https://github.com/openssl/openssl/commits/ and pick the appropriate
release branch.
+ Changes between 1.1.1h and 1.1.1i [8 Dec 2020]
+
+ *) Fixed NULL pointer deref in the GENERAL_NAME_cmp function
+ This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME.
+ If an attacker can control both items being compared then this could lead
+ to a possible denial of service attack. OpenSSL itself uses the
+ GENERAL_NAME_cmp function for two purposes:
+ 1) Comparing CRL distribution point names between an available CRL and a
+ CRL distribution point embedded in an X509 certificate
+ 2) When verifying that a timestamp response token signer matches the
+ timestamp authority name (exposed via the API functions
+ TS_RESP_verify_response and TS_RESP_verify_token)
+ (CVE-2020-1971)
+ [Matt Caswell]
+
+ *) Add support for Apple Silicon M1 Macs with the darwin64-arm64-cc target.
+ [Stuart Carnie]
+
+ *) The security callback, which can be customised by application code, supports
+ the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY
+ in the "other" parameter. In most places this is what is passed. All these
+ places occur server side. However there was one client side call of this
+ security operation and it passed a DH object instead. This is incorrect
+ according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all
+ of the other locations. Therefore this client side call has been changed to
+ pass an EVP_PKEY instead.
+ [Matt Caswell]
+
+ *) In 1.1.1h, an expired trusted (root) certificate was not anymore rejected
+ when validating a certificate path. This check is restored in 1.1.1i.
+ [David von Oheimb]
+
+ Changes between 1.1.1g and 1.1.1h [22 Sep 2020]
+
+ *) Certificates with explicit curve parameters are now disallowed in
+ verification chains if the X509_V_FLAG_X509_STRICT flag is used.
+ [Tomas Mraz]
+
+ *) The 'MinProtocol' and 'MaxProtocol' configuration commands now silently
+ ignore TLS protocol version bounds when configuring DTLS-based contexts, and
+ conversely, silently ignore DTLS protocol version bounds when configuring
+ TLS-based contexts. The commands can be repeated to set bounds of both
+ types. The same applies with the corresponding "min_protocol" and
+ "max_protocol" command-line switches, in case some application uses both TLS
+ and DTLS.
+
+ SSL_CTX instances that are created for a fixed protocol version (e.g.
+ TLSv1_server_method()) also silently ignore version bounds. Previously
+ attempts to apply bounds to these protocol versions would result in an
+ error. Now only the "version-flexible" SSL_CTX instances are subject to
+ limits in configuration files in command-line options.
+ [Viktor Dukhovni]
+
+ *) Handshake now fails if Extended Master Secret extension is dropped
+ on renegotiation.
+ [Tomas Mraz]
+
+ *) Accidentally, an expired trusted (root) certificate is not anymore rejected
+ when validating a certificate path.
+ [David von Oheimb]
+
+ *) The Oracle Developer Studio compiler will start reporting deprecated APIs
+
Changes between 1.1.1f and 1.1.1g [21 Apr 2020]
*) Fixed segmentation fault in SSL_check_chain()
inherit_from => [ "linux-generic32", asm("mips64_asm") ],
cflags => add("-mabi=n32"),
cxxflags => add("-mabi=n32"),
- bn_ops => "SIXTY_FOUR_BIT RC4_CHAR",
+ bn_ops => "RC4_CHAR",
perlasm_scheme => "n32",
multilib => "32",
},
CFLAGS => picker(debug => "-O0 -g",
release => "-O"),
cflags => add(threads("-pthread")),
- ex_libs => threads("-pthread"),
+ ex_libs => add(threads("-pthread")),
bn_ops => "BN_LLONG RC4_CHAR",
perlasm_scheme => "aix32",
shared_ldflag => add_before("-shared -static-libgcc"),
CFLAGS => picker(debug => "-O0 -g",
release => "-O"),
cflags => combine("-maix64", threads("-pthread")),
- ex_libs => threads("-pthread"),
+ ex_libs => add(threads("-pthread")),
bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
perlasm_scheme => "aix64",
shared_ldflag => add_before("-shared -static-libgcc"),
cflags => combine("-q32 -qmaxmem=16384 -qro -qroconst",
threads("-qthreaded")),
cppflags => threads("-D_THREAD_SAFE"),
- ex_libs => threads("-lpthreads"),
+ ex_libs => add(threads("-lpthreads")),
bn_ops => "BN_LLONG RC4_CHAR",
perlasm_scheme => "aix32",
shared_cflag => "-qpic",
cflags => combine("-q64 -qmaxmem=16384 -qro -qroconst",
threads("-qthreaded")),
cppflags => threads("-D_THREAD_SAFE"),
- ex_libs => threads("-lpthreads"),
+ ex_libs => add(threads("-lpthreads")),
bn_ops => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
perlasm_scheme => "aix64",
dso_scheme => "dlfcn",
}
push @ex_libs, '$(PORTSDK_LIBPATH)/portlib.lib'
if (defined(env('PORTSDK_LIBPATH')));
- push @ex_libs, ' /nodefaultlib coredll.lib corelibc.lib'
- if (env('TARGETCPU') eq "X86");
- return @ex_libs;
+ push @ex_libs, '/nodefaultlib coredll.lib corelibc.lib'
+ if (env('TARGETCPU') =~ /^X86|^ARMV4[IT]/);
+ return join(" ", @ex_libs);
}),
},
bn_ops => "SIXTY_FOUR_BIT_LONG",
perlasm_scheme => "macosx",
},
+ "darwin64-arm64-cc" => {
+ inherit_from => [ "darwin-common", asm("aarch64_asm") ],
+ CFLAGS => add("-Wall"),
+ cflags => add("-arch arm64"),
+ lib_cppflags => add("-DL_ENDIAN"),
+ bn_ops => "SIXTY_FOUR_BIT_LONG",
+ perlasm_scheme => "ios64",
+ },
##### GNU Hurd
"hurd-x86" => {
join(' ', $target{cppflags} || (),
(map { '-D'.quotify1($_) } @{$target{defines}},
@{$config{defines}}),
- (map { '-I'.quotify1($_) } @{$target{includes}},
- @{$config{includes}}),
+ (map { '-I'.'"'.$_.'"' } @{$target{includes}},
+ @{$config{includes}}),
@{$config{cppflags}}) -}
CNF_CFLAGS={- join(' ', $target{cflags} || (),
@{$config{cflags}}) -}
# Unified build supports separate build dir
my $srcdir = catdir(absolutedir(dirname($0))); # catdir ensures local syntax
my $blddir = catdir(absolutedir(".")); # catdir ensures local syntax
+
+# File::Spec::Unix doesn't detect case insensitivity, so we make sure to
+# check if the source and build directory are really the same, and make
+# them so. This avoids all kinds of confusion later on.
+# We must check @File::Spec::ISA rather than using File::Spec->isa() to
+# know if File::Spec ended up loading File::Spec::Unix.
+$srcdir = $blddir
+ if (grep(/::Unix$/, @File::Spec::ISA)
+ && samedir($srcdir, $blddir));
+
my $dofile = abs2rel(catfile($srcdir, "util/dofile.pl"));
my $local_config_envname = 'OPENSSL_LOCAL_CONFIG_DIR';
-$config{sourcedir} = abs2rel($srcdir);
-$config{builddir} = abs2rel($blddir);
+$config{sourcedir} = abs2rel($srcdir, $blddir);
+$config{builddir} = abs2rel($blddir, $blddir);
# Collect reconfiguration information if needed
my @argvcopy=@ARGV;
print "Using os-specific seed configuration\n";
push @seed_sources, 'os';
}
+if (scalar(grep { $_ eq 'egd' } @seed_sources) > 0) {
+ delete $disabled{'egd'};
+}
if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) {
die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1;
warn <<_____ if scalar(@seed_sources) == 1;
return realpath($dir);
}
+# Check if all paths are one and the same, using stat. They must both exist
+# We need this for the cases when File::Spec doesn't detect case insensitivity
+# (File::Spec::Unix assumes case sensitivity)
+sub samedir {
+ die "samedir expects two arguments\n" unless scalar @_ == 2;
+
+ my @stat0 = stat($_[0]); # First argument
+ my @stat1 = stat($_[1]); # Second argument
+
+ die "Couldn't stat $_[0]" unless @stat0;
+ die "Couldn't stat $_[1]" unless @stat1;
+
+ # Compare device number
+ return 0 unless ($stat0[0] == $stat1[0]);
+ # Compare "inode". The perl manual recommends comparing as
+ # string rather than as number.
+ return 0 unless ($stat0[1] eq $stat1[1]);
+
+ return 1; # All the same
+}
+
sub quotify {
my %processors = (
perl => sub { my $x = shift;
This file gives a brief overview of the major changes between each OpenSSL
release. For more details please read the CHANGES file.
+ Major changes between OpenSSL 1.1.1h and OpenSSL 1.1.1i [8 Dec 2020]
+
+ o Fixed NULL pointer deref in GENERAL_NAME_cmp (CVE-2020-1971)
+
+ Major changes between OpenSSL 1.1.1g and OpenSSL 1.1.1h [22 Sep 2020]
+
+ o Disallow explicit curve parameters in verifications chains when
+ X509_V_FLAG_X509_STRICT is used
+ o Enable 'MinProtocol' and 'MaxProtocol' to configure both TLS and DTLS
+ contexts
+ o Oracle Developer Studio will start reporting deprecation warnings
+
Major changes between OpenSSL 1.1.1f and OpenSSL 1.1.1g [21 Apr 2020]
o Fixed segmentation fault in SSL_check_chain() (CVE-2020-1967)
-------------------
Beside basic tools like perl and make you'll need to download the Android
- NDK. It's available for Linux, Mac OS X and Windows, but only Linux
- version was actually tested. There is no reason to believe that Mac OS X
+ NDK. It's available for Linux, macOS and Windows, but only Linux
+ version was actually tested. There is no reason to believe that macOS
wouldn't work. And as for Windows, it's unclear which "shell" would be
suitable, MSYS2 might have best chances. NDK version should play lesser
role, the goal is to support a range of most recent versions.
$ cpan -f -i Text::Template
- Note: on VMS, you must quote any argument that contains upper case
+ Note: on VMS, you must quote any argument that contains uppercase
characters, so the lines above would be:
$ cpan -i "Text::Template"
An ANSI C compiled is needed among other things. This means that
VAX C is not and will not be supported.
- We have only tested with DEC C (a.k.a HP VMS C / VSI C) and require
+ We have only tested with DEC C (aka HP VMS C / VSI C) and require
version 7.1 or later. Compiling with a different ANSI C compiler may
require some work.
and require --cross-compile-prefix option. While on MSYS[2] it's solved
rather by placing gcc that produces "MinGW binary" code 1st on $PATH.
This is customarily source of confusion. "Hosted" applications "live" in
- emulated file system name space with POSIX-y root, mount points, /dev
+ emulated filesystem name space with POSIX-y root, mount points, /dev
and even /proc. Confusion is intensified by the fact that MSYS2 shell
(or rather emulated execve(2) call) examines the binary it's about to
start, and if it's found *not* to be linked with MSYS2 POSIX-y thing,
- command line arguments that look like file names get translated from
+ command line arguments that look like filenames get translated from
emulated name space to "native". For example '/c/some/where' becomes
'c:\some\where', '/dev/null' - 'nul'. This creates an illusion that
there is no difference between MSYS2 shell and "MinGW binary", but
it's referred to in quotes here, as "MinGW binary", it's just as
"native" as it can get.)
- Visual C++ builds, a.k.a. VC-*
+ Visual C++ builds, aka VC-*
==============================
Requirement details
the other hand oldest one is known not to work. Everything between
falls into best-effort category.
- - Netwide Assembler, a.k.a. NASM, available from https://www.nasm.us,
+ - Netwide Assembler, aka NASM, available from https://www.nasm.us,
is required. Note that NASM is the only supported assembler. Even
though Microsoft provided assembler is NOT supported, contemporary
64-bit version is exercised through continuous integration of
If you link with static OpenSSL libraries then you're expected to
additionally link your application with WS2_32.LIB, GDI32.LIB,
ADVAPI32.LIB, CRYPT32.LIB and USER32.LIB. Those developing
- non-interactive service applications might feel concerned about
+ noninteractive service applications might feel concerned about
linking with GDI32.LIB and USER32.LIB, as they are justly associated
with interactive desktop, which is not available to service
processes. The toolkit is designed to detect in which context it's
- OpenSSL 1.1.1g 21 Apr 2020
+ OpenSSL 1.1.1i 8 Dec 2020
Copyright (c) 1998-2020 The OpenSSL Project
Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
row[DB_exp_date][tm->length] = '\0';
row[DB_rev_date] = NULL;
row[DB_file] = OPENSSL_strdup("unknown");
- if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
- (row[DB_file] == NULL) || (row[DB_name] == NULL)) {
+ if ((row[DB_type] == NULL) || (row[DB_file] == NULL)
+ || (row[DB_name] == NULL)) {
BIO_printf(bio_err, "Memory allocation failure\n");
goto end;
}
/*
- * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
if (key_param == NULL || key_param->idx != keyidx) {
cms_key_param *nparam;
nparam = app_malloc(sizeof(*nparam), "key param buffer");
- nparam->idx = keyidx;
- if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL)
+ if ((nparam->param = sk_OPENSSL_STRING_new_null()) == NULL) {
+ OPENSSL_free(nparam);
goto end;
+ }
+ nparam->idx = keyidx;
nparam->next = NULL;
if (key_first == NULL)
key_first = nparam;
/*
- * Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
goto end;
}
+ ret = 0;
+
if (rv <= 0) {
BIO_puts(bio_err, "Error writing key\n");
ERR_print_errors(bio_err);
+ ret = 1;
}
if (text) {
if (rv <= 0) {
BIO_puts(bio_err, "Error printing key\n");
ERR_print_errors(bio_err);
+ ret = 1;
}
}
- ret = 0;
-
end:
EVP_PKEY_free(pkey);
EVP_PKEY_CTX_free(ctx);
-----BEGIN RSA PRIVATE KEY-----
-
MIISKAIBAAKCBAEAiQ2f1X6Bte1DKD0OoCBKEikzPW+5w3oXk3WwnE97Wxzy6wJZ
ebbZC3CZKKBnJeBMrysPf+lK+9+fP6Vm8bp1wvbcSIA59BDrX6irFSuM/bdnkbuF
MFlDjt+uVrxwoyqfPi2IPot1HQg3l5mdyBqcTWvbOnU2L9HZxJfPUCjfzdTMPrMY
yO7iBUNJzv6Qh22malLp4P8gzACkD7DGlSTnoB5cLwcjmDGg+i9WrUBbOiVTeQfZ
kOj1o+Tz35ndpq/DDUVlqliB9krcxva+QHeJPH53EGI+YVg1nD+s/vUDZ3mQMGX9
DQou2L8uU6RnWNv/BihGcL8QvS4Ty6QyPOUPpD3zc70JQAEcQk9BxQNaELgJX0IN
-22cYn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU
+2cYUn22tYvElew9G41OpDqzBRcfbdJmKXQ2HcroShutYJQRGUpAXHk24fy6JVkIU
ojF5U6cwextMja1ZIIZgh9eugIRUeIE7319nQNDzuXWjRCcoBLA25P7wnpHWDRpz
D9ovXCIvdja74lL5psqobV6L5+fbLPkSgXoImKR0LQKCAgAIC9Jk8kxumCyIVGCP
PeM5Uby9M3GMuKrfYsn0Y5e97+kSJF1dpojTodBgR2KQar6eVrvXt+8uZCcIjfx8
rMlMLtKfp2w8HlMZpsUlToNCx6CI+tJrohzcs3BAVAbjFAXRKWGijB1rxwyDdHPv
I+/wJTNaRNPQ1M0SwtEL/zJd21y3KSPn4eL+GP3efhlDSjtlDvZqkdAUsU8=
-----END RSA PRIVATE KEY-----
-
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
case OPT_SSL3:
min_version = SSL3_VERSION;
max_version = SSL3_VERSION;
+ socket_type = SOCK_STREAM;
+#ifndef OPENSSL_NO_DTLS
+ isdtls = 0;
+#endif
break;
case OPT_TLS1_3:
min_version = TLS1_3_VERSION;
max_version = TLS1_3_VERSION;
+ socket_type = SOCK_STREAM;
+#ifndef OPENSSL_NO_DTLS
+ isdtls = 0;
+#endif
break;
case OPT_TLS1_2:
min_version = TLS1_2_VERSION;
max_version = TLS1_2_VERSION;
+ socket_type = SOCK_STREAM;
+#ifndef OPENSSL_NO_DTLS
+ isdtls = 0;
+#endif
break;
case OPT_TLS1_1:
min_version = TLS1_1_VERSION;
max_version = TLS1_1_VERSION;
+ socket_type = SOCK_STREAM;
+#ifndef OPENSSL_NO_DTLS
+ isdtls = 0;
+#endif
break;
case OPT_TLS1:
min_version = TLS1_VERSION;
max_version = TLS1_VERSION;
+ socket_type = SOCK_STREAM;
+#ifndef OPENSSL_NO_DTLS
+ isdtls = 0;
+#endif
break;
case OPT_DTLS:
#ifndef OPENSSL_NO_DTLS
{"", OPT_MD, '-', "Any supported digest"},
#ifndef OPENSSL_NO_MD5
{"subject_hash_old", OPT_SUBJECT_HASH_OLD, '-',
- "Print old-style (MD5) issuer hash value"},
- {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
"Print old-style (MD5) subject hash value"},
+ {"issuer_hash_old", OPT_ISSUER_HASH_OLD, '-',
+ "Print old-style (MD5) issuer hash value"},
#endif
#ifndef OPENSSL_NO_ENGINE
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
- cd ..
- ps: >-
if (-not $env:APPVEYOR_PULL_REQUEST_NUMBER`
- -or (&git log -2 | Select-String "\[extended tests\]") ) {
+ -or (&git log -1 $env:APPVEYOR_PULL_REQUEST_HEAD_COMMIT |
+ Select-String "\[extended tests\]") ) {
$env:EXTENDED_TESTS="yes"
}
Power*)
echo "ppc-apple-darwin${VERSION}"
;;
- x86_64)
- echo "x86_64-apple-darwin${VERSION}"
- ;;
*)
- echo "i686-apple-darwin${VERSION}"
+ echo "${MACHINE}-apple-darwin${VERSION}"
;;
esac
exit 0
else
OUT="darwin64-x86_64-cc"
fi ;;
+ $MACHINE-apple-darwin*)
+ OUT="darwin64-$MACHINE-cc"
+ ;;
armv6+7-*-iphoneos)
__CNF_CFLAGS="$__CNF_CFLAGS -arch armv6 -arch armv7"
__CNF_CXXFLAGS="$__CNF_CXXFLAGS -arch armv6 -arch armv7"
InvCipher(in, out, rk, key->rounds);
}
-
-# ifndef OPENSSL_SMALL_FOOTPRINT
-void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const AES_KEY *key,
- const unsigned char *ivec);
-
-static void RawToBits(const u8 raw[64], u64 bits[8])
-{
- int i, j;
- u64 in, out;
-
- memset(bits, 0, 64);
- for (i = 0; i < 8; i++) {
- in = 0;
- for (j = 0; j < 8; j++)
- in |= ((u64)raw[i * 8 + j]) << (8 * j);
- out = in & 0xF0F0F0F00F0F0F0FuLL;
- out |= (in & 0x0F0F0F0F00000000uLL) >> 28;
- out |= (in & 0x00000000F0F0F0F0uLL) << 28;
- in = out & 0xCCCC3333CCCC3333uLL;
- in |= (out & 0x3333000033330000uLL) >> 14;
- in |= (out & 0x0000CCCC0000CCCCuLL) << 14;
- out = in & 0xAA55AA55AA55AA55uLL;
- out |= (in & 0x5500550055005500uLL) >> 7;
- out |= (in & 0x00AA00AA00AA00AAuLL) << 7;
- for (j = 0; j < 8; j++) {
- bits[j] |= (out & 0xFFuLL) << (8 * i);
- out = out >> 8;
- }
- }
-}
-
-static void BitsToRaw(const u64 bits[8], u8 raw[64])
-{
- int i, j;
- u64 in, out;
-
- for (i = 0; i < 8; i++) {
- in = 0;
- for (j = 0; j < 8; j++)
- in |= ((bits[j] >> (8 * i)) & 0xFFuLL) << (8 * j);
- out = in & 0xF0F0F0F00F0F0F0FuLL;
- out |= (in & 0x0F0F0F0F00000000uLL) >> 28;
- out |= (in & 0x00000000F0F0F0F0uLL) << 28;
- in = out & 0xCCCC3333CCCC3333uLL;
- in |= (out & 0x3333000033330000uLL) >> 14;
- in |= (out & 0x0000CCCC0000CCCCuLL) << 14;
- out = in & 0xAA55AA55AA55AA55uLL;
- out |= (in & 0x5500550055005500uLL) >> 7;
- out |= (in & 0x00AA00AA00AA00AAuLL) << 7;
- for (j = 0; j < 8; j++) {
- raw[i * 8 + j] = (u8)out;
- out = out >> 8;
- }
- }
-}
-
-static void BitsXtime(u64 state[8])
-{
- u64 b;
-
- b = state[7];
- state[7] = state[6];
- state[6] = state[5];
- state[5] = state[4];
- state[4] = state[3] ^ b;
- state[3] = state[2] ^ b;
- state[2] = state[1];
- state[1] = state[0] ^ b;
- state[0] = b;
-}
-
-/*
- * This S-box implementation follows a circuit described in
- * Boyar and Peralta: "A new combinational logic minimization
- * technique with applications to cryptology."
- * https://eprint.iacr.org/2009/191.pdf
- *
- * The math is similar to above, in that it uses
- * a tower field of GF(2^2^2^2) but with a different
- * basis representation, that is better suited to
- * logic designs.
- */
-static void BitsSub(u64 state[8])
-{
- u64 x0, x1, x2, x3, x4, x5, x6, x7;
- u64 y1, y2, y3, y4, y5, y6, y7, y8, y9, y10, y11;
- u64 y12, y13, y14, y15, y16, y17, y18, y19, y20, y21;
- u64 t0, t1, t2, t3, t4, t5, t6, t7, t8, t9, t10, t11;
- u64 t12, t13, t14, t15, t16, t17, t18, t19, t20, t21;
- u64 t22, t23, t24, t25, t26, t27, t28, t29, t30, t31;
- u64 t32, t33, t34, t35, t36, t37, t38, t39, t40, t41;
- u64 t42, t43, t44, t45, t46, t47, t48, t49, t50, t51;
- u64 t52, t53, t54, t55, t56, t57, t58, t59, t60, t61;
- u64 t62, t63, t64, t65, t66, t67;
- u64 z0, z1, z2, z3, z4, z5, z6, z7, z8, z9, z10, z11;
- u64 z12, z13, z14, z15, z16, z17;
- u64 s0, s1, s2, s3, s4, s5, s6, s7;
-
- x7 = state[0];
- x6 = state[1];
- x5 = state[2];
- x4 = state[3];
- x3 = state[4];
- x2 = state[5];
- x1 = state[6];
- x0 = state[7];
- y14 = x3 ^ x5;
- y13 = x0 ^ x6;
- y9 = x0 ^ x3;
- y8 = x0 ^ x5;
- t0 = x1 ^ x2;
- y1 = t0 ^ x7;
- y4 = y1 ^ x3;
- y12 = y13 ^ y14;
- y2 = y1 ^ x0;
- y5 = y1 ^ x6;
- y3 = y5 ^ y8;
- t1 = x4 ^ y12;
- y15 = t1 ^ x5;
- y20 = t1 ^ x1;
- y6 = y15 ^ x7;
- y10 = y15 ^ t0;
- y11 = y20 ^ y9;
- y7 = x7 ^ y11;
- y17 = y10 ^ y11;
- y19 = y10 ^ y8;
- y16 = t0 ^ y11;
- y21 = y13 ^ y16;
- y18 = x0 ^ y16;
- t2 = y12 & y15;
- t3 = y3 & y6;
- t4 = t3 ^ t2;
- t5 = y4 & x7;
- t6 = t5 ^ t2;
- t7 = y13 & y16;
- t8 = y5 & y1;
- t9 = t8 ^ t7;
- t10 = y2 & y7;
- t11 = t10 ^ t7;
- t12 = y9 & y11;
- t13 = y14 & y17;
- t14 = t13 ^ t12;
- t15 = y8 & y10;
- t16 = t15 ^ t12;
- t17 = t4 ^ t14;
- t18 = t6 ^ t16;
- t19 = t9 ^ t14;
- t20 = t11 ^ t16;
- t21 = t17 ^ y20;
- t22 = t18 ^ y19;
- t23 = t19 ^ y21;
- t24 = t20 ^ y18;
- t25 = t21 ^ t22;
- t26 = t21 & t23;
- t27 = t24 ^ t26;
- t28 = t25 & t27;
- t29 = t28 ^ t22;
- t30 = t23 ^ t24;
- t31 = t22 ^ t26;
- t32 = t31 & t30;
- t33 = t32 ^ t24;
- t34 = t23 ^ t33;
- t35 = t27 ^ t33;
- t36 = t24 & t35;
- t37 = t36 ^ t34;
- t38 = t27 ^ t36;
- t39 = t29 & t38;
- t40 = t25 ^ t39;
- t41 = t40 ^ t37;
- t42 = t29 ^ t33;
- t43 = t29 ^ t40;
- t44 = t33 ^ t37;
- t45 = t42 ^ t41;
- z0 = t44 & y15;
- z1 = t37 & y6;
- z2 = t33 & x7;
- z3 = t43 & y16;
- z4 = t40 & y1;
- z5 = t29 & y7;
- z6 = t42 & y11;
- z7 = t45 & y17;
- z8 = t41 & y10;
- z9 = t44 & y12;
- z10 = t37 & y3;
- z11 = t33 & y4;
- z12 = t43 & y13;
- z13 = t40 & y5;
- z14 = t29 & y2;
- z15 = t42 & y9;
- z16 = t45 & y14;
- z17 = t41 & y8;
- t46 = z15 ^ z16;
- t47 = z10 ^ z11;
- t48 = z5 ^ z13;
- t49 = z9 ^ z10;
- t50 = z2 ^ z12;
- t51 = z2 ^ z5;
- t52 = z7 ^ z8;
- t53 = z0 ^ z3;
- t54 = z6 ^ z7;
- t55 = z16 ^ z17;
- t56 = z12 ^ t48;
- t57 = t50 ^ t53;
- t58 = z4 ^ t46;
- t59 = z3 ^ t54;
- t60 = t46 ^ t57;
- t61 = z14 ^ t57;
- t62 = t52 ^ t58;
- t63 = t49 ^ t58;
- t64 = z4 ^ t59;
- t65 = t61 ^ t62;
- t66 = z1 ^ t63;
- s0 = t59 ^ t63;
- s6 = ~(t56 ^ t62);
- s7 = ~(t48 ^ t60);
- t67 = t64 ^ t65;
- s3 = t53 ^ t66;
- s4 = t51 ^ t66;
- s5 = t47 ^ t65;
- s1 = ~(t64 ^ s3);
- s2 = ~(t55 ^ t67);
- state[0] = s7;
- state[1] = s6;
- state[2] = s5;
- state[3] = s4;
- state[4] = s3;
- state[5] = s2;
- state[6] = s1;
- state[7] = s0;
-}
-
-static void BitsShiftRows(u64 state[8])
-{
- u64 s, s0;
- int i;
-
- for (i = 0; i < 8; i++) {
- s = state[i];
- s0 = s & 0x1111111111111111uLL;
- s0 |= ((s & 0x2220222022202220uLL) >> 4) | ((s & 0x0002000200020002uLL) << 12);
- s0 |= ((s & 0x4400440044004400uLL) >> 8) | ((s & 0x0044004400440044uLL) << 8);
- s0 |= ((s & 0x8000800080008000uLL) >> 12) | ((s & 0x0888088808880888uLL) << 4);
- state[i] = s0;
- }
-}
-
-static void BitsMixColumns(u64 state[8])
-{
- u64 s1, s;
- u64 s0[8];
- int i;
-
- for (i = 0; i < 8; i++) {
- s1 = state[i];
- s = s1;
- s ^= ((s & 0xCCCCCCCCCCCCCCCCuLL) >> 2) | ((s & 0x3333333333333333uLL) << 2);
- s ^= ((s & 0xAAAAAAAAAAAAAAAAuLL) >> 1) | ((s & 0x5555555555555555uLL) << 1);
- s ^= s1;
- s0[i] = s;
- }
- BitsXtime(state);
- for (i = 0; i < 8; i++) {
- s1 = state[i];
- s = s0[i];
- s ^= s1;
- s ^= ((s1 & 0xEEEEEEEEEEEEEEEEuLL) >> 1) | ((s1 & 0x1111111111111111uLL) << 3);
- state[i] = s;
- }
-}
-
-static void BitsAddRoundKey(u64 state[8], const u64 key[8])
-{
- int i;
-
- for (i = 0; i < 8; i++)
- state[i] ^= key[i];
-}
-
-void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
- size_t blocks, const AES_KEY *key,
- const unsigned char *ivec)
-{
- struct {
- u8 cipher[64];
- u64 state[8];
- u64 rd_key[AES_MAXNR + 1][8];
- } *bs;
- u32 ctr32;
- int i;
-
- ctr32 = GETU32(ivec + 12);
- if (blocks >= 4
- && (bs = OPENSSL_malloc(sizeof(*bs)))) {
- for (i = 0; i < key->rounds + 1; i++) {
- memcpy(bs->cipher + 0, &key->rd_key[4 * i], 16);
- memcpy(bs->cipher + 16, bs->cipher, 16);
- memcpy(bs->cipher + 32, bs->cipher, 32);
- RawToBits(bs->cipher, bs->rd_key[i]);
- }
- while (blocks) {
- memcpy(bs->cipher, ivec, 12);
- PUTU32(bs->cipher + 12, ctr32);
- ctr32++;
- memcpy(bs->cipher + 16, ivec, 12);
- PUTU32(bs->cipher + 28, ctr32);
- ctr32++;
- memcpy(bs->cipher + 32, ivec, 12);
- PUTU32(bs->cipher + 44, ctr32);
- ctr32++;
- memcpy(bs->cipher + 48, ivec, 12);
- PUTU32(bs->cipher + 60, ctr32);
- ctr32++;
- RawToBits(bs->cipher, bs->state);
- BitsAddRoundKey(bs->state, bs->rd_key[0]);
- for (i = 1; i < key->rounds; i++) {
- BitsSub(bs->state);
- BitsShiftRows(bs->state);
- BitsMixColumns(bs->state);
- BitsAddRoundKey(bs->state, bs->rd_key[i]);
- }
- BitsSub(bs->state);
- BitsShiftRows(bs->state);
- BitsAddRoundKey(bs->state, bs->rd_key[key->rounds]);
- BitsToRaw(bs->state, bs->cipher);
- for (i = 0; i < 64 && blocks; i++) {
- out[i] = in[i] ^ bs->cipher[i];
- if ((i & 15) == 15)
- blocks--;
- }
- in += i;
- out += i;
- }
- OPENSSL_clear_free(bs, sizeof(*bs));
- } else {
- unsigned char cipher[16];
-
- while (blocks) {
- memcpy(cipher, ivec, 12);
- PUTU32(cipher + 12, ctr32);
- AES_encrypt(cipher, cipher, key);
- for (i = 0; i < 16; i++)
- out[i] = in[i] ^ cipher[i];
- in += 16;
- out += 16;
- ctr32++;
- blocks--;
- }
- }
-}
-# endif
#elif !defined(AES_ASM)
/*-
Te0[x] = S [x].[02, 01, 01, 03];
/*
- * Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include <openssl/aes.h>
#include "aes_local.h"
-#define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))
-typedef struct {
- unsigned long data[N_WORDS];
-} aes_block_t;
-
/* XXX: probably some better way to do this */
#if defined(__i386__) || defined(__x86_64__)
# define UNALIGNED_MEMOPS_ARE_FAST 1
# define UNALIGNED_MEMOPS_ARE_FAST 0
#endif
+#define N_WORDS (AES_BLOCK_SIZE / sizeof(unsigned long))
+typedef struct {
+ unsigned long data[N_WORDS];
+#if defined(__GNUC__) && UNALIGNED_MEMOPS_ARE_FAST
+} aes_block_t __attribute((__aligned__(1)));
+#else
+} aes_block_t;
+#endif
+
#if UNALIGNED_MEMOPS_ARE_FAST
# define load_block(d, s) (d) = *(const aes_block_t *)(s)
# define store_block(d, s) *(aes_block_t *)(d) = (s)
$avx = ($1>=10) + ($1>=11);
}
-if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
+if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0);
}
$avx=1 if (!$avx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
`ml64 2>&1` =~ /Version ([0-9]+)\./ &&
$1>=10);
-$avx=1 if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/ && $2>=3.0);
+$avx=1 if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/ && $2>=3.0);
$shaext=1; ### set to zero if compiling for 1.0.1
$avx = ($1>=10) + ($1>=12);
}
-if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
+if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0);
}
.Loop192:
vtbl.8 $key,{$in1},$mask
vext.8 $tmp,$zero,$in0,#12
+#ifdef __ARMEB__
+ vst1.32 {$in1},[$out],#16
+ sub $out,$out,#8
+#else
vst1.32 {$in1},[$out],#8
+#endif
aese $key,$zero
subs $bits,$bits,#1
ldr $rounds,[$key,#240]
ldr $ctr, [$ivp, #12]
+#ifdef __ARMEB__
+ vld1.8 {$dat0},[$ivp]
+#else
vld1.32 {$dat0},[$ivp]
-
+#endif
vld1.32 {q8-q9},[$key] // load key schedule...
sub $rounds,$rounds,#4
mov $step,#16
#ifndef __ARMEB__
rev $ctr, $ctr
#endif
- vorr $dat1,$dat0,$dat0
add $tctr1, $ctr, #1
- vorr $dat2,$dat0,$dat0
- add $ctr, $ctr, #2
vorr $ivec,$dat0,$dat0
rev $tctr1, $tctr1
- vmov.32 ${dat1}[3],$tctr1
+ vmov.32 ${ivec}[3],$tctr1
+ add $ctr, $ctr, #2
+ vorr $dat1,$ivec,$ivec
b.ls .Lctr32_tail
rev $tctr2, $ctr
+ vmov.32 ${ivec}[3],$tctr2
sub $len,$len,#3 // bias
- vmov.32 ${dat2}[3],$tctr2
+ vorr $dat2,$ivec,$ivec
b .Loop3x_ctr32
.align 4
aese $dat1,q8
aesmc $tmp1,$dat1
vld1.8 {$in0},[$inp],#16
- vorr $dat0,$ivec,$ivec
+ add $tctr0,$ctr,#1
aese $dat2,q8
aesmc $dat2,$dat2
vld1.8 {$in1},[$inp],#16
- vorr $dat1,$ivec,$ivec
+ rev $tctr0,$tctr0
aese $tmp0,q9
aesmc $tmp0,$tmp0
aese $tmp1,q9
mov $key_,$key
aese $dat2,q9
aesmc $tmp2,$dat2
- vorr $dat2,$ivec,$ivec
- add $tctr0,$ctr,#1
aese $tmp0,q12
aesmc $tmp0,$tmp0
aese $tmp1,q12
aese $tmp1,q13
aesmc $tmp1,$tmp1
veor $in2,$in2,$rndlast
- rev $tctr0,$tctr0
+ vmov.32 ${ivec}[3], $tctr0
aese $tmp2,q13
aesmc $tmp2,$tmp2
- vmov.32 ${dat0}[3], $tctr0
+ vorr $dat0,$ivec,$ivec
rev $tctr1,$tctr1
aese $tmp0,q14
aesmc $tmp0,$tmp0
+ vmov.32 ${ivec}[3], $tctr1
+ rev $tctr2,$ctr
aese $tmp1,q14
aesmc $tmp1,$tmp1
- vmov.32 ${dat1}[3], $tctr1
- rev $tctr2,$ctr
+ vorr $dat1,$ivec,$ivec
+ vmov.32 ${ivec}[3], $tctr2
aese $tmp2,q14
aesmc $tmp2,$tmp2
- vmov.32 ${dat2}[3], $tctr2
+ vorr $dat2,$ivec,$ivec
subs $len,$len,#3
aese $tmp0,q15
aese $tmp1,q15
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
"asn1_item_embed_d2i"},
{ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_EMBED_NEW, 0),
"asn1_item_embed_new"},
+ {ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_EX_I2D, 0), "ASN1_item_ex_i2d"},
{ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_FLAGS_I2D, 0),
"asn1_item_flags_i2d"},
{ERR_PACK(ERR_LIB_ASN1, ASN1_F_ASN1_ITEM_I2D_BIO, 0), "ASN1_item_i2d_bio"},
"asn1 sig parse error"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_AUX_ERROR), "aux error"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_OBJECT_HEADER), "bad object header"},
+ {ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BAD_TEMPLATE), "bad template"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BMPSTRING_IS_WRONG_LENGTH),
"bmpstring is wrong length"},
{ERR_PACK(ERR_LIB_ASN1, 0, ASN1_R_BN_LIB), "bn lib"},
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
goto err;
EVP_PKEY_free(ret);
ret = tmp;
+ if (EVP_PKEY_type(type) != EVP_PKEY_base_id(ret))
+ goto err;
} else {
ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB);
goto err;
/*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
tag, aclass, opt, ctx);
case ASN1_ITYPE_MSTRING:
+ /*
+ * It never makes sense for multi-strings to have implicit tagging, so
+ * if tag != -1, then this looks like an error in the template.
+ */
+ if (tag != -1) {
+ ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_BAD_TEMPLATE);
+ goto err;
+ }
+
p = *in;
/* Just read in tag and class */
ret = asn1_check_tlen(NULL, &otag, &oclass, NULL, NULL,
ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_MSTRING_NOT_UNIVERSAL);
goto err;
}
+
/* Check tag matches bit map */
if (!(ASN1_tag2bit(otag) & it->utype)) {
/* If OPTIONAL, assume this is OK */
return ef->asn1_ex_d2i(pval, in, len, it, tag, aclass, opt, ctx);
case ASN1_ITYPE_CHOICE:
+ /*
+ * It never makes sense for CHOICE types to have implicit tagging, so
+ * if tag != -1, then this looks like an error in the template.
+ */
+ if (tag != -1) {
+ ASN1err(ASN1_F_ASN1_ITEM_EMBED_D2I, ASN1_R_BAD_TEMPLATE);
+ goto err;
+ }
+
if (asn1_cb && !asn1_cb(ASN1_OP_D2I_PRE, pval, it, NULL))
goto auxerr;
if (*pval) {
/*
- * Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
return asn1_i2d_ex_primitive(pval, out, it, tag, aclass);
case ASN1_ITYPE_MSTRING:
+ /*
+ * It never makes sense for multi-strings to have implicit tagging, so
+ * if tag != -1, then this looks like an error in the template.
+ */
+ if (tag != -1) {
+ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE);
+ return -1;
+ }
return asn1_i2d_ex_primitive(pval, out, it, -1, aclass);
case ASN1_ITYPE_CHOICE:
+ /*
+ * It never makes sense for CHOICE types to have implicit tagging, so
+ * if tag != -1, then this looks like an error in the template.
+ */
+ if (tag != -1) {
+ ASN1err(ASN1_F_ASN1_ITEM_EX_I2D, ASN1_R_BAD_TEMPLATE);
+ return -1;
+ }
if (asn1_cb && !asn1_cb(ASN1_OP_I2D_PRE, pval, it, NULL))
return 0;
i = asn1_get_choice_selector(pval, it);
/*
- * Copyright 1998-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
return 0;
return ASN1_TYPE_cmp(a->parameter, b->parameter);
}
+
+int X509_ALGOR_copy(X509_ALGOR *dest, const X509_ALGOR *src)
+{
+ if (src == NULL || dest == NULL)
+ return 0;
+
+ if (dest->algorithm)
+ ASN1_OBJECT_free(dest->algorithm);
+ dest->algorithm = NULL;
+
+ if (dest->parameter)
+ ASN1_TYPE_free(dest->parameter);
+ dest->parameter = NULL;
+
+ if (src->algorithm)
+ if ((dest->algorithm = OBJ_dup(src->algorithm)) == NULL)
+ return 0;
+
+ if (src->parameter) {
+ dest->parameter = ASN1_TYPE_new();
+ if (dest->parameter == NULL)
+ return 0;
+
+ /* Assuming this is also correct for a BOOL.
+ * set does copy as a side effect.
+ */
+ if (ASN1_TYPE_set1(dest->parameter,
+ src->parameter->type, src->parameter->value.ptr) == 0)
+ return 0;
+ }
+ return 1;
+}
/*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* https://www.openssl.org/source/license.html
*/
+#ifndef _GNU_SOURCE
+# define _GNU_SOURCE
+#endif
+
#include <assert.h>
#include <string.h>
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
fvalue = tmpvalue;
}
ufvalue = abs_val(fvalue);
- if (ufvalue > ULONG_MAX) {
+ /*
+ * By subtracting 65535 (2^16-1) we cancel the low order 15 bits
+ * of ULONG_MAX to avoid using imprecise floating point values.
+ */
+ if (ufvalue >= (double)(ULONG_MAX - 65535) + 65536.0) {
/* Number too big */
return 0;
}
b->init = 1;
} else if (num == 1) {
OPENSSL_free(data->param_serv);
- data->param_serv = BUF_strdup(ptr);
- b->init = 1;
+ if ((data->param_serv = OPENSSL_strdup(ptr)) == NULL)
+ ret = 0;
+ else
+ b->init = 1;
} else if (num == 2) {
data->bind_mode |= BIO_SOCK_NONBLOCK;
} else if (num == 3) {
case BIO_CONN_S_BLOCKED_CONNECT:
i = BIO_sock_error(b->num);
- if (i) {
+ if (i != 0) {
BIO_clear_retry_flags(b);
+ if ((c->addr_iter = BIO_ADDRINFO_next(c->addr_iter)) != NULL) {
+ /*
+ * if there are more addresses to try, do that first
+ */
+ BIO_closesocket(b->num);
+ c->state = BIO_CONN_S_CREATE_SOCKET;
+ ERR_clear_error();
+ break;
+ }
SYSerr(SYS_F_CONNECT, i);
ERR_add_error_data(4,
"hostname=", c->param_hostname,
case BIO_C_SET_CONNECT:
if (ptr != NULL) {
b->init = 1;
- if (num == 0) {
+ if (num == 0) { /* BIO_set_conn_hostname */
char *hold_service = data->param_service;
/* We affect the hostname regardless. However, the input
* string might contain a host:service spec, so we must
* parse it, which might or might not affect the service
*/
+
OPENSSL_free(data->param_hostname);
data->param_hostname = NULL;
ret = BIO_parse_hostserv(ptr,
BIO_PARSE_PRIO_HOST);
if (hold_service != data->param_service)
OPENSSL_free(hold_service);
- } else if (num == 1) {
+ } else if (num == 1) { /* BIO_set_conn_port */
OPENSSL_free(data->param_service);
- data->param_service = BUF_strdup(ptr);
- } else if (num == 2) {
+ if ((data->param_service = OPENSSL_strdup(ptr)) == NULL)
+ ret = 0;
+ } else if (num == 2) { /* BIO_set_conn_address */
const BIO_ADDR *addr = (const BIO_ADDR *)ptr;
+ char *host = BIO_ADDR_hostname_string(addr, 1);
+ char *service = BIO_ADDR_service_string(addr, 1);
+
+ ret = host != NULL && service != NULL;
if (ret) {
- data->param_hostname = BIO_ADDR_hostname_string(addr, 1);
- data->param_service = BIO_ADDR_service_string(addr, 1);
+ OPENSSL_free(data->param_hostname);
+ data->param_hostname = host;
+ OPENSSL_free(data->param_service);
+ data->param_service = service;
BIO_ADDRINFO_free(data->addr_first);
data->addr_first = NULL;
data->addr_iter = NULL;
+ } else {
+ OPENSSL_free(host);
+ OPENSSL_free(service);
}
- } else if (num == 3) {
+ } else if (num == 3) { /* BIO_set_conn_ip_family */
data->connect_family = *(int *)ptr;
} else {
ret = 0;
$addx = ($1>=11);
}
-if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([0-9]+)\.([0-9]+)/) {
+if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|based on LLVM) ([0-9]+)\.([0-9]+)/) {
my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
$avx = ($ver>=3.0) + ($ver>=3.01);
$addx = ($ver>=3.03);
$addx = ($1>=12);
}
-if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) {
+if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) {
my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
$addx = ($ver>=3.03);
}
$addx = ($1>=12);
}
-if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) {
+if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) {
my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
$addx = ($ver>=3.03);
}
$addx = ($1>=12);
}
-if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) {
+if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) {
my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
$addx = ($ver>=3.03);
}
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include "internal/cryptlib.h"
#include "bn_local.h"
-/* solves ax == 1 (mod n) */
-static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
- const BIGNUM *a, const BIGNUM *n,
- BN_CTX *ctx);
-
-BIGNUM *BN_mod_inverse(BIGNUM *in,
- const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
+/*
+ * bn_mod_inverse_no_branch is a special version of BN_mod_inverse. It does
+ * not contain branches that may leak sensitive information.
+ *
+ * This is a static function, we ensure all callers in this file pass valid
+ * arguments: all passed pointers here are non-NULL.
+ */
+static ossl_inline
+BIGNUM *bn_mod_inverse_no_branch(BIGNUM *in,
+ const BIGNUM *a, const BIGNUM *n,
+ BN_CTX *ctx, int *pnoinv)
{
- BIGNUM *rv;
- int noinv;
- rv = int_bn_mod_inverse(in, a, n, ctx, &noinv);
- if (noinv)
- BNerr(BN_F_BN_MOD_INVERSE, BN_R_NO_INVERSE);
- return rv;
+ BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
+ BIGNUM *ret = NULL;
+ int sign;
+
+ bn_check_top(a);
+ bn_check_top(n);
+
+ BN_CTX_start(ctx);
+ A = BN_CTX_get(ctx);
+ B = BN_CTX_get(ctx);
+ X = BN_CTX_get(ctx);
+ D = BN_CTX_get(ctx);
+ M = BN_CTX_get(ctx);
+ Y = BN_CTX_get(ctx);
+ T = BN_CTX_get(ctx);
+ if (T == NULL)
+ goto err;
+
+ if (in == NULL)
+ R = BN_new();
+ else
+ R = in;
+ if (R == NULL)
+ goto err;
+
+ BN_one(X);
+ BN_zero(Y);
+ if (BN_copy(B, a) == NULL)
+ goto err;
+ if (BN_copy(A, n) == NULL)
+ goto err;
+ A->neg = 0;
+
+ if (B->neg || (BN_ucmp(B, A) >= 0)) {
+ /*
+ * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
+ * BN_div_no_branch will be called eventually.
+ */
+ {
+ BIGNUM local_B;
+ bn_init(&local_B);
+ BN_with_flags(&local_B, B, BN_FLG_CONSTTIME);
+ if (!BN_nnmod(B, &local_B, A, ctx))
+ goto err;
+ /* Ensure local_B goes out of scope before any further use of B */
+ }
+ }
+ sign = -1;
+ /*-
+ * From B = a mod |n|, A = |n| it follows that
+ *
+ * 0 <= B < A,
+ * -sign*X*a == B (mod |n|),
+ * sign*Y*a == A (mod |n|).
+ */
+
+ while (!BN_is_zero(B)) {
+ BIGNUM *tmp;
+
+ /*-
+ * 0 < B < A,
+ * (*) -sign*X*a == B (mod |n|),
+ * sign*Y*a == A (mod |n|)
+ */
+
+ /*
+ * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
+ * BN_div_no_branch will be called eventually.
+ */
+ {
+ BIGNUM local_A;
+ bn_init(&local_A);
+ BN_with_flags(&local_A, A, BN_FLG_CONSTTIME);
+
+ /* (D, M) := (A/B, A%B) ... */
+ if (!BN_div(D, M, &local_A, B, ctx))
+ goto err;
+ /* Ensure local_A goes out of scope before any further use of A */
+ }
+
+ /*-
+ * Now
+ * A = D*B + M;
+ * thus we have
+ * (**) sign*Y*a == D*B + M (mod |n|).
+ */
+
+ tmp = A; /* keep the BIGNUM object, the value does not
+ * matter */
+
+ /* (A, B) := (B, A mod B) ... */
+ A = B;
+ B = M;
+ /* ... so we have 0 <= B < A again */
+
+ /*-
+ * Since the former M is now B and the former B is now A,
+ * (**) translates into
+ * sign*Y*a == D*A + B (mod |n|),
+ * i.e.
+ * sign*Y*a - D*A == B (mod |n|).
+ * Similarly, (*) translates into
+ * -sign*X*a == A (mod |n|).
+ *
+ * Thus,
+ * sign*Y*a + D*sign*X*a == B (mod |n|),
+ * i.e.
+ * sign*(Y + D*X)*a == B (mod |n|).
+ *
+ * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
+ * -sign*X*a == B (mod |n|),
+ * sign*Y*a == A (mod |n|).
+ * Note that X and Y stay non-negative all the time.
+ */
+
+ if (!BN_mul(tmp, D, X, ctx))
+ goto err;
+ if (!BN_add(tmp, tmp, Y))
+ goto err;
+
+ M = Y; /* keep the BIGNUM object, the value does not
+ * matter */
+ Y = X;
+ X = tmp;
+ sign = -sign;
+ }
+
+ /*-
+ * The while loop (Euclid's algorithm) ends when
+ * A == gcd(a,n);
+ * we have
+ * sign*Y*a == A (mod |n|),
+ * where Y is non-negative.
+ */
+
+ if (sign < 0) {
+ if (!BN_sub(Y, n, Y))
+ goto err;
+ }
+ /* Now Y*a == A (mod |n|). */
+
+ if (BN_is_one(A)) {
+ /* Y*a == 1 (mod |n|) */
+ if (!Y->neg && BN_ucmp(Y, n) < 0) {
+ if (!BN_copy(R, Y))
+ goto err;
+ } else {
+ if (!BN_nnmod(R, Y, n, ctx))
+ goto err;
+ }
+ } else {
+ *pnoinv = 1;
+ /* caller sets the BN_R_NO_INVERSE error */
+ goto err;
+ }
+
+ ret = R;
+ *pnoinv = 0;
+
+ err:
+ if ((ret == NULL) && (in == NULL))
+ BN_free(R);
+ BN_CTX_end(ctx);
+ bn_check_top(ret);
+ return ret;
}
+/*
+ * This is an internal function, we assume all callers pass valid arguments:
+ * all pointers passed here are assumed non-NULL.
+ */
BIGNUM *int_bn_mod_inverse(BIGNUM *in,
const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx,
int *pnoinv)
/* This is invalid input so we don't worry about constant time here */
if (BN_abs_is_word(n, 1) || BN_is_zero(n)) {
- if (pnoinv != NULL)
- *pnoinv = 1;
+ *pnoinv = 1;
return NULL;
}
- if (pnoinv != NULL)
- *pnoinv = 0;
+ *pnoinv = 0;
if ((BN_get_flags(a, BN_FLG_CONSTTIME) != 0)
|| (BN_get_flags(n, BN_FLG_CONSTTIME) != 0)) {
- return BN_mod_inverse_no_branch(in, a, n, ctx);
+ return bn_mod_inverse_no_branch(in, a, n, ctx, pnoinv);
}
bn_check_top(a);
goto err;
}
} else {
- if (pnoinv)
- *pnoinv = 1;
+ *pnoinv = 1;
goto err;
}
ret = R;
return ret;
}
-/*
- * BN_mod_inverse_no_branch is a special version of BN_mod_inverse. It does
- * not contain branches that may leak sensitive information.
- */
-static BIGNUM *BN_mod_inverse_no_branch(BIGNUM *in,
- const BIGNUM *a, const BIGNUM *n,
- BN_CTX *ctx)
+/* solves ax == 1 (mod n) */
+BIGNUM *BN_mod_inverse(BIGNUM *in,
+ const BIGNUM *a, const BIGNUM *n, BN_CTX *ctx)
{
- BIGNUM *A, *B, *X, *Y, *M, *D, *T, *R = NULL;
- BIGNUM *ret = NULL;
- int sign;
-
- bn_check_top(a);
- bn_check_top(n);
-
- BN_CTX_start(ctx);
- A = BN_CTX_get(ctx);
- B = BN_CTX_get(ctx);
- X = BN_CTX_get(ctx);
- D = BN_CTX_get(ctx);
- M = BN_CTX_get(ctx);
- Y = BN_CTX_get(ctx);
- T = BN_CTX_get(ctx);
- if (T == NULL)
- goto err;
-
- if (in == NULL)
- R = BN_new();
- else
- R = in;
- if (R == NULL)
- goto err;
-
- BN_one(X);
- BN_zero(Y);
- if (BN_copy(B, a) == NULL)
- goto err;
- if (BN_copy(A, n) == NULL)
- goto err;
- A->neg = 0;
-
- if (B->neg || (BN_ucmp(B, A) >= 0)) {
- /*
- * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
- * BN_div_no_branch will be called eventually.
- */
- {
- BIGNUM local_B;
- bn_init(&local_B);
- BN_with_flags(&local_B, B, BN_FLG_CONSTTIME);
- if (!BN_nnmod(B, &local_B, A, ctx))
- goto err;
- /* Ensure local_B goes out of scope before any further use of B */
- }
- }
- sign = -1;
- /*-
- * From B = a mod |n|, A = |n| it follows that
- *
- * 0 <= B < A,
- * -sign*X*a == B (mod |n|),
- * sign*Y*a == A (mod |n|).
- */
-
- while (!BN_is_zero(B)) {
- BIGNUM *tmp;
-
- /*-
- * 0 < B < A,
- * (*) -sign*X*a == B (mod |n|),
- * sign*Y*a == A (mod |n|)
- */
-
- /*
- * Turn BN_FLG_CONSTTIME flag on, so that when BN_div is invoked,
- * BN_div_no_branch will be called eventually.
- */
- {
- BIGNUM local_A;
- bn_init(&local_A);
- BN_with_flags(&local_A, A, BN_FLG_CONSTTIME);
+ BN_CTX *new_ctx = NULL;
+ BIGNUM *rv;
+ int noinv = 0;
- /* (D, M) := (A/B, A%B) ... */
- if (!BN_div(D, M, &local_A, B, ctx))
- goto err;
- /* Ensure local_A goes out of scope before any further use of A */
+ if (ctx == NULL) {
+ ctx = new_ctx = BN_CTX_new();
+ if (ctx == NULL) {
+ BNerr(BN_F_BN_MOD_INVERSE, ERR_R_MALLOC_FAILURE);
+ return NULL;
}
-
- /*-
- * Now
- * A = D*B + M;
- * thus we have
- * (**) sign*Y*a == D*B + M (mod |n|).
- */
-
- tmp = A; /* keep the BIGNUM object, the value does not
- * matter */
-
- /* (A, B) := (B, A mod B) ... */
- A = B;
- B = M;
- /* ... so we have 0 <= B < A again */
-
- /*-
- * Since the former M is now B and the former B is now A,
- * (**) translates into
- * sign*Y*a == D*A + B (mod |n|),
- * i.e.
- * sign*Y*a - D*A == B (mod |n|).
- * Similarly, (*) translates into
- * -sign*X*a == A (mod |n|).
- *
- * Thus,
- * sign*Y*a + D*sign*X*a == B (mod |n|),
- * i.e.
- * sign*(Y + D*X)*a == B (mod |n|).
- *
- * So if we set (X, Y, sign) := (Y + D*X, X, -sign), we arrive back at
- * -sign*X*a == B (mod |n|),
- * sign*Y*a == A (mod |n|).
- * Note that X and Y stay non-negative all the time.
- */
-
- if (!BN_mul(tmp, D, X, ctx))
- goto err;
- if (!BN_add(tmp, tmp, Y))
- goto err;
-
- M = Y; /* keep the BIGNUM object, the value does not
- * matter */
- Y = X;
- X = tmp;
- sign = -sign;
- }
-
- /*-
- * The while loop (Euclid's algorithm) ends when
- * A == gcd(a,n);
- * we have
- * sign*Y*a == A (mod |n|),
- * where Y is non-negative.
- */
-
- if (sign < 0) {
- if (!BN_sub(Y, n, Y))
- goto err;
}
- /* Now Y*a == A (mod |n|). */
- if (BN_is_one(A)) {
- /* Y*a == 1 (mod |n|) */
- if (!Y->neg && BN_ucmp(Y, n) < 0) {
- if (!BN_copy(R, Y))
- goto err;
- } else {
- if (!BN_nnmod(R, Y, n, ctx))
- goto err;
- }
- } else {
- BNerr(BN_F_BN_MOD_INVERSE_NO_BRANCH, BN_R_NO_INVERSE);
- goto err;
- }
- ret = R;
- err:
- if ((ret == NULL) && (in == NULL))
- BN_free(R);
- BN_CTX_end(ctx);
- bn_check_top(ret);
- return ret;
+ rv = int_bn_mod_inverse(in, a, n, ctx, &noinv);
+ if (noinv)
+ BNerr(BN_F_BN_MOD_INVERSE, BN_R_NO_INVERSE);
+ BN_CTX_free(new_ctx);
+ return rv;
}
/*-
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
return &const_one;
}
+/*
+ * Old Visual Studio ARM compiler miscompiles BN_num_bits_word()
+ * https://mta.openssl.org/pipermail/openssl-users/2018-August/008465.html
+ */
+#if defined(_MSC_VER) && defined(_ARM_) && defined(_WIN32_WCE) \
+ && _MSC_VER>=1400 && _MSC_VER<1501
+# define MS_BROKEN_BN_num_bits_word
+# pragma optimize("", off)
+#endif
int BN_num_bits_word(BN_ULONG l)
{
BN_ULONG x, mask;
return bits;
}
+#ifdef MS_BROKEN_BN_num_bits_word
+# pragma optimize("", on)
+#endif
/*
* This function still leaks `a->dmax`: it's caller's responsibility to
BIGNUM *BN_copy(BIGNUM *a, const BIGNUM *b)
{
+ int bn_words;
+
bn_check_top(b);
+ bn_words = BN_get_flags(b, BN_FLG_CONSTTIME) ? b->dmax : b->top;
+
if (a == b)
return a;
- if (bn_wexpand(a, b->top) == NULL)
+ if (bn_wexpand(a, bn_words) == NULL)
return NULL;
if (b->top > 0)
- memcpy(a->d, b->d, sizeof(b->d[0]) * b->top);
+ memcpy(a->d, b->d, sizeof(b->d[0]) * bn_words);
a->neg = b->neg;
a->top = b->top;
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
int neg = 0;
BIGNUM *a = NULL;
- if (n < 4) {
+ if (n < 4 || (d[0] & 0x80) != 0) {
BNerr(BN_F_BN_MPI2BN, BN_R_INVALID_LENGTH);
return NULL;
}
.text
.extern OPENSSL_armcap_P
+.hidden OPENSSL_armcap_P
.align 5
.Lsigma:
$1>=10); # first version supporting AVX
$ymm=1 if ($xmm && !$ymm &&
- `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([0-9]+\.[0-9]+)/ &&
+ `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|based on LLVM) ([0-9]+\.[0-9]+)/ &&
$2>=3.0); # first version supporting AVX
$a="eax";
$avx = ($1>=10) + ($1>=11);
}
-if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
+if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0);
}
/*
- * Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
return 1;
}
/* Initialise context */
- if (cipher && !EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL))
- return 0;
+ if (cipher != NULL) {
+ /* Ensure we can't use this ctx until we also have a key */
+ ctx->nlast_block = -1;
+ if (!EVP_EncryptInit_ex(ctx->cctx, cipher, impl, NULL, NULL))
+ return 0;
+ }
/* Non-NULL key means initialisation complete */
- if (key) {
+ if (key != NULL) {
int bl;
+
+ /* If anything fails then ensure we can't use this ctx */
+ ctx->nlast_block = -1;
if (!EVP_CIPHER_CTX_cipher(ctx->cctx))
return 0;
if (!EVP_CIPHER_CTX_set_key_length(ctx->cctx, keylen))
if (!EVP_EncryptInit_ex(ctx->cctx, NULL, NULL, key, zero_iv))
return 0;
bl = EVP_CIPHER_CTX_block_size(ctx->cctx);
- if (!EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl))
+ if (EVP_Cipher(ctx->cctx, ctx->tbl, zero_iv, bl) <= 0)
return 0;
make_kn(ctx->k1, ctx->tbl, bl);
make_kn(ctx->k2, ctx->k1, bl);
return 1;
data += nleft;
/* Else not final block so encrypt it */
- if (!EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl))
+ if (EVP_Cipher(ctx->cctx, ctx->tbl, ctx->last_block, bl) <= 0)
return 0;
}
/* Encrypt all but one of the complete blocks left */
while (dlen > bl) {
- if (!EVP_Cipher(ctx->cctx, ctx->tbl, data, bl))
+ if (EVP_Cipher(ctx->cctx, ctx->tbl, data, bl) <= 0)
return 0;
dlen -= bl;
data += bl;
/*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
default:
CMSerr(CMS_F_CMS_DATAINIT, CMS_R_UNSUPPORTED_TYPE);
- return NULL;
+ goto err;
}
if (cmsbio)
return BIO_push(cmsbio, cont);
+err:
if (!icont)
BIO_free(cont);
return NULL;
/*
- * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
ASN1_INTEGER *key = NULL;
if (keysize > 0) {
key = ASN1_INTEGER_new();
- if (key == NULL || !ASN1_INTEGER_set(key, keysize))
+ if (key == NULL || !ASN1_INTEGER_set(key, keysize)) {
+ ASN1_INTEGER_free(key);
return 0;
+ }
}
alg = X509_ALGOR_new();
if (alg == NULL) {
/*
- * Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
char *ptr;
long len;
len = BIO_get_mem_data(dcont, &ptr);
- tmpin = BIO_new_mem_buf(ptr, len);
+ tmpin = (len == 0) ? dcont : BIO_new_mem_buf(ptr, len);
if (tmpin == NULL) {
CMSerr(CMS_F_CMS_VERIFY, ERR_R_MALLOC_FAILURE);
goto err2;
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
if (biosk == NULL) {
if ((biosk = sk_BIO_new_null()) == NULL) {
CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
+ BIO_free(next);
goto err;
}
}
if (!sk_BIO_push(biosk, in)) {
CONFerr(CONF_F_DEF_LOAD_BIO, ERR_R_MALLOC_FAILURE);
+ BIO_free(next);
goto err;
}
/* continue with reading from the included BIO */
/*
- * Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
/* Enumerate the modules to find one which includes me. */
do {
- if ((uintptr_t) addr >= (uintptr_t) me32.modBaseAddr &&
- (uintptr_t) addr < (uintptr_t) (me32.modBaseAddr + me32.modBaseSize)) {
+ if ((size_t) addr >= (size_t) me32.modBaseAddr &&
+ (size_t) addr < (size_t) (me32.modBaseAddr + me32.modBaseSize)) {
(*close_snap) (hModuleSnap);
FreeLibrary(dll);
# ifdef _WIN32_WCE
ldr $t2,[sp,#32*18+12] @ ~is_equal(S1,S2)
mvn $t0,$t0 @ -1/0 -> 0/-1
mvn $t1,$t1 @ -1/0 -> 0/-1
- orr $a0,$t0
- orr $a0,$t1
- orrs $a0,$t2 @ set flags
+ orr $a0,$a0,$t0
+ orr $a0,$a0,$t1
+ orrs $a0,$a0,$t2 @ set flags
@ if(~is_equal(U1,U2) | in1infty | in2infty | ~is_equal(S1,S2))
bne .Ladd_proceed
+++ /dev/null
-#! /usr/bin/env perl
-# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
-# Copyright (c) 2014, Intel Corporation. All Rights Reserved.
-#
-# Licensed under the OpenSSL license (the "License"). You may not use
-# this file except in compliance with the License. You can obtain a copy
-# in the file LICENSE in the source distribution or at
-# https://www.openssl.org/source/license.html
-#
-# Originally written by Shay Gueron (1, 2), and Vlad Krasnov (1)
-# (1) Intel Corporation, Israel Development Center, Haifa, Israel
-# (2) University of Haifa, Israel
-#
-# Reference:
-# S.Gueron and V.Krasnov, "Fast Prime Field Elliptic Curve Cryptography with
-# 256 Bit Primes"
-
-$flavour = shift;
-$output = shift;
-if ($flavour =~ /\./) { $output = $flavour; undef $flavour; }
-
-$win64=0; $win64=1 if ($flavour =~ /[nm]asm|mingw64/ || $output =~ /\.asm$/);
-
-$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
-( $xlate="${dir}x86_64-xlate.pl" and -f $xlate ) or
-( $xlate="${dir}../../perlasm/x86_64-xlate.pl" and -f $xlate) or
-die "can't locate x86_64-xlate.pl";
-
-open OUT,"| \"$^X\" $xlate $flavour $output";
-*STDOUT=*OUT;
-
-if (`$ENV{CC} -Wa,-v -c -o /dev/null -x assembler /dev/null 2>&1`
- =~ /GNU assembler version ([2-9]\.[0-9]+)/) {
- $avx = ($1>=2.19) + ($1>=2.22);
- $addx = ($1>=2.23);
-}
-
-if (!$addx && $win64 && ($flavour =~ /nasm/ || $ENV{ASM} =~ /nasm/) &&
- `nasm -v 2>&1` =~ /NASM version ([2-9]\.[0-9]+)/) {
- $avx = ($1>=2.09) + ($1>=2.10);
- $addx = ($1>=2.10);
-}
-
-if (!$addx && $win64 && ($flavour =~ /masm/ || $ENV{ASM} =~ /ml64/) &&
- `ml64 2>&1` =~ /Version ([0-9]+)\./) {
- $avx = ($1>=10) + ($1>=11);
- $addx = ($1>=12);
-}
-
-if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([0-9]+)\.([0-9]+)/) {
- my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
- $avx = ($ver>=3.0) + ($ver>=3.01);
- $addx = ($ver>=3.03);
-}
-
-if ($avx>=2) {{
-$digit_size = "\$29";
-$n_digits = "\$9";
-
-$code.=<<___;
-.text
-
-.align 64
-.LAVX2_AND_MASK:
-.LAVX2_POLY:
-.quad 0x1fffffff, 0x1fffffff, 0x1fffffff, 0x1fffffff
-.quad 0x1fffffff, 0x1fffffff, 0x1fffffff, 0x1fffffff
-.quad 0x1fffffff, 0x1fffffff, 0x1fffffff, 0x1fffffff
-.quad 0x000001ff, 0x000001ff, 0x000001ff, 0x000001ff
-.quad 0x00000000, 0x00000000, 0x00000000, 0x00000000
-.quad 0x00000000, 0x00000000, 0x00000000, 0x00000000
-.quad 0x00040000, 0x00040000, 0x00040000, 0x00040000
-.quad 0x1fe00000, 0x1fe00000, 0x1fe00000, 0x1fe00000
-.quad 0x00ffffff, 0x00ffffff, 0x00ffffff, 0x00ffffff
-
-.LAVX2_POLY_x2:
-.quad 0x7FFFFFFC, 0x7FFFFFFC, 0x7FFFFFFC, 0x7FFFFFFC
-.quad 0x7FFFFFFC, 0x7FFFFFFC, 0x7FFFFFFC, 0x7FFFFFFC
-.quad 0x7FFFFFFC, 0x7FFFFFFC, 0x7FFFFFFC, 0x7FFFFFFC
-.quad 0x400007FC, 0x400007FC, 0x400007FC, 0x400007FC
-.quad 0x3FFFFFFE, 0x3FFFFFFE, 0x3FFFFFFE, 0x3FFFFFFE
-.quad 0x3FFFFFFE, 0x3FFFFFFE, 0x3FFFFFFE, 0x3FFFFFFE
-.quad 0x400FFFFE, 0x400FFFFE, 0x400FFFFE, 0x400FFFFE
-.quad 0x7F7FFFFE, 0x7F7FFFFE, 0x7F7FFFFE, 0x7F7FFFFE
-.quad 0x03FFFFFC, 0x03FFFFFC, 0x03FFFFFC, 0x03FFFFFC
-
-.LAVX2_POLY_x8:
-.quad 0xFFFFFFF8, 0xFFFFFFF8, 0xFFFFFFF8, 0xFFFFFFF8
-.quad 0xFFFFFFF8, 0xFFFFFFF8, 0xFFFFFFF8, 0xFFFFFFF8
-.quad 0xFFFFFFF8, 0xFFFFFFF8, 0xFFFFFFF8, 0xFFFFFFF8
-.quad 0x80000FF8, 0x80000FF8, 0x80000FF8, 0x80000FF8
-.quad 0x7FFFFFFC, 0x7FFFFFFC, 0x7FFFFFFC, 0x7FFFFFFC
-.quad 0x7FFFFFFC, 0x7FFFFFFC, 0x7FFFFFFC, 0x7FFFFFFC
-.quad 0x801FFFFC, 0x801FFFFC, 0x801FFFFC, 0x801FFFFC
-.quad 0xFEFFFFFC, 0xFEFFFFFC, 0xFEFFFFFC, 0xFEFFFFFC
-.quad 0x07FFFFF8, 0x07FFFFF8, 0x07FFFFF8, 0x07FFFFF8
-
-.LONE:
-.quad 0x00000020, 0x00000020, 0x00000020, 0x00000020
-.quad 0x00000000, 0x00000000, 0x00000000, 0x00000000
-.quad 0x00000000, 0x00000000, 0x00000000, 0x00000000
-.quad 0x1fffc000, 0x1fffc000, 0x1fffc000, 0x1fffc000
-.quad 0x1fffffff, 0x1fffffff, 0x1fffffff, 0x1fffffff
-.quad 0x1fffffff, 0x1fffffff, 0x1fffffff, 0x1fffffff
-.quad 0x1f7fffff, 0x1f7fffff, 0x1f7fffff, 0x1f7fffff
-.quad 0x03ffffff, 0x03ffffff, 0x03ffffff, 0x03ffffff
-.quad 0x00000000, 0x00000000, 0x00000000, 0x00000000
-
-# RR = 2^266 mod p in AVX2 format, to transform from the native OpenSSL
-# Montgomery form (*2^256) to our format (*2^261)
-
-.LTO_MONT_AVX2:
-.quad 0x00000400, 0x00000400, 0x00000400, 0x00000400
-.quad 0x00000000, 0x00000000, 0x00000000, 0x00000000
-.quad 0x00000000, 0x00000000, 0x00000000, 0x00000000
-.quad 0x1ff80000, 0x1ff80000, 0x1ff80000, 0x1ff80000
-.quad 0x1fffffff, 0x1fffffff, 0x1fffffff, 0x1fffffff
-.quad 0x1fffffff, 0x1fffffff, 0x1fffffff, 0x1fffffff
-.quad 0x0fffffff, 0x0fffffff, 0x0fffffff, 0x0fffffff
-.quad 0x1fffffff, 0x1fffffff, 0x1fffffff, 0x1fffffff
-.quad 0x00000003, 0x00000003, 0x00000003, 0x00000003
-
-.LFROM_MONT_AVX2:
-.quad 0x00000001, 0x00000001, 0x00000001, 0x00000001
-.quad 0x00000000, 0x00000000, 0x00000000, 0x00000000
-.quad 0x00000000, 0x00000000, 0x00000000, 0x00000000
-.quad 0x1ffffe00, 0x1ffffe00, 0x1ffffe00, 0x1ffffe00
-.quad 0x1fffffff, 0x1fffffff, 0x1fffffff, 0x1fffffff
-.quad 0x1fffffff, 0x1fffffff, 0x1fffffff, 0x1fffffff
-.quad 0x1ffbffff, 0x1ffbffff, 0x1ffbffff, 0x1ffbffff
-.quad 0x001fffff, 0x001fffff, 0x001fffff, 0x001fffff
-.quad 0x00000000, 0x00000000, 0x00000000, 0x00000000
-
-.LIntOne:
-.long 1,1,1,1,1,1,1,1
-___
-
-{
-# This function receives a pointer to an array of four affine points
-# (X, Y, <1>) and rearranges the data for AVX2 execution, while
-# converting it to 2^29 radix redundant form
-
-my ($X0,$X1,$X2,$X3, $Y0,$Y1,$Y2,$Y3,
- $T0,$T1,$T2,$T3, $T4,$T5,$T6,$T7)=map("%ymm$_",(0..15));
-
-$code.=<<___;
-.globl ecp_nistz256_avx2_transpose_convert
-.type ecp_nistz256_avx2_transpose_convert,\@function,2
-.align 64
-ecp_nistz256_avx2_transpose_convert:
- vzeroupper
-___
-$code.=<<___ if ($win64);
- lea -8-16*10(%rsp), %rsp
- vmovaps %xmm6, -8-16*10(%rax)
- vmovaps %xmm7, -8-16*9(%rax)
- vmovaps %xmm8, -8-16*8(%rax)
- vmovaps %xmm9, -8-16*7(%rax)
- vmovaps %xmm10, -8-16*6(%rax)
- vmovaps %xmm11, -8-16*5(%rax)
- vmovaps %xmm12, -8-16*4(%rax)
- vmovaps %xmm13, -8-16*3(%rax)
- vmovaps %xmm14, -8-16*2(%rax)
- vmovaps %xmm15, -8-16*1(%rax)
-___
-$code.=<<___;
- # Load the data
- vmovdqa 32*0(%rsi), $X0
- lea 112(%rsi), %rax # size optimization
- vmovdqa 32*1(%rsi), $Y0
- lea .LAVX2_AND_MASK(%rip), %rdx
- vmovdqa 32*2(%rsi), $X1
- vmovdqa 32*3(%rsi), $Y1
- vmovdqa 32*4-112(%rax), $X2
- vmovdqa 32*5-112(%rax), $Y2
- vmovdqa 32*6-112(%rax), $X3
- vmovdqa 32*7-112(%rax), $Y3
-
- # Transpose X and Y independently
- vpunpcklqdq $X1, $X0, $T0 # T0 = [B2 A2 B0 A0]
- vpunpcklqdq $X3, $X2, $T1 # T1 = [D2 C2 D0 C0]
- vpunpckhqdq $X1, $X0, $T2 # T2 = [B3 A3 B1 A1]
- vpunpckhqdq $X3, $X2, $T3 # T3 = [D3 C3 D1 C1]
-
- vpunpcklqdq $Y1, $Y0, $T4
- vpunpcklqdq $Y3, $Y2, $T5
- vpunpckhqdq $Y1, $Y0, $T6
- vpunpckhqdq $Y3, $Y2, $T7
-
- vperm2i128 \$0x20, $T1, $T0, $X0 # X0 = [D0 C0 B0 A0]
- vperm2i128 \$0x20, $T3, $T2, $X1 # X1 = [D1 C1 B1 A1]
- vperm2i128 \$0x31, $T1, $T0, $X2 # X2 = [D2 C2 B2 A2]
- vperm2i128 \$0x31, $T3, $T2, $X3 # X3 = [D3 C3 B3 A3]
-
- vperm2i128 \$0x20, $T5, $T4, $Y0
- vperm2i128 \$0x20, $T7, $T6, $Y1
- vperm2i128 \$0x31, $T5, $T4, $Y2
- vperm2i128 \$0x31, $T7, $T6, $Y3
- vmovdqa (%rdx), $T7
-
- vpand (%rdx), $X0, $T0 # out[0] = in[0] & mask;
- vpsrlq \$29, $X0, $X0
- vpand $T7, $X0, $T1 # out[1] = (in[0] >> shift) & mask;
- vpsrlq \$29, $X0, $X0
- vpsllq \$6, $X1, $T2
- vpxor $X0, $T2, $T2
- vpand $T7, $T2, $T2 # out[2] = ((in[0] >> (shift*2)) ^ (in[1] << (64-shift*2))) & mask;
- vpsrlq \$23, $X1, $X1
- vpand $T7, $X1, $T3 # out[3] = (in[1] >> ((shift*3)%64)) & mask;
- vpsrlq \$29, $X1, $X1
- vpsllq \$12, $X2, $T4
- vpxor $X1, $T4, $T4
- vpand $T7, $T4, $T4 # out[4] = ((in[1] >> ((shift*4)%64)) ^ (in[2] << (64*2-shift*4))) & mask;
- vpsrlq \$17, $X2, $X2
- vpand $T7, $X2, $T5 # out[5] = (in[2] >> ((shift*5)%64)) & mask;
- vpsrlq \$29, $X2, $X2
- vpsllq \$18, $X3, $T6
- vpxor $X2, $T6, $T6
- vpand $T7, $T6, $T6 # out[6] = ((in[2] >> ((shift*6)%64)) ^ (in[3] << (64*3-shift*6))) & mask;
- vpsrlq \$11, $X3, $X3
- vmovdqa $T0, 32*0(%rdi)
- lea 112(%rdi), %rax # size optimization
- vpand $T7, $X3, $T0 # out[7] = (in[3] >> ((shift*7)%64)) & mask;
- vpsrlq \$29, $X3, $X3 # out[8] = (in[3] >> ((shift*8)%64)) & mask;
-
- vmovdqa $T1, 32*1(%rdi)
- vmovdqa $T2, 32*2(%rdi)
- vmovdqa $T3, 32*3(%rdi)
- vmovdqa $T4, 32*4-112(%rax)
- vmovdqa $T5, 32*5-112(%rax)
- vmovdqa $T6, 32*6-112(%rax)
- vmovdqa $T0, 32*7-112(%rax)
- vmovdqa $X3, 32*8-112(%rax)
- lea 448(%rdi), %rax # size optimization
-
- vpand $T7, $Y0, $T0 # out[0] = in[0] & mask;
- vpsrlq \$29, $Y0, $Y0
- vpand $T7, $Y0, $T1 # out[1] = (in[0] >> shift) & mask;
- vpsrlq \$29, $Y0, $Y0
- vpsllq \$6, $Y1, $T2
- vpxor $Y0, $T2, $T2
- vpand $T7, $T2, $T2 # out[2] = ((in[0] >> (shift*2)) ^ (in[1] << (64-shift*2))) & mask;
- vpsrlq \$23, $Y1, $Y1
- vpand $T7, $Y1, $T3 # out[3] = (in[1] >> ((shift*3)%64)) & mask;
- vpsrlq \$29, $Y1, $Y1
- vpsllq \$12, $Y2, $T4
- vpxor $Y1, $T4, $T4
- vpand $T7, $T4, $T4 # out[4] = ((in[1] >> ((shift*4)%64)) ^ (in[2] << (64*2-shift*4))) & mask;
- vpsrlq \$17, $Y2, $Y2
- vpand $T7, $Y2, $T5 # out[5] = (in[2] >> ((shift*5)%64)) & mask;
- vpsrlq \$29, $Y2, $Y2
- vpsllq \$18, $Y3, $T6
- vpxor $Y2, $T6, $T6
- vpand $T7, $T6, $T6 # out[6] = ((in[2] >> ((shift*6)%64)) ^ (in[3] << (64*3-shift*6))) & mask;
- vpsrlq \$11, $Y3, $Y3
- vmovdqa $T0, 32*9-448(%rax)
- vpand $T7, $Y3, $T0 # out[7] = (in[3] >> ((shift*7)%64)) & mask;
- vpsrlq \$29, $Y3, $Y3 # out[8] = (in[3] >> ((shift*8)%64)) & mask;
-
- vmovdqa $T1, 32*10-448(%rax)
- vmovdqa $T2, 32*11-448(%rax)
- vmovdqa $T3, 32*12-448(%rax)
- vmovdqa $T4, 32*13-448(%rax)
- vmovdqa $T5, 32*14-448(%rax)
- vmovdqa $T6, 32*15-448(%rax)
- vmovdqa $T0, 32*16-448(%rax)
- vmovdqa $Y3, 32*17-448(%rax)
-
- vzeroupper
-___
-$code.=<<___ if ($win64);
- movaps 16*0(%rsp), %xmm6
- movaps 16*1(%rsp), %xmm7
- movaps 16*2(%rsp), %xmm8
- movaps 16*3(%rsp), %xmm9
- movaps 16*4(%rsp), %xmm10
- movaps 16*5(%rsp), %xmm11
- movaps 16*6(%rsp), %xmm12
- movaps 16*7(%rsp), %xmm13
- movaps 16*8(%rsp), %xmm14
- movaps 16*9(%rsp), %xmm15
- lea 8+16*10(%rsp), %rsp
-___
-$code.=<<___;
- ret
-.size ecp_nistz256_avx2_transpose_convert,.-ecp_nistz256_avx2_transpose_convert
-___
-}
-{
-################################################################################
-# This function receives a pointer to an array of four AVX2 formatted points
-# (X, Y, Z) convert the data to normal representation, and rearranges the data
-
-my ($D0,$D1,$D2,$D3, $D4,$D5,$D6,$D7, $D8)=map("%ymm$_",(0..8));
-my ($T0,$T1,$T2,$T3, $T4,$T5,$T6)=map("%ymm$_",(9..15));
-
-$code.=<<___;
-
-.globl ecp_nistz256_avx2_convert_transpose_back
-.type ecp_nistz256_avx2_convert_transpose_back,\@function,2
-.align 32
-ecp_nistz256_avx2_convert_transpose_back:
- vzeroupper
-___
-$code.=<<___ if ($win64);
- lea -8-16*10(%rsp), %rsp
- vmovaps %xmm6, -8-16*10(%rax)
- vmovaps %xmm7, -8-16*9(%rax)
- vmovaps %xmm8, -8-16*8(%rax)
- vmovaps %xmm9, -8-16*7(%rax)
- vmovaps %xmm10, -8-16*6(%rax)
- vmovaps %xmm11, -8-16*5(%rax)
- vmovaps %xmm12, -8-16*4(%rax)
- vmovaps %xmm13, -8-16*3(%rax)
- vmovaps %xmm14, -8-16*2(%rax)
- vmovaps %xmm15, -8-16*1(%rax)
-___
-$code.=<<___;
- mov \$3, %ecx
-
-.Lconv_loop:
- vmovdqa 32*0(%rsi), $D0
- lea 160(%rsi), %rax # size optimization
- vmovdqa 32*1(%rsi), $D1
- vmovdqa 32*2(%rsi), $D2
- vmovdqa 32*3(%rsi), $D3
- vmovdqa 32*4-160(%rax), $D4
- vmovdqa 32*5-160(%rax), $D5
- vmovdqa 32*6-160(%rax), $D6
- vmovdqa 32*7-160(%rax), $D7
- vmovdqa 32*8-160(%rax), $D8
-
- vpsllq \$29, $D1, $D1
- vpsllq \$58, $D2, $T0
- vpaddq $D1, $D0, $D0
- vpaddq $T0, $D0, $D0 # out[0] = (in[0]) ^ (in[1] << shift*1) ^ (in[2] << shift*2);
-
- vpsrlq \$6, $D2, $D2
- vpsllq \$23, $D3, $D3
- vpsllq \$52, $D4, $T1
- vpaddq $D2, $D3, $D3
- vpaddq $D3, $T1, $D1 # out[1] = (in[2] >> (64*1-shift*2)) ^ (in[3] << shift*3%64) ^ (in[4] << shift*4%64);
-
- vpsrlq \$12, $D4, $D4
- vpsllq \$17, $D5, $D5
- vpsllq \$46, $D6, $T2
- vpaddq $D4, $D5, $D5
- vpaddq $D5, $T2, $D2 # out[2] = (in[4] >> (64*2-shift*4)) ^ (in[5] << shift*5%64) ^ (in[6] << shift*6%64);
-
- vpsrlq \$18, $D6, $D6
- vpsllq \$11, $D7, $D7
- vpsllq \$40, $D8, $T3
- vpaddq $D6, $D7, $D7
- vpaddq $D7, $T3, $D3 # out[3] = (in[6] >> (64*3-shift*6)) ^ (in[7] << shift*7%64) ^ (in[8] << shift*8%64);
-
- vpunpcklqdq $D1, $D0, $T0 # T0 = [B2 A2 B0 A0]
- vpunpcklqdq $D3, $D2, $T1 # T1 = [D2 C2 D0 C0]
- vpunpckhqdq $D1, $D0, $T2 # T2 = [B3 A3 B1 A1]
- vpunpckhqdq $D3, $D2, $T3 # T3 = [D3 C3 D1 C1]
-
- vperm2i128 \$0x20, $T1, $T0, $D0 # X0 = [D0 C0 B0 A0]
- vperm2i128 \$0x20, $T3, $T2, $D1 # X1 = [D1 C1 B1 A1]
- vperm2i128 \$0x31, $T1, $T0, $D2 # X2 = [D2 C2 B2 A2]
- vperm2i128 \$0x31, $T3, $T2, $D3 # X3 = [D3 C3 B3 A3]
-
- vmovdqa $D0, 32*0(%rdi)
- vmovdqa $D1, 32*3(%rdi)
- vmovdqa $D2, 32*6(%rdi)
- vmovdqa $D3, 32*9(%rdi)
-
- lea 32*9(%rsi), %rsi
- lea 32*1(%rdi), %rdi
-
- dec %ecx
- jnz .Lconv_loop
-
- vzeroupper
-___
-$code.=<<___ if ($win64);
- movaps 16*0(%rsp), %xmm6
- movaps 16*1(%rsp), %xmm7
- movaps 16*2(%rsp), %xmm8
- movaps 16*3(%rsp), %xmm9
- movaps 16*4(%rsp), %xmm10
- movaps 16*5(%rsp), %xmm11
- movaps 16*6(%rsp), %xmm12
- movaps 16*7(%rsp), %xmm13
- movaps 16*8(%rsp), %xmm14
- movaps 16*9(%rsp), %xmm15
- lea 8+16*10(%rsp), %rsp
-___
-$code.=<<___;
- ret
-.size ecp_nistz256_avx2_convert_transpose_back,.-ecp_nistz256_avx2_convert_transpose_back
-___
-}
-{
-my ($r_ptr,$a_ptr,$b_ptr,$itr)=("%rdi","%rsi","%rdx","%ecx");
-my ($ACC0,$ACC1,$ACC2,$ACC3,$ACC4,$ACC5,$ACC6,$ACC7,$ACC8)=map("%ymm$_",(0..8));
-my ($B,$Y,$T0,$AND_MASK,$OVERFLOW)=map("%ymm$_",(9..13));
-
-sub NORMALIZE {
-my $ret=<<___;
- vpsrlq $digit_size, $ACC0, $T0
- vpand $AND_MASK, $ACC0, $ACC0
- vpaddq $T0, $ACC1, $ACC1
-
- vpsrlq $digit_size, $ACC1, $T0
- vpand $AND_MASK, $ACC1, $ACC1
- vpaddq $T0, $ACC2, $ACC2
-
- vpsrlq $digit_size, $ACC2, $T0
- vpand $AND_MASK, $ACC2, $ACC2
- vpaddq $T0, $ACC3, $ACC3
-
- vpsrlq $digit_size, $ACC3, $T0
- vpand $AND_MASK, $ACC3, $ACC3
- vpaddq $T0, $ACC4, $ACC4
-
- vpsrlq $digit_size, $ACC4, $T0
- vpand $AND_MASK, $ACC4, $ACC4
- vpaddq $T0, $ACC5, $ACC5
-
- vpsrlq $digit_size, $ACC5, $T0
- vpand $AND_MASK, $ACC5, $ACC5
- vpaddq $T0, $ACC6, $ACC6
-
- vpsrlq $digit_size, $ACC6, $T0
- vpand $AND_MASK, $ACC6, $ACC6
- vpaddq $T0, $ACC7, $ACC7
-
- vpsrlq $digit_size, $ACC7, $T0
- vpand $AND_MASK, $ACC7, $ACC7
- vpaddq $T0, $ACC8, $ACC8
- #vpand $AND_MASK, $ACC8, $ACC8
-___
- $ret;
-}
-
-sub STORE {
-my $ret=<<___;
- vmovdqa $ACC0, 32*0(%rdi)
- lea 160(%rdi), %rax # size optimization
- vmovdqa $ACC1, 32*1(%rdi)
- vmovdqa $ACC2, 32*2(%rdi)
- vmovdqa $ACC3, 32*3(%rdi)
- vmovdqa $ACC4, 32*4-160(%rax)
- vmovdqa $ACC5, 32*5-160(%rax)
- vmovdqa $ACC6, 32*6-160(%rax)
- vmovdqa $ACC7, 32*7-160(%rax)
- vmovdqa $ACC8, 32*8-160(%rax)
-___
- $ret;
-}
-
-$code.=<<___;
-.type avx2_normalize,\@abi-omnipotent
-.align 32
-avx2_normalize:
- vpsrlq $digit_size, $ACC0, $T0
- vpand $AND_MASK, $ACC0, $ACC0
- vpaddq $T0, $ACC1, $ACC1
-
- vpsrlq $digit_size, $ACC1, $T0
- vpand $AND_MASK, $ACC1, $ACC1
- vpaddq $T0, $ACC2, $ACC2
-
- vpsrlq $digit_size, $ACC2, $T0
- vpand $AND_MASK, $ACC2, $ACC2
- vpaddq $T0, $ACC3, $ACC3
-
- vpsrlq $digit_size, $ACC3, $T0
- vpand $AND_MASK, $ACC3, $ACC3
- vpaddq $T0, $ACC4, $ACC4
-
- vpsrlq $digit_size, $ACC4, $T0
- vpand $AND_MASK, $ACC4, $ACC4
- vpaddq $T0, $ACC5, $ACC5
-
- vpsrlq $digit_size, $ACC5, $T0
- vpand $AND_MASK, $ACC5, $ACC5
- vpaddq $T0, $ACC6, $ACC6
-
- vpsrlq $digit_size, $ACC6, $T0
- vpand $AND_MASK, $ACC6, $ACC6
- vpaddq $T0, $ACC7, $ACC7
-
- vpsrlq $digit_size, $ACC7, $T0
- vpand $AND_MASK, $ACC7, $ACC7
- vpaddq $T0, $ACC8, $ACC8
- #vpand $AND_MASK, $ACC8, $ACC8
-
- ret
-.size avx2_normalize,.-avx2_normalize
-
-.type avx2_normalize_n_store,\@abi-omnipotent
-.align 32
-avx2_normalize_n_store:
- vpsrlq $digit_size, $ACC0, $T0
- vpand $AND_MASK, $ACC0, $ACC0
- vpaddq $T0, $ACC1, $ACC1
-
- vpsrlq $digit_size, $ACC1, $T0
- vpand $AND_MASK, $ACC1, $ACC1
- vmovdqa $ACC0, 32*0(%rdi)
- lea 160(%rdi), %rax # size optimization
- vpaddq $T0, $ACC2, $ACC2
-
- vpsrlq $digit_size, $ACC2, $T0
- vpand $AND_MASK, $ACC2, $ACC2
- vmovdqa $ACC1, 32*1(%rdi)
- vpaddq $T0, $ACC3, $ACC3
-
- vpsrlq $digit_size, $ACC3, $T0
- vpand $AND_MASK, $ACC3, $ACC3
- vmovdqa $ACC2, 32*2(%rdi)
- vpaddq $T0, $ACC4, $ACC4
-
- vpsrlq $digit_size, $ACC4, $T0
- vpand $AND_MASK, $ACC4, $ACC4
- vmovdqa $ACC3, 32*3(%rdi)
- vpaddq $T0, $ACC5, $ACC5
-
- vpsrlq $digit_size, $ACC5, $T0
- vpand $AND_MASK, $ACC5, $ACC5
- vmovdqa $ACC4, 32*4-160(%rax)
- vpaddq $T0, $ACC6, $ACC6
-
- vpsrlq $digit_size, $ACC6, $T0
- vpand $AND_MASK, $ACC6, $ACC6
- vmovdqa $ACC5, 32*5-160(%rax)
- vpaddq $T0, $ACC7, $ACC7
-
- vpsrlq $digit_size, $ACC7, $T0
- vpand $AND_MASK, $ACC7, $ACC7
- vmovdqa $ACC6, 32*6-160(%rax)
- vpaddq $T0, $ACC8, $ACC8
- #vpand $AND_MASK, $ACC8, $ACC8
- vmovdqa $ACC7, 32*7-160(%rax)
- vmovdqa $ACC8, 32*8-160(%rax)
-
- ret
-.size avx2_normalize_n_store,.-avx2_normalize_n_store
-
-################################################################################
-# void avx2_mul_x4(void* RESULTx4, void *Ax4, void *Bx4);
-.type avx2_mul_x4,\@abi-omnipotent
-.align 32
-avx2_mul_x4:
- lea .LAVX2_POLY(%rip), %rax
-
- vpxor $ACC0, $ACC0, $ACC0
- vpxor $ACC1, $ACC1, $ACC1
- vpxor $ACC2, $ACC2, $ACC2
- vpxor $ACC3, $ACC3, $ACC3
- vpxor $ACC4, $ACC4, $ACC4
- vpxor $ACC5, $ACC5, $ACC5
- vpxor $ACC6, $ACC6, $ACC6
- vpxor $ACC7, $ACC7, $ACC7
-
- vmovdqa 32*7(%rax), %ymm14
- vmovdqa 32*8(%rax), %ymm15
-
- mov $n_digits, $itr
- lea -512($a_ptr), $a_ptr # strategic bias to control u-op density
- jmp .Lavx2_mul_x4_loop
-
-.align 32
-.Lavx2_mul_x4_loop:
- vmovdqa 32*0($b_ptr), $B
- lea 32*1($b_ptr), $b_ptr
-
- vpmuludq 32*0+512($a_ptr), $B, $T0
- vpmuludq 32*1+512($a_ptr), $B, $OVERFLOW # borrow $OVERFLOW
- vpaddq $T0, $ACC0, $ACC0
- vpmuludq 32*2+512($a_ptr), $B, $T0
- vpaddq $OVERFLOW, $ACC1, $ACC1
- vpand $AND_MASK, $ACC0, $Y
- vpmuludq 32*3+512($a_ptr), $B, $OVERFLOW
- vpaddq $T0, $ACC2, $ACC2
- vpmuludq 32*4+512($a_ptr), $B, $T0
- vpaddq $OVERFLOW, $ACC3, $ACC3
- vpmuludq 32*5+512($a_ptr), $B, $OVERFLOW
- vpaddq $T0, $ACC4, $ACC4
- vpmuludq 32*6+512($a_ptr), $B, $T0
- vpaddq $OVERFLOW, $ACC5, $ACC5
- vpmuludq 32*7+512($a_ptr), $B, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC6
-
- # Skip some multiplications, optimizing for the constant poly
- vpmuludq $AND_MASK, $Y, $T0
- vpaddq $OVERFLOW, $ACC7, $ACC7
- vpmuludq 32*8+512($a_ptr), $B, $ACC8
- vpaddq $T0, $ACC0, $OVERFLOW
- vpaddq $T0, $ACC1, $ACC0
- vpsrlq $digit_size, $OVERFLOW, $OVERFLOW
- vpaddq $T0, $ACC2, $ACC1
- vpmuludq 32*3(%rax), $Y, $T0
- vpaddq $OVERFLOW, $ACC0, $ACC0
- vpaddq $T0, $ACC3, $ACC2
- .byte 0x67
- vmovdqa $ACC4, $ACC3
- vpsllq \$18, $Y, $OVERFLOW
- .byte 0x67
- vmovdqa $ACC5, $ACC4
- vpmuludq %ymm14, $Y, $T0
- vpaddq $OVERFLOW, $ACC6, $ACC5
- vpmuludq %ymm15, $Y, $OVERFLOW
- vpaddq $T0, $ACC7, $ACC6
- vpaddq $OVERFLOW, $ACC8, $ACC7
-
- dec $itr
- jnz .Lavx2_mul_x4_loop
-
- vpxor $ACC8, $ACC8, $ACC8
-
- ret
-.size avx2_mul_x4,.-avx2_mul_x4
-
-# Function optimized for the constant 1
-################################################################################
-# void avx2_mul_by1_x4(void* RESULTx4, void *Ax4);
-.type avx2_mul_by1_x4,\@abi-omnipotent
-.align 32
-avx2_mul_by1_x4:
- lea .LAVX2_POLY(%rip), %rax
-
- vpxor $ACC0, $ACC0, $ACC0
- vpxor $ACC1, $ACC1, $ACC1
- vpxor $ACC2, $ACC2, $ACC2
- vpxor $ACC3, $ACC3, $ACC3
- vpxor $ACC4, $ACC4, $ACC4
- vpxor $ACC5, $ACC5, $ACC5
- vpxor $ACC6, $ACC6, $ACC6
- vpxor $ACC7, $ACC7, $ACC7
- vpxor $ACC8, $ACC8, $ACC8
-
- vmovdqa 32*3+.LONE(%rip), %ymm14
- vmovdqa 32*7+.LONE(%rip), %ymm15
-
- mov $n_digits, $itr
- jmp .Lavx2_mul_by1_x4_loop
-
-.align 32
-.Lavx2_mul_by1_x4_loop:
- vmovdqa 32*0($a_ptr), $B
- .byte 0x48,0x8d,0xb6,0x20,0,0,0 # lea 32*1($a_ptr), $a_ptr
-
- vpsllq \$5, $B, $OVERFLOW
- vpmuludq %ymm14, $B, $T0
- vpaddq $OVERFLOW, $ACC0, $ACC0
- vpaddq $T0, $ACC3, $ACC3
- .byte 0x67
- vpmuludq $AND_MASK, $B, $T0
- vpand $AND_MASK, $ACC0, $Y
- vpaddq $T0, $ACC4, $ACC4
- vpaddq $T0, $ACC5, $ACC5
- vpaddq $T0, $ACC6, $ACC6
- vpsllq \$23, $B, $T0
-
- .byte 0x67,0x67
- vpmuludq %ymm15, $B, $OVERFLOW
- vpsubq $T0, $ACC6, $ACC6
-
- vpmuludq $AND_MASK, $Y, $T0
- vpaddq $OVERFLOW, $ACC7, $ACC7
- vpaddq $T0, $ACC0, $OVERFLOW
- vpaddq $T0, $ACC1, $ACC0
- .byte 0x67,0x67
- vpsrlq $digit_size, $OVERFLOW, $OVERFLOW
- vpaddq $T0, $ACC2, $ACC1
- vpmuludq 32*3(%rax), $Y, $T0
- vpaddq $OVERFLOW, $ACC0, $ACC0
- vpaddq $T0, $ACC3, $ACC2
- vmovdqa $ACC4, $ACC3
- vpsllq \$18, $Y, $OVERFLOW
- vmovdqa $ACC5, $ACC4
- vpmuludq 32*7(%rax), $Y, $T0
- vpaddq $OVERFLOW, $ACC6, $ACC5
- vpaddq $T0, $ACC7, $ACC6
- vpmuludq 32*8(%rax), $Y, $ACC7
-
- dec $itr
- jnz .Lavx2_mul_by1_x4_loop
-
- ret
-.size avx2_mul_by1_x4,.-avx2_mul_by1_x4
-
-################################################################################
-# void avx2_sqr_x4(void* RESULTx4, void *Ax4, void *Bx4);
-.type avx2_sqr_x4,\@abi-omnipotent
-.align 32
-avx2_sqr_x4:
- lea .LAVX2_POLY(%rip), %rax
-
- vmovdqa 32*7(%rax), %ymm14
- vmovdqa 32*8(%rax), %ymm15
-
- vmovdqa 32*0($a_ptr), $B
- vmovdqa 32*1($a_ptr), $ACC1
- vmovdqa 32*2($a_ptr), $ACC2
- vmovdqa 32*3($a_ptr), $ACC3
- vmovdqa 32*4($a_ptr), $ACC4
- vmovdqa 32*5($a_ptr), $ACC5
- vmovdqa 32*6($a_ptr), $ACC6
- vmovdqa 32*7($a_ptr), $ACC7
- vpaddq $ACC1, $ACC1, $ACC1 # 2*$ACC0..7
- vmovdqa 32*8($a_ptr), $ACC8
- vpaddq $ACC2, $ACC2, $ACC2
- vmovdqa $ACC1, 32*0(%rcx)
- vpaddq $ACC3, $ACC3, $ACC3
- vmovdqa $ACC2, 32*1(%rcx)
- vpaddq $ACC4, $ACC4, $ACC4
- vmovdqa $ACC3, 32*2(%rcx)
- vpaddq $ACC5, $ACC5, $ACC5
- vmovdqa $ACC4, 32*3(%rcx)
- vpaddq $ACC6, $ACC6, $ACC6
- vmovdqa $ACC5, 32*4(%rcx)
- vpaddq $ACC7, $ACC7, $ACC7
- vmovdqa $ACC6, 32*5(%rcx)
- vpaddq $ACC8, $ACC8, $ACC8
- vmovdqa $ACC7, 32*6(%rcx)
- vmovdqa $ACC8, 32*7(%rcx)
-
- #itr 1
- vpmuludq $B, $B, $ACC0
- vpmuludq $B, $ACC1, $ACC1
- vpand $AND_MASK, $ACC0, $Y
- vpmuludq $B, $ACC2, $ACC2
- vpmuludq $B, $ACC3, $ACC3
- vpmuludq $B, $ACC4, $ACC4
- vpmuludq $B, $ACC5, $ACC5
- vpmuludq $B, $ACC6, $ACC6
- vpmuludq $AND_MASK, $Y, $T0
- vpmuludq $B, $ACC7, $ACC7
- vpmuludq $B, $ACC8, $ACC8
- vmovdqa 32*1($a_ptr), $B
-
- vpaddq $T0, $ACC0, $OVERFLOW
- vpaddq $T0, $ACC1, $ACC0
- vpsrlq $digit_size, $OVERFLOW, $OVERFLOW
- vpaddq $T0, $ACC2, $ACC1
- vpmuludq 32*3(%rax), $Y, $T0
- vpaddq $OVERFLOW, $ACC0, $ACC0
- vpaddq $T0, $ACC3, $ACC2
- vmovdqa $ACC4, $ACC3
- vpsllq \$18, $Y, $T0
- vmovdqa $ACC5, $ACC4
- vpmuludq %ymm14, $Y, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC5
- vpmuludq %ymm15, $Y, $T0
- vpaddq $OVERFLOW, $ACC7, $ACC6
- vpaddq $T0, $ACC8, $ACC7
-
- #itr 2
- vpmuludq $B, $B, $OVERFLOW
- vpand $AND_MASK, $ACC0, $Y
- vpmuludq 32*1(%rcx), $B, $T0
- vpaddq $OVERFLOW, $ACC1, $ACC1
- vpmuludq 32*2(%rcx), $B, $OVERFLOW
- vpaddq $T0, $ACC2, $ACC2
- vpmuludq 32*3(%rcx), $B, $T0
- vpaddq $OVERFLOW, $ACC3, $ACC3
- vpmuludq 32*4(%rcx), $B, $OVERFLOW
- vpaddq $T0, $ACC4, $ACC4
- vpmuludq 32*5(%rcx), $B, $T0
- vpaddq $OVERFLOW, $ACC5, $ACC5
- vpmuludq 32*6(%rcx), $B, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC6
-
- vpmuludq $AND_MASK, $Y, $T0
- vpaddq $OVERFLOW, $ACC7, $ACC7
- vpmuludq 32*7(%rcx), $B, $ACC8
- vmovdqa 32*2($a_ptr), $B
- vpaddq $T0, $ACC0, $OVERFLOW
- vpaddq $T0, $ACC1, $ACC0
- vpsrlq $digit_size, $OVERFLOW, $OVERFLOW
- vpaddq $T0, $ACC2, $ACC1
- vpmuludq 32*3(%rax), $Y, $T0
- vpaddq $OVERFLOW, $ACC0, $ACC0
- vpaddq $T0, $ACC3, $ACC2
- vmovdqa $ACC4, $ACC3
- vpsllq \$18, $Y, $T0
- vmovdqa $ACC5, $ACC4
- vpmuludq %ymm14, $Y, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC5
- vpmuludq %ymm15, $Y, $T0
- vpaddq $OVERFLOW, $ACC7, $ACC6
- vpaddq $T0, $ACC8, $ACC7
-
- #itr 3
- vpmuludq $B, $B, $T0
- vpand $AND_MASK, $ACC0, $Y
- vpmuludq 32*2(%rcx), $B, $OVERFLOW
- vpaddq $T0, $ACC2, $ACC2
- vpmuludq 32*3(%rcx), $B, $T0
- vpaddq $OVERFLOW, $ACC3, $ACC3
- vpmuludq 32*4(%rcx), $B, $OVERFLOW
- vpaddq $T0, $ACC4, $ACC4
- vpmuludq 32*5(%rcx), $B, $T0
- vpaddq $OVERFLOW, $ACC5, $ACC5
- vpmuludq 32*6(%rcx), $B, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC6
-
- vpmuludq $AND_MASK, $Y, $T0
- vpaddq $OVERFLOW, $ACC7, $ACC7
- vpmuludq 32*7(%rcx), $B, $ACC8
- vmovdqa 32*3($a_ptr), $B
- vpaddq $T0, $ACC0, $OVERFLOW
- vpaddq $T0, $ACC1, $ACC0
- vpsrlq $digit_size, $OVERFLOW, $OVERFLOW
- vpaddq $T0, $ACC2, $ACC1
- vpmuludq 32*3(%rax), $Y, $T0
- vpaddq $OVERFLOW, $ACC0, $ACC0
- vpaddq $T0, $ACC3, $ACC2
- vmovdqa $ACC4, $ACC3
- vpsllq \$18, $Y, $T0
- vmovdqa $ACC5, $ACC4
- vpmuludq %ymm14, $Y, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC5
- vpmuludq %ymm15, $Y, $T0
- vpand $AND_MASK, $ACC0, $Y
- vpaddq $OVERFLOW, $ACC7, $ACC6
- vpaddq $T0, $ACC8, $ACC7
-
- #itr 4
- vpmuludq $B, $B, $OVERFLOW
- vpmuludq 32*3(%rcx), $B, $T0
- vpaddq $OVERFLOW, $ACC3, $ACC3
- vpmuludq 32*4(%rcx), $B, $OVERFLOW
- vpaddq $T0, $ACC4, $ACC4
- vpmuludq 32*5(%rcx), $B, $T0
- vpaddq $OVERFLOW, $ACC5, $ACC5
- vpmuludq 32*6(%rcx), $B, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC6
-
- vpmuludq $AND_MASK, $Y, $T0
- vpaddq $OVERFLOW, $ACC7, $ACC7
- vpmuludq 32*7(%rcx), $B, $ACC8
- vmovdqa 32*4($a_ptr), $B
- vpaddq $T0, $ACC0, $OVERFLOW
- vpaddq $T0, $ACC1, $ACC0
- vpsrlq $digit_size, $OVERFLOW, $OVERFLOW
- vpaddq $T0, $ACC2, $ACC1
- vpmuludq 32*3(%rax), $Y, $T0
- vpaddq $OVERFLOW, $ACC0, $ACC0
- vpaddq $T0, $ACC3, $ACC2
- vmovdqa $ACC4, $ACC3
- vpsllq \$18, $Y, $T0
- vmovdqa $ACC5, $ACC4
- vpmuludq %ymm14, $Y, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC5
- vpmuludq %ymm15, $Y, $T0
- vpand $AND_MASK, $ACC0, $Y
- vpaddq $OVERFLOW, $ACC7, $ACC6
- vpaddq $T0, $ACC8, $ACC7
-
- #itr 5
- vpmuludq $B, $B, $T0
- vpmuludq 32*4(%rcx), $B, $OVERFLOW
- vpaddq $T0, $ACC4, $ACC4
- vpmuludq 32*5(%rcx), $B, $T0
- vpaddq $OVERFLOW, $ACC5, $ACC5
- vpmuludq 32*6(%rcx), $B, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC6
-
- vpmuludq $AND_MASK, $Y, $T0
- vpaddq $OVERFLOW, $ACC7, $ACC7
- vpmuludq 32*7(%rcx), $B, $ACC8
- vmovdqa 32*5($a_ptr), $B
- vpaddq $T0, $ACC0, $OVERFLOW
- vpsrlq $digit_size, $OVERFLOW, $OVERFLOW
- vpaddq $T0, $ACC1, $ACC0
- vpaddq $T0, $ACC2, $ACC1
- vpmuludq 32*3+.LAVX2_POLY(%rip), $Y, $T0
- vpaddq $OVERFLOW, $ACC0, $ACC0
- vpaddq $T0, $ACC3, $ACC2
- vmovdqa $ACC4, $ACC3
- vpsllq \$18, $Y, $T0
- vmovdqa $ACC5, $ACC4
- vpmuludq %ymm14, $Y, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC5
- vpmuludq %ymm15, $Y, $T0
- vpand $AND_MASK, $ACC0, $Y
- vpaddq $OVERFLOW, $ACC7, $ACC6
- vpaddq $T0, $ACC8, $ACC7
-
- #itr 6
- vpmuludq $B, $B, $OVERFLOW
- vpmuludq 32*5(%rcx), $B, $T0
- vpaddq $OVERFLOW, $ACC5, $ACC5
- vpmuludq 32*6(%rcx), $B, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC6
-
- vpmuludq $AND_MASK, $Y, $T0
- vpaddq $OVERFLOW, $ACC7, $ACC7
- vpmuludq 32*7(%rcx), $B, $ACC8
- vmovdqa 32*6($a_ptr), $B
- vpaddq $T0, $ACC0, $OVERFLOW
- vpaddq $T0, $ACC1, $ACC0
- vpsrlq $digit_size, $OVERFLOW, $OVERFLOW
- vpaddq $T0, $ACC2, $ACC1
- vpmuludq 32*3(%rax), $Y, $T0
- vpaddq $OVERFLOW, $ACC0, $ACC0
- vpaddq $T0, $ACC3, $ACC2
- vmovdqa $ACC4, $ACC3
- vpsllq \$18, $Y, $T0
- vmovdqa $ACC5, $ACC4
- vpmuludq %ymm14, $Y, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC5
- vpmuludq %ymm15, $Y, $T0
- vpand $AND_MASK, $ACC0, $Y
- vpaddq $OVERFLOW, $ACC7, $ACC6
- vpaddq $T0, $ACC8, $ACC7
-
- #itr 7
- vpmuludq $B, $B, $T0
- vpmuludq 32*6(%rcx), $B, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC6
-
- vpmuludq $AND_MASK, $Y, $T0
- vpaddq $OVERFLOW, $ACC7, $ACC7
- vpmuludq 32*7(%rcx), $B, $ACC8
- vmovdqa 32*7($a_ptr), $B
- vpaddq $T0, $ACC0, $OVERFLOW
- vpsrlq $digit_size, $OVERFLOW, $OVERFLOW
- vpaddq $T0, $ACC1, $ACC0
- vpaddq $T0, $ACC2, $ACC1
- vpmuludq 32*3(%rax), $Y, $T0
- vpaddq $OVERFLOW, $ACC0, $ACC0
- vpaddq $T0, $ACC3, $ACC2
- vmovdqa $ACC4, $ACC3
- vpsllq \$18, $Y, $T0
- vmovdqa $ACC5, $ACC4
- vpmuludq %ymm14, $Y, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC5
- vpmuludq %ymm15, $Y, $T0
- vpand $AND_MASK, $ACC0, $Y
- vpaddq $OVERFLOW, $ACC7, $ACC6
- vpaddq $T0, $ACC8, $ACC7
-
- #itr 8
- vpmuludq $B, $B, $OVERFLOW
-
- vpmuludq $AND_MASK, $Y, $T0
- vpaddq $OVERFLOW, $ACC7, $ACC7
- vpmuludq 32*7(%rcx), $B, $ACC8
- vmovdqa 32*8($a_ptr), $B
- vpaddq $T0, $ACC0, $OVERFLOW
- vpsrlq $digit_size, $OVERFLOW, $OVERFLOW
- vpaddq $T0, $ACC1, $ACC0
- vpaddq $T0, $ACC2, $ACC1
- vpmuludq 32*3(%rax), $Y, $T0
- vpaddq $OVERFLOW, $ACC0, $ACC0
- vpaddq $T0, $ACC3, $ACC2
- vmovdqa $ACC4, $ACC3
- vpsllq \$18, $Y, $T0
- vmovdqa $ACC5, $ACC4
- vpmuludq %ymm14, $Y, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC5
- vpmuludq %ymm15, $Y, $T0
- vpand $AND_MASK, $ACC0, $Y
- vpaddq $OVERFLOW, $ACC7, $ACC6
- vpaddq $T0, $ACC8, $ACC7
-
- #itr 9
- vpmuludq $B, $B, $ACC8
-
- vpmuludq $AND_MASK, $Y, $T0
- vpaddq $T0, $ACC0, $OVERFLOW
- vpsrlq $digit_size, $OVERFLOW, $OVERFLOW
- vpaddq $T0, $ACC1, $ACC0
- vpaddq $T0, $ACC2, $ACC1
- vpmuludq 32*3(%rax), $Y, $T0
- vpaddq $OVERFLOW, $ACC0, $ACC0
- vpaddq $T0, $ACC3, $ACC2
- vmovdqa $ACC4, $ACC3
- vpsllq \$18, $Y, $T0
- vmovdqa $ACC5, $ACC4
- vpmuludq %ymm14, $Y, $OVERFLOW
- vpaddq $T0, $ACC6, $ACC5
- vpmuludq %ymm15, $Y, $T0
- vpaddq $OVERFLOW, $ACC7, $ACC6
- vpaddq $T0, $ACC8, $ACC7
-
- vpxor $ACC8, $ACC8, $ACC8
-
- ret
-.size avx2_sqr_x4,.-avx2_sqr_x4
-
-################################################################################
-# void avx2_sub_x4(void* RESULTx4, void *Ax4, void *Bx4);
-.type avx2_sub_x4,\@abi-omnipotent
-.align 32
-avx2_sub_x4:
- vmovdqa 32*0($a_ptr), $ACC0
- lea 160($a_ptr), $a_ptr
- lea .LAVX2_POLY_x8+128(%rip), %rax
- lea 128($b_ptr), $b_ptr
- vmovdqa 32*1-160($a_ptr), $ACC1
- vmovdqa 32*2-160($a_ptr), $ACC2
- vmovdqa 32*3-160($a_ptr), $ACC3
- vmovdqa 32*4-160($a_ptr), $ACC4
- vmovdqa 32*5-160($a_ptr), $ACC5
- vmovdqa 32*6-160($a_ptr), $ACC6
- vmovdqa 32*7-160($a_ptr), $ACC7
- vmovdqa 32*8-160($a_ptr), $ACC8
-
- vpaddq 32*0-128(%rax), $ACC0, $ACC0
- vpaddq 32*1-128(%rax), $ACC1, $ACC1
- vpaddq 32*2-128(%rax), $ACC2, $ACC2
- vpaddq 32*3-128(%rax), $ACC3, $ACC3
- vpaddq 32*4-128(%rax), $ACC4, $ACC4
- vpaddq 32*5-128(%rax), $ACC5, $ACC5
- vpaddq 32*6-128(%rax), $ACC6, $ACC6
- vpaddq 32*7-128(%rax), $ACC7, $ACC7
- vpaddq 32*8-128(%rax), $ACC8, $ACC8
-
- vpsubq 32*0-128($b_ptr), $ACC0, $ACC0
- vpsubq 32*1-128($b_ptr), $ACC1, $ACC1
- vpsubq 32*2-128($b_ptr), $ACC2, $ACC2
- vpsubq 32*3-128($b_ptr), $ACC3, $ACC3
- vpsubq 32*4-128($b_ptr), $ACC4, $ACC4
- vpsubq 32*5-128($b_ptr), $ACC5, $ACC5
- vpsubq 32*6-128($b_ptr), $ACC6, $ACC6
- vpsubq 32*7-128($b_ptr), $ACC7, $ACC7
- vpsubq 32*8-128($b_ptr), $ACC8, $ACC8
-
- ret
-.size avx2_sub_x4,.-avx2_sub_x4
-
-.type avx2_select_n_store,\@abi-omnipotent
-.align 32
-avx2_select_n_store:
- vmovdqa `8+32*9*8`(%rsp), $Y
- vpor `8+32*9*8+32`(%rsp), $Y, $Y
-
- vpandn $ACC0, $Y, $ACC0
- vpandn $ACC1, $Y, $ACC1
- vpandn $ACC2, $Y, $ACC2
- vpandn $ACC3, $Y, $ACC3
- vpandn $ACC4, $Y, $ACC4
- vpandn $ACC5, $Y, $ACC5
- vpandn $ACC6, $Y, $ACC6
- vmovdqa `8+32*9*8+32`(%rsp), $B
- vpandn $ACC7, $Y, $ACC7
- vpandn `8+32*9*8`(%rsp), $B, $B
- vpandn $ACC8, $Y, $ACC8
-
- vpand 32*0(%rsi), $B, $T0
- lea 160(%rsi), %rax
- vpand 32*1(%rsi), $B, $Y
- vpxor $T0, $ACC0, $ACC0
- vpand 32*2(%rsi), $B, $T0
- vpxor $Y, $ACC1, $ACC1
- vpand 32*3(%rsi), $B, $Y
- vpxor $T0, $ACC2, $ACC2
- vpand 32*4-160(%rax), $B, $T0
- vpxor $Y, $ACC3, $ACC3
- vpand 32*5-160(%rax), $B, $Y
- vpxor $T0, $ACC4, $ACC4
- vpand 32*6-160(%rax), $B, $T0
- vpxor $Y, $ACC5, $ACC5
- vpand 32*7-160(%rax), $B, $Y
- vpxor $T0, $ACC6, $ACC6
- vpand 32*8-160(%rax), $B, $T0
- vmovdqa `8+32*9*8+32`(%rsp), $B
- vpxor $Y, $ACC7, $ACC7
-
- vpand 32*0(%rdx), $B, $Y
- lea 160(%rdx), %rax
- vpxor $T0, $ACC8, $ACC8
- vpand 32*1(%rdx), $B, $T0
- vpxor $Y, $ACC0, $ACC0
- vpand 32*2(%rdx), $B, $Y
- vpxor $T0, $ACC1, $ACC1
- vpand 32*3(%rdx), $B, $T0
- vpxor $Y, $ACC2, $ACC2
- vpand 32*4-160(%rax), $B, $Y
- vpxor $T0, $ACC3, $ACC3
- vpand 32*5-160(%rax), $B, $T0
- vpxor $Y, $ACC4, $ACC4
- vpand 32*6-160(%rax), $B, $Y
- vpxor $T0, $ACC5, $ACC5
- vpand 32*7-160(%rax), $B, $T0
- vpxor $Y, $ACC6, $ACC6
- vpand 32*8-160(%rax), $B, $Y
- vpxor $T0, $ACC7, $ACC7
- vpxor $Y, $ACC8, $ACC8
- `&STORE`
-
- ret
-.size avx2_select_n_store,.-avx2_select_n_store
-___
-$code.=<<___ if (0); # inlined
-################################################################################
-# void avx2_mul_by2_x4(void* RESULTx4, void *Ax4);
-.type avx2_mul_by2_x4,\@abi-omnipotent
-.align 32
-avx2_mul_by2_x4:
- vmovdqa 32*0($a_ptr), $ACC0
- lea 160($a_ptr), %rax
- vmovdqa 32*1($a_ptr), $ACC1
- vmovdqa 32*2($a_ptr), $ACC2
- vmovdqa 32*3($a_ptr), $ACC3
- vmovdqa 32*4-160(%rax), $ACC4
- vmovdqa 32*5-160(%rax), $ACC5
- vmovdqa 32*6-160(%rax), $ACC6
- vmovdqa 32*7-160(%rax), $ACC7
- vmovdqa 32*8-160(%rax), $ACC8
-
- vpaddq $ACC0, $ACC0, $ACC0
- vpaddq $ACC1, $ACC1, $ACC1
- vpaddq $ACC2, $ACC2, $ACC2
- vpaddq $ACC3, $ACC3, $ACC3
- vpaddq $ACC4, $ACC4, $ACC4
- vpaddq $ACC5, $ACC5, $ACC5
- vpaddq $ACC6, $ACC6, $ACC6
- vpaddq $ACC7, $ACC7, $ACC7
- vpaddq $ACC8, $ACC8, $ACC8
-
- ret
-.size avx2_mul_by2_x4,.-avx2_mul_by2_x4
-___
-my ($r_ptr_in,$a_ptr_in,$b_ptr_in)=("%rdi","%rsi","%rdx");
-my ($r_ptr,$a_ptr,$b_ptr)=("%r8","%r9","%r10");
-
-$code.=<<___;
-################################################################################
-# void ecp_nistz256_avx2_point_add_affine_x4(void* RESULTx4, void *Ax4, void *Bx4);
-.globl ecp_nistz256_avx2_point_add_affine_x4
-.type ecp_nistz256_avx2_point_add_affine_x4,\@function,3
-.align 32
-ecp_nistz256_avx2_point_add_affine_x4:
- mov %rsp, %rax
- push %rbp
- vzeroupper
-___
-$code.=<<___ if ($win64);
- lea -16*10(%rsp), %rsp
- vmovaps %xmm6, -8-16*10(%rax)
- vmovaps %xmm7, -8-16*9(%rax)
- vmovaps %xmm8, -8-16*8(%rax)
- vmovaps %xmm9, -8-16*7(%rax)
- vmovaps %xmm10, -8-16*6(%rax)
- vmovaps %xmm11, -8-16*5(%rax)
- vmovaps %xmm12, -8-16*4(%rax)
- vmovaps %xmm13, -8-16*3(%rax)
- vmovaps %xmm14, -8-16*2(%rax)
- vmovaps %xmm15, -8-16*1(%rax)
-___
-$code.=<<___;
- lea -8(%rax), %rbp
-
-# Result + 32*0 = Result.X
-# Result + 32*9 = Result.Y
-# Result + 32*18 = Result.Z
-
-# A + 32*0 = A.X
-# A + 32*9 = A.Y
-# A + 32*18 = A.Z
-
-# B + 32*0 = B.X
-# B + 32*9 = B.Y
-
- sub \$`32*9*8+32*2+32*8`, %rsp
- and \$-64, %rsp
-
- mov $r_ptr_in, $r_ptr
- mov $a_ptr_in, $a_ptr
- mov $b_ptr_in, $b_ptr
-
- vmovdqa 32*0($a_ptr_in), %ymm0
- vmovdqa .LAVX2_AND_MASK(%rip), $AND_MASK
- vpxor %ymm1, %ymm1, %ymm1
- lea 256($a_ptr_in), %rax # size optimization
- vpor 32*1($a_ptr_in), %ymm0, %ymm0
- vpor 32*2($a_ptr_in), %ymm0, %ymm0
- vpor 32*3($a_ptr_in), %ymm0, %ymm0
- vpor 32*4-256(%rax), %ymm0, %ymm0
- lea 256(%rax), %rcx # size optimization
- vpor 32*5-256(%rax), %ymm0, %ymm0
- vpor 32*6-256(%rax), %ymm0, %ymm0
- vpor 32*7-256(%rax), %ymm0, %ymm0
- vpor 32*8-256(%rax), %ymm0, %ymm0
- vpor 32*9-256(%rax), %ymm0, %ymm0
- vpor 32*10-256(%rax), %ymm0, %ymm0
- vpor 32*11-256(%rax), %ymm0, %ymm0
- vpor 32*12-512(%rcx), %ymm0, %ymm0
- vpor 32*13-512(%rcx), %ymm0, %ymm0
- vpor 32*14-512(%rcx), %ymm0, %ymm0
- vpor 32*15-512(%rcx), %ymm0, %ymm0
- vpor 32*16-512(%rcx), %ymm0, %ymm0
- vpor 32*17-512(%rcx), %ymm0, %ymm0
- vpcmpeqq %ymm1, %ymm0, %ymm0
- vmovdqa %ymm0, `32*9*8`(%rsp)
-
- vpxor %ymm1, %ymm1, %ymm1
- vmovdqa 32*0($b_ptr), %ymm0
- lea 256($b_ptr), %rax # size optimization
- vpor 32*1($b_ptr), %ymm0, %ymm0
- vpor 32*2($b_ptr), %ymm0, %ymm0
- vpor 32*3($b_ptr), %ymm0, %ymm0
- vpor 32*4-256(%rax), %ymm0, %ymm0
- lea 256(%rax), %rcx # size optimization
- vpor 32*5-256(%rax), %ymm0, %ymm0
- vpor 32*6-256(%rax), %ymm0, %ymm0
- vpor 32*7-256(%rax), %ymm0, %ymm0
- vpor 32*8-256(%rax), %ymm0, %ymm0
- vpor 32*9-256(%rax), %ymm0, %ymm0
- vpor 32*10-256(%rax), %ymm0, %ymm0
- vpor 32*11-256(%rax), %ymm0, %ymm0
- vpor 32*12-512(%rcx), %ymm0, %ymm0
- vpor 32*13-512(%rcx), %ymm0, %ymm0
- vpor 32*14-512(%rcx), %ymm0, %ymm0
- vpor 32*15-512(%rcx), %ymm0, %ymm0
- vpor 32*16-512(%rcx), %ymm0, %ymm0
- vpor 32*17-512(%rcx), %ymm0, %ymm0
- vpcmpeqq %ymm1, %ymm0, %ymm0
- vmovdqa %ymm0, `32*9*8+32`(%rsp)
-
- # Z1^2 = Z1*Z1
- lea `32*9*2`($a_ptr), %rsi
- lea `32*9*2`(%rsp), %rdi
- lea `32*9*8+32*2`(%rsp), %rcx # temporary vector
- call avx2_sqr_x4
- call avx2_normalize_n_store
-
- # U2 = X2*Z1^2
- lea `32*9*0`($b_ptr), %rsi
- lea `32*9*2`(%rsp), %rdx
- lea `32*9*0`(%rsp), %rdi
- call avx2_mul_x4
- #call avx2_normalize
- `&STORE`
-
- # S2 = Z1*Z1^2 = Z1^3
- lea `32*9*2`($a_ptr), %rsi
- lea `32*9*2`(%rsp), %rdx
- lea `32*9*1`(%rsp), %rdi
- call avx2_mul_x4
- call avx2_normalize_n_store
-
- # S2 = S2*Y2 = Y2*Z1^3
- lea `32*9*1`($b_ptr), %rsi
- lea `32*9*1`(%rsp), %rdx
- lea `32*9*1`(%rsp), %rdi
- call avx2_mul_x4
- call avx2_normalize_n_store
-
- # H = U2 - U1 = U2 - X1
- lea `32*9*0`(%rsp), %rsi
- lea `32*9*0`($a_ptr), %rdx
- lea `32*9*3`(%rsp), %rdi
- call avx2_sub_x4
- call avx2_normalize_n_store
-
- # R = S2 - S1 = S2 - Y1
- lea `32*9*1`(%rsp), %rsi
- lea `32*9*1`($a_ptr), %rdx
- lea `32*9*4`(%rsp), %rdi
- call avx2_sub_x4
- call avx2_normalize_n_store
-
- # Z3 = H*Z1*Z2
- lea `32*9*3`(%rsp), %rsi
- lea `32*9*2`($a_ptr), %rdx
- lea `32*9*2`($r_ptr), %rdi
- call avx2_mul_x4
- call avx2_normalize
-
- lea .LONE(%rip), %rsi
- lea `32*9*2`($a_ptr), %rdx
- call avx2_select_n_store
-
- # R^2 = R^2
- lea `32*9*4`(%rsp), %rsi
- lea `32*9*6`(%rsp), %rdi
- lea `32*9*8+32*2`(%rsp), %rcx # temporary vector
- call avx2_sqr_x4
- call avx2_normalize_n_store
-
- # H^2 = H^2
- lea `32*9*3`(%rsp), %rsi
- lea `32*9*5`(%rsp), %rdi
- call avx2_sqr_x4
- call avx2_normalize_n_store
-
- # H^3 = H^2*H
- lea `32*9*3`(%rsp), %rsi
- lea `32*9*5`(%rsp), %rdx
- lea `32*9*7`(%rsp), %rdi
- call avx2_mul_x4
- call avx2_normalize_n_store
-
- # U2 = U1*H^2
- lea `32*9*0`($a_ptr), %rsi
- lea `32*9*5`(%rsp), %rdx
- lea `32*9*0`(%rsp), %rdi
- call avx2_mul_x4
- #call avx2_normalize
- `&STORE`
-
- # Hsqr = U2*2
- #lea 32*9*0(%rsp), %rsi
- #lea 32*9*5(%rsp), %rdi
- #call avx2_mul_by2_x4
-
- vpaddq $ACC0, $ACC0, $ACC0 # inlined avx2_mul_by2_x4
- lea `32*9*5`(%rsp), %rdi
- vpaddq $ACC1, $ACC1, $ACC1
- vpaddq $ACC2, $ACC2, $ACC2
- vpaddq $ACC3, $ACC3, $ACC3
- vpaddq $ACC4, $ACC4, $ACC4
- vpaddq $ACC5, $ACC5, $ACC5
- vpaddq $ACC6, $ACC6, $ACC6
- vpaddq $ACC7, $ACC7, $ACC7
- vpaddq $ACC8, $ACC8, $ACC8
- call avx2_normalize_n_store
-
- # X3 = R^2 - H^3
- #lea 32*9*6(%rsp), %rsi
- #lea 32*9*7(%rsp), %rdx
- #lea 32*9*5(%rsp), %rcx
- #lea 32*9*0($r_ptr), %rdi
- #call avx2_sub_x4
- #NORMALIZE
- #STORE
-
- # X3 = X3 - U2*2
- #lea 32*9*0($r_ptr), %rsi
- #lea 32*9*0($r_ptr), %rdi
- #call avx2_sub_x4
- #NORMALIZE
- #STORE
-
- lea `32*9*6+128`(%rsp), %rsi
- lea .LAVX2_POLY_x2+128(%rip), %rax
- lea `32*9*7+128`(%rsp), %rdx
- lea `32*9*5+128`(%rsp), %rcx
- lea `32*9*0`($r_ptr), %rdi
-
- vmovdqa 32*0-128(%rsi), $ACC0
- vmovdqa 32*1-128(%rsi), $ACC1
- vmovdqa 32*2-128(%rsi), $ACC2
- vmovdqa 32*3-128(%rsi), $ACC3
- vmovdqa 32*4-128(%rsi), $ACC4
- vmovdqa 32*5-128(%rsi), $ACC5
- vmovdqa 32*6-128(%rsi), $ACC6
- vmovdqa 32*7-128(%rsi), $ACC7
- vmovdqa 32*8-128(%rsi), $ACC8
-
- vpaddq 32*0-128(%rax), $ACC0, $ACC0
- vpaddq 32*1-128(%rax), $ACC1, $ACC1
- vpaddq 32*2-128(%rax), $ACC2, $ACC2
- vpaddq 32*3-128(%rax), $ACC3, $ACC3
- vpaddq 32*4-128(%rax), $ACC4, $ACC4
- vpaddq 32*5-128(%rax), $ACC5, $ACC5
- vpaddq 32*6-128(%rax), $ACC6, $ACC6
- vpaddq 32*7-128(%rax), $ACC7, $ACC7
- vpaddq 32*8-128(%rax), $ACC8, $ACC8
-
- vpsubq 32*0-128(%rdx), $ACC0, $ACC0
- vpsubq 32*1-128(%rdx), $ACC1, $ACC1
- vpsubq 32*2-128(%rdx), $ACC2, $ACC2
- vpsubq 32*3-128(%rdx), $ACC3, $ACC3
- vpsubq 32*4-128(%rdx), $ACC4, $ACC4
- vpsubq 32*5-128(%rdx), $ACC5, $ACC5
- vpsubq 32*6-128(%rdx), $ACC6, $ACC6
- vpsubq 32*7-128(%rdx), $ACC7, $ACC7
- vpsubq 32*8-128(%rdx), $ACC8, $ACC8
-
- vpsubq 32*0-128(%rcx), $ACC0, $ACC0
- vpsubq 32*1-128(%rcx), $ACC1, $ACC1
- vpsubq 32*2-128(%rcx), $ACC2, $ACC2
- vpsubq 32*3-128(%rcx), $ACC3, $ACC3
- vpsubq 32*4-128(%rcx), $ACC4, $ACC4
- vpsubq 32*5-128(%rcx), $ACC5, $ACC5
- vpsubq 32*6-128(%rcx), $ACC6, $ACC6
- vpsubq 32*7-128(%rcx), $ACC7, $ACC7
- vpsubq 32*8-128(%rcx), $ACC8, $ACC8
- call avx2_normalize
-
- lea 32*0($b_ptr), %rsi
- lea 32*0($a_ptr), %rdx
- call avx2_select_n_store
-
- # H = U2 - X3
- lea `32*9*0`(%rsp), %rsi
- lea `32*9*0`($r_ptr), %rdx
- lea `32*9*3`(%rsp), %rdi
- call avx2_sub_x4
- call avx2_normalize_n_store
-
- #
- lea `32*9*3`(%rsp), %rsi
- lea `32*9*4`(%rsp), %rdx
- lea `32*9*3`(%rsp), %rdi
- call avx2_mul_x4
- call avx2_normalize_n_store
-
- #
- lea `32*9*7`(%rsp), %rsi
- lea `32*9*1`($a_ptr), %rdx
- lea `32*9*1`(%rsp), %rdi
- call avx2_mul_x4
- call avx2_normalize_n_store
-
- #
- lea `32*9*3`(%rsp), %rsi
- lea `32*9*1`(%rsp), %rdx
- lea `32*9*1`($r_ptr), %rdi
- call avx2_sub_x4
- call avx2_normalize
-
- lea 32*9($b_ptr), %rsi
- lea 32*9($a_ptr), %rdx
- call avx2_select_n_store
-
- #lea 32*9*0($r_ptr), %rsi
- #lea 32*9*0($r_ptr), %rdi
- #call avx2_mul_by1_x4
- #NORMALIZE
- #STORE
-
- lea `32*9*1`($r_ptr), %rsi
- lea `32*9*1`($r_ptr), %rdi
- call avx2_mul_by1_x4
- call avx2_normalize_n_store
-
- vzeroupper
-___
-$code.=<<___ if ($win64);
- movaps %xmm6, -16*10(%rbp)
- movaps %xmm7, -16*9(%rbp)
- movaps %xmm8, -16*8(%rbp)
- movaps %xmm9, -16*7(%rbp)
- movaps %xmm10, -16*6(%rbp)
- movaps %xmm11, -16*5(%rbp)
- movaps %xmm12, -16*4(%rbp)
- movaps %xmm13, -16*3(%rbp)
- movaps %xmm14, -16*2(%rbp)
- movaps %xmm15, -16*1(%rbp)
-___
-$code.=<<___;
- mov %rbp, %rsp
- pop %rbp
- ret
-.size ecp_nistz256_avx2_point_add_affine_x4,.-ecp_nistz256_avx2_point_add_affine_x4
-
-################################################################################
-# void ecp_nistz256_avx2_point_add_affines_x4(void* RESULTx4, void *Ax4, void *Bx4);
-.globl ecp_nistz256_avx2_point_add_affines_x4
-.type ecp_nistz256_avx2_point_add_affines_x4,\@function,3
-.align 32
-ecp_nistz256_avx2_point_add_affines_x4:
- mov %rsp, %rax
- push %rbp
- vzeroupper
-___
-$code.=<<___ if ($win64);
- lea -16*10(%rsp), %rsp
- vmovaps %xmm6, -8-16*10(%rax)
- vmovaps %xmm7, -8-16*9(%rax)
- vmovaps %xmm8, -8-16*8(%rax)
- vmovaps %xmm9, -8-16*7(%rax)
- vmovaps %xmm10, -8-16*6(%rax)
- vmovaps %xmm11, -8-16*5(%rax)
- vmovaps %xmm12, -8-16*4(%rax)
- vmovaps %xmm13, -8-16*3(%rax)
- vmovaps %xmm14, -8-16*2(%rax)
- vmovaps %xmm15, -8-16*1(%rax)
-___
-$code.=<<___;
- lea -8(%rax), %rbp
-
-# Result + 32*0 = Result.X
-# Result + 32*9 = Result.Y
-# Result + 32*18 = Result.Z
-
-# A + 32*0 = A.X
-# A + 32*9 = A.Y
-
-# B + 32*0 = B.X
-# B + 32*9 = B.Y
-
- sub \$`32*9*8+32*2+32*8`, %rsp
- and \$-64, %rsp
-
- mov $r_ptr_in, $r_ptr
- mov $a_ptr_in, $a_ptr
- mov $b_ptr_in, $b_ptr
-
- vmovdqa 32*0($a_ptr_in), %ymm0
- vmovdqa .LAVX2_AND_MASK(%rip), $AND_MASK
- vpxor %ymm1, %ymm1, %ymm1
- lea 256($a_ptr_in), %rax # size optimization
- vpor 32*1($a_ptr_in), %ymm0, %ymm0
- vpor 32*2($a_ptr_in), %ymm0, %ymm0
- vpor 32*3($a_ptr_in), %ymm0, %ymm0
- vpor 32*4-256(%rax), %ymm0, %ymm0
- lea 256(%rax), %rcx # size optimization
- vpor 32*5-256(%rax), %ymm0, %ymm0
- vpor 32*6-256(%rax), %ymm0, %ymm0
- vpor 32*7-256(%rax), %ymm0, %ymm0
- vpor 32*8-256(%rax), %ymm0, %ymm0
- vpor 32*9-256(%rax), %ymm0, %ymm0
- vpor 32*10-256(%rax), %ymm0, %ymm0
- vpor 32*11-256(%rax), %ymm0, %ymm0
- vpor 32*12-512(%rcx), %ymm0, %ymm0
- vpor 32*13-512(%rcx), %ymm0, %ymm0
- vpor 32*14-512(%rcx), %ymm0, %ymm0
- vpor 32*15-512(%rcx), %ymm0, %ymm0
- vpor 32*16-512(%rcx), %ymm0, %ymm0
- vpor 32*17-512(%rcx), %ymm0, %ymm0
- vpcmpeqq %ymm1, %ymm0, %ymm0
- vmovdqa %ymm0, `32*9*8`(%rsp)
-
- vpxor %ymm1, %ymm1, %ymm1
- vmovdqa 32*0($b_ptr), %ymm0
- lea 256($b_ptr), %rax # size optimization
- vpor 32*1($b_ptr), %ymm0, %ymm0
- vpor 32*2($b_ptr), %ymm0, %ymm0
- vpor 32*3($b_ptr), %ymm0, %ymm0
- vpor 32*4-256(%rax), %ymm0, %ymm0
- lea 256(%rax), %rcx # size optimization
- vpor 32*5-256(%rax), %ymm0, %ymm0
- vpor 32*6-256(%rax), %ymm0, %ymm0
- vpor 32*7-256(%rax), %ymm0, %ymm0
- vpor 32*8-256(%rax), %ymm0, %ymm0
- vpor 32*9-256(%rax), %ymm0, %ymm0
- vpor 32*10-256(%rax), %ymm0, %ymm0
- vpor 32*11-256(%rax), %ymm0, %ymm0
- vpor 32*12-512(%rcx), %ymm0, %ymm0
- vpor 32*13-512(%rcx), %ymm0, %ymm0
- vpor 32*14-512(%rcx), %ymm0, %ymm0
- vpor 32*15-512(%rcx), %ymm0, %ymm0
- vpor 32*16-512(%rcx), %ymm0, %ymm0
- vpor 32*17-512(%rcx), %ymm0, %ymm0
- vpcmpeqq %ymm1, %ymm0, %ymm0
- vmovdqa %ymm0, `32*9*8+32`(%rsp)
-
- # H = U2 - U1 = X2 - X1
- lea `32*9*0`($b_ptr), %rsi
- lea `32*9*0`($a_ptr), %rdx
- lea `32*9*3`(%rsp), %rdi
- call avx2_sub_x4
- call avx2_normalize_n_store
-
- # R = S2 - S1 = Y2 - Y1
- lea `32*9*1`($b_ptr), %rsi
- lea `32*9*1`($a_ptr), %rdx
- lea `32*9*4`(%rsp), %rdi
- call avx2_sub_x4
- call avx2_normalize_n_store
-
- # Z3 = H*Z1*Z2 = H
- lea `32*9*3`(%rsp), %rsi
- lea `32*9*2`($r_ptr), %rdi
- call avx2_mul_by1_x4
- call avx2_normalize
-
- vmovdqa `32*9*8`(%rsp), $B
- vpor `32*9*8+32`(%rsp), $B, $B
-
- vpandn $ACC0, $B, $ACC0
- lea .LONE+128(%rip), %rax
- vpandn $ACC1, $B, $ACC1
- vpandn $ACC2, $B, $ACC2
- vpandn $ACC3, $B, $ACC3
- vpandn $ACC4, $B, $ACC4
- vpandn $ACC5, $B, $ACC5
- vpandn $ACC6, $B, $ACC6
- vpandn $ACC7, $B, $ACC7
-
- vpand 32*0-128(%rax), $B, $T0
- vpandn $ACC8, $B, $ACC8
- vpand 32*1-128(%rax), $B, $Y
- vpxor $T0, $ACC0, $ACC0
- vpand 32*2-128(%rax), $B, $T0
- vpxor $Y, $ACC1, $ACC1
- vpand 32*3-128(%rax), $B, $Y
- vpxor $T0, $ACC2, $ACC2
- vpand 32*4-128(%rax), $B, $T0
- vpxor $Y, $ACC3, $ACC3
- vpand 32*5-128(%rax), $B, $Y
- vpxor $T0, $ACC4, $ACC4
- vpand 32*6-128(%rax), $B, $T0
- vpxor $Y, $ACC5, $ACC5
- vpand 32*7-128(%rax), $B, $Y
- vpxor $T0, $ACC6, $ACC6
- vpand 32*8-128(%rax), $B, $T0
- vpxor $Y, $ACC7, $ACC7
- vpxor $T0, $ACC8, $ACC8
- `&STORE`
-
- # R^2 = R^2
- lea `32*9*4`(%rsp), %rsi
- lea `32*9*6`(%rsp), %rdi
- lea `32*9*8+32*2`(%rsp), %rcx # temporary vector
- call avx2_sqr_x4
- call avx2_normalize_n_store
-
- # H^2 = H^2
- lea `32*9*3`(%rsp), %rsi
- lea `32*9*5`(%rsp), %rdi
- call avx2_sqr_x4
- call avx2_normalize_n_store
-
- # H^3 = H^2*H
- lea `32*9*3`(%rsp), %rsi
- lea `32*9*5`(%rsp), %rdx
- lea `32*9*7`(%rsp), %rdi
- call avx2_mul_x4
- call avx2_normalize_n_store
-
- # U2 = U1*H^2
- lea `32*9*0`($a_ptr), %rsi
- lea `32*9*5`(%rsp), %rdx
- lea `32*9*0`(%rsp), %rdi
- call avx2_mul_x4
- #call avx2_normalize
- `&STORE`
-
- # Hsqr = U2*2
- #lea 32*9*0(%rsp), %rsi
- #lea 32*9*5(%rsp), %rdi
- #call avx2_mul_by2_x4
-
- vpaddq $ACC0, $ACC0, $ACC0 # inlined avx2_mul_by2_x4
- lea `32*9*5`(%rsp), %rdi
- vpaddq $ACC1, $ACC1, $ACC1
- vpaddq $ACC2, $ACC2, $ACC2
- vpaddq $ACC3, $ACC3, $ACC3
- vpaddq $ACC4, $ACC4, $ACC4
- vpaddq $ACC5, $ACC5, $ACC5
- vpaddq $ACC6, $ACC6, $ACC6
- vpaddq $ACC7, $ACC7, $ACC7
- vpaddq $ACC8, $ACC8, $ACC8
- call avx2_normalize_n_store
-
- # X3 = R^2 - H^3
- #lea 32*9*6(%rsp), %rsi
- #lea 32*9*7(%rsp), %rdx
- #lea 32*9*5(%rsp), %rcx
- #lea 32*9*0($r_ptr), %rdi
- #call avx2_sub_x4
- #NORMALIZE
- #STORE
-
- # X3 = X3 - U2*2
- #lea 32*9*0($r_ptr), %rsi
- #lea 32*9*0($r_ptr), %rdi
- #call avx2_sub_x4
- #NORMALIZE
- #STORE
-
- lea `32*9*6+128`(%rsp), %rsi
- lea .LAVX2_POLY_x2+128(%rip), %rax
- lea `32*9*7+128`(%rsp), %rdx
- lea `32*9*5+128`(%rsp), %rcx
- lea `32*9*0`($r_ptr), %rdi
-
- vmovdqa 32*0-128(%rsi), $ACC0
- vmovdqa 32*1-128(%rsi), $ACC1
- vmovdqa 32*2-128(%rsi), $ACC2
- vmovdqa 32*3-128(%rsi), $ACC3
- vmovdqa 32*4-128(%rsi), $ACC4
- vmovdqa 32*5-128(%rsi), $ACC5
- vmovdqa 32*6-128(%rsi), $ACC6
- vmovdqa 32*7-128(%rsi), $ACC7
- vmovdqa 32*8-128(%rsi), $ACC8
-
- vpaddq 32*0-128(%rax), $ACC0, $ACC0
- vpaddq 32*1-128(%rax), $ACC1, $ACC1
- vpaddq 32*2-128(%rax), $ACC2, $ACC2
- vpaddq 32*3-128(%rax), $ACC3, $ACC3
- vpaddq 32*4-128(%rax), $ACC4, $ACC4
- vpaddq 32*5-128(%rax), $ACC5, $ACC5
- vpaddq 32*6-128(%rax), $ACC6, $ACC6
- vpaddq 32*7-128(%rax), $ACC7, $ACC7
- vpaddq 32*8-128(%rax), $ACC8, $ACC8
-
- vpsubq 32*0-128(%rdx), $ACC0, $ACC0
- vpsubq 32*1-128(%rdx), $ACC1, $ACC1
- vpsubq 32*2-128(%rdx), $ACC2, $ACC2
- vpsubq 32*3-128(%rdx), $ACC3, $ACC3
- vpsubq 32*4-128(%rdx), $ACC4, $ACC4
- vpsubq 32*5-128(%rdx), $ACC5, $ACC5
- vpsubq 32*6-128(%rdx), $ACC6, $ACC6
- vpsubq 32*7-128(%rdx), $ACC7, $ACC7
- vpsubq 32*8-128(%rdx), $ACC8, $ACC8
-
- vpsubq 32*0-128(%rcx), $ACC0, $ACC0
- vpsubq 32*1-128(%rcx), $ACC1, $ACC1
- vpsubq 32*2-128(%rcx), $ACC2, $ACC2
- vpsubq 32*3-128(%rcx), $ACC3, $ACC3
- vpsubq 32*4-128(%rcx), $ACC4, $ACC4
- vpsubq 32*5-128(%rcx), $ACC5, $ACC5
- vpsubq 32*6-128(%rcx), $ACC6, $ACC6
- vpsubq 32*7-128(%rcx), $ACC7, $ACC7
- vpsubq 32*8-128(%rcx), $ACC8, $ACC8
- call avx2_normalize
-
- lea 32*0($b_ptr), %rsi
- lea 32*0($a_ptr), %rdx
- call avx2_select_n_store
-
- # H = U2 - X3
- lea `32*9*0`(%rsp), %rsi
- lea `32*9*0`($r_ptr), %rdx
- lea `32*9*3`(%rsp), %rdi
- call avx2_sub_x4
- call avx2_normalize_n_store
-
- # H = H*R
- lea `32*9*3`(%rsp), %rsi
- lea `32*9*4`(%rsp), %rdx
- lea `32*9*3`(%rsp), %rdi
- call avx2_mul_x4
- call avx2_normalize_n_store
-
- # S2 = S1 * H^3
- lea `32*9*7`(%rsp), %rsi
- lea `32*9*1`($a_ptr), %rdx
- lea `32*9*1`(%rsp), %rdi
- call avx2_mul_x4
- call avx2_normalize_n_store
-
- #
- lea `32*9*3`(%rsp), %rsi
- lea `32*9*1`(%rsp), %rdx
- lea `32*9*1`($r_ptr), %rdi
- call avx2_sub_x4
- call avx2_normalize
-
- lea 32*9($b_ptr), %rsi
- lea 32*9($a_ptr), %rdx
- call avx2_select_n_store
-
- #lea 32*9*0($r_ptr), %rsi
- #lea 32*9*0($r_ptr), %rdi
- #call avx2_mul_by1_x4
- #NORMALIZE
- #STORE
-
- lea `32*9*1`($r_ptr), %rsi
- lea `32*9*1`($r_ptr), %rdi
- call avx2_mul_by1_x4
- call avx2_normalize_n_store
-
- vzeroupper
-___
-$code.=<<___ if ($win64);
- movaps %xmm6, -16*10(%rbp)
- movaps %xmm7, -16*9(%rbp)
- movaps %xmm8, -16*8(%rbp)
- movaps %xmm9, -16*7(%rbp)
- movaps %xmm10, -16*6(%rbp)
- movaps %xmm11, -16*5(%rbp)
- movaps %xmm12, -16*4(%rbp)
- movaps %xmm13, -16*3(%rbp)
- movaps %xmm14, -16*2(%rbp)
- movaps %xmm15, -16*1(%rbp)
-___
-$code.=<<___;
- mov %rbp, %rsp
- pop %rbp
- ret
-.size ecp_nistz256_avx2_point_add_affines_x4,.-ecp_nistz256_avx2_point_add_affines_x4
-
-################################################################################
-# void ecp_nistz256_avx2_to_mont(void* RESULTx4, void *Ax4);
-.globl ecp_nistz256_avx2_to_mont
-.type ecp_nistz256_avx2_to_mont,\@function,2
-.align 32
-ecp_nistz256_avx2_to_mont:
- vzeroupper
-___
-$code.=<<___ if ($win64);
- lea -8-16*10(%rsp), %rsp
- vmovaps %xmm6, -8-16*10(%rax)
- vmovaps %xmm7, -8-16*9(%rax)
- vmovaps %xmm8, -8-16*8(%rax)
- vmovaps %xmm9, -8-16*7(%rax)
- vmovaps %xmm10, -8-16*6(%rax)
- vmovaps %xmm11, -8-16*5(%rax)
- vmovaps %xmm12, -8-16*4(%rax)
- vmovaps %xmm13, -8-16*3(%rax)
- vmovaps %xmm14, -8-16*2(%rax)
- vmovaps %xmm15, -8-16*1(%rax)
-___
-$code.=<<___;
- vmovdqa .LAVX2_AND_MASK(%rip), $AND_MASK
- lea .LTO_MONT_AVX2(%rip), %rdx
- call avx2_mul_x4
- call avx2_normalize_n_store
-
- vzeroupper
-___
-$code.=<<___ if ($win64);
- movaps 16*0(%rsp), %xmm6
- movaps 16*1(%rsp), %xmm7
- movaps 16*2(%rsp), %xmm8
- movaps 16*3(%rsp), %xmm9
- movaps 16*4(%rsp), %xmm10
- movaps 16*5(%rsp), %xmm11
- movaps 16*6(%rsp), %xmm12
- movaps 16*7(%rsp), %xmm13
- movaps 16*8(%rsp), %xmm14
- movaps 16*9(%rsp), %xmm15
- lea 8+16*10(%rsp), %rsp
-___
-$code.=<<___;
- ret
-.size ecp_nistz256_avx2_to_mont,.-ecp_nistz256_avx2_to_mont
-
-################################################################################
-# void ecp_nistz256_avx2_from_mont(void* RESULTx4, void *Ax4);
-.globl ecp_nistz256_avx2_from_mont
-.type ecp_nistz256_avx2_from_mont,\@function,2
-.align 32
-ecp_nistz256_avx2_from_mont:
- vzeroupper
-___
-$code.=<<___ if ($win64);
- lea -8-16*10(%rsp), %rsp
- vmovaps %xmm6, -8-16*10(%rax)
- vmovaps %xmm7, -8-16*9(%rax)
- vmovaps %xmm8, -8-16*8(%rax)
- vmovaps %xmm9, -8-16*7(%rax)
- vmovaps %xmm10, -8-16*6(%rax)
- vmovaps %xmm11, -8-16*5(%rax)
- vmovaps %xmm12, -8-16*4(%rax)
- vmovaps %xmm13, -8-16*3(%rax)
- vmovaps %xmm14, -8-16*2(%rax)
- vmovaps %xmm15, -8-16*1(%rax)
-___
-$code.=<<___;
- vmovdqa .LAVX2_AND_MASK(%rip), $AND_MASK
- lea .LFROM_MONT_AVX2(%rip), %rdx
- call avx2_mul_x4
- call avx2_normalize_n_store
-
- vzeroupper
-___
-$code.=<<___ if ($win64);
- movaps 16*0(%rsp), %xmm6
- movaps 16*1(%rsp), %xmm7
- movaps 16*2(%rsp), %xmm8
- movaps 16*3(%rsp), %xmm9
- movaps 16*4(%rsp), %xmm10
- movaps 16*5(%rsp), %xmm11
- movaps 16*6(%rsp), %xmm12
- movaps 16*7(%rsp), %xmm13
- movaps 16*8(%rsp), %xmm14
- movaps 16*9(%rsp), %xmm15
- lea 8+16*10(%rsp), %rsp
-___
-$code.=<<___;
- ret
-.size ecp_nistz256_avx2_from_mont,.-ecp_nistz256_avx2_from_mont
-
-################################################################################
-# void ecp_nistz256_avx2_set1(void* RESULTx4);
-.globl ecp_nistz256_avx2_set1
-.type ecp_nistz256_avx2_set1,\@function,1
-.align 32
-ecp_nistz256_avx2_set1:
- lea .LONE+128(%rip), %rax
- lea 128(%rdi), %rdi
- vzeroupper
- vmovdqa 32*0-128(%rax), %ymm0
- vmovdqa 32*1-128(%rax), %ymm1
- vmovdqa 32*2-128(%rax), %ymm2
- vmovdqa 32*3-128(%rax), %ymm3
- vmovdqa 32*4-128(%rax), %ymm4
- vmovdqa 32*5-128(%rax), %ymm5
- vmovdqa %ymm0, 32*0-128(%rdi)
- vmovdqa 32*6-128(%rax), %ymm0
- vmovdqa %ymm1, 32*1-128(%rdi)
- vmovdqa 32*7-128(%rax), %ymm1
- vmovdqa %ymm2, 32*2-128(%rdi)
- vmovdqa 32*8-128(%rax), %ymm2
- vmovdqa %ymm3, 32*3-128(%rdi)
- vmovdqa %ymm4, 32*4-128(%rdi)
- vmovdqa %ymm5, 32*5-128(%rdi)
- vmovdqa %ymm0, 32*6-128(%rdi)
- vmovdqa %ymm1, 32*7-128(%rdi)
- vmovdqa %ymm2, 32*8-128(%rdi)
-
- vzeroupper
- ret
-.size ecp_nistz256_avx2_set1,.-ecp_nistz256_avx2_set1
-___
-}
-{
-################################################################################
-# void ecp_nistz256_avx2_multi_gather_w7(void* RESULT, void *in,
-# int index0, int index1, int index2, int index3);
-################################################################################
-
-my ($val,$in_t,$index0,$index1,$index2,$index3)=("%rdi","%rsi","%edx","%ecx","%r8d","%r9d");
-my ($INDEX0,$INDEX1,$INDEX2,$INDEX3)=map("%ymm$_",(0..3));
-my ($R0a,$R0b,$R1a,$R1b,$R2a,$R2b,$R3a,$R3b)=map("%ymm$_",(4..11));
-my ($M0,$T0,$T1,$TMP0)=map("%ymm$_",(12..15));
-
-$code.=<<___;
-.globl ecp_nistz256_avx2_multi_gather_w7
-.type ecp_nistz256_avx2_multi_gather_w7,\@function,6
-.align 32
-ecp_nistz256_avx2_multi_gather_w7:
- vzeroupper
-___
-$code.=<<___ if ($win64);
- lea -8-16*10(%rsp), %rsp
- vmovaps %xmm6, -8-16*10(%rax)
- vmovaps %xmm7, -8-16*9(%rax)
- vmovaps %xmm8, -8-16*8(%rax)
- vmovaps %xmm9, -8-16*7(%rax)
- vmovaps %xmm10, -8-16*6(%rax)
- vmovaps %xmm11, -8-16*5(%rax)
- vmovaps %xmm12, -8-16*4(%rax)
- vmovaps %xmm13, -8-16*3(%rax)
- vmovaps %xmm14, -8-16*2(%rax)
- vmovaps %xmm15, -8-16*1(%rax)
-___
-$code.=<<___;
- lea .LIntOne(%rip), %rax
-
- vmovd $index0, %xmm0
- vmovd $index1, %xmm1
- vmovd $index2, %xmm2
- vmovd $index3, %xmm3
-
- vpxor $R0a, $R0a, $R0a
- vpxor $R0b, $R0b, $R0b
- vpxor $R1a, $R1a, $R1a
- vpxor $R1b, $R1b, $R1b
- vpxor $R2a, $R2a, $R2a
- vpxor $R2b, $R2b, $R2b
- vpxor $R3a, $R3a, $R3a
- vpxor $R3b, $R3b, $R3b
- vmovdqa (%rax), $M0
-
- vpermd $INDEX0, $R0a, $INDEX0
- vpermd $INDEX1, $R0a, $INDEX1
- vpermd $INDEX2, $R0a, $INDEX2
- vpermd $INDEX3, $R0a, $INDEX3
-
- mov \$64, %ecx
- lea 112($val), $val # size optimization
- jmp .Lmulti_select_loop_avx2
-
-# INDEX=0, corresponds to the point at infty (0,0)
-.align 32
-.Lmulti_select_loop_avx2:
- vpcmpeqd $INDEX0, $M0, $TMP0
-
- vmovdqa `32*0+32*64*2*0`($in_t), $T0
- vmovdqa `32*1+32*64*2*0`($in_t), $T1
- vpand $TMP0, $T0, $T0
- vpand $TMP0, $T1, $T1
- vpxor $T0, $R0a, $R0a
- vpxor $T1, $R0b, $R0b
-
- vpcmpeqd $INDEX1, $M0, $TMP0
-
- vmovdqa `32*0+32*64*2*1`($in_t), $T0
- vmovdqa `32*1+32*64*2*1`($in_t), $T1
- vpand $TMP0, $T0, $T0
- vpand $TMP0, $T1, $T1
- vpxor $T0, $R1a, $R1a
- vpxor $T1, $R1b, $R1b
-
- vpcmpeqd $INDEX2, $M0, $TMP0
-
- vmovdqa `32*0+32*64*2*2`($in_t), $T0
- vmovdqa `32*1+32*64*2*2`($in_t), $T1
- vpand $TMP0, $T0, $T0
- vpand $TMP0, $T1, $T1
- vpxor $T0, $R2a, $R2a
- vpxor $T1, $R2b, $R2b
-
- vpcmpeqd $INDEX3, $M0, $TMP0
-
- vmovdqa `32*0+32*64*2*3`($in_t), $T0
- vmovdqa `32*1+32*64*2*3`($in_t), $T1
- vpand $TMP0, $T0, $T0
- vpand $TMP0, $T1, $T1
- vpxor $T0, $R3a, $R3a
- vpxor $T1, $R3b, $R3b
-
- vpaddd (%rax), $M0, $M0 # increment
- lea 32*2($in_t), $in_t
-
- dec %ecx
- jnz .Lmulti_select_loop_avx2
-
- vmovdqu $R0a, 32*0-112($val)
- vmovdqu $R0b, 32*1-112($val)
- vmovdqu $R1a, 32*2-112($val)
- vmovdqu $R1b, 32*3-112($val)
- vmovdqu $R2a, 32*4-112($val)
- vmovdqu $R2b, 32*5-112($val)
- vmovdqu $R3a, 32*6-112($val)
- vmovdqu $R3b, 32*7-112($val)
-
- vzeroupper
-___
-$code.=<<___ if ($win64);
- movaps 16*0(%rsp), %xmm6
- movaps 16*1(%rsp), %xmm7
- movaps 16*2(%rsp), %xmm8
- movaps 16*3(%rsp), %xmm9
- movaps 16*4(%rsp), %xmm10
- movaps 16*5(%rsp), %xmm11
- movaps 16*6(%rsp), %xmm12
- movaps 16*7(%rsp), %xmm13
- movaps 16*8(%rsp), %xmm14
- movaps 16*9(%rsp), %xmm15
- lea 8+16*10(%rsp), %rsp
-___
-$code.=<<___;
- ret
-.size ecp_nistz256_avx2_multi_gather_w7,.-ecp_nistz256_avx2_multi_gather_w7
-
-.extern OPENSSL_ia32cap_P
-.globl ecp_nistz_avx2_eligible
-.type ecp_nistz_avx2_eligible,\@abi-omnipotent
-.align 32
-ecp_nistz_avx2_eligible:
- mov OPENSSL_ia32cap_P+8(%rip),%eax
- shr \$5,%eax
- and \$1,%eax
- ret
-.size ecp_nistz_avx2_eligible,.-ecp_nistz_avx2_eligible
-___
-}
-}} else {{ # assembler is too old
-$code.=<<___;
-.text
-
-.globl ecp_nistz256_avx2_transpose_convert
-.globl ecp_nistz256_avx2_convert_transpose_back
-.globl ecp_nistz256_avx2_point_add_affine_x4
-.globl ecp_nistz256_avx2_point_add_affines_x4
-.globl ecp_nistz256_avx2_to_mont
-.globl ecp_nistz256_avx2_from_mont
-.globl ecp_nistz256_avx2_set1
-.globl ecp_nistz256_avx2_multi_gather_w7
-.type ecp_nistz256_avx2_multi_gather_w7,\@abi-omnipotent
-ecp_nistz256_avx2_transpose_convert:
-ecp_nistz256_avx2_convert_transpose_back:
-ecp_nistz256_avx2_point_add_affine_x4:
-ecp_nistz256_avx2_point_add_affines_x4:
-ecp_nistz256_avx2_to_mont:
-ecp_nistz256_avx2_from_mont:
-ecp_nistz256_avx2_set1:
-ecp_nistz256_avx2_multi_gather_w7:
- .byte 0x0f,0x0b # ud2
- ret
-.size ecp_nistz256_avx2_multi_gather_w7,.-ecp_nistz256_avx2_multi_gather_w7
-
-.globl ecp_nistz_avx2_eligible
-.type ecp_nistz_avx2_eligible,\@abi-omnipotent
-ecp_nistz_avx2_eligible:
- xor %eax,%eax
- ret
-.size ecp_nistz_avx2_eligible,.-ecp_nistz_avx2_eligible
-___
-}}
-
-foreach (split("\n",$code)) {
- s/\`([^\`]*)\`/eval($1)/geo;
-
- print $_,"\n";
-}
-
-close STDOUT or die "error closing STDOUT: $!";
$addx = ($1>=12);
}
-if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) {
+if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) {
my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
$avx = ($ver>=3.0) + ($ver>=3.01);
$addx = ($ver>=3.03);
$addx = ($1>=12);
}
-if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) {
+if (!$addx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+)\.([0-9]+)/) {
my $ver = $2 + $3/100.0; # 3.1->3.01, 3.10->3.10
$addx = ($ver>=3.03);
}
/*
- * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
static int ecdh_cms_encrypt(CMS_RecipientInfo *ri);
#endif
-static int eckey_param2type(int *pptype, void **ppval, EC_KEY *ec_key)
+static int eckey_param2type(int *pptype, void **ppval, const EC_KEY *ec_key)
{
const EC_GROUP *group;
int nid;
&& (nid = EC_GROUP_get_curve_name(group)))
/* we have a 'named curve' => just set the OID */
{
- *ppval = OBJ_nid2obj(nid);
+ ASN1_OBJECT *asn1obj = OBJ_nid2obj(nid);
+
+ if (asn1obj == NULL || OBJ_length(asn1obj) == 0) {
+ ASN1_OBJECT_free(asn1obj);
+ ECerr(EC_F_ECKEY_PARAM2TYPE, EC_R_MISSING_OID);
+ return 0;
+ }
+ *ppval = asn1obj;
*pptype = V_ASN1_OBJECT;
} else { /* explicit parameters */
pstr = ASN1_STRING_new();
if (pstr == NULL)
return 0;
- pstr->length = i2d_ECParameters(ec_key, &pstr->data);
+
+ /*
+ * The cast in the following line is intentional as the
+ * `i2d_ECParameters` signature can't be constified (see discussion at
+ * https://github.com/openssl/openssl/pull/9347 where related and
+ * required constification backports were rejected).
+ *
+ * This cast should be safe anyway, because we can expect
+ * `i2d_ECParameters()` to treat the first argument as if it was const.
+ */
+ pstr->length = i2d_ECParameters((EC_KEY *)ec_key, &pstr->data);
if (pstr->length <= 0) {
ASN1_STRING_free(pstr);
ECerr(EC_F_ECKEY_PARAM2TYPE, ERR_R_EC_LIB);
static int eckey_pub_encode(X509_PUBKEY *pk, const EVP_PKEY *pkey)
{
- EC_KEY *ec_key = pkey->pkey.ec;
+ const EC_KEY *ec_key = pkey->pkey.ec;
void *pval = NULL;
int ptype;
unsigned char *penc = NULL, *p;
ASN1_INTEGER *cofactor;
} /* ECPARAMETERS */ ;
+typedef enum {
+ ECPKPARAMETERS_TYPE_NAMED = 0,
+ ECPKPARAMETERS_TYPE_EXPLICIT,
+ ECPKPARAMETERS_TYPE_IMPLICIT
+} ecpk_parameters_type_t;
+
struct ecpk_parameters_st {
int type;
union {
return NULL;
}
} else {
- if (ret->type == 0)
+ if (ret->type == ECPKPARAMETERS_TYPE_NAMED)
ASN1_OBJECT_free(ret->value.named_curve);
- else if (ret->type == 1 && ret->value.parameters)
+ else if (ret->type == ECPKPARAMETERS_TYPE_EXPLICIT
+ && ret->value.parameters != NULL)
ECPARAMETERS_free(ret->value.parameters);
}
*/
tmp = EC_GROUP_get_curve_name(group);
if (tmp) {
- ret->type = 0;
- if ((ret->value.named_curve = OBJ_nid2obj(tmp)) == NULL)
+ ASN1_OBJECT *asn1obj = OBJ_nid2obj(tmp);
+
+ if (asn1obj == NULL || OBJ_length(asn1obj) == 0) {
+ ASN1_OBJECT_free(asn1obj);
+ ECerr(EC_F_EC_GROUP_GET_ECPKPARAMETERS, EC_R_MISSING_OID);
ok = 0;
+ } else {
+ ret->type = ECPKPARAMETERS_TYPE_NAMED;
+ ret->value.named_curve = asn1obj;
+ }
} else
/* we don't know the nid => ERROR */
ok = 0;
} else {
/* use the ECPARAMETERS structure */
- ret->type = 1;
+ ret->type = ECPKPARAMETERS_TYPE_EXPLICIT;
if ((ret->value.parameters =
EC_GROUP_get_ecparameters(group, NULL)) == NULL)
ok = 0;
return NULL;
}
- if (params->type == 0) { /* the curve is given by an OID */
+ if (params->type == ECPKPARAMETERS_TYPE_NAMED) {
+ /* the curve is given by an OID */
tmp = OBJ_obj2nid(params->value.named_curve);
if ((ret = EC_GROUP_new_by_curve_name(tmp)) == NULL) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPKPARAMETERS,
return NULL;
}
EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_NAMED_CURVE);
- } else if (params->type == 1) { /* the parameters are given by a
- * ECPARAMETERS structure */
+ } else if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT) {
+ /* the parameters are given by an ECPARAMETERS structure */
ret = EC_GROUP_new_from_ecparameters(params->value.parameters);
if (!ret) {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPKPARAMETERS, ERR_R_EC_LIB);
return NULL;
}
EC_GROUP_set_asn1_flag(ret, OPENSSL_EC_EXPLICIT_CURVE);
- } else if (params->type == 2) { /* implicitlyCA */
+ } else if (params->type == ECPKPARAMETERS_TYPE_IMPLICIT) {
+ /* implicit parameters inherited from CA - unsupported */
return NULL;
} else {
ECerr(EC_F_EC_GROUP_NEW_FROM_ECPKPARAMETERS, EC_R_ASN1_ERROR);
return NULL;
}
+ if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT)
+ group->decoded_from_explicit_params = 1;
+
if (a) {
EC_GROUP_free(*a);
*a = group;
if (priv_key->parameters) {
EC_GROUP_free(ret->group);
ret->group = EC_GROUP_new_from_ecpkparameters(priv_key->parameters);
+ if (ret->group != NULL
+ && priv_key->parameters->type == ECPKPARAMETERS_TYPE_EXPLICIT)
+ ret->group->decoded_from_explicit_params = 1;
}
if (ret->group == NULL) {
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
{ERR_PACK(ERR_LIB_EC, 0, EC_R_LADDER_POST_FAILURE), "ladder post failure"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_LADDER_PRE_FAILURE), "ladder pre failure"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_LADDER_STEP_FAILURE), "ladder step failure"},
+ {ERR_PACK(ERR_LIB_EC, 0, EC_R_MISSING_OID), "missing OID"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_MISSING_PARAMETERS), "missing parameters"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_MISSING_PRIVATE_KEY), "missing private key"},
{ERR_PACK(ERR_LIB_EC, 0, EC_R_NEED_NEW_SETUP_VALUES),
/*
- * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
#include "internal/refcount.h"
#include <openssl/err.h>
#include <openssl/engine.h>
+#include "crypto/bn.h"
EC_KEY *EC_KEY_new(void)
{
int EC_KEY_set_private_key(EC_KEY *key, const BIGNUM *priv_key)
{
+ int fixed_top;
+ const BIGNUM *order = NULL;
+ BIGNUM *tmp_key = NULL;
+
if (key->group == NULL || key->group->meth == NULL)
return 0;
+
+ /*
+ * Not only should key->group be set, but it should also be in a valid
+ * fully initialized state.
+ *
+ * Specifically, to operate in constant time, we need that the group order
+ * is set, as we use its length as the fixed public size of any scalar used
+ * as an EC private key.
+ */
+ order = EC_GROUP_get0_order(key->group);
+ if (order == NULL || BN_is_zero(order))
+ return 0; /* This should never happen */
+
if (key->group->meth->set_private != NULL
&& key->group->meth->set_private(key, priv_key) == 0)
return 0;
if (key->meth->set_private != NULL
&& key->meth->set_private(key, priv_key) == 0)
return 0;
+
+ /*
+ * We should never leak the bit length of the secret scalar in the key,
+ * so we always set the `BN_FLG_CONSTTIME` flag on the internal `BIGNUM`
+ * holding the secret scalar.
+ *
+ * This is important also because `BN_dup()` (and `BN_copy()`) do not
+ * propagate the `BN_FLG_CONSTTIME` flag from the source `BIGNUM`, and
+ * this brings an extra risk of inadvertently losing the flag, even when
+ * the caller specifically set it.
+ *
+ * The propagation has been turned on and off a few times in the past
+ * years because in some conditions has shown unintended consequences in
+ * some code paths, so at the moment we can't fix this in the BN layer.
+ *
+ * In `EC_KEY_set_private_key()` we can work around the propagation by
+ * manually setting the flag after `BN_dup()` as we know for sure that
+ * inside the EC module the `BN_FLG_CONSTTIME` is always treated
+ * correctly and should not generate unintended consequences.
+ *
+ * Setting the BN_FLG_CONSTTIME flag alone is never enough, we also have
+ * to preallocate the BIGNUM internal buffer to a fixed public size big
+ * enough that operations performed during the processing never trigger
+ * a realloc which would leak the size of the scalar through memory
+ * accesses.
+ *
+ * Fixed Length
+ * ------------
+ *
+ * The order of the large prime subgroup of the curve is our choice for
+ * a fixed public size, as that is generally the upper bound for
+ * generating a private key in EC cryptosystems and should fit all valid
+ * secret scalars.
+ *
+ * For preallocating the BIGNUM storage we look at the number of "words"
+ * required for the internal representation of the order, and we
+ * preallocate 2 extra "words" in case any of the subsequent processing
+ * might temporarily overflow the order length.
+ */
+ tmp_key = BN_dup(priv_key);
+ if (tmp_key == NULL)
+ return 0;
+
+ BN_set_flags(tmp_key, BN_FLG_CONSTTIME);
+
+ fixed_top = bn_get_top(order) + 2;
+ if (bn_wexpand(tmp_key, fixed_top) == NULL) {
+ BN_clear_free(tmp_key);
+ return 0;
+ }
+
BN_clear_free(key->priv_key);
- key->priv_key = BN_dup(priv_key);
- return (key->priv_key == NULL) ? 0 : 1;
+ key->priv_key = tmp_key;
+
+ return 1;
}
const EC_POINT *EC_KEY_get0_public_key(const EC_KEY *key)
key->flags &= ~flags;
}
+int EC_KEY_decoded_from_explicit_params(const EC_KEY *key)
+{
+ if (key == NULL || key->group == NULL)
+ return -1;
+ return key->group->decoded_from_explicit_params;
+}
+
size_t EC_KEY_key2buf(const EC_KEY *key, point_conversion_form_t form,
unsigned char **pbuf, BN_CTX *ctx)
{
dest->asn1_flag = src->asn1_flag;
dest->asn1_form = src->asn1_form;
+ dest->decoded_from_explicit_params = src->decoded_from_explicit_params;
if (src->seed) {
OPENSSL_free(dest->seed);
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
BIGNUM *order, *cofactor;
int curve_name; /* optional NID for named curve */
int asn1_flag; /* flag to control the asn1 encoding */
+ int decoded_from_explicit_params; /* set if decoded from explicit
+ * curve parameters encoding */
point_conversion_form_t asn1_form;
unsigned char *seed; /* optional seed for parameters (appears in
* ASN1) */
*/
typedef uint64_t limb;
+typedef uint64_t limb_aX __attribute((__aligned__(1)));
typedef uint128_t widelimb;
typedef limb felem[4];
*/
static void bin28_to_felem(felem out, const u8 in[28])
{
- out[0] = *((const uint64_t *)(in)) & 0x00ffffffffffffff;
- out[1] = (*((const uint64_t *)(in + 7))) & 0x00ffffffffffffff;
- out[2] = (*((const uint64_t *)(in + 14))) & 0x00ffffffffffffff;
- out[3] = (*((const uint64_t *)(in+20))) >> 8;
+ out[0] = *((const limb *)(in)) & 0x00ffffffffffffff;
+ out[1] = (*((const limb_aX *)(in + 7))) & 0x00ffffffffffffff;
+ out[2] = (*((const limb_aX *)(in + 14))) & 0x00ffffffffffffff;
+ out[3] = (*((const limb_aX *)(in + 20))) >> 8;
}
static void felem_to_bin28(u8 out[28], const felem in)
# define NLIMBS 9
typedef uint64_t limb;
+typedef limb limb_aX __attribute((__aligned__(1)));
typedef limb felem[NLIMBS];
typedef uint128_t largefelem[NLIMBS];
static void bin66_to_felem(felem out, const u8 in[66])
{
out[0] = (*((limb *) & in[0])) & bottom58bits;
- out[1] = (*((limb *) & in[7]) >> 2) & bottom58bits;
- out[2] = (*((limb *) & in[14]) >> 4) & bottom58bits;
- out[3] = (*((limb *) & in[21]) >> 6) & bottom58bits;
- out[4] = (*((limb *) & in[29])) & bottom58bits;
- out[5] = (*((limb *) & in[36]) >> 2) & bottom58bits;
- out[6] = (*((limb *) & in[43]) >> 4) & bottom58bits;
- out[7] = (*((limb *) & in[50]) >> 6) & bottom58bits;
- out[8] = (*((limb *) & in[58])) & bottom57bits;
+ out[1] = (*((limb_aX *) & in[7]) >> 2) & bottom58bits;
+ out[2] = (*((limb_aX *) & in[14]) >> 4) & bottom58bits;
+ out[3] = (*((limb_aX *) & in[21]) >> 6) & bottom58bits;
+ out[4] = (*((limb_aX *) & in[29])) & bottom58bits;
+ out[5] = (*((limb_aX *) & in[36]) >> 2) & bottom58bits;
+ out[6] = (*((limb_aX *) & in[43]) >> 4) & bottom58bits;
+ out[7] = (*((limb_aX *) & in[50]) >> 6) & bottom58bits;
+ out[8] = (*((limb_aX *) & in[58])) & bottom57bits;
}
/*
{
memset(out, 0, 66);
(*((limb *) & out[0])) = in[0];
- (*((limb *) & out[7])) |= in[1] << 2;
- (*((limb *) & out[14])) |= in[2] << 4;
- (*((limb *) & out[21])) |= in[3] << 6;
- (*((limb *) & out[29])) = in[4];
- (*((limb *) & out[36])) |= in[5] << 2;
- (*((limb *) & out[43])) |= in[6] << 4;
- (*((limb *) & out[50])) |= in[7] << 6;
- (*((limb *) & out[58])) = in[8];
+ (*((limb_aX *) & out[7])) |= in[1] << 2;
+ (*((limb_aX *) & out[14])) |= in[2] << 4;
+ (*((limb_aX *) & out[21])) |= in[3] << 6;
+ (*((limb_aX *) & out[29])) = in[4];
+ (*((limb_aX *) & out[36])) |= in[5] << 2;
+ (*((limb_aX *) & out[43])) |= in[6] << 4;
+ (*((limb_aX *) & out[50])) |= in[7] << 6;
+ (*((limb_aX *) & out[58])) = in[8];
}
/* BN_to_felem converts an OpenSSL BIGNUM into an felem */
return ret;
}
-/*
- * Note that by default ECP_NISTZ256_AVX2 is undefined. While it's great
- * code processing 4 points in parallel, corresponding serial operation
- * is several times slower, because it uses 29x29=58-bit multiplication
- * as opposite to 64x64=128-bit in integer-only scalar case. As result
- * it doesn't provide *significant* performance improvement. Note that
- * just defining ECP_NISTZ256_AVX2 is not sufficient to make it work,
- * you'd need to compile even asm/ecp_nistz256-avx.pl module.
- */
-#if defined(ECP_NISTZ256_AVX2)
-# if !(defined(__x86_64) || defined(__x86_64__) || \
- defined(_M_AMD64) || defined(_M_X64)) || \
- !(defined(__GNUC__) || defined(_MSC_VER)) /* this is for ALIGN32 */
-# undef ECP_NISTZ256_AVX2
-# else
-/* Constant time access, loading four values, from four consecutive tables */
-void ecp_nistz256_avx2_multi_gather_w7(void *result, const void *in,
- int index0, int index1, int index2,
- int index3);
-void ecp_nistz256_avx2_transpose_convert(void *RESULTx4, const void *in);
-void ecp_nistz256_avx2_convert_transpose_back(void *result, const void *Ax4);
-void ecp_nistz256_avx2_point_add_affine_x4(void *RESULTx4, const void *Ax4,
- const void *Bx4);
-void ecp_nistz256_avx2_point_add_affines_x4(void *RESULTx4, const void *Ax4,
- const void *Bx4);
-void ecp_nistz256_avx2_to_mont(void *RESULTx4, const void *Ax4);
-void ecp_nistz256_avx2_from_mont(void *RESULTx4, const void *Ax4);
-void ecp_nistz256_avx2_set1(void *RESULTx4);
-int ecp_nistz_avx2_eligible(void);
-
-static void booth_recode_w7(unsigned char *sign,
- unsigned char *digit, unsigned char in)
-{
- unsigned char s, d;
-
- s = ~((in >> 7) - 1);
- d = (1 << 8) - in - 1;
- d = (d & s) | (in & ~s);
- d = (d >> 1) + (d & 1);
-
- *sign = s & 1;
- *digit = d;
-}
-
-/*
- * ecp_nistz256_avx2_mul_g performs multiplication by G, using only the
- * precomputed table. It does 4 affine point additions in parallel,
- * significantly speeding up point multiplication for a fixed value.
- */
-static void ecp_nistz256_avx2_mul_g(P256_POINT *r,
- unsigned char p_str[33],
- const P256_POINT_AFFINE(*preComputedTable)[64])
-{
- const unsigned int window_size = 7;
- const unsigned int mask = (1 << (window_size + 1)) - 1;
- unsigned int wvalue;
- /* Using 4 windows at a time */
- unsigned char sign0, digit0;
- unsigned char sign1, digit1;
- unsigned char sign2, digit2;
- unsigned char sign3, digit3;
- unsigned int idx = 0;
- BN_ULONG tmp[P256_LIMBS];
- int i;
-
- ALIGN32 BN_ULONG aX4[4 * 9 * 3] = { 0 };
- ALIGN32 BN_ULONG bX4[4 * 9 * 2] = { 0 };
- ALIGN32 P256_POINT_AFFINE point_arr[4];
- ALIGN32 P256_POINT res_point_arr[4];
-
- /* Initial four windows */
- wvalue = *((u16 *) & p_str[0]);
- wvalue = (wvalue << 1) & mask;
- idx += window_size;
- booth_recode_w7(&sign0, &digit0, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign1, &digit1, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign2, &digit2, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign3, &digit3, wvalue);
-
- ecp_nistz256_avx2_multi_gather_w7(point_arr, preComputedTable[0],
- digit0, digit1, digit2, digit3);
-
- ecp_nistz256_neg(tmp, point_arr[0].Y);
- copy_conditional(point_arr[0].Y, tmp, sign0);
- ecp_nistz256_neg(tmp, point_arr[1].Y);
- copy_conditional(point_arr[1].Y, tmp, sign1);
- ecp_nistz256_neg(tmp, point_arr[2].Y);
- copy_conditional(point_arr[2].Y, tmp, sign2);
- ecp_nistz256_neg(tmp, point_arr[3].Y);
- copy_conditional(point_arr[3].Y, tmp, sign3);
-
- ecp_nistz256_avx2_transpose_convert(aX4, point_arr);
- ecp_nistz256_avx2_to_mont(aX4, aX4);
- ecp_nistz256_avx2_to_mont(&aX4[4 * 9], &aX4[4 * 9]);
- ecp_nistz256_avx2_set1(&aX4[4 * 9 * 2]);
-
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign0, &digit0, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign1, &digit1, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign2, &digit2, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign3, &digit3, wvalue);
-
- ecp_nistz256_avx2_multi_gather_w7(point_arr, preComputedTable[4 * 1],
- digit0, digit1, digit2, digit3);
-
- ecp_nistz256_neg(tmp, point_arr[0].Y);
- copy_conditional(point_arr[0].Y, tmp, sign0);
- ecp_nistz256_neg(tmp, point_arr[1].Y);
- copy_conditional(point_arr[1].Y, tmp, sign1);
- ecp_nistz256_neg(tmp, point_arr[2].Y);
- copy_conditional(point_arr[2].Y, tmp, sign2);
- ecp_nistz256_neg(tmp, point_arr[3].Y);
- copy_conditional(point_arr[3].Y, tmp, sign3);
-
- ecp_nistz256_avx2_transpose_convert(bX4, point_arr);
- ecp_nistz256_avx2_to_mont(bX4, bX4);
- ecp_nistz256_avx2_to_mont(&bX4[4 * 9], &bX4[4 * 9]);
- /* Optimized when both inputs are affine */
- ecp_nistz256_avx2_point_add_affines_x4(aX4, aX4, bX4);
-
- for (i = 2; i < 9; i++) {
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign0, &digit0, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign1, &digit1, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign2, &digit2, wvalue);
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
- booth_recode_w7(&sign3, &digit3, wvalue);
-
- ecp_nistz256_avx2_multi_gather_w7(point_arr,
- preComputedTable[4 * i],
- digit0, digit1, digit2, digit3);
-
- ecp_nistz256_neg(tmp, point_arr[0].Y);
- copy_conditional(point_arr[0].Y, tmp, sign0);
- ecp_nistz256_neg(tmp, point_arr[1].Y);
- copy_conditional(point_arr[1].Y, tmp, sign1);
- ecp_nistz256_neg(tmp, point_arr[2].Y);
- copy_conditional(point_arr[2].Y, tmp, sign2);
- ecp_nistz256_neg(tmp, point_arr[3].Y);
- copy_conditional(point_arr[3].Y, tmp, sign3);
-
- ecp_nistz256_avx2_transpose_convert(bX4, point_arr);
- ecp_nistz256_avx2_to_mont(bX4, bX4);
- ecp_nistz256_avx2_to_mont(&bX4[4 * 9], &bX4[4 * 9]);
-
- ecp_nistz256_avx2_point_add_affine_x4(aX4, aX4, bX4);
- }
-
- ecp_nistz256_avx2_from_mont(&aX4[4 * 9 * 0], &aX4[4 * 9 * 0]);
- ecp_nistz256_avx2_from_mont(&aX4[4 * 9 * 1], &aX4[4 * 9 * 1]);
- ecp_nistz256_avx2_from_mont(&aX4[4 * 9 * 2], &aX4[4 * 9 * 2]);
-
- ecp_nistz256_avx2_convert_transpose_back(res_point_arr, aX4);
- /* Last window is performed serially */
- wvalue = *((u16 *) & p_str[(idx - 1) / 8]);
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- booth_recode_w7(&sign0, &digit0, wvalue);
- ecp_nistz256_gather_w7((P256_POINT_AFFINE *)r,
- preComputedTable[36], digit0);
- ecp_nistz256_neg(tmp, r->Y);
- copy_conditional(r->Y, tmp, sign0);
- memcpy(r->Z, ONE, sizeof(ONE));
- /* Sum the four windows */
- ecp_nistz256_point_add(r, r, &res_point_arr[0]);
- ecp_nistz256_point_add(r, r, &res_point_arr[1]);
- ecp_nistz256_point_add(r, r, &res_point_arr[2]);
- ecp_nistz256_point_add(r, r, &res_point_arr[3]);
-}
-# endif
-#endif
-
__owur static int ecp_nistz256_set_from_affine(EC_POINT *out, const EC_GROUP *group,
const P256_POINT_AFFINE *in,
BN_CTX *ctx)
}
if (preComputedTable) {
+ BN_ULONG infty;
+
if ((BN_num_bits(scalar) > 256)
|| BN_is_negative(scalar)) {
if ((tmp_scalar = BN_CTX_get(ctx)) == NULL)
for (; i < 33; i++)
p_str[i] = 0;
-#if defined(ECP_NISTZ256_AVX2)
- if (ecp_nistz_avx2_eligible()) {
- ecp_nistz256_avx2_mul_g(&p.p, p_str, preComputedTable);
- } else
-#endif
- {
- BN_ULONG infty;
+ /* First window */
+ wvalue = (p_str[0] << 1) & mask;
+ idx += window_size;
- /* First window */
- wvalue = (p_str[0] << 1) & mask;
- idx += window_size;
+ wvalue = _booth_recode_w7(wvalue);
- wvalue = _booth_recode_w7(wvalue);
+ ecp_nistz256_gather_w7(&p.a, preComputedTable[0],
+ wvalue >> 1);
- ecp_nistz256_gather_w7(&p.a, preComputedTable[0],
- wvalue >> 1);
-
- ecp_nistz256_neg(p.p.Z, p.p.Y);
- copy_conditional(p.p.Y, p.p.Z, wvalue & 1);
-
- /*
- * Since affine infinity is encoded as (0,0) and
- * Jacobian ias (,,0), we need to harmonize them
- * by assigning "one" or zero to Z.
- */
- infty = (p.p.X[0] | p.p.X[1] | p.p.X[2] | p.p.X[3] |
- p.p.Y[0] | p.p.Y[1] | p.p.Y[2] | p.p.Y[3]);
- if (P256_LIMBS == 8)
- infty |= (p.p.X[4] | p.p.X[5] | p.p.X[6] | p.p.X[7] |
- p.p.Y[4] | p.p.Y[5] | p.p.Y[6] | p.p.Y[7]);
-
- infty = 0 - is_zero(infty);
- infty = ~infty;
-
- p.p.Z[0] = ONE[0] & infty;
- p.p.Z[1] = ONE[1] & infty;
- p.p.Z[2] = ONE[2] & infty;
- p.p.Z[3] = ONE[3] & infty;
- if (P256_LIMBS == 8) {
- p.p.Z[4] = ONE[4] & infty;
- p.p.Z[5] = ONE[5] & infty;
- p.p.Z[6] = ONE[6] & infty;
- p.p.Z[7] = ONE[7] & infty;
- }
+ ecp_nistz256_neg(p.p.Z, p.p.Y);
+ copy_conditional(p.p.Y, p.p.Z, wvalue & 1);
- for (i = 1; i < 37; i++) {
- unsigned int off = (idx - 1) / 8;
- wvalue = p_str[off] | p_str[off + 1] << 8;
- wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
- idx += window_size;
+ /*
+ * Since affine infinity is encoded as (0,0) and
+ * Jacobian is (,,0), we need to harmonize them
+ * by assigning "one" or zero to Z.
+ */
+ infty = (p.p.X[0] | p.p.X[1] | p.p.X[2] | p.p.X[3] |
+ p.p.Y[0] | p.p.Y[1] | p.p.Y[2] | p.p.Y[3]);
+ if (P256_LIMBS == 8)
+ infty |= (p.p.X[4] | p.p.X[5] | p.p.X[6] | p.p.X[7] |
+ p.p.Y[4] | p.p.Y[5] | p.p.Y[6] | p.p.Y[7]);
+
+ infty = 0 - is_zero(infty);
+ infty = ~infty;
+
+ p.p.Z[0] = ONE[0] & infty;
+ p.p.Z[1] = ONE[1] & infty;
+ p.p.Z[2] = ONE[2] & infty;
+ p.p.Z[3] = ONE[3] & infty;
+ if (P256_LIMBS == 8) {
+ p.p.Z[4] = ONE[4] & infty;
+ p.p.Z[5] = ONE[5] & infty;
+ p.p.Z[6] = ONE[6] & infty;
+ p.p.Z[7] = ONE[7] & infty;
+ }
- wvalue = _booth_recode_w7(wvalue);
+ for (i = 1; i < 37; i++) {
+ unsigned int off = (idx - 1) / 8;
+ wvalue = p_str[off] | p_str[off + 1] << 8;
+ wvalue = (wvalue >> ((idx - 1) % 8)) & mask;
+ idx += window_size;
- ecp_nistz256_gather_w7(&t.a,
- preComputedTable[i], wvalue >> 1);
+ wvalue = _booth_recode_w7(wvalue);
- ecp_nistz256_neg(t.p.Z, t.a.Y);
- copy_conditional(t.a.Y, t.p.Z, wvalue & 1);
+ ecp_nistz256_gather_w7(&t.a,
+ preComputedTable[i], wvalue >> 1);
- ecp_nistz256_point_add_affine(&p.p, &p.p, &t.a);
- }
+ ecp_nistz256_neg(t.p.Z, t.a.Y);
+ copy_conditional(t.a.Y, t.p.Z, wvalue & 1);
+
+ ecp_nistz256_point_add_affine(&p.p, &p.p, &t.a);
}
} else {
p_is_infinity = 1;
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
cleanup_stack = NULL;
}
CRYPTO_THREAD_lock_free(global_engine_lock);
+ global_engine_lock = NULL;
}
/* Now the "ex_data" support */
ASN1_F_ASN1_ITEM_DUP:191:ASN1_item_dup
ASN1_F_ASN1_ITEM_EMBED_D2I:120:asn1_item_embed_d2i
ASN1_F_ASN1_ITEM_EMBED_NEW:121:asn1_item_embed_new
+ASN1_F_ASN1_ITEM_EX_I2D:144:ASN1_item_ex_i2d
ASN1_F_ASN1_ITEM_FLAGS_I2D:118:asn1_item_flags_i2d
ASN1_F_ASN1_ITEM_I2D_BIO:192:ASN1_item_i2d_bio
ASN1_F_ASN1_ITEM_I2D_FP:193:ASN1_item_i2d_fp
PEM_F_PEM_SIGNFINAL:112:PEM_SignFinal
PEM_F_PEM_WRITE:113:PEM_write
PEM_F_PEM_WRITE_BIO:114:PEM_write_bio
+PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL:147:\
+ PEM_write_bio_PrivateKey_traditional
PEM_F_PEM_WRITE_PRIVATEKEY:139:PEM_write_PrivateKey
PEM_F_PEM_X509_INFO_READ:115:PEM_X509_INFO_read
PEM_F_PEM_X509_INFO_READ_BIO:116:PEM_X509_INFO_read_bio
X509_F_X509_OBJECT_NEW:150:X509_OBJECT_new
X509_F_X509_PRINT_EX_FP:118:X509_print_ex_fp
X509_F_X509_PUBKEY_DECODE:148:x509_pubkey_decode
+X509_F_X509_PUBKEY_GET:161:X509_PUBKEY_get
X509_F_X509_PUBKEY_GET0:119:X509_PUBKEY_get0
X509_F_X509_PUBKEY_SET:120:X509_PUBKEY_set
X509_F_X509_REQ_CHECK_PRIVATE_KEY:144:X509_REQ_check_private_key
ASN1_R_ASN1_SIG_PARSE_ERROR:204:asn1 sig parse error
ASN1_R_AUX_ERROR:100:aux error
ASN1_R_BAD_OBJECT_HEADER:102:bad object header
+ASN1_R_BAD_TEMPLATE:230:bad template
ASN1_R_BMPSTRING_IS_WRONG_LENGTH:214:bmpstring is wrong length
ASN1_R_BN_LIB:105:bn lib
ASN1_R_BOOLEAN_IS_WRONG_LENGTH:106:boolean is wrong length
EC_R_LADDER_POST_FAILURE:136:ladder post failure
EC_R_LADDER_PRE_FAILURE:153:ladder pre failure
EC_R_LADDER_STEP_FAILURE:162:ladder step failure
+EC_R_MISSING_OID:167:missing OID
EC_R_MISSING_PARAMETERS:124:missing parameters
EC_R_MISSING_PRIVATE_KEY:125:missing private key
EC_R_NEED_NEW_SETUP_VALUES:157:need new setup values
PEM_R_UNSUPPORTED_CIPHER:113:unsupported cipher
PEM_R_UNSUPPORTED_ENCRYPTION:114:unsupported encryption
PEM_R_UNSUPPORTED_KEY_COMPONENTS:126:unsupported key components
+PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE:110:unsupported public key type
PKCS12_R_CANT_PACK_STRUCTURE:100:cant pack structure
PKCS12_R_CONTENT_TYPE_NOT_DATA:121:content type not data
PKCS12_R_DECODE_ERROR:101:decode error
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
/*
* copy start of the next block into proper place
*/
- if (ctx->buf_len_save - ctx->buf_off_save > 0) {
+ if (ctx->buf_len_save > ctx->buf_off_save) {
ctx->buf_len = ctx->buf_len_save - ctx->buf_off_save;
memmove(ctx->buf, &(ctx->buf[ctx->buf_off_save]),
ctx->buf_len);
size_t len, const AES_KEY *key1,
const AES_KEY *key2, const unsigned char iv[16]);
#endif
-#if !defined(AES_ASM) && !defined(AES_CTR_ASM) \
- && defined(OPENSSL_AES_CONST_TIME) \
- && !defined(OPENSSL_SMALL_FOOTPRINT)
-# define AES_CTR_ASM
-#endif
#ifdef AES_CTR_ASM
void AES_ctr32_encrypt(const unsigned char *in, unsigned char *out,
size_t blocks, const AES_KEY *key,
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
table = data_ascii2bin;
/* trim white space from the start of the line. */
- while ((conv_ascii2bin(*f, table) == B64_WS) && (n > 0)) {
+ while ((n > 0) && (conv_ascii2bin(*f, table) == B64_WS)) {
f++;
n--;
}
/*
- * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2004-2014, Akamai Technologies. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
OPENSSL_free(sh.freelist);
OPENSSL_free(sh.bittable);
OPENSSL_free(sh.bitmalloc);
- if (sh.map_result != NULL && sh.map_size)
+ if (sh.map_result != MAP_FAILED && sh.map_size)
munmap(sh.map_result, sh.map_size);
memset(&sh, 0, sizeof(sh));
}
$avx = ($1>=10) + ($1>=11);
}
-if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
+if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0);
}
$avx = ($1>=10) + ($1>=11);
}
-if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
+if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0);
}
/*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
# define STRICT_ALIGNMENT 0
#endif
+#if defined(__GNUC__) && !STRICT_ALIGNMENT
+typedef size_t size_t_aX __attribute((__aligned__(1)));
+#else
+typedef size_t size_t_aX;
+#endif
+
void CRYPTO_cbc128_encrypt(const unsigned char *in, unsigned char *out,
size_t len, const void *key,
unsigned char ivec[16], block128_f block)
} else {
while (len >= 16) {
for (n = 0; n < 16; n += sizeof(size_t))
- *(size_t *)(out + n) =
- *(size_t *)(in + n) ^ *(size_t *)(iv + n);
+ *(size_t_aX *)(out + n) =
+ *(size_t_aX *)(in + n) ^ *(size_t_aX *)(iv + n);
(*block) (out, out, key);
iv = out;
len -= 16;
}
} else if (16 % sizeof(size_t) == 0) { /* always true */
while (len >= 16) {
- size_t *out_t = (size_t *)out, *iv_t = (size_t *)iv;
+ size_t_aX *out_t = (size_t_aX *)out;
+ size_t_aX *iv_t = (size_t_aX *)iv;
(*block) (in, out, key);
for (n = 0; n < 16 / sizeof(size_t); n++)
}
} else if (16 % sizeof(size_t) == 0) { /* always true */
while (len >= 16) {
- size_t c, *out_t = (size_t *)out, *ivec_t = (size_t *)ivec;
- const size_t *in_t = (const size_t *)in;
+ size_t c;
+ size_t_aX *out_t = (size_t_aX *)out;
+ size_t_aX *ivec_t = (size_t_aX *)ivec;
+ const size_t_aX *in_t = (const size_t_aX *)in;
(*block) (in, tmp.c, key);
for (n = 0; n < 16 / sizeof(size_t); n++) {
/*
- * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include "modes_local.h"
#include <string.h>
+#ifndef STRICT_ALIGNMENT
+# ifdef __GNUC__
+typedef u64 u64_a1 __attribute((__aligned__(1)));
+# else
+typedef u64 u64_a1;
+# endif
+#endif
+
/*
* First you setup M and L parameters and pass the key schedule. This is
* called once per session setup...
ctx->cmac.u[0] ^= temp.u[0];
ctx->cmac.u[1] ^= temp.u[1];
#else
- ctx->cmac.u[0] ^= ((u64 *)inp)[0];
- ctx->cmac.u[1] ^= ((u64 *)inp)[1];
+ ctx->cmac.u[0] ^= ((u64_a1 *)inp)[0];
+ ctx->cmac.u[1] ^= ((u64_a1 *)inp)[1];
#endif
(*block) (ctx->cmac.c, ctx->cmac.c, key);
(*block) (ctx->nonce.c, scratch.c, key);
temp.u[1] ^= scratch.u[1];
memcpy(out, temp.c, 16);
#else
- ((u64 *)out)[0] = scratch.u[0] ^ ((u64 *)inp)[0];
- ((u64 *)out)[1] = scratch.u[1] ^ ((u64 *)inp)[1];
+ ((u64_a1 *)out)[0] = scratch.u[0] ^ ((u64_a1 *)inp)[0];
+ ((u64_a1 *)out)[1] = scratch.u[1] ^ ((u64_a1 *)inp)[1];
#endif
inp += 16;
out += 16;
ctx->cmac.u[1] ^= (scratch.u[1] ^= temp.u[1]);
memcpy(out, scratch.c, 16);
#else
- ctx->cmac.u[0] ^= (((u64 *)out)[0] = scratch.u[0] ^ ((u64 *)inp)[0]);
- ctx->cmac.u[1] ^= (((u64 *)out)[1] = scratch.u[1] ^ ((u64 *)inp)[1]);
+ ctx->cmac.u[0] ^= (((u64_a1 *)out)[0]
+ = scratch.u[0] ^ ((u64_a1 *)inp)[0]);
+ ctx->cmac.u[1] ^= (((u64_a1 *)out)[1]
+ = scratch.u[1] ^ ((u64_a1 *)inp)[1]);
#endif
(*block) (ctx->cmac.c, ctx->cmac.c, key);
/*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include "modes_local.h"
#include <string.h>
+#if defined(__GNUC__) && !defined(STRICT_ALIGNMENT)
+typedef size_t size_t_aX __attribute((__aligned__(1)));
+#else
+typedef size_t size_t_aX;
+#endif
+
/*
* The input and output encrypted as though 128bit cfb mode is being used.
* The extra state information to record how much of the 128bit block we have
while (len >= 16) {
(*block) (ivec, ivec, key);
for (; n < 16; n += sizeof(size_t)) {
- *(size_t *)(out + n) =
- *(size_t *)(ivec + n) ^= *(size_t *)(in + n);
+ *(size_t_aX *)(out + n) =
+ *(size_t_aX *)(ivec + n)
+ ^= *(size_t_aX *)(in + n);
}
len -= 16;
out += 16;
while (len >= 16) {
(*block) (ivec, ivec, key);
for (; n < 16; n += sizeof(size_t)) {
- size_t t = *(size_t *)(in + n);
- *(size_t *)(out + n) = *(size_t *)(ivec + n) ^ t;
- *(size_t *)(ivec + n) = t;
+ size_t t = *(size_t_aX *)(in + n);
+ *(size_t_aX *)(out + n)
+ = *(size_t_aX *)(ivec + n) ^ t;
+ *(size_t_aX *)(ivec + n) = t;
}
len -= 16;
out += 16;
/*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include "modes_local.h"
#include <string.h>
+#if defined(__GNUC__) && !defined(STRICT_ALIGNMENT)
+typedef size_t size_t_aX __attribute((__aligned__(1)));
+#else
+typedef size_t size_t_aX;
+#endif
+
/*
* NOTE: the IV/counter CTR mode is big-endian. The code itself is
* endian-neutral.
(*block) (ivec, ecount_buf, key);
ctr128_inc_aligned(ivec);
for (n = 0; n < 16; n += sizeof(size_t))
- *(size_t *)(out + n) =
- *(size_t *)(in + n) ^ *(size_t *)(ecount_buf + n);
+ *(size_t_aX *)(out + n) =
+ *(size_t_aX *)(in + n)
+ ^ *(size_t_aX *)(ecount_buf + n);
len -= 16;
out += 16;
in += 16;
/*
- * Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include "modes_local.h"
#include <string.h>
+#if defined(__GNUC__) && !defined(STRICT_ALIGNMENT)
+typedef size_t size_t_aX __attribute((__aligned__(1)));
+#else
+typedef size_t size_t_aX;
+#endif
+
#if defined(BSWAP4) && defined(STRICT_ALIGNMENT)
/* redefine, because alignment is ensured */
# undef GETU32
size_t j = GHASH_CHUNK;
while (j) {
- size_t *out_t = (size_t *)out;
- const size_t *in_t = (const size_t *)in;
+ size_t_aX *out_t = (size_t_aX *)out;
+ const size_t_aX *in_t = (const size_t_aX *)in;
(*block) (ctx->Yi.c, ctx->EKi.c, key);
++ctr;
size_t j = i;
while (len >= 16) {
- size_t *out_t = (size_t *)out;
- const size_t *in_t = (const size_t *)in;
+ size_t_aX *out_t = (size_t_aX *)out;
+ const size_t_aX *in_t = (const size_t_aX *)in;
(*block) (ctx->Yi.c, ctx->EKi.c, key);
++ctr;
GHASH(ctx, in, GHASH_CHUNK);
while (j) {
- size_t *out_t = (size_t *)out;
- const size_t *in_t = (const size_t *)in;
+ size_t_aX *out_t = (size_t_aX *)out;
+ const size_t_aX *in_t = (const size_t_aX *)in;
(*block) (ctx->Yi.c, ctx->EKi.c, key);
++ctr;
if ((i = (len & (size_t)-16))) {
GHASH(ctx, in, i);
while (len >= 16) {
- size_t *out_t = (size_t *)out;
- const size_t *in_t = (const size_t *)in;
+ size_t_aX *out_t = (size_t_aX *)out;
+ const size_t_aX *in_t = (const size_t_aX *)in;
(*block) (ctx->Yi.c, ctx->EKi.c, key);
++ctr;
/*
- * Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2010-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
# endif
#endif
+#ifndef STRICT_ALIGNMENT
+# ifdef __GNUC__
+typedef u32 u32_a1 __attribute((__aligned__(1)));
+# else
+typedef u32 u32_a1;
+# endif
+#endif
+
#if !defined(PEDANTIC) && !defined(OPENSSL_NO_ASM) && !defined(OPENSSL_NO_INLINE_ASM)
# if defined(__GNUC__) && __GNUC__>=2
# if defined(__x86_64) || defined(__x86_64__)
asm ("bswapl %0" \
: "+r"(ret_)); ret_; })
# elif defined(__aarch64__)
-# define BSWAP8(x) ({ u64 ret_; \
+# if defined(__BYTE_ORDER__) && defined(__ORDER_LITTLE_ENDIAN__) && \
+ __BYTE_ORDER__==__ORDER_LITTLE_ENDIAN__
+# define BSWAP8(x) ({ u64 ret_; \
asm ("rev %0,%1" \
: "=r"(ret_) : "r"(x)); ret_; })
-# define BSWAP4(x) ({ u32 ret_; \
+# define BSWAP4(x) ({ u32 ret_; \
asm ("rev %w0,%w1" \
: "=r"(ret_) : "r"(x)); ret_; })
+# endif
# elif (defined(__arm__) || defined(__arm)) && !defined(STRICT_ALIGNMENT)
# define BSWAP8(x) ({ u32 lo_=(u64)(x)>>32,hi_=(x); \
asm ("rev %0,%0; rev %1,%1" \
# endif
#endif
#if defined(BSWAP4) && !defined(STRICT_ALIGNMENT)
-# define GETU32(p) BSWAP4(*(const u32 *)(p))
-# define PUTU32(p,v) *(u32 *)(p) = BSWAP4(v)
+# define GETU32(p) BSWAP4(*(const u32_a1 *)(p))
+# define PUTU32(p,v) *(u32_a1 *)(p) = BSWAP4(v)
#else
# define GETU32(p) ((u32)(p)[0]<<24|(u32)(p)[1]<<16|(u32)(p)[2]<<8|(u32)(p)[3])
# define PUTU32(p,v) ((p)[0]=(u8)((v)>>24),(p)[1]=(u8)((v)>>16),(p)[2]=(u8)((v)>>8),(p)[3]=(u8)(v))
/*
- * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include "modes_local.h"
#include <string.h>
+#if defined(__GNUC__) && !defined(STRICT_ALIGNMENT)
+typedef size_t size_t_aX __attribute((__aligned__(1)));
+#else
+typedef size_t size_t_aX;
+#endif
+
/*
* The input and output encrypted as though 128bit ofb mode is being used.
* The extra state information to record how much of the 128bit block we have
while (len >= 16) {
(*block) (ivec, ivec, key);
for (; n < 16; n += sizeof(size_t))
- *(size_t *)(out + n) =
- *(size_t *)(in + n) ^ *(size_t *)(ivec + n);
+ *(size_t_aX *)(out + n) =
+ *(size_t_aX *)(in + n)
+ ^ *(size_t_aX *)(ivec + n);
len -= 16;
out += 16;
in += 16;
/*
- * Copyright 2011-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#include "modes_local.h"
#include <string.h>
+#ifndef STRICT_ALIGNMENT
+# ifdef __GNUC__
+typedef u64 u64_a1 __attribute((__aligned__(1)));
+# else
+typedef u64 u64_a1;
+# endif
+#endif
+
int CRYPTO_xts128_encrypt(const XTS128_CONTEXT *ctx,
const unsigned char iv[16],
const unsigned char *inp, unsigned char *out,
scratch.u[0] ^= tweak.u[0];
scratch.u[1] ^= tweak.u[1];
#else
- scratch.u[0] = ((u64 *)inp)[0] ^ tweak.u[0];
- scratch.u[1] = ((u64 *)inp)[1] ^ tweak.u[1];
+ scratch.u[0] = ((u64_a1 *)inp)[0] ^ tweak.u[0];
+ scratch.u[1] = ((u64_a1 *)inp)[1] ^ tweak.u[1];
#endif
(*ctx->block1) (scratch.c, scratch.c, ctx->key1);
#if defined(STRICT_ALIGNMENT)
scratch.u[1] ^= tweak.u[1];
memcpy(out, scratch.c, 16);
#else
- ((u64 *)out)[0] = scratch.u[0] ^= tweak.u[0];
- ((u64 *)out)[1] = scratch.u[1] ^= tweak.u[1];
+ ((u64_a1 *)out)[0] = scratch.u[0] ^= tweak.u[0];
+ ((u64_a1 *)out)[1] = scratch.u[1] ^= tweak.u[1];
#endif
inp += 16;
out += 16;
scratch.u[0] ^= tweak1.u[0];
scratch.u[1] ^= tweak1.u[1];
#else
- scratch.u[0] = ((u64 *)inp)[0] ^ tweak1.u[0];
- scratch.u[1] = ((u64 *)inp)[1] ^ tweak1.u[1];
+ scratch.u[0] = ((u64_a1 *)inp)[0] ^ tweak1.u[0];
+ scratch.u[1] = ((u64_a1 *)inp)[1] ^ tweak1.u[1];
#endif
(*ctx->block1) (scratch.c, scratch.c, ctx->key1);
scratch.u[0] ^= tweak1.u[0];
scratch.u[1] ^= tweak.u[1];
memcpy(out, scratch.c, 16);
#else
- ((u64 *)out)[0] = scratch.u[0] ^ tweak.u[0];
- ((u64 *)out)[1] = scratch.u[1] ^ tweak.u[1];
+ ((u64_a1 *)out)[0] = scratch.u[0] ^ tweak.u[0];
+ ((u64_a1 *)out)[1] = scratch.u[1] ^ tweak.u[1];
#endif
}
/*
- * Copyright 2003-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2003-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
int openssl_strerror_r(int errnum, char *buf, size_t buflen)
{
-#if defined(_MSC_VER) && _MSC_VER>=1400
+#if defined(_MSC_VER) && _MSC_VER>=1400 && !defined(_WIN32_WCE)
return !strerror_s(buf, buflen, errnum);
#elif defined(_GNU_SOURCE)
char *err;
/*
- * Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
if (gmtime_r(timer, result) == NULL)
return NULL;
ts = result;
-#elif defined (OPENSSL_SYS_WINDOWS) && defined(_MSC_VER) && _MSC_VER >= 1400
+#elif defined (OPENSSL_SYS_WINDOWS) && defined(_MSC_VER) && _MSC_VER >= 1400 && !defined(_WIN32_WCE)
if (gmtime_s(result, timer))
return NULL;
ts = result;
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
{ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_SIGNFINAL, 0), "PEM_SignFinal"},
{ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE, 0), "PEM_write"},
{ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE_BIO, 0), "PEM_write_bio"},
+ {ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL, 0),
+ "PEM_write_bio_PrivateKey_traditional"},
{ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_WRITE_PRIVATEKEY, 0),
"PEM_write_PrivateKey"},
{ERR_PACK(ERR_LIB_PEM, PEM_F_PEM_X509_INFO_READ, 0), "PEM_X509_INFO_read"},
"unsupported encryption"},
{ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_KEY_COMPONENTS),
"unsupported key components"},
+ {ERR_PACK(ERR_LIB_PEM, 0, PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE),
+ "unsupported public key type"},
{0, NULL}
};
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
}
}
- if ((dsize = i2d(x, NULL)) < 0) {
+ if ((dsize = i2d(x, NULL)) <= 0) {
PEMerr(PEM_F_PEM_ASN1_WRITE_BIO, ERR_R_ASN1_LIB);
dsize = 0;
goto err;
{
BIO *tmp = *header;
char *linebuf, *p;
- int len, line, ret = 0, end = 0;
+ int len, line, ret = 0, end = 0, prev_partial_line_read = 0, partial_line_read = 0;
/* 0 if not seen (yet), 1 if reading header, 2 if finished header */
enum header_status got_header = MAYBE_HEADER;
unsigned int flags_mask;
flags_mask = ~0u;
len = BIO_gets(bp, linebuf, LINESIZE);
if (len <= 0) {
- PEMerr(PEM_F_GET_HEADER_AND_DATA, PEM_R_SHORT_HEADER);
+ PEMerr(PEM_F_GET_HEADER_AND_DATA, PEM_R_BAD_END_LINE);
goto err;
}
+ /*
+ * Check if line has been read completely or if only part of the line
+ * has been read. Keep the previous value to ignore newlines that
+ * appear due to reading a line up until the char before the newline.
+ */
+ prev_partial_line_read = partial_line_read;
+ partial_line_read = len == LINESIZE-1 && linebuf[LINESIZE-2] != '\n';
+
if (got_header == MAYBE_HEADER) {
if (memchr(linebuf, ':', len) != NULL)
got_header = IN_HEADER;
/* Check for end of header. */
if (linebuf[0] == '\n') {
- if (got_header == POST_HEADER) {
- /* Another blank line is an error. */
- PEMerr(PEM_F_GET_HEADER_AND_DATA, PEM_R_BAD_END_LINE);
- goto err;
+ /*
+ * If previous line has been read only partially this newline is a
+ * regular newline at the end of a line and not an empty line.
+ */
+ if (!prev_partial_line_read) {
+ if (got_header == POST_HEADER) {
+ /* Another blank line is an error. */
+ PEMerr(PEM_F_GET_HEADER_AND_DATA, PEM_R_BAD_END_LINE);
+ goto err;
+ }
+ got_header = POST_HEADER;
+ tmp = *data;
}
- got_header = POST_HEADER;
- tmp = *data;
continue;
}
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
pem_password_cb *cb, void *u)
{
char pem_str[80];
+
+ if (x->ameth == NULL || x->ameth->old_priv_encode == NULL) {
+ PEMerr(PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL,
+ PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
+ return 0;
+ }
BIO_snprintf(pem_str, 80, "%s PRIVATE KEY", x->ameth->pem_str);
return PEM_ASN1_write_bio((i2d_of_void *)i2d_PrivateKey,
pem_str, bp, x, enc, kstr, klen, cb, u);
/*
- * Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
{
const unsigned char *p = *in;
unsigned int ret;
- ret = *p++;
- ret |= (*p++ << 8);
- ret |= (*p++ << 16);
- ret |= (*p++ << 24);
+ ret = (unsigned int)*p++;
+ ret |= (unsigned int)*p++ << 8;
+ ret |= (unsigned int)*p++ << 16;
+ ret |= (unsigned int)*p++ << 24;
*in = p;
return ret;
}
wrlen = BIO_write(out, tmp, outlen);
OPENSSL_free(tmp);
if (wrlen == outlen) {
- PEMerr(PEM_F_I2B_PVK_BIO, PEM_R_BIO_WRITE_FAILURE);
return outlen;
}
+ PEMerr(PEM_F_I2B_PVK_BIO, PEM_R_BIO_WRITE_FAILURE);
return -1;
}
/*
- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
char *ptr;
long len;
len = BIO_get_mem_data(indata, &ptr);
- tmpin = BIO_new_mem_buf(ptr, len);
+ tmpin = (len == 0) ? indata : BIO_new_mem_buf(ptr, len);
if (tmpin == NULL) {
PKCS7err(PKCS7_F_PKCS7_VERIFY, ERR_R_MALLOC_FAILURE);
goto err;
// forward "declarations" are required for Apple
.extern OPENSSL_armcap_P
+.hidden OPENSSL_armcap_P
+.globl poly1305_init
+.hidden poly1305_init
.globl poly1305_blocks
+.hidden poly1305_blocks
.globl poly1305_emit
+.hidden poly1305_emit
-.globl poly1305_init
.type poly1305_init,%function
.align 5
poly1305_init:
st1 {$ACC4}[0],[$ctx]
.Lno_data_neon:
- .inst 0xd50323bf // autiasp
ldr x29,[sp],#80
+ .inst 0xd50323bf // autiasp
ret
.size poly1305_blocks_neon,.-poly1305_blocks_neon
$avx = ($1>=2.09) + ($1>=2.10);
}
- if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([0-9]+\.[0-9]+)/) {
+ if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|based on LLVM) ([0-9]+\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0);
}
}
$avx = ($1>=10) + ($1>=12);
}
-if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
+if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0);
}
* Process a complete block using BCC algorithm of SP 800-90A 10.3.3
*/
__owur static int ctr_BCC_block(RAND_DRBG_CTR *ctr, unsigned char *out,
- const unsigned char *in)
+ const unsigned char *in, int len)
{
int i, outlen = AES_BLOCK_SIZE;
- for (i = 0; i < 16; i++)
+ for (i = 0; i < len; i++)
out[i] ^= in[i];
- if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, AES_BLOCK_SIZE)
- || outlen != AES_BLOCK_SIZE)
+ if (!EVP_CipherUpdate(ctr->ctx_df, out, &outlen, out, len)
+ || outlen != len)
return 0;
return 1;
}
*/
__owur static int ctr_BCC_blocks(RAND_DRBG_CTR *ctr, const unsigned char *in)
{
- if (!ctr_BCC_block(ctr, ctr->KX, in)
- || !ctr_BCC_block(ctr, ctr->KX + 16, in))
- return 0;
- if (ctr->keylen != 16 && !ctr_BCC_block(ctr, ctr->KX + 32, in))
- return 0;
- return 1;
+ unsigned char in_tmp[48];
+ unsigned char num_of_blk = 2;
+
+ memcpy(in_tmp, in, 16);
+ memcpy(in_tmp + 16, in, 16);
+ if (ctr->keylen != 16) {
+ memcpy(in_tmp + 32, in, 16);
+ num_of_blk = 3;
+ }
+ return ctr_BCC_block(ctr, ctr->KX, in_tmp, AES_BLOCK_SIZE * num_of_blk);
}
/*
*/
__owur static int ctr_BCC_init(RAND_DRBG_CTR *ctr)
{
+ unsigned char bltmp[48] = {0};
+ unsigned char num_of_blk;
+
memset(ctr->KX, 0, 48);
- memset(ctr->bltmp, 0, 16);
- if (!ctr_BCC_block(ctr, ctr->KX, ctr->bltmp))
- return 0;
- ctr->bltmp[3] = 1;
- if (!ctr_BCC_block(ctr, ctr->KX + 16, ctr->bltmp))
- return 0;
- if (ctr->keylen != 16) {
- ctr->bltmp[3] = 2;
- if (!ctr_BCC_block(ctr, ctr->KX + 32, ctr->bltmp))
- return 0;
- }
- return 1;
+ num_of_blk = ctr->keylen == 16 ? 2 : 3;
+ bltmp[(AES_BLOCK_SIZE * 1) + 3] = 1;
+ bltmp[(AES_BLOCK_SIZE * 2) + 3] = 2;
+ return ctr_BCC_block(ctr, ctr->KX, bltmp, num_of_blk * AES_BLOCK_SIZE);
}
/*
|| !ctr_BCC_final(ctr))
return 0;
/* Set up key K */
- if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->KX, NULL, 1))
+ if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->KX, NULL, -1))
return 0;
/* X follows key K */
- if (!EVP_CipherUpdate(ctr->ctx, ctr->KX, &outlen, ctr->KX + ctr->keylen,
+ if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX, &outlen, ctr->KX + ctr->keylen,
AES_BLOCK_SIZE)
|| outlen != AES_BLOCK_SIZE)
return 0;
- if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 16, &outlen, ctr->KX,
+ if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 16, &outlen, ctr->KX,
AES_BLOCK_SIZE)
|| outlen != AES_BLOCK_SIZE)
return 0;
if (ctr->keylen != 16)
- if (!EVP_CipherUpdate(ctr->ctx, ctr->KX + 32, &outlen, ctr->KX + 16,
- AES_BLOCK_SIZE)
+ if (!EVP_CipherUpdate(ctr->ctx_ecb, ctr->KX + 32, &outlen,
+ ctr->KX + 16, AES_BLOCK_SIZE)
|| outlen != AES_BLOCK_SIZE)
return 0;
return 1;
{
RAND_DRBG_CTR *ctr = &drbg->data.ctr;
int outlen = AES_BLOCK_SIZE;
+ unsigned char V_tmp[48], out[48];
+ unsigned char len;
/* correct key is already set up. */
+ memcpy(V_tmp, ctr->V, 16);
inc_128(ctr);
- if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outlen, ctr->V, AES_BLOCK_SIZE)
- || outlen != AES_BLOCK_SIZE)
- return 0;
-
- /* If keylen longer than 128 bits need extra encrypt */
- if (ctr->keylen != 16) {
+ memcpy(V_tmp + 16, ctr->V, 16);
+ if (ctr->keylen == 16) {
+ len = 32;
+ } else {
inc_128(ctr);
- if (!EVP_CipherUpdate(ctr->ctx, ctr->K+16, &outlen, ctr->V,
- AES_BLOCK_SIZE)
- || outlen != AES_BLOCK_SIZE)
- return 0;
+ memcpy(V_tmp + 32, ctr->V, 16);
+ len = 48;
}
- inc_128(ctr);
- if (!EVP_CipherUpdate(ctr->ctx, ctr->V, &outlen, ctr->V, AES_BLOCK_SIZE)
- || outlen != AES_BLOCK_SIZE)
+ if (!EVP_CipherUpdate(ctr->ctx_ecb, out, &outlen, V_tmp, len)
+ || outlen != len)
return 0;
-
- /* If 192 bit key part of V is on end of K */
- if (ctr->keylen == 24) {
- memcpy(ctr->V + 8, ctr->V, 8);
- memcpy(ctr->V, ctr->K + 24, 8);
- }
+ memcpy(ctr->K, out, ctr->keylen);
+ memcpy(ctr->V, out + ctr->keylen, 16);
if ((drbg->flags & RAND_DRBG_FLAG_CTR_NO_DF) == 0) {
/* If no input reuse existing derived value */
ctr_XOR(ctr, in2, in2len);
}
- if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
+ if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1)
+ || !EVP_CipherInit_ex(ctr->ctx_ctr, NULL, NULL, ctr->K, NULL, -1))
return 0;
return 1;
}
memset(ctr->K, 0, sizeof(ctr->K));
memset(ctr->V, 0, sizeof(ctr->V));
- if (!EVP_CipherInit_ex(ctr->ctx, ctr->cipher, NULL, ctr->K, NULL, 1))
+ if (!EVP_CipherInit_ex(ctr->ctx_ecb, NULL, NULL, ctr->K, NULL, -1))
return 0;
+
+ inc_128(ctr);
if (!ctr_update(drbg, entropy, entropylen, pers, perslen, nonce, noncelen))
return 0;
return 1;
const unsigned char *entropy, size_t entropylen,
const unsigned char *adin, size_t adinlen)
{
+ RAND_DRBG_CTR *ctr = &drbg->data.ctr;
+
if (entropy == NULL)
return 0;
+
+ inc_128(ctr);
if (!ctr_update(drbg, entropy, entropylen, adin, adinlen, NULL, 0))
return 0;
return 1;
}
+static void ctr96_inc(unsigned char *counter)
+{
+ u32 n = 12, c = 1;
+
+ do {
+ --n;
+ c += counter[n];
+ counter[n] = (u8)c;
+ c >>= 8;
+ } while (n);
+}
+
__owur static int drbg_ctr_generate(RAND_DRBG *drbg,
unsigned char *out, size_t outlen,
const unsigned char *adin, size_t adinlen)
{
RAND_DRBG_CTR *ctr = &drbg->data.ctr;
+ unsigned int ctr32, blocks;
+ int outl, buflen;
if (adin != NULL && adinlen != 0) {
+ inc_128(ctr);
+
if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
return 0;
/* This means we reuse derived value */
adinlen = 0;
}
- for ( ; ; ) {
- int outl = AES_BLOCK_SIZE;
+ inc_128(ctr);
+ if (outlen == 0) {
inc_128(ctr);
- if (outlen < 16) {
- /* Use K as temp space as it will be updated */
- if (!EVP_CipherUpdate(ctr->ctx, ctr->K, &outl, ctr->V,
- AES_BLOCK_SIZE)
- || outl != AES_BLOCK_SIZE)
- return 0;
- memcpy(out, ctr->K, outlen);
- break;
- }
- if (!EVP_CipherUpdate(ctr->ctx, out, &outl, ctr->V, AES_BLOCK_SIZE)
- || outl != AES_BLOCK_SIZE)
+
+ if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
return 0;
- out += 16;
- outlen -= 16;
- if (outlen == 0)
- break;
+ return 1;
}
+ memset(out, 0, outlen);
+
+ do {
+ if (!EVP_CipherInit_ex(ctr->ctx_ctr,
+ NULL, NULL, NULL, ctr->V, -1))
+ return 0;
+
+ /*-
+ * outlen has type size_t while EVP_CipherUpdate takes an
+ * int argument and thus cannot be guaranteed to process more
+ * than 2^31-1 bytes at a time. We process such huge generate
+ * requests in 2^30 byte chunks, which is the greatest multiple
+ * of AES block size lower than or equal to 2^31-1.
+ */
+ buflen = outlen > (1U << 30) ? (1U << 30) : outlen;
+ blocks = (buflen + 15) / 16;
+
+ ctr32 = GETU32(ctr->V + 12) + blocks;
+ if (ctr32 < blocks) {
+ /* 32-bit counter overflow into V. */
+ if (ctr32 != 0) {
+ blocks -= ctr32;
+ buflen = blocks * 16;
+ ctr32 = 0;
+ }
+ ctr96_inc(ctr->V);
+ }
+ PUTU32(ctr->V + 12, ctr32);
+
+ if (!EVP_CipherUpdate(ctr->ctx_ctr, out, &outl, out, buflen)
+ || outl != buflen)
+ return 0;
+
+ out += buflen;
+ outlen -= buflen;
+ } while (outlen);
+
if (!ctr_update(drbg, adin, adinlen, NULL, 0, NULL, 0))
return 0;
return 1;
static int drbg_ctr_uninstantiate(RAND_DRBG *drbg)
{
- EVP_CIPHER_CTX_free(drbg->data.ctr.ctx);
+ EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ecb);
+ EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_ctr);
EVP_CIPHER_CTX_free(drbg->data.ctr.ctx_df);
OPENSSL_cleanse(&drbg->data.ctr, sizeof(drbg->data.ctr));
return 1;
return 0;
case NID_aes_128_ctr:
keylen = 16;
- ctr->cipher = EVP_aes_128_ecb();
+ ctr->cipher_ecb = EVP_aes_128_ecb();
+ ctr->cipher_ctr = EVP_aes_128_ctr();
break;
case NID_aes_192_ctr:
keylen = 24;
- ctr->cipher = EVP_aes_192_ecb();
+ ctr->cipher_ecb = EVP_aes_192_ecb();
+ ctr->cipher_ctr = EVP_aes_192_ctr();
break;
case NID_aes_256_ctr:
keylen = 32;
- ctr->cipher = EVP_aes_256_ecb();
+ ctr->cipher_ecb = EVP_aes_256_ecb();
+ ctr->cipher_ctr = EVP_aes_256_ctr();
break;
}
drbg->meth = &drbg_ctr_meth;
ctr->keylen = keylen;
- if (ctr->ctx == NULL)
- ctr->ctx = EVP_CIPHER_CTX_new();
- if (ctr->ctx == NULL)
+ if (ctr->ctx_ecb == NULL)
+ ctr->ctx_ecb = EVP_CIPHER_CTX_new();
+ if (ctr->ctx_ctr == NULL)
+ ctr->ctx_ctr = EVP_CIPHER_CTX_new();
+ if (ctr->ctx_ecb == NULL || ctr->ctx_ctr == NULL
+ || !EVP_CipherInit_ex(ctr->ctx_ecb,
+ ctr->cipher_ecb, NULL, NULL, NULL, 1)
+ || !EVP_CipherInit_ex(ctr->ctx_ctr,
+ ctr->cipher_ctr, NULL, NULL, NULL, 1))
return 0;
+
+ drbg->meth = &drbg_ctr_meth;
drbg->strength = keylen * 8;
drbg->seedlen = keylen + 16;
if (ctr->ctx_df == NULL)
return 0;
/* Set key schedule for df_key */
- if (!EVP_CipherInit_ex(ctr->ctx_df, ctr->cipher, NULL, df_key, NULL, 1))
+ if (!EVP_CipherInit_ex(ctr->ctx_df,
+ ctr->cipher_ecb, NULL, df_key, NULL, 1))
return 0;
drbg->min_entropylen = ctr->keylen;
max_entropylen += drbg->max_noncelen;
}
- drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
- if (drbg->reseed_next_counter) {
- drbg->reseed_next_counter++;
- if(!drbg->reseed_next_counter)
- drbg->reseed_next_counter = 1;
- }
-
if (drbg->get_entropy != NULL)
entropylen = drbg->get_entropy(drbg, &entropy, min_entropy,
min_entropylen, max_entropylen, 0);
}
drbg->state = DRBG_READY;
- drbg->reseed_gen_counter = 1;
+ drbg->generate_counter = 1;
drbg->reseed_time = time(NULL);
- tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter);
+ if (drbg->enable_reseed_propagation) {
+ if (drbg->parent == NULL)
+ tsan_counter(&drbg->reseed_counter);
+ else
+ tsan_store(&drbg->reseed_counter,
+ tsan_load(&drbg->parent->reseed_counter));
+ }
end:
if (entropy != NULL && drbg->cleanup_entropy != NULL)
}
drbg->state = DRBG_ERROR;
-
- drbg->reseed_next_counter = tsan_load(&drbg->reseed_prop_counter);
- if (drbg->reseed_next_counter) {
- drbg->reseed_next_counter++;
- if(!drbg->reseed_next_counter)
- drbg->reseed_next_counter = 1;
- }
-
if (drbg->get_entropy != NULL)
entropylen = drbg->get_entropy(drbg, &entropy, drbg->strength,
drbg->min_entropylen,
goto end;
drbg->state = DRBG_READY;
- drbg->reseed_gen_counter = 1;
+ drbg->generate_counter = 1;
drbg->reseed_time = time(NULL);
- tsan_store(&drbg->reseed_prop_counter, drbg->reseed_next_counter);
+ if (drbg->enable_reseed_propagation) {
+ if (drbg->parent == NULL)
+ tsan_counter(&drbg->reseed_counter);
+ else
+ tsan_store(&drbg->reseed_counter,
+ tsan_load(&drbg->parent->reseed_counter));
+ }
end:
if (entropy != NULL && drbg->cleanup_entropy != NULL)
drbg->meth->reseed(drbg, adin, adinlen, NULL, 0);
} else if (reseeded == 0) {
/* do a full reseeding if it has not been done yet above */
- RAND_DRBG_reseed(drbg, NULL, 0, 0);
+ if (!RAND_DRBG_reseed(drbg, NULL, 0, 0)) {
+ RANDerr(RAND_F_RAND_DRBG_RESTART, RAND_R_RESEED_ERROR);
+ }
}
}
}
if (drbg->reseed_interval > 0) {
- if (drbg->reseed_gen_counter >= drbg->reseed_interval)
+ if (drbg->generate_counter >= drbg->reseed_interval)
reseed_required = 1;
}
if (drbg->reseed_time_interval > 0) {
|| now - drbg->reseed_time >= drbg->reseed_time_interval)
reseed_required = 1;
}
- if (drbg->parent != NULL) {
- unsigned int reseed_counter = tsan_load(&drbg->reseed_prop_counter);
- if (reseed_counter > 0
- && tsan_load(&drbg->parent->reseed_prop_counter)
- != reseed_counter)
+ if (drbg->enable_reseed_propagation && drbg->parent != NULL) {
+ if (drbg->reseed_counter != tsan_load(&drbg->parent->reseed_counter))
reseed_required = 1;
}
return 0;
}
- drbg->reseed_gen_counter++;
+ drbg->generate_counter++;
return 1;
}
RAND_DRBG_get_nonce_fn get_nonce,
RAND_DRBG_cleanup_nonce_fn cleanup_nonce)
{
- if (drbg->state != DRBG_UNINITIALISED
- || drbg->parent != NULL)
+ if (drbg->state != DRBG_UNINITIALISED)
return 0;
drbg->get_entropy = get_entropy;
drbg->cleanup_entropy = cleanup_entropy;
if (parent == NULL && rand_drbg_enable_locking(drbg) == 0)
goto err;
- /* enable seed propagation */
- tsan_store(&drbg->reseed_prop_counter, 1);
+ /* enable reseed propagation */
+ drbg->enable_reseed_propagation = 1;
+ drbg->reseed_counter = 1;
/*
* Ignore instantiation error to support just-in-time instantiation.
prediction_resistance,
(unsigned char *)&drbg, sizeof(drbg)) != 0)
bytes = bytes_needed;
- drbg->reseed_next_counter
- = tsan_load(&drbg->parent->reseed_prop_counter);
rand_drbg_unlock(drbg->parent);
rand_pool_add_end(pool, bytes, 8 * bytes);
* The state of a DRBG AES-CTR.
*/
typedef struct rand_drbg_ctr_st {
- EVP_CIPHER_CTX *ctx;
+ EVP_CIPHER_CTX *ctx_ecb;
+ EVP_CIPHER_CTX *ctx_ctr;
EVP_CIPHER_CTX *ctx_df;
- const EVP_CIPHER *cipher;
+ const EVP_CIPHER *cipher_ecb;
+ const EVP_CIPHER *cipher_ctr;
size_t keylen;
unsigned char K[32];
unsigned char V[16];
size_t max_perslen, max_adinlen;
/* Counts the number of generate requests since the last reseed. */
- unsigned int reseed_gen_counter;
+ unsigned int generate_counter;
/*
* Maximum number of generate requests until a reseed is required.
* This value is ignored if it is zero.
* This value is ignored if it is zero.
*/
time_t reseed_time_interval;
+
+ /*
+ * Enables reseed propagation (see following comment)
+ */
+ unsigned int enable_reseed_propagation;
+
/*
* Counts the number of reseeds since instantiation.
- * This value is ignored if it is zero.
+ * This value is ignored if enable_reseed_propagation is zero.
*
* This counter is used only for seed propagation from the <master> DRBG
* to its two children, the <public> and <private> DRBG. This feature is
* is added by RAND_add() or RAND_seed() will have an immediate effect on
* the output of RAND_bytes() resp. RAND_priv_bytes().
*/
- TSAN_QUALIFIER unsigned int reseed_prop_counter;
- unsigned int reseed_next_counter;
+ TSAN_QUALIFIER unsigned int reseed_counter;
size_t seedlen;
DRBG_STATUS state;
# include <sys/utsname.h>
# endif
#endif
-#if defined(__FreeBSD__) && !defined(OPENSSL_SYS_UEFI)
+#if (defined(__FreeBSD__) || defined(__NetBSD__)) && !defined(OPENSSL_SYS_UEFI)
# include <sys/types.h>
# include <sys/sysctl.h>
# include <sys/param.h>
#endif
-#if defined(__OpenBSD__) || defined(__NetBSD__)
+#if defined(__OpenBSD__)
# include <sys/param.h>
#endif
* when the sysctl returns long and we want to request something not a
* multiple of longs, which should never be the case.
*/
+#if defined(__FreeBSD__)
if (!ossl_assert(buflen % sizeof(long) == 0)) {
errno = EINVAL;
return -1;
}
+#endif
/*
* On NetBSD before 4.0 KERN_ARND was an alias for KERN_URND, and only
mib[1] = KERN_ARND;
do {
- len = buflen;
+ len = buflen > 256 ? 256 : buflen;
if (sysctl(mib, 2, buf, &len, NULL, 0) == -1)
return done > 0 ? done : -1;
done += len;
* - OpenBSD since 5.6
* - Linux since 3.17 with glibc 2.25
* - FreeBSD since 12.0 (1200061)
+ *
+ * Note: Sometimes getentropy() can be provided but not implemented
+ * internally. So we need to check errno for ENOSYS
*/
# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux)
extern int getentropy(void *buffer, size_t length) __attribute__((weak));
- if (getentropy != NULL)
- return getentropy(buf, buflen) == 0 ? (ssize_t)buflen : -1;
+ if (getentropy != NULL) {
+ if (getentropy(buf, buflen) == 0)
+ return (ssize_t)buflen;
+ if (errno != ENOSYS)
+ return -1;
+ }
# else
union {
void *p;
} random_devices[OSSL_NELEM(random_device_paths)];
static int keep_random_devices_open = 1;
-# if defined(__linux) && defined(DEVRANDOM_WAIT)
+# if defined(__linux) && defined(DEVRANDOM_WAIT) \
+ && defined(OPENSSL_RAND_SEED_GETRANDOM)
static void *shm_addr;
static void cleanup_shm(void)
}
return seeded;
}
-# else /* defined __linux */
+# else /* defined __linux && DEVRANDOM_WAIT && OPENSSL_RAND_SEED_GETRANDOM */
static int wait_random_seeded(void)
{
return 1;
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#ifndef OPENSSL_NO_POSIX_IO
# include <sys/stat.h>
# include <fcntl.h>
-# ifdef _WIN32
+# if defined(_WIN32) && !defined(_WIN32_WCE)
# include <windows.h>
# include <io.h>
# define stat _stat
/*
- * Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
static int rsa_pub_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
{
+ /*
+ * Don't check the public/private key, this is mostly for smart
+ * cards.
+ */
+ if (((RSA_flags(a->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK))
+ || (RSA_flags(b->pkey.rsa) & RSA_METHOD_FLAG_NO_CHECK)) {
+ return 1;
+ }
+
if (BN_cmp(b->pkey.rsa->n, a->pkey.rsa->n) != 0
|| BN_cmp(b->pkey.rsa->e, a->pkey.rsa->e) != 0)
return 0;
`ml 2>&1` =~ /Version ([0-9]+)\./ &&
$1>=10); # first version supporting AVX
-$ymm=1 if ($xmm && !$ymm && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([0-9]+\.[0-9]+)/ &&
+$ymm=1 if ($xmm && !$ymm && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|based on LLVM) ([0-9]+\.[0-9]+)/ &&
$2>=3.0); # first version supporting AVX
$shaext=$xmm; ### set to zero if compiling for 1.0.1
.text
.extern OPENSSL_armcap_P
+.hidden OPENSSL_armcap_P
.globl sha1_block_data_order
.type sha1_block_data_order,%function
.align 6
#endif
.asciz "SHA1 block transform for ARMv8, CRYPTOGAMS by <appro\@openssl.org>"
.align 2
-.comm OPENSSL_armcap_P,4,4
___
}}}
$avx = ($1>=10) + ($1>=11);
}
-if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
+if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0);
}
$avx = ($1>=10) + ($1>=11);
}
-if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
+if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0);
}
$avx = ($1>=10) + ($1>=11);
}
-if ($xmm && !$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|based on LLVM) ([0-9]+\.[0-9]+)/) {
+if ($xmm && !$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|based on LLVM) ([0-9]+\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0);
}
$avx = ($1>=10) + ($1>=11);
}
-if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
+if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0);
}
.text
.extern OPENSSL_armcap_P
+.hidden OPENSSL_armcap_P
.globl $func
.type $func,%function
.align 6
___
}
-$code.=<<___;
-#ifndef __KERNEL__
-.comm OPENSSL_armcap_P,4,4
-#endif
-___
-
{ my %opcode = (
"sha256h" => 0x5e004000, "sha256h2" => 0x5e005000,
"sha256su0" => 0x5e282800, "sha256su1" => 0x5e006000 );
$avx = ($1>=10) + ($1>=11);
}
-if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:^clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
+if (!$avx && `$ENV{CC} -v 2>&1` =~ /((?:clang|LLVM) version|.*based on LLVM) ([0-9]+\.[0-9]+)/) {
$avx = ($2>=3.0) + ($2>3.0);
}
/*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
}
} else {
int i;
+#ifndef OPENSSL_NO_ENGINE
+ ENGINE *curengine = ENGINE_get_first();
+
+ while (curengine != NULL) {
+ ENGINE_PKEY_ASN1_METHS_PTR asn1meths =
+ ENGINE_get_pkey_asn1_meths(curengine);
+
+ if (asn1meths != NULL) {
+ const int *nids = NULL;
+ int nids_n = asn1meths(curengine, NULL, &nids, 0);
+
+ for (i = 0; i < nids_n; i++) {
+ EVP_PKEY_ASN1_METHOD *ameth2 = NULL;
+ EVP_PKEY *tmp_pkey = NULL;
+ const unsigned char *tmp_blob = blob;
+
+ if (!asn1meths(curengine, &ameth2, NULL, nids[i]))
+ continue;
+ if (ameth2 == NULL
+ || ameth2->pkey_flags & ASN1_PKEY_ALIAS)
+ continue;
+
+ tmp_pkey = d2i_PrivateKey(ameth2->pkey_id, NULL,
+ &tmp_blob, len);
+ if (tmp_pkey != NULL) {
+ if (pkey != NULL)
+ EVP_PKEY_free(tmp_pkey);
+ else
+ pkey = tmp_pkey;
+ (*matchcount)++;
+ }
+ }
+ }
+ curengine = ENGINE_get_next(curengine);
+ }
+#endif
for (i = 0; i < EVP_PKEY_asn1_get_count(); i++) {
EVP_PKEY *tmp_pkey = NULL;
/*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
int OSSL_STORE_close(OSSL_STORE_CTX *ctx)
{
- int loader_ret = ctx->loader->close(ctx->loader_ctx);
+ int loader_ret;
+
+ if (ctx == NULL)
+ return 1;
+ loader_ret = ctx->loader->close(ctx->loader_ctx);
OPENSSL_free(ctx);
return loader_ret;
goto err;
if (!ASN1_INTEGER_set(serial, 1))
goto err;
+
return serial;
err:
TSerr(TS_F_DEF_SERIAL_CB, ERR_R_MALLOC_FAILURE);
TS_RESP_CTX_set_status_info(ctx, TS_STATUS_REJECTION,
"Error during serial number generation.");
+ ASN1_INTEGER_free(serial);
return NULL;
}
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
is_a_tty = 0;
else
# endif
+# ifdef EPERM
+ /*
+ * Linux can return EPERM (Operation not permitted),
+ * e.g. if a daemon executes openssl via fork()+execve()
+ * This should be ok
+ */
+ if (errno == EPERM)
+ is_a_tty = 0;
+ else
+# endif
# ifdef ENODEV
/*
* MacOS X returns ENODEV (Operation not supported by device),
/*
- * Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
# undef STRICT_ALIGNMENT
#endif
+#ifndef STRICT_ALIGNMENT
+# ifdef __GNUC__
+typedef u64 u64_a1 __attribute((__aligned__(1)));
+# else
+typedef u64 u64_a1;
+# endif
+#endif
+
+#if defined(__GNUC__) && !defined(STRICT_ALIGNMENT)
+typedef u64 u64_aX __attribute((__aligned__(1)));
+#else
+typedef u64 u64_aX;
+#endif
+
#undef SMALL_REGISTER_BANK
#if defined(__i386) || defined(__i386__) || defined(_M_IX86)
# define SMALL_REGISTER_BANK
# define LL(c0,c1,c2,c3,c4,c5,c6,c7) c0,c1,c2,c3,c4,c5,c6,c7, \
c0,c1,c2,c3,c4,c5,c6,c7
# define C0(K,i) (((u64*)(Cx.c+0))[2*K.c[(i)*8+0]])
-# define C1(K,i) (((u64*)(Cx.c+7))[2*K.c[(i)*8+1]])
-# define C2(K,i) (((u64*)(Cx.c+6))[2*K.c[(i)*8+2]])
-# define C3(K,i) (((u64*)(Cx.c+5))[2*K.c[(i)*8+3]])
-# define C4(K,i) (((u64*)(Cx.c+4))[2*K.c[(i)*8+4]])
-# define C5(K,i) (((u64*)(Cx.c+3))[2*K.c[(i)*8+5]])
-# define C6(K,i) (((u64*)(Cx.c+2))[2*K.c[(i)*8+6]])
-# define C7(K,i) (((u64*)(Cx.c+1))[2*K.c[(i)*8+7]])
+# define C1(K,i) (((u64_a1*)(Cx.c+7))[2*K.c[(i)*8+1]])
+# define C2(K,i) (((u64_a1*)(Cx.c+6))[2*K.c[(i)*8+2]])
+# define C3(K,i) (((u64_a1*)(Cx.c+5))[2*K.c[(i)*8+3]])
+# define C4(K,i) (((u64_a1*)(Cx.c+4))[2*K.c[(i)*8+4]])
+# define C5(K,i) (((u64_a1*)(Cx.c+3))[2*K.c[(i)*8+5]])
+# define C6(K,i) (((u64_a1*)(Cx.c+2))[2*K.c[(i)*8+6]])
+# define C7(K,i) (((u64_a1*)(Cx.c+1))[2*K.c[(i)*8+7]])
#endif
static const
} else
# endif
{
- const u64 *pa = (const u64 *)p;
+ const u64_aX *pa = (const u64_aX *)p;
S.q[0] = (K.q[0] = H->q[0]) ^ pa[0];
S.q[1] = (K.q[1] = H->q[1]) ^ pa[1];
S.q[2] = (K.q[2] = H->q[2]) ^ pa[2];
} else
# endif
{
- const u64 *pa = (const u64 *)p;
+ const u64_aX *pa = (const u64_aX *)p;
H->q[0] ^= S.q[0] ^ pa[0];
H->q[1] ^= S.q[1] ^ pa[1];
H->q[2] ^= S.q[2] ^ pa[2];
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
return ret;
}
-void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x,
+void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x,
const ASN1_OBJECT *obj, int lastpos, int type)
{
int i;
{
int rv;
+ if (a == b) /* for efficiency */
+ return 0;
/* ensure hash is valid */
if (X509_check_purpose((X509 *)a, -1, 0) != 1)
return -2;
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
{ERR_PACK(ERR_LIB_X509, X509_F_X509_PRINT_EX_FP, 0), "X509_print_ex_fp"},
{ERR_PACK(ERR_LIB_X509, X509_F_X509_PUBKEY_DECODE, 0),
"x509_pubkey_decode"},
+ {ERR_PACK(ERR_LIB_X509, X509_F_X509_PUBKEY_GET, 0), "X509_PUBKEY_get"},
{ERR_PACK(ERR_LIB_X509, X509_F_X509_PUBKEY_GET0, 0), "X509_PUBKEY_get0"},
{ERR_PACK(ERR_LIB_X509, X509_F_X509_PUBKEY_SET, 0), "X509_PUBKEY_set"},
{ERR_PACK(ERR_LIB_X509, X509_F_X509_REQ_CHECK_PRIVATE_KEY, 0),
/*
- * Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
void x509_set_signature_info(X509_SIG_INFO *siginf, const X509_ALGOR *alg,
const ASN1_STRING *sig);
+int x509_likely_issued(X509 *issuer, X509 *subject);
+int x509_signing_allowed(const X509 *issuer, const X509 *subject);
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
*palg = &req->sig_alg;
}
+void X509_REQ_set0_signature(X509_REQ *req, ASN1_BIT_STRING *psig)
+{
+ if (req->signature)
+ ASN1_BIT_STRING_free(req->signature);
+ req->signature = psig;
+}
+
+int X509_REQ_set1_signature_algo(X509_REQ *req, X509_ALGOR *palg)
+{
+ return X509_ALGOR_copy(&req->sig_alg, palg);
+}
+
int X509_REQ_get_signature_nid(const X509_REQ *req)
{
return OBJ_obj2nid(req->sig_alg.algorithm);
/*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
return "OCSP verification failed";
case X509_V_ERR_OCSP_CERT_UNKNOWN:
return "OCSP unknown cert";
+ case X509_V_ERR_EC_KEY_EXPLICIT_PARAMS:
+ return "Certificate public key has explicit ECC parameters";
default:
/* Printing an error number into a static buffer is not thread-safe */
static int check_dane_issuer(X509_STORE_CTX *ctx, int depth);
static int check_key_level(X509_STORE_CTX *ctx, X509 *cert);
static int check_sig_level(X509_STORE_CTX *ctx, X509 *cert);
+static int check_curve(X509 *cert);
static int get_crl_score(X509_STORE_CTX *ctx, X509 **pissuer,
unsigned int *preasons, X509_CRL *crl, X509 *x);
return ok;
}
-/* Return 1 is a certificate is self signed */
+/*
+ * Return 1 if given cert is considered self-signed, 0 if not or on error.
+ * This does not verify self-signedness but relies on x509v3_cache_extensions()
+ * matching issuer and subject names (i.e., the cert being self-issued) and any
+ * present authority key identifier matching the subject key identifier, etc.
+ */
static int cert_self_signed(X509 *x)
{
if (X509_check_purpose(x, -1, 0) != 1)
xtmp = sk_X509_value(certs, i);
if (!X509_cmp(xtmp, x))
break;
+ xtmp = NULL;
}
- if (i < sk_X509_num(certs))
- X509_up_ref(xtmp);
- else
+ if (xtmp != NULL && !X509_up_ref(xtmp))
xtmp = NULL;
sk_X509_pop_free(certs, X509_free);
return xtmp;
return -1;
}
+ if (!X509_up_ref(ctx->cert)) {
+ X509err(X509_F_X509_VERIFY_CERT, ERR_R_INTERNAL_ERROR);
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return -1;
+ }
+
/*
* first we make sure the chain we are going to build is present and that
* the first entry is in place
*/
- if (((ctx->chain = sk_X509_new_null()) == NULL) ||
- (!sk_X509_push(ctx->chain, ctx->cert))) {
+ if ((ctx->chain = sk_X509_new_null()) == NULL
+ || !sk_X509_push(ctx->chain, ctx->cert)) {
+ X509_free(ctx->cert);
X509err(X509_F_X509_VERIFY_CERT, ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
return -1;
}
- X509_up_ref(ctx->cert);
+
ctx->num_untrusted = 1;
/* If the peer's public key is too weak, we can stop early. */
return ret;
}
+static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert)
+{
+ int i, n = sk_X509_num(sk);
+
+ for (i = 0; i < n; i++)
+ if (X509_cmp(sk_X509_value(sk, i), cert) == 0)
+ return 1;
+ return 0;
+}
+
/*
- * Given a STACK_OF(X509) find the issuer of cert (if any)
+ * Find in given STACK_OF(X509) sk a non-expired issuer cert (if any) of given cert x.
+ * The issuer must not be the same as x and must not yet be in ctx->chain, where the
+ * exceptional case x is self-issued and ctx->chain has just one element is allowed.
*/
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{
for (i = 0; i < sk_X509_num(sk); i++) {
issuer = sk_X509_value(sk, i);
- if (ctx->check_issued(ctx, x, issuer)) {
+ /*
+ * Below check 'issuer != x' is an optimization and safety precaution:
+ * Candidate issuer cert cannot be the same as the subject cert 'x'.
+ */
+ if (issuer != x && ctx->check_issued(ctx, x, issuer)
+ && (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1)
+ || !sk_X509_contains(ctx->chain, issuer))) {
rv = issuer;
if (x509_check_cert_time(ctx, rv, -1))
break;
return rv;
}
-/* Given a possible certificate and issuer check them */
-
+/* Check that the given certificate 'x' is issued by the certificate 'issuer' */
static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
{
- int ret;
- if (x == issuer)
- return cert_self_signed(x);
- ret = X509_check_issued(issuer, x);
- if (ret == X509_V_OK) {
- int i;
- X509 *ch;
- /* Special case: single self signed certificate */
- if (cert_self_signed(x) && sk_X509_num(ctx->chain) == 1)
- return 1;
- for (i = 0; i < sk_X509_num(ctx->chain); i++) {
- ch = sk_X509_value(ctx->chain, i);
- if (ch == issuer || !X509_cmp(ch, issuer)) {
- ret = X509_V_ERR_PATH_LOOP;
- break;
- }
- }
- }
-
- return (ret == X509_V_OK);
+ return x509_likely_issued(issuer, x) == X509_V_OK;
}
/* Alternative lookup method: look from a STACK stored in other_ctx */
-
static int get_issuer_sk(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
{
*issuer = find_issuer(ctx, ctx->other_ctx, x);
- if (*issuer) {
- X509_up_ref(*issuer);
- return 1;
- } else
- return 0;
+
+ if (*issuer == NULL || !X509_up_ref(*issuer))
+ goto err;
+
+ return 1;
+
+ err:
+ *issuer = NULL;
+ return 0;
}
static STACK_OF(X509) *lookup_certs_sk(X509_STORE_CTX *ctx, X509_NAME *nm)
for (i = 0; i < sk_X509_num(ctx->other_ctx); i++) {
x = sk_X509_value(ctx->other_ctx, i);
if (X509_NAME_cmp(nm, X509_get_subject_name(x)) == 0) {
+ if (!X509_up_ref(x)) {
+ sk_X509_pop_free(sk, X509_free);
+ X509err(X509_F_LOOKUP_CERTS_SK, ERR_R_INTERNAL_ERROR);
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ return NULL;
+ }
if (sk == NULL)
sk = sk_X509_new_null();
- if (sk == NULL || sk_X509_push(sk, x) == 0) {
+ if (sk == NULL || !sk_X509_push(sk, x)) {
+ X509_free(x);
sk_X509_pop_free(sk, X509_free);
X509err(X509_F_LOOKUP_CERTS_SK, ERR_R_MALLOC_FAILURE);
ctx->error = X509_V_ERR_OUT_OF_MEM;
return NULL;
}
- X509_up_ref(x);
}
}
return sk;
ret = 1;
break;
}
+ if ((ctx->param->flags & X509_V_FLAG_X509_STRICT) && num > 1) {
+ /* Check for presence of explicit elliptic curve parameters */
+ ret = check_curve(x);
+ if (ret < 0)
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ else if (ret == 0)
+ ctx->error = X509_V_ERR_EC_KEY_EXPLICIT_PARAMS;
+ }
if ((x->ex_flags & EXFLAG_CA) == 0
&& x->ex_pathlen != -1
&& (ctx->param->flags & X509_V_FLAG_X509_STRICT)) {
return 1;
}
+/* verify the issuer signatures and cert times of ctx->chain */
static int internal_verify(X509_STORE_CTX *ctx)
{
int n = sk_X509_num(ctx->chain) - 1;
if (ctx->bare_ta_signed) {
xs = xi;
xi = NULL;
- goto check_cert;
+ goto check_cert_time;
}
if (ctx->check_issued(ctx, xi, xi))
- xs = xi;
+ xs = xi; /* the typical case: last cert in the chain is self-issued */
else {
if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
xs = xi;
- goto check_cert;
+ goto check_cert_time;
+ }
+ if (n <= 0) {
+ if (!verify_cb_cert(ctx, xi, 0,
+ X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE))
+ return 0;
+
+ xs = xi;
+ goto check_cert_time;
}
- if (n <= 0)
- return verify_cb_cert(ctx, xi, 0,
- X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE);
+
n--;
ctx->error_depth = n;
xs = sk_X509_value(ctx->chain, n);
* is allowed to reset errors (at its own peril).
*/
while (n >= 0) {
- EVP_PKEY *pkey;
-
/*
- * Skip signature check for self signed certificates unless explicitly
- * asked for. It doesn't add any security and just wastes time. If
- * the issuer's public key is unusable, report the issuer certificate
- * and its depth (rather than the depth of the subject).
+ * For each iteration of this loop:
+ * n is the subject depth
+ * xs is the subject cert, for which the signature is to be checked
+ * xi is the supposed issuer cert containing the public key to use
+ * Initially xs == xi if the last cert in the chain is self-issued.
+ *
+ * Skip signature check for self-signed certificates unless explicitly
+ * asked for because it does not add any security and just wastes time.
*/
- if (xs != xi || (ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)) {
+ if (xs != xi || ((ctx->param->flags & X509_V_FLAG_CHECK_SS_SIGNATURE)
+ && (xi->ex_flags & EXFLAG_SS) != 0)) {
+ EVP_PKEY *pkey;
+ /*
+ * If the issuer's public key is not available or its key usage
+ * does not support issuing the subject cert, report the issuer
+ * cert and its depth (rather than n, the depth of the subject).
+ */
+ int issuer_depth = n + (xs == xi ? 0 : 1);
+ /*
+ * According to https://tools.ietf.org/html/rfc5280#section-6.1.4
+ * step (n) we must check any given key usage extension in a CA cert
+ * when preparing the verification of a certificate issued by it.
+ * According to https://tools.ietf.org/html/rfc5280#section-4.2.1.3
+ * we must not verify a certifiate signature if the key usage of the
+ * CA certificate that issued the certificate prohibits signing.
+ * In case the 'issuing' certificate is the last in the chain and is
+ * not a CA certificate but a 'self-issued' end-entity cert (i.e.,
+ * xs == xi && !(xi->ex_flags & EXFLAG_CA)) RFC 5280 does not apply
+ * (see https://tools.ietf.org/html/rfc6818#section-2) and thus
+ * we are free to ignore any key usage restrictions on such certs.
+ */
+ int ret = xs == xi && (xi->ex_flags & EXFLAG_CA) == 0
+ ? X509_V_OK : x509_signing_allowed(xi, xs);
+
+ if (ret != X509_V_OK && !verify_cb_cert(ctx, xi, issuer_depth, ret))
+ return 0;
if ((pkey = X509_get0_pubkey(xi)) == NULL) {
- if (!verify_cb_cert(ctx, xi, xi != xs ? n+1 : n,
- X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY))
+ ret = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
+ if (!verify_cb_cert(ctx, xi, issuer_depth, ret))
return 0;
} else if (X509_verify(xs, pkey) <= 0) {
- if (!verify_cb_cert(ctx, xs, n,
- X509_V_ERR_CERT_SIGNATURE_FAILURE))
+ ret = X509_V_ERR_CERT_SIGNATURE_FAILURE;
+ if (!verify_cb_cert(ctx, xs, n, ret))
return 0;
}
}
- check_cert:
+ check_cert_time: /* in addition to RFC 5280, do also for trusted (root) cert */
/* Calls verify callback as needed */
if (!x509_check_cert_time(ctx, xs, n))
return 0;
/* Drop this issuer from future consideration */
(void) sk_X509_delete_ptr(sktmp, xtmp);
+ if (!X509_up_ref(xtmp)) {
+ X509err(X509_F_BUILD_CHAIN, ERR_R_INTERNAL_ERROR);
+ trust = X509_TRUST_REJECTED;
+ ctx->error = X509_V_ERR_UNSPECIFIED;
+ search = 0;
+ continue;
+ }
+
if (!sk_X509_push(ctx->chain, xtmp)) {
+ X509_free(xtmp);
X509err(X509_F_BUILD_CHAIN, ERR_R_MALLOC_FAILURE);
trust = X509_TRUST_REJECTED;
ctx->error = X509_V_ERR_OUT_OF_MEM;
continue;
}
- X509_up_ref(x = xtmp);
+ x = xtmp;
++ctx->num_untrusted;
ss = cert_self_signed(xtmp);
}
/*
+ * Check whether the public key of ``cert`` does not use explicit params
+ * for an elliptic curve.
+ *
+ * Returns 1 on success, 0 if check fails, -1 for other errors.
+ */
+static int check_curve(X509 *cert)
+{
+#ifndef OPENSSL_NO_EC
+ EVP_PKEY *pkey = X509_get0_pubkey(cert);
+
+ /* Unsupported or malformed key */
+ if (pkey == NULL)
+ return -1;
+
+ if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
+ int ret;
+
+ ret = EC_KEY_decoded_from_explicit_params(EVP_PKEY_get0_EC_KEY(pkey));
+ return ret < 0 ? ret : !ret;
+ }
+#endif
+
+ return 1;
+}
+
+/*
* Check whether the signature digest algorithm of ``cert`` meets the security
* level of ``ctx``. Should not be checked for trust anchors (whether
* self-signed or otherwise).
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
{
EVP_PKEY *ret = X509_PUBKEY_get0(key);
- if (ret != NULL)
- EVP_PKEY_up_ref(ret);
+
+ if (ret != NULL && !EVP_PKEY_up_ref(ret)) {
+ X509err(X509_F_X509_PUBKEY_GET, ERR_R_INTERNAL_ERROR);
+ ret = NULL;
+ }
return ret;
}
/*
- * Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
ret = OPENSSL_zalloc(sizeof(*ret));
if (ret == NULL) {
X509V3err(X509V3_F_POLICY_DATA_NEW, ERR_R_MALLOC_FAILURE);
+ ASN1_OBJECT_free(id);
return NULL;
}
ret->expected_policy_set = sk_ASN1_OBJECT_new_null();
/*
- * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
num = sk_GENERAL_NAME_num(ialt);
if (!sk_GENERAL_NAME_reserve(gens, num)) {
X509V3err(X509V3_F_COPY_ISSUER, ERR_R_MALLOC_FAILURE);
+ sk_GENERAL_NAME_free(ialt);
goto err;
}
/*
- * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
IMPLEMENT_ASN1_FUNCTIONS(OTHERNAME)
ASN1_SEQUENCE(EDIPARTYNAME) = {
- ASN1_IMP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
- ASN1_IMP_OPT(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
+ /* DirectoryString is a CHOICE type so use explicit tagging */
+ ASN1_EXP_OPT(EDIPARTYNAME, nameAssigner, DIRECTORYSTRING, 0),
+ ASN1_EXP(EDIPARTYNAME, partyName, DIRECTORYSTRING, 1)
} ASN1_SEQUENCE_END(EDIPARTYNAME)
IMPLEMENT_ASN1_FUNCTIONS(EDIPARTYNAME)
(char *)a);
}
+static int edipartyname_cmp(const EDIPARTYNAME *a, const EDIPARTYNAME *b)
+{
+ int res;
+
+ if (a == NULL || b == NULL) {
+ /*
+ * Shouldn't be possible in a valid GENERAL_NAME, but we handle it
+ * anyway. OTHERNAME_cmp treats NULL != NULL so we do the same here
+ */
+ return -1;
+ }
+ if (a->nameAssigner == NULL && b->nameAssigner != NULL)
+ return -1;
+ if (a->nameAssigner != NULL && b->nameAssigner == NULL)
+ return 1;
+ /* If we get here then both have nameAssigner set, or both unset */
+ if (a->nameAssigner != NULL) {
+ res = ASN1_STRING_cmp(a->nameAssigner, b->nameAssigner);
+ if (res != 0)
+ return res;
+ }
+ /*
+ * partyName is required, so these should never be NULL. We treat it in
+ * the same way as the a == NULL || b == NULL case above
+ */
+ if (a->partyName == NULL || b->partyName == NULL)
+ return -1;
+
+ return ASN1_STRING_cmp(a->partyName, b->partyName);
+}
+
/* Returns 0 if they are equal, != 0 otherwise. */
int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
{
return -1;
switch (a->type) {
case GEN_X400:
+ result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
+ break;
+
case GEN_EDIPARTY:
- result = ASN1_TYPE_cmp(a->d.other, b->d.other);
+ result = edipartyname_cmp(a->d.ediPartyName, b->d.ediPartyName);
break;
case GEN_OTHERNAME:
{
switch (type) {
case GEN_X400:
+ a->d.x400Address = value;
+ break;
+
case GEN_EDIPARTY:
- a->d.other = value;
+ a->d.ediPartyName = value;
break;
case GEN_OTHERNAME:
*ptype = a->type;
switch (a->type) {
case GEN_X400:
+ return a->d.x400Address;
+
case GEN_EDIPARTY:
- return a->d.other;
+ return a->d.ediPartyName;
case GEN_OTHERNAME:
return a->d.otherName;
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#include "crypto/x509.h"
+#include "../x509/x509_local.h" /* for x509_signing_allowed() */
#include "internal/tsan_assist.h"
static void x509v3_cache_extensions(X509 *x);
return 1;
}
+/* Check that issuer public key algorithm matches subject signature algorithm */
+static int check_sig_alg_match(const EVP_PKEY *pkey, const X509 *subject)
+{
+ int pkey_nid;
+
+ if (pkey == NULL)
+ return X509_V_ERR_NO_ISSUER_PUBLIC_KEY;
+ if (OBJ_find_sigid_algs(OBJ_obj2nid(subject->cert_info.signature.algorithm),
+ NULL, &pkey_nid) == 0)
+ return X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM;
+ if (EVP_PKEY_type(pkey_nid) != EVP_PKEY_base_id(pkey))
+ return X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH;
+ return X509_V_OK;
+}
+
#define V1_ROOT (EXFLAG_V1|EXFLAG_SS)
#define ku_reject(x, usage) \
(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
x->ex_flags |= EXFLAG_INVALID;
/* Does subject name match issuer ? */
if (!X509_NAME_cmp(X509_get_subject_name(x), X509_get_issuer_name(x))) {
- x->ex_flags |= EXFLAG_SI;
- /* If SKID matches AKID also indicate self signed */
- if (X509_check_akid(x, x->akid) == X509_V_OK &&
- !ku_reject(x, KU_KEY_CERT_SIGN))
- x->ex_flags |= EXFLAG_SS;
+ x->ex_flags |= EXFLAG_SI; /* cert is self-issued */
+ if (X509_check_akid(x, x->akid) == X509_V_OK /* SKID matches AKID */
+ /* .. and the signature alg matches the PUBKEY alg: */
+ && check_sig_alg_match(X509_get0_pubkey(x), x) == X509_V_OK)
+ x->ex_flags |= EXFLAG_SS; /* indicate self-signed */
}
x->altname = X509_get_ext_d2i(x, NID_subject_alt_name, &i, NULL);
if (x->altname == NULL && i != -1)
}
/*-
+ * Check if certificate I<issuer> is allowed to issue certificate I<subject>
+ * according to the B<keyUsage> field of I<issuer> if present
+ * depending on any proxyCertInfo extension of I<subject>.
+ * Returns 0 for OK, or positive for reason for rejection
+ * where reason codes match those for X509_verify_cert().
+ */
+int x509_signing_allowed(const X509 *issuer, const X509 *subject)
+{
+ if (subject->ex_flags & EXFLAG_PROXY) {
+ if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
+ return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
+ } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
+ return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
+ return X509_V_OK;
+}
+
+/*-
* Various checks to see if one certificate issued the second.
* This can be used to prune a set of possible issuer certificates
* which have been looked up using some simple method such as by
* These are:
* 1. Check issuer_name(subject) == subject_name(issuer)
* 2. If akid(subject) exists check it matches issuer
- * 3. If key_usage(issuer) exists check it supports certificate signing
+ * 3. Check that issuer public key algorithm matches subject signature algorithm
+ * 4. If key_usage(issuer) exists check it supports certificate signing
* returns 0 for OK, positive for reason for mismatch, reasons match
* codes for X509_verify_cert()
*/
int X509_check_issued(X509 *issuer, X509 *subject)
{
+ int ret;
+
+ if ((ret = x509_likely_issued(issuer, subject)) != X509_V_OK)
+ return ret;
+ return x509_signing_allowed(issuer, subject);
+}
+
+/* do the checks 1., 2., and 3. as described above for X509_check_issued() */
+int x509_likely_issued(X509 *issuer, X509 *subject)
+{
if (X509_NAME_cmp(X509_get_subject_name(issuer),
X509_get_issuer_name(subject)))
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
return ret;
}
- if (subject->ex_flags & EXFLAG_PROXY) {
- if (ku_reject(issuer, KU_DIGITAL_SIGNATURE))
- return X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE;
- } else if (ku_reject(issuer, KU_KEY_CERT_SIGN))
- return X509_V_ERR_KEYUSAGE_NO_CERTSIGN;
- return X509_V_OK;
+ /* check if the subject signature alg matches the issuer's PUBKEY alg */
+ return check_sig_alg_match(X509_get0_pubkey(issuer), subject);
}
int X509_check_akid(X509 *issuer, AUTHORITY_KEYID *akid)
=item B<-signCA>
-This option is the same as the B<-signreq> option except it uses the
+This option is the same as the B<-sign> option except it uses the
configuration file section B<v3_ca> and so makes the signed request a
valid CA certificate. This is useful when creating intermediate CA from
a root CA. Extra params are passed on to B<openssl ca> command.
CA.pl -newca
CA.pl -newreq
- CA.pl -signreq
+ CA.pl -sign
CA.pl -pkcs12 "My Test Certificate"
=head1 DSA CERTIFICATES
CA.pl -newca
-enter cacert.pem when prompted for the CA file name.
+enter cacert.pem when prompted for the CA filename.
Create a DSA certificate request and private key (a different set of parameters
can optionally be created first):
Sign the request:
- CA.pl -signreq
+ CA.pl -sign
=head1 NOTES
=head1 COPYRIGHT
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=item B<-noemailDN>
The DN of a certificate can contain the EMAIL field if present in the
-request DN, however it is good policy just having the e-mail set into
+request DN, however, it is good policy just having the e-mail set into
the altName extension of the certificate. When this option is set the
EMAIL field is removed from the certificate' subject and set only in
the, eventually present, extensions. The B<email_in_dn> keyword can be
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=item B<-sign filename>
Digitally sign the digest using the private key in "filename". Note this option
-does not support Ed25519 or Ed448 private keys. Use the B<pkeyutl> command
-instead for this.
+does not support Ed25519 or Ed448 private keys.
=item B<-keyform arg>
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
All the block ciphers normally use PKCS#5 padding, also known as standard
block padding. This allows a rudimentary integrity or password check to
-be performed. However since the chance of random data passing the test
+be performed. However, since the chance of random data passing the test
is better than 1 in 256 it isn't a very good test.
If padding is disabled then the input data must be a multiple of the cipher
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=item B<-host hostname:port>, B<-path pathname>
If the B<host> option is present then the OCSP request is sent to the host
-B<hostname> on port B<port>. B<path> specifies the HTTP path name to use
+B<hostname> on port B<port>. B<path> specifies the HTTP pathname to use
or "/" by default. This is equivalent to specifying B<-url> with scheme
http:// and the given hostname, port, and pathname.
=head1 COPYRIGHT
-Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
encryption purposes but arbitrary length keys for signing. The B<-keysig>
option marks the key for signing only. Signing only keys can be used for
S/MIME signing, authenticode (ActiveX control signing) and SSL client
-authentication, however due to a bug only MSIE 5.0 and later support
+authentication, however, due to a bug only MSIE 5.0 and later support
the use of signing only keys for SSL client authentication.
=item B<-macalg digest>
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Test vectors from this PKCS#5 v2.0 implementation were posted to the
pkcs-tng mailing list using triple DES, DES and RC2 with high iteration
counts, several people confirmed that they could decrypt the private
-keys produced and Therefore it can be assumed that the PKCS#5 v2.0
+keys produced and therefore, it can be assumed that the PKCS#5 v2.0
implementation is reasonably accurate at least as far as these
algorithms are concerned.
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
-The B<pkeyutl> command can be used to perform low level public key operations
+The B<pkeyutl> command can be used to perform low-level public key operations
using any supported algorithm.
=head1 OPTIONS
=head1 COPYRIGHT
-Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=item B<-nbio_test>
-Tests non-blocking I/O
+Tests nonblocking I/O
=item B<-nbio>
-Turns on non-blocking I/O
+Turns on nonblocking I/O
=item B<-crlf>
list to choose from. This is normally because the server is not sending
the clients certificate authority in its "acceptable CA list" when it
requests a certificate. By using B<s_client> the CA list can be viewed
-and checked. However some servers only request client authentication
+and checked. However, some servers only request client authentication
after a specific URL is requested. To obtain the list in this case it
is necessary to use the B<-prexit> option and send an HTTP request
for an appropriate page.
If a certificate is specified on the command line using the B<-cert>
option it will not be used unless the server specifically requests
-a client certificate. Therefor merely including a client certificate
+a client certificate. Therefore, merely including a client certificate
on the command line is no guarantee that the certificate works.
If there are problems verifying a server certificate then the
=item B<-id_prefix val>
Generate SSL/TLS session IDs prefixed by B<val>. This is mostly useful
-for testing any SSL/TLS code (eg. proxies) that wish to deal with multiple
+for testing any SSL/TLS code (e.g. proxies) that wish to deal with multiple
servers, when each of which might be generating a unique range of session
-IDs (eg. with a certain prefix).
+IDs (e.g. with a certain prefix).
=item B<-rand file...>
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
list to choose from. This is normally because the server is not sending
the clients certificate authority in its "acceptable CA list" when it
requests a certificate. By using L<s_client(1)> the CA list can be
-viewed and checked. However some servers only request client authentication
+viewed and checked. However, some servers only request client authentication
after a specific URL is requested. To obtain the list in this case it
is necessary to use the B<-prexit> option of L<s_client(1)> and
send an HTTP request for an appropriate page.
If a certificate is specified on the command line using the B<-cert>
option it will not be used unless the server specifically requests
-a client certificate. Therefor merely including a client certificate
+a client certificate. Therefore, merely including a client certificate
on the command line is no guarantee that the certificate works.
=head1 BUGS
Since the SSL session output contains the master key it is
possible to read the contents of an encrypted session using this
-information. Therefore appropriate security precautions should be taken if
+information. Therefore, appropriate security precautions should be taken if
the information is being output by a "real" application. This is however
strongly discouraged and should only be used for debugging purposes.
=item 2.
The TSA attaches the current date and time to the received hash value,
-signs them and sends the time stamp token back to the client. By
+signs them and sends the timestamp token back to the client. By
creating this token the TSA certifies the existence of the original
data file at the time of response generation.
=item 3.
-The TSA client receives the time stamp token and verifies the
+The TSA client receives the timestamp token and verifies the
signature on it. It also checks if the token contains the same hash
value that it had sent to the TSA.
=back
-There is one DER encoded protocol data unit defined for transporting a time
-stamp request to the TSA and one for sending the time stamp response
+There is one DER encoded protocol data unit defined for transporting
+a timestamp request to the TSA and one for sending the timestamp response
back to the client. The B<ts> command has three main functions:
-creating a time stamp request based on a data file,
-creating a time stamp response based on a request, verifying if a
+creating a timestamp request based on a data file,
+creating a timestamp response based on a request, verifying if a
response corresponds to a particular request or a data file.
There is no support for sending the requests/responses automatically
=head2 Time Stamp Request generation
-The B<-query> switch can be used for creating and printing a time stamp
+The B<-query> switch can be used for creating and printing a timestamp
request with the following options:
=over 4
=item B<-data> file_to_hash
-The data file for which the time stamp request needs to be
+The data file for which the timestamp request needs to be
created. stdin is the default if neither the B<-data> nor the B<-digest>
parameter is specified. (Optional)
=item B<-tspolicy> object_id
The policy that the client expects the TSA to use for creating the
-time stamp token. Either the dotted OID notation or OID names defined
+timestamp token. Either the dotted OID notation or OID names defined
in the config file can be used. If no policy is requested the TSA will
use its own default policy. (Optional)
=item B<-in> request.tsq
-This option specifies a previously created time stamp request in DER
+This option specifies a previously created timestamp request in DER
format that will be printed into the output file. Useful when you need
to examine the content of a request in human-readable
format. (Optional)
=head2 Time Stamp Response generation
-A time stamp response (TimeStampResp) consists of a response status
-and the time stamp token itself (ContentInfo), if the token generation was
-successful. The B<-reply> command is for creating a time stamp
-response or time stamp token based on a request and printing the
+A timestamp response (TimeStampResp) consists of a response status
+and the timestamp token itself (ContentInfo), if the token generation was
+successful. The B<-reply> command is for creating a timestamp
+response or timestamp token based on a request and printing the
response/token in human-readable format. If B<-token_out> is not
-specified the output is always a time stamp response (TimeStampResp),
-otherwise it is a time stamp token (ContentInfo).
+specified the output is always a timestamp response (TimeStampResp),
+otherwise it is a timestamp token (ContentInfo).
=over 4
=item B<-queryfile> request.tsq
-The name of the file containing a DER encoded time stamp request. (Optional)
+The name of the file containing a DER encoded timestamp request. (Optional)
=item B<-passin> password_src
=item B<-in> response.tsr
-Specifies a previously created time stamp response or time stamp token
+Specifies a previously created timestamp response or timestamp token
(if B<-token_in> is also specified) in DER format that will be written
to the output file. This option does not require a request, it is
useful e.g. when you need to examine the content of a response or
-token or you want to extract the time stamp token from a response. If
-the input is a token and the output is a time stamp response a default
+token or you want to extract the timestamp token from a response. If
+the input is a token and the output is a timestamp response a default
'granted' status info is added to the token. (Optional)
=item B<-token_in>
This flag can be used together with the B<-in> option and indicates
-that the input is a DER encoded time stamp token (ContentInfo) instead
-of a time stamp response (TimeStampResp). (Optional)
+that the input is a DER encoded timestamp token (ContentInfo) instead
+of a timestamp response (TimeStampResp). (Optional)
=item B<-out> response.tsr
=item B<-token_out>
-The output is a time stamp token (ContentInfo) instead of time stamp
+The output is a timestamp token (ContentInfo) instead of timestamp
response (TimeStampResp). (Optional)
=item B<-text>
=head2 Time Stamp Response verification
-The B<-verify> command is for verifying if a time stamp response or time
-stamp token is valid and matches a particular time stamp request or
+The B<-verify> command is for verifying if a timestamp response or
+timestamp token is valid and matches a particular timestamp request or
data file. The B<-verify> command does not use the configuration file.
=over 4
=item B<-queryfile> request.tsq
-The original time stamp request in DER format. The B<-data> and B<-digest>
+The original timestamp request in DER format. The B<-data> and B<-digest>
options must not be specified with this one. (Optional)
=item B<-in> response.tsr
-The time stamp response that needs to be verified in DER format. (Mandatory)
+The timestamp response that needs to be verified in DER format. (Mandatory)
=item B<-token_in>
This flag can be used together with the B<-in> option and indicates
-that the input is a DER encoded time stamp token (ContentInfo) instead
-of a time stamp response (TimeStampResp). (Optional)
+that the input is a DER encoded timestamp token (ContentInfo) instead
+of a timestamp response (TimeStampResp). (Optional)
=item B<-CApath> trusted_cert_path
=item B<serial>
The name of the file containing the hexadecimal serial number of the
-last time stamp response created. This number is incremented by 1 for
+last timestamp response created. This number is incremented by 1 for
each response. If the file does not exist at the time of response
generation a new file is created with serial number 1. (Mandatory)
=item B<clock_precision_digits>
Specifies the maximum number of digits, which represent the fraction of
-seconds, that need to be included in the time field. The trailing zeroes
+seconds, that need to be included in the time field. The trailing zeros
must be removed from the time, so there might actually be fewer digits,
or no fraction of seconds at all. Supported only on UNIX platforms.
The maximum value is 6, default is 0.
=head2 Time Stamp Request
-To create a time stamp request for design1.txt with SHA-1
+To create a timestamp request for design1.txt with SHA-1
without nonce and policy and no certificate is required in the response:
openssl ts -query -data design1.txt -no_nonce \
-out design1.tsq
-To create a similar time stamp request with specifying the message imprint
+To create a similar timestamp request with specifying the message imprint
explicitly:
openssl ts -query -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
openssl ts -query -in design1.tsq -text
-To create a time stamp request which includes the MD-5 digest
+To create a timestamp request which includes the MD-5 digest
of design2.txt, requests the signer certificate and nonce,
specifies a policy id (assuming the tsa_policy1 name is defined in the
OID section of the config file):
tsacert.pem is the signing certificate issued by cacert.pem and
tsakey.pem is the private key of the TSA.
-To create a time stamp response for a request:
+To create a timestamp response for a request:
openssl ts -reply -queryfile design1.tsq -inkey tsakey.pem \
-signer tsacert.pem -out design1.tsr
openssl ts -reply -queryfile design1.tsq -out design1.tsr
-To print a time stamp reply to stdout in human readable format:
+To print a timestamp reply to stdout in human readable format:
openssl ts -reply -in design1.tsr -text
-To create a time stamp token instead of time stamp response:
+To create a timestamp token instead of timestamp response:
openssl ts -reply -queryfile design1.tsq -out design1_token.der -token_out
-To print a time stamp token to stdout in human readable format:
+To print a timestamp token to stdout in human readable format:
openssl ts -reply -in design1_token.der -token_in -text -token_out
-To extract the time stamp token from a response:
+To extract the timestamp token from a response:
openssl ts -reply -in design1.tsr -out design1_token.der -token_out
-To add 'granted' status info to a time stamp token thereby creating a
+To add 'granted' status info to a timestamp token thereby creating a
valid response:
openssl ts -reply -in design1_token.der -token_in -out design1.tsr
=head2 Time Stamp Verification
-To verify a time stamp reply against a request:
+To verify a timestamp reply against a request:
openssl ts -verify -queryfile design1.tsq -in design1.tsr \
-CAfile cacert.pem -untrusted tsacert.pem
-To verify a time stamp reply that includes the certificate chain:
+To verify a timestamp reply that includes the certificate chain:
openssl ts -verify -queryfile design2.tsq -in design2.tsr \
-CAfile cacert.pem
-To verify a time stamp token against the original data file:
+To verify a timestamp token against the original data file:
openssl ts -verify -data design2.txt -in design2.tsr \
-CAfile cacert.pem
-To verify a time stamp token against a message imprint:
+To verify a timestamp token against a message imprint:
openssl ts -verify -digest b7e5d3f93198b38379852f2c04e78d73abdd0f4b \
-in design2.tsr -CAfile cacert.pem
=item *
-No support for time stamps over SMTP, though it is quite easy
+No support for timestamps over SMTP, though it is quite easy
to implement an automatic e-mail based TSA with L<procmail(1)>
and L<perl(1)>. HTTP server support is provided in the form of
a separate apache module. HTTP client support is provided by
The file containing the last serial number of the TSA is not
locked when being read or written. This is a problem if more than one
-instance of L<openssl(1)> is trying to create a time stamp
+instance of L<openssl(1)> is trying to create a timestamp
response at the same time. This is not an issue when using the apache
server module, it does proper locking.
=head1 COPYRIGHT
-Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
-The B<tsget> command can be used for sending a time stamp request, as
-specified in B<RFC 3161>, to a time stamp server over HTTP or HTTPS and storing
-the time stamp response in a file. This tool cannot be used for creating the
+The B<tsget> command can be used for sending a timestamp request, as
+specified in B<RFC 3161>, to a timestamp server over HTTP or HTTPS and storing
+the timestamp response in a file. This tool cannot be used for creating the
requests and verifying responses, you can use the OpenSSL B<ts(1)> command to
do that. B<tsget> can send several requests to the server without closing
the TCP connection if more than one requests are specified on the command
line.
-The tool sends the following HTTP request for each time stamp request:
+The tool sends the following HTTP request for each timestamp request:
POST url HTTP/1.1
User-Agent: OpenTSA tsget.pl/<version>
=item B<-h> server_url
-The URL of the HTTP/HTTPS server listening for time stamp requests.
+The URL of the HTTP/HTTPS server listening for timestamp requests.
=item B<-e> extension
=item B<-o> output
This option can be specified only when just one request is sent to the
-server. The time stamp response will be written to the given output file. '-'
-means standard output. In case of multiple time stamp requests or the absence
+server. The timestamp response will be written to the given output file. '-'
+means standard output. In case of multiple timestamp requests or the absence
of this argument the names of the output files will be derived from the names
of the input files and the default or specified extension argument. (Optional)
=item [request]...
-List of files containing B<RFC 3161> DER-encoded time stamp requests. If no
+List of files containing B<RFC 3161> DER-encoded timestamp requests. If no
requests are specified only one request will be sent to the server and it will be
read from the standard input. (Optional)
=head1 EXAMPLES
The examples below presume that B<file1.tsq> and B<file2.tsq> contain valid
-time stamp requests, tsa.opentsa.org listens at port 8080 for HTTP requests
+timestamp requests, tsa.opentsa.org listens at port 8080 for HTTP requests
and at port 8443 for HTTPS requests, the TSA service is available at the /tsa
absolute path.
-Get a time stamp response for file1.tsq over HTTP, output is written to
+Get a timestamp response for file1.tsq over HTTP, output is written to
file1.tsr:
tsget -h http://tsa.opentsa.org:8080/tsa file1.tsq
-Get a time stamp response for file1.tsq and file2.tsq over HTTP showing
+Get a timestamp response for file1.tsq and file2.tsq over HTTP showing
progress, output is written to file1.reply and file2.reply respectively:
tsget -h http://tsa.opentsa.org:8080/tsa -v -e .reply \
file1.tsq file2.tsq
-Create a time stamp request, write it to file3.tsq, send it to the server and
+Create a timestamp request, write it to file3.tsq, send it to the server and
write the response to file3.tsr:
openssl ts -query -data file3.txt -cert | tee file3.tsq \
| tsget -h http://tsa.opentsa.org:8080/tsa \
-o file3.tsr
-Get a time stamp response for file1.tsq over HTTPS without client
+Get a timestamp response for file1.tsq over HTTPS without client
authentication:
tsget -h https://tsa.opentsa.org:8443/tsa \
-C cacerts.pem file1.tsq
-Get a time stamp response for file1.tsq over HTTPS with certificate-based
+Get a timestamp response for file1.tsq over HTTPS with certificate-based
client authentication (it will ask for the passphrase if client_key.pem is
protected):
=head1 COPYRIGHT
-Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=item B<-check_ss_sig>
-Verify the signature on the self-signed root CA. This is disabled by default
-because it doesn't add any security.
+Verify the signature of
+the last certificate in a chain if the certificate is supposedly self-signed.
+This is prohibited and will result in an error if it is a non-conforming CA
+certificate with key usage restrictions not including the keyCertSign bit.
+This verification is disabled by default because it doesn't add any security.
=item B<-CRLfile file>
=head1 VERIFY OPERATION
The B<verify> program uses the same functions as the internal SSL and S/MIME
-verification, therefore this description applies to these verify operations
+verification, therefore, this description applies to these verify operations
too.
There is one crucial difference between the verify operations performed
For compatibility with previous versions of OpenSSL, a certificate with no
trust settings is considered to be valid for all purposes.
-The final operation is to check the validity of the certificate chain. The validity
-period is checked against the current system time and the notBefore and notAfter
-dates in the certificate. The certificate signatures are also checked at this
-point.
+The final operation is to check the validity of the certificate chain.
+For each element in the chain, including the root CA certificate,
+the validity period as specified by the C<notBefore> and C<notAfter> fields
+is checked against the current system time.
+The B<-attime> flag may be used to use a reference time other than "now."
+The certificate signature is checked as well
+(except for the signature of the typically self-signed root CA certificate,
+which is verified only if the B<-check_ss_sig> option is given).
If all operations complete successfully then certificate is considered valid. If
any operation fails then the certificate is not valid.
=head1 COPYRIGHT
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=item B<-checkend arg>
Checks if the certificate expires within the next B<arg> seconds and exits
-non-zero if yes it will expire or zero if not.
+nonzero if yes it will expire or zero if not.
=item B<-fingerprint>
In general an B<ASN1_INTEGER> or B<ASN1_ENUMERATED> type can contain an
integer of almost arbitrary size and so cannot always be represented by a C
-B<int64_t> type. However in many cases (for example version numbers) they
+B<int64_t> type. However, in many cases (for example version numbers) they
represent small integers which can be more easily manipulated if converted to
an appropriate C integer type.
=head1 COPYRIGHT
-Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
is null terminated or does not contain embedded nulls. The actual format
of the data will depend on the actual string type itself: for example
for an IA5String the data will be ASCII, for a BMPString two bytes per
-character in big endian format, and for an UTF8String it will be in UTF8 format.
+character in big endian format, and for a UTF8String it will be in UTF8 format.
Similar care should be take to ensure the data is in the correct format
when calling ASN1_STRING_set().
=head1 COPYRIGHT
-Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
will be positive. If B<to> represents a time earlier than B<from> then
one or both of B<*pday> and B<*psec> will be negative. If B<to> and B<from>
represent the same time then B<*pday> and B<*psec> will both be zero.
-If both B<*pday> and B<*psec> are non-zero they will always have the same
+If both B<*pday> and B<*psec> are nonzero they will always have the same
sign. The value of B<*psec> will always be less than the number of seconds
in a day. If B<from> or B<to> is NULL the current time is used.
=head1 BUGS
ASN1_TIME_print(), ASN1_UTCTIME_print() and ASN1_GENERALIZEDTIME_print()
-do not print out the time zone: it either prints out "GMT" or nothing. But all
+do not print out the timezone: it either prints out "GMT" or nothing. But all
certificates complying with RFC5280 et al use GMT anyway.
Use the ASN1_TIME_normalize() function to normalize the time value before
=head1 COPYRIGHT
-Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
ASN1_TYPE_set1() sets the value of B<a> to B<type> a copy of B<value>.
ASN1_TYPE_cmp() compares ASN.1 types B<a> and B<b> and returns 0 if
-they are identical and non-zero otherwise.
+they are identical and nonzero otherwise.
ASN1_TYPE_unpack_sequence() attempts to parse the SEQUENCE present in
B<t> using the ASN.1 structure B<it>. If successful it returns a pointer
ASN1_TYPE_cmp() may not return zero if two types are equivalent but have
different encodings. For example the single content octet of the boolean TRUE
-value under BER can have any non-zero encoding but ASN1_TYPE_cmp() will
+value under BER can have any nonzero encoding but ASN1_TYPE_cmp() will
only return zero if the values are the same.
If either or both of the parameters passed to ASN1_TYPE_cmp() is NULL the
-return value is non-zero. Technically if both parameters are NULL the two
-types could be absent OPTIONAL fields and so should match, however passing
+return value is nonzero. Technically if both parameters are NULL the two
+types could be absent OPTIONAL fields and so should match, however, passing
NULL values could also indicate a programming error (for example an
unparsable type which returns NULL) for types which do B<not> match. So
applications should handle the case of two absent values separately.
ASN1_TYPE_set1() returns 1 for success and 0 for failure.
-ASN1_TYPE_cmp() returns 0 if the types are identical and non-zero otherwise.
+ASN1_TYPE_cmp() returns 0 if the types are identical and nonzero otherwise.
ASN1_TYPE_unpack_sequence() returns a pointer to an ASN.1 structure or
NULL on failure.
B<*numfds>. It is the caller's responsibility to ensure that sufficient memory
has been allocated in B<*fd> to receive all the file descriptors. Calling
ASYNC_WAIT_CTX_get_all_fds() with a NULL B<fd> value will return no file
-descriptors but will still populate B<*numfds>. Therefore application code is
+descriptors but will still populate B<*numfds>. Therefore, application code is
typically expected to call this function twice: once to get the number of fds,
and then again when sufficient memory has been allocated. If only one
asynchronous engine is being used then normally this call will only ever return
On Windows platforms the openssl/async.h header is dependent on some
of the types customarily made available by including windows.h. The
application developer is likely to require control over when the latter
-is included, commonly as one of the first included headers. Therefore
+is included, commonly as one of the first included headers. Therefore,
it is defined as an application developer's responsibility to include
windows.h prior to async.h.
=head1 COPYRIGHT
-Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
On Windows platforms the openssl/async.h header is dependent on some
of the types customarily made available by including windows.h. The
application developer is likely to require control over when the latter
-is included, commonly as one of the first included headers. Therefore
+is included, commonly as one of the first included headers. Therefore,
it is defined as an application developer's responsibility to include
windows.h prior to async.h.
=head1 COPYRIGHT
-Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
to decrypt. Some programs and protocols simplify this, like SSH, where
B<ivec> is simply initialized to zero.
BF_cbc_encrypt() operates on data that is a multiple of 8 bytes long, while
-BF_cfb64_encrypt() and BF_ofb64_encrypt() are used to encrypt an variable
+BF_cfb64_encrypt() and BF_ofb64_encrypt() are used to encrypt a variable
number of bytes (the amount does not have to be an exact multiple of 8). The
purpose of the latter two is to simulate stream ciphers, and therefore, they
need the parameter B<num>, which is a pointer to an integer where the current
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
BIO_ADDR_clear() clears any data held within the provided B<BIO_ADDR> and sets
it back to an uninitialised state.
-BIO_ADDR_rawmake() takes a protocol B<family>, an byte array of
+BIO_ADDR_rawmake() takes a protocol B<family>, a byte array of
size B<wherelen> with an address in network byte order pointed at
by B<where> and a port number in network byte order in B<port> (except
for the B<AF_UNIX> protocol family, where B<port> is meaningless and
=head1 COPYRIGHT
-Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
The BIO_lookup_ex() implementation uses the platform provided getaddrinfo()
function. On Linux it is known that specifying 0 for the protocol will not
-return any SCTP based addresses when calling getaddrinfo(). Therefore if an SCTP
+return any SCTP based addresses when calling getaddrinfo(). Therefore, if an SCTP
address is required then the B<protocol> parameter to BIO_lookup_ex() should be
explicitly set to IPPROTO_SCTP. The same may be true on other platforms.
=head1 COPYRIGHT
-Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=item BIO_SOCK_NONBLOCK
-Sets the socket to non-blocking mode.
+Sets the socket to nonblocking mode.
=item BIO_SOCK_NODELAY
=head1 COPYRIGHT
-Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
operation usually pass the operation to the next BIO in the chain.
This often means there is no need to locate the required BIO for
a particular operation, it can be called on a chain and it will
-be automatically passed to the relevant BIO. However this can cause
+be automatically passed to the relevant BIO. However, this can cause
unexpected results: for example no current filter BIOs implement
BIO_seek(), but this may still succeed if the chain ends in a FILE
or file descriptor BIO.
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
This can be used by custom BIOs for storing implementation specific information.
The BIO_set_init() function sets the value of the BIO's "init" flag to indicate
-whether initialisation has been completed for this BIO or not. A non-zero value
+whether initialisation has been completed for this BIO or not. A nonzero value
indicates that initialisation is complete, whilst zero indicates that it is not.
Often initialisation will complete during initial construction of the BIO. For
some BIOs however, initialisation may not complete until after additional steps
=head1 COPYRIGHT
-Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
BIO_parse_hostserv() will parse the information given in B<hostserv>,
-create strings with the host name and service name and give those
+create strings with the hostname and service name and give those
back via B<host> and B<service>. Those will need to be freed after
they are used. B<hostserv_prio> helps determine if B<hostserv> shall
-be interpreted primarily as a host name or a service name in ambiguous
+be interpreted primarily as a hostname or a service name in ambiguous
cases.
The syntax the BIO_parse_hostserv() recognises is:
=head1 COPYRIGHT
-Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 NOTES
A 0 or -1 return is not necessarily an indication of an error. In
-particular when the source/sink is non-blocking or of a certain type
+particular when the source/sink is nonblocking or of a certain type
it may merely be an indication that no data is currently available and that
the application should retry the operation later.
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
connections. This can be resolved by using BIO_pop() (see above)
and freeing up the accept BIO after the initial connection.
-If the underlying accept socket is non-blocking and BIO_do_accept() is
+If the underlying accept socket is nonblocking and BIO_do_accept() is
called to await an incoming connection it is possible for
BIO_should_io_special() with the reason BIO_RR_ACCEPT. If this happens
then it is an indication that an accept attempt would block: the application
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
...
BIO_new_bio_pair(&internal_bio, 0, &network_bio, 0);
SSL_set_bio(ssl, internal_bio, internal_bio);
- SSL_operations(); /* e.g SSL_read and SSL_write */
+ SSL_operations(); /* e.g. SSL_read and SSL_write */
...
application | TLS-engine
...
As the BIO pair will only buffer the data and never directly access the
-connection, it behaves non-blocking and will return as soon as the write
+connection, it behaves nonblocking and will return as soon as the write
buffer is full or the read buffer is drained. Then the application has to
flush the write buffer and/or fill the read buffer.
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
I/O call is caused by an error condition, although a zero return
will normally mean that the connection was closed.
-If the port name is supplied as part of the host name then this will
+If the port name is supplied as part of the hostname then this will
override any value set with BIO_set_conn_port(). This may be undesirable
if the application does not wish to allow connection to arbitrary
ports. This can be avoided by checking for the presence of the ':'
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
On Windows BIO_new_files reserves for the filename argument to be
UTF-8 encoded. In other words if you have to make it work in multi-
-lingual environment, encode file names in UTF-8.
+lingual environment, encode filenames in UTF-8.
=head1 RETURN VALUES
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
BIO_set_callback_ex() and BIO_get_callback_ex() set and retrieve the BIO
-callback. The callback is called during most high level BIO operations. It can
+callback. The callback is called during most high-level BIO operations. It can
be used for debugging purposes to trace operations on a BIO or to modify its
operation.
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
BN_mod() corresponds to BN_div() with I<dv> set to B<NULL>.
-BN_nnmod() reduces I<a> modulo I<m> and places the non-negative
+BN_nnmod() reduces I<a> modulo I<m> and places the nonnegative
remainder in I<r>.
-BN_mod_add() adds I<a> to I<b> modulo I<m> and places the non-negative
+BN_mod_add() adds I<a> to I<b> modulo I<m> and places the nonnegative
result in I<r>.
BN_mod_sub() subtracts I<b> from I<a> modulo I<m> and places the
-non-negative result in I<r>.
+nonnegative result in I<r>.
-BN_mod_mul() multiplies I<a> by I<b> and finds the non-negative
+BN_mod_mul() multiplies I<a> by I<b> and finds the nonnegative
remainder respective to modulus I<m> (C<r=(a*b) mod m>). I<r> may be
the same B<BIGNUM> as I<a> or I<b>. For more efficient algorithms for
repeated computations using the same modulus, see
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
BN_bn2binpad() also converts the absolute value of B<a> into big-endian form
and stores it at B<to>. B<tolen> indicates the length of the output buffer
-B<to>. The result is padded with zeroes if necessary. If B<tolen> is less than
+B<to>. The result is padded with zeros if necessary. If B<tolen> is less than
BN_num_bytes(B<a>) an error is returned.
BN_bin2bn() converts the positive integer in big-endian form of length
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
If B<cb> is not B<NULL>, B<BN_GENCB_call(cb, 1, j)> is called
after the j-th iteration (j = 0, 1, ...). B<ctx> is a
-pre-allocated B<BN_CTX> (to save the overhead of allocating and
+preallocated B<BN_CTX> (to save the overhead of allocating and
freeing the structure in a loop), or B<NULL>.
BN_GENCB_call() calls the callback function held in the B<BN_GENCB> structure
BN_from_montgomery() performs the Montgomery reduction I<r> = I<a>*R^-1.
BN_to_montgomery() computes Mont(I<a>,R^2), i.e. I<a>*R.
-Note that I<a> must be non-negative and smaller than the modulus.
+Note that I<a> must be nonnegative and smaller than the modulus.
For all functions, I<ctx> is a previously allocated B<BN_CTX> used for
temporary variables.
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
BN_is_bit_set() tests if bit B<n> in B<a> is set.
BN_mask_bits() truncates B<a> to an B<n> bit number
-(C<a&=~((~0)E<gt>E<gt>n)>). An error occurs if B<a> already is
+(C<a&=~((~0)E<lt>E<lt>n)>). An error occurs if B<a> already is
shorter than B<n> bits.
BN_lshift() shifts B<a> left by B<n> bits and places the result in
-B<r> (C<r=a*2^n>). Note that B<n> must be non-negative. BN_lshift1() shifts
+B<r> (C<r=a*2^n>). Note that B<n> must be nonnegative. BN_lshift1() shifts
B<a> left by one and places the result in B<r> (C<r=2*a>).
BN_rshift() shifts B<a> right by B<n> bits and places the result in
-B<r> (C<r=a/2^n>). Note that B<n> must be non-negative. BN_rshift1() shifts
+B<r> (C<r=a/2^n>). Note that B<n> must be nonnegative. BN_rshift1() shifts
B<a> right by one and places the result in B<r> (C<r=a/2>).
For the shift functions, B<r> and B<a> may be the same variable.
=head1 COPYRIGHT
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
B<flags> is an optional set of flags, which can be used to modify the verify
operation.
-CMS_get0_signers() retrieves the signing certificate(s) from B<cms>, it must
+CMS_get0_signers() retrieves the signing certificate(s) from B<cms>, it may only
be called after a successful CMS_verify() operation.
=head1 VERIFY PROCESS
is not considered important.
Chain verification should arguably be performed using the signing time rather
-than the current time. However since the signing time is supplied by the
+than the current time. However, since the signing time is supplied by the
signer it cannot be trusted without additional evidence (such as a trusted
timestamp).
=head1 COPYRIGHT
-Copyright 2008-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2008-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
openssl/crypto.h header are dependent on some of the types customarily
made available by including windows.h. The application developer is
likely to require control over when the latter is included, commonly as
-one of the first included headers. Therefore it is defined as an
+one of the first included headers. Therefore, it is defined as an
application developer's responsibility to include windows.h prior to
crypto.h where use of CRYPTO_THREAD_* types and functions is required.
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 RETURN VALUES
-CRYPTO_memcmp() returns 0 if the memory regions are equal and non-zero
+CRYPTO_memcmp() returns 0 if the memory regions are equal and nonzero
otherwise.
=head1 NOTES
Unlike memcmp(2), this function cannot be used to order the two memory regions
-as the return value when they differ is undefined, other than being non-zero.
+as the return value when they differ is undefined, other than being nonzero.
=head1 COPYRIGHT
-Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
error is returned, the key schedule is not generated.
DES_set_key() works like
-DES_set_key_checked() if the I<DES_check_key> flag is non-zero,
+DES_set_key_checked() if the I<DES_check_key> flag is nonzero,
otherwise like DES_set_key_unchecked(). These functions are available
for compatibility; it is recommended to use a function that does not
depend on a global variable.
decrypts a single 8-byte I<DES_cblock> in I<electronic code book>
(ECB) mode. It always transforms the input data, pointed to by
I<input>, into the output data, pointed to by the I<output> argument.
-If the I<encrypt> argument is non-zero (DES_ENCRYPT), the I<input>
+If the I<encrypt> argument is nonzero (DES_ENCRYPT), the I<input>
(cleartext) is encrypted in to the I<output> (ciphertext) using the
key_schedule specified by the I<schedule> argument, previously set via
I<DES_set_key>. If I<encrypt> is zero (DES_DECRYPT), the I<input> (now
encryption by using I<ks1> for the final encryption.
DES_ncbc_encrypt() encrypts/decrypts using the I<cipher-block-chaining>
-(CBC) mode of DES. If the I<encrypt> argument is non-zero, the
+(CBC) mode of DES. If the I<encrypt> argument is nonzero, the
routine cipher-block-chain encrypts the cleartext data pointed to by
the I<input> argument into the ciphertext pointed to by the I<output>
argument, using the key schedule provided by the I<schedule> argument,
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
object, or NULL if no such ENGINE has been set.
The DH_get_length() and DH_set_length() functions get and set the optional
-length parameter associated with this DH object. If the length is non-zero then
+length parameter associated with this DH object. If the length is nonzero then
it is used, otherwise it is ignored. The B<length> parameter indicates the
length of the secret exponent (private key) in bits.
=head1 COPYRIGHT
-Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
This will replace the DH_METHOD used by the DH key and if the previous method
was supplied by an ENGINE, the handle to that ENGINE will be released during the
change. It is possible to have DH keys that only work with certain DH_METHOD
-implementations (eg. from an ENGINE module that supports embedded
+implementations (e.g. from an ENGINE module that supports embedded
hardware-protected keys), and in such cases attempting to change the DH_METHOD
for the key can have unexpected results.
DH_set_default_method() returns no value.
-DH_set_method() returns non-zero if the provided B<meth> was successfully set as
+DH_set_method() returns nonzero if the provided B<meth> was successfully set as
the method for B<dh> (including unloading the ENGINE handle if the previous
method was supplied by an ENGINE).
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
B<rsa>. This will replace the DSA_METHOD used by the DSA key and if the
previous method was supplied by an ENGINE, the handle to that ENGINE will
be released during the change. It is possible to have DSA keys that only
-work with certain DSA_METHOD implementations (eg. from an ENGINE module
+work with certain DSA_METHOD implementations (e.g. from an ENGINE module
that supports embedded hardware-protected keys), and in such cases
attempting to change the DSA_METHOD for the key can have unexpected
results. See L<DSA_meth_new> for information on constructing custom DSA_METHOD
DSA_set_default_method() returns no value.
-DSA_set_method() returns non-zero if the provided B<meth> was successfully set as
+DSA_set_method() returns nonzero if the provided B<meth> was successfully set as
the method for B<dsa> (including unloading the ENGINE handle if the previous
method was supplied by an ENGINE).
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
If DTLS is used over UDP (or any datagram based protocol that does not validate
the source IP) then it is susceptible to this type of attack. TLSv1.3 is
designed to operate over a stream-based transport protocol (such as TCP).
-If TCP is being used then there is no need to use SSL_stateless(). However some
+If TCP is being used then there is no need to use SSL_stateless(). However, some
stream-based transport protocols (e.g. QUIC) may not validate the source
address. In this case a TLSv1.3 application would be susceptible to this attack.
filled in.
A return value of 0 indicates a non-fatal error. This could (for
-example) be because of non-blocking IO, or some invalid message having been
+example) be because of nonblocking IO, or some invalid message having been
received from a peer. Errors may be placed on the OpenSSL error queue with
further information if appropriate. Typically user code is expected to retry the
call to DTLSv1_listen() in the event of a non-fatal error.
=head1 COPYRIGHT
-Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
ECDSA_SIG_get0, ECDSA_SIG_get0_r, ECDSA_SIG_get0_s, ECDSA_SIG_set0,
ECDSA_SIG_new, ECDSA_SIG_free, ECDSA_size, ECDSA_sign, ECDSA_do_sign,
ECDSA_verify, ECDSA_do_verify, ECDSA_sign_setup, ECDSA_sign_ex,
-ECDSA_do_sign_ex - low level elliptic curve digital signature algorithm (ECDSA)
+ECDSA_do_sign_ex - low-level elliptic curve digital signature algorithm (ECDSA)
functions
=head1 SYNOPSIS
=head1 DESCRIPTION
-Note: these functions provide a low level interface to ECDSA. Most
+Note: these functions provide a low-level interface to ECDSA. Most
applications should use the higher level B<EVP> interface such as
L<EVP_DigestSignInit(3)> or L<EVP_DigestVerifyInit(3)> instead.
=head1 COPYRIGHT
-Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
EC_GROUP_set_curve() sets the curve parameters B<p>, B<a> and B<b>. For a curve
over Fp B<p> is the prime for the field. For a curve over F2^m B<p> represents
the irreducible polynomial - each bit represents a term in the polynomial.
-Therefore there will either be three or five bits set dependent on whether the
+Therefore, there will either be three or five bits set dependent on whether the
polynomial is a trinomial or a pentanomial.
In either case, B<a> and B<b> represents the coefficients a and b from the
relevant equation introduced above.
=head1 COPYRIGHT
-Copyright 2013-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
EC_KEY_get0_group, EC_KEY_set_group, EC_KEY_get0_private_key,
EC_KEY_set_private_key, EC_KEY_get0_public_key, EC_KEY_set_public_key,
EC_KEY_get_conv_form,
-EC_KEY_set_conv_form, EC_KEY_set_asn1_flag, EC_KEY_precompute_mult,
+EC_KEY_set_conv_form, EC_KEY_set_asn1_flag,
+EC_KEY_decoded_from_explicit_params, EC_KEY_precompute_mult,
EC_KEY_generate_key, EC_KEY_check_key, EC_KEY_set_public_key_affine_coordinates,
EC_KEY_oct2key, EC_KEY_key2buf, EC_KEY_oct2priv, EC_KEY_priv2oct,
EC_KEY_priv2buf - Functions for creating, destroying and manipulating
point_conversion_form_t EC_KEY_get_conv_form(const EC_KEY *key);
void EC_KEY_set_conv_form(EC_KEY *eckey, point_conversion_form_t cform);
void EC_KEY_set_asn1_flag(EC_KEY *eckey, int asn1_flag);
+ int EC_KEY_decoded_from_explicit_params(const EC_KEY *key);
int EC_KEY_precompute_mult(EC_KEY *key, BN_CTX *ctx);
int EC_KEY_generate_key(EC_KEY *key);
int EC_KEY_check_key(const EC_KEY *key);
(if set). Refer to L<EC_GROUP_copy(3)> for further information on the
asn1_flag.
+EC_KEY_decoded_from_explicit_params() returns 1 if the group of the I<key> was
+decoded from data with explicitly encoded group parameters, -1 if the I<key>
+is NULL or the group parameters are missing, and 0 otherwise.
+
EC_KEY_precompute_mult() stores multiples of the underlying EC_GROUP generator
for faster point multiplication. See also L<EC_POINT_add(3)>.
EC_KEY_oct2key() and EC_KEY_key2buf() are identical to the functions
-EC_POINT_oct2point() and EC_KEY_point2buf() except they use the public key
+EC_POINT_oct2point() and EC_POINT_point2buf() except they use the public key
EC_POINT in B<eckey>.
EC_KEY_oct2priv() and EC_KEY_priv2oct() convert between the private key
=head1 COPYRIGHT
-Copyright 2013-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Points can also be described in terms of their compressed co-ordinates. For a
point (x, y), for any given value for x such that the point is on the curve
-there will only ever be two possible values for y. Therefore a point can be set
+there will only ever be two possible values for y. Therefore, a point can be set
using the EC_POINT_set_compressed_coordinates() function where B<x> is the x
co-ordinate and B<y_bit> is a value 0 or 1 to identify which of the two
possible values for y should be used.
=head1 COPYRIGHT
-Copyright 2013-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2013-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head2 Reference counting and handles
Due to the modular nature of the ENGINE API, pointers to ENGINEs need to be
-treated as handles - ie. not only as pointers, but also as references to
+treated as handles - i.e. not only as pointers, but also as references to
the underlying ENGINE object. Ie. one should obtain a new reference when
making copies of an ENGINE pointer if the copies will be used (and
released) independently.
To obtain a functional reference from an existing structural reference,
call the ENGINE_init() function. This returns zero if the ENGINE was not
-already operational and couldn't be successfully initialised (eg. lack of
+already operational and couldn't be successfully initialised (e.g. lack of
system drivers, no special hardware attached, etc), otherwise it will
-return non-zero to indicate that the ENGINE is now operational and will
+return nonzero to indicate that the ENGINE is now operational and will
have allocated a new B<functional> reference to the ENGINE. All functional
references are released by calling ENGINE_finish() (which removes the
implicit structural reference as well).
The second way to get a functional reference is by asking OpenSSL for a
-default implementation for a given task, eg. by ENGINE_get_default_RSA(),
+default implementation for a given task, e.g. by ENGINE_get_default_RSA(),
ENGINE_get_default_cipher_engine(), etc. These are discussed in the next
section, though they are not usually required by application programmers as
they are used automatically when creating and using the relevant
"algorithm" so all implementations implicitly register using the same 'nid'
index.
-When a default ENGINE is requested for a given abstraction/algorithm/mode, (eg.
+When a default ENGINE is requested for a given abstraction/algorithm/mode, (e.g.
when calling RSA_new_method(NULL)), a "get_default" call will be made to the
ENGINE subsystem to process the corresponding state table and return a
functional reference to an initialised ENGINE whose implementation should be
will want to allow the user to specify exactly which ENGINE they want used
if any is to be used at all. Others may prefer to load all support and have
OpenSSL automatically use at run-time any ENGINE that is able to
-successfully initialise - ie. to assume that this corresponds to
+successfully initialise - i.e. to assume that this corresponds to
acceleration hardware attached to the machine or some such thing. There are
probably numerous other ways in which applications may prefer to handle
things, so we will simply illustrate the consequences as they apply to a
driver or config files it needs to load, required network addresses,
smart-card identifiers, passwords to initialise protected devices,
logging information, etc etc. This class of commands typically needs to be
-passed to an ENGINE B<before> attempting to initialise it, ie. before
+passed to an ENGINE B<before> attempting to initialise it, i.e. before
calling ENGINE_init(). The other class of commands consist of settings or
operations that tweak certain behaviour or cause certain operations to take
place, and these commands may work either before or after ENGINE_init(), or
}
Note that ENGINE_ctrl_cmd_string() accepts a boolean argument that can
-relax the semantics of the function - if set non-zero it will only return
+relax the semantics of the function - if set nonzero it will only return
failure if the ENGINE supported the given command name but failed while
executing it, if the ENGINE doesn't support the command name it will simply
return success without doing anything. In this case we assume the user is
and input parameters of the control commands supported by an ENGINE using a
structural reference. Note that some control commands are defined by OpenSSL
itself and it will intercept and handle these control commands on behalf of the
-ENGINE, ie. the ENGINE's ctrl() handler is not used for the control command.
+ENGINE, i.e. the ENGINE's ctrl() handler is not used for the control command.
openssl/engine.h defines an index, ENGINE_CMD_BASE, that all control commands
implemented by ENGINEs should be numbered from. Any command value lower than
this symbol is considered a "generic" command is handled directly by the
operations via ENGINE_ctrl(), including passing to and/or from the control
commands data of any arbitrary type. These commands are supported in the
discovery mechanisms simply to allow applications to determine if an ENGINE
-supports certain specific commands it might want to use (eg. application "foo"
+supports certain specific commands it might want to use (e.g. application "foo"
might query various ENGINEs to see if they implement "FOO_GET_VENDOR_LOGO_GIF" -
and ENGINE could therefore decide whether or not to support this "foo"-specific
extension).
=head1 COPYRIGHT
-Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
ERR_get_error_line(), ERR_peek_error_line() and
ERR_peek_last_error_line() are the same as the above, but they
-additionally store the file name and line number where
+additionally store the filename and line number where
the error occurred in *B<file> and *B<line>, unless these are B<NULL>.
ERR_get_error_line_data(), ERR_peek_error_line_data() and
=head1 COPYRIGHT
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
The error strings will have the following format:
- [pid]:error:[error code]:[library name]:[function name]:[reason string]:[file name]:[line]:[optional text message]
+ [pid]:error:[error code]:[library name]:[function name]:[reason string]:[filename]:[line]:[optional text message]
I<error code> is an 8 digit hexadecimal number. I<library name>,
I<function name> and I<reason string> are ASCII text, as is I<optional
=head1 COPYRIGHT
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_SSL_HANDSHAKE_FAILURE);
-Function and reason codes should consist of upper case characters,
+Function and reason codes should consist of uppercase characters,
numbers and underscores only. The error file generation script translates
function codes into function names by looking in the header files
for an appropriate function name, if none is found it just uses
the capitalized form such as "SSL3_READ_BYTES" in the above example.
The trailing section of a reason code (after the "_R_") is translated
-into lower case and underscores changed to spaces.
+into lowercase and underscores changed to spaces.
Although a library will normally report errors using its own specific
XXXerr macro, another library's macro can be used. This is normally
=head1 COPYRIGHT
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
-The EVP digest routines are a high level interface to message digests,
+The EVP digest routines are a high-level interface to message digests,
and should be used instead of the cipher-specific functions.
=over 4
=head1 NOTES
The B<EVP> interface to message digests should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
+preference to the low-level interfaces. This is because the code then becomes
transparent to the digest used and much more flexible.
New applications should use the SHA-2 (such as L<EVP_sha256(3)>) or the SHA-3
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
-The EVP signature routines are a high level interface to digital signatures.
+The EVP signature routines are a high-level interface to digital signatures.
EVP_DigestSignInit() sets up signing context B<ctx> to use digest B<type> from
ENGINE B<e> and private key B<pkey>. B<ctx> must be created with
=head1 NOTES
The B<EVP> interface to digital signatures should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
+preference to the low-level interfaces. This is because the code then becomes
transparent to the algorithm used and much more flexible.
EVP_DigestSign() is a one shot operation which signs a single block of data
=head1 DESCRIPTION
-The EVP signature routines are a high level interface to digital signatures.
+The EVP signature routines are a high-level interface to digital signatures.
EVP_DigestVerifyInit() sets up verification context B<ctx> to use digest
B<type> from ENGINE B<e> and public key B<pkey>. B<ctx> must be created
=head1 NOTES
The B<EVP> interface to digital signatures should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
+preference to the low-level interfaces. This is because the code then becomes
transparent to the algorithm used and much more flexible.
EVP_DigestVerify() is a one shot operation which verifies a single block of
=head1 COPYRIGHT
-Copyright 2006-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
-The EVP encode routines provide a high level interface to base 64 encoding and
+The EVP encode routines provide a high-level interface to base 64 encoding and
decoding. Base 64 encoding converts binary data into a printable form that uses
the characters A-Z, a-z, 0-9, "+" and "/" to represent the data. For every 3
bytes of binary data provided 4 bytes of base 64 encoded data will be produced
be encoded or decoded that are pending in the B<ctx> object.
EVP_EncodeBlock() encodes a full block of input data in B<f> and of length
-B<dlen> and stores it in B<t>. For every 3 bytes of input provided 4 bytes of
-output data will be produced. If B<dlen> is not divisible by 3 then the block is
+B<n> and stores it in B<t>. For every 3 bytes of input provided 4 bytes of
+output data will be produced. If B<n> is not divisible by 3 then the block is
encoded as a final block of data and the output is padded such that it is always
divisible by 4. Additionally a NUL terminator character will be added. For
example if 16 bytes of input data is provided then 24 bytes of encoded data is
=head1 COPYRIGHT
-Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
-The EVP cipher routines are a high level interface to certain
+The EVP cipher routines are a high-level interface to certain
symmetric ciphers.
EVP_CIPHER_CTX_new() creates a cipher context.
EVP_EncryptUpdate() encrypts B<inl> bytes from the buffer B<in> and
writes the encrypted version to B<out>. This function can be called
multiple times to encrypt successive blocks of data. The amount
-of data written depends on the block alignment of the encrypted data:
-as a result the amount of data written may be anything from zero bytes
-to (inl + cipher_block_size - 1) so B<out> should contain sufficient
-room. The actual number of bytes written is placed in B<outl>. It also
+of data written depends on the block alignment of the encrypted data.
+For most ciphers and modes, the amount of data written can be anything
+from zero bytes to (inl + cipher_block_size - 1) bytes.
+For wrap cipher modes, the amount of data written can be anything
+from zero bytes to (inl + cipher_block_size) bytes.
+For stream ciphers, the amount of data written can be anything from zero
+bytes to inl bytes.
+Thus, B<out> should contain sufficient room for the operation being performed.
+The actual number of bytes written is placed in B<outl>. It also
checks if B<in> and B<out> are partially overlapping, and if they are
0 is returned to indicate failure.
=item EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, ivlen, NULL)
-Sets the CCM nonce (IV) length. This call can only be made before specifying an
-nonce value. The nonce length is given by B<15 - L> so it is 7 by default for
+Sets the CCM nonce (IV) length. This call can only be made before specifying
+a nonce value. The nonce length is given by B<15 - L> so it is 7 by default for
AES.
=back
=head1 NOTES
Where possible the B<EVP> interface to symmetric ciphers should be used in
-preference to the low level interfaces. This is because the code then becomes
+preference to the low-level interfaces. This is because the code then becomes
transparent to the cipher used and much more flexible. Additionally, the
B<EVP> interface will ensure the use of platform specific cryptographic
-acceleration such as AES-NI (the low level interfaces do not provide the
+acceleration such as AES-NI (the low-level interfaces do not provide the
guarantee).
PKCS padding works by adding B<n> padding bytes of value B<n> to make the total
/* Don't set key or IV right away; we want to check lengths */
ctx = EVP_CIPHER_CTX_new();
- EVP_CipherInit_ex(&ctx, EVP_aes_128_cbc(), NULL, NULL, NULL,
+ EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, NULL, NULL,
do_encrypt);
OPENSSL_assert(EVP_CIPHER_CTX_key_length(ctx) == 16);
OPENSSL_assert(EVP_CIPHER_CTX_iv_length(ctx) == 16);
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
-The EVP envelope routines are a high level interface to envelope
+The EVP envelope routines are a high-level interface to envelope
decryption. They decrypt a public key encrypted symmetric key and
then decrypt data using it.
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
The default is 0.
The EVP_PKEY_CTX_set_dh_pad() macro sets the DH padding mode. If B<pad> is
-1 the shared secret is padded with zeroes up to the size of the DH prime B<p>.
+1 the shared secret is padded with zeros up to the size of the DH prime B<p>.
If B<pad> is zero (the default) then no padding is performed.
EVP_PKEY_CTX_set_dh_nid() sets the DH parameters to values corresponding to
=head1 COPYRIGHT
-Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 NOTES
The B<EVP_PKEY_CTX> structure is an opaque public key algorithm context used
-by the OpenSSL high level public key API. Contexts B<MUST NOT> be shared between
+by the OpenSSL high-level public key API. Contexts B<MUST NOT> be shared between
threads: that is it is not permissible to use the same context simultaneously
in two threads.
=head1 COPYRIGHT
-Copyright 2006-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
The function EVP_PKEY_CTX_get_keygen_info() returns parameters associated
with the generation operation. If B<idx> is -1 the total number of
parameters available is returned. Any non negative value returns the value of
-that parameter. EVP_PKEY_CTX_gen_keygen_info() with a non-negative value for
+that parameter. EVP_PKEY_CTX_gen_keygen_info() with a nonnegative value for
B<idx> should only be called within the generation callback.
If the callback returns 0 then the key generation operation is aborted and an
=head1 COPYRIGHT
-Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
EVP_PKEY_new_CMAC_key() works in the same way as EVP_PKEY_new_raw_private_key()
except it is only for the B<EVP_PKEY_CMAC> algorithm type. In addition to the
raw private key data, it also takes a cipher algorithm to be used during
-creation of a CMAC in the B<cipher> argument.
+creation of a CMAC in the B<cipher> argument. The cipher should be a standard
+encryption only cipher. For example AEAD and XTS ciphers should not be used.
EVP_PKEY_new_mac_key() works in the same way as EVP_PKEY_new_raw_private_key().
New applications should use EVP_PKEY_new_raw_private_key() instead.
=head1 DESCRIPTION
-The EVP envelope routines are a high level interface to envelope
+The EVP envelope routines are a high-level interface to envelope
encryption. They generate a random key and IV (if required) then
"envelope" it by using public key encryption. Data can then be
encrypted using this key.
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
-The EVP signature routines are a high level interface to digital
+The EVP signature routines are a high-level interface to digital
signatures.
EVP_SignInit_ex() sets up signing context I<ctx> to use digest
=head1 NOTES
The B<EVP> interface to digital signatures should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
+preference to the low-level interfaces. This is because the code then becomes
transparent to the algorithm used and much more flexible.
When signing with DSA private keys the random number generator must be seeded.
=head1 DESCRIPTION
-The EVP signature verification routines are a high level interface to digital
+The EVP signature verification routines are a high-level interface to digital
signatures.
EVP_VerifyInit_ex() sets up verification context B<ctx> to use digest
=head1 NOTES
The B<EVP> interface to digital signatures should almost always be used in
-preference to the low level interfaces. This is because the code then becomes
+preference to the low-level interfaces. This is because the code then becomes
transparent to the algorithm used and much more flexible.
The call to EVP_VerifyFinal() internally finalizes a copy of the digest context.
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
#include <openssl/hmac.h>
unsigned char *HMAC(const EVP_MD *evp_md, const void *key,
- int key_len, const unsigned char *d, int n,
+ int key_len, const unsigned char *d, size_t n,
unsigned char *md, unsigned int *md_len);
HMAC_CTX *HMAC_CTX_new(void);
int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int key_len,
const EVP_MD *md, ENGINE *impl);
- int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, int len);
+ int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len);
int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
void HMAC_CTX_free(HMAC_CTX *ctx);
HMAC_CTX_new() creates a new HMAC_CTX in heap memory.
-HMAC_CTX_reset() zeroes an existing B<HMAC_CTX> and associated
+HMAC_CTX_reset() zeros an existing B<HMAC_CTX> and associated
resources, making it suitable for new computations as if it was newly
created with HMAC_CTX_new().
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
OCSP_cert_to_id() and OCSP_cert_id_new() return either a pointer to a valid
B<OCSP_CERTID> structure or B<NULL> if an error occurred.
-OCSP_id_cmp() and OCSP_id_issuer_cmp() returns zero for a match and non-zero
+OCSP_id_cmp() and OCSP_id_issuer_cmp() returns zero for a match and nonzero
otherwise.
OCSP_CERTID_free() does not return a value.
=head1 COPYRIGHT
-Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
The return values of OCSP_check_nonce() can be checked to cover each case. A
positive return value effectively indicates success: nonces are both present
-and match, both absent or present in the response only. A non-zero return
+and match, both absent or present in the response only. A nonzero return
additionally covers the case where the nonce is present in the request only:
this will happen if the responder doesn't support nonces. A zero return value
indicates present and mismatched nonces: this should be treated as an error
OCSP_check_validity() checks the validity of B<thisupd> and B<nextupd> values
which will be typically obtained from OCSP_resp_find_status() or
-OCSP_single_get0_status(). If B<sec> is non-zero it indicates how many seconds
+OCSP_single_get0_status(). If B<sec> is nonzero it indicates how many seconds
leeway should be allowed in the check. If B<maxsec> is positive it indicates
the maximum age of B<thisupd> in seconds.
An OCSP response for a certificate contains B<thisUpdate> and B<nextUpdate>
fields. Normally the current time should be between these two values. To
-account for clock skew the B<maxsec> field can be set to non-zero in
+account for clock skew the B<maxsec> field can be set to nonzero in
OCSP_check_validity(). Some responders do not set the B<nextUpdate> field, this
would otherwise mean an ancient response would be considered valid: the
B<maxsec> parameter to OCSP_check_validity() can be used to limit the permitted
=head1 COPYRIGHT
-Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
default value of 4k is used. The OCSP request B<req> may be set to B<NULL>
and provided later if required.
-OCSP_sendreq_nbio() performs non-blocking I/O on the OCSP request context
+OCSP_sendreq_nbio() performs nonblocking I/O on the OCSP request context
B<rctx>. When the operation is complete it returns the response in B<*presp>.
OCSP_REQ_CTX_free() frees up the OCSP context B<rctx>.
write) should be retried and appropriate action taken (for example a select()
call on the underlying socket).
-OCSP_sendreq_bio() does not support retries and so cannot handle non-blocking
+OCSP_sendreq_bio() does not support retries and so cannot handle nonblocking
I/O efficiently. It is retained for compatibility and its use in new
applications is not recommended.
normally truncated to a power of 2, so make sure that your hash
function returns well mixed low order bits. The B<compare> callback
takes two arguments (pointers to two hash table entries), and returns
-0 if their keys are equal, non-zero otherwise.
+0 if their keys are equal, nonzero otherwise.
If your hash table
will contain items of some particular type and the B<hash> and
As an example, a hash table may be maintained by code that, for
reasons of encapsulation, has only "const" access to the data being
-indexed in the hash table (ie. it is returned as "const" from
+indexed in the hash table (i.e. it is returned as "const" from
elsewhere in their code) - in this case the LHASH prototypes are
appropriate as-is. Conversely, if the caller is responsible for the
life-time of the data in question, then they may well wish to make
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
There are several reasons why calling the OpenSSL configuration routines is
advisable. For example, to load dynamic ENGINEs from shared libraries (DSOs).
-However very few applications currently support the control interface and so
+However, very few applications currently support the control interface and so
very few can load and use dynamic ENGINEs. Equally in future more sophisticated
ENGINEs will require certain control operations to customize them. If an
application calls OPENSSL_config() it doesn't need to know or care about
=head1 COPYRIGHT
-Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=item bit #64+19 denoting availability of ADCX and ADOX instructions;
=item bit #64+21 denoting availability of VPMADD52[LH]UQ instructions,
-a.k.a. AVX512IFMA extension;
+aka AVX512IFMA extension;
=item bit #64+29 denoting availability of SHA extension;
=head1 COPYRIGHT
-Copyright 2004-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
automatically deinitialise as required.
However, there may be situations when explicit initialisation is desirable or
-needed, for example when some non-default initialisation is required. The
+needed, for example when some nondefault initialisation is required. The
function OPENSSL_init_crypto() can be used for this purpose for
libcrypto (see also L<OPENSSL_init_ssl(3)> for the libssl
equivalent).
Numerous internal OpenSSL functions call OPENSSL_init_crypto().
-Therefore, in order to perform non-default initialisation,
+Therefore, in order to perform nondefault initialisation,
OPENSSL_init_crypto() MUST be called by application code prior to
any other OpenSSL function calls.
non-null B<OPENSSL_INIT_SETTINGS> object.
The object can be allocated via B<OPENSSL_init_new()>.
The B<OPENSSL_INIT_set_config_filename()> function can be used to specify a
-non-default filename, which is copied and need not refer to persistent storage.
+nondefault filename, which is copied and need not refer to persistent storage.
Similarly, OPENSSL_INIT_set_config_appname() can be used to specify a
-non-default application name.
-Finally, OPENSSL_INIT_set_file_flags can be used to specify non-default flags.
+nondefault application name.
+Finally, OPENSSL_INIT_set_file_flags can be used to specify nondefault flags.
If the B<CONF_MFLAGS_IGNORE_RETURN_CODES> flag is not included, any errors in
the configuration file will cause an error return from B<OPENSSL_init_crypto>
or indirectly L<OPENSSL_init_ssl(3)>.
=head1 COPYRIGHT
-Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
automatically deinitialise as required.
However, there may be situations when explicit initialisation is desirable or
-needed, for example when some non-default initialisation is required. The
+needed, for example when some nondefault initialisation is required. The
function OPENSSL_init_ssl() can be used for this purpose. Calling
this function will explicitly initialise BOTH libcrypto and libssl. To
explicitly initialise ONLY libcrypto see the
L<OPENSSL_init_crypto(3)> function.
Numerous internal OpenSSL functions call OPENSSL_init_ssl().
-Therefore, in order to perform non-default initialisation,
+Therefore, in order to perform nondefault initialisation,
OPENSSL_init_ssl() MUST be called by application code prior to
any other OpenSSL function calls.
=head1 COPYRIGHT
-Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head2 Functions
-OSSL_STORE_open() takes a uri or path B<uri>, password UI method
-B<ui_method> with associated data B<ui_data>, and post processing
-callback B<post_process> with associated data B<post_process_data>,
+OSSL_STORE_open() takes a uri or path I<uri>, password UI method
+I<ui_method> with associated data I<ui_data>, and post processing
+callback I<post_process> with associated data I<post_process_data>,
opens a channel to the data located at that URI and returns a
B<OSSL_STORE_CTX> with all necessary internal information.
-The given B<ui_method> and B<ui_data_data> will be reused by all
-functions that use B<OSSL_STORE_CTX> when interaction is needed.
-The given B<post_process> and B<post_process_data> will be reused by
+The given I<ui_method> and I<ui_data> will be reused by all
+functions that use B<OSSL_STORE_CTX> when interaction is needed,
+for instance to provide a password.
+The given I<post_process> and I<post_process_data> will be reused by
OSSL_STORE_load() to manipulate or drop the value to be returned.
-The B<post_process> function drops values by returning B<NULL>, which
+The I<post_process> function drops values by returning NULL, which
will cause OSSL_STORE_load() to start its process over with loading
-the next object, until B<post_process> returns something other than
-B<NULL>, or the end of data is reached as indicated by OSSL_STORE_eof().
+the next object, until I<post_process> returns something other than
+NULL, or the end of data is reached as indicated by OSSL_STORE_eof().
-OSSL_STORE_ctrl() takes a B<OSSL_STORE_CTX>, and command number B<cmd> and
+OSSL_STORE_ctrl() takes a B<OSSL_STORE_CTX>, and command number I<cmd> and
more arguments not specified here.
The available loader specific command numbers and arguments they each
take depends on the loader that's used and is documented together with
OSSL_STORE_close() takes a B<OSSL_STORE_CTX>, closes the channel that was opened
by OSSL_STORE_open() and frees all other information that was stored in the
B<OSSL_STORE_CTX>, as well as the B<OSSL_STORE_CTX> itself.
+If I<ctx> is NULL it does nothing.
=head1 SUPPORTED SCHEMES
=head1 RETURN VALUES
OSSL_STORE_open() returns a pointer to a B<OSSL_STORE_CTX> on success, or
-B<NULL> on failure.
+NULL on failure.
OSSL_STORE_load() returns a pointer to a B<OSSL_STORE_INFO> on success, or
-B<NULL> on error or when end of data is reached.
+NULL on error or when end of data is reached.
Use OSSL_STORE_error() and OSSL_STORE_eof() to determine the meaning of a
-returned B<NULL>.
+returned NULL.
OSSL_STORE_eof() returns 1 if the end of data has been reached, otherwise
0.
OSSL_STORE_ctrl(), OSSL_STORE_load(), OSSL_STORE_eof() and OSSL_STORE_close()
were added in OpenSSL 1.1.1.
+Handling of NULL I<ctx> argument for OSSL_STORE_close()
+was introduced in OpenSSL 1.1.1h.
+
=head1 COPYRIGHT
-Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
structure.
The B<RSA_PUBKEY> functions also process an RSA public key using
-an RSA structure. However the public key is encoded using a
+an RSA structure. However, the public key is encoded using a
SubjectPublicKeyInfo structure and an error occurs if the public
key is not RSA.
=head1 BUGS
The PEM read routines in some versions of OpenSSL will not correctly reuse
-an existing structure. Therefore the following:
+an existing structure. Therefore, the following:
PEM_read_bio_X509(bp, &x, 0, NULL);
=head1 COPYRIGHT
-Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
is not considered important.
Chain verification should arguably be performed using the signing time rather
-than the current time. However since the signing time is supplied by the
+than the current time. However, since the signing time is supplied by the
signer it cannot be trusted without additional evidence (such as a trusted
timestamp).
=head1 COPYRIGHT
-Copyright 2002-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
The optional B<flags> argument specifies a set of bit flags which can be
joined using the | operator. Currently, the only flag is
-RAND_DRBG_FLAG_CTR_NO_DF, which disables the use of a the derivation function
+RAND_DRBG_FLAG_CTR_NO_DF, which disables the use of the derivation function
ctr_df. For an explanation, see [NIST SP 800-90A Rev. 1].
If a B<parent> instance is specified then this will be used instead of
=head1 COPYRIGHT
-Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
it must also indicate an error by returning a buffer length of 0.
See NOTES section for more details.
-The B<cleanup_entropy>() callback is called from the B<drbg> to to clear and
+The B<cleanup_entropy>() callback is called from the B<drbg> to clear and
free the buffer allocated previously by get_entropy().
The values B<out> and B<outlen> are the random buffer's address and length,
as returned by the get_entropy() callback.
=head1 COPYRIGHT
-Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
descriptors by default, which allows such sources to operate in a
chroot(2) jail without the associated device nodes being available. When
the B<keep> argument is zero, this call disables the retention of file
-descriptors. Conversely, a non-zero argument enables the retention of
+descriptors. Conversely, a nonzero argument enables the retention of
file descriptors. This function is usually called during initialization
and it takes effect immediately.
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
RAND_load_file() reads a number of bytes from file B<filename> and
-adds them to the PRNG. If B<max_bytes> is non-negative,
+adds them to the PRNG. If B<max_bytes> is nonnegative,
up to B<max_bytes> are read;
if B<max_bytes> is -1, the complete file is read.
Do not load the same file multiple times unless its contents have
filename.
On all systems, if the environment variable B<RANDFILE> is set, its
-value will be used as the seed file name.
+value will be used as the seed filename.
Otherwise, the file is called C<.rnd>, found in platform dependent locations:
=over 4
=back
If C<$HOME> (on non-Windows and non-VMS system) is not set either, or
-B<num> is too small for the path name, an error occurs.
+B<num> is too small for the pathname, an error occurs.
=head1 RETURN VALUES
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
must be used to protect the RSA operation from that attack.
RSA_blinding_on() turns blinding on for key B<rsa> and generates a
-random blinding factor. B<ctx> is B<NULL> or a pre-allocated and
+random blinding factor. B<ctx> is B<NULL> or a preallocated and
initialized B<BN_CTX>.
RSA_blinding_off() turns blinding off and frees the memory used for
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 NAME
-RSA_private_encrypt, RSA_public_decrypt - low level signature operations
+RSA_private_encrypt, RSA_public_decrypt - low-level signature operations
=head1 SYNOPSIS
=head1 DESCRIPTION
-These functions handle RSA signatures at a low level.
+These functions handle RSA signatures at a low-level.
RSA_private_encrypt() signs the B<flen> bytes at B<from> (usually a
message digest with an algorithm identifier) using the private key
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
B<rsa>. This will replace the RSA_METHOD used by the RSA key and if the
previous method was supplied by an ENGINE, the handle to that ENGINE will
be released during the change. It is possible to have RSA keys that only
-work with certain RSA_METHOD implementations (eg. from an ENGINE module
+work with certain RSA_METHOD implementations (e.g. from an ENGINE module
that supports embedded hardware-protected keys), and in such cases
attempting to change the RSA_METHOD for the key can have unexpected
results.
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
SHA224(), SHA256(), SHA384() and SHA512() functions are not thread safe if
B<md> is NULL.
-The predecessor of SHA-1, SHA, is also implemented, but it should be
-used only when backward compatibility is required.
-
=head1 RETURN VALUES
SHA1(), SHA224(), SHA256(), SHA384() and SHA512() return a pointer to the hash
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
The B<value> argument is a colon separated list of groups. The group can be
either the B<NIST> name (e.g. B<P-256>), some other commonly used name where
-applicable (e.g. B<X25519>) or an OpenSSL OID name (e.g B<prime256v1>). Group
+applicable (e.g. B<X25519>) or an OpenSSL OID name (e.g. B<prime256v1>). Group
names are case sensitive. The list should be in order of preference with the
most preferred group first.
The B<value> argument is a curve name or the special value B<auto> which
picks an appropriate curve based on client and server preferences. The curve
can be either the B<NIST> name (e.g. B<P-256>) or an OpenSSL OID name
-(e.g B<prime256v1>). Curve names are case sensitive.
+(e.g. B<prime256v1>). Curve names are case sensitive.
=item B<-cipher>
=item B<-min_protocol>, B<-max_protocol>
Sets the minimum and maximum supported protocol.
-Currently supported protocol values are B<SSLv3>, B<TLSv1>,
-B<TLSv1.1>, B<TLSv1.2>, B<TLSv1.3> for TLS and B<DTLSv1>, B<DTLSv1.2> for DTLS,
-and B<None> for no limit.
-If either bound is not specified then only the other bound applies,
-if specified.
-To restrict the supported protocol versions use these commands rather
-than the deprecated alternative commands below.
+Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>,
+B<TLSv1.2>, B<TLSv1.3> for TLS; B<DTLSv1>, B<DTLSv1.2> for DTLS, and B<None>
+for no limit.
+If either the lower or upper bound is not specified then only the other bound
+applies, if specified.
+If your application supports both TLS and DTLS you can specify any of these
+options twice, once with a bound for TLS and again with an appropriate bound
+for DTLS.
+To restrict the supported protocol versions use these commands rather than the
+deprecated alternative commands below.
=item B<-no_ssl3>, B<-no_tls1>, B<-no_tls1_1>, B<-no_tls1_2>, B<-no_tls1_3>
The B<value> argument is a colon separated list of groups. The group can be
either the B<NIST> name (e.g. B<P-256>), some other commonly used name where
-applicable (e.g. B<X25519>) or an OpenSSL OID name (e.g B<prime256v1>). Group
+applicable (e.g. B<X25519>) or an OpenSSL OID name (e.g. B<prime256v1>). Group
names are case sensitive. The list should be in order of preference with the
most preferred group first.
Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>,
B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>.
-The value B<None> will disable the limit.
+The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds
+apply only to DTLS-based contexts.
+The command can be repeated with one instance setting a TLS bound, and the
+other setting a DTLS bound.
+The value B<None> applies to both types of contexts and disables the limits.
=item B<MaxProtocol>
Currently supported protocol values are B<SSLv3>, B<TLSv1>, B<TLSv1.1>,
B<TLSv1.2>, B<TLSv1.3>, B<DTLSv1> and B<DTLSv1.2>.
-The value B<None> will disable the limit.
+The SSL and TLS bounds apply only to TLS-based contexts, while the DTLS bounds
+apply only to DTLS-based contexts.
+The command can be repeated with one instance setting a TLS bound, and the
+other setting a DTLS bound.
+The value B<None> applies to both types of contexts and disables the limits.
=item B<Protocol>
=item B<SSL_CONF_TYPE_FILE>
-The value is a file name.
+The value is a filename.
=item B<SSL_CONF_TYPE_DIR>
=head1 COPYRIGHT
-Copyright 2012-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
matched the peer certificate chain.
The return value indicates the match depth or failure to match just as with
SSL_get0_dane_authority().
-When the return value is non-negative, the storage pointed to by the B<usage>,
+When the return value is nonnegative, the storage pointed to by the B<usage>,
B<selector>, B<mtype> and B<data> parameters is updated to the corresponding
TLSA record fields.
The B<data> field is in binary wire form, and is therefore not NUL-terminated,
optional DANE verification features.
SSL_CTX_dane_clear_flags() and SSL_dane_clear_flags() can be used to disable
the same features.
-The B<flags> argument is a bitmask of the features to enable or disable.
+The B<flags> argument is a bit mask of the features to enable or disable.
The B<flags> set for an B<SSL_CTX> context are copied to each B<SSL> handle
associated with that context at the time the handle is created.
Subsequent changes in the context's B<flags> have no effect on the B<flags> set
The functions SSL_get0_dane_authority() and SSL_get0_dane_tlsa() return a
negative value when DANE authentication failed or was not enabled, a
-non-negative value indicates the chain depth at which the TLSA record matched a
+nonnegative value indicates the chain depth at which the TLSA record matched a
chain certificate, or the depth of the top-most certificate, when the TLSA
record is a full public key that is its signer.
=head1 COPYRIGHT
-Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 NOTES
The protocol-lists must be in wire-format, which is defined as a vector of
-non-empty, 8-bit length-prefixed, byte strings. The length-prefix byte is not
+nonempty, 8-bit length-prefixed, byte strings. The length-prefix byte is not
included in the length. Each string is limited to 255 bytes. A byte-string
length of 0 is invalid. A truncated byte-string is invalid. The length of the
vector is not in the vector itself, but in a separate variable.
=head1 COPYRIGHT
-Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
/*
* Prefix the session_id with the required prefix. NB: If our
* prefix is too long, clip it - but there will be worse effects
- * anyway, eg. the server could only possibly create 1 session
- * ID (ie. the prefix!) so all future session negotiations will
+ * anyway, e.g. the server could only possibly create 1 session
+ * ID (i.e. the prefix!) so all future session negotiations will
* fail due to conflicts.
*/
memcpy(id, session_id_prefix, strlen(session_id_prefix) < *id_len ?
=head1 COPYRIGHT
-Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
If an alert is handled, SSL_CB_ALERT is set and B<ret> specifies the alert
information.
-B<where> is a bitmask made up of the following bits:
+B<where> is a bit mask made up of the following bits:
=over 4
Callback has been called to indicate exit of a handshake function. This will
happen after the end of a handshake, but may happen at other times too such as
-on error or when IO might otherwise block and non-blocking is being used.
+on error or when IO might otherwise block and nonblocking is being used.
=item SSL_CB_READ
=head1 COPYRIGHT
-Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
chain is set.
The default value for the maximum certificate chain size is 100kB (30kB
-on the 16bit DOS platform). This should be sufficient for usual certificate
+on the 16-bit DOS platform). This should be sufficient for usual certificate
chains (OpenSSL's default maximum chain length is 10, see
L<SSL_CTX_set_verify(3)>, and certificates
without special extensions have a typical size of 1-2kB).
=head1 COPYRIGHT
-Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
-SSL_CTX_set_mode() adds the mode set via bitmask in B<mode> to B<ctx>.
+SSL_CTX_set_mode() adds the mode set via bit mask in B<mode> to B<ctx>.
Options already set before are not cleared.
-SSL_CTX_clear_mode() removes the mode set via bitmask in B<mode> from B<ctx>.
+SSL_CTX_clear_mode() removes the mode set via bit mask in B<mode> from B<ctx>.
-SSL_set_mode() adds the mode set via bitmask in B<mode> to B<ssl>.
+SSL_set_mode() adds the mode set via bit mask in B<mode> to B<ssl>.
Options already set before are not cleared.
-SSL_clear_mode() removes the mode set via bitmask in B<mode> from B<ssl>.
+SSL_clear_mode() removes the mode set via bit mask in B<mode> from B<ssl>.
SSL_CTX_get_mode() returns the mode set for B<ctx>.
Make it possible to retry SSL_write_ex() or SSL_write() with changed buffer
location (the buffer contents must stay the same). This is not the default to
-avoid the misconception that non-blocking SSL_write() behaves like
-non-blocking write().
+avoid the misconception that nonblocking SSL_write() behaves like
+nonblocking write().
=item SSL_MODE_AUTO_RETRY
B<SSL_MODE_AUTO_RETRY> causes it to try to process the next record instead of
returning.
-In a non-blocking environment applications must be prepared to handle
+In a nonblocking environment applications must be prepared to handle
incomplete read/write operations.
-Setting B<SSL_MODE_AUTO_RETRY> for a non-blocking B<BIO> will process
+Setting B<SSL_MODE_AUTO_RETRY> for a nonblocking B<BIO> will process
non-application data records until either no more data is available or
an application data record has been processed.
=head1 RETURN VALUES
-SSL_CTX_set_mode() and SSL_set_mode() return the new mode bitmask
+SSL_CTX_set_mode() and SSL_set_mode() return the new mode bit mask
after adding B<mode>.
-SSL_CTX_get_mode() and SSL_get_mode() return the current bitmask.
+SSL_CTX_get_mode() and SSL_get_mode() return the current bit mask.
=head1 SEE ALSO
=head1 COPYRIGHT
-Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
-SSL_CTX_set_options() adds the options set via bitmask in B<options> to B<ctx>.
+SSL_CTX_set_options() adds the options set via bit mask in B<options> to B<ctx>.
Options already set before are not cleared!
-SSL_set_options() adds the options set via bitmask in B<options> to B<ssl>.
+SSL_set_options() adds the options set via bit mask in B<options> to B<ssl>.
Options already set before are not cleared!
-SSL_CTX_clear_options() clears the options set via bitmask in B<options>
+SSL_CTX_clear_options() clears the options set via bit mask in B<options>
to B<ctx>.
-SSL_clear_options() clears the options set via bitmask in B<options> to B<ssl>.
+SSL_clear_options() clears the options set via bit mask in B<options> to B<ssl>.
SSL_CTX_get_options() returns the options set for B<ctx>.
=head1 NOTES
The behaviour of the SSL library can be changed by setting several options.
-The options are coded as bitmasks and can be combined by a bitwise B<or>
+The options are coded as bit masks and can be combined by a bitwise B<or>
operation (|).
SSL_CTX_set_options() and SSL_set_options() affect the (external)
information needs to be cached locally.
The TLSv1.3 protocol only supports tickets and does not directly support session
-ids. However OpenSSL allows two modes of ticket operation in TLSv1.3: stateful
+ids. However, OpenSSL allows two modes of ticket operation in TLSv1.3: stateful
and stateless. Stateless tickets work the same way as in TLSv1.2 and below.
Stateful tickets mimic the session id behaviour available in TLSv1.2 and below.
The session information is cached on the server and the session id is wrapped up
=head1 RETURN VALUES
-SSL_CTX_set_options() and SSL_set_options() return the new options bitmask
+SSL_CTX_set_options() and SSL_set_options() return the new options bit mask
after adding B<options>.
-SSL_CTX_clear_options() and SSL_clear_options() return the new options bitmask
+SSL_CTX_clear_options() and SSL_clear_options() return the new options bit mask
after clearing B<options>.
-SSL_CTX_get_options() and SSL_get_options() return the current bitmask.
+SSL_CTX_get_options() and SSL_get_options() return the current bit mask.
SSL_get_secure_renegotiation_support() returns 1 is the peer supports
secure renegotiation and 0 if it does not.
=head1 COPYRIGHT
-Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
check to see if a callback has been set via SSL_CTX_set_psk_client_callback() or
SSL_set_psk_client_callback() and use that. In this case the B<hint> value will
always be NULL and the handshake digest will default to SHA-256 for any returned
-PSK.
+PSK. TLSv1.3 early data exchanges are possible in PSK connections only with the
+B<SSL_psk_use_session_cb_func> callback, and are not possible with the
+B<SSL_psk_client_cb_func> callback.
=head1 NOTES
has occurred so that L<SSL_session_reused(3)> will return true.
There are no known security issues with sharing the same PSK between TLSv1.2 (or
-below) and TLSv1.3. However the RFC has this note of caution:
+below) and TLSv1.3. However, the RFC has this note of caution:
"While there is no known way in which the same PSK might produce related output
in both versions, only limited analysis has been done. Implementations can
=head1 COPYRIGHT
-Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
SSL_CTX_set_read_ahead() and SSL_set_read_ahead() set whether we should read as
-many input bytes as possible (for non-blocking reads) or not. For example if
+many input bytes as possible (for nonblocking reads) or not. For example if
B<x> bytes are currently required by OpenSSL, but B<y> bytes are available from
the underlying BIO (where B<y> > B<x>), then OpenSSL will read all B<y> bytes
into its buffer (providing that the buffer is large enough) if reading ahead is
=head1 COPYRIGHT
-Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 NOTES
-B<WARNING> at this time setting the security level higher than 1 for
-general internet use is likely to cause B<considerable> interoperability
-issues and is not recommended. This is because the B<SHA1> algorithm
-is very widely used in certificates and will be rejected at levels
-higher than 1 because it only offers 80 bits of security.
-
The default security level can be configured when OpenSSL is compiled by
setting B<-DOPENSSL_TLS_SECURITY_LEVEL=level>. If not set then 1 is used.
=head1 COPYRIGHT
-Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
prevent sessions being stored in the internal cache (though the application can
add them manually using L<SSL_CTX_add_session(3)>). Note:
in any SSL/TLS servers where external caching is configured, any successful
-session lookups in the external cache (ie. for session-resume requests) would
+session lookups in the external cache (i.e. for session-resume requests) would
normally be copied into the local cache before processing continues - this flag
prevents these additions to the internal cache as well.
=head1 COPYRIGHT
-Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Sessions are generated within a certain context. When exporting/importing
sessions with B<i2d_SSL_SESSION>/B<d2i_SSL_SESSION> it would be possible,
to re-import a session generated from another context (e.g. another
-application), which might lead to malfunctions. Therefore each application
+application), which might lead to malfunctions. Therefore, each application
must set its own session id context B<sid_ctx> which is used to distinguish
the contexts and is stored in exported sessions. The B<sid_ctx> can be
any kind of binary data with a given length, it is therefore possible
=head1 COPYRIGHT
-Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
The handshake should be aborted, either because of an error or because of some
policy. Note that in TLSv1.3 a client may send more than one ticket in a single
-handshake. Therefore just because one ticket is unacceptable it does not mean
+handshake. Therefore, just because one ticket is unacceptable it does not mean
that all of them are. For this reason this option should be used with caution.
=item SSL_TICKET_RETURN_IGNORE
=head1 HISTORY
-The SSL_CTX_set_session_ticket_cb(), SSSL_SESSION_set1_ticket_appdata()
+The SSL_CTX_set_session_ticket_cb(), SSL_SESSION_set1_ticket_appdata()
and SSL_SESSION_get_ticket_appdata() functions were added in OpenSSL 1.1.1.
=head1 COPYRIGHT
-Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
In order to benefit from the pipelining capability. You need to have an engine
that provides ciphers that support this. The OpenSSL "dasync" engine provides
-AES128-SHA based ciphers that have this capability. However these are for
+AES128-SHA based ciphers that have this capability. However, these are for
development and test purposes only.
SSL_CTX_set_max_send_fragment() and SSL_set_max_send_fragment() set the
=head1 COPYRIGHT
-Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=item SSL_TLSEXT_ERR_ALERT_WARNING
If this value is returned then the servername is not accepted by the server.
-However the handshake will continue and send a warning alert instead. The value
+However, the handshake will continue and send a warning alert instead. The value
of the alert should be stored in the location pointed to by the B<al> parameter
as for SSL_TLSEXT_ERR_ALERT_FATAL above. Note that TLSv1.3 does not support
warning alerts, so if TLSv1.3 has been negotiated then this return value is
=item On the client, during or after the handshake and a TLSv1.2 (or below)
resumption occurred
-If the session from the orignal handshake had a servername accepted by the
+If the session from the original handshake had a servername accepted by the
server then it will return that servername.
Otherwise it returns the servername set via SSL_set_tlsext_host_name() or NULL
Prior to 1.1.1e, when the client requested a servername in an initial TLSv1.2
handshake, the server accepted it, and then the client successfully resumed but
-set a different explict servername in the second handshake then when called by
+set a different explicit servername in the second handshake then when called by
the client it returned the servername from the second handshake. This has now
been changed to return the servername requested in the original handshake.
Also prior to 1.1.1e, if the client sent a servername in the first handshake but
-the server did not accept it, and then a second handshake occured where TLSv1.2
+the server did not accept it, and then a second handshake occurred where TLSv1.2
resumption was successful then when called by the server it returned the
servername requested in the original handshake. This has now been changed to
NULL.
unsigned char *iv, EVP_CIPHER_CTX *ctx,
HMAC_CTX *hctx, int enc)
{
+ your_type_t *key; /* something that you need to implement */
+
if (enc) { /* create new session */
if (RAND_bytes(iv, EVP_MAX_IV_LENGTH) <= 0)
return -1; /* insufficient random */
}
memcpy(key_name, key->name, 16);
- EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv);
- HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL);
+ EVP_EncryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key->aes_key, iv);
+ HMAC_Init_ex(&hctx, key->hmac_key, 32, EVP_sha256(), NULL);
return 1;
} else { /* retrieve session */
- key = findkey(name);
+ time_t t = time(NULL);
+ key = findkey(key_name); /* something that you need to implement */
- if (key == NULL || key->expire < now())
+ if (key == NULL || key->expire < t)
return 0;
- HMAC_Init_ex(&hctx, key->hmac_key, 16, EVP_sha256(), NULL);
- EVP_DecryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->aes_key, iv);
+ HMAC_Init_ex(&hctx, key->hmac_key, 32, EVP_sha256(), NULL);
+ EVP_DecryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key->aes_key, iv);
- if (key->expire < now() - RENEW_TIME) {
+ if (key->expire < t - RENEW_TIME) { /* RENEW_TIME: implement */
/*
* return 2 - This session will get a new ticket even though the
* current one is still valid.
=head1 COPYRIGHT
-Copyright 2014-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
and it will use that in preference. If no such callback is present then it will
check to see if a callback has been set via SSL_CTX_set_psk_server_callback() or
SSL_set_psk_server_callback() and use that. In this case the handshake digest
-will default to SHA-256 for any returned PSK.
+will default to SHA-256 for any returned PSK. TLSv1.3 early data exchanges are
+possible in PSK connections only with the B<SSL_psk_find_session_cb_func>
+callback, and are not possible with the B<SSL_psk_server_cb_func> callback.
=head1 NOTES
=head1 NOTES
There are no known security issues with sharing the same PSK between TLSv1.2 (or
-below) and TLSv1.3. However the RFC has this note of caution:
+below) and TLSv1.3. However, the RFC has this note of caution:
"While there is no known way in which the same PSK might produce related output
in both versions, only limited analysis has been done. Implementations can
=head1 COPYRIGHT
-Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
If the underlying BIO is B<blocking>, SSL_accept() will only return once the
handshake has been finished or an error occurred.
-If the underlying BIO is B<non-blocking>, SSL_accept() will also return
+If the underlying BIO is B<nonblocking>, SSL_accept() will also return
when the underlying BIO could not satisfy the needs of SSL_accept()
to continue the handshake, indicating the problem by the return value -1.
In this case a call to SSL_get_error() with the
return value of SSL_accept() will yield B<SSL_ERROR_WANT_READ> or
B<SSL_ERROR_WANT_WRITE>. The calling process then must repeat the call after
taking appropriate action to satisfy the needs of SSL_accept().
-The action depends on the underlying BIO. When using a non-blocking socket,
+The action depends on the underlying BIO. When using a nonblocking socket,
nothing is to be done, but select() can be used to check for the required
condition. When using a buffering BIO, like a BIO pair, data must be written
into or retrieved out of the BIO before being able to continue.
The TLS/SSL handshake was not successful because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
not clean. It can also occur if action is needed to continue the operation
-for non-blocking BIOs. Call SSL_get_error() with the return value B<ret>
+for nonblocking BIOs. Call SSL_get_error() with the return value B<ret>
to find out the reason.
=back
After freeing the buffers, the buffers are automatically reallocated upon a
new read or write. The SSL_alloc_buffers() does not need to be called, but
-can be used to make sure the buffers are pre-allocated. This can be used to
+can be used to make sure the buffers are preallocated. This can be used to
avoid allocation during data processing or with CRYPTO_set_mem_functions()
to control where and how buffers are allocated.
=head1 COPYRIGHT
-Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
If the underlying BIO is B<blocking>, SSL_connect() will only return once the
handshake has been finished or an error occurred.
-If the underlying BIO is B<non-blocking>, SSL_connect() will also return
+If the underlying BIO is B<nonblocking>, SSL_connect() will also return
when the underlying BIO could not satisfy the needs of SSL_connect()
to continue the handshake, indicating the problem by the return value -1.
In this case a call to SSL_get_error() with the
return value of SSL_connect() will yield B<SSL_ERROR_WANT_READ> or
B<SSL_ERROR_WANT_WRITE>. The calling process then must repeat the call after
taking appropriate action to satisfy the needs of SSL_connect().
-The action depends on the underlying BIO. When using a non-blocking socket,
+The action depends on the underlying BIO. When using a nonblocking socket,
nothing is to be done, but select() can be used to check for the required
condition. When using a buffering BIO, like a BIO pair, data must be written
into or retrieved out of the BIO before being able to continue.
The TLS/SSL handshake was not successful, because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
not clean. It can also occur if action is needed to continue the operation
-for non-blocking BIOs. Call SSL_get_error() with the return value B<ret>
+for nonblocking BIOs. Call SSL_get_error() with the return value B<ret>
to find out the reason.
=back
If the underlying BIO is B<blocking>, SSL_do_handshake() will only return
once the handshake has been finished or an error occurred.
-If the underlying BIO is B<non-blocking>, SSL_do_handshake() will also return
+If the underlying BIO is B<nonblocking>, SSL_do_handshake() will also return
when the underlying BIO could not satisfy the needs of SSL_do_handshake()
to continue the handshake. In this case a call to SSL_get_error() with the
return value of SSL_do_handshake() will yield B<SSL_ERROR_WANT_READ> or
B<SSL_ERROR_WANT_WRITE>. The calling process then must repeat the call after
taking appropriate action to satisfy the needs of SSL_do_handshake().
-The action depends on the underlying BIO. When using a non-blocking socket,
+The action depends on the underlying BIO. When using a nonblocking socket,
nothing is to be done, but select() can be used to check for the required
condition. When using a buffering BIO, like a BIO pair, data must be written
into or retrieved out of the BIO before being able to continue.
The TLS/SSL handshake was not successful because a fatal error occurred either
at the protocol level or a connection failure occurred. The shutdown was
not clean. It can also occur if action is needed to continue the operation
-for non-blocking BIOs. Call SSL_get_error() with the return value B<ret>
+for nonblocking BIOs. Call SSL_get_error() with the return value B<ret>
to find out the reason.
=back
from the file descriptor). This function should only be called if the SSL object
is currently waiting for asynchronous work to complete (i.e.
SSL_ERROR_WANT_ASYNC has been received - see L<SSL_get_error(3)>). Typically the
-list will only contain one file descriptor. However if multiple asynchronous
+list will only contain one file descriptor. However, if multiple asynchronous
capable engines are in use then more than one is possible. The number of file
descriptors returned is stored in B<*numfds> and the file descriptors themselves
are in B<*fds>. The B<fds> parameter may be NULL in which case no file
On Windows platforms the openssl/async.h header is dependent on some
of the types customarily made available by including windows.h. The
application developer is likely to require control over when the latter
-is included, commonly as one of the first included headers. Therefore
+is included, commonly as one of the first included headers. Therefore,
it is defined as an application developer's responsibility to include
windows.h prior to async.h.
=head1 COPYRIGHT
-Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
The operation did not complete and can be retried later.
B<SSL_ERROR_WANT_READ> is returned when the last operation was a read
-operation from a non-blocking B<BIO>.
+operation from a nonblocking B<BIO>.
It means that not enough data was available at this time to complete the
operation.
If at a later time the underlying B<BIO> has data available for reading the same
See L<SSL_read(3)> for more information.
B<SSL_ERROR_WANT_WRITE> is returned when the last operation was a write
-to a non-blocking B<BIO> and it was unable to sent all data to the B<BIO>.
-When the B<BIO> is writeable again, the same function can be called again.
+to a nonblocking B<BIO> and it was unable to sent all data to the B<BIO>.
+When the B<BIO> is writable again, the same function can be called again.
Note that the retry may again lead to an B<SSL_ERROR_WANT_READ> or
B<SSL_ERROR_WANT_WRITE> condition.
It is safe to call SSL_read() or SSL_read_ex() when more data is available
even when the call that set this error was an SSL_write() or SSL_write_ex().
-However if the call was an SSL_write() or SSL_write_ex(), it should be called
+However, if the call was an SSL_write() or SSL_write_ex(), it should be called
again to continue sending the application data.
For socket B<BIO>s (e.g. when SSL_set_fd() was used), select() or
SSL_up_ref() increments the reference count for an
existing B<SSL> structure.
-SSL_dup() duplicates an existing B<SSL> structure into a new allocated one. All
-settings are inherited from the original B<SSL> structure. Dynamic data (i.e.
-existing connection details) are not copied, the new B<SSL> is set into an
-initial accept (server) or connect (client) state.
+The function SSL_dup() creates and returns a new B<SSL> structure from the same
+B<SSL_CTX> that was used to create I<s>. It additionally duplicates a subset of
+the settings in I<s> into the new B<SSL> object.
+
+For SSL_dup() to work, the connection MUST be in its initial state and
+MUST NOT have yet started the SSL handshake. For connections that are not in
+their initial state SSL_dup() just increments an internal
+reference count and returns the I<same> handle. It may be possible to
+use L<SSL_clear(3)> to recycle an SSL handle that is not in its initial
+state for re-use, but this is best avoided. Instead, save and restore
+the session, if desired, and construct a fresh handle for each connection.
+
+The subset of settings in I<s> that are duplicated are:
+
+=over 4
+
+=item any session data if configured (including the session_id_context)
+
+=item any tmp_dh settings set via L<SSL_set_tmp_dh(3)>,
+L<SSL_set_tmp_dh_callback(3)>, or L<SSL_set_dh_auto(3)>
+
+=item any configured certificates, private keys or certificate chains
+
+=item any configured signature algorithms, or client signature algorithms
+
+=item any DANE settings
+
+=item any Options set via L<SSL_set_options(3)>
+
+=item any Mode set via L<SSL_set_mode(3)>
+
+=item any minimum or maximum protocol settings set via
+L<SSL_set_min_proto_version(3)> or L<SSL_set_max_proto_version(3)> (Note: Only
+from OpenSSL 1.1.1h and above)
+
+=item any Verify mode, callback or depth set via L<SSL_set_verify(3)> or
+L<SSL_set_verify_depth(3)> or any configured X509 verification parameters
+
+=item any msg callback or info callback set via L<SSL_set_msg_callback(3)> or
+L<SSL_set_info_callback(3)>
+
+=item any default password callback set via L<SSL_set_default_passwd_cb(3)>
+
+=item any session id generation callback set via L<SSL_set_generate_session_id(3)>
+
+=item any configured Cipher List
+
+=item initial accept (server) or connect (client) state
+
+=item the max cert list value set via L<SSL_set_max_cert_list(3)>
+
+=item the read_ahead value set via L<SSL_set_read_ahead(3)>
+
+=item application specific data set via L<SSL_set_ex_data(3)>
+
+=item any CA list or client CA list set via L<SSL_set0_CA_list(3)>,
+SSL_set0_client_CA_list() or similar functions
+
+=item any security level settings or callbacks
+
+=item any configured serverinfo data
+
+=item any configured PSK identity hint
+
+=item any configured custom extensions
+
+=item any client certificate types configured via SSL_set1_client_certificate_types
+
+=back
=head1 RETURN VALUES
=head1 COPYRIGHT
-Copyright 2000-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
DTLS and pipelining (see L<SSL_CTX_set_split_send_fragment(3)>). These
additional bytes will be buffered by OpenSSL but will remain unprocessed until
they are needed. As these bytes are still in an unprocessed state SSL_pending()
-will ignore them. Therefore it is possible for no more bytes to be readable from
+will ignore them. Therefore, it is possible for no more bytes to be readable from
the underlying BIO (because OpenSSL has already read them) and for SSL_pending()
to return 0, even though readable application data bytes are available (because
the data is in unprocessed buffered records).
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
The read functions work based on the SSL/TLS records. The data are received in
records (with a maximum record size of 16kB). Only when a record has been
completely received, can it be processed (decryption and check of integrity).
-Therefore data that was not retrieved at the last read call can still be
+Therefore, data that was not retrieved at the last read call can still be
buffered inside the SSL layer and will be retrieved on the next read
call. If B<num> is higher than the number of bytes buffered then the read
functions will return with the bytes buffered. If no more bytes are in the
Note that if B<SSL_MODE_AUTO_RETRY> is set and only non-application data is
available the call will hang.
-If the underlying BIO is B<non-blocking>, a read function will also return when
+If the underlying BIO is B<nonblocking>, a read function will also return when
the underlying BIO could not satisfy the needs of the function to continue the
operation.
In this case a call to L<SSL_get_error(3)> with the
The calling process then must repeat the call after taking appropriate action
to satisfy the needs of the read function.
The action depends on the underlying BIO.
-When using a non-blocking socket, nothing is to be done, but select() can be
+When using a nonblocking socket, nothing is to be done, but select() can be
used to check for the required condition.
When using a buffering BIO, like a BIO pair, data must be written into or
retrieved out of the BIO before being able to continue.
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
These functions are used to send and receive early data where TLSv1.3 has been
negotiated. Early data can be sent by the client immediately after its initial
ClientHello without having to wait for the server to complete the handshake.
-Early data can only be sent if a session has previously been established with
-the server, and the server is known to support it. Additionally these functions
-can be used to send data from the server to the client when the client has not
-yet completed the authentication stage of the handshake.
+Early data can be sent if a session has previously been established with the
+server or when establishing a new session using an out-of-band PSK, and only
+when the server is known to support it. Additionally these functions can be used
+to send data from the server to the client when the client has not yet completed
+the authentication stage of the handshake.
Early data has weaker security properties than other data sent over an SSL/TLS
connection. In particular the data does not have forward secrecy. There are also
server application will either use both of SSL_read_early_data() and
SSL_CTX_set_max_early_data() (or SSL_set_max_early_data()), or neither of them,
since there is no practical benefit from using only one of them. If the maximum
-early data setting for a server is non-zero then replay protection is
+early data setting for a server is nonzero then replay protection is
automatically enabled (see L</REPLAY PROTECTION> below).
If the server rejects the early data sent by a client then it will skip over
server. If a client sends more data than this then the connection will abort.
The configured value for max_early_data on a server may change over time as
-required. However clients may have tickets containing the previously configured
+required. However, clients may have tickets containing the previously configured
max_early_data value. The recv_max_early_data should always be equal to or
higher than any recently configured max_early_data value in order to avoid
aborted connections. The recv_max_early_data should never be set to less than
When early data is in use the TLS protocol provides no security guarantees that
the same early data was not replayed across multiple connections. As a
mitigation for this issue OpenSSL automatically enables replay protection if the
-server is configured with a non-zero max early data value. With replay
+server is configured with a nonzero max early data value. With replay
protection enabled sessions are forced to be single use only. If a client
attempts to reuse a session ticket more than once, then the second and
subsequent attempts will fall back to a full handshake (and any early data that
the possibility of replay attacks.
The OpenSSL replay protection does not apply to external Pre Shared Keys (PSKs)
-(e.g. see SSL_CTX_set_psk_find_session_callback(3)). Therefore extreme caution
+(e.g. see SSL_CTX_set_psk_find_session_callback(3)). Therefore, extreme caution
should be applied when combining external PSKs with early data.
Some applications may mitigate the replay risks in other ways. For those
=head1 COPYRIGHT
-Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
These functions configure server hostname checks in the SSL client.
SSL_set1_host() sets the expected DNS hostname to B<name> clearing
-any previously specified host name or names. If B<name> is NULL,
+any previously specified hostname or names. If B<name> is NULL,
or the empty string the list of hostnames is cleared, and name
-checks are not performed on the peer certificate. When a non-empty
+checks are not performed on the peer certificate. When a nonempty
B<name> is specified, certificate verification automatically checks
the peer hostname via L<X509_check_host(3)> with B<flags> as specified
via SSL_set_hostflags(). Clients that enable DANE TLSA authentication
=head1 COPYRIGHT
-Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
SSL_set0_rbio() connects the BIO B<rbio> for the read operations of the B<ssl>
object. The SSL engine inherits the behaviour of B<rbio>. If the BIO is
-non-blocking then the B<ssl> object will also have non-blocking behaviour. This
+nonblocking then the B<ssl> object will also have nonblocking behaviour. This
function transfers ownership of B<rbio> to B<ssl>. It will be automatically
freed using L<BIO_free_all(3)> when the B<ssl> is freed. On calling this
function, any existing B<rbio> that was previously set will also be freed via a
SSL_set0_wbio() works in the same as SSL_set0_rbio() except that it connects
the BIO B<wbio> for the write operations of the B<ssl> object. Note that if the
rbio and wbio are the same then SSL_set0_rbio() and SSL_set0_wbio() each take
-ownership of one reference. Therefore it may be necessary to increment the
+ownership of one reference. Therefore, it may be necessary to increment the
number of references available using L<BIO_up_ref(3)> before calling the set0
functions.
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
When performing the operation, a B<socket BIO> is automatically created to
interface between the B<ssl> and B<fd>. The BIO and hence the SSL engine
-inherit the behaviour of B<fd>. If B<fd> is non-blocking, the B<ssl> will
-also have non-blocking behaviour.
+inherit the behaviour of B<fd>. If B<fd> is nonblocking, the B<ssl> will
+also have nonblocking behaviour.
If there was already a BIO connected to B<ssl>, BIO_free() will be called
(for both the reading and writing side, if different).
=head1 COPYRIGHT
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 NOTES
-The shutdown state of an ssl connection is a bitmask of:
+The shutdown state of an ssl connection is a bit mask of:
=over 4
=head1 COPYRIGHT
-Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
If the underlying BIO is B<blocking>, SSL_shutdown() will only return once the
handshake step has been finished or an error occurred.
-If the underlying BIO is B<non-blocking>, SSL_shutdown() will also return
+If the underlying BIO is B<nonblocking>, SSL_shutdown() will also return
when the underlying BIO could not satisfy the needs of SSL_shutdown()
to continue the handshake. In this case a call to SSL_get_error() with the
return value of SSL_shutdown() will yield B<SSL_ERROR_WANT_READ> or
B<SSL_ERROR_WANT_WRITE>. The calling process then must repeat the call after
taking appropriate action to satisfy the needs of SSL_shutdown().
-The action depends on the underlying BIO. When using a non-blocking socket,
+The action depends on the underlying BIO. When using a nonblocking socket,
nothing is to be done, but select() can be used to check for the required
condition. When using a buffering BIO, like a BIO pair, data must be written
into or retrieved out of the BIO before being able to continue.
see L<SSL_CTX_set_quiet_shutdown(3)>.
When "quiet shutdown" is enabled, SSL_shutdown() will always succeed
and return 1.
+Note that this is not standard compliant behaviour.
+It should only be done when the peer has a way to make sure all
+data has been received and doesn't wait for the close_notify alert
+message, otherwise an unexpected EOF will be reported.
+
+There are implementations that do not send the required close_notify alert.
+If there is a need to communicate with such an implementation, and it's clear
+that all data has been received, do not wait for the peer's close_notify alert.
+Waiting for the close_notify alert when the peer just closes the connection will
+result in an error being generated.
=head1 RETURN VALUES
The shutdown is not yet finished: the close_notify was sent but the peer
did not send it back yet.
Call SSL_read() to do a bidirectional shutdown.
-The output of L<SSL_get_error(3)> may be misleading, as an
-erroneous SSL_ERROR_SYSCALL may be flagged even though no error occurred.
+
+Unlike most other function, returning 0 does not indicate an error.
+L<SSL_get_error(3)> should not get called, it may misleadingly
+indicate an error even though no error occurred.
=item Z<>1
The shutdown was not successful.
Call L<SSL_get_error(3)> with the return value B<ret> to find out the reason.
-It can occur if an action is needed to continue the operation for non-blocking
+It can occur if an action is needed to continue the operation for nonblocking
BIOs.
It can also occur when not all data was read using SSL_read().
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
or when a connection has been established. It however can be of significant
interest during the handshake.
-When using non-blocking sockets, the function call performing the handshake
+When using nonblocking sockets, the function call performing the handshake
may return with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE condition,
so that SSL_state_string[_long]() may be called.
-For both blocking or non-blocking sockets, the details state information
+For both blocking or nonblocking sockets, the details state information
can be used within the info_callback function set with the
SSL_set_info_callback() call.
=head1 COPYRIGHT
-Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Unlike L<SSL_get_error(3)>, which also evaluates the
error queue, the results are obtained by examining an internal state flag
only. The information must therefore only be used for normal operation under
-non-blocking I/O. Error conditions are not handled and must be treated
+nonblocking I/O. Error conditions are not handled and must be treated
using L<SSL_get_error(3)>.
The result returned by SSL_want() should always be consistent with
=head1 COPYRIGHT
-Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
If the underlying BIO is B<blocking>, the write functions will only return, once
the write operation has been finished or an error occurred.
-If the underlying BIO is B<non-blocking> the write functions will also return
+If the underlying BIO is B<nonblocking> the write functions will also return
when the underlying BIO could not satisfy the needs of the function to continue
the operation. In this case a call to L<SSL_get_error(3)> with the
return value of the write function will yield B<SSL_ERROR_WANT_READ>
call to a write function can also cause read operations! The calling process
then must repeat the call after taking appropriate action to satisfy the needs
of the write function. The action depends on the underlying BIO. When using a
-non-blocking socket, nothing is to be done, but select() can be used to check
+nonblocking socket, nothing is to be done, but select() can be used to check
for the required condition. When using a buffering BIO, like a BIO pair, data
must be written into or retrieved out of the BIO before being able to continue.
=head1 COPYRIGHT
-Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
prompt, and stores it in B<buf>.
The maximum allowed size is given with B<length>, including the
terminating NUL byte.
-If B<verify> is non-zero, the password will be verified as well.
+If B<verify> is nonzero, the password will be verified as well.
UI_UTIL_read_pw() does the same as UI_UTIL_read_pw_string(), the
difference is that you can give it an external buffer B<buff> for the
=head1 COPYRIGHT
-Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
-A method contains a few functions that implement the low level of the
+A method contains a few functions that implement the low-level of the
User Interface.
These functions are:
=head1 COPYRIGHT
-Copyright 2001-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
a prompt from two pieces of information: an description and a name.
The default constructor (if there is none provided by the method used)
creates a string "Enter I<description> for I<name>:". With the
-description "pass phrase" and the file name "foo.key", that becomes
+description "pass phrase" and the filename "foo.key", that becomes
"Enter pass phrase for foo.key:". Other methods may create whatever
string and may include encodings that will be processed by the other
method functions.
=head1 COPYRIGHT
-Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 NOTES
In almost all cases an extension can occur at most once and multiple
-occurrences is an error. Therefore the B<idx> parameter is usually B<NULL>.
+occurrences is an error. Therefore, the B<idx> parameter is usually B<NULL>.
The B<flags> parameter may be one of the following values.
=head1 COPYRIGHT
-Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 NAME
-X509_ALGOR_dup, X509_ALGOR_set0, X509_ALGOR_get0, X509_ALGOR_set_md, X509_ALGOR_cmp - AlgorithmIdentifier functions
+X509_ALGOR_dup, X509_ALGOR_set0, X509_ALGOR_get0, X509_ALGOR_set_md, X509_ALGOR_cmp, X509_ALGOR_copy - AlgorithmIdentifier functions
=head1 SYNOPSIS
const void **ppval, const X509_ALGOR *alg);
void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
+ int X509_ALGOR_copy(X509_ALGOR *dest, const X509_ALGOR *src);
=head1 DESCRIPTION
values for the message digest B<md>.
X509_ALGOR_cmp() compares B<a> and B<b> and returns 0 if they have identical
-encodings and non-zero otherwise.
+encodings and nonzero otherwise.
+
+X509_ALGOR_copy() copies the source values into the dest structs; making
+a duplicate of each (and free any thing pointed to from within *dest).
=head1 RETURN VALUES
X509_ALGOR_dup() returns a valid B<X509_ALGOR> structure or NULL if an error
occurred.
-X509_ALGOR_set0() returns 1 on success or 0 on error.
+X509_ALGOR_set0() and X509_ALGOR_copy() return 1 on success or 0 on error.
X509_ALGOR_get0() and X509_ALGOR_set_md() return no values.
X509_ALGOR_cmp() returns 0 if the two parameters have identical encodings and
-non-zero otherwise.
+nonzero otherwise.
+
+=head1 HISTORY
+
+The X509_ALGOR_copy() was added in 1.1.1e.
=head1 COPYRIGHT
-Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
the directory.
The directory should contain one certificate or CRL per file in PEM format,
-with a file name of the form I<hash>.I<N> for a certificate, or
+with a filename of the form I<hash>.I<N> for a certificate, or
I<hash>.B<r>I<N> for a CRL.
The I<hash> is the value returned by the L<X509_NAME_hash(3)> function applied
to the subject name for certificates or issuer name for CRLs.
=head1 COPYRIGHT
-Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
using X509_STORE_add_cert() or X509_STORE_add_crl(). This increments
its reference count. However, the X509_STORE_CTX_get_by_subject()
function also increases the reference count which leads to one too
-many references being held. Therefore applications should
+many references being held. Therefore, applications should
additionally call X509_free() or X509_CRL_free() to decrement the
reference count again.
checks.
X509_STORE_CTX_get_error_depth() returns the B<depth> of the error. This is a
-non-negative integer representing where in the certificate chain the error
+nonnegative integer representing where in the certificate chain the error
occurred. If it is zero it occurred in the end entity certificate, one if
it is the certificate which signed the end entity certificate and so on.
X509_STORE_CTX_get_error() returns B<X509_V_OK> or an error code.
-X509_STORE_CTX_get_error_depth() returns a non-negative error depth.
+X509_STORE_CTX_get_error_depth() returns a nonnegative error depth.
X509_STORE_CTX_get_current_cert() returns the certificate which caused the
error or B<NULL> if no certificate is relevant to the error.
=head1 COPYRIGHT
-Copyright 2009-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
X509_STORE_CTX_new() returns a newly initialised B<X509_STORE_CTX> structure.
X509_STORE_CTX_cleanup() internally cleans up an B<X509_STORE_CTX> structure.
-The context can then be reused with an new call to X509_STORE_CTX_init().
+The context can then be reused with a new call to X509_STORE_CTX_init().
X509_STORE_CTX_free() completely frees up B<ctx>. After this call B<ctx>
is no longer valid.
by B<ctx> to be B<chain>.
Ownership of the chain is transferred to B<ctx> and should not be
free'd by the caller.
-X509_STORE_CTX_get0_chain() returns a the internal pointer used by the
+X509_STORE_CTX_get0_chain() returns the internal pointer used by the
B<ctx> that contains the validated chain.
X509_STORE_CTX_set0_crls() sets a set of CRLs to use to aid certificate
=head1 RETURN VALUES
-X509_STORE_CTX_new() returns an newly allocates context or B<NULL> is an
+X509_STORE_CTX_new() returns a newly allocated context or B<NULL> if an
error occurred.
X509_STORE_CTX_init() returns 1 for success or 0 if an error occurred.
=head1 COPYRIGHT
-Copyright 2009-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
verification, either by overriding error conditions or logging errors for
debugging purposes.
-However a verification callback is B<not> essential and the default operation
+However, a verification callback is B<not> essential and the default operation
is often sufficient.
The B<ok> parameter to the callback indicates the value the callback should
=head1 COPYRIGHT
-Copyright 2009-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
function will be used instead.>
X509_STORE_set_check_issued() sets the function to check that a given
-certificate B<x> is issued with the issuer certificate B<issuer>.
+certificate B<x> is issued by the issuer certificate B<issuer>.
This function must return 0 on failure (among others if B<x> hasn't
been issued with B<issuer>) and 1 on success.
I<If no function to get the issuer is provided, the internal default
=head1 COPYRIGHT
-Copyright 2009-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
shorter than 1024 bits.
X509_VERIFY_PARAM_set1_host() sets the expected DNS hostname to
-B<name> clearing any previously specified host name or names. If
+B<name> clearing any previously specified hostname or names. If
B<name> is NULL, or empty the list of hostnames is cleared, and
name checks are not performed on the peer certificate. If B<name>
is NUL-terminated, B<namelen> may be zero, otherwise B<namelen>
If B<X509_V_FLAG_USE_DELTAS> is set delta CRLs (if present) are used to
determine certificate status. If not set deltas are ignored.
-B<X509_V_FLAG_CHECK_SS_SIGNATURE> enables checking of the root CA self signed
-certificate signature. By default this check is disabled because it doesn't
+B<X509_V_FLAG_CHECK_SS_SIGNATURE> requests checking the signature of
+the last certificate in a chain if the certificate is supposedly self-signed.
+This is prohibited and will result in an error if it is a non-conforming CA
+certificate with key usage restrictions not including the keyCertSign bit.
+By default this check is disabled because it doesn't
add any additional security but in some cases applications might want to
-check the signature anyway. A side effect of not checking the root CA
-signature is that disabled or unsupported message digests on the root CA
-are not treated as fatal errors.
+check the signature anyway. A side effect of not checking the self-signature
+of such a certificate is that disabled or unsupported message digests used for
+the signature are not treated as fatal errors.
When B<X509_V_FLAG_TRUSTED_FIRST> is set, construction of the certificate chain
in L<X509_verify_cert(3)> will search the trust store for issuer certificates
=head1 COPYRIGHT
-Copyright 2009-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2009-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
B<basicConstraints>, and 5 if it has outdated Netscape Certificate Type
extension telling that it is CA certificate.
-Actually, any non-zero value means that this certificate could have been
+Actually, any nonzero value means that this certificate could have been
used to sign other certificates.
=head1 SEE ALSO
=head1 COPYRIGHT
-Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 DESCRIPTION
The certificate matching functions are used to check whether a
-certificate matches a given host name, email address, or IP address.
+certificate matches a given hostname, email address, or IP address.
The validity of the certificate and its trust level has to be checked by
other means.
X509_check_host() checks if the certificate Subject Alternative
-Name (SAN) or Subject CommonName (CN) matches the specified host
-name, which must be encoded in the preferred name syntax described
+Name (SAN) or Subject CommonName (CN) matches the specified hostname,
+which must be encoded in the preferred name syntax described
in section 3.5 of RFC 1034. By default, wildcards are supported
and they match only in the left-most label; but they may match
part of that label with an explicit prefix or suffix. For example,
domain names must be given in A-label form. The B<namelen> argument
must be the number of characters in the name string or zero in which
case the length is calculated with strlen(B<name>). When B<name> starts
-with a dot (e.g ".example.com"), it will be matched by a certificate
+with a dot (e.g. ".example.com"), it will be matched by a certificate
valid for any sub-domain of B<name>, (see also
B<X509_CHECK_FLAG_SINGLE_LABEL_SUBDOMAINS> below).
=head1 COPYRIGHT
-Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head1 NAME
-X509_check_issued - checks if certificate is issued by another
+X509_check_issued - checks if certificate is apparently issued by another
certificate
=head1 SYNOPSIS
=head1 DESCRIPTION
-This function checks if certificate I<subject> was issued using CA
-certificate I<issuer>. This function takes into account not only
-matching of issuer field of I<subject> with subject field of I<issuer>,
-but also compares B<authorityKeyIdentifier> extension of I<subject> with
-B<subjectKeyIdentifier> of I<issuer> if B<authorityKeyIdentifier>
-present in the I<subject> certificate and checks B<keyUsage> field of
-I<issuer>.
+X509_check_issued() checks if certificate I<subject> was apparently issued
+using (CA) certificate I<issuer>. This function takes into account not only
+matching of the issuer field of I<subject> with the subject field of I<issuer>,
+but also compares all sub-fields of the B<authorityKeyIdentifier> extension of
+I<subject>, as far as present, with the respective B<subjectKeyIdentifier>,
+serial number, and issuer fields of I<issuer>, as far as present. It also checks
+if the B<keyUsage> field (if present) of I<issuer> allows certificate signing.
+It does not check the certificate signature.
=head1 RETURN VALUES
=head1 COPYRIGHT
-Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=over 4
-=item -1 an error condition has occured
+=item -1 an error condition has occurred
=item E<32>1 if the certificate was created to perform the purpose represented by I<id>
=over 4
-=item -1 an error condition has occured
+=item -1 an error condition has occurred
=item E<32>0 not a CA or does not have the purpose represented by I<id>
=head1 NAME
-X509_get0_signature, X509_get_signature_nid, X509_get0_tbs_sigalg,
-X509_REQ_get0_signature, X509_REQ_get_signature_nid, X509_CRL_get0_signature,
-X509_CRL_get_signature_nid, X509_get_signature_info, X509_SIG_INFO_get,
-X509_SIG_INFO_set - signature information
+X509_get0_signature, X509_REQ_set0_signature, X509_REQ_set1_signature_algo,
+X509_get_signature_nid, X509_get0_tbs_sigalg, X509_REQ_get0_signature,
+X509_REQ_get_signature_nid, X509_CRL_get0_signature, X509_CRL_get_signature_nid,
+X509_get_signature_info, X509_SIG_INFO_get, X509_SIG_INFO_set - signature information
=head1 SYNOPSIS
void X509_get0_signature(const ASN1_BIT_STRING **psig,
const X509_ALGOR **palg,
const X509 *x);
+ void X509_REQ_set0_signature(X509_REQ *req, ASN1_BIT_STRING *psig);
+ int X509_REQ_set1_signature_algo(X509_REQ *req, X509_ALGOR *palg);
int X509_get_signature_nid(const X509 *x);
const X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x);
to the signature algorithm of B<x>. The values returned are internal
pointers which B<MUST NOT> be freed up after the call.
+X509_set0_signature() and X509_REQ_set1_signature_algo() are the
+equivalent setters for the two values of X509_get0_signature().
+
X509_get0_tbs_sigalg() returns the signature algorithm in the signed
portion of B<x>.
returned is valid or 0 if the information is not available (e.g.
unknown algorithms or malformed parameters).
+X509_REQ_set1_signature_algo() returns 0 on success; or 1 on an
+error (e.g. null ALGO pointer). X509_REQ_set0_signature does
+not return an error value.
+
=head1 SEE ALSO
L<d2i_X509(3)>,
X509_CRL_get0_signature() and X509_CRL_get_signature_nid() were
added in OpenSSL 1.1.0.
+The X509_REQ_set0_signature() and X509_REQ_set1_signature_algo()
+were added in OpenSSL 1.1.1e.
+
=head1 COPYRIGHT
-Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
X509v3_get_ext_by_critical() is similar to X509v3_get_ext_by_NID() except it
looks for an extension of criticality B<crit>. A zero value for B<crit>
-looks for a non-critical extension a non-zero value looks for a critical
+looks for a non-critical extension a nonzero value looks for a critical
extension.
X509v3_delete_ext() deletes the extension with index B<loc> from B<x>. The
=head1 COPYRIGHT
-Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
#include <openssl/dh.h>
- DH *d2i_DHparams(DH **a, unsigned char **pp, long length);
+ DH *d2i_DHparams(DH **a, const unsigned char **pp, long length);
int i2d_DHparams(DH *a, unsigned char **pp);
=head1 DESCRIPTION
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=for comment generic
- TYPE *d2i_TYPE(TYPE **a, unsigned char **ppin, long length);
+ TYPE *d2i_TYPE(TYPE **a, const unsigned char **ppin, long length);
TYPE *d2i_TYPE_bio(BIO *bp, TYPE **a);
TYPE *d2i_TYPE_fp(FILE *fp, TYPE **a);
populated B<TYPE> structure -- it B<cannot> simply be fed with an
empty structure such as that returned by TYPE_new().
-The encoded data is in binary form and may contain embedded zeroes.
-Therefore any FILE pointers or BIOs should be opened in binary mode.
+The encoded data is in binary form and may contain embedded zeros.
+Therefore, any FILE pointers or BIOs should be opened in binary mode.
Functions such as strlen() will B<not> return the correct length
of the encoded structure.
Attempt to decode a buffer:
X509 *x;
- unsigned char *buf, *p;
+ unsigned char *buf;
+ const unsigned char *p;
int len;
/* Set up buf and len to point to the input buffer. */
Alternative technique:
X509 *x;
- unsigned char *buf, *p;
+ unsigned char *buf;
+ const unsigned char *p;
int len;
/* Set up buf and len to point to the input buffer. */
ssl_conf = ssl_sect
[ssl_sect]
-
system_default = system_default_sect
[system_default_sect]
-
MinProtocol = TLSv1.2
-
+ MinProtocol = DTLSv1.2
=head1 NOTES
Note: in the above example you will get an error in non FIPS capable versions
of OpenSSL.
-Simple OpenSSL library configuration to make TLS 1.3 the system-default
-minimum TLS version:
+Simple OpenSSL library configuration to make TLS 1.2 and DTLS 1.2 the
+system-default minimum TLS and DTLS versions, respectively:
# Toplevel section for openssl (including libssl)
openssl_conf = default_conf_section
system_default = system_default_section
[system_default_section]
- MinProtocol = TLSv1.3
+ MinProtocol = TLSv1.2
+ MinProtocol = DTLSv1.2
+
+The minimum TLS protocol is applied to B<SSL_CTX> objects that are TLS-based,
+and the minimum DTLS protocol to those are DTLS-based.
+The same applies also to maximum versions set with B<MaxProtocol>.
More complex OpenSSL library configuration. Add OID and don't enter FIPS mode:
The escaping isn't quite right: if you want to use sequences like B<\n>
you can't use any quote escaping on the same line.
-Files are loaded in a single pass. This means that an variable expansion
+Files are loaded in a single pass. This means that a variable expansion
will only work if the variables referenced are defined earlier in the
file.
This is a multi valued extension which indicates whether a certificate is
a CA certificate. The first (mandatory) name is B<CA> followed by B<TRUE> or
-B<FALSE>. If B<CA> is B<TRUE> then an optional B<pathlen> name followed by an
-non-negative value can be included.
+B<FALSE>. If B<CA> is B<TRUE> then an optional B<pathlen> name followed by a
+nonnegative value can be included.
For example:
=head1 COPYRIGHT
-Copyright 2004-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
EVP_PKEY_CTX_set1_id(pctx, id, id_len);
When calling the EVP_DigestSignInit() or EVP_DigestVerifyInit() functions, a
-pre-allocated B<EVP_PKEY_CTX> should be assigned to the B<EVP_MD_CTX>. This is
+preallocated B<EVP_PKEY_CTX> should be assigned to the B<EVP_MD_CTX>. This is
done by calling:
EVP_MD_CTX_set_pkey_ctx(mctx, pctx);
=head1 COPYRIGHT
-Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2018-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
Symmetric encryption is available with the L<B<EVP_Encrypt>I<XXX>|EVP_EncryptInit(3)>
functions. The L<B<EVP_Digest>I<XXX>|EVP_DigestInit(3)> functions provide message digests.
-The B<EVP_PKEY>I<XXX> functions provide a high level interface to
+The B<EVP_PKEY>I<XXX> functions provide a high-level interface to
asymmetric algorithms. To create a new EVP_PKEY see
L<EVP_PKEY_new(3)>. EVP_PKEYs can be associated
with a private key of a particular algorithm by using the functions
=item For signing and verifying see L<EVP_PKEY_sign(3)>,
L<EVP_PKEY_verify(3)> and L<EVP_PKEY_verify_recover(3)>.
However, note that
-these functions do not perform a digest of the data to be signed. Therefore
+these functions do not perform a digest of the data to be signed. Therefore,
normally you would use the L<EVP_DigestSignInit(3)>
functions for this purpose.
implementations automatically in preference to built in software
implementations. For more information, consult the engine(3) man page.
-Although low level algorithm specific functions exist for many algorithms
+Although low-level algorithm specific functions exist for many algorithms
their use is discouraged. They cannot be used with an ENGINE and ENGINE
-versions of new algorithms cannot be accessed using the low level functions.
+versions of new algorithms cannot be accessed using the low-level functions.
Also makes code harder to adapt to new algorithms and some options are not
-cleanly supported at the low level and some operations are more efficient
-using the high level interface.
+cleanly supported at the low-level and some operations are more efficient
+using the high-level interface.
=head1 SEE ALSO
=head1 COPYRIGHT
-Copyright 2000-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
=head2 General
A STORE is a layer of functionality to retrieve a number of supported
-objects from a repository of any kind, addressable as a file name or
+objects from a repository of any kind, addressable as a filename or
as a URI.
The functionality supports the pattern "open a channel to the
=head1 COPYRIGHT
-Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
# if defined(OPENSSL_SYS_WINDOWS)
# define strcasecmp _stricmp
# define strncasecmp _strnicmp
-# if (_MSC_VER >= 1310)
+# if (_MSC_VER >= 1310) && !defined(_WIN32_WCE)
# define open _open
# define fdopen _fdopen
# define close _close
/*
- * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL licenses, (the "License");
* you may not use this file except in compliance with the License.
#include <openssl/asn1.h>
#include <openssl/asn1t.h>
#include <openssl/dh.h>
+#include <openssl/dsa.h>
#include <openssl/ec.h>
#include <openssl/ocsp.h>
#include <openssl/pkcs12.h>
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#ifndef HEADER_ASN1ERR_H
# define HEADER_ASN1ERR_H
-# ifndef HEADER_SYMHACKS_H
-# include <openssl/symhacks.h>
-# endif
+# include <openssl/symhacks.h>
# ifdef __cplusplus
extern "C"
# define ASN1_F_ASN1_ITEM_DUP 191
# define ASN1_F_ASN1_ITEM_EMBED_D2I 120
# define ASN1_F_ASN1_ITEM_EMBED_NEW 121
+# define ASN1_F_ASN1_ITEM_EX_I2D 144
# define ASN1_F_ASN1_ITEM_FLAGS_I2D 118
# define ASN1_F_ASN1_ITEM_I2D_BIO 192
# define ASN1_F_ASN1_ITEM_I2D_FP 193
# define ASN1_R_ASN1_SIG_PARSE_ERROR 204
# define ASN1_R_AUX_ERROR 100
# define ASN1_R_BAD_OBJECT_HEADER 102
+# define ASN1_R_BAD_TEMPLATE 230
# define ASN1_R_BMPSTRING_IS_WRONG_LENGTH 214
# define ASN1_R_BN_LIB 105
# define ASN1_R_BOOLEAN_IS_WRONG_LENGTH 106
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
* avoid leaking exponent information through timing,
* BN_mod_exp_mont() will call BN_mod_exp_mont_consttime,
* BN_div() will call BN_div_no_branch,
- * BN_mod_inverse() will call BN_mod_inverse_no_branch.
+ * BN_mod_inverse() will call bn_mod_inverse_no_branch.
*/
# define BN_FLG_CONSTTIME 0x04
# define BN_FLG_SECURE 0x08
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
defined(__osf__) || defined(__sgi) || defined(__hpux) || \
defined(OPENSSL_SYS_VMS) || defined (__OpenBSD__)
# include <inttypes.h>
-# elif defined(_MSC_VER) && _MSC_VER<=1500
+# elif defined(_MSC_VER) && _MSC_VER<1600
/*
* minimally required typdefs for systems not supporting inttypes.h or
* stdint.h: currently just older VC++
/*
- * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2002-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
void EC_KEY_clear_flags(EC_KEY *key, int flags);
+int EC_KEY_decoded_from_explicit_params(const EC_KEY *key);
+
/** Creates a new EC_KEY object using a named curve as underlying
* EC_GROUP object.
* \param nid NID of the named curve.
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
# define EC_R_LADDER_POST_FAILURE 136
# define EC_R_LADDER_PRE_FAILURE 153
# define EC_R_LADDER_STEP_FAILURE 162
+# define EC_R_MISSING_OID 167
# define EC_R_MISSING_PARAMETERS 124
# define EC_R_MISSING_PRIVATE_KEY 125
# define EC_R_NEED_NEW_SETUP_VALUES 157
/*
* {- join("\n * ", @autowarntext) -}
*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
# undef DECLARE_DEPRECATED
# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
# endif
+# elif defined(__SUNPRO_C)
+# if (__SUNPRO_C >= 0x5130)
+# undef DECLARE_DEPRECATED
+# define DECLARE_DEPRECATED(f) f __attribute__ ((deprecated));
+# endif
# endif
#endif
* (Prior to 0.9.5a beta1, a different scheme was used: MMNNFFRBB for
* major minor fix final patch/beta)
*/
-# define OPENSSL_VERSION_NUMBER 0x1010107fL
-# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1g 21 Apr 2020"
+# define OPENSSL_VERSION_NUMBER 0x1010109fL
+# define OPENSSL_VERSION_TEXT "OpenSSL 1.1.1i 8 Dec 2020"
/*-
* The macros below are to be used for shared library (.so, .dll, ...)
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
# define PEM_F_PEM_SIGNFINAL 112
# define PEM_F_PEM_WRITE 113
# define PEM_F_PEM_WRITE_BIO 114
+# define PEM_F_PEM_WRITE_BIO_PRIVATEKEY_TRADITIONAL 147
# define PEM_F_PEM_WRITE_PRIVATEKEY 139
# define PEM_F_PEM_X509_INFO_READ 115
# define PEM_F_PEM_X509_INFO_READ_BIO 116
# define PEM_R_UNSUPPORTED_CIPHER 113
# define PEM_R_UNSUPPORTED_ENCRYPTION 114
# define PEM_R_UNSUPPORTED_KEY_COMPONENTS 126
+# define PEM_R_UNSUPPORTED_PUBLIC_KEY_TYPE 110
#endif
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
# define SSL_get1_groups(s, glist) \
SSL_ctrl(s,SSL_CTRL_GET_GROUPS,0,(int*)(glist))
# define SSL_CTX_set1_groups(ctx, glist, glistlen) \
- SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(char *)(glist))
+ SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS,glistlen,(int *)(glist))
# define SSL_CTX_set1_groups_list(ctx, s) \
SSL_CTX_ctrl(ctx,SSL_CTRL_SET_GROUPS_LIST,0,(char *)(s))
# define SSL_set1_groups(s, glist, glistlen) \
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
# define TLS1_FLAGS_STATELESS 0x0800
+/* Set if extended master secret extension required on renegotiation */
+# define TLS1_FLAGS_REQUIRED_EXTMS 0x1000
+
# define SSL3_MT_HELLO_REQUEST 0
# define SSL3_MT_CLIENT_HELLO 1
# define SSL3_MT_SERVER_HELLO 2
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
const void **ppval, const X509_ALGOR *algor);
void X509_ALGOR_set_md(X509_ALGOR *alg, const EVP_MD *md);
int X509_ALGOR_cmp(const X509_ALGOR *a, const X509_ALGOR *b);
+int X509_ALGOR_copy(X509_ALGOR *dest, const X509_ALGOR *src);
X509_NAME *X509_NAME_dup(X509_NAME *xn);
X509_NAME_ENTRY *X509_NAME_ENTRY_dup(X509_NAME_ENTRY *ne);
int X509_REQ_set_subject_name(X509_REQ *req, X509_NAME *name);
void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
const X509_ALGOR **palg);
+void X509_REQ_set0_signature(X509_REQ *req, ASN1_BIT_STRING *psig);
+int X509_REQ_set1_signature_algo(X509_REQ *req, X509_ALGOR *palg);
int X509_REQ_get_signature_nid(const X509_REQ *req);
int i2d_re_X509_REQ_tbs(X509_REQ *req, unsigned char **pp);
int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);
int type,
const unsigned char *bytes,
int len);
-void *X509at_get0_data_by_OBJ(STACK_OF(X509_ATTRIBUTE) *x,
+void *X509at_get0_data_by_OBJ(const STACK_OF(X509_ATTRIBUTE) *x,
const ASN1_OBJECT *obj, int lastpos, int type);
X509_ATTRIBUTE *X509_ATTRIBUTE_create_by_NID(X509_ATTRIBUTE **attr, int nid,
int atrtype, const void *data,
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
# define X509_V_ERR_OCSP_VERIFY_NEEDED 73 /* Need OCSP verification */
# define X509_V_ERR_OCSP_VERIFY_FAILED 74 /* Couldn't verify cert through OCSP */
# define X509_V_ERR_OCSP_CERT_UNKNOWN 75 /* Certificate wasn't recognized by the OCSP responder */
+# define X509_V_ERR_SIGNATURE_ALGORITHM_MISMATCH 76
+# define X509_V_ERR_NO_ISSUER_PUBLIC_KEY 77
+# define X509_V_ERR_UNSUPPORTED_SIGNATURE_ALGORITHM 78
+# define X509_V_ERR_EC_KEY_EXPLICIT_PARAMS 79
/* Certificate verify flags */
/*
* Generated by util/mkerr.pl DO NOT EDIT
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
#ifndef HEADER_X509ERR_H
# define HEADER_X509ERR_H
-# ifndef HEADER_SYMHACKS_H
-# include <openssl/symhacks.h>
-# endif
+# include <openssl/symhacks.h>
# ifdef __cplusplus
extern "C"
# define X509_F_X509_OBJECT_NEW 150
# define X509_F_X509_PRINT_EX_FP 118
# define X509_F_X509_PUBKEY_DECODE 148
+# define X509_F_X509_PUBKEY_GET 161
# define X509_F_X509_PUBKEY_GET0 119
# define X509_F_X509_PUBKEY_SET 120
# define X509_F_X509_REQ_CHECK_PRIVATE_KEY 144
/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
ssl_free(b);
if (!ssl_new(b))
return 0;
+ bs = BIO_get_data(b);
}
BIO_set_shutdown(b, num);
ssl = (SSL *)ptr;
/*
- * Copyright 2005-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
wb = &s->rlayer.wbuf[0];
/*
- * first check if there is a SSL3_BUFFER still being written out. This
- * will happen with non blocking IO
+ * DTLS writes whole datagrams, so there can't be anything left in
+ * the buffer.
*/
if (!ossl_assert(SSL3_BUFFER_get_left(wb) == 0)) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DO_DTLS1_WRITE,
/*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
headerlen = SSL3_RT_HEADER_LENGTH;
#if defined(SSL3_ALIGN_PAYLOAD) && SSL3_ALIGN_PAYLOAD!=0
- align = (-SSL3_RT_HEADER_LENGTH) & (SSL3_ALIGN_PAYLOAD - 1);
+ align = SSL3_ALIGN_PAYLOAD - 1;
#endif
len = ssl_get_max_send_fragment(s)
const SSL_CIPHER *ssl3_get_cipher_by_std_name(const char *stdname)
{
- SSL_CIPHER *c = NULL, *tbl;
- SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers};
- size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS};
+ SSL_CIPHER *tbl;
+ SSL_CIPHER *alltabs[] = {tls13_ciphers, ssl3_ciphers, ssl3_scsvs};
+ size_t i, j, tblsize[] = {TLS13_NUM_CIPHERS, SSL3_NUM_CIPHERS,
+ SSL3_NUM_SCSVS};
/* this is not efficient, necessary to optimize this? */
for (j = 0; j < OSSL_NELEM(alltabs); j++) {
if (tbl->stdname == NULL)
continue;
if (strcmp(stdname, tbl->stdname) == 0) {
- c = tbl;
- break;
- }
- }
- }
- if (c == NULL) {
- tbl = ssl3_scsvs;
- for (i = 0; i < SSL3_NUM_SCSVS; i++, tbl++) {
- if (strcmp(stdname, tbl->stdname) == 0) {
- c = tbl;
- break;
+ return tbl;
}
}
}
- return c;
+ return NULL;
}
/*
/*
- * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
const char *name;
int version;
};
+ /*
+ * Note: To avoid breaking previously valid configurations, we must retain
+ * legacy entries in this table even if the underlying protocol is no
+ * longer supported. This also means that the constants SSL3_VERSION, ...
+ * need to be retained indefinitely. This table can only grow, never
+ * shrink.
+ */
static const struct protocol_versions versions[] = {
{"None", 0},
{"SSLv3", SSL3_VERSION},
OPENSSL_free(s->ext.ocsp.resp);
OPENSSL_free(s->ext.alpn);
OPENSSL_free(s->ext.tls13_cookie);
+ if (s->clienthello != NULL)
+ OPENSSL_free(s->clienthello->pre_proc_exts);
OPENSSL_free(s->clienthello);
OPENSSL_free(s->pha_context);
EVP_MD_CTX_free(s->pha_dgst);
* - Otherwise it returns NULL
*
* During/after the handshake (TLSv1.2 or below resumption occurred):
- * - If the session from the orignal handshake had a servername accepted
+ * - If the session from the original handshake had a servername accepted
* by the server then it will return that servername.
* - Otherwise it returns the servername set via
* SSL_set_tlsext_host_name() (or NULL if it was not called).
const unsigned char *context, size_t contextlen,
int use_context)
{
- if (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER)
+ if (s->session == NULL
+ || (s->version < TLS1_VERSION && s->version != DTLS1_BAD_VER))
return -1;
return s->method->ssl3_enc->export_keying_material(s, out, olen, label,
goto err;
ret->version = s->version;
ret->options = s->options;
+ ret->min_proto_version = s->min_proto_version;
+ ret->max_proto_version = s->max_proto_version;
ret->mode = s->mode;
SSL_set_max_cert_list(ret, SSL_get_max_cert_list(s));
SSL_set_read_ahead(ret, SSL_get_read_ahead(s));
if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL, &ret->ex_data, &s->ex_data))
goto err;
- /* setup rbio, and wbio */
- if (s->rbio != NULL) {
- if (!BIO_dup_state(s->rbio, (char *)&ret->rbio))
- goto err;
- }
- if (s->wbio != NULL) {
- if (s->wbio != s->rbio) {
- if (!BIO_dup_state(s->wbio, (char *)&ret->wbio))
- goto err;
- } else {
- BIO_up_ref(ret->rbio);
- ret->wbio = ret->rbio;
- }
- }
-
ret->server = s->server;
if (s->handshake_func) {
if (s->server)
/*
- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
EVP_PKEY_copy_parameters(pktmp, pkey);
ERR_clear_error();
-#ifndef OPENSSL_NO_RSA
- /*
- * Don't check the public/private key, this is mostly for smart
- * cards.
- */
- if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA
- && RSA_flags(EVP_PKEY_get0_RSA(pkey)) & RSA_METHOD_FLAG_NO_CHECK) ;
- else
-#endif
if (!X509_check_private_key(c->pkeys[i].x509, pkey)) {
X509_free(c->pkeys[i].x509);
c->pkeys[i].x509 = NULL;
EVP_PKEY_copy_parameters(pkey, c->pkeys[i].privatekey);
ERR_clear_error();
-#ifndef OPENSSL_NO_RSA
- /*
- * Don't check the public/private key, this is mostly for smart
- * cards.
- */
- if (EVP_PKEY_id(c->pkeys[i].privatekey) == EVP_PKEY_RSA
- && RSA_flags(EVP_PKEY_get0_RSA(c->pkeys[i].privatekey)) &
- RSA_METHOD_FLAG_NO_CHECK) ;
- else
-#endif /* OPENSSL_NO_RSA */
if (!X509_check_private_key(x, c->pkeys[i].privatekey)) {
/*
* don't fail for a cert/key mismatch, just free current private
EVP_PKEY_copy_parameters(pubkey, privatekey);
} /* else both have parameters */
- /* Copied from ssl_set_cert/pkey */
-#ifndef OPENSSL_NO_RSA
- if ((EVP_PKEY_id(privatekey) == EVP_PKEY_RSA) &&
- ((RSA_flags(EVP_PKEY_get0_RSA(privatekey)) & RSA_METHOD_FLAG_NO_CHECK)))
- /* no-op */ ;
- else
-#endif
/* check that key <-> cert match */
if (EVP_PKEY_cmp(pubkey, privatekey) != 1) {
SSLerr(SSL_F_SSL_SET_CERT_AND_KEY, SSL_R_PRIVATE_KEY_MISMATCH);
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
{
SSL_SESSION *dest;
- dest = OPENSSL_malloc(sizeof(*src));
+ dest = OPENSSL_malloc(sizeof(*dest));
if (dest == NULL) {
goto err;
}
static int init_ems(SSL *s, unsigned int context)
{
- if (!s->server)
+ if (s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS) {
s->s3->flags &= ~TLS1_FLAGS_RECEIVED_EXTMS;
+ s->s3->flags |= TLS1_FLAGS_REQUIRED_EXTMS;
+ }
return 1;
}
static int final_ems(SSL *s, unsigned int context, int sent)
{
+ /*
+ * Check extended master secret extension is not dropped on
+ * renegotiation.
+ */
+ if (!(s->s3->flags & TLS1_FLAGS_RECEIVED_EXTMS)
+ && (s->s3->flags & TLS1_FLAGS_REQUIRED_EXTMS)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_FINAL_EMS,
+ SSL_R_INCONSISTENT_EXTMS);
+ return 0;
+ }
if (!s->server && s->hit) {
/*
* Check extended master secret extension is consistent with
if (sesstmp == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR,
SSL_F_TLS_PARSE_CTOS_PSK, ERR_R_INTERNAL_ERROR);
- return 0;
+ goto err;
}
SSL_SESSION_free(sess);
sess = sesstmp;
/*
- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
* Copyright 2005 Nokia. All rights reserved.
*
}
bnpub_key = NULL;
- if (!ssl_security(s, SSL_SECOP_TMP_DH, DH_security_bits(dh), 0, dh)) {
- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE,
- SSL_R_DH_KEY_TOO_SMALL);
- goto err;
- }
-
if (EVP_PKEY_assign_DH(peer_tmp, dh) == 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PROCESS_SKE_DHE,
ERR_R_EVP_LIB);
goto err;
}
+ dh = NULL;
+
+ if (!ssl_security(s, SSL_SECOP_TMP_DH, EVP_PKEY_security_bits(peer_tmp),
+ 0, peer_tmp)) {
+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PROCESS_SKE_DHE,
+ SSL_R_DH_KEY_TOO_SMALL);
+ goto err;
+ }
s->s3->peer_tmp = peer_tmp;
static const X509ERR2ALERT x509table[] = {
{X509_V_ERR_APPLICATION_VERIFICATION, SSL_AD_HANDSHAKE_FAILURE},
{X509_V_ERR_CA_KEY_TOO_SMALL, SSL_AD_BAD_CERTIFICATE},
+ {X509_V_ERR_EC_KEY_EXPLICIT_PARAMS, SSL_AD_BAD_CERTIFICATE},
{X509_V_ERR_CA_MD_TOO_WEAK, SSL_AD_BAD_CERTIFICATE},
{X509_V_ERR_CERT_CHAIN_TOO_LONG, SSL_AD_UNKNOWN_CA},
{X509_V_ERR_CERT_HAS_EXPIRED, SSL_AD_CERTIFICATE_EXPIRED},
*/
int ssl_set_version_bound(int method_version, int version, int *bound)
{
+ int valid_tls;
+ int valid_dtls;
+
if (version == 0) {
*bound = version;
return 1;
}
+ valid_tls = version >= SSL3_VERSION && version <= TLS_MAX_VERSION;
+ valid_dtls =
+ DTLS_VERSION_LE(version, DTLS_MAX_VERSION) &&
+ DTLS_VERSION_GE(version, DTLS1_BAD_VER);
+
+ if (!valid_tls && !valid_dtls)
+ return 0;
+
/*-
* Restrict TLS methods to TLS protocol versions.
* Restrict DTLS methods to DTLS protocol versions.
* configurations. If the MIN (supported) version ever rises, the user's
* "floor" remains valid even if no longer available. We don't expect the
* MAX ceiling to ever get lower, so making that variable makes sense.
+ *
+ * We ignore attempts to set bounds on version-inflexible methods,
+ * returning success.
*/
switch (method_version) {
default:
- /*
- * XXX For fixed version methods, should we always fail and not set any
- * bounds, always succeed and not set any bounds, or set the bounds and
- * arrange to fail later if they are not met? At present fixed-version
- * methods are not subject to controls that disable individual protocol
- * versions.
- */
- return 0;
+ break;
case TLS_ANY_VERSION:
- if (version < SSL3_VERSION || version > TLS_MAX_VERSION)
- return 0;
+ if (valid_tls)
+ *bound = version;
break;
case DTLS_ANY_VERSION:
- if (DTLS_VERSION_GT(version, DTLS_MAX_VERSION) ||
- DTLS_VERSION_LT(version, DTLS1_BAD_VER))
- return 0;
+ if (valid_dtls)
+ *bound = version;
break;
}
-
- *bound = version;
return 1;
}
s->s3->tmp.pkey = ssl_generate_pkey(pkdhp);
if (s->s3->tmp.pkey == NULL) {
- /* SSLfatal() already called */
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, 0, ERR_R_INTERNAL_ERROR);
goto err;
}
#ifndef OPENSSL_NO_DH
DH *ssl_get_auto_dh(SSL *s)
{
+ DH *dhp = NULL;
+ BIGNUM *p = NULL, *g = NULL;
int dh_secbits = 80;
- if (s->cert->dh_tmp_auto == 2)
- return DH_get_1024_160();
- if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
- if (s->s3->tmp.new_cipher->strength_bits == 256)
- dh_secbits = 128;
- else
- dh_secbits = 80;
- } else {
- if (s->s3->tmp.cert == NULL)
- return NULL;
- dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
+ if (s->cert->dh_tmp_auto != 2) {
+ if (s->s3->tmp.new_cipher->algorithm_auth & (SSL_aNULL | SSL_aPSK)) {
+ if (s->s3->tmp.new_cipher->strength_bits == 256)
+ dh_secbits = 128;
+ else
+ dh_secbits = 80;
+ } else {
+ if (s->s3->tmp.cert == NULL)
+ return NULL;
+ dh_secbits = EVP_PKEY_security_bits(s->s3->tmp.cert->privatekey);
+ }
}
- if (dh_secbits >= 128) {
- DH *dhp = DH_new();
- BIGNUM *p, *g;
- if (dhp == NULL)
- return NULL;
- g = BN_new();
- if (g == NULL || !BN_set_word(g, 2)) {
- DH_free(dhp);
- BN_free(g);
- return NULL;
- }
- if (dh_secbits >= 192)
- p = BN_get_rfc3526_prime_8192(NULL);
- else
- p = BN_get_rfc3526_prime_3072(NULL);
- if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
- DH_free(dhp);
- BN_free(p);
- BN_free(g);
- return NULL;
- }
- return dhp;
+ dhp = DH_new();
+ if (dhp == NULL)
+ return NULL;
+ g = BN_new();
+ if (g == NULL || !BN_set_word(g, 2)) {
+ DH_free(dhp);
+ BN_free(g);
+ return NULL;
+ }
+ if (dh_secbits >= 192)
+ p = BN_get_rfc3526_prime_8192(NULL);
+ else if (dh_secbits >= 152)
+ p = BN_get_rfc3526_prime_4096(NULL);
+ else if (dh_secbits >= 128)
+ p = BN_get_rfc3526_prime_3072(NULL);
+ else if (dh_secbits >= 112)
+ p = BN_get_rfc3526_prime_2048(NULL);
+ else
+ p = BN_get_rfc2409_prime_1024(NULL);
+ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) {
+ DH_free(dhp);
+ BN_free(p);
+ BN_free(g);
+ return NULL;
}
- if (dh_secbits >= 112)
- return DH_get_2048_224();
- return DH_get_1024_160();
+ return dhp;
}
#endif
/*
- * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
if (*pmsglen < 32)
return 0;
- tm = (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
+ tm = ((unsigned int)p[0] << 24)
+ | ((unsigned int)p[1] << 16)
+ | ((unsigned int)p[2] << 8)
+ | (unsigned int)p[3];
p += 4;
BIO_indent(bio, indent, 80);
BIO_puts(bio, "Random:\n");
break;
if (extlen != 4)
return 0;
- max_early_data = (ext[0] << 24) | (ext[1] << 16) | (ext[2] << 8)
- | ext[3];
+ max_early_data = ((unsigned int)ext[0] << 24)
+ | ((unsigned int)ext[1] << 16)
+ | ((unsigned int)ext[2] << 8)
+ | (unsigned int)ext[3];
BIO_indent(bio, indent + 2, 80);
BIO_printf(bio, "max_early_data=%u\n", max_early_data);
break;
}
if (msglen < 4)
return 0;
- tick_life = (msg[0] << 24) | (msg[1] << 16) | (msg[2] << 8) | msg[3];
+ tick_life = ((unsigned int)msg[0] << 24)
+ | ((unsigned int)msg[1] << 16)
+ | ((unsigned int)msg[2] << 8)
+ | (unsigned int)msg[3];
msglen -= 4;
msg += 4;
BIO_indent(bio, indent + 2, 80);
if (msglen < 4)
return 0;
ticket_age_add =
- (msg[0] << 24) | (msg[1] << 16) | (msg[2] << 8) | msg[3];
+ ((unsigned int)msg[0] << 24)
+ | ((unsigned int)msg[1] << 16)
+ | ((unsigned int)msg[2] << 8)
+ | (unsigned int)msg[3];
msglen -= 4;
msg += 4;
BIO_indent(bio, indent + 2, 80);
uint32_t algenc;
ivlen = EVP_CCM_TLS_IV_LEN;
- if (s->s3->tmp.new_cipher == NULL) {
+ if (s->s3->tmp.new_cipher != NULL) {
+ algenc = s->s3->tmp.new_cipher->algorithm_enc;
+ } else if (s->session->cipher != NULL) {
/* We've not selected a cipher yet - we must be doing early data */
algenc = s->session->cipher->algorithm_enc;
+ } else if (s->psksession != NULL && s->psksession->cipher != NULL) {
+ /* We must be doing early data with out-of-band PSK */
+ algenc = s->psksession->cipher->algorithm_enc;
} else {
- algenc = s->s3->tmp.new_cipher->algorithm_enc;
+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_DERIVE_SECRET_KEY_AND_IV,
+ ERR_R_EVP_LIB);
+ goto err;
}
if (algenc & (SSL_AES128CCM8 | SSL_AES256CCM8))
taglen = EVP_CCM8_TLS_TAG_LEN;
/*
- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
return 1;
}
+typedef struct {
+ ASN1_STRING *invalidDirString;
+} INVALIDTEMPLATE;
+
+ASN1_SEQUENCE(INVALIDTEMPLATE) = {
+ /*
+ * DirectoryString is a CHOICE type so it must use explicit tagging -
+ * but we deliberately use implicit here, which makes this template invalid.
+ */
+ ASN1_IMP(INVALIDTEMPLATE, invalidDirString, DIRECTORYSTRING, 12)
+} static_ASN1_SEQUENCE_END(INVALIDTEMPLATE)
+
+IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(INVALIDTEMPLATE)
+IMPLEMENT_STATIC_ASN1_ALLOC_FUNCTIONS(INVALIDTEMPLATE)
+
+/* Empty sequence for invalid template test */
+static unsigned char t_invalid_template[] = {
+ 0x30, 0x03, /* SEQUENCE tag + length */
+ 0x0c, 0x01, 0x41 /* UTF8String, length 1, "A" */
+};
+
+static int test_invalid_template(void)
+{
+ const unsigned char *p = t_invalid_template;
+ INVALIDTEMPLATE *tmp = d2i_INVALIDTEMPLATE(NULL, &p,
+ sizeof(t_invalid_template));
+
+ /* We expect a NULL pointer return */
+ if (TEST_ptr_null(tmp))
+ return 1;
+
+ INVALIDTEMPLATE_free(tmp);
+ return 0;
+}
+
int setup_tests(void)
{
#if OPENSSL_API_COMPAT < 0x10200000L
ADD_TEST(test_uint32);
ADD_TEST(test_int64);
ADD_TEST(test_uint64);
+ ADD_TEST(test_invalid_template);
return 1;
}
/*
- * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
return test_intern(&uint64_test_package);
}
+typedef struct {
+ ASN1_STRING *invalidDirString;
+} INVALIDTEMPLATE;
+
+ASN1_SEQUENCE(INVALIDTEMPLATE) = {
+ /*
+ * DirectoryString is a CHOICE type so it must use explicit tagging -
+ * but we deliberately use implicit here, which makes this template invalid.
+ */
+ ASN1_IMP(INVALIDTEMPLATE, invalidDirString, DIRECTORYSTRING, 12)
+} static_ASN1_SEQUENCE_END(INVALIDTEMPLATE)
+
+IMPLEMENT_STATIC_ASN1_ENCODE_FUNCTIONS(INVALIDTEMPLATE)
+IMPLEMENT_STATIC_ASN1_ALLOC_FUNCTIONS(INVALIDTEMPLATE)
+
+static int test_invalid_template(void)
+{
+ INVALIDTEMPLATE *temp = INVALIDTEMPLATE_new();
+ int ret;
+
+ if (!TEST_ptr(temp))
+ return 0;
+
+ ret = i2d_INVALIDTEMPLATE(temp, NULL);
+
+ INVALIDTEMPLATE_free(temp);
+
+ /* We expect the i2d operation to fail */
+ return ret < 0;
+}
+
+
int setup_tests(void)
{
#if OPENSSL_API_COMPAT < 0x10200000L
ADD_TEST(test_uint32);
ADD_TEST(test_int64);
ADD_TEST(test_uint64);
+ ADD_TEST(test_invalid_template);
return 1;
}
/*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
if (!TEST_int_eq(BIO_snprintf(buf, sizeof(buf),
"%f\n", 2 * (double)ULONG_MAX), -1))
return 0;
+
return 1;
}
IF[{- !$disabled{ec} -}]
PROGRAMS_NO_INST=ec_internal_test curve448_internal_test
ENDIF
+ IF[{- !$disabled{cmac} -}]
+ PROGRAMS_NO_INST=cmactest
+ ENDIF
SOURCE[poly1305_internal_test]=poly1305_internal_test.c
INCLUDE[poly1305_internal_test]=.. ../include
INCLUDE[ctype_internal_test]=.. ../include
DEPEND[ctype_internal_test]=../libcrypto.a libtestutil.a
+ IF[{- !$disabled{cmac} -}]
+ SOURCE[cmactest]=cmactest.c
+ INCLUDE[cmactest]=../include ../apps/include
+ DEPEND[cmactest]=../libcrypto.a libtestutil.a
+ ENDIF
+
SOURCE[siphash_internal_test]=siphash_internal_test.c
INCLUDE[siphash_internal_test]=.. ../include
DEPEND[siphash_internal_test]=../libcrypto.a libtestutil.a
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIDGDCCAgCgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTIwMDkxNTEzMDY0MVoYDzIxMjAwOTE2MTMwNjQxWjANMQswCQYDVQQD
+DAJDQTCCAUswggEDBgcqhkjOPQIBMIH3AgEBMCwGByqGSM49AQECIQD/////AAAA
+AQAAAAAAAAAAAAAAAP///////////////zBbBCD/////AAAAAQAAAAAAAAAAAAAA
+AP///////////////AQgWsY12Ko6k+ez671VdpiGvGUdBrDMU7D2O848PifSYEsD
+FQDEnTYIhucEk2pmeOETnSa3gZ9+kARBBGsX0fLhLEJH+Lzm5WOkQPJ3A32BLesz
+oPShOUXYmMKWT+NC4v4af5uO5+tKfA+eFivOM1drMV7Oy7ZAaDe/UfUCIQD/////
+AAAAAP//////////vOb6racXnoTzucrC/GMlUQIBAQNCAASlXna3kSD/Yol3RA5I
+icjIxYb9UJoCTzb/LsxjlOvIS5OqCTzpqP0p3JrnvLPsbzq7Cf/g0bNlxAGs1iVM
+5NDco1MwUTAdBgNVHQ4EFgQUFk6ucH6gMXeadmuV7a1iWEnU/CIwHwYDVR0jBBgw
+FoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG
+9w0BAQsFAAOCAQEAdyUgfT0eAsZzoHFXoWN5uqi0MHuhLI37TEzkH5h7iTpDQJTQ
+F0SjbawfM/nxxUekRW3mjFu3lft+VA7yC0OTNBLffan/vTh+HGOvvYZSMJYgKrMG
+PRWgDId+n9RTcQCf+91cISvOazHixRiJG7JfRLdNZsAE+miw4HgPLFboTwpxtTDJ
+zJ4ssBC6P+5IHwBCtNMiilJMMMzuSaZa5iSo6M9AdXWfcQN3uhW1lgQOLOlKLcbo
+3UhW1GMMhTTeytM5aylbKhRsnL7ozmS44zsKZ25YaQxgjdKitFjVN6j7eyQ7C9J2
+bLXgl3APweLQbGGs0zv08Ad0SCCKYLHK6mMJqg==
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIICJDCCAQygAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTIwMDkxNTEzMDY1MFoYDzIxMjAwOTE2MTMwNjUwWjANMQswCQYDVQQD
+DAJDQTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABPt+MXCi9+wztEvmdG2EVSk7
+bAiJMXJXW/u0NbcGCrrbhO1NJSHHV3Lks888sqeSPh/bif/ASJ0HX+VarMUoFIKj
+UzBRMB0GA1UdDgQWBBRjigU5REz8Lwf1iD6mALVhsHIanjAfBgNVHSMEGDAWgBSO
+9SWvHptrhD18gJrJU5xNcvejUjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEB
+CwUAA4IBAQCQs9wpblefb2C9a7usGL1DJjWJQIFHtUf+6p/KPgEV7LF138ECjL5s
+0AWRd8Q8SbsBH49j2r3LLLMkvFglyRaN+FF+TCC/UQtclTb4+HgLsUT2xSU8U2cY
+SOnzNB5AX/qAAsdOGqOjivPtGXcXFexDKPsw3n+3rJgymBP6hbLagb47IabNhot5
+bMM6S+bmfpMwfsm885zr5vG2Gg9FjjH94Vx4I7eRLkjCS88gkIR1J35ecHFteOdo
+idOaCHQddYiKukBzgdjtTxSDXKffkaybylrwOZ8VBlQd3zC7s02d+riHCnroLnnE
+cwYLlJ5z6jN7zoPZ55yX/EmA0RVny2le
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN PRIVATE KEY-----
+MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
+AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
+///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
+AMSdNgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg
+9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8A
+AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgdEf20fpuqEZU
+tZ4ORoq4vb5ETV4a6QOl/iGnDQt++/ihRANCAASlXna3kSD/Yol3RA5IicjIxYb9
+UJoCTzb/LsxjlOvIS5OqCTzpqP0p3JrnvLPsbzq7Cf/g0bNlxAGs1iVM5NDc
+-----END PRIVATE KEY-----
--- /dev/null
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgCTrYrMKcyV49+w4B
+TWr2WTZsMM4aFpaYulKAuhiuQ7mhRANCAAT7fjFwovfsM7RL5nRthFUpO2wIiTFy
+V1v7tDW3Bgq624TtTSUhx1dy5LPPPLKnkj4f24n/wEidB1/lWqzFKBSC
+-----END PRIVATE KEY-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIChzCCAi6gAwIBAgIBAjAKBggqhkjOPQQDAjANMQswCQYDVQQDDAJDQTAgFw0y
+MDA5MTUxMzE0MzlaGA8yMTIwMDkxNjEzMTQzOVowGTEXMBUGA1UEAwwOc2VydmVy
+LmV4YW1wbGUwggFLMIIBAwYHKoZIzj0CATCB9wIBATAsBgcqhkjOPQEBAiEA////
+/wAAAAEAAAAAAAAAAAAAAAD///////////////8wWwQg/////wAAAAEAAAAAAAAA
+AAAAAAD///////////////wEIFrGNdiqOpPns+u9VXaYhrxlHQawzFOw9jvOPD4n
+0mBLAxUAxJ02CIbnBJNqZnjhE50mt4GffpAEQQRrF9Hy4SxCR/i85uVjpEDydwN9
+gS3rM6D0oTlF2JjClk/jQuL+Gn+bjufrSnwPnhYrzjNXazFezsu2QGg3v1H1AiEA
+/////wAAAAD//////////7zm+q2nF56E87nKwvxjJVECAQEDQgAE+7TDP7C9VqQP
+TnqoJc/Fvf/N45BX+lBfmfiGBeRKtSsvrERUlymzQ4/nxVtymozAgFxQ0my998HH
+TSVCj7Sq56N9MHswHQYDVR0OBBYEFKKwEfKYhNv6fbQf0Xd0te7J3GZdMB8GA1Ud
+IwQYMBaAFGOKBTlETPwvB/WIPqYAtWGwchqeMAkGA1UdEwQCMAAwEwYDVR0lBAww
+CgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1wbGUwCgYIKoZIzj0E
+AwIDRwAwRAIgb4UITAOFlATeaayWQX9r5gf61qcnzT7TjXCekf7ww9oCIBDltg/u
+ZvS9gqviMFuPjTuk/FhsCTAUzTT7WmgcWeH7
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIBlDCCATqgAwIBAgIBAjAKBggqhkjOPQQDAjANMQswCQYDVQQDDAJDQTAgFw0y
+MDA5MTUxMzE0NDVaGA8yMTIwMDkxNjEzMTQ0NVowGTEXMBUGA1UEAwwOc2VydmVy
+LmV4YW1wbGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQv5PnMStW/Wx9lpvjl
+JTsFIjc2wBv14sNuMh1hfNX8ZJcoCfAAKYu6ujxXt328GWBMaubRbBjOd/eqpEst
+tYKzo30wezAdBgNVHQ4EFgQUmb/qcE413hkpmtjEMyRZZFcN1TYwHwYDVR0jBBgw
+FoAUFk6ucH6gMXeadmuV7a1iWEnU/CIwCQYDVR0TBAIwADATBgNVHSUEDDAKBggr
+BgEFBQcDATAZBgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTAKBggqhkjOPQQDAgNI
+ADBFAiEA9y6J8rdAbO0mDZscIb8rIn6HgxBW4WAqTlFeZeHjjOYCIAmt2ldyObOL
+tXaiaxYX3WAOR1vmfzsdrkCAOCfAkpbo
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIBkzCCATqgAwIBAgIBAjAKBggqhkjOPQQDAjANMQswCQYDVQQDDAJDQTAgFw0y
+MDA5MTUxNDEwNDhaGA8yMTIwMDkxNjE0MTA0OFowGTEXMBUGA1UEAwwOc2VydmVy
+LmV4YW1wbGUwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAS0YU57+RFRWxr/frnL
++vOYkY3h9roKnvxCG07wK5tevEYtSdKz0KsHvDBDatw1r3JNv+m2p54/3AqFPAZ3
+5b0Po30wezAdBgNVHQ4EFgQUypypuZrUl0BEmbuhfJpo3QFNIvUwHwYDVR0jBBgw
+FoAUY4oFOURM/C8H9Yg+pgC1YbByGp4wCQYDVR0TBAIwADATBgNVHSUEDDAKBggr
+BgEFBQcDATAZBgNVHREEEjAQgg5zZXJ2ZXIuZXhhbXBsZTAKBggqhkjOPQQDAgNH
+ADBEAiAEkKD7H5uxQ4YbQOiN4evbu5RCV5W7TVE80iBfcY5u4wIgGcwr++lVNX0Q
+CTT+M3ukDjOA8OEvKUz1TiDuRAQ29qU=
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN PRIVATE KEY-----
+MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB
+AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA
+///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV
+AMSdNgiG5wSTamZ44ROdJreBn36QBEEEaxfR8uEsQkf4vOblY6RA8ncDfYEt6zOg
+9KE5RdiYwpZP40Li/hp/m47n60p8D54WK84zV2sxXs7LtkBoN79R9QIhAP////8A
+AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQg0cmpcTcEYG5G
+ZaVkGjtsBc3sLZn1EuV9qNK2qx6iNzmhRANCAAT7tMM/sL1WpA9Oeqglz8W9/83j
+kFf6UF+Z+IYF5Eq1Ky+sRFSXKbNDj+fFW3KajMCAXFDSbL33wcdNJUKPtKrn
+-----END PRIVATE KEY-----
--- /dev/null
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2ue+X5ZFJPJPQG2E
+WQY4ALv2PkPp2Gy6KrMiokgmjkehRANCAAQv5PnMStW/Wx9lpvjlJTsFIjc2wBv1
+4sNuMh1hfNX8ZJcoCfAAKYu6ujxXt328GWBMaubRbBjOd/eqpEsttYKz
+-----END PRIVATE KEY-----
--- /dev/null
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgGSoneIKG3//ujXGu
+/EoJdNhpKZj026EF/YQ5FblUBWahRANCAAS0YU57+RFRWxr/frnL+vOYkY3h9roK
+nvxCG07wK5tevEYtSdKz0KsHvDBDatw1r3JNv+m2p54/3AqFPAZ35b0P
+-----END PRIVATE KEY-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIDIjCCAgqgAwIBAgIUT99h/YrAdcDg3fdLy5UajB8e994wDQYJKoZIhvcNAQEL
+BQAwGTEXMBUGA1UEAwwOZWUtc2VsZi1zaWduZWQwIBcNMjAwNzI4MTQxNjA4WhgP
+MjEyMDA3MDQxNDE2MDhaMBkxFzAVBgNVBAMMDmVlLXNlbGYtc2lnbmVkMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqP+JWGGFrt7bLA/Vc/vit6gbenVg
+K9R9PHN2ta7eky9/JJBtyRz0ijjNn6KAFlbLtCy7k+UXH/8NxkP+MTT4KNh16aO7
+iILvo3LiU2IFRU3gMZfvqp0Q0lgNngaeMrsbCFZdZQ8/Zo7CNqAR/8BZNf1JHN0c
+QjMGeK4EOCPl53Vn05StWqlAH6xZEPUMwWStSsTGNVOzlmqCGxWL0Zmr5J5vlKrS
+luVX+4yRZIo8JBbG0hm+gmATO2Kw7T4ds8r5a98xuXqeS0dopynHP0riIie075Bj
+1+/Qckk+W625G9Qrb4Zo3dVzErhDydxBD6KjRk+LZ4iED2H+eTQfSokftwIDAQAB
+o2AwXjAdBgNVHQ4EFgQU55viKq2KbDrLdlHljgeYIpfhc6IwHwYDVR0jBBgwFoAU
+55viKq2KbDrLdlHljgeYIpfhc6IwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMC
+B4AwDQYJKoZIhvcNAQELBQADggEBAGDEbS5kJArjjQNK02oxhQyz1dbDy23evRxm
+WW/NtlJAQAgEMXoNo9fioj0L4cvDy40r87V6/RsV2eijwZEfwGloACif7v78w8QO
+h4XiW9oGxcQkdMIYZLDVW9AZPDIkK5NHNfQaeAxCprAufYnRMv035UotLzCBRrkG
+G2TIs45vRp/6mYFVtm0Nf9CFvu4dXH8W+GlBONG0FAiBW+JzgTr9OmrzfqJTEDrf
+vv/hOiu8XvvlF5piPBqKE76rEvkXUSjgDZ2/Ju1fjqpV2I8Hz1Mj9w9tRE8g4E9o
+ZcRXX3MNPaHxnNhgYSPdpywwkyILz2AHwmAzh07cdttRFFPw+fM=
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIC8jCCAdqgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMB4XDTIwMTIwMjE0MTYwOVoXDTIwMTIwMTE0MTYwOVowEjEQMA4GA1UEAwwH
+Um9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOHmAPUGvKBG
+OHkPPx5xGRNtAt8rm3Zr/KywIe3WkQhCO6VjNexSW6CiSsXWAJQDl1o9uWco0n3j
+IVyk7cY8jY6E0Z1Uwz3ZdKKWdmdx+cYaUHez/XjuW+DjjIkjwpoi7D7UN54HzcAr
+VREXOjRCHGkNOhiw7RWUXsb9nofGHOeUGpLAXwXBc0PlA94JkckkztiOi34u4DFI
+0YYqalUmeugLNk6XseCkydpcaUsDgAhWg6Mfsiq4wUz+xbFN1MABqu2+ziW97mmt
+9gfNbiuhiVT1aOuYCe3JYGbLM2JKA7Bo1g6rX8E1VX79Ru6669y2oqPthX9337Vo
+IkN+ZiQjr8UCAwEAAaNTMFEwHQYDVR0OBBYEFI71Ja8em2uEPXyAmslTnE1y96NS
+MB8GA1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMA8GA1UdEwEB/wQFMAMB
+Af8wDQYJKoZIhvcNAQELBQADggEBAH1uqov7eXVT6GbhJ7foASTQpIaVi4GXIfbS
+bYKCb0erWkLfW7EKalOTBp5TjWONSM4mX2OlZag7yq1P1YwMaBA51OkH0Ojic9fX
+majK2S/ZyFI6NLoPqN0Uw/K1HHU0DXpK/mf3YdFOEZMf9LVlXR0O6og19HxBmNnN
+LhTOQ29IGqNzayHGBi4U8LG+UAe5sxlC+gnnQEPGMrOS1XElybtHIxnqk2LJDvXj
+2Dj12TCISD9bQ53oRkudTvTPyvxK6OsnFC/wTBmHk03yxnZdQEKyj9guahiRb+hj
+sz4mDWWMmelcr6veEfzzlUZK7aoIrpJmgukhv/Qafwczo38J5U0=
+-----END CERTIFICATE-----
-#! /bin/sh
+#! /bin/bash
# Primary root: root-cert
# root cert variants: CA:false, key2, DN2
# trust variants: +serverAuth -serverAuth +clientAuth -clientAuth +anyEKU -anyEKU
#
./mkcert.sh genroot "Root CA" root-key root-cert
+DAYS=-1 ./mkcert.sh genroot "Root CA" root-key root-expired
./mkcert.sh genss "Root CA" root-key root-nonca
./mkcert.sh genroot "Root CA" root-key2 root-cert2
./mkcert.sh genroot "Root Cert 2" root-key root-name2
# CA has 768-bit key
OPENSSL_KEYBITS=768 \
./mkcert.sh genca "CA" ca-key-768 ca-cert-768 root-key root-cert
+# EC cert with explicit curve
+./mkcert.sh genca "CA" ca-key-ec-explicit ca-cert-ec-explicit root-key root-cert
+# EC cert with named curve
+./mkcert.sh genca "CA" ca-key-ec-named ca-cert-ec-named root-key root-cert
# client intermediate ca: cca-cert
# trust variants: +serverAuth, -serverAuth, +clientAuth, -clientAuth
./mkcert.sh genee server.example ee-key ee-name2 ca-key ca-name2
./mkcert.sh genee -p clientAuth server.example ee-key ee-client ca-key ca-cert
./mkcert.sh genee server.example ee-key ee-pathlen ca-key ca-cert \
- -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0")
+ -extfile <(echo "basicConstraints=CA:FALSE,pathlen:0") # bash needed here
#
openssl x509 -in ee-cert.pem -trustout \
-addtrust serverAuth -out ee+serverAuth.pem
# 768-bit leaf key
OPENSSL_KEYBITS=768 \
./mkcert.sh genee server.example ee-key-768 ee-cert-768 ca-key ca-cert
+# EC cert with explicit curve signed by named curve ca
+./mkcert.sh genee server.example ee-key-ec-explicit ee-cert-ec-explicit ca-key-ec-named ca-cert-ec-named
+# EC cert with named curve signed by explicit curve ca
+./mkcert.sh genee server.example ee-key-ec-named-explicit \
+ ee-cert-ec-named-explicit ca-key-ec-explicit ca-cert-ec-explicit
+# EC cert with named curve signed by named curve ca
+./mkcert.sh genee server.example ee-key-ec-named-named \
+ ee-cert-ec-named-named ca-key-ec-named ca-cert-ec-named
+
+# self-signed end-entity cert with explicit keyUsage not including KeyCertSign
+openssl req -new -x509 -key ee-key.pem -subj /CN=ee-self-signed -out ee-self-signed.pem -addext keyUsage=digitalSignature -days 36500
# Proxy certificates, off of ee-client
# Start with some good ones
--- /dev/null
+/*
+ * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "internal/nelem.h"
+
+#include <openssl/cmac.h>
+#include <openssl/aes.h>
+#include <openssl/evp.h>
+
+#include "testutil.h"
+
+static const char xtskey[32] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b,
+ 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
+};
+
+static struct test_st {
+ const char key[32];
+ int key_len;
+ const unsigned char data[64];
+ int data_len;
+ const char *mac;
+} test[3] = {
+ {
+ {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+ 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
+ },
+ 16,
+ "My test data",
+ 12,
+ "29cec977c48f63c200bd5c4a6881b224"
+ },
+ {
+ {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+ 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+ 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
+ },
+ 32,
+ "My test data",
+ 12,
+ "db6493aa04e4761f473b2b453c031c9a"
+ },
+ {
+ {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+ 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+ 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f
+ },
+ 32,
+ "My test data again",
+ 18,
+ "65c11c75ecf590badd0a5e56cbb8af60"
+ },
+};
+
+static char *pt(unsigned char *md, unsigned int len);
+
+static int test_cmac_bad(void)
+{
+ CMAC_CTX *ctx = NULL;
+ int ret = 0;
+
+ ctx = CMAC_CTX_new();
+ if (!TEST_ptr(ctx)
+ || !TEST_false(CMAC_Init(ctx, NULL, 0, NULL, NULL))
+ || !TEST_false(CMAC_Update(ctx, test[0].data, test[0].data_len))
+ /* Should be able to pass cipher first, and then key */
+ || !TEST_true(CMAC_Init(ctx, NULL, 0, EVP_aes_128_cbc(), NULL))
+ /* Must have a key */
+ || !TEST_false(CMAC_Update(ctx, test[0].data, test[0].data_len))
+ /* Now supply the key */
+ || !TEST_true(CMAC_Init(ctx, test[0].key, test[0].key_len, NULL, NULL))
+ /* Update should now work */
+ || !TEST_true(CMAC_Update(ctx, test[0].data, test[0].data_len))
+ /* XTS is not a suitable cipher to use */
+ || !TEST_false(CMAC_Init(ctx, xtskey, sizeof(xtskey), EVP_aes_128_xts(),
+ NULL))
+ || !TEST_false(CMAC_Update(ctx, test[0].data, test[0].data_len)))
+ goto err;
+
+ ret = 1;
+err:
+ CMAC_CTX_free(ctx);
+ return ret;
+}
+
+static int test_cmac_run(void)
+{
+ char *p;
+ CMAC_CTX *ctx = NULL;
+ unsigned char buf[AES_BLOCK_SIZE];
+ size_t len;
+ int ret = 0;
+
+ ctx = CMAC_CTX_new();
+
+ if (!TEST_true(CMAC_Init(ctx, test[0].key, test[0].key_len,
+ EVP_aes_128_cbc(), NULL))
+ || !TEST_true(CMAC_Update(ctx, test[0].data, test[0].data_len))
+ || !TEST_true(CMAC_Final(ctx, buf, &len)))
+ goto err;
+
+ p = pt(buf, len);
+ if (!TEST_str_eq(p, test[0].mac))
+ goto err;
+
+ if (!TEST_true(CMAC_Init(ctx, test[1].key, test[1].key_len,
+ EVP_aes_256_cbc(), NULL))
+ || !TEST_true(CMAC_Update(ctx, test[1].data, test[1].data_len))
+ || !TEST_true(CMAC_Final(ctx, buf, &len)))
+ goto err;
+
+ p = pt(buf, len);
+ if (!TEST_str_eq(p, test[1].mac))
+ goto err;
+
+ if (!TEST_true(CMAC_Init(ctx, test[2].key, test[2].key_len, NULL, NULL))
+ || !TEST_true(CMAC_Update(ctx, test[2].data, test[2].data_len))
+ || !TEST_true(CMAC_Final(ctx, buf, &len)))
+ goto err;
+ p = pt(buf, len);
+ if (!TEST_str_eq(p, test[2].mac))
+ goto err;
+ /* Test reusing a key */
+ if (!TEST_true(CMAC_Init(ctx, NULL, 0, NULL, NULL))
+ || !TEST_true(CMAC_Update(ctx, test[2].data, test[2].data_len))
+ || !TEST_true(CMAC_Final(ctx, buf, &len)))
+ goto err;
+ p = pt(buf, len);
+ if (!TEST_str_eq(p, test[2].mac))
+ goto err;
+
+ /* Test setting the cipher and key separately */
+ if (!TEST_true(CMAC_Init(ctx, NULL, 0, EVP_aes_256_cbc(), NULL))
+ || !TEST_true(CMAC_Init(ctx, test[2].key, test[2].key_len, NULL, NULL))
+ || !TEST_true(CMAC_Update(ctx, test[2].data, test[2].data_len))
+ || !TEST_true(CMAC_Final(ctx, buf, &len)))
+ goto err;
+ p = pt(buf, len);
+ if (!TEST_str_eq(p, test[2].mac))
+ goto err;
+
+ ret = 1;
+err:
+ CMAC_CTX_free(ctx);
+ return ret;
+}
+
+static int test_cmac_copy(void)
+{
+ char *p;
+ CMAC_CTX *ctx = NULL, *ctx2 = NULL;
+ unsigned char buf[AES_BLOCK_SIZE];
+ size_t len;
+ int ret = 0;
+
+ ctx = CMAC_CTX_new();
+ ctx2 = CMAC_CTX_new();
+ if (!TEST_ptr(ctx) || !TEST_ptr(ctx2))
+ goto err;
+
+ if (!TEST_true(CMAC_Init(ctx, test[0].key, test[0].key_len,
+ EVP_aes_128_cbc(), NULL))
+ || !TEST_true(CMAC_Update(ctx, test[0].data, test[0].data_len))
+ || !TEST_true(CMAC_CTX_copy(ctx2, ctx))
+ || !TEST_true(CMAC_Final(ctx2, buf, &len)))
+ goto err;
+
+ p = pt(buf, len);
+ if (!TEST_str_eq(p, test[0].mac))
+ goto err;
+
+ ret = 1;
+err:
+ CMAC_CTX_free(ctx2);
+ CMAC_CTX_free(ctx);
+ return ret;
+}
+
+static char *pt(unsigned char *md, unsigned int len)
+{
+ unsigned int i;
+ static char buf[80];
+
+ for (i = 0; i < len; i++)
+ sprintf(&(buf[i * 2]), "%02x", md[i]);
+ return buf;
+}
+
+int setup_tests(void)
+{
+ ADD_TEST(test_cmac_bad);
+ ADD_TEST(test_cmac_run);
+ ADD_TEST(test_cmac_copy);
+ return 1;
+}
+
/*
- * Copyright 2011-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2011-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
*/
static int error_check(DRBG_SELFTEST_DATA *td)
{
- static char zero[sizeof(RAND_DRBG)];
RAND_DRBG *drbg = NULL;
TEST_CTX t;
unsigned char buff[1024];
/* Test detection of too large personalisation string */
if (!init(drbg, td, &t)
- || RAND_DRBG_instantiate(drbg, td->pers, drbg->max_perslen + 1) > 0)
+ || !TEST_false(RAND_DRBG_instantiate(drbg, td->pers, drbg->max_perslen + 1)))
goto err;
/*
/* Test entropy source failure detection: i.e. returns no data */
t.entropylen = 0;
- if (TEST_int_le(RAND_DRBG_instantiate(drbg, td->pers, td->perslen), 0))
+ if (!TEST_false(RAND_DRBG_instantiate(drbg, td->pers, td->perslen)))
goto err;
/* Try to generate output from uninstantiated DRBG */
goto err;
/* Test insufficient entropy */
+ if (!init(drbg, td, &t))
+ goto err;
t.entropylen = drbg->min_entropylen - 1;
- if (!init(drbg, td, &t)
- || RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
+ if (!TEST_false(RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
|| !uninstantiate(drbg))
goto err;
/* Test too much entropy */
+ if (!init(drbg, td, &t))
+ goto err;
t.entropylen = drbg->max_entropylen + 1;
- if (!init(drbg, td, &t)
- || RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
+ if (!TEST_false(RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
|| !uninstantiate(drbg))
goto err;
/* Test too small nonce */
if (drbg->min_noncelen) {
+ if (!init(drbg, td, &t))
+ goto err;
t.noncelen = drbg->min_noncelen - 1;
- if (!init(drbg, td, &t)
- || RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
+ if (!TEST_false(RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
|| !uninstantiate(drbg))
goto err;
}
/* Test too large nonce */
if (drbg->max_noncelen) {
+ if (!init(drbg, td, &t))
+ goto err;
t.noncelen = drbg->max_noncelen + 1;
- if (!init(drbg, td, &t)
- || RAND_DRBG_instantiate(drbg, td->pers, td->perslen) > 0
+ if (!TEST_false(RAND_DRBG_instantiate(drbg, td->pers, td->perslen))
|| !uninstantiate(drbg))
goto err;
}
* failure.
*/
t.entropylen = 0;
- if (TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 1,
+ if (!TEST_false(RAND_DRBG_generate(drbg, buff, td->exlen, 1,
td->adin, td->adinlen))
|| !uninstantiate(drbg))
goto err;
/* Instantiate again with valid data */
if (!instantiate(drbg, td, &t))
goto err;
- reseed_counter_tmp = drbg->reseed_gen_counter;
- drbg->reseed_gen_counter = drbg->reseed_interval;
+ reseed_counter_tmp = drbg->generate_counter;
+ drbg->generate_counter = drbg->reseed_interval;
/* Generate output and check entropy has been requested for reseed */
t.entropycnt = 0;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_int_eq(t.entropycnt, 1)
- || !TEST_int_eq(drbg->reseed_gen_counter, reseed_counter_tmp + 1)
+ || !TEST_int_eq(drbg->generate_counter, reseed_counter_tmp + 1)
|| !uninstantiate(drbg))
goto err;
/* Test reseed counter works */
if (!instantiate(drbg, td, &t))
goto err;
- reseed_counter_tmp = drbg->reseed_gen_counter;
- drbg->reseed_gen_counter = drbg->reseed_interval;
+ reseed_counter_tmp = drbg->generate_counter;
+ drbg->generate_counter = drbg->reseed_interval;
/* Generate output and check entropy has been requested for reseed */
t.entropycnt = 0;
if (!TEST_true(RAND_DRBG_generate(drbg, buff, td->exlen, 0,
td->adin, td->adinlen))
|| !TEST_int_eq(t.entropycnt, 1)
- || !TEST_int_eq(drbg->reseed_gen_counter, reseed_counter_tmp + 1)
+ || !TEST_int_eq(drbg->generate_counter, reseed_counter_tmp + 1)
|| !uninstantiate(drbg))
goto err;
/* Test explicit reseed with too large additional input */
if (!instantiate(drbg, td, &t)
- || RAND_DRBG_reseed(drbg, td->adin, drbg->max_adinlen + 1, 0) > 0)
+ || !TEST_false(RAND_DRBG_reseed(drbg, td->adin, drbg->max_adinlen + 1, 0)))
goto err;
/* Test explicit reseed with entropy source failure */
t.entropylen = 0;
- if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0), 0)
+ if (!TEST_false(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0))
|| !uninstantiate(drbg))
goto err;
if (!instantiate(drbg, td, &t))
goto err;
t.entropylen = drbg->max_entropylen + 1;
- if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0), 0)
+ if (!TEST_false(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0))
|| !uninstantiate(drbg))
goto err;
if (!instantiate(drbg, td, &t))
goto err;
t.entropylen = drbg->min_entropylen - 1;
- if (!TEST_int_le(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0), 0)
+ if (!TEST_false(RAND_DRBG_reseed(drbg, td->adin, td->adinlen, 0))
|| !uninstantiate(drbg))
goto err;
- /* Standard says we have to check uninstantiate really zeroes */
- if (!TEST_mem_eq(zero, sizeof(drbg->data), &drbg->data, sizeof(drbg->data)))
- goto err;
-
ret = 1;
err:
DRBG_SELFTEST_DATA *td = &drbg_test[i];
int rv = 0;
- if (error_check(td))
+ if (!error_check(td))
goto err;
rv = 1;
*/
/* Test whether seed propagation is enabled */
- if (!TEST_int_ne(master->reseed_prop_counter, 0)
- || !TEST_int_ne(public->reseed_prop_counter, 0)
- || !TEST_int_ne(private->reseed_prop_counter, 0))
+ if (!TEST_int_ne(master->reseed_counter, 0)
+ || !TEST_int_ne(public->reseed_counter, 0)
+ || !TEST_int_ne(private->reseed_counter, 0))
return 0;
/* Check whether the master DRBG's reseed counter is the largest one */
- if (!TEST_int_le(public->reseed_prop_counter, master->reseed_prop_counter)
- || !TEST_int_le(private->reseed_prop_counter, master->reseed_prop_counter))
+ if (!TEST_int_le(public->reseed_counter, master->reseed_counter)
+ || !TEST_int_le(private->reseed_counter, master->reseed_counter))
return 0;
/*
if (expect_success == 1) {
/* Test whether all three reseed counters are synchronized */
- if (!TEST_int_eq(public->reseed_prop_counter, master->reseed_prop_counter)
- || !TEST_int_eq(private->reseed_prop_counter, master->reseed_prop_counter))
+ if (!TEST_int_eq(public->reseed_counter, master->reseed_counter)
+ || !TEST_int_eq(private->reseed_counter, master->reseed_counter))
return 0;
/* Test whether reseed time of master DRBG is set correctly */
* Test whether the public and private DRBG are both reseeded when their
* reseed counters differ from the master's reseed counter.
*/
- master->reseed_prop_counter++;
+ master->reseed_counter++;
if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 1, 1, 0)))
goto error;
reset_drbg_hook_ctx();
* Test whether the public DRBG is reseeded when its reseed counter differs
* from the master's reseed counter.
*/
- master->reseed_prop_counter++;
- private->reseed_prop_counter++;
+ master->reseed_counter++;
+ private->reseed_counter++;
if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 1, 0, 0)))
goto error;
reset_drbg_hook_ctx();
* Test whether the private DRBG is reseeded when its reseed counter differs
* from the master's reseed counter.
*/
- master->reseed_prop_counter++;
- public->reseed_prop_counter++;
+ master->reseed_counter++;
+ public->reseed_counter++;
if (!TEST_true(test_drbg_reseed(1, master, public, private, 0, 0, 1, 0)))
goto error;
reset_drbg_hook_ctx();
* Test whether none of the DRBGs is reseed if the master fails to reseed
*/
master_ctx.fail = 1;
- master->reseed_prop_counter++;
+ master->reseed_counter++;
RAND_add(rand_add_buf, sizeof(rand_add_buf), sizeof(rand_add_buf));
if (!TEST_true(test_drbg_reseed(0, master, public, private, 0, 0, 0, 0)))
goto error;
/*
- * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
return ret;
}
+/*
+ * Tests behavior of the decoded_from_explicit_params flag and API
+ */
+static int decoded_flag_test(void)
+{
+ EC_GROUP *grp;
+ EC_GROUP *grp_copy = NULL;
+ ECPARAMETERS *ecparams = NULL;
+ ECPKPARAMETERS *ecpkparams = NULL;
+ EC_KEY *key = NULL;
+ unsigned char *encodedparams = NULL;
+ const unsigned char *encp;
+ int encodedlen;
+ int testresult = 0;
+
+ /* Test EC_GROUP_new not setting the flag */
+ grp = EC_GROUP_new(EC_GFp_simple_method());
+ if (!TEST_ptr(grp)
+ || !TEST_int_eq(grp->decoded_from_explicit_params, 0))
+ goto err;
+ EC_GROUP_free(grp);
+
+ /* Test EC_GROUP_new_by_curve_name not setting the flag */
+ grp = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
+ if (!TEST_ptr(grp)
+ || !TEST_int_eq(grp->decoded_from_explicit_params, 0))
+ goto err;
+
+ /* Test EC_GROUP_new_from_ecparameters not setting the flag */
+ if (!TEST_ptr(ecparams = EC_GROUP_get_ecparameters(grp, NULL))
+ || !TEST_ptr(grp_copy = EC_GROUP_new_from_ecparameters(ecparams))
+ || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 0))
+ goto err;
+ EC_GROUP_free(grp_copy);
+ grp_copy = NULL;
+ ECPARAMETERS_free(ecparams);
+ ecparams = NULL;
+
+ /* Test EC_GROUP_new_from_ecpkparameters not setting the flag */
+ if (!TEST_int_eq(EC_GROUP_get_asn1_flag(grp), OPENSSL_EC_NAMED_CURVE)
+ || !TEST_ptr(ecpkparams = EC_GROUP_get_ecpkparameters(grp, NULL))
+ || !TEST_ptr(grp_copy = EC_GROUP_new_from_ecpkparameters(ecpkparams))
+ || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 0)
+ || !TEST_ptr(key = EC_KEY_new())
+ /* Test EC_KEY_decoded_from_explicit_params on key without a group */
+ || !TEST_int_eq(EC_KEY_decoded_from_explicit_params(key), -1)
+ || !TEST_int_eq(EC_KEY_set_group(key, grp_copy), 1)
+ /* Test EC_KEY_decoded_from_explicit_params negative case */
+ || !TEST_int_eq(EC_KEY_decoded_from_explicit_params(key), 0))
+ goto err;
+ EC_GROUP_free(grp_copy);
+ grp_copy = NULL;
+ ECPKPARAMETERS_free(ecpkparams);
+ ecpkparams = NULL;
+
+ /* Test d2i_ECPKParameters with named params not setting the flag */
+ if (!TEST_int_gt(encodedlen = i2d_ECPKParameters(grp, &encodedparams), 0)
+ || !TEST_ptr(encp = encodedparams)
+ || !TEST_ptr(grp_copy = d2i_ECPKParameters(NULL, &encp, encodedlen))
+ || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 0))
+ goto err;
+ EC_GROUP_free(grp_copy);
+ grp_copy = NULL;
+ OPENSSL_free(encodedparams);
+ encodedparams = NULL;
+
+ /* Asn1 flag stays set to explicit with EC_GROUP_new_from_ecpkparameters */
+ EC_GROUP_set_asn1_flag(grp, OPENSSL_EC_EXPLICIT_CURVE);
+ if (!TEST_ptr(ecpkparams = EC_GROUP_get_ecpkparameters(grp, NULL))
+ || !TEST_ptr(grp_copy = EC_GROUP_new_from_ecpkparameters(ecpkparams))
+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(grp_copy), OPENSSL_EC_EXPLICIT_CURVE)
+ || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 0))
+ goto err;
+ EC_GROUP_free(grp_copy);
+ grp_copy = NULL;
+
+ /* Test d2i_ECPKParameters with explicit params setting the flag */
+ if (!TEST_int_gt(encodedlen = i2d_ECPKParameters(grp, &encodedparams), 0)
+ || !TEST_ptr(encp = encodedparams)
+ || !TEST_ptr(grp_copy = d2i_ECPKParameters(NULL, &encp, encodedlen))
+ || !TEST_int_eq(EC_GROUP_get_asn1_flag(grp_copy), OPENSSL_EC_EXPLICIT_CURVE)
+ || !TEST_int_eq(grp_copy->decoded_from_explicit_params, 1)
+ || !TEST_int_eq(EC_KEY_set_group(key, grp_copy), 1)
+ /* Test EC_KEY_decoded_from_explicit_params positive case */
+ || !TEST_int_eq(EC_KEY_decoded_from_explicit_params(key), 1))
+ goto err;
+
+ testresult = 1;
+
+ err:
+ EC_KEY_free(key);
+ EC_GROUP_free(grp);
+ EC_GROUP_free(grp_copy);
+ ECPARAMETERS_free(ecparams);
+ ECPKPARAMETERS_free(ecpkparams);
+ OPENSSL_free(encodedparams);
+
+ return testresult;
+}
+
int setup_tests(void)
{
crv_len = EC_get_builtin_curves(NULL, 0);
ADD_TEST(field_tests_ec2_simple);
#endif
ADD_ALL_TESTS(field_tests_default, crv_len);
+ ADD_TEST(decoded_flag_test);
return 1;
}
/*
- * Copyright 2001-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
*
* Licensed under the OpenSSL license (the "License"). You may not use
return ret;
}
+/*
+ * check the EC_METHOD respects the supplied EC_GROUP_set_generator G
+ */
+static int custom_generator_test(int id)
+{
+ int ret = 0, nid, bsize;
+ EC_GROUP *group = NULL;
+ EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
+ BN_CTX *ctx = NULL;
+ BIGNUM *k = NULL;
+ unsigned char *b1 = NULL, *b2 = NULL;
+
+ /* Do some setup */
+ nid = curves[id].nid;
+ TEST_note("Curve %s", OBJ_nid2sn(nid));
+ if (!TEST_ptr(ctx = BN_CTX_new()))
+ return 0;
+
+ BN_CTX_start(ctx);
+
+ if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
+ goto err;
+
+ /* expected byte length of encoded points */
+ bsize = (EC_GROUP_get_degree(group) + 7) / 8;
+ bsize = 2 * bsize + 1;
+
+ if (!TEST_ptr(k = BN_CTX_get(ctx))
+ /* fetch a testing scalar k != 0,1 */
+ || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
+ BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
+ /* make k even */
+ || !TEST_true(BN_clear_bit(k, 0))
+ || !TEST_ptr(G2 = EC_POINT_new(group))
+ || !TEST_ptr(Q1 = EC_POINT_new(group))
+ /* Q1 := kG */
+ || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
+ /* pull out the bytes of that */
+ || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
+ POINT_CONVERSION_UNCOMPRESSED, NULL,
+ 0, ctx), bsize)
+ || !TEST_ptr(b1 = OPENSSL_malloc(bsize))
+ || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
+ POINT_CONVERSION_UNCOMPRESSED, b1,
+ bsize, ctx), bsize)
+ /* new generator is G2 := 2G */
+ || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
+ ctx))
+ || !TEST_true(EC_GROUP_set_generator(group, G2,
+ EC_GROUP_get0_order(group),
+ EC_GROUP_get0_cofactor(group)))
+ || !TEST_ptr(Q2 = EC_POINT_new(group))
+ || !TEST_true(BN_rshift1(k, k))
+ /* Q2 := k/2 G2 */
+ || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))
+ || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
+ POINT_CONVERSION_UNCOMPRESSED, NULL,
+ 0, ctx), bsize)
+ || !TEST_ptr(b2 = OPENSSL_malloc(bsize))
+ || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
+ POINT_CONVERSION_UNCOMPRESSED, b2,
+ bsize, ctx), bsize)
+ /* Q1 = kG = k/2 G2 = Q2 should hold */
+ || !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0))
+ goto err;
+
+ ret = 1;
+
+ err:
+ BN_CTX_end(ctx);
+ EC_POINT_free(Q1);
+ EC_POINT_free(Q2);
+ EC_POINT_free(G2);
+ EC_GROUP_free(group);
+ BN_CTX_free(ctx);
+ OPENSSL_free(b1);
+ OPENSSL_free(b2);
+
+ return ret;
+}
+
#endif /* OPENSSL_NO_EC */
int setup_tests(void)
ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
+ ADD_ALL_TESTS(custom_generator_test, crv_len);
#endif /* OPENSSL_NO_EC */
return 1;
}
/*
- * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
}
if (extra->client.alpn_protocols != NULL) {
unsigned char *alpn_protos = NULL;
- size_t alpn_protos_len;
+ size_t alpn_protos_len = 0;
+
if (!TEST_true(parse_protos(extra->client.alpn_protocols,
&alpn_protos, &alpn_protos_len))
/* Reversed return value convention... */
#! /usr/bin/env perl
-# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
"cert-1023line.pem" => 1,
"cert-1024line.pem" => 1,
"cert-1025line.pem" => 1,
+ "cert-254-chars-at-the-end.pem" => 1,
+ "cert-254-chars-in-the-middle.pem" => 1,
"cert-255line.pem" => 1,
"cert-256line.pem" => 1,
"cert-257line.pem" => 1,
"cert-misalignedpad.pem" => 0,
"cert-onecolumn.pem" => 1,
"cert-oneline.pem" => 1,
+ "cert-oneline-multiple-of-254.pem" => 1,
"cert-shortandlongline.pem" => 1,
"cert-shortline.pem" => 1,
"cert-threecolumn.pem" => 1,
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIEcjCCAyegAwIBAgIUPLgYY73GEwkikNCKRJrcbCR+TbQwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkFVMWMwYQYDVQQIDFpUaGUgR3JlYXQgU3RhdGUgb2YgTG9uZy1XaW5kZWQgQ2VydGlmaWNhdGUgRmllbGQgTmFtZXMgV2hlcmVieSB0byBJbmNyZWFzZSB0aGUgT3V0cHV0IFNpemUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA0MDcwMDAwNDJaFw0zMDA0MDUwMDAwNDJaMIGVMQswCQYDVQQGEwJBVTFjMGEGA1UECAxaVGhlIEdyZWF0IFN0YXRlIG9mIExvbmctV2luZGVkIENlcnRpZmljYXRlIEZpZWxkIE5hbWVzIFdoZXJlYnkgdG8gSW5jcmVhc2UgdGhlIE91dHB1dCBTaXplMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggFUMA0GCSqGSIb3DQEBAQUAA4IBQQAwggE8AoIBMwLf
+mipKB41NPXrbp/T5eu+fndvZq72N/Tq0vZp2dRoz89NEFC3jYVBjp4pmVwCS9F/fGX1tnVfhb9k/4fqiI/y9lBVzxaHyMG/pt0D2nTS8iaMTM7uBeRvB5rUZlEbU8uvv4GXu3CeP/NnVceXruGbPb4IpjfoUbGLvn5oK35h8a+LNY5f7QRBlAXtUwYrdxVzT+CqQ4wIAuqoIVXgRIweveS1ArbS8hOtsVnu1bUAQVKqORHx8gtbOyiA4heTCEOkwh45YV6KW+uLI1wTeE4E9erlI4RwZ7umbBnQai/hYL//AUfQKQhpGbgfyJrS0UYY7WEP/mcFQh0U2EBTXtAy/e4XPiftViR3+pd+G2TJ/JFofDDzJRrceeo
+9tUnMr0pKtU7oB77lSKgsruKKkhn6lLH8CAwEAAaNTMFEwHQYDVR0OBBYEFIkawSiFUdL6G3jw8qg1WQI8Xi4rMB8GA1UdIwQYMBaAFIkawSiFUdL6G3jw8qg1WQI8Xi4rMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggE0AAHe/+71vykcq9BQ5h2X7MpnkE5n0Yn0Xi24uuCpv59JjABmOdaeT6XBQ5UJN8WfidawgzbJ6WiWgjflaMfRfjsdCJRgvdw0gfXXXrsseJMeMYnw1hQTGuB83BKjXBdL6zb45qGf2Fgjm3aNW2NUVM+Q2QfMjo
+Kx13hTyDh9l5nOhMv/Rkygcx1Row2WbkvrhxvCLxY0VhL7RuPV8K0ogKicv8VJgQriOUVTTkqBP1xUimKSTaNaZ8KAnC7thxxZHxsNa45a6AouPSzyAOPZQgCJW83OIFxvWsdYU1KvP1wmoi1XC9giSQ/5sLPu/eAYTzmY+Xd6Sq8dF8uyodeI2gFu3AzC28PVKeUriIGfxaqEUn+aXx5W+r8JTE6fQ9mBo9YxJBXG+OTIFgHR27q2dJwqK9c=
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIEcjCCAyegAwIBAgIUPLgYY73GEwkikNCKRJrcbCR+TbQwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkFVMWMwYQYDVQQIDFpUaGUgR3JlYXQgU3RhdGUgb2YgTG9uZy1XaW5kZWQgQ2VydGlmaWNhdGUgRmllbGQgTmFtZXMgV2hlcmVieSB0byBJbmNyZWFzZSB0aGUgT
+3V0cHV0IFNpemUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA0MDcwMDAwNDJaFw0zMDA0MDUwMDAwNDJaMIGVMQswCQYDVQQGEwJBVTFjMGEGA1UECAxaVGhlIEdyZWF0IFN0YXRlIG9mIExvbmctV2luZGVkIENlcnRpZmljYXRlIEZpZWxkIE5hbWVzIFdoZXJlYnkgdG8gSW5jcmVhc2UgdGhlIE91dHB1dCB
+TaXplMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggFUMA0GCSqGSIb3DQEBAQUAA4IBQQAwggE8AoIBMwLfmipKB41NPXrbp/T5eu+fndvZq72N/Tq0vZp2dRoz89NEFC3jYVBjp4pmVwCS9F/fGX1tnVfhb9k/4fqiI/y9lBVzxaHyMG/pt0D2nTS8iaMTM7uBeRvB5rUZlEbU8uvv4GXu3CeP/NnVceXruGbPb4IpjfoUbGLvn5oK35h8a+LNY5f7QRBlAXtUwYrdxVzT+CqQ4wIAuqoIVXgRIweveS1ArbS8hOtsVnu1bUAQVKqORHx8gtbOyiA4heTCEOkwh45YV6KW+uLI1wTeE4E9erlI4RwZ7umbBnQai/hYL//AUfQKQhpGbgfyJrS0UYY7WEP/mcFQh0U2EBTXtAy/e4XPiftViR3+pd+G2TJ/JFofDDzJRrceeo9tUnMr0pKtU7oB77lSKgsruKKkhn6lLH8CAwEAAaNTMFEwHQYDVR0OBBYEFIkawSiFUdL6G3jw8qg1WQI8Xi4rMB8GA1UdIwQYMBaAFIkawSiFUdL6G3jw8qg1WQI8Xi4rMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggE0AAHe/+71vykcq9BQ5h2X7MpnkE5n0Yn0Xi24uuCpv59JjABmOdaeT6XBQ5UJN8WfidawgzbJ6WiWgjflaMfRfjsdCJRgvdw0gfXXXrsseJMeMYnw1hQTGuB83BKjXBdL6zb45qGf2Fgjm3aNW2NUVM+Q2QfMjoKx13hTyDh9l5nOhMv/Rkygcx1Row2WbkvrhxvCLxY0VhL7RuPV8K0ogKicv8VJgQriOUVTTkqBP1xUimKSTaNaZ8KAnC7thxxZHxsNa45a6AouPSzyAOPZQgCJW83OIFxvWsdYU1KvP1wmoi1XC9giSQ/5sLPu/eAYTzmY+Xd6Sq8dF8uyodeI2gFu3AzC28PVKeUriIGfxaqEUn+aXx5W+r8JTE6fQ9mBo9YxJBXG+OTIFgHR27q2dJwqK9c=
+-----END CERTIFICATE-----
--- /dev/null
+-----BEGIN CERTIFICATE-----
+MIIEcjCCAyegAwIBAgIUPLgYY73GEwkikNCKRJrcbCR+TbQwDQYJKoZIhvcNAQELBQAwgZUxCzAJBgNVBAYTAkFVMWMwYQYDVQQIDFpUaGUgR3JlYXQgU3RhdGUgb2YgTG9uZy1XaW5kZWQgQ2VydGlmaWNhdGUgRmllbGQgTmFtZXMgV2hlcmVieSB0byBJbmNyZWFzZSB0aGUgT3V0cHV0IFNpemUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMDA0MDcwMDAwNDJaFw0zMDA0MDUwMDAwNDJaMIGVMQswCQYDVQQGEwJBVTFjMGEGA1UECAxaVGhlIEdyZWF0IFN0YXRlIG9mIExvbmctV2luZGVkIENlcnRpZmljYXRlIEZpZWxkIE5hbWVzIFdoZXJlYnkgdG8gSW5jcmVhc2UgdGhlIE91dHB1dCBTaXplMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggFUMA0GCSqGSIb3DQEBAQUAA4IBQQAwggE8AoIBMwLfmipKB41NPXrbp/T5eu+fndvZq72N/Tq0vZp2dRoz89NEFC3jYVBjp4pmVwCS9F/fGX1tnVfhb9k/4fqiI/y9lBVzxaHyMG/pt0D2nTS8iaMTM7uBeRvB5rUZlEbU8uvv4GXu3CeP/NnVceXruGbPb4IpjfoUbGLvn5oK35h8a+LNY5f7QRBlAXtUwYrdxVzT+CqQ4wIAuqoIVXgRIweveS1ArbS8hOtsVnu1bUAQVKqORHx8gtbOyiA4heTCEOkwh45YV6KW+uLI1wTeE4E9erlI4RwZ7umbBnQai/hYL//AUfQKQhpGbgfyJrS0UYY7WEP/mcFQh0U2EBTXtAy/e4XPiftViR3+pd+G2TJ/JFofDDzJRrceeo9tUnMr0pKtU7oB77lSKgsruKKkhn6lLH8CAwEAAaNTMFEwHQYDVR0OBBYEFIkawSiFUdL6G3jw8qg1WQI8Xi4rMB8GA1UdIwQYMBaAFIkawSiFUdL6G3jw8qg1WQI8Xi4rMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggE0AAHe/+71vykcq9BQ5h2X7MpnkE5n0Yn0Xi24uuCpv59JjABmOdaeT6XBQ5UJN8WfidawgzbJ6WiWgjflaMfRfjsdCJRgvdw0gfXXXrsseJMeMYnw1hQTGuB83BKjXBdL6zb45qGf2Fgjm3aNW2NUVM+Q2QfMjoKx13hTyDh9l5nOhMv/Rkygcx1Row2WbkvrhxvCLxY0VhL7RuPV8K0ogKicv8VJgQriOUVTTkqBP1xUimKSTaNaZ8KAnC7thxxZHxsNa45a6AouPSzyAOPZQgCJW83OIFxvWsdYU1KvP1wmoi1XC9giSQ/5sLPu/eAYTzmY+Xd6Sq8dF8uyodeI2gFu3AzC28PVKeUriIGfxaqEUn+aXx5W+r8JTE6fQ9mBo9YxJBXG+OTIFgHR27q2dJwqK9c=
+-----END CERTIFICATE-----
--- /dev/null
+#! /usr/bin/env perl
+# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use OpenSSL::Test::Simple;
+
+simple_test("test_cmac", "cmactest", "cmac");
#! /usr/bin/env perl
-# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
setup("test_ec");
-plan tests => 5;
+plan tests => 11;
require_ok(srctop_file('test','recipes','tconversion.pl'));
ok(run(test(["ectest"])), "running ectest");
- SKIP: {
- skip "Skipping ec conversion test", 3
- if disabled("ec");
-
- subtest 'ec conversions -- private key' => sub {
- tconversion("ec", srctop_file("test","testec-p256.pem"));
- };
- subtest 'ec conversions -- private key PKCS#8' => sub {
- tconversion("ec", srctop_file("test","testec-p256.pem"), "pkey");
- };
- subtest 'ec conversions -- public key' => sub {
- tconversion("ec", srctop_file("test","testecpub-p256.pem"), "ec", "-pubin", "-pubout");
- };
+SKIP: {
+ skip "Skipping EC conversion test", 3
+ if disabled("ec");
+
+ subtest 'EC conversions -- private key' => sub {
+ tconversion("ec", srctop_file("test","testec-p256.pem"));
+ };
+ subtest 'EC conversions -- private key PKCS#8' => sub {
+ tconversion("ec", srctop_file("test","testec-p256.pem"), "pkey");
+ };
+ subtest 'EC conversions -- public key' => sub {
+ tconversion("ec", srctop_file("test","testecpub-p256.pem"),
+ "ec", "-pubin", "-pubout");
+ };
+}
+
+SKIP: {
+ skip "Skipping EdDSA conversion test", 6
+ if disabled("ec");
+
+ subtest 'Ed25519 conversions -- private key' => sub {
+ tconversion("pkey", srctop_file("test","tested25519.pem"));
+ };
+ subtest 'Ed25519 conversions -- private key PKCS#8' => sub {
+ tconversion("pkey", srctop_file("test","tested25519.pem"), "pkey");
+ };
+ subtest 'Ed25519 conversions -- public key' => sub {
+ tconversion("pkey", srctop_file("test","tested25519pub.pem"),
+ "pkey", "-pubin", "-pubout");
+ };
+
+ subtest 'Ed448 conversions -- private key' => sub {
+ tconversion("pkey", srctop_file("test","tested448.pem"));
+ };
+ subtest 'Ed448 conversions -- private key PKCS#8' => sub {
+ tconversion("pkey", srctop_file("test","tested448.pem"), "pkey");
+ };
+ subtest 'Ed448 conversions -- public key' => sub {
+ tconversion("pkey", srctop_file("test","tested448pub.pem"),
+ "pkey", "-pubin", "-pubout");
+ };
}
--- /dev/null
+#! /usr/bin/env perl
+# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Spec;
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_genec");
+
+plan skip_all => "This test is unsupported in a no-ec build"
+ if disabled("ec");
+
+my @prime_curves = qw(
+ secp112r1
+ secp112r2
+ secp128r1
+ secp128r2
+ secp160k1
+ secp160r1
+ secp160r2
+ secp192k1
+ secp224k1
+ secp224r1
+ secp256k1
+ secp384r1
+ secp521r1
+ prime192v1
+ prime192v2
+ prime192v3
+ prime239v1
+ prime239v2
+ prime239v3
+ prime256v1
+ wap-wsg-idm-ecid-wtls6
+ wap-wsg-idm-ecid-wtls7
+ wap-wsg-idm-ecid-wtls8
+ wap-wsg-idm-ecid-wtls9
+ wap-wsg-idm-ecid-wtls12
+ brainpoolP160r1
+ brainpoolP160t1
+ brainpoolP192r1
+ brainpoolP192t1
+ brainpoolP224r1
+ brainpoolP224t1
+ brainpoolP256r1
+ brainpoolP256t1
+ brainpoolP320r1
+ brainpoolP320t1
+ brainpoolP384r1
+ brainpoolP384t1
+ brainpoolP512r1
+ brainpoolP512t1
+);
+
+my @binary_curves = qw(
+ sect113r1
+ sect113r2
+ sect131r1
+ sect131r2
+ sect163k1
+ sect163r1
+ sect163r2
+ sect193r1
+ sect193r2
+ sect233k1
+ sect233r1
+ sect239k1
+ sect283k1
+ sect283r1
+ sect409k1
+ sect409r1
+ sect571k1
+ sect571r1
+ c2pnb163v1
+ c2pnb163v2
+ c2pnb163v3
+ c2pnb176v1
+ c2tnb191v1
+ c2tnb191v2
+ c2tnb191v3
+ c2pnb208w1
+ c2tnb239v1
+ c2tnb239v2
+ c2tnb239v3
+ c2pnb272w1
+ c2pnb304w1
+ c2tnb359v1
+ c2pnb368w1
+ c2tnb431r1
+ wap-wsg-idm-ecid-wtls1
+ wap-wsg-idm-ecid-wtls3
+ wap-wsg-idm-ecid-wtls4
+ wap-wsg-idm-ecid-wtls5
+ wap-wsg-idm-ecid-wtls10
+ wap-wsg-idm-ecid-wtls11
+);
+
+my @explicit_only_curves = ();
+push(@explicit_only_curves, qw(
+ Oakley-EC2N-3
+ Oakley-EC2N-4
+ )) if !disabled("ec2m");
+
+my @other_curves = ();
+push(@other_curves, 'SM2')
+ if !disabled("sm2");
+
+my @curve_aliases = qw(
+ P-192
+ P-224
+ P-256
+ P-384
+ P-521
+);
+push(@curve_aliases, qw(
+ B-163
+ B-233
+ B-283
+ B-409
+ B-571
+ K-163
+ K-233
+ K-283
+ K-409
+ K-571
+)) if !disabled("ec2m");
+
+my @curve_list = ();
+push(@curve_list, @prime_curves);
+push(@curve_list, @binary_curves)
+ if !disabled("ec2m");
+push(@curve_list, @other_curves);
+push(@curve_list, @curve_aliases);
+
+my @params_encodings = ('named_curve', 'explicit');
+
+my @output_formats = ('PEM', 'DER');
+
+plan tests => scalar(@curve_list) * scalar(@params_encodings)
+ * (1 + scalar(@output_formats)) # Try listed @output_formats and text output
+ * 2 # Test generating parameters and keys
+ + 1 # Checking that with no curve it fails
+ + 1 # Checking that with unknown curve it fails
+ + 1 # Subtest for explicit only curves
+ ;
+
+ok(!run(app([ 'openssl', 'genpkey',
+ '-algorithm', 'EC'])),
+ "genpkey EC with no params should fail");
+
+ok(!run(app([ 'openssl', 'genpkey',
+ '-algorithm', 'EC',
+ '-pkeyopt', 'ec_paramgen_curve:bogus_foobar_curve'])),
+ "genpkey EC with unknown curve name should fail");
+
+foreach my $curvename (@curve_list) {
+ foreach my $paramenc (@params_encodings) {
+
+ # --- Test generating parameters ---
+
+ ok(run(app([ 'openssl', 'genpkey', '-genparam',
+ '-algorithm', 'EC',
+ '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+ '-pkeyopt', 'ec_param_enc:'.$paramenc,
+ '-text'])),
+ "genpkey EC params ${curvename} with ec_param_enc:'${paramenc}' (text)");
+
+ foreach my $outform (@output_formats) {
+ my $outfile = "ecgen.${curvename}.${paramenc}." . lc $outform;
+ ok(run(app([ 'openssl', 'genpkey', '-genparam',
+ '-algorithm', 'EC',
+ '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+ '-pkeyopt', 'ec_param_enc:'.$paramenc,
+ '-outform', $outform,
+ '-out', $outfile])),
+ "genpkey EC params ${curvename} with ec_param_enc:'${paramenc}' (${outform})");
+ }
+
+ # --- Test generating actual keys ---
+
+ ok(run(app([ 'openssl', 'genpkey',
+ '-algorithm', 'EC',
+ '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+ '-pkeyopt', 'ec_param_enc:'.$paramenc,
+ '-text'])),
+ "genpkey EC key on ${curvename} with ec_param_enc:'${paramenc}' (text)");
+
+ foreach my $outform (@output_formats) {
+ my $outfile = "ecgen.${curvename}.${paramenc}." . lc $outform;
+ ok(run(app([ 'openssl', 'genpkey',
+ '-algorithm', 'EC',
+ '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+ '-pkeyopt', 'ec_param_enc:'.$paramenc,
+ '-outform', $outform,
+ '-out', $outfile])),
+ "genpkey EC key on ${curvename} with ec_param_enc:'${paramenc}' (${outform})");
+ }
+ }
+}
+
+subtest "test curves that only support explicit parameters encoding" => sub {
+ @curve_list = @explicit_only_curves;
+
+ plan skip_all => "This test is unsupported under current configuration"
+ if scalar(@curve_list) <= 0;
+
+ plan tests => scalar(@curve_list) * scalar(@params_encodings)
+ * (1 + scalar(@output_formats)) # Try listed @output_formats and text output
+ * 2 # Test generating parameters and keys
+ ;
+
+ foreach my $curvename (@curve_list) {
+ my $paramenc = "explicit";
+
+ # --- Test generating parameters ---
+
+ ok(run(app([ 'openssl', 'genpkey', '-genparam',
+ '-algorithm', 'EC',
+ '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+ '-pkeyopt', 'ec_param_enc:'.$paramenc,
+ '-text'])),
+ "genpkey EC params ${curvename} with ec_param_enc:'${paramenc}' (text)");
+
+ foreach my $outform (@output_formats) {
+ my $outfile = "ecgen.${curvename}.${paramenc}." . lc $outform;
+ ok(run(app([ 'openssl', 'genpkey', '-genparam',
+ '-algorithm', 'EC',
+ '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+ '-pkeyopt', 'ec_param_enc:'.$paramenc,
+ '-outform', $outform,
+ '-out', $outfile])),
+ "genpkey EC params ${curvename} with ec_param_enc:'${paramenc}' (${outform})");
+ }
+
+ # --- Test generating actual keys ---
+
+ ok(run(app([ 'openssl', 'genpkey',
+ '-algorithm', 'EC',
+ '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+ '-pkeyopt', 'ec_param_enc:'.$paramenc,
+ '-text'])),
+ "genpkey EC key on ${curvename} with ec_param_enc:'${paramenc}' (text)");
+
+ foreach my $outform (@output_formats) {
+ my $outfile = "ecgen.${curvename}.${paramenc}." . lc $outform;
+ ok(run(app([ 'openssl', 'genpkey',
+ '-algorithm', 'EC',
+ '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+ '-pkeyopt', 'ec_param_enc:'.$paramenc,
+ '-outform', $outform,
+ '-out', $outfile])),
+ "genpkey EC key on ${curvename} with ec_param_enc:'${paramenc}' (${outform})");
+ }
+
+ my $paramenc = "named_curve";
+
+ # --- Test generating parameters ---
+
+ ok(!run(app([ 'openssl', 'genpkey', '-genparam',
+ '-algorithm', 'EC',
+ '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+ '-pkeyopt', 'ec_param_enc:'.$paramenc,
+ '-text'])),
+ "genpkey EC params ${curvename} with ec_param_enc:'${paramenc}' (text)");
+
+ foreach my $outform (@output_formats) {
+ my $outfile = "ecgen.${curvename}.${paramenc}." . lc $outform;
+ ok(!run(app([ 'openssl', 'genpkey', '-genparam',
+ '-algorithm', 'EC',
+ '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+ '-pkeyopt', 'ec_param_enc:'.$paramenc,
+ '-outform', $outform,
+ '-out', $outfile])),
+ "genpkey EC params ${curvename} with ec_param_enc:'${paramenc}' (${outform})");
+ }
+
+ # --- Test generating actual keys ---
+
+ ok(!run(app([ 'openssl', 'genpkey',
+ '-algorithm', 'EC',
+ '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+ '-pkeyopt', 'ec_param_enc:'.$paramenc,
+ '-text'])),
+ "genpkey EC key on ${curvename} with ec_param_enc:'${paramenc}' (text)");
+
+ foreach my $outform (@output_formats) {
+ my $outfile = "ecgen.${curvename}.${paramenc}." . lc $outform;
+ ok(!run(app([ 'openssl', 'genpkey',
+ '-algorithm', 'EC',
+ '-pkeyopt', 'ec_paramgen_curve:'.$curvename,
+ '-pkeyopt', 'ec_param_enc:'.$paramenc,
+ '-outform', $outform,
+ '-out', $outfile])),
+ "genpkey EC key on ${curvename} with ec_param_enc:'${paramenc}' (${outform})");
+ }
+ }
+};
--- /dev/null
+#! /usr/bin/env perl
+# Copyright 2017-2020 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the Apache License 2.0 (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+
+use strict;
+use warnings;
+
+use File::Spec;
+use OpenSSL::Test qw/:DEFAULT with srctop_file/;
+use OpenSSL::Test::Utils;
+
+setup("test_dgst");
+
+plan tests => 5;
+
+sub tsignverify {
+ my $testtext = shift;
+ my $privkey = shift;
+ my $pubkey = shift;
+
+ my $data_to_sign = srctop_file('test', 'README');
+ my $other_data = srctop_file('test', 'README.external');
+
+ plan tests => 4;
+
+ ok(run(app(['openssl', 'dgst', '-sign', $privkey,
+ '-out', 'testdgst.sig',
+ $data_to_sign])),
+ $testtext.": Generating signature");
+
+ ok(run(app(['openssl', 'dgst', '-prverify', $privkey,
+ '-signature', 'testdgst.sig',
+ $data_to_sign])),
+ $testtext.": Verify signature with private key");
+
+ ok(run(app(['openssl', 'dgst', '-verify', $pubkey,
+ '-signature', 'testdgst.sig',
+ $data_to_sign])),
+ $testtext.": Verify signature with public key");
+
+ ok(!run(app(['openssl', 'dgst', '-verify', $pubkey,
+ '-signature', 'testdgst.sig',
+ $other_data])),
+ $testtext.": Expect failure verifying mismatching data");
+
+ unlink 'testdgst.sig';
+}
+
+SKIP: {
+ skip "RSA is not supported by this OpenSSL build", 1
+ if disabled("rsa");
+
+ subtest "RSA signature generation and verification with `dgst` CLI" => sub {
+ tsignverify("RSA",
+ srctop_file("test","testrsa.pem"),
+ srctop_file("test","testrsapub.pem"));
+ };
+}
+
+SKIP: {
+ skip "DSA is not supported by this OpenSSL build", 1
+ if disabled("dsa");
+
+ subtest "DSA signature generation and verification with `dgst` CLI" => sub {
+ tsignverify("DSA",
+ srctop_file("test","testdsa.pem"),
+ srctop_file("test","testdsapub.pem"));
+ };
+}
+
+SKIP: {
+ skip "ECDSA is not supported by this OpenSSL build", 1
+ if disabled("ec");
+
+ subtest "ECDSA signature generation and verification with `dgst` CLI" => sub {
+ tsignverify("ECDSA",
+ srctop_file("test","testec-p256.pem"),
+ srctop_file("test","testecpub-p256.pem"));
+ };
+}
+
+SKIP: {
+ skip "EdDSA is not supported by this OpenSSL build", 2
+ if disabled("ec");
+
+ skip "EdDSA is not supported with `dgst` CLI", 2;
+
+ subtest "Ed25519 signature generation and verification with `dgst` CLI" => sub {
+ tsignverify("Ed25519",
+ srctop_file("test","tested25519.pem"),
+ srctop_file("test","tested25519pub.pem"));
+ };
+
+ subtest "Ed448 signature generation and verification with `dgst` CLI" => sub {
+ tsignverify("Ed448",
+ srctop_file("test","tested448.pem"),
+ srctop_file("test","tested448pub.pem"));
+ };
+}
#! /usr/bin/env perl
-# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
setup("test_req");
-plan tests => 12;
+plan tests => 14;
require_ok(srctop_file('test','recipes','tconversion.pl'));
}
};
+subtest "generating certificate requests with Ed25519" => sub {
+ plan tests => 2;
+
+ SKIP: {
+ skip "Ed25519 is not supported by this OpenSSL build", 2
+ if disabled("ec");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq.pem", "-utf8",
+ "-key", srctop_file("test", "tested25519.pem")])),
+ "Generating request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq.pem", "-noout"])),
+ "Verifying signature on request");
+ }
+};
+
+subtest "generating certificate requests with Ed448" => sub {
+ plan tests => 2;
+
+ SKIP: {
+ skip "Ed448 is not supported by this OpenSSL build", 2
+ if disabled("ec");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-new", "-out", "testreq.pem", "-utf8",
+ "-key", srctop_file("test", "tested448.pem")])),
+ "Generating request");
+
+ ok(run(app(["openssl", "req",
+ "-config", srctop_file("test", "test.cnf"),
+ "-verify", "-in", "testreq.pem", "-noout"])),
+ "Verifying signature on request");
+ }
+};
+
subtest "generating certificate requests" => sub {
plan tests => 2;
run(app([@args]));
}
-plan tests => 137;
+plan tests => 145;
# Canonical success
ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]),
"fail untrusted partial chain");
ok(verify("ee-cert", "sslserver", [qw(ca-cert)], [], "-partial_chain"),
"accept trusted partial chain");
+ok(!verify("ee-cert", "sslserver", [qw(ca-expired)], [], "-partial_chain"),
+ "reject expired trusted partial chain"); # this check is beyond RFC 5280
+ok(!verify("ee-cert", "sslserver", [qw(root-expired)], [qw(ca-cert)]),
+ "reject expired trusted root"); # this check is beyond RFC 5280
ok(verify("ee-cert", "sslserver", [qw(sca-cert)], [], "-partial_chain"),
"accept partial chain with server purpose");
ok(!verify("ee-cert", "sslserver", [qw(cca-cert)], [], "-partial_chain"),
ok(!verify("ee-cert-md5", "sslserver", ["root-cert"], ["ca-cert"]),
"reject md5 leaf at auth level 1");
+# Explicit vs named curve tests
+SKIP: {
+ skip "EC is not supported by this OpenSSL build", 5
+ if disabled("ec");
+ ok(verify("ee-cert-ec-explicit", "sslserver", ["root-cert"],
+ ["ca-cert-ec-named"]),
+ "accept explicit curve leaf with named curve intermediate without strict");
+ ok(verify("ee-cert-ec-named-explicit", "sslserver", ["root-cert"],
+ ["ca-cert-ec-explicit"]),
+ "accept named curve leaf with explicit curve intermediate without strict");
+ ok(!verify("ee-cert-ec-explicit", "sslserver", ["root-cert"],
+ ["ca-cert-ec-named"], "-x509_strict"),
+ "reject explicit curve leaf with named curve intermediate with strict");
+ ok(!verify("ee-cert-ec-named-explicit", "sslserver", ["root-cert"],
+ ["ca-cert-ec-explicit"], "-x509_strict"),
+ "reject named curve leaf with explicit curve intermediate with strict");
+ ok(verify("ee-cert-ec-named-named", "sslserver", ["root-cert"],
+ ["ca-cert-ec-named"], "-x509_strict"),
+ "accept named curve leaf with named curve intermediate with strict");
+}
+
# Depth tests, note the depth limit bounds the number of CA certificates
# between the trust-anchor and the leaf, so, for example, with a root->ca->leaf
# chain, depth = 1 is sufficient, but depth == 0 is not.
ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"),
"Public Key Algorithm rsa instead of rsaEncryption");
+ ok(verify("ee-self-signed", "sslserver", ["ee-self-signed"], []),
+ "accept trusted self-signed EE cert excluding key usage keyCertSign");
+
SKIP: {
skip "Ed25519 is not supported by this OpenSSL build", 1
if disabled("ec");
/*
- * Copyright 1999-2019 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1999-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
static int rsa_setkey(RSA** key, unsigned char* ctext, int idx)
{
int clen = 0;
+
*key = RSA_new();
- switch (idx) {
- case 0:
- clen = key1(*key, ctext);
- break;
- case 1:
- clen = key2(*key, ctext);
- break;
- case 2:
- clen = key3(*key, ctext);
- break;
- }
+ if (*key != NULL)
+ switch (idx) {
+ case 0:
+ clen = key1(*key, ctext);
+ break;
+ case 1:
+ clen = key2(*key, ctext);
+ break;
+ case 2:
+ clen = key3(*key, ctext);
+ break;
+ }
return clen;
}
return testresult;
}
-#endif
/*
* Very focused test to exercise a single case in the server-side state
return testresult;
}
+#endif
static int execute_test_large_message(const SSL_METHOD *smeth,
const SSL_METHOD *cmeth,
#define MSG6 "test"
#define MSG7 "message."
-#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
+#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
+#define TLS13_CHACHA20_POLY1305_SHA256_BYTES ((const unsigned char *)"\x13\x03")
+#define TLS13_AES_128_CCM_SHA256_BYTES ((const unsigned char *)"\x13\x04")
+#define TLS13_AES_128_CCM_8_SHA256_BYTES ((const unsigned char *)"\x13\05")
static SSL_SESSION *create_a_psk(SSL *ssl)
}
/*
+ * Test TLSv1.3 PSK can be used to send early_data with all 5 ciphersuites
+ * idx == 0: Test with TLS1_3_RFC_AES_128_GCM_SHA256
+ * idx == 1: Test with TLS1_3_RFC_AES_256_GCM_SHA384
+ * idx == 2: Test with TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
+ * idx == 3: Test with TLS1_3_RFC_AES_128_CCM_SHA256
+ * idx == 4: Test with TLS1_3_RFC_AES_128_CCM_8_SHA256
+ */
+static int test_early_data_psk_with_all_ciphers(int idx)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL;
+ int testresult = 0;
+ SSL_SESSION *sess = NULL;
+ unsigned char buf[20];
+ size_t readbytes, written;
+ const SSL_CIPHER *cipher;
+ const char *cipher_str[] = {
+ TLS1_3_RFC_AES_128_GCM_SHA256,
+ TLS1_3_RFC_AES_256_GCM_SHA384,
+# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+ TLS1_3_RFC_CHACHA20_POLY1305_SHA256,
+# else
+ NULL,
+# endif
+ TLS1_3_RFC_AES_128_CCM_SHA256,
+ TLS1_3_RFC_AES_128_CCM_8_SHA256
+ };
+ const unsigned char *cipher_bytes[] = {
+ TLS13_AES_128_GCM_SHA256_BYTES,
+ TLS13_AES_256_GCM_SHA384_BYTES,
+# if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
+ TLS13_CHACHA20_POLY1305_SHA256_BYTES,
+# else
+ NULL,
+# endif
+ TLS13_AES_128_CCM_SHA256_BYTES,
+ TLS13_AES_128_CCM_8_SHA256_BYTES
+ };
+
+ if (cipher_str[idx] == NULL)
+ return 1;
+
+ /* We always set this up with a final parameter of "2" for PSK */
+ if (!TEST_true(setupearly_data_test(&cctx, &sctx, &clientssl,
+ &serverssl, &sess, 2)))
+ goto end;
+
+ if (!TEST_true(SSL_set_ciphersuites(clientssl, cipher_str[idx]))
+ || !TEST_true(SSL_set_ciphersuites(serverssl, cipher_str[idx])))
+ goto end;
+
+ /*
+ * 'setupearly_data_test' creates only one instance of SSL_SESSION
+ * and assigns to both client and server with incremented reference
+ * and the same instance is updated in 'sess'.
+ * So updating ciphersuite in 'sess' which will get reflected in
+ * PSK handshake using psk use sess and find sess cb.
+ */
+ cipher = SSL_CIPHER_find(clientssl, cipher_bytes[idx]);
+ if (!TEST_ptr(cipher) || !TEST_true(SSL_SESSION_set_cipher(sess, cipher)))
+ goto end;
+
+ SSL_set_connect_state(clientssl);
+ if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1),
+ &written)))
+ goto end;
+
+ if (!TEST_int_eq(SSL_read_early_data(serverssl, buf, sizeof(buf),
+ &readbytes),
+ SSL_READ_EARLY_DATA_SUCCESS)
+ || !TEST_mem_eq(buf, readbytes, MSG1, strlen(MSG1))
+ || !TEST_int_eq(SSL_get_early_data_status(serverssl),
+ SSL_EARLY_DATA_ACCEPTED)
+ || !TEST_int_eq(SSL_connect(clientssl), 1)
+ || !TEST_int_eq(SSL_accept(serverssl), 1))
+ goto end;
+
+ /* Send some normal data from client to server */
+ if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written))
+ || !TEST_size_t_eq(written, strlen(MSG2)))
+ goto end;
+
+ if (!TEST_true(SSL_read_ex(serverssl, buf, sizeof(buf), &readbytes))
+ || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
+ goto end;
+
+ testresult = 1;
+ end:
+ SSL_SESSION_free(sess);
+ SSL_SESSION_free(clientpsk);
+ SSL_SESSION_free(serverpsk);
+ clientpsk = serverpsk = NULL;
+ if (clientssl != NULL)
+ SSL_shutdown(clientssl);
+ if (serverssl != NULL)
+ SSL_shutdown(serverssl);
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ return testresult;
+}
+
+/*
* Test that a server that doesn't try to read early data can handle a
* client sending some.
*/
SSL_CTX_set_min_proto_version(cctx, protocols[tst]);
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL,
- NULL))
- || !TEST_true(create_ssl_connection(serverssl, clientssl,
- SSL_ERROR_NONE)))
+ NULL)))
+ goto end;
+
+ /*
+ * Premature call of SSL_export_keying_material should just fail.
+ */
+ if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1,
+ sizeof(ckeymat1), label,
+ SMALL_LABEL_LEN + 1, context,
+ sizeof(context) - 1, 1), 0))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE)))
goto end;
if (tst == 5) {
return testresult;
}
+#ifndef OPENSSL_NO_TLS1_2
+static int test_ssl_dup(void)
+{
+ SSL_CTX *cctx = NULL, *sctx = NULL;
+ SSL *clientssl = NULL, *serverssl = NULL, *client2ssl = NULL;
+ int testresult = 0;
+ BIO *rbio = NULL, *wbio = NULL;
+
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ TLS_client_method(),
+ 0,
+ 0,
+ &sctx, &cctx, cert, privkey)))
+ goto end;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+
+ if (!TEST_true(SSL_set_min_proto_version(clientssl, TLS1_2_VERSION))
+ || !TEST_true(SSL_set_max_proto_version(clientssl, TLS1_2_VERSION)))
+ goto end;
+
+ client2ssl = SSL_dup(clientssl);
+ rbio = SSL_get_rbio(clientssl);
+ if (!TEST_ptr(rbio)
+ || !TEST_true(BIO_up_ref(rbio)))
+ goto end;
+ SSL_set0_rbio(client2ssl, rbio);
+ rbio = NULL;
+
+ wbio = SSL_get_wbio(clientssl);
+ if (!TEST_ptr(wbio) || !TEST_true(BIO_up_ref(wbio)))
+ goto end;
+ SSL_set0_wbio(client2ssl, wbio);
+ rbio = NULL;
+
+ if (!TEST_ptr(client2ssl)
+ /* Handshake not started so pointers should be different */
+ || !TEST_ptr_ne(clientssl, client2ssl))
+ goto end;
+
+ if (!TEST_int_eq(SSL_get_min_proto_version(client2ssl), TLS1_2_VERSION)
+ || !TEST_int_eq(SSL_get_max_proto_version(client2ssl), TLS1_2_VERSION))
+ goto end;
+
+ if (!TEST_true(create_ssl_connection(serverssl, client2ssl, SSL_ERROR_NONE)))
+ goto end;
+
+ SSL_free(clientssl);
+ clientssl = SSL_dup(client2ssl);
+ if (!TEST_ptr(clientssl)
+ /* Handshake has finished so pointers should be the same */
+ || !TEST_ptr_eq(clientssl, client2ssl))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_free(client2ssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+
+ return testresult;
+}
+#endif
+
int setup_tests(void)
{
if (!TEST_ptr(certsdir = test_get_argument(0))
ADD_ALL_TESTS(test_early_data_skip_abort, 3);
ADD_ALL_TESTS(test_early_data_not_sent, 3);
ADD_ALL_TESTS(test_early_data_psk, 8);
+ ADD_ALL_TESTS(test_early_data_psk_with_all_ciphers, 5);
ADD_ALL_TESTS(test_early_data_not_expected, 3);
# ifndef OPENSSL_NO_TLS1_2
ADD_ALL_TESTS(test_early_data_tls1_2, 3);
ADD_ALL_TESTS(test_client_cert_cb, 2);
ADD_ALL_TESTS(test_ca_names, 3);
ADD_ALL_TESTS(test_servername, 10);
+#ifndef OPENSSL_NO_TLS1_2
+ ADD_TEST(test_ssl_dup);
+#endif
return 1;
}
--- /dev/null
+-----BEGIN PRIVATE KEY-----
+MC4CAQAwBQYDK2VwBCIEINTuctv5E1hK1bbY8fdp+K06/nwoy/HU++CXqI9EdVhC
+-----END PRIVATE KEY-----
--- /dev/null
+-----BEGIN PUBLIC KEY-----
+MCowBQYDK2VwAyEAGb9ECWmEzf6FQbrBZ9w7lshQhqowtrbLDFw4rXAxZuE=
+-----END PUBLIC KEY-----
--- /dev/null
+-----BEGIN PRIVATE KEY-----
+MEcCAQAwBQYDK2VxBDsEOWyCpWLLgI0Q1jK+ichRPr9skp803fqMn2PJlg7240ij
+UoyKP8wvBE45o/xblEkvjwMudUmiAJj5Ww==
+-----END PRIVATE KEY-----
--- /dev/null
+-----BEGIN PUBLIC KEY-----
+MEMwBQYDK2VxAzoAX9dEm1m0Yf0s54fsYWrUah2hNCSFpw4fig6nXYDpZ3jt8SR2
+m0bHBhvWeD3x5Q9s0foavq/oJWGA
+-----END PUBLIC KEY-----
/*
- * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
{
int ret = 0;
unsigned char *refd;
- size_t refdatalen;
+ size_t refdatalen = 0;
if (enc)
refd = multihexstr2buf(recd->ciphertext, &refdatalen);
/*
- * Copyright 2012-2018 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2012-2020 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
return failed == 0;
}
+struct gennamedata {
+ const unsigned char der[22];
+ size_t derlen;
+} gennames[] = {
+ {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * SEQUENCE {}
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x30, 0x00
+ },
+ 21
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * [APPLICATION 0] {}
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x13, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x02, 0x60, 0x00
+ },
+ 21
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x61
+ },
+ 22
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.2 }
+ * [0] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x02, 0xa0, 0x03, 0x0c, 0x01, 0x61
+ },
+ 22
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * UTF8String { "b" }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x0c, 0x01, 0x62
+ },
+ 22
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * BOOLEAN { TRUE }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0xff
+ },
+ 22
+ }, {
+ /*
+ * [0] {
+ * OBJECT_IDENTIFIER { 1.2.840.113554.4.1.72585.2.1 }
+ * [0] {
+ * BOOLEAN { FALSE }
+ * }
+ * }
+ */
+ {
+ 0xa0, 0x14, 0x06, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04,
+ 0x01, 0x84, 0xb7, 0x09, 0x02, 0x01, 0xa0, 0x03, 0x01, 0x01, 0x00
+ },
+ 22
+ }, {
+ /* [1 PRIMITIVE] { "a" } */
+ {
+ 0x81, 0x01, 0x61
+ },
+ 3
+ }, {
+ /* [1 PRIMITIVE] { "b" } */
+ {
+ 0x81, 0x01, 0x62
+ },
+ 3
+ }, {
+ /* [2 PRIMITIVE] { "a" } */
+ {
+ 0x82, 0x01, 0x61
+ },
+ 3
+ }, {
+ /* [2 PRIMITIVE] { "b" } */
+ {
+ 0x82, 0x01, 0x62
+ },
+ 3
+ }, {
+ /*
+ * [4] {
+ * SEQUENCE {
+ * SET {
+ * SEQUENCE {
+ * # commonName
+ * OBJECT_IDENTIFIER { 2.5.4.3 }
+ * UTF8String { "a" }
+ * }
+ * }
+ * }
+ * }
+ */
+ {
+ 0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x0c, 0x01, 0x61
+ },
+ 16
+ }, {
+ /*
+ * [4] {
+ * SEQUENCE {
+ * SET {
+ * SEQUENCE {
+ * # commonName
+ * OBJECT_IDENTIFIER { 2.5.4.3 }
+ * UTF8String { "b" }
+ * }
+ * }
+ * }
+ * }
+ */
+ {
+ 0xa4, 0x0e, 0x30, 0x0c, 0x31, 0x0a, 0x30, 0x08, 0x06, 0x03, 0x55,
+ 0x04, 0x03, 0x0c, 0x01, 0x62
+ },
+ 16
+ }, {
+ /*
+ * [5] {
+ * [1] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x61
+ },
+ 7
+ }, {
+ /*
+ * [5] {
+ * [1] {
+ * UTF8String { "b" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x05, 0xa1, 0x03, 0x0c, 0x01, 0x62
+ },
+ 7
+ }, {
+ /*
+ * [5] {
+ * [0] {
+ * UTF8String {}
+ * }
+ * [1] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x09, 0xa0, 0x02, 0x0c, 0x00, 0xa1, 0x03, 0x0c, 0x01, 0x61
+ },
+ 11
+ }, {
+ /*
+ * [5] {
+ * [0] {
+ * UTF8String { "a" }
+ * }
+ * [1] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x61, 0xa1, 0x03, 0x0c, 0x01,
+ 0x61
+ },
+ 12
+ }, {
+ /*
+ * [5] {
+ * [0] {
+ * UTF8String { "b" }
+ * }
+ * [1] {
+ * UTF8String { "a" }
+ * }
+ * }
+ */
+ {
+ 0xa5, 0x0a, 0xa0, 0x03, 0x0c, 0x01, 0x62, 0xa1, 0x03, 0x0c, 0x01,
+ 0x61
+ },
+ 12
+ }, {
+ /* [6 PRIMITIVE] { "a" } */
+ {
+ 0x86, 0x01, 0x61
+ },
+ 3
+ }, {
+ /* [6 PRIMITIVE] { "b" } */
+ {
+ 0x86, 0x01, 0x62
+ },
+ 3
+ }, {
+ /* [7 PRIMITIVE] { `11111111` } */
+ {
+ 0x87, 0x04, 0x11, 0x11, 0x11, 0x11
+ },
+ 6
+ }, {
+ /* [7 PRIMITIVE] { `22222222`} */
+ {
+ 0x87, 0x04, 0x22, 0x22, 0x22, 0x22
+ },
+ 6
+ }, {
+ /* [7 PRIMITIVE] { `11111111111111111111111111111111` } */
+ {
+ 0x87, 0x10, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
+ 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11
+ },
+ 18
+ }, {
+ /* [7 PRIMITIVE] { `22222222222222222222222222222222` } */
+ {
+ 0x87, 0x10, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
+ 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22
+ },
+ 18
+ }, {
+ /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.1 } */
+ {
+ 0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84,
+ 0xb7, 0x09, 0x02, 0x01
+ },
+ 15
+ }, {
+ /* [8 PRIMITIVE] { 1.2.840.113554.4.1.72585.2.2 } */
+ {
+ 0x88, 0x0d, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x04, 0x01, 0x84,
+ 0xb7, 0x09, 0x02, 0x02
+ },
+ 15
+ }
+};
+
+static int test_GENERAL_NAME_cmp(void)
+{
+ size_t i, j;
+ GENERAL_NAME **namesa = OPENSSL_malloc(sizeof(*namesa)
+ * OSSL_NELEM(gennames));
+ GENERAL_NAME **namesb = OPENSSL_malloc(sizeof(*namesb)
+ * OSSL_NELEM(gennames));
+ int testresult = 0;
+
+ if (!TEST_ptr(namesa) || !TEST_ptr(namesb))
+ goto end;
+
+ for (i = 0; i < OSSL_NELEM(gennames); i++) {
+ const unsigned char *derp = gennames[i].der;
+
+ /*
+ * We create two versions of each GENERAL_NAME so that we ensure when
+ * we compare them they are always different pointers.
+ */
+ namesa[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen);
+ derp = gennames[i].der;
+ namesb[i] = d2i_GENERAL_NAME(NULL, &derp, gennames[i].derlen);
+ if (!TEST_ptr(namesa[i]) || !TEST_ptr(namesb[i]))
+ goto end;
+ }
+
+ /* Every name should be equal to itself and not equal to any others. */
+ for (i = 0; i < OSSL_NELEM(gennames); i++) {
+ for (j = 0; j < OSSL_NELEM(gennames); j++) {
+ if (i == j) {
+ if (!TEST_int_eq(GENERAL_NAME_cmp(namesa[i], namesb[j]), 0))
+ goto end;
+ } else {
+ if (!TEST_int_ne(GENERAL_NAME_cmp(namesa[i], namesb[j]), 0))
+ goto end;
+ }
+ }
+ }
+ testresult = 1;
+
+ end:
+ for (i = 0; i < OSSL_NELEM(gennames); i++) {
+ if (namesa != NULL)
+ GENERAL_NAME_free(namesa[i]);
+ if (namesb != NULL)
+ GENERAL_NAME_free(namesb[i]);
+ }
+ OPENSSL_free(namesa);
+ OPENSSL_free(namesb);
+
+ return testresult;
+}
+
int setup_tests(void)
{
ADD_ALL_TESTS(call_run_cert, OSSL_NELEM(name_fns));
+ ADD_TEST(test_GENERAL_NAME_cmp);
return 1;
}
EVP_PKEY_meth_get_digestverify 4541 1_1_1e EXIST::FUNCTION:
EVP_PKEY_meth_get_digestsign 4542 1_1_1e EXIST::FUNCTION:
RSA_get0_pss_params 4543 1_1_1e EXIST::FUNCTION:RSA
+X509_ALGOR_copy 4544 1_1_1h EXIST::FUNCTION:
+X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION:
+X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION:
+EC_KEY_decoded_from_explicit_params 4547 1_1_1h EXIST::FUNCTION:EC
#! /usr/bin/env perl
-# Copyright 2006-2018 The OpenSSL Project Authors. All Rights Reserved.
+# Copyright 2006-2020 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the OpenSSL license (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
$vft = "VFT_APP";
}
-my $YEAR = [localtime()]->[5] + 1900;
+my $YEAR = [gmtime($ENV{SOURCE_DATE_EPOCH} || time())]->[5] + 1900;
print <<___;
#include <winver.h>