,no,*.dll | *mingw*,*lai,yes,no,*.dll | *cegcc*,*lai,yes,no,*.dll) + # If a -bindir argument was supplied, place the dll there. + if test "x$bindir" != x ; + then + func_relative_path "$install_libdir" "$bindir" + tdlname=$func_relative_path_result$dlname + else + # Otherwise fall back on heuristic. + tdlname=../bin/$dlname + fi + ;; + esac + $ECHO > $output "\ +# $outputname - a libtool library file +# Generated by $PROGRAM (GNU $PACKAGE$TIMESTAMP) $VERSION +# +# Please DO NOT delete this file! +# It is necessary for linking the library. + +# The name that we can dlopen(3). +dlname='$tdlname' + +# Names of this library. +library_names='$library_names' + +# The name of the static archive. +old_library='$old_library' + +# Linker flags that can not go in dependency_libs. +inherited_linker_flags='$new_inherited_linker_flags' + +# Libraries that this one depends upon. +dependency_libs='$dependency_libs' + +# Names of additional weak libraries provided by this library +weak_library_names='$weak_libs' + +# Version information for $libname. +current=$current +age=$age +revision=$revision + +# Is this an already installed library? +installed=$installed + +# Should we warn about portability when linking against -modules? +shouldnotlink=$module + +# Files to dlopen/dlpreopen +dlopen='$dlfiles' +dlpreopen='$dlprefiles' + +# Directory that this library needs to be installed in: +libdir='$install_libdir'" + if test "$installed" = no && test "$need_relink" = yes; then + $ECHO >> $output "\ +relink_command=\"$relink_command\"" + fi + done + } + + # Do a symbolic link so that the libtool archive can be found in + # LD_LIBRARY_PATH before the program is installed. + func_show_eval '( cd "$output_objdir" && $RM "$outputname" && $LN_S "../$outputname" "$outputname" )' 'exit $?' 
+ ;; + esac + exit $EXIT_SUCCESS +} + +{ test "$opt_mode" = link || test "$opt_mode" = relink; } && + func_mode_link ${1+"$@"} + + +# func_mode_uninstall arg... +func_mode_uninstall () +{ + $opt_debug + RM="$nonopt" + files= + rmforce= + exit_status=0 + + # This variable tells wrapper scripts just to set variables rather + # than running their programs. + libtool_install_magic="$magic" + + for arg + do + case $arg in + -f) func_append RM " $arg"; rmforce=yes ;; + -*) func_append RM " $arg" ;; + *) func_append files " $arg" ;; + esac + done + + test -z "$RM" && \ + func_fatal_help "you must specify an RM program" + + rmdirs= + + for file in $files; do + func_dirname "$file" "" "." + dir="$func_dirname_result" + if test "X$dir" = X.; then + odir="$objdir" + else + odir="$dir/$objdir" + fi + func_basename "$file" + name="$func_basename_result" + test "$opt_mode" = uninstall && odir="$dir" + + # Remember odir for removal later, being careful to avoid duplicates + if test "$opt_mode" = clean; then + case " $rmdirs " in + *" $odir "*) ;; + *) func_append rmdirs " $odir" ;; + esac + fi + + # Don't error if the file doesn't exist and rm -f was used. + if { test -L "$file"; } >/dev/null 2>&1 || + { test -h "$file"; } >/dev/null 2>&1 || + test -f "$file"; then + : + elif test -d "$file"; then + exit_status=1 + continue + elif test "$rmforce" = yes; then + continue + fi + + rmfiles="$file" + + case $name in + *.la) + # Possibly a libtool archive, so verify it. + if func_lalib_p "$file"; then + func_source $dir/$name + + # Delete the libtool libraries and symlinks. 
+ for n in $library_names; do + func_append rmfiles " $odir/$n" + done + test -n "$old_library" && func_append rmfiles " $odir/$old_library" + + case "$opt_mode" in + clean) + case " $library_names " in + *" $dlname "*) ;; + *) test -n "$dlname" && func_append rmfiles " $odir/$dlname" ;; + esac + test -n "$libdir" && func_append rmfiles " $odir/$name $odir/${name}i" + ;; + uninstall) + if test -n "$library_names"; then + # Do each command in the postuninstall commands. + func_execute_cmds "$postuninstall_cmds" 'test "$rmforce" = yes || exit_status=1' + fi + + if test -n "$old_library"; then + # Do each command in the old_postuninstall commands. + func_execute_cmds "$old_postuninstall_cmds" 'test "$rmforce" = yes || exit_status=1' + fi + # FIXME: should reinstall the best remaining shared library. + ;; + esac + fi + ;; + + *.lo) + # Possibly a libtool object, so verify it. + if func_lalib_p "$file"; then + + # Read the .lo file + func_source $dir/$name + + # Add PIC object to the list of files to remove. + if test -n "$pic_object" && + test "$pic_object" != none; then + func_append rmfiles " $dir/$pic_object" + fi + + # Add non-PIC object to the list of files to remove. + if test -n "$non_pic_object" && + test "$non_pic_object" != none; then + func_append rmfiles " $dir/$non_pic_object" + fi + fi + ;; + + *) + if test "$opt_mode" = clean ; then + noexename=$name + case $file in + *.exe) + func_stripname '' '.exe' "$file" + file=$func_stripname_result + func_stripname '' '.exe' "$name" + noexename=$func_stripname_result + # $file with .exe has already been added to rmfiles, + # add $file without .exe + func_append rmfiles " $file" + ;; + esac + # Do a test to see if this is a libtool program. 
+ if func_ltwrapper_p "$file"; then + if func_ltwrapper_executable_p "$file"; then + func_ltwrapper_scriptname "$file" + relink_command= + func_source $func_ltwrapper_scriptname_result + func_append rmfiles " $func_ltwrapper_scriptname_result" + else + relink_command= + func_source $dir/$noexename + fi + + # note $name still contains .exe if it was in $file originally + # as does the version of $file that was added into $rmfiles + func_append rmfiles " $odir/$name $odir/${name}S.${objext}" + if test "$fast_install" = yes && test -n "$relink_command"; then + func_append rmfiles " $odir/lt-$name" + fi + if test "X$noexename" != "X$name" ; then + func_append rmfiles " $odir/lt-${noexename}.c" + fi + fi + fi + ;; + esac + func_show_eval "$RM $rmfiles" 'exit_status=1' + done + + # Try to remove the ${objdir}s in the directories where we deleted files + for dir in $rmdirs; do + if test -d "$dir"; then + func_show_eval "rmdir $dir >/dev/null 2>&1" + fi + done + + exit $exit_status +} + +{ test "$opt_mode" = uninstall || test "$opt_mode" = clean; } && + func_mode_uninstall ${1+"$@"} + +test -z "$opt_mode" && { + help="$generic_help" + func_fatal_help "you must specify a MODE" +} + +test -z "$exec_cmd" && \ + func_fatal_help "invalid operation mode \`$opt_mode'" + +if test -n "$exec_cmd"; then + eval exec "$exec_cmd" + exit $EXIT_FAILURE +fi + +exit $exit_status + + +# The TAGs below are defined such that we never get into a situation +# in which we disable both kinds of libraries. Given conflicting +# choices, we go for a static library, that is the most portable, +# since we can't tell whether shared libraries were disabled because +# the user asked for that or because the platform doesn't support +# them. This is particularly important on AIX, because we don't +# support having both static and shared libraries enabled at the same +# time on that platform, so we default to a shared-only configuration. 
+# If a disable-shared tag is given, we'll fallback to a static-only
+# configuration. But we'll never go from static-only to shared-only.
+
+# ### BEGIN LIBTOOL TAG CONFIG: disable-shared
+build_libtool_libs=no
+build_old_libs=yes
+# ### END LIBTOOL TAG CONFIG: disable-shared
+
+# ### BEGIN LIBTOOL TAG CONFIG: disable-static
+build_old_libs=`case $build_libtool_libs in yes) echo no;; *) echo yes;; esac`
+# ### END LIBTOOL TAG CONFIG: disable-static
+
+# Local Variables:
+# mode:shell-script
+# sh-indentation:2
+# End:
+# vi:sw=2
+
diff --git a/ssl/CMakeLists.txt b/ssl/CMakeLists.txt
index e87e0f6..015cb62 100644
--- a/ssl/CMakeLists.txt
+++ b/ssl/CMakeLists.txt
@@ -1,9 +1,3 @@
-include_directories(
- .
- ../include
- ../include/compat
-)
-
 set(
 SSL_SRC
 bio_ssl.c
@@ -12,9 +6,7 @@ set(
 bs_cbs.c
 d1_both.c
 d1_clnt.c
- d1_enc.c
 d1_lib.c
- d1_meth.c
 d1_pkt.c
 d1_srtp.c
 d1_srvr.c
@@ -26,41 +18,59 @@ set(
 ssl_both.c
 ssl_cert.c
 ssl_ciph.c
+ ssl_ciphers.c
 ssl_clnt.c
 ssl_err.c
 ssl_init.c
+ ssl_kex.c
 ssl_lib.c
+ ssl_methods.c
 ssl_packet.c
 ssl_pkt.c
 ssl_rsa.c
 ssl_sess.c
+ ssl_sigalgs.c
 ssl_srvr.c
 ssl_stat.c
 ssl_tlsext.c
+ ssl_transcript.c
 ssl_txt.c
 ssl_versions.c
- t1_clnt.c
 t1_enc.c
- t1_hash.c
 t1_lib.c
- t1_meth.c
- t1_srvr.c
+ tls12_record_layer.c
+ tls13_buffer.c
+ tls13_client.c
+ tls13_error.c
+ tls13_handshake.c
+ tls13_handshake_msg.c
+ tls13_key_schedule.c
+ tls13_key_share.c
+ tls13_legacy.c
+ tls13_lib.c
+ tls13_record.c
+ tls13_record_layer.c
+ tls13_server.c
 )
 add_library(ssl ${SSL_SRC})
-if (BUILD_SHARED_LIBS)
- export_symbol(ssl ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym)
- target_link_libraries(ssl crypto)
- if (WIN32)
- target_link_libraries(ssl Ws2_32.lib)
- set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
- endif()
- set_target_properties(ssl PROPERTIES
- OUTPUT_NAME ssl${SSL_POSTFIX}
- ARCHIVE_OUTPUT_NAME ssl${SSL_POSTFIX})
- set_target_properties(ssl PROPERTIES VERSION ${SSL_VERSION}
- SOVERSION ${SSL_MAJOR_VERSION})
+target_include_directories(ssl
+ PRIVATE
+ .
+ ../include/compat
+ PUBLIC
+ ../include)
+
+export_symbol(ssl ${CMAKE_CURRENT_SOURCE_DIR}/ssl.sym)
+target_link_libraries(ssl crypto ${PLATFORM_LIBS})
+if (WIN32)
+ set(SSL_POSTFIX -${SSL_MAJOR_VERSION})
 endif()
+set_target_properties(ssl PROPERTIES
+ OUTPUT_NAME ssl${SSL_POSTFIX}
+ ARCHIVE_OUTPUT_NAME ssl${SSL_POSTFIX})
+set_target_properties(ssl PROPERTIES VERSION ${SSL_VERSION}
+ SOVERSION ${SSL_MAJOR_VERSION})
 if(ENABLE_LIBRESSL_INSTALL)
 install(
diff --git a/ssl/VERSION b/ssl/VERSION
index fec7de8..9c7e424 100644
--- a/ssl/VERSION
+++ b/ssl/VERSION
@@ -1 +1 @@
-45:1:0
+48:1:0
diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
index 344ca21..93cfa0d 100644
--- a/ssl/bio_ssl.c
+++ b/ssl/bio_ssl.c
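Review bot: `target_link_libraries(ssl crypto ${PLATFORM_LIBS})` uses the keyword-less legacy signature, so nothing records which of these libraries are part of ssl's link interface, and CMake refuses to mix this form with a later PUBLIC/PRIVATE call on the same target. The ssl library calls into crypto and its consumers normally need both, while the platform libraries are an implementation detail, so `target_link_libraries(ssl PUBLIC crypto PRIVATE ${PLATFORM_LIBS})` expresses that; any other target_link_libraries(ssl ...) call elsewhere in the tree would then need the same keyword form. `export_symbol(ssl ...)` also lost the `if (BUILD_SHARED_LIBS)` guard it had on the old side; if cmake_export_symbol does not itself no-op for static archives, keep the guard around that one call. Note too that `PUBLIC ../include` is stored as an absolute build-tree path in INTERFACE_INCLUDE_DIRECTORIES, which only matters if the install() block below (outside the hunk) exports the target — in that case wrap it in `$<BUILD_INTERFACE:...>`.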
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_ssl.c,v 1.27 2017/02/07 02:08:38 beck Exp $ */
+/* $OpenBSD: bio_ssl.c,v 1.29 2018/08/24 20:30:21 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -85,7 +85,7 @@ typedef struct bio_ssl_st {
 time_t last_time;
 } BIO_SSL;
-static BIO_METHOD methods_sslp = {
+static const BIO_METHOD methods_sslp = {
 .type = BIO_TYPE_SSL,
 .name = "ssl",
 .bwrite = ssl_write,
@@ -97,7 +97,7 @@ static BIO_METHOD methods_sslp = {
 .callback_ctrl = ssl_callback_ctrl,
 };
-BIO_METHOD *
+const BIO_METHOD *
 BIO_f_ssl(void)
 {
 return (&methods_sslp);
@@ -568,7 +568,9 @@ BIO_ssl_copy_session_id(BIO *t, BIO *f)
 if ((((BIO_SSL *)t->ptr)->ssl == NULL) ||
 (((BIO_SSL *)f->ptr)->ssl == NULL))
 return (0);
- SSL_copy_session_id(((BIO_SSL *)t->ptr)->ssl, ((BIO_SSL *)f->ptr)->ssl);
+ if (!SSL_copy_session_id(((BIO_SSL *)t->ptr)->ssl,
+ ((BIO_SSL *)f->ptr)->ssl))
+ return (0);
 return (1);
 }
diff --git a/ssl/bs_cbb.c b/ssl/bs_cbb.c
index bf7de3f..e734dd6 100644
--- a/ssl/bs_cbb.c
+++ b/ssl/bs_cbb.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bs_cbb.c,v 1.18 2017/11/28 16:34:20 jsing Exp $ */
+/* $OpenBSD: bs_cbb.c,v 1.23 2020/09/16 05:52:04 jsing Exp $ */
 /*
 * Copyright (c) 2014, Google Inc.
 *
@@ -14,7 +14,6 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#include
 #include
 #include
@@ -29,8 +28,7 @@ cbb_init(CBB *cbb, uint8_t *buf, size_t cap)
 {
 struct cbb_buffer_st *base;
- base = malloc(sizeof(struct cbb_buffer_st));
- if (base == NULL)
+ if ((base = calloc(1, sizeof(struct cbb_buffer_st))) == NULL)
 return 0;
 base->buf = buf;
@@ -54,7 +52,7 @@ CBB_init(CBB *cbb, size_t initial_capacity)
 if (initial_capacity == 0)
 initial_capacity = CBB_INITIAL_SIZE;
- if ((buf = malloc(initial_capacity)) == NULL)
+ if ((buf = calloc(1, initial_capacity)) == NULL)
 return 0;
 if (!cbb_init(cbb, buf, initial_capacity)) {
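Review bot: The new failure check in BIO_ssl_copy_session_id only covers SSL_copy_session_id; the two context lines above it still dereference `t->ptr` and `f->ptr` without a NULL check, so a BIO that is not an SSL BIO, or one whose ptr was never set, would crash rather than return 0. The start of the function is outside the hunk, so if it already verifies both arguments are SSL BIOs this is moot; otherwise add `if (t->ptr == NULL || f->ptr == NULL) return (0);` ahead of the cast. Returning 0 on a failed copy is the right direction, since callers previously had no way to learn the session was not shared.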
@@ -214,7 +212,8 @@ CBB_flush(CBB *cbb)
 uint8_t initial_length_byte;
 /* We already wrote 1 byte for the length. */
- assert (cbb->pending_len_len == 1);
+ if (cbb->pending_len_len != 1)
+ return 0;
 /* Check for long form */
 if (len > 0xfffffffe)
@@ -362,7 +361,7 @@ CBB_add_bytes(CBB *cbb, const uint8_t *data, size_t len)
 {
 uint8_t *dest;
- if (!CBB_add_space(cbb, &dest, len))
+ if (!CBB_flush(cbb) || !cbb_buffer_add(cbb->base, &dest, len))
 return 0;
 memcpy(dest, data, len);
@@ -375,6 +374,7 @@ CBB_add_space(CBB *cbb, uint8_t **out_data, size_t len)
 if (!CBB_flush(cbb) || !cbb_buffer_add(cbb->base, out_data, len))
 return 0;
+ memset(*out_data, 0, len);
 return 1;
 }
@@ -405,6 +405,15 @@ CBB_add_u24(CBB *cbb, size_t value)
 return cbb_add_u(cbb, (uint32_t)value, 3);
 }
+int
+CBB_add_u32(CBB *cbb, size_t value)
+{
+ if (value > 0xffffffffUL)
+ return 0;
+
+ return cbb_add_u(cbb, (uint32_t)value, 4);
+}
+
 int
 CBB_add_asn1_uint64(CBB *cbb, uint64_t value)
 {
diff --git a/ssl/bs_cbs.c b/ssl/bs_cbs.c
index ea1f010..5c3b9e3 100644
--- a/ssl/bs_cbs.c
+++ b/ssl/bs_cbs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bs_cbs.c,v 1.17 2015/06/24 09:44:18 jsing Exp $ */
+/* $OpenBSD: bs_cbs.c,v 1.18 2019/01/23 22:20:40 beck Exp $ */
 /*
 * Copyright (c) 2014, Google Inc.
 *
@@ -14,7 +14,6 @@
 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#include
 #include
 #include
@@ -347,10 +346,8 @@ cbs_get_asn1(CBS *cbs, CBS *out, unsigned int tag_value, int skip_header)
 tag != tag_value)
 return 0;
- if (skip_header && !CBS_skip(out, header_len)) {
- assert(0);
+ if (skip_header && !CBS_skip(out, header_len))
 return 0;
- }
 return 1;
 }
diff --git a/ssl/bytestring.h b/ssl/bytestring.h
index 2e89a57..20ee439 100644
--- a/ssl/bytestring.h
+++ b/ssl/bytestring.h
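Review bot: Replacing the `assert` in CBB_flush with `return 0` is the right call for library code handling peer-driven lengths, but the early return leaves the CBB with `pending_len_len` still set and no error recorded, so a caller that ignores the zero and keeps appending continues on top of a half-written length prefix. If the CBB API marks the buffer unusable on any failure elsewhere (not visible in this hunk) that covers it; otherwise a comment above the check such as `/* A failed flush is fatal: the pending length prefix cannot be repaired, caller must CBB_cleanup(). */` would make the contract explicit. CBB_flush starts and ends outside the hunk, so the comment `/* We already wrote 1 byte for the length. */` above the check should also be reworded now that the condition is checked rather than assumed.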
@@ -1,4 +1,4 @@
-/* $OpenBSD: bytestring.h,v 1.16 2017/11/28 16:34:20 jsing Exp $ */
+/* $OpenBSD: bytestring.h,v 1.17 2018/08/16 18:39:37 jsing Exp $ */
 /*
 * Copyright (c) 2014, Google Inc.
 *
@@ -461,6 +461,12 @@ int CBB_add_u16(CBB *cbb, size_t value);
 */
 int CBB_add_u24(CBB *cbb, size_t value);
+/*
+ * CBB_add_u32 appends a 32-bit, big-endian number from |value| to |cbb|. It
+ * returns one on success and zero otherwise.
+ */
+int CBB_add_u32(CBB *cbb, size_t value);
+
 /*
 * CBB_add_asn1_uint64 writes an ASN.1 INTEGER into |cbb| using |CBB_add_asn1|
 * and writes |value| in its contents. It returns one on success and zero on
diff --git a/ssl/d1_both.c b/ssl/d1_both.c
index 42f8cbd..3d2516c 100644
--- a/ssl/d1_both.c
+++ b/ssl/d1_both.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_both.c,v 1.52 2017/10/08 16:24:02 jsing Exp $ */
+/* $OpenBSD: d1_both.c,v 1.60 2020/09/26 14:43:17 jsing Exp $ */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -161,49 +161,41 @@ static unsigned int g_probable_mtu[] = {1500 - 28, 512 - 28, 256 - 28}; static unsigned int dtls1_guess_mtu(unsigned int curr_mtu); static void dtls1_fix_message_header(SSL *s, unsigned long frag_off, unsigned long frag_len); -static unsigned char *dtls1_write_message_header(SSL *s, unsigned char *p); +static int dtls1_write_message_header(const struct hm_header_st *msg_hdr, + unsigned long frag_off, unsigned long frag_len, unsigned char *p); static long dtls1_get_message_fragment(SSL *s, int st1, int stn, long max, int *ok); +void dtls1_hm_fragment_free(hm_fragment *frag); + static hm_fragment * dtls1_hm_fragment_new(unsigned long frag_len, int reassembly) { - hm_fragment *frag = NULL; - unsigned char *buf = NULL; - unsigned char *bitmask = NULL; + hm_fragment *frag; - frag = malloc(sizeof(hm_fragment)); - if (frag == NULL) - return NULL; + if ((frag = calloc(1, sizeof(*frag))) == NULL) + goto err; - if (frag_len) { - buf = malloc(frag_len); - if (buf == NULL) { - free(frag); - return NULL; - } + if (frag_len > 0) { + if ((frag->fragment = calloc(1, frag_len)) == NULL) + goto err; } - /* zero length fragment gets zero frag->fragment */ - frag->fragment = buf; - - /* Initialize reassembly bitmask if necessary */ + /* Initialize reassembly bitmask if necessary. */ if (reassembly) { - bitmask = malloc(RSMBLY_BITMASK_SIZE(frag_len)); - if (bitmask == NULL) { - free(buf); - free(frag); - return NULL; - } - memset(bitmask, 0, RSMBLY_BITMASK_SIZE(frag_len)); + if ((frag->reassembly = calloc(1, + RSMBLY_BITMASK_SIZE(frag_len))) == NULL) + goto err; } - frag->reassembly = bitmask; - return frag; + + err: + dtls1_hm_fragment_free(frag); + return NULL; } -static void +void dtls1_hm_fragment_free(hm_fragment *frag) { if (frag == NULL) 
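Review bot: `void dtls1_hm_fragment_free(hm_fragment *frag);` is added here as a loose prototype inside a .c file, and the d1_lib.c hunk later in this diff declares it a second time the same way; now that the function is no longer static the declaration belongs in ssl_locl.h (d1_lib.c visibly includes it) so the two copies cannot drift from the definition. The unified `err:` path is sound only because `calloc` zeroes `frag`, which makes `dtls1_hm_fragment_free` see `is_ccs == 0` and skip the saved-retransmit-state frees, and because that function appears to tolerate a NULL argument (its `if (frag == NULL)` is the last visible line); that reasoning is worth one line at the label, e.g. `/* frag is zeroed by calloc, so a partially built fragment is safe to free. */`.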
@@ -212,7 +204,7 @@ dtls1_hm_fragment_free(hm_fragment *frag) if (frag->msg_header.is_ccs) { EVP_CIPHER_CTX_free( frag->msg_header.saved_retransmit_state.enc_write_ctx); - EVP_MD_CTX_destroy( + EVP_MD_CTX_free( frag->msg_header.saved_retransmit_state.write_hash); } free(frag->fragment); @@ -301,8 +293,10 @@ dtls1_do_write(SSL *s, int type) dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH); - dtls1_write_message_header(s, - (unsigned char *)&s->internal->init_buf->data[s->internal->init_off]); + if (!dtls1_write_message_header(&D1I(s)->w_msg_hdr, + D1I(s)->w_msg_hdr.frag_off, D1I(s)->w_msg_hdr.frag_len, + (unsigned char *)&s->internal->init_buf->data[s->internal->init_off])) + return -1; OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH); } @@ -348,19 +342,16 @@ dtls1_do_write(SSL *s, int type) * Reconstruct message header is if it * is being sent in single fragment */ - *p++ = msg_hdr->type; - l2n3(msg_hdr->msg_len, p); - s2n (msg_hdr->seq, p); - l2n3(0, p); - l2n3(msg_hdr->msg_len, p); - p -= DTLS1_HM_HEADER_LENGTH; + if (!dtls1_write_message_header(msg_hdr, + 0, msg_hdr->msg_len, p)) + return (-1); xlen = ret; } else { p += DTLS1_HM_HEADER_LENGTH; xlen = ret - DTLS1_HM_HEADER_LENGTH; } - tls1_finish_mac(s, p, xlen); + tls1_transcript_record(s, p, xlen); } if (ret == s->internal->init_num) { @@ -417,7 +408,7 @@ dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) } msg_hdr = &D1I(s)->r_msg_hdr; - memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); + memset(msg_hdr, 0, sizeof(struct hm_header_st)); again: i = dtls1_get_message_fragment(s, st1, stn, max, ok); 
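Review bot: In the `@@ -301` hunk of dtls1_do_write the header is now built and checked before `OPENSSL_assert(len >= DTLS1_HM_HEADER_LENGTH)`, and the context line `dtls1_fix_message_header(s, frag_off, len - DTLS1_HM_HEADER_LENGTH)` above it already subtracts from `len`, so the assert guards nothing: with a short `len` the fragment length has already wrapped and twelve header bytes have already been written into init_buf at init_off. Move the check above the `dtls1_fix_message_header` call and, since this function now returns -1 on header failure anyway, make it `if (len < DTLS1_HM_HEADER_LENGTH) return -1;` rather than an abort. dtls1_do_write starts and ends outside the hunk, so an earlier bound on `len` may exist; if it does, the assert is dead and can simply go.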
@@ -431,21 +422,17 @@ again: msg_len = msg_hdr->msg_len; /* reconstruct message header */ - *(p++) = msg_hdr->type; - l2n3(msg_len, p); - s2n (msg_hdr->seq, p); - l2n3(0, p); - l2n3(msg_len, p); + if (!dtls1_write_message_header(msg_hdr, 0, msg_len, p)) + return -1; - p -= DTLS1_HM_HEADER_LENGTH; msg_len += DTLS1_HM_HEADER_LENGTH; - tls1_finish_mac(s, p, msg_len); + tls1_transcript_record(s, p, msg_len); if (s->internal->msg_callback) s->internal->msg_callback(0, s->version, SSL3_RT_HANDSHAKE, p, msg_len, s, s->internal->msg_callback_arg); - memset(msg_hdr, 0x00, sizeof(struct hm_header_st)); + memset(msg_hdr, 0, sizeof(struct hm_header_st)); /* Don't change sequence numbers while listening */ if (!D1I(s)->listen) @@ -1050,7 +1037,7 @@ dtls1_retransmit_message(SSL *s, unsigned short seq, unsigned long frag_off, item = pqueue_find(s->d1->sent_messages, seq64be); if (item == NULL) { #ifdef DEBUG - fprintf(stderr, "retransmit: message %d non-existant\n", seq); + fprintf(stderr, "retransmit: message %d non-existent\n", seq); #endif *found = 0; return 0; 
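Review bot: `return -1` after a failed `dtls1_write_message_header` leaves `*ok` as whatever `dtls1_get_message_fragment` set it to; at this point the fragment has been accepted and its header is being rebuilt in place, so if that flag is 1 a caller that consults `*ok` before the return value will treat -1 as a valid message length. The other early exits of dtls1_get_message are outside the hunk; if they clear the flag, mirror them here with `*ok = 0;` before `return -1;`. A failure here cannot be caused by peer data (the fields come from an already-validated header), so it is an internal error and should be reported as one through the file's usual error macro so it is diagnosable rather than silent.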
@@ -1167,19 +1154,33 @@ dtls1_fix_message_header(SSL *s, unsigned long frag_off, unsigned long frag_len) msg_hdr->frag_len = frag_len; } -static unsigned char * -dtls1_write_message_header(SSL *s, unsigned char *p) +static int +dtls1_write_message_header(const struct hm_header_st *msg_hdr, + unsigned long frag_off, unsigned long frag_len, unsigned char *p) { - struct hm_header_st *msg_hdr = &D1I(s)->w_msg_hdr; + CBB cbb; - *p++ = msg_hdr->type; - l2n3(msg_hdr->msg_len, p); + /* We assume DTLS1_HM_HEADER_LENGTH bytes are available for now... */ + if (!CBB_init_fixed(&cbb, p, DTLS1_HM_HEADER_LENGTH)) + return 0; + if (!CBB_add_u8(&cbb, msg_hdr->type)) + goto err; + if (!CBB_add_u24(&cbb, msg_hdr->msg_len)) + goto err; + if (!CBB_add_u16(&cbb, msg_hdr->seq)) + goto err; + if (!CBB_add_u24(&cbb, frag_off)) + goto err; + if (!CBB_add_u24(&cbb, frag_len)) + goto err; + if (!CBB_finish(&cbb, NULL, NULL)) + goto err; - s2n(msg_hdr->seq, p); - l2n3(msg_hdr->frag_off, p); - l2n3(msg_hdr->frag_len, p); + return 1; - return p; + err: + CBB_cleanup(&cbb); + return 0; } unsigned int @@ -1239,16 +1240,7 @@ dtls1_get_message_header(unsigned char *data, struct hm_header_st *msg_hdr) void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr) { - memset(ccs_hdr, 0x00, sizeof(struct ccs_header_st)); + memset(ccs_hdr, 0, sizeof(struct ccs_header_st)); ccs_hdr->type = *(data++); } - -int -dtls1_shutdown(SSL *s) -{ - int ret; - - ret = ssl3_shutdown(s); - return ret; -} diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index f3a7e5f..b660589 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_clnt.c,v 1.79 2017/10/10 15:13:26 jsing Exp $ */ +/* $OpenBSD: d1_clnt.c,v 1.83 2020/01/23 10:48:37 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 
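Review bot: dtls1_write_message_header now depends on the caller providing DTLS1_HM_HEADER_LENGTH writable bytes at `p`, and the only statement of that is the inline `/* We assume DTLS1_HM_HEADER_LENGTH bytes are available for now... */`, which a caller reading the prototype never sees. Replace it with a header comment on the function stating that it serialises the handshake message header (type, msg_len, seq, frag_off, frag_len — 1+3+2+3+3 bytes) into `p`, that `p` must have room for DTLS1_HM_HEADER_LENGTH bytes, and that it returns 1 on success and 0 when a field does not fit its width (the CBB_add_u24 calls presumably reject values above 24 bits, as CBB_add_u32 does for 32). The `CBB_cleanup` on the error path is correct since every `goto err` follows a successful `CBB_init_fixed`; that is worth noting in the comment too, so a future early-return before init does not copy the cleanup.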
@@ -127,54 +127,6 @@
 #include "bytestring.h"
-static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = {
- .version = DTLS1_VERSION,
- .min_version = DTLS1_VERSION,
- .max_version = DTLS1_VERSION,
- .ssl_new = dtls1_new,
- .ssl_clear = dtls1_clear,
- .ssl_free = dtls1_free,
- .ssl_accept = ssl_undefined_function,
- .ssl_connect = ssl3_connect,
- .ssl_read = ssl3_read,
- .ssl_peek = ssl3_peek,
- .ssl_write = ssl3_write,
- .ssl_shutdown = dtls1_shutdown,
- .ssl_pending = ssl3_pending,
- .get_ssl_method = dtls1_get_client_method,
- .get_timeout = dtls1_default_timeout,
- .ssl_version = ssl_undefined_void_function,
- .ssl_renegotiate = ssl3_renegotiate,
- .ssl_renegotiate_check = ssl3_renegotiate_check,
- .ssl_get_message = dtls1_get_message,
- .ssl_read_bytes = dtls1_read_bytes,
- .ssl_write_bytes = dtls1_write_app_data_bytes,
- .ssl3_enc = &DTLSv1_enc_data,
-};
-
-static const SSL_METHOD DTLSv1_client_method_data = {
- .ssl_dispatch_alert = dtls1_dispatch_alert,
- .num_ciphers = ssl3_num_ciphers,
- .get_cipher = dtls1_get_cipher,
- .get_cipher_by_char = ssl3_get_cipher_by_char,
- .put_cipher_by_char = ssl3_put_cipher_by_char,
- .internal = &DTLSv1_client_method_internal_data,
-};
-
-const SSL_METHOD *
-DTLSv1_client_method(void)
-{
- return &DTLSv1_client_method_data;
-}
-
-const SSL_METHOD *
-dtls1_get_client_method(int ver)
-{
- if (ver == DTLS1_VERSION)
- return (DTLSv1_client_method());
- return (NULL);
-}
-
 int
 dtls1_get_hello_verify(SSL *s)
 {
@@ -184,9 +136,8 @@ dtls1_get_hello_verify(SSL *s)
 uint16_t ssl_version;
 CBS hello_verify_request, cookie;
- n = s->method->internal->ssl_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
+ n = ssl3_get_message(s, DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A,
 DTLS1_ST_CR_HELLO_VERIFY_REQUEST_B, -1, s->internal->max_cert_list, &ok);
-
 if (!ok)
 return ((int)n);
diff --git a/ssl/d1_enc.c b/ssl/d1_enc.c
deleted file mode 100644
index 20686d2..0000000
--- a/ssl/d1_enc.c
+++ /dev/null
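Review bot: In the `@@ -184` hunk dtls1_get_hello_verify switches from the method-table `ssl_get_message` pointer, which the removed table bound to `dtls1_get_message`, to a direct `ssl3_get_message` call; this is only safe if ssl3_get_message now dispatches to the DTLS fragment-reassembly path itself, which this diff does not show. If it does not, a HelloVerifyRequest split across records would no longer be reassembled on the client. Either way the call site deserves a one-line comment recording the assumption, e.g. `/* ssl3_get_message handles DTLS reassembly internally for DTLS connections. */`, so the next reader does not have to rediscover why the DTLS-specific entry point is no longer used here.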
@@ -1,212 +0,0 @@ -/* $OpenBSD: d1_enc.c,v 1.14 2017/01/23 08:08:06 beck Exp $ */ -/* - * DTLS implementation written by Nagendra Modadugu - * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. - */ -/* ==================================================================== - * Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. 
Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). 
- * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -#include - -#include "ssl_locl.h" - -#include -#include -#include - -/* dtls1_enc encrypts/decrypts the record in |s->wrec| / |s->rrec|, respectively. - * - * Returns: - * 0: (in non-constant time) if the record is publically invalid (i.e. too - * short etc). - * 1: if the record's padding is valid / the encryption was successful. - * -1: if the record's padding/AEAD-authenticator is invalid or, if sending, - * an internal error occured. 
*/ -int -dtls1_enc(SSL *s, int send) -{ - SSL3_RECORD *rec; - EVP_CIPHER_CTX *ds; - unsigned long l; - int bs, i, j, k, mac_size = 0; - const EVP_CIPHER *enc; - - if (send) { - if (EVP_MD_CTX_md(s->internal->write_hash)) { - mac_size = EVP_MD_CTX_size(s->internal->write_hash); - if (mac_size < 0) - return -1; - } - ds = s->internal->enc_write_ctx; - rec = &(S3I(s)->wrec); - if (s->internal->enc_write_ctx == NULL) - enc = NULL; - else { - enc = EVP_CIPHER_CTX_cipher(s->internal->enc_write_ctx); - if (rec->data != rec->input) { -#ifdef DEBUG - /* we can't write into the input stream */ - fprintf(stderr, "%s:%d: rec->data != rec->input\n", - __FILE__, __LINE__); -#endif - } else if (EVP_CIPHER_block_size(ds->cipher) > 1) { - arc4random_buf(rec->input, - EVP_CIPHER_block_size(ds->cipher)); - } - } - } else { - if (EVP_MD_CTX_md(s->read_hash)) { - mac_size = EVP_MD_CTX_size(s->read_hash); - OPENSSL_assert(mac_size >= 0); - } - ds = s->enc_read_ctx; - rec = &(S3I(s)->rrec); - if (s->enc_read_ctx == NULL) - enc = NULL; - else - enc = EVP_CIPHER_CTX_cipher(s->enc_read_ctx); - } - - - if ((s->session == NULL) || (ds == NULL) || (enc == NULL)) { - memmove(rec->data, rec->input, rec->length); - rec->input = rec->data; - } else { - l = rec->length; - bs = EVP_CIPHER_block_size(ds->cipher); - - if ((bs != 1) && send) { - i = bs - ((int)l % bs); - - /* Add weird padding of upto 256 bytes */ - - /* we need to add 'i' padding bytes of value j */ - j = i - 1; - for (k = (int)l; k < (int)(l + i); k++) - rec->input[k] = j; - l += i; - rec->length += i; - } - - - if (!send) { - if (l == 0 || l % bs != 0) - return 0; - } - - EVP_Cipher(ds, rec->data, rec->input, l); - - - if ((bs != 1) && !send) - return tls1_cbc_remove_padding(s, rec, bs, mac_size); - } - return (1); -} - diff --git a/ssl/d1_lib.c b/ssl/d1_lib.c index 7e919a6..b7d23ef 100644 --- a/ssl/d1_lib.c +++ b/ssl/d1_lib.c 
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_lib.c,v 1.42 2017/04/10 17:27:33 jsing Exp $ */
+/* $OpenBSD: d1_lib.c,v 1.50 2020/09/26 14:43:17 jsing Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -70,109 +70,86 @@ #include "pqueue.h" #include "ssl_locl.h" +void dtls1_hm_fragment_free(hm_fragment *frag); + static int dtls1_listen(SSL *s, struct sockaddr *client); SSL3_ENC_METHOD DTLSv1_enc_data = { - .enc = dtls1_enc, .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, }; -long -dtls1_default_timeout(void) -{ - /* 2 hours, the 24 hours mentioned in the DTLSv1 spec - * is way too long for http, the cache would over fill */ - return (60*60*2); -} - int dtls1_new(SSL *s) { - DTLS1_STATE *d1; - if (!ssl3_new(s)) - return (0); - if ((d1 = calloc(1, sizeof(*d1))) == NULL) { - ssl3_free(s); - return (0); - } - if ((d1->internal = calloc(1, sizeof(*d1->internal))) == NULL) { - free(d1); - ssl3_free(s); - return (0); - } + goto err; - /* d1->handshake_epoch=0; */ + if ((s->d1 = calloc(1, sizeof(*s->d1))) == NULL) + goto err; + if ((s->d1->internal = calloc(1, sizeof(*s->d1->internal))) == NULL) + goto err; - d1->internal->unprocessed_rcds.q = pqueue_new(); - d1->internal->processed_rcds.q = pqueue_new(); - d1->internal->buffered_messages = pqueue_new(); - d1->sent_messages = pqueue_new(); - d1->internal->buffered_app_data.q = pqueue_new(); + if ((s->d1->internal->unprocessed_rcds.q = pqueue_new()) == NULL) + goto err; + if ((s->d1->internal->processed_rcds.q = pqueue_new()) == NULL) + goto err; + if ((s->d1->internal->buffered_messages = pqueue_new()) == NULL) + goto err; + if ((s->d1->sent_messages = pqueue_new()) == NULL) + goto err; + if ((s->d1->internal->buffered_app_data.q = pqueue_new()) == NULL) + goto err; - if (s->server) { - d1->internal->cookie_len = sizeof(D1I(s)->cookie); - } + if (s->server) + s->d1->internal->cookie_len = sizeof(D1I(s)->cookie); - if (!d1->internal->unprocessed_rcds.q || !d1->internal->processed_rcds.q || - !d1->internal->buffered_messages || !d1->sent_messages || - !d1->internal->buffered_app_data.q) { - pqueue_free(d1->internal->unprocessed_rcds.q); - pqueue_free(d1->internal->processed_rcds.q); - pqueue_free(d1->internal->buffered_messages); 
- pqueue_free(d1->sent_messages); - pqueue_free(d1->internal->buffered_app_data.q); - free(d1); - ssl3_free(s); - return (0); - } - - s->d1 = d1; s->method->internal->ssl_clear(s); return (1); + + err: + dtls1_free(s); + return (0); +} + +static void +dtls1_drain_records(pqueue queue) +{ + pitem *item; + DTLS1_RECORD_DATA_INTERNAL *rdata; + + if (queue == NULL) + return; + + while ((item = pqueue_pop(queue)) != NULL) { + rdata = (DTLS1_RECORD_DATA_INTERNAL *)item->data; + ssl3_release_buffer(&rdata->rbuf); + free(item->data); + pitem_free(item); + } +} + +static void +dtls1_drain_fragments(pqueue queue) +{ + pitem *item; + + if (queue == NULL) + return; + + while ((item = pqueue_pop(queue)) != NULL) { + dtls1_hm_fragment_free(item->data); + pitem_free(item); + } } static void dtls1_clear_queues(SSL *s) { - pitem *item = NULL; - hm_fragment *frag = NULL; - DTLS1_RECORD_DATA *rdata; - - while ((item = pqueue_pop(D1I(s)->unprocessed_rcds.q)) != NULL) { - rdata = (DTLS1_RECORD_DATA *) item->data; - free(rdata->rbuf.buf); - free(item->data); - pitem_free(item); - } - - while ((item = pqueue_pop(D1I(s)->processed_rcds.q)) != NULL) { - rdata = (DTLS1_RECORD_DATA *) item->data; - free(rdata->rbuf.buf); - free(item->data); - pitem_free(item); - } - - while ((item = pqueue_pop(D1I(s)->buffered_messages)) != NULL) { - frag = (hm_fragment *)item->data; - free(frag->fragment); - free(frag); - pitem_free(item); - } - - while ((item = pqueue_pop(s->d1->sent_messages)) != NULL) { - frag = (hm_fragment *)item->data; - free(frag->fragment); - free(frag); - pitem_free(item); - } - - while ((item = pqueue_pop(D1I(s)->buffered_app_data.q)) != NULL) { - rdata = (DTLS1_RECORD_DATA *) item->data; - free(rdata->rbuf.buf); - free(item->data); - pitem_free(item); - } + dtls1_drain_records(D1I(s)->unprocessed_rcds.q); + dtls1_drain_records(D1I(s)->processed_rcds.q); + dtls1_drain_fragments(D1I(s)->buffered_messages); + dtls1_drain_fragments(s->d1->sent_messages); + 
dtls1_drain_records(D1I(s)->buffered_app_data.q); } void @@ -455,11 +432,19 @@ void dtls1_build_sequence_number(unsigned char *dst, unsigned char *seq, unsigned short epoch) { - unsigned char dtlsseq[SSL3_SEQUENCE_SIZE]; - unsigned char *p; + CBB cbb; - p = dtlsseq; - s2n(epoch, p); - memcpy(p, &seq[2], SSL3_SEQUENCE_SIZE - 2); - memcpy(dst, dtlsseq, SSL3_SEQUENCE_SIZE); + if (!CBB_init_fixed(&cbb, dst, SSL3_SEQUENCE_SIZE)) + goto err; + if (!CBB_add_u16(&cbb, epoch)) + goto err; + if (!CBB_add_bytes(&cbb, &seq[2], SSL3_SEQUENCE_SIZE - 2)) + goto err; + if (!CBB_finish(&cbb, NULL, NULL)) + goto err; + + return; + + err: + CBB_cleanup(&cbb); } diff --git a/ssl/d1_pkt.c b/ssl/d1_pkt.c index 9f670fa..31ea52f 100644 --- a/ssl/d1_pkt.c +++ b/ssl/d1_pkt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_pkt.c,v 1.63 2017/05/07 04:22:24 beck Exp $ */ +/* $OpenBSD: d1_pkt.c,v 1.82 2020/09/24 17:59:54 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -186,7 +186,7 @@ static int have_handshake_fragment(SSL *s, int type, unsigned char *buf, int len, int peek); static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap); static void dtls1_record_bitmap_update(SSL *s, DTLS1_BITMAP *bitmap); -static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, +static DTLS1_BITMAP *dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch); static int dtls1_buffer_record(SSL *s, record_pqueue *q, unsigned char *priority); 
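Review bot: The new `err:` path in dtls1_new hands a partially built state to `dtls1_free(s)`, including the case where `s->d1` is allocated but `s->d1->internal` is still NULL (second calloc failed), which the removed code unwound inline without ever publishing `s->d1`. `dtls1_free` is outside this hunk, and the visible `dtls1_clear_queues` dereferences `D1I(s)` and `s->d1->sent_messages` unconditionally, so confirm that `dtls1_free` returns early for both `s->d1 == NULL` and `s->d1->internal == NULL` before it reaches the queue teardown; if it does not, a guard at the top of `dtls1_clear_queues`, `if (s->d1 == NULL || s->d1->internal == NULL) return;`, closes the gap. Separately, the `void dtls1_hm_fragment_free(hm_fragment *frag);` prototype added near the top belongs in the shared internal header next to the other DTLS handshake declarations rather than in this .c file, so the definition and its callers cannot drift apart.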
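Review bot: dtls1_build_sequence_number stays `void`, so the new `goto err` path silently leaves `dst` unwritten or partially written while the caller goes on to use it as the sequence number that feeds the record MAC. A fixed-size CBB over exactly `SSL3_SEQUENCE_SIZE` bytes into which exactly `2 + (SSL3_SEQUENCE_SIZE - 2)` bytes are added should not fail, but that invariant is what makes the silent path acceptable and it is nowhere stated. Either return an `int` and have callers check it, or put `/* Cannot fail: the fixed CBB is exactly SSL3_SEQUENCE_SIZE bytes and we add exactly that many. */` above the `err:` label so the next reader does not mistake it for a reachable error path.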
@@ -196,16 +196,16 @@ static int dtls1_process_record(SSL *s); static int dtls1_copy_record(SSL *s, pitem *item) { - DTLS1_RECORD_DATA *rdata; + DTLS1_RECORD_DATA_INTERNAL *rdata; - rdata = (DTLS1_RECORD_DATA *)item->data; + rdata = (DTLS1_RECORD_DATA_INTERNAL *)item->data; - free(s->s3->rbuf.buf); + ssl3_release_buffer(&S3I(s)->rbuf); s->internal->packet = rdata->packet; s->internal->packet_length = rdata->packet_length; - memcpy(&(s->s3->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER)); - memcpy(&(S3I(s)->rrec), &(rdata->rrec), sizeof(SSL3_RECORD)); + memcpy(&(S3I(s)->rbuf), &(rdata->rbuf), sizeof(SSL3_BUFFER_INTERNAL)); + memcpy(&(S3I(s)->rrec), &(rdata->rrec), sizeof(SSL3_RECORD_INTERNAL)); /* Set proper sequence number for mac calculation */ memcpy(&(S3I(s)->read_sequence[2]), &(rdata->packet[5]), 6); 
@@ -217,30 +217,29 @@ dtls1_copy_record(SSL *s, pitem *item) static int dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) { - DTLS1_RECORD_DATA *rdata; + DTLS1_RECORD_DATA_INTERNAL *rdata; pitem *item; /* Limit the size of the queue to prevent DOS attacks */ if (pqueue_size(queue->q) >= 100) return 0; - rdata = malloc(sizeof(DTLS1_RECORD_DATA)); + rdata = malloc(sizeof(DTLS1_RECORD_DATA_INTERNAL)); item = pitem_new(priority, rdata); if (rdata == NULL || item == NULL) goto init_err; rdata->packet = s->internal->packet; rdata->packet_length = s->internal->packet_length; - memcpy(&(rdata->rbuf), &(s->s3->rbuf), sizeof(SSL3_BUFFER)); - memcpy(&(rdata->rrec), &(S3I(s)->rrec), sizeof(SSL3_RECORD)); + memcpy(&(rdata->rbuf), &(S3I(s)->rbuf), sizeof(SSL3_BUFFER_INTERNAL)); + memcpy(&(rdata->rrec), &(S3I(s)->rrec), sizeof(SSL3_RECORD_INTERNAL)); item->data = rdata; - s->internal->packet = NULL; s->internal->packet_length = 0; - memset(&(s->s3->rbuf), 0, sizeof(SSL3_BUFFER)); - memset(&(S3I(s)->rrec), 0, sizeof(SSL3_RECORD)); + memset(&(S3I(s)->rbuf), 0, sizeof(SSL3_BUFFER_INTERNAL)); + memset(&(S3I(s)->rrec), 0, sizeof(SSL3_RECORD_INTERNAL)); if (!ssl3_setup_buffers(s)) goto err; @@ -252,7 +251,7 @@ dtls1_buffer_record(SSL *s, record_pqueue *queue, unsigned char *priority) return (1); err: - free(rdata->rbuf.buf); + ssl3_release_buffer(&rdata->rbuf); init_err: SSLerror(s, ERR_R_INTERNAL_ERROR); @@ -329,7 +328,7 @@ dtls1_process_record(SSL *s) int i, al; int enc_err; SSL_SESSION *sess; - SSL3_RECORD *rr; + SSL3_RECORD_INTERNAL *rr; unsigned int mac_size, orig_len; unsigned char md[EVP_MAX_MD_SIZE]; 
@@ -361,19 +360,17 @@ dtls1_process_record(SSL *s) /* decrypt in place in 'rr->input' */ rr->data = rr->input; - enc_err = s->method->internal->ssl3_enc->enc(s, 0); /* enc_err is: * 0: (in non-constant time) if the record is publically invalid. * 1: if the padding is valid * -1: if the padding is invalid */ - if (enc_err == 0) { + if ((enc_err = tls1_enc(s, 0)) == 0) { /* For DTLS we simply ignore bad packets. */ rr->length = 0; s->internal->packet_length = 0; goto err; } - /* r->length is now the compressed data plus mac */ if ((sess != NULL) && (s->enc_read_ctx != NULL) && (EVP_MD_CTX_md(s->read_hash) != NULL)) { @@ -383,8 +380,7 @@ dtls1_process_record(SSL *s) mac_size = EVP_MD_CTX_size(s->read_hash); OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE); - /* kludge: *_cbc_remove_padding passes padding length in rr->type */ - orig_len = rr->length + ((unsigned int)rr->type >> 8); + orig_len = rr->length + rr->padding_length; /* orig_len is the length of the record before any padding was * removed. This is public information, as is the MAC in use, @@ -469,7 +465,7 @@ err: int dtls1_get_record(SSL *s) { - SSL3_RECORD *rr; + SSL3_RECORD_INTERNAL *rr; unsigned char *p = NULL; DTLS1_BITMAP *bitmap; unsigned int is_next_epoch; @@ -640,10 +636,10 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) { int al, i, j, ret; unsigned int n; - SSL3_RECORD *rr; + SSL3_RECORD_INTERNAL *rr; void (*cb)(const SSL *ssl, int type2, int val) = NULL; - if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ + if (S3I(s)->rbuf.buf == NULL) /* Not initialized yet */ if (!ssl3_setup_buffers(s)) return (-1); @@ -672,7 +668,7 @@ dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) } } -start: + start: s->internal->rwstate = SSL_NOTHING; /* S3I(s)->rrec.type - is the type of record 
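Review bot: `orig_len = rr->length + rr->padding_length;` in the `@@ -383` hunk now depends on `rr->padding_length` being current for every record, but within this diff the field is only ever written by tls1_cbc_remove_padding (the `@@ -175` hunk in ssl/s3_cbc.c); `tls1_enc`, which replaces the `ssl3_enc->enc` indirection in the `@@ -361` hunk, is outside this diff, so confirm it resets `rr->padding_length` to 0 on the stream, AEAD and unencrypted paths, otherwise a stale value from an earlier CBC record inflates `orig_len` and with it the constant-time MAC scan that the following comment describes. Adding `rr->padding_length = 0;` next to `rr->data = rr->input;` before the `tls1_enc` call would make the invariant local to this function regardless of what `tls1_enc` does. The block comment describing `enc_err`'s values now sits above an `if` that both assigns and tests it; moving the comment directly above `if ((enc_err = tls1_enc(s, 0)) == 0)` keeps the two together.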
@@ -825,14 +821,6 @@ start: /* XDTLS: In a pathalogical case, the Client Hello * may be fragmented--don't always expect dest_maxlen bytes */ if (rr->length < dest_maxlen) { -#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE - /* - * for normal alerts rr->length is 2, while - * dest_maxlen is 7 if we were to handle this - * non-existing alert... - */ - FIX ME -#endif s->internal->rstate = SSL_ST_READ_HEADER; rr->length = 0; goto start; @@ -863,7 +851,7 @@ start: (D1I(s)->handshake_fragment[3] != 0)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_HELLO_REQUEST); - goto err; + goto f_err; } /* no need to check sequence number on HELLO REQUEST messages */ @@ -888,7 +876,7 @@ start: } if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { - if (s->s3->rbuf.left == 0) /* no read-ahead left? */ + if (S3I(s)->rbuf.left == 0) /* no read-ahead left? */ { BIO *bio; /* In the case where we try to read application data, @@ -973,9 +961,9 @@ start: /* XDTLS: check that epoch is consistent */ if ((rr->length != ccs_hdr_len) || (rr->off != 0) || (rr->data[0] != SSL3_MT_CCS)) { - i = SSL_AD_ILLEGAL_PARAMETER; + al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_CHANGE_CIPHER_SPEC); - goto err; + goto f_err; } rr->length = 0; @@ -1043,7 +1031,7 @@ start: } if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { - if (s->s3->rbuf.left == 0) /* no read-ahead left? */ + if (S3I(s)->rbuf.left == 0) /* no read-ahead left? */ { BIO *bio; /* In the case where we try to read application data, @@ -1105,9 +1093,9 @@ start: } /* not reached */ -f_err: + f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: + err: return (-1); } 
@@ -1186,156 +1174,66 @@ dtls1_write_bytes(SSL *s, int type, const void *buf, int len) int do_dtls1_write(SSL *s, int type, const unsigned char *buf, unsigned int len) { - unsigned char *p, *pseq; - int i, mac_size, clear = 0; - int prefix_len = 0; - SSL3_RECORD *wr; - SSL3_BUFFER *wb; - SSL_SESSION *sess; - int bs; + SSL3_BUFFER_INTERNAL *wb = &(S3I(s)->wbuf); + size_t out_len; + CBB cbb; + int ret; - /* first check if there is a SSL3_BUFFER still being written - * out. This will happen with non blocking IO */ - if (s->s3->wbuf.left != 0) { + memset(&cbb, 0, sizeof(cbb)); + + /* + * First check if there is a SSL3_BUFFER_INTERNAL still being written + * out. This will happen with non blocking IO. + */ + if (wb->left != 0) { OPENSSL_assert(0); /* XDTLS: want to see if we ever get here */ return (ssl3_write_pending(s, type, buf, len)); } - /* If we have an alert to send, lets send it */ - if (s->s3->alert_dispatch) { - i = s->method->ssl_dispatch_alert(s); - if (i <= 0) - return (i); - /* if it went, fall through and send more stuff */ + /* If we have an alert to send, let's send it */ + if (S3I(s)->alert_dispatch) { + if ((ret = s->method->ssl_dispatch_alert(s)) <= 0) + return (ret); + /* If it went, fall through and send more stuff. */ } if (len == 0) return 0; - wr = &(S3I(s)->wrec); - wb = &(s->s3->wbuf); - sess = s->session; - - if ((sess == NULL) || (s->internal->enc_write_ctx == NULL) || - (EVP_MD_CTX_md(s->internal->write_hash) == NULL)) - clear = 1; - - if (clear) - mac_size = 0; - else { - mac_size = EVP_MD_CTX_size(s->internal->write_hash); - if (mac_size < 0) - goto err; - } - - /* DTLS implements explicit IV, so no need for empty fragments. */ - - p = wb->buf + prefix_len; - - /* write the header */ - - *(p++) = type&0xff; - wr->type = type; - - *(p++) = (s->version >> 8); - *(p++) = s->version&0xff; - - /* field where we are to write out packet epoch, seq num and len */ - pseq = p; - - p += 10; - - /* lets setup the record stuff. 
*/ - - /* Make space for the explicit IV in case of CBC. - * (this is a bit of a boundary violation, but what the heck). - */ - if (s->internal->enc_write_ctx && - (EVP_CIPHER_mode(s->internal->enc_write_ctx->cipher) & EVP_CIPH_CBC_MODE)) - bs = EVP_CIPHER_block_size(s->internal->enc_write_ctx->cipher); - else - bs = 0; - - wr->data = p + bs; - /* make room for IV in case of CBC */ - wr->length = (int)len; - wr->input = (unsigned char *)buf; - - /* we now 'read' from wr->input, wr->length bytes into - * wr->data */ - - memcpy(wr->data, wr->input, wr->length); - wr->input = wr->data; - - /* we should still have the output to wr->data and the input - * from wr->input. Length should be wr->length. - * wr->data still points in the wb->buf */ - - if (mac_size != 0) { - if (tls1_mac(s, &(p[wr->length + bs]), 1) < 0) - goto err; - wr->length += mac_size; - } - - /* this is true regardless of mac size */ - wr->input = p; - wr->data = p; - - - /* ssl3_enc can only have an error on read */ - if (bs) /* bs != 0 in case of CBC */ - { - arc4random_buf(p, bs); - /* master IV and last CBC residue stand for - * the rest of randomness */ - wr->length += bs; - } - - s->method->internal->ssl3_enc->enc(s, 1); - - /* record length after mac and block padding */ -/* if (type == SSL3_RT_APPLICATION_DATA || - (type == SSL3_RT_ALERT && ! SSL_in_init(s))) */ - - /* there's only one epoch between handshake and app data */ - - s2n(D1I(s)->w_epoch, pseq); - - /* XDTLS: ?? 
*/ -/* else - s2n(D1I(s)->handshake_epoch, pseq); -*/ - - memcpy(pseq, &(S3I(s)->write_sequence[2]), 6); - pseq += 6; - s2n(wr->length, pseq); - - /* we should now have - * wr->data pointing to the encrypted data, which is - * wr->length long */ - wr->type=type; /* not needed but helps for debugging */ - wr->length += DTLS1_RT_HEADER_LENGTH; - - tls1_record_sequence_increment(S3I(s)->write_sequence); - - /* now let's set up wb */ - wb->left = prefix_len + wr->length; wb->offset = 0; - /* memorize arguments so that ssl3_write_pending can detect bad write retries later */ + if (!CBB_init_fixed(&cbb, wb->buf, wb->len)) + goto err; + + tls12_record_layer_set_version(s->internal->rl, s->version); + tls12_record_layer_set_write_epoch(s->internal->rl, D1I(s)->w_epoch); + + if (!tls12_record_layer_seal_record(s->internal->rl, type, buf, len, &cbb)) + goto err; + + if (!CBB_finish(&cbb, NULL, &out_len)) + goto err; + + wb->left = out_len; + + /* + * Memorize arguments so that ssl3_write_pending can detect + * bad write retries later. + */ S3I(s)->wpend_tot = len; S3I(s)->wpend_buf = buf; S3I(s)->wpend_type = type; S3I(s)->wpend_ret = len; - /* we now just need to write the buffer */ + /* We now just need to write the buffer. */ return ssl3_write_pending(s, type, buf, len); -err: + + err: + CBB_cleanup(&cbb); + return -1; } - - static int dtls1_record_replay_check(SSL *s, DTLS1_BITMAP *bitmap) { 
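Review bot: `wb->left = out_len;` stores a `size_t` into the buffer's `left` field; if `left` is still the `int` inherited from the SSL3_BUFFER layout (the struct is outside this hunk), that is an implicit narrowing and nothing in the function records the bound that makes it safe. The value is bounded by `wb->len` through `CBB_init_fixed`, so a comment such as `/* out_len <= wb->len, which is sized for a single record, so it fits in left. */` or an explicit cast would capture the reasoning. It would also help to say why `tls12_record_layer_set_version` and `tls12_record_layer_set_write_epoch` are re-applied on every write rather than once when the cipher state changes; a one-line comment above those two calls is enough.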
@@ -1390,34 +1288,23 @@ dtls1_dispatch_alert(SSL *s) unsigned char buf[DTLS1_AL_HEADER_LENGTH]; unsigned char *ptr = &buf[0]; - s->s3->alert_dispatch = 0; + S3I(s)->alert_dispatch = 0; - memset(buf, 0x00, sizeof(buf)); - *ptr++ = s->s3->send_alert[0]; - *ptr++ = s->s3->send_alert[1]; - -#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE - if (s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE) { - s2n(D1I(s)->handshake_read_seq, ptr); - l2n3(D1I(s)->r_msg_hdr.frag_off, ptr); - } -#endif + memset(buf, 0, sizeof(buf)); + *ptr++ = S3I(s)->send_alert[0]; + *ptr++ = S3I(s)->send_alert[1]; i = do_dtls1_write(s, SSL3_RT_ALERT, &buf[0], sizeof(buf)); if (i <= 0) { - s->s3->alert_dispatch = 1; + S3I(s)->alert_dispatch = 1; /* fprintf( stderr, "not done with alert\n" ); */ } else { - if (s->s3->send_alert[0] == SSL3_AL_FATAL -#ifdef DTLS1_AD_MISSING_HANDSHAKE_MESSAGE - || s->s3->send_alert[1] == DTLS1_AD_MISSING_HANDSHAKE_MESSAGE -#endif - ) + if (S3I(s)->send_alert[0] == SSL3_AL_FATAL) (void)BIO_flush(s->wbio); if (s->internal->msg_callback) s->internal->msg_callback(1, s->version, SSL3_RT_ALERT, - s->s3->send_alert, 2, s, s->internal->msg_callback_arg); + S3I(s)->send_alert, 2, s, s->internal->msg_callback_arg); if (s->internal->info_callback != NULL) cb = s->internal->info_callback; @@ -1425,7 +1312,7 @@ dtls1_dispatch_alert(SSL *s) cb = s->ctx->internal->info_callback; if (cb != NULL) { - j = (s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; + j = (S3I(s)->send_alert[0]<<8)|S3I(s)->send_alert[1]; cb(s, SSL_CB_WRITE_ALERT, j); } } @@ -1434,7 +1321,7 @@ dtls1_dispatch_alert(SSL *s) static DTLS1_BITMAP * -dtls1_get_bitmap(SSL *s, SSL3_RECORD *rr, unsigned int *is_next_epoch) +dtls1_get_bitmap(SSL *s, SSL3_RECORD_INTERNAL *rr, unsigned int *is_next_epoch) { *is_next_epoch = 0; 
@@ -1460,15 +1347,15 @@ dtls1_reset_seq_numbers(SSL *s, int rw) unsigned int seq_bytes = sizeof(S3I(s)->read_sequence); if (rw & SSL3_CC_READ) { - seq = S3I(s)->read_sequence; D1I(s)->r_epoch++; + seq = S3I(s)->read_sequence; memcpy(&(D1I(s)->bitmap), &(D1I(s)->next_bitmap), sizeof(DTLS1_BITMAP)); - memset(&(D1I(s)->next_bitmap), 0x00, sizeof(DTLS1_BITMAP)); + memset(&(D1I(s)->next_bitmap), 0, sizeof(DTLS1_BITMAP)); } else { + D1I(s)->w_epoch++; seq = S3I(s)->write_sequence; memcpy(D1I(s)->last_write_sequence, seq, sizeof(S3I(s)->write_sequence)); - D1I(s)->w_epoch++; } - memset(seq, 0x00, seq_bytes); + memset(seq, 0, seq_bytes); } diff --git a/ssl/d1_srtp.c b/ssl/d1_srtp.c index eb1877a..70e9a4f 100644 --- a/ssl/d1_srtp.c +++ b/ssl/d1_srtp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srtp.c,v 1.22 2017/08/27 02:58:04 doug Exp $ */ +/* $OpenBSD: d1_srtp.c,v 1.24 2020/03/16 15:25:13 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -140,7 +140,7 @@ static SRTP_PROTECTION_PROFILE srtp_known_profiles[] = { int srtp_find_profile_by_name(char *profile_name, SRTP_PROTECTION_PROFILE **pptr, - unsigned len) + unsigned int len) { SRTP_PROTECTION_PROFILE *p; @@ -159,7 +159,8 @@ srtp_find_profile_by_name(char *profile_name, SRTP_PROTECTION_PROFILE **pptr, } int -srtp_find_profile_by_num(unsigned profile_num, SRTP_PROTECTION_PROFILE **pptr) +srtp_find_profile_by_num(unsigned int profile_num, + SRTP_PROTECTION_PROFILE **pptr) { SRTP_PROTECTION_PROFILE *p; @@ -207,6 +208,7 @@ ssl_ctx_make_profiles(const char *profiles_string, ptr = col + 1; } while (col); + sk_SRTP_PROTECTION_PROFILE_free(*out); *out = profiles; return 0; diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index 57b8ea0..1a1ee54 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: d1_srvr.c,v 1.91 2017/10/12 15:52:50 jsing Exp $ */ +/* $OpenBSD: d1_srvr.c,v 1.95 2018/11/05 05:45:15 jsing Exp $ */ /* * DTLS implementation written by Nagendra Modadugu * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. @@ -125,54 +125,6 @@ #include #include -static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = { - .version = DTLS1_VERSION, - .min_version = DTLS1_VERSION, - .max_version = DTLS1_VERSION, - .ssl_new = dtls1_new, - .ssl_clear = dtls1_clear, - .ssl_free = dtls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = dtls1_shutdown, - .ssl_pending = ssl3_pending, - .get_ssl_method = dtls1_get_server_method, - .get_timeout = dtls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = dtls1_get_message, - .ssl_read_bytes = dtls1_read_bytes, - .ssl_write_bytes = dtls1_write_app_data_bytes, - .ssl3_enc = &DTLSv1_enc_data, -}; - -static const SSL_METHOD DTLSv1_server_method_data = { - .ssl_dispatch_alert = dtls1_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = dtls1_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &DTLSv1_server_method_internal_data, -}; - -const SSL_METHOD * -DTLSv1_server_method(void) -{ - return &DTLSv1_server_method_data; -} - -const SSL_METHOD * -dtls1_get_server_method(int ver) -{ - if (ver == DTLS1_VERSION) - return (DTLSv1_server_method()); - return (NULL); -} - int dtls1_send_hello_verify_request(SSL *s) { 
@@ -188,7 +140,7 @@ dtls1_send_hello_verify_request(SSL *s) return 0; } - if (!ssl3_handshake_msg_start_cbb(s, &cbb, &verify, + if (!ssl3_handshake_msg_start(s, &cbb, &verify, DTLS1_MT_HELLO_VERIFY_REQUEST)) goto err; if (!CBB_add_u16(&verify, s->version)) @@ -197,7 +149,7 @@ dtls1_send_hello_verify_request(SSL *s) goto err; if (!CBB_add_bytes(&cookie, D1I(s)->cookie, D1I(s)->cookie_len)) goto err; - if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) + if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; S3I(s)->hs.state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B; diff --git a/ssl/s3_cbc.c b/ssl/s3_cbc.c index 8c910c5..74e0562 100644 --- a/ssl/s3_cbc.c +++ b/ssl/s3_cbc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_cbc.c,v 1.16 2017/01/23 08:08:06 beck Exp $ */ +/* $OpenBSD: s3_cbc.c,v 1.22 2020/06/19 21:26:40 tb Exp $ */ /* ==================================================================== * Copyright (c) 2012 The OpenSSL Project. All rights reserved. * @@ -73,20 +73,20 @@ * bits. They use the fact that arithmetic shift shifts-in the sign bit. * However, this is not ensured by the C standard so you may need to replace * them with something else on odd CPUs. */ -#define DUPLICATE_MSB_TO_ALL(x) ((unsigned)((int)(x) >> (sizeof(int) * 8 - 1))) +#define DUPLICATE_MSB_TO_ALL(x) ((unsigned int)((int)(x) >> (sizeof(int) * 8 - 1))) #define DUPLICATE_MSB_TO_ALL_8(x) ((unsigned char)(DUPLICATE_MSB_TO_ALL(x))) /* constant_time_lt returns 0xff if a=b and 0x00 otherwise. */ -static unsigned -constant_time_ge(unsigned a, unsigned b) +static unsigned int +constant_time_ge(unsigned int a, unsigned int b) { a -= b; return DUPLICATE_MSB_TO_ALL(~a); @@ -94,9 +94,9 @@ constant_time_ge(unsigned a, unsigned b) /* constant_time_eq_8 returns 0xff if a==b and 0x00 otherwise. */ static unsigned char -constant_time_eq_8(unsigned a, unsigned b) +constant_time_eq_8(unsigned int a, unsigned int b) { - unsigned c = a ^ b; + unsigned int c = a ^ b; c--; return DUPLICATE_MSB_TO_ALL_8(c); } 
@@ -113,11 +113,11 @@ constant_time_eq_8(unsigned a, unsigned b) * 1: if the padding was valid * -1: otherwise. */ int -tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size, - unsigned mac_size) +tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD_INTERNAL *rec, + unsigned int block_size, unsigned int mac_size) { - unsigned padding_length, good, to_check, i; - const unsigned overhead = 1 /* padding length byte */ + mac_size; + unsigned int padding_length, good, to_check, i; + const unsigned int overhead = 1 /* padding length byte */ + mac_size; /* Check if version requires explicit IV */ if (SSL_USE_EXPLICIT_IV(s)) { @@ -135,12 +135,6 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size, padding_length = rec->data[rec->length - 1]; - if (EVP_CIPHER_flags(s->enc_read_ctx->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { - /* padding is already verified */ - rec->length -= padding_length + 1; - return 1; - } - good = constant_time_ge(rec->length, overhead + padding_length); /* The padding consists of a length byte at the end of the record and * then that many bytes of padding, all with the same value as the @@ -151,9 +145,9 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size, * decrypted information. Therefore we always have to check the maximum * amount of padding possible. (Again, the length of the record is * public information so we can use it.) */ - to_check = 255; /* maximum amount of padding. */ - if (to_check > rec->length - 1) - to_check = rec->length - 1; + to_check = 256; /* maximum amount of padding, inc length byte. */ + if (to_check > rec->length) + to_check = rec->length; for (i = 0; i < to_check; i++) { unsigned char mask = constant_time_ge(padding_length, i); 
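Review bot: With the `EVP_CIPH_FLAG_AEAD_CIPHER` short-circuit removed in the `@@ -135` hunk, tls1_cbc_remove_padding treats the last byte of any record it is handed as a CBC padding length, so its correctness now rests entirely on the caller only invoking it for block ciphers; the removed dtls1_enc gated the call on `bs != 1`, and the replacement caller `tls1_enc` is outside this diff, so confirm it keeps that gate and state the precondition in the function comment, e.g. `Must only be called for CBC-mode ciphers; AEAD and stream records carry no TLS padding.` The `to_check = 256` / `rec->length` bound in the `@@ -151` hunk is the right constant-time shape, since the scan now covers the length byte itself plus up to 255 padding bytes; a short comment tying 256 to `1 + 255` would make the change from 255 self-explanatory.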
@@ -175,7 +169,7 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size, padding_length = good & (padding_length + 1); rec->length -= padding_length; - rec->type |= padding_length<<8; /* kludge: pass padding length */ + rec->padding_length = padding_length; return (int)((good & 1) | (~good & -1)); } @@ -200,8 +194,8 @@ tls1_cbc_remove_padding(const SSL* s, SSL3_RECORD *rec, unsigned block_size, #define CBC_MAC_ROTATE_IN_PLACE void -ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD *rec, - unsigned md_size, unsigned orig_len) +ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD_INTERNAL *rec, + unsigned int md_size, unsigned int orig_len) { #if defined(CBC_MAC_ROTATE_IN_PLACE) unsigned char rotated_mac_buf[64 + EVP_MAX_MD_SIZE]; @@ -211,14 +205,14 @@ ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD *rec, #endif /* mac_end is the index of |rec->data| just after the end of the MAC. */ - unsigned mac_end = rec->length; - unsigned mac_start = mac_end - md_size; + unsigned int mac_end = rec->length; + unsigned int mac_start = mac_end - md_size; /* scan_start contains the number of bytes that we can ignore because * the MAC's position can only vary by 255 bytes. */ - unsigned scan_start = 0; - unsigned i, j; - unsigned div_spoiler; - unsigned rotate_offset; + unsigned int scan_start = 0; + unsigned int i, j; + unsigned int div_spoiler; + unsigned int rotate_offset; OPENSSL_assert(orig_len >= md_size); OPENSSL_assert(md_size <= EVP_MAX_MD_SIZE); 
@@ -272,6 +266,20 @@ ssl3_cbc_copy_mac(unsigned char* out, const SSL3_RECORD *rec, #endif } +#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \ + *((c)++)=(unsigned char)(((l)>>16)&0xff), \ + *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ + *((c)++)=(unsigned char)(((l) )&0xff)) + +#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \ + *((c)++)=(unsigned char)(((l)>>48)&0xff), \ + *((c)++)=(unsigned char)(((l)>>40)&0xff), \ + *((c)++)=(unsigned char)(((l)>>32)&0xff), \ + *((c)++)=(unsigned char)(((l)>>24)&0xff), \ + *((c)++)=(unsigned char)(((l)>>16)&0xff), \ + *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ + *((c)++)=(unsigned char)(((l) )&0xff)) + /* u32toLE serialises an unsigned, 32-bit number (n) as four bytes at (p) in * little-endian order. The value of p is advanced by four. */ #define u32toLE(n, p) \ @@ -308,7 +316,7 @@ static void tls1_sha256_final_raw(void* ctx, unsigned char *md_out) { SHA256_CTX *sha256 = ctx; - unsigned i; + unsigned int i; for (i = 0; i < 8; i++) { l2n(sha256->h[i], md_out); @@ -319,7 +327,7 @@ static void tls1_sha512_final_raw(void* ctx, unsigned char *md_out) { SHA512_CTX *sha512 = ctx; - unsigned i; + unsigned int i; for (i = 0; i < 8; i++) { l2n8(sha512->h[i], md_out); @@ -374,7 +382,7 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, size_t* md_out_size, const unsigned char header[13], const unsigned char *data, size_t data_plus_mac_size, size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret, - unsigned mac_secret_length) + unsigned int mac_secret_length) { union { /* 
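Review bot: The `l2n` and `l2n8` macros added here are file-local copies of helpers the removed side evidently obtained from a shared header, since the old `tls1_sha256_final_raw` used `l2n` without defining it; either that header still defines them and these definitions will collide or silently shadow, or they were deliberately dropped from it and every other user was audited, and a comment stating which, e.g. `/* Local copies: no longer provided by the shared internal header. */`, would save the next reader that check. Both macros are comma-expression sequences that evaluate `c` several times, which is fine for the plain pointer arguments used in the two `*_final_raw` helpers, but `static inline` functions taking `uint32_t`/`uint64_t` and `unsigned char **` would get type checking for free; `l2n8` applied to a 32-bit value is a shift-width error the macro cannot catch.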
@@ -387,8 +395,8 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, } md_state; void (*md_final_raw)(void *ctx, unsigned char *md_out); void (*md_transform)(void *ctx, const unsigned char *block); - unsigned md_size, md_block_size = 64; - unsigned header_length, variance_blocks, + unsigned int md_size, md_block_size = 64; + unsigned int header_length, variance_blocks, len, max_mac_bytes, num_blocks, num_starting_blocks, k, mac_end_offset, c, index_a, index_b; unsigned int bits; /* at most 18 bits */ @@ -397,11 +405,11 @@ ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char* md_out, unsigned char hmac_pad[MAX_HASH_BLOCK_SIZE]; unsigned char first_block[MAX_HASH_BLOCK_SIZE]; unsigned char mac_out[EVP_MAX_MD_SIZE]; - unsigned i, j, md_out_size_u; + unsigned int i, j, md_out_size_u; EVP_MD_CTX md_ctx; /* mdLengthSize is the number of bytes in the length field that terminates * the hash. */ - unsigned md_length_size = 8; + unsigned int md_length_size = 8; char length_is_big_endian = 1; /* This is a, hopefully redundant, check that allows us to forget about diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c index 52e0c52..91bfb5f 100644 --- a/ssl/s3_lib.c +++ b/ssl/s3_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: s3_lib.c,v 1.165 2018/03/15 12:27:00 jca Exp $ */ +/* $OpenBSD: s3_lib.c,v 1.198 2020/09/17 15:42:14 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -237,22 +237,6 @@ SSL_CIPHER ssl3_ciphers[] = { .alg_bits = 128, }, - /* Cipher 09 */ - { - .valid = 1, - .name = SSL3_TXT_RSA_DES_64_CBC_SHA, - .id = SSL3_CK_RSA_DES_64_CBC_SHA, - .algorithm_mkey = SSL_kRSA, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_LOW, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 56, - .alg_bits = 56, - }, - /* Cipher 0A */ { .valid = 1, 
@@ -273,22 +257,6 @@ SSL_CIPHER ssl3_ciphers[] = { * Ephemeral DH (DHE) ciphers. */ - /* Cipher 15 */ - { - .valid = 1, - .name = SSL3_TXT_EDH_RSA_DES_64_CBC_SHA, - .id = SSL3_CK_EDH_RSA_DES_64_CBC_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aRSA, - .algorithm_enc = SSL_DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_LOW, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 56, - .alg_bits = 56, - }, - /* Cipher 16 */ { .valid = 1, @@ -321,22 +289,6 @@ SSL_CIPHER ssl3_ciphers[] = { .alg_bits = 128, }, - /* Cipher 1A */ - { - .valid = 1, - .name = SSL3_TXT_ADH_DES_64_CBC_SHA, - .id = SSL3_CK_ADH_DES_64_CBC_SHA, - .algorithm_mkey = SSL_kDHE, - .algorithm_auth = SSL_aNULL, - .algorithm_enc = SSL_DES, - .algorithm_mac = SSL_SHA1, - .algorithm_ssl = SSL_SSLV3, - .algo_strength = SSL_LOW, - .algorithm2 = SSL_HANDSHAKE_MAC_DEFAULT|TLS1_PRF, - .strength_bits = 56, - .alg_bits = 56, - }, - /* Cipher 1B */ { .valid = 1, @@ -722,7 +674,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| + FIXED_NONCE_LEN(4)| SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, .strength_bits = 128, .alg_bits = 128, @@ -740,7 +692,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| + FIXED_NONCE_LEN(4)| SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, .strength_bits = 256, .alg_bits = 256, @@ -758,7 +710,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| + FIXED_NONCE_LEN(4)| SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, .strength_bits = 128, .alg_bits = 128, 
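Review bot: Dropping `SSL_CIPHER_ALGORITHM2_AEAD` from the GCM suites' `algorithm2` (the `@@ -722`, `@@ -740`, `@@ -758` hunks here and the same-shaped hunks through `@@ -1239` below) leaves `.algorithm_mac = SSL_AEAD` as the only marker that these suites are AEAD; confirm that every consumer that previously tested the `algorithm2` flag to select the AEAD record path now keys on `algorithm_mac`, since a missed one would route a GCM suite through the MAC-then-encrypt path. With the flag gone the table no longer says in one place what makes an entry AEAD, so a comment above the first GCM entry, `/* AEAD-ness is signalled by .algorithm_mac = SSL_AEAD; algorithm2 carries only the nonce layout. */`, would help.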
@@ -776,7 +728,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| + FIXED_NONCE_LEN(4)| SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, .strength_bits = 256, .alg_bits = 256, @@ -794,7 +746,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| + FIXED_NONCE_LEN(4)| SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, .strength_bits = 128, .alg_bits = 128, @@ -812,7 +764,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| + FIXED_NONCE_LEN(4)| SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, .strength_bits = 256, .alg_bits = 256, 
@@ -918,6 +870,60 @@ SSL_CIPHER ssl3_ciphers[] = { }, #endif /* OPENSSL_NO_CAMELLIA */ + /* + * TLSv1.3 cipher suites. + */ + +#ifdef LIBRESSL_HAS_TLS1_3 + /* Cipher 1301 */ + { + .valid = 1, + .name = TLS1_3_TXT_AES_128_GCM_SHA256, + .id = TLS1_3_CK_AES_128_GCM_SHA256, + .algorithm_mkey = SSL_kTLS1_3, + .algorithm_auth = SSL_aTLS1_3, + .algorithm_enc = SSL_AES128GCM, + .algorithm_mac = SSL_AEAD, + .algorithm_ssl = SSL_TLSV1_3, + .algo_strength = SSL_HIGH, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ + .strength_bits = 128, + .alg_bits = 128, + }, + + /* Cipher 1302 */ + { + .valid = 1, + .name = TLS1_3_TXT_AES_256_GCM_SHA384, + .id = TLS1_3_CK_AES_256_GCM_SHA384, + .algorithm_mkey = SSL_kTLS1_3, + .algorithm_auth = SSL_aTLS1_3, + .algorithm_enc = SSL_AES256GCM, + .algorithm_mac = SSL_AEAD, + .algorithm_ssl = SSL_TLSV1_3, + .algo_strength = SSL_HIGH, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA384, /* XXX */ + .strength_bits = 256, + .alg_bits = 256, + }, + + /* Cipher 1303 */ + { + .valid = 1, + .name = TLS1_3_TXT_CHACHA20_POLY1305_SHA256, + .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256, + .algorithm_mkey = SSL_kTLS1_3, + .algorithm_auth = SSL_aTLS1_3, + .algorithm_enc = SSL_CHACHA20POLY1305, + .algorithm_mac = SSL_AEAD, + .algorithm_ssl = SSL_TLSV1_3, + .algo_strength = SSL_HIGH, + .algorithm2 = SSL_HANDSHAKE_MAC_SHA256, /* XXX */ + .strength_bits = 256, + .alg_bits = 256, + }, +#endif + /* Cipher C006 */ { .valid = 1, @@ -1239,7 +1245,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| + FIXED_NONCE_LEN(4)| SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, .strength_bits = 128, .alg_bits = 128, 
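Review bot: The three new TLSv1.3 entries mark `.algorithm2` with a bare `/* XXX */`, which tells a reader nothing; every TLSv1.2 AEAD entry in this table pairs the handshake MAC with a `TLS1_PRF_*` flag and these deliberately omit it. Replace the marker with the reason, e.g. `/* XXX - no TLS1_PRF_* flag: TLSv1.3 key derivation does not use the TLSv1.2 PRF; only the handshake hash is recorded here. */`, so nobody "fixes" it by adding the PRF flag later. The `.algorithm_mac = SSL_AEAD` / `.algorithm_ssl = SSL_TLSV1_3` pairing is consistent across the three entries and matches the filtering added to `ssl3_choose_cipher` later in this diff.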
@@ -1257,7 +1263,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| + FIXED_NONCE_LEN(4)| SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, .strength_bits = 256, .alg_bits = 256, @@ -1275,7 +1281,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| + FIXED_NONCE_LEN(4)| SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, .strength_bits = 128, .alg_bits = 128, @@ -1293,7 +1299,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, .algorithm2 = SSL_HANDSHAKE_MAC_SHA384|TLS1_PRF_SHA384| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(4)| + FIXED_NONCE_LEN(4)| SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD, .strength_bits = 256, .alg_bits = 256, @@ -1311,7 +1317,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), + FIXED_NONCE_LEN(12), .strength_bits = 256, .alg_bits = 256, }, @@ -1328,7 +1334,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), + FIXED_NONCE_LEN(12), .strength_bits = 256, .alg_bits = 256, }, @@ -1345,7 +1351,7 @@ SSL_CIPHER ssl3_ciphers[] = { .algorithm_ssl = SSL_TLSV1_2, .algo_strength = SSL_HIGH, .algorithm2 = SSL_HANDSHAKE_MAC_SHA256|TLS1_PRF_SHA256| - SSL_CIPHER_ALGORITHM2_AEAD|FIXED_NONCE_LEN(12), + FIXED_NONCE_LEN(12), .strength_bits = 256, .alg_bits = 256, }, 
@@ -1445,44 +1451,8 @@ ssl3_handshake_msg_hdr_len(SSL *s) SSL3_HM_HEADER_LENGTH); } -unsigned char * -ssl3_handshake_msg_start(SSL *s, uint8_t msg_type) -{ - unsigned char *d, *p; - - d = p = (unsigned char *)s->internal->init_buf->data; - - /* Handshake message type and length. */ - *(p++) = msg_type; - l2n3(0, p); - - return (d + ssl3_handshake_msg_hdr_len(s)); -} - -void -ssl3_handshake_msg_finish(SSL *s, unsigned int len) -{ - unsigned char *p; - uint8_t msg_type; - - p = (unsigned char *)s->internal->init_buf->data; - - /* Handshake message length. */ - msg_type = *(p++); - l2n3(len, p); - - s->internal->init_num = ssl3_handshake_msg_hdr_len(s) + (int)len; - s->internal->init_off = 0; - - if (SSL_IS_DTLS(s)) { - dtls1_set_message_header(s, msg_type, len, 0, len); - dtls1_buffer_message(s, 0); - } -} - int -ssl3_handshake_msg_start_cbb(SSL *s, CBB *handshake, CBB *body, - uint8_t msg_type) +ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type) { int ret = 0; @@ -1507,7 +1477,7 @@ ssl3_handshake_msg_start_cbb(SSL *s, CBB *handshake, CBB *body, } int -ssl3_handshake_msg_finish_cbb(SSL *s, CBB *handshake) +ssl3_handshake_msg_finish(SSL *s, CBB *handshake) { unsigned char *data = NULL; size_t outlen; @@ -1589,17 +1559,21 @@ ssl3_free(SSL *s) tls1_cleanup_key_block(s); ssl3_release_read_buffer(s); ssl3_release_write_buffer(s); + freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len); DH_free(S3I(s)->tmp.dh); EC_KEY_free(S3I(s)->tmp.ecdh); - freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH); + tls13_key_share_free(S3I(s)->hs_tls13.key_share); + tls13_secrets_destroy(S3I(s)->hs_tls13.secrets); + freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len); + tls13_clienthello_hash_clear(&S3I(s)->hs_tls13); + sk_X509_NAME_pop_free(S3I(s)->tmp.ca_names, X509_NAME_free); - BIO_free(S3I(s)->handshake_buffer); - - tls1_handshake_hash_free(s); + tls1_transcript_free(s); + tls1_transcript_hash_free(s); free(S3I(s)->alpn_selected); 
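Review bot: As rendered, ssl3_free stops releasing the ephemeral X25519 private key (`- freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH);`) while the ssl3_clear hunk on the next physical line still wipes and NULLs that same field as context, so `tmp.x25519` exists on the new side; unless it is freed earlier in ssl3_free outside this hunk, the key is now leaked un-zeroed when the SSL is freed. If the collapsed rendering has simply lost a context marker, ignore this; otherwise keep the line next to `EC_KEY_free(S3I(s)->tmp.ecdh);`. The new TLSv1.3 teardown (`tls13_key_share_free`, `tls13_secrets_destroy`, `freezero(cookie)`, `tls13_clienthello_hash_clear`) mirrors ssl3_clear, which is good. ssl3_free begins before this hunk.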
@@ -1623,19 +1597,33 @@ ssl3_clear(SSL *s) S3I(s)->tmp.dh = NULL; EC_KEY_free(S3I(s)->tmp.ecdh); S3I(s)->tmp.ecdh = NULL; - + S3I(s)->tmp.ecdh_nid = NID_undef; freezero(S3I(s)->tmp.x25519, X25519_KEY_LENGTH); S3I(s)->tmp.x25519 = NULL; - rp = s->s3->rbuf.buf; - wp = s->s3->wbuf.buf; - rlen = s->s3->rbuf.len; - wlen = s->s3->wbuf.len; + freezero(S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len); + S3I(s)->hs.sigalgs = NULL; + S3I(s)->hs.sigalgs_len = 0; - BIO_free(S3I(s)->handshake_buffer); - S3I(s)->handshake_buffer = NULL; + tls13_key_share_free(S3I(s)->hs_tls13.key_share); + S3I(s)->hs_tls13.key_share = NULL; - tls1_handshake_hash_free(s); + tls13_secrets_destroy(S3I(s)->hs_tls13.secrets); + S3I(s)->hs_tls13.secrets = NULL; + freezero(S3I(s)->hs_tls13.cookie, S3I(s)->hs_tls13.cookie_len); + S3I(s)->hs_tls13.cookie = NULL; + S3I(s)->hs_tls13.cookie_len = 0; + tls13_clienthello_hash_clear(&S3I(s)->hs_tls13); + + S3I(s)->hs.extensions_seen = 0; + + rp = S3I(s)->rbuf.buf; + wp = S3I(s)->wbuf.buf; + rlen = S3I(s)->rbuf.len; + wlen = S3I(s)->wbuf.len; + + tls1_transcript_free(s); + tls1_transcript_hash_free(s); free(S3I(s)->alpn_selected); S3I(s)->alpn_selected = NULL; @@ -1645,10 +1633,10 @@ ssl3_clear(SSL *s) memset(s->s3, 0, sizeof(*s->s3)); S3I(s) = internal; - s->s3->rbuf.buf = rp; - s->s3->wbuf.buf = wp; - s->s3->rbuf.len = rlen; - s->s3->wbuf.len = wlen; + S3I(s)->rbuf.buf = rp; + S3I(s)->wbuf.buf = wp; + S3I(s)->rbuf.len = rlen; + S3I(s)->wbuf.len = wlen; ssl_free_wbio_buffer(s); 
@@ -1660,23 +1648,19 @@ ssl3_clear(SSL *s) s->internal->packet_length = 0; s->version = TLS1_VERSION; + + S3I(s)->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); } -static long -ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp) +long +_SSL_get_peer_tmp_key(SSL *s, EVP_PKEY **key) { EVP_PKEY *pkey = NULL; - EC_GROUP *group = NULL; - EC_POINT *point = NULL; - EC_KEY *ec_key = NULL; - BIGNUM *order = NULL; SESS_CERT *sc; int ret = 0; - *pkey_tmp = NULL; + *key = NULL; - if (s->server != 0) - return 0; if (s->session == NULL || SSI(s)->sess_cert == NULL) return 0; @@ -1686,40 +1670,29 @@ ssl_ctrl_get_server_tmp_key(SSL *s, EVP_PKEY **pkey_tmp) return 0; if (sc->peer_dh_tmp != NULL) { - ret = EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp); + if (!EVP_PKEY_set1_DH(pkey, sc->peer_dh_tmp)) + goto err; } else if (sc->peer_ecdh_tmp) { - ret = EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp); + if (!EVP_PKEY_set1_EC_KEY(pkey, sc->peer_ecdh_tmp)) + goto err; } else if (sc->peer_x25519_tmp != NULL) { - /* Fudge up an EC_KEY that looks like X25519... */ - if ((group = EC_GROUP_new(EC_GFp_mont_method())) == NULL) + if (!ssl_kex_dummy_ecdhe_x25519(pkey)) goto err; - if ((point = EC_POINT_new(group)) == NULL) + } else if (S3I(s)->hs_tls13.key_share != NULL) { + if (!tls13_key_share_peer_pkey(S3I(s)->hs_tls13.key_share, + pkey)) goto err; - if ((order = BN_new()) == NULL) - goto err; - if (!BN_set_bit(order, 252)) - goto err; - if (!EC_GROUP_set_generator(group, point, order, NULL)) - goto err; - EC_GROUP_set_curve_name(group, NID_X25519); - if ((ec_key = EC_KEY_new()) == NULL) - goto err; - if (!EC_KEY_set_group(ec_key, group)) - goto err; - ret = EVP_PKEY_set1_EC_KEY(pkey, ec_key); + } else { + goto err; } - if (ret == 1) { - *pkey_tmp = pkey; - pkey = NULL; - } + *key = pkey; + pkey = NULL; - err: + ret = 1; + + err: EVP_PKEY_free(pkey); - EC_GROUP_free(group); - EC_POINT_free(point); - EC_KEY_free(ec_key); - BN_free(order); return (ret); } 
@@ -1758,11 +1731,6 @@ _SSL_set_tmp_dh(SSL *s, DH *dh)
{
DH *dh_tmp;
- if (!ssl_cert_inst(&s->cert)) {
- SSLerror(s, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
if (dh == NULL) {
SSLerror(s, ERR_R_PASSED_NULL_PARAMETER);
return 0;
@@ -1792,11 +1760,6 @@ _SSL_set_tmp_ecdh(SSL *s, EC_KEY *ecdh)
const EC_GROUP *group;
int nid;
- if (!ssl_cert_inst(&s->cert)) {
- SSLerror(s, ERR_R_MALLOC_FAILURE);
- return 0;
- }
-
if (ecdh == NULL)
return 0;
if ((group = EC_KEY_get0_group(ecdh)) == NULL)
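Review bot: Removing the `ssl_cert_inst(&s->cert)` guard in `_SSL_set_tmp_dh` and `_SSL_set_tmp_ecdh` (and in `ssl3_callback_ctrl` two physical lines down) makes these dereference `s->cert` unconditionally; the only justification visible is the deleted ssl_cert_inst comment in the ssl_cert.c hunk, which says the CERT is always created in SSL_CTX_new. That invariant is now load-bearing and no longer documented anywhere near these setters, so propose a comment at the first site: `/* s->cert is created with the SSL_CTX (see ssl_cert_new()); no ssl_cert_inst() guard is needed. */`. Both functions start before their hunks.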
@@ -1881,19 +1844,74 @@ _SSL_set_tlsext_status_ids(SSL *s, STACK_OF(OCSP_RESPID) *ids) static int _SSL_get_tlsext_status_ocsp_resp(SSL *s, unsigned char **resp) { - *resp = s->internal->tlsext_ocsp_resp; - return s->internal->tlsext_ocsp_resplen; + if (s->internal->tlsext_ocsp_resp != NULL && + s->internal->tlsext_ocsp_resp_len < INT_MAX) { + *resp = s->internal->tlsext_ocsp_resp; + return (int)s->internal->tlsext_ocsp_resp_len; + } + + *resp = NULL; + + return -1; } static int _SSL_set_tlsext_status_ocsp_resp(SSL *s, unsigned char *resp, int resp_len) { free(s->internal->tlsext_ocsp_resp); + s->internal->tlsext_ocsp_resp = NULL; + s->internal->tlsext_ocsp_resp_len = 0; + + if (resp_len < 0) + return 0; + s->internal->tlsext_ocsp_resp = resp; - s->internal->tlsext_ocsp_resplen = resp_len; + s->internal->tlsext_ocsp_resp_len = (size_t)resp_len; + return 1; } +int +SSL_set0_chain(SSL *ssl, STACK_OF(X509) *chain) +{ + return ssl_cert_set0_chain(ssl->cert, chain); +} + +int +SSL_set1_chain(SSL *ssl, STACK_OF(X509) *chain) +{ + return ssl_cert_set1_chain(ssl->cert, chain); +} + +int +SSL_add0_chain_cert(SSL *ssl, X509 *x509) +{ + return ssl_cert_add0_chain_cert(ssl->cert, x509); +} + +int +SSL_add1_chain_cert(SSL *ssl, X509 *x509) +{ + return ssl_cert_add1_chain_cert(ssl->cert, x509); +} + +int +SSL_get0_chain_certs(const SSL *ssl, STACK_OF(X509) **out_chain) +{ + *out_chain = NULL; + + if (ssl->cert->key != NULL) + *out_chain = ssl->cert->key->chain; + + return 1; +} + +int +SSL_clear_chain_certs(SSL *ssl) +{ + return ssl_cert_set0_chain(ssl->cert, NULL); +} + int SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) { @@ -1904,7 +1922,7 @@ SSL_set1_groups(SSL *s, const int *groups, size_t groups_len) int SSL_set1_groups_list(SSL *s, const char *groups) { - return tls1_set_groups_list(&s->internal->tlsext_supportedgroups, + return tls1_set_group_list(&s->internal->tlsext_supportedgroups, &s->internal->tlsext_supportedgroups_length, groups); } 
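Review bot: `_SSL_set_tlsext_status_ocsp_resp` now frees and clears the previous response before validating `resp_len`, so a negative length leaves the SSL with no OCSP response and returns 0 while the caller still owns `resp`; for a set0-style setter that ownership split is not obvious and should be stated, e.g. `/* Takes ownership of resp on success; on failure (resp_len < 0) the caller still owns resp and the previous response has already been discarded. */`. Alternatively move `if (resp_len < 0) return 0;` above the `free()` so a bad call leaves the existing response intact. Note also that `_SSL_get_tlsext_status_ocsp_resp` now returns -1 with `*resp = NULL` where the old code returned the (zero) length, so callers comparing the result to 0 should be checked.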
@@ -1975,14 +1993,32 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP: return _SSL_set_tlsext_status_ocsp_resp(s, parg, larg); + case SSL_CTRL_CHAIN: + if (larg == 0) + return SSL_set0_chain(s, (STACK_OF(X509) *)parg); + else + return SSL_set1_chain(s, (STACK_OF(X509) *)parg); + + case SSL_CTRL_CHAIN_CERT: + if (larg == 0) + return SSL_add0_chain_cert(s, (X509 *)parg); + else + return SSL_add1_chain_cert(s, (X509 *)parg); + + case SSL_CTRL_GET_CHAIN_CERTS: + return SSL_get0_chain_certs(s, (STACK_OF(X509) **)parg); + case SSL_CTRL_SET_GROUPS: return SSL_set1_groups(s, parg, larg); case SSL_CTRL_SET_GROUPS_LIST: return SSL_set1_groups_list(s, parg); + /* XXX - rename to SSL_CTRL_GET_PEER_TMP_KEY and remove server check. */ case SSL_CTRL_GET_SERVER_TMP_KEY: - return ssl_ctrl_get_server_tmp_key(s, parg); + if (s->server != 0) + return 0; + return _SSL_get_peer_tmp_key(s, parg); case SSL_CTRL_GET_MIN_PROTO_VERSION: return SSL_get_min_proto_version(s); @@ -2024,13 +2060,6 @@ ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp)(void)) { - if (cmd == SSL_CTRL_SET_TMP_DH_CB || cmd == SSL_CTRL_SET_TMP_ECDH_CB) { - if (!ssl_cert_inst(&s->cert)) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - return 0; - } - } - switch (cmd) { case SSL_CTRL_SET_TMP_RSA_CB: SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); 
@@ -2153,6 +2182,47 @@ _SSL_CTX_set_tlsext_status_arg(SSL_CTX *ctx, void *arg) return 1; } +int +SSL_CTX_set0_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) +{ + return ssl_cert_set0_chain(ctx->internal->cert, chain); +} + +int +SSL_CTX_set1_chain(SSL_CTX *ctx, STACK_OF(X509) *chain) +{ + return ssl_cert_set1_chain(ctx->internal->cert, chain); +} + +int +SSL_CTX_add0_chain_cert(SSL_CTX *ctx, X509 *x509) +{ + return ssl_cert_add0_chain_cert(ctx->internal->cert, x509); +} + +int +SSL_CTX_add1_chain_cert(SSL_CTX *ctx, X509 *x509) +{ + return ssl_cert_add1_chain_cert(ctx->internal->cert, x509); +} + +int +SSL_CTX_get0_chain_certs(const SSL_CTX *ctx, STACK_OF(X509) **out_chain) +{ + *out_chain = NULL; + + if (ctx->internal->cert->key != NULL) + *out_chain = ctx->internal->cert->key->chain; + + return 1; +} + +int +SSL_CTX_clear_chain_certs(SSL_CTX *ctx) +{ + return ssl_cert_set0_chain(ctx->internal->cert, NULL); +} + static int _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert) { @@ -2166,14 +2236,24 @@ _SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *cert) return 1; } -int +static int _SSL_CTX_get_extra_chain_certs(SSL_CTX *ctx, STACK_OF(X509) **certs) +{ + *certs = ctx->extra_certs; + if (*certs == NULL) + *certs = ctx->internal->cert->key->chain; + + return 1; +} + +static int +_SSL_CTX_get_extra_chain_certs_only(SSL_CTX *ctx, STACK_OF(X509) **certs) { *certs = ctx->extra_certs; return 1; } -int +static int _SSL_CTX_clear_extra_chain_certs(SSL_CTX *ctx) { sk_X509_pop_free(ctx->extra_certs, X509_free); @@ -2191,7 +2271,7 @@ SSL_CTX_set1_groups(SSL_CTX *ctx, const int *groups, size_t groups_len) int SSL_CTX_set1_groups_list(SSL_CTX *ctx, const char *groups) { - return tls1_set_groups_list(&ctx->internal->tlsext_supportedgroups, + return tls1_set_group_list(&ctx->internal->tlsext_supportedgroups, &ctx->internal->tlsext_supportedgroups_length, groups); } 
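Review bot: `_SSL_CTX_get_extra_chain_certs` falls back to `ctx->internal->cert->key->chain` without checking `key`, whereas `SSL_CTX_get0_chain_certs` a few lines above and `ssl_cert_set0_chain` in the ssl_cert.c hunk both guard `key == NULL`. ssl_cert_new points `key` at `pkeys[SSL_PKEY_RSA]` so it is normally set, but the inconsistency invites a NULL dereference if that ever changes; use the same guard: `if (*certs == NULL && ctx->internal->cert->key != NULL)` / `*certs = ctx->internal->cert->key->chain;`. A one-line comment explaining the `larg` split would also help, since ssl3_ctx_ctrl selects between the two helpers on `larg` without saying why: `/* larg == 0: extra_certs, falling back to the default key's chain; larg != 0: extra_certs only. */`.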
@@ -2234,11 +2314,29 @@ ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG: return _SSL_CTX_set_tlsext_status_arg(ctx, parg); + case SSL_CTRL_CHAIN: + if (larg == 0) + return SSL_CTX_set0_chain(ctx, (STACK_OF(X509) *)parg); + else + return SSL_CTX_set1_chain(ctx, (STACK_OF(X509) *)parg); + + case SSL_CTRL_CHAIN_CERT: + if (larg == 0) + return SSL_CTX_add0_chain_cert(ctx, (X509 *)parg); + else + return SSL_CTX_add1_chain_cert(ctx, (X509 *)parg); + + case SSL_CTRL_GET_CHAIN_CERTS: + return SSL_CTX_get0_chain_certs(ctx, (STACK_OF(X509) **)parg); + case SSL_CTRL_EXTRA_CHAIN_CERT: return _SSL_CTX_add_extra_chain_cert(ctx, parg); case SSL_CTRL_GET_EXTRA_CHAIN_CERTS: - return _SSL_CTX_get_extra_chain_certs(ctx, parg); + if (larg == 0) + return _SSL_CTX_get_extra_chain_certs(ctx, parg); + else + return _SSL_CTX_get_extra_chain_certs_only(ctx, parg); case SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS: return _SSL_CTX_clear_extra_chain_certs(ctx); @@ -2370,12 +2468,15 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, unsigned long alg_k, alg_a, mask_k, mask_a; STACK_OF(SSL_CIPHER) *prio, *allow; SSL_CIPHER *c, *ret = NULL; + int can_use_ecc; int i, ii, ok; CERT *cert; /* Let's see which ciphers we can support */ cert = s->cert; + can_use_ecc = (tls1_get_shared_curve(s) != NID_undef); + /* * Do not set the compare functions, because this may lead to a * reordering by "id". We want to keep the original ordering. @@ -2399,6 +2500,16 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, !SSL_USE_TLS1_2_CIPHERS(s)) continue; + /* Skip TLS v1.3 only ciphersuites if not supported. */ + if ((c->algorithm_ssl & SSL_TLSV1_3) && + !SSL_USE_TLS1_3_CIPHERS(s)) + continue; + + /* If TLS v1.3, only allow TLS v1.3 ciphersuites. */ + if (SSL_USE_TLS1_3_CIPHERS(s) && + !(c->algorithm_ssl & SSL_TLSV1_3)) + continue; + ssl_set_cert_masks(cert, c); mask_k = cert->mask_k; mask_a = cert->mask_a; 
@@ -2406,7 +2517,6 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, alg_k = c->algorithm_mkey; alg_a = c->algorithm_auth; - ok = (alg_k & mask_k) && (alg_a & mask_a); /* @@ -2420,7 +2530,7 @@ ssl3_choose_cipher(SSL *s, STACK_OF(SSL_CIPHER) *clnt, * an ephemeral EC key check it. */ if (alg_k & SSL_kECDHE) - ok = ok && tls1_check_ec_tmp_key(s); + ok = ok && can_use_ecc; if (!ok) continue; @@ -2442,14 +2552,16 @@ ssl3_get_req_cert_types(SSL *s, CBB *cbb) #ifndef OPENSSL_NO_GOST if ((alg_k & SSL_kGOST) != 0) { - if (!CBB_add_u8(cbb, TLS_CT_GOST94_SIGN)) - return 0; if (!CBB_add_u8(cbb, TLS_CT_GOST01_SIGN)) return 0; if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN)) return 0; if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN)) return 0; + if (!CBB_add_u8(cbb, TLS_CT_GOST12_256_SIGN_COMPAT)) + return 0; + if (!CBB_add_u8(cbb, TLS_CT_GOST12_512_SIGN_COMPAT)) + return 0; } #endif @@ -2490,11 +2602,11 @@ ssl3_shutdown(SSL *s) ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY); /* * Our shutdown alert has been sent now, and if it still needs - * to be written, s->s3->alert_dispatch will be true + * to be written, S3I(s)->alert_dispatch will be true */ - if (s->s3->alert_dispatch) + if (S3I(s)->alert_dispatch) return(-1); /* return WANT_WRITE */ - } else if (s->s3->alert_dispatch) { + } else if (S3I(s)->alert_dispatch) { /* resend it if not sent */ ret = s->method->ssl_dispatch_alert(s); if (ret == -1) { @@ -2515,7 +2627,7 @@ ssl3_shutdown(SSL *s) } if ((s->internal->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && - !s->s3->alert_dispatch) + !S3I(s)->alert_dispatch) return (1); else return (0); 
@@ -2524,56 +2636,13 @@ ssl3_shutdown(SSL *s) int ssl3_write(SSL *s, const void *buf, int len) { - int ret, n; - -#if 0 - if (s->internal->shutdown & SSL_SEND_SHUTDOWN) { - s->internal->rwstate = SSL_NOTHING; - return (0); - } -#endif errno = 0; + if (S3I(s)->renegotiate) ssl3_renegotiate_check(s); - /* - * This is an experimental flag that sends the - * last handshake message in the same packet as the first - * use data - used to see if it helps the TCP protocol during - * session-id reuse - */ - /* The second test is because the buffer may have been removed */ - if ((s->s3->flags & SSL3_FLAGS_POP_BUFFER) && (s->wbio == s->bbio)) { - /* First time through, we write into the buffer */ - if (S3I(s)->delay_buf_pop_ret == 0) { - ret = ssl3_write_bytes(s, SSL3_RT_APPLICATION_DATA, - buf, len); - if (ret <= 0) - return (ret); - - S3I(s)->delay_buf_pop_ret = ret; - } - - s->internal->rwstate = SSL_WRITING; - n = BIO_flush(s->wbio); - if (n <= 0) - return (n); - s->internal->rwstate = SSL_NOTHING; - - /* We have flushed the buffer, so remove it */ - ssl_free_wbio_buffer(s); - s->s3->flags&= ~SSL3_FLAGS_POP_BUFFER; - - ret = S3I(s)->delay_buf_pop_ret; - S3I(s)->delay_buf_pop_ret = 0; - } else { - ret = s->method->internal->ssl_write_bytes(s, - SSL3_RT_APPLICATION_DATA, buf, len); - if (ret <= 0) - return (ret); - } - - return (ret); + return s->method->internal->ssl_write_bytes(s, + SSL3_RT_APPLICATION_DATA, buf, len); } static int @@ -2636,7 +2705,7 @@ ssl3_renegotiate_check(SSL *s) int ret = 0; if (S3I(s)->renegotiate) { - if ((s->s3->rbuf.left == 0) && (s->s3->wbuf.left == 0) && + if ((S3I(s)->rbuf.left == 0) && (S3I(s)->wbuf.left == 0) && !SSL_in_init(s)) { /* * If we are the server, and we have sent diff --git a/ssl/ssl.sym b/ssl/ssl.sym index 2e12ff9..e094c2a 100644 --- a/ssl/ssl.sym +++ b/ssl/ssl.sym 
@@ -4,6 +4,9 @@ BIO_new_ssl
BIO_new_ssl_connect
BIO_ssl_copy_session_id
BIO_ssl_shutdown
+DTLS_client_method
+DTLS_method
+DTLS_server_method
DTLSv1_client_method
DTLSv1_method
DTLSv1_server_method
@@ -45,14 +48,18 @@ SSL_CIPHER_is_aead
SSL_COMP_add_compression_method
SSL_COMP_get_compression_methods
SSL_COMP_get_name
+SSL_CTX_add0_chain_cert
+SSL_CTX_add1_chain_cert
SSL_CTX_add_client_CA
SSL_CTX_add_session
SSL_CTX_callback_ctrl
SSL_CTX_check_private_key
+SSL_CTX_clear_chain_certs
SSL_CTX_ctrl
SSL_CTX_flush_sessions
SSL_CTX_free
SSL_CTX_get0_certificate
+SSL_CTX_get0_chain_certs
SSL_CTX_get0_param
SSL_CTX_get_cert_store
SSL_CTX_get_ciphers
@@ -81,6 +88,8 @@ SSL_CTX_sess_set_get_cb
SSL_CTX_sess_set_new_cb
SSL_CTX_sess_set_remove_cb
SSL_CTX_sessions
+SSL_CTX_set0_chain
+SSL_CTX_set1_chain
SSL_CTX_set1_groups
SSL_CTX_set1_groups_list
SSL_CTX_set1_param
@@ -152,6 +161,8 @@ SSL_SESSION_set_time
SSL_SESSION_set_timeout
SSL_SESSION_up_ref
SSL_accept
+SSL_add0_chain_cert
+SSL_add1_chain_cert
SSL_add_client_CA
SSL_add_dir_cert_subjects_to_stack
SSL_add_file_cert_subjects_to_stack
@@ -163,6 +174,7 @@ SSL_cache_hit
SSL_callback_ctrl
SSL_check_private_key
SSL_clear
+SSL_clear_chain_certs
SSL_connect
SSL_copy_session_id
SSL_ctrl
@@ -172,14 +184,17 @@ SSL_dup_CA_list
SSL_export_keying_material
SSL_free
SSL_get0_alpn_selected
+SSL_get0_chain_certs
SSL_get0_next_proto_negotiated
SSL_get0_param
SSL_get1_session
+SSL_get1_supported_ciphers
SSL_get_SSL_CTX
SSL_get_certificate
SSL_get_cipher_list
SSL_get_ciphers
SSL_get_client_CA_list
+SSL_get_client_ciphers
SSL_get_client_random
SSL_get_current_cipher
SSL_get_current_compression
@@ -233,8 +248,11 @@ SSL_renegotiate_pending
SSL_rstate_string
SSL_rstate_string_long
SSL_select_next_proto
+SSL_set0_chain
+SSL_set1_chain
SSL_set1_groups
SSL_set1_groups_list
+SSL_set1_host
SSL_set1_param
SSL_set_SSL_CTX
SSL_set_accept_state
diff --git a/ssl/ssl_algs.c b/ssl/ssl_algs.c
index b63f36b..bb736c5 100644
--- a/ssl/ssl_algs.c
+++ b/ssl/ssl_algs.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_algs.c,v 1.27 2017/08/12 02:55:22 jsing Exp $ */ +/* $OpenBSD: ssl_algs.c,v 1.28 2019/04/04 16:44:24 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -119,8 +119,7 @@ SSL_library_init(void) EVP_add_digest(EVP_streebog256()); EVP_add_digest(EVP_streebog512()); #endif - /* initialize cipher/digest methods table */ - ssl_load_ciphers(); + return (1); } diff --git a/ssl/ssl_asn1.c b/ssl/ssl_asn1.c index 0ca442f..94fc868 100644 --- a/ssl/ssl_asn1.c +++ b/ssl/ssl_asn1.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_asn1.c,v 1.56 2018/03/20 16:10:57 jsing Exp $ */ +/* $OpenBSD: ssl_asn1.c,v 1.57 2018/08/27 16:42:48 jsing Exp $ */ /* * Copyright (c) 2016 Joel Sing * @@ -44,23 +44,16 @@ time_max(void) return 0; } -int -i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) +static int +SSL_SESSION_encode(SSL_SESSION *s, unsigned char **out, size_t *out_len, + int ticket_encoding) { CBB cbb, session, cipher_suite, session_id, master_key, time, timeout; - CBB peer_cert, sidctx, verify_result, hostname, lifetime, ticket; - CBB value; - unsigned char *data = NULL, *peer_cert_bytes = NULL; - size_t data_len = 0; - int len, rv = -1; + CBB peer_cert, sidctx, verify_result, hostname, lifetime, ticket, value; + unsigned char *peer_cert_bytes = NULL; + int len, rv = 0; uint16_t cid; - if (s == NULL) - return (0); - - if (s->cipher == NULL && s->cipher_id == 0) - return (0); - if (!CBB_init(&cbb, 0)) goto err; @@ -87,10 +80,11 @@ i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) if (!CBB_add_u16(&cipher_suite, cid)) goto err; - /* Session ID. */ + /* Session ID - zero length for a ticket. */ if (!CBB_add_asn1(&session, &session_id, CBS_ASN1_OCTETSTRING)) goto err; - if (!CBB_add_bytes(&session_id, s->session_id, s->session_id_length)) + if (!CBB_add_bytes(&session_id, s->session_id, + ticket_encoding ? 0 : s->session_id_length)) goto err; /* Master key. */ 
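Review bot: The new static `SSL_SESSION_encode` gains an undocumented int flag `ticket_encoding` whose only visible effect is emitting a zero-length session ID; document it on the definition, e.g. `/* Encode the session. When ticket_encoding is non-zero the session ID is written empty, which is the form used for session tickets. Returns 1 on success, 0 on error; on success *out is allocated by CBB_finish() and owned by the caller. */`. The NULL and cipher checks were moved out to the two callers on the next physical line, so this helper must never be called with a NULL session; that precondition belongs in the same comment. In the ssl_algs.c hunk, `SSL_library_init` no longer calls `ssl_load_ciphers()`; presumably the cipher/digest table is initialised elsewhere now, but nothing in this diff shows where, so that should be confirmed. `SSL_SESSION_encode` continues past this hunk.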
@@ -173,7 +167,7 @@ i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) } /* Ticket [10]. */ - if (s->tlsext_tick) { + if (s->tlsext_tick != NULL) { if (!CBB_add_asn1(&session, &ticket, SSLASN1_TICKET_TAG)) goto err; if (!CBB_add_asn1(&ticket, &value, CBS_ASN1_OCTETSTRING)) @@ -185,7 +179,44 @@ i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) /* Compression method [11]. */ /* SRP username [12]. */ - if (!CBB_finish(&cbb, &data, &data_len)) + if (!CBB_finish(&cbb, out, out_len)) + goto err; + + rv = 1; + + err: + CBB_cleanup(&cbb); + free(peer_cert_bytes); + + return rv; +} + +int +SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len) +{ + if (ss == NULL) + return 0; + + if (ss->cipher == NULL && ss->cipher_id == 0) + return 0; + + return SSL_SESSION_encode(ss, out, out_len, 1); +} + +int +i2d_SSL_SESSION(SSL_SESSION *ss, unsigned char **pp) +{ + unsigned char *data = NULL; + size_t data_len = 0; + int rv = -1; + + if (ss == NULL) + return 0; + + if (ss->cipher == NULL && ss->cipher_id == 0) + return 0; + + if (!SSL_SESSION_encode(ss, &data, &data_len, 0)) goto err; if (data_len > INT_MAX) @@ -204,9 +235,7 @@ i2d_SSL_SESSION(SSL_SESSION *s, unsigned char **pp) rv = (int)data_len; err: - CBB_cleanup(&cbb); freezero(data, data_len); - free(peer_cert_bytes); return rv; } diff --git a/ssl/ssl_both.c b/ssl/ssl_both.c index 03f9597..5da450b 100644 --- a/ssl/ssl_both.c +++ b/ssl/ssl_both.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_both.c,v 1.11 2017/10/08 16:24:02 jsing Exp $ */ +/* $OpenBSD: ssl_both.c,v 1.20 2020/09/24 18:12:00 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -146,7 +146,7 @@ ssl3_do_write(SSL *s, int type) * Should not be done for 'Hello Request's, but in that case * we'll ignore the result anyway. */ - tls1_finish_mac(s, + tls1_transcript_record(s, (unsigned char *)&s->internal->init_buf->data[s->internal->init_off], ret); if (ret == s->internal->init_num) { 
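Review bot: `SSL_SESSION_ticket` hands the caller a heap buffer that contains the session's master key (the encoding writes it, see the `/* Master key. */` step in the previous hunk, and the `freezero(data, data_len)` in i2d_SSL_SESSION's err path shows the buffer is caller-owned), yet the function carries no comment on ownership or sensitivity. Propose `/* Encode ss as a session ticket payload. On success *out is allocated and owned by the caller; it contains the master secret and should be released with freezero(*out, *out_len). */`. The NULL/cipher preconditions are now duplicated verbatim in `SSL_SESSION_ticket` and `i2d_SSL_SESSION`; a small static helper, say `SSL_SESSION_is_encodable()`, would keep the two in sync.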
@@ -191,12 +191,12 @@ ssl3_send_finished(SSL *s, int a, int b, const char *sender, int slen) S3I(s)->previous_server_finished_len = md_len; } - if (!ssl3_handshake_msg_start_cbb(s, &cbb, &finished, + if (!ssl3_handshake_msg_start(s, &cbb, &finished, SSL3_MT_FINISHED)) goto err; if (!CBB_add_bytes(&finished, S3I(s)->tmp.finish_md, md_len)) goto err; - if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) + if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; S3I(s)->hs.state = b; @@ -248,7 +248,7 @@ ssl3_get_finished(SSL *s, int a, int b) CBS cbs; /* should actually be 36+4 :-) */ - n = s->method->internal->ssl_get_message(s, a, b, SSL3_MT_FINISHED, 64, &ok); + n = ssl3_get_message(s, a, b, SSL3_MT_FINISHED, 64, &ok); if (!ok) return ((int)n); 
@@ -378,60 +378,56 @@ ssl3_add_cert(CBB *cbb, X509 *x) } int -ssl3_output_cert_chain(SSL *s, CBB *cbb, X509 *x) +ssl3_output_cert_chain(SSL *s, CBB *cbb, CERT_PKEY *cpk) { - int no_chain = 0; + X509_STORE_CTX *xs_ctx = NULL; + STACK_OF(X509) *chain; CBB cert_list; + X509 *x; int ret = 0; int i; if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) goto err; - if ((s->internal->mode & SSL_MODE_NO_AUTO_CHAIN) || s->ctx->extra_certs) - no_chain = 1; + /* Send an empty certificate list when no certificate is available. */ + if (cpk == NULL) + goto done; - /* TLSv1 sends a chain with nothing in it, instead of an alert. */ - if (x != NULL) { - if (no_chain) { - if (!ssl3_add_cert(&cert_list, x)) - goto err; - } else { - X509_STORE_CTX xs_ctx; + if ((chain = cpk->chain) == NULL) + chain = s->ctx->extra_certs; - if (!X509_STORE_CTX_init(&xs_ctx, s->ctx->cert_store, - x, NULL)) { - SSLerror(s, ERR_R_X509_LIB); - goto err; - } - X509_verify_cert(&xs_ctx); - - /* Don't leave errors in the queue. */ - ERR_clear_error(); - for (i = 0; i < sk_X509_num(xs_ctx.chain); i++) { - x = sk_X509_value(xs_ctx.chain, i); - if (!ssl3_add_cert(&cert_list, x)) { - X509_STORE_CTX_cleanup(&xs_ctx); - goto err; - } - } - X509_STORE_CTX_cleanup(&xs_ctx); + if (chain != NULL || (s->internal->mode & SSL_MODE_NO_AUTO_CHAIN)) { + if (!ssl3_add_cert(&cert_list, cpk->x509)) + goto err; + } else { + if ((xs_ctx = X509_STORE_CTX_new()) == NULL) + goto err; + if (!X509_STORE_CTX_init(xs_ctx, s->ctx->cert_store, + cpk->x509, NULL)) { + SSLerror(s, ERR_R_X509_LIB); + goto err; } + X509_verify_cert(xs_ctx); + ERR_clear_error(); + chain = xs_ctx->chain; } - /* Thawte special :-) */ - for (i = 0; i < sk_X509_num(s->ctx->extra_certs); i++) { - x = sk_X509_value(s->ctx->extra_certs, i); + for (i = 0; i < sk_X509_num(chain); i++) { + x = sk_X509_value(chain, i); if (!ssl3_add_cert(&cert_list, x)) goto err; } + done: if (!CBB_flush(cbb)) goto err; ret = 1; err: + X509_STORE_CTX_free(xs_ctx); + return (ret); } 
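Review bot: The rewritten `ssl3_output_cert_chain` only short-circuits on `cpk == NULL`; the old code guarded `x != NULL`, so a CERT_PKEY whose `x509` is unset now reaches `ssl3_add_cert(&cert_list, cpk->x509)` or `X509_STORE_CTX_init(..., cpk->x509, NULL)` with a NULL certificate. Unless every caller guarantees `cpk->x509` is set, widen the guard to `if (cpk == NULL || cpk->x509 == NULL) goto done;`. Two smaller points: the result of `X509_verify_cert(xs_ctx)` is ignored and `ERR_clear_error()` runs unconditionally, so a partial chain from a failed build is sent silently (as before, but the old `/* Don't leave errors in the queue. */` comment that explained it was dropped and should come back); and `xs_ctx->chain` reaches into the X509_STORE_CTX struct directly — if an accessor such as `X509_STORE_CTX_get0_chain()` is available in this tree it keeps the file independent of the struct layout.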
@@ -451,6 +447,9 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) CBS cbs; uint8_t u8; + if (SSL_IS_DTLS(s)) + return (dtls1_get_message(s, st1, stn, mt, max, ok)); + if (S3I(s)->tmp.reuse_message) { S3I(s)->tmp.reuse_message = 0; if ((mt >= 0) && (S3I(s)->tmp.message_type != mt)) { @@ -557,7 +556,7 @@ ssl3_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok) /* Feed this message into MAC computation. */ if (s->internal->mac_packet) { - tls1_finish_mac(s, (unsigned char *)s->internal->init_buf->data, + tls1_transcript_record(s, (unsigned char *)s->internal->init_buf->data, s->internal->init_num + 4); if (s->internal->msg_callback) @@ -592,7 +591,7 @@ ssl_cert_type(X509 *x, EVP_PKEY *pkey) i = pk->type; if (i == EVP_PKEY_RSA) { - ret = SSL_PKEY_RSA_ENC; + ret = SSL_PKEY_RSA; } else if (i == EVP_PKEY_EC) { ret = SSL_PKEY_ECC; } else if (i == NID_id_GostR3410_2001 || @@ -687,6 +686,16 @@ err: return (0); } +void +ssl3_release_init_buffer(SSL *s) +{ + BUF_MEM_free(s->internal->init_buf); + s->internal->init_buf = NULL; + s->internal->init_msg = NULL; + s->internal->init_num = 0; + s->internal->init_off = 0; +} + int ssl3_setup_read_buffer(SSL *s) { @@ -700,16 +709,16 @@ ssl3_setup_read_buffer(SSL *s) align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); - if (s->s3->rbuf.buf == NULL) { + if (S3I(s)->rbuf.buf == NULL) { len = SSL3_RT_MAX_PLAIN_LENGTH + SSL3_RT_MAX_ENCRYPTED_OVERHEAD + headerlen + align; - if ((p = malloc(len)) == NULL) + if ((p = calloc(1, len)) == NULL) goto err; - s->s3->rbuf.buf = p; - s->s3->rbuf.len = len; + S3I(s)->rbuf.buf = p; + S3I(s)->rbuf.len = len; } - s->internal->packet = &(s->s3->rbuf.buf[0]); + s->internal->packet = S3I(s)->rbuf.buf; return 1; err: 
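Review bot: `ssl3_release_init_buffer` releases the handshake message buffer with `BUF_MEM_free()`, which does not clear memory, while the record buffers in the next hunk (`ssl3_release_buffer`) are now released with `freezero()`; the init buffer holds complete handshake messages (it is what `tls1_transcript_record` is fed from in this same hunk), so the asymmetry deserves a deliberate decision — either wipe before freeing, e.g. `if (s->internal->init_buf != NULL)` / `explicit_bzero(s->internal->init_buf->data, s->internal->init_buf->max);` ahead of the free, or a comment saying why it is not needed. The new function also lacks a header comment; `/* Free the handshake message buffer and reset the init_* cursor fields. */` is enough. The `malloc` → `calloc(1, len)` change for rbuf (and wbuf in the next hunk) is a good hardening, as it ensures the record buffer never exposes stale heap contents.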
@@ -730,17 +739,17 @@ ssl3_setup_write_buffer(SSL *s) align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1); - if (s->s3->wbuf.buf == NULL) { + if (S3I(s)->wbuf.buf == NULL) { len = s->max_send_fragment + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD + headerlen + align; if (!(s->internal->options & SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)) len += headerlen + align + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD; - if ((p = malloc(len)) == NULL) + if ((p = calloc(1, len)) == NULL) goto err; - s->s3->wbuf.buf = p; - s->s3->wbuf.len = len; + S3I(s)->wbuf.buf = p; + S3I(s)->wbuf.len = len; } return 1; @@ -760,18 +769,22 @@ ssl3_setup_buffers(SSL *s) return 1; } -int -ssl3_release_write_buffer(SSL *s) +void +ssl3_release_buffer(SSL3_BUFFER_INTERNAL *b) { - free(s->s3->wbuf.buf); - s->s3->wbuf.buf = NULL; - return 1; + freezero(b->buf, b->len); + b->buf = NULL; + b->len = 0; } -int +void ssl3_release_read_buffer(SSL *s) { - free(s->s3->rbuf.buf); - s->s3->rbuf.buf = NULL; - return 1; + ssl3_release_buffer(&S3I(s)->rbuf); +} + +void +ssl3_release_write_buffer(SSL *s) +{ + ssl3_release_buffer(&S3I(s)->wbuf); } diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index a244353..43e8331 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_cert.c,v 1.66 2017/08/12 02:55:22 jsing Exp $ */ +/* $OpenBSD: ssl_cert.c,v 1.78 2020/06/05 17:55:24 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -158,18 +158,6 @@ SSL_get_ex_data_X509_STORE_CTX_idx(void) return ssl_x509_store_ctx_idx; } -static void -ssl_cert_set_default_md(CERT *cert) -{ - /* Set digest values to defaults */ - cert->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); - cert->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); - cert->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); -#ifndef OPENSSL_NO_GOST - cert->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); -#endif -} - CERT * ssl_cert_new(void) { 
@@ -180,9 +168,8 @@ ssl_cert_new(void) SSLerrorx(ERR_R_MALLOC_FAILURE); return (NULL); } - ret->key = &(ret->pkeys[SSL_PKEY_RSA_ENC]); + ret->key = &(ret->pkeys[SSL_PKEY_RSA]); ret->references = 1; - ssl_cert_set_default_md(ret); return (ret); } @@ -234,14 +221,6 @@ ssl_cert_dup(CERT *cert) ret->dh_tmp_cb = cert->dh_tmp_cb; ret->dh_tmp_auto = cert->dh_tmp_auto; - if (cert->ecdh_tmp) { - ret->ecdh_tmp = EC_KEY_dup(cert->ecdh_tmp); - if (ret->ecdh_tmp == NULL) { - SSLerrorx(ERR_R_EC_LIB); - goto err; - } - } - for (i = 0; i < SSL_PKEY_NUM; i++) { if (cert->pkeys[i].x509 != NULL) { ret->pkeys[i].x509 = cert->pkeys[i].x509; @@ -261,24 +240,29 @@ ssl_cert_dup(CERT *cert) * (Nothing at the moment, I think.) */ - case SSL_PKEY_RSA_ENC: - case SSL_PKEY_RSA_SIGN: + case SSL_PKEY_RSA: /* We have an RSA key. */ break; - case SSL_PKEY_DH_RSA: - /* We have a DH key. */ - break; - case SSL_PKEY_ECC: /* We have an ECC key */ break; + case SSL_PKEY_GOST01: + /* We have a GOST key */ + break; + default: /* Can't happen. */ SSLerrorx(SSL_R_LIBRARY_BUG); } } + + if (cert->pkeys[i].chain != NULL) { + if ((ret->pkeys[i].chain = + X509_chain_up_ref(cert->pkeys[i].chain)) == NULL) + goto err; + } } /* @@ -287,21 +271,16 @@ ssl_cert_dup(CERT *cert) */ ret->references = 1; - /* - * Set digests to defaults. NB: we don't copy existing values - * as they will be set during handshake. - */ - ssl_cert_set_default_md(ret); return (ret); -err: + err: DH_free(ret->dh_tmp); - EC_KEY_free(ret->ecdh_tmp); for (i = 0; i < SSL_PKEY_NUM; i++) { X509_free(ret->pkeys[i].x509); EVP_PKEY_free(ret->pkeys[i].privatekey); + sk_X509_pop_free(ret->pkeys[i].chain, X509_free); } free (ret); return NULL; 
@@ -321,43 +300,71 @@ ssl_cert_free(CERT *c) return; DH_free(c->dh_tmp); - EC_KEY_free(c->ecdh_tmp); for (i = 0; i < SSL_PKEY_NUM; i++) { X509_free(c->pkeys[i].x509); EVP_PKEY_free(c->pkeys[i].privatekey); + sk_X509_pop_free(c->pkeys[i].chain, X509_free); } free(c); } int -ssl_cert_inst(CERT **o) +ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain) { - /* - * Create a CERT if there isn't already one - * (which cannot really happen, as it is initially created in - * SSL_CTX_new; but the earlier code usually allows for that one - * being non-existant, so we follow that behaviour, as it might - * turn out that there actually is a reason for it -- but I'm - * not sure that *all* of the existing code could cope with - * s->cert being NULL, otherwise we could do without the - * initialization in SSL_CTX_new). - */ + if (c->key == NULL) + return 0; - if (o == NULL) { - SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); - return (0); - } - if (*o == NULL) { - if ((*o = ssl_cert_new()) == NULL) { - SSLerrorx(ERR_R_MALLOC_FAILURE); - return (0); - } - } - return (1); + sk_X509_pop_free(c->key->chain, X509_free); + c->key->chain = chain; + + return 1; } +int +ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain) +{ + STACK_OF(X509) *new_chain = NULL; + + if (chain != NULL) { + if ((new_chain = X509_chain_up_ref(chain)) == NULL) + return 0; + } + if (!ssl_cert_set0_chain(c, new_chain)) { + sk_X509_pop_free(new_chain, X509_free); + return 0; + } + + return 1; +} + +int +ssl_cert_add0_chain_cert(CERT *c, X509 *cert) +{ + if (c->key == NULL) + return 0; + + if (c->key->chain == NULL) { + if ((c->key->chain = sk_X509_new_null()) == NULL) + return 0; + } + if (!sk_X509_push(c->key->chain, cert)) + return 0; + + return 1; +} + +int +ssl_cert_add1_chain_cert(CERT *c, X509 *cert) +{ + if (!ssl_cert_add0_chain_cert(c, cert)) + return 0; + + X509_up_ref(cert); + + return 1; +} SESS_CERT * ssl_sess_cert_new(void) 
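Review bot: The four new chain helpers carry no comments on ownership, and set0/set1 versus add0/add1 differ only in whether the caller keeps its reference; a header per pair would save the next reader a lookup, e.g. `/* set0: takes ownership of chain (may be NULL); set1: takes a new reference to each element. */` and `/* add0: takes ownership of cert; add1: the caller keeps its reference. */`. In ssl_cert_add1_chain_cert the X509_up_ref return value is ignored after the certificate has already been pushed, so a failed up_ref would leave an unowned pointer in c->key->chain; taking the reference before the push and dropping it if the push fails avoids that ordering. ssl_cert_set0_chain also returns 0 when c->key is NULL without freeing chain, which set1 handles for itself but set0 callers need to know.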
@@ -369,7 +376,7 @@ ssl_sess_cert_new(void) SSLerrorx(ERR_R_MALLOC_FAILURE); return NULL; } - ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA_ENC]); + ret->peer_key = &(ret->peer_pkeys[SSL_PKEY_RSA]); ret->references = 1; return ret; @@ -454,21 +461,27 @@ set_client_CA_list(STACK_OF(X509_NAME) **ca_list, } STACK_OF(X509_NAME) * -SSL_dup_CA_list(STACK_OF(X509_NAME) *sk) +SSL_dup_CA_list(const STACK_OF(X509_NAME) *sk) { int i; STACK_OF(X509_NAME) *ret; - X509_NAME *name; + X509_NAME *name = NULL; + + if ((ret = sk_X509_NAME_new_null()) == NULL) + goto err; - ret = sk_X509_NAME_new_null(); for (i = 0; i < sk_X509_NAME_num(sk); i++) { - name = X509_NAME_dup(sk_X509_NAME_value(sk, i)); - if ((name == NULL) || !sk_X509_NAME_push(ret, name)) { - sk_X509_NAME_pop_free(ret, X509_NAME_free); - return (NULL); - } + if ((name = X509_NAME_dup(sk_X509_NAME_value(sk, i))) == NULL) + goto err; + if (!sk_X509_NAME_push(ret, name)) + goto err; } return (ret); + + err: + X509_NAME_free(name); + sk_X509_NAME_pop_free(ret, X509_NAME_free); + return NULL; } void @@ -494,8 +507,7 @@ SSL_get_client_CA_list(const SSL *s) { if (s->internal->type == SSL_ST_CONNECT) { /* We are in the client. */ - if (((s->version >> 8) == SSL3_VERSION_MAJOR) && - (s->s3 != NULL)) + if ((s->version >> 8) == SSL3_VERSION_MAJOR) return (S3I(s)->tmp.ca_names); else return (NULL); diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index 271d77f..fd576ce 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_ciph.c,v 1.98 2018/03/17 14:40:45 jsing Exp $ */ +/* $OpenBSD: ssl_ciph.c,v 1.119 2020/09/13 16:49:05 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -150,49 +150,6 @@ #include "ssl_locl.h" -#define SSL_ENC_DES_IDX 0 -#define SSL_ENC_3DES_IDX 1 -#define SSL_ENC_RC4_IDX 2 -#define SSL_ENC_IDEA_IDX 3 -#define SSL_ENC_NULL_IDX 4 -#define SSL_ENC_AES128_IDX 5 -#define SSL_ENC_AES256_IDX 6 -#define SSL_ENC_CAMELLIA128_IDX 7 -#define SSL_ENC_CAMELLIA256_IDX 8 -#define SSL_ENC_GOST89_IDX 9 -#define SSL_ENC_AES128GCM_IDX 10 -#define SSL_ENC_AES256GCM_IDX 11 -#define SSL_ENC_NUM_IDX 12 - - -static const EVP_CIPHER *ssl_cipher_methods[SSL_ENC_NUM_IDX] = { - NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL -}; - -#define SSL_MD_MD5_IDX 0 -#define SSL_MD_SHA1_IDX 1 -#define SSL_MD_GOST94_IDX 2 -#define SSL_MD_GOST89MAC_IDX 3 -#define SSL_MD_SHA256_IDX 4 -#define SSL_MD_SHA384_IDX 5 -#define SSL_MD_STREEBOG256_IDX 6 -/*Constant SSL_MAX_DIGEST equal to size of digests array should be - * defined in the - * ssl_locl.h */ -#define SSL_MD_NUM_IDX SSL_MAX_DIGEST -static const EVP_MD *ssl_digest_methods[SSL_MD_NUM_IDX] = { - NULL, NULL, NULL, NULL, NULL, NULL, NULL, -}; - -static int ssl_mac_pkey_id[SSL_MD_NUM_IDX] = { - EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_GOSTIMIT, - EVP_PKEY_HMAC, EVP_PKEY_HMAC, EVP_PKEY_HMAC, -}; - -static int ssl_mac_secret_size[SSL_MD_NUM_IDX] = { - 0, 0, 0, 0, 0, 0, 0, -}; - #define CIPHER_ADD 1 #define CIPHER_KILL 2 #define CIPHER_DEL 3 @@ -338,10 +295,6 @@ static const SSL_CIPHER cipher_aliases[] = { }, /* symmetric encryption aliases */ - { - .name = SSL_TXT_DES, - .algorithm_enc = SSL_DES, - }, { .name = SSL_TXT_3DES, .algorithm_enc = SSL_3DES, @@ -350,10 +303,6 @@ static const SSL_CIPHER cipher_aliases[] = { .name = SSL_TXT_RC4, .algorithm_enc = SSL_RC4, }, - { - .name = SSL_TXT_IDEA, - .algorithm_enc = SSL_IDEA, - }, { .name = SSL_TXT_eNULL, .algorithm_enc = SSL_eNULL, 
@@ -442,6 +391,32 @@ static const SSL_CIPHER cipher_aliases[] = { .name = SSL_TXT_TLSV1_2, .algorithm_ssl = SSL_TLSV1_2, }, + { + .name = SSL_TXT_TLSV1_3, + .algorithm_ssl = SSL_TLSV1_3, + }, + + /* cipher suite aliases */ +#ifdef LIBRESSL_HAS_TLS1_3 + { + .valid = 1, + .name = "TLS_AES_128_GCM_SHA256", + .id = TLS1_3_CK_AES_128_GCM_SHA256, + .algorithm_ssl = SSL_TLSV1_3, + }, + { + .valid = 1, + .name = "TLS_AES_256_GCM_SHA384", + .id = TLS1_3_CK_AES_256_GCM_SHA384, + .algorithm_ssl = SSL_TLSV1_3, + }, + { + .valid = 1, + .name = "TLS_CHACHA20_POLY1305_SHA256", + .id = TLS1_3_CK_CHACHA20_POLY1305_SHA256, + .algorithm_ssl = SSL_TLSV1_3, + }, +#endif /* strength classes */ { 
@@ -458,208 +433,97 @@ static const SSL_CIPHER cipher_aliases[] = { }, }; -void -ssl_load_ciphers(void) -{ - ssl_cipher_methods[SSL_ENC_DES_IDX] = - EVP_get_cipherbyname(SN_des_cbc); - ssl_cipher_methods[SSL_ENC_3DES_IDX] = - EVP_get_cipherbyname(SN_des_ede3_cbc); - ssl_cipher_methods[SSL_ENC_RC4_IDX] = - EVP_get_cipherbyname(SN_rc4); - ssl_cipher_methods[SSL_ENC_IDEA_IDX] = NULL; - ssl_cipher_methods[SSL_ENC_AES128_IDX] = - EVP_get_cipherbyname(SN_aes_128_cbc); - ssl_cipher_methods[SSL_ENC_AES256_IDX] = - EVP_get_cipherbyname(SN_aes_256_cbc); - ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] = - EVP_get_cipherbyname(SN_camellia_128_cbc); - ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] = - EVP_get_cipherbyname(SN_camellia_256_cbc); - ssl_cipher_methods[SSL_ENC_GOST89_IDX] = - EVP_get_cipherbyname(SN_gost89_cnt); - - ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] = - EVP_get_cipherbyname(SN_aes_128_gcm); - ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] = - EVP_get_cipherbyname(SN_aes_256_gcm); - - ssl_digest_methods[SSL_MD_MD5_IDX] = - EVP_get_digestbyname(SN_md5); - ssl_mac_secret_size[SSL_MD_MD5_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_MD5_IDX]); - OPENSSL_assert(ssl_mac_secret_size[SSL_MD_MD5_IDX] >= 0); - ssl_digest_methods[SSL_MD_SHA1_IDX] = - EVP_get_digestbyname(SN_sha1); - ssl_mac_secret_size[SSL_MD_SHA1_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_SHA1_IDX]); - OPENSSL_assert(ssl_mac_secret_size[SSL_MD_SHA1_IDX] >= 0); - ssl_digest_methods[SSL_MD_GOST94_IDX] = - EVP_get_digestbyname(SN_id_GostR3411_94); - if (ssl_digest_methods[SSL_MD_GOST94_IDX]) { - ssl_mac_secret_size[SSL_MD_GOST94_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_GOST94_IDX]); - OPENSSL_assert(ssl_mac_secret_size[SSL_MD_GOST94_IDX] >= 0); - } - ssl_digest_methods[SSL_MD_GOST89MAC_IDX] = - EVP_get_digestbyname(SN_id_Gost28147_89_MAC); - if (ssl_mac_pkey_id[SSL_MD_GOST89MAC_IDX]) { - ssl_mac_secret_size[SSL_MD_GOST89MAC_IDX] = 32; - } - - ssl_digest_methods[SSL_MD_SHA256_IDX] = - 
EVP_get_digestbyname(SN_sha256); - ssl_mac_secret_size[SSL_MD_SHA256_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_SHA256_IDX]); - ssl_digest_methods[SSL_MD_SHA384_IDX] = - EVP_get_digestbyname(SN_sha384); - ssl_mac_secret_size[SSL_MD_SHA384_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_SHA384_IDX]); - ssl_digest_methods[SSL_MD_STREEBOG256_IDX] = - EVP_get_digestbyname(SN_id_tc26_gost3411_2012_256); - ssl_mac_secret_size[SSL_MD_STREEBOG256_IDX] = - EVP_MD_size(ssl_digest_methods[SSL_MD_STREEBOG256_IDX]); -} - int -ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, +ssl_cipher_get_evp(const SSL_SESSION *ss, const EVP_CIPHER **enc, const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size) { - const SSL_CIPHER *c; - int i; + *enc = NULL; + *md = NULL; + *mac_pkey_type = NID_undef; + *mac_secret_size = 0; - c = s->cipher; - if (c == NULL) - return (0); + if (ss->cipher == NULL) + return 0; /* * This function does not handle EVP_AEAD. * See ssl_cipher_get_aead_evp instead. 
*/ - if (c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD) - return(0); + if (ss->cipher->algorithm_mac & SSL_AEAD) + return 0; - if ((enc == NULL) || (md == NULL)) - return (0); - - switch (c->algorithm_enc) { - case SSL_DES: - i = SSL_ENC_DES_IDX; - break; + switch (ss->cipher->algorithm_enc) { case SSL_3DES: - i = SSL_ENC_3DES_IDX; + *enc = EVP_des_ede3_cbc(); break; case SSL_RC4: - i = SSL_ENC_RC4_IDX; - break; - case SSL_IDEA: - i = SSL_ENC_IDEA_IDX; + *enc = EVP_rc4(); break; case SSL_eNULL: - i = SSL_ENC_NULL_IDX; + *enc = EVP_enc_null(); break; case SSL_AES128: - i = SSL_ENC_AES128_IDX; + *enc = EVP_aes_128_cbc(); break; case SSL_AES256: - i = SSL_ENC_AES256_IDX; + *enc = EVP_aes_256_cbc(); break; case SSL_CAMELLIA128: - i = SSL_ENC_CAMELLIA128_IDX; + *enc = EVP_camellia_128_cbc(); break; case SSL_CAMELLIA256: - i = SSL_ENC_CAMELLIA256_IDX; + *enc = EVP_camellia_256_cbc(); break; case SSL_eGOST2814789CNT: - i = SSL_ENC_GOST89_IDX; - break; - case SSL_AES128GCM: - i = SSL_ENC_AES128GCM_IDX; - break; - case SSL_AES256GCM: - i = SSL_ENC_AES256GCM_IDX; - break; - default: - i = -1; + *enc = EVP_gost2814789_cnt(); break; } - if ((i < 0) || (i >= SSL_ENC_NUM_IDX)) - *enc = NULL; - else { - if (i == SSL_ENC_NULL_IDX) - *enc = EVP_enc_null(); - else - *enc = ssl_cipher_methods[i]; - } - - switch (c->algorithm_mac) { + switch (ss->cipher->algorithm_mac) { case SSL_MD5: - i = SSL_MD_MD5_IDX; + *md = EVP_md5(); break; case SSL_SHA1: - i = SSL_MD_SHA1_IDX; + *md = EVP_sha1(); break; case SSL_SHA256: - i = SSL_MD_SHA256_IDX; + *md = EVP_sha256(); break; case SSL_SHA384: - i = SSL_MD_SHA384_IDX; - break; - case SSL_GOST94: - i = SSL_MD_GOST94_IDX; + *md = EVP_sha384(); break; case SSL_GOST89MAC: - i = SSL_MD_GOST89MAC_IDX; + *md = EVP_gost2814789imit(); + break; + case SSL_GOST94: + *md = EVP_gostr341194(); break; case SSL_STREEBOG256: - i = SSL_MD_STREEBOG256_IDX; - break; - default: - i = -1; + *md = EVP_streebog256(); break; } - if ((i < 0) || (i >= SSL_MD_NUM_IDX)) { - *md 
= NULL; - if (mac_pkey_type != NULL) - *mac_pkey_type = NID_undef; - if (mac_secret_size != NULL) - *mac_secret_size = 0; - if (c->algorithm_mac == SSL_AEAD) - mac_pkey_type = NULL; + if (*enc == NULL || *md == NULL) + return 0; + + /* + * EVP_CIPH_FLAG_AEAD_CIPHER and EVP_CIPH_GCM_MODE ciphers are not + * supported via EVP_CIPHER (they should be using EVP_AEAD instead). + */ + if (EVP_CIPHER_flags(*enc) & EVP_CIPH_FLAG_AEAD_CIPHER) + return 0; + if (EVP_CIPHER_mode(*enc) == EVP_CIPH_GCM_MODE) + return 0; + + if (ss->cipher->algorithm_mac == SSL_GOST89MAC) { + *mac_pkey_type = EVP_PKEY_GOSTIMIT; + *mac_secret_size = 32; /* XXX */ } else { - *md = ssl_digest_methods[i]; - if (mac_pkey_type != NULL) - *mac_pkey_type = ssl_mac_pkey_id[i]; - if (mac_secret_size != NULL) - *mac_secret_size = ssl_mac_secret_size[i]; + *mac_pkey_type = EVP_PKEY_HMAC; + *mac_secret_size = EVP_MD_size(*md); } - if ((*enc != NULL) && - (*md != NULL || (EVP_CIPHER_flags(*enc)&EVP_CIPH_FLAG_AEAD_CIPHER)) && - (!mac_pkey_type || *mac_pkey_type != NID_undef)) { - const EVP_CIPHER *evp; - - if (s->ssl_version >> 8 != TLS1_VERSION_MAJOR || - s->ssl_version < TLS1_VERSION) - return 1; - - if (c->algorithm_enc == SSL_RC4 && - c->algorithm_mac == SSL_MD5 && - (evp = EVP_get_cipherbyname("RC4-HMAC-MD5"))) - *enc = evp, *md = NULL; - else if (c->algorithm_enc == SSL_AES128 && - c->algorithm_mac == SSL_SHA1 && - (evp = EVP_get_cipherbyname("AES-128-CBC-HMAC-SHA1"))) - *enc = evp, *md = NULL; - else if (c->algorithm_enc == SSL_AES256 && - c->algorithm_mac == SSL_SHA1 && - (evp = EVP_get_cipherbyname("AES-256-CBC-HMAC-SHA1"))) - *enc = evp, *md = NULL; - return (1); - } else - return (0); + return 1; } /* 
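Review bot: The rewritten ssl_cipher_get_evp writes through all four output pointers unconditionally, whereas the removed code guarded mac_pkey_type and mac_secret_size with `if (mac_pkey_type != NULL)` checks, so any caller that still passes NULL for either now dereferences NULL. Either restore the tolerance or state the new contract above the function, e.g. `/* enc, md, mac_pkey_type and mac_secret_size must all be non-NULL. */`. Note also that *enc and *md are assigned before the `*enc == NULL || *md == NULL` and AEAD/GCM rejections, so on a 0 return one of them can be left non-NULL; callers must rely on the return value only, which is worth saying in the same comment. The `/* XXX */` on the 32-byte GOST89MAC secret size gives no hint what is unresolved.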
@@ -667,26 +531,22 @@ ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, * for s->cipher. It returns 1 on success and 0 on error. */ int -ssl_cipher_get_evp_aead(const SSL_SESSION *s, const EVP_AEAD **aead) +ssl_cipher_get_evp_aead(const SSL_SESSION *ss, const EVP_AEAD **aead) { - const SSL_CIPHER *c = s->cipher; - *aead = NULL; - if (c == NULL) + if (ss->cipher == NULL) return 0; - if ((c->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD) == 0) + if ((ss->cipher->algorithm_mac & SSL_AEAD) == 0) return 0; - switch (c->algorithm_enc) { -#ifndef OPENSSL_NO_AES + switch (ss->cipher->algorithm_enc) { case SSL_AES128GCM: *aead = EVP_aead_aes_128_gcm(); return 1; case SSL_AES256GCM: *aead = EVP_aead_aes_256_gcm(); return 1; -#endif case SSL_CHACHA20POLY1305: *aead = EVP_aead_chacha20_poly1305(); return 1; 
@@ -786,26 +646,6 @@ ssl_cipher_get_disabled(unsigned long *mkey, unsigned long *auth, #ifdef SSL_FORBID_ENULL *enc |= SSL_eNULL; #endif - - *enc |= (ssl_cipher_methods[SSL_ENC_DES_IDX ] == NULL) ? SSL_DES : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_3DES_IDX] == NULL) ? SSL_3DES : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_RC4_IDX ] == NULL) ? SSL_RC4 : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_IDEA_IDX] == NULL) ? SSL_IDEA : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_AES128_IDX] == NULL) ? SSL_AES128 : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_AES256_IDX] == NULL) ? SSL_AES256 : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_AES128GCM_IDX] == NULL) ? SSL_AES128GCM : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_AES256GCM_IDX] == NULL) ? SSL_AES256GCM : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA128_IDX] == NULL) ? SSL_CAMELLIA128 : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_CAMELLIA256_IDX] == NULL) ? SSL_CAMELLIA256 : 0; - *enc |= (ssl_cipher_methods[SSL_ENC_GOST89_IDX] == NULL) ? SSL_eGOST2814789CNT : 0; - - *mac |= (ssl_digest_methods[SSL_MD_MD5_IDX ] == NULL) ? SSL_MD5 : 0; - *mac |= (ssl_digest_methods[SSL_MD_SHA1_IDX] == NULL) ? SSL_SHA1 : 0; - *mac |= (ssl_digest_methods[SSL_MD_SHA256_IDX] == NULL) ? SSL_SHA256 : 0; - *mac |= (ssl_digest_methods[SSL_MD_SHA384_IDX] == NULL) ? SSL_SHA384 : 0; - *mac |= (ssl_digest_methods[SSL_MD_GOST94_IDX] == NULL) ? SSL_GOST94 : 0; - *mac |= (ssl_digest_methods[SSL_MD_GOST89MAC_IDX] == NULL) ? SSL_GOST89MAC : 0; - *mac |= (ssl_digest_methods[SSL_MD_STREEBOG256_IDX] == NULL) ? SSL_STREEBOG256 : 0; } static void 
@@ -940,14 +780,13 @@ ssl_cipher_collect_aliases(const SSL_CIPHER **ca_list, int num_of_group_aliases, static void ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey, unsigned long alg_auth, unsigned long alg_enc, unsigned long alg_mac, - unsigned long alg_ssl, unsigned long algo_strength, - int rule, int strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) + unsigned long alg_ssl, unsigned long algo_strength, int rule, + int strength_bits, CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) { CIPHER_ORDER *head, *tail, *curr, *next, *last; const SSL_CIPHER *cp; int reverse = 0; - if (rule == CIPHER_DEL) reverse = 1; /* needed to maintain sorting between currently deleted ciphers */ @@ -971,6 +810,9 @@ ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey, cp = curr->cipher; + if (cipher_id && cp->id != cipher_id) + continue; + /* * Selection criteria is either the value of strength_bits * or the algorithms used. @@ -979,7 +821,6 @@ ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey, if (strength_bits != cp->strength_bits) continue; } else { - if (alg_mkey && !(alg_mkey & cp->algorithm_mkey)) continue; if (alg_auth && !(alg_auth & cp->algorithm_auth)) @@ -994,7 +835,6 @@ ssl_cipher_apply_rule(unsigned long cipher_id, unsigned long alg_mkey, continue; } - /* add the cipher if it has not been added yet. */ if (rule == CIPHER_ADD) { /* reverse == 0 */ @@ -1089,7 +929,7 @@ ssl_cipher_strength_sort(CIPHER_ORDER **head_p, CIPHER_ORDER **tail_p) static int ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, - CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list) + CIPHER_ORDER **tail_p, const SSL_CIPHER **ca_list, int *tls13_seen) { unsigned long alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl; unsigned long algo_strength; @@ -1098,6 +938,8 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, const char *l, *buf; char ch; + *tls13_seen = 0; + retval = 1; l = rule_str; for (;;) { 
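Review bot: `*tls13_seen = 0;` at the top of ssl_cipher_process_rulestr resets the flag on every call, and ssl_create_cipher_list calls this function twice for a rule string starting with DEFAULT (once for SSL_DEFAULT_CIPHER_LIST, then for the remainder), so anything the first pass recorded is discarded by the second. The caller already initialises `int tls13_seen = 0;`, so the line can simply be dropped and the function left to only ever set the flag. Whether this is observable today depends on SSL_DEFAULT_CIPHER_LIST containing a TLSv1.3 reference, which is not visible here; the structure is fragile either way.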
@@ -1141,7 +983,8 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, while (((ch >= 'A') && (ch <= 'Z')) || ((ch >= '0') && (ch <= '9')) || ((ch >= 'a') && (ch <= 'z')) || - (ch == '-') || (ch == '.')) { + (ch == '-') || (ch == '.') || + (ch == '_')) { ch = *(++l); buflen++; } @@ -1265,6 +1108,8 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, * pattern! */ cipher_id = ca_list[j]->id; + if (ca_list[j]->algorithm_ssl == SSL_TLSV1_3) + *tls13_seen = 1; } else { /* * not an explicit ciphersuite; only in this @@ -1310,6 +1155,8 @@ ssl_cipher_process_rulestr(const char *rule_str, CIPHER_ORDER **head_p, while ((*l != '\0') && !ITEM_SEP(*l)) l++; } else if (found) { + if (alg_ssl == SSL_TLSV1_3) + *tls13_seen = 1; ssl_cipher_apply_rule(cipher_id, alg_mkey, alg_auth, alg_enc, alg_mac, alg_ssl, algo_strength, rule, -1, head_p, tail_p); @@ -1337,20 +1184,24 @@ ssl_aes_is_accelerated(void) STACK_OF(SSL_CIPHER) * ssl_create_cipher_list(const SSL_METHOD *ssl_method, STACK_OF(SSL_CIPHER) **cipher_list, - STACK_OF(SSL_CIPHER) **cipher_list_by_id, + STACK_OF(SSL_CIPHER) *cipher_list_tls13, const char *rule_str) { int ok, num_of_ciphers, num_of_alias_max, num_of_group_aliases; unsigned long disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl; - STACK_OF(SSL_CIPHER) *cipherstack, *tmp_cipher_list; + STACK_OF(SSL_CIPHER) *cipherstack; const char *rule_p; CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; + const SSL_CIPHER *cipher; + int tls13_seen = 0; + int any_active; + int i; /* * Return with error if nothing to do. */ - if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) + if (rule_str == NULL || cipher_list == NULL) return NULL; /* 
@@ -1372,8 +1223,8 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, - disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl, - co_list, &head, &tail); + disabled_mkey, disabled_auth, disabled_enc, disabled_mac, disabled_ssl, + co_list, &head, &tail); /* Now arrange all ciphers by preference: */ @@ -1382,7 +1233,7 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_ADD, -1, &head, &tail); ssl_cipher_apply_rule(0, SSL_kECDHE, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); - if (ssl_aes_is_accelerated() == 1) { + if (ssl_aes_is_accelerated()) { /* * We have hardware assisted AES - prefer AES as a symmetric * cipher, with CHACHA20 second. @@ -1429,6 +1280,9 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, /* Now disable everything (maintaining the ordering!) */ ssl_cipher_apply_rule(0, 0, 0, 0, 0, 0, 0, CIPHER_DEL, -1, &head, &tail); + /* TLSv1.3 first. */ + ssl_cipher_apply_rule(0, 0, 0, 0, 0, SSL_TLSV1_3, 0, CIPHER_ADD, -1, &head, &tail); + ssl_cipher_apply_rule(0, 0, 0, 0, 0, SSL_TLSV1_3, 0, CIPHER_DEL, -1, &head, &tail); /* * We also need cipher aliases for selecting based on the rule_str. @@ -1446,9 +1300,8 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, SSLerrorx(ERR_R_MALLOC_FAILURE); return(NULL); /* Failure */ } - ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, - disabled_mkey, disabled_auth, disabled_enc, - disabled_mac, disabled_ssl, head); + ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, + disabled_auth, disabled_enc, disabled_mac, disabled_ssl, head); /* * If the rule_string begins with DEFAULT, apply the default rule 
@@ -1458,14 +1311,15 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, rule_p = rule_str; if (strncmp(rule_str, "DEFAULT", 7) == 0) { ok = ssl_cipher_process_rulestr(SSL_DEFAULT_CIPHER_LIST, - &head, &tail, ca_list); + &head, &tail, ca_list, &tls13_seen); rule_p += 7; if (*rule_p == ':') rule_p++; } if (ok && (strlen(rule_p) > 0)) - ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list); + ok = ssl_cipher_process_rulestr(rule_p, &head, &tail, ca_list, + &tls13_seen); free((void *)ca_list); /* Not needed anymore */ 
@@ -1484,30 +1338,41 @@ ssl_create_cipher_list(const SSL_METHOD *ssl_method, return (NULL); } + /* Prefer TLSv1.3 cipher suites. */ + if (cipher_list_tls13 != NULL) { + for (i = 0; i < sk_SSL_CIPHER_num(cipher_list_tls13); i++) { + cipher = sk_SSL_CIPHER_value(cipher_list_tls13, i); + sk_SSL_CIPHER_push(cipherstack, cipher); + } + tls13_seen = 1; + } + /* * The cipher selection for the list is done. The ciphers are added * to the resulting precedence to the STACK_OF(SSL_CIPHER). + * + * If the rule string did not contain any references to TLSv1.3 and + * TLSv1.3 cipher suites have not been configured separately, + * include inactive TLSv1.3 cipher suites. This avoids attempts to + * use TLSv1.3 with an older rule string that does not include + * TLSv1.3 cipher suites. If the rule string resulted in no active + * cipher suites then we return an empty stack. */ + any_active = 0; for (curr = head; curr != NULL; curr = curr->next) { - if (curr->active) { + if (curr->active || + (!tls13_seen && curr->cipher->algorithm_ssl == SSL_TLSV1_3)) sk_SSL_CIPHER_push(cipherstack, curr->cipher); - } + any_active |= curr->active; } + if (!any_active) + sk_SSL_CIPHER_zero(cipherstack); + free(co_list); /* Not needed any longer */ - tmp_cipher_list = sk_SSL_CIPHER_dup(cipherstack); - if (tmp_cipher_list == NULL) { - sk_SSL_CIPHER_free(cipherstack); - return NULL; - } sk_SSL_CIPHER_free(*cipher_list); *cipher_list = cipherstack; - sk_SSL_CIPHER_free(*cipher_list_by_id); - *cipher_list_by_id = tmp_cipher_list; - (void)sk_SSL_CIPHER_set_cmp_func(*cipher_list_by_id, - ssl_cipher_ptr_id_cmp); - sk_SSL_CIPHER_sort(*cipher_list_by_id); return (cipherstack); } @@ -1543,6 +1408,8 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) ver = "SSLv3"; else if (alg_ssl & SSL_TLSV1_2) ver = "TLSv1.2"; + else if (alg_ssl & SSL_TLSV1_3) + ver = "TLSv1.3"; else ver = "unknown"; 
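Review bot: The new loop that copies cipher_list_tls13 into cipherstack ignores the return value of sk_SSL_CIPHER_push, so an allocation failure silently yields a list missing some or all of the configured TLSv1.3 suites instead of an error. The failed-allocation exit just above (`return (NULL)`) suggests the same shape: `if (!sk_SSL_CIPHER_push(cipherstack, cipher)) { sk_SSL_CIPHER_free(cipherstack); free(co_list); return NULL; }`, though the exact cleanup owed at that point is partly outside the hunk. Separately, `sk_SSL_CIPHER_zero(cipherstack)` on `!any_active` also discards the suites pushed from cipher_list_tls13, which the comment above it does not mention; if that is intended, extend the comment with `including any separately configured TLSv1.3 suites`.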
@@ -1559,6 +1426,9 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_kGOST: kx = "GOST"; break; + case SSL_kTLS1_3: + kx = "TLSv1.3"; + break; default: kx = "unknown"; } @@ -1579,24 +1449,21 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) case SSL_aGOST01: au = "GOST01"; break; + case SSL_aTLS1_3: + au = "TLSv1.3"; + break; default: au = "unknown"; break; } switch (alg_enc) { - case SSL_DES: - enc = "DES(56)"; - break; case SSL_3DES: enc = "3DES(168)"; break; case SSL_RC4: enc = alg2 & SSL2_CF_8_BYTE_ENC ? "RC4(64)" : "RC4(128)"; break; - case SSL_IDEA: - enc = "IDEA(128)"; - break; case SSL_eNULL: enc = "None"; break; @@ -1674,7 +1541,7 @@ SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) return (ret); } -char * +const char * SSL_CIPHER_get_version(const SSL_CIPHER *c) { if (c == NULL) diff --git a/ssl/ssl_ciphers.c b/ssl/ssl_ciphers.c new file mode 100644 index 0000000..399e274 --- /dev/null +++ b/ssl/ssl_ciphers.c 
@@ -0,0 +1,296 @@ +/* $OpenBSD: ssl_ciphers.c,v 1.9 2020/09/15 15:28:38 schwarze Exp $ */ +/* + * Copyright (c) 2015-2017 Doug Hogan + * Copyright (c) 2015-2018, 2020 Joel Sing + * Copyright (c) 2019 Theo Buehler + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include "bytestring.h" +#include "ssl_locl.h" + +int +ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher) +{ + int i; + + for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { + if (sk_SSL_CIPHER_value(ciphers, i)->id == cipher->id) + return 1; + } + + return 0; +} + +int +ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, uint16_t min_ver, + uint16_t max_ver) +{ + /* XXX: We only support DTLSv1 which is effectively TLSv1.1 */ + if (min_ver == DTLS1_VERSION || max_ver == DTLS1_VERSION) + min_ver = max_ver = TLS1_1_VERSION; + + switch(cipher->algorithm_ssl) { + case SSL_SSLV3: + if (min_ver <= TLS1_2_VERSION) + return 1; + break; + case SSL_TLSV1_2: + if (min_ver <= TLS1_2_VERSION && TLS1_2_VERSION <= max_ver) + return 1; + break; + case SSL_TLSV1_3: + if (min_ver <= TLS1_3_VERSION && TLS1_3_VERSION <= max_ver) + return 1; + break; + } + + return 0; +} + +int +ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb) +{ + SSL_CIPHER *cipher; + int num_ciphers = 
0; + uint16_t min_vers, max_vers; + int i; + + if (ciphers == NULL) + return 0; + + if (!ssl_supported_version_range(s, &min_vers, &max_vers)) + return 0; + + for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { + if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL) + return 0; + if (!ssl_cipher_allowed_in_version_range(cipher, min_vers, + max_vers)) + continue; + if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher))) + return 0; + + num_ciphers++; + } + + /* Add SCSV if there are other ciphers and we're not renegotiating. */ + if (num_ciphers > 0 && !s->internal->renegotiate) { + if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK)) + return 0; + } + + if (!CBB_flush(cbb)) + return 0; + + return 1; +} + +STACK_OF(SSL_CIPHER) * +ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) +{ + STACK_OF(SSL_CIPHER) *ciphers = NULL; + const SSL_CIPHER *cipher; + uint16_t cipher_value, max_version; + unsigned long cipher_id; + + S3I(s)->send_connection_binding = 0; + + if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) { + SSLerror(s, ERR_R_MALLOC_FAILURE); + goto err; + } + + while (CBS_len(cbs) > 0) { + if (!CBS_get_u16(cbs, &cipher_value)) { + SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); + goto err; + } + + cipher_id = SSL3_CK_ID | cipher_value; + + if (cipher_id == SSL3_CK_SCSV) { + /* + * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if + * renegotiating. + */ + if (s->internal->renegotiate) { + SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); + ssl3_send_alert(s, SSL3_AL_FATAL, + SSL_AD_HANDSHAKE_FAILURE); + + goto err; + } + S3I(s)->send_connection_binding = 1; + continue; + } + + if (cipher_id == SSL3_CK_FALLBACK_SCSV) { + /* + * TLS_FALLBACK_SCSV indicates that the client + * previously tried a higher protocol version. + * Fail if the current version is an unexpected + * downgrade. 
+ */ + if (!ssl_downgrade_max_version(s, &max_version)) + goto err; + if (s->version < max_version) { + SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); + ssl3_send_alert(s, SSL3_AL_FATAL, + SSL_AD_INAPPROPRIATE_FALLBACK); + goto err; + } + continue; + } + + if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) { + if (!sk_SSL_CIPHER_push(ciphers, cipher)) { + SSLerror(s, ERR_R_MALLOC_FAILURE); + goto err; + } + } + } + + return (ciphers); + + err: + sk_SSL_CIPHER_free(ciphers); + + return (NULL); +} + +struct ssl_tls13_ciphersuite { + const char *name; + const char *alias; + unsigned long cid; +}; + +static const struct ssl_tls13_ciphersuite ssl_tls13_ciphersuites[] = { + { + .name = TLS1_3_TXT_AES_128_GCM_SHA256, + .alias = "TLS_AES_128_GCM_SHA256", + .cid = TLS1_3_CK_AES_128_GCM_SHA256, + }, + { + .name = TLS1_3_TXT_AES_256_GCM_SHA384, + .alias = "TLS_AES_256_GCM_SHA384", + .cid = TLS1_3_CK_AES_256_GCM_SHA384, + }, + { + .name = TLS1_3_TXT_CHACHA20_POLY1305_SHA256, + .alias = "TLS_CHACHA20_POLY1305_SHA256", + .cid = TLS1_3_CK_CHACHA20_POLY1305_SHA256, + }, + { + .name = TLS1_3_TXT_AES_128_CCM_SHA256, + .alias = "TLS_AES_128_CCM_SHA256", + .cid = TLS1_3_CK_AES_128_CCM_SHA256, + }, + { + .name = TLS1_3_TXT_AES_128_CCM_8_SHA256, + .alias = "TLS_AES_128_CCM_8_SHA256", + .cid = TLS1_3_CK_AES_128_CCM_8_SHA256, + }, + { + .name = NULL, + }, +}; + +int +ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str) +{ + const struct ssl_tls13_ciphersuite *ciphersuite; + STACK_OF(SSL_CIPHER) *ciphers; + const SSL_CIPHER *cipher; + char *s = NULL; + char *p, *q; + int i; + int ret = 0; + + if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) + goto err; + + /* An empty string is valid and means no ciphers. 
*/ + if (strcmp(str, "") == 0) + goto done; + + if ((s = strdup(str)) == NULL) + goto err; + + q = s; + while ((p = strsep(&q, ":")) != NULL) { + ciphersuite = &ssl_tls13_ciphersuites[0]; + for (i = 0; ciphersuite->name != NULL; i++) { + if (strcmp(p, ciphersuite->name) == 0) + break; + if (strcmp(p, ciphersuite->alias) == 0) + break; + ciphersuite = &ssl_tls13_ciphersuites[i]; + } + if (ciphersuite->name == NULL) + goto err; + + /* We know about the cipher suite, but it is not supported. */ + if ((cipher = ssl3_get_cipher_by_id(ciphersuite->cid)) == NULL) + continue; + + if (!sk_SSL_CIPHER_push(ciphers, cipher)) + goto err; + } + + done: + sk_SSL_CIPHER_free(*out_ciphers); + *out_ciphers = ciphers; + ciphers = NULL; + ret = 1; + + err: + sk_SSL_CIPHER_free(ciphers); + free(s); + + return ret; +} + +int +ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist, + STACK_OF(SSL_CIPHER) *cipherlist_tls13, + STACK_OF(SSL_CIPHER) **out_cipherlist) +{ + STACK_OF(SSL_CIPHER) *ciphers = NULL; + const SSL_CIPHER *cipher; + int i, ret = 0; + + if ((ciphers = sk_SSL_CIPHER_dup(cipherlist_tls13)) == NULL) + goto err; + for (i = 0; i < sk_SSL_CIPHER_num(cipherlist); i++) { + cipher = sk_SSL_CIPHER_value(cipherlist, i); + if (cipher->algorithm_ssl == SSL_TLSV1_3) + continue; + if (!sk_SSL_CIPHER_push(ciphers, cipher)) + goto err; + } + + sk_SSL_CIPHER_free(*out_cipherlist); + *out_cipherlist = ciphers; + ciphers = NULL; + + ret = 1; + + err: + sk_SSL_CIPHER_free(ciphers); + + return ret; +} diff --git a/ssl/ssl_clnt.c b/ssl/ssl_clnt.c index 10dbe83..f11dcaa 100644 --- a/ssl/ssl_clnt.c +++ b/ssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.23 2018/02/08 11:30:30 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.73 2020/09/24 18:12:00 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
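Review bot: The lookup loop in ssl_parse_ciphersuites advances `ciphersuite` with the index that was already consumed (`ciphersuite = &ssl_tls13_ciphersuites[i]` after entry i-1 was compared via i), so entry 0 is compared twice and every later entry is reached one iteration late; the result is still correct, but the indirection is hard to read. A plain pointer walk says the same thing: `for (ciphersuite = ssl_tls13_ciphersuites; ciphersuite->name != NULL; ciphersuite++) { if (strcmp(p, ciphersuite->name) == 0 || strcmp(p, ciphersuite->alias) == 0) break; }`. Also note that a known-but-unsupported suite is silently skipped while an unknown name is an error, and that ssl_merge_cipherlists calls sk_SSL_CIPHER_dup on cipherlist_tls13 without a NULL check; both are fine if callers always supply a list, but each function should say so in a short header comment.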
@@ -170,6 +170,7 @@ #endif #include "bytestring.h" +#include "ssl_sigalgs.h" #include "ssl_tlsext.h" static int ca_dn_cmp(const X509_NAME * const *a, const X509_NAME * const *b); @@ -243,11 +244,9 @@ ssl3_connect(SSL *s) /* don't push the buffering BIO quite yet */ - if (!SSL_IS_DTLS(s)) { - if (!tls1_init_finished_mac(s)) { - ret = -1; - goto end; - } + if (!tls1_transcript_init(s)) { + ret = -1; + goto end; } S3I(s)->hs.state = SSL3_ST_CW_CLNT_HELLO_A; @@ -269,10 +268,7 @@ ssl3_connect(SSL *s) if (SSL_IS_DTLS(s)) { /* every DTLS ClientHello resets Finished MAC */ - if (!tls1_init_finished_mac(s)) { - ret = -1; - goto end; - } + tls1_transcript_reset(s); dtls1_start_timer(s); } @@ -308,6 +304,9 @@ ssl3_connect(SSL *s) /* receive renewed session ticket */ S3I(s)->hs.state = SSL3_ST_CR_SESSION_TICKET_A; } + + /* No client certificate verification. */ + tls1_transcript_free(s); } } else if (SSL_IS_DTLS(s)) { S3I(s)->hs.state = DTLS1_ST_CR_HELLO_VERIFY_REQUEST_A; @@ -510,15 +509,8 @@ ssl3_connect(SSL *s) S3I(s)->hs.state = SSL3_ST_CW_FLUSH; /* clear flags */ - s->s3->flags &= ~SSL3_FLAGS_POP_BUFFER; if (s->internal->hit) { S3I(s)->hs.next_state = SSL_ST_OK; - if (s->s3->flags & - SSL3_FLAGS_DELAY_CLIENT_FINISHED) { - S3I(s)->hs.state = SSL_ST_OK; - s->s3->flags |= SSL3_FLAGS_POP_BUFFER; - S3I(s)->delay_buf_pop_ret = 0; - } } else { /* Allow NewSessionTicket if ticket expected */ if (s->internal->tlsext_ticket_expected) 
@@ -590,18 +582,16 @@ ssl3_connect(SSL *s) /* clean a few things up */ tls1_cleanup_key_block(s); - if (!SSL_IS_DTLS(s)) { - BUF_MEM_free(s->internal->init_buf); - s->internal->init_buf = NULL; + if (S3I(s)->handshake_transcript != NULL) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; } - /* - * If we are not 'joining' the last two packets, - * remove the buffering now - */ - if (!(s->s3->flags & SSL3_FLAGS_POP_BUFFER)) - ssl_free_wbio_buffer(s); - /* else do it later in ssl3_write */ + if (!SSL_IS_DTLS(s)) + ssl3_release_init_buffer(s); + + ssl_free_wbio_buffer(s); s->internal->init_num = 0; s->internal->renegotiate = 0; @@ -696,7 +686,7 @@ ssl3_send_client_hello(SSL *s) if (!SSL_IS_DTLS(s) || D1I(s)->send_cookie == 0) arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); - if (!ssl3_handshake_msg_start_cbb(s, &cbb, &client_hello, + if (!ssl3_handshake_msg_start(s, &cbb, &client_hello, SSL3_MT_CLIENT_HELLO)) goto err; @@ -783,12 +773,12 @@ ssl3_send_client_hello(SSL *s) goto err; /* TLS extensions */ - if (!tlsext_clienthello_build(s, &client_hello)) { + if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, &client_hello)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } - if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) + if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; S3I(s)->hs.state = SSL3_ST_CW_CLNT_HELLO_B; @@ -810,16 +800,15 @@ ssl3_get_server_hello(SSL *s) uint16_t server_version, cipher_suite; uint16_t min_version, max_version; uint8_t compression_method; - STACK_OF(SSL_CIPHER) *sk; const SSL_CIPHER *cipher; const SSL_METHOD *method; unsigned long alg_k; size_t outlen; - int i, al, ok; + int al, ok; long n; s->internal->first_packet = 1; - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, + n = ssl3_get_message(s, SSL3_ST_CR_SRVR_HELLO_A, SSL3_ST_CR_SRVR_HELLO_B, -1, 20000, /* ?? */ &ok); if (!ok) return ((int)n); 
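Review bot: The new `if (S3I(s)->handshake_transcript != NULL)` check in the SSL_ST_OK branch turns a leftover transcript into a fatal `ERR_R_INTERNAL_ERROR` without saying why that is an error rather than a leak to be cleaned up. The other hunks in this file release the transcript on every path that no longer needs it (after CertificateVerify is sent, when there is no client certificate, when sigalgs are not in use), so the intent appears to be an invariant check; a comment such as `/* Every handshake path must have released the transcript by now; a leftover indicates a state machine bug. */` would make that explicit for the next reader. `ssl3_connect` begins and ends outside this hunk.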
@@ -866,9 +855,7 @@ ssl3_get_server_hello(SSL *s) } s->version = server_version; - if ((method = tls1_get_client_method(server_version)) == NULL) - method = dtls1_get_client_method(server_version); - if (method == NULL) { + if ((method = ssl_get_client_method(server_version)) == NULL) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } @@ -881,12 +868,37 @@ ssl3_get_server_hello(SSL *s) sizeof(s->s3->server_random), NULL)) goto err; + if (!ssl_downgrade_max_version(s, &max_version)) + goto err; + if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION && + s->version < max_version) { + /* + * RFC 8446 section 4.1.3. We must not downgrade if the server + * random value contains the TLS 1.2 or TLS 1.1 magical value. + */ + if (!CBS_skip(&server_random, + CBS_len(&server_random) - sizeof(tls13_downgrade_12))) + goto err; + if (s->version == TLS1_2_VERSION && + CBS_mem_equal(&server_random, tls13_downgrade_12, + sizeof(tls13_downgrade_12))) { + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); + goto f_err; + } + if (CBS_mem_equal(&server_random, tls13_downgrade_11, + sizeof(tls13_downgrade_11))) { + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); + goto f_err; + } + } + /* Session ID. */ if (!CBS_get_u8_length_prefixed(&cbs, &session_id)) goto truncated; - if ((CBS_len(&session_id) > sizeof(s->session->session_id)) || - (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE)) { + if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE) { al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG); goto f_err; @@ -964,9 +976,7 @@ ssl3_get_server_hello(SSL *s) goto f_err; } - sk = ssl_get_ciphers_by_id(s); - i = sk_SSL_CIPHER_find(sk, cipher); - if (i < 0) { + if (!ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) { /* we did not say we would use this cipher */ al = SSL_AD_ILLEGAL_PARAMETER; SSLerror(s, SSL_R_WRONG_CIPHER_RETURNED); 
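Review bot: The `tls13_downgrade_12` sentinel is only compared when `s->version == TLS1_2_VERSION`, but RFC 8446 section 4.1.3 requires a client that offered TLS 1.3 and receives a ServerHello for TLS 1.2 or below to reject either sentinel value, so a server selecting TLS 1.1 with the 1.2 sentinel in its random currently passes this check. Keying the first comparison on the client's maximum instead, `if (max_version >= TLS1_3_VERSION && CBS_mem_equal(&server_random, tls13_downgrade_12, sizeof(tls13_downgrade_12)))`, follows the RFC wording; the second comparison already covers the TLS 1.2 client case. The `CBS_skip` length arithmetic is safe only because `server_random` was parsed as exactly `SSL3_RANDOM_SIZE` bytes a few lines earlier (outside this hunk); a one-line comment saying so would save the next reader the check. `ssl3_get_server_hello` begins and ends outside the hunk.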
@@ -987,7 +997,7 @@ ssl3_get_server_hello(SSL *s) } S3I(s)->hs.new_cipher = cipher; - if (!tls1_handshake_hash_init(s)) + if (!tls1_transcript_hash_init(s)) goto err; /* @@ -995,11 +1005,8 @@ ssl3_get_server_hello(SSL *s) * client authentication. */ alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; - if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) && - !tls1_digest_cached_records(s)) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } + if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST))) + tls1_transcript_free(s); if (!CBS_get_u8(&cbs, &compression_method)) goto truncated; @@ -1010,7 +1017,7 @@ ssl3_get_server_hello(SSL *s) goto f_err; } - if (!tlsext_serverhello_parse(s, &cbs, &al)) { + if (!tlsext_client_parse(s, SSL_TLSEXT_MSG_SH, &cbs, &al)) { SSLerror(s, SSL_R_PARSE_TLSEXT); goto f_err; } @@ -1059,9 +1066,8 @@ ssl3_get_server_certificate(SSL *s) SESS_CERT *sc; EVP_PKEY *pkey = NULL; - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_CERT_A, + n = ssl3_get_message(s, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list, &ok); - if (!ok) return ((int)n); @@ -1202,9 +1208,9 @@ err: } static int -ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) +ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) { - CBS cbs, dhp, dhg, dhpk; + CBS dhp, dhg, dhpk; BN_CTX *bn_ctx = NULL; SESS_CERT *sc = NULL; DH *dh = NULL; 
@@ -1214,31 +1220,26 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) alg_a = S3I(s)->hs.new_cipher->algorithm_auth; sc = SSI(s)->sess_cert; - if (*nn < 0) - goto err; - - CBS_init(&cbs, *pp, *nn); - if ((dh = DH_new()) == NULL) { SSLerror(s, ERR_R_DH_LIB); goto err; } - if (!CBS_get_u16_length_prefixed(&cbs, &dhp)) + if (!CBS_get_u16_length_prefixed(cbs, &dhp)) goto truncated; if ((dh->p = BN_bin2bn(CBS_data(&dhp), CBS_len(&dhp), NULL)) == NULL) { SSLerror(s, ERR_R_BN_LIB); goto err; } - if (!CBS_get_u16_length_prefixed(&cbs, &dhg)) + if (!CBS_get_u16_length_prefixed(cbs, &dhg)) goto truncated; if ((dh->g = BN_bin2bn(CBS_data(&dhg), CBS_len(&dhg), NULL)) == NULL) { SSLerror(s, ERR_R_BN_LIB); goto err; } - if (!CBS_get_u16_length_prefixed(&cbs, &dhpk)) + if (!CBS_get_u16_length_prefixed(cbs, &dhpk)) goto truncated; if ((dh->pub_key = BN_bin2bn(CBS_data(&dhpk), CBS_len(&dhpk), NULL)) == NULL) { @@ -1256,16 +1257,13 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) } if (alg_a & SSL_aRSA) - *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509); + *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA].x509); else /* XXX - Anonymous DH, so no certificate or pkey. */ *pkey = NULL; sc->peer_dh_tmp = dh; - *nn = CBS_len(&cbs); - *pp = (unsigned char *)CBS_data(&cbs); - return (1); truncated: 
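Review bot: Nothing in this hunk bounds the server's DH parameters: `p`, `g` and `pub_key` are accepted at whatever length the three u16 vectors carry, and `BN_bin2bn` turns an empty vector into a zero value rather than failing. If the size and sanity check lives in the context after the hunk (the function continues past it), a short comment before the first `CBS_get_u16_length_prefixed` pointing at it would help; if it does not, a minimum `DH_size(dh)` check that fails with `SSL_AD_INSUFFICIENT_SECURITY` belongs here before the parameters are stored in `sc->peer_dh_tmp`. `ssl3_get_server_kex_dhe` begins and ends outside this hunk.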
@@ -1283,56 +1281,27 @@ ssl3_get_server_kex_dhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) static int ssl3_get_server_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, int nid, CBS *public) { - const EC_GROUP *group; - EC_GROUP *ngroup = NULL; - EC_POINT *point = NULL; - BN_CTX *bn_ctx = NULL; EC_KEY *ecdh = NULL; int ret = -1; - /* - * Extract the server's ephemeral ECDH public key. - */ - + /* Extract the server's ephemeral ECDH public key. */ if ((ecdh = EC_KEY_new()) == NULL) { SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } - - if ((ngroup = EC_GROUP_new_by_curve_name(nid)) == NULL) { - SSLerror(s, ERR_R_EC_LIB); - goto err; - } - if (EC_KEY_set_group(ecdh, ngroup) == 0) { - SSLerror(s, ERR_R_EC_LIB); - goto err; - } - - group = EC_KEY_get0_group(ecdh); - - if ((point = EC_POINT_new(group)) == NULL || - (bn_ctx = BN_CTX_new()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - - if (EC_POINT_oct2point(group, point, CBS_data(public), - CBS_len(public), bn_ctx) == 0) { + if (!ssl_kex_peer_public_ecdhe_ecp(ecdh, nid, public)) { SSLerror(s, SSL_R_BAD_ECPOINT); ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); goto err; } - EC_KEY_set_public_key(ecdh, point); + sc->peer_nid = nid; sc->peer_ecdh_tmp = ecdh; ecdh = NULL; ret = 1; err: - BN_CTX_free(bn_ctx); - EC_GROUP_free(ngroup); - EC_POINT_free(point); EC_KEY_free(ecdh); return (ret); @@ -1366,9 +1335,9 @@ ssl3_get_server_kex_ecdhe_ecx(SSL *s, SESS_CERT *sc, int nid, CBS *public) } static int -ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) +ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, CBS *cbs) { - CBS cbs, public; + CBS public; uint8_t curve_type; uint16_t curve_id; SESS_CERT *sc; 
@@ -1379,15 +1348,10 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) alg_a = S3I(s)->hs.new_cipher->algorithm_auth; sc = SSI(s)->sess_cert; - if (*nn < 0) - goto err; - - CBS_init(&cbs, *pp, *nn); - /* Only named curves are supported. */ - if (!CBS_get_u8(&cbs, &curve_type) || + if (!CBS_get_u8(cbs, &curve_type) || curve_type != NAMED_CURVE_TYPE || - !CBS_get_u16(&cbs, &curve_id)) { + !CBS_get_u16(cbs, &curve_id)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_LENGTH_TOO_SHORT); goto f_err; @@ -1409,7 +1373,7 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) goto f_err; } - if (!CBS_get_u8_length_prefixed(&cbs, &public)) + if (!CBS_get_u8_length_prefixed(cbs, &public)) goto truncated; if (nid == NID_X25519) { @@ -1426,16 +1390,13 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) * and ECDSA. */ if (alg_a & SSL_aRSA) - *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA_ENC].x509); + *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_RSA].x509); else if (alg_a & SSL_aECDSA) *pkey = X509_get_pubkey(sc->peer_pkeys[SSL_PKEY_ECC].x509); else /* XXX - Anonymous ECDH, so no certificate or pkey. */ *pkey = NULL; - *nn = CBS_len(&cbs); - *pp = (unsigned char *)CBS_data(&cbs); - return (1); truncated: @@ -1452,14 +1413,16 @@ ssl3_get_server_kex_ecdhe(SSL *s, EVP_PKEY **pkey, unsigned char **pp, long *nn) int ssl3_get_server_key_exchange(SSL *s) { - unsigned char *q, md_buf[EVP_MAX_MD_SIZE*2]; - EVP_MD_CTX md_ctx; - unsigned char *param, *p; - int al, i, j, param_len, ok; - long n, alg_k, alg_a; - EVP_PKEY *pkey = NULL; - const EVP_MD *md = NULL; - RSA *rsa = NULL; + CBS cbs, signature; + const EVP_MD *md = NULL; + EVP_PKEY *pkey = NULL; + EVP_MD_CTX md_ctx; + const unsigned char *param; + long n, alg_k, alg_a; + int al, ok; + size_t param_len; + + EVP_MD_CTX_init(&md_ctx); alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; alg_a = S3I(s)->hs.new_cipher->algorithm_auth; 
@@ -1468,12 +1431,15 @@ ssl3_get_server_key_exchange(SSL *s) * Use same message size as in ssl3_get_certificate_request() * as ServerKeyExchange message may be skipped. */ - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_KEY_EXCH_A, + n = ssl3_get_message(s, SSL3_ST_CR_KEY_EXCH_A, SSL3_ST_CR_KEY_EXCH_B, -1, s->internal->max_cert_list, &ok); if (!ok) return ((int)n); - EVP_MD_CTX_init(&md_ctx); + if (n < 0) + goto err; + + CBS_init(&cbs, s->internal->init_msg, n); if (S3I(s)->tmp.message_type != SSL3_MT_SERVER_KEY_EXCHANGE) { /* @@ -1506,14 +1472,14 @@ ssl3_get_server_key_exchange(SSL *s) goto err; } - param = p = (unsigned char *)s->internal->init_msg; - param_len = n; + param = CBS_data(&cbs); + param_len = CBS_len(&cbs); if (alg_k & SSL_kDHE) { - if (ssl3_get_server_kex_dhe(s, &pkey, &p, &n) != 1) + if (ssl3_get_server_kex_dhe(s, &pkey, &cbs) != 1) goto err; } else if (alg_k & SSL_kECDHE) { - if (ssl3_get_server_kex_ecdhe(s, &pkey, &p, &n) != 1) + if (ssl3_get_server_kex_ecdhe(s, &pkey, &cbs) != 1) goto err; } else if (alg_k != 0) { al = SSL_AD_UNEXPECTED_MESSAGE; 
@@ -1521,93 +1487,73 @@ ssl3_get_server_key_exchange(SSL *s) goto f_err; } - param_len = param_len - n; + param_len -= CBS_len(&cbs); /* if it was signed, check the signature */ if (pkey != NULL) { + EVP_PKEY_CTX *pctx; + const struct ssl_sigalg *sigalg; + if (SSL_USE_SIGALGS(s)) { - int sigalg = tls12_get_sigid(pkey); - /* Should never happen */ - if (sigalg == -1) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - goto err; - } - /* - * Check key type is consistent - * with signature - */ - if (2 > n) + uint16_t sigalg_value; + + if (!CBS_get_u16(&cbs, &sigalg_value)) goto truncated; - if (sigalg != (int)p[1]) { - SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - md = tls12_get_hash(p[0]); - if (md == NULL) { + if ((sigalg = ssl_sigalg(sigalg_value, tls12_sigalgs, + tls12_sigalgs_len)) == NULL) { SSLerror(s, SSL_R_UNKNOWN_DIGEST); al = SSL_AD_DECODE_ERROR; goto f_err; } - p += 2; - n -= 2; - } else - md = EVP_sha1(); + if ((md = sigalg->md()) == NULL) { + SSLerror(s, SSL_R_UNKNOWN_DIGEST); + al = SSL_AD_DECODE_ERROR; + goto f_err; + } + if (!ssl_sigalg_pkey_ok(sigalg, pkey, 0)) { + SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); + al = SSL_AD_DECODE_ERROR; + goto f_err; + } + } else if (pkey->type == EVP_PKEY_RSA) { + sigalg = ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1); + } else if (pkey->type == EVP_PKEY_EC) { + sigalg = ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); + } else { + SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); + al = SSL_AD_DECODE_ERROR; + goto f_err; + } + md = sigalg->md(); - if (2 > n) + if (!CBS_get_u16_length_prefixed(&cbs, &signature)) goto truncated; - n2s(p, i); - n -= 2; - j = EVP_PKEY_size(pkey); - - if (i != n || n > j) { - /* wrong packet length */ + if (CBS_len(&signature) > EVP_PKEY_size(pkey)) { al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_WRONG_SIGNATURE_LENGTH); goto f_err; } - if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) { - j = 0; - q = md_buf; - if (!EVP_DigestInit_ex(&md_ctx, EVP_md5_sha1(), NULL)) { - al = 
SSL_AD_INTERNAL_ERROR; - goto f_err; - } - EVP_DigestUpdate(&md_ctx, s->s3->client_random, - SSL3_RANDOM_SIZE); - EVP_DigestUpdate(&md_ctx, s->s3->server_random, - SSL3_RANDOM_SIZE); - EVP_DigestUpdate(&md_ctx, param, param_len); - EVP_DigestFinal_ex(&md_ctx, q, (unsigned int *)&i); - q += i; - j += i; - i = RSA_verify(NID_md5_sha1, md_buf, j, - p, n, pkey->pkey.rsa); - if (i < 0) { - al = SSL_AD_DECRYPT_ERROR; - SSLerror(s, SSL_R_BAD_RSA_DECRYPT); - goto f_err; - } - if (i == 0) { - /* bad signature */ - al = SSL_AD_DECRYPT_ERROR; - SSLerror(s, SSL_R_BAD_SIGNATURE); - goto f_err; - } - } else { - EVP_VerifyInit_ex(&md_ctx, md, NULL); - EVP_VerifyUpdate(&md_ctx, s->s3->client_random, - SSL3_RANDOM_SIZE); - EVP_VerifyUpdate(&md_ctx, s->s3->server_random, - SSL3_RANDOM_SIZE); - EVP_VerifyUpdate(&md_ctx, param, param_len); - if (EVP_VerifyFinal(&md_ctx, p,(int)n, pkey) <= 0) { - /* bad signature */ - al = SSL_AD_DECRYPT_ERROR; - SSLerror(s, SSL_R_BAD_SIGNATURE); - goto f_err; - } + if (!EVP_DigestVerifyInit(&md_ctx, &pctx, md, NULL, pkey)) + goto err; + if (!EVP_DigestVerifyUpdate(&md_ctx, s->s3->client_random, + SSL3_RANDOM_SIZE)) + goto err; + if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) && + (!EVP_PKEY_CTX_set_rsa_padding(pctx, + RSA_PKCS1_PSS_PADDING) || + !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) + goto err; + if (!EVP_DigestVerifyUpdate(&md_ctx, s->s3->server_random, + SSL3_RANDOM_SIZE)) + goto err; + if (!EVP_DigestVerifyUpdate(&md_ctx, param, param_len)) + goto err; + if (EVP_DigestVerifyFinal(&md_ctx, CBS_data(&signature), + CBS_len(&signature)) <= 0) { + al = SSL_AD_DECRYPT_ERROR; + SSLerror(s, SSL_R_BAD_SIGNATURE); + goto f_err; } } else { /* aNULL does not need public keys. */ 
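Review bot: In the non-sigalgs branch the result of `ssl_sigalg_lookup()` is dereferenced unconditionally by the trailing `md = sigalg->md();`, and that `md` is never checked for NULL, unlike the sigalgs branch a few lines above; both lookups are for fixed table entries so this is a robustness rather than an exploitable issue, but the asymmetry invites a later copy-paste mistake. Replacing the trailing assignment with `if (sigalg == NULL || (md = sigalg->md()) == NULL) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; }` covers every branch and lets the duplicate in-branch `md` check go. Separately, setting RSA-PSS padding on `pctx` between the two `EVP_DigestVerifyUpdate` calls works but reads as if the padding applied to part of the data; moving that block directly after `EVP_DigestVerifyInit` makes the intent obvious. `CBS_len(&signature) > EVP_PKEY_size(pkey)` compares a size_t with an int, so a negative return from `EVP_PKEY_size` would be converted to a huge value and disable the bound; comparing against a local `int pkey_size` checked for `> 0` first avoids that. `ssl3_get_server_key_exchange` begins and ends outside this hunk.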
@@ -1615,12 +1561,12 @@ ssl3_get_server_key_exchange(SSL *s) SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } - /* still data left over */ - if (n != 0) { - al = SSL_AD_DECODE_ERROR; - SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE); - goto f_err; - } + } + + if (CBS_len(&cbs) != 0) { + al = SSL_AD_DECODE_ERROR; + SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE); + goto f_err; } EVP_PKEY_free(pkey); @@ -1629,7 +1575,6 @@ ssl3_get_server_key_exchange(SSL *s) return (1); truncated: - /* wrong packet length */ al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); @@ -1638,7 +1583,6 @@ ssl3_get_server_key_exchange(SSL *s) err: EVP_PKEY_free(pkey); - RSA_free(rsa); EVP_MD_CTX_cleanup(&md_ctx); return (-1); @@ -1655,9 +1599,8 @@ ssl3_get_certificate_request(SSL *s) const unsigned char *q; STACK_OF(X509_NAME) *ca_sk = NULL; - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_CERT_REQ_A, + n = ssl3_get_message(s, SSL3_ST_CR_CERT_REQ_A, SSL3_ST_CR_CERT_REQ_B, -1, s->internal->max_cert_list, &ok); - if (!ok) return ((int)n); @@ -1669,10 +1612,7 @@ ssl3_get_certificate_request(SSL *s) * If we get here we don't need any cached handshake records * as we wont be doing client auth. */ - if (S3I(s)->handshake_buffer) { - if (!tls1_digest_cached_records(s)) - goto err; - } + tls1_transcript_free(s); return (1); } 
@@ -1718,20 +1658,19 @@ ssl3_get_certificate_request(SSL *s) SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); goto err; } - - /* Check we have enough room for signature algorithms and - * following length value. - */ if (!CBS_get_u16_length_prefixed(&cert_request, &sigalgs)) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); goto err; } - if (!tls1_process_sigalgs(s, &sigalgs)) { + if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) { ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR); goto err; } + if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, + &S3I(s)->hs.sigalgs_len)) + goto err; } /* get the CA RDNs */ @@ -1813,7 +1752,7 @@ ssl3_get_new_session_ticket(SSL *s) long n; CBS cbs, session_ticket; - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_SESSION_TICKET_A, + n = ssl3_get_message(s, SSL3_ST_CR_SESSION_TICKET_A, SSL3_ST_CR_SESSION_TICKET_B, -1, 16384, &ok); if (!ok) return ((int)n); @@ -1884,15 +1823,13 @@ int ssl3_get_cert_status(SSL *s) { CBS cert_status, response; - size_t stow_len; int ok, al; long n; uint8_t status_type; - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_CERT_STATUS_A, + n = ssl3_get_message(s, SSL3_ST_CR_CERT_STATUS_A, SSL3_ST_CR_CERT_STATUS_B, SSL3_MT_CERTIFICATE_STATUS, 16384, &ok); - if (!ok) return ((int)n); @@ -1926,13 +1863,11 @@ ssl3_get_cert_status(SSL *s) } if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, - &stow_len) || stow_len > INT_MAX) { - s->internal->tlsext_ocsp_resplen = 0; + &s->internal->tlsext_ocsp_resp_len)) { al = SSL_AD_INTERNAL_ERROR; SSLerror(s, ERR_R_MALLOC_FAILURE); goto f_err; } - s->internal->tlsext_ocsp_resplen = (int)stow_len; if (s->ctx->internal->tlsext_status_cb) { int ret; 
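Review bot: The new length check accepts an empty `supported_signature_algorithms` vector: `CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64` lets zero through, while RFC 5246 section 7.4.4 defines the vector as `<2..2^16-2>`, so unless leniency is intended `CBS_len(&sigalgs) == 0 ||` belongs in the condition rather than leaving `hs.sigalgs` NULL for the later selection code to interpret. The `64` is a bare constant; a named value with a comment such as `/* at most 32 SignatureAndHashAlgorithm pairs */` would make the bound reviewable. If `hs.sigalgs` can still hold the previous handshake's allocation on renegotiation, it has to be released before `CBS_stow`, which I cannot see from this hunk. The enclosing `if` block and `ssl3_get_certificate_request` begin outside the hunk.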
@@ -1961,12 +1896,12 @@ ssl3_get_server_done(SSL *s) int ok, ret = 0; long n; - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_SRVR_DONE_A, + n = ssl3_get_message(s, SSL3_ST_CR_SRVR_DONE_A, SSL3_ST_CR_SRVR_DONE_B, SSL3_MT_SERVER_DONE, 30, /* should be very small, like 0 :-) */ &ok); - if (!ok) return ((int)n); + if (n > 0) { /* should contain no data */ ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR); @@ -1991,7 +1926,7 @@ ssl3_send_client_kex_rsa(SSL *s, SESS_CERT *sess_cert, CBB *cbb) * RSA-Encrypted Premaster Secret Message - RFC 5246 section 7.4.7.1. */ - pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA_ENC].x509); + pkey = X509_get_pubkey(sess_cert->peer_pkeys[SSL_PKEY_RSA].x509); if (pkey == NULL || pkey->type != EVP_PKEY_RSA || pkey->pkey.rsa == NULL) { SSLerror(s, ERR_R_INTERNAL_ERROR); @@ -2062,13 +1997,15 @@ ssl3_send_client_kex_dhe(SSL *s, SESS_CERT *sess_cert, CBB *cbb) SSLerror(s, ERR_R_DH_LIB); goto err; } - key_size = DH_size(dh_clnt); + if ((key_size = DH_size(dh_clnt)) <= 0) { + SSLerror(s, ERR_R_DH_LIB); + goto err; + } if ((key = malloc(key_size)) == NULL) { SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } - key_len = DH_compute_key(key, dh_srvr->pub_key, dh_clnt); - if (key_len <= 0) { + if ((key_len = DH_compute_key(key, dh_srvr->pub_key, dh_clnt)) <= 0) { SSLerror(s, ERR_R_DH_LIB); goto err; } 
@@ -2098,86 +2035,37 @@ err: static int ssl3_send_client_kex_ecdhe_ecp(SSL *s, SESS_CERT *sc, CBB *cbb) { - const EC_GROUP *group = NULL; - const EC_POINT *point = NULL; EC_KEY *ecdh = NULL; - BN_CTX *bn_ctx = NULL; - unsigned char *key = NULL; - unsigned char *data; - size_t encoded_len; - int key_size = 0, key_len; + uint8_t *key = NULL; + size_t key_len = 0; int ret = -1; CBB ecpoint; - if ((group = EC_KEY_get0_group(sc->peer_ecdh_tmp)) == NULL || - (point = EC_KEY_get0_public_key(sc->peer_ecdh_tmp)) == NULL) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - goto err; - } - if ((ecdh = EC_KEY_new()) == NULL) { SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; } - if (!EC_KEY_set_group(ecdh, group)) { - SSLerror(s, ERR_R_EC_LIB); + if (!ssl_kex_generate_ecdhe_ecp(ecdh, sc->peer_nid)) goto err; - } - /* Generate a new ECDH key pair. */ - if (!(EC_KEY_generate_key(ecdh))) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } - if ((key_size = ECDH_size(ecdh)) <= 0) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } - if ((key = malloc(key_size)) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - } - key_len = ECDH_compute_key(key, key_size, point, ecdh, NULL); - if (key_len <= 0) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } - - /* Generate master key from the result. */ - s->session->master_key_length = - tls1_generate_master_secret(s, - s->session->master_key, key, key_len); - - encoded_len = EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh), - POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL); - if (encoded_len == 0) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } - - if ((bn_ctx = BN_CTX_new()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - - /* Encode the public key. */ + /* Encode our public key. 
*/ if (!CBB_add_u8_length_prefixed(cbb, &ecpoint)) goto err; - if (!CBB_add_space(&ecpoint, &data, encoded_len)) - goto err; - if (EC_POINT_point2oct(group, EC_KEY_get0_public_key(ecdh), - POINT_CONVERSION_UNCOMPRESSED, data, encoded_len, - bn_ctx) == 0) + if (!ssl_kex_public_ecdhe_ecp(ecdh, &ecpoint)) goto err; if (!CBB_flush(cbb)) goto err; + if (!ssl_kex_derive_ecdhe_ecp(ecdh, sc->peer_ecdh_tmp, &key, &key_len)) + goto err; + s->session->master_key_length = tls1_generate_master_secret(s, + s->session->master_key, key, key_len); + ret = 1; err: - freezero(key, key_size); - - BN_CTX_free(bn_ctx); + freezero(key, key_len); EC_KEY_free(ecdh); return (ret); @@ -2296,7 +2184,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb) /* * Compute shared IV and store it in algorithm-specific context data. */ - ukm_hash = EVP_MD_CTX_create(); + ukm_hash = EVP_MD_CTX_new(); if (ukm_hash == NULL) { SSLerror(s, ERR_R_MALLOC_FAILURE); goto err; @@ -2311,7 +2199,7 @@ ssl3_send_client_kex_gost(SSL *s, SESS_CERT *sess_cert, CBB *cbb) EVP_DigestUpdate(ukm_hash, s->s3->client_random, SSL3_RANDOM_SIZE); EVP_DigestUpdate(ukm_hash, s->s3->server_random, SSL3_RANDOM_SIZE); EVP_DigestFinal_ex(ukm_hash, shared_ukm, &md_len); - EVP_MD_CTX_destroy(ukm_hash); + EVP_MD_CTX_free(ukm_hash); if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, EVP_PKEY_OP_ENCRYPT, EVP_PKEY_CTRL_SET_IV, 8, shared_ukm) < 0) { SSLerror(s, SSL_R_LIBRARY_BUG); @@ -2374,7 +2262,7 @@ ssl3_send_client_key_exchange(SSL *s) goto err; } - if (!ssl3_handshake_msg_start_cbb(s, &cbb, &kex, + if (!ssl3_handshake_msg_start(s, &cbb, &kex, SSL3_MT_CLIENT_KEY_EXCHANGE)) goto err; @@ -2397,7 +2285,7 @@ ssl3_send_client_key_exchange(SSL *s) goto err; } - if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) + if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; S3I(s)->hs.state = SSL3_ST_CW_KEY_EXCH_B; 
@@ -2412,147 +2300,281 @@ err: return (-1); } -int -ssl3_send_client_verify(SSL *s) +static int +ssl3_send_client_verify_sigalgs(SSL *s, CBB *cert_verify) { - unsigned char *p; - unsigned char data[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; - EVP_PKEY *pkey; - EVP_PKEY_CTX *pctx = NULL; - EVP_MD_CTX mctx; - unsigned u = 0; - unsigned long n; - int j; + const struct ssl_sigalg *sigalg; + CBB cbb_signature; + EVP_PKEY_CTX *pctx = NULL; + EVP_PKEY *pkey; + EVP_MD_CTX mctx; + const EVP_MD *md; + const unsigned char *hdata; + unsigned char *signature = NULL; + size_t signature_len, hdata_len; + int ret = 0; EVP_MD_CTX_init(&mctx); + pkey = s->cert->key->privatekey; + if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { + SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR); + goto err; + } + if ((md = sigalg->md()) == NULL) { + SSLerror(s, SSL_R_UNKNOWN_DIGEST); + goto err; + } + + if (!tls1_transcript_data(s, &hdata, &hdata_len)) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + goto err; + } + if (!EVP_DigestSignInit(&mctx, &pctx, md, NULL, pkey)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if (sigalg->key_type == EVP_PKEY_GOSTR01 && + EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, + EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) && + (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING) || + !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if (!EVP_DigestSignUpdate(&mctx, hdata, hdata_len)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if (!EVP_DigestSignFinal(&mctx, NULL, &signature_len) || + signature_len == 0) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if ((signature = calloc(1, signature_len)) == NULL) { + SSLerror(s, ERR_R_MALLOC_FAILURE); + goto err; + } + if (!EVP_DigestSignFinal(&mctx, signature, &signature_len)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + + if (!CBB_add_u16(cert_verify, 
sigalg->value)) + goto err; + if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature)) + goto err; + if (!CBB_add_bytes(&cbb_signature, signature, signature_len)) + goto err; + if (!CBB_flush(cert_verify)) + goto err; + + ret = 1; + + err: + EVP_MD_CTX_cleanup(&mctx); + free(signature); + return ret; +} + +static int +ssl3_send_client_verify_rsa(SSL *s, CBB *cert_verify) +{ + CBB cbb_signature; + EVP_PKEY *pkey; + unsigned char data[EVP_MAX_MD_SIZE]; + unsigned char *signature = NULL; + unsigned int signature_len; + size_t data_len; + int ret = 0; + + pkey = s->cert->key->privatekey; + + if (!tls1_transcript_hash_value(s, data, sizeof(data), &data_len)) + goto err; + if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) + goto err; + if (RSA_sign(NID_md5_sha1, data, data_len, signature, + &signature_len, pkey->pkey.rsa) <= 0 ) { + SSLerror(s, ERR_R_RSA_LIB); + goto err; + } + + if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature)) + goto err; + if (!CBB_add_bytes(&cbb_signature, signature, signature_len)) + goto err; + if (!CBB_flush(cert_verify)) + goto err; + + ret = 1; + err: + free(signature); + return ret; +} + +static int +ssl3_send_client_verify_ec(SSL *s, CBB *cert_verify) +{ + CBB cbb_signature; + EVP_PKEY *pkey; + unsigned char data[EVP_MAX_MD_SIZE]; + unsigned char *signature = NULL; + unsigned int signature_len; + int ret = 0; + + pkey = s->cert->key->privatekey; + + if (!tls1_transcript_hash_value(s, data, sizeof(data), NULL)) + goto err; + if ((signature = calloc(1, EVP_PKEY_size(pkey))) == NULL) + goto err; + if (!ECDSA_sign(pkey->save_type, &data[MD5_DIGEST_LENGTH], + SHA_DIGEST_LENGTH, signature, &signature_len, pkey->pkey.ec)) { + SSLerror(s, ERR_R_ECDSA_LIB); + goto err; + } + + if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature)) + goto err; + if (!CBB_add_bytes(&cbb_signature, signature, signature_len)) + goto err; + if (!CBB_flush(cert_verify)) + goto err; + + ret = 1; + err: + free(signature); + return ret; +} + 
+#ifndef OPENSSL_NO_GOST +static int +ssl3_send_client_verify_gost(SSL *s, CBB *cert_verify) +{ + CBB cbb_signature; + EVP_MD_CTX mctx; + EVP_PKEY_CTX *pctx; + EVP_PKEY *pkey; + const EVP_MD *md; + const unsigned char *hdata; + unsigned char *signature = NULL; + size_t signature_len; + size_t hdata_len; + int nid; + int ret = 0; + + EVP_MD_CTX_init(&mctx); + + pkey = s->cert->key->privatekey; + + if (!tls1_transcript_data(s, &hdata, &hdata_len)) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + goto err; + } + if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) || + (md = EVP_get_digestbynid(nid)) == NULL) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if (!EVP_DigestSignInit(&mctx, &pctx, md, NULL, pkey)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, + EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, NULL) <= 0) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if (!EVP_DigestSignUpdate(&mctx, hdata, hdata_len)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if (!EVP_DigestSignFinal(&mctx, NULL, &signature_len) || + signature_len == 0) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if ((signature = calloc(1, signature_len)) == NULL) { + SSLerror(s, ERR_R_MALLOC_FAILURE); + goto err; + } + if (!EVP_DigestSignFinal(&mctx, signature, &signature_len)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + + if (!CBB_add_u16_length_prefixed(cert_verify, &cbb_signature)) + goto err; + if (!CBB_add_bytes(&cbb_signature, signature, signature_len)) + goto err; + if (!CBB_flush(cert_verify)) + goto err; + + ret = 1; + err: + EVP_MD_CTX_cleanup(&mctx); + free(signature); + return ret; +} +#endif + +int +ssl3_send_client_verify(SSL *s) +{ + CBB cbb, cert_verify; + EVP_PKEY *pkey; + + memset(&cbb, 0, sizeof(cbb)); + if (S3I(s)->hs.state == SSL3_ST_CW_CERT_VRFY_A) { - p = ssl3_handshake_msg_start(s, SSL3_MT_CERTIFICATE_VERIFY); + if (!ssl3_handshake_msg_start(s, &cbb, &cert_verify, + SSL3_MT_CERTIFICATE_VERIFY)) + goto err; - 
/* - * Create context from key and test if sha1 is allowed as - * digest. - */ pkey = s->cert->key->privatekey; - pctx = EVP_PKEY_CTX_new(pkey, NULL); - EVP_PKEY_sign_init(pctx); - - /* XXX - is this needed? */ - if (EVP_PKEY_CTX_set_signature_md(pctx, EVP_sha1()) <= 0) - ERR_clear_error(); - - if (!SSL_USE_SIGALGS(s)) { - if (S3I(s)->handshake_buffer) { - if (!tls1_digest_cached_records(s)) - goto err; - } - if (!tls1_handshake_hash_value(s, data, sizeof(data), - NULL)) - goto err; - } /* * For TLS v1.2 send signature algorithm and signature * using agreed digest and cached handshake records. */ if (SSL_USE_SIGALGS(s)) { - long hdatalen = 0; - void *hdata; - const EVP_MD *md = s->cert->key->digest; - hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, - &hdata); - if (hdatalen <= 0 || - !tls12_get_sigandhash(p, pkey, md)) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - goto err; - } - p += 2; - if (!EVP_SignInit_ex(&mctx, md, NULL) || - !EVP_SignUpdate(&mctx, hdata, hdatalen) || - !EVP_SignFinal(&mctx, p + 2, &u, pkey)) { - SSLerror(s, ERR_R_EVP_LIB); - goto err; - } - s2n(u, p); - n = u + 4; - if (!tls1_digest_cached_records(s)) + if (!ssl3_send_client_verify_sigalgs(s, &cert_verify)) goto err; } else if (pkey->type == EVP_PKEY_RSA) { - if (RSA_sign(NID_md5_sha1, data, - MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, &(p[2]), - &u, pkey->pkey.rsa) <= 0 ) { - SSLerror(s, ERR_R_RSA_LIB); + if (!ssl3_send_client_verify_rsa(s, &cert_verify)) goto err; - } - s2n(u, p); - n = u + 2; } else if (pkey->type == EVP_PKEY_EC) { - if (!ECDSA_sign(pkey->save_type, - &(data[MD5_DIGEST_LENGTH]), - SHA_DIGEST_LENGTH, &(p[2]), - (unsigned int *)&j, pkey->pkey.ec)) { - SSLerror(s, ERR_R_ECDSA_LIB); + if (!ssl3_send_client_verify_ec(s, &cert_verify)) goto err; - } - s2n(j, p); - n = j + 2; #ifndef OPENSSL_NO_GOST } else if (pkey->type == NID_id_GostR3410_94 || - pkey->type == NID_id_GostR3410_2001) { - unsigned char signbuf[128]; - long hdatalen = 0; - void *hdata; - const EVP_MD *md; - int nid; 
- size_t sigsize; - - hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata); - if (hdatalen <= 0) { - SSLerror(s, ERR_R_INTERNAL_ERROR); + pkey->type == NID_id_GostR3410_2001) { + if (!ssl3_send_client_verify_gost(s, &cert_verify)) goto err; - } - if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) || - !(md = EVP_get_digestbynid(nid))) { - SSLerror(s, ERR_R_EVP_LIB); - goto err; - } - if (!EVP_DigestInit_ex(&mctx, md, NULL) || - !EVP_DigestUpdate(&mctx, hdata, hdatalen) || - !EVP_DigestFinal(&mctx, signbuf, &u) || - (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 0) || - (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_SIGN, - EVP_PKEY_CTRL_GOST_SIG_FORMAT, - GOST_SIG_FORMAT_RS_LE, - NULL) <= 0) || - (EVP_PKEY_sign(pctx, &(p[2]), &sigsize, - signbuf, u) <= 0)) { - SSLerror(s, ERR_R_EVP_LIB); - goto err; - } - if (!tls1_digest_cached_records(s)) - goto err; - j = sigsize; - s2n(j, p); - n = j + 2; #endif } else { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } + tls1_transcript_free(s); + + if (!ssl3_handshake_msg_finish(s, &cbb)) + goto err; + S3I(s)->hs.state = SSL3_ST_CW_CERT_VRFY_B; - - ssl3_handshake_msg_finish(s, n); } - EVP_MD_CTX_cleanup(&mctx); - EVP_PKEY_CTX_free(pctx); - return (ssl3_handshake_write(s)); -err: - EVP_MD_CTX_cleanup(&mctx); - EVP_PKEY_CTX_free(pctx); + err: + CBB_cleanup(&cbb); + return (-1); } @@ -2567,8 +2589,8 @@ ssl3_send_client_certificate(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (S3I(s)->hs.state == SSL3_ST_CW_CERT_A) { - if ((s->cert == NULL) || (s->cert->key->x509 == NULL) || - (s->cert->key->privatekey == NULL)) + if (s->cert->key->x509 == NULL || + s->cert->key->privatekey == NULL) S3I(s)->hs.state = SSL3_ST_CW_CERT_B; else S3I(s)->hs.state = SSL3_ST_CW_CERT_C; 
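Review bot: `ssl3_send_client_verify_ec` passes NULL for the output length of `tls1_transcript_hash_value` and then signs `&data[MD5_DIGEST_LENGTH]` for `SHA_DIGEST_LENGTH` bytes, so it silently assumes the value is the 36-byte MD5||SHA-1 concatenation, while the sibling `ssl3_send_client_verify_rsa` does fetch `data_len`. Retrieving and checking it, `if (!tls1_transcript_hash_value(s, data, sizeof(data), &data_len) || data_len != MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH) goto err;`, turns an unexpected digest into a clean failure instead of signing bytes that were never written. The RSA and EC helpers also `goto err` on `calloc` failure without an `SSLerror`, whereas the sigalgs and GOST helpers report `ERR_R_MALLOC_FAILURE`; the four should agree. `ssl3_send_client_verify_sigalgs` references `EVP_PKEY_GOSTR01` and `EVP_PKEY_CTRL_GOST_SIG_FORMAT` outside the `#ifndef OPENSSL_NO_GOST` guard that wraps the GOST helper, so if those identifiers are only declared with GOST enabled this hunk will not build with it disabled; worth confirming.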
@@ -2599,21 +2621,25 @@ ssl3_send_client_certificate(SSL *s) X509_free(x509); EVP_PKEY_free(pkey); - if (i == 0) + if (i == 0) { S3I(s)->tmp.cert_req = 2; + /* There is no client certificate to verify. */ + tls1_transcript_free(s); + } + /* Ok, we have a cert */ S3I(s)->hs.state = SSL3_ST_CW_CERT_C; } if (S3I(s)->hs.state == SSL3_ST_CW_CERT_C) { - if (!ssl3_handshake_msg_start_cbb(s, &cbb, &client_cert, + if (!ssl3_handshake_msg_start(s, &cbb, &client_cert, SSL3_MT_CERTIFICATE)) goto err; if (!ssl3_output_cert_chain(s, &client_cert, - (S3I(s)->tmp.cert_req == 2) ? NULL : s->cert->key->x509)) + (S3I(s)->tmp.cert_req == 2) ? NULL : s->cert->key)) goto err; - if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) + if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; S3I(s)->hs.state = SSL3_ST_CW_CERT_D; @@ -2709,10 +2735,11 @@ ssl3_check_finished(SSL *s) return (1); /* this function is called when we really expect a Certificate * message, so permit appropriate message length */ - n = s->method->internal->ssl_get_message(s, SSL3_ST_CR_CERT_A, + n = ssl3_get_message(s, SSL3_ST_CR_CERT_A, SSL3_ST_CR_CERT_B, -1, s->internal->max_cert_list, &ok); if (!ok) return ((int)n); + S3I(s)->tmp.reuse_message = 1; if ((S3I(s)->tmp.message_type == SSL3_MT_FINISHED) || (S3I(s)->tmp.message_type == SSL3_MT_NEWSESSION_TICKET)) diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 250a9ee..cbc2898 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_err.c,v 1.36 2018/03/20 15:28:12 tb Exp $ */ +/* $OpenBSD: ssl_err.c,v 1.37 2020/01/21 05:19:02 jsing Exp $ */ /* ==================================================================== * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved. * 
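Review bot: The comment `/* Ok, we have a cert */` now sits directly after the `i == 0` branch that records there is no client certificate (`cert_req = 2`) and frees the transcript, so it is wrong on exactly the path this hunk adds. Reword it to cover both outcomes, e.g. `/* Either a certificate was selected, or cert_req == 2 records that none is available. */`, or move it into an else branch. The transcript is also freed at the end of ssl3_send_client_verify in the hunk above; that each path frees it at most once presumably relies on cert_req == 2 skipping CertificateVerify entirely, which is worth stating next to this call.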
@@ -462,7 +462,8 @@ static ERR_STRING_DATA SSL_str_reasons[]= {
 {ERR_REASON(SSL_R_WRONG_VERSION_NUMBER) , "wrong version number"},
 {ERR_REASON(SSL_R_X509_LIB) , "x509 lib"},
 {ERR_REASON(SSL_R_X509_VERIFICATION_SETUP_PROBLEMS), "x509 verification setup problems"},
-{ERR_REASON(SSL_R_PEER_BEHAVING_BADLY) ,"peer is doing strange or hostile things"},
+{ERR_REASON(SSL_R_PEER_BEHAVING_BADLY), "peer is doing strange or hostile things"},
+{ERR_REASON(SSL_R_UNKNOWN), "unknown failure occurred"},
 {0, NULL}
 };
diff --git a/ssl/ssl_init.c b/ssl/ssl_init.c
index 0ef8095..b521d22 100644
--- a/ssl/ssl_init.c
+++ b/ssl/ssl_init.c
@@ -1,3 +1,4 @@
+/* $OpenBSD: ssl_init.c,v 1.2 2018/03/30 14:59:46 jsing Exp $ */
 /*
  * Copyright (c) 2018 Bob Beck
  *
diff --git a/ssl/ssl_kex.c b/ssl/ssl_kex.c
new file mode 100644
index 0000000..9f05fd6
--- /dev/null
+++ b/ssl/ssl_kex.c
@@ -0,0 +1,182 @@ +/* $OpenBSD: ssl_kex.c,v 1.2 2020/04/18 14:07:56 jsing Exp $ */ +/* + * Copyright (c) 2020 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include +#include +#include +#include + +#include "bytestring.h" + +int +ssl_kex_dummy_ecdhe_x25519(EVP_PKEY *pkey) +{ + EC_GROUP *group = NULL; + EC_POINT *point = NULL; + EC_KEY *ec_key = NULL; + BIGNUM *order = NULL; + int ret = 0; + + /* Fudge up an EC_KEY that looks like X25519... 
*/ + if ((group = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1)) == NULL) + goto err; + if ((point = EC_POINT_new(group)) == NULL) + goto err; + if ((order = BN_new()) == NULL) + goto err; + if (!BN_set_bit(order, 252)) + goto err; + if (!EC_GROUP_set_generator(group, point, order, NULL)) + goto err; + EC_GROUP_set_curve_name(group, NID_X25519); + if ((ec_key = EC_KEY_new()) == NULL) + goto err; + if (!EC_KEY_set_group(ec_key, group)) + goto err; + if (!EVP_PKEY_set1_EC_KEY(pkey, ec_key)) + goto err; + + ret = 1; + + err: + EC_GROUP_free(group); + EC_POINT_free(point); + EC_KEY_free(ec_key); + BN_free(order); + + return ret; +} + +int +ssl_kex_generate_ecdhe_ecp(EC_KEY *ecdh, int nid) +{ + EC_GROUP *group; + int ret = 0; + + if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) + goto err; + + if (!EC_KEY_set_group(ecdh, group)) + goto err; + if (!EC_KEY_generate_key(ecdh)) + goto err; + + ret = 1; + + err: + EC_GROUP_free(group); + + return ret; +} + +int +ssl_kex_public_ecdhe_ecp(EC_KEY *ecdh, CBB *cbb) +{ + const EC_GROUP *group; + const EC_POINT *point; + uint8_t *ecp; + size_t ecp_len; + int ret = 0; + + if ((group = EC_KEY_get0_group(ecdh)) == NULL) + goto err; + if ((point = EC_KEY_get0_public_key(ecdh)) == NULL) + goto err; + + if ((ecp_len = EC_POINT_point2oct(group, point, + POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL)) == 0) + goto err; + if (!CBB_add_space(cbb, &ecp, ecp_len)) + goto err; + if ((EC_POINT_point2oct(group, point, POINT_CONVERSION_UNCOMPRESSED, + ecp, ecp_len, NULL)) == 0) + goto err; + + ret = 1; + + err: + return ret; +} + +int +ssl_kex_peer_public_ecdhe_ecp(EC_KEY *ecdh, int nid, CBS *cbs) +{ + EC_GROUP *group = NULL; + EC_POINT *point = NULL; + int ret = 0; + + if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) + goto err; + + if (!EC_KEY_set_group(ecdh, group)) + goto err; + + if ((point = EC_POINT_new(group)) == NULL) + goto err; + if (EC_POINT_oct2point(group, point, CBS_data(cbs), CBS_len(cbs), + NULL) == 0) + goto err; + 
if (!EC_KEY_set_public_key(ecdh, point)) + goto err; + + ret = 1; + + err: + EC_GROUP_free(group); + EC_POINT_free(point); + + return ret; +} + +int +ssl_kex_derive_ecdhe_ecp(EC_KEY *ecdh, EC_KEY *ecdh_peer, + uint8_t **shared_key, size_t *shared_key_len) +{ + const EC_POINT *point; + uint8_t *sk = NULL; + int sk_len = 0; + int ret = 0; + + if (!EC_GROUP_check(EC_KEY_get0_group(ecdh), NULL)) + goto err; + if (!EC_GROUP_check(EC_KEY_get0_group(ecdh_peer), NULL)) + goto err; + + if ((point = EC_KEY_get0_public_key(ecdh_peer)) == NULL) + goto err; + + if ((sk_len = ECDH_size(ecdh)) <= 0) + goto err; + if ((sk = calloc(1, sk_len)) == NULL) + goto err; + + if (ECDH_compute_key(sk, sk_len, point, ecdh, NULL) <= 0) + goto err; + + *shared_key = sk; + *shared_key_len = sk_len; + sk = NULL; + + ret = 1; + + err: + freezero(sk, sk_len); + + return ret; +} diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index 573e63c..6e375e1 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_lib.c,v 1.182 2018/03/17 16:20:01 beck Exp $ */ +/* $OpenBSD: ssl_lib.c,v 1.234 2020/09/24 18:12:00 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -140,6 +140,10 @@ * OTHERWISE. */ +#include +#include +#include + #include #include "ssl_locl.h" @@ -156,6 +160,7 @@ #endif #include "bytestring.h" +#include "ssl_sigalgs.h" const char *SSL_version_str = OPENSSL_VERSION_TEXT; @@ -188,12 +193,12 @@ SSL_clear(SSL *s) s->internal->rwstate = SSL_NOTHING; s->internal->rstate = SSL_ST_READ_HEADER; - BUF_MEM_free(s->internal->init_buf); - s->internal->init_buf = NULL; + tls13_ctx_free(s->internal->tls13); + s->internal->tls13 = NULL; - ssl_clear_cipher_ctx(s); - ssl_clear_hash_ctx(&s->read_hash); - ssl_clear_hash_ctx(&s->internal->write_hash); + ssl3_release_init_buffer(s); + + ssl_clear_cipher_state(s); s->internal->first_packet = 0; 
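Review bot: ssl_kex_derive_ecdhe_ecp validates both groups with EC_GROUP_check but never checks that they are the same curve, nor that the peer point lies on `ecdh`'s curve before ECDH_compute_key, which is the invalid-curve attack surface. The only point validation in this file is whatever EC_POINT_oct2point performs in ssl_kex_peer_public_ecdhe_ecp, and I cannot confirm from the diff that it rejects off-curve encodings in this tree. An explicit EC_GROUP_cmp and EC_POINT_is_on_curve in the derive path makes the guarantee local and independent of the parsing helper, at the cost of one extra on-curve test per handshake.
```c
/* in ssl_kex_derive_ecdhe_ecp() */
	const EC_GROUP *group, *peer_group;
	const EC_POINT *point;
	/* … unchanged: sk, sk_len, ret … */

	if ((group = EC_KEY_get0_group(ecdh)) == NULL)
		goto err;
	if ((peer_group = EC_KEY_get0_group(ecdh_peer)) == NULL)
		goto err;
	if (!EC_GROUP_check(group, NULL) || !EC_GROUP_check(peer_group, NULL))
		goto err;
	/* Both keys must be on the same curve. */
	if (EC_GROUP_cmp(group, peer_group, NULL) != 0)
		goto err;

	if ((point = EC_KEY_get0_public_key(ecdh_peer)) == NULL)
		goto err;
	/* Reject off-curve peer points before deriving (invalid-curve attacks). */
	if (!EC_POINT_is_on_curve(group, point, NULL))
		goto err;

	/* … unchanged: ECDH_size, calloc, ECDH_compute_key, freezero … */
```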
@@ -210,8 +215,6 @@ SSL_clear(SSL *s) } else s->method->internal->ssl_clear(s); - S3I(s)->hs.state = SSL_ST_BEFORE|((s->server) ? SSL_ST_ACCEPT : SSL_ST_CONNECT); - return (1); } @@ -219,13 +222,13 @@ SSL_clear(SSL *s) int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) { - STACK_OF(SSL_CIPHER) *sk; + STACK_OF(SSL_CIPHER) *ciphers; ctx->method = meth; - sk = ssl_create_cipher_list(ctx->method, &(ctx->cipher_list), - &(ctx->internal->cipher_list_by_id), SSL_DEFAULT_CIPHER_LIST); - if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { + ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, + ctx->internal->cipher_list_tls13, SSL_DEFAULT_CIPHER_LIST); + if (ciphers == NULL || sk_SSL_CIPHER_num(ciphers) <= 0) { SSLerrorx(SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return (0); } @@ -235,7 +238,7 @@ SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) SSL * SSL_new(SSL_CTX *ctx) { - SSL *s; + SSL *s; if (ctx == NULL) { SSLerrorx(SSL_R_NULL_SSL_CTX); @@ -246,15 +249,10 @@ SSL_new(SSL_CTX *ctx) return (NULL); } - if ((s = calloc(1, sizeof(*s))) == NULL) { - SSLerrorx(ERR_R_MALLOC_FAILURE); - return (NULL); - } - if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL) { - free(s); - SSLerrorx(ERR_R_MALLOC_FAILURE); - return (NULL); - } + if ((s = calloc(1, sizeof(*s))) == NULL) + goto err; + if ((s->internal = calloc(1, sizeof(*s->internal))) == NULL) + goto err; s->internal->min_version = ctx->internal->min_version; s->internal->max_version = ctx->internal->max_version; 
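Review bot: The two calloc failures in SSL_new now `goto err` without the `SSLerrorx(ERR_R_MALLOC_FAILURE)` the replaced code raised, so unless the err label (outside this hunk) pushes an error, a caller receives NULL with an empty error queue. If err does not report, keep the push on both paths: `SSLerrorx(ERR_R_MALLOC_FAILURE); goto err;`. The err path must also cope with `s == NULL` when the first calloc fails, e.g. by relying on SSL_free tolerating NULL, which I cannot confirm from here.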
@@ -263,23 +261,8 @@ SSL_new(SSL_CTX *ctx) s->internal->mode = ctx->internal->mode; s->internal->max_cert_list = ctx->internal->max_cert_list; - if (ctx->internal->cert != NULL) { - /* - * Earlier library versions used to copy the pointer to - * the CERT, not its contents; only when setting new - * parameters for the per-SSL copy, ssl_cert_new would be - * called (and the direct reference to the per-SSL_CTX - * settings would be lost, but those still were indirectly - * accessed for various purposes, and for that reason they - * used to be known as s->ctx->default_cert). - * Now we don't look at the SSL_CTX's CERT after having - * duplicated it once. - */ - s->cert = ssl_cert_dup(ctx->internal->cert); - if (s->cert == NULL) - goto err; - } else - s->cert=NULL; /* Cannot really happen (see SSL_CTX_new) */ + if ((s->cert = ssl_cert_dup(ctx->internal->cert)) == NULL) + goto err; s->internal->read_ahead = ctx->internal->read_ahead; s->internal->msg_callback = ctx->internal->msg_callback; @@ -308,7 +291,7 @@ SSL_new(SSL_CTX *ctx) s->internal->tlsext_ocsp_ids = NULL; s->internal->tlsext_ocsp_exts = NULL; s->internal->tlsext_ocsp_resp = NULL; - s->internal->tlsext_ocsp_resplen = -1; + s->internal->tlsext_ocsp_resp_len = 0; CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); s->initial_ctx = ctx; @@ -328,7 +311,7 @@ SSL_new(SSL_CTX *ctx) if (ctx->internal->tlsext_supportedgroups != NULL) { s->internal->tlsext_supportedgroups = calloc(ctx->internal->tlsext_supportedgroups_length, - sizeof(ctx->internal->tlsext_supportedgroups)); + sizeof(ctx->internal->tlsext_supportedgroups[0])); if (s->internal->tlsext_supportedgroups == NULL) goto err; memcpy(s->internal->tlsext_supportedgroups, @@ -358,6 +341,9 @@ SSL_new(SSL_CTX *ctx) if (!s->method->internal->ssl_new(s)) goto err; + if ((s->internal->rl = tls12_record_layer_new()) == NULL) + goto err; + s->references = 1; s->server = (ctx->method->internal->ssl_accept == ssl_undefined_function) ? 0 : 1; 
@@ -469,6 +455,26 @@ SSL_set_trust(SSL *s, int trust) return (X509_VERIFY_PARAM_set_trust(s->param, trust)); } +int +SSL_set1_host(SSL *s, const char *hostname) +{ + struct in_addr ina; + struct in6_addr in6a; + + if (hostname != NULL && *hostname != '\0' && + (inet_pton(AF_INET, hostname, &ina) == 1 || + inet_pton(AF_INET6, hostname, &in6a) == 1)) + return X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname); + else + return X509_VERIFY_PARAM_set1_host(s->param, hostname, 0); +} + +const char * +SSL_get0_peername(SSL *s) +{ + return X509_VERIFY_PARAM_get0_peername(s->param); +} + X509_VERIFY_PARAM * SSL_CTX_get0_param(SSL_CTX *ctx) { @@ -522,11 +528,12 @@ SSL_free(SSL *s) BIO_free_all(s->rbio); BIO_free_all(s->wbio); - BUF_MEM_free(s->internal->init_buf); + tls13_ctx_free(s->internal->tls13); + + ssl3_release_init_buffer(s); - /* add extra stuff */ sk_SSL_CIPHER_free(s->cipher_list); - sk_SSL_CIPHER_free(s->internal->cipher_list_by_id); + sk_SSL_CIPHER_free(s->internal->cipher_list_tls13); /* Make the next call work :-) */ if (s->session != NULL) { @@ -534,9 +541,7 @@ SSL_free(SSL *s) SSL_SESSION_free(s->session); } - ssl_clear_cipher_ctx(s); - ssl_clear_hash_ctx(&s->read_hash); - ssl_clear_hash_ctx(&s->internal->write_hash); + ssl_clear_cipher_state(s); ssl_cert_free(s->cert); @@ -564,6 +569,8 @@ SSL_free(SSL *s) sk_SRTP_PROTECTION_PROFILE_free(s->internal->srtp_profiles); #endif + tls12_record_layer_free(s->internal->rl); + free(s->internal); free(s); } @@ -708,14 +715,12 @@ err: size_t SSL_get_finished(const SSL *s, void *buf, size_t count) { - size_t ret = 0; + size_t ret; - if (s->s3 != NULL) { - ret = S3I(s)->tmp.finish_md_len; - if (count > ret) - count = ret; - memcpy(buf, S3I(s)->tmp.finish_md, count); - } + ret = S3I(s)->tmp.finish_md_len; + if (count > ret) + count = ret; + memcpy(buf, S3I(s)->tmp.finish_md, count); return (ret); } 
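Review bot: SSL_get_finished now dereferences `S3I(s)` unconditionally where the replaced code tolerated `s->s3 == NULL`, and the same guard is dropped from SSL_get_peer_finished and SSL_get0_alpn_selected further down. This is only safe if every SSL reaching these public accessors has its s3 state allocated; the diff suggests it (SSL_new fails when the method's ssl_new fails) but does not prove it, since SSL_set_ssl_method and SSL_copy_session_id still call ssl_free and then ssl_new on a live object and the latter can fail. Either restore the `s->s3 != NULL` check, or record the invariant with a comment such as `/* s->s3 is always present: SSL_new() fails without it. */` and make the ssl_new failure paths leave the object unusable in a detectable way.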
@@ -723,14 +728,12 @@ SSL_get_finished(const SSL *s, void *buf, size_t count) size_t SSL_get_peer_finished(const SSL *s, void *buf, size_t count) { - size_t ret = 0; + size_t ret; - if (s->s3 != NULL) { - ret = S3I(s)->tmp.peer_finish_md_len; - if (count > ret) - count = ret; - memcpy(buf, S3I(s)->tmp.peer_finish_md, count); - } + ret = S3I(s)->tmp.peer_finish_md_len; + if (count > ret) + count = ret; + memcpy(buf, S3I(s)->tmp.peer_finish_md, count); return (ret); } @@ -801,14 +804,6 @@ SSL_get_read_ahead(const SSL *s) int SSL_pending(const SSL *s) { - /* - * SSL_pending cannot work properly if read-ahead is enabled - * (SSL_[CTX_]ctrl(..., SSL_CTRL_SET_READ_AHEAD, 1, NULL)), - * and it is impossible to fix since SSL_pending cannot report - * errors that may be observed while scanning the new data. - * (Note that SSL_pending() is often used as a boolean value, - * so we'd better not return -1.) - */ return (s->method->internal->ssl_pending(s)); } @@ -853,22 +848,21 @@ SSL_get_peer_cert_chain(const SSL *s) * Now in theory, since the calling process own 't' it should be safe to * modify. We need to be able to read f without being hassled */ -void +int SSL_copy_session_id(SSL *t, const SSL *f) { CERT *tmp; - /* Do we need to to SSL locking? */ - SSL_set_session(t, SSL_get_session(f)); + /* Do we need to do SSL locking? */ + if (!SSL_set_session(t, SSL_get_session(f))) + return 0; - /* - * What if we are setup as SSLv2 but want to talk SSLv3 or - * vice-versa. - */ + /* What if we are set up for one protocol but want to talk another? */ if (t->method != f->method) { - t->method->internal->ssl_free(t); /* cleanup current */ - t->method = f->method; /* change method */ - t->method->internal->ssl_new(t); /* setup new */ + t->method->internal->ssl_free(t); + t->method = f->method; + if (!t->method->internal->ssl_new(t)) + return 0; } tmp = t->cert; 
@@ -878,7 +872,11 @@ SSL_copy_session_id(SSL *t, const SSL *f) } else t->cert = NULL; ssl_cert_free(tmp); - SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length); + + if (!SSL_set_session_id_context(t, f->sid_ctx, f->sid_ctx_length)) + return 0; + + return 1; } /* Fix this so it checks all the valid key/cert options */ @@ -946,10 +944,20 @@ SSL_is_server(const SSL *s) return s->server; } +static long +ssl_get_default_timeout() +{ + /* + * 2 hours, the 24 hours mentioned in the TLSv1 spec + * is way too long for http, the cache would over fill. + */ + return (2 * 60 * 60); +} + long SSL_get_default_timeout(const SSL *s) { - return (s->method->internal->get_timeout()); + return (ssl_get_default_timeout()); } int @@ -964,7 +972,7 @@ SSL_read(SSL *s, void *buf, int num) s->internal->rwstate = SSL_NOTHING; return (0); } - return (s->method->internal->ssl_read(s, buf, num)); + return ssl3_read(s, buf, num); } int @@ -978,7 +986,7 @@ SSL_peek(SSL *s, void *buf, int num) if (s->internal->shutdown & SSL_RECEIVED_SHUTDOWN) { return (0); } - return (s->method->internal->ssl_peek(s, buf, num)); + return ssl3_peek(s, buf, num); } int 
@@ -994,7 +1002,58 @@ SSL_write(SSL *s, const void *buf, int num) SSLerror(s, SSL_R_PROTOCOL_IS_SHUTDOWN); return (-1); } - return (s->method->internal->ssl_write(s, buf, num)); + return ssl3_write(s, buf, num); +} + +uint32_t +SSL_CTX_get_max_early_data(const SSL_CTX *ctx) +{ + return 0; +} + +int +SSL_CTX_set_max_early_data(SSL_CTX *ctx, uint32_t max_early_data) +{ + return 1; +} + +uint32_t +SSL_get_max_early_data(const SSL *s) +{ + return 0; +} + +int +SSL_set_max_early_data(SSL *s, uint32_t max_early_data) +{ + return 1; +} + +int +SSL_get_early_data_status(const SSL *s) +{ + return SSL_EARLY_DATA_REJECTED; +} + +int +SSL_read_early_data(SSL *s, void *buf, size_t num, size_t *readbytes) +{ + *readbytes = 0; + + if (!s->server) { + SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return SSL_READ_EARLY_DATA_ERROR; + } + + return SSL_READ_EARLY_DATA_FINISH; +} + +int +SSL_write_early_data(SSL *s, const void *buf, size_t num, size_t *written) +{ + *written = 0; + SSLerror(s, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return 0; } int @@ -1012,10 +1071,10 @@ SSL_shutdown(SSL *s) return (-1); } - if ((s != NULL) && !SSL_in_init(s)) + if (s != NULL && !SSL_in_init(s)) return (s->method->internal->ssl_shutdown(s)); - else - return (1); + + return (1); } int 
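Review bot: The new early-data functions are silent compatibility stubs: SSL_CTX_set_max_early_data and SSL_set_max_early_data return 1 without storing the value, SSL_get_early_data_status always reports SSL_EARLY_DATA_REJECTED, and SSL_read_early_data returns SSL_READ_EARLY_DATA_FINISH on the server without reading anything, so an application that believes 0-RTT is enabled gets no indication otherwise. A block comment above SSL_CTX_get_max_early_data should state that 0-RTT early data is not supported, that the setters accept and discard the limit, and that the status always reports rejection. Returning 0 from the setters would be the stricter contract, but that is an API-behaviour choice for the maintainers.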
@@ -1234,52 +1293,58 @@ ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b) return ((l > 0) ? 1:-1); } -int -ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, - const SSL_CIPHER * const *bp) -{ - long l; - - l = (*ap)->id - (*bp)->id; - if (l == 0L) - return (0); - else - return ((l > 0) ? 1:-1); -} - -/* - * Return a STACK of the ciphers available for the SSL and in order of - * preference. - */ STACK_OF(SSL_CIPHER) * SSL_get_ciphers(const SSL *s) { - if (s != NULL) { - if (s->cipher_list != NULL) { - return (s->cipher_list); - } else if ((s->ctx != NULL) && (s->ctx->cipher_list != NULL)) { - return (s->ctx->cipher_list); - } - } - return (NULL); + if (s == NULL) + return (NULL); + if (s->cipher_list != NULL) + return (s->cipher_list); + + return (s->ctx->cipher_list); } -/* - * Return a STACK of the ciphers available for the SSL and in order of - * algorithm id. - */ STACK_OF(SSL_CIPHER) * -ssl_get_ciphers_by_id(SSL *s) +SSL_get_client_ciphers(const SSL *s) { - if (s != NULL) { - if (s->internal->cipher_list_by_id != NULL) { - return (s->internal->cipher_list_by_id); - } else if ((s->ctx != NULL) && - (s->ctx->internal->cipher_list_by_id != NULL)) { - return (s->ctx->internal->cipher_list_by_id); - } + if (s == NULL || s->session == NULL || !s->server) + return NULL; + return s->session->ciphers; +} + +STACK_OF(SSL_CIPHER) * +SSL_get1_supported_ciphers(SSL *s) +{ + STACK_OF(SSL_CIPHER) *supported_ciphers = NULL, *ciphers; + const SSL_CIPHER *cipher; + uint16_t min_vers, max_vers; + int i; + + if (s == NULL) + return NULL; + if (!ssl_supported_version_range(s, &min_vers, &max_vers)) + return NULL; + if ((ciphers = SSL_get_ciphers(s)) == NULL) + return NULL; + if ((supported_ciphers = sk_SSL_CIPHER_new_null()) == NULL) + return NULL; + + for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { + if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL) + goto err; + if (!ssl_cipher_allowed_in_version_range(cipher, min_vers, + max_vers)) + continue; + if 
(!sk_SSL_CIPHER_push(supported_ciphers, cipher)) + goto err; } - return (NULL); + + if (sk_SSL_CIPHER_num(supported_ciphers) > 0) + return supported_ciphers; + + err: + sk_SSL_CIPHER_free(supported_ciphers); + return NULL; } /* See if we have any ECC cipher suites. */ @@ -1313,23 +1378,22 @@ ssl_has_ecc_ciphers(SSL *s) const char * SSL_get_cipher_list(const SSL *s, int n) { - SSL_CIPHER *c; - STACK_OF(SSL_CIPHER) *sk; + STACK_OF(SSL_CIPHER) *ciphers; + const SSL_CIPHER *cipher; - if (s == NULL) + if ((ciphers = SSL_get_ciphers(s)) == NULL) return (NULL); - sk = SSL_get_ciphers(s); - if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= n)) + if ((cipher = sk_SSL_CIPHER_value(ciphers, n)) == NULL) return (NULL); - c = sk_SSL_CIPHER_value(sk, n); - if (c == NULL) - return (NULL); - return (c->name); + + return (cipher->name); } STACK_OF(SSL_CIPHER) * SSL_CTX_get_ciphers(const SSL_CTX *ctx) { + if (ctx == NULL) + return NULL; return ctx->cipher_list; } 
@@ -1337,68 +1401,101 @@ SSL_CTX_get_ciphers(const SSL_CTX *ctx) int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) { - STACK_OF(SSL_CIPHER) *sk; + STACK_OF(SSL_CIPHER) *ciphers; - sk = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, - &ctx->internal->cipher_list_by_id, str); /* - * ssl_create_cipher_list may return an empty stack if it - * was unable to find a cipher matching the given rule string - * (for example if the rule string specifies a cipher which - * has been disabled). This is not an error as far as - * ssl_create_cipher_list is concerned, and hence - * ctx->cipher_list and ctx->internal->cipher_list_by_id has been - * updated. + * ssl_create_cipher_list may return an empty stack if it was unable to + * find a cipher matching the given rule string (for example if the + * rule string specifies a cipher which has been disabled). This is not + * an error as far as ssl_create_cipher_list is concerned, and hence + * ctx->cipher_list has been updated. */ - if (sk == NULL) + ciphers = ssl_create_cipher_list(ctx->method, &ctx->cipher_list, + ctx->internal->cipher_list_tls13, str); + if (ciphers == NULL) { return (0); - else if (sk_SSL_CIPHER_num(sk) == 0) { + } else if (sk_SSL_CIPHER_num(ciphers) == 0) { SSLerrorx(SSL_R_NO_CIPHER_MATCH); return (0); } return (1); } +int +SSL_CTX_set_ciphersuites(SSL_CTX *ctx, const char *str) +{ + if (!ssl_parse_ciphersuites(&ctx->internal->cipher_list_tls13, str)) { + SSLerrorx(SSL_R_NO_CIPHER_MATCH); + return 0; + } + if (!ssl_merge_cipherlists(ctx->cipher_list, + ctx->internal->cipher_list_tls13, &ctx->cipher_list)) + return 0; + + return 1; +} + /* Specify the ciphers to be used by the SSL. 
*/ int SSL_set_cipher_list(SSL *s, const char *str) { - STACK_OF(SSL_CIPHER) *sk; + STACK_OF(SSL_CIPHER) *ciphers, *ciphers_tls13; - sk = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, - &s->internal->cipher_list_by_id, str); - /* see comment in SSL_CTX_set_cipher_list */ - if (sk == NULL) + if ((ciphers_tls13 = s->internal->cipher_list_tls13) == NULL) + ciphers_tls13 = s->ctx->internal->cipher_list_tls13; + + /* See comment in SSL_CTX_set_cipher_list. */ + ciphers = ssl_create_cipher_list(s->ctx->method, &s->cipher_list, + ciphers_tls13, str); + if (ciphers == NULL) { return (0); - else if (sk_SSL_CIPHER_num(sk) == 0) { + } else if (sk_SSL_CIPHER_num(ciphers) == 0) { SSLerror(s, SSL_R_NO_CIPHER_MATCH); return (0); } return (1); } -/* works well for SSLv2, not so good for SSLv3 */ +int +SSL_set_ciphersuites(SSL *s, const char *str) +{ + STACK_OF(SSL_CIPHER) *ciphers; + + if ((ciphers = s->cipher_list) == NULL) + ciphers = s->ctx->cipher_list; + + if (!ssl_parse_ciphersuites(&s->internal->cipher_list_tls13, str)) { + SSLerrorx(SSL_R_NO_CIPHER_MATCH); + return (0); + } + if (!ssl_merge_cipherlists(ciphers, s->internal->cipher_list_tls13, + &s->cipher_list)) + return 0; + + return 1; +} + char * SSL_get_shared_ciphers(const SSL *s, char *buf, int len) { - char *end; - STACK_OF(SSL_CIPHER) *sk; - SSL_CIPHER *c; - size_t curlen = 0; - int i; + STACK_OF(SSL_CIPHER) *ciphers; + const SSL_CIPHER *cipher; + size_t curlen = 0; + char *end; + int i; if (s->session == NULL || s->session->ciphers == NULL || len < 2) return (NULL); - sk = s->session->ciphers; - if (sk_SSL_CIPHER_num(sk) == 0) + ciphers = s->session->ciphers; + if (sk_SSL_CIPHER_num(ciphers) == 0) return (NULL); buf[0] = '\0'; - for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { - c = sk_SSL_CIPHER_value(sk, i); + for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { + cipher = sk_SSL_CIPHER_value(ciphers, i); end = buf + curlen; - if (strlcat(buf, c->name, len) >= len || + if (strlcat(buf, cipher->name, len) >= 
len || (curlen = strlcat(buf, ":", len)) >= len) { /* remove truncated cipher from list */ *end = '\0'; 
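Review bot: In SSL_set_ciphersuites the `ciphers` passed as the first argument to ssl_merge_cipherlists is `s->cipher_list` whenever that is non-NULL, while the output pointer is `&s->cipher_list`, so the merge reads from the very stack it is asked to replace; unless ssl_merge_cipherlists (outside this diff) is written to tolerate that aliasing, it can free the input before it has finished reading it. SSL_CTX_set_ciphersuites has the same aliasing with `ctx->cipher_list`. Either document the aliasing contract on the helper, or merge into a temporary and swap as below. Separately, this function reports with SSLerrorx while its sibling SSL_set_cipher_list uses `SSLerror(s, ...)`; the two should match.
```c
/* in SSL_set_ciphersuites(), after ssl_parse_ciphersuites() succeeds */
	STACK_OF(SSL_CIPHER) *merged = NULL;

	/* Merge into a fresh stack so the input (possibly s->cipher_list) is not freed underneath us. */
	if (!ssl_merge_cipherlists(ciphers, s->internal->cipher_list_tls13,
	    &merged))
		return 0;
	sk_SSL_CIPHER_free(s->cipher_list);
	s->cipher_list = merged;

	return 1;
```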
@@ -1411,118 +1508,6 @@ SSL_get_shared_ciphers(const SSL *s, char *buf, int len) return (buf); } -int -ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb) -{ - SSL_CIPHER *cipher; - int num_ciphers = 0; - int i; - - if (ciphers == NULL) - return 0; - - for (i = 0; i < sk_SSL_CIPHER_num(ciphers); i++) { - if ((cipher = sk_SSL_CIPHER_value(ciphers, i)) == NULL) - return 0; - - /* Skip TLS v1.2 only ciphersuites if lower than v1.2 */ - if ((cipher->algorithm_ssl & SSL_TLSV1_2) && - (TLS1_get_client_version(s) < TLS1_2_VERSION)) - continue; - - if (!CBB_add_u16(cbb, ssl3_cipher_get_value(cipher))) - return 0; - - num_ciphers++; - } - - /* Add SCSV if there are other ciphers and we're not renegotiating. */ - if (num_ciphers > 0 && !s->internal->renegotiate) { - if (!CBB_add_u16(cbb, SSL3_CK_SCSV & SSL3_CK_VALUE_MASK)) - return 0; - } - - if (!CBB_flush(cbb)) - return 0; - - return 1; -} - -STACK_OF(SSL_CIPHER) * -ssl_bytes_to_cipher_list(SSL *s, CBS *cbs) -{ - STACK_OF(SSL_CIPHER) *ciphers = NULL; - const SSL_CIPHER *cipher; - uint16_t cipher_value, max_version; - unsigned long cipher_id; - - if (s->s3 != NULL) - S3I(s)->send_connection_binding = 0; - - if ((ciphers = sk_SSL_CIPHER_new_null()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - - while (CBS_len(cbs) > 0) { - if (!CBS_get_u16(cbs, &cipher_value)) { - SSLerror(s, SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST); - goto err; - } - - cipher_id = SSL3_CK_ID | cipher_value; - - if (s->s3 != NULL && cipher_id == SSL3_CK_SCSV) { - /* - * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if - * renegotiating. - */ - if (s->internal->renegotiate) { - SSLerror(s, SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING); - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL_AD_HANDSHAKE_FAILURE); - - goto err; - } - S3I(s)->send_connection_binding = 1; - continue; - } - - if (cipher_id == SSL3_CK_FALLBACK_SCSV) { - /* - * TLS_FALLBACK_SCSV indicates that the client - * previously tried a higher protocol version. 
- * Fail if the current version is an unexpected - * downgrade. - */ - max_version = ssl_max_server_version(s); - if (max_version == 0 || s->version < max_version) { - SSLerror(s, SSL_R_INAPPROPRIATE_FALLBACK); - if (s->s3 != NULL) - ssl3_send_alert(s, SSL3_AL_FATAL, - SSL_AD_INAPPROPRIATE_FALLBACK); - goto err; - } - continue; - } - - if ((cipher = ssl3_get_cipher_by_value(cipher_value)) != NULL) { - if (!sk_SSL_CIPHER_push(ciphers, cipher)) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - } - } - - return (ciphers); - -err: - sk_SSL_CIPHER_free(ciphers); - - return (NULL); -} - - /* * Return a servername extension value if provided in Client Hello, or NULL. * So far, only host_name types are defined (RFC 3546). @@ -1604,7 +1589,7 @@ found: /* SSL_get0_next_proto_negotiated is deprecated. */ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, - unsigned *len) + unsigned int *len) { *data = NULL; *len = 0; @@ -1711,15 +1696,13 @@ SSL_CTX_set_alpn_select_cb(SSL_CTX* ctx, */ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, - unsigned *len) + unsigned int *len) { *data = NULL; *len = 0; - if (ssl->s3 != NULL) { - *data = ssl->s3->internal->alpn_selected; - *len = ssl->s3->internal->alpn_selected_len; - } + *data = ssl->s3->internal->alpn_selected; + *len = ssl->s3->internal->alpn_selected_len; } int @@ -1819,6 +1802,7 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->method = meth; ret->internal->min_version = meth->internal->min_version; ret->internal->max_version = meth->internal->max_version; + ret->internal->mode = SSL_MODE_AUTO_RETRY; ret->cert_store = NULL; ret->internal->session_cache_mode = SSL_SESS_CACHE_SERVER; 
@@ -1827,7 +1811,7 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->internal->session_cache_tail = NULL; /* We take the system default */ - ret->session_timeout = meth->internal->get_timeout(); + ret->session_timeout = ssl_get_default_timeout(); ret->internal->new_session_cb = 0; ret->internal->remove_session_cb = 0; @@ -1851,6 +1835,7 @@ SSL_CTX_new(const SSL_METHOD *meth) ret->verify_mode = SSL_VERIFY_NONE; ret->sid_ctx_length = 0; ret->internal->default_verify_callback = NULL; + if ((ret->internal->cert = ssl_cert_new()) == NULL) goto err; @@ -1868,7 +1853,7 @@ SSL_CTX_new(const SSL_METHOD *meth) goto err; ssl_create_cipher_list(ret->method, &ret->cipher_list, - &ret->internal->cipher_list_by_id, SSL_DEFAULT_CIPHER_LIST); + NULL, SSL_DEFAULT_CIPHER_LIST); if (ret->cipher_list == NULL || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { SSLerrorx(SSL_R_LIBRARY_HAS_NO_CIPHERS); @@ -1965,7 +1950,7 @@ SSL_CTX_free(SSL_CTX *ctx) X509_STORE_free(ctx->cert_store); sk_SSL_CIPHER_free(ctx->cipher_list); - sk_SSL_CIPHER_free(ctx->internal->cipher_list_by_id); + sk_SSL_CIPHER_free(ctx->internal->cipher_list_tls13); ssl_cert_free(ctx->internal->cert); sk_X509_NAME_pop_free(ctx->internal->client_CA, X509_NAME_free); sk_X509_pop_free(ctx->extra_certs, X509_free); @@ -1976,8 +1961,7 @@ SSL_CTX_free(SSL_CTX *ctx) #endif #ifndef OPENSSL_NO_ENGINE - if (ctx->internal->client_cert_engine) - ENGINE_finish(ctx->internal->client_cert_engine); + ENGINE_finish(ctx->internal->client_cert_engine); #endif free(ctx->internal->tlsext_ecpointformatlist); @@ -2021,8 +2005,8 @@ SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u) } void -SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, int (*cb)(X509_STORE_CTX *, - void *), void *arg) +SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, + int (*cb)(X509_STORE_CTX *, void *), void *arg) { ctx->internal->app_verify_callback = cb; ctx->internal->app_verify_arg = arg; 
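Review bot: SSL_CTX_free now calls `ENGINE_finish(ctx->internal->client_cert_engine)` unconditionally, which is only correct if ENGINE_finish treats a NULL argument as a successful no-op; older implementations push ERR_R_PASSED_NULL_PARAMETER and return 0, which would pollute the error queue on every SSL_CTX_free without a client-cert engine. If this tree's ENGINE_finish accepts NULL, a one-line comment saying so, `/* ENGINE_finish(NULL) is a no-op. */`, keeps the next reader from re-adding the guard; otherwise restore `if (ctx->internal->client_cert_engine != NULL)`.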
@@ -2041,66 +2025,50 @@ SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) X509_VERIFY_PARAM_set_depth(ctx->param, depth); } +static int +ssl_cert_can_sign(X509 *x) +{ + /* This call populates extension flags (ex_flags). */ + X509_check_purpose(x, -1, 0); + + /* Key usage, if present, must allow signing. */ + return ((x->ex_flags & EXFLAG_KUSAGE) == 0 || + (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)); +} + void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher) { - int rsa_enc, rsa_sign, dh_tmp; - int have_ecc_cert; - unsigned long mask_k, mask_a; - X509 *x = NULL; - CERT_PKEY *cpk; + unsigned long mask_a, mask_k; + CERT_PKEY *cpk; if (c == NULL) return; - dh_tmp = (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || - c->dh_tmp_auto != 0); + mask_a = SSL_aNULL | SSL_aTLS1_3; + mask_k = SSL_kECDHE | SSL_kTLS1_3; + + if (c->dh_tmp != NULL || c->dh_tmp_cb != NULL || c->dh_tmp_auto != 0) + mask_k |= SSL_kDHE; - cpk = &(c->pkeys[SSL_PKEY_RSA_ENC]); - rsa_enc = (cpk->x509 != NULL && cpk->privatekey != NULL); - cpk = &(c->pkeys[SSL_PKEY_RSA_SIGN]); - rsa_sign = (cpk->x509 != NULL && cpk->privatekey != NULL); cpk = &(c->pkeys[SSL_PKEY_ECC]); - have_ecc_cert = (cpk->x509 != NULL && cpk->privatekey != NULL); - - mask_k = 0; - mask_a = 0; + if (cpk->x509 != NULL && cpk->privatekey != NULL) { + if (ssl_cert_can_sign(cpk->x509)) + mask_a |= SSL_aECDSA; + } cpk = &(c->pkeys[SSL_PKEY_GOST01]); - if (cpk->x509 != NULL && cpk->privatekey !=NULL) { + if (cpk->x509 != NULL && cpk->privatekey != NULL) { mask_k |= SSL_kGOST; mask_a |= SSL_aGOST01; } - if (rsa_enc) - mask_k |= SSL_kRSA; - - if (dh_tmp) - mask_k |= SSL_kDHE; - - if (rsa_enc || rsa_sign) + cpk = &(c->pkeys[SSL_PKEY_RSA]); + if (cpk->x509 != NULL && cpk->privatekey != NULL) { mask_a |= SSL_aRSA; - - mask_a |= SSL_aNULL; - - /* - * An ECC certificate may be usable for ECDH and/or - * ECDSA cipher suites depending on the key usage extension. 
- */ - if (have_ecc_cert) { - x = (c->pkeys[SSL_PKEY_ECC]).x509; - - /* This call populates extension flags (ex_flags). */ - X509_check_purpose(x, -1, 0); - - /* Key usage, if present, must allow signing. */ - if ((x->ex_flags & EXFLAG_KUSAGE) == 0 || - (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) - mask_a |= SSL_aECDSA; + mask_k |= SSL_kRSA; } - mask_k |= SSL_kECDHE; - c->mask_k = mask_k; c->mask_a = mask_a; c->valid = 1; @@ -2158,10 +2126,7 @@ ssl_get_server_send_pkey(const SSL *s) if (alg_a & SSL_aECDSA) { i = SSL_PKEY_ECC; } else if (alg_a & SSL_aRSA) { - if (c->pkeys[SSL_PKEY_RSA_ENC].x509 == NULL) - i = SSL_PKEY_RSA_SIGN; - else - i = SSL_PKEY_RSA_ENC; + i = SSL_PKEY_RSA; } else if (alg_a & SSL_aGOST01) { i = SSL_PKEY_GOST01; } else { /* if (alg_a & SSL_aNULL) */ @@ -2172,20 +2137,12 @@ ssl_get_server_send_pkey(const SSL *s) return (c->pkeys + i); } -X509 * -ssl_get_server_send_cert(const SSL *s) -{ - CERT_PKEY *cpk; - - cpk = ssl_get_server_send_pkey(s); - if (!cpk) - return (NULL); - return (cpk->x509); -} - EVP_PKEY * -ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd) +ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd, + const struct ssl_sigalg **sap) { + const struct ssl_sigalg *sigalg = NULL; + EVP_PKEY *pkey = NULL; unsigned long alg_a; CERT *c; int idx = -1; @@ -2194,10 +2151,7 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd) c = s->cert; if (alg_a & SSL_aRSA) { - if (c->pkeys[SSL_PKEY_RSA_SIGN].privatekey != NULL) - idx = SSL_PKEY_RSA_SIGN; - else if (c->pkeys[SSL_PKEY_RSA_ENC].privatekey != NULL) - idx = SSL_PKEY_RSA_ENC; + idx = SSL_PKEY_RSA; } else if ((alg_a & SSL_aECDSA) && (c->pkeys[SSL_PKEY_ECC].privatekey != NULL)) idx = SSL_PKEY_ECC; 
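Review bot: ssl_set_cert_masks applies the keyUsage check (ssl_cert_can_sign) only to the ECC slot; the RSA slot enables both SSL_aRSA and SSL_kRSA purely on the presence of a key pair, so a certificate whose keyUsage lacks digitalSignature still offers RSA-signed suites and one lacking keyEncipherment still offers static RSA key exchange (RFC 5280 §4.2.1.3, RFC 5246 §7.4.2). The replaced code had the same gap for RSA, but merging the RSA_ENC and RSA_SIGN slots is the natural point to close it with a sibling helper. The return value of X509_check_purpose in ssl_cert_can_sign is also ignored; on failure ex_flags stays unpopulated and the check silently passes, so at minimum that deserves a comment. Proposed shape:
```c
static int
ssl_cert_can_encrypt(X509 *x)
{
	/* This call populates extension flags (ex_flags). */
	X509_check_purpose(x, -1, 0);

	/* Key usage, if present, must allow key encipherment (static RSA kex). */
	return ((x->ex_flags & EXFLAG_KUSAGE) == 0 ||
	    (x->ex_kusage & X509v3_KU_KEY_ENCIPHERMENT));
}

/* … unchanged: ssl_set_cert_masks() up to the RSA slot … */
	cpk = &(c->pkeys[SSL_PKEY_RSA]);
	if (cpk->x509 != NULL && cpk->privatekey != NULL) {
		if (ssl_cert_can_sign(cpk->x509))
			mask_a |= SSL_aRSA;
		if (ssl_cert_can_encrypt(cpk->x509))
			mask_k |= SSL_kRSA;
	}
```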
@@ -2205,9 +2159,16 @@ ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *cipher, const EVP_MD **pmd) SSLerror(s, ERR_R_INTERNAL_ERROR); return (NULL); } - if (pmd) - *pmd = c->pkeys[idx].digest; - return (c->pkeys[idx].privatekey); + + pkey = c->pkeys[idx].privatekey; + if ((sigalg = ssl_sigalg_select(s, pkey)) == NULL) { + SSLerror(s, SSL_R_SIGNATURE_ALGORITHMS_ERROR); + return (NULL); + } + *pmd = sigalg->md(); + *sap = sigalg; + + return (pkey); } DH * @@ -2297,28 +2258,28 @@ SSL_get_ssl_method(SSL *s) } int -SSL_set_ssl_method(SSL *s, const SSL_METHOD *meth) +SSL_set_ssl_method(SSL *s, const SSL_METHOD *method) { - int conn = -1; - int ret = 1; + int (*handshake_func)(SSL *) = NULL; + int ret = 1; - if (s->method != meth) { - if (s->internal->handshake_func != NULL) - conn = (s->internal->handshake_func == s->method->internal->ssl_connect); + if (s->method == method) + return (ret); - if (s->method->internal->version == meth->internal->version) - s->method = meth; - else { - s->method->internal->ssl_free(s); - s->method = meth; - ret = s->method->internal->ssl_new(s); - } + if (s->internal->handshake_func == s->method->internal->ssl_connect) + handshake_func = method->internal->ssl_connect; + else if (s->internal->handshake_func == s->method->internal->ssl_accept) + handshake_func = method->internal->ssl_accept; - if (conn == 1) - s->internal->handshake_func = meth->internal->ssl_connect; - else if (conn == 0) - s->internal->handshake_func = meth->internal->ssl_accept; + if (s->method->internal->version == method->internal->version) { + s->method = method; + } else { + s->method->internal->ssl_free(s); + s->method = method; + ret = s->method->internal->ssl_new(s); } + s->internal->handshake_func = handshake_func; + return (ret); } 
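Review bot: The new tail of `ssl_get_sign_pkey` dereferences `pmd` and `sap` unconditionally, whereas the removed code guarded `pmd` with `if (pmd)`; any caller that still passes NULL for either output parameter now crashes. Either keep the guards, `if (pmd != NULL) *pmd = sigalg->md(); if (sap != NULL) *sap = sigalg;`, or document above the function that both pointers must be non-NULL and audit the callers, since the updated prototype in ssl_locl.h gives no hint. The function's opening lines and the callers are outside this hunk.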
@@ -2429,10 +2390,7 @@ SSL_set_accept_state(SSL *s) s->internal->shutdown = 0; S3I(s)->hs.state = SSL_ST_ACCEPT|SSL_ST_BEFORE; s->internal->handshake_func = s->method->internal->ssl_accept; - /* clear the current cipher */ - ssl_clear_cipher_ctx(s); - ssl_clear_hash_ctx(&s->read_hash); - ssl_clear_hash_ctx(&s->internal->write_hash); + ssl_clear_cipher_state(s); } void @@ -2442,10 +2400,7 @@ SSL_set_connect_state(SSL *s) s->internal->shutdown = 0; S3I(s)->hs.state = SSL_ST_CONNECT|SSL_ST_BEFORE; s->internal->handshake_func = s->method->internal->ssl_connect; - /* clear the current cipher */ - ssl_clear_cipher_ctx(s); - ssl_clear_hash_ctx(&s->read_hash); - ssl_clear_hash_ctx(&s->internal->write_hash); + ssl_clear_cipher_state(s); } int @@ -2481,6 +2436,8 @@ ssl_version_string(int ver) return (SSL_TXT_TLSV1_1); case TLS1_2_VERSION: return (SSL_TXT_TLSV1_2); + case TLS1_3_VERSION: + return (SSL_TXT_TLSV1_3); default: return ("unknown"); } @@ -2501,15 +2458,15 @@ SSL_dup(SSL *s) int i; if ((ret = SSL_new(SSL_get_SSL_CTX(s))) == NULL) - return (NULL); + goto err; ret->version = s->version; ret->internal->type = s->internal->type; ret->method = s->method; if (s->session != NULL) { - /* This copies session-id, SSL_METHOD, sid_ctx, and 'cert' */ - SSL_copy_session_id(ret, s); + if (!SSL_copy_session_id(ret, s)) + goto err; } else { /* * No session has been established yet, so we have to expect @@ -2522,15 +2479,13 @@ SSL_dup(SSL *s) ret->method = s->method; ret->method->internal->ssl_new(ret); - if (s->cert != NULL) { - ssl_cert_free(ret->cert); - ret->cert = ssl_cert_dup(s->cert); - if (ret->cert == NULL) - goto err; - } + ssl_cert_free(ret->cert); + if ((ret->cert = ssl_cert_dup(s->cert)) == NULL) + goto err; - SSL_set_session_id_context(ret, - s->sid_ctx, s->sid_ctx_length); + if (!SSL_set_session_id_context(ret, s->sid_ctx, + s->sid_ctx_length)) + goto err; } ret->internal->options = s->internal->options; 
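Review bot: Both new `goto err` paths in `SSL_dup` rely on `SSL_free(ret)` at the `err:` label accepting a NULL `ret` (the `SSL_new` failure case) and, once `ssl_cert_free(ret->cert)` has run, on `SSL_free` coping with `ret->cert == NULL` if `ssl_cert_dup` fails; the removed code tested `ret != NULL` explicitly. If `SSL_free` tolerates both, a one-line comment at the label, `/* SSL_free() handles ret == NULL and a freed, not-yet-replaced cert. */`, would make the invariant visible; if not, the `ret != NULL` test should come back. The `s->cert != NULL` guard was also dropped before `ssl_cert_dup(s->cert)`, which is fine only if `SSL_new` guarantees a cert, something this hunk cannot show. The `err:` label itself sits in a later hunk.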
@@ -2587,15 +2542,14 @@ SSL_dup(SSL *s) X509_VERIFY_PARAM_inherit(ret->param, s->param); - /* dup the cipher_list and cipher_list_by_id stacks */ if (s->cipher_list != NULL) { if ((ret->cipher_list = sk_SSL_CIPHER_dup(s->cipher_list)) == NULL) goto err; } - if (s->internal->cipher_list_by_id != NULL) { - if ((ret->internal->cipher_list_by_id = - sk_SSL_CIPHER_dup(s->internal->cipher_list_by_id)) == NULL) + if (s->internal->cipher_list_tls13 != NULL) { + if ((ret->internal->cipher_list_tls13 = + sk_SSL_CIPHER_dup(s->internal->cipher_list_tls13)) == NULL) goto err; } 
@@ -2613,54 +2567,69 @@ SSL_dup(SSL *s) } } - if (0) { -err: - if (ret != NULL) - SSL_free(ret); - ret = NULL; - } - return (ret); + return ret; + err: + SSL_free(ret); + return NULL; } void -ssl_clear_cipher_ctx(SSL *s) +ssl_clear_cipher_state(SSL *s) +{ + ssl_clear_cipher_read_state(s); + ssl_clear_cipher_write_state(s); +} + +void +ssl_clear_cipher_read_state(SSL *s) { EVP_CIPHER_CTX_free(s->enc_read_ctx); s->enc_read_ctx = NULL; - EVP_CIPHER_CTX_free(s->internal->enc_write_ctx); - s->internal->enc_write_ctx = NULL; + EVP_MD_CTX_free(s->read_hash); + s->read_hash = NULL; + + tls12_record_layer_clear_read_state(s->internal->rl); + tls12_record_layer_set_read_seq_num(s->internal->rl, + S3I(s)->read_sequence); if (s->internal->aead_read_ctx != NULL) { EVP_AEAD_CTX_cleanup(&s->internal->aead_read_ctx->ctx); free(s->internal->aead_read_ctx); s->internal->aead_read_ctx = NULL; } +} + +void +ssl_clear_cipher_write_state(SSL *s) +{ + EVP_CIPHER_CTX_free(s->internal->enc_write_ctx); + s->internal->enc_write_ctx = NULL; + EVP_MD_CTX_free(s->internal->write_hash); + s->internal->write_hash = NULL; + + tls12_record_layer_clear_write_state(s->internal->rl); + tls12_record_layer_set_write_seq_num(s->internal->rl, + S3I(s)->write_sequence); + if (s->internal->aead_write_ctx != NULL) { EVP_AEAD_CTX_cleanup(&s->internal->aead_write_ctx->ctx); free(s->internal->aead_write_ctx); s->internal->aead_write_ctx = NULL; } - } /* Fix this function so that it takes an optional type parameter */ X509 * SSL_get_certificate(const SSL *s) { - if (s->cert != NULL) - return (s->cert->key->x509); - else - return (NULL); + return (s->cert->key->x509); } /* Fix this function so that it takes an optional type parameter */ EVP_PKEY * -SSL_get_privatekey(SSL *s) +SSL_get_privatekey(const SSL *s) { - if (s->cert != NULL) - return (s->cert->key->privatekey); - else - return (NULL); + return (s->cert->key->privatekey); } const SSL_CIPHER * 
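Review bot: In `ssl_clear_cipher_read_state` the cipher and hash contexts are freed before `tls12_record_layer_clear_read_state` runs, but the AEAD context is freed after it; if the record layer keeps pointers to these objects, as `tls12_record_layer_set_read_aead` and `set_read_cipher_hash` in the header suggest, clearing the record layer first in both cases would avoid even a transient dangling pointer and make the two halves read the same, i.e. move the `tls12_record_layer_clear_read_state`/`set_read_seq_num` pair to the top of the function and do likewise in `ssl_clear_cipher_write_state`. Separately, `SSL_get_certificate` and `SSL_get_privatekey` lose their `s->cert != NULL` guard; a comment such as `/* s->cert is never NULL for an SSL created by SSL_new(). */` would record the invariant they now depend on, assuming it holds.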
@@ -2813,23 +2782,22 @@ SSL_get_SSL_CTX(const SSL *ssl) SSL_CTX * SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx) { - CERT *ocert = ssl->cert; + CERT *new_cert; - if (ssl->ctx == ctx) - return (ssl->ctx); if (ctx == NULL) ctx = ssl->initial_ctx; - ssl->cert = ssl_cert_dup(ctx->internal->cert); - if (ocert != NULL) { - int i; - /* Copy negotiated digests from original certificate. */ - for (i = 0; i < SSL_PKEY_NUM; i++) - ssl->cert->pkeys[i].digest = ocert->pkeys[i].digest; - ssl_cert_free(ocert); - } - CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX); + if (ssl->ctx == ctx) + return (ssl->ctx); + + if ((new_cert = ssl_cert_dup(ctx->internal->cert)) == NULL) + return NULL; + ssl_cert_free(ssl->cert); + ssl->cert = new_cert; + + SSL_CTX_up_ref(ctx); SSL_CTX_free(ssl->ctx); /* decrement reference count */ ssl->ctx = ctx; + return (ssl->ctx); } @@ -3020,14 +2988,6 @@ SSL_set_msg_callback(SSL *ssl, void (*cb)(int write_p, int version, SSL_callback_ctrl(ssl, SSL_CTRL_SET_MSG_CALLBACK, (void (*)(void))cb); } -void -ssl_clear_hash_ctx(EVP_MD_CTX **hash) -{ - if (*hash) - EVP_MD_CTX_destroy(*hash); - *hash = NULL; -} - void SSL_set_debug(SSL *s, int debug) { diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h index d2a99af..9a9ef59 100644 --- a/ssl/ssl_locl.h +++ b/ssl/ssl_locl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_locl.h,v 1.202 2018/01/27 15:30:05 jsing Exp $ */ +/* $OpenBSD: ssl_locl.h,v 1.295 2020/09/24 18:12:00 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
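Review bot: The failure path `return NULL;` in `SSL_set_SSL_CTX` leaves `ssl->cert` and `ssl->ctx` untouched, which is the right order (dup first, then swap), but nothing tells callers that a NULL return means the SSL is unchanged and that no SSL error is queued; a comment above the `ssl_cert_dup` call, `/* On failure leave ssl untouched; the caller sees NULL. */`, would capture that. Minor style point: `return NULL;` next to `return (ssl->ctx);` mixes the two return styles the rest of the function keeps parenthesised.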
@@ -161,34 +161,25 @@ #include #include "bytestring.h" +#include "ssl_sigalgs.h" +#include "tls13_internal.h" __BEGIN_HIDDEN_DECLS #define CTASSERT(x) extern char _ctassert[(x) ? 1 : -1 ] \ __attribute__((__unused__)) -#define l2n(l,c) (*((c)++)=(unsigned char)(((l)>>24)&0xff), \ - *((c)++)=(unsigned char)(((l)>>16)&0xff), \ - *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ - *((c)++)=(unsigned char)(((l) )&0xff)) +#ifndef LIBRESSL_HAS_TLS1_3_CLIENT +#define LIBRESSL_HAS_TLS1_3_CLIENT +#endif -#define l2n8(l,c) (*((c)++)=(unsigned char)(((l)>>56)&0xff), \ - *((c)++)=(unsigned char)(((l)>>48)&0xff), \ - *((c)++)=(unsigned char)(((l)>>40)&0xff), \ - *((c)++)=(unsigned char)(((l)>>32)&0xff), \ - *((c)++)=(unsigned char)(((l)>>24)&0xff), \ - *((c)++)=(unsigned char)(((l)>>16)&0xff), \ - *((c)++)=(unsigned char)(((l)>> 8)&0xff), \ - *((c)++)=(unsigned char)(((l) )&0xff)) +#ifndef LIBRESSL_HAS_TLS1_3_SERVER +#define LIBRESSL_HAS_TLS1_3_SERVER +#endif -#define n2s(c,s) ((s=(((unsigned int)(c[0]))<< 8)| \ - (((unsigned int)(c[1])) )),c+=2) -#define s2n(s,c) ((c[0]=(unsigned char)(((s)>> 8)&0xff), \ - c[1]=(unsigned char)(((s) )&0xff)),c+=2) - -#define l2n3(l,c) ((c[0]=(unsigned char)(((l)>>16)&0xff), \ - c[1]=(unsigned char)(((l)>> 8)&0xff), \ - c[2]=(unsigned char)(((l) )&0xff)),c+=3) +#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) || defined(LIBRESSL_HAS_TLS1_3_SERVER) +#define LIBRESSL_HAS_TLS1_3 +#endif /* LOCAL STUFF */ @@ -214,6 +205,7 @@ __BEGIN_HIDDEN_DECLS #define SSL_kDHE 0x00000008L /* tmp DH key no DH cert */ #define SSL_kECDHE 0x00000080L /* ephemeral ECDH */ #define SSL_kGOST 0x00000200L /* GOST key exchange */ +#define SSL_kTLS1_3 0x00000400L /* TLSv1.3 key exchange */ /* Bits for algorithm_auth (server authentication) */ #define SSL_aRSA 0x00000001L /* RSA auth */ 
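Review bot: The `#ifndef LIBRESSL_HAS_TLS1_3_CLIENT` / `#define` pairs only avoid a redefinition warning; they do not let a build turn TLS 1.3 off, since each macro ends up defined either way and `LIBRESSL_HAS_TLS1_3` follows from them. If that is intended, a comment saying so, `/* TLS 1.3 client and server are always built; the guards only tolerate an earlier definition. */`, would stop readers from assuming the feature can be disabled here.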
@@ -221,6 +213,7 @@ __BEGIN_HIDDEN_DECLS #define SSL_aNULL 0x00000004L /* no auth (i.e. use ADH or AECDH) */ #define SSL_aECDSA 0x00000040L /* ECDSA auth*/ #define SSL_aGOST01 0x00000200L /* GOST R 34.10-2001 signature auth */ +#define SSL_aTLS1_3 0x00000400L /* TLSv1.3 authentication */ /* Bits for algorithm_enc (symmetric encryption) */ #define SSL_DES 0x00000001L @@ -257,6 +250,7 @@ __BEGIN_HIDDEN_DECLS #define SSL_SSLV3 0x00000002L #define SSL_TLSV1 SSL_SSLV3 /* for now */ #define SSL_TLSV1_2 0x00000004L +#define SSL_TLSV1_3 0x00000008L /* Bits for algorithm2 (handshake digests and other extra flags) */ @@ -270,10 +264,6 @@ __BEGIN_HIDDEN_DECLS #define SSL_HANDSHAKE_MAC_STREEBOG256 0x200 #define SSL_HANDSHAKE_MAC_DEFAULT (SSL_HANDSHAKE_MAC_MD5 | SSL_HANDSHAKE_MAC_SHA) -/* When adding new digest in the ssl_ciph.c and increment SSM_MD_NUM_IDX - * make sure to update this constant too */ -#define SSL_MAX_DIGEST 7 - #define SSL3_CK_ID 0x03000000 #define SSL3_CK_VALUE_MASK 0x0000ffff @@ -288,8 +278,10 @@ __BEGIN_HIDDEN_DECLS #define TLS1_PRF_STREEBOG256 (SSL_HANDSHAKE_MAC_STREEBOG256 << TLS1_PRF_DGST_SHIFT) #define TLS1_PRF (TLS1_PRF_MD5 | TLS1_PRF_SHA1) -/* Stream MAC for GOST ciphersuites from cryptopro draft - * (currently this also goes into algorithm2) */ +/* + * Stream MAC for GOST ciphersuites from cryptopro draft + * (currently this also goes into algorithm2). + */ #define TLS1_STREAM_MAC 0x04 /* 
@@ -299,15 +291,9 @@ __BEGIN_HIDDEN_DECLS */ #define SSL_CIPHER_ALGORITHM2_VARIABLE_NONCE_IN_RECORD (1 << 22) -/* - * SSL_CIPHER_ALGORITHM2_AEAD is an algorithm2 flag that indicates the cipher - * is implemented via an EVP_AEAD. - */ -#define SSL_CIPHER_ALGORITHM2_AEAD (1 << 23) - /* * SSL_CIPHER_AEAD_FIXED_NONCE_LEN returns the number of bytes of fixed nonce - * for an SSL_CIPHER with the SSL_CIPHER_ALGORITHM2_AEAD flag. + * for an SSL_CIPHER with an algorithm_mac of SSL_AEAD. */ #define SSL_CIPHER_AEAD_FIXED_NONCE_LEN(ssl_cipher) \ (((ssl_cipher->algorithm2 >> 24) & 0xf) * 2) @@ -343,12 +329,14 @@ __BEGIN_HIDDEN_DECLS #define SSL_USE_TLS1_2_CIPHERS(s) \ (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_2_CIPHERS) -#define SSL_PKEY_RSA_ENC 0 -#define SSL_PKEY_RSA_SIGN 1 -#define SSL_PKEY_DH_RSA 2 -#define SSL_PKEY_ECC 3 -#define SSL_PKEY_GOST01 4 -#define SSL_PKEY_NUM 5 +/* Allow TLS 1.3 ciphersuites only. */ +#define SSL_USE_TLS1_3_CIPHERS(s) \ + (s->method->internal->ssl3_enc->enc_flags & SSL_ENC_FLAG_TLS1_3_CIPHERS) + +#define SSL_PKEY_RSA 0 +#define SSL_PKEY_ECC 1 +#define SSL_PKEY_GOST01 2 +#define SSL_PKEY_NUM 3 #define SSL_MAX_EMPTY_RECORDS 32 
@@ -385,25 +373,15 @@ typedef struct ssl_method_internal_st { int (*ssl_accept)(SSL *s); int (*ssl_connect)(SSL *s); - int (*ssl_read)(SSL *s, void *buf, int len); - int (*ssl_peek)(SSL *s, void *buf, int len); - int (*ssl_write)(SSL *s, const void *buf, int len); int (*ssl_shutdown)(SSL *s); int (*ssl_renegotiate)(SSL *s); int (*ssl_renegotiate_check)(SSL *s); - long (*ssl_get_message)(SSL *s, int st1, int stn, int mt, - long max, int *ok); - int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, - int len, int peek); - int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len); - int (*ssl_pending)(const SSL *s); - const struct ssl_method_st *(*get_ssl_method)(int version); - - long (*get_timeout)(void); - int (*ssl_version)(void); + int (*ssl_read_bytes)(SSL *s, int type, unsigned char *buf, int len, + int peek); + int (*ssl_write_bytes)(SSL *s, int type, const void *buf_, int len); struct ssl3_enc_method *ssl3_enc; /* Extra SSLv3/TLS stuff */ } SSL_METHOD_INTERNAL; 
@@ -443,8 +421,86 @@ typedef struct ssl_handshake_st { /* key_block is the record-layer key block for TLS 1.2 and earlier. */ int key_block_len; unsigned char *key_block; + + /* Extensions seen in this handshake. */ + uint32_t extensions_seen; + + /* sigalgs offered in this handshake in wire form */ + size_t sigalgs_len; + uint8_t *sigalgs; } SSL_HANDSHAKE; +typedef struct cert_pkey_st { + X509 *x509; + EVP_PKEY *privatekey; + STACK_OF(X509) *chain; +} CERT_PKEY; + +typedef struct ssl_handshake_tls13_st { + uint16_t min_version; + uint16_t max_version; + uint16_t version; + + int use_legacy; + int hrr; + + /* Certificate and sigalg selected for use (static pointers). */ + const CERT_PKEY *cpk; + const struct ssl_sigalg *sigalg; + + /* Version proposed by peer server. */ + uint16_t server_version; + + uint16_t server_group; + struct tls13_key_share *key_share; + struct tls13_secrets *secrets; + + uint8_t *cookie; + size_t cookie_len; + + /* Preserved transcript hash. */ + uint8_t transcript_hash[EVP_MAX_MD_SIZE]; + size_t transcript_hash_len; + + /* Legacy session ID. 
*/ + uint8_t legacy_session_id[SSL_MAX_SSL_SESSION_ID_LENGTH]; + size_t legacy_session_id_len; + + /* ClientHello hash, used to validate following HelloRetryRequest */ + EVP_MD_CTX *clienthello_md_ctx; + unsigned char *clienthello_hash; + unsigned int clienthello_hash_len; + +} SSL_HANDSHAKE_TLS13; + +struct tls12_record_layer; + +struct tls12_record_layer *tls12_record_layer_new(void); +void tls12_record_layer_free(struct tls12_record_layer *rl); +void tls12_record_layer_set_version(struct tls12_record_layer *rl, + uint16_t version); +void tls12_record_layer_set_read_epoch(struct tls12_record_layer *rl, + uint16_t epoch); +void tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, + uint16_t epoch); +void tls12_record_layer_clear_read_state(struct tls12_record_layer *rl); +void tls12_record_layer_clear_write_state(struct tls12_record_layer *rl); +void tls12_record_layer_set_read_seq_num(struct tls12_record_layer *rl, + uint8_t *seq_num); +void tls12_record_layer_set_write_seq_num(struct tls12_record_layer *rl, + uint8_t *seq_num); +int tls12_record_layer_set_read_aead(struct tls12_record_layer *rl, + SSL_AEAD_CTX *aead_ctx); +int tls12_record_layer_set_write_aead(struct tls12_record_layer *rl, + SSL_AEAD_CTX *aead_ctx); +int tls12_record_layer_set_read_cipher_hash(struct tls12_record_layer *rl, + EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac); +int tls12_record_layer_set_write_cipher_hash(struct tls12_record_layer *rl, + EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac); +int tls12_record_layer_seal_record(struct tls12_record_layer *rl, + uint8_t content_type, const uint8_t *content, size_t content_len, + CBB *out); + typedef struct ssl_ctx_internal_st { uint16_t min_version; uint16_t max_version; 
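Review bot: `SSL_HANDSHAKE_TLS13` uses `size_t` for `cookie_len`, `transcript_hash_len` and `legacy_session_id_len` but `unsigned int clienthello_hash_len` for the ClientHello hash, and the mixed width invites sign/width conversions wherever these lengths are compared or handed to CBS/CBB. Unless the `unsigned int` is forced by the digest API that fills it (which would justify a comment), `size_t` would be consistent. `use_legacy` and `hrr` also carry no comment; one line each, such as `/* fall back to the legacy (pre-1.3) stack */` and `/* a HelloRetryRequest was sent or received */` if that is what they mean, would help, as would stating whether `cookie` and the new `sigalgs` in `SSL_HANDSHAKE` are owned allocations freed with the struct.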
@@ -463,7 +519,7 @@ typedef struct ssl_ctx_internal_st { int (*new_session_cb)(struct ssl_st *ssl, SSL_SESSION *sess); void (*remove_session_cb)(struct ssl_ctx_st *ctx, SSL_SESSION *sess); SSL_SESSION *(*get_session_cb)(struct ssl_st *ssl, - unsigned char *data, int len, int *copy); + const unsigned char *data, int len, int *copy); /* if defined, these override the X509_verify_cert() calls */ int (*app_verify_callback)(X509_STORE_CTX *, void *); @@ -477,7 +533,7 @@ typedef struct ssl_ctx_internal_st { unsigned int *cookie_len); /* verify cookie callback */ - int (*app_verify_cookie_cb)(SSL *ssl, unsigned char *cookie, + int (*app_verify_cookie_cb)(SSL *ssl, const unsigned char *cookie, unsigned int cookie_len); void (*info_callback)(const SSL *ssl,int type,int val); /* used if SSL's info_callback is NULL */ @@ -541,8 +597,7 @@ typedef struct ssl_ctx_internal_st { CRYPTO_EX_DATA ex_data; - /* same cipher_list but sorted for lookup */ - STACK_OF(SSL_CIPHER) *cipher_list_by_id; + STACK_OF(SSL_CIPHER) *cipher_list_tls13; struct cert_st /* CERT */ *cert; @@ -607,6 +662,8 @@ typedef struct ssl_ctx_internal_st { } SSL_CTX_INTERNAL; typedef struct ssl_internal_st { + struct tls13_ctx *tls13; + uint16_t min_version; uint16_t max_version; @@ -686,8 +743,7 @@ typedef struct ssl_internal_st { int hit; /* reusing a previous session */ - /* crypto */ - STACK_OF(SSL_CIPHER) *cipher_list_by_id; + STACK_OF(SSL_CIPHER) *cipher_list_tls13; /* These are the ones being used, the ones in SSL_SESSION are * the ones to be 'copied' into these ones */ @@ -704,6 +760,8 @@ typedef struct ssl_internal_st { EVP_CIPHER_CTX *enc_write_ctx; /* cryptographic state */ EVP_MD_CTX *write_hash; /* used for mac generation */ + struct tls12_record_layer *rl; + /* session info */ /* extra application data */ 
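Review bot: Changing the `get_session_cb` and `app_verify_cookie_cb` parameter types to `const unsigned char *` is a source-visible API change: an existing application callback declared with the non-const type no longer matches the pointer type stored here, which C compilers report as an incompatible pointer assignment at the setter that stores it (outside this hunk, presumably `SSL_CTX_sess_set_get_cb` / `SSL_CTX_set_cookie_verify_cb` if their prototypes changed in step). It is worth a line in the public header's documentation, and note that the `const` is a hint only — a callback can still cast it away, so it must not be relied on to keep the session id or cookie unmodified.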
@@ -719,20 +777,15 @@ typedef struct ssl_internal_st { long max_cert_list; int first_packet; - int servername_done; /* no further mod of servername - 0 : call the servername extension callback. - 1 : prepare 2, allow last ack just after in server callback. - 2 : don't call servername callback, no ack in server hello - */ - /* Expect OCSP CertificateStatus message */ int tlsext_status_expected; /* OCSP status request only */ STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids; X509_EXTENSIONS *tlsext_ocsp_exts; + /* OCSP response received or to be sent */ unsigned char *tlsext_ocsp_resp; - int tlsext_ocsp_resplen; + size_t tlsext_ocsp_resp_len; /* RFC4507 session ticket expected to be received or sent */ int tlsext_ticket_expected; @@ -759,9 +812,26 @@ typedef struct ssl_internal_st { int empty_record_count; } SSL_INTERNAL; -typedef struct ssl3_state_internal_st { - int delay_buf_pop_ret; +typedef struct ssl3_record_internal_st { + int type; /* type of record */ + unsigned int length; /* How many bytes available */ + unsigned int padding_length; /* Number of padding bytes. */ + unsigned int off; /* read/write offset into 'buf' */ + unsigned char *data; /* pointer to the record data */ + unsigned char *input; /* where the decode bytes are */ + unsigned long epoch; /* epoch number, needed by DTLS1 */ + unsigned char seq_num[8]; /* sequence number, needed by DTLS1 */ +} SSL3_RECORD_INTERNAL; +typedef struct ssl3_buffer_internal_st { + unsigned char *buf; /* at least SSL3_RT_MAX_PACKET_SIZE bytes, + * see ssl3_setup_buffers() */ + size_t len; /* buffer size */ + int offset; /* where to 'copy from' */ + int left; /* how many bytes left */ +} SSL3_BUFFER_INTERNAL; + +typedef struct ssl3_state_internal_st { unsigned char read_sequence[SSL3_SEQUENCE_SIZE]; int read_mac_secret_size; unsigned char read_mac_secret[EVP_MAX_MD_SIZE]; 
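Review bot: `SSL3_BUFFER_INTERNAL` pairs a `size_t len` with `int offset` and `int left`, and `SSL3_RECORD_INTERNAL` uses `unsigned int length`/`off`, so arithmetic such as `offset + left` against `len` mixes signedness and every consumer needs a cast or range check to stay correct. Since the struct is new to this header, this is the moment to make `offset`/`left` `size_t`, or at least to state the invariant the record code depends on, e.g. `/* invariant: 0 <= offset, 0 <= left, offset + left <= len */`, so that reads from `buf` stay in bounds.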
@@ -769,12 +839,19 @@ typedef struct ssl3_state_internal_st { int write_mac_secret_size; unsigned char write_mac_secret[EVP_MAX_MD_SIZE]; + SSL3_BUFFER_INTERNAL rbuf; /* read IO goes into here */ + SSL3_BUFFER_INTERNAL wbuf; /* write IO goes into here */ + + /* we allow one fatal and one warning alert to be outstanding, + * send close alert via the warning alert */ + int alert_dispatch; + unsigned char send_alert[2]; + /* flags for countermeasure against known-IV weakness */ int need_empty_fragments; int empty_fragment_done; - SSL3_RECORD rrec; /* each decoded record goes in here */ - SSL3_RECORD wrec; /* goes out from here */ + SSL3_RECORD_INTERNAL rrec; /* each decoded record goes in here */ /* storage for Alert/Handshake protocol data received but not * yet processed by ssl3_read_bytes: */ @@ -790,8 +867,8 @@ typedef struct ssl3_state_internal_st { int wpend_ret; /* number of bytes submitted */ const unsigned char *wpend_buf; - /* used during startup, digest all incoming/outgoing packets */ - BIO *handshake_buffer; + /* Transcript of handshake messages that have been sent and received. */ + BUF_MEM *handshake_transcript; /* Rolling hash of handshake messages. */ EVP_MD_CTX *handshake_hash; @@ -812,8 +889,11 @@ typedef struct ssl3_state_internal_st { int in_read_app_data; SSL_HANDSHAKE hs; + SSL_HANDSHAKE_TLS13 hs_tls13; struct { + int new_mac_secret_size; + /* actually only needs to be 16+20 */ unsigned char cert_verify_md[EVP_MAX_MD_SIZE*2]; @@ -829,6 +909,7 @@ typedef struct ssl3_state_internal_st { DH *dh; EC_KEY *ecdh; /* holds short lived ECDH key */ + int ecdh_nid; uint8_t *x25519; 
@@ -870,6 +951,13 @@ typedef struct ssl3_state_internal_st { } SSL3_STATE_INTERNAL; #define S3I(s) (s->s3->internal) +typedef struct dtls1_record_data_internal_st { + unsigned char *packet; + unsigned int packet_length; + SSL3_BUFFER_INTERNAL rbuf; + SSL3_RECORD_INTERNAL rrec; +} DTLS1_RECORD_DATA_INTERNAL; + typedef struct dtls1_state_internal_st { unsigned int send_cookie; unsigned char cookie[DTLS1_COOKIE_LENGTH]; @@ -897,7 +985,7 @@ typedef struct dtls1_state_internal_st { unsigned short handshake_read_seq; /* save last sequence number for retransmissions */ - unsigned char last_write_sequence[8]; + unsigned char last_write_sequence[SSL3_SEQUENCE_SIZE]; /* Received handshake records (processed and unprocessed) */ record_pqueue unprocessed_rcds; @@ -935,13 +1023,6 @@ typedef struct dtls1_state_internal_st { } DTLS1_STATE_INTERNAL; #define D1I(s) (s->d1->internal) -typedef struct cert_pkey_st { - X509 *x509; - EVP_PKEY *privatekey; - /* Digest to use when signing */ - const EVP_MD *digest; -} CERT_PKEY; - typedef struct cert_st { /* Current active set */ CERT_PKEY *key; /* ALWAYS points to an element of the pkeys array @@ -958,8 +1039,6 @@ typedef struct cert_st { DH *(*dh_tmp_cb)(SSL *ssl, int is_export, int keysize); int dh_tmp_auto; - EC_KEY *ecdh_tmp; - CERT_PKEY pkeys[SSL_PKEY_NUM]; int references; /* >1 only if SSL_copy_session_id is used */ @@ -977,6 +1056,7 @@ typedef struct sess_cert_st { /* Obviously we don't have the private keys of these, * so maybe we shouldn't even use the CERT_PKEY type here. */ + int peer_nid; DH *peer_dh_tmp; EC_KEY *peer_ecdh_tmp; uint8_t *peer_x25519_tmp; @@ -988,7 +1068,6 @@ typedef struct sess_cert_st { /*#define RSA_DEBUG */ typedef struct ssl3_enc_method { - int (*enc)(SSL *, int); unsigned int enc_flags; } SSL3_ENC_METHOD; 
@@ -1008,6 +1087,9 @@ typedef struct ssl3_enc_method { /* Allow TLS 1.2 ciphersuites: applies to DTLS 1.2 as well as TLS 1.2. */ #define SSL_ENC_FLAG_TLS1_2_CIPHERS (1 << 4) +/* Allow TLS 1.3 ciphersuites only. */ +#define SSL_ENC_FLAG_TLS1_3_CIPHERS (1 << 5) + /* * ssl_aead_ctx_st contains information about an AEAD that is being used to * encrypt an SSL connection. 
@@ -1040,38 +1122,54 @@ int ssl_version_set_min(const SSL_METHOD *meth, uint16_t ver, uint16_t max_ver, uint16_t *out_ver); int ssl_version_set_max(const SSL_METHOD *meth, uint16_t ver, uint16_t min_ver, uint16_t *out_ver); -uint16_t ssl_max_server_version(SSL *s); +int ssl_downgrade_max_version(SSL *s, uint16_t *max_ver); +int ssl_cipher_in_list(STACK_OF(SSL_CIPHER) *ciphers, const SSL_CIPHER *cipher); +int ssl_cipher_allowed_in_version_range(const SSL_CIPHER *cipher, + uint16_t min_ver, uint16_t max_ver); -const SSL_METHOD *dtls1_get_client_method(int ver); -const SSL_METHOD *dtls1_get_server_method(int ver); -const SSL_METHOD *tls1_get_client_method(int ver); -const SSL_METHOD *tls1_get_server_method(int ver); +const SSL_METHOD *tls_legacy_method(void); +const SSL_METHOD *tls_legacy_client_method(void); +const SSL_METHOD *tls_legacy_server_method(void); + +const SSL_METHOD *ssl_get_client_method(uint16_t version); +const SSL_METHOD *ssl_get_server_method(uint16_t version); extern SSL3_ENC_METHOD DTLSv1_enc_data; extern SSL3_ENC_METHOD TLSv1_enc_data; extern SSL3_ENC_METHOD TLSv1_1_enc_data; extern SSL3_ENC_METHOD TLSv1_2_enc_data; +extern SSL3_ENC_METHOD TLSv1_3_enc_data; -void ssl_clear_cipher_ctx(SSL *s); +void ssl_clear_cipher_state(SSL *s); +void ssl_clear_cipher_read_state(SSL *s); +void ssl_clear_cipher_write_state(SSL *s); int ssl_clear_bad_session(SSL *s); + CERT *ssl_cert_new(void); CERT *ssl_cert_dup(CERT *cert); -int ssl_cert_inst(CERT **o); void ssl_cert_free(CERT *c); +int ssl_cert_set0_chain(CERT *c, STACK_OF(X509) *chain); +int ssl_cert_set1_chain(CERT *c, STACK_OF(X509) *chain); +int ssl_cert_add0_chain_cert(CERT *c, X509 *cert); +int ssl_cert_add1_chain_cert(CERT *c, X509 *cert); + SESS_CERT *ssl_sess_cert_new(void); void ssl_sess_cert_free(SESS_CERT *sc); int ssl_get_new_session(SSL *s, int session); -int ssl_get_prev_session(SSL *s, unsigned char *session, int len, - const unsigned char *limit); +int ssl_get_prev_session(SSL *s, CBS 
*session_id, CBS *ext_block, + int *alert); int ssl_cipher_id_cmp(const SSL_CIPHER *a, const SSL_CIPHER *b); -SSL_CIPHER *OBJ_bsearch_ssl_cipher_id(SSL_CIPHER *key, SSL_CIPHER const *base, int num); -int ssl_cipher_ptr_id_cmp(const SSL_CIPHER * const *ap, - const SSL_CIPHER * const *bp); +SSL_CIPHER *OBJ_bsearch_ssl_cipher_id(SSL_CIPHER *key, SSL_CIPHER const *base, + int num); int ssl_cipher_list_to_bytes(SSL *s, STACK_OF(SSL_CIPHER) *ciphers, CBB *cbb); STACK_OF(SSL_CIPHER) *ssl_bytes_to_cipher_list(SSL *s, CBS *cbs); STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *meth, - STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) **sorted, + STACK_OF(SSL_CIPHER) **pref, STACK_OF(SSL_CIPHER) *tls13, const char *rule_str); +int ssl_parse_ciphersuites(STACK_OF(SSL_CIPHER) **out_ciphers, const char *str); +int ssl_merge_cipherlists(STACK_OF(SSL_CIPHER) *cipherlist, + STACK_OF(SSL_CIPHER) *cipherlist_tls13, + STACK_OF(SSL_CIPHER) **out_cipherlist); void ssl_update_cache(SSL *s, int mode); int ssl_cipher_get_evp(const SSL_SESSION *s, const EVP_CIPHER **enc, const EVP_MD **md, int *mac_pkey_type, int *mac_secret_size); 
@@ -1083,15 +1181,16 @@ int ssl_undefined_function(SSL *s); int ssl_undefined_void_function(void); int ssl_undefined_const_function(const SSL *s); CERT_PKEY *ssl_get_server_send_pkey(const SSL *s); -X509 *ssl_get_server_send_cert(const SSL *); -EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd); +EVP_PKEY *ssl_get_sign_pkey(SSL *s, const SSL_CIPHER *c, const EVP_MD **pmd, + const struct ssl_sigalg **sap); DH *ssl_get_auto_dh(SSL *s); int ssl_cert_type(X509 *x, EVP_PKEY *pkey); void ssl_set_cert_masks(CERT *c, const SSL_CIPHER *cipher); STACK_OF(SSL_CIPHER) *ssl_get_ciphers_by_id(SSL *s); int ssl_has_ecc_ciphers(SSL *s); int ssl_verify_alarm_type(long type); -void ssl_load_ciphers(void); + +int SSL_SESSION_ticket(SSL_SESSION *ss, unsigned char **out, size_t *out_len); const SSL_CIPHER *ssl3_get_cipher_by_char(const unsigned char *p); int ssl3_put_cipher_by_char(const SSL_CIPHER *c, unsigned char *p); @@ -1117,15 +1216,17 @@ int ssl3_renegotiate_check(SSL *ssl); int ssl3_dispatch_alert(SSL *s); int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek); int ssl3_write_bytes(SSL *s, int type, const void *buf, int len); -int ssl3_output_cert_chain(SSL *s, CBB *cbb, X509 *x); +int ssl3_output_cert_chain(SSL *s, CBB *cbb, CERT_PKEY *cpk); SSL_CIPHER *ssl3_choose_cipher(SSL *ssl, STACK_OF(SSL_CIPHER) *clnt, STACK_OF(SSL_CIPHER) *srvr); int ssl3_setup_buffers(SSL *s); int ssl3_setup_init_buffer(SSL *s); +void ssl3_release_init_buffer(SSL *s); int ssl3_setup_read_buffer(SSL *s); int ssl3_setup_write_buffer(SSL *s); -int ssl3_release_read_buffer(SSL *s); -int ssl3_release_write_buffer(SSL *s); +void ssl3_release_buffer(SSL3_BUFFER_INTERNAL *b); +void ssl3_release_read_buffer(SSL *s); +void ssl3_release_write_buffer(SSL *s); int ssl3_new(SSL *s); void ssl3_free(SSL *s); int ssl3_accept(SSL *s); 
@@ -1142,18 +1243,15 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *s, int cmd, void (*fp)(void)); int ssl3_pending(const SSL *s); int ssl3_handshake_msg_hdr_len(SSL *s); -unsigned char *ssl3_handshake_msg_start(SSL *s, uint8_t htype); -void ssl3_handshake_msg_finish(SSL *s, unsigned int len); -int ssl3_handshake_msg_start_cbb(SSL *s, CBB *handshake, CBB *body, +int ssl3_handshake_msg_start(SSL *s, CBB *handshake, CBB *body, uint8_t msg_type); -int ssl3_handshake_msg_finish_cbb(SSL *s, CBB *handshake); +int ssl3_handshake_msg_finish(SSL *s, CBB *handshake); int ssl3_handshake_write(SSL *s); int ssl3_record_write(SSL *s, int type); void tls1_record_sequence_increment(unsigned char *seq); int ssl3_do_change_cipher_spec(SSL *ssl); -long tls1_default_timeout(void); int dtls1_do_write(SSL *s, int type); int ssl3_packet_read(SSL *s, int plen); int ssl3_packet_extend(SSL *s, int plen); @@ -1183,7 +1281,6 @@ void dtls1_get_ccs_header(unsigned char *data, struct ccs_header_st *ccs_hdr); void dtls1_reset_seq_numbers(SSL *s, int rw); void dtls1_build_sequence_number(unsigned char *dst, unsigned char *seq, unsigned short epoch); -long dtls1_default_timeout(void); struct timeval* dtls1_get_timeout(SSL *s, struct timeval* timeleft); int dtls1_check_timeout_num(SSL *s); int dtls1_handle_timeout(SSL *s); @@ -1223,6 +1320,13 @@ int ssl3_get_client_certificate(SSL *s); int ssl3_get_client_key_exchange(SSL *s); int ssl3_get_cert_verify(SSL *s); +int ssl_kex_dummy_ecdhe_x25519(EVP_PKEY *pkey); +int ssl_kex_generate_ecdhe_ecp(EC_KEY *ecdh, int nid); +int ssl_kex_public_ecdhe_ecp(EC_KEY *ecdh, CBB *cbb); +int ssl_kex_peer_public_ecdhe_ecp(EC_KEY *ecdh, int nid, CBS *cbs); +int ssl_kex_derive_ecdhe_ecp(EC_KEY *ecdh, EC_KEY *ecdh_peer, + uint8_t **shared_key, size_t *shared_key_len); + int tls1_new(SSL *s); void tls1_free(SSL *s); void tls1_clear(SSL *s); 
@@ -1231,27 +1335,30 @@ int dtls1_new(SSL *s); void dtls1_free(SSL *s); void dtls1_clear(SSL *s); long dtls1_ctrl(SSL *s, int cmd, long larg, void *parg); -int dtls1_shutdown(SSL *s); long dtls1_get_message(SSL *s, int st1, int stn, int mt, long max, int *ok); int dtls1_get_record(SSL *s); int dtls1_dispatch_alert(SSL *s); -int dtls1_enc(SSL *s, int snd); int ssl_init_wbio_buffer(SSL *s, int push); void ssl_free_wbio_buffer(SSL *s); -int tls1_handshake_hash_init(SSL *s); -int tls1_handshake_hash_update(SSL *s, const unsigned char *buf, size_t len); -int tls1_handshake_hash_value(SSL *s, const unsigned char *out, size_t len, +int tls1_transcript_hash_init(SSL *s); +int tls1_transcript_hash_update(SSL *s, const unsigned char *buf, size_t len); +int tls1_transcript_hash_value(SSL *s, const unsigned char *out, size_t len, size_t *outlen); -void tls1_handshake_hash_free(SSL *s); +void tls1_transcript_hash_free(SSL *s); + +int tls1_transcript_init(SSL *s); +void tls1_transcript_free(SSL *s); +void tls1_transcript_reset(SSL *s); +int tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len); +int tls1_transcript_data(SSL *s, const unsigned char **data, size_t *len); +void tls1_transcript_freeze(SSL *s); +void tls1_transcript_unfreeze(SSL *s); +int tls1_transcript_record(SSL *s, const unsigned char *buf, size_t len); -int tls1_init_finished_mac(SSL *s); -int tls1_finish_mac(SSL *s, const unsigned char *buf, int len); -void tls1_free_digest_list(SSL *s); void tls1_cleanup_key_block(SSL *s); -int tls1_digest_cached_records(SSL *s); int tls1_change_cipher_state(SSL *s, int which); int tls1_setup_key_block(SSL *s); int tls1_enc(SSL *s, int snd); 
@@ -1268,14 +1375,19 @@ int ssl_ok(SSL *s); int ssl_using_ecc_cipher(SSL *s); int ssl_check_srvr_ecc_cert_and_alg(X509 *x, SSL *s); +void tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, + size_t *pformatslen); +void tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups, + size_t *pgroupslen); + int tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len, const int *groups, size_t ngroups); -int tls1_set_groups_list(uint16_t **out_group_ids, size_t *out_group_ids_len, +int tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len, const char *groups); int tls1_ec_curve_id2nid(const uint16_t curve_id); uint16_t tls1_ec_nid2curve_id(const int nid); -int tls1_check_curve(SSL *s, const uint16_t curve_id); +int tls1_check_curve(SSL *s, const uint16_t group_id); int tls1_get_shared_curve(SSL *s); int ssl_parse_serverhello_tlsext(SSL *s, unsigned char **data, 
@@ -1284,59 +1396,40 @@ int ssl_check_clienthello_tlsext_early(SSL *s);
 int ssl_check_clienthello_tlsext_late(SSL *s);
 int ssl_check_serverhello_tlsext(SSL *s);
-#define tlsext_tick_md EVP_sha256
-int tls1_process_ticket(SSL *s, const unsigned char *session_id, int len,
-    const unsigned char *limit, SSL_SESSION **ret);
-int tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk,
-    const EVP_MD *md);
-int tls12_get_sigid(const EVP_PKEY *pk);
-const EVP_MD *tls12_get_hash(unsigned char hash_alg);
+#define TLS1_TICKET_FATAL_ERROR -1
+#define TLS1_TICKET_NONE 0
+#define TLS1_TICKET_EMPTY 1
+#define TLS1_TICKET_NOT_DECRYPTED 2
+#define TLS1_TICKET_DECRYPTED 3
+
+int tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret);
-void ssl_clear_hash_ctx(EVP_MD_CTX **hash);
 long ssl_get_algorithm2(SSL *s);
-int tls1_process_sigalgs(SSL *s, CBS *cbs);
-void tls12_get_req_sig_algs(SSL *s, unsigned char **sigalgs,
-    size_t *sigalgs_len);
 int tls1_check_ec_server_key(SSL *s);
-int tls1_check_ec_tmp_key(SSL *s);
-
-int ssl_add_clienthello_use_srtp_ext(SSL *s, unsigned char *p,
-    int *len, int maxlen);
-int ssl_parse_clienthello_use_srtp_ext(SSL *s, const unsigned char *d,
-    int len, int *al);
-int ssl_add_serverhello_use_srtp_ext(SSL *s, unsigned char *p,
-    int *len, int maxlen);
-int ssl_parse_serverhello_use_srtp_ext(SSL *s, const unsigned char *d,
-    int len, int *al);
 /* s3_cbc.c */
-void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD *rec,
-    unsigned md_size, unsigned orig_len);
-int tls1_cbc_remove_padding(const SSL *s, SSL3_RECORD *rec,
-    unsigned block_size, unsigned mac_size);
+void ssl3_cbc_copy_mac(unsigned char *out, const SSL3_RECORD_INTERNAL *rec,
+    unsigned int md_size, unsigned int orig_len);
+int tls1_cbc_remove_padding(const SSL *s, SSL3_RECORD_INTERNAL *rec,
+    unsigned int block_size, unsigned int mac_size);
 char ssl3_cbc_record_digest_supported(const EVP_MD_CTX *ctx);
 int ssl3_cbc_digest_record(const EVP_MD_CTX *ctx, unsigned char *md_out, size_t *md_out_size, const unsigned char header[13], const unsigned char *data, size_t data_plus_mac_size, size_t data_plus_mac_plus_padding_size, const unsigned char *mac_secret,
-    unsigned mac_secret_length);
+    unsigned int mac_secret_length);
 int SSL_state_func_code(int _state);
 #define SSLerror(s, r) SSL_error_internal(s, r, __FILE__, __LINE__)
 #define SSLerrorx(r) ERR_PUT_error(ERR_LIB_SSL,(0xfff),(r),__FILE__,__LINE__)
 void SSL_error_internal(const SSL *s, int r, char *f, int l);
-void tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats,
-    size_t *pformatslen);
-void tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves,
-    size_t *pcurveslen);
-
 #ifndef OPENSSL_NO_SRTP
 int srtp_find_profile_by_name(char *profile_name,
-    SRTP_PROTECTION_PROFILE **pptr, unsigned len);
-int srtp_find_profile_by_num(unsigned profile_num,
+    SRTP_PROTECTION_PROFILE **pptr, unsigned int len);
+int srtp_find_profile_by_num(unsigned int profile_num,
     SRTP_PROTECTION_PROFILE **pptr);
 #endif /* OPENSSL_NO_SRTP */
diff --git a/ssl/ssl_methods.c b/ssl/ssl_methods.c
new file mode 100644
index 0000000..ff8d17a
--- /dev/null
+++ b/ssl/ssl_methods.c
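Review bot: The five `TLS1_TICKET_*` result codes for the new `tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret)` are introduced without a word on what the function does with `*alert` and `*ret` for each of them, which is exactly what a server-side caller has to know to act on them safely: whether `TLS1_TICKET_NOT_DECRYPTED` means "fall back to a full handshake and issue a fresh ticket" and whether `*ret` is guaranteed NULL in every case but `TLS1_TICKET_DECRYPTED`. I would put a short comment block above the defines, one line per code, plus a sentence stating that `*alert` is only set for `TLS1_TICKET_FATAL_ERROR` — assuming that is what the implementation does; it is not visible in this hunk, so please check against t1_lib.c before writing it down. The old `tlsext_tick_md` macro also disappears here, so any remaining reference outside this hunk will stop compiling rather than silently change the digest.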
@@ -0,0 +1,742 @@ +/* $OpenBSD: ssl_methods.c,v 1.16 2020/09/17 15:23:29 jsing Exp $ */ +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. 
All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] 
+ */ + +#include "ssl_locl.h" +#include "tls13_internal.h" + +static const SSL_METHOD_INTERNAL DTLSv1_client_method_internal_data = { + .version = DTLS1_VERSION, + .min_version = DTLS1_VERSION, + .max_version = DTLS1_VERSION, + .ssl_new = dtls1_new, + .ssl_clear = dtls1_clear, + .ssl_free = dtls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = dtls1_read_bytes, + .ssl_write_bytes = dtls1_write_app_data_bytes, + .ssl3_enc = &DTLSv1_enc_data, +}; + +static const SSL_METHOD DTLSv1_client_method_data = { + .ssl_dispatch_alert = dtls1_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = dtls1_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &DTLSv1_client_method_internal_data, +}; + +const SSL_METHOD * +DTLSv1_client_method(void) +{ + return &DTLSv1_client_method_data; +} + +const SSL_METHOD * +DTLS_client_method(void) +{ + return DTLSv1_client_method(); +} + +static const SSL_METHOD_INTERNAL DTLSv1_method_internal_data = { + .version = DTLS1_VERSION, + .min_version = DTLS1_VERSION, + .max_version = DTLS1_VERSION, + .ssl_new = dtls1_new, + .ssl_clear = dtls1_clear, + .ssl_free = dtls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = dtls1_read_bytes, + .ssl_write_bytes = dtls1_write_app_data_bytes, + .ssl3_enc = &DTLSv1_enc_data, +}; + +static const SSL_METHOD DTLSv1_method_data = { + .ssl_dispatch_alert = dtls1_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = dtls1_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + 
.internal = &DTLSv1_method_internal_data, +}; + +const SSL_METHOD * +DTLSv1_method(void) +{ + return &DTLSv1_method_data; +} + +const SSL_METHOD * +DTLS_method(void) +{ + return DTLSv1_method(); +} + +static const SSL_METHOD_INTERNAL DTLSv1_server_method_internal_data = { + .version = DTLS1_VERSION, + .min_version = DTLS1_VERSION, + .max_version = DTLS1_VERSION, + .ssl_new = dtls1_new, + .ssl_clear = dtls1_clear, + .ssl_free = dtls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl_undefined_function, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = dtls1_read_bytes, + .ssl_write_bytes = dtls1_write_app_data_bytes, + .ssl3_enc = &DTLSv1_enc_data, +}; + +static const SSL_METHOD DTLSv1_server_method_data = { + .ssl_dispatch_alert = dtls1_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = dtls1_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &DTLSv1_server_method_internal_data, +}; + +const SSL_METHOD * +DTLSv1_server_method(void) +{ + return &DTLSv1_server_method_data; +} + +const SSL_METHOD * +DTLS_server_method(void) +{ + return DTLSv1_server_method(); +} + +#ifdef LIBRESSL_HAS_TLS1_3_CLIENT +static const SSL_METHOD_INTERNAL TLS_client_method_internal_data = { + .version = TLS1_3_VERSION, + .min_version = TLS1_VERSION, + .max_version = TLS1_3_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = tls13_legacy_connect, + .ssl_shutdown = tls13_legacy_shutdown, + .ssl_renegotiate = ssl_undefined_function, + .ssl_renegotiate_check = ssl_ok, + .ssl_pending = tls13_legacy_pending, + .ssl_read_bytes = tls13_legacy_read_bytes, + .ssl_write_bytes = tls13_legacy_write_bytes, + .ssl3_enc = &TLSv1_3_enc_data, +}; + +static const SSL_METHOD TLS_client_method_data = { + 
.ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLS_client_method_internal_data, +}; +#endif + +static const SSL_METHOD_INTERNAL TLS_legacy_client_method_internal_data = { + .version = TLS1_2_VERSION, + .min_version = TLS1_VERSION, + .max_version = TLS1_2_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl_undefined_function, + .ssl_renegotiate_check = ssl_ok, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .ssl3_enc = &TLSv1_2_enc_data, +}; + +static const SSL_METHOD TLS_legacy_client_method_data = { + .ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLS_legacy_client_method_internal_data, +}; + +static const SSL_METHOD_INTERNAL TLSv1_client_method_internal_data = { + .version = TLS1_VERSION, + .min_version = TLS1_VERSION, + .max_version = TLS1_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .ssl3_enc = &TLSv1_enc_data, +}; + +static const SSL_METHOD TLSv1_client_method_data = { + .ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = 
ssl3_put_cipher_by_char, + .internal = &TLSv1_client_method_internal_data, +}; + +static const SSL_METHOD_INTERNAL TLSv1_1_client_method_internal_data = { + .version = TLS1_1_VERSION, + .min_version = TLS1_1_VERSION, + .max_version = TLS1_1_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .ssl3_enc = &TLSv1_1_enc_data, +}; + +static const SSL_METHOD TLSv1_1_client_method_data = { + .ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLSv1_1_client_method_internal_data, +}; + +static const SSL_METHOD_INTERNAL TLSv1_2_client_method_internal_data = { + .version = TLS1_2_VERSION, + .min_version = TLS1_2_VERSION, + .max_version = TLS1_2_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl_undefined_function, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .ssl3_enc = &TLSv1_2_enc_data, +}; + +static const SSL_METHOD TLSv1_2_client_method_data = { + .ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLSv1_2_client_method_internal_data, +}; + +const SSL_METHOD * +SSLv23_client_method(void) +{ + return (TLS_client_method()); +} + +const 
SSL_METHOD * +TLS_client_method(void) +{ +#ifdef LIBRESSL_HAS_TLS1_3_CLIENT + return (&TLS_client_method_data); +#else + return tls_legacy_client_method(); +#endif +} + +const SSL_METHOD * +tls_legacy_client_method(void) +{ + return (&TLS_legacy_client_method_data); +} + +const SSL_METHOD * +TLSv1_client_method(void) +{ + return (&TLSv1_client_method_data); +} + +const SSL_METHOD * +TLSv1_1_client_method(void) +{ + return (&TLSv1_1_client_method_data); +} + +const SSL_METHOD * +TLSv1_2_client_method(void) +{ + return (&TLSv1_2_client_method_data); +} + +#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) && defined(LIBRESSL_HAS_TLS1_3_SERVER) +static const SSL_METHOD_INTERNAL TLS_method_internal_data = { + .version = TLS1_3_VERSION, + .min_version = TLS1_VERSION, + .max_version = TLS1_3_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = tls13_legacy_accept, + .ssl_connect = tls13_legacy_connect, + .ssl_shutdown = tls13_legacy_shutdown, + .ssl_renegotiate = ssl_undefined_function, + .ssl_renegotiate_check = ssl_ok, + .ssl_pending = tls13_legacy_pending, + .ssl_read_bytes = tls13_legacy_read_bytes, + .ssl_write_bytes = tls13_legacy_write_bytes, + .ssl3_enc = &TLSv1_3_enc_data, +}; + +static const SSL_METHOD TLS_method_data = { + .ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLS_method_internal_data, +}; +#endif + +static const SSL_METHOD_INTERNAL TLS_legacy_method_internal_data = { + .version = TLS1_2_VERSION, + .min_version = TLS1_VERSION, + .max_version = TLS1_2_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl_undefined_function, + .ssl_renegotiate_check = ssl_ok, + .ssl_pending = ssl3_pending, + 
.ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .ssl3_enc = &TLSv1_2_enc_data, +}; + +static const SSL_METHOD TLS_legacy_method_data = { + .ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLS_legacy_method_internal_data, +}; + +static const SSL_METHOD_INTERNAL TLSv1_method_internal_data = { + .version = TLS1_VERSION, + .min_version = TLS1_VERSION, + .max_version = TLS1_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .ssl3_enc = &TLSv1_enc_data, +}; + +static const SSL_METHOD TLSv1_method_data = { + .ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLSv1_method_internal_data, +}; + +static const SSL_METHOD_INTERNAL TLSv1_1_method_internal_data = { + .version = TLS1_1_VERSION, + .min_version = TLS1_1_VERSION, + .max_version = TLS1_1_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .ssl3_enc = &TLSv1_1_enc_data, +}; + +static const SSL_METHOD TLSv1_1_method_data = { + .ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + 
.get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLSv1_1_method_internal_data, +}; + +static const SSL_METHOD_INTERNAL TLSv1_2_method_internal_data = { + .version = TLS1_2_VERSION, + .min_version = TLS1_2_VERSION, + .max_version = TLS1_2_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl3_connect, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .ssl3_enc = &TLSv1_2_enc_data, +}; + +static const SSL_METHOD TLSv1_2_method_data = { + .ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLSv1_2_method_internal_data, +}; + +const SSL_METHOD * +SSLv23_method(void) +{ + return (TLS_method()); +} + +const SSL_METHOD * +TLS_method(void) +{ +#if defined(LIBRESSL_HAS_TLS1_3_CLIENT) && defined(LIBRESSL_HAS_TLS1_3_SERVER) + return (&TLS_method_data); +#else + return tls_legacy_method(); +#endif +} + +const SSL_METHOD * +tls_legacy_method(void) +{ + return (&TLS_legacy_method_data); +} + +const SSL_METHOD * +TLSv1_method(void) +{ + return (&TLSv1_method_data); +} + +const SSL_METHOD * +TLSv1_1_method(void) +{ + return (&TLSv1_1_method_data); +} + +const SSL_METHOD * +TLSv1_2_method(void) +{ + return (&TLSv1_2_method_data); +} + +#ifdef LIBRESSL_HAS_TLS1_3_SERVER +static const SSL_METHOD_INTERNAL TLS_server_method_internal_data = { + .version = TLS1_3_VERSION, + .min_version = TLS1_VERSION, + .max_version = TLS1_3_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = tls13_legacy_accept, + .ssl_connect = 
ssl_undefined_function, + .ssl_shutdown = tls13_legacy_shutdown, + .ssl_renegotiate = ssl_undefined_function, + .ssl_renegotiate_check = ssl_ok, + .ssl_pending = tls13_legacy_pending, + .ssl_read_bytes = tls13_legacy_read_bytes, + .ssl_write_bytes = tls13_legacy_write_bytes, + .ssl3_enc = &TLSv1_3_enc_data, +}; + +static const SSL_METHOD TLS_server_method_data = { + .ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLS_server_method_internal_data, +}; +#endif + +static const SSL_METHOD_INTERNAL TLS_legacy_server_method_internal_data = { + .version = TLS1_2_VERSION, + .min_version = TLS1_VERSION, + .max_version = TLS1_2_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl_undefined_function, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl_undefined_function, + .ssl_renegotiate_check = ssl_ok, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .ssl3_enc = &TLSv1_2_enc_data, +}; + +static const SSL_METHOD TLS_legacy_server_method_data = { + .ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLS_legacy_server_method_internal_data, +}; + +static const SSL_METHOD_INTERNAL TLSv1_server_method_internal_data = { + .version = TLS1_VERSION, + .min_version = TLS1_VERSION, + .max_version = TLS1_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl_undefined_function, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = 
ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .ssl3_enc = &TLSv1_enc_data, +}; + +static const SSL_METHOD TLSv1_server_method_data = { + .ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLSv1_server_method_internal_data, +}; + +static const SSL_METHOD_INTERNAL TLSv1_1_server_method_internal_data = { + .version = TLS1_1_VERSION, + .min_version = TLS1_1_VERSION, + .max_version = TLS1_1_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl_undefined_function, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .ssl3_enc = &TLSv1_1_enc_data, +}; + +static const SSL_METHOD TLSv1_1_server_method_data = { + .ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLSv1_1_server_method_internal_data, +}; + +static const SSL_METHOD_INTERNAL TLSv1_2_server_method_internal_data = { + .version = TLS1_2_VERSION, + .min_version = TLS1_2_VERSION, + .max_version = TLS1_2_VERSION, + .ssl_new = tls1_new, + .ssl_clear = tls1_clear, + .ssl_free = tls1_free, + .ssl_accept = ssl3_accept, + .ssl_connect = ssl_undefined_function, + .ssl_shutdown = ssl3_shutdown, + .ssl_renegotiate = ssl3_renegotiate, + .ssl_renegotiate_check = ssl3_renegotiate_check, + .ssl_pending = ssl3_pending, + .ssl_read_bytes = ssl3_read_bytes, + .ssl_write_bytes = ssl3_write_bytes, + .ssl3_enc = &TLSv1_2_enc_data, +}; + +static const SSL_METHOD TLSv1_2_server_method_data = { + 
.ssl_dispatch_alert = ssl3_dispatch_alert, + .num_ciphers = ssl3_num_ciphers, + .get_cipher = ssl3_get_cipher, + .get_cipher_by_char = ssl3_get_cipher_by_char, + .put_cipher_by_char = ssl3_put_cipher_by_char, + .internal = &TLSv1_2_server_method_internal_data, +}; + +const SSL_METHOD * +SSLv23_server_method(void) +{ + return (TLS_server_method()); +} + +const SSL_METHOD * +TLS_server_method(void) +{ +#ifdef LIBRESSL_HAS_TLS1_3_SERVER + return (&TLS_server_method_data); +#else + return tls_legacy_server_method(); +#endif +} + +const SSL_METHOD * +tls_legacy_server_method(void) +{ + return (&TLS_legacy_server_method_data); +} + +const SSL_METHOD * +TLSv1_server_method(void) +{ + return (&TLSv1_server_method_data); +} + +const SSL_METHOD * +TLSv1_1_server_method(void) +{ + return (&TLSv1_1_server_method_data); +} + +const SSL_METHOD * +TLSv1_2_server_method(void) +{ + return (&TLSv1_2_server_method_data); +} + +const SSL_METHOD * +ssl_get_client_method(uint16_t version) +{ + if (version == TLS1_3_VERSION) + return (TLS_client_method()); + if (version == TLS1_2_VERSION) + return (TLSv1_2_client_method()); + if (version == TLS1_1_VERSION) + return (TLSv1_1_client_method()); + if (version == TLS1_VERSION) + return (TLSv1_client_method()); + if (version == DTLS1_VERSION) + return (DTLSv1_client_method()); + + return (NULL); +} + +const SSL_METHOD * +ssl_get_server_method(uint16_t version) +{ + if (version == TLS1_3_VERSION) + return (TLS_server_method()); + if (version == TLS1_2_VERSION) + return (TLSv1_2_server_method()); + if (version == TLS1_1_VERSION) + return (TLSv1_1_server_method()); + if (version == TLS1_VERSION) + return (TLSv1_server_method()); + if (version == DTLS1_VERSION) + return (DTLSv1_server_method()); + + return (NULL); +} diff --git a/ssl/ssl_packet.c b/ssl/ssl_packet.c index 5556ffb..d8fb409 100644 --- a/ssl/ssl_packet.c +++ b/ssl/ssl_packet.c 
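Review bot: `ssl_get_client_method` and `ssl_get_server_method` answer `TLS1_3_VERSION` with `TLS_client_method()`/`TLS_server_method()`, but when `LIBRESSL_HAS_TLS1_3_CLIENT`/`LIBRESSL_HAS_TLS1_3_SERVER` is not defined those functions return the `TLS_legacy_*` tables whose `max_version` is `TLS1_2_VERSION`, so a lookup for TLS 1.3 silently hands back a method that cannot negotiate 1.3 instead of NULL as for every other unsupported version. Unless callers are known to tolerate that downgrade, the two `TLS1_3_VERSION` cases should sit under the same `#ifdef` guards the method tables above already use, as sketched below. Separately, the version-pinned `TLSv1_*_method` tables keep `ssl3_renegotiate`/`ssl3_renegotiate_check` while the `TLS_legacy_*` tables set `ssl_renegotiate` to `ssl_undefined_function`; a one-line comment above the first pinned table saying why renegotiation remains reachable there would stop the next reader from reading it as an oversight.
```c
const SSL_METHOD *
ssl_get_client_method(uint16_t version)
{
#ifdef LIBRESSL_HAS_TLS1_3_CLIENT
	if (version == TLS1_3_VERSION)
		return (TLS_client_method());
#endif
	/* … unchanged: TLS 1.2, 1.1, 1.0 and DTLS 1.0 lookups … */
}

const SSL_METHOD *
ssl_get_server_method(uint16_t version)
{
#ifdef LIBRESSL_HAS_TLS1_3_SERVER
	if (version == TLS1_3_VERSION)
		return (TLS_server_method());
#endif
	/* … unchanged: TLS 1.2, 1.1, 1.0 and DTLS 1.0 lookups … */
}
```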
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_packet.c,v 1.6 2017/05/06 16:18:36 jsing Exp $ */
+/* $OpenBSD: ssl_packet.c,v 1.8 2018/11/08 22:28:52 jsing Exp $ */
 /*
  * Copyright (c) 2016, 2017 Joel Sing
  *
@@ -120,7 +120,7 @@ ssl_convert_sslv2_client_hello(SSL *s)
 	if (n != record_length + 2)
 		return n;
 
-	tls1_finish_mac(s, s->internal->packet + 2,
+	tls1_transcript_record(s, s->internal->packet + 2,
 	    s->internal->packet_length - 2);
 
 	s->internal->mac_packet = 0;
@@ -210,10 +210,10 @@ ssl_convert_sslv2_client_hello(SSL *s)
 	if (!CBB_finish(&cbb, &data, &data_len))
 		goto err;
 
-	if (data_len > s->s3->rbuf.len)
+	if (data_len > S3I(s)->rbuf.len)
 		goto err;
 
-	s->internal->packet = s->s3->rbuf.buf;
+	s->internal->packet = S3I(s)->rbuf.buf;
 	s->internal->packet_length = data_len;
 	memcpy(s->internal->packet, data, data_len);
 	ret = 1;
diff --git a/ssl/ssl_pkt.c b/ssl/ssl_pkt.c
index 163b029..c9c8647 100644
--- a/ssl/ssl_pkt.c
+++ b/ssl/ssl_pkt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_pkt.c,v 1.12 2017/05/07 04:22:24 beck Exp $ */
+/* $OpenBSD: ssl_pkt.c,v 1.31 2020/08/30 15:40:20 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -120,7 +120,7 @@
 #include "bytestring.h"
 
 static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
-    unsigned int len, int create_empty_fragment);
+    unsigned int len);
 static int ssl3_get_record(SSL *s);
 
 /*
@@ -141,7 +141,7 @@ ssl_force_want_read(SSL *s)
 /*
  * If extend == 0, obtain new n-byte packet; if extend == 1, increase
  * packet by another n bytes.
- * The packet will be in the sub-array of s->s3->rbuf.buf specified
+ * The packet will be in the sub-array of S3I(s)->rbuf.buf specified
  * by s->internal->packet and s->internal->packet_length.
  * (If s->internal->read_ahead is set, 'max' bytes may be stored in rbuf
  * [plus s->internal->packet_length bytes if extend == 1].)
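Review bot: In the ssl_packet.c `@@ -120,7` hunk the result of `tls1_transcript_record` is discarded, yet the prototype this change adds to ssl_locl.h declares it `int`, so a failure to record the converted SSLv2 ClientHello (an allocation failure inside the transcript code, for instance) would leave the handshake transcript incomplete while the handshake carries on and the Finished verification is later computed over the wrong data. The old `tls1_finish_mac` call had the same gap, but the rename is the natural point to close it, in the same spirit as the checked `CBB_finish` later in the function: `if (!tls1_transcript_record(s, s->internal->packet + 2, s->internal->packet_length - 2)) return -1;` — or whichever failure value the callers of `ssl_convert_sslv2_client_hello` expect, since that function starts and ends outside this hunk. The `s->s3` → `S3I(s)` substitutions in the following hunk are mechanical, and the `data_len > S3I(s)->rbuf.len` check before the `memcpy` stays in place.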
@@ -152,12 +152,12 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
 	int i, len, left;
 	size_t align;
 	unsigned char *pkt;
-	SSL3_BUFFER *rb;
+	SSL3_BUFFER_INTERNAL *rb;
 
 	if (n <= 0)
 		return n;
 
-	rb = &(s->s3->rbuf);
+	rb = &(S3I(s)->rbuf);
 	if (rb->buf == NULL)
 		if (!ssl3_setup_read_buffer(s))
 			return -1;
@@ -239,7 +239,7 @@ ssl3_read_n(SSL *s, int n, int max, int extend)
 	}
 
 	while (left < n) {
-		/* Now we have len+left bytes at the front of s->s3->rbuf.buf
+		/* Now we have len+left bytes at the front of S3I(s)->rbuf.buf
 		 * and need to read in more until we have len+n (up to
 		 * len+max if possible) */
 
@@ -288,7 +288,7 @@ ssl3_packet_read(SSL *s, int plen)
 {
 	int n;
 
-	n = ssl3_read_n(s, plen, s->s3->rbuf.len, 0);
+	n = ssl3_read_n(s, plen, S3I(s)->rbuf.len, 0);
 	if (n <= 0)
 		return n;
 	if (s->internal->packet_length < plen)
@@ -329,10 +329,10 @@ ssl3_get_record(SSL *s)
 {
 	int al;
 	int enc_err, n, i, ret = -1;
-	SSL3_RECORD *rr;
+	SSL3_RECORD_INTERNAL *rr;
 	SSL_SESSION *sess;
 	unsigned char md[EVP_MAX_MD_SIZE];
-	unsigned mac_size, orig_len;
+	unsigned int mac_size, orig_len;
 
 	rr = &(S3I(s)->rrec);
 	sess = s->session;
@@ -360,7 +360,7 @@ ssl3_get_record(SSL *s)
 
 	CBS_init(&header, s->internal->packet, SSL3_RT_HEADER_LENGTH);
 
-	/* Pull apart the header into the SSL3_RECORD */
+	/* Pull apart the header into the SSL3_RECORD_INTERNAL */
 	if (!CBS_get_u8(&header, &type) ||
 	    !CBS_get_u16(&header, &ssl_version) ||
 	    !CBS_get_u16(&header, &len)) {
@@ -387,7 +387,7 @@ ssl3_get_record(SSL *s)
 		goto err;
 	}
 
-	if (rr->length > s->s3->rbuf.len - SSL3_RT_HEADER_LENGTH) {
+	if (rr->length > S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH) {
 		al = SSL_AD_RECORD_OVERFLOW;
 		SSLerror(s, SSL_R_PACKET_LENGTH_TOO_LONG);
 		goto f_err;
@@ -431,18 +431,16 @@ ssl3_get_record(SSL *s)
 	/* decrypt in place in 'rr->input' */
 	rr->data = rr->input;
 
-	enc_err = s->method->internal->ssl3_enc->enc(s, 0);
 	/* enc_err is:
 	 *    0: (in non-constant time) if the record is publically invalid.
 	 *    1: if the padding is valid
 	 *   -1: if the padding is invalid */
-	if (enc_err == 0) {
-		al = SSL_AD_DECRYPTION_FAILED;
+	if ((enc_err = tls1_enc(s, 0)) == 0) {
+		al = SSL_AD_BAD_RECORD_MAC;
 		SSLerror(s, SSL_R_BLOCK_CIPHER_PAD_IS_WRONG);
 		goto f_err;
 	}
 
-	/* r->length is now the compressed data plus mac */
 	if ((sess != NULL) && (s->enc_read_ctx != NULL) &&
 	    (EVP_MD_CTX_md(s->read_hash) != NULL)) {
@@ -453,8 +451,7 @@ ssl3_get_record(SSL *s)
 		mac_size = EVP_MD_CTX_size(s->read_hash);
 		OPENSSL_assert(mac_size <= EVP_MAX_MD_SIZE);
 
-		/* kludge: *_cbc_remove_padding passes padding length in rr->type */
-		orig_len = rr->length + ((unsigned int)rr->type >> 8);
+		orig_len = rr->length + rr->padding_length;
 
 		/* orig_len is the length of the record before any padding was
 		 * removed. This is public information, as is the MAC in use,
@@ -596,7 +593,7 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 		else
 			nw = n;
 
-		i = do_ssl3_write(s, type, &(buf[tot]), nw, 0);
+		i = do_ssl3_write(s, type, &(buf[tot]), nw);
 		if (i <= 0) {
 			S3I(s)->wnum = tot;
 			return i;
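Review bot: Changing the alert for a publicly invalid record from `SSL_AD_DECRYPTION_FAILED` to `SSL_AD_BAD_RECORD_MAC` in the `@@ -431` hunk is the correct choice — RFC 5246 §7.2.2 says decryption_failed MUST NOT be sent, precisely because telling padding failures apart from MAC failures is what fed Vaudenay-style padding oracles — but nothing in the code records that intent, and the comment immediately above still only lists the return codes. I would extend that comment with `* Always report bad_record_mac here: decryption_failed must not be sent (RFC 5246 7.2.2) since it would distinguish padding from MAC errors.` so nobody later "restores" the more specific alert. The direct `tls1_enc(s, 0)` call in place of the `ssl3_enc->enc` dispatch is consistent with `dtls1_enc` being dropped from ssl_locl.h in this same change, but it hardwires the read path to the TLS1 record layer; if nothing else dereferences the `enc` member of the `ssl3_enc` tables it should be removed too, otherwise a future DTLS-specific routine could be wired up there and silently never called. `ssl3_get_record` starts and ends outside this hunk; the `-1` (bad padding) case is presumably folded into the MAC check below it.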
@@ -620,215 +617,121 @@ ssl3_write_bytes(SSL *s, int type, const void *buf_, int len) } static int -do_ssl3_write(SSL *s, int type, const unsigned char *buf, - unsigned int len, int create_empty_fragment) +do_ssl3_write(SSL *s, int type, const unsigned char *buf, unsigned int len) { - unsigned char *p, *plen; - int i, mac_size, clear = 0; - int prefix_len = 0; - int eivlen; - size_t align; - SSL3_RECORD *wr; - SSL3_BUFFER *wb = &(s->s3->wbuf); - SSL_SESSION *sess; + SSL3_BUFFER_INTERNAL *wb = &(S3I(s)->wbuf); + SSL_SESSION *sess = s->session; + int need_empty_fragment = 0; + size_t align, out_len; + uint16_t version; + CBB cbb; + int ret; + + memset(&cbb, 0, sizeof(cbb)); if (wb->buf == NULL) if (!ssl3_setup_write_buffer(s)) return -1; - /* first check if there is a SSL3_BUFFER still being written - * out. This will happen with non blocking IO */ + /* + * First check if there is a SSL3_BUFFER_INTERNAL still being written + * out. This will happen with non blocking IO. + */ if (wb->left != 0) return (ssl3_write_pending(s, type, buf, len)); - /* If we have an alert to send, lets send it */ - if (s->s3->alert_dispatch) { - i = s->method->ssl_dispatch_alert(s); - if (i <= 0) - return (i); - /* if it went, fall through and send more stuff */ - /* we may have released our buffer, so get it again */ + /* If we have an alert to send, let's send it. */ + if (S3I(s)->alert_dispatch) { + if ((ret = s->method->ssl_dispatch_alert(s)) <= 0) + return (ret); + /* If it went, fall through and send more stuff. */ + + /* We may have released our buffer, if so get it again. */ if (wb->buf == NULL) if (!ssl3_setup_write_buffer(s)) return -1; } - if (len == 0 && !create_empty_fragment) + if (len == 0) return 0; - wr = &(S3I(s)->wrec); - sess = s->session; + /* + * Some servers hang if initial client hello is larger than 256 + * bytes and record version number > TLS 1.0. 
+ */ + version = s->version; + if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_B && !s->internal->renegotiate && + TLS1_get_version(s) > TLS1_VERSION) + version = TLS1_VERSION; - if ((sess == NULL) || (s->internal->enc_write_ctx == NULL) || - (EVP_MD_CTX_md(s->internal->write_hash) == NULL)) { - clear = s->internal->enc_write_ctx ? 0 : 1; /* must be AEAD cipher */ - mac_size = 0; - } else { - mac_size = EVP_MD_CTX_size(s->internal->write_hash); - if (mac_size < 0) - goto err; + /* + * Countermeasure against known-IV weakness in CBC ciphersuites + * (see http://www.openssl.org/~bodo/tls-cbc.txt). Note that this + * is unnecessary for AEAD. + */ + if (sess != NULL && s->internal->enc_write_ctx != NULL && + EVP_MD_CTX_md(s->internal->write_hash) != NULL) { + if (S3I(s)->need_empty_fragments && + !S3I(s)->empty_fragment_done && + type == SSL3_RT_APPLICATION_DATA) + need_empty_fragment = 1; } /* - * 'create_empty_fragment' is true only when this function calls - * itself. + * An extra fragment would be a couple of cipher blocks, which would + * be a multiple of SSL3_ALIGN_PAYLOAD, so if we want to align the real + * payload, then we can just simply pretend we have two headers. 
*/ - if (!clear && !create_empty_fragment && !S3I(s)->empty_fragment_done) { - /* - * Countermeasure against known-IV weakness in CBC ciphersuites - * (see http://www.openssl.org/~bodo/tls-cbc.txt) - */ - if (S3I(s)->need_empty_fragments && - type == SSL3_RT_APPLICATION_DATA) { - /* recursive function call with 'create_empty_fragment' set; - * this prepares and buffers the data for an empty fragment - * (these 'prefix_len' bytes are sent out later - * together with the actual payload) */ - prefix_len = do_ssl3_write(s, type, buf, 0, 1); - if (prefix_len <= 0) - goto err; + align = (size_t)wb->buf + SSL3_RT_HEADER_LENGTH; + if (need_empty_fragment) + align += SSL3_RT_HEADER_LENGTH; + align = (-align) & (SSL3_ALIGN_PAYLOAD - 1); + wb->offset = align; - if (prefix_len > - (SSL3_RT_HEADER_LENGTH + SSL3_RT_SEND_MAX_ENCRYPTED_OVERHEAD)) { - /* insufficient space */ - SSLerror(s, ERR_R_INTERNAL_ERROR); - goto err; - } - } + if (!CBB_init_fixed(&cbb, wb->buf + align, wb->len - align)) + goto err; + tls12_record_layer_set_version(s->internal->rl, version); + + if (need_empty_fragment) { + if (!tls12_record_layer_seal_record(s->internal->rl, type, + buf, 0, &cbb)) + goto err; S3I(s)->empty_fragment_done = 1; } - if (create_empty_fragment) { - /* extra fragment would be couple of cipher blocks, - * which would be multiple of SSL3_ALIGN_PAYLOAD, so - * if we want to align the real payload, then we can - * just pretent we simply have two headers. 
*/ - align = (size_t)wb->buf + 2 * SSL3_RT_HEADER_LENGTH; - align = (-align) & (SSL3_ALIGN_PAYLOAD - 1); + if (!tls12_record_layer_seal_record(s->internal->rl, type, buf, len, &cbb)) + goto err; - p = wb->buf + align; - wb->offset = align; - } else if (prefix_len) { - p = wb->buf + wb->offset + prefix_len; - } else { - align = (size_t)wb->buf + SSL3_RT_HEADER_LENGTH; - align = (-align) & (SSL3_ALIGN_PAYLOAD - 1); + if (!CBB_finish(&cbb, NULL, &out_len)) + goto err; - p = wb->buf + align; - wb->offset = align; - } + wb->left = out_len; - /* write the header */ - - *(p++) = type&0xff; - wr->type = type; - - *(p++) = (s->version >> 8); - /* Some servers hang if iniatial client hello is larger than 256 - * bytes and record version number > TLS 1.0 + /* + * Memorize arguments so that ssl3_write_pending can detect + * bad write retries later. */ - if (S3I(s)->hs.state == SSL3_ST_CW_CLNT_HELLO_B && !s->internal->renegotiate && - TLS1_get_version(s) > TLS1_VERSION) - *(p++) = 0x1; - else - *(p++) = s->version&0xff; - - /* field where we are to write out packet length */ - plen = p; - p += 2; - - /* Explicit IV length. */ - if (s->internal->enc_write_ctx && SSL_USE_EXPLICIT_IV(s)) { - int mode = EVP_CIPHER_CTX_mode(s->internal->enc_write_ctx); - if (mode == EVP_CIPH_CBC_MODE) { - eivlen = EVP_CIPHER_CTX_iv_length(s->internal->enc_write_ctx); - if (eivlen <= 1) - eivlen = 0; - } - /* Need explicit part of IV for GCM mode */ - else if (mode == EVP_CIPH_GCM_MODE) - eivlen = EVP_GCM_TLS_EXPLICIT_IV_LEN; - else - eivlen = 0; - } else if (s->internal->aead_write_ctx != NULL && - s->internal->aead_write_ctx->variable_nonce_in_record) { - eivlen = s->internal->aead_write_ctx->variable_nonce_len; - } else - eivlen = 0; - - /* lets setup the record stuff. 
*/ - wr->data = p + eivlen; - wr->length = (int)len; - wr->input = (unsigned char *)buf; - - /* we now 'read' from wr->input, wr->length bytes into wr->data */ - - memcpy(wr->data, wr->input, wr->length); - wr->input = wr->data; - - /* we should still have the output to wr->data and the input - * from wr->input. Length should be wr->length. - * wr->data still points in the wb->buf */ - - if (mac_size != 0) { - if (tls1_mac(s, - &(p[wr->length + eivlen]), 1) < 0) - goto err; - wr->length += mac_size; - } - - wr->input = p; - wr->data = p; - - if (eivlen) { - /* if (RAND_pseudo_bytes(p, eivlen) <= 0) - goto err; - */ - wr->length += eivlen; - } - - /* ssl3_enc can only have an error on read */ - s->method->internal->ssl3_enc->enc(s, 1); - - /* record length after mac and block padding */ - s2n(wr->length, plen); - - /* we should now have - * wr->data pointing to the encrypted data, which is - * wr->length long */ - wr->type=type; /* not needed but helps for debugging */ - wr->length += SSL3_RT_HEADER_LENGTH; - - if (create_empty_fragment) { - /* we are in a recursive call; - * just return the length, don't write out anything here - */ - return wr->length; - } - - /* now let's set up wb */ - wb->left = prefix_len + wr->length; - - /* memorize arguments so that ssl3_write_pending can detect - * bad write retries later */ S3I(s)->wpend_tot = len; S3I(s)->wpend_buf = buf; S3I(s)->wpend_type = type; S3I(s)->wpend_ret = len; - /* we now just need to write the buffer */ + /* We now just need to write the buffer. */ return ssl3_write_pending(s, type, buf, len); -err: + + err: + CBB_cleanup(&cbb); + return -1; } -/* if s->s3->wbuf.left != 0, we need to call this */ +/* if S3I(s)->wbuf.left != 0, we need to call this */ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) { int i; - SSL3_BUFFER *wb = &(s->s3->wbuf); + SSL3_BUFFER_INTERNAL *wb = &(S3I(s)->wbuf); /* XXXX */ if ((S3I(s)->wpend_tot > (int)len) || ((S3I(s)->wpend_buf != buf) && 
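Review bot: The known-IV countermeasure comment still points at a dead openssl.org URL and does not say which configurations need the empty fragment; the decision is in fact carried by `S3I(s)->need_empty_fragments`, which is set outside this hunk. Suggest: `/* Empty-fragment countermeasure for predictable CBC IVs in SSLv3/TLS 1.0 (BEAST, CVE-2011-3389). TLS 1.1+ uses explicit IVs and AEAD is unaffected; need_empty_fragments records whether it applies. */`. Two smaller points in the new body: `CBB_init_fixed(&cbb, wb->buf + align, wb->len - align)` relies on ssl3_setup_write_buffer (not visible here) allocating alignment slack, so a guard `if (align > wb->len) goto err;` would make the size_t underflow impossible rather than merely unlikely, and `wb->left = out_len` narrows a size_t into `left`, which the old code assigned from two ints and the next hunk casts to unsigned for BIO_write. ssl3_write_pending's body continues outside the hunk.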
@@ -842,9 +745,8 @@ ssl3_write_pending(SSL *s, int type, const unsigned char *buf, unsigned int len) errno = 0; if (s->wbio != NULL) { s->internal->rwstate = SSL_WRITING; - i = BIO_write(s->wbio, - (char *)&(wb->buf[wb->offset]), - (unsigned int)wb->left); + i = BIO_write(s->wbio, (char *)&(wb->buf[wb->offset]), + (unsigned int)wb->left); } else { SSLerror(s, SSL_R_BIO_NOT_SET); i = -1; @@ -904,9 +806,9 @@ ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek) void (*cb)(const SSL *ssl, int type2, int val) = NULL; int al, i, j, ret, rrcount = 0; unsigned int n; - SSL3_RECORD *rr; + SSL3_RECORD_INTERNAL *rr; - if (s->s3->rbuf.buf == NULL) /* Not initialized yet */ + if (S3I(s)->rbuf.buf == NULL) /* Not initialized yet */ if (!ssl3_setup_read_buffer(s)) return (-1); @@ -1036,7 +938,7 @@ start: s->internal->rstate = SSL_ST_READ_HEADER; rr->off = 0; if (s->internal->mode & SSL_MODE_RELEASE_BUFFERS && - s->s3->rbuf.left == 0) + S3I(s)->rbuf.left == 0) ssl3_release_read_buffer(s); } } @@ -1120,7 +1022,7 @@ start: } if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { - if (s->s3->rbuf.left == 0) { + if (S3I(s)->rbuf.left == 0) { /* no read-ahead left? */ /* In the case where we try to read application data, * but we trigger an SSL handshake, we return -1 with @@ -1281,7 +1183,7 @@ start: } if (!(s->internal->mode & SSL_MODE_AUTO_RETRY)) { - if (s->s3->rbuf.left == 0) { /* no read-ahead left? */ + if (S3I(s)->rbuf.left == 0) { /* no read-ahead left? */ /* In the case where we try to read application data, * but we trigger an SSL handshake, we return -1 with * the retry option set. Otherwise renegotiation may 
@@ -1408,10 +1310,10 @@ ssl3_send_alert(SSL *s, int level, int desc) if ((level == 2) && (s->session != NULL)) SSL_CTX_remove_session(s->ctx, s->session); - s->s3->alert_dispatch = 1; - s->s3->send_alert[0] = level; - s->s3->send_alert[1] = desc; - if (s->s3->wbuf.left == 0) /* data still being written out? */ + S3I(s)->alert_dispatch = 1; + S3I(s)->send_alert[0] = level; + S3I(s)->send_alert[1] = desc; + if (S3I(s)->wbuf.left == 0) /* data still being written out? */ return s->method->ssl_dispatch_alert(s); /* else data is still being written out, we will get written @@ -1425,20 +1327,20 @@ ssl3_dispatch_alert(SSL *s) int i, j; void (*cb)(const SSL *ssl, int type, int val) = NULL; - s->s3->alert_dispatch = 0; - i = do_ssl3_write(s, SSL3_RT_ALERT, &s->s3->send_alert[0], 2, 0); + S3I(s)->alert_dispatch = 0; + i = do_ssl3_write(s, SSL3_RT_ALERT, &S3I(s)->send_alert[0], 2); if (i <= 0) { - s->s3->alert_dispatch = 1; + S3I(s)->alert_dispatch = 1; } else { /* Alert sent to BIO. If it is important, flush it now. * If the message does not get sent due to non-blocking IO, * we will not worry too much. */ - if (s->s3->send_alert[0] == SSL3_AL_FATAL) + if (S3I(s)->send_alert[0] == SSL3_AL_FATAL) (void)BIO_flush(s->wbio); if (s->internal->msg_callback) s->internal->msg_callback(1, s->version, SSL3_RT_ALERT, - s->s3->send_alert, 2, s, s->internal->msg_callback_arg); + S3I(s)->send_alert, 2, s, s->internal->msg_callback_arg); if (s->internal->info_callback != NULL) cb = s->internal->info_callback; @@ -1446,7 +1348,7 @@ ssl3_dispatch_alert(SSL *s) cb = s->ctx->internal->info_callback; if (cb != NULL) { - j = (s->s3->send_alert[0]<<8)|s->s3->send_alert[1]; + j = (S3I(s)->send_alert[0]<<8)|S3I(s)->send_alert[1]; cb(s, SSL_CB_WRITE_ALERT, j); } } diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c index e99ce1e..0936c0b 100644 --- a/ssl/ssl_rsa.c +++ b/ssl/ssl_rsa.c 
@@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_rsa.c,v 1.28 2017/02/07 02:08:38 beck Exp $ */ +/* $OpenBSD: ssl_rsa.c,v 1.31 2019/03/25 16:46:48 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -77,10 +77,6 @@ SSL_use_certificate(SSL *ssl, X509 *x) SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER); return (0); } - if (!ssl_cert_inst(&ssl->cert)) { - SSLerror(ssl, ERR_R_MALLOC_FAILURE); - return (0); - } return (ssl_set_cert(ssl->cert, x)); } @@ -133,7 +129,7 @@ SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len) X509 *x; int ret; - x = d2i_X509(NULL, &d,(long)len); + x = d2i_X509(NULL, &d, (long)len); if (x == NULL) { SSLerror(ssl, ERR_R_ASN1_LIB); return (0); @@ -154,10 +150,6 @@ SSL_use_RSAPrivateKey(SSL *ssl, RSA *rsa) SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER); return (0); } - if (!ssl_cert_inst(&ssl->cert)) { - SSLerror(ssl, ERR_R_MALLOC_FAILURE); - return (0); - } if ((pkey = EVP_PKEY_new()) == NULL) { SSLerror(ssl, ERR_R_EVP_LIB); return (0); @@ -254,14 +246,12 @@ end: } int -SSL_use_RSAPrivateKey_ASN1(SSL *ssl, unsigned char *d, long len) +SSL_use_RSAPrivateKey_ASN1(SSL *ssl, const unsigned char *d, long len) { int ret; - const unsigned char *p; RSA *rsa; - p = d; - if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) { + if ((rsa = d2i_RSAPrivateKey(NULL, &d, (long)len)) == NULL) { SSLerror(ssl, ERR_R_ASN1_LIB); return (0); } @@ -280,10 +270,6 @@ SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) SSLerror(ssl, ERR_R_PASSED_NULL_PARAMETER); return (0); } - if (!ssl_cert_inst(&ssl->cert)) { - SSLerror(ssl, ERR_R_MALLOC_FAILURE); - return (0); - } ret = ssl_set_pkey(ssl->cert, pkey); return (ret); } 
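Review bot: Dropping `ssl_cert_inst(&ssl->cert)` makes `ssl_set_cert(ssl->cert, x)` depend on ssl->cert already being allocated, and nothing in this hunk or in the parallel removals further down the file says where that invariant is now established; presumably SSL_new/SSL_CTX_new allocate it unconditionally, but ssl_set_cert is outside the view and may dereference a NULL cert. A one-line comment at this first site would document the contract for the next reader: `/* ssl->cert is always allocated by SSL_new(); no lazy instantiation here. */`. If that is not guaranteed, `if (ssl->cert == NULL) return (0);` is the cheap guard.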
@@ -332,11 +318,9 @@ int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, const unsigned char *d, long len) { int ret; - const unsigned char *p; EVP_PKEY *pkey; - p = d; - if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) { + if ((pkey = d2i_PrivateKey(type, NULL, &d, (long)len)) == NULL) { SSLerror(ssl, ERR_R_ASN1_LIB); return (0); } @@ -353,10 +337,6 @@ SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); return (0); } - if (!ssl_cert_inst(&ctx->internal->cert)) { - SSLerrorx(ERR_R_MALLOC_FAILURE); - return (0); - } return (ssl_set_cert(ctx->internal->cert, x)); } @@ -465,7 +445,7 @@ SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, const unsigned char *d) X509 *x; int ret; - x = d2i_X509(NULL, &d,(long)len); + x = d2i_X509(NULL, &d, (long)len); if (x == NULL) { SSLerrorx(ERR_R_ASN1_LIB); return (0); @@ -486,10 +466,6 @@ SSL_CTX_use_RSAPrivateKey(SSL_CTX *ctx, RSA *rsa) SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); return (0); } - if (!ssl_cert_inst(&ctx->internal->cert)) { - SSLerrorx(ERR_R_MALLOC_FAILURE); - return (0); - } if ((pkey = EVP_PKEY_new()) == NULL) { SSLerrorx(ERR_R_EVP_LIB); return (0); @@ -547,11 +523,9 @@ int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len) { int ret; - const unsigned char *p; RSA *rsa; - p = d; - if ((rsa = d2i_RSAPrivateKey(NULL, &p,(long)len)) == NULL) { + if ((rsa = d2i_RSAPrivateKey(NULL, &d, (long)len)) == NULL) { SSLerrorx(ERR_R_ASN1_LIB); return (0); } @@ -568,10 +542,6 @@ SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) SSLerrorx(ERR_R_PASSED_NULL_PARAMETER); return (0); } - if (!ssl_cert_inst(&ctx->internal->cert)) { - SSLerrorx(ERR_R_MALLOC_FAILURE); - return (0); - } return (ssl_set_pkey(ctx->internal->cert, pkey)); } 
@@ -620,11 +590,9 @@ SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d, long len) { int ret; - const unsigned char *p; EVP_PKEY *pkey; - p = d; - if ((pkey = d2i_PrivateKey(type, NULL, &p,(long)len)) == NULL) { + if ((pkey = d2i_PrivateKey(type, NULL, &d, (long)len)) == NULL) { SSLerrorx(ERR_R_ASN1_LIB); return (0); } 
@@ -643,63 +611,43 @@ SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, const unsigned char *d, static int ssl_ctx_use_certificate_chain_bio(SSL_CTX *ctx, BIO *in) { + X509 *ca, *x = NULL; + unsigned long err; int ret = 0; - X509 *x = NULL; - ERR_clear_error(); /* clear error stack for SSL_CTX_use_certificate() */ - - x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata); - if (x == NULL) { + if ((x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, + ctx->default_passwd_callback_userdata)) == NULL) { SSLerrorx(ERR_R_PEM_LIB); - goto end; + goto err; } - ret = SSL_CTX_use_certificate(ctx, x); + if (!SSL_CTX_use_certificate(ctx, x)) + goto err; - if (ERR_peek_error() != 0) - ret = 0; - /* Key/certificate mismatch doesn't imply ret==0 ... */ - if (ret) { - /* - * If we could set up our certificate, now proceed to - * the CA certificates. - */ - X509 *ca; - int r; - unsigned long err; + if (!ssl_cert_set0_chain(ctx->internal->cert, NULL)) + goto err; - sk_X509_pop_free(ctx->extra_certs, X509_free); - ctx->extra_certs = NULL; - - while ((ca = PEM_read_bio_X509(in, NULL, - ctx->default_passwd_callback, - ctx->default_passwd_callback_userdata)) != NULL) { - r = SSL_CTX_add_extra_chain_cert(ctx, ca); - if (!r) { - X509_free(ca); - ret = 0; - goto end; - } - /* - * Note that we must not free r if it was successfully - * added to the chain (while we must free the main - * certificate, since its reference count is increased - * by SSL_CTX_use_certificate). - */ + /* Process any additional CA certificates. */ + while ((ca = PEM_read_bio_X509(in, NULL, + ctx->default_passwd_callback, + ctx->default_passwd_callback_userdata)) != NULL) { + if (!ssl_cert_add0_chain_cert(ctx->internal->cert, ca)) { + X509_free(ca); + goto err; } - - /* When the while loop ends, it's usually just EOF. 
*/ - err = ERR_peek_last_error(); - if (ERR_GET_LIB(err) == ERR_LIB_PEM && - ERR_GET_REASON(err) == PEM_R_NO_START_LINE) - ERR_clear_error(); - else - ret = 0; /* some real error */ } -end: + /* When the while loop ends, it's usually just EOF. */ + err = ERR_peek_last_error(); + if (ERR_GET_LIB(err) == ERR_LIB_PEM && + ERR_GET_REASON(err) == PEM_R_NO_START_LINE) { + ERR_clear_error(); + ret = 1; + } + + err: X509_free(x); + return (ret); } diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c index b3ee7ef..d805419 100644 --- a/ssl/ssl_sess.c +++ b/ssl/ssl_sess.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_sess.c,v 1.79 2018/03/20 15:28:12 tb Exp $ */ +/* $OpenBSD: ssl_sess.c,v 1.100 2020/09/19 09:56:35 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -194,6 +194,18 @@ SSL_SESSION_get_ex_data(const SSL_SESSION *s, int idx) return (CRYPTO_get_ex_data(&s->internal->ex_data, idx)); } +uint32_t +SSL_SESSION_get_max_early_data(const SSL_SESSION *s) +{ + return 0; +} + +int +SSL_SESSION_set_max_early_data(SSL_SESSION *s, uint32_t max_early_data) +{ + return 1; +} + SSL_SESSION * SSL_SESSION_new(void) { @@ -385,7 +397,7 @@ ssl_get_new_session(SSL *s, int session) return (0); } -sess_id_done: + sess_id_done: if (s->tlsext_hostname) { ss->tlsext_hostname = strdup(s->tlsext_hostname); if (ss->tlsext_hostname == NULL) { 
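Review bot: The entry-point `ERR_clear_error()` was removed, so the end-of-chain test on `ERR_peek_last_error()` now assumes the final PEM_read_bio_X509() failure queued its own PEM_R_NO_START_LINE; should it ever return NULL without queuing an error, a stale NO_START_LINE left on the thread's error queue by an earlier call would turn a real failure into `ret = 1`. The old pre-clear cost nothing and removed that dependency, so either keep it or state the assumption: `/* Relies on PEM_read_bio_X509() always queuing an error on failure; EOF is reported as PEM_R_NO_START_LINE. */`. It is also worth a comment that on the `err` path the leaf certificate may already be installed on ctx while the chain is empty or partial, so callers must treat a 0 return as leaving ctx unusable. The function starts at the top of this hunk and ends within it.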
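Review bot: `SSL_SESSION_set_max_early_data` returns 1 while discarding its argument, so an application ported from OpenSSL can believe it enabled 0-RTT when the getter will always report 0, and neither stub says so. Since early data is the replayable part of TLS 1.3, the no-op should be explicit; above the pair: `/* Early data (0-RTT) is not supported. These exist for API compatibility: the getter always reports 0 and the setter accepts and ignores the value. */`. The unused `s`/`max_early_data` parameters are acceptable in a compatibility shim, but a `(void)` cast keeps -Wunused-parameter quiet.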
@@ -413,15 +425,94 @@ sess_id_done: return (1); } +static SSL_SESSION * +ssl_session_from_cache(SSL *s, CBS *session_id) +{ + SSL_SESSION *sess; + SSL_SESSION data; + + if ((s->session_ctx->internal->session_cache_mode & + SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) + return NULL; + + memset(&data, 0, sizeof(data)); + + data.ssl_version = s->version; + data.session_id_length = CBS_len(session_id); + memcpy(data.session_id, CBS_data(session_id), CBS_len(session_id)); + + CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); + sess = lh_SSL_SESSION_retrieve(s->session_ctx->internal->sessions, &data); + if (sess != NULL) + CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION); + CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); + + if (sess == NULL) + s->session_ctx->internal->stats.sess_miss++; + + return sess; +} + +static SSL_SESSION * +ssl_session_from_callback(SSL *s, CBS *session_id) +{ + SSL_SESSION *sess; + int copy; + + if (s->session_ctx->internal->get_session_cb == NULL) + return NULL; + + copy = 1; + if ((sess = s->session_ctx->internal->get_session_cb(s, + CBS_data(session_id), CBS_len(session_id), ©)) == NULL) + return NULL; + /* + * The copy handler may have set copy == 0 to indicate that the session + * structures are shared between threads and that it handles the + * reference count itself. If it didn't set copy to zero, we must + * increment the reference count. + */ + if (copy) + CRYPTO_add(&sess->references, 1, CRYPTO_LOCK_SSL_SESSION); + + s->session_ctx->internal->stats.sess_cb_hit++; + + /* Add the externally cached session to the internal cache as well. */ + if (!(s->session_ctx->internal->session_cache_mode & + SSL_SESS_CACHE_NO_INTERNAL_STORE)) { + /* + * The following should not return 1, + * otherwise, things are very strange. 
+ */ + SSL_CTX_add_session(s->session_ctx, sess); + } + + return sess; +} + +static SSL_SESSION * +ssl_session_by_id(SSL *s, CBS *session_id) +{ + SSL_SESSION *sess; + + if (CBS_len(session_id) == 0) + return NULL; + + if ((sess = ssl_session_from_cache(s, session_id)) == NULL) + sess = ssl_session_from_callback(s, session_id); + + return sess; +} + /* - * ssl_get_prev attempts to find an SSL_SESSION to be used to resume this - * connection. It is only called by servers. + * ssl_get_prev_session attempts to find an SSL_SESSION to be used to resume + * this connection. It is only called by servers. * * session_id: points at the session ID in the ClientHello. This code will * read past the end of this in order to parse out the session ticket * extension, if any. - * len: the length of the session ID. - * limit: a pointer to the first byte after the ClientHello. + * ext_block: a CBS for the ClientHello extensions block. + * alert: alert that the caller should send in case of failure. * * Returns: * -1: error 
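Review bot: `ssl_session_from_cache` copies `CBS_len(session_id)` bytes into the fixed `data.session_id` array with no length check of its own; it is safe only because the caller rejects `CBS_len(session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH` first, and that guard lives in a different function. A helper that writes into a fixed buffer should carry its own bound: `if (CBS_len(session_id) > sizeof(data.session_id)) return NULL;` before the memcpy. Separately, the reworked header comment for ssl_get_prev_session still says of session_id that "This code will read past the end of this in order to parse out the session ticket extension", which is no longer true now that the extensions arrive in `ext_block`; drop that sentence. ssl_get_prev_session's body continues outside the hunk.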
@@ -431,109 +522,64 @@ sess_id_done: * - If a session is found then s->session is pointed at it (after freeing * an existing session if need be) and s->verify_result is set from the * session. - * - Both for new and resumed sessions, s->internal->tlsext_ticket_expected is set - * to 1 if the server should issue a new session ticket (to 0 otherwise). + * - For both new and resumed sessions, s->internal->tlsext_ticket_expected + * indicates whether the server should issue a new session ticket or not. */ int -ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, - const unsigned char *limit) +ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) { - SSL_SESSION *ret = NULL; - int fatal = 0; - int try_session_cache = 1; - int r; + SSL_SESSION *sess = NULL; + size_t session_id_len; + int alert_desc = SSL_AD_INTERNAL_ERROR, fatal = 0; + int ticket_decrypted = 0; /* This is used only by servers. */ - if (len > SSL_MAX_SSL_SESSION_ID_LENGTH) + if (CBS_len(session_id) > SSL_MAX_SSL_SESSION_ID_LENGTH) goto err; - if (len == 0) - try_session_cache = 0; - /* Sets s->internal->tlsext_ticket_expected. */ - r = tls1_process_ticket(s, session_id, len, limit, &ret); - switch (r) { - case -1: /* Error during processing */ + switch (tls1_process_ticket(s, ext_block, &alert_desc, &sess)) { + case TLS1_TICKET_FATAL_ERROR: fatal = 1; goto err; - case 0: /* No ticket found */ - case 1: /* Zero length ticket found */ - break; /* Ok to carry on processing session id. */ - case 2: /* Ticket found but not decrypted. */ - case 3: /* Ticket decrypted, *ret has been set. */ - try_session_cache = 0; + case TLS1_TICKET_NONE: + case TLS1_TICKET_EMPTY: + if ((sess = ssl_session_by_id(s, session_id)) == NULL) + goto err; + break; + case TLS1_TICKET_NOT_DECRYPTED: + goto err; + case TLS1_TICKET_DECRYPTED: + ticket_decrypted = 1; + + /* + * The session ID is used by some clients to detect that the + * ticket has been accepted so we copy it into sess. 
+ */ + if (!CBS_write_bytes(session_id, sess->session_id, + sizeof(sess->session_id), &session_id_len)) { + fatal = 1; + goto err; + } + sess->session_id_length = (unsigned int)session_id_len; break; default: - abort(); - } - - if (try_session_cache && ret == NULL && - !(s->session_ctx->internal->session_cache_mode & - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP)) { - SSL_SESSION data; - data.ssl_version = s->version; - data.session_id_length = len; - memcpy(data.session_id, session_id, len); - - CRYPTO_r_lock(CRYPTO_LOCK_SSL_CTX); - ret = lh_SSL_SESSION_retrieve(s->session_ctx->internal->sessions, &data); - if (ret != NULL) { - /* Don't allow other threads to steal it. */ - CRYPTO_add(&ret->references, 1, - CRYPTO_LOCK_SSL_SESSION); - } - CRYPTO_r_unlock(CRYPTO_LOCK_SSL_CTX); - - if (ret == NULL) - s->session_ctx->internal->stats.sess_miss++; - } - - if (try_session_cache && ret == NULL && - s->session_ctx->internal->get_session_cb != NULL) { - int copy = 1; - - if ((ret = s->session_ctx->internal->get_session_cb(s, - session_id, len, ©))) { - s->session_ctx->internal->stats.sess_cb_hit++; - - /* - * Increment reference count now if the session - * callback asks us to do so (note that if the session - * structures returned by the callback are shared - * between threads, it must handle the reference count - * itself [i.e. copy == 0], or things won't be - * thread-safe). - */ - if (copy) - CRYPTO_add(&ret->references, 1, - CRYPTO_LOCK_SSL_SESSION); - - /* - * Add the externally cached session to the internal - * cache as well if and only if we are supposed to. - */ - if (!(s->session_ctx->internal->session_cache_mode & - SSL_SESS_CACHE_NO_INTERNAL_STORE)) - /* - * The following should not return 1, - * otherwise, things are very strange. - */ - SSL_CTX_add_session(s->session_ctx, ret); - } - } - - if (ret == NULL) + SSLerror(s, ERR_R_INTERNAL_ERROR); + fatal = 1; goto err; + } - /* Now ret is non-NULL and we own one of its reference counts. 
*/ + /* Now sess is non-NULL and we own one of its reference counts. */ - if (ret->sid_ctx_length != s->sid_ctx_length || - timingsafe_memcmp(ret->sid_ctx, - s->sid_ctx, ret->sid_ctx_length) != 0) { - /* We have the session requested by the client, but we don't - * want to use it in this context. */ - goto err; /* treat like cache miss */ + if (sess->sid_ctx_length != s->sid_ctx_length || + timingsafe_memcmp(sess->sid_ctx, s->sid_ctx, + sess->sid_ctx_length) != 0) { + /* + * We have the session requested by the client, but we don't + * want to use it in this context. Treat it like a cache miss. + */ + goto err; } if ((s->verify_mode & SSL_VERIFY_PEER) && s->sid_ctx_length == 0) { 
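Review bot: The `TLS1_TICKET_NOT_DECRYPTED` arm jumps to `err` with `ticket_decrypted` still 0, so this function does not itself request a fresh ticket for that client; that is correct only if tls1_process_ticket (outside the hunk) already set `tlsext_ticket_expected`, as the header comment in the previous hunk implies. A comment on the arm would pin the division of labour: `/* Undecryptable ticket: full handshake; tls1_process_ticket has already flagged that a new ticket should be issued. */` (confirm against tls1_process_ticket). The `TLS1_TICKET_DECRYPTED` copy of the client's session ID into `sess` also deserves its reference, since it looks odd without one: RFC 5077 §3.4 requires the ServerHello to echo the client's session ID to signal that the ticket was accepted. The function's body continues into the next hunk.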
@@ -553,45 +599,43 @@ ssl_get_prev_session(SSL *s, unsigned char *session_id, int len, goto err; } - if (ret->cipher == NULL) { - ret->cipher = ssl3_get_cipher_by_id(ret->cipher_id); - if (ret->cipher == NULL) + if (sess->cipher == NULL) { + sess->cipher = ssl3_get_cipher_by_id(sess->cipher_id); + if (sess->cipher == NULL) goto err; } - if (ret->timeout < (time(NULL) - ret->time)) { - /* timeout */ + if (sess->timeout < (time(NULL) - sess->time)) { s->session_ctx->internal->stats.sess_timeout++; - if (try_session_cache) { - /* session was from the cache, so remove it */ - SSL_CTX_remove_session(s->session_ctx, ret); + if (!ticket_decrypted) { + /* The session was from the cache, so remove it. */ + SSL_CTX_remove_session(s->session_ctx, sess); } goto err; } s->session_ctx->internal->stats.sess_hit++; - if (s->session != NULL) - SSL_SESSION_free(s->session); - s->session = ret; + SSL_SESSION_free(s->session); + s->session = sess; s->verify_result = s->session->verify_result; + return 1; -err: - if (ret != NULL) { - SSL_SESSION_free(ret); - if (!try_session_cache) { - /* - * The session was from a ticket, so we should - * issue a ticket for the new session. - */ - s->internal->tlsext_ticket_expected = 1; - } + err: + SSL_SESSION_free(sess); + if (ticket_decrypted) { + /* + * The session was from a ticket. Issue a ticket for the new + * session. + */ + s->internal->tlsext_ticket_expected = 1; } - if (fatal) + if (fatal) { + *alert = alert_desc; return -1; - else - return 0; + } + return 0; } int 
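Review bot: `*alert` is written only on the `fatal` path, so a caller that reads it after a 0 return (plain cache miss, sid_ctx mismatch, expired session) sees whatever it passed in; the parameter comment in the earlier hunk, "alert that the caller should send in case of failure", does not say that. Suggest tightening it or adding at the `err:` label `/* *alert is only meaningful when -1 is returned. */`. The new unconditional `SSL_SESSION_free(s->session)` is fine provided SSL_SESSION_free tolerates NULL, which the hunk itself cannot show; the old code guarded it. ssl_get_prev_session starts in the previous hunk.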
@@ -744,45 +788,29 @@ SSL_SESSION_up_ref(SSL_SESSION *ss) int SSL_set_session(SSL *s, SSL_SESSION *session) { - int ret = 0; - const SSL_METHOD *meth; + const SSL_METHOD *method; - if (session != NULL) { - meth = s->ctx->method->internal->get_ssl_method(session->ssl_version); - if (meth == NULL) - meth = s->method->internal->get_ssl_method(session->ssl_version); - if (meth == NULL) { - SSLerror(s, SSL_R_UNABLE_TO_FIND_SSL_METHOD); - return (0); - } + if (session == NULL) { + SSL_SESSION_free(s->session); + s->session = NULL; - if (meth != s->method) { - if (!SSL_set_ssl_method(s, meth)) - return (0); - } - - /* CRYPTO_w_lock(CRYPTO_LOCK_SSL);*/ - CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION); - if (s->session != NULL) - SSL_SESSION_free(s->session); - s->session = session; - s->verify_result = s->session->verify_result; - /* CRYPTO_w_unlock(CRYPTO_LOCK_SSL);*/ - ret = 1; - } else { - if (s->session != NULL) { - SSL_SESSION_free(s->session); - s->session = NULL; - } - - meth = s->ctx->method; - if (meth != s->method) { - if (!SSL_set_ssl_method(s, meth)) - return (0); - } - ret = 1; + return SSL_set_ssl_method(s, s->ctx->method); } - return (ret); + + if ((method = ssl_get_client_method(session->ssl_version)) == NULL) { + SSLerror(s, SSL_R_UNABLE_TO_FIND_SSL_METHOD); + return (0); + } + + if (!SSL_set_ssl_method(s, method)) + return (0); + + CRYPTO_add(&session->references, 1, CRYPTO_LOCK_SSL_SESSION); + SSL_SESSION_free(s->session); + s->session = session; + s->verify_result = s->session->verify_result; + + return (1); } size_t 
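Review bot: Method selection now goes through `ssl_get_client_method(session->ssl_version)` unconditionally, whereas the old code first consulted `s->ctx->method->internal->get_ssl_method` and so stayed within the method family the application chose; if SSL_set_session is ever called on a server-side SSL, the connection is now silently switched to a client method. Whether that matters depends on ssl_get_client_method, which is outside the view, but a comment stating the intent would help: `/* SSL_set_session() is client-only: pick the client method for the session's protocol version. */`. The refcount ordering (up-ref the new session before freeing the old) correctly handles `session == s->session` and is worth a line: `/* Up-ref first so that session == s->session is safe. */`.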
@@ -1092,13 +1120,13 @@ void void SSL_CTX_sess_set_get_cb(SSL_CTX *ctx, SSL_SESSION *(*cb)(struct ssl_st *ssl, - unsigned char *data, int len, int *copy)) + const unsigned char *data, int len, int *copy)) { ctx->internal->get_session_cb = cb; } SSL_SESSION * -(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, unsigned char *data, +(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(SSL *ssl, const unsigned char *data, int len, int *copy) { return ctx->internal->get_session_cb; @@ -1158,7 +1186,7 @@ SSL_CTX_set_cookie_generate_cb(SSL_CTX *ctx, void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx, - int (*cb)(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)) + int (*cb)(SSL *ssl, const unsigned char *cookie, unsigned int cookie_len)) { ctx->internal->app_verify_cookie_cb = cb; } diff --git a/ssl/ssl_sigalgs.c b/ssl/ssl_sigalgs.c new file mode 100644 index 0000000..6378ec8 --- /dev/null +++ b/ssl/ssl_sigalgs.c 
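Review bot: Changing the callback types accepted by `SSL_CTX_sess_set_get_cb` and `SSL_CTX_set_cookie_verify_cb` to take `const unsigned char *` is a source-level API change: applications whose callbacks still use the non-const signature get incompatible-pointer-type diagnostics at the call site, which is fatal under -Werror and increasingly an error by default in newer compilers. The direction is right (the data is read-only and it matches the OpenSSL 1.1 prototypes), but it should be called out in the release notes, and any header declaration outside this diff needs the matching const. The `SSL_CTX_sess_get_get_cb` definition in this hunk continues past the visible lines.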
@@ -0,0 +1,337 @@ +/* $OpenBSD: ssl_sigalgs.c,v 1.21 2020/05/09 16:52:15 beck Exp $ */ +/* + * Copyright (c) 2018-2020 Bob Beck + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +#include +#include + +#include + +#include "bytestring.h" +#include "ssl_locl.h" +#include "ssl_sigalgs.h" +#include "tls13_internal.h" + +const struct ssl_sigalg sigalgs[] = { + { + .value = SIGALG_RSA_PKCS1_SHA512, + .md = EVP_sha512, + .key_type = EVP_PKEY_RSA, + }, + { + .value = SIGALG_ECDSA_SECP521R1_SHA512, + .md = EVP_sha512, + .key_type = EVP_PKEY_EC, + .curve_nid = NID_secp521r1, + }, +#ifndef OPENSSL_NO_GOST + { + .value = SIGALG_GOSTR12_512_STREEBOG_512, + .md = EVP_streebog512, + .key_type = EVP_PKEY_GOSTR12_512, + }, +#endif + { + .value = SIGALG_RSA_PKCS1_SHA384, + .md = EVP_sha384, + .key_type = EVP_PKEY_RSA, + }, + { + .value = SIGALG_ECDSA_SECP384R1_SHA384, + .md = EVP_sha384, + .key_type = EVP_PKEY_EC, + .curve_nid = NID_secp384r1, + }, + { + .value = SIGALG_RSA_PKCS1_SHA256, + .md = EVP_sha256, + .key_type = EVP_PKEY_RSA, + }, + { + .value = SIGALG_ECDSA_SECP256R1_SHA256, + .md = EVP_sha256, + .key_type = EVP_PKEY_EC, + .curve_nid = NID_X9_62_prime256v1, + }, +#ifndef OPENSSL_NO_GOST + { + .value = SIGALG_GOSTR12_256_STREEBOG_256, + .md = EVP_streebog256, + .key_type = 
EVP_PKEY_GOSTR12_256, + }, + { + .value = SIGALG_GOSTR01_GOST94, + .md = EVP_gostr341194, + .key_type = EVP_PKEY_GOSTR01, + }, +#endif + { + .value = SIGALG_RSA_PSS_RSAE_SHA256, + .md = EVP_sha256, + .key_type = EVP_PKEY_RSA, + .flags = SIGALG_FLAG_RSA_PSS, + }, + { + .value = SIGALG_RSA_PSS_RSAE_SHA384, + .md = EVP_sha384, + .key_type = EVP_PKEY_RSA, + .flags = SIGALG_FLAG_RSA_PSS, + }, + { + .value = SIGALG_RSA_PSS_RSAE_SHA512, + .md = EVP_sha512, + .key_type = EVP_PKEY_RSA, + .flags = SIGALG_FLAG_RSA_PSS, + }, + { + .value = SIGALG_RSA_PSS_PSS_SHA256, + .md = EVP_sha256, + .key_type = EVP_PKEY_RSA, + .flags = SIGALG_FLAG_RSA_PSS, + }, + { + .value = SIGALG_RSA_PSS_PSS_SHA384, + .md = EVP_sha384, + .key_type = EVP_PKEY_RSA, + .flags = SIGALG_FLAG_RSA_PSS, + }, + { + .value = SIGALG_RSA_PSS_PSS_SHA512, + .md = EVP_sha512, + .key_type = EVP_PKEY_RSA, + .flags = SIGALG_FLAG_RSA_PSS, + }, + { + .value = SIGALG_RSA_PKCS1_SHA224, + .md = EVP_sha224, + .key_type = EVP_PKEY_RSA, + }, + { + .value = SIGALG_ECDSA_SECP224R1_SHA224, + .md = EVP_sha224, + .key_type = EVP_PKEY_EC, + }, + { + .value = SIGALG_RSA_PKCS1_SHA1, + .key_type = EVP_PKEY_RSA, + .md = EVP_sha1, + }, + { + .value = SIGALG_ECDSA_SHA1, + .key_type = EVP_PKEY_EC, + .md = EVP_sha1, + }, + { + .value = SIGALG_RSA_PKCS1_MD5_SHA1, + .key_type = EVP_PKEY_RSA, + .md = EVP_md5_sha1, + }, + { + .value = SIGALG_NONE, + }, +}; + +/* Sigalgs for tls 1.3, in preference order, */ +uint16_t tls13_sigalgs[] = { + SIGALG_RSA_PSS_RSAE_SHA512, + SIGALG_RSA_PKCS1_SHA512, + SIGALG_ECDSA_SECP521R1_SHA512, + SIGALG_RSA_PSS_RSAE_SHA384, + SIGALG_RSA_PKCS1_SHA384, + SIGALG_ECDSA_SECP384R1_SHA384, + SIGALG_RSA_PSS_RSAE_SHA256, + SIGALG_RSA_PKCS1_SHA256, + SIGALG_ECDSA_SECP256R1_SHA256, +}; +size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0])); + +/* Sigalgs for tls 1.2, in preference order, */ +uint16_t tls12_sigalgs[] = { + SIGALG_RSA_PSS_RSAE_SHA512, + SIGALG_RSA_PKCS1_SHA512, + 
SIGALG_ECDSA_SECP521R1_SHA512, + SIGALG_RSA_PSS_RSAE_SHA384, + SIGALG_RSA_PKCS1_SHA384, + SIGALG_ECDSA_SECP384R1_SHA384, + SIGALG_RSA_PSS_RSAE_SHA256, + SIGALG_RSA_PKCS1_SHA256, + SIGALG_ECDSA_SECP256R1_SHA256, + SIGALG_RSA_PKCS1_SHA1, /* XXX */ + SIGALG_ECDSA_SHA1, /* XXX */ +}; +size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0])); + +const struct ssl_sigalg * +ssl_sigalg_lookup(uint16_t sigalg) +{ + int i; + + for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) { + if (sigalgs[i].value == sigalg) + return &sigalgs[i]; + } + + return NULL; +} + +const struct ssl_sigalg * +ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len) +{ + int i; + + for (i = 0; i < len; i++) { + if (values[i] == sigalg) + return ssl_sigalg_lookup(sigalg); + } + + return NULL; +} + +int +ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len) +{ + size_t i; + + for (i = 0; sigalgs[i].value != SIGALG_NONE; i++); + if (len > i) + return 0; + + /* XXX check for duplicates and other sanity BS? */ + + /* Add values in order as long as they are supported. */ + for (i = 0; i < len; i++) { + /* Do not allow the legacy value for < 1.2 to be used */ + if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1) + return 0; + + if (ssl_sigalg_lookup(values[i]) != NULL) { + if (!CBB_add_u16(cbb, values[i])) + return 0; + } else + return 0; + } + return 1; +} + +int +ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey, + int check_curve) +{ + if (sigalg == NULL || pkey == NULL) + return 0; + if (sigalg->key_type != pkey->type) + return 0; + + if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) { + /* + * RSA PSS Must have an RSA key that needs to be at + * least as big as twice the size of the hash + 2 + */ + if (pkey->type != EVP_PKEY_RSA || + EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2)) + return 0; + } + + if (pkey->type == EVP_PKEY_EC && check_curve) { + /* Curve must match for EC keys. 
*/ + if (sigalg->curve_nid == 0) + return 0; + if (EC_GROUP_get_curve_name(EC_KEY_get0_group + (EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->curve_nid) { + return 0; + } + } + + return 1; +} + +const struct ssl_sigalg * +ssl_sigalg_select(SSL *s, EVP_PKEY *pkey) +{ + uint16_t *tls_sigalgs = tls12_sigalgs; + size_t tls_sigalgs_len = tls12_sigalgs_len; + int check_curve = 0; + CBS cbs; + + if (TLS1_get_version(s) >= TLS1_3_VERSION) { + tls_sigalgs = tls13_sigalgs; + tls_sigalgs_len = tls13_sigalgs_len; + check_curve = 1; + } + + /* Pre TLS 1.2 defaults */ + if (!SSL_USE_SIGALGS(s)) { + switch (pkey->type) { + case EVP_PKEY_RSA: + return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1); + case EVP_PKEY_EC: + return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); +#ifndef OPENSSL_NO_GOST + case EVP_PKEY_GOSTR01: + return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94); +#endif + } + SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); + return (NULL); + } + + /* + * RFC 5246 allows a TLS 1.2 client to send no sigalgs, in + * which case the server must use the the default. + */ + if (TLS1_get_version(s) < TLS1_3_VERSION && + S3I(s)->hs.sigalgs == NULL) { + switch (pkey->type) { + case EVP_PKEY_RSA: + return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1); + case EVP_PKEY_EC: + return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1); +#ifndef OPENSSL_NO_GOST + case EVP_PKEY_GOSTR01: + return ssl_sigalg_lookup(SIGALG_GOSTR01_GOST94); +#endif + } + SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); + return (NULL); + } + + /* + * If we get here, we have client or server sent sigalgs, use one. + */ + CBS_init(&cbs, S3I(s)->hs.sigalgs, S3I(s)->hs.sigalgs_len); + while (CBS_len(&cbs) > 0) { + uint16_t sig_alg; + const struct ssl_sigalg *sigalg; + + if (!CBS_get_u16(&cbs, &sig_alg)) + return 0; + + if ((sigalg = ssl_sigalg(sig_alg, tls_sigalgs, + tls_sigalgs_len)) == NULL) + continue; + + /* RSA cannot be used without PSS in TLSv1.3. 
*/ + if (TLS1_get_version(s) >= TLS1_3_VERSION && + sigalg->key_type == EVP_PKEY_RSA && + (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0) + continue; + + if (ssl_sigalg_pkey_ok(sigalg, pkey, check_curve)) + return sigalg; + } + + SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); + return NULL; +} diff --git a/ssl/ssl_sigalgs.h b/ssl/ssl_sigalgs.h new file mode 100644 index 0000000..13a3597 --- /dev/null +++ b/ssl/ssl_sigalgs.h 
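Review bot: In ssl_sigalg_select() the loop over `S3I(s)->hs.sigalgs` returns the first peer-listed algorithm that is also in our table, so for TLS 1.2 the peer's ordering wins: a client that puts SIGALG_RSA_PKCS1_SHA1 first gets its ServerKeyExchange signed with SHA-1 even though tls12_sigalgs places the SHA-1 entries last and tags them `/* XXX */`. If server preference is intended, make tls_sigalgs the outer loop and the CBS walk the inner one; if peer order is deliberate, a comment above the loop saying so will stop the next reader from "fixing" it. Separately, ssl_sigalg_lookup() and ssl_sigalg() index with `int i` against a `size_t len`; `size_t i`, as ssl_sigalgs_build() already uses, avoids the sign-compare warning. The `if (!CBS_get_u16(&cbs, &sig_alg)) return 0;` exit in the same loop returns NULL without an SSLerror, unlike every other failure exit in the function.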
@@ -0,0 +1,86 @@ +/* $OpenBSD: ssl_sigalgs.h,v 1.14 2019/03/25 17:33:26 jsing Exp $ */ +/* + * Copyright (c) 2018-2019 Bob Beck + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef HEADER_SSL_SIGALGS_H +#define HEADER_SSL_SIGALGS_H + +__BEGIN_HIDDEN_DECLS + +#define SIGALG_NONE 0x0000 + +/* + * RFC 8446 Section 4.2.3 + * RFC 5246 Section 7.4.1.4.1 + */ +#define SIGALG_RSA_PKCS1_SHA224 0x0301 +#define SIGALG_RSA_PKCS1_SHA256 0x0401 +#define SIGALG_RSA_PKCS1_SHA384 0x0501 +#define SIGALG_RSA_PKCS1_SHA512 0x0601 +#define SIGALG_ECDSA_SECP224R1_SHA224 0x0303 +#define SIGALG_ECDSA_SECP256R1_SHA256 0x0403 +#define SIGALG_ECDSA_SECP384R1_SHA384 0x0503 +#define SIGALG_ECDSA_SECP521R1_SHA512 0x0603 +#define SIGALG_RSA_PSS_RSAE_SHA256 0x0804 +#define SIGALG_RSA_PSS_RSAE_SHA384 0x0805 +#define SIGALG_RSA_PSS_RSAE_SHA512 0x0806 +#define SIGALG_ED25519 0x0807 +#define SIGALG_ED448 0x0808 +#define SIGALG_RSA_PSS_PSS_SHA256 0x0809 +#define SIGALG_RSA_PSS_PSS_SHA384 0x080a +#define SIGALG_RSA_PSS_PSS_SHA512 0x080b +#define SIGALG_RSA_PKCS1_SHA1 0x0201 +#define SIGALG_ECDSA_SHA1 0x0203 +#define SIGALG_PRIVATE_START 0xFE00 +#define SIGALG_PRIVATE_END 0xFFFF + +/* + * If Russia can elect the US President, surely + * IANA could fix this problem. 
+ */ +#define SIGALG_GOSTR12_512_STREEBOG_512 0xEFEF +#define SIGALG_GOSTR12_256_STREEBOG_256 0xEEEE +#define SIGALG_GOSTR01_GOST94 0xEDED + +/* Legacy sigalg for < 1.2 same value as boring uses*/ +#define SIGALG_RSA_PKCS1_MD5_SHA1 0xFF01 + +#define SIGALG_FLAG_RSA_PSS 0x00000001 + +struct ssl_sigalg{ + uint16_t value; + const EVP_MD *(*md)(void); + int key_type; + int curve_nid; + int flags; +}; + +extern uint16_t tls12_sigalgs[]; +extern size_t tls12_sigalgs_len; +extern uint16_t tls13_sigalgs[]; +extern size_t tls13_sigalgs_len; + +const struct ssl_sigalg *ssl_sigalg_lookup(uint16_t sigalg); +const struct ssl_sigalg *ssl_sigalg(uint16_t sigalg, uint16_t *values, size_t len); +int ssl_sigalgs_build(CBB *cbb, uint16_t *values, size_t len); +int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk); +int ssl_sigalg_pkey_ok(const struct ssl_sigalg *sigalg, EVP_PKEY *pkey, + int check_curve); +const struct ssl_sigalg *ssl_sigalg_select(SSL *s, EVP_PKEY *pkey); + +__END_HIDDEN_DECLS + +#endif diff --git a/ssl/ssl_srvr.c b/ssl/ssl_srvr.c index f1a0c9a..0f448a2 100644 --- a/ssl/ssl_srvr.c +++ b/ssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.28 2018/01/28 09:21:34 inoguchi Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.85 2020/09/24 18:12:00 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -166,6 +166,7 @@ #include #include "bytestring.h" +#include "ssl_sigalgs.h" #include "ssl_tlsext.h" int @@ -196,12 +197,6 @@ ssl3_accept(SSL *s) if (SSL_IS_DTLS(s)) D1I(s)->listen = listen; - if (s->cert == NULL) { - SSLerror(s, SSL_R_NO_CERTIFICATE_SET); - ret = -1; - goto end; - } - for (;;) { state = S3I(s)->hs.state; @@ -254,7 +249,8 @@ ssl3_accept(SSL *s) ret = -1; goto end; } - if (!tls1_init_finished_mac(s)) { + + if (!tls1_transcript_init(s)) { ret = -1; goto end; } 
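Review bot: ssl_sigalgs.h declares `int ssl_sigalg_pkey_check(uint16_t sigalg, EVP_PKEY *pk);` but the complete ssl_sigalgs.c added in this commit defines only ssl_sigalg_lookup(), ssl_sigalg(), ssl_sigalgs_build(), ssl_sigalg_pkey_ok() and ssl_sigalg_select(); the stale prototype should be dropped so nobody links against a function that does not exist. The header also uses uint16_t, EVP_MD, EVP_PKEY and CBB without including anything, so it compiles only after bytestring.h and openssl/evp.h; either the includes or a one-line comment at the top should make that ordering explicit. SIGALG_PRIVATE_START and SIGALG_PRIVATE_END are defined but unused by the new code.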
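Review bot: Dropping the `s->cert == NULL` check at the top of ssl3_accept() in the `@@ -196,12 +197,6 @@` hunk removes the only guard ahead of later unconditional dereferences such as `s->cert->pkeys[SSL_PKEY_RSA].privatekey` in ssl3_get_client_kex_rsa(); this is safe only if SSL_new() already guarantees a non-NULL s->cert, which I believe LibreSSL does (SSL_new() fails when the certificate copy fails) but which is not visible from this diff. If that is the invariant relied on, record it where the check used to be, `/* s->cert is always set by SSL_new(). */`. ssl3_accept() starts before and ends after this hunk.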
@@ -299,7 +295,7 @@ ssl3_accept(SSL *s) S3I(s)->hs.state = SSL3_ST_SW_FLUSH; s->internal->init_num = 0; - if (!tls1_init_finished_mac(s)) { + if (!tls1_transcript_init(s)) { ret = -1; goto end; } @@ -349,7 +345,7 @@ ssl3_accept(SSL *s) D1I(s)->handshake_write_seq = 1; D1I(s)->next_handshake_write_seq = 1; goto end; - } + } } else { if (s->internal->rwstate != SSL_X509_LOOKUP) { ret = ssl3_get_client_hello(s); @@ -372,10 +368,7 @@ ssl3_accept(SSL *s) S3I(s)->hs.next_state = SSL3_ST_SR_CLNT_HELLO_A; /* HelloVerifyRequest resets Finished MAC. */ - if (!tls1_init_finished_mac(s)) { - ret = -1; - goto end; - } + tls1_transcript_reset(s); break; case SSL3_ST_SW_SRVR_HELLO_A: @@ -473,12 +466,9 @@ ssl3_accept(SSL *s) skip = 1; S3I(s)->tmp.cert_request = 0; S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_A; - if (!SSL_IS_DTLS(s) && S3I(s)->handshake_buffer) { - if (!tls1_digest_cached_records(s)) { - ret = -1; - goto end; - } - } + + if (!SSL_IS_DTLS(s)) + tls1_transcript_free(s); } else { S3I(s)->tmp.cert_request = 1; if (SSL_IS_DTLS(s)) @@ -571,34 +561,21 @@ ssl3_accept(SSL *s) if (!s->session->peer) break; /* - * For sigalgs freeze the handshake buffer - * at this point and digest cached records. + * Freeze the transcript for use during client + * certificate verification. */ - if (!S3I(s)->handshake_buffer) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - ret = -1; - goto end; - } - s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; - if (!tls1_digest_cached_records(s)) { - ret = -1; - goto end; - } + tls1_transcript_freeze(s); } else { S3I(s)->hs.state = SSL3_ST_SR_CERT_VRFY_A; s->internal->init_num = 0; + tls1_transcript_free(s); + /* * We need to get hashes here so if there is * a client cert, it can be verified. */ - if (S3I(s)->handshake_buffer) { - if (!tls1_digest_cached_records(s)) { - ret = -1; - goto end; - } - } - if (!tls1_handshake_hash_value(s, + if (!tls1_transcript_hash_value(s, S3I(s)->tmp.cert_verify_md, sizeof(S3I(s)->tmp.cert_verify_md), NULL)) { 
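Review bot: In the `@@ -571,34 +561,21 @@` hunk the no-client-certificate branch now calls `tls1_transcript_free(s)` and immediately afterwards `tls1_transcript_hash_value(s, S3I(s)->tmp.cert_verify_md, ...)`, which reads like a use-after-free unless one already knows the hash value comes from a running digest context kept apart from the buffered transcript. The surviving comment "We need to get hashes here so if there is a client cert, it can be verified." predates the rewrite and does not say that; suggest `/* The buffered transcript is no longer needed; the running handshake hash still supplies the CertificateVerify digest. */` above the free, after confirming tls1_transcript_hash_value() does not read handshake_transcript. Likewise `tls1_transcript_reset(s)` and `tls1_transcript_freeze(s)` replace calls whose return value was checked; if either can fail, the error is now dropped. ssl3_accept() extends beyond the hunk on both sides.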
@@ -696,9 +673,10 @@ ssl3_accept(SSL *s) if (ret <= 0) goto end; S3I(s)->hs.state = SSL3_ST_SW_FLUSH; - if (s->internal->hit) + if (s->internal->hit) { S3I(s)->hs.next_state = SSL3_ST_SR_FINISHED_A; - else + tls1_transcript_free(s); + } else S3I(s)->hs.next_state = SSL_ST_OK; s->internal->init_num = 0; break; @@ -707,11 +685,15 @@ ssl3_accept(SSL *s) /* clean a few things up */ tls1_cleanup_key_block(s); - if (!SSL_IS_DTLS(s)) { - BUF_MEM_free(s->internal->init_buf); - s->internal->init_buf = NULL; + if (S3I(s)->handshake_transcript != NULL) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; } + if (!SSL_IS_DTLS(s)) + ssl3_release_init_buffer(s); + /* remove buffering on output */ ssl_free_wbio_buffer(s); @@ -784,10 +766,10 @@ ssl3_send_hello_request(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (S3I(s)->hs.state == SSL3_ST_SW_HELLO_REQ_A) { - if (!ssl3_handshake_msg_start_cbb(s, &cbb, &hello, + if (!ssl3_handshake_msg_start(s, &cbb, &hello, SSL3_MT_HELLO_REQUEST)) goto err; - if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) + if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; S3I(s)->hs.state = SSL3_ST_SW_HELLO_REQ_B; @@ -817,8 +799,7 @@ ssl3_get_client_hello(SSL *s) STACK_OF(SSL_CIPHER) *ciphers = NULL; unsigned long alg_k; const SSL_METHOD *method; - uint16_t shared_version; - unsigned char *end; + uint16_t max_version, shared_version; /* * We do this so that we will respond with our native type. @@ -832,7 +813,7 @@ ssl3_get_client_hello(SSL *s) } s->internal->first_packet = 1; - n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, + n = ssl3_get_message(s, SSL3_ST_SR_CLNT_HELLO_B, SSL3_ST_SR_CLNT_HELLO_C, SSL3_MT_CLIENT_HELLO, SSL3_RT_MAX_PLAIN_LENGTH, &ok); if (!ok) 
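Review bot: The new `if (S3I(s)->handshake_transcript != NULL)` block in the SSL_ST_OK case of ssl3_accept() turns a transcript that some state path forgot to free into a fatal ERR_R_INTERNAL_ERROR after Finished has already gone out, i.e. a late handshake failure instead of a memory leak. That is a sensible invariant check, but it reads like an ordinary error path; a comment such as `/* Every handshake path must have freed the transcript by now. */` makes the intent clear. Note that the preceding hunk frees the transcript only when `s->internal->hit` is set, so the full-handshake path depends on an earlier tls1_transcript_free() that is outside this diff. ssl3_accept() continues outside the hunk.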
@@ -842,17 +823,35 @@ ssl3_get_client_hello(SSL *s) if (n < 0) goto err; - end = (unsigned char *)s->internal->init_msg + n; - CBS_init(&cbs, s->internal->init_msg, n); + /* Parse client hello up until the extensions (if any). */ + if (!CBS_get_u16(&cbs, &client_version)) + goto truncated; + if (!CBS_get_bytes(&cbs, &client_random, SSL3_RANDOM_SIZE)) + goto truncated; + if (!CBS_get_u8_length_prefixed(&cbs, &session_id)) + goto truncated; + if (CBS_len(&session_id) > SSL3_SESSION_ID_SIZE) { + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerror(s, SSL_R_SSL3_SESSION_ID_TOO_LONG); + goto f_err; + } + if (SSL_IS_DTLS(s)) { + if (!CBS_get_u8_length_prefixed(&cbs, &cookie)) + goto truncated; + } + if (!CBS_get_u16_length_prefixed(&cbs, &cipher_suites)) + goto truncated; + if (!CBS_get_u8_length_prefixed(&cbs, &compression_methods)) + goto truncated; + /* * Use version from inside client hello, not from record header. * (may differ: see RFC 2246, Appendix E, second paragraph) */ - if (!CBS_get_u16(&cbs, &client_version)) - goto truncated; - + if (!ssl_downgrade_max_version(s, &max_version)) + goto err; if (ssl_max_shared_version(s, client_version, &shared_version) != 1) { SSLerror(s, SSL_R_WRONG_VERSION_NUMBER); if ((s->client_version >> 8) == SSL3_VERSION_MAJOR && 
@@ -869,27 +868,18 @@ ssl3_get_client_hello(SSL *s) s->client_version = client_version; s->version = shared_version; - if ((method = tls1_get_server_method(shared_version)) == NULL) - method = dtls1_get_server_method(shared_version); - if (method == NULL) { + if ((method = ssl_get_server_method(shared_version)) == NULL) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } s->method = method; - if (!CBS_get_bytes(&cbs, &client_random, SSL3_RANDOM_SIZE)) - goto truncated; - if (!CBS_get_u8_length_prefixed(&cbs, &session_id)) - goto truncated; - /* - * If we require cookies (DTLS) and this ClientHello doesn't - * contain one, just return since we do not want to - * allocate any memory yet. So check cookie length... + * If we require cookies (DTLS) and this ClientHello does not contain + * one, just return since we do not want to allocate any memory yet. + * So check cookie length... */ if (SSL_IS_DTLS(s)) { - if (!CBS_get_u8_length_prefixed(&cbs, &cookie)) - goto truncated; if (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE) { if (CBS_len(&cookie) == 0) return (1); @@ -922,14 +912,15 @@ ssl3_get_client_hello(SSL *s) if (!ssl_get_new_session(s, 1)) goto err; } else { - /* XXX - pass CBS through instead... */ - i = ssl_get_prev_session(s, - (unsigned char *)CBS_data(&session_id), - CBS_len(&session_id), end); + CBS ext_block; + + CBS_dup(&cbs, &ext_block); + + i = ssl_get_prev_session(s, &session_id, &ext_block, &al); if (i == 1) { /* previous session */ s->internal->hit = 1; } else if (i == -1) - goto err; + goto f_err; else { /* i == 0 */ if (!ssl_get_new_session(s, 1)) @@ -979,9 +970,6 @@ ssl3_get_client_hello(SSL *s) } } - if (!CBS_get_u16_length_prefixed(&cbs, &cipher_suites)) - goto truncated; - /* XXX - This logic seems wrong... */ if (CBS_len(&cipher_suites) == 0 && CBS_len(&session_id) != 0) { /* we need a cipher if we are not resuming a session */ 
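Review bot: In the `@@ -922,14 +912,15 @@` hunk the `i == -1` result of `ssl_get_prev_session(s, &session_id, &ext_block, &al)` now jumps to `f_err`, which sends an alert built from `al`; that is correct only if ssl_get_prev_session() assigns `al` on every -1 return or `al` is initialised earlier in ssl3_get_client_hello() (not in this diff), otherwise an indeterminate alert byte goes on the wire. Either check the callee or set `al = SSL_AD_INTERNAL_ERROR;` before the call as a default. Passing `ext_block` as a CBS_dup of the remaining ClientHello is consistent with the reordered parse in the earlier hunk, since cipher_suites and compression_methods have already been consumed by that point. ssl3_get_client_hello() extends beyond this hunk.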
@@ -1020,9 +1008,6 @@ ssl3_get_client_hello(SSL *s) } } - if (!CBS_get_u8_length_prefixed(&cbs, &compression_methods)) - goto truncated; - comp_null = 0; while (CBS_len(&compression_methods) > 0) { if (!CBS_get_u8(&compression_methods, &comp_method)) @@ -1036,7 +1021,7 @@ ssl3_get_client_hello(SSL *s) goto f_err; } - if (!tlsext_clienthello_parse(s, &cbs, &al)) { + if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, &cbs, &al)) { SSLerror(s, SSL_R_PARSE_TLSEXT); goto f_err; } @@ -1060,6 +1045,27 @@ ssl3_get_client_hello(SSL *s) */ arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); + if (!SSL_IS_DTLS(s) && max_version >= TLS1_2_VERSION && + s->version < max_version) { + /* + * RFC 8446 section 4.1.3. If we are downgrading from TLS 1.3 + * we must set the last 8 bytes of the server random to magical + * values to indicate we meant to downgrade. For TLS 1.2 it is + * recommended that we do the same. + */ + size_t index = SSL3_RANDOM_SIZE - sizeof(tls13_downgrade_12); + uint8_t *magic = &s->s3->server_random[index]; + if (s->version == TLS1_2_VERSION) { + /* Indicate we chose to downgrade to 1.2. */ + memcpy(magic, tls13_downgrade_12, + sizeof(tls13_downgrade_12)); + } else { + /* Indicate we chose to downgrade to 1.1 or lower */ + memcpy(magic, tls13_downgrade_11, + sizeof(tls13_downgrade_11)); + } + } + if (!s->internal->hit && s->internal->tls_session_secret_cb) { SSL_CIPHER *pref_cipher = NULL; @@ -1086,11 +1092,7 @@ ssl3_get_client_hello(SSL *s) s->session->cipher = pref_cipher; sk_SSL_CIPHER_free(s->cipher_list); - sk_SSL_CIPHER_free(s->internal->cipher_list_by_id); - s->cipher_list = sk_SSL_CIPHER_dup(s->session->ciphers); - s->internal->cipher_list_by_id = - sk_SSL_CIPHER_dup(s->session->ciphers); } } 
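Review bot: In the `@@ -1060,6 +1045,27 @@` hunk the write offset `index` is derived from `sizeof(tls13_downgrade_12)` while the else branch copies `sizeof(tls13_downgrade_11)` bytes; both are 8 per RFC 8446 section 4.1.3, but nothing here ties the two together, so a size mismatch would silently misplace the sentinel or overrun server_random. Selecting `const uint8_t *sentinel; size_t sentinel_len;` in the if/else and then doing one `memcpy(&s->s3->server_random[SSL3_RANDOM_SIZE - sentinel_len], sentinel, sentinel_len)` removes the assumption. The version logic itself matches the RFC: the 1.2 sentinel when TLS 1.2 is chosen below a higher maximum, the 1.1 sentinel for anything lower, and nothing when the maximum itself is negotiated. ssl3_get_client_hello() continues outside the hunk.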
@@ -1121,17 +1123,13 @@ ssl3_get_client_hello(SSL *s) S3I(s)->hs.new_cipher = s->session->cipher; } - if (!tls1_handshake_hash_init(s)) + if (!tls1_transcript_hash_init(s)) goto err; alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; if (!(SSL_USE_SIGALGS(s) || (alg_k & SSL_kGOST)) || - !(s->verify_mode & SSL_VERIFY_PEER)) { - if (!tls1_digest_cached_records(s)) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - } + !(s->verify_mode & SSL_VERIFY_PEER)) + tls1_transcript_free(s); /* * We now have the following setup. @@ -1175,7 +1173,7 @@ ssl3_send_server_hello(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (S3I(s)->hs.state == SSL3_ST_SW_SRVR_HELLO_A) { - if (!ssl3_handshake_msg_start_cbb(s, &cbb, &server_hello, + if (!ssl3_handshake_msg_start(s, &cbb, &server_hello, SSL3_MT_SERVER_HELLO)) goto err; @@ -1227,12 +1225,12 @@ ssl3_send_server_hello(SSL *s) goto err; /* TLS extensions */ - if (!tlsext_serverhello_build(s, &server_hello)) { + if (!tlsext_server_build(s, SSL_TLSEXT_MSG_SH, &server_hello)) { SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } - if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) + if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; } @@ -1253,10 +1251,10 @@ ssl3_send_server_done(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (S3I(s)->hs.state == SSL3_ST_SW_SRVR_DONE_A) { - if (!ssl3_handshake_msg_start_cbb(s, &cbb, &done, + if (!ssl3_handshake_msg_start(s, &cbb, &done, SSL3_MT_SERVER_DONE)) goto err; - if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) + if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; S3I(s)->hs.state = SSL3_ST_SW_SRVR_DONE_B; @@ -1271,7 +1269,7 @@ ssl3_send_server_done(SSL *s) return (-1); } -int +static int ssl3_send_server_kex_dhe(SSL *s, CBB *cbb) { CBB dh_p, dh_g, dh_Ys; 
@@ -1350,12 +1348,7 @@ ssl3_send_server_kex_dhe(SSL *s, CBB *cbb) static int ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) { - const EC_GROUP *group; - const EC_POINT *pubkey; - unsigned char *data; - int encoded_len = 0; - int curve_id = 0; - BN_CTX *bn_ctx = NULL; + uint16_t curve_id; EC_KEY *ecdh; CBB ecpoint; int al; @@ -1374,39 +1367,20 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) goto err; } - if ((S3I(s)->tmp.ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) { + if ((S3I(s)->tmp.ecdh = EC_KEY_new()) == NULL) { al = SSL_AD_HANDSHAKE_FAILURE; SSLerror(s, SSL_R_MISSING_TMP_ECDH_KEY); goto f_err; } + S3I(s)->tmp.ecdh_nid = nid; ecdh = S3I(s)->tmp.ecdh; - if (!EC_KEY_generate_key(ecdh)) { - SSLerror(s, ERR_R_ECDH_LIB); + if (!ssl_kex_generate_ecdhe_ecp(ecdh, nid)) goto err; - } - if ((group = EC_KEY_get0_group(ecdh)) == NULL || - (pubkey = EC_KEY_get0_public_key(ecdh)) == NULL || - EC_KEY_get0_private_key(ecdh) == NULL) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } /* * Encode the public key. - */ - encoded_len = EC_POINT_point2oct(group, pubkey, - POINT_CONVERSION_UNCOMPRESSED, NULL, 0, NULL); - if (encoded_len == 0) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } - if ((bn_ctx = BN_CTX_new()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - - /* + * * Only named curves are supported in ECDH ephemeral key exchanges. * In this case the ServerKeyExchange message has: * [1 byte CurveType], [2 byte CurveName] 
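Review bot: In the `@@ -1374,39 +1367,20 @@` hunk a failure of `ssl_kex_generate_ecdhe_ecp(ecdh, nid)` goes straight to `err` with no SSLerror, whereas the removed EC_KEY_generate_key() path pushed ERR_R_ECDH_LIB; unless the helper records its own error the caller sees -1 with an empty error stack. `S3I(s)->tmp.ecdh_nid = nid` is also stored before key generation succeeds, so on failure tmp.ecdh holds an empty EC_KEY already tagged with a curve, which is harmless only if the error path elsewhere frees tmp.ecdh. An EC_KEY_new() failure is still reported as SSL_R_MISSING_TMP_ECDH_KEY, which reads as a configuration problem rather than an allocation failure. ssl3_send_server_kex_ecdhe_ecp() continues in the next hunk.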
@@ -1419,33 +1393,24 @@ ssl3_send_server_kex_ecdhe_ecp(SSL *s, int nid, CBB *cbb) goto err; if (!CBB_add_u8_length_prefixed(cbb, &ecpoint)) goto err; - if (!CBB_add_space(&ecpoint, &data, encoded_len)) + if (!ssl_kex_public_ecdhe_ecp(ecdh, &ecpoint)) goto err; - if (EC_POINT_point2oct(group, pubkey, POINT_CONVERSION_UNCOMPRESSED, - data, encoded_len, bn_ctx) == 0) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } if (!CBB_flush(cbb)) goto err; - BN_CTX_free(bn_ctx); - return (1); - + f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: - BN_CTX_free(bn_ctx); - return (-1); } static int ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb) { - uint8_t *public_key = NULL; - int curve_id; + uint8_t *public_key = NULL, *private_key = NULL; + uint16_t curve_id; CBB ecpoint; int ret = -1; @@ -1454,11 +1419,11 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb) SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } - if ((S3I(s)->tmp.x25519 = malloc(X25519_KEY_LENGTH)) == NULL) + if ((private_key = malloc(X25519_KEY_LENGTH)) == NULL) goto err; if ((public_key = malloc(X25519_KEY_LENGTH)) == NULL) goto err; - X25519_keypair(public_key, S3I(s)->tmp.x25519); + X25519_keypair(public_key, private_key); /* Serialize public key. */ if ((curve_id = tls1_ec_nid2curve_id(nid)) == 0) { @@ -1477,10 +1442,13 @@ ssl3_send_server_kex_ecdhe_ecx(SSL *s, int nid, CBB *cbb) if (!CBB_flush(cbb)) goto err; + S3I(s)->tmp.x25519 = private_key; + private_key = NULL; ret = 1; err: free(public_key); + freezero(private_key, X25519_KEY_LENGTH); return (ret); } 
@@ -1501,36 +1469,39 @@ ssl3_send_server_kex_ecdhe(SSL *s, CBB *cbb) int ssl3_send_server_key_exchange(SSL *s) { - CBB cbb; + CBB cbb, cbb_params, cbb_signature, server_kex; + const struct ssl_sigalg *sigalg = NULL; + unsigned char *signature = NULL; + size_t signature_len = 0; unsigned char *params = NULL; size_t params_len; - unsigned char *q; - unsigned char md_buf[MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH]; - unsigned int u; - EVP_PKEY *pkey; const EVP_MD *md = NULL; - unsigned char *p, *d; - int al, i, j, n, kn; unsigned long type; - BUF_MEM *buf; EVP_MD_CTX md_ctx; + EVP_PKEY_CTX *pctx; + EVP_PKEY *pkey; + int al; memset(&cbb, 0, sizeof(cbb)); + memset(&cbb_params, 0, sizeof(cbb_params)); EVP_MD_CTX_init(&md_ctx); + if (S3I(s)->hs.state == SSL3_ST_SW_KEY_EXCH_A) { - type = S3I(s)->hs.new_cipher->algorithm_mkey; - buf = s->internal->init_buf; - - if (!CBB_init(&cbb, 0)) + if (!ssl3_handshake_msg_start(s, &cbb, &server_kex, + SSL3_MT_SERVER_KEY_EXCHANGE)) goto err; + if (!CBB_init(&cbb_params, 0)) + goto err; + + type = S3I(s)->hs.new_cipher->algorithm_mkey; if (type & SSL_kDHE) { - if (ssl3_send_server_kex_dhe(s, &cbb) != 1) + if (ssl3_send_server_kex_dhe(s, &cbb_params) != 1) goto err; } else if (type & SSL_kECDHE) { - if (ssl3_send_server_kex_ecdhe(s, &cbb) != 1) + if (ssl3_send_server_kex_ecdhe(s, &cbb_params) != 1) goto err; } else { al = SSL_AD_HANDSHAKE_FAILURE; 
@@ -1538,117 +1509,96 @@ ssl3_send_server_key_exchange(SSL *s) goto f_err; } - if (!CBB_finish(&cbb, ¶ms, ¶ms_len)) + if (!CBB_finish(&cbb_params, ¶ms, ¶ms_len)) goto err; + if (!CBB_add_bytes(&server_kex, params, params_len)) + goto err; + + /* Add signature unless anonymous. */ if (!(S3I(s)->hs.new_cipher->algorithm_auth & SSL_aNULL)) { - if ((pkey = ssl_get_sign_pkey( - s, S3I(s)->hs.new_cipher, &md)) == NULL) { + if ((pkey = ssl_get_sign_pkey(s, S3I(s)->hs.new_cipher, + &md, &sigalg)) == NULL) { al = SSL_AD_DECODE_ERROR; goto f_err; } - kn = EVP_PKEY_size(pkey); - } else { - pkey = NULL; - kn = 0; - } - if (!BUF_MEM_grow_clean(buf, ssl3_handshake_msg_hdr_len(s) + - params_len + kn)) { - SSLerror(s, ERR_LIB_BUF); - goto err; - } - - d = p = ssl3_handshake_msg_start(s, - SSL3_MT_SERVER_KEY_EXCHANGE); - - memcpy(p, params, params_len); - - free(params); - params = NULL; - - n = params_len; - p += params_len; - - /* not anonymous */ - if (pkey != NULL) { - /* - * n is the length of the params, they start at &(d[4]) - * and p points to the space at the end. - */ - if (pkey->type == EVP_PKEY_RSA && !SSL_USE_SIGALGS(s)) { - q = md_buf; - j = 0; - if (!EVP_DigestInit_ex(&md_ctx, EVP_md5_sha1(), - NULL)) - goto err; - EVP_DigestUpdate(&md_ctx, s->s3->client_random, - SSL3_RANDOM_SIZE); - EVP_DigestUpdate(&md_ctx, s->s3->server_random, - SSL3_RANDOM_SIZE); - EVP_DigestUpdate(&md_ctx, d, n); - EVP_DigestFinal_ex(&md_ctx, q, - (unsigned int *)&i); - q += i; - j += i; - if (RSA_sign(NID_md5_sha1, md_buf, j, - &(p[2]), &u, pkey->pkey.rsa) <= 0) { - SSLerror(s, ERR_R_RSA_LIB); - goto err; + /* Send signature algorithm. */ + if (SSL_USE_SIGALGS(s)) { + if (!CBB_add_u16(&server_kex, sigalg->value)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerror(s, ERR_R_INTERNAL_ERROR); + goto f_err; } - s2n(u, p); - n += u + 2; - } else if (md) { - /* Send signature algorithm. 
*/ - if (SSL_USE_SIGALGS(s)) { - if (!tls12_get_sigandhash(p, pkey, md)) { - /* Should never happen */ - al = SSL_AD_INTERNAL_ERROR; - SSLerror(s, ERR_R_INTERNAL_ERROR); - goto f_err; - } - p += 2; - } - EVP_SignInit_ex(&md_ctx, md, NULL); - EVP_SignUpdate(&md_ctx, - s->s3->client_random, - SSL3_RANDOM_SIZE); - EVP_SignUpdate(&md_ctx, - s->s3->server_random, - SSL3_RANDOM_SIZE); - EVP_SignUpdate(&md_ctx, d, n); - if (!EVP_SignFinal(&md_ctx, &p[2], - (unsigned int *)&i, pkey)) { - SSLerror(s, ERR_R_EVP_LIB); - goto err; - } - s2n(i, p); - n += i + 2; - if (SSL_USE_SIGALGS(s)) - n += 2; - } else { - /* Is this error check actually needed? */ - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE); - goto f_err; } + + if (!EVP_DigestSignInit(&md_ctx, &pctx, md, NULL, pkey)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) && + (!EVP_PKEY_CTX_set_rsa_padding(pctx, + RSA_PKCS1_PSS_PADDING) || + !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if (!EVP_DigestSignUpdate(&md_ctx, s->s3->client_random, + SSL3_RANDOM_SIZE)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if (!EVP_DigestSignUpdate(&md_ctx, s->s3->server_random, + SSL3_RANDOM_SIZE)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if (!EVP_DigestSignUpdate(&md_ctx, params, params_len)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if (!EVP_DigestSignFinal(&md_ctx, NULL, &signature_len) || + !signature_len) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if ((signature = calloc(1, signature_len)) == NULL) { + SSLerror(s, ERR_R_MALLOC_FAILURE); + goto err; + } + if (!EVP_DigestSignFinal(&md_ctx, signature, &signature_len)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + + if (!CBB_add_u16_length_prefixed(&server_kex, + &cbb_signature)) + goto err; + if (!CBB_add_bytes(&cbb_signature, signature, + signature_len)) + goto err; } - ssl3_handshake_msg_finish(s, n); + if (!ssl3_handshake_msg_finish(s, 
&cbb)) + goto err; + + S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_B; } - S3I(s)->hs.state = SSL3_ST_SW_KEY_EXCH_B; - EVP_MD_CTX_cleanup(&md_ctx); + free(params); + free(signature); return (ssl3_handshake_write(s)); - + f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: - free(params); - EVP_MD_CTX_cleanup(&md_ctx); + CBB_cleanup(&cbb_params); CBB_cleanup(&cbb); + EVP_MD_CTX_cleanup(&md_ctx); + free(params); + free(signature); return (-1); } @@ -1668,7 +1618,7 @@ ssl3_send_certificate_request(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (S3I(s)->hs.state == SSL3_ST_SW_CERT_REQ_A) { - if (!ssl3_handshake_msg_start_cbb(s, &cbb, &cert_request, + if (!ssl3_handshake_msg_start(s, &cbb, &cert_request, SSL3_MT_CERTIFICATE_REQUEST)) goto err; @@ -1678,14 +1628,9 @@ ssl3_send_certificate_request(SSL *s) goto err; if (SSL_USE_SIGALGS(s)) { - unsigned char *sigalgs_data; - size_t sigalgs_len; - - tls12_get_req_sig_algs(s, &sigalgs_data, &sigalgs_len); - if (!CBB_add_u16_length_prefixed(&cert_request, &sigalgs)) goto err; - if (!CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len)) + if (!ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len)) goto err; } @@ -1708,7 +1653,7 @@ ssl3_send_certificate_request(SSL *s) goto err; } - if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) + if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; S3I(s)->hs.state = SSL3_ST_SW_CERT_REQ_B; 
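Review bot: `EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)` in the PSS branch of ssl3_send_server_key_exchange() depends on the magic value -1 meaning "salt length equals digest length", which is what RFC 8446 section 4.2.3 requires for rsa_pss_*; if rsa.h provides RSA_PSS_SALTLEN_DIGEST use it, otherwise add `/* -1: salt length = digest length, as RFC 8446 4.2.3 requires */` on that line. The hunk also dereferences `sigalg->value` and `sigalg->flags` whenever `pkey != NULL`, so it relies on ssl_get_sign_pkey() never returning a key with a NULL sigalg, including on the pre-TLS-1.2 MD5+SHA1 path; that contract is not visible here and deserves either a NULL check or a comment. On the success path params and signature are freed but `cbb_params` is cleaned only under `err`; since CBB_finish() already released it that is fine, but a one-line comment would spare the next reader the same check. The function starts in the previous hunk; this hunk holds the rest of it.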
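Review bot: The CertificateRequest now advertises the whole tls12_sigalgs table via `ssl_sigalgs_build(&sigalgs, tls12_sigalgs, tls12_sigalgs_len)` in the `@@ -1678,14 +1628,9 @@` hunk, which includes the two SHA-1 entries that ssl_sigalgs.c marks `/* XXX */`, so a TLS 1.2 client is explicitly invited to sign its CertificateVerify with RSA-PKCS1-SHA1 or ECDSA-SHA1. If that is a deliberate compatibility choice a comment here saying so is warranted; if not, a separate list without the SHA-1 entries can be handed to ssl_sigalgs_build() without touching the table used for selection. ssl3_send_certificate_request() starts and ends outside this hunk.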
@@ -1724,21 +1669,23 @@ ssl3_send_certificate_request(SSL *s) } static int -ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n) +ssl3_get_client_kex_rsa(SSL *s, CBS *cbs) { unsigned char fakekey[SSL_MAX_MASTER_KEY_LENGTH]; - unsigned char *d; - RSA *rsa = NULL; + unsigned char *pms = NULL; + unsigned char *p; + size_t pms_len = 0; EVP_PKEY *pkey = NULL; - int i, al; - - d = p; + RSA *rsa = NULL; + CBS enc_pms; + int decrypt_len; + int al = -1; arc4random_buf(fakekey, sizeof(fakekey)); fakekey[0] = s->client_version >> 8; fakekey[1] = s->client_version & 0xff; - pkey = s->cert->pkeys[SSL_PKEY_RSA_ENC].privatekey; + pkey = s->cert->pkeys[SSL_PKEY_RSA].privatekey; if ((pkey == NULL) || (pkey->type != EVP_PKEY_RSA) || (pkey->pkey.rsa == NULL)) { al = SSL_AD_HANDSHAKE_FAILURE; 
@@ -1747,61 +1694,48 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n) } rsa = pkey->pkey.rsa; - if (2 > n) + pms_len = RSA_size(rsa); + if (pms_len < SSL_MAX_MASTER_KEY_LENGTH) + goto err; + if ((pms = malloc(pms_len)) == NULL) + goto err; + p = pms; + + if (!CBS_get_u16_length_prefixed(cbs, &enc_pms)) goto truncated; - n2s(p, i); - if (n != i + 2) { + if (CBS_len(cbs) != 0 || CBS_len(&enc_pms) != RSA_size(rsa)) { SSLerror(s, SSL_R_TLS_RSA_ENCRYPTED_VALUE_LENGTH_IS_WRONG); goto err; - } else - n = i; + } - i = RSA_private_decrypt((int)n, p, p, rsa, RSA_PKCS1_PADDING); + decrypt_len = RSA_private_decrypt(CBS_len(&enc_pms), CBS_data(&enc_pms), + pms, rsa, RSA_PKCS1_PADDING); ERR_clear_error(); - al = -1; - - if (i != SSL_MAX_MASTER_KEY_LENGTH) { + if (decrypt_len != SSL_MAX_MASTER_KEY_LENGTH) { al = SSL_AD_DECODE_ERROR; /* SSLerror(s, SSL_R_BAD_RSA_DECRYPT); */ } - if (p - d + 2 > n) /* needed in the SSL3 case */ - goto truncated; - if ((al == -1) && !((p[0] == (s->client_version >> 8)) && - (p[1] == (s->client_version & 0xff)))) { + if ((al == -1) && !((pms[0] == (s->client_version >> 8)) && + (pms[1] == (s->client_version & 0xff)))) { /* - * The premaster secret must contain the same version - * number as the ClientHello to detect version rollback - * attacks (strangely, the protocol does not offer such - * protection for DH ciphersuites). - * However, buggy clients exist that send the negotiated - * protocol version instead if the server does not - * support the requested protocol version. - * If SSL_OP_TLS_ROLLBACK_BUG is set, tolerate such - * clients. + * The premaster secret must contain the same version number + * as the ClientHello to detect version rollback attacks + * (strangely, the protocol does not offer such protection for + * DH ciphersuites). 
+ * + * The Klima-Pokorny-Rosa extension of Bleichenbacher's attack + * (http://eprint.iacr.org/2003/052/) exploits the version + * number check as a "bad version oracle" -- an alert would + * reveal that the plaintext corresponding to some ciphertext + * made up by the adversary is properly formatted except that + * the version number is wrong. To avoid such attacks, we should + * treat this just like any other decryption error. */ - if (!((s->internal->options & SSL_OP_TLS_ROLLBACK_BUG) && - (p[0] == (s->version >> 8)) && - (p[1] == (s->version & 0xff)))) { - al = SSL_AD_DECODE_ERROR; - /* SSLerror(s, SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ - - /* - * The Klima-Pokorny-Rosa extension of - * Bleichenbacher's attack - * (http://eprint.iacr.org/2003/052/) exploits - * the version number check as a "bad version - * oracle" -- an alert would reveal that the - * plaintext corresponding to some ciphertext - * made up by the adversary is properly - * formatted except that the version number is - * wrong. - * To avoid such attacks, we should treat this - * just like any other decryption error. - */ - } + al = SSL_AD_DECODE_ERROR; + /* SSLerror(s, SSL_R_BAD_PROTOCOL_VERSION_NUMBER); */ } if (al != -1) { 
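Review bot: The two early exits added at the top of ssl3_get_client_kex_rsa, `if (pms_len < SSL_MAX_MASTER_KEY_LENGTH) goto err;` and `if ((pms = malloc(pms_len)) == NULL) goto err;`, return -1 with `al` still -1, so the caller sends no alert and finds no reason on the error queue; the DHE parser in this same commit reports `SSLerror(s, ERR_R_MALLOC_FAILURE)` on allocation failure, and the size check could report `SSLerror(s, ERR_R_INTERNAL_ERROR)` before its goto. `pms_len` is a `size_t` assigned from `RSA_size(rsa)`, which returns `int`, so a negative or zero result is widened before the comparison; checking the `int` result first would read more honestly. Folding the decrypt-length and version failures into the single `al` flag is the right shape for the Bleichenbacher/KPR countermeasure described in the comment, and a one-line pointer that the fake-premaster substitution further down depends on this path raising no distinguishable error would help the next maintainer. The `if (al != -1)` block and the rest of the function continue outside this hunk.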
@@ -1811,43 +1745,41 @@ ssl3_get_client_kex_rsa(SSL *s, unsigned char *p, long n) * on PKCS #1 v1.5 RSA padding (see RFC 2246, * section 7.4.7.1). */ - i = SSL_MAX_MASTER_KEY_LENGTH; p = fakekey; } s->session->master_key_length = tls1_generate_master_secret(s, - s->session->master_key, p, i); + s->session->master_key, p, SSL_MAX_MASTER_KEY_LENGTH); - explicit_bzero(p, i); + freezero(pms, pms_len); return (1); -truncated: + + truncated: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); -f_err: + f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); -err: + err: + freezero(pms, pms_len); + return (-1); } static int -ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n) +ssl3_get_client_kex_dhe(SSL *s, CBS *cbs) { + int key_size = 0; + int key_is_invalid, key_len, al; + unsigned char *key = NULL; BIGNUM *bn = NULL; - int key_size, al; - CBS cbs, dh_Yc; + CBS dh_Yc; DH *dh; - if (n < 0) - goto err; - - CBS_init(&cbs, p, n); - - if (!CBS_get_u16_length_prefixed(&cbs, &dh_Yc)) + if (!CBS_get_u16_length_prefixed(cbs, &dh_Yc)) goto truncated; - - if (CBS_len(&cbs) != 0) + if (CBS_len(cbs) != 0) goto truncated; if (S3I(s)->tmp.dh == NULL) { 
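Review bot: The fake premaster secret in `fakekey` is no longer scrubbed: the removed `explicit_bzero(p, i);` cleared whichever buffer `p` pointed at, while its replacement `freezero(pms, pms_len);` only covers the heap copy, so when the `p = fakekey;` branch was taken the random bytes that seeded `tls1_generate_master_secret` stay on the stack. Adding `explicit_bzero(fakekey, sizeof(fakekey));` before `return (1);` (and on the error path, for symmetry) restores the previous hygiene. The indented `truncated:`/`f_err:`/`err:` labels match the style used elsewhere in this diff. ssl3_get_client_kex_dhe begins in this hunk and its body continues past it.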
@@ -1862,22 +1794,37 @@ ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n) goto err; } - key_size = DH_compute_key(p, bn, dh); - if (key_size <= 0) { + if ((key_size = DH_size(dh)) <= 0) { SSLerror(s, ERR_R_DH_LIB); - BN_clear_free(bn); goto err; } + if ((key = malloc(key_size)) == NULL) { + SSLerror(s, ERR_R_MALLOC_FAILURE); + goto err; + } + if (!DH_check_pub_key(dh, bn, &key_is_invalid)) { + al = SSL_AD_INTERNAL_ERROR; + SSLerror(s, ERR_R_DH_LIB); + goto f_err; + } + if (key_is_invalid) { + al = SSL_AD_ILLEGAL_PARAMETER; + SSLerror(s, ERR_R_DH_LIB); + goto f_err; + } + if ((key_len = DH_compute_key(key, bn, dh)) <= 0) { + al = SSL_AD_INTERNAL_ERROR; + SSLerror(s, ERR_R_DH_LIB); + goto f_err; + } - s->session->master_key_length = - tls1_generate_master_secret( - s, s->session->master_key, p, key_size); - - explicit_bzero(p, key_size); + s->session->master_key_length = tls1_generate_master_secret(s, + s->session->master_key, key, key_len); DH_free(S3I(s)->tmp.dh); S3I(s)->tmp.dh = NULL; + freezero(key, key_size); BN_clear_free(bn); return (1); 
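Review bot: The `if ((key_size = DH_size(dh)) <= 0)` failure in ssl3_get_client_kex_dhe takes `goto err` with no alert, while the three checks added right after it (`DH_check_pub_key`, `key_is_invalid`, `DH_compute_key`) all set `al` and go through `f_err`; `al = SSL_AD_INTERNAL_ERROR; goto f_err;` would make the four failures consistent (the malloc failure can reasonably stay as is). The `DH_check_pub_key` call is the important addition here — as I read that API it rejects peer values outside the valid range and, where the group order is known, values not in the subgroup — and deserves a comment such as `/* Reject out-of-range or small-subgroup peer values before deriving. */`. `key_len`, the actual shared-secret length, is correctly what reaches `tls1_generate_master_secret`, while `key_size` sizes the allocation and the `freezero`. The function's `f_err:`/`err:` labels are in the next hunk.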
@@ -1888,160 +1835,76 @@ ssl3_get_client_kex_dhe(SSL *s, unsigned char *p, long n) f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); err: + freezero(key, key_size); + BN_clear_free(bn); + return (-1); } static int -ssl3_get_client_kex_ecdhe_ecp(SSL *s, unsigned char *p, long n) +ssl3_get_client_kex_ecdhe_ecp(SSL *s, CBS *cbs) { - EC_KEY *srvr_ecdh = NULL; - EVP_PKEY *clnt_pub_pkey = NULL; - EC_POINT *clnt_ecpoint = NULL; - BN_CTX *bn_ctx = NULL; - int i, al; + uint8_t *key = NULL; + size_t key_len = 0; + EC_KEY *ecdh_peer = NULL; + EC_KEY *ecdh; + CBS public; + int ret = -1; - int ret = 1; - int key_size; - const EC_KEY *tkey; - const EC_GROUP *group; - const BIGNUM *priv_key; - - /* Initialize structures for server's ECDH key pair. */ - if ((srvr_ecdh = EC_KEY_new()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); + /* + * Use the ephemeral values we saved when generating the + * ServerKeyExchange message. + */ + if ((ecdh = S3I(s)->tmp.ecdh) == NULL) { + SSLerror(s, ERR_R_INTERNAL_ERROR); goto err; } /* - * Use the ephemeral values we saved when - * generating the ServerKeyExchange message. + * Get client's public key from encoded point in the ClientKeyExchange + * message. */ - tkey = S3I(s)->tmp.ecdh; - - group = EC_KEY_get0_group(tkey); - priv_key = EC_KEY_get0_private_key(tkey); - - if (!EC_KEY_set_group(srvr_ecdh, group) || - !EC_KEY_set_private_key(srvr_ecdh, priv_key)) { - SSLerror(s, ERR_R_EC_LIB); + if (!CBS_get_u8_length_prefixed(cbs, &public)) goto err; - } - - /* Let's get client's public key */ - if ((clnt_ecpoint = EC_POINT_new(group)) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); + if (CBS_len(cbs) != 0) goto err; - } - if (n == 0L) { - /* Client Publickey was in Client Certificate */ - if (((clnt_pub_pkey = X509_get_pubkey( - s->session->peer)) == NULL) || - (clnt_pub_pkey->type != EVP_PKEY_EC)) { - /* - * XXX: For now, we do not support client - * authentication using ECDH certificates - * so this branch (n == 0L) of the code is - * never executed. 
When that support is - * added, we ought to ensure the key - * received in the certificate is - * authorized for key agreement. - * ECDH_compute_key implicitly checks that - * the two ECDH shares are for the same - * group. - */ - al = SSL_AD_HANDSHAKE_FAILURE; - SSLerror(s, SSL_R_UNABLE_TO_DECODE_ECDH_CERTS); - goto f_err; - } - - if (EC_POINT_copy(clnt_ecpoint, - EC_KEY_get0_public_key(clnt_pub_pkey->pkey.ec)) - == 0) { - SSLerror(s, ERR_R_EC_LIB); - goto err; - } - ret = 2; /* Skip certificate verify processing */ - } else { - /* - * Get client's public key from encoded point - * in the ClientKeyExchange message. - */ - if ((bn_ctx = BN_CTX_new()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - - /* Get encoded point length */ - i = *p; - - p += 1; - if (n != 1 + i) { - SSLerror(s, ERR_R_EC_LIB); - goto err; - } - if (EC_POINT_oct2point(group, - clnt_ecpoint, p, i, bn_ctx) == 0) { - SSLerror(s, ERR_R_EC_LIB); - goto err; - } - /* - * p is pointing to somewhere in the buffer - * currently, so set it to the start. - */ - p = (unsigned char *)s->internal->init_buf->data; - } - - /* Compute the shared pre-master secret */ - key_size = ECDH_size(srvr_ecdh); - if (key_size <= 0) { - SSLerror(s, ERR_R_ECDH_LIB); + if ((ecdh_peer = EC_KEY_new()) == NULL) goto err; - } - i = ECDH_compute_key(p, key_size, clnt_ecpoint, srvr_ecdh, - NULL); - if (i <= 0) { - SSLerror(s, ERR_R_ECDH_LIB); - goto err; - } - EVP_PKEY_free(clnt_pub_pkey); - EC_POINT_free(clnt_ecpoint); - EC_KEY_free(srvr_ecdh); - BN_CTX_free(bn_ctx); + if (!ssl_kex_peer_public_ecdhe_ecp(ecdh_peer, S3I(s)->tmp.ecdh_nid, + &public)) + goto err; + + /* Derive the shared secret and compute master secret. 
*/ + if (!ssl_kex_derive_ecdhe_ecp(ecdh, ecdh_peer, &key, &key_len)) + goto err; + s->session->master_key_length = tls1_generate_master_secret(s, + s->session->master_key, key, key_len); + EC_KEY_free(S3I(s)->tmp.ecdh); S3I(s)->tmp.ecdh = NULL; + S3I(s)->tmp.ecdh_nid = NID_undef; - /* Compute the master secret */ - s->session->master_key_length = - tls1_generate_master_secret( - s, s->session->master_key, p, i); + ret = 1; - explicit_bzero(p, i); - return (ret); - - f_err: - ssl3_send_alert(s, SSL3_AL_FATAL, al); err: - EVP_PKEY_free(clnt_pub_pkey); - EC_POINT_free(clnt_ecpoint); - EC_KEY_free(srvr_ecdh); - BN_CTX_free(bn_ctx); - return (-1); + freezero(key, key_len); + EC_KEY_free(ecdh_peer); + + return (ret); } static int -ssl3_get_client_kex_ecdhe_ecx(SSL *s, unsigned char *p, long n) +ssl3_get_client_kex_ecdhe_ecx(SSL *s, CBS *cbs) { uint8_t *shared_key = NULL; - CBS cbs, ecpoint; + CBS ecpoint; int ret = -1; - if (n < 0) + if (!CBS_get_u8_length_prefixed(cbs, &ecpoint)) goto err; - - CBS_init(&cbs, p, n); - if (!CBS_get_u8_length_prefixed(&cbs, &ecpoint)) + if (CBS_len(cbs) != 0) goto err; if (CBS_len(&ecpoint) != X25519_KEY_LENGTH) goto err; 
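Review bot: Malformed ClientKeyExchange payloads now fail silently in both ECDHE parsers: `if (!CBS_get_u8_length_prefixed(cbs, &public)) goto err;` and `if (CBS_len(cbs) != 0) goto err;` in ssl3_get_client_kex_ecdhe_ecp, and the same pair in ssl3_get_client_kex_ecdhe_ecx, return -1 without an SSLerror or alert, whereas the RSA and DHE parsers in this commit route the same conditions through a `truncated:` label that records SSL_R_BAD_PACKET_LENGTH and sends SSL_AD_DECODE_ERROR. The old code at least recorded ERR_R_EC_LIB, so this is a regression in diagnosability rather than in memory safety. The sketch below uses the file's existing `if (0) { truncated: ... }` idiom for the ecp variant; the ecx variant, whose body continues past this hunk, would take the same shape.
```c
	if (!CBS_get_u8_length_prefixed(cbs, &public))
		goto truncated;
	if (CBS_len(cbs) != 0)
		goto truncated;

	/* … unchanged: peer key import, shared-secret derivation, master secret … */

	ret = 1;

	if (0) {
 truncated:
		SSLerror(s, SSL_R_BAD_PACKET_LENGTH);
		ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_DECODE_ERROR);
	}
 err:
	freezero(key, key_len);
	EC_KEY_free(ecdh_peer);

	return (ret);
```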
@@ -2067,25 +1930,23 @@ ssl3_get_client_kex_ecdhe_ecx(SSL *s, unsigned char *p, long n) } static int -ssl3_get_client_kex_ecdhe(SSL *s, unsigned char *p, long n) +ssl3_get_client_kex_ecdhe(SSL *s, CBS *cbs) { if (S3I(s)->tmp.x25519 != NULL) - return ssl3_get_client_kex_ecdhe_ecx(s, p, n); + return ssl3_get_client_kex_ecdhe_ecx(s, cbs); - return ssl3_get_client_kex_ecdhe_ecp(s, p, n); + return ssl3_get_client_kex_ecdhe_ecp(s, cbs); } static int -ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n) +ssl3_get_client_kex_gost(SSL *s, CBS *cbs) { - EVP_PKEY_CTX *pkey_ctx; EVP_PKEY *client_pub_pkey = NULL, *pk = NULL; - unsigned char premaster_secret[32], *start; - size_t outlen = 32, inlen; + unsigned char premaster_secret[32]; unsigned long alg_a; - int Ttag, Tclass; - long Tlen; + size_t outlen = 32; + CBS gostblob; int al; int ret = 0; @@ -2094,8 +1955,11 @@ ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n) if (alg_a & SSL_aGOST01) pk = s->cert->pkeys[SSL_PKEY_GOST01].privatekey; - pkey_ctx = EVP_PKEY_CTX_new(pk, NULL); - EVP_PKEY_decrypt_init(pkey_ctx); + if ((pkey_ctx = EVP_PKEY_CTX_new(pk, NULL)) == NULL) + goto err; + if (EVP_PKEY_decrypt_init(pkey_ctx) <= 0) + goto gerr; + /* * If client certificate is present and is of the same type, * maybe use it for key exchange. 
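Review bot: `if ((pkey_ctx = EVP_PKEY_CTX_new(pk, NULL)) == NULL) goto err;` in ssl3_get_client_kex_gost records no error reason, so a failure here leaves the queue empty; `SSLerror(s, ERR_R_EVP_LIB);` before the goto would keep it informative. `pk` stays NULL when `alg_a` carries no SSL_aGOST01 bit, so this is also the line that catches a cipher/key mismatch, which a short comment could say. The `EVP_PKEY_CTX *pkey_ctx;` declaration was dropped from the visible declaration list; presumably it is now declared with a NULL initializer in the unchanged lines between these hunks — worth confirming, since the cleanup paths depend on it. The function continues in the next hunk.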
@@ -2103,32 +1967,28 @@ ssl3_get_client_kex_gost(SSL *s, unsigned char *p, long n) * it is completely valid to use a client certificate for * authorization only. */ - client_pub_pkey = X509_get_pubkey(s->session->peer); - if (client_pub_pkey) { + if ((client_pub_pkey = X509_get_pubkey(s->session->peer)) != NULL) { if (EVP_PKEY_derive_set_peer(pkey_ctx, client_pub_pkey) <= 0) ERR_clear_error(); } - if (2 > n) - goto truncated; + /* Decrypt session key */ - if (ASN1_get_object((const unsigned char **)&p, &Tlen, &Ttag, - &Tclass, n) != V_ASN1_CONSTRUCTED || - Ttag != V_ASN1_SEQUENCE || Tclass != V_ASN1_UNIVERSAL) { - SSLerror(s, SSL_R_DECRYPTION_FAILED); - goto gerr; - } - start = p; - inlen = Tlen; + if (!CBS_get_asn1(cbs, &gostblob, CBS_ASN1_SEQUENCE)) + goto truncated; + if (CBS_len(cbs) != 0) + goto truncated; if (EVP_PKEY_decrypt(pkey_ctx, premaster_secret, &outlen, - start, inlen) <=0) { + CBS_data(&gostblob), CBS_len(&gostblob)) <= 0) { SSLerror(s, SSL_R_DECRYPTION_FAILED); goto gerr; } + /* Generate master secret */ s->session->master_key_length = tls1_generate_master_secret( s, s->session->master_key, premaster_secret, 32); + /* Check if pubkey from client certificate was used */ if (EVP_PKEY_CTX_ctrl(pkey_ctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 2, NULL) > 0) 
@@ -2155,31 +2015,34 @@ int ssl3_get_client_key_exchange(SSL *s) { unsigned long alg_k; - unsigned char *p; int al, ok; + CBS cbs; long n; /* 2048 maxlen is a guess. How long a key does that permit? */ - n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_KEY_EXCH_A, + n = ssl3_get_message(s, SSL3_ST_SR_KEY_EXCH_A, SSL3_ST_SR_KEY_EXCH_B, SSL3_MT_CLIENT_KEY_EXCHANGE, 2048, &ok); if (!ok) return ((int)n); - p = (unsigned char *)s->internal->init_msg; + if (n < 0) + goto err; + + CBS_init(&cbs, s->internal->init_msg, n); alg_k = S3I(s)->hs.new_cipher->algorithm_mkey; if (alg_k & SSL_kRSA) { - if (ssl3_get_client_kex_rsa(s, p, n) != 1) + if (ssl3_get_client_kex_rsa(s, &cbs) != 1) goto err; } else if (alg_k & SSL_kDHE) { - if (ssl3_get_client_kex_dhe(s, p, n) != 1) + if (ssl3_get_client_kex_dhe(s, &cbs) != 1) goto err; } else if (alg_k & SSL_kECDHE) { - if (ssl3_get_client_kex_ecdhe(s, p, n) != 1) + if (ssl3_get_client_kex_ecdhe(s, &cbs) != 1) goto err; } else if (alg_k & SSL_kGOST) { - if (ssl3_get_client_kex_gost(s, p, n) != 1) + if (ssl3_get_client_kex_gost(s, &cbs) != 1) goto err; } else { al = SSL_AD_HANDSHAKE_FAILURE; @@ -2187,6 +2050,12 @@ ssl3_get_client_key_exchange(SSL *s) goto f_err; } + if (CBS_len(&cbs) != 0) { + al = SSL_AD_DECODE_ERROR; + SSLerror(s, SSL_R_BAD_PACKET_LENGTH); + goto f_err; + } + return (1); f_err: 
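Review bot: The trailing-data check added at the end of ssl3_get_client_key_exchange, `if (CBS_len(&cbs) != 0) { ... SSL_R_BAD_PACKET_LENGTH ... }`, duplicates the `CBS_len(cbs) != 0` test each key-exchange parser already performs, which is fine as defence in depth but reads as if it were the only guard; a comment such as `/* Each kex parser consumes its entire payload; anything left over is a protocol error. */` would make the intent explicit. `if (n < 0) goto err;` after the `ok` test mirrors the other message handlers in this commit. The `f_err:`/`err:` labels lie past the end of the hunk.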
@@ -2198,28 +2067,35 @@ ssl3_get_client_key_exchange(SSL *s) int ssl3_get_cert_verify(SSL *s) { - EVP_PKEY *pkey = NULL; - unsigned char *p; - int al, ok, ret = 0; - long n; - int type = 0, i, j; - X509 *peer; + CBS cbs, signature; + const struct ssl_sigalg *sigalg = NULL; const EVP_MD *md = NULL; + EVP_PKEY *pkey = NULL; + X509 *peer = NULL; EVP_MD_CTX mctx; + int al, ok, verify; + const unsigned char *hdata; + size_t hdatalen; + int type = 0; + int ret = 0; + long n; + EVP_MD_CTX_init(&mctx); - n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_CERT_VRFY_A, + n = ssl3_get_message(s, SSL3_ST_SR_CERT_VRFY_A, SSL3_ST_SR_CERT_VRFY_B, -1, SSL3_RT_MAX_PLAIN_LENGTH, &ok); if (!ok) return ((int)n); + if (n < 0) + goto err; + + CBS_init(&cbs, s->internal->init_msg, n); + if (s->session->peer != NULL) { peer = s->session->peer; pkey = X509_get_pubkey(peer); type = X509_certificate_type(peer, pkey); - } else { - peer = NULL; - pkey = NULL; } if (S3I(s)->tmp.message_type != SSL3_MT_CERTIFICATE_VERIFY) { 
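Review bot: `pkey = X509_get_pubkey(peer);` in ssl3_get_cert_verify can return NULL, and the code in the following hunk dereferences `pkey` (`EVP_PKEY_size(pkey)`, `pkey->type`) with no NULL test in view; presumably the certificate-type handling in the unchanged lines between these two hunks rejects that case — worth confirming, since `X509_certificate_type(peer, pkey)` is also reached with a NULL `pkey`. Moving `EVP_MD_CTX_init(&mctx);` ahead of `ssl3_get_message` is what makes the new `if (n < 0) goto err;` safe, because `err:` calls `EVP_MD_CTX_cleanup(&mctx)`; a comment such as `/* Initialised before any goto err; err: always cleans it up. */` would stop a future reorder from reintroducing cleanup of an uninitialised context. The function body continues past this hunk.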
@@ -2251,149 +2127,151 @@ ssl3_get_cert_verify(SSL *s) goto f_err; } - /* we now have a signature that we need to verify */ - p = (unsigned char *)s->internal->init_msg; - /* - * Check for broken implementations of GOST ciphersuites. - * - * If key is GOST and n is exactly 64, it is a bare - * signature without length field. - */ - if (n == 64 && (pkey->type == NID_id_GostR3410_94 || - pkey->type == NID_id_GostR3410_2001) ) { - i = 64; - } else { - if (SSL_USE_SIGALGS(s)) { - int sigalg = tls12_get_sigid(pkey); - /* Should never happen */ - if (sigalg == -1) { - SSLerror(s, ERR_R_INTERNAL_ERROR); - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } - if (2 > n) - goto truncated; - /* Check key type is consistent with signature */ - if (sigalg != (int)p[1]) { - SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - md = tls12_get_hash(p[0]); - if (md == NULL) { - SSLerror(s, SSL_R_UNKNOWN_DIGEST); - al = SSL_AD_DECODE_ERROR; - goto f_err; - } - p += 2; - n -= 2; + if (!SSL_USE_SIGALGS(s)) { + if (!CBS_get_u16_length_prefixed(&cbs, &signature)) + goto err; + if (CBS_len(&signature) > EVP_PKEY_size(pkey)) { + SSLerror(s, SSL_R_WRONG_SIGNATURE_SIZE); + al = SSL_AD_DECODE_ERROR; + goto f_err; + } + if (CBS_len(&cbs) != 0) { + al = SSL_AD_DECODE_ERROR; + SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE); + goto f_err; } - if (2 > n) - goto truncated; - n2s(p, i); - n -= 2; - if (i > n) - goto truncated; - } - j = EVP_PKEY_size(pkey); - if ((i > j) || (n > j) || (n <= 0)) { - SSLerror(s, SSL_R_WRONG_SIGNATURE_SIZE); - al = SSL_AD_DECODE_ERROR; - goto f_err; } if (SSL_USE_SIGALGS(s)) { - long hdatalen = 0; - void *hdata; - hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata); - if (hdatalen <= 0) { + EVP_PKEY_CTX *pctx; + uint16_t sigalg_value; + + if (!CBS_get_u16(&cbs, &sigalg_value)) + goto truncated; + if ((sigalg = ssl_sigalg(sigalg_value, tls12_sigalgs, + tls12_sigalgs_len)) == NULL || + (md = sigalg->md()) == NULL) { + SSLerror(s, 
SSL_R_UNKNOWN_DIGEST); + al = SSL_AD_DECODE_ERROR; + goto f_err; + } + if (!ssl_sigalg_pkey_ok(sigalg, pkey, 0)) { + SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE); + al = SSL_AD_DECODE_ERROR; + goto f_err; + } + + if (!CBS_get_u16_length_prefixed(&cbs, &signature)) + goto err; + if (CBS_len(&signature) > EVP_PKEY_size(pkey)) { + SSLerror(s, SSL_R_WRONG_SIGNATURE_SIZE); + al = SSL_AD_DECODE_ERROR; + goto f_err; + } + if (CBS_len(&cbs) != 0) { + al = SSL_AD_DECODE_ERROR; + SSLerror(s, SSL_R_EXTRA_DATA_IN_MESSAGE); + goto f_err; + } + + if (!tls1_transcript_data(s, &hdata, &hdatalen)) { SSLerror(s, ERR_R_INTERNAL_ERROR); al = SSL_AD_INTERNAL_ERROR; goto f_err; } - if (!EVP_VerifyInit_ex(&mctx, md, NULL) || - !EVP_VerifyUpdate(&mctx, hdata, hdatalen)) { + if (!EVP_DigestVerifyInit(&mctx, &pctx, md, NULL, pkey)) { SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; goto f_err; } - - if (EVP_VerifyFinal(&mctx, p, i, pkey) <= 0) { + if ((sigalg->flags & SIGALG_FLAG_RSA_PSS) && + (!EVP_PKEY_CTX_set_rsa_padding + (pctx, RSA_PKCS1_PSS_PADDING) || + !EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1))) { + al = SSL_AD_INTERNAL_ERROR; + goto f_err; + } + if (sigalg->key_type == EVP_PKEY_GOSTR01 && + EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY, + EVP_PKEY_CTRL_GOST_SIG_FORMAT, GOST_SIG_FORMAT_RS_LE, + NULL) <= 0) { + al = SSL_AD_INTERNAL_ERROR; + goto f_err; + } + if (!EVP_DigestVerifyUpdate(&mctx, hdata, hdatalen)) { + SSLerror(s, ERR_R_EVP_LIB); + al = SSL_AD_INTERNAL_ERROR; + goto f_err; + } + if (EVP_DigestVerifyFinal(&mctx, CBS_data(&signature), + CBS_len(&signature)) <= 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_SIGNATURE); goto f_err; } - } else - if (pkey->type == EVP_PKEY_RSA) { - i = RSA_verify(NID_md5_sha1, S3I(s)->tmp.cert_verify_md, - MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, p, i, - pkey->pkey.rsa); - if (i < 0) { + } else if (pkey->type == EVP_PKEY_RSA) { + verify = RSA_verify(NID_md5_sha1, S3I(s)->tmp.cert_verify_md, + MD5_DIGEST_LENGTH + SHA_DIGEST_LENGTH, 
CBS_data(&signature), + CBS_len(&signature), pkey->pkey.rsa); + if (verify < 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_RSA_DECRYPT); goto f_err; } - if (i == 0) { + if (verify == 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_RSA_SIGNATURE); goto f_err; } - } else - if (pkey->type == EVP_PKEY_EC) { - j = ECDSA_verify(pkey->save_type, + } else if (pkey->type == EVP_PKEY_EC) { + verify = ECDSA_verify(pkey->save_type, &(S3I(s)->tmp.cert_verify_md[MD5_DIGEST_LENGTH]), - SHA_DIGEST_LENGTH, p, i, pkey->pkey.ec); - if (j <= 0) { - /* bad signature */ + SHA_DIGEST_LENGTH, CBS_data(&signature), + CBS_len(&signature), pkey->pkey.ec); + if (verify <= 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_ECDSA_SIGNATURE); goto f_err; } - } else #ifndef OPENSSL_NO_GOST - if (pkey->type == NID_id_GostR3410_94 || + } else if (pkey->type == NID_id_GostR3410_94 || pkey->type == NID_id_GostR3410_2001) { - long hdatalen = 0; - void *hdata; - unsigned char signature[128]; - unsigned int siglen = sizeof(signature); - int nid; + unsigned char sigbuf[128]; + unsigned int siglen = sizeof(sigbuf); EVP_PKEY_CTX *pctx; + int nid; - hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata); - if (hdatalen <= 0) { + if (!tls1_transcript_data(s, &hdata, &hdatalen)) { SSLerror(s, ERR_R_INTERNAL_ERROR); al = SSL_AD_INTERNAL_ERROR; goto f_err; } if (!EVP_PKEY_get_default_digest_nid(pkey, &nid) || - !(md = EVP_get_digestbynid(nid))) { + !(md = EVP_get_digestbynid(nid))) { SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; goto f_err; } - pctx = EVP_PKEY_CTX_new(pkey, NULL); - if (!pctx) { + if ((pctx = EVP_PKEY_CTX_new(pkey, NULL)) == NULL) { SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; goto f_err; } if (!EVP_DigestInit_ex(&mctx, md, NULL) || !EVP_DigestUpdate(&mctx, hdata, hdatalen) || - !EVP_DigestFinal(&mctx, signature, &siglen) || + !EVP_DigestFinal(&mctx, sigbuf, &siglen) || (EVP_PKEY_verify_init(pctx) <= 0) || (EVP_PKEY_CTX_set_signature_md(pctx, md) <= 
0) || (EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_VERIFY, - EVP_PKEY_CTRL_GOST_SIG_FORMAT, - GOST_SIG_FORMAT_RS_LE, - NULL) <= 0)) { + EVP_PKEY_CTRL_GOST_SIG_FORMAT, + GOST_SIG_FORMAT_RS_LE, NULL) <= 0)) { SSLerror(s, ERR_R_EVP_LIB); al = SSL_AD_INTERNAL_ERROR; EVP_PKEY_CTX_free(pctx); goto f_err; } - - if (EVP_PKEY_verify(pctx, p, i, signature, siglen) <= 0) { + if (EVP_PKEY_verify(pctx, CBS_data(&signature), + CBS_len(&signature), sigbuf, siglen) <= 0) { al = SSL_AD_DECRYPT_ERROR; SSLerror(s, SSL_R_BAD_SIGNATURE); EVP_PKEY_CTX_free(pctx); @@ -2401,29 +2279,24 @@ ssl3_get_cert_verify(SSL *s) } EVP_PKEY_CTX_free(pctx); - } else #endif - { + } else { SSLerror(s, ERR_R_INTERNAL_ERROR); al = SSL_AD_UNSUPPORTED_CERTIFICATE; goto f_err; } - ret = 1; if (0) { -truncated: + truncated: al = SSL_AD_DECODE_ERROR; SSLerror(s, SSL_R_BAD_PACKET_LENGTH); -f_err: + f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); } -end: - if (S3I(s)->handshake_buffer) { - BIO_free(S3I(s)->handshake_buffer); - S3I(s)->handshake_buffer = NULL; - s->s3->flags &= ~TLS1_FLAGS_KEEP_HANDSHAKE; - } + end: + tls1_transcript_free(s); + err: EVP_MD_CTX_cleanup(&mctx); EVP_PKEY_free(pkey); return (ret); @@ -2439,9 +2312,8 @@ ssl3_get_client_certificate(SSL *s) const unsigned char *q; STACK_OF(X509) *sk = NULL; - n = s->method->internal->ssl_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, + n = ssl3_get_message(s, SSL3_ST_SR_CERT_A, SSL3_ST_SR_CERT_B, -1, s->internal->max_cert_list, &ok); - if (!ok) return ((int)n); @@ -2524,11 +2396,8 @@ ssl3_get_client_certificate(SSL *s) al = SSL_AD_HANDSHAKE_FAILURE; goto f_err; } - /* No client certificate so digest cached records */ - if (S3I(s)->handshake_buffer && !tls1_digest_cached_records(s)) { - al = SSL_AD_INTERNAL_ERROR; - goto f_err; - } + /* No client certificate so free transcript. */ + tls1_transcript_free(s); } else { i = ssl_verify_cert_chain(s, sk); if (i <= 0) { 
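Review bot: `if (!CBS_get_u16_length_prefixed(&cbs, &signature)) goto err;` appears in both branches of ssl3_get_cert_verify, and `goto err` skips the alert, whereas the `CBS_get_u16(&cbs, &sigalg_value)` read a few lines later uses `goto truncated` (SSL_AD_DECODE_ERROR plus SSL_R_BAD_PACKET_LENGTH); a short signature field is the same class of malformed message, so `goto truncated;` on both lines would make the handling uniform. The RSA-PSS setup `EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)` relies on a magic value — `-1` selects a salt length equal to the digest length, the only length the TLS 1.3 signature schemes allow — and deserves a comment, or the named constant for it if this tree defines one. The GOST branch keeps its own `pctx` and frees it on every path, while the sigalgs branch's `pctx` is handed to `mctx` by `EVP_DigestVerifyInit` and is correctly not freed separately; a one-line comment on that asymmetry would help. The `if (0) { truncated: ... f_err: ... }` epilogue is in the following hunk.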
@@ -2582,7 +2451,7 @@ int ssl3_send_server_certificate(SSL *s) { CBB cbb, server_cert; - X509 *x; + CERT_PKEY *cpk; /* * Server Certificate - RFC 5246, section 7.4.2. @@ -2591,17 +2460,17 @@ ssl3_send_server_certificate(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (S3I(s)->hs.state == SSL3_ST_SW_CERT_A) { - if ((x = ssl_get_server_send_cert(s)) == NULL) { + if ((cpk = ssl_get_server_send_pkey(s)) == NULL) { SSLerror(s, ERR_R_INTERNAL_ERROR); return (0); } - if (!ssl3_handshake_msg_start_cbb(s, &cbb, &server_cert, + if (!ssl3_handshake_msg_start(s, &cbb, &server_cert, SSL3_MT_CERTIFICATE)) goto err; - if (!ssl3_output_cert_chain(s, &server_cert, x)) + if (!ssl3_output_cert_chain(s, &server_cert, cpk)) goto err; - if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) + if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; S3I(s)->hs.state = SSL3_ST_SW_CERT_B; 
@@ -2620,78 +2489,44 @@ ssl3_send_server_certificate(SSL *s) int ssl3_send_newsession_ticket(SSL *s) { - unsigned char *d, *p, *macstart; - unsigned char *senc = NULL; - const unsigned char *const_p; - int len, slen_full, slen; - SSL_SESSION *sess; + CBB cbb, session_ticket, ticket; + SSL_CTX *tctx = s->initial_ctx; + size_t enc_session_len, enc_session_max_len, hmac_len; + size_t session_len = 0; + unsigned char *enc_session = NULL, *session = NULL; + unsigned char iv[EVP_MAX_IV_LENGTH]; + unsigned char key_name[16]; + unsigned char *hmac; unsigned int hlen; EVP_CIPHER_CTX ctx; HMAC_CTX hctx; - SSL_CTX *tctx = s->initial_ctx; - unsigned char iv[EVP_MAX_IV_LENGTH]; - unsigned char key_name[16]; + int len; + + /* + * New Session Ticket - RFC 5077, section 3.3. + */ + + EVP_CIPHER_CTX_init(&ctx); + HMAC_CTX_init(&hctx); + + memset(&cbb, 0, sizeof(cbb)); if (S3I(s)->hs.state == SSL3_ST_SW_SESSION_TICKET_A) { - /* get session encoding length */ - slen_full = i2d_SSL_SESSION(s->session, NULL); - /* - * Some length values are 16 bits, so forget it if session is - * too long - */ - if (slen_full > 0xFF00) + if (!ssl3_handshake_msg_start(s, &cbb, &session_ticket, + SSL3_MT_NEWSESSION_TICKET)) goto err; - senc = malloc(slen_full); - if (!senc) + + if (!SSL_SESSION_ticket(s->session, &session, &session_len)) + goto err; + if (session_len > 0xffff) goto err; - p = senc; - i2d_SSL_SESSION(s->session, &p); /* - * Create a fresh copy (not shared with other threads) to - * clean up + * Initialize HMAC and cipher contexts. If callback is present + * it does all the work, otherwise use generated values from + * parent context. 
*/ - const_p = senc; - sess = d2i_SSL_SESSION(NULL, &const_p, slen_full); - if (sess == NULL) - goto err; - - /* ID is irrelevant for the ticket */ - sess->session_id_length = 0; - - slen = i2d_SSL_SESSION(sess, NULL); - if (slen > slen_full) { - /* shouldn't ever happen */ - goto err; - } - p = senc; - i2d_SSL_SESSION(sess, &p); - SSL_SESSION_free(sess); - - /* - * Grow buffer if need be: the length calculation is as - * follows 1 (size of message name) + 3 (message length - * bytes) + 4 (ticket lifetime hint) + 2 (ticket length) + - * 16 (key name) + max_iv_len (iv length) + - * session_length + max_enc_block_size (max encrypted session - * length) + max_md_size (HMAC). - */ - if (!BUF_MEM_grow(s->internal->init_buf, ssl3_handshake_msg_hdr_len(s) + - 22 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH + - EVP_MAX_MD_SIZE + slen)) - goto err; - - d = p = ssl3_handshake_msg_start(s, SSL3_MT_NEWSESSION_TICKET); - - EVP_CIPHER_CTX_init(&ctx); - HMAC_CTX_init(&hctx); - - /* - * Initialize HMAC and cipher contexts. If callback present - * it does all the work otherwise use generated values - * from parent ctx. - */ - if (tctx->internal->tlsext_ticket_key_cb) { + if (tctx->internal->tlsext_ticket_key_cb != NULL) { if (tctx->internal->tlsext_ticket_key_cb(s, key_name, iv, &ctx, &hctx, 1) < 0) { EVP_CIPHER_CTX_cleanup(&ctx); 
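Review bot: `if (session_len > 0xffff) goto err;` in ssl3_send_newsession_ticket bounds only the serialised session, but the u16 ticket field written later also carries the 16-byte key name, the IV, up to a block of padding and the HMAC, so this check cannot by itself guarantee the ticket fits; presumably CBB rejects the oversized length-prefixed field when the message is finished, in which case the line is an early exit and a comment saying so, `/* Coarse bound; CBB enforces the exact u16 ticket limit at finish. */`, would keep a reader from trusting it as the real limit. Initialising both contexts and zeroing `cbb` before the state test is what allows the unconditional cleanup at `err:` in the next hunk. The function continues past this hunk.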
@@ -2702,59 +2537,84 @@ ssl3_send_newsession_ticket(SSL *s) EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, tctx->internal->tlsext_tick_aes_key, iv); HMAC_Init_ex(&hctx, tctx->internal->tlsext_tick_hmac_key, - 16, tlsext_tick_md(), NULL); + 16, EVP_sha256(), NULL); memcpy(key_name, tctx->internal->tlsext_tick_key_name, 16); } + /* Encrypt the session state. */ + enc_session_max_len = session_len + EVP_MAX_BLOCK_LENGTH; + if ((enc_session = calloc(1, enc_session_max_len)) == NULL) + goto err; + enc_session_len = 0; + if (!EVP_EncryptUpdate(&ctx, enc_session, &len, session, + session_len)) + goto err; + enc_session_len += len; + if (!EVP_EncryptFinal_ex(&ctx, enc_session + enc_session_len, + &len)) + goto err; + enc_session_len += len; + + if (enc_session_len > enc_session_max_len) + goto err; + + /* Generate the HMAC. */ + if (!HMAC_Update(&hctx, key_name, sizeof(key_name))) + goto err; + if (!HMAC_Update(&hctx, iv, EVP_CIPHER_CTX_iv_length(&ctx))) + goto err; + if (!HMAC_Update(&hctx, enc_session, enc_session_len)) + goto err; + + if ((hmac_len = HMAC_size(&hctx)) <= 0) + goto err; + /* * Ticket lifetime hint (advisory only): * We leave this unspecified for resumed session * (for simplicity), and guess that tickets for new * sessions will live as long as their sessions. */ - l2n(s->internal->hit ? 0 : s->session->timeout, p); + if (!CBB_add_u32(&session_ticket, + s->internal->hit ? 
0 : s->session->timeout)) + goto err; - /* Skip ticket length for now */ - p += 2; - /* Output key name */ - macstart = p; - memcpy(p, key_name, 16); - p += 16; - /* output IV */ - memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx)); - p += EVP_CIPHER_CTX_iv_length(&ctx); - /* Encrypt session data */ - EVP_EncryptUpdate(&ctx, p, &len, senc, slen); - p += len; - EVP_EncryptFinal_ex(&ctx, p, &len); - p += len; - EVP_CIPHER_CTX_cleanup(&ctx); + if (!CBB_add_u16_length_prefixed(&session_ticket, &ticket)) + goto err; + if (!CBB_add_bytes(&ticket, key_name, sizeof(key_name))) + goto err; + if (!CBB_add_bytes(&ticket, iv, EVP_CIPHER_CTX_iv_length(&ctx))) + goto err; + if (!CBB_add_bytes(&ticket, enc_session, enc_session_len)) + goto err; + if (!CBB_add_space(&ticket, &hmac, hmac_len)) + goto err; - HMAC_Update(&hctx, macstart, p - macstart); - HMAC_Final(&hctx, p, &hlen); - HMAC_CTX_cleanup(&hctx); - p += hlen; + if (!HMAC_Final(&hctx, hmac, &hlen)) + goto err; + if (hlen != hmac_len) + goto err; - /* Now write out lengths: p points to end of data written */ - /* Total length */ - len = p - d; - - /* Skip ticket lifetime hint. */ - p = d + 4; - s2n(len - 6, p); /* Message length */ - - ssl3_handshake_msg_finish(s, len); + if (!ssl3_handshake_msg_finish(s, &cbb)) + goto err; S3I(s)->hs.state = SSL3_ST_SW_SESSION_TICKET_B; - - freezero(senc, slen_full); } + EVP_CIPHER_CTX_cleanup(&ctx); + HMAC_CTX_cleanup(&hctx); + freezero(session, session_len); + free(enc_session); + /* SSL3_ST_SW_SESSION_TICKET_B */ return (ssl3_handshake_write(s)); err: - freezero(senc, slen_full); + CBB_cleanup(&cbb); + EVP_CIPHER_CTX_cleanup(&ctx); + HMAC_CTX_cleanup(&hctx); + freezero(session, session_len); + free(enc_session); return (-1); } 
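Review bot: The new code checks every `EVP_EncryptUpdate`, `EVP_EncryptFinal_ex`, `HMAC_Update` and `HMAC_Final` result, but the two calls on the context lines that set the ticket up, `EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), ...)` and `HMAC_Init_ex(&hctx, ..., 16, EVP_sha256(), NULL)`, still go unchecked, so a failed key setup would go unnoticed until a later call happens to fail; wrapping them as `if (!EVP_EncryptInit_ex(...)) goto err;` and `if (!HMAC_Init_ex(...)) goto err;` closes that gap. Replacing `tlsext_tick_md()` with a hard-coded `EVP_sha256()` pairs a 256-bit MAC with a 16-byte HMAC key; that is secure but below the RFC 2104 recommendation of a key at least as long as the digest output, and worth a note since the key size is fixed by the parent context's field rather than by this function. `if ((hmac_len = HMAC_size(&hctx)) <= 0)` compares a `size_t` with `<= 0`, which is simply `== 0`. The `enc_session_len > enc_session_max_len` test runs after the writes, so it documents the CBC sizing assumption rather than preventing an overflow — the `session_len + EVP_MAX_BLOCK_LENGTH` allocation is what actually bounds it.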
@@ -2767,7 +2627,7 @@ ssl3_send_cert_status(SSL *s) memset(&cbb, 0, sizeof(cbb)); if (S3I(s)->hs.state == SSL3_ST_SW_CERT_STATUS_A) { - if (!ssl3_handshake_msg_start_cbb(s, &cbb, &certstatus, + if (!ssl3_handshake_msg_start(s, &cbb, &certstatus, SSL3_MT_CERTIFICATE_STATUS)) goto err; if (!CBB_add_u8(&certstatus, s->tlsext_status_type)) @@ -2775,9 +2635,9 @@ ssl3_send_cert_status(SSL *s) if (!CBB_add_u24_length_prefixed(&certstatus, &ocspresp)) goto err; if (!CBB_add_bytes(&ocspresp, s->internal->tlsext_ocsp_resp, - s->internal->tlsext_ocsp_resplen)) + s->internal->tlsext_ocsp_resp_len)) goto err; - if (!ssl3_handshake_msg_finish_cbb(s, &cbb)) + if (!ssl3_handshake_msg_finish(s, &cbb)) goto err; S3I(s)->hs.state = SSL3_ST_SW_CERT_STATUS_B; diff --git a/ssl/ssl_tlsext.c b/ssl/ssl_tlsext.c index 3735b71..a039d0b 100644 --- a/ssl/ssl_tlsext.c +++ b/ssl/ssl_tlsext.c @@ -1,8 +1,8 @@ -/* $OpenBSD: ssl_tlsext.c,v 1.21 2018/02/08 11:30:30 jsing Exp $ */ +/* $OpenBSD: ssl_tlsext.c,v 1.82 2020/09/09 12:31:23 inoguchi Exp $ */ /* - * Copyright (c) 2016, 2017 Joel Sing + * Copyright (c) 2016, 2017, 2019 Joel Sing * Copyright (c) 2017 Doug Hogan - * Copyright (c) 2017 Bob Beck + * Copyright (c) 2018-2019 Bob Beck * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -16,11 +16,15 @@ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + +#include + #include #include "ssl_locl.h" #include "bytestring.h" +#include "ssl_sigalgs.h" #include "ssl_tlsext.h" /* @@ -28,7 +32,7 @@ */ int -tlsext_alpn_clienthello_needs(SSL *s) +tlsext_alpn_client_needs(SSL *s, uint16_t msg_type) { /* ALPN protos have been specified and this is the initial handshake */ return s->internal->alpn_client_proto_list != NULL && 
@@ -36,7 +40,7 @@ tlsext_alpn_clienthello_needs(SSL *s) } int -tlsext_alpn_clienthello_build(SSL *s, CBB *cbb) +tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB protolist; @@ -54,7 +58,7 @@ tlsext_alpn_clienthello_build(SSL *s, CBB *cbb) } int -tlsext_alpn_clienthello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_alpn_server_parse(SSL *s, uint16_t msg_types, CBS *cbs, int *alert) { CBS proto_name_list, alpn; const unsigned char *selected; @@ -87,6 +91,7 @@ tlsext_alpn_clienthello_parse(SSL *s, CBS *cbs, int *alert) if (r == SSL_TLSEXT_ERR_OK) { free(S3I(s)->alpn_selected); if ((S3I(s)->alpn_selected = malloc(selected_len)) == NULL) { + S3I(s)->alpn_selected_len = 0; *alert = SSL_AD_INTERNAL_ERROR; return 0; } @@ -102,13 +107,13 @@ tlsext_alpn_clienthello_parse(SSL *s, CBS *cbs, int *alert) } int -tlsext_alpn_serverhello_needs(SSL *s) +tlsext_alpn_server_needs(SSL *s, uint16_t msg_type) { return S3I(s)->alpn_selected != NULL; } int -tlsext_alpn_serverhello_build(SSL *s, CBB *cbb) +tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB list, selected; @@ -129,7 +134,7 @@ tlsext_alpn_serverhello_build(SSL *s, CBB *cbb) } int -tlsext_alpn_serverhello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS list, proto; 
@@ -163,34 +168,34 @@ tlsext_alpn_serverhello_parse(SSL *s, CBS *cbs, int *alert) } /* - * Supported Elliptic Curves - RFC 4492 section 5.1.1 + * Supported Groups - RFC 7919 section 2 */ int -tlsext_ec_clienthello_needs(SSL *s) +tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type) { - return ssl_has_ecc_ciphers(s); + return ssl_has_ecc_ciphers(s) || + (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); } int -tlsext_ec_clienthello_build(SSL *s, CBB *cbb) +tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { - CBB curvelist; - size_t curves_len; + const uint16_t *groups; + size_t groups_len; + CBB grouplist; int i; - const uint16_t *curves; - tls1_get_curvelist(s, 0, &curves, &curves_len); - - if (curves_len == 0) { + tls1_get_group_list(s, 0, &groups, &groups_len); + if (groups_len == 0) { SSLerror(s, ERR_R_INTERNAL_ERROR); return 0; } - if (!CBB_add_u16_length_prefixed(cbb, &curvelist)) + if (!CBB_add_u16_length_prefixed(cbb, &grouplist)) return 0; - for (i = 0; i < curves_len; i++) { - if (!CBB_add_u16(&curvelist, curves[i])) + for (i = 0; i < groups_len; i++) { + if (!CBB_add_u16(&grouplist, groups[i])) return 0; } 
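Review bot: The loop counter in tlsext_supportedgroups_client_build is still `int i` while it is compared against `size_t groups_len`, so the rewritten loop keeps a signed/unsigned comparison that -Wsign-compare reports; `size_t i;` matches the length type. The same mismatch is in tlsext_supportedgroups_server_parse in the next hunk, where `int i` is compared with `groups_len` and indexes `tlsext_supportedgroups[i]`. In the parser groups_len is derived from a u16 length prefix so the value range is small, but the types should still agree.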
@@ -201,48 +206,76 @@ tlsext_ec_clienthello_build(SSL *s, CBB *cbb) } int -tlsext_ec_clienthello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert) { - CBS curvelist; - size_t curves_len; + CBS grouplist; + size_t groups_len; - if (!CBS_get_u16_length_prefixed(cbs, &curvelist)) + if (!CBS_get_u16_length_prefixed(cbs, &grouplist)) goto err; if (CBS_len(cbs) != 0) goto err; - curves_len = CBS_len(&curvelist); - if (curves_len == 0 || curves_len % 2 != 0) + groups_len = CBS_len(&grouplist); + if (groups_len == 0 || groups_len % 2 != 0) goto err; - curves_len /= 2; + groups_len /= 2; if (!s->internal->hit) { + uint16_t *groups; int i; - uint16_t *curves; + + if (S3I(s)->hs_tls13.hrr) { + if (SSI(s)->tlsext_supportedgroups == NULL) { + *alert = SSL_AD_HANDSHAKE_FAILURE; + return 0; + } + /* + * In the case of TLSv1.3 the client cannot change + * the supported groups. + */ + if (groups_len != SSI(s)->tlsext_supportedgroups_length) { + *alert = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + for (i = 0; i < groups_len; i++) { + uint16_t group; + + if (!CBS_get_u16(&grouplist, &group)) + goto err; + if (SSI(s)->tlsext_supportedgroups[i] != group) { + *alert = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + } + + return 1; + } if (SSI(s)->tlsext_supportedgroups != NULL) goto err; - if ((curves = reallocarray(NULL, curves_len, + if ((groups = reallocarray(NULL, groups_len, sizeof(uint16_t))) == NULL) { *alert = TLS1_AD_INTERNAL_ERROR; return 0; } - for (i = 0; i < curves_len; i++) { - if (!CBS_get_u16(&curvelist, &curves[i])) { - free(curves); + for (i = 0; i < groups_len; i++) { + if (!CBS_get_u16(&grouplist, &groups[i])) { + free(groups); goto err; } } - if (CBS_len(&curvelist) != 0) { - free(curves); + if (CBS_len(&grouplist) != 0) { + free(groups); goto err; } - SSI(s)->tlsext_supportedgroups = curves; - SSI(s)->tlsext_supportedgroups_length = curves_len; + SSI(s)->tlsext_supportedgroups = groups; + 
SSI(s)->tlsext_supportedgroups_length = groups_len; } return 1; @@ -254,19 +287,20 @@ tlsext_ec_clienthello_parse(SSL *s, CBS *cbs, int *alert) /* This extension is never used by the server. */ int -tlsext_ec_serverhello_needs(SSL *s) +tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type) { return 0; } int -tlsext_ec_serverhello_build(SSL *s, CBB *cbb) +tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { return 0; } int -tlsext_ec_serverhello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert) { /* * Servers should not send this extension per the RFC. @@ -290,7 +324,7 @@ tlsext_ec_serverhello_parse(SSL *s, CBS *cbs, int *alert) * Supported Point Formats Extension - RFC 4492 section 5.1.2 */ static int -tlsext_ecpf_build(SSL *s, CBB *cbb) +tlsext_ecpf_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB ecpf; size_t formats_len; @@ -314,7 +348,7 @@ tlsext_ecpf_build(SSL *s, CBB *cbb) } static int -tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert) +tlsext_ecpf_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS ecpf; 
@@ -333,37 +367,39 @@ tlsext_ecpf_parse(SSL *s, CBS *cbs, int *alert) if (!s->internal->hit) { if (!CBS_stow(&ecpf, &(SSI(s)->tlsext_ecpointformatlist), - &(SSI(s)->tlsext_ecpointformatlist_length))) - goto err; + &(SSI(s)->tlsext_ecpointformatlist_length))) { + *alert = TLS1_AD_INTERNAL_ERROR; + return 0; + } } return 1; err: - *alert = TLS1_AD_INTERNAL_ERROR; + *alert = SSL_AD_DECODE_ERROR; return 0; } int -tlsext_ecpf_clienthello_needs(SSL *s) +tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type) { return ssl_has_ecc_ciphers(s); } int -tlsext_ecpf_clienthello_build(SSL *s, CBB *cbb) +tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { - return tlsext_ecpf_build(s, cbb); + return tlsext_ecpf_build(s, msg_type, cbb); } int -tlsext_ecpf_clienthello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - return tlsext_ecpf_parse(s, cbs, alert); + return tlsext_ecpf_parse(s, msg_type, cbs, alert); } int -tlsext_ecpf_serverhello_needs(SSL *s) +tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type) { if (s->version == DTLS1_VERSION) return 0; @@ -372,28 +408,28 @@ tlsext_ecpf_serverhello_needs(SSL *s) } int -tlsext_ecpf_serverhello_build(SSL *s, CBB *cbb) +tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { - return tlsext_ecpf_build(s, cbb); + return tlsext_ecpf_build(s, msg_type, cbb); } int -tlsext_ecpf_serverhello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - return tlsext_ecpf_parse(s, cbs, alert); + return tlsext_ecpf_parse(s, msg_type, cbs, alert); } /* * Renegotiation Indication - RFC 5746. */ int -tlsext_ri_clienthello_needs(SSL *s) +tlsext_ri_client_needs(SSL *s, uint16_t msg_type) { return (s->internal->renegotiate); } int -tlsext_ri_clienthello_build(SSL *s, CBB *cbb) +tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB reneg; 
@@ -409,7 +445,7 @@ tlsext_ri_clienthello_build(SSL *s, CBB *cbb) } int -tlsext_ri_clienthello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS reneg; @@ -437,13 +473,13 @@ tlsext_ri_clienthello_parse(SSL *s, CBS *cbs, int *alert) } int -tlsext_ri_serverhello_needs(SSL *s) +tlsext_ri_server_needs(SSL *s, uint16_t msg_type) { - return (S3I(s)->send_connection_binding); + return (s->version < TLS1_3_VERSION && S3I(s)->send_connection_binding); } int -tlsext_ri_serverhello_build(SSL *s, CBB *cbb) +tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB reneg; @@ -462,7 +498,7 @@ tlsext_ri_serverhello_build(SSL *s, CBB *cbb) } int -tlsext_ri_serverhello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS reneg, prev_client, prev_server; @@ -519,24 +555,30 @@ tlsext_ri_serverhello_parse(SSL *s, CBS *cbs, int *alert) * Signature Algorithms - RFC 5246 section 7.4.1.4.1. */ int -tlsext_sigalgs_clienthello_needs(SSL *s) +tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type) { return (TLS1_get_client_version(s) >= TLS1_2_VERSION); } int -tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb) +tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { - unsigned char *sigalgs_data; - size_t sigalgs_len; + uint16_t *tls_sigalgs = tls12_sigalgs; + size_t tls_sigalgs_len = tls12_sigalgs_len; CBB sigalgs; - tls12_get_req_sig_algs(s, &sigalgs_data, &sigalgs_len); + if (TLS1_get_client_version(s) >= TLS1_3_VERSION && + S3I(s)->hs_tls13.min_version >= TLS1_3_VERSION) { + tls_sigalgs = tls13_sigalgs; + tls_sigalgs_len = tls13_sigalgs_len; + } if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) return 0; - if (!CBB_add_bytes(&sigalgs, sigalgs_data, sigalgs_len)) + + if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) return 0; + if (!CBB_flush(cbb)) return 0; 
@@ -544,46 +586,79 @@ tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb) } int -tlsext_sigalgs_clienthello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS sigalgs; if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) return 0; + if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) + return 0; + if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) + return 0; - return tls1_process_sigalgs(s, &sigalgs); + return 1; } int -tlsext_sigalgs_serverhello_needs(SSL *s) +tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type) { - return 0; + return (s->version >= TLS1_3_VERSION); } int -tlsext_sigalgs_serverhello_build(SSL *s, CBB *cbb) +tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { - return 0; + uint16_t *tls_sigalgs = tls12_sigalgs; + size_t tls_sigalgs_len = tls12_sigalgs_len; + CBB sigalgs; + + if (s->version >= TLS1_3_VERSION) { + tls_sigalgs = tls13_sigalgs; + tls_sigalgs_len = tls13_sigalgs_len; + } + + if (!CBB_add_u16_length_prefixed(cbb, &sigalgs)) + return 0; + + if (!ssl_sigalgs_build(&sigalgs, tls_sigalgs, tls_sigalgs_len)) + return 0; + + if (!CBB_flush(cbb)) + return 0; + + return 1; } int -tlsext_sigalgs_serverhello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - /* As per the RFC, servers must not send this extension. */ - return 0; + CBS sigalgs; + + if (s->version < TLS1_3_VERSION) + return 0; + + if (!CBS_get_u16_length_prefixed(cbs, &sigalgs)) + return 0; + if (CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) + return 0; + if (!CBS_stow(&sigalgs, &S3I(s)->hs.sigalgs, &S3I(s)->hs.sigalgs_len)) + return 0; + + return 1; } /* * Server Name Indication - RFC 6066, section 3. 
*/ int -tlsext_sni_clienthello_needs(SSL *s) +tlsext_sni_client_needs(SSL *s, uint16_t msg_type) { return (s->tlsext_hostname != NULL); } int -tlsext_sni_clienthello_build(SSL *s, CBB *cbb) +tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB server_name_list, host_name; @@ -602,8 +677,57 @@ tlsext_sni_clienthello_build(SSL *s, CBB *cbb) return 1; } +/* + * Validate that the CBS contains only a hostname consisting of RFC 5890 + * compliant A-labels (see RFC 6066 section 3). Not a complete check + * since we don't parse punycode to verify its validity but limits to + * correct structure and character set. + */ int -tlsext_sni_clienthello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_sni_is_valid_hostname(CBS *cbs) +{ + uint8_t prev, c = 0; + int component = 0; + CBS hostname; + + CBS_dup(cbs, &hostname); + + if (CBS_len(&hostname) > TLSEXT_MAXLEN_host_name) + return 0; + + while(CBS_len(&hostname) > 0) { + prev = c; + if (!CBS_get_u8(&hostname, &c)) + return 0; + /* Everything has to be ASCII, with no NUL byte. */ + if (!isascii(c) || c == '\0') + return 0; + /* It must be alphanumeric, a '-', or a '.' */ + if (!isalnum(c) && c != '-' && c != '.') + return 0; + /* '-' and '.' must not start a component or be at the end. */ + if (component == 0 || CBS_len(&hostname) == 0) { + if (c == '-' || c == '.') + return 0; + } + if (c == '.') { + /* Components can not end with a dash. */ + if (prev == '-') + return 0; + /* Start new component */ + component = 0; + continue; + } + /* Components must be 63 chars or less. */ + if (++component > 63) + return 0; + } + + return 1; +} + +int +tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { CBS server_name_list, host_name; uint8_t name_type; 
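Review bot: tlsext_sigalgs_server_parse accepts an empty signature_algorithms list: after `CBS_get_u16_length_prefixed` the only checks are `% 2 != 0` and `> 64`, so a zero-length list passes and CBS_stow leaves hs.sigalgs NULL with hs.sigalgs_len 0, whereas RFC 5246 7.4.1.4.1 and RFC 8446 4.2.3 define the list as non-empty; the same applies to tlsext_sigalgs_client_parse later in this hunk. Neither parser checks that nothing follows the list, so trailing bytes in the extension body are ignored unless tlsext_parse, which is not in this chunk, rejects leftover data. A guard for both parsers would be `if (CBS_len(&sigalgs) == 0 || CBS_len(&sigalgs) % 2 != 0 || CBS_len(&sigalgs) > 64) return 0;` followed by `if (CBS_len(cbs) != 0) return 0;`. The `> 64` cap is an undocumented constant; a comment such as `/* Cap at 32 sigalgs; a longer list is treated as malformed. */` would explain it.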
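Review bot: tlsext_sni_is_valid_hostname accepts a dotted-decimal IPv4 literal (a constructed example: `192.0.2.1`), since every character is alphanumeric or '.', yet RFC 6066 section 3 states that literal IPv4 and IPv6 addresses are not permitted in HostName and the header comment presents the check as A-label validation. Either reject names whose final component is all digits, or record the gap in the header comment, e.g. `/* Note: dotted-decimal IPv4 literals pass this check although RFC 6066 forbids them. */`. The ctype calls are only reached after `isascii(c)` succeeds, so the uint8_t argument is always in range; that ordering is deliberate and worth a comment, because `isalnum` on a non-ASCII byte would be locale-dependent. The function is non-static, so it presumably has a prototype in ssl_tlsext.h, which is not in this chunk.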
@@ -611,69 +735,86 @@ tlsext_sni_clienthello_parse(SSL *s, CBS *cbs, int *alert) if (!CBS_get_u16_length_prefixed(cbs, &server_name_list)) goto err; - /* - * RFC 6066 section 3 forbids multiple host names with the same type. - * Additionally, only one type (host_name) is specified. - */ if (!CBS_get_u8(&server_name_list, &name_type)) goto err; - if (name_type != TLSEXT_NAMETYPE_host_name) + /* + * RFC 6066 section 3, only one type (host_name) is specified. + * We do not tolerate unknown types, neither does BoringSSL. + * other implementations appear more tolerant. + */ + if (name_type != TLSEXT_NAMETYPE_host_name) { + *alert = SSL3_AD_ILLEGAL_PARAMETER; goto err; + } + if (!CBS_get_u16_length_prefixed(&server_name_list, &host_name)) goto err; - if (CBS_len(&host_name) == 0 || - CBS_len(&host_name) > TLSEXT_MAXLEN_host_name || - CBS_contains_zero_byte(&host_name)) { - *alert = TLS1_AD_UNRECOGNIZED_NAME; - return 0; + /* + * RFC 6066 section 3 specifies a host name must be at least 1 byte + * so 0 length is a decode error. + */ + if (CBS_len(&host_name) < 1) + goto err; + + if (!tlsext_sni_is_valid_hostname(&host_name)) { + *alert = SSL3_AD_ILLEGAL_PARAMETER; + goto err; } - if (s->internal->hit) { + if (s->internal->hit || S3I(s)->hs_tls13.hrr) { if (s->session->tlsext_hostname == NULL) { *alert = TLS1_AD_UNRECOGNIZED_NAME; - return 0; + goto err; } if (!CBS_mem_equal(&host_name, s->session->tlsext_hostname, strlen(s->session->tlsext_hostname))) { *alert = TLS1_AD_UNRECOGNIZED_NAME; - return 0; + goto err; } } else { if (s->session->tlsext_hostname != NULL) goto err; if (!CBS_strdup(&host_name, &s->session->tlsext_hostname)) { *alert = TLS1_AD_INTERNAL_ERROR; - return 0; + goto err; } } - if (CBS_len(&server_name_list) != 0) + /* + * RFC 6066 section 3 forbids multiple host names with the same type, + * therefore we allow only one entry. 
+ */ + if (CBS_len(&server_name_list) != 0) { + *alert = SSL3_AD_ILLEGAL_PARAMETER; goto err; + } if (CBS_len(cbs) != 0) goto err; return 1; err: - *alert = SSL_AD_DECODE_ERROR; return 0; } int -tlsext_sni_serverhello_needs(SSL *s) +tlsext_sni_server_needs(SSL *s, uint16_t msg_type) { + if (s->internal->hit) + return 0; + return (s->session->tlsext_hostname != NULL); } int -tlsext_sni_serverhello_build(SSL *s, CBB *cbb) +tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { return 1; } int -tlsext_sni_serverhello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { if (s->tlsext_hostname == NULL || CBS_len(cbs) != 0) { *alert = TLS1_AD_UNRECOGNIZED_NAME; @@ -711,14 +852,18 @@ tlsext_sni_serverhello_parse(SSL *s, CBS *cbs, int *alert) */ int -tlsext_ocsp_clienthello_needs(SSL *s) +tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type) { - return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && - s->version != DTLS1_VERSION); + if (SSL_IS_DTLS(s)) + return 0; + if (msg_type != SSL_TLSEXT_MSG_CH) + return 0; + + return (s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp); } int -tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb) +tlsext_ocsp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB respid_list, respid, exts; unsigned char *ext_data; @@ -762,14 +907,17 @@ tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb) } int -tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - int failure = SSL_AD_DECODE_ERROR; + int alert_desc = SSL_AD_DECODE_ERROR; CBS respid_list, respid, exts; const unsigned char *p; uint8_t status_type; int ret = 0; + if (msg_type != SSL_TLSEXT_MSG_CH) + goto err; + if (!CBS_get_u8(cbs, &status_type)) goto err; if (status_type != TLSEXT_STATUSTYPE_ocsp) { 
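Review bot: The `err:` label in tlsext_sni_server_parse no longer sets `*alert`, and several `goto err` sites (the two length-prefix reads, `CBS_len(&host_name) < 1`, the `tlsext_hostname != NULL` check in the non-resumed branch, and `CBS_len(cbs) != 0`) reach it without assigning one, so the alert sent now depends on the caller having initialised `*alert`; presumably tlsext_parse does that, but it is not in this diff. A one-line comment at the label stating the contract would keep a future caller from sending an uninitialised alert, e.g. `/* Callers preset *alert to SSL_AD_DECODE_ERROR; only the specific cases above override it. */`. The function's opening lines are in the preceding hunk.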
@@ -792,7 +940,7 @@ tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert) if (CBS_len(&respid_list) > 0) { s->internal->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null(); if (s->internal->tlsext_ocsp_ids == NULL) { - failure = SSL_AD_INTERNAL_ERROR; + alert_desc = SSL_AD_INTERNAL_ERROR; goto err; } } @@ -806,7 +954,7 @@ tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert) if ((id = d2i_OCSP_RESPID(NULL, &p, CBS_len(&respid))) == NULL) goto err; if (!sk_OCSP_RESPID_push(s->internal->tlsext_ocsp_ids, id)) { - failure = SSL_AD_INTERNAL_ERROR; + alert_desc = SSL_AD_INTERNAL_ERROR; OCSP_RESPID_free(id); goto err; } 
@@ -831,31 +979,93 @@ tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert) ret = 1; err: if (ret == 0) - *alert = failure; + *alert = alert_desc; return ret; } int -tlsext_ocsp_serverhello_needs(SSL *s) +tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type) { + if (s->version >= TLS1_3_VERSION && + s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp && + s->ctx->internal->tlsext_status_cb != NULL) { + s->internal->tlsext_status_expected = 0; + if (s->ctx->internal->tlsext_status_cb(s, + s->ctx->internal->tlsext_status_arg) == SSL_TLSEXT_ERR_OK && + s->internal->tlsext_ocsp_resp_len > 0) + s->internal->tlsext_status_expected = 1; + } return s->internal->tlsext_status_expected; } int -tlsext_ocsp_serverhello_build(SSL *s, CBB *cbb) +tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { + CBB ocsp_response; + + if (s->version >= TLS1_3_VERSION) { + if (!CBB_add_u8(cbb, TLSEXT_STATUSTYPE_ocsp)) + return 0; + if (!CBB_add_u24_length_prefixed(cbb, &ocsp_response)) + return 0; + if (!CBB_add_bytes(&ocsp_response, + s->internal->tlsext_ocsp_resp, + s->internal->tlsext_ocsp_resp_len)) + return 0; + if (!CBB_flush(cbb)) + return 0; + } return 1; } int -tlsext_ocsp_serverhello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - if (s->tlsext_status_type == -1) { - *alert = TLS1_AD_UNSUPPORTED_EXTENSION; - return 0; + CBS response; + uint16_t version = TLS1_get_client_version(s); + uint8_t status_type; + + if (version >= TLS1_3_VERSION) { + if (msg_type == SSL_TLSEXT_MSG_CR) { + /* + * RFC 8446, 4.4.2.1 - the server may request an OCSP + * response with an empty status_request. 
+ */ + if (CBS_len(cbs) == 0) + return 1; + + SSLerror(s, SSL_R_LENGTH_MISMATCH); + return 0; + } + if (!CBS_get_u8(cbs, &status_type)) { + SSLerror(s, SSL_R_LENGTH_MISMATCH); + return 0; + } + if (status_type != TLSEXT_STATUSTYPE_ocsp) { + SSLerror(s, SSL_R_UNSUPPORTED_STATUS_TYPE); + return 0; + } + if (!CBS_get_u24_length_prefixed(cbs, &response)) { + SSLerror(s, SSL_R_LENGTH_MISMATCH); + return 0; + } + if (CBS_len(&response) > 65536) { + SSLerror(s, SSL_R_DATA_LENGTH_TOO_LONG); + return 0; + } + if (!CBS_stow(&response, &s->internal->tlsext_ocsp_resp, + &s->internal->tlsext_ocsp_resp_len)) { + *alert = SSL_AD_INTERNAL_ERROR; + return 0; + } + } else { + if (s->tlsext_status_type == -1) { + *alert = TLS1_AD_UNSUPPORTED_EXTENSION; + return 0; + } + /* Set flag to expect CertificateStatus message */ + s->internal->tlsext_status_expected = 1; } - /* Set flag to expect CertificateStatus message */ - s->internal->tlsext_status_expected = 1; return 1; } @@ -863,7 +1073,7 @@ tlsext_ocsp_serverhello_parse(SSL *s, CBS *cbs, int *alert) * SessionTicket extension - RFC 5077 section 3.2 */ int -tlsext_sessionticket_clienthello_needs(SSL *s) +tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type) { /* * Send session ticket extension when enabled and not overridden. @@ -884,7 +1094,7 @@ tlsext_sessionticket_clienthello_needs(SSL *s) } int -tlsext_sessionticket_clienthello_build(SSL *s, CBB *cbb) +tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { /* * Signal that we support session tickets by sending an empty @@ -927,7 +1137,8 @@ tlsext_sessionticket_clienthello_build(SSL *s, CBB *cbb) } int -tlsext_sessionticket_clienthello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert) { if (s->internal->tls_session_ticket_ext_cb) { if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), 
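Review bot: In the TLSv1.3 branch of tlsext_ocsp_client_parse nothing checks that the extension body is exhausted after `CBS_get_u24_length_prefixed(cbs, &response)`, so bytes following the OCSPResponse are accepted unless the caller rejects leftover data (tlsext_parse is not in this chunk). Adding `if (CBS_len(cbs) != 0) { SSLerror(s, SSL_R_LENGTH_MISMATCH); return 0; }` after that read keeps the parser as strict as the other parsers in this file. Separately, tlsext_ocsp_server_needs now invokes the application's status callback and rewrites tlsext_status_expected from inside a `needs` predicate; a comment should say so, e.g. `/* TLSv1.3: the status callback runs here, on each needs() evaluation, to decide whether a response is available. */`, since a reader expects needs() to be side-effect free. The error returns in the TLSv1.3 branch raise an SSLerror but leave `*alert` unset, so they rely on the caller's default alert.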
@@ -948,22 +1159,22 @@ tlsext_sessionticket_clienthello_parse(SSL *s, CBS *cbs, int *alert) } int -tlsext_sessionticket_serverhello_needs(SSL *s) +tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type) { return (s->internal->tlsext_ticket_expected && !(SSL_get_options(s) & SSL_OP_NO_TICKET)); } int -tlsext_sessionticket_serverhello_build(SSL *s, CBB *cbb) +tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { /* Empty ticket */ - return 1; } int -tlsext_sessionticket_serverhello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert) { if (s->internal->tls_session_ticket_ext_cb) { if (!s->internal->tls_session_ticket_ext_cb(s, CBS_data(cbs), @@ -991,13 +1202,13 @@ tlsext_sessionticket_serverhello_parse(SSL *s, CBS *cbs, int *alert) #ifndef OPENSSL_NO_SRTP int -tlsext_srtp_clienthello_needs(SSL *s) +tlsext_srtp_client_needs(SSL *s, uint16_t msg_type) { return SSL_IS_DTLS(s) && SSL_get_srtp_profiles(s) != NULL; } int -tlsext_srtp_clienthello_build(SSL *s, CBB *cbb) +tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { CBB profiles, mki; int ct, i; @@ -1034,7 +1245,7 @@ tlsext_srtp_clienthello_build(SSL *s, CBB *cbb) } int -tlsext_srtp_clienthello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { SRTP_PROTECTION_PROFILE *cprof, *sprof; STACK_OF(SRTP_PROTECTION_PROFILE) *clnt = NULL, *srvr; @@ -1114,13 +1325,13 @@ tlsext_srtp_clienthello_parse(SSL *s, CBS *cbs, int *alert) } int -tlsext_srtp_serverhello_needs(SSL *s) +tlsext_srtp_server_needs(SSL *s, uint16_t msg_type) { return SSL_IS_DTLS(s) && SSL_get_selected_srtp_profile(s) != NULL; } int -tlsext_srtp_serverhello_build(SSL *s, CBB *cbb) +tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { SRTP_PROTECTION_PROFILE *profile; CBB srtp, mki; 
@@ -1144,7 +1355,7 @@ tlsext_srtp_serverhello_build(SSL *s, CBB *cbb) } int -tlsext_srtp_serverhello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { STACK_OF(SRTP_PROTECTION_PROFILE) *clnt; SRTP_PROTECTION_PROFILE *prof; 
@@ -1194,98 +1405,589 @@ tlsext_srtp_serverhello_parse(SSL *s, CBS *cbs, int *alert) #endif /* OPENSSL_NO_SRTP */ +/* + * TLSv1.3 Key Share - RFC 8446 section 4.2.8. + */ +int +tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type) +{ + /* XXX once this gets initialized when we get tls13_client.c */ + if (S3I(s)->hs_tls13.max_version == 0) + return 0; + return (!SSL_IS_DTLS(s) && S3I(s)->hs_tls13.max_version >= + TLS1_3_VERSION); +} + +int +tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb) +{ + CBB client_shares; + + if (!CBB_add_u16_length_prefixed(cbb, &client_shares)) + return 0; + + if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, + &client_shares)) + return 0; + + if (!CBB_flush(cbb)) + return 0; + + return 1; +} + +int +tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) +{ + CBS client_shares, key_exchange; + uint16_t group; + + if (!CBS_get_u16_length_prefixed(cbs, &client_shares)) + goto err; + + while (CBS_len(&client_shares) > 0) { + + /* Unpack client share. */ + if (!CBS_get_u16(&client_shares, &group)) + goto err; + if (!CBS_get_u16_length_prefixed(&client_shares, &key_exchange)) + return 0; + + /* + * XXX - check key exchange against supported groups from client. + * XXX - check that groups only appear once. + */ + + /* + * Ignore this client share if we're using earlier than TLSv1.3 + * or we've already selected a key share. + */ + if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) + continue; + if (S3I(s)->hs_tls13.key_share != NULL) + continue; + + /* XXX - consider implementing server preference. */ + if (!tls1_check_curve(s, group)) + continue; + + /* Decode and store the selected key share. 
*/ + S3I(s)->hs_tls13.key_share = tls13_key_share_new(group); + if (S3I(s)->hs_tls13.key_share == NULL) + goto err; + if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, + group, &key_exchange)) + goto err; + } + + return 1; + + err: + *alert = SSL_AD_DECODE_ERROR; + return 0; +} + +int +tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type) +{ + if (SSL_IS_DTLS(s) || s->version < TLS1_3_VERSION) + return 0; + + return tlsext_extension_seen(s, TLSEXT_TYPE_key_share); +} + +int +tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb) +{ + /* In the case of a HRR, we only send the server selected group. */ + if (S3I(s)->hs_tls13.hrr) { + if (S3I(s)->hs_tls13.server_group == 0) + return 0; + return CBB_add_u16(cbb, S3I(s)->hs_tls13.server_group); + } + + if (S3I(s)->hs_tls13.key_share == NULL) + return 0; + + if (!tls13_key_share_public(S3I(s)->hs_tls13.key_share, cbb)) + return 0; + + return 1; +} + +int +tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) +{ + CBS key_exchange; + uint16_t group; + + /* Unpack server share. */ + if (!CBS_get_u16(cbs, &group)) + goto err; + + if (CBS_len(cbs) == 0) { + /* HRR does not include an actual key share. */ + /* XXX - we should know that we are in a HRR... */ + S3I(s)->hs_tls13.server_group = group; + return 1; + } + + if (!CBS_get_u16_length_prefixed(cbs, &key_exchange)) + return 0; + + if (S3I(s)->hs_tls13.key_share == NULL) + return 0; + + if (!tls13_key_share_peer_public(S3I(s)->hs_tls13.key_share, + group, &key_exchange)) + goto err; + + return 1; + + err: + *alert = SSL_AD_DECODE_ERROR; + return 0; +} + +/* + * Supported Versions - RFC 8446 section 4.2.1. 
+ */ +int +tlsext_versions_client_needs(SSL *s, uint16_t msg_type) +{ + if (SSL_IS_DTLS(s)) + return 0; + return (S3I(s)->hs_tls13.max_version >= TLS1_3_VERSION); +} + +int +tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb) +{ + uint16_t max, min; + uint16_t version; + CBB versions; + + max = S3I(s)->hs_tls13.max_version; + min = S3I(s)->hs_tls13.min_version; + + if (min < TLS1_VERSION) + return 0; + + if (!CBB_add_u8_length_prefixed(cbb, &versions)) + return 0; + + /* XXX - fix, but contiguous for now... */ + for (version = max; version >= min; version--) { + if (!CBB_add_u16(&versions, version)) + return 0; + } + + if (!CBB_flush(cbb)) + return 0; + + return 1; +} + +int +tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) +{ + CBS versions; + uint16_t version; + uint16_t max, min; + uint16_t matched_version = 0; + + max = S3I(s)->hs_tls13.max_version; + min = S3I(s)->hs_tls13.min_version; + + if (!CBS_get_u8_length_prefixed(cbs, &versions)) + goto err; + + while (CBS_len(&versions) > 0) { + if (!CBS_get_u16(&versions, &version)) + goto err; + /* + * XXX What is below implements client preference, and + * ignores any server preference entirely. + */ + if (matched_version == 0 && version >= min && version <= max) + matched_version = version; + } + + /* + * XXX if we haven't matched a version we should + * fail - but we currently need to succeed to + * ignore this before the server code for 1.3 + * is set up and initialized. 
+ */ + if (max == 0) + return 1; /* XXX */ + + if (matched_version != 0) { + s->version = matched_version; + return 1; + } + + *alert = SSL_AD_PROTOCOL_VERSION; + return 0; + + err: + *alert = SSL_AD_DECODE_ERROR; + return 0; +} + +int +tlsext_versions_server_needs(SSL *s, uint16_t msg_type) +{ + return (!SSL_IS_DTLS(s) && s->version >= TLS1_3_VERSION); +} + +int +tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb) +{ + if (!CBB_add_u16(cbb, TLS1_3_VERSION)) + return 0; + /* XXX set 1.2 in legacy version? */ + + return 1; +} + +int +tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) +{ + uint16_t selected_version; + + if (!CBS_get_u16(cbs, &selected_version)) { + *alert = SSL_AD_DECODE_ERROR; + return 0; + } + + if (selected_version < TLS1_3_VERSION) { + *alert = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + + /* XXX test between min and max once initialization code goes in */ + S3I(s)->hs_tls13.server_version = selected_version; + + return 1; +} + + +/* + * Cookie - RFC 8446 section 4.2.2. 
+ */ + +int +tlsext_cookie_client_needs(SSL *s, uint16_t msg_type) +{ + if (SSL_IS_DTLS(s)) + return 0; + if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) + return 0; + return (S3I(s)->hs_tls13.cookie_len > 0 && + S3I(s)->hs_tls13.cookie != NULL); +} + +int +tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb) +{ + CBB cookie; + + if (!CBB_add_u16_length_prefixed(cbb, &cookie)) + return 0; + + if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, + S3I(s)->hs_tls13.cookie_len)) + return 0; + + if (!CBB_flush(cbb)) + return 0; + + return 1; +} + +int +tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) +{ + CBS cookie; + + if (!CBS_get_u16_length_prefixed(cbs, &cookie)) + goto err; + + if (CBS_len(&cookie) != S3I(s)->hs_tls13.cookie_len) + goto err; + + /* + * Check provided cookie value against what server previously + * sent - client *MUST* send the same cookie with new CR after + * a cookie is sent by the server with an HRR. + */ + if (!CBS_mem_equal(&cookie, S3I(s)->hs_tls13.cookie, + S3I(s)->hs_tls13.cookie_len)) { + /* XXX special cookie mismatch alert? */ + *alert = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + + return 1; + + err: + *alert = SSL_AD_DECODE_ERROR; + return 0; +} + +int +tlsext_cookie_server_needs(SSL *s, uint16_t msg_type) +{ + + if (SSL_IS_DTLS(s)) + return 0; + if (S3I(s)->hs_tls13.max_version < TLS1_3_VERSION) + return 0; + /* + * Server needs to set cookie value in tls13 handshake + * in order to send one, should only be sent with HRR. 
+ */ + return (S3I(s)->hs_tls13.cookie_len > 0 && + S3I(s)->hs_tls13.cookie != NULL); +} + +int +tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB *cbb) +{ + CBB cookie; + + /* XXX deduplicate with client code */ + + if (!CBB_add_u16_length_prefixed(cbb, &cookie)) + return 0; + + if (!CBB_add_bytes(&cookie, S3I(s)->hs_tls13.cookie, + S3I(s)->hs_tls13.cookie_len)) + return 0; + + if (!CBB_flush(cbb)) + return 0; + + return 1; +} + +int +tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) +{ + CBS cookie; + + /* + * XXX This currently assumes we will not get a second + * HRR from a server with a cookie to process after accepting + * one from the server in the same handshake + */ + if (S3I(s)->hs_tls13.cookie != NULL || + S3I(s)->hs_tls13.cookie_len != 0) { + *alert = SSL_AD_ILLEGAL_PARAMETER; + return 0; + } + + if (!CBS_get_u16_length_prefixed(cbs, &cookie)) + goto err; + + if (!CBS_stow(&cookie, &S3I(s)->hs_tls13.cookie, + &S3I(s)->hs_tls13.cookie_len)) + goto err; + + return 1; + + err: + *alert = SSL_AD_DECODE_ERROR; + return 0; +} + +struct tls_extension_funcs { + int (*needs)(SSL *s, uint16_t msg_type); + int (*build)(SSL *s, uint16_t msg_type, CBB *cbb); + int (*parse)(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +}; + struct tls_extension { uint16_t type; - int (*clienthello_needs)(SSL *s); - int (*clienthello_build)(SSL *s, CBB *cbb); - int (*clienthello_parse)(SSL *s, CBS *cbs, int *alert); - int (*serverhello_needs)(SSL *s); - int (*serverhello_build)(SSL *s, CBB *cbb); - int (*serverhello_parse)(SSL *s, CBS *cbs, int *alert); + uint16_t messages; + struct tls_extension_funcs client; + struct tls_extension_funcs server; }; static struct tls_extension tls_extensions[] = { + { + .type = TLSEXT_TYPE_supported_versions, + .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | + SSL_TLSEXT_MSG_HRR, + .client = { + .needs = tlsext_versions_client_needs, + .build = tlsext_versions_client_build, + .parse = 
tlsext_versions_client_parse, + }, + .server = { + .needs = tlsext_versions_server_needs, + .build = tlsext_versions_server_build, + .parse = tlsext_versions_server_parse, + }, + }, + { + .type = TLSEXT_TYPE_key_share, + .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH | + SSL_TLSEXT_MSG_HRR, + .client = { + .needs = tlsext_keyshare_client_needs, + .build = tlsext_keyshare_client_build, + .parse = tlsext_keyshare_client_parse, + }, + .server = { + .needs = tlsext_keyshare_server_needs, + .build = tlsext_keyshare_server_build, + .parse = tlsext_keyshare_server_parse, + }, + }, { .type = TLSEXT_TYPE_server_name, - .clienthello_needs = tlsext_sni_clienthello_needs, - .clienthello_build = tlsext_sni_clienthello_build, - .clienthello_parse = tlsext_sni_clienthello_parse, - .serverhello_needs = tlsext_sni_serverhello_needs, - .serverhello_build = tlsext_sni_serverhello_build, - .serverhello_parse = tlsext_sni_serverhello_parse, + .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, + .client = { + .needs = tlsext_sni_client_needs, + .build = tlsext_sni_client_build, + .parse = tlsext_sni_client_parse, + }, + .server = { + .needs = tlsext_sni_server_needs, + .build = tlsext_sni_server_build, + .parse = tlsext_sni_server_parse, + }, }, { .type = TLSEXT_TYPE_renegotiate, - .clienthello_needs = tlsext_ri_clienthello_needs, - .clienthello_build = tlsext_ri_clienthello_build, - .clienthello_parse = tlsext_ri_clienthello_parse, - .serverhello_needs = tlsext_ri_serverhello_needs, - .serverhello_build = tlsext_ri_serverhello_build, - .serverhello_parse = tlsext_ri_serverhello_parse, + .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, + .client = { + .needs = tlsext_ri_client_needs, + .build = tlsext_ri_client_build, + .parse = tlsext_ri_client_parse, + }, + .server = { + .needs = tlsext_ri_server_needs, + .build = tlsext_ri_server_build, + .parse = tlsext_ri_server_parse, + }, }, { .type = TLSEXT_TYPE_status_request, - .clienthello_needs = tlsext_ocsp_clienthello_needs, - 
.clienthello_build = tlsext_ocsp_clienthello_build, - .clienthello_parse = tlsext_ocsp_clienthello_parse, - .serverhello_needs = tlsext_ocsp_serverhello_needs, - .serverhello_build = tlsext_ocsp_serverhello_build, - .serverhello_parse = tlsext_ocsp_serverhello_parse, + .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR | + SSL_TLSEXT_MSG_CT, + .client = { + .needs = tlsext_ocsp_client_needs, + .build = tlsext_ocsp_client_build, + .parse = tlsext_ocsp_client_parse, + }, + .server = { + .needs = tlsext_ocsp_server_needs, + .build = tlsext_ocsp_server_build, + .parse = tlsext_ocsp_server_parse, + }, }, { .type = TLSEXT_TYPE_ec_point_formats, - .clienthello_needs = tlsext_ecpf_clienthello_needs, - .clienthello_build = tlsext_ecpf_clienthello_build, - .clienthello_parse = tlsext_ecpf_clienthello_parse, - .serverhello_needs = tlsext_ecpf_serverhello_needs, - .serverhello_build = tlsext_ecpf_serverhello_build, - .serverhello_parse = tlsext_ecpf_serverhello_parse, + .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, + .client = { + .needs = tlsext_ecpf_client_needs, + .build = tlsext_ecpf_client_build, + .parse = tlsext_ecpf_client_parse, + }, + .server = { + .needs = tlsext_ecpf_server_needs, + .build = tlsext_ecpf_server_build, + .parse = tlsext_ecpf_server_parse, + }, }, { - .type = TLSEXT_TYPE_elliptic_curves, - .clienthello_needs = tlsext_ec_clienthello_needs, - .clienthello_build = tlsext_ec_clienthello_build, - .clienthello_parse = tlsext_ec_clienthello_parse, - .serverhello_needs = tlsext_ec_serverhello_needs, - .serverhello_build = tlsext_ec_serverhello_build, - .serverhello_parse = tlsext_ec_serverhello_parse, + .type = TLSEXT_TYPE_supported_groups, + .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, + .client = { + .needs = tlsext_supportedgroups_client_needs, + .build = tlsext_supportedgroups_client_build, + .parse = tlsext_supportedgroups_client_parse, + }, + .server = { + .needs = tlsext_supportedgroups_server_needs, + .build = 
tlsext_supportedgroups_server_build, + .parse = tlsext_supportedgroups_server_parse, + }, }, { .type = TLSEXT_TYPE_session_ticket, - .clienthello_needs = tlsext_sessionticket_clienthello_needs, - .clienthello_build = tlsext_sessionticket_clienthello_build, - .clienthello_parse = tlsext_sessionticket_clienthello_parse, - .serverhello_needs = tlsext_sessionticket_serverhello_needs, - .serverhello_build = tlsext_sessionticket_serverhello_build, - .serverhello_parse = tlsext_sessionticket_serverhello_parse, + .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH, + .client = { + .needs = tlsext_sessionticket_client_needs, + .build = tlsext_sessionticket_client_build, + .parse = tlsext_sessionticket_client_parse, + }, + .server = { + .needs = tlsext_sessionticket_server_needs, + .build = tlsext_sessionticket_server_build, + .parse = tlsext_sessionticket_server_parse, + }, }, { .type = TLSEXT_TYPE_signature_algorithms, - .clienthello_needs = tlsext_sigalgs_clienthello_needs, - .clienthello_build = tlsext_sigalgs_clienthello_build, - .clienthello_parse = tlsext_sigalgs_clienthello_parse, - .serverhello_needs = tlsext_sigalgs_serverhello_needs, - .serverhello_build = tlsext_sigalgs_serverhello_build, - .serverhello_parse = tlsext_sigalgs_serverhello_parse, + .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_CR, + .client = { + .needs = tlsext_sigalgs_client_needs, + .build = tlsext_sigalgs_client_build, + .parse = tlsext_sigalgs_client_parse, + }, + .server = { + .needs = tlsext_sigalgs_server_needs, + .build = tlsext_sigalgs_server_build, + .parse = tlsext_sigalgs_server_parse, + }, }, { .type = TLSEXT_TYPE_application_layer_protocol_negotiation, - .clienthello_needs = tlsext_alpn_clienthello_needs, - .clienthello_build = tlsext_alpn_clienthello_build, - .clienthello_parse = tlsext_alpn_clienthello_parse, - .serverhello_needs = tlsext_alpn_serverhello_needs, - .serverhello_build = tlsext_alpn_serverhello_build, - .serverhello_parse = tlsext_alpn_serverhello_parse, + .messages = 
SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_EE, + .client = { + .needs = tlsext_alpn_client_needs, + .build = tlsext_alpn_client_build, + .parse = tlsext_alpn_client_parse, + }, + .server = { + .needs = tlsext_alpn_server_needs, + .build = tlsext_alpn_server_build, + .parse = tlsext_alpn_server_parse, + }, + }, + { + .type = TLSEXT_TYPE_cookie, + .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_HRR, + .client = { + .needs = tlsext_cookie_client_needs, + .build = tlsext_cookie_client_build, + .parse = tlsext_cookie_client_parse, + }, + .server = { + .needs = tlsext_cookie_server_needs, + .build = tlsext_cookie_server_build, + .parse = tlsext_cookie_server_parse, + }, }, #ifndef OPENSSL_NO_SRTP { .type = TLSEXT_TYPE_use_srtp, - .clienthello_needs = tlsext_srtp_clienthello_needs, - .clienthello_build = tlsext_srtp_clienthello_build, - .clienthello_parse = tlsext_srtp_clienthello_parse, - .serverhello_needs = tlsext_srtp_serverhello_needs, - .serverhello_build = tlsext_srtp_serverhello_build, - .serverhello_parse = tlsext_srtp_serverhello_parse, + .messages = SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH /* XXX */ | + SSL_TLSEXT_MSG_EE, + .client = { + .needs = tlsext_srtp_client_needs, + .build = tlsext_srtp_client_build, + .parse = tlsext_srtp_client_parse, + }, + .server = { + .needs = tlsext_srtp_server_needs, + .build = tlsext_srtp_server_build, + .parse = tlsext_srtp_server_parse, + }, } #endif /* OPENSSL_NO_SRTP */ }; @@ -1295,7 +1997,7 @@ static struct tls_extension tls_extensions[] = { /* Ensure that extensions fit in a uint32_t bitmask. */ CTASSERT(N_TLS_EXTENSIONS <= (sizeof(uint32_t) * 8)); -static struct tls_extension * +struct tls_extension * tls_extension_find(uint16_t type, size_t *tls_extensions_idx) { size_t i; 
@@ -1310,47 +2012,53 @@ tls_extension_find(uint16_t type, size_t *tls_extensions_idx) return NULL; } -static int -tls_extension_needs(struct tls_extension *tlsext, int is_serverhello, SSL *s) +int +tlsext_extension_seen(SSL *s, uint16_t type) { - if (is_serverhello) - return tlsext->serverhello_needs(s); - return tlsext->clienthello_needs(s); + size_t idx; + + if (tls_extension_find(type, &idx) == NULL) + return 0; + return ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0); +} + +static struct tls_extension_funcs * +tlsext_funcs(struct tls_extension *tlsext, int is_server) +{ + if (is_server) + return &tlsext->server; + + return &tlsext->client; } static int -tls_extension_build(struct tls_extension *tlsext, int is_serverhello, SSL *s, - CBB *cbb) +tlsext_build(SSL *s, int is_server, uint16_t msg_type, CBB *cbb) { - if (is_serverhello) - return tlsext->serverhello_build(s, cbb); - return tlsext->clienthello_build(s, cbb); -} - -static int -tls_extension_parse(struct tls_extension *tlsext, int is_serverhello, SSL *s, - CBS *cbs, int *alert) -{ - if (is_serverhello) - return tlsext->serverhello_parse(s, cbs, alert); - return tlsext->clienthello_parse(s, cbs, alert); -} - -static int -tlsext_build(SSL *s, CBB *cbb, int is_serverhello) -{ - CBB extensions, extension_data; + struct tls_extension_funcs *ext; struct tls_extension *tlsext; + CBB extensions, extension_data; int extensions_present = 0; size_t i; + uint16_t version; + + if (is_server) + version = s->version; + else + version = TLS1_get_client_version(s); if (!CBB_add_u16_length_prefixed(cbb, &extensions)) return 0; for (i = 0; i < N_TLS_EXTENSIONS; i++) { tlsext = &tls_extensions[i]; + ext = tlsext_funcs(tlsext, is_server); - if (!tls_extension_needs(tlsext, is_serverhello, s)) + /* RFC 8446 Section 4.2 */ + if (version >= TLS1_3_VERSION && + !(tlsext->messages & msg_type)) + continue; + + if (!ext->needs(s, msg_type)) continue; if (!CBB_add_u16(&extensions, tlsext->type)) 
@@ -1358,14 +2066,14 @@ tlsext_build(SSL *s, CBB *cbb, int is_serverhello) if (!CBB_add_u16_length_prefixed(&extensions, &extension_data)) return 0; - if (!tls_extension_build(tlsext, is_serverhello, s, - &extension_data)) + if (!ext->build(s, msg_type, &extension_data)) return 0; extensions_present = 1; } - if (!extensions_present) + if (!extensions_present && + (msg_type & (SSL_TLSEXT_MSG_CH | SSL_TLSEXT_MSG_SH)) != 0) CBB_discard_child(cbb); if (!CBB_flush(cbb)) 
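Review bot: `tlsext_extension_seen` tests the bit with `(1 << idx)`, a signed int shift, while the CTASSERT just above this hunk allows N_TLS_EXTENSIONS to be exactly 32, so idx can legitimately reach 31 and `1 << 31` overflows int (the bitmask itself appears to be a uint32_t, judging by the removed `extensions_seen` declaration and the CTASSERT comment). Use an unsigned shift: `return ((S3I(s)->hs.extensions_seen & (1U << idx)) != 0);`. The same `(1 << idx)` idiom recurs in the duplicate-extension check in tlsext_parse later in this diff and should change with it. tlsext_build, which starts at the end of this hunk, continues in the next one.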
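Review bot: The new condition on CBB_discard_child carries no explanation of why only ClientHello and ServerHello are allowed to drop an empty extensions block, so a reader will wonder whether the other SSL_TLSEXT_MSG_* values were simply overlooked. Per RFC 8446 the EncryptedExtensions, Certificate, CertificateRequest and NewSessionTicket messages always carry the extensions length field even when no extension is present, and only the hello messages may omit it. Suggest a comment above the if: `/* Only CH and SH may omit the extensions block entirely; the other TLSv1.3 messages always carry the (possibly empty) length-prefixed vector. */`. tlsext_build begins in the previous hunk.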
@@ -1374,101 +2082,159 @@ tlsext_build(SSL *s, CBB *cbb, int is_serverhello) return 1; } -static int -tlsext_parse(SSL *s, CBS *cbs, int *alert, int is_serverhello) +int +tlsext_clienthello_hash_extension(SSL *s, uint16_t type, CBS *cbs) { - CBS extensions, extension_data; + /* + * RFC 8446 4.1.2. For subsequent CH, early data will be removed, + * cookie may be added, padding may be removed. + */ + struct tls13_ctx *ctx = s->internal->tls13; + + if (type == TLSEXT_TYPE_early_data || type == TLSEXT_TYPE_cookie || + type == TLSEXT_TYPE_padding) + return 1; + if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&type, + sizeof(type))) + return 0; + /* + * key_share data may be changed, and pre_shared_key data may + * be changed + */ + if (type == TLSEXT_TYPE_pre_shared_key || type == TLSEXT_TYPE_key_share) + return 1; + if (!tls13_clienthello_hash_update(ctx, cbs)) + return 0; + + return 1; +} + +static int +tlsext_parse(SSL *s, int is_server, uint16_t msg_type, CBS *cbs, int *alert) +{ + struct tls_extension_funcs *ext; struct tls_extension *tlsext; - uint32_t extensions_seen = 0; + CBS extensions, extension_data; uint16_t type; size_t idx; + uint16_t version; + int alert_desc; + + S3I(s)->hs.extensions_seen = 0; + + if (is_server) + version = s->version; + else + version = TLS1_get_client_version(s); /* An empty extensions block is valid. 
*/ if (CBS_len(cbs) == 0) return 1; - *alert = SSL_AD_DECODE_ERROR; + alert_desc = SSL_AD_DECODE_ERROR; if (!CBS_get_u16_length_prefixed(cbs, &extensions)) - return 0; + goto err; while (CBS_len(&extensions) > 0) { if (!CBS_get_u16(&extensions, &type)) - return 0; + goto err; if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) - return 0; + goto err; if (s->internal->tlsext_debug_cb != NULL) - s->internal->tlsext_debug_cb(s, is_serverhello, type, + s->internal->tlsext_debug_cb(s, is_server, type, (unsigned char *)CBS_data(&extension_data), CBS_len(&extension_data), s->internal->tlsext_debug_arg); + if (!SSL_IS_DTLS(s) && version >= TLS1_3_VERSION && is_server && + msg_type == SSL_TLSEXT_MSG_CH) { + if (!tlsext_clienthello_hash_extension(s, type, + &extension_data)) + goto err; + } + /* Unknown extensions are ignored. */ if ((tlsext = tls_extension_find(type, &idx)) == NULL) continue; - /* Check for duplicate known extensions. */ - if ((extensions_seen & (1 << idx)) != 0) - return 0; - extensions_seen |= (1 << idx); + /* RFC 8446 Section 4.2 */ + if (version >= TLS1_3_VERSION && + !(tlsext->messages & msg_type)) { + alert_desc = SSL_AD_ILLEGAL_PARAMETER; + goto err; + } - if (!tls_extension_parse(tlsext, is_serverhello, s, - &extension_data, alert)) - return 0; + /* Check for duplicate known extensions. 
*/ + if ((S3I(s)->hs.extensions_seen & (1 << idx)) != 0) + goto err; + S3I(s)->hs.extensions_seen |= (1 << idx); + + ext = tlsext_funcs(tlsext, is_server); + if (!ext->parse(s, msg_type, &extension_data, &alert_desc)) + goto err; if (CBS_len(&extension_data) != 0) - return 0; + goto err; } return 1; + + err: + *alert = alert_desc; + + return 0; } static void -tlsext_clienthello_reset_state(SSL *s) +tlsext_server_reset_state(SSL *s) { - s->internal->servername_done = 0; s->tlsext_status_type = -1; S3I(s)->renegotiate_seen = 0; free(S3I(s)->alpn_selected); S3I(s)->alpn_selected = NULL; + S3I(s)->alpn_selected_len = 0; s->internal->srtp_profile = NULL; } int -tlsext_clienthello_build(SSL *s, CBB *cbb) +tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb) { - return tlsext_build(s, cbb, 0); + return tlsext_build(s, 1, msg_type, cbb); } int -tlsext_clienthello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - /* XXX - this possibly should be done by the caller... */ - tlsext_clienthello_reset_state(s); + /* XXX - this should be done by the caller... */ + if (msg_type == SSL_TLSEXT_MSG_CH) + tlsext_server_reset_state(s); - return tlsext_parse(s, cbs, alert, 0); + return tlsext_parse(s, 1, msg_type, cbs, alert); } static void -tlsext_serverhello_reset_state(SSL *s) +tlsext_client_reset_state(SSL *s) { - S3I(s)->renegotiate_seen = 0; + S3I(s)->renegotiate_seen = 0; free(S3I(s)->alpn_selected); S3I(s)->alpn_selected = NULL; + S3I(s)->alpn_selected_len = 0; } int -tlsext_serverhello_build(SSL *s, CBB *cbb) +tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb) { - return tlsext_build(s, cbb, 1); + return tlsext_build(s, 0, msg_type, cbb); } int -tlsext_serverhello_parse(SSL *s, CBS *cbs, int *alert) +tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert) { - /* XXX - this possibly should be done by the caller... 
*/ - tlsext_serverhello_reset_state(s); + /* XXX - this should be done by the caller... */ + if (msg_type == SSL_TLSEXT_MSG_SH) + tlsext_client_reset_state(s); - return tlsext_parse(s, cbs, alert, 1); + return tlsext_parse(s, 0, msg_type, cbs, alert); } diff --git a/ssl/ssl_tlsext.h b/ssl/ssl_tlsext.h index 4248932..d98b387 100644 --- a/ssl/ssl_tlsext.h +++ b/ssl/ssl_tlsext.h @@ -1,7 +1,8 @@ -/* $OpenBSD: ssl_tlsext.h,v 1.12 2018/02/08 11:30:30 jsing Exp $ */ +/* $OpenBSD: ssl_tlsext.h,v 1.25 2020/07/03 04:51:59 tb Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * Copyright (c) 2017 Doug Hogan + * Copyright (c) 2019 Bob Beck * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above 
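Review bot: In tlsext_parse the RFC 8446 message-type check is keyed, on the client side, on `TLS1_get_client_version(s)`, i.e. the version the client offered rather than the one the server actually selected. A client that offered TLSv1.3 but is downgraded to TLSv1.2 and then parses a ServerHello through this path would have the TLSv1.3 mask applied to it, and any extension whose `messages` mask omits SSL_TLSEXT_MSG_SH (server_name is registered as CH|EE in this diff, yet RFC 6066 permits an empty server_name in a TLSv1.2 ServerHello) would be rejected with SSL_AD_ILLEGAL_PARAMETER; whether the legacy fallback rewrites the client version before reaching this code is not visible here. Consider keying the check on the negotiated version once it is known, or at minimum record the assumption above the version selection: `/* XXX - for the client this is the offered version; the TLSv1.3 message mask must not be applied once a lower version has been negotiated. */`.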
@@ -16,73 +17,125 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -int tlsext_alpn_clienthello_needs(SSL *s); -int tlsext_alpn_clienthello_build(SSL *s, CBB *cbb); -int tlsext_alpn_clienthello_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_alpn_serverhello_needs(SSL *s); -int tlsext_alpn_serverhello_build(SSL *s, CBB *cbb); -int tlsext_alpn_serverhello_parse(SSL *s, CBS *cbs, int *alert); +#ifndef HEADER_SSL_TLSEXT_H +#define HEADER_SSL_TLSEXT_H -int tlsext_ri_clienthello_needs(SSL *s); -int tlsext_ri_clienthello_build(SSL *s, CBB *cbb); -int tlsext_ri_clienthello_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_ri_serverhello_needs(SSL *s); -int tlsext_ri_serverhello_build(SSL *s, CBB *cbb); -int tlsext_ri_serverhello_parse(SSL *s, CBS *cbs, int *alert); +/* TLSv1.3 - RFC 8446 Section 4.2. */ +#define SSL_TLSEXT_MSG_CH 0x0001 /* ClientHello */ +#define SSL_TLSEXT_MSG_SH 0x0002 /* ServerHello */ +#define SSL_TLSEXT_MSG_EE 0x0004 /* EncryptedExtension */ +#define SSL_TLSEXT_MSG_CT 0x0008 /* Certificate */ +#define SSL_TLSEXT_MSG_CR 0x0010 /* CertificateRequest */ +#define SSL_TLSEXT_MSG_NST 0x0020 /* NewSessionTicket */ +#define SSL_TLSEXT_MSG_HRR 0x0040 /* HelloRetryRequest */ -int tlsext_sigalgs_clienthello_needs(SSL *s); -int tlsext_sigalgs_clienthello_build(SSL *s, CBB *cbb); -int tlsext_sigalgs_clienthello_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_sigalgs_serverhello_needs(SSL *s); -int tlsext_sigalgs_serverhello_build(SSL *s, CBB *cbb); -int tlsext_sigalgs_serverhello_parse(SSL *s, CBS *cbs, int *alert); +__BEGIN_HIDDEN_DECLS -int tlsext_sni_clienthello_needs(SSL *s); -int tlsext_sni_clienthello_build(SSL *s, CBB *cbb); -int tlsext_sni_clienthello_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_sni_serverhello_needs(SSL *s); -int tlsext_sni_serverhello_build(SSL *s, CBB *cbb); -int tlsext_sni_serverhello_parse(SSL *s, CBS *cbs, int *alert); +int tlsext_alpn_client_needs(SSL *s, uint16_t msg_type); +int 
tlsext_alpn_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_alpn_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_alpn_server_needs(SSL *s, uint16_t msg_type); +int tlsext_alpn_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_alpn_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -int tlsext_ec_clienthello_needs(SSL *s); -int tlsext_ec_clienthello_build(SSL *s, CBB *cbb); -int tlsext_ec_clienthello_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_ec_serverhello_needs(SSL *s); -int tlsext_ec_serverhello_build(SSL *s, CBB *cbb); -int tlsext_ec_serverhello_parse(SSL *s, CBS *cbs, int *alert); +int tlsext_ri_client_needs(SSL *s, uint16_t msg_type); +int tlsext_ri_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_ri_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_ri_server_needs(SSL *s, uint16_t msg_type); +int tlsext_ri_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_ri_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -int tlsext_ecpf_clienthello_needs(SSL *s); -int tlsext_ecpf_clienthello_build(SSL *s, CBB *cbb); -int tlsext_ecpf_clienthello_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_ecpf_serverhello_needs(SSL *s); -int tlsext_ecpf_serverhello_build(SSL *s, CBB *cbb); -int tlsext_ecpf_serverhello_parse(SSL *s, CBS *cbs, int *alert); +int tlsext_sigalgs_client_needs(SSL *s, uint16_t msg_type); +int tlsext_sigalgs_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_sigalgs_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); +int tlsext_sigalgs_server_needs(SSL *s, uint16_t msg_type); +int tlsext_sigalgs_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_sigalgs_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); -int tlsext_ocsp_clienthello_needs(SSL *s); -int tlsext_ocsp_clienthello_build(SSL *s, CBB *cbb); -int tlsext_ocsp_clienthello_parse(SSL *s, CBS *cbs, int *alert); -int 
tlsext_ocsp_serverhello_needs(SSL *s); -int tlsext_ocsp_serverhello_build(SSL *s, CBB *cbb); -int tlsext_ocsp_serverhello_parse(SSL *s, CBS *cbs, int *alert); +int tlsext_sni_client_needs(SSL *s, uint16_t msg_type); +int tlsext_sni_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_sni_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_sni_server_needs(SSL *s, uint16_t msg_type); +int tlsext_sni_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_sni_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_sni_is_valid_hostname(CBS *cbs); -int tlsext_sessionticket_clienthello_needs(SSL *s); -int tlsext_sessionticket_clienthello_build(SSL *s, CBB *cbb); -int tlsext_sessionticket_clienthello_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_sessionticket_serverhello_needs(SSL *s); -int tlsext_sessionticket_serverhello_build(SSL *s, CBB *cbb); -int tlsext_sessionticket_serverhello_parse(SSL *s, CBS *cbs, int *alert); +int tlsext_supportedgroups_client_needs(SSL *s, uint16_t msg_type); +int tlsext_supportedgroups_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_supportedgroups_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); +int tlsext_supportedgroups_server_needs(SSL *s, uint16_t msg_type); +int tlsext_supportedgroups_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_supportedgroups_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); + +int tlsext_ecpf_client_needs(SSL *s, uint16_t msg_type); +int tlsext_ecpf_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_ecpf_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_ecpf_server_needs(SSL *s, uint16_t msg_type); +int tlsext_ecpf_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_ecpf_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); + +int tlsext_ocsp_client_needs(SSL *s, uint16_t msg_type); +int tlsext_ocsp_client_build(SSL *s, uint16_t 
msg_type, CBB *cbb); +int tlsext_ocsp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_ocsp_server_needs(SSL *s, uint16_t msg_type); +int tlsext_ocsp_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_ocsp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); + +int tlsext_sessionticket_client_needs(SSL *s, uint16_t msg_type); +int tlsext_sessionticket_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_sessionticket_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); +int tlsext_sessionticket_server_needs(SSL *s, uint16_t msg_type); +int tlsext_sessionticket_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_sessionticket_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); + +int tlsext_versions_client_needs(SSL *s, uint16_t msg_type); +int tlsext_versions_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_versions_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); +int tlsext_versions_server_needs(SSL *s, uint16_t msg_type); +int tlsext_versions_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_versions_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); + +int tlsext_keyshare_client_needs(SSL *s, uint16_t msg_type); +int tlsext_keyshare_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_keyshare_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); +int tlsext_keyshare_server_needs(SSL *s, uint16_t msg_type); +int tlsext_keyshare_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_keyshare_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, + int *alert); + +int tlsext_cookie_client_needs(SSL *s, uint16_t msg_type); +int tlsext_cookie_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_cookie_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_cookie_server_needs(SSL *s, uint16_t msg_type); +int tlsext_cookie_server_build(SSL *s, uint16_t msg_type, CBB 
*cbb); +int tlsext_cookie_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); #ifndef OPENSSL_NO_SRTP -int tlsext_srtp_clienthello_needs(SSL *s); -int tlsext_srtp_clienthello_build(SSL *s, CBB *cbb); -int tlsext_srtp_clienthello_parse(SSL *s, CBS *cbs, int *alert); -int tlsext_srtp_serverhello_needs(SSL *s); -int tlsext_srtp_serverhello_build(SSL *s, CBB *cbb); -int tlsext_srtp_serverhello_parse(SSL *s, CBS *cbs, int *alert); +int tlsext_srtp_client_needs(SSL *s, uint16_t msg_type); +int tlsext_srtp_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_srtp_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); +int tlsext_srtp_server_needs(SSL *s, uint16_t msg_type); +int tlsext_srtp_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_srtp_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); #endif -int tlsext_clienthello_build(SSL *s, CBB *cbb); -int tlsext_clienthello_parse(SSL *s, CBS *cbs, int *alert); +int tlsext_client_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_client_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); -int tlsext_serverhello_build(SSL *s, CBB *cbb); -int tlsext_serverhello_parse(SSL *s, CBS *cbs, int *alert); +int tlsext_server_build(SSL *s, uint16_t msg_type, CBB *cbb); +int tlsext_server_parse(SSL *s, uint16_t msg_type, CBS *cbs, int *alert); + +struct tls_extension *tls_extension_find(uint16_t, size_t *); +int tlsext_extension_seen(SSL *s, uint16_t); +__END_HIDDEN_DECLS + +#endif diff --git a/ssl/ssl_transcript.c b/ssl/ssl_transcript.c new file mode 100644 index 0000000..b93004c --- /dev/null +++ b/ssl/ssl_transcript.c 
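Review bot: The SSL_TLSEXT_MSG_* definitions name the handshake message each bit stands for but say nothing about how the bits are used, and the ssl_tlsext.c side of this diff only enforces the `messages` mask when the version in play is TLSv1.3 or higher. A one-line comment above the block would save the next reader a trip through tlsext_parse: `/* Handshake messages an extension may appear in (RFC 8446 Section 4.2); the mask is only enforced for TLSv1.3. */`. SSL_TLSEXT_MSG_NST is defined here but not referenced by any entry of the extension table visible in this diff, which is worth a note if it is reserved for later use.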
@@ -0,0 +1,207 @@ +/* $OpenBSD: ssl_transcript.c,v 1.2 2020/02/05 16:47:34 jsing Exp $ */ +/* + * Copyright (c) 2017 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "ssl_locl.h" + +#include + +int +tls1_transcript_hash_init(SSL *s) +{ + const unsigned char *data; + const EVP_MD *md; + size_t len; + + tls1_transcript_hash_free(s); + + if (!ssl_get_handshake_evp_md(s, &md)) { + SSLerrorx(ERR_R_INTERNAL_ERROR); + goto err; + } + + if ((S3I(s)->handshake_hash = EVP_MD_CTX_new()) == NULL) { + SSLerror(s, ERR_R_MALLOC_FAILURE); + goto err; + } + if (!EVP_DigestInit_ex(S3I(s)->handshake_hash, md, NULL)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + + if (!tls1_transcript_data(s, &data, &len)) { + SSLerror(s, SSL_R_BAD_HANDSHAKE_LENGTH); + goto err; + } + if (!tls1_transcript_hash_update(s, data, len)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + + return 1; + + err: + tls1_transcript_hash_free(s); + + return 0; +} + +int +tls1_transcript_hash_update(SSL *s, const unsigned char *buf, size_t len) +{ + if (S3I(s)->handshake_hash == NULL) + return 1; + + return EVP_DigestUpdate(S3I(s)->handshake_hash, buf, len); +} + +int +tls1_transcript_hash_value(SSL *s, const unsigned char *out, size_t len, + size_t *outlen) +{ + EVP_MD_CTX *mdctx = NULL; + unsigned int 
mdlen; + int ret = 0; + + if (EVP_MD_CTX_size(S3I(s)->handshake_hash) > len) + goto err; + + if ((mdctx = EVP_MD_CTX_new()) == NULL) { + SSLerror(s, ERR_R_MALLOC_FAILURE); + goto err; + } + if (!EVP_MD_CTX_copy_ex(mdctx, S3I(s)->handshake_hash)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if (!EVP_DigestFinal_ex(mdctx, (unsigned char *)out, &mdlen)) { + SSLerror(s, ERR_R_EVP_LIB); + goto err; + } + if (outlen != NULL) + *outlen = mdlen; + + ret = 1; + + err: + EVP_MD_CTX_free(mdctx); + + return (ret); +} + +void +tls1_transcript_hash_free(SSL *s) +{ + EVP_MD_CTX_free(S3I(s)->handshake_hash); + S3I(s)->handshake_hash = NULL; +} + +int +tls1_transcript_init(SSL *s) +{ + if (S3I(s)->handshake_transcript != NULL) + return 0; + + if ((S3I(s)->handshake_transcript = BUF_MEM_new()) == NULL) + return 0; + + tls1_transcript_reset(s); + + return 1; +} + +void +tls1_transcript_free(SSL *s) +{ + BUF_MEM_free(S3I(s)->handshake_transcript); + S3I(s)->handshake_transcript = NULL; +} + +void +tls1_transcript_reset(SSL *s) +{ + /* + * We should check the return value of BUF_MEM_grow_clean(), however + * due to yet another bad API design, when called with a length of zero + * it is impossible to tell if it succeeded (returning a length of zero) + * or if it failed (and returned zero)... our implementation never + * fails with a length of zero, so we trust all is okay... 
+ */ + (void)BUF_MEM_grow_clean(S3I(s)->handshake_transcript, 0); + + tls1_transcript_unfreeze(s); +} + +int +tls1_transcript_append(SSL *s, const unsigned char *buf, size_t len) +{ + size_t olen, nlen; + + if (S3I(s)->handshake_transcript == NULL) + return 1; + + if (s->s3->flags & TLS1_FLAGS_FREEZE_TRANSCRIPT) + return 1; + + olen = S3I(s)->handshake_transcript->length; + nlen = olen + len; + + if (nlen < olen) + return 0; + + if (BUF_MEM_grow(S3I(s)->handshake_transcript, nlen) == 0) + return 0; + + memcpy(S3I(s)->handshake_transcript->data + olen, buf, len); + + return 1; +} + +int +tls1_transcript_data(SSL *s, const unsigned char **data, size_t *len) +{ + if (S3I(s)->handshake_transcript == NULL) + return 0; + + *data = S3I(s)->handshake_transcript->data; + *len = S3I(s)->handshake_transcript->length; + + return 1; +} + +void +tls1_transcript_freeze(SSL *s) +{ + s->s3->flags |= TLS1_FLAGS_FREEZE_TRANSCRIPT; +} + +void +tls1_transcript_unfreeze(SSL *s) +{ + s->s3->flags &= ~TLS1_FLAGS_FREEZE_TRANSCRIPT; +} + +int +tls1_transcript_record(SSL *s, const unsigned char *buf, size_t len) +{ + if (!tls1_transcript_hash_update(s, buf, len)) + return 0; + + if (!tls1_transcript_append(s, buf, len)) + return 0; + + return 1; +} diff --git a/ssl/ssl_versions.c b/ssl/ssl_versions.c index 240a249..b21fa71 100644 --- a/ssl/ssl_versions.c +++ b/ssl/ssl_versions.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_versions.c,v 1.3 2017/05/06 20:37:25 jsing Exp $ */ +/* $OpenBSD: ssl_versions.c,v 1.6 2020/05/31 18:03:32 jsing Exp $ */ /* * Copyright (c) 2016, 2017 Joel Sing * @@ -94,7 +94,7 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) */ min_version = 0; - max_version = TLS1_2_VERSION; + max_version = TLS1_3_VERSION; if ((s->internal->options & SSL_OP_NO_TLSv1) == 0) min_version = TLS1_VERSION; 
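Review bot: tls1_transcript_hash_value declares its output buffer as `const unsigned char *out` and then casts the const away for EVP_DigestFinal_ex, which hides from callers that the buffer is written into; the parameter should be `unsigned char *out` with the cast dropped, which is backward compatible for any caller passing a writable buffer. The same function hands `S3I(s)->handshake_hash` to EVP_MD_CTX_size() without a NULL check, whereas tls1_transcript_hash_update treats a NULL context as a no-op, so calling it before tls1_transcript_hash_init() or after tls1_transcript_hash_free() relies on EVP_MD_CTX_size() tolerating NULL and on its int return being compared against a size_t `len`. An explicit guard makes the failure mode independent of that: `if (S3I(s)->handshake_hash == NULL) goto err;` before the size comparison. All functions in this hunk are complete within it.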
@@ -102,7 +102,11 @@ ssl_enabled_version_range(SSL *s, uint16_t *min_ver, uint16_t *max_ver) min_version = TLS1_1_VERSION; else if ((s->internal->options & SSL_OP_NO_TLSv1_2) == 0) min_version = TLS1_2_VERSION; + else if ((s->internal->options & SSL_OP_NO_TLSv1_3) == 0) + min_version = TLS1_3_VERSION; + if ((s->internal->options & SSL_OP_NO_TLSv1_3) && min_version < TLS1_3_VERSION) + max_version = TLS1_2_VERSION; if ((s->internal->options & SSL_OP_NO_TLSv1_2) && min_version < TLS1_2_VERSION) max_version = TLS1_1_VERSION; if ((s->internal->options & SSL_OP_NO_TLSv1_1) && min_version < TLS1_1_VERSION) @@ -171,7 +175,9 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) return 0; } - if (peer_ver >= TLS1_2_VERSION) + if (peer_ver >= TLS1_3_VERSION) + shared_version = TLS1_3_VERSION; + else if (peer_ver >= TLS1_2_VERSION) shared_version = TLS1_2_VERSION; else if (peer_ver >= TLS1_1_VERSION) shared_version = TLS1_1_VERSION; 
@@ -194,26 +200,34 @@ ssl_max_shared_version(SSL *s, uint16_t peer_ver, uint16_t *max_ver) return 1; } -uint16_t -ssl_max_server_version(SSL *s) +int +ssl_downgrade_max_version(SSL *s, uint16_t *max_ver) { - uint16_t max_version, min_version = 0; + uint16_t min_version, max_version; - if (SSL_IS_DTLS(s)) - return (DTLS1_VERSION); + /* + * The downgrade maximum version is based on the versions that are + * enabled, however we also have to then limit to the versions + * supported by the method. The SSL method will be changed during + * version negotiation and when switching from the new stack to + * the legacy context, as such we want to use the method from the + * context. + */ + + if (SSL_IS_DTLS(s)) { + *max_ver = DTLS1_VERSION; + return 1; + } if (!ssl_enabled_version_range(s, &min_version, &max_version)) return 0; - /* - * Limit to the versions supported by this method. The SSL method - * will be changed during version negotiation, as such we want to - * use the SSL method from the context. - */ if (!ssl_clamp_version_range(&min_version, &max_version, s->ctx->method->internal->min_version, s->ctx->method->internal->max_version)) return 0; - return (max_version); + *max_ver = max_version; + + return 1; } diff --git a/ssl/t1_clnt.c b/ssl/t1_clnt.c deleted file mode 100644 index 92b5efb..0000000 --- a/ssl/t1_clnt.c +++ /dev/null 
@@ -1,243 +0,0 @@ -/* $OpenBSD: t1_clnt.c,v 1.24 2017/01/26 05:31:25 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#include - -#include "ssl_locl.h" - -#include -#include -#include - -static const SSL_METHOD_INTERNAL TLS_client_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_pending = ssl3_pending, - .get_ssl_method = tls1_get_client_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl_undefined_function, - .ssl_renegotiate_check = ssl_ok, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, -}; - -static const SSL_METHOD TLS_client_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLS_client_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_client_method_internal_data = { - .version = TLS1_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_pending = ssl3_pending, - .get_ssl_method = tls1_get_client_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc 
= &TLSv1_enc_data, -}; - -static const SSL_METHOD TLSv1_client_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_client_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_1_client_method_internal_data = { - .version = TLS1_1_VERSION, - .min_version = TLS1_1_VERSION, - .max_version = TLS1_1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_pending = ssl3_pending, - .get_ssl_method = tls1_get_client_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_1_enc_data, -}; - -static const SSL_METHOD TLSv1_1_client_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_1_client_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_2_client_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_2_VERSION, - .max_version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl_undefined_function, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_pending = ssl3_pending, - .get_ssl_method = tls1_get_client_method, 
- .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, -}; - -static const SSL_METHOD TLSv1_2_client_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_2_client_method_internal_data, -}; - -const SSL_METHOD * -tls1_get_client_method(int ver) -{ - if (ver == TLS1_2_VERSION) - return (TLSv1_2_client_method()); - if (ver == TLS1_1_VERSION) - return (TLSv1_1_client_method()); - if (ver == TLS1_VERSION) - return (TLSv1_client_method()); - return (NULL); -} - -const SSL_METHOD * -SSLv23_client_method(void) -{ - return (TLS_client_method()); -} - -const SSL_METHOD * -TLS_client_method(void) -{ - return (&TLS_client_method_data); -} - -const SSL_METHOD * -TLSv1_client_method(void) -{ - return (&TLSv1_client_method_data); -} - -const SSL_METHOD * -TLSv1_1_client_method(void) -{ - return (&TLSv1_1_client_method_data); -} - -const SSL_METHOD * -TLSv1_2_client_method(void) -{ - return (&TLSv1_2_client_method_data); -} diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c index 9598613..a66c82b 100644 --- a/ssl/t1_enc.c +++ b/ssl/t1_enc.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_enc.c,v 1.109 2017/05/06 22:24:58 beck Exp $ */ +/* $OpenBSD: t1_enc.c,v 1.123 2020/08/30 15:40:20 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * 
@@ -157,61 +157,6 @@ tls1_cleanup_key_block(SSL *s) S3I(s)->hs.key_block_len = 0; } -int -tls1_init_finished_mac(SSL *s) -{ - BIO_free(S3I(s)->handshake_buffer); - - S3I(s)->handshake_buffer = BIO_new(BIO_s_mem()); - if (S3I(s)->handshake_buffer == NULL) - return (0); - - (void)BIO_set_close(S3I(s)->handshake_buffer, BIO_CLOSE); - - return (1); -} - -int -tls1_finish_mac(SSL *s, const unsigned char *buf, int len) -{ - if (len < 0) - return 0; - - if (!tls1_handshake_hash_update(s, buf, len)) - return 0; - - if (S3I(s)->handshake_buffer && - !(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) { - BIO_write(S3I(s)->handshake_buffer, (void *)buf, len); - return 1; - } - - return 1; -} - -int -tls1_digest_cached_records(SSL *s) -{ - long hdatalen; - void *hdata; - - hdatalen = BIO_get_mem_data(S3I(s)->handshake_buffer, &hdata); - if (hdatalen <= 0) { - SSLerror(s, SSL_R_BAD_HANDSHAKE_LENGTH); - goto err; - } - - if (!(s->s3->flags & TLS1_FLAGS_KEEP_HANDSHAKE)) { - BIO_free(S3I(s)->handshake_buffer); - S3I(s)->handshake_buffer = NULL; - } - - return 1; - - err: - return 0; -} - void tls1_record_sequence_increment(unsigned char *seq) { 
@@ -391,19 +336,31 @@ tls1_aead_ctx_init(SSL_AEAD_CTX **aead_ctx) static int tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key, - unsigned key_len, const unsigned char *iv, unsigned iv_len) + unsigned int key_len, const unsigned char *iv, unsigned int iv_len) { const EVP_AEAD *aead = S3I(s)->tmp.new_aead; SSL_AEAD_CTX *aead_ctx; + /* XXX - Need to avoid clearing write state for DTLS. */ + if (SSL_IS_DTLS(s)) + return 0; + if (is_read) { + ssl_clear_cipher_read_state(s); if (!tls1_aead_ctx_init(&s->internal->aead_read_ctx)) return 0; aead_ctx = s->internal->aead_read_ctx; + + if (!tls12_record_layer_set_read_aead(s->internal->rl, aead_ctx)) + return 0; } else { + ssl_clear_cipher_write_state(s); if (!tls1_aead_ctx_init(&s->internal->aead_write_ctx)) return 0; aead_ctx = s->internal->aead_write_ctx; + + if (!tls12_record_layer_set_write_aead(s->internal->rl, aead_ctx)) + return 0; } if (!EVP_AEAD_CTX_init(&aead_ctx->ctx, aead, key, key_len, @@ -444,11 +401,10 @@ tls1_change_cipher_state_aead(SSL *s, char is_read, const unsigned char *key, * tls1_change_cipher_state_cipher performs the work needed to switch cipher * states when using EVP_CIPHER. The argument is_read is true iff this function * is being called due to reading, as opposed to writing, a ChangeCipherSpec - * message. In order to support export ciphersuites, use_client_keys indicates - * whether the key material provided is in the "client write" direction. + * message. */ static int -tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys, +tls1_change_cipher_state_cipher(SSL *s, char is_read, const unsigned char *mac_secret, unsigned int mac_secret_size, const unsigned char *key, unsigned int key_len, const unsigned char *iv, unsigned int iv_len) 
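Review bot: The record layer is handed `aead_ctx` via `tls12_record_layer_set_read_aead`/`tls12_record_layer_set_write_aead` before `EVP_AEAD_CTX_init` has run on it, so if that init fails (the error path is outside the hunk) the record layer is left pointing at a context whose AEAD state was never established. Moving the two `tls12_record_layer_set_*_aead` calls after a successful `EVP_AEAD_CTX_init` means the record layer only ever sees a fully initialised context. Separately, the new `if (SSL_IS_DTLS(s)) return 0;` makes every AEAD cipher suite fail on DTLS without queuing an error; if that interim state is intended, the `XXX` comment should say so, e.g. `/* XXX - AEAD cipher suites are currently unsupported for DTLS: ssl_clear_cipher_*_state() would free contexts that DTLS still references. */` (the DTLS ownership detail is taken from the comment in the following hunk, so confirm it applies here).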
@@ -456,32 +412,36 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys, EVP_CIPHER_CTX *cipher_ctx; const EVP_CIPHER *cipher; EVP_MD_CTX *mac_ctx; + EVP_PKEY *mac_key; const EVP_MD *mac; + int stream_mac; int mac_type; cipher = S3I(s)->tmp.new_sym_enc; mac = S3I(s)->tmp.new_hash; mac_type = S3I(s)->tmp.new_mac_pkey_type; + stream_mac = S3I(s)->hs.new_cipher->algorithm2 & TLS1_STREAM_MAC; if (is_read) { - if (S3I(s)->hs.new_cipher->algorithm2 & TLS1_STREAM_MAC) + if (stream_mac) s->internal->mac_flags |= SSL_MAC_FLAG_READ_MAC_STREAM; else s->internal->mac_flags &= ~SSL_MAC_FLAG_READ_MAC_STREAM; - EVP_CIPHER_CTX_free(s->enc_read_ctx); - s->enc_read_ctx = NULL; - EVP_MD_CTX_destroy(s->read_hash); - s->read_hash = NULL; + ssl_clear_cipher_read_state(s); if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) goto err; s->enc_read_ctx = cipher_ctx; - if ((mac_ctx = EVP_MD_CTX_create()) == NULL) + if ((mac_ctx = EVP_MD_CTX_new()) == NULL) goto err; s->read_hash = mac_ctx; + + if (!tls12_record_layer_set_read_cipher_hash(s->internal->rl, + cipher_ctx, mac_ctx, stream_mac)) + goto err; } else { - if (S3I(s)->hs.new_cipher->algorithm2 & TLS1_STREAM_MAC) + if (stream_mac) s->internal->mac_flags |= SSL_MAC_FLAG_WRITE_MAC_STREAM; else s->internal->mac_flags &= ~SSL_MAC_FLAG_WRITE_MAC_STREAM; 
@@ -493,41 +453,29 @@ tls1_change_cipher_state_cipher(SSL *s, char is_read, char use_client_keys, * contexts that are used for DTLS - these are instead freed * by DTLS when its frees a ChangeCipherSpec fragment. */ - if (!SSL_IS_DTLS(s)) { - EVP_CIPHER_CTX_free(s->internal->enc_write_ctx); - s->internal->enc_write_ctx = NULL; - EVP_MD_CTX_destroy(s->internal->write_hash); - s->internal->write_hash = NULL; - } + if (!SSL_IS_DTLS(s)) + ssl_clear_cipher_write_state(s); + if ((cipher_ctx = EVP_CIPHER_CTX_new()) == NULL) goto err; s->internal->enc_write_ctx = cipher_ctx; - if ((mac_ctx = EVP_MD_CTX_create()) == NULL) + if ((mac_ctx = EVP_MD_CTX_new()) == NULL) goto err; s->internal->write_hash = mac_ctx; - } - if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) { - EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, NULL, - !is_read); - EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_GCM_SET_IV_FIXED, - iv_len, (unsigned char *)iv); - } else - EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read); - - if (!(EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER)) { - EVP_PKEY *mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, - mac_secret, mac_secret_size); - if (mac_key == NULL) + if (!tls12_record_layer_set_write_cipher_hash(s->internal->rl, + cipher_ctx, mac_ctx, stream_mac)) goto err; - EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key); - EVP_PKEY_free(mac_key); - } else if (mac_secret_size > 0) { - /* Needed for "composite" AEADs, such as RC4-HMAC-MD5 */ - EVP_CIPHER_CTX_ctrl(cipher_ctx, EVP_CTRL_AEAD_SET_MAC_KEY, - mac_secret_size, (unsigned char *)mac_secret); } + EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read); + + if ((mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret, + mac_secret_size)) == NULL) + goto err; + EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key); + EVP_PKEY_free(mac_key); + if (S3I(s)->hs.new_cipher->algorithm_enc == SSL_eGOST2814789CNT) { int nid; if (S3I(s)->hs.new_cipher->algorithm2 & SSL_HANDSHAKE_MAC_GOST94) 
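Review bot: The rewritten `EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read);` and `EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key);` ignore their return values, so a failed cipher or MAC-key initialisation leaves `cipher_ctx`/`mac_ctx` installed in the SSL object and the record layer while the function continues as if the key change succeeded. Both calls return 0 on failure and the function already has an `err` label (outside the hunk), so the fix is to route failures there, releasing `mac_key` on the MAC path. The GOST block that follows is unchanged.
```c
	if (!EVP_CipherInit_ex(cipher_ctx, cipher, NULL, key, iv, !is_read))
		goto err;

	if ((mac_key = EVP_PKEY_new_mac_key(mac_type, NULL, mac_secret,
	    mac_secret_size)) == NULL)
		goto err;
	if (!EVP_DigestSignInit(mac_ctx, NULL, mac, NULL, mac_key)) {
		EVP_PKEY_free(mac_key);
		goto err;
	}
	EVP_PKEY_free(mac_key);
	/* … unchanged: GOST handshake MAC selection … */
```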
@@ -560,7 +508,6 @@ tls1_change_cipher_state(SSL *s, int which) const EVP_AEAD *aead; char is_read, use_client_keys; - cipher = S3I(s)->tmp.new_sym_enc; aead = S3I(s)->tmp.new_aead; @@ -579,7 +526,6 @@ tls1_change_cipher_state(SSL *s, int which) use_client_keys = ((which == SSL3_CHANGE_CIPHER_CLIENT_WRITE) || (which == SSL3_CHANGE_CIPHER_SERVER_READ)); - /* * Reset sequence number to zero - for DTLS this is handled in * dtls1_reset_seq_numbers(). @@ -595,13 +541,9 @@ tls1_change_cipher_state(SSL *s, int which) } else { key_len = EVP_CIPHER_key_length(cipher); iv_len = EVP_CIPHER_iv_length(cipher); - - /* If GCM mode only part of IV comes from PRF. */ - if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) - iv_len = EVP_GCM_TLS_FIXED_IV_LEN; } - mac_secret_size = s->s3->tmp.new_mac_secret_size; + mac_secret_size = S3I(s)->tmp.new_mac_secret_size; key_block = S3I(s)->hs.key_block; client_write_mac_secret = key_block; @@ -645,7 +587,7 @@ tls1_change_cipher_state(SSL *s, int which) iv, iv_len); } - return tls1_change_cipher_state_cipher(s, is_read, use_client_keys, + return tls1_change_cipher_state_cipher(s, is_read, mac_secret, mac_secret_size, key, key_len, iv, iv_len); err2: @@ -667,7 +609,7 @@ tls1_setup_key_block(SSL *s) return (1); if (s->session->cipher && - (s->session->cipher->algorithm2 & SSL_CIPHER_ALGORITHM2_AEAD)) { + (s->session->cipher->algorithm_mac & SSL_AEAD)) { if (!ssl_cipher_get_evp_aead(s->session, &aead)) { SSLerror(s, SSL_R_CIPHER_OR_HASH_UNAVAILABLE); return (0); 
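Review bot: With the `EVP_GCM_TLS_FIXED_IV_LEN` override removed from the `@@ -595` hunk, `iv_len` on the EVP_CIPHER path is whatever `EVP_CIPHER_iv_length(cipher)` reports, and the same removal is made in `tls1_setup_key_block` (the `@@ -682` hunk on the next line). That is only correct if no GCM suite can still reach the EVP_CIPHER path, i.e. the `algorithm_mac & SSL_AEAD` test introduced in the `@@ -667` hunk routes all of them to the EVP_AEAD path; the selection inside `ssl_cipher_get_evp_aead` is not in this diff, so it is worth confirming. A one-line comment at the `iv_len = EVP_CIPHER_iv_length(cipher);` site in both functions would pin the invariant: `/* AEAD suites never reach here (see the SSL_AEAD check); the full EVP IV length is correct for CBC and stream ciphers. */`.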
@@ -682,17 +624,13 @@ tls1_setup_key_block(SSL *s) } key_len = EVP_CIPHER_key_length(cipher); iv_len = EVP_CIPHER_iv_length(cipher); - - /* If GCM mode only part of IV comes from PRF. */ - if (EVP_CIPHER_mode(cipher) == EVP_CIPH_GCM_MODE) - iv_len = EVP_GCM_TLS_FIXED_IV_LEN; } S3I(s)->tmp.new_aead = aead; S3I(s)->tmp.new_sym_enc = cipher; S3I(s)->tmp.new_hash = mac; S3I(s)->tmp.new_mac_pkey_type = mac_type; - s->s3->tmp.new_mac_secret_size = mac_secret_size; + S3I(s)->tmp.new_mac_secret_size = mac_secret_size; tls1_cleanup_key_block(s); @@ -749,15 +687,14 @@ tls1_enc(SSL *s, int send) const SSL_AEAD_CTX *aead; const EVP_CIPHER *enc; EVP_CIPHER_CTX *ds; - SSL3_RECORD *rec; + SSL3_RECORD_INTERNAL *rec; unsigned char *seq; unsigned long l; - int bs, i, j, k, pad = 0, ret, mac_size = 0; + int bs, i, j, k, ret, mac_size = 0; if (send) { - aead = s->internal->aead_write_ctx; - rec = &S3I(s)->wrec; - seq = S3I(s)->write_sequence; + /* No longer supported. */ + return -1; } else { aead = s->internal->aead_read_ctx; rec = &S3I(s)->rrec; @@ -957,28 +894,7 @@ tls1_enc(SSL *s, int send) l = rec->length; bs = EVP_CIPHER_block_size(ds->cipher); - if (EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) { - unsigned char buf[13]; - - if (SSL_IS_DTLS(s)) { - dtls1_build_sequence_number(buf, seq, - send ? D1I(s)->w_epoch : D1I(s)->r_epoch); - } else { - memcpy(buf, seq, SSL3_SEQUENCE_SIZE); - tls1_record_sequence_increment(seq); - } - - buf[8] = rec->type; - buf[9] = (unsigned char)(s->version >> 8); - buf[10] = (unsigned char)(s->version); - buf[11] = rec->length >> 8; - buf[12] = rec->length & 0xff; - pad = EVP_CIPHER_CTX_ctrl(ds, EVP_CTRL_AEAD_TLS1_AAD, 13, buf); - if (send) { - l += pad; - rec->length += pad; - } - } else if ((bs != 1) && send) { + if (bs != 1 && send) { i = bs - ((int)l % bs); /* Add weird padding of upto 256 bytes */ 
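Review bot: With `send` now returning -1 at the top of `tls1_enc` (the `@@ -749` hunk), the remaining `send` tests in the function — `if (bs != 1 && send)` in the `@@ -957` hunk and `if ((bs != 1) && !send)` in the `@@ -1000` hunk on the next line — are dead branches, and `aead`, `rec` and `seq` are only assigned on the read path. The `/* No longer supported. */` comment should say where writes went, e.g. `/* Writes are handled by the TLSv1.2 record layer; this function now only processes incoming records. */` — the record-layer part is inferred from the `tls12_record_layer_*` calls elsewhere in this diff, so confirm the wording. The early return also yields -1 without an `SSLerror`, which callers will only be able to report as a generic failure.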
@@ -1000,19 +916,12 @@ tls1_enc(SSL *s, int send) if ((EVP_CIPHER_flags(ds->cipher) & EVP_CIPH_FLAG_CUSTOM_CIPHER) ? (i < 0) : (i == 0)) return -1; /* AEAD can fail to verify MAC */ - if (EVP_CIPHER_mode(enc) == EVP_CIPH_GCM_MODE && !send) { - rec->data += EVP_GCM_TLS_EXPLICIT_IV_LEN; - rec->input += EVP_GCM_TLS_EXPLICIT_IV_LEN; - rec->length -= EVP_GCM_TLS_EXPLICIT_IV_LEN; - } ret = 1; if (EVP_MD_CTX_md(s->read_hash) != NULL) mac_size = EVP_MD_CTX_size(s->read_hash); if ((bs != 1) && !send) ret = tls1_cbc_remove_padding(s, rec, bs, mac_size); - if (pad && !send) - rec->length -= pad; } return ret; } @@ -1026,7 +935,7 @@ tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out) if (str_len < 0) return 0; - if (!tls1_handshake_hash_value(s, buf, sizeof(buf), &hash_len)) + if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) return 0; if (!tls1_PRF(s, s->session->master_key, s->session->master_key_length, @@ -1040,7 +949,7 @@ tls1_final_finish_mac(SSL *s, const char *str, int str_len, unsigned char *out) int tls1_mac(SSL *ssl, unsigned char *md, int send) { - SSL3_RECORD *rec; + SSL3_RECORD_INTERNAL *rec; unsigned char *seq; EVP_MD_CTX *hash; size_t md_size, orig_len; @@ -1052,9 +961,8 @@ tls1_mac(SSL *ssl, unsigned char *md, int send) int t; if (send) { - rec = &(ssl->s3->internal->wrec); - seq = &(ssl->s3->internal->write_sequence[0]); - hash = ssl->internal->write_hash; + /* No longer supported. */ + return -1; } else { rec = &(ssl->s3->internal->rrec); seq = &(ssl->s3->internal->read_sequence[0]); @@ -1080,9 +988,7 @@ tls1_mac(SSL *ssl, unsigned char *md, int send) else memcpy(header, seq, SSL3_SEQUENCE_SIZE); - /* kludge: tls1_cbc_remove_padding passes padding length in rec->type */ - orig_len = rec->length + md_size + ((unsigned int)rec->type >> 8); - rec->type &= 0xff; + orig_len = rec->length + md_size + rec->padding_length; header[8] = rec->type; header[9] = (unsigned char)(ssl->version >> 8); 
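Review bot: `orig_len` in the `@@ -1080` hunk now comes from `rec->padding_length` instead of the high byte of `rec->type`, so every path that reaches `tls1_mac` must leave `padding_length` meaningful — in particular a record from a stream cipher, where no padding is removed, must see 0 rather than a value left over from an earlier record. The code that sets the new field (presumably `tls1_cbc_remove_padding`, which the removed comment named for the old kludge) is outside this hunk, so confirm it is reset per record. A comment at the assignment would make the dependency visible: `/* padding_length is set per record by the padding-removal path and must be zero for non-CBC records. */`. The `send` early return in the `@@ -1052` hunk has the same dead-branch consequences noted for tls1_enc.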
diff --git a/ssl/t1_hash.c b/ssl/t1_hash.c
deleted file mode 100644
index aef6e65..0000000
--- a/ssl/t1_hash.c
+++ /dev/null
@@ -1,111 +0,0 @@ -/* $OpenBSD: t1_hash.c,v 1.2 2017/05/06 16:18:36 jsing Exp $ */ -/* - * Copyright (c) 2017 Joel Sing - * - * Permission to use, copy, modify, and distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#include "ssl_locl.h" - -#include - -int -tls1_handshake_hash_init(SSL *s) -{ - const EVP_MD *md; - long dlen; - void *data; - - tls1_handshake_hash_free(s); - - if (!ssl_get_handshake_evp_md(s, &md)) { - SSLerrorx(ERR_R_INTERNAL_ERROR); - goto err; - } - - if ((S3I(s)->handshake_hash = EVP_MD_CTX_create()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - if (!EVP_DigestInit_ex(S3I(s)->handshake_hash, md, NULL)) { - SSLerror(s, ERR_R_EVP_LIB); - goto err; - } - - dlen = BIO_get_mem_data(S3I(s)->handshake_buffer, &data); - if (dlen <= 0) { - SSLerror(s, SSL_R_BAD_HANDSHAKE_LENGTH); - goto err; - } - if (!tls1_handshake_hash_update(s, data, dlen)) { - SSLerror(s, ERR_R_EVP_LIB); - goto err; - } - - return 1; - - err: - tls1_handshake_hash_free(s); - - return 0; -} - -int -tls1_handshake_hash_update(SSL *s, const unsigned char *buf, size_t len) -{ - if (S3I(s)->handshake_hash == NULL) - return 1; - - return EVP_DigestUpdate(S3I(s)->handshake_hash, buf, len); -} - -int -tls1_handshake_hash_value(SSL *s, const unsigned char *out, size_t len, - size_t *outlen) -{ - EVP_MD_CTX *mdctx = NULL; - unsigned 
int mdlen; - int ret = 0; - - if (EVP_MD_CTX_size(S3I(s)->handshake_hash) > len) - goto err; - - if ((mdctx = EVP_MD_CTX_create()) == NULL) { - SSLerror(s, ERR_R_MALLOC_FAILURE); - goto err; - } - if (!EVP_MD_CTX_copy_ex(mdctx, S3I(s)->handshake_hash)) { - SSLerror(s, ERR_R_EVP_LIB); - goto err; - } - if (!EVP_DigestFinal_ex(mdctx, (unsigned char *)out, &mdlen)) { - SSLerror(s, ERR_R_EVP_LIB); - goto err; - } - if (outlen != NULL) - *outlen = mdlen; - - ret = 1; - - err: - EVP_MD_CTX_destroy(mdctx); - - return (ret); -} - -void -tls1_handshake_hash_free(SSL *s) -{ - EVP_MD_CTX_destroy(S3I(s)->handshake_hash); - S3I(s)->handshake_hash = NULL; -} diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c index d92fd70..f091dd0 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: t1_lib.c,v 1.141 2018/02/08 11:30:30 jsing Exp $ */ +/* $OpenBSD: t1_lib.c,v 1.176 2020/09/12 17:25:11 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -119,36 +119,25 @@ #include "ssl_locl.h" #include "bytestring.h" +#include "ssl_sigalgs.h" #include "ssl_tlsext.h" -static int tls_decrypt_ticket(SSL *s, const unsigned char *tick, int ticklen, - const unsigned char *sess_id, int sesslen, +static int tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess); SSL3_ENC_METHOD TLSv1_enc_data = { - .enc = tls1_enc, .enc_flags = 0, }; SSL3_ENC_METHOD TLSv1_1_enc_data = { - .enc = tls1_enc, .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV, }; SSL3_ENC_METHOD TLSv1_2_enc_data = { - .enc = tls1_enc, .enc_flags = SSL_ENC_FLAG_EXPLICIT_IV|SSL_ENC_FLAG_SIGALGS| SSL_ENC_FLAG_SHA256_PRF|SSL_ENC_FLAG_TLS1_2_CIPHERS, }; -long -tls1_default_timeout(void) -{ - /* 2 hours, the 24 hours mentioned in the TLSv1 spec - * is way too long for http, the cache would over fill */ - return (60 * 60 * 2); -} - int tls1_new(SSL *s) { 
@@ -253,7 +242,14 @@ static const uint16_t eccurves_list[] = { }; #endif -static const uint16_t eccurves_default[] = { +static const uint16_t eccurves_client_default[] = { + 29, /* X25519 (29) */ + 23, /* secp256r1 (23) */ + 24, /* secp384r1 (24) */ + 25, /* secp521r1 (25) */ +}; + +static const uint16_t eccurves_server_default[] = { 29, /* X25519 (29) */ 23, /* secp256r1 (23) */ 24, /* secp384r1 (24) */ 
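Review bot: `eccurves_client_default` and `eccurves_server_default` begin with the same four entries (the server list's tail is outside the hunk) and nothing says why two lists now exist, so the next maintainer has no way to tell whether they are meant to diverge. A one-line comment above each, e.g. `/* Default groups offered by a client; kept separate from the server list so the two preference orders can differ. */`, would record the intent — adjust the wording if the lists are actually expected to stay identical.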
@@ -361,25 +357,31 @@ tls1_get_formatlist(SSL *s, int client_formats, const uint8_t **pformats, } /* - * Return the appropriate curve list. If client_curves is non-zero, return - * the client/session curves. Otherwise return the custom curve list if one - * exists, or the default curves if a custom list has not been specified. + * Return the appropriate group list. If client_groups is non-zero, return + * the client/session groups. Otherwise return the custom group list if one + * exists, or the default groups if a custom list has not been specified. */ void -tls1_get_curvelist(SSL *s, int client_curves, const uint16_t **pcurves, - size_t *pcurveslen) +tls1_get_group_list(SSL *s, int client_groups, const uint16_t **pgroups, + size_t *pgroupslen) { - if (client_curves != 0) { - *pcurves = SSI(s)->tlsext_supportedgroups; - *pcurveslen = SSI(s)->tlsext_supportedgroups_length; + if (client_groups != 0) { + *pgroups = SSI(s)->tlsext_supportedgroups; + *pgroupslen = SSI(s)->tlsext_supportedgroups_length; return; } - *pcurves = s->internal->tlsext_supportedgroups; - *pcurveslen = s->internal->tlsext_supportedgroups_length; - if (*pcurves == NULL) { - *pcurves = eccurves_default; - *pcurveslen = sizeof(eccurves_default) / 2; + *pgroups = s->internal->tlsext_supportedgroups; + *pgroupslen = s->internal->tlsext_supportedgroups_length; + if (*pgroups != NULL) + return; + + if (!s->server) { + *pgroups = eccurves_client_default; + *pgroupslen = sizeof(eccurves_client_default) / 2; + } else { + *pgroups = eccurves_server_default; + *pgroupslen = sizeof(eccurves_server_default) / 2; } } @@ -410,7 +412,7 @@ tls1_set_groups(uint16_t **out_group_ids, size_t *out_group_ids_len, } int -tls1_set_groups_list(uint16_t **out_group_ids, size_t *out_group_ids_len, +tls1_set_group_list(uint16_t **out_group_ids, size_t *out_group_ids_len, const char *groups) { uint16_t *new_group_ids, *group_ids = NULL; 
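Review bot: `*pgroupslen = sizeof(eccurves_client_default) / 2;` and the matching server line hard-code the element width; `sizeof(eccurves_client_default) / sizeof(eccurves_client_default[0])` expresses the count without tying it to `uint16_t` and survives a change of element type. The function comment was updated for the rename but not for the new behaviour: add a sentence such as ` * The default list depends on whether this SSL is a client or a server.` so callers know the result of the no-custom-list case is role-dependent.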
@@ -461,13 +463,13 @@ tls1_set_groups_list(uint16_t **out_group_ids, size_t *out_group_ids_len, int tls1_check_curve(SSL *s, const uint16_t curve_id) { - const uint16_t *curves; - size_t curveslen, i; + const uint16_t *groups; + size_t groupslen, i; - tls1_get_curvelist(s, 0, &curves, &curveslen); + tls1_get_group_list(s, 0, &groups, &groupslen); - for (i = 0; i < curveslen; i++) { - if (curves[i] == curve_id) + for (i = 0; i < groupslen; i++) { + if (groups[i] == curve_id) return (1); } return (0); @@ -486,8 +488,8 @@ tls1_get_shared_curve(SSL *s) /* Return first preference shared curve. */ server_pref = (s->internal->options & SSL_OP_CIPHER_SERVER_PREFERENCE); - tls1_get_curvelist(s, (server_pref == 0), &pref, &preflen); - tls1_get_curvelist(s, (server_pref != 0), &supp, &supplen); + tls1_get_group_list(s, (server_pref == 0), &pref, &preflen); + tls1_get_group_list(s, (server_pref != 0), &supp, &supplen); for (i = 0; i < preflen; i++) { for (j = 0; j < supplen; j++) { 
@@ -504,43 +506,38 @@ tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) { const EC_GROUP *grp; const EC_METHOD *meth; - int is_prime = 0; - int nid, id; + int prime_field; + int nid; if (ec == NULL) return (0); - /* Determine if it is a prime field. */ + /* Determine whether the curve is defined over a prime field. */ if ((grp = EC_KEY_get0_group(ec)) == NULL) return (0); if ((meth = EC_GROUP_method_of(grp)) == NULL) return (0); - if (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field) - is_prime = 1; + prime_field = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field); - /* Determine curve ID. */ + /* Determine curve ID - NID_undef results in a curve ID of zero. */ nid = EC_GROUP_get_curve_name(grp); - id = tls1_ec_nid2curve_id(nid); - /* If we have an ID set it, otherwise set arbitrary explicit curve. */ - if (id != 0) - *curve_id = id; - else - *curve_id = is_prime ? 0xff01 : 0xff02; + if ((*curve_id = tls1_ec_nid2curve_id(nid)) == 0) + *curve_id = prime_field ? 0xff01 : 0xff02; + + if (comp_id == NULL) + return (1); /* Specify the compression identifier. */ - if (comp_id != NULL) { - if (EC_KEY_get0_public_key(ec) == NULL) - return (0); - - if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { - *comp_id = is_prime ? - TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime : - TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; - } else { - *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; - } + if (EC_KEY_get0_public_key(ec) == NULL) + return (0); + *comp_id = TLSEXT_ECPOINTFORMAT_uncompressed; + if (EC_KEY_get_conv_form(ec) == POINT_CONVERSION_COMPRESSED) { + *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2; + if (prime_field) + *comp_id = TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime; } + return (1); } 
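Review bot: The fallback `*curve_id = prime_field ? 0xff01 : 0xff02;` carries over two bare constants; these are the RFC 4492 NamedCurve values `arbitrary_explicit_prime_curves` (0xFF01) and `arbitrary_explicit_char2_curves` (0xFF02) and deserve a comment: `/* RFC 4492: arbitrary_explicit_prime_curves (0xff01) / arbitrary_explicit_char2_curves (0xff02). */`. Also `*curve_id` is written before the `EC_KEY_get0_public_key(ec) == NULL` failure return, so a caller that ignores the 0 result still sees a curve ID for a key with no public point — this matches the old code, but the function's contract ("outputs are only valid when 1 is returned") should be stated in its comment.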
@@ -548,8 +545,8 @@ tls1_set_ec_id(uint16_t *curve_id, uint8_t *comp_id, EC_KEY *ec) static int tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) { - size_t curveslen, formatslen, i; - const uint16_t *curves; + size_t groupslen, formatslen, i; + const uint16_t *groups; const uint8_t *formats; /* @@ -569,13 +566,13 @@ tls1_check_ec_key(SSL *s, const uint16_t *curve_id, const uint8_t *comp_id) /* * Check curve list if present, otherwise everything is supported. */ - tls1_get_curvelist(s, 1, &curves, &curveslen); - if (curve_id != NULL && curves != NULL) { - for (i = 0; i < curveslen; i++) { - if (curves[i] == *curve_id) + tls1_get_group_list(s, 1, &groups, &groupslen); + if (curve_id != NULL && groups != NULL) { + for (i = 0; i < groupslen; i++) { + if (groups[i] == *curve_id) break; } - if (i == curveslen) + if (i == groupslen) return (0); } 
@@ -604,63 +601,6 @@ tls1_check_ec_server_key(SSL *s) return tls1_check_ec_key(s, &curve_id, &comp_id); } -/* Check EC temporary key is compatible with client extensions. */ -int -tls1_check_ec_tmp_key(SSL *s) -{ - EC_KEY *ec = s->cert->ecdh_tmp; - uint16_t curve_id; - - /* Need a shared curve. */ - if (tls1_get_shared_curve(s) != NID_undef) - return (1); - - if (ec == NULL) - return (0); - - if (tls1_set_ec_id(&curve_id, NULL, ec) != 1) - return (0); - - return tls1_check_ec_key(s, &curve_id, NULL); -} - -/* - * List of supported signature algorithms and hashes. Should make this - * customisable at some point, for now include everything we support. - */ - -static unsigned char tls12_sigalgs[] = { - TLSEXT_hash_sha512, TLSEXT_signature_rsa, - TLSEXT_hash_sha512, TLSEXT_signature_ecdsa, -#ifndef OPENSSL_NO_GOST - TLSEXT_hash_streebog_512, TLSEXT_signature_gostr12_512, -#endif - - TLSEXT_hash_sha384, TLSEXT_signature_rsa, - TLSEXT_hash_sha384, TLSEXT_signature_ecdsa, - - TLSEXT_hash_sha256, TLSEXT_signature_rsa, - TLSEXT_hash_sha256, TLSEXT_signature_ecdsa, - -#ifndef OPENSSL_NO_GOST - TLSEXT_hash_streebog_256, TLSEXT_signature_gostr12_256, - TLSEXT_hash_gost94, TLSEXT_signature_gostr01, -#endif - - TLSEXT_hash_sha224, TLSEXT_signature_rsa, - TLSEXT_hash_sha224, TLSEXT_signature_ecdsa, - - TLSEXT_hash_sha1, TLSEXT_signature_rsa, - TLSEXT_hash_sha1, TLSEXT_signature_ecdsa, -}; - -void -tls12_get_req_sig_algs(SSL *s, unsigned char **sigalgs, size_t *sigalgs_len) -{ - *sigalgs = tls12_sigalgs; - *sigalgs_len = sizeof(tls12_sigalgs); -} - int ssl_check_clienthello_tlsext_early(SSL *s) { @@ -689,7 +629,6 @@ ssl_check_clienthello_tlsext_early(SSL *s) ssl3_send_alert(s, SSL3_AL_WARNING, al); return 1; case SSL_TLSEXT_ERR_NOACK: - s->internal->servername_done = 0; default: return 1; } 
@@ -777,12 +716,11 @@ ssl_check_serverhello_tlsext(SSL *s)
 if ((s->tlsext_status_type != -1) && !(s->internal->tlsext_status_expected) && s->ctx && s->ctx->internal->tlsext_status_cb) {
 int r;
- /* Set resp to NULL, resplen to -1 so callback knows
- * there is no response.
- */
+ free(s->internal->tlsext_ocsp_resp);
 s->internal->tlsext_ocsp_resp = NULL;
- s->internal->tlsext_ocsp_resplen = -1;
+ s->internal->tlsext_ocsp_resp_len = 0;
+
 r = s->ctx->internal->tlsext_status_cb(s, s->ctx->internal->tlsext_status_arg);
 if (r == 0) {
@@ -798,14 +736,11 @@ ssl_check_serverhello_tlsext(SSL *s)
 switch (ret) {
 case SSL_TLSEXT_ERR_ALERT_FATAL:
 ssl3_send_alert(s, SSL3_AL_FATAL, al);
- return -1;
 case SSL_TLSEXT_ERR_ALERT_WARNING:
 ssl3_send_alert(s, SSL3_AL_WARNING, al);
- return 1;
 case SSL_TLSEXT_ERR_NOACK:
- s->internal->servername_done = 0;
 default:
 return 1;
 }
@@ -815,11 +750,7 @@ ssl_check_serverhello_tlsext(SSL *s)
 * ClientHello, and other operations depend on the result, we need to handle
 * any TLS session ticket extension at the same time.
 *
- * session_id: points at the session ID in the ClientHello. This code will
- * read past the end of this in order to parse out the session ticket
- * extension, if any.
- * len: the length of the session ID.
- * limit: a pointer to the first byte after the ClientHello.
+ * ext_block: a CBS for the ClientHello extensions block.
 * ret: (output) on return, if a ticket was decrypted, then this is set to
 * point to the resulting session.
 *
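Review bot: The comment that explained the "no response" sentinel handed to tlsext_status_cb is deleted in this hunk at the same time the sentinel itself changes from `tlsext_ocsp_resplen = -1` to `tlsext_ocsp_resp_len = 0`, so nothing now documents the contract the callback relies on. Suggest restoring it above the new `free()`, e.g. `/* Free any previous response and set resp to NULL, resp_len to 0, so the callback knows there is no response. */`. The `free(s->internal->tlsext_ocsp_resp)` is new behaviour here and deserves a word as well, since a callback that retained a pointer to the earlier buffer would now hold freed memory; whether any caller does that cannot be seen from this hunk. The enclosing function, ssl_check_serverhello_tlsext, starts outside the hunk.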
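Review bot: Removing `return -1;` after the fatal alert and `return 1;` after the warning alert in the `switch (ret)` makes SSL_TLSEXT_ERR_ALERT_FATAL fall through into the warning case and then into `return 1`, so a callback that asked for a fatal alert now also sends a warning alert and the function reports success to its caller. Unless the two removed lines are an artefact of this rendering, the early returns should stay: `ssl3_send_alert(s, SSL3_AL_FATAL, al);` / `return -1;` for the fatal case and `return 1;` for the warning case. If the fallthrough is intended it needs a comment on each case label, because as written a reader cannot tell it apart from two lost lines. The switch sits at the end of ssl_check_serverhello_tlsext, whose start is outside the hunk.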
@@ -828,13 +759,14 @@ ssl_check_serverhello_tlsext(SSL *s)
 * never be decrypted, nor will s->internal->tlsext_ticket_expected be set to 1.
 *
 * Returns:
- * -1: fatal error, either from parsing or decrypting the ticket.
- * 0: no ticket was found (or was ignored, based on settings).
- * 1: a zero length extension was found, indicating that the client supports
- * session tickets but doesn't currently have one to offer.
- * 2: either s->internal->tls_session_secret_cb was set, or a ticket was offered but
- * couldn't be decrypted because of a non-fatal error.
- * 3: a ticket was successfully decrypted and *ret was set.
+ * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket.
+ * TLS1_TICKET_NONE: no ticket was found (or was ignored, based on settings).
+ * TLS1_TICKET_EMPTY: a zero length extension was found, indicating that the
+ * client supports session tickets but doesn't currently have one to offer.
+ * TLS1_TICKET_NOT_DECRYPTED: either s->internal->tls_session_secret_cb was
+ * set, or a ticket was offered but couldn't be decrypted because of a
+ * non-fatal error.
+ * TLS1_TICKET_DECRYPTED: a ticket was successfully decrypted and *ret was set.
 *
 * Side effects:
 * Sets s->internal->tlsext_ticket_expected to 1 if the server will have to issue
@@ -845,396 +777,232 @@ ssl_check_serverhello_tlsext(SSL *s) * Otherwise, s->internal->tlsext_ticket_expected is set to 0. */ int -tls1_process_ticket(SSL *s, const unsigned char *session, int session_len, - const unsigned char *limit, SSL_SESSION **ret) +tls1_process_ticket(SSL *s, CBS *ext_block, int *alert, SSL_SESSION **ret) { - /* Point after session ID in client hello */ - CBS session_id, cookie, cipher_list, compress_algo, extensions; + CBS extensions, ext_data; + uint16_t ext_type = 0; - *ret = NULL; s->internal->tlsext_ticket_expected = 0; + *ret = NULL; - /* If tickets disabled behave as if no ticket present - * to permit stateful resumption. + /* + * If tickets disabled behave as if no ticket present to permit stateful + * resumption. */ if (SSL_get_options(s) & SSL_OP_NO_TICKET) - return 0; - if (!limit) - return 0; + return TLS1_TICKET_NONE; - if (limit < session) - return -1; + /* + * An empty extensions block is valid, but obviously does not contain + * a session ticket. + */ + if (CBS_len(ext_block) == 0) + return TLS1_TICKET_NONE; - CBS_init(&session_id, session, limit - session); - - /* Skip past the session id */ - if (!CBS_skip(&session_id, session_len)) - return -1; - - /* Skip past DTLS cookie */ - if (SSL_IS_DTLS(s)) { - if (!CBS_get_u8_length_prefixed(&session_id, &cookie)) - return -1; + if (!CBS_get_u16_length_prefixed(ext_block, &extensions)) { + *alert = SSL_AD_DECODE_ERROR; + return TLS1_TICKET_FATAL_ERROR; } - /* Skip past cipher list */ - if (!CBS_get_u16_length_prefixed(&session_id, &cipher_list)) - return -1; - - /* Skip past compression algorithm list */ - if (!CBS_get_u8_length_prefixed(&session_id, &compress_algo)) - return -1; - - /* Now at start of extensions */ - if (CBS_len(&session_id) == 0) - return 0; - if (!CBS_get_u16_length_prefixed(&session_id, &extensions)) - return -1; - while (CBS_len(&extensions) > 0) { - CBS ext_data; - uint16_t ext_type; - if (!CBS_get_u16(&extensions, &ext_type) || - 
!CBS_get_u16_length_prefixed(&extensions, &ext_data)) - return -1; - - if (ext_type == TLSEXT_TYPE_session_ticket) { - int r; - if (CBS_len(&ext_data) == 0) { - /* The client will accept a ticket but doesn't - * currently have one. */ - s->internal->tlsext_ticket_expected = 1; - return 1; - } - if (s->internal->tls_session_secret_cb) { - /* Indicate that the ticket couldn't be - * decrypted rather than generating the session - * from ticket now, trigger abbreviated - * handshake based on external mechanism to - * calculate the master secret later. */ - return 2; - } - - r = tls_decrypt_ticket(s, CBS_data(&ext_data), - CBS_len(&ext_data), session, session_len, ret); - - switch (r) { - case 2: /* ticket couldn't be decrypted */ - s->internal->tlsext_ticket_expected = 1; - return 2; - case 3: /* ticket was decrypted */ - return r; - case 4: /* ticket decrypted but need to renew */ - s->internal->tlsext_ticket_expected = 1; - return 3; - default: /* fatal error */ - return -1; - } + !CBS_get_u16_length_prefixed(&extensions, &ext_data)) { + *alert = SSL_AD_DECODE_ERROR; + return TLS1_TICKET_FATAL_ERROR; } + + if (ext_type == TLSEXT_TYPE_session_ticket) + break; } - return 0; + + if (ext_type != TLSEXT_TYPE_session_ticket) + return TLS1_TICKET_NONE; + + if (CBS_len(&ext_data) == 0) { + /* + * The client will accept a ticket but does not currently + * have one. + */ + s->internal->tlsext_ticket_expected = 1; + return TLS1_TICKET_EMPTY; + } + + if (s->internal->tls_session_secret_cb != NULL) { + /* + * Indicate that the ticket could not be decrypted rather than + * generating the session from ticket now, trigger abbreviated + * handshake based on external mechanism to calculate the master + * secret later. + */ + return TLS1_TICKET_NOT_DECRYPTED; + } + + return tls_decrypt_ticket(s, &ext_data, alert, ret); } /* tls_decrypt_ticket attempts to decrypt a session ticket. * - * etick: points to the body of the session ticket extension. 
- * eticklen: the length of the session tickets extenion. - * sess_id: points at the session ID. - * sesslen: the length of the session ID. + * ticket: a CBS containing the body of the session ticket extension. * psess: (output) on return, if a ticket was decrypted, then this is set to * point to the resulting session. * * Returns: - * -1: fatal error, either from parsing or decrypting the ticket. - * 2: the ticket couldn't be decrypted. - * 3: a ticket was successfully decrypted and *psess was set. - * 4: same as 3, but the ticket needs to be renewed. + * TLS1_TICKET_FATAL_ERROR: error from parsing or decrypting the ticket. + * TLS1_TICKET_NOT_DECRYPTED: the ticket couldn't be decrypted. + * TLS1_TICKET_DECRYPTED: a ticket was decrypted and *psess was set. */ static int -tls_decrypt_ticket(SSL *s, const unsigned char *etick, int eticklen, - const unsigned char *sess_id, int sesslen, SSL_SESSION **psess) +tls_decrypt_ticket(SSL *s, CBS *ticket, int *alert, SSL_SESSION **psess) { - SSL_SESSION *sess; - unsigned char *sdec; + CBS ticket_name, ticket_iv, ticket_encdata, ticket_hmac; + SSL_SESSION *sess = NULL; + unsigned char *sdec = NULL; + size_t sdec_len = 0; const unsigned char *p; - int slen, mlen, renew_ticket = 0; - unsigned char tick_hmac[EVP_MAX_MD_SIZE]; - HMAC_CTX hctx; - EVP_CIPHER_CTX ctx; + unsigned char hmac[EVP_MAX_MD_SIZE]; + HMAC_CTX *hctx = NULL; + EVP_CIPHER_CTX *cctx = NULL; SSL_CTX *tctx = s->initial_ctx; + int slen, hlen; + int alert_desc = SSL_AD_INTERNAL_ERROR; + int ret = TLS1_TICKET_FATAL_ERROR; + + *psess = NULL; + + if (!CBS_get_bytes(ticket, &ticket_name, 16)) + goto derr; /* - * The API guarantees EVP_MAX_IV_LENGTH bytes of space for - * the iv to tlsext_ticket_key_cb(). Since the total space - * required for a session cookie is never less than this, - * this check isn't too strict. The exact check comes later. + * Initialize session ticket encryption and HMAC contexts. 
*/ - if (eticklen < 16 + EVP_MAX_IV_LENGTH) - return 2; + if ((cctx = EVP_CIPHER_CTX_new()) == NULL) + goto err; + if ((hctx = HMAC_CTX_new()) == NULL) + goto err; - /* Initialize session ticket encryption and HMAC contexts */ - HMAC_CTX_init(&hctx); - EVP_CIPHER_CTX_init(&ctx); - if (tctx->internal->tlsext_ticket_key_cb) { - unsigned char *nctick = (unsigned char *)etick; - int rv = tctx->internal->tlsext_ticket_key_cb(s, - nctick, nctick + 16, &ctx, &hctx, 0); - if (rv < 0) { - HMAC_CTX_cleanup(&hctx); - EVP_CIPHER_CTX_cleanup(&ctx); - return -1; - } - if (rv == 0) { - HMAC_CTX_cleanup(&hctx); - EVP_CIPHER_CTX_cleanup(&ctx); - return 2; - } - if (rv == 2) - renew_ticket = 1; - } else { - /* Check key name matches */ - if (timingsafe_memcmp(etick, - tctx->internal->tlsext_tick_key_name, 16)) - return 2; - HMAC_Init_ex(&hctx, tctx->internal->tlsext_tick_hmac_key, - 16, tlsext_tick_md(), NULL); - EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, - tctx->internal->tlsext_tick_aes_key, etick + 16); - } + if (tctx->internal->tlsext_ticket_key_cb != NULL) { + int rv; - /* - * Attempt to process session ticket, first conduct sanity and - * integrity checks on ticket. 
- */ - mlen = HMAC_size(&hctx); - if (mlen < 0) { - HMAC_CTX_cleanup(&hctx); - EVP_CIPHER_CTX_cleanup(&ctx); - return -1; - } - - /* Sanity check ticket length: must exceed keyname + IV + HMAC */ - if (eticklen <= 16 + EVP_CIPHER_CTX_iv_length(&ctx) + mlen) { - HMAC_CTX_cleanup(&hctx); - EVP_CIPHER_CTX_cleanup(&ctx); - return 2; - } - eticklen -= mlen; - - /* Check HMAC of encrypted ticket */ - if (HMAC_Update(&hctx, etick, eticklen) <= 0 || - HMAC_Final(&hctx, tick_hmac, NULL) <= 0) { - HMAC_CTX_cleanup(&hctx); - EVP_CIPHER_CTX_cleanup(&ctx); - return -1; - } - - HMAC_CTX_cleanup(&hctx); - if (timingsafe_memcmp(tick_hmac, etick + eticklen, mlen)) { - EVP_CIPHER_CTX_cleanup(&ctx); - return 2; - } - - /* Attempt to decrypt session data */ - /* Move p after IV to start of encrypted ticket, update length */ - p = etick + 16 + EVP_CIPHER_CTX_iv_length(&ctx); - eticklen -= 16 + EVP_CIPHER_CTX_iv_length(&ctx); - sdec = malloc(eticklen); - if (sdec == NULL || - EVP_DecryptUpdate(&ctx, sdec, &slen, p, eticklen) <= 0) { - free(sdec); - EVP_CIPHER_CTX_cleanup(&ctx); - return -1; - } - if (EVP_DecryptFinal_ex(&ctx, sdec + slen, &mlen) <= 0) { - free(sdec); - EVP_CIPHER_CTX_cleanup(&ctx); - return 2; - } - slen += mlen; - EVP_CIPHER_CTX_cleanup(&ctx); - p = sdec; - - sess = d2i_SSL_SESSION(NULL, &p, slen); - free(sdec); - if (sess) { - /* The session ID, if non-empty, is used by some clients to - * detect that the ticket has been accepted. So we copy it to - * the session structure. If it is empty set length to zero - * as required by standard. + /* + * The API guarantees EVP_MAX_IV_LENGTH bytes of space for + * the iv to tlsext_ticket_key_cb(). Since the total space + * required for a session cookie is never less than this, + * this check isn't too strict. The exact check comes later. 
*/ - if (sesslen) - memcpy(sess->session_id, sess_id, sesslen); - sess->session_id_length = sesslen; - *psess = sess; - if (renew_ticket) - return 4; - else - return 3; - } - ERR_clear_error(); - /* For session parse failure, indicate that we need to send a new - * ticket. */ - return 2; -} + if (CBS_len(ticket) < EVP_MAX_IV_LENGTH) + goto derr; -/* Tables to translate from NIDs to TLS v1.2 ids */ - -typedef struct { - int nid; - int id; -} tls12_lookup; - -static tls12_lookup tls12_md[] = { - {NID_md5, TLSEXT_hash_md5}, - {NID_sha1, TLSEXT_hash_sha1}, - {NID_sha224, TLSEXT_hash_sha224}, - {NID_sha256, TLSEXT_hash_sha256}, - {NID_sha384, TLSEXT_hash_sha384}, - {NID_sha512, TLSEXT_hash_sha512}, - {NID_id_GostR3411_94, TLSEXT_hash_gost94}, - {NID_id_tc26_gost3411_2012_256, TLSEXT_hash_streebog_256}, - {NID_id_tc26_gost3411_2012_512, TLSEXT_hash_streebog_512} -}; - -static tls12_lookup tls12_sig[] = { - {EVP_PKEY_RSA, TLSEXT_signature_rsa}, - {EVP_PKEY_EC, TLSEXT_signature_ecdsa}, - {EVP_PKEY_GOSTR01, TLSEXT_signature_gostr01}, -}; - -static int -tls12_find_id(int nid, tls12_lookup *table, size_t tlen) -{ - size_t i; - for (i = 0; i < tlen; i++) { - if (table[i].nid == nid) - return table[i].id; - } - return -1; -} - -int -tls12_get_sigandhash(unsigned char *p, const EVP_PKEY *pk, const EVP_MD *md) -{ - int sig_id, md_id; - if (!md) - return 0; - md_id = tls12_find_id(EVP_MD_type(md), tls12_md, - sizeof(tls12_md) / sizeof(tls12_lookup)); - if (md_id == -1) - return 0; - sig_id = tls12_get_sigid(pk); - if (sig_id == -1) - return 0; - p[0] = (unsigned char)md_id; - p[1] = (unsigned char)sig_id; - return 1; -} - -int -tls12_get_sigid(const EVP_PKEY *pk) -{ - return tls12_find_id(pk->type, tls12_sig, - sizeof(tls12_sig) / sizeof(tls12_lookup)); -} - -const EVP_MD * -tls12_get_hash(unsigned char hash_alg) -{ - switch (hash_alg) { - case TLSEXT_hash_sha1: - return EVP_sha1(); - case TLSEXT_hash_sha224: - return EVP_sha224(); - case TLSEXT_hash_sha256: - return EVP_sha256(); 
- case TLSEXT_hash_sha384: - return EVP_sha384(); - case TLSEXT_hash_sha512: - return EVP_sha512(); -#ifndef OPENSSL_NO_GOST - case TLSEXT_hash_gost94: - return EVP_gostr341194(); - case TLSEXT_hash_streebog_256: - return EVP_streebog256(); - case TLSEXT_hash_streebog_512: - return EVP_streebog512(); -#endif - default: - return NULL; - } -} - -/* Set preferred digest for each key type */ - -int -tls1_process_sigalgs(SSL *s, CBS *cbs) -{ - const EVP_MD *md; - CERT *c = s->cert; - int idx; - - /* Extension ignored for inappropriate versions */ - if (!SSL_USE_SIGALGS(s)) - return 1; - - /* Should never happen */ - if (c == NULL) - return 0; - - c->pkeys[SSL_PKEY_RSA_SIGN].digest = NULL; - c->pkeys[SSL_PKEY_RSA_ENC].digest = NULL; - c->pkeys[SSL_PKEY_ECC].digest = NULL; - c->pkeys[SSL_PKEY_GOST01].digest = NULL; - - while (CBS_len(cbs) > 0) { - uint8_t hash_alg, sig_alg; - - if (!CBS_get_u8(cbs, &hash_alg) || !CBS_get_u8(cbs, &sig_alg)) - return 0; - - switch (sig_alg) { - case TLSEXT_signature_rsa: - idx = SSL_PKEY_RSA_SIGN; - break; - case TLSEXT_signature_ecdsa: - idx = SSL_PKEY_ECC; - break; - case TLSEXT_signature_gostr01: - case TLSEXT_signature_gostr12_256: - case TLSEXT_signature_gostr12_512: - idx = SSL_PKEY_GOST01; - break; - default: - continue; - } - - if (c->pkeys[idx].digest == NULL) { - md = tls12_get_hash(hash_alg); - if (md) { - c->pkeys[idx].digest = md; - if (idx == SSL_PKEY_RSA_SIGN) - c->pkeys[SSL_PKEY_RSA_ENC].digest = md; - } + if ((rv = tctx->internal->tlsext_ticket_key_cb(s, + (unsigned char *)CBS_data(&ticket_name), + (unsigned char *)CBS_data(ticket), cctx, hctx, 0)) < 0) + goto err; + if (rv == 0) + goto derr; + if (rv == 2) { + /* Renew ticket. */ + s->internal->tlsext_ticket_expected = 1; } + /* + * Now that the cipher context is initialised, we can extract + * the IV since its length is known. + */ + if (!CBS_get_bytes(ticket, &ticket_iv, + EVP_CIPHER_CTX_iv_length(cctx))) + goto derr; + } else { + /* Check that the key name matches. 
*/ + if (!CBS_mem_equal(&ticket_name, + tctx->internal->tlsext_tick_key_name, + sizeof(tctx->internal->tlsext_tick_key_name))) + goto derr; + if (!CBS_get_bytes(ticket, &ticket_iv, + EVP_CIPHER_iv_length(EVP_aes_128_cbc()))) + goto derr; + if (!EVP_DecryptInit_ex(cctx, EVP_aes_128_cbc(), NULL, + tctx->internal->tlsext_tick_aes_key, CBS_data(&ticket_iv))) + goto err; + if (!HMAC_Init_ex(hctx, tctx->internal->tlsext_tick_hmac_key, + sizeof(tctx->internal->tlsext_tick_hmac_key), EVP_sha256(), + NULL)) + goto err; } /* - * Set any remaining keys to default values. NOTE: if alg is not - * supported it stays as NULL. + * Attempt to process session ticket. */ - if (!c->pkeys[SSL_PKEY_RSA_SIGN].digest) { - c->pkeys[SSL_PKEY_RSA_SIGN].digest = EVP_sha1(); - c->pkeys[SSL_PKEY_RSA_ENC].digest = EVP_sha1(); + + if ((hlen = HMAC_size(hctx)) < 0) + goto err; + + if (hlen > CBS_len(ticket)) + goto derr; + if (!CBS_get_bytes(ticket, &ticket_encdata, CBS_len(ticket) - hlen)) + goto derr; + if (!CBS_get_bytes(ticket, &ticket_hmac, hlen)) + goto derr; + if (CBS_len(ticket) != 0) { + alert_desc = SSL_AD_DECODE_ERROR; + goto err; } - if (!c->pkeys[SSL_PKEY_ECC].digest) - c->pkeys[SSL_PKEY_ECC].digest = EVP_sha1(); -#ifndef OPENSSL_NO_GOST - if (!c->pkeys[SSL_PKEY_GOST01].digest) - c->pkeys[SSL_PKEY_GOST01].digest = EVP_gostr341194(); -#endif - return 1; + + /* Check HMAC of encrypted ticket. */ + if (HMAC_Update(hctx, CBS_data(&ticket_name), + CBS_len(&ticket_name)) <= 0) + goto err; + if (HMAC_Update(hctx, CBS_data(&ticket_iv), + CBS_len(&ticket_iv)) <= 0) + goto err; + if (HMAC_Update(hctx, CBS_data(&ticket_encdata), + CBS_len(&ticket_encdata)) <= 0) + goto err; + if (HMAC_Final(hctx, hmac, &hlen) <= 0) + goto err; + + if (!CBS_mem_equal(&ticket_hmac, hmac, hlen)) + goto derr; + + /* Attempt to decrypt session data. 
*/ + sdec_len = CBS_len(&ticket_encdata); + if ((sdec = calloc(1, sdec_len)) == NULL) + goto err; + if (EVP_DecryptUpdate(cctx, sdec, &slen, CBS_data(&ticket_encdata), + CBS_len(&ticket_encdata)) <= 0) + goto derr; + if (EVP_DecryptFinal_ex(cctx, sdec + slen, &hlen) <= 0) + goto derr; + + slen += hlen; + + /* + * For session parse failures, indicate that we need to send a new + * ticket. + */ + p = sdec; + if ((sess = d2i_SSL_SESSION(NULL, &p, slen)) == NULL) + goto derr; + *psess = sess; + sess = NULL; + + ret = TLS1_TICKET_DECRYPTED; + goto done; + + derr: + ERR_clear_error(); + s->internal->tlsext_ticket_expected = 1; + ret = TLS1_TICKET_NOT_DECRYPTED; + goto done; + + err: + *alert = alert_desc; + ret = TLS1_TICKET_FATAL_ERROR; + goto done; + + done: + freezero(sdec, sdec_len); + EVP_CIPHER_CTX_free(cctx); + HMAC_CTX_free(hctx); + SSL_SESSION_free(sess); + + return ret; } diff --git a/ssl/t1_meth.c b/ssl/t1_meth.c deleted file mode 100644 index 6a4a243..0000000 --- a/ssl/t1_meth.c +++ /dev/null 
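Review bot: In the new tls_decrypt_ticket, `hlen` is declared `int` but its address is passed to HMAC_Final, whose length parameter is `unsigned int *`, and the same variable is then reused as the `int *outl` of EVP_DecryptFinal_ex; the first use is an incompatible-pointer-type mismatch compilers warn about, and the reuse means `slen += hlen` no longer reads as "plus the MAC length" although it is written with the variable that held it. Give the MAC length its own variable: `int slen, hlen; unsigned int hmac_len;`, then `if (HMAC_Final(hctx, hmac, &hmac_len) <= 0) goto err;` and `if (!CBS_mem_equal(&ticket_hmac, hmac, hmac_len)) goto derr;`, leaving `hlen` for HMAC_size and the decrypt tail. A smaller consistency point in the same function: the key name is taken with a literal `16` in `CBS_get_bytes(ticket, &ticket_name, 16)` while the comparison uses `sizeof(tctx->internal->tlsext_tick_key_name)`, so one of the two should be derived from the other; CBS_mem_equal fails closed on a length mismatch, but the duplication invites drift.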
@@ -1,243 +0,0 @@ -/* $OpenBSD: t1_meth.c,v 1.23 2017/01/26 05:31:25 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#include - -#include - -#include "ssl_locl.h" - -static const SSL_METHOD *tls1_get_method(int ver); - -static const SSL_METHOD_INTERNAL TLS_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_pending = ssl3_pending, - .get_ssl_method = tls1_get_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl_undefined_function, - .ssl_renegotiate_check = ssl_ok, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, -}; - -static const SSL_METHOD TLS_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLS_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_method_internal_data = { - .version = TLS1_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_pending = ssl3_pending, - .get_ssl_method = tls1_get_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_enc_data, -}; - 
-static const SSL_METHOD TLSv1_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_1_method_internal_data = { - .version = TLS1_1_VERSION, - .min_version = TLS1_1_VERSION, - .max_version = TLS1_1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_pending = ssl3_pending, - .get_ssl_method = tls1_get_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_1_enc_data, -}; - -static const SSL_METHOD TLSv1_1_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_1_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_2_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_2_VERSION, - .max_version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl3_connect, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_pending = ssl3_pending, - .get_ssl_method = tls1_get_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - 
.ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, -}; - -static const SSL_METHOD TLSv1_2_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_2_method_internal_data, -}; - -static const SSL_METHOD * -tls1_get_method(int ver) -{ - if (ver == TLS1_2_VERSION) - return (TLSv1_2_method()); - if (ver == TLS1_1_VERSION) - return (TLSv1_1_method()); - if (ver == TLS1_VERSION) - return (TLSv1_method()); - return (NULL); -} - -const SSL_METHOD * -SSLv23_method(void) -{ - return (TLS_method()); -} - -const SSL_METHOD * -TLS_method(void) -{ - return &TLS_method_data; -} - -const SSL_METHOD * -TLSv1_method(void) -{ - return (&TLSv1_method_data); -} - -const SSL_METHOD * -TLSv1_1_method(void) -{ - return (&TLSv1_1_method_data); -} - -const SSL_METHOD * -TLSv1_2_method(void) -{ - return (&TLSv1_2_method_data); -} diff --git a/ssl/t1_srvr.c b/ssl/t1_srvr.c deleted file mode 100644 index 1fc0ebe..0000000 --- a/ssl/t1_srvr.c +++ /dev/null 
@@ -1,244 +0,0 @@ -/* $OpenBSD: t1_srvr.c,v 1.25 2017/01/26 05:31:25 jsing Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] 
- */ - -#include - -#include "ssl_locl.h" - -#include -#include -#include -#include - -static const SSL_METHOD_INTERNAL TLS_server_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_pending = ssl3_pending, - .get_ssl_method = tls1_get_server_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl_undefined_function, - .ssl_renegotiate_check = ssl_ok, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, -}; - -static const SSL_METHOD TLS_server_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLS_server_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_server_method_internal_data = { - .version = TLS1_VERSION, - .min_version = TLS1_VERSION, - .max_version = TLS1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_pending = ssl3_pending, - .get_ssl_method = tls1_get_server_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - 
.ssl3_enc = &TLSv1_enc_data, -}; - -static const SSL_METHOD TLSv1_server_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_server_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_1_server_method_internal_data = { - .version = TLS1_1_VERSION, - .min_version = TLS1_1_VERSION, - .max_version = TLS1_1_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_pending = ssl3_pending, - .get_ssl_method = tls1_get_server_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_1_enc_data, -}; - -static const SSL_METHOD TLSv1_1_server_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_1_server_method_internal_data, -}; - -static const SSL_METHOD_INTERNAL TLSv1_2_server_method_internal_data = { - .version = TLS1_2_VERSION, - .min_version = TLS1_2_VERSION, - .max_version = TLS1_2_VERSION, - .ssl_new = tls1_new, - .ssl_clear = tls1_clear, - .ssl_free = tls1_free, - .ssl_accept = ssl3_accept, - .ssl_connect = ssl_undefined_function, - .ssl_read = ssl3_read, - .ssl_peek = ssl3_peek, - .ssl_write = ssl3_write, - .ssl_shutdown = ssl3_shutdown, - .ssl_pending = ssl3_pending, - .get_ssl_method = 
tls1_get_server_method, - .get_timeout = tls1_default_timeout, - .ssl_version = ssl_undefined_void_function, - .ssl_renegotiate = ssl3_renegotiate, - .ssl_renegotiate_check = ssl3_renegotiate_check, - .ssl_get_message = ssl3_get_message, - .ssl_read_bytes = ssl3_read_bytes, - .ssl_write_bytes = ssl3_write_bytes, - .ssl3_enc = &TLSv1_2_enc_data, -}; - -static const SSL_METHOD TLSv1_2_server_method_data = { - .ssl_dispatch_alert = ssl3_dispatch_alert, - .num_ciphers = ssl3_num_ciphers, - .get_cipher = ssl3_get_cipher, - .get_cipher_by_char = ssl3_get_cipher_by_char, - .put_cipher_by_char = ssl3_put_cipher_by_char, - .internal = &TLSv1_2_server_method_internal_data, -}; - -const SSL_METHOD * -tls1_get_server_method(int ver) -{ - if (ver == TLS1_2_VERSION) - return (TLSv1_2_server_method()); - if (ver == TLS1_1_VERSION) - return (TLSv1_1_server_method()); - if (ver == TLS1_VERSION) - return (TLSv1_server_method()); - return (NULL); -} - -const SSL_METHOD * -SSLv23_server_method(void) -{ - return (TLS_server_method()); -} - -const SSL_METHOD * -TLS_server_method(void) -{ - return (&TLS_server_method_data); -} - -const SSL_METHOD * -TLSv1_server_method(void) -{ - return (&TLSv1_server_method_data); -} - -const SSL_METHOD * -TLSv1_1_server_method(void) -{ - return (&TLSv1_1_server_method_data); -} - -const SSL_METHOD * -TLSv1_2_server_method(void) -{ - return (&TLSv1_2_server_method_data); -} diff --git a/ssl/tls12_record_layer.c b/ssl/tls12_record_layer.c new file mode 100644 index 0000000..10d0f11 --- /dev/null +++ b/ssl/tls12_record_layer.c 
@@ -0,0 +1,542 @@ +/* $OpenBSD: tls12_record_layer.c,v 1.4 2020/09/16 17:15:01 jsing Exp $ */ +/* + * Copyright (c) 2020 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include + +#include "ssl_locl.h" + +struct tls12_record_layer { + uint16_t version; + int dtls; + + uint16_t read_epoch; + uint16_t write_epoch; + + int read_stream_mac; + int write_stream_mac; + + /* + * XXX - for now these are just pointers to externally managed + * structs/memory. These should eventually be owned by the record layer. 
+ */ + SSL_AEAD_CTX *read_aead_ctx; + SSL_AEAD_CTX *write_aead_ctx; + + EVP_CIPHER_CTX *read_cipher_ctx; + EVP_MD_CTX *read_hash_ctx; + EVP_CIPHER_CTX *write_cipher_ctx; + EVP_MD_CTX *write_hash_ctx; + + uint8_t *read_seq_num; + uint8_t *write_seq_num; +}; + +struct tls12_record_layer * +tls12_record_layer_new(void) +{ + struct tls12_record_layer *rl; + + if ((rl = calloc(1, sizeof(struct tls12_record_layer))) == NULL) + return NULL; + + return rl; +} + +void +tls12_record_layer_free(struct tls12_record_layer *rl) +{ + freezero(rl, sizeof(struct tls12_record_layer)); +} + +void +tls12_record_layer_set_version(struct tls12_record_layer *rl, uint16_t version) +{ + rl->version = version; + rl->dtls = (version == DTLS1_VERSION); +} + +void +tls12_record_layer_set_read_epoch(struct tls12_record_layer *rl, uint16_t epoch) +{ + rl->read_epoch = epoch; +} + +void +tls12_record_layer_set_write_epoch(struct tls12_record_layer *rl, uint16_t epoch) +{ + rl->write_epoch = epoch; +} + +static void +tls12_record_layer_set_read_state(struct tls12_record_layer *rl, + SSL_AEAD_CTX *aead_ctx, EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, + int stream_mac) +{ + rl->read_aead_ctx = aead_ctx; + + rl->read_cipher_ctx = cipher_ctx; + rl->read_hash_ctx = hash_ctx; + rl->read_stream_mac = stream_mac; +} + +static void +tls12_record_layer_set_write_state(struct tls12_record_layer *rl, + SSL_AEAD_CTX *aead_ctx, EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, + int stream_mac) +{ + rl->write_aead_ctx = aead_ctx; + + rl->write_cipher_ctx = cipher_ctx; + rl->write_hash_ctx = hash_ctx; + rl->write_stream_mac = stream_mac; +} + +void +tls12_record_layer_clear_read_state(struct tls12_record_layer *rl) +{ + tls12_record_layer_set_read_state(rl, NULL, NULL, NULL, 0); + rl->read_seq_num = NULL; +} + +void +tls12_record_layer_clear_write_state(struct tls12_record_layer *rl) +{ + tls12_record_layer_set_write_state(rl, NULL, NULL, NULL, 0); + rl->write_seq_num = NULL; +} + +void 
+tls12_record_layer_set_read_seq_num(struct tls12_record_layer *rl, + uint8_t *seq_num) +{ + rl->read_seq_num = seq_num; +} + +void +tls12_record_layer_set_write_seq_num(struct tls12_record_layer *rl, + uint8_t *seq_num) +{ + rl->write_seq_num = seq_num; +} + +int +tls12_record_layer_set_read_aead(struct tls12_record_layer *rl, + SSL_AEAD_CTX *aead_ctx) +{ + tls12_record_layer_set_read_state(rl, aead_ctx, NULL, NULL, 0); + + return 1; +} + +int +tls12_record_layer_set_write_aead(struct tls12_record_layer *rl, + SSL_AEAD_CTX *aead_ctx) +{ + tls12_record_layer_set_write_state(rl, aead_ctx, NULL, NULL, 0); + + return 1; +} + +int +tls12_record_layer_set_read_cipher_hash(struct tls12_record_layer *rl, + EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac) +{ + tls12_record_layer_set_read_state(rl, NULL, cipher_ctx, hash_ctx, + stream_mac); + + return 1; +} + +int +tls12_record_layer_set_write_cipher_hash(struct tls12_record_layer *rl, + EVP_CIPHER_CTX *cipher_ctx, EVP_MD_CTX *hash_ctx, int stream_mac) +{ + tls12_record_layer_set_write_state(rl, NULL, cipher_ctx, hash_ctx, + stream_mac); + + return 1; +} + +static int +tls12_record_layer_build_seq_num(struct tls12_record_layer *rl, CBB *cbb, + uint16_t epoch, uint8_t *seq_num, size_t seq_num_len) +{ + CBS seq; + + CBS_init(&seq, seq_num, seq_num_len); + + if (rl->dtls) { + if (!CBB_add_u16(cbb, epoch)) + return 0; + if (!CBS_skip(&seq, 2)) + return 0; + } + + return CBB_add_bytes(cbb, CBS_data(&seq), CBS_len(&seq)); +} + +static int +tls12_record_layer_pseudo_header(struct tls12_record_layer *rl, + uint8_t content_type, uint16_t record_len, uint16_t epoch, uint8_t *seq_num, + size_t seq_num_len, uint8_t **out, size_t *out_len) +{ + CBB cbb; + + *out = NULL; + *out_len = 0; + + /* Build the pseudo-header used for MAC/AEAD. 
*/ + if (!CBB_init(&cbb, 13)) + goto err; + + if (!tls12_record_layer_build_seq_num(rl, &cbb, epoch, + seq_num, seq_num_len)) + goto err; + if (!CBB_add_u8(&cbb, content_type)) + goto err; + if (!CBB_add_u16(&cbb, rl->version)) + goto err; + if (!CBB_add_u16(&cbb, record_len)) + goto err; + + if (!CBB_finish(&cbb, out, out_len)) + goto err; + + return 1; + + err: + CBB_cleanup(&cbb); + + return 0; +} + +static int +tls12_record_layer_mac(struct tls12_record_layer *rl, CBB *cbb, + EVP_MD_CTX *hash_ctx, int stream_mac, uint16_t epoch, uint8_t *seq_num, + size_t seq_num_len, uint8_t content_type, const uint8_t *content, + size_t content_len, size_t *out_len) +{ + EVP_MD_CTX *mac_ctx = NULL; + uint8_t *header = NULL; + size_t header_len; + size_t mac_len; + uint8_t *mac; + int ret = 0; + + if ((mac_ctx = EVP_MD_CTX_new()) == NULL) + goto err; + if (!EVP_MD_CTX_copy(mac_ctx, hash_ctx)) + goto err; + + if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, + epoch, seq_num, seq_num_len, &header, &header_len)) + goto err; + + if (EVP_DigestSignUpdate(mac_ctx, header, header_len) <= 0) + goto err; + if (EVP_DigestSignUpdate(mac_ctx, content, content_len) <= 0) + goto err; + if (EVP_DigestSignFinal(mac_ctx, NULL, &mac_len) <= 0) + goto err; + if (!CBB_add_space(cbb, &mac, mac_len)) + goto err; + if (EVP_DigestSignFinal(mac_ctx, mac, &mac_len) <= 0) + goto err; + + if (stream_mac) { + if (!EVP_MD_CTX_copy(hash_ctx, mac_ctx)) + goto err; + } + + *out_len = mac_len; + ret = 1; + + err: + EVP_MD_CTX_free(mac_ctx); + free(header); + + return ret; +} + +static int +tls12_record_layer_write_mac(struct tls12_record_layer *rl, CBB *cbb, + uint8_t content_type, const uint8_t *content, size_t content_len, + size_t *out_len) +{ + return tls12_record_layer_mac(rl, cbb, rl->write_hash_ctx, + rl->write_stream_mac, rl->write_epoch, rl->write_seq_num, + SSL3_SEQUENCE_SIZE, content_type, content, content_len, out_len); +} + +static int 
+tls12_record_layer_aead_concat_nonce(struct tls12_record_layer *rl, + const SSL_AEAD_CTX *aead, uint8_t *seq_num, uint8_t **out, size_t *out_len) +{ + CBB cbb; + + if (aead->variable_nonce_len > SSL3_SEQUENCE_SIZE) + return 0; + + /* Fixed nonce and variable nonce (sequence number) are concatenated. */ + if (!CBB_init(&cbb, 16)) + goto err; + if (!CBB_add_bytes(&cbb, aead->fixed_nonce, + aead->fixed_nonce_len)) + goto err; + if (!CBB_add_bytes(&cbb, seq_num, aead->variable_nonce_len)) + goto err; + if (!CBB_finish(&cbb, out, out_len)) + goto err; + + return 1; + + err: + CBB_cleanup(&cbb); + + return 0; +} + +static int +tls12_record_layer_aead_xored_nonce(struct tls12_record_layer *rl, + const SSL_AEAD_CTX *aead, uint8_t *seq_num, uint8_t **out, size_t *out_len) +{ + uint8_t *nonce = NULL; + size_t nonce_len = 0; + uint8_t *pad; + CBB cbb; + int i; + + if (aead->variable_nonce_len > SSL3_SEQUENCE_SIZE) + return 0; + if (aead->fixed_nonce_len < aead->variable_nonce_len) + return 0; + + /* + * Variable nonce (sequence number) is right padded, before the fixed + * nonce is XOR'd in. 
+ */ + if (!CBB_init(&cbb, 16)) + goto err; + if (!CBB_add_space(&cbb, &pad, + aead->fixed_nonce_len - aead->variable_nonce_len)) + goto err; + if (!CBB_add_bytes(&cbb, seq_num, aead->variable_nonce_len)) + goto err; + if (!CBB_finish(&cbb, &nonce, &nonce_len)) + goto err; + + for (i = 0; i < aead->fixed_nonce_len; i++) + nonce[i] ^= aead->fixed_nonce[i]; + + *out = nonce; + *out_len = nonce_len; + + return 1; + + err: + CBB_cleanup(&cbb); + freezero(nonce, nonce_len); + + return 0; +} + +static int +tls12_record_layer_seal_record_plaintext(struct tls12_record_layer *rl, + uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) +{ + if (rl->write_aead_ctx != NULL || rl->write_cipher_ctx != NULL) + return 0; + + return CBB_add_bytes(out, content, content_len); +} + +static int +tls12_record_layer_seal_record_protected_aead(struct tls12_record_layer *rl, + uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) +{ + const SSL_AEAD_CTX *aead = rl->write_aead_ctx; + uint8_t *header = NULL, *nonce = NULL; + size_t header_len = 0, nonce_len = 0; + size_t enc_record_len, out_len; + uint16_t epoch = 0; + uint8_t *enc_data; + int ret = 0; + + /* XXX - move to nonce allocated in record layer, matching TLSv1.3 */ + if (aead->xor_fixed_nonce) { + if (!tls12_record_layer_aead_xored_nonce(rl, aead, + rl->write_seq_num, &nonce, &nonce_len)) + goto err; + } else { + if (!tls12_record_layer_aead_concat_nonce(rl, aead, + rl->write_seq_num, &nonce, &nonce_len)) + goto err; + } + + if (aead->variable_nonce_in_record) { + /* XXX - length check? */ + if (!CBB_add_bytes(out, rl->write_seq_num, aead->variable_nonce_len)) + goto err; + } + + if (!tls12_record_layer_pseudo_header(rl, content_type, content_len, + epoch, rl->write_seq_num, SSL3_SEQUENCE_SIZE, &header, &header_len)) + goto err; + + /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. 
*/ + enc_record_len = content_len + aead->tag_len; + if (enc_record_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) + goto err; + if (!CBB_add_space(out, &enc_data, enc_record_len)) + goto err; + + if (!EVP_AEAD_CTX_seal(&aead->ctx, enc_data, &out_len, enc_record_len, + nonce, nonce_len, content, content_len, header, header_len)) + goto err; + + if (out_len != enc_record_len) + goto err; + + ret = 1; + + err: + freezero(header, header_len); + freezero(nonce, nonce_len); + + return ret; +} + +static int +tls12_record_layer_seal_record_protected_cipher(struct tls12_record_layer *rl, + uint8_t content_type, const uint8_t *content, size_t content_len, CBB *out) +{ + EVP_CIPHER_CTX *enc = rl->write_cipher_ctx; + size_t mac_len, pad_len; + int block_size, eiv_len; + uint8_t *enc_data, *eiv, *pad, pad_val; + uint8_t *plain = NULL; + size_t plain_len = 0; + int ret = 0; + CBB cbb; + + if (!CBB_init(&cbb, SSL3_RT_MAX_PLAIN_LENGTH)) + goto err; + + /* Add explicit IV if necessary. */ + eiv_len = 0; + if (rl->version != TLS1_VERSION && + EVP_CIPHER_CTX_mode(enc) == EVP_CIPH_CBC_MODE) + eiv_len = EVP_CIPHER_CTX_iv_length(enc); + if (eiv_len < 0 || eiv_len > EVP_MAX_IV_LENGTH) + goto err; + if (eiv_len > 0) { + if (!CBB_add_space(&cbb, &eiv, eiv_len)) + goto err; + arc4random_buf(eiv, eiv_len); + } + + if (!CBB_add_bytes(&cbb, content, content_len)) + goto err; + + mac_len = 0; + if (rl->write_hash_ctx != NULL) { + if (!tls12_record_layer_write_mac(rl, &cbb, content_type, + content, content_len, &mac_len)) + goto err; + } + + plain_len = (size_t)eiv_len + content_len + mac_len; + + /* Add padding to block size, if necessary. 
*/ + block_size = EVP_CIPHER_CTX_block_size(enc); + if (block_size < 0 || block_size > EVP_MAX_BLOCK_LENGTH) + goto err; + if (block_size > 1) { + pad_len = block_size - (plain_len % block_size); + pad_val = pad_len - 1; + + if (pad_len > 255) + goto err; + if (!CBB_add_space(&cbb, &pad, pad_len)) + goto err; + memset(pad, pad_val, pad_len); + } + + if (!CBB_finish(&cbb, &plain, &plain_len)) + goto err; + + if (plain_len % block_size != 0) + goto err; + if (plain_len > SSL3_RT_MAX_ENCRYPTED_LENGTH) + goto err; + + if (!CBB_add_space(out, &enc_data, plain_len)) + goto err; + if (!EVP_Cipher(enc, enc_data, plain, plain_len)) + goto err; + + ret = 1; + + err: + CBB_cleanup(&cbb); + freezero(plain, plain_len); + + return ret; +} + +int +tls12_record_layer_seal_record(struct tls12_record_layer *rl, + uint8_t content_type, const uint8_t *content, size_t content_len, CBB *cbb) +{ + CBB fragment; + + if (!CBB_add_u8(cbb, content_type)) + return 0; + if (!CBB_add_u16(cbb, rl->version)) + return 0; + if (rl->dtls) { + if (!tls12_record_layer_build_seq_num(rl, cbb, + rl->write_epoch, rl->write_seq_num, + SSL3_SEQUENCE_SIZE)) + return 0; + } + if (!CBB_add_u16_length_prefixed(cbb, &fragment)) + return 0; + + if (rl->write_aead_ctx != NULL) { + if (!tls12_record_layer_seal_record_protected_aead(rl, + content_type, content, content_len, &fragment)) + return 0; + } else if (rl->write_cipher_ctx != NULL) { + if (!tls12_record_layer_seal_record_protected_cipher(rl, + content_type, content, content_len, &fragment)) + return 0; + } else { + if (!tls12_record_layer_seal_record_plaintext(rl, + content_type, content, content_len, &fragment)) + return 0; + } + + if (!CBB_flush(cbb)) + return 0; + + tls1_record_sequence_increment(rl->write_seq_num); + + return 1; +} diff --git a/ssl/tls13_buffer.c b/ssl/tls13_buffer.c new file mode 100644 index 0000000..bc10abd --- /dev/null +++ b/ssl/tls13_buffer.c 
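Review bot: In tls12_record_layer_seal_record_protected_aead the additional data is built with a local `uint16_t epoch = 0;` handed to tls12_record_layer_pseudo_header, while tls12_record_layer_seal_record writes `rl->write_epoch` into the DTLS record header and the CBC/MAC path (tls12_record_layer_write_mac) authenticates `rl->write_epoch`. For a DTLS record protected by an AEAD suite the epoch in the header would therefore not be what the tag covers, and the two protection paths would bind different values. Whether this is reachable depends on whether any DTLS version in this tree can negotiate an AEAD suite, which I cannot tell from the diff, but the fix is simply to drop the local and pass `rl->write_epoch` in the pseudo_header call, mirroring the write_mac path. The `/* XXX - length check? */` before the explicit-nonce `CBB_add_bytes(out, rl->write_seq_num, aead->variable_nonce_len)` can also be resolved: both nonce builders already return 0 when `aead->variable_nonce_len > SSL3_SEQUENCE_SIZE`, so the copy cannot over-read `write_seq_num`, and a comment saying so would replace the open question.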
@@ -0,0 +1,137 @@ +/* $OpenBSD: tls13_buffer.c,v 1.3 2020/03/10 17:11:25 jsing Exp $ */ +/* + * Copyright (c) 2018, 2019 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "ssl_locl.h" + +#include "bytestring.h" +#include "tls13_internal.h" + +struct tls13_buffer { + size_t capacity; + uint8_t *data; + size_t len; + size_t offset; +}; + +static int tls13_buffer_resize(struct tls13_buffer *buf, size_t capacity); + +struct tls13_buffer * +tls13_buffer_new(size_t init_size) +{ + struct tls13_buffer *buf = NULL; + + if ((buf = calloc(1, sizeof(struct tls13_buffer))) == NULL) + goto err; + + if (!tls13_buffer_resize(buf, init_size)) + goto err; + + return buf; + + err: + tls13_buffer_free(buf); + + return NULL; +} + +void +tls13_buffer_free(struct tls13_buffer *buf) +{ + if (buf == NULL) + return; + + freezero(buf->data, buf->capacity); + freezero(buf, sizeof(struct tls13_buffer)); +} + +static int +tls13_buffer_resize(struct tls13_buffer *buf, size_t capacity) +{ + uint8_t *data; + + if (buf->capacity == capacity) + return 1; + + if ((data = recallocarray(buf->data, buf->capacity, capacity, 1)) == NULL) + return 0; + + buf->data = data; + buf->capacity = capacity; + + return 1; +} + +int +tls13_buffer_set_data(struct tls13_buffer *buf, CBS *data) +{ + if 
(!tls13_buffer_resize(buf, CBS_len(data))) + return 0; + memcpy(buf->data, CBS_data(data), CBS_len(data)); + return 1; +} + +ssize_t +tls13_buffer_extend(struct tls13_buffer *buf, size_t len, + tls13_read_cb read_cb, void *cb_arg) +{ + ssize_t ret; + + if (len == buf->len) + return buf->len; + + if (len < buf->len) + return TLS13_IO_FAILURE; + + if (!tls13_buffer_resize(buf, len)) + return TLS13_IO_FAILURE; + + for (;;) { + if ((ret = read_cb(&buf->data[buf->len], + buf->capacity - buf->len, cb_arg)) <= 0) + return ret; + + if (ret > buf->capacity - buf->len) + return TLS13_IO_FAILURE; + + buf->len += ret; + + if (buf->len == buf->capacity) + return buf->len; + } +} + +void +tls13_buffer_cbs(struct tls13_buffer *buf, CBS *cbs) +{ + CBS_init(cbs, buf->data, buf->len); +} + +int +tls13_buffer_finish(struct tls13_buffer *buf, uint8_t **out, size_t *out_len) +{ + if (out == NULL || out_len == NULL) + return 0; + + *out = buf->data; + *out_len = buf->len; + + buf->capacity = 0; + buf->data = NULL; + buf->len = 0; + + return 1; +} diff --git a/ssl/tls13_client.c b/ssl/tls13_client.c new file mode 100644 index 0000000..35409d9 --- /dev/null +++ b/ssl/tls13_client.c 
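Review bot: tls13_buffer_set_data resizes `buf->data` to CBS_len(data) and copies the bytes in, but never updates `buf->len`, so a buffer filled this way reports its previous length to tls13_buffer_cbs() and tls13_buffer_finish() — zero for a freshly created buffer, and potentially larger than the new capacity if the buffer previously held a longer message, since tls13_buffer_resize can shrink the allocation. The callers are not in this hunk, so they may track the length themselves, but the function's own contract is inconsistent with the rest of the file, where `buf->len` is the authoritative fill level. Add `buf->len = CBS_len(data);` after the memcpy, and reset `buf->offset` to 0 there if that field is meant to track consumption (it is declared but never used in this file). In tls13_buffer_extend the `ret > buf->capacity - buf->len` guard against an over-reporting callback is good; a one-line comment that `read_cb` is expected to return a negative TLS13_IO_* code on error would make the `<= 0` passthrough easier to audit.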
@@ -0,0 +1,1088 @@ +/* $OpenBSD: tls13_client.c,v 1.67 2020/09/11 17:36:27 jsing Exp $ */ +/* + * Copyright (c) 2018, 2019 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "ssl_locl.h" + +#include + +#include "bytestring.h" +#include "ssl_tlsext.h" +#include "tls13_handshake.h" +#include "tls13_internal.h" + +int +tls13_client_init(struct tls13_ctx *ctx) +{ + const uint16_t *groups; + size_t groups_len; + SSL *s = ctx->ssl; + + if (!ssl_supported_version_range(s, &ctx->hs->min_version, + &ctx->hs->max_version)) { + SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); + return 0; + } + s->client_version = s->version = ctx->hs->max_version; + + tls13_record_layer_set_retry_after_phh(ctx->rl, + (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); + + if (!ssl_get_new_session(s, 0)) /* XXX */ + return 0; + + if (!tls1_transcript_init(s)) + return 0; + + /* Generate a key share using our preferred group. 
*/ + tls1_get_group_list(s, 0, &groups, &groups_len); + if (groups_len < 1) + return 0; + if ((ctx->hs->key_share = tls13_key_share_new(groups[0])) == NULL) + return 0; + if (!tls13_key_share_generate(ctx->hs->key_share)) + return 0; + + arc4random_buf(s->s3->client_random, SSL3_RANDOM_SIZE); + + /* + * The legacy session identifier should either be set to an + * unpredictable 32-byte value or zero length... a non-zero length + * legacy session identifier triggers compatibility mode (see RFC 8446 + * Appendix D.4). In the pre-TLSv1.3 case a zero length value is used. + */ + if (ctx->middlebox_compat && ctx->hs->max_version >= TLS1_3_VERSION) { + arc4random_buf(ctx->hs->legacy_session_id, + sizeof(ctx->hs->legacy_session_id)); + ctx->hs->legacy_session_id_len = + sizeof(ctx->hs->legacy_session_id); + } + + return 1; +} + +int +tls13_client_connect(struct tls13_ctx *ctx) +{ + if (ctx->mode != TLS13_HS_CLIENT) + return TLS13_IO_FAILURE; + + return tls13_handshake_perform(ctx); +} + +static int +tls13_client_hello_build(struct tls13_ctx *ctx, CBB *cbb) +{ + CBB cipher_suites, compression_methods, session_id; + uint16_t client_version; + SSL *s = ctx->ssl; + + /* Legacy client version is capped at TLS 1.2. 
*/ + client_version = ctx->hs->max_version; + if (client_version > TLS1_2_VERSION) + client_version = TLS1_2_VERSION; + + if (!CBB_add_u16(cbb, client_version)) + goto err; + if (!CBB_add_bytes(cbb, s->s3->client_random, SSL3_RANDOM_SIZE)) + goto err; + + if (!CBB_add_u8_length_prefixed(cbb, &session_id)) + goto err; + if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, + ctx->hs->legacy_session_id_len)) + goto err; + + if (!CBB_add_u16_length_prefixed(cbb, &cipher_suites)) + goto err; + if (!ssl_cipher_list_to_bytes(s, SSL_get_ciphers(s), &cipher_suites)) { + SSLerror(s, SSL_R_NO_CIPHERS_AVAILABLE); + goto err; + } + + if (!CBB_add_u8_length_prefixed(cbb, &compression_methods)) + goto err; + if (!CBB_add_u8(&compression_methods, 0)) + goto err; + + if (!tlsext_client_build(s, SSL_TLSEXT_MSG_CH, cbb)) + goto err; + + if (!CBB_flush(cbb)) + goto err; + + return 1; + + err: + return 0; +} + +int +tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb) +{ + if (ctx->hs->min_version < TLS1_2_VERSION) + tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); + + /* We may receive a pre-TLSv1.3 alert in response to the client hello. 
*/ + tls13_record_layer_allow_legacy_alerts(ctx->rl, 1); + + if (!tls13_client_hello_build(ctx, cbb)) + return 0; + + return 1; +} + +int +tls13_client_hello_sent(struct tls13_ctx *ctx) +{ + tls13_record_layer_allow_ccs(ctx->rl, 1); + + tls1_transcript_freeze(ctx->ssl); + + if (ctx->middlebox_compat) + ctx->send_dummy_ccs = 1; + + return 1; +} + +static int +tls13_server_hello_is_legacy(CBS *cbs) +{ + CBS extensions_block, extensions, extension_data; + uint16_t selected_version = 0; + uint16_t type; + + CBS_dup(cbs, &extensions_block); + + if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) + return 1; + + while (CBS_len(&extensions) > 0) { + if (!CBS_get_u16(&extensions, &type)) + return 1; + if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) + return 1; + + if (type != TLSEXT_TYPE_supported_versions) + continue; + if (!CBS_get_u16(&extension_data, &selected_version)) + return 1; + if (CBS_len(&extension_data) != 0) + return 1; + } + + return (selected_version < TLS1_3_VERSION); +} + +static int +tls13_server_hello_is_retry(CBS *cbs) +{ + CBS server_hello, server_random; + uint16_t legacy_version; + + CBS_dup(cbs, &server_hello); + + if (!CBS_get_u16(&server_hello, &legacy_version)) + return 0; + if (!CBS_get_bytes(&server_hello, &server_random, SSL3_RANDOM_SIZE)) + return 0; + + /* See if this is a HelloRetryRequest. 
*/ + return CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, + sizeof(tls13_hello_retry_request_hash)); +} + +static int +tls13_server_hello_process(struct tls13_ctx *ctx, CBS *cbs) +{ + CBS server_random, session_id; + uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; + uint16_t cipher_suite, legacy_version; + uint8_t compression_method; + const SSL_CIPHER *cipher; + int alert_desc; + SSL *s = ctx->ssl; + + if (!CBS_get_u16(cbs, &legacy_version)) + goto err; + if (!CBS_get_bytes(cbs, &server_random, SSL3_RANDOM_SIZE)) + goto err; + if (!CBS_get_u8_length_prefixed(cbs, &session_id)) + goto err; + if (!CBS_get_u16(cbs, &cipher_suite)) + goto err; + if (!CBS_get_u8(cbs, &compression_method)) + goto err; + + if (tls13_server_hello_is_legacy(cbs)) { + if (ctx->hs->max_version >= TLS1_3_VERSION) { + /* + * RFC 8446 section 4.1.3, We must not downgrade if + * the server random value contains the TLS 1.2 or 1.1 + * magical value. + */ + if (!CBS_skip(&server_random, CBS_len(&server_random) - + sizeof(tls13_downgrade_12))) + goto err; + if (CBS_mem_equal(&server_random, tls13_downgrade_12, + sizeof(tls13_downgrade_12)) || + CBS_mem_equal(&server_random, tls13_downgrade_11, + sizeof(tls13_downgrade_11))) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + } + + if (!CBS_skip(cbs, CBS_len(cbs))) + goto err; + + ctx->hs->use_legacy = 1; + return 1; + } + + /* From here on in we know we are doing TLSv1.3. */ + tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); + tls13_record_layer_allow_legacy_alerts(ctx->rl, 0); + + /* See if this is a HelloRetryRequest. */ + /* XXX - see if we can avoid doing this twice. 
*/ + if (CBS_mem_equal(&server_random, tls13_hello_retry_request_hash, + sizeof(tls13_hello_retry_request_hash))) { + tlsext_msg_type = SSL_TLSEXT_MSG_HRR; + ctx->hs->hrr = 1; + } + + if (!tlsext_client_parse(s, tlsext_msg_type, cbs, &alert_desc)) { + ctx->alert = alert_desc; + goto err; + } + + /* + * See if a supported versions extension was returned. If it was then + * the legacy version must be set to 0x0303 (RFC 8446 section 4.1.3). + * Otherwise, fallback to the legacy version, ensuring that it is both + * within range and not TLS 1.3 or greater (which must use the + * supported version extension. + */ + if (ctx->hs->server_version != 0) { + if (legacy_version != TLS1_2_VERSION) { + ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; + goto err; + } + } else { + if (legacy_version < ctx->hs->min_version || + legacy_version > ctx->hs->max_version || + legacy_version > TLS1_2_VERSION) { + ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; + goto err; + } + ctx->hs->server_version = legacy_version; + } + + /* The session_id must match. */ + if (!CBS_mem_equal(&session_id, ctx->hs->legacy_session_id, + ctx->hs->legacy_session_id_len)) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + + /* + * Ensure that the cipher suite is one that we offered in the client + * hello and that it matches the TLS version selected. + */ + cipher = ssl3_get_cipher_by_value(cipher_suite); + if (cipher == NULL || !ssl_cipher_in_list(SSL_get_ciphers(s), cipher)) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + if (ctx->hs->server_version == TLS1_3_VERSION && + cipher->algorithm_ssl != SSL_TLSV1_3) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + /* XXX - move this to hs_tls13? 
*/ + S3I(s)->hs.new_cipher = cipher; + + if (compression_method != 0) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + + return 1; + + err: + if (ctx->alert == 0) + ctx->alert = TLS13_ALERT_DECODE_ERROR; + + return 0; +} + +static int +tls13_client_engage_record_protection(struct tls13_ctx *ctx) +{ + struct tls13_secrets *secrets; + struct tls13_secret context; + unsigned char buf[EVP_MAX_MD_SIZE]; + uint8_t *shared_key = NULL; + size_t shared_key_len = 0; + size_t hash_len; + SSL *s = ctx->ssl; + int ret = 0; + + /* Derive the shared key and engage record protection. */ + + if (!tls13_key_share_derive(ctx->hs->key_share, &shared_key, + &shared_key_len)) + goto err; + + s->session->cipher = S3I(s)->hs.new_cipher; + s->session->ssl_version = ctx->hs->server_version; + + if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) + goto err; + if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) + goto err; + + if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) + goto err; + ctx->hs->secrets = secrets; + + /* XXX - pass in hash. */ + if (!tls1_transcript_hash_init(s)) + goto err; + tls1_transcript_free(s); + if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) + goto err; + context.data = buf; + context.len = hash_len; + + /* Early secrets. */ + if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, + secrets->zeros.len, &context)) + goto err; + + /* Handshake secrets. 
*/ + if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, + shared_key_len, &context)) + goto err; + + tls13_record_layer_set_aead(ctx->rl, ctx->aead); + tls13_record_layer_set_hash(ctx->rl, ctx->hash); + + if (!tls13_record_layer_set_read_traffic_key(ctx->rl, + &secrets->server_handshake_traffic)) + goto err; + if (!tls13_record_layer_set_write_traffic_key(ctx->rl, + &secrets->client_handshake_traffic)) + goto err; + + ret = 1; + + err: + freezero(shared_key, shared_key_len); + + return ret; +} + +int +tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + /* + * The state machine has no way of knowing if we're going to receive a + * HelloRetryRequest or a ServerHello. As such, we have to handle + * this case here and hand off to the appropriate function. + */ + if (!tls13_server_hello_is_retry(cbs)) { + ctx->handshake_stage.hs_type |= WITHOUT_HRR; + return tls13_server_hello_recv(ctx, cbs); + } + + if (!tls13_server_hello_process(ctx, cbs)) + return 0; + + /* + * This may have been a TLSv1.2 or earlier ServerHello that just happened + * to have matching server random... + */ + if (ctx->hs->use_legacy) + return tls13_use_legacy_client(ctx); + + if (!ctx->hs->hrr) + return 0; + + if (!tls13_synthetic_handshake_message(ctx)) + return 0; + if (!tls13_handshake_msg_record(ctx)) + return 0; + + ctx->hs->hrr = 0; + + return 1; +} + +int +tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb) +{ + /* + * Ensure that the server supported group is one that we listed in our + * supported groups and is not the same as the key share we previously + * offered. + */ + if (!tls1_check_curve(ctx->ssl, ctx->hs->server_group)) + return 0; /* XXX alert */ + if (ctx->hs->server_group == tls13_key_share_group(ctx->hs->key_share)) + return 0; /* XXX alert */ + + /* Switch to new key share. 
*/ + tls13_key_share_free(ctx->hs->key_share); + if ((ctx->hs->key_share = + tls13_key_share_new(ctx->hs->server_group)) == NULL) + return 0; + if (!tls13_key_share_generate(ctx->hs->key_share)) + return 0; + + if (!tls13_client_hello_build(ctx, cbb)) + return 0; + + return 1; +} + +int +tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + SSL *s = ctx->ssl; + + /* + * We may have received a legacy (pre-TLSv1.3) ServerHello or a TLSv1.3 + * ServerHello. HelloRetryRequests have already been handled. + */ + if (!tls13_server_hello_process(ctx, cbs)) + return 0; + + if (ctx->handshake_stage.hs_type & WITHOUT_HRR) { + tls1_transcript_unfreeze(s); + if (!tls13_handshake_msg_record(ctx)) + return 0; + } + + if (ctx->hs->use_legacy) { + if (!(ctx->handshake_stage.hs_type & WITHOUT_HRR)) + return 0; + return tls13_use_legacy_client(ctx); + } + + if (ctx->hs->hrr) { + /* The server has sent two HelloRetryRequests. */ + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + return 0; + } + + if (!tls13_client_engage_record_protection(ctx)) + return 0; + + ctx->handshake_stage.hs_type |= NEGOTIATED; + + return 1; +} + +int +tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + int alert_desc; + + if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_EE, cbs, &alert_desc)) { + ctx->alert = alert_desc; + goto err; + } + + return 1; + + err: + if (ctx->alert == 0) + ctx->alert = TLS13_ALERT_DECODE_ERROR; + + return 0; +} + +int +tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + CBS cert_request_context; + int alert_desc; + + /* + * Thanks to poor state design in the RFC, this function can be called + * when we actually have a certificate message instead of a certificate + * request... in that case we call the certificate handler after + * switching state, to avoid advancing state. 
+ */ + if (tls13_handshake_msg_type(ctx->hs_msg) == TLS13_MT_CERTIFICATE) { + ctx->handshake_stage.hs_type |= WITHOUT_CR; + return tls13_server_certificate_recv(ctx, cbs); + } + + if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) + goto err; + if (CBS_len(&cert_request_context) != 0) + goto err; + + if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CR, cbs, &alert_desc)) { + ctx->alert = alert_desc; + goto err; + } + + return 1; + + err: + if (ctx->alert == 0) + ctx->alert = TLS13_ALERT_DECODE_ERROR; + + return 0; +} + +int +tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + CBS cert_request_context, cert_list, cert_data; + struct stack_st_X509 *certs = NULL; + SSL *s = ctx->ssl; + X509 *cert = NULL; + EVP_PKEY *pkey; + const uint8_t *p; + int cert_idx, alert_desc; + int ret = 0; + + if ((certs = sk_X509_new_null()) == NULL) + goto err; + + if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) + goto err; + if (CBS_len(&cert_request_context) != 0) + goto err; + if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) + goto err; + + while (CBS_len(&cert_list) > 0) { + if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) + goto err; + + if (!tlsext_client_parse(ctx->ssl, SSL_TLSEXT_MSG_CT, + &cert_list, &alert_desc)) { + ctx->alert = alert_desc; + goto err; + } + + p = CBS_data(&cert_data); + if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) + goto err; + if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) + goto err; + + if (!sk_X509_push(certs, cert)) + goto err; + + cert = NULL; + } + + /* A server must always provide a non-empty certificate list. */ + if (sk_X509_num(certs) < 1) { + ctx->alert = TLS13_ALERT_DECODE_ERROR; + tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, + "peer failed to provide a certificate", NULL); + goto err; + } + + /* + * At this stage we still have no proof of possession. 
As such, it would + * be preferable to keep the chain and verify once we have successfully + * processed the CertificateVerify message. + */ + if (ssl_verify_cert_chain(s, certs) <= 0 && + s->verify_mode != SSL_VERIFY_NONE) { + ctx->alert = ssl_verify_alarm_type(s->verify_result); + tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, + "failed to verify peer certificate", NULL); + goto err; + } + ERR_clear_error(); + + cert = sk_X509_value(certs, 0); + X509_up_ref(cert); + + if ((pkey = X509_get0_pubkey(cert)) == NULL) + goto err; + if (EVP_PKEY_missing_parameters(pkey)) + goto err; + if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) + goto err; + + ssl_sess_cert_free(SSI(s)->sess_cert); + if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) + goto err; + + SSI(s)->sess_cert->cert_chain = certs; + certs = NULL; + + X509_up_ref(cert); + SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; + SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); + + X509_free(s->session->peer); + + X509_up_ref(cert); + s->session->peer = cert; + s->session->verify_result = s->verify_result; + + if (ctx->ocsp_status_recv_cb != NULL && + !ctx->ocsp_status_recv_cb(ctx)) + goto err; + + ret = 1; + + err: + sk_X509_pop_free(certs, X509_free); + X509_free(cert); + + return ret; +} + +int +tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + const struct ssl_sigalg *sigalg; + uint16_t signature_scheme; + uint8_t *sig_content = NULL; + size_t sig_content_len; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *pctx; + EVP_PKEY *pkey; + X509 *cert; + CBS signature; + CBB cbb; + int ret = 0; + + memset(&cbb, 0, sizeof(cbb)); + + if (!CBS_get_u16(cbs, &signature_scheme)) + goto err; + if (!CBS_get_u16_length_prefixed(cbs, &signature)) + goto err; + + if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, + tls13_sigalgs_len)) == NULL) + goto err; + + if (!CBB_init(&cbb, 0)) + goto err; + if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, + 
sizeof(tls13_cert_verify_pad))) + goto err; + if (!CBB_add_bytes(&cbb, tls13_cert_server_verify_context, + strlen(tls13_cert_server_verify_context))) + goto err; + if (!CBB_add_u8(&cbb, 0)) + goto err; + if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, + ctx->hs->transcript_hash_len)) + goto err; + if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) + goto err; + + if ((cert = ctx->ssl->session->peer) == NULL) + goto err; + if ((pkey = X509_get0_pubkey(cert)) == NULL) + goto err; + if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) + goto err; + + if (CBS_len(&signature) > EVP_PKEY_size(pkey)) + goto err; + + if ((mdctx = EVP_MD_CTX_new()) == NULL) + goto err; + if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) + goto err; + if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { + if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) + goto err; + if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) + goto err; + } + if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { + ctx->alert = TLS13_ALERT_DECRYPT_ERROR; + goto err; + } + if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), + CBS_len(&signature)) <= 0) { + ctx->alert = TLS13_ALERT_DECRYPT_ERROR; + goto err; + } + + ret = 1; + + err: + if (!ret && ctx->alert == 0) + ctx->alert = TLS13_ALERT_DECODE_ERROR; + CBB_cleanup(&cbb); + EVP_MD_CTX_free(mdctx); + free(sig_content); + + return ret; +} + +int +tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secret context = { .data = "", .len = 0 }; + struct tls13_secret finished_key; + uint8_t transcript_hash[EVP_MAX_MD_SIZE]; + size_t transcript_hash_len; + uint8_t *verify_data = NULL; + size_t verify_data_len; + uint8_t key[EVP_MAX_MD_SIZE]; + HMAC_CTX *hmac_ctx = NULL; + unsigned int hlen; + int ret = 0; + + /* + * Verify server finished. 
+ */ + finished_key.data = key; + finished_key.len = EVP_MD_size(ctx->hash); + + if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, + &secrets->server_handshake_traffic, "finished", + &context)) + goto err; + + if ((hmac_ctx = HMAC_CTX_new()) == NULL) + goto err; + if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, + ctx->hash, NULL)) + goto err; + if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, + ctx->hs->transcript_hash_len)) + goto err; + verify_data_len = HMAC_size(hmac_ctx); + if ((verify_data = calloc(1, verify_data_len)) == NULL) + goto err; + if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) + goto err; + if (hlen != verify_data_len) + goto err; + + if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { + ctx->alert = TLS13_ALERT_DECRYPT_ERROR; + goto err; + } + + if (!CBS_skip(cbs, verify_data_len)) + goto err; + + /* + * Derive application traffic keys. + */ + if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, + sizeof(transcript_hash), &transcript_hash_len)) + goto err; + + context.data = transcript_hash; + context.len = transcript_hash_len; + + if (!tls13_derive_application_secrets(secrets, &context)) + goto err; + + /* + * Any records following the server finished message must be encrypted + * using the server application traffic keys. 
+ */ + if (!tls13_record_layer_set_read_traffic_key(ctx->rl, + &secrets->server_application_traffic)) + goto err; + + tls13_record_layer_allow_ccs(ctx->rl, 0); + + ret = 1; + + err: + HMAC_CTX_free(hmac_ctx); + free(verify_data); + + return ret; +} + +static int +tls13_client_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk, + int *ok, const struct ssl_sigalg **out_sigalg) +{ + const struct ssl_sigalg *sigalg; + SSL *s = ctx->ssl; + + *ok = 0; + *out_sigalg = NULL; + + if (cpk->x509 == NULL || cpk->privatekey == NULL) + goto done; + + if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) + goto done; + + *ok = 1; + *out_sigalg = sigalg; + + done: + return 1; +} + +static int +tls13_client_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk, + const struct ssl_sigalg **out_sigalg) +{ + SSL *s = ctx->ssl; + const struct ssl_sigalg *sigalg; + CERT_PKEY *cpk; + int cert_ok; + + *out_cpk = NULL; + *out_sigalg = NULL; + + /* + * XXX - RFC 8446, 4.4.2.3: the server can communicate preferences + * with the certificate_authorities (4.2.4) and oid_filters (4.2.5) + * extensions. We should honor the former and must apply the latter. 
+ */ + + cpk = &s->cert->pkeys[SSL_PKEY_ECC]; + if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg)) + return 0; + if (cert_ok) + goto done; + + cpk = &s->cert->pkeys[SSL_PKEY_RSA]; + if (!tls13_client_check_certificate(ctx, cpk, &cert_ok, &sigalg)) + return 0; + if (cert_ok) + goto done; + + cpk = NULL; + sigalg = NULL; + + done: + *out_cpk = cpk; + *out_sigalg = sigalg; + + return 1; +} + +int +tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb) +{ + SSL *s = ctx->ssl; + CBB cert_request_context, cert_list; + const struct ssl_sigalg *sigalg; + STACK_OF(X509) *chain; + CERT_PKEY *cpk; + X509 *cert; + int i, ret = 0; + + if (!tls13_client_select_certificate(ctx, &cpk, &sigalg)) + goto err; + + ctx->hs->cpk = cpk; + ctx->hs->sigalg = sigalg; + + if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) + goto err; + if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) + goto err; + + /* No certificate selected. */ + if (cpk == NULL) + goto done; + + if ((chain = cpk->chain) == NULL) + chain = s->ctx->extra_certs; + + if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_client_build)) + goto err; + + for (i = 0; i < sk_X509_num(chain); i++) { + cert = sk_X509_value(chain, i); + if (!tls13_cert_add(ctx, &cert_list, cert, tlsext_client_build)) + goto err; + } + + ctx->handshake_stage.hs_type |= WITH_CCV; + done: + if (!CBB_flush(cbb)) + goto err; + + ret = 1; + + err: + return ret; +} + +int +tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) +{ + const struct ssl_sigalg *sigalg; + uint8_t *sig = NULL, *sig_content = NULL; + size_t sig_len, sig_content_len; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *pctx; + EVP_PKEY *pkey; + const CERT_PKEY *cpk; + CBB sig_cbb; + int ret = 0; + + memset(&sig_cbb, 0, sizeof(sig_cbb)); + + if ((cpk = ctx->hs->cpk) == NULL) + goto err; + if ((sigalg = ctx->hs->sigalg) == NULL) + goto err; + pkey = cpk->privatekey; + + if (!CBB_init(&sig_cbb, 0)) + goto err; + if (!CBB_add_bytes(&sig_cbb, 
tls13_cert_verify_pad, + sizeof(tls13_cert_verify_pad))) + goto err; + if (!CBB_add_bytes(&sig_cbb, tls13_cert_client_verify_context, + strlen(tls13_cert_client_verify_context))) + goto err; + if (!CBB_add_u8(&sig_cbb, 0)) + goto err; + if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, + ctx->hs->transcript_hash_len)) + goto err; + if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) + goto err; + + if ((mdctx = EVP_MD_CTX_new()) == NULL) + goto err; + if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) + goto err; + if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { + if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) + goto err; + if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) + goto err; + } + if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) + goto err; + if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) + goto err; + if ((sig = calloc(1, sig_len)) == NULL) + goto err; + if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) + goto err; + + if (!CBB_add_u16(cbb, sigalg->value)) + goto err; + if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) + goto err; + if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) + goto err; + + if (!CBB_flush(cbb)) + goto err; + + ret = 1; + + err: + if (!ret && ctx->alert == 0) + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + + CBB_cleanup(&sig_cbb); + EVP_MD_CTX_free(mdctx); + free(sig_content); + free(sig); + + return ret; +} + +int +tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb) +{ + return 0; +} + +int +tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb) +{ + struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secret context = { .data = "", .len = 0 }; + struct tls13_secret finished_key; + uint8_t transcript_hash[EVP_MAX_MD_SIZE]; + size_t transcript_hash_len; + uint8_t key[EVP_MAX_MD_SIZE]; + uint8_t *verify_data; + size_t hmac_len; + unsigned int hlen; + HMAC_CTX *hmac_ctx = NULL; + int ret = 0; + + finished_key.data = key; + finished_key.len = 
EVP_MD_size(ctx->hash); + + if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, + &secrets->client_handshake_traffic, "finished", + &context)) + goto err; + + if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, + sizeof(transcript_hash), &transcript_hash_len)) + goto err; + + if ((hmac_ctx = HMAC_CTX_new()) == NULL) + goto err; + if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, + ctx->hash, NULL)) + goto err; + if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) + goto err; + + hmac_len = HMAC_size(hmac_ctx); + if (!CBB_add_space(cbb, &verify_data, hmac_len)) + goto err; + if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) + goto err; + if (hlen != hmac_len) + goto err; + + ret = 1; + + err: + HMAC_CTX_free(hmac_ctx); + + return ret; +} + +int +tls13_client_finished_sent(struct tls13_ctx *ctx) +{ + struct tls13_secrets *secrets = ctx->hs->secrets; + + /* + * Any records following the client finished message must be encrypted + * using the client application traffic keys. + */ + return tls13_record_layer_set_write_traffic_key(ctx->rl, + &secrets->client_application_traffic); +} diff --git a/ssl/tls13_error.c b/ssl/tls13_error.c new file mode 100644 index 0000000..295b6c4 --- /dev/null +++ b/ssl/tls13_error.c 
@@ -0,0 +1,99 @@
+/* $OpenBSD: tls13_error.c,v 1.1 2020/01/20 13:10:37 jsing Exp $ */
+/*
+ * Copyright (c) 2014,2019 Joel Sing 
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include 
+
+#include "tls13_internal.h"
+
+void
+tls13_error_clear(struct tls13_error *error)
+{
+ error->code = 0;
+ error->subcode = 0;
+ error->errnum = 0;
+ error->file = NULL;
+ error->line = 0;
+ free(error->msg);
+ error->msg = NULL;
+}
+
+static int
+tls13_error_vset(struct tls13_error *error, int code, int subcode, int errnum,
+ const char *file, int line, const char *fmt, va_list ap)
+{
+ char *errmsg = NULL;
+ int rv = -1;
+
+ tls13_error_clear(error);
+
+ error->code = code;
+ error->subcode = subcode;
+ error->errnum = errnum;
+ error->file = file;
+ error->line = line;
+
+ if (vasprintf(&errmsg, fmt, ap) == -1) {
+ errmsg = NULL;
+ goto err;
+ }
+
+ if (errnum == -1) {
+ error->msg = errmsg;
+ return 0;
+ }
+
+ if (asprintf(&error->msg, "%s: %s", errmsg, strerror(errnum)) == -1) {
+ error->msg = NULL;
+ goto err;
+ }
+ rv = 0;
+
+ err:
+ free(errmsg);
+
+ return rv;
+}
+
+int
+tls13_error_set(struct tls13_error *error, int code, int subcode,
+ const char *file, int line, const char *fmt, ...)
+{
+ va_list ap;
+ int errnum, rv;
+
+ errnum = errno;
+
+ va_start(ap, fmt);
+ rv = tls13_error_vset(error, code, subcode, errnum, file, line, fmt, ap);
+ va_end(ap);
+
+ return (rv);
+}
+
+int
+tls13_error_setx(struct tls13_error *error, int code, int subcode,
+ const char *file, int line, const char *fmt, ...)
+{
+ va_list ap;
+ int rv;
+
+ va_start(ap, fmt);
+ rv = tls13_error_vset(error, code, subcode, -1, file, line, fmt, ap);
+ va_end(ap);
+
+ return (rv);
+}
diff --git a/ssl/tls13_handshake.c b/ssl/tls13_handshake.c
new file mode 100644
index 0000000..b3cecc7
--- /dev/null
+++ b/ssl/tls13_handshake.c
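Review bot: `tls13_error_vset` uses `errnum == -1` as an undocumented sentinel meaning "no errno to append", supplied only by `tls13_error_setx`, and a reader of the `if (errnum == -1)` branch has no way to know that from this file; a one-line comment at the check, `/* -1: no errno to append (see tls13_error_setx). */`, would make the contract explicit. The `strerror(errnum)` call in the `asprintf` line is not guaranteed thread-safe by the C standard, and this code can be reached from any thread using the library, so `strerror_r` into a local buffer would be the safer choice. On the `asprintf` failure path `error->msg` is left NULL while `code`, `subcode`, `file` and `line` are already set, so consumers of `struct tls13_error` must tolerate a NULL message; worth stating in a comment above `tls13_error_vset`.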
@@ -0,0 +1,517 @@ +/* $OpenBSD: tls13_handshake.c,v 1.64 2020/07/30 16:23:17 tb Exp $ */ +/* + * Copyright (c) 2018-2019 Theo Buehler + * Copyright (c) 2019 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include "ssl_locl.h" +#include "tls13_handshake.h" +#include "tls13_internal.h" + +/* Based on RFC 8446 and inspired by s2n's TLS 1.2 state machine. 
*/ + +struct tls13_handshake_action { + uint8_t handshake_type; + uint8_t sender; + uint8_t handshake_complete; + uint8_t send_preserve_transcript_hash; + uint8_t recv_preserve_transcript_hash; + + int (*send)(struct tls13_ctx *ctx, CBB *cbb); + int (*sent)(struct tls13_ctx *ctx); + int (*recv)(struct tls13_ctx *ctx, CBS *cbs); +}; + +static enum tls13_message_type + tls13_handshake_active_state(struct tls13_ctx *ctx); + +static const struct tls13_handshake_action * + tls13_handshake_active_action(struct tls13_ctx *ctx); +static int tls13_handshake_advance_state_machine(struct tls13_ctx *ctx); + +static int tls13_handshake_send_action(struct tls13_ctx *ctx, + const struct tls13_handshake_action *action); +static int tls13_handshake_recv_action(struct tls13_ctx *ctx, + const struct tls13_handshake_action *action); + +static const struct tls13_handshake_action state_machine[] = { + [CLIENT_HELLO] = { + .handshake_type = TLS13_MT_CLIENT_HELLO, + .sender = TLS13_HS_CLIENT, + .send = tls13_client_hello_send, + .sent = tls13_client_hello_sent, + .recv = tls13_client_hello_recv, + }, + [CLIENT_HELLO_RETRY] = { + .handshake_type = TLS13_MT_CLIENT_HELLO, + .sender = TLS13_HS_CLIENT, + .send = tls13_client_hello_retry_send, + .recv = tls13_client_hello_retry_recv, + }, + [CLIENT_END_OF_EARLY_DATA] = { + .handshake_type = TLS13_MT_END_OF_EARLY_DATA, + .sender = TLS13_HS_CLIENT, + .send = tls13_client_end_of_early_data_send, + .recv = tls13_client_end_of_early_data_recv, + }, + [CLIENT_CERTIFICATE] = { + .handshake_type = TLS13_MT_CERTIFICATE, + .sender = TLS13_HS_CLIENT, + .send_preserve_transcript_hash = 1, + .send = tls13_client_certificate_send, + .recv = tls13_client_certificate_recv, + }, + [CLIENT_CERTIFICATE_VERIFY] = { + .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, + .sender = TLS13_HS_CLIENT, + .recv_preserve_transcript_hash = 1, + .send = tls13_client_certificate_verify_send, + .recv = tls13_client_certificate_verify_recv, + }, + [CLIENT_FINISHED] = { + 
.handshake_type = TLS13_MT_FINISHED, + .sender = TLS13_HS_CLIENT, + .recv_preserve_transcript_hash = 1, + .send = tls13_client_finished_send, + .sent = tls13_client_finished_sent, + .recv = tls13_client_finished_recv, + }, + [SERVER_HELLO] = { + .handshake_type = TLS13_MT_SERVER_HELLO, + .sender = TLS13_HS_SERVER, + .send = tls13_server_hello_send, + .sent = tls13_server_hello_sent, + .recv = tls13_server_hello_recv, + }, + [SERVER_HELLO_RETRY_REQUEST] = { + .handshake_type = TLS13_MT_SERVER_HELLO, + .sender = TLS13_HS_SERVER, + .send = tls13_server_hello_retry_request_send, + .recv = tls13_server_hello_retry_request_recv, + .sent = tls13_server_hello_retry_request_sent, + }, + [SERVER_ENCRYPTED_EXTENSIONS] = { + .handshake_type = TLS13_MT_ENCRYPTED_EXTENSIONS, + .sender = TLS13_HS_SERVER, + .send = tls13_server_encrypted_extensions_send, + .recv = tls13_server_encrypted_extensions_recv, + }, + [SERVER_CERTIFICATE] = { + .handshake_type = TLS13_MT_CERTIFICATE, + .sender = TLS13_HS_SERVER, + .send_preserve_transcript_hash = 1, + .send = tls13_server_certificate_send, + .recv = tls13_server_certificate_recv, + }, + [SERVER_CERTIFICATE_REQUEST] = { + .handshake_type = TLS13_MT_CERTIFICATE_REQUEST, + .sender = TLS13_HS_SERVER, + .send = tls13_server_certificate_request_send, + .recv = tls13_server_certificate_request_recv, + }, + [SERVER_CERTIFICATE_VERIFY] = { + .handshake_type = TLS13_MT_CERTIFICATE_VERIFY, + .sender = TLS13_HS_SERVER, + .recv_preserve_transcript_hash = 1, + .send = tls13_server_certificate_verify_send, + .recv = tls13_server_certificate_verify_recv, + }, + [SERVER_FINISHED] = { + .handshake_type = TLS13_MT_FINISHED, + .sender = TLS13_HS_SERVER, + .recv_preserve_transcript_hash = 1, + .send_preserve_transcript_hash = 1, + .send = tls13_server_finished_send, + .sent = tls13_server_finished_sent, + .recv = tls13_server_finished_recv, + }, + [APPLICATION_DATA] = { + .handshake_complete = 1, + }, +}; + +const enum tls13_message_type 
handshakes[][TLS13_NUM_MESSAGE_TYPES] = { + [INITIAL] = { + CLIENT_HELLO, + SERVER_HELLO_RETRY_REQUEST, + CLIENT_HELLO_RETRY, + SERVER_HELLO, + }, + [NEGOTIATED] = { + CLIENT_HELLO, + SERVER_HELLO_RETRY_REQUEST, + CLIENT_HELLO_RETRY, + SERVER_HELLO, + SERVER_ENCRYPTED_EXTENSIONS, + SERVER_CERTIFICATE_REQUEST, + SERVER_CERTIFICATE, + SERVER_CERTIFICATE_VERIFY, + SERVER_FINISHED, + CLIENT_CERTIFICATE, + CLIENT_FINISHED, + APPLICATION_DATA, + }, + [NEGOTIATED | WITHOUT_HRR] = { + CLIENT_HELLO, + SERVER_HELLO, + SERVER_ENCRYPTED_EXTENSIONS, + SERVER_CERTIFICATE_REQUEST, + SERVER_CERTIFICATE, + SERVER_CERTIFICATE_VERIFY, + SERVER_FINISHED, + CLIENT_CERTIFICATE, + CLIENT_FINISHED, + APPLICATION_DATA, + }, + [NEGOTIATED | WITHOUT_CR] = { + CLIENT_HELLO, + SERVER_HELLO_RETRY_REQUEST, + CLIENT_HELLO_RETRY, + SERVER_HELLO, + SERVER_ENCRYPTED_EXTENSIONS, + SERVER_CERTIFICATE, + SERVER_CERTIFICATE_VERIFY, + SERVER_FINISHED, + CLIENT_FINISHED, + APPLICATION_DATA, + }, + [NEGOTIATED | WITHOUT_HRR | WITHOUT_CR] = { + CLIENT_HELLO, + SERVER_HELLO, + SERVER_ENCRYPTED_EXTENSIONS, + SERVER_CERTIFICATE, + SERVER_CERTIFICATE_VERIFY, + SERVER_FINISHED, + CLIENT_FINISHED, + APPLICATION_DATA, + }, + [NEGOTIATED | WITH_PSK] = { + CLIENT_HELLO, + SERVER_HELLO_RETRY_REQUEST, + CLIENT_HELLO_RETRY, + SERVER_HELLO, + SERVER_ENCRYPTED_EXTENSIONS, + SERVER_FINISHED, + CLIENT_FINISHED, + APPLICATION_DATA, + }, + [NEGOTIATED | WITHOUT_HRR | WITH_PSK] = { + CLIENT_HELLO, + SERVER_HELLO, + SERVER_ENCRYPTED_EXTENSIONS, + SERVER_FINISHED, + CLIENT_FINISHED, + APPLICATION_DATA, + }, + [NEGOTIATED | WITH_CCV] = { + CLIENT_HELLO, + SERVER_HELLO_RETRY_REQUEST, + CLIENT_HELLO_RETRY, + SERVER_HELLO, + SERVER_ENCRYPTED_EXTENSIONS, + SERVER_CERTIFICATE_REQUEST, + SERVER_CERTIFICATE, + SERVER_CERTIFICATE_VERIFY, + SERVER_FINISHED, + CLIENT_CERTIFICATE, + CLIENT_CERTIFICATE_VERIFY, + CLIENT_FINISHED, + APPLICATION_DATA, + }, + [NEGOTIATED | WITHOUT_HRR | WITH_CCV] = { + CLIENT_HELLO, + SERVER_HELLO, + 
SERVER_ENCRYPTED_EXTENSIONS, + SERVER_CERTIFICATE_REQUEST, + SERVER_CERTIFICATE, + SERVER_CERTIFICATE_VERIFY, + SERVER_FINISHED, + CLIENT_CERTIFICATE, + CLIENT_CERTIFICATE_VERIFY, + CLIENT_FINISHED, + APPLICATION_DATA, + }, +}; + +const size_t handshake_count = sizeof(handshakes) / sizeof(handshakes[0]); + +#ifndef TLS13_DEBUG +#define DEBUGF(...) +#else +#define DEBUGF(...) fprintf(stderr, __VA_ARGS__) + +static const char * +tls13_handshake_mode_name(uint8_t mode) +{ + switch (mode) { + case TLS13_HS_CLIENT: + return "Client"; + case TLS13_HS_SERVER: + return "Server"; + } + return "Unknown"; +} + +static const char * +tls13_handshake_message_name(uint8_t msg_type) +{ + switch (msg_type) { + case TLS13_MT_CLIENT_HELLO: + return "ClientHello"; + case TLS13_MT_SERVER_HELLO: + return "ServerHello"; + case TLS13_MT_NEW_SESSION_TICKET: + return "NewSessionTicket"; + case TLS13_MT_END_OF_EARLY_DATA: + return "EndOfEarlyData"; + case TLS13_MT_ENCRYPTED_EXTENSIONS: + return "EncryptedExtensions"; + case TLS13_MT_CERTIFICATE: + return "Certificate"; + case TLS13_MT_CERTIFICATE_REQUEST: + return "CertificateRequest"; + case TLS13_MT_CERTIFICATE_VERIFY: + return "CertificateVerify"; + case TLS13_MT_FINISHED: + return "Finished"; + case TLS13_MT_KEY_UPDATE: + return "KeyUpdate"; + } + return "Unknown"; +} +#endif + +static enum tls13_message_type +tls13_handshake_active_state(struct tls13_ctx *ctx) +{ + struct tls13_handshake_stage hs = ctx->handshake_stage; + + if (hs.hs_type >= handshake_count) + return INVALID; + if (hs.message_number >= TLS13_NUM_MESSAGE_TYPES) + return INVALID; + + return handshakes[hs.hs_type][hs.message_number]; +} + +static const struct tls13_handshake_action * +tls13_handshake_active_action(struct tls13_ctx *ctx) +{ + enum tls13_message_type mt = tls13_handshake_active_state(ctx); + + if (mt == INVALID) + return NULL; + + return &state_machine[mt]; +} + +static int +tls13_handshake_advance_state_machine(struct tls13_ctx *ctx) +{ + if 
(++ctx->handshake_stage.message_number >= TLS13_NUM_MESSAGE_TYPES) + return 0; + + return 1; +} + +int +tls13_handshake_msg_record(struct tls13_ctx *ctx) +{ + CBS cbs; + + tls13_handshake_msg_data(ctx->hs_msg, &cbs); + return tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs)); +} + +int +tls13_handshake_perform(struct tls13_ctx *ctx) +{ + const struct tls13_handshake_action *action; + int ret; + + if (!ctx->handshake_started) { + ctx->handshake_started = 1; + if (ctx->info_cb != NULL) + ctx->info_cb(ctx, TLS13_INFO_HANDSHAKE_STARTED, 1); + } + + for (;;) { + if ((action = tls13_handshake_active_action(ctx)) == NULL) + return TLS13_IO_FAILURE; + + if (action->handshake_complete) { + ctx->handshake_completed = 1; + tls13_record_layer_handshake_completed(ctx->rl); + if (ctx->info_cb != NULL) + ctx->info_cb(ctx, + TLS13_INFO_HANDSHAKE_COMPLETED, 1); + return TLS13_IO_SUCCESS; + } + + DEBUGF("%s %s %s\n", tls13_handshake_mode_name(ctx->mode), + (action->sender == ctx->mode) ? "sending" : "receiving", + tls13_handshake_message_name(action->handshake_type)); + + if (ctx->alert) + return tls13_send_alert(ctx->rl, ctx->alert); + + if (action->sender == ctx->mode) + ret = tls13_handshake_send_action(ctx, action); + else + ret = tls13_handshake_recv_action(ctx, action); + + if (ctx->alert) + return tls13_send_alert(ctx->rl, ctx->alert); + + if (ret <= 0) { + DEBUGF("%s %s returned %d\n", + tls13_handshake_mode_name(ctx->mode), + (action->sender == ctx->mode) ? 
"send" : "recv", + ret); + return ret; + } + + if (!tls13_handshake_advance_state_machine(ctx)) + return TLS13_IO_FAILURE; + } +} + +static int +tls13_handshake_send_action(struct tls13_ctx *ctx, + const struct tls13_handshake_action *action) +{ + ssize_t ret; + CBB cbb; + + if (ctx->send_dummy_ccs) { + if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS) + return ret; + ctx->send_dummy_ccs = 0; + if (ctx->send_dummy_ccs_after) { + ctx->send_dummy_ccs_after = 0; + return TLS13_IO_SUCCESS; + } + } + + /* If we have no handshake message, we need to build one. */ + if (ctx->hs_msg == NULL) { + if ((ctx->hs_msg = tls13_handshake_msg_new()) == NULL) + return TLS13_IO_FAILURE; + if (!tls13_handshake_msg_start(ctx->hs_msg, &cbb, + action->handshake_type)) + return TLS13_IO_FAILURE; + if (!action->send(ctx, &cbb)) + return TLS13_IO_FAILURE; + if (!tls13_handshake_msg_finish(ctx->hs_msg)) + return TLS13_IO_FAILURE; + } + + if ((ret = tls13_handshake_msg_send(ctx->hs_msg, ctx->rl)) <= 0) + return ret; + + if (!tls13_handshake_msg_record(ctx)) + return TLS13_IO_FAILURE; + + if (action->send_preserve_transcript_hash) { + if (!tls1_transcript_hash_value(ctx->ssl, + ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash), + &ctx->hs->transcript_hash_len)) + return TLS13_IO_FAILURE; + } + + if (ctx->handshake_message_sent_cb != NULL) + ctx->handshake_message_sent_cb(ctx); + + tls13_handshake_msg_free(ctx->hs_msg); + ctx->hs_msg = NULL; + + if (action->sent != NULL && !action->sent(ctx)) + return TLS13_IO_FAILURE; + + if (ctx->send_dummy_ccs_after) { + ctx->send_dummy_ccs = 1; + if ((ret = tls13_send_dummy_ccs(ctx->rl)) != TLS13_IO_SUCCESS) + return ret; + ctx->send_dummy_ccs = 0; + ctx->send_dummy_ccs_after = 0; + } + + return TLS13_IO_SUCCESS; +} + +static int +tls13_handshake_recv_action(struct tls13_ctx *ctx, + const struct tls13_handshake_action *action) +{ + uint8_t msg_type; + ssize_t ret; + CBS cbs; + + if (ctx->hs_msg == NULL) { + if ((ctx->hs_msg = 
tls13_handshake_msg_new()) == NULL) + return TLS13_IO_FAILURE; + } + + if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) <= 0) + return ret; + + if (action->recv_preserve_transcript_hash) { + if (!tls1_transcript_hash_value(ctx->ssl, + ctx->hs->transcript_hash, sizeof(ctx->hs->transcript_hash), + &ctx->hs->transcript_hash_len)) + return TLS13_IO_FAILURE; + } + + if (!tls13_handshake_msg_record(ctx)) + return TLS13_IO_FAILURE; + + if (ctx->handshake_message_recv_cb != NULL) + ctx->handshake_message_recv_cb(ctx); + + /* + * In TLSv1.3 there is no way to know if you're going to receive a + * certificate request message or not, hence we have to special case it + * here. The receive handler also knows how to deal with this situation. + */ + msg_type = tls13_handshake_msg_type(ctx->hs_msg); + if (msg_type != action->handshake_type && + (msg_type != TLS13_MT_CERTIFICATE || + action->handshake_type != TLS13_MT_CERTIFICATE_REQUEST)) + return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE); + + if (!tls13_handshake_msg_content(ctx->hs_msg, &cbs)) + return TLS13_IO_FAILURE; + + ret = TLS13_IO_FAILURE; + if (action->recv(ctx, &cbs)) { + if (CBS_len(&cbs) != 0) { + tls13_set_errorx(ctx, TLS13_ERR_TRAILING_DATA, 0, + "trailing data in handshake message", NULL); + ctx->alert = TLS13_ALERT_DECODE_ERROR; + } else { + ret = TLS13_IO_SUCCESS; + } + } + + tls13_handshake_msg_free(ctx->hs_msg); + ctx->hs_msg = NULL; + + if (ctx->ssl->method->internal->version < TLS1_3_VERSION) + return TLS13_IO_USE_LEGACY; + + return ret; +} diff --git a/ssl/tls13_handshake.h b/ssl/tls13_handshake.h new file mode 100644 index 0000000..8a08b9f --- /dev/null +++ b/ssl/tls13_handshake.h 
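Review bot: `tls13_handshake_active_state` returns whatever is stored in `handshakes[hs_type][message_number]`, and for the flag combinations with no initialiser (for example `NEGOTIATED | WITHOUT_CR | WITH_PSK`) and for the trailing entries of every row that value is 0, which only means "no action" because `INVALID` happens to be the first enumerator in tls13_handshake.h; nothing in this file records that dependency. Suggest a comment above `handshakes`: `/* Unlisted rows and trailing entries are zero-initialised, i.e. INVALID. */`. As a point of style, `ret` is declared `ssize_t` in `tls13_handshake_send_action` and `tls13_handshake_recv_action` although both functions return `int`, and the callee whose signature is visible on this page, `tls13_handshake_msg_recv`, also returns `int`; the TLS13_IO_* codes fit an `int`, so declaring `ret` as `int` would avoid the silent narrowing on return.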
@@ -0,0 +1,54 @@
+/* $OpenBSD: tls13_handshake.h,v 1.5 2020/04/22 17:05:07 jsing Exp $ */
+/*
+ * Copyright (c) 2019 Theo Buehler 
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HEADER_TLS13_HANDSHAKE_H
+#define HEADER_TLS13_HANDSHAKE_H
+
+#include /* for NULL */
+
+__BEGIN_HIDDEN_DECLS
+
+#define INITIAL 0x00
+#define NEGOTIATED 0x01
+#define WITHOUT_HRR 0x02
+#define WITHOUT_CR 0x04
+#define WITH_PSK 0x08
+#define WITH_CCV 0x10
+#define WITH_0RTT 0x20
+
+enum tls13_message_type {
+ INVALID,
+ CLIENT_HELLO,
+ SERVER_HELLO_RETRY_REQUEST,
+ CLIENT_HELLO_RETRY,
+ SERVER_HELLO,
+ SERVER_ENCRYPTED_EXTENSIONS,
+ SERVER_CERTIFICATE_REQUEST,
+ SERVER_CERTIFICATE,
+ SERVER_CERTIFICATE_VERIFY,
+ SERVER_FINISHED,
+ CLIENT_END_OF_EARLY_DATA,
+ CLIENT_CERTIFICATE,
+ CLIENT_CERTIFICATE_VERIFY,
+ CLIENT_FINISHED,
+ APPLICATION_DATA,
+ TLS13_NUM_MESSAGE_TYPES,
+};
+
+__END_HIDDEN_DECLS
+
+#endif /* !HEADER_TLS13_HANDSHAKE_H */
diff --git a/ssl/tls13_handshake_msg.c b/ssl/tls13_handshake_msg.c
new file mode 100644
index 0000000..21932fc
--- /dev/null
+++ b/ssl/tls13_handshake_msg.c
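Review bot: The `INITIAL`/`NEGOTIATED`/`WITHOUT_HRR`/... macros are bit flags whose OR is used directly as the row index into `handshakes[][]` in tls13_handshake.c, so adding a bit here grows that table and every combination must either have a row or be rejected by the `hs_type >= handshake_count` bounds check; the header says nothing about this. Suggest a comment above the `#define` block: `/* Bit flags; their OR indexes handshakes[][] in tls13_handshake.c. */`. `WITH_0RTT` (0x20) currently has no row in that table, so a state carrying it is stopped only by the bounds check, which is worth a comment on that line so nobody "fixes" the gap by reordering the flags. `INVALID` must also stay the first enumerator, since zero-initialised table entries are interpreted as it; a `/* must be 0 */` on that line would protect the invariant.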
@@ -0,0 +1,194 @@ +/* $OpenBSD: tls13_handshake_msg.c,v 1.2 2019/11/20 16:21:20 beck Exp $ */ +/* + * Copyright (c) 2018, 2019 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "bytestring.h" +#include "ssl_locl.h" +#include "tls13_internal.h" + +#define TLS13_HANDSHAKE_MSG_HEADER_LEN 4 +#define TLS13_HANDSHAKE_MSG_INITIAL_LEN 256 +#define TLS13_HANDSHAKE_MSG_MAX_LEN (256 * 1024) + +struct tls13_handshake_msg { + uint8_t msg_type; + uint32_t msg_len; + uint8_t *data; + size_t data_len; + + struct tls13_buffer *buf; + CBS cbs; + CBB cbb; +}; + +struct tls13_handshake_msg * +tls13_handshake_msg_new() +{ + struct tls13_handshake_msg *msg = NULL; + + if ((msg = calloc(1, sizeof(struct tls13_handshake_msg))) == NULL) + goto err; + if ((msg->buf = tls13_buffer_new(0)) == NULL) + goto err; + + return msg; + + err: + tls13_handshake_msg_free(msg); + + return NULL; +} + +void +tls13_handshake_msg_free(struct tls13_handshake_msg *msg) +{ + if (msg == NULL) + return; + + tls13_buffer_free(msg->buf); + + CBB_cleanup(&msg->cbb); + + freezero(msg->data, msg->data_len); + freezero(msg, sizeof(struct tls13_handshake_msg)); +} + +void +tls13_handshake_msg_data(struct tls13_handshake_msg *msg, CBS *cbs) +{ + CBS_init(cbs, msg->data, msg->data_len); +} + +int 
+tls13_handshake_msg_set_buffer(struct tls13_handshake_msg *msg, CBS *cbs) +{ + return tls13_buffer_set_data(msg->buf, cbs); +} + +uint8_t +tls13_handshake_msg_type(struct tls13_handshake_msg *msg) +{ + return msg->msg_type; +} + +int +tls13_handshake_msg_content(struct tls13_handshake_msg *msg, CBS *cbs) +{ + tls13_handshake_msg_data(msg, cbs); + + return CBS_skip(cbs, TLS13_HANDSHAKE_MSG_HEADER_LEN); +} + +int +tls13_handshake_msg_start(struct tls13_handshake_msg *msg, CBB *body, + uint8_t msg_type) +{ + if (!CBB_init(&msg->cbb, TLS13_HANDSHAKE_MSG_INITIAL_LEN)) + return 0; + if (!CBB_add_u8(&msg->cbb, msg_type)) + return 0; + if (!CBB_add_u24_length_prefixed(&msg->cbb, body)) + return 0; + + return 1; +} + +int +tls13_handshake_msg_finish(struct tls13_handshake_msg *msg) +{ + if (!CBB_finish(&msg->cbb, &msg->data, &msg->data_len)) + return 0; + + CBS_init(&msg->cbs, msg->data, msg->data_len); + + return 1; +} + +static ssize_t +tls13_handshake_msg_read_cb(void *buf, size_t n, void *cb_arg) +{ + struct tls13_record_layer *rl = cb_arg; + + return tls13_read_handshake_data(rl, buf, n); +} + +int +tls13_handshake_msg_recv(struct tls13_handshake_msg *msg, + struct tls13_record_layer *rl) +{ + uint8_t msg_type; + uint32_t msg_len; + CBS cbs; + int ret; + + if (msg->data != NULL) + return TLS13_IO_FAILURE; + + if (msg->msg_type == 0) { + if ((ret = tls13_buffer_extend(msg->buf, + TLS13_HANDSHAKE_MSG_HEADER_LEN, + tls13_handshake_msg_read_cb, rl)) <= 0) + return ret; + + tls13_buffer_cbs(msg->buf, &cbs); + + if (!CBS_get_u8(&cbs, &msg_type)) + return TLS13_IO_FAILURE; + if (!CBS_get_u24(&cbs, &msg_len)) + return TLS13_IO_FAILURE; + + /* XXX - do we want to make this variable on message type? 
*/ + if (msg_len > TLS13_HANDSHAKE_MSG_MAX_LEN) + return TLS13_IO_FAILURE; + + msg->msg_type = msg_type; + msg->msg_len = msg_len; + } + + if ((ret = tls13_buffer_extend(msg->buf, + TLS13_HANDSHAKE_MSG_HEADER_LEN + msg->msg_len, + tls13_handshake_msg_read_cb, rl)) <= 0) + return ret; + + if (!tls13_buffer_finish(msg->buf, &msg->data, &msg->data_len)) + return TLS13_IO_FAILURE; + + return TLS13_IO_SUCCESS; +} + +int +tls13_handshake_msg_send(struct tls13_handshake_msg *msg, + struct tls13_record_layer *rl) +{ + ssize_t ret; + + if (msg->data == NULL) + return TLS13_IO_FAILURE; + + if (CBS_len(&msg->cbs) == 0) + return TLS13_IO_FAILURE; + + while (CBS_len(&msg->cbs) > 0) { + if ((ret = tls13_write_handshake_data(rl, CBS_data(&msg->cbs), + CBS_len(&msg->cbs))) <= 0) + return ret; + + if (!CBS_skip(&msg->cbs, ret)) + return TLS13_IO_FAILURE; + } + + return TLS13_IO_SUCCESS; +} diff --git a/ssl/tls13_internal.h b/ssl/tls13_internal.h new file mode 100644 index 0000000..03a1a6b --- /dev/null +++ b/ssl/tls13_internal.h 
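Review bot: `tls13_handshake_msg_new()` is defined with an empty parameter list while tls13_internal.h declares it as `tls13_handshake_msg_new(void)`; in C an empty list is an unprototyped declaration, so the definition should read `tls13_handshake_msg_new(void)` to match the prototype. In `tls13_handshake_msg_recv` the test `msg->msg_type == 0` doubles as "header not parsed yet", but 0 is also the wire value of `TLS13_MT_HELLO_REQUEST_RESERVED`, so a peer sending that reserved type would have its header re-read and re-parsed on each resumed call; this appears harmless because the `TLS13_HANDSHAKE_MSG_MAX_LEN` check and the caller's message-type check still apply, but a dedicated flag removes the overloading, e.g. `if (!msg->header_parsed) {` around the header block and `msg->header_parsed = 1;` after `msg->msg_len = msg_len;`. The 256 KiB bound is applied before any body bytes are buffered, which is the right place; the XXX above it about a per-type limit is worth keeping on the list, since most message types could be capped far lower than a certificate chain.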
@@ -0,0 +1,424 @@ +/* $OpenBSD: tls13_internal.h,v 1.86 2020/07/30 16:23:17 tb Exp $ */ +/* + * Copyright (c) 2018 Bob Beck + * Copyright (c) 2018 Theo Buehler + * Copyright (c) 2018, 2019 Joel Sing + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#ifndef HEADER_TLS13_INTERNAL_H +#define HEADER_TLS13_INTERNAL_H + +#include +#include + +#include "bytestring.h" + +__BEGIN_HIDDEN_DECLS + +#define TLS13_HS_CLIENT 1 +#define TLS13_HS_SERVER 2 + +#define TLS13_IO_SUCCESS 1 +#define TLS13_IO_EOF 0 +#define TLS13_IO_FAILURE -1 +#define TLS13_IO_ALERT -2 +#define TLS13_IO_WANT_POLLIN -3 +#define TLS13_IO_WANT_POLLOUT -4 +#define TLS13_IO_WANT_RETRY -5 /* Retry the previous call immediately. 
*/ +#define TLS13_IO_USE_LEGACY -6 +#define TLS13_IO_RECORD_VERSION -7 +#define TLS13_IO_RECORD_OVERFLOW -8 + +#define TLS13_ERR_VERIFY_FAILED 16 +#define TLS13_ERR_HRR_FAILED 17 +#define TLS13_ERR_TRAILING_DATA 18 +#define TLS13_ERR_NO_SHARED_CIPHER 19 +#define TLS13_ERR_NO_CERTIFICATE 20 +#define TLS13_ERR_NO_PEER_CERTIFICATE 21 + +#define TLS13_ALERT_LEVEL_WARNING 1 +#define TLS13_ALERT_LEVEL_FATAL 2 + +#define TLS13_ALERT_CLOSE_NOTIFY 0 +#define TLS13_ALERT_UNEXPECTED_MESSAGE 10 +#define TLS13_ALERT_BAD_RECORD_MAC 20 +#define TLS13_ALERT_RECORD_OVERFLOW 22 +#define TLS13_ALERT_HANDSHAKE_FAILURE 40 +#define TLS13_ALERT_BAD_CERTIFICATE 42 +#define TLS13_ALERT_UNSUPPORTED_CERTIFICATE 43 +#define TLS13_ALERT_CERTIFICATE_REVOKED 44 +#define TLS13_ALERT_CERTIFICATE_EXPIRED 45 +#define TLS13_ALERT_CERTIFICATE_UNKNOWN 46 +#define TLS13_ALERT_ILLEGAL_PARAMETER 47 +#define TLS13_ALERT_UNKNOWN_CA 48 +#define TLS13_ALERT_ACCESS_DENIED 49 +#define TLS13_ALERT_DECODE_ERROR 50 +#define TLS13_ALERT_DECRYPT_ERROR 51 +#define TLS13_ALERT_PROTOCOL_VERSION 70 +#define TLS13_ALERT_INSUFFICIENT_SECURITY 71 +#define TLS13_ALERT_INTERNAL_ERROR 80 +#define TLS13_ALERT_INAPPROPRIATE_FALLBACK 86 +#define TLS13_ALERT_USER_CANCELED 90 +#define TLS13_ALERT_MISSING_EXTENSION 109 +#define TLS13_ALERT_UNSUPPORTED_EXTENSION 110 +#define TLS13_ALERT_UNRECOGNIZED_NAME 112 +#define TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE 113 +#define TLS13_ALERT_UNKNOWN_PSK_IDENTITY 115 +#define TLS13_ALERT_CERTIFICATE_REQUIRED 116 +#define TLS13_ALERT_NO_APPLICATION_PROTOCOL 120 + +#define TLS13_INFO_HANDSHAKE_STARTED SSL_CB_HANDSHAKE_START +#define TLS13_INFO_HANDSHAKE_COMPLETED SSL_CB_HANDSHAKE_DONE + +typedef void (*tls13_alert_cb)(uint8_t _alert_desc, void *_cb_arg); +typedef ssize_t (*tls13_phh_recv_cb)(void *_cb_arg, CBS *_cbs); +typedef void (*tls13_phh_sent_cb)(void *_cb_arg); +typedef ssize_t (*tls13_read_cb)(void *_buf, size_t _buflen, void *_cb_arg); +typedef ssize_t (*tls13_write_cb)(const void 
*_buf, size_t _buflen, + void *_cb_arg); +typedef void (*tls13_handshake_message_cb)(void *_cb_arg); +typedef void (*tls13_info_cb)(void *_cb_arg, int _state, int _ret); +typedef int (*tls13_ocsp_status_cb)(void *_cb_arg); + +/* + * Buffers. + */ +struct tls13_buffer; + +struct tls13_buffer *tls13_buffer_new(size_t init_size); +int tls13_buffer_set_data(struct tls13_buffer *buf, CBS *data); +void tls13_buffer_free(struct tls13_buffer *buf); +ssize_t tls13_buffer_extend(struct tls13_buffer *buf, size_t len, + tls13_read_cb read_cb, void *cb_arg); +void tls13_buffer_cbs(struct tls13_buffer *buf, CBS *cbs); +int tls13_buffer_finish(struct tls13_buffer *buf, uint8_t **out, + size_t *out_len); + +/* + * Secrets. + */ +struct tls13_secret { + uint8_t *data; + size_t len; +}; + +/* RFC 8446 Section 7.1 Page 92 */ +struct tls13_secrets { + const EVP_MD *digest; + int resumption; + int init_done; + int early_done; + int handshake_done; + int schedule_done; + int insecure; /* Set by tests */ + struct tls13_secret zeros; + struct tls13_secret empty_hash; + struct tls13_secret extracted_early; + struct tls13_secret binder_key; + struct tls13_secret client_early_traffic; + struct tls13_secret early_exporter_master; + struct tls13_secret derived_early; + struct tls13_secret extracted_handshake; + struct tls13_secret client_handshake_traffic; + struct tls13_secret server_handshake_traffic; + struct tls13_secret derived_handshake; + struct tls13_secret extracted_master; + struct tls13_secret client_application_traffic; + struct tls13_secret server_application_traffic; + struct tls13_secret exporter_master; + struct tls13_secret resumption_master; +}; + +struct tls13_secrets *tls13_secrets_create(const EVP_MD *digest, + int resumption); +void tls13_secrets_destroy(struct tls13_secrets *secrets); + +int tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, + const struct tls13_secret *secret, const char *label, + const struct tls13_secret *context); + +int 
tls13_derive_early_secrets(struct tls13_secrets *secrets, uint8_t *psk, + size_t psk_len, const struct tls13_secret *context); +int tls13_derive_handshake_secrets(struct tls13_secrets *secrets, + const uint8_t *ecdhe, size_t ecdhe_len, const struct tls13_secret *context); +int tls13_derive_application_secrets(struct tls13_secrets *secrets, + const struct tls13_secret *context); +int tls13_update_client_traffic_secret(struct tls13_secrets *secrets); +int tls13_update_server_traffic_secret(struct tls13_secrets *secrets); + +/* + * Key shares. + */ +struct tls13_key_share; + +struct tls13_key_share *tls13_key_share_new(uint16_t group_id); +struct tls13_key_share *tls13_key_share_new_nid(int nid); +void tls13_key_share_free(struct tls13_key_share *ks); + +uint16_t tls13_key_share_group(struct tls13_key_share *ks); +int tls13_key_share_peer_pkey(struct tls13_key_share *ks, EVP_PKEY *pkey); +int tls13_key_share_generate(struct tls13_key_share *ks); +int tls13_key_share_public(struct tls13_key_share *ks, CBB *cbb); +int tls13_key_share_peer_public(struct tls13_key_share *ks, uint16_t group, + CBS *cbs); +int tls13_key_share_derive(struct tls13_key_share *ks, uint8_t **shared_key, + size_t *shared_key_len); + +/* + * Record Layer. 
+ */ +struct tls13_record_layer; + +struct tls13_record_layer_callbacks { + tls13_read_cb wire_read; + tls13_write_cb wire_write; + tls13_alert_cb alert_recv; + tls13_alert_cb alert_sent; + tls13_phh_recv_cb phh_recv; + tls13_phh_sent_cb phh_sent; +}; + +struct tls13_record_layer *tls13_record_layer_new( + const struct tls13_record_layer_callbacks *callbacks, void *cb_arg); +void tls13_record_layer_free(struct tls13_record_layer *rl); +void tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow); +void tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow); +void tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs); +void tls13_record_layer_set_aead(struct tls13_record_layer *rl, + const EVP_AEAD *aead); +void tls13_record_layer_set_hash(struct tls13_record_layer *rl, + const EVP_MD *hash); +void tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, + uint16_t version); +void tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry); +void tls13_record_layer_handshake_completed(struct tls13_record_layer *rl); +int tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, + struct tls13_secret *read_key); +int tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, + struct tls13_secret *write_key); +ssize_t tls13_record_layer_send_pending(struct tls13_record_layer *rl); +ssize_t tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs); + +ssize_t tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n); +ssize_t tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, + size_t n); +ssize_t tls13_pending_application_data(struct tls13_record_layer *rl); +ssize_t tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n); +ssize_t tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n); +ssize_t tls13_write_application_data(struct tls13_record_layer 
*rl, const uint8_t *buf, + size_t n); + +ssize_t tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc); +ssize_t tls13_send_dummy_ccs(struct tls13_record_layer *rl); + +/* + * Handshake Messages. + */ +struct tls13_handshake_msg; + +struct tls13_handshake_msg *tls13_handshake_msg_new(void); +void tls13_handshake_msg_free(struct tls13_handshake_msg *msg); +void tls13_handshake_msg_data(struct tls13_handshake_msg *msg, CBS *cbs); +int tls13_handshake_msg_set_buffer(struct tls13_handshake_msg *msg, CBS *cbs); +uint8_t tls13_handshake_msg_type(struct tls13_handshake_msg *msg); +int tls13_handshake_msg_content(struct tls13_handshake_msg *msg, CBS *cbs); +int tls13_handshake_msg_start(struct tls13_handshake_msg *msg, CBB *body, + uint8_t msg_type); +int tls13_handshake_msg_finish(struct tls13_handshake_msg *msg); +int tls13_handshake_msg_recv(struct tls13_handshake_msg *msg, + struct tls13_record_layer *rl); +int tls13_handshake_msg_send(struct tls13_handshake_msg *msg, + struct tls13_record_layer *rl); + +struct tls13_handshake_stage { + uint8_t hs_type; + uint8_t message_number; +}; + +struct ssl_handshake_tls13_st; + +struct tls13_error { + int code; + int subcode; + int errnum; + const char *file; + int line; + char *msg; +}; + +struct tls13_ctx { + struct tls13_error error; + + SSL *ssl; + struct ssl_handshake_tls13_st *hs; + uint8_t mode; + struct tls13_handshake_stage handshake_stage; + int handshake_started; + int handshake_completed; + int middlebox_compat; + int send_dummy_ccs; + int send_dummy_ccs_after; + + int close_notify_sent; + int close_notify_recv; + + const EVP_AEAD *aead; + const EVP_MD *hash; + + struct tls13_record_layer *rl; + struct tls13_handshake_msg *hs_msg; + uint8_t key_update_request; + uint8_t alert; + int phh_count; + time_t phh_last_seen; + + tls13_handshake_message_cb handshake_message_sent_cb; + tls13_handshake_message_cb handshake_message_recv_cb; + tls13_info_cb info_cb; + tls13_ocsp_status_cb ocsp_status_recv_cb; +}; 
+#ifndef TLS13_PHH_LIMIT_TIME +#define TLS13_PHH_LIMIT_TIME 3600 +#endif +#ifndef TLS13_PHH_LIMIT +#define TLS13_PHH_LIMIT 100 +#endif + +struct tls13_ctx *tls13_ctx_new(int mode); +void tls13_ctx_free(struct tls13_ctx *ctx); + +const EVP_AEAD *tls13_cipher_aead(const SSL_CIPHER *cipher); +const EVP_MD *tls13_cipher_hash(const SSL_CIPHER *cipher); + +/* + * Legacy interfaces. + */ +int tls13_use_legacy_client(struct tls13_ctx *ctx); +int tls13_use_legacy_server(struct tls13_ctx *ctx); +int tls13_legacy_accept(SSL *ssl); +int tls13_legacy_connect(SSL *ssl); +int tls13_legacy_return_code(SSL *ssl, ssize_t ret); +ssize_t tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg); +ssize_t tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg); +int tls13_legacy_pending(const SSL *ssl); +int tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, + int peek); +int tls13_legacy_write_bytes(SSL *ssl, int type, const void *buf, int len); +int tls13_legacy_shutdown(SSL *ssl); +int tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert); + +/* + * Message Types - RFC 8446, Section B.3. + * + * Values listed as "_RESERVED" were used in previous versions of TLS and are + * listed here for completeness. TLS 1.3 implementations MUST NOT send them but + * might receive them from older TLS implementations. 
+ */ +#define TLS13_MT_HELLO_REQUEST_RESERVED 0 +#define TLS13_MT_CLIENT_HELLO 1 +#define TLS13_MT_SERVER_HELLO 2 +#define TLS13_MT_HELLO_VERIFY_REQUEST_RESERVED 3 +#define TLS13_MT_NEW_SESSION_TICKET 4 +#define TLS13_MT_END_OF_EARLY_DATA 5 +#define TLS13_MT_HELLO_RETRY_REQUEST_RESERVED 6 +#define TLS13_MT_ENCRYPTED_EXTENSIONS 8 +#define TLS13_MT_CERTIFICATE 11 +#define TLS13_MT_SERVER_KEY_EXCHANGE_RESERVED 12 +#define TLS13_MT_CERTIFICATE_REQUEST 13 +#define TLS13_MT_SERVER_HELLO_DONE_RESERVED 14 +#define TLS13_MT_CERTIFICATE_VERIFY 15 +#define TLS13_MT_CLIENT_KEY_EXCHANGE_RESERVED 16 +#define TLS13_MT_FINISHED 20 +#define TLS13_MT_CERTIFICATE_URL_RESERVED 21 +#define TLS13_MT_CERTIFICATE_STATUS_RESERVED 22 +#define TLS13_MT_SUPPLEMENTAL_DATA_RESERVED 23 +#define TLS13_MT_KEY_UPDATE 24 +#define TLS13_MT_MESSAGE_HASH 254 + +int tls13_handshake_msg_record(struct tls13_ctx *ctx); +int tls13_handshake_perform(struct tls13_ctx *ctx); + +int tls13_client_init(struct tls13_ctx *ctx); +int tls13_server_init(struct tls13_ctx *ctx); +int tls13_client_connect(struct tls13_ctx *ctx); +int tls13_server_accept(struct tls13_ctx *ctx); + +int tls13_client_hello_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_client_hello_sent(struct tls13_ctx *ctx); +int tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_client_hello_retry_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_client_end_of_early_data_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_client_certificate_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_client_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs); +int 
tls13_client_finished_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_client_finished_sent(struct tls13_ctx *ctx); +int tls13_server_hello_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_server_hello_sent(struct tls13_ctx *ctx); +int tls13_server_hello_retry_request_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx); +int tls13_server_encrypted_extensions_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_server_certificate_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_server_certificate_request_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_server_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_server_finished_recv(struct tls13_ctx *ctx, CBS *cbs); +int tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb); +int tls13_server_finished_sent(struct tls13_ctx *ctx); + +void tls13_error_clear(struct tls13_error *error); +int tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert, + int(*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb)); + +int tls13_synthetic_handshake_message(struct tls13_ctx *ctx); +int tls13_clienthello_hash_init(struct tls13_ctx *ctx); +void tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs); +int tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data, + size_t len); +int tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs); +int tls13_clienthello_hash_finalize(struct tls13_ctx *ctx); +int tls13_clienthello_hash_validate(struct tls13_ctx *ctx); + +int tls13_error_set(struct 
tls13_error *error, int code, int subcode, + const char *file, int line, const char *fmt, ...); +int tls13_error_setx(struct tls13_error *error, int code, int subcode, + const char *file, int line, const char *fmt, ...); + +#define tls13_set_error(ctx, code, subcode, fmt, ...) \ + tls13_error_set(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \ + (fmt), __VA_ARGS__) +#define tls13_set_errorx(ctx, code, subcode, fmt, ...) \ + tls13_error_setx(&(ctx)->error, (code), (subcode), __FILE__, __LINE__, \ + (fmt), __VA_ARGS__) + +extern const uint8_t tls13_downgrade_12[8]; +extern const uint8_t tls13_downgrade_11[8]; +extern const uint8_t tls13_hello_retry_request_hash[32]; +extern const uint8_t tls13_cert_verify_pad[64]; +extern const uint8_t tls13_cert_client_verify_context[]; +extern const uint8_t tls13_cert_server_verify_context[]; + +__END_HIDDEN_DECLS + +#endif diff --git a/ssl/tls13_key_schedule.c b/ssl/tls13_key_schedule.c new file mode 100644 index 0000000..91f59e4 --- /dev/null +++ b/ssl/tls13_key_schedule.c 
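Review bot: The `tls13_set_error` and `tls13_set_errorx` macros expand to `(fmt), __VA_ARGS__` with an unconditional comma, so they cannot be invoked with a format string alone; the callers in this commit pass a trailing `NULL` (for instance the `TLS13_ERR_TRAILING_DATA` call in tls13_handshake.c), and that convention is documented nowhere. A comment above the macros such as `/* At least one argument after fmt is required; pass NULL when the format takes none. */` would save the next caller an opaque preprocessor error. The `insecure` field of `struct tls13_secrets` is annotated only with `/* Set by tests */`, yet tls13_key_schedule.c uses it to skip the `explicit_bzero` of the extracted and derived secrets, so the comment should say so, e.g. `/* Set by tests - leaves intermediate secrets in memory instead of zeroing them */`. `TLS13_PHH_LIMIT` and `TLS13_PHH_LIMIT_TIME` are overridable defaults with no comment on units or meaning; judging by `phh_count` and `phh_last_seen` in `struct tls13_ctx` they bound post-handshake handshake messages per time window, but that is inferred and a one-line comment would settle it, and the closing `#endif` lacks the `/* !HEADER_... */` trailer that the sibling tls13_handshake.h uses.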
@@ -0,0 +1,380 @@ +/* $OpenBSD: tls13_key_schedule.c,v 1.8 2019/11/17 21:01:08 beck Exp $ */ +/* Copyright (c) 2018, Bob Beck + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include +#include + +#include + +#include "bytestring.h" +#include "tls13_internal.h" + +void +tls13_secrets_destroy(struct tls13_secrets *secrets) +{ + if (secrets == NULL) + return; + + /* you can never be too sure :) */ + freezero(secrets->zeros.data, secrets->zeros.len); + freezero(secrets->empty_hash.data, secrets->empty_hash.len); + + freezero(secrets->extracted_early.data, + secrets->extracted_early.len); + freezero(secrets->binder_key.data, + secrets->binder_key.len); + freezero(secrets->client_early_traffic.data, + secrets->client_early_traffic.len); + freezero(secrets->early_exporter_master.data, + secrets->early_exporter_master.len); + freezero(secrets->derived_early.data, + secrets->derived_early.len); + freezero(secrets->extracted_handshake.data, + secrets->extracted_handshake.len); + freezero(secrets->client_handshake_traffic.data, + secrets->client_handshake_traffic.len); + freezero(secrets->server_handshake_traffic.data, + secrets->server_handshake_traffic.len); + freezero(secrets->derived_handshake.data, + secrets->derived_handshake.len); + freezero(secrets->extracted_master.data, + 
secrets->extracted_master.len); + freezero(secrets->client_application_traffic.data, + secrets->client_application_traffic.len); + freezero(secrets->server_application_traffic.data, + secrets->server_application_traffic.len); + freezero(secrets->exporter_master.data, + secrets->exporter_master.len); + freezero(secrets->resumption_master.data, + secrets->resumption_master.len); + + freezero(secrets, sizeof(struct tls13_secrets)); +} + +/* + * Allocate a set of secrets for a key schedule using + * a size of hash_length from RFC 8446 section 7.1. + */ +struct tls13_secrets * +tls13_secrets_create(const EVP_MD *digest, int resumption) +{ + struct tls13_secrets *secrets = NULL; + EVP_MD_CTX *mdctx = NULL; + unsigned int mdlen; + size_t hash_length; + + hash_length = EVP_MD_size(digest); + + if ((secrets = calloc(1, sizeof(struct tls13_secrets))) == NULL) + goto err; + + if ((secrets->zeros.data = calloc(hash_length, sizeof(uint8_t))) == + NULL) + goto err; + secrets->zeros.len = hash_length; + + if ((secrets->empty_hash.data = malloc(hash_length)) == NULL) + goto err; + secrets->empty_hash.len = hash_length; + + if ((secrets->extracted_early.data = malloc(hash_length)) == NULL) + goto err; + secrets->extracted_early.len = hash_length; + if ((secrets->binder_key.data = malloc(hash_length)) == NULL) + goto err; + secrets->binder_key.len = hash_length; + if ((secrets->client_early_traffic.data = malloc(hash_length)) == NULL) + goto err; + secrets->client_early_traffic.len = hash_length; + if ((secrets->early_exporter_master.data = malloc(hash_length)) == + NULL) + goto err; + secrets->early_exporter_master.len = hash_length; + if ((secrets->derived_early.data = malloc(hash_length)) == NULL) + goto err; + secrets->derived_early.len = hash_length; + if ((secrets->extracted_handshake.data = malloc(hash_length)) == NULL) + goto err; + secrets->extracted_handshake.len = hash_length; + if ((secrets->client_handshake_traffic.data = malloc(hash_length)) + == NULL) + goto err; + 
secrets->client_handshake_traffic.len = hash_length; + if ((secrets->server_handshake_traffic.data = malloc(hash_length)) + == NULL) + goto err; + secrets->server_handshake_traffic.len = hash_length; + if ((secrets->derived_handshake.data = malloc(hash_length)) == NULL) + goto err; + secrets->derived_handshake.len = hash_length; + if ((secrets->extracted_master.data = malloc(hash_length)) == NULL) + goto err; + secrets->extracted_master.len = hash_length; + if ((secrets->client_application_traffic.data = malloc(hash_length)) == + NULL) + goto err; + secrets->client_application_traffic.len = hash_length; + if ((secrets->server_application_traffic.data = malloc(hash_length)) == + NULL) + goto err; + secrets->server_application_traffic.len = hash_length; + if ((secrets->exporter_master.data = malloc(hash_length)) == NULL) + goto err; + secrets->exporter_master.len = hash_length; + if ((secrets->resumption_master.data = malloc(hash_length)) == NULL) + goto err; + secrets->resumption_master.len = hash_length; + + /* + * Calculate the hash of a zero-length string - this is needed during + * the "derived" step for key extraction. 
+ */ + if ((mdctx = EVP_MD_CTX_new()) == NULL) + goto err; + if (!EVP_DigestInit_ex(mdctx, digest, NULL)) + goto err; + if (!EVP_DigestUpdate(mdctx, secrets->zeros.data, 0)) + goto err; + if (!EVP_DigestFinal_ex(mdctx, secrets->empty_hash.data, &mdlen)) + goto err; + EVP_MD_CTX_free(mdctx); + mdctx = NULL; + + if (secrets->empty_hash.len != mdlen) + goto err; + + secrets->digest = digest; + secrets->resumption = resumption; + secrets->init_done = 1; + + return secrets; + + err: + tls13_secrets_destroy(secrets); + EVP_MD_CTX_free(mdctx); + + return NULL; +} + +int +tls13_hkdf_expand_label(struct tls13_secret *out, const EVP_MD *digest, + const struct tls13_secret *secret, const char *label, + const struct tls13_secret *context) +{ + const char tls13_plabel[] = "tls13 "; + uint8_t *hkdf_label; + size_t hkdf_label_len; + CBB cbb, child; + int ret; + + if (!CBB_init(&cbb, 256)) + return 0; + if (!CBB_add_u16(&cbb, out->len)) + goto err; + if (!CBB_add_u8_length_prefixed(&cbb, &child)) + goto err; + if (!CBB_add_bytes(&child, tls13_plabel, strlen(tls13_plabel))) + goto err; + if (!CBB_add_bytes(&child, label, strlen(label))) + goto err; + if (!CBB_add_u8_length_prefixed(&cbb, &child)) + goto err; + if (!CBB_add_bytes(&child, context->data, context->len)) + goto err; + if (!CBB_finish(&cbb, &hkdf_label, &hkdf_label_len)) + goto err; + + ret = HKDF_expand(out->data, out->len, digest, secret->data, + secret->len, hkdf_label, hkdf_label_len); + + free(hkdf_label); + return(ret); + err: + CBB_cleanup(&cbb); + return(0); +} + +static int +tls13_derive_secret(struct tls13_secret *out, const EVP_MD *digest, + const struct tls13_secret *secret, const char *label, + const struct tls13_secret *context) +{ + return tls13_hkdf_expand_label(out, digest, secret, label, context); +} + +int +tls13_derive_early_secrets(struct tls13_secrets *secrets, + uint8_t *psk, size_t psk_len, const struct tls13_secret *context) +{ + if (!secrets->init_done || secrets->early_done) + return 0; + + if 
(!HKDF_extract(secrets->extracted_early.data, + &secrets->extracted_early.len, secrets->digest, psk, psk_len, + secrets->zeros.data, secrets->zeros.len)) + return 0; + + if (secrets->extracted_early.len != secrets->zeros.len) + return 0; + + if (!tls13_derive_secret(&secrets->binder_key, secrets->digest, + &secrets->extracted_early, + secrets->resumption ? "res binder" : "ext binder", + &secrets->empty_hash)) + return 0; + if (!tls13_derive_secret(&secrets->client_early_traffic, + secrets->digest, &secrets->extracted_early, "c e traffic", + context)) + return 0; + if (!tls13_derive_secret(&secrets->early_exporter_master, + secrets->digest, &secrets->extracted_early, "e exp master", + context)) + return 0; + if (!tls13_derive_secret(&secrets->derived_early, + secrets->digest, &secrets->extracted_early, "derived", + &secrets->empty_hash)) + return 0; + + /* RFC 8446 recommends */ + if (!secrets->insecure) + explicit_bzero(secrets->extracted_early.data, + secrets->extracted_early.len); + secrets->early_done = 1; + return 1; +} + +int +tls13_derive_handshake_secrets(struct tls13_secrets *secrets, + const uint8_t *ecdhe, size_t ecdhe_len, + const struct tls13_secret *context) +{ + if (!secrets->init_done || !secrets->early_done || + secrets->handshake_done) + return 0; + + if (!HKDF_extract(secrets->extracted_handshake.data, + &secrets->extracted_handshake.len, secrets->digest, + ecdhe, ecdhe_len, secrets->derived_early.data, + secrets->derived_early.len)) + return 0; + + if (secrets->extracted_handshake.len != secrets->zeros.len) + return 0; + + /* XXX */ + if (!secrets->insecure) + explicit_bzero(secrets->derived_early.data, + secrets->derived_early.len); + + if (!tls13_derive_secret(&secrets->client_handshake_traffic, + secrets->digest, &secrets->extracted_handshake, "c hs traffic", + context)) + return 0; + if (!tls13_derive_secret(&secrets->server_handshake_traffic, + secrets->digest, &secrets->extracted_handshake, "s hs traffic", + context)) + return 0; + if 
(!tls13_derive_secret(&secrets->derived_handshake, + secrets->digest, &secrets->extracted_handshake, "derived", + &secrets->empty_hash)) + return 0; + + /* RFC 8446 recommends */ + if (!secrets->insecure) + explicit_bzero(secrets->extracted_handshake.data, + secrets->extracted_handshake.len); + + secrets->handshake_done = 1; + + return 1; +} + +int +tls13_derive_application_secrets(struct tls13_secrets *secrets, + const struct tls13_secret *context) +{ + if (!secrets->init_done || !secrets->early_done || + !secrets->handshake_done || secrets->schedule_done) + return 0; + + if (!HKDF_extract(secrets->extracted_master.data, + &secrets->extracted_master.len, secrets->digest, + secrets->zeros.data, secrets->zeros.len, + secrets->derived_handshake.data, secrets->derived_handshake.len)) + return 0; + + if (secrets->extracted_master.len != secrets->zeros.len) + return 0; + + /* XXX */ + if (!secrets->insecure) + explicit_bzero(secrets->derived_handshake.data, + secrets->derived_handshake.len); + + if (!tls13_derive_secret(&secrets->client_application_traffic, + secrets->digest, &secrets->extracted_master, "c ap traffic", + context)) + return 0; + if (!tls13_derive_secret(&secrets->server_application_traffic, + secrets->digest, &secrets->extracted_master, "s ap traffic", + context)) + return 0; + if (!tls13_derive_secret(&secrets->exporter_master, + secrets->digest, &secrets->extracted_master, "exp master", + context)) + return 0; + if (!tls13_derive_secret(&secrets->resumption_master, + secrets->digest, &secrets->extracted_master, "res master", + context)) + return 0; + + /* RFC 8446 recommends */ + if (!secrets->insecure) + explicit_bzero(secrets->extracted_master.data, + secrets->extracted_master.len); + + secrets->schedule_done = 1; + + return 1; +} + +int +tls13_update_client_traffic_secret(struct tls13_secrets *secrets) +{ + struct tls13_secret context = { .data = "", .len = 0 }; + + if (!secrets->init_done || !secrets->early_done || + !secrets->handshake_done || 
!secrets->schedule_done) + return 0; + + return tls13_hkdf_expand_label(&secrets->client_application_traffic, + secrets->digest, &secrets->client_application_traffic, + "traffic upd", &context); +} + +int +tls13_update_server_traffic_secret(struct tls13_secrets *secrets) +{ + struct tls13_secret context = { .data = "", .len = 0 }; + + if (!secrets->init_done || !secrets->early_done || + !secrets->handshake_done || !secrets->schedule_done) + return 0; + + return tls13_hkdf_expand_label(&secrets->server_application_traffic, + secrets->digest, &secrets->server_application_traffic, + "traffic upd", &context); +} diff --git a/ssl/tls13_key_share.c b/ssl/tls13_key_share.c new file mode 100644 index 0000000..0d1c091 --- /dev/null +++ b/ssl/tls13_key_share.c 
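Review bot: `tls13_derive_early_secrets` takes the PSK as `uint8_t *psk` while `tls13_derive_handshake_secrets` takes `const uint8_t *ecdhe`, and the PSK is only ever read (it goes straight into `HKDF_extract`), so the parameter should be `const uint8_t *psk` here and in the prototype in tls13_internal.h so callers holding const key material need no cast. In `tls13_update_client_traffic_secret` and `tls13_update_server_traffic_secret`, `struct tls13_secret context = { .data = "", .len = 0 }` initialises the `uint8_t *data` member from a `char` string literal, which draws an incompatible-pointer-type warning on strict builds; a local `uint8_t empty[1] = { 0 };` with `.data = empty` keeps a valid non-NULL pointer for the zero-length `CBB_add_bytes` and is warning-free. The three `/* RFC 8446 recommends */` comments stop mid-thought and leave the reader to guess what is recommended, and the two `/* XXX */` comments above the `derived_*` zeroing say nothing; something like `/* RFC 8446 Section 7.1: zero the extracted secret once its derived secrets exist. */` (adjusted to the section that actually applies) would carry the intent. `tls13_secrets_create` stores the `int` result of `EVP_MD_size(digest)` in a `size_t`, so an error return becomes a huge `calloc` that reaches `err:` only because the allocation fails; an explicit `if (EVP_MD_size(digest) <= 0) return NULL;` ahead of the assignment makes the rejection deliberate.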
@@ -0,0 +1,324 @@ +/* $OpenBSD: tls13_key_share.c,v 1.6 2020/04/18 14:07:56 jsing Exp $ */ +/* + * Copyright (c) 2020 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include + +#include "bytestring.h" +#include "ssl_locl.h" +#include "tls13_internal.h" + +struct tls13_key_share { + int nid; + uint16_t group_id; + + EC_KEY *ecdhe; + EC_KEY *ecdhe_peer; + + uint8_t *x25519_public; + uint8_t *x25519_private; + uint8_t *x25519_peer_public; +}; + +struct tls13_key_share * +tls13_key_share_new(uint16_t group_id) +{ + struct tls13_key_share *ks; + int nid; + + if ((nid = tls1_ec_curve_id2nid(group_id)) == 0) + return NULL; + + if ((ks = calloc(1, sizeof(struct tls13_key_share))) == NULL) + return NULL; + + ks->group_id = group_id; + ks->nid = nid; + + return ks; +} + +struct tls13_key_share * +tls13_key_share_new_nid(int nid) +{ + uint16_t group_id; + + if ((group_id = tls1_ec_nid2curve_id(nid)) == 0) + return NULL; + + return tls13_key_share_new(group_id); +} + +void +tls13_key_share_free(struct tls13_key_share *ks) +{ + if (ks == NULL) + return; + + EC_KEY_free(ks->ecdhe); + EC_KEY_free(ks->ecdhe_peer); + + freezero(ks->x25519_public, X25519_KEY_LENGTH); + freezero(ks->x25519_private, X25519_KEY_LENGTH); + freezero(ks->x25519_peer_public, X25519_KEY_LENGTH); + 
+ freezero(ks, sizeof(*ks)); +} + +uint16_t +tls13_key_share_group(struct tls13_key_share *ks) +{ + return ks->group_id; +} + +int +tls13_key_share_peer_pkey(struct tls13_key_share *ks, EVP_PKEY *pkey) +{ + if (ks->nid == NID_X25519 && ks->x25519_peer_public != NULL) { + if (!ssl_kex_dummy_ecdhe_x25519(pkey)) + return 0; + } else if (ks->ecdhe_peer != NULL) { + if (!EVP_PKEY_set1_EC_KEY(pkey, ks->ecdhe_peer)) + return 0; + } else { + return 0; + } + + return 1; +} + +static int +tls13_key_share_generate_ecdhe_ecp(struct tls13_key_share *ks) +{ + EC_KEY *ecdhe = NULL; + int ret = 0; + + if (ks->ecdhe != NULL) + goto err; + + if ((ecdhe = EC_KEY_new()) == NULL) + goto err; + if (!ssl_kex_generate_ecdhe_ecp(ecdhe, ks->nid)) + goto err; + + ks->ecdhe = ecdhe; + ecdhe = NULL; + + ret = 1; + + err: + EC_KEY_free(ecdhe); + + return ret; +} + +static int +tls13_key_share_generate_x25519(struct tls13_key_share *ks) +{ + uint8_t *public = NULL, *private = NULL; + int ret = 0; + + if (ks->x25519_public != NULL || ks->x25519_private != NULL) + goto err; + + if ((public = calloc(1, X25519_KEY_LENGTH)) == NULL) + goto err; + if ((private = calloc(1, X25519_KEY_LENGTH)) == NULL) + goto err; + + X25519_keypair(public, private); + + ks->x25519_public = public; + ks->x25519_private = private; + public = NULL; + private = NULL; + + ret = 1; + + err: + freezero(public, X25519_KEY_LENGTH); + freezero(private, X25519_KEY_LENGTH); + + return ret; +} + +int +tls13_key_share_generate(struct tls13_key_share *ks) +{ + if (ks->nid == NID_X25519) + return tls13_key_share_generate_x25519(ks); + + return tls13_key_share_generate_ecdhe_ecp(ks); +} + +static int +tls13_key_share_public_ecdhe_ecp(struct tls13_key_share *ks, CBB *cbb) +{ + if (ks->ecdhe == NULL) + return 0; + + return ssl_kex_public_ecdhe_ecp(ks->ecdhe, cbb); +} + +static int +tls13_key_share_public_x25519(struct tls13_key_share *ks, CBB *cbb) +{ + if (ks->x25519_public == NULL) + return 0; + + return CBB_add_bytes(cbb, 
ks->x25519_public, X25519_KEY_LENGTH); +} + +int +tls13_key_share_public(struct tls13_key_share *ks, CBB *cbb) +{ + CBB key_exchange; + + if (!CBB_add_u16(cbb, ks->group_id)) + goto err; + if (!CBB_add_u16_length_prefixed(cbb, &key_exchange)) + goto err; + + if (ks->nid == NID_X25519) { + if (!tls13_key_share_public_x25519(ks, &key_exchange)) + goto err; + } else { + if (!tls13_key_share_public_ecdhe_ecp(ks, &key_exchange)) + goto err; + } + + if (!CBB_flush(cbb)) + goto err; + + return 1; + + err: + return 0; +} + +static int +tls13_key_share_peer_public_ecdhe_ecp(struct tls13_key_share *ks, CBS *cbs) +{ + EC_KEY *ecdhe = NULL; + int ret = 0; + + if (ks->ecdhe_peer != NULL) + goto err; + + if ((ecdhe = EC_KEY_new()) == NULL) + goto err; + if (!ssl_kex_peer_public_ecdhe_ecp(ecdhe, ks->nid, cbs)) + goto err; + + ks->ecdhe_peer = ecdhe; + ecdhe = NULL; + + ret = 1; + + err: + EC_KEY_free(ecdhe); + + return ret; +} + +static int +tls13_key_share_peer_public_x25519(struct tls13_key_share *ks, CBS *cbs) +{ + size_t out_len; + + if (ks->x25519_peer_public != NULL) + return 0; + + if (CBS_len(cbs) != X25519_KEY_LENGTH) + return 0; + + return CBS_stow(cbs, &ks->x25519_peer_public, &out_len); +} + +int +tls13_key_share_peer_public(struct tls13_key_share *ks, uint16_t group, + CBS *cbs) +{ + if (ks->group_id != group) + return 0; + + if (ks->nid == NID_X25519) { + if (!tls13_key_share_peer_public_x25519(ks, cbs)) + return 0; + } else { + if (!tls13_key_share_peer_public_ecdhe_ecp(ks, cbs)) + return 0; + } + + return 1; +} + +static int +tls13_key_share_derive_ecdhe_ecp(struct tls13_key_share *ks, + uint8_t **shared_key, size_t *shared_key_len) +{ + if (ks->ecdhe == NULL || ks->ecdhe_peer == NULL) + return 0; + + return ssl_kex_derive_ecdhe_ecp(ks->ecdhe, ks->ecdhe_peer, + shared_key, shared_key_len); +} + +static int +tls13_key_share_derive_x25519(struct tls13_key_share *ks, + uint8_t **shared_key, size_t *shared_key_len) +{ + uint8_t *sk = NULL; + int ret = 0; + + if 
(ks->x25519_private == NULL || ks->x25519_peer_public == NULL) + goto err; + + if ((sk = calloc(1, X25519_KEY_LENGTH)) == NULL) + goto err; + if (!X25519(sk, ks->x25519_private, ks->x25519_peer_public)) + goto err; + + *shared_key = sk; + *shared_key_len = X25519_KEY_LENGTH; + sk = NULL; + + ret = 1; + + err: + freezero(sk, X25519_KEY_LENGTH); + + return ret; +} + +int +tls13_key_share_derive(struct tls13_key_share *ks, uint8_t **shared_key, + size_t *shared_key_len) +{ + if (*shared_key != NULL) + return 0; + + *shared_key_len = 0; + + if (ks->nid == NID_X25519) + return tls13_key_share_derive_x25519(ks, shared_key, + shared_key_len); + + return tls13_key_share_derive_ecdhe_ecp(ks, shared_key, + shared_key_len); +} diff --git a/ssl/tls13_legacy.c b/ssl/tls13_legacy.c new file mode 100644 index 0000000..317a1cb --- /dev/null +++ b/ssl/tls13_legacy.c 
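Review bot: tls13_key_share_derive_x25519 checks the return value of `X25519()` but nothing says why that matters: tls13_key_share_peer_public_x25519 accepts any 32-byte value, so rejecting a low-order peer point (an all-zero shared secret, which RFC 8446 section 7.4.2 says MUST abort the handshake) rests entirely on X25519() failing in that case — presumably true of libcrypto's implementation, but worth pinning with a comment on the call: `/* X25519() fails on an all-zero shared secret; this is the RFC 8446 7.4.2 low-order point check. */`. The same reliance exists on the ECP path, where point validation lives in ssl_kex_peer_public_ecdhe_ecp() outside this file. A second documentation point: tls13_key_share_free calls freezero with X25519_KEY_LENGTH on all three x25519 buffers, which is only correct because the generate path allocates exactly that size and the peer-public path stows only after the length check; a comment on the struct fields, `/* each X25519_KEY_LENGTH bytes when non-NULL; tls13_key_share_free depends on this */`, keeps a future change from breaking it silently.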
@@ -0,0 +1,525 @@ +/* $OpenBSD: tls13_legacy.c,v 1.13 2020/09/13 15:04:35 jsing Exp $ */ +/* + * Copyright (c) 2018, 2019 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include "ssl_locl.h" +#include "tls13_internal.h" + +SSL3_ENC_METHOD TLSv1_3_enc_data = { + .enc_flags = SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_TLS1_3_CIPHERS, +}; + +static ssize_t +tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len) +{ + int n; + + if (ssl->rbio == NULL) { + SSLerror(ssl, SSL_R_BIO_NOT_SET); + return TLS13_IO_FAILURE; + } + + ssl->internal->rwstate = SSL_READING; + errno = 0; + + if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) { + if (BIO_should_read(ssl->rbio)) + return TLS13_IO_WANT_POLLIN; + if (BIO_should_write(ssl->rbio)) + return TLS13_IO_WANT_POLLOUT; + if (n == 0) + return TLS13_IO_EOF; + + if (ERR_peek_error() == 0 && errno != 0) + SYSerror(errno); + + return TLS13_IO_FAILURE; + } + + if (n == len) + ssl->internal->rwstate = SSL_NOTHING; + + return n; +} + +ssize_t +tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg) +{ + struct tls13_ctx *ctx = arg; + + return tls13_legacy_wire_read(ctx->ssl, buf, n); +} + +static ssize_t +tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len) +{ + int n; + + if (ssl->wbio == NULL) { + SSLerror(ssl, 
SSL_R_BIO_NOT_SET); + return TLS13_IO_FAILURE; + } + + ssl->internal->rwstate = SSL_WRITING; + errno = 0; + + if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) { + if (BIO_should_read(ssl->wbio)) + return TLS13_IO_WANT_POLLIN; + if (BIO_should_write(ssl->wbio)) + return TLS13_IO_WANT_POLLOUT; + + if (ERR_peek_error() == 0 && errno != 0) + SYSerror(errno); + + return TLS13_IO_FAILURE; + } + + if (n == len) + ssl->internal->rwstate = SSL_NOTHING; + + return n; +} + +ssize_t +tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg) +{ + struct tls13_ctx *ctx = arg; + + return tls13_legacy_wire_write(ctx->ssl, buf, n); +} + +static void +tls13_legacy_error(SSL *ssl) +{ + struct tls13_ctx *ctx = ssl->internal->tls13; + int reason = SSL_R_UNKNOWN; + + /* If we received a fatal alert we already put an error on the stack. */ + if (S3I(ssl)->fatal_alert != 0) + return; + + switch (ctx->error.code) { + case TLS13_ERR_VERIFY_FAILED: + reason = SSL_R_CERTIFICATE_VERIFY_FAILED; + break; + case TLS13_ERR_HRR_FAILED: + reason = SSL_R_NO_CIPHERS_AVAILABLE; + break; + case TLS13_ERR_TRAILING_DATA: + reason = SSL_R_EXTRA_DATA_IN_MESSAGE; + break; + case TLS13_ERR_NO_SHARED_CIPHER: + reason = SSL_R_NO_SHARED_CIPHER; + break; + case TLS13_ERR_NO_CERTIFICATE: + reason = SSL_R_MISSING_RSA_CERTIFICATE; /* XXX */ + break; + case TLS13_ERR_NO_PEER_CERTIFICATE: + reason = SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE; + break; + } + + /* Something (probably libcrypto) already pushed an error on the stack. */ + if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0) + return; + + ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file, + ctx->error.line); +} + +int +tls13_legacy_return_code(SSL *ssl, ssize_t ret) +{ + if (ret > INT_MAX) { + SSLerror(ssl, ERR_R_INTERNAL_ERROR); + return -1; + } + + /* A successful read, write or other operation. 
*/ + if (ret > 0) + return ret; + + ssl->internal->rwstate = SSL_NOTHING; + + switch (ret) { + case TLS13_IO_EOF: + return 0; + + case TLS13_IO_FAILURE: + tls13_legacy_error(ssl); + return -1; + + case TLS13_IO_ALERT: + tls13_legacy_error(ssl); + return -1; + + case TLS13_IO_WANT_POLLIN: + BIO_set_retry_read(ssl->rbio); + ssl->internal->rwstate = SSL_READING; + return -1; + + case TLS13_IO_WANT_POLLOUT: + BIO_set_retry_write(ssl->wbio); + ssl->internal->rwstate = SSL_WRITING; + return -1; + + case TLS13_IO_WANT_RETRY: + SSLerror(ssl, ERR_R_INTERNAL_ERROR); + return -1; + } + + SSLerror(ssl, ERR_R_INTERNAL_ERROR); + return -1; +} + +int +tls13_legacy_pending(const SSL *ssl) +{ + struct tls13_ctx *ctx = ssl->internal->tls13; + ssize_t ret; + + if (ctx == NULL) + return 0; + + ret = tls13_pending_application_data(ctx->rl); + if (ret < 0 || ret > INT_MAX) + return 0; + + return ret; +} + +int +tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek) +{ + struct tls13_ctx *ctx = ssl->internal->tls13; + ssize_t ret; + + if (ctx == NULL || !ctx->handshake_completed) { + if ((ret = ssl->internal->handshake_func(ssl)) <= 0) + return ret; + return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN); + } + + tls13_record_layer_set_retry_after_phh(ctx->rl, + (ctx->ssl->internal->mode & SSL_MODE_AUTO_RETRY) != 0); + + if (type != SSL3_RT_APPLICATION_DATA) { + SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return -1; + } + if (len < 0) { + SSLerror(ssl, SSL_R_BAD_LENGTH); + return -1; + } + + if (peek) + ret = tls13_peek_application_data(ctx->rl, buf, len); + else + ret = tls13_read_application_data(ctx->rl, buf, len); + + return tls13_legacy_return_code(ssl, ret); +} + +int +tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len) +{ + struct tls13_ctx *ctx = ssl->internal->tls13; + const uint8_t *buf = vbuf; + size_t n, sent; + ssize_t ret; + + if (ctx == NULL || !ctx->handshake_completed) { + if ((ret = 
ssl->internal->handshake_func(ssl)) <= 0) + return ret; + return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT); + } + + if (type != SSL3_RT_APPLICATION_DATA) { + SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED); + return -1; + } + if (len < 0) { + SSLerror(ssl, SSL_R_BAD_LENGTH); + return -1; + } + + /* + * The TLSv1.3 record layer write behaviour is the same as + * SSL_MODE_ENABLE_PARTIAL_WRITE. + */ + if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) { + ret = tls13_write_application_data(ctx->rl, buf, len); + return tls13_legacy_return_code(ssl, ret); + } + + /* + * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until + * we have written out all of the requested data. + */ + sent = S3I(ssl)->wnum; + if (len < sent) { + SSLerror(ssl, SSL_R_BAD_LENGTH); + return -1; + } + n = len - sent; + for (;;) { + if (n == 0) { + S3I(ssl)->wnum = 0; + return sent; + } + if ((ret = tls13_write_application_data(ctx->rl, + &buf[sent], n)) <= 0) { + S3I(ssl)->wnum = sent; + return tls13_legacy_return_code(ssl, ret); + } + sent += ret; + n -= ret; + } +} + +static int +tls13_use_legacy_stack(struct tls13_ctx *ctx) +{ + SSL *s = ctx->ssl; + CBS cbs; + + if (!ssl3_setup_init_buffer(s)) + return 0; + if (!ssl3_setup_buffers(s)) + return 0; + if (!ssl_init_wbio_buffer(s, 1)) + return 0; + + /* Stash any unprocessed data from the last record. */ + tls13_record_layer_rbuf(ctx->rl, &cbs); + if (CBS_len(&cbs) > 0) { + if (!CBS_write_bytes(&cbs, + S3I(s)->rbuf.buf + SSL3_RT_HEADER_LENGTH, + S3I(s)->rbuf.len - SSL3_RT_HEADER_LENGTH, NULL)) + return 0; + + S3I(s)->rbuf.offset = SSL3_RT_HEADER_LENGTH; + S3I(s)->rbuf.left = CBS_len(&cbs); + S3I(s)->rrec.type = SSL3_RT_HANDSHAKE; + S3I(s)->rrec.length = CBS_len(&cbs); + s->internal->rstate = SSL_ST_READ_BODY; + s->internal->packet = S3I(s)->rbuf.buf; + s->internal->packet_length = SSL3_RT_HEADER_LENGTH; + s->internal->mac_packet = 1; + } + + /* Stash the current handshake message. 
*/ + tls13_handshake_msg_data(ctx->hs_msg, &cbs); + if (!CBS_write_bytes(&cbs, s->internal->init_buf->data, + s->internal->init_buf->length, NULL)) + return 0; + + S3I(s)->tmp.reuse_message = 1; + S3I(s)->tmp.message_type = tls13_handshake_msg_type(ctx->hs_msg); + S3I(s)->tmp.message_size = CBS_len(&cbs); + + return 1; +} + +int +tls13_use_legacy_client(struct tls13_ctx *ctx) +{ + SSL *s = ctx->ssl; + + s->method = tls_legacy_client_method(); + s->internal->handshake_func = s->method->internal->ssl_connect; + s->client_version = s->version = s->method->internal->max_version; + + if (!tls13_use_legacy_stack(ctx)) + return 0; + + S3I(s)->hs.state = SSL3_ST_CR_SRVR_HELLO_A; + + return 1; +} + +int +tls13_use_legacy_server(struct tls13_ctx *ctx) +{ + SSL *s = ctx->ssl; + + s->method = tls_legacy_server_method(); + s->internal->handshake_func = s->method->internal->ssl_accept; + s->client_version = s->version = s->method->internal->max_version; + s->server = 1; + + if (!tls13_use_legacy_stack(ctx)) + return 0; + + S3I(s)->hs.state = SSL3_ST_SR_CLNT_HELLO_A; + + return 1; +} + +int +tls13_legacy_accept(SSL *ssl) +{ + struct tls13_ctx *ctx = ssl->internal->tls13; + int ret; + + if (ctx == NULL) { + if ((ctx = tls13_ctx_new(TLS13_HS_SERVER)) == NULL) { + SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ + return -1; + } + ssl->internal->tls13 = ctx; + ctx->ssl = ssl; + ctx->hs = &S3I(ssl)->hs_tls13; + + if (!tls13_server_init(ctx)) { + if (ERR_peek_error() == 0) + SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ + return -1; + } + } + + ERR_clear_error(); + S3I(ssl)->hs.state = SSL_ST_ACCEPT; + + ret = tls13_server_accept(ctx); + if (ret == TLS13_IO_USE_LEGACY) + return ssl->method->internal->ssl_accept(ssl); + if (ret == TLS13_IO_SUCCESS) + S3I(ssl)->hs.state = SSL_ST_OK; + + return tls13_legacy_return_code(ssl, ret); +} + +int +tls13_legacy_connect(SSL *ssl) +{ + struct tls13_ctx *ctx = ssl->internal->tls13; + int ret; + +#ifdef TLS13_USE_LEGACY_CLIENT_AUTH + /* XXX drop back 
to legacy for client auth for now */ + if (ssl->cert->key->privatekey != NULL) { + ssl->method = tls_legacy_client_method(); + return ssl->method->internal->ssl_connect(ssl); + } +#endif + + if (ctx == NULL) { + if ((ctx = tls13_ctx_new(TLS13_HS_CLIENT)) == NULL) { + SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ + return -1; + } + ssl->internal->tls13 = ctx; + ctx->ssl = ssl; + ctx->hs = &S3I(ssl)->hs_tls13; + + if (!tls13_client_init(ctx)) { + if (ERR_peek_error() == 0) + SSLerror(ssl, ERR_R_INTERNAL_ERROR); /* XXX */ + return -1; + } + } + + ERR_clear_error(); + S3I(ssl)->hs.state = SSL_ST_CONNECT; + + ret = tls13_client_connect(ctx); + if (ret == TLS13_IO_USE_LEGACY) + return ssl->method->internal->ssl_connect(ssl); + if (ret == TLS13_IO_SUCCESS) + S3I(ssl)->hs.state = SSL_ST_OK; + + return tls13_legacy_return_code(ssl, ret); +} + +int +tls13_legacy_shutdown(SSL *ssl) +{ + struct tls13_ctx *ctx = ssl->internal->tls13; + uint8_t buf[512]; /* XXX */ + ssize_t ret; + + /* + * We need to return 0 when we have sent a close-notify but have not + * yet received one. We return 1 only once we have sent and received + * close-notify alerts. All other cases return -1 and set internal + * state appropriately. + */ + if (ctx == NULL || ssl->internal->quiet_shutdown) { + ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN; + return 1; + } + + if (!ctx->close_notify_sent) { + /* Enqueue and send close notify. */ + if (!(ssl->internal->shutdown & SSL_SENT_SHUTDOWN)) { + ssl->internal->shutdown |= SSL_SENT_SHUTDOWN; + if ((ret = tls13_send_alert(ctx->rl, + TLS13_ALERT_CLOSE_NOTIFY)) < 0) + return tls13_legacy_return_code(ssl, ret); + } + if ((ret = tls13_record_layer_send_pending(ctx->rl)) != + TLS13_IO_SUCCESS) + return tls13_legacy_return_code(ssl, ret); + } else if (!ctx->close_notify_recv) { + /* + * If there is no application data pending, attempt to read more + * data in order to receive a close notify. 
This should trigger + * a record to be read from the wire, which may be application + * handshake or alert data. Only one attempt is made to match + * previous semantics. + */ + if (tls13_pending_application_data(ctx->rl) == 0) { + if ((ret = tls13_read_application_data(ctx->rl, buf, + sizeof(buf))) < 0) + return tls13_legacy_return_code(ssl, ret); + } + } + + if (ctx->close_notify_recv) + return 1; + + return 0; +} + +int +tls13_legacy_servername_process(struct tls13_ctx *ctx, uint8_t *alert) +{ + int legacy_alert = SSL_AD_UNRECOGNIZED_NAME; + int ret = SSL_TLSEXT_ERR_NOACK; + SSL_CTX *ssl_ctx = ctx->ssl->ctx; + SSL *ssl = ctx->ssl; + + if (ssl_ctx->internal->tlsext_servername_callback == NULL) + ssl_ctx = ssl->initial_ctx; + if (ssl_ctx->internal->tlsext_servername_callback == NULL) + return 1; + + ret = ssl_ctx->internal->tlsext_servername_callback(ssl, &legacy_alert, + ssl_ctx->internal->tlsext_servername_arg); + + if (ret == SSL_TLSEXT_ERR_ALERT_FATAL || + ret == SSL_TLSEXT_ERR_ALERT_WARNING) { + if (legacy_alert >= 0 && legacy_alert <= 255) + *alert = legacy_alert; + return 0; + } + + return 1; +} diff --git a/ssl/tls13_lib.c b/ssl/tls13_lib.c new file mode 100644 index 0000000..590426a --- /dev/null +++ b/ssl/tls13_lib.c 
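Review bot: In tls13_use_legacy_stack, `S3I(s)->tmp.message_size = CBS_len(&cbs)` records the length of the full handshake message returned by tls13_handshake_msg_data(), which elsewhere in this diff (the msg_callback and transcript uses in tls13_lib.c) is the whole message including the 4-byte handshake header; if the legacy reuse_message path, outside this hunk, treats message_size as the body length, the ServerHello handed back to the legacy parser is 4 bytes too long and reads past the stashed copy in init_buf. Worth confirming against ssl3_get_message(); if that is the contract the line should be `S3I(s)->tmp.message_size = CBS_len(&cbs) - SSL3_HM_HEADER_LENGTH;`. Separately, tls13_legacy_wire_read and tls13_legacy_wire_write pass a size_t `len` straight to BIO_read/BIO_write, which take an int, and then compare the int result with `len`; the record layer appears to bound requests well below INT_MAX, but an explicit `if (len > INT_MAX) return TLS13_IO_FAILURE;` at the top of each turns that assumption into a check.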
@@ -0,0 +1,581 @@ +/* $OpenBSD: tls13_lib.c,v 1.54 2020/09/11 15:03:36 jsing Exp $ */ +/* + * Copyright (c) 2018, 2019 Joel Sing + * Copyright (c) 2019 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include + +#include "ssl_locl.h" +#include "ssl_tlsext.h" +#include "tls13_internal.h" + +/* + * Downgrade sentinels - RFC 8446 section 4.1.3, magic values which must be set + * by the server in server random if it is willing to downgrade but supports + * TLSv1.3 + */ +const uint8_t tls13_downgrade_12[8] = { + 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x01, +}; +const uint8_t tls13_downgrade_11[8] = { + 0x44, 0x4f, 0x57, 0x4e, 0x47, 0x52, 0x44, 0x00, +}; + +/* + * HelloRetryRequest hash - RFC 8446 section 4.1.3. + */ +const uint8_t tls13_hello_retry_request_hash[32] = { + 0xcf, 0x21, 0xad, 0x74, 0xe5, 0x9a, 0x61, 0x11, + 0xbe, 0x1d, 0x8c, 0x02, 0x1e, 0x65, 0xb8, 0x91, + 0xc2, 0xa2, 0x11, 0x16, 0x7a, 0xbb, 0x8c, 0x5e, + 0x07, 0x9e, 0x09, 0xe2, 0xc8, 0xa8, 0x33, 0x9c, +}; + +/* + * Certificate Verify padding - RFC 8446 section 4.4.3. 
+ */ +const uint8_t tls13_cert_verify_pad[64] = { + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, +}; + +const uint8_t tls13_cert_client_verify_context[] = + "TLS 1.3, client CertificateVerify"; +const uint8_t tls13_cert_server_verify_context[] = + "TLS 1.3, server CertificateVerify"; + +const EVP_AEAD * +tls13_cipher_aead(const SSL_CIPHER *cipher) +{ + if (cipher == NULL) + return NULL; + if (cipher->algorithm_ssl != SSL_TLSV1_3) + return NULL; + + switch (cipher->algorithm_enc) { + case SSL_AES128GCM: + return EVP_aead_aes_128_gcm(); + case SSL_AES256GCM: + return EVP_aead_aes_256_gcm(); + case SSL_CHACHA20POLY1305: + return EVP_aead_chacha20_poly1305(); + } + + return NULL; +} + +const EVP_MD * +tls13_cipher_hash(const SSL_CIPHER *cipher) +{ + if (cipher == NULL) + return NULL; + if (cipher->algorithm_ssl != SSL_TLSV1_3) + return NULL; + + switch (cipher->algorithm2) { + case SSL_HANDSHAKE_MAC_SHA256: + return EVP_sha256(); + case SSL_HANDSHAKE_MAC_SHA384: + return EVP_sha384(); + } + + return NULL; +} + +static void +tls13_alert_received_cb(uint8_t alert_desc, void *arg) +{ + struct tls13_ctx *ctx = arg; + + if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { + ctx->close_notify_recv = 1; + ctx->ssl->internal->shutdown |= SSL_RECEIVED_SHUTDOWN; + S3I(ctx->ssl)->warn_alert = alert_desc; + return; + } + + if (alert_desc == TLS13_ALERT_USER_CANCELED) { + /* + * We treat this as advisory, since a close_notify alert + * SHOULD follow this alert (RFC 8446 section 6.1). + */ + return; + } + + /* All other alerts are treated as fatal in TLSv1.3. 
*/ + S3I(ctx->ssl)->fatal_alert = alert_desc; + + SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); + ERR_asprintf_error_data("SSL alert number %d", alert_desc); + + SSL_CTX_remove_session(ctx->ssl->ctx, ctx->ssl->session); +} + +static void +tls13_alert_sent_cb(uint8_t alert_desc, void *arg) +{ + struct tls13_ctx *ctx = arg; + + if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { + ctx->close_notify_sent = 1; + return; + } + + if (alert_desc == TLS13_ALERT_USER_CANCELED) { + return; + } + + /* All other alerts are treated as fatal in TLSv1.3. */ + SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc); +} + +static void +tls13_legacy_handshake_message_recv_cb(void *arg) +{ + struct tls13_ctx *ctx = arg; + SSL *s = ctx->ssl; + CBS cbs; + + if (s->internal->msg_callback == NULL) + return; + + tls13_handshake_msg_data(ctx->hs_msg, &cbs); + s->internal->msg_callback(0, TLS1_3_VERSION, SSL3_RT_HANDSHAKE, + CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg); +} + +static void +tls13_legacy_handshake_message_sent_cb(void *arg) +{ + struct tls13_ctx *ctx = arg; + SSL *s = ctx->ssl; + CBS cbs; + + if (s->internal->msg_callback == NULL) + return; + + tls13_handshake_msg_data(ctx->hs_msg, &cbs); + s->internal->msg_callback(1, TLS1_3_VERSION, SSL3_RT_HANDSHAKE, + CBS_data(&cbs), CBS_len(&cbs), s, s->internal->msg_callback_arg); +} + +static void +tls13_legacy_info_cb(void *arg, int state, int ret) +{ + struct tls13_ctx *ctx = arg; + SSL *s = ctx->ssl; + void (*cb)(const SSL *, int, int); + + if ((cb = s->internal->info_callback) == NULL) + cb = s->ctx->internal->info_callback; + if (cb != NULL) + cb(s, state, ret); +} + +static int +tls13_legacy_ocsp_status_recv_cb(void *arg) +{ + struct tls13_ctx *ctx = arg; + SSL *s = ctx->ssl; + int ret; + + if (s->ctx->internal->tlsext_status_cb == NULL || + s->internal->tlsext_ocsp_resp == NULL) + return 1; + + ret = s->ctx->internal->tlsext_status_cb(s, + s->ctx->internal->tlsext_status_arg); + if (ret < 0) { + ctx->alert = 
TLS13_ALERT_INTERNAL_ERROR; + SSLerror(s, ERR_R_MALLOC_FAILURE); + return 0; + } + if (ret == 0) { + ctx->alert = TLS13_ALERT_BAD_CERTIFICATE_STATUS_RESPONSE; + SSLerror(s, SSL_R_INVALID_STATUS_RESPONSE); + return 0; + } + + return 1; +} + +static int +tls13_phh_update_local_traffic_secret(struct tls13_ctx *ctx) +{ + struct tls13_secrets *secrets = ctx->hs->secrets; + + if (ctx->mode == TLS13_HS_CLIENT) + return (tls13_update_client_traffic_secret(secrets) && + tls13_record_layer_set_write_traffic_key(ctx->rl, + &secrets->client_application_traffic)); + return (tls13_update_server_traffic_secret(secrets) && + tls13_record_layer_set_read_traffic_key(ctx->rl, + &secrets->server_application_traffic)); +} + +static int +tls13_phh_update_peer_traffic_secret(struct tls13_ctx *ctx) +{ + struct tls13_secrets *secrets = ctx->hs->secrets; + + if (ctx->mode == TLS13_HS_CLIENT) + return (tls13_update_server_traffic_secret(secrets) && + tls13_record_layer_set_read_traffic_key(ctx->rl, + &secrets->server_application_traffic)); + return (tls13_update_client_traffic_secret(secrets) && + tls13_record_layer_set_write_traffic_key(ctx->rl, + &secrets->client_application_traffic)); +} + +/* + * XXX arbitrarily chosen limit of 100 post handshake handshake + * messages in an hour - to avoid a hostile peer from constantly + * requesting certificates or key renegotiaitons, etc. 
+ */ +static int +tls13_phh_limit_check(struct tls13_ctx *ctx) +{ + time_t now = time(NULL); + + if (ctx->phh_last_seen > now - TLS13_PHH_LIMIT_TIME) { + if (ctx->phh_count > TLS13_PHH_LIMIT) + return 0; + } else + ctx->phh_count = 0; + ctx->phh_count++; + ctx->phh_last_seen = now; + return 1; +} + +static ssize_t +tls13_key_update_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + struct tls13_handshake_msg *hs_msg = NULL; + CBB cbb_hs; + CBS cbs_hs; + uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; + uint8_t key_update_request; + ssize_t ret; + + if (!CBS_get_u8(cbs, &key_update_request)) { + alert = TLS13_ALERT_DECODE_ERROR; + goto err; + } + if (CBS_len(cbs) != 0) { + alert = TLS13_ALERT_DECODE_ERROR; + goto err; + } + if (key_update_request > 1) { + alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + + if (!tls13_phh_update_peer_traffic_secret(ctx)) + goto err; + + if (key_update_request == 0) + return TLS13_IO_SUCCESS; + + /* key_update_request == 1 */ + if ((hs_msg = tls13_handshake_msg_new()) == NULL) + goto err; + if (!tls13_handshake_msg_start(hs_msg, &cbb_hs, TLS13_MT_KEY_UPDATE)) + goto err; + if (!CBB_add_u8(&cbb_hs, 0)) + goto err; + if (!tls13_handshake_msg_finish(hs_msg)) + goto err; + + ctx->key_update_request = 1; + tls13_handshake_msg_data(hs_msg, &cbs_hs); + ret = tls13_record_layer_phh(ctx->rl, &cbs_hs); + + tls13_handshake_msg_free(hs_msg); + hs_msg = NULL; + + return ret; + + err: + tls13_handshake_msg_free(hs_msg); + + return tls13_send_alert(ctx->rl, alert); +} + +static void +tls13_phh_done_cb(void *cb_arg) +{ + struct tls13_ctx *ctx = cb_arg; + + if (ctx->key_update_request) { + tls13_phh_update_local_traffic_secret(ctx); + ctx->key_update_request = 0; + } +} + +static ssize_t +tls13_phh_received_cb(void *cb_arg, CBS *cbs) +{ + ssize_t ret = TLS13_IO_FAILURE; + struct tls13_ctx *ctx = cb_arg; + CBS phh_cbs; + + if (!tls13_phh_limit_check(ctx)) + return tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE); + + if ((ctx->hs_msg == NULL) && + 
((ctx->hs_msg = tls13_handshake_msg_new()) == NULL)) + return TLS13_IO_FAILURE; + + if (!tls13_handshake_msg_set_buffer(ctx->hs_msg, cbs)) + return TLS13_IO_FAILURE; + + if ((ret = tls13_handshake_msg_recv(ctx->hs_msg, ctx->rl)) + != TLS13_IO_SUCCESS) + return ret; + + if (!tls13_handshake_msg_content(ctx->hs_msg, &phh_cbs)) + return TLS13_IO_FAILURE; + + switch(tls13_handshake_msg_type(ctx->hs_msg)) { + case TLS13_MT_KEY_UPDATE: + ret = tls13_key_update_recv(ctx, &phh_cbs); + break; + case TLS13_MT_NEW_SESSION_TICKET: + /* XXX do nothing for now and ignore this */ + break; + case TLS13_MT_CERTIFICATE_REQUEST: + /* XXX add support if we choose to advertise this */ + /* FALLTHROUGH */ + default: + ret = TLS13_IO_FAILURE; /* XXX send alert */ + break; + } + + tls13_handshake_msg_free(ctx->hs_msg); + ctx->hs_msg = NULL; + return ret; +} + +static const struct tls13_record_layer_callbacks rl_callbacks = { + .wire_read = tls13_legacy_wire_read_cb, + .wire_write = tls13_legacy_wire_write_cb, + .alert_recv = tls13_alert_received_cb, + .alert_sent = tls13_alert_sent_cb, + .phh_recv = tls13_phh_received_cb, + .phh_sent = tls13_phh_done_cb, +}; + +struct tls13_ctx * +tls13_ctx_new(int mode) +{ + struct tls13_ctx *ctx = NULL; + + if ((ctx = calloc(sizeof(struct tls13_ctx), 1)) == NULL) + goto err; + + ctx->mode = mode; + + if ((ctx->rl = tls13_record_layer_new(&rl_callbacks, ctx)) == NULL) + goto err; + + ctx->handshake_message_sent_cb = tls13_legacy_handshake_message_sent_cb; + ctx->handshake_message_recv_cb = tls13_legacy_handshake_message_recv_cb; + ctx->info_cb = tls13_legacy_info_cb; + ctx->ocsp_status_recv_cb = tls13_legacy_ocsp_status_recv_cb; + + ctx->middlebox_compat = 1; + + return ctx; + + err: + tls13_ctx_free(ctx); + + return NULL; +} + +void +tls13_ctx_free(struct tls13_ctx *ctx) +{ + if (ctx == NULL) + return; + + tls13_error_clear(&ctx->error); + tls13_record_layer_free(ctx->rl); + tls13_handshake_msg_free(ctx->hs_msg); + + freezero(ctx, sizeof(struct 
tls13_ctx)); +} + +int +tls13_cert_add(struct tls13_ctx *ctx, CBB *cbb, X509 *cert, + int(*build_extensions)(SSL *s, uint16_t msg_type, CBB *cbb)) +{ + CBB cert_data; + uint8_t *data; + int cert_len; + + if ((cert_len = i2d_X509(cert, NULL)) < 0) + return 0; + + if (!CBB_add_u24_length_prefixed(cbb, &cert_data)) + return 0; + if (!CBB_add_space(&cert_data, &data, cert_len)) + return 0; + if (i2d_X509(cert, &data) != cert_len) + return 0; + if (build_extensions != NULL) { + if (!build_extensions(ctx->ssl, SSL_TLSEXT_MSG_CT, cbb)) + return 0; + } else { + CBB cert_exts; + if (!CBB_add_u16_length_prefixed(cbb, &cert_exts)) + return 0; + } + if (!CBB_flush(cbb)) + return 0; + + return 1; +} + +int +tls13_synthetic_handshake_message(struct tls13_ctx *ctx) +{ + struct tls13_handshake_msg *hm = NULL; + unsigned char buf[EVP_MAX_MD_SIZE]; + size_t hash_len; + CBB cbb; + CBS cbs; + SSL *s = ctx->ssl; + int ret = 0; + + /* + * Replace ClientHello with synthetic handshake message - see + * RFC 8446 section 4.4.1. 
+ */ + if (!tls1_transcript_hash_init(s)) + goto err; + if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) + goto err; + + if ((hm = tls13_handshake_msg_new()) == NULL) + goto err; + if (!tls13_handshake_msg_start(hm, &cbb, TLS13_MT_MESSAGE_HASH)) + goto err; + if (!CBB_add_bytes(&cbb, buf, hash_len)) + goto err; + if (!tls13_handshake_msg_finish(hm)) + goto err; + + tls13_handshake_msg_data(hm, &cbs); + + tls1_transcript_reset(ctx->ssl); + if (!tls1_transcript_record(ctx->ssl, CBS_data(&cbs), CBS_len(&cbs))) + goto err; + + ret = 1; + + err: + tls13_handshake_msg_free(hm); + + return ret; +} + +int +tls13_clienthello_hash_init(struct tls13_ctx *ctx) +{ + if (ctx->hs->clienthello_md_ctx != NULL) + return 0; + if ((ctx->hs->clienthello_md_ctx = EVP_MD_CTX_new()) == NULL) + return 0; + if (!EVP_DigestInit_ex(ctx->hs->clienthello_md_ctx, + EVP_sha256(), NULL)) + return 0; + + if ((ctx->hs->clienthello_hash == NULL) && + (ctx->hs->clienthello_hash = calloc(1, EVP_MAX_MD_SIZE)) == + NULL) + return 0; + + return 1; +} + +void +tls13_clienthello_hash_clear(struct ssl_handshake_tls13_st *hs) +{ + EVP_MD_CTX_free(hs->clienthello_md_ctx); + hs->clienthello_md_ctx = NULL; + freezero(hs->clienthello_hash, EVP_MAX_MD_SIZE); + hs->clienthello_hash = NULL; +} + +int +tls13_clienthello_hash_update_bytes(struct tls13_ctx *ctx, void *data, + size_t len) +{ + return EVP_DigestUpdate(ctx->hs->clienthello_md_ctx, data, len); +} + +int +tls13_clienthello_hash_update(struct tls13_ctx *ctx, CBS *cbs) +{ + return tls13_clienthello_hash_update_bytes(ctx, (void *)CBS_data(cbs), + CBS_len(cbs)); +} + +int +tls13_clienthello_hash_finalize(struct tls13_ctx *ctx) +{ + if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx, + ctx->hs->clienthello_hash, + &ctx->hs->clienthello_hash_len)) + return 0; + EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx); + ctx->hs->clienthello_md_ctx = NULL; + return 1; +} + +int +tls13_clienthello_hash_validate(struct tls13_ctx *ctx) +{ + unsigned char 
new_ch_hash[EVP_MAX_MD_SIZE]; + unsigned int new_ch_hash_len; + + if (ctx->hs->clienthello_hash == NULL) + return 0; + + if (!EVP_DigestFinal_ex(ctx->hs->clienthello_md_ctx, + new_ch_hash, &new_ch_hash_len)) + return 0; + EVP_MD_CTX_free(ctx->hs->clienthello_md_ctx); + ctx->hs->clienthello_md_ctx = NULL; + + if (ctx->hs->clienthello_hash_len != new_ch_hash_len) + return 0; + if (memcmp(ctx->hs->clienthello_hash, new_ch_hash, + new_ch_hash_len) != 0) + return 0; + + return 1; +} + diff --git a/ssl/tls13_record.c b/ssl/tls13_record.c new file mode 100644 index 0000000..c856932 --- /dev/null +++ b/ssl/tls13_record.c 
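Review bot: tls13_phh_done_cb discards the return value of tls13_phh_update_local_traffic_secret(), so if deriving or installing the new write key fails after our KeyUpdate has already gone out, the connection keeps writing under the old key with no error raised; the callback is void, so the failure needs to be recorded where the record layer will see it, e.g. `if (!tls13_phh_update_local_traffic_secret(ctx)) ctx->alert = TLS13_ALERT_INTERNAL_ERROR;` — whether the record layer consults ctx->alert after phh_sent is outside this hunk and needs confirming, otherwise the callback signature should grow a return value. In tls13_phh_received_cb the default case (`ret = TLS13_IO_FAILURE; /* XXX send alert */`) drops the connection without the unexpected_message alert RFC 8446 calls for on an unsupported post-handshake message (section 4.6.2 for CertificateRequest); `ret = tls13_send_alert(ctx->rl, TLS13_ALERT_UNEXPECTED_MESSAGE);` matches what the rate-limit branch at the top of the same function already does. Also, tls13_phh_limit_check tests `phh_count > TLS13_PHH_LIMIT` before incrementing, so the window admits TLS13_PHH_LIMIT + 1 messages rather than the 100 the comment above it promises, and because it uses wall-clock time(NULL) a forward clock step resets the count; `>=` fixes the first, and the second deserves a sentence in that comment.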
@@ -0,0 +1,187 @@ +/* $OpenBSD: tls13_record.c,v 1.6 2020/05/11 18:08:11 jsing Exp $ */ +/* + * Copyright (c) 2018, 2019 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "ssl_locl.h" + +#include "tls13_internal.h" +#include "tls13_record.h" + +struct tls13_record { + uint16_t version; + uint8_t content_type; + size_t rec_len; + uint8_t *data; + size_t data_len; + CBS cbs; + + struct tls13_buffer *buf; +}; + +struct tls13_record * +tls13_record_new(void) +{ + struct tls13_record *rec = NULL; + + if ((rec = calloc(1, sizeof(struct tls13_record))) == NULL) + goto err; + if ((rec->buf = tls13_buffer_new(TLS13_RECORD_MAX_LEN)) == NULL) + goto err; + + return rec; + + err: + tls13_record_free(rec); + + return NULL; +} + +void +tls13_record_free(struct tls13_record *rec) +{ + if (rec == NULL) + return; + + tls13_buffer_free(rec->buf); + + freezero(rec->data, rec->data_len); + freezero(rec, sizeof(struct tls13_record)); +} + +uint16_t +tls13_record_version(struct tls13_record *rec) +{ + return rec->version; +} + +uint8_t +tls13_record_content_type(struct tls13_record *rec) +{ + return rec->content_type; +} + +int +tls13_record_header(struct tls13_record *rec, CBS *cbs) +{ + if (rec->data_len < TLS13_RECORD_HEADER_LEN) + return 0; + + CBS_init(cbs, rec->data, 
TLS13_RECORD_HEADER_LEN); + + return 1; +} + +int +tls13_record_content(struct tls13_record *rec, CBS *cbs) +{ + CBS content; + + tls13_record_data(rec, &content); + + if (!CBS_skip(&content, TLS13_RECORD_HEADER_LEN)) + return 0; + + CBS_dup(&content, cbs); + + return 1; +} + +void +tls13_record_data(struct tls13_record *rec, CBS *cbs) +{ + CBS_init(cbs, rec->data, rec->data_len); +} + +int +tls13_record_set_data(struct tls13_record *rec, uint8_t *data, size_t data_len) +{ + if (data_len > TLS13_RECORD_MAX_LEN) + return 0; + + freezero(rec->data, rec->data_len); + rec->data = data; + rec->data_len = data_len; + CBS_init(&rec->cbs, rec->data, rec->data_len); + + return 1; +} + +ssize_t +tls13_record_recv(struct tls13_record *rec, tls13_read_cb wire_read, + void *wire_arg) +{ + uint16_t rec_len, rec_version; + uint8_t content_type; + ssize_t ret; + CBS cbs; + + if (rec->data != NULL) + return TLS13_IO_FAILURE; + + if (rec->content_type == 0) { + if ((ret = tls13_buffer_extend(rec->buf, + TLS13_RECORD_HEADER_LEN, wire_read, wire_arg)) <= 0) + return ret; + + tls13_buffer_cbs(rec->buf, &cbs); + + if (!CBS_get_u8(&cbs, &content_type)) + return TLS13_IO_FAILURE; + if (!CBS_get_u16(&cbs, &rec_version)) + return TLS13_IO_FAILURE; + if (!CBS_get_u16(&cbs, &rec_len)) + return TLS13_IO_FAILURE; + + if ((rec_version >> 8) != SSL3_VERSION_MAJOR) + return TLS13_IO_RECORD_VERSION; + if (rec_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) + return TLS13_IO_RECORD_OVERFLOW; + + rec->content_type = content_type; + rec->version = rec_version; + rec->rec_len = rec_len; + } + + if ((ret = tls13_buffer_extend(rec->buf, + TLS13_RECORD_HEADER_LEN + rec->rec_len, wire_read, wire_arg)) <= 0) + return ret; + + if (!tls13_buffer_finish(rec->buf, &rec->data, &rec->data_len)) + return TLS13_IO_FAILURE; + + return rec->data_len; +} + +ssize_t +tls13_record_send(struct tls13_record *rec, tls13_write_cb wire_write, + void *wire_arg) +{ + ssize_t ret; + + if (rec->data == NULL) + return TLS13_IO_FAILURE; + 
+ while (CBS_len(&rec->cbs) > 0) { + if ((ret = wire_write(CBS_data(&rec->cbs), + CBS_len(&rec->cbs), wire_arg)) <= 0) + return ret; + + if (!CBS_skip(&rec->cbs, ret)) + return TLS13_IO_FAILURE; + } + + return rec->data_len; +} diff --git a/ssl/tls13_record.h b/ssl/tls13_record.h new file mode 100644 index 0000000..400153b --- /dev/null +++ b/ssl/tls13_record.h 
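Review bot: `tls13_record_set_data` transfers ownership of `data` to the record — the pointer is stored in `rec->data` and later released with `freezero()` by `tls13_record_free` or by the next `tls13_record_set_data` call — but only when `data_len <= TLS13_RECORD_MAX_LEN`; on the early `return 0` the buffer is still the caller's to free, and neither the function nor its prototype in tls13_record.h states this, which is exactly the kind of contract that produces a leak or a double free in a caller. A comment above the function such as `/* Takes ownership of data on success; on failure (data_len too large) the caller still owns and must free it. */` would make the rule explicit for the seal paths in tls13_record_layer.c that depend on it. Separately, `tls13_record_recv` uses `rec->content_type == 0` to mean "header not parsed yet", overloading a wire-supplied byte: a record whose first byte is 0 is stored back as 0 and the header block re-runs on every partial-read retry; this appears harmless because the five header bytes are presumably already held in `rec->buf` (tls13_buffer_extend is outside this hunk), but a one-line comment on that test, e.g. `/* Header not yet parsed; RFC 8446 reserves content type 0 as invalid. */`, would stop the next reader from mistaking it for a content-type validation.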
@@ -0,0 +1,67 @@
+/* $OpenBSD: tls13_record.h,v 1.3 2019/01/21 00:24:19 jsing Exp $ */
+/*
+ * Copyright (c) 2019 Joel Sing
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef HEADER_TLS13_RECORD_H
+#define HEADER_TLS13_RECORD_H
+
+#include "bytestring.h"
+#include "tls13_internal.h"
+
+__BEGIN_HIDDEN_DECLS
+
+/*
+ * TLSv1.3 Record Protocol - RFC 8446 section 5.
+ *
+ * The maximum plaintext is 2^14, however for inner plaintext an additional
+ * byte is allowed for the content type. A maximum AEAD overhead of 255-bytes
+ * is permitted, along with a 5-byte header, giving a maximum size of
+ * 5 + 2^14 + 1 + 255 = 16,645-bytes.
+ */
+#define TLS13_RECORD_HEADER_LEN 5
+#define TLS13_RECORD_MAX_AEAD_OVERHEAD 255
+#define TLS13_RECORD_MAX_PLAINTEXT_LEN 16384
+#define TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN \
+ (TLS13_RECORD_MAX_PLAINTEXT_LEN + 1)
+#define TLS13_RECORD_MAX_CIPHERTEXT_LEN \
+ (TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN + TLS13_RECORD_MAX_AEAD_OVERHEAD)
+#define TLS13_RECORD_MAX_LEN \
+ (TLS13_RECORD_HEADER_LEN + TLS13_RECORD_MAX_CIPHERTEXT_LEN)
+
+/*
+ * TLSv1.3 Per-Record Nonces and Sequence Numbers - RFC 8446 section 5.3.
+ */
+#define TLS13_RECORD_SEQ_NUM_LEN 8
+
+struct tls13_record;
+
+struct tls13_record *tls13_record_new(void);
+void tls13_record_free(struct tls13_record *_rec);
+uint16_t tls13_record_version(struct tls13_record *_rec);
+uint8_t tls13_record_content_type(struct tls13_record *_rec);
+int tls13_record_header(struct tls13_record *_rec, CBS *_cbs);
+int tls13_record_content(struct tls13_record *_rec, CBS *_cbs);
+void tls13_record_data(struct tls13_record *_rec, CBS *_cbs);
+int tls13_record_set_data(struct tls13_record *_rec, uint8_t *_data,
+ size_t _data_len);
+ssize_t tls13_record_recv(struct tls13_record *_rec, tls13_read_cb _wire_read,
+ void *_wire_arg);
+ssize_t tls13_record_send(struct tls13_record *_rec, tls13_write_cb _wire_write,
+ void *_wire_arg);
+
+__END_HIDDEN_DECLS
+
+#endif
diff --git a/ssl/tls13_record_layer.c b/ssl/tls13_record_layer.c
new file mode 100644
index 0000000..1d75d9e
--- /dev/null
+++ b/ssl/tls13_record_layer.c
@@ -0,0 +1,1200 @@ +/* $OpenBSD: tls13_record_layer.c,v 1.53 2020/09/11 15:03:36 jsing Exp $ */ +/* + * Copyright (c) 2018, 2019 Joel Sing + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include "ssl_locl.h" + +#include "tls13_internal.h" +#include "tls13_record.h" + +static ssize_t tls13_record_layer_write_chunk(struct tls13_record_layer *rl, + uint8_t content_type, const uint8_t *buf, size_t n); +static ssize_t tls13_record_layer_write_record(struct tls13_record_layer *rl, + uint8_t content_type, const uint8_t *content, size_t content_len); + +struct tls13_record_layer { + uint16_t legacy_version; + + int ccs_allowed; + int ccs_seen; + int ccs_sent; + int handshake_completed; + int legacy_alerts_allowed; + int phh; + int phh_retry; + + /* + * Read and/or write channels are closed due to an alert being + * sent or received. In the case of an error alert both channels + * are closed, whereas in the case of a close notify only one + * channel is closed. + */ + int read_closed; + int write_closed; + + struct tls13_record *rrec; + + struct tls13_record *wrec; + uint8_t wrec_content_type; + size_t wrec_appdata_len; + size_t wrec_content_len; + + /* Alert to be sent on return from current read handler. */ + uint8_t alert; + + /* Pending alert messages. 
*/ + uint8_t *alert_data; + size_t alert_len; + uint8_t alert_level; + uint8_t alert_desc; + + /* Pending post-handshake handshake messages (RFC 8446, section 4.6). */ + CBS phh_cbs; + uint8_t *phh_data; + size_t phh_len; + + /* Buffer containing plaintext from opened records. */ + uint8_t rbuf_content_type; + uint8_t *rbuf; + size_t rbuf_len; + CBS rbuf_cbs; + + /* Record protection. */ + const EVP_MD *hash; + const EVP_AEAD *aead; + EVP_AEAD_CTX read_aead_ctx; + EVP_AEAD_CTX write_aead_ctx; + struct tls13_secret read_iv; + struct tls13_secret write_iv; + struct tls13_secret read_nonce; + struct tls13_secret write_nonce; + uint8_t read_seq_num[TLS13_RECORD_SEQ_NUM_LEN]; + uint8_t write_seq_num[TLS13_RECORD_SEQ_NUM_LEN]; + + /* Callbacks. */ + struct tls13_record_layer_callbacks cb; + void *cb_arg; +}; + +static void +tls13_record_layer_rbuf_free(struct tls13_record_layer *rl) +{ + CBS_init(&rl->rbuf_cbs, NULL, 0); + freezero(rl->rbuf, rl->rbuf_len); + rl->rbuf = NULL; + rl->rbuf_len = 0; + rl->rbuf_content_type = 0; +} + +static void +tls13_record_layer_rrec_free(struct tls13_record_layer *rl) +{ + tls13_record_free(rl->rrec); + rl->rrec = NULL; +} + +static void +tls13_record_layer_wrec_free(struct tls13_record_layer *rl) +{ + tls13_record_free(rl->wrec); + rl->wrec = NULL; +} + +struct tls13_record_layer * +tls13_record_layer_new(const struct tls13_record_layer_callbacks *callbacks, + void *cb_arg) +{ + struct tls13_record_layer *rl; + + if ((rl = calloc(1, sizeof(struct tls13_record_layer))) == NULL) + return NULL; + + rl->legacy_version = TLS1_2_VERSION; + rl->cb = *callbacks; + rl->cb_arg = cb_arg; + + return rl; +} + +void +tls13_record_layer_free(struct tls13_record_layer *rl) +{ + if (rl == NULL) + return; + + tls13_record_layer_rbuf_free(rl); + + tls13_record_layer_rrec_free(rl); + tls13_record_layer_wrec_free(rl); + + EVP_AEAD_CTX_cleanup(&rl->read_aead_ctx); + EVP_AEAD_CTX_cleanup(&rl->write_aead_ctx); + + freezero(rl->read_iv.data, rl->read_iv.len); + 
freezero(rl->write_iv.data, rl->write_iv.len); + freezero(rl->read_nonce.data, rl->read_nonce.len); + freezero(rl->write_nonce.data, rl->write_nonce.len); + + freezero(rl, sizeof(struct tls13_record_layer)); +} + +void +tls13_record_layer_rbuf(struct tls13_record_layer *rl, CBS *cbs) +{ + CBS_dup(&rl->rbuf_cbs, cbs); +} + +static const uint8_t tls13_max_seq_num[TLS13_RECORD_SEQ_NUM_LEN] = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, +}; + +int +tls13_record_layer_inc_seq_num(uint8_t *seq_num) +{ + int i; + + /* RFC 8446 section 5.3 - sequence numbers must not wrap. */ + if (memcmp(seq_num, tls13_max_seq_num, TLS13_RECORD_SEQ_NUM_LEN) == 0) + return 0; + + for (i = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--) { + if (++seq_num[i] != 0) + break; + } + + return 1; +} + +static int +tls13_record_layer_update_nonce(struct tls13_secret *nonce, + struct tls13_secret *iv, uint8_t *seq_num) +{ + ssize_t i, j; + + if (nonce->len != iv->len) + return 0; + + /* + * RFC 8446 section 5.3 - sequence number is zero padded and XOR'd + * with the IV to produce a per-record nonce. The IV will also be + * at least 8-bytes in length. + */ + for (i = nonce->len - 1, j = TLS13_RECORD_SEQ_NUM_LEN - 1; i >= 0; i--, j--) + nonce->data[i] = iv->data[i] ^ (j >= 0 ? 
seq_num[j] : 0); + + return 1; +} + +void +tls13_record_layer_allow_ccs(struct tls13_record_layer *rl, int allow) +{ + rl->ccs_allowed = allow; +} + +void +tls13_record_layer_allow_legacy_alerts(struct tls13_record_layer *rl, int allow) +{ + rl->legacy_alerts_allowed = allow; +} + +void +tls13_record_layer_set_aead(struct tls13_record_layer *rl, + const EVP_AEAD *aead) +{ + rl->aead = aead; +} + +void +tls13_record_layer_set_hash(struct tls13_record_layer *rl, + const EVP_MD *hash) +{ + rl->hash = hash; +} + +void +tls13_record_layer_set_legacy_version(struct tls13_record_layer *rl, + uint16_t version) +{ + rl->legacy_version = version; +} + +void +tls13_record_layer_handshake_completed(struct tls13_record_layer *rl) +{ + rl->handshake_completed = 1; +} + +void +tls13_record_layer_set_retry_after_phh(struct tls13_record_layer *rl, int retry) +{ + rl->phh_retry = retry; +} + +static ssize_t +tls13_record_layer_process_alert(struct tls13_record_layer *rl) +{ + uint8_t alert_level, alert_desc; + ssize_t ret = TLS13_IO_FAILURE; + + /* + * RFC 8446 - sections 5.1 and 6. + * + * A TLSv1.3 alert record can only contain a single alert - this means + * that processing the alert must consume all of the record. The alert + * will result in one of three things - continuation (user_cancelled), + * read channel closure (close_notify) or termination (all others). 
+ */ + if (rl->rbuf == NULL) + return TLS13_IO_FAILURE; + + if (rl->rbuf_content_type != SSL3_RT_ALERT) + return TLS13_IO_FAILURE; + + if (!CBS_get_u8(&rl->rbuf_cbs, &alert_level)) + return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); + + if (!CBS_get_u8(&rl->rbuf_cbs, &alert_desc)) + return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); + + if (CBS_len(&rl->rbuf_cbs) != 0) + return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); + + tls13_record_layer_rbuf_free(rl); + + /* + * Alert level is ignored for closure alerts (RFC 8446 section 6.1), + * however for error alerts (RFC 8446 section 6.2), the alert level + * must be specified as fatal. + */ + if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { + rl->read_closed = 1; + ret = TLS13_IO_EOF; + } else if (alert_desc == TLS13_ALERT_USER_CANCELED) { + /* Ignored at the record layer. */ + ret = TLS13_IO_WANT_RETRY; + } else if (alert_level == TLS13_ALERT_LEVEL_FATAL) { + rl->read_closed = 1; + rl->write_closed = 1; + ret = TLS13_IO_ALERT; + } else if (rl->legacy_alerts_allowed && + alert_level == TLS13_ALERT_LEVEL_WARNING) { + /* Ignored and not passed to the callback. */ + return TLS13_IO_WANT_RETRY; + } else { + return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); + } + + rl->cb.alert_recv(alert_desc, rl->cb_arg); + + return ret; +} + +static ssize_t +tls13_record_layer_send_alert(struct tls13_record_layer *rl) +{ + ssize_t ret; + + /* This has to fit into a single record, per RFC 8446 section 5.1. */ + if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT, + rl->alert_data, rl->alert_len)) != rl->alert_len) { + if (ret == TLS13_IO_EOF) + ret = TLS13_IO_ALERT; + return ret; + } + + freezero(rl->alert_data, rl->alert_len); + rl->alert_data = NULL; + rl->alert_len = 0; + + if (rl->alert_desc == TLS13_ALERT_CLOSE_NOTIFY) { + rl->write_closed = 1; + ret = TLS13_IO_SUCCESS; + } else if (rl->alert_desc == TLS13_ALERT_USER_CANCELED) { + /* Ignored at the record layer. 
*/ + ret = TLS13_IO_SUCCESS; + } else { + rl->read_closed = 1; + rl->write_closed = 1; + ret = TLS13_IO_ALERT; + } + + rl->cb.alert_sent(rl->alert_desc, rl->cb_arg); + + return ret; +} + +static ssize_t +tls13_record_layer_send_phh(struct tls13_record_layer *rl) +{ + ssize_t ret; + + /* Push out pending post-handshake handshake messages. */ + if ((ret = tls13_record_layer_write_chunk(rl, SSL3_RT_HANDSHAKE, + CBS_data(&rl->phh_cbs), CBS_len(&rl->phh_cbs))) <= 0) + return ret; + if (!CBS_skip(&rl->phh_cbs, ret)) + return TLS13_IO_FAILURE; + if (CBS_len(&rl->phh_cbs) != 0) + return TLS13_IO_WANT_RETRY; + + freezero(rl->phh_data, rl->phh_len); + rl->phh_data = NULL; + rl->phh_len = 0; + + CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); + + rl->cb.phh_sent(rl->cb_arg); + + return TLS13_IO_SUCCESS; +} + +ssize_t +tls13_record_layer_send_pending(struct tls13_record_layer *rl) +{ + /* + * If an alert is pending, then it needs to be sent. However, + * if we're already part of the way through sending post-handshake + * handshake messages, then we need to finish that first... 
+ */ + + if (rl->phh_data != NULL && CBS_len(&rl->phh_cbs) != rl->phh_len) + return tls13_record_layer_send_phh(rl); + + if (rl->alert_data != NULL) + return tls13_record_layer_send_alert(rl); + + if (rl->phh_data != NULL) + return tls13_record_layer_send_phh(rl); + + return TLS13_IO_SUCCESS; +} + +static ssize_t +tls13_record_layer_alert(struct tls13_record_layer *rl, + uint8_t alert_level, uint8_t alert_desc) +{ + CBB cbb; + + if (rl->alert_data != NULL) + return TLS13_IO_FAILURE; + + if (!CBB_init(&cbb, 0)) + goto err; + + if (!CBB_add_u8(&cbb, alert_level)) + goto err; + if (!CBB_add_u8(&cbb, alert_desc)) + goto err; + if (!CBB_finish(&cbb, &rl->alert_data, &rl->alert_len)) + goto err; + + rl->alert_level = alert_level; + rl->alert_desc = alert_desc; + + return tls13_record_layer_send_pending(rl); + + err: + CBB_cleanup(&cbb); + + return TLS13_IO_FAILURE; +} + +ssize_t +tls13_record_layer_phh(struct tls13_record_layer *rl, CBS *cbs) +{ + if (rl->phh_data != NULL) + return TLS13_IO_FAILURE; + + if (!CBS_stow(cbs, &rl->phh_data, &rl->phh_len)) + return TLS13_IO_FAILURE; + + CBS_init(&rl->phh_cbs, rl->phh_data, rl->phh_len); + + return tls13_record_layer_send_pending(rl); +} + +static int +tls13_record_layer_set_traffic_key(const EVP_AEAD *aead, EVP_AEAD_CTX *aead_ctx, + const EVP_MD *hash, struct tls13_secret *iv, struct tls13_secret *nonce, + struct tls13_secret *traffic_key) +{ + struct tls13_secret context = { .data = "", .len = 0 }; + struct tls13_secret key = { .data = NULL, .len = 0 }; + int ret = 0; + + EVP_AEAD_CTX_cleanup(aead_ctx); + + freezero(iv->data, iv->len); + iv->data = NULL; + iv->len = 0; + + freezero(nonce->data, nonce->len); + nonce->data = NULL; + nonce->len = 0; + + if ((iv->data = calloc(1, EVP_AEAD_nonce_length(aead))) == NULL) + goto err; + iv->len = EVP_AEAD_nonce_length(aead); + + if ((nonce->data = calloc(1, EVP_AEAD_nonce_length(aead))) == NULL) + goto err; + nonce->len = EVP_AEAD_nonce_length(aead); + + if ((key.data = calloc(1, 
EVP_AEAD_key_length(aead))) == NULL) + goto err; + key.len = EVP_AEAD_key_length(aead); + + if (!tls13_hkdf_expand_label(iv, hash, traffic_key, "iv", &context)) + goto err; + if (!tls13_hkdf_expand_label(&key, hash, traffic_key, "key", &context)) + goto err; + + if (!EVP_AEAD_CTX_init(aead_ctx, aead, key.data, key.len, + EVP_AEAD_DEFAULT_TAG_LENGTH, NULL)) + goto err; + + ret = 1; + + err: + freezero(key.data, key.len); + + return ret; +} + +int +tls13_record_layer_set_read_traffic_key(struct tls13_record_layer *rl, + struct tls13_secret *read_key) +{ + memset(rl->read_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN); + + return tls13_record_layer_set_traffic_key(rl->aead, &rl->read_aead_ctx, + rl->hash, &rl->read_iv, &rl->read_nonce, read_key); +} + +int +tls13_record_layer_set_write_traffic_key(struct tls13_record_layer *rl, + struct tls13_secret *write_key) +{ + memset(rl->write_seq_num, 0, TLS13_RECORD_SEQ_NUM_LEN); + + return tls13_record_layer_set_traffic_key(rl->aead, &rl->write_aead_ctx, + rl->hash, &rl->write_iv, &rl->write_nonce, write_key); +} + +static int +tls13_record_layer_open_record_plaintext(struct tls13_record_layer *rl) +{ + CBS cbs; + + if (rl->aead != NULL) + return 0; + + /* + * We're still operating in plaintext mode, so just copy the + * content from the record to the plaintext buffer. 
+ */ + if (!tls13_record_content(rl->rrec, &cbs)) + return 0; + + if (CBS_len(&cbs) > TLS13_RECORD_MAX_PLAINTEXT_LEN) { + rl->alert = TLS13_ALERT_RECORD_OVERFLOW; + return 0; + } + + tls13_record_layer_rbuf_free(rl); + + if (!CBS_stow(&cbs, &rl->rbuf, &rl->rbuf_len)) + return 0; + + rl->rbuf_content_type = tls13_record_content_type(rl->rrec); + + CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); + + return 1; +} + +static int +tls13_record_layer_open_record_protected(struct tls13_record_layer *rl) +{ + CBS header, enc_record; + ssize_t inner_len; + uint8_t *content = NULL; + size_t content_len = 0; + uint8_t content_type; + size_t out_len; + + if (rl->aead == NULL) + goto err; + + if (!tls13_record_header(rl->rrec, &header)) + goto err; + if (!tls13_record_content(rl->rrec, &enc_record)) + goto err; + + if ((content = calloc(1, CBS_len(&enc_record))) == NULL) + goto err; + content_len = CBS_len(&enc_record); + + if (!tls13_record_layer_update_nonce(&rl->read_nonce, &rl->read_iv, + rl->read_seq_num)) + goto err; + + if (!EVP_AEAD_CTX_open(&rl->read_aead_ctx, + content, &out_len, content_len, + rl->read_nonce.data, rl->read_nonce.len, + CBS_data(&enc_record), CBS_len(&enc_record), + CBS_data(&header), CBS_len(&header))) + goto err; + + if (out_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) { + rl->alert = TLS13_ALERT_RECORD_OVERFLOW; + goto err; + } + + if (!tls13_record_layer_inc_seq_num(rl->read_seq_num)) + goto err; + + /* + * The real content type is hidden at the end of the record content and + * it may be followed by padding that consists of one or more zeroes. + * Time to hunt for that elusive content type! + */ + /* XXX - CBS from end? CBS_get_end_u8()? */ + inner_len = out_len - 1; + while (inner_len >= 0 && content[inner_len] == 0) + inner_len--; + if (inner_len < 0) { + /* Unexpected message per RFC 8446 section 5.4. 
*/ + rl->alert = TLS13_ALERT_UNEXPECTED_MESSAGE; + goto err; + } + if (inner_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) { + rl->alert = TLS13_ALERT_RECORD_OVERFLOW; + goto err; + } + content_type = content[inner_len]; + + tls13_record_layer_rbuf_free(rl); + + rl->rbuf_content_type = content_type; + rl->rbuf = content; + rl->rbuf_len = inner_len; + + CBS_init(&rl->rbuf_cbs, rl->rbuf, rl->rbuf_len); + + return 1; + + err: + freezero(content, content_len); + + return 0; +} + +static int +tls13_record_layer_open_record(struct tls13_record_layer *rl) +{ + if (rl->handshake_completed && rl->aead == NULL) + return 0; + + if (rl->aead == NULL) + return tls13_record_layer_open_record_plaintext(rl); + + return tls13_record_layer_open_record_protected(rl); +} + +static int +tls13_record_layer_seal_record_plaintext(struct tls13_record_layer *rl, + uint8_t content_type, const uint8_t *content, size_t content_len) +{ + uint8_t *data = NULL; + size_t data_len = 0; + CBB cbb, body; + + /* + * Allow dummy CCS messages to be sent in plaintext even when + * record protection has been engaged, as long as the handshake + * has not yet completed. + */ + if (rl->handshake_completed) + return 0; + if (rl->aead != NULL && content_type != SSL3_RT_CHANGE_CIPHER_SPEC) + return 0; + + /* + * We're still operating in plaintext mode, so just copy the + * content into the record. 
+ */ + if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + content_len)) + goto err; + + if (!CBB_add_u8(&cbb, content_type)) + goto err; + if (!CBB_add_u16(&cbb, rl->legacy_version)) + goto err; + if (!CBB_add_u16_length_prefixed(&cbb, &body)) + goto err; + if (!CBB_add_bytes(&body, content, content_len)) + goto err; + + if (!CBB_finish(&cbb, &data, &data_len)) + goto err; + + if (!tls13_record_set_data(rl->wrec, data, data_len)) + goto err; + + rl->wrec_content_len = content_len; + rl->wrec_content_type = content_type; + + return 1; + + err: + CBB_cleanup(&cbb); + freezero(data, data_len); + + return 0; +} + +static int +tls13_record_layer_seal_record_protected(struct tls13_record_layer *rl, + uint8_t content_type, const uint8_t *content, size_t content_len) +{ + uint8_t *data = NULL, *header = NULL, *inner = NULL; + size_t data_len = 0, header_len = 0, inner_len = 0; + uint8_t *enc_record; + size_t enc_record_len; + ssize_t ret = 0; + size_t out_len; + CBB cbb; + + if (rl->aead == NULL) + return 0; + + memset(&cbb, 0, sizeof(cbb)); + + /* Build inner plaintext. */ + if (!CBB_init(&cbb, content_len + 1)) + goto err; + if (!CBB_add_bytes(&cbb, content, content_len)) + goto err; + if (!CBB_add_u8(&cbb, content_type)) + goto err; + /* XXX - padding? */ + if (!CBB_finish(&cbb, &inner, &inner_len)) + goto err; + + if (inner_len > TLS13_RECORD_MAX_INNER_PLAINTEXT_LEN) + goto err; + + /* XXX EVP_AEAD_max_tag_len vs EVP_AEAD_CTX_tag_len. */ + enc_record_len = inner_len + EVP_AEAD_max_tag_len(rl->aead); + if (enc_record_len > TLS13_RECORD_MAX_CIPHERTEXT_LEN) + goto err; + + /* Build the record header. */ + if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN)) + goto err; + if (!CBB_add_u8(&cbb, SSL3_RT_APPLICATION_DATA)) + goto err; + if (!CBB_add_u16(&cbb, TLS1_2_VERSION)) + goto err; + if (!CBB_add_u16(&cbb, enc_record_len)) + goto err; + if (!CBB_finish(&cbb, &header, &header_len)) + goto err; + + /* Build the actual record. 
*/ + if (!CBB_init(&cbb, TLS13_RECORD_HEADER_LEN + enc_record_len)) + goto err; + if (!CBB_add_bytes(&cbb, header, header_len)) + goto err; + if (!CBB_add_space(&cbb, &enc_record, enc_record_len)) + goto err; + if (!CBB_finish(&cbb, &data, &data_len)) + goto err; + + if (!tls13_record_layer_update_nonce(&rl->write_nonce, + &rl->write_iv, rl->write_seq_num)) + goto err; + + /* + * XXX - consider a EVP_AEAD_CTX_seal_iov() that takes an iovec... + * this would avoid a copy since the inner would be passed as two + * separate pieces. + */ + if (!EVP_AEAD_CTX_seal(&rl->write_aead_ctx, + enc_record, &out_len, enc_record_len, + rl->write_nonce.data, rl->write_nonce.len, + inner, inner_len, header, header_len)) + goto err; + + if (out_len != enc_record_len) + goto err; + + if (!tls13_record_layer_inc_seq_num(rl->write_seq_num)) + goto err; + + if (!tls13_record_set_data(rl->wrec, data, data_len)) + goto err; + + rl->wrec_content_len = content_len; + rl->wrec_content_type = content_type; + + data = NULL; + data_len = 0; + + ret = 1; + + err: + CBB_cleanup(&cbb); + + freezero(data, data_len); + freezero(header, header_len); + freezero(inner, inner_len); + + return ret; +} + +static int +tls13_record_layer_seal_record(struct tls13_record_layer *rl, + uint8_t content_type, const uint8_t *content, size_t content_len) +{ + if (rl->handshake_completed && rl->aead == NULL) + return 0; + + tls13_record_layer_wrec_free(rl); + + if ((rl->wrec = tls13_record_new()) == NULL) + return 0; + + if (rl->aead == NULL || content_type == SSL3_RT_CHANGE_CIPHER_SPEC) + return tls13_record_layer_seal_record_plaintext(rl, + content_type, content, content_len); + + return tls13_record_layer_seal_record_protected(rl, content_type, + content, content_len); +} + +static ssize_t +tls13_record_layer_read_record(struct tls13_record_layer *rl) +{ + uint8_t content_type, ccs; + ssize_t ret; + CBS cbs; + + if (rl->rrec == NULL) { + if ((rl->rrec = tls13_record_new()) == NULL) + goto err; + } + + if ((ret = 
tls13_record_recv(rl->rrec, rl->cb.wire_read, rl->cb_arg)) <= 0) { + switch (ret) { + case TLS13_IO_RECORD_VERSION: + return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); + case TLS13_IO_RECORD_OVERFLOW: + return tls13_send_alert(rl, TLS13_ALERT_RECORD_OVERFLOW); + } + return ret; + } + + if (rl->legacy_version == TLS1_2_VERSION && + tls13_record_version(rl->rrec) != TLS1_2_VERSION) + return tls13_send_alert(rl, TLS13_ALERT_PROTOCOL_VERSION); + + content_type = tls13_record_content_type(rl->rrec); + + /* + * Bag of hacks ahead... after the first ClientHello message has been + * sent or received and before the peer's Finished message has been + * received, we may receive an unencrypted ChangeCipherSpec record + * (see RFC 8446 section 5 and appendix D.4). This record must be + * ignored. + */ + if (content_type == SSL3_RT_CHANGE_CIPHER_SPEC) { + if (!rl->ccs_allowed || rl->ccs_seen >= 2) + return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); + if (!tls13_record_content(rl->rrec, &cbs)) + return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); + if (!CBS_get_u8(&cbs, &ccs)) + return tls13_send_alert(rl, TLS13_ALERT_DECODE_ERROR); + if (ccs != 1) + return tls13_send_alert(rl, TLS13_ALERT_ILLEGAL_PARAMETER); + rl->ccs_seen++; + tls13_record_layer_rrec_free(rl); + return TLS13_IO_WANT_RETRY; + } + + /* + * Once record protection is engaged, we should only receive + * protected application data messages (aside from the + * dummy ChangeCipherSpec messages, handled above). + */ + if (rl->aead != NULL && content_type != SSL3_RT_APPLICATION_DATA) + return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); + + if (!tls13_record_layer_open_record(rl)) + goto err; + + tls13_record_layer_rrec_free(rl); + + /* + * On receiving a handshake or alert record with empty inner plaintext, + * we must terminate the connection with an unexpected_message alert. + * See RFC 8446 section 5.4. 
+ */ + if (CBS_len(&rl->rbuf_cbs) == 0 && + (rl->rbuf_content_type == SSL3_RT_ALERT || + rl->rbuf_content_type == SSL3_RT_HANDSHAKE)) + return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); + + switch (rl->rbuf_content_type) { + case SSL3_RT_ALERT: + return tls13_record_layer_process_alert(rl); + + case SSL3_RT_HANDSHAKE: + break; + + case SSL3_RT_APPLICATION_DATA: + if (!rl->handshake_completed) + return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); + break; + + default: + return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); + } + + return TLS13_IO_SUCCESS; + + err: + return TLS13_IO_FAILURE; +} + +static ssize_t +tls13_record_layer_pending(struct tls13_record_layer *rl, uint8_t content_type) +{ + if (rl->rbuf_content_type != content_type) + return 0; + + return CBS_len(&rl->rbuf_cbs); +} + +static ssize_t +tls13_record_layer_recv_phh(struct tls13_record_layer *rl) +{ + ssize_t ret = TLS13_IO_FAILURE; + + rl->phh = 1; + + /* + * The post handshake handshake receive callback is allowed to return: + * + * TLS13_IO_WANT_POLLIN need more handshake data. + * TLS13_IO_WANT_POLLOUT got whole handshake message, response enqueued. + * TLS13_IO_SUCCESS got the whole handshake, nothing more to do. + * TLS13_IO_FAILURE something broke. + */ + if (rl->cb.phh_recv != NULL) + ret = rl->cb.phh_recv(rl->cb_arg, &rl->rbuf_cbs); + + tls13_record_layer_rbuf_free(rl); + + /* Leave post handshake handshake mode unless we need more data. */ + if (ret != TLS13_IO_WANT_POLLIN) + rl->phh = 0; + + if (ret == TLS13_IO_SUCCESS) { + if (rl->phh_retry) + return TLS13_IO_WANT_RETRY; + + return TLS13_IO_WANT_POLLIN; + } + + return ret; +} + +static ssize_t +tls13_record_layer_read_internal(struct tls13_record_layer *rl, + uint8_t content_type, uint8_t *buf, size_t n, int peek) +{ + ssize_t ret; + + if ((ret = tls13_record_layer_send_pending(rl)) != TLS13_IO_SUCCESS) + return ret; + + if (rl->read_closed) + return TLS13_IO_EOF; + + /* If necessary, pull up the next record. 
*/ + if (CBS_len(&rl->rbuf_cbs) == 0) { + if ((ret = tls13_record_layer_read_record(rl)) <= 0) + return ret; + + /* + * We may have read a valid 0-byte application data record, + * in which case we need to read the next record. + */ + if (CBS_len(&rl->rbuf_cbs) == 0) { + tls13_record_layer_rbuf_free(rl); + return TLS13_IO_WANT_POLLIN; + } + } + + /* + * If we are in post handshake handshake mode, we must not see + * any record type that isn't a handshake until we are done. + */ + if (rl->phh && rl->rbuf_content_type != SSL3_RT_HANDSHAKE) + return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); + + /* + * Handshake content can appear as post-handshake messages (yup, + * the RFC reused the same content type...), which means we can + * be trying to read application data and need to handle a + * post-handshake handshake message instead... + */ + if (rl->rbuf_content_type != content_type) { + if (rl->rbuf_content_type == SSL3_RT_HANDSHAKE) { + if (rl->handshake_completed) + return tls13_record_layer_recv_phh(rl); + } + return tls13_send_alert(rl, TLS13_ALERT_UNEXPECTED_MESSAGE); + } + + if (n > CBS_len(&rl->rbuf_cbs)) + n = CBS_len(&rl->rbuf_cbs); + + /* XXX - CBS_memcpy? CBS_copy_bytes? 
*/ + memcpy(buf, CBS_data(&rl->rbuf_cbs), n); + + if (!peek) { + if (!CBS_skip(&rl->rbuf_cbs, n)) + goto err; + } + + if (CBS_len(&rl->rbuf_cbs) == 0) + tls13_record_layer_rbuf_free(rl); + + return n; + + err: + return TLS13_IO_FAILURE; +} + +static ssize_t +tls13_record_layer_peek(struct tls13_record_layer *rl, uint8_t content_type, + uint8_t *buf, size_t n) +{ + ssize_t ret; + + do { + ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 1); + } while (ret == TLS13_IO_WANT_RETRY); + + if (rl->alert != 0) + return tls13_send_alert(rl, rl->alert); + + return ret; +} + +static ssize_t +tls13_record_layer_read(struct tls13_record_layer *rl, uint8_t content_type, + uint8_t *buf, size_t n) +{ + ssize_t ret; + + do { + ret = tls13_record_layer_read_internal(rl, content_type, buf, n, 0); + } while (ret == TLS13_IO_WANT_RETRY); + + if (rl->alert != 0) + return tls13_send_alert(rl, rl->alert); + + return ret; +} + +static ssize_t +tls13_record_layer_write_record(struct tls13_record_layer *rl, + uint8_t content_type, const uint8_t *content, size_t content_len) +{ + ssize_t ret; + + if (rl->write_closed) + return TLS13_IO_EOF; + + /* + * If we pushed out application data while handling other messages, + * we need to return content length on the next call. + */ + if (content_type == SSL3_RT_APPLICATION_DATA && + rl->wrec_appdata_len != 0) { + ret = rl->wrec_appdata_len; + rl->wrec_appdata_len = 0; + return ret; + } + + /* See if there is an existing record and attempt to push it out... */ + if (rl->wrec != NULL) { + if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, + rl->cb_arg)) <= 0) + return ret; + tls13_record_layer_wrec_free(rl); + + if (rl->wrec_content_type == content_type) { + ret = rl->wrec_content_len; + rl->wrec_content_len = 0; + rl->wrec_content_type = 0; + return ret; + } + + /* + * The only partial record type should be application data. + * All other cases are handled to completion. 
+ */ + if (rl->wrec_content_type != SSL3_RT_APPLICATION_DATA) + return TLS13_IO_FAILURE; + rl->wrec_appdata_len = rl->wrec_content_len; + } + + if (content_len > TLS13_RECORD_MAX_PLAINTEXT_LEN) + goto err; + + if (!tls13_record_layer_seal_record(rl, content_type, content, content_len)) + goto err; + + if ((ret = tls13_record_send(rl->wrec, rl->cb.wire_write, rl->cb_arg)) <= 0) + return ret; + + tls13_record_layer_wrec_free(rl); + + return content_len; + + err: + return TLS13_IO_FAILURE; +} + +static ssize_t +tls13_record_layer_write_chunk(struct tls13_record_layer *rl, + uint8_t content_type, const uint8_t *buf, size_t n) +{ + if (n > TLS13_RECORD_MAX_PLAINTEXT_LEN) + n = TLS13_RECORD_MAX_PLAINTEXT_LEN; + + return tls13_record_layer_write_record(rl, content_type, buf, n); +} + +static ssize_t +tls13_record_layer_write(struct tls13_record_layer *rl, uint8_t content_type, + const uint8_t *buf, size_t n) +{ + ssize_t ret; + + do { + ret = tls13_record_layer_send_pending(rl); + } while (ret == TLS13_IO_WANT_RETRY); + if (ret != TLS13_IO_SUCCESS) + return ret; + + do { + ret = tls13_record_layer_write_chunk(rl, content_type, buf, n); + } while (ret == TLS13_IO_WANT_RETRY); + + return ret; +} + +static const uint8_t tls13_dummy_ccs[] = { 0x01 }; + +ssize_t +tls13_send_dummy_ccs(struct tls13_record_layer *rl) +{ + ssize_t ret; + + if (rl->ccs_sent) + return TLS13_IO_FAILURE; + + if ((ret = tls13_record_layer_write(rl, SSL3_RT_CHANGE_CIPHER_SPEC, + tls13_dummy_ccs, sizeof(tls13_dummy_ccs))) <= 0) + return ret; + + rl->ccs_sent = 1; + + return TLS13_IO_SUCCESS; +} + +ssize_t +tls13_read_handshake_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) +{ + return tls13_record_layer_read(rl, SSL3_RT_HANDSHAKE, buf, n); +} + +ssize_t +tls13_write_handshake_data(struct tls13_record_layer *rl, const uint8_t *buf, + size_t n) +{ + return tls13_record_layer_write(rl, SSL3_RT_HANDSHAKE, buf, n); +} + +ssize_t +tls13_pending_application_data(struct tls13_record_layer *rl) +{ + 
if (!rl->handshake_completed) + return 0; + + return tls13_record_layer_pending(rl, SSL3_RT_APPLICATION_DATA); +} + +ssize_t +tls13_peek_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) +{ + if (!rl->handshake_completed) + return TLS13_IO_FAILURE; + + return tls13_record_layer_peek(rl, SSL3_RT_APPLICATION_DATA, buf, n); +} + +ssize_t +tls13_read_application_data(struct tls13_record_layer *rl, uint8_t *buf, size_t n) +{ + if (!rl->handshake_completed) + return TLS13_IO_FAILURE; + + return tls13_record_layer_read(rl, SSL3_RT_APPLICATION_DATA, buf, n); +} + +ssize_t +tls13_write_application_data(struct tls13_record_layer *rl, const uint8_t *buf, + size_t n) +{ + if (!rl->handshake_completed) + return TLS13_IO_FAILURE; + + return tls13_record_layer_write(rl, SSL3_RT_APPLICATION_DATA, buf, n); +} + +ssize_t +tls13_send_alert(struct tls13_record_layer *rl, uint8_t alert_desc) +{ + uint8_t alert_level = TLS13_ALERT_LEVEL_FATAL; + ssize_t ret; + + if (alert_desc == TLS13_ALERT_CLOSE_NOTIFY || + alert_desc == TLS13_ALERT_USER_CANCELED) + alert_level = TLS13_ALERT_LEVEL_WARNING; + + do { + ret = tls13_record_layer_alert(rl, alert_level, alert_desc); + } while (ret == TLS13_IO_WANT_RETRY); + + return ret; +} diff --git a/ssl/tls13_server.c b/ssl/tls13_server.c new file mode 100644 index 0000000..a5c03b6 --- /dev/null +++ b/ssl/tls13_server.c 
@@ -0,0 +1,1071 @@ +/* $OpenBSD: tls13_server.c,v 1.61 2020/07/03 04:12:51 tb Exp $ */ +/* + * Copyright (c) 2019, 2020 Joel Sing + * Copyright (c) 2020 Bob Beck + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include + +#include "ssl_locl.h" +#include "ssl_tlsext.h" + +#include "tls13_handshake.h" +#include "tls13_internal.h" + +int +tls13_server_init(struct tls13_ctx *ctx) +{ + SSL *s = ctx->ssl; + + if (!ssl_supported_version_range(s, &ctx->hs->min_version, + &ctx->hs->max_version)) { + SSLerror(s, SSL_R_NO_PROTOCOLS_AVAILABLE); + return 0; + } + s->version = ctx->hs->max_version; + + tls13_record_layer_set_retry_after_phh(ctx->rl, + (s->internal->mode & SSL_MODE_AUTO_RETRY) != 0); + + if (!ssl_get_new_session(s, 0)) /* XXX */ + return 0; + + tls13_record_layer_set_legacy_version(ctx->rl, TLS1_VERSION); + + if (!tls1_transcript_init(s)) + return 0; + + arc4random_buf(s->s3->server_random, SSL3_RANDOM_SIZE); + + return 1; +} + +int +tls13_server_accept(struct tls13_ctx *ctx) +{ + if (ctx->mode != TLS13_HS_SERVER) + return TLS13_IO_FAILURE; + + return tls13_handshake_perform(ctx); +} + +static int +tls13_client_hello_is_legacy(CBS *cbs) +{ + CBS extensions_block, extensions, extension_data, versions; + uint16_t version, max_version = 0; + uint16_t type; + + CBS_dup(cbs, 
&extensions_block); + + if (!CBS_get_u16_length_prefixed(&extensions_block, &extensions)) + return 1; + + while (CBS_len(&extensions) > 0) { + if (!CBS_get_u16(&extensions, &type)) + return 1; + if (!CBS_get_u16_length_prefixed(&extensions, &extension_data)) + return 1; + + if (type != TLSEXT_TYPE_supported_versions) + continue; + if (!CBS_get_u8_length_prefixed(&extension_data, &versions)) + return 1; + while (CBS_len(&versions) > 0) { + if (!CBS_get_u16(&versions, &version)) + return 1; + if (version >= max_version) + max_version = version; + } + if (CBS_len(&extension_data) != 0) + return 1; + } + + return (max_version < TLS1_3_VERSION); +} + +int +tls13_client_hello_required_extensions(struct tls13_ctx *ctx) +{ + SSL *ssl = ctx->ssl; + + /* + * RFC 8446, section 9.2. If the ClientHello has supported_versions + * containing TLSv1.3, presence or absence of some extensions requires + * presence or absence of others. + */ + + /* + * If we got no pre_shared_key, then signature_algorithms and + * supported_groups must both be present. + */ + if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_pre_shared_key)) { + if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_signature_algorithms)) + return 0; + if (!tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups)) + return 0; + } + + /* + * supported_groups and key_share must either both be present or + * both be absent. + */ + if (tlsext_extension_seen(ssl, TLSEXT_TYPE_supported_groups) != + tlsext_extension_seen(ssl, TLSEXT_TYPE_key_share)) + return 0; + + /* + * XXX - Require server_name from client? If so, we SHOULD enforce + * this here - RFC 8446, 9.2. 
+ */ + + return 1; +} + +static const uint8_t tls13_compression_null_only[] = { 0 }; + +static int +tls13_client_hello_process(struct tls13_ctx *ctx, CBS *cbs) +{ + CBS cipher_suites, client_random, compression_methods, session_id; + STACK_OF(SSL_CIPHER) *ciphers = NULL; + const SSL_CIPHER *cipher; + uint16_t legacy_version; + int alert_desc; + SSL *s = ctx->ssl; + int ret = 0; + + if (!CBS_get_u16(cbs, &legacy_version)) + goto err; + if (!CBS_get_bytes(cbs, &client_random, SSL3_RANDOM_SIZE)) + goto err; + if (!CBS_get_u8_length_prefixed(cbs, &session_id)) + goto err; + if (!CBS_get_u16_length_prefixed(cbs, &cipher_suites)) + goto err; + if (!CBS_get_u8_length_prefixed(cbs, &compression_methods)) + goto err; + + if (tls13_client_hello_is_legacy(cbs) || s->version < TLS1_3_VERSION) { + if (!CBS_skip(cbs, CBS_len(cbs))) + goto err; + return tls13_use_legacy_server(ctx); + } + + /* Add decoded values to the current ClientHello hash */ + if (!tls13_clienthello_hash_init(ctx)) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + if (!tls13_clienthello_hash_update_bytes(ctx, (void *)&legacy_version, + sizeof(legacy_version))) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + if (!tls13_clienthello_hash_update(ctx, &client_random)) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + if (!tls13_clienthello_hash_update(ctx, &session_id)) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + if (!tls13_clienthello_hash_update(ctx, &cipher_suites)) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + if (!tls13_clienthello_hash_update(ctx, &compression_methods)) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + + if (!tlsext_server_parse(s, SSL_TLSEXT_MSG_CH, cbs, &alert_desc)) { + ctx->alert = alert_desc; + goto err; + } + + /* Finalize first ClientHello hash, or validate against it */ + if (!ctx->hs->hrr) { + if (!tls13_clienthello_hash_finalize(ctx)) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + 
} + } else { + if (!tls13_clienthello_hash_validate(ctx)) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + tls13_clienthello_hash_clear(ctx->hs); + } + + if (!tls13_client_hello_required_extensions(ctx)) { + ctx->alert = TLS13_ALERT_MISSING_EXTENSION; + goto err; + } + + /* + * If we got this far we have a supported versions extension that offers + * TLS 1.3 or later. This requires the legacy version be set to 0x0303. + */ + if (legacy_version != TLS1_2_VERSION) { + ctx->alert = TLS13_ALERT_PROTOCOL_VERSION; + goto err; + } + + /* Store legacy session identifier so we can echo it. */ + if (CBS_len(&session_id) > sizeof(ctx->hs->legacy_session_id)) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + if (!CBS_write_bytes(&session_id, ctx->hs->legacy_session_id, + sizeof(ctx->hs->legacy_session_id), + &ctx->hs->legacy_session_id_len)) { + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + goto err; + } + + /* Parse cipher suites list and select preferred cipher. */ + if ((ciphers = ssl_bytes_to_cipher_list(s, &cipher_suites)) == NULL) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + cipher = ssl3_choose_cipher(s, ciphers, SSL_get_ciphers(s)); + if (cipher == NULL) { + tls13_set_errorx(ctx, TLS13_ERR_NO_SHARED_CIPHER, 0, + "no shared cipher found", NULL); + ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; + goto err; + } + S3I(s)->hs.new_cipher = cipher; + + /* Ensure only the NULL compression method is advertised. */ + if (!CBS_mem_equal(&compression_methods, tls13_compression_null_only, + sizeof(tls13_compression_null_only))) { + ctx->alert = TLS13_ALERT_ILLEGAL_PARAMETER; + goto err; + } + + ret = 1; + + err: + sk_SSL_CIPHER_free(ciphers); + + return ret; +} + +int +tls13_client_hello_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + SSL *s = ctx->ssl; + + if (!tls13_client_hello_process(ctx, cbs)) + goto err; + + /* See if we switched back to the legacy client method. 
*/ + if (s->method->internal->version < TLS1_3_VERSION) + return 1; + + tls13_record_layer_set_legacy_version(ctx->rl, TLS1_2_VERSION); + + /* + * If a matching key share was provided, we do not need to send a + * HelloRetryRequest. + */ + /* + * XXX - ideally NEGOTIATED would only be added after record protection + * has been enabled. This would probably mean using either an + * INITIAL | WITHOUT_HRR state, or another intermediate state. + */ + if (ctx->hs->key_share != NULL) + ctx->handshake_stage.hs_type |= NEGOTIATED | WITHOUT_HRR; + + /* XXX - check this is the correct point */ + tls13_record_layer_allow_ccs(ctx->rl, 1); + + return 1; + + err: + return 0; +} + +static int +tls13_server_hello_build(struct tls13_ctx *ctx, CBB *cbb, int hrr) +{ + uint16_t tlsext_msg_type = SSL_TLSEXT_MSG_SH; + const uint8_t *server_random; + CBB session_id; + SSL *s = ctx->ssl; + uint16_t cipher; + + cipher = SSL_CIPHER_get_value(S3I(s)->hs.new_cipher); + server_random = s->s3->server_random; + + if (hrr) { + server_random = tls13_hello_retry_request_hash; + tlsext_msg_type = SSL_TLSEXT_MSG_HRR; + } + + if (!CBB_add_u16(cbb, TLS1_2_VERSION)) + goto err; + if (!CBB_add_bytes(cbb, server_random, SSL3_RANDOM_SIZE)) + goto err; + if (!CBB_add_u8_length_prefixed(cbb, &session_id)) + goto err; + if (!CBB_add_bytes(&session_id, ctx->hs->legacy_session_id, + ctx->hs->legacy_session_id_len)) + goto err; + if (!CBB_add_u16(cbb, cipher)) + goto err; + if (!CBB_add_u8(cbb, 0)) + goto err; + if (!tlsext_server_build(s, tlsext_msg_type, cbb)) + goto err; + + if (!CBB_flush(cbb)) + goto err; + + return 1; +err: + return 0; +} + +static int +tls13_server_engage_record_protection(struct tls13_ctx *ctx) +{ + struct tls13_secrets *secrets; + struct tls13_secret context; + unsigned char buf[EVP_MAX_MD_SIZE]; + uint8_t *shared_key = NULL; + size_t shared_key_len = 0; + size_t hash_len; + SSL *s = ctx->ssl; + int ret = 0; + + if (!tls13_key_share_derive(ctx->hs->key_share, + &shared_key, 
&shared_key_len)) + goto err; + + s->session->cipher = S3I(s)->hs.new_cipher; + + if ((ctx->aead = tls13_cipher_aead(S3I(s)->hs.new_cipher)) == NULL) + goto err; + if ((ctx->hash = tls13_cipher_hash(S3I(s)->hs.new_cipher)) == NULL) + goto err; + + if ((secrets = tls13_secrets_create(ctx->hash, 0)) == NULL) + goto err; + ctx->hs->secrets = secrets; + + /* XXX - pass in hash. */ + if (!tls1_transcript_hash_init(s)) + goto err; + tls1_transcript_free(s); + if (!tls1_transcript_hash_value(s, buf, sizeof(buf), &hash_len)) + goto err; + context.data = buf; + context.len = hash_len; + + /* Early secrets. */ + if (!tls13_derive_early_secrets(secrets, secrets->zeros.data, + secrets->zeros.len, &context)) + goto err; + + /* Handshake secrets. */ + if (!tls13_derive_handshake_secrets(ctx->hs->secrets, shared_key, + shared_key_len, &context)) + goto err; + + tls13_record_layer_set_aead(ctx->rl, ctx->aead); + tls13_record_layer_set_hash(ctx->rl, ctx->hash); + + if (!tls13_record_layer_set_read_traffic_key(ctx->rl, + &secrets->client_handshake_traffic)) + goto err; + if (!tls13_record_layer_set_write_traffic_key(ctx->rl, + &secrets->server_handshake_traffic)) + goto err; + + ctx->handshake_stage.hs_type |= NEGOTIATED; + if (!(SSL_get_verify_mode(s) & SSL_VERIFY_PEER)) + ctx->handshake_stage.hs_type |= WITHOUT_CR; + + ret = 1; + + err: + freezero(shared_key, shared_key_len); + return ret; +} + +int +tls13_server_hello_retry_request_send(struct tls13_ctx *ctx, CBB *cbb) +{ + int nid; + + ctx->hs->hrr = 1; + + if (!tls13_synthetic_handshake_message(ctx)) + return 0; + + if (ctx->hs->key_share != NULL) + return 0; + if ((nid = tls1_get_shared_curve(ctx->ssl)) == NID_undef) + return 0; + if ((ctx->hs->server_group = tls1_ec_nid2curve_id(nid)) == 0) + return 0; + + if (!tls13_server_hello_build(ctx, cbb, 1)) + return 0; + + return 1; +} + +int +tls13_server_hello_retry_request_sent(struct tls13_ctx *ctx) +{ + /* + * If the client has requested middlebox compatibility mode, + * we MUST 
send a dummy CCS following our first handshake message. + * See RFC 8446 Appendix D.4. + */ + if (ctx->hs->legacy_session_id_len > 0) + ctx->send_dummy_ccs_after = 1; + + return 1; +} + +int +tls13_client_hello_retry_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + SSL *s = ctx->ssl; + + if (!tls13_client_hello_process(ctx, cbs)) + return 0; + + /* XXX - need further checks. */ + if (s->method->internal->version < TLS1_3_VERSION) + return 0; + + ctx->hs->hrr = 0; + + return 1; +} + +static int +tls13_servername_process(struct tls13_ctx *ctx) +{ + uint8_t alert = TLS13_ALERT_INTERNAL_ERROR; + + if (!tls13_legacy_servername_process(ctx, &alert)) { + ctx->alert = alert; + return 0; + } + + return 1; +} + +int +tls13_server_hello_send(struct tls13_ctx *ctx, CBB *cbb) +{ + if (ctx->hs->key_share == NULL) + return 0; + if (!tls13_key_share_generate(ctx->hs->key_share)) + return 0; + if (!tls13_servername_process(ctx)) + return 0; + + ctx->hs->server_group = 0; + + if (!tls13_server_hello_build(ctx, cbb, 0)) + return 0; + + return 1; +} + +int +tls13_server_hello_sent(struct tls13_ctx *ctx) +{ + /* + * If the client has requested middlebox compatibility mode, + * we MUST send a dummy CCS following our first handshake message. + * See RFC 8446 Appendix D.4. 
+ */ + if ((ctx->handshake_stage.hs_type & WITHOUT_HRR) && + ctx->hs->legacy_session_id_len > 0) + ctx->send_dummy_ccs_after = 1; + + return tls13_server_engage_record_protection(ctx); +} + +int +tls13_server_encrypted_extensions_send(struct tls13_ctx *ctx, CBB *cbb) +{ + if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_EE, cbb)) + goto err; + + return 1; + err: + return 0; +} + +int +tls13_server_certificate_request_send(struct tls13_ctx *ctx, CBB *cbb) +{ + CBB certificate_request_context; + + if (!CBB_add_u8_length_prefixed(cbb, &certificate_request_context)) + goto err; + if (!tlsext_server_build(ctx->ssl, SSL_TLSEXT_MSG_CR, cbb)) + goto err; + + if (!CBB_flush(cbb)) + goto err; + + return 1; + err: + return 0; +} + +static int +tls13_server_check_certificate(struct tls13_ctx *ctx, CERT_PKEY *cpk, + int *ok, const struct ssl_sigalg **out_sigalg) +{ + const struct ssl_sigalg *sigalg; + SSL *s = ctx->ssl; + + *ok = 0; + *out_sigalg = NULL; + + if (cpk->x509 == NULL || cpk->privatekey == NULL) + goto done; + + if (!X509_check_purpose(cpk->x509, -1, 0)) + return 0; + + /* + * The digitalSignature bit MUST be set if the Key Usage extension is + * present as per RFC 8446 section 4.4.2.2. 
+ */ + if ((cpk->x509->ex_flags & EXFLAG_KUSAGE) && + !(cpk->x509->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE)) + goto done; + + if ((sigalg = ssl_sigalg_select(s, cpk->privatekey)) == NULL) + goto done; + + *ok = 1; + *out_sigalg = sigalg; + + done: + return 1; +} + +static int +tls13_server_select_certificate(struct tls13_ctx *ctx, CERT_PKEY **out_cpk, + const struct ssl_sigalg **out_sigalg) +{ + SSL *s = ctx->ssl; + const struct ssl_sigalg *sigalg; + CERT_PKEY *cpk; + int cert_ok; + + *out_cpk = NULL; + *out_sigalg = NULL; + + cpk = &s->cert->pkeys[SSL_PKEY_ECC]; + if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) + return 0; + if (cert_ok) + goto done; + + cpk = &s->cert->pkeys[SSL_PKEY_RSA]; + if (!tls13_server_check_certificate(ctx, cpk, &cert_ok, &sigalg)) + return 0; + if (cert_ok) + goto done; + + cpk = NULL; + sigalg = NULL; + + done: + *out_cpk = cpk; + *out_sigalg = sigalg; + + return 1; +} + +int +tls13_server_certificate_send(struct tls13_ctx *ctx, CBB *cbb) +{ + SSL *s = ctx->ssl; + CBB cert_request_context, cert_list; + const struct ssl_sigalg *sigalg; + STACK_OF(X509) *chain; + CERT_PKEY *cpk; + X509 *cert; + int i, ret = 0; + + if (!tls13_server_select_certificate(ctx, &cpk, &sigalg)) + goto err; + + if (cpk == NULL) { + /* A server must always provide a certificate. 
*/ + ctx->alert = TLS13_ALERT_HANDSHAKE_FAILURE; + tls13_set_errorx(ctx, TLS13_ERR_NO_CERTIFICATE, 0, + "no server certificate", NULL); + goto err; + } + + ctx->hs->cpk = cpk; + ctx->hs->sigalg = sigalg; + + if ((chain = cpk->chain) == NULL) + chain = s->ctx->extra_certs; + + if (!CBB_add_u8_length_prefixed(cbb, &cert_request_context)) + goto err; + if (!CBB_add_u24_length_prefixed(cbb, &cert_list)) + goto err; + + if (!tls13_cert_add(ctx, &cert_list, cpk->x509, tlsext_server_build)) + goto err; + + for (i = 0; i < sk_X509_num(chain); i++) { + cert = sk_X509_value(chain, i); + /* + * XXX we don't send extensions with chain certs to avoid sending + * a leaf ocsp stape with the chain certs. This needs to get + * fixed + */ + if (!tls13_cert_add(ctx, &cert_list, cert, NULL)) + goto err; + } + + if (!CBB_flush(cbb)) + goto err; + + ret = 1; + + err: + return ret; +} + +int +tls13_server_certificate_verify_send(struct tls13_ctx *ctx, CBB *cbb) +{ + const struct ssl_sigalg *sigalg; + uint8_t *sig = NULL, *sig_content = NULL; + size_t sig_len, sig_content_len; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *pctx; + EVP_PKEY *pkey; + const CERT_PKEY *cpk; + CBB sig_cbb; + int ret = 0; + + memset(&sig_cbb, 0, sizeof(sig_cbb)); + + if ((cpk = ctx->hs->cpk) == NULL) + goto err; + if ((sigalg = ctx->hs->sigalg) == NULL) + goto err; + pkey = cpk->privatekey; + + if (!CBB_init(&sig_cbb, 0)) + goto err; + if (!CBB_add_bytes(&sig_cbb, tls13_cert_verify_pad, + sizeof(tls13_cert_verify_pad))) + goto err; + if (!CBB_add_bytes(&sig_cbb, tls13_cert_server_verify_context, + strlen(tls13_cert_server_verify_context))) + goto err; + if (!CBB_add_u8(&sig_cbb, 0)) + goto err; + if (!CBB_add_bytes(&sig_cbb, ctx->hs->transcript_hash, + ctx->hs->transcript_hash_len)) + goto err; + if (!CBB_finish(&sig_cbb, &sig_content, &sig_content_len)) + goto err; + + if ((mdctx = EVP_MD_CTX_new()) == NULL) + goto err; + if (!EVP_DigestSignInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) + goto err; + if 
(sigalg->flags & SIGALG_FLAG_RSA_PSS) { + if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) + goto err; + if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) + goto err; + } + if (!EVP_DigestSignUpdate(mdctx, sig_content, sig_content_len)) + goto err; + if (EVP_DigestSignFinal(mdctx, NULL, &sig_len) <= 0) + goto err; + if ((sig = calloc(1, sig_len)) == NULL) + goto err; + if (EVP_DigestSignFinal(mdctx, sig, &sig_len) <= 0) + goto err; + + if (!CBB_add_u16(cbb, sigalg->value)) + goto err; + if (!CBB_add_u16_length_prefixed(cbb, &sig_cbb)) + goto err; + if (!CBB_add_bytes(&sig_cbb, sig, sig_len)) + goto err; + + if (!CBB_flush(cbb)) + goto err; + + ret = 1; + + err: + if (!ret && ctx->alert == 0) + ctx->alert = TLS13_ALERT_INTERNAL_ERROR; + + CBB_cleanup(&sig_cbb); + EVP_MD_CTX_free(mdctx); + free(sig_content); + free(sig); + + return ret; +} + +int +tls13_server_finished_send(struct tls13_ctx *ctx, CBB *cbb) +{ + struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secret context = { .data = "", .len = 0 }; + struct tls13_secret finished_key; + uint8_t transcript_hash[EVP_MAX_MD_SIZE]; + size_t transcript_hash_len; + uint8_t key[EVP_MAX_MD_SIZE]; + uint8_t *verify_data; + size_t hmac_len; + unsigned int hlen; + HMAC_CTX *hmac_ctx = NULL; + int ret = 0; + + finished_key.data = key; + finished_key.len = EVP_MD_size(ctx->hash); + + if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, + &secrets->server_handshake_traffic, "finished", + &context)) + goto err; + + if (!tls1_transcript_hash_value(ctx->ssl, transcript_hash, + sizeof(transcript_hash), &transcript_hash_len)) + goto err; + + if ((hmac_ctx = HMAC_CTX_new()) == NULL) + goto err; + if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, + ctx->hash, NULL)) + goto err; + if (!HMAC_Update(hmac_ctx, transcript_hash, transcript_hash_len)) + goto err; + + hmac_len = HMAC_size(hmac_ctx); + if (!CBB_add_space(cbb, &verify_data, hmac_len)) + goto err; + if (!HMAC_Final(hmac_ctx, 
verify_data, &hlen)) + goto err; + if (hlen != hmac_len) + goto err; + + ret = 1; + + err: + HMAC_CTX_free(hmac_ctx); + + return ret; +} + +int +tls13_server_finished_sent(struct tls13_ctx *ctx) +{ + struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secret context = { .data = "", .len = 0 }; + + /* + * Derive application traffic keys. + */ + context.data = ctx->hs->transcript_hash; + context.len = ctx->hs->transcript_hash_len; + + if (!tls13_derive_application_secrets(secrets, &context)) + return 0; + + /* + * Any records following the server finished message must be encrypted + * using the server application traffic keys. + */ + return tls13_record_layer_set_write_traffic_key(ctx->rl, + &secrets->server_application_traffic); +} + +int +tls13_client_certificate_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + CBS cert_request_context, cert_list, cert_data, cert_exts; + struct stack_st_X509 *certs = NULL; + SSL *s = ctx->ssl; + X509 *cert = NULL; + EVP_PKEY *pkey; + const uint8_t *p; + int cert_idx; + int ret = 0; + + if (!CBS_get_u8_length_prefixed(cbs, &cert_request_context)) + goto err; + if (CBS_len(&cert_request_context) != 0) + goto err; + if (!CBS_get_u24_length_prefixed(cbs, &cert_list)) + goto err; + if (CBS_len(&cert_list) == 0) { + if (!(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) + return 1; + ctx->alert = TLS13_ALERT_CERTIFICATE_REQUIRED; + tls13_set_errorx(ctx, TLS13_ERR_NO_PEER_CERTIFICATE, 0, + "peer did not provide a certificate", NULL); + goto err; + } + + if ((certs = sk_X509_new_null()) == NULL) + goto err; + while (CBS_len(&cert_list) > 0) { + if (!CBS_get_u24_length_prefixed(&cert_list, &cert_data)) + goto err; + if (!CBS_get_u16_length_prefixed(&cert_list, &cert_exts)) + goto err; + + p = CBS_data(&cert_data); + if ((cert = d2i_X509(NULL, &p, CBS_len(&cert_data))) == NULL) + goto err; + if (p != CBS_data(&cert_data) + CBS_len(&cert_data)) + goto err; + + if (!sk_X509_push(certs, cert)) + goto err; + + cert = NULL; + } + + /* + 
* At this stage we still have no proof of possession. As such, it would + * be preferable to keep the chain and verify once we have successfully + * processed the CertificateVerify message. + */ + if (ssl_verify_cert_chain(s, certs) <= 0) { + ctx->alert = ssl_verify_alarm_type(s->verify_result); + tls13_set_errorx(ctx, TLS13_ERR_VERIFY_FAILED, 0, + "failed to verify peer certificate", NULL); + goto err; + } + ERR_clear_error(); + + cert = sk_X509_value(certs, 0); + X509_up_ref(cert); + + if ((pkey = X509_get0_pubkey(cert)) == NULL) + goto err; + if (EVP_PKEY_missing_parameters(pkey)) + goto err; + if ((cert_idx = ssl_cert_type(cert, pkey)) < 0) + goto err; + + ssl_sess_cert_free(SSI(s)->sess_cert); + if ((SSI(s)->sess_cert = ssl_sess_cert_new()) == NULL) + goto err; + + SSI(s)->sess_cert->cert_chain = certs; + certs = NULL; + + X509_up_ref(cert); + SSI(s)->sess_cert->peer_pkeys[cert_idx].x509 = cert; + SSI(s)->sess_cert->peer_key = &(SSI(s)->sess_cert->peer_pkeys[cert_idx]); + + X509_free(s->session->peer); + + X509_up_ref(cert); + s->session->peer = cert; + s->session->verify_result = s->verify_result; + + ctx->handshake_stage.hs_type |= WITH_CCV; + ret = 1; + + err: + sk_X509_pop_free(certs, X509_free); + X509_free(cert); + + return ret; +} + +int +tls13_client_certificate_verify_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + const struct ssl_sigalg *sigalg; + uint16_t signature_scheme; + uint8_t *sig_content = NULL; + size_t sig_content_len; + EVP_MD_CTX *mdctx = NULL; + EVP_PKEY_CTX *pctx; + EVP_PKEY *pkey; + X509 *cert; + CBS signature; + CBB cbb; + int ret = 0; + + memset(&cbb, 0, sizeof(cbb)); + + if (!CBS_get_u16(cbs, &signature_scheme)) + goto err; + if (!CBS_get_u16_length_prefixed(cbs, &signature)) + goto err; + + if ((sigalg = ssl_sigalg(signature_scheme, tls13_sigalgs, + tls13_sigalgs_len)) == NULL) + goto err; + + if (!CBB_init(&cbb, 0)) + goto err; + if (!CBB_add_bytes(&cbb, tls13_cert_verify_pad, + sizeof(tls13_cert_verify_pad))) + goto err; + if 
(!CBB_add_bytes(&cbb, tls13_cert_client_verify_context, + strlen(tls13_cert_client_verify_context))) + goto err; + if (!CBB_add_u8(&cbb, 0)) + goto err; + if (!CBB_add_bytes(&cbb, ctx->hs->transcript_hash, + ctx->hs->transcript_hash_len)) + goto err; + if (!CBB_finish(&cbb, &sig_content, &sig_content_len)) + goto err; + + if ((cert = ctx->ssl->session->peer) == NULL) + goto err; + if ((pkey = X509_get0_pubkey(cert)) == NULL) + goto err; + if (!ssl_sigalg_pkey_ok(sigalg, pkey, 1)) + goto err; + + if (CBS_len(&signature) > EVP_PKEY_size(pkey)) + goto err; + + if ((mdctx = EVP_MD_CTX_new()) == NULL) + goto err; + if (!EVP_DigestVerifyInit(mdctx, &pctx, sigalg->md(), NULL, pkey)) + goto err; + if (sigalg->flags & SIGALG_FLAG_RSA_PSS) { + if (!EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING)) + goto err; + if (!EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, -1)) + goto err; + } + if (!EVP_DigestVerifyUpdate(mdctx, sig_content, sig_content_len)) { + ctx->alert = TLS13_ALERT_DECRYPT_ERROR; + goto err; + } + if (EVP_DigestVerifyFinal(mdctx, CBS_data(&signature), + CBS_len(&signature)) <= 0) { + ctx->alert = TLS13_ALERT_DECRYPT_ERROR; + goto err; + } + + ret = 1; + + err: + if (!ret && ctx->alert == 0) + ctx->alert = TLS13_ALERT_DECODE_ERROR; + + CBB_cleanup(&cbb); + EVP_MD_CTX_free(mdctx); + free(sig_content); + + return ret; +} + +int +tls13_client_end_of_early_data_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + return 0; +} + +int +tls13_client_finished_recv(struct tls13_ctx *ctx, CBS *cbs) +{ + struct tls13_secrets *secrets = ctx->hs->secrets; + struct tls13_secret context = { .data = "", .len = 0 }; + struct tls13_secret finished_key; + uint8_t *verify_data = NULL; + size_t verify_data_len; + uint8_t key[EVP_MAX_MD_SIZE]; + HMAC_CTX *hmac_ctx = NULL; + unsigned int hlen; + int ret = 0; + + /* + * Verify client finished. 
+ */ + finished_key.data = key; + finished_key.len = EVP_MD_size(ctx->hash); + + if (!tls13_hkdf_expand_label(&finished_key, ctx->hash, + &secrets->client_handshake_traffic, "finished", + &context)) + goto err; + + if ((hmac_ctx = HMAC_CTX_new()) == NULL) + goto err; + if (!HMAC_Init_ex(hmac_ctx, finished_key.data, finished_key.len, + ctx->hash, NULL)) + goto err; + if (!HMAC_Update(hmac_ctx, ctx->hs->transcript_hash, + ctx->hs->transcript_hash_len)) + goto err; + verify_data_len = HMAC_size(hmac_ctx); + if ((verify_data = calloc(1, verify_data_len)) == NULL) + goto err; + if (!HMAC_Final(hmac_ctx, verify_data, &hlen)) + goto err; + if (hlen != verify_data_len) + goto err; + + if (!CBS_mem_equal(cbs, verify_data, verify_data_len)) { + ctx->alert = TLS13_ALERT_DECRYPT_ERROR; + goto err; + } + + if (!CBS_skip(cbs, verify_data_len)) + goto err; + + /* + * Any records following the client finished message must be encrypted + * using the client application traffic keys. + */ + if (!tls13_record_layer_set_read_traffic_key(ctx->rl, + &secrets->client_application_traffic)) + goto err; + + tls13_record_layer_allow_ccs(ctx->rl, 0); + + ret = 1; + + err: + HMAC_CTX_free(hmac_ctx); + free(verify_data); + + return ret; +} diff --git a/tap-driver.sh b/tap-driver.sh new file mode 100755 index 0000000..865761d --- /dev/null +++ b/tap-driver.sh 
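Review bot: `tls13_server_finished_send` and `tls13_client_finished_recv` leave the derived finished key in the stack buffer `key` on every exit path, and the latter also hands the heap copy `verify_data` to plain `free()`, whereas `tls13_server_engage_record_protection` in this same file already wipes the ECDH shared secret with `freezero(shared_key, shared_key_len)`. The finished key is HKDF-expanded from the handshake traffic secret, so it deserves the same treatment as the other key material the file is careful about. I would add `explicit_bzero(key, sizeof(key));` directly after the `err:` label in both functions, and replace `free(verify_data);` with `freezero(verify_data, verify_data_len);` in `tls13_client_finished_recv` (`freezero` accepts a NULL pointer on the early error paths). While here, `tls13_client_end_of_early_data_recv` returns 0 without setting `ctx->alert`; a comment such as `/* Early data is not supported; the caller's default alert applies. */` would make the deliberate stub explicit to the next reader.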
@@ -0,0 +1,651 @@ +#! /bin/sh +# Copyright (C) 2011-2020 Free Software Foundation, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# This file is maintained in Automake, please report +# bugs to or send patches to +# . + +scriptversion=2013-12-23.17; # UTC + +# Make unconditional expansion of undefined variables an error. This +# helps a lot in preventing typo-related bugs. +set -u + +me=tap-driver.sh + +fatal () +{ + echo "$me: fatal: $*" >&2 + exit 1 +} + +usage_error () +{ + echo "$me: $*" >&2 + print_usage >&2 + exit 2 +} + +print_usage () +{ + cat < + # + trap : 1 3 2 13 15 + if test $merge -gt 0; then + exec 2>&1 + else + exec 2>&3 + fi + "$@" + echo $? + ) | LC_ALL=C ${AM_TAP_AWK-awk} \ + -v me="$me" \ + -v test_script_name="$test_name" \ + -v log_file="$log_file" \ + -v trs_file="$trs_file" \ + -v expect_failure="$expect_failure" \ + -v merge="$merge" \ + -v ignore_exit="$ignore_exit" \ + -v comments="$comments" \ + -v diag_string="$diag_string" \ +' +# TODO: the usages of "cat >&3" below could be optimized when using +# GNU awk, and/on on systems that supports /dev/fd/. 
+ +# Implementation note: in what follows, `result_obj` will be an +# associative array that (partly) simulates a TAP result object +# from the `TAP::Parser` perl module. + +## ----------- ## +## FUNCTIONS ## +## ----------- ## + +function fatal(msg) +{ + print me ": " msg | "cat >&2" + exit 1 +} + +function abort(where) +{ + fatal("internal error " where) +} + +# Convert a boolean to a "yes"/"no" string. +function yn(bool) +{ + return bool ? "yes" : "no"; +} + +function add_test_result(result) +{ + if (!test_results_index) + test_results_index = 0 + test_results_list[test_results_index] = result + test_results_index += 1 + test_results_seen[result] = 1; +} + +# Whether the test script should be re-run by "make recheck". +function must_recheck() +{ + for (k in test_results_seen) + if (k != "XFAIL" && k != "PASS" && k != "SKIP") + return 1 + return 0 +} + +# Whether the content of the log file associated to this test should +# be copied into the "global" test-suite.log. +function copy_in_global_log() +{ + for (k in test_results_seen) + if (k != "PASS") + return 1 + return 0 +} + +function get_global_test_result() +{ + if ("ERROR" in test_results_seen) + return "ERROR" + if ("FAIL" in test_results_seen || "XPASS" in test_results_seen) + return "FAIL" + all_skipped = 1 + for (k in test_results_seen) + if (k != "SKIP") + all_skipped = 0 + if (all_skipped) + return "SKIP" + return "PASS"; +} + +function stringify_result_obj(result_obj) +{ + if (result_obj["is_unplanned"] || result_obj["number"] != testno) + return "ERROR" + + if (plan_seen == LATE_PLAN) + return "ERROR" + + if (result_obj["directive"] == "TODO") + return result_obj["is_ok"] ? "XPASS" : "XFAIL" + + if (result_obj["directive"] == "SKIP") + return result_obj["is_ok"] ? "SKIP" : COOKED_FAIL; + + if (length(result_obj["directive"])) + abort("in function stringify_result_obj()") + + return result_obj["is_ok"] ? 
COOKED_PASS : COOKED_FAIL +} + +function decorate_result(result) +{ + color_name = color_for_result[result] + if (color_name) + return color_map[color_name] "" result "" color_map["std"] + # If we are not using colorized output, or if we do not know how + # to colorize the given result, we should return it unchanged. + return result +} + +function report(result, details) +{ + if (result ~ /^(X?(PASS|FAIL)|SKIP|ERROR)/) + { + msg = ": " test_script_name + add_test_result(result) + } + else if (result == "#") + { + msg = " " test_script_name ":" + } + else + { + abort("in function report()") + } + if (length(details)) + msg = msg " " details + # Output on console might be colorized. + print decorate_result(result) msg + # Log the result in the log file too, to help debugging (this is + # especially true when said result is a TAP error or "Bail out!"). + print result msg | "cat >&3"; +} + +function testsuite_error(error_message) +{ + report("ERROR", "- " error_message) +} + +function handle_tap_result() +{ + details = result_obj["number"]; + if (length(result_obj["description"])) + details = details " " result_obj["description"] + + if (plan_seen == LATE_PLAN) + { + details = details " # AFTER LATE PLAN"; + } + else if (result_obj["is_unplanned"]) + { + details = details " # UNPLANNED"; + } + else if (result_obj["number"] != testno) + { + details = sprintf("%s # OUT-OF-ORDER (expecting %d)", + details, testno); + } + else if (result_obj["directive"]) + { + details = details " # " result_obj["directive"]; + if (length(result_obj["explanation"])) + details = details " " result_obj["explanation"] + } + + report(stringify_result_obj(result_obj), details) +} + +# `skip_reason` should be empty whenever planned > 0. 
+function handle_tap_plan(planned, skip_reason) +{ + planned += 0 # Avoid getting confused if, say, `planned` is "00" + if (length(skip_reason) && planned > 0) + abort("in function handle_tap_plan()") + if (plan_seen) + { + # Error, only one plan per stream is acceptable. + testsuite_error("multiple test plans") + return; + } + planned_tests = planned + # The TAP plan can come before or after *all* the TAP results; we speak + # respectively of an "early" or a "late" plan. If we see the plan line + # after at least one TAP result has been seen, assume we have a late + # plan; in this case, any further test result seen after the plan will + # be flagged as an error. + plan_seen = (testno >= 1 ? LATE_PLAN : EARLY_PLAN) + # If testno > 0, we have an error ("too many tests run") that will be + # automatically dealt with later, so do not worry about it here. If + # $plan_seen is true, we have an error due to a repeated plan, and that + # has already been dealt with above. Otherwise, we have a valid "plan + # with SKIP" specification, and should report it as a particular kind + # of SKIP result. + if (planned == 0 && testno == 0) + { + if (length(skip_reason)) + skip_reason = "- " skip_reason; + report("SKIP", skip_reason); + } +} + +function extract_tap_comment(line) +{ + if (index(line, diag_string) == 1) + { + # Strip leading `diag_string` from `line`. + line = substr(line, length(diag_string) + 1) + # And strip any leading and trailing whitespace left. + sub("^[ \t]*", "", line) + sub("[ \t]*$", "", line) + # Return what is left (if any). + return line; + } + return ""; +} + +# When this function is called, we know that line is a TAP result line, +# so that it matches the (perl) RE "^(not )?ok\b". +function setup_result_obj(line) +{ + # Get the result, and remove it from the line. + result_obj["is_ok"] = (substr(line, 1, 2) == "ok" ? 
1 : 0) + sub("^(not )?ok[ \t]*", "", line) + + # If the result has an explicit number, get it and strip it; otherwise, + # automatically assing the next progresive number to it. + if (line ~ /^[0-9]+$/ || line ~ /^[0-9]+[^a-zA-Z0-9_]/) + { + match(line, "^[0-9]+") + # The final `+ 0` is to normalize numbers with leading zeros. + result_obj["number"] = substr(line, 1, RLENGTH) + 0 + line = substr(line, RLENGTH + 1) + } + else + { + result_obj["number"] = testno + } + + if (plan_seen == LATE_PLAN) + # No further test results are acceptable after a "late" TAP plan + # has been seen. + result_obj["is_unplanned"] = 1 + else if (plan_seen && testno > planned_tests) + result_obj["is_unplanned"] = 1 + else + result_obj["is_unplanned"] = 0 + + # Strip trailing and leading whitespace. + sub("^[ \t]*", "", line) + sub("[ \t]*$", "", line) + + # This will have to be corrected if we have a "TODO"/"SKIP" directive. + result_obj["description"] = line + result_obj["directive"] = "" + result_obj["explanation"] = "" + + if (index(line, "#") == 0) + return # No possible directive, nothing more to do. + + # Directives are case-insensitive. + rx = "[ \t]*#[ \t]*([tT][oO][dD][oO]|[sS][kK][iI][pP])[ \t]*" + + # See whether we have the directive, and if yes, where. + pos = match(line, rx "$") + if (!pos) + pos = match(line, rx "[^a-zA-Z0-9_]") + + # If there was no TAP directive, we have nothing more to do. + if (!pos) + return + + # Let`s now see if the TAP directive has been escaped. For example: + # escaped: ok \# SKIP + # not escaped: ok \\# SKIP + # escaped: ok \\\\\# SKIP + # not escaped: ok \ # SKIP + if (substr(line, pos, 1) == "#") + { + bslash_count = 0 + for (i = pos; i > 1 && substr(line, i - 1, 1) == "\\"; i--) + bslash_count += 1 + if (bslash_count % 2) + return # Directive was escaped. + } + + # Strip the directive and its explanation (if any) from the test + # description. 
+ result_obj["description"] = substr(line, 1, pos - 1) + # Now remove the test description from the line, that has been dealt + # with already. + line = substr(line, pos) + # Strip the directive, and save its value (normalized to upper case). + sub("^[ \t]*#[ \t]*", "", line) + result_obj["directive"] = toupper(substr(line, 1, 4)) + line = substr(line, 5) + # Now get the explanation for the directive (if any), with leading + # and trailing whitespace removed. + sub("^[ \t]*", "", line) + sub("[ \t]*$", "", line) + result_obj["explanation"] = line +} + +function get_test_exit_message(status) +{ + if (status == 0) + return "" + if (status !~ /^[1-9][0-9]*$/) + abort("getting exit status") + if (status < 127) + exit_details = "" + else if (status == 127) + exit_details = " (command not found?)" + else if (status >= 128 && status <= 255) + exit_details = sprintf(" (terminated by signal %d?)", status - 128) + else if (status > 256 && status <= 384) + # We used to report an "abnormal termination" here, but some Korn + # shells, when a child process die due to signal number n, can leave + # in $? an exit status of 256+n instead of the more standard 128+n. + # Apparently, both behaviours are allowed by POSIX (2008), so be + # prepared to handle them both. See also Austing Group report ID + # 0000051 + exit_details = sprintf(" (terminated by signal %d?)", status - 256) + else + # Never seen in practice. 
+ exit_details = " (abnormal termination)" + return sprintf("exited with status %d%s", status, exit_details) +} + +function write_test_results() +{ + print ":global-test-result: " get_global_test_result() > trs_file + print ":recheck: " yn(must_recheck()) > trs_file + print ":copy-in-global-log: " yn(copy_in_global_log()) > trs_file + for (i = 0; i < test_results_index; i += 1) + print ":test-result: " test_results_list[i] > trs_file + close(trs_file); +} + +BEGIN { + +## ------- ## +## SETUP ## +## ------- ## + +'"$init_colors"' + +# Properly initialized once the TAP plan is seen. +planned_tests = 0 + +COOKED_PASS = expect_failure ? "XPASS": "PASS"; +COOKED_FAIL = expect_failure ? "XFAIL": "FAIL"; + +# Enumeration-like constants to remember which kind of plan (if any) +# has been seen. It is important that NO_PLAN evaluates "false" as +# a boolean. +NO_PLAN = 0 +EARLY_PLAN = 1 +LATE_PLAN = 2 + +testno = 0 # Number of test results seen so far. +bailed_out = 0 # Whether a "Bail out!" directive has been seen. + +# Whether the TAP plan has been seen or not, and if yes, which kind +# it is ("early" is seen before any test result, "late" otherwise). +plan_seen = NO_PLAN + +## --------- ## +## PARSING ## +## --------- ## + +is_first_read = 1 + +while (1) + { + # Involutions required so that we are able to read the exit status + # from the last input line. + st = getline + if (st < 0) # I/O error. + fatal("I/O error while reading from input stream") + else if (st == 0) # End-of-input + { + if (is_first_read) + abort("in input loop: only one input line") + break + } + if (is_first_read) + { + is_first_read = 0 + nextline = $0 + continue + } + else + { + curline = nextline + nextline = $0 + $0 = curline + } + # Copy any input line verbatim into the log file. + print | "cat >&3" + # Parsing of TAP input should stop after a "Bail out!" directive. + if (bailed_out) + continue + + # TAP test result. 
+ if ($0 ~ /^(not )?ok$/ || $0 ~ /^(not )?ok[^a-zA-Z0-9_]/) + { + testno += 1 + setup_result_obj($0) + handle_tap_result() + } + # TAP plan (normal or "SKIP" without explanation). + else if ($0 ~ /^1\.\.[0-9]+[ \t]*$/) + { + # The next two lines will put the number of planned tests in $0. + sub("^1\\.\\.", "") + sub("[^0-9]*$", "") + handle_tap_plan($0, "") + continue + } + # TAP "SKIP" plan, with an explanation. + else if ($0 ~ /^1\.\.0+[ \t]*#/) + { + # The next lines will put the skip explanation in $0, stripping + # any leading and trailing whitespace. This is a little more + # tricky in truth, since we want to also strip a potential leading + # "SKIP" string from the message. + sub("^[^#]*#[ \t]*(SKIP[: \t][ \t]*)?", "") + sub("[ \t]*$", ""); + handle_tap_plan(0, $0) + } + # "Bail out!" magic. + # Older versions of prove and TAP::Harness (e.g., 3.17) did not + # recognize a "Bail out!" directive when preceded by leading + # whitespace, but more modern versions (e.g., 3.23) do. So we + # emulate the latter, "more modern" behaviour. + else if ($0 ~ /^[ \t]*Bail out!/) + { + bailed_out = 1 + # Get the bailout message (if any), with leading and trailing + # whitespace stripped. The message remains stored in `$0`. + sub("^[ \t]*Bail out![ \t]*", ""); + sub("[ \t]*$", ""); + # Format the error message for the + bailout_message = "Bail out!" + if (length($0)) + bailout_message = bailout_message " " $0 + testsuite_error(bailout_message) + } + # Maybe we have too look for dianogtic comments too. + else if (comments != 0) + { + comment = extract_tap_comment($0); + if (length(comment)) + report("#", comment); + } + } + +## -------- ## +## FINISH ## +## -------- ## + +# A "Bail out!" directive should cause us to ignore any following TAP +# error, as well as a non-zero exit status from the TAP producer. +if (!bailed_out) + { + if (!plan_seen) + { + testsuite_error("missing test plan") + } + else if (planned_tests != testno) + { + bad_amount = testno > planned_tests ? 
"many" : "few" + testsuite_error(sprintf("too %s tests run (expected %d, got %d)", + bad_amount, planned_tests, testno)) + } + if (!ignore_exit) + { + # Fetch exit status from the last line. + exit_message = get_test_exit_message(nextline) + if (exit_message) + testsuite_error(exit_message) + } + } + +write_test_results() + +exit 0 + +} # End of "BEGIN" block. +' + +# TODO: document that we consume the file descriptor 3 :-( +} 3>"$log_file" + +test $? -eq 0 || fatal "I/O or internal error" + +# Local Variables: +# mode: shell-script +# sh-indentation: 2 +# eval: (add-hook 'before-save-hook 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC0" +# time-stamp-end: "; # UTC" +# End: diff --git a/test-driver b/test-driver new file mode 100755 index 0000000..89dba1e --- /dev/null +++ b/test-driver 
@@ -0,0 +1,148 @@ +#! /bin/sh +# test-driver - basic testsuite driver script. + +scriptversion=2018-03-07.03; # UTC + +# Copyright (C) 2011-2020 Free Software Foundation, Inc. +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2, or (at your option) +# any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# As a special exception to the GNU General Public License, if you +# distribute this file as part of a program that contains a +# configuration script generated by Autoconf, you may include it under +# the same distribution terms that you use for the rest of that program. + +# This file is maintained in Automake, please report +# bugs to or send patches to +# . + +# Make unconditional expansion of undefined variables an error. This +# helps a lot in preventing typo-related bugs. +set -u + +usage_error () +{ + echo "$0: $*" >&2 + print_usage >&2 + exit 2 +} + +print_usage () +{ + cat <$log_file 2>&1 +estatus=$? 
+ +if test $enable_hard_errors = no && test $estatus -eq 99; then + tweaked_estatus=1 +else + tweaked_estatus=$estatus +fi + +case $tweaked_estatus:$expect_failure in + 0:yes) col=$red res=XPASS recheck=yes gcopy=yes;; + 0:*) col=$grn res=PASS recheck=no gcopy=no;; + 77:*) col=$blu res=SKIP recheck=no gcopy=yes;; + 99:*) col=$mgn res=ERROR recheck=yes gcopy=yes;; + *:yes) col=$lgn res=XFAIL recheck=no gcopy=yes;; + *:*) col=$red res=FAIL recheck=yes gcopy=yes;; +esac + +# Report the test outcome and exit status in the logs, so that one can +# know whether the test passed or failed simply by looking at the '.log' +# file, without the need of also peaking into the corresponding '.trs' +# file (automake bug#11814). +echo "$res $test_name (exit status: $estatus)" >>$log_file + +# Report outcome to console. +echo "${col}${res}${std}: $test_name" + +# Register the test result, and other relevant metadata. +echo ":test-result: $res" > $trs_file +echo ":global-test-result: $res" >> $trs_file +echo ":recheck: $recheck" >> $trs_file +echo ":copy-in-global-log: $gcopy" >> $trs_file + +# Local Variables: +# mode: shell-script +# sh-indentation: 2 +# eval: (add-hook 'before-save-hook 'time-stamp) +# time-stamp-start: "scriptversion=" +# time-stamp-format: "%:y-%02m-%02d.%02H" +# time-stamp-time-zone: "UTC0" +# time-stamp-end: "; # UTC" +# End: diff --git a/tls/CMakeLists.txt b/tls/CMakeLists.txt index 6c5303c..f64b1c3 100644 --- a/tls/CMakeLists.txt +++ b/tls/CMakeLists.txt @@ -1,9 +1,3 @@ -include_directories( - . - ../include - ../include/compat -) - set( TLS_SRC tls.c 
@@ -24,32 +18,35 @@ if(WIN32) TLS_SRC ${TLS_SRC} compat/ftruncate.c - compat/getuid.c compat/pread.c compat/pwrite.c ) endif() if(NOT "${OPENSSLDIR}" STREQUAL "") - add_definitions(-D_PATH_SSL_CA_FILE=\"${OPENSSLDIR}/cert.pem\") + add_definitions(-DTLS_DEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\") else() - add_definitions(-D_PATH_SSL_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\") + add_definitions(-DTLS_DEFAULT_CA_FILE=\"${CMAKE_INSTALL_PREFIX}/etc/ssl/cert.pem\") endif() add_library(tls ${TLS_SRC}) -if (BUILD_SHARED_LIBS) - export_symbol(tls ${CMAKE_CURRENT_SOURCE_DIR}/tls.sym) - target_link_libraries(tls ssl crypto) - if (WIN32) - target_link_libraries(tls Ws2_32.lib) - set(TLS_POSTFIX -${TLS_MAJOR_VERSION}) - endif() - set_target_properties(tls PROPERTIES - OUTPUT_NAME tls${TLS_POSTFIX} - ARCHIVE_OUTPUT_NAME tls${TLS_POSTFIX}) - set_target_properties(tls PROPERTIES VERSION ${TLS_VERSION} - SOVERSION ${TLS_MAJOR_VERSION}) +target_include_directories(tls + PRIVATE + . + ../include/compat + PUBLIC + ../include) + +export_symbol(tls ${CMAKE_CURRENT_SOURCE_DIR}/tls.sym) +target_link_libraries(tls ssl crypto ${PLATFORM_LIBS}) +if (WIN32) + set(TLS_POSTFIX -${TLS_MAJOR_VERSION}) endif() +set_target_properties(tls PROPERTIES + OUTPUT_NAME tls${TLS_POSTFIX} + ARCHIVE_OUTPUT_NAME tls${TLS_POSTFIX}) +set_target_properties(tls PROPERTIES VERSION ${TLS_VERSION} + SOVERSION ${TLS_MAJOR_VERSION}) if(ENABLE_LIBRESSL_INSTALL) install( diff --git a/tls/VERSION b/tls/VERSION index 778aba6..77c98b5 100644 --- a/tls/VERSION +++ b/tls/VERSION @@ -1 +1 @@ -17:1:0 +20:1:0 diff --git a/tls/compat/getuid.c b/tls/compat/getuid.c deleted file mode 100644 index 9a46317..0000000 --- a/tls/compat/getuid.c +++ /dev/null @@ -1,18 +0,0 @@ -/* - * Public domain - * - * Kinichiro Inoguchi - */ - -#ifdef _WIN32 - -#include - -uid_t -getuid(void) -{ - /* Windows fstat sets 0 as st_uid */ - return 0; -} - -#endif diff --git a/tls/tls.c b/tls/tls.c index 467db16..3d6723b 100644 --- a/tls/tls.c 
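Review bot: `target_link_libraries(tls ssl crypto ${PLATFORM_LIBS})` uses the keyword-less signature now that it is unconditional; it should state visibility, e.g. `target_link_libraries(tls PUBLIC ssl crypto ${PLATFORM_LIBS})` (PUBLIC if consumers of libtls need libssl/libcrypto symbols transitively, otherwise PRIVATE), since mixing the plain and keyword forms on the same target later is an error. The compile-time trust-store path is still injected directory-wide with `add_definitions(-DTLS_DEFAULT_CA_FILE=...)` while the include paths were moved onto the target; `target_compile_definitions(tls PRIVATE "TLS_DEFAULT_CA_FILE=\"${OPENSSLDIR}/cert.pem\"")` keeps that value on the one target that reads it, lets CMake handle the quoting, and avoids leaking it to targets configured after this file. The PUBLIC `../include` entry would need a `$<BUILD_INTERFACE:...>` wrapper if the tls target is ever exported via install(EXPORT); the install() block at the end of the hunk continues outside it, so I cannot tell whether that applies.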
+++ b/tls/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.79 2018/03/19 16:34:47 jsing Exp $ */ +/* $OpenBSD: tls.c,v 1.85 2020/05/24 15:12:54 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -41,8 +41,7 @@ static int tls_init_rv = -1; static void tls_do_init(void) { - SSL_load_error_strings(); - SSL_library_init(); + OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_CONFIG, NULL); if (BIO_sock_init() != 1) return; @@ -257,7 +256,9 @@ tls_configure(struct tls *ctx, struct tls_config *config) if (config == NULL) config = tls_config_default; + pthread_mutex_lock(&config->mutex); config->refcount++; + pthread_mutex_unlock(&config->mutex); tls_config_free(ctx->config); @@ -404,6 +405,8 @@ tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx, int tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx) { + SSL_CTX_clear_mode(ssl_ctx, SSL_MODE_AUTO_RETRY); + SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); @@ -413,6 +416,7 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx) SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1); SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1); SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2); + SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_3); if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0) SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1); @@ -420,6 +424,8 @@ tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx) SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1); if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0) SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2); + if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_3) == 0) + SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3); if (ctx->config->alpn != NULL) { if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn, 
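Review bot: The return value of `OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_CONFIG, NULL)` is discarded in tls_do_init, while the very next statement already bails out when `BIO_sock_init()` fails; an initialisation failure here would go unnoticed and later calls could not tell it from success. Suggest `if (OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_CONFIG, NULL) != 1) return;` so that tls_init_rv presumably keeps its -1 error value (the assignment to it lies outside the hunk). tls_do_init's body continues past the end of the hunk.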
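Review bot: `SSL_CTX_clear_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);` in tls_configure_ssl is added without explanation, and a reader cannot tell from the surrounding mode settings why automatic retry must be off. Presumably libtls surfaces want-read/want-write conditions to the caller itself and an internal retry would hide them; if so, a one-line comment such as `/* libtls drives TLS_WANT_POLLIN/POLLOUT itself; never let libssl retry internally. */` would record that intent next to the call. tls_configure_ssl continues outside the hunk.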
@@ -502,7 +508,7 @@ tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify) /* If no CA has been specified, attempt to load the default. */ if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) { - if (tls_config_load_file(&ctx->error, "CA", _PATH_SSL_CA_FILE, + if (tls_config_load_file(&ctx->error, "CA", tls_default_ca_cert_file(), &ca_mem, &ca_len) != 0) goto err; ca_free = ca_mem; diff --git a/tls/tls.sym b/tls/tls.sym index 923924f..e3fcb67 100644 --- a/tls/tls.sym +++ b/tls/tls.sym @@ -51,6 +51,7 @@ tls_config_verify_client_optional tls_configure tls_conn_alpn_selected tls_conn_cipher +tls_conn_cipher_strength tls_conn_servername tls_conn_session_resumed tls_conn_version @@ -59,6 +60,7 @@ tls_connect_cbs tls_connect_fds tls_connect_servername tls_connect_socket +tls_default_ca_cert_file tls_error tls_free tls_handshake diff --git a/tls/tls_config.c b/tls/tls_config.c index a4e2373..ed47170 100644 --- a/tls/tls_config.c +++ b/tls/tls_config.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_config.c,v 1.51 2018/03/20 15:40:10 jsing Exp $ */ +/* $OpenBSD: tls_config.c,v 1.58 2020/01/20 08:39:21 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -15,15 +15,12 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#ifdef _MSC_VER -#define NO_REDEF_POSIX_FUNCTIONS -#endif - #include #include #include #include +#include #include #include @@ -31,6 +28,14 @@ #include "tls_internal.h" +static const char default_ca_file[] = TLS_DEFAULT_CA_FILE; + +const char * +tls_default_ca_cert_file(void) +{ + return default_ca_file; +} + int tls_config_load_file(struct tls_error *error, const char *filetype, const char *filename, char **buf, size_t *len) 
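Review bot: `tls_default_ca_cert_file()` becomes public API in this diff (it is added to tls.sym) but nothing documents the ownership of the returned pointer; the function hands out the address of the file-scope array `default_ca_file`, so callers must neither free() nor modify it. Suggest a comment above the definition in tls_config.c: `/* Returns the compile-time default CA bundle path (TLS_DEFAULT_CA_FILE). Static storage, never NULL; callers must not free or modify it. */`. No public-header prototype or man page change is visible in this chunk, so please confirm one exists.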
@@ -89,12 +94,15 @@ tls_config_new_internal(void) if ((config = calloc(1, sizeof(*config))) == NULL) return (NULL); - if ((config->keypair = tls_keypair_new()) == NULL) + if (pthread_mutex_init(&config->mutex, NULL) != 0) goto err; config->refcount = 1; config->session_fd = -1; + if ((config->keypair = tls_keypair_new()) == NULL) + goto err; + /* * Default configuration. */ @@ -145,11 +153,16 @@ void tls_config_free(struct tls_config *config) { struct tls_keypair *kp, *nkp; + int refcount; if (config == NULL) return; - if (--config->refcount > 0) + pthread_mutex_lock(&config->mutex); + refcount = --config->refcount; + pthread_mutex_unlock(&config->mutex); + + if (refcount > 0) return; for (kp = config->keypair; kp != NULL; kp = nkp) { @@ -193,10 +206,7 @@ tls_config_clear_keys(struct tls_config *config) struct tls_keypair *kp; for (kp = config->keypair; kp != NULL; kp = kp->next) - tls_keypair_clear(kp); - - tls_config_set_ca_mem(config, NULL, 0); - tls_config_set_crl_mem(config, NULL, 0); + tls_keypair_clear_key(kp); } int @@ -243,6 +253,8 @@ tls_config_parse_protocols(uint32_t *protocols, const char *protostr) proto = TLS_PROTOCOL_TLSv1_1; else if (strcasecmp(p, "tlsv1.2") == 0) proto = TLS_PROTOCOL_TLSv1_2; + else if (strcasecmp(p, "tlsv1.3") == 0) + proto = TLS_PROTOCOL_TLSv1_3; if (proto == 0) { free(s); @@ -618,8 +630,6 @@ tls_config_set_keypair_file_internal(struct tls_config *config, return (-1); if (tls_config_set_key_file(config, key_file) != 0) return (-1); - if (tls_config_set_key_file(config, key_file) != 0) - return (-1); if (ocsp_file != NULL && tls_config_set_ocsp_staple_file(config, ocsp_file) != 0) return (-1); diff --git a/tls/tls_conninfo.c b/tls/tls_conninfo.c index 8e479ed..d44dc84 100644 --- a/tls/tls_conninfo.c +++ b/tls/tls_conninfo.c 
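Review bot: In tls_config_new_internal a failed `pthread_mutex_init(&config->mutex, NULL)` jumps to `err`, and if that path (outside the hunk) calls `tls_config_free(config)`, the new `pthread_mutex_lock(&config->mutex)` in tls_config_free runs on a mutex that was never initialised, which is undefined behaviour. The visible part of tls_config_free also never calls `pthread_mutex_destroy(&config->mutex)` once refcount reaches zero; confirm the remainder of the function does, otherwise the mutex is leaked on every config teardown. A safe shape for the init failure is to release the allocation directly, `free(config); return (NULL);`, before anything can lock the mutex. Both functions continue outside their hunks.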
@@ -1,4 +1,4 @@ -/* $OpenBSD: tls_conninfo.c,v 1.20 2018/02/10 04:48:44 jsing Exp $ */ +/* $OpenBSD: tls_conninfo.c,v 1.21 2019/11/02 13:37:59 jsing Exp $ */ /* * Copyright (c) 2015 Joel Sing * Copyright (c) 2015 Bob Beck @@ -246,6 +246,7 @@ tls_conninfo_populate(struct tls *ctx) goto err; if ((ctx->conninfo->cipher = strdup(tmp)) == NULL) goto err; + ctx->conninfo->cipher_strength = SSL_get_cipher_bits(ctx->ssl_conn, NULL); if (ctx->servername != NULL) { if ((ctx->conninfo->servername = @@ -312,6 +313,14 @@ tls_conn_cipher(struct tls *ctx) return (ctx->conninfo->cipher); } +int +tls_conn_cipher_strength(struct tls *ctx) +{ + if (ctx->conninfo == NULL) + return (0); + return (ctx->conninfo->cipher_strength); +} + const char * tls_conn_servername(struct tls *ctx) { diff --git a/tls/tls_internal.h b/tls/tls_internal.h index a227e2f..1dd5f45 100644 --- a/tls/tls_internal.h +++ b/tls/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.71 2018/03/19 16:34:47 jsing Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.77 2019/11/16 21:39:52 beck Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas * Copyright (c) 2014 Joel Sing @@ -19,6 +19,8 @@ #ifndef HEADER_TLS_INTERNAL_H #define HEADER_TLS_INTERNAL_H +#include + #include #include @@ -26,11 +28,11 @@ __BEGIN_HIDDEN_DECLS -#ifndef _PATH_SSL_CA_FILE -#define _PATH_SSL_CA_FILE "/etc/ssl/cert.pem" +#ifndef TLS_DEFAULT_CA_FILE +#define TLS_DEFAULT_CA_FILE "/etc/ssl/cert.pem" #endif -#define TLS_CIPHERS_DEFAULT "TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE" +#define TLS_CIPHERS_DEFAULT "TLSv1.3:TLSv1.2+AEAD+ECDHE:TLSv1.2+AEAD+DHE" #define TLS_CIPHERS_COMPAT "HIGH:!aNULL" #define TLS_CIPHERS_LEGACY "HIGH:MEDIUM:!aNULL" #define TLS_CIPHERS_ALL "ALL:!aNULL:!eNULL" @@ -79,6 +81,7 @@ struct tls_ticket_key { struct tls_config { struct tls_error error; + pthread_mutex_t mutex; int refcount; char *alpn; 
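Review bot: The new `pthread_mutex_t mutex;` member of struct tls_config carries no comment saying what it guards; in the hunks of this diff it is only ever taken around `refcount` updates (tls_configure, tls_config_free, tls_server_conn), so the tls_config_set_* mutators presumably still run unlocked against a config shared by live connections. Suggest `pthread_mutex_t mutex;	/* protects refcount only; other fields are not lock-protected */` so nobody later relies on it for whole-config synchronisation. The struct definition continues outside the hunk.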
@@ -113,6 +116,7 @@ struct tls_config { struct tls_conninfo { char *alpn; char *cipher; + int cipher_strength; char *servername; int session_resumed; char *version; @@ -201,7 +205,7 @@ int tls_set_mem(char **_dest, size_t *_destlen, const void *_src, int tls_set_string(const char **_dest, const char *_src); struct tls_keypair *tls_keypair_new(void); -void tls_keypair_clear(struct tls_keypair *_keypair); +void tls_keypair_clear_key(struct tls_keypair *_keypair); void tls_keypair_free(struct tls_keypair *_keypair); int tls_keypair_set_cert_file(struct tls_keypair *_keypair, struct tls_error *_error, const char *_cert_file); diff --git a/tls/tls_keypair.c b/tls/tls_keypair.c index 03e7f4a..a98e5c2 100644 --- a/tls/tls_keypair.c +++ b/tls/tls_keypair.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_keypair.c,v 1.5 2018/02/10 04:57:35 jsing Exp $ */ +/* $OpenBSD: tls_keypair.c,v 1.6 2018/04/07 16:35:34 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -29,14 +29,6 @@ tls_keypair_new(void) return calloc(1, sizeof(struct tls_keypair)); } -static void -tls_keypair_clear_key(struct tls_keypair *keypair) -{ - freezero(keypair->key_mem, keypair->key_len); - keypair->key_mem = NULL; - keypair->key_len = 0; -} - static int tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error) { @@ -64,6 +56,14 @@ tls_keypair_pubkey_hash(struct tls_keypair *keypair, struct tls_error *error) return (rv); } +void +tls_keypair_clear_key(struct tls_keypair *keypair) +{ + freezero(keypair->key_mem, keypair->key_len); + keypair->key_mem = NULL; + keypair->key_len = 0; +} + int tls_keypair_set_cert_file(struct tls_keypair *keypair, struct tls_error *error, const char *cert_file) 
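Review bot: `tls_keypair_clear_key` gains external linkage in tls_keypair.c but has no comment on its scope, and its name could be read as clearing the whole keypair. Since it only `freezero`s `key_mem` and leaves `cert_mem`, `ocsp_staple` and `pubkey_hash` untouched (those are released separately in tls_keypair_free), suggest `/* Zero and release the private key only; the certificate, OCSP staple and pubkey hash are left in place. */` above the definition. The same wording would suit the prototype in tls_internal.h.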
@@ -116,26 +116,17 @@ tls_keypair_set_ocsp_staple_mem(struct tls_keypair *keypair, staple, len); } -void -tls_keypair_clear(struct tls_keypair *keypair) -{ - struct tls_error error; - - tls_keypair_set_cert_mem(keypair, &error, NULL, 0); - tls_keypair_set_key_mem(keypair, &error, NULL, 0); - tls_keypair_set_ocsp_staple_mem(keypair, &error, NULL, 0); - - free(keypair->pubkey_hash); - keypair->pubkey_hash = NULL; -} - void tls_keypair_free(struct tls_keypair *keypair) { if (keypair == NULL) return; - tls_keypair_clear(keypair); + tls_keypair_clear_key(keypair); + + free(keypair->cert_mem); + free(keypair->ocsp_staple); + free(keypair->pubkey_hash); free(keypair); } diff --git a/tls/tls_ocsp.c b/tls/tls_ocsp.c index 17afb8e..32c372e 100644 --- a/tls/tls_ocsp.c +++ b/tls/tls_ocsp.c @@ -1,3 +1,4 @@ +/* $OpenBSD: tls_ocsp.c,v 1.19 2019/12/03 14:56:42 tb Exp $ */ /* * Copyright (c) 2015 Marko Kreen * Copyright (c) 2016 Bob Beck diff --git a/tls/tls_server.c b/tls/tls_server.c index 44bef6b..a709a2b 100644 --- a/tls/tls_server.c +++ b/tls/tls_server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_server.c,v 1.44 2018/03/19 16:34:47 jsing Exp $ */ +/* $OpenBSD: tls_server.c,v 1.45 2019/05/13 22:36:01 bcook Exp $ */ /* * Copyright (c) 2014 Joel Sing * @@ -52,7 +52,9 @@ tls_server_conn(struct tls *ctx) conn_ctx->flags |= TLS_SERVER_CONN; + pthread_mutex_lock(&ctx->config->mutex); ctx->config->refcount++; + pthread_mutex_unlock(&ctx->config->mutex); conn_ctx->config = ctx->config; conn_ctx->keypair = ctx->config->keypair; diff --git a/tls/tls_util.c b/tls/tls_util.c index 7eb9902..b144fb1 100644 --- a/tls/tls_util.c +++ b/tls/tls_util.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_util.c,v 1.12 2018/02/08 07:55:29 jsing Exp $ */ +/* $OpenBSD: tls_util.c,v 1.14 2019/04/13 18:47:58 tb Exp $ */ /* * Copyright (c) 2014 Joel Sing * Copyright (c) 2014 Ted Unangst 
@@ -17,10 +17,6 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#ifdef _MSC_VER -#define NO_REDEF_POSIX_FUNCTIONS -#endif - #include #include @@ -47,10 +43,11 @@ tls_set_mem(char **dest, size_t *destlen, const void *src, size_t srclen) free(*dest); *dest = NULL; *destlen = 0; - if (src != NULL) + if (src != NULL) { if ((*dest = memdup(src, srclen)) == NULL) return -1; - *destlen = srclen; + *destlen = srclen; + } return 0; } @@ -105,10 +102,14 @@ tls_host_port(const char *hostport, char **host, char **port) *p++ = '\0'; - if (asprintf(host, "%s", h) == -1) + if (asprintf(host, "%s", h) == -1) { + *host = NULL; goto err; - if (asprintf(port, "%s", p) == -1) + } + if (asprintf(port, "%s", p) == -1) { + *port = NULL; goto err; + } rv = 0; goto done;
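Review bot: tls_set_mem still releases the previous buffer with plain `free(*dest)` before storing the replacement. If this helper is the path behind tls_keypair_set_key_mem (not visible here, though tls_keypair_clear_key's use of `freezero` on key_mem suggests key material is meant to be scrubbed), replacing a key rather than clearing it would leave the old private key bytes in freed heap memory; `freezero(*dest, *destlen);` would be the consistent choice, and is harmless for non-secret callers. The tls_host_port hunk that follows runs past the end of this chunk.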