Compare commits

..

1221 Commits

Author SHA1 Message Date
Matt Caswell
e903aaf894 Remove some documentation for functions not in 1.0.x
A few functions in the recently added EVP_EncodeInit docs don't apply to
the 1.0.x branches.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-03 12:54:06 +01:00
Matt Caswell
fec6d1e868 Add documentation for EVP_EncodeInit() and similar functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-03 11:54:00 +01:00
Matt Caswell
5d20e98465 Ensure EVP_EncodeUpdate handles an output length that is too long
With the EVP_EncodeUpdate function it is the caller's responsibility to
determine how big the output buffer should be. The function writes the
amount actually used to |*outl|. However this could go negative with a
sufficiently large value for |inl|. We add a check for this error
condition.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-03 11:52:53 +01:00
Matt Caswell
5b814481f3 Avoid overflow in EVP_EncodeUpdate
An overflow can occur in the EVP_EncodeUpdate function which is used for
Base64 encoding of binary data. If an attacker is able to supply very large
amounts of input data then a length check can overflow resulting in a heap
corruption. Due to the very large amounts of data involved this will most
likely result in a crash.

Internally to OpenSSL the EVP_EncodeUpdate function is primarly used by the
PEM_write_bio* family of functions. These are mainly used within the
OpenSSL command line applications, so any application which processes
data from an untrusted source and outputs it as a PEM file should be
considered vulnerable to this issue.

User applications that call these APIs directly with large amounts of
untrusted data may also be vulnerable.

Issue reported by Guido Vranken.

CVE-2016-2105

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-03 11:52:53 +01:00
Matt Caswell
2919516136 Prevent EBCDIC overread for very long strings
ASN1 Strings that are over 1024 bytes can cause an overread in
applications using the X509_NAME_oneline() function on EBCDIC systems.
This could result in arbitrary stack data being returned in the buffer.

Issue reported by Guido Vranken.

CVE-2016-2176

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-05-03 10:28:00 +01:00
Matt Caswell
56ea22458f Fix encrypt overflow
An overflow can occur in the EVP_EncryptUpdate function. If an attacker is
able to supply very large amounts of input data after a previous call to
EVP_EncryptUpdate with a partial block then a length check can overflow
resulting in a heap corruption.

Following an analysis of all OpenSSL internal usage of the
EVP_EncryptUpdate function all usage is one of two forms.

The first form is like this:
EVP_EncryptInit()
EVP_EncryptUpdate()

i.e. where the EVP_EncryptUpdate() call is known to be the first called
function after an EVP_EncryptInit(), and therefore that specific call
must be safe.

The second form is where the length passed to EVP_EncryptUpdate() can be
seen from the code to be some small value and therefore there is no
possibility of an overflow.

Since all instances are one of these two forms, I believe that there can
be no overflows in internal code due to this problem.

It should be noted that EVP_DecryptUpdate() can call EVP_EncryptUpdate()
in certain code paths. Also EVP_CipherUpdate() is a synonym for
EVP_EncryptUpdate(). Therefore I have checked all instances of these
calls too, and came to the same conclusion, i.e. there are no instances
in internal usage where an overflow could occur.

This could still represent a security issue for end user code that calls
this function directly.

CVE-2016-2106

Issue reported by Guido Vranken.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3f3582139fbb259a1c3cbb0a25236500a409bf26)
2016-05-03 09:03:16 +01:00
Dr. Stephen Henson
1d29506fe0 Fix i2d_X509_AUX: pp can be NULL.
Reported by David Benjamin

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 05aef4bbdbc18e7b9490512cdee41e8a608bcc0e)
2016-05-02 22:50:19 +01:00
Dr. Stephen Henson
66ce2861c1 Don't free ret->data if malloc fails.
Issue reported by Guido Vranken.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 64eaf6c928f4066d62aa86f805796ef05bd0b1cc)
2016-04-29 21:43:12 +01:00
Dr. Stephen Henson
1c81a59503 Add checks to X509_NAME_oneline()
Sanity check field lengths and sums to avoid potential overflows and reject
excessively large X509_NAME structures.

Issue reported by Guido Vranken.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 9b08619cb45e75541809b1154c90e1a00450e537)

Conflicts:
	crypto/x509/x509.h
	crypto/x509/x509_err.c
2016-04-29 19:55:56 +01:00
Dr. Stephen Henson
0b34cf8223 Sanity check buffer length.
Reject zero length buffers passed to X509_NAME_onelne().

Issue reported by Guido Vranken.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b33d1141b6dcce947708b984c5e9e91dad3d675d)
2016-04-29 19:54:06 +01:00
Dr. Stephen Henson
53d6c14bef Add size limit to X509_NAME structure.
This adds an explicit limit to the size of an X509_NAME structure. Some
part of OpenSSL (e.g. TLS) already effectively limit the size due to
restrictions on certificate size.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 295f3a24919157e2f9021d0b1709353710ad63db)
2016-04-29 19:53:47 +01:00
Dr. Stephen Henson
6dfa55ab2f Reject inappropriate private key encryption ciphers.
The traditional private key encryption algorithm doesn't function
properly if the IV length of the cipher is zero. These ciphers
(e.g. ECB mode) are not suitable for private key encryption
anyway.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit d78df5dfd650e6de159a19a033513481064644f5)
2016-04-28 00:07:20 +01:00
Matt Caswell
a04d08fc18 Ensure we check i2d_X509 return val
The i2d_X509() function can return a negative value on error. Therefore
we should make sure we check it.

Issue reported by Yuan Jochen Kang.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 446ba8de9af9aa4fa3debc7c76a38f4efed47a62)
2016-04-26 14:39:56 +01:00
Matt Caswell
1ee4541576 Fix a signed/unsigned warning
This causes a compilation failure when using --strict-warnings in 1.0.2
and 1.0.1

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 0ca67644ddedfd656d43a6639d89a6236ff64652)
2016-04-25 19:47:18 +01:00
Rich Salz
184ebf0fca Fix NULL deref in apps/pkcs7
Thanks to Brian Carpenter for finding and reporting this.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 79356a83b78a2d936dcd022847465d9ebf6c67b1)
2016-04-25 11:46:52 -04:00
Viktor Dukhovni
697283ba41 Fix buffer overrun in ASN1_parse().
Backport of commits:

        79c7f74d6cefd5d32fa20e69195ad3de834ce065
	bdcd660e33710079b495cf5cc6a1aaa5d2dcd317

from master.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-23 00:46:32 -04:00
Dr. Stephen Henson
3d411057a5 Harden ASN.1 BIO handling of large amounts of data.
If the ASN.1 BIO is presented with a large length field read it in
chunks of increasing size checking for EOF on each read. This prevents
small files allocating excessive amounts of data.

CVE-2016-2109

Thanks to Brian Carpenter for reporting this issue.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit c62981390d6cf9e3d612c489b8b77c2913b25807)
2016-04-23 00:28:06 +01:00
David Benjamin
7a433893ad Fix memory leak on invalid CertificateRequest.
Free up parsed X509_NAME structure if the CertificateRequest message
contains excess data.

The security impact is considered insignificant. This is a client side
only leak and a large number of connections to malicious servers would
be needed to have a significant impact.

This was found by libFuzzer.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit ec66c8c98881186abbb4a7ddd6617970f1ee27a7)
2016-04-07 19:27:45 +01:00
Dr. Stephen Henson
f4bed7c7b6 Fix FIPS SSLv2 test
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 21211ade53f92629250bbea5e37d9179a31d3be2)
2016-03-26 16:02:39 +00:00
Matt Caswell
f16080718e Fix the no-comp option for Windows
no-comp on Windows was not actually suppressing compilation of the code,
although it was suppressing its use.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit a6406c95984a1009f5676bbcf60cc0d6db107af4)
2016-03-18 12:17:06 +00:00
Matt Caswell
4275ee389b Add a check for a failed malloc
Ensure we check for a NULL return from OPENSSL_malloc

Issue reported by Guido Vranken.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-18 11:59:11 +00:00
Matt Caswell
d31b25138f Ensure that memory allocated for the ticket is freed
If a call to EVP_DecryptUpdate fails then a memory leak could occur.
Ensure that the memory is freed appropriately.

Issue reported by Guido Vranken.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-18 11:59:11 +00:00
Matt Caswell
4161523ecd Fix a potential double free in EVP_DigestInit_ex
There is a potential double free in EVP_DigestInit_ex. This is believed
to be reached only as a result of programmer error - but we should fix it
anyway.

Issue reported by Guido Vranken.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ffe9150b1508a0ffc9e724f975691f24eb045c05)
2016-03-18 11:44:47 +00:00
Kurt Roeckx
6629966097 Add no-ssl2-method
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #2341
(cherry picked from commit 4256957570a233ed4e9840353e95e623dfd62086)
2016-03-14 21:17:18 +01:00
Viktor Dukhovni
03c71b84d3 expose SSLv2 method prototypes
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-03-09 03:13:06 -05:00
Viktor Dukhovni
5bac9d44e7 Retain SSLv2 methods as functions that return NULL
This improves ABI compatibility when symbol resolution is not lazy.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-08 09:08:28 -05:00
Andy Polyakov
a159719440 bn/asm/x86[_64]-mont*.pl: complement alloca with page-walking.
Some OSes, *cough*-dows, insist on stack being "wired" to
physical memory in strictly sequential manner, i.e. if stack
allocation spans two pages, then reference to farmost one can
be punishable by SEGV. But page walking can do good even on
other OSes, because it guarantees that villain thread hits
the guard page before it can make damage to innocent one...

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit adc4f1fc25b2cac90076f1e1695b05b7aeeae501)

Resolved conflicts:
	crypto/bn/asm/x86_64-mont.pl
	crypto/bn/asm/x86_64-mont5.pl

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-07 22:16:11 +01:00
Kurt Roeckx
6e7a1f35b7 Remove LOW from the default
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 29cce508972f61511318bf8cf7011fae027cddb2)
2016-03-07 18:57:40 +01:00
Dr. Stephen Henson
0199251318 Don't shift serial number into sign bit
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 01c32b5e448f6d42a23ff16bdc6bb0605287fa6f)
2016-03-07 15:19:58 +00:00
Dr. Stephen Henson
298d823bf8 Sanity check PVK file fields.
PVK files with abnormally large length or salt fields can cause an
integer overflow which can result in an OOB read and heap corruption.
However this is an rarely used format and private key files do not
normally come from untrusted sources the security implications not
significant.

Fix by limiting PVK length field to 100K and salt to 10K: these should be
more than enough to cover any files encountered in practice.

Issue reported by Guido Vranken.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5f57abe2b150139b8b057313d52b1fe8f126c952)
2016-03-04 01:26:13 +00:00
Matt Caswell
73158771aa Prepare for 1.0.1t-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-01 13:42:02 +00:00
Matt Caswell
57ac73fb5d Prepare for 1.0.1s release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-01 13:40:46 +00:00
Matt Caswell
5d2b93ad7b make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-01 13:40:45 +00:00
Matt Caswell
f588db9017 Ensure mk1mf.pl is aware of no-weak-ssl-ciphers option
Update mk1mf.pl to properly handle no-weak-ssl-ciphers

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-01 12:42:12 +00:00
Matt Caswell
8954b54182 Update CHANGES and NEWS for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-01 11:51:00 +00:00
Andy Polyakov
c582e9d213 perlasm/x86_64-xlate.pl: handle inter-bank movd.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 902b30df193afc3417a96ba72a81ed390bd50de3)
2016-03-01 11:27:40 +00:00
Andy Polyakov
7f98aa7403 crypto/bn/x86_64-mont5.pl: constant-time gather procedure.
[Backport from master]

CVE-2016-0702

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-01 11:27:40 +00:00
Andy Polyakov
d7a854c055 bn/bn_exp.c: constant-time MOD_EXP_CTIME_COPY_FROM_PREBUF.
Performance penalty varies from platform to platform, and even
key length. For rsa2048 sign it was observed to reach almost 10%.

CVE-2016-0702

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-01 11:24:05 +00:00
Viktor Dukhovni
abd5d8fbef Disable EXPORT and LOW SSLv3+ ciphers by default
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-01 11:24:02 +00:00
Viktor Dukhovni
a82cfd612b Bring SSL method documentation up to date
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-01 11:24:02 +00:00
Viktor Dukhovni
56f1acf5ef Disable SSLv2 default build, default negotiation and weak ciphers.
SSLv2 is by default disabled at build-time.  Builds that are not
configured with "enable-ssl2" will not support SSLv2.  Even if
"enable-ssl2" is used, users who want to negotiate SSLv2 via the
version-flexible SSLv23_method() will need to explicitly call either
of:

    SSL_CTX_clear_options(ctx, SSL_OP_NO_SSLv2);
or
    SSL_clear_options(ssl, SSL_OP_NO_SSLv2);

as appropriate.  Even if either of those is used, or the application
explicitly uses the version-specific SSLv2_method() or its client
or server variants, SSLv2 ciphers vulnerable to exhaustive search
key recovery have been removed.  Specifically, the SSLv2 40-bit
EXPORT ciphers, and SSLv2 56-bit DES are no longer available.

Mitigation for CVE-2016-0800

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-01 11:23:45 +00:00
Matt Caswell
8f651326a5 Fix BN_hex2bn/BN_dec2bn NULL ptr/heap corruption
In the BN_hex2bn function the number of hex digits is calculated using
an int value |i|. Later |bn_expand| is called with a value of |i * 4|.
For large values of |i| this can result in |bn_expand| not allocating any
memory because |i * 4| is negative. This leaves ret->d as NULL leading
to a subsequent NULL ptr deref. For very large values of |i|, the
calculation |i * 4| could be a positive value smaller than |i|. In this
case memory is allocated to ret->d, but it is insufficiently sized
leading to heap corruption. A similar issue exists in BN_dec2bn.

This could have security consequences if BN_hex2bn/BN_dec2bn is ever
called by user applications with very large untrusted hex/dec data. This is
anticipated to be a rare occurrence.

All OpenSSL internal usage of this function uses data that is not expected
to be untrusted, e.g. config file data or application command line
arguments. If user developed applications generate config file data based
on untrusted data then it is possible that this could also lead to security
consequences. This is also anticipated to be a rare.

Issue reported by Guido Vranken.

CVE-2016-0797

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit c175308407858afff3fc8c2e5e085d94d12edc7d)
2016-02-29 16:40:02 +00:00
Kurt Roeckx
f16bc6f06c Revert "Don't check RSA_FLAG_SIGN_VER."
This reverts commit 23a58779f53a9060c823d00d76b3070cad61d9a3.

This broke existing engines that didn't properly implement the sign and verify
functions.

Reviewed-by: Richard Levitte <levitte@openssl.org>

MR: #2077
2016-02-27 13:38:01 +01:00
Matt Caswell
a801bf2638 Fix memory issues in BIO_*printf functions
The internal |fmtstr| function used in processing a "%s" format string
in the BIO_*printf functions could overflow while calculating the length
of a string and cause an OOB read when printing very long strings.

Additionally the internal |doapr_outch| function can attempt to write to
an OOB memory location (at an offset from the NULL pointer) in the event of
a memory allocation failure. In 1.0.2 and below this could be caused where
the size of a buffer to be allocated is greater than INT_MAX. E.g. this
could be in processing a very long "%s" format string. Memory leaks can also
occur.

These issues will only occur on certain platforms where sizeof(size_t) >
sizeof(int). E.g. many 64 bit systems. The first issue may mask the second
issue dependent on compiler behaviour.

These problems could enable attacks where large amounts of untrusted data
is passed to the BIO_*printf functions. If applications use these functions
in this way then they could be vulnerable. OpenSSL itself uses these
functions when printing out human-readable dumps of ASN.1 data. Therefore
applications that print this data could be vulnerable if the data is from
untrusted sources. OpenSSL command line applications could also be
vulnerable where they print out ASN.1 data, or if untrusted data is passed
as command line arguments.

Libssl is not considered directly vulnerable. Additionally certificates etc
received via remote connections via libssl are also unlikely to be able to
trigger these issues because of message size limits enforced within libssl.

CVE-2016-0799

Issue reported by Guido Vranken.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 578b956fe741bf8e84055547b1e83c28dd902c73)
2016-02-25 22:48:17 +00:00
Emilia Kasper
59a908f1e8 CVE-2016-0798: avoid memory leak in SRP
The SRP user database lookup method SRP_VBASE_get_by_user had confusing
memory management semantics; the returned pointer was sometimes newly
allocated, and sometimes owned by the callee. The calling code has no
way of distinguishing these two cases.

Specifically, SRP servers that configure a secret seed to hide valid
login information are vulnerable to a memory leak: an attacker
connecting with an invalid username can cause a memory leak of around
300 bytes per connection.

Servers that do not configure SRP, or configure SRP but do not configure
a seed are not vulnerable.

In Apache, the seed directive is known as SSLSRPUnknownUserSeed.

To mitigate the memory leak, the seed handling in SRP_VBASE_get_by_user
is now disabled even if the user has configured a seed.

Applications are advised to migrate to SRP_VBASE_get1_by_user. However,
note that OpenSSL makes no strong guarantees about the
indistinguishability of valid and invalid logins. In particular,
computations are currently not carried out in constant time.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-25 15:44:21 +01:00
FdaSilvaYY
3ee48ada8c GH714: missing field initialisation
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 04f2a0b50d219aafcef2fa718d91462b587aa23d)
2016-02-23 13:21:48 -05:00
Dr. Stephen Henson
ccb2a61407 Fix double free in DSA private key parsing.
Fix double free bug when parsing malformed DSA private keys.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

CVE-2016-0705

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 6c88c71b4e4825c7bc0489306d062d017634eb88)
2016-02-19 14:04:21 +00:00
Andy Polyakov
3629c49d7a modes/ctr128.c: pay attention to ecount_buf alignment in CRYPTO_ctr128_encrypt.
It's never problem if CRYPTO_ctr128_encrypt is called from EVP, because
buffer in question is always aligned within EVP_CIPHER_CTX structure.

RT#4218

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 5e4bbeb49fb6522d858703201b5adee9611e7b7b)
2016-02-12 22:01:13 +01:00
Andy Polyakov
b0b9f693b4 util/mk1mf.pl: use LINK_CMD instead of LINK variable.
Trouble is that LINK variable assignment in make-file interferes with
LINK environment variable, which can be used to modify Microsoft's
LINK.EXE behaviour.

RT#4289

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit d44bb1c31ca00f4359090daa15659c0dd1a08f0d)

Resolved conflicts:
	util/pl/VC-32.pl

(cherry picked from commit 0fffd522426c7fc022894c8dd079dc2625c04096)
2016-02-11 21:30:19 +01:00
Andy Polyakov
9b6e183925 ms/uplink-x86.pl: make it work.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 740b2b9a6cf31b02916a4d18f868e8a95934c083)
2016-02-10 12:57:29 +01:00
Kurt Roeckx
99a5c8a659 Fix CHANGES entry about DSA_generate_parameters_ex
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
(cherry picked from commit 2b0c11a620c3a3431410c5d56799286f60f60d8d)
2016-01-28 19:56:49 +01:00
Richard Levitte
5d5de781a5 Correct number of arguments in BIO_get_conn_int_port macro
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 41a28cb2944a4e1c9d13889757a3bd9f72abeca1)
2016-01-28 18:20:53 +01:00
Matt Caswell
69ff244490 Prepare for 1.0.1s-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-28 17:06:38 +00:00
Matt Caswell
09ccb58518 Prepare for 1.0.1r release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-28 17:06:38 +00:00
Richard Levitte
6210c70992 TARFILE wasn't correctly set
This solves an earlier cherry-pick mistake.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-28 17:06:38 +00:00
Matt Caswell
bea4cb2e80 Further updates to CHANGES and NEWS
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-28 17:06:38 +00:00
Matt Caswell
5fed60f962 Update CHANGES and NEWS ready for release
Update CHANGES and NEWS with details of the issues fixed in the forthcoming
release.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-28 17:06:38 +00:00
Viktor Dukhovni
4040a7fd10 Better SSLv2 cipher-suite enforcement
Based on patch by: Nimrod Aviram <nimrod.aviram@gmail.com>

CVE-2015-3197

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-28 17:06:38 +00:00
Matt Caswell
8bc643efc8 Always generate DH keys for ephemeral DH cipher suites
Modified version of the commit ffaef3f15 in the master branch by Stephen
Henson. This makes the SSL_OP_SINGLE_DH_USE option a no-op and always
generates a new DH key for every handshake regardless.

This is a follow on from CVE-2016-0701. This branch is not impacted by
that CVE because it does not support X9.42 style parameters. It is still
possible to generate parameters based on primes that are not "safe",
although by default OpenSSL does not do this. The documentation does
sign post that using such parameters is unsafe if the private DH key is
reused. However to avoid accidental problems or future attacks this commit
has been backported to this branch.

Issue reported by Antonio Sanso

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-28 10:27:55 +00:00
Richard Levitte
126ac21c80 Fix BSD -rpath parameter
For BSD systems, Configure adds a shared_ldflags including a reference
to the Makefile variable LIBRPATH, but since it must be passed down to
Makefile.shared, care must be taken so the value of LIBRPATH doesn't
get expanded too early, or it ends up giving an empty string.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit c64879d3f3cc4c7f1c436a9fe3bd109847a23629)
2016-01-19 20:59:31 +01:00
Alessandro Ghedini
51223748e5 Validate ClientHello session_id field length and send alert on failure
RT#4080

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-19 15:42:23 +00:00
Prayag Verma
4c33d583f5 Update license year range to 2016
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 02f70372470b4dd3b21443bb615292175f5d2c88)
2016-01-19 10:24:52 -05:00
Viktor Dukhovni
e9a6c72e3c Empty SNI names are not valid
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-16 21:14:02 -05:00
Dr. Stephen Henson
00cebd1131 To avoid possible time_t overflow use X509_time_adj_ex()
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 9aa00b187a65b1f30789d6274ec31ea86efe7973)

Conflicts:
	apps/x509.c
2016-01-14 03:04:31 +00:00
Kurt Roeckx
f5fc9404c2 Change minimum DH size from 768 to 1024
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
2016-01-11 00:13:54 +01:00
Kurt Roeckx
ff9cef0266 File is about s_time, not s_client
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 1918e01c9f915e2eba31a5e2f86f0a5daa4fafb6)
2016-01-10 13:14:52 +01:00
Viktor Dukhovni
737d57d072 Fix X509_STORE_CTX_cleanup()
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-04 21:50:01 -05:00
Rich Salz
b5dbbebbc2 RT4202: Update rt URL's.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 41977c53cd04f52b2b5e56d31ace782577620ac3)
2015-12-28 16:41:28 -05:00
Matt Caswell
968bccee46 Add some documentation for the OCSP callback functions
Describe the usage of the OCSP callback functions on both the client and
the server side.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit c52c3b5e11253afabaa62739a8ee1c4c4bddcd53)
2015-12-27 22:05:36 +00:00
Matt Caswell
604f67f521 Ensure we don't call the OCSP callback if resuming a session
It makes no sense to call the OCSP status callback if we are resuming a
session because no certificates will be sent.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 0ac6239955965f58f9dddb4229e8cd58e0dba20d)
2015-12-27 22:05:36 +00:00
Matt Caswell
a7316aace3 Fix error when server does not send CertificateStatus message
If a server sends the status_request extension then it may choose
to send the CertificateStatus message. However this is optional.
We were treating it as mandatory and the connection was failing.

Thanks to BoringSSL for reporting this issue.

RT#4120

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 905943af3b43116b64ae815db1a6b9c2f15e0356)
2015-12-27 22:05:36 +00:00
David Benjamin
1967199f9f Fix memory leak in DSA redo case.
Found by clang scan-build.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>

RT: #4184, MR: #1496
(cherry picked from commit 679d87515d23ca31491effdc264edc81c695a72a)
2015-12-22 11:54:42 +01:00
Dr. Stephen Henson
23a58779f5 Don't check RSA_FLAG_SIGN_VER.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 6656ba7152dfe4bba865e327dd362ea08544aa80)
2015-12-20 19:28:23 +00:00
Richard Levitte
f9b52eb6b1 BIO_s_datagram() ctrl doesn't support SEEK/TELL, so don't pretend it does
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 17592f323ac7dad381cc3b512573c291b1a820c0)
2015-12-19 22:10:32 +01:00
Richard Levitte
074821106c Correct or add comments indicating what controls belong to what
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6d97060ee00518efc99c5d89a78529dc111780fb)
2015-12-19 22:10:32 +01:00
Richard Levitte
0dae9636e8 Document how BIO_get_conn_ip and BIO_get_conn_int_port actually work
No dummy arguments.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7eb51251252ea0b269227d267512b98495f51bc4)
2015-12-19 22:10:32 +01:00
Richard Levitte
f08360a160 Have BIO_get_conn_int_port use BIO_ctrl instead BIO_int_ctrl
BIO_int_ctrl isn't made for the purpose BIO_get_conn_int_port used it
for.

This also changes BIO_C_GET_CONNECT to actually return the port
instead of assigning it to a pointer that was never returned back to
the caller.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2a60fccdd9b696e01fddaa268e92ea210beb0e8f)
2015-12-19 22:10:32 +01:00
Matt Caswell
583f4bf7e8 Fix more URLs mangled by reformat
Fix some more URLs mangled by indent in the reformat. These ones don't exist
in master so we have a separate commit. Based on a patch supplied by Arnaud
Lacombe <al@aerilon.ca>

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-19 20:40:39 +00:00
Matt Caswell
ff2c19efdb Fix URLs mangled by reformat
Some URLs in the source code ended up getting mangled by indent. This fixes
it. Based on a patch supplied by Arnaud Lacombe <al@aerilon.ca>

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-19 20:40:39 +00:00
Richard Levitte
e961c7a201 Remove the "eay" c-file-style indicators
Since we don't use the eay style any more, there's no point tryint to
tell emacs to use it.

Reviewed-by: Ben Laurie <ben@openssl.org>
2015-12-18 13:13:31 +01:00
Rich Salz
d7f7144391 Provide better "make depend" warning.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 2e31ef0366d368ac8cf7f5ecc9052bff27337799)
2015-12-16 17:47:22 -05:00
Emilia Kasper
d6af325d51 Fix a ** 0 mod 1 = 0 for real this time.
Commit 2b0180c37fa6ffc48ee40caa831ca398b828e680 attempted to do this but
only hit one of many BN_mod_exp codepaths. Fix remaining variants and add
a test for each method.

Thanks to Hanno Boeck for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit d911097d7c93e4cfeab624b34d73fe51da158b69)
(cherry picked from commit 44e4f5b04b43054571e278381662cebd3f3555e6)
2015-12-14 18:27:04 +01:00
Richard Levitte
36be5f77d0 Fix tarball production to keep test/bctest and util/pod2mantest
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 474a53b3a36568d19d7b918ee879efd2707e7c67)
2015-12-14 11:24:24 +01:00
Matt Caswell
f612bdb342 Ensure |rwstate| is set correctly on BIO_flush
A BIO_flush call in the DTLS code was not correctly setting the |rwstate|
variable to SSL_WRITING. This means that SSL_get_error() will not return
SSL_ERROR_WANT_WRITE in the event of an IO retry.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 67f60be8c9ae5ff3129fcd6238baf124385a41d8)
2015-12-10 12:50:56 +00:00
Matt Caswell
4a53424318 Fix DTLS handshake fragment retries
If using DTLS and NBIO then if a second or subsequent handshake message
fragment hits a retry, then the retry attempt uses the wrong fragment
offset value. This commit restores the fragment offset from the last
attempt.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 2ad226e88bee97847496e542d63c67997d5beda6)
2015-12-10 12:50:55 +00:00
Dr Stephen Henson
d724616f68 Don't use applink for static builds.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 10119938215298ad414468e7c2779d7fd1a0b979)
2015-12-09 00:30:27 +00:00
Rich Salz
d27f073bf5 Refer to website for acknowledgements.
Reviewed-by: Steve Marquess <marquess@openssl.com>
(cherry picked from commit ab29c82a55f3583a490733dd521ea6c486e8e2fb)
2015-12-08 16:08:20 -05:00
Richard Levitte
a19244a433 Not all 'find's know -xtype, use -type instead
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3cd7aef34d0d414d27ab00abadb99265a2cffde9)
2015-12-08 21:06:34 +01:00
Richard Levitte
cf269a1a0e Adapt the OS X build to use the OS X tar
As part of this, move release creation to a script to be called from
.travis.yml.  That makes it much easier to test outside of travis.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 382af61f6213e975b4c2a50fd8b9fedd23d86ab5)
2015-12-08 21:06:34 +01:00
Richard Levitte
4305622736 Make it possible to affect the way dists are made
Introducing DISTTARVARS to propagate changed variables down to the
tar-making target.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4d3c30a1799bf7b4dc7223b84417c4de992a6b9c)
2015-12-08 21:06:33 +01:00
Richard Levitte
66a1ccf494 Cleanup the EVP_MD_CTX before exit rather than after
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit c44844d928ad3c471c8dbe8baf2df8957900125b)
2015-12-08 12:07:22 +01:00
Richard Levitte
777adea16a Change tar owner and group to just 0
It seems like some tar versions don't like the name:id form for
--owner and --group.  The closest known anonymous user being 0 (root),
that seems to be the most appropriate user/group to assign ownership
to.  It matters very little when unpacking either way.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b91dd150d2b9b5ddca37722e7f52ea59ba7f80da)
2015-12-07 20:11:05 +01:00
Richard Levitte
641365436e Do not add symlinks in the source release
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 451a5bdf0386d7acf091c3e3b39107e5ed8be25d)
2015-12-07 16:25:18 +01:00
Richard Levitte
1e8a87295e In travis, build from a "source release" rather than from the build tree
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 475fc3d8729190fd12b4ff23d6ec488439fb78f9)
2015-12-07 16:25:13 +01:00
Richard Levitte
3b92a6fe4f Small changes to creating dists
Make TARFILE include ../ instead of having that hard coded all over the place.
When transforming file names in TAR_COMMAND, use $(NAME) instead of openssl-$(VERSION)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4a544810f08539f1549eea9be36bd878c67c8e26)
2015-12-07 16:24:23 +01:00
Matt Caswell
d82626caec Prepare for 1.0.1r-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-03 14:51:13 +00:00
Matt Caswell
55615e8d48 Prepare for 1.0.1q release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-03 14:50:26 +00:00
Matt Caswell
56edb20184 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-03 14:50:26 +00:00
Matt Caswell
ac3dd9b7e6 Update CHANGES and NEWS
Update the CHANGES and NEWS files for the new release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-03 13:45:13 +01:00
Dr. Stephen Henson
d8541d7e9e Add PSS parameter check.
Avoid seg fault by checking mgf1 parameter is not NULL. This can be
triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

Thanks to Loïc Jonas Etienne (Qnective AG) for discovering this bug.

CVE-2015-3194

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-03 13:45:13 +01:00
Dr. Stephen Henson
b29ffa392e Fix leak with ASN.1 combine.
When parsing a combined structure pass a flag to the decode routine
so on error a pointer to the parent structure is not zeroed as
this will leak any additional components in the parent.

This can leak memory in any application parsing PKCS#7 or CMS structures.

CVE-2015-3195.

Thanks to Adam Langley (Google/BoringSSL) for discovering this bug using
libFuzzer.

PR#4131

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-03 13:45:13 +01:00
Andy Polyakov
005f4893dc e_os.h: limit _MSC_VER trickery to older compilers.
PR: #3390, backport from 1.0.2.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-03 13:24:42 +01:00
Dr. Stephen Henson
d585cc32a5 typo
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-12-02 21:49:37 +00:00
Richard Levitte
fb35ea28f4 _BSD_SOURCE is deprecated, use _DEFAULT_SOURCE instead
The feature_test_macros(7) manual tells us that _BSD_SOURCE is
deprecated since glibc 2.20 and that the compiler will warn about it
being used, unless _DEFAULT_SOURCE is defined as well.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f9fd35248c9a3b1125d9ab82ffb19d62e86533ac)
2015-12-02 18:49:57 +01:00
Matt Caswell
41d049e1cd Return errors even if the cookie validation has succeeded
In the DTLS ClientHello processing the return value is stored in |ret| which
by default is -1. We wish to return 1 on success or 2 on success *and* we
have validated the DTLS cookie. Previously on successful validation of the
cookie we were setting |ret| to 2. Unfortunately if we later encounter an
error then we can end up returning a successful (positive) return code from
the function because we already set |ret| to a positive value.

This does not appear to have a security consequence because the handshake
just fails at a later point.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-11-30 10:51:43 +00:00
Kurt Roeckx
98b94544e5 Use both sun and __sun
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit ed02493567390cac6d07447f193fcaac5b219af3)
2015-11-24 23:44:50 +01:00
Marcus Meissner
844de56ed6 mark openssl configuration as loaded at end of OPENSSL_config
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@akamai.com>

GH: #466
(cherry picked from commit 434b58457c8cca4d09f77a1774d6d2c446604bae)
2015-11-24 22:05:47 +01:00
Pascal Cuoq
784934498f ssl3_free(): Return if it wasn't created
If somewhere in SSL_new() there is a memory allocation failure, ssl3_free() can
get called with s->s3 still being NULL.

Patch also provided by Willy Tarreau <wtarreau@haproxy.com>

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
(cherry picked from commit 3e7bd2ce0b16f8611298175d6dc7cb35ee06ea6d)
2015-11-24 21:56:39 +01:00
Kurt Roeckx
0b5f9ce37b Set reference count earlier
Backport of 0e04674e964b905e67e3d215bcf888932c92765f

Reviewed-by: Steve Henson <steve@openssl.org>

RT #4047, #4110, MR #1356
2015-11-24 21:53:40 +01:00
Dr. Stephen Henson
fc45da0535 Fix uninitialised p error.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 63eb10a07ee29a312e50a227f5b3a290b1ad22b4)
2015-11-24 16:55:44 +00:00
Dr. Stephen Henson
5844c9453f Limit depth of ASN1 parse printing.
Thanks to Guido Vranken <guidovranken@gmail.com> for reporting this issue.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 158e5207a794603f5d64ffa95e0247c7808ab445)

Conflicts:
	crypto/asn1/asn1_par.c
2015-11-24 15:30:17 +00:00
Kurt Roeckx
88883f2ebf Use defined(__sun) instead of defined(sun)
Strict ISO confirming C compilers only define __sun

Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>

RT #4144, MR #1353

(cherry picked from commit 3d32218812e87221344f2985512e42e4aaa88745)
2015-11-22 12:25:00 +01:00
Alessandro Ghedini
638856f40c Add initial AppVeyor configuration
Original patch by Frank Morgner.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@akamai.com>

GH: #456
(cherry picked from commit 68db80e2d1accdd4c4a6b4763559c6cfe9663820)
2015-11-21 20:15:54 +01:00
Matt Caswell
a5184a6c89 Ensure all EVP calls have their returns checked where appropriate
There are lots of calls to EVP functions from within libssl There were
various places where we should probably check the return value but don't.
This adds these checks.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 56d913467541506572f908a34c32ca7071f77a94)

Conflicts:
	ssl/s3_enc.c
	ssl/s3_srvr.c
2015-11-20 15:56:42 +00:00
Rich Salz
e71aab1c02 Fix release in README.
Reviewed-by: Steve Marquess <marquess@openssl.com>
2015-11-18 16:58:40 -05:00
Graeme Perrow
b77390a2ff RT32671: wrong multiple errs TS_check_status_info
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit f236ef27bd2ca99b3367554aa3e2fc9ca345deb5)
2015-11-13 16:57:41 -05:00
Matt Caswell
78b9d13474 Stop DTLS servers asking for unsafe legacy renegotiation
If a DTLS client that does not support secure renegotiation connects to an
OpenSSL DTLS server then, by default, renegotiation is disabled. If a
server application attempts to initiate a renegotiation then OpenSSL is
supposed to prevent this. However due to a discrepancy between the TLS and
DTLS code, the server sends a HelloRequest anyway in DTLS.

This is not a security concern because the handshake will still fail later
in the process when the client responds with a ClientHello.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit d40ec4ab8e7c0ff39bf4f9918fbb9dfdca4c5221)
2015-11-10 19:27:25 +00:00
Matt Caswell
e83009840a Only call ssl3_init_finished_mac once for DTLS
In DTLS if an IO retry occurs during writing of a fragmented ClientHello
then we can end up reseting the finish mac variables on the retry, which
causes a handshake failure. We should only reset on the first attempt not
on retries.

Thanks to BoringSSL for reporting this issue.

RT#4119

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 15a7164eb7d4d031608fcec2801d7f7b11b16923)
2015-11-10 18:47:57 +00:00
Matt Caswell
84d0c40f3f Fix missing malloc return value checks
During work on a larger change in master a number of locations were
identified where return value checks were missing. This backports the
relevant fixes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 903738ac63e60c10552741e2d6de9753c67e0ff3)

Conflicts:
	crypto/cms/cms_sd.c
2015-11-09 23:00:37 +00:00
Richard Levitte
c8cc43108d Make the match for previous cflags a bit more strict
./Configure [target] --strict-warnings -Wno-pedantic-ms-format
would not add '-pedantic' because it matches '-Wno-pedantic-ms-format',
which was added first.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 6703c4ea87b30554283deaa5df1f8d68725d3ee4)
2015-11-09 12:15:07 +01:00
Matt Caswell
1fe1c65c3b Minor EVP_SignInit_ex doc fix
EVP_SignInit_ex was missing from the NAME section of its man page so
typing "man EVP_SignInit_ex" failed to load the page.

Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit 3d866ea67e8b19777e88ac2a78ee4188e0983168)
2015-11-04 14:39:32 +00:00
Matt Caswell
22ec08d7b7 Clarify the preferred way of creating patch files
Clarify that git format-patch output is preferred for creating patch files.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit f89ee71bc81017e04ac50f570d8aed87f495bcf2)
2015-11-02 14:34:40 +00:00
Rich Salz
0f5fdb73d7 Some README and CONTRIBUTING cleanups.
Close GH Issue 69
Close GH PR 457/RT4113
Some other updates

By Rich Salz, Alessandro Ghedini, Steve Marquess, Collin Anderson

(manual cherry-pick of a2aaf8be7e3c22a61ef89f273aa85f482b955336 and
b06935f439af7150d3ae566922353c3f210e63ed)

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-11-01 08:41:25 -05:00
Pascal Cuoq
9f82c7b3aa BN_GF2m_mod_inv(): check bn_wexpand return value
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@akamai.com>

MR #1276, RT #4107

(cherry picked from commit 94b3664a528258df5ebcaae213d19bf6568cc47d)
2015-10-29 20:41:32 +01:00
Alessandro Ghedini
200c8ed4f5 Remove useless code
RT#4081

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 070c23325af4526c9a8532a60d63522c58d5554b)
2015-10-23 20:47:53 +02:00
Alessandro Ghedini
a5524e534b Check memory allocation
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8cf9d71a3a43d9b98a8a278d47dc08088a954a7b)
2015-10-23 20:43:46 +02:00
Alessandro Ghedini
edd0f5c201 Fix references to various RFCs
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 3240e7cf5f651d9d94814b4d494fbe294e463b72)
2015-10-23 20:43:09 +02:00
Alessandro Ghedini
020bc42893 Fix typos
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit d900a015b5a89ea2018e6122dd2738925e4d68ab)
2015-10-23 20:41:17 +02:00
Alessandro Ghedini
61587d65ea Set salt length after the malloc has succeeded
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit c2319cf9fce87a2e82efb6e58ced11a85190dc3d)
2015-10-23 20:39:25 +02:00
Alessandro Ghedini
71d5679cd3 Fix memory leaks and other mistakes on errors
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 3f6c7691870d1cd2ad0e0c83638cef3f35a0b548)
2015-10-23 20:38:52 +02:00
Alessandro Ghedini
418c051161 Replace malloc+strlcpy with strdup
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8acaabec429b39f9436f6a88006384d72d292539)
2015-10-23 20:38:47 +02:00
Alessandro Ghedini
6a3dd58678 Do not treat 0 return value from BIO_get_fd() as error
0 is a valid file descriptor.

RT#4068

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 4428c7dba8f6f407d915c1226f4e0f673e8be241)
2015-10-23 20:38:06 +02:00
Adam Eijdenberg
2d404dc380 Clarify return values for EVP_DigestVerifyFinal.
Previous language was unclear.  New language isn't pretty but I believe
it is more accurate.

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8cbb048c3ea416f2bd8a3706d027f3aa26ef08d9)
2015-10-22 21:11:19 -04:00
Dr. Stephen Henson
b2593839da Typo.
PR#4079

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit c69ce9351336f5b4a8b33890756b3fd185528210)

Conflicts:
	crypto/evp/e_des3.c
2015-10-11 00:45:18 +01:00
Rich Salz
bfc19297cd Avoid SHA1 weakness
In X509_cmp, if cert digest is equal, look at DER of the
signed part.  This is what master and 1.0.2 already do.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-10-09 17:06:21 -04:00
Rich Salz
978b5d709a Fix travis build for 1.0.1
Add explicit linux-clang targets
Add --strict-warnings support for clang
Disable mingw debug builds

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-10-08 23:31:29 -04:00
Matt Caswell
ec1f125512 Don't treat a bare OCTETSTRING as DigestInfo in int_rsa_verify
The function int_rsa_verify is an internal function used for verifying an
RSA signature. It takes an argument |dtype| which indicates the digest type
that was used. Dependant on that digest type the processing of the
signature data will vary. In particular if |dtype == NID_mdc2| and the
signature data is a bare OCTETSTRING then it is treated differently to the
default case where the signature data is treated as a DigestInfo (X509_SIG).

Due to a missing "else" keyword the logic actually correctly processes the
OCTETSTRING format signature first, and then attempts to continue and
process it as DigestInfo. This will invariably fail because we already know
that it is a bare OCTETSTRING.

This failure doesn't actualy make a real difference because it ends up at
the |err| label regardless and still returns a "success" result. This patch
just cleans things up to make it look a bit more sane.

RT#4076

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit dffe51091f412dcbc18f6641132f0b4f0def6bce)
2015-10-08 14:17:08 +01:00
Richard Levitte
363c8fd572 When ENGINE_add finds that id or name is missing, actually return
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5850cc75ea0c1581a9034390f1ca77cadc596238)
2015-10-08 12:41:06 +02:00
Pascal Cuoq
91dc4497de Move BN_CTX_start() call so the error case can always call BN_CTX_end().
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR #1231

(cherry picked from commit 99c203337574d967c86ffbfa13f40ace51048485)
2015-10-07 20:41:34 +02:00
Pascal Cuoq
11ca27c912 Set flags to 0 before calling BN_with_flags()
BN_with_flags() will read the dest->flags to keep the BN_FLG_MALLOCED but
overwrites everything else.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR #1231

(cherry picked from commit f92768e6f5259069bd21dbed2b98b3423c1dfca4)
2015-10-07 20:41:15 +02:00
Dr. Stephen Henson
a0ba92ccde Don't try and parse boolean type.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e58c4d3cdde7a0a01df2884bfeec31a2b07be22d)
2015-10-06 15:16:50 +01:00
Matt Caswell
f141376ae2 Change functions to pass in a limit rather than calculate it
Some extension handling functions were passing in a pointer to the start
of the data, plus the length in order to calculate the end, rather than
just passing in the end to start with. This change makes things a little
more readable.

Reviewed-by: Emilia Käsper <emilia@openssl.org>

Conflicts:
	ssl/s3_srvr.c
	ssl/ssl_locl.h
	ssl/t1_lib.c
2015-10-05 19:52:38 +01:00
Alessandro Ghedini
e4840c88c5 Validate ClientHello extension field length
RT#4069

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-05 19:48:28 +01:00
Kurt Roeckx
67d4253174 Fix more d2i cases to properly update the input pointer
Thanks to David Benjamin <davidben@google.com> for pointing them out.

Reviewed-by: Steve Henson <steve@openssl.org>
MR #1198

(cherry picked from commit 605236f6a8fe0743af2f63d93239a74c69dae137)
2015-10-03 13:36:31 +02:00
Dr. Stephen Henson
978c8aa8b7 Link in applink with fips_premain_dso
PR#4042

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit d62c64b947ae96463a331de005165c57966d2149)
2015-09-29 18:44:02 +01:00
Ismo Puustinen
72ac982306 GH367: use random data if seed too short.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 6f997dc36504d67d1339ceb6bce4ecba673d8568)
2015-09-29 12:49:16 -04:00
Hubert Kario
b0c8e38e33 RT4051: fix ciphers man page typo
the alias supported by OpenSSL 1.0.1 is "EECDH" not "EECDHE"
(GH PR 405)

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-29 11:15:12 -04:00
Emilia Kasper
64ec479559 RT2772: accept empty SessionTicket
RFC 5077 section 3.3 says: If the server determines that it does not
want to include a ticket after it has included the SessionTicket
extension in the ServerHello, then it sends a zero-length ticket in the
NewSessionTicket handshake message.

Previously the client would fail upon attempting to allocate a
zero-length buffer. Now, we have the client ignore the empty ticket and
keep the existing session.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 21b538d616b388fa0ce64ef54da3504253895cf8)
2015-09-28 16:13:45 +02:00
Dr. Stephen Henson
7794c355ea SRP memory leak fix
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 92ea6fe597238779e23fd9e1fee82d30641d61a8)
2015-09-28 14:34:47 +01:00
Rich Salz
dfa08ea750 Fix typo in previous merge
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-25 11:43:51 -04:00
Rich Salz
2bd918696b Change --debug to -d for compat with old releases.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 1d4ddb4e1a088f1333c4bb155c52c7f94e572bca)
2015-09-25 11:39:37 -04:00
Emilia Kasper
456b9820eb BUF_strdup and friends: update docs
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 58e3457a82e8940ff36b36949f9c7a60e7614b2c)
(cherry picked from commit be250ee2d353a9c8ed858bf8ca274d3107ae2f64)
2015-09-22 20:09:42 +02:00
Emilia Kasper
e56c77b8ee BUF_strndup: tidy
Fix comment, add another overflow check, tidy style

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit de8883e11befde31d9b6cfbbd1fc017c365e0bbf)
(cherry picked from commit f5afe9ce3f7ab8d2fef460054d1170427db0d02c)
2015-09-22 20:09:42 +02:00
Alessandro Ghedini
6905187488 Make BUF_strndup() read-safe on arbitrary inputs
BUF_strndup was calling strlen through BUF_strlcpy, and ended up reading
past the input if the input was not a C string.

Make it explicitly part of BUF_strndup's contract to never read more
than |siz| input bytes. This augments the standard strndup contract to
be safer.

The commit also adds a check for siz overflow and some brief documentation
for BUF_strndup().

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 110f7b37de9feecfb64950601cc7cec77cf6130b)
(cherry picked from commit f61216ba9d17430fb5eb3e2b202a209960b9d51b)
2015-09-22 20:09:38 +02:00
Rich Salz
9d1fcbebbc GH398: Add mingw cross-compile, etc.
For all release branches.  It adds travis build support. If you don't
have a config file it uses the default (because we enabled travis for the
project), which uses ruby/rake/rakefiles, and you get confusing "build
still failing" messages.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit db9defdfe306e1adf0af7188b187d535eb0268da)
2015-09-22 13:46:51 -04:00
David Woodhouse
21d8f24485 RT3479: Add UTF8 support to BIO_read_filename()
If we use BIO_new_file(), on Windows it'll jump through hoops to work
around their unusual charset/Unicode handling. it'll convert a UTF-8
filename to UCS-16LE and attempt to use _wfopen().

If you use BIO_read_filename(), it doesn't do this. Shouldn't it be
consistent?

It would certainly be nice if SSL_use_certificate_chain_file() worked.

Also made BIO_C_SET_FILENAME work (rsalz)

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit ff03599a2f518dbdf13bca0bb0208e431b892fe9)
2015-09-21 17:33:06 -04:00
Gunnar Kudrjavets
f9394bd7a0 RT3823: Improve the robustness of event logging
There are a couple of minor fixes here:

1) Handle the case when RegisterEventSource() fails (which it may for
various reasons) and do the work of logging the event only if it succeeds.

2) Handle the case when ReportEvent() fails and do our best in debug builds
to at least attempt somehow indicate that something has gone wrong. The
typical situation would be someone running tools like DbMon, DBWin32,
DebugView or just having the debugger attached. The intent is to make sure
that at least some data will be captured so that we can save hours and days
of debugging time.

3) Minor fix to change the MessageBox() flag to MB_ICONERROR. Though the
value of MB_ICONERROR is the same value as MB_ICONSTOP, the intent is
better conveyed by using MB_ICONERROR.

Testing performed:

1) Clean compilation for debug-VC-WIN32 and VC-WIN32.

2) Good test results (nmake -f ms\ntdll.mak test) for debug-VC-WIN32 and
VC-WIN32.

3) Stepped through relevant changes using WinDBG and exercised the impacted
code paths.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4cd94416a452c3a3e0df24c297f7d2f0e6d5bb5f)
2015-09-21 14:36:39 -04:00
Matt Caswell
b2a6718819 Fix SRP memory leaks
There were some memory leaks in the creation of an SRP verifier (both on
successful completion and also on some error paths).

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit bf95cde28712cfcad90cb3975cdcb8e5c0f20fde)
2015-09-21 10:26:32 +01:00
Dr. Stephen Henson
34a0eade7f Make SRP work with -www
PR#3817

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4e7e623012e1604d985e2ef362c2957d464f3f01)

Conflicts:
	apps/s_server.c
2015-09-20 14:28:22 +01:00
Dr. Stephen Henson
2bc914eb29 Handle SSL_ERROR_WANT_X509_LOOKUP
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f1c412c9e63f7c9cac2c723bff09cce563dda1b0)
2015-09-20 14:22:52 +01:00
Viktor Dukhovni
2ab1e7fde3 Fix indentation
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 4fe1cbdff89768c5d1983988ce1022674a438bbb)
2015-09-19 09:10:38 -04:00
Rich Salz
628c15039f This undoes GH367 for non-master
Was only approved for master, to avoid compatibility issues on
previous releases.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 6be18a22199de4d114b53686c31ba02723fc2c18)
2015-09-18 15:56:45 -04:00
Matt Caswell
a50a8a76dd Make sure OPENSSL_cleanse checks for NULL
In master we have the function OPENSSL_clear_free(x,y), which immediately
returns if x == NULL. In <=1.0.2 this function does not exist so we have to
do:
OPENSSL_cleanse(x, y);
OPENSSL_free(x);

However, previously, OPENSSL_cleanse did not check that if x == NULL, so
the real equivalent check would have to be:
if (x != NULL)
    OPENSSL_cleanse(x, y);
OPENSSL_free(x);

It would be easy to get this wrong during cherry-picking to other branches
and therefore, for safety, it is best to just ensure OPENSSL_cleanse also
checks for NULL.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 020d8fc83fe1a94232db1ee1166309e2458a8a18)
2015-09-17 22:33:31 +01:00
Emilia Kasper
7ac2c47583 base64 decode: check for high bit
Previously, the conversion would silently coerce to ASCII. Now, we error
out.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b785504a10310cb2872270eb409b70971be5e76e)
(cherry picked from commit cb71f17dc786c72ec74c0ebb983b3ccfde484271)
2015-09-17 21:45:28 +02:00
Emilia Kasper
76067c75fd RT3757: base64 encoding bugs
Rewrite EVP_DecodeUpdate.

In particular: reject extra trailing padding, and padding in the middle
of the content. Don't limit line length. Add tests.

Previously, the behaviour was ill-defined, and depended on the position
of the padding within the input.

In addition, this appears to fix a possible two-byte oob read.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 3cdd1e94b1d71f2ce3002738f9506da91fe2af45)
(cherry picked from commit 37faf117965de181f4de0b4032eecac2566de5f6)
2015-09-17 20:15:41 +02:00
Ivo Raisr
f95d1af064 Make no-psk compile without warnings.
PR#4035

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit 929f6d6f55275b17cfdd5c405ef403bce87c9aef)
2015-09-16 18:12:04 +01:00
Rich Salz
83fcd322f7 RT4044: Remove .cvsignore files.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-15 12:01:30 -04:00
Rich Salz
12650153ec RT4044: Remove .cvsignore files.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 3be39dc1e3378d79531e385a72051c4dc5c6b34d)
2015-09-15 12:00:18 -04:00
Kurt Roeckx
8f42c34f8f d2i: don't update input pointer on failure
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
MR #1005
(cherry picked from commit a46c9789ce2aecedceef119e9883513c7a49f1ca)
2015-09-15 00:15:03 +02:00
Dr. Stephen Henson
421baf1862 Check for FIPS mode after loading config.
PR#3958

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2aa5a2c76656f3873fecd0f0bcc628c1861c27a9)
2015-09-12 02:43:36 +01:00
Dr. Stephen Henson
8b5ac90e5e Use default field separator.
If the field separator isn't specified through -nameopt then use
XN_FLAG_SEP_CPLUS_SPC instead of printing nothing and returing an error.

PR#2397

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 03706afa30aeb4407287171a9d6f9a765395d0a2)
2015-09-11 20:52:58 +01:00
Emilia Kasper
4cb23e12a3 RT3754: check for NULL pointer
Fix both the caller to error out on malloc failure, as well as the
eventual callee to handle a NULL gracefully.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-09-10 17:23:33 +02:00
Matt Caswell
dd642deea8 Fix session resumption
Commit f0348c842e7 introduced a problem with session resumption. The
version for the session is fixed when the session is created. By moving
the creation of the session earlier in the process the version is fixed
*before* version negotiation has completed when processing the ServerHello
on the client side. This fix updates the session version after version neg
has completed.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit dc0c888811cebfa2d21c844be0d81335fb2361da)
2015-09-02 00:31:33 +01:00
Matt Caswell
927f7a8703 Fix building with OPENSSL_NO_TLSEXT.
Builds using no-tlsext in 1.0.0 and 0.9.8 are broken. This commit fixes the
issue. The same commit is applied to 1.0.1 and 1.0.2 branches for code
consistency. However this commit will not fix no-tlsext in those branches
which have always been broken for other reasons. The commit is not applied
to master at all, because no-tlsext has been completely removed from that
branch.

Based on a patch by Marc Branchaud <marcnarc@xiplink.com>

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 9a931208d7fc8a3596dda005cdbd6439938f01b0)
2015-09-02 00:07:24 +01:00
Tim Zhang
525e13612e Fix the comment for POINT_CONVERSION_UNCOMPRESSED
The |z| value should be 0x04 not 0x02

RT#3838

Signed-off-by: Matt Caswell <matt@openssl.org>

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 91d2728b38b1df930f337e163816a0fc9580b6a6)
2015-09-01 23:55:47 +01:00
Emilia Kasper
5999b897ff OpenSSL 1.0.1n: add missing CHANGES entry
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-01 20:13:21 +02:00
Emilia Kasper
bae16c98c1 RT4002: check for NULL cipher in p12_crpt.c
The NULL cipher case can't actually happen because we have no
EVP_PBE_CTL combinations where cipher_nid is -1 and keygen is
PKCS12_PBE_keyivgen. But make the code more obviously correct.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 394f7b6fcc38132b8ccff0a3253b9dd15640cfc0)
2015-09-01 20:06:08 +02:00
Emilia Kasper
9d4798a9e0 RT 3493: fix RSA test
- Pass in the right ciphertext length to ensure we're indeed testing
  ciphertext corruption (and not truncation).
- Only test one mutation per byte to not make the test too slow.
- Add a separate test for truncated ciphertexts.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 25d6b3401ca40c9a2cbe5080449c1c2a37037777)
2015-09-01 20:05:56 +02:00
Richard Levitte
246a010b78 Ignore .dir-locals.el
Because we recently encourage people to have a .dir-locals.el, it's a good
idea to ignore it on a git level.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d7c02691a5e6f2716759eacb6f48c39f15ee57c8)
2015-09-01 01:19:52 +02:00
mrpre
1915a22184 check bn_new return value
Slightly modified from the original PR.
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>

(cherry picked from commit a7e974c7be90e2c9673e2ce6215a70f734eb8ad4)
2015-08-31 16:06:29 -04:00
Ben Kaduk
a6ce498b2a GH367 follow-up, for more clarity
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 36ac7bc8a9c856bcdff6eecdaca128ccc5430a1e)
2015-08-31 13:47:12 -04:00
Emilia Kasper
d46e946d26 BN_mod_exp_mont_consttime: check for zero modulus.
Don't dereference |d| when |top| is zero. Also test that various BIGNUM methods behave correctly on zero/even inputs.

Follow-up to b11980d79a52ec08844f08bea0e66c04b691840b

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-31 19:33:42 +02:00
Richard Levitte
c88f65f5b5 Remove auto-fill-mode
Apparently, emacs sees changes to auto-fill-mode as insecure

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6dc08048d93ff35de882878f190ae49aa698b5d2)
2015-08-31 18:21:04 +02:00
Richard Levitte
fc90ab42db Add an example .dir-locals.el
This file, when copied to .dir-locals.el in the OpenSSL source top,
will make sure that the CC mode style "OpenSSL-II" will be used for
all C files.

Additionally, I makes sure that tabs are never used as indentation
character, regardless of the emacs mode, and that the fill column is
78.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0927f0d822b1e0f55cb7d8bacf9004ad3495514b)
2015-08-31 18:21:04 +02:00
Richard Levitte
8d677c10f9 Add emacs CC mode style for OpenSSL
This hopefully conforms closely enough to the current code style.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d9b3554b2d9724bc2d1621a026ddaf0223e2d191)
2015-08-31 18:21:04 +02:00
Emilia Kasper
cb5320014d bntest: don't dereference the |d| array for a zero BIGNUM.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 4d04226c2ec7e7f69f6234def63631648e35e828)
(cherry picked from commit 9c989aaa749d88b63bef5d5beeb3046eae62d836)
2015-08-31 16:53:37 +02:00
Ismo Puustinen
9a97446468 GH367: Fix dsa keygen for too-short seed
If the seed value for dsa key generation is too short (< qsize),
return an error. Also update the documentation.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit f00a10b89734e84fe80f98ad9e2e77b557c701ae)
2015-08-28 11:25:44 -04:00
David Brodski
80c25ba676 Fixed problem with multiple load-unload of comp zlib
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 8cbb153357896c4b224e0678550944f7851bc3b2)
2015-08-26 17:36:44 -04:00
Viktor Dukhovni
eb55a6f455 GH correct organizationalUnitName
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 208b2d541dcb3b8f62639d2a8cc5771af4ba8755)
2015-08-26 17:32:09 -04:00
Matt Caswell
be8b8603d6 Fix DTLS session ticket renewal
A DTLS client will abort a handshake if the server attempts to renew the
session ticket. This is caused by a state machine discrepancy between DTLS
and TLS discovered during the state machine rewrite work.

The bug can be demonstrated as follows:

Start a DTLS s_server instance:
openssl s_server -dtls

Start a client and obtain a session but no ticket:
openssl s_client -dtls -sess_out session.pem -no_ticket

Now start a client reusing the session, but allow a ticket:
openssl s_client -dtls -sess_in session.pem

The client will abort the handshake.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ee4ffd6fccd169775ba74afb1dbfecff48ee413d)

Conflicts:
	ssl/d1_clnt.c
2015-08-26 10:27:35 +01:00
Markus Rinne
86de216da3 RT4019: Duplicate -hmac flag in dgst.pod
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-08-25 12:15:03 -04:00
Rich Salz
bedcd9385f GH372: Remove duplicate flags
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 32c5e0ba0f9097e9c788ed8402fcbf6646cd2c2d)
2015-08-25 12:13:11 -04:00
Richard Levitte
2507c8cfb3 Add new types to indent.pro
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3da9505dc02b0594633c73a11343f54bb5dbf536)
2015-08-17 18:25:27 +02:00
Rich Salz
98e75c0b69 Move FAQ to the web.
Best hope of keeping current.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 4f46473a86c9e3741203b22d4d401a3763583494)
2015-08-16 19:04:03 -04:00
Dr. Stephen Henson
2cf51451f3 Update docs.
Clarify and update documention for extra chain certificates.

PR#3878.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2fd7fb99dba9f56fbcb7ee1686bef30c7aef4754)
2015-08-14 06:35:38 +01:00
Dr. Stephen Henson
50e56c1d8c Return error for unsupported modes.
PR#3974
PR#3975

Reviewed-by: Matt Caswell <matt@openssl.org>

Conflicts:
	crypto/evp/evp_lib.c
2015-08-12 14:29:02 +01:00
Dr. Stephen Henson
2d17250368 Fix memory leak if setup fails.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 891eac4604b5f05413e59602fae1f11136f4719a)

Conflicts:
	crypto/cms/cms_enc.c
2015-08-12 14:24:08 +01:00
Dr. Stephen Henson
aa701624b1 Err isn't always malloc failure.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit a187e08d856690b5c1da3184d0ff560d572f893b)

Conflicts:
	crypto/cms/cms_smime.c
2015-08-12 14:23:48 +01:00
Matt Caswell
396e300449 Fix "make test" seg fault with SCTP enabled
When config'd with "sctp" running "make test" causes a seg fault. This is
actually due to the way ssltest works - it dives under the covers and frees
up BIOs manually and so some BIOs are NULL when the SCTP code does not
expect it. The simplest fix is just to add some sanity checks to make sure
the BIOs aren't NULL before we use them.

This problem occurs in master and 1.0.2. The fix has also been applied to
1.0.1 to keep the code in sync.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit f75d5171be0b3b5419c8974133e1573cf976a8bb)
2015-08-11 22:27:05 +01:00
Matt Caswell
402634f8aa Fix missing return value checks in SCTP
There are some missing return value checks in the SCTP code. In master this
was causing a compilation failure when config'd with
"--strict-warnings sctp".

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit d8e8590ed90eba6ef651d09d77befb14f980de2c)
2015-08-11 22:27:05 +01:00
Matt Caswell
b11980d79a Check for 0 modulus in BN_MONT_CTX_set
The function BN_MONT_CTX_set was assuming that the modulus was non-zero
and therefore that |mod->top| > 0. In an error situation that may not be
the case and could cause a seg fault.

This is a follow on from CVE-2015-1794.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-08-11 20:23:00 +01:00
Guy Leaver (guleaver)
f15c99f4d4 Fix seg fault with 0 p val in SKE
If a client receives a ServerKeyExchange for an anon DH ciphersuite with the
value of p set to 0 then a seg fault can occur. This commits adds a test to
reject p, g and pub key parameters that have a 0 value (in accordance with
RFC 5246)

The security vulnerability only affects master and 1.0.2, but the fix is
additionally applied to 1.0.1 for additional confidence.

CVE-2015-1794

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-08-11 20:23:00 +01:00
Matt Caswell
507ea77b82 Fix warning when compiling with no-ec2m
EC_KEY_set_public_key_affine_coordinates was using some variables that only
apply if OPENSSL_NO_EC2M is not defined.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 8d11b7c7ee84ad0aa243476088285d15b22c5470)
2015-08-04 10:52:09 +01:00
Dirk Wetter
556803fc3d GH336: Return an exit code if report fails
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e36ce2d986a5edbd33d6d176fb95c8046fae9725)
2015-08-01 14:33:21 -04:00
Loganaden Velvindron
1a9a506cfb Clear BN-mont values when free'ing it.
From a CloudFlare patch.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 1a586b3942de1c0bd64203d09385d5e74f499d8d)
2015-07-31 13:38:48 -04:00
Dr. Stephen Henson
5030cc69ff use X9.31 keygen by default in FIPS mode
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit d0c9a90640c8902fef3eb74e8ef05227f8e7dcb7)
2015-07-30 14:35:42 +01:00
Martin Vejnar
721cbae7e6 RT3774: double-free in DSA
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit fa4629b6a2518d202fd051f228c3d8770682b3be)
2015-07-29 21:21:47 -04:00
Rich Salz
372e74903e Tweak README about rt and bug reporting.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 932af1617e277904bcca6e47729a420bba39785b)
2015-07-29 10:39:14 -04:00
Matt Caswell
728432aed0 Fix SSL_set_session_ticket_ext when used with SSLv23_method
The function SSL_set_session_ticket_ext can be used to set custom session
ticket data passed in the initial ClientHello. This can be particularly
useful for EAP-FAST. However, when using SSLv23_method, the session does
not get created until the ServerHello has been received. The extension code
will only add the SessionTicket data to the ClientHello if a session already
exists. Therefore SSL_set_session_ticket_ext has no impact when used in
conjunction with SSLv23_method. The solution is to simply create the session
during creation of the ClientHello instead of waiting for the ServerHello.

This commit fixes the test failure introduced by the previous commit.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-07-27 16:47:00 +01:00
Matt Caswell
8e75dcf587 Add test for SSL_set_session_ticket_ext
The function SSL_set_session_ticket_ext sets the ticket data to be sent in
the ClientHello. This is useful for EAP-FAST. This commit adds a test to
ensure that when this function is called the expected ticket data actually
appears in the ClientHello.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-07-27 16:14:02 +01:00
mancha
396a2dc071 Fix author credit for e5c0bc6
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-07-15 06:50:12 -04:00
Rich Salz
001c957676 Revert "Missing perldoc markup around < literal"
This reverts commit e5c0bc6cc49a23b50a272801c4bd53639c25fca4.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-07-15 06:50:12 -04:00
Ernie Hershey
2507d846e1 GH322: Fix typo in generated comment.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit ad282e638b6824325fb83ecf7cde2e7996f52b79)
2015-07-15 03:33:26 -04:00
GitHub User
432785095c Missing perldoc markup around < literal
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e5c0bc6cc49a23b50a272801c4bd53639c25fca4)
2015-07-14 01:33:29 -04:00
Richard Levitte
a027bba22a Conversion to UTF-8 where needed
This leaves behind files with names ending with '.iso-8859-1'.  These
should be safe to remove.  If something went wrong when re-encoding,
there will be some files with names ending with '.utf8' left behind.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-07-14 01:18:57 +02:00
Richard Levitte
13e742a439 Small script to re-encode files that need it to UTF-8
This requires 'iconv' and that 'file' can take the options '-b' and '-i'.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f608b4064d58ca4dfdfdfc921308b51cb96205e2)
2015-07-14 01:13:52 +02:00
Richard Levitte
2794dec7b2 Remove extra '; \' in apps/Makefile
Fixes GH#330

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit eeb97bce751296b2e04a92d00c0d0a792ba61834)

Conflicts:
	apps/Makefile
2015-07-13 17:15:38 +02:00
Richard Levitte
2035e2db68 Set numeric IDs for tar as well
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit da24e6f8a05ea657684094e04c1a54efa04c2962)
2015-07-10 20:31:57 +02:00
Richard Levitte
be85620419 Stop using tardy
Instead of piping through tardy, and possibly suffering from bugs in certain
versions, use --transform, --owner and --group directly with GNU tar (we
already expect that tar variant).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 27f98436b9a84b94fbdd8e32960504634ae44cc0)

Conflicts:
	Makefile.org
2015-07-10 17:31:32 +02:00
Peter Waltenberg
b5e972fdd3 Exit on error in ecparam
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 99dcd88035330d59ab40b5bc0f551aca7020cd30)
2015-07-09 15:43:34 -04:00
Dr. Stephen Henson
a15ba3cca3 Sort @sstacklst correctly.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2a7059c56f885a3fa0842e886f5178def8e5481d)
2015-07-09 16:58:07 +01:00
Matt Caswell
7c17c20a56 Prepare for 1.0.1q-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-09 13:29:59 +01:00
Matt Caswell
5ab53da9fb Prepare for 1.0.1p release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-09 13:22:23 +01:00
Matt Caswell
245daa2b73 Update CHANGES and NEWS for the new release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-09 09:32:04 +01:00
Matt Caswell
cb22d2ae5a Fix alt chains bug
This is a follow up to the alternate chains certificate forgery issue
(CVE-2015-1793). That issue is exacerbated in 1.0.1 by a related bug which
means that we *always* check for an alternative chain, even if we have
already found a chain. The code is supposed to stop as soon as it has found
one (and does do in master and 1.0.2).

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-07 22:57:36 +01:00
Matt Caswell
b3b1eb5735 Reject calls to X509_verify_cert that have not been reinitialised
The function X509_verify_cert checks the value of |ctx->chain| at the
beginning, and if it is NULL then it initialises it, along with the value
of ctx->untrusted. The normal way to use X509_verify_cert() is to first
call X509_STORE_CTX_init(); then set up various parameters etc; then call
X509_verify_cert(); then check the results; and finally call
X509_STORE_CTX_cleanup(). The initial call to X509_STORE_CTX_init() sets
|ctx->chain| to NULL. The only place in the OpenSSL codebase  where
|ctx->chain| is set to anything other than a non NULL value is in
X509_verify_cert itself. Therefore the only ways that |ctx->chain| could be
non NULL on entry to X509_verify_cert is if one of the following occurs:
1) An application calls X509_verify_cert() twice without re-initialising
in between.
2) An application reaches inside the X509_STORE_CTX structure and changes
the value of |ctx->chain| directly.

With regards to the second of these, we should discount this - it should
not be supported to allow this.

With regards to the first of these, the documentation is not exactly
crystal clear, but the implication is that you must call
X509_STORE_CTX_init() before each call to X509_verify_cert(). If you fail
to do this then, at best, the results would be undefined.

Calling X509_verify_cert() with |ctx->chain| set to a non NULL value is
likely to have unexpected results, and could be dangerous. This commit
changes the behaviour of X509_verify_cert() so that it causes an error if
|ctx->chain| is anything other than NULL (because this indicates that we
have not been initialised properly). It also clarifies the associated
documentation. This is a follow up commit to CVE-2015-1793.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-07 22:52:36 +01:00
Matt Caswell
d42d100433 Add test for CVE-2015-1793
This adds a test for CVE-2015-1793. This adds a new test file
verify_extra_test.c, which could form the basis for additional
verification tests.

Reviewed-by: Stephen Henson <steve@openssl.org>

Conflicts:
	test/Makefile
2015-07-07 22:52:31 +01:00
Matt Caswell
9a0db453ba Fix alternate chains certificate forgery issue
During certificate verfification, OpenSSL will attempt to find an
alternative certificate chain if the first attempt to build such a chain
fails. An error in the implementation of this logic can mean that an
attacker could cause certain checks on untrusted certificates to be
bypassed, such as the CA flag, enabling them to use a valid leaf
certificate to act as a CA and "issue" an invalid certificate.

This occurs where at least one cert is added to the first chain from the
trust store, but that chain still ends up being untrusted. In that case
ctx->last_untrusted is decremented in error.

Patch provided by the BoringSSL project.

CVE-2015-1793

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-07-07 22:50:04 +01:00
Dr. Stephen Henson
cb6e0ed17a Relax CCM tag check.
In CCM mode don't require a tag before initialising decrypt: this allows
the tag length to be set without requiring the tag.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 9cca7be11d62298b2af0722f94345012c86eaed4)
2015-07-06 18:36:10 +01:00
Dr. Stephen Henson
e5d5019a23 document -2 return value
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5727582cf51e98e5e0faa435e7da2c8929533c0d)
2015-07-06 18:36:10 +01:00
Dr. Stephen Henson
d6be3124f2 Fix PSK handling.
The PSK identity hint should be stored in the SSL_SESSION structure
and not in the parent context (which will overwrite values used
by other SSL structures with the same SSL_CTX).

Use BUF_strndup when copying identity as it may not be null terminated.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3c66a669dfc7b3792f7af0758ea26fe8502ce70c)
2015-07-02 13:04:25 +01:00
Dr. Stephen Henson
eb0e2a5c5d Check for errors with SRP
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5fced2395ddfb603a50fd1bd87411e603a59dc6f)
2015-06-29 19:21:34 +01:00
Dr. Stephen Henson
0d25eb7800 Don't output bogus errors in PKCS12_parse
PR#3923

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ffbf304d4832bd51bb0618f8ca5b7c26647ee664)
2015-06-25 04:55:56 +01:00
Rich Salz
ae2f46597a RT3907-fix
Typo in local variable name; introduced by previous fix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit cc3f3fc2b1c94d65824ab8d69595b6d89b17cf8d)
2015-06-22 20:50:36 -04:00
Rich Salz
9ad2eb6a6e RT3907: avoid "local" in testssl script
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 75ba5c58c6b3b3326a6c3198100830afa120e7c3)
2015-06-22 15:50:14 -04:00
Richard Levitte
f4961dc2af Cleanup mttest.c : because we no longer use stdio here, don't include it
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8ca96efd24b73f917837fdd45b1c22d7b8ff8cbd)
2015-06-21 22:13:28 +02:00
Richard Levitte
40ced6c187 Add -ldl to the build of mttest.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit d62c98c81c7b47b7b1878fd7e91e5fd33818faf0)
2015-06-21 22:13:28 +02:00
Richard Levitte
f1817dd4d0 Cleanup mttest.c : do not try to output reference counts when threads are done
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 964626957f79e07ed97756527cdc7e84007c60c9)
2015-06-21 22:13:28 +02:00
Richard Levitte
5891dae67c Cleanup mttest.c : better error reporting when certs are missing
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 7a1789d254c561bd3024c971b5cfeeedd12d63f3)
2015-06-21 22:13:28 +02:00
Richard Levitte
1d6d4efea5 Cleanup mttest.c : make ssl_method a pointer to const
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f4c73bfe0ab7a0e8f82fe2947c0f77fe3d98acab)

Conflicts:
	crypto/threads/mttest.c
2015-06-21 22:13:28 +02:00
Richard Levitte
0fee334404 Cleanup mttest.c : more output changes
More fprintf()s and printf()s to turn into BIO calls.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-21 22:13:28 +02:00
Richard Levitte
141f7d263b Cleanup mttest.c : modernise output
Construct bio_err and bio_stdout from file handles instead of FILE
pointers, since the latter might not be implemented (when OPENSSL_NO_STDIO
is defined).
Convert all output to use BIO_printf.
Change lh_foo to lh_SSL_SESSION_foo.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit bb8abd6735e198de36c1eb9098a7f1516d156220)

Conflicts:
	crypto/threads/mttest.c
2015-06-21 22:13:28 +02:00
Richard Levitte
ae3254a52d Cleanup mttest.c : modernise the threads setup
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5c78e1835285ce4acdc7cc4f4c06aa7d6661c9b4)

Conflicts:
	crypto/threads/mttest.c
2015-06-21 22:13:28 +02:00
Richard Levitte
9720dd4314 Cleanup mttest.c : remove MS_CALLBACK
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a3f9286556d6d78c1800caae97a9328afb2557e6)
2015-06-21 22:13:28 +02:00
Rich Salz
83d6620986 RT1688: Add dependencies for parallel make
Backport to 1.0.1 and 1.0.2 to fix RT 3905

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8e6bb99979b95ee8b878e22e043ceb78d79c32a1)
2015-06-21 15:27:30 -04:00
Richard Levitte
347fc5d8cd Make preprocessor error into real preprocessor error
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit b4f0d1a4a89b964dba80036a6348ca0a1913c526)
2015-06-16 13:14:09 +02:00
Richard Levitte
a5d8c1c291 Remove one extraneous parenthesis
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 30cf91784bfde82622f79d87d17d20ce73329532)
2015-06-16 13:14:09 +02:00
Matt Caswell
902795b2f1 Prepare for 1.0.1p-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 16:24:26 +01:00
Matt Caswell
2a8c2799e1 Prepare for 1.0.1o release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 16:20:59 +01:00
Matt Caswell
2ad310ffde Updated CHANGES and NEWS entries for new release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 16:02:04 +01:00
Adam Langley
6cbc78906b Allow a zero length extension block
It is valid for an extension block to be present in a ClientHello, but to
be of zero length.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-12 15:45:17 +01:00
Matt Caswell
fffcf87a55 Fix ABI break with HMAC
Recent HMAC changes broke ABI compatibility due to a new field in HMAC_CTX.
This backs that change out, and does it a different way.

Thanks to Timo Teras for the concept.

Conflicts:
	crypto/hmac/hmac.c

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-12 14:43:23 +01:00
Matt Caswell
3adca975dc Prepare for 1.0.1o-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-11 15:08:34 +01:00
Matt Caswell
517899e6c8 Prepare for 1.0.1n release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-11 15:05:11 +01:00
Andy Polyakov
f61bbf8da5 bn/bn_gf2m.c: avoid infinite loop wich malformed ECParamters.
CVE-2015-1788

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4924b37ee01f71ae19c94a8934b80eeb2f677932)
2015-06-11 15:02:21 +01:00
Matt Caswell
1f31458a77 Update CHANGES and NEWS
Updates to CHANGES and NEWS to take account of the latest security fixes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-11 15:02:21 +01:00
Emilia Kasper
5fbc59cac6 PKCS#7: Fix NULL dereference with missing EncryptedContent.
CVE-2015-1790

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-06-11 15:02:21 +01:00
Emilia Kasper
370ac32030 Fix length checks in X509_cmp_time to avoid out-of-bounds reads.
Also tighten X509_cmp_time to reject more than three fractional
seconds in the time; and to reject trailing garbage after the offset.

CVE-2015-1789

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-11 15:02:21 +01:00
Dr. Stephen Henson
dd90a91d87 Fix infinite loop in CMS
Fix loop in do_free_upto if cmsbio is NULL: this will happen when attempting
to verify and a digest is not recognised. Reported by Johannes Bauer.

CVE-2015-1792

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-11 15:02:21 +01:00
Richard Levitte
176b59d157 Correction of make depend merge error
$(PROGS) was mistakenly removed, adding it back.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5ef5b9ffa91ad6061c42291564a1dc786300ebdd)
2015-06-11 15:52:29 +02:00
Matt Caswell
907f04a303 More ssl_session_dup fixes
Fix error handling in ssl_session_dup, as well as incorrect setting up of
the session ticket. Follow on from CVE-2015-1791.

Thanks to LibreSSL project for reporting these issues.

Conflicts:
	ssl/ssl_sess.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-11 10:08:18 +01:00
Kurt Roeckx
f3b355fec3 Only allow a temporary rsa key exchange when they key is larger than 512.
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR #838

(cherry picked from commit 57e477b9ec66542afc8c9c13ae7c4271209fb88f)
2015-06-11 00:10:24 +02:00
Kurt Roeckx
c4ce10773f Properly check certificate in case of export ciphers.
Reviewed-by: Rich Salz <rsalz@openssl.org>
MR #838

(cherry picked from commit 39a298a1c0e7a76e301b9f2ebe8d33d90ad0a3b4)
2015-06-11 00:10:02 +02:00
Matt Caswell
d46de4ce48 DTLS handshake message fragments musn't span packets
It should not be possible for DTLS message fragments to span multiple
packets. However previously if the message header fitted exactly into one
packet, and the fragment body was in the next packet then this would work.
Obviously this would fail if packets get re-ordered mid-flight.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-10 12:12:57 +01:00
Matt Caswell
418df5ea23 Fix leak in HMAC error path
In the event of an error in the HMAC function, leaks can occur because the
HMAC_CTX does not get cleaned up.

Thanks to the BoringSSL project for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit e43a13c807e42688c72c4f3d001112bf0a110464)
2015-06-10 11:08:51 +01:00
Matt Caswell
d163a2cc46 EC_POINT_is_on_curve does not return a boolean
The function EC_POINT_is_on_curve does not return a boolean value.
It returns 1 if the point is on the curve, 0 if it is not, and -1
on error. Many usages within OpenSSL were incorrectly using this
function and therefore not correctly handling error conditions.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 68886be7e2cd395a759fcd41d2cede461b68843d)
2015-06-10 10:51:17 +01:00
Matt Caswell
72df35acf2 Tighten extension handling
This adds additional checks to the processing of extensions in a ClientHello
to ensure that either no extensions are present, or if they are then they
take up the exact amount of space expected.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Stephen Henson <steve@openssl.org>

Conflicts:
	ssl/t1_lib.c
2015-06-10 10:32:05 +01:00
Matt Caswell
f92b196723 Fix memory leaks in BIO_dup_chain()
This fixes a memory leak that can occur whilst duplicating a BIO chain if
the call to CRYPTO_dup_ex_data() fails. It also fixes a second memory leak
where if a failure occurs after successfully creating the first BIO in the
chain, then the beginning of the new chain was not freed.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Stephen Henson <steve@openssl.org>

Conflicts:
	crypto/bio/bio_lib.c
2015-06-10 10:29:31 +01:00
Matt Caswell
e94118ae2a Replace memset with OPENSSL_cleanse()
BUF_MEM_free() attempts to cleanse memory using memset immediately prior
to a free. This is at risk of being optimised away by the compiler, so
replace with a call to OPENSSL_cleanse() instead.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-06-10 10:29:31 +01:00
Matt Caswell
106a9a5d7e Fix Kerberos issue in ssl_session_dup
The fix for CVE-2015-1791 introduced an error in ssl_session_dup for
Kerberos.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit dcad51bc13c9b716d9a66248bcc4038c071ff158)
2015-06-10 10:02:16 +01:00
Richard Levitte
cb972a4fe7 When making libcrypto from apps or test, make sure to include engines
For librypto to be complete, the stuff in both crypto/ and engines/
have to be built.  Doing 'make test' or 'make apps' from a clean
source tree failed to do so.
Corrected by using the new 'build_libcrypto' in the top Makefile.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit acaff3b797f50a0a0e17a0be45b7fafad962004e)
2015-06-10 02:12:34 +02:00
Richard Levitte
ee2d14be94 Add and rearrange building of libraries
There's a need for a target that will build all of libcrypto, so let's
add 'build_libcrypto' that does this.  For ortogonality, let's also
add 'build_libssl'.  Have both also depend on 'libcrypto.pc' and
'libssl.pc' so those get built together with the libraries.
This makes 'all' depend on fewer things directly.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 177b5f9c82e1152d6ce20a83556db629697fff65)

Conflicts:
	Makefile.org
2015-06-10 02:12:25 +02:00
Dr. Stephen Henson
3d2c3fa5fc return correct NID for undefined object
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 0fb9990480919163cc375a2b6c0df1d8d901a77b)
2015-06-08 21:47:05 +01:00
Emilia Kasper
ba5693686e Use CRYPTO_memcmp in s3_cbc.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 05627d57e55517eae21c251fe287760bd1137218)
2015-06-08 15:05:08 +02:00
Emilia Kasper
59b5ab4aa7 Use CRYPTO_memcmp when comparing authenticators
Pointed out by Victor Vasiliev (vasilvv@mit.edu) via Adam Langley
(Google).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 1e4a355dcabe2f75df5bb8b41b394d37037169d2)
(cherry picked from commit ac32a77cd69784568090e934a31622ddfee49ca7)
2015-06-08 15:01:47 +02:00
Matt Caswell
c22ed559bb Remove misleading comment
Remove a comment that suggested further clean up was required.
DH_free() performs the necessary cleanup.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f3d889523ee84f1e87e4da0d59e2702a4bee7907)
2015-06-04 12:56:13 +01:00
Matt Caswell
4b6f33a5c2 Clean premaster_secret for GOST
Ensure OPENSSL_cleanse() is called on the premaster secret value calculated for GOST.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit b7ee4815f2452c854cc859e8dda88f2673cdddea)

Conflicts:
	ssl/s3_srvr.c
2015-06-04 12:56:13 +01:00
Matt Caswell
c36d3840ff Clean Kerberos pre-master secret
Ensure the Kerberos pre-master secret has OPENSSL_cleanse called on it.

With thanks to the Open Crypto Audit Project for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4e3dbe37ca39fa68b6949fbde62f3ec0f0584f7e)
2015-06-04 12:42:51 +01:00
Matt Caswell
05bdebb6e0 Fix off-by-one error in BN_bn2hex
A BIGNUM can have the value of -0. The function BN_bn2hex fails to account
for this and can allocate a buffer one byte too short in the event of -0
being used, leading to a one byte buffer overrun. All usage within the
OpenSSL library is considered safe. Any security risk is considered
negligible.

With thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and
Filip Palian for discovering and reporting this issue.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit c56353071d9849220714d8a556806703771b9269)

Conflicts:
	crypto/bn/bn_print.c
2015-06-04 09:29:13 +01:00
Annie Yousar
32b2ad7e07 RT3230: Better test for C identifier
objects.pl only looked for a space to see if the name could be
used as a C identifier.  Improve the test to match the real C
rules.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 591b7aef05b22cba09b179e5787a9bf40dfc9508)
2015-06-02 17:17:54 -04:00
Richard Levitte
1977240204 Add the macro OPENSSL_SYS_WIN64
This is for consistency.
Additionally, have its presence define OPENSSL_SYS_WINDOWS as well.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 3f131556d6678bc3754f1e6d98a9a5bfc24e368c)

Conflicts:
	e_os2.h
2015-06-02 18:05:31 +02:00
Matt Caswell
939b496027 Fix race condition in NewSessionTicket
If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur
potentially leading to a double free of the ticket data.

CVE-2015-1791

This also fixes RT#3808 where a session ID is changed for a session already
in the client session cache. Since the session ID is the key to the cache
this breaks the cache access.

Parts of this patch were inspired by this Akamai change:
c0bf69a791

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 27c76b9b8010b536687318739c6f631ce4194688)

Conflicts:
	ssl/ssl.h
	ssl/ssl_err.c
2015-06-02 12:44:40 +01:00
Matt Caswell
cce3e4adb7 Clear state in DTLSv1_listen
This is a backport of commit e83ee04bb7de800cdb71d522fa562e99328003a3 from
the master branch (and this has also been applied to 1.0.2). In 1.0.2 this
was CVE-2015-0207. For other branches there is no known security issue, but
this is being backported as a precautionary measure.

The DTLSv1_listen function is intended to be stateless and processes
the initial ClientHello from many peers. It is common for user code to
loop over the call to DTLSv1_listen until a valid ClientHello is received
with an associated cookie. A defect in the implementation of DTLSv1_listen
means that state is preserved in the SSL object from one invokation to the
next.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-06-02 09:12:39 +01:00
Matt Caswell
f3e85f4359 Check the message type requested is the type received in DTLS
dtls1_get_message has an |mt| variable which is the type of the message that
is being requested. If it is negative then any message type is allowed.
However the value of |mt| is not checked in one of the main code paths, so a
peer can send a message of a completely different type and it will be
processed as if it was the message type that we were expecting. This has
very little practical consequences because the current behaviour will still
fail when the format of the message isn't as expected.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8c2b1d872b25f3ec78e04f5cd2de8f21e853c4a6)
2015-06-01 00:33:22 +01:00
Dr. Stephen Henson
cc74177e71 check for error when creating PKCS#8 structure
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2849707fa65d2803e6d1c1603fdd3fd1fdc4c6cc)
2015-05-28 18:02:19 +01:00
Dr. Stephen Henson
e2cf18c635 PEM doc fixes
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f097f81c891bb1f479426d8ac9c9541390334983)
2015-05-28 18:02:19 +01:00
Andy Polyakov
df00b6eb5e Housekeeping 'make TABLE' update.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-26 21:55:57 +02:00
Emilia Kasper
1ee85aab75 Fix ssltest to use 1024-bit DHE parameters
Also add more ciphersuite test coverage, and a negative test for
512-bit DHE.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-26 12:41:51 +02:00
Matt Caswell
029e8f3ac9 Don't check for a negative SRP extension size
The size of the SRP extension can never be negative (the variable
|size| is unsigned). Therefore don't check if it is less than zero.

RT#3862

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 9c89d290834f3ed9146eeb8b64fe5de817679a0b)
2015-05-26 10:42:10 +01:00
Matt Caswell
28ea6ad612 Fix error check in GOST engine
The return value of i2d functions can be negative if an error occurs.
Therefore don't assign the return value to an unsigned type and *then*
check if it is negative.

RT#3862

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 90e7cdff3aa66779486914f88333f6601f0c1cf4)
2015-05-26 10:42:10 +01:00
Matt Caswell
4ae1c7771d Handle unsigned struct timeval members
The members of struct timeval on OpenVMS are unsigned. The logic for
calculating timeouts needs adjusting to deal with this.

RT#3862

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit fc52ac9028b9492fb086ba35a3352ea46e03ecfc)
2015-05-26 10:42:10 +01:00
Andy Polyakov
dbcf8e3319 Configure: replace -mv8 with -mcpu=v8 in SPARC config lines.
RT#3860

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit aa1e42215b6729c0143fb056e3791e3fcdf7af6a)
2015-05-26 10:24:20 +02:00
Billy Brumley
5fcfef49d9 fix copy paste error in ec_GF2m function prototypes
RT#3858

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 71f6130b7a96bacbffae4611796ed98c2f724d96)
2015-05-26 10:14:56 +02:00
Andy Polyakov
8af1319270 bn/bn_lcl.h: fix MIPS-specific gcc version check.
RT#3859

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 60c268b21ac81cc6b1af5c5470282a613b96f6fd)
2015-05-26 10:08:44 +02:00
Andy Polyakov
38b7073328 md32_common.h: backport ICC fix.
RT#3843

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-26 09:58:12 +02:00
Matt Caswell
75077a2277 Don't send an alert if we've just received one
If the record received is for a version that we don't support, previously we
were sending an alert back. However if the incoming record already looks
like an alert then probably we shouldn't do that. So suppress an outgoing
alert if it looks like we've got one incoming.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-25 23:11:02 +01:00
Richard Levitte
c62592e52f Fix update and depend in engines/
The update: target in engines/ didn't recurse into engines/ccgost.
The update: and depend: targets in engines/ccgost needed a fixup.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8b822d2566853ee5e313c37529f71336209b28ab)
2015-05-23 11:22:10 +02:00
Richard Levitte
f460f050c2 Missed a couple of spots in the update change
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6f45032f6730622e8d484d92e07c7fce7d1f88ac)

Conflicts:
	apps/Makefile
2015-05-23 11:22:10 +02:00
Richard Levitte
eb797fde3f Fix the update target and remove duplicate file updates
We had updates of certain header files in both Makefile.org and the
Makefile in the directory the header file lived in.  This is error
prone and also sometimes generates slightly different results (usually
just a comment that differs) depending on which way the update was
done.

This removes the file update targets from the top level Makefile, adds
an update: target in all Makefiles and has it depend on the depend: or
local_depend: targets, whichever is appropriate, so we don't get a
double run through the whole file tree.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0f539dc1a2f45580435c39dada44dd276e79cb88)

Conflicts:
	Makefile.org
	apps/Makefile
	test/Makefile
2015-05-23 11:22:10 +02:00
Matt Caswell
b484b040e3 Fix off-by-one in BN_rand
If BN_rand is called with |bits| set to 1 and |top| set to 1 then a 1 byte
buffer overflow can occur. There are no such instances within the OpenSSL at
the moment.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke, Filip Palian for
discovering and reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-22 23:45:33 +01:00
Matt Caswell
726b5e7132 Reject negative shifts for BN_rshift and BN_lshift
The functions BN_rshift and BN_lshift shift their arguments to the right or
left by a specified number of bits. Unpredicatable results (including
crashes) can occur if a negative number is supplied for the shift value.

Thanks to Mateusz Kocielski (LogicalTrust), Marek Kroemeke and Filip Palian
for discovering and reporting this issue.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 7cc18d8158b5fc2676393d99b51c30c135502107)

Conflicts:
	crypto/bn/bn.h
	crypto/bn/bn_err.c
2015-05-22 23:21:55 +01:00
Lubom
0a9f8e0621 Lost alert in DTLS
If a client receives a bad hello request in DTLS then the alert is not
sent correctly.

RT#2801

Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 4dc1aa0436fdb8af50960db676b739c8ef81f38c)
2015-05-22 10:24:49 +01:00
Matt Caswell
1c687ff4dd Add documentation for the -no_alt_chains option for various apps, as well as the X509_V_FLAG_NO_ALT_CHAINS flag.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>

Conflicts:
	doc/apps/cms.pod
	doc/apps/ocsp.pod
	doc/apps/s_client.pod
	doc/apps/s_server.pod
	doc/apps/smime.pod
	doc/apps/verify.pod
2015-05-20 23:14:25 +02:00
Matt Caswell
c6a39046f5 Add -no_alt_chains option to apps to implement the new X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building certificate chains, the first chain found will be the one used. Without this flag, if the first chain found is not trusted then we will keep looking to see if we can build an alternative chain instead.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>

Conflicts:
	apps/cms.c
	apps/ocsp.c
	apps/s_client.c
	apps/s_server.c
	apps/smime.c
	apps/verify.c
2015-05-20 23:14:25 +02:00
Matt Caswell
cf1bf3f032 Add flag to inhibit checking for alternate certificate chains. Setting this behaviour will force behaviour as per previous versions of OpenSSL
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
2015-05-20 23:14:24 +02:00
Matt Caswell
f7bf8e02df In certain situations the server provided certificate chain may no longer be valid. However the issuer of the leaf, or some intermediate cert is in fact in the trust store.
When building a trust chain if the first attempt fails, then try to see if
alternate chains could be constructed that are trusted.

RT3637
RT3621

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
2015-05-20 23:14:24 +02:00
Kurt Roeckx
3b509e8cdc Correctly check for export size limit
40 bit ciphers are limited to 512 bit RSA, 56 bit ciphers to 1024 bit.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit ac38115c1a4fb61c66c2a8cd2a9800751828d328)
2015-05-20 22:23:28 +02:00
Emilia Kasper
63830384e9 client: reject handshakes with DH parameters < 768 bits.
Since the client has no way of communicating her supported parameter
range to the server, connections to servers that choose weak DH will
simply fail.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-20 15:01:36 +02:00
Emilia Kasper
ff4de7dde9 Update documentation with Diffie-Hellman best practices.
- Do not advise generation of DH parameters with dsaparam to save
computation time.
- Promote use of custom parameters more, and explicitly forbid use of
built-in parameters weaker than 2048 bits.
- Advise the callback to ignore <keylength> - it is currently called
with 1024 bits, but this value can and should be safely ignored by
servers.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-20 15:01:36 +02:00
Emilia Kasper
3372aeed2c dhparam: fix documentation
The default bitlength is now 2048. Also clarify that either the number
of bits or the generator must be present:

$ openssl dhparam -2
and
$ openssl dhparam 2048
generate parameters but
$ openssl dhparam
does not.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-20 15:01:36 +02:00
Emilia Kasper
8568170d77 dhparam: set the default to 2048 bits
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-20 15:01:36 +02:00
Emilia Kasper
f1612746ec s_server: Use 2048-bit DH parameters by default.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-20 15:01:36 +02:00
StudioEtrange
5a1f055d91 GitHub284: Fix typo in xx-32.pl scripts.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-20 04:35:39 -04:00
Robert Swiecki
e96de9822e Don't add write errors into bytecounts
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 00d565cfbe90fab3b157e644caca4eb4a2ebec79)
2015-05-19 07:20:38 -04:00
Andy Polyakov
2df0ba9b4f mk1mf.pl: replace chop for windows.
Backport old patch to make it work in mixture of perls for Windows.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Cherry-picked from 7bb98eee3c9e4694dfc2217001d5075ce8d2906e

(cherry picked from commit 051b41df4105355a5a9c7f1c0bd00cc70b2d324c)
2015-05-15 14:19:29 -04:00
Rich Salz
76b49a8ad7 Add NULL checks from master
The big "don't check for NULL" cleanup requires backporting some
of the lowest-level functions to actually do nothing if NULL is
given.  This will make it easier to backport fixes to release
branches, where master assumes those lower-level functions are "safe"

This commit addresses those tickets: 3798 3799 3801.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit f34b095fab1569d093b639bfcc9a77d6020148ff)
2015-05-13 12:55:23 -04:00
Hanno Böck
5e0ec9012b Call of memcmp with null pointers in obj_cmp()
The function obj_cmp() (file crypto/objects/obj_dat.c) can in some
situations call memcmp() with a null pointer and a zero length.

This is invalid behaviour. When compiling openssl with undefined
behaviour sanitizer (add -fsanitize=undefined to compile flags) this
can be seen. One example that triggers this behaviour is the pkcs7
command (but there are others, e.g. I've seen it with the timestamp
function):
apps/openssl pkcs7 -in test/testp7.pem

What happens is that obj_cmp takes objects of the type ASN1_OBJECT and
passes their ->data pointer to memcmp. Zero-sized ASN1_OBJECT
structures can have a null pointer as data.

RT#3816

Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2b8dc08b74fc3c6d4c2fc855cc23bac691d985be)
2015-05-13 15:32:23 +01:00
Matt Caswell
5c122908ab Don't allow a CCS when expecting a CertificateVerify
Currently we set change_cipher_spec_ok to 1 before calling
ssl3_get_cert_verify(). This is because this message is optional and if it
is not sent then the next thing we would expect to get is the CCS. However,
although it is optional, we do actually know whether we should be receiving
one in advance. If we have received a client cert then we should expect
a CertificateVerify message. By the time we get to this point we will
already have bombed out if we didn't get a Certificate when we should have
done, so it is safe just to check whether |peer| is NULL or not. If it is
we won't get a CertificateVerify, otherwise we will. Therefore we should
change the logic so that we only attempt to get the CertificateVerify if
we are expecting one, and not allow a CCS in this scenario.

Whilst this is good practice for TLS it is even more important for DTLS.
In DTLS messages can be lost. Therefore we may be in a situation where a
CertificateVerify message does not arrive even though one was sent. In that
case the next message the server will receive will be the CCS. This could
also happen if messages get re-ordered in-flight. In DTLS if
|change_cipher_spec_ok| is not set and a CCS is received it is ignored.
However if |change_cipher_spec_ok| *is* set then a CCS arrival will
immediately move the server into the next epoch. Any messages arriving for
the previous epoch will be ignored. This means that, in this scenario, the
handshake can never complete. The client will attempt to retransmit
missing messages, but the server will ignore them because they are the wrong
epoch. The server meanwhile will still be waiting for the CertificateVerify
which is never going to arrive.

RT#2958

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit a0bd6493369d960abef11c2346b9bbb308b4285a)
2015-05-13 11:25:10 +01:00
Kurt Cancemi
1c70c783af Add missing NULL check in X509V3_parse_list()
Matt's note: I added a call to X509V3err to Kurt's original patch.

RT#3840

Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 344c271eb339fc2982e9a3584a94e51112d84584)
2015-05-11 12:21:43 +01:00
Bjoern D. Rasmussen
9dff24e43a Fix for memcpy() and strcmp() being undefined.
clang says: "s_cb.c:958:9: error: implicitly declaring library function
'memcpy'"

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8f744cceff5bce8cb00a6ddd739c1bbb85c142ea)

Conflicts:
	apps/s_cb.c
2015-05-11 12:05:53 +01:00
Matt Caswell
6865dea2d6 Check sk_SSL_CIPHER_new_null return value
If sk_SSL_CIPHER_new_null() returns NULL then ssl_bytes_to_cipher_list()
should also return NULL.

Based on an original patch by mrpre <mrpre@163.com>.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 14def5f5375594830597cc153e11c6017f6adddf)
2015-05-11 11:54:10 +01:00
Matt Caswell
76d0c6d48e Add more error state transitions (DTLS)
Ensure all fatal errors transition into the new error state for DTLS.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cefc93910c4c0f7fa9f8c1f8f7aad084a7fa87d2)

Conflicts:
	ssl/d1_srvr.c

Conflicts:
	ssl/d1_srvr.c
2015-05-05 20:09:14 +01:00
Matt Caswell
a329ae2268 Add more error state transitions (client)
Ensure all fatal errors transition into the new error state on the client
side.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cc273a93617a5c1e69cb5db6f655e463f8e31806)

Conflicts:
	ssl/s3_clnt.c

Conflicts:
	ssl/s3_clnt.c
2015-05-05 20:08:35 +01:00
Matt Caswell
f3c4abb377 Add more error state transitions
Ensure all fatal errors transition into the new error state on the server
side.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cf9b0b6fb253fd40225d7c648a08646686e62d2d)

Conflicts:
	ssl/s3_srvr.c
2015-05-05 20:07:48 +01:00
Matt Caswell
189e20c68c Add Error state
Reusing an SSL object when it has encountered a fatal error can
have bad consequences. This is a bug in application code not libssl
but libssl should be more forgiving and not crash.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a89db885e0d8aac3a9df1bbccb0c1ddfd8b2e10a)

Conflicts:
	ssl/s3_srvr.c
	ssl/ssl_stat.c
2015-05-05 20:07:48 +01:00
Richard Levitte
4b771121f2 RT2943: Check sizes if -iv and -K arguments
RT2943 only complains about the incorrect check of -K argument size,
we might as well do the same thing with the -iv argument.

Before this, we only checked that the given argument wouldn't give a
bitstring larger than EVP_MAX_KEY_LENGTH.  we can be more precise and
check against the size of the actual cipher used.

(cherry picked from commit 8920a7cd04f43b1a090d0b0a8c9e16b94c6898d4)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-04 21:18:43 +02:00
Gilles Khouzam
ee827adf04 RT3820: Don't call GetDesktopWindow()
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit bed2edf1cb73f1fe2c11029acc694086bc14443e)
2015-05-02 08:02:06 -04:00
Hanno Böck
cd258a84db Fix uninitialized variable.
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit 539ed89f686866b82a9ec9a4c3b112878d29cd73)
2015-05-02 07:46:09 -04:00
Matt Caswell
017f695f2c Fix buffer overrun in RSA signing
The problem occurs in EVP_PKEY_sign() when using RSA with X931 padding.
It is only triggered if the RSA key size is smaller than the digest length.
So with SHA512 you can trigger the overflow with anything less than an RSA
512 bit key. I managed to trigger a 62 byte overflow when using a 16 bit RSA
key. This wasn't sufficient to cause a crash, although your mileage may
vary.

In practice RSA keys of this length are never used and X931 padding is very
rare. Even if someone did use an excessively short RSA key, the chances of
them combining that with a longer digest and X931 padding is very
small. For these reasons I do not believe there is a security implication to
this. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 34166d41892643a36ad2d1f53cc0025e2edc2a39)
2015-04-30 23:27:07 +01:00
Matt Caswell
ee900ed1f7 Add sanity check to print_bin function
Add a sanity check to the print_bin function to ensure that the |off|
argument is positive. Thanks to Kevin Wojtysiak (Int3 Solutions) and
Paramjot Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 3deeeeb61b0c5b9b5f0993a67b7967d2f85186da)
2015-04-30 23:27:07 +01:00
Matt Caswell
39b36cb438 Add sanity check to ssl_get_prev_session
Sanity check the |len| parameter to ensure it is positive. Thanks to Kevin
Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cb0f400b0cea2d2943f99b1e89c04ff6ed748cd5)
2015-04-30 23:27:07 +01:00
Matt Caswell
26800340db Sanity check the return from final_finish_mac
The return value is checked for 0. This is currently safe but we should
really check for <= 0 since -1 is frequently used for error conditions.
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit c427570e5098e120cbcb66e799f85c317aac7b91)

Conflicts:
	ssl/ssl_locl.h

Conflicts:
	ssl/ssl_locl.h
2015-04-30 23:27:05 +01:00
Matt Caswell
592ac25342 Add sanity check in ssl3_cbc_digest_record
For SSLv3 the code assumes that |header_length| > |md_block_size|. Whilst
this is true for all SSLv3 ciphersuites, this fact is far from obvious by
looking at the code. If this were not the case then an integer overflow
would occur, leading to a subsequent buffer overflow. Therefore I have
added an explicit sanity check to ensure header_length is always valid.
Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 29b0a15a480626544dd0c803d5de671552544de6)
2015-04-30 23:26:07 +01:00
Matt Caswell
d889682208 Clarify logic in BIO_*printf functions
The static function dynamically allocates an output buffer if the output
grows larger than the static buffer that is normally used. The original
logic implied that |currlen| could be greater than |maxlen| which is
incorrect (and if so would cause a buffer overrun). Also the original
logic would call OPENSSL_malloc to create a dynamic buffer equal to the
size of the static buffer, and then immediately call OPENSSL_realloc to
make it bigger, rather than just creating a buffer than was big enough in
the first place. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot
Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 9d9e37744cd5119f9921315864d1cd28717173cd)
2015-04-30 23:26:07 +01:00
Matt Caswell
951ede2a06 Sanity check EVP_EncodeUpdate buffer len
There was already a sanity check to ensure the passed buffer length is not
zero. Extend this to ensure that it also not negative. Thanks to Kevin
Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3 Solutions) for
reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit b86d7dca69f5c80abd60896c8ed3039fc56210cc)
2015-04-30 23:26:07 +01:00
Matt Caswell
974d4d675c Sanity check EVP_CTRL_AEAD_TLS_AAD
The various implementations of EVP_CTRL_AEAD_TLS_AAD expect a buffer of at
least 13 bytes long. Add sanity checks to ensure that the length is at
least that. Also add a new constant (EVP_AEAD_TLS1_AAD_LEN) to evp.h to
represent this length. Thanks to Kevin Wojtysiak (Int3 Solutions) and
Paramjot Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit c8269881093324b881b81472be037055571f73f3)

Conflicts:
	ssl/record/ssl3_record.c

Conflicts:
	apps/speed.c
	crypto/evp/e_aes_cbc_hmac_sha256.c
	crypto/evp/evp.h
2015-04-30 23:26:06 +01:00
Matt Caswell
3be5df2272 Sanity check DES_enc_write buffer length
Add a sanity check to DES_enc_write to ensure the buffer length provided
is not negative. Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot
Oberoi (Int3 Solutions) for reporting this issue.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 873fb39f20b6763daba226b74e83fb194924c7bf)
2015-04-30 23:24:21 +01:00
Matt Caswell
80a06268ae Add length sanity check in SSLv2 n_do_ssl_write()
Fortify flagged up a problem in n_do_ssl_write() in SSLv2. Analysing the
code I do not believe there is a real problem here. However the logic flows
are complicated enough that a sanity check of |len| is probably worthwhile.

Thanks to Kevin Wojtysiak (Int3 Solutions) and Paramjot Oberoi (Int3
Solutions) for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c5f8cd7bc661f90dc012c9d2bae1808a4281985f)
2015-04-29 17:44:02 +01:00
Loganaden Velvindron
e3dd33c25c Fix CRYPTO_strdup
The function CRYPTO_strdup (aka OPENSSL_strdup) fails to check the return
value from CRYPTO_malloc to see if it is NULL before attempting to use it.
This patch adds a NULL check.

RT3786

Signed-off-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 37b0cf936744d9edb99b5dd82cae78a7eac6ad60)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 20d21389c8b6f5b754573ffb6a4dc4f3986f2ca4)
2015-04-22 17:24:47 +01:00
Emilia Kasper
d695a02254 Repair EAP-FAST session resumption
EAP-FAST session resumption relies on handshake message lookahead
to determine server intentions. Commits
980bc1ec6114f5511b20c2e6ca741e61a39b99d6
and
7b3ba508af5c86afe43e28174aa3c53a0a24f4d9
removed the lookahead so broke session resumption.

This change partially reverts the commits and brings the lookahead back
in reduced capacity for TLS + EAP-FAST only. Since EAP-FAST does not
support regular session tickets, the lookahead now only checks for a
Finished message.

Regular handshakes are unaffected by this change.

Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 6e3d015363ed09c4eff5c02ad41153387ffdf5af)
2015-04-21 19:37:17 +02:00
Emilia Kasper
a209623fbb Initialize variable
newsig may be used (freed) uninitialized on a malloc error.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 68249414405500660578b337f1c8dd5dd4bb5bcc)
2015-04-21 19:32:43 +02:00
Emilia Kasper
92caee08d3 make update
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-04-21 17:53:36 +02:00
Richard Levitte
0725acd071 Initialised 'ok' and redo the logic.
The logic with how 'ok' was calculated didn't quite convey what's "ok",
so the logic is slightly redone to make it less confusing.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 06affe3dac65592a341547f5a47e52cedb7b71f8)
2015-04-21 01:45:58 +02:00
Matt Caswell
5fa7c10bc4 Fix return checks in GOST engine
Filled in lots of return value checks that were missing the GOST engine, and
added appropriate error handling.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8817e2e0c998757d3bd036d7f45fe8d0a49fbe2d)
2015-04-20 23:13:02 +01:00
Matt Caswell
96d9674646 Fix misc NULL derefs in sureware engine
Fix miscellaneous NULL pointer derefs in the sureware engine.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7b611e5fe8eaac9512f72094c460f3ed6040076a)
2015-04-20 23:13:01 +01:00
Dr. Stephen Henson
32d3b0f52f Fix encoding bug in i2c_ASN1_INTEGER
Fix bug where i2c_ASN1_INTEGER mishandles zero if it is marked as
negative.

Thanks to Huzaifa Sidhpurwala <huzaifas@redhat.com> and
Hanno Böck <hanno@hboeck.de> for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a0eed48d37a4b7beea0c966caf09ad46f4a92a44)
2015-04-18 14:44:17 +01:00
Emilia Kasper
31d085ca74 Error out immediately on empty ciphers list.
A 0-length ciphers list is never permitted. The old code only used to
reject an empty ciphers list for connections with a session ID. It
would later error out on a NULL structure, so this change just moves
the alert closer to the problem source.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 3ae91cfb327c9ed689b9aaf7bca01a3f5a0657cb)
2015-04-17 18:47:25 +02:00
Viktor Dukhovni
c70908d247 Code style: space after 'if'
Reviewed-by: Matt Caswell <gitlab@openssl.org>
2015-04-16 13:51:51 -04:00
Andy Polyakov
e963109fcd Please Clang's sanitizer, addendum.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-04-16 18:29:49 +02:00
Dr. Stephen Henson
da23637e8e Limit depth of nested sequences when generating ASN.1
Reported by Hanno Böck <hanno@hboeck.de>
PR#3800

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c4137b5e828d8fab0b244defb79257619dad8fc7)
2015-04-16 16:06:48 +01:00
Dr. Stephen Henson
5c3fbbc875 Reject empty generation strings.
Reported by Hanno Böck <hanno@hboeck.de>

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 111b60bea01d234b5873488c19ff2b9c5d4d58e9)
2015-04-16 16:06:47 +01:00
Matt Caswell
40f26ac782 Fix ssl_get_prev_session overrun
If OpenSSL is configured with no-tlsext then ssl_get_prev_session can read
past the end of the ClientHello message if the session_id length in the
ClientHello is invalid. This should not cause any security issues since the
underlying buffer is 16k in size. It should never be possible to overrun by
that many bytes.

This is probably made redundant by the previous commit - but you can never be
too careful.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 5e0a80c1c9b2b06c2d203ad89778ce1b98e0b5ad)
2015-04-14 14:59:54 +01:00
Matt Caswell
89c2720298 Check for ClientHello message overruns
The ClientHello processing is insufficiently rigorous in its checks to make
sure that we don't read past the end of the message. This does not have
security implications due to the size of the underlying buffer - but still
needs to be fixed.

With thanks to Qinghao Tang for reporting this issue.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c9642eb1ff79a30e2c7632ef8267cc34cc2b0d79)
2015-04-14 14:50:20 +01:00
Kurt Roeckx
047cdde7a5 do_dirname: Don't change gen on failures
It would set gen->d.dirn to a freed pointer in case X509V3_NAME_from_section
failed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 8ec5c5dd361343d9017eff8547b19e86e4944ebc)
2015-04-11 20:57:43 +02:00
Kurt Roeckx
10473a5a2c X509_VERIFY_PARAM_free: Check param for NULL
Reviewed-by: Viktor Dukhovni <openssl-users@dukhovni.org>
(cherry picked from commit f49baeff50d0be9c8d86aed6fb4a08841aa3da41)
2015-04-11 20:57:43 +02:00
Dr. Stephen Henson
bd41063b11 Don't set *pval to NULL in ASN1_item_ex_new.
While *pval is usually a pointer in rare circumstances it can be a long
value. One some platforms (e.g. WIN64) where
sizeof(long) < sizeof(ASN1_VALUE *) this will write past the field.

*pval is initialised correctly in the rest of ASN1_item_ex_new so setting it
to NULL is unecessary anyway.

Thanks to Julien Kauffmann for reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit f617b4969a9261b9d7d381670aefbe2cf766a2cb)

Conflicts:
	crypto/asn1/tasn_new.c
2015-04-10 19:53:00 +01:00
Richard Levitte
0186f7bf87 Have mkerr.pl treat already existing multiline string defs properly
Since source reformat, we ended up with some error reason string
definitions that spanned two lines.  That in itself is fine, but we
sometimes edited them to provide better strings than what could be
automatically determined from the reason macro, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "Peer haven't sent GOST certificate, required for selected ciphersuite"},

However, mkerr.pl didn't treat those two-line definitions right, and
they ended up being retranslated to whatever the macro name would
indicate, for example:

    {ERR_REASON(SSL_R_NO_GOST_CERTIFICATE_SENT_BY_PEER),
     "No gost certificate sent by peer"},

Clearly not what we wanted.  This change fixes this problem.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 2cfdfe0918f03f8323c9523a2beb2b363ae86ca7)
2015-04-08 21:47:00 +02:00
Richard Levitte
10a612a9e4 Ignore the non-dll windows specific build directories
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 37d92b1b2bb6e6e04d62d6f7774a2d8190a99174)
2015-04-08 18:01:34 +02:00
Emilia Kasper
a20db08e77 Harden SSLv2-supporting servers against Bleichenbacher's attack.
There is no indication that the timing differences are exploitable in
OpenSSL, and indeed there is some indication (Usenix '14) that they
are too small to be exploitable. Nevertheless, be careful and apply
the same countermeasures as in s3_srvr.c

Thanks to Nimrod Aviram, Sebastian Schinzel and Yuval Shavitt for
reporting this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ae50d8270026edf5b3c7f8aaa0c6677462b33d97)
2015-04-08 16:42:28 +02:00
John Foley
9da34ad6cb Fix intermittent s_server issues with ECDHE
Resolve a problem when using s_server with ECDHE cipher
suites in OpenSSL_1_0_1-stable.  Due to an uninitialized variable,
SSL_CTX_set_tmp_ecdh() is not always invoked within s_server. This bug
appears to have been introduced by
059907771b89549cbd07a81df1a5bdf51e062066.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-04-07 23:37:46 +01:00
Douglas E Engert
a63d3ac012 Ensure EC private keys retain leading zeros
RFC5915 requires the use of the I2OSP primitive as defined in RFC3447
for storing an EC Private Key. This converts the private key into an
OCTETSTRING and retains any leading zeros. This commit ensures that those
leading zeros are present if required.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 30cd4ff294252c4b6a4b69cbef6a5b4117705d22)

Conflicts:
	crypto/ec/ec_asn1.c
2015-03-31 16:41:33 +01:00
Emilia Kasper
8a46e51ed8 Fix uninitialized variable warning
While a true positive, it's almost harmless because EVP_DecryptInit_ex would have to fail and that doesn't happen under normal operation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 15:19:20 +01:00
Matt Caswell
fe9b85c3cb Fix bug in s_client. Previously default verify locations would only be loaded
if CAfile or CApath were also supplied and successfully loaded first.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 70e5fd877890489a3972bf8bf50bfec1fca3875e)
2015-03-25 13:09:31 +00:00
Matt Caswell
42c9c7103c Fix HMAC to pass invalid key len test
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 13:01:04 +00:00
Matt Caswell
4ebc70cc51 Add HMAC test for invalid key len
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 13:01:04 +00:00
Matt Caswell
2674af2f79 Ensure that both the MD and key have been initialised before attempting to
create an HMAC

Inspired by BoringSSL commit 2fe7f2d0d9a6fcc75b4e594eeec306cc55acd594

Reviewed-by: Richard Levitte <levitte@openssl.org>

Conflicts:
	crypto/hmac/hmac.c
2015-03-25 13:01:04 +00:00
Matt Caswell
bae9b9915a Add more HMAC tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 13:01:04 +00:00
Matt Caswell
750190567a Fix RAND_(pseudo_)?_bytes returns
Ensure all calls to RAND_bytes and RAND_pseudo_bytes have their return
value checked correctly

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 8f8e4e4f5253085ab673bb74094c3e492c56af44)

Conflicts:
	crypto/evp/e_des3.c
2015-03-25 12:45:17 +00:00
Kurt Roeckx
23a9b24aa1 Don't send a for ServerKeyExchange for kDHr and kDHd
The certificate already contains the DH parameters in that case.
ssl3_send_server_key_exchange() would fail in that case anyway.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 93f1c13619c5b41f2dcfdbf6ae666f867922a87a)
2015-03-24 22:58:30 +01:00
Dr. Stephen Henson
5d74b4b4b3 Configuration file examples.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7b68c30da01b4eedcd546f81844156646387cacb)
2015-03-24 12:27:36 +00:00
Dr. Stephen Henson
d635f4bb36 Make OCSP response verification more flexible.
If a set of certificates is supplied to OCSP_basic_verify use those in
addition to any present in the OCSP response as untrusted CAs when
verifying a certificate chain.

PR#3668

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4ca5efc2874e094d6382b30416824eda6dde52fe)
2015-03-24 12:14:32 +00:00
Mike Frysinger
117476ba30 Fix malloc define typo
Fix compilation failure when SCTP is compiled due to incorrect define.

Reported-by: Conrad Kostecki <ck+gentoobugzilla@bl4ckb0x.de>
URL: https://bugs.gentoo.org/543828

RT#3758
Signed-off-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 7c82e339a677f8546e1456c7a8f6788598a9de43)
2015-03-24 11:35:46 +00:00
Matt Caswell
a6a704f448 Prepare for 1.0.1n-dev
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:41:07 +00:00
Matt Caswell
506c106880 Prepare for 1.0.1m release
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:38:37 +00:00
Matt Caswell
686d82a7a2 make update
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 13:38:37 +00:00
Matt Caswell
8ca79fcbf4 Fix unsigned/signed warnings
Fix some unsigned/signed warnings introduced as part of the fix
for CVE-2015-0293

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Matt Caswell
a4517be9e3 Fix a failure to NULL a pointer freed on error.
Reported by the LibreSSL project as a follow on to CVE-2015-0209

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Matt Caswell
6e24e1cdd2 Update NEWS file
Update the NEWS file with the latest entries from CHANGES ready for the
release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Matt Caswell
ffc69bd942 Update CHANGES for release
Update CHANGES fiel with all the latest fixes ready for the release.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Matt Caswell
82123b5e94 Remove overlapping CHANGES/NEWS entries
Remove entries from CHANGES and NEWS from letter releases that occur *after*
the next point release. Without this we get duplicate entries for the same
issue appearing multiple times.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Emilia Kasper
cd56a08d4e Fix reachable assert in SSLv2 servers.
This assert is reachable for servers that support SSLv2 and export ciphers.
Therefore, such servers can be DoSed by sending a specially crafted
SSLv2 CLIENT-MASTER-KEY.

Also fix s2_srvr.c to error out early if the key lengths are malformed.
These lengths are sent unencrypted, so this does not introduce an oracle.

CVE-2015-0293

This issue was discovered by Sean Burford (Google) and Emilia Käsper of
the OpenSSL development team.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-03-19 12:59:31 +00:00
Emilia Kasper
e2acb69c76 PKCS#7: avoid NULL pointer dereferences with missing content
In PKCS#7, the ASN.1 content component is optional.
This typically applies to inner content (detached signatures),
however we must also handle unexpected missing outer content
correctly.

This patch only addresses functions reachable from parsing,
decryption and verification, and functions otherwise associated
with reading potentially untrusted data.

Correcting all low-level API calls requires further work.

CVE-2015-0289

Thanks to Michal Zalewski (Google) for reporting this issue.

Reviewed-by: Steve Henson <steve@openssl.org>
2015-03-19 12:59:31 +00:00
Dr. Stephen Henson
c982285ab6 Fix ASN1_TYPE_cmp
Fix segmentation violation when ASN1_TYPE_cmp is passed a boolean type. This
can be triggered during certificate verification so could be a DoS attack
against a client or a server enabling client authentication.

CVE-2015-0286

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-19 12:59:31 +00:00
Dr. Stephen Henson
b485d97634 Free up ADB and CHOICE if already initialised.
CVE-2015-0287

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-03-18 11:52:27 +00:00
Matt Caswell
636c42d747 Dead code removal from apps
Some miscellaneous removal of dead code from apps. Also fix an issue with
error handling with pkcs7.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 11abf92259e899f4f7da4a3e80781e84b0fb1a64)
2015-03-17 14:52:46 +00:00
Matt Caswell
28e4f659c5 Remove dead code from crypto
Some miscellaneous removal of dead code from lib crypto.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b7573c597c1932ef709b2455ffab47348b5c54e5)
2015-03-17 14:52:46 +00:00
Matt Caswell
6a43243d1d Fix seg fault in s_time
Passing a negative value for the "-time" option to s_time results in a seg
fault. This commit fixes it so that time has to be greater than 0.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit dfef52f6f277327e118fdd0fe34486852c2789b6)
2015-03-17 13:49:32 +00:00
Matt Caswell
f08731cd82 Add sanity check to PRF
The function tls1_PRF counts the number of digests in use and partitions
security evenly between them. There always needs to be at least one digest
in use, otherwise this is an internal error. Add a sanity check for this.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 668f6f08c62177ab5893fc26ebb67053aafdffc8)
2015-03-17 13:49:32 +00:00
Matt Caswell
f4b8760056 Fix memset call in stack.c
The function sk_zero is supposed to zero the elements held within a stack.
It uses memset to do this. However it calculates the size of each element
as being sizeof(char **) instead of sizeof(char *). This probably doesn't
make much practical difference in most cases, but isn't a portable
assumption.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 7132ac830fa08d9a936e011d7c541b0c52115b33)
2015-03-17 13:49:31 +00:00
Matt Caswell
d3554bff69 Move malloc fail checks closer to malloc
Move memory allocation failure checks closer to the site of the malloc in
dgst app. Only a problem if the debug flag is set...but still should be
fixed.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit be1477adc97e76f4b83ed8075589f529069bd5d1)
2015-03-17 13:49:31 +00:00
Matt Caswell
3f9117e161 Add malloc failure checks
Add some missing checks for memory allocation failures in ca app.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit a561bfe944c0beba73551731cb98af70dfee3549)
2015-03-17 13:49:31 +00:00
Andy Polyakov
eadc81e7dd Avoid reading an unused byte after the buffer
Other curves don't have this problem.

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 9fbbdd73c58c29dc46cc314f7165e45e6d43fd60)
2015-03-14 18:31:54 +01:00
Emilia Kasper
a2fcab9978 Fix undefined behaviour in shifts.
Td4 and Te4 are arrays of u8. A u8 << int promotes the u8 to an int first then shifts.
If the mathematical result of a shift (as modelled by lhs * 2^{rhs}) is not representable
in an integer, behaviour is undefined. In other words, you can't shift into the sign bit
of a signed integer. Fix this by casting to u32 whenever we're shifting left by 24.

(For consistency, cast other shifts, too.)

Caught by -fsanitize=shift

Submitted by Nick Lewycky (Google)

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8b37e5c14f0eddb10c7f91ef91004622d90ef361)
2015-03-13 21:14:56 -07:00
Dr. Stephen Henson
1a09816435 additional configuration documentation
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 3d764db7a24e3dca1a3ee57202ce3c818d592141)
2015-03-12 13:45:52 +00:00
Dr. Stephen Henson
0e978b9a5d ASN.1 print fix.
When printing out an ASN.1 structure if the type is an item template don't
fall thru and attempt to interpret as a primitive type.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 5dc1247a7494f50c88ce7492518bbe0ce6f124fa)
2015-03-12 13:45:52 +00:00
Matt Caswell
f06249f112 Fix missing return checks in v3_cpols.c
Fixed assorted missing return value checks in c3_cpols.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c5f2b5336ab72e40ab91e2ca85639f51fa3178c6)
2015-03-12 09:33:48 +00:00
Matt Caswell
2407241fb2 Fix dsa_pub_encode
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 0c7ca4033dcf5398334d4b78a7dfb941c8167a40)
2015-03-12 09:33:48 +00:00
Matt Caswell
3942e7d9eb Fix dh_pub_encode
The return value from ASN1_STRING_new() was not being checked which could
lead to a NULL deref in the event of a malloc failure. Also fixed a mem
leak in the error path.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6aa8dab2bbfd5ad3cfc0d07fe5d7243635d5b2a2)

Conflicts:
	crypto/dh/dh_ameth.c
2015-03-12 09:33:46 +00:00
Matt Caswell
2679485e69 Fix asn1_item_print_ctx
The call to asn1_do_adb can return NULL on error, so we should check the
return value before attempting to use it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 34a7ed0c39aa3ab67eea1e106577525eaf0d7a00)
2015-03-12 09:32:23 +00:00
Matt Caswell
e6dcb08984 ASN1_primitive_new NULL param handling
ASN1_primitive_new takes an ASN1_ITEM * param |it|. There are a couple
of conditional code paths that check whether |it| is NULL or not - but
later |it| is deref'd unconditionally. If |it| was ever really NULL then
this would seg fault. In practice ASN1_primitive_new is marked as an
internal function in the public header file. The only places it is ever
used internally always pass a non NULL parameter for |it|. Therefore, change
the code to sanity check that |it| is not NULL, and remove the conditional
checking.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 9e488fd6ab2c295941e91a47ab7bcd346b7540c7)
2015-03-12 09:32:22 +00:00
Matt Caswell
0c8f422999 Fix EVP_DigestInit_ex with NULL digest
Calling EVP_DigestInit_ex which has already had the digest set up for it
should be possible. You are supposed to be able to pass NULL for the type.
However currently this seg faults.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit a01087027bd0c5ec053d4eabd972bd942bfcd92f)
2015-03-12 09:32:22 +00:00
Matt Caswell
cc27bec2b4 Fix error handling in bn_exp
In the event of an error |rr| could be NULL. Therefore don't assume you can
use |rr| in the error handling code.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8c5a7b33c6269c3bd6bc0df6b4c22e4fba03b485)
2015-03-12 09:32:22 +00:00
Matt Caswell
f5ee521307 Fix seg fault in ASN1_generate_v3/ASN1_generate_nconf
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit ac5a110621ca48f0bebd5b4d76d081de403da29e)
2015-03-11 11:32:07 +00:00
Matt Caswell
58d8a271ab Cleanse buffers
Cleanse various intermediate buffers used by the PRF (backported version
from master).

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 35fafc4dbc0b3a717ad1b208fe2867e8c64867de)

Conflicts:
	ssl/s3_enc.c
2015-03-11 10:49:22 +00:00
Emilia Kasper
8b7e469d06 Harmonize return values in dtls1_buffer_record
Ensure all malloc failures return -1.

Reported by Adam Langley (Google).

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 06c6a2b4a3a6e64303caa256398dd2dc16f9c35a)
2015-03-10 13:52:37 -07:00
Richard Godbee
93cb447df2 BIO_debug_callback: Fix output on 64-bit machines
BIO_debug_callback() no longer assumes the hexadecimal representation of
a pointer fits in 8 characters.

Signed-off-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 460e920d8a274e27aab36346eeda6685a42c3314)
2015-03-10 12:34:27 +01:00
Dmitry-Me
521246e608 Fix wrong numbers being passed as string lengths
Signed-off-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 0b142f022e2c5072295e00ebc11c5b707a726d74)
2015-03-09 21:06:30 +01:00
Dr. Stephen Henson
ef6d3485ec update ordinals
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-09 16:58:16 +00:00
Dr. Stephen Henson
a67303954c fix warning
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit d6ca1cee8b6efac5906ac66443d1ca67fe689ff8)
2015-03-08 22:42:23 +00:00
Dr. Stephen Henson
cb9d5b7b53 Cleanse PKCS#8 private key components.
New function ASN1_STRING_clear_free which cleanses an ASN1_STRING
structure before freeing it.

Call ASN1_STRING_clear_free on PKCS#8 private key components.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a8ae0891d4bfd18f224777aed1fbb172504421f1)
2015-03-08 16:29:42 +00:00
Dr. Stephen Henson
876ed10574 Additional CMS documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e3013932df2d899e8600c305342bc14b682dc0d1)
2015-03-08 16:19:38 +00:00
Kurt Roeckx
bc2e18a3c8 Remove export ciphers from the DEFAULT cipher list
They are moved to the COMPLEMENTOFDEFAULT instead.
This also fixes SSLv2 to be part of COMPLEMENTOFDEFAULT.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit f417997a324037025be61737288e40e171a8218c)

Conflicts:
	ssl/ssl_ciph.c
2015-03-07 23:08:12 +01:00
Matt Caswell
0440d4ebe4 Update mkerr.pl for new format
Make the output from mkerr.pl consistent with the newly reformatted code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-06 14:08:42 +00:00
Kurt Cancemi
183db9af80 Use constants not numbers
This patch uses warning/fatal constants instead of numbers with comments for
warning/alerts in d1_pkt.c and s3_pkt.c

RT#3725

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit fd865cadcb603918bdcfcf44e487721c657a1117)
2015-03-05 09:30:35 +00:00
Matt Caswell
9f11421950 Unchecked malloc fixes
Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error
paths as I spotted them along the way.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 918bb8652969fd53f0c390c1cd909265ed502c7e)

Conflicts:
	crypto/bio/bss_dgram.c

Conflicts:
	apps/cms.c
	apps/s_cb.c
	apps/s_server.c
	apps/speed.c
	crypto/dh/dh_pmeth.c
	ssl/s3_pkt.c
2015-03-05 09:22:50 +00:00
Dr. Stephen Henson
51527f1e35 Check public key is not NULL.
CVE-2015-0288
PR#3708

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 28a00bcd8e318da18031b2ac8778c64147cd54f9)
2015-03-02 15:26:47 +00:00
Dr. Stephen Henson
1810b04728 Fix format script.
The format script didn't correctly recognise some ASN.1 macros and
didn't reformat some files as a result. Fix script and reformat
affected files.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 437b14b533fe7f7408e3ebca6d5569f1d3347b1a)
2015-03-02 13:43:29 +00:00
Matt Caswell
5c921f14cb Fix d2i_SSL_SESSION for DTLS1_BAD_VER
Some Cisco appliances use a pre-standard version number for DTLS. We support
this as DTLS1_BAD_VER within the code.

This change fixes d2i_SSL_SESSION for that DTLS version.

Based on an original patch by David Woodhouse <dwmw2@infradead.org>

RT#3704

Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	ssl/ssl_asn1.c

Conflicts:
	ssl/dtls1.h
2015-02-27 20:32:49 +00:00
Matt Caswell
d58a852fbd Fixed missing return value checks.
Added various missing return value checks in tls1_change_cipher_state.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Conflicts:
	ssl/t1_enc.c
2015-02-27 15:26:06 +00:00
Matt Caswell
323a7e76e6 Fix missing return value checks.
Fixed various missing return value checks in ssl3_send_newsession_ticket.
Also a mem leak on error.

Reviewed-by: Richard Levitte <levitte@openssl.org>

Conflicts:
	ssl/s3_srvr.c

Conflicts:
	ssl/s3_srvr.c
2015-02-27 15:25:05 +00:00
Matt Caswell
059907771b Fix warning with no-ec
This fixes another warning when config'd with no-ec

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-02-27 08:58:02 +00:00
Matt Caswell
ea65e92b22 Fix no-ec warning
This is a partial back port of commit 5b430cfc to remove a warning when
compiling with no-ec.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-02-27 08:57:44 +00:00
Matt Caswell
f3cc3da447 Fix evp_extra_test.c with no-ec
When OpenSSL is configured with no-ec, then the new evp_extra_test fails to
pass. This change adds appropriate OPENSSL_NO_EC guards around the code.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit a988036259a4e119f6787b4c585f506226330120)
2015-02-26 23:36:47 +00:00
Matt Caswell
1aff39de76 Fix some minor documentation issues
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:46:20 +00:00
Matt Caswell
eafdbd8ec3 Remove pointless free, and use preferred way of calling d2i_* functions
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:46:20 +00:00
Matt Caswell
1159e24d56 Add dire warnings about the "reuse" capability of the d2i_* functions.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:46:20 +00:00
Matt Caswell
b91058d222 Provide documentation for i2d_ECPrivateKey and d2i_ECPrivateKey
Reviewed-by: Emilia Käsper <emilia@openssl.org>

Conflicts:
	doc/crypto/EC_KEY_new.pod
	doc/crypto/EC_POINT_new.pod
2015-02-25 17:46:20 +00:00
Matt Caswell
89117535f1 Fix a failure to NULL a pointer freed on error.
Inspired by BoringSSL commit 517073cd4b by Eric Roman <eroman@chromium.org>

CVE-2015-0209

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-02-25 17:46:20 +00:00
Matt Caswell
08a2df480d Import evp_test.c from BoringSSL. Unfortunately we already have a file
called evp_test.c, so I have called this one evp_extra_test.c

Reviewed-by: Emilia Käsper <emilia@openssl.org>

Conflicts:
	crypto/evp/Makefile
	test/Makefile

Conflicts:
	test/Makefile
	crypto/evp/evp_extra_test.c
2015-02-25 17:40:41 +00:00
Dr. Stephen Henson
9cd061725b Document -no_explicit
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 384dee51242e950c56b3bac32145957bfbf3cd4b)
2015-02-24 15:28:56 +00:00
Edgar Pek
e347d80287 Fix null-pointer dereference
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit bcfa19a8d19506c26b5f8d9d9934ca2aa5f96b43)
2015-02-22 13:27:20 +01:00
Kurt Roeckx
9e7a5464d7 Fix memory leak
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit edac5dc220d494dff7ee259dfd84335ffa50e938)
2015-02-22 13:27:19 +01:00
Doug Hogan
e224c45317 Avoid a double-free in an error path.
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 1549a265209d449b6aefd2b49d7d39f7fbe0689b)
2015-02-22 13:27:19 +01:00
Richard Levitte
e961fa4479 Restore -DTERMIO/-DTERMIOS on Windows platforms.
The previous defaulting to TERMIOS took away -DTERMIOS / -DTERMIO a
bit too enthusiastically.  Windows/DOSish platforms of all sorts get
identified as OPENSSL_SYS_MSDOS, and they get a different treatment
altogether UNLESS -DTERMIO or -DTERMIOS is explicitely given with the
configuration.  The answer is to restore those macro definitions for
the affected configuration targets.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ba4bdee7184a5cea5bef8739eb360e5c2bc3b52c)

Conflicts:
	Configure
2015-02-22 09:42:08 +01:00
Richard Levitte
aafdbbc469 Assume TERMIOS is default, remove TERMIO on all Linux.
The rationale for this move is that TERMIOS is default, supported by
POSIX-1.2001, and most definitely on Linux.  For a few other systems,
TERMIO may still be the termnial interface of preference, so we keep
-DTERMIO on those in Configure.

crypto/ui/ui_openssl.c is simplified in this regard, and will define
TERMIOS for all systems except a select few exceptions.
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit 64e6bf64b36136d487e2fbf907f09612e69ae911)

Conflicts:
	Configure
	crypto/ui/ui_openssl.c
2015-02-22 09:15:11 +01:00
Rich Salz
a9ea906654 RT3684: rand_egd needs stddef.h
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 872f91c4036e35d292d423e751741ba76f8c5594)
2015-02-12 14:24:21 -05:00
Graeme Perrow
bb14c2c9ca RT3670: Check return from BUF_MEM_grow_clean
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b0333e697c008d639c56f48e9148cb8cba957e32)
2015-02-12 13:01:42 -05:00
Eric Dequin
a1331af032 Missing OPENSSL_free on error path.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 1d2932de4cefcc200f175863a42c311916269981)
2015-02-12 11:15:39 -05:00
Andy Polyakov
e48e86232e Bring objects.pl output even closer to new format.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 849037169d98d070c27d094ac341fc6aca1ed2ca)
2015-02-09 16:02:44 +01:00
Dr. Stephen Henson
66aacf3872 Fix memory leak reporting.
Free up bio_err after memory leak data has been printed to it.

In int_free_ex_data if ex_data is NULL there is nothing to free up
so return immediately and don't reallocate it.
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 9c7a780bbebc1b6d87dc38a6aa3339033911a8bb)
2015-02-09 13:01:28 +00:00
Andy Polyakov
97ac0d8564 Harmonize objects.pl output with new format.
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 7ce38623194f6df6a846cd01753b63f361c88e57)
2015-02-09 09:59:38 +01:00
Matt Caswell
f8e662e71c Fix error handling in ssltest
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit ae632974f905c59176fa5f312826f8f692890b67)
2015-02-06 10:10:49 +00:00
Rich Salz
468e04bf1f Fixed bad formatting in crypto/des/spr.h
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 7e35f06ea908e47f87b723b5e951ffc55463eb8b)
2015-02-05 09:45:48 -05:00
Dr. Stephen Henson
ac7d33deec Make objxref.pl output in correct format
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 6922ddee1b7b1bddbe0d59a5bbdcf8ff39343434)
2015-02-04 13:35:49 +00:00
Dr. Stephen Henson
6b7c68e038 Check PKCS#8 pkey field is valid before cleansing.
PR:3683
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 52e028b9de371da62c1e51b46592517b1068d770)
2015-02-03 14:02:25 +00:00
Richard Levitte
81ce20e6ac dso_vms needs to add the .EXE extension if there is none already
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit be7b1097e28ff6d49f0d4b7ab8b036d6da87ebc6)
2015-01-30 05:03:14 +01:00
Viktor Dkhovni
324a977492 Replace exit() with error return.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-27 16:36:25 -05:00
Rich Salz
69aeb99f32 Revert "Remove engine_rsax and its asm file."
This reverts commit 5226c62b7632dfaf38480919d406307318a7d145.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-01-27 16:35:55 -05:00
Matt Caswell
53e652ae44 Provide documentation for all SSL(_CTX)?_(get|set)(_default)?_read_ahead
functions.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8507474564f3f743f5daa3468ca97a9b707b3583)
2015-01-27 14:35:13 +00:00
Matt Caswell
131d3fdfe2 Remove explicit setting of read_ahead for DTLS. It never makes sense not to
use read_ahead with DTLS because it doesn't work. Therefore read_ahead needs
to be the default.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit f4002412518703d07fee321d4c88ee0bbe1694fe)

Conflicts:
	apps/s_client.c
	apps/s_server.c
2015-01-27 14:35:11 +00:00
Matt Caswell
1895583835 Make DTLS always act as if read_ahead is set. The actual value of read_ahead
is ignored for DTLS.

RT#3657

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8dd4ad0ff5d1d07ec4b6dd5d5104131269a472aa)
2015-01-27 14:33:32 +00:00
Rich Salz
5226c62b76 Remove engine_rsax and its asm file.
cherry-picked from db7cb7ab9a5968f32ddbe11c3fba71ccbf4ffa53
This wasn't cleanly cherry-picked, since the build
process changed a bit for 1.0.2.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-01-26 11:01:30 -05:00
Rich Salz
491f3e4e8e Make OPENSSL_config truly ignore errors.
Per discussion: should not exit. Should not print to stderr.
Errors are ignored.  Updated doc to reflect that, and the fact
that this function is to be avoided.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(cherry picked from commit abdd677125f3a9e3082f8c5692203590fdb9b860)
2015-01-25 21:15:57 -05:00
Kurt Roeckx
184693f4af Fix segfault with empty fields as last in the config.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-24 15:04:53 +01:00
Matt Caswell
925bfca5d3 Fix for reformat problems with e_padlock.c
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit d3b7cac41b957704932a0cdbc74d4d48ed507cd0)
2015-01-22 14:22:19 +00:00
Matt Caswell
90a5adffc7 Fix formatting error in pem.h
Reviewed-by: Andy Polyakov <appro@openssl.org>

Conflicts:
	crypto/pem/pem.h
2015-01-22 14:22:19 +00:00
Rob Stradling
73f8982017 Use inner algorithm when printing certificate.
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 004efdbb41f731d36bf12d251909aaa08704a756)
2015-01-22 14:10:02 +00:00
Matt Caswell
cda8845ded Re-align some comments after running the reformat script.
This should be a one off operation (subsequent invokation of the
script should not move them)

This commit is for the 1.0.1 changes

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:39:01 +00:00
Matt Caswell
47050853f1 Rerun util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:38:49 +00:00
Matt Caswell
10621efd32 Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:38:39 +00:00
Matt Caswell
e498b83fed More tweaks for comments due indent issues
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:38:30 +00:00
Matt Caswell
2e4d15fd04 Fix modes.h so that indent doesn't complain
Conflicts:
	crypto/modes/modes.h

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:38:24 +00:00
Matt Caswell
3b0e0d1231 Backport hw_ibmca.c from master due to failed merge
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:38:18 +00:00
Matt Caswell
f7b36402d6 Tweaks for comments due to indent's inability to handle them
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:38:11 +00:00
Matt Caswell
0f6c965823 Move more comments that confuse indent
Conflicts:
	crypto/dsa/dsa.h
	demos/engines/ibmca/hw_ibmca.c
	ssl/ssl_locl.h

Conflicts:
	crypto/bn/rsaz_exp.c
	crypto/evp/e_aes_cbc_hmac_sha1.c
	crypto/evp/e_aes_cbc_hmac_sha256.c
	ssl/ssl_locl.h

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:38:04 +00:00
Dr. Stephen Henson
4651718410 Delete trailing whitespace from output.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:37:59 +00:00
Dr. Stephen Henson
fbfad23f0c Add -d debug option to save preprocessed files.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:37:54 +00:00
Dr. Stephen Henson
68085a73af Test option -nc
Add option -nc which sets COMMENTS=true but disables all indent comment
reformatting options.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:37:48 +00:00
Matt Caswell
bc974f8b36 Add ecp_nistz256.c to list of files skipped by openssl-format-source
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:37:43 +00:00
Matt Caswell
72d7ed66e2 Manually reformat aes_x86core.c and add it to the list of files skipped by
openssl-format-source

Conflicts:
	crypto/aes/aes_x86core.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:37:36 +00:00
Andy Polyakov
2655f5644d crypto/ofb128.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:37:31 +00:00
Andy Polyakov
3af30a7b8b modes/ctr128.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:37:26 +00:00
Andy Polyakov
e060570e62 modes/cfb128.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:37:20 +00:00
Matt Caswell
1ac02e4b89 Fix indent comment corruption issue
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:37:15 +00:00
Matt Caswell
7116341e18 Amend openssl-format-source so that it give more repeatable output
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:37:10 +00:00
Andy Polyakov
92fe1dbc0e bn/bn_const.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:37:05 +00:00
Andy Polyakov
d9bd6d1f3d bn/asm/x86_64-gcc.cL make it indent-friendly.
Conflicts:
	crypto/bn/asm/x86_64-gcc.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:36:59 +00:00
Andy Polyakov
c44bad6b38 bn/bn_asm.c: make it indent-friendly.
Conflicts:
	crypto/bn/bn_asm.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:36:53 +00:00
Andy Polyakov
2e989d80ce bn/bn_exp.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:36:47 +00:00
Matt Caswell
2cef4e6c29 Manually reformat aes_core.c
Add aes_core.c to the list of files not processed by openssl-format-source

Conflicts:
	crypto/aes/aes_core.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:36:41 +00:00
Matt Caswell
064198a817 Add obj_dat.h to the list of files that will not be processed by
openssl-format-source

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:36:35 +00:00
Matt Caswell
4017726f72 Fix strange formatting by indent
Conflicts:
	crypto/hmac/hmac.h

Conflicts:
	crypto/evp/e_aes_cbc_hmac_sha256.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:36:29 +00:00
Andy Polyakov
1d7c823ab5 modes/modes_lcl.h: make it indent-friendly.
Conflicts:
	crypto/modes/modes_lcl.h

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:36:23 +00:00
Matt Caswell
3cf9f81b09 indent has problems with comments that are on the right hand side of a line.
Sometimes it fails to format them very well, and sometimes it corrupts them!
This commit moves some particularly problematic ones.

Conflicts:
	crypto/bn/bn.h
	crypto/ec/ec_lcl.h
	crypto/rsa/rsa.h
	demos/engines/ibmca/hw_ibmca.c
	ssl/ssl.h
	ssl/ssl3.h

Conflicts:
	crypto/ec/ec_lcl.h
	ssl/tls1.h

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:36:16 +00:00
Andy Polyakov
5a098aeb9d modes/gcm128.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:36:10 +00:00
Andy Polyakov
c197906261 modes/cts128.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:36:04 +00:00
Andy Polyakov
87309e2fc1 crypto/mem_dbg.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:35:59 +00:00
Matt Caswell
9fb77b8e0d More indent fixes for STACK_OF
Conflicts:
	ssl/s3_lib.c

Conflicts:
	apps/cms.c
	crypto/x509/x509_lu.c
	crypto/x509/x509_vfy.h
	ssl/s3_lib.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:35:51 +00:00
Matt Caswell
3bb069d808 Fix indent issue with functions using STACK_OF
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:35:42 +00:00
Matt Caswell
7962ea7aa6 Fix indent issue with engine.h
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:35:36 +00:00
Matt Caswell
cbb5afdc34 Fix logic to check for indent.pro
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:35:27 +00:00
Andy Polyakov
f9189b79bf crypto/cryptlib.c: make it indent-friendly.
Conflicts:
	crypto/cryptlib.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:35:20 +00:00
Andy Polyakov
d68e7df7ab bn/bntest.c: make it indent-friendly.
Conflicts:
	crypto/bn/bntest.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:35:12 +00:00
Andy Polyakov
1c246f6bef bn/bn_recp.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:35:06 +00:00
Andy Polyakov
802e6cfc05 engines/e_ubsec.c: make it indent-friendly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:35:00 +00:00
Andy Polyakov
b2aec696f2 apps/speed.c: make it indent-friendly.
Conflicts:
	apps/speed.c

Conflicts:
	apps/speed.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:34:53 +00:00
Matt Caswell
18d3333cfd Fix make errors
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:34:48 +00:00
Richard Levitte
196767e08b Make the script a little more location agnostic
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:34:43 +00:00
Matt Caswell
2e7341ec5a Provide script for filtering data initialisers for structs/unions. indent just can't handle it.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:34:35 +00:00
Dr. Stephen Henson
3aac5918b1 Script fixes.
Don't use double newline for headers.
Don't interpret ASN1_PCTX as start of an ASN.1 module.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:34:29 +00:00
Richard Levitte
ed4260b4a0 Run expand before perl, to make sure things are properly aligned
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:34:24 +00:00
Richard Levitte
4cf7ba6cce Force the use of our indent profile
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:34:17 +00:00
Tim Hudson
0ddec4259d Provide source reformating script. Requires GNU indent to be
available.

Script written by Tim Hudson, with amendments by Steve Henson, Rich Salz and
Matt Caswell

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-22 09:34:02 +00:00
Matt Caswell
1566497495 Fix source where indent will not be able to cope
Conflicts:
	apps/ciphers.c
	ssl/s3_pkt.c

Conflicts:
	crypto/ec/ec_curve.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:33:54 +00:00
Matt Caswell
712548231e Additional comment changes for reformat of 1.0.1
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:33:47 +00:00
Matt Caswell
ac84cb4cfe Further comment changes for reformat
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:33:38 +00:00
Tim Hudson
3e9a08ecb1 mark all block comments that need format preserving so that
indent will not alter them when reformatting comments

(cherry picked from commit 1d97c8435171a7af575f73c526d79e1ef0ee5960)

Conflicts:
	crypto/bn/bn_lcl.h
	crypto/bn/bn_prime.c
	crypto/engine/eng_all.c
	crypto/rc4/rc4_utl.c
	crypto/sha/sha.h
	ssl/kssl.c
	ssl/t1_lib.c

Conflicts:
	crypto/rc4/rc4_enc.c
	crypto/x509v3/v3_scts.c
	crypto/x509v3/v3nametest.c
	ssl/d1_both.c
	ssl/s3_srvr.c
	ssl/ssl.h
	ssl/ssl_locl.h
	ssl/ssltest.c
	ssl/t1_lib.c

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:33:23 +00:00
Matt Caswell
3a9a032163 Prepare for 1.0.1m-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-15 14:49:54 +00:00
Matt Caswell
b83ceba7d5 Prepare for 1.0.1l release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-15 14:45:15 +00:00
Matt Caswell
d9738d5f07 make update
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-15 14:45:15 +00:00
Matt Caswell
583f0bc402 Updates to CHANGES and NEWS
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2015-01-15 13:17:18 +00:00
Richard Levitte
e8e878bec7 Define CFLAGS as cflags on VMS as well
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 43257b9f51de749262258668c77c2f0f99d7a15b)
2015-01-14 00:16:21 +01:00
Matt Caswell
6099e629f5 Make output from openssl version -f consistent with previous versions
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 2d2671790ee12dedd92c97f35b6feb755b8d4374)
2015-01-13 11:29:11 +00:00
Matt Caswell
3570086760 Fix warning where BIO_FLAGS_UPLINK was being redefined.
This warning breaks the build in 1.0.0 and 0.9.8

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit b1ffc6ca1c387efad0772c16dfe426afef45dc4f)
2015-01-13 11:25:33 +00:00
Matt Caswell
acb341eb6e Avoid deprecation problems in Visual Studio 13
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 86d21d0b9577322ac5da0114c5fac16eb49b4cef)
2015-01-13 09:47:47 +00:00
Dr. Stephen Henson
8fb2c9922a RT3662: Allow leading . in nameConstraints
Change by SteveH from original by John Denker (in the RT)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 77ff1f3b8bfaa348956c5096a2b829f2e767b4f1)
2015-01-10 16:03:05 -05:00
Matt Caswell
a97c208c5a Further windows specific .gitignore entries
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 41c9cfbc4ee7345547fb98cccb8511f082f0910b)
2015-01-09 23:40:51 +00:00
Matt Caswell
cc6e9f9abb Update .gitignore with windows files to be excluded from git
Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	.gitignore

(cherry picked from commit 04f670cf3d8f22e0d197a071d2db536fb7ebd9c7)
2015-01-09 11:30:31 +00:00
Matt Caswell
56cd740449 Fix build failure on Windows due to undefined cflags identifier
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 5c5e7e1a7eb114cf136e1ae4b6a413bc48ba41eb)
2015-01-08 19:26:28 +00:00
Matt Caswell
8437225d34 Prepare for 1.0.1l-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-08 14:07:43 +00:00
Matt Caswell
b4a57c4c41 Prepare for 1.0.1k release
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-08 14:03:40 +00:00
Matt Caswell
faa8038edd make update
Reviewed-by: Stephen Henson <steve@openssl.org>
2015-01-08 14:03:39 +00:00
Matt Caswell
e02863b5ac CHANGES and NEWS updates for release
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Steve Henson <steve@openssl.org>
2015-01-08 13:51:50 +00:00
Matt Caswell
04685bc949 A memory leak can occur in dtls1_buffer_record if either of the calls to
ssl3_setup_buffers or pqueue_insert fail. The former will fail if there is a
malloc failure, whilst the latter will fail if attempting to add a duplicate
record to the queue. This should never happen because duplicate records should
be detected and dropped before any attempt to add them to the queue.
Unfortunately records that arrive that are for the next epoch are not being
recorded correctly, and therefore replays are not being detected.
Additionally, these "should not happen" failures that can occur in
dtls1_buffer_record are not being treated as fatal and therefore an attacker
could exploit this by sending repeated replay records for the next epoch,
eventually causing a DoS through memory exhaustion.

Thanks to Chris Mueller for reporting this issue and providing initial
analysis and a patch. Further analysis and the final patch was performed by
Matt Caswell from the OpenSSL development team.

CVE-2015-0206

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2015-01-08 13:43:20 +00:00
Dr. Stephen Henson
98a0f9660d Unauthenticated DH client certificate fix.
Fix to prevent use of DH client certificates without sending
certificate verify message.

If we've used a client certificate to generate the premaster secret
ssl3_get_client_key_exchange returns 2 and ssl3_get_cert_verify is
never called.

We can only skip the certificate verify message in
ssl3_get_cert_verify if the client didn't send a certificate.

Thanks to Karthikeyan Bhargavan for reporting this issue.
CVE-2015-0205
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-08 13:43:20 +00:00
Matt Caswell
45fe66b8ba Follow on from CVE-2014-3571. This fixes the code that was the original source
of the crash due to p being NULL. Steve's fix prevents this situation from
occuring - however this is by no means obvious by looking at the code for
dtls1_get_record. This fix just makes things look a bit more sane.

Reviewed-by: Dr Steve Henson <steve@openssl.org>
2015-01-08 13:43:20 +00:00
Dr. Stephen Henson
8d7aab986b Fix crash in dtls1_get_record whilst in the listen state where you get two
separate reads performed - one for the header and one for the body of the
handshake record.

CVE-2014-3571

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-01-08 13:43:20 +00:00
Andy Polyakov
e078642dde Fix for CVE-2014-3570.
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit e793809ba50c1e90ab592fb640a856168e50f3de)
(with 1.0.1-specific addendum)
2015-01-08 13:43:20 +00:00
Dr. Stephen Henson
ffd14272c4 fix error discrepancy
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4a4d4158572fd8b3dc641851b8378e791df7972d)
2015-01-07 18:10:51 +00:00
Andy Polyakov
f16f3ac559 Fix irix-cc build.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e464403d0bda2f1f74eb68582e4988e591c32433)
2015-01-07 18:43:34 +01:00
Richard Levitte
4fb433d221 VMS fixups for 1.0.1
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-01-07 16:45:10 +01:00
Dr. Stephen Henson
293c1e2235 use correct credit in CHANGES
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 4138e3882556c762d77eb827b8be98507cde48df)
2015-01-06 22:41:36 +00:00
Emilia Kasper
d5e16a711e Only inherit the session ID context in SSL_set_SSL_CTX if the existing
context was also inherited (matches that of the existing SSL_CTX).

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit ac8e9cbe14b59dacfe4ac52bc5ff06f8003e9b01)
2015-01-06 23:10:09 +01:00
Dr. Stephen Henson
178c562a46 use correct function name
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit cb62ab4b17818fe66d2fed0a7fe71969131c811b)
2015-01-06 21:04:50 +00:00
Martin Brejcha
61052e891e Fix memory leak.
Fix memory leak by freeing up saved_message.data if it is not NULL.

PR#3489
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 41cd41c4416f545a18ead37e09e437c75fa07c95)
2015-01-06 16:49:49 +00:00
Matt Caswell
cb951e336b Remove blank line from start of cflags character array in buildinf.h
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit b691154e18c0367643696db3cf73debe9ddfa9ae)
2015-01-06 15:37:12 +00:00
Dr. Stephen Henson
37580f43b5 Only allow ephemeral RSA keys in export ciphersuites.
OpenSSL clients would tolerate temporary RSA keys in non-export
ciphersuites. It also had an option SSL_OP_EPHEMERAL_RSA which
enabled this server side. Remove both options as they are a
protocol violation.

Thanks to Karthikeyan Bhargavan for reporting this issue.
(CVE-2015-0204)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 4b4c1fcc88aec8c9e001b0a0077d3cd4de1ed0e6)

Conflicts:
	doc/ssl/SSL_CTX_set_options.pod
2015-01-06 13:14:05 +00:00
Dr. Stephen Henson
ef28c6d676 ECDH downgrade bug fix.
Fix bug where an OpenSSL client would accept a handshake using an
ephemeral ECDH ciphersuites with the server key exchange message omitted.

Thanks to Karthikeyan Bhargavan for reporting this issue.

CVE-2014-3572
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit b15f8769644b00ef7283521593360b7b2135cb63)
2015-01-05 23:48:55 +00:00
Dr. Stephen Henson
2175744952 update ordinals
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 31c65a7bc0de7ff1446645d41af388893362f579)
2015-01-05 16:51:28 +00:00
Adam Langley
2357cd2e20 Ensure that the session ID context of an SSL* is updated
when its SSL_CTX is updated.

From BoringSSL commit
https://boringssl.googlesource.com/boringssl/+/a5dc545bbcffd9c24cebe65e9ab5ce72d4535e3a

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 61aa44ca99473f9cabdfb2d3b35abd0b473437d1)
2015-01-05 17:33:28 +01:00
Dr. Stephen Henson
5951cc004b Constify ASN1_TYPE_cmp add X509_ALGOR_cmp.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 4c52816d35681c0533c25fdd3abb4b7c6962302d)
2015-01-05 14:54:46 +00:00
Dr. Stephen Henson
a8565530e2 Fix various certificate fingerprint issues.
By using non-DER or invalid encodings outside the signed portion of a
certificate the fingerprint can be changed without breaking the signature.
Although no details of the signed portion of the certificate can be changed
this can cause problems with some applications: e.g. those using the
certificate fingerprint for blacklists.

1. Reject signatures with non zero unused bits.

If the BIT STRING containing the signature has non zero unused bits reject
the signature. All current signature algorithms require zero unused bits.

2. Check certificate algorithm consistency.

Check the AlgorithmIdentifier inside TBS matches the one in the
certificate signature. NB: this will result in signature failure
errors for some broken certificates.

3. Check DSA/ECDSA signatures use DER.

Reencode DSA/ECDSA signatures and compare with the original received
signature. Return an error if there is a mismatch.

This will reject various cases including garbage after signature
(thanks to Antti Karjalainen and Tuomo Untinen from the Codenomicon CROSS
program for discovering this case) and use of BER or invalid ASN.1 INTEGERs
(negative or with leading zeroes).

CVE-2014-8275
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit 684400ce192dac51df3d3e92b61830a6ef90be3e)
2015-01-05 14:36:20 +00:00
Rich Salz
9e9ee7e37f RT2914: NULL check missing in X509_name_canon
Check for NULL return from X509_NAME_ENTRY_new()

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 2c60925d1ccc0b96287bdc9acb90198e7180d642)
2015-01-04 14:52:16 -05:00
Dr. Stephen Henson
500d67f15a Clear existing extension state.
When parsing ClientHello clear any existing extension state from
SRP login and SRTP profile.

Thanks to Karthikeyan Bhargavan for reporting this issue.
Reviewed-by: Matt Caswell <matt@openssl.org>

(cherry picked from commit 47606dda672a5008168f62d4b7d7f94cd2d31313)

Conflicts:
	ssl/t1_lib.c
2015-01-02 22:30:20 +00:00
Dominik Neubauer
40fb8587ed typo in s_client
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
2014-12-31 11:19:56 +01:00
Kurt Roeckx
c14a808c51 Make "run" volatile
RT#3629

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-30 17:00:47 +01:00
Thorsten Glaser
cdf42d7b43 Document openssl dgst -hmac option
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-30 17:00:23 +01:00
Kurt Roeckx
7858d304bc dlfcn: always define _GNU_SOURCE
We need this for the freebsd kernel with glibc as used in the Debian kfreebsd
ports.  There shouldn't be a problem defining this on systems not using glibc.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-30 17:00:23 +01:00
Kurt Roeckx
f14a6bf515 Fix memory leak in the apps
The BIO_free() allocated ex_data again that we already freed.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-30 17:00:22 +01:00
Alok Menghrajani
5dad57536f Improves certificates HOWTO
* adds links to various related documents.
* fixes a few typos.
* rewords a few sentences.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 67472bd82bed9d5e481b0d75926aab93618902be)
2014-12-22 16:26:12 +01:00
Richard Levitte
a5fad4d6bc Small typo
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit 7cfab40f43afac2f46652886e260d1c4de058806)
2014-12-22 15:37:06 +01:00
Michael Tuexen
d6c2e3e621 Fix incorrect OPENSSL_assert() usage.
Return an error code for I/O errors instead of an assertion failure.

PR#3470
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 2521fcd8527008ceb3e4748f95b0ed4e2d70cfef)
2014-12-20 14:46:40 +00:00
Matt Caswell
8c46748bcb Fix a problem if CFLAGS is too long cversion.c fails to compile when config
is run with --strict-warnings.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 488f16e31b8f5ec2513410929325d0830d76762d)
2014-12-19 14:08:17 +00:00
Kurt Roeckx
86edf13b1c Return error when a bit string indicates an invalid amount of bits left
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-12-18 15:12:00 +01:00
Dr. Stephen Henson
fcd9b1073a Reject invalid constructed encodings.
According to X6.90 null, object identifier, boolean, integer and enumerated
types can only have primitive encodings: return an error if any of
these are received with a constructed encoding.
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit f5e4b6b5b566320a8d774f9475540f7d0e6a704d)
2014-12-17 14:40:09 +00:00
Emilia Kasper
036df29387 Add a comment noting the padding oracle.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 03af843039af758fc9bbb4ae6c09ec2bc715f2c5)
2014-12-17 14:56:25 +01:00
Emilia Kasper
60b7d3bbb5 Revert "RT3425: constant-time evp_enc"
Causes more problems than it fixes: even though error codes
are not part of the stable API, several users rely on the
specific error code, and the change breaks them. Conversely,
we don't have any concrete use-cases for constant-time behaviour here.

This reverts commit f2df488a1c7402e48c21c83e937955dfe9f40bee.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2014-12-17 14:56:05 +01:00
Emilia Kasper
7e9d42ce97 Build fixes
Various build fixes, mostly uncovered by clang's unused-const-variable
and unused-function errors.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 0e1c318ece3c82e96ae95a34a1badf58198d6b28)
2014-12-17 14:31:20 +01:00
Richard Levitte
b3147fcbe6 Clear warnings/errors within RL_DEBUG code sections (RL_DEBUG should be renamed)
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 8bc8450a26329e3c890df60026f969e7caabff3d)
2014-12-17 14:27:42 +01:00
Richard Levitte
feefb73ad9 Clear warnings/errors within TLS_DEBUG code sections
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit bf68456f538cacc9dcfd00986962aef0e8538289)
2014-12-17 14:27:42 +01:00
Richard Levitte
8932b82f7d Clear warnings/errors within KSSL_DEBUG code sections
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 53332a75d16a5bb3b9d90c15fcf38d2e87160a52)
2014-12-17 14:27:42 +01:00
Richard Levitte
a4a759acec Clear warnings/errors within CIPHER_DEBUG code sections
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cd387d21daa939862e081f00be0a98dbc5a85351)
2014-12-17 14:27:42 +01:00
Richard Levitte
6e5a554533 Clear warnings/errors within CIPHER_DEBUG code sections
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 0c403e80a9952c83a38eab3c8a4ce42e17a2cee0)
2014-12-17 14:27:42 +01:00
Richard Levitte
2164a17a7d Clear warnings/errors within BN_CTX_DEBUG code sections
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 553affbef7bb5dd313514e06dab5cd9b1de1835f)
2014-12-17 14:27:42 +01:00
Adam Langley
dc1e493808 Premaster secret handling fixes
From BoringSSL
- Send an alert when the client key exchange isn't correctly formatted.
- Reject overly short RSA ciphertexts to avoid a (benign) out-of-bounds memory access.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 4aecfd4d9f366c849c9627ab666d1b1addc024e6)
2014-12-17 14:04:04 +01:00
Bodo Möller
1fe8304db0 Backport regression test
master branch has a specific regression test for a bug in x86_64-mont5 code,
see commit cdfe0fdde6a966bdb0447de66aa04a85d99a0551.

This code is now in 1.0.2/1.0.1, so also backport the test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit bb565cd29e34caeeaf12ecfdbe6273c2c794f5a2)
2014-12-17 12:00:59 +01:00
Emilia Kasper
bfd19df6d0 Check for invalid divisors in BN_div.
Invalid zero-padding in the divisor could cause a division by 0.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit a43bcd9e96c5180e5c6c82164ece643c0097485e)
2014-12-17 10:01:13 +01:00
Matt Caswell
7f9edfd23a Add OPENSSL_NO_ECDH guards
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-12-16 10:14:14 +00:00
Matt Caswell
9673056c25 Remove extraneous white space, and add some braces
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 55e530265a7ea8f264717a4e37338cc04eca2007)
2014-12-16 00:08:04 +00:00
Matt Caswell
f50730d361 DTLS fixes for signed/unsigned issues
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 1904d21123849a65dafde1705e6dd5b7c2f420eb)
2014-12-16 00:08:04 +00:00
Matt Caswell
9beb948c0d Checkout return value of dtls1_output_cert_chain
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-15 21:27:19 +00:00
Matt Caswell
ce5ddefc43 Check return value of ssl3_output_cert_chain
Based on commit 66f96fe2d519147097c118d4bf60704c69ed0635 by Steve Henson

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-15 21:26:56 +00:00
Emilia Kasper
458f23f610 Fix unused variable warning
The temporary variable causes unused variable warnings in opt mode with clang,
because the subsequent assert is compiled out.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 6af16ec5eed85390bcbd004806a842d6153d6a31)
2014-12-15 13:19:09 +01:00
Matt Caswell
c983a77887 Fix memory leak in s2_srvr.c if BUF_MEM_grow fails
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit d04a1e0b5beb3329cdf8c4ec35b9113cbc41d2f2)
2014-12-13 00:05:52 +00:00
Matt Caswell
7516eaf492 Fixed memory leak if BUF_MEM_grow fails
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit bb1ddd3d9a0d01656b90693a214b911995a5fe8c)
2014-12-13 00:05:52 +00:00
Matt Caswell
c6a84ff351 Fix use of NULL memory pointer in X509_VERIFY_PARAM_new in the event of a
malloc failure.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-12-12 23:50:24 +00:00
Matt Caswell
b8b9bcb458 Fixed memory leak in the event of a failure of BUF_MEM_grow
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 41bf25013032da0eeb111ce3c8fc0946c0e61c41)
2014-12-08 16:48:05 +00:00
Matt Caswell
be617fbaf8 Fix memory leak in SSL_new if errors occur.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit 76e6509085ea96df0ca542568ee2596343711307)
2014-12-08 16:48:05 +00:00
Emilia Kasper
321ba85899 Reject elliptic curve lists of odd lengths.
The Supported Elliptic Curves extension contains a vector of NamedCurves
of 2 bytes each, so the total length must be even. Accepting odd-length
lists was observed to lead to a non-exploitable one-byte out-of-bounds
read in the latest development branches (1.0.2 and master). Released
versions of OpenSSL are not affected.

Thanks to Felix Groebert of the Google Security Team for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 33d5ba862939ff8db70a9e36fc9a326fab3e8d98)
2014-12-05 16:44:20 +01:00
Matt Caswell
fcabfc66ae Remove incorrect code inadvertently introduced through commit 59669b6ab.
Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	ssl/d1_lib.c
2014-12-04 14:21:50 +00:00
Matt Caswell
9844573039 Remove "#if 0" code
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 4bb8eb9ce4f794fecf020a15b54e8505fced0edf)
2014-12-03 09:35:25 +00:00
Matt Caswell
6579603874 Only use the fallback mtu after 2 unsuccessful retransmissions if it is less
than the mtu we are already using

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 047f21593eebbc617a410a208ded01e65ca11028)
2014-12-03 09:35:25 +00:00
Matt Caswell
d68aade28a Updates to s_client and s_server to remove the constant 28 (for IPv4 header
and UDP header) when setting an mtu. This constant is not always correct (e.g.
if using IPv6). Use the new DTLS_CTRL functions instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 464ce92026bd0c79186cbefa75470f39607110be)
2014-12-03 09:35:25 +00:00
Matt Caswell
3242e5938b If we really get a situation where the underlying mtu is less than the minimum
we will support then dtls1_do_write can go into an infinite loop. This commit
fixes that.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit d3d9eef31661633f5b003a9e115c1822f79d1870)
2014-12-03 09:35:24 +00:00
Matt Caswell
35384e8e5b Fix dtls_query_mtu so that it will always either complete with an mtu that is
at least the minimum or it will fail.
There were some instances in dtls1_query_mtu where the final mtu can end up
being less than the minimum, i.e. where the user has set an mtu manually. This
shouldn't be allowed. Also remove dtls1_guess_mtu that, despite having
logic for guessing an mtu, was actually only ever used to work out the minimum
mtu to use.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 1620a2e49c777f31f2ce57966ae74006b48ad759)
2014-12-03 09:35:24 +00:00
Matt Caswell
4c21e004a3 Remove instances in libssl of the constant 28 (for size of IPv4 header + UDP)
and instead use the value provided by the underlying BIO. Also provide some
new DTLS_CTRLs so that the library user can set the mtu without needing to
know this constant. These new DTLS_CTRLs provide the capability to set the
link level mtu to be used (i.e. including this IP/UDP overhead). The previous
DTLS_CTRLs required the library user to subtract this overhead first.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 59669b6abf620d1ed2ef4d1e2df25c998b89b64d)

Conflicts:
	ssl/d1_both.c
	ssl/ssl_lib.c
2014-12-03 09:35:23 +00:00
Matt Caswell
59ee70e386 There are a number of instances throughout the code where the constant 28 is
used with no explanation. Some of this was introduced as part of RT#1929. The
value 28 is the length of the IP header (20 bytes) plus the UDP header (8
bytes). However use of this constant is incorrect because there may be
instances where a different value is needed, e.g. an IPv4 header is 20 bytes
but an IPv6 header is 40. Similarly you may not be using UDP (e.g. SCTP).
This commit introduces a new BIO_CTRL that provides the value to be used for
this mtu "overhead". It will be used by subsequent commits.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 0d3ae34df573f477b6b1aaf614d52dcdfcff5fce)

Conflicts:
	crypto/bio/bss_dgram.c
2014-12-03 09:34:04 +00:00
Matt Caswell
43e569921e The first call to query the mtu in dtls1_do_write correctly checks that the
mtu that we have received is not less than the minimum. If its less it uses the
minimum instead. The second call to query the mtu does not do that, but
instead uses whatever comes back. We have seen an instance in RT#3592 where we
have got an unreasonably small mtu come back. This commit makes both query
checks consistent.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 6abb0d1f8e702a0daa9c32b8021d01eda0483018)
2014-12-03 09:32:48 +00:00
Matt Caswell
8aaeec9f9a The SSL_OP_NO_QUERY_MTU option is supposed to stop the mtu from being
automatically updated, and we should use the one provided instead.
Unfortunately there are a couple of locations where this is not respected.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 001235778a6e9c645dc0507cad6092d99c9af8f5)
2014-12-03 09:32:48 +00:00
Matt Caswell
8454d3f924 Verify that we have a sensible message len and fail if not
RT#3592 provides an instance where the OPENSSL_assert that this commit
replaces can be hit. I was able to recreate this issue by forcing the
underlying BIO to misbehave and come back with very small mtu values. This
happens the second time around the while loop after we have detected that the
MTU has been exceeded following the call to dtls1_write_bytes.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit cf75017bfd60333ff65edf9840001cd2c49870a3)
2014-12-03 09:32:48 +00:00
Kurt Roeckx
5004c22c25 Use the SSLv23 method by default
If SSLv2 and SSLv3 are both disabled we still support SSL/TLS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-02 11:29:07 +01:00
Richard Levitte
e96872f4c0 Check for FindNextFile when defining it rather than FindFirstFile
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-28 23:31:45 +01:00
Richard Levitte
14e9a78d47 [PR3597] Advance to the next state variant when reusing messages.
Previously, state variant was not advanced, which resulted in state
being stuck in the st1 variant (usually "_A").

This broke certificate callback retry logic when accepting connections
that were using SSLv2 ClientHello (hence reusing the message), because
their state never advanced to SSL3_ST_SR_CLNT_HELLO_C variant required
for the retry code path.

Reported by Yichun Zhang (agentzh).

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2014-11-28 23:31:45 +01:00
Richard Levitte
2aca9b272e Correct some layout issues, convert all remaining tabs to appropriate amounts of spaces.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8123d158ab6f0a6a468748c133e33c2063ff36b5)
2014-11-28 17:04:29 +01:00
Alok Menghrajani
26d7cb400e Improves the proxy certificates howto doc.
The current documentation contains a bunch of spelling and grammar mistakes. I also
found it hard to understand some paragraphs, so here is my attempt to improve its
readability.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 03b637a730e4a298c360cc143de7564060c06324)
2014-11-28 17:04:28 +01:00
Matt Caswell
2db95e094d Fixed warning in ssl2_enc
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-27 21:53:44 +00:00
Matt Caswell
5fc8bb6ab7 Check EVP_Cipher return values for SSL2
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-27 21:53:27 +00:00
Matt Caswell
244d0955ad Add checks to the return value of EVP_Cipher to prevent silent encryption failure.
PR#1767

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-27 21:53:02 +00:00
Matt Caswell
061e68c554 Remove redundant checks in ssl_cert_dup. This was causing spurious error messages when using GOST
PR#3613

Reviewed-by: Richard Levitte <levitte@openssl.org>
(cherry picked from commit fc3968a25ce0c16cab8730ec0d68a59856158029)
2014-11-27 20:53:58 +00:00
Matt Caswell
3f1d582f70 Remove duplicated code
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-11-27 14:32:40 +00:00
Matt Caswell
8a2e5bf6b7 Tidy up ocsp help output
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 5e31a40f47c6bfd09c718d2af42ba8d8fe6bb932)

Conflicts:
	apps/ocsp.c

(cherry picked from commit e16458269036f4334525009906d346f68a73b2a4)
2014-11-27 14:18:45 +00:00
André Guerreiro
6c3d948723 Add documentation on -timeout option in the ocsp utility
PR#3612

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit de87dd46c1283f899a9ecf4ccc72db74f36afbf2)
(cherry picked from commit 4d3df37bc7fd33d0bec5da04d2572caa0cdbab75)
2014-11-27 14:18:45 +00:00
Guenter
51c5ab5d3a NetWare compilation fix.
Workaround for NetWare CodeWarrior compiler which doesn't properly lookup
includes when in same directory as the C file which includes it.

PR#3569
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>

(cherry picked from commit 333fad9f2de1dea99552fcb424b312ca1a390f85)
2014-11-27 14:04:13 +00:00
Matt Caswell
ff60f33811 Updates to X509_NAME_get_index_by_NID.pod submitted by user Bernardh via the wiki
Minor changes made by Matt Caswell

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 648495864513da788246f9b75dbbbce0614ed5e8)
2014-11-27 13:57:23 +00:00
Matt Caswell
2cfa5edb26 Updates to X509_NAME_add_entry_by_txt.pod submitted by user Bernardh via the wiki
Minor changes made by Matt Caswell.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit f281b8df704ce0123fa2193f2890a25da1756528)
2014-11-27 13:57:23 +00:00
Matt Caswell
291a3e9629 Updates to EVP_PKEY_encrypt.pod submitted by user Bernardh via the wiki
Minor changes made by Matt Caswell.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 34890ac18eb5ee7bffe9d460480164e1546b491e)
2014-11-27 13:57:23 +00:00
Matt Caswell
2184a14b62 Add include of ssl.h which is required by srtp.h
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit f67203836cd4a35c1774b6147e0f2d33eb7b1b6f)
2014-11-27 13:19:23 +00:00
Matt Caswell
2e84084fbc Fixed memory leak due to incorrect freeing of DTLS reassembly bit mask
PR#3608

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 8a35dbb6d89a16d792b79b157b3e89443639ec94)
2014-11-26 10:14:13 +00:00
Matt Caswell
26f9cfbdca Corrected comments in ssl.h about SSLv23_method and friends
PR#3574

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 3a0765882c4b3b67960b7efb203570764dd4ed29)
2014-11-25 22:25:18 +00:00
David Benjamin
7fc5f4f117 Do not resume a session if the negotiated protocol version does not match
the session's version (server).

See also BoringSSL's commit bdf5e72f50e25f0e45e825c156168766d8442dde.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 9e189b9dc10786c755919e6792e923c584c918a1)
2014-11-20 16:31:42 +01:00
Emilia Kasper
249a3e362f Ensure SSL3_FLAGS_CCS_OK (or d1->change_cipher_spec_ok for DTLS) is reset
once the ChangeCipherSpec message is received. Previously, the server would
set the flag once at SSL3_ST_SR_CERT_VRFY and again at SSL3_ST_SR_FINISHED.
This would allow a second CCS to arrive and would corrupt the server state.

(Because the first CCS would latch the correct keys and subsequent CCS
messages would have to be encrypted, a MitM attacker cannot exploit this,
though.)

Thanks to Joeri de Ruiter for reporting this issue.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit e94a6c0ede623960728415b68650a595e48f5a43)

Conflicts:
	CHANGES
	ssl/s3_srvr.c
2014-11-20 15:32:08 +01:00
Emilia Kasper
15d717f574 Always require an advertised NewSessionTicket message.
The server must send a NewSessionTicket message if it advertised one
in the ServerHello, so make a missing ticket message an alert
in the client.

An equivalent change was independently made in BoringSSL, see commit
6444287806d801b9a45baf1f6f02a0e3a16e144c.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit de2c7504ebd4ec15334ae151a31917753468f86f)

Conflicts:
	CHANGES
2014-11-20 15:29:17 +01:00
Emilia Kasper
b8712b2b9a Remove ssl3_check_finished.
The client sends a session ID with the session ticket, and uses
the returned ID to detect resumption, so we do not need to peek
at handshake messages: s->hit tells us explicitly if we're resuming.

An equivalent change was independently made in BoringSSL, see commit
407886f589cf2dbaed82db0a44173036c3bc3317.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 980bc1ec6114f5511b20c2e6ca741e61a39b99d6)

Conflicts:
	ssl/d1_clnt.c
	ssl/s3_clnt.c
2014-11-20 15:26:26 +01:00
Emilia Kasper
1eaccbef57 Set s->hit when resuming from external pre-shared secret.
The same change was independently made in BoringSSL, see commit
9eaeef81fa2d4fd6246dc02b6203fa936a5eaf67

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 7b3ba508af5c86afe43e28174aa3c53a0a24f4d9)
2014-11-20 15:20:17 +01:00
Emilia Kasper
e2f69f5ce7 Reset s->tlsext_ticket_expected in ssl_scan_serverhello_tlsext.
This ensures that it's zeroed even if the SSL object is reused
(as in ssltest.c). It also ensures that it applies to DTLS, too.

Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit a06cd5d056c6a5b1d161786873e21a5e53d554d8)
2014-11-20 15:20:16 +01:00
Dr. Stephen Henson
821bee4333 New option no-ssl3-method which removes SSLv3_*method
When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3
options for s_client/s_server/ssltest.

When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3
options.

We should document this somewhere, e.g. wiki, FAQ or manual page.
Reviewed-by: Emilia Käsper <emilia@openssl.org>

(cherry picked from commit 3881d8106df732fc433d30446625dfa2396da42d)

Conflicts:
	util/mkdef.pl
2014-11-19 22:57:51 +00:00
Matt Caswell
8b6205c484 Added OPENSSL_NO_EC2M guards around the preferred EC curve list
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-11-18 13:15:28 +00:00
Jan Hykel
e5cf62b04d Don't use msg on error.
Don't attempt to access msg structure if recvmsg returns an error.

PR#3483
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 012aa9ec76b158179b4de44bb5de8b8472045eac)
2014-11-17 12:42:15 +00:00
Dr. Stephen Henson
b1edca2a4c Fix cross reference table generator.
If the hash or public key algorithm is "undef" the signature type
will receive special handling and shouldn't be included in the
cross reference table.
Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 55f7fb8848b6e4bec291724a479e1580d6f407d6)
2014-11-13 13:35:58 +00:00
Alok Menghrajani
e7768ebbd2 Fixes a minor typo in the EVP docs.
Out is the buffer which needs to contain at least inl + cipher_block_size - 1 bytes. Outl
is just an int*.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 5211e094dec9486a540ac480f345df1a8d2b2862)
2014-11-12 21:05:24 +00:00
Michal Bozon
329a76c085 Correct timestamp output when clock_precision_digits > 0
PR#3535

Reviewed-by: Stephen Henson <steve@openssl.org>
2014-11-12 20:54:10 +00:00
Matt Caswell
bbb76be9b5 Fix free of garbage pointer. PR#3595
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit e04d426bf98ebb22abf0f15b6f09d333a6e8b2ad)
2014-11-12 20:31:27 +00:00
Kurt Roeckx
b726b8a60c Fix warning about negative unsigned intergers
Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-11-11 15:48:34 +01:00
Russell Coker
e298409c34 Fix datarace reported by valgrind/helgrind
This doesn't really fix the datarace but changes it so it can only happens
once. This isn't really a problem since we always just set it to the same
value. We now just stop writing it after the first time.

PR3584, https://bugs.debian.org/534534

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-11-10 18:36:09 +01:00
Andy Polyakov
25012d5e79 md32_common.h: address compiler warning in HOST_c2l.
Reviewed-by: Stephen Henson <steve@openssl.org>
(cherry picked from commit d45282fc7cd9b97ed1479f8b8af713337fce57f5)
2014-10-29 10:55:48 +01:00
Samuel Neves
09b7de77b3 Use only unsigned arithmetic in constant-time operations
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-10-28 20:50:44 +01:00
Emilia Kasper
9bdedec0cf Tighten session ticket handling
Tighten client-side session ticket handling during renegotiation:
ensure that the client only accepts a session ticket if the server sends
the extension anew in the ServerHello. Previously, a TLS client would
reuse the old extension state and thus accept a session ticket if one was
announced in the initial ServerHello.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit d663df2399d1d9d6015bcfd2ec87b925ea3558a2)

Conflicts:
	CHANGES
2014-10-28 17:41:49 +01:00
Emilia Kasper
f63fa8b10a Fix ssltest logic when some protocols are compiled out.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit fd28a41ec899eb8749e21d11441fd4df35ed9a07)

Conflicts:
	ssl/ssltest.c
2014-10-27 16:36:19 +01:00
Bodo Moeller
d47aebbb47 Fix and improve SSL_MODE_SEND_FALLBACK_SCSV documentation.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-21 22:40:41 +02:00
Bodo Moeller
08931f1cd6 When processing ClientHello.cipher_suites, don't ignore cipher suites
listed after TLS_FALLBACK_SCSV.

RT: 3575
Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-10-21 22:32:30 +02:00
Kurt Roeckx
6ce9687b5a Keep old method in case of an unsupported protocol
When we're configured with no-ssl3 and we receive an SSL v3 Client Hello, we set
the method to NULL.  We didn't used to do that, and it breaks things.  This is a
regression introduced in 62f45cc27d07187b59551e4fad3db4e52ea73f2c.  Keep the old
method since the code is not able to deal with a NULL method at this time.

CVE-2014-3569, PR#3571

Reviewed-by: Emilia Käsper <emilia@openssl.org>
(cherry picked from commit 392fa7a952e97d82eac6958c81ed1e256e6b8ca5)
2014-10-21 21:08:14 +02:00
Tim Hudson
20e610580e no-ssl2 with no-ssl3 does not mean drop the ssl lib
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit c882abd52269a59ed8e0510e5febf667428ece85)
2014-10-20 15:25:55 +10:00
Andy Polyakov
4fa17211bb e_os.h: refine inline override logic (to address warnings in debug build).
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 55c7a4cf112bf154ed405ee05a6b7924b6b1ba92)
2014-10-17 11:53:02 +02:00
Andy Polyakov
d8d40fc676 e_os.h: allow inline functions to be compiled by legacy compilers.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 40155f408985aff2e9f1b61b7cb04a3e518633a1)
2014-10-17 11:52:47 +02:00
Kurt Cancemi
3c7fcdfdd4 RT3547: Add missing static qualifier
Reviewed-by: Ben Laurie <ben@openssl.org>
(cherry picked from commit 87d388c955c14a7c1371f9c7555fb429a406a3d3)
2014-10-17 11:48:42 +02:00
Matt Caswell
e356ac5c06 Prepare for 1.0.1k-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 13:55:20 +01:00
Matt Caswell
872e681c00 Prepare for 1.0.1j release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 13:54:46 +01:00
Matt Caswell
38b71ba8ff Updates to NEWS
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
2014-10-15 08:51:50 -04:00
Matt Caswell
f8cf36c298 Add updates to CHANGES file
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-10-15 08:51:50 -04:00
Geoff Thorpe
26a59d9b46 Fix no-ssl3 configuration option
CVE-2014-3568

Reviewed-by: Emilia Kasper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 08:51:50 -04:00
Dr. Stephen Henson
7fd4ce6a99 Fix for session tickets memory leak.
CVE-2014-3567

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5dc6070a03779cd524f0e67f76c945cb0ac38320)
2014-10-15 08:51:50 -04:00
Matt Caswell
d9d09a8d0f Fix SRTP compile issues for windows
Related to CVE-2014-3513

This fix was developed by the OpenSSL Team

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 08:51:50 -04:00
Matt Caswell
2b0532f398 Fix for SRTP Memory Leak
CVE-2014-3513

This issue was reported to OpenSSL on 26th September 2014, based on an origi
issue and patch developed by the LibreSSL project. Further analysis of the i
was performed by the OpenSSL team.

The fix was developed by the OpenSSL team.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 08:51:49 -04:00
Bodo Moeller
7d07c75c5b Fix SSL_R naming inconsistency.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 14:47:39 +02:00
Andy Polyakov
f34297db80 aesni-x86_64.pl: make ECB subroutine Windows ABI compliant.
RT: 3553
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 69d5747f90136aa026a96204f26ab39549dfc69b)
2014-10-15 11:13:14 +02:00
Tim Hudson
e2e5326e5b Add constant_time_locl.h to HEADERS,
so the Win32 compile picks it up correctly.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-10-15 10:49:51 +02:00
Richard Levitte
592c6e1191 Add the constant time test to the VMS build and tests
Reviewed-by: Tim Hudson <tjh@openssl.org>

Conflicts:
	test/maketests.com
	test/tests.com
2014-10-15 10:49:44 +02:00
Richard Levitte
8202802fad Include "constant_time_locl.h" rather than "../constant_time_locl.h".
The different -I compiler parameters will take care of the rest...

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:49:35 +02:00
Richard Levitte
f79bb32926 Spaces were added in some strings for better readability. However, those spaces do not belong in file names, so when picking out the individual parts, remove the spaces
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:49:24 +02:00
Richard Levitte
7a3809fd97 Adjust VMS build to Unix build. Most of all, make it so the disabled
algorithms MD2 and RC5 don't get built.
Also, disable building the test apps in crypto/des and crypto/pkcs7, as
they have no support at all.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:49:08 +02:00
Richard Levitte
f13a149088 Make sure test/tests.com exit gracefully, even when openssl.exe wasn't properly built.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:48:55 +02:00
Richard Levitte
fc586d2955 Update the VMS build according to the latest unixly build. Partly provided by Zoltan Arpadffy <arpadffy@polarhome.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:48:32 +02:00
Richard Levitte
17d45dec4d Make sure that disabling the MAYLOSEDATA3 warning is only done when the compiler supports it. Otherwise, there are warnings about it lacking everywhere, which is quite tedious to read through while trying to check for other warnings.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-15 10:47:12 +02:00
Bodo Moeller
6bfe55380a Support TLS_FALLBACK_SCSV.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 04:05:42 +02:00
Dr. Stephen Henson
4e05aedbca Preserve digests for SNI.
SSL_set_SSL_CTX is normally called for SNI after ClientHello has
received and the digest to use for each certificate has been decided.
The original ssl->cert contains the negotiated digests and is now
copied to the new ssl->cert.

PR: 3560
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-10-10 23:21:14 +01:00
Matt Caswell
bf3e200eb4 Removed duplicate definition of PKCS7_type_is_encrypted
Patch supplied by Matthieu Patou <mat@matws.net>, and modified to also
remove duplicate definition of PKCS7_type_is_digest.

PR#3551

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e0fdea3e49e7454aa76bd5ecf3a3747641354c68)
2014-10-06 23:46:25 +01:00
Dr. Stephen Henson
55614f89f0 Add additional DigestInfo checks.
Reencode DigestInto in DER and check against the original: this
will reject any improperly encoded DigestInfo structures.

Note: this is a precautionary measure, there is no known attack
which can exploit this.

Thanks to Brian Smith for reporting this issue.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-09-29 12:22:32 +01:00
Emilia Kasper
b1620443f3 Add missing tests
Accidentally omitted from commit 455b65dfab0de51c9f67b3c909311770f2b3f801

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit fdc35a9d3e8cf4cfd9330d5df9883f42cf5648ad)
2014-09-25 13:47:16 +02:00
Dr. Stephen Henson
4ed98b6e25 Use correct function name: CMS_add1_signer()
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 5886354dcca4f8445ed35b6995a035b75409590c)
2014-09-25 00:06:59 +01:00
Andy Polyakov
3a33923515 crypto/bn/bn_nist.c: work around MSC ARM compiler bug.
RT: 3541
Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 8b07c005fe006044d0e4a795421447deca3c9f2c)
2014-09-25 00:47:18 +02:00
Emilia Kasper
f2df488a1c RT3425: constant-time evp_enc
Do the final padding check in EVP_DecryptFinal_ex in constant time to
avoid a timing leak from padding failure.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e)

Conflicts:
	crypto/evp/evp_enc.c

(cherry picked from commit 738911cde68b2b3706e502cf8daf5b14738f2f42)
2014-09-24 16:25:54 +02:00
Emilia Kasper
8d507aee7c RT3067: simplify patch
(Original commit adb46dbc6dd7347750df2468c93e8c34bcb93a4b)

Use the new constant-time methods consistently in s3_srvr.c

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(cherry picked from commit 455b65dfab0de51c9f67b3c909311770f2b3f801)
2014-09-24 15:52:41 +02:00
Adam Langley
133145686e This change alters the processing of invalid, RSA pre-master secrets so
that bad encryptions are treated like random session keys in constant
time.

(cherry picked from commit adb46dbc6dd7347750df2468c93e8c34bcb93a4b)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-09-24 15:46:26 +02:00
Emilia Kasper
0f04b004ac RT3066: rewrite RSA padding checks to be slightly more constant time.
Also tweak s3_cbc.c to use new constant-time methods.
Also fix memory leaks from internal errors in RSA_padding_check_PKCS1_OAEP_mgf1

This patch is based on the original RT submission by Adam Langley <agl@chromium.org>,
as well as code from BoringSSL and OpenSSL.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>

Conflicts:
	crypto/rsa/rsa_oaep.c
2014-09-24 14:17:41 +02:00
Tim Hudson
81e3a6055c Fixed error introduced in commit f2be92b94dad3c6cbdf79d99a324804094cf1617
that fixed PR#3450 where an existing cast masked an issue when i was changed
from int to long in that commit

Picked up on z/linux (s390) where sizeof(int)!=sizeof(long)

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit b5ff559ff90124c6fd53bbb49dae5edb4e821e0a)
2014-09-22 06:34:25 +10:00
Rich Salz
bea9a17726 RT2560: missing NULL check in ocsp_req_find_signer
If we don't find a signer in the internal list, then fall
through and look at the internal list; don't just return NULL.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit b2aa38a980e9fbf158aafe487fb729c492b241fb)
2014-09-10 12:20:25 -04:00
Erik Auerswald
b537ea9ce4 RT3301: Discard too-long heartbeat requests
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit af4c6e348e4bad6303e7d214cdcf2536487aabe4)
2014-09-08 11:23:10 -04:00
Adam Langley
13ce52be1b psk_client_callback, 128-byte id bug.
Fix a bug in handling of 128 byte long PSK identity in
psk_client_callback.

OpenSSL supports PSK identities of up to (and including) 128 bytes in
length. PSK identity is obtained via the psk_client_callback,
implementors of which are expected to provide a NULL-terminated
identity. However, the callback is invoked with only 128 bytes of
storage thus making it impossible to return a 128 byte long identity and
the required additional NULL byte.

This CL fixes the issue by passing in a 129 byte long buffer into the
psk_client_callback. As a safety precaution, this CL also zeroes out the
buffer before passing it into the callback, uses strnlen for obtaining
the length of the identity returned by the callback, and aborts the
handshake if the identity (without the NULL terminator) is longer than
128 bytes.

(Original patch amended to achieve strnlen in a different way.)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit be0d851732bad7370640702bc9c4a33189ede287)
2014-09-05 12:22:50 +02:00
Adam Langley
11853c50ec Ensure that x**0 mod 1 = 0.
(cherry picked from commit 2b0180c37fa6ffc48ee40caa831ca398b828e680)

Reviewed-by: Ben Laurie <ben@openssl.org>
2014-09-04 16:06:51 +02:00
Richard Levitte
a60aa7e008 Followup on RT3334 fix: make sure that a directory that's the empty
string returns 0 with errno = ENOENT.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 360928b7d0f16dde70e26841bbf9e1af727e8b8f)
2014-09-03 22:26:05 +02:00
Phil Mesnier
a49256a349 RT3334: Fix crypto/LPdir_win.c
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6a14fe7576e7a14a46ba14df8be8fe478536b4fb)
2014-09-03 22:26:05 +02:00
Emilia Kasper
e517dfd3d1 Make the inline const-time functions static.
"inline" without static is not correct as the compiler may choose to ignore it
and will then either emit an external definition, or expect one.

Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 86f50b36e63275a916b147f9d8764e3c0c060fdb)
2014-09-02 15:24:59 +02:00
Andy Polyakov
74687f5979 md5-x86_64.pl: work around warning.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 4d86e8df6be69ed13abb73fd564f1f894eea0a98)
2014-08-30 19:19:01 +02:00
Rich Salz
8dc6617ad5 Add tags/TAGS
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 9d6253cfd3395dfe7147dae134579c6b16544c53)
2014-08-30 10:09:30 -04:00
Rich Salz
c2119214c2 RT2119,3407: Updated to dgst.pod
Re-order algorithm list.
Be consistent in command synopsis.
Add content about signing.
Add EXAMPLE section
Add some missing options: -r, -fips-fingerprint -non-fips-allow
Various other fixes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit 6aa9dbab0f9b90060b7ee609b8c3c726ce4faf21)
2014-08-30 10:06:07 -04:00
James Westby
22387f00b6 RT1941: c_rehash.pod is missing
Add the file written by James Westby, graciously contributed
under the terms of the OpenSSL license.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit cf2239b3b397174a8a6b1cc84ff68aba34ed5941)
2014-08-30 09:51:56 -04:00
Rich Salz
4d16915381 RT2379: Bug in BIO_set_accept_port.pod
The doc says that port can be "*" to mean any port.
That's wrong.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 07e3b31fae98b985d3d2aad7066144b11833f688)
2014-08-29 16:46:28 -04:00
Emilia Kasper
e7169a5835 Constant-time utilities
Pull constant-time methods out to a separate header, add tests.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 9a9b0c0401cae443f115ff19921d347b20aa396b)

Conflicts:
	test/Makefile
2014-08-28 17:07:07 +02:00
Raphael Spreitzer
abc2dfbcc3 RT2400: ASN1_STRING_to_UTF8 missing initializer
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit f9fb43e176ad2a914108cd2b403425dc1ebc7262)
2014-08-27 22:59:52 -04:00
Rich Salz
23ea9f6f03 RT2308: Add extern "C" { ... } wrapper
Add the wrapper to all public header files (Configure
generates one).  Don't bother for those that are just
lists of #define's that do renaming.

Reviewed-by: Tim Hudson <tjh@openssl.org>

(cherry picked from commit 089f10e69ece75ce31540501fe0898b15e898552)
2014-08-27 21:47:12 -04:00
Emilia Kasper
3e5df37861 Explicitly check for empty ASN.1 strings in d2i_ECPrivateKey
The old code implicitly relies on the ASN.1 code returning a \0-prefixed buffer
when the buffer length is 0. Change this to verify explicitly that the ASN.1 string
has positive length.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit 82dc08de54ce443c2a9ac478faffe79e76157795)
2014-08-27 19:50:36 +02:00
Matt Caswell
4e5f9f8a9a RT3065: automatically generate a missing EC public key
When d2i_ECPrivateKey reads a private key with a missing (optional) public key,
generate one automatically from the group and private key.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit ed383f847156940e93f256fed78599873a4a9b28)

Conflicts:
	doc/crypto/EC_KEY_new.pod
2014-08-27 19:50:36 +02:00
Adam Langley
9446ecfb3a RT3065: ec_private_key_dont_crash
This change saves several EC routines from crashing when an EC_KEY is
missing a public key. The public key is optional in the EC private key
format and, without this patch, running the following through `openssl
ec` causes a crash:

-----BEGIN EC PRIVATE KEY-----
MBkCAQEECAECAwQFBgcIoAoGCCqGSM49AwEH
-----END EC PRIVATE KEY-----

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit b391570bdeb386d4fd325917c248d593d3c43930)
2014-08-27 19:50:36 +02:00
Mihai Militaru
48ecdec7a0 RT2210: Add missing EVP_cleanup to example
I also removed some trailing whitespace and cleaned
up the "see also" list.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
(cherry picked from commit 7b3e11c54466f1da8b707c932e308d345fd61101)
2014-08-27 13:27:06 -04:00
David Gatwood
8f5f782253 RT1744: SSL_CTX_set_dump_dh() doc feedback
The description of when the server creates a DH key is
confusing.  This cleans it up.
(rsalz: also removed trailing whitespace.)

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2014-08-26 13:40:45 -04:00
Jan Schaumann
228a77a4ad RT1804: fix EXAMPLE in EVP_EncryptInit.pod
The EXAMPLE that used FILE and RC2 doesn't compile due to a
few minor errors.  Tweak to use IDEA and AES-128. Remove
examples about RC2 and RC5.

Reviewed-by: Emilia Kasper <emilia@openssl.org>
2014-08-25 10:26:57 -04:00
Matt Caswell
03b17a5789 Typo fixes to evp documentation.
This patch was submitted by user "Kox" via the wiki

Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 2dd8cb3b9593f528d9537aa6a003d5c93df1e3c5)
2014-08-24 21:26:40 +01:00
Adam Langley
391f3b5708 RT3060: Limit the number of empty records.
Limit the number of empty records that will be processed consecutively
in order to prevent ssl3_get_record from never returning.

Reported by "oftc_must_be_destroyed" and George Kadianakis.

Reviewed-by: Bodo Moeller <bodo@openssl.org>
(cherry picked from commit 3aac17a82fbaf2bc23ee62f24611e5883d3e7b97)
2014-08-22 15:53:14 +02:00
Adam Langley
fe9b9a880f RT3061: Don't SEGFAULT when trying to export a public DSA key as a private key.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit e19c93811f0db499c98d2888f1c0c0ab65e6238a)
2014-08-22 15:25:18 +02:00
Emilia Kasper
9f96ea4c2b Improve EVP_PKEY_sign documentation
Clarify the intended use of EVP_PKEY_sign. Make the code example compile.

Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit d64c533a207f7b6d86c3bc8ffb053e5f4d0c1ca0)
2014-08-22 15:06:09 +02:00
Emilia Kasper
41a765182f define inline for Visual Studio
In Visual Studio, inline is available in C++ only, however __inline is available for C, see
http://msdn.microsoft.com/en-us/library/z8y1yy88.aspx

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Dr Stephen Henson <steve@openssl.org>
(cherry picked from commit f511b25a7370c775dc9fd6198dbacd1706cf242b)
2014-08-21 16:07:55 +02:00
Emilia Kasper
bcdd904c6c Fix build when BSAES_ASM is defined but VPAES_ASM is not
Reviewed-by: Andy Polyakov <appro@openssl.org>
(cherry picked from commit da92be4d68bec81030838e3228ef0238c565af85)
2014-08-21 15:48:23 +02:00
Adam Langley
a90b1e32d2 Add volatile qualifications to two blocks of inline asm to stop GCC from
eliminating them as dead code.

Both volatile and "memory" are used because of some concern that the compiler
may still cache values across the asm block without it, and because this was
such a painful debugging session that I wanted to ensure that it's never
repeated.

(cherry picked from commit 7753a3a68431aa81b82beea4c3f5374b41454679)

Conflicts:
	crypto/bn/asm/x86_64-gcc.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-08-19 17:09:27 +02:00
Matt Caswell
0ed8e95c4b Fixed out-of-bounds read errors in ssl3_get_key_exchange.
PR#3450

Conflicts:
	ssl/s3_clnt.c

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-15 23:29:28 +01:00
Bodo Moeller
6b5b85f4f6 Further improve/fix ec_GFp_simple_points_make_affine (ecp_smpl.c) and
group_order_tests (ectest.c).  Also fix the EC_POINTs_mul documentation (ec.h).

Reviewed-by: emilia@openssl.org
2014-08-13 17:44:53 +02:00
Dr. Stephen Henson
03ebf85f77 Fix SRP ciphersuites.
Add patch missed from backport of SRP ciphersuite fix.
PR#3490
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-12 20:42:27 +01:00
Dr. Stephen Henson
30fbe92c78 Fix SRP authentication ciphersuites.
The addition of SRP authentication needs to be checked in various places
to work properly. Specifically:

A certificate is not sent.
A certificate request must not be sent.
Server key exchange message must not contain a signature.
If appropriate SRP authentication ciphersuites should be chosen.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 8f5a8805b82d1ae81168b11b7f1506db9e047dec)

Conflicts:

	ssl/s3_clnt.c
	ssl/s3_lib.c
2014-08-09 00:13:27 +01:00
Dr. Stephen Henson
1241e77f15 Test SRP authentication ciphersuites.
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 193c1c07165b0042abd217274a084b49459d4443)
2014-08-09 00:10:26 +01:00
Dr. Stephen Henson
1433cac53c Only use FIPS EC methods in FIPS mode.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-07 01:08:14 +01:00
Matt Caswell
204fb36a0e Prepare for 1.0.1j-dev
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:19:10 +01:00
Matt Caswell
2b45603445 Prepare for 1.0.1i release
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:18:45 +01:00
Matt Caswell
d70c0be4c1 make update
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-08-06 22:18:45 +01:00
Dr. Stephen Henson
9b649d9a73 update NEWS
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:33:25 +01:00
Dr. Stephen Henson
abbd58559e update CHANGES
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:33:25 +01:00
Dr. Stephen Henson
d15d17bb64 Check SRP parameters early.
Check SRP parameters when they are received so we can send back an
appropriate alert.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:27:51 +01:00
Dr. Stephen Henson
966fe81f9b Fix SRP buffer overrun vulnerability.
Invalid parameters passed to the SRP code can be overrun an internal
buffer. Add sanity check that g, A, B < N to SRP code.

Thanks to Sean Devlin and Watson Ladd of Cryptography Services, NCC
Group for reporting this issue.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2014-08-06 20:27:51 +01:00
Dr. Stephen Henson
83764a989d Fix SRP ciphersuite DoS vulnerability.
If a client attempted to use an SRP ciphersuite and it had not been
set up correctly it would crash with a null pointer read. A malicious
server could exploit this in a DoS attack.

Thanks to Joonas Kuorilehto and Riku Hietamäki from Codenomicon
for reporting this issue.

CVE-2014-5139
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 20:27:51 +01:00
Gabor Tyukasz
86788e1ee6 Fix race condition in ssl_parse_serverhello_tlsext
CVE-2014-3509
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:27:51 +01:00
Emilia Kasper
03b04ddac1 Fix OID handling:
- Upon parsing, reject OIDs with invalid base-128 encoding.
- Always NUL-terminate the destination buffer in OBJ_obj2txt printing function.

CVE-2014-3508

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-06 20:27:51 +01:00
Emilia Käsper
88ae012c80 Fix DTLS anonymous EC(DH) denial of service
CVE-2014-3510

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2014-08-06 20:27:51 +01:00
David Benjamin
fc4f4cdb8b Fix protocol downgrade bug in case of fragmented packets
CVE-2014-3511

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Bodo Möller <bodo@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
4e0fbdc4ec Remove some duplicate DTLS code.
In a couple of functions, a sequence number would be calculated twice.

Additionally, in |dtls1_process_out_of_seq_message|, we know that
|frag_len| <= |msg_hdr->msg_len| so the later tests for |frag_len <
msg_hdr->msg_len| can be more clearly written as |frag_len !=
msg_hdr->msg_len|, since that's the only remaining case.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Matt Caswell
0c37aed3f3 Applying same fix as in dtls1_process_out_of_seq_message. A truncated DTLS fragment would cause *ok to be clear, but the return value would still be the number of bytes read.
Problem identified by Emilia Käsper, based on previous issue/patch by Adam
Langley.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
099ccdb808 Fix return code for truncated DTLS fragment.
Previously, a truncated DTLS fragment in
|dtls1_process_out_of_seq_message| would cause *ok to be cleared, but
the return value would still be the number of bytes read. This would
cause |dtls1_get_message| not to consider it an error and it would
continue processing as normal until the calling function noticed that
*ok was zero.

I can't see an exploit here because |dtls1_get_message| uses
|s->init_num| as the length, which will always be zero from what I can
see.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
9871417fb7 Fix memory leak from zero-length DTLS fragments.
The |pqueue_insert| function can fail if one attempts to insert a
duplicate sequence number. When handling a fragment of an out of
sequence message, |dtls1_process_out_of_seq_message| would not call
|dtls1_reassemble_fragment| if the fragment's length was zero. It would
then allocate a fresh fragment and attempt to insert it, but ignore the
return value, leaking the fragment.

This allows an attacker to exhaust the memory of a DTLS peer.

Fixes CVE-2014-3507

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Matt Caswell
fc7804ec39 Fix DTLS handshake message size checks.
In |dtls1_reassemble_fragment|, the value of
|msg_hdr->frag_off+frag_len| was being checked against the maximum
handshake message size, but then |msg_len| bytes were allocated for the
fragment buffer. This means that so long as the fragment was within the
allowed size, the pending handshake message could consume 16MB + 2MB
(for the reassembly bitmap). Approx 10 outstanding handshake messages
are allowed, meaning that an attacker could consume ~180MB per DTLS
connection.

In the non-fragmented path (in |dtls1_process_out_of_seq_message|), no
check was applied.

Fixes CVE-2014-3506

Wholly based on patch by Adam Langley with one minor amendment.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Matt Caswell
e7b9d9be48 Added comment for the frag->reassembly == NULL case as per feedback from Emilia
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Adam Langley
2172d4f63c Avoid double free when processing DTLS packets.
The |item| variable, in both of these cases, may contain a pointer to a
|pitem| structure within |s->d1->buffered_messages|. It was being freed
in the error case while still being in |buffered_messages|. When the
error later caused the |SSL*| to be destroyed, the item would be double
freed.

Thanks to Wah-Teh Chang for spotting that the fix in 1632ef74 was
inconsistent with the other error paths (but correct).

Fixes CVE-2014-3505

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-06 20:27:51 +01:00
Dr. Stephen Henson
c34091d47e make update
Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-08-01 21:23:49 +01:00
Dr. Stephen Henson
a9f4ebd753 Fix error discrepancy.
We can't rename ssleay_rand_bytes to md_rand_bytes_lock as this will cause
an error code discrepancy. Instead keep ssleay_rand_bytes and add an
extra parameter: since ssleay_rand_bytes is not part of the public API
this wont cause any binary compatibility issues.
Reviewed-by: Kurt Roeckx <kurt@openssl.org >
(cherry picked from commit 8068a675a7d1a657c54546f24e673e59e6707f03)
2014-08-01 18:42:40 +01:00
Bodo Moeller
604c9948a8 Update $default_depflags to match current defaults. 2014-08-01 19:07:57 +02:00
Bodo Moeller
281720c2a3 Simplify and fix ec_GFp_simple_points_make_affine
(which didn't always handle value 0 correctly).

Reviewed-by: emilia@openssl.org

Conflicts:
	CHANGES
2014-08-01 17:50:26 +02:00
Dr. Stephen Henson
2a9023f7b4 Avoid multiple lock using FIPS DRBG.
Don't use multiple locks when SP800-90 DRBG is used outside FIPS mode.

PR#3176
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a3efe1b6e9d2aa2ce5661e4d4b97262eae743fa7)
2014-07-30 21:09:20 +01:00
Dr. Stephen Henson
36e8c39899 Add conditional unit testing interface.
Don't call internal functions directly call them through
SSL_test_functions(). This also makes unit testing work on
Windows and platforms that don't export internal functions
from shared libraries.

By default unit testing is not enabled: it requires the compile
time option "enable-unit-test".
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit e0fc7961c4fbd27577fb519d9aea2dc788742715)

Conflicts:

	ssl/Makefile
	util/mkdef.pl
2014-07-24 19:43:25 +01:00
Billy Brumley
e3f009c595 "EC_POINT_invert" was checking "dbl" function pointer instead of "invert".
PR#2569

Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit cba11f57ce161fd301a72194827327128191de7e)
2014-07-21 22:28:40 +01:00
Tim Hudson
fbe3baa773 Remove old unused and unmaintained demonstration code.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
(cherry picked from commit 62352b8138018775a4c085a105fccd9cdcb6323f)
2014-07-22 07:26:35 +10:00
Tim Hudson
690998f904 Minor documentation update removing "really" and a
statement of opinion rather than a fact.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit c8d133e4b6f1ed1b7ad3c1a6d2c62f460e26c050)
2014-07-21 20:24:47 +10:00
Dr. Stephen Henson
3221da845f Fix documentation for RSA_set_method(3)
PR#1675
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit 197400c3f0d617d71ad8167b52fb73046d334320)
2014-07-19 18:26:12 +01:00
Jeffrey Walton
9aeb410419 Fix typo, add reference.
PR#3456
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(cherry picked from commit d48e78f0cf22aaddb563f4bcfccf25b1a45ac8a4)
2014-07-17 12:08:52 +01:00
Matt Caswell
bf4519cde5 Disabled XTS mode in enc utility as it is not supported
PR#3442

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit 2097a17c576f2395a10b05f14490688bc5f45a07)
2014-07-16 21:05:10 +01:00
Matt Caswell
e967b94356 Add Matt Caswell's fingerprint, and general update on the fingerprints file to bring it up to date
Reviewed-by: Tim Hudson <tjh@openssl.org>
(cherry picked from commit 3bd548192a03142c80cf8bc68659d79dea20a738)
2014-07-15 23:24:26 +01:00
Dr. Stephen Henson
2316286c0e Clarify -Verify and PSK.
PR#3452
(cherry picked from commit ca2015a617842fed3d36ed4dcbbf8d5e27bc5216)
2014-07-15 20:23:35 +01:00
Dr. Stephen Henson
67bde7d465 Fix DTLS certificate requesting code.
Use same logic when determining when to expect a client
certificate for both TLS and DTLS.

PR#3452
(cherry picked from commit c8d710dc5f83d69d802f941a4cc5895eb5fe3d65)
2014-07-15 18:23:44 +01:00
Dr. Stephen Henson
cd63f94d4d Don't allow -www etc options with DTLS.
The options which emulate a web server don't make sense when doing DTLS.
Exit with an error if an attempt is made to use them.

PR#3453
(cherry picked from commit 58a2aaeade8bdecd0f9f0df41927f7cff3012547)
2014-07-15 12:25:39 +01:00
Dr. Stephen Henson
2054eb771e Add ECC extensions with DTLS.
PR#3449
2014-07-15 12:20:30 +01:00
Dr. Stephen Henson
ea0ceb11a0 Use case insensitive compare for servername.
PR#3445
(cherry picked from commit 1c3e9a7c67ccdc5e770829fe951e5832e600d377)
2014-07-15 00:00:03 +01:00
Hubert Kario
00579b98c4 document -nextprotoneg option in man pages
Add description of the option to advertise support of
Next Protocol Negotiation extension (-nextprotoneg) to
man pages of s_client and s_server.

PR#3444
(cherry picked from commit 7efd0e777e65eaa6c60d85b1cc5c889f872f8fc4)

Conflicts:

	doc/apps/s_server.pod
2014-07-14 23:43:58 +01:00
Dr. Stephen Henson
ee5a8d3e31 Use more common name for GOST key exchange.
(cherry picked from commit 7aabd9c92fe6f0ea2a82869e5171dcc4518cee85)
2014-07-14 18:31:54 +01:00
Matt Caswell
72370164c3 Fixed valgrind complaint due to BN_consttime_swap reading uninitialised data.
This is actually ok for this function, but initialised to zero anyway if
PURIFY defined.

This does have the impact of masking any *real* unitialised data reads in bn though.

Patch based on approach suggested by Rich Salz.

PR#3415

(cherry picked from commit 77747e2d9a5573b1dbc15e247ce18c03374c760c)
2014-07-13 22:23:10 +01:00
Peter Mosmans
704422ce1e Add names of GOST algorithms.
PR#3440
(cherry picked from commit 924e5eda2c82d737cc5a1b9c37918aa6e34825da)
2014-07-13 18:31:36 +01:00
Richard Levitte
8e8d7e1b26 * crypto/ui/ui_lib.c: misplaced brace in switch statement.
Detected by dcruette@qualitesys.com

(cherry picked from commit 8b5dd340919e511137696792279f595a70ae2762)
2014-07-13 19:15:30 +02:00
Ben Laurie
3ed6327571 Don't clean up uninitialised EVP_CIPHER_CTX on error (CID 483259).
(cherry picked from commit c1d1b0114e9d370c30649e46182393dbfc00e20c)
2014-07-10 17:52:37 +01:00
Matt Caswell
efd4f1dfd3 Fix memory leak in BIO_free if there is no destroy function.
Based on an original patch by Neitrino Photonov <neitrinoph@gmail.com>

PR#3439

(cherry picked from commit 66816c53bea0ecddb9448da7ea9a51a334496127)
2014-07-09 23:34:35 +01:00
David Lloyd
00032b0ba1 Prevent infinite loop loading config files.
PR#2985
(cherry picked from commit 9d23f422a32cb333a5e803199ae230706b1bf9f5)
2014-07-07 13:50:00 +01:00
Dr. Stephen Henson
a07f514fc0 Usage for -hack and -prexit -verify_return_error
(cherry picked from commit ee724df75d9ad67fd954253ac514fddb46f1e3c6)
2014-07-06 22:48:57 +01:00
Dr. Stephen Henson
b197c770a6 Document certificate status request options.
(cherry picked from commit cba3f1c739f012aaadb85aaefaf8de424d2695e2)

Conflicts:

	doc/apps/s_client.pod
	doc/apps/s_server.pod
2014-07-06 22:48:52 +01:00
Dr. Stephen Henson
b7c9762598 s_server usage for certificate status requests
(cherry picked from commit a44f219c009798054d6741e919cba5b2e656dbf4)
2014-07-06 22:45:44 +01:00
Dr. Stephen Henson
a414bc8c3e Update ticket callback docs.
(cherry picked from commit a23a6e85d8dcd5733a343754f434201f3c9aa6f0)
2014-07-06 12:42:27 +01:00
Dr. Stephen Henson
98a3c3c514 Sanity check keylength in PVK files.
PR#2277
(cherry picked from commit 733a6c882e92f8221bd03a51643bb47f5f81bb81)
2014-07-06 00:36:11 +01:00
Jeffrey Walton
157fd05aad Added reference to platform specific cryptographic acceleration such as AES-NI 2014-07-06 00:04:32 +01:00
Matt Caswell
9f510ceb5d Fixed error in pod files with latest versions of pod2man
(cherry picked from commit 07255f0a76d9d349d915e14f969b9ff2ee0d1953)
2014-07-06 00:04:32 +01:00
Alan Hryngle
675b1c2fce Return smaller of ret and f.
PR#3418.
(cherry picked from commit fdea4fff8fb058be928980600b24cf4c62ef3630)
2014-07-05 22:38:44 +01:00
Dr. Stephen Henson
c923132e9d Don't limit message sizes in ssl3_get_cert_verify.
PR#319 (reoponed version).
(cherry picked from commit 7f6e9578648728478e84246fd3e64026b8b6a48e)
2014-07-05 13:30:55 +01:00
Dr. Stephen Henson
1864e3bed3 typo
(cherry picked from commit 2cfbec1caea8f9567bdff85d33d22481f2afb40a)
(cherry picked from commit a9661e45acda0bedcb2413b412f9ffc3f9fb2354)
2014-07-04 18:43:55 +01:00
Dr. Stephen Henson
af7bcd7daa Add license info.
(cherry picked from commit 55707a36cce3584457f687ff020842c079624ee8)
2014-07-04 18:43:50 +01:00
Rich Salz
3fa2fff86f Merge branch 'rsalz-docfixes' 2014-07-03 12:53:36 -04:00
Rich Salz
b372a64e10 Close 3170, remove reference to Ariel Glenn's old 0.9.8 doc
(cherry picked from commit f1112985e847286033ac573e70bdee752d26f46f)
2014-07-03 12:51:33 -04:00
Andy Polyakov
e432336433 bn_exp.c: fix x86_64-specific crash with one-word modulus.
PR: #3397
(cherry picked from commit eca441b2b4d33d2a18d163ef9b4b3aff14251c73)
2014-07-02 21:21:02 +02:00
Dr. Stephen Henson
f3b0e0215c update release notes 2014-07-02 18:32:03 +01:00
Matt Smart
a6cc0e0a0d Fix doc typo.
ERR_get_error(3) references the non-existent
ERR_get_last_error_line_data instead of the one that does exist,
ERR_peek_last_error_line_data.

PR#3283
(cherry picked from commit 5cc99c6cf5e908df6b00b04af7f08e99c0698c7b)
2014-07-02 03:45:07 +01:00
Thijs Alkemade
b2cb6dc1ef Make disabling last cipher work.
(cherry picked from commit 7cb472bd0d0fd9da3d42bed1acc56c3a79fc5328)
2014-07-02 03:32:50 +01:00
Geoff Thorpe
f87f88a69f util/mkerr.pl: fix perl warning
Gets rid of this;

defined(@array) is deprecated at ../util/mkerr.pl line 792.
        (Maybe you should just omit the defined()?)
defined(@array) is deprecated at ../util/mkerr.pl line 800.
        (Maybe you should just omit the defined()?)

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
(cherry picked from commit 647f360e2e86818cee1f2d0429e071d14814e0b5)
2014-07-02 01:50:51 +01:00
Dr. Stephen Henson
6d87cd2f03 ASN1 sanity check.
Primitive encodings shouldn't use indefinite length constructed
form.

PR#2438 (partial).
(cherry picked from commit 398e99fe5e06edb11f55a39ce0883d9aa633ffa9)
2014-07-02 01:00:18 +01:00
Ben Laurie
2db3ea2929 Fix possible buffer overrun. 2014-07-01 23:39:17 +01:00
Dr. Stephen Henson
c28b055a0c Fix copy for CCM, GCM and XTS.
Internal pointers in CCM, GCM and XTS contexts should either be
NULL or set to point to the appropriate key schedule. This needs
to be adjusted when copying contexts.
(cherry picked from commit c2fd5d79ffc4fc9d120a0faad579ce96473e6a2f)
2014-06-30 14:00:00 +01:00
Jeffrey Walton
02e8d46119 Clarified that the signature's buffer size, s, is not used as an
IN parameter.

Under the old docs, the only thing stated was "at most
EVP_PKEY_size(pkey) bytes will be written". It was kind of misleading
since it appears EVP_PKEY_size(pkey) WILL be written regardless of the
signature's buffer size.

(cherry picked from commit 6e6ba36d980f67b6e5c7b139f78da7acbbf8ec76)
2014-06-29 23:36:51 +01:00
ZNV
105a3db56e Make EVP_CIPHER_CTX_copy work in GCM mode.
PR#3272
(cherry picked from commit 370bf1d708e6d7af42e1752fb078d0822c9bc73d)
2014-06-29 22:02:42 +01:00
Dr. Stephen Henson
295befec25 Fix memory leak.
PR#2531
(cherry picked from commit 44724beeadf95712a42a8b21dc71bf110e89a262)
2014-06-29 13:52:03 +01:00
Ken Ballou
cb34cb1f23 Typo.
PR#3173
(cherry picked from commit 76ed5a42ea68dd08bba44e4003b7e638e5d8a4a3)
2014-06-29 13:39:24 +01:00
Dr. Stephen Henson
86f393ceb7 Show errors on CSR verification failure.
If CSR verify fails in ca utility print out error messages.
Otherwise some errors give misleading output: for example
if the key size exceeds the library limit.

PR#2875
(cherry picked from commit a30bdb55d1361b9926eef8127debfc2e1bb8c484)
2014-06-29 13:34:44 +01:00
Dr. Stephen Henson
d6d324374e Make no-ssl3 no-ssl2 do more sensible things.
(cherry picked from commit 7ae6a4b659facfd7ad8131238aa1d349cb3fc951)
2014-06-29 03:05:37 +01:00
Dr. Stephen Henson
14999bcc59 Clarify protocols supported.
Update protocols supported and note that SSLv2 is effectively disabled
by default.

PR#3184
(cherry picked from commit 1b13a4f38dfc385d5e776f6b3e06c5795874cf9b)
2014-06-29 00:04:43 +01:00
Dr. Stephen Henson
046e288edf Typo.
PR#3107
(cherry picked from commit 7c206db9280865ae4af352dbc14e9019a6c4795d)
2014-06-28 12:43:18 +01:00
Dr. Stephen Henson
d8b11e75cb Don't disable state strings with no-ssl2
Some state strings were erronously not compiled when no-ssl2
was set.

PR#3295
(cherry picked from commit 0518a3e19e18cfc441cab261b28441b8c8bd77bf)
2014-06-28 00:56:42 +01:00
yogesh nagarkar
0df7959d43 Fix compilation with -DSSL_DEBUG -DTLS_DEBUG -DKSSL_DEBUG
PR#3141
(cherry picked from commit d183545d4589f1e7a40190400b8b99ea3d1f7f97)
2014-06-28 00:41:49 +01:00
Andreas Westfeld
5894eb1f33 Fix typo in ideatest.c
(cherry picked from commit d1d4382dcb3fdcad4758ef7e7dd7b61dbf5abbfe)
2014-06-28 00:06:40 +01:00
Ken Ballou
6daba1dc6a Remove redundant check.
PR#3174
(cherry picked from commit fd331c0bb9b557903dd2ce88398570a3327b5ef0)
2014-06-27 23:18:21 +01:00
Dr. Stephen Henson
69b8f2895b Fix for EVP_PBE_alg_add().
In EVP_PBE_alg_add don't use the underlying NID for the cipher
as it may have a non-standard key size.

PR#3206
(cherry picked from commit efb7caef637a1de8468ca109efd355a9d0e73a45)
2014-06-27 22:58:55 +01:00
Dr. Stephen Henson
0ace876730 Tolerate critical AKID in CRLs.
PR#3014
(cherry picked from commit 11da66f8b1fbe5777fe08cc6ace9e1f2c1576a50)
2014-06-27 18:50:33 +01:00
Tom Greenslade
e9daf8a9ce Handle IPv6 addresses in OCSP_parse_url.
PR#2783
(cherry picked from commit b36f35cda964544a15d53d3fdfec9b2bab8cacb1)
2014-06-27 17:31:44 +01:00
Tomas Mraz
cf0156622a Don't advertise ECC ciphersuits in SSLv2 compatible client hello.
PR#3374
(cherry picked from commit 0436369fccd128cb7f6a8538d5fed1c876c437af)
2014-06-27 16:52:05 +01:00
Jeffrey Walton
86cac6d3b2 Clarify docs.
Document that the certificate passed to SSL_CTX_add_extra_chain_cert()
should not be freed by the application.

PR#3409
(cherry picked from commit 0535c2d67ca2d684087ef90be35d5fb207aab227)

Add restrictions section present in other branches.

Conflicts:

	doc/ssl/SSL_CTX_add_extra_chain_cert.pod
2014-06-27 16:41:45 +01:00
Dr. Stephen Henson
f46ea1d8e2 Remove ancient obsolete files under pkcs7.
(cherry picked from commit 7be6b27aaf5ed77f13c93dc89a2c27a42082db3f)
2014-06-27 13:54:45 +01:00
Dr. Stephen Henson
0980992d44 Memory leak and NULL derefernce fixes.
PR#3403
2014-06-27 03:21:10 +01:00
Dr. Stephen Henson
38a503fb8a Fix OID encoding for one component.
OIDs with one component don't have an encoding.

PR#2556 (Bug#1)
2014-06-27 03:17:15 +01:00
Huzaifa Sidhpurwala
fef58ce79e Make sure BN_sqr can never return a negative value.
PR#3410
(cherry picked from commit e14e764c0d5d469da63d0819c6ffc0e1e9e7f0bb)
2014-06-26 23:50:36 +01:00
Jenny Yung
da0d5e78bc Memory allocation checks.
PR#3399.
2014-06-26 23:32:17 +01:00
Miod Vallat
ad212c1ed1 Fix off-by-one errors in ssl_cipher_get_evp()
In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.

Bug discovered and fixed by Miod Vallat from the OpenBSD team.

PR#3375
2014-06-22 23:20:39 +01:00
Matt Caswell
e1bce59fd3 Revert "Fix off-by-one errors in ssl_cipher_get_evp()"
This reverts commit 29411a0c7a00a73e4ca42be8b5a7401d3bb5107a.

Incorrect attribution.
2014-06-22 23:20:19 +01:00
Dr. Stephen Henson
9beb75d3c4 Accept CCS after sending finished.
Allow CCS after finished has been sent by client: at this point
keys have been correctly set up so it is OK to accept CCS from
server. Without this renegotiation can sometimes fail.

PR#3400
(cherry picked from commit 99cd6a91fcb0931feaebbb4832681d40a66fad41)
2014-06-14 22:26:10 +01:00
Matt Caswell
042ef467ee Fixed incorrect return code handling in ssl3_final_finish_mac.
Based on an original patch by Joel Sing (OpenBSD) who also originally identified the issue.
2014-06-13 15:53:29 +01:00
Matt Caswell
01736e6c41 Revert "Fixed incorrect return code handling in ssl3_final_finish_mac"
This reverts commit 9ab788aa23feaa0e3b9efc2213e0c27913f8d987.

Missing attribution
2014-06-13 15:53:08 +01:00
Kurt Cancemi
29411a0c7a Fix off-by-one errors in ssl_cipher_get_evp()
In the ssl_cipher_get_evp() function, fix off-by-one errors in index validation before accessing arrays.

PR#3375
2014-06-12 21:15:54 +01:00
Dr. Stephen Henson
b66f59adfa Fix compilation with no-comp
(cherry picked from commit 7239a09c7b5757ed8d0e9869f3e9b03c0e11f4d1)
2014-06-11 14:33:32 +01:00
Matt Caswell
9ab788aa23 Fixed incorrect return code handling in ssl3_final_finish_mac 2014-06-10 23:28:10 +01:00
Hubert Kario
87887a7a65 backport changes to ciphers(1) man page
Backport of the patch:
add ECC strings to ciphers(1), point out difference between DH and ECDH
and few other changes applicable to the 1.0.1 code base.

 * Make a clear distinction between DH and ECDH key exchange.
 * Group all key exchange cipher suite identifiers, first DH then ECDH
 * add descriptions for all supported *DH* identifiers
 * add ECDSA authentication descriptions
 * add example showing how to disable all suites that offer no
   authentication or encryption
 * backport listing of elliptic curve cipher suites.
 * backport listing of TLS 1.2 cipher suites, add note that DH_RSA
   and DH_DSS is not implemented in this version
 * backport of description of PSK and listing of PSK cipher suites
 * backport description of AES128, AES256 and AESGCM options
 * backport description of CAMELLIA128, CAMELLIA256 options
2014-06-10 20:56:39 +01:00
Mike Bland
5a0d057e49 Create test/testutil.h for unit test helper macros
Defines SETUP_TEST_FIXTURE and EXECUTE_TEST, and updates ssl/heartbeat_test.c
using these macros. SETUP_TEST_FIXTURE makes use of the new TEST_CASE_NAME
macro, defined to use __func__ or __FUNCTION__ on platforms that support those
symbols, or to use the file name and line number otherwise. This should fix
several reported build problems related to lack of C99 support.
2014-06-10 19:27:45 +01:00
Dr. Stephen Henson
aa59369b4c Fix null pointer errors.
PR#3394
(cherry picked from commit 7a9d59c148b773f59a41f8697eeecf369a0974c2)
2014-06-10 14:48:07 +01:00
Dr. Stephen Henson
18c7f2fce8 SRP ciphersuite correction.
SRP ciphersuites do not have no authentication. They have authentication
based on SRP. Add new SRP authentication flag and cipher string.
(cherry picked from commit a86b88acc373ac1fb0ca709a5fb8a8fa74683f67)
2014-06-09 12:09:49 +01:00
Dr. Stephen Henson
6a8d6f039a Update strength_bits for 3DES.
Fix strength_bits to 112 for 3DES.
(cherry picked from commit 837c203719205ab19b5609b2df7151be8df05687)
2014-06-09 12:09:49 +01:00
Kurt Roeckx
5ff9c21f72 Link heartbeat_test with the static version of the libraries
It's using an internal API that that might not be available in the shared
library.
2014-06-09 00:13:06 +01:00
Jakub Wilk
5c52c04650 Create ~/.rnd with mode 0600 instead of 0666
Because of a missing include <fcntl.h> we don't have O_CREATE and don't create
the file with open() using mode 0600 but fall back to using fopen() with the
default umask followed by a chmod().

Problem found by Jakub Wilk <jwilk@debian.org>.
2014-06-08 21:25:43 +01:00
Dr. Stephen Henson
6c86bf7a1e update NEWS 2014-06-07 18:19:03 +01:00
Dr. Stephen Henson
0d4d2e02eb Make tls_session_secret_cb work with CVE-2014-0224 fix.
If application uses tls_session_secret_cb for session resumption
set the CCS_OK flag.
(cherry picked from commit 953c592572e8811b7956cc09fbd8e98037068b58)
2014-06-07 15:27:21 +01:00
Matt Caswell
151399a944 Fixed minor duplication in docs 2014-06-07 12:32:00 +01:00
Dr. Stephen Henson
049615e35d Prepare for 1.0.1i-dev 2014-06-05 10:45:50 +01:00
Dr. Stephen Henson
6b72417a00 Prepare for 1.0.1h release 2014-06-05 10:45:00 +01:00
Dr. Stephen Henson
aabbe99fcb Update CHANGES and NEWS 2014-06-05 09:04:27 +01:00
Dr. Stephen Henson
8011cd56e3 Fix CVE-2014-3470
Check session_cert is not NULL before dereferencing it.
2014-06-05 09:04:27 +01:00
Dr. Stephen Henson
d3152655d5 Fix CVE-2014-0221
Unnecessary recursion when receiving a DTLS hello request can be used to
crash a DTLS client. Fixed by handling DTLS hello request without recursion.

Thanks to Imre Rad (Search-Lab Ltd.) for discovering this issue.
2014-06-05 09:04:27 +01:00
Dr. Stephen Henson
006cd7083f Additional CVE-2014-0224 protection.
Return a fatal error if an attempt is made to use a zero length
master secret.
2014-06-05 09:04:27 +01:00
Dr. Stephen Henson
bc8923b1ec Fix for CVE-2014-0224
Only accept change cipher spec when it is expected instead of at any
time. This prevents premature setting of session keys before the master
secret is determined which an attacker could use as a MITM attack.

Thanks to KIKUCHI Masashi (Lepidum Co. Ltd.) for reporting this issue
and providing the initial fix this patch is based on.
2014-06-05 09:04:27 +01:00
Dr. Stephen Henson
1632ef7448 Fix for CVE-2014-0195
A buffer overrun attack can be triggered by sending invalid DTLS fragments
to an OpenSSL DTLS client or server. This is potentially exploitable to
run arbitrary code on a vulnerable client or server.

Fixed by adding consistency check for DTLS fragments.

Thanks to Jüri Aedla for reporting this issue.
2014-06-05 09:04:27 +01:00
Dr. Stephen Henson
f1f4fbde2a make update 2014-06-05 09:02:03 +01:00
Libor Krystek
1854c48005 Corrected OPENSSL_NO_EC_NISTP_64_GCC_128 usage in ec_lcl.h. PR#3370 2014-06-03 23:19:21 +01:00
David Benjamin
ebda73f867 Check there is enough room for extension.
(cherry picked from commit 7d89b3bf42e4b4067371ab33ef7631434e41d1e4)
2014-06-02 19:00:02 +01:00
zhu qun-ying
bcc311668e Free up s->d1->buffered_app_data.q properly.
PR#3286
(cherry picked from commit 71e95000afb2227fe5cac1c79ae884338bcd8d0b)
2014-06-02 14:40:18 +01:00
Sami Farin
1dd26414df Typo: set i to -1 before goto.
PR#3302
(cherry picked from commit 9717f01951f976f76dd40a38d9fc7307057fa4c4)
2014-06-02 14:22:06 +01:00
Matt Caswell
056389eb1c Added SSLErr call for internal error in dtls1_buffer_record 2014-06-01 21:38:01 +01:00
David Ramos
a07856a08d Delays the queue insertion until after the ssl3_setup_buffers() call due to use-after-free bug. PR#3362 2014-06-01 21:37:47 +01:00
Dr. Stephen Henson
19ce768c6b Recognise padding extension.
(cherry picked from commit ea2bb861f0daaa20819bf9ac8c146f7593feacd4)

Conflicts:

	apps/s_cb.c
(cherry picked from commit 14dc83ca779e91a267701a1fb05b2bbcf2cb63c4)
2014-06-01 16:50:37 +01:00
Dr. Stephen Henson
aaed77c55e Option to disable padding extension.
Add TLS padding extension to SSL_OP_ALL so it is used with other
"bugs" options and can be turned off.

This replaces SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG which is an ancient
option referring to SSLv2 and SSLREF.

PR#3336
2014-06-01 16:50:37 +01:00
Dr. Stephen Henson
49270d0431 Set default global mask to UTF8 only.
(cherry picked from commit 3009244da47b989c4cc59ba02cf81a4e9d8f8431)
2014-06-01 15:04:29 +01:00
David Ramos
673c42b238 Allocate extra space when NETSCAPE_HANG_BUG defined.
Make sure there is an extra 4 bytes for server done message when
NETSCAPE_HANG_BUG is defined.

PR#3361
2014-06-01 14:30:10 +01:00
David Ramos
5541b18ba8 Initialise alg.
PR#3313
(cherry picked from commit 7e2c6f7eb01515a990f77fbc5441be8e1a17152a)
2014-06-01 13:05:20 +01:00
Dr. Stephen Henson
28e117f49f Use correct digest when exporting keying material.
PR#3319
(cherry picked from commit 84691390eae86befd33c83721dacedb539ae34e6)
2014-05-31 13:43:01 +01:00
Dr. Stephen Henson
46bfc05480 Don't compile heartbeat test code on Windows (for now).
(cherry picked from commit 2c575907d2c8601a18716f718ce309ed4e1f1783)
2014-05-31 13:43:01 +01:00
Hubert Kario
427a37ca3f add description of -attime to man page
the verify app man page didn't describe the usage of attime option
even though it was listed as a valid option in the -help message.

This patch fixes this omission.
2014-05-30 23:33:10 +01:00
Hubert Kario
39ae3b338f add description of -no_ecdhe option to s_server man page
While the -help message references this option, the man page
doesn't mention the -no_ecdhe option.
This patch fixes this omission.
2014-05-30 23:32:54 +01:00
Dr. Stephen Henson
48f5b3efce Set version number correctly.
PR#3249
(cherry picked from commit 8909bf20269035d295743fca559207ef2eb84eb3)
2014-05-29 14:12:14 +01:00
František Bořánek
f8dc000699 Fix memory leak.
PR#3278
(cherry picked from commit de56fe797081fc09ebd1add06d6e2df42a324fd5)
2014-05-29 14:12:14 +01:00
Martin Kaiser
bf8d6f9ab8 remove duplicate 0x for default RSASSA-PSS salt len
(cherry picked from commit 3820fec3a09faecba7fe9912aa20ef7fcda8337b)
2014-05-29 14:12:14 +01:00
Peter Mosmans
17e844a450 Fix for test_bn regular expression to work on Windows using MSYS. PR#3346 2014-05-27 23:26:11 +01:00
Matt Caswell
8ca7d12430 Fixed Windows compilation failure 2014-05-27 00:26:55 +01:00
Matt Caswell
67b9c82ea2 Fixed error in args for SSL_set_msg_callback and SSL_set_msg_callback_arg 2014-05-25 23:48:15 +01:00
Matt Caswell
a6f5b991eb Fix for non compilation with TLS_DEBUG defined 2014-05-24 23:56:58 +01:00
Mike Bland
756587dcb9 Fix heartbeat_test for -DOPENSSL_NO_HEARTBEATS
Replaces the entire test with a trivial implementation when
OPENSSL_NO_HEARTBEATS is defined.
2014-05-22 22:05:26 +01:00
Matt Caswell
0a084f7b3a Fixed minor copy&paste error, and stray space causing rendering problem 2014-05-22 00:12:14 +01:00
Dr. Stephen Henson
da0a95b23a Fix for PKCS12_create if no-rc2 specified.
Use triple DES for certificate encryption if no-rc2 is
specified.

PR#3357
(cherry picked from commit 4689c08453e95eeefcc88c9f32dc6e509f95caff)
2014-05-21 11:14:33 +01:00
Dr. Stephen Henson
599fe418a1 Change default cipher in smime app to des3.
PR#3357
(cherry picked from commit ca3ffd9670f2b589bf8cc04923f953e06d6fbc58)
2014-05-21 11:14:33 +01:00
Dr. Stephen Henson
4519e7b839 For portability use BUF_strndup instead of strndup.
(cherry picked from commit dcca7b13e9066443237dd3001ae52fd103151c98)
2014-05-20 11:23:23 +01:00
Janpopan
4659b53e7d Fix a wrong parameter count ERR_add_error_data 2014-05-19 22:17:00 +01:00
Ben Laurie
dc22495d35 Merge branch 'mbland-heartbeat-test-1.0.1' into OpenSSL_1_0_1-stable 2014-05-19 18:26:04 +01:00
Mike Bland
ab0d964259 Unit/regression test for TLS heartbeats.
Regression test against CVE-2014-0160 (Heartbleed).

More info: http://mike-bland.com/tags/heartbleed.html

(based on commit 35cb55988b75573105eefd00d27d0138eebe40b1)
2014-05-19 18:23:24 +01:00
Ben Laurie
dac3654e2d Allow the maximum value. 2014-05-19 18:21:39 +01:00
Ben Laurie
989d87cb1a Fix signed/unsigned warning. 2014-05-19 18:20:54 +01:00
Matt Caswell
d6934a02b5 Moved note about lack of support for AEAD modes out of BUGS section to SUPPORTED CIPHERS section (bug has been fixed, but still no support for AEAD) 2014-05-15 21:17:19 +01:00
Dr. Stephen Henson
f9986e9abf Enc doesn't support AEAD ciphers. 2014-05-15 14:16:44 +01:00
Jeffrey Walton
1f5e321ec1 Fix grammar error in verify pod. PR#3355 2014-05-14 22:59:48 +01:00
Jeffrey Walton
b6adb6ef58 Add information to BUGS section of enc documentation. PR#3354 2014-05-14 22:59:48 +01:00
Michal Bozon
bfdaf45141 Corrected POD syntax errors. PR#3353 2014-05-14 22:59:48 +01:00
Kurt Roeckx
69526a354d Check sk_SSL_CIPHER_num() after assigning sk. 2014-05-12 23:01:06 +01:00
Jean-Paul Calderone
778f2b648c Correct the return type on the signature for X509_STORE_CTX_get_ex_data given in the pod file. 2014-05-12 22:48:34 +01:00
Serguei E. Leontiev
2223317bef Replace manual ASN1 decoder with ASN1_get_object
Replace manual ASN.1 decoder with ASN1_get object. This
will decode the tag and length properly and check against
it does not exceed the supplied buffer length.

PR#3335
(cherry picked from commit b0308dddd1cc6a8e1de803ef29ba6da25ee072c2)
2014-05-12 18:41:50 +01:00
Matt Caswell
b107586c0c Fixed NULL pointer dereference. See PR#3321 2014-05-12 00:43:33 +01:00
Kurt Roeckx
d544755389 Set authkey to NULL and check malloc return value. 2014-05-12 00:24:59 +01:00
Martin Brejcha
88398e9ba3 dgram_sctp_ctrl: authkey memory leak
PR: 3327
2014-05-12 00:24:59 +01:00
Günther Noack
15c1ac03c8 Avoid out-of-bounds write in SSL_get_shared_ciphers
PR: 3317
2014-05-11 23:57:14 +01:00
Viktor Dukhovni
c3c6fc7855 Fix infinite loop. PR#3347 2014-05-11 21:13:18 +01:00
Tim Hudson
4d8cca8a7e safety check to ensure we dont send out beyond the users buffer 2014-05-11 13:29:59 +01:00
Dr. Stephen Henson
d61be85581 Return an error if no recipient type matches.
If the key type does not match any CMS recipient type return
an error instead of using a random key (MMA mitigation). This
does not leak any useful information to an attacker.

PR#3348
2014-05-09 14:24:51 +01:00
Tim Hudson
9e456a8537 coverity 966576 - close socket in error path 2014-05-08 23:19:19 +01:00
Tim Hudson
f179e2b899 PR#3342 fix resource leak coverity issue 966577 2014-05-08 23:18:44 +01:00
Tim Hudson
6a60b41431 fix coverity issue 966597 - error line is not always initialised 2014-05-08 00:00:08 +01:00
Matt Caswell
c6a47f988c Fixed NULL pointer dereference in PKCS7_dataDecode reported by David Ramos in PR#3339 2014-05-07 23:25:46 +01:00
Geoff Thorpe
d0666f289a evp: prevent underflow in base64 decoding
This patch resolves RT ticket #2608.

Thanks to Robert Dugal for originally spotting this, and to David
Ramos for noticing that the ball had been dropped.

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-05-06 18:10:23 -04:00
Geoff Thorpe
d8afda60a9 bignum: allow concurrent BN_MONT_CTX_set_locked()
The lazy-initialisation of BN_MONT_CTX was serialising all threads, as
noted by Daniel Sands and co at Sandia. This was to handle the case that
2 or more threads race to lazy-init the same context, but stunted all
scalability in the case where 2 or more threads are doing unrelated
things! We favour the latter case by punishing the former. The init work
gets done by each thread that finds the context to be uninitialised, and
we then lock the "set" logic after that work is done - the winning
thread's work gets used, the losing threads throw away what they've done.

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-05-06 18:10:21 -04:00
Geoff Thorpe
804ab36df6 dso: eliminate VMS code on non-VMS systems
Even though the meat of dso_vms.c is compiled out on non-VMS builds,
the (pre-)compiler still traverses some of the macro handling. This
trips up at least one non-VMS build configuration, so this commit
makes the skip-VMS case more robust.

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-05-06 18:10:17 -04:00
Dr. Stephen Henson
a41d5174e2 Initialize num properly.
PR#3289
PR#3345
(cherry picked from commit 3ba1e406c2309adb427ced9815ebf05f5b58d155)
2014-05-06 14:09:14 +01:00
Dr. Stephen Henson
9c5d953a07 Set Enveloped data version to 2 if ktri version not zero. 2014-05-06 14:02:38 +01:00
Tim Hudson
7b7b18c57e - fix coverity issues 966593-966596 2014-05-06 00:07:34 +01:00
David Ramos
8eb094b946 Double free in i2o_ECPublicKey
PR: 3338
2014-05-04 00:53:19 +01:00
Jeff Trawick
7fa18a63cb typo in SSL_get_peer_cert_chain docs
RT: 3304
2014-05-02 00:27:37 +01:00
Matt Caswell
90600a5e3b Fixed spelling error in error message. Fix supplied by Marcos Marado 2014-05-01 00:23:57 +01:00
Lubomir Rintel
23f5908ac7 POD: Fix item numbering
Newer pod2man considers =item [1-9] part of a numbered list, while =item
0 starts an unnumbered list. Add a zero effect formatting mark to override
this.

doc/apps/smime.pod around line 315: Expected text after =item, not a
number
...

PR#3146
2014-04-30 23:47:29 +01:00
mancha
e622237d12 Fix version documentation.
Specify -f is for compilation flags. Add -d to synopsis section.

(cherry picked from commit 006397ea62bbcae22c8664d53c2222b808c4bdd1)

Closes #79.
2014-04-26 11:21:34 +01:00
mancha
f0816174d2 Fix eckey_priv_encode()
Fix eckey_priv_encode to return an error on failure of i2d_ECPrivateKey.
2014-04-24 19:32:17 +00:00
Steve Marquess
057444f844 Add new sponsors
(cherry picked from commit 351f0a124bffaa94d2a8abdec2e7dde5ae9c457d)
2014-04-24 12:32:59 +01:00
Ben Laurie
725c5f1ad3 Fix use after free. 2014-04-23 07:33:17 +01:00
Ben Laurie
9c8dc84ac1 Fix double frees. 2014-04-22 17:02:37 +01:00
Dr. Stephen Henson
e3899ababb Document -debug_decrypt option.
(cherry picked from commit 0dd5b94aeb77c2982bdf6886962b7a8491c6c9ed)
2014-04-16 12:36:06 +01:00
Dr. Stephen Henson
3fc880ac5d Extension checking fixes.
When looking for an extension we need to set the last found
position to -1 to properly search all extensions.

PR#3309.
(cherry picked from commit 300b9f0b704048f60776881f1d378c74d9c32fbd)
2014-04-15 18:53:04 +01:00
Dr. Stephen Henson
602b2790ca Clarify CMS_decrypt behaviour.
(cherry picked from commit 5f8e9a477a18551052f2019c1f374061acbaa5e6)
2014-04-15 18:19:40 +01:00
Dr. Stephen Henson
b05a3ad765 Add new key fingerprint.
(cherry picked from commit 3143a332e8f2f5ca1a6f0262a1a1a66103f2adf7)
2014-04-11 02:51:48 +01:00
Dr. Stephen Henson
3d8f4f23af Fix free errors in ocsp utility.
Keep copy of any host, path and port values allocated by
OCSP_parse_url and free as necessary.
(cherry picked from commit 5219d3dd350cc74498dd49daef5e6ee8c34d9857)
2014-04-09 15:45:35 +01:00
Steven M. Schweda
a74bee5fc7 VMS build fix #2. 2014-04-08 17:23:03 +01:00
Steven M. Schweda
55c9e24875 VMS build fix for older compilers. 2014-04-07 23:14:11 +01:00
Dr. Stephen Henson
ebe221948d Prepare for 1.0.1h-dev 2014-04-07 17:58:39 +01:00
Dr. Stephen Henson
b2d951e423 Prepare for 1.0.1g release 2014-04-07 17:55:44 +01:00
Dr. Stephen Henson
c5993d10a8 Update NEWS. 2014-04-07 17:53:31 +01:00
Dr. Stephen Henson
5be1ae28ef Return if ssleay_rand_add called with zero num.
Treat a zero length passed to ssleay_rand_add a no op: the existing logic
zeroes the md value which is very bad. OpenSSL itself never does this
internally and the actual call doesn't make sense as it would be passing
zero bytes of entropy.

Thanks to Marcus Meissner <meissner@suse.de> for reporting this bug.
2014-04-07 17:53:31 +01:00
Dr. Stephen Henson
96db9023b8 Add heartbeat extension bounds check.
A missing bounds check in the handling of the TLS heartbeat extension
can be used to reveal up to 64k of memory to a connected client or
server.

Thanks for Neel Mehta of Google Security for discovering this bug and to
Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for
preparing the fix (CVE-2014-0160)
2014-04-07 17:53:31 +01:00
Dr. Stephen Henson
0d7717fc9c Document -verify_return_error option.
(cherry picked from commit 4e6c12f3088d3ee5747ec9e16d03fc671b8f40be)
2014-04-07 13:04:21 +01:00
Andy Polyakov
aba7600029 crypto/modes/gcm128.c: more strict aliasing fixes.
(cherry picked from commit 997d1aac7cfb957decb62d8f0034a7eca6177fec)
2014-04-06 17:22:46 +02:00
Andy Polyakov
00acdfbf98 vpaes-x86_64.pl: fix typo, which for some reason triggers rkhunter.
(cherry picked from commit 6eebcf345933694e08aba400faf6f639fb4db196)
2014-04-06 12:55:22 +02:00
Dr. Stephen Henson
51624dbdae Set TLS padding extension value.
Enable TLS padding extension using official value from:

http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml
(cherry picked from commit cd6bd5ffda616822b52104fee0c4c7d623fd4f53)

Conflicts:

	CHANGES
	ssl/tls1.h
2014-04-05 20:52:59 +01:00
Dr. Stephen Henson
9e29df0027 Update FAQ.
(cherry picked from commit 6cc0068430d0a4abdef0b466d422e6a4d154a5fe)
2014-04-04 13:07:22 +01:00
Dr. Stephen Henson
f54167d1dc Use correct length when prompting for password.
Use bufsiz - 1 not BUFSIZ - 1 when prompting for a password in
the openssl utility.

Thanks to Rob Mackinnon, Leviathan Security for reporting this issue.
(cherry picked from commit 7ba08a4d73c1bdfd3aced09a628b1d7d7747cdca)
2014-04-04 13:07:17 +01:00
Dr. Stephen Henson
6042582b62 Document new crl option.
(cherry picked from commit dbb7654dc189992966ecd95ca66f7a3bb011ab9b)
2014-04-03 13:37:11 +01:00
Tim Hudson
50522642a0 Add option to generate old hash format.
New -hash_old to generate CRL hashes using old
(before OpenSSL 1.0.0) algorithm.
(cherry picked from commit de2d97cd799f38024d70847bab37d91aa5a2536e)
2014-04-03 13:37:04 +01:00
Eric Young
bfc3424d1f Fix base64 decoding bug.
A short PEM encoded sequence if passed to the BIO, and the file
had 2 \n following would fail.

PR#3289
(cherry picked from commit 10378fb5f4c67270b800e8f7c600cd0548874811)
2014-04-02 19:57:27 +01:00
Dr. Stephen Henson
1c65936882 update NEWS 2014-03-12 14:43:52 +00:00
Dr. Stephen Henson
40acdb192e Update ordinals.
Use a previously unused value as we will be updating multiple released
branches.
(cherry picked from commit 0737acd2a8cc688902b5151cab5dc6737b82fb96)
2014-03-12 14:41:37 +00:00
Dr. Stephen Henson
4b7a4ba29c Fix for CVE-2014-0076
Fix for the attack described in the paper "Recovering OpenSSL
ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack"
by Yuval Yarom and Naomi Benger. Details can be obtained from:
http://eprint.iacr.org/2014/140

Thanks to Yuval Yarom and Naomi Benger for discovering this
flaw and to Yuval Yarom for supplying a fix.
(cherry picked from commit 2198be3483259de374f91e57d247d0fc667aef29)

Conflicts:

	CHANGES
2014-03-12 14:19:54 +00:00
Dr. Stephen Henson
e0660c6257 typo
(cherry picked from commit a029788b0e0c19cee4007cc1f73201cf2c13addf)
2014-03-10 15:48:43 +00:00
Dr. Stephen Henson
b4ada742d1 Remove -WX option from debug-VC-WIN32 2014-03-07 19:07:51 +00:00
Andy Polyakov
a93d952cd4 engines/ccgost/gosthash.c: simplify and avoid SEGV.
PR: 3275
(cherry picked from commit ea38f020492042bc1d1adc26ef197b0b9cadf968)
2014-03-07 11:03:51 +01:00
Andy Polyakov
5b56fec6f5 Makefile.org: mask touch's exit code
[but don't let it mask make's].

PR: 3269
(cherry picked from commit 2f34088e5e9ff02ad20df50571073abac04f1431)
2014-02-27 12:37:08 +01:00
Dr. Stephen Henson
32171e4e07 Fix for WIN32 builds with KRB5
(cherry picked from commit 3eddd1706a30cdf3dc9278692d8ee9038eac8a0d)
2014-02-26 15:33:09 +00:00
Andy Polyakov
48e6edabed ssl/t1_enc.c: check EVP_MD_CTX_copy return value.
PR: 3201
(cherry picked from commit 03da57fe14f2de5bde9d4496a2ae9a4ae8879f88)
2014-02-25 22:24:24 +01:00
Dr. Stephen Henson
069607124d update NEWS 2014-02-25 14:27:18 +00:00
Dr. Stephen Henson
caf55bfacf Avoid Windows 8 Getversion deprecated errors.
Windows 8 SDKs complain that GetVersion() is deprecated.

We only use GetVersion like this:

	(GetVersion() < 0x80000000)

which checks if the Windows version is NT based. Use a macro check_winnt()
which uses GetVersion() on older SDK versions and true otherwise.
(cherry picked from commit a4cc3c8041104896d51ae12ef7b678c31808ce52)
2014-02-25 13:42:25 +00:00
Andy Polyakov
ce3631015e ms/do_win64a.bat: forward to NUL, not NUL:.
Allegedly formwarding to NUL: sometimes creates NUL file in file
system.

PR: 3250
(cherry picked from commit 63aff3001ef6ba2ac376cd3f237fb0d0b3e77f30)
2014-02-24 19:33:54 +01:00
Andy Polyakov
3ae1b53496 BC-32.pl: pre-1.0.2-specific refresh for Borland C.
PR: 3251
Suggested by: Thorsten Schning
2014-02-24 16:54:10 +01:00
Andy Polyakov
79bb00534d BC-32.pl: refresh Borland C support.
PR: 3251
Suggested by: Thorsten Schning
(cherry picked from commit 779c51c6446f384c2f2a7bd5cc4c3e0366baf628)
2014-02-24 16:49:10 +01:00
Andy Polyakov
c4b16ddc8f x509/by_dir.c: fix run-away pointer (and potential SEGV)
when adding duplicates in add_cert_dir.

PR: 3261
Reported by: Marian Done
(cherry picked from commit 758954e0d8232d370ed72b7f86640e40443e1778)
2014-02-24 15:23:46 +01:00
Dr. Stephen Henson
deb3b08ff2 Add /fixed flag for FIPS links where appropriate.
(cherry picked from commit c55fef76f77aa54e85ca534785b2b19cebbe940c)

Conflicts:

	util/pl/VC-32.pl
2014-02-15 20:30:08 +00:00
Dr. Stephen Henson
b45b3efd5d Remove duplicate statement.
(cherry picked from commit 5a7652c3e585e970e5b778074c92e617e48fde38)
2014-02-15 01:29:36 +00:00
Kurt Roeckx
e420060ac9 Use defaults bits in req when not given
If you use "-newkey rsa" it's supposed to read the default number of bits from the
config file.  However the value isn't used to generate the key, but it does
print it's generating such a key.  The set_keygen_ctx() doesn't call
EVP_PKEY_CTX_set_rsa_keygen_bits() and you end up with the default set in
pkey_rsa_init() (1024).  Afterwards the number of bits gets read from the config
file, but nothing is done with that anymore.

We now read the config first and use the value from the config file when no size
is given.

PR: 2592
(cherry picked from commit 3343220327664680420d4068e1fbe46d2236f1b0)
2014-02-14 22:35:39 +00:00
Kurt Roeckx
d8ec8a4a65 Fix additional pod errors with numbered items.
(cherry picked from commit e547c45f1c74e976656c042ec9d873f6eea0e756)
2014-02-14 22:35:39 +00:00
Scott Schaefer
040ed7b4d0 Fix various spelling errors
(cherry picked from commit 2b4ffc659eabec29f76821f0ac624a2b8c19e4c7)
2014-02-14 22:35:39 +00:00
Scott Schaefer
c76e5b08a1 Document pkcs12 -password behavior
apps/pkcs12.c accepts -password as an argument.  The document author
almost certainly meant to write "-password, -passin".

However, that is not correct, either.  Actually the code treats
-password as equivalent to -passin, EXCEPT when -export is also
specified, in which case -password as equivalent to -passout.
(cherry picked from commit 856c6dfb09d69fc82ada2611c6cd792dfc60e355)
2014-02-14 22:35:39 +00:00
Dr. Stephen Henson
0071215832 Backport TLS padding extension from master.
(cherry picked from commit 8c6d8c2a498146992123ef5407d7ba01a1e7224d)

Conflicts:

	CHANGES
	ssl/t1_lib.c
2014-02-14 22:19:03 +00:00
Dr. Stephen Henson
4a55631e4d Backport TLS padding extension from master.
(cherry picked from commit 8c6d8c2a498146992123ef5407d7ba01a1e7224d)

Conflicts:

	CHANGES
	ssl/t1_lib.c
2014-02-05 15:42:04 +00:00
Dr. Stephen Henson
19a68574a9 Add quotes as CC can contain spaces.
PR#3253
(cherry picked from commit 7f6e09b5316928a9da24d2f695d1885a26dd38ec)
2014-02-03 14:14:09 +00:00
Dr. Stephen Henson
f21e6b6ecb Clarify docs.
Remove reference to ERR_TXT_MALLOCED in the error library as that is
only used internally. Indicate that returned error data must not be
freed.
(cherry picked from commit f2d678e6e89b6508147086610e985d4e8416e867)
2014-01-29 01:02:12 +00:00
Dr. Stephen Henson
e1549a01c7 typo
(cherry picked from commit cb2182676bdf652070bc272a3896d957763a4324)
2014-01-28 15:36:30 +00:00
Dr. Stephen Henson
765be74d24 Fix demo comment: 0.9.9 never released.
(cherry picked from commit 717cc8589540b95122a652dee68e6a75b6262d93)
2014-01-28 15:17:47 +00:00
Dr. Stephen Henson
9614d2c676 Check i before r[i].
PR#3244
2014-01-28 15:10:27 +00:00
Dr. Stephen Henson
ad03c71ea1 Add loaded dynamic ENGINEs to list.
Always add a dynamically loaded ENGINE to list. Otherwise it can cause
problems when multiply loaded, especially if it adds new public key methods.
For all current engines we only want a single implementation anyway.
(cherry picked from commit e933f91f50108a43c0198cdc63ecdfdbc77b4d0d)
2014-01-28 13:57:34 +00:00
Dr. Stephen Henson
4eedf86a16 Use default digest implementation in dgst.c
Use default instead of ENGINE version of digest. Without this
errors will occur if you use an ENGINE for a private key and
it doesn't implement the digest in question.
2014-01-23 18:36:33 +00:00
Kaspar Brand
eb85ee9a88 Omit initial status request callback check.
PR#3178
2014-01-16 13:49:38 +00:00
Zoltan Arpadffy
fa2026dc88 VMS fixes 2014-01-11 22:42:37 +00:00
Dr. Stephen Henson
fe08007399 Fix bug in X509_V_FLAG_IGNORE_CRITICAL CRL handling.
(cherry picked from commit 8f4077ca69076cebaca51b7b666db1ed49e46b9e)
2014-01-09 22:54:03 +00:00
Dr. Stephen Henson
e3ebdcff12 Update NEWS. 2014-01-08 14:24:21 +00:00
Dr. Stephen Henson
cb10cf1224 Update NEWS. 2014-01-08 13:39:48 +00:00
Dr. Stephen Henson
c0dd71c97c Fix warning
PR#3220
2014-01-08 13:36:27 +00:00
Dr. Stephen Henson
51478be956 Update NEWS: removal of time in handshakes. 2014-01-06 15:37:02 +00:00
Dr. Stephen Henson
a7304e4b98 Prepare for 1.0.1g-dev 2014-01-06 14:37:03 +00:00
Dr. Stephen Henson
0d8776344c Prepare for 1.0.1f release 2014-01-06 14:36:07 +00:00
Dr. Stephen Henson
197e0ea817 Fix for TLS record tampering bug CVE-2013-4353 2014-01-06 14:35:04 +00:00
Dr. Stephen Henson
c776a3f398 make update 2014-01-06 13:33:27 +00:00
Dr. Stephen Henson
25c9fa6026 Restore SSL_OP_MSIE_SSLV2_RSA_PADDING
The flag SSL_OP_MSIE_SSLV2_RSA_PADDING hasn't done anything since OpenSSL
0.9.7h but deleting it will break source compatibility with any software
that references it. Restore it but #define to zero.
(cherry picked from commit b17d6b8d1d49fa4732deff17cfd1833616af0d9c)
2014-01-04 14:00:44 +00:00
Dr. Stephen Henson
d2dc33d57c update NEWS 2014-01-02 19:02:28 +00:00
Dr. Stephen Henson
f3dcc8411e Don't change version number if session established
When sending an invalid version number alert don't change the
version number to the client version if a session is already
established.

Thanks to Marek Majkowski for additional analysis of this issue.

PR#3191
2014-01-02 15:12:48 +00:00
Dr. Stephen Henson
1c2c5e402a Don't use rdrand engine as default unless explicitly requested.
(cherry picked from commit 8f68678989a198ead3ab59a698302ecb0f1c8fb1)
2013-12-22 16:08:01 +00:00
Dr. Stephen Henson
34628967f1 Fix DTLS retransmission from previous session.
For DTLS we might need to retransmit messages from the previous session
so keep a copy of write context in DTLS retransmission buffers instead
of replacing it after sending CCS. CVE-2013-6450.
2013-12-20 23:12:18 +00:00
Dr. Stephen Henson
a6c62f0c25 Ignore NULL parameter in EVP_MD_CTX_destroy. 2013-12-20 22:52:41 +00:00
Dr. Stephen Henson
ca989269a2 Use version in SSL_METHOD not SSL structure.
When deciding whether to use TLS 1.2 PRF and record hash algorithms
use the version number in the corresponding SSL_METHOD structure
instead of the SSL structure. The SSL structure version is sometimes
inaccurate. Note: OpenSSL 1.0.2 and later effectively do this already.
(CVE-2013-6449)
2013-12-19 21:04:28 +00:00
Andy Polyakov
2ec4181ba9 sha512.c: fullfull implicit API contract in SHA512_Transform.
SHA512_Transform was initially added rather as tribute to tradition
than for practucal reasons. But use was recently found in ssl/s3_cbc.c
and it turned to be problematic on platforms that don't tolerate
misasligned references to memory and lack assembly subroutine.
(cherry picked from commit cdd1acd788020d2c525331da1712ada778f1373c)
2013-12-18 23:03:03 +01:00
Dr. Stephen Henson
0294b2be5f Check EVP errors for handshake digests.
Partial mitigation of PR#3200
2013-12-18 13:26:10 +00:00
Dr. Stephen Henson
f1068a1ab7 Get FIPS checking logic right.
We need to lock when *not* in FIPS mode.
(cherry picked from commit 57c4e42d7545b51cbc00015defc81db7236dc15f)
2013-12-10 12:54:55 +00:00
Dr. Stephen Henson
cadde467a8 remove obsolete STATUS file 2013-12-10 00:10:53 +00:00
Dr. Stephen Henson
c2bdcba347 Add release dates to NEWS 2013-12-09 23:55:12 +00:00
Dr. Stephen Henson
60df657b3a make update 2013-12-08 13:23:14 +00:00
Dr. Stephen Henson
17a2d0801f Avoid multiple locks in FIPS mode.
PR: 3176.

In FIPS mode ssleay_rand_bytes is only used for PRNG seeding and is
performed in either a single threaded context (when the PRNG is first
initialised) or under a lock (reseeding). To avoid multiple locks disable
use of CRYPTO_LOCK_RAND in FIPS mode in ssleay_rand_bytes.
(cherry picked from commit 53142f72c9b9c9bad2f39ca6200a4f04f5c8001c)
2013-12-08 13:23:14 +00:00
Andy Polyakov
accb3007ac bn/asm/x86_64-mont5.pl: comply with Win64 ABI.
PR: 3189
Submitted by: Oscar Ciurana
(cherry picked from commit c5d5f5bd0fe8b2313bec844c0f80f3d49562bfa8)
2013-12-04 00:03:46 +01:00
Dr. Stephen Henson
b13dff6141 Simplify and update openssl.spec 2013-11-27 15:38:04 +00:00
Andy Polyakov
4ade6a8ca4 srp/srp_grps.h: make it Compaq C-friendly.
PR: 3165
Submitted by: Daniel Richard G.
(cherry picked from commit 2df9ec01d563f9cc2deab07e8c3391059d476592)
(cherry picked from commit 0de70011adf6952e3b975d1a8a383879b64f3b77)
2013-11-12 22:20:45 +01:00
Andy Polyakov
00fadef414 modes/asm/ghash-alpha.pl: update from HEAD.
PR: 3165
(cherry picked from commit 220d1e5353409d9af938111b22d6b58e6a42f633)
2013-11-12 22:01:31 +01:00
Andy Polyakov
7ed244a0b3 Make Makefiles OSF-make-friendly.
PR: 3165
(cherry picked from commit d1cf23ac86c05b22b8780e2c03b67230564d2d34)
2013-11-12 22:01:20 +01:00
Dr. Stephen Henson
e94a23876c Fix memory leak.
(cherry picked from commit 16bc45ba956fdf07c7cda7feda88de597569df63)
2013-11-11 23:55:40 +00:00
Dr. Stephen Henson
041f681943 Typo.
(cherry picked from commit 5c50462e1e23eeb6d91e1e5311f5da0b79b04fb4)
2013-11-11 22:24:40 +00:00
Andy Polyakov
afec9f57da Makefile.org: make FIPS build work with BSD make.
(cherry picked from commit 60adefa61025ffd7d56cf7ff8491008f783282bf)
2013-11-10 23:08:25 +01:00
Dr. Stephen Henson
0ec1a77891 Check for missing components in RSA_check.
(cherry picked from commit 01be36ef70525e81fc358d2e559bdd0a0d9427a5)
2013-11-09 15:09:21 +00:00
Dr. Stephen Henson
62c2b6d944 Document RSAPublicKey_{in,out} options.
(cherry picked from commit 7040d73d22987532faa503630d6616cf2788c975)
2013-11-09 15:09:21 +00:00
Andy Polyakov
5b98979712 engines/ccgost/gost89.h: make word32 defintion unconditional.
Original definition depended on __LONG_MAX__ that is not guaranteed to
be present. As we don't support platforms with int narrower that 32 bits
it's appropriate to make defition inconditional.

PR: 3165
(cherry picked from commit 96180cac04591abfe50fc86096365553484bde65)
2013-11-08 23:09:26 +01:00
Andy Polyakov
9abbf5cce7 modes/asm/ghash-alpha.pl: make it work with older assembler.
PR: 3165
(cherry picked from commit d24d1d7daf515aa19fbf18f6371e3e617028a07c)
2013-11-08 23:09:13 +01:00
Dr. Stephen Henson
ddfe486e4c Enable PSK in FIPS mode.
Enable PSK ciphersuites with AES or DES3 in FIPS mode.
(cherry picked from commit e0ffd129c16af90eb5e2ce54e57832c0046d1aaf)
2013-11-06 14:40:01 +00:00
Dr. Stephen Henson
834d30bc63 Initialise context before using it.
(cherry picked from commit a4947e4e064d2d5bb622ac64cf13edc4a46ed196)
2013-11-06 13:19:23 +00:00
Ben Laurie
e26faa9e0c PBKDF2 should be efficient. Contributed by Christian Heimes
<christian@python.org>.
2013-11-03 17:33:54 +00:00
Robin Seggelmann
025f7dbdd1 DTLS/SCTP Finished Auth Bug
PR: 2808

With DTLS/SCTP the SCTP extension SCTP-AUTH is used to protect DATA and
FORWARD-TSN chunks. The key for this extension is derived from the
master secret and changed with the next ChangeCipherSpec, whenever a new
key has been negotiated. The following Finished then already uses the
new key.  Unfortunately, the ChangeCipherSpec and Finished are part of
the same flight as the ClientKeyExchange, which is necessary for the
computation of the new secret. Hence, these messages are sent
immediately following each other, leaving the server very little time to
compute the new secret and pass it to SCTP before the finished arrives.
So the Finished is likely to be discarded by SCTP and a retransmission
becomes necessary. To prevent this issue, the Finished of the client is
still sent with the old key.
(cherry picked from commit 9fb523adce6fd6015b68da2ca8e4ac4900ac2be2)
(cherry picked from commit b9ef52b07897f249a9fa44943dba33fba8fb2721)
2013-11-01 22:44:20 +00:00
Robin Seggelmann
44f4934bde DTLS/SCTP struct authchunks Bug
PR: 2809

DTLS/SCTP requires DATA and FORWARD-TSN chunks to be protected with
SCTP-AUTH.  It is checked if this has been activated successfully for
the local and remote peer. Due to a bug, however, the
gauth_number_of_chunks field of the authchunks struct is missing on
FreeBSD, and was therefore not considered in the OpenSSL implementation.
This patch sets the corresponding pointer for the check correctly
whether or not this bug is present.
(cherry picked from commit f596e3c491035fe80db5fc0c3ff6b647662b0003)
(cherry picked from commit b8140811367f6e1ef13afa6ffe9625309c46946c)
2013-11-01 22:44:06 +00:00
Nick Mathewson
453ca706cc Fix another gmt_unix_time case in server_random 2013-10-20 15:14:40 -07:00
Dr. Stephen Henson
5e1ff664f9 Don't use RSA+MD5 with TLS 1.2
Since the TLS 1.2 supported signature algorithms extension is less
sophisticaed in OpenSSL 1.0.1 this has to be done in two stages.

RSA+MD5 is removed from supported signature algorithms extension:
any compliant implementation should never use RSA+MD5 as a result.

To cover the case of a broken implementation using RSA+MD5 anyway
disable lookup of MD5 algorithm in TLS 1.2.
2013-10-20 12:23:27 +01:00
Ben Laurie
833a896681 More cleanup. 2013-10-19 12:37:15 +01:00
Ben Laurie
34e43b909f Cleanup. 2013-10-19 12:34:15 +01:00
Ben Laurie
62036c6fc3 Merge branch 'no_gmt_unix_time' of git://github.com/nmathewson/openssl into OpenSSL_1_0_1-stable 2013-10-19 11:46:32 +01:00
Andy Polyakov
68dd8512b7 MIPS assembly pack: get rid of deprecated instructions.
Latest MIPS ISA specification declared 'branch likely' instructions
obsolete. To makes code future-proof replace them with equivalent.
(cherry picked from commit 0c2adb0a9be76da8de9bbfd5377215f71711a52e)
2013-10-13 13:19:12 +02:00
Andy Polyakov
bbf9f3c654 aes/asm/bsaes-x86_64.pl: update from master.
Performance improvement and Windows-specific bugfix (PR#3139).
(cherry picked from commit 9ed6fba2b4685ced2340feff03da5a12ed14b003)
2013-10-12 21:50:15 +02:00
Nick Mathewson
2583270191 Control sending time with SSL_SEND_{CLIENT,SERVER}RANDOM_MODE
(I'd rather use an option, but it appears that the options field is
full.)

Now, we send the time in the gmt_unix_time field if the appropriate
one of these mode options is set, but randomize the field if the flag
is not set.
2013-10-09 10:37:53 -04:00
Nick Mathewson
3da721dac9 Refactor {client,server}_random to call an intermediate function
I'll be using this to make an option for randomizing the time.
2013-10-09 10:28:42 -04:00
Andy Polyakov
eb22b7ec75 evp/e_des3.c: fix typo with potential integer overflow on 32-bit platforms.
Submitted by: Yuriy Kaminskiy
(cherry picked from commit 524b00c0da42b129ed8622dfb3f5eab9cc5d6617)

Resolved conflicts:

	crypto/evp/e_des3.c
2013-10-03 11:11:44 +02:00
Ben Laurie
b93916149d Constification. 2013-10-01 14:53:18 +01:00
Dr. Stephen Henson
82f42a1d2e Typo.
(cherry picked from commit 415ece73015a0e24ea934ecfb857d022952bb65b)
2013-09-30 14:20:42 +01:00
Dr. Stephen Henson
a4870de5aa Disable Dual EC DRBG.
Return an error if an attempt is made to enable the Dual EC DRBG: it
is not used by default.
2013-09-22 18:24:12 +01:00
Dr. Stephen Henson
39aabe59c8 Fix warning. 2013-09-22 18:24:12 +01:00
Nick Mathewson
f4c93b46ed Do not include a timestamp in the ServerHello Random field.
Instead, send random bytes.
2013-09-16 13:44:10 -04:00
Nick Mathewson
4af793036f Do not include a timestamp in the ClientHello Random field.
Instead, send random bytes.

While the gmt_unix_time record was added in an ostensible attempt to
mitigate the dangers of a bad RNG, its presence leaks the host's view
of the current time in the clear.  This minor leak can help
fingerprint TLS instances across networks and protocols... and what's
worse, it's doubtful thet the gmt_unix_time record does any good at
all for its intended purpose, since:

    * It's quite possible to open two TLS connections in one second.
    * If the PRNG output is prone to repeat itself, ephemeral
    * handshakes (and who knows what else besides) are broken.
2013-09-16 13:44:10 -04:00
Rob Stradling
13bca90ac5 Update CHANGES. 2013-09-16 15:17:37 +01:00
Rob Stradling
c9a6ddafc5 Tidy up comments. 2013-09-16 15:07:52 +01:00
Rob Stradling
f4a51970d2 Use TLS version supplied by client when fingerprinting Safari. 2013-09-16 15:07:52 +01:00
Rob Stradling
937f125efc Fix compilation with no-ec and/or no-tlsext. 2013-09-16 15:07:52 +01:00
Rob Stradling
4b61f6d2a6 Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari on OS X.
OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
2013-09-16 15:07:51 +01:00
Ben Laurie
d5bff72615 Remove AVX and VIS3 support. 2013-09-16 15:05:21 +01:00
Andy Polyakov
3b4be0018b gcm128.c: update from master (add AVX and VIS3 support). 2013-09-16 14:14:56 +01:00
Andy Polyakov
125c2ed8a3 crypto/modes: even more strict aliasing fixes [and fix bug in cbc128.c from
previous cbc128.c commit].
2013-09-16 14:12:25 +01:00
Andy Polyakov
09da95542a cbc128.c: fix strict aliasing warning. 2013-09-16 14:11:53 +01:00
Bodo Moeller
cc53b38574 Sync CHANGES and NEWS files. 2013-09-16 14:47:56 +02:00
Bodo Moeller
0aeeae0c9c Fix overly lenient comparisons:
- EC_GROUP_cmp shouldn't consider curves equal just because
      the curve name is the same. (They really *should* be the same
      in this case, but there's an EC_GROUP_set_curve_name API,
      which could be misused.)

    - EC_POINT_cmp shouldn't return 0 for ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED
      or EC_R_INCOMPATIBLE_OBJECTS errors because in a cmp API, 0 indicates
      equality (not an error).

    Reported by: king cope

(cherry picked from commit 312a46791ab465cfa3bf26764361faed0e5df014)
2013-09-16 13:09:27 +02:00
Andy Polyakov
00c991f028 crypto/armcap.c: fix typo in rdtsc subroutine.
PR: 3125
Submitted by: Kyle McMartin
(cherry picked from commit 8e52a9063a8a016bdac780005256994d26f9c2f9)
2013-09-15 22:11:34 +02:00
Dr. Stephen Henson
55856a7b74 Correct ECDSA example.
(cherry picked from commit 3a918ea2bbf4175d9461f81be1403d3781b2c0dc)
2013-08-20 17:30:38 +01:00
Michael Tuexen
83a3af9f4e DTLS message_sequence number wrong in rehandshake ServerHello
This fix ensures that
* A HelloRequest is retransmitted if not responded by a ClientHello
* The HelloRequest "consumes" the sequence number 0. The subsequent
ServerHello uses the sequence number 1.
* The client also expects the sequence number of the ServerHello to
be 1 if a HelloRequest was received earlier.
This patch fixes the RFC violation.
(cherry picked from commit b62f4daac00303280361924b9cc19b3e27528b15)
2013-08-13 18:55:41 +01:00
Michael Tuexen
76bf0cf27c DTLS handshake fix.
Reported by: Prashant Jaikumar <rmstar@gmail.com>

Fix handling of application data received before a handshake.
(cherry picked from commit 0c75eeacd3285b395dc75b65c3e6fe6ffbef59f0)
2013-08-08 13:32:11 +01:00
Dr. Stephen Henson
7cf0529b52 Fix verify loop with CRL checking.
PR #3090
Reported by: Franck Youssef <fry@open.ch>

If no new reason codes are obtained after checking a CRL exit with an
error to avoid repeatedly checking the same CRL.

This will only happen if verify errors such as invalid CRL scope are
overridden in a callback.
(cherry picked from commit 4b26645c1a71cf9ce489e4f79fc836760b670ffe)
2013-08-06 16:08:09 +01:00
Kaspar Brand
6c03af135b Fix for PEM_X509_INFO_read_bio.
PR: 3028
Fix bug introduced in PEM_X509_INFO_bio which wouldn't process RSA keys
correctly if they appeared first.
(cherry picked from commit 5ae8d6bcbaff99423a2608559d738a3fcf7ed6dc)
2013-08-06 16:05:19 +01:00
Andy Polyakov
5cd1aa4f15 crypto/evp/e_aes.c: fix logical pre-processor bug and formatting.
Bug would emerge when XTS is added to bsaes-armv7.pl. Pointed out by
Ard Biesheuvel of Linaro.
(cherry picked from commit 044f63086051d7542fa9485a1432498c39c4d8fa)
2013-08-03 17:08:43 +02:00
Andy Polyakov
04b80f4003 crypto/sha/asm/sha1-x86_64.pl: comply with Win64 ABI. 2013-07-31 23:53:49 +02:00
Andy Polyakov
591c55a981 config: fix executable format detection on latest FreeBSD.
Submitted by: Bryan Drewery
PR: 3075
(cherry picked from commit c256e69d3f3acd0794ae9c1f353f4093bd4c8878)
2013-07-01 00:00:20 +02:00
Andy Polyakov
cd2693862b PA-RISC assembler pack: switch to bve in 64-bit builds.
PR: 3074
(cherry picked from commit 02450ec69dda7815ba1e7bd74eb30f0ae1eb3042)
2013-06-30 23:15:53 +02:00
Dr. Stephen Henson
25370e93c6 Typo: don't call RAND_cleanup during app startup.
(cherry picked from commit 90e7f983b573c3f3c722a02db4491a1b1cd87e8c)
2013-06-12 21:18:47 +01:00
Dr. Stephen Henson
cdb6c48445 Don't use RC2 with PKCS#12 files in FIPS mode. 2013-05-30 21:39:50 +01:00
Dr. Stephen Henson
04b727b4dd Fix PSS signature printing.
Fix PSS signature printing: consistently use 0x prefix for hex values for
padding length and trailer fields.
(cherry picked from commit deb24ad53147f5a8dd63416224a5edd7bbc0e74a)
2013-05-05 14:03:30 +01:00
Dr. Stephen Henson
cbd93a0636 Reencode with X509_CRL_ctx_sign too.
(cherry picked from commit 96940f4f2d0300c033379a87db0ff19e598c6264)
2013-05-03 13:06:18 +01:00
Dr. Stephen Henson
b9e84f007f Reencode certificates in X509_sign_ctx.
Reencode certificates in X509_sign_ctx as well as X509_sign.

This was causing a problem in the x509 application when it modified an
existing certificate.
(cherry picked from commit c6d8adb8a45186617e0a8e2c09469bd164b92b31)
2013-05-02 12:24:56 +01:00
Andy Polyakov
29a546720b crypto/modes/modes_lcl.h: let STRICT_ALIGNMENT be on ARMv7.
While ARMv7 in general is capable of unaligned access, not all instructions
actually are. And trouble is that compiler doesn't seem to differentiate
those capable and incapable of unaligned access. Side effect is that kernel
goes into endless loop retrying same instruction triggering unaligned trap.
Problem was observed in xts128.c and ccm128.c modules. It's possible to
resolve it by using (volatile u32*) casts, but letting STRICT_ALIGNMENT
be feels more appropriate.
(cherry picked from commit 3bdd80521a81d50ade4214053cd9b293f920a77b)
2013-04-13 21:19:31 +02:00
Dr. Stephen Henson
0e9dd387ea Set s->d1 to NULL after freeing it.
(cherry picked from commit 04638f2fc335a6dc2af8e5d556d36e29c261dcd2)
2013-04-08 18:40:28 +01:00
Dr. Stephen Henson
79dabcc137 Typo.
(cherry picked from commit 0ded2a06891a4d5a207d8f29aa9a89a755158170)
2013-03-31 17:43:58 +01:00
Dr. Stephen Henson
944bc29f90 Call RAND_cleanup in openssl application. 2013-03-28 14:28:06 +00:00
Matt Caswell
03e1b3a153 Make binary curve ASN.1 work in FIPS mode.
Don't check for binary curves by checking methods: the values will
be different in FIPS mode as they are redirected to the validated module
version.
(cherry picked from commit 94782e0e9c28bd872107b8f814f4db68c9fbf5ab)
2013-03-26 16:58:40 +00:00
Dr. Stephen Henson
9c95ff968a Disable compression for DTLS.
The only standard compression method is stateful and is incompatible with
DTLS.
(cherry picked from commit e14b8410ca882da8e9579a2d928706f894c8e1ae)
2013-03-19 13:47:29 +00:00
Andy Polyakov
96b680f210 x86cpuid.pl: make it work with older CPUs.
PR: 3005
(cherry picked from commit 5702e965d759dde8a098d8108660721ba2b93a7d)
2013-03-18 19:50:23 +01:00
Andy Polyakov
9ab3ce1246 e_aes_cbc_hmac_sha1.c: fix rare bad record mac on AES-NI plaforms.
PR: 3002
(cherry picked from commit 5c60046553716fcf160718f59160493194f212dc)
2013-03-18 19:35:48 +01:00
Michael Tuexen
3972dbe462 Avoid unnecessary fragmentation.
(cherry picked from commit 80ccc66d7eedb2d06050130c77c482ae1584199a)
2013-03-18 14:33:09 +00:00
Dr. Stephen Henson
85615e33e5 Encode INTEGER correctly.
If an ASN1_INTEGER structure is allocated but not explicitly set encode
it as zero: don't generate an invalid zero length INTEGER.
(cherry picked from commit 1643edc63c3e15b6db5a15a728bc288f2cc2bbc7)
2013-03-18 14:21:56 +00:00
Dr. Stephen Henson
f4cfc3444a Merge branch 'OpenSSL_1_0_1-stable' of ../openssl into OpenSSL_1_0_1-stable 2013-03-18 14:00:13 +00:00
Dr. Stephen Henson
24f599af21 Typo.
(cherry picked from commit 1546fb780bc11556a18d70c5fb29af4a9d5beaff)
2013-03-18 13:59:44 +00:00
Andy Polyakov
bca0d7fdb5 x86_64-gf2m.pl: fix typo.
(cherry picked from commit 342dbbbe4eb82b6e12163965a12f580c2deb03ad)
2013-03-01 22:38:11 +01:00
Andy Polyakov
bc4ae2cb0b x86_64-gf2m.pl: add missing Windows build fix for #2963.
PR: 3004
(cherry picked from commit 7c43601d4424575d589f028aed0d5a4ae337527f)
2013-03-01 21:58:08 +01:00
Andy Polyakov
ef4b9f001a bn_nist.c: cumulative update from master.
PR: 2981, 2837
2013-02-16 11:40:35 +01:00
Nick Alcock
08f8933fa3 Fix POD errors to stop make install_docs dying with pod2man 2.5.0+
podlators 2.5.0 has switched to dying on POD syntax errors. This means
that a bunch of long-standing erroneous POD in the openssl documentation
now leads to fatal errors from pod2man, halting installation.

Unfortunately POD constraints mean that you have to sort numeric lists
in ascending order if they start with 1: you cannot do 1, 0, 2 even if
you want 1 to appear first. I've reshuffled such (alas, I wish there
were a better way but I don't know of one).
(cherry picked from commit 5cc270774258149235f69e1789b3370f57b0e27b)
2013-02-15 19:40:09 +01:00
Andy Polyakov
41958376b5 cms-test.pl: make it work with not-so-latest perl.
(cherry picked from commit 9c437e2faded18b4ef6499d7041c65d6e216955b)
2013-02-14 16:39:33 +01:00
David Woodhouse
9fe4603b82 Check DTLS_BAD_VER for version number.
The version check for DTLS1_VERSION was redundant as
DTLS1_VERSION > TLS1_1_VERSION, however we do need to
check for DTLS1_BAD_VER for compatibility.

PR:2984
(cherry picked from commit d980abb22e22661e98e5cee33d760ab0c7584ecc)
2013-02-12 15:16:05 +00:00
Dr. Stephen Henson
147dbb2fe3 Fix for SSL_get_certificate
Now we set the current certificate to the one used by a server
there is no need to call ssl_get_server_send_cert which will
fail if we haven't sent a certificate yet.
2013-02-11 18:24:03 +00:00
Dr. Stephen Henson
cbf9b4aed3 Fix in ssltest is no-ssl2 configured 2013-02-11 18:17:50 +00:00
Dr. Stephen Henson
625a55324f update CHANGES 2013-02-11 16:35:10 +00:00
Dr. Stephen Henson
3151e328e0 prepare for next version 2013-02-11 16:14:11 +00:00
Dr. Stephen Henson
46ebd9e3bb use 10240 for record size
Workaround for non-compliant tar files sometimes created by "make dist".
2013-02-11 15:21:21 +00:00
Dr. Stephen Henson
f66db68e1f prepare for release 2013-02-11 11:57:46 +00:00
Dr. Stephen Henson
0c4b72e9c0 Update NEWS 2013-02-11 11:54:10 +00:00
Lutz Jaenicke
f88dbb8385 FAQ/README: we are now using Git instead of CVS 2013-02-11 11:29:05 +01:00
Andy Polyakov
1113fc31ba sparccpuid.S: work around emulator bug on T1.
(cherry picked from commit 3caeef94bd045608af03b061643992e3afd9c445)
2013-02-11 10:41:57 +01:00
Andy Polyakov
0898147090 ssl/*: fix linking errors with no-srtp. 2013-02-09 19:52:07 +01:00
Andy Polyakov
4d8da30fc1 ssl/s3_[clnt|srvr].c: fix warnings. 2013-02-09 19:50:34 +01:00
Andy Polyakov
579f3a631e s3_cbc.c: make CBC_MAC_ROTATE_IN_PLACE universal.
(cherry picked from commit f93a41877d8d7a287debb7c63d7b646abaaf269c)
2013-02-08 21:37:07 +01:00
Andy Polyakov
47061af106 s3_cbc.c: get rid of expensive divisions [from master].
(cherry picked from commit e9baceab5a385e570706ca98dec768b2d89d1ac6)
2013-02-08 17:00:46 +01:00
Andy Polyakov
13e225300f e_aes_cbc_hmac_sha1.c: fine-tune cache line alignment.
With previous commit it also ensures that valgrind is happy.
2013-02-08 09:45:09 +01:00
Ben Laurie
26bc56d014 Add clang target. 2013-02-07 16:17:43 -08:00
Ben Laurie
496681cd51 Remove extraneous brackets (clang doesn't like them). 2013-02-07 16:17:43 -08:00
Andy Polyakov
746c6f3a53 e_aes_cbc_hmac_sha1.c: align calculated MAC at cache line. 2013-02-07 23:04:31 +01:00
Andy Polyakov
8545f73b89 ssl/[d1|s3]_pkt.c: harmomize orig_len handling. 2013-02-07 22:47:05 +01:00
Dr. Stephen Henson
32cc2479b4 Fix IV check and padding removal.
Fix the calculation that checks there is enough room in a record
after removing padding and optional explicit IV. (by Steve)

For AEAD remove the correct number of padding bytes (by Andy)
2013-02-07 21:06:37 +00:00
Adam Langley
f306b87d76 Fix for EXP-RC2-CBC-MD5
MD5 should use little endian order. Fortunately the only ciphersuite
affected is EXP-RC2-CBC-MD5 (TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5) which
is a rarely used export grade ciphersuite.
2013-02-06 16:05:40 +00:00
Dr. Stephen Henson
41cf07f0ec prepare for next version 2013-02-06 02:26:24 +00:00
Dr. Stephen Henson
62f4033381 typo 2013-02-04 23:12:58 +00:00
Dr. Stephen Henson
f9f6a8f96c Prepare for release. 2013-02-04 22:40:10 +00:00
Dr. Stephen Henson
df0d93564e typo 2013-02-04 22:39:37 +00:00
Dr. Stephen Henson
0d589ac150 make update 2013-02-04 21:29:41 +00:00
Dr. Stephen Henson
35d732fc2e Fix error codes. 2013-02-04 21:13:18 +00:00
Dr. Stephen Henson
896ddb9851 Reword NEWS entry. 2013-02-04 20:48:45 +00:00
Dr. Stephen Henson
e630b3c218 Update NEWS 2013-02-04 20:47:36 +00:00
Dr. Stephen Henson
f1ca56a69f Add CHANGES entries. 2013-02-04 20:37:46 +00:00
Andy Polyakov
529d27ea47 e_aes_cbc_hmac_sha1.c: cleanse temporary copy of HMAC secret. 2013-02-03 20:04:39 +01:00
Andy Polyakov
b2226c6c83 bn_word.c: fix overflow bug in BN_add_word.
(cherry picked from commit 134c00659a1bc67ad35a1e4620e16bc4315e6e37)
2013-02-02 22:39:00 +01:00
Andy Polyakov
024de2174b x86_64 assembly pack: keep making Windows build more robust.
PR: 2963 and a number of others
(cherry picked from commit 4568182a8b8cbfd15cbc175189029ac547bd1762)
2013-02-02 22:26:20 +01:00
Andy Polyakov
125093b59f e_aes_cbc_hmac_sha1.c: address the CBC decrypt timing issues.
Address CBC decrypt timing issues and reenable the AESNI+SHA1 stitch.
2013-02-02 19:35:09 +01:00
Ben Laurie
f3e99ea072 Merge remote-tracking branch 'origin/OpenSSL_1_0_1-stable' into OpenSSL_1_0_1-stable 2013-02-01 19:04:26 +00:00
Andy Polyakov
8bfd4c659f ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility.
Kludge alert. This is arranged by passing padding length in unused
bits of SSL3_RECORD->type, so that orig_len can be reconstructed.
2013-02-01 15:54:37 +01:00
Andy Polyakov
ec07246a08 ssl/*: remove SSL3_RECORD->orig_len to restore binary compatibility. 2013-02-01 15:34:09 +01:00
Dr. Stephen Henson
04e45b52ee Don't access EVP_MD_CTX internals directly. 2013-02-01 14:12:27 +00:00
Andy Polyakov
d5371324d9 s3/s3_cbc.c: allow for compilations with NO_SHA256|512. 2013-02-01 10:31:59 +01:00
Andy Polyakov
36260233e7 ssl/s3_cbc.c: md_state alignment portability fix.
RISCs are picky and alignment granted by compiler for md_state can be
insufficient for SHA512.
2013-02-01 10:31:52 +01:00
Andy Polyakov
cab13fc847 ssl/s3_cbc.c: uint64_t portability fix.
Break dependency on uint64_t. It's possible to declare bits as
unsigned int, because TLS packets are limited in size and 32-bit
value can't overflow.
2013-02-01 10:31:23 +01:00
Dr. Stephen Henson
34ab3c8c71 typo. 2013-01-31 23:04:39 +00:00
Dr. Stephen Henson
25c93fd240 Merge branch 'ben/timing-1.0.1' into OpenSSL_1_0_1-stable 2013-01-31 17:04:41 +00:00
Dr. Stephen Henson
428c1064c3 Update NEWS 2013-01-31 16:39:40 +00:00
Dr. Stephen Henson
81ce0e14e7 Add ordinal for CRYPTO_memcmp: since this will affect multiple
branches it needs to be in a "gap".
2013-01-31 15:31:57 +00:00
Dr. Stephen Henson
b908e88ec1 Timing fix mitigation for FIPS mode.
We have to use EVP in FIPS mode so we can only partially mitigate
timing differences.

Make an extra call to EVP_DigestSignUpdate to hash additonal blocks
to cover any timing differences caused by removal of padding.
2013-01-31 12:34:10 +00:00
Dr. Stephen Henson
62e4506a7d Don't try and verify signatures if key is NULL (CVE-2013-0166)
Add additional check to catch this in ASN1_item_verify too.
2013-01-29 16:49:24 +00:00
Ben Laurie
014265eb02 Oops. Add missing file. 2013-01-28 18:24:55 +00:00
Ben Laurie
9f27de170d Update DTLS code to match CBC decoding in TLS.
This change updates the DTLS code to match the constant-time CBC
behaviour in the TLS.
2013-01-28 17:34:33 +00:00
Ben Laurie
6cb19b7681 Don't crash when processing a zero-length, TLS >= 1.1 record.
The previous CBC patch was bugged in that there was a path through enc()
in s3_pkt.c/d1_pkt.c which didn't set orig_len. orig_len would be left
at the previous value which could suggest that the packet was a
sufficient length when it wasn't.
2013-01-28 17:33:18 +00:00
Ben Laurie
e130841bcc Make CBC decoding constant time.
This patch makes the decoding of SSLv3 and TLS CBC records constant
time. Without this, a timing side-channel can be used to build a padding
oracle and mount Vaudenay's attack.

This patch also disables the stitched AESNI+SHA mode pending a similar
fix to that code.

In order to be easy to backport, this change is implemented in ssl/,
rather than as a generic AEAD mode. In the future this should be changed
around so that HMAC isn't in ssl/, but crypto/ as FIPS expects.
2013-01-28 17:31:49 +00:00
Ben Laurie
2ee798880a Add and use a constant-time memcmp.
This change adds CRYPTO_memcmp, which compares two vectors of bytes in
an amount of time that's independent of their contents. It also changes
several MAC compares in the code to use this over the standard memcmp,
which may leak information about the size of a matching prefix.
2013-01-28 17:30:38 +00:00
Dr. Stephen Henson
ffcf4c6164 Don't include comp.h in cmd_cd.c if OPENSSL_NO_COMP set 2013-01-23 01:07:23 +00:00
Andy Polyakov
b286a96811 x86_64 assembly pack: make Windows build more robust [from master].
PR: 2963 and a number of others
2013-01-22 22:54:04 +01:00
Andy Polyakov
2a2df2e9f2 bn/asm/mips.pl: hardwire local call to bn_div_words. 2013-01-22 21:16:51 +01:00
Dr. Stephen Henson
15481c5e42 Don't include comp.h if no-comp set. 2013-01-20 01:10:52 +00:00
Andy Polyakov
366b60b9da engines/ccgost: GOST fixes [from master].
Submitted by: Dmitry Belyavsky, Seguei Leontiev
PR: 2821
2013-01-19 18:26:54 +01:00
Andy Polyakov
4782444a35 .gitignore adjustments 2013-01-19 13:33:04 +01:00
Dr. Stephen Henson
8a17e161d1 Merge branch 'OpenSSL_1_0_1-stable' of /home/steve/src/git/openssl into OpenSSL_1_0_1-stable 2013-01-14 00:24:34 +00:00
Ben Laurie
72f27cd2df Fix some clang warnings. 2013-01-14 00:22:28 +00:00
Dr. Stephen Henson
3b3674ae58 Merge branch 'OpenSSL_1_0_1-stable' of openssl.net:openssl into OpenSSL_1_0_1-stable 2013-01-13 23:01:43 +00:00
Ben Laurie
9d75e765bc Correct EVP_PKEY_verifyrecover to EVP_PKEY_verify_recover (RT 2955). 2013-01-13 23:00:46 +00:00
Ben Laurie
bf07bd4d61 Correct EVP_PKEY_verifyrecover to EVP_PKEY_verify_recover (RT 2955). 2013-01-12 15:13:40 +00:00
Dr. Stephen Henson
296cc7f4b8 Update debug-steve64 2013-01-07 16:24:58 +00:00
Dr. Stephen Henson
3d92984689 Add .gitignore 2013-01-07 16:23:00 +00:00
Dr. Stephen Henson
51447d5db5 In FIPS mode use PKCS#8 format when writing private keys:
traditional format uses MD5 which is prohibited in FIPS mode.
2013-01-07 16:19:28 +00:00
Dr. Stephen Henson
1dcf520fe2 Change default bits to 1024 2013-01-07 16:18:57 +00:00
Dr. Stephen Henson
fca84dabe6 make no-comp compile 2012-12-30 16:05:11 +00:00
Dr. Stephen Henson
3ea1e13569 add missing \n 2012-12-23 18:19:28 +00:00
Andy Polyakov
dd6639bd3a VC-32.pl: fix typo [from HEAD].
Submitted by: Pierre Delaage
2012-12-16 19:41:57 +00:00
Ben Laurie
bee0550397 Documentation improvements by Chris Palmer (Google). 2012-12-14 13:29:51 +00:00
Ben Laurie
fc57c58c81 Document -pubkey option. 2012-12-13 16:08:17 +00:00
Ben Laurie
5bb6d96558 Make verify return errors. 2012-12-13 15:48:42 +00:00
Ben Laurie
28e1bd35bd Add 64 bit target. 2012-12-13 15:46:46 +00:00
Dr. Stephen Henson
dd83cc298d Fix two bugs which affect delta CRL handling:
Use -1 to check all extensions in CRLs.
Always set flag for freshest CRL.
2012-12-06 18:25:03 +00:00
Andy Polyakov
ea00598596 aes-s390x.pl: fix XTS bugs in z196-specific code path [from HEAD]. 2012-12-05 17:45:24 +00:00
Dr. Stephen Henson
a650314f72 check mval for NULL too 2012-12-04 17:26:13 +00:00
Dr. Stephen Henson
54fdc39a08 fix leak 2012-12-03 16:33:24 +00:00
Andy Polyakov
7dc98a62b2 aes-s389x.pl: harmonize software-only code path [from HEAD]. 2012-12-01 11:11:12 +00:00
Dr. Stephen Henson
f20ba1c9bb PR: 2803
Submitted by: jean-etienne.schwartz@bull.net

In OCSP_basic_varify return an error if X509_STORE_CTX_init fails.
2012-11-29 19:15:36 +00:00
Dr. Stephen Henson
7c3562947a reject zero length point format list or supported curves extensions 2012-11-22 14:15:25 +00:00
Dr. Stephen Henson
eb3a3911fc PR: 2908
Submitted by: Dmitry Belyavsky <beldmit@gmail.com>

Fix DH double free if parameter generation fails.
2012-11-21 14:02:21 +00:00
Dr. Stephen Henson
540f7c75ef fix leaks 2012-11-20 00:28:56 +00:00
Dr. Stephen Henson
d6342aab08 correct docs 2012-11-19 20:07:05 +00:00
Dr. Stephen Henson
e7b85bc402 PR: 2880
Submitted by: "Florian Rüchel" <florian.ruechel@ruhr-uni-bochum.de>

Correctly handle local machine keys in the capi ENGINE.
2012-11-18 15:21:02 +00:00
Dr. Stephen Henson
07eaaab2f6 add "missing" TLSv1.2 cipher alias 2012-11-15 19:15:20 +00:00
Dr. Stephen Henson
96f7fafa24 Don't require tag before ciphertext in AESGCM mode 2012-10-16 22:46:40 +00:00
Andy Polyakov
487a0df700 aix[64]-cc: get MT support right [from HEAD].
PR: 2896
2012-10-16 08:16:25 +00:00
Bodo Möller
09ef5f6258 Fix EC_KEY initialization race.
Submitted by: Adam Langley
2012-10-05 20:51:12 +00:00
Bodo Möller
bcc0e4ca7c Fix Valgrind warning.
Submitted by: Adam Langley
2012-09-24 19:49:42 +00:00
Richard Levitte
caac8fefdc * Configure: make the debug-levitte-linux{elf,noasm} less extreme. 2012-09-24 18:49:04 +00:00
Dr. Stephen Henson
353e845120 Minor enhancement to PR#2836 fix. Instead of modifying SSL_get_certificate
change the current certificate (in s->cert->key) to the one used and then
SSL_get_certificate and SSL_get_privatekey will automatically work.

Note for 1.0.1 and earlier also includes backport of the function
ssl_get_server_send_pkey.
2012-09-21 14:01:59 +00:00
Richard Levitte
d1451f18d9 * ssl/t1_enc.c (tls1_change_cipher_state): Stupid bug. Fortunately in
debugging code that's seldom used.
2012-09-21 13:08:28 +00:00
Bodo Möller
c3a5b7b82a Fix warning.
Submitted by: Chromium Authors
2012-09-17 17:24:44 +00:00
Ben Laurie
70d91d60bc Call OCSP Stapling callback after ciphersuite has been chosen, so the
right response is stapled. Also change SSL_get_certificate() so it
returns the certificate actually sent.

See http://rt.openssl.org/Ticket/Display.html?id=2836.
2012-09-17 14:39:38 +00:00
Andy Polyakov
bc78883017 e_aes.c: uninitialized variable in aes_ccm_init_key [from HEAD].
PR: 2874
Submitted by: Tomas Mraz
2012-09-15 08:46:31 +00:00
Dr. Stephen Henson
f929f201fb fix memory leak 2012-09-11 13:44:38 +00:00
Andy Polyakov
554cf97f03 bn_lcl.h: gcc removed support for "h" constraint, which broke inline
assembler [from HEAD].
2012-09-01 13:23:05 +00:00
Dr. Stephen Henson
48ccbeefda Don't load GOST ENGINE if it is already loaded.
Multiple copies of the ENGINE will cause problems when it is cleaned up as
the methods are stored in static structures which will be overwritten and
freed up more than once.

Set static methods to NULL when the ENGINE is freed so it can be reloaded.
2012-09-01 11:29:52 +00:00
Dr. Stephen Henson
7a217076d9 PR: 2786
Reported by: Tomas Mraz <tmraz@redhat.com>

Treat a NULL value passed to drbg_free_entropy callback as non-op. This
can happen if the call to fips_get_entropy fails.
2012-08-22 22:42:04 +00:00
Andy Polyakov
0720bf7df1 sha1-armv4-large.pl: comply with ABI [from HEAD]. 2012-08-17 19:59:49 +00:00
Andy Polyakov
9d6727781d aes-mips.pl: harmonize with fips module.
PR: 2863
Submitted by: Duane Sand
2012-08-17 09:02:40 +00:00
Bodo Möller
12c1621523 Enable message names for TLS 1.1, 1.2 with -msg. 2012-08-16 13:43:37 +00:00
Andy Polyakov
f9b48d60f2 gosthash.c: use memmove in circle_xor8, as input pointers can be equal
[from HEAD].

PR: 2858
2012-08-13 16:38:43 +00:00
Andy Polyakov
5c29127666 ./Configure: libcrypto.a can grow to many GB on Solaris 10, because of ar bug
[from HEAD].

PR: 2838
2012-08-13 16:18:59 +00:00
Andy Polyakov
78d767f5ec gcm128.c: fix AAD-only case with AAD length not divisible by 16 [from HEAD].
PR: 2859
Submitted by: John Foley
2012-08-13 15:32:18 +00:00
Richard Levitte
c8b979e929 Add evp_cnf in the build. 2012-07-05 12:58:27 +00:00
Dr. Stephen Henson
2beaa91ca7 update NEWS 2012-07-05 11:49:56 +00:00
Richard Levitte
efa288ceac Have the new names start in column 48, that makes it easy to see when
the 31 character limit is reached (on a 80 column display, do the math)
2012-07-05 09:00:49 +00:00
Richard Levitte
ad3bbd4a16 Cosmetics: remove duplicate symbol in crypto/symhacks.h 2012-07-05 08:49:30 +00:00
Dr. Stephen Henson
73913443a5 add missing evp_cnf.c file 2012-07-04 13:14:11 +00:00
Dr. Stephen Henson
e133ff7190 PR: 2840
Reported by: David McCullough <david_mccullough@mcafee.com>

Restore fips configuration module from 0.9.8.
2012-07-03 20:16:30 +00:00
Dr. Stephen Henson
25da47c3c8 Fix memory leak.
Always perform nexproto callback argument initialisation in s_server
otherwise we use uninitialised data if -nocert is specified.
2012-07-03 16:36:10 +00:00
Ben Laurie
4dc40f5eec Unused variable. 2012-07-01 16:04:12 +00:00
Andy Polyakov
a1a37575f0 bss_dgram.c: fix typos in Windows code. 2012-07-01 09:12:14 +00:00
Dr. Stephen Henson
c64c0e03d3 don't use pseudo digests for default values of keys 2012-06-27 14:11:40 +00:00
Andy Polyakov
e1e882a368 x86_64 assembly pack: make it possible to compile with Perl located
on path with spaces [from HEAD].

PR: 2835
2012-06-27 12:58:03 +00:00
Dr. Stephen Henson
36b0719793 oops, add -debug_decrypt option which was accidenatally left out 2012-06-19 13:39:03 +00:00
Andy Polyakov
7655044dd3 bss_dgram.c: fix bugs [from HEAD].
PR: 2833
2012-06-19 12:36:00 +00:00
Dr. Stephen Henson
58fdd30664 revert more "version skew" changes that break FIPS builds 2012-06-10 23:01:28 +00:00
Dr. Stephen Henson
7175dbaeba Revert "version skew" patches that break FIPS compilation. 2012-06-09 23:35:34 +00:00
Ben Laurie
af454b5bb0 Reduce version skew. 2012-06-08 09:18:47 +00:00
Andy Polyakov
5b2bbf37fa s2_clnt.c: compensate for compiler bug [from HEAD]. 2012-05-16 18:22:27 +00:00
Andy Polyakov
6321ac9e15 ppccap.c: assume no features under 32-bit AIX kernel [from HEAD].
PR: 2810
2012-05-16 18:18:29 +00:00
Dr. Stephen Henson
eeca72f71e PR: 2813
Reported by: Constantine Sapuntzakis <csapuntz@gmail.com>

Fix possible deadlock when decoding public keys.
2012-05-11 13:52:46 +00:00
Dr. Stephen Henson
6e164e5c3d PR: 2811
Reported by: Phil Pennock <openssl-dev@spodhuis.org>

Make renegotiation work for TLS 1.2, 1.1 by not using a lower record
version client hello workaround if renegotiating.
2012-05-11 13:32:26 +00:00
Dr. Stephen Henson
1b452133ae PR: 2806
Submitted by: PK <runningdoglackey@yahoo.com>

Correct ciphersuite signature algorithm definitions.
2012-05-10 18:24:32 +00:00
Dr. Stephen Henson
d9c34505e5 prepare for next version 2012-05-10 16:02:30 +00:00
Dr. Stephen Henson
f9885acc8c prepare for 1.0.1c release 2012-05-10 15:16:37 +00:00
Dr. Stephen Henson
fa9df48401 update NEWS 2012-05-10 15:11:34 +00:00
Dr. Stephen Henson
d414a5a0f0 Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 and
DTLS to fix DoS attack.

Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic
fuzzing as a service testing platform.
(CVE-2012-2333)
2012-05-10 15:10:15 +00:00
Richard Levitte
9eb4460e68 Don't forget to install srtp.h as well 2012-05-10 15:01:22 +00:00
Dr. Stephen Henson
6984d16671 oops, revert unrelated change 2012-05-10 13:38:18 +00:00
Dr. Stephen Henson
5b9d0995a1 Reported by: Solar Designer of Openwall
Make sure tkeylen is initialised properly when encrypting CMS messages.
2012-05-10 13:34:22 +00:00
Richard Levitte
7ad8e1fc4e Correct environment variable is OPENSSL_ALLOW_PROXY_CERTS. 2012-05-04 10:43:22 +00:00
Andy Polyakov
c9b31189a9 ppccpuid.pl: branch hints in OPENSSL_cleanse impact small block performance
of digest algorithms, mosty SHA, on Power7. Mystery of century, why SHA,
why slower algorithm are affected more... [from HEAD].
PR: 2794
Submitted by: Ashley Lai
2012-04-27 20:20:15 +00:00
Dr. Stephen Henson
c76b7a1a82 Don't try to use unvalidated composite ciphers in FIPS mode 2012-04-26 18:49:45 +00:00
Dr. Stephen Henson
c940e07014 prepare for next version 2012-04-26 12:01:38 +00:00
Dr. Stephen Henson
88be4ebfbc make update 2012-04-26 10:42:20 +00:00
Dr. Stephen Henson
effa47b80a prepare for 1.0.1b release 2012-04-26 10:40:39 +00:00
Dr. Stephen Henson
067400b16e update NEWS 2012-04-26 10:39:11 +00:00
Andy Polyakov
748628ced0 CHANGES: clarify. 2012-04-26 07:34:39 +00:00
Andy Polyakov
6791060eae CHANGEs: fix typos and clarify. 2012-04-26 07:25:04 +00:00
Dr. Stephen Henson
502dfeb8de Change value of SSL_OP_NO_TLSv1_1 to avoid clash with SSL_OP_ALL and
OpenSSL 1.0.0. Add CHANGES entry noting the consequences.
2012-04-25 23:08:44 +00:00
Andy Polyakov
5bbed29518 s23_clnt.c: ensure interoperability by maitaining client "version capability"
vector contiguous [from HEAD].
PR: 2802
2012-04-25 22:07:23 +00:00
Dr. Stephen Henson
2f2d33f470 correct error code 2012-04-22 13:31:26 +00:00
Dr. Stephen Henson
be60a3feaa check correctness of errors before updating them so we don't get bogus errors added 2012-04-22 13:25:19 +00:00
Dr. Stephen Henson
e504a829a0 correct old FAQ answers, sync with HEAD 2012-04-22 13:21:38 +00:00
Andy Polyakov
0d829f6681 e_rc4_hmac_md5.c: reapply commit#21726, which was erroneously omitted.
PR: 2797, 2792
2012-04-20 21:45:17 +00:00
Dr. Stephen Henson
d9540579c5 call OPENSSL_init when calling FIPS_mode too 2012-04-20 14:42:54 +00:00
Dr. Stephen Henson
ecf963b80d make ciphers work again for FIPS builds 2012-04-20 00:07:48 +00:00
Andy Polyakov
7fc6d35be0 e_rc4_hmac_md5.c: last commit was inappropriate for non-x86[_64] platforms
[from HEAD].
PR: 2792
2012-04-19 20:43:02 +00:00
Dr. Stephen Henson
e7d2a37158 update for next version 2012-04-19 16:53:43 +00:00
Dr. Stephen Henson
531c6fc8f3 prepare for 1.0.1a release 2012-04-19 12:17:19 +00:00
Dr. Stephen Henson
e011d0a3c4 update NEWS 2012-04-19 12:14:28 +00:00
Dr. Stephen Henson
8d5505d099 Check for potentially exploitable overflows in asn1_d2i_read_bio
BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer
in CRYPTO_realloc_clean.

Thanks to Tavis Ormandy, Google Security Team, for discovering this
issue and to Adam Langley <agl@chromium.org> for fixing it. (CVE-2012-2110)
2012-04-19 12:13:59 +00:00
Andy Polyakov
d36e0ee460 Makefile.org: clear yet another environment variable [from HEAD].
PR: 2793
2012-04-19 06:40:36 +00:00
Dr. Stephen Henson
143619ccf6 only call FIPS_cipherinit in FIPS mode 2012-04-18 22:41:50 +00:00
Andy Polyakov
9f339d75b5 e_rc4_hmac_md5.c: update from HEAD, fixes crash on legacy Intel CPUs.
PR: 2792
2012-04-18 17:51:33 +00:00
Dr. Stephen Henson
28583660fb update NEWS 2012-04-18 17:30:20 +00:00
Dr. Stephen Henson
dedfe959dd correct error code 2012-04-18 14:53:48 +00:00
Bodo Möller
4d936ace08 Disable SHA-2 ciphersuites in < TLS 1.2 connections.
(TLS 1.2 clients could end up negotiating these with an OpenSSL server
with TLS 1.2 disabled, which is problematic.)

Submitted by: Adam Langley
2012-04-17 15:20:17 +00:00
Dr. Stephen Henson
89bd25eb26 Additional workaround for PR#2771
If OPENSSL_MAX_TLS1_2_CIPHER_LENGTH is set then limit the size of client
ciphersuites to this value. A value of 50 should be sufficient.

Document workarounds in CHANGES.
2012-04-17 14:41:23 +00:00
Dr. Stephen Henson
4a1cf50187 Partial workaround for PR#2771.
Some servers hang when presented with a client hello record length exceeding
255 bytes but will work with longer client hellos if the TLS record version
in client hello does not exceed TLS v1.0. Unfortunately this doesn't fix all
cases...
2012-04-17 13:20:19 +00:00
Andy Polyakov
32e12316e5 OPENSSL_NO_SOCK fixes [from HEAD].
PR: 2791
Submitted by: Ben Noordhuis
2012-04-16 17:43:15 +00:00
Andy Polyakov
ad7b24f145 Minor compatibility fixes [from HEAD].
PR: 2790
Submitted by: Alexei Khlebnikov
2012-04-16 17:36:12 +00:00
Andy Polyakov
c2770c0e0e s3_srvr.c: fix typo [from HEAD].
PR: 2538
2012-04-15 17:23:41 +00:00
Andy Polyakov
371056f2b9 e_aes_cbc_hmac_sha1.c: handle zero-length payload and engage empty frag
countermeasure [from HEAD].

PR: 2778
2012-04-15 14:23:03 +00:00
Andy Polyakov
2d613908e8 s390x asm pack: fix typos. 2012-04-12 06:47:01 +00:00
Dr. Stephen Henson
18fb1fae08 oops, macro not present in OpenSSL 1.0.2 2012-04-11 15:11:16 +00:00
Dr. Stephen Henson
39ef161c72 fix reset fix 2012-04-11 15:05:45 +00:00
Dr. Stephen Henson
a7612c5066 make reinitialisation work for CMAC 2012-04-11 12:26:13 +00:00
Dr. Stephen Henson
6cbae10b5e update rather ancient EVP digest documentation 2012-04-10 22:28:22 +00:00
Andy Polyakov
ebe81134c0 aes-s390x.pl: fix crash in AES_set_decrypt_key in linux32-s390x build [from HEAD]. 2012-04-09 15:12:45 +00:00
Andy Polyakov
a1d573e282 aes-armv4.pl: make it more foolproof [inspired by aes-s390x.pl in 1.0.1]. 2012-04-05 08:31:37 +00:00
Andy Polyakov
e959e24b47 aes-s390x.pl: fix endless loop in linux32-s390x build. 2012-04-05 08:17:21 +00:00
Andy Polyakov
3f98d7c0b5 ssl/ssl_ciph.c: interim solution for assertion in d1_pkt.c(444) [from HEAD].
PR: 2778
2012-04-04 20:51:27 +00:00
Andy Polyakov
d2f950c984 CHANGES: mention vpaes fix and harmonize with 1.0.0.
PR: 2775
2012-03-31 18:55:41 +00:00
Dr. Stephen Henson
63e8f16737 PR: 2778(part)
Submitted by: John Fitzgibbon <john_fitzgibbon@yahoo.com>

Time is always encoded as 4 bytes, not sizeof(Time).
2012-03-31 18:02:43 +00:00
Andy Polyakov
9bf5fd894f modes_lcl.h: make it work on i386 [from HEAD].
PR: 2780
2012-03-31 17:03:54 +00:00
Andy Polyakov
6296729fae vpaes-x86[_64].pl: handle zero length in vpaes_cbc_encrypt [from HEAD].
PR: 2775
2012-03-31 16:55:18 +00:00
Andy Polyakov
67d216801b util/cygwin.sh update [from HEAD].
PR: 2761
Submitted by: Corinna Vinschen
2012-03-31 11:07:28 +00:00
Andy Polyakov
0a5575f3f6 bn/bn_gf2m.c: make new BN_GF2m_mod_inv work with BN_DEBUG_RAND [from HEAD]. 2012-03-30 17:40:52 +00:00
Dr. Stephen Henson
418044cbab Experimental workaround to large client hello issue (see PR#2771).
If OPENSSL_NO_TLS1_2_CLIENT is set then TLS v1.2 is disabled for clients
only.
2012-03-29 19:08:54 +00:00
Andy Polyakov
8c67b13407 perlasm/x86masm.pl: fix last fix [from HEAD]. 2012-03-29 18:11:21 +00:00
Andy Polyakov
2a477ccf0b ans1/tasn_prn.c: avoid bool in variable names [from HEAD].
PR: 2776
2012-03-29 17:48:43 +00:00
Dr. Stephen Henson
c34137bef9 fix leak 2012-03-22 16:28:51 +00:00
Dr. Stephen Henson
914d91c5b3 Submitted by: Markus Friedl <mfriedl@gmail.com>
Fix memory leaks in 'goto err' cases.
2012-03-22 15:43:19 +00:00
Dr. Stephen Henson
e733dea3ce update version to 1.0.1a-dev 2012-03-22 15:18:19 +00:00
711 changed files with 16456 additions and 101043 deletions

5
.gitignore vendored
View File

@ -12,15 +12,10 @@
# Top level excludes
/Makefile.bak
/Makefile
/MINFO
/*.a
/include
/*.pc
/rehash.time
/inc.*
/makefile.*
/out.*
/tmp.*
# Most *.c files under test/ are symlinks
/test/*.c

View File

@ -42,9 +42,6 @@ before_script:
export CROSS_COMPILE=${CC%%gcc}; unset CC;
./Configure mingw64 $CONFIG_OPTS;
else
if [ "$CC" == gcc ]; then
export CONFIG_OPTS="$CONFIG_OPTS -Wno-error=shadow";
fi;
./config $CONFIG_OPTS;
fi
- cd ..
@ -56,5 +53,8 @@ script:
- cd ..
notifications:
email:
recipient:
- openssl-commits@openssl.org
email:
on_success: change
on_failure: always

508
CHANGES
View File

@ -2,11 +2,7 @@
OpenSSL CHANGES
_______________
Changes between 1.0.2g and 1.0.2h [xx XXX xxxx]
*) Modify behavior of ALPN to invoke callback after SNI/servername
callback, such that updates to the SSL_CTX affect ALPN.
[Todd Short]
Changes between 1.0.1s and 1.0.1t [xx XXX xxxx]
*) Remove LOW from the DEFAULT cipher list. This removes singles DES from the
default.
@ -16,7 +12,7 @@
methods are enabled and ssl2 is disabled the methods return NULL.
[Kurt Roeckx]
Changes between 1.0.2f and 1.0.2g [1 Mar 2016]
Changes between 1.0.1r and 1.0.1s [1 Mar 2016]
* Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
Builds that are not configured with "enable-weak-ssl-ciphers" will not
@ -148,37 +144,13 @@
apps to use 2048 bits by default.
[Emilia Käsper]
Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
Changes between 1.0.1q and 1.0.1r [28 Jan 2016]
*) DH small subgroups
*) Protection for DH small subgroup attacks
Historically OpenSSL only ever generated DH parameters based on "safe"
primes. More recently (in version 1.0.2) support was provided for
generating X9.42 style parameter files such as those required for RFC 5114
support. The primes used in such files may not be "safe". Where an
application is using DH configured with parameters based on primes that are
not "safe" then an attacker could use this fact to find a peer's private
DH exponent. This attack requires that the attacker complete multiple
handshakes in which the peer uses the same private DH exponent. For example
this could be used to discover a TLS server's private DH exponent if it's
reusing the private DH exponent or it's using a static DH ciphersuite.
OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
TLS. It is not on by default. If the option is not set then the server
reuses the same private DH exponent for the life of the server process and
would be vulnerable to this attack. It is believed that many popular
applications do set this option and would therefore not be at risk.
The fix for this issue adds an additional check where a "q" parameter is
available (as is the case in X9.42 based parameters). This detects the
only known attack, and is the only possible defense for static DH
ciphersuites. This could have some performance impact.
Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
default and cannot be disabled. This could have some performance impact.
This issue was reported to OpenSSL by Antonio Sanso (Adobe).
(CVE-2016-0701)
As a precautionary measure the SSL_OP_SINGLE_DH_USE option has been
switched on by default and cannot be disabled. This could have some
performance impact.
[Matt Caswell]
*) SSLv2 doesn't block disabled ciphers
@ -196,26 +168,7 @@
*) Reject DH handshakes with parameters shorter than 1024 bits.
[Kurt Roeckx]
Changes between 1.0.2d and 1.0.2e [3 Dec 2015]
*) BN_mod_exp may produce incorrect results on x86_64
There is a carry propagating bug in the x86_64 Montgomery squaring
procedure. No EC algorithms are affected. Analysis suggests that attacks
against RSA and DSA as a result of this defect would be very difficult to
perform and are not believed likely. Attacks against DH are considered just
feasible (although very difficult) because most of the work necessary to
deduce information about a private key may be performed offline. The amount
of resources required for such an attack would be very significant and
likely only accessible to a limited number of attackers. An attacker would
additionally need online access to an unpatched system using the target
private key in a scenario with persistent DH parameters and a private
key that is shared between multiple clients. For example this can occur by
default in OpenSSL DHE based SSL/TLS ciphersuites.
This issue was reported to OpenSSL by Hanno Böck.
(CVE-2015-3193)
[Andy Polyakov]
Changes between 1.0.1p and 1.0.1q [3 Dec 2015]
*) Certificate verify crash with missing PSS parameter
@ -254,7 +207,7 @@
use a random seed, as already documented.
[Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
Changes between 1.0.2c and 1.0.2d [9 Jul 2015]
Changes between 1.0.1o and 1.0.1p [9 Jul 2015]
*) Alternate chains certificate forgery
@ -279,13 +232,12 @@
(CVE-2015-3196)
[Stephen Henson]
Changes between 1.0.2b and 1.0.2c [12 Jun 2015]
Changes between 1.0.1n and 1.0.1o [12 Jun 2015]
*) Fix HMAC ABI incompatibility. The previous version introduced an ABI
incompatibility in the handling of HMAC. The previous ABI has now been
restored.
Changes between 1.0.2a and 1.0.2b [11 Jun 2015]
Changes between 1.0.1m and 1.0.1n [11 Jun 2015]
*) Malformed ECParameters causes infinite loop
@ -353,65 +305,13 @@
(CVE-2015-1791)
[Matt Caswell]
*) Removed support for the two export grade static DH ciphersuites
EXP-DH-RSA-DES-CBC-SHA and EXP-DH-DSS-DES-CBC-SHA. These two ciphersuites
were newly added (along with a number of other static DH ciphersuites) to
1.0.2. However the two export ones have *never* worked since they were
introduced. It seems strange in any case to be adding new export
ciphersuites, and given "logjam" it also does not seem correct to fix them.
[Matt Caswell]
*) Only support 256-bit or stronger elliptic curves with the
'ecdh_auto' setting (server) or by default (client). Of supported
curves, prefer P-256 (both).
[Emilia Kasper]
*) Reject DH handshakes with parameters shorter than 768 bits.
[Kurt Roeckx and Emilia Kasper]
Changes between 1.0.2 and 1.0.2a [19 Mar 2015]
*) dhparam: generate 2048-bit parameters by default.
[Kurt Roeckx and Emilia Kasper]
*) ClientHello sigalgs DoS fix
If a client connects to an OpenSSL 1.0.2 server and renegotiates with an
invalid signature algorithms extension a NULL pointer dereference will
occur. This can be exploited in a DoS attack against the server.
This issue was was reported to OpenSSL by David Ramos of Stanford
University.
(CVE-2015-0291)
[Stephen Henson and Matt Caswell]
*) Multiblock corrupted pointer fix
OpenSSL 1.0.2 introduced the "multiblock" performance improvement. This
feature only applies on 64 bit x86 architecture platforms that support AES
NI instructions. A defect in the implementation of "multiblock" can cause
OpenSSL's internal write buffer to become incorrectly set to NULL when
using non-blocking IO. Typically, when the user application is using a
socket BIO for writing, this will only result in a failed connection.
However if some other BIO is used then it is likely that a segmentation
fault will be triggered, thus enabling a potential DoS attack.
This issue was reported to OpenSSL by Daniel Danner and Rainer Mueller.
(CVE-2015-0290)
[Matt Caswell]
*) Segmentation fault in DTLSv1_listen fix
The DTLSv1_listen function is intended to be stateless and processes the
initial ClientHello from many peers. It is common for user code to loop
over the call to DTLSv1_listen until a valid ClientHello is received with
an associated cookie. A defect in the implementation of DTLSv1_listen means
that state is preserved in the SSL object from one invocation to the next
that can lead to a segmentation fault. Errors processing the initial
ClientHello can trigger this scenario. An example of such an error could be
that a DTLS1.0 only client is attempting to connect to a DTLS1.2 only
server.
This issue was reported to OpenSSL by Per Allansson.
(CVE-2015-0207)
[Matt Caswell]
Changes between 1.0.1l and 1.0.1m [19 Mar 2015]
*) Segmentation fault in ASN1_TYPE_cmp fix
@ -424,20 +324,6 @@
(CVE-2015-0286)
[Stephen Henson]
*) Segmentation fault for invalid PSS parameters fix
The signature verification routines will crash with a NULL pointer
dereference if presented with an ASN.1 signature using the RSA PSS
algorithm and invalid parameters. Since these routines are used to verify
certificate signature algorithms this can be used to crash any
certificate verification operation and exploited in a DoS attack. Any
application which performs certificate verification is vulnerable including
OpenSSL clients and servers which enable client authentication.
This issue was was reported to OpenSSL by Brian Carpenter.
(CVE-2015-0208)
[Stephen Henson]
*) ASN.1 structure reuse memory corruption fix
Reusing a structure in ASN.1 parsing may allow an attacker to cause
@ -476,36 +362,6 @@
(CVE-2015-0293)
[Emilia Käsper]
*) Empty CKE with client auth and DHE fix
If client auth is used then a server can seg fault in the event of a DHE
ciphersuite being selected and a zero length ClientKeyExchange message
being sent by the client. This could be exploited in a DoS attack.
(CVE-2015-1787)
[Matt Caswell]
*) Handshake with unseeded PRNG fix
Under certain conditions an OpenSSL 1.0.2 client can complete a handshake
with an unseeded PRNG. The conditions are:
- The client is on a platform where the PRNG has not been seeded
automatically, and the user has not seeded manually
- A protocol specific client method version has been used (i.e. not
SSL_client_methodv23)
- A ciphersuite is used that does not require additional random data from
the PRNG beyond the initial ClientHello client random (e.g. PSK-RC4-SHA).
If the handshake succeeds then the client random that has been used will
have been generated from a PRNG with insufficient entropy and therefore the
output may be predictable.
For example using the following command with an unseeded openssl will
succeed on an unpatched platform:
openssl s_client -psk 1a2b3c4d -tls1_2 -cipher PSK-RC4-SHA
(CVE-2015-0285)
[Matt Caswell]
*) Use After Free following d2i_ECPrivatekey error fix
A malformed EC private key file consumed via the d2i_ECPrivateKey function
@ -532,340 +388,6 @@
*) Removed the export ciphers from the DEFAULT ciphers
[Kurt Roeckx]
Changes between 1.0.1l and 1.0.2 [22 Jan 2015]
*) Change RSA and DH/DSA key generation apps to generate 2048-bit
keys by default.
[Kurt Roeckx]
*) Facilitate "universal" ARM builds targeting range of ARM ISAs, e.g.
ARMv5 through ARMv8, as opposite to "locking" it to single one.
So far those who have to target multiple plaforms would compromise
and argue that binary targeting say ARMv5 would still execute on
ARMv8. "Universal" build resolves this compromise by providing
near-optimal performance even on newer platforms.
[Andy Polyakov]
*) Accelerated NIST P-256 elliptic curve implementation for x86_64
(other platforms pending).
[Shay Gueron & Vlad Krasnov (Intel Corp), Andy Polyakov]
*) Add support for the SignedCertificateTimestampList certificate and
OCSP response extensions from RFC6962.
[Rob Stradling]
*) Fix ec_GFp_simple_points_make_affine (thus, EC_POINTs_mul etc.)
for corner cases. (Certain input points at infinity could lead to
bogus results, with non-infinity inputs mapped to infinity too.)
[Bodo Moeller]
*) Initial support for PowerISA 2.0.7, first implemented in POWER8.
This covers AES, SHA256/512 and GHASH. "Initial" means that most
common cases are optimized and there still is room for further
improvements. Vector Permutation AES for Altivec is also added.
[Andy Polyakov]
*) Add support for little-endian ppc64 Linux target.
[Marcelo Cerri (IBM)]
*) Initial support for AMRv8 ISA crypto extensions. This covers AES,
SHA1, SHA256 and GHASH. "Initial" means that most common cases
are optimized and there still is room for further improvements.
Both 32- and 64-bit modes are supported.
[Andy Polyakov, Ard Biesheuvel (Linaro)]
*) Improved ARMv7 NEON support.
[Andy Polyakov]
*) Support for SPARC Architecture 2011 crypto extensions, first
implemented in SPARC T4. This covers AES, DES, Camellia, SHA1,
SHA256/512, MD5, GHASH and modular exponentiation.
[Andy Polyakov, David Miller]
*) Accelerated modular exponentiation for Intel processors, a.k.a.
RSAZ.
[Shay Gueron & Vlad Krasnov (Intel Corp)]
*) Support for new and upcoming Intel processors, including AVX2,
BMI and SHA ISA extensions. This includes additional "stitched"
implementations, AESNI-SHA256 and GCM, and multi-buffer support
for TLS encrypt.
This work was sponsored by Intel Corp.
[Andy Polyakov]
*) Support for DTLS 1.2. This adds two sets of DTLS methods: DTLS_*_method()
supports both DTLS 1.2 and 1.0 and should use whatever version the peer
supports and DTLSv1_2_*_method() which supports DTLS 1.2 only.
[Steve Henson]
*) Use algorithm specific chains in SSL_CTX_use_certificate_chain_file():
this fixes a limiation in previous versions of OpenSSL.
[Steve Henson]
*) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
MGF1 digest and OAEP label.
[Steve Henson]
*) Add EVP support for key wrapping algorithms, to avoid problems with
existing code the flag EVP_CIPHER_CTX_WRAP_ALLOW has to be set in
the EVP_CIPHER_CTX or an error is returned. Add AES and DES3 wrap
algorithms and include tests cases.
[Steve Henson]
*) Add functions to allocate and set the fields of an ECDSA_METHOD
structure.
[Douglas E. Engert, Steve Henson]
*) New functions OPENSSL_gmtime_diff and ASN1_TIME_diff to find the
difference in days and seconds between two tm or ASN1_TIME structures.
[Steve Henson]
*) Add -rev test option to s_server to just reverse order of characters
received by client and send back to server. Also prints an abbreviated
summary of the connection parameters.
[Steve Henson]
*) New option -brief for s_client and s_server to print out a brief summary
of connection parameters.
[Steve Henson]
*) Add callbacks for arbitrary TLS extensions.
[Trevor Perrin <trevp@trevp.net> and Ben Laurie]
*) New option -crl_download in several openssl utilities to download CRLs
from CRLDP extension in certificates.
[Steve Henson]
*) New options -CRL and -CRLform for s_client and s_server for CRLs.
[Steve Henson]
*) New function X509_CRL_diff to generate a delta CRL from the difference
of two full CRLs. Add support to "crl" utility.
[Steve Henson]
*) New functions to set lookup_crls function and to retrieve
X509_STORE from X509_STORE_CTX.
[Steve Henson]
*) Print out deprecated issuer and subject unique ID fields in
certificates.
[Steve Henson]
*) Extend OCSP I/O functions so they can be used for simple general purpose
HTTP as well as OCSP. New wrapper function which can be used to download
CRLs using the OCSP API.
[Steve Henson]
*) Delegate command line handling in s_client/s_server to SSL_CONF APIs.
[Steve Henson]
*) SSL_CONF* functions. These provide a common framework for application
configuration using configuration files or command lines.
[Steve Henson]
*) SSL/TLS tracing code. This parses out SSL/TLS records using the
message callback and prints the results. Needs compile time option
"enable-ssl-trace". New options to s_client and s_server to enable
tracing.
[Steve Henson]
*) New ctrl and macro to retrieve supported points extensions.
Print out extension in s_server and s_client.
[Steve Henson]
*) New functions to retrieve certificate signature and signature
OID NID.
[Steve Henson]
*) Add functions to retrieve and manipulate the raw cipherlist sent by a
client to OpenSSL.
[Steve Henson]
*) New Suite B modes for TLS code. These use and enforce the requirements
of RFC6460: restrict ciphersuites, only permit Suite B algorithms and
only use Suite B curves. The Suite B modes can be set by using the
strings "SUITEB128", "SUITEB192" or "SUITEB128ONLY" for the cipherstring.
[Steve Henson]
*) New chain verification flags for Suite B levels of security. Check
algorithms are acceptable when flags are set in X509_verify_cert.
[Steve Henson]
*) Make tls1_check_chain return a set of flags indicating checks passed
by a certificate chain. Add additional tests to handle client
certificates: checks for matching certificate type and issuer name
comparison.
[Steve Henson]
*) If an attempt is made to use a signature algorithm not in the peer
preference list abort the handshake. If client has no suitable
signature algorithms in response to a certificate request do not
use the certificate.
[Steve Henson]
*) If server EC tmp key is not in client preference list abort handshake.
[Steve Henson]
*) Add support for certificate stores in CERT structure. This makes it
possible to have different stores per SSL structure or one store in
the parent SSL_CTX. Include distint stores for certificate chain
verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN
to build and store a certificate chain in CERT structure: returing
an error if the chain cannot be built: this will allow applications
to test if a chain is correctly configured.
Note: if the CERT based stores are not set then the parent SSL_CTX
store is used to retain compatibility with existing behaviour.
[Steve Henson]
*) New function ssl_set_client_disabled to set a ciphersuite disabled
mask based on the current session, check mask when sending client
hello and checking the requested ciphersuite.
[Steve Henson]
*) New ctrls to retrieve and set certificate types in a certificate
request message. Print out received values in s_client. If certificate
types is not set with custom values set sensible values based on
supported signature algorithms.
[Steve Henson]
*) Support for distinct client and server supported signature algorithms.
[Steve Henson]
*) Add certificate callback. If set this is called whenever a certificate
is required by client or server. An application can decide which
certificate chain to present based on arbitrary criteria: for example
supported signature algorithms. Add very simple example to s_server.
This fixes many of the problems and restrictions of the existing client
certificate callback: for example you can now clear an existing
certificate and specify the whole chain.
[Steve Henson]
*) Add new "valid_flags" field to CERT_PKEY structure which determines what
the certificate can be used for (if anything). Set valid_flags field
in new tls1_check_chain function. Simplify ssl_set_cert_masks which used
to have similar checks in it.
Add new "cert_flags" field to CERT structure and include a "strict mode".
This enforces some TLS certificate requirements (such as only permitting
certificate signature algorithms contained in the supported algorithms
extension) which some implementations ignore: this option should be used
with caution as it could cause interoperability issues.
[Steve Henson]
*) Update and tidy signature algorithm extension processing. Work out
shared signature algorithms based on preferences and peer algorithms
and print them out in s_client and s_server. Abort handshake if no
shared signature algorithms.
[Steve Henson]
*) Add new functions to allow customised supported signature algorithms
for SSL and SSL_CTX structures. Add options to s_client and s_server
to support them.
[Steve Henson]
*) New function SSL_certs_clear() to delete all references to certificates
from an SSL structure. Before this once a certificate had been added
it couldn't be removed.
[Steve Henson]
*) Integrate hostname, email address and IP address checking with certificate
verification. New verify options supporting checking in opensl utility.
[Steve Henson]
*) Fixes and wildcard matching support to hostname and email checking
functions. Add manual page.
[Florian Weimer (Red Hat Product Security Team)]
*) New functions to check a hostname email or IP address against a
certificate. Add options x509 utility to print results of checks against
a certificate.
[Steve Henson]
*) Fix OCSP checking.
[Rob Stradling <rob.stradling@comodo.com> and Ben Laurie]
*) Initial experimental support for explicitly trusted non-root CAs.
OpenSSL still tries to build a complete chain to a root but if an
intermediate CA has a trust setting included that is used. The first
setting is used: whether to trust (e.g., -addtrust option to the x509
utility) or reject.
[Steve Henson]
*) Add -trusted_first option which attempts to find certificates in the
trusted store even if an untrusted chain is also supplied.
[Steve Henson]
*) MIPS assembly pack updates: support for MIPS32r2 and SmartMIPS ASE,
platform support for Linux and Android.
[Andy Polyakov]
*) Support for linux-x32, ILP32 environment in x86_64 framework.
[Andy Polyakov]
*) Experimental multi-implementation support for FIPS capable OpenSSL.
When in FIPS mode the approved implementations are used as normal,
when not in FIPS mode the internal unapproved versions are used instead.
This means that the FIPS capable OpenSSL isn't forced to use the
(often lower perfomance) FIPS implementations outside FIPS mode.
[Steve Henson]
*) Transparently support X9.42 DH parameters when calling
PEM_read_bio_DHparameters. This means existing applications can handle
the new parameter format automatically.
[Steve Henson]
*) Initial experimental support for X9.42 DH parameter format: mainly
to support use of 'q' parameter for RFC5114 parameters.
[Steve Henson]
*) Add DH parameters from RFC5114 including test data to dhtest.
[Steve Henson]
*) Support for automatic EC temporary key parameter selection. If enabled
the most preferred EC parameters are automatically used instead of
hardcoded fixed parameters. Now a server just has to call:
SSL_CTX_set_ecdh_auto(ctx, 1) and the server will automatically
support ECDH and use the most appropriate parameters.
[Steve Henson]
*) Enhance and tidy EC curve and point format TLS extension code. Use
static structures instead of allocation if default values are used.
New ctrls to set curves we wish to support and to retrieve shared curves.
Print out shared curves in s_server. New options to s_server and s_client
to set list of supported curves.
[Steve Henson]
*) New ctrls to retrieve supported signature algorithms and
supported curve values as an array of NIDs. Extend openssl utility
to print out received values.
[Steve Henson]
*) Add new APIs EC_curve_nist2nid and EC_curve_nid2nist which convert
between NIDs and the more common NIST names such as "P-256". Enhance
ecparam utility and ECC method to recognise the NIST names for curves.
[Steve Henson]
*) Enhance SSL/TLS certificate chain handling to support different
chains for each certificate instead of one chain in the parent SSL_CTX.
[Steve Henson]
*) Support for fixed DH ciphersuite client authentication: where both
server and client use DH certificates with common parameters.
[Steve Henson]
*) Support for fixed DH ciphersuites: those requiring DH server
certificates.
[Steve Henson]
*) New function i2d_re_X509_tbs for re-encoding the TBS portion of
the certificate.
Note: Related 1.0.2-beta specific macros X509_get_cert_info,
X509_CINF_set_modified, X509_CINF_get_issuer, X509_CINF_get_extensions and
X509_CINF_get_signature were reverted post internal team review.
Changes between 1.0.1k and 1.0.1l [15 Jan 2015]
*) Build fixes for the Windows and OpenVMS platforms
@ -1176,7 +698,7 @@
[mancha <mancha1@zoho.com>]
*) Fix eckey_priv_encode so it immediately returns an error upon a failure
in i2d_ECPrivateKey. Thanks to Ted Unangst for feedback on this issue.
in i2d_ECPrivateKey.
[mancha <mancha1@zoho.com>]
*) Fix some double frees. These are not thought to be exploitable.

224
Configure
View File

@ -109,28 +109,11 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimenta
my $gcc_devteam_warn = "-Wall -pedantic -DPEDANTIC -Wno-long-long -Wsign-compare -Wmissing-prototypes -Wshadow -Wformat -Werror -DCRYPTO_MDEBUG_ALL -DCRYPTO_MDEBUG_ABORT -DREF_CHECK -DOPENSSL_NO_DEPRECATED";
# TODO(openssl-team): fix problems and investigate if (at least) the following
# warnings can also be enabled:
# -Wconditional-uninitialized, -Wswitch-enum, -Wunused-macros,
# -Wmissing-field-initializers, -Wmissing-variable-declarations,
# -Wincompatible-pointer-types-discards-qualifiers, -Wcast-align,
# -Wunreachable-code -Wunused-parameter -Wlanguage-extension-token
# -Wextended-offsetof
my $clang_disabled_warnings = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof";
# These are used in addition to $gcc_devteam_warn when the compiler is clang.
# TODO(openssl-team): fix problems and investigate if (at least) the
# following warnings can also be enabled: -Wconditional-uninitialized,
# -Wswitch-enum, -Wunused-macros, -Wmissing-field-initializers,
# -Wmissing-variable-declarations,
# -Wincompatible-pointer-types-discards-qualifiers, -Wcast-align,
# -Wunreachable-code -Wunused-parameter -Wlanguage-extension-token
# -Wextended-offsetof
my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments";
# Warn that "make depend" should be run?
my $warn_make_depend = 0;
my $clang_devteam_warn = "-Wno-unused-parameter -Wno-missing-field-initializers -Wno-language-extension-token -Wno-extended-offsetof -Qunused-arguments";
my $strict_warnings = 0;
my $x86_gcc_des="DES_PTR DES_RISC1 DES_UNROLL";
@ -150,25 +133,24 @@ my $tlib="-lnsl -lsocket";
my $bits1="THIRTY_TWO_BIT ";
my $bits2="SIXTY_FOUR_BIT ";
my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o::des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:";
my $x86_asm="x86cpuid.o:bn-586.o co-586.o x86-mont.o x86-gf2m.o:des-586.o crypt586.o:aes-586.o vpaes-x86.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o:cmll-x86.o:ghash-x86.o:";
my $x86_elf_asm="$x86_asm:elf";
my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o:ecp_nistz256.o ecp_nistz256-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o aesni-gcm-x86_64.o:";
my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o::void";
my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o vis3-mont.o sparct4-mont.o sparcv9-gf2m.o::des_enc-sparc.o fcrypt_b.o dest4-sparcv9.o:aes_core.o aes_cbc.o aes-sparcv9.o aest4-sparcv9.o::md5-sparcv9.o:sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o::::::camellia.o cmll_misc.o cmll_cbc.o cmllt4-sparcv9.o:ghash-sparcv9.o::void";
my $sparcv8_asm=":sparcv8.o::des_enc-sparc.o fcrypt_b.o:::::::::::::void";
my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o::::::sha1-alpha.o:::::::ghash-alpha.o::void";
my $mips64_asm=":bn-mips.o mips-mont.o:::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::";
my $mips32_asm=$mips64_asm; $mips32_asm =~ s/\s*sha512\-mips\.o//;
my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o:::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o:";
my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o:::aes_cbc.o aes-armv4.o bsaes-armv7.o aesv8-armx.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o ghashv8-armx.o::void";
my $aarch64_asm="armcap.o arm64cpuid.o mem_clr.o::::aes_core.o aes_cbc.o aesv8-armx.o:::sha1-armv8.o sha256-armv8.o sha512-armv8.o:::::::ghashv8-armx.o:";
my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o:::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o:::aes_core.o aes_cbc.o aes-ppc.o vpaes-ppc.o aesp8-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o sha256p8-ppc.o sha512p8-ppc.o:::::::ghashp8-ppc.o:";
my $ppc32_asm=$ppc64_asm;
my $no_asm="::::::::::::::::void";
my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o modexp512-x86_64.o::aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o::md5-x86_64.o:sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o::rc4-x86_64.o rc4-md5-x86_64.o:::wp-x86_64.o:cmll-x86_64.o cmll_misc.o:ghash-x86_64.o:";
my $ia64_asm="ia64cpuid.o:bn-ia64.o ia64-mont.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o rc4_skey.o:::::ghash-ia64.o::void";
my $sparcv9_asm="sparcv9cap.o sparccpuid.o:bn-sparcv9.o sparcv9-mont.o sparcv9a-mont.o:des_enc-sparc.o fcrypt_b.o:aes_core.o aes_cbc.o aes-sparcv9.o:::sha1-sparcv9.o sha256-sparcv9.o sha512-sparcv9.o:::::::ghash-sparcv9.o::void";
my $sparcv8_asm=":sparcv8.o:des_enc-sparc.o fcrypt_b.o:::::::::::::void";
my $alpha_asm="alphacpuid.o:bn_asm.o alpha-mont.o:::::sha1-alpha.o:::::::ghash-alpha.o::void";
my $mips32_asm=":bn-mips.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o::::::::";
my $mips64_asm=":bn-mips.o mips-mont.o::aes_cbc.o aes-mips.o:::sha1-mips.o sha256-mips.o sha512-mips.o::::::::";
my $s390x_asm="s390xcap.o s390xcpuid.o:bn-s390x.o s390x-mont.o s390x-gf2m.o::aes-s390x.o aes-ctr.o aes-xts.o:::sha1-s390x.o sha256-s390x.o sha512-s390x.o::rc4-s390x.o:::::ghash-s390x.o:";
my $armv4_asm="armcap.o armv4cpuid.o:bn_asm.o armv4-mont.o armv4-gf2m.o::aes_cbc.o aes-armv4.o:::sha1-armv4-large.o sha256-armv4.o sha512-armv4.o:::::::ghash-armv4.o::void";
my $parisc11_asm="pariscid.o:bn_asm.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::32";
my $parisc20_asm="pariscid.o:pa-risc2W.o parisc-mont.o::aes_core.o aes_cbc.o aes-parisc.o:::sha1-parisc.o sha256-parisc.o sha512-parisc.o::rc4-parisc.o:::::ghash-parisc.o::64";
my $ppc32_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o::::::::";
my $ppc64_asm="ppccpuid.o ppccap.o:bn-ppc.o ppc-mont.o ppc64-mont.o::aes_core.o aes_cbc.o aes-ppc.o:::sha1-ppc.o sha256-ppc.o sha512-ppc.o::::::::";
my $no_asm=":::::::::::::::void";
# As for $BSDthreads. Idea is to maintain "collective" set of flags,
# which would cover all BSD flavors. -pthread applies to them all,
@ -179,7 +161,7 @@ my $no_asm="::::::::::::::::void";
# seems to be sufficient?
my $BSDthreads="-pthread -D_THREAD_SAFE -D_REENTRANT";
#config-string $cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $cpuid_obj : $bn_obj : $ec_obj : $des_obj : $aes_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $wp_obj : $cmll_obj : $modes_obj : $engines_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags : $multilib
#config-string $cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $cpuid_obj : $bn_obj : $des_obj : $aes_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $wp_obj : $cmll_obj : $modes_obj : $engines_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags : $multilib
my %table=(
# File 'TABLE' (created by 'make TABLE') contains the data from this list,
@ -201,14 +183,14 @@ my %table=(
"debug-ben-debug-64", "gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-ben-macos", "cc:$gcc_devteam_warn -arch i386 -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -DL_ENDIAN -g3 -pipe::(unknown)::-Wl,-search_paths_first::::",
"debug-ben-macos-gcc46", "gcc-mp-4.6:$gcc_devteam_warn -Wconversion -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -O3 -DL_ENDIAN -g3 -pipe::(unknown)::::::",
"debug-ben-darwin64","cc:$gcc_devteam_warn -g -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"debug-ben-debug-64-clang", "clang:$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-ben-darwin64","cc:$gcc_devteam_warn -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"debug-ben-no-opt", "gcc: -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG -Werror -DL_ENDIAN -DTERMIOS -Wall -g3::(unknown)::::::",
"debug-ben-strict", "gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
"debug-bodo", "gcc:$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"debug-ulf", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DBN_DEBUG_RAND -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations:::CYGWIN32:::${no_asm}:win32:cygwin-shared:::.dll",
"debug-steve64", "gcc:$gcc_devteam_warn -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -Wno-overlength-strings -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-steve32", "gcc:$gcc_devteam_warn -m32 -DL_ENDIAN -DCONF_DEBUG -DDEBUG_SAFESTACK -g -pipe::-D_REENTRANT::-rdynamic -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:-m32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-steve-opt", "gcc:$gcc_devteam_warn -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -DDEBUG_SAFESTACK -g::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -ggdb -g3 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -ggdb -g3 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@ -220,10 +202,11 @@ my %table=(
"debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -march=i486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-linux-ia32-aes", "gcc:-DAES_EXPERIMENTAL -DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:x86cpuid.o:bn-586.o co-586.o x86-mont.o::des-586.o crypt586.o:aes_x86core.o aes_cbc.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o::ghash-x86.o::elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-linux-ia32-aes", "gcc:-DAES_EXPERIMENTAL -DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:x86cpuid.o:bn-586.o co-586.o x86-mont.o:des-586.o crypt586.o:aes_x86core.o aes_cbc.o aesni-x86.o:bf-586.o:md5-586.o:sha1-586.o sha256-586.o sha512-586.o:cast-586.o:rc4-586.o:rmd-586.o:rc5-586.o:wp_block.o wp-mmx.o::ghash-x86.o::elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-linux-generic32","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -g -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DTERMIO -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-linux-generic64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"debug-linux-x86_64","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"debug-linux-x86_64-clang","clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"dist", "cc:-O::(unknown)::::::",
# Basic configs that should work on any (32 and less bit) box
@ -252,7 +235,7 @@ my %table=(
"solaris64-x86_64-gcc","gcc:-m64 -O3 -Wall -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-fPIC:-m64 -shared -static-libgcc:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
#### Solaris x86 with Sun C setups
"solaris-x86-cc","cc:-fast -xarch=generic -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:${no_asm}:dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"solaris64-x86_64-cc","cc:-fast -xarch=amd64 -xstrconst -Xa -DL_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:solaris-shared:-KPIC:-xarch=amd64 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/64",
#### SPARC Solaris with GNU C setups
@ -327,7 +310,7 @@ my %table=(
"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${no_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"hpux-parisc1_1-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:${parisc11_asm}:dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa1.1",
"hpux-parisc2-gcc","gcc:-march=2.0 -O3 -DB_ENDIAN -D_REENTRANT::::-Wl,+s -ldld:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL DES_RISC1:".eval{my $asm=$parisc20_asm;$asm=~s/2W\./2\./;$asm=~s/:64/:32/;$asm}.":dl:hpux-shared:-fPIC:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_32",
"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2W.o:::::::::::::::void:dlfcn:hpux-shared:-fpic:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",
"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::pa-risc2W.o::::::::::::::void:dlfcn:hpux-shared:-fpic:-shared:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",
# More attempts at unified 10.X and 11.X targets for HP C compiler.
#
@ -374,58 +357,21 @@ my %table=(
# throw in -D[BL]_ENDIAN, whichever appropriate...
"linux-generic32","gcc:-O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ppc", "gcc:-DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc32_asm}:linux32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#######################################################################
# Note that -march is not among compiler options in below linux-armv4
# target line. Not specifying one is intentional to give you choice to:
#
# a) rely on your compiler default by not specifying one;
# b) specify your target platform explicitly for optimal performance,
# e.g. -march=armv6 or -march=armv7-a;
# c) build "universal" binary that targets *range* of platforms by
# specifying minimum and maximum supported architecture;
#
# As for c) option. It actually makes no sense to specify maximum to be
# less than ARMv7, because it's the least requirement for run-time
# switch between platform-specific code paths. And without run-time
# switch performance would be equivalent to one for minimum. Secondly,
# there are some natural limitations that you'd have to accept and
# respect. Most notably you can *not* build "universal" binary for
# big-endian platform. This is because ARMv7 processor always picks
# instructions in little-endian order. Another similar limitation is
# that -mthumb can't "cross" -march=armv6t2 boundary, because that's
# where it became Thumb-2. Well, this limitation is a bit artificial,
# because it's not really impossible, but it's deemed too tricky to
# support. And of course you have to be sure that your binutils are
# actually up to the task of handling maximum target platform. With all
# this in mind here is an example of how to configure "universal" build:
#
# ./Configure linux-armv4 -march=armv6 -D__ARM_MAX_ARCH__=8
#
"linux-armv4", "gcc: -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-aarch64","gcc: -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${aarch64_asm}:linux64:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# Configure script adds minimally required -march for assembly support,
# if no -march was specified at command line. mips32 and mips64 below
# refer to contemporary MIPS Architecture specifications, MIPS32 and
# MIPS64, rather than to kernel bitness.
"linux-mips32", "gcc:-mabi=32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-mips64", "gcc:-mabi=n32 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:n32:dlfcn:linux-shared:-fPIC:-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::32",
"linux64-mips64", "gcc:-mabi=64 -O3 -Wall -DBN_DIV3W::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips64_asm}:64:dlfcn:linux-shared:-fPIC:-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
# It's believed that majority of ARM toolchains predefine appropriate -march.
# If you compiler does not, do complement config command line with one!
"linux-armv4", "gcc:-O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### IA-32 targets...
"linux-ia32-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia32-icc", "icc:-DL_ENDIAN -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-elf", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-aout", "gcc:-DL_ENDIAN -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:a.out",
####
"linux-generic64","gcc:-O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ppc64", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${ppc64_asm}:linux64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux-ppc64le","gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:$ppc64_asm:linux64le:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::",
"linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64", "gcc:-DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64-ecc","ecc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-ia64-icc","icc:-DL_ENDIAN -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_INT:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"linux-x86_64", "gcc:-m64 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux-x86_64-clang", "clang: -m64 -DL_ENDIAN -O3 -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"debug-linux-x86_64-clang", "clang: -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -g -Wall -Wextra $clang_disabled_warnings -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux-x86_64-icc", "icc:-DL_ENDIAN -O2::-D_REENTRANT::-ldl -no_cpprt:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux-x32", "gcc:-mx32 -DL_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-mx32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::x32",
"linux-x86_64-clang","clang: -m64 -DL_ENDIAN -O3 -Wall -Qunused-arguments::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
"linux64-s390x", "gcc:-m64 -DB_ENDIAN -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:${s390x_asm}:64:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::64",
#### So called "highgprs" target for z/Architecture CPUs
# "Highgprs" is kernel feature first implemented in Linux 2.6.32, see
@ -472,7 +418,6 @@ my %table=(
"android","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"android-x86","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:".eval{my $asm=${x86_elf_asm};$asm=~s/:elf/:android/;$asm}.":dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"android-armv7","gcc:-march=armv7-a -mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${armv4_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"android-mips","gcc:-mandroid -I\$(ANDROID_DEV)/include -B\$(ANDROID_DEV)/lib -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${mips32_asm}:o32:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### *BSD [do see comment about ${BSDthreads} above!]
"BSD-generic32","gcc:-O3 -fomit-frame-pointer -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL:${no_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@ -487,7 +432,7 @@ my %table=(
# triggered by RIPEMD160 code.
"BSD-sparc64", "gcc:-DB_ENDIAN -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::BN_LLONG RC2_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC2 BF_PTR:${sparcv9_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"BSD-ia64", "gcc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_INT:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"BSD-x86_64", "cc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"BSD-x86_64", "gcc:-DL_ENDIAN -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:elf:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"bsdi-elf-gcc", "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@ -520,11 +465,11 @@ my %table=(
# UnixWare 2.0x fails destest with -O.
"unixware-2.0","cc:-DFILIO_H -DNO_STRINGS_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
"unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}-1:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -march=pentium -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}-1:dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -march=pentium -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
# SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the SCO cc.
"sco5-cc", "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}-1:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}-1:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"sco5-cc", "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
"sco5-gcc", "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
#### IBM's AIX.
"aix3-cc", "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
@ -584,9 +529,9 @@ my %table=(
# Visual C targets
#
# Win64 targets, WIN64I denotes IA-64 and WIN64A - AMD64
"VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o ia64-mont.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
"VC-WIN64I","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o ia64-mont.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
"VC-WIN64A","cl:-W3 -Gs0 -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:".eval{my $asm=$x86_64_asm;$asm=~s/x86_64-gcc\.o/bn_asm.o/;$asm}.":auto:win32",
"debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o:::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
"debug-VC-WIN64I","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:ia64cpuid.o:ia64.o::aes_core.o aes_cbc.o aes-ia64.o::md5-ia64.o:sha1-ia64.o sha256-ia64.o sha512-ia64.o:::::::ghash-ia64.o::ias:win32",
"debug-VC-WIN64A","cl:-W3 -Gs0 -Gy -Zi -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DUNICODE -D_UNICODE -D_CRT_SECURE_NO_DEPRECATE:::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:".eval{my $asm=$x86_64_asm;$asm=~s/x86_64-gcc\.o/bn_asm.o/;$asm}.":auto:win32",
# x86 Win32 target defaults to ANSI API, if you want UNICODE, complement
# 'perl Configure VC-WIN32' with '-DUNICODE -D_UNICODE'
@ -613,8 +558,9 @@ my %table=(
"UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
# Cygwin
"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:coff:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
"Cygwin-x86_64", "gcc:-DTERMIOS -DL_ENDIAN -O3 -Wall:::CYGWIN::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:mingw64:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
"Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_asm}:coff:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
"debug-Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror:::CYGWIN32:::${no_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
# NetWare from David Ward (dsward@novell.com)
# requires either MetroWerks NLM development tools, or gcc / nlmconv
@ -646,8 +592,7 @@ my %table=(
"darwin64-ppc-cc","cc:-arch ppc64 -O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc64_asm}:osx64:dlfcn:darwin-shared:-fPIC -fno-common:-arch ppc64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"darwin-i386-cc","cc:-arch i386 -O3 -fomit-frame-pointer -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:".eval{my $asm=$x86_asm;$asm=~s/cast\-586\.o//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"debug-darwin-i386-cc","cc:-arch i386 -g3 -DL_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:BN_LLONG RC4_INT RC4_CHUNK DES_UNROLL BF_PTR:${x86_asm}:macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch i386 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"debug-darwin64-x86_64-cc","cc:-arch x86_64 -ggdb -g2 -O0 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"darwin64-x86_64-cc","cc:-arch x86_64 -O3 -DL_ENDIAN -Wall::-D_REENTRANT:MACOSX:-Wl,-search_paths_first%:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL:".eval{my $asm=$x86_64_asm;$asm=~s/rc4\-[^:]+//;$asm}.":macosx:dlfcn:darwin-shared:-fPIC -fno-common:-arch x86_64 -dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
"debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${ppc32_asm}:osx32:dlfcn:darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
# iPhoneOS/iOS
"iphoneos-cross","llvm-gcc:-O3 -isysroot \$(CROSS_TOP)/SDKs/\$(CROSS_SDK) -fomit-frame-pointer -fno-common::-D_REENTRANT:iOS:-Wl,-search_paths_first%:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}:dlfcn:darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
@ -700,7 +645,6 @@ my $idx_lflags = $idx++;
my $idx_bn_ops = $idx++;
my $idx_cpuid_obj = $idx++;
my $idx_bn_obj = $idx++;
my $idx_ec_obj = $idx++;
my $idx_des_obj = $idx++;
my $idx_aes_obj = $idx++;
my $idx_bf_obj = $idx++;
@ -781,13 +725,11 @@ my %disabled = ( # "what" => "comment" [or special keyword "experimental
"ec_nistp_64_gcc_128" => "default",
"gmp" => "default",
"jpake" => "experimental",
"libunbound" => "experimental",
"md2" => "default",
"rc5" => "default",
"rfc3779" => "default",
"sctp" => "default",
"shared" => "default",
"ssl-trace" => "default",
"ssl2" => "default",
"store" => "experimental",
"unit-test" => "default",
@ -799,7 +741,7 @@ my @experimental = ();
# This is what $depflags will look like with the above defaults
# (we need this to see if we should advise the user to run "make depend"):
my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_LIBUNBOUND -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_SSL_TRACE -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST";
my $default_depflags = " -DOPENSSL_NO_EC_NISTP_64_GCC_128 -DOPENSSL_NO_GMP -DOPENSSL_NO_JPAKE -DOPENSSL_NO_MD2 -DOPENSSL_NO_RC5 -DOPENSSL_NO_RFC3779 -DOPENSSL_NO_SCTP -DOPENSSL_NO_STORE -DOPENSSL_NO_UNIT_TEST";
# Explicit "no-..." options will be collected in %disabled along with the defaults.
# To remove something from %disabled, use "enable-foo" (unless it's experimental).
@ -944,7 +886,16 @@ PROCESS_ARGS:
}
elsif (/^[-+]/)
{
if (/^--prefix=(.*)$/)
if (/^-[lL](.*)$/ or /^-Wl,/)
{
$libs.=$_." ";
}
elsif (/^-[^-]/ or /^\+/)
{
$_ =~ s/%([0-9a-f]{1,2})/chr(hex($1))/gei;
$flags.=$_." ";
}
elsif (/^--prefix=(.*)$/)
{
$prefix=$1;
}
@ -988,14 +939,10 @@ PROCESS_ARGS:
{
$cross_compile_prefix=$1;
}
elsif (/^-[lL](.*)$/ or /^-Wl,/)
else
{
$libs.=$_." ";
}
else # common if (/^[-+]/), just pass down...
{
$_ =~ s/%([0-9a-f]{1,2})/chr(hex($1))/gei;
$flags.=$_." ";
print STDERR $usage;
exit(1);
}
}
elsif ($_ =~ /^([^:]+):(.+)$/)
@ -1222,7 +1169,6 @@ my $cc = $fields[$idx_cc];
if($ENV{CC}) {
$cc = $ENV{CC};
}
my $cflags = $fields[$idx_cflags];
my $unistd = $fields[$idx_unistd];
my $thread_cflag = $fields[$idx_thread_cflag];
@ -1231,7 +1177,6 @@ my $lflags = $fields[$idx_lflags];
my $bn_ops = $fields[$idx_bn_ops];
my $cpuid_obj = $fields[$idx_cpuid_obj];
my $bn_obj = $fields[$idx_bn_obj];
my $ec_obj = $fields[$idx_ec_obj];
my $des_obj = $fields[$idx_des_obj];
my $aes_obj = $fields[$idx_aes_obj];
my $bf_obj = $fields[$idx_bf_obj];
@ -1277,12 +1222,6 @@ if ($target =~ /^mingw/ && `$cc --target-help 2>&1` !~ m/\-mno\-cygwin/m)
$shared_ldflag =~ s/\-mno\-cygwin\s*//;
}
if ($target =~ /linux.*\-mips/ && !$no_asm && $flags !~ /\-m(ips|arch=)/) {
# minimally required architecture flags for assembly modules
$cflags="-mips2 $cflags" if ($target =~ /mips32/);
$cflags="-mips3 $cflags" if ($target =~ /mips64/);
}
my $no_shared_warn=0;
my $no_user_cflags=0;
@ -1409,7 +1348,7 @@ $lflags="$libs$lflags" if ($libs ne "");
if ($no_asm)
{
$cpuid_obj=$bn_obj=$ec_obj=
$cpuid_obj=$bn_obj=
$des_obj=$aes_obj=$bf_obj=$cast_obj=$rc4_obj=$rc5_obj=$cmll_obj=
$modes_obj=$sha1_obj=$md5_obj=$rmd160_obj=$wp_obj=$engines_obj="";
}
@ -1490,7 +1429,6 @@ if ($target =~ /\-icc$/) # Intel C compiler
}
if ($iccver>=8)
{
$cflags=~s/\-KPIC/-fPIC/;
# Eliminate unnecessary dependency from libirc.a. This is
# essential for shared library support, as otherwise
# apps/openssl can end up in endless loop upon startup...
@ -1498,17 +1436,12 @@ if ($target =~ /\-icc$/) # Intel C compiler
}
if ($iccver>=9)
{
$lflags.=" -i-static";
$lflags=~s/\-no_cpprt/-no-cpprt/;
$cflags.=" -i-static";
$cflags=~s/\-no_cpprt/-no-cpprt/;
}
if ($iccver>=10)
{
$lflags=~s/\-i\-static/-static-intel/;
}
if ($iccver>=11)
{
$cflags.=" -no-intel-extensions"; # disable Cilk
$lflags=~s/\-no\-cpprt/-no-cxxlib/;
$cflags=~s/\-i\-static/-static-intel/;
}
}
@ -1589,7 +1522,7 @@ if ($rmd160_obj =~ /\.o$/)
}
if ($aes_obj =~ /\.o$/)
{
$cflags.=" -DAES_ASM" if ($aes_obj =~ m/\baes\-/);;
$cflags.=" -DAES_ASM";
# aes-ctr.o is not a real file, only indication that assembler
# module implements AES_ctr32_encrypt...
$cflags.=" -DAES_CTR_ASM" if ($aes_obj =~ s/\s*aes\-ctr\.o//);
@ -1611,14 +1544,10 @@ else {
$wp_obj="wp_block.o";
}
$cmll_obj=$cmll_enc unless ($cmll_obj =~ /.o$/);
if ($modes_obj =~ /ghash\-/)
if ($modes_obj =~ /ghash/)
{
$cflags.=" -DGHASH_ASM";
}
if ($ec_obj =~ /ecp_nistz256/)
{
$cflags.=" -DECP_NISTZ256_ASM";
}
# "Stringify" the C flags string. This permits it to be made part of a string
# and works as well on command lines.
@ -1656,11 +1585,10 @@ if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/)
$shlib_minor=$2;
}
my $ecc = $cc;
$ecc = "clang" if `$cc --version 2>&1` =~ /clang/;
if ($strict_warnings)
{
my $ecc = $cc;
$ecc = "clang" if `$cc --version 2>&1` =~ /clang/;
my $wopt;
die "ERROR --strict-warnings requires gcc or clang" unless ($ecc =~ /gcc$/ or $ecc =~ /clang$/);
foreach $wopt (split /\s+/, $gcc_devteam_warn)
@ -1724,7 +1652,6 @@ while (<IN>)
s/^AR=\s*ar/AR= $ar/;
s/^RANLIB=.*/RANLIB= $ranlib/;
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $ecc eq "gcc" || $ecc eq "clang";
}
s/^CFLAG=.*$/CFLAG= $cflags/;
s/^DEPFLAG=.*$/DEPFLAG=$depflags/;
@ -1733,7 +1660,6 @@ while (<IN>)
s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/;
s/^CPUID_OBJ=.*$/CPUID_OBJ= $cpuid_obj/;
s/^BN_ASM=.*$/BN_ASM= $bn_obj/;
s/^EC_ASM=.*$/EC_ASM= $ec_obj/;
s/^DES_ENC=.*$/DES_ENC= $des_obj/;
s/^AES_ENC=.*$/AES_ENC= $aes_obj/;
s/^BF_ENC=.*$/BF_ENC= $bf_obj/;
@ -1795,7 +1721,6 @@ print "CFLAG =$cflags\n";
print "EX_LIBS =$lflags\n";
print "CPUID_OBJ =$cpuid_obj\n";
print "BN_ASM =$bn_obj\n";
print "EC_ASM =$ec_obj\n";
print "DES_ENC =$des_obj\n";
print "AES_ENC =$aes_obj\n";
print "BF_ENC =$bf_obj\n";
@ -2088,7 +2013,7 @@ BEGIN
VALUE "ProductVersion", "$version\\0"
// Optional:
//VALUE "Comments", "\\0"
VALUE "LegalCopyright", "Copyright © 1998-2005 The OpenSSL Project. Copyright © 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.\\0"
VALUE "LegalCopyright", "Copyright © 1998-2005 The OpenSSL Project. Copyright © 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.\\0"
//VALUE "LegalTrademarks", "\\0"
//VALUE "PrivateBuild", "\\0"
//VALUE "SpecialBuild", "\\0"
@ -2203,12 +2128,12 @@ sub print_table_entry
{
my $target = shift;
my ($cc, $cflags, $unistd, $thread_cflag, $sys_id, $lflags,
$bn_ops, $cpuid_obj, $bn_obj, $ec_obj, $des_obj, $aes_obj, $bf_obj,
$md5_obj, $sha1_obj, $cast_obj, $rc4_obj, $rmd160_obj,
$rc5_obj, $wp_obj, $cmll_obj, $modes_obj, $engines_obj,
$perlasm_scheme, $dso_scheme, $shared_target, $shared_cflag,
$shared_ldflag, $shared_extension, $ranlib, $arflags, $multilib)=
(my $cc,my $cflags,my $unistd,my $thread_cflag,my $sys_id,my $lflags,
my $bn_ops,my $cpuid_obj,my $bn_obj,my $des_obj,my $aes_obj, my $bf_obj,
my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj,
my $rc5_obj,my $wp_obj,my $cmll_obj,my $modes_obj, my $engines_obj,
my $perlasm_scheme,my $dso_scheme,my $shared_target,my $shared_cflag,
my $shared_ldflag,my $shared_extension,my $ranlib,my $arflags,my $multilib)=
split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
print <<EOF
@ -2223,7 +2148,6 @@ sub print_table_entry
\$bn_ops = $bn_ops
\$cpuid_obj = $cpuid_obj
\$bn_obj = $bn_obj
\$ec_obj = $ec_obj
\$des_obj = $des_obj
\$aes_obj = $aes_obj
\$bf_obj = $bf_obj

View File

@ -1,8 +0,0 @@
#!/bin/sh
BRANCH=`git rev-parse --abbrev-ref HEAD`
./Configure $@ no-symlinks
make files
util/mk1mf.pl OUT=out.$BRANCH TMP=tmp.$BRANCH INC=inc.$BRANCH copy > makefile.$BRANCH
make -f makefile.$BRANCH init

View File

@ -1,5 +0,0 @@
#!/bin/sh
BRANCH=`git rev-parse --abbrev-ref HEAD`
make -f makefile.$BRANCH $@

View File

@ -69,7 +69,7 @@ RANLIB= ranlib
NM= nm
PERL= perl
TAR= tar
TARFLAGS= --no-recursion
TARFLAGS= --no-recursion --record-size=10240
MAKEDEPPROG=makedepend
LIBDIR=lib
@ -88,7 +88,6 @@ PROCESSOR=
# CPUID module collects small commonly used assembler snippets
CPUID_OBJ=
BN_ASM= bn_asm.o
EC_ASM=
DES_ENC= des_enc.o fcrypt_b.o
AES_ENC= aes_core.o aes_cbc.o
BF_ENC= bf_enc.o
@ -202,9 +201,7 @@ CLEARENV= TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS} \
$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS} \
$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
# LC_ALL=C ensures that error [and other] messages are delivered in
# same language for uniform treatment.
BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
BUILDENV= PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
CC='$(CC)' CFLAG='$(CFLAG)' \
AS='$(CC)' ASFLAG='$(CFLAG) -c' \
AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)' \
@ -223,8 +220,8 @@ BUILDENV= LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)' \
SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)' \
PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)' \
CPUID_OBJ='$(CPUID_OBJ)' BN_ASM='$(BN_ASM)' \
EC_ASM='$(EC_ASM)' DES_ENC='$(DES_ENC)' \
CPUID_OBJ='$(CPUID_OBJ)' \
BN_ASM='$(BN_ASM)' DES_ENC='$(DES_ENC)' \
AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)' \
BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)' \
RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)' \
@ -332,7 +329,7 @@ clean-shared:
done; \
fi; \
( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
if [ "$(PLATFORM)" = "Cygwin" ]; then \
( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
fi; \
done
@ -381,11 +378,11 @@ libssl.pc: Makefile
echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
echo 'includedir=$${prefix}/include'; \
echo ''; \
echo 'Name: OpenSSL-libssl'; \
echo 'Name: OpenSSL'; \
echo 'Description: Secure Sockets Layer and cryptography libraries'; \
echo 'Version: '$(VERSION); \
echo 'Requires.private: libcrypto'; \
echo 'Libs: -L$${libdir} -lssl'; \
echo 'Requires: '; \
echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
echo 'Libs.private: $(EX_LIBS)'; \
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
@ -398,7 +395,10 @@ openssl.pc: Makefile
echo 'Name: OpenSSL'; \
echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
echo 'Version: '$(VERSION); \
echo 'Requires: libssl libcrypto' ) > openssl.pc
echo 'Requires: '; \
echo 'Libs: -L$${libdir} -lssl -lcrypto'; \
echo 'Libs.private: $(EX_LIBS)'; \
echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
Makefile: Makefile.org Configure config
@echo "Makefile is older than Makefile.org, Configure or config."
@ -561,7 +561,11 @@ install_sw:
do \
if [ -f "$$i" -o -f "$$i.a" ]; then \
( echo installing $$i; \
if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
if [ "$(PLATFORM)" != "Cygwin" ]; then \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
else \
c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
@ -569,10 +573,6 @@ install_sw:
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
else \
cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
fi ); \
if expr $(PLATFORM) : 'mingw' > /dev/null; then \
( case $$i in \
@ -605,10 +605,6 @@ install_sw:
install_html_docs:
here="`pwd`"; \
filecase=; \
case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
filecase=-i; \
esac; \
for subdir in apps crypto ssl; do \
mkdir -p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
for i in doc/$$subdir/*.pod; do \
@ -637,9 +633,9 @@ install_docs:
@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
here="`pwd`"; \
filecase=; \
case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \
filecase=-i; \
esac; \
fi; \
set -e; for i in doc/apps/*.pod; do \
fn=`basename $$i .pod`; \
sec=`$(PERL) util/extract-section.pl 1 < $$i`; \

View File

@ -272,7 +272,7 @@ link_o.cygwin:
SHLIB_SOVER=${LIBVERSION:+"-$(LIBVERSION)"}; \
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base $$deffile -Wl,-Bsymbolic"; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base $$deffile -Wl,-s,-Bsymbolic"; \
$(LINK_SO_O)
#for mingw target if def-file is in use dll-name should match library-name
link_a.cygwin:
@ -289,7 +289,7 @@ link_a.cygwin:
SHLIB_SOVER=32; \
extras="$(LIBNAME).def"; \
$(PERL) util/mkdef.pl 32 $$SHLIB > $$extras; \
base=; [ $(LIBNAME) = "crypto" -a -n "$(FIPSCANLIB)" ] && base=-Wl,--image-base,0x63000000; \
base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
fi; \
dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
$(PERL) util/mkrc.pl $$dll_name | \
@ -297,7 +297,7 @@ link_a.cygwin:
extras="$$extras rc.o"; \
ALLSYMSFLAGS='-Wl,--whole-archive'; \
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a $$extras"; \
SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-s,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a $$extras"; \
[ -f apps/$$dll_name ] && rm apps/$$dll_name; \
[ -f test/$$dll_name ] && rm test/$$dll_name; \
$(LINK_SO_A) || exit 1; \

36
NEWS
View File

@ -5,11 +5,11 @@
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [under development]
Major changes between OpenSSL 1.0.1s and OpenSSL 1.0.1t [under development]
o
Major changes between OpenSSL 1.0.2f and OpenSSL 1.0.2g [1 Mar 2016]
Major changes between OpenSSL 1.0.1r and OpenSSL 1.0.1s [1 Mar 2016]
o Disable weak ciphers in SSLv3 and up in default builds of OpenSSL.
o Disable SSLv2 default build, default negotiation and weak ciphers
@ -22,30 +22,29 @@
o Fix memory issues in BIO_*printf functions (CVE-2016-0799)
o Fix side channel attack on modular exponentiation (CVE-2016-0702)
Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
Major changes between OpenSSL 1.0.1q and OpenSSL 1.0.1r [28 Jan 2016]
o DH small subgroups (CVE-2016-0701)
o Protection for DH small subgroup attacks
o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)
Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
Major changes between OpenSSL 1.0.1p and OpenSSL 1.0.1q [3 Dec 2015]
o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
o X509_ATTRIBUTE memory leak (CVE-2015-3195)
o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
o In DSA_generate_parameters_ex, if the provided seed is too short,
return an error
Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]
Major changes between OpenSSL 1.0.1o and OpenSSL 1.0.1p [9 Jul 2015]
o Alternate chains certificate forgery (CVE-2015-1793)
o Race condition handling PSK identify hint (CVE-2015-3196)
Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]
Major changes between OpenSSL 1.0.1n and OpenSSL 1.0.1o [12 Jun 2015]
o Fix HMAC ABI incompatibility
Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]
Major changes between OpenSSL 1.0.1m and OpenSSL 1.0.1n [11 Jun 2015]
o Malformed ECParameters causes infinite loop (CVE-2015-1788)
o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
@ -53,33 +52,16 @@
o CMS verify infinite loop with unknown hash function (CVE-2015-1792)
o Race condition handling NewSessionTicket (CVE-2015-1791)
Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015]
Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.1m [19 Mar 2015]
o OpenSSL 1.0.2 ClientHello sigalgs DoS fix (CVE-2015-0291)
o Multiblock corrupted pointer fix (CVE-2015-0290)
o Segmentation fault in DTLSv1_listen fix (CVE-2015-0207)
o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
o Segmentation fault for invalid PSS parameters fix (CVE-2015-0208)
o ASN.1 structure reuse memory corruption fix (CVE-2015-0287)
o PKCS7 NULL pointer dereferences fix (CVE-2015-0289)
o DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293)
o Empty CKE with client auth and DHE fix (CVE-2015-1787)
o Handshake with unseeded PRNG fix (CVE-2015-0285)
o Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209)
o X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288)
o Removed the export ciphers from the DEFAULT ciphers
Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]:
o Suite B support for TLS 1.2 and DTLS 1.2
o Support for DTLS 1.2
o TLS automatic EC curve selection.
o API to set TLS supported signature algorithms and curves
o SSL_CONF configuration API.
o TLS Brainpool support.
o ALPN support.
o CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015]
o Build fixes for the Windows and OpenVMS platforms

2
README
View File

@ -1,5 +1,5 @@
OpenSSL 1.0.2h-dev
OpenSSL 1.0.1t-dev
Copyright (c) 1998-2015 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson

1000
TABLE

File diff suppressed because it is too large Load Diff

View File

@ -124,7 +124,10 @@ int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
char buffer[200];
#ifdef OPENSSL_SYS_WINDOWS
BIO_printf(bio_e, "Loading 'screen' into random state -");
BIO_flush(bio_e);
RAND_screen();
BIO_printf(bio_e, " done\n");
#endif
if (file == NULL)

View File

@ -282,8 +282,6 @@ int str2fmt(char *s)
return (FORMAT_PKCS12);
else if ((*s == 'E') || (*s == 'e'))
return (FORMAT_ENGINE);
else if ((*s == 'H') || (*s == 'h'))
return FORMAT_HTTP;
else if ((*s == 'P') || (*s == 'p')) {
if (s[1] == 'V' || s[1] == 'v')
return FORMAT_PVK;
@ -786,72 +784,12 @@ static int load_pkcs12(BIO *err, BIO *in, const char *desc,
return ret;
}
int load_cert_crl_http(const char *url, BIO *err,
X509 **pcert, X509_CRL **pcrl)
{
char *host = NULL, *port = NULL, *path = NULL;
BIO *bio = NULL;
OCSP_REQ_CTX *rctx = NULL;
int use_ssl, rv = 0;
if (!OCSP_parse_url(url, &host, &port, &path, &use_ssl))
goto err;
if (use_ssl) {
if (err)
BIO_puts(err, "https not supported\n");
goto err;
}
bio = BIO_new_connect(host);
if (!bio || !BIO_set_conn_port(bio, port))
goto err;
rctx = OCSP_REQ_CTX_new(bio, 1024);
if (!rctx)
goto err;
if (!OCSP_REQ_CTX_http(rctx, "GET", path))
goto err;
if (!OCSP_REQ_CTX_add1_header(rctx, "Host", host))
goto err;
if (pcert) {
do {
rv = X509_http_nbio(rctx, pcert);
}
while (rv == -1);
} else {
do {
rv = X509_CRL_http_nbio(rctx, pcrl);
} while (rv == -1);
}
err:
if (host)
OPENSSL_free(host);
if (path)
OPENSSL_free(path);
if (port)
OPENSSL_free(port);
if (bio)
BIO_free_all(bio);
if (rctx)
OCSP_REQ_CTX_free(rctx);
if (rv != 1) {
if (bio && err)
BIO_printf(bio_err, "Error loading %s from %s\n",
pcert ? "certificate" : "CRL", url);
ERR_print_errors(bio_err);
}
return rv;
}
X509 *load_cert(BIO *err, const char *file, int format,
const char *pass, ENGINE *e, const char *cert_descrip)
{
X509 *x = NULL;
BIO *cert;
if (format == FORMAT_HTTP) {
load_cert_crl_http(file, err, &x, NULL);
return x;
}
if ((cert = BIO_new(BIO_s_file())) == NULL) {
ERR_print_errors(err);
goto end;
@ -909,49 +847,6 @@ X509 *load_cert(BIO *err, const char *file, int format,
return (x);
}
X509_CRL *load_crl(const char *infile, int format)
{
X509_CRL *x = NULL;
BIO *in = NULL;
if (format == FORMAT_HTTP) {
load_cert_crl_http(infile, bio_err, NULL, &x);
return x;
}
in = BIO_new(BIO_s_file());
if (in == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if (infile == NULL)
BIO_set_fp(in, stdin, BIO_NOCLOSE);
else {
if (BIO_read_filename(in, infile) <= 0) {
perror(infile);
goto end;
}
}
if (format == FORMAT_ASN1)
x = d2i_X509_CRL_bio(in, NULL);
else if (format == FORMAT_PEM)
x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
else {
BIO_printf(bio_err, "bad input format specified for input crl\n");
goto end;
}
if (x == NULL) {
BIO_printf(bio_err, "unable to load CRL\n");
ERR_print_errors(bio_err);
goto end;
}
end:
BIO_free(in);
return (x);
}
EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *key_descrip)
{
@ -2265,9 +2160,6 @@ int args_verify(char ***pargs, int *pargc,
char **oldargs = *pargs;
char *arg = **pargs, *argn = (*pargs)[1];
time_t at_time = 0;
char *hostname = NULL;
char *email = NULL;
char *ipasc = NULL;
if (!strcmp(arg, "-policy")) {
if (!argn)
*badarg = 1;
@ -2321,21 +2213,6 @@ int args_verify(char ***pargs, int *pargc,
at_time = (time_t)timestamp;
}
(*pargs)++;
} else if (strcmp(arg, "-verify_hostname") == 0) {
if (!argn)
*badarg = 1;
hostname = argn;
(*pargs)++;
} else if (strcmp(arg, "-verify_email") == 0) {
if (!argn)
*badarg = 1;
email = argn;
(*pargs)++;
} else if (strcmp(arg, "-verify_ip") == 0) {
if (!argn)
*badarg = 1;
ipasc = argn;
(*pargs)++;
} else if (!strcmp(arg, "-ignore_critical"))
flags |= X509_V_FLAG_IGNORE_CRITICAL;
else if (!strcmp(arg, "-issuer_checks"))
@ -2362,16 +2239,6 @@ int args_verify(char ***pargs, int *pargc,
flags |= X509_V_FLAG_NOTIFY_POLICY;
else if (!strcmp(arg, "-check_ss_sig"))
flags |= X509_V_FLAG_CHECK_SS_SIGNATURE;
else if (!strcmp(arg, "-trusted_first"))
flags |= X509_V_FLAG_TRUSTED_FIRST;
else if (!strcmp(arg, "-suiteB_128_only"))
flags |= X509_V_FLAG_SUITEB_128_LOS_ONLY;
else if (!strcmp(arg, "-suiteB_128"))
flags |= X509_V_FLAG_SUITEB_128_LOS;
else if (!strcmp(arg, "-suiteB_192"))
flags |= X509_V_FLAG_SUITEB_192_LOS;
else if (!strcmp(arg, "-partial_chain"))
flags |= X509_V_FLAG_PARTIAL_CHAIN;
else if (!strcmp(arg, "-no_alt_chains"))
flags |= X509_V_FLAG_NO_ALT_CHAINS;
else
@ -2403,15 +2270,6 @@ int args_verify(char ***pargs, int *pargc,
if (at_time)
X509_VERIFY_PARAM_set_time(*pm, at_time);
if (hostname && !X509_VERIFY_PARAM_set1_host(*pm, hostname, 0))
*badarg = 1;
if (email && !X509_VERIFY_PARAM_set1_email(*pm, email, 0))
*badarg = 1;
if (ipasc && !X509_VERIFY_PARAM_set1_ip_asc(*pm, ipasc))
*badarg = 1;
end:
(*pargs)++;
@ -2442,11 +2300,7 @@ int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
else
len = 1024;
len = BIO_read(in, tbuf, len);
if (len < 0) {
BIO_free(mem);
return -1;
}
if (len == 0)
if (len <= 0)
break;
if (BIO_write(mem, tbuf, len) != len) {
BIO_free(mem);
@ -2463,7 +2317,7 @@ int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
return ret;
}
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value)
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value)
{
int rv;
char *stmp, *vtmp = NULL;
@ -2699,9 +2553,6 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret)
BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
if (psk_key)
OPENSSL_free(psk_key);
psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
BIO_pop(bconn);
@ -2731,9 +2582,6 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
BIO_puts(out, "JPAKE authentication succeeded, setting PSK\n");
if (psk_key)
OPENSSL_free(psk_key);
psk_key = BN_bn2hex(JPAKE_get_shared_key(ctx));
BIO_pop(bconn);
@ -2744,7 +2592,7 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret)
#endif
#ifndef OPENSSL_NO_TLSEXT
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
/*-
* next_protos_parse parses a comma separated list of strings into a string
* in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
@ -2783,106 +2631,8 @@ unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
*outlen = len + 1;
return out;
}
#endif /* ndef OPENSSL_NO_TLSEXT */
void print_cert_checks(BIO *bio, X509 *x,
const char *checkhost,
const char *checkemail, const char *checkip)
{
if (x == NULL)
return;
if (checkhost) {
BIO_printf(bio, "Hostname %s does%s match certificate\n",
checkhost, X509_check_host(x, checkhost, 0, 0, NULL) == 1
? "" : " NOT");
}
if (checkemail) {
BIO_printf(bio, "Email %s does%s match certificate\n",
checkemail, X509_check_email(x, checkemail, 0,
0) ? "" : " NOT");
}
if (checkip) {
BIO_printf(bio, "IP %s does%s match certificate\n",
checkip, X509_check_ip_asc(x, checkip, 0) ? "" : " NOT");
}
}
/* Get first http URL from a DIST_POINT structure */
static const char *get_dp_url(DIST_POINT *dp)
{
GENERAL_NAMES *gens;
GENERAL_NAME *gen;
int i, gtype;
ASN1_STRING *uri;
if (!dp->distpoint || dp->distpoint->type != 0)
return NULL;
gens = dp->distpoint->name.fullname;
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
gen = sk_GENERAL_NAME_value(gens, i);
uri = GENERAL_NAME_get0_value(gen, &gtype);
if (gtype == GEN_URI && ASN1_STRING_length(uri) > 6) {
char *uptr = (char *)ASN1_STRING_data(uri);
if (!strncmp(uptr, "http://", 7))
return uptr;
}
}
return NULL;
}
/*
* Look through a CRLDP structure and attempt to find an http URL to
* downloads a CRL from.
*/
static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
{
int i;
const char *urlptr = NULL;
for (i = 0; i < sk_DIST_POINT_num(crldp); i++) {
DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);
urlptr = get_dp_url(dp);
if (urlptr)
return load_crl(urlptr, FORMAT_HTTP);
}
return NULL;
}
/*
* Example of downloading CRLs from CRLDP: not usable for real world as it
* always downloads, doesn't support non-blocking I/O and doesn't cache
* anything.
*/
static STACK_OF(X509_CRL) *crls_http_cb(X509_STORE_CTX *ctx, X509_NAME *nm)
{
X509 *x;
STACK_OF(X509_CRL) *crls = NULL;
X509_CRL *crl;
STACK_OF(DIST_POINT) *crldp;
x = X509_STORE_CTX_get_current_cert(ctx);
crldp = X509_get_ext_d2i(x, NID_crl_distribution_points, NULL, NULL);
crl = load_crl_crldp(crldp);
sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
if (!crl)
return NULL;
crls = sk_X509_CRL_new_null();
sk_X509_CRL_push(crls, crl);
/* Try to download delta CRL */
crldp = X509_get_ext_d2i(x, NID_freshest_crl, NULL, NULL);
crl = load_crl_crldp(crldp);
sk_DIST_POINT_pop_free(crldp, DIST_POINT_free);
if (crl)
sk_X509_CRL_push(crls, crl);
return crls;
}
void store_setup_crl_download(X509_STORE *st)
{
X509_STORE_set_lookup_crls_cb(st, crls_http_cb);
}
#endif /* !OPENSSL_NO_TLSEXT &&
* !OPENSSL_NO_NEXTPROTONEG */
/*
* Platform-specific sections

View File

@ -205,7 +205,7 @@ extern BIO *bio_err;
# endif
# endif
# if defined(OPENSSL_SYSNAME_WIN32) || defined(OPENSSL_SYSNAME_WINCE)
# ifdef OPENSSL_SYSNAME_WIN32
# define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
# else
# define openssl_fdset(a,b) FD_SET(a, b)
@ -245,9 +245,6 @@ int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
int add_oid_section(BIO *err, CONF *conf);
X509 *load_cert(BIO *err, const char *file, int format,
const char *pass, ENGINE *e, const char *cert_descrip);
X509_CRL *load_crl(const char *infile, int format);
int load_cert_crl_http(const char *url, BIO *err,
X509 **pcert, X509_CRL **pcrl);
EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
const char *pass, ENGINE *e, const char *key_descrip);
EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
@ -265,9 +262,8 @@ ENGINE *setup_engine(BIO *err, const char *engine, int debug);
# ifndef OPENSSL_NO_OCSP
OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
const char *host, const char *path,
const char *port, int use_ssl,
const STACK_OF(CONF_VALUE) *headers,
char *host, char *path, char *port,
int use_ssl, STACK_OF(CONF_VALUE) *headers,
int req_timeout);
# endif
@ -321,7 +317,7 @@ int args_verify(char ***pargs, int *pargc,
int *badarg, BIO *err, X509_VERIFY_PARAM **pm);
void policies_print(BIO *out, X509_STORE_CTX *ctx);
int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
const char *algname, ENGINE *e, int do_param);
int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
@ -338,15 +334,10 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
# endif
# ifndef OPENSSL_NO_TLSEXT
# if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
# endif /* ndef OPENSSL_NO_TLSEXT */
void print_cert_checks(BIO *bio, X509 *x,
const char *checkhost,
const char *checkemail, const char *checkip);
void store_setup_crl_download(X509_STORE *st);
# endif /* !OPENSSL_NO_TLSEXT &&
* !OPENSSL_NO_NEXTPROTONEG */
# define FORMAT_UNDEF 0
# define FORMAT_ASN1 1
@ -362,7 +353,6 @@ void store_setup_crl_download(X509_STORE *st);
# define FORMAT_ASN1RSA 10 /* DER RSAPubicKey format */
# define FORMAT_MSBLOB 11 /* MS Key blob format */
# define FORMAT_PVK 12 /* MS PVK file format */
# define FORMAT_HTTP 13 /* Download using HTTP */
# define EXT_COPY_NONE 0
# define EXT_COPY_ADD 1

View File

@ -473,11 +473,6 @@ int MAIN(int argc, char **argv)
goto bad;
infile = *(++argv);
dorevoke = 1;
} else if (strcmp(*argv, "-valid") == 0) {
if (--argc < 1)
goto bad;
infile = *(++argv);
dorevoke = 2;
} else if (strcmp(*argv, "-extensions") == 0) {
if (--argc < 1)
goto bad;
@ -1440,8 +1435,6 @@ int MAIN(int argc, char **argv)
revcert = load_cert(bio_err, infile, FORMAT_PEM, NULL, e, infile);
if (revcert == NULL)
goto err;
if (dorevoke == 2)
rev_type = -1;
j = do_revoke(revcert, db, rev_type, rev_arg);
if (j <= 0)
goto err;
@ -1969,12 +1962,8 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
if (enddate == NULL)
X509_time_adj_ex(X509_get_notAfter(ret), days, 0, NULL);
else {
int tdays;
else
ASN1_TIME_set_string(X509_get_notAfter(ret), enddate);
ASN1_TIME_diff(&tdays, NULL, NULL, X509_get_notAfter(ret));
days = tdays;
}
if (!X509_set_subject_name(ret, subject))
goto err;
@ -2414,20 +2403,13 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
}
/* Revoke Certificate */
if (type == -1)
ok = 1;
else
ok = do_revoke(x509, db, type, value);
ok = do_revoke(x509, db, type, value);
goto err;
} else if (index_name_cmp_noconst(row, rrow)) {
BIO_printf(bio_err, "ERROR:name does not match %s\n", row[DB_name]);
goto err;
} else if (type == -1) {
BIO_printf(bio_err, "ERROR:Already present, serial number %s\n",
row[DB_serial]);
goto err;
} else if (rrow[DB_type][0] == 'R') {
BIO_printf(bio_err, "ERROR:Already revoked, serial number %s\n",
row[DB_serial]);

View File

@ -85,9 +85,6 @@ int MAIN(int argc, char **argv)
{
int ret = 1, i;
int verbose = 0, Verbose = 0;
#ifndef OPENSSL_NO_SSL_TRACE
int stdname = 0;
#endif
const char **pp;
const char *p;
int badops = 0;
@ -122,10 +119,6 @@ int MAIN(int argc, char **argv)
verbose = 1;
else if (strcmp(*argv, "-V") == 0)
verbose = Verbose = 1;
#ifndef OPENSSL_NO_SSL_TRACE
else if (strcmp(*argv, "-stdname") == 0)
stdname = verbose = 1;
#endif
#ifndef OPENSSL_NO_SSL2
else if (strcmp(*argv, "-ssl2") == 0)
meth = SSLv2_client_method();
@ -209,14 +202,7 @@ int MAIN(int argc, char **argv)
id1, id2, id3);
}
}
#ifndef OPENSSL_NO_SSL_TRACE
if (stdname) {
const char *nm = SSL_CIPHER_standard_name(c);
if (nm == NULL)
nm = "UNKNOWN";
BIO_printf(STDout, "%s - ", nm);
}
#endif
BIO_puts(STDout, SSL_CIPHER_description(c, buf, sizeof buf));
}
}

View File

@ -75,8 +75,6 @@ static void receipt_request_print(BIO *out, CMS_ContentInfo *cms);
static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
*rr_to, int rr_allorfirst, STACK_OF(OPENSSL_STRING)
*rr_from);
static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
STACK_OF(OPENSSL_STRING) *param);
# define SMIME_OP 0x10
# define SMIME_IP 0x20
@ -100,14 +98,6 @@ static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
int verify_err = 0;
typedef struct cms_key_param_st cms_key_param;
struct cms_key_param_st {
int idx;
STACK_OF(OPENSSL_STRING) *param;
cms_key_param *next;
};
int MAIN(int, char **);
int MAIN(int argc, char **argv)
@ -122,7 +112,7 @@ int MAIN(int argc, char **argv)
STACK_OF(OPENSSL_STRING) *sksigners = NULL, *skkeys = NULL;
char *certfile = NULL, *keyfile = NULL, *contfile = NULL;
char *certsoutfile = NULL;
const EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL;
const EVP_CIPHER *cipher = NULL;
CMS_ContentInfo *cms = NULL, *rcms = NULL;
X509_STORE *store = NULL;
X509 *cert = NULL, *recip = NULL, *signer = NULL;
@ -150,8 +140,6 @@ int MAIN(int argc, char **argv)
unsigned char *pwri_pass = NULL, *pwri_tmp = NULL;
size_t secret_keylen = 0, secret_keyidlen = 0;
cms_key_param *key_first = NULL, *key_param = NULL;
ASN1_OBJECT *econtent_type = NULL;
X509_VERIFY_PARAM *vpm = NULL;
@ -213,8 +201,6 @@ int MAIN(int argc, char **argv)
cipher = EVP_des_ede3_cbc();
else if (!strcmp(*args, "-des"))
cipher = EVP_des_cbc();
else if (!strcmp(*args, "-des3-wrap"))
wrap_cipher = EVP_des_ede3_wrap();
# endif
# ifndef OPENSSL_NO_SEED
else if (!strcmp(*args, "-seed"))
@ -235,12 +221,6 @@ int MAIN(int argc, char **argv)
cipher = EVP_aes_192_cbc();
else if (!strcmp(*args, "-aes256"))
cipher = EVP_aes_256_cbc();
else if (!strcmp(*args, "-aes128-wrap"))
wrap_cipher = EVP_aes_128_wrap();
else if (!strcmp(*args, "-aes192-wrap"))
wrap_cipher = EVP_aes_192_wrap();
else if (!strcmp(*args, "-aes256-wrap"))
wrap_cipher = EVP_aes_256_wrap();
# endif
# ifndef OPENSSL_NO_CAMELLIA
else if (!strcmp(*args, "-camellia128"))
@ -398,17 +378,7 @@ int MAIN(int argc, char **argv)
} else if (!strcmp(*args, "-recip")) {
if (!args[1])
goto argerr;
if (operation == SMIME_ENCRYPT) {
if (!encerts)
encerts = sk_X509_new_null();
cert = load_cert(bio_err, *++args, FORMAT_PEM,
NULL, e, "recipient certificate file");
if (!cert)
goto end;
sk_X509_push(encerts, cert);
cert = NULL;
} else
recipfile = *++args;
recipfile = *++args;
} else if (!strcmp(*args, "-certsout")) {
if (!args[1])
goto argerr;
@ -443,40 +413,6 @@ int MAIN(int argc, char **argv)
if (!args[1])
goto argerr;
keyform = str2fmt(*++args);
} else if (!strcmp(*args, "-keyopt")) {
int keyidx = -1;
if (!args[1])
goto argerr;
if (operation == SMIME_ENCRYPT) {
if (encerts)
keyidx += sk_X509_num(encerts);
} else {
if (keyfile || signerfile)
keyidx++;
if (skkeys)
keyidx += sk_OPENSSL_STRING_num(skkeys);
}
if (keyidx < 0) {
BIO_printf(bio_err, "No key specified\n");
goto argerr;
}
if (key_param == NULL || key_param->idx != keyidx) {
cms_key_param *nparam;
nparam = OPENSSL_malloc(sizeof(cms_key_param));
if (!nparam) {
BIO_printf(bio_err, "Out of memory\n");
goto argerr;
}
nparam->idx = keyidx;
nparam->param = sk_OPENSSL_STRING_new_null();
nparam->next = NULL;
if (key_first == NULL)
key_first = nparam;
else
key_param->next = nparam;
key_param = nparam;
}
sk_OPENSSL_STRING_push(key_param->param, *++args);
} else if (!strcmp(*args, "-rctform")) {
if (!args[1])
goto argerr;
@ -566,7 +502,7 @@ int MAIN(int argc, char **argv)
badarg = 1;
}
} else if (operation == SMIME_ENCRYPT) {
if (!*args && !secret_key && !pwri_pass && !encerts) {
if (!*args && !secret_key && !pwri_pass) {
BIO_printf(bio_err, "No recipient(s) certificate(s) specified\n");
badarg = 1;
}
@ -631,7 +567,6 @@ int MAIN(int argc, char **argv)
"-inkey file input private key (if not signer or recipient)\n");
BIO_printf(bio_err,
"-keyform arg input private key format (PEM or ENGINE)\n");
BIO_printf(bio_err, "-keyopt nm:v set public key parameters\n");
BIO_printf(bio_err, "-out file output file\n");
BIO_printf(bio_err,
"-outform arg output format SMIME (default), PEM or DER\n");
@ -717,7 +652,7 @@ int MAIN(int argc, char **argv)
goto end;
}
if (*args && !encerts)
if (*args)
encerts = sk_X509_new_null();
while (*args) {
if (!(cert = load_cert(bio_err, *args, FORMAT_PEM,
@ -869,39 +804,10 @@ int MAIN(int argc, char **argv)
} else if (operation == SMIME_COMPRESS) {
cms = CMS_compress(in, -1, flags);
} else if (operation == SMIME_ENCRYPT) {
int i;
flags |= CMS_PARTIAL;
cms = CMS_encrypt(NULL, in, cipher, flags);
cms = CMS_encrypt(encerts, in, cipher, flags);
if (!cms)
goto end;
for (i = 0; i < sk_X509_num(encerts); i++) {
CMS_RecipientInfo *ri;
cms_key_param *kparam;
int tflags = flags;
X509 *x = sk_X509_value(encerts, i);
for (kparam = key_first; kparam; kparam = kparam->next) {
if (kparam->idx == i) {
tflags |= CMS_KEY_PARAM;
break;
}
}
ri = CMS_add1_recipient_cert(cms, x, tflags);
if (!ri)
goto end;
if (kparam) {
EVP_PKEY_CTX *pctx;
pctx = CMS_RecipientInfo_get0_pkey_ctx(ri);
if (!cms_set_pkey_param(pctx, kparam->param))
goto end;
}
if (CMS_RecipientInfo_type(ri) == CMS_RECIPINFO_AGREE
&& wrap_cipher) {
EVP_CIPHER_CTX *wctx;
wctx = CMS_RecipientInfo_kari_get0_ctx(ri);
EVP_EncryptInit_ex(wctx, wrap_cipher, NULL, NULL, NULL);
}
}
if (secret_key) {
if (!CMS_add0_recipient_key(cms, NID_undef,
secret_key, secret_keylen,
@ -974,11 +880,8 @@ int MAIN(int argc, char **argv)
flags |= CMS_REUSE_DIGEST;
for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {
CMS_SignerInfo *si;
cms_key_param *kparam;
int tflags = flags;
signerfile = sk_OPENSSL_STRING_value(sksigners, i);
keyfile = sk_OPENSSL_STRING_value(skkeys, i);
signer = load_cert(bio_err, signerfile, FORMAT_PEM, NULL,
e, "signer certificate");
if (!signer)
@ -987,21 +890,9 @@ int MAIN(int argc, char **argv)
"signing key file");
if (!key)
goto end;
for (kparam = key_first; kparam; kparam = kparam->next) {
if (kparam->idx == i) {
tflags |= CMS_KEY_PARAM;
break;
}
}
si = CMS_add1_signer(cms, signer, key, sign_md, tflags);
si = CMS_add1_signer(cms, signer, key, sign_md, flags);
if (!si)
goto end;
if (kparam) {
EVP_PKEY_CTX *pctx;
pctx = CMS_SignerInfo_get0_pkey_ctx(si);
if (!cms_set_pkey_param(pctx, kparam->param))
goto end;
}
if (rr && !CMS_add1_ReceiptRequest(si, rr))
goto end;
X509_free(signer);
@ -1156,13 +1047,6 @@ int MAIN(int argc, char **argv)
sk_OPENSSL_STRING_free(rr_to);
if (rr_from)
sk_OPENSSL_STRING_free(rr_from);
for (key_param = key_first; key_param;) {
cms_key_param *tparam;
sk_OPENSSL_STRING_free(key_param->param);
tparam = key_param->next;
OPENSSL_free(key_param);
key_param = tparam;
}
X509_STORE_free(store);
X509_free(cert);
X509_free(recip);
@ -1336,22 +1220,4 @@ static CMS_ReceiptRequest *make_receipt_request(STACK_OF(OPENSSL_STRING)
return NULL;
}
static int cms_set_pkey_param(EVP_PKEY_CTX *pctx,
STACK_OF(OPENSSL_STRING) *param)
{
char *keyopt;
int i;
if (sk_OPENSSL_STRING_num(param) <= 0)
return 1;
for (i = 0; i < sk_OPENSSL_STRING_num(param); i++) {
keyopt = sk_OPENSSL_STRING_value(param, i);
if (pkey_ctrl_string(pctx, keyopt) <= 0) {
BIO_printf(bio_err, "parameter error \"%s\"\n", keyopt);
ERR_print_errors(bio_err);
return 0;
}
}
return 1;
}
#endif

View File

@ -96,6 +96,7 @@ static const char *crl_usage[] = {
NULL
};
static X509_CRL *load_crl(char *file, int format);
static BIO *bio_out = NULL;
int MAIN(int, char **);
@ -105,10 +106,10 @@ int MAIN(int argc, char **argv)
unsigned long nmflag = 0;
X509_CRL *x = NULL;
char *CAfile = NULL, *CApath = NULL;
int ret = 1, i, num, badops = 0, badsig = 0;
int ret = 1, i, num, badops = 0;
BIO *out = NULL;
int informat, outformat, keyformat;
char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
int informat, outformat;
char *infile = NULL, *outfile = NULL;
int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout =
0, text = 0;
#ifndef OPENSSL_NO_MD5
@ -146,7 +147,6 @@ int MAIN(int argc, char **argv)
informat = FORMAT_PEM;
outformat = FORMAT_PEM;
keyformat = FORMAT_PEM;
argc--;
argv++;
@ -173,18 +173,6 @@ int MAIN(int argc, char **argv)
if (--argc < 1)
goto bad;
infile = *(++argv);
} else if (strcmp(*argv, "-gendelta") == 0) {
if (--argc < 1)
goto bad;
crldiff = *(++argv);
} else if (strcmp(*argv, "-key") == 0) {
if (--argc < 1)
goto bad;
keyfile = *(++argv);
} else if (strcmp(*argv, "-keyform") == 0) {
if (--argc < 1)
goto bad;
keyformat = str2fmt(*(++argv));
} else if (strcmp(*argv, "-out") == 0) {
if (--argc < 1)
goto bad;
@ -226,8 +214,6 @@ int MAIN(int argc, char **argv)
fingerprint = ++num;
else if (strcmp(*argv, "-crlnumber") == 0)
crlnumber = ++num;
else if (strcmp(*argv, "-badsig") == 0)
badsig = 1;
else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
/* ok */
digest = md_alg;
@ -295,33 +281,6 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, "verify OK\n");
}
if (crldiff) {
X509_CRL *newcrl, *delta;
if (!keyfile) {
BIO_puts(bio_err, "Missing CRL signing key\n");
goto end;
}
newcrl = load_crl(crldiff, informat);
if (!newcrl)
goto end;
pkey = load_key(bio_err, keyfile, keyformat, 0, NULL, NULL,
"CRL signing key");
if (!pkey) {
X509_CRL_free(newcrl);
goto end;
}
delta = X509_CRL_diff(x, newcrl, pkey, digest, 0);
X509_CRL_free(newcrl);
EVP_PKEY_free(pkey);
if (delta) {
X509_CRL_free(x);
x = delta;
} else {
BIO_puts(bio_err, "Error creating delta CRL\n");
goto end;
}
}
if (num) {
for (i = 1; i <= num; i++) {
if (issuer == i) {
@ -410,9 +369,6 @@ int MAIN(int argc, char **argv)
goto end;
}
if (badsig)
x->signature->data[x->signature->length - 1] ^= 0x1;
if (outformat == FORMAT_ASN1)
i = (int)i2d_X509_CRL_bio(out, x);
else if (outformat == FORMAT_PEM)
@ -427,8 +383,6 @@ int MAIN(int argc, char **argv)
}
ret = 0;
end:
if (ret != 0)
ERR_print_errors(bio_err);
BIO_free_all(out);
BIO_free_all(bio_out);
bio_out = NULL;
@ -440,3 +394,41 @@ int MAIN(int argc, char **argv)
apps_shutdown();
OPENSSL_EXIT(ret);
}
static X509_CRL *load_crl(char *infile, int format)
{
X509_CRL *x = NULL;
BIO *in = NULL;
in = BIO_new(BIO_s_file());
if (in == NULL) {
ERR_print_errors(bio_err);
goto end;
}
if (infile == NULL)
BIO_set_fp(in, stdin, BIO_NOCLOSE);
else {
if (BIO_read_filename(in, infile) <= 0) {
perror(infile);
goto end;
}
}
if (format == FORMAT_ASN1)
x = d2i_X509_CRL_bio(in, NULL);
else if (format == FORMAT_PEM)
x = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
else {
BIO_printf(bio_err, "bad input format specified for input crl\n");
goto end;
}
if (x == NULL) {
BIO_printf(bio_err, "unable to load CRL\n");
ERR_print_errors(bio_err);
goto end;
}
end:
BIO_free(in);
return (x);
}

View File

@ -103,7 +103,7 @@ int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
ENGINE *e = NULL, *impl = NULL;
ENGINE *e = NULL;
unsigned char *buf = NULL;
int i, err = 1;
const EVP_MD *md = NULL, *m;
@ -124,7 +124,6 @@ int MAIN(int argc, char **argv)
char *passargin = NULL, *passin = NULL;
#ifndef OPENSSL_NO_ENGINE
char *engine = NULL;
int engine_impl = 0;
#endif
char *hmac_key = NULL;
char *mac_name = NULL;
@ -200,8 +199,7 @@ int MAIN(int argc, char **argv)
break;
engine = *(++argv);
e = setup_engine(bio_err, engine, 0);
} else if (strcmp(*argv, "-engine_impl") == 0)
engine_impl = 1;
}
#endif
else if (strcmp(*argv, "-hex") == 0)
out_bin = 0;
@ -286,10 +284,6 @@ int MAIN(int argc, char **argv)
EVP_MD_do_all_sorted(list_md_fn, bio_err);
goto end;
}
#ifndef OPENSSL_NO_ENGINE
if (engine_impl)
impl = e;
#endif
in = BIO_new(BIO_s_file());
bmd = BIO_new(BIO_f_md());
@ -363,7 +357,7 @@ int MAIN(int argc, char **argv)
if (mac_name) {
EVP_PKEY_CTX *mac_ctx = NULL;
int r = 0;
if (!init_gen_str(bio_err, &mac_ctx, mac_name, impl, 0))
if (!init_gen_str(bio_err, &mac_ctx, mac_name, e, 0))
goto mac_end;
if (macopts) {
char *macopt;
@ -397,7 +391,7 @@ int MAIN(int argc, char **argv)
}
if (hmac_key) {
sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl,
sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
(unsigned char *)hmac_key, -1);
if (!sigkey)
goto end;
@ -413,9 +407,9 @@ int MAIN(int argc, char **argv)
goto end;
}
if (do_verify)
r = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey);
r = EVP_DigestVerifyInit(mctx, &pctx, md, NULL, sigkey);
else
r = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
r = EVP_DigestSignInit(mctx, &pctx, md, NULL, sigkey);
if (!r) {
BIO_printf(bio_err, "Error setting context\n");
ERR_print_errors(bio_err);
@ -435,15 +429,9 @@ int MAIN(int argc, char **argv)
}
/* we use md as a filter, reading from 'in' */
else {
EVP_MD_CTX *mctx = NULL;
if (!BIO_get_md_ctx(bmd, &mctx)) {
BIO_printf(bio_err, "Error getting context\n");
ERR_print_errors(bio_err);
goto end;
}
if (md == NULL)
md = EVP_md5();
if (!EVP_DigestInit_ex(mctx, md, impl)) {
if (!BIO_set_md(bmd, md)) {
BIO_printf(bio_err, "Error setting digest %s\n", pname);
ERR_print_errors(bio_err);
goto end;
@ -495,8 +483,7 @@ int MAIN(int argc, char **argv)
EVP_PKEY_asn1_get0_info(NULL, NULL,
NULL, NULL, &sig_name, ameth);
}
if (md)
md_name = EVP_MD_name(md);
md_name = EVP_MD_name(md);
}
err = 0;
for (i = 0; i < argc; i++) {
@ -594,12 +581,9 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
BIO_printf(out, "%02x", buf[i]);
BIO_printf(out, " *%s\n", file);
} else {
if (sig_name) {
BIO_puts(out, sig_name);
if (md_name)
BIO_printf(out, "-%s", md_name);
BIO_printf(out, "(%s)= ", file);
} else if (md_name)
if (sig_name)
BIO_printf(out, "%s-%s(%s)= ", sig_name, md_name, file);
else if (md_name)
BIO_printf(out, "%s(%s)= ", md_name, file);
else
BIO_printf(out, "(%s)= ", file);

View File

@ -489,12 +489,9 @@ int MAIN(int argc, char **argv)
if (!noout) {
if (outformat == FORMAT_ASN1)
i = i2d_DHparams_bio(out, dh);
else if (outformat == FORMAT_PEM) {
if (dh->q)
i = PEM_write_bio_DHxparams(out, dh);
else
i = PEM_write_bio_DHparams(out, dh);
} else {
else if (outformat == FORMAT_PEM)
i = PEM_write_bio_DHparams(out, dh);
else {
BIO_printf(bio_err, "bad output format specified for outfile\n");
goto end;
}

View File

@ -370,9 +370,6 @@ int MAIN(int argc, char **argv)
} else
nid = OBJ_sn2nid(curve_name);
if (nid == 0)
nid = EC_curve_nist2nid(curve_name);
if (nid == 0) {
BIO_printf(bio_err, "unknown curve name (%s)\n", curve_name);
goto end;

View File

@ -80,7 +80,7 @@
# include <openssl/pem.h>
# include <openssl/rand.h>
# define DEFBITS 2048
# define DEFBITS 1024
# undef PROG
# define PROG genrsa_main

View File

@ -776,7 +776,7 @@ $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
$ CCDISABLEWARNINGS = "" !!! "MAYLOSEDATA3" !!! "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
$ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. ""
$ THEN
$ IF CCDISABLEWARNINGS .NES. THEN CCDISABLEWARNINGS = CCDISABLEWARNINGS + ","
$ IF CCDISABLEWARNINGS .NES. "" THEN CCDISABLEWARNINGS = CCDISABLEWARNINGS + ","
$ CCDISABLEWARNINGS = CCDISABLEWARNINGS + USER_CCDISABLEWARNINGS
$ ENDIF
$!

View File

@ -110,17 +110,16 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
CA_DB *db, X509 *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *md,
STACK_OF(X509) *rother, unsigned long flags,
int nmin, int ndays, int badsig);
EVP_PKEY *rkey, STACK_OF(X509) *rother,
unsigned long flags, int nmin, int ndays);
static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
static BIO *init_responder(const char *port);
static BIO *init_responder(char *port);
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
const char *port);
char *port);
static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
const STACK_OF(CONF_VALUE) *headers,
static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout);
# undef PROG
@ -155,14 +154,12 @@ int MAIN(int argc, char **argv)
long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
char *CAfile = NULL, *CApath = NULL;
X509_STORE *store = NULL;
X509_VERIFY_PARAM *vpm = NULL;
STACK_OF(X509) *sign_other = NULL, *verify_other = NULL, *rother = NULL;
char *sign_certfile = NULL, *verify_certfile = NULL, *rcertfile = NULL;
unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
int ret = 1;
int accept_count = -1;
int badarg = 0;
int badsig = 0;
int i;
int ignore_err = 0;
STACK_OF(OPENSSL_STRING) *reqnames = NULL;
@ -173,7 +170,7 @@ int MAIN(int argc, char **argv)
char *rca_filename = NULL;
CA_DB *rdb = NULL;
int nmin = 0, ndays = -1;
const EVP_MD *cert_id_md = NULL, *rsign_md = NULL;
const EVP_MD *cert_id_md = NULL;
if (bio_err == NULL)
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
@ -209,7 +206,6 @@ int MAIN(int argc, char **argv)
OPENSSL_free(tport);
if (tpath)
OPENSSL_free(tpath);
thost = tport = tpath = NULL;
if (args[1]) {
args++;
if (!OCSP_parse_url(*args, &host, &port, &path, &use_ssl)) {
@ -268,8 +264,6 @@ int MAIN(int argc, char **argv)
verify_flags |= OCSP_TRUSTOTHER;
else if (!strcmp(*args, "-no_intern"))
verify_flags |= OCSP_NOINTERN;
else if (!strcmp(*args, "-badsig"))
badsig = 1;
else if (!strcmp(*args, "-text")) {
req_text = 1;
resp_text = 1;
@ -326,10 +320,6 @@ int MAIN(int argc, char **argv)
CApath = *args;
} else
badarg = 1;
} else if (args_verify(&args, NULL, &badarg, bio_err, &vpm)) {
if (badarg)
goto end;
continue;
} else if (!strcmp(*args, "-validity_period")) {
if (args[1]) {
args++;
@ -475,14 +465,6 @@ int MAIN(int argc, char **argv)
rcertfile = *args;
} else
badarg = 1;
} else if (!strcmp(*args, "-rmd")) {
if (args[1]) {
args++;
rsign_md = EVP_get_digestbyname(*args);
if (!rsign_md)
badarg = 1;
} else
badarg = 1;
} else if ((cert_id_md = EVP_get_digestbyname((*args) + 1)) == NULL) {
badarg = 1;
}
@ -602,10 +584,7 @@ int MAIN(int argc, char **argv)
add_nonce = 0;
if (!req && reqin) {
if (!strcmp(reqin, "-"))
derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
else
derbio = BIO_new_file(reqin, "rb");
derbio = BIO_new_file(reqin, "rb");
if (!derbio) {
BIO_printf(bio_err, "Error Opening OCSP request file\n");
goto end;
@ -702,10 +681,7 @@ int MAIN(int argc, char **argv)
OCSP_REQUEST_print(out, req, 0);
if (reqout) {
if (!strcmp(reqout, "-"))
derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
else
derbio = BIO_new_file(reqout, "wb");
derbio = BIO_new_file(reqout, "wb");
if (!derbio) {
BIO_printf(bio_err, "Error opening file %s\n", reqout);
goto end;
@ -730,7 +706,7 @@ int MAIN(int argc, char **argv)
if (rdb) {
i = make_ocsp_response(&resp, req, rdb, rca_cert, rsigner, rkey,
rsign_md, rother, rflags, nmin, ndays, badsig);
rother, rflags, nmin, ndays);
if (cbio)
send_ocsp_response(cbio, resp);
} else if (host) {
@ -745,10 +721,7 @@ int MAIN(int argc, char **argv)
goto end;
# endif
} else if (respin) {
if (!strcmp(respin, "-"))
derbio = BIO_new_fp(stdin, BIO_NOCLOSE);
else
derbio = BIO_new_file(respin, "rb");
derbio = BIO_new_file(respin, "rb");
if (!derbio) {
BIO_printf(bio_err, "Error Opening OCSP response file\n");
goto end;
@ -768,10 +741,7 @@ int MAIN(int argc, char **argv)
done_resp:
if (respout) {
if (!strcmp(respout, "-"))
derbio = BIO_new_fp(stdout, BIO_NOCLOSE);
else
derbio = BIO_new_file(respout, "wb");
derbio = BIO_new_file(respout, "wb");
if (!derbio) {
BIO_printf(bio_err, "Error opening file %s\n", respout);
goto end;
@ -808,10 +778,6 @@ int MAIN(int argc, char **argv)
resp = NULL;
goto redo_accept;
}
ret = 0;
goto end;
} else if (ridx_filename) {
ret = 0;
goto end;
}
@ -819,8 +785,6 @@ int MAIN(int argc, char **argv)
store = setup_verify(bio_err, CAfile, CApath);
if (!store)
goto end;
if (vpm)
X509_STORE_set1_param(store, vpm);
if (verify_certfile) {
verify_other = load_certs(bio_err, verify_certfile, FORMAT_PEM,
NULL, e, "validator certificate");
@ -835,38 +799,37 @@ int MAIN(int argc, char **argv)
goto end;
}
ret = 0;
if (!noverify) {
if (req && ((i = OCSP_check_nonce(req, bs)) <= 0)) {
if (i == -1)
BIO_printf(bio_err, "WARNING: no nonce in response\n");
else {
BIO_printf(bio_err, "Nonce Verify error\n");
ret = 1;
goto end;
}
}
i = OCSP_basic_verify(bs, verify_other, store, verify_flags);
if (i < 0)
i = OCSP_basic_verify(bs, NULL, store, 0);
if (i <= 0) {
BIO_printf(bio_err, "Response Verify Failure\n");
ERR_print_errors(bio_err);
ret = 1;
} else
BIO_printf(bio_err, "Response verify OK\n");
}
if (!print_ocsp_summary(out, bs, req, reqnames, ids, nsec, maxage))
ret = 1;
goto end;
ret = 0;
end:
ERR_print_errors(bio_err);
X509_free(signer);
X509_STORE_free(store);
if (vpm)
X509_VERIFY_PARAM_free(vpm);
EVP_PKEY_free(key);
EVP_PKEY_free(rkey);
X509_free(issuer);
@ -1021,9 +984,8 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
CA_DB *db, X509 *ca, X509 *rcert,
EVP_PKEY *rkey, const EVP_MD *rmd,
STACK_OF(X509) *rother, unsigned long flags,
int nmin, int ndays, int badsig)
EVP_PKEY *rkey, STACK_OF(X509) *rother,
unsigned long flags, int nmin, int ndays)
{
ASN1_TIME *thisupd = NULL, *nextupd = NULL;
OCSP_CERTID *cid, *ca_id = NULL;
@ -1107,10 +1069,7 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
OCSP_copy_nonce(bs, req);
OCSP_basic_sign(bs, rcert, rkey, rmd, rother, flags);
if (badsig)
bs->signature->data[bs->signature->length - 1] ^= 0x1;
OCSP_basic_sign(bs, rcert, rkey, NULL, rother, flags);
*resp = OCSP_response_create(OCSP_RESPONSE_STATUS_SUCCESSFUL, bs);
@ -1146,7 +1105,7 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
/* Quick and dirty OCSP server: read in and parse input request */
static BIO *init_responder(const char *port)
static BIO *init_responder(char *port)
{
BIO *acbio = NULL, *bufbio = NULL;
bufbio = BIO_new(BIO_f_buffer());
@ -1178,7 +1137,7 @@ static BIO *init_responder(const char *port)
}
static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio,
const char *port)
char *port)
{
int have_post = 0, len;
OCSP_REQUEST *req = NULL;
@ -1239,8 +1198,8 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
return 1;
}
static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
const STACK_OF(CONF_VALUE) *headers,
static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, char *path,
STACK_OF(CONF_VALUE) *headers,
OCSP_REQUEST *req, int req_timeout)
{
int fd;
@ -1327,9 +1286,8 @@ static OCSP_RESPONSE *query_responder(BIO *err, BIO *cbio, const char *path,
}
OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
const char *host, const char *path,
const char *port, int use_ssl,
const STACK_OF(CONF_VALUE) *headers,
char *host, char *path, char *port,
int use_ssl, STACK_OF(CONF_VALUE) *headers,
int req_timeout)
{
BIO *cbio = NULL;

View File

@ -103,7 +103,7 @@ emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes

View File

@ -103,7 +103,7 @@ emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_bits = 1024
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes

View File

@ -124,16 +124,6 @@ int MAIN(int argc, char **argv)
}
} else
badarg = 1;
} else if (!strcmp(*args, "-v2prf")) {
if (args[1]) {
args++;
pbe_nid = OBJ_txt2nid(*args);
if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) {
BIO_printf(bio_err, "Unknown PRF algorithm %s\n", *args);
badarg = 1;
}
} else
badarg = 1;
} else if (!strcmp(*args, "-inform")) {
if (args[1]) {
args++;

View File

@ -73,12 +73,11 @@ static void usage(void);
#define PROG pkeyutl_main
static EVP_PKEY_CTX *init_ctx(int *pkeysize,
const char *keyfile, int keyform, int key_type,
char *passargin, int pkey_op, ENGINE *e,
int impl);
char *keyfile, int keyform, int key_type,
char *passargin, int pkey_op, ENGINE *e);
static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
const char *file, ENGINE* e);
const char *file);
static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
unsigned char *out, size_t *poutlen,
@ -98,13 +97,10 @@ int MAIN(int argc, char **argv)
EVP_PKEY_CTX *ctx = NULL;
char *passargin = NULL;
int keysize = -1;
int engine_impl = 0;
unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
size_t buf_outlen = 0;
size_t buf_outlen;
int buf_inlen = 0, siglen = -1;
const char *inkey = NULL;
const char *peerkey = NULL;
STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;
int ret = 1, rv = -1;
@ -138,13 +134,21 @@ int MAIN(int argc, char **argv)
} else if (!strcmp(*argv, "-inkey")) {
if (--argc < 1)
badarg = 1;
else
inkey = *++argv;
else {
ctx = init_ctx(&keysize,
*(++argv), keyform, key_type,
passargin, pkey_op, e);
if (!ctx) {
BIO_puts(bio_err, "Error initializing context\n");
ERR_print_errors(bio_err);
badarg = 1;
}
}
} else if (!strcmp(*argv, "-peerkey")) {
if (--argc < 1)
badarg = 1;
else
peerkey = *++argv;
else if (!setup_peer(bio_err, ctx, peerform, *(++argv)))
badarg = 1;
} else if (!strcmp(*argv, "-passin")) {
if (--argc < 1)
badarg = 1;
@ -167,8 +171,6 @@ int MAIN(int argc, char **argv)
badarg = 1;
else
e = setup_engine(bio_err, *(++argv), 0);
} else if (!strcmp(*argv, "-engine_impl")) {
engine_impl = 1;
}
#endif
else if (!strcmp(*argv, "-pubin"))
@ -185,21 +187,23 @@ int MAIN(int argc, char **argv)
pkey_op = EVP_PKEY_OP_VERIFY;
else if (!strcmp(*argv, "-verifyrecover"))
pkey_op = EVP_PKEY_OP_VERIFYRECOVER;
else if (!strcmp(*argv, "-rev"))
rev = 1;
else if (!strcmp(*argv, "-encrypt"))
pkey_op = EVP_PKEY_OP_ENCRYPT;
else if (!strcmp(*argv, "-decrypt"))
pkey_op = EVP_PKEY_OP_DECRYPT;
else if (!strcmp(*argv, "-derive"))
pkey_op = EVP_PKEY_OP_DERIVE;
else if (!strcmp(*argv, "-rev"))
rev = 1;
else if (strcmp(*argv, "-pkeyopt") == 0) {
if (--argc < 1)
badarg = 1;
else if ((pkeyopts == NULL &&
(pkeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
sk_OPENSSL_STRING_push(pkeyopts, *++argv) == 0) {
BIO_puts(bio_err, "out of memory\n");
else if (!ctx) {
BIO_puts(bio_err, "-pkeyopt command before -inkey\n");
badarg = 1;
} else if (pkey_ctrl_string(ctx, *(++argv)) <= 0) {
BIO_puts(bio_err, "parameter setting error\n");
ERR_print_errors(bio_err);
goto end;
}
} else
@ -212,37 +216,10 @@ int MAIN(int argc, char **argv)
argv++;
}
if (inkey == NULL ||
(peerkey != NULL && pkey_op != EVP_PKEY_OP_DERIVE)) {
if (!ctx) {
usage();
goto end;
}
ctx = init_ctx(&keysize, inkey, keyform, key_type,
passargin, pkey_op, e, engine_impl);
if (!ctx) {
BIO_puts(bio_err, "Error initializing context\n");
ERR_print_errors(bio_err);
goto end;
}
if (peerkey != NULL && !setup_peer(bio_err, ctx, peerform, peerkey, e)) {
BIO_puts(bio_err, "Error setting up peer key\n");
ERR_print_errors(bio_err);
goto end;
}
if (pkeyopts != NULL) {
int num = sk_OPENSSL_STRING_num(pkeyopts);
int i;
for (i = 0; i < num; ++i) {
const char *opt = sk_OPENSSL_STRING_value(pkeyopts, i);
if (pkey_ctrl_string(ctx, opt) <= 0) {
BIO_puts(bio_err, "parameter setting error\n");
ERR_print_errors(bio_err);
goto end;
}
}
}
if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) {
BIO_puts(bio_err, "Signature file specified for non verify\n");
@ -292,7 +269,7 @@ int MAIN(int argc, char **argv)
}
siglen = bio_to_mem(&sig, keysize * 10, sigbio);
BIO_free(sigbio);
if (siglen < 0) {
if (siglen <= 0) {
BIO_printf(bio_err, "Error reading signature data\n");
goto end;
}
@ -301,7 +278,7 @@ int MAIN(int argc, char **argv)
if (in) {
/* Read the input data */
buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
if (buf_inlen < 0) {
if (buf_inlen <= 0) {
BIO_printf(bio_err, "Error reading input Data\n");
exit(1);
}
@ -329,7 +306,7 @@ int MAIN(int argc, char **argv)
} else {
rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
buf_in, (size_t)buf_inlen);
if (rv > 0 && buf_outlen != 0) {
if (rv > 0) {
buf_out = OPENSSL_malloc(buf_outlen);
if (!buf_out)
rv = -1;
@ -359,14 +336,12 @@ int MAIN(int argc, char **argv)
EVP_PKEY_CTX_free(ctx);
BIO_free(in);
BIO_free_all(out);
if (buf_in != NULL)
if (buf_in)
OPENSSL_free(buf_in);
if (buf_out != NULL)
if (buf_out)
OPENSSL_free(buf_out);
if (sig != NULL)
if (sig)
OPENSSL_free(sig);
if (pkeyopts != NULL)
sk_OPENSSL_STRING_free(pkeyopts);
return ret;
}
@ -393,21 +368,18 @@ static void usage()
BIO_printf(bio_err, "-hexdump hex dump output\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err,
"-engine e use engine e, maybe a hardware device, for loading keys.\n");
BIO_printf(bio_err, "-engine_impl also use engine given by -engine for crypto operations\n");
"-engine e use engine e, possibly a hardware device.\n");
#endif
BIO_printf(bio_err, "-passin arg pass phrase source\n");
}
static EVP_PKEY_CTX *init_ctx(int *pkeysize,
const char *keyfile, int keyform, int key_type,
char *passargin, int pkey_op, ENGINE *e,
int engine_impl)
char *keyfile, int keyform, int key_type,
char *passargin, int pkey_op, ENGINE *e)
{
EVP_PKEY *pkey = NULL;
EVP_PKEY_CTX *ctx = NULL;
ENGINE *impl = NULL;
char *passin = NULL;
int rv = -1;
X509 *x;
@ -446,14 +418,9 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,
if (!pkey)
goto end;
#ifndef OPENSSL_NO_ENGINE
if (engine_impl)
impl = e;
#endif
ctx = EVP_PKEY_CTX_new(pkey, impl);
ctx = EVP_PKEY_CTX_new(pkey, e);
EVP_PKEY_free(pkey);
if (!ctx)
@ -500,15 +467,16 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,
}
static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
const char *file, ENGINE* e)
const char *file)
{
EVP_PKEY *peer = NULL;
ENGINE* engine = NULL;
int ret;
if (!ctx) {
BIO_puts(err, "-peerkey command before -inkey\n");
return 0;
}
if (peerform == FORMAT_ENGINE)
engine = e;
peer = load_pubkey(bio_err, file, peerform, 0, NULL, engine, "Peer Key");
peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key");
if (!peer) {
BIO_printf(bio_err, "Error reading peer key %s\n", file);

View File

@ -101,8 +101,8 @@
#define STRING_MASK "string_mask"
#define UTF8_IN "utf8"
#define DEFAULT_KEY_LENGTH 2048
#define MIN_KEY_LENGTH 512
#define DEFAULT_KEY_LENGTH 512
#define MIN_KEY_LENGTH 384
#undef PROG
#define PROG req_main

View File

@ -250,7 +250,7 @@ int MAIN(int argc, char **argv)
if (outfile) {
if (!(out = BIO_new_file(outfile, "wb"))) {
BIO_printf(bio_err, "Error Writing Output File\n");
BIO_printf(bio_err, "Error Reading Output File\n");
ERR_print_errors(bio_err);
goto end;
}
@ -276,7 +276,7 @@ int MAIN(int argc, char **argv)
/* Read the input data */
rsa_inlen = BIO_read(in, rsa_in, keysize * 2);
if (rsa_inlen < 0) {
if (rsa_inlen <= 0) {
BIO_printf(bio_err, "Error reading input Data\n");
exit(1);
}
@ -311,7 +311,7 @@ int MAIN(int argc, char **argv)
}
if (rsa_outlen < 0) {
if (rsa_outlen <= 0) {
BIO_printf(bio_err, "RSA operation error\n");
ERR_print_errors(bio_err);
goto end;

View File

@ -152,21 +152,15 @@ typedef fd_mask fd_set;
#define PROTOCOL "tcp"
int do_server(int port, int type, int *ret,
int (*cb) (char *hostname, int s, int stype,
unsigned char *context), unsigned char *context,
int naccept);
int (*cb) (char *hostname, int s, unsigned char *context),
unsigned char *context);
#ifdef HEADER_X509_H
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
#endif
#ifdef HEADER_SSL_H
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
STACK_OF(X509) *chain, int build_chain);
int ssl_print_sigalgs(BIO *out, SSL *s);
int ssl_print_point_formats(BIO *out, SSL *s);
int ssl_print_curves(BIO *out, SSL *s, int noshared);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
#endif
int ssl_print_tmp_key(BIO *out, SSL *s);
int init_client(int *sock, char *server, int port, int type);
int should_retry(int i);
int extract_port(char *str, short *port_ptr);
@ -188,24 +182,3 @@ int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie,
unsigned int *cookie_len);
int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie,
unsigned int cookie_len);
typedef struct ssl_excert_st SSL_EXCERT;
void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc);
void ssl_excert_free(SSL_EXCERT *exc);
int args_excert(char ***pargs, int *pargc,
int *badarg, BIO *err, SSL_EXCERT **pexc);
int load_excert(SSL_EXCERT **pexc, BIO *err);
void print_ssl_summary(BIO *bio, SSL *s);
#ifdef HEADER_SSL_H
int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);
int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake);
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
int crl_download);
int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
const char *vfyCAfile, const char *chCApath,
const char *chCAfile, STACK_OF(X509_CRL) *crls,
int crl_download);
#endif

View File

@ -111,7 +111,7 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h> /* for memcpy() and strcmp() */
#include <string.h> /* for memcpy() */
#define USE_SOCKETS
#define NON_MAIN
#include "apps.h"
@ -126,7 +126,6 @@
#define COOKIE_SECRET_LENGTH 16
int verify_depth = 0;
int verify_quiet = 0;
int verify_error = X509_V_OK;
int verify_return_error = 0;
unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
@ -141,16 +140,13 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
err = X509_STORE_CTX_get_error(ctx);
depth = X509_STORE_CTX_get_error_depth(ctx);
if (!verify_quiet || !ok) {
BIO_printf(bio_err, "depth=%d ", depth);
if (err_cert) {
X509_NAME_print_ex(bio_err,
X509_get_subject_name(err_cert),
0, XN_FLAG_ONELINE);
BIO_puts(bio_err, "\n");
} else
BIO_puts(bio_err, "<no cert>\n");
}
BIO_printf(bio_err, "depth=%d ", depth);
if (err_cert) {
X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
0, XN_FLAG_ONELINE);
BIO_puts(bio_err, "\n");
} else
BIO_puts(bio_err, "<no cert>\n");
if (!ok) {
BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
X509_verify_cert_error_string(err));
@ -183,14 +179,13 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
BIO_printf(bio_err, "\n");
break;
case X509_V_ERR_NO_EXPLICIT_POLICY:
if (!verify_quiet)
policies_print(bio_err, ctx);
policies_print(bio_err, ctx);
break;
}
if (err == X509_V_OK && ok == 2 && !verify_quiet)
if (err == X509_V_OK && ok == 2)
policies_print(bio_err, ctx);
if (ok && !verify_quiet)
BIO_printf(bio_err, "verify return:%d\n", ok);
BIO_printf(bio_err, "verify return:%d\n", ok);
return (ok);
}
@ -251,10 +246,8 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
return (1);
}
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
STACK_OF(X509) *chain, int build_chain)
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
{
int chflags = chain ? SSL_BUILD_CHAIN_FLAG_CHECK : 0;
if (cert == NULL)
return 1;
if (SSL_CTX_use_certificate(ctx, cert) <= 0) {
@ -262,7 +255,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
ERR_print_errors(bio_err);
return 0;
}
if (SSL_CTX_use_PrivateKey(ctx, key) <= 0) {
BIO_printf(bio_err, "error setting private key\n");
ERR_print_errors(bio_err);
@ -277,263 +269,6 @@ int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
"Private key does not match the certificate public key\n");
return 0;
}
if (chain && !SSL_CTX_set1_chain(ctx, chain)) {
BIO_printf(bio_err, "error setting certificate chain\n");
ERR_print_errors(bio_err);
return 0;
}
if (build_chain && !SSL_CTX_build_cert_chain(ctx, chflags)) {
BIO_printf(bio_err, "error building certificate chain\n");
ERR_print_errors(bio_err);
return 0;
}
return 1;
}
static void ssl_print_client_cert_types(BIO *bio, SSL *s)
{
const unsigned char *p;
int i;
int cert_type_num = SSL_get0_certificate_types(s, &p);
if (!cert_type_num)
return;
BIO_puts(bio, "Client Certificate Types: ");
for (i = 0; i < cert_type_num; i++) {
unsigned char cert_type = p[i];
char *cname;
switch (cert_type) {
case TLS_CT_RSA_SIGN:
cname = "RSA sign";
break;
case TLS_CT_DSS_SIGN:
cname = "DSA sign";
break;
case TLS_CT_RSA_FIXED_DH:
cname = "RSA fixed DH";
break;
case TLS_CT_DSS_FIXED_DH:
cname = "DSS fixed DH";
break;
case TLS_CT_ECDSA_SIGN:
cname = "ECDSA sign";
break;
case TLS_CT_RSA_FIXED_ECDH:
cname = "RSA fixed ECDH";
break;
case TLS_CT_ECDSA_FIXED_ECDH:
cname = "ECDSA fixed ECDH";
break;
case TLS_CT_GOST94_SIGN:
cname = "GOST94 Sign";
break;
case TLS_CT_GOST01_SIGN:
cname = "GOST01 Sign";
break;
default:
cname = NULL;
}
if (i)
BIO_puts(bio, ", ");
if (cname)
BIO_puts(bio, cname);
else
BIO_printf(bio, "UNKNOWN (%d),", cert_type);
}
BIO_puts(bio, "\n");
}
static int do_print_sigalgs(BIO *out, SSL *s, int shared)
{
int i, nsig, client;
client = SSL_is_server(s) ? 0 : 1;
if (shared)
nsig = SSL_get_shared_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
else
nsig = SSL_get_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
if (nsig == 0)
return 1;
if (shared)
BIO_puts(out, "Shared ");
if (client)
BIO_puts(out, "Requested ");
BIO_puts(out, "Signature Algorithms: ");
for (i = 0; i < nsig; i++) {
int hash_nid, sign_nid;
unsigned char rhash, rsign;
const char *sstr = NULL;
if (shared)
SSL_get_shared_sigalgs(s, i, &sign_nid, &hash_nid, NULL,
&rsign, &rhash);
else
SSL_get_sigalgs(s, i, &sign_nid, &hash_nid, NULL, &rsign, &rhash);
if (i)
BIO_puts(out, ":");
if (sign_nid == EVP_PKEY_RSA)
sstr = "RSA";
else if (sign_nid == EVP_PKEY_DSA)
sstr = "DSA";
else if (sign_nid == EVP_PKEY_EC)
sstr = "ECDSA";
if (sstr)
BIO_printf(out, "%s+", sstr);
else
BIO_printf(out, "0x%02X+", (int)rsign);
if (hash_nid != NID_undef)
BIO_printf(out, "%s", OBJ_nid2sn(hash_nid));
else
BIO_printf(out, "0x%02X", (int)rhash);
}
BIO_puts(out, "\n");
return 1;
}
int ssl_print_sigalgs(BIO *out, SSL *s)
{
int mdnid;
if (!SSL_is_server(s))
ssl_print_client_cert_types(out, s);
do_print_sigalgs(out, s, 0);
do_print_sigalgs(out, s, 1);
if (SSL_get_peer_signature_nid(s, &mdnid))
BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(mdnid));
return 1;
}
#ifndef OPENSSL_NO_EC
int ssl_print_point_formats(BIO *out, SSL *s)
{
int i, nformats;
const char *pformats;
nformats = SSL_get0_ec_point_formats(s, &pformats);
if (nformats <= 0)
return 1;
BIO_puts(out, "Supported Elliptic Curve Point Formats: ");
for (i = 0; i < nformats; i++, pformats++) {
if (i)
BIO_puts(out, ":");
switch (*pformats) {
case TLSEXT_ECPOINTFORMAT_uncompressed:
BIO_puts(out, "uncompressed");
break;
case TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime:
BIO_puts(out, "ansiX962_compressed_prime");
break;
case TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2:
BIO_puts(out, "ansiX962_compressed_char2");
break;
default:
BIO_printf(out, "unknown(%d)", (int)*pformats);
break;
}
}
if (nformats <= 0)
BIO_puts(out, "NONE");
BIO_puts(out, "\n");
return 1;
}
int ssl_print_curves(BIO *out, SSL *s, int noshared)
{
int i, ncurves, *curves, nid;
const char *cname;
ncurves = SSL_get1_curves(s, NULL);
if (ncurves <= 0)
return 1;
curves = OPENSSL_malloc(ncurves * sizeof(int));
if (!curves) {
BIO_puts(out, "Malloc error getting supported curves\n");
return 0;
}
SSL_get1_curves(s, curves);
BIO_puts(out, "Supported Elliptic Curves: ");
for (i = 0; i < ncurves; i++) {
if (i)
BIO_puts(out, ":");
nid = curves[i];
/* If unrecognised print out hex version */
if (nid & TLSEXT_nid_unknown)
BIO_printf(out, "0x%04X", nid & 0xFFFF);
else {
/* Use NIST name for curve if it exists */
cname = EC_curve_nid2nist(nid);
if (!cname)
cname = OBJ_nid2sn(nid);
BIO_printf(out, "%s", cname);
}
}
if (ncurves == 0)
BIO_puts(out, "NONE");
OPENSSL_free(curves);
if (noshared) {
BIO_puts(out, "\n");
return 1;
}
BIO_puts(out, "\nShared Elliptic curves: ");
ncurves = SSL_get_shared_curve(s, -1);
for (i = 0; i < ncurves; i++) {
if (i)
BIO_puts(out, ":");
nid = SSL_get_shared_curve(s, i);
cname = EC_curve_nid2nist(nid);
if (!cname)
cname = OBJ_nid2sn(nid);
BIO_printf(out, "%s", cname);
}
if (ncurves == 0)
BIO_puts(out, "NONE");
BIO_puts(out, "\n");
return 1;
}
#endif
int ssl_print_tmp_key(BIO *out, SSL *s)
{
EVP_PKEY *key;
if (!SSL_get_server_tmp_key(s, &key))
return 1;
BIO_puts(out, "Server Temp Key: ");
switch (EVP_PKEY_id(key)) {
case EVP_PKEY_RSA:
BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_bits(key));
break;
case EVP_PKEY_DH:
BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key));
break;
#ifndef OPENSSL_NO_ECDH
case EVP_PKEY_EC:
{
EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
int nid;
const char *cname;
nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
EC_KEY_free(ec);
cname = EC_curve_nid2nist(nid);
if (!cname)
cname = OBJ_nid2sn(nid);
BIO_printf(out, "ECDH, %s, %d bits\n", cname, EVP_PKEY_bits(key));
}
#endif
}
EVP_PKEY_free(key);
return 1;
}
@ -981,11 +716,6 @@ void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
extname = "next protocol";
break;
#endif
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
case TLSEXT_TYPE_application_layer_protocol_negotiation:
extname = "application layer protocol negotiation";
break;
#endif
case TLSEXT_TYPE_padding:
extname = "TLS padding";
@ -1154,504 +884,3 @@ int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie,
return 0;
}
/*
* Example of extended certificate handling. Where the standard support of
* one certificate per algorithm is not sufficient an application can decide
* which certificate(s) to use at runtime based on whatever criteria it deems
* appropriate.
*/
/* Linked list of certificates, keys and chains */
struct ssl_excert_st {
int certform;
const char *certfile;
int keyform;
const char *keyfile;
const char *chainfile;
X509 *cert;
EVP_PKEY *key;
STACK_OF(X509) *chain;
int build_chain;
struct ssl_excert_st *next, *prev;
};
struct chain_flags {
int flag;
const char *name;
};
struct chain_flags chain_flags_list[] = {
{CERT_PKEY_VALID, "Overall Validity"},
{CERT_PKEY_SIGN, "Sign with EE key"},
{CERT_PKEY_EE_SIGNATURE, "EE signature"},
{CERT_PKEY_CA_SIGNATURE, "CA signature"},
{CERT_PKEY_EE_PARAM, "EE key parameters"},
{CERT_PKEY_CA_PARAM, "CA key parameters"},
{CERT_PKEY_EXPLICIT_SIGN, "Explicity sign with EE key"},
{CERT_PKEY_ISSUER_NAME, "Issuer Name"},
{CERT_PKEY_CERT_TYPE, "Certificate Type"},
{0, NULL}
};
static void print_chain_flags(BIO *out, SSL *s, int flags)
{
struct chain_flags *ctmp = chain_flags_list;
while (ctmp->name) {
BIO_printf(out, "\t%s: %s\n", ctmp->name,
flags & ctmp->flag ? "OK" : "NOT OK");
ctmp++;
}
BIO_printf(out, "\tSuite B: ");
if (SSL_set_cert_flags(s, 0) & SSL_CERT_FLAG_SUITEB_128_LOS)
BIO_puts(out, flags & CERT_PKEY_SUITEB ? "OK\n" : "NOT OK\n");
else
BIO_printf(out, "not tested\n");
}
/*
* Very basic selection callback: just use any certificate chain reported as
* valid. More sophisticated could prioritise according to local policy.
*/
static int set_cert_cb(SSL *ssl, void *arg)
{
int i, rv;
SSL_EXCERT *exc = arg;
#ifdef CERT_CB_TEST_RETRY
static int retry_cnt;
if (retry_cnt < 5) {
retry_cnt++;
fprintf(stderr, "Certificate callback retry test: count %d\n",
retry_cnt);
return -1;
}
#endif
SSL_certs_clear(ssl);
if (!exc)
return 1;
/*
* Go to end of list and traverse backwards since we prepend newer
* entries this retains the original order.
*/
while (exc->next)
exc = exc->next;
i = 0;
while (exc) {
i++;
rv = SSL_check_chain(ssl, exc->cert, exc->key, exc->chain);
BIO_printf(bio_err, "Checking cert chain %d:\nSubject: ", i);
X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0,
XN_FLAG_ONELINE);
BIO_puts(bio_err, "\n");
print_chain_flags(bio_err, ssl, rv);
if (rv & CERT_PKEY_VALID) {
SSL_use_certificate(ssl, exc->cert);
SSL_use_PrivateKey(ssl, exc->key);
/*
* NB: we wouldn't normally do this as it is not efficient
* building chains on each connection better to cache the chain
* in advance.
*/
if (exc->build_chain) {
if (!SSL_build_cert_chain(ssl, 0))
return 0;
} else if (exc->chain)
SSL_set1_chain(ssl, exc->chain);
}
exc = exc->prev;
}
return 1;
}
void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc)
{
SSL_CTX_set_cert_cb(ctx, set_cert_cb, exc);
}
static int ssl_excert_prepend(SSL_EXCERT **pexc)
{
SSL_EXCERT *exc;
exc = OPENSSL_malloc(sizeof(SSL_EXCERT));
if (!exc)
return 0;
exc->certfile = NULL;
exc->keyfile = NULL;
exc->chainfile = NULL;
exc->cert = NULL;
exc->key = NULL;
exc->chain = NULL;
exc->prev = NULL;
exc->build_chain = 0;
exc->next = *pexc;
*pexc = exc;
if (exc->next) {
exc->certform = exc->next->certform;
exc->keyform = exc->next->keyform;
exc->next->prev = exc;
} else {
exc->certform = FORMAT_PEM;
exc->keyform = FORMAT_PEM;
}
return 1;
}
void ssl_excert_free(SSL_EXCERT *exc)
{
SSL_EXCERT *curr;
while (exc) {
if (exc->cert)
X509_free(exc->cert);
if (exc->key)
EVP_PKEY_free(exc->key);
if (exc->chain)
sk_X509_pop_free(exc->chain, X509_free);
curr = exc;
exc = exc->next;
OPENSSL_free(curr);
}
}
int load_excert(SSL_EXCERT **pexc, BIO *err)
{
SSL_EXCERT *exc = *pexc;
if (!exc)
return 1;
/* If nothing in list, free and set to NULL */
if (!exc->certfile && !exc->next) {
ssl_excert_free(exc);
*pexc = NULL;
return 1;
}
for (; exc; exc = exc->next) {
if (!exc->certfile) {
BIO_printf(err, "Missing filename\n");
return 0;
}
exc->cert = load_cert(err, exc->certfile, exc->certform,
NULL, NULL, "Server Certificate");
if (!exc->cert)
return 0;
if (exc->keyfile) {
exc->key = load_key(err, exc->keyfile, exc->keyform,
0, NULL, NULL, "Server Key");
} else {
exc->key = load_key(err, exc->certfile, exc->certform,
0, NULL, NULL, "Server Key");
}
if (!exc->key)
return 0;
if (exc->chainfile) {
exc->chain = load_certs(err,
exc->chainfile, FORMAT_PEM,
NULL, NULL, "Server Chain");
if (!exc->chain)
return 0;
}
}
return 1;
}
int args_excert(char ***pargs, int *pargc,
int *badarg, BIO *err, SSL_EXCERT **pexc)
{
char *arg = **pargs, *argn = (*pargs)[1];
SSL_EXCERT *exc = *pexc;
int narg = 2;
if (!exc) {
if (ssl_excert_prepend(&exc))
*pexc = exc;
else {
BIO_printf(err, "Error initialising xcert\n");
*badarg = 1;
goto err;
}
}
if (strcmp(arg, "-xcert") == 0) {
if (!argn) {
*badarg = 1;
return 1;
}
if (exc->certfile && !ssl_excert_prepend(&exc)) {
BIO_printf(err, "Error adding xcert\n");
*badarg = 1;
goto err;
}
exc->certfile = argn;
} else if (strcmp(arg, "-xkey") == 0) {
if (!argn) {
*badarg = 1;
return 1;
}
if (exc->keyfile) {
BIO_printf(err, "Key already specified\n");
*badarg = 1;
return 1;
}
exc->keyfile = argn;
} else if (strcmp(arg, "-xchain") == 0) {
if (!argn) {
*badarg = 1;
return 1;
}
if (exc->chainfile) {
BIO_printf(err, "Chain already specified\n");
*badarg = 1;
return 1;
}
exc->chainfile = argn;
} else if (strcmp(arg, "-xchain_build") == 0) {
narg = 1;
exc->build_chain = 1;
} else if (strcmp(arg, "-xcertform") == 0) {
if (!argn) {
*badarg = 1;
goto err;
}
exc->certform = str2fmt(argn);
} else if (strcmp(arg, "-xkeyform") == 0) {
if (!argn) {
*badarg = 1;
goto err;
}
exc->keyform = str2fmt(argn);
} else
return 0;
(*pargs) += narg;
if (pargc)
*pargc -= narg;
*pexc = exc;
return 1;
err:
ERR_print_errors(err);
ssl_excert_free(exc);
*pexc = NULL;
return 1;
}
static void print_raw_cipherlist(BIO *bio, SSL *s)
{
const unsigned char *rlist;
static const unsigned char scsv_id[] = { 0, 0, 0xFF };
size_t i, rlistlen, num;
if (!SSL_is_server(s))
return;
num = SSL_get0_raw_cipherlist(s, NULL);
rlistlen = SSL_get0_raw_cipherlist(s, &rlist);
BIO_puts(bio, "Client cipher list: ");
for (i = 0; i < rlistlen; i += num, rlist += num) {
const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist);
if (i)
BIO_puts(bio, ":");
if (c)
BIO_puts(bio, SSL_CIPHER_get_name(c));
else if (!memcmp(rlist, scsv_id - num + 3, num))
BIO_puts(bio, "SCSV");
else {
size_t j;
BIO_puts(bio, "0x");
for (j = 0; j < num; j++)
BIO_printf(bio, "%02X", rlist[j]);
}
}
BIO_puts(bio, "\n");
}
void print_ssl_summary(BIO *bio, SSL *s)
{
const SSL_CIPHER *c;
X509 *peer;
/*
* const char *pnam = SSL_is_server(s) ? "client" : "server";
*/
BIO_printf(bio, "Protocol version: %s\n", SSL_get_version(s));
print_raw_cipherlist(bio, s);
c = SSL_get_current_cipher(s);
BIO_printf(bio, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c));
do_print_sigalgs(bio, s, 0);
peer = SSL_get_peer_certificate(s);
if (peer) {
int nid;
BIO_puts(bio, "Peer certificate: ");
X509_NAME_print_ex(bio, X509_get_subject_name(peer),
0, XN_FLAG_ONELINE);
BIO_puts(bio, "\n");
if (SSL_get_peer_signature_nid(s, &nid))
BIO_printf(bio, "Hash used: %s\n", OBJ_nid2sn(nid));
} else
BIO_puts(bio, "No peer certificate\n");
if (peer)
X509_free(peer);
#ifndef OPENSSL_NO_EC
ssl_print_point_formats(bio, s);
if (SSL_is_server(s))
ssl_print_curves(bio, s, 1);
else
ssl_print_tmp_key(bio, s);
#else
if (!SSL_is_server(s))
ssl_print_tmp_key(bio, s);
#endif
}
int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr)
{
char *arg = **pargs, *argn = (*pargs)[1];
int rv;
/* Attempt to run SSL configuration command */
rv = SSL_CONF_cmd_argv(cctx, pargc, pargs);
/* If parameter not recognised just return */
if (rv == 0)
return 0;
/* see if missing argument error */
if (rv == -3) {
BIO_printf(err, "%s needs an argument\n", arg);
*badarg = 1;
goto end;
}
/* Check for some other error */
if (rv < 0) {
BIO_printf(err, "Error with command: \"%s %s\"\n",
arg, argn ? argn : "");
*badarg = 1;
goto end;
}
/* Store command and argument */
/* If only one argument processed store value as NULL */
if (rv == 1)
argn = NULL;
if (!*pstr)
*pstr = sk_OPENSSL_STRING_new_null();
if (!*pstr || !sk_OPENSSL_STRING_push(*pstr, arg) ||
!sk_OPENSSL_STRING_push(*pstr, argn)) {
BIO_puts(err, "Memory allocation failure\n");
goto end;
}
end:
if (*badarg)
ERR_print_errors(err);
return 1;
}
int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx,
STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake)
{
int i;
SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
const char *param = sk_OPENSSL_STRING_value(str, i);
const char *value = sk_OPENSSL_STRING_value(str, i + 1);
/*
* If no_ecdhe or named curve already specified don't need a default.
*/
if (!no_ecdhe && !strcmp(param, "-named_curve"))
no_ecdhe = 1;
#ifndef OPENSSL_NO_JPAKE
if (!no_jpake && !strcmp(param, "-cipher")) {
BIO_puts(err, "JPAKE sets cipher to PSK\n");
return 0;
}
#endif
if (SSL_CONF_cmd(cctx, param, value) <= 0) {
BIO_printf(err, "Error with command: \"%s %s\"\n",
param, value ? value : "");
ERR_print_errors(err);
return 0;
}
}
/*
* This is a special case to keep existing s_server functionality: if we
* don't have any curve specified *and* we haven't disabled ECDHE then
* use P-256.
*/
if (!no_ecdhe) {
if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0) {
BIO_puts(err, "Error setting EC curve\n");
ERR_print_errors(err);
return 0;
}
}
#ifndef OPENSSL_NO_JPAKE
if (!no_jpake) {
if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) {
BIO_puts(err, "Error setting cipher to PSK\n");
ERR_print_errors(err);
return 0;
}
}
#endif
if (!SSL_CONF_CTX_finish(cctx)) {
BIO_puts(err, "Error finishing context\n");
ERR_print_errors(err);
return 0;
}
return 1;
}
static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
{
X509_CRL *crl;
int i;
for (i = 0; i < sk_X509_CRL_num(crls); i++) {
crl = sk_X509_CRL_value(crls, i);
X509_STORE_add_crl(st, crl);
}
return 1;
}
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download)
{
X509_STORE *st;
st = SSL_CTX_get_cert_store(ctx);
add_crls_store(st, crls);
if (crl_download)
store_setup_crl_download(st);
return 1;
}
int ssl_load_stores(SSL_CTX *ctx,
const char *vfyCApath, const char *vfyCAfile,
const char *chCApath, const char *chCAfile,
STACK_OF(X509_CRL) *crls, int crl_download)
{
X509_STORE *vfy = NULL, *ch = NULL;
int rv = 0;
if (vfyCApath || vfyCAfile) {
vfy = X509_STORE_new();
if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
goto err;
add_crls_store(vfy, crls);
SSL_CTX_set1_verify_cert_store(ctx, vfy);
if (crl_download)
store_setup_crl_download(vfy);
}
if (chCApath || chCAfile) {
ch = X509_STORE_new();
if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
goto err;
SSL_CTX_set1_chain_cert_store(ctx, ch);
}
rv = 1;
err:
if (vfy)
X509_STORE_free(vfy);
if (ch)
X509_STORE_free(ch);
return rv;
}

View File

@ -202,7 +202,6 @@ typedef unsigned int u_int;
extern int verify_depth;
extern int verify_error;
extern int verify_return_error;
extern int verify_quiet;
#ifdef FIONBIO
static int c_nbio = 0;
@ -225,10 +224,8 @@ static void print_stuff(BIO *berr, SSL *con, int full);
static int ocsp_resp_cb(SSL *s, void *arg);
#endif
static BIO *bio_c_out = NULL;
static BIO *bio_c_msg = NULL;
static int c_quiet = 0;
static int c_ign_eof = 0;
static int c_brief = 0;
#ifndef OPENSSL_NO_PSK
/* Default PSK identity and key */
@ -307,12 +304,6 @@ static void sc_usage(void)
BIO_printf(bio_err,
" -connect host:port - who to connect to (default is %s:%s)\n",
SSL_HOST_NAME, PORT_STR);
BIO_printf(bio_err,
" -verify_hostname host - check peer certificate matches \"host\"\n");
BIO_printf(bio_err,
" -verify_email email - check peer certificate matches \"email\"\n");
BIO_printf(bio_err,
" -verify_ip ipaddr - check peer certificate matches \"ipaddr\"\n");
BIO_printf(bio_err,
" -verify arg - turn on peer certificate verification\n");
@ -390,6 +381,8 @@ static void sc_usage(void)
" -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
BIO_printf(bio_err,
" -bugs - Switch on all SSL implementation bug workarounds\n");
BIO_printf(bio_err,
" -serverpref - Use server's cipher preferences (only SSLv2)\n");
BIO_printf(bio_err,
" -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
BIO_printf(bio_err,
@ -420,23 +413,11 @@ static void sc_usage(void)
" -status - request certificate status from server\n");
BIO_printf(bio_err,
" -no_ticket - disable use of RFC4507bis session tickets\n");
BIO_printf(bio_err,
" -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n");
BIO_printf(bio_err,
" -curves arg - Elliptic curves to advertise (colon-separated list)\n");
BIO_printf(bio_err,
" -sigalgs arg - Signature algorithms to support (colon-separated list)\n");
BIO_printf(bio_err,
" -client_sigalgs arg - Signature algorithms to support for client\n");
BIO_printf(bio_err,
" certificate authentication (colon-separated list)\n");
#endif
#ifndef OPENSSL_NO_NEXTPROTONEG
# ifndef OPENSSL_NO_NEXTPROTONEG
BIO_printf(bio_err,
" -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
# endif
#endif
BIO_printf(bio_err,
" -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
BIO_printf(bio_err,
" -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
#ifndef OPENSSL_NO_SRTP
@ -624,27 +605,6 @@ static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen,
return SSL_TLSEXT_ERR_OK;
}
# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
const unsigned char *in, size_t inlen,
int *al, void *arg)
{
char pem_name[100];
unsigned char ext_buf[4 + 65536];
/* Reconstruct the type/len fields prior to extension data */
ext_buf[0] = ext_type >> 8;
ext_buf[1] = ext_type & 0xFF;
ext_buf[2] = inlen >> 8;
ext_buf[3] = inlen & 0xFF;
memcpy(ext_buf + 4, in, inlen);
BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
ext_type);
PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
return 1;
}
#endif
enum {
@ -660,7 +620,7 @@ int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
int build_chain = 0;
unsigned int off = 0, clr = 0;
SSL *con = NULL;
#ifndef OPENSSL_NO_KRB5
KSSL_CTX *kctx;
@ -673,16 +633,13 @@ int MAIN(int argc, char **argv)
short port = PORT;
int full_log = 1;
char *host = SSL_HOST_NAME;
char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
char *cert_file = NULL, *key_file = NULL;
int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
char *passarg = NULL, *pass = NULL;
X509 *cert = NULL;
EVP_PKEY *key = NULL;
STACK_OF(X509) *chain = NULL;
char *CApath = NULL, *CAfile = NULL;
char *chCApath = NULL, *chCAfile = NULL;
char *vfyCApath = NULL, *vfyCAfile = NULL;
int reconnect = 0, badop = 0, verify = SSL_VERIFY_NONE;
char *CApath = NULL, *CAfile = NULL, *cipher = NULL;
int reconnect = 0, badop = 0, verify = SSL_VERIFY_NONE, bugs = 0;
int crlf = 0;
int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
SSL_CTX *ctx = NULL;
@ -715,10 +672,6 @@ int MAIN(int argc, char **argv)
# ifndef OPENSSL_NO_NEXTPROTONEG
const char *next_proto_neg_in = NULL;
# endif
const char *alpn_in = NULL;
# define MAX_SI_TYPES 100
unsigned short serverinfo_types[MAX_SI_TYPES];
int serverinfo_types_count = 0;
#endif
char *sess_in = NULL;
char *sess_out = NULL;
@ -728,25 +681,13 @@ int MAIN(int argc, char **argv)
int enable_timeouts = 0;
long socket_mtu = 0;
#ifndef OPENSSL_NO_JPAKE
static char *jpake_secret = NULL;
# define no_jpake !jpake_secret
#else
# define no_jpake 1
char *jpake_secret = NULL;
#endif
#ifndef OPENSSL_NO_SRP
char *srppass = NULL;
int srp_lateuser = 0;
SRP_ARG srp_arg = { NULL, NULL, 0, 0, 0, 1024 };
#endif
SSL_EXCERT *exc = NULL;
SSL_CONF_CTX *cctx = NULL;
STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
char *crl_file = NULL;
int crl_format = FORMAT_PEM;
int crl_download = 0;
STACK_OF(X509_CRL) *crls = NULL;
meth = SSLv23_client_method();
@ -764,12 +705,6 @@ int MAIN(int argc, char **argv)
if (!load_config(bio_err, NULL))
goto end;
cctx = SSL_CONF_CTX_new();
if (!cctx)
goto end;
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
if (((cbuf = OPENSSL_malloc(BUFSIZZ)) == NULL) ||
((sbuf = OPENSSL_malloc(BUFSIZZ)) == NULL) ||
((mbuf = OPENSSL_malloc(BUFSIZZ)) == NULL)) {
@ -806,19 +741,12 @@ int MAIN(int argc, char **argv)
if (--argc < 1)
goto bad;
verify_depth = atoi(*(++argv));
if (!c_quiet)
BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
} else if (strcmp(*argv, "-cert") == 0) {
if (--argc < 1)
goto bad;
cert_file = *(++argv);
} else if (strcmp(*argv, "-CRL") == 0) {
if (--argc < 1)
goto bad;
crl_file = *(++argv);
} else if (strcmp(*argv, "-crl_download") == 0)
crl_download = 1;
else if (strcmp(*argv, "-sess_out") == 0) {
} else if (strcmp(*argv, "-sess_out") == 0) {
if (--argc < 1)
goto bad;
sess_out = *(++argv);
@ -830,31 +758,13 @@ int MAIN(int argc, char **argv)
if (--argc < 1)
goto bad;
cert_format = str2fmt(*(++argv));
} else if (strcmp(*argv, "-CRLform") == 0) {
if (--argc < 1)
goto bad;
crl_format = str2fmt(*(++argv));
} else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) {
if (badarg)
goto bad;
continue;
} else if (strcmp(*argv, "-verify_return_error") == 0)
verify_return_error = 1;
else if (strcmp(*argv, "-verify_quiet") == 0)
verify_quiet = 1;
else if (strcmp(*argv, "-brief") == 0) {
c_brief = 1;
verify_quiet = 1;
c_quiet = 1;
} else if (args_excert(&argv, &argc, &badarg, bio_err, &exc)) {
if (badarg)
goto bad;
continue;
} else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args)) {
if (badarg)
goto bad;
continue;
} else if (strcmp(*argv, "-prexit") == 0)
else if (strcmp(*argv, "-prexit") == 0)
prexit = 1;
else if (strcmp(*argv, "-crlf") == 0)
crlf = 1;
@ -881,15 +791,6 @@ int MAIN(int argc, char **argv)
#endif
else if (strcmp(*argv, "-msg") == 0)
c_msg = 1;
else if (strcmp(*argv, "-msgfile") == 0) {
if (--argc < 1)
goto bad;
bio_c_msg = BIO_new_file(*(++argv), "w");
}
#ifndef OPENSSL_NO_SSL_TRACE
else if (strcmp(*argv, "-trace") == 0)
c_msg = 2;
#endif
else if (strcmp(*argv, "-showcerts") == 0)
c_showcerts = 1;
else if (strcmp(*argv, "-nbio_test") == 0)
@ -958,15 +859,11 @@ int MAIN(int argc, char **argv)
meth = TLSv1_client_method();
#endif
#ifndef OPENSSL_NO_DTLS1
else if (strcmp(*argv, "-dtls") == 0) {
meth = DTLS_client_method();
socket_type = SOCK_DGRAM;
} else if (strcmp(*argv, "-dtls1") == 0) {
else if (strcmp(*argv, "-dtls1") == 0) {
meth = DTLSv1_client_method();
socket_type = SOCK_DGRAM;
} else if (strcmp(*argv, "-dtls1_2") == 0) {
meth = DTLSv1_2_client_method();
socket_type = SOCK_DGRAM;
} else if (strcmp(*argv, "-fallback_scsv") == 0) {
fallback_scsv = 1;
} else if (strcmp(*argv, "-timeout") == 0)
enable_timeouts = 1;
else if (strcmp(*argv, "-mtu") == 0) {
@ -975,9 +872,9 @@ int MAIN(int argc, char **argv)
socket_mtu = atol(*(++argv));
}
#endif
else if (strcmp(*argv, "-fallback_scsv") == 0) {
fallback_scsv = 1;
} else if (strcmp(*argv, "-keyform") == 0) {
else if (strcmp(*argv, "-bugs") == 0)
bugs = 1;
else if (strcmp(*argv, "-keyform") == 0) {
if (--argc < 1)
goto bad;
key_format = str2fmt(*(++argv));
@ -985,10 +882,6 @@ int MAIN(int argc, char **argv)
if (--argc < 1)
goto bad;
passarg = *(++argv);
} else if (strcmp(*argv, "-cert_chain") == 0) {
if (--argc < 1)
goto bad;
chain_file = *(++argv);
} else if (strcmp(*argv, "-key") == 0) {
if (--argc < 1)
goto bad;
@ -999,30 +892,27 @@ int MAIN(int argc, char **argv)
if (--argc < 1)
goto bad;
CApath = *(++argv);
} else if (strcmp(*argv, "-chainCApath") == 0) {
if (--argc < 1)
goto bad;
chCApath = *(++argv);
} else if (strcmp(*argv, "-verifyCApath") == 0) {
if (--argc < 1)
goto bad;
vfyCApath = *(++argv);
} else if (strcmp(*argv, "-build_chain") == 0)
build_chain = 1;
else if (strcmp(*argv, "-CAfile") == 0) {
} else if (strcmp(*argv, "-CAfile") == 0) {
if (--argc < 1)
goto bad;
CAfile = *(++argv);
} else if (strcmp(*argv, "-chainCAfile") == 0) {
if (--argc < 1)
goto bad;
chCAfile = *(++argv);
} else if (strcmp(*argv, "-verifyCAfile") == 0) {
if (--argc < 1)
goto bad;
vfyCAfile = *(++argv);
} else if (strcmp(*argv, "-no_tls1_2") == 0)
off |= SSL_OP_NO_TLSv1_2;
else if (strcmp(*argv, "-no_tls1_1") == 0)
off |= SSL_OP_NO_TLSv1_1;
else if (strcmp(*argv, "-no_tls1") == 0)
off |= SSL_OP_NO_TLSv1;
else if (strcmp(*argv, "-no_ssl3") == 0)
off |= SSL_OP_NO_SSLv3;
else if (strcmp(*argv, "-no_ssl2") == 0)
off |= SSL_OP_NO_SSLv2;
else if (strcmp(*argv, "-no_comp") == 0) {
off |= SSL_OP_NO_COMPRESSION;
}
#ifndef OPENSSL_NO_TLSEXT
else if (strcmp(*argv, "-no_ticket") == 0) {
off |= SSL_OP_NO_TICKET;
}
# ifndef OPENSSL_NO_NEXTPROTONEG
else if (strcmp(*argv, "-nextprotoneg") == 0) {
if (--argc < 1)
@ -1030,32 +920,20 @@ int MAIN(int argc, char **argv)
next_proto_neg_in = *(++argv);
}
# endif
else if (strcmp(*argv, "-alpn") == 0) {
if (--argc < 1)
goto bad;
alpn_in = *(++argv);
} else if (strcmp(*argv, "-serverinfo") == 0) {
char *c;
int start = 0;
int len;
if (--argc < 1)
goto bad;
c = *(++argv);
serverinfo_types_count = 0;
len = strlen(c);
for (i = 0; i <= len; ++i) {
if (i == len || c[i] == ',') {
serverinfo_types[serverinfo_types_count]
= atoi(c + start);
serverinfo_types_count++;
start = i + 1;
}
if (serverinfo_types_count == MAX_SI_TYPES)
break;
}
}
#endif
else if (strcmp(*argv, "-serverpref") == 0)
off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
else if (strcmp(*argv, "-legacy_renegotiation") == 0)
off |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
else if (strcmp(*argv, "-legacy_server_connect") == 0) {
off |= SSL_OP_LEGACY_SERVER_CONNECT;
} else if (strcmp(*argv, "-no_legacy_server_connect") == 0) {
clr |= SSL_OP_LEGACY_SERVER_CONNECT;
} else if (strcmp(*argv, "-cipher") == 0) {
if (--argc < 1)
goto bad;
cipher = *(++argv);
}
#ifdef FIONBIO
else if (strcmp(*argv, "-nbio") == 0) {
c_nbio = 1;
@ -1146,6 +1024,11 @@ int MAIN(int argc, char **argv)
goto end;
}
psk_identity = "JPAKE";
if (cipher) {
BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
goto end;
}
cipher = "PSK";
}
#endif
@ -1204,33 +1087,6 @@ int MAIN(int argc, char **argv)
}
}
if (chain_file) {
chain = load_certs(bio_err, chain_file, FORMAT_PEM,
NULL, e, "client certificate chain");
if (!chain)
goto end;
}
if (crl_file) {
X509_CRL *crl;
crl = load_crl(crl_file, crl_format);
if (!crl) {
BIO_puts(bio_err, "Error loading CRL\n");
ERR_print_errors(bio_err);
goto end;
}
crls = sk_X509_CRL_new_null();
if (!crls || !sk_X509_CRL_push(crls, crl)) {
BIO_puts(bio_err, "Error adding CRL\n");
ERR_print_errors(bio_err);
X509_CRL_free(crl);
goto end;
}
}
if (!load_excert(&exc, bio_err))
goto end;
if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
&& !RAND_status()) {
BIO_printf(bio_err,
@ -1241,10 +1097,8 @@ int MAIN(int argc, char **argv)
app_RAND_load_files(inrand));
if (bio_c_out == NULL) {
if (c_quiet && !c_debug) {
if (c_quiet && !c_debug && !c_msg) {
bio_c_out = BIO_new(BIO_s_null());
if (c_msg && !bio_c_msg)
bio_c_msg = BIO_new_fp(stdout, BIO_NOCLOSE);
} else {
if (bio_c_out == NULL)
bio_c_out = BIO_new_fp(stdout, BIO_NOCLOSE);
@ -1266,17 +1120,6 @@ int MAIN(int argc, char **argv)
if (vpm)
SSL_CTX_set1_param(ctx, vpm);
if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1, no_jpake)) {
ERR_print_errors(bio_err);
goto end;
}
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
crls, crl_download)) {
BIO_printf(bio_err, "Error loading store locations\n");
ERR_print_errors(bio_err);
goto end;
}
#ifndef OPENSSL_NO_ENGINE
if (ssl_client_engine) {
if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) {
@ -1306,43 +1149,35 @@ int MAIN(int argc, char **argv)
if (srtp_profiles != NULL)
SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
#endif
if (exc)
ssl_ctx_set_excert(ctx, exc);
if (bugs)
SSL_CTX_set_options(ctx, SSL_OP_ALL | off);
else
SSL_CTX_set_options(ctx, off);
#if !defined(OPENSSL_NO_TLSEXT)
# if !defined(OPENSSL_NO_NEXTPROTONEG)
if (clr)
SSL_CTX_clear_options(ctx, clr);
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
if (next_proto.data)
SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
# endif
if (alpn_in) {
unsigned short alpn_len;
unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
if (alpn == NULL) {
BIO_printf(bio_err, "Error parsing -alpn argument\n");
goto end;
}
SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len);
OPENSSL_free(alpn);
}
#endif
#ifndef OPENSSL_NO_TLSEXT
for (i = 0; i < serverinfo_types_count; i++) {
SSL_CTX_add_client_custom_ext(ctx,
serverinfo_types[i],
NULL, NULL, NULL,
serverinfo_cli_parse_cb, NULL);
}
#endif
if (state)
SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
if (cipher != NULL)
if (!SSL_CTX_set_cipher_list(ctx, cipher)) {
BIO_printf(bio_err, "error setting cipher list\n");
ERR_print_errors(bio_err);
goto end;
}
#if 0
else
SSL_CTX_set_cipher_list(ctx, getenv("SSL_CIPHER"));
else
SSL_CTX_set_cipher_list(ctx, getenv("SSL_CIPHER"));
#endif
SSL_CTX_set_verify(ctx, verify, verify_callback);
if (!set_cert_key_stuff(ctx, cert, key))
goto end;
if ((CAfile || CApath)
&& !SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) {
@ -1351,11 +1186,6 @@ int MAIN(int argc, char **argv)
if (!SSL_CTX_set_default_verify_paths(ctx)) {
ERR_print_errors(bio_err);
}
ssl_ctx_add_crls(ctx, crls, crl_download);
if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
goto end;
#ifndef OPENSSL_NO_TLSEXT
if (servername != NULL) {
tlsextcbp.biodebug = bio_err;
@ -1447,7 +1277,7 @@ int MAIN(int argc, char **argv)
if (c_Pause & 0x01)
SSL_set_debug(con, 1);
if (socket_type == SOCK_DGRAM) {
if (SSL_version(con) == DTLS1_VERSION) {
sbio = BIO_new_dgram(s, BIO_NOCLOSE);
if (getsockname(s, &peer, (void *)&peerlen) < 0) {
@ -1501,13 +1331,8 @@ int MAIN(int argc, char **argv)
BIO_set_callback_arg(sbio, (char *)bio_c_out);
}
if (c_msg) {
#ifndef OPENSSL_NO_SSL_TRACE
if (c_msg == 2)
SSL_set_msg_callback(con, SSL_trace);
else
#endif
SSL_set_msg_callback(con, msg_cb);
SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
SSL_set_msg_callback(con, msg_cb);
SSL_set_msg_callback_arg(con, bio_c_out);
}
#ifndef OPENSSL_NO_TLSEXT
if (c_tlsextdebug) {
@ -1690,11 +1515,6 @@ int MAIN(int argc, char **argv)
BIO_printf(bio_err, "Error writing session file %s\n",
sess_out);
}
if (c_brief) {
BIO_puts(bio_err, "CONNECTION ESTABLISHED\n");
print_ssl_summary(bio_err, con);
}
print_stuff(bio_c_out, con, full_log);
if (full_log > 0)
full_log--;
@ -1960,10 +1780,7 @@ int MAIN(int argc, char **argv)
break;
case SSL_ERROR_SYSCALL:
ret = get_last_socket_error();
if (c_brief)
BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
else
BIO_printf(bio_err, "read:errno=%d\n", ret);
BIO_printf(bio_err, "read:errno=%d\n", ret);
goto shut;
case SSL_ERROR_ZERO_RETURN:
BIO_printf(bio_c_out, "closed\n");
@ -2063,12 +1880,8 @@ int MAIN(int argc, char **argv)
SSL_CTX_free(ctx);
if (cert)
X509_free(cert);
if (crls)
sk_X509_CRL_pop_free(crls, X509_CRL_free);
if (key)
EVP_PKEY_free(key);
if (chain)
sk_X509_pop_free(chain, X509_free);
if (pass)
OPENSSL_free(pass);
#ifndef OPENSSL_NO_SRP
@ -2076,15 +1889,6 @@ int MAIN(int argc, char **argv)
#endif
if (vpm)
X509_VERIFY_PARAM_free(vpm);
ssl_excert_free(exc);
if (ssl_args)
sk_OPENSSL_STRING_free(ssl_args);
if (cctx)
SSL_CONF_CTX_free(cctx);
#ifndef OPENSSL_NO_JPAKE
if (jpake_secret && psk_key)
OPENSSL_free(psk_key);
#endif
if (cbuf != NULL) {
OPENSSL_cleanse(cbuf, BUFSIZZ);
OPENSSL_free(cbuf);
@ -2101,10 +1905,6 @@ int MAIN(int argc, char **argv)
BIO_free(bio_c_out);
bio_c_out = NULL;
}
if (bio_c_msg != NULL) {
BIO_free(bio_c_msg);
bio_c_msg = NULL;
}
apps_shutdown();
OPENSSL_EXIT(ret);
}
@ -2198,9 +1998,6 @@ static void print_stuff(BIO *bio, SSL *s, int full)
BIO_write(bio, "\n", 1);
}
ssl_print_sigalgs(bio, s);
ssl_print_tmp_key(bio, s);
BIO_printf(bio,
"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
BIO_number_read(SSL_get_rbio(s)),
@ -2240,8 +2037,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
}
#endif
#if !defined(OPENSSL_NO_TLSEXT)
# if !defined(OPENSSL_NO_NEXTPROTONEG)
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
if (next_proto.status != -1) {
const unsigned char *proto;
unsigned int proto_len;
@ -2250,18 +2046,6 @@ static void print_stuff(BIO *bio, SSL *s, int full)
BIO_write(bio, proto, proto_len);
BIO_write(bio, "\n", 1);
}
# endif
{
const unsigned char *proto;
unsigned int proto_len;
SSL_get0_alpn_selected(s, &proto, &proto_len);
if (proto_len > 0) {
BIO_printf(bio, "ALPN protocol: ");
BIO_write(bio, proto, proto_len);
BIO_write(bio, "\n", 1);
} else
BIO_printf(bio, "No ALPN negotiated\n");
}
#endif
#ifndef OPENSSL_NO_SRTP

File diff suppressed because it is too large Load Diff

View File

@ -290,9 +290,8 @@ static int init_client_ip(int *sock, unsigned char ip[4], int port, int type)
}
int do_server(int port, int type, int *ret,
int (*cb) (char *hostname, int s, int stype,
unsigned char *context), unsigned char *context,
int naccept)
int (*cb) (char *hostname, int s, unsigned char *context),
unsigned char *context)
{
int sock;
char *name = NULL;
@ -314,14 +313,12 @@ int do_server(int port, int type, int *ret,
}
} else
sock = accept_socket;
i = (*cb) (name, sock, type, context);
i = (*cb) (name, sock, context);
if (name != NULL)
OPENSSL_free(name);
if (type == SOCK_STREAM)
SHUTDOWN2(sock);
if (naccept != -1)
naccept--;
if (i < 0 || naccept == 0) {
if (i < 0) {
SHUTDOWN2(accept_socket);
return (i);
}

View File

@ -634,12 +634,6 @@ int MAIN(int argc, char **argv)
p7 = PKCS7_sign(NULL, NULL, other, in, flags);
if (!p7)
goto end;
if (flags & PKCS7_NOCERTS) {
for (i = 0; i < sk_X509_num(other); i++) {
X509 *x = sk_X509_value(other, i);
PKCS7_add_certificate(p7, x);
}
}
} else
flags |= PKCS7_REUSE_DIGEST;
for (i = 0; i < sk_OPENSSL_STRING_num(sksigners); i++) {

View File

@ -366,8 +366,6 @@ static void *KDF1_SHA1(const void *in, size_t inlen, void *out,
}
# endif /* OPENSSL_NO_ECDH */
static void multiblock_speed(const EVP_CIPHER *evp_cipher);
int MAIN(int, char **);
int MAIN(int argc, char **argv)
@ -648,7 +646,6 @@ int MAIN(int argc, char **argv)
# ifndef NO_FORK
int multi = 0;
# endif
int multiblock = 0;
# ifndef TIMES
usertime = -1;
@ -779,9 +776,6 @@ int MAIN(int argc, char **argv)
mr = 1;
j--; /* Otherwise, -mr gets confused with an
* algorithm. */
} else if (argc > 0 && !strcmp(*argv, "-mb")) {
multiblock = 1;
j--;
} else
# ifndef OPENSSL_NO_MD2
if (strcmp(*argv, "md2") == 0)
@ -1947,20 +1941,6 @@ int MAIN(int argc, char **argv)
# endif
if (doit[D_EVP]) {
# ifdef EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK
if (multiblock && evp_cipher) {
if (!
(EVP_CIPHER_flags(evp_cipher) &
EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK)) {
fprintf(stderr, "%s is not multi-block capable\n",
OBJ_nid2ln(evp_cipher->nid));
goto end;
}
multiblock_speed(evp_cipher);
mret = 0;
goto end;
}
# endif
for (j = 0; j < SIZE_NUM; j++) {
if (evp_cipher) {
EVP_CIPHER_CTX ctx;
@ -2762,113 +2742,4 @@ static int do_multi(int multi)
return 1;
}
# endif
static void multiblock_speed(const EVP_CIPHER *evp_cipher)
{
static int mblengths[] =
{ 8 * 1024, 2 * 8 * 1024, 4 * 8 * 1024, 8 * 8 * 1024, 8 * 16 * 1024 };
int j, count, num = sizeof(lengths) / sizeof(lengths[0]);
const char *alg_name;
unsigned char *inp, *out, no_key[32], no_iv[16];
EVP_CIPHER_CTX ctx;
double d = 0.0;
inp = OPENSSL_malloc(mblengths[num - 1]);
out = OPENSSL_malloc(mblengths[num - 1] + 1024);
if (!inp || !out) {
BIO_printf(bio_err,"Out of memory\n");
goto end;
}
EVP_CIPHER_CTX_init(&ctx);
EVP_EncryptInit_ex(&ctx, evp_cipher, NULL, no_key, no_iv);
EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_AEAD_SET_MAC_KEY, sizeof(no_key),
no_key);
alg_name = OBJ_nid2ln(evp_cipher->nid);
for (j = 0; j < num; j++) {
print_message(alg_name, 0, mblengths[j]);
Time_F(START);
for (count = 0, run = 1; run && count < 0x7fffffff; count++) {
unsigned char aad[EVP_AEAD_TLS1_AAD_LEN];
EVP_CTRL_TLS1_1_MULTIBLOCK_PARAM mb_param;
size_t len = mblengths[j];
int packlen;
memset(aad, 0, 8); /* avoid uninitialized values */
aad[8] = 23; /* SSL3_RT_APPLICATION_DATA */
aad[9] = 3; /* version */
aad[10] = 2;
aad[11] = 0; /* length */
aad[12] = 0;
mb_param.out = NULL;
mb_param.inp = aad;
mb_param.len = len;
mb_param.interleave = 8;
packlen = EVP_CIPHER_CTX_ctrl(&ctx,
EVP_CTRL_TLS1_1_MULTIBLOCK_AAD,
sizeof(mb_param), &mb_param);
if (packlen > 0) {
mb_param.out = out;
mb_param.inp = inp;
mb_param.len = len;
EVP_CIPHER_CTX_ctrl(&ctx,
EVP_CTRL_TLS1_1_MULTIBLOCK_ENCRYPT,
sizeof(mb_param), &mb_param);
} else {
int pad;
RAND_bytes(out, 16);
len += 16;
aad[11] = len >> 8;
aad[12] = len;
pad = EVP_CIPHER_CTX_ctrl(&ctx,
EVP_CTRL_AEAD_TLS1_AAD,
EVP_AEAD_TLS1_AAD_LEN, aad);
EVP_Cipher(&ctx, out, inp, len + pad);
}
}
d = Time_F(STOP);
BIO_printf(bio_err,
mr ? "+R:%d:%s:%f\n"
: "%d %s's in %.2fs\n", count, "evp", d);
results[D_EVP][j] = ((double)count) / d * mblengths[j];
}
if (mr) {
fprintf(stdout, "+H");
for (j = 0; j < num; j++)
fprintf(stdout, ":%d", mblengths[j]);
fprintf(stdout, "\n");
fprintf(stdout, "+F:%d:%s", D_EVP, alg_name);
for (j = 0; j < num; j++)
fprintf(stdout, ":%.2f", results[D_EVP][j]);
fprintf(stdout, "\n");
} else {
fprintf(stdout,
"The 'numbers' are in 1000s of bytes per second processed.\n");
fprintf(stdout, "type ");
for (j = 0; j < num; j++)
fprintf(stdout, "%7d bytes", mblengths[j]);
fprintf(stdout, "\n");
fprintf(stdout, "%-24s", alg_name);
for (j = 0; j < num; j++) {
if (results[D_EVP][j] > 10000)
fprintf(stdout, " %11.2fk", results[D_EVP][j] / 1e3);
else
fprintf(stdout, " %11.2f ", results[D_EVP][j]);
}
fprintf(stdout, "\n");
}
end:
if (inp)
OPENSSL_free(inp);
if (out)
OPENSSL_free(out);
}
#endif

View File

@ -88,7 +88,6 @@ int MAIN(int argc, char **argv)
X509_STORE *cert_ctx = NULL;
X509_LOOKUP *lookup = NULL;
X509_VERIFY_PARAM *vpm = NULL;
int crl_download = 0;
#ifndef OPENSSL_NO_ENGINE
char *engine = NULL;
#endif
@ -137,8 +136,7 @@ int MAIN(int argc, char **argv)
if (argc-- < 1)
goto end;
crlfile = *(++argv);
} else if (strcmp(*argv, "-crl_download") == 0)
crl_download = 1;
}
#ifndef OPENSSL_NO_ENGINE
else if (strcmp(*argv, "-engine") == 0) {
if (--argc < 1)
@ -216,9 +214,6 @@ int MAIN(int argc, char **argv)
}
ret = 0;
if (crl_download)
store_setup_crl_download(cert_ctx);
if (argc < 1) {
if (1 != check(cert_ctx, NULL, untrusted, trusted, crls, e))
ret = -1;

View File

@ -150,9 +150,6 @@ static const char *x509_usage[] = {
" -engine e - use engine e, possibly a hardware device.\n",
#endif
" -certopt arg - various certificate text options\n",
" -checkhost host - check certificate matches \"host\"\n",
" -checkemail email - check certificate matches \"email\"\n",
" -checkip ipaddr - check certificate matches \"ipaddr\"\n",
NULL
};
@ -166,9 +163,6 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
char *section, ASN1_INTEGER *sno);
static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt);
static int reqfile = 0;
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
static int force_version = 2;
#endif
int MAIN(int, char **);
@ -180,16 +174,15 @@ int MAIN(int argc, char **argv)
X509 *x = NULL, *xca = NULL;
ASN1_OBJECT *objtmp;
STACK_OF(OPENSSL_STRING) *sigopts = NULL;
EVP_PKEY *Upkey = NULL, *CApkey = NULL, *fkey = NULL;
EVP_PKEY *Upkey = NULL, *CApkey = NULL;
ASN1_INTEGER *sno = NULL;
int i, num, badops = 0, badsig = 0;
int i, num, badops = 0;
BIO *out = NULL;
BIO *STDout = NULL;
STACK_OF(ASN1_OBJECT) *trust = NULL, *reject = NULL;
int informat, outformat, keyformat, CAformat, CAkeyformat;
char *infile = NULL, *outfile = NULL, *keyfile = NULL, *CAfile = NULL;
char *CAkeyfile = NULL, *CAserial = NULL;
char *fkeyfile = NULL;
char *alias = NULL;
int text = 0, serial = 0, subject = 0, issuer = 0, startdate =
0, enddate = 0;
@ -215,9 +208,6 @@ int MAIN(int argc, char **argv)
int need_rand = 0;
int checkend = 0, checkoffset = 0;
unsigned long nmflag = 0, certflag = 0;
char *checkhost = NULL;
char *checkemail = NULL;
char *checkip = NULL;
#ifndef OPENSSL_NO_ENGINE
char *engine = NULL;
#endif
@ -284,15 +274,7 @@ int MAIN(int argc, char **argv)
sigopts = sk_OPENSSL_STRING_new_null();
if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
goto bad;
}
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
else if (strcmp(*argv, "-force_version") == 0) {
if (--argc < 1)
goto bad;
force_version = atoi(*(++argv)) - 1;
}
#endif
else if (strcmp(*argv, "-days") == 0) {
} else if (strcmp(*argv, "-days") == 0) {
if (--argc < 1)
goto bad;
days = atoi(*(++argv));
@ -345,10 +327,6 @@ int MAIN(int argc, char **argv)
goto bad;
if (!(sno = s2i_ASN1_INTEGER(NULL, *(++argv))))
goto bad;
} else if (strcmp(*argv, "-force_pubkey") == 0) {
if (--argc < 1)
goto bad;
fkeyfile = *(++argv);
} else if (strcmp(*argv, "-addtrust") == 0) {
if (--argc < 1)
goto bad;
@ -446,18 +424,6 @@ int MAIN(int argc, char **argv)
goto bad;
checkoffset = atoi(*(++argv));
checkend = 1;
} else if (strcmp(*argv, "-checkhost") == 0) {
if (--argc < 1)
goto bad;
checkhost = *(++argv);
} else if (strcmp(*argv, "-checkemail") == 0) {
if (--argc < 1)
goto bad;
checkemail = *(++argv);
} else if (strcmp(*argv, "-checkip") == 0) {
if (--argc < 1)
goto bad;
checkip = *(++argv);
} else if (strcmp(*argv, "-noout") == 0)
noout = ++num;
else if (strcmp(*argv, "-trustout") == 0)
@ -481,8 +447,6 @@ int MAIN(int argc, char **argv)
#endif
else if (strcmp(*argv, "-ocspid") == 0)
ocspid = ++num;
else if (strcmp(*argv, "-badsig") == 0)
badsig = 1;
else if ((md_alg = EVP_get_digestbyname(*argv + 1))) {
/* ok */
digest = md_alg;
@ -520,13 +484,6 @@ int MAIN(int argc, char **argv)
goto end;
}
if (fkeyfile) {
fkey = load_pubkey(bio_err, fkeyfile, keyformat, 0,
NULL, e, "Forced key");
if (fkey == NULL)
goto end;
}
if ((CAkeyfile == NULL) && (CA_flag) && (CAformat == FORMAT_PEM)) {
CAkeyfile = CAfile;
} else if ((CA_flag) && (CAkeyfile == NULL)) {
@ -648,13 +605,10 @@ int MAIN(int argc, char **argv)
X509_gmtime_adj(X509_get_notBefore(x), 0);
X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL);
if (fkey)
X509_set_pubkey(x, fkey);
else {
pkey = X509_REQ_get_pubkey(req);
X509_set_pubkey(x, pkey);
EVP_PKEY_free(pkey);
}
pkey = X509_REQ_get_pubkey(req);
X509_set_pubkey(x, pkey);
EVP_PKEY_free(pkey);
} else
x = load_cert(bio_err, infile, informat, NULL, e, "Certificate");
@ -983,16 +937,11 @@ int MAIN(int argc, char **argv)
goto end;
}
print_cert_checks(STDout, x, checkhost, checkemail, checkip);
if (noout) {
ret = 0;
goto end;
}
if (badsig)
x->signature->data[x->signature->length - 1] ^= 0x1;
if (outformat == FORMAT_ASN1)
i = i2d_X509_bio(out, x);
else if (outformat == FORMAT_PEM) {
@ -1033,7 +982,6 @@ int MAIN(int argc, char **argv)
X509_free(xca);
EVP_PKEY_free(Upkey);
EVP_PKEY_free(CApkey);
EVP_PKEY_free(fkey);
if (sigopts)
sk_OPENSSL_STRING_free(sigopts);
X509_REQ_free(rq);
@ -1153,11 +1101,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
if (conf) {
X509V3_CTX ctx2;
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
X509_set_version(x, force_version);
#else
X509_set_version(x, 2); /* version 3 certificate */
#endif
X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
X509V3_set_nconf(&ctx2, conf);
if (!X509V3_EXT_add_nconf(conf, &ctx2, section, x))
@ -1237,11 +1181,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
}
if (conf) {
X509V3_CTX ctx;
#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
X509_set_version(x, force_version);
#else
X509_set_version(x, 2); /* version 3 certificate */
#endif
X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
X509V3_set_nconf(&ctx, conf);
if (!X509V3_EXT_add_nconf(conf, &ctx, section, x))

28
config
View File

@ -587,33 +587,15 @@ case "$GUESSOS" in
fi
;;
ppc64-*-linux2)
if [ -z "$KERNEL_BITS" ]; then
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke './Configure linux-ppc64' *manually*."
if [ "$TEST" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
(trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
fi
if [ "$KERNEL_BITS" = "64" ]; then
OUT="linux-ppc64"
else
OUT="linux-ppc"
(echo "__LP64__" | gcc -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null) || options="$options -m32"
fi
;;
ppc64le-*-linux2) OUT="linux-ppc64le" ;;
ppc-*-linux2) OUT="linux-ppc" ;;
mips64*-*-linux2)
echo "WARNING! If you wish to build 64-bit library, then you have to"
echo " invoke './Configure linux64-mips64' *manually*."
echo " invoke './Configure linux-ppc64' *manually*."
if [ "$TEST" = "false" -a -t 1 ]; then
echo " You have about 5 seconds to press Ctrl-C to abort."
(trap "stty `stty -g`" 2 0; stty -icanon min 0 time 50; read waste) <&1
fi
OUT="linux-mips64"
OUT="linux-ppc"
;;
mips*-*-linux2) OUT="linux-mips32" ;;
ppc-*-linux2) OUT="linux-ppc" ;;
ppc60x-*-vxworks*) OUT="vxworks-ppc60x" ;;
ppcgen-*-vxworks*) OUT="vxworks-ppcgen" ;;
pentium-*-vxworks*) OUT="vxworks-pentium" ;;
@ -662,7 +644,6 @@ case "$GUESSOS" in
armv[1-3]*-*-linux2) OUT="linux-generic32" ;;
armv[7-9]*-*-linux2) OUT="linux-armv4"; options="$options -march=armv7-a" ;;
arm*-*-linux2) OUT="linux-armv4" ;;
aarch64-*-linux2) OUT="linux-aarch64" ;;
sh*b-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;;
sh*-*-linux2) OUT="linux-generic32"; options="$options -DL_ENDIAN" ;;
m68k*-*-linux2) OUT="linux-generic32"; options="$options -DB_ENDIAN" ;;
@ -852,8 +833,7 @@ case "$GUESSOS" in
# *-dgux) OUT="dgux" ;;
mips-sony-newsos4) OUT="newsos4-gcc" ;;
*-*-cygwin_pre1.3) OUT="Cygwin-pre1.3" ;;
i[3456]86-*-cygwin) OUT="Cygwin" ;;
*-*-cygwin) OUT="Cygwin-${MACHINE}" ;;
*-*-cygwin) OUT="Cygwin" ;;
t3e-cray-unicosmk) OUT="cray-t3e" ;;
j90-cray-unicos) OUT="cray-j90" ;;
nsr-tandem-nsk) OUT="tandem-c89" ;;

View File

@ -74,9 +74,9 @@ ia64cpuid.s: ia64cpuid.S; $(CC) $(CFLAGS) -E ia64cpuid.S > $@
ppccpuid.s: ppccpuid.pl; $(PERL) ppccpuid.pl $(PERLASM_SCHEME) $@
pariscid.s: pariscid.pl; $(PERL) pariscid.pl $(PERLASM_SCHEME) $@
alphacpuid.s: alphacpuid.pl
(preproc=$$$$.$@.S; trap "rm $$preproc" INT; \
(preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
$(PERL) alphacpuid.pl > $$preproc && \
$(CC) -E -P $$preproc > $@ && rm $$preproc)
$(CC) -E $$preproc > $@ && rm $$preproc)
testapps:
[ -z "$(THIS)" ] || ( if echo $(SDIRS) | fgrep ' des '; \
@ -88,7 +88,7 @@ subdirs:
@target=all; $(RECURSIVE_MAKE)
files:
$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
@target=files; $(RECURSIVE_MAKE)
links:
@ -102,7 +102,7 @@ lib: $(LIB)
@touch lib
$(LIB): $(LIBOBJ)
$(AR) $(LIB) $(LIBOBJ)
test -z "$(FIPSLIBDIR)" || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
[ -z "$(FIPSLIBDIR)" ] || $(AR) $(LIB) $(FIPSLIBDIR)fipscanister.o
$(RANLIB) $(LIB) || echo Never mind.
shared: buildinf.h lib subdirs

View File

@ -65,22 +65,12 @@ aesni-x86_64.s: asm/aesni-x86_64.pl
$(PERL) asm/aesni-x86_64.pl $(PERLASM_SCHEME) > $@
aesni-sha1-x86_64.s: asm/aesni-sha1-x86_64.pl
$(PERL) asm/aesni-sha1-x86_64.pl $(PERLASM_SCHEME) > $@
aesni-sha256-x86_64.s: asm/aesni-sha256-x86_64.pl
$(PERL) asm/aesni-sha256-x86_64.pl $(PERLASM_SCHEME) > $@
aesni-mb-x86_64.s: asm/aesni-mb-x86_64.pl
$(PERL) asm/aesni-mb-x86_64.pl $(PERLASM_SCHEME) > $@
aes-sparcv9.s: asm/aes-sparcv9.pl
$(PERL) asm/aes-sparcv9.pl $(CFLAGS) > $@
aest4-sparcv9.s: asm/aest4-sparcv9.pl ../perlasm/sparcv9_modes.pl
$(PERL) asm/aest4-sparcv9.pl $(CFLAGS) > $@
aes-ppc.s: asm/aes-ppc.pl
$(PERL) asm/aes-ppc.pl $(PERLASM_SCHEME) $@
vpaes-ppc.s: asm/vpaes-ppc.pl
$(PERL) asm/vpaes-ppc.pl $(PERLASM_SCHEME) $@
aesp8-ppc.s: asm/aesp8-ppc.pl
$(PERL) asm/aesp8-ppc.pl $(PERLASM_SCHEME) $@
aes-parisc.s: asm/aes-parisc.pl
$(PERL) asm/aes-parisc.pl $(PERLASM_SCHEME) $@
@ -88,18 +78,12 @@ aes-parisc.s: asm/aes-parisc.pl
aes-mips.S: asm/aes-mips.pl
$(PERL) asm/aes-mips.pl $(PERLASM_SCHEME) $@
aesv8-armx.S: asm/aesv8-armx.pl
$(PERL) asm/aesv8-armx.pl $(PERLASM_SCHEME) $@
aesv8-armx.o: aesv8-armx.S
# GNU make "catch all"
aes-%.S: asm/aes-%.pl; $(PERL) $< $(PERLASM_SCHEME) > $@
aes-armv4.o: aes-armv4.S
bsaes-%.S: asm/bsaes-%.pl; $(PERL) $< $(PERLASM_SCHEME) $@
bsaes-armv7.o: bsaes-armv7.S
files:
$(PERL) $(TOP)/util/files.pl "AES_ENC=$(AES_ENC)" Makefile >> $(TOP)/MINFO
$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
links:
@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
@ -165,7 +149,7 @@ aes_wrap.o: ../../e_os.h ../../include/openssl/aes.h
aes_wrap.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
aes_wrap.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
aes_wrap.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
aes_wrap.o: ../../include/openssl/modes.h ../../include/openssl/opensslconf.h
aes_wrap.o: ../../include/openssl/opensslconf.h
aes_wrap.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
aes_wrap.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
aes_wrap.o: ../../include/openssl/symhacks.h ../cryptlib.h aes_wrap.c

View File

@ -54,19 +54,197 @@
#include "cryptlib.h"
#include <openssl/aes.h>
#include <openssl/modes.h>
#include <openssl/bio.h>
static const unsigned char default_iv[] = {
0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6,
};
int AES_wrap_key(AES_KEY *key, const unsigned char *iv,
unsigned char *out,
const unsigned char *in, unsigned int inlen)
{
return CRYPTO_128_wrap(key, iv, out, in, inlen, (block128_f) AES_encrypt);
unsigned char *A, B[16], *R;
unsigned int i, j, t;
if ((inlen & 0x7) || (inlen < 8))
return -1;
A = B;
t = 1;
memcpy(out + 8, in, inlen);
if (!iv)
iv = default_iv;
memcpy(A, iv, 8);
for (j = 0; j < 6; j++) {
R = out + 8;
for (i = 0; i < inlen; i += 8, t++, R += 8) {
memcpy(B + 8, R, 8);
AES_encrypt(B, B, key);
A[7] ^= (unsigned char)(t & 0xff);
if (t > 0xff) {
A[6] ^= (unsigned char)((t >> 8) & 0xff);
A[5] ^= (unsigned char)((t >> 16) & 0xff);
A[4] ^= (unsigned char)((t >> 24) & 0xff);
}
memcpy(R, B + 8, 8);
}
}
memcpy(out, A, 8);
return inlen + 8;
}
int AES_unwrap_key(AES_KEY *key, const unsigned char *iv,
unsigned char *out,
const unsigned char *in, unsigned int inlen)
{
return CRYPTO_128_unwrap(key, iv, out, in, inlen,
(block128_f) AES_decrypt);
unsigned char *A, B[16], *R;
unsigned int i, j, t;
inlen -= 8;
if (inlen & 0x7)
return -1;
if (inlen < 8)
return -1;
A = B;
t = 6 * (inlen >> 3);
memcpy(A, in, 8);
memcpy(out, in + 8, inlen);
for (j = 0; j < 6; j++) {
R = out + inlen - 8;
for (i = 0; i < inlen; i += 8, t--, R -= 8) {
A[7] ^= (unsigned char)(t & 0xff);
if (t > 0xff) {
A[6] ^= (unsigned char)((t >> 8) & 0xff);
A[5] ^= (unsigned char)((t >> 16) & 0xff);
A[4] ^= (unsigned char)((t >> 24) & 0xff);
}
memcpy(B + 8, R, 8);
AES_decrypt(B, B, key);
memcpy(R, B + 8, 8);
}
}
if (!iv)
iv = default_iv;
if (memcmp(A, iv, 8)) {
OPENSSL_cleanse(out, inlen);
return 0;
}
return inlen;
}
#ifdef AES_WRAP_TEST
int AES_wrap_unwrap_test(const unsigned char *kek, int keybits,
const unsigned char *iv,
const unsigned char *eout,
const unsigned char *key, int keylen)
{
unsigned char *otmp = NULL, *ptmp = NULL;
int r, ret = 0;
AES_KEY wctx;
otmp = OPENSSL_malloc(keylen + 8);
ptmp = OPENSSL_malloc(keylen);
if (!otmp || !ptmp)
return 0;
if (AES_set_encrypt_key(kek, keybits, &wctx))
goto err;
r = AES_wrap_key(&wctx, iv, otmp, key, keylen);
if (r <= 0)
goto err;
if (eout && memcmp(eout, otmp, keylen))
goto err;
if (AES_set_decrypt_key(kek, keybits, &wctx))
goto err;
r = AES_unwrap_key(&wctx, iv, ptmp, otmp, r);
if (memcmp(key, ptmp, keylen))
goto err;
ret = 1;
err:
if (otmp)
OPENSSL_free(otmp);
if (ptmp)
OPENSSL_free(ptmp);
return ret;
}
int main(int argc, char **argv)
{
static const unsigned char kek[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f,
0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
};
static const unsigned char key[] = {
0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};
static const unsigned char e1[] = {
0x1f, 0xa6, 0x8b, 0x0a, 0x81, 0x12, 0xb4, 0x47,
0xae, 0xf3, 0x4b, 0xd8, 0xfb, 0x5a, 0x7b, 0x82,
0x9d, 0x3e, 0x86, 0x23, 0x71, 0xd2, 0xcf, 0xe5
};
static const unsigned char e2[] = {
0x96, 0x77, 0x8b, 0x25, 0xae, 0x6c, 0xa4, 0x35,
0xf9, 0x2b, 0x5b, 0x97, 0xc0, 0x50, 0xae, 0xd2,
0x46, 0x8a, 0xb8, 0xa1, 0x7a, 0xd8, 0x4e, 0x5d
};
static const unsigned char e3[] = {
0x64, 0xe8, 0xc3, 0xf9, 0xce, 0x0f, 0x5b, 0xa2,
0x63, 0xe9, 0x77, 0x79, 0x05, 0x81, 0x8a, 0x2a,
0x93, 0xc8, 0x19, 0x1e, 0x7d, 0x6e, 0x8a, 0xe7
};
static const unsigned char e4[] = {
0x03, 0x1d, 0x33, 0x26, 0x4e, 0x15, 0xd3, 0x32,
0x68, 0xf2, 0x4e, 0xc2, 0x60, 0x74, 0x3e, 0xdc,
0xe1, 0xc6, 0xc7, 0xdd, 0xee, 0x72, 0x5a, 0x93,
0x6b, 0xa8, 0x14, 0x91, 0x5c, 0x67, 0x62, 0xd2
};
static const unsigned char e5[] = {
0xa8, 0xf9, 0xbc, 0x16, 0x12, 0xc6, 0x8b, 0x3f,
0xf6, 0xe6, 0xf4, 0xfb, 0xe3, 0x0e, 0x71, 0xe4,
0x76, 0x9c, 0x8b, 0x80, 0xa3, 0x2c, 0xb8, 0x95,
0x8c, 0xd5, 0xd1, 0x7d, 0x6b, 0x25, 0x4d, 0xa1
};
static const unsigned char e6[] = {
0x28, 0xc9, 0xf4, 0x04, 0xc4, 0xb8, 0x10, 0xf4,
0xcb, 0xcc, 0xb3, 0x5c, 0xfb, 0x87, 0xf8, 0x26,
0x3f, 0x57, 0x86, 0xe2, 0xd8, 0x0e, 0xd3, 0x26,
0xcb, 0xc7, 0xf0, 0xe7, 0x1a, 0x99, 0xf4, 0x3b,
0xfb, 0x98, 0x8b, 0x9b, 0x7a, 0x02, 0xdd, 0x21
};
AES_KEY wctx, xctx;
int ret;
ret = AES_wrap_unwrap_test(kek, 128, NULL, e1, key, 16);
fprintf(stderr, "Key test result %d\n", ret);
ret = AES_wrap_unwrap_test(kek, 192, NULL, e2, key, 16);
fprintf(stderr, "Key test result %d\n", ret);
ret = AES_wrap_unwrap_test(kek, 256, NULL, e3, key, 16);
fprintf(stderr, "Key test result %d\n", ret);
ret = AES_wrap_unwrap_test(kek, 192, NULL, e4, key, 24);
fprintf(stderr, "Key test result %d\n", ret);
ret = AES_wrap_unwrap_test(kek, 256, NULL, e5, key, 24);
fprintf(stderr, "Key test result %d\n", ret);
ret = AES_wrap_unwrap_test(kek, 256, NULL, e6, key, 32);
fprintf(stderr, "Key test result %d\n", ret);
}
#endif

View File

@ -89,10 +89,8 @@ typedef unsigned long long u64;
#endif
#undef ROTATE
#if defined(_MSC_VER)
# define ROTATE(a,n) _lrotl(a,n)
#elif defined(__ICC)
# define ROTATE(a,n) _rotl(a,n)
#if defined(_MSC_VER) || defined(__ICC)
# define ROTATE(a,n) _lrotl(a,n)
#elif defined(__GNUC__) && __GNUC__>=2
# if defined(__i386) || defined(__i386__) || defined(__x86_64) || defined(__x86_64__)
# define ROTATE(a,n) ({ register unsigned int ret; \

View File

@ -39,7 +39,7 @@
# but exhibits up to 10% improvement on other cores.
#
# Second version is "monolithic" replacement for aes_core.c, which in
# addition to AES_[de|en]crypt implements AES_set_[de|en]cryption_key.
# addition to AES_[de|en]crypt implements private_AES_set_[de|en]cryption_key.
# This made it possible to implement little-endian variant of the
# algorithm without modifying the base C code. Motivating factor for
# the undertaken effort was that it appeared that in tight IA-32
@ -103,12 +103,11 @@
# byte for 128-bit key.
#
# ECB encrypt ECB decrypt CBC large chunk
# P4 52[54] 83[95] 23
# AMD K8 46[41] 66[70] 18
# PIII 41[50] 60[77] 24
# Core 2 31[36] 45[64] 18.5
# Atom 76[100] 96[138] 60
# Pentium 115 150 77
# P4 56[60] 84[100] 23
# AMD K8 48[44] 70[79] 18
# PIII 41[50] 61[91] 24
# Core 2 32[38] 45[70] 18.5
# Pentium 120 160 77
#
# Version 4.1 switches to compact S-box even in key schedule setup.
#
@ -243,7 +242,7 @@ $vertical_spin=0; # shift "verticaly" defaults to 0, because of
sub encvert()
{ my ($te,@s) = @_;
my ($v0,$v1) = ($acc,$key);
my $v0 = $acc, $v1 = $key;
&mov ($v0,$s[3]); # copy s3
&mov (&DWP(4,"esp"),$s[2]); # save s2
@ -300,7 +299,7 @@ sub encvert()
# Another experimental routine, which features "horizontal spin," but
# eliminates one reference to stack. Strangely enough runs slower...
sub enchoriz()
{ my ($v0,$v1) = ($key,$acc);
{ my $v0 = $key, $v1 = $acc;
&movz ($v0,&LB($s0)); # 3, 2, 1, 0*
&rotr ($s2,8); # 8,11,10, 9
@ -428,7 +427,7 @@ sub sse_encbody()
######################################################################
sub enccompact()
{ my $Fn = \&mov;
{ my $Fn = mov;
while ($#_>5) { pop(@_); $Fn=sub{}; }
my ($i,$te,@s)=@_;
my $tmp = $key;
@ -477,25 +476,24 @@ sub enctransform()
my $tmp = $tbl;
my $r2 = $key ;
&and ($tmp,$s[$i]);
&lea ($r2,&DWP(0,$s[$i],$s[$i]));
&mov ($acc,$tmp);
&mov ($acc,$s[$i]);
&and ($acc,0x80808080);
&mov ($tmp,$acc);
&shr ($tmp,7);
&and ($r2,0xfefefefe);
&lea ($r2,&DWP(0,$s[$i],$s[$i]));
&sub ($acc,$tmp);
&mov ($tmp,$s[$i]);
&and ($r2,0xfefefefe);
&and ($acc,0x1b1b1b1b);
&rotr ($tmp,16);
&mov ($tmp,$s[$i]);
&xor ($acc,$r2); # r2
&mov ($r2,$s[$i]);
&xor ($s[$i],$acc); # r0 ^ r2
&rotr ($r2,16+8);
&xor ($acc,$tmp);
&rotl ($s[$i],24);
&xor ($acc,$r2);
&mov ($tmp,0x80808080) if ($i!=1);
&xor ($s[$i],$acc); # ROTATE(r2^r0,24) ^ r2
&xor ($s[$i],$acc) # ROTATE(r2^r0,24) ^ r2
&rotr ($tmp,16);
&xor ($s[$i],$tmp);
&rotr ($tmp,8);
&xor ($s[$i],$tmp);
}
&function_begin_B("_x86_AES_encrypt_compact");
@ -528,7 +526,6 @@ sub enctransform()
&enccompact(1,$tbl,$s1,$s2,$s3,$s0,1);
&enccompact(2,$tbl,$s2,$s3,$s0,$s1,1);
&enccompact(3,$tbl,$s3,$s0,$s1,$s2,1);
&mov ($tbl,0x80808080);
&enctransform(2);
&enctransform(3);
&enctransform(0);
@ -610,84 +607,82 @@ sub sse_enccompact()
&pshufw ("mm5","mm4",0x0d); # 15,14,11,10
&movd ("eax","mm1"); # 5, 4, 1, 0
&movd ("ebx","mm5"); # 15,14,11,10
&mov ($__key,$key);
&movz ($acc,&LB("eax")); # 0
&movz ("edx",&HB("eax")); # 1
&pshufw ("mm2","mm0",0x0d); # 7, 6, 3, 2
&movz ("ecx",&BP(-128,$tbl,$acc,1)); # 0
&movz ($key,&LB("ebx")); # 10
&pshufw ("mm2","mm0",0x0d); # 7, 6, 3, 2
&movz ("edx",&HB("eax")); # 1
&movz ("edx",&BP(-128,$tbl,"edx",1)); # 1
&shr ("eax",16); # 5, 4
&shl ("edx",8); # 1
&shr ("eax",16); # 5, 4
&movz ($acc,&BP(-128,$tbl,$key,1)); # 10
&movz ($key,&HB("ebx")); # 11
&movz ($acc,&LB("ebx")); # 10
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 10
&shl ($acc,16); # 10
&pshufw ("mm6","mm4",0x08); # 13,12, 9, 8
&or ("ecx",$acc); # 10
&movz ($acc,&BP(-128,$tbl,$key,1)); # 11
&movz ($key,&HB("eax")); # 5
&pshufw ("mm6","mm4",0x08); # 13,12, 9, 8
&movz ($acc,&HB("ebx")); # 11
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 11
&shl ($acc,24); # 11
&shr ("ebx",16); # 15,14
&or ("edx",$acc); # 11
&shr ("ebx",16); # 15,14
&movz ($acc,&BP(-128,$tbl,$key,1)); # 5
&movz ($key,&HB("ebx")); # 15
&movz ($acc,&HB("eax")); # 5
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 5
&shl ($acc,8); # 5
&or ("ecx",$acc); # 5
&movz ($acc,&BP(-128,$tbl,$key,1)); # 15
&movz ($key,&LB("eax")); # 4
&movz ($acc,&HB("ebx")); # 15
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 15
&shl ($acc,24); # 15
&or ("ecx",$acc); # 15
&movz ($acc,&BP(-128,$tbl,$key,1)); # 4
&movz ($key,&LB("ebx")); # 14
&movd ("eax","mm2"); # 7, 6, 3, 2
&movd ("mm0","ecx"); # t[0] collected
&movz ("ecx",&BP(-128,$tbl,$key,1)); # 14
&movz ($key,&HB("eax")); # 3
&shl ("ecx",16); # 14
&movd ("ebx","mm6"); # 13,12, 9, 8
&movz ($acc,&LB("eax")); # 4
&movz ("ecx",&BP(-128,$tbl,$acc,1)); # 4
&movd ("eax","mm2"); # 7, 6, 3, 2
&movz ($acc,&LB("ebx")); # 14
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 14
&shl ($acc,16); # 14
&or ("ecx",$acc); # 14
&movz ($acc,&BP(-128,$tbl,$key,1)); # 3
&movz ($key,&HB("ebx")); # 9
&movd ("ebx","mm6"); # 13,12, 9, 8
&movz ($acc,&HB("eax")); # 3
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 3
&shl ($acc,24); # 3
&or ("ecx",$acc); # 3
&movz ($acc,&BP(-128,$tbl,$key,1)); # 9
&movz ($key,&LB("ebx")); # 8
&movz ($acc,&HB("ebx")); # 9
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 9
&shl ($acc,8); # 9
&shr ("ebx",16); # 13,12
&or ("ecx",$acc); # 9
&movz ($acc,&BP(-128,$tbl,$key,1)); # 8
&movz ($key,&LB("eax")); # 2
&shr ("eax",16); # 7, 6
&movd ("mm1","ecx"); # t[1] collected
&movz ("ecx",&BP(-128,$tbl,$key,1)); # 2
&movz ($key,&HB("eax")); # 7
&shl ("ecx",16); # 2
&and ("eax",0xff); # 6
&movz ($acc,&LB("ebx")); # 8
&movz ("ecx",&BP(-128,$tbl,$acc,1)); # 8
&shr ("ebx",16); # 13,12
&movz ($acc,&LB("eax")); # 2
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 2
&shl ($acc,16); # 2
&or ("ecx",$acc); # 2
&shr ("eax",16); # 7, 6
&punpckldq ("mm0","mm1"); # t[0,1] collected
&movz ($acc,&BP(-128,$tbl,$key,1)); # 7
&movz ($key,&HB("ebx")); # 13
&movz ($acc,&HB("eax")); # 7
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 7
&shl ($acc,24); # 7
&and ("ebx",0xff); # 12
&movz ("eax",&BP(-128,$tbl,"eax",1)); # 6
&or ("ecx",$acc); # 7
&and ("eax",0xff); # 6
&movz ("eax",&BP(-128,$tbl,"eax",1)); # 6
&shl ("eax",16); # 6
&movz ($acc,&BP(-128,$tbl,$key,1)); # 13
&or ("edx","eax"); # 6
&movz ($acc,&HB("ebx")); # 13
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 13
&shl ($acc,8); # 13
&movz ("ebx",&BP(-128,$tbl,"ebx",1)); # 12
&or ("ecx",$acc); # 13
&or ("edx","ebx"); # 12
&mov ($key,$__key);
&movd ("mm4","ecx"); # t[2] collected
&and ("ebx",0xff); # 12
&movz ("ebx",&BP(-128,$tbl,"ebx",1)); # 12
&or ("edx","ebx"); # 12
&movd ("mm5","edx"); # t[3] collected
&punpckldq ("mm4","mm5"); # t[2,3] collected
@ -1227,7 +1222,7 @@ sub enclast()
######################################################################
sub deccompact()
{ my $Fn = \&mov;
{ my $Fn = mov;
while ($#_>5) { pop(@_); $Fn=sub{}; }
my ($i,$td,@s)=@_;
my $tmp = $key;
@ -1275,30 +1270,30 @@ sub dectransform()
my $tp4 = @s[($i+3)%4]; $tp4 = @s[3] if ($i==1);
my $tp8 = $tbl;
&mov ($tmp,0x80808080);
&and ($tmp,$s[$i]);
&mov ($acc,$tmp);
&mov ($acc,$s[$i]);
&and ($acc,0x80808080);
&mov ($tmp,$acc);
&shr ($tmp,7);
&lea ($tp2,&DWP(0,$s[$i],$s[$i]));
&sub ($acc,$tmp);
&and ($tp2,0xfefefefe);
&and ($acc,0x1b1b1b1b);
&xor ($tp2,$acc);
&mov ($tmp,0x80808080);
&xor ($acc,$tp2);
&mov ($tp2,$acc);
&and ($tmp,$tp2);
&mov ($acc,$tmp);
&and ($acc,0x80808080);
&mov ($tmp,$acc);
&shr ($tmp,7);
&lea ($tp4,&DWP(0,$tp2,$tp2));
&sub ($acc,$tmp);
&and ($tp4,0xfefefefe);
&and ($acc,0x1b1b1b1b);
&xor ($tp2,$s[$i]); # tp2^tp1
&xor ($tp4,$acc);
&mov ($tmp,0x80808080);
&xor ($acc,$tp4);
&mov ($tp4,$acc);
&and ($tmp,$tp4);
&mov ($acc,$tmp);
&and ($acc,0x80808080);
&mov ($tmp,$acc);
&shr ($tmp,7);
&lea ($tp8,&DWP(0,$tp4,$tp4));
&sub ($acc,$tmp);
@ -1310,13 +1305,13 @@ sub dectransform()
&xor ($s[$i],$tp2);
&xor ($tp2,$tp8);
&rotl ($tp2,24);
&xor ($s[$i],$tp4);
&xor ($tp4,$tp8);
&rotl ($tp2,24);
&xor ($s[$i],$tp8); # ^= tp8^(tp4^tp1)^(tp2^tp1)
&rotl ($tp4,16);
&xor ($s[$i],$tp2); # ^= ROTATE(tp8^tp2^tp1,24)
&xor ($s[$i],$tp8); # ^= tp8^(tp4^tp1)^(tp2^tp1)
&rotl ($tp8,8);
&xor ($s[$i],$tp2); # ^= ROTATE(tp8^tp2^tp1,24)
&xor ($s[$i],$tp4); # ^= ROTATE(tp8^tp4^tp1,16)
&mov ($s[0],$__s0) if($i==2); #prefetch $s0
&mov ($s[1],$__s1) if($i==3); #prefetch $s1
@ -1394,87 +1389,85 @@ sub dectransform()
sub sse_deccompact()
{
&pshufw ("mm1","mm0",0x0c); # 7, 6, 1, 0
&pshufw ("mm5","mm4",0x09); # 13,12,11,10
&movd ("eax","mm1"); # 7, 6, 1, 0
&movd ("ebx","mm5"); # 13,12,11,10
&mov ($__key,$key);
&pshufw ("mm5","mm4",0x09); # 13,12,11,10
&movz ($acc,&LB("eax")); # 0
&movz ("edx",&HB("eax")); # 1
&pshufw ("mm2","mm0",0x06); # 3, 2, 5, 4
&movz ("ecx",&BP(-128,$tbl,$acc,1)); # 0
&movz ($key,&LB("ebx")); # 10
&movd ("ebx","mm5"); # 13,12,11,10
&movz ("edx",&HB("eax")); # 1
&movz ("edx",&BP(-128,$tbl,"edx",1)); # 1
&shr ("eax",16); # 7, 6
&shl ("edx",8); # 1
&movz ($acc,&BP(-128,$tbl,$key,1)); # 10
&movz ($key,&HB("ebx")); # 11
&pshufw ("mm2","mm0",0x06); # 3, 2, 5, 4
&movz ($acc,&LB("ebx")); # 10
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 10
&shl ($acc,16); # 10
&pshufw ("mm6","mm4",0x03); # 9, 8,15,14
&or ("ecx",$acc); # 10
&movz ($acc,&BP(-128,$tbl,$key,1)); # 11
&movz ($key,&HB("eax")); # 7
&shr ("eax",16); # 7, 6
&movz ($acc,&HB("ebx")); # 11
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 11
&shl ($acc,24); # 11
&shr ("ebx",16); # 13,12
&or ("edx",$acc); # 11
&shr ("ebx",16); # 13,12
&movz ($acc,&BP(-128,$tbl,$key,1)); # 7
&movz ($key,&HB("ebx")); # 13
&pshufw ("mm6","mm4",0x03); # 9, 8,15,14
&movz ($acc,&HB("eax")); # 7
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 7
&shl ($acc,24); # 7
&or ("ecx",$acc); # 7
&movz ($acc,&BP(-128,$tbl,$key,1)); # 13
&movz ($key,&LB("eax")); # 6
&movz ($acc,&HB("ebx")); # 13
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 13
&shl ($acc,8); # 13
&movd ("eax","mm2"); # 3, 2, 5, 4
&or ("ecx",$acc); # 13
&movz ($acc,&BP(-128,$tbl,$key,1)); # 6
&movz ($key,&LB("ebx")); # 12
&shl ($acc,16); # 6
&movd ("ebx","mm6"); # 9, 8,15,14
&movd ("mm0","ecx"); # t[0] collected
&movz ("ecx",&BP(-128,$tbl,$key,1)); # 12
&movz ($key,&LB("eax")); # 4
&movz ($acc,&LB("eax")); # 6
&movd ("eax","mm2"); # 3, 2, 5, 4
&movz ("ecx",&BP(-128,$tbl,$acc,1)); # 6
&shl ("ecx",16); # 6
&movz ($acc,&LB("ebx")); # 12
&movd ("ebx","mm6"); # 9, 8,15,14
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 12
&or ("ecx",$acc); # 12
&movz ($acc,&BP(-128,$tbl,$key,1)); # 4
&movz ($key,&LB("ebx")); # 14
&movz ($acc,&LB("eax")); # 4
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 4
&or ("edx",$acc); # 4
&movz ($acc,&BP(-128,$tbl,$key,1)); # 14
&movz ($key,&HB("eax")); # 5
&movz ($acc,&LB("ebx")); # 14
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 14
&shl ($acc,16); # 14
&shr ("eax",16); # 3, 2
&or ("edx",$acc); # 14
&movz ($acc,&BP(-128,$tbl,$key,1)); # 5
&movz ($key,&HB("ebx")); # 15
&shr ("ebx",16); # 9, 8
&shl ($acc,8); # 5
&movd ("mm1","edx"); # t[1] collected
&movz ("edx",&BP(-128,$tbl,$key,1)); # 15
&movz ($key,&HB("ebx")); # 9
&shl ("edx",24); # 15
&and ("ebx",0xff); # 8
&movz ($acc,&HB("eax")); # 5
&movz ("edx",&BP(-128,$tbl,$acc,1)); # 5
&shl ("edx",8); # 5
&movz ($acc,&HB("ebx")); # 15
&shr ("eax",16); # 3, 2
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 15
&shl ($acc,24); # 15
&or ("edx",$acc); # 15
&shr ("ebx",16); # 9, 8
&punpckldq ("mm0","mm1"); # t[0,1] collected
&movz ($acc,&BP(-128,$tbl,$key,1)); # 9
&movz ($key,&LB("eax")); # 2
&movz ($acc,&HB("ebx")); # 9
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 9
&shl ($acc,8); # 9
&movz ("eax",&HB("eax")); # 3
&movz ("ebx",&BP(-128,$tbl,"ebx",1)); # 8
&or ("ecx",$acc); # 9
&movz ($acc,&BP(-128,$tbl,$key,1)); # 2
&and ("ebx",0xff); # 8
&movz ("ebx",&BP(-128,$tbl,"ebx",1)); # 8
&or ("edx","ebx"); # 8
&movz ($acc,&LB("eax")); # 2
&movz ($acc,&BP(-128,$tbl,$acc,1)); # 2
&shl ($acc,16); # 2
&movz ("eax",&BP(-128,$tbl,"eax",1)); # 3
&or ("edx",$acc); # 2
&movd ("mm4","edx"); # t[2] collected
&movz ("eax",&HB("eax")); # 3
&movz ("eax",&BP(-128,$tbl,"eax",1)); # 3
&shl ("eax",24); # 3
&or ("ecx","eax"); # 3
&mov ($key,$__key);
&movd ("mm4","edx"); # t[2] collected
&movd ("mm5","ecx"); # t[3] collected
&punpckldq ("mm4","mm5"); # t[2,3] collected
@ -2188,8 +2181,8 @@ my $mark=&DWP(76+240,"esp"); # copy of aes_key->rounds
&mov ("ecx",240/4);
&xor ("eax","eax");
&align (4);
&data_word(0xABF3F689); # rep stosd
&set_label("skip_ezero");
&data_word(0xABF3F689); # rep stosd
&set_label("skip_ezero")
&mov ("esp",$_esp);
&popf ();
&set_label("drop_out");
@ -2308,8 +2301,8 @@ my $mark=&DWP(76+240,"esp"); # copy of aes_key->rounds
&mov ("ecx",240/4);
&xor ("eax","eax");
&align (4);
&data_word(0xABF3F689); # rep stosd
&set_label("skip_dzero");
&data_word(0xABF3F689); # rep stosd
&set_label("skip_dzero")
&mov ("esp",$_esp);
&popf ();
&function_end_A();
@ -2872,32 +2865,32 @@ sub deckey()
{ my ($i,$key,$tp1,$tp2,$tp4,$tp8) = @_;
my $tmp = $tbl;
&mov ($tmp,0x80808080);
&and ($tmp,$tp1);
&lea ($tp2,&DWP(0,$tp1,$tp1));
&mov ($acc,$tmp);
&mov ($acc,$tp1);
&and ($acc,0x80808080);
&mov ($tmp,$acc);
&shr ($tmp,7);
&lea ($tp2,&DWP(0,$tp1,$tp1));
&sub ($acc,$tmp);
&and ($tp2,0xfefefefe);
&and ($acc,0x1b1b1b1b);
&xor ($tp2,$acc);
&mov ($tmp,0x80808080);
&xor ($acc,$tp2);
&mov ($tp2,$acc);
&and ($tmp,$tp2);
&lea ($tp4,&DWP(0,$tp2,$tp2));
&mov ($acc,$tmp);
&and ($acc,0x80808080);
&mov ($tmp,$acc);
&shr ($tmp,7);
&lea ($tp4,&DWP(0,$tp2,$tp2));
&sub ($acc,$tmp);
&and ($tp4,0xfefefefe);
&and ($acc,0x1b1b1b1b);
&xor ($tp2,$tp1); # tp2^tp1
&xor ($tp4,$acc);
&mov ($tmp,0x80808080);
&xor ($acc,$tp4);
&mov ($tp4,$acc);
&and ($tmp,$tp4);
&lea ($tp8,&DWP(0,$tp4,$tp4));
&mov ($acc,$tmp);
&and ($acc,0x80808080);
&mov ($tmp,$acc);
&shr ($tmp,7);
&lea ($tp8,&DWP(0,$tp4,$tp4));
&xor ($tp4,$tp1); # tp4^tp1
&sub ($acc,$tmp);
&and ($tp8,0xfefefefe);

View File

@ -1,7 +1,7 @@
#!/usr/bin/env perl
# ====================================================================
# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
# project. The module is, however, dual licensed under OpenSSL and
# CRYPTOGAMS licenses depending on where you obtain it. For further
# details see http://www.openssl.org/~appro/cryptogams/.
@ -51,23 +51,9 @@ $key="r11";
$rounds="r12";
$code=<<___;
#ifndef __KERNEL__
# include "arm_arch.h"
#else
# define __ARM_ARCH__ __LINUX_ARM_ARCH__
#endif
#include "arm_arch.h"
.text
#if __ARM_ARCH__<7
.code 32
#else
.syntax unified
# ifdef __thumb2__
.thumb
# else
.code 32
# endif
#endif
.type AES_Te,%object
.align 5
@ -181,11 +167,7 @@ AES_Te:
.type AES_encrypt,%function
.align 5
AES_encrypt:
#if __ARM_ARCH__<7
sub r3,pc,#8 @ AES_encrypt
#else
adr r3,AES_encrypt
#endif
stmdb sp!,{r1,r4-r12,lr}
mov $rounds,r0 @ inp
mov $key,r2
@ -427,21 +409,11 @@ _armv4_AES_encrypt:
.align 5
private_AES_set_encrypt_key:
_armv4_AES_set_encrypt_key:
#if __ARM_ARCH__<7
sub r3,pc,#8 @ AES_set_encrypt_key
#else
adr r3,private_AES_set_encrypt_key
#endif
teq r0,#0
#if __ARM_ARCH__>=7
itt eq @ Thumb2 thing, sanity check in ARM
#endif
moveq r0,#-1
beq .Labrt
teq r2,#0
#if __ARM_ARCH__>=7
itt eq @ Thumb2 thing, sanity check in ARM
#endif
moveq r0,#-1
beq .Labrt
@ -450,9 +422,6 @@ _armv4_AES_set_encrypt_key:
teq r1,#192
beq .Lok
teq r1,#256
#if __ARM_ARCH__>=7
itt ne @ Thumb2 thing, sanity check in ARM
#endif
movne r0,#-1
bne .Labrt
@ -607,9 +576,6 @@ _armv4_AES_set_encrypt_key:
str $s2,[$key,#-16]
subs $rounds,$rounds,#1
str $s3,[$key,#-12]
#if __ARM_ARCH__>=7
itt eq @ Thumb2 thing, sanity check in ARM
#endif
subeq r2,$key,#216
beq .Ldone
@ -679,9 +645,6 @@ _armv4_AES_set_encrypt_key:
str $s2,[$key,#-24]
subs $rounds,$rounds,#1
str $s3,[$key,#-20]
#if __ARM_ARCH__>=7
itt eq @ Thumb2 thing, sanity check in ARM
#endif
subeq r2,$key,#256
beq .Ldone
@ -711,17 +674,11 @@ _armv4_AES_set_encrypt_key:
str $i3,[$key,#-4]
b .L256_loop
.align 2
.Ldone: mov r0,#0
ldmia sp!,{r4-r12,lr}
.Labrt:
#if __ARM_ARCH__>=5
ret @ bx lr
#else
tst lr,#1
.Labrt: tst lr,#1
moveq pc,lr @ be binary compatible with V4, yet
bx lr @ interoperable with Thumb ISA:-)
#endif
.size private_AES_set_encrypt_key,.-private_AES_set_encrypt_key
.global private_AES_set_decrypt_key
@ -731,57 +688,34 @@ private_AES_set_decrypt_key:
str lr,[sp,#-4]! @ push lr
bl _armv4_AES_set_encrypt_key
teq r0,#0
ldr lr,[sp],#4 @ pop lr
ldrne lr,[sp],#4 @ pop lr
bne .Labrt
mov r0,r2 @ AES_set_encrypt_key preserves r2,
mov r1,r2 @ which is AES_KEY *key
b _armv4_AES_set_enc2dec_key
.size private_AES_set_decrypt_key,.-private_AES_set_decrypt_key
stmdb sp!,{r4-r12}
@ void AES_set_enc2dec_key(const AES_KEY *inp,AES_KEY *out)
.global AES_set_enc2dec_key
.type AES_set_enc2dec_key,%function
.align 5
AES_set_enc2dec_key:
_armv4_AES_set_enc2dec_key:
stmdb sp!,{r4-r12,lr}
ldr $rounds,[r2,#240] @ AES_set_encrypt_key preserves r2,
mov $key,r2 @ which is AES_KEY *key
mov $i1,r2
add $i2,r2,$rounds,lsl#4
ldr $rounds,[r0,#240]
mov $i1,r0 @ input
add $i2,r0,$rounds,lsl#4
mov $key,r1 @ ouput
add $tbl,r1,$rounds,lsl#4
str $rounds,[r1,#240]
.Linv: ldr $s0,[$i1],#16
ldr $s1,[$i1,#-12]
ldr $s2,[$i1,#-8]
ldr $s3,[$i1,#-4]
ldr $t1,[$i2],#-16
ldr $t2,[$i2,#16+4]
ldr $t3,[$i2,#16+8]
ldr $i3,[$i2,#16+12]
str $s0,[$tbl],#-16
str $s1,[$tbl,#16+4]
str $s2,[$tbl,#16+8]
str $s3,[$tbl,#16+12]
str $t1,[$key],#16
str $t2,[$key,#-12]
str $t3,[$key,#-8]
str $i3,[$key,#-4]
teq $i1,$i2
bne .Linv
ldr $s0,[$i1]
.Linv: ldr $s0,[$i1]
ldr $s1,[$i1,#4]
ldr $s2,[$i1,#8]
ldr $s3,[$i1,#12]
str $s0,[$key]
str $s1,[$key,#4]
str $s2,[$key,#8]
str $s3,[$key,#12]
sub $key,$key,$rounds,lsl#3
ldr $t1,[$i2]
ldr $t2,[$i2,#4]
ldr $t3,[$i2,#8]
ldr $i3,[$i2,#12]
str $s0,[$i2],#-16
str $s1,[$i2,#16+4]
str $s2,[$i2,#16+8]
str $s3,[$i2,#16+12]
str $t1,[$i1],#16
str $t2,[$i1,#-12]
str $t3,[$i1,#-8]
str $i3,[$i1,#-4]
teq $i1,$i2
bne .Linv
___
$mask80=$i1;
$mask1b=$i2;
@ -839,7 +773,7 @@ $code.=<<___;
moveq pc,lr @ be binary compatible with V4, yet
bx lr @ interoperable with Thumb ISA:-)
#endif
.size AES_set_enc2dec_key,.-AES_set_enc2dec_key
.size private_AES_set_decrypt_key,.-private_AES_set_decrypt_key
.type AES_Td,%object
.align 5
@ -949,11 +883,7 @@ AES_Td:
.type AES_decrypt,%function
.align 5
AES_decrypt:
#if __ARM_ARCH__<7
sub r3,pc,#8 @ AES_decrypt
#else
adr r3,AES_decrypt
#endif
stmdb sp!,{r1,r4-r12,lr}
mov $rounds,r0 @ inp
mov $key,r2
@ -1150,9 +1080,8 @@ _armv4_AES_decrypt:
ldrb $t3,[$tbl,$i3] @ Td4[s0>>0]
and $i3,lr,$s1,lsr#8
add $s1,$tbl,$s1,lsr#24
ldrb $i1,[$tbl,$i1] @ Td4[s1>>0]
ldrb $s1,[$s1] @ Td4[s1>>24]
ldrb $s1,[$tbl,$s1,lsr#24] @ Td4[s1>>24]
ldrb $i2,[$tbl,$i2] @ Td4[s1>>16]
eor $s0,$i1,$s0,lsl#24
ldrb $i3,[$tbl,$i3] @ Td4[s1>>8]
@ -1165,8 +1094,7 @@ _armv4_AES_decrypt:
ldrb $i2,[$tbl,$i2] @ Td4[s2>>0]
and $i3,lr,$s2,lsr#16
add $s2,$tbl,$s2,lsr#24
ldrb $s2,[$s2] @ Td4[s2>>24]
ldrb $s2,[$tbl,$s2,lsr#24] @ Td4[s2>>24]
eor $s0,$s0,$i1,lsl#8
ldrb $i3,[$tbl,$i3] @ Td4[s2>>16]
eor $s1,$i2,$s1,lsl#16
@ -1178,9 +1106,8 @@ _armv4_AES_decrypt:
ldrb $i2,[$tbl,$i2] @ Td4[s3>>8]
and $i3,lr,$s3 @ i2
add $s3,$tbl,$s3,lsr#24
ldrb $i3,[$tbl,$i3] @ Td4[s3>>0]
ldrb $s3,[$s3] @ Td4[s3>>24]
ldrb $s3,[$tbl,$s3,lsr#24] @ Td4[s3>>24]
eor $s0,$s0,$i1,lsl#16
ldr $i1,[$key,#0]
eor $s1,$s1,$i2,lsl#8
@ -1203,15 +1130,5 @@ _armv4_AES_decrypt:
___
$code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm; # make it possible to compile with -march=armv4
$code =~ s/\bret\b/bx\tlr/gm;
open SELF,$0;
while(<SELF>) {
next if (/^#!/);
last if (!s/^#/@/ and !/^$/);
print;
}
close SELF;
print $code;
close STDOUT; # enforce flush

File diff suppressed because it is too large Load Diff

View File

@ -45,8 +45,6 @@ if ($flavour =~ /64/) {
$PUSH ="stw";
} else { die "nonsense $flavour"; }
$LITTLE_ENDIAN = ($flavour=~/le$/) ? $SIZE_T : 0;
$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
@ -70,7 +68,7 @@ $key="r5";
$Tbl0="r3";
$Tbl1="r6";
$Tbl2="r7";
$Tbl3=$out; # stay away from "r2"; $out is offloaded to stack
$Tbl3="r2";
$s0="r8";
$s1="r9";
@ -78,7 +76,7 @@ $s2="r10";
$s3="r11";
$t0="r12";
$t1="r0"; # stay away from "r13";
$t1="r13";
$t2="r14";
$t3="r15";
@ -102,6 +100,9 @@ $acc13="r29";
$acc14="r30";
$acc15="r31";
# stay away from TLS pointer
if ($SIZE_T==8) { die if ($t1 ne "r13"); $t1="r0"; }
else { die if ($Tbl3 ne "r2"); $Tbl3=$t0; $t0="r0"; }
$mask80=$Tbl2;
$mask1b=$Tbl3;
@ -336,7 +337,8 @@ $code.=<<___;
$STU $sp,-$FRAME($sp)
mflr r0
$PUSH $out,`$FRAME-$SIZE_T*19`($sp)
$PUSH $toc,`$FRAME-$SIZE_T*20`($sp)
$PUSH r13,`$FRAME-$SIZE_T*19`($sp)
$PUSH r14,`$FRAME-$SIZE_T*18`($sp)
$PUSH r15,`$FRAME-$SIZE_T*17`($sp)
$PUSH r16,`$FRAME-$SIZE_T*16`($sp)
@ -363,61 +365,16 @@ $code.=<<___;
bne Lenc_unaligned
Lenc_unaligned_ok:
___
$code.=<<___ if (!$LITTLE_ENDIAN);
lwz $s0,0($inp)
lwz $s1,4($inp)
lwz $s2,8($inp)
lwz $s3,12($inp)
___
$code.=<<___ if ($LITTLE_ENDIAN);
lwz $t0,0($inp)
lwz $t1,4($inp)
lwz $t2,8($inp)
lwz $t3,12($inp)
rotlwi $s0,$t0,8
rotlwi $s1,$t1,8
rotlwi $s2,$t2,8
rotlwi $s3,$t3,8
rlwimi $s0,$t0,24,0,7
rlwimi $s1,$t1,24,0,7
rlwimi $s2,$t2,24,0,7
rlwimi $s3,$t3,24,0,7
rlwimi $s0,$t0,24,16,23
rlwimi $s1,$t1,24,16,23
rlwimi $s2,$t2,24,16,23
rlwimi $s3,$t3,24,16,23
___
$code.=<<___;
bl LAES_Te
bl Lppc_AES_encrypt_compact
$POP $out,`$FRAME-$SIZE_T*19`($sp)
___
$code.=<<___ if ($LITTLE_ENDIAN);
rotlwi $t0,$s0,8
rotlwi $t1,$s1,8
rotlwi $t2,$s2,8
rotlwi $t3,$s3,8
rlwimi $t0,$s0,24,0,7
rlwimi $t1,$s1,24,0,7
rlwimi $t2,$s2,24,0,7
rlwimi $t3,$s3,24,0,7
rlwimi $t0,$s0,24,16,23
rlwimi $t1,$s1,24,16,23
rlwimi $t2,$s2,24,16,23
rlwimi $t3,$s3,24,16,23
stw $t0,0($out)
stw $t1,4($out)
stw $t2,8($out)
stw $t3,12($out)
___
$code.=<<___ if (!$LITTLE_ENDIAN);
stw $s0,0($out)
stw $s1,4($out)
stw $s2,8($out)
stw $s3,12($out)
___
$code.=<<___;
b Lenc_done
Lenc_unaligned:
@ -460,7 +417,6 @@ Lenc_xpage:
bl LAES_Te
bl Lppc_AES_encrypt_compact
$POP $out,`$FRAME-$SIZE_T*19`($sp)
extrwi $acc00,$s0,8,0
extrwi $acc01,$s0,8,8
@ -493,6 +449,8 @@ Lenc_xpage:
Lenc_done:
$POP r0,`$FRAME+$LRSAVE`($sp)
$POP $toc,`$FRAME-$SIZE_T*20`($sp)
$POP r13,`$FRAME-$SIZE_T*19`($sp)
$POP r14,`$FRAME-$SIZE_T*18`($sp)
$POP r15,`$FRAME-$SIZE_T*17`($sp)
$POP r16,`$FRAME-$SIZE_T*16`($sp)
@ -590,7 +548,7 @@ Lenc_loop:
xor $s2,$t2,$acc14
xor $s3,$t3,$acc15
addi $key,$key,16
bdnz Lenc_loop
bdnz- Lenc_loop
addi $Tbl2,$Tbl0,2048
nop
@ -806,7 +764,6 @@ Lenc_compact_done:
blr
.long 0
.byte 0,12,0x14,0,0,0,0,0
.size .AES_encrypt,.-.AES_encrypt
.globl .AES_decrypt
.align 7
@ -814,7 +771,8 @@ Lenc_compact_done:
$STU $sp,-$FRAME($sp)
mflr r0
$PUSH $out,`$FRAME-$SIZE_T*19`($sp)
$PUSH $toc,`$FRAME-$SIZE_T*20`($sp)
$PUSH r13,`$FRAME-$SIZE_T*19`($sp)
$PUSH r14,`$FRAME-$SIZE_T*18`($sp)
$PUSH r15,`$FRAME-$SIZE_T*17`($sp)
$PUSH r16,`$FRAME-$SIZE_T*16`($sp)
@ -841,61 +799,16 @@ Lenc_compact_done:
bne Ldec_unaligned
Ldec_unaligned_ok:
___
$code.=<<___ if (!$LITTLE_ENDIAN);
lwz $s0,0($inp)
lwz $s1,4($inp)
lwz $s2,8($inp)
lwz $s3,12($inp)
___
$code.=<<___ if ($LITTLE_ENDIAN);
lwz $t0,0($inp)
lwz $t1,4($inp)
lwz $t2,8($inp)
lwz $t3,12($inp)
rotlwi $s0,$t0,8
rotlwi $s1,$t1,8
rotlwi $s2,$t2,8
rotlwi $s3,$t3,8
rlwimi $s0,$t0,24,0,7
rlwimi $s1,$t1,24,0,7
rlwimi $s2,$t2,24,0,7
rlwimi $s3,$t3,24,0,7
rlwimi $s0,$t0,24,16,23
rlwimi $s1,$t1,24,16,23
rlwimi $s2,$t2,24,16,23
rlwimi $s3,$t3,24,16,23
___
$code.=<<___;
bl LAES_Td
bl Lppc_AES_decrypt_compact
$POP $out,`$FRAME-$SIZE_T*19`($sp)
___
$code.=<<___ if ($LITTLE_ENDIAN);
rotlwi $t0,$s0,8
rotlwi $t1,$s1,8
rotlwi $t2,$s2,8
rotlwi $t3,$s3,8
rlwimi $t0,$s0,24,0,7
rlwimi $t1,$s1,24,0,7
rlwimi $t2,$s2,24,0,7
rlwimi $t3,$s3,24,0,7
rlwimi $t0,$s0,24,16,23
rlwimi $t1,$s1,24,16,23
rlwimi $t2,$s2,24,16,23
rlwimi $t3,$s3,24,16,23
stw $t0,0($out)
stw $t1,4($out)
stw $t2,8($out)
stw $t3,12($out)
___
$code.=<<___ if (!$LITTLE_ENDIAN);
stw $s0,0($out)
stw $s1,4($out)
stw $s2,8($out)
stw $s3,12($out)
___
$code.=<<___;
b Ldec_done
Ldec_unaligned:
@ -938,7 +851,6 @@ Ldec_xpage:
bl LAES_Td
bl Lppc_AES_decrypt_compact
$POP $out,`$FRAME-$SIZE_T*19`($sp)
extrwi $acc00,$s0,8,0
extrwi $acc01,$s0,8,8
@ -971,6 +883,8 @@ Ldec_xpage:
Ldec_done:
$POP r0,`$FRAME+$LRSAVE`($sp)
$POP $toc,`$FRAME-$SIZE_T*20`($sp)
$POP r13,`$FRAME-$SIZE_T*19`($sp)
$POP r14,`$FRAME-$SIZE_T*18`($sp)
$POP r15,`$FRAME-$SIZE_T*17`($sp)
$POP r16,`$FRAME-$SIZE_T*16`($sp)
@ -1068,7 +982,7 @@ Ldec_loop:
xor $s2,$t2,$acc14
xor $s3,$t3,$acc15
addi $key,$key,16
bdnz Ldec_loop
bdnz- Ldec_loop
addi $Tbl2,$Tbl0,2048
nop
@ -1441,7 +1355,6 @@ Ldec_compact_done:
blr
.long 0
.byte 0,12,0x14,0,0,0,0,0
.size .AES_decrypt,.-.AES_decrypt
.asciz "AES for PPC, CRYPTOGAMS by <appro\@openssl.org>"
.align 7

View File

@ -818,9 +818,13 @@ $code.=<<___ if (!$softonly);
tmhl %r0,0x4000 # check for message-security assist
jz .Lekey_internal
llihh %r0,0x8000
srlg %r0,%r0,0(%r5)
ng %r0,48(%r1) # check kmc capability vector
lghi %r0,0 # query capability vector
la %r1,16($sp)
.long 0xb92f0042 # kmc %r4,%r2
llihh %r1,0x8000
srlg %r1,%r1,0(%r5)
ng %r1,16($sp)
jz .Lekey_internal
lmg %r0,%r1,0($inp) # just copy 128 bits...
@ -1440,10 +1444,13 @@ $code.=<<___ if (0); ######### kmctr code was measured to be ~12% slower
llgfr $s0,%r0
lgr $s1,%r1
larl %r1,OPENSSL_s390xcap_P
lghi %r0,0
la %r1,16($sp)
.long 0xb92d2042 # kmctr %r4,%r2,%r2
llihh %r0,0x8000 # check if kmctr supports the function code
srlg %r0,%r0,0($s0)
ng %r0,64(%r1) # check kmctr capability vector
ng %r0,16($sp)
lgr %r0,$s0
lgr %r1,$s1
jz .Lctr32_km_loop
@ -1590,10 +1597,12 @@ $code.=<<___ if(1);
llgfr $s0,%r0 # put aside the function code
lghi $s1,0x7f
nr $s1,%r0
larl %r1,OPENSSL_s390xcap_P
llihh %r0,0x8000
srlg %r0,%r0,32($s1) # check for 32+function code
ng %r0,32(%r1) # check km capability vector
lghi %r0,0 # query capability vector
la %r1,$tweak-16($sp)
.long 0xb92e0042 # km %r4,%r2
llihh %r1,0x8000
srlg %r1,%r1,32($s1) # check for 32+function code
ng %r1,$tweak-16($sp)
lgr %r0,$s0 # restore the function code
la %r1,0($key1) # restore $key1
jz .Lxts_km_vanilla
@ -2220,7 +2229,7 @@ ___
}
$code.=<<___;
.string "AES for s390x, CRYPTOGAMS by <appro\@openssl.org>"
.comm OPENSSL_s390xcap_P,80,8
.comm OPENSSL_s390xcap_P,16,8
___
$code =~ s/\`([^\`]*)\`/eval $1/gem;

View File

@ -19,10 +19,9 @@
# Performance in number of cycles per processed byte for 128-bit key:
#
# ECB encrypt ECB decrypt CBC large chunk
# AMD64 33 43 13.0
# EM64T 38 56 18.6(*)
# Core 2 30 42 14.5(*)
# Atom 65 86 32.1(*)
# AMD64 33 41 13.0
# EM64T 38 59 18.6(*)
# Core 2 30 43 14.5(*)
#
# (*) with hyper-threading off
@ -367,66 +366,68 @@ $code.=<<___;
movzb `&lo("$s0")`,$t0
movzb `&lo("$s1")`,$t1
movzb `&lo("$s2")`,$t2
movzb `&lo("$s3")`,$t3
movzb `&hi("$s1")`,$acc0
movzb `&hi("$s2")`,$acc1
shr \$16,$s2
movzb `&hi("$s3")`,$acc2
movzb ($sbox,$t0,1),$t0
movzb ($sbox,$t1,1),$t1
movzb ($sbox,$t2,1),$t2
movzb ($sbox,$t3,1),$t3
movzb `&lo("$s3")`,$t3
movzb `&hi("$s1")`,$acc0
movzb `&hi("$s2")`,$acc1
movzb ($sbox,$t3,1),$t3
movzb ($sbox,$acc0,1),$t4 #$t0
movzb `&hi("$s0")`,$acc0
movzb ($sbox,$acc1,1),$t5 #$t1
movzb `&lo("$s2")`,$acc1
movzb `&hi("$s3")`,$acc2
movzb `&hi("$s0")`,$acc0
shr \$16,$s2
movzb ($sbox,$acc2,1),$acc2 #$t2
movzb ($sbox,$acc0,1),$acc0 #$t3
shl \$8,$t4
shr \$16,$s3
movzb `&lo("$s2")`,$acc1
shl \$8,$t4
shl \$8,$t5
xor $t4,$t0
shr \$16,$s0
movzb `&lo("$s3")`,$t4
shr \$16,$s1
xor $t5,$t1
shl \$8,$acc2
movzb `&lo("$s0")`,$t5
movzb ($sbox,$acc1,1),$acc1 #$t0
xor $acc2,$t2
xor $t4,$t0
xor $t5,$t1
movzb `&lo("$s3")`,$t4
shr \$16,$s0
shr \$16,$s1
movzb `&lo("$s0")`,$t5
shl \$8,$acc2
shl \$8,$acc0
movzb `&lo("$s1")`,$acc2
shl \$16,$acc1
xor $acc0,$t3
movzb ($sbox,$t4,1),$t4 #$t1
movzb `&hi("$s3")`,$acc0
movzb ($sbox,$t5,1),$t5 #$t2
xor $acc1,$t0
xor $acc2,$t2
xor $acc0,$t3
shr \$8,$s2
movzb `&hi("$s0")`,$acc1
shl \$16,$t4
shr \$8,$s1
shl \$16,$t5
xor $t4,$t1
movzb `&lo("$s1")`,$acc2
movzb `&hi("$s3")`,$acc0
shl \$16,$acc1
movzb ($sbox,$acc2,1),$acc2 #$t3
movzb ($sbox,$acc0,1),$acc0 #$t0
xor $acc1,$t0
movzb `&hi("$s0")`,$acc1
shr \$8,$s2
shr \$8,$s1
movzb ($sbox,$acc1,1),$acc1 #$t1
movzb ($sbox,$s2,1),$s3 #$t3
movzb ($sbox,$s1,1),$s2 #$t2
shl \$16,$t4
shl \$16,$t5
shl \$16,$acc2
xor $t4,$t1
xor $t5,$t2
shl \$24,$acc0
xor $acc2,$t3
shl \$24,$acc0
shl \$24,$acc1
xor $acc0,$t0
shl \$24,$s3
xor $acc1,$t1
xor $acc0,$t0
shl \$24,$s2
xor $acc1,$t1
mov $t0,$s0
mov $t1,$s1
xor $t2,$s2
@ -465,12 +466,12 @@ sub enctransform()
{ my ($t3,$r20,$r21)=($acc2,"%r8d","%r9d");
$code.=<<___;
mov \$0x80808080,$t0
mov \$0x80808080,$t1
and $s0,$t0
and $s1,$t1
mov $t0,$acc0
mov $t1,$acc1
mov $s0,$acc0
mov $s1,$acc1
and \$0x80808080,$acc0
and \$0x80808080,$acc1
mov $acc0,$t0
mov $acc1,$t1
shr \$7,$t0
lea ($s0,$s0),$r20
shr \$7,$t1
@ -488,25 +489,25 @@ $code.=<<___;
xor $r20,$s0
xor $r21,$s1
mov \$0x80808080,$t2
mov $s2,$acc0
mov $s3,$acc1
rol \$24,$s0
mov \$0x80808080,$t3
rol \$24,$s1
and $s2,$t2
and $s3,$t3
and \$0x80808080,$acc0
and \$0x80808080,$acc1
xor $r20,$s0
xor $r21,$s1
mov $t2,$acc0
mov $acc0,$t2
mov $acc1,$t3
ror \$16,$t0
mov $t3,$acc1
ror \$16,$t1
lea ($s2,$s2),$r20
shr \$7,$t2
lea ($s2,$s2),$r20
xor $t0,$s0
shr \$7,$t3
xor $t1,$s1
ror \$8,$t0
shr \$7,$t3
lea ($s3,$s3),$r21
ror \$8,$t0
ror \$8,$t1
sub $t2,$acc0
sub $t3,$acc1
@ -522,23 +523,23 @@ $code.=<<___;
xor $acc0,$r20
xor $acc1,$r21
ror \$16,$t2
xor $r20,$s2
ror \$16,$t3
xor $r21,$s3
rol \$24,$s2
mov 0($sbox),$acc0 # prefetch Te4
rol \$24,$s3
xor $r20,$s2
mov 64($sbox),$acc1
xor $r21,$s3
mov 128($sbox),$r20
mov 0($sbox),$acc0 # prefetch Te4
ror \$16,$t2
ror \$16,$t3
mov 64($sbox),$acc1
xor $t2,$s2
ror \$8,$t2
xor $t3,$s3
mov 128($sbox),$r20
ror \$8,$t2
ror \$8,$t3
xor $t2,$s2
mov 192($sbox),$r21
xor $t2,$s2
xor $t3,$s3
___
}
@ -935,69 +936,70 @@ $code.=<<___;
movzb `&lo("$s0")`,$t0
movzb `&lo("$s1")`,$t1
movzb `&lo("$s2")`,$t2
movzb `&lo("$s3")`,$t3
movzb `&hi("$s3")`,$acc0
movzb `&hi("$s0")`,$acc1
shr \$16,$s3
movzb `&hi("$s1")`,$acc2
movzb ($sbox,$t0,1),$t0
movzb ($sbox,$t1,1),$t1
movzb ($sbox,$t2,1),$t2
movzb ($sbox,$t3,1),$t3
movzb `&lo("$s3")`,$t3
movzb `&hi("$s3")`,$acc0
movzb `&hi("$s0")`,$acc1
movzb ($sbox,$t3,1),$t3
movzb ($sbox,$acc0,1),$t4 #$t0
movzb `&hi("$s2")`,$acc0
movzb ($sbox,$acc1,1),$t5 #$t1
movzb `&hi("$s1")`,$acc2
movzb `&hi("$s2")`,$acc0
shr \$16,$s2
movzb ($sbox,$acc2,1),$acc2 #$t2
movzb ($sbox,$acc0,1),$acc0 #$t3
shr \$16,$s3
shr \$16,$s2
shl \$8,$t5
shl \$8,$t4
movzb `&lo("$s2")`,$acc1
shr \$16,$s0
xor $t4,$t0
shr \$16,$s1
movzb `&lo("$s3")`,$t4
shl \$8,$acc2
xor $t5,$t1
shl \$8,$acc0
movzb `&lo("$s0")`,$t5
shl \$8,$t4
shl \$8,$t5
movzb ($sbox,$acc1,1),$acc1 #$t0
xor $acc2,$t2
movzb `&lo("$s1")`,$acc2
xor $t4,$t0
xor $t5,$t1
shl \$16,$acc1
xor $acc0,$t3
movzb `&lo("$s3")`,$t4
shr \$16,$s0
shr \$16,$s1
movzb `&lo("$s0")`,$t5
shl \$8,$acc2
shl \$8,$acc0
movzb ($sbox,$t4,1),$t4 #$t1
movzb `&hi("$s1")`,$acc0
movzb ($sbox,$acc2,1),$acc2 #$t3
xor $acc1,$t0
movzb ($sbox,$t5,1),$t5 #$t2
movzb `&hi("$s2")`,$acc1
xor $acc2,$t2
xor $acc0,$t3
shl \$16,$acc2
movzb `&lo("$s1")`,$acc2
movzb `&hi("$s1")`,$acc0
shl \$16,$acc1
movzb ($sbox,$acc2,1),$acc2 #$t3
movzb ($sbox,$acc0,1),$acc0 #$t0
xor $acc1,$t0
movzb `&hi("$s2")`,$acc1
shl \$16,$t4
shl \$16,$t5
xor $acc2,$t3
movzb `&hi("$s3")`,$acc2
movzb ($sbox,$acc1,1),$s1 #$t1
xor $t4,$t1
shr \$8,$s0
xor $t5,$t2
movzb ($sbox,$acc0,1),$acc0 #$t0
movzb ($sbox,$acc1,1),$s1 #$t1
movzb ($sbox,$acc2,1),$s2 #$t2
movzb `&hi("$s3")`,$acc1
shr \$8,$s0
shl \$16,$acc2
movzb ($sbox,$acc1,1),$s2 #$t2
movzb ($sbox,$s0,1),$s3 #$t3
xor $acc2,$t3
mov $t0,$s0
shl \$24,$acc0
shl \$24,$s1
shl \$24,$s2
xor $acc0,$s0
xor $acc0,$t0
shl \$24,$s3
xor $t1,$s1
mov $t0,$s0
xor $t2,$s2
xor $t3,$s3
___
@ -1012,12 +1014,12 @@ sub dectransform()
my $prefetch = shift;
$code.=<<___;
mov $mask80,$tp40
mov $mask80,$tp48
and $tp10,$tp40
and $tp18,$tp48
mov $tp40,$acc0
mov $tp48,$acc8
mov $tp10,$acc0
mov $tp18,$acc8
and $mask80,$acc0
and $mask80,$acc8
mov $acc0,$tp40
mov $acc8,$tp48
shr \$7,$tp40
lea ($tp10,$tp10),$tp20
shr \$7,$tp48
@ -1028,15 +1030,15 @@ $code.=<<___;
and $maskfe,$tp28
and $mask1b,$acc0
and $mask1b,$acc8
xor $acc0,$tp20
xor $acc8,$tp28
mov $mask80,$tp80
mov $mask80,$tp88
xor $tp20,$acc0
xor $tp28,$acc8
mov $acc0,$tp20
mov $acc8,$tp28
and $tp20,$tp80
and $tp28,$tp88
mov $tp80,$acc0
mov $tp88,$acc8
and $mask80,$acc0
and $mask80,$acc8
mov $acc0,$tp80
mov $acc8,$tp88
shr \$7,$tp80
lea ($tp20,$tp20),$tp40
shr \$7,$tp88
@ -1047,15 +1049,15 @@ $code.=<<___;
and $maskfe,$tp48
and $mask1b,$acc0
and $mask1b,$acc8
xor $acc0,$tp40
xor $acc8,$tp48
mov $mask80,$tp80
mov $mask80,$tp88
xor $tp40,$acc0
xor $tp48,$acc8
mov $acc0,$tp40
mov $acc8,$tp48
and $tp40,$tp80
and $tp48,$tp88
mov $tp80,$acc0
mov $tp88,$acc8
and $mask80,$acc0
and $mask80,$acc8
mov $acc0,$tp80
mov $acc8,$tp88
shr \$7,$tp80
xor $tp10,$tp20 # tp2^=tp1
shr \$7,$tp88
@ -1080,51 +1082,51 @@ $code.=<<___;
mov $tp10,$acc0
mov $tp18,$acc8
xor $tp80,$tp40 # tp4^tp1^=tp8
shr \$32,$acc0
xor $tp88,$tp48 # tp4^tp1^=tp8
shr \$32,$acc0
shr \$32,$acc8
xor $tp20,$tp80 # tp8^=tp8^tp2^tp1=tp2^tp1
rol \$8,`&LO("$tp10")` # ROTATE(tp1^tp8,8)
xor $tp28,$tp88 # tp8^=tp8^tp2^tp1=tp2^tp1
rol \$8,`&LO("$tp10")` # ROTATE(tp1^tp8,8)
rol \$8,`&LO("$tp18")` # ROTATE(tp1^tp8,8)
xor $tp40,$tp80 # tp2^tp1^=tp8^tp4^tp1=tp8^tp4^tp2
rol \$8,`&LO("$acc0")` # ROTATE(tp1^tp8,8)
xor $tp48,$tp88 # tp2^tp1^=tp8^tp4^tp1=tp8^tp4^tp2
rol \$8,`&LO("$acc0")` # ROTATE(tp1^tp8,8)
rol \$8,`&LO("$acc8")` # ROTATE(tp1^tp8,8)
xor `&LO("$tp80")`,`&LO("$tp10")`
shr \$32,$tp80
xor `&LO("$tp88")`,`&LO("$tp18")`
shr \$32,$tp80
shr \$32,$tp88
xor `&LO("$tp80")`,`&LO("$acc0")`
xor `&LO("$tp88")`,`&LO("$acc8")`
mov $tp20,$tp80
rol \$24,`&LO("$tp20")` # ROTATE(tp2^tp1^tp8,24)
mov $tp28,$tp88
rol \$24,`&LO("$tp28")` # ROTATE(tp2^tp1^tp8,24)
shr \$32,$tp80
xor `&LO("$tp20")`,`&LO("$tp10")`
shr \$32,$tp88
xor `&LO("$tp28")`,`&LO("$tp18")`
rol \$24,`&LO("$tp20")` # ROTATE(tp2^tp1^tp8,24)
rol \$24,`&LO("$tp28")` # ROTATE(tp2^tp1^tp8,24)
rol \$24,`&LO("$tp80")` # ROTATE(tp2^tp1^tp8,24)
mov $tp40,$tp20
rol \$24,`&LO("$tp88")` # ROTATE(tp2^tp1^tp8,24)
xor `&LO("$tp20")`,`&LO("$tp10")`
xor `&LO("$tp28")`,`&LO("$tp18")`
mov $tp40,$tp20
mov $tp48,$tp28
shr \$32,$tp20
xor `&LO("$tp80")`,`&LO("$acc0")`
shr \$32,$tp28
xor `&LO("$tp88")`,`&LO("$acc8")`
`"mov 0($sbox),$mask80" if ($prefetch)`
rol \$16,`&LO("$tp40")` # ROTATE(tp4^tp1^tp8,16)
shr \$32,$tp20
shr \$32,$tp28
`"mov 64($sbox),$maskfe" if ($prefetch)`
rol \$16,`&LO("$tp40")` # ROTATE(tp4^tp1^tp8,16)
rol \$16,`&LO("$tp48")` # ROTATE(tp4^tp1^tp8,16)
`"mov 128($sbox),$mask1b" if ($prefetch)`
rol \$16,`&LO("$tp20")` # ROTATE(tp4^tp1^tp8,16)
rol \$16,`&LO("$tp28")` # ROTATE(tp4^tp1^tp8,16)
`"mov 192($sbox),$tp80" if ($prefetch)`
xor `&LO("$tp40")`,`&LO("$tp10")`
rol \$16,`&LO("$tp28")` # ROTATE(tp4^tp1^tp8,16)
xor `&LO("$tp48")`,`&LO("$tp18")`
`"mov 256($sbox),$tp88" if ($prefetch)`
xor `&LO("$tp20")`,`&LO("$acc0")`
@ -1300,6 +1302,10 @@ private_AES_set_encrypt_key:
call _x86_64_AES_set_encrypt_key
mov 8(%rsp),%r15
mov 16(%rsp),%r14
mov 24(%rsp),%r13
mov 32(%rsp),%r12
mov 40(%rsp),%rbp
mov 48(%rsp),%rbx
add \$56,%rsp

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -1,919 +0,0 @@
#!/usr/bin/env perl
# ====================================================================
# Written by David S. Miller <davem@devemloft.net> and Andy Polyakov
# <appro@openssl.org>. The module is licensed under 2-clause BSD
# license. October 2012. All rights reserved.
# ====================================================================
######################################################################
# AES for SPARC T4.
#
# AES round instructions complete in 3 cycles and can be issued every
# cycle. It means that round calculations should take 4*rounds cycles,
# because any given round instruction depends on result of *both*
# previous instructions:
#
# |0 |1 |2 |3 |4
# |01|01|01|
# |23|23|23|
# |01|01|...
# |23|...
#
# Provided that fxor [with IV] takes 3 cycles to complete, critical
# path length for CBC encrypt would be 3+4*rounds, or in other words
# it should process one byte in at least (3+4*rounds)/16 cycles. This
# estimate doesn't account for "collateral" instructions, such as
# fetching input from memory, xor-ing it with zero-round key and
# storing the result. Yet, *measured* performance [for data aligned
# at 64-bit boundary!] deviates from this equation by less than 0.5%:
#
# 128-bit key 192- 256-
# CBC encrypt 2.70/2.90(*) 3.20/3.40 3.70/3.90
# (*) numbers after slash are for
# misaligned data.
#
# Out-of-order execution logic managed to fully overlap "collateral"
# instructions with those on critical path. Amazing!
#
# As with Intel AES-NI, question is if it's possible to improve
# performance of parallelizeable modes by interleaving round
# instructions. Provided round instruction latency and throughput
# optimal interleave factor is 2. But can we expect 2x performance
# improvement? Well, as round instructions can be issued one per
# cycle, they don't saturate the 2-way issue pipeline and therefore
# there is room for "collateral" calculations... Yet, 2x speed-up
# over CBC encrypt remains unattaintable:
#
# 128-bit key 192- 256-
# CBC decrypt 1.64/2.11 1.89/2.37 2.23/2.61
# CTR 1.64/2.08(*) 1.89/2.33 2.23/2.61
# (*) numbers after slash are for
# misaligned data.
#
# Estimates based on amount of instructions under assumption that
# round instructions are not pairable with any other instruction
# suggest that latter is the actual case and pipeline runs
# underutilized. It should be noted that T4 out-of-order execution
# logic is so capable that performance gain from 2x interleave is
# not even impressive, ~7-13% over non-interleaved code, largest
# for 256-bit keys.
# To anchor to something else, software implementation processes
# one byte in 29 cycles with 128-bit key on same processor. Intel
# Sandy Bridge encrypts byte in 5.07 cycles in CBC mode and decrypts
# in 0.93, naturally with AES-NI.
$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
push(@INC,"${dir}","${dir}../../perlasm");
require "sparcv9_modes.pl";
&asm_init(@ARGV);
$::evp=1; # if $evp is set to 0, script generates module with
# AES_[en|de]crypt, AES_set_[en|de]crypt_key and AES_cbc_encrypt entry
# points. These however are not fully compatible with openssl/aes.h,
# because they expect AES_KEY to be aligned at 64-bit boundary. When
# used through EVP, alignment is arranged at EVP layer. Second thing
# that is arranged by EVP is at least 32-bit alignment of IV.
######################################################################
# single-round subroutines
#
{
my ($inp,$out,$key,$rounds,$tmp,$mask)=map("%o$_",(0..5));
$code.=<<___ if ($::abibits==64);
.register %g2,#scratch
.register %g3,#scratch
___
$code.=<<___;
.text
.globl aes_t4_encrypt
.align 32
aes_t4_encrypt:
andcc $inp, 7, %g1 ! is input aligned?
andn $inp, 7, $inp
ldx [$key + 0], %g4
ldx [$key + 8], %g5
ldx [$inp + 0], %o4
bz,pt %icc, 1f
ldx [$inp + 8], %o5
ldx [$inp + 16], $inp
sll %g1, 3, %g1
sub %g0, %g1, %o3
sllx %o4, %g1, %o4
sllx %o5, %g1, %g1
srlx %o5, %o3, %o5
srlx $inp, %o3, %o3
or %o5, %o4, %o4
or %o3, %g1, %o5
1:
ld [$key + 240], $rounds
ldd [$key + 16], %f12
ldd [$key + 24], %f14
xor %g4, %o4, %o4
xor %g5, %o5, %o5
movxtod %o4, %f0
movxtod %o5, %f2
srl $rounds, 1, $rounds
ldd [$key + 32], %f16
sub $rounds, 1, $rounds
ldd [$key + 40], %f18
add $key, 48, $key
.Lenc:
aes_eround01 %f12, %f0, %f2, %f4
aes_eround23 %f14, %f0, %f2, %f2
ldd [$key + 0], %f12
ldd [$key + 8], %f14
sub $rounds,1,$rounds
aes_eround01 %f16, %f4, %f2, %f0
aes_eround23 %f18, %f4, %f2, %f2
ldd [$key + 16], %f16
ldd [$key + 24], %f18
brnz,pt $rounds, .Lenc
add $key, 32, $key
andcc $out, 7, $tmp ! is output aligned?
aes_eround01 %f12, %f0, %f2, %f4
aes_eround23 %f14, %f0, %f2, %f2
aes_eround01_l %f16, %f4, %f2, %f0
aes_eround23_l %f18, %f4, %f2, %f2
bnz,pn %icc, 2f
nop
std %f0, [$out + 0]
retl
std %f2, [$out + 8]
2: alignaddrl $out, %g0, $out
mov 0xff, $mask
srl $mask, $tmp, $mask
faligndata %f0, %f0, %f4
faligndata %f0, %f2, %f6
faligndata %f2, %f2, %f8
stda %f4, [$out + $mask]0xc0 ! partial store
std %f6, [$out + 8]
add $out, 16, $out
orn %g0, $mask, $mask
retl
stda %f8, [$out + $mask]0xc0 ! partial store
.type aes_t4_encrypt,#function
.size aes_t4_encrypt,.-aes_t4_encrypt
.globl aes_t4_decrypt
.align 32
aes_t4_decrypt:
andcc $inp, 7, %g1 ! is input aligned?
andn $inp, 7, $inp
ldx [$key + 0], %g4
ldx [$key + 8], %g5
ldx [$inp + 0], %o4
bz,pt %icc, 1f
ldx [$inp + 8], %o5
ldx [$inp + 16], $inp
sll %g1, 3, %g1
sub %g0, %g1, %o3
sllx %o4, %g1, %o4
sllx %o5, %g1, %g1
srlx %o5, %o3, %o5
srlx $inp, %o3, %o3
or %o5, %o4, %o4
or %o3, %g1, %o5
1:
ld [$key + 240], $rounds
ldd [$key + 16], %f12
ldd [$key + 24], %f14
xor %g4, %o4, %o4
xor %g5, %o5, %o5
movxtod %o4, %f0
movxtod %o5, %f2
srl $rounds, 1, $rounds
ldd [$key + 32], %f16
sub $rounds, 1, $rounds
ldd [$key + 40], %f18
add $key, 48, $key
.Ldec:
aes_dround01 %f12, %f0, %f2, %f4
aes_dround23 %f14, %f0, %f2, %f2
ldd [$key + 0], %f12
ldd [$key + 8], %f14
sub $rounds,1,$rounds
aes_dround01 %f16, %f4, %f2, %f0
aes_dround23 %f18, %f4, %f2, %f2
ldd [$key + 16], %f16
ldd [$key + 24], %f18
brnz,pt $rounds, .Ldec
add $key, 32, $key
andcc $out, 7, $tmp ! is output aligned?
aes_dround01 %f12, %f0, %f2, %f4
aes_dround23 %f14, %f0, %f2, %f2
aes_dround01_l %f16, %f4, %f2, %f0
aes_dround23_l %f18, %f4, %f2, %f2
bnz,pn %icc, 2f
nop
std %f0, [$out + 0]
retl
std %f2, [$out + 8]
2: alignaddrl $out, %g0, $out
mov 0xff, $mask
srl $mask, $tmp, $mask
faligndata %f0, %f0, %f4
faligndata %f0, %f2, %f6
faligndata %f2, %f2, %f8
stda %f4, [$out + $mask]0xc0 ! partial store
std %f6, [$out + 8]
add $out, 16, $out
orn %g0, $mask, $mask
retl
stda %f8, [$out + $mask]0xc0 ! partial store
.type aes_t4_decrypt,#function
.size aes_t4_decrypt,.-aes_t4_decrypt
___
}
######################################################################
# key setup subroutines
#
{
my ($inp,$bits,$out,$tmp)=map("%o$_",(0..5));
$code.=<<___;
.globl aes_t4_set_encrypt_key
.align 32
aes_t4_set_encrypt_key:
.Lset_encrypt_key:
and $inp, 7, $tmp
alignaddr $inp, %g0, $inp
cmp $bits, 192
ldd [$inp + 0], %f0
bl,pt %icc,.L128
ldd [$inp + 8], %f2
be,pt %icc,.L192
ldd [$inp + 16], %f4
brz,pt $tmp, .L256aligned
ldd [$inp + 24], %f6
ldd [$inp + 32], %f8
faligndata %f0, %f2, %f0
faligndata %f2, %f4, %f2
faligndata %f4, %f6, %f4
faligndata %f6, %f8, %f6
.L256aligned:
___
for ($i=0; $i<6; $i++) {
$code.=<<___;
std %f0, [$out + `32*$i+0`]
aes_kexpand1 %f0, %f6, $i, %f0
std %f2, [$out + `32*$i+8`]
aes_kexpand2 %f2, %f0, %f2
std %f4, [$out + `32*$i+16`]
aes_kexpand0 %f4, %f2, %f4
std %f6, [$out + `32*$i+24`]
aes_kexpand2 %f6, %f4, %f6
___
}
$code.=<<___;
std %f0, [$out + `32*$i+0`]
aes_kexpand1 %f0, %f6, $i, %f0
std %f2, [$out + `32*$i+8`]
aes_kexpand2 %f2, %f0, %f2
std %f4, [$out + `32*$i+16`]
std %f6, [$out + `32*$i+24`]
std %f0, [$out + `32*$i+32`]
std %f2, [$out + `32*$i+40`]
mov 14, $tmp
st $tmp, [$out + 240]
retl
xor %o0, %o0, %o0
.align 16
.L192:
brz,pt $tmp, .L192aligned
nop
ldd [$inp + 24], %f6
faligndata %f0, %f2, %f0
faligndata %f2, %f4, %f2
faligndata %f4, %f6, %f4
.L192aligned:
___
for ($i=0; $i<7; $i++) {
$code.=<<___;
std %f0, [$out + `24*$i+0`]
aes_kexpand1 %f0, %f4, $i, %f0
std %f2, [$out + `24*$i+8`]
aes_kexpand2 %f2, %f0, %f2
std %f4, [$out + `24*$i+16`]
aes_kexpand2 %f4, %f2, %f4
___
}
$code.=<<___;
std %f0, [$out + `24*$i+0`]
aes_kexpand1 %f0, %f4, $i, %f0
std %f2, [$out + `24*$i+8`]
aes_kexpand2 %f2, %f0, %f2
std %f4, [$out + `24*$i+16`]
std %f0, [$out + `24*$i+24`]
std %f2, [$out + `24*$i+32`]
mov 12, $tmp
st $tmp, [$out + 240]
retl
xor %o0, %o0, %o0
.align 16
.L128:
brz,pt $tmp, .L128aligned
nop
ldd [$inp + 16], %f4
faligndata %f0, %f2, %f0
faligndata %f2, %f4, %f2
.L128aligned:
___
for ($i=0; $i<10; $i++) {
$code.=<<___;
std %f0, [$out + `16*$i+0`]
aes_kexpand1 %f0, %f2, $i, %f0
std %f2, [$out + `16*$i+8`]
aes_kexpand2 %f2, %f0, %f2
___
}
$code.=<<___;
std %f0, [$out + `16*$i+0`]
std %f2, [$out + `16*$i+8`]
mov 10, $tmp
st $tmp, [$out + 240]
retl
xor %o0, %o0, %o0
.type aes_t4_set_encrypt_key,#function
.size aes_t4_set_encrypt_key,.-aes_t4_set_encrypt_key
.globl aes_t4_set_decrypt_key
.align 32
aes_t4_set_decrypt_key:
mov %o7, %o5
call .Lset_encrypt_key
nop
mov %o5, %o7
sll $tmp, 4, $inp ! $tmp is number of rounds
add $tmp, 2, $tmp
add $out, $inp, $inp ! $inp=$out+16*rounds
srl $tmp, 2, $tmp ! $tmp=(rounds+2)/4
.Lkey_flip:
ldd [$out + 0], %f0
ldd [$out + 8], %f2
ldd [$out + 16], %f4
ldd [$out + 24], %f6
ldd [$inp + 0], %f8
ldd [$inp + 8], %f10
ldd [$inp - 16], %f12
ldd [$inp - 8], %f14
sub $tmp, 1, $tmp
std %f0, [$inp + 0]
std %f2, [$inp + 8]
std %f4, [$inp - 16]
std %f6, [$inp - 8]
std %f8, [$out + 0]
std %f10, [$out + 8]
std %f12, [$out + 16]
std %f14, [$out + 24]
add $out, 32, $out
brnz $tmp, .Lkey_flip
sub $inp, 32, $inp
retl
xor %o0, %o0, %o0
.type aes_t4_set_decrypt_key,#function
.size aes_t4_set_decrypt_key,.-aes_t4_set_decrypt_key
___
}
{{{
my ($inp,$out,$len,$key,$ivec,$enc)=map("%i$_",(0..5));
my ($ileft,$iright,$ooff,$omask,$ivoff)=map("%l$_",(1..7));
$code.=<<___;
.align 32
_aes128_encrypt_1x:
___
for ($i=0; $i<4; $i++) {
$code.=<<___;
aes_eround01 %f`16+8*$i+0`, %f0, %f2, %f4
aes_eround23 %f`16+8*$i+2`, %f0, %f2, %f2
aes_eround01 %f`16+8*$i+4`, %f4, %f2, %f0
aes_eround23 %f`16+8*$i+6`, %f4, %f2, %f2
___
}
$code.=<<___;
aes_eround01 %f48, %f0, %f2, %f4
aes_eround23 %f50, %f0, %f2, %f2
aes_eround01_l %f52, %f4, %f2, %f0
retl
aes_eround23_l %f54, %f4, %f2, %f2
.type _aes128_encrypt_1x,#function
.size _aes128_encrypt_1x,.-_aes128_encrypt_1x
.align 32
_aes128_encrypt_2x:
___
for ($i=0; $i<4; $i++) {
$code.=<<___;
aes_eround01 %f`16+8*$i+0`, %f0, %f2, %f8
aes_eround23 %f`16+8*$i+2`, %f0, %f2, %f2
aes_eround01 %f`16+8*$i+0`, %f4, %f6, %f10
aes_eround23 %f`16+8*$i+2`, %f4, %f6, %f6
aes_eround01 %f`16+8*$i+4`, %f8, %f2, %f0
aes_eround23 %f`16+8*$i+6`, %f8, %f2, %f2
aes_eround01 %f`16+8*$i+4`, %f10, %f6, %f4
aes_eround23 %f`16+8*$i+6`, %f10, %f6, %f6
___
}
$code.=<<___;
aes_eround01 %f48, %f0, %f2, %f8
aes_eround23 %f50, %f0, %f2, %f2
aes_eround01 %f48, %f4, %f6, %f10
aes_eround23 %f50, %f4, %f6, %f6
aes_eround01_l %f52, %f8, %f2, %f0
aes_eround23_l %f54, %f8, %f2, %f2
aes_eround01_l %f52, %f10, %f6, %f4
retl
aes_eround23_l %f54, %f10, %f6, %f6
.type _aes128_encrypt_2x,#function
.size _aes128_encrypt_2x,.-_aes128_encrypt_2x
.align 32
_aes128_loadkey:
ldx [$key + 0], %g4
ldx [$key + 8], %g5
___
for ($i=2; $i<22;$i++) { # load key schedule
$code.=<<___;
ldd [$key + `8*$i`], %f`12+2*$i`
___
}
$code.=<<___;
retl
nop
.type _aes128_loadkey,#function
.size _aes128_loadkey,.-_aes128_loadkey
_aes128_load_enckey=_aes128_loadkey
_aes128_load_deckey=_aes128_loadkey
___
&alg_cbc_encrypt_implement("aes",128);
if ($::evp) {
&alg_ctr32_implement("aes",128);
&alg_xts_implement("aes",128,"en");
&alg_xts_implement("aes",128,"de");
}
&alg_cbc_decrypt_implement("aes",128);
$code.=<<___;
.align 32
_aes128_decrypt_1x:
___
for ($i=0; $i<4; $i++) {
$code.=<<___;
aes_dround01 %f`16+8*$i+0`, %f0, %f2, %f4
aes_dround23 %f`16+8*$i+2`, %f0, %f2, %f2
aes_dround01 %f`16+8*$i+4`, %f4, %f2, %f0
aes_dround23 %f`16+8*$i+6`, %f4, %f2, %f2
___
}
$code.=<<___;
aes_dround01 %f48, %f0, %f2, %f4
aes_dround23 %f50, %f0, %f2, %f2
aes_dround01_l %f52, %f4, %f2, %f0
retl
aes_dround23_l %f54, %f4, %f2, %f2
.type _aes128_decrypt_1x,#function
.size _aes128_decrypt_1x,.-_aes128_decrypt_1x
.align 32
_aes128_decrypt_2x:
___
for ($i=0; $i<4; $i++) {
$code.=<<___;
aes_dround01 %f`16+8*$i+0`, %f0, %f2, %f8
aes_dround23 %f`16+8*$i+2`, %f0, %f2, %f2
aes_dround01 %f`16+8*$i+0`, %f4, %f6, %f10
aes_dround23 %f`16+8*$i+2`, %f4, %f6, %f6
aes_dround01 %f`16+8*$i+4`, %f8, %f2, %f0
aes_dround23 %f`16+8*$i+6`, %f8, %f2, %f2
aes_dround01 %f`16+8*$i+4`, %f10, %f6, %f4
aes_dround23 %f`16+8*$i+6`, %f10, %f6, %f6
___
}
$code.=<<___;
aes_dround01 %f48, %f0, %f2, %f8
aes_dround23 %f50, %f0, %f2, %f2
aes_dround01 %f48, %f4, %f6, %f10
aes_dround23 %f50, %f4, %f6, %f6
aes_dround01_l %f52, %f8, %f2, %f0
aes_dround23_l %f54, %f8, %f2, %f2
aes_dround01_l %f52, %f10, %f6, %f4
retl
aes_dround23_l %f54, %f10, %f6, %f6
.type _aes128_decrypt_2x,#function
.size _aes128_decrypt_2x,.-_aes128_decrypt_2x
___
$code.=<<___;
.align 32
_aes192_encrypt_1x:
___
for ($i=0; $i<5; $i++) {
$code.=<<___;
aes_eround01 %f`16+8*$i+0`, %f0, %f2, %f4
aes_eround23 %f`16+8*$i+2`, %f0, %f2, %f2
aes_eround01 %f`16+8*$i+4`, %f4, %f2, %f0
aes_eround23 %f`16+8*$i+6`, %f4, %f2, %f2
___
}
$code.=<<___;
aes_eround01 %f56, %f0, %f2, %f4
aes_eround23 %f58, %f0, %f2, %f2
aes_eround01_l %f60, %f4, %f2, %f0
retl
aes_eround23_l %f62, %f4, %f2, %f2
.type _aes192_encrypt_1x,#function
.size _aes192_encrypt_1x,.-_aes192_encrypt_1x
.align 32
_aes192_encrypt_2x:
___
for ($i=0; $i<5; $i++) {
$code.=<<___;
aes_eround01 %f`16+8*$i+0`, %f0, %f2, %f8
aes_eround23 %f`16+8*$i+2`, %f0, %f2, %f2
aes_eround01 %f`16+8*$i+0`, %f4, %f6, %f10
aes_eround23 %f`16+8*$i+2`, %f4, %f6, %f6
aes_eround01 %f`16+8*$i+4`, %f8, %f2, %f0
aes_eround23 %f`16+8*$i+6`, %f8, %f2, %f2
aes_eround01 %f`16+8*$i+4`, %f10, %f6, %f4
aes_eround23 %f`16+8*$i+6`, %f10, %f6, %f6
___
}
$code.=<<___;
aes_eround01 %f56, %f0, %f2, %f8
aes_eround23 %f58, %f0, %f2, %f2
aes_eround01 %f56, %f4, %f6, %f10
aes_eround23 %f58, %f4, %f6, %f6
aes_eround01_l %f60, %f8, %f2, %f0
aes_eround23_l %f62, %f8, %f2, %f2
aes_eround01_l %f60, %f10, %f6, %f4
retl
aes_eround23_l %f62, %f10, %f6, %f6
.type _aes192_encrypt_2x,#function
.size _aes192_encrypt_2x,.-_aes192_encrypt_2x
.align 32
_aes256_encrypt_1x:
aes_eround01 %f16, %f0, %f2, %f4
aes_eround23 %f18, %f0, %f2, %f2
ldd [$key + 208], %f16
ldd [$key + 216], %f18
aes_eround01 %f20, %f4, %f2, %f0
aes_eround23 %f22, %f4, %f2, %f2
ldd [$key + 224], %f20
ldd [$key + 232], %f22
___
for ($i=1; $i<6; $i++) {
$code.=<<___;
aes_eround01 %f`16+8*$i+0`, %f0, %f2, %f4
aes_eround23 %f`16+8*$i+2`, %f0, %f2, %f2
aes_eround01 %f`16+8*$i+4`, %f4, %f2, %f0
aes_eround23 %f`16+8*$i+6`, %f4, %f2, %f2
___
}
$code.=<<___;
aes_eround01 %f16, %f0, %f2, %f4
aes_eround23 %f18, %f0, %f2, %f2
ldd [$key + 16], %f16
ldd [$key + 24], %f18
aes_eround01_l %f20, %f4, %f2, %f0
aes_eround23_l %f22, %f4, %f2, %f2
ldd [$key + 32], %f20
retl
ldd [$key + 40], %f22
.type _aes256_encrypt_1x,#function
.size _aes256_encrypt_1x,.-_aes256_encrypt_1x
.align 32
_aes256_encrypt_2x:
aes_eround01 %f16, %f0, %f2, %f8
aes_eround23 %f18, %f0, %f2, %f2
aes_eround01 %f16, %f4, %f6, %f10
aes_eround23 %f18, %f4, %f6, %f6
ldd [$key + 208], %f16
ldd [$key + 216], %f18
aes_eround01 %f20, %f8, %f2, %f0
aes_eround23 %f22, %f8, %f2, %f2
aes_eround01 %f20, %f10, %f6, %f4
aes_eround23 %f22, %f10, %f6, %f6
ldd [$key + 224], %f20
ldd [$key + 232], %f22
___
for ($i=1; $i<6; $i++) {
$code.=<<___;
aes_eround01 %f`16+8*$i+0`, %f0, %f2, %f8
aes_eround23 %f`16+8*$i+2`, %f0, %f2, %f2
aes_eround01 %f`16+8*$i+0`, %f4, %f6, %f10
aes_eround23 %f`16+8*$i+2`, %f4, %f6, %f6
aes_eround01 %f`16+8*$i+4`, %f8, %f2, %f0
aes_eround23 %f`16+8*$i+6`, %f8, %f2, %f2
aes_eround01 %f`16+8*$i+4`, %f10, %f6, %f4
aes_eround23 %f`16+8*$i+6`, %f10, %f6, %f6
___
}
$code.=<<___;
aes_eround01 %f16, %f0, %f2, %f8
aes_eround23 %f18, %f0, %f2, %f2
aes_eround01 %f16, %f4, %f6, %f10
aes_eround23 %f18, %f4, %f6, %f6
ldd [$key + 16], %f16
ldd [$key + 24], %f18
aes_eround01_l %f20, %f8, %f2, %f0
aes_eround23_l %f22, %f8, %f2, %f2
aes_eround01_l %f20, %f10, %f6, %f4
aes_eround23_l %f22, %f10, %f6, %f6
ldd [$key + 32], %f20
retl
ldd [$key + 40], %f22
.type _aes256_encrypt_2x,#function
.size _aes256_encrypt_2x,.-_aes256_encrypt_2x
.align 32
_aes192_loadkey:
ldx [$key + 0], %g4
ldx [$key + 8], %g5
___
for ($i=2; $i<26;$i++) { # load key schedule
$code.=<<___;
ldd [$key + `8*$i`], %f`12+2*$i`
___
}
$code.=<<___;
retl
nop
.type _aes192_loadkey,#function
.size _aes192_loadkey,.-_aes192_loadkey
_aes256_loadkey=_aes192_loadkey
_aes192_load_enckey=_aes192_loadkey
_aes192_load_deckey=_aes192_loadkey
_aes256_load_enckey=_aes192_loadkey
_aes256_load_deckey=_aes192_loadkey
___
&alg_cbc_encrypt_implement("aes",256);
&alg_cbc_encrypt_implement("aes",192);
if ($::evp) {
&alg_ctr32_implement("aes",256);
&alg_xts_implement("aes",256,"en");
&alg_xts_implement("aes",256,"de");
&alg_ctr32_implement("aes",192);
}
&alg_cbc_decrypt_implement("aes",192);
&alg_cbc_decrypt_implement("aes",256);
$code.=<<___;
.align 32
_aes256_decrypt_1x:
aes_dround01 %f16, %f0, %f2, %f4
aes_dround23 %f18, %f0, %f2, %f2
ldd [$key + 208], %f16
ldd [$key + 216], %f18
aes_dround01 %f20, %f4, %f2, %f0
aes_dround23 %f22, %f4, %f2, %f2
ldd [$key + 224], %f20
ldd [$key + 232], %f22
___
for ($i=1; $i<6; $i++) {
$code.=<<___;
aes_dround01 %f`16+8*$i+0`, %f0, %f2, %f4
aes_dround23 %f`16+8*$i+2`, %f0, %f2, %f2
aes_dround01 %f`16+8*$i+4`, %f4, %f2, %f0
aes_dround23 %f`16+8*$i+6`, %f4, %f2, %f2
___
}
$code.=<<___;
aes_dround01 %f16, %f0, %f2, %f4
aes_dround23 %f18, %f0, %f2, %f2
ldd [$key + 16], %f16
ldd [$key + 24], %f18
aes_dround01_l %f20, %f4, %f2, %f0
aes_dround23_l %f22, %f4, %f2, %f2
ldd [$key + 32], %f20
retl
ldd [$key + 40], %f22
.type _aes256_decrypt_1x,#function
.size _aes256_decrypt_1x,.-_aes256_decrypt_1x
.align 32
_aes256_decrypt_2x:
aes_dround01 %f16, %f0, %f2, %f8
aes_dround23 %f18, %f0, %f2, %f2
aes_dround01 %f16, %f4, %f6, %f10
aes_dround23 %f18, %f4, %f6, %f6
ldd [$key + 208], %f16
ldd [$key + 216], %f18
aes_dround01 %f20, %f8, %f2, %f0
aes_dround23 %f22, %f8, %f2, %f2
aes_dround01 %f20, %f10, %f6, %f4
aes_dround23 %f22, %f10, %f6, %f6
ldd [$key + 224], %f20
ldd [$key + 232], %f22
___
for ($i=1; $i<6; $i++) {
$code.=<<___;
aes_dround01 %f`16+8*$i+0`, %f0, %f2, %f8
aes_dround23 %f`16+8*$i+2`, %f0, %f2, %f2
aes_dround01 %f`16+8*$i+0`, %f4, %f6, %f10
aes_dround23 %f`16+8*$i+2`, %f4, %f6, %f6
aes_dround01 %f`16+8*$i+4`, %f8, %f2, %f0
aes_dround23 %f`16+8*$i+6`, %f8, %f2, %f2
aes_dround01 %f`16+8*$i+4`, %f10, %f6, %f4
aes_dround23 %f`16+8*$i+6`, %f10, %f6, %f6
___
}
$code.=<<___;
aes_dround01 %f16, %f0, %f2, %f8
aes_dround23 %f18, %f0, %f2, %f2
aes_dround01 %f16, %f4, %f6, %f10
aes_dround23 %f18, %f4, %f6, %f6
ldd [$key + 16], %f16
ldd [$key + 24], %f18
aes_dround01_l %f20, %f8, %f2, %f0
aes_dround23_l %f22, %f8, %f2, %f2
aes_dround01_l %f20, %f10, %f6, %f4
aes_dround23_l %f22, %f10, %f6, %f6
ldd [$key + 32], %f20
retl
ldd [$key + 40], %f22
.type _aes256_decrypt_2x,#function
.size _aes256_decrypt_2x,.-_aes256_decrypt_2x
.align 32
_aes192_decrypt_1x:
___
for ($i=0; $i<5; $i++) {
$code.=<<___;
aes_dround01 %f`16+8*$i+0`, %f0, %f2, %f4
aes_dround23 %f`16+8*$i+2`, %f0, %f2, %f2
aes_dround01 %f`16+8*$i+4`, %f4, %f2, %f0
aes_dround23 %f`16+8*$i+6`, %f4, %f2, %f2
___
}
$code.=<<___;
aes_dround01 %f56, %f0, %f2, %f4
aes_dround23 %f58, %f0, %f2, %f2
aes_dround01_l %f60, %f4, %f2, %f0
retl
aes_dround23_l %f62, %f4, %f2, %f2
.type _aes192_decrypt_1x,#function
.size _aes192_decrypt_1x,.-_aes192_decrypt_1x
.align 32
_aes192_decrypt_2x:
___
for ($i=0; $i<5; $i++) {
$code.=<<___;
aes_dround01 %f`16+8*$i+0`, %f0, %f2, %f8
aes_dround23 %f`16+8*$i+2`, %f0, %f2, %f2
aes_dround01 %f`16+8*$i+0`, %f4, %f6, %f10
aes_dround23 %f`16+8*$i+2`, %f4, %f6, %f6
aes_dround01 %f`16+8*$i+4`, %f8, %f2, %f0
aes_dround23 %f`16+8*$i+6`, %f8, %f2, %f2
aes_dround01 %f`16+8*$i+4`, %f10, %f6, %f4
aes_dround23 %f`16+8*$i+6`, %f10, %f6, %f6
___
}
$code.=<<___;
aes_dround01 %f56, %f0, %f2, %f8
aes_dround23 %f58, %f0, %f2, %f2
aes_dround01 %f56, %f4, %f6, %f10
aes_dround23 %f58, %f4, %f6, %f6
aes_dround01_l %f60, %f8, %f2, %f0
aes_dround23_l %f62, %f8, %f2, %f2
aes_dround01_l %f60, %f10, %f6, %f4
retl
aes_dround23_l %f62, %f10, %f6, %f6
.type _aes192_decrypt_2x,#function
.size _aes192_decrypt_2x,.-_aes192_decrypt_2x
___
}}}
if (!$::evp) {
$code.=<<___;
.global AES_encrypt
AES_encrypt=aes_t4_encrypt
.global AES_decrypt
AES_decrypt=aes_t4_decrypt
.global AES_set_encrypt_key
.align 32
AES_set_encrypt_key:
andcc %o2, 7, %g0 ! check alignment
bnz,a,pn %icc, 1f
mov -1, %o0
brz,a,pn %o0, 1f
mov -1, %o0
brz,a,pn %o2, 1f
mov -1, %o0
andncc %o1, 0x1c0, %g0
bnz,a,pn %icc, 1f
mov -2, %o0
cmp %o1, 128
bl,a,pn %icc, 1f
mov -2, %o0
b aes_t4_set_encrypt_key
nop
1: retl
nop
.type AES_set_encrypt_key,#function
.size AES_set_encrypt_key,.-AES_set_encrypt_key
.global AES_set_decrypt_key
.align 32
AES_set_decrypt_key:
andcc %o2, 7, %g0 ! check alignment
bnz,a,pn %icc, 1f
mov -1, %o0
brz,a,pn %o0, 1f
mov -1, %o0
brz,a,pn %o2, 1f
mov -1, %o0
andncc %o1, 0x1c0, %g0
bnz,a,pn %icc, 1f
mov -2, %o0
cmp %o1, 128
bl,a,pn %icc, 1f
mov -2, %o0
b aes_t4_set_decrypt_key
nop
1: retl
nop
.type AES_set_decrypt_key,#function
.size AES_set_decrypt_key,.-AES_set_decrypt_key
___
my ($inp,$out,$len,$key,$ivec,$enc)=map("%o$_",(0..5));
$code.=<<___;
.globl AES_cbc_encrypt
.align 32
AES_cbc_encrypt:
ld [$key + 240], %g1
nop
brz $enc, .Lcbc_decrypt
cmp %g1, 12
bl,pt %icc, aes128_t4_cbc_encrypt
nop
be,pn %icc, aes192_t4_cbc_encrypt
nop
ba aes256_t4_cbc_encrypt
nop
.Lcbc_decrypt:
bl,pt %icc, aes128_t4_cbc_decrypt
nop
be,pn %icc, aes192_t4_cbc_decrypt
nop
ba aes256_t4_cbc_decrypt
nop
.type AES_cbc_encrypt,#function
.size AES_cbc_encrypt,.-AES_cbc_encrypt
___
}
$code.=<<___;
.asciz "AES for SPARC T4, David S. Miller, Andy Polyakov"
.align 4
___
&emit_assembler();
close STDOUT;

View File

@ -1,989 +0,0 @@
#!/usr/bin/env perl
#
# ====================================================================
# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
# project. The module is, however, dual licensed under OpenSSL and
# CRYPTOGAMS licenses depending on where you obtain it. For further
# details see http://www.openssl.org/~appro/cryptogams/.
# ====================================================================
#
# This module implements support for ARMv8 AES instructions. The
# module is endian-agnostic in sense that it supports both big- and
# little-endian cases. As does it support both 32- and 64-bit modes
# of operation. Latter is achieved by limiting amount of utilized
# registers to 16, which implies additional NEON load and integer
# instructions. This has no effect on mighty Apple A7, where results
# are literally equal to the theoretical estimates based on AES
# instruction latencies and issue rates. On Cortex-A53, an in-order
# execution core, this costs up to 10-15%, which is partially
# compensated by implementing dedicated code path for 128-bit
# CBC encrypt case. On Cortex-A57 parallelizable mode performance
# seems to be limited by sheer amount of NEON instructions...
#
# Performance in cycles per byte processed with 128-bit key:
#
# CBC enc CBC dec CTR
# Apple A7 2.39 1.20 1.20
# Cortex-A53 1.32 1.29 1.46
# Cortex-A57(*) 1.95 0.85 0.93
# Denver 1.96 0.86 0.80
#
# (*) original 3.64/1.34/1.32 results were for r0p0 revision
# and are still same even for updated module;
$flavour = shift;
open STDOUT,">".shift;
$prefix="aes_v8";
$code=<<___;
#include "arm_arch.h"
#if __ARM_MAX_ARCH__>=7
.text
___
$code.=".arch armv8-a+crypto\n" if ($flavour =~ /64/);
$code.=".arch armv7-a\n.fpu neon\n.code 32\n" if ($flavour !~ /64/);
#^^^^^^ this is done to simplify adoption by not depending
# on latest binutils.
# Assembler mnemonics are an eclectic mix of 32- and 64-bit syntax,
# NEON is mostly 32-bit mnemonics, integer - mostly 64. Goal is to
# maintain both 32- and 64-bit codes within single module and
# transliterate common code to either flavour with regex vodoo.
#
{{{
my ($inp,$bits,$out,$ptr,$rounds)=("x0","w1","x2","x3","w12");
my ($zero,$rcon,$mask,$in0,$in1,$tmp,$key)=
$flavour=~/64/? map("q$_",(0..6)) : map("q$_",(0..3,8..10));
$code.=<<___;
.align 5
rcon:
.long 0x01,0x01,0x01,0x01
.long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d // rotate-n-splat
.long 0x1b,0x1b,0x1b,0x1b
.globl ${prefix}_set_encrypt_key
.type ${prefix}_set_encrypt_key,%function
.align 5
${prefix}_set_encrypt_key:
.Lenc_key:
___
$code.=<<___ if ($flavour =~ /64/);
stp x29,x30,[sp,#-16]!
add x29,sp,#0
___
$code.=<<___;
mov $ptr,#-1
cmp $inp,#0
b.eq .Lenc_key_abort
cmp $out,#0
b.eq .Lenc_key_abort
mov $ptr,#-2
cmp $bits,#128
b.lt .Lenc_key_abort
cmp $bits,#256
b.gt .Lenc_key_abort
tst $bits,#0x3f
b.ne .Lenc_key_abort
adr $ptr,rcon
cmp $bits,#192
veor $zero,$zero,$zero
vld1.8 {$in0},[$inp],#16
mov $bits,#8 // reuse $bits
vld1.32 {$rcon,$mask},[$ptr],#32
b.lt .Loop128
b.eq .L192
b .L256
.align 4
.Loop128:
vtbl.8 $key,{$in0},$mask
vext.8 $tmp,$zero,$in0,#12
vst1.32 {$in0},[$out],#16
aese $key,$zero
subs $bits,$bits,#1
veor $in0,$in0,$tmp
vext.8 $tmp,$zero,$tmp,#12
veor $in0,$in0,$tmp
vext.8 $tmp,$zero,$tmp,#12
veor $key,$key,$rcon
veor $in0,$in0,$tmp
vshl.u8 $rcon,$rcon,#1
veor $in0,$in0,$key
b.ne .Loop128
vld1.32 {$rcon},[$ptr]
vtbl.8 $key,{$in0},$mask
vext.8 $tmp,$zero,$in0,#12
vst1.32 {$in0},[$out],#16
aese $key,$zero
veor $in0,$in0,$tmp
vext.8 $tmp,$zero,$tmp,#12
veor $in0,$in0,$tmp
vext.8 $tmp,$zero,$tmp,#12
veor $key,$key,$rcon
veor $in0,$in0,$tmp
vshl.u8 $rcon,$rcon,#1
veor $in0,$in0,$key
vtbl.8 $key,{$in0},$mask
vext.8 $tmp,$zero,$in0,#12
vst1.32 {$in0},[$out],#16
aese $key,$zero
veor $in0,$in0,$tmp
vext.8 $tmp,$zero,$tmp,#12
veor $in0,$in0,$tmp
vext.8 $tmp,$zero,$tmp,#12
veor $key,$key,$rcon
veor $in0,$in0,$tmp
veor $in0,$in0,$key
vst1.32 {$in0},[$out]
add $out,$out,#0x50
mov $rounds,#10
b .Ldone
.align 4
.L192:
vld1.8 {$in1},[$inp],#8
vmov.i8 $key,#8 // borrow $key
vst1.32 {$in0},[$out],#16
vsub.i8 $mask,$mask,$key // adjust the mask
.Loop192:
vtbl.8 $key,{$in1},$mask
vext.8 $tmp,$zero,$in0,#12
vst1.32 {$in1},[$out],#8
aese $key,$zero
subs $bits,$bits,#1
veor $in0,$in0,$tmp
vext.8 $tmp,$zero,$tmp,#12
veor $in0,$in0,$tmp
vext.8 $tmp,$zero,$tmp,#12
veor $in0,$in0,$tmp
vdup.32 $tmp,${in0}[3]
veor $tmp,$tmp,$in1
veor $key,$key,$rcon
vext.8 $in1,$zero,$in1,#12
vshl.u8 $rcon,$rcon,#1
veor $in1,$in1,$tmp
veor $in0,$in0,$key
veor $in1,$in1,$key
vst1.32 {$in0},[$out],#16
b.ne .Loop192
mov $rounds,#12
add $out,$out,#0x20
b .Ldone
.align 4
.L256:
vld1.8 {$in1},[$inp]
mov $bits,#7
mov $rounds,#14
vst1.32 {$in0},[$out],#16
.Loop256:
vtbl.8 $key,{$in1},$mask
vext.8 $tmp,$zero,$in0,#12
vst1.32 {$in1},[$out],#16
aese $key,$zero
subs $bits,$bits,#1
veor $in0,$in0,$tmp
vext.8 $tmp,$zero,$tmp,#12
veor $in0,$in0,$tmp
vext.8 $tmp,$zero,$tmp,#12
veor $key,$key,$rcon
veor $in0,$in0,$tmp
vshl.u8 $rcon,$rcon,#1
veor $in0,$in0,$key
vst1.32 {$in0},[$out],#16
b.eq .Ldone
vdup.32 $key,${in0}[3] // just splat
vext.8 $tmp,$zero,$in1,#12
aese $key,$zero
veor $in1,$in1,$tmp
vext.8 $tmp,$zero,$tmp,#12
veor $in1,$in1,$tmp
vext.8 $tmp,$zero,$tmp,#12
veor $in1,$in1,$tmp
veor $in1,$in1,$key
b .Loop256
.Ldone:
str $rounds,[$out]
mov $ptr,#0
.Lenc_key_abort:
mov x0,$ptr // return value
`"ldr x29,[sp],#16" if ($flavour =~ /64/)`
ret
.size ${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key
.globl ${prefix}_set_decrypt_key
.type ${prefix}_set_decrypt_key,%function
.align 5
${prefix}_set_decrypt_key:
___
$code.=<<___ if ($flavour =~ /64/);
stp x29,x30,[sp,#-16]!
add x29,sp,#0
___
$code.=<<___ if ($flavour !~ /64/);
stmdb sp!,{r4,lr}
___
$code.=<<___;
bl .Lenc_key
cmp x0,#0
b.ne .Ldec_key_abort
sub $out,$out,#240 // restore original $out
mov x4,#-16
add $inp,$out,x12,lsl#4 // end of key schedule
vld1.32 {v0.16b},[$out]
vld1.32 {v1.16b},[$inp]
vst1.32 {v0.16b},[$inp],x4
vst1.32 {v1.16b},[$out],#16
.Loop_imc:
vld1.32 {v0.16b},[$out]
vld1.32 {v1.16b},[$inp]
aesimc v0.16b,v0.16b
aesimc v1.16b,v1.16b
vst1.32 {v0.16b},[$inp],x4
vst1.32 {v1.16b},[$out],#16
cmp $inp,$out
b.hi .Loop_imc
vld1.32 {v0.16b},[$out]
aesimc v0.16b,v0.16b
vst1.32 {v0.16b},[$inp]
eor x0,x0,x0 // return value
.Ldec_key_abort:
___
$code.=<<___ if ($flavour !~ /64/);
ldmia sp!,{r4,pc}
___
$code.=<<___ if ($flavour =~ /64/);
ldp x29,x30,[sp],#16
ret
___
$code.=<<___;
.size ${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key
___
}}}
{{{
sub gen_block () {
my $dir = shift;
my ($e,$mc) = $dir eq "en" ? ("e","mc") : ("d","imc");
my ($inp,$out,$key)=map("x$_",(0..2));
my $rounds="w3";
my ($rndkey0,$rndkey1,$inout)=map("q$_",(0..3));
$code.=<<___;
.globl ${prefix}_${dir}crypt
.type ${prefix}_${dir}crypt,%function
.align 5
${prefix}_${dir}crypt:
ldr $rounds,[$key,#240]
vld1.32 {$rndkey0},[$key],#16
vld1.8 {$inout},[$inp]
sub $rounds,$rounds,#2
vld1.32 {$rndkey1},[$key],#16
.Loop_${dir}c:
aes$e $inout,$rndkey0
aes$mc $inout,$inout
vld1.32 {$rndkey0},[$key],#16
subs $rounds,$rounds,#2
aes$e $inout,$rndkey1
aes$mc $inout,$inout
vld1.32 {$rndkey1},[$key],#16
b.gt .Loop_${dir}c
aes$e $inout,$rndkey0
aes$mc $inout,$inout
vld1.32 {$rndkey0},[$key]
aes$e $inout,$rndkey1
veor $inout,$inout,$rndkey0
vst1.8 {$inout},[$out]
ret
.size ${prefix}_${dir}crypt,.-${prefix}_${dir}crypt
___
}
&gen_block("en");
&gen_block("de");
}}}
{{{
my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4)); my $enc="w5";
my ($rounds,$cnt,$key_,$step,$step1)=($enc,"w6","x7","x8","x12");
my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
my ($key4,$key5,$key6,$key7)=("x6","x12","x14",$key);
### q8-q15 preloaded key schedule
$code.=<<___;
.globl ${prefix}_cbc_encrypt
.type ${prefix}_cbc_encrypt,%function
.align 5
${prefix}_cbc_encrypt:
___
$code.=<<___ if ($flavour =~ /64/);
stp x29,x30,[sp,#-16]!
add x29,sp,#0
___
$code.=<<___ if ($flavour !~ /64/);
mov ip,sp
stmdb sp!,{r4-r8,lr}
vstmdb sp!,{d8-d15} @ ABI specification says so
ldmia ip,{r4-r5} @ load remaining args
___
$code.=<<___;
subs $len,$len,#16
mov $step,#16
b.lo .Lcbc_abort
cclr $step,eq
cmp $enc,#0 // en- or decrypting?
ldr $rounds,[$key,#240]
and $len,$len,#-16
vld1.8 {$ivec},[$ivp]
vld1.8 {$dat},[$inp],$step
vld1.32 {q8-q9},[$key] // load key schedule...
sub $rounds,$rounds,#6
add $key_,$key,x5,lsl#4 // pointer to last 7 round keys
sub $rounds,$rounds,#2
vld1.32 {q10-q11},[$key_],#32
vld1.32 {q12-q13},[$key_],#32
vld1.32 {q14-q15},[$key_],#32
vld1.32 {$rndlast},[$key_]
add $key_,$key,#32
mov $cnt,$rounds
b.eq .Lcbc_dec
cmp $rounds,#2
veor $dat,$dat,$ivec
veor $rndzero_n_last,q8,$rndlast
b.eq .Lcbc_enc128
vld1.32 {$in0-$in1},[$key_]
add $key_,$key,#16
add $key4,$key,#16*4
add $key5,$key,#16*5
aese $dat,q8
aesmc $dat,$dat
add $key6,$key,#16*6
add $key7,$key,#16*7
b .Lenter_cbc_enc
.align 4
.Loop_cbc_enc:
aese $dat,q8
aesmc $dat,$dat
vst1.8 {$ivec},[$out],#16
.Lenter_cbc_enc:
aese $dat,q9
aesmc $dat,$dat
aese $dat,$in0
aesmc $dat,$dat
vld1.32 {q8},[$key4]
cmp $rounds,#4
aese $dat,$in1
aesmc $dat,$dat
vld1.32 {q9},[$key5]
b.eq .Lcbc_enc192
aese $dat,q8
aesmc $dat,$dat
vld1.32 {q8},[$key6]
aese $dat,q9
aesmc $dat,$dat
vld1.32 {q9},[$key7]
nop
.Lcbc_enc192:
aese $dat,q8
aesmc $dat,$dat
subs $len,$len,#16
aese $dat,q9
aesmc $dat,$dat
cclr $step,eq
aese $dat,q10
aesmc $dat,$dat
aese $dat,q11
aesmc $dat,$dat
vld1.8 {q8},[$inp],$step
aese $dat,q12
aesmc $dat,$dat
veor q8,q8,$rndzero_n_last
aese $dat,q13
aesmc $dat,$dat
vld1.32 {q9},[$key_] // re-pre-load rndkey[1]
aese $dat,q14
aesmc $dat,$dat
aese $dat,q15
veor $ivec,$dat,$rndlast
b.hs .Loop_cbc_enc
vst1.8 {$ivec},[$out],#16
b .Lcbc_done
.align 5
.Lcbc_enc128:
vld1.32 {$in0-$in1},[$key_]
aese $dat,q8
aesmc $dat,$dat
b .Lenter_cbc_enc128
.Loop_cbc_enc128:
aese $dat,q8
aesmc $dat,$dat
vst1.8 {$ivec},[$out],#16
.Lenter_cbc_enc128:
aese $dat,q9
aesmc $dat,$dat
subs $len,$len,#16
aese $dat,$in0
aesmc $dat,$dat
cclr $step,eq
aese $dat,$in1
aesmc $dat,$dat
aese $dat,q10
aesmc $dat,$dat
aese $dat,q11
aesmc $dat,$dat
vld1.8 {q8},[$inp],$step
aese $dat,q12
aesmc $dat,$dat
aese $dat,q13
aesmc $dat,$dat
aese $dat,q14
aesmc $dat,$dat
veor q8,q8,$rndzero_n_last
aese $dat,q15
veor $ivec,$dat,$rndlast
b.hs .Loop_cbc_enc128
vst1.8 {$ivec},[$out],#16
b .Lcbc_done
___
{
my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
$code.=<<___;
.align 5
.Lcbc_dec:
vld1.8 {$dat2},[$inp],#16
subs $len,$len,#32 // bias
add $cnt,$rounds,#2
vorr $in1,$dat,$dat
vorr $dat1,$dat,$dat
vorr $in2,$dat2,$dat2
b.lo .Lcbc_dec_tail
vorr $dat1,$dat2,$dat2
vld1.8 {$dat2},[$inp],#16
vorr $in0,$dat,$dat
vorr $in1,$dat1,$dat1
vorr $in2,$dat2,$dat2
.Loop3x_cbc_dec:
aesd $dat0,q8
aesimc $dat0,$dat0
aesd $dat1,q8
aesimc $dat1,$dat1
aesd $dat2,q8
aesimc $dat2,$dat2
vld1.32 {q8},[$key_],#16
subs $cnt,$cnt,#2
aesd $dat0,q9
aesimc $dat0,$dat0
aesd $dat1,q9
aesimc $dat1,$dat1
aesd $dat2,q9
aesimc $dat2,$dat2
vld1.32 {q9},[$key_],#16
b.gt .Loop3x_cbc_dec
aesd $dat0,q8
aesimc $dat0,$dat0
aesd $dat1,q8
aesimc $dat1,$dat1
aesd $dat2,q8
aesimc $dat2,$dat2
veor $tmp0,$ivec,$rndlast
subs $len,$len,#0x30
veor $tmp1,$in0,$rndlast
mov.lo x6,$len // x6, $cnt, is zero at this point
aesd $dat0,q9
aesimc $dat0,$dat0
aesd $dat1,q9
aesimc $dat1,$dat1
aesd $dat2,q9
aesimc $dat2,$dat2
veor $tmp2,$in1,$rndlast
add $inp,$inp,x6 // $inp is adjusted in such way that
// at exit from the loop $dat1-$dat2
// are loaded with last "words"
vorr $ivec,$in2,$in2
mov $key_,$key
aesd $dat0,q12
aesimc $dat0,$dat0
aesd $dat1,q12
aesimc $dat1,$dat1
aesd $dat2,q12
aesimc $dat2,$dat2
vld1.8 {$in0},[$inp],#16
aesd $dat0,q13
aesimc $dat0,$dat0
aesd $dat1,q13
aesimc $dat1,$dat1
aesd $dat2,q13
aesimc $dat2,$dat2
vld1.8 {$in1},[$inp],#16
aesd $dat0,q14
aesimc $dat0,$dat0
aesd $dat1,q14
aesimc $dat1,$dat1
aesd $dat2,q14
aesimc $dat2,$dat2
vld1.8 {$in2},[$inp],#16
aesd $dat0,q15
aesd $dat1,q15
aesd $dat2,q15
vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
add $cnt,$rounds,#2
veor $tmp0,$tmp0,$dat0
veor $tmp1,$tmp1,$dat1
veor $dat2,$dat2,$tmp2
vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
vst1.8 {$tmp0},[$out],#16
vorr $dat0,$in0,$in0
vst1.8 {$tmp1},[$out],#16
vorr $dat1,$in1,$in1
vst1.8 {$dat2},[$out],#16
vorr $dat2,$in2,$in2
b.hs .Loop3x_cbc_dec
cmn $len,#0x30
b.eq .Lcbc_done
nop
.Lcbc_dec_tail:
aesd $dat1,q8
aesimc $dat1,$dat1
aesd $dat2,q8
aesimc $dat2,$dat2
vld1.32 {q8},[$key_],#16
subs $cnt,$cnt,#2
aesd $dat1,q9
aesimc $dat1,$dat1
aesd $dat2,q9
aesimc $dat2,$dat2
vld1.32 {q9},[$key_],#16
b.gt .Lcbc_dec_tail
aesd $dat1,q8
aesimc $dat1,$dat1
aesd $dat2,q8
aesimc $dat2,$dat2
aesd $dat1,q9
aesimc $dat1,$dat1
aesd $dat2,q9
aesimc $dat2,$dat2
aesd $dat1,q12
aesimc $dat1,$dat1
aesd $dat2,q12
aesimc $dat2,$dat2
cmn $len,#0x20
aesd $dat1,q13
aesimc $dat1,$dat1
aesd $dat2,q13
aesimc $dat2,$dat2
veor $tmp1,$ivec,$rndlast
aesd $dat1,q14
aesimc $dat1,$dat1
aesd $dat2,q14
aesimc $dat2,$dat2
veor $tmp2,$in1,$rndlast
aesd $dat1,q15
aesd $dat2,q15
b.eq .Lcbc_dec_one
veor $tmp1,$tmp1,$dat1
veor $tmp2,$tmp2,$dat2
vorr $ivec,$in2,$in2
vst1.8 {$tmp1},[$out],#16
vst1.8 {$tmp2},[$out],#16
b .Lcbc_done
.Lcbc_dec_one:
veor $tmp1,$tmp1,$dat2
vorr $ivec,$in2,$in2
vst1.8 {$tmp1},[$out],#16
.Lcbc_done:
vst1.8 {$ivec},[$ivp]
.Lcbc_abort:
___
}
$code.=<<___ if ($flavour !~ /64/);
vldmia sp!,{d8-d15}
ldmia sp!,{r4-r8,pc}
___
$code.=<<___ if ($flavour =~ /64/);
ldr x29,[sp],#16
ret
___
$code.=<<___;
.size ${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt
___
}}}
{{{
my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4));
my ($rounds,$cnt,$key_)=("w5","w6","x7");
my ($ctr,$tctr0,$tctr1,$tctr2)=map("w$_",(8..10,12));
my $step="x12"; # aliases with $tctr2
my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
my ($dat,$tmp)=($dat0,$tmp0);
### q8-q15 preloaded key schedule
$code.=<<___;
.globl ${prefix}_ctr32_encrypt_blocks
.type ${prefix}_ctr32_encrypt_blocks,%function
.align 5
${prefix}_ctr32_encrypt_blocks:
___
$code.=<<___ if ($flavour =~ /64/);
stp x29,x30,[sp,#-16]!
add x29,sp,#0
___
$code.=<<___ if ($flavour !~ /64/);
mov ip,sp
stmdb sp!,{r4-r10,lr}
vstmdb sp!,{d8-d15} @ ABI specification says so
ldr r4, [ip] @ load remaining arg
___
$code.=<<___;
ldr $rounds,[$key,#240]
ldr $ctr, [$ivp, #12]
vld1.32 {$dat0},[$ivp]
vld1.32 {q8-q9},[$key] // load key schedule...
sub $rounds,$rounds,#4
mov $step,#16
cmp $len,#2
add $key_,$key,x5,lsl#4 // pointer to last 5 round keys
sub $rounds,$rounds,#2
vld1.32 {q12-q13},[$key_],#32
vld1.32 {q14-q15},[$key_],#32
vld1.32 {$rndlast},[$key_]
add $key_,$key,#32
mov $cnt,$rounds
cclr $step,lo
#ifndef __ARMEB__
rev $ctr, $ctr
#endif
vorr $dat1,$dat0,$dat0
add $tctr1, $ctr, #1
vorr $dat2,$dat0,$dat0
add $ctr, $ctr, #2
vorr $ivec,$dat0,$dat0
rev $tctr1, $tctr1
vmov.32 ${dat1}[3],$tctr1
b.ls .Lctr32_tail
rev $tctr2, $ctr
sub $len,$len,#3 // bias
vmov.32 ${dat2}[3],$tctr2
b .Loop3x_ctr32
.align 4
.Loop3x_ctr32:
aese $dat0,q8
aesmc $dat0,$dat0
aese $dat1,q8
aesmc $dat1,$dat1
aese $dat2,q8
aesmc $dat2,$dat2
vld1.32 {q8},[$key_],#16
subs $cnt,$cnt,#2
aese $dat0,q9
aesmc $dat0,$dat0
aese $dat1,q9
aesmc $dat1,$dat1
aese $dat2,q9
aesmc $dat2,$dat2
vld1.32 {q9},[$key_],#16
b.gt .Loop3x_ctr32
aese $dat0,q8
aesmc $tmp0,$dat0
aese $dat1,q8
aesmc $tmp1,$dat1
vld1.8 {$in0},[$inp],#16
vorr $dat0,$ivec,$ivec
aese $dat2,q8
aesmc $dat2,$dat2
vld1.8 {$in1},[$inp],#16
vorr $dat1,$ivec,$ivec
aese $tmp0,q9
aesmc $tmp0,$tmp0
aese $tmp1,q9
aesmc $tmp1,$tmp1
vld1.8 {$in2},[$inp],#16
mov $key_,$key
aese $dat2,q9
aesmc $tmp2,$dat2
vorr $dat2,$ivec,$ivec
add $tctr0,$ctr,#1
aese $tmp0,q12
aesmc $tmp0,$tmp0
aese $tmp1,q12
aesmc $tmp1,$tmp1
veor $in0,$in0,$rndlast
add $tctr1,$ctr,#2
aese $tmp2,q12
aesmc $tmp2,$tmp2
veor $in1,$in1,$rndlast
add $ctr,$ctr,#3
aese $tmp0,q13
aesmc $tmp0,$tmp0
aese $tmp1,q13
aesmc $tmp1,$tmp1
veor $in2,$in2,$rndlast
rev $tctr0,$tctr0
aese $tmp2,q13
aesmc $tmp2,$tmp2
vmov.32 ${dat0}[3], $tctr0
rev $tctr1,$tctr1
aese $tmp0,q14
aesmc $tmp0,$tmp0
aese $tmp1,q14
aesmc $tmp1,$tmp1
vmov.32 ${dat1}[3], $tctr1
rev $tctr2,$ctr
aese $tmp2,q14
aesmc $tmp2,$tmp2
vmov.32 ${dat2}[3], $tctr2
subs $len,$len,#3
aese $tmp0,q15
aese $tmp1,q15
aese $tmp2,q15
veor $in0,$in0,$tmp0
vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
vst1.8 {$in0},[$out],#16
veor $in1,$in1,$tmp1
mov $cnt,$rounds
vst1.8 {$in1},[$out],#16
veor $in2,$in2,$tmp2
vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
vst1.8 {$in2},[$out],#16
b.hs .Loop3x_ctr32
adds $len,$len,#3
b.eq .Lctr32_done
cmp $len,#1
mov $step,#16
cclr $step,eq
.Lctr32_tail:
aese $dat0,q8
aesmc $dat0,$dat0
aese $dat1,q8
aesmc $dat1,$dat1
vld1.32 {q8},[$key_],#16
subs $cnt,$cnt,#2
aese $dat0,q9
aesmc $dat0,$dat0
aese $dat1,q9
aesmc $dat1,$dat1
vld1.32 {q9},[$key_],#16
b.gt .Lctr32_tail
aese $dat0,q8
aesmc $dat0,$dat0
aese $dat1,q8
aesmc $dat1,$dat1
aese $dat0,q9
aesmc $dat0,$dat0
aese $dat1,q9
aesmc $dat1,$dat1
vld1.8 {$in0},[$inp],$step
aese $dat0,q12
aesmc $dat0,$dat0
aese $dat1,q12
aesmc $dat1,$dat1
vld1.8 {$in1},[$inp]
aese $dat0,q13
aesmc $dat0,$dat0
aese $dat1,q13
aesmc $dat1,$dat1
veor $in0,$in0,$rndlast
aese $dat0,q14
aesmc $dat0,$dat0
aese $dat1,q14
aesmc $dat1,$dat1
veor $in1,$in1,$rndlast
aese $dat0,q15
aese $dat1,q15
cmp $len,#1
veor $in0,$in0,$dat0
veor $in1,$in1,$dat1
vst1.8 {$in0},[$out],#16
b.eq .Lctr32_done
vst1.8 {$in1},[$out]
.Lctr32_done:
___
$code.=<<___ if ($flavour !~ /64/);
vldmia sp!,{d8-d15}
ldmia sp!,{r4-r10,pc}
___
$code.=<<___ if ($flavour =~ /64/);
ldr x29,[sp],#16
ret
___
$code.=<<___;
.size ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
___
}}}
$code.=<<___;
#endif
___
########################################
if ($flavour =~ /64/) { ######## 64-bit code
my %opcode = (
"aesd" => 0x4e285800, "aese" => 0x4e284800,
"aesimc"=> 0x4e287800, "aesmc" => 0x4e286800 );
local *unaes = sub {
my ($mnemonic,$arg)=@_;
$arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o &&
sprintf ".inst\t0x%08x\t//%s %s",
$opcode{$mnemonic}|$1|($2<<5),
$mnemonic,$arg;
};
foreach(split("\n",$code)) {
s/\`([^\`]*)\`/eval($1)/geo;
s/\bq([0-9]+)\b/"v".($1<8?$1:$1+8).".16b"/geo; # old->new registers
s/@\s/\/\//o; # old->new style commentary
#s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or
s/cclr\s+([wx])([^,]+),\s*([a-z]+)/csel $1$2,$1zr,$1$2,$3/o or
s/mov\.([a-z]+)\s+([wx][0-9]+),\s*([wx][0-9]+)/csel $2,$3,$2,$1/o or
s/vmov\.i8/movi/o or # fix up legacy mnemonics
s/vext\.8/ext/o or
s/vrev32\.8/rev32/o or
s/vtst\.8/cmtst/o or
s/vshr/ushr/o or
s/^(\s+)v/$1/o or # strip off v prefix
s/\bbx\s+lr\b/ret/o;
# fix up remainig legacy suffixes
s/\.[ui]?8//o;
m/\],#8/o and s/\.16b/\.8b/go;
s/\.[ui]?32//o and s/\.16b/\.4s/go;
s/\.[ui]?64//o and s/\.16b/\.2d/go;
s/\.[42]([sd])\[([0-3])\]/\.$1\[$2\]/o;
print $_,"\n";
}
} else { ######## 32-bit code
my %opcode = (
"aesd" => 0xf3b00340, "aese" => 0xf3b00300,
"aesimc"=> 0xf3b003c0, "aesmc" => 0xf3b00380 );
local *unaes = sub {
my ($mnemonic,$arg)=@_;
if ($arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o) {
my $word = $opcode{$mnemonic}|(($1&7)<<13)|(($1&8)<<19)
|(($2&7)<<1) |(($2&8)<<2);
# since ARMv7 instructions are always encoded little-endian.
# correct solution is to use .inst directive, but older
# assemblers don't implement it:-(
sprintf ".byte\t0x%02x,0x%02x,0x%02x,0x%02x\t@ %s %s",
$word&0xff,($word>>8)&0xff,
($word>>16)&0xff,($word>>24)&0xff,
$mnemonic,$arg;
}
};
sub unvtbl {
my $arg=shift;
$arg =~ m/q([0-9]+),\s*\{q([0-9]+)\},\s*q([0-9]+)/o &&
sprintf "vtbl.8 d%d,{q%d},d%d\n\t".
"vtbl.8 d%d,{q%d},d%d", 2*$1,$2,2*$3, 2*$1+1,$2,2*$3+1;
}
sub unvdup32 {
my $arg=shift;
$arg =~ m/q([0-9]+),\s*q([0-9]+)\[([0-3])\]/o &&
sprintf "vdup.32 q%d,d%d[%d]",$1,2*$2+($3>>1),$3&1;
}
sub unvmov32 {
my $arg=shift;
$arg =~ m/q([0-9]+)\[([0-3])\],(.*)/o &&
sprintf "vmov.32 d%d[%d],%s",2*$1+($2>>1),$2&1,$3;
}
foreach(split("\n",$code)) {
s/\`([^\`]*)\`/eval($1)/geo;
s/\b[wx]([0-9]+)\b/r$1/go; # new->old registers
s/\bv([0-9])\.[12468]+[bsd]\b/q$1/go; # new->old registers
s/\/\/\s?/@ /o; # new->old style commentary
# fix up remainig new-style suffixes
s/\{q([0-9]+)\},\s*\[(.+)\],#8/sprintf "{d%d},[$2]!",2*$1/eo or
s/\],#[0-9]+/]!/o;
s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or
s/cclr\s+([^,]+),\s*([a-z]+)/mov$2 $1,#0/o or
s/vtbl\.8\s+(.*)/unvtbl($1)/geo or
s/vdup\.32\s+(.*)/unvdup32($1)/geo or
s/vmov\.32\s+(.*)/unvmov32($1)/geo or
s/^(\s+)b\./$1b/o or
s/^(\s+)mov\./$1mov/o or
s/^(\s+)ret/$1bx\tlr/o;
print $_,"\n";
}
}
close STDOUT;

File diff suppressed because it is too large Load Diff

View File

@ -38,9 +38,8 @@
# Emilia's this(*) difference
#
# Core 2 9.30 8.69 +7%
# Nehalem(**) 7.63 6.88 +11%
# Atom 17.1 16.4 +4%
# Silvermont - 12.9
# Nehalem(**) 7.63 6.98 +9%
# Atom 17.1 17.4 -2%(***)
#
# (*) Comparison is not completely fair, because "this" is ECB,
# i.e. no extra processing such as counter values calculation
@ -51,6 +50,14 @@
# (**) Results were collected on Westmere, which is considered to
# be equivalent to Nehalem for this code.
#
# (***) Slowdown on Atom is rather strange per se, because original
# implementation has a number of 9+-bytes instructions, which
# are bad for Atom front-end, and which I eliminated completely.
# In attempt to address deterioration sbox() was tested in FP
# SIMD "domain" (movaps instead of movdqa, xorps instead of
# pxor, etc.). While it resulted in nominal 4% improvement on
# Atom, it hurted Westmere by more than 2x factor.
#
# As for key schedule conversion subroutine. Interface to OpenSSL
# relies on per-invocation on-the-fly conversion. This naturally
# has impact on performance, especially for short inputs. Conversion
@ -60,7 +67,7 @@
# conversion conversion/8x block
# Core 2 240 0.22
# Nehalem 180 0.20
# Atom 430 0.20
# Atom 430 0.19
#
# The ratio values mean that 128-byte blocks will be processed
# 16-18% slower, 256-byte blocks - 9-10%, 384-byte blocks - 6-7%,
@ -76,10 +83,9 @@
# Add decryption procedure. Performance in CPU cycles spent to decrypt
# one byte out of 4096-byte buffer with 128-bit key is:
#
# Core 2 9.98
# Nehalem 7.80
# Atom 17.9
# Silvermont 14.0
# Core 2 9.83
# Nehalem 7.74
# Atom 19.0
#
# November 2011.
#
@ -428,21 +434,21 @@ my $mask=pop;
$code.=<<___;
pxor 0x00($key),@x[0]
pxor 0x10($key),@x[1]
pxor 0x20($key),@x[2]
pxor 0x30($key),@x[3]
pshufb $mask,@x[0]
pxor 0x20($key),@x[2]
pshufb $mask,@x[1]
pxor 0x40($key),@x[4]
pxor 0x50($key),@x[5]
pxor 0x30($key),@x[3]
pshufb $mask,@x[2]
pxor 0x40($key),@x[4]
pshufb $mask,@x[3]
pxor 0x60($key),@x[6]
pxor 0x70($key),@x[7]
pxor 0x50($key),@x[5]
pshufb $mask,@x[4]
pxor 0x60($key),@x[6]
pshufb $mask,@x[5]
pxor 0x70($key),@x[7]
pshufb $mask,@x[6]
pshufb $mask,@x[7]
lea 0x80($key),$key
pshufb $mask,@x[7]
___
}
@ -814,18 +820,18 @@ _bsaes_encrypt8:
movdqa 0x50($const), @XMM[8] # .LM0SR
pxor @XMM[9], @XMM[0] # xor with round0 key
pxor @XMM[9], @XMM[1]
pxor @XMM[9], @XMM[2]
pxor @XMM[9], @XMM[3]
pshufb @XMM[8], @XMM[0]
pxor @XMM[9], @XMM[2]
pshufb @XMM[8], @XMM[1]
pxor @XMM[9], @XMM[4]
pxor @XMM[9], @XMM[5]
pxor @XMM[9], @XMM[3]
pshufb @XMM[8], @XMM[2]
pxor @XMM[9], @XMM[4]
pshufb @XMM[8], @XMM[3]
pxor @XMM[9], @XMM[6]
pxor @XMM[9], @XMM[7]
pxor @XMM[9], @XMM[5]
pshufb @XMM[8], @XMM[4]
pxor @XMM[9], @XMM[6]
pshufb @XMM[8], @XMM[5]
pxor @XMM[9], @XMM[7]
pshufb @XMM[8], @XMM[6]
pshufb @XMM[8], @XMM[7]
_bsaes_encrypt8_bitslice:
@ -878,18 +884,18 @@ _bsaes_decrypt8:
movdqa -0x30($const), @XMM[8] # .LM0ISR
pxor @XMM[9], @XMM[0] # xor with round0 key
pxor @XMM[9], @XMM[1]
pxor @XMM[9], @XMM[2]
pxor @XMM[9], @XMM[3]
pshufb @XMM[8], @XMM[0]
pxor @XMM[9], @XMM[2]
pshufb @XMM[8], @XMM[1]
pxor @XMM[9], @XMM[4]
pxor @XMM[9], @XMM[5]
pxor @XMM[9], @XMM[3]
pshufb @XMM[8], @XMM[2]
pxor @XMM[9], @XMM[4]
pshufb @XMM[8], @XMM[3]
pxor @XMM[9], @XMM[6]
pxor @XMM[9], @XMM[7]
pxor @XMM[9], @XMM[5]
pshufb @XMM[8], @XMM[4]
pxor @XMM[9], @XMM[6]
pshufb @XMM[8], @XMM[5]
pxor @XMM[9], @XMM[7]
pshufb @XMM[8], @XMM[6]
pshufb @XMM[8], @XMM[7]
___
@ -1931,21 +1937,21 @@ $code.=<<___;
movdqa -0x10(%r11), @XMM[8] # .LSWPUPM0SR
pxor @XMM[9], @XMM[0] # xor with round0 key
pxor @XMM[9], @XMM[1]
pxor @XMM[9], @XMM[2]
pxor @XMM[9], @XMM[3]
pshufb @XMM[8], @XMM[0]
pxor @XMM[9], @XMM[2]
pshufb @XMM[8], @XMM[1]
pxor @XMM[9], @XMM[4]
pxor @XMM[9], @XMM[5]
pxor @XMM[9], @XMM[3]
pshufb @XMM[8], @XMM[2]
pxor @XMM[9], @XMM[4]
pshufb @XMM[8], @XMM[3]
pxor @XMM[9], @XMM[6]
pxor @XMM[9], @XMM[7]
pxor @XMM[9], @XMM[5]
pshufb @XMM[8], @XMM[4]
pxor @XMM[9], @XMM[6]
pshufb @XMM[8], @XMM[5]
pxor @XMM[9], @XMM[7]
pshufb @XMM[8], @XMM[6]
pshufb @XMM[8], @XMM[7]
lea .LBS0(%rip), %r11 # constants table
pshufb @XMM[8], @XMM[7]
mov %ebx,%r10d # pass rounds
call _bsaes_encrypt8_bitslice

File diff suppressed because it is too large Load Diff

View File

@ -27,10 +27,9 @@
#
# aes-586.pl vpaes-x86.pl
#
# Core 2(**) 28.1/41.4/18.3 21.9/25.2(***)
# Nehalem 27.9/40.4/18.1 10.2/11.9
# Atom 70.7/92.1/60.1 61.1/75.4(***)
# Silvermont 45.4/62.9/24.1 49.2/61.1(***)
# Core 2(**) 29.1/42.3/18.3 22.0/25.6(***)
# Nehalem 27.9/40.4/18.1 10.3/12.0
# Atom 102./119./60.1 64.5/85.3(***)
#
# (*) "Hyper-threading" in the context refers rather to cache shared
# among multiple cores, than to specifically Intel HTT. As vast
@ -41,8 +40,8 @@
# (**) "Core 2" refers to initial 65nm design, a.k.a. Conroe.
#
# (***) Less impressive improvement on Core 2 and Atom is due to slow
# pshufb, yet it's respectable +28%/64% improvement on Core 2
# and +15% on Atom (as implied, over "hyper-threading-safe"
# pshufb, yet it's respectable +32%/65% improvement on Core 2
# and +58%/40% on Atom (as implied, over "hyper-threading-safe"
# code path).
#
# <appro@openssl.org>
@ -184,35 +183,35 @@ $k_dsbo=0x2c0; # decryption sbox final output
&movdqa ("xmm1","xmm6")
&movdqa ("xmm2",&QWP($k_ipt,$const));
&pandn ("xmm1","xmm0");
&pand ("xmm0","xmm6");
&movdqu ("xmm5",&QWP(0,$key));
&psrld ("xmm1",4);
&pand ("xmm0","xmm6");
&pshufb ("xmm2","xmm0");
&movdqa ("xmm0",&QWP($k_ipt+16,$const));
&pxor ("xmm2","xmm5");
&psrld ("xmm1",4);
&add ($key,16);
&pshufb ("xmm0","xmm1");
&lea ($base,&DWP($k_mc_backward,$const));
&pxor ("xmm2","xmm5");
&pxor ("xmm0","xmm2");
&add ($key,16);
&lea ($base,&DWP($k_mc_backward,$const));
&jmp (&label("enc_entry"));
&set_label("enc_loop",16);
# middle of middle round
&movdqa ("xmm4",&QWP($k_sb1,$const)); # 4 : sb1u
&movdqa ("xmm0",&QWP($k_sb1+16,$const));# 0 : sb1t
&pshufb ("xmm4","xmm2"); # 4 = sb1u
&pshufb ("xmm0","xmm3"); # 0 = sb1t
&pxor ("xmm4","xmm5"); # 4 = sb1u + k
&movdqa ("xmm5",&QWP($k_sb2,$const)); # 4 : sb2u
&movdqa ("xmm0",&QWP($k_sb1+16,$const));# 0 : sb1t
&pshufb ("xmm0","xmm3"); # 0 = sb1t
&pxor ("xmm0","xmm4"); # 0 = A
&movdqa ("xmm1",&QWP(-0x40,$base,$magic));# .Lk_mc_forward[]
&movdqa ("xmm5",&QWP($k_sb2,$const)); # 4 : sb2u
&pshufb ("xmm5","xmm2"); # 4 = sb2u
&movdqa ("xmm1",&QWP(-0x40,$base,$magic));# .Lk_mc_forward[]
&movdqa ("xmm2",&QWP($k_sb2+16,$const));# 2 : sb2t
&movdqa ("xmm4",&QWP(0,$base,$magic)); # .Lk_mc_backward[]
&pshufb ("xmm2","xmm3"); # 2 = sb2t
&movdqa ("xmm3","xmm0"); # 3 = A
&pxor ("xmm2","xmm5"); # 2 = 2A
&movdqa ("xmm4",&QWP(0,$base,$magic)); # .Lk_mc_backward[]
&movdqa ("xmm3","xmm0"); # 3 = A
&pshufb ("xmm0","xmm1"); # 0 = B
&add ($key,16); # next key
&pxor ("xmm0","xmm2"); # 0 = 2A+B
@ -221,30 +220,30 @@ $k_dsbo=0x2c0; # decryption sbox final output
&pxor ("xmm3","xmm0"); # 3 = 2A+B+D
&pshufb ("xmm0","xmm1"); # 0 = 2B+C
&and ($magic,0x30); # ... mod 4
&sub ($round,1); # nr--
&pxor ("xmm0","xmm3"); # 0 = 2A+3B+C+D
&sub ($round,1); # nr--
&set_label("enc_entry");
# top of round
&movdqa ("xmm1","xmm6"); # 1 : i
&movdqa ("xmm5",&QWP($k_inv+16,$const));# 2 : a/k
&pandn ("xmm1","xmm0"); # 1 = i<<4
&psrld ("xmm1",4); # 1 = i
&pand ("xmm0","xmm6"); # 0 = k
&movdqa ("xmm5",&QWP($k_inv+16,$const));# 2 : a/k
&pshufb ("xmm5","xmm0"); # 2 = a/k
&movdqa ("xmm3","xmm7"); # 3 : 1/i
&pxor ("xmm0","xmm1"); # 0 = j
&movdqa ("xmm3","xmm7"); # 3 : 1/i
&pshufb ("xmm3","xmm1"); # 3 = 1/i
&movdqa ("xmm4","xmm7"); # 4 : 1/j
&pxor ("xmm3","xmm5"); # 3 = iak = 1/i + a/k
&movdqa ("xmm4","xmm7"); # 4 : 1/j
&pshufb ("xmm4","xmm0"); # 4 = 1/j
&movdqa ("xmm2","xmm7"); # 2 : 1/iak
&pxor ("xmm4","xmm5"); # 4 = jak = 1/j + a/k
&movdqa ("xmm2","xmm7"); # 2 : 1/iak
&pshufb ("xmm2","xmm3"); # 2 = 1/iak
&movdqa ("xmm3","xmm7"); # 3 : 1/jak
&pxor ("xmm2","xmm0"); # 2 = io
&pshufb ("xmm3","xmm4"); # 3 = 1/jak
&movdqa ("xmm3","xmm7"); # 3 : 1/jak
&movdqu ("xmm5",&QWP(0,$key));
&pshufb ("xmm3","xmm4"); # 3 = 1/jak
&pxor ("xmm3","xmm1"); # 3 = jo
&jnz (&label("enc_loop"));
@ -266,8 +265,8 @@ $k_dsbo=0x2c0; # decryption sbox final output
## Same API as encryption core.
##
&function_begin_B("_vpaes_decrypt_core");
&lea ($base,&DWP($k_dsbd,$const));
&mov ($round,&DWP(240,$key));
&lea ($base,&DWP($k_dsbd,$const));
&movdqa ("xmm1","xmm6");
&movdqa ("xmm2",&QWP($k_dipt-$k_dsbd,$base));
&pandn ("xmm1","xmm0");
@ -293,61 +292,62 @@ $k_dsbo=0x2c0; # decryption sbox final output
## Inverse mix columns
##
&movdqa ("xmm4",&QWP(-0x20,$base)); # 4 : sb9u
&movdqa ("xmm1",&QWP(-0x10,$base)); # 0 : sb9t
&pshufb ("xmm4","xmm2"); # 4 = sb9u
&pshufb ("xmm1","xmm3"); # 0 = sb9t
&pxor ("xmm0","xmm4");
&movdqa ("xmm4",&QWP(0,$base)); # 4 : sbdu
&pxor ("xmm0","xmm1"); # 0 = ch
&movdqa ("xmm1",&QWP(0x10,$base)); # 0 : sbdt
&pshufb ("xmm4","xmm2"); # 4 = sbdu
&pshufb ("xmm0","xmm5"); # MC ch
&pshufb ("xmm1","xmm3"); # 0 = sbdt
&pxor ("xmm0","xmm4"); # 4 = ch
&movdqa ("xmm4",&QWP(0x20,$base)); # 4 : sbbu
&pxor ("xmm0","xmm1"); # 0 = ch
&movdqa ("xmm1",&QWP(0x30,$base)); # 0 : sbbt
&pshufb ("xmm4","xmm2"); # 4 = sbbu
&pshufb ("xmm0","xmm5"); # MC ch
&pshufb ("xmm1","xmm3"); # 0 = sbbt
&pxor ("xmm0","xmm4"); # 4 = ch
&movdqa ("xmm4",&QWP(0x40,$base)); # 4 : sbeu
&pxor ("xmm0","xmm1"); # 0 = ch
&movdqa ("xmm1",&QWP(0x50,$base)); # 0 : sbet
&pshufb ("xmm4","xmm2"); # 4 = sbeu
&pshufb ("xmm0","xmm5"); # MC ch
&pshufb ("xmm1","xmm3"); # 0 = sbet
&pxor ("xmm0","xmm4"); # 4 = ch
&pxor ("xmm4","xmm0");
&movdqa ("xmm0",&QWP(-0x10,$base)); # 0 : sb9t
&pshufb ("xmm0","xmm3"); # 0 = sb9t
&pxor ("xmm0","xmm4"); # 0 = ch
&add ($key,16); # next round key
&palignr("xmm5","xmm5",12);
&pxor ("xmm0","xmm1"); # 0 = ch
&pshufb ("xmm0","xmm5"); # MC ch
&movdqa ("xmm4",&QWP(0,$base)); # 4 : sbdu
&pshufb ("xmm4","xmm2"); # 4 = sbdu
&pxor ("xmm4","xmm0"); # 4 = ch
&movdqa ("xmm0",&QWP(0x10,$base)); # 0 : sbdt
&pshufb ("xmm0","xmm3"); # 0 = sbdt
&pxor ("xmm0","xmm4"); # 0 = ch
&sub ($round,1); # nr--
&pshufb ("xmm0","xmm5"); # MC ch
&movdqa ("xmm4",&QWP(0x20,$base)); # 4 : sbbu
&pshufb ("xmm4","xmm2"); # 4 = sbbu
&pxor ("xmm4","xmm0"); # 4 = ch
&movdqa ("xmm0",&QWP(0x30,$base)); # 0 : sbbt
&pshufb ("xmm0","xmm3"); # 0 = sbbt
&pxor ("xmm0","xmm4"); # 0 = ch
&pshufb ("xmm0","xmm5"); # MC ch
&movdqa ("xmm4",&QWP(0x40,$base)); # 4 : sbeu
&pshufb ("xmm4","xmm2"); # 4 = sbeu
&pxor ("xmm4","xmm0"); # 4 = ch
&movdqa ("xmm0",&QWP(0x50,$base)); # 0 : sbet
&pshufb ("xmm0","xmm3"); # 0 = sbet
&pxor ("xmm0","xmm4"); # 0 = ch
&palignr("xmm5","xmm5",12);
&set_label("dec_entry");
# top of round
&movdqa ("xmm1","xmm6"); # 1 : i
&movdqa ("xmm2",&QWP($k_inv+16,$const));# 2 : a/k
&pandn ("xmm1","xmm0"); # 1 = i<<4
&pand ("xmm0","xmm6"); # 0 = k
&psrld ("xmm1",4); # 1 = i
&pand ("xmm0","xmm6"); # 0 = k
&movdqa ("xmm2",&QWP($k_inv+16,$const));# 2 : a/k
&pshufb ("xmm2","xmm0"); # 2 = a/k
&movdqa ("xmm3","xmm7"); # 3 : 1/i
&pxor ("xmm0","xmm1"); # 0 = j
&movdqa ("xmm3","xmm7"); # 3 : 1/i
&pshufb ("xmm3","xmm1"); # 3 = 1/i
&movdqa ("xmm4","xmm7"); # 4 : 1/j
&pxor ("xmm3","xmm2"); # 3 = iak = 1/i + a/k
&movdqa ("xmm4","xmm7"); # 4 : 1/j
&pshufb ("xmm4","xmm0"); # 4 = 1/j
&pxor ("xmm4","xmm2"); # 4 = jak = 1/j + a/k
&movdqa ("xmm2","xmm7"); # 2 : 1/iak
&pshufb ("xmm2","xmm3"); # 2 = 1/iak
&movdqa ("xmm3","xmm7"); # 3 : 1/jak
&pxor ("xmm2","xmm0"); # 2 = io
&movdqa ("xmm3","xmm7"); # 3 : 1/jak
&pshufb ("xmm3","xmm4"); # 3 = 1/jak
&movdqu ("xmm0",&QWP(0,$key));
&pxor ("xmm3","xmm1"); # 3 = jo
&movdqu ("xmm0",&QWP(0,$key));
&jnz (&label("dec_loop"));
# middle of last round
@ -542,12 +542,12 @@ $k_dsbo=0x2c0; # decryption sbox final output
## %xmm0: b+c+d b+c b a
##
&function_begin_B("_vpaes_schedule_192_smear");
&pshufd ("xmm1","xmm6",0x80); # d c 0 0 -> c 0 0 0
&pshufd ("xmm0","xmm6",0x80); # d c 0 0 -> c 0 0 0
&pxor ("xmm6","xmm0"); # -> c+d c 0 0
&pshufd ("xmm0","xmm7",0xFE); # b a _ _ -> b b b a
&pxor ("xmm6","xmm1"); # -> c+d c 0 0
&pxor ("xmm1","xmm1");
&pxor ("xmm6","xmm0"); # -> b+c+d b+c b a
&movdqa ("xmm0","xmm6");
&pxor ("xmm1","xmm1");
&movhlps("xmm6","xmm1"); # clobber low side with zeros
&ret ();
&function_end_B("_vpaes_schedule_192_smear");

View File

@ -27,10 +27,9 @@
#
# aes-x86_64.pl vpaes-x86_64.pl
#
# Core 2(**) 29.6/41.1/14.3 21.9/25.2(***)
# Nehalem 29.6/40.3/14.6 10.0/11.8
# Atom 57.3/74.2/32.1 60.9/77.2(***)
# Silvermont 52.7/64.0/19.5 48.8/60.8(***)
# Core 2(**) 30.5/43.7/14.3 21.8/25.7(***)
# Nehalem 30.5/42.2/14.6 9.8/11.8
# Atom 63.9/79.0/32.1 64.0/84.8(***)
#
# (*) "Hyper-threading" in the context refers rather to cache shared
# among multiple cores, than to specifically Intel HTT. As vast
@ -41,7 +40,7 @@
# (**) "Core 2" refers to initial 65nm design, a.k.a. Conroe.
#
# (***) Less impressive improvement on Core 2 and Atom is due to slow
# pshufb, yet it's respectable +36%/62% improvement on Core 2
# pshufb, yet it's respectable +40%/78% improvement on Core 2
# (as implied, over "hyper-threading-safe" code path).
#
# <appro@openssl.org>
@ -96,8 +95,8 @@ _vpaes_encrypt_core:
movdqa .Lk_ipt+16(%rip), %xmm0 # ipthi
pshufb %xmm1, %xmm0
pxor %xmm5, %xmm2
add \$16, %r9
pxor %xmm2, %xmm0
add \$16, %r9
lea .Lk_mc_backward(%rip),%r10
jmp .Lenc_entry
@ -105,19 +104,19 @@ _vpaes_encrypt_core:
.Lenc_loop:
# middle of middle round
movdqa %xmm13, %xmm4 # 4 : sb1u
movdqa %xmm12, %xmm0 # 0 : sb1t
pshufb %xmm2, %xmm4 # 4 = sb1u
pshufb %xmm3, %xmm0 # 0 = sb1t
pxor %xmm5, %xmm4 # 4 = sb1u + k
movdqa %xmm15, %xmm5 # 4 : sb2u
movdqa %xmm12, %xmm0 # 0 : sb1t
pshufb %xmm3, %xmm0 # 0 = sb1t
pxor %xmm4, %xmm0 # 0 = A
movdqa -0x40(%r11,%r10), %xmm1 # .Lk_mc_forward[]
movdqa %xmm15, %xmm5 # 4 : sb2u
pshufb %xmm2, %xmm5 # 4 = sb2u
movdqa (%r11,%r10), %xmm4 # .Lk_mc_backward[]
movdqa -0x40(%r11,%r10), %xmm1 # .Lk_mc_forward[]
movdqa %xmm14, %xmm2 # 2 : sb2t
pshufb %xmm3, %xmm2 # 2 = sb2t
movdqa %xmm0, %xmm3 # 3 = A
pxor %xmm5, %xmm2 # 2 = 2A
movdqa (%r11,%r10), %xmm4 # .Lk_mc_backward[]
movdqa %xmm0, %xmm3 # 3 = A
pshufb %xmm1, %xmm0 # 0 = B
add \$16, %r9 # next key
pxor %xmm2, %xmm0 # 0 = 2A+B
@ -126,30 +125,30 @@ _vpaes_encrypt_core:
pxor %xmm0, %xmm3 # 3 = 2A+B+D
pshufb %xmm1, %xmm0 # 0 = 2B+C
and \$0x30, %r11 # ... mod 4
sub \$1,%rax # nr--
pxor %xmm3, %xmm0 # 0 = 2A+3B+C+D
sub \$1,%rax # nr--
.Lenc_entry:
# top of round
movdqa %xmm9, %xmm1 # 1 : i
movdqa %xmm11, %xmm5 # 2 : a/k
pandn %xmm0, %xmm1 # 1 = i<<4
psrld \$4, %xmm1 # 1 = i
pand %xmm9, %xmm0 # 0 = k
movdqa %xmm11, %xmm5 # 2 : a/k
pshufb %xmm0, %xmm5 # 2 = a/k
movdqa %xmm10, %xmm3 # 3 : 1/i
pxor %xmm1, %xmm0 # 0 = j
movdqa %xmm10, %xmm3 # 3 : 1/i
pshufb %xmm1, %xmm3 # 3 = 1/i
movdqa %xmm10, %xmm4 # 4 : 1/j
pxor %xmm5, %xmm3 # 3 = iak = 1/i + a/k
movdqa %xmm10, %xmm4 # 4 : 1/j
pshufb %xmm0, %xmm4 # 4 = 1/j
movdqa %xmm10, %xmm2 # 2 : 1/iak
pxor %xmm5, %xmm4 # 4 = jak = 1/j + a/k
movdqa %xmm10, %xmm2 # 2 : 1/iak
pshufb %xmm3, %xmm2 # 2 = 1/iak
movdqa %xmm10, %xmm3 # 3 : 1/jak
pxor %xmm0, %xmm2 # 2 = io
pshufb %xmm4, %xmm3 # 3 = 1/jak
movdqa %xmm10, %xmm3 # 3 : 1/jak
movdqu (%r9), %xmm5
pshufb %xmm4, %xmm3 # 3 = 1/jak
pxor %xmm1, %xmm3 # 3 = jo
jnz .Lenc_loop
@ -202,61 +201,62 @@ _vpaes_decrypt_core:
## Inverse mix columns
##
movdqa -0x20(%r10),%xmm4 # 4 : sb9u
movdqa -0x10(%r10),%xmm1 # 0 : sb9t
pshufb %xmm2, %xmm4 # 4 = sb9u
pshufb %xmm3, %xmm1 # 0 = sb9t
pxor %xmm4, %xmm0
movdqa 0x00(%r10),%xmm4 # 4 : sbdu
pxor %xmm1, %xmm0 # 0 = ch
movdqa 0x10(%r10),%xmm1 # 0 : sbdt
pshufb %xmm2, %xmm4 # 4 = sbdu
pshufb %xmm5, %xmm0 # MC ch
pshufb %xmm3, %xmm1 # 0 = sbdt
pxor %xmm4, %xmm0 # 4 = ch
movdqa 0x20(%r10),%xmm4 # 4 : sbbu
pxor %xmm1, %xmm0 # 0 = ch
movdqa 0x30(%r10),%xmm1 # 0 : sbbt
pshufb %xmm2, %xmm4 # 4 = sbbu
pshufb %xmm5, %xmm0 # MC ch
pshufb %xmm3, %xmm1 # 0 = sbbt
pxor %xmm4, %xmm0 # 4 = ch
movdqa 0x40(%r10),%xmm4 # 4 : sbeu
pxor %xmm1, %xmm0 # 0 = ch
movdqa 0x50(%r10),%xmm1 # 0 : sbet
pshufb %xmm2, %xmm4 # 4 = sbeu
pshufb %xmm5, %xmm0 # MC ch
pshufb %xmm3, %xmm1 # 0 = sbet
pxor %xmm4, %xmm0 # 4 = ch
pxor %xmm0, %xmm4
movdqa -0x10(%r10),%xmm0 # 0 : sb9t
pshufb %xmm3, %xmm0 # 0 = sb9t
pxor %xmm4, %xmm0 # 0 = ch
add \$16, %r9 # next round key
palignr \$12, %xmm5, %xmm5
pxor %xmm1, %xmm0 # 0 = ch
sub \$1,%rax # nr--
pshufb %xmm5, %xmm0 # MC ch
movdqa 0x00(%r10),%xmm4 # 4 : sbdu
pshufb %xmm2, %xmm4 # 4 = sbdu
pxor %xmm0, %xmm4 # 4 = ch
movdqa 0x10(%r10),%xmm0 # 0 : sbdt
pshufb %xmm3, %xmm0 # 0 = sbdt
pxor %xmm4, %xmm0 # 0 = ch
sub \$1,%rax # nr--
pshufb %xmm5, %xmm0 # MC ch
movdqa 0x20(%r10),%xmm4 # 4 : sbbu
pshufb %xmm2, %xmm4 # 4 = sbbu
pxor %xmm0, %xmm4 # 4 = ch
movdqa 0x30(%r10),%xmm0 # 0 : sbbt
pshufb %xmm3, %xmm0 # 0 = sbbt
pxor %xmm4, %xmm0 # 0 = ch
pshufb %xmm5, %xmm0 # MC ch
movdqa 0x40(%r10),%xmm4 # 4 : sbeu
pshufb %xmm2, %xmm4 # 4 = sbeu
pxor %xmm0, %xmm4 # 4 = ch
movdqa 0x50(%r10),%xmm0 # 0 : sbet
pshufb %xmm3, %xmm0 # 0 = sbet
pxor %xmm4, %xmm0 # 0 = ch
palignr \$12, %xmm5, %xmm5
.Ldec_entry:
# top of round
movdqa %xmm9, %xmm1 # 1 : i
pandn %xmm0, %xmm1 # 1 = i<<4
movdqa %xmm11, %xmm2 # 2 : a/k
psrld \$4, %xmm1 # 1 = i
pand %xmm9, %xmm0 # 0 = k
movdqa %xmm11, %xmm2 # 2 : a/k
pshufb %xmm0, %xmm2 # 2 = a/k
movdqa %xmm10, %xmm3 # 3 : 1/i
pxor %xmm1, %xmm0 # 0 = j
movdqa %xmm10, %xmm3 # 3 : 1/i
pshufb %xmm1, %xmm3 # 3 = 1/i
movdqa %xmm10, %xmm4 # 4 : 1/j
pxor %xmm2, %xmm3 # 3 = iak = 1/i + a/k
movdqa %xmm10, %xmm4 # 4 : 1/j
pshufb %xmm0, %xmm4 # 4 = 1/j
pxor %xmm2, %xmm4 # 4 = jak = 1/j + a/k
movdqa %xmm10, %xmm2 # 2 : 1/iak
pshufb %xmm3, %xmm2 # 2 = 1/iak
movdqa %xmm10, %xmm3 # 3 : 1/jak
pxor %xmm0, %xmm2 # 2 = io
movdqa %xmm10, %xmm3 # 3 : 1/jak
pshufb %xmm4, %xmm3 # 3 = 1/jak
movdqu (%r9), %xmm0
pxor %xmm1, %xmm3 # 3 = jo
movdqu (%r9), %xmm0
jnz .Ldec_loop
# middle of last round
@ -464,12 +464,12 @@ _vpaes_schedule_core:
.type _vpaes_schedule_192_smear,\@abi-omnipotent
.align 16
_vpaes_schedule_192_smear:
pshufd \$0x80, %xmm6, %xmm1 # d c 0 0 -> c 0 0 0
pshufd \$0x80, %xmm6, %xmm0 # d c 0 0 -> c 0 0 0
pxor %xmm0, %xmm6 # -> c+d c 0 0
pshufd \$0xFE, %xmm7, %xmm0 # b a _ _ -> b b b a
pxor %xmm1, %xmm6 # -> c+d c 0 0
pxor %xmm1, %xmm1
pxor %xmm0, %xmm6 # -> b+c+d b+c b a
movdqa %xmm6, %xmm0
pxor %xmm1, %xmm1
movhlps %xmm1, %xmm6 # clobber low side with zeros
ret
.size _vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear

View File

@ -1,46 +0,0 @@
#include "arm_arch.h"
.text
.arch armv8-a+crypto
.align 5
.global _armv7_neon_probe
.type _armv7_neon_probe,%function
_armv7_neon_probe:
orr v15.16b, v15.16b, v15.16b
ret
.size _armv7_neon_probe,.-_armv7_neon_probe
.global _armv7_tick
.type _armv7_tick,%function
_armv7_tick:
mrs x0, CNTVCT_EL0
ret
.size _armv7_tick,.-_armv7_tick
.global _armv8_aes_probe
.type _armv8_aes_probe,%function
_armv8_aes_probe:
aese v0.16b, v0.16b
ret
.size _armv8_aes_probe,.-_armv8_aes_probe
.global _armv8_sha1_probe
.type _armv8_sha1_probe,%function
_armv8_sha1_probe:
sha1h s0, s0
ret
.size _armv8_sha1_probe,.-_armv8_sha1_probe
.global _armv8_sha256_probe
.type _armv8_sha256_probe,%function
_armv8_sha256_probe:
sha256su0 v0.4s, v0.4s
ret
.size _armv8_sha256_probe,.-_armv8_sha256_probe
.global _armv8_pmull_probe
.type _armv8_pmull_probe,%function
_armv8_pmull_probe:
pmull v0.1q, v0.1d, v0.1d
ret
.size _armv8_pmull_probe,.-_armv8_pmull_probe

View File

@ -10,24 +10,13 @@
# define __ARMEL__
# endif
# elif defined(__GNUC__)
# if defined(__aarch64__)
# define __ARM_ARCH__ 8
# if __BYTE_ORDER__==__ORDER_BIG_ENDIAN__
# define __ARMEB__
# else
# define __ARMEL__
# endif
/*
* Why doesn't gcc define __ARM_ARCH__? Instead it defines
* bunch of below macros. See all_architectires[] table in
* gcc/config/arm/arm.c. On a side note it defines
* __ARMEL__/__ARMEB__ for little-/big-endian.
*/
# elif defined(__ARM_ARCH)
# define __ARM_ARCH__ __ARM_ARCH
# elif defined(__ARM_ARCH_8A__)
# define __ARM_ARCH__ 8
# elif defined(__ARM_ARCH_7__) || defined(__ARM_ARCH_7A__) || \
# if defined(__ARM_ARCH_7__) || defined(__ARM_ARCH_7A__) || \
defined(__ARM_ARCH_7R__)|| defined(__ARM_ARCH_7M__) || \
defined(__ARM_ARCH_7EM__)
# define __ARM_ARCH__ 7
@ -52,27 +41,11 @@
# include <openssl/fipssyms.h>
# endif
# if !defined(__ARM_MAX_ARCH__)
# define __ARM_MAX_ARCH__ __ARM_ARCH__
# endif
# if __ARM_MAX_ARCH__<__ARM_ARCH__
# error "__ARM_MAX_ARCH__ can't be less than __ARM_ARCH__"
# elif __ARM_MAX_ARCH__!=__ARM_ARCH__
# if __ARM_ARCH__<7 && __ARM_MAX_ARCH__>=7 && defined(__ARMEB__)
# error "can't build universal big-endian binary"
# endif
# endif
# if !__ASSEMBLER__
extern unsigned int OPENSSL_armcap_P;
# define ARMV7_NEON (1<<0)
# define ARMV7_TICK (1<<1)
# endif
# define ARMV7_NEON (1<<0)
# define ARMV7_TICK (1<<1)
# define ARMV8_AES (1<<2)
# define ARMV8_SHA1 (1<<3)
# define ARMV8_SHA256 (1<<4)
# define ARMV8_PMULL (1<<5)
#endif

View File

@ -7,18 +7,8 @@
#include "arm_arch.h"
unsigned int OPENSSL_armcap_P = 0;
unsigned int OPENSSL_armcap_P;
#if __ARM_MAX_ARCH__<7
void OPENSSL_cpuid_setup(void)
{
}
unsigned long OPENSSL_rdtsc(void)
{
return 0;
}
#else
static sigset_t all_masked;
static sigjmp_buf ill_jmp;
@ -32,13 +22,9 @@ static void ill_handler(int sig)
* ARM compilers support inline assembler...
*/
void _armv7_neon_probe(void);
void _armv8_aes_probe(void);
void _armv8_sha1_probe(void);
void _armv8_sha256_probe(void);
void _armv8_pmull_probe(void);
unsigned long _armv7_tick(void);
unsigned int _armv7_tick(void);
unsigned long OPENSSL_rdtsc(void)
unsigned int OPENSSL_rdtsc(void)
{
if (OPENSSL_armcap_P & ARMV7_TICK)
return _armv7_tick();
@ -46,44 +32,9 @@ unsigned long OPENSSL_rdtsc(void)
return 0;
}
/*
* Use a weak reference to getauxval() so we can use it if it is available but
* don't break the build if it is not.
*/
# if defined(__GNUC__) && __GNUC__>=2
#if defined(__GNUC__) && __GNUC__>=2
void OPENSSL_cpuid_setup(void) __attribute__ ((constructor));
extern unsigned long getauxval(unsigned long type) __attribute__ ((weak));
# else
static unsigned long (*getauxval) (unsigned long) = NULL;
# endif
/*
* ARM puts the the feature bits for Crypto Extensions in AT_HWCAP2, whereas
* AArch64 used AT_HWCAP.
*/
# if defined(__arm__) || defined (__arm)
# define HWCAP 16
/* AT_HWCAP */
# define HWCAP_NEON (1 << 12)
# define HWCAP_CE 26
/* AT_HWCAP2 */
# define HWCAP_CE_AES (1 << 0)
# define HWCAP_CE_PMULL (1 << 1)
# define HWCAP_CE_SHA1 (1 << 2)
# define HWCAP_CE_SHA256 (1 << 3)
# elif defined(__aarch64__)
# define HWCAP 16
/* AT_HWCAP */
# define HWCAP_NEON (1 << 1)
# define HWCAP_CE HWCAP
# define HWCAP_CE_AES (1 << 3)
# define HWCAP_CE_PMULL (1 << 4)
# define HWCAP_CE_SHA1 (1 << 5)
# define HWCAP_CE_SHA256 (1 << 6)
# endif
#endif
void OPENSSL_cpuid_setup(void)
{
char *e;
@ -96,7 +47,7 @@ void OPENSSL_cpuid_setup(void)
trigger = 1;
if ((e = getenv("OPENSSL_armcap"))) {
OPENSSL_armcap_P = (unsigned int)strtoul(e, NULL, 0);
OPENSSL_armcap_P = strtoul(e, NULL, 0);
return;
}
@ -116,42 +67,9 @@ void OPENSSL_cpuid_setup(void)
sigprocmask(SIG_SETMASK, &ill_act.sa_mask, &oset);
sigaction(SIGILL, &ill_act, &ill_oact);
if (getauxval != NULL) {
if (getauxval(HWCAP) & HWCAP_NEON) {
unsigned long hwcap = getauxval(HWCAP_CE);
OPENSSL_armcap_P |= ARMV7_NEON;
if (hwcap & HWCAP_CE_AES)
OPENSSL_armcap_P |= ARMV8_AES;
if (hwcap & HWCAP_CE_PMULL)
OPENSSL_armcap_P |= ARMV8_PMULL;
if (hwcap & HWCAP_CE_SHA1)
OPENSSL_armcap_P |= ARMV8_SHA1;
if (hwcap & HWCAP_CE_SHA256)
OPENSSL_armcap_P |= ARMV8_SHA256;
}
} else if (sigsetjmp(ill_jmp, 1) == 0) {
if (sigsetjmp(ill_jmp, 1) == 0) {
_armv7_neon_probe();
OPENSSL_armcap_P |= ARMV7_NEON;
if (sigsetjmp(ill_jmp, 1) == 0) {
_armv8_pmull_probe();
OPENSSL_armcap_P |= ARMV8_PMULL | ARMV8_AES;
} else if (sigsetjmp(ill_jmp, 1) == 0) {
_armv8_aes_probe();
OPENSSL_armcap_P |= ARMV8_AES;
}
if (sigsetjmp(ill_jmp, 1) == 0) {
_armv8_sha1_probe();
OPENSSL_armcap_P |= ARMV8_SHA1;
}
if (sigsetjmp(ill_jmp, 1) == 0) {
_armv8_sha256_probe();
OPENSSL_armcap_P |= ARMV8_SHA256;
}
}
if (sigsetjmp(ill_jmp, 1) == 0) {
_armv7_tick();
@ -161,4 +79,3 @@ void OPENSSL_cpuid_setup(void)
sigaction(SIGILL, &ill_oact, NULL);
sigprocmask(SIG_SETMASK, &oset, NULL);
}
#endif

View File

@ -4,6 +4,20 @@
.code 32
.align 5
.global _armv7_neon_probe
.type _armv7_neon_probe,%function
_armv7_neon_probe:
.word 0xf26ee1fe @ vorr q15,q15,q15
.word 0xe12fff1e @ bx lr
.size _armv7_neon_probe,.-_armv7_neon_probe
.global _armv7_tick
.type _armv7_tick,%function
_armv7_tick:
mrc p15,0,r0,c9,c13,0
.word 0xe12fff1e @ bx lr
.size _armv7_tick,.-_armv7_tick
.global OPENSSL_atomic_add
.type OPENSSL_atomic_add,%function
OPENSSL_atomic_add:
@ -14,7 +28,7 @@ OPENSSL_atomic_add:
cmp r2,#0
bne .Ladd
mov r0,r3
bx lr
.word 0xe12fff1e @ bx lr
#else
stmdb sp!,{r4-r6,lr}
ldr r2,.Lspinlock
@ -67,131 +81,62 @@ OPENSSL_cleanse:
adds r1,r1,#4
bne .Little
.Lcleanse_done:
#if __ARM_ARCH__>=5
bx lr
#else
tst lr,#1
moveq pc,lr
.word 0xe12fff1e @ bx lr
#endif
.size OPENSSL_cleanse,.-OPENSSL_cleanse
#if __ARM_MAX_ARCH__>=7
.arch armv7-a
.fpu neon
.align 5
.global _armv7_neon_probe
.type _armv7_neon_probe,%function
_armv7_neon_probe:
vorr q0,q0,q0
bx lr
.size _armv7_neon_probe,.-_armv7_neon_probe
.global _armv7_tick
.type _armv7_tick,%function
_armv7_tick:
mrrc p15,1,r0,r1,c14 @ CNTVCT
bx lr
.size _armv7_tick,.-_armv7_tick
.global _armv8_aes_probe
.type _armv8_aes_probe,%function
_armv8_aes_probe:
.byte 0x00,0x03,0xb0,0xf3 @ aese.8 q0,q0
bx lr
.size _armv8_aes_probe,.-_armv8_aes_probe
.global _armv8_sha1_probe
.type _armv8_sha1_probe,%function
_armv8_sha1_probe:
.byte 0x40,0x0c,0x00,0xf2 @ sha1c.32 q0,q0,q0
bx lr
.size _armv8_sha1_probe,.-_armv8_sha1_probe
.global _armv8_sha256_probe
.type _armv8_sha256_probe,%function
_armv8_sha256_probe:
.byte 0x40,0x0c,0x00,0xf3 @ sha256h.32 q0,q0,q0
bx lr
.size _armv8_sha256_probe,.-_armv8_sha256_probe
.global _armv8_pmull_probe
.type _armv8_pmull_probe,%function
_armv8_pmull_probe:
.byte 0x00,0x0e,0xa0,0xf2 @ vmull.p64 q0,d0,d0
bx lr
.size _armv8_pmull_probe,.-_armv8_pmull_probe
#endif
.global OPENSSL_wipe_cpu
.type OPENSSL_wipe_cpu,%function
OPENSSL_wipe_cpu:
#if __ARM_MAX_ARCH__>=7
ldr r0,.LOPENSSL_armcap
adr r1,.LOPENSSL_armcap
ldr r0,[r1,r0]
#endif
eor r2,r2,r2
eor r3,r3,r3
eor ip,ip,ip
#if __ARM_MAX_ARCH__>=7
tst r0,#1
beq .Lwipe_done
veor q0, q0, q0
veor q1, q1, q1
veor q2, q2, q2
veor q3, q3, q3
veor q8, q8, q8
veor q9, q9, q9
veor q10, q10, q10
veor q11, q11, q11
veor q12, q12, q12
veor q13, q13, q13
veor q14, q14, q14
veor q15, q15, q15
.word 0xf3000150 @ veor q0, q0, q0
.word 0xf3022152 @ veor q1, q1, q1
.word 0xf3044154 @ veor q2, q2, q2
.word 0xf3066156 @ veor q3, q3, q3
.word 0xf34001f0 @ veor q8, q8, q8
.word 0xf34221f2 @ veor q9, q9, q9
.word 0xf34441f4 @ veor q10, q10, q10
.word 0xf34661f6 @ veor q11, q11, q11
.word 0xf34881f8 @ veor q12, q12, q12
.word 0xf34aa1fa @ veor q13, q13, q13
.word 0xf34cc1fc @ veor q14, q14, q14
.word 0xf34ee1fe @ veor q15, q15, q15
.Lwipe_done:
#endif
mov r0,sp
#if __ARM_ARCH__>=5
bx lr
#else
tst lr,#1
moveq pc,lr
.word 0xe12fff1e @ bx lr
#endif
.size OPENSSL_wipe_cpu,.-OPENSSL_wipe_cpu
.global OPENSSL_instrument_bus
.type OPENSSL_instrument_bus,%function
OPENSSL_instrument_bus:
eor r0,r0,r0
#if __ARM_ARCH__>=5
bx lr
#else
tst lr,#1
moveq pc,lr
.word 0xe12fff1e @ bx lr
#endif
.size OPENSSL_instrument_bus,.-OPENSSL_instrument_bus
.global OPENSSL_instrument_bus2
.type OPENSSL_instrument_bus2,%function
OPENSSL_instrument_bus2:
eor r0,r0,r0
#if __ARM_ARCH__>=5
bx lr
#else
tst lr,#1
moveq pc,lr
.word 0xe12fff1e @ bx lr
#endif
.size OPENSSL_instrument_bus2,.-OPENSSL_instrument_bus2
.align 5
#if __ARM_MAX_ARCH__>=7
.LOPENSSL_armcap:
.word OPENSSL_armcap_P-.LOPENSSL_armcap
#endif
#if __ARM_ARCH__>=6
.align 5
#else

View File

@ -176,7 +176,7 @@ a_gentm.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
a_gentm.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
a_gentm.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
a_gentm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
a_gentm.o: ../cryptlib.h ../o_time.h a_gentm.c asn1_locl.h
a_gentm.o: ../cryptlib.h ../o_time.h a_gentm.c
a_i2d_fp.o: ../../e_os.h ../../include/openssl/asn1.h
a_i2d_fp.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
a_i2d_fp.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
@ -277,7 +277,6 @@ a_time.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
a_time.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
a_time.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
a_time.o: ../../include/openssl/symhacks.h ../cryptlib.h ../o_time.h a_time.c
a_time.o: asn1_locl.h
a_type.o: ../../e_os.h ../../include/openssl/asn1.h
a_type.o: ../../include/openssl/asn1t.h ../../include/openssl/bio.h
a_type.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
@ -294,7 +293,7 @@ a_utctm.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
a_utctm.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
a_utctm.o: ../../include/openssl/ossl_typ.h ../../include/openssl/safestack.h
a_utctm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
a_utctm.o: ../cryptlib.h ../o_time.h a_utctm.c asn1_locl.h
a_utctm.o: ../cryptlib.h ../o_time.h a_utctm.c
a_utf8.o: ../../e_os.h ../../include/openssl/asn1.h ../../include/openssl/bio.h
a_utf8.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
a_utf8.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h

View File

@ -65,7 +65,6 @@
#include "cryptlib.h"
#include "o_time.h"
#include <openssl/asn1.h>
#include "asn1_locl.h"
#if 0
@ -118,7 +117,7 @@ ASN1_GENERALIZEDTIME *d2i_ASN1_GENERALIZEDTIME(ASN1_GENERALIZEDTIME **a,
#endif
int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d)
int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *d)
{
static const int min[9] = { 0, 0, 1, 1, 0, 0, 0, 0, 0 };
static const int max[9] = { 99, 99, 12, 31, 23, 59, 59, 12, 59 };
@ -140,8 +139,6 @@ int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d)
for (i = 0; i < 7; i++) {
if ((i == 6) && ((a[o] == 'Z') || (a[o] == '+') || (a[o] == '-'))) {
i++;
if (tm)
tm->tm_sec = 0;
break;
}
if ((a[o] < '0') || (a[o] > '9'))
@ -158,31 +155,6 @@ int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d)
if ((n < min[i]) || (n > max[i]))
goto err;
if (tm) {
switch (i) {
case 0:
tm->tm_year = n * 100 - 1900;
break;
case 1:
tm->tm_year += n;
break;
case 2:
tm->tm_mon = n - 1;
break;
case 3:
tm->tm_mday = n;
break;
case 4:
tm->tm_hour = n;
break;
case 5:
tm->tm_min = n;
break;
case 6:
tm->tm_sec = n;
break;
}
}
}
/*
* Optional fractional seconds: decimal point followed by one or more
@ -202,7 +174,6 @@ int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d)
if (a[o] == 'Z')
o++;
else if ((a[o] == '+') || (a[o] == '-')) {
int offsign = a[o] == '-' ? -1 : 1, offset = 0;
o++;
if (o + 4 > l)
goto err;
@ -216,17 +187,9 @@ int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d)
n = (n * 10) + a[o] - '0';
if ((n < min[i]) || (n > max[i]))
goto err;
if (tm) {
if (i == 7)
offset = n * 3600;
else if (i == 8)
offset += n * 60;
}
o++;
}
if (offset && !OPENSSL_gmtime_adj(tm, 0, offset * offsign))
return 0;
} else if (a[o]) {
} else {
/* Missing time zone information. */
goto err;
}
@ -235,11 +198,6 @@ int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d)
return (0);
}
int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *d)
{
return asn1_generalizedtime_to_tm(NULL, d);
}
int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str)
{
ASN1_GENERALIZEDTIME t;

View File

@ -66,7 +66,6 @@
#include "cryptlib.h"
#include "o_time.h"
#include <openssl/asn1t.h>
#include "asn1_locl.h"
IMPLEMENT_ASN1_MSTRING(ASN1_TIME, B_ASN1_TIME)
@ -197,32 +196,3 @@ int ASN1_TIME_set_string(ASN1_TIME *s, const char *str)
return 1;
}
static int asn1_time_to_tm(struct tm *tm, const ASN1_TIME *t)
{
if (t == NULL) {
time_t now_t;
time(&now_t);
if (OPENSSL_gmtime(&now_t, tm))
return 1;
return 0;
}
if (t->type == V_ASN1_UTCTIME)
return asn1_utctime_to_tm(tm, t);
else if (t->type == V_ASN1_GENERALIZEDTIME)
return asn1_generalizedtime_to_tm(tm, t);
return 0;
}
int ASN1_TIME_diff(int *pday, int *psec,
const ASN1_TIME *from, const ASN1_TIME *to)
{
struct tm tm_from, tm_to;
if (!asn1_time_to_tm(&tm_from, from))
return 0;
if (!asn1_time_to_tm(&tm_to, to))
return 0;
return OPENSSL_gmtime_diff(pday, psec, &tm_from, &tm_to);
}

View File

@ -61,7 +61,6 @@
#include "cryptlib.h"
#include "o_time.h"
#include <openssl/asn1.h>
#include "asn1_locl.h"
#if 0
int i2d_ASN1_UTCTIME(ASN1_UTCTIME *a, unsigned char **pp)
@ -110,7 +109,7 @@ ASN1_UTCTIME *d2i_ASN1_UTCTIME(ASN1_UTCTIME **a, unsigned char **pp,
#endif
int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d)
int ASN1_UTCTIME_check(ASN1_UTCTIME *d)
{
static const int min[8] = { 0, 1, 1, 0, 0, 0, 0, 0 };
static const int max[8] = { 99, 12, 31, 23, 59, 59, 12, 59 };
@ -128,8 +127,6 @@ int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d)
for (i = 0; i < 6; i++) {
if ((i == 5) && ((a[o] == 'Z') || (a[o] == '+') || (a[o] == '-'))) {
i++;
if (tm)
tm->tm_sec = 0;
break;
}
if ((a[o] < '0') || (a[o] > '9'))
@ -146,33 +143,10 @@ int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d)
if ((n < min[i]) || (n > max[i]))
goto err;
if (tm) {
switch (i) {
case 0:
tm->tm_year = n < 50 ? n + 100 : n;
break;
case 1:
tm->tm_mon = n - 1;
break;
case 2:
tm->tm_mday = n;
break;
case 3:
tm->tm_hour = n;
break;
case 4:
tm->tm_min = n;
break;
case 5:
tm->tm_sec = n;
break;
}
}
}
if (a[o] == 'Z')
o++;
else if ((a[o] == '+') || (a[o] == '-')) {
int offsign = a[o] == '-' ? -1 : 1, offset = 0;
o++;
if (o + 4 > l)
goto err;
@ -186,25 +160,12 @@ int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d)
n = (n * 10) + a[o] - '0';
if ((n < min[i]) || (n > max[i]))
goto err;
if (tm) {
if (i == 6)
offset = n * 3600;
else if (i == 7)
offset += n * 60;
}
o++;
}
if (offset && !OPENSSL_gmtime_adj(tm, 0, offset * offsign))
return 0;
}
return o == l;
return (o == l);
err:
return 0;
}
int ASN1_UTCTIME_check(const ASN1_UTCTIME *d)
{
return asn1_utctime_to_tm(NULL, d);
return (0);
}
int ASN1_UTCTIME_set_string(ASN1_UTCTIME *s, const char *str)
@ -288,26 +249,43 @@ ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t)
{
struct tm stm, ttm;
int day, sec;
struct tm *tm;
struct tm data;
int offset;
int year;
if (!asn1_utctime_to_tm(&stm, s))
#define g2(p) (((p)[0]-'0')*10+(p)[1]-'0')
if (s->data[12] == 'Z')
offset = 0;
else {
offset = g2(s->data + 13) * 60 + g2(s->data + 15);
if (s->data[12] == '-')
offset = -offset;
}
t -= offset * 60; /* FIXME: may overflow in extreme cases */
tm = OPENSSL_gmtime(&t, &data);
/*
* NB: -1, 0, 1 already valid return values so use -2 to indicate error.
*/
if (tm == NULL)
return -2;
if (!OPENSSL_gmtime(&t, &ttm))
return -2;
#define return_cmp(a,b) if ((a)<(b)) return -1; else if ((a)>(b)) return 1
year = g2(s->data);
if (year < 50)
year += 100;
return_cmp(year, tm->tm_year);
return_cmp(g2(s->data + 2) - 1, tm->tm_mon);
return_cmp(g2(s->data + 4), tm->tm_mday);
return_cmp(g2(s->data + 6), tm->tm_hour);
return_cmp(g2(s->data + 8), tm->tm_min);
return_cmp(g2(s->data + 10), tm->tm_sec);
#undef g2
#undef return_cmp
if (!OPENSSL_gmtime_diff(&day, &sec, &ttm, &stm))
return -2;
if (day > 0)
return 1;
if (day < 0)
return -1;
if (sec > 0)
return 1;
if (sec < 0)
return -1;
return 0;
}

View File

@ -68,7 +68,6 @@
extern const EVP_PKEY_ASN1_METHOD rsa_asn1_meths[];
extern const EVP_PKEY_ASN1_METHOD dsa_asn1_meths[];
extern const EVP_PKEY_ASN1_METHOD dh_asn1_meth;
extern const EVP_PKEY_ASN1_METHOD dhx_asn1_meth;
extern const EVP_PKEY_ASN1_METHOD eckey_asn1_meth;
extern const EVP_PKEY_ASN1_METHOD hmac_asn1_meth;
extern const EVP_PKEY_ASN1_METHOD cmac_asn1_meth;
@ -93,10 +92,7 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = {
&eckey_asn1_meth,
#endif
&hmac_asn1_meth,
&cmac_asn1_meth,
#ifndef OPENSSL_NO_DH
&dhx_asn1_meth
#endif
&cmac_asn1_meth
};
typedef int sk_cmp_fn_type(const char *const *a, const char *const *b);
@ -464,21 +460,3 @@ void EVP_PKEY_asn1_set_ctrl(EVP_PKEY_ASN1_METHOD *ameth,
{
ameth->pkey_ctrl = pkey_ctrl;
}
void EVP_PKEY_asn1_set_item(EVP_PKEY_ASN1_METHOD *ameth,
int (*item_verify) (EVP_MD_CTX *ctx,
const ASN1_ITEM *it,
void *asn,
X509_ALGOR *a,
ASN1_BIT_STRING *sig,
EVP_PKEY *pkey),
int (*item_sign) (EVP_MD_CTX *ctx,
const ASN1_ITEM *it,
void *asn,
X509_ALGOR *alg1,
X509_ALGOR *alg2,
ASN1_BIT_STRING *sig))
{
ameth->item_sign = item_sign;
ameth->item_verify = item_verify;
}

View File

@ -207,13 +207,13 @@ typedef struct asn1_const_ctx_st {
# define ASN1_OBJECT_FLAG_CRITICAL 0x02/* critical x509v3 object id */
# define ASN1_OBJECT_FLAG_DYNAMIC_STRINGS 0x04/* internal use */
# define ASN1_OBJECT_FLAG_DYNAMIC_DATA 0x08/* internal use */
struct asn1_object_st {
typedef struct asn1_object_st {
const char *sn, *ln;
int nid;
int length;
const unsigned char *data; /* data remains const after init */
int flags; /* Should we free this one */
};
} ASN1_OBJECT;
# define ASN1_STRING_FLAG_BITS_LEFT 0x08/* Set if 0x07 has bits left value */
/*
@ -843,7 +843,7 @@ int ASN1_INTEGER_cmp(const ASN1_INTEGER *x, const ASN1_INTEGER *y);
DECLARE_ASN1_FUNCTIONS(ASN1_ENUMERATED)
int ASN1_UTCTIME_check(const ASN1_UTCTIME *a);
int ASN1_UTCTIME_check(ASN1_UTCTIME *a);
ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t);
ASN1_UTCTIME *ASN1_UTCTIME_adj(ASN1_UTCTIME *s, time_t t,
int offset_day, long offset_sec);
@ -853,15 +853,13 @@ int ASN1_UTCTIME_cmp_time_t(const ASN1_UTCTIME *s, time_t t);
time_t ASN1_UTCTIME_get(const ASN1_UTCTIME *s);
# endif
int ASN1_GENERALIZEDTIME_check(const ASN1_GENERALIZEDTIME *a);
int ASN1_GENERALIZEDTIME_check(ASN1_GENERALIZEDTIME *a);
ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
time_t t);
ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_adj(ASN1_GENERALIZEDTIME *s,
time_t t, int offset_day,
long offset_sec);
int ASN1_GENERALIZEDTIME_set_string(ASN1_GENERALIZEDTIME *s, const char *str);
int ASN1_TIME_diff(int *pday, int *psec,
const ASN1_TIME *from, const ASN1_TIME *to);
DECLARE_ASN1_FUNCTIONS(ASN1_OCTET_STRING)
ASN1_OCTET_STRING *ASN1_OCTET_STRING_dup(const ASN1_OCTET_STRING *a);

View File

@ -59,9 +59,6 @@
/* Internal ASN1 structures and functions: not for application use */
int asn1_utctime_to_tm(struct tm *tm, const ASN1_UTCTIME *d);
int asn1_generalizedtime_to_tm(struct tm *tm, const ASN1_GENERALIZEDTIME *d);
/* ASN1 print context structure */
struct asn1_pctx_st {

View File

@ -229,21 +229,6 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags,
}
}
if (!(cflag & X509_FLAG_NO_IDS)) {
if (ci->issuerUID) {
if (BIO_printf(bp, "%8sIssuer Unique ID: ", "") <= 0)
goto err;
if (!X509_signature_dump(bp, ci->issuerUID, 12))
goto err;
}
if (ci->subjectUID) {
if (BIO_printf(bp, "%8sSubject Unique ID: ", "") <= 0)
goto err;
if (!X509_signature_dump(bp, ci->subjectUID, 12))
goto err;
}
}
if (!(cflag & X509_FLAG_NO_EXTENSIONS))
X509V3_extensions_print(bp, "X509v3 extensions",
ci->extensions, cflag, 8);

View File

@ -717,7 +717,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
long plen;
char cst, inf, free_cont = 0;
const unsigned char *p;
BUF_MEM buf = { 0, NULL, 0 };
BUF_MEM buf;
const unsigned char *cont = NULL;
long len;
if (!pval) {
@ -793,6 +793,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
} else {
len = p - cont + plen;
p += plen;
buf.data = NULL;
}
} else if (cst) {
if (utype == V_ASN1_NULL || utype == V_ASN1_BOOLEAN
@ -801,9 +802,9 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ASN1_R_TYPE_NOT_PRIMITIVE);
return 0;
}
/* Free any returned 'buf' content */
free_cont = 1;
buf.length = 0;
buf.max = 0;
buf.data = NULL;
/*
* Should really check the internal tags are correct but some things
* may get this wrong. The relevant specs say that constructed string
@ -811,16 +812,18 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
* So instead just check for UNIVERSAL class and ignore the tag.
*/
if (!asn1_collect(&buf, &p, plen, inf, -1, V_ASN1_UNIVERSAL, 0)) {
free_cont = 1;
goto err;
}
len = buf.length;
/* Append a final null to string */
if (!BUF_MEM_grow_clean(&buf, len + 1)) {
ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE, ERR_R_MALLOC_FAILURE);
goto err;
return 0;
}
buf.data[len] = 0;
cont = (const unsigned char *)buf.data;
free_cont = 1;
} else {
cont = p;
len = plen;
@ -828,7 +831,6 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval,
}
/* We now have content length and type: translate into a structure */
/* asn1_ex_c2i may reuse allocated buffer, and so sets free_cont to 0 */
if (!asn1_ex_c2i(pval, cont, len, utype, &free_cont, it))
goto err;

View File

@ -58,8 +58,8 @@
#include <stdio.h>
#include "cryptlib.h"
#include <openssl/asn1t.h>
#include "asn1_locl.h"
#include <openssl/asn1t.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@ -341,8 +341,6 @@ ASN1_SEQUENCE_ref(X509_CRL, crl_cb, CRYPTO_LOCK_X509_CRL) = {
IMPLEMENT_ASN1_FUNCTIONS(X509_REVOKED)
IMPLEMENT_ASN1_DUP_FUNCTION(X509_REVOKED)
IMPLEMENT_ASN1_FUNCTIONS(X509_CRL_INFO)
IMPLEMENT_ASN1_FUNCTIONS(X509_CRL)

View File

@ -217,23 +217,3 @@ int i2d_X509_AUX(X509 *a, unsigned char **pp)
return length;
}
int i2d_re_X509_tbs(X509 *x, unsigned char **pp)
{
x->cert_info->enc.modified = 1;
return i2d_X509_CINF(x->cert_info, pp);
}
void X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg,
const X509 *x)
{
if (psig)
*psig = x->signature;
if (palg)
*palg = x->sig_alg;
}
int X509_get_signature_nid(const X509 *x)
{
return OBJ_obj2nid(x->sig_alg->algorithm);
}

View File

@ -163,13 +163,10 @@ int X509_add1_reject_object(X509 *x, ASN1_OBJECT *obj)
if (!(objtmp = OBJ_dup(obj)))
return 0;
if (!(aux = aux_get(x)))
goto err;
return 0;
if (!aux->reject && !(aux->reject = sk_ASN1_OBJECT_new_null()))
goto err;
return 0;
return sk_ASN1_OBJECT_push(aux->reject, objtmp);
err:
ASN1_OBJECT_free(objtmp);
return 0;
}
void X509_trust_clear(X509 *x)

View File

@ -181,28 +181,3 @@ int BIO_dump_indent(BIO *bp, const char *s, int len, int indent)
{
return BIO_dump_indent_cb(write_bio, bp, s, len, indent);
}
int BIO_hex_string(BIO *out, int indent, int width, unsigned char *data,
int datalen)
{
int i, j = 0;
if (datalen < 1)
return 1;
for (i = 0; i < datalen - 1; i++) {
if (i && !j)
BIO_printf(out, "%*s", indent, "");
BIO_printf(out, "%02X:", data[i]);
j = (j + 1) % width;
if (!j)
BIO_printf(out, "\n");
}
if (i && !j)
BIO_printf(out, "%*s", indent, "");
BIO_printf(out, "%02X", data[datalen - 1]);
return 1;
}

View File

@ -225,17 +225,13 @@ int BIO_get_port(const char *str, unsigned short *port_ptr)
int BIO_sock_error(int sock)
{
int j, i;
union {
size_t s;
int i;
} size;
int size;
# if defined(OPENSSL_SYS_BEOS_R5)
return 0;
# endif
/* heuristic way to adapt for platforms that expect 64-bit optlen */
size.s = 0, size.i = sizeof(j);
size = sizeof(int);
/*
* Note: under Windows the third parameter is of type (char *) whereas
* under other systems it is (void *) if you don't have a cast it will

View File

@ -174,7 +174,6 @@ extern "C" {
# define BIO_CTRL_DGRAM_SET_NEXT_TIMEOUT 45/* Next DTLS handshake timeout
* to adjust socket timeouts */
# define BIO_CTRL_DGRAM_SET_DONT_FRAG 48
# define BIO_CTRL_DGRAM_GET_MTU_OVERHEAD 49
@ -689,7 +688,7 @@ long BIO_debug_callback(BIO *bio, int cmd, const char *argp, int argi,
long argl, long ret);
BIO_METHOD *BIO_s_mem(void);
BIO *BIO_new_mem_buf(const void *buf, int len);
BIO *BIO_new_mem_buf(void *buf, int len);
BIO_METHOD *BIO_s_socket(void);
BIO_METHOD *BIO_s_connect(void);
BIO_METHOD *BIO_s_accept(void);
@ -730,9 +729,6 @@ int BIO_dump_indent(BIO *b, const char *bytes, int len, int indent);
int BIO_dump_fp(FILE *fp, const char *s, int len);
int BIO_dump_indent_fp(FILE *fp, const char *s, int len, int indent);
# endif
int BIO_hex_string(BIO *out, int indent, int width, unsigned char *data,
int datalen);
struct hostent *BIO_gethostbyname(const char *name);
/*-
* We might want a thread-safe interface too:
@ -769,8 +765,8 @@ int BIO_dgram_sctp_wait_for_dry(BIO *b);
int BIO_dgram_sctp_msg_waiting(BIO *b);
# endif
BIO *BIO_new_fd(int fd, int close_flag);
BIO *BIO_new_connect(const char *host_port);
BIO *BIO_new_accept(const char *host_port);
BIO *BIO_new_connect(char *host_port);
BIO *BIO_new_accept(char *host_port);
int BIO_new_bio_pair(BIO **bio1, size_t writebuf1,
BIO **bio2, size_t writebuf2);

View File

@ -1,6 +1,6 @@
/* crypto/bio/bio_err.c */
/* ====================================================================
* Copyright (c) 1999-2015 The OpenSSL Project. All rights reserved.
* Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions

View File

@ -445,7 +445,7 @@ static int acpt_puts(BIO *bp, const char *str)
return (ret);
}
BIO *BIO_new_accept(const char *str)
BIO *BIO_new_accept(char *str)
{
BIO *ret;

View File

@ -594,7 +594,7 @@ static int conn_puts(BIO *bp, const char *str)
return (ret);
}
BIO *BIO_new_connect(const char *str)
BIO *BIO_new_connect(char *str)
{
BIO *ret;

View File

@ -65,7 +65,7 @@
#include <openssl/bio.h>
#ifndef OPENSSL_NO_DGRAM
# if defined(OPENSSL_SYS_VMS)
# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VMS)
# include <sys/timeb.h>
# endif
@ -80,10 +80,6 @@
# define IP_MTU 14 /* linux is lame */
# endif
# if OPENSSL_USE_IPV6 && !defined(IPPROTO_IPV6)
# define IPPROTO_IPV6 41 /* windows is lame */
# endif
# if defined(__FreeBSD__) && defined(IN6_IS_ADDR_V4MAPPED)
/* Standard definition causes type-punning problems. */
# undef IN6_IS_ADDR_V4MAPPED
@ -500,8 +496,8 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
int *ip;
struct sockaddr *to = NULL;
bio_dgram_data *data = NULL;
int sockopt_val = 0;
# if defined(OPENSSL_SYS_LINUX) && (defined(IP_MTU_DISCOVER) || defined(IP_MTU))
int sockopt_val = 0;
socklen_t sockopt_len; /* assume that system supporting IP_MTU is
* modern enough to define socklen_t */
socklen_t addr_len;
@ -884,61 +880,6 @@ static long dgram_ctrl(BIO *b, int cmd, long num, void *ptr)
ret = 0;
break;
# endif
case BIO_CTRL_DGRAM_SET_DONT_FRAG:
sockopt_val = num ? 1 : 0;
switch (data->peer.sa.sa_family) {
case AF_INET:
# if defined(IP_DONTFRAG)
if ((ret = setsockopt(b->num, IPPROTO_IP, IP_DONTFRAG,
&sockopt_val, sizeof(sockopt_val))) < 0) {
perror("setsockopt");
ret = -1;
}
# elif defined(OPENSSL_SYS_LINUX) && defined(IP_MTU_DISCOVER) && defined (IP_PMTUDISC_PROBE)
if ((sockopt_val = num ? IP_PMTUDISC_PROBE : IP_PMTUDISC_DONT),
(ret = setsockopt(b->num, IPPROTO_IP, IP_MTU_DISCOVER,
&sockopt_val, sizeof(sockopt_val))) < 0) {
perror("setsockopt");
ret = -1;
}
# elif defined(OPENSSL_SYS_WINDOWS) && defined(IP_DONTFRAGMENT)
if ((ret = setsockopt(b->num, IPPROTO_IP, IP_DONTFRAGMENT,
(const char *)&sockopt_val,
sizeof(sockopt_val))) < 0) {
perror("setsockopt");
ret = -1;
}
# else
ret = -1;
# endif
break;
# if OPENSSL_USE_IPV6
case AF_INET6:
# if defined(IPV6_DONTFRAG)
if ((ret = setsockopt(b->num, IPPROTO_IPV6, IPV6_DONTFRAG,
(const void *)&sockopt_val,
sizeof(sockopt_val))) < 0) {
perror("setsockopt");
ret = -1;
}
# elif defined(OPENSSL_SYS_LINUX) && defined(IPV6_MTUDISCOVER)
if ((sockopt_val = num ? IP_PMTUDISC_PROBE : IP_PMTUDISC_DONT),
(ret = setsockopt(b->num, IPPROTO_IPV6, IPV6_MTU_DISCOVER,
&sockopt_val, sizeof(sockopt_val))) < 0) {
perror("setsockopt");
ret = -1;
}
# else
ret = -1;
# endif
break;
# endif
default:
ret = -1;
break;
}
break;
case BIO_CTRL_DGRAM_GET_MTU_OVERHEAD:
ret = dgram_get_mtu_overhead(data);
break;
@ -2052,22 +1993,11 @@ int BIO_dgram_non_fatal_error(int err)
static void get_current_time(struct timeval *t)
{
# if defined(_WIN32)
SYSTEMTIME st;
union {
unsigned __int64 ul;
FILETIME ft;
} now;
GetSystemTime(&st);
SystemTimeToFileTime(&st, &now.ft);
# ifdef __MINGW32__
now.ul -= 116444736000000000ULL;
# else
now.ul -= 116444736000000000UI64; /* re-bias to 1/1/1970 */
# endif
t->tv_sec = (long)(now.ul / 10000000);
t->tv_usec = ((int)(now.ul % 10000000)) / 10;
# ifdef OPENSSL_SYS_WIN32
struct _timeb tb;
_ftime(&tb);
t->tv_sec = (long)tb.time;
t->tv_usec = (long)tb.millitm * 1000;
# elif defined(OPENSSL_SYS_VMS)
struct timeb tb;
ftime(&tb);

View File

@ -63,27 +63,9 @@
#if defined(OPENSSL_NO_POSIX_IO)
/*
* Dummy placeholder for BIO_s_fd...
* One can argue that one should implement dummy placeholder for
* BIO_s_fd here...
*/
BIO *BIO_new_fd(int fd, int close_flag)
{
return NULL;
}
int BIO_fd_non_fatal_error(int err)
{
return 0;
}
int BIO_fd_should_retry(int i)
{
return 0;
}
BIO_METHOD *BIO_s_fd(void)
{
return NULL;
}
#else
/*
* As for unconditional usage of "UPLINK" interface in this module.

View File

@ -91,8 +91,7 @@ BIO_METHOD *BIO_s_mem(void)
return (&mem_method);
}
BIO *BIO_new_mem_buf(const void *buf, int len)
BIO *BIO_new_mem_buf(void *buf, int len)
{
BIO *ret;
BUF_MEM *b;
@ -106,8 +105,7 @@ BIO *BIO_new_mem_buf(const void *buf, int len)
if (!(ret = BIO_new(BIO_s_mem())))
return NULL;
b = (BUF_MEM *)ret->ptr;
/* Cast away const and trust in the MEM_RDONLY flag. */
b->data = (void *)buf;
b->data = buf;
b->length = sz;
b->max = sz;
ret->flags |= BIO_FLAGS_MEM_RDONLY;

View File

@ -77,12 +77,6 @@ sparcv9a-mont.s: asm/sparcv9a-mont.pl
$(PERL) asm/sparcv9a-mont.pl $(CFLAGS) > $@
sparcv9-mont.s: asm/sparcv9-mont.pl
$(PERL) asm/sparcv9-mont.pl $(CFLAGS) > $@
vis3-mont.s: asm/vis3-mont.pl
$(PERL) asm/vis3-mont.pl $(CFLAGS) > $@
sparct4-mont.S: asm/sparct4-mont.pl
$(PERL) asm/sparct4-mont.pl $(CFLAGS) > $@
sparcv9-gf2m.S: asm/sparcv9-gf2m.pl
$(PERL) asm/sparcv9-gf2m.pl $(CFLAGS) > $@
bn-mips3.o: asm/mips3.s
@if [ "$(CC)" = "gcc" ]; then \
@ -108,10 +102,8 @@ x86_64-mont5.s: asm/x86_64-mont5.pl
$(PERL) asm/x86_64-mont5.pl $(PERLASM_SCHEME) > $@
x86_64-gf2m.s: asm/x86_64-gf2m.pl
$(PERL) asm/x86_64-gf2m.pl $(PERLASM_SCHEME) > $@
rsaz-x86_64.s: asm/rsaz-x86_64.pl
$(PERL) asm/rsaz-x86_64.pl $(PERLASM_SCHEME) > $@
rsaz-avx2.s: asm/rsaz-avx2.pl
$(PERL) asm/rsaz-avx2.pl $(PERLASM_SCHEME) > $@
modexp512-x86_64.s: asm/modexp512-x86_64.pl
$(PERL) asm/modexp512-x86_64.pl $(PERLASM_SCHEME) > $@
bn-ia64.s: asm/ia64.S
$(CC) $(CFLAGS) -E asm/ia64.S > $@
@ -133,15 +125,14 @@ ppc-mont.s: asm/ppc-mont.pl;$(PERL) asm/ppc-mont.pl $(PERLASM_SCHEME) $@
ppc64-mont.s: asm/ppc64-mont.pl;$(PERL) asm/ppc64-mont.pl $(PERLASM_SCHEME) $@
alpha-mont.s: asm/alpha-mont.pl
(preproc=$$$$.$@.S; trap "rm $$preproc" INT; \
(preproc=/tmp/$$$$.$@; trap "rm $$preproc" INT; \
$(PERL) asm/alpha-mont.pl > $$preproc && \
$(CC) -E -P $$preproc > $@ && rm $$preproc)
$(CC) -E $$preproc > $@ && rm $$preproc)
# GNU make "catch all"
%-mont.S: asm/%-mont.pl; $(PERL) $< $(PERLASM_SCHEME) $@
%-mont.s: asm/%-mont.pl; $(PERL) $< $(PERLASM_SCHEME) $@
%-gf2m.S: asm/%-gf2m.pl; $(PERL) $< $(PERLASM_SCHEME) $@
armv4-mont.o: armv4-mont.S
armv4-gf2m.o: armv4-gf2m.S
files:
@ -253,7 +244,7 @@ bn_exp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
bn_exp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
bn_exp.o: ../../include/openssl/symhacks.h ../constant_time_locl.h
bn_exp.o: ../cryptlib.h bn_exp.c bn_lcl.h rsaz_exp.h
bn_exp.o: ../cryptlib.h bn_exp.c bn_lcl.h
bn_exp2.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
bn_exp2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
bn_exp2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h

View File

@ -20,26 +20,48 @@
# length, more for longer keys. Even though NEON 1x1 multiplication
# runs in even less cycles, ~30, improvement is measurable only on
# longer keys. One has to optimize code elsewhere to get NEON glow...
#
# April 2014
#
# Double bn_GF2m_mul_2x2 performance by using algorithm from paper
# referred below, which improves ECDH and ECDSA verify benchmarks
# by 18-40%.
#
# Câmara, D.; Gouvêa, C. P. L.; López, J. & Dahab, R.: Fast Software
# Polynomial Multiplication on ARM Processors using the NEON Engine.
#
# http://conradoplg.cryptoland.net/files/2010/12/mocrysen13.pdf
while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
open STDOUT,">$output";
sub Dlo() { shift=~m|q([1]?[0-9])|?"d".($1*2):""; }
sub Dhi() { shift=~m|q([1]?[0-9])|?"d".($1*2+1):""; }
sub Q() { shift=~m|d([1-3]?[02468])|?"q".($1/2):""; }
$code=<<___;
#include "arm_arch.h"
.text
.code 32
#if __ARM_ARCH__>=7
.fpu neon
.type mul_1x1_neon,%function
.align 5
mul_1x1_neon:
vshl.u64 `&Dlo("q1")`,d16,#8 @ q1-q3 are slided $a
vmull.p8 `&Q("d0")`,d16,d17 @ a·bb
vshl.u64 `&Dlo("q2")`,d16,#16
vmull.p8 q1,`&Dlo("q1")`,d17 @ a<<8·bb
vshl.u64 `&Dlo("q3")`,d16,#24
vmull.p8 q2,`&Dlo("q2")`,d17 @ a<<16·bb
vshr.u64 `&Dlo("q1")`,#8
vmull.p8 q3,`&Dlo("q3")`,d17 @ a<<24·bb
vshl.u64 `&Dhi("q1")`,#24
veor d0,`&Dlo("q1")`
vshr.u64 `&Dlo("q2")`,#16
veor d0,`&Dhi("q1")`
vshl.u64 `&Dhi("q2")`,#16
veor d0,`&Dlo("q2")`
vshr.u64 `&Dlo("q3")`,#24
veor d0,`&Dhi("q2")`
vshl.u64 `&Dhi("q3")`,#8
veor d0,`&Dlo("q3")`
veor d0,`&Dhi("q3")`
bx lr
.size mul_1x1_neon,.-mul_1x1_neon
#endif
___
################
# private interface to mul_1x1_ialu
@ -137,17 +159,56 @@ ___
# void bn_GF2m_mul_2x2(BN_ULONG *r,
# BN_ULONG a1,BN_ULONG a0,
# BN_ULONG b1,BN_ULONG b0); # r[3..0]=a1a0·b1b0
{
($A1,$B1,$A0,$B0,$A1B1,$A0B0)=map("d$_",(18..23));
$code.=<<___;
.global bn_GF2m_mul_2x2
.type bn_GF2m_mul_2x2,%function
.align 5
bn_GF2m_mul_2x2:
#if __ARM_MAX_ARCH__>=7
#if __ARM_ARCH__>=7
ldr r12,.LOPENSSL_armcap
.Lpic: ldr r12,[pc,r12]
tst r12,#1
bne .LNEON
beq .Lialu
veor $A1,$A1
vmov.32 $B1,r3,r3 @ two copies of b1
vmov.32 ${A1}[0],r1 @ a1
veor $A0,$A0
vld1.32 ${B0}[],[sp,:32] @ two copies of b0
vmov.32 ${A0}[0],r2 @ a0
mov r12,lr
vmov d16,$A1
vmov d17,$B1
bl mul_1x1_neon @ a1·b1
vmov $A1B1,d0
vmov d16,$A0
vmov d17,$B0
bl mul_1x1_neon @ a0·b0
vmov $A0B0,d0
veor d16,$A0,$A1
veor d17,$B0,$B1
veor $A0,$A0B0,$A1B1
bl mul_1x1_neon @ (a0+a1)·(b0+b1)
veor d0,$A0 @ (a0+a1)·(b0+b1)-a0·b0-a1·b1
vshl.u64 d1,d0,#32
vshr.u64 d0,d0,#32
veor $A0B0,d1
veor $A1B1,d0
vst1.32 {${A0B0}[0]},[r0,:32]!
vst1.32 {${A0B0}[1]},[r0,:32]!
vst1.32 {${A1B1}[0]},[r0,:32]!
vst1.32 {${A1B1}[1]},[r0,:32]
bx r12
.align 4
.Lialu:
#endif
___
$ret="r10"; # reassigned 1st argument
@ -199,72 +260,8 @@ $code.=<<___;
moveq pc,lr @ be binary compatible with V4, yet
bx lr @ interoperable with Thumb ISA:-)
#endif
___
}
{
my ($r,$t0,$t1,$t2,$t3)=map("q$_",(0..3,8..12));
my ($a,$b,$k48,$k32,$k16)=map("d$_",(26..31));
$code.=<<___;
#if __ARM_MAX_ARCH__>=7
.arch armv7-a
.fpu neon
.align 5
.LNEON:
ldr r12, [sp] @ 5th argument
vmov.32 $a, r2, r1
vmov.32 $b, r12, r3
vmov.i64 $k48, #0x0000ffffffffffff
vmov.i64 $k32, #0x00000000ffffffff
vmov.i64 $k16, #0x000000000000ffff
vext.8 $t0#lo, $a, $a, #1 @ A1
vmull.p8 $t0, $t0#lo, $b @ F = A1*B
vext.8 $r#lo, $b, $b, #1 @ B1
vmull.p8 $r, $a, $r#lo @ E = A*B1
vext.8 $t1#lo, $a, $a, #2 @ A2
vmull.p8 $t1, $t1#lo, $b @ H = A2*B
vext.8 $t3#lo, $b, $b, #2 @ B2
vmull.p8 $t3, $a, $t3#lo @ G = A*B2
vext.8 $t2#lo, $a, $a, #3 @ A3
veor $t0, $t0, $r @ L = E + F
vmull.p8 $t2, $t2#lo, $b @ J = A3*B
vext.8 $r#lo, $b, $b, #3 @ B3
veor $t1, $t1, $t3 @ M = G + H
vmull.p8 $r, $a, $r#lo @ I = A*B3
veor $t0#lo, $t0#lo, $t0#hi @ t0 = (L) (P0 + P1) << 8
vand $t0#hi, $t0#hi, $k48
vext.8 $t3#lo, $b, $b, #4 @ B4
veor $t1#lo, $t1#lo, $t1#hi @ t1 = (M) (P2 + P3) << 16
vand $t1#hi, $t1#hi, $k32
vmull.p8 $t3, $a, $t3#lo @ K = A*B4
veor $t2, $t2, $r @ N = I + J
veor $t0#lo, $t0#lo, $t0#hi
veor $t1#lo, $t1#lo, $t1#hi
veor $t2#lo, $t2#lo, $t2#hi @ t2 = (N) (P4 + P5) << 24
vand $t2#hi, $t2#hi, $k16
vext.8 $t0, $t0, $t0, #15
veor $t3#lo, $t3#lo, $t3#hi @ t3 = (K) (P6 + P7) << 32
vmov.i64 $t3#hi, #0
vext.8 $t1, $t1, $t1, #14
veor $t2#lo, $t2#lo, $t2#hi
vmull.p8 $r, $a, $b @ D = A*B
vext.8 $t3, $t3, $t3, #12
vext.8 $t2, $t2, $t2, #13
veor $t0, $t0, $t1
veor $t2, $t2, $t3
veor $r, $r, $t0
veor $r, $r, $t2
vst1.32 {$r}, [r0]
ret @ bx lr
#endif
___
}
$code.=<<___;
.size bn_GF2m_mul_2x2,.-bn_GF2m_mul_2x2
#if __ARM_MAX_ARCH__>=7
#if __ARM_ARCH__>=7
.align 5
.LOPENSSL_armcap:
.word OPENSSL_armcap_P-(.Lpic+8)
@ -272,18 +269,10 @@ $code.=<<___;
.asciz "GF(2^m) Multiplication for ARMv4/NEON, CRYPTOGAMS by <appro\@openssl.org>"
.align 5
#if __ARM_MAX_ARCH__>=7
.comm OPENSSL_armcap_P,4,4
#endif
___
foreach (split("\n",$code)) {
s/\`([^\`]*)\`/eval $1/geo;
s/\bq([0-9]+)#(lo|hi)/sprintf "d%d",2*$1+($2 eq "hi")/geo or
s/\bret\b/bx lr/go or
s/\bbx\s+lr\b/.word\t0xe12fff1e/go; # make it possible to compile with -march=armv4
print $_,"\n";
}
$code =~ s/\`([^\`]*)\`/eval $1/gem;
$code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm; # make it possible to compile with -march=armv4
print $code;
close STDOUT; # enforce flush

View File

@ -1,7 +1,7 @@
#!/usr/bin/env perl
# ====================================================================
# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
# project. The module is, however, dual licensed under OpenSSL and
# CRYPTOGAMS licenses depending on where you obtain it. For further
# details see http://www.openssl.org/~appro/cryptogams/.
@ -23,21 +23,6 @@
# than 1/2KB. Windows CE port would be trivial, as it's exclusively
# about decorations, ABI and instruction syntax are identical.
# November 2013
#
# Add NEON code path, which handles lengths divisible by 8. RSA/DSA
# performance improvement on Cortex-A8 is ~45-100% depending on key
# length, more for longer keys. On Cortex-A15 the span is ~10-105%.
# On Snapdragon S4 improvement was measured to vary from ~70% to
# incredible ~380%, yes, 4.8x faster, for RSA4096 sign. But this is
# rather because original integer-only code seems to perform
# suboptimally on S4. Situation on Cortex-A9 is unfortunately
# different. It's being looked into, but the trouble is that
# performance for vectors longer than 256 bits is actually couple
# of percent worse than for integer-only code. The code is chosen
# for execution on all NEON-capable processors, because gain on
# others outweighs the marginal loss on Cortex-A9.
while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
open STDOUT,">$output";
@ -67,40 +52,16 @@ $_n0="$num,#14*4";
$_num="$num,#15*4"; $_bpend=$_num;
$code=<<___;
#include "arm_arch.h"
.text
.code 32
#if __ARM_MAX_ARCH__>=7
.align 5
.LOPENSSL_armcap:
.word OPENSSL_armcap_P-bn_mul_mont
#endif
.global bn_mul_mont
.type bn_mul_mont,%function
.align 5
.align 2
bn_mul_mont:
ldr ip,[sp,#4] @ load num
stmdb sp!,{r0,r2} @ sp points at argument block
#if __ARM_MAX_ARCH__>=7
tst ip,#7
bne .Lialu
adr r0,bn_mul_mont
ldr r2,.LOPENSSL_armcap
ldr r0,[r0,r2]
tst r0,#1 @ NEON available?
ldmia sp, {r0,r2}
beq .Lialu
add sp,sp,#8
b bn_mul8x_mont_neon
.align 4
.Lialu:
#endif
cmp ip,#2
mov $num,ip @ load num
ldr $num,[sp,#3*4] @ load num
cmp $num,#2
movlt r0,#0
addlt sp,sp,#2*4
blt .Labrt
@ -230,447 +191,14 @@ bn_mul_mont:
ldmia sp!,{r4-r12,lr} @ restore registers
add sp,sp,#2*4 @ skip over {r0,r2}
mov r0,#1
.Labrt:
#if __ARM_ARCH__>=5
ret @ bx lr
#else
tst lr,#1
.Labrt: tst lr,#1
moveq pc,lr @ be binary compatible with V4, yet
bx lr @ interoperable with Thumb ISA:-)
#endif
.size bn_mul_mont,.-bn_mul_mont
___
{
sub Dlo() { shift=~m|q([1]?[0-9])|?"d".($1*2):""; }
sub Dhi() { shift=~m|q([1]?[0-9])|?"d".($1*2+1):""; }
my ($A0,$A1,$A2,$A3)=map("d$_",(0..3));
my ($N0,$N1,$N2,$N3)=map("d$_",(4..7));
my ($Z,$Temp)=("q4","q5");
my ($A0xB,$A1xB,$A2xB,$A3xB,$A4xB,$A5xB,$A6xB,$A7xB)=map("q$_",(6..13));
my ($Bi,$Ni,$M0)=map("d$_",(28..31));
my $zero=&Dlo($Z);
my $temp=&Dlo($Temp);
my ($rptr,$aptr,$bptr,$nptr,$n0,$num)=map("r$_",(0..5));
my ($tinptr,$toutptr,$inner,$outer)=map("r$_",(6..9));
$code.=<<___;
#if __ARM_MAX_ARCH__>=7
.arch armv7-a
.fpu neon
.type bn_mul8x_mont_neon,%function
.align 5
bn_mul8x_mont_neon:
mov ip,sp
stmdb sp!,{r4-r11}
vstmdb sp!,{d8-d15} @ ABI specification says so
ldmia ip,{r4-r5} @ load rest of parameter block
sub $toutptr,sp,#16
vld1.32 {${Bi}[0]}, [$bptr,:32]!
sub $toutptr,$toutptr,$num,lsl#4
vld1.32 {$A0-$A3}, [$aptr]! @ can't specify :32 :-(
and $toutptr,$toutptr,#-64
vld1.32 {${M0}[0]}, [$n0,:32]
mov sp,$toutptr @ alloca
veor $zero,$zero,$zero
subs $inner,$num,#8
vzip.16 $Bi,$zero
vmull.u32 $A0xB,$Bi,${A0}[0]
vmull.u32 $A1xB,$Bi,${A0}[1]
vmull.u32 $A2xB,$Bi,${A1}[0]
vshl.i64 $temp,`&Dhi("$A0xB")`,#16
vmull.u32 $A3xB,$Bi,${A1}[1]
vadd.u64 $temp,$temp,`&Dlo("$A0xB")`
veor $zero,$zero,$zero
vmul.u32 $Ni,$temp,$M0
vmull.u32 $A4xB,$Bi,${A2}[0]
vld1.32 {$N0-$N3}, [$nptr]!
vmull.u32 $A5xB,$Bi,${A2}[1]
vmull.u32 $A6xB,$Bi,${A3}[0]
vzip.16 $Ni,$zero
vmull.u32 $A7xB,$Bi,${A3}[1]
bne .LNEON_1st
@ special case for num=8, everything is in register bank...
vmlal.u32 $A0xB,$Ni,${N0}[0]
sub $outer,$num,#1
vmlal.u32 $A1xB,$Ni,${N0}[1]
vmlal.u32 $A2xB,$Ni,${N1}[0]
vmlal.u32 $A3xB,$Ni,${N1}[1]
vmlal.u32 $A4xB,$Ni,${N2}[0]
vmov $Temp,$A0xB
vmlal.u32 $A5xB,$Ni,${N2}[1]
vmov $A0xB,$A1xB
vmlal.u32 $A6xB,$Ni,${N3}[0]
vmov $A1xB,$A2xB
vmlal.u32 $A7xB,$Ni,${N3}[1]
vmov $A2xB,$A3xB
vmov $A3xB,$A4xB
vshr.u64 $temp,$temp,#16
vmov $A4xB,$A5xB
vmov $A5xB,$A6xB
vadd.u64 $temp,$temp,`&Dhi("$Temp")`
vmov $A6xB,$A7xB
veor $A7xB,$A7xB
vshr.u64 $temp,$temp,#16
b .LNEON_outer8
.align 4
.LNEON_outer8:
vld1.32 {${Bi}[0]}, [$bptr,:32]!
veor $zero,$zero,$zero
vzip.16 $Bi,$zero
vadd.u64 `&Dlo("$A0xB")`,`&Dlo("$A0xB")`,$temp
vmlal.u32 $A0xB,$Bi,${A0}[0]
vmlal.u32 $A1xB,$Bi,${A0}[1]
vmlal.u32 $A2xB,$Bi,${A1}[0]
vshl.i64 $temp,`&Dhi("$A0xB")`,#16
vmlal.u32 $A3xB,$Bi,${A1}[1]
vadd.u64 $temp,$temp,`&Dlo("$A0xB")`
veor $zero,$zero,$zero
subs $outer,$outer,#1
vmul.u32 $Ni,$temp,$M0
vmlal.u32 $A4xB,$Bi,${A2}[0]
vmlal.u32 $A5xB,$Bi,${A2}[1]
vmlal.u32 $A6xB,$Bi,${A3}[0]
vzip.16 $Ni,$zero
vmlal.u32 $A7xB,$Bi,${A3}[1]
vmlal.u32 $A0xB,$Ni,${N0}[0]
vmlal.u32 $A1xB,$Ni,${N0}[1]
vmlal.u32 $A2xB,$Ni,${N1}[0]
vmlal.u32 $A3xB,$Ni,${N1}[1]
vmlal.u32 $A4xB,$Ni,${N2}[0]
vmov $Temp,$A0xB
vmlal.u32 $A5xB,$Ni,${N2}[1]
vmov $A0xB,$A1xB
vmlal.u32 $A6xB,$Ni,${N3}[0]
vmov $A1xB,$A2xB
vmlal.u32 $A7xB,$Ni,${N3}[1]
vmov $A2xB,$A3xB
vmov $A3xB,$A4xB
vshr.u64 $temp,$temp,#16
vmov $A4xB,$A5xB
vmov $A5xB,$A6xB
vadd.u64 $temp,$temp,`&Dhi("$Temp")`
vmov $A6xB,$A7xB
veor $A7xB,$A7xB
vshr.u64 $temp,$temp,#16
bne .LNEON_outer8
vadd.u64 `&Dlo("$A0xB")`,`&Dlo("$A0xB")`,$temp
mov $toutptr,sp
vshr.u64 $temp,`&Dlo("$A0xB")`,#16
mov $inner,$num
vadd.u64 `&Dhi("$A0xB")`,`&Dhi("$A0xB")`,$temp
add $tinptr,sp,#16
vshr.u64 $temp,`&Dhi("$A0xB")`,#16
vzip.16 `&Dlo("$A0xB")`,`&Dhi("$A0xB")`
b .LNEON_tail2
.align 4
.LNEON_1st:
vmlal.u32 $A0xB,$Ni,${N0}[0]
vld1.32 {$A0-$A3}, [$aptr]!
vmlal.u32 $A1xB,$Ni,${N0}[1]
subs $inner,$inner,#8
vmlal.u32 $A2xB,$Ni,${N1}[0]
vmlal.u32 $A3xB,$Ni,${N1}[1]
vmlal.u32 $A4xB,$Ni,${N2}[0]
vld1.32 {$N0-$N1}, [$nptr]!
vmlal.u32 $A5xB,$Ni,${N2}[1]
vst1.64 {$A0xB-$A1xB}, [$toutptr,:256]!
vmlal.u32 $A6xB,$Ni,${N3}[0]
vmlal.u32 $A7xB,$Ni,${N3}[1]
vst1.64 {$A2xB-$A3xB}, [$toutptr,:256]!
vmull.u32 $A0xB,$Bi,${A0}[0]
vld1.32 {$N2-$N3}, [$nptr]!
vmull.u32 $A1xB,$Bi,${A0}[1]
vst1.64 {$A4xB-$A5xB}, [$toutptr,:256]!
vmull.u32 $A2xB,$Bi,${A1}[0]
vmull.u32 $A3xB,$Bi,${A1}[1]
vst1.64 {$A6xB-$A7xB}, [$toutptr,:256]!
vmull.u32 $A4xB,$Bi,${A2}[0]
vmull.u32 $A5xB,$Bi,${A2}[1]
vmull.u32 $A6xB,$Bi,${A3}[0]
vmull.u32 $A7xB,$Bi,${A3}[1]
bne .LNEON_1st
vmlal.u32 $A0xB,$Ni,${N0}[0]
add $tinptr,sp,#16
vmlal.u32 $A1xB,$Ni,${N0}[1]
sub $aptr,$aptr,$num,lsl#2 @ rewind $aptr
vmlal.u32 $A2xB,$Ni,${N1}[0]
vld1.64 {$Temp}, [sp,:128]
vmlal.u32 $A3xB,$Ni,${N1}[1]
sub $outer,$num,#1
vmlal.u32 $A4xB,$Ni,${N2}[0]
vst1.64 {$A0xB-$A1xB}, [$toutptr,:256]!
vmlal.u32 $A5xB,$Ni,${N2}[1]
vshr.u64 $temp,$temp,#16
vld1.64 {$A0xB}, [$tinptr, :128]!
vmlal.u32 $A6xB,$Ni,${N3}[0]
vst1.64 {$A2xB-$A3xB}, [$toutptr,:256]!
vmlal.u32 $A7xB,$Ni,${N3}[1]
vst1.64 {$A4xB-$A5xB}, [$toutptr,:256]!
vadd.u64 $temp,$temp,`&Dhi("$Temp")`
veor $Z,$Z,$Z
vst1.64 {$A6xB-$A7xB}, [$toutptr,:256]!
vld1.64 {$A1xB-$A2xB}, [$tinptr, :256]!
vst1.64 {$Z}, [$toutptr,:128]
vshr.u64 $temp,$temp,#16
b .LNEON_outer
.align 4
.LNEON_outer:
vld1.32 {${Bi}[0]}, [$bptr,:32]!
sub $nptr,$nptr,$num,lsl#2 @ rewind $nptr
vld1.32 {$A0-$A3}, [$aptr]!
veor $zero,$zero,$zero
mov $toutptr,sp
vzip.16 $Bi,$zero
sub $inner,$num,#8
vadd.u64 `&Dlo("$A0xB")`,`&Dlo("$A0xB")`,$temp
vmlal.u32 $A0xB,$Bi,${A0}[0]
vld1.64 {$A3xB-$A4xB},[$tinptr,:256]!
vmlal.u32 $A1xB,$Bi,${A0}[1]
vmlal.u32 $A2xB,$Bi,${A1}[0]
vld1.64 {$A5xB-$A6xB},[$tinptr,:256]!
vmlal.u32 $A3xB,$Bi,${A1}[1]
vshl.i64 $temp,`&Dhi("$A0xB")`,#16
veor $zero,$zero,$zero
vadd.u64 $temp,$temp,`&Dlo("$A0xB")`
vld1.64 {$A7xB},[$tinptr,:128]!
vmul.u32 $Ni,$temp,$M0
vmlal.u32 $A4xB,$Bi,${A2}[0]
vld1.32 {$N0-$N3}, [$nptr]!
vmlal.u32 $A5xB,$Bi,${A2}[1]
vmlal.u32 $A6xB,$Bi,${A3}[0]
vzip.16 $Ni,$zero
vmlal.u32 $A7xB,$Bi,${A3}[1]
.LNEON_inner:
vmlal.u32 $A0xB,$Ni,${N0}[0]
vld1.32 {$A0-$A3}, [$aptr]!
vmlal.u32 $A1xB,$Ni,${N0}[1]
subs $inner,$inner,#8
vmlal.u32 $A2xB,$Ni,${N1}[0]
vmlal.u32 $A3xB,$Ni,${N1}[1]
vst1.64 {$A0xB-$A1xB}, [$toutptr,:256]!
vmlal.u32 $A4xB,$Ni,${N2}[0]
vld1.64 {$A0xB}, [$tinptr, :128]!
vmlal.u32 $A5xB,$Ni,${N2}[1]
vst1.64 {$A2xB-$A3xB}, [$toutptr,:256]!
vmlal.u32 $A6xB,$Ni,${N3}[0]
vld1.64 {$A1xB-$A2xB}, [$tinptr, :256]!
vmlal.u32 $A7xB,$Ni,${N3}[1]
vst1.64 {$A4xB-$A5xB}, [$toutptr,:256]!
vmlal.u32 $A0xB,$Bi,${A0}[0]
vld1.64 {$A3xB-$A4xB}, [$tinptr, :256]!
vmlal.u32 $A1xB,$Bi,${A0}[1]
vst1.64 {$A6xB-$A7xB}, [$toutptr,:256]!
vmlal.u32 $A2xB,$Bi,${A1}[0]
vld1.64 {$A5xB-$A6xB}, [$tinptr, :256]!
vmlal.u32 $A3xB,$Bi,${A1}[1]
vld1.32 {$N0-$N3}, [$nptr]!
vmlal.u32 $A4xB,$Bi,${A2}[0]
vld1.64 {$A7xB}, [$tinptr, :128]!
vmlal.u32 $A5xB,$Bi,${A2}[1]
vmlal.u32 $A6xB,$Bi,${A3}[0]
vmlal.u32 $A7xB,$Bi,${A3}[1]
bne .LNEON_inner
vmlal.u32 $A0xB,$Ni,${N0}[0]
add $tinptr,sp,#16
vmlal.u32 $A1xB,$Ni,${N0}[1]
sub $aptr,$aptr,$num,lsl#2 @ rewind $aptr
vmlal.u32 $A2xB,$Ni,${N1}[0]
vld1.64 {$Temp}, [sp,:128]
vmlal.u32 $A3xB,$Ni,${N1}[1]
subs $outer,$outer,#1
vmlal.u32 $A4xB,$Ni,${N2}[0]
vst1.64 {$A0xB-$A1xB}, [$toutptr,:256]!
vmlal.u32 $A5xB,$Ni,${N2}[1]
vld1.64 {$A0xB}, [$tinptr, :128]!
vshr.u64 $temp,$temp,#16
vst1.64 {$A2xB-$A3xB}, [$toutptr,:256]!
vmlal.u32 $A6xB,$Ni,${N3}[0]
vld1.64 {$A1xB-$A2xB}, [$tinptr, :256]!
vmlal.u32 $A7xB,$Ni,${N3}[1]
vst1.64 {$A4xB-$A5xB}, [$toutptr,:256]!
vadd.u64 $temp,$temp,`&Dhi("$Temp")`
vst1.64 {$A6xB-$A7xB}, [$toutptr,:256]!
vshr.u64 $temp,$temp,#16
bne .LNEON_outer
mov $toutptr,sp
mov $inner,$num
.LNEON_tail:
vadd.u64 `&Dlo("$A0xB")`,`&Dlo("$A0xB")`,$temp
vld1.64 {$A3xB-$A4xB}, [$tinptr, :256]!
vshr.u64 $temp,`&Dlo("$A0xB")`,#16
vadd.u64 `&Dhi("$A0xB")`,`&Dhi("$A0xB")`,$temp
vld1.64 {$A5xB-$A6xB}, [$tinptr, :256]!
vshr.u64 $temp,`&Dhi("$A0xB")`,#16
vld1.64 {$A7xB}, [$tinptr, :128]!
vzip.16 `&Dlo("$A0xB")`,`&Dhi("$A0xB")`
.LNEON_tail2:
vadd.u64 `&Dlo("$A1xB")`,`&Dlo("$A1xB")`,$temp
vst1.32 {`&Dlo("$A0xB")`[0]}, [$toutptr, :32]!
vshr.u64 $temp,`&Dlo("$A1xB")`,#16
vadd.u64 `&Dhi("$A1xB")`,`&Dhi("$A1xB")`,$temp
vshr.u64 $temp,`&Dhi("$A1xB")`,#16
vzip.16 `&Dlo("$A1xB")`,`&Dhi("$A1xB")`
vadd.u64 `&Dlo("$A2xB")`,`&Dlo("$A2xB")`,$temp
vst1.32 {`&Dlo("$A1xB")`[0]}, [$toutptr, :32]!
vshr.u64 $temp,`&Dlo("$A2xB")`,#16
vadd.u64 `&Dhi("$A2xB")`,`&Dhi("$A2xB")`,$temp
vshr.u64 $temp,`&Dhi("$A2xB")`,#16
vzip.16 `&Dlo("$A2xB")`,`&Dhi("$A2xB")`
vadd.u64 `&Dlo("$A3xB")`,`&Dlo("$A3xB")`,$temp
vst1.32 {`&Dlo("$A2xB")`[0]}, [$toutptr, :32]!
vshr.u64 $temp,`&Dlo("$A3xB")`,#16
vadd.u64 `&Dhi("$A3xB")`,`&Dhi("$A3xB")`,$temp
vshr.u64 $temp,`&Dhi("$A3xB")`,#16
vzip.16 `&Dlo("$A3xB")`,`&Dhi("$A3xB")`
vadd.u64 `&Dlo("$A4xB")`,`&Dlo("$A4xB")`,$temp
vst1.32 {`&Dlo("$A3xB")`[0]}, [$toutptr, :32]!
vshr.u64 $temp,`&Dlo("$A4xB")`,#16
vadd.u64 `&Dhi("$A4xB")`,`&Dhi("$A4xB")`,$temp
vshr.u64 $temp,`&Dhi("$A4xB")`,#16
vzip.16 `&Dlo("$A4xB")`,`&Dhi("$A4xB")`
vadd.u64 `&Dlo("$A5xB")`,`&Dlo("$A5xB")`,$temp
vst1.32 {`&Dlo("$A4xB")`[0]}, [$toutptr, :32]!
vshr.u64 $temp,`&Dlo("$A5xB")`,#16
vadd.u64 `&Dhi("$A5xB")`,`&Dhi("$A5xB")`,$temp
vshr.u64 $temp,`&Dhi("$A5xB")`,#16
vzip.16 `&Dlo("$A5xB")`,`&Dhi("$A5xB")`
vadd.u64 `&Dlo("$A6xB")`,`&Dlo("$A6xB")`,$temp
vst1.32 {`&Dlo("$A5xB")`[0]}, [$toutptr, :32]!
vshr.u64 $temp,`&Dlo("$A6xB")`,#16
vadd.u64 `&Dhi("$A6xB")`,`&Dhi("$A6xB")`,$temp
vld1.64 {$A0xB}, [$tinptr, :128]!
vshr.u64 $temp,`&Dhi("$A6xB")`,#16
vzip.16 `&Dlo("$A6xB")`,`&Dhi("$A6xB")`
vadd.u64 `&Dlo("$A7xB")`,`&Dlo("$A7xB")`,$temp
vst1.32 {`&Dlo("$A6xB")`[0]}, [$toutptr, :32]!
vshr.u64 $temp,`&Dlo("$A7xB")`,#16
vadd.u64 `&Dhi("$A7xB")`,`&Dhi("$A7xB")`,$temp
vld1.64 {$A1xB-$A2xB}, [$tinptr, :256]!
vshr.u64 $temp,`&Dhi("$A7xB")`,#16
vzip.16 `&Dlo("$A7xB")`,`&Dhi("$A7xB")`
subs $inner,$inner,#8
vst1.32 {`&Dlo("$A7xB")`[0]}, [$toutptr, :32]!
bne .LNEON_tail
vst1.32 {${temp}[0]}, [$toutptr, :32] @ top-most bit
sub $nptr,$nptr,$num,lsl#2 @ rewind $nptr
subs $aptr,sp,#0 @ clear carry flag
add $bptr,sp,$num,lsl#2
.LNEON_sub:
ldmia $aptr!, {r4-r7}
ldmia $nptr!, {r8-r11}
sbcs r8, r4,r8
sbcs r9, r5,r9
sbcs r10,r6,r10
sbcs r11,r7,r11
teq $aptr,$bptr @ preserves carry
stmia $rptr!, {r8-r11}
bne .LNEON_sub
ldr r10, [$aptr] @ load top-most bit
veor q0,q0,q0
sub r11,$bptr,sp @ this is num*4
veor q1,q1,q1
mov $aptr,sp
sub $rptr,$rptr,r11 @ rewind $rptr
mov $nptr,$bptr @ second 3/4th of frame
sbcs r10,r10,#0 @ result is carry flag
.LNEON_copy_n_zap:
ldmia $aptr!, {r4-r7}
ldmia $rptr, {r8-r11}
movcc r8, r4
vst1.64 {q0-q1}, [$nptr,:256]! @ wipe
movcc r9, r5
movcc r10,r6
vst1.64 {q0-q1}, [$nptr,:256]! @ wipe
movcc r11,r7
ldmia $aptr, {r4-r7}
stmia $rptr!, {r8-r11}
sub $aptr,$aptr,#16
ldmia $rptr, {r8-r11}
movcc r8, r4
vst1.64 {q0-q1}, [$aptr,:256]! @ wipe
movcc r9, r5
movcc r10,r6
vst1.64 {q0-q1}, [$nptr,:256]! @ wipe
movcc r11,r7
teq $aptr,$bptr @ preserves carry
stmia $rptr!, {r8-r11}
bne .LNEON_copy_n_zap
sub sp,ip,#96
vldmia sp!,{d8-d15}
ldmia sp!,{r4-r11}
ret @ bx lr
.size bn_mul8x_mont_neon,.-bn_mul8x_mont_neon
#endif
___
}
$code.=<<___;
.asciz "Montgomery multiplication for ARMv4/NEON, CRYPTOGAMS by <appro\@openssl.org>"
.asciz "Montgomery multiplication for ARMv4, CRYPTOGAMS by <appro\@openssl.org>"
.align 2
#if __ARM_MAX_ARCH__>=7
.comm OPENSSL_armcap_P,4,4
#endif
___
$code =~ s/\`([^\`]*)\`/eval $1/gem;
$code =~ s/\bbx\s+lr\b/.word\t0xe12fff1e/gm; # make it possible to compile with -march=armv4
$code =~ s/\bret\b/bx lr/gm;
print $code;
close STDOUT;

View File

@ -46,7 +46,7 @@
# ($s0,$s1,$s2,$s3,$s4,$s5,$s6,$s7)=map("\$$_",(16..23));
# ($gp,$sp,$fp,$ra)=map("\$$_",(28..31));
#
$flavour = shift || "o32"; # supported flavours are o32,n32,64,nubi32,nubi64
$flavour = shift; # supported flavours are o32,n32,64,nubi32,nubi64
if ($flavour =~ /64|n32/i) {
$PTR_ADD="dadd"; # incidentally works even on n32

View File

@ -48,7 +48,7 @@
# has to content with 40-85% improvement depending on benchmark and
# key length, more for longer keys.
$flavour = shift || "o32";
$flavour = shift;
while (($output=shift) && ($output!~/^\w[\w\-]*\.\w+$/)) {}
open STDOUT,">$output";

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -191,7 +191,7 @@ L1st:
addi $j,$j,$BNSZ ; j++
addi $tp,$tp,$BNSZ ; tp++
bdnz L1st
bdnz- L1st
;L1st
addc $lo0,$alo,$hi0
addze $hi0,$ahi
@ -253,7 +253,7 @@ Linner:
addze $hi1,$hi1
$ST $lo1,0($tp) ; tp[j-1]
addi $tp,$tp,$BNSZ ; tp++
bdnz Linner
bdnz- Linner
;Linner
$LD $tj,$BNSZ($tp) ; tp[j]
addc $lo0,$alo,$hi0
@ -276,7 +276,7 @@ Linner:
slwi $tj,$num,`log($BNSZ)/log(2)`
$UCMP $i,$tj
addi $i,$i,$BNSZ
ble Louter
ble- Louter
addi $num,$num,2 ; restore $num
subfc $j,$j,$j ; j=0 and "clear" XER[CA]
@ -289,7 +289,7 @@ Lsub: $LDX $tj,$tp,$j
subfe $aj,$nj,$tj ; tp[j]-np[j]
$STX $aj,$rp,$j
addi $j,$j,$BNSZ
bdnz Lsub
bdnz- Lsub
li $j,0
mtctr $num
@ -304,7 +304,7 @@ Lcopy: ; copy or in-place refresh
$STX $tj,$rp,$j
$STX $j,$tp,$j ; zap at once
addi $j,$j,$BNSZ
bdnz Lcopy
bdnz- Lcopy
$POP $tj,0($sp)
li r3,1
@ -325,7 +325,6 @@ Lcopy: ; copy or in-place refresh
.long 0
.byte 0,12,4,0,0x80,12,6,0
.long 0
.size .bn_mul_mont_int,.-.bn_mul_mont_int
.asciz "Montgomery Multiplication for PPC, CRYPTOGAMS by <appro\@openssl.org>"
___

View File

@ -392,7 +392,6 @@ $data=<<EOF;
.long 0
.byte 0,12,0x14,0,0,0,2,0
.long 0
.size .bn_sqr_comba4,.-.bn_sqr_comba4
#
# NOTE: The following label name should be changed to
@ -820,7 +819,6 @@ $data=<<EOF;
.long 0
.byte 0,12,0x14,0,0,0,2,0
.long 0
.size .bn_sqr_comba8,.-.bn_sqr_comba8
#
# NOTE: The following label name should be changed to
@ -974,7 +972,6 @@ $data=<<EOF;
.long 0
.byte 0,12,0x14,0,0,0,3,0
.long 0
.size .bn_mul_comba4,.-.bn_mul_comba4
#
# NOTE: The following label name should be changed to
@ -1513,7 +1510,6 @@ $data=<<EOF;
.long 0
.byte 0,12,0x14,0,0,0,3,0
.long 0
.size .bn_mul_comba8,.-.bn_mul_comba8
#
# NOTE: The following label name should be changed to
@ -1556,7 +1552,7 @@ Lppcasm_sub_mainloop:
# if carry = 1 this is r7-r8. Else it
# is r7-r8 -1 as we need.
$STU r6,$BNSZ(r3)
bdnz Lppcasm_sub_mainloop
bdnz- Lppcasm_sub_mainloop
Lppcasm_sub_adios:
subfze r3,r0 # if carry bit is set then r3 = 0 else -1
andi. r3,r3,1 # keep only last bit.
@ -1564,7 +1560,6 @@ Lppcasm_sub_adios:
.long 0
.byte 0,12,0x14,0,0,0,4,0
.long 0
.size .bn_sub_words,.-.bn_sub_words
#
# NOTE: The following label name should be changed to
@ -1603,14 +1598,13 @@ Lppcasm_add_mainloop:
$LDU r8,$BNSZ(r5)
adde r8,r7,r8
$STU r8,$BNSZ(r3)
bdnz Lppcasm_add_mainloop
bdnz- Lppcasm_add_mainloop
Lppcasm_add_adios:
addze r3,r0 #return carry bit.
blr
.long 0
.byte 0,12,0x14,0,0,0,4,0
.long 0
.size .bn_add_words,.-.bn_add_words
#
# NOTE: The following label name should be changed to
@ -1726,7 +1720,6 @@ Lppcasm_div9:
.long 0
.byte 0,12,0x14,0,0,0,3,0
.long 0
.size .bn_div_words,.-.bn_div_words
#
# NOTE: The following label name should be changed to
@ -1762,13 +1755,12 @@ Lppcasm_sqr_mainloop:
$UMULH r8,r6,r6
$STU r7,$BNSZ(r3)
$STU r8,$BNSZ(r3)
bdnz Lppcasm_sqr_mainloop
bdnz- Lppcasm_sqr_mainloop
Lppcasm_sqr_adios:
blr
.long 0
.byte 0,12,0x14,0,0,0,3,0
.long 0
.size .bn_sqr_words,.-.bn_sqr_words
#
# NOTE: The following label name should be changed to
@ -1827,7 +1819,7 @@ Lppcasm_mw_LOOP:
addi r3,r3,`4*$BNSZ`
addi r4,r4,`4*$BNSZ`
bdnz Lppcasm_mw_LOOP
bdnz- Lppcasm_mw_LOOP
Lppcasm_mw_REM:
andi. r5,r5,0x3
@ -1874,7 +1866,6 @@ Lppcasm_mw_OVER:
.long 0
.byte 0,12,0x14,0,0,0,4,0
.long 0
.size bn_mul_words,.-bn_mul_words
#
# NOTE: The following label name should be changed to
@ -1951,7 +1942,7 @@ Lppcasm_maw_mainloop:
$ST r11,`3*$BNSZ`(r3)
addi r3,r3,`4*$BNSZ`
addi r4,r4,`4*$BNSZ`
bdnz Lppcasm_maw_mainloop
bdnz- Lppcasm_maw_mainloop
Lppcasm_maw_leftover:
andi. r5,r5,0x3
@ -2000,7 +1991,6 @@ Lppcasm_maw_adios:
.long 0
.byte 0,12,0x14,0,0,0,4,0
.long 0
.size .bn_mul_add_words,.-.bn_mul_add_words
.align 4
EOF
$data =~ s/\`([^\`]*)\`/eval $1/gem;

View File

@ -1,7 +1,7 @@
#!/usr/bin/env perl
# ====================================================================
# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
# Written by Andy Polyakov <appro@fy.chalmers.se> for the OpenSSL
# project. The module is, however, dual licensed under OpenSSL and
# CRYPTOGAMS licenses depending on where you obtain it. For further
# details see http://www.openssl.org/~appro/cryptogams/.
@ -65,14 +65,6 @@
# others alternative would be to break dependence on upper halves of
# GPRs by sticking to 32-bit integer operations...
# December 2012
# Remove above mentioned dependence on GPRs' upper halves in 32-bit
# build. No signal masking overhead, but integer instructions are
# *more* numerous... It's still "universally" faster than 32-bit
# ppc-mont.pl, but improvement coefficient is not as impressive
# for longer keys...
$flavour = shift;
if ($flavour =~ /32/) {
@ -94,8 +86,6 @@ if ($flavour =~ /32/) {
$POP= "ld";
} else { die "nonsense $flavour"; }
$LITTLE_ENDIAN = ($flavour=~/le$/) ? 4 : 0;
$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
@ -120,9 +110,6 @@ $tp="r10";
$j="r11";
$i="r12";
# non-volatile registers
$c1="r19";
$n1="r20";
$a1="r21";
$nap_d="r22"; # interleaved ap and np in double format
$a0="r23"; # ap[0]
$t0="r24"; # temporary registers
@ -193,8 +180,8 @@ $T3a="f30"; $T3b="f31";
# . .
# +-------------------------------+
# . .
# -13*size_t +-------------------------------+
# | 13 saved gpr, r19-r31 |
# -12*size_t +-------------------------------+
# | 10 saved gpr, r22-r31 |
# . .
# . .
# -12*8 +-------------------------------+
@ -228,9 +215,6 @@ $code=<<___;
mr $i,$sp
$STUX $sp,$sp,$tp ; alloca
$PUSH r19,`-12*8-13*$SIZE_T`($i)
$PUSH r20,`-12*8-12*$SIZE_T`($i)
$PUSH r21,`-12*8-11*$SIZE_T`($i)
$PUSH r22,`-12*8-10*$SIZE_T`($i)
$PUSH r23,`-12*8-9*$SIZE_T`($i)
$PUSH r24,`-12*8-8*$SIZE_T`($i)
@ -253,26 +237,40 @@ $code=<<___;
stfd f29,`-3*8`($i)
stfd f30,`-2*8`($i)
stfd f31,`-1*8`($i)
___
$code.=<<___ if ($SIZE_T==8);
ld $a0,0($ap) ; pull ap[0] value
ld $n0,0($n0) ; pull n0[0] value
ld $t3,0($bp) ; bp[0]
___
$code.=<<___ if ($SIZE_T==4);
mr $t1,$n0
lwz $a0,0($ap) ; pull ap[0,1] value
lwz $t0,4($ap)
lwz $n0,0($t1) ; pull n0[0,1] value
lwz $t1,4($t1)
lwz $t3,0($bp) ; bp[0,1]
lwz $t2,4($bp)
insrdi $a0,$t0,32,0
insrdi $n0,$t1,32,0
insrdi $t3,$t2,32,0
___
$code.=<<___;
addi $tp,$sp,`$FRAME+$TRANSFER+8+64`
li $i,-64
add $nap_d,$tp,$num
and $nap_d,$nap_d,$i ; align to 64 bytes
mulld $t7,$a0,$t3 ; ap[0]*bp[0]
; nap_d is off by 1, because it's used with stfdu/lfdu
addi $nap_d,$nap_d,-8
srwi $j,$num,`3+1` ; counter register, num/2
mulld $t7,$t7,$n0 ; tp[0]*n0
addi $j,$j,-1
addi $tp,$sp,`$FRAME+$TRANSFER-8`
li $carry,0
mtctr $j
___
$code.=<<___ if ($SIZE_T==8);
ld $a0,0($ap) ; pull ap[0] value
ld $t3,0($bp) ; bp[0]
ld $n0,0($n0) ; pull n0[0] value
mulld $t7,$a0,$t3 ; ap[0]*bp[0]
; transfer bp[0] to FPU as 4x16-bit values
extrdi $t0,$t3,16,48
extrdi $t1,$t3,16,32
@ -282,8 +280,6 @@ $code.=<<___ if ($SIZE_T==8);
std $t1,`$FRAME+8`($sp)
std $t2,`$FRAME+16`($sp)
std $t3,`$FRAME+24`($sp)
mulld $t7,$t7,$n0 ; tp[0]*n0
; transfer (ap[0]*bp[0])*n0 to FPU as 4x16-bit values
extrdi $t4,$t7,16,48
extrdi $t5,$t7,16,32
@ -293,61 +289,21 @@ $code.=<<___ if ($SIZE_T==8);
std $t5,`$FRAME+40`($sp)
std $t6,`$FRAME+48`($sp)
std $t7,`$FRAME+56`($sp)
extrdi $t0,$a0,32,32 ; lwz $t0,4($ap)
extrdi $t1,$a0,32,0 ; lwz $t1,0($ap)
lwz $t2,`12^$LITTLE_ENDIAN`($ap) ; load a[1] as 32-bit word pair
lwz $t3,`8^$LITTLE_ENDIAN`($ap)
lwz $t4,`4^$LITTLE_ENDIAN`($np) ; load n[0] as 32-bit word pair
lwz $t5,`0^$LITTLE_ENDIAN`($np)
lwz $t6,`12^$LITTLE_ENDIAN`($np) ; load n[1] as 32-bit word pair
lwz $t7,`8^$LITTLE_ENDIAN`($np)
___
$code.=<<___ if ($SIZE_T==8);
lwz $t0,4($ap) ; load a[j] as 32-bit word pair
lwz $t1,0($ap)
lwz $t2,12($ap) ; load a[j+1] as 32-bit word pair
lwz $t3,8($ap)
lwz $t4,4($np) ; load n[j] as 32-bit word pair
lwz $t5,0($np)
lwz $t6,12($np) ; load n[j+1] as 32-bit word pair
lwz $t7,8($np)
___
$code.=<<___ if ($SIZE_T==4);
lwz $a0,0($ap) ; pull ap[0,1] value
mr $n1,$n0
lwz $a1,4($ap)
li $c1,0
lwz $t1,0($bp) ; bp[0,1]
lwz $t3,4($bp)
lwz $n0,0($n1) ; pull n0[0,1] value
lwz $n1,4($n1)
mullw $t4,$a0,$t1 ; mulld ap[0]*bp[0]
mulhwu $t5,$a0,$t1
mullw $t6,$a1,$t1
mullw $t7,$a0,$t3
add $t5,$t5,$t6
add $t5,$t5,$t7
; transfer bp[0] to FPU as 4x16-bit values
extrwi $t0,$t1,16,16
extrwi $t1,$t1,16,0
extrwi $t2,$t3,16,16
extrwi $t3,$t3,16,0
std $t0,`$FRAME+0`($sp) ; yes, std in 32-bit build
std $t1,`$FRAME+8`($sp)
std $t2,`$FRAME+16`($sp)
std $t3,`$FRAME+24`($sp)
mullw $t0,$t4,$n0 ; mulld tp[0]*n0
mulhwu $t1,$t4,$n0
mullw $t2,$t5,$n0
mullw $t3,$t4,$n1
add $t1,$t1,$t2
add $t1,$t1,$t3
; transfer (ap[0]*bp[0])*n0 to FPU as 4x16-bit values
extrwi $t4,$t0,16,16
extrwi $t5,$t0,16,0
extrwi $t6,$t1,16,16
extrwi $t7,$t1,16,0
std $t4,`$FRAME+32`($sp) ; yes, std in 32-bit build
std $t5,`$FRAME+40`($sp)
std $t6,`$FRAME+48`($sp)
std $t7,`$FRAME+56`($sp)
mr $t0,$a0 ; lwz $t0,0($ap)
mr $t1,$a1 ; lwz $t1,4($ap)
lwz $t2,8($ap) ; load a[j..j+3] as 32-bit word pairs
lwz $t0,0($ap) ; load a[j..j+3] as 32-bit word pairs
lwz $t1,4($ap)
lwz $t2,8($ap)
lwz $t3,12($ap)
lwz $t4,0($np) ; load n[j..j+3] as 32-bit word pairs
lwz $t5,4($np)
@ -363,7 +319,7 @@ $code.=<<___;
lfd $nb,`$FRAME+40`($sp)
lfd $nc,`$FRAME+48`($sp)
lfd $nd,`$FRAME+56`($sp)
std $t0,`$FRAME+64`($sp) ; yes, std even in 32-bit build
std $t0,`$FRAME+64`($sp)
std $t1,`$FRAME+72`($sp)
std $t2,`$FRAME+80`($sp)
std $t3,`$FRAME+88`($sp)
@ -465,14 +421,14 @@ $code.=<<___;
L1st:
___
$code.=<<___ if ($SIZE_T==8);
lwz $t0,`4^$LITTLE_ENDIAN`($ap) ; load a[j] as 32-bit word pair
lwz $t1,`0^$LITTLE_ENDIAN`($ap)
lwz $t2,`12^$LITTLE_ENDIAN`($ap) ; load a[j+1] as 32-bit word pair
lwz $t3,`8^$LITTLE_ENDIAN`($ap)
lwz $t4,`4^$LITTLE_ENDIAN`($np) ; load n[j] as 32-bit word pair
lwz $t5,`0^$LITTLE_ENDIAN`($np)
lwz $t6,`12^$LITTLE_ENDIAN`($np) ; load n[j+1] as 32-bit word pair
lwz $t7,`8^$LITTLE_ENDIAN`($np)
lwz $t0,4($ap) ; load a[j] as 32-bit word pair
lwz $t1,0($ap)
lwz $t2,12($ap) ; load a[j+1] as 32-bit word pair
lwz $t3,8($ap)
lwz $t4,4($np) ; load n[j] as 32-bit word pair
lwz $t5,0($np)
lwz $t6,12($np) ; load n[j+1] as 32-bit word pair
lwz $t7,8($np)
___
$code.=<<___ if ($SIZE_T==4);
lwz $t0,0($ap) ; load a[j..j+3] as 32-bit word pairs
@ -485,7 +441,7 @@ $code.=<<___ if ($SIZE_T==4);
lwz $t7,12($np)
___
$code.=<<___;
std $t0,`$FRAME+64`($sp) ; yes, std even in 32-bit build
std $t0,`$FRAME+64`($sp)
std $t1,`$FRAME+72`($sp)
std $t2,`$FRAME+80`($sp)
std $t3,`$FRAME+88`($sp)
@ -493,9 +449,6 @@ $code.=<<___;
std $t5,`$FRAME+104`($sp)
std $t6,`$FRAME+112`($sp)
std $t7,`$FRAME+120`($sp)
___
if ($SIZE_T==8 or $flavour =~ /osx/) {
$code.=<<___;
ld $t0,`$FRAME+0`($sp)
ld $t1,`$FRAME+8`($sp)
ld $t2,`$FRAME+16`($sp)
@ -504,20 +457,6 @@ $code.=<<___;
ld $t5,`$FRAME+40`($sp)
ld $t6,`$FRAME+48`($sp)
ld $t7,`$FRAME+56`($sp)
___
} else {
$code.=<<___;
lwz $t1,`$FRAME+0^$LITTLE_ENDIAN`($sp)
lwz $t0,`$FRAME+4^$LITTLE_ENDIAN`($sp)
lwz $t3,`$FRAME+8^$LITTLE_ENDIAN`($sp)
lwz $t2,`$FRAME+12^$LITTLE_ENDIAN`($sp)
lwz $t5,`$FRAME+16^$LITTLE_ENDIAN`($sp)
lwz $t4,`$FRAME+20^$LITTLE_ENDIAN`($sp)
lwz $t7,`$FRAME+24^$LITTLE_ENDIAN`($sp)
lwz $t6,`$FRAME+28^$LITTLE_ENDIAN`($sp)
___
}
$code.=<<___;
lfd $A0,`$FRAME+64`($sp)
lfd $A1,`$FRAME+72`($sp)
lfd $A2,`$FRAME+80`($sp)
@ -549,9 +488,7 @@ $code.=<<___;
fmadd $T0b,$A0,$bb,$dotb
stfd $A2,24($nap_d) ; save a[j+1] in double format
stfd $A3,32($nap_d)
___
if ($SIZE_T==8 or $flavour =~ /osx/) {
$code.=<<___;
fmadd $T1a,$A0,$bc,$T1a
fmadd $T1b,$A0,$bd,$T1b
fmadd $T2a,$A1,$bc,$T2a
@ -624,123 +561,11 @@ $code.=<<___;
stfd $T3b,`$FRAME+56`($sp)
std $t0,8($tp) ; tp[j-1]
stdu $t4,16($tp) ; tp[j]
___
} else {
$code.=<<___;
fmadd $T1a,$A0,$bc,$T1a
fmadd $T1b,$A0,$bd,$T1b
addc $t0,$t0,$carry
adde $t1,$t1,$c1
srwi $carry,$t0,16
fmadd $T2a,$A1,$bc,$T2a
fmadd $T2b,$A1,$bd,$T2b
stfd $N0,40($nap_d) ; save n[j] in double format
stfd $N1,48($nap_d)
srwi $c1,$t1,16
insrwi $carry,$t1,16,0
fmadd $T3a,$A2,$bc,$T3a
fmadd $T3b,$A2,$bd,$T3b
addc $t2,$t2,$carry
adde $t3,$t3,$c1
srwi $carry,$t2,16
fmul $dota,$A3,$bc
fmul $dotb,$A3,$bd
stfd $N2,56($nap_d) ; save n[j+1] in double format
stfdu $N3,64($nap_d)
insrwi $t0,$t2,16,0 ; 0..31 bits
srwi $c1,$t3,16
insrwi $carry,$t3,16,0
fmadd $T1a,$N1,$na,$T1a
fmadd $T1b,$N1,$nb,$T1b
lwz $t3,`$FRAME+32^$LITTLE_ENDIAN`($sp) ; permuted $t1
lwz $t2,`$FRAME+36^$LITTLE_ENDIAN`($sp) ; permuted $t0
addc $t4,$t4,$carry
adde $t5,$t5,$c1
srwi $carry,$t4,16
fmadd $T2a,$N2,$na,$T2a
fmadd $T2b,$N2,$nb,$T2b
srwi $c1,$t5,16
insrwi $carry,$t5,16,0
fmadd $T3a,$N3,$na,$T3a
fmadd $T3b,$N3,$nb,$T3b
addc $t6,$t6,$carry
adde $t7,$t7,$c1
srwi $carry,$t6,16
fmadd $T0a,$N0,$na,$T0a
fmadd $T0b,$N0,$nb,$T0b
insrwi $t4,$t6,16,0 ; 32..63 bits
srwi $c1,$t7,16
insrwi $carry,$t7,16,0
fmadd $T1a,$N0,$nc,$T1a
fmadd $T1b,$N0,$nd,$T1b
lwz $t7,`$FRAME+40^$LITTLE_ENDIAN`($sp) ; permuted $t3
lwz $t6,`$FRAME+44^$LITTLE_ENDIAN`($sp) ; permuted $t2
addc $t2,$t2,$carry
adde $t3,$t3,$c1
srwi $carry,$t2,16
fmadd $T2a,$N1,$nc,$T2a
fmadd $T2b,$N1,$nd,$T2b
stw $t0,12($tp) ; tp[j-1]
stw $t4,8($tp)
srwi $c1,$t3,16
insrwi $carry,$t3,16,0
fmadd $T3a,$N2,$nc,$T3a
fmadd $T3b,$N2,$nd,$T3b
lwz $t1,`$FRAME+48^$LITTLE_ENDIAN`($sp) ; permuted $t5
lwz $t0,`$FRAME+52^$LITTLE_ENDIAN`($sp) ; permuted $t4
addc $t6,$t6,$carry
adde $t7,$t7,$c1
srwi $carry,$t6,16
fmadd $dota,$N3,$nc,$dota
fmadd $dotb,$N3,$nd,$dotb
insrwi $t2,$t6,16,0 ; 64..95 bits
srwi $c1,$t7,16
insrwi $carry,$t7,16,0
fctid $T0a,$T0a
fctid $T0b,$T0b
lwz $t5,`$FRAME+56^$LITTLE_ENDIAN`($sp) ; permuted $t7
lwz $t4,`$FRAME+60^$LITTLE_ENDIAN`($sp) ; permuted $t6
addc $t0,$t0,$carry
adde $t1,$t1,$c1
srwi $carry,$t0,16
fctid $T1a,$T1a
fctid $T1b,$T1b
srwi $c1,$t1,16
insrwi $carry,$t1,16,0
fctid $T2a,$T2a
fctid $T2b,$T2b
addc $t4,$t4,$carry
adde $t5,$t5,$c1
srwi $carry,$t4,16
fctid $T3a,$T3a
fctid $T3b,$T3b
insrwi $t0,$t4,16,0 ; 96..127 bits
srwi $c1,$t5,16
insrwi $carry,$t5,16,0
stfd $T0a,`$FRAME+0`($sp)
stfd $T0b,`$FRAME+8`($sp)
stfd $T1a,`$FRAME+16`($sp)
stfd $T1b,`$FRAME+24`($sp)
stfd $T2a,`$FRAME+32`($sp)
stfd $T2b,`$FRAME+40`($sp)
stfd $T3a,`$FRAME+48`($sp)
stfd $T3b,`$FRAME+56`($sp)
stw $t2,20($tp) ; tp[j]
stwu $t0,16($tp)
___
}
$code.=<<___;
bdnz L1st
bdnz- L1st
fctid $dota,$dota
fctid $dotb,$dotb
___
if ($SIZE_T==8 or $flavour =~ /osx/) {
$code.=<<___;
ld $t0,`$FRAME+0`($sp)
ld $t1,`$FRAME+8`($sp)
ld $t2,`$FRAME+16`($sp)
@ -786,117 +611,33 @@ $code.=<<___;
insrdi $t6,$t7,48,0
srdi $ovf,$t7,48
std $t6,8($tp) ; tp[num-1]
___
} else {
$code.=<<___;
lwz $t1,`$FRAME+0^$LITTLE_ENDIAN`($sp)
lwz $t0,`$FRAME+4^$LITTLE_ENDIAN`($sp)
lwz $t3,`$FRAME+8^$LITTLE_ENDIAN`($sp)
lwz $t2,`$FRAME+12^$LITTLE_ENDIAN`($sp)
lwz $t5,`$FRAME+16^$LITTLE_ENDIAN`($sp)
lwz $t4,`$FRAME+20^$LITTLE_ENDIAN`($sp)
lwz $t7,`$FRAME+24^$LITTLE_ENDIAN`($sp)
lwz $t6,`$FRAME+28^$LITTLE_ENDIAN`($sp)
stfd $dota,`$FRAME+64`($sp)
stfd $dotb,`$FRAME+72`($sp)
addc $t0,$t0,$carry
adde $t1,$t1,$c1
srwi $carry,$t0,16
insrwi $carry,$t1,16,0
srwi $c1,$t1,16
addc $t2,$t2,$carry
adde $t3,$t3,$c1
srwi $carry,$t2,16
insrwi $t0,$t2,16,0 ; 0..31 bits
insrwi $carry,$t3,16,0
srwi $c1,$t3,16
addc $t4,$t4,$carry
adde $t5,$t5,$c1
srwi $carry,$t4,16
insrwi $carry,$t5,16,0
srwi $c1,$t5,16
addc $t6,$t6,$carry
adde $t7,$t7,$c1
srwi $carry,$t6,16
insrwi $t4,$t6,16,0 ; 32..63 bits
insrwi $carry,$t7,16,0
srwi $c1,$t7,16
stw $t0,12($tp) ; tp[j-1]
stw $t4,8($tp)
lwz $t3,`$FRAME+32^$LITTLE_ENDIAN`($sp) ; permuted $t1
lwz $t2,`$FRAME+36^$LITTLE_ENDIAN`($sp) ; permuted $t0
lwz $t7,`$FRAME+40^$LITTLE_ENDIAN`($sp) ; permuted $t3
lwz $t6,`$FRAME+44^$LITTLE_ENDIAN`($sp) ; permuted $t2
lwz $t1,`$FRAME+48^$LITTLE_ENDIAN`($sp) ; permuted $t5
lwz $t0,`$FRAME+52^$LITTLE_ENDIAN`($sp) ; permuted $t4
lwz $t5,`$FRAME+56^$LITTLE_ENDIAN`($sp) ; permuted $t7
lwz $t4,`$FRAME+60^$LITTLE_ENDIAN`($sp) ; permuted $t6
addc $t2,$t2,$carry
adde $t3,$t3,$c1
srwi $carry,$t2,16
insrwi $carry,$t3,16,0
srwi $c1,$t3,16
addc $t6,$t6,$carry
adde $t7,$t7,$c1
srwi $carry,$t6,16
insrwi $t2,$t6,16,0 ; 64..95 bits
insrwi $carry,$t7,16,0
srwi $c1,$t7,16
addc $t0,$t0,$carry
adde $t1,$t1,$c1
srwi $carry,$t0,16
insrwi $carry,$t1,16,0
srwi $c1,$t1,16
addc $t4,$t4,$carry
adde $t5,$t5,$c1
srwi $carry,$t4,16
insrwi $t0,$t4,16,0 ; 96..127 bits
insrwi $carry,$t5,16,0
srwi $c1,$t5,16
stw $t2,20($tp) ; tp[j]
stwu $t0,16($tp)
lwz $t7,`$FRAME+64^$LITTLE_ENDIAN`($sp)
lwz $t6,`$FRAME+68^$LITTLE_ENDIAN`($sp)
lwz $t5,`$FRAME+72^$LITTLE_ENDIAN`($sp)
lwz $t4,`$FRAME+76^$LITTLE_ENDIAN`($sp)
addc $t6,$t6,$carry
adde $t7,$t7,$c1
srwi $carry,$t6,16
insrwi $carry,$t7,16,0
srwi $c1,$t7,16
addc $t4,$t4,$carry
adde $t5,$t5,$c1
insrwi $t6,$t4,16,0
srwi $t4,$t4,16
insrwi $t4,$t5,16,0
srwi $ovf,$t5,16
stw $t6,12($tp) ; tp[num-1]
stw $t4,8($tp)
___
}
$code.=<<___;
slwi $t7,$num,2
subf $nap_d,$t7,$nap_d ; rewind pointer
li $i,8 ; i=1
.align 5
Louter:
addi $tp,$sp,`$FRAME+$TRANSFER`
li $carry,0
mtctr $j
___
$code.=<<___ if ($SIZE_T==8);
ldx $t3,$bp,$i ; bp[i]
ldx $t3,$bp,$i ; bp[i]
___
$code.=<<___ if ($SIZE_T==4);
add $t0,$bp,$i
lwz $t3,0($t0) ; bp[i,i+1]
lwz $t0,4($t0)
insrdi $t3,$t0,32,0
___
$code.=<<___;
ld $t6,`$FRAME+$TRANSFER+8`($sp) ; tp[0]
mulld $t7,$a0,$t3 ; ap[0]*bp[i]
add $t7,$t7,$t6 ; ap[0]*bp[i]+tp[0]
mulld $t7,$a0,$t3 ; ap[0]*bp[i]
addi $tp,$sp,`$FRAME+$TRANSFER`
add $t7,$t7,$t6 ; ap[0]*bp[i]+tp[0]
li $carry,0
mulld $t7,$t7,$n0 ; tp[0]*n0
mtctr $j
; transfer bp[i] to FPU as 4x16-bit values
extrdi $t0,$t3,16,48
extrdi $t1,$t3,16,32
@ -906,8 +647,6 @@ $code.=<<___ if ($SIZE_T==8);
std $t1,`$FRAME+8`($sp)
std $t2,`$FRAME+16`($sp)
std $t3,`$FRAME+24`($sp)
mulld $t7,$t7,$n0 ; tp[0]*n0
; transfer (ap[0]*bp[i]+tp[0])*n0 to FPU as 4x16-bit values
extrdi $t4,$t7,16,48
extrdi $t5,$t7,16,32
@ -917,50 +656,7 @@ $code.=<<___ if ($SIZE_T==8);
std $t5,`$FRAME+40`($sp)
std $t6,`$FRAME+48`($sp)
std $t7,`$FRAME+56`($sp)
___
$code.=<<___ if ($SIZE_T==4);
add $t0,$bp,$i
li $c1,0
lwz $t1,0($t0) ; bp[i,i+1]
lwz $t3,4($t0)
mullw $t4,$a0,$t1 ; ap[0]*bp[i]
lwz $t0,`$FRAME+$TRANSFER+8+4`($sp) ; tp[0]
mulhwu $t5,$a0,$t1
lwz $t2,`$FRAME+$TRANSFER+8`($sp) ; tp[0]
mullw $t6,$a1,$t1
mullw $t7,$a0,$t3
add $t5,$t5,$t6
add $t5,$t5,$t7
addc $t4,$t4,$t0 ; ap[0]*bp[i]+tp[0]
adde $t5,$t5,$t2
; transfer bp[i] to FPU as 4x16-bit values
extrwi $t0,$t1,16,16
extrwi $t1,$t1,16,0
extrwi $t2,$t3,16,16
extrwi $t3,$t3,16,0
std $t0,`$FRAME+0`($sp) ; yes, std in 32-bit build
std $t1,`$FRAME+8`($sp)
std $t2,`$FRAME+16`($sp)
std $t3,`$FRAME+24`($sp)
mullw $t0,$t4,$n0 ; mulld tp[0]*n0
mulhwu $t1,$t4,$n0
mullw $t2,$t5,$n0
mullw $t3,$t4,$n1
add $t1,$t1,$t2
add $t1,$t1,$t3
; transfer (ap[0]*bp[i]+tp[0])*n0 to FPU as 4x16-bit values
extrwi $t4,$t0,16,16
extrwi $t5,$t0,16,0
extrwi $t6,$t1,16,16
extrwi $t7,$t1,16,0
std $t4,`$FRAME+32`($sp) ; yes, std in 32-bit build
std $t5,`$FRAME+40`($sp)
std $t6,`$FRAME+48`($sp)
std $t7,`$FRAME+56`($sp)
___
$code.=<<___;
lfd $A0,8($nap_d) ; load a[j] in double format
lfd $A1,16($nap_d)
lfd $A2,24($nap_d) ; load a[j+1] in double format
@ -1073,9 +769,7 @@ Linner:
fmul $dotb,$A3,$bd
lfd $A2,24($nap_d) ; load a[j+1] in double format
lfd $A3,32($nap_d)
___
if ($SIZE_T==8 or $flavour =~ /osx/) {
$code.=<<___;
fmadd $T1a,$N1,$na,$T1a
fmadd $T1b,$N1,$nb,$T1b
ld $t0,`$FRAME+0`($sp)
@ -1162,131 +856,10 @@ $code.=<<___;
addze $carry,$carry
std $t3,-16($tp) ; tp[j-1]
std $t5,-8($tp) ; tp[j]
___
} else {
$code.=<<___;
fmadd $T1a,$N1,$na,$T1a
fmadd $T1b,$N1,$nb,$T1b
lwz $t1,`$FRAME+0^$LITTLE_ENDIAN`($sp)
lwz $t0,`$FRAME+4^$LITTLE_ENDIAN`($sp)
fmadd $T2a,$N2,$na,$T2a
fmadd $T2b,$N2,$nb,$T2b
lwz $t3,`$FRAME+8^$LITTLE_ENDIAN`($sp)
lwz $t2,`$FRAME+12^$LITTLE_ENDIAN`($sp)
fmadd $T3a,$N3,$na,$T3a
fmadd $T3b,$N3,$nb,$T3b
lwz $t5,`$FRAME+16^$LITTLE_ENDIAN`($sp)
lwz $t4,`$FRAME+20^$LITTLE_ENDIAN`($sp)
addc $t0,$t0,$carry
adde $t1,$t1,$c1
srwi $carry,$t0,16
fmadd $T0a,$N0,$na,$T0a
fmadd $T0b,$N0,$nb,$T0b
lwz $t7,`$FRAME+24^$LITTLE_ENDIAN`($sp)
lwz $t6,`$FRAME+28^$LITTLE_ENDIAN`($sp)
srwi $c1,$t1,16
insrwi $carry,$t1,16,0
fmadd $T1a,$N0,$nc,$T1a
fmadd $T1b,$N0,$nd,$T1b
addc $t2,$t2,$carry
adde $t3,$t3,$c1
srwi $carry,$t2,16
fmadd $T2a,$N1,$nc,$T2a
fmadd $T2b,$N1,$nd,$T2b
insrwi $t0,$t2,16,0 ; 0..31 bits
srwi $c1,$t3,16
insrwi $carry,$t3,16,0
fmadd $T3a,$N2,$nc,$T3a
fmadd $T3b,$N2,$nd,$T3b
lwz $t2,12($tp) ; tp[j]
lwz $t3,8($tp)
addc $t4,$t4,$carry
adde $t5,$t5,$c1
srwi $carry,$t4,16
fmadd $dota,$N3,$nc,$dota
fmadd $dotb,$N3,$nd,$dotb
srwi $c1,$t5,16
insrwi $carry,$t5,16,0
fctid $T0a,$T0a
addc $t6,$t6,$carry
adde $t7,$t7,$c1
srwi $carry,$t6,16
fctid $T0b,$T0b
insrwi $t4,$t6,16,0 ; 32..63 bits
srwi $c1,$t7,16
insrwi $carry,$t7,16,0
fctid $T1a,$T1a
addc $t0,$t0,$t2
adde $t4,$t4,$t3
lwz $t3,`$FRAME+32^$LITTLE_ENDIAN`($sp) ; permuted $t1
lwz $t2,`$FRAME+36^$LITTLE_ENDIAN`($sp) ; permuted $t0
fctid $T1b,$T1b
addze $carry,$carry
addze $c1,$c1
stw $t0,4($tp) ; tp[j-1]
stw $t4,0($tp)
fctid $T2a,$T2a
addc $t2,$t2,$carry
adde $t3,$t3,$c1
srwi $carry,$t2,16
lwz $t7,`$FRAME+40^$LITTLE_ENDIAN`($sp) ; permuted $t3
lwz $t6,`$FRAME+44^$LITTLE_ENDIAN`($sp) ; permuted $t2
fctid $T2b,$T2b
srwi $c1,$t3,16
insrwi $carry,$t3,16,0
lwz $t1,`$FRAME+48^$LITTLE_ENDIAN`($sp) ; permuted $t5
lwz $t0,`$FRAME+52^$LITTLE_ENDIAN`($sp) ; permuted $t4
fctid $T3a,$T3a
addc $t6,$t6,$carry
adde $t7,$t7,$c1
srwi $carry,$t6,16
lwz $t5,`$FRAME+56^$LITTLE_ENDIAN`($sp) ; permuted $t7
lwz $t4,`$FRAME+60^$LITTLE_ENDIAN`($sp) ; permuted $t6
fctid $T3b,$T3b
insrwi $t2,$t6,16,0 ; 64..95 bits
insrwi $carry,$t7,16,0
srwi $c1,$t7,16
lwz $t6,20($tp)
lwzu $t7,16($tp)
addc $t0,$t0,$carry
stfd $T0a,`$FRAME+0`($sp)
adde $t1,$t1,$c1
srwi $carry,$t0,16
stfd $T0b,`$FRAME+8`($sp)
insrwi $carry,$t1,16,0
srwi $c1,$t1,16
addc $t4,$t4,$carry
stfd $T1a,`$FRAME+16`($sp)
adde $t5,$t5,$c1
srwi $carry,$t4,16
insrwi $t0,$t4,16,0 ; 96..127 bits
stfd $T1b,`$FRAME+24`($sp)
insrwi $carry,$t5,16,0
srwi $c1,$t5,16
addc $t2,$t2,$t6
stfd $T2a,`$FRAME+32`($sp)
adde $t0,$t0,$t7
stfd $T2b,`$FRAME+40`($sp)
addze $carry,$carry
stfd $T3a,`$FRAME+48`($sp)
addze $c1,$c1
stfd $T3b,`$FRAME+56`($sp)
stw $t2,-4($tp) ; tp[j]
stw $t0,-8($tp)
___
}
$code.=<<___;
bdnz Linner
bdnz- Linner
fctid $dota,$dota
fctid $dotb,$dotb
___
if ($SIZE_T==8 or $flavour =~ /osx/) {
$code.=<<___;
ld $t0,`$FRAME+0`($sp)
ld $t1,`$FRAME+8`($sp)
ld $t2,`$FRAME+16`($sp)
@ -1353,116 +926,7 @@ $code.=<<___;
insrdi $t6,$t7,48,0
srdi $ovf,$t7,48
std $t6,0($tp) ; tp[num-1]
___
} else {
$code.=<<___;
lwz $t1,`$FRAME+0^$LITTLE_ENDIAN`($sp)
lwz $t0,`$FRAME+4^$LITTLE_ENDIAN`($sp)
lwz $t3,`$FRAME+8^$LITTLE_ENDIAN`($sp)
lwz $t2,`$FRAME+12^$LITTLE_ENDIAN`($sp)
lwz $t5,`$FRAME+16^$LITTLE_ENDIAN`($sp)
lwz $t4,`$FRAME+20^$LITTLE_ENDIAN`($sp)
lwz $t7,`$FRAME+24^$LITTLE_ENDIAN`($sp)
lwz $t6,`$FRAME+28^$LITTLE_ENDIAN`($sp)
stfd $dota,`$FRAME+64`($sp)
stfd $dotb,`$FRAME+72`($sp)
addc $t0,$t0,$carry
adde $t1,$t1,$c1
srwi $carry,$t0,16
insrwi $carry,$t1,16,0
srwi $c1,$t1,16
addc $t2,$t2,$carry
adde $t3,$t3,$c1
srwi $carry,$t2,16
insrwi $t0,$t2,16,0 ; 0..31 bits
lwz $t2,12($tp) ; tp[j]
insrwi $carry,$t3,16,0
srwi $c1,$t3,16
lwz $t3,8($tp)
addc $t4,$t4,$carry
adde $t5,$t5,$c1
srwi $carry,$t4,16
insrwi $carry,$t5,16,0
srwi $c1,$t5,16
addc $t6,$t6,$carry
adde $t7,$t7,$c1
srwi $carry,$t6,16
insrwi $t4,$t6,16,0 ; 32..63 bits
insrwi $carry,$t7,16,0
srwi $c1,$t7,16
addc $t0,$t0,$t2
adde $t4,$t4,$t3
addze $carry,$carry
addze $c1,$c1
stw $t0,4($tp) ; tp[j-1]
stw $t4,0($tp)
lwz $t3,`$FRAME+32^$LITTLE_ENDIAN`($sp) ; permuted $t1
lwz $t2,`$FRAME+36^$LITTLE_ENDIAN`($sp) ; permuted $t0
lwz $t7,`$FRAME+40^$LITTLE_ENDIAN`($sp) ; permuted $t3
lwz $t6,`$FRAME+44^$LITTLE_ENDIAN`($sp) ; permuted $t2
lwz $t1,`$FRAME+48^$LITTLE_ENDIAN`($sp) ; permuted $t5
lwz $t0,`$FRAME+52^$LITTLE_ENDIAN`($sp) ; permuted $t4
lwz $t5,`$FRAME+56^$LITTLE_ENDIAN`($sp) ; permuted $t7
lwz $t4,`$FRAME+60^$LITTLE_ENDIAN`($sp) ; permuted $t6
addc $t2,$t2,$carry
adde $t3,$t3,$c1
srwi $carry,$t2,16
insrwi $carry,$t3,16,0
srwi $c1,$t3,16
addc $t6,$t6,$carry
adde $t7,$t7,$c1
srwi $carry,$t6,16
insrwi $t2,$t6,16,0 ; 64..95 bits
lwz $t6,20($tp)
insrwi $carry,$t7,16,0
srwi $c1,$t7,16
lwzu $t7,16($tp)
addc $t0,$t0,$carry
adde $t1,$t1,$c1
srwi $carry,$t0,16
insrwi $carry,$t1,16,0
srwi $c1,$t1,16
addc $t4,$t4,$carry
adde $t5,$t5,$c1
srwi $carry,$t4,16
insrwi $t0,$t4,16,0 ; 96..127 bits
insrwi $carry,$t5,16,0
srwi $c1,$t5,16
addc $t2,$t2,$t6
adde $t0,$t0,$t7
lwz $t7,`$FRAME+64^$LITTLE_ENDIAN`($sp)
lwz $t6,`$FRAME+68^$LITTLE_ENDIAN`($sp)
addze $carry,$carry
addze $c1,$c1
lwz $t5,`$FRAME+72^$LITTLE_ENDIAN`($sp)
lwz $t4,`$FRAME+76^$LITTLE_ENDIAN`($sp)
addc $t6,$t6,$carry
adde $t7,$t7,$c1
stw $t2,-4($tp) ; tp[j]
stw $t0,-8($tp)
addc $t6,$t6,$ovf
addze $t7,$t7
srwi $carry,$t6,16
insrwi $carry,$t7,16,0
srwi $c1,$t7,16
addc $t4,$t4,$carry
adde $t5,$t5,$c1
insrwi $t6,$t4,16,0
srwi $t4,$t4,16
insrwi $t4,$t5,16,0
srwi $ovf,$t5,16
stw $t6,4($tp) ; tp[num-1]
stw $t4,0($tp)
___
}
$code.=<<___;
slwi $t7,$num,2
addi $i,$i,8
subf $nap_d,$t7,$nap_d ; rewind pointer
@ -1490,7 +954,7 @@ Lsub: ldx $t0,$tp,$i
stdx $t0,$rp,$i
stdx $t2,$t6,$i
addi $i,$i,16
bdnz Lsub
bdnz- Lsub
li $i,0
subfe $ovf,$i,$ovf ; handle upmost overflow bit
@ -1517,7 +981,7 @@ Lcopy: ; copy or in-place refresh
stdx $i,$tp,$i ; zap tp at once
stdx $i,$t4,$i
addi $i,$i,16
bdnz Lcopy
bdnz- Lcopy
___
$code.=<<___ if ($SIZE_T==4);
subf $np,$num,$np ; rewind np
@ -1530,14 +994,14 @@ $code.=<<___ if ($SIZE_T==4);
mtctr $j
.align 4
Lsub: lwz $t0,12($tp) ; load tp[j..j+3] in 64-bit word order
lwz $t1,8($tp)
lwz $t2,20($tp)
lwzu $t3,16($tp)
Lsub: ld $t0,8($tp) ; load tp[j..j+3] in 64-bit word order
ldu $t2,16($tp)
lwz $t4,4($np) ; load np[j..j+3] in 32-bit word order
lwz $t5,8($np)
lwz $t6,12($np)
lwzu $t7,16($np)
extrdi $t1,$t0,32,0
extrdi $t3,$t2,32,0
subfe $t4,$t4,$t0 ; tp[j]-np[j]
stw $t0,4($ap) ; save tp[j..j+3] in 32-bit word order
subfe $t5,$t5,$t1 ; tp[j+1]-np[j+1]
@ -1550,7 +1014,7 @@ Lsub: lwz $t0,12($tp) ; load tp[j..j+3] in 64-bit word order
stw $t5,8($rp)
stw $t6,12($rp)
stwu $t7,16($rp)
bdnz Lsub
bdnz- Lsub
li $i,0
subfe $ovf,$i,$ovf ; handle upmost overflow bit
@ -1582,15 +1046,12 @@ Lcopy: ; copy or in-place refresh
stwu $t3,16($rp)
std $i,8($tp) ; zap tp at once
stdu $i,16($tp)
bdnz Lcopy
bdnz- Lcopy
___
$code.=<<___;
$POP $i,0($sp)
li r3,1 ; signal "handled"
$POP r19,`-12*8-13*$SIZE_T`($i)
$POP r20,`-12*8-12*$SIZE_T`($i)
$POP r21,`-12*8-11*$SIZE_T`($i)
$POP r22,`-12*8-10*$SIZE_T`($i)
$POP r23,`-12*8-9*$SIZE_T`($i)
$POP r24,`-12*8-8*$SIZE_T`($i)
@ -1616,9 +1077,8 @@ $code.=<<___;
mr $sp,$i
blr
.long 0
.byte 0,12,4,0,0x8c,13,6,0
.byte 0,12,4,0,0x8c,10,6,0
.long 0
.size .$fname,.-.$fname
.asciz "Montgomery Multiplication for PPC64, CRYPTOGAMS by <appro\@openssl.org>"
___

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

Some files were not shown because too many files have changed in this diff Show More